Donaldduck8/script.txt

## script.txt
// Unpacking APIs

// static extern NTSTATUS NtProtectVirtualMemory(
//   IntPtr ProcessHandle,
//   ref IntPtr BaseAddress,
//   ref UInt32 NumberOfBytesToProtect,
//   UInt32 NewAccessProtection,
//   ref UInt32 OldAccessProtection
// );
// This can be very noisy during normal operation. Uncomment when needed.
//bp NtProtectVirtualMemory

// static extern NTSTATUS NtProtectVirtualMemory(
//   IntPtr ProcessHandle,
//   ref IntPtr BaseAddress,
//   ref UInt32 NumberOfBytesToProtect,
//   UInt32 NewAccessProtection,
//   ref UInt32 OldAccessProtection
// );
bp NtUnmapViewOfSection

// NTSYSAPI NTSTATUS ZwMapViewOfSection(
//   [in]                HANDLE          SectionHandle,
//   [in]                HANDLE          ProcessHandle,
//   [in, out]           PVOID           *BaseAddress,
//   [in]                ULONG_PTR       ZeroBits,
//   [in]                SIZE_T          CommitSize,
//   [in, out, optional] PLARGE_INTEGER  SectionOffset,
//   [in, out]           PSIZE_T         ViewSize,
//   [in]                SECTION_INHERIT InheritDisposition,
//   [in]                ULONG           AllocationType,
//   [in]                ULONG           Win32Protect
// );
// This can be very noisy during normal operation. Uncomment when needed.
//bp NtMapViewOfSection

// __kernel_entry NTSYSCALLAPI NTSTATUS NtCreateSection(
//   [out]          PHANDLE            SectionHandle,
//   [in]           ACCESS_MASK        DesiredAccess,
//   [in, optional] POBJECT_ATTRIBUTES ObjectAttributes,
//   [in, optional] PLARGE_INTEGER     MaximumSize,
//   [in]           ULONG              SectionPageProtection,
//   [in]           ULONG              AllocationAttributes,
//   [in, optional] HANDLE             FileHandle
// );
// This can be very noisy during normal operation. Uncomment when needed.
//bp NtCreateSection

// static extern NTSTATUS NtCreateThreadEx(
//   ref IntPtr threadHandle,
//   UInt32 desiredAccess,
//   IntPtr objectAttributes,
//   IntPtr processHandle,
//   IntPtr startAddress,
//   IntPtr parameter,
//   bool inCreateSuspended,
//   Int32 stackZeroBits,
//   Int32 sizeOfStack,
//   Int32 maximumStackSize,
//   IntPtr attributeList
// );
bp NtCreateThreadEx

// NtCreateThread(
//  OUT PHANDLE             ThreadHandle,
//  IN ACCESS_MASK          DesiredAccess,
//  IN POBJECT_ATTRIBUTES   ObjectAttributes OPTIONAL,
//  IN HANDLE               ProcessHandle,
//  OUT PCLIENT_ID          ClientId,
//  IN PCONTEXT             ThreadContext,
//  IN PINITIAL_TEB         InitialTeb,
//  IN BOOLEAN              CreateSuspended
//);
bp NtCreateThread

// NTSTATUS NtAllocateVirtualMemory(
//  [in]      HANDLE    ProcessHandle,
//  [in, out] PVOID     *BaseAddress,
//  [in]      ULONG_PTR ZeroBits,
//  [in, out] PSIZE_T   RegionSize,
//  [in]      ULONG     AllocationType,
//  [in]      ULONG     Protect
//);
// This can be very noisy during normal operation, however,
// all lower level memory allocation APIs will eventually call this
// so it can provide great insight into what memory allocation APIs
// are being used by the sample.
//bp NtAllocateVirtualMemory

//Higher level APIs from Kernel32

// LPVOID VirtualAllocEx(
//   [in]           HANDLE hProcess,
//   [in, optional] LPVOID lpAddress,
//   [in]           SIZE_T dwSize,
//   [in]           DWORD  flAllocationType,
//   [in]           DWORD  flProtect
// );
bp VirtualAllocEx

// LPVOID VirtualAlloc(
//   [in, optional] LPVOID lpAddress,
//   [in]           SIZE_T dwSize,
//   [in]           DWORD  flAllocationType,
//   [in]           DWORD  flProtect
// );
bp VirtualAlloc


// BOOL VirtualProtect(
//   [in]  LPVOID lpAddress,
//   [in]  SIZE_T dwSize,
//   [in]  DWORD  flNewProtect,
//   [out] PDWORD lpflOldProtect
// );
bp VirtualProtect

// BOOL VirtualProtectEx(
//  [in]  HANDLE hProcess,
//  [in]  LPVOID lpAddress,
//  [in]  SIZE_T dwSize,
//  [in]  DWORD  flNewProtect,
//  [out] PDWORD lpflOldProtect
//);
bp VirtualProtectEx

// Injection APIs

// BOOL CreateProcessW(
//   [in, optional]      LPCWSTR               lpApplicationName,
//   [in, out, optional] LPWSTR                lpCommandLine,
//   [in, optional]      LPSECURITY_ATTRIBUTES lpProcessAttributes,
//   [in, optional]      LPSECURITY_ATTRIBUTES lpThreadAttributes,
//   [in]                BOOL                  bInheritHandles,
//   [in]                DWORD                 dwCreationFlags,
//   [in, optional]      LPVOID                lpEnvironment,
//   [in, optional]      LPCWSTR               lpCurrentDirectory,
//   [in]                LPSTARTUPINFOW        lpStartupInfo,
//   [out]               LPPROCESS_INFORMATION lpProcessInformation
// );
bp CreateProcessW

//BOOL CreateProcessA(
//  [in, optional]      LPCSTR                lpApplicationName,
//  [in, out, optional] LPSTR                 lpCommandLine,
//  [in, optional]      LPSECURITY_ATTRIBUTES lpProcessAttributes,
//  [in, optional]      LPSECURITY_ATTRIBUTES lpThreadAttributes,
//  [in]                BOOL                  bInheritHandles,
//  [in]                DWORD                 dwCreationFlags,
//  [in, optional]      LPVOID                lpEnvironment,
//  [in, optional]      LPCSTR                lpCurrentDirectory,
//  [in]                LPSTARTUPINFOA        lpStartupInfo,
//  [out]               LPPROCESS_INFORMATION lpProcessInformation
//);
bp CreateProcessA

// UINT WinExec(
//  [in] LPCSTR lpCmdLine,
//  [in] UINT   uCmdShow
// );
bp WinExec

// HANDLE CreateToolhelp32Snapshot(
//   [in] DWORD dwFlags,
//   [in] DWORD th32ProcessID
// );
bp CreateToolhelp32Snapshot

// BOOL Process32First(
//   [in]      HANDLE           hSnapshot,
//   [in, out] LPPROCESSENTRY32 lppe
// );
bp Process32First

// BOOL Process32Next(
//   [in]  HANDLE           hSnapshot,
//   [out] LPPROCESSENTRY32 lppe
// );
bp Process32Next

// HANDLE OpenProcess(
//   [in] DWORD dwDesiredAccess,
//   [in] BOOL  bInheritHandle,
//   [in] DWORD dwProcessId
// );
bp OpenProcess

// BOOL WriteProcessMemory(
//   [in]  HANDLE  hProcess,
//   [in]  LPVOID  lpBaseAddress,
//   [in]  LPCVOID lpBuffer,
//   [in]  SIZE_T  nSize,
//   [out] SIZE_T  *lpNumberOfBytesWritten
// );
bp WriteProcessMemory

// BOOL ReadProcessMemory(
//  [in]  HANDLE  hProcess,
//  [in]  LPCVOID lpBaseAddress,
//  [out] LPVOID  lpBuffer,
//  [in]  SIZE_T  nSize,
//  [out] SIZE_T  *lpNumberOfBytesRead
// );
bp ReadProcessMemory

// HANDLE CreateRemoteThread(
//   [in]  HANDLE                 hProcess,
//   [in]  LPSECURITY_ATTRIBUTES  lpThreadAttributes,
//   [in]  SIZE_T                 dwStackSize,
//   [in]  LPTHREAD_START_ROUTINE lpStartAddress,
//   [in]  LPVOID                 lpParameter,
//   [in]  DWORD                  dwCreationFlags,
//   [out] LPDWORD                lpThreadId
// );
bp CreateRemoteThread

// HANDLE CreateThread(
//   [in, optional]  LPSECURITY_ATTRIBUTES   lpThreadAttributes,
//   [in]            SIZE_T                  dwStackSize,
//   [in]            LPTHREAD_START_ROUTINE  lpStartAddress,
//   [in, optional]  __drv_aliasesMem LPVOID lpParameter,
//   [in]            DWORD                   dwCreationFlags,
//   [out, optional] LPDWORD                 lpThreadId
// );
bp CreateThread

// BOOL SetThreadContext(
//  [in] HANDLE        hThread,
//  [in] const CONTEXT *lpContext
// );
bp SetThreadContext

// NTSYSAPI NTSTATUS NTAPI NtSetContextThread(
//  IN HANDLE               ThreadHandle,
//  IN PCONTEXT             Context );
//bp ZwSetThreadContext

// DWORD ResumeThread(
//   [in] HANDLE hThread
// );
bp ResumeThread

// Often there are other payloads that can be written to disk in between stages
// HANDLE CreateFileA(
//  [in]           LPCSTR                lpFileName,
//  [in]           DWORD                 dwDesiredAccess,
//  [in]           DWORD                 dwShareMode,
//  [in, optional] LPSECURITY_ATTRIBUTES lpSecurityAttributes,
//  [in]           DWORD                 dwCreationDisposition,
//  [in]           DWORD                 dwFlagsAndAttributes,
//  [in, optional] HANDLE                hTemplateFile
// );
bp CreateFileA

// HANDLE CreateFileW(
//  [in]           LPCWSTR               lpFileName,
//  [in]           DWORD                 dwDesiredAccess,
//  [in]           DWORD                 dwShareMode,
//  [in, optional] LPSECURITY_ATTRIBUTES lpSecurityAttributes,
//  [in]           DWORD                 dwCreationDisposition,
//  [in]           DWORD                 dwFlagsAndAttributes,
//  [in, optional] HANDLE                hTemplateFile
// );
bp CreateFileW

// BOOL WriteFile(
//   [in]                HANDLE       hFile,
//   [in]                LPCVOID      lpBuffer,
//   [in]                DWORD        nNumberOfBytesToWrite,
//   [out, optional]     LPDWORD      lpNumberOfBytesWritten,
//   [in, out, optional] LPOVERLAPPED lpOverlapped
// );
bp WriteFile

msg "Unpacking, Injection and File Operation API breakpoints set!"
	// Unpacking APIs

	// static extern NTSTATUS NtProtectVirtualMemory(
	// IntPtr ProcessHandle,
	// ref IntPtr BaseAddress,
	// ref UInt32 NumberOfBytesToProtect,
	// UInt32 NewAccessProtection,
	// ref UInt32 OldAccessProtection
	// );
	// This can be very noisy during normal operation. Uncomment when needed.
	//bp NtProtectVirtualMemory

	// static extern NTSTATUS NtProtectVirtualMemory(
	// IntPtr ProcessHandle,
	// ref IntPtr BaseAddress,
	// ref UInt32 NumberOfBytesToProtect,
	// UInt32 NewAccessProtection,
	// ref UInt32 OldAccessProtection
	// );
	bp NtUnmapViewOfSection

	// NTSYSAPI NTSTATUS ZwMapViewOfSection(
	// [in] HANDLE SectionHandle,
	// [in] HANDLE ProcessHandle,
	// [in, out] PVOID *BaseAddress,
	// [in] ULONG_PTR ZeroBits,
	// [in] SIZE_T CommitSize,
	// [in, out, optional] PLARGE_INTEGER SectionOffset,
	// [in, out] PSIZE_T ViewSize,
	// [in] SECTION_INHERIT InheritDisposition,
	// [in] ULONG AllocationType,
	// [in] ULONG Win32Protect
	// );
	// This can be very noisy during normal operation. Uncomment when needed.
	//bp NtMapViewOfSection

	// __kernel_entry NTSYSCALLAPI NTSTATUS NtCreateSection(
	// [out] PHANDLE SectionHandle,
	// [in] ACCESS_MASK DesiredAccess,
	// [in, optional] POBJECT_ATTRIBUTES ObjectAttributes,
	// [in, optional] PLARGE_INTEGER MaximumSize,
	// [in] ULONG SectionPageProtection,
	// [in] ULONG AllocationAttributes,
	// [in, optional] HANDLE FileHandle
	// );
	// This can be very noisy during normal operation. Uncomment when needed.
	//bp NtCreateSection

	// static extern NTSTATUS NtCreateThreadEx(
	// ref IntPtr threadHandle,
	// UInt32 desiredAccess,
	// IntPtr objectAttributes,
	// IntPtr processHandle,
	// IntPtr startAddress,
	// IntPtr parameter,
	// bool inCreateSuspended,
	// Int32 stackZeroBits,
	// Int32 sizeOfStack,
	// Int32 maximumStackSize,
	// IntPtr attributeList
	// );
	bp NtCreateThreadEx

	// NtCreateThread(
	// OUT PHANDLE ThreadHandle,
	// IN ACCESS_MASK DesiredAccess,
	// IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
	// IN HANDLE ProcessHandle,
	// OUT PCLIENT_ID ClientId,
	// IN PCONTEXT ThreadContext,
	// IN PINITIAL_TEB InitialTeb,
	// IN BOOLEAN CreateSuspended
	//);
	bp NtCreateThread

	// NTSTATUS NtAllocateVirtualMemory(
	// [in] HANDLE ProcessHandle,
	// [in, out] PVOID *BaseAddress,
	// [in] ULONG_PTR ZeroBits,
	// [in, out] PSIZE_T RegionSize,
	// [in] ULONG AllocationType,
	// [in] ULONG Protect
	//);
	// This can be very noisy during normal operation, however,
	// all lower level memory allocation APIs will eventually call this
	// so it can provide great insight into what memory allocation APIs
	// are being used by the sample.
	//bp NtAllocateVirtualMemory

	//Higher level APIs from Kernel32

	// LPVOID VirtualAllocEx(
	// [in] HANDLE hProcess,
	// [in, optional] LPVOID lpAddress,
	// [in] SIZE_T dwSize,
	// [in] DWORD flAllocationType,
	// [in] DWORD flProtect
	// );
	bp VirtualAllocEx

	// LPVOID VirtualAlloc(
	// [in, optional] LPVOID lpAddress,
	// [in] SIZE_T dwSize,
	// [in] DWORD flAllocationType,
	// [in] DWORD flProtect
	// );
	bp VirtualAlloc



	// BOOL VirtualProtect(
	// [in] LPVOID lpAddress,
	// [in] SIZE_T dwSize,
	// [in] DWORD flNewProtect,
	// [out] PDWORD lpflOldProtect
	// );
	bp VirtualProtect

	// BOOL VirtualProtectEx(
	// [in] HANDLE hProcess,
	// [in] LPVOID lpAddress,
	// [in] SIZE_T dwSize,
	// [in] DWORD flNewProtect,
	// [out] PDWORD lpflOldProtect
	//);
	bp VirtualProtectEx

	// Injection APIs

	// BOOL CreateProcessW(
	// [in, optional] LPCWSTR lpApplicationName,
	// [in, out, optional] LPWSTR lpCommandLine,
	// [in, optional] LPSECURITY_ATTRIBUTES lpProcessAttributes,
	// [in, optional] LPSECURITY_ATTRIBUTES lpThreadAttributes,
	// [in] BOOL bInheritHandles,
	// [in] DWORD dwCreationFlags,
	// [in, optional] LPVOID lpEnvironment,
	// [in, optional] LPCWSTR lpCurrentDirectory,
	// [in] LPSTARTUPINFOW lpStartupInfo,
	// [out] LPPROCESS_INFORMATION lpProcessInformation
	// );
	bp CreateProcessW

	//BOOL CreateProcessA(
	// [in, optional] LPCSTR lpApplicationName,
	// [in, out, optional] LPSTR lpCommandLine,
	// [in, optional] LPSECURITY_ATTRIBUTES lpProcessAttributes,
	// [in, optional] LPSECURITY_ATTRIBUTES lpThreadAttributes,
	// [in] BOOL bInheritHandles,
	// [in] DWORD dwCreationFlags,
	// [in, optional] LPVOID lpEnvironment,
	// [in, optional] LPCSTR lpCurrentDirectory,
	// [in] LPSTARTUPINFOA lpStartupInfo,
	// [out] LPPROCESS_INFORMATION lpProcessInformation
	//);
	bp CreateProcessA

	// UINT WinExec(
	// [in] LPCSTR lpCmdLine,
	// [in] UINT uCmdShow
	// );
	bp WinExec

	// HANDLE CreateToolhelp32Snapshot(
	// [in] DWORD dwFlags,
	// [in] DWORD th32ProcessID
	// );
	bp CreateToolhelp32Snapshot

	// BOOL Process32First(
	// [in] HANDLE hSnapshot,
	// [in, out] LPPROCESSENTRY32 lppe
	// );
	bp Process32First

	// BOOL Process32Next(
	// [in] HANDLE hSnapshot,
	// [out] LPPROCESSENTRY32 lppe
	// );
	bp Process32Next

	// HANDLE OpenProcess(
	// [in] DWORD dwDesiredAccess,
	// [in] BOOL bInheritHandle,
	// [in] DWORD dwProcessId
	// );
	bp OpenProcess

	// BOOL WriteProcessMemory(
	// [in] HANDLE hProcess,
	// [in] LPVOID lpBaseAddress,
	// [in] LPCVOID lpBuffer,
	// [in] SIZE_T nSize,
	// [out] SIZE_T *lpNumberOfBytesWritten
	// );
	bp WriteProcessMemory

	// BOOL ReadProcessMemory(
	// [in] HANDLE hProcess,
	// [in] LPCVOID lpBaseAddress,
	// [out] LPVOID lpBuffer,
	// [in] SIZE_T nSize,
	// [out] SIZE_T *lpNumberOfBytesRead
	// );
	bp ReadProcessMemory

	// HANDLE CreateRemoteThread(
	// [in] HANDLE hProcess,
	// [in] LPSECURITY_ATTRIBUTES lpThreadAttributes,
	// [in] SIZE_T dwStackSize,
	// [in] LPTHREAD_START_ROUTINE lpStartAddress,
	// [in] LPVOID lpParameter,
	// [in] DWORD dwCreationFlags,
	// [out] LPDWORD lpThreadId
	// );
	bp CreateRemoteThread

	// HANDLE CreateThread(
	// [in, optional] LPSECURITY_ATTRIBUTES lpThreadAttributes,
	// [in] SIZE_T dwStackSize,
	// [in] LPTHREAD_START_ROUTINE lpStartAddress,
	// [in, optional] __drv_aliasesMem LPVOID lpParameter,
	// [in] DWORD dwCreationFlags,
	// [out, optional] LPDWORD lpThreadId
	// );
	bp CreateThread

	// BOOL SetThreadContext(
	// [in] HANDLE hThread,
	// [in] const CONTEXT *lpContext
	// );
	bp SetThreadContext

	// NTSYSAPI NTSTATUS NTAPI NtSetContextThread(
	// IN HANDLE ThreadHandle,
	// IN PCONTEXT Context );
	//bp ZwSetThreadContext

	// DWORD ResumeThread(
	// [in] HANDLE hThread
	// );
	bp ResumeThread

	// Often there are other payloads that can be written to disk in between stages
	// HANDLE CreateFileA(
	// [in] LPCSTR lpFileName,
	// [in] DWORD dwDesiredAccess,
	// [in] DWORD dwShareMode,
	// [in, optional] LPSECURITY_ATTRIBUTES lpSecurityAttributes,
	// [in] DWORD dwCreationDisposition,
	// [in] DWORD dwFlagsAndAttributes,
	// [in, optional] HANDLE hTemplateFile
	// );
	bp CreateFileA

	// HANDLE CreateFileW(
	// [in] LPCWSTR lpFileName,
	// [in] DWORD dwDesiredAccess,
	// [in] DWORD dwShareMode,
	// [in, optional] LPSECURITY_ATTRIBUTES lpSecurityAttributes,
	// [in] DWORD dwCreationDisposition,
	// [in] DWORD dwFlagsAndAttributes,
	// [in, optional] HANDLE hTemplateFile
	// );
	bp CreateFileW

	// BOOL WriteFile(
	// [in] HANDLE hFile,
	// [in] LPCVOID lpBuffer,
	// [in] DWORD nNumberOfBytesToWrite,
	// [out, optional] LPDWORD lpNumberOfBytesWritten,
	// [in, out, optional] LPOVERLAPPED lpOverlapped
	// );
	bp WriteFile

	msg "Unpacking, Injection and File Operation API breakpoints set!"