gavz / pml4e.c
Created May 13, 2024 22:22 — forked from mvankuipers/pml4e.c
Structure defining a PML4 entry in IA-32e paging.
typedef struct _PML4E
{
union
{
struct
{
ULONG64 Present : 1; // Must be 1, region invalid if 0.
ULONG64 ReadWrite : 1; // If 0, writes not allowed.
ULONG64 UserSupervisor : 1; // If 0, user-mode accesses not allowed.
ULONG64 PageWriteThrough : 1; // Determines the memory type used to access PDPT.
gavz / pdpte.c
Created May 13, 2024 22:22 — forked from mvankuipers/pdpte.c
Structure defining a page directory pointer table (PDPT) entry in IA-32e paging.
typedef struct _PDPTE
{
union
{
struct
{
ULONG64 Present : 1; // Must be 1, region invalid if 0.
ULONG64 ReadWrite : 1; // If 0, writes not allowed.
ULONG64 UserSupervisor : 1; // If 0, user-mode accesses not allowed.
ULONG64 PageWriteThrough : 1; // Determines the memory type used to access PD.
gavz / pde.c
Created May 13, 2024 22:21 — forked from mvankuipers/pde.c
Structure defining a page directory (PD) entry in IA-32e paging.
typedef struct _PDE
{
union
{
struct
{
ULONG64 Present : 1; // Must be 1, region invalid if 0.
ULONG64 ReadWrite : 1; // If 0, writes not allowed.
ULONG64 UserSupervisor : 1; // If 0, user-mode accesses not allowed.
ULONG64 PageWriteThrough : 1; // Determines the memory type used to access PT.
gavz / pte.c
Created May 13, 2024 22:21 — forked from mvankuipers/pte.c
Structure defining a page table (PT) entry in IA-32e paging.
typedef struct _PTE
{
union
{
struct
{
ULONG64 Present : 1; // Must be 1, region invalid if 0.
ULONG64 ReadWrite : 1; // If 0, writes not allowed.
ULONG64 UserSupervisor : 1; // If 0, user-mode accesses not allowed.
ULONG64 PageWriteThrough : 1; // Determines the memory type used to access the memory.
gavz / main.c
Created May 12, 2024 21:19 — forked from dadevel/main.c
EFS Trigger
#include <windows.h>
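/*
 * Create an encrypted, delete-on-close file in the current directory.
 *
 * The CreateFileA call asks for FILE_ATTRIBUTE_ENCRYPTED (EFS encryption)
 * and FILE_FLAG_DELETE_ON_CLOSE, so the file exists only until the handle
 * below is closed. FILE_ATTRIBUTE_NORMAL is kept from the original call but
 * is only meaningful when used on its own; the other flags take precedence.
 *
 * Returns 0 on success, otherwise the Win32 error code from GetLastError()
 * as the process exit status.
 */
int main(void) {
    HANDLE file = CreateFileA(".\\test.txt",
                              GENERIC_WRITE,
                              FILE_SHARE_WRITE,
                              NULL,
                              OPEN_ALWAYS,
                              FILE_ATTRIBUTE_NORMAL | FILE_ATTRIBUTE_ENCRYPTED | FILE_FLAG_DELETE_ON_CLOSE,
                              NULL);
    if (file == INVALID_HANDLE_VALUE) {
        /* CreateFileA reports failure with INVALID_HANDLE_VALUE, never NULL,
         * so the former NULL test was dead; capture the error code before any
         * other API call can overwrite it. */
        DWORD err = GetLastError();
        return (int)err;
    }
    /* Closing the last handle is what removes the file (FILE_FLAG_DELETE_ON_CLOSE). */
    CloseHandle(file);
    return 0;
}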
gavz / PinTrace.cpp
Created May 7, 2024 10:33 — forked from GitMirar/PinTrace.cpp
Pintool for API call tracing
/*
* PinTrace
*
* API call trace tool built with intel pin (https://software.intel.com/en-us/articles/pin-a-binary-instrumentation-tool-downloads).
*
* CC by mirar@chaosmail.org
*
* This module can either be run in audit mode (-a flag) or provided with a config file (-c path/to/config).
*
* The config format is as follows:
gavz / win32_hook.h
Created May 3, 2024 22:14 — forked from ghorsington/win32_hook.h
EAT and IAT hook
/*
* EAT-based hooking for x86/x64.
*
* Big thanks to ez (https://github.com/ezdiy/) for making this!
*
* Creates "hooks" by modifying the module's export address table.
* The procedure works in three main parts:
*
* 1. Reading the module's PE file and getting all exported functions.
* 2. Finding the right function to "hook" by simple address lookup
/*
* fork.c
* Experimental fork() on Windows. Requires NT 6 subsystem or
* newer.
*
* Copyright (c) 2012 William Pitcock <nenolod@dereferenced.org>
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
// iThome 2020 Demo: Signature Patcher for Explorer
// author: aaaddress1@chroot.org
#include <iostream>
#include <Windows.h>
int main() {
DWORD explorer_pid;
GetWindowThreadProcessId(FindWindowA("Shell_TrayWnd", NULL), &explorer_pid);
if (HANDLE token = OpenProcess(PROCESS_ALL_ACCESS, FALSE, explorer_pid)) {
gavz / vehMon.cpp
Created May 3, 2024 22:14 — forked from aaaddress1/vehMon.cpp
VEH Monitor
// VEH Monitor by aaaddress1@chroot.org
#include <stdio.h>
#include <windows.h>
#pragma warning( disable : 4996 )
LONG __stdcall TrapFilter(PEXCEPTION_POINTERS pexinf) {
if (pexinf->ExceptionRecord->ExceptionCode == EXCEPTION_ACCESS_VIOLATION && ((DWORD)pexinf->ExceptionRecord->ExceptionAddress & 0x80000000))
pexinf->ContextRecord->Eip = pexinf->ContextRecord->Eip ^ 0x80000000;
else if (pexinf->ExceptionRecord->ExceptionCode != EXCEPTION_SINGLE_STEP)
return EXCEPTION_CONTINUE_SEARCH;