genuine_ blaquee
@blaquee
blaquee / alpcfiles.log
Created September 13, 2021 14:05
ALPC Binaries in Sys32
DLL utilizing ALPC
Name: C:\Windows\System32\AudioSes.dll
Name: C:\Windows\System32\CoreMessaging.dll
Name: C:\Windows\System32\csrsrv.dll
Name: C:\Windows\System32\daxexec.dll
Name: C:\Windows\System32\DispBroker.dll
Name: C:\Windows\System32\dps.dll
Name: C:\Windows\System32\dwmapi.dll
Name: C:\Windows\System32\dwmghost.dll
Name: C:\Windows\System32\dwminit.dll

Misc Notes on Windows Drivers and Object Management

Some terminology for File System Drivers:

FSD - File System Driver: A Driver that implements a File System

FCB - File Control Block: Uniquely represents an open, on-disk object in system memory (analogous to vnodes in UNIX). When an object is successfully opened through the Object Manager, an FCB is created by the I/O Manager.

CCB - Context Control Block: A CCB is created by the FSD when a successful open operation is made by a user-mode program. A handle is returned to the caller, and the CCB is the kernel representation of that handle.

@blaquee
blaquee / processlist.cpp
Created May 20, 2020 16:23
Process listing the Native way on Vista +
HANDLE curHandle = nullptr;
NTSTATUS status;
ULONG dwLen = 0;
UNICODE_STRING strProcNameBuffer = { 0 };
PUNICODE_STRING ucBuffer = nullptr;
//enumerate next processes, use flag 1 to enumerate the processlist backwards
while (NtGetNextProcess(curHandle, MAXIMUM_ALLOWED, 0, 0, &curHandle) == STATUS_SUCCESS)
{
status = NtQueryInformationProcess(curHandle, ProcessImageFileName, 0, 0, &dwLen);
@blaquee
blaquee / MSHTA-Notes.md
Last active September 13, 2021 15:58
gistpad-scratch

The mshta executable is invoked and calls the WldpGetLockdownPolicy function.

It sets the WLDP_HOST_INFORMATION members to dwRevision = 1 and dwHostId = WLDP_HOST_ID_GLOBAL (1).

This queries the state of the lockdown policy.

It then checks the registry for the CLSID of the mhtml DLL: RegOpenKeyExA(HKEY_CLASSES_ROOT, "clsid\\{25336920-03f9-11cf-8fd0-00aa00686f13}\\InProcServer32", 0, 1u, &hKey)

@blaquee
blaquee / generated.h
Created March 31, 2020 15:04
generated opensnoop header from bpftool gen
/* SPDX-License-Identifier: (LGPL-2.1 OR BSD-2-Clause) */
/* THIS FILE IS AUTOGENERATED! */
#ifndef __OPENSNOOP_BPF_SKEL_H__
#define __OPENSNOOP_BPF_SKEL_H__
#include <stdlib.h>
#include <bpf/libbpf.h>
struct opensnoop_bpf {
@blaquee
blaquee / update-alt.sh
Created February 26, 2020 16:02
update alternatives for llvm/clang
#!/usr/bin/env bash
# --slave /usr/bin/$1 $1 /usr/bin/$1-\${version} \\
function register_clang_version {
local version=$1
local priority=$2
update-alternatives \
--install /usr/bin/llvm-config llvm-config /usr/lib/llvm-${version}/bin/llvm-config ${priority} \
@blaquee
blaquee / sids.h
Created July 12, 2019 14:37
SIDs
/////////////////////////////////////////////////////////////////////////////
//                                                                         //
// Universal well-known SIDs                                               //
//                                                                         //
//     Null SID                     S-1-0-0                                //
//     World                        S-1-1-0                                //
//     Local                        S-1-2-0                                //
//     Creator Owner ID             S-1-3-0                                //
//     Creator Group ID             S-1-3-1                                //
//     Creator Owner Server ID      S-1-3-2                                //
@blaquee
blaquee / thread_name.c
Created May 6, 2019 19:33 — forked from rossy/thread_name.c
MinGW-w64 set_thread_name
#include <windows.h>
#include <winnt.h>
#include <winternl.h>
#include <pshpack8.h>
typedef struct {
DWORD dwType;
LPCSTR szName;
DWORD dwThreadID;
DWORD dwFlags;
@blaquee
blaquee / main.c
Created September 1, 2017 05:24 — forked from hfiref0x/main.c
NtLoadEnclaveData Windows 10 RS3 DSE bypass
// Original source link https://twitter.com/hFireF0X/status/887930221466443776
// If you are here from any other link - do know that they just steal original info without giving any credit to source
// This bug has been fixed in 16273 public build.
#include "global.h"
HINSTANCE g_hInstance;
HANDLE g_ConOut = NULL;
BOOL g_ConsoleOutput = FALSE;
WCHAR g_BE = 0xFEFF;
@blaquee
blaquee / pub_sub_cpp.cpp
Created August 17, 2017 02:12 — forked from makomweb/pub_sub_cpp.cpp
Fun with C++: implementing a pub/sub scenario using std::bind and other standard facilities. The approach is pretty similar to the well known .NET event mechanism.
#include <iostream>
#include <map>
#include <algorithm>
#include <functional>
#include <memory>
using namespace std;
class EventArgs {
public: