@EvanMcBroom
EvanMcBroom / exec_remote_process.cpp
Last active August 8, 2025 03:33
Examples of using an impersonation token instead of explicit credentials to create a process on a remote host via DCOM and MS-WMI.
// Copyright (C) 2024 Evan McBroom
#include <Windows.h>
#include <iostream>
#include <vector>
#include <WbemCli.h>
#include <atlbase.h>
#include <iomanip>
// The modified, compiled IDL file from:
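Added example, not code from the gist above: the same Win32_Process.Create call over DCOM driven from PowerShell, letting the CIM session pick up the identity the shell already holds instead of passing explicit credentials. The host name and command line are placeholders. PowerShell cmdlets work from the process token (for example one obtained with runas /netonly), not from a thread-level impersonation token as the gist does, so this is the nearest managed analogue rather than the same mechanism; the return codes listed are the documented ones for Win32_Process.Create.

```powershell
function Invoke-RemoteProcessViaWmi {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$CommandLine,
        [pscredential]$Credential   # omit to authenticate with the caller's current security context
    )
    # Documented return values of Win32_Process.Create
    $returnCodes = @{
        0 = 'Success'; 2 = 'Access denied'; 3 = 'Insufficient privilege'
        8 = 'Unknown failure'; 9 = 'Path not found'; 21 = 'Invalid parameter'
    }
    # Force DCOM (port 135 + dynamic RPC) rather than WinRM, to match the transport the gist uses
    $sessionArgs = @{ ComputerName = $ComputerName; SessionOption = (New-CimSessionOption -Protocol Dcom) }
    if ($Credential) { $sessionArgs.Credential = $Credential }   # explicit-credential path
    $session = New-CimSession @sessionArgs                        # otherwise: current token
    try {
        $result = Invoke-CimMethod -CimSession $session -ClassName Win32_Process -MethodName Create `
                                   -Arguments @{ CommandLine = $CommandLine }
        [pscustomobject]@{
            ComputerName = $ComputerName
            ReturnValue  = $result.ReturnValue
            Meaning      = $returnCodes[[int]$result.ReturnValue]
            ProcessId    = $result.ProcessId   # populated only on ReturnValue 0
        }
    } finally {
        Remove-CimSession $session
    }
}

# Usage (placeholder host): no -Credential, so the session authenticates as whoever runs the shell
Invoke-RemoteProcessViaWmi -ComputerName 'target.example.local' -CommandLine 'cmd.exe /c whoami > C:\Windows\Temp\who.txt'
```

A ReturnValue of 2 or 3 with no -Credential is the quickest way to tell that the current context does not carry admin rights on the target; the same call with -Credential confirms whether the method itself works there.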
@TheWover
TheWover / SystemProcessInformation.cpp
Last active October 17, 2025 14:27
Demonstrates use of NtQuerySystemInformation and SystemProcessInformation variants to enumerate processes without opening handles
// Demonstrates use of NtQuerySystemInformation and SystemProcessInformation variants to enumerate processes without opening handles
// Author: TheWover
//
#include <iostream>
#include <string>
#include "ntdefs.h"
bool demoSystemProcessInformation(bool full)
{
@rxwx
rxwx / AmsiContextHook.cpp
Created November 30, 2023 17:04
Bypass AMSI on Windows 11 by hooking the AMSI context VTable on the heap with a ROP gadget. Look ma, no code patches!
#include <Windows.h>
#include <Psapi.h>
#include <metahost.h>
#include <comutil.h>
#include <mscoree.h>
#include "patch_info.h"
#include "base\helpers.h"
/**
* For the debug build we want:
@rxwx
rxwx / AmsiLoader.cpp
Created November 29, 2023 16:01
Execute shellcode with AMSI
#include <Windows.h>
#include <iostream>
#include <fstream>
#include <amsi.h>
#define NtCurrentProcess() ( (HANDLE)(LONG_PTR) -1 )
#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)
// https://modexp.wordpress.com/2019/06/03/disable-amsi-wldp-dotnet/
typedef struct tagHAMSICONTEXT {
/*!
*
* ROGUE
*
* GuidePoint Security LLC
*
* Threat and Attack Simulation Team
*
!*/
@tothi
tothi / PrtSc_Screenshotter.ps1
Created September 16, 2023 20:00
Capture screenshot by sending PrtSc key using PowerShell and grab it through HTTP with a Python CGI receiver
# dependency
Add-Type -AssemblyName System.Windows.Forms
# send PrtSc key (= capture the screen to the clipboard)
[Windows.Forms.Sendkeys]::SendWait("{PrtSc}")
# save the image as PNG in memory
$png = New-Object System.IO.MemoryStream
[Windows.Forms.Clipboard]::GetImage().Save($png, [System.Drawing.Imaging.ImageFormat]::Png)
/*
TaskManagerSecret
Author: @splinter_code
This is a very ugly POC for a very unreliable UAC bypass through some UI hacks.
The core of this hack is stealing and using a token containing the UIAccess flag set.
A trick described by James Forshaw, so all credits to him --> https://www.tiraniddo.dev/2019/02/accessing-access-tokens-for-uiaccess.html
From there it uses a task manager "feature" to run a new High IL cmd.exe.
This has been developed only for fun and shouldn't be used due to its high unreliability.
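Added example, not part of the TaskManagerSecret PoC: an inventory of running processes whose primary token has the UIAccess flag set, which is the token property the PoC needs to find and steal. It queries TokenUIAccess through GetTokenInformation via P/Invoke. The allowlist of binaries that normally run with UIAccess is an assumption to tune per host, and the scanner can only inspect processes it is allowed to open from its own integrity level.

```powershell
Add-Type -Namespace Scan -Name Token -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, int dwProcessId);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool OpenProcessToken(IntPtr ProcessHandle, uint DesiredAccess, out IntPtr TokenHandle);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool GetTokenInformation(IntPtr TokenHandle, int TokenInformationClass, out uint TokenInformation, int TokenInformationLength, out int ReturnLength);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
'@

$PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
$TOKEN_QUERY = 0x0008
$TokenUIAccess = 26   # TOKEN_INFORMATION_CLASS::TokenUIAccess; yields a DWORD, nonzero when the flag is set

function Test-ProcessUIAccess {
    param([Parameter(Mandatory)][int]$ProcessId)
    $hProcess = [Scan.Token]::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, $ProcessId)
    if ($hProcess -eq [IntPtr]::Zero) { return $null }   # protected or higher-IL process: not inspectable from here
    $hToken = [IntPtr]::Zero
    try {
        if (-not [Scan.Token]::OpenProcessToken($hProcess, $TOKEN_QUERY, [ref]$hToken)) { return $null }
        $value = [uint32]0
        $len = 0
        if (-not [Scan.Token]::GetTokenInformation($hToken, $TokenUIAccess, [ref]$value, 4, [ref]$len)) { return $null }
        return ($value -ne 0)
    } finally {
        if ($hToken -ne [IntPtr]::Zero) { [void][Scan.Token]::CloseHandle($hToken) }
        [void][Scan.Token]::CloseHandle($hProcess)
    }
}

function Get-UIAccessProcess {
    # Assumption: accessibility binaries Windows ships with uiAccess="true" in their manifest.
    # Anything outside this set holding a UIAccess token deserves a look.
    $expected = @('osk.exe', 'magnify.exe', 'narrator.exe')
    foreach ($p in Get-Process) {
        if ((Test-ProcessUIAccess -ProcessId $p.Id) -eq $true) {
            [pscustomobject]@{
                ProcessId  = $p.Id
                Name       = $p.ProcessName
                Image      = $p.Path
                Unexpected = (($p.ProcessName + '.exe') -notin $expected)
            }
        }
    }
}

Get-UIAccessProcess | Format-Table -AutoSize
```

Run it from a medium-IL shell to see which of your own session's processes already carry the flag; a non-accessibility process showing Unexpected = True is exactly the kind of token the PoC would reuse, or a sign that something already did.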
@susMdT
susMdT / shitcode.c
Last active December 2, 2024 04:25
hahaha da shellcode go brrrr
#include <Core.h>
#include <Win32.h>
#include <Structs.h>
#include <Sleep.h>
#include <Utils.h>
SEC( text, C ) VOID Ekko ( DWORD SleepTime, PINSTANCE Instance)
{
@superuser5
superuser5 / LastCall.c
Created May 7, 2023 15:21
LastCall Injection PoC
// "A process executes until one of the following events occurs:
// - Any thread of the process calls the ExitProcess function.
// - The last thread of the process terminates
// - ..."
// Ref: https://learn.microsoft.com/en-us/windows/win32/procthread/terminating-a-process
//
// --------------------------------------------------------------------------------------------
//
// The idea is to inject shellcode into another process and stomp the instructions of its ExitProcess().
// So when ExitProcess is called, the thread will be redirected to the shellcode instead of exiting.
D_SEC( A ) NTSTATUS NTAPI Entry( _In_ PVOID Parameter )
{
PARSED_BUF Psr;
UINT32 Wrt = 0;
PARG Arg = NULL;
LPWSTR Nps = NULL;
HANDLE Pip = NULL;
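Added example, not taken from the LastCall gist: a userland check for the footprint the gist's comment describes, namely the first instructions of kernel32!ExitProcess having been overwritten in another process. It reads the function's prologue from each target with ReadProcessMemory and compares it with the scanner's own copy. Assumptions not stated on the page: kernel32.dll is mapped at the same base in every same-architecture process within one boot session, so the address resolved in this process is valid in the target, and WOW64 targets are skipped because they run a different kernel32 image.

```powershell
Add-Type -Namespace Scan -Name Memory -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, int dwProcessId);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, int nSize, out IntPtr lpNumberOfBytesRead);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool IsWow64Process(IntPtr hProcess, out bool Wow64Process);
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern IntPtr GetModuleHandle(string lpModuleName);
[DllImport("kernel32.dll", CharSet = CharSet.Ansi, ExactSpelling = true, SetLastError = true)]
public static extern IntPtr GetProcAddress(IntPtr hModule, string lpProcName);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
'@

$PROCESS_VM_READ = 0x0010
$PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
$PrologueLength = 32   # bytes compared; covers a jmp or mov rax,imm64 / jmp rax stub written over the function start

function Read-ProcessBytes {
    param([int]$ProcessId, [IntPtr]$Address, [int]$Length)
    $h = [Scan.Memory]::OpenProcess($PROCESS_VM_READ -bor $PROCESS_QUERY_LIMITED_INFORMATION, $false, $ProcessId)
    if ($h -eq [IntPtr]::Zero) { return $null }           # cannot open: protected or higher-IL process
    try {
        $wow64 = $false
        if ([Scan.Memory]::IsWow64Process($h, [ref]$wow64) -and $wow64) { return $null }   # different kernel32 image
        $buf = New-Object byte[] $Length
        $read = [IntPtr]::Zero
        if (-not [Scan.Memory]::ReadProcessMemory($h, $Address, $buf, $Length, [ref]$read) -or $read.ToInt64() -ne $Length) { return $null }
        return $buf
    } finally {
        [void][Scan.Memory]::CloseHandle($h)
    }
}

function Test-ExitProcessStomped {
    param([Parameter(Mandatory)][int]$ProcessId)
    # Resolve once in this process; same address in every 64-bit process this boot (see assumption above)
    $addr = [Scan.Memory]::GetProcAddress([Scan.Memory]::GetModuleHandle('kernel32.dll'), 'ExitProcess')
    if ($addr -eq [IntPtr]::Zero) { throw 'could not resolve kernel32!ExitProcess' }
    $reference = Read-ProcessBytes -ProcessId $PID -Address $addr -Length $PrologueLength
    $target = Read-ProcessBytes -ProcessId $ProcessId -Address $addr -Length $PrologueLength
    if (-not $target) { return $null }                    # unreadable or WOW64: no verdict
    $diff = @(foreach ($i in 0..($PrologueLength - 1)) { if ($reference[$i] -ne $target[$i]) { $i } })
    [pscustomobject]@{
        ProcessId        = $ProcessId
        Address          = '0x{0:X}' -f $addr.ToInt64()
        Stomped          = ($diff.Count -gt 0)
        DifferingOffsets = $diff
        TargetBytes      = ($target | ForEach-Object { '{0:X2}' -f $_ }) -join ' '
    }
}

# Usage: report every process whose ExitProcess prologue differs from this process's copy
Get-Process | ForEach-Object { Test-ExitProcessStomped -ProcessId $_.Id } | Where-Object Stomped | Format-Table -AutoSize
```

Comparing against the scanner's own process rather than the on-disk image is a deliberate choice: a userland hook that an EDR places identically in every process cancels out, so only a patch present in the target alone is reported. The flip side is that a stomp applied to every process, the scanner included, is invisible to this check, and a stomp of any function other than kernel32!ExitProcess is out of scope.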