void RemapSelfInternal(PVOID ImageBase, PVOID TempBase, ULONG SizeOfImage, HANDLE hSection) | |
{ | |
if (UnmapViewOfFile(ImageBase)) | |
{ | |
PVOID BaseAddress = ImageBase; | |
SIZE_T ViewSize = SizeOfImage; | |
// for x64 only, because we not pass address of ZwMapViewOfSection | |
if (0 <= ZwMapViewOfSection(hSection, NtCurrentProcess(), &BaseAddress, | |
0, 0, 0, &ViewSize, ViewUnmap, 0, PAGE_EXECUTE_READWRITE) && ImageBase == BaseAddress) |
BOOL IsParentExplorer() | |
{ | |
if (HWND hwnd = GetShellWindow()) | |
{ | |
ULONG dwProcessId; | |
if (GetWindowThreadProcessId(hwnd, &dwProcessId)) | |
{ | |
PROCESS_BASIC_INFORMATION pbi; | |
if (0 <= NtQueryInformationProcess(NtCurrentProcess(), ProcessBasicInformation, &pbi, sizeof(pbi), 0)) | |
{ |
void ListModules() | |
{ | |
PLIST_ENTRY InLoadOrderModuleList = &NtCurrentTeb()->ProcessEnvironmentBlock->Ldr->InLoadOrderModuleList; | |
PLDR_DATA_TABLE_ENTRY cursor = CONTAINING_RECORD(InLoadOrderModuleList->Flink, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks); | |
while (InLoadOrderModuleList != &cursor->InLoadOrderLinks) | |
{ | |
DbgPrint("%p %wZ\r\n", cursor->DllBase, &cursor->BaseDllName); | |
cursor = CONTAINING_RECORD(cursor->InLoadOrderLinks.Flink, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks); |
void GetPebModules(PLDR_DATA_TABLE_ENTRY cursor) | |
{ | |
while (cursor->DllBase) | |
{ | |
//DbgPrint("%p %wZ\r\n", cursor->DllBase, &cursor->BaseDllName); | |
cursor = (PLDR_DATA_TABLE_ENTRY)cursor->InLoadOrderLinks.Flink; | |
} | |
DbgPrint("%p !!!\n", &cursor->DllBase); |
BOOL UnhookNT() | |
{ | |
BOOL fOk = FALSE; | |
if (HMODULE hmod = GetModuleHandleW(L"ntdll")) | |
{ | |
if (PIMAGE_NT_HEADERS pinth = RtlImageNtHeader(hmod)) | |
{ | |
PVOID BaseAddress = (PBYTE)hmod + pinth->OptionalHeader.BaseOfCode; |
#define FILE_NOTIFY_VALID_MASK 0x00000fff | |
class RDC : OVERLAPPED | |
{ | |
HANDLE _M_hFile = 0; | |
SRWLOCK _M_lock {}; | |
LONG _M_dwRef = 1; | |
union { | |
FILE_NOTIFY_INFORMATION _M_fni; |
OBJECT_ATTRIBUTES oa = { sizeof(oa) }; | |
LSA_HANDLE PolicyHandle; | |
if (0 <= LsaOpenPolicy(0, &oa, POLICY_LOOKUP_NAMES, &PolicyHandle)) | |
{ | |
ULONG CountOfRights; | |
static SID EveryOne = { SID_REVISION, 1, SECURITY_WORLD_SID_AUTHORITY, { SECURITY_WORLD_RID } }; | |
PLSA_UNICODE_STRING UserRights; | |
if (0 <= LsaEnumerateAccountRights(PolicyHandle, &EveryOne, &UserRights, &CountOfRights)) | |
{ | |
if (CountOfRights) |
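/**
 * Export the RSA public-key blob of hKey and print its CRC32 to the debugger.
 *
 * @param hKey  CNG key handle. Only the public half (BCRYPT_RSAPUBLIC_BLOB) is
 *              requested, so no private key material is copied into the buffer.
 *
 * The blob is exported into a fixed 0x400-byte stack buffer; a key whose blob
 * is larger makes NCryptExportKey fail instead of overrunning the buffer, and
 * cb is only read after a successful call. The failure status is printed so an
 * oversized or non-exportable key is not silently skipped.
 *
 * Note: CRC32 is a debug fingerprint only. It is trivially collidable and must
 * not be used to verify key identity or integrity; use a cryptographic hash of
 * the blob for that purpose.
 */
void DumpKeyCrc(NCRYPT_KEY_HANDLE hKey)
{
	ULONG cb = 0;
	UCHAR blob[0x400];
	int status = NCryptExportKey(hKey, 0, BCRYPT_RSAPUBLIC_BLOB, 0, blob, sizeof(blob), &cb, 0);
	if (0 <= status)
	{
		// cb <= sizeof(blob) is guaranteed by the API on success
		DbgPrint("crc=%08X\r\n", RtlComputeCrc32(0, blob, cb));
	}
	else
	{
		// failure codes have the sign bit set, hence the 0 <= success test above
		DbgPrint("NCryptExportKey failed: %08X\r\n", (ULONG)status);
	}
}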
if (HCERTSTORE hCertStore = CertOpenStore(CERT_STORE_PROV_SYSTEM, 0, 0, | |
CERT_STORE_OPEN_EXISTING_FLAG|CERT_STORE_READONLY_FLAG| | |
CERT_SYSTEM_STORE_LOCAL_MACHINE, L"root")) | |
{ | |
PCCERT_CONTEXT pCertContext = 0; | |
while (pCertContext = CertEnumCertificatesInStore(hCertStore, pCertContext)) | |
{ | |
UCHAR hash[20]; | |
ULONG cb = sizeof(hash); |
typedef struct KERB_SMARTCARD_CSP_INFO | |
{ | |
ULONG dwCspInfoLen; // size of this structure w/ payload | |
ULONG MessageType; // info type, currently CertHashInfo | |
// payload starts, marshaled structure of MessageType | |
union { | |
PVOID ContextInformation; // Reserved | |
ULONG64 SpaceHolderForWow64; | |
}; | |
ULONG flags; // Reserved |