Repository: SinaKarvandi/Process-Magics
Branch: master
Commit: a3e822417920
Files: 58
Total size: 85.3 KB

Directory structure:
gitextract_gethi38c/
├── .gitignore
├── Bypass Sysmon With Updating Rules/
│   ├── SysmonRuleUpdateBypass/
│   │   ├── SysmonDataRecv/
│   │   │   ├── SysmonDataRecv.cpp
│   │   │   ├── SysmonDataRecv.vcxproj
│   │   │   ├── SysmonDataRecv.vcxproj.filters
│   │   │   ├── SysmonDataRecv.vcxproj.user
│   │   │   ├── pch.cpp
│   │   │   └── pch.h
│   │   └── SysmonDataRecv.sln
│   ├── bypass.xml
│   ├── bypass_edr.reg
│   └── readme.md
├── CriticalProcess/
│   ├── CriticalProcess/
│   │   ├── CriticalProcess.cpp
│   │   ├── CriticalProcess.vcxproj
│   │   ├── CriticalProcess.vcxproj.filters
│   │   ├── CriticalProcess.vcxproj.user
│   │   ├── pch.cpp
│   │   └── pch.h
│   └── CriticalProcess.sln
├── EnumAllHandles/
│   ├── EnumAllHandles/
│   │   ├── EnumAllHandles.cpp
│   │   ├── EnumAllHandles.vcxproj
│   │   ├── EnumAllHandles.vcxproj.filters
│   │   ├── EnumAllHandles.vcxproj.user
│   │   ├── pch.cpp
│   │   └── pch.h
│   └── EnumAllHandles.sln
├── Images/
│   └── readme.md
├── ImpersonateNtlmNegotiation/
│   ├── SSPI_Client/
│   │   ├── SSPI_Client/
│   │   │   ├── SSPI_Client.cpp
│   │   │   ├── SSPI_Client.vcxproj
│   │   │   ├── SSPI_Client.vcxproj.filters
│   │   │   ├── SSPI_Client.vcxproj.user
│   │   │   ├── SspiExample.h
│   │   │   ├── pch.cpp
│   │   │   └── pch.h
│   │   └── SSPI_Client.sln
│   └── SSPI_Server/
│       ├── SSPI_Server/
│       │   ├── SSPI_Server.cpp
│       │   ├── SSPI_Server.vcxproj
│       │   ├── SSPI_Server.vcxproj.filters
│       │   ├── SSPI_Server.vcxproj.user
│       │   ├── SspiExample.h
│       │   ├── pch.cpp
│       │   └── pch.h
│       └── SSPI_Server.sln
├── ImpersonationPipeLine/
│   ├── NamedPipeClient/
│   │   ├── NamedPipeClient/
│   │   │   ├── NamedPipeClient.cpp
│   │   │   ├── NamedPipeClient.vcxproj
│   │   │   ├── NamedPipeClient.vcxproj.filters
│   │   │   ├── NamedPipeClient.vcxproj.user
│   │   │   ├── pch.cpp
│   │   │   └── pch.h
│   │   └── NamedPipeClient.sln
│   └── NamedPipeServer/
│       ├── NamedPipeServer/
│       │   ├── NamedPipeServer.cpp
│       │   ├── NamedPipeServer.vcxproj
│       │   ├── NamedPipeServer.vcxproj.filters
│       │   ├── NamedPipeServer.vcxproj.user
│       │   ├── pch.cpp
│       │   └── pch.h
│       └── NamedPipeServer.sln
├── LICENSE
└── README.md

================================================
FILE CONTENTS
================================================

================================================
FILE: .gitignore
================================================
# Prerequisites
*.d

# Compiled Object files
*.slo
*.lo
*.o
*.obj

# Precompiled Headers
*.gch
*.pch

# Compiled Dynamic libraries
*.so
*.dylib
*.dll

# Fortran module files
*.mod
*.smod

# Compiled Static libraries
*.lai
*.la
*.a
*.lib

# Executables
*.exe
*.out
*.app

================================================
FILE: Bypass Sysmon With Updating Rules/SysmonRuleUpdateBypass/SysmonDataRecv/SysmonDataRecv.vcxproj
================================================
(MSBuild project file; the XML element names were lost in extraction. Recoverable settings: configurations Debug and Release for Win32 and x64; ToolsVersion 15.0; ProjectGuid {163AB816-2959-4671-B3EE-06948359766E}; Win32Proj; RootNamespace SysmonDataRecv; WindowsTargetPlatformVersion 10.0.18362.0; ConfigurationType Application; PlatformToolset v141; Unicode character set; warning level Level3; precompiled header pch.h; Console subsystem; Debug x64 uses the MultiThreadedDebug runtime and the additional library directory C:\Program Files (x86)\Microsoft Visual Studio 14.0\VC\lib\amd64.)

================================================
FILE: Bypass Sysmon With Updating Rules/SysmonRuleUpdateBypass/SysmonDataRecv/SysmonDataRecv.vcxproj.filters
================================================
(Visual Studio filter file; XML lost in extraction. Standard filters Source Files {4FC737F1-C7A5-4376-A066-2A32D752A2FF}, Header Files {93995380-89BD-4b04-88EB-625FBE52EBFB} and Resource Files {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}; one file under Header Files and two under Source Files.)

================================================
FILE: Bypass Sysmon With Updating Rules/SysmonRuleUpdateBypass/SysmonDataRecv/SysmonDataRecv.vcxproj.user
================================================
(empty per-user settings file)

================================================
FILE: Bypass Sysmon With Updating Rules/SysmonRuleUpdateBypass/SysmonDataRecv.sln
================================================
Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio 15
VisualStudioVersion = 15.0.28010.0
MinimumVisualStudioVersion = 10.0.40219.1
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "SysmonDataRecv", "SysmonDataRecv\SysmonDataRecv.vcxproj", "{163AB816-2959-4671-B3EE-06948359766E}"
EndProject
Global
    GlobalSection(SolutionConfigurationPlatforms) = preSolution
        Debug|x64 = Debug|x64
        Debug|x86 = Debug|x86
        Release|x64 = Release|x64
        Release|x86 = Release|x86
    EndGlobalSection
    GlobalSection(ProjectConfigurationPlatforms) = postSolution
        {163AB816-2959-4671-B3EE-06948359766E}.Debug|x64.ActiveCfg = Debug|x64
        {163AB816-2959-4671-B3EE-06948359766E}.Debug|x64.Build.0 = Debug|x64
        {163AB816-2959-4671-B3EE-06948359766E}.Debug|x86.ActiveCfg = Debug|Win32
        {163AB816-2959-4671-B3EE-06948359766E}.Debug|x86.Build.0 = Debug|Win32
        {163AB816-2959-4671-B3EE-06948359766E}.Release|x64.ActiveCfg = Release|x64
        {163AB816-2959-4671-B3EE-06948359766E}.Release|x64.Build.0 = Release|x64
        {163AB816-2959-4671-B3EE-06948359766E}.Release|x86.ActiveCfg = Release|Win32
        {163AB816-2959-4671-B3EE-06948359766E}.Release|x86.Build.0 = Release|Win32
    EndGlobalSection
    GlobalSection(SolutionProperties) = preSolution
        HideSolutionNode = FALSE
    EndGlobalSection
    GlobalSection(ExtensibilityGlobals) = postSolution
        SolutionGuid = {38AB2C15-8DBA-4B48-8593-B0603D0CBB68}
    EndGlobalSection
EndGlobal

================================================
FILE: Bypass Sysmon With Updating Rules/bypass.xml
================================================
(Sysmon configuration file; the XML element names were lost in extraction, so the rule structure cannot be recovered. The surviving text values, in order: md5,sha256 (the hash-algorithm list); C:\Windows\System32\BypassEDR.EDR1; C:\Windows\System32\BypassEDR.EDR2; C:\Windows\system32\BypassEDR.EDR; BypassEDR.EDR3; BypassEDR5; BypassEDR6; BypassEDR7; C:\Windows\system32\BypassEDR.EDR8; .bypassEDR.)

================================================
FILE: Bypass Sysmon With Updating Rules/readme.md
================================================
These are the files needed for the Sysmon bypass.

================================================
FILE: CriticalProcess/CriticalProcess/CriticalProcess.vcxproj
================================================
(MSBuild project file; the XML element names were lost in extraction. Recoverable settings: configurations Debug and Release for Win32 and x64; ToolsVersion 15.0; ProjectGuid {EDC75EF4-4628-48AD-9082-785B6A4CA959}; Win32Proj; RootNamespace CriticalProcess; WindowsTargetPlatformVersion 10.0.17763.0; ConfigurationType Application; PlatformToolset v141; Unicode character set; warning level Level3; precompiled header pch.h; Console subsystem; Debug Win32 uses the MultiThreadedDebug runtime and the additional library directory C:\Program Files (x86)\Microsoft Visual Studio 14.0\VC\lib.)

================================================
FILE: CriticalProcess/CriticalProcess/CriticalProcess.vcxproj.filters
================================================
(Visual Studio filter file; XML lost in extraction. Standard filters Source Files {4FC737F1-C7A5-4376-A066-2A32D752A2FF}, Header Files {93995380-89BD-4b04-88EB-625FBE52EBFB} and Resource Files {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}; one file under Header Files and two under Source Files.)

================================================
FILE: CriticalProcess/CriticalProcess/CriticalProcess.vcxproj.user
================================================
(empty per-user settings file)

================================================
FILE: CriticalProcess/CriticalProcess.sln
================================================
Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio 15
VisualStudioVersion = 15.0.28010.0
MinimumVisualStudioVersion = 10.0.40219.1
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "CriticalProcess", "CriticalProcess\CriticalProcess.vcxproj", "{EDC75EF4-4628-48AD-9082-785B6A4CA959}"
EndProject
Global
    GlobalSection(SolutionConfigurationPlatforms) = preSolution
        Debug|x64 = Debug|x64
        Debug|x86 = Debug|x86
        Release|x64 = Release|x64
        Release|x86 = Release|x86
    EndGlobalSection
    GlobalSection(ProjectConfigurationPlatforms) = postSolution
        {EDC75EF4-4628-48AD-9082-785B6A4CA959}.Debug|x64.ActiveCfg = Debug|x64
        {EDC75EF4-4628-48AD-9082-785B6A4CA959}.Debug|x64.Build.0 = Debug|x64
        {EDC75EF4-4628-48AD-9082-785B6A4CA959}.Debug|x86.ActiveCfg = Debug|Win32
        {EDC75EF4-4628-48AD-9082-785B6A4CA959}.Debug|x86.Build.0 = Debug|Win32
        {EDC75EF4-4628-48AD-9082-785B6A4CA959}.Release|x64.ActiveCfg = Release|x64
        {EDC75EF4-4628-48AD-9082-785B6A4CA959}.Release|x64.Build.0 = Release|x64
        {EDC75EF4-4628-48AD-9082-785B6A4CA959}.Release|x86.ActiveCfg = Release|Win32
        {EDC75EF4-4628-48AD-9082-785B6A4CA959}.Release|x86.Build.0 = Release|Win32
    EndGlobalSection
    GlobalSection(SolutionProperties) = preSolution
        HideSolutionNode = FALSE
    EndGlobalSection
    GlobalSection(ExtensibilityGlobals) = postSolution
        SolutionGuid = {DFED5742-9898-4620-AC1C-E19D3E0F4086}
    EndGlobalSection
EndGlobal

================================================
FILE: EnumAllHandles/EnumAllHandles/EnumAllHandles.vcxproj
================================================
(MSBuild project file; the XML element names were lost in extraction. Recoverable settings: configurations Debug and Release for Win32 and x64; ToolsVersion 15.0; ProjectGuid {D9AF087A-D2A1-4533-A034-D94759B7796B}; Win32Proj; RootNamespace EnumAllHandles; WindowsTargetPlatformVersion 10.0.17763.0; ConfigurationType Application; PlatformToolset v141; Unicode character set; warning level Level3; precompiled header pch.h; Console subsystem; Release x64 adds the library directory C:\Program Files (x86)\Microsoft Visual Studio 14.0\VC\lib\amd64.)

================================================
FILE: EnumAllHandles/EnumAllHandles/EnumAllHandles.vcxproj.filters
================================================
(Visual Studio filter file; XML lost in extraction. Standard filters Source Files {4FC737F1-C7A5-4376-A066-2A32D752A2FF}, Header Files {93995380-89BD-4b04-88EB-625FBE52EBFB} and Resource Files {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}; one file under Header Files and two under Source Files.)

================================================
FILE: EnumAllHandles/EnumAllHandles/EnumAllHandles.vcxproj.user
================================================
(empty per-user settings file)

================================================
FILE: EnumAllHandles/EnumAllHandles.sln
================================================
Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio 15
VisualStudioVersion = 15.0.28010.0
MinimumVisualStudioVersion = 10.0.40219.1
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "EnumAllHandles", "EnumAllHandles\EnumAllHandles.vcxproj", "{D9AF087A-D2A1-4533-A034-D94759B7796B}"
EndProject
Global
    GlobalSection(SolutionConfigurationPlatforms) = preSolution
        Debug|x64 = Debug|x64
        Debug|x86 = Debug|x86
        Release|x64 = Release|x64
        Release|x86 = Release|x86
    EndGlobalSection
    GlobalSection(ProjectConfigurationPlatforms) = postSolution
        {D9AF087A-D2A1-4533-A034-D94759B7796B}.Debug|x64.ActiveCfg = Debug|x64
        {D9AF087A-D2A1-4533-A034-D94759B7796B}.Debug|x64.Build.0 = Debug|x64
        {D9AF087A-D2A1-4533-A034-D94759B7796B}.Debug|x86.ActiveCfg = Debug|Win32
        {D9AF087A-D2A1-4533-A034-D94759B7796B}.Debug|x86.Build.0 = Debug|Win32
        {D9AF087A-D2A1-4533-A034-D94759B7796B}.Release|x64.ActiveCfg = Release|x64
        {D9AF087A-D2A1-4533-A034-D94759B7796B}.Release|x64.Build.0 = Release|x64
        {D9AF087A-D2A1-4533-A034-D94759B7796B}.Release|x86.ActiveCfg = Release|Win32
        {D9AF087A-D2A1-4533-A034-D94759B7796B}.Release|x86.Build.0 = Release|Win32
    EndGlobalSection
    GlobalSection(SolutionProperties) = preSolution
        HideSolutionNode = FALSE
    EndGlobalSection
    GlobalSection(ExtensibilityGlobals) = postSolution
        SolutionGuid = {DE0B4417-B1B6-4AF3-B1E3-333C6FECB671}
    EndGlobalSection
EndGlobal

================================================
FILE: Images/readme.md
================================================
list of images

================================================
FILE: ImpersonateNtlmNegotiation/SSPI_Client/SSPI_Client/SSPI_Client.vcxproj
================================================
(MSBuild project file; the XML element names were lost in extraction. Recoverable settings: configurations Debug and Release for Win32 and x64; ToolsVersion 15.0; ProjectGuid {1E5D8131-82F4-4C28-AF3B-3D7FCD7F1366}; Win32Proj; RootNamespace SSPIClient; WindowsTargetPlatformVersion 10.0.17763.0; ConfigurationType Application; PlatformToolset v141; Unicode character set; warning level Level3; precompiled header pch.h; Console subsystem; Debug Win32 and Release Win32 add the library directory C:\Program Files (x86)\Microsoft Visual Studio 14.0\VC\lib.)

================================================
FILE: ImpersonateNtlmNegotiation/SSPI_Client/SSPI_Client/SSPI_Client.vcxproj.filters
================================================
(Visual Studio filter file; XML lost in extraction. Standard filters Source Files {4FC737F1-C7A5-4376-A066-2A32D752A2FF}, Header Files {93995380-89BD-4b04-88EB-625FBE52EBFB} and Resource Files {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}; two files under Header Files and two under Source Files.)

================================================
FILE: ImpersonateNtlmNegotiation/SSPI_Client/SSPI_Client/SSPI_Client.vcxproj.user
================================================
(empty per-user settings file)

================================================
FILE: ImpersonateNtlmNegotiation/SSPI_Client/SSPI_Client/SspiExample.h
================================================
#pragma once
// SspiExample.h
// The names of the two includes were lost in extraction; <windows.h> and <security.h> are the
// headers these prototypes need (SECURITY_WIN32 must be defined before <security.h>) and are
// restored here as an assumption.
#include <windows.h>
#include <security.h>

BOOL SendMsg(SOCKET s, PBYTE pBuf, DWORD cbBuf);
BOOL ReceiveMsg(SOCKET s, PBYTE pBuf, DWORD cbBuf, DWORD *pcbRead);
BOOL SendBytes(SOCKET s, PBYTE pBuf, DWORD cbBuf);
BOOL ReceiveBytes(SOCKET s, PBYTE pBuf, DWORD cbBuf, DWORD *pcbRead);
void cleanup();

BOOL GenClientContext(
    BYTE *pIn, DWORD cbIn, BYTE *pOut, DWORD *pcbOut, BOOL *pfDone,
    CHAR *pszTarget, CredHandle *hCred, struct _SecHandle *hcText);
BOOL GenServerContext(
    BYTE *pIn, DWORD cbIn, BYTE *pOut, DWORD *pcbOut, BOOL *pfDone,
    BOOL fNewCredential);

BOOL EncryptThis(PBYTE pMessage, ULONG cbMessage, BYTE **ppOutput, LPDWORD pcbOutput, ULONG securityTrailer);
PBYTE DecryptThis(PBYTE achData, LPDWORD pcbMessage, _SecHandle *hCtxt, ULONG cbSecurityTrailer);
BOOL SignThis(PBYTE pMessage, ULONG cbMessage, BYTE **ppOutput, LPDWORD pcbOutput);
PBYTE VerifyThis(PBYTE pBuffer, LPDWORD pcbMessage, _SecHandle *hCtxt, ULONG cbMaxSignature);

void PrintHexDump(DWORD length, PBYTE buffer);
BOOL ConnectAuthSocket(SOCKET *s, CredHandle *hCred, _SecHandle *hcText);
BOOL CloseAuthSocket(SOCKET s);
BOOL DoAuthentication(SOCKET s);
void MyHandleError(char *s);

================================================
FILE: ImpersonateNtlmNegotiation/SSPI_Client/SSPI_Client.sln
================================================
Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio 15
VisualStudioVersion = 15.0.28010.0
MinimumVisualStudioVersion = 10.0.40219.1
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "SSPI_Client", "SSPI_Client\SSPI_Client.vcxproj", "{1E5D8131-82F4-4C28-AF3B-3D7FCD7F1366}"
EndProject
Global
    GlobalSection(SolutionConfigurationPlatforms) = preSolution
        Debug|x64 = Debug|x64
        Debug|x86 = Debug|x86
        Release|x64 = Release|x64
        Release|x86 = Release|x86
    EndGlobalSection
    GlobalSection(ProjectConfigurationPlatforms) = postSolution
        {1E5D8131-82F4-4C28-AF3B-3D7FCD7F1366}.Debug|x64.ActiveCfg = Debug|x64
        {1E5D8131-82F4-4C28-AF3B-3D7FCD7F1366}.Debug|x64.Build.0 = Debug|x64
        {1E5D8131-82F4-4C28-AF3B-3D7FCD7F1366}.Debug|x86.ActiveCfg = Debug|Win32
        {1E5D8131-82F4-4C28-AF3B-3D7FCD7F1366}.Debug|x86.Build.0 = Debug|Win32
        {1E5D8131-82F4-4C28-AF3B-3D7FCD7F1366}.Release|x64.ActiveCfg = Release|x64
        {1E5D8131-82F4-4C28-AF3B-3D7FCD7F1366}.Release|x64.Build.0 = Release|x64
        {1E5D8131-82F4-4C28-AF3B-3D7FCD7F1366}.Release|x86.ActiveCfg = Release|Win32
        {1E5D8131-82F4-4C28-AF3B-3D7FCD7F1366}.Release|x86.Build.0 = Release|Win32
    EndGlobalSection
    GlobalSection(SolutionProperties) = preSolution
        HideSolutionNode = FALSE
    EndGlobalSection
    GlobalSection(ExtensibilityGlobals) = postSolution
        SolutionGuid = {BCC7D16C-6F77-48D2-824E-5692FA004665}
    EndGlobalSection
EndGlobal

================================================
FILE: ImpersonateNtlmNegotiation/SSPI_Server/SSPI_Server/SSPI_Server.vcxproj
================================================
(MSBuild project file; the XML element names were lost in extraction. Recoverable settings: configurations Debug and Release for Win32 and x64; ToolsVersion 15.0; ProjectGuid {0F287824-4459-459B-BD6B-7D206600132F}; Win32Proj; RootNamespace SSPIServer; WindowsTargetPlatformVersion 10.0.17763.0; ConfigurationType Application; PlatformToolset v141; Unicode character set; warning level Level3; precompiled header pch.h; Console subsystem; Debug Win32 adds the library directory C:\Program Files (x86)\Microsoft Visual Studio 14.0\VC\lib.)

================================================
FILE: ImpersonateNtlmNegotiation/SSPI_Server/SSPI_Server/SSPI_Server.vcxproj.filters
================================================
(Visual Studio filter file; XML lost in extraction. Standard filters Source Files {4FC737F1-C7A5-4376-A066-2A32D752A2FF}, Header Files {93995380-89BD-4b04-88EB-625FBE52EBFB} and Resource Files {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}; two files under Header Files and two under Source Files.)

================================================
FILE: ImpersonateNtlmNegotiation/SSPI_Server/SSPI_Server/SSPI_Server.vcxproj.user
================================================
(empty per-user settings file)

================================================
FILE: ImpersonateNtlmNegotiation/SSPI_Server/SSPI_Server/SspiExample.h
================================================
#pragma once
// SspiExample.h
// The names of the two includes were lost in extraction; <windows.h> and <security.h> are the
// headers these prototypes need (SECURITY_WIN32 must be defined before <security.h>) and are
// restored here as an assumption. A duplicated "#pragma once" has been removed.
#include <windows.h>
#include <security.h>

BOOL SendMsg(SOCKET s, PBYTE pBuf, DWORD cbBuf);
BOOL ReceiveMsg(SOCKET s, PBYTE pBuf, DWORD cbBuf, DWORD *pcbRead);
BOOL SendBytes(SOCKET s, PBYTE pBuf, DWORD cbBuf);
BOOL ReceiveBytes(SOCKET s, PBYTE pBuf, DWORD cbBuf, DWORD *pcbRead);
void cleanup();

BOOL GenClientContext(
    BYTE *pIn, DWORD cbIn, BYTE *pOut, DWORD *pcbOut, BOOL *pfDone,
    CHAR *pszTarget, CredHandle *hCred, struct _SecHandle *hcText);
BOOL GenServerContext(
    BYTE *pIn, DWORD cbIn, BYTE *pOut, DWORD *pcbOut, BOOL *pfDone,
    BOOL fNewCredential);

BOOL EncryptThis(PBYTE pMessage, ULONG cbMessage, BYTE **ppOutput, LPDWORD pcbOutput, ULONG securityTrailer);
PBYTE DecryptThis(PBYTE achData, LPDWORD pcbMessage, struct _SecHandle *hCtxt, ULONG cbSecurityTrailer);
BOOL SignThis(PBYTE pMessage, ULONG cbMessage, BYTE **ppOutput, LPDWORD pcbOutput);
PBYTE VerifyThis(PBYTE pBuffer, LPDWORD pcbMessage, struct _SecHandle *hCtxt, ULONG cbMaxSignature);

void PrintHexDump(DWORD length, PBYTE buffer);
BOOL ConnectAuthSocket(SOCKET *s, CredHandle *hCred, struct _SecHandle *hcText);
BOOL CloseAuthSocket(SOCKET s);
BOOL DoAuthentication(SOCKET s);
void MyHandleError(char *s);

================================================
FILE: ImpersonateNtlmNegotiation/SSPI_Server/SSPI_Server.sln
================================================
Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio 15
VisualStudioVersion = 15.0.28010.0
MinimumVisualStudioVersion = 10.0.40219.1
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "SSPI_Server", "SSPI_Server\SSPI_Server.vcxproj", "{0F287824-4459-459B-BD6B-7D206600132F}"
EndProject
Global
    GlobalSection(SolutionConfigurationPlatforms) = preSolution
        Debug|x64 = Debug|x64
        Debug|x86 = Debug|x86
        Release|x64 = Release|x64
        Release|x86 = Release|x86
    EndGlobalSection
    GlobalSection(ProjectConfigurationPlatforms) = postSolution
        {0F287824-4459-459B-BD6B-7D206600132F}.Debug|x64.ActiveCfg = Debug|x64
        {0F287824-4459-459B-BD6B-7D206600132F}.Debug|x64.Build.0 = Debug|x64
        {0F287824-4459-459B-BD6B-7D206600132F}.Debug|x86.ActiveCfg = Debug|Win32
        {0F287824-4459-459B-BD6B-7D206600132F}.Debug|x86.Build.0 = Debug|Win32
        {0F287824-4459-459B-BD6B-7D206600132F}.Release|x64.ActiveCfg = Release|x64
        {0F287824-4459-459B-BD6B-7D206600132F}.Release|x64.Build.0 = Release|x64
        {0F287824-4459-459B-BD6B-7D206600132F}.Release|x86.ActiveCfg = Release|Win32
        {0F287824-4459-459B-BD6B-7D206600132F}.Release|x86.Build.0 = Release|Win32
    EndGlobalSection
    GlobalSection(SolutionProperties) = preSolution
        HideSolutionNode = FALSE
    EndGlobalSection
    GlobalSection(ExtensibilityGlobals) = postSolution
        SolutionGuid = {F2CED5A8-F349-4ADF-ACE5-D9171A54E248}
    EndGlobalSection
EndGlobal

================================================
FILE: ImpersonationPipeLine/NamedPipeClient/NamedPipeClient/NamedPipeClient.vcxproj
================================================
(MSBuild project file; the XML element names were lost in extraction. Recoverable settings: configurations Debug and Release for Win32 and x64; ToolsVersion 15.0; ProjectGuid {CFB43636-5FE4-4630-A4E6-D38594B5528C}; Win32Proj; RootNamespace NamedPipeClient; WindowsTargetPlatformVersion 10.0.17763.0; ConfigurationType Application; PlatformToolset v141; Unicode character set; warning level Level3; precompiled header pch.h; Console subsystem; Debug Win32 adds the library directory C:\Program Files (x86)\Microsoft Visual Studio 14.0\VC\lib.)

================================================
FILE: ImpersonationPipeLine/NamedPipeClient/NamedPipeClient/NamedPipeClient.vcxproj.filters
================================================
(Visual Studio filter file; XML lost in extraction. Standard filters Source Files {4FC737F1-C7A5-4376-A066-2A32D752A2FF}, Header Files {93995380-89BD-4b04-88EB-625FBE52EBFB} and Resource Files {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}; one file under Header Files and two under Source Files.)

================================================
FILE: ImpersonationPipeLine/NamedPipeClient/NamedPipeClient/NamedPipeClient.vcxproj.user
================================================
(empty per-user settings file)

================================================
FILE: ImpersonationPipeLine/NamedPipeClient/NamedPipeClient.sln
================================================
Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio 15
VisualStudioVersion = 15.0.28010.0
MinimumVisualStudioVersion = 10.0.40219.1
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "NamedPipeClient", "NamedPipeClient\NamedPipeClient.vcxproj", "{CFB43636-5FE4-4630-A4E6-D38594B5528C}"
EndProject
Global
    GlobalSection(SolutionConfigurationPlatforms) = preSolution
        Debug|x64 = Debug|x64
        Debug|x86 = Debug|x86
        Release|x64 = Release|x64
        Release|x86 = Release|x86
    EndGlobalSection
    GlobalSection(ProjectConfigurationPlatforms) = postSolution
        {CFB43636-5FE4-4630-A4E6-D38594B5528C}.Debug|x64.ActiveCfg = Debug|x64
        {CFB43636-5FE4-4630-A4E6-D38594B5528C}.Debug|x64.Build.0 = Debug|x64
        {CFB43636-5FE4-4630-A4E6-D38594B5528C}.Debug|x86.ActiveCfg = Debug|Win32
        {CFB43636-5FE4-4630-A4E6-D38594B5528C}.Debug|x86.Build.0 = Debug|Win32
        {CFB43636-5FE4-4630-A4E6-D38594B5528C}.Release|x64.ActiveCfg = Release|x64
        {CFB43636-5FE4-4630-A4E6-D38594B5528C}.Release|x64.Build.0 = Release|x64
        {CFB43636-5FE4-4630-A4E6-D38594B5528C}.Release|x86.ActiveCfg = Release|Win32
        {CFB43636-5FE4-4630-A4E6-D38594B5528C}.Release|x86.Build.0 = Release|Win32
    EndGlobalSection
    GlobalSection(SolutionProperties) = preSolution
        HideSolutionNode = FALSE
    EndGlobalSection
    GlobalSection(ExtensibilityGlobals) = postSolution
        SolutionGuid = {0C852107-1C2D-4ED7-B1C7-A599EFD80F82}
    EndGlobalSection
EndGlobal

================================================
FILE: ImpersonationPipeLine/NamedPipeServer/NamedPipeServer/NamedPipeServer.vcxproj
================================================
(MSBuild project file; the XML element names were lost in extraction. Recoverable settings: configurations Debug and Release for Win32 and x64; ToolsVersion 15.0; ProjectGuid {269A4535-78A0-4736-ABFB-B944F625CC53}; Win32Proj; RootNamespace NamedPipeServer; WindowsTargetPlatformVersion 10.0.17763.0; ConfigurationType Application; PlatformToolset v141; Unicode character set; warning level Level3; precompiled header pch.h; Console subsystem; Debug Win32 adds the library directory C:\Program Files (x86)\Microsoft Visual Studio 14.0\VC\lib.)

================================================
FILE: ImpersonationPipeLine/NamedPipeServer/NamedPipeServer/NamedPipeServer.vcxproj.filters
================================================
(Visual Studio filter file; XML lost in extraction. Standard filters Source Files {4FC737F1-C7A5-4376-A066-2A32D752A2FF}, Header Files {93995380-89BD-4b04-88EB-625FBE52EBFB} and Resource Files {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}; one file under Header Files and two under Source Files.)

================================================
FILE: ImpersonationPipeLine/NamedPipeServer/NamedPipeServer/NamedPipeServer.vcxproj.user
================================================
(empty per-user settings file)

================================================
FILE: ImpersonationPipeLine/NamedPipeServer/NamedPipeServer.sln
================================================
Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio 15
VisualStudioVersion = 15.0.28010.0
MinimumVisualStudioVersion = 10.0.40219.1
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "NamedPipeServer", "NamedPipeServer\NamedPipeServer.vcxproj", "{269A4535-78A0-4736-ABFB-B944F625CC53}"
EndProject
Global
    GlobalSection(SolutionConfigurationPlatforms) = preSolution
        Debug|x64 = Debug|x64
        Debug|x86 = Debug|x86
        Release|x64 = Release|x64
        Release|x86 = Release|x86
    EndGlobalSection
    GlobalSection(ProjectConfigurationPlatforms) = postSolution
        {269A4535-78A0-4736-ABFB-B944F625CC53}.Debug|x64.ActiveCfg = Debug|x64
        {269A4535-78A0-4736-ABFB-B944F625CC53}.Debug|x64.Build.0 = Debug|x64
        {269A4535-78A0-4736-ABFB-B944F625CC53}.Debug|x86.ActiveCfg = Debug|Win32
        {269A4535-78A0-4736-ABFB-B944F625CC53}.Debug|x86.Build.0 = Debug|Win32
        {269A4535-78A0-4736-ABFB-B944F625CC53}.Release|x64.ActiveCfg = Release|x64
        {269A4535-78A0-4736-ABFB-B944F625CC53}.Release|x64.Build.0 = Release|x64
        {269A4535-78A0-4736-ABFB-B944F625CC53}.Release|x86.ActiveCfg = Release|Win32
        {269A4535-78A0-4736-ABFB-B944F625CC53}.Release|x86.Build.0 = Release|Win32
    EndGlobalSection
    GlobalSection(SolutionProperties) = preSolution
        HideSolutionNode = FALSE
    EndGlobalSection
    GlobalSection(ExtensibilityGlobals) = postSolution
        SolutionGuid = {E299369B-490F-47F1-9A2F-E0AE46615254}
    EndGlobalSection
EndGlobal

================================================
FILE: LICENSE
================================================
MIT License

Copyright (c) 2019 Sina Karvandi

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

================================================
FILE: README.md
================================================
# Process-Magics

This is a collection of interesting code samples about Windows process creation.

## CriticalProcess

This program enables SeDebugPrivilege and then marks its own process as a Windows critical process. If the process is then killed or closed for any reason, a blue screen appears, because that is how Windows treats the termination of a critical process.

## EnumAllHandles

This program enumerates all the handles of all processes using a call to the native API NtQuerySystemInformation.

## ImpersonateNtlmNegotiation

This program is a client-server example of how a server can impersonate its client over an SSPI connection using ImpersonateSecurityContext.

## ImpersonationPipeLine

This program is a client-server example of how a server can impersonate its client over a named pipe connection using ImpersonateNamedPipeClient.

## Bypass Sysmon With Updating Rules

This project aims to bypass Sysmon's event 16 ("Sysmon config state changed") by sending the rule-update IOCTL directly to Sysmon's driver; as a result, Sysmon is completely bypassed.
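The CriticalProcess sample above sets the "break on termination" flag on itself. The hunting script below is an added example, not code from the Process-Magics repository: it walks every process and reads that same flag back through NtQueryInformationProcess (information class ProcessBreakOnTermination, value 29), so a defender can list which processes on a host have made themselves critical. The class name NativeProc and the output shape are this example's own choices.

```powershell
# Added example (not part of the Process-Magics repository): list processes that carry the
# critical / break-on-termination flag. Constants are the documented PROCESSINFOCLASS value
# and the OpenProcess access right; NativeProc is a name chosen for this script.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class NativeProc {
    public const int PROCESS_QUERY_INFORMATION = 0x0400;
    public const int ProcessBreakOnTermination  = 29;   // PROCESSINFOCLASS 0x1D

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(int desiredAccess, bool inheritHandle, int processId);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr handle);

    [DllImport("ntdll.dll")]
    public static extern int NtQueryInformationProcess(IntPtr handle, int infoClass,
        out int info, int infoLength, out int returnLength);
}
"@

function Get-CriticalProcess {
    # One object per process. Processes that cannot be opened are reported with Queried = $false
    # instead of being skipped, so a hunt run without SeDebugPrivilege shows its own blind spots.
    foreach ($p in Get-Process) {
        $h = [NativeProc]::OpenProcess([NativeProc]::PROCESS_QUERY_INFORMATION, $false, $p.Id)
        if ($h -eq [IntPtr]::Zero) {
            [pscustomobject]@{ Id = $p.Id; Name = $p.ProcessName; Queried = $false; Critical = $null }
            continue
        }
        try {
            $flag = 0
            $returned = 0
            $status = [NativeProc]::NtQueryInformationProcess($h, [NativeProc]::ProcessBreakOnTermination,
                [ref]$flag, 4, [ref]$returned)
            [pscustomobject]@{
                Id       = $p.Id
                Name     = $p.ProcessName
                Queried  = ($status -eq 0)          # NTSTATUS 0 = STATUS_SUCCESS
                Critical = ($status -eq 0 -and $flag -ne 0)
            }
        } finally {
            [void][NativeProc]::CloseHandle($h)
        }
    }
}

# Usage: show the critical processes, then how many could not be inspected.
$all = Get-CriticalProcess
$all | Where-Object Critical | Format-Table Id, Name -AutoSize
$blind = @($all | Where-Object { -not $_.Queried }).Count
"$blind process(es) could not be opened; re-run elevated (SeDebugPrivilege) for full coverage"
```

A handful of core Windows processes such as csrss.exe and wininit.exe legitimately report the flag; any other hit, in particular a binary outside System32 or an unsigned one, is worth investigating, because the only thing the flag buys a non-system process is that killing it takes the machine down with it.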
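The ImpersonationPipeLine sample above shows the server calling ImpersonateNamedPipeClient. The mitigation lives on the other side of the pipe: the impersonation level the client requests when it opens the pipe (SECURITY_SQOS_PRESENT with SECURITY_IDENTIFICATION versus SECURITY_IMPERSONATION at the Win32 level) caps what the server can do with the resulting token. The script below is an added example, not code from the repository: it runs a throwaway server in a background job, connects a client at a chosen level through .NET's NamedPipeClientStream constructor that takes a TokenImpersonationLevel, and has the server report the level of the token it actually obtained. The pipe name, the message text and the function name are constructed for this demo.

```powershell
# Added example (not part of the Process-Magics repository): the named-pipe client, not the
# server, decides how far ImpersonateNamedPipeClient can go. Pipe name and message are made up.
function Invoke-PipeImpersonationDemo {
    param([System.Security.Principal.TokenImpersonationLevel]$Level)

    $pipeName = 'ProcessMagicsDemo-' + [guid]::NewGuid().ToString('N')

    # Server side, in a background job: accept one client, read its line, impersonate, report.
    $serverJob = Start-Job -ArgumentList $pipeName -ScriptBlock {
        param($pipeName)
        $server = New-Object -TypeName System.IO.Pipes.NamedPipeServerStream -ArgumentList $pipeName, ([System.IO.Pipes.PipeDirection]::InOut)
        $server.WaitForConnection()
        # ImpersonateNamedPipeClient fails with ERROR_CANNOT_IMPERSONATE until the server has
        # read from the pipe, so the client's line is consumed before impersonating.
        $reader = New-Object -TypeName System.IO.StreamReader -ArgumentList $server
        $line = $reader.ReadLine()
        $report = New-Object -TypeName 'System.Collections.Generic.List[string]'
        $server.RunAsClient([System.IO.Pipes.PipeStreamImpersonationWorker]{
            # Inside the worker the thread holds the client's token; record what it allows.
            $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
            $report.Add(('client said "{0}"; token user={1}; level={2}' -f $line, $id.Name, $id.ImpersonationLevel))
        })
        $server.Dispose()
        $report
    }

    # Client side: the fifth constructor argument is the cap the server cannot exceed.
    $client = New-Object -TypeName System.IO.Pipes.NamedPipeClientStream -ArgumentList '.', $pipeName, ([System.IO.Pipes.PipeDirection]::InOut), ([System.IO.Pipes.PipeOptions]::None), $Level
    try {
        $client.Connect(15000)            # waits until the job has created the pipe
        $writer = New-Object -TypeName System.IO.StreamWriter -ArgumentList $client
        $writer.AutoFlush = $true
        $writer.WriteLine('hello')
        $null = Wait-Job -Job $serverJob -Timeout 30
        Receive-Job -Job $serverJob
    } finally {
        $client.Dispose()
        Remove-Job -Job $serverJob -Force
    }
}

# Usage: identical server code, different outcome, decided purely by the client's request.
Invoke-PipeImpersonationDemo -Level Identification   # server can inspect the token, not act as the user
Invoke-PipeImpersonationDemo -Level Impersonation    # server can open local resources as the user
```

When reviewing a client that talks to a pipe it does not fully trust, this constructor argument (or the SECURITY_SQOS_PRESENT flags in a raw CreateFile call) is the line to look for; the default for a client that passes nothing is impersonation, which is exactly what the server sample relies on.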
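The Sysmon section above says the rule update reaches the driver through its IOCTL without the usual event 16 being written, and the project ships bypass_edr.reg next to the IOCTL sender, which suggests the new rules land in the registry before the driver is told to reload. The script below is an added defender-side check, not code from the repository: it fingerprints the compiled rule blob Sysmon keeps in the registry, compares it with a saved baseline, and, when the blob has changed, asks whether any event 16 was logged in the meantime. Assumptions: the driver kept its default service name SysmonDrv and stores its rules in the binary Rules value under that key (adjust the path if the driver was installed under another name); the baseline file path and the function names are this example's own.

```powershell
# Added example (not part of the Process-Magics repository): detect a Sysmon rule change that
# produced no "config state changed" event. Run elevated. Registry location is an assumption
# about the default installation; the baseline path is made up for this script.
$DriverParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\SysmonDrv\Parameters'
$BaselinePath = Join-Path $env:ProgramData 'sysmon-rules-baseline.json'
$SysmonLog    = 'Microsoft-Windows-Sysmon/Operational'

function Get-SysmonRuleFingerprint {
    # Hash the raw rule blob the driver reads, not the XML the operator believes is loaded.
    $params = Get-ItemProperty -Path $DriverParams -ErrorAction Stop
    $rules  = [byte[]]$params.Rules
    $sha256 = [System.Security.Cryptography.SHA256]::Create()
    try   { $digest = ($sha256.ComputeHash($rules) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $sha256.Dispose() }
    [pscustomobject]@{
        RulesSha256 = $digest
        RulesBytes  = $rules.Length
        CapturedAt  = (Get-Date).ToUniversalTime().ToString('o')
    }
}

function Save-SysmonRuleBaseline {
    # Call this right after a legitimate "sysmon -c <config>" so the baseline is the intended rule set.
    Get-SysmonRuleFingerprint | ConvertTo-Json | Set-Content -Path $BaselinePath
}

function Test-SysmonRuleDrift {
    $baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
    $current  = Get-SysmonRuleFingerprint
    $changed  = $current.RulesSha256 -ne $baseline.RulesSha256
    $since    = ([datetime]$baseline.CapturedAt).ToLocalTime()

    # Event 16 = "Sysmon config state changed". Get-WinEvent raises an error when nothing
    # matches, which here simply means "no event", hence SilentlyContinue.
    $events = @(Get-WinEvent -FilterHashtable @{ LogName = $SysmonLog; Id = 16; StartTime = $since } -ErrorAction SilentlyContinue)

    if (-not $changed)            { $verdict = 'unchanged' }
    elseif ($events.Count -gt 0)  { $verdict = 'changed, event 16 present: confirm an operator did it' }
    else                          { $verdict = 'changed with NO event 16: possible direct driver update' }

    [pscustomobject]@{
        BaselineSha256 = $baseline.RulesSha256
        CurrentSha256  = $current.RulesSha256
        Event16Since   = $events.Count
        Verdict        = $verdict
    }
}

# Usage: create the baseline once after deploying the intended config, then schedule the test.
if (-not (Test-Path $BaselinePath)) { Save-SysmonRuleBaseline }
Test-SysmonRuleDrift
```

Two caveats follow from what the check actually compares. It only sees changes that reach the registry blob, so a variant that fed rules to the driver without touching the registry would need a different sensor (for example, a driver-side view of the loaded configuration). And a baseline stored on the same host can be rewritten by whoever rewrote the rules, so in practice the fingerprint should be shipped to the SIEM and compared there rather than trusted locally.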