[
  {
    "path": ".gitattributes",
    "content": "# Auto detect text files and perform LF normalization\n* text=auto\n"
  },
  {
    "path": "Outflank-Recon-AD/Recon-AD.cna",
    "content": "#Recon-AD\n#author Cornelis de Plaa\n#@outflank.nl\n\n#Using Active Directory Service Interfaces (ADSI) to query Active Directory objects and corresponding attributes.\n\n#register help\nbeacon_command_register(\"Recon-AD-Domain\", \"Using Active Directory Domain Services to enumerate domain information.\",\n\t\"Using Active Directory Domain Services to enumerate domain information.\\n\\n\" .\n\t\"Synopsis: Recon-AD-Domain\\n\\n\");\n\nbeacon_command_register(\"Recon-AD-Users\", \"Use ADSI to query Active Directory user objects and attributes.\",\n\t\"Use Active Directory Service Interfaces (ADSI) to query user objects and corresponding attributes.\\n\\n\" .\n\t\"Synopsis: Recon-AD-Users [username], to query a specific user object including attributes.\\n\" .\n\t\"          Recon-AD-Users [*admin*], to query for usernames containing admin.\\n\" .\n\t\"          Recon-AD-Users All, to query all user objects including attributes.\\n\");\n\nbeacon_command_register(\"Recon-AD-Computers\", \"Use ADSI to query Active Directory computer objects and attributes.\",\n\t\"Use Active Directory Service Interfaces (ADSI) to query computer objects and corresponding attributes.\\n\\n\" .\n\t\"Synopsis: Recon-AD-Computers [computername], to query a specific computer object including attributes.\\n\" .\n\t\"          Recon-AD-Computers [*dc*], to query for computernames containing dc.\\n\" .\n\t\"          Recon-AD-Computers All, to query all computer objects including attributes.\\n\");\n\nbeacon_command_register(\"Recon-AD-Groups\", \"Use ADSI to query Active Directory group objects and attributes.\",\n\t\"Use Active Directory Service Interfaces (ADSI) to query group objects and corresponding attributes.\\n\\n\" .\n\t\"Synopsis: Recon-AD-Groups [groupname], to query a specific group object including attributes.\\n\" .\n\t\"          Recon-AD-Groups [*admin*], to query for groupnames containing admin.\\n\" .\n\t\"          Recon-AD-Groups All, to query all group 
objects including attributes.\\n\");\n\nbeacon_command_register(\"Recon-AD-LocalGroups\", \"Use ADSI to query a computer for specific localgroups.\",\n\t\"Use Active Directory Service Interfaces (ADSI) to query a computer for specific localgroups (default Administrators group).\\n\\n\" .\n\t\"Synopsis: Recon-AD-LocalGroups [computername] [groupname], to query a specific computer and localgroup.\\n\");\n\nbeacon_command_register(\"Recon-AD-AllLocalGroups\", \"Use ADSI to query a computer for all localgroups.\",\n\t\"Use Active Directory Service Interfaces (ADSI) to query a computer for all localgroups.\\n\\n\" .\n\t\"Synopsis: Recon-AD-AllLocalGroups [computername], to query a specific computer for all localgroups.\\n\");\n\nbeacon_command_register(\"Recon-AD-SPNs\", \"Use ADSI to query Active Directory user objects with Service Principal Names (SPN) configured.\",\n\t\"Use Active Directory Service Interfaces (ADSI) to query user objects with Service Principal Names (SPN) configured.\\n\\n\" .\n\t\"Synopsis: Recon-AD-SPNs\\n\\n\");\n\n\nalias Recon-AD-Domain {\n\t$bid = $1;\n\tblog($bid, \"Let's enumerate the domain\\n\");\n\tbdllspawn($bid, script_resource(\"Recon-AD-Domain.dll\"), \"\", \"Recon-AD-Domain\", 5000, false);\n}\n\nalias Recon-AD-Users {\n\t$bid = $1;\n\n\t$input = substr($0, 15);\n\t@args = split(' ', $input);\n\n\t$object = @args[0];\n\n\tif ($object eq \"\") {\n\t\tberror($bid, \"Please specify a username or all.\");\n\t\treturn;\n\t}\n\telse if ($object eq \"all\") {\n\t\tblog($bid, \"Let's enumerate all users\\n\");\n\t\tbdllspawn($bid, script_resource(\"Recon-AD-Users.dll\"), \"\", \"Recon-AD-Users\", 5000, false);\n\t}\n\telse{\n\t\t$param = \"(sAMAccountName=\" . $object . \")\";\n\t\tblog($bid, \"Let's enumerate user \" . $object . 
\"\\n\");\n\t\tbdllspawn($bid, script_resource(\"Recon-AD-Users.dll\"), $param, \"Recon-AD-Users\", 5000, false);\n\t}\n}\n\nalias Recon-AD-Computers {\n\t$bid = $1;\n\n\t$input = substr($0, 19);\n\t@args = split(' ', $input);\n\n\t$object = @args[0];\n\n\tif ($object eq \"\") {\n\t\tberror($bid, \"Please specify a computername or all.\");\n\t\treturn;\n\t}\n\telse if ($object eq \"all\") {\n\t\tblog($bid, \"Let's enumerate all computers\\n\");\n\t\tbdllspawn($1, script_resource(\"Recon-AD-Computers.dll\"), \"\", \"Recon-AD-Computers\", 5000, false);\n\t}\n\telse {\n\t\t$param = \"(cn=\" . $object . \")\";\n\t\tblog($bid, \"Let's enumerate computer \" . $object . \"\\n\");\n\t\tbdllspawn($1, script_resource(\"Recon-AD-Computers.dll\"), $param, \"Recon-AD-Computers\", 5000, false);\n\t}\n}\n\nalias Recon-AD-Groups {\n\t$bid = $1;\n\n\t$input = substr($0, 16);\n\t@args = split(' ', $input);\n\n\t#For Groups with spaces in Groupname...\n\t$object = @args[0];\n\t$object1 = @args[1];\n\t$object2 = @args[2];\n\t$object3 = @args[3];\n\t$object4 = @args[4];\n\t$object5 = @args[5];\n\n\tif ($object eq \"\") {\n\t\tberror($bid, \"Please specify a groupname or all.\");\n\t\treturn;\n\t}\n\telse if ($object eq \"all\") {\n\t\tblog($bid, \"Let's enumerate all groups\\n\");\n\t\tbdllspawn($1, script_resource(\"Recon-AD-Groups.dll\"), \"\", \"Recon-AD-Groups\", 5000, false);\n\t}\n\telse if (@args[1] eq \"\"){\n\t\t$param = \"(sAMAccountName=\" . $object . \")\";\n\t}\n\telse if (@args[2] eq \"\"){\n\t\t$param = \"(sAMAccountName=\" . $object . \" \" . $object1 . \")\";\n\t}\n\telse if (@args[3] eq \"\"){\n\t\t$param = \"(sAMAccountName=\" . $object . \" \" . $object1 . \" \" . $object2 . \")\";\n\t}\n\telse if (@args[4] eq \"\"){\n\t\t$param = \"(sAMAccountName=\" . $object . \" \" . $object1 . \" \" . $object2 . \" \" . $object3 . \")\";\n\t}\n\telse if (@args[5] eq \"\"){\n\t\t$param = \"(sAMAccountName=\" . $object . \" \" . $object1 . \" \" . $object2 . \" \" . $object3 . 
\" \" . $object4 . \")\";\n\t}\n\telse {\n\t\t$param = \"(sAMAccountName=\" . $object . \" \" . $object1 . \" \" . $object2 . \" \" . $object3 . \" \" . $object4 . \" \" . $object5 . \")\";\n\t}\n\tblog($bid, \"Let's enumerate group \" . $object . \" \" . $object1 . \" \" . $object2 . \" \" . $object3 . \" \" . $object4 . \" \" . $object5\"\\n\");\n\tbdllspawn($1, script_resource(\"Recon-AD-Groups.dll\"), $param, \"Recon-AD-Groups\", 5000, false);\n}\n\nalias Recon-AD-AllLocalGroups {\n\t$bid = $1;\n\n\t$input = substr($0, 24);\n\t@args = split(' ', $input);\n\n\t$object = @args[0];\n\n\tif ($object eq \"\") {\n\t\tberror($bid, \"Please specify a computername.\");\n\t\treturn;\n\t}\n\telse{\n\t\t$param = $object;\n\t}\n\tblog($bid, \"Let's enumerate computer \" . $object . \" for localgroups\\n\");\n\tbdllspawn($bid, script_resource(\"Recon-AD-AllLocalGroups.dll\"), $param, \"Recon-AD-AllLocalGroups\", 5000, false);\n}\n\nalias Recon-AD-LocalGroups {\n\t$bid = $1;\n\n\t$input = substr($0, 21);\n\t@args = split(' ', $input);\n\n\t$object = @args[0];\n\t$object1 = @args[1];\n\t$object2 = @args[2];\n\t$object3 = @args[3];\n\n\tif ($object eq \"\") {\n\t\tberror($bid, \"Please specify a computername and localgroup.\");\n\t\treturn;\n\t}\n\telse if (@args[1] eq \"\"){\n\t\t$param = $object;\n\t}\n\telse if (@args[2] eq \"\"){\n\t\t$param = $object . \" \" . $object1;\n\t}\n\telse if (@args[3] eq \"\"){\n\t\t$param = $object . \" \" . $object1 . \" \" . $object2;\n\t}\n\telse {\n\t\t$param = $object . \" \" . $object1 . \" \" . $object2 . \" \" . $object3;\n\t}\n\tblog($bid, \"Let's enumerate computer \" . $object . \" for localgroup \" . $object1 . \" \" . $object2 . \" \" . 
$object3\"\\n\");\n\tbdllspawn($1, script_resource(\"Recon-AD-LocalGroups.dll\"), $param, \"Recon-AD-LocalGroups\", 5000, false);\n}\n\nalias Recon-AD-SPNs {\n\t$bid = $1;\n\tblog($bid, \"Let's enumerate all users with SPNs configured.\\n\");\n\tbdllspawn($bid, script_resource(\"Recon-AD-SPNs.dll\"), \"servicePrincipalName=*\", \"Recon-AD-SPNs\", 5000, false);\n}\n"
  },
  {
    "path": "README.md",
    "content": "# Recon-AD, an AD recon tool based on ADSI and reflective DLLs\nNew monitoring and defense optics are being applied within Microsoft operating systems and security products. This should help defenders in detecting malicious behavior within their environments. While PowerShell has long been very popular for post exploitation, now it’s something attackers try to avoid. .NET is the current hype for offensive tradecraft, but Microsoft is rapidly developing new measures by adding optics to catch malicious behavior on this platform. \n\nAs a proof of concept, we developed a C/C++ Active Directory reconnaissance tool based on ADSI and reflective DLLs which can be used within Cobalt Strike. The tool is called “Recon-AD” and at this moment consists of seven Reflective DLLs and a corresponding aggressor script. This tool should help you move away from PowerShell and .NET when enumerating Active Directory and help you stay under the radar of the latest monitoring and defense technologies being applied within modern environments.\n\nMore info about the techniques used can be found in the following blog post: \nhttps://outflank.nl/blog/2019/10/20/red-team-tactics-active-directory-recon-using-adsi-and-reflective-dlls/\n\n## The following functionality is included in the toolkit:\n\n```\nRecon-AD-Domain: to enumerate Domain information (Domain name, GUID, site name, password policy, DC list, etc.).\nRecon-AD-Users: to query for user objects and corresponding attributes.\nRecon-AD-Groups: to query for group objects and corresponding attributes.\nRecon-AD-Computers: to query for computer objects and corresponding attributes.\nRecon-AD-SPNs: to query for user objects with Service Principal Names (SPN) configured and display useful attributes.\nRecon-AD-AllLocalGroups: to query a computer for all local groups and group-members.\nRecon-AD-LocalGroups: to query a computer for specific local groups and group-members (default Administrators group).\n```\n\n## 
Usage:\n\n```\nDownload the Outflank-Recon-AD folder and load the Recon-AD.cna script within the Cobalt Strike Script Manager.\nUse the Beacon help command to display syntax information.\n```\n\n```\nThis project is written in C/C++.\nYou can use Visual Studio to compile the reflective DLLs from source.\n```\n\n## Credits\nAuthor: Cornelis de Plaa (@Cneelis) / Outflank\n\nShout-out to: Stan Hegt (@StanHacked) and all my other great colleagues at Outflank"
  },
  {
    "path": "Src/Recon-AD-AllLocalGroups/Recon-AD-AllLocalGroups/Recon-AD-AllLocalGroups.vcxproj",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project DefaultTargets=\"Build\" ToolsVersion=\"14.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\n  <ItemGroup Label=\"ProjectConfigurations\">\n    <ProjectConfiguration Include=\"Debug|Win32\">\n      <Configuration>Debug</Configuration>\n      <Platform>Win32</Platform>\n    </ProjectConfiguration>\n    <ProjectConfiguration Include=\"Release|Win32\">\n      <Configuration>Release</Configuration>\n      <Platform>Win32</Platform>\n    </ProjectConfiguration>\n    <ProjectConfiguration Include=\"Debug|x64\">\n      <Configuration>Debug</Configuration>\n      <Platform>x64</Platform>\n    </ProjectConfiguration>\n    <ProjectConfiguration Include=\"Release|x64\">\n      <Configuration>Release</Configuration>\n      <Platform>x64</Platform>\n    </ProjectConfiguration>\n  </ItemGroup>\n  <PropertyGroup Label=\"Globals\">\n    <ProjectGuid>{D30C9D6B-1F45-47BD-825B-389FE8CC9069}</ProjectGuid>\n    <RootNamespace>ReconADDomain</RootNamespace>\n    <WindowsTargetPlatformVersion>8.1</WindowsTargetPlatformVersion>\n    <ProjectName>Recon-AD-AllLocalGroups</ProjectName>\n  </PropertyGroup>\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.Default.props\" />\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\" Label=\"Configuration\">\n    <ConfigurationType>Application</ConfigurationType>\n    <UseDebugLibraries>true</UseDebugLibraries>\n    <PlatformToolset>v140</PlatformToolset>\n    <CharacterSet>MultiByte</CharacterSet>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\" Label=\"Configuration\">\n    <ConfigurationType>DynamicLibrary</ConfigurationType>\n    <UseDebugLibraries>false</UseDebugLibraries>\n    <PlatformToolset>v140</PlatformToolset>\n    <WholeProgramOptimization>true</WholeProgramOptimization>\n    <CharacterSet>Unicode</CharacterSet>\n  </PropertyGroup>\n  <PropertyGroup 
Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\" Label=\"Configuration\">\n    <ConfigurationType>DynamicLibrary</ConfigurationType>\n    <UseDebugLibraries>true</UseDebugLibraries>\n    <PlatformToolset>v141</PlatformToolset>\n    <CharacterSet>Unicode</CharacterSet>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\" Label=\"Configuration\">\n    <ConfigurationType>DynamicLibrary</ConfigurationType>\n    <UseDebugLibraries>false</UseDebugLibraries>\n    <PlatformToolset>v141</PlatformToolset>\n    <WholeProgramOptimization>true</WholeProgramOptimization>\n    <CharacterSet>Unicode</CharacterSet>\n  </PropertyGroup>\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.props\" />\n  <ImportGroup Label=\"ExtensionSettings\">\n  </ImportGroup>\n  <ImportGroup Label=\"Shared\">\n  </ImportGroup>\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" 
Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <PropertyGroup Label=\"UserMacros\" />\n  <PropertyGroup />\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">\n    <ClCompile>\n      <WarningLevel>Level3</WarningLevel>\n      <Optimization>Disabled</Optimization>\n      <SDLCheck>true</SDLCheck>\n    </ClCompile>\n  </ItemDefinitionGroup>\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\n    <ClCompile>\n      <WarningLevel>Level3</WarningLevel>\n      <Optimization>Disabled</Optimization>\n      <SDLCheck>true</SDLCheck>\n      <PreprocessorDefinitions>WIN64;NDEBUG;_WINDOWS;_USRDLL;REFLECTIVE_DLL_EXPORTS;WIN_X64;REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR;REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN;%(PreprocessorDefinitions)</PreprocessorDefinitions>\n    </ClCompile>\n  </ItemDefinitionGroup>\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">\n    <ClCompile>\n      <WarningLevel>Level3</WarningLevel>\n      <Optimization>MaxSpeed</Optimization>\n      <FunctionLevelLinking>true</FunctionLevelLinking>\n      <IntrinsicFunctions>true</IntrinsicFunctions>\n      <SDLCheck>true</SDLCheck>\n      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>\n      <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;WIN_X86;REFLECTIVE_DLL_EXPORTS;REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR;REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN;%(PreprocessorDefinitions)</PreprocessorDefinitions>\n    </ClCompile>\n    <Link>\n      <EnableCOMDATFolding>true</EnableCOMDATFolding>\n      <OptimizeReferences>true</OptimizeReferences>\n      <GenerateDebugInformation>false</GenerateDebugInformation>\n    </Link>\n  </ItemDefinitionGroup>\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\n    <ClCompile>\n      <WarningLevel>Level3</WarningLevel>\n      
<Optimization>MaxSpeed</Optimization>\n      <FunctionLevelLinking>true</FunctionLevelLinking>\n      <IntrinsicFunctions>true</IntrinsicFunctions>\n      <SDLCheck>true</SDLCheck>\n      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>\n      <PreprocessorDefinitions>WIN64;NDEBUG;_WINDOWS;_USRDLL;REFLECTIVE_DLL_EXPORTS;WIN_X64;REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR;REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN;%(PreprocessorDefinitions)</PreprocessorDefinitions>\n    </ClCompile>\n    <Link>\n      <EnableCOMDATFolding>true</EnableCOMDATFolding>\n      <OptimizeReferences>true</OptimizeReferences>\n      <GenerateDebugInformation>false</GenerateDebugInformation>\n    </Link>\n  </ItemDefinitionGroup>\n  <ItemGroup>\n    <ClInclude Include=\"ReflectiveDLLInjection.h\" />\n    <ClInclude Include=\"ReflectiveLoader.h\" />\n  </ItemGroup>\n  <ItemGroup>\n    <ClCompile Include=\"ReflectiveDll.cpp\" />\n    <ClCompile Include=\"ReflectiveLoader.cpp\" />\n  </ItemGroup>\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.targets\" />\n  <ImportGroup Label=\"ExtensionTargets\">\n  </ImportGroup>\n</Project>"
  },
  {
    "path": "Src/Recon-AD-AllLocalGroups/Recon-AD-AllLocalGroups/Recon-AD-AllLocalGroups.vcxproj.filters",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project ToolsVersion=\"4.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\n  <ItemGroup>\n    <Filter Include=\"Source Files\">\n      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>\n      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>\n    </Filter>\n    <Filter Include=\"Header Files\">\n      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>\n      <Extensions>h;hh;hpp;hxx;hm;inl;inc;xsd</Extensions>\n    </Filter>\n    <Filter Include=\"Resource Files\">\n      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>\n      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>\n    </Filter>\n  </ItemGroup>\n  <ItemGroup>\n    <ClInclude Include=\"ReflectiveDLLInjection.h\">\n      <Filter>Header Files</Filter>\n    </ClInclude>\n    <ClInclude Include=\"ReflectiveLoader.h\">\n      <Filter>Header Files</Filter>\n    </ClInclude>\n  </ItemGroup>\n  <ItemGroup>\n    <ClCompile Include=\"ReflectiveLoader.cpp\">\n      <Filter>Source Files</Filter>\n    </ClCompile>\n    <ClCompile Include=\"ReflectiveDll.cpp\">\n      <Filter>Source Files</Filter>\n    </ClCompile>\n  </ItemGroup>\n</Project>"
  },
  {
    "path": "Src/Recon-AD-AllLocalGroups/Recon-AD-AllLocalGroups/Recon-AD-AllLocalGroups.vcxproj.user",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project ToolsVersion=\"14.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\n  <PropertyGroup />\n</Project>"
  },
  {
    "path": "Src/Recon-AD-AllLocalGroups/Recon-AD-AllLocalGroups/ReflectiveDLLInjection.h",
    "content": "//===============================================================================================//\n// Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com)\n// All rights reserved.\n// \n// Redistribution and use in source and binary forms, with or without modification, are permitted \n// provided that the following conditions are met:\n// \n//     * Redistributions of source code must retain the above copyright notice, this list of \n// conditions and the following disclaimer.\n// \n//     * Redistributions in binary form must reproduce the above copyright notice, this list of \n// conditions and the following disclaimer in the documentation and/or other materials provided \n// with the distribution.\n// \n//     * Neither the name of Harmony Security nor the names of its contributors may be used to\n// endorse or promote products derived from this software without specific prior written permission.\n// \n// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS \"AS IS\" AND ANY EXPRESS OR \n// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND\n// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR \n// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR \n// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR \n// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY \n// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR \n// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE \n// POSSIBILITY OF SUCH DAMAGE.\n//===============================================================================================//\n#ifndef _REFLECTIVEDLLINJECTION_REFLECTIVEDLLINJECTION_H\n#define _REFLECTIVEDLLINJECTION_REFLECTIVEDLLINJECTION_H\n//===============================================================================================//\n#define WIN32_LEAN_AND_MEAN\n#include <windows.h>\n\n// we declare some common stuff in here...\n\n#define DLL_QUERY_HMODULE\t\t6\n\n#define DEREF( name )*(UINT_PTR *)(name)\n#define DEREF_64( name )*(DWORD64 *)(name)\n#define DEREF_32( name )*(DWORD *)(name)\n#define DEREF_16( name )*(WORD *)(name)\n#define DEREF_8( name )*(BYTE *)(name)\n\ntypedef ULONG_PTR(WINAPI * REFLECTIVELOADER)(VOID);\ntypedef BOOL(WINAPI * DLLMAIN)(HINSTANCE, DWORD, LPVOID);\n\n#define DLLEXPORT   __declspec( dllexport ) \n\n//===============================================================================================//\n#endif\n//===============================================================================================//\n\n"
  },
  {
    "path": "Src/Recon-AD-AllLocalGroups/Recon-AD-AllLocalGroups/ReflectiveDll.cpp",
    "content": "#undef  _UNICODE\n#define _UNICODE\n#undef  UNICODE\n#define UNICODE\n\n#include \"ReflectiveLoader.h\"\n#include <stdio.h>\n#include <atlbase.h>\n#include <atlstr.h>\n#include <activeds.h>\n#include <assert.h>\n\n#pragma comment(lib, \"ADSIid.lib\")\n#pragma comment(lib, \"ActiveDS.Lib\")\n\n#define FETCH_NUM 100\n\n// Note: REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR and REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN are\n// defined in the project properties (Properties->C++->Preprocessor) so as we can specify our own \n// DllMain and use the LoadRemoteLibraryR() API to inject this DLL.\n\n// You can use this value as a pseudo hinstDLL value (defined and set via ReflectiveLoader.c)\nextern HINSTANCE hAppInstance;\n\n\nHRESULT PrintGroupObjectMembers(IADsGroup * pADsGroup)\n{\n\tHRESULT         hr = S_OK;\t\t\t\t\t// COM Result Code\n\tIADsMembers *   pADsMembers = NULL;\t\t\t// Pointer to Members of the IADsGroup\n\tBOOL            fContinue = TRUE;\t\t\t// Looping Variable\n\tIEnumVARIANT *  pEnumVariant = NULL;\t\t// Pointer to the Enum variant\n\tIUnknown *      pUnknown = NULL;\t\t\t// IUnknown for getting the ENUM initially\n\tVARIANT         VariantArray[FETCH_NUM];\t// Variant array for temp holding returned data\n\tULONG           ulElementsFetched = NULL;\t// Number of elements retrieved\n\n\t// Get an interface pointer to the IADsCollection of members.\n\thr = pADsGroup->Members(&pADsMembers);\n\n\tif (SUCCEEDED(hr))\n\t{\n\n\t\t// Query the IADsCollection of members for a new ENUM Interface.\n\t\t// Be aware that the enum comes back as an IUnknown *\n\t\thr = pADsMembers->get__NewEnum(&pUnknown);\n\n\t\tif (SUCCEEDED(hr))\n\t\t{\n\n\t\t\t// Call the QueryInterface method for the IUnknown * for a IEnumVARIANT interface.\n\t\t\thr = pUnknown->QueryInterface(IID_IEnumVARIANT, (void **)&pEnumVariant);\n\n\t\t\tif (SUCCEEDED(hr))\n\t\t\t{\n\n\t\t\t\t// While no errors or end of data...\n\t\t\t\twhile 
(fContinue)\n\t\t\t\t{\n\t\t\t\t\tulElementsFetched = 0;\n\n\t\t\t\t\t// Get a \"batch\" number of group members - number of rows that FETCH_NUM specifies\n\t\t\t\t\thr = ADsEnumerateNext(pEnumVariant, FETCH_NUM, VariantArray, &ulElementsFetched);\n\n\t\t\t\t\tif (ulElementsFetched)//SUCCEEDED(hr) && hr != S_FALSE)\n\t\t\t\t\t{\n\t\t\t\t\t\twprintf(L\"[+] Members:\\n\");\n\n\t\t\t\t\t\t// Loop through the current batch, printing \n\t\t\t\t\t\t// the path for each member.\n\t\t\t\t\t\tfor (ULONG i = 0; i < ulElementsFetched; i++)\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tIDispatch * pDispatch = NULL;\n\t\t\t\t\t\t\t// Pointer for holding dispath of element.\n\t\t\t\t\t\t\tIADs      * pIADsGroupMember = NULL;\n\t\t\t\t\t\t\t// IADs pointer to group member.\n\t\t\t\t\t\t\tBSTR        bstrPath = NULL;\n\t\t\t\t\t\t\t// Contains the path of the object.\n\n\t\t\t\t\t\t\t// Get the dispatch pointer for the variant.\n\t\t\t\t\t\t\tpDispatch = VariantArray[i].pdispVal;\n\t\t\t\t\t\t\t//assert(HAS_BIT_STYLE(VariantArray[i].vt, VT_DISPATCH));\n\n\t\t\t\t\t\t\t// Get the IADs interface for the \"member\" of this group.\n\t\t\t\t\t\t\thr = pDispatch->QueryInterface(IID_IADs,\n\t\t\t\t\t\t\t\t(VOID **)&pIADsGroupMember);\n\n\t\t\t\t\t\t\tif (SUCCEEDED(hr))\n\t\t\t\t\t\t\t{\n\n\t\t\t\t\t\t\t\t// Get the ADsPath property for this member.\n\t\t\t\t\t\t\t\thr = pIADsGroupMember->get_ADsPath(&bstrPath);\n\n\t\t\t\t\t\t\t\tif (SUCCEEDED(hr))\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t// Print the ADsPath of the group member.\n\t\t\t\t\t\t\t\t\t//CStringW sBstr;\n\t\t\t\t\t\t\t\t\t//sBstr = (LPCWSTR)bstrPath;\n\t\t\t\t\t\t\t\t\t//sBstr.Replace(L\"WinNT://\", L\"\");\n\n\t\t\t\t\t\t\t\t\twprintf(L\"    %s\\r\\n\", (LPCWSTR)bstrPath);\n\t\t\t\t\t\t\t\t\tSysFreeString(bstrPath);\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\tpIADsGroupMember->Release();\n\t\t\t\t\t\t\t\tpIADsGroupMember = NULL;\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t}\n\n\t\t\t\t\t\t// Clear the variant array.\n\t\t\t\t\t\tmemset(VariantArray, 0, 
sizeof(VARIANT)*FETCH_NUM);\n\t\t\t\t\t}\n\t\t\t\t\telse\n\t\t\t\t\t\tfContinue = FALSE;\n\t\t\t\t}\n\t\t\t\tpEnumVariant->Release();\n\t\t\t\tpEnumVariant = NULL;\n\t\t\t}\n\t\t\tpUnknown->Release();\n\t\t\tpUnknown = NULL;\n\t\t}\n\t\tpADsMembers->Release();\n\t\tpADsMembers = NULL;\n\t}\n\n\t// If all completed normally, all data\n\t// was printed, and an S_FALSE, indicating \n\t// no more data, was received. If so,\n\t// return S_OK.\n\tif (hr == S_FALSE)\n\t\thr = S_OK;\n\n\treturn hr;\n}\n\n\nBOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved)\n{\n\tBOOL bReturnValue = TRUE;\n\tLPWSTR pwszParams = (LPWSTR)calloc(strlen((LPSTR)lpReserved) + 1, sizeof(WCHAR));\n\tsize_t convertedChars = 0;\n\tsize_t newsize = strlen((LPSTR)lpReserved) + 1;\n\n\tswitch (dwReason)\n\t{\n\t\tcase DLL_QUERY_HMODULE:\n\t\t\tif (lpReserved != NULL)\n\t\t\t\t*(HMODULE *)lpReserved = hAppInstance;\n\t\t\tbreak;\n\t\tcase DLL_PROCESS_ATTACH:\n\t\t\thAppInstance = hinstDLL;\n\n\t\t\tif (lpReserved != NULL) {\n\n\t\t\t\t// Handle the command line arguments.\n\t\t\t\tint maxAlloc = MAX_PATH * 2;\n\t\t\t\tLPOLESTR pszBuffer = new OLECHAR[maxAlloc];\n\t\t\t\tmbstowcs_s(&convertedChars, pwszParams, newsize, (LPSTR)lpReserved, _TRUNCATE);\n\t\t\t\twcscpy_s(pszBuffer, maxAlloc, pwszParams);\n\n\t\t\t\tLPCWSTR pwszComputer = pszBuffer;\n\t\t\t\tLPCWSTR pwszClass = L\"group\";\n\t\t\t\tLPCWSTR pwszUsername = NULL;\n\t\t\t\tLPCWSTR pwszPassword = NULL;\n\n\t\t\t\tHRESULT hr;\n\n\t\t\t\t// Initialize COM\n\t\t\t\tCoInitialize(NULL);\n\n\t\t\t\tIADsContainer * pIADsCont = NULL;\n\n\t\t\t\t// Build the binding string.\n\t\t\t\tCComBSTR sbstrBindingString;\n\t\t\t\tsbstrBindingString = \"WinNT://\";\n\t\t\t\tsbstrBindingString += pwszComputer;\n\t\t\t\tsbstrBindingString += \",computer\";\n\n\t\t\t\t// Bind to the container.\n\t\t\t\thr = 
ADsOpenObject(sbstrBindingString,\n\t\t\t\t\tpwszUsername,\n\t\t\t\t\tpwszPassword,\n\t\t\t\t\tADS_SECURE_AUTHENTICATION,\n\t\t\t\t\tIID_IADsContainer,\n\t\t\t\t\t(void**)&pIADsCont);\n\n\t\t\t\tif (SUCCEEDED(hr))\n\t\t\t\t{\n\t\t\t\t\tVARIANT vFilter;\n\t\t\t\t\tVariantInit(&vFilter);\n\t\t\t\t\tLPWSTR rgpwszFilter[] = { (LPWSTR)pwszClass };\n\n\t\t\t\t\t// Build a Variant of array type, using the filter passed.\n\t\t\t\t\thr = ADsBuildVarArrayStr(rgpwszFilter, 1, &vFilter);\n\t\t\t\t\tif (SUCCEEDED(hr))\n\t\t\t\t\t{\n\t\t\t\t\t\t// Set the filter for the results of the enumeration.\n\t\t\t\t\t\thr = pIADsCont->put_Filter(vFilter);\n\t\t\t\t\t\tif (SUCCEEDED(hr))\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tIEnumVARIANT *pEnumVariant = NULL;\n\n\t\t\t\t\t\t\t// Build an enumerator interface. This is used \n\t\t\t\t\t\t\t// to enumerate the objects contained in \n\t\t\t\t\t\t\t// the IADsContainer.\n\t\t\t\t\t\t\thr = ADsBuildEnumerator(pIADsCont, &pEnumVariant);\n\n\t\t\t\t\t\t\tif (SUCCEEDED(hr))\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\tVARIANT Variant;\n\t\t\t\t\t\t\t\tULONG ulElementsFetched;\n\n\t\t\t\t\t\t\t\twprintf(L\"--------------------------------------------------------------------\\n\");\n\n\t\t\t\t\t\t\t\t// Loop through and print the data.\n\t\t\t\t\t\t\t\twhile (SUCCEEDED(ADsEnumerateNext(pEnumVariant,\n\t\t\t\t\t\t\t\t\t1,\n\t\t\t\t\t\t\t\t\t&Variant,\n\t\t\t\t\t\t\t\t\t&ulElementsFetched))\n\t\t\t\t\t\t\t\t\t&& (ulElementsFetched > 0))\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tif (VT_DISPATCH == Variant.vt)\n\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\tIADs *pIADs = NULL;\n\n\t\t\t\t\t\t\t\t\t\t// Query the variant IDispatch *\n\t\t\t\t\t\t\t\t\t\t// for the IADs interface\n\t\t\t\t\t\t\t\t\t\thr = Variant.pdispVal->QueryInterface(IID_IADs,\n\t\t\t\t\t\t\t\t\t\t\t(VOID**)&pIADs);\n\n\t\t\t\t\t\t\t\t\t\tif (SUCCEEDED(hr))\n\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\t// Print the object data.\n\t\t\t\t\t\t\t\t\t\t\tCComBSTR sbstrResult;\n\t\t\t\t\t\t\t\t\t\t\thr = 
pIADs->get_Name(&sbstrResult);\n\t\t\t\t\t\t\t\t\t\t\tif (SUCCEEDED(hr))\n\t\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\t\twprintf(L\"[+] Group:\\n\");\n\t\t\t\t\t\t\t\t\t\t\t\twprintf(L\"    %s\\r\\n\", (LPCWSTR)sbstrResult);\n\t\t\t\t\t\t\t\t\t\t\t}\n\n\t\t\t\t\t\t\t\t\t\t\thr = pIADs->get_ADsPath(&sbstrResult);\n\t\t\t\t\t\t\t\t\t\t\tif (SUCCEEDED(hr))\n\t\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\t\t//wprintf(L\"[+] ADsPath:\\n\");\n\t\t\t\t\t\t\t\t\t\t\t\t//wprintf(L\"    %s\\r\\n\", (LPCWSTR)sbstrResult);\n\t\t\t\t\t\t\t\t\t\t\t}\n\n\t\t\t\t\t\t\t\t\t\t\tIADsGroup *pGroup = NULL;\n\t\t\t\t\t\t\t\t\t\t\thr = ADsGetObject(sbstrResult, IID_IADsGroup, (void**)&pGroup);\n\t\t\t\t\t\t\t\t\t\t\tif (SUCCEEDED(hr)) {\n\t\t\t\t\t\t\t\t\t\t\t\tPrintGroupObjectMembers(pGroup);\n\t\t\t\t\t\t\t\t\t\t\t}\n\n\t\t\t\t\t\t\t\t\t\t\twprintf(L\"--------------------------------------------------------------------\\n\");\n\n\t\t\t\t\t\t\t\t\t\t\tpIADs->Release();\n\t\t\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t\t}\n\n\t\t\t\t\t\t\t\t\tVariantClear(&Variant);\n\t\t\t\t\t\t\t\t}\n\n\t\t\t\t\t\t\t\tpEnumVariant->Release();\n\t\t\t\t\t\t\t}\n\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t\tVariantClear(&vFilter);\n\n\t\t\t\t\t// Uninitialize COM\n\t\t\t\t\tCoUninitialize();\n\t\t\t\t}\n\t\t\t\t\n\t\t\t}\n\n\t\t\t// Flush STDOUT\n\t\t\tfflush(stdout);\n\n\t\t\t// We're done, so let's exit\n\t\t\tExitProcess(0);\n\n\t\t\tbreak;\n\t\tcase DLL_PROCESS_DETACH:\n\t\tcase DLL_THREAD_ATTACH:\n\t\tcase DLL_THREAD_DETACH:\n\t\t\tbreak;\n\t}\n\treturn bReturnValue;\n}\n"
  },
  {
    "path": "Src/Recon-AD-AllLocalGroups/Recon-AD-AllLocalGroups/ReflectiveLoader.cpp",
    "content": "//===============================================================================================//\n// Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com)\n// All rights reserved.\n// \n// Redistribution and use in source and binary forms, with or without modification, are permitted \n// provided that the following conditions are met:\n// \n//     * Redistributions of source code must retain the above copyright notice, this list of \n// conditions and the following disclaimer.\n// \n//     * Redistributions in binary form must reproduce the above copyright notice, this list of \n// conditions and the following disclaimer in the documentation and/or other materials provided \n// with the distribution.\n// \n//     * Neither the name of Harmony Security nor the names of its contributors may be used to\n// endorse or promote products derived from this software without specific prior written permission.\n// \n// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS \"AS IS\" AND ANY EXPRESS OR \n// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND\n// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR \n// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR \n// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR \n// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY \n// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR \n// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE \n// POSSIBILITY OF SUCH DAMAGE.\n//===============================================================================================//\n#include \"ReflectiveLoader.h\"\n//===============================================================================================//\n// Our loader will set this to a pseudo correct HINSTANCE/HMODULE value\nHINSTANCE hAppInstance = NULL;\n//===============================================================================================//\n#pragma intrinsic( _ReturnAddress )\n// This function can not be inlined by the compiler or we will not get the address we expect. Ideally \n// this code will be compiled with the /O2 and /Ob1 switches. 
Bonus points if we could take advantage of \n// RIP relative addressing in this instance but I dont believe we can do so with the compiler intrinsics \n// available (and no inline asm available under x64).\n__declspec(noinline) ULONG_PTR caller(VOID) { return (ULONG_PTR)_ReturnAddress(); }\n//===============================================================================================//\n\n// Note 1: If you want to have your own DllMain, define REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN,  \n//         otherwise the DllMain at the end of this file will be used.\n\n// Note 2: If you are injecting the DLL via LoadRemoteLibraryR, define REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR,\n//         otherwise it is assumed you are calling the ReflectiveLoader via a stub.\n\n// This is our position independent reflective DLL loader/injector\n#ifdef REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR\nDLLEXPORT ULONG_PTR WINAPI ReflectiveLoader(LPVOID lpParameter)\n#else\nDLLEXPORT ULONG_PTR WINAPI ReflectiveLoader(VOID)\n#endif\n{\n\t// the functions we need\n\tLOADLIBRARYA pLoadLibraryA = NULL;\n\tGETPROCADDRESS pGetProcAddress = NULL;\n\tVIRTUALALLOC pVirtualAlloc = NULL;\n\tNTFLUSHINSTRUCTIONCACHE pNtFlushInstructionCache = NULL;\n\n\tUSHORT usCounter;\n\n\t// the initial location of this image in memory\n\tULONG_PTR uiLibraryAddress;\n\t// the kernels base address and later this images newly loaded base address\n\tULONG_PTR uiBaseAddress;\n\n\t// variables for processing the kernels export table\n\tULONG_PTR uiAddressArray;\n\tULONG_PTR uiNameArray;\n\tULONG_PTR uiExportDir;\n\tULONG_PTR uiNameOrdinals;\n\tDWORD dwHashValue;\n\n\t// variables for loading this image\n\tULONG_PTR uiHeaderValue;\n\tULONG_PTR uiValueA;\n\tULONG_PTR uiValueB;\n\tULONG_PTR uiValueC;\n\tULONG_PTR uiValueD;\n\tULONG_PTR uiValueE;\n\n\t// STEP 0: calculate our images current base address\n\n\t// we will start searching backwards from our callers return address.\n\tuiLibraryAddress = caller();\n\n\t// loop 
through memory backwards searching for our images base address\n\t// we dont need SEH style search as we shouldnt generate any access violations with this\n\twhile (TRUE)\n\t{\n\t\tif (((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_magic == IMAGE_DOS_SIGNATURE)\n\t\t{\n\t\t\tuiHeaderValue = ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew;\n\t\t\t// some x64 dll's can trigger a bogus signature (IMAGE_DOS_SIGNATURE == 'POP r10'),\n\t\t\t// we sanity check the e_lfanew with an upper threshold value of 1024 to avoid problems.\n\t\t\tif (uiHeaderValue >= sizeof(IMAGE_DOS_HEADER) && uiHeaderValue < 1024)\n\t\t\t{\n\t\t\t\tuiHeaderValue += uiLibraryAddress;\n\t\t\t\t// break if we have found a valid MZ/PE header\n\t\t\t\tif (((PIMAGE_NT_HEADERS)uiHeaderValue)->Signature == IMAGE_NT_SIGNATURE)\n\t\t\t\t\tbreak;\n\t\t\t}\n\t\t}\n\t\tuiLibraryAddress--;\n\t}\n\n\t// STEP 1: process the kernels exports for the functions our loader needs...\n\n\t// get the Process Enviroment Block\n#ifdef WIN_X64\n\tuiBaseAddress = __readgsqword(0x60);\n#else\n#ifdef WIN_X86\n\tuiBaseAddress = __readfsdword(0x30);\n#else WIN_ARM\n\tuiBaseAddress = *(DWORD *)((BYTE *)_MoveFromCoprocessor(15, 0, 13, 0, 2) + 0x30);\n#endif\n#endif\n\n\t// get the processes loaded modules. 
ref: http://msdn.microsoft.com/en-us/library/aa813708(VS.85).aspx\n\tuiBaseAddress = (ULONG_PTR)((_PPEB)uiBaseAddress)->pLdr;\n\n\t// get the first entry of the InMemoryOrder module list\n\tuiValueA = (ULONG_PTR)((PPEB_LDR_DATA)uiBaseAddress)->InMemoryOrderModuleList.Flink;\n\twhile (uiValueA)\n\t{\n\t\t// get pointer to current modules name (unicode string)\n\t\tuiValueB = (ULONG_PTR)((PLDR_DATA_TABLE_ENTRY)uiValueA)->BaseDllName.pBuffer;\n\t\t// set bCounter to the length for the loop\n\t\tusCounter = ((PLDR_DATA_TABLE_ENTRY)uiValueA)->BaseDllName.Length;\n\t\t// clear uiValueC which will store the hash of the module name\n\t\tuiValueC = 0;\n\n\t\t// compute the hash of the module name...\n\t\tdo\n\t\t{\n\t\t\tuiValueC = ror((DWORD)uiValueC);\n\t\t\t// normalize to uppercase if the madule name is in lowercase\n\t\t\tif (*((BYTE *)uiValueB) >= 'a')\n\t\t\t\tuiValueC += *((BYTE *)uiValueB) - 0x20;\n\t\t\telse\n\t\t\t\tuiValueC += *((BYTE *)uiValueB);\n\t\t\tuiValueB++;\n\t\t} while (--usCounter);\n\n\t\t// compare the hash with that of kernel32.dll\n\t\tif ((DWORD)uiValueC == KERNEL32DLL_HASH)\n\t\t{\n\t\t\t// get this modules base address\n\t\t\tuiBaseAddress = (ULONG_PTR)((PLDR_DATA_TABLE_ENTRY)uiValueA)->DllBase;\n\n\t\t\t// get the VA of the modules NT Header\n\t\t\tuiExportDir = uiBaseAddress + ((PIMAGE_DOS_HEADER)uiBaseAddress)->e_lfanew;\n\n\t\t\t// uiNameArray = the address of the modules export directory entry\n\t\t\tuiNameArray = (ULONG_PTR)&((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];\n\n\t\t\t// get the VA of the export directory\n\t\t\tuiExportDir = (uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiNameArray)->VirtualAddress);\n\n\t\t\t// get the VA for the array of name pointers\n\t\t\tuiNameArray = (uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY)uiExportDir)->AddressOfNames);\n\n\t\t\t// get the VA for the array of name ordinals\n\t\t\tuiNameOrdinals = (uiBaseAddress + 
((PIMAGE_EXPORT_DIRECTORY)uiExportDir)->AddressOfNameOrdinals);\n\n\t\t\tusCounter = 3;\n\n\t\t\t// loop while we still have imports to find\n\t\t\twhile (usCounter > 0)\n\t\t\t{\n\t\t\t\t// compute the hash values for this function name\n\t\t\t\tdwHashValue = hash((char *)(uiBaseAddress + DEREF_32(uiNameArray)));\n\n\t\t\t\t// if we have found a function we want we get its virtual address\n\t\t\t\tif (dwHashValue == LOADLIBRARYA_HASH || dwHashValue == GETPROCADDRESS_HASH || dwHashValue == VIRTUALALLOC_HASH)\n\t\t\t\t{\n\t\t\t\t\t// get the VA for the array of addresses\n\t\t\t\t\tuiAddressArray = (uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY)uiExportDir)->AddressOfFunctions);\n\n\t\t\t\t\t// use this functions name ordinal as an index into the array of name pointers\n\t\t\t\t\tuiAddressArray += (DEREF_16(uiNameOrdinals) * sizeof(DWORD));\n\n\t\t\t\t\t// store this functions VA\n\t\t\t\t\tif (dwHashValue == LOADLIBRARYA_HASH)\n\t\t\t\t\t\tpLoadLibraryA = (LOADLIBRARYA)(uiBaseAddress + DEREF_32(uiAddressArray));\n\t\t\t\t\telse if (dwHashValue == GETPROCADDRESS_HASH)\n\t\t\t\t\t\tpGetProcAddress = (GETPROCADDRESS)(uiBaseAddress + DEREF_32(uiAddressArray));\n\t\t\t\t\telse if (dwHashValue == VIRTUALALLOC_HASH)\n\t\t\t\t\t\tpVirtualAlloc = (VIRTUALALLOC)(uiBaseAddress + DEREF_32(uiAddressArray));\n\n\t\t\t\t\t// decrement our counter\n\t\t\t\t\tusCounter--;\n\t\t\t\t}\n\n\t\t\t\t// get the next exported function name\n\t\t\t\tuiNameArray += sizeof(DWORD);\n\n\t\t\t\t// get the next exported function name ordinal\n\t\t\t\tuiNameOrdinals += sizeof(WORD);\n\t\t\t}\n\t\t}\n\t\telse if ((DWORD)uiValueC == NTDLLDLL_HASH)\n\t\t{\n\t\t\t// get this modules base address\n\t\t\tuiBaseAddress = (ULONG_PTR)((PLDR_DATA_TABLE_ENTRY)uiValueA)->DllBase;\n\n\t\t\t// get the VA of the modules NT Header\n\t\t\tuiExportDir = uiBaseAddress + ((PIMAGE_DOS_HEADER)uiBaseAddress)->e_lfanew;\n\n\t\t\t// uiNameArray = the address of the modules export directory entry\n\t\t\tuiNameArray = 
(ULONG_PTR)&((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];\n\n\t\t\t// get the VA of the export directory\n\t\t\tuiExportDir = (uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiNameArray)->VirtualAddress);\n\n\t\t\t// get the VA for the array of name pointers\n\t\t\tuiNameArray = (uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY)uiExportDir)->AddressOfNames);\n\n\t\t\t// get the VA for the array of name ordinals\n\t\t\tuiNameOrdinals = (uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY)uiExportDir)->AddressOfNameOrdinals);\n\n\t\t\tusCounter = 1;\n\n\t\t\t// loop while we still have imports to find\n\t\t\twhile (usCounter > 0)\n\t\t\t{\n\t\t\t\t// compute the hash values for this function name\n\t\t\t\tdwHashValue = hash((char *)(uiBaseAddress + DEREF_32(uiNameArray)));\n\n\t\t\t\t// if we have found a function we want we get its virtual address\n\t\t\t\tif (dwHashValue == NTFLUSHINSTRUCTIONCACHE_HASH)\n\t\t\t\t{\n\t\t\t\t\t// get the VA for the array of addresses\n\t\t\t\t\tuiAddressArray = (uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY)uiExportDir)->AddressOfFunctions);\n\n\t\t\t\t\t// use this functions name ordinal as an index into the array of name pointers\n\t\t\t\t\tuiAddressArray += (DEREF_16(uiNameOrdinals) * sizeof(DWORD));\n\n\t\t\t\t\t// store this functions VA\n\t\t\t\t\tif (dwHashValue == NTFLUSHINSTRUCTIONCACHE_HASH)\n\t\t\t\t\t\tpNtFlushInstructionCache = (NTFLUSHINSTRUCTIONCACHE)(uiBaseAddress + DEREF_32(uiAddressArray));\n\n\t\t\t\t\t// decrement our counter\n\t\t\t\t\tusCounter--;\n\t\t\t\t}\n\n\t\t\t\t// get the next exported function name\n\t\t\t\tuiNameArray += sizeof(DWORD);\n\n\t\t\t\t// get the next exported function name ordinal\n\t\t\t\tuiNameOrdinals += sizeof(WORD);\n\t\t\t}\n\t\t}\n\n\t\t// we stop searching when we have found everything we need.\n\t\tif (pLoadLibraryA && pGetProcAddress && pVirtualAlloc && pNtFlushInstructionCache)\n\t\t\tbreak;\n\n\t\t// get the next entry\n\t\tuiValueA = 
DEREF(uiValueA);\n\t}\n\n\t// STEP 2: load our image into a new permanent location in memory...\n\n\t// get the VA of the NT Header for the PE to be loaded\n\tuiHeaderValue = uiLibraryAddress + ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew;\n\n\t// allocate all the memory for the DLL to be loaded into. we can load at any address because we will  \n\t// relocate the image. Also zeros all memory and marks it as READ, WRITE and EXECUTE to avoid any problems.\n\tuiBaseAddress = (ULONG_PTR)pVirtualAlloc(NULL, ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.SizeOfImage, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);\n\n\t// we must now copy over the headers\n\tuiValueA = ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.SizeOfHeaders;\n\tuiValueB = uiLibraryAddress;\n\tuiValueC = uiBaseAddress;\n\n\twhile (uiValueA--)\n\t\t*(BYTE *)uiValueC++ = *(BYTE *)uiValueB++;\n\n\t// STEP 3: load in all of our sections...\n\n\t// uiValueA = the VA of the first section\n\tuiValueA = ((ULONG_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader + ((PIMAGE_NT_HEADERS)uiHeaderValue)->FileHeader.SizeOfOptionalHeader);\n\n\t// itterate through all sections, loading them into memory.\n\tuiValueE = ((PIMAGE_NT_HEADERS)uiHeaderValue)->FileHeader.NumberOfSections;\n\twhile (uiValueE--)\n\t{\n\t\t// uiValueB is the VA for this section\n\t\tuiValueB = (uiBaseAddress + ((PIMAGE_SECTION_HEADER)uiValueA)->VirtualAddress);\n\n\t\t// uiValueC if the VA for this sections data\n\t\tuiValueC = (uiLibraryAddress + ((PIMAGE_SECTION_HEADER)uiValueA)->PointerToRawData);\n\n\t\t// copy the section over\n\t\tuiValueD = ((PIMAGE_SECTION_HEADER)uiValueA)->SizeOfRawData;\n\n\t\twhile (uiValueD--)\n\t\t\t*(BYTE *)uiValueB++ = *(BYTE *)uiValueC++;\n\n\t\t// get the VA of the next section\n\t\tuiValueA += sizeof(IMAGE_SECTION_HEADER);\n\t}\n\n\t// STEP 4: process our images import table...\n\n\t// uiValueB = the address of the import directory\n\tuiValueB = 
(ULONG_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];\n\n\t// we assume their is an import table to process\n\t// uiValueC is the first entry in the import table\n\tuiValueC = (uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiValueB)->VirtualAddress);\n\n\t// itterate through all imports\n\twhile (((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->Name)\n\t{\n\t\t// use LoadLibraryA to load the imported module into memory\n\t\tuiLibraryAddress = (ULONG_PTR)pLoadLibraryA((LPCSTR)(uiBaseAddress + ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->Name));\n\n\t\t// uiValueD = VA of the OriginalFirstThunk\n\t\tuiValueD = (uiBaseAddress + ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->OriginalFirstThunk);\n\n\t\t// uiValueA = VA of the IAT (via first thunk not origionalfirstthunk)\n\t\tuiValueA = (uiBaseAddress + ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->FirstThunk);\n\n\t\t// itterate through all imported functions, importing by ordinal if no name present\n\t\twhile (DEREF(uiValueA))\n\t\t{\n\t\t\t// sanity check uiValueD as some compilers only import by FirstThunk\n\t\t\tif (uiValueD && ((PIMAGE_THUNK_DATA)uiValueD)->u1.Ordinal & IMAGE_ORDINAL_FLAG)\n\t\t\t{\n\t\t\t\t// get the VA of the modules NT Header\n\t\t\t\tuiExportDir = uiLibraryAddress + ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew;\n\n\t\t\t\t// uiNameArray = the address of the modules export directory entry\n\t\t\t\tuiNameArray = (ULONG_PTR)&((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];\n\n\t\t\t\t// get the VA of the export directory\n\t\t\t\tuiExportDir = (uiLibraryAddress + ((PIMAGE_DATA_DIRECTORY)uiNameArray)->VirtualAddress);\n\n\t\t\t\t// get the VA for the array of addresses\n\t\t\t\tuiAddressArray = (uiLibraryAddress + ((PIMAGE_EXPORT_DIRECTORY)uiExportDir)->AddressOfFunctions);\n\n\t\t\t\t// use the import ordinal (- export ordinal base) as an index into the array of addresses\n\t\t\t\tuiAddressArray += 
((IMAGE_ORDINAL(((PIMAGE_THUNK_DATA)uiValueD)->u1.Ordinal) - ((PIMAGE_EXPORT_DIRECTORY)uiExportDir)->Base) * sizeof(DWORD));\n\n\t\t\t\t// patch in the address for this imported function\n\t\t\t\tDEREF(uiValueA) = (uiLibraryAddress + DEREF_32(uiAddressArray));\n\t\t\t}\n\t\t\telse\n\t\t\t{\n\t\t\t\t// get the VA of this functions import by name struct\n\t\t\t\tuiValueB = (uiBaseAddress + DEREF(uiValueA));\n\n\t\t\t\t// use GetProcAddress and patch in the address for this imported function\n\t\t\t\tDEREF(uiValueA) = (ULONG_PTR)pGetProcAddress((HMODULE)uiLibraryAddress, (LPCSTR)((PIMAGE_IMPORT_BY_NAME)uiValueB)->Name);\n\t\t\t}\n\t\t\t// get the next imported function\n\t\t\tuiValueA += sizeof(ULONG_PTR);\n\t\t\tif (uiValueD)\n\t\t\t\tuiValueD += sizeof(ULONG_PTR);\n\t\t}\n\n\t\t// get the next import\n\t\tuiValueC += sizeof(IMAGE_IMPORT_DESCRIPTOR);\n\t}\n\n\t// STEP 5: process all of our images relocations...\n\n\t// calculate the base address delta and perform relocations (even if we load at desired image base)\n\tuiLibraryAddress = uiBaseAddress - ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.ImageBase;\n\n\t// uiValueB = the address of the relocation directory\n\tuiValueB = (ULONG_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC];\n\n\t// check if their are any relocations present\n\tif (((PIMAGE_DATA_DIRECTORY)uiValueB)->Size)\n\t{\n\t\t// uiValueC is now the first entry (IMAGE_BASE_RELOCATION)\n\t\tuiValueC = (uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiValueB)->VirtualAddress);\n\n\t\t// and we itterate through all entries...\n\t\twhile (((PIMAGE_BASE_RELOCATION)uiValueC)->SizeOfBlock)\n\t\t{\n\t\t\t// uiValueA = the VA for this relocation block\n\t\t\tuiValueA = (uiBaseAddress + ((PIMAGE_BASE_RELOCATION)uiValueC)->VirtualAddress);\n\n\t\t\t// uiValueB = number of entries in this relocation block\n\t\t\tuiValueB = (((PIMAGE_BASE_RELOCATION)uiValueC)->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) / 
sizeof(IMAGE_RELOC);\n\n\t\t\t// uiValueD is now the first entry in the current relocation block\n\t\t\tuiValueD = uiValueC + sizeof(IMAGE_BASE_RELOCATION);\n\n\t\t\t// we itterate through all the entries in the current block...\n\t\t\twhile (uiValueB--)\n\t\t\t{\n\t\t\t\t// perform the relocation, skipping IMAGE_REL_BASED_ABSOLUTE as required.\n\t\t\t\t// we dont use a switch statement to avoid the compiler building a jump table\n\t\t\t\t// which would not be very position independent!\n\t\t\t\tif (((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_DIR64)\n\t\t\t\t\t*(ULONG_PTR *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += uiLibraryAddress;\n\t\t\t\telse if (((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_HIGHLOW)\n\t\t\t\t\t*(DWORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += (DWORD)uiLibraryAddress;\n#ifdef WIN_ARM\n\t\t\t\t// Note: On ARM, the compiler optimization /O2 seems to introduce an off by one issue, possibly a code gen bug. Using /O1 instead avoids this problem.\n\t\t\t\telse if (((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_ARM_MOV32T)\n\t\t\t\t{\n\t\t\t\t\tregister DWORD dwInstruction;\n\t\t\t\t\tregister DWORD dwAddress;\n\t\t\t\t\tregister WORD wImm;\n\t\t\t\t\t// get the MOV.T instructions DWORD value (We add 4 to the offset to go past the first MOV.W which handles the low word)\n\t\t\t\t\tdwInstruction = *(DWORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset + sizeof(DWORD));\n\t\t\t\t\t// flip the words to get the instruction as expected\n\t\t\t\t\tdwInstruction = MAKELONG(HIWORD(dwInstruction), LOWORD(dwInstruction));\n\t\t\t\t\t// sanity chack we are processing a MOV instruction...\n\t\t\t\t\tif ((dwInstruction & ARM_MOV_MASK) == ARM_MOVT)\n\t\t\t\t\t{\n\t\t\t\t\t\t// pull out the encoded 16bit value (the high portion of the address-to-relocate)\n\t\t\t\t\t\twImm = (WORD)(dwInstruction & 0x000000FF);\n\t\t\t\t\t\twImm |= (WORD)((dwInstruction & 0x00007000) >> 4);\n\t\t\t\t\t\twImm |= (WORD)((dwInstruction & 0x04000000) >> 
15);\n\t\t\t\t\t\twImm |= (WORD)((dwInstruction & 0x000F0000) >> 4);\n\t\t\t\t\t\t// apply the relocation to the target address\n\t\t\t\t\t\tdwAddress = ((WORD)HIWORD(uiLibraryAddress) + wImm) & 0xFFFF;\n\t\t\t\t\t\t// now create a new instruction with the same opcode and register param.\n\t\t\t\t\t\tdwInstruction = (DWORD)(dwInstruction & ARM_MOV_MASK2);\n\t\t\t\t\t\t// patch in the relocated address...\n\t\t\t\t\t\tdwInstruction |= (DWORD)(dwAddress & 0x00FF);\n\t\t\t\t\t\tdwInstruction |= (DWORD)(dwAddress & 0x0700) << 4;\n\t\t\t\t\t\tdwInstruction |= (DWORD)(dwAddress & 0x0800) << 15;\n\t\t\t\t\t\tdwInstruction |= (DWORD)(dwAddress & 0xF000) << 4;\n\t\t\t\t\t\t// now flip the instructions words and patch back into the code...\n\t\t\t\t\t\t*(DWORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset + sizeof(DWORD)) = MAKELONG(HIWORD(dwInstruction), LOWORD(dwInstruction));\n\t\t\t\t\t}\n\t\t\t\t}\n#endif\n\t\t\t\telse if (((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_HIGH)\n\t\t\t\t\t*(WORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += HIWORD(uiLibraryAddress);\n\t\t\t\telse if (((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_LOW)\n\t\t\t\t\t*(WORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += LOWORD(uiLibraryAddress);\n\n\t\t\t\t// get the next entry in the current relocation block\n\t\t\t\tuiValueD += sizeof(IMAGE_RELOC);\n\t\t\t}\n\n\t\t\t// get the next entry in the relocation directory\n\t\t\tuiValueC = uiValueC + ((PIMAGE_BASE_RELOCATION)uiValueC)->SizeOfBlock;\n\t\t}\n\t}\n\n\t// STEP 6: call our images entry point\n\n\t// uiValueA = the VA of our newly loaded DLL/EXE's entry point\n\tuiValueA = (uiBaseAddress + ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.AddressOfEntryPoint);\n\n\t// We must flush the instruction cache to avoid stale code being used which was updated by our relocation processing.\n\tpNtFlushInstructionCache((HANDLE)-1, NULL, 0);\n\n\t// call our respective entry point, fudging our hInstance value\n#ifdef 
REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR\n\t// if we are injecting a DLL via LoadRemoteLibraryR we call DllMain and pass in our parameter (via the DllMain lpReserved parameter)\n\t((DLLMAIN)uiValueA)((HINSTANCE)uiBaseAddress, DLL_PROCESS_ATTACH, lpParameter);\n#else\n\t// if we are injecting an DLL via a stub we call DllMain with no parameter\n\t((DLLMAIN)uiValueA)((HINSTANCE)uiBaseAddress, DLL_PROCESS_ATTACH, NULL);\n#endif\n\n\t// STEP 8: return our new entry point address so whatever called us can call DllMain() if needed.\n\treturn uiValueA;\n}\n//===============================================================================================//\n#ifndef REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN\n\nBOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved)\n{\n\tBOOL bReturnValue = TRUE;\n\tswitch (dwReason)\n\t{\n\tcase DLL_QUERY_HMODULE:\n\t\tif (lpReserved != NULL)\n\t\t\t*(HMODULE *)lpReserved = hAppInstance;\n\t\tbreak;\n\tcase DLL_PROCESS_ATTACH:\n\t\thAppInstance = hinstDLL;\n\t\tbreak;\n\tcase DLL_PROCESS_DETACH:\n\tcase DLL_THREAD_ATTACH:\n\tcase DLL_THREAD_DETACH:\n\t\tbreak;\n\t}\n\treturn bReturnValue;\n}\n\n#endif\n//===============================================================================================//\n"
  },
  {
    "path": "Src/Recon-AD-AllLocalGroups/Recon-AD-AllLocalGroups/ReflectiveLoader.h",
    "content": "//===============================================================================================//\n// Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com)\n// All rights reserved.\n// \n// Redistribution and use in source and binary forms, with or without modification, are permitted \n// provided that the following conditions are met:\n// \n//     * Redistributions of source code must retain the above copyright notice, this list of \n// conditions and the following disclaimer.\n// \n//     * Redistributions in binary form must reproduce the above copyright notice, this list of \n// conditions and the following disclaimer in the documentation and/or other materials provided \n// with the distribution.\n// \n//     * Neither the name of Harmony Security nor the names of its contributors may be used to\n// endorse or promote products derived from this software without specific prior written permission.\n// \n// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS \"AS IS\" AND ANY EXPRESS OR \n// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND\n// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR \n// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR \n// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR \n// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY \n// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR \n// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE \n// POSSIBILITY OF SUCH DAMAGE.\n//===============================================================================================//\n#ifndef _REFLECTIVEDLLINJECTION_REFLECTIVELOADER_H\n#define _REFLECTIVEDLLINJECTION_REFLECTIVELOADER_H\n//===============================================================================================//\n#define WIN32_LEAN_AND_MEAN\n#include <windows.h>\n#include <Winsock2.h>\n#include <intrin.h>\n\n#include \"ReflectiveDLLInjection.h\"\n\ntypedef HMODULE(WINAPI * LOADLIBRARYA)(LPCSTR);\ntypedef FARPROC(WINAPI * GETPROCADDRESS)(HMODULE, LPCSTR);\ntypedef LPVOID(WINAPI * VIRTUALALLOC)(LPVOID, SIZE_T, DWORD, DWORD);\ntypedef DWORD(NTAPI * NTFLUSHINSTRUCTIONCACHE)(HANDLE, PVOID, ULONG);\n\n#define KERNEL32DLL_HASH\t\t\t\t0x6A4ABC5B\n#define NTDLLDLL_HASH\t\t\t\t\t0x3CFA685D\n\n#define LOADLIBRARYA_HASH\t\t\t\t0xEC0E4E8E\n#define GETPROCADDRESS_HASH\t\t\t\t0x7C0DFCAA\n#define VIRTUALALLOC_HASH\t\t\t\t0x91AFCA54\n#define NTFLUSHINSTRUCTIONCACHE_HASH\t0x534C0AB8\n\n#define IMAGE_REL_BASED_ARM_MOV32A\t\t5\n#define IMAGE_REL_BASED_ARM_MOV32T\t\t7\n\n#define ARM_MOV_MASK\t\t\t\t\t(DWORD)(0xFBF08000)\n#define ARM_MOV_MASK2\t\t\t\t\t(DWORD)(0xFBF08F00)\n#define ARM_MOVW\t\t\t\t\t\t0xF2400000\n#define ARM_MOVT\t\t\t\t\t\t0xF2C00000\n\n#define HASH_KEY\t\t\t\t\t\t13\n//===============================================================================================//\n#pragma intrinsic( _rotr )\n\n__forceinline DWORD ror(DWORD d)\n{\n\treturn 
_rotr(d, HASH_KEY);\n}\n\n__forceinline DWORD hash(char * c)\n{\n\tregister DWORD h = 0;\n\tdo\n\t{\n\t\th = ror(h);\n\t\th += *c;\n\t} while (*++c);\n\n\treturn h;\n}\n//===============================================================================================//\ntypedef struct _UNICODE_STR\n{\n\tUSHORT Length;\n\tUSHORT MaximumLength;\n\tPWSTR pBuffer;\n} UNICODE_STR, *PUNICODE_STR;\n\n// WinDbg> dt -v ntdll!_LDR_DATA_TABLE_ENTRY\n//__declspec( align(8) ) \ntypedef struct _LDR_DATA_TABLE_ENTRY\n{\n\t//LIST_ENTRY InLoadOrderLinks; // As we search from PPEB_LDR_DATA->InMemoryOrderModuleList we dont use the first entry.\n\tLIST_ENTRY InMemoryOrderModuleList;\n\tLIST_ENTRY InInitializationOrderModuleList;\n\tPVOID DllBase;\n\tPVOID EntryPoint;\n\tULONG SizeOfImage;\n\tUNICODE_STR FullDllName;\n\tUNICODE_STR BaseDllName;\n\tULONG Flags;\n\tSHORT LoadCount;\n\tSHORT TlsIndex;\n\tLIST_ENTRY HashTableEntry;\n\tULONG TimeDateStamp;\n} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;\n\n// WinDbg> dt -v ntdll!_PEB_LDR_DATA\ntypedef struct _PEB_LDR_DATA //, 7 elements, 0x28 bytes\n{\n\tDWORD dwLength;\n\tDWORD dwInitialized;\n\tLPVOID lpSsHandle;\n\tLIST_ENTRY InLoadOrderModuleList;\n\tLIST_ENTRY InMemoryOrderModuleList;\n\tLIST_ENTRY InInitializationOrderModuleList;\n\tLPVOID lpEntryInProgress;\n} PEB_LDR_DATA, *PPEB_LDR_DATA;\n\n// WinDbg> dt -v ntdll!_PEB_FREE_BLOCK\ntypedef struct _PEB_FREE_BLOCK // 2 elements, 0x8 bytes\n{\n\tstruct _PEB_FREE_BLOCK * pNext;\n\tDWORD dwSize;\n} PEB_FREE_BLOCK, *PPEB_FREE_BLOCK;\n\n// struct _PEB is defined in Winternl.h but it is incomplete\n// WinDbg> dt -v ntdll!_PEB\ntypedef struct __PEB // 65 elements, 0x210 bytes\n{\n\tBYTE bInheritedAddressSpace;\n\tBYTE bReadImageFileExecOptions;\n\tBYTE bBeingDebugged;\n\tBYTE bSpareBool;\n\tLPVOID lpMutant;\n\tLPVOID lpImageBaseAddress;\n\tPPEB_LDR_DATA pLdr;\n\tLPVOID lpProcessParameters;\n\tLPVOID lpSubSystemData;\n\tLPVOID lpProcessHeap;\n\tPRTL_CRITICAL_SECTION pFastPebLock;\n\tLPVOID 
lpFastPebLockRoutine;\n\tLPVOID lpFastPebUnlockRoutine;\n\tDWORD dwEnvironmentUpdateCount;\n\tLPVOID lpKernelCallbackTable;\n\tDWORD dwSystemReserved;\n\tDWORD dwAtlThunkSListPtr32;\n\tPPEB_FREE_BLOCK pFreeList;\n\tDWORD dwTlsExpansionCounter;\n\tLPVOID lpTlsBitmap;\n\tDWORD dwTlsBitmapBits[2];\n\tLPVOID lpReadOnlySharedMemoryBase;\n\tLPVOID lpReadOnlySharedMemoryHeap;\n\tLPVOID lpReadOnlyStaticServerData;\n\tLPVOID lpAnsiCodePageData;\n\tLPVOID lpOemCodePageData;\n\tLPVOID lpUnicodeCaseTableData;\n\tDWORD dwNumberOfProcessors;\n\tDWORD dwNtGlobalFlag;\n\tLARGE_INTEGER liCriticalSectionTimeout;\n\tDWORD dwHeapSegmentReserve;\n\tDWORD dwHeapSegmentCommit;\n\tDWORD dwHeapDeCommitTotalFreeThreshold;\n\tDWORD dwHeapDeCommitFreeBlockThreshold;\n\tDWORD dwNumberOfHeaps;\n\tDWORD dwMaximumNumberOfHeaps;\n\tLPVOID lpProcessHeaps;\n\tLPVOID lpGdiSharedHandleTable;\n\tLPVOID lpProcessStarterHelper;\n\tDWORD dwGdiDCAttributeList;\n\tLPVOID lpLoaderLock;\n\tDWORD dwOSMajorVersion;\n\tDWORD dwOSMinorVersion;\n\tWORD wOSBuildNumber;\n\tWORD wOSCSDVersion;\n\tDWORD dwOSPlatformId;\n\tDWORD dwImageSubsystem;\n\tDWORD dwImageSubsystemMajorVersion;\n\tDWORD dwImageSubsystemMinorVersion;\n\tDWORD dwImageProcessAffinityMask;\n\tDWORD dwGdiHandleBuffer[34];\n\tLPVOID lpPostProcessInitRoutine;\n\tLPVOID lpTlsExpansionBitmap;\n\tDWORD dwTlsExpansionBitmapBits[32];\n\tDWORD dwSessionId;\n\tULARGE_INTEGER liAppCompatFlags;\n\tULARGE_INTEGER liAppCompatFlagsUser;\n\tLPVOID lppShimData;\n\tLPVOID lpAppCompatInfo;\n\tUNICODE_STR usCSDVersion;\n\tLPVOID lpActivationContextData;\n\tLPVOID lpProcessAssemblyStorageMap;\n\tLPVOID lpSystemDefaultActivationContextData;\n\tLPVOID lpSystemAssemblyStorageMap;\n\tDWORD dwMinimumStackCommit;\n} _PEB, *_PPEB;\n\ntypedef struct\n{\n\tWORD\toffset : 12;\n\tWORD\ttype : 4;\n} IMAGE_RELOC, 
*PIMAGE_RELOC;\n//===============================================================================================//\n#endif\n//===============================================================================================//\n\n"
  },
  {
    "path": "Src/Recon-AD-AllLocalGroups/Recon-AD-AllLocalGroups.sln",
    "content": "﻿\nMicrosoft Visual Studio Solution File, Format Version 12.00\n# Visual Studio 15\nVisualStudioVersion = 15.0.28307.852\nMinimumVisualStudioVersion = 10.0.40219.1\nProject(\"{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}\") = \"Recon-AD-AllLocalGroups\", \"Recon-AD-AllLocalGroups\\Recon-AD-AllLocalGroups.vcxproj\", \"{D30C9D6B-1F45-47BD-825B-389FE8CC9069}\"\nEndProject\nGlobal\n\tGlobalSection(SolutionConfigurationPlatforms) = preSolution\n\t\tDebug|x64 = Debug|x64\n\t\tDebug|x86 = Debug|x86\n\t\tRelease|x64 = Release|x64\n\t\tRelease|x86 = Release|x86\n\tEndGlobalSection\n\tGlobalSection(ProjectConfigurationPlatforms) = postSolution\n\t\t{D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Debug|x64.ActiveCfg = Debug|x64\n\t\t{D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Debug|x64.Build.0 = Debug|x64\n\t\t{D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Debug|x86.ActiveCfg = Debug|Win32\n\t\t{D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Debug|x86.Build.0 = Debug|Win32\n\t\t{D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Release|x64.ActiveCfg = Release|x64\n\t\t{D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Release|x64.Build.0 = Release|x64\n\t\t{D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Release|x86.ActiveCfg = Release|Win32\n\t\t{D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Release|x86.Build.0 = Release|Win32\n\tEndGlobalSection\n\tGlobalSection(SolutionProperties) = preSolution\n\t\tHideSolutionNode = FALSE\n\tEndGlobalSection\n\tGlobalSection(ExtensibilityGlobals) = postSolution\n\t\tSolutionGuid = {ACBE159D-66DD-4330-B464-35D40C540652}\n\tEndGlobalSection\nEndGlobal\n"
  },
  {
    "path": "Src/Recon-AD-Computers/Recon-AD-Computers/Recon-AD-Computers.vcxproj",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project DefaultTargets=\"Build\" ToolsVersion=\"14.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\n  <ItemGroup Label=\"ProjectConfigurations\">\n    <ProjectConfiguration Include=\"Debug|Win32\">\n      <Configuration>Debug</Configuration>\n      <Platform>Win32</Platform>\n    </ProjectConfiguration>\n    <ProjectConfiguration Include=\"Release|Win32\">\n      <Configuration>Release</Configuration>\n      <Platform>Win32</Platform>\n    </ProjectConfiguration>\n    <ProjectConfiguration Include=\"Debug|x64\">\n      <Configuration>Debug</Configuration>\n      <Platform>x64</Platform>\n    </ProjectConfiguration>\n    <ProjectConfiguration Include=\"Release|x64\">\n      <Configuration>Release</Configuration>\n      <Platform>x64</Platform>\n    </ProjectConfiguration>\n  </ItemGroup>\n  <PropertyGroup Label=\"Globals\">\n    <ProjectGuid>{D30C9D6B-1F45-47BD-825B-389FE8CC9069}</ProjectGuid>\n    <RootNamespace>ReconADDomain</RootNamespace>\n    <WindowsTargetPlatformVersion>8.1</WindowsTargetPlatformVersion>\n    <ProjectName>Recon-AD-Computers</ProjectName>\n  </PropertyGroup>\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.Default.props\" />\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\" Label=\"Configuration\">\n    <ConfigurationType>Application</ConfigurationType>\n    <UseDebugLibraries>true</UseDebugLibraries>\n    <PlatformToolset>v140</PlatformToolset>\n    <CharacterSet>MultiByte</CharacterSet>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\" Label=\"Configuration\">\n    <ConfigurationType>DynamicLibrary</ConfigurationType>\n    <UseDebugLibraries>false</UseDebugLibraries>\n    <PlatformToolset>v140</PlatformToolset>\n    <WholeProgramOptimization>true</WholeProgramOptimization>\n    <CharacterSet>Unicode</CharacterSet>\n  </PropertyGroup>\n  <PropertyGroup 
Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\" Label=\"Configuration\">\n    <ConfigurationType>Application</ConfigurationType>\n    <UseDebugLibraries>true</UseDebugLibraries>\n    <PlatformToolset>v140</PlatformToolset>\n    <CharacterSet>MultiByte</CharacterSet>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\" Label=\"Configuration\">\n    <ConfigurationType>DynamicLibrary</ConfigurationType>\n    <UseDebugLibraries>false</UseDebugLibraries>\n    <PlatformToolset>v140</PlatformToolset>\n    <WholeProgramOptimization>true</WholeProgramOptimization>\n    <CharacterSet>Unicode</CharacterSet>\n  </PropertyGroup>\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.props\" />\n  <ImportGroup Label=\"ExtensionSettings\">\n  </ImportGroup>\n  <ImportGroup Label=\"Shared\">\n  </ImportGroup>\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" 
Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <PropertyGroup Label=\"UserMacros\" />\n  <PropertyGroup />\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">\n    <ClCompile>\n      <WarningLevel>Level3</WarningLevel>\n      <Optimization>Disabled</Optimization>\n      <SDLCheck>true</SDLCheck>\n    </ClCompile>\n  </ItemDefinitionGroup>\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\n    <ClCompile>\n      <WarningLevel>Level3</WarningLevel>\n      <Optimization>Disabled</Optimization>\n      <SDLCheck>true</SDLCheck>\n    </ClCompile>\n  </ItemDefinitionGroup>\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">\n    <ClCompile>\n      <WarningLevel>Level3</WarningLevel>\n      <Optimization>MaxSpeed</Optimization>\n      <FunctionLevelLinking>true</FunctionLevelLinking>\n      <IntrinsicFunctions>true</IntrinsicFunctions>\n      <SDLCheck>true</SDLCheck>\n      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>\n      <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;WIN_X86;REFLECTIVE_DLL_EXPORTS;REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR;REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN;%(PreprocessorDefinitions)</PreprocessorDefinitions>\n    </ClCompile>\n    <Link>\n      <EnableCOMDATFolding>true</EnableCOMDATFolding>\n      <OptimizeReferences>true</OptimizeReferences>\n      <GenerateDebugInformation>false</GenerateDebugInformation>\n    </Link>\n  </ItemDefinitionGroup>\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\n    <ClCompile>\n      <WarningLevel>Level3</WarningLevel>\n      <Optimization>MaxSpeed</Optimization>\n      <FunctionLevelLinking>true</FunctionLevelLinking>\n      <IntrinsicFunctions>true</IntrinsicFunctions>\n      <SDLCheck>true</SDLCheck>\n      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>\n      
<PreprocessorDefinitions>WIN64;NDEBUG;_WINDOWS;_USRDLL;REFLECTIVE_DLL_EXPORTS;WIN_X64;REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR;REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN;%(PreprocessorDefinitions)</PreprocessorDefinitions>\n    </ClCompile>\n    <Link>\n      <EnableCOMDATFolding>true</EnableCOMDATFolding>\n      <OptimizeReferences>true</OptimizeReferences>\n      <GenerateDebugInformation>false</GenerateDebugInformation>\n    </Link>\n  </ItemDefinitionGroup>\n  <ItemGroup>\n    <ClInclude Include=\"ReflectiveDLLInjection.h\" />\n    <ClInclude Include=\"ReflectiveLoader.h\" />\n  </ItemGroup>\n  <ItemGroup>\n    <ClCompile Include=\"ReflectiveDll.cpp\" />\n    <ClCompile Include=\"ReflectiveLoader.cpp\" />\n  </ItemGroup>\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.targets\" />\n  <ImportGroup Label=\"ExtensionTargets\">\n  </ImportGroup>\n</Project>"
  },
  {
    "path": "Src/Recon-AD-Computers/Recon-AD-Computers/Recon-AD-Computers.vcxproj.filters",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project ToolsVersion=\"4.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\n  <ItemGroup>\n    <Filter Include=\"Source Files\">\n      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>\n      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>\n    </Filter>\n    <Filter Include=\"Header Files\">\n      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>\n      <Extensions>h;hh;hpp;hxx;hm;inl;inc;xsd</Extensions>\n    </Filter>\n    <Filter Include=\"Resource Files\">\n      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>\n      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>\n    </Filter>\n  </ItemGroup>\n  <ItemGroup>\n    <ClInclude Include=\"ReflectiveDLLInjection.h\">\n      <Filter>Header Files</Filter>\n    </ClInclude>\n    <ClInclude Include=\"ReflectiveLoader.h\">\n      <Filter>Header Files</Filter>\n    </ClInclude>\n  </ItemGroup>\n  <ItemGroup>\n    <ClCompile Include=\"ReflectiveLoader.cpp\">\n      <Filter>Source Files</Filter>\n    </ClCompile>\n    <ClCompile Include=\"ReflectiveDll.cpp\">\n      <Filter>Source Files</Filter>\n    </ClCompile>\n  </ItemGroup>\n</Project>"
  },
  {
    "path": "Src/Recon-AD-Computers/Recon-AD-Computers/Recon-AD-Computers.vcxproj.user",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project ToolsVersion=\"14.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\n  <PropertyGroup />\n</Project>"
  },
  {
    "path": "Src/Recon-AD-Computers/Recon-AD-Computers/ReflectiveDLLInjection.h",
    "content": "//===============================================================================================//\n// Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com)\n// All rights reserved.\n// \n// Redistribution and use in source and binary forms, with or without modification, are permitted \n// provided that the following conditions are met:\n// \n//     * Redistributions of source code must retain the above copyright notice, this list of \n// conditions and the following disclaimer.\n// \n//     * Redistributions in binary form must reproduce the above copyright notice, this list of \n// conditions and the following disclaimer in the documentation and/or other materials provided \n// with the distribution.\n// \n//     * Neither the name of Harmony Security nor the names of its contributors may be used to\n// endorse or promote products derived from this software without specific prior written permission.\n// \n// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS \"AS IS\" AND ANY EXPRESS OR \n// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND\n// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR \n// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR \n// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR \n// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY \n// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR \n// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE \n// POSSIBILITY OF SUCH DAMAGE.\n//===============================================================================================//\n#ifndef _REFLECTIVEDLLINJECTION_REFLECTIVEDLLINJECTION_H\n#define _REFLECTIVEDLLINJECTION_REFLECTIVEDLLINJECTION_H\n//===============================================================================================//\n#define WIN32_LEAN_AND_MEAN\n#include <windows.h>\n\n// we declare some common stuff in here...\n\n#define DLL_QUERY_HMODULE\t\t6\n\n#define DEREF( name )*(UINT_PTR *)(name)\n#define DEREF_64( name )*(DWORD64 *)(name)\n#define DEREF_32( name )*(DWORD *)(name)\n#define DEREF_16( name )*(WORD *)(name)\n#define DEREF_8( name )*(BYTE *)(name)\n\ntypedef ULONG_PTR(WINAPI * REFLECTIVELOADER)(VOID);\ntypedef BOOL(WINAPI * DLLMAIN)(HINSTANCE, DWORD, LPVOID);\n\n#define DLLEXPORT   __declspec( dllexport ) \n\n//===============================================================================================//\n#endif\n//===============================================================================================//\n\n"
  },
  {
    "path": "Src/Recon-AD-Computers/Recon-AD-Computers/ReflectiveDll.cpp",
    "content": "#undef  _UNICODE\n#define _UNICODE\n#undef  UNICODE\n#define UNICODE\n\n#include \"ReflectiveLoader.h\"\n#include <stdio.h>\n#include <objbase.h>\n#include <activeds.h>\n#include <sddl.h>\n\n#pragma comment(lib, \"ADSIid.lib\")\n#pragma comment(lib, \"ActiveDS.Lib\")\n\n// Note: REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR and REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN are\n// defined in the project properties (Properties->C++->Preprocessor) so as we can specify our own \n// DllMain and use the LoadRemoteLibraryR() API to inject this DLL.\n\n// You can use this value as a pseudo hinstDLL value (defined and set via ReflectiveLoader.c)\nextern HINSTANCE hAppInstance;\n\n\nint IS_BUFFER_ENOUGH(UINT maxAlloc, LPWSTR pszTarget, LPCWSTR pszSource, int toCopy = -1) {\n\tif (toCopy == -1) {\n\t\ttoCopy = wcslen(pszSource);\n\t}\n\n\treturn maxAlloc - (wcslen(pszTarget) + toCopy + 1);\n}\n\nHRESULT FindComputers(IDirectorySearch *pContainerToSearch,\t// IDirectorySearch pointer to Partitions container.\n\tLPOLESTR szFilter,\t\t\t\t\t\t\t\t\t\t// Filter for finding specific crossrefs. NULL returns all attributeSchema objects.\n\tLPOLESTR *pszPropertiesToReturn)\t\t\t\t\t\t// Properties to return for crossRef objects found. NULL returns all set properties.\n{\n\tif (!pContainerToSearch)\n\t\treturn E_POINTER;\n\n\t// Create search filter\n\tLPOLESTR pszSearchFilter = new OLECHAR[MAX_PATH * 2];\n\tif (!pszSearchFilter)\n\t\treturn E_OUTOFMEMORY;\n\twchar_t szFormat[] = L\"(&(objectCategory=computer)(objectClass=computer)%s)\";\n\n\t// Check the buffer first\n\tif (IS_BUFFER_ENOUGH(MAX_PATH * 2, szFormat, szFilter) > 0)\n\t{\n\t\t// Add the filter.\n\t\tswprintf_s(pszSearchFilter, MAX_PATH * 2, szFormat, szFilter);\n\t}\n\telse\n\t{\n\t\twprintf(L\"[!] 
The filter is too large for buffer, aborting...\");\n\t\tdelete[] pszSearchFilter;\n\t\treturn FALSE;\n\t}\n\n\t// Specify subtree search\n\tADS_SEARCHPREF_INFO SearchPrefs;\n\tSearchPrefs.dwSearchPref = ADS_SEARCHPREF_SEARCH_SCOPE;\n\tSearchPrefs.vValue.dwType = ADSTYPE_INTEGER;\n\tSearchPrefs.vValue.Integer = ADS_SCOPE_SUBTREE;\n\tDWORD dwNumPrefs = 1;\n\n\t// COL for iterations\n\tLPOLESTR pszColumn = NULL;\n\tADS_SEARCH_COLUMN col;\n\tHRESULT hr;\n\n\t// Interface Pointers\n\tIADs *pObj = NULL;\n\tIADs *pIADs = NULL;\n\n\t// Handle used for searching\n\tADS_SEARCH_HANDLE hSearch = NULL;\n\n\t// Set the search preference\n\thr = pContainerToSearch->SetSearchPreference(&SearchPrefs, dwNumPrefs);\n\tif (FAILED(hr))\n\t{\n\t\tdelete[] pszSearchFilter;\n\t\treturn hr;\n\t}\n\n\tLPOLESTR pszBool = NULL;\n\tDWORD dwBool;\n\tPSID pObjectSID = NULL;\n\tLPOLESTR szSID = NULL;\n\tLPOLESTR szDSGUID = new WCHAR[39];\n\tLPGUID pObjectGUID = NULL;\n\tFILETIME filetime;\n\tSYSTEMTIME systemtime;\n\tDATE date;\n\tVARIANT varDate;\n\tLARGE_INTEGER liValue;\n\tLPOLESTR *pszPropertyList = NULL;\n\n\tint iCount = 0;\n\tDWORD x = 0L;\n\n\tif (!pszPropertiesToReturn)\n\t{\n\t\t// Return all properties.\n\t\thr = pContainerToSearch->ExecuteSearch(pszSearchFilter,\n\t\t\tNULL,\n\t\t\t-1L,\n\t\t\t&hSearch);\n\t}\n\telse\n\t{\n\t\t// Specified subset.\n\t\tpszPropertyList = pszPropertiesToReturn;\n\n\t\t// Return specified properties\n\t\thr = pContainerToSearch->ExecuteSearch(pszSearchFilter,\n\t\t\tpszPropertyList,\n\t\t\tsizeof(pszPropertyList) / sizeof(LPOLESTR),\n\t\t\t&hSearch);\n\t}\n\n\tif (SUCCEEDED(hr))\n\t{\n\t\t// Call IDirectorySearch::GetNextRow() to retrieve the next row of data\n\t\thr = pContainerToSearch->GetFirstRow(hSearch);\n\t\tif (SUCCEEDED(hr))\n\t\t{\n\t\t\twhile (hr != S_ADS_NOMORE_ROWS)\n\t\t\t{\n\t\t\t\t// Keep track of 
count.\n\t\t\t\tiCount++;\n\t\t\t\t\t\n\t\t\t\twprintf(L\"--------------------------------------------------------------------\\n\");\n\t\t\t\t\n\t\t\t\t// Loop through the array of passed column names, print the data for each column\n\t\t\t\twhile (pContainerToSearch->GetNextColumnName(hSearch, &pszColumn) != S_ADS_NOMORE_COLUMNS)\n\t\t\t\t{\n\t\t\t\t\thr = pContainerToSearch->GetColumn(hSearch, pszColumn, &col);\n\t\t\t\t\tif (SUCCEEDED(hr))\n\t\t\t\t\t{\n\t\t\t\t\t\t// Print the data for the column and free the column\n\t\t\t\t\t\t// Get the data for this column\n\t\t\t\t\t\twprintf(L\"[+] %s:\\n\", col.pszAttrName);\n\t\t\t\t\t\tswitch (col.dwADsType)\n\t\t\t\t\t\t{\n\t\t\t\t\t\tcase ADSTYPE_DN_STRING:\n\t\t\t\t\t\t\tfor (x = 0; x< col.dwNumValues; x++)\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\twprintf(L\"    %s\\r\\n\", col.pADsValues[x].DNString);\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\tcase ADSTYPE_CASE_EXACT_STRING:\n\t\t\t\t\t\tcase ADSTYPE_CASE_IGNORE_STRING:\n\t\t\t\t\t\tcase ADSTYPE_PRINTABLE_STRING:\n\t\t\t\t\t\tcase ADSTYPE_NUMERIC_STRING:\n\t\t\t\t\t\tcase ADSTYPE_TYPEDNAME:\n\t\t\t\t\t\tcase ADSTYPE_FAXNUMBER:\n\t\t\t\t\t\tcase ADSTYPE_PATH:\n\t\t\t\t\t\tcase ADSTYPE_OBJECT_CLASS:\n\t\t\t\t\t\t\tfor (x = 0; x< col.dwNumValues; x++)\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\twprintf(L\"    %s\\r\\n\", col.pADsValues[x].CaseIgnoreString);\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\tcase ADSTYPE_BOOLEAN:\n\t\t\t\t\t\t\tfor (x = 0; x< col.dwNumValues; x++)\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\tdwBool = col.pADsValues[x].Boolean;\n\t\t\t\t\t\t\t\tpszBool = dwBool ? 
L\"TRUE\" : L\"FALSE\";\n\t\t\t\t\t\t\t\twprintf(L\"    %s\\r\\n\", pszBool);\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\tcase ADSTYPE_INTEGER:\n\t\t\t\t\t\t\tfor (x = 0; x< col.dwNumValues; x++)\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\twprintf(L\"    %d\\r\\n\", col.pADsValues[x].Integer);\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\tcase ADSTYPE_OCTET_STRING:\n\t\t\t\t\t\t\tif (_wcsicmp(col.pszAttrName, L\"objectSID\") == 0)\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\tfor (x = 0; x< col.dwNumValues; x++)\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tpObjectSID = (PSID)(col.pADsValues[x].OctetString.lpValue);\n\t\t\t\t\t\t\t\t\t// Convert SID to string.\n\t\t\t\t\t\t\t\t\tConvertSidToStringSid(pObjectSID, &szSID);\n\t\t\t\t\t\t\t\t\twprintf(L\"    %s\\r\\n\", szSID);\n\t\t\t\t\t\t\t\t\tLocalFree(szSID);\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\telse if ((_wcsicmp(col.pszAttrName, L\"objectGUID\") == 0))\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\tfor (x = 0; x< col.dwNumValues; x++)\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t// Cast to LPGUID\n\t\t\t\t\t\t\t\t\tpObjectGUID = (LPGUID)(col.pADsValues[x].OctetString.lpValue);\n\t\t\t\t\t\t\t\t\t// Convert GUID to string.\n\t\t\t\t\t\t\t\t\t::StringFromGUID2(*pObjectGUID, szDSGUID, 39);\n\t\t\t\t\t\t\t\t\t// Print the GUID\n\t\t\t\t\t\t\t\t\twprintf(L\"    %s\\r\\n\", szDSGUID);\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\telse\n\t\t\t\t\t\t\t\twprintf(L\"    Value of type Octet String. 
No Conversion.\\n\");\n\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\tcase ADSTYPE_UTC_TIME:\n\t\t\t\t\t\t\tfor (x = 0; x< col.dwNumValues; x++)\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\tsystemtime = col.pADsValues[x].UTCTime;\n\t\t\t\t\t\t\t\tif (SystemTimeToVariantTime(&systemtime,\n\t\t\t\t\t\t\t\t\t&date) != 0)\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t// Pack in variant.vt\n\t\t\t\t\t\t\t\t\tvarDate.vt = VT_DATE;\n\t\t\t\t\t\t\t\t\tvarDate.date = date;\n\t\t\t\t\t\t\t\t\tVariantChangeType(&varDate, &varDate, VARIANT_NOVALUEPROP, VT_BSTR);\n\t\t\t\t\t\t\t\t\twprintf(L\"    %s\\r\\n\", varDate.bstrVal);\n\t\t\t\t\t\t\t\t\tVariantClear(&varDate);\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\telse\n\t\t\t\t\t\t\t\t\twprintf(L\"[!] Could not convert UTC-Time.\\n\");\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\tcase ADSTYPE_LARGE_INTEGER:\n\t\t\t\t\t\t\tfor (x = 0; x< col.dwNumValues; x++)\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\tliValue = col.pADsValues[x].LargeInteger;\n\t\t\t\t\t\t\t\tfiletime.dwLowDateTime = liValue.LowPart;\n\t\t\t\t\t\t\t\tfiletime.dwHighDateTime = liValue.HighPart;\n\t\t\t\t\t\t\t\tif ((filetime.dwHighDateTime == 0) && (filetime.dwLowDateTime == 0))\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\twprintf(L\"    No value set.\\n\");\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\telse\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t// Check for properties of type LargeInteger that represent time\n\t\t\t\t\t\t\t\t\t// if TRUE, then convert to variant time.\n\t\t\t\t\t\t\t\t\tif ((0 == wcscmp(L\"accountExpires\", col.pszAttrName)) |\n\t\t\t\t\t\t\t\t\t\t(0 == wcscmp(L\"badPasswordTime\", col.pszAttrName)) ||\n\t\t\t\t\t\t\t\t\t\t(0 == wcscmp(L\"lastLogon\", col.pszAttrName)) ||\n\t\t\t\t\t\t\t\t\t\t(0 == wcscmp(L\"lastLogoff\", col.pszAttrName)) ||\n\t\t\t\t\t\t\t\t\t\t(0 == wcscmp(L\"lockoutTime\", col.pszAttrName)) ||\n\t\t\t\t\t\t\t\t\t\t(0 == wcscmp(L\"pwdLastSet\", col.pszAttrName))\n\t\t\t\t\t\t\t\t\t\t)\n\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t// Handle special case for Never Expires where low part is 
-1\n\t\t\t\t\t\t\t\t\t\tif (filetime.dwLowDateTime == -1)\n\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\twprintf(L\"    Never Expires.\\n\");\n\t\t\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t\t\telse\n\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\tif (FileTimeToLocalFileTime(&filetime, &filetime) != 0)\n\t\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\t\tif (FileTimeToSystemTime(&filetime,\n\t\t\t\t\t\t\t\t\t\t\t\t\t&systemtime) != 0)\n\t\t\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\t\t\tif (SystemTimeToVariantTime(&systemtime,\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t&date) != 0)\n\t\t\t\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t// Pack in variant.vt\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tvarDate.vt = VT_DATE;\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tvarDate.date = date;\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tVariantChangeType(&varDate, &varDate, VARIANT_NOVALUEPROP, VT_BSTR);\n\t\t\t\t\t\t\t\t\t\t\t\t\t\twprintf(L\"    %s\\r\\n\", varDate.bstrVal);\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tVariantClear(&varDate);\n\t\t\t\t\t\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t\t\t\t\t\telse\n\t\t\t\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\t\t\t\twprintf(L\"    FileTimeToVariantTime failed\\n\");\n\t\t\t\t\t\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t\t\t\t\telse\n\t\t\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\t\t\twprintf(L\"    FileTimeToSystemTime failed\\n\");\n\t\t\t\t\t\t\t\t\t\t\t\t}\n\n\t\t\t\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t\t\t\telse\n\t\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\t\twprintf(L\"    FileTimeToLocalFileTime failed\\n\");\n\t\t\t\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t\telse\n\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t// Print the LargeInteger.\n\t\t\t\t\t\t\t\t\t\twprintf(L\"    high: %d low: %d\\r\\n\", filetime.dwHighDateTime, filetime.dwLowDateTime);\n\t\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\tcase ADSTYPE_NT_SECURITY_DESCRIPTOR:\n\t\t\t\t\t\t\tfor (x = 0; x< col.dwNumValues; 
x++)\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\twprintf(L\"    Security descriptor.\\n\");\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\tdefault:\n\t\t\t\t\t\t\twprintf(L\"[!] Unknown type %d.\\n\", col.dwADsType);\n\t\t\t\t\t\t}\n\n\t\t\t\t\t\tpContainerToSearch->FreeColumn(&col);\n\t\t\t\t\t}\n\t\t\t\t\tCoTaskMemFree(pszColumn);\n\t\t\t\t}\n\n\t\t\t\t// Get the next row\n\t\t\t\thr = pContainerToSearch->GetNextRow(hSearch);\n\t\t\t}\n\t\t}\n\t\t// Close the search handle to clean up\n\t\tpContainerToSearch->CloseSearchHandle(hSearch);\n\t}\n\tif (SUCCEEDED(hr) && 0 == iCount)\n\t\thr = S_FALSE;\n\n\twprintf(L\"--------------------------------------------------------------------\\n\");\n\n\tdelete[] pszSearchFilter;\n\treturn hr;\n}\n\n\nBOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved)\n{\n\tBOOL bReturnValue = TRUE;\n\tLPWSTR pwszParams = (LPWSTR)calloc(strlen((LPSTR)lpReserved) + 1, sizeof(WCHAR));\n\tsize_t convertedChars = 0;\n\tsize_t newsize = strlen((LPSTR)lpReserved) + 1;\n\n\tswitch (dwReason)\n\t{\n\tcase DLL_QUERY_HMODULE:\n\t\tif (lpReserved != NULL)\n\t\t\t*(HMODULE *)lpReserved = hAppInstance;\n\t\tbreak;\n\tcase DLL_PROCESS_ATTACH:\n\t\thAppInstance = hinstDLL;\n\n\t\tif (lpReserved != NULL) {\n\n\t\t\t// Handle the command line arguments.\n\t\t\tint maxAlloc = MAX_PATH * 2;\n\t\t\tLPOLESTR pszBuffer = new OLECHAR[maxAlloc];\n\t\t\tmbstowcs_s(&convertedChars, pwszParams, newsize, (LPSTR)lpReserved, _TRUNCATE);\n\t\t\twcscpy_s(pszBuffer, maxAlloc, pwszParams);\n\n\t\t\t// Initialize COM\n\t\t\tCoInitialize(NULL);\n\t\t\tHRESULT hr = S_OK;\n\n\t\t\t// Get rootDSE and the current user's domain container DN.\n\t\t\tIADs *pObject = NULL;\n\t\t\tIDirectorySearch *pContainerToSearch = NULL;\n\t\t\tLPOLESTR szPath = new OLECHAR[MAX_PATH];\n\t\t\tVARIANT var;\n\t\t\thr = ADsOpenObject(L\"LDAP://rootDSE\",\n\t\t\t\tNULL,\n\t\t\t\tNULL,\n\t\t\t\tADS_SECURE_AUTHENTICATION, // Use Secure 
Authentication\n\t\t\t\tIID_IADs,\n\t\t\t\t(void**)&pObject);\n\t\t\tif (FAILED(hr))\n\t\t\t{\n\t\t\t\twprintf(L\"[!] Could not execute query. Could not bind to LDAP://rootDSE.\\n\");\n\t\t\t\tif (pObject)\n\t\t\t\t\tpObject->Release();\n\t\t\t\tdelete[] pszBuffer;\n\t\t\t\tdelete[] szPath;\n\t\t\t\tCoUninitialize();\n\n\t\t\t\t// Flush STDOUT\n\t\t\t\tfflush(stdout);\n\n\t\t\t\t// We're done, so let's exit\n\t\t\t\tExitProcess(0);\n\t\t\t}\n\t\t\tif (SUCCEEDED(hr))\n\t\t\t{\n\t\t\t\thr = pObject->Get(L\"defaultNamingContext\", &var);\n\t\t\t\tif (SUCCEEDED(hr))\n\t\t\t\t{\n\t\t\t\t\t// Build path to the domain container.\n\t\t\t\t\twcscpy_s(szPath, MAX_PATH, L\"LDAP://\");\n\t\t\t\t\tif (IS_BUFFER_ENOUGH(MAX_PATH, szPath, var.bstrVal) > 0)\n\t\t\t\t\t{\n\t\t\t\t\t\twcscat_s(szPath, MAX_PATH, var.bstrVal);\n\t\t\t\t\t}\n\t\t\t\t\telse\n\t\t\t\t\t{\n\t\t\t\t\t\twprintf(L\"[!] Buffer is too small for the domain DN\");\n\t\t\t\t\t\tdelete[] pszBuffer;\n\t\t\t\t\t\tdelete[] szPath;\n\t\t\t\t\t\tCoUninitialize();\n\n\t\t\t\t\t\t// Flush STDOUT\n\t\t\t\t\t\tfflush(stdout);\n\n\t\t\t\t\t\t// We're done, so let's exit\n\t\t\t\t\t\tExitProcess(0);\n\t\t\t\t\t}\n\n\t\t\t\t\thr = ADsOpenObject(szPath,\n\t\t\t\t\t\tNULL,\n\t\t\t\t\t\tNULL,\n\t\t\t\t\t\tADS_SECURE_AUTHENTICATION, // Use Secure Authentication\n\t\t\t\t\t\tIID_IDirectorySearch,\n\t\t\t\t\t\t(void**)&pContainerToSearch);\n\n\t\t\t\t\tif (SUCCEEDED(hr))\n\t\t\t\t\t{\n\t\t\t\t\t\thr = FindComputers(pContainerToSearch, // IDirectorySearch pointer to Partitions container.\n\t\t\t\t\t\t\tpszBuffer,\n\t\t\t\t\t\t\tNULL\t//Return all properties\n\t\t\t\t\t\t);\n\t\t\t\t\t\tif (SUCCEEDED(hr))\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tif (S_FALSE == hr)\n\t\t\t\t\t\t\t\twprintf(L\"[!] No computer object could be found.\\n\");\n\t\t\t\t\t\t}\n\t\t\t\t\t\telse if (0x8007203e == hr)\n\t\t\t\t\t\t\twprintf(L\"[!] Could not execute query. An invalid filter was specified.\\n\");\n\t\t\t\t\t\telse\n\t\t\t\t\t\t\twprintf(L\"[!] 
Query failed to run. HRESULT: %x\\n\", hr);\n\t\t\t\t\t}\n\t\t\t\t\telse\n\t\t\t\t\t{\n\t\t\t\t\t\twprintf(L\"[!] Could not execute query. Could not bind to the container.\\n\");\n\t\t\t\t\t}\n\t\t\t\t\tif (pContainerToSearch)\n\t\t\t\t\t\tpContainerToSearch->Release();\n\t\t\t\t}\n\t\t\t\tVariantClear(&var);\n\t\t\t}\n\t\t\tif (pObject)\n\t\t\t\tpObject->Release();\n\n\t\t\tdelete[] pszBuffer;\n\t\t\tdelete[] szPath;\n\n\t\t\t// Uninitialize COM\n\t\t\tCoUninitialize();\n\t\t}\n\n\t\t// Flush STDOUT\n\t\tfflush(stdout);\n\n\t\t// We're done, so let's exit\n\t\tExitProcess(0);\n\t\tbreak;\n\tcase DLL_PROCESS_DETACH:\n\tcase DLL_THREAD_ATTACH:\n\tcase DLL_THREAD_DETACH:\n\t\tbreak;\n\t}\n\treturn bReturnValue;\n}\n"
  },
  {
    "path": "Src/Recon-AD-Computers/Recon-AD-Computers/ReflectiveLoader.cpp",
    "content": "//===============================================================================================//\n// Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com)\n// All rights reserved.\n// \n// Redistribution and use in source and binary forms, with or without modification, are permitted \n// provided that the following conditions are met:\n// \n//     * Redistributions of source code must retain the above copyright notice, this list of \n// conditions and the following disclaimer.\n// \n//     * Redistributions in binary form must reproduce the above copyright notice, this list of \n// conditions and the following disclaimer in the documentation and/or other materials provided \n// with the distribution.\n// \n//     * Neither the name of Harmony Security nor the names of its contributors may be used to\n// endorse or promote products derived from this software without specific prior written permission.\n// \n// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS \"AS IS\" AND ANY EXPRESS OR \n// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND\n// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR \n// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR \n// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR \n// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY \n// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR \n// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE \n// POSSIBILITY OF SUCH DAMAGE.\n//===============================================================================================//\n#include \"ReflectiveLoader.h\"\n//===============================================================================================//\n// Our loader will set this to a pseudo correct HINSTANCE/HMODULE value\nHINSTANCE hAppInstance = NULL;\n//===============================================================================================//\n#pragma intrinsic( _ReturnAddress )\n// This function can not be inlined by the compiler or we will not get the address we expect. Ideally \n// this code will be compiled with the /O2 and /Ob1 switches. 
Bonus points if we could take advantage of \n// RIP relative addressing in this instance but I dont believe we can do so with the compiler intrinsics \n// available (and no inline asm available under x64).\n__declspec(noinline) ULONG_PTR caller(VOID) { return (ULONG_PTR)_ReturnAddress(); }\n//===============================================================================================//\n\n// Note 1: If you want to have your own DllMain, define REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN,  \n//         otherwise the DllMain at the end of this file will be used.\n\n// Note 2: If you are injecting the DLL via LoadRemoteLibraryR, define REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR,\n//         otherwise it is assumed you are calling the ReflectiveLoader via a stub.\n\n// This is our position independent reflective DLL loader/injector\n#ifdef REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR\nDLLEXPORT ULONG_PTR WINAPI ReflectiveLoader(LPVOID lpParameter)\n#else\nDLLEXPORT ULONG_PTR WINAPI ReflectiveLoader(VOID)\n#endif\n{\n\t// the functions we need\n\tLOADLIBRARYA pLoadLibraryA = NULL;\n\tGETPROCADDRESS pGetProcAddress = NULL;\n\tVIRTUALALLOC pVirtualAlloc = NULL;\n\tNTFLUSHINSTRUCTIONCACHE pNtFlushInstructionCache = NULL;\n\n\tUSHORT usCounter;\n\n\t// the initial location of this image in memory\n\tULONG_PTR uiLibraryAddress;\n\t// the kernels base address and later this images newly loaded base address\n\tULONG_PTR uiBaseAddress;\n\n\t// variables for processing the kernels export table\n\tULONG_PTR uiAddressArray;\n\tULONG_PTR uiNameArray;\n\tULONG_PTR uiExportDir;\n\tULONG_PTR uiNameOrdinals;\n\tDWORD dwHashValue;\n\n\t// variables for loading this image\n\tULONG_PTR uiHeaderValue;\n\tULONG_PTR uiValueA;\n\tULONG_PTR uiValueB;\n\tULONG_PTR uiValueC;\n\tULONG_PTR uiValueD;\n\tULONG_PTR uiValueE;\n\n\t// STEP 0: calculate our images current base address\n\n\t// we will start searching backwards from our callers return address.\n\tuiLibraryAddress = caller();\n\n\t// loop 
through memory backwards searching for our images base address\n\t// we dont need SEH style search as we shouldnt generate any access violations with this\n\twhile (TRUE)\n\t{\n\t\tif (((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_magic == IMAGE_DOS_SIGNATURE)\n\t\t{\n\t\t\tuiHeaderValue = ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew;\n\t\t\t// some x64 dll's can trigger a bogus signature (IMAGE_DOS_SIGNATURE == 'POP r10'),\n\t\t\t// we sanity check the e_lfanew with an upper threshold value of 1024 to avoid problems.\n\t\t\tif (uiHeaderValue >= sizeof(IMAGE_DOS_HEADER) && uiHeaderValue < 1024)\n\t\t\t{\n\t\t\t\tuiHeaderValue += uiLibraryAddress;\n\t\t\t\t// break if we have found a valid MZ/PE header\n\t\t\t\tif (((PIMAGE_NT_HEADERS)uiHeaderValue)->Signature == IMAGE_NT_SIGNATURE)\n\t\t\t\t\tbreak;\n\t\t\t}\n\t\t}\n\t\tuiLibraryAddress--;\n\t}\n\n\t// STEP 1: process the kernels exports for the functions our loader needs...\n\n\t// get the Process Enviroment Block\n#ifdef WIN_X64\n\tuiBaseAddress = __readgsqword(0x60);\n#else\n#ifdef WIN_X86\n\tuiBaseAddress = __readfsdword(0x30);\n#else WIN_ARM\n\tuiBaseAddress = *(DWORD *)((BYTE *)_MoveFromCoprocessor(15, 0, 13, 0, 2) + 0x30);\n#endif\n#endif\n\n\t// get the processes loaded modules. 
ref: http://msdn.microsoft.com/en-us/library/aa813708(VS.85).aspx\n\tuiBaseAddress = (ULONG_PTR)((_PPEB)uiBaseAddress)->pLdr;\n\n\t// get the first entry of the InMemoryOrder module list\n\tuiValueA = (ULONG_PTR)((PPEB_LDR_DATA)uiBaseAddress)->InMemoryOrderModuleList.Flink;\n\twhile (uiValueA)\n\t{\n\t\t// get pointer to current modules name (unicode string)\n\t\tuiValueB = (ULONG_PTR)((PLDR_DATA_TABLE_ENTRY)uiValueA)->BaseDllName.pBuffer;\n\t\t// set bCounter to the length for the loop\n\t\tusCounter = ((PLDR_DATA_TABLE_ENTRY)uiValueA)->BaseDllName.Length;\n\t\t// clear uiValueC which will store the hash of the module name\n\t\tuiValueC = 0;\n\n\t\t// compute the hash of the module name...\n\t\tdo\n\t\t{\n\t\t\tuiValueC = ror((DWORD)uiValueC);\n\t\t\t// normalize to uppercase if the madule name is in lowercase\n\t\t\tif (*((BYTE *)uiValueB) >= 'a')\n\t\t\t\tuiValueC += *((BYTE *)uiValueB) - 0x20;\n\t\t\telse\n\t\t\t\tuiValueC += *((BYTE *)uiValueB);\n\t\t\tuiValueB++;\n\t\t} while (--usCounter);\n\n\t\t// compare the hash with that of kernel32.dll\n\t\tif ((DWORD)uiValueC == KERNEL32DLL_HASH)\n\t\t{\n\t\t\t// get this modules base address\n\t\t\tuiBaseAddress = (ULONG_PTR)((PLDR_DATA_TABLE_ENTRY)uiValueA)->DllBase;\n\n\t\t\t// get the VA of the modules NT Header\n\t\t\tuiExportDir = uiBaseAddress + ((PIMAGE_DOS_HEADER)uiBaseAddress)->e_lfanew;\n\n\t\t\t// uiNameArray = the address of the modules export directory entry\n\t\t\tuiNameArray = (ULONG_PTR)&((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];\n\n\t\t\t// get the VA of the export directory\n\t\t\tuiExportDir = (uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiNameArray)->VirtualAddress);\n\n\t\t\t// get the VA for the array of name pointers\n\t\t\tuiNameArray = (uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY)uiExportDir)->AddressOfNames);\n\n\t\t\t// get the VA for the array of name ordinals\n\t\t\tuiNameOrdinals = (uiBaseAddress + 
((PIMAGE_EXPORT_DIRECTORY)uiExportDir)->AddressOfNameOrdinals);\n\n\t\t\tusCounter = 3;\n\n\t\t\t// loop while we still have imports to find\n\t\t\twhile (usCounter > 0)\n\t\t\t{\n\t\t\t\t// compute the hash values for this function name\n\t\t\t\tdwHashValue = hash((char *)(uiBaseAddress + DEREF_32(uiNameArray)));\n\n\t\t\t\t// if we have found a function we want we get its virtual address\n\t\t\t\tif (dwHashValue == LOADLIBRARYA_HASH || dwHashValue == GETPROCADDRESS_HASH || dwHashValue == VIRTUALALLOC_HASH)\n\t\t\t\t{\n\t\t\t\t\t// get the VA for the array of addresses\n\t\t\t\t\tuiAddressArray = (uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY)uiExportDir)->AddressOfFunctions);\n\n\t\t\t\t\t// use this functions name ordinal as an index into the array of name pointers\n\t\t\t\t\tuiAddressArray += (DEREF_16(uiNameOrdinals) * sizeof(DWORD));\n\n\t\t\t\t\t// store this functions VA\n\t\t\t\t\tif (dwHashValue == LOADLIBRARYA_HASH)\n\t\t\t\t\t\tpLoadLibraryA = (LOADLIBRARYA)(uiBaseAddress + DEREF_32(uiAddressArray));\n\t\t\t\t\telse if (dwHashValue == GETPROCADDRESS_HASH)\n\t\t\t\t\t\tpGetProcAddress = (GETPROCADDRESS)(uiBaseAddress + DEREF_32(uiAddressArray));\n\t\t\t\t\telse if (dwHashValue == VIRTUALALLOC_HASH)\n\t\t\t\t\t\tpVirtualAlloc = (VIRTUALALLOC)(uiBaseAddress + DEREF_32(uiAddressArray));\n\n\t\t\t\t\t// decrement our counter\n\t\t\t\t\tusCounter--;\n\t\t\t\t}\n\n\t\t\t\t// get the next exported function name\n\t\t\t\tuiNameArray += sizeof(DWORD);\n\n\t\t\t\t// get the next exported function name ordinal\n\t\t\t\tuiNameOrdinals += sizeof(WORD);\n\t\t\t}\n\t\t}\n\t\telse if ((DWORD)uiValueC == NTDLLDLL_HASH)\n\t\t{\n\t\t\t// get this modules base address\n\t\t\tuiBaseAddress = (ULONG_PTR)((PLDR_DATA_TABLE_ENTRY)uiValueA)->DllBase;\n\n\t\t\t// get the VA of the modules NT Header\n\t\t\tuiExportDir = uiBaseAddress + ((PIMAGE_DOS_HEADER)uiBaseAddress)->e_lfanew;\n\n\t\t\t// uiNameArray = the address of the modules export directory entry\n\t\t\tuiNameArray = 
(ULONG_PTR)&((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];\n\n\t\t\t// get the VA of the export directory\n\t\t\tuiExportDir = (uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiNameArray)->VirtualAddress);\n\n\t\t\t// get the VA for the array of name pointers\n\t\t\tuiNameArray = (uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY)uiExportDir)->AddressOfNames);\n\n\t\t\t// get the VA for the array of name ordinals\n\t\t\tuiNameOrdinals = (uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY)uiExportDir)->AddressOfNameOrdinals);\n\n\t\t\tusCounter = 1;\n\n\t\t\t// loop while we still have imports to find\n\t\t\twhile (usCounter > 0)\n\t\t\t{\n\t\t\t\t// compute the hash values for this function name\n\t\t\t\tdwHashValue = hash((char *)(uiBaseAddress + DEREF_32(uiNameArray)));\n\n\t\t\t\t// if we have found a function we want we get its virtual address\n\t\t\t\tif (dwHashValue == NTFLUSHINSTRUCTIONCACHE_HASH)\n\t\t\t\t{\n\t\t\t\t\t// get the VA for the array of addresses\n\t\t\t\t\tuiAddressArray = (uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY)uiExportDir)->AddressOfFunctions);\n\n\t\t\t\t\t// use this functions name ordinal as an index into the array of name pointers\n\t\t\t\t\tuiAddressArray += (DEREF_16(uiNameOrdinals) * sizeof(DWORD));\n\n\t\t\t\t\t// store this functions VA\n\t\t\t\t\tif (dwHashValue == NTFLUSHINSTRUCTIONCACHE_HASH)\n\t\t\t\t\t\tpNtFlushInstructionCache = (NTFLUSHINSTRUCTIONCACHE)(uiBaseAddress + DEREF_32(uiAddressArray));\n\n\t\t\t\t\t// decrement our counter\n\t\t\t\t\tusCounter--;\n\t\t\t\t}\n\n\t\t\t\t// get the next exported function name\n\t\t\t\tuiNameArray += sizeof(DWORD);\n\n\t\t\t\t// get the next exported function name ordinal\n\t\t\t\tuiNameOrdinals += sizeof(WORD);\n\t\t\t}\n\t\t}\n\n\t\t// we stop searching when we have found everything we need.\n\t\tif (pLoadLibraryA && pGetProcAddress && pVirtualAlloc && pNtFlushInstructionCache)\n\t\t\tbreak;\n\n\t\t// get the next entry\n\t\tuiValueA = 
DEREF(uiValueA);\n\t}\n\n\t// STEP 2: load our image into a new permanent location in memory...\n\n\t// get the VA of the NT Header for the PE to be loaded\n\tuiHeaderValue = uiLibraryAddress + ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew;\n\n\t// allocate all the memory for the DLL to be loaded into. we can load at any address because we will  \n\t// relocate the image. Also zeros all memory and marks it as READ, WRITE and EXECUTE to avoid any problems.\n\tuiBaseAddress = (ULONG_PTR)pVirtualAlloc(NULL, ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.SizeOfImage, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);\n\n\t// we must now copy over the headers\n\tuiValueA = ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.SizeOfHeaders;\n\tuiValueB = uiLibraryAddress;\n\tuiValueC = uiBaseAddress;\n\n\twhile (uiValueA--)\n\t\t*(BYTE *)uiValueC++ = *(BYTE *)uiValueB++;\n\n\t// STEP 3: load in all of our sections...\n\n\t// uiValueA = the VA of the first section\n\tuiValueA = ((ULONG_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader + ((PIMAGE_NT_HEADERS)uiHeaderValue)->FileHeader.SizeOfOptionalHeader);\n\n\t// itterate through all sections, loading them into memory.\n\tuiValueE = ((PIMAGE_NT_HEADERS)uiHeaderValue)->FileHeader.NumberOfSections;\n\twhile (uiValueE--)\n\t{\n\t\t// uiValueB is the VA for this section\n\t\tuiValueB = (uiBaseAddress + ((PIMAGE_SECTION_HEADER)uiValueA)->VirtualAddress);\n\n\t\t// uiValueC if the VA for this sections data\n\t\tuiValueC = (uiLibraryAddress + ((PIMAGE_SECTION_HEADER)uiValueA)->PointerToRawData);\n\n\t\t// copy the section over\n\t\tuiValueD = ((PIMAGE_SECTION_HEADER)uiValueA)->SizeOfRawData;\n\n\t\twhile (uiValueD--)\n\t\t\t*(BYTE *)uiValueB++ = *(BYTE *)uiValueC++;\n\n\t\t// get the VA of the next section\n\t\tuiValueA += sizeof(IMAGE_SECTION_HEADER);\n\t}\n\n\t// STEP 4: process our images import table...\n\n\t// uiValueB = the address of the import directory\n\tuiValueB = 
(ULONG_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];\n\n\t// we assume their is an import table to process\n\t// uiValueC is the first entry in the import table\n\tuiValueC = (uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiValueB)->VirtualAddress);\n\n\t// itterate through all imports\n\twhile (((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->Name)\n\t{\n\t\t// use LoadLibraryA to load the imported module into memory\n\t\tuiLibraryAddress = (ULONG_PTR)pLoadLibraryA((LPCSTR)(uiBaseAddress + ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->Name));\n\n\t\t// uiValueD = VA of the OriginalFirstThunk\n\t\tuiValueD = (uiBaseAddress + ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->OriginalFirstThunk);\n\n\t\t// uiValueA = VA of the IAT (via first thunk not origionalfirstthunk)\n\t\tuiValueA = (uiBaseAddress + ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->FirstThunk);\n\n\t\t// itterate through all imported functions, importing by ordinal if no name present\n\t\twhile (DEREF(uiValueA))\n\t\t{\n\t\t\t// sanity check uiValueD as some compilers only import by FirstThunk\n\t\t\tif (uiValueD && ((PIMAGE_THUNK_DATA)uiValueD)->u1.Ordinal & IMAGE_ORDINAL_FLAG)\n\t\t\t{\n\t\t\t\t// get the VA of the modules NT Header\n\t\t\t\tuiExportDir = uiLibraryAddress + ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew;\n\n\t\t\t\t// uiNameArray = the address of the modules export directory entry\n\t\t\t\tuiNameArray = (ULONG_PTR)&((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];\n\n\t\t\t\t// get the VA of the export directory\n\t\t\t\tuiExportDir = (uiLibraryAddress + ((PIMAGE_DATA_DIRECTORY)uiNameArray)->VirtualAddress);\n\n\t\t\t\t// get the VA for the array of addresses\n\t\t\t\tuiAddressArray = (uiLibraryAddress + ((PIMAGE_EXPORT_DIRECTORY)uiExportDir)->AddressOfFunctions);\n\n\t\t\t\t// use the import ordinal (- export ordinal base) as an index into the array of addresses\n\t\t\t\tuiAddressArray += 
((IMAGE_ORDINAL(((PIMAGE_THUNK_DATA)uiValueD)->u1.Ordinal) - ((PIMAGE_EXPORT_DIRECTORY)uiExportDir)->Base) * sizeof(DWORD));\n\n\t\t\t\t// patch in the address for this imported function\n\t\t\t\tDEREF(uiValueA) = (uiLibraryAddress + DEREF_32(uiAddressArray));\n\t\t\t}\n\t\t\telse\n\t\t\t{\n\t\t\t\t// get the VA of this functions import by name struct\n\t\t\t\tuiValueB = (uiBaseAddress + DEREF(uiValueA));\n\n\t\t\t\t// use GetProcAddress and patch in the address for this imported function\n\t\t\t\tDEREF(uiValueA) = (ULONG_PTR)pGetProcAddress((HMODULE)uiLibraryAddress, (LPCSTR)((PIMAGE_IMPORT_BY_NAME)uiValueB)->Name);\n\t\t\t}\n\t\t\t// get the next imported function\n\t\t\tuiValueA += sizeof(ULONG_PTR);\n\t\t\tif (uiValueD)\n\t\t\t\tuiValueD += sizeof(ULONG_PTR);\n\t\t}\n\n\t\t// get the next import\n\t\tuiValueC += sizeof(IMAGE_IMPORT_DESCRIPTOR);\n\t}\n\n\t// STEP 5: process all of our images relocations...\n\n\t// calculate the base address delta and perform relocations (even if we load at desired image base)\n\tuiLibraryAddress = uiBaseAddress - ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.ImageBase;\n\n\t// uiValueB = the address of the relocation directory\n\tuiValueB = (ULONG_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC];\n\n\t// check if their are any relocations present\n\tif (((PIMAGE_DATA_DIRECTORY)uiValueB)->Size)\n\t{\n\t\t// uiValueC is now the first entry (IMAGE_BASE_RELOCATION)\n\t\tuiValueC = (uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiValueB)->VirtualAddress);\n\n\t\t// and we itterate through all entries...\n\t\twhile (((PIMAGE_BASE_RELOCATION)uiValueC)->SizeOfBlock)\n\t\t{\n\t\t\t// uiValueA = the VA for this relocation block\n\t\t\tuiValueA = (uiBaseAddress + ((PIMAGE_BASE_RELOCATION)uiValueC)->VirtualAddress);\n\n\t\t\t// uiValueB = number of entries in this relocation block\n\t\t\tuiValueB = (((PIMAGE_BASE_RELOCATION)uiValueC)->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) / 
sizeof(IMAGE_RELOC);\n\n\t\t\t// uiValueD is now the first entry in the current relocation block\n\t\t\tuiValueD = uiValueC + sizeof(IMAGE_BASE_RELOCATION);\n\n\t\t\t// we itterate through all the entries in the current block...\n\t\t\twhile (uiValueB--)\n\t\t\t{\n\t\t\t\t// perform the relocation, skipping IMAGE_REL_BASED_ABSOLUTE as required.\n\t\t\t\t// we dont use a switch statement to avoid the compiler building a jump table\n\t\t\t\t// which would not be very position independent!\n\t\t\t\tif (((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_DIR64)\n\t\t\t\t\t*(ULONG_PTR *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += uiLibraryAddress;\n\t\t\t\telse if (((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_HIGHLOW)\n\t\t\t\t\t*(DWORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += (DWORD)uiLibraryAddress;\n#ifdef WIN_ARM\n\t\t\t\t// Note: On ARM, the compiler optimization /O2 seems to introduce an off by one issue, possibly a code gen bug. Using /O1 instead avoids this problem.\n\t\t\t\telse if (((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_ARM_MOV32T)\n\t\t\t\t{\n\t\t\t\t\tregister DWORD dwInstruction;\n\t\t\t\t\tregister DWORD dwAddress;\n\t\t\t\t\tregister WORD wImm;\n\t\t\t\t\t// get the MOV.T instructions DWORD value (We add 4 to the offset to go past the first MOV.W which handles the low word)\n\t\t\t\t\tdwInstruction = *(DWORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset + sizeof(DWORD));\n\t\t\t\t\t// flip the words to get the instruction as expected\n\t\t\t\t\tdwInstruction = MAKELONG(HIWORD(dwInstruction), LOWORD(dwInstruction));\n\t\t\t\t\t// sanity chack we are processing a MOV instruction...\n\t\t\t\t\tif ((dwInstruction & ARM_MOV_MASK) == ARM_MOVT)\n\t\t\t\t\t{\n\t\t\t\t\t\t// pull out the encoded 16bit value (the high portion of the address-to-relocate)\n\t\t\t\t\t\twImm = (WORD)(dwInstruction & 0x000000FF);\n\t\t\t\t\t\twImm |= (WORD)((dwInstruction & 0x00007000) >> 4);\n\t\t\t\t\t\twImm |= (WORD)((dwInstruction & 0x04000000) >> 
15);\n\t\t\t\t\t\twImm |= (WORD)((dwInstruction & 0x000F0000) >> 4);\n\t\t\t\t\t\t// apply the relocation to the target address\n\t\t\t\t\t\tdwAddress = ((WORD)HIWORD(uiLibraryAddress) + wImm) & 0xFFFF;\n\t\t\t\t\t\t// now create a new instruction with the same opcode and register param.\n\t\t\t\t\t\tdwInstruction = (DWORD)(dwInstruction & ARM_MOV_MASK2);\n\t\t\t\t\t\t// patch in the relocated address...\n\t\t\t\t\t\tdwInstruction |= (DWORD)(dwAddress & 0x00FF);\n\t\t\t\t\t\tdwInstruction |= (DWORD)(dwAddress & 0x0700) << 4;\n\t\t\t\t\t\tdwInstruction |= (DWORD)(dwAddress & 0x0800) << 15;\n\t\t\t\t\t\tdwInstruction |= (DWORD)(dwAddress & 0xF000) << 4;\n\t\t\t\t\t\t// now flip the instructions words and patch back into the code...\n\t\t\t\t\t\t*(DWORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset + sizeof(DWORD)) = MAKELONG(HIWORD(dwInstruction), LOWORD(dwInstruction));\n\t\t\t\t\t}\n\t\t\t\t}\n#endif\n\t\t\t\telse if (((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_HIGH)\n\t\t\t\t\t*(WORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += HIWORD(uiLibraryAddress);\n\t\t\t\telse if (((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_LOW)\n\t\t\t\t\t*(WORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += LOWORD(uiLibraryAddress);\n\n\t\t\t\t// get the next entry in the current relocation block\n\t\t\t\tuiValueD += sizeof(IMAGE_RELOC);\n\t\t\t}\n\n\t\t\t// get the next entry in the relocation directory\n\t\t\tuiValueC = uiValueC + ((PIMAGE_BASE_RELOCATION)uiValueC)->SizeOfBlock;\n\t\t}\n\t}\n\n\t// STEP 6: call our images entry point\n\n\t// uiValueA = the VA of our newly loaded DLL/EXE's entry point\n\tuiValueA = (uiBaseAddress + ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.AddressOfEntryPoint);\n\n\t// We must flush the instruction cache to avoid stale code being used which was updated by our relocation processing.\n\tpNtFlushInstructionCache((HANDLE)-1, NULL, 0);\n\n\t// call our respective entry point, fudging our hInstance value\n#ifdef 
REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR\n\t// if we are injecting a DLL via LoadRemoteLibraryR we call DllMain and pass in our parameter (via the DllMain lpReserved parameter)\n\t((DLLMAIN)uiValueA)((HINSTANCE)uiBaseAddress, DLL_PROCESS_ATTACH, lpParameter);\n#else\n\t// if we are injecting an DLL via a stub we call DllMain with no parameter\n\t((DLLMAIN)uiValueA)((HINSTANCE)uiBaseAddress, DLL_PROCESS_ATTACH, NULL);\n#endif\n\n\t// STEP 8: return our new entry point address so whatever called us can call DllMain() if needed.\n\treturn uiValueA;\n}\n//===============================================================================================//\n#ifndef REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN\n\nBOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved)\n{\n\tBOOL bReturnValue = TRUE;\n\tswitch (dwReason)\n\t{\n\tcase DLL_QUERY_HMODULE:\n\t\tif (lpReserved != NULL)\n\t\t\t*(HMODULE *)lpReserved = hAppInstance;\n\t\tbreak;\n\tcase DLL_PROCESS_ATTACH:\n\t\thAppInstance = hinstDLL;\n\t\tbreak;\n\tcase DLL_PROCESS_DETACH:\n\tcase DLL_THREAD_ATTACH:\n\tcase DLL_THREAD_DETACH:\n\t\tbreak;\n\t}\n\treturn bReturnValue;\n}\n\n#endif\n//===============================================================================================//\n"
  },
  {
    "path": "Src/Recon-AD-Computers/Recon-AD-Computers/ReflectiveLoader.h",
    "content": "//===============================================================================================//\n// Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com)\n// All rights reserved.\n// \n// Redistribution and use in source and binary forms, with or without modification, are permitted \n// provided that the following conditions are met:\n// \n//     * Redistributions of source code must retain the above copyright notice, this list of \n// conditions and the following disclaimer.\n// \n//     * Redistributions in binary form must reproduce the above copyright notice, this list of \n// conditions and the following disclaimer in the documentation and/or other materials provided \n// with the distribution.\n// \n//     * Neither the name of Harmony Security nor the names of its contributors may be used to\n// endorse or promote products derived from this software without specific prior written permission.\n// \n// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS \"AS IS\" AND ANY EXPRESS OR \n// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND\n// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR \n// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR \n// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR \n// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY \n// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR \n// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE \n// POSSIBILITY OF SUCH DAMAGE.\n//===============================================================================================//\n#ifndef _REFLECTIVEDLLINJECTION_REFLECTIVELOADER_H\n#define _REFLECTIVEDLLINJECTION_REFLECTIVELOADER_H\n//===============================================================================================//\n#define WIN32_LEAN_AND_MEAN\n#include <windows.h>\n#include <Winsock2.h>\n#include <intrin.h>\n\n#include \"ReflectiveDLLInjection.h\"\n\ntypedef HMODULE(WINAPI * LOADLIBRARYA)(LPCSTR);\ntypedef FARPROC(WINAPI * GETPROCADDRESS)(HMODULE, LPCSTR);\ntypedef LPVOID(WINAPI * VIRTUALALLOC)(LPVOID, SIZE_T, DWORD, DWORD);\ntypedef DWORD(NTAPI * NTFLUSHINSTRUCTIONCACHE)(HANDLE, PVOID, ULONG);\n\n#define KERNEL32DLL_HASH\t\t\t\t0x6A4ABC5B\n#define NTDLLDLL_HASH\t\t\t\t\t0x3CFA685D\n\n#define LOADLIBRARYA_HASH\t\t\t\t0xEC0E4E8E\n#define GETPROCADDRESS_HASH\t\t\t\t0x7C0DFCAA\n#define VIRTUALALLOC_HASH\t\t\t\t0x91AFCA54\n#define NTFLUSHINSTRUCTIONCACHE_HASH\t0x534C0AB8\n\n#define IMAGE_REL_BASED_ARM_MOV32A\t\t5\n#define IMAGE_REL_BASED_ARM_MOV32T\t\t7\n\n#define ARM_MOV_MASK\t\t\t\t\t(DWORD)(0xFBF08000)\n#define ARM_MOV_MASK2\t\t\t\t\t(DWORD)(0xFBF08F00)\n#define ARM_MOVW\t\t\t\t\t\t0xF2400000\n#define ARM_MOVT\t\t\t\t\t\t0xF2C00000\n\n#define HASH_KEY\t\t\t\t\t\t13\n//===============================================================================================//\n#pragma intrinsic( _rotr )\n\n__forceinline DWORD ror(DWORD d)\n{\n\treturn 
_rotr(d, HASH_KEY);\n}\n\n__forceinline DWORD hash(char * c)\n{\n\tregister DWORD h = 0;\n\tdo\n\t{\n\t\th = ror(h);\n\t\th += *c;\n\t} while (*++c);\n\n\treturn h;\n}\n//===============================================================================================//\ntypedef struct _UNICODE_STR\n{\n\tUSHORT Length;\n\tUSHORT MaximumLength;\n\tPWSTR pBuffer;\n} UNICODE_STR, *PUNICODE_STR;\n\n// WinDbg> dt -v ntdll!_LDR_DATA_TABLE_ENTRY\n//__declspec( align(8) ) \ntypedef struct _LDR_DATA_TABLE_ENTRY\n{\n\t//LIST_ENTRY InLoadOrderLinks; // As we search from PPEB_LDR_DATA->InMemoryOrderModuleList we dont use the first entry.\n\tLIST_ENTRY InMemoryOrderModuleList;\n\tLIST_ENTRY InInitializationOrderModuleList;\n\tPVOID DllBase;\n\tPVOID EntryPoint;\n\tULONG SizeOfImage;\n\tUNICODE_STR FullDllName;\n\tUNICODE_STR BaseDllName;\n\tULONG Flags;\n\tSHORT LoadCount;\n\tSHORT TlsIndex;\n\tLIST_ENTRY HashTableEntry;\n\tULONG TimeDateStamp;\n} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;\n\n// WinDbg> dt -v ntdll!_PEB_LDR_DATA\ntypedef struct _PEB_LDR_DATA //, 7 elements, 0x28 bytes\n{\n\tDWORD dwLength;\n\tDWORD dwInitialized;\n\tLPVOID lpSsHandle;\n\tLIST_ENTRY InLoadOrderModuleList;\n\tLIST_ENTRY InMemoryOrderModuleList;\n\tLIST_ENTRY InInitializationOrderModuleList;\n\tLPVOID lpEntryInProgress;\n} PEB_LDR_DATA, *PPEB_LDR_DATA;\n\n// WinDbg> dt -v ntdll!_PEB_FREE_BLOCK\ntypedef struct _PEB_FREE_BLOCK // 2 elements, 0x8 bytes\n{\n\tstruct _PEB_FREE_BLOCK * pNext;\n\tDWORD dwSize;\n} PEB_FREE_BLOCK, *PPEB_FREE_BLOCK;\n\n// struct _PEB is defined in Winternl.h but it is incomplete\n// WinDbg> dt -v ntdll!_PEB\ntypedef struct __PEB // 65 elements, 0x210 bytes\n{\n\tBYTE bInheritedAddressSpace;\n\tBYTE bReadImageFileExecOptions;\n\tBYTE bBeingDebugged;\n\tBYTE bSpareBool;\n\tLPVOID lpMutant;\n\tLPVOID lpImageBaseAddress;\n\tPPEB_LDR_DATA pLdr;\n\tLPVOID lpProcessParameters;\n\tLPVOID lpSubSystemData;\n\tLPVOID lpProcessHeap;\n\tPRTL_CRITICAL_SECTION pFastPebLock;\n\tLPVOID 
lpFastPebLockRoutine;\n\tLPVOID lpFastPebUnlockRoutine;\n\tDWORD dwEnvironmentUpdateCount;\n\tLPVOID lpKernelCallbackTable;\n\tDWORD dwSystemReserved;\n\tDWORD dwAtlThunkSListPtr32;\n\tPPEB_FREE_BLOCK pFreeList;\n\tDWORD dwTlsExpansionCounter;\n\tLPVOID lpTlsBitmap;\n\tDWORD dwTlsBitmapBits[2];\n\tLPVOID lpReadOnlySharedMemoryBase;\n\tLPVOID lpReadOnlySharedMemoryHeap;\n\tLPVOID lpReadOnlyStaticServerData;\n\tLPVOID lpAnsiCodePageData;\n\tLPVOID lpOemCodePageData;\n\tLPVOID lpUnicodeCaseTableData;\n\tDWORD dwNumberOfProcessors;\n\tDWORD dwNtGlobalFlag;\n\tLARGE_INTEGER liCriticalSectionTimeout;\n\tDWORD dwHeapSegmentReserve;\n\tDWORD dwHeapSegmentCommit;\n\tDWORD dwHeapDeCommitTotalFreeThreshold;\n\tDWORD dwHeapDeCommitFreeBlockThreshold;\n\tDWORD dwNumberOfHeaps;\n\tDWORD dwMaximumNumberOfHeaps;\n\tLPVOID lpProcessHeaps;\n\tLPVOID lpGdiSharedHandleTable;\n\tLPVOID lpProcessStarterHelper;\n\tDWORD dwGdiDCAttributeList;\n\tLPVOID lpLoaderLock;\n\tDWORD dwOSMajorVersion;\n\tDWORD dwOSMinorVersion;\n\tWORD wOSBuildNumber;\n\tWORD wOSCSDVersion;\n\tDWORD dwOSPlatformId;\n\tDWORD dwImageSubsystem;\n\tDWORD dwImageSubsystemMajorVersion;\n\tDWORD dwImageSubsystemMinorVersion;\n\tDWORD dwImageProcessAffinityMask;\n\tDWORD dwGdiHandleBuffer[34];\n\tLPVOID lpPostProcessInitRoutine;\n\tLPVOID lpTlsExpansionBitmap;\n\tDWORD dwTlsExpansionBitmapBits[32];\n\tDWORD dwSessionId;\n\tULARGE_INTEGER liAppCompatFlags;\n\tULARGE_INTEGER liAppCompatFlagsUser;\n\tLPVOID lppShimData;\n\tLPVOID lpAppCompatInfo;\n\tUNICODE_STR usCSDVersion;\n\tLPVOID lpActivationContextData;\n\tLPVOID lpProcessAssemblyStorageMap;\n\tLPVOID lpSystemDefaultActivationContextData;\n\tLPVOID lpSystemAssemblyStorageMap;\n\tDWORD dwMinimumStackCommit;\n} _PEB, *_PPEB;\n\ntypedef struct\n{\n\tWORD\toffset : 12;\n\tWORD\ttype : 4;\n} IMAGE_RELOC, 
*PIMAGE_RELOC;\n//===============================================================================================//\n#endif\n//===============================================================================================//\n\n"
  },
  {
    "path": "Src/Recon-AD-Computers/Recon-AD-Computers.sln",
    "content": "﻿\nMicrosoft Visual Studio Solution File, Format Version 12.00\n# Visual Studio Express 14 for Windows Desktop\nVisualStudioVersion = 14.0.25420.1\nMinimumVisualStudioVersion = 10.0.40219.1\nProject(\"{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}\") = \"Recon-AD-Computers\", \"Recon-AD-Computers\\Recon-AD-Computers.vcxproj\", \"{D30C9D6B-1F45-47BD-825B-389FE8CC9069}\"\nEndProject\nGlobal\n\tGlobalSection(SolutionConfigurationPlatforms) = preSolution\n\t\tDebug|x64 = Debug|x64\n\t\tDebug|x86 = Debug|x86\n\t\tRelease|x64 = Release|x64\n\t\tRelease|x86 = Release|x86\n\tEndGlobalSection\n\tGlobalSection(ProjectConfigurationPlatforms) = postSolution\n\t\t{D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Debug|x64.ActiveCfg = Debug|x64\n\t\t{D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Debug|x64.Build.0 = Debug|x64\n\t\t{D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Debug|x86.ActiveCfg = Debug|Win32\n\t\t{D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Debug|x86.Build.0 = Debug|Win32\n\t\t{D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Release|x64.ActiveCfg = Release|x64\n\t\t{D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Release|x64.Build.0 = Release|x64\n\t\t{D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Release|x86.ActiveCfg = Release|Win32\n\t\t{D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Release|x86.Build.0 = Release|Win32\n\tEndGlobalSection\n\tGlobalSection(SolutionProperties) = preSolution\n\t\tHideSolutionNode = FALSE\n\tEndGlobalSection\nEndGlobal\n"
  },
  {
    "path": "Src/Recon-AD-Domain/Recon-AD-Domain/Recon-AD-Domain.vcxproj",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project DefaultTargets=\"Build\" ToolsVersion=\"14.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\n  <ItemGroup Label=\"ProjectConfigurations\">\n    <ProjectConfiguration Include=\"Debug|Win32\">\n      <Configuration>Debug</Configuration>\n      <Platform>Win32</Platform>\n    </ProjectConfiguration>\n    <ProjectConfiguration Include=\"Release|Win32\">\n      <Configuration>Release</Configuration>\n      <Platform>Win32</Platform>\n    </ProjectConfiguration>\n    <ProjectConfiguration Include=\"Debug|x64\">\n      <Configuration>Debug</Configuration>\n      <Platform>x64</Platform>\n    </ProjectConfiguration>\n    <ProjectConfiguration Include=\"Release|x64\">\n      <Configuration>Release</Configuration>\n      <Platform>x64</Platform>\n    </ProjectConfiguration>\n  </ItemGroup>\n  <PropertyGroup Label=\"Globals\">\n    <ProjectGuid>{D30C9D6B-1F45-47BD-825B-389FE8CC9069}</ProjectGuid>\n    <RootNamespace>ReconADDomain</RootNamespace>\n    <WindowsTargetPlatformVersion>8.1</WindowsTargetPlatformVersion>\n  </PropertyGroup>\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.Default.props\" />\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\" Label=\"Configuration\">\n    <ConfigurationType>Application</ConfigurationType>\n    <UseDebugLibraries>true</UseDebugLibraries>\n    <PlatformToolset>v140</PlatformToolset>\n    <CharacterSet>MultiByte</CharacterSet>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\" Label=\"Configuration\">\n    <ConfigurationType>DynamicLibrary</ConfigurationType>\n    <UseDebugLibraries>false</UseDebugLibraries>\n    <PlatformToolset>v140</PlatformToolset>\n    <WholeProgramOptimization>true</WholeProgramOptimization>\n    <CharacterSet>Unicode</CharacterSet>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\" 
Label=\"Configuration\">\n    <ConfigurationType>Application</ConfigurationType>\n    <UseDebugLibraries>true</UseDebugLibraries>\n    <PlatformToolset>v140</PlatformToolset>\n    <CharacterSet>MultiByte</CharacterSet>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\" Label=\"Configuration\">\n    <ConfigurationType>DynamicLibrary</ConfigurationType>\n    <UseDebugLibraries>false</UseDebugLibraries>\n    <PlatformToolset>v140</PlatformToolset>\n    <WholeProgramOptimization>true</WholeProgramOptimization>\n    <CharacterSet>Unicode</CharacterSet>\n  </PropertyGroup>\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.props\" />\n  <ImportGroup Label=\"ExtensionSettings\">\n  </ImportGroup>\n  <ImportGroup Label=\"Shared\">\n  </ImportGroup>\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" 
Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <PropertyGroup Label=\"UserMacros\" />\n  <PropertyGroup />\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">\n    <ClCompile>\n      <WarningLevel>Level3</WarningLevel>\n      <Optimization>Disabled</Optimization>\n      <SDLCheck>true</SDLCheck>\n    </ClCompile>\n  </ItemDefinitionGroup>\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\n    <ClCompile>\n      <WarningLevel>Level3</WarningLevel>\n      <Optimization>Disabled</Optimization>\n      <SDLCheck>true</SDLCheck>\n    </ClCompile>\n  </ItemDefinitionGroup>\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">\n    <ClCompile>\n      <WarningLevel>Level3</WarningLevel>\n      <Optimization>MaxSpeed</Optimization>\n      <FunctionLevelLinking>true</FunctionLevelLinking>\n      <IntrinsicFunctions>true</IntrinsicFunctions>\n      <SDLCheck>true</SDLCheck>\n      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>\n      <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;WIN_X86;REFLECTIVE_DLL_EXPORTS;REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR;REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN;%(PreprocessorDefinitions)</PreprocessorDefinitions>\n    </ClCompile>\n    <Link>\n      <EnableCOMDATFolding>true</EnableCOMDATFolding>\n      <OptimizeReferences>true</OptimizeReferences>\n      <GenerateDebugInformation>false</GenerateDebugInformation>\n    </Link>\n  </ItemDefinitionGroup>\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\n    <ClCompile>\n      <WarningLevel>Level3</WarningLevel>\n      <Optimization>MaxSpeed</Optimization>\n      <FunctionLevelLinking>true</FunctionLevelLinking>\n      <IntrinsicFunctions>true</IntrinsicFunctions>\n      <SDLCheck>true</SDLCheck>\n      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>\n      
<PreprocessorDefinitions>WIN64;NDEBUG;_WINDOWS;_USRDLL;REFLECTIVE_DLL_EXPORTS;WIN_X64;REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR;REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN;%(PreprocessorDefinitions)</PreprocessorDefinitions>\n    </ClCompile>\n    <Link>\n      <EnableCOMDATFolding>true</EnableCOMDATFolding>\n      <OptimizeReferences>true</OptimizeReferences>\n      <GenerateDebugInformation>false</GenerateDebugInformation>\n    </Link>\n  </ItemDefinitionGroup>\n  <ItemGroup>\n    <ClInclude Include=\"ReflectiveDLLInjection.h\" />\n    <ClInclude Include=\"ReflectiveLoader.h\" />\n  </ItemGroup>\n  <ItemGroup>\n    <ClCompile Include=\"ReflectiveDll.cpp\" />\n    <ClCompile Include=\"ReflectiveLoader.cpp\" />\n  </ItemGroup>\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.targets\" />\n  <ImportGroup Label=\"ExtensionTargets\">\n  </ImportGroup>\n</Project>"
  },
  {
    "path": "Src/Recon-AD-Domain/Recon-AD-Domain/Recon-AD-Domain.vcxproj.filters",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project ToolsVersion=\"4.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\n  <ItemGroup>\n    <Filter Include=\"Source Files\">\n      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>\n      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>\n    </Filter>\n    <Filter Include=\"Header Files\">\n      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>\n      <Extensions>h;hh;hpp;hxx;hm;inl;inc;xsd</Extensions>\n    </Filter>\n    <Filter Include=\"Resource Files\">\n      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>\n      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>\n    </Filter>\n  </ItemGroup>\n  <ItemGroup>\n    <ClInclude Include=\"ReflectiveDLLInjection.h\">\n      <Filter>Header Files</Filter>\n    </ClInclude>\n    <ClInclude Include=\"ReflectiveLoader.h\">\n      <Filter>Header Files</Filter>\n    </ClInclude>\n  </ItemGroup>\n  <ItemGroup>\n    <ClCompile Include=\"ReflectiveLoader.cpp\">\n      <Filter>Source Files</Filter>\n    </ClCompile>\n    <ClCompile Include=\"ReflectiveDll.cpp\">\n      <Filter>Source Files</Filter>\n    </ClCompile>\n  </ItemGroup>\n</Project>"
  },
  {
    "path": "Src/Recon-AD-Domain/Recon-AD-Domain/Recon-AD-Domain.vcxproj.user",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project ToolsVersion=\"14.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\n  <PropertyGroup />\n</Project>"
  },
  {
    "path": "Src/Recon-AD-Domain/Recon-AD-Domain/ReflectiveDLLInjection.h",
    "content": "//===============================================================================================//\n// Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com)\n// All rights reserved.\n// \n// Redistribution and use in source and binary forms, with or without modification, are permitted \n// provided that the following conditions are met:\n// \n//     * Redistributions of source code must retain the above copyright notice, this list of \n// conditions and the following disclaimer.\n// \n//     * Redistributions in binary form must reproduce the above copyright notice, this list of \n// conditions and the following disclaimer in the documentation and/or other materials provided \n// with the distribution.\n// \n//     * Neither the name of Harmony Security nor the names of its contributors may be used to\n// endorse or promote products derived from this software without specific prior written permission.\n// \n// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS \"AS IS\" AND ANY EXPRESS OR \n// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND\n// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR \n// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR \n// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR \n// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY \n// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR \n// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE \n// POSSIBILITY OF SUCH DAMAGE.\n//===============================================================================================//\n#ifndef _REFLECTIVEDLLINJECTION_REFLECTIVEDLLINJECTION_H\n#define _REFLECTIVEDLLINJECTION_REFLECTIVEDLLINJECTION_H\n//===============================================================================================//\n#define WIN32_LEAN_AND_MEAN\n#include <windows.h>\n\n// we declare some common stuff in here...\n\n#define DLL_QUERY_HMODULE\t\t6\n\n#define DEREF( name )*(UINT_PTR *)(name)\n#define DEREF_64( name )*(DWORD64 *)(name)\n#define DEREF_32( name )*(DWORD *)(name)\n#define DEREF_16( name )*(WORD *)(name)\n#define DEREF_8( name )*(BYTE *)(name)\n\ntypedef ULONG_PTR(WINAPI * REFLECTIVELOADER)(VOID);\ntypedef BOOL(WINAPI * DLLMAIN)(HINSTANCE, DWORD, LPVOID);\n\n#define DLLEXPORT   __declspec( dllexport ) \n\n//===============================================================================================//\n#endif\n//===============================================================================================//\n\n"
  },
  {
    "path": "Src/Recon-AD-Domain/Recon-AD-Domain/ReflectiveDll.cpp",
    "content": "#undef  _UNICODE\n#define _UNICODE\n#undef  UNICODE\n#define UNICODE\n\n#include \"ReflectiveLoader.h\"\n#include <winsock2.h>\n#include <Windows.h>\n#include <stdio.h>\n#include <DsGetDC.h>\n#include <lm.h>\n#include <lmapibuf.h>\n#include <Objbase.h>\n\n#pragma comment(lib, \"Ws2_32.lib\")\n#pragma comment(lib, \"Netapi32.lib\")\n\n#define DS_NOTIFY_AFTER_SITE_RECORDS 0x02\n\n// Note: REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR and REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN are\n// defined in the project properties (Properties->C++->Preprocessor) so as we can specify our own \n// DllMain and use the LoadRemoteLibraryR() API to inject this DLL.\n\n// You can use this value as a pseudo hinstDLL value (defined and set via ReflectiveLoader.c)\nextern HINSTANCE hAppInstance;\n\n\nBOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved)\n{\n\tBOOL bReturnValue = TRUE;\n\n\tswitch (dwReason)\n\t{\n\tcase DLL_QUERY_HMODULE:\n\t\tif (lpReserved != NULL)\n\t\t\t*(HMODULE *)lpReserved = hAppInstance;\n\t\tbreak;\n\tcase DLL_PROCESS_ATTACH:\n\t\thAppInstance = hinstDLL;\n\n\t\t// Get a Domain Controller for the Domain this computer is on.\n\t\tDWORD dwRet;\n\t\tPDOMAIN_CONTROLLER_INFO pdcInfo;\n\n\t\tdwRet = DsGetDcName(NULL, NULL, NULL, NULL, 0, &pdcInfo);\n\t\tif (ERROR_SUCCESS == dwRet)\n\t\t{\t\n\t\t\t// Open the enumeration.\n\t\t\tHANDLE hGetDc;\n\t\t\tdwRet = DsGetDcOpen(pdcInfo->DomainName,\n\t\t\t\tDS_NOTIFY_AFTER_SITE_RECORDS,\n\t\t\t\tNULL,\n\t\t\t\tNULL,\n\t\t\t\tNULL,\n\t\t\t\t0,\n\t\t\t\t&hGetDc);\n\t\t\tif (ERROR_SUCCESS == dwRet)\n\t\t\t{\n\t\t\t\tLPTSTR pszDnsHostName;\n\t\t\t\tGUID guid;\n\t\t\t\tCoCreateGuid(&guid);\n\n\t\t\t\tOLECHAR* guidString;\n\t\t\t\tStringFromCLSID(pdcInfo->DomainGuid, &guidString);\n\n\t\t\t\twprintf(L\"--------------------------------------------------------------------\\n\");\n\n\t\t\t\twprintf(L\"[+] DomainName:\\n\");\n\t\t\t\twprintf(L\"    %ls\\n\", 
pdcInfo->DomainName);\n\n\t\t\t\twprintf(L\"[+] DomainGuid:\\n\");\n\t\t\t\twprintf(L\"    %ls\\n\", guidString);\n\n\t\t\t\twprintf(L\"[+] DnsForestName:\\n\");\n\t\t\t\twprintf(L\"    %ls\\n\", pdcInfo->DnsForestName);\n\n\t\t\t\twprintf(L\"[+] DcSiteName:\\n\");\n\t\t\t\twprintf(L\"    %ls\\n\", pdcInfo->DcSiteName);\n\n\t\t\t\twprintf(L\"[+] ClientSiteName:\\n\");\n\t\t\t\twprintf(L\"    %ls\\n\", pdcInfo->ClientSiteName);\n\n\t\t\t\twprintf(L\"[+] DomainControllerName (PDC):\\n\");\n\t\t\t\twprintf(L\"    %ls\\n\", pdcInfo->DomainControllerName);\n\n\t\t\t\twprintf(L\"[+] DomainControllerAddress (PDC):\\n\");\n\t\t\t\twprintf(L\"    %ls\\n\", pdcInfo->DomainControllerAddress);\n\n\t\t\t\tCoTaskMemFree(guidString);\n\n\t\t\t\t// Enumerate Domain password policy.\n\t\t\t\tDWORD dwLevel = 0;\n\t\t\t\tUSER_MODALS_INFO_0 *pBuf0 = NULL;\n\t\t\t\tUSER_MODALS_INFO_3 *pBuf3 = NULL;\n\t\t\t\tNET_API_STATUS nStatus;\n\n\t\t\t\t// Call the NetUserModalsGet function; specify level 0.\n\t\t\t\tnStatus = NetUserModalsGet(pdcInfo->DomainControllerName,\n\t\t\t\t\tdwLevel,\n\t\t\t\t\t(LPBYTE *)&pBuf0);\n\n\t\t\t\t// If the call succeeds, print the global information.\n\t\t\t\tif (nStatus == NERR_Success)\n\t\t\t\t{\n\t\t\t\t\tif (pBuf0 != NULL)\n\t\t\t\t\t{\n\t\t\t\t\t\twprintf(L\"[+] Default Domain Password Policy:\\n\");\n\n\t\t\t\t\t\twprintf(L\"    Password history length: %d\\n\", pBuf0->usrmod0_password_hist_len);\n\t\t\t\t\t\twprintf(L\"    Maximum password age (d): %d\\n\", pBuf0->usrmod0_max_passwd_age / 86400);\n\t\t\t\t\t\twprintf(L\"    Minimum password age (d): %d\\n\", pBuf0->usrmod0_min_passwd_age / 86400);\n\t\t\t\t\t\twprintf(L\"    Minimum password length: %d\\n\", pBuf0->usrmod0_min_passwd_len);\n\t\t\t\t\t}\n\t\t\t\t}\n\n\t\t\t\t// Free the allocated memory.\n\t\t\t\tif (pBuf0 != NULL)\n\t\t\t\t\tNetApiBufferFree(pBuf0);\n\n\t\t\t\t// Call the NetUserModalsGet function; specify level 3.\n\t\t\t\tdwLevel = 3;\n\t\t\t\tnStatus = 
NetUserModalsGet(pdcInfo->DomainControllerName,\n\t\t\t\t\tdwLevel,\n\t\t\t\t\t(LPBYTE *)&pBuf3);\n\n\t\t\t\t// If the call succeeds, print the global information.\n\t\t\t\tif (nStatus == NERR_Success)\n\t\t\t\t{\n\t\t\t\t\tif (pBuf3 != NULL)\n\t\t\t\t\t{\n\t\t\t\t\t\twprintf(L\"[+] Account Lockout Policy:\\n\");\n\n\t\t\t\t\t\twprintf(L\"    Account lockout threshold: %d\\n\", pBuf3->usrmod3_lockout_threshold);\n\t\t\t\t\t\twprintf(L\"    Account lockout duration (m): %d\\n\", pBuf3->usrmod3_lockout_duration / 60);\n\t\t\t\t\t\twprintf(L\"    Account lockout observation window (m): %d\\n\", pBuf3->usrmod3_lockout_duration / 60);\n\t\t\t\t\t}\n\t\t\t\t}\n\n\t\t\t\t// Free the allocated memory.\n\t\t\t\tif (pBuf3 != NULL)\n\t\t\t\t\tNetApiBufferFree(pBuf3);\n\n\t\t\t\t// Enumerate each Domain Controller and print its name.\n\t\t\t\twprintf(L\"[+] NextDc DnsHostName:\\n\");\n\n\t\t\t\twhile (TRUE)\n\t\t\t\t{\n\t\t\t\t\tULONG ulSocketCount;\n\t\t\t\t\tLPSOCKET_ADDRESS rgSocketAddresses;\n\n\t\t\t\t\tdwRet = DsGetDcNext(\n\t\t\t\t\t\thGetDc,\n\t\t\t\t\t\t&ulSocketCount,\n\t\t\t\t\t\t&rgSocketAddresses,\n\t\t\t\t\t\t&pszDnsHostName);\n\n\t\t\t\t\tif (ERROR_SUCCESS == dwRet)\n\t\t\t\t\t{\n\t\t\t\t\t\twprintf(L\"    %ls\\n\", pszDnsHostName);\n\n\t\t\t\t\t\t// Free the allocated string.\n\t\t\t\t\t\tNetApiBufferFree(pszDnsHostName);\n\n\t\t\t\t\t\t// Free the socket address array.\n\t\t\t\t\t\tLocalFree(rgSocketAddresses);\n\t\t\t\t\t}\n\t\t\t\t\telse if (ERROR_NO_MORE_ITEMS == dwRet)\n\t\t\t\t\t{\n\t\t\t\t\t\t// The end of the list has been reached.\n\t\t\t\t\t\tbreak;\n\t\t\t\t\t}\n\t\t\t\t\telse if (ERROR_FILEMARK_DETECTED == dwRet)\n\t\t\t\t\t{\n\t\t\t\t\t\t/*\n\t\t\t\t\t\tDS_NOTIFY_AFTER_SITE_RECORDS was specified in\n\t\t\t\t\t\tDsGetDcOpen and the end of the site-specific\n\t\t\t\t\t\trecords was reached.\n\t\t\t\t\t\t*/\n\t\t\t\t\t\twprintf(L\"[+] End of site-specific Domain 
Controllers.\\n\");\n\t\t\t\t\t\tcontinue;\n\t\t\t\t\t}\n\t\t\t\t\telse\n\t\t\t\t\t{\n\t\t\t\t\t\t// Some other error occurred.\n\t\t\t\t\t\tbreak;\n\t\t\t\t\t}\n\t\t\t\t}\n\n\t\t\t\twprintf(L\"--------------------------------------------------------------------\\n\");\n\n\t\t\t\t// Close the enumeration.\n\t\t\t\tDsGetDcClose(hGetDc);\n\t\t\t}\n\n\t\t\t// Free the DOMAIN_CONTROLLER_INFO structure. \n\t\t\tNetApiBufferFree(pdcInfo);\n\t\t}\n\n\t\t// Flush STDOUT\n\t\tfflush(stdout);\n\n\t\t// We're done, so let's exit\n\t\tExitProcess(0);\n\t\tbreak;\n\tcase DLL_PROCESS_DETACH:\n\tcase DLL_THREAD_ATTACH:\n\tcase DLL_THREAD_DETACH:\n\t\tbreak;\n\t}\n\treturn bReturnValue;\n}\n"
  },
  {
    "path": "Src/Recon-AD-Domain/Recon-AD-Domain/ReflectiveLoader.cpp",
    "content": "//===============================================================================================//\n// Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com)\n// All rights reserved.\n// \n// Redistribution and use in source and binary forms, with or without modification, are permitted \n// provided that the following conditions are met:\n// \n//     * Redistributions of source code must retain the above copyright notice, this list of \n// conditions and the following disclaimer.\n// \n//     * Redistributions in binary form must reproduce the above copyright notice, this list of \n// conditions and the following disclaimer in the documentation and/or other materials provided \n// with the distribution.\n// \n//     * Neither the name of Harmony Security nor the names of its contributors may be used to\n// endorse or promote products derived from this software without specific prior written permission.\n// \n// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS \"AS IS\" AND ANY EXPRESS OR \n// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND\n// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR \n// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR \n// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR \n// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY \n// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR \n// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE \n// POSSIBILITY OF SUCH DAMAGE.\n//===============================================================================================//\n#include \"ReflectiveLoader.h\"\n//===============================================================================================//\n// Our loader will set this to a pseudo correct HINSTANCE/HMODULE value\nHINSTANCE hAppInstance = NULL;\n//===============================================================================================//\n#pragma intrinsic( _ReturnAddress )\n// This function can not be inlined by the compiler or we will not get the address we expect. Ideally \n// this code will be compiled with the /O2 and /Ob1 switches. 
Bonus points if we could take advantage of \n// RIP relative addressing in this instance but I dont believe we can do so with the compiler intrinsics \n// available (and no inline asm available under x64).\n__declspec(noinline) ULONG_PTR caller(VOID) { return (ULONG_PTR)_ReturnAddress(); }\n//===============================================================================================//\n\n// Note 1: If you want to have your own DllMain, define REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN,  \n//         otherwise the DllMain at the end of this file will be used.\n\n// Note 2: If you are injecting the DLL via LoadRemoteLibraryR, define REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR,\n//         otherwise it is assumed you are calling the ReflectiveLoader via a stub.\n\n// This is our position independent reflective DLL loader/injector\n#ifdef REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR\nDLLEXPORT ULONG_PTR WINAPI ReflectiveLoader(LPVOID lpParameter)\n#else\nDLLEXPORT ULONG_PTR WINAPI ReflectiveLoader(VOID)\n#endif\n{\n\t// the functions we need\n\tLOADLIBRARYA pLoadLibraryA = NULL;\n\tGETPROCADDRESS pGetProcAddress = NULL;\n\tVIRTUALALLOC pVirtualAlloc = NULL;\n\tNTFLUSHINSTRUCTIONCACHE pNtFlushInstructionCache = NULL;\n\n\tUSHORT usCounter;\n\n\t// the initial location of this image in memory\n\tULONG_PTR uiLibraryAddress;\n\t// the kernels base address and later this images newly loaded base address\n\tULONG_PTR uiBaseAddress;\n\n\t// variables for processing the kernels export table\n\tULONG_PTR uiAddressArray;\n\tULONG_PTR uiNameArray;\n\tULONG_PTR uiExportDir;\n\tULONG_PTR uiNameOrdinals;\n\tDWORD dwHashValue;\n\n\t// variables for loading this image\n\tULONG_PTR uiHeaderValue;\n\tULONG_PTR uiValueA;\n\tULONG_PTR uiValueB;\n\tULONG_PTR uiValueC;\n\tULONG_PTR uiValueD;\n\tULONG_PTR uiValueE;\n\n\t// STEP 0: calculate our images current base address\n\n\t// we will start searching backwards from our callers return address.\n\tuiLibraryAddress = caller();\n\n\t// loop 
through memory backwards searching for our images base address\n\t// we dont need SEH style search as we shouldnt generate any access violations with this\n\twhile (TRUE)\n\t{\n\t\tif (((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_magic == IMAGE_DOS_SIGNATURE)\n\t\t{\n\t\t\tuiHeaderValue = ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew;\n\t\t\t// some x64 dll's can trigger a bogus signature (IMAGE_DOS_SIGNATURE == 'POP r10'),\n\t\t\t// we sanity check the e_lfanew with an upper threshold value of 1024 to avoid problems.\n\t\t\tif (uiHeaderValue >= sizeof(IMAGE_DOS_HEADER) && uiHeaderValue < 1024)\n\t\t\t{\n\t\t\t\tuiHeaderValue += uiLibraryAddress;\n\t\t\t\t// break if we have found a valid MZ/PE header\n\t\t\t\tif (((PIMAGE_NT_HEADERS)uiHeaderValue)->Signature == IMAGE_NT_SIGNATURE)\n\t\t\t\t\tbreak;\n\t\t\t}\n\t\t}\n\t\tuiLibraryAddress--;\n\t}\n\n\t// STEP 1: process the kernels exports for the functions our loader needs...\n\n\t// get the Process Enviroment Block\n#ifdef WIN_X64\n\tuiBaseAddress = __readgsqword(0x60);\n#else\n#ifdef WIN_X86\n\tuiBaseAddress = __readfsdword(0x30);\n#else WIN_ARM\n\tuiBaseAddress = *(DWORD *)((BYTE *)_MoveFromCoprocessor(15, 0, 13, 0, 2) + 0x30);\n#endif\n#endif\n\n\t// get the processes loaded modules. 
ref: http://msdn.microsoft.com/en-us/library/aa813708(VS.85).aspx\n\tuiBaseAddress = (ULONG_PTR)((_PPEB)uiBaseAddress)->pLdr;\n\n\t// get the first entry of the InMemoryOrder module list\n\tuiValueA = (ULONG_PTR)((PPEB_LDR_DATA)uiBaseAddress)->InMemoryOrderModuleList.Flink;\n\twhile (uiValueA)\n\t{\n\t\t// get pointer to current modules name (unicode string)\n\t\tuiValueB = (ULONG_PTR)((PLDR_DATA_TABLE_ENTRY)uiValueA)->BaseDllName.pBuffer;\n\t\t// set bCounter to the length for the loop\n\t\tusCounter = ((PLDR_DATA_TABLE_ENTRY)uiValueA)->BaseDllName.Length;\n\t\t// clear uiValueC which will store the hash of the module name\n\t\tuiValueC = 0;\n\n\t\t// compute the hash of the module name...\n\t\tdo\n\t\t{\n\t\t\tuiValueC = ror((DWORD)uiValueC);\n\t\t\t// normalize to uppercase if the madule name is in lowercase\n\t\t\tif (*((BYTE *)uiValueB) >= 'a')\n\t\t\t\tuiValueC += *((BYTE *)uiValueB) - 0x20;\n\t\t\telse\n\t\t\t\tuiValueC += *((BYTE *)uiValueB);\n\t\t\tuiValueB++;\n\t\t} while (--usCounter);\n\n\t\t// compare the hash with that of kernel32.dll\n\t\tif ((DWORD)uiValueC == KERNEL32DLL_HASH)\n\t\t{\n\t\t\t// get this modules base address\n\t\t\tuiBaseAddress = (ULONG_PTR)((PLDR_DATA_TABLE_ENTRY)uiValueA)->DllBase;\n\n\t\t\t// get the VA of the modules NT Header\n\t\t\tuiExportDir = uiBaseAddress + ((PIMAGE_DOS_HEADER)uiBaseAddress)->e_lfanew;\n\n\t\t\t// uiNameArray = the address of the modules export directory entry\n\t\t\tuiNameArray = (ULONG_PTR)&((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];\n\n\t\t\t// get the VA of the export directory\n\t\t\tuiExportDir = (uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiNameArray)->VirtualAddress);\n\n\t\t\t// get the VA for the array of name pointers\n\t\t\tuiNameArray = (uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY)uiExportDir)->AddressOfNames);\n\n\t\t\t// get the VA for the array of name ordinals\n\t\t\tuiNameOrdinals = (uiBaseAddress + 
((PIMAGE_EXPORT_DIRECTORY)uiExportDir)->AddressOfNameOrdinals);\n\n\t\t\tusCounter = 3;\n\n\t\t\t// loop while we still have imports to find\n\t\t\twhile (usCounter > 0)\n\t\t\t{\n\t\t\t\t// compute the hash values for this function name\n\t\t\t\tdwHashValue = hash((char *)(uiBaseAddress + DEREF_32(uiNameArray)));\n\n\t\t\t\t// if we have found a function we want we get its virtual address\n\t\t\t\tif (dwHashValue == LOADLIBRARYA_HASH || dwHashValue == GETPROCADDRESS_HASH || dwHashValue == VIRTUALALLOC_HASH)\n\t\t\t\t{\n\t\t\t\t\t// get the VA for the array of addresses\n\t\t\t\t\tuiAddressArray = (uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY)uiExportDir)->AddressOfFunctions);\n\n\t\t\t\t\t// use this functions name ordinal as an index into the array of name pointers\n\t\t\t\t\tuiAddressArray += (DEREF_16(uiNameOrdinals) * sizeof(DWORD));\n\n\t\t\t\t\t// store this functions VA\n\t\t\t\t\tif (dwHashValue == LOADLIBRARYA_HASH)\n\t\t\t\t\t\tpLoadLibraryA = (LOADLIBRARYA)(uiBaseAddress + DEREF_32(uiAddressArray));\n\t\t\t\t\telse if (dwHashValue == GETPROCADDRESS_HASH)\n\t\t\t\t\t\tpGetProcAddress = (GETPROCADDRESS)(uiBaseAddress + DEREF_32(uiAddressArray));\n\t\t\t\t\telse if (dwHashValue == VIRTUALALLOC_HASH)\n\t\t\t\t\t\tpVirtualAlloc = (VIRTUALALLOC)(uiBaseAddress + DEREF_32(uiAddressArray));\n\n\t\t\t\t\t// decrement our counter\n\t\t\t\t\tusCounter--;\n\t\t\t\t}\n\n\t\t\t\t// get the next exported function name\n\t\t\t\tuiNameArray += sizeof(DWORD);\n\n\t\t\t\t// get the next exported function name ordinal\n\t\t\t\tuiNameOrdinals += sizeof(WORD);\n\t\t\t}\n\t\t}\n\t\telse if ((DWORD)uiValueC == NTDLLDLL_HASH)\n\t\t{\n\t\t\t// get this modules base address\n\t\t\tuiBaseAddress = (ULONG_PTR)((PLDR_DATA_TABLE_ENTRY)uiValueA)->DllBase;\n\n\t\t\t// get the VA of the modules NT Header\n\t\t\tuiExportDir = uiBaseAddress + ((PIMAGE_DOS_HEADER)uiBaseAddress)->e_lfanew;\n\n\t\t\t// uiNameArray = the address of the modules export directory entry\n\t\t\tuiNameArray = 
(ULONG_PTR)&((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];\n\n\t\t\t// get the VA of the export directory\n\t\t\tuiExportDir = (uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiNameArray)->VirtualAddress);\n\n\t\t\t// get the VA for the array of name pointers\n\t\t\tuiNameArray = (uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY)uiExportDir)->AddressOfNames);\n\n\t\t\t// get the VA for the array of name ordinals\n\t\t\tuiNameOrdinals = (uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY)uiExportDir)->AddressOfNameOrdinals);\n\n\t\t\tusCounter = 1;\n\n\t\t\t// loop while we still have imports to find\n\t\t\twhile (usCounter > 0)\n\t\t\t{\n\t\t\t\t// compute the hash values for this function name\n\t\t\t\tdwHashValue = hash((char *)(uiBaseAddress + DEREF_32(uiNameArray)));\n\n\t\t\t\t// if we have found a function we want we get its virtual address\n\t\t\t\tif (dwHashValue == NTFLUSHINSTRUCTIONCACHE_HASH)\n\t\t\t\t{\n\t\t\t\t\t// get the VA for the array of addresses\n\t\t\t\t\tuiAddressArray = (uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY)uiExportDir)->AddressOfFunctions);\n\n\t\t\t\t\t// use this functions name ordinal as an index into the array of name pointers\n\t\t\t\t\tuiAddressArray += (DEREF_16(uiNameOrdinals) * sizeof(DWORD));\n\n\t\t\t\t\t// store this functions VA\n\t\t\t\t\tif (dwHashValue == NTFLUSHINSTRUCTIONCACHE_HASH)\n\t\t\t\t\t\tpNtFlushInstructionCache = (NTFLUSHINSTRUCTIONCACHE)(uiBaseAddress + DEREF_32(uiAddressArray));\n\n\t\t\t\t\t// decrement our counter\n\t\t\t\t\tusCounter--;\n\t\t\t\t}\n\n\t\t\t\t// get the next exported function name\n\t\t\t\tuiNameArray += sizeof(DWORD);\n\n\t\t\t\t// get the next exported function name ordinal\n\t\t\t\tuiNameOrdinals += sizeof(WORD);\n\t\t\t}\n\t\t}\n\n\t\t// we stop searching when we have found everything we need.\n\t\tif (pLoadLibraryA && pGetProcAddress && pVirtualAlloc && pNtFlushInstructionCache)\n\t\t\tbreak;\n\n\t\t// get the next entry\n\t\tuiValueA = 
DEREF(uiValueA);\n\t}\n\n\t// STEP 2: load our image into a new permanent location in memory...\n\n\t// get the VA of the NT Header for the PE to be loaded\n\tuiHeaderValue = uiLibraryAddress + ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew;\n\n\t// allocate all the memory for the DLL to be loaded into. we can load at any address because we will  \n\t// relocate the image. Also zeros all memory and marks it as READ, WRITE and EXECUTE to avoid any problems.\n\tuiBaseAddress = (ULONG_PTR)pVirtualAlloc(NULL, ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.SizeOfImage, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);\n\n\t// we must now copy over the headers\n\tuiValueA = ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.SizeOfHeaders;\n\tuiValueB = uiLibraryAddress;\n\tuiValueC = uiBaseAddress;\n\n\twhile (uiValueA--)\n\t\t*(BYTE *)uiValueC++ = *(BYTE *)uiValueB++;\n\n\t// STEP 3: load in all of our sections...\n\n\t// uiValueA = the VA of the first section\n\tuiValueA = ((ULONG_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader + ((PIMAGE_NT_HEADERS)uiHeaderValue)->FileHeader.SizeOfOptionalHeader);\n\n\t// itterate through all sections, loading them into memory.\n\tuiValueE = ((PIMAGE_NT_HEADERS)uiHeaderValue)->FileHeader.NumberOfSections;\n\twhile (uiValueE--)\n\t{\n\t\t// uiValueB is the VA for this section\n\t\tuiValueB = (uiBaseAddress + ((PIMAGE_SECTION_HEADER)uiValueA)->VirtualAddress);\n\n\t\t// uiValueC if the VA for this sections data\n\t\tuiValueC = (uiLibraryAddress + ((PIMAGE_SECTION_HEADER)uiValueA)->PointerToRawData);\n\n\t\t// copy the section over\n\t\tuiValueD = ((PIMAGE_SECTION_HEADER)uiValueA)->SizeOfRawData;\n\n\t\twhile (uiValueD--)\n\t\t\t*(BYTE *)uiValueB++ = *(BYTE *)uiValueC++;\n\n\t\t// get the VA of the next section\n\t\tuiValueA += sizeof(IMAGE_SECTION_HEADER);\n\t}\n\n\t// STEP 4: process our images import table...\n\n\t// uiValueB = the address of the import directory\n\tuiValueB = 
(ULONG_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];\n\n\t// we assume their is an import table to process\n\t// uiValueC is the first entry in the import table\n\tuiValueC = (uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiValueB)->VirtualAddress);\n\n\t// itterate through all imports\n\twhile (((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->Name)\n\t{\n\t\t// use LoadLibraryA to load the imported module into memory\n\t\tuiLibraryAddress = (ULONG_PTR)pLoadLibraryA((LPCSTR)(uiBaseAddress + ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->Name));\n\n\t\t// uiValueD = VA of the OriginalFirstThunk\n\t\tuiValueD = (uiBaseAddress + ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->OriginalFirstThunk);\n\n\t\t// uiValueA = VA of the IAT (via first thunk not origionalfirstthunk)\n\t\tuiValueA = (uiBaseAddress + ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->FirstThunk);\n\n\t\t// itterate through all imported functions, importing by ordinal if no name present\n\t\twhile (DEREF(uiValueA))\n\t\t{\n\t\t\t// sanity check uiValueD as some compilers only import by FirstThunk\n\t\t\tif (uiValueD && ((PIMAGE_THUNK_DATA)uiValueD)->u1.Ordinal & IMAGE_ORDINAL_FLAG)\n\t\t\t{\n\t\t\t\t// get the VA of the modules NT Header\n\t\t\t\tuiExportDir = uiLibraryAddress + ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew;\n\n\t\t\t\t// uiNameArray = the address of the modules export directory entry\n\t\t\t\tuiNameArray = (ULONG_PTR)&((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];\n\n\t\t\t\t// get the VA of the export directory\n\t\t\t\tuiExportDir = (uiLibraryAddress + ((PIMAGE_DATA_DIRECTORY)uiNameArray)->VirtualAddress);\n\n\t\t\t\t// get the VA for the array of addresses\n\t\t\t\tuiAddressArray = (uiLibraryAddress + ((PIMAGE_EXPORT_DIRECTORY)uiExportDir)->AddressOfFunctions);\n\n\t\t\t\t// use the import ordinal (- export ordinal base) as an index into the array of addresses\n\t\t\t\tuiAddressArray += 
((IMAGE_ORDINAL(((PIMAGE_THUNK_DATA)uiValueD)->u1.Ordinal) - ((PIMAGE_EXPORT_DIRECTORY)uiExportDir)->Base) * sizeof(DWORD));\n\n\t\t\t\t// patch in the address for this imported function\n\t\t\t\tDEREF(uiValueA) = (uiLibraryAddress + DEREF_32(uiAddressArray));\n\t\t\t}\n\t\t\telse\n\t\t\t{\n\t\t\t\t// get the VA of this functions import by name struct\n\t\t\t\tuiValueB = (uiBaseAddress + DEREF(uiValueA));\n\n\t\t\t\t// use GetProcAddress and patch in the address for this imported function\n\t\t\t\tDEREF(uiValueA) = (ULONG_PTR)pGetProcAddress((HMODULE)uiLibraryAddress, (LPCSTR)((PIMAGE_IMPORT_BY_NAME)uiValueB)->Name);\n\t\t\t}\n\t\t\t// get the next imported function\n\t\t\tuiValueA += sizeof(ULONG_PTR);\n\t\t\tif (uiValueD)\n\t\t\t\tuiValueD += sizeof(ULONG_PTR);\n\t\t}\n\n\t\t// get the next import\n\t\tuiValueC += sizeof(IMAGE_IMPORT_DESCRIPTOR);\n\t}\n\n\t// STEP 5: process all of our images relocations...\n\n\t// calculate the base address delta and perform relocations (even if we load at desired image base)\n\tuiLibraryAddress = uiBaseAddress - ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.ImageBase;\n\n\t// uiValueB = the address of the relocation directory\n\tuiValueB = (ULONG_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC];\n\n\t// check if their are any relocations present\n\tif (((PIMAGE_DATA_DIRECTORY)uiValueB)->Size)\n\t{\n\t\t// uiValueC is now the first entry (IMAGE_BASE_RELOCATION)\n\t\tuiValueC = (uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiValueB)->VirtualAddress);\n\n\t\t// and we itterate through all entries...\n\t\twhile (((PIMAGE_BASE_RELOCATION)uiValueC)->SizeOfBlock)\n\t\t{\n\t\t\t// uiValueA = the VA for this relocation block\n\t\t\tuiValueA = (uiBaseAddress + ((PIMAGE_BASE_RELOCATION)uiValueC)->VirtualAddress);\n\n\t\t\t// uiValueB = number of entries in this relocation block\n\t\t\tuiValueB = (((PIMAGE_BASE_RELOCATION)uiValueC)->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) / 
sizeof(IMAGE_RELOC);\n\n\t\t\t// uiValueD is now the first entry in the current relocation block\n\t\t\tuiValueD = uiValueC + sizeof(IMAGE_BASE_RELOCATION);\n\n\t\t\t// we itterate through all the entries in the current block...\n\t\t\twhile (uiValueB--)\n\t\t\t{\n\t\t\t\t// perform the relocation, skipping IMAGE_REL_BASED_ABSOLUTE as required.\n\t\t\t\t// we dont use a switch statement to avoid the compiler building a jump table\n\t\t\t\t// which would not be very position independent!\n\t\t\t\tif (((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_DIR64)\n\t\t\t\t\t*(ULONG_PTR *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += uiLibraryAddress;\n\t\t\t\telse if (((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_HIGHLOW)\n\t\t\t\t\t*(DWORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += (DWORD)uiLibraryAddress;\n#ifdef WIN_ARM\n\t\t\t\t// Note: On ARM, the compiler optimization /O2 seems to introduce an off by one issue, possibly a code gen bug. Using /O1 instead avoids this problem.\n\t\t\t\telse if (((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_ARM_MOV32T)\n\t\t\t\t{\n\t\t\t\t\tregister DWORD dwInstruction;\n\t\t\t\t\tregister DWORD dwAddress;\n\t\t\t\t\tregister WORD wImm;\n\t\t\t\t\t// get the MOV.T instructions DWORD value (We add 4 to the offset to go past the first MOV.W which handles the low word)\n\t\t\t\t\tdwInstruction = *(DWORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset + sizeof(DWORD));\n\t\t\t\t\t// flip the words to get the instruction as expected\n\t\t\t\t\tdwInstruction = MAKELONG(HIWORD(dwInstruction), LOWORD(dwInstruction));\n\t\t\t\t\t// sanity chack we are processing a MOV instruction...\n\t\t\t\t\tif ((dwInstruction & ARM_MOV_MASK) == ARM_MOVT)\n\t\t\t\t\t{\n\t\t\t\t\t\t// pull out the encoded 16bit value (the high portion of the address-to-relocate)\n\t\t\t\t\t\twImm = (WORD)(dwInstruction & 0x000000FF);\n\t\t\t\t\t\twImm |= (WORD)((dwInstruction & 0x00007000) >> 4);\n\t\t\t\t\t\twImm |= (WORD)((dwInstruction & 0x04000000) >> 
15);\n\t\t\t\t\t\twImm |= (WORD)((dwInstruction & 0x000F0000) >> 4);\n\t\t\t\t\t\t// apply the relocation to the target address\n\t\t\t\t\t\tdwAddress = ((WORD)HIWORD(uiLibraryAddress) + wImm) & 0xFFFF;\n\t\t\t\t\t\t// now create a new instruction with the same opcode and register param.\n\t\t\t\t\t\tdwInstruction = (DWORD)(dwInstruction & ARM_MOV_MASK2);\n\t\t\t\t\t\t// patch in the relocated address...\n\t\t\t\t\t\tdwInstruction |= (DWORD)(dwAddress & 0x00FF);\n\t\t\t\t\t\tdwInstruction |= (DWORD)(dwAddress & 0x0700) << 4;\n\t\t\t\t\t\tdwInstruction |= (DWORD)(dwAddress & 0x0800) << 15;\n\t\t\t\t\t\tdwInstruction |= (DWORD)(dwAddress & 0xF000) << 4;\n\t\t\t\t\t\t// now flip the instructions words and patch back into the code...\n\t\t\t\t\t\t*(DWORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset + sizeof(DWORD)) = MAKELONG(HIWORD(dwInstruction), LOWORD(dwInstruction));\n\t\t\t\t\t}\n\t\t\t\t}\n#endif\n\t\t\t\telse if (((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_HIGH)\n\t\t\t\t\t*(WORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += HIWORD(uiLibraryAddress);\n\t\t\t\telse if (((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_LOW)\n\t\t\t\t\t*(WORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += LOWORD(uiLibraryAddress);\n\n\t\t\t\t// get the next entry in the current relocation block\n\t\t\t\tuiValueD += sizeof(IMAGE_RELOC);\n\t\t\t}\n\n\t\t\t// get the next entry in the relocation directory\n\t\t\tuiValueC = uiValueC + ((PIMAGE_BASE_RELOCATION)uiValueC)->SizeOfBlock;\n\t\t}\n\t}\n\n\t// STEP 6: call our images entry point\n\n\t// uiValueA = the VA of our newly loaded DLL/EXE's entry point\n\tuiValueA = (uiBaseAddress + ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.AddressOfEntryPoint);\n\n\t// We must flush the instruction cache to avoid stale code being used which was updated by our relocation processing.\n\tpNtFlushInstructionCache((HANDLE)-1, NULL, 0);\n\n\t// call our respective entry point, fudging our hInstance value\n#ifdef 
REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR\n\t// if we are injecting a DLL via LoadRemoteLibraryR we call DllMain and pass in our parameter (via the DllMain lpReserved parameter)\n\t((DLLMAIN)uiValueA)((HINSTANCE)uiBaseAddress, DLL_PROCESS_ATTACH, lpParameter);\n#else\n\t// if we are injecting an DLL via a stub we call DllMain with no parameter\n\t((DLLMAIN)uiValueA)((HINSTANCE)uiBaseAddress, DLL_PROCESS_ATTACH, NULL);\n#endif\n\n\t// STEP 8: return our new entry point address so whatever called us can call DllMain() if needed.\n\treturn uiValueA;\n}\n//===============================================================================================//\n#ifndef REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN\n\nBOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved)\n{\n\tBOOL bReturnValue = TRUE;\n\tswitch (dwReason)\n\t{\n\tcase DLL_QUERY_HMODULE:\n\t\tif (lpReserved != NULL)\n\t\t\t*(HMODULE *)lpReserved = hAppInstance;\n\t\tbreak;\n\tcase DLL_PROCESS_ATTACH:\n\t\thAppInstance = hinstDLL;\n\t\tbreak;\n\tcase DLL_PROCESS_DETACH:\n\tcase DLL_THREAD_ATTACH:\n\tcase DLL_THREAD_DETACH:\n\t\tbreak;\n\t}\n\treturn bReturnValue;\n}\n\n#endif\n//===============================================================================================//\n"
  },
  {
    "path": "Src/Recon-AD-Domain/Recon-AD-Domain/ReflectiveLoader.h",
    "content": "//===============================================================================================//\n// Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com)\n// All rights reserved.\n// \n// Redistribution and use in source and binary forms, with or without modification, are permitted \n// provided that the following conditions are met:\n// \n//     * Redistributions of source code must retain the above copyright notice, this list of \n// conditions and the following disclaimer.\n// \n//     * Redistributions in binary form must reproduce the above copyright notice, this list of \n// conditions and the following disclaimer in the documentation and/or other materials provided \n// with the distribution.\n// \n//     * Neither the name of Harmony Security nor the names of its contributors may be used to\n// endorse or promote products derived from this software without specific prior written permission.\n// \n// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS \"AS IS\" AND ANY EXPRESS OR \n// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND\n// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR \n// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR \n// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR \n// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY \n// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR \n// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE \n// POSSIBILITY OF SUCH DAMAGE.\n//===============================================================================================//\n#ifndef _REFLECTIVEDLLINJECTION_REFLECTIVELOADER_H\n#define _REFLECTIVEDLLINJECTION_REFLECTIVELOADER_H\n//===============================================================================================//\n#define WIN32_LEAN_AND_MEAN\n#include <windows.h>\n#include <Winsock2.h>\n#include <intrin.h>\n\n#include \"ReflectiveDLLInjection.h\"\n\ntypedef HMODULE(WINAPI * LOADLIBRARYA)(LPCSTR);\ntypedef FARPROC(WINAPI * GETPROCADDRESS)(HMODULE, LPCSTR);\ntypedef LPVOID(WINAPI * VIRTUALALLOC)(LPVOID, SIZE_T, DWORD, DWORD);\ntypedef DWORD(NTAPI * NTFLUSHINSTRUCTIONCACHE)(HANDLE, PVOID, ULONG);\n\n#define KERNEL32DLL_HASH\t\t\t\t0x6A4ABC5B\n#define NTDLLDLL_HASH\t\t\t\t\t0x3CFA685D\n\n#define LOADLIBRARYA_HASH\t\t\t\t0xEC0E4E8E\n#define GETPROCADDRESS_HASH\t\t\t\t0x7C0DFCAA\n#define VIRTUALALLOC_HASH\t\t\t\t0x91AFCA54\n#define NTFLUSHINSTRUCTIONCACHE_HASH\t0x534C0AB8\n\n#define IMAGE_REL_BASED_ARM_MOV32A\t\t5\n#define IMAGE_REL_BASED_ARM_MOV32T\t\t7\n\n#define ARM_MOV_MASK\t\t\t\t\t(DWORD)(0xFBF08000)\n#define ARM_MOV_MASK2\t\t\t\t\t(DWORD)(0xFBF08F00)\n#define ARM_MOVW\t\t\t\t\t\t0xF2400000\n#define ARM_MOVT\t\t\t\t\t\t0xF2C00000\n\n#define HASH_KEY\t\t\t\t\t\t13\n//===============================================================================================//\n#pragma intrinsic( _rotr )\n\n__forceinline DWORD ror(DWORD d)\n{\n\treturn 
_rotr(d, HASH_KEY);\n}\n\n__forceinline DWORD hash(char * c)\n{\n\tregister DWORD h = 0;\n\tdo\n\t{\n\t\th = ror(h);\n\t\th += *c;\n\t} while (*++c);\n\n\treturn h;\n}\n//===============================================================================================//\ntypedef struct _UNICODE_STR\n{\n\tUSHORT Length;\n\tUSHORT MaximumLength;\n\tPWSTR pBuffer;\n} UNICODE_STR, *PUNICODE_STR;\n\n// WinDbg> dt -v ntdll!_LDR_DATA_TABLE_ENTRY\n//__declspec( align(8) ) \ntypedef struct _LDR_DATA_TABLE_ENTRY\n{\n\t//LIST_ENTRY InLoadOrderLinks; // As we search from PPEB_LDR_DATA->InMemoryOrderModuleList we dont use the first entry.\n\tLIST_ENTRY InMemoryOrderModuleList;\n\tLIST_ENTRY InInitializationOrderModuleList;\n\tPVOID DllBase;\n\tPVOID EntryPoint;\n\tULONG SizeOfImage;\n\tUNICODE_STR FullDllName;\n\tUNICODE_STR BaseDllName;\n\tULONG Flags;\n\tSHORT LoadCount;\n\tSHORT TlsIndex;\n\tLIST_ENTRY HashTableEntry;\n\tULONG TimeDateStamp;\n} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;\n\n// WinDbg> dt -v ntdll!_PEB_LDR_DATA\ntypedef struct _PEB_LDR_DATA //, 7 elements, 0x28 bytes\n{\n\tDWORD dwLength;\n\tDWORD dwInitialized;\n\tLPVOID lpSsHandle;\n\tLIST_ENTRY InLoadOrderModuleList;\n\tLIST_ENTRY InMemoryOrderModuleList;\n\tLIST_ENTRY InInitializationOrderModuleList;\n\tLPVOID lpEntryInProgress;\n} PEB_LDR_DATA, *PPEB_LDR_DATA;\n\n// WinDbg> dt -v ntdll!_PEB_FREE_BLOCK\ntypedef struct _PEB_FREE_BLOCK // 2 elements, 0x8 bytes\n{\n\tstruct _PEB_FREE_BLOCK * pNext;\n\tDWORD dwSize;\n} PEB_FREE_BLOCK, *PPEB_FREE_BLOCK;\n\n// struct _PEB is defined in Winternl.h but it is incomplete\n// WinDbg> dt -v ntdll!_PEB\ntypedef struct __PEB // 65 elements, 0x210 bytes\n{\n\tBYTE bInheritedAddressSpace;\n\tBYTE bReadImageFileExecOptions;\n\tBYTE bBeingDebugged;\n\tBYTE bSpareBool;\n\tLPVOID lpMutant;\n\tLPVOID lpImageBaseAddress;\n\tPPEB_LDR_DATA pLdr;\n\tLPVOID lpProcessParameters;\n\tLPVOID lpSubSystemData;\n\tLPVOID lpProcessHeap;\n\tPRTL_CRITICAL_SECTION pFastPebLock;\n\tLPVOID 
lpFastPebLockRoutine;\n\tLPVOID lpFastPebUnlockRoutine;\n\tDWORD dwEnvironmentUpdateCount;\n\tLPVOID lpKernelCallbackTable;\n\tDWORD dwSystemReserved;\n\tDWORD dwAtlThunkSListPtr32;\n\tPPEB_FREE_BLOCK pFreeList;\n\tDWORD dwTlsExpansionCounter;\n\tLPVOID lpTlsBitmap;\n\tDWORD dwTlsBitmapBits[2];\n\tLPVOID lpReadOnlySharedMemoryBase;\n\tLPVOID lpReadOnlySharedMemoryHeap;\n\tLPVOID lpReadOnlyStaticServerData;\n\tLPVOID lpAnsiCodePageData;\n\tLPVOID lpOemCodePageData;\n\tLPVOID lpUnicodeCaseTableData;\n\tDWORD dwNumberOfProcessors;\n\tDWORD dwNtGlobalFlag;\n\tLARGE_INTEGER liCriticalSectionTimeout;\n\tDWORD dwHeapSegmentReserve;\n\tDWORD dwHeapSegmentCommit;\n\tDWORD dwHeapDeCommitTotalFreeThreshold;\n\tDWORD dwHeapDeCommitFreeBlockThreshold;\n\tDWORD dwNumberOfHeaps;\n\tDWORD dwMaximumNumberOfHeaps;\n\tLPVOID lpProcessHeaps;\n\tLPVOID lpGdiSharedHandleTable;\n\tLPVOID lpProcessStarterHelper;\n\tDWORD dwGdiDCAttributeList;\n\tLPVOID lpLoaderLock;\n\tDWORD dwOSMajorVersion;\n\tDWORD dwOSMinorVersion;\n\tWORD wOSBuildNumber;\n\tWORD wOSCSDVersion;\n\tDWORD dwOSPlatformId;\n\tDWORD dwImageSubsystem;\n\tDWORD dwImageSubsystemMajorVersion;\n\tDWORD dwImageSubsystemMinorVersion;\n\tDWORD dwImageProcessAffinityMask;\n\tDWORD dwGdiHandleBuffer[34];\n\tLPVOID lpPostProcessInitRoutine;\n\tLPVOID lpTlsExpansionBitmap;\n\tDWORD dwTlsExpansionBitmapBits[32];\n\tDWORD dwSessionId;\n\tULARGE_INTEGER liAppCompatFlags;\n\tULARGE_INTEGER liAppCompatFlagsUser;\n\tLPVOID lppShimData;\n\tLPVOID lpAppCompatInfo;\n\tUNICODE_STR usCSDVersion;\n\tLPVOID lpActivationContextData;\n\tLPVOID lpProcessAssemblyStorageMap;\n\tLPVOID lpSystemDefaultActivationContextData;\n\tLPVOID lpSystemAssemblyStorageMap;\n\tDWORD dwMinimumStackCommit;\n} _PEB, *_PPEB;\n\ntypedef struct\n{\n\tWORD\toffset : 12;\n\tWORD\ttype : 4;\n} IMAGE_RELOC, 
*PIMAGE_RELOC;\n//===============================================================================================//\n#endif\n//===============================================================================================//\n\n"
  },
  {
    "path": "Src/Recon-AD-Domain/Recon-AD-Domain.sln",
    "content": "﻿\nMicrosoft Visual Studio Solution File, Format Version 12.00\n# Visual Studio Express 14 for Windows Desktop\nVisualStudioVersion = 14.0.25420.1\nMinimumVisualStudioVersion = 10.0.40219.1\nProject(\"{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}\") = \"Recon-AD-Domain\", \"Recon-AD-Domain\\Recon-AD-Domain.vcxproj\", \"{D30C9D6B-1F45-47BD-825B-389FE8CC9069}\"\nEndProject\nGlobal\n\tGlobalSection(SolutionConfigurationPlatforms) = preSolution\n\t\tDebug|x64 = Debug|x64\n\t\tDebug|x86 = Debug|x86\n\t\tRelease|x64 = Release|x64\n\t\tRelease|x86 = Release|x86\n\tEndGlobalSection\n\tGlobalSection(ProjectConfigurationPlatforms) = postSolution\n\t\t{D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Debug|x64.ActiveCfg = Debug|x64\n\t\t{D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Debug|x64.Build.0 = Debug|x64\n\t\t{D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Debug|x86.ActiveCfg = Debug|Win32\n\t\t{D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Debug|x86.Build.0 = Debug|Win32\n\t\t{D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Release|x64.ActiveCfg = Release|x64\n\t\t{D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Release|x64.Build.0 = Release|x64\n\t\t{D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Release|x86.ActiveCfg = Release|Win32\n\t\t{D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Release|x86.Build.0 = Release|Win32\n\tEndGlobalSection\n\tGlobalSection(SolutionProperties) = preSolution\n\t\tHideSolutionNode = FALSE\n\tEndGlobalSection\nEndGlobal\n"
  },
  {
    "path": "Src/Recon-AD-Groups/Recon-AD-Groups/Recon-AD-Groups.vcxproj",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project DefaultTargets=\"Build\" ToolsVersion=\"14.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\n  <ItemGroup Label=\"ProjectConfigurations\">\n    <ProjectConfiguration Include=\"Debug|Win32\">\n      <Configuration>Debug</Configuration>\n      <Platform>Win32</Platform>\n    </ProjectConfiguration>\n    <ProjectConfiguration Include=\"Release|Win32\">\n      <Configuration>Release</Configuration>\n      <Platform>Win32</Platform>\n    </ProjectConfiguration>\n    <ProjectConfiguration Include=\"Debug|x64\">\n      <Configuration>Debug</Configuration>\n      <Platform>x64</Platform>\n    </ProjectConfiguration>\n    <ProjectConfiguration Include=\"Release|x64\">\n      <Configuration>Release</Configuration>\n      <Platform>x64</Platform>\n    </ProjectConfiguration>\n  </ItemGroup>\n  <PropertyGroup Label=\"Globals\">\n    <ProjectGuid>{D30C9D6B-1F45-47BD-825B-389FE8CC9069}</ProjectGuid>\n    <RootNamespace>ReconADDomain</RootNamespace>\n    <WindowsTargetPlatformVersion>8.1</WindowsTargetPlatformVersion>\n    <ProjectName>Recon-AD-Groups</ProjectName>\n  </PropertyGroup>\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.Default.props\" />\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\" Label=\"Configuration\">\n    <ConfigurationType>Application</ConfigurationType>\n    <UseDebugLibraries>true</UseDebugLibraries>\n    <PlatformToolset>v140</PlatformToolset>\n    <CharacterSet>MultiByte</CharacterSet>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\" Label=\"Configuration\">\n    <ConfigurationType>DynamicLibrary</ConfigurationType>\n    <UseDebugLibraries>false</UseDebugLibraries>\n    <PlatformToolset>v140</PlatformToolset>\n    <WholeProgramOptimization>true</WholeProgramOptimization>\n    <CharacterSet>Unicode</CharacterSet>\n  </PropertyGroup>\n  <PropertyGroup 
Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\" Label=\"Configuration\">\n    <ConfigurationType>Application</ConfigurationType>\n    <UseDebugLibraries>true</UseDebugLibraries>\n    <PlatformToolset>v140</PlatformToolset>\n    <CharacterSet>MultiByte</CharacterSet>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\" Label=\"Configuration\">\n    <ConfigurationType>DynamicLibrary</ConfigurationType>\n    <UseDebugLibraries>false</UseDebugLibraries>\n    <PlatformToolset>v140</PlatformToolset>\n    <WholeProgramOptimization>true</WholeProgramOptimization>\n    <CharacterSet>Unicode</CharacterSet>\n  </PropertyGroup>\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.props\" />\n  <ImportGroup Label=\"ExtensionSettings\">\n  </ImportGroup>\n  <ImportGroup Label=\"Shared\">\n  </ImportGroup>\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" 
Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <PropertyGroup Label=\"UserMacros\" />\n  <PropertyGroup />\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">\n    <ClCompile>\n      <WarningLevel>Level3</WarningLevel>\n      <Optimization>Disabled</Optimization>\n      <SDLCheck>true</SDLCheck>\n    </ClCompile>\n  </ItemDefinitionGroup>\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\n    <ClCompile>\n      <WarningLevel>Level3</WarningLevel>\n      <Optimization>Disabled</Optimization>\n      <SDLCheck>true</SDLCheck>\n    </ClCompile>\n  </ItemDefinitionGroup>\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">\n    <ClCompile>\n      <WarningLevel>Level3</WarningLevel>\n      <Optimization>MaxSpeed</Optimization>\n      <FunctionLevelLinking>true</FunctionLevelLinking>\n      <IntrinsicFunctions>true</IntrinsicFunctions>\n      <SDLCheck>true</SDLCheck>\n      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>\n      <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;WIN_X86;REFLECTIVE_DLL_EXPORTS;REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR;REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN;%(PreprocessorDefinitions)</PreprocessorDefinitions>\n    </ClCompile>\n    <Link>\n      <EnableCOMDATFolding>true</EnableCOMDATFolding>\n      <OptimizeReferences>true</OptimizeReferences>\n      <GenerateDebugInformation>false</GenerateDebugInformation>\n    </Link>\n  </ItemDefinitionGroup>\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\n    <ClCompile>\n      <WarningLevel>Level3</WarningLevel>\n      <Optimization>MaxSpeed</Optimization>\n      <FunctionLevelLinking>true</FunctionLevelLinking>\n      <IntrinsicFunctions>true</IntrinsicFunctions>\n      <SDLCheck>true</SDLCheck>\n      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>\n      
<PreprocessorDefinitions>WIN64;NDEBUG;_WINDOWS;_USRDLL;REFLECTIVE_DLL_EXPORTS;WIN_X64;REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR;REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN;%(PreprocessorDefinitions)</PreprocessorDefinitions>\n    </ClCompile>\n    <Link>\n      <EnableCOMDATFolding>true</EnableCOMDATFolding>\n      <OptimizeReferences>true</OptimizeReferences>\n      <GenerateDebugInformation>false</GenerateDebugInformation>\n    </Link>\n  </ItemDefinitionGroup>\n  <ItemGroup>\n    <ClInclude Include=\"ReflectiveDLLInjection.h\" />\n    <ClInclude Include=\"ReflectiveLoader.h\" />\n  </ItemGroup>\n  <ItemGroup>\n    <ClCompile Include=\"ReflectiveDll.cpp\" />\n    <ClCompile Include=\"ReflectiveLoader.cpp\" />\n  </ItemGroup>\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.targets\" />\n  <ImportGroup Label=\"ExtensionTargets\">\n  </ImportGroup>\n</Project>"
  },
  {
    "path": "Src/Recon-AD-Groups/Recon-AD-Groups/Recon-AD-Groups.vcxproj.filters",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project ToolsVersion=\"4.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\n  <ItemGroup>\n    <Filter Include=\"Source Files\">\n      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>\n      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>\n    </Filter>\n    <Filter Include=\"Header Files\">\n      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>\n      <Extensions>h;hh;hpp;hxx;hm;inl;inc;xsd</Extensions>\n    </Filter>\n    <Filter Include=\"Resource Files\">\n      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>\n      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>\n    </Filter>\n  </ItemGroup>\n  <ItemGroup>\n    <ClInclude Include=\"ReflectiveDLLInjection.h\">\n      <Filter>Header Files</Filter>\n    </ClInclude>\n    <ClInclude Include=\"ReflectiveLoader.h\">\n      <Filter>Header Files</Filter>\n    </ClInclude>\n  </ItemGroup>\n  <ItemGroup>\n    <ClCompile Include=\"ReflectiveLoader.cpp\">\n      <Filter>Source Files</Filter>\n    </ClCompile>\n    <ClCompile Include=\"ReflectiveDll.cpp\">\n      <Filter>Source Files</Filter>\n    </ClCompile>\n  </ItemGroup>\n</Project>"
  },
  {
    "path": "Src/Recon-AD-Groups/Recon-AD-Groups/Recon-AD-Groups.vcxproj.user",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project ToolsVersion=\"14.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\n  <PropertyGroup />\n</Project>"
  },
  {
    "path": "Src/Recon-AD-Groups/Recon-AD-Groups/ReflectiveDLLInjection.h",
    "content": "//===============================================================================================//\n// Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com)\n// All rights reserved.\n// \n// Redistribution and use in source and binary forms, with or without modification, are permitted \n// provided that the following conditions are met:\n// \n//     * Redistributions of source code must retain the above copyright notice, this list of \n// conditions and the following disclaimer.\n// \n//     * Redistributions in binary form must reproduce the above copyright notice, this list of \n// conditions and the following disclaimer in the documentation and/or other materials provided \n// with the distribution.\n// \n//     * Neither the name of Harmony Security nor the names of its contributors may be used to\n// endorse or promote products derived from this software without specific prior written permission.\n// \n// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS \"AS IS\" AND ANY EXPRESS OR \n// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND\n// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR \n// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR \n// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR \n// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY \n// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR \n// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE \n// POSSIBILITY OF SUCH DAMAGE.\n//===============================================================================================//\n#ifndef _REFLECTIVEDLLINJECTION_REFLECTIVEDLLINJECTION_H\n#define _REFLECTIVEDLLINJECTION_REFLECTIVEDLLINJECTION_H\n//===============================================================================================//\n#define WIN32_LEAN_AND_MEAN\n#include <windows.h>\n\n// we declare some common stuff in here...\n\n#define DLL_QUERY_HMODULE\t\t6\n\n#define DEREF( name )*(UINT_PTR *)(name)\n#define DEREF_64( name )*(DWORD64 *)(name)\n#define DEREF_32( name )*(DWORD *)(name)\n#define DEREF_16( name )*(WORD *)(name)\n#define DEREF_8( name )*(BYTE *)(name)\n\ntypedef ULONG_PTR(WINAPI * REFLECTIVELOADER)(VOID);\ntypedef BOOL(WINAPI * DLLMAIN)(HINSTANCE, DWORD, LPVOID);\n\n#define DLLEXPORT   __declspec( dllexport ) \n\n//===============================================================================================//\n#endif\n//===============================================================================================//\n\n"
  },
  {
    "path": "Src/Recon-AD-Groups/Recon-AD-Groups/ReflectiveDll.cpp",
    "content": "#undef  _UNICODE\n#define _UNICODE\n#undef  UNICODE\n#define UNICODE\n\n#include \"ReflectiveLoader.h\"\n#include <stdio.h>\n#include <objbase.h>\n#include <activeds.h>\n#include <sddl.h>\n\n#pragma comment(lib, \"ADSIid.lib\")\n#pragma comment(lib, \"ActiveDS.Lib\")\n\n// Note: REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR and REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN are\n// defined in the project properties (Properties->C++->Preprocessor) so as we can specify our own \n// DllMain and use the LoadRemoteLibraryR() API to inject this DLL.\n\n// You can use this value as a pseudo hinstDLL value (defined and set via ReflectiveLoader.c)\nextern HINSTANCE hAppInstance;\n\n\nint IS_BUFFER_ENOUGH(UINT maxAlloc, LPWSTR pszTarget, LPCWSTR pszSource, int toCopy = -1) {\n\tif (toCopy == -1) {\n\t\ttoCopy = wcslen(pszSource);\n\t}\n\n\treturn maxAlloc - (wcslen(pszTarget) + toCopy + 1);\n}\n\nHRESULT FindGroups(IDirectorySearch *pContainerToSearch,\t// IDirectorySearch pointer to Partitions container.\n\tLPOLESTR szFilter,\t\t\t\t\t\t\t\t\t\t// Filter for finding specific crossrefs. NULL returns all attributeSchema objects.\n\tLPOLESTR *pszPropertiesToReturn)\t\t\t\t\t\t// Properties to return for crossRef objects found. NULL returns all set properties.\n{\n\tif (!pContainerToSearch)\n\t\treturn E_POINTER;\n\n\t// Create search filter\n\tLPOLESTR pszSearchFilter = new OLECHAR[MAX_PATH * 2];\n\tif (!pszSearchFilter)\n\t\treturn E_OUTOFMEMORY;\n\twchar_t szFormat[] = L\"(&(objectCategory=group)%s)\";\n\n\t// Check the buffer first\n\tif (IS_BUFFER_ENOUGH(MAX_PATH * 2, szFormat, szFilter) > 0)\n\t{\n\t\t// Add the filter.\n\t\tswprintf_s(pszSearchFilter, MAX_PATH * 2, szFormat, szFilter);\n\t}\n\telse\n\t{\n\t\twprintf(L\"[!] 
The filter is too large for buffer, aborting...\");\n\t\tdelete[] pszSearchFilter;\n\t\treturn FALSE;\n\t}\n\n\t// Specify subtree search\n\tADS_SEARCHPREF_INFO SearchPrefs;\n\tSearchPrefs.dwSearchPref = ADS_SEARCHPREF_SEARCH_SCOPE;\n\tSearchPrefs.vValue.dwType = ADSTYPE_INTEGER;\n\tSearchPrefs.vValue.Integer = ADS_SCOPE_SUBTREE;\n\tDWORD dwNumPrefs = 1;\n\n\t// COL for iterations\n\tLPOLESTR pszColumn = NULL;\n\tADS_SEARCH_COLUMN col;\n\tHRESULT hr;\n\n\t// Interface Pointers\n\tIADs *pObj = NULL;\n\tIADs *pIADs = NULL;\n\n\t// Handle used for searching\n\tADS_SEARCH_HANDLE hSearch = NULL;\n\n\t// Set the search preference\n\thr = pContainerToSearch->SetSearchPreference(&SearchPrefs, dwNumPrefs);\n\tif (FAILED(hr))\n\t{\n\t\tdelete[] pszSearchFilter;\n\t\treturn hr;\n\t}\n\n\tLPOLESTR pszBool = NULL;\n\tDWORD dwBool;\n\tPSID pObjectSID = NULL;\n\tLPOLESTR szSID = NULL;\n\tLPOLESTR szDSGUID = new WCHAR[39];\n\tLPGUID pObjectGUID = NULL;\n\tFILETIME filetime;\n\tSYSTEMTIME systemtime;\n\tDATE date;\n\tVARIANT varDate;\n\tLARGE_INTEGER liValue;\n\tLPOLESTR *pszPropertyList = NULL;\n\n\tint iCount = 0;\n\tDWORD x = 0L;\n\n\tif (!pszPropertiesToReturn)\n\t{\n\t\t// Return all properties.\n\t\thr = pContainerToSearch->ExecuteSearch(pszSearchFilter,\n\t\t\tNULL,\n\t\t\t-1L,\n\t\t\t&hSearch);\n\t}\n\telse\n\t{\n\t\t// Specified subset.\n\t\tpszPropertyList = pszPropertiesToReturn;\n\n\t\t// Return specified properties\n\t\thr = pContainerToSearch->ExecuteSearch(pszSearchFilter,\n\t\t\tpszPropertyList,\n\t\t\tsizeof(pszPropertyList) / sizeof(LPOLESTR),\n\t\t\t&hSearch);\n\t}\n\n\tif (SUCCEEDED(hr))\n\t{\n\t\t// Call IDirectorySearch::GetNextRow() to retrieve the next row of data\n\t\thr = pContainerToSearch->GetFirstRow(hSearch);\n\t\tif (SUCCEEDED(hr))\n\t\t{\n\t\t\twhile (hr != S_ADS_NOMORE_ROWS)\n\t\t\t{\n\t\t\t\t// Keep track of 
count.\n\t\t\t\tiCount++;\n\t\t\t\t\t\n\t\t\t\twprintf(L\"--------------------------------------------------------------------\\n\");\n\t\t\t\t\n\t\t\t\t// Loop through the array of passed column names, print the data for each column\n\t\t\t\twhile (pContainerToSearch->GetNextColumnName(hSearch, &pszColumn) != S_ADS_NOMORE_COLUMNS)\n\t\t\t\t{\n\t\t\t\t\thr = pContainerToSearch->GetColumn(hSearch, pszColumn, &col);\n\t\t\t\t\tif (SUCCEEDED(hr))\n\t\t\t\t\t{\n\t\t\t\t\t\t// Print the data for the column and free the column\n\t\t\t\t\t\t// Get the data for this column\n\t\t\t\t\t\twprintf(L\"[+] %s:\\n\", col.pszAttrName);\n\t\t\t\t\t\tswitch (col.dwADsType)\n\t\t\t\t\t\t{\n\t\t\t\t\t\tcase ADSTYPE_DN_STRING:\n\t\t\t\t\t\t\tfor (x = 0; x< col.dwNumValues; x++)\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\tif (wcscmp(L\"member\", col.pszAttrName) == 0) {\n\t\t\t\t\t\t\t\t\tIADsNameTranslate *pNto;\n\t\t\t\t\t\t\t\t\tBSTR bstr;\n\n\t\t\t\t\t\t\t\t\thr = CoCreateInstance(CLSID_NameTranslate,\n\t\t\t\t\t\t\t\t\t\tNULL,\n\t\t\t\t\t\t\t\t\t\tCLSCTX_INPROC_SERVER,\n\t\t\t\t\t\t\t\t\t\tIID_IADsNameTranslate,\n\t\t\t\t\t\t\t\t\t\t(void**)&pNto);\n\t\t\t\t\t\t\t\t\tif (SUCCEEDED(hr)) {\n\t\t\t\t\t\t\t\t\t\thr = pNto->Set(ADS_NAME_TYPE_1779, col.pADsValues[x].DNString);\n\t\t\t\t\t\t\t\t\t\tif (SUCCEEDED(hr)) {\n\t\t\t\t\t\t\t\t\t\t\thr = pNto->Get(ADS_NAME_TYPE_NT4, &bstr);\n\t\t\t\t\t\t\t\t\t\t\twprintf(L\"    %s\\r\\n\", bstr);\n\t\t\t\t\t\t\t\t\t\t\tSysFreeString(bstr);\n\t\t\t\t\t\t\t\t\t\t}\n\n\t\t\t\t\t\t\t\t\t\tpNto->Release();\n\t\t\t\t\t\t\t\t\t}\n\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\telse {\n\t\t\t\t\t\t\t\t\twprintf(L\"    %s\\r\\n\", col.pADsValues[x].DNString);\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\tcase ADSTYPE_CASE_EXACT_STRING:\n\t\t\t\t\t\tcase ADSTYPE_CASE_IGNORE_STRING:\n\t\t\t\t\t\tcase ADSTYPE_PRINTABLE_STRING:\n\t\t\t\t\t\tcase ADSTYPE_NUMERIC_STRING:\n\t\t\t\t\t\tcase ADSTYPE_TYPEDNAME:\n\t\t\t\t\t\tcase 
ADSTYPE_FAXNUMBER:\n\t\t\t\t\t\tcase ADSTYPE_PATH:\n\t\t\t\t\t\tcase ADSTYPE_OBJECT_CLASS:\n\t\t\t\t\t\t\tfor (x = 0; x< col.dwNumValues; x++)\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\twprintf(L\"    %s\\r\\n\", col.pADsValues[x].CaseIgnoreString);\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\tcase ADSTYPE_BOOLEAN:\n\t\t\t\t\t\t\tfor (x = 0; x< col.dwNumValues; x++)\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\tdwBool = col.pADsValues[x].Boolean;\n\t\t\t\t\t\t\t\tpszBool = dwBool ? L\"TRUE\" : L\"FALSE\";\n\t\t\t\t\t\t\t\twprintf(L\"    %s\\r\\n\", pszBool);\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\tcase ADSTYPE_INTEGER:\n\t\t\t\t\t\t\tfor (x = 0; x< col.dwNumValues; x++)\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\twprintf(L\"    %d\\r\\n\", col.pADsValues[x].Integer);\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\tcase ADSTYPE_OCTET_STRING:\n\t\t\t\t\t\t\tif (_wcsicmp(col.pszAttrName, L\"objectSID\") == 0)\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\tfor (x = 0; x< col.dwNumValues; x++)\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tpObjectSID = (PSID)(col.pADsValues[x].OctetString.lpValue);\n\t\t\t\t\t\t\t\t\t// Convert SID to string.\n\t\t\t\t\t\t\t\t\tConvertSidToStringSid(pObjectSID, &szSID);\n\t\t\t\t\t\t\t\t\twprintf(L\"    %s\\r\\n\", szSID);\n\t\t\t\t\t\t\t\t\tLocalFree(szSID);\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\telse if ((_wcsicmp(col.pszAttrName, L\"objectGUID\") == 0))\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\tfor (x = 0; x< col.dwNumValues; x++)\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t// Cast to LPGUID\n\t\t\t\t\t\t\t\t\tpObjectGUID = (LPGUID)(col.pADsValues[x].OctetString.lpValue);\n\t\t\t\t\t\t\t\t\t// Convert GUID to string.\n\t\t\t\t\t\t\t\t\t::StringFromGUID2(*pObjectGUID, szDSGUID, 39);\n\t\t\t\t\t\t\t\t\t// Print the GUID\n\t\t\t\t\t\t\t\t\twprintf(L\"    %s\\r\\n\", szDSGUID);\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\telse\n\t\t\t\t\t\t\t\twprintf(L\"    Value of type Octet String. 
No Conversion.\\n\");\n\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\tcase ADSTYPE_UTC_TIME:\n\t\t\t\t\t\t\tfor (x = 0; x< col.dwNumValues; x++)\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\tsystemtime = col.pADsValues[x].UTCTime;\n\t\t\t\t\t\t\t\tif (SystemTimeToVariantTime(&systemtime,\n\t\t\t\t\t\t\t\t\t&date) != 0)\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t// Pack in variant.vt\n\t\t\t\t\t\t\t\t\tvarDate.vt = VT_DATE;\n\t\t\t\t\t\t\t\t\tvarDate.date = date;\n\t\t\t\t\t\t\t\t\tVariantChangeType(&varDate, &varDate, VARIANT_NOVALUEPROP, VT_BSTR);\n\t\t\t\t\t\t\t\t\twprintf(L\"    %s\\r\\n\", varDate.bstrVal);\n\t\t\t\t\t\t\t\t\tVariantClear(&varDate);\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\telse\n\t\t\t\t\t\t\t\t\twprintf(L\"[!] Could not convert UTC-Time.\\n\");\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\tcase ADSTYPE_LARGE_INTEGER:\n\t\t\t\t\t\t\tfor (x = 0; x< col.dwNumValues; x++)\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\tliValue = col.pADsValues[x].LargeInteger;\n\t\t\t\t\t\t\t\tfiletime.dwLowDateTime = liValue.LowPart;\n\t\t\t\t\t\t\t\tfiletime.dwHighDateTime = liValue.HighPart;\n\t\t\t\t\t\t\t\tif ((filetime.dwHighDateTime == 0) && (filetime.dwLowDateTime == 0))\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\twprintf(L\"    No value set.\\n\");\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\telse\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t// Check for properties of type LargeInteger that represent time\n\t\t\t\t\t\t\t\t\t// if TRUE, then convert to variant time.\n\t\t\t\t\t\t\t\t\tif ((0 == wcscmp(L\"accountExpires\", col.pszAttrName)) |\n\t\t\t\t\t\t\t\t\t\t(0 == wcscmp(L\"badPasswordTime\", col.pszAttrName)) ||\n\t\t\t\t\t\t\t\t\t\t(0 == wcscmp(L\"lastLogon\", col.pszAttrName)) ||\n\t\t\t\t\t\t\t\t\t\t(0 == wcscmp(L\"lastLogoff\", col.pszAttrName)) ||\n\t\t\t\t\t\t\t\t\t\t(0 == wcscmp(L\"lockoutTime\", col.pszAttrName)) ||\n\t\t\t\t\t\t\t\t\t\t(0 == wcscmp(L\"pwdLastSet\", col.pszAttrName))\n\t\t\t\t\t\t\t\t\t\t)\n\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t// Handle special case for Never Expires where low part is 
-1\n\t\t\t\t\t\t\t\t\t\tif (filetime.dwLowDateTime == -1)\n\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\twprintf(L\"    Never Expires.\\n\");\n\t\t\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t\t\telse\n\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\tif (FileTimeToLocalFileTime(&filetime, &filetime) != 0)\n\t\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\t\tif (FileTimeToSystemTime(&filetime,\n\t\t\t\t\t\t\t\t\t\t\t\t\t&systemtime) != 0)\n\t\t\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\t\t\tif (SystemTimeToVariantTime(&systemtime,\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t&date) != 0)\n\t\t\t\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t// Pack in variant.vt\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tvarDate.vt = VT_DATE;\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tvarDate.date = date;\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tVariantChangeType(&varDate, &varDate, VARIANT_NOVALUEPROP, VT_BSTR);\n\t\t\t\t\t\t\t\t\t\t\t\t\t\twprintf(L\"    %s\\r\\n\", varDate.bstrVal);\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tVariantClear(&varDate);\n\t\t\t\t\t\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t\t\t\t\t\telse\n\t\t\t\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\t\t\t\twprintf(L\"    FileTimeToVariantTime failed\\n\");\n\t\t\t\t\t\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t\t\t\t\telse\n\t\t\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\t\t\twprintf(L\"    FileTimeToSystemTime failed\\n\");\n\t\t\t\t\t\t\t\t\t\t\t\t}\n\n\t\t\t\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t\t\t\telse\n\t\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\t\twprintf(L\"    FileTimeToLocalFileTime failed\\n\");\n\t\t\t\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t\telse\n\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t// Print the LargeInteger.\n\t\t\t\t\t\t\t\t\t\twprintf(L\"    high: %d low: %d\\r\\n\", filetime.dwHighDateTime, filetime.dwLowDateTime);\n\t\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\tcase ADSTYPE_NT_SECURITY_DESCRIPTOR:\n\t\t\t\t\t\t\tfor (x = 0; x< col.dwNumValues; 
x++)\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\twprintf(L\"    Security descriptor.\\n\");\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\tdefault:\n\t\t\t\t\t\t\twprintf(L\"[!] Unknown type %d.\\n\", col.dwADsType);\n\t\t\t\t\t\t}\n\n\t\t\t\t\t\tpContainerToSearch->FreeColumn(&col);\n\t\t\t\t\t}\n\t\t\t\t\tCoTaskMemFree(pszColumn);\n\t\t\t\t}\n\n\t\t\t\t// Get the next row\n\t\t\t\thr = pContainerToSearch->GetNextRow(hSearch);\n\t\t\t}\n\t\t}\n\t\t// Close the search handle to clean up\n\t\tpContainerToSearch->CloseSearchHandle(hSearch);\n\t}\n\tif (SUCCEEDED(hr) && 0 == iCount)\n\t\thr = S_FALSE;\n\n\twprintf(L\"--------------------------------------------------------------------\\n\");\n\n\tdelete[] pszSearchFilter;\n\treturn hr;\n}\n\n\nBOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved)\n{\n\tBOOL bReturnValue = TRUE;\n\tLPWSTR pwszParams = (LPWSTR)calloc(strlen((LPSTR)lpReserved) + 1, sizeof(WCHAR));\n\tsize_t convertedChars = 0;\n\tsize_t newsize = strlen((LPSTR)lpReserved) + 1;\n\n\tswitch (dwReason)\n\t{\n\t\tcase DLL_QUERY_HMODULE:\n\t\t\tif (lpReserved != NULL)\n\t\t\t\t*(HMODULE *)lpReserved = hAppInstance;\n\t\t\tbreak;\n\t\tcase DLL_PROCESS_ATTACH:\n\t\t\thAppInstance = hinstDLL;\n\n\t\t\tif (lpReserved != NULL) {\n\n\t\t\t\t// Handle the command line arguments.\n\t\t\t\tint maxAlloc = MAX_PATH * 2;\n\t\t\t\tLPOLESTR pszBuffer = new OLECHAR[maxAlloc];\n\t\t\t\tmbstowcs_s(&convertedChars, pwszParams, newsize, (LPSTR)lpReserved, _TRUNCATE);\n\t\t\t\twcscpy_s(pszBuffer, maxAlloc, pwszParams);\n\n\t\t\t\t// Initialize COM\n\t\t\t\tCoInitialize(NULL);\n\t\t\t\tHRESULT hr = S_OK;\n\n\t\t\t\t// Get rootDSE and the current user's domain container DN.\n\t\t\t\tIADs *pObject = NULL;\n\t\t\t\tIDirectorySearch *pContainerToSearch = NULL;\n\t\t\t\tLPOLESTR szPath = new OLECHAR[MAX_PATH];\n\t\t\t\tVARIANT var;\n\t\t\t\thr = ADsOpenObject(L\"LDAP://rootDSE\",\n\t\t\t\t\tNULL,\n\t\t\t\t\tNULL,\n\t\t\t\t\tADS_SECURE_AUTHENTICATION, // Use Secure 
Authentication\n\t\t\t\t\tIID_IADs,\n\t\t\t\t\t(void**)&pObject);\n\t\t\t\tif (FAILED(hr))\n\t\t\t\t{\n\t\t\t\t\twprintf(L\"[!] Could not execute query. Could not bind to LDAP://rootDSE.\\n\");\n\t\t\t\t\tif (pObject)\n\t\t\t\t\t\tpObject->Release();\n\t\t\t\t\tdelete[] pszBuffer;\n\t\t\t\t\tdelete[] szPath;\n\t\t\t\t\tCoUninitialize();\n\n\t\t\t\t\t// Flush STDOUT\n\t\t\t\t\tfflush(stdout);\n\n\t\t\t\t\t// We're done, so let's exit\n\t\t\t\t\tExitProcess(0);\n\t\t\t\t}\n\t\t\t\tif (SUCCEEDED(hr))\n\t\t\t\t{\n\t\t\t\t\thr = pObject->Get(L\"defaultNamingContext\", &var);\n\t\t\t\t\tif (SUCCEEDED(hr))\n\t\t\t\t\t{\n\t\t\t\t\t\t// Build path to the domain container.\n\t\t\t\t\t\twcscpy_s(szPath, MAX_PATH, L\"LDAP://\");\n\t\t\t\t\t\tif (IS_BUFFER_ENOUGH(MAX_PATH, szPath, var.bstrVal) > 0)\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\twcscat_s(szPath, MAX_PATH, var.bstrVal);\n\t\t\t\t\t\t}\n\t\t\t\t\t\telse\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\twprintf(L\"[!] Buffer is too small for the domain DN\");\n\t\t\t\t\t\t\tdelete[] pszBuffer;\n\t\t\t\t\t\t\tdelete[] szPath;\n\t\t\t\t\t\t\tCoUninitialize();\n\n\t\t\t\t\t\t\t// Flush STDOUT\n\t\t\t\t\t\t\tfflush(stdout);\n\n\t\t\t\t\t\t\t// We're done, so let's exit\n\t\t\t\t\t\t\tExitProcess(0);\n\t\t\t\t\t\t}\n\n\t\t\t\t\t\thr = ADsOpenObject(szPath,\n\t\t\t\t\t\t\tNULL,\n\t\t\t\t\t\t\tNULL,\n\t\t\t\t\t\t\tADS_SECURE_AUTHENTICATION, // Use Secure Authentication\n\t\t\t\t\t\t\tIID_IDirectorySearch,\n\t\t\t\t\t\t\t(void**)&pContainerToSearch);\n\n\t\t\t\t\t\tif (SUCCEEDED(hr))\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\thr = FindGroups(pContainerToSearch, //IDirectorySearch pointer to Partitions container.\n\t\t\t\t\t\t\t\tpszBuffer,\n\t\t\t\t\t\t\t\tNULL\t //Return all properties\n\t\t\t\t\t\t\t);\n\t\t\t\t\t\t\tif (SUCCEEDED(hr))\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\tif (S_FALSE == hr)\n\t\t\t\t\t\t\t\t\twprintf(L\"[!] No group object could be found.\\n\");\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\telse if (0x8007203e == hr)\n\t\t\t\t\t\t\t\twprintf(L\"[!] 
Could not execute query. An invalid filter was specified.\\n\");\n\t\t\t\t\t\t\telse\n\t\t\t\t\t\t\t\twprintf(L\"[!] Query failed to run. HRESULT: %x\\n\", hr);\n\t\t\t\t\t\t}\n\t\t\t\t\t\telse\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\twprintf(L\"[!] Could not execute query. Could not bind to the container.\\n\");\n\t\t\t\t\t\t}\n\t\t\t\t\t\tif (pContainerToSearch)\n\t\t\t\t\t\t\tpContainerToSearch->Release();\n\t\t\t\t\t}\n\t\t\t\t\tVariantClear(&var);\n\t\t\t\t}\n\t\t\t\tif (pObject)\n\t\t\t\t\tpObject->Release();\n\n\t\t\t\tdelete[] pszBuffer;\n\t\t\t\tdelete[] szPath;\n\n\t\t\t\t// Uninitialize COM\n\t\t\t\tCoUninitialize();\n\t\t\t}\n\n\t\t\t// Flush STDOUT\n\t\t\tfflush(stdout);\n\n\t\t\t// We're done, so let's exit\n\t\t\tExitProcess(0);\n\t\t\tbreak;\n\t\tcase DLL_PROCESS_DETACH:\n\t\tcase DLL_THREAD_ATTACH:\n\t\tcase DLL_THREAD_DETACH:\n\t\t\tbreak;\n\t}\n\treturn bReturnValue;\n}\n"
  },
  {
    "path": "Src/Recon-AD-Groups/Recon-AD-Groups/ReflectiveLoader.cpp",
    "content": "//===============================================================================================//\n// Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com)\n// All rights reserved.\n// \n// Redistribution and use in source and binary forms, with or without modification, are permitted \n// provided that the following conditions are met:\n// \n//     * Redistributions of source code must retain the above copyright notice, this list of \n// conditions and the following disclaimer.\n// \n//     * Redistributions in binary form must reproduce the above copyright notice, this list of \n// conditions and the following disclaimer in the documentation and/or other materials provided \n// with the distribution.\n// \n//     * Neither the name of Harmony Security nor the names of its contributors may be used to\n// endorse or promote products derived from this software without specific prior written permission.\n// \n// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS \"AS IS\" AND ANY EXPRESS OR \n// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND\n// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR \n// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR \n// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR \n// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY \n// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR \n// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE \n// POSSIBILITY OF SUCH DAMAGE.\n//===============================================================================================//\n#include \"ReflectiveLoader.h\"\n//===============================================================================================//\n// Our loader will set this to a pseudo correct HINSTANCE/HMODULE value\nHINSTANCE hAppInstance = NULL;\n//===============================================================================================//\n#pragma intrinsic( _ReturnAddress )\n// This function can not be inlined by the compiler or we will not get the address we expect. Ideally \n// this code will be compiled with the /O2 and /Ob1 switches. 
Bonus points if we could take advantage of \n// RIP relative addressing in this instance but I dont believe we can do so with the compiler intrinsics \n// available (and no inline asm available under x64).\n__declspec(noinline) ULONG_PTR caller(VOID) { return (ULONG_PTR)_ReturnAddress(); }\n//===============================================================================================//\n\n// Note 1: If you want to have your own DllMain, define REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN,  \n//         otherwise the DllMain at the end of this file will be used.\n\n// Note 2: If you are injecting the DLL via LoadRemoteLibraryR, define REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR,\n//         otherwise it is assumed you are calling the ReflectiveLoader via a stub.\n\n// This is our position independent reflective DLL loader/injector\n#ifdef REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR\nDLLEXPORT ULONG_PTR WINAPI ReflectiveLoader(LPVOID lpParameter)\n#else\nDLLEXPORT ULONG_PTR WINAPI ReflectiveLoader(VOID)\n#endif\n{\n\t// the functions we need\n\tLOADLIBRARYA pLoadLibraryA = NULL;\n\tGETPROCADDRESS pGetProcAddress = NULL;\n\tVIRTUALALLOC pVirtualAlloc = NULL;\n\tNTFLUSHINSTRUCTIONCACHE pNtFlushInstructionCache = NULL;\n\n\tUSHORT usCounter;\n\n\t// the initial location of this image in memory\n\tULONG_PTR uiLibraryAddress;\n\t// the kernels base address and later this images newly loaded base address\n\tULONG_PTR uiBaseAddress;\n\n\t// variables for processing the kernels export table\n\tULONG_PTR uiAddressArray;\n\tULONG_PTR uiNameArray;\n\tULONG_PTR uiExportDir;\n\tULONG_PTR uiNameOrdinals;\n\tDWORD dwHashValue;\n\n\t// variables for loading this image\n\tULONG_PTR uiHeaderValue;\n\tULONG_PTR uiValueA;\n\tULONG_PTR uiValueB;\n\tULONG_PTR uiValueC;\n\tULONG_PTR uiValueD;\n\tULONG_PTR uiValueE;\n\n\t// STEP 0: calculate our images current base address\n\n\t// we will start searching backwards from our callers return address.\n\tuiLibraryAddress = caller();\n\n\t// loop 
through memory backwards searching for our images base address\n\t// we dont need SEH style search as we shouldnt generate any access violations with this\n\twhile (TRUE)\n\t{\n\t\tif (((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_magic == IMAGE_DOS_SIGNATURE)\n\t\t{\n\t\t\tuiHeaderValue = ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew;\n\t\t\t// some x64 dll's can trigger a bogus signature (IMAGE_DOS_SIGNATURE == 'POP r10'),\n\t\t\t// we sanity check the e_lfanew with an upper threshold value of 1024 to avoid problems.\n\t\t\tif (uiHeaderValue >= sizeof(IMAGE_DOS_HEADER) && uiHeaderValue < 1024)\n\t\t\t{\n\t\t\t\tuiHeaderValue += uiLibraryAddress;\n\t\t\t\t// break if we have found a valid MZ/PE header\n\t\t\t\tif (((PIMAGE_NT_HEADERS)uiHeaderValue)->Signature == IMAGE_NT_SIGNATURE)\n\t\t\t\t\tbreak;\n\t\t\t}\n\t\t}\n\t\tuiLibraryAddress--;\n\t}\n\n\t// STEP 1: process the kernels exports for the functions our loader needs...\n\n\t// get the Process Enviroment Block\n#ifdef WIN_X64\n\tuiBaseAddress = __readgsqword(0x60);\n#else\n#ifdef WIN_X86\n\tuiBaseAddress = __readfsdword(0x30);\n#else WIN_ARM\n\tuiBaseAddress = *(DWORD *)((BYTE *)_MoveFromCoprocessor(15, 0, 13, 0, 2) + 0x30);\n#endif\n#endif\n\n\t// get the processes loaded modules. 
ref: http://msdn.microsoft.com/en-us/library/aa813708(VS.85).aspx\n\tuiBaseAddress = (ULONG_PTR)((_PPEB)uiBaseAddress)->pLdr;\n\n\t// get the first entry of the InMemoryOrder module list\n\tuiValueA = (ULONG_PTR)((PPEB_LDR_DATA)uiBaseAddress)->InMemoryOrderModuleList.Flink;\n\twhile (uiValueA)\n\t{\n\t\t// get pointer to current modules name (unicode string)\n\t\tuiValueB = (ULONG_PTR)((PLDR_DATA_TABLE_ENTRY)uiValueA)->BaseDllName.pBuffer;\n\t\t// set bCounter to the length for the loop\n\t\tusCounter = ((PLDR_DATA_TABLE_ENTRY)uiValueA)->BaseDllName.Length;\n\t\t// clear uiValueC which will store the hash of the module name\n\t\tuiValueC = 0;\n\n\t\t// compute the hash of the module name...\n\t\tdo\n\t\t{\n\t\t\tuiValueC = ror((DWORD)uiValueC);\n\t\t\t// normalize to uppercase if the madule name is in lowercase\n\t\t\tif (*((BYTE *)uiValueB) >= 'a')\n\t\t\t\tuiValueC += *((BYTE *)uiValueB) - 0x20;\n\t\t\telse\n\t\t\t\tuiValueC += *((BYTE *)uiValueB);\n\t\t\tuiValueB++;\n\t\t} while (--usCounter);\n\n\t\t// compare the hash with that of kernel32.dll\n\t\tif ((DWORD)uiValueC == KERNEL32DLL_HASH)\n\t\t{\n\t\t\t// get this modules base address\n\t\t\tuiBaseAddress = (ULONG_PTR)((PLDR_DATA_TABLE_ENTRY)uiValueA)->DllBase;\n\n\t\t\t// get the VA of the modules NT Header\n\t\t\tuiExportDir = uiBaseAddress + ((PIMAGE_DOS_HEADER)uiBaseAddress)->e_lfanew;\n\n\t\t\t// uiNameArray = the address of the modules export directory entry\n\t\t\tuiNameArray = (ULONG_PTR)&((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];\n\n\t\t\t// get the VA of the export directory\n\t\t\tuiExportDir = (uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiNameArray)->VirtualAddress);\n\n\t\t\t// get the VA for the array of name pointers\n\t\t\tuiNameArray = (uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY)uiExportDir)->AddressOfNames);\n\n\t\t\t// get the VA for the array of name ordinals\n\t\t\tuiNameOrdinals = (uiBaseAddress + 
((PIMAGE_EXPORT_DIRECTORY)uiExportDir)->AddressOfNameOrdinals);\n\n\t\t\tusCounter = 3;\n\n\t\t\t// loop while we still have imports to find\n\t\t\twhile (usCounter > 0)\n\t\t\t{\n\t\t\t\t// compute the hash values for this function name\n\t\t\t\tdwHashValue = hash((char *)(uiBaseAddress + DEREF_32(uiNameArray)));\n\n\t\t\t\t// if we have found a function we want we get its virtual address\n\t\t\t\tif (dwHashValue == LOADLIBRARYA_HASH || dwHashValue == GETPROCADDRESS_HASH || dwHashValue == VIRTUALALLOC_HASH)\n\t\t\t\t{\n\t\t\t\t\t// get the VA for the array of addresses\n\t\t\t\t\tuiAddressArray = (uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY)uiExportDir)->AddressOfFunctions);\n\n\t\t\t\t\t// use this functions name ordinal as an index into the array of name pointers\n\t\t\t\t\tuiAddressArray += (DEREF_16(uiNameOrdinals) * sizeof(DWORD));\n\n\t\t\t\t\t// store this functions VA\n\t\t\t\t\tif (dwHashValue == LOADLIBRARYA_HASH)\n\t\t\t\t\t\tpLoadLibraryA = (LOADLIBRARYA)(uiBaseAddress + DEREF_32(uiAddressArray));\n\t\t\t\t\telse if (dwHashValue == GETPROCADDRESS_HASH)\n\t\t\t\t\t\tpGetProcAddress = (GETPROCADDRESS)(uiBaseAddress + DEREF_32(uiAddressArray));\n\t\t\t\t\telse if (dwHashValue == VIRTUALALLOC_HASH)\n\t\t\t\t\t\tpVirtualAlloc = (VIRTUALALLOC)(uiBaseAddress + DEREF_32(uiAddressArray));\n\n\t\t\t\t\t// decrement our counter\n\t\t\t\t\tusCounter--;\n\t\t\t\t}\n\n\t\t\t\t// get the next exported function name\n\t\t\t\tuiNameArray += sizeof(DWORD);\n\n\t\t\t\t// get the next exported function name ordinal\n\t\t\t\tuiNameOrdinals += sizeof(WORD);\n\t\t\t}\n\t\t}\n\t\telse if ((DWORD)uiValueC == NTDLLDLL_HASH)\n\t\t{\n\t\t\t// get this modules base address\n\t\t\tuiBaseAddress = (ULONG_PTR)((PLDR_DATA_TABLE_ENTRY)uiValueA)->DllBase;\n\n\t\t\t// get the VA of the modules NT Header\n\t\t\tuiExportDir = uiBaseAddress + ((PIMAGE_DOS_HEADER)uiBaseAddress)->e_lfanew;\n\n\t\t\t// uiNameArray = the address of the modules export directory entry\n\t\t\tuiNameArray = 
(ULONG_PTR)&((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];\n\n\t\t\t// get the VA of the export directory\n\t\t\tuiExportDir = (uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiNameArray)->VirtualAddress);\n\n\t\t\t// get the VA for the array of name pointers\n\t\t\tuiNameArray = (uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY)uiExportDir)->AddressOfNames);\n\n\t\t\t// get the VA for the array of name ordinals\n\t\t\tuiNameOrdinals = (uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY)uiExportDir)->AddressOfNameOrdinals);\n\n\t\t\tusCounter = 1;\n\n\t\t\t// loop while we still have imports to find\n\t\t\twhile (usCounter > 0)\n\t\t\t{\n\t\t\t\t// compute the hash values for this function name\n\t\t\t\tdwHashValue = hash((char *)(uiBaseAddress + DEREF_32(uiNameArray)));\n\n\t\t\t\t// if we have found a function we want we get its virtual address\n\t\t\t\tif (dwHashValue == NTFLUSHINSTRUCTIONCACHE_HASH)\n\t\t\t\t{\n\t\t\t\t\t// get the VA for the array of addresses\n\t\t\t\t\tuiAddressArray = (uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY)uiExportDir)->AddressOfFunctions);\n\n\t\t\t\t\t// use this functions name ordinal as an index into the array of name pointers\n\t\t\t\t\tuiAddressArray += (DEREF_16(uiNameOrdinals) * sizeof(DWORD));\n\n\t\t\t\t\t// store this functions VA\n\t\t\t\t\tif (dwHashValue == NTFLUSHINSTRUCTIONCACHE_HASH)\n\t\t\t\t\t\tpNtFlushInstructionCache = (NTFLUSHINSTRUCTIONCACHE)(uiBaseAddress + DEREF_32(uiAddressArray));\n\n\t\t\t\t\t// decrement our counter\n\t\t\t\t\tusCounter--;\n\t\t\t\t}\n\n\t\t\t\t// get the next exported function name\n\t\t\t\tuiNameArray += sizeof(DWORD);\n\n\t\t\t\t// get the next exported function name ordinal\n\t\t\t\tuiNameOrdinals += sizeof(WORD);\n\t\t\t}\n\t\t}\n\n\t\t// we stop searching when we have found everything we need.\n\t\tif (pLoadLibraryA && pGetProcAddress && pVirtualAlloc && pNtFlushInstructionCache)\n\t\t\tbreak;\n\n\t\t// get the next entry\n\t\tuiValueA = 
DEREF(uiValueA);\n\t}\n\n\t// STEP 2: load our image into a new permanent location in memory...\n\n\t// get the VA of the NT Header for the PE to be loaded\n\tuiHeaderValue = uiLibraryAddress + ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew;\n\n\t// allocate all the memory for the DLL to be loaded into. we can load at any address because we will  \n\t// relocate the image. Also zeros all memory and marks it as READ, WRITE and EXECUTE to avoid any problems.\n\tuiBaseAddress = (ULONG_PTR)pVirtualAlloc(NULL, ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.SizeOfImage, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);\n\n\t// we must now copy over the headers\n\tuiValueA = ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.SizeOfHeaders;\n\tuiValueB = uiLibraryAddress;\n\tuiValueC = uiBaseAddress;\n\n\twhile (uiValueA--)\n\t\t*(BYTE *)uiValueC++ = *(BYTE *)uiValueB++;\n\n\t// STEP 3: load in all of our sections...\n\n\t// uiValueA = the VA of the first section\n\tuiValueA = ((ULONG_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader + ((PIMAGE_NT_HEADERS)uiHeaderValue)->FileHeader.SizeOfOptionalHeader);\n\n\t// itterate through all sections, loading them into memory.\n\tuiValueE = ((PIMAGE_NT_HEADERS)uiHeaderValue)->FileHeader.NumberOfSections;\n\twhile (uiValueE--)\n\t{\n\t\t// uiValueB is the VA for this section\n\t\tuiValueB = (uiBaseAddress + ((PIMAGE_SECTION_HEADER)uiValueA)->VirtualAddress);\n\n\t\t// uiValueC if the VA for this sections data\n\t\tuiValueC = (uiLibraryAddress + ((PIMAGE_SECTION_HEADER)uiValueA)->PointerToRawData);\n\n\t\t// copy the section over\n\t\tuiValueD = ((PIMAGE_SECTION_HEADER)uiValueA)->SizeOfRawData;\n\n\t\twhile (uiValueD--)\n\t\t\t*(BYTE *)uiValueB++ = *(BYTE *)uiValueC++;\n\n\t\t// get the VA of the next section\n\t\tuiValueA += sizeof(IMAGE_SECTION_HEADER);\n\t}\n\n\t// STEP 4: process our images import table...\n\n\t// uiValueB = the address of the import directory\n\tuiValueB = 
(ULONG_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];\n\n\t// we assume their is an import table to process\n\t// uiValueC is the first entry in the import table\n\tuiValueC = (uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiValueB)->VirtualAddress);\n\n\t// itterate through all imports\n\twhile (((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->Name)\n\t{\n\t\t// use LoadLibraryA to load the imported module into memory\n\t\tuiLibraryAddress = (ULONG_PTR)pLoadLibraryA((LPCSTR)(uiBaseAddress + ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->Name));\n\n\t\t// uiValueD = VA of the OriginalFirstThunk\n\t\tuiValueD = (uiBaseAddress + ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->OriginalFirstThunk);\n\n\t\t// uiValueA = VA of the IAT (via first thunk not origionalfirstthunk)\n\t\tuiValueA = (uiBaseAddress + ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->FirstThunk);\n\n\t\t// itterate through all imported functions, importing by ordinal if no name present\n\t\twhile (DEREF(uiValueA))\n\t\t{\n\t\t\t// sanity check uiValueD as some compilers only import by FirstThunk\n\t\t\tif (uiValueD && ((PIMAGE_THUNK_DATA)uiValueD)->u1.Ordinal & IMAGE_ORDINAL_FLAG)\n\t\t\t{\n\t\t\t\t// get the VA of the modules NT Header\n\t\t\t\tuiExportDir = uiLibraryAddress + ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew;\n\n\t\t\t\t// uiNameArray = the address of the modules export directory entry\n\t\t\t\tuiNameArray = (ULONG_PTR)&((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];\n\n\t\t\t\t// get the VA of the export directory\n\t\t\t\tuiExportDir = (uiLibraryAddress + ((PIMAGE_DATA_DIRECTORY)uiNameArray)->VirtualAddress);\n\n\t\t\t\t// get the VA for the array of addresses\n\t\t\t\tuiAddressArray = (uiLibraryAddress + ((PIMAGE_EXPORT_DIRECTORY)uiExportDir)->AddressOfFunctions);\n\n\t\t\t\t// use the import ordinal (- export ordinal base) as an index into the array of addresses\n\t\t\t\tuiAddressArray += 
((IMAGE_ORDINAL(((PIMAGE_THUNK_DATA)uiValueD)->u1.Ordinal) - ((PIMAGE_EXPORT_DIRECTORY)uiExportDir)->Base) * sizeof(DWORD));\n\n\t\t\t\t// patch in the address for this imported function\n\t\t\t\tDEREF(uiValueA) = (uiLibraryAddress + DEREF_32(uiAddressArray));\n\t\t\t}\n\t\t\telse\n\t\t\t{\n\t\t\t\t// get the VA of this functions import by name struct\n\t\t\t\tuiValueB = (uiBaseAddress + DEREF(uiValueA));\n\n\t\t\t\t// use GetProcAddress and patch in the address for this imported function\n\t\t\t\tDEREF(uiValueA) = (ULONG_PTR)pGetProcAddress((HMODULE)uiLibraryAddress, (LPCSTR)((PIMAGE_IMPORT_BY_NAME)uiValueB)->Name);\n\t\t\t}\n\t\t\t// get the next imported function\n\t\t\tuiValueA += sizeof(ULONG_PTR);\n\t\t\tif (uiValueD)\n\t\t\t\tuiValueD += sizeof(ULONG_PTR);\n\t\t}\n\n\t\t// get the next import\n\t\tuiValueC += sizeof(IMAGE_IMPORT_DESCRIPTOR);\n\t}\n\n\t// STEP 5: process all of our images relocations...\n\n\t// calculate the base address delta and perform relocations (even if we load at desired image base)\n\tuiLibraryAddress = uiBaseAddress - ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.ImageBase;\n\n\t// uiValueB = the address of the relocation directory\n\tuiValueB = (ULONG_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC];\n\n\t// check if their are any relocations present\n\tif (((PIMAGE_DATA_DIRECTORY)uiValueB)->Size)\n\t{\n\t\t// uiValueC is now the first entry (IMAGE_BASE_RELOCATION)\n\t\tuiValueC = (uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiValueB)->VirtualAddress);\n\n\t\t// and we itterate through all entries...\n\t\twhile (((PIMAGE_BASE_RELOCATION)uiValueC)->SizeOfBlock)\n\t\t{\n\t\t\t// uiValueA = the VA for this relocation block\n\t\t\tuiValueA = (uiBaseAddress + ((PIMAGE_BASE_RELOCATION)uiValueC)->VirtualAddress);\n\n\t\t\t// uiValueB = number of entries in this relocation block\n\t\t\tuiValueB = (((PIMAGE_BASE_RELOCATION)uiValueC)->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) / 
sizeof(IMAGE_RELOC);\n\n\t\t\t// uiValueD is now the first entry in the current relocation block\n\t\t\tuiValueD = uiValueC + sizeof(IMAGE_BASE_RELOCATION);\n\n\t\t\t// we itterate through all the entries in the current block...\n\t\t\twhile (uiValueB--)\n\t\t\t{\n\t\t\t\t// perform the relocation, skipping IMAGE_REL_BASED_ABSOLUTE as required.\n\t\t\t\t// we dont use a switch statement to avoid the compiler building a jump table\n\t\t\t\t// which would not be very position independent!\n\t\t\t\tif (((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_DIR64)\n\t\t\t\t\t*(ULONG_PTR *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += uiLibraryAddress;\n\t\t\t\telse if (((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_HIGHLOW)\n\t\t\t\t\t*(DWORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += (DWORD)uiLibraryAddress;\n#ifdef WIN_ARM\n\t\t\t\t// Note: On ARM, the compiler optimization /O2 seems to introduce an off by one issue, possibly a code gen bug. Using /O1 instead avoids this problem.\n\t\t\t\telse if (((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_ARM_MOV32T)\n\t\t\t\t{\n\t\t\t\t\tregister DWORD dwInstruction;\n\t\t\t\t\tregister DWORD dwAddress;\n\t\t\t\t\tregister WORD wImm;\n\t\t\t\t\t// get the MOV.T instructions DWORD value (We add 4 to the offset to go past the first MOV.W which handles the low word)\n\t\t\t\t\tdwInstruction = *(DWORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset + sizeof(DWORD));\n\t\t\t\t\t// flip the words to get the instruction as expected\n\t\t\t\t\tdwInstruction = MAKELONG(HIWORD(dwInstruction), LOWORD(dwInstruction));\n\t\t\t\t\t// sanity chack we are processing a MOV instruction...\n\t\t\t\t\tif ((dwInstruction & ARM_MOV_MASK) == ARM_MOVT)\n\t\t\t\t\t{\n\t\t\t\t\t\t// pull out the encoded 16bit value (the high portion of the address-to-relocate)\n\t\t\t\t\t\twImm = (WORD)(dwInstruction & 0x000000FF);\n\t\t\t\t\t\twImm |= (WORD)((dwInstruction & 0x00007000) >> 4);\n\t\t\t\t\t\twImm |= (WORD)((dwInstruction & 0x04000000) >> 
15);\n\t\t\t\t\t\twImm |= (WORD)((dwInstruction & 0x000F0000) >> 4);\n\t\t\t\t\t\t// apply the relocation to the target address\n\t\t\t\t\t\tdwAddress = ((WORD)HIWORD(uiLibraryAddress) + wImm) & 0xFFFF;\n\t\t\t\t\t\t// now create a new instruction with the same opcode and register param.\n\t\t\t\t\t\tdwInstruction = (DWORD)(dwInstruction & ARM_MOV_MASK2);\n\t\t\t\t\t\t// patch in the relocated address...\n\t\t\t\t\t\tdwInstruction |= (DWORD)(dwAddress & 0x00FF);\n\t\t\t\t\t\tdwInstruction |= (DWORD)(dwAddress & 0x0700) << 4;\n\t\t\t\t\t\tdwInstruction |= (DWORD)(dwAddress & 0x0800) << 15;\n\t\t\t\t\t\tdwInstruction |= (DWORD)(dwAddress & 0xF000) << 4;\n\t\t\t\t\t\t// now flip the instructions words and patch back into the code...\n\t\t\t\t\t\t*(DWORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset + sizeof(DWORD)) = MAKELONG(HIWORD(dwInstruction), LOWORD(dwInstruction));\n\t\t\t\t\t}\n\t\t\t\t}\n#endif\n\t\t\t\telse if (((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_HIGH)\n\t\t\t\t\t*(WORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += HIWORD(uiLibraryAddress);\n\t\t\t\telse if (((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_LOW)\n\t\t\t\t\t*(WORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += LOWORD(uiLibraryAddress);\n\n\t\t\t\t// get the next entry in the current relocation block\n\t\t\t\tuiValueD += sizeof(IMAGE_RELOC);\n\t\t\t}\n\n\t\t\t// get the next entry in the relocation directory\n\t\t\tuiValueC = uiValueC + ((PIMAGE_BASE_RELOCATION)uiValueC)->SizeOfBlock;\n\t\t}\n\t}\n\n\t// STEP 6: call our images entry point\n\n\t// uiValueA = the VA of our newly loaded DLL/EXE's entry point\n\tuiValueA = (uiBaseAddress + ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.AddressOfEntryPoint);\n\n\t// We must flush the instruction cache to avoid stale code being used which was updated by our relocation processing.\n\tpNtFlushInstructionCache((HANDLE)-1, NULL, 0);\n\n\t// call our respective entry point, fudging our hInstance value\n#ifdef 
REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR\n\t// if we are injecting a DLL via LoadRemoteLibraryR we call DllMain and pass in our parameter (via the DllMain lpReserved parameter)\n\t((DLLMAIN)uiValueA)((HINSTANCE)uiBaseAddress, DLL_PROCESS_ATTACH, lpParameter);\n#else\n\t// if we are injecting an DLL via a stub we call DllMain with no parameter\n\t((DLLMAIN)uiValueA)((HINSTANCE)uiBaseAddress, DLL_PROCESS_ATTACH, NULL);\n#endif\n\n\t// STEP 8: return our new entry point address so whatever called us can call DllMain() if needed.\n\treturn uiValueA;\n}\n//===============================================================================================//\n#ifndef REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN\n\nBOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved)\n{\n\tBOOL bReturnValue = TRUE;\n\tswitch (dwReason)\n\t{\n\tcase DLL_QUERY_HMODULE:\n\t\tif (lpReserved != NULL)\n\t\t\t*(HMODULE *)lpReserved = hAppInstance;\n\t\tbreak;\n\tcase DLL_PROCESS_ATTACH:\n\t\thAppInstance = hinstDLL;\n\t\tbreak;\n\tcase DLL_PROCESS_DETACH:\n\tcase DLL_THREAD_ATTACH:\n\tcase DLL_THREAD_DETACH:\n\t\tbreak;\n\t}\n\treturn bReturnValue;\n}\n\n#endif\n//===============================================================================================//\n"
  },
  {
    "path": "Src/Recon-AD-Groups/Recon-AD-Groups/ReflectiveLoader.h",
    "content": "//===============================================================================================//\n// Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com)\n// All rights reserved.\n// \n// Redistribution and use in source and binary forms, with or without modification, are permitted \n// provided that the following conditions are met:\n// \n//     * Redistributions of source code must retain the above copyright notice, this list of \n// conditions and the following disclaimer.\n// \n//     * Redistributions in binary form must reproduce the above copyright notice, this list of \n// conditions and the following disclaimer in the documentation and/or other materials provided \n// with the distribution.\n// \n//     * Neither the name of Harmony Security nor the names of its contributors may be used to\n// endorse or promote products derived from this software without specific prior written permission.\n// \n// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS \"AS IS\" AND ANY EXPRESS OR \n// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND\n// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR \n// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR \n// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR \n// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY \n// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR \n// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE \n// POSSIBILITY OF SUCH DAMAGE.\n//===============================================================================================//\n#ifndef _REFLECTIVEDLLINJECTION_REFLECTIVELOADER_H\n#define _REFLECTIVEDLLINJECTION_REFLECTIVELOADER_H\n//===============================================================================================//\n#define WIN32_LEAN_AND_MEAN\n#include <windows.h>\n#include <Winsock2.h>\n#include <intrin.h>\n\n#include \"ReflectiveDLLInjection.h\"\n\ntypedef HMODULE(WINAPI * LOADLIBRARYA)(LPCSTR);\ntypedef FARPROC(WINAPI * GETPROCADDRESS)(HMODULE, LPCSTR);\ntypedef LPVOID(WINAPI * VIRTUALALLOC)(LPVOID, SIZE_T, DWORD, DWORD);\ntypedef DWORD(NTAPI * NTFLUSHINSTRUCTIONCACHE)(HANDLE, PVOID, ULONG);\n\n#define KERNEL32DLL_HASH\t\t\t\t0x6A4ABC5B\n#define NTDLLDLL_HASH\t\t\t\t\t0x3CFA685D\n\n#define LOADLIBRARYA_HASH\t\t\t\t0xEC0E4E8E\n#define GETPROCADDRESS_HASH\t\t\t\t0x7C0DFCAA\n#define VIRTUALALLOC_HASH\t\t\t\t0x91AFCA54\n#define NTFLUSHINSTRUCTIONCACHE_HASH\t0x534C0AB8\n\n#define IMAGE_REL_BASED_ARM_MOV32A\t\t5\n#define IMAGE_REL_BASED_ARM_MOV32T\t\t7\n\n#define ARM_MOV_MASK\t\t\t\t\t(DWORD)(0xFBF08000)\n#define ARM_MOV_MASK2\t\t\t\t\t(DWORD)(0xFBF08F00)\n#define ARM_MOVW\t\t\t\t\t\t0xF2400000\n#define ARM_MOVT\t\t\t\t\t\t0xF2C00000\n\n#define HASH_KEY\t\t\t\t\t\t13\n//===============================================================================================//\n#pragma intrinsic( _rotr )\n\n__forceinline DWORD ror(DWORD d)\n{\n\treturn 
_rotr(d, HASH_KEY);\n}\n\n__forceinline DWORD hash(char * c)\n{\n\tregister DWORD h = 0;\n\tdo\n\t{\n\t\th = ror(h);\n\t\th += *c;\n\t} while (*++c);\n\n\treturn h;\n}\n//===============================================================================================//\ntypedef struct _UNICODE_STR\n{\n\tUSHORT Length;\n\tUSHORT MaximumLength;\n\tPWSTR pBuffer;\n} UNICODE_STR, *PUNICODE_STR;\n\n// WinDbg> dt -v ntdll!_LDR_DATA_TABLE_ENTRY\n//__declspec( align(8) ) \ntypedef struct _LDR_DATA_TABLE_ENTRY\n{\n\t//LIST_ENTRY InLoadOrderLinks; // As we search from PPEB_LDR_DATA->InMemoryOrderModuleList we dont use the first entry.\n\tLIST_ENTRY InMemoryOrderModuleList;\n\tLIST_ENTRY InInitializationOrderModuleList;\n\tPVOID DllBase;\n\tPVOID EntryPoint;\n\tULONG SizeOfImage;\n\tUNICODE_STR FullDllName;\n\tUNICODE_STR BaseDllName;\n\tULONG Flags;\n\tSHORT LoadCount;\n\tSHORT TlsIndex;\n\tLIST_ENTRY HashTableEntry;\n\tULONG TimeDateStamp;\n} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;\n\n// WinDbg> dt -v ntdll!_PEB_LDR_DATA\ntypedef struct _PEB_LDR_DATA //, 7 elements, 0x28 bytes\n{\n\tDWORD dwLength;\n\tDWORD dwInitialized;\n\tLPVOID lpSsHandle;\n\tLIST_ENTRY InLoadOrderModuleList;\n\tLIST_ENTRY InMemoryOrderModuleList;\n\tLIST_ENTRY InInitializationOrderModuleList;\n\tLPVOID lpEntryInProgress;\n} PEB_LDR_DATA, *PPEB_LDR_DATA;\n\n// WinDbg> dt -v ntdll!_PEB_FREE_BLOCK\ntypedef struct _PEB_FREE_BLOCK // 2 elements, 0x8 bytes\n{\n\tstruct _PEB_FREE_BLOCK * pNext;\n\tDWORD dwSize;\n} PEB_FREE_BLOCK, *PPEB_FREE_BLOCK;\n\n// struct _PEB is defined in Winternl.h but it is incomplete\n// WinDbg> dt -v ntdll!_PEB\ntypedef struct __PEB // 65 elements, 0x210 bytes\n{\n\tBYTE bInheritedAddressSpace;\n\tBYTE bReadImageFileExecOptions;\n\tBYTE bBeingDebugged;\n\tBYTE bSpareBool;\n\tLPVOID lpMutant;\n\tLPVOID lpImageBaseAddress;\n\tPPEB_LDR_DATA pLdr;\n\tLPVOID lpProcessParameters;\n\tLPVOID lpSubSystemData;\n\tLPVOID lpProcessHeap;\n\tPRTL_CRITICAL_SECTION pFastPebLock;\n\tLPVOID 
lpFastPebLockRoutine;\n\tLPVOID lpFastPebUnlockRoutine;\n\tDWORD dwEnvironmentUpdateCount;\n\tLPVOID lpKernelCallbackTable;\n\tDWORD dwSystemReserved;\n\tDWORD dwAtlThunkSListPtr32;\n\tPPEB_FREE_BLOCK pFreeList;\n\tDWORD dwTlsExpansionCounter;\n\tLPVOID lpTlsBitmap;\n\tDWORD dwTlsBitmapBits[2];\n\tLPVOID lpReadOnlySharedMemoryBase;\n\tLPVOID lpReadOnlySharedMemoryHeap;\n\tLPVOID lpReadOnlyStaticServerData;\n\tLPVOID lpAnsiCodePageData;\n\tLPVOID lpOemCodePageData;\n\tLPVOID lpUnicodeCaseTableData;\n\tDWORD dwNumberOfProcessors;\n\tDWORD dwNtGlobalFlag;\n\tLARGE_INTEGER liCriticalSectionTimeout;\n\tDWORD dwHeapSegmentReserve;\n\tDWORD dwHeapSegmentCommit;\n\tDWORD dwHeapDeCommitTotalFreeThreshold;\n\tDWORD dwHeapDeCommitFreeBlockThreshold;\n\tDWORD dwNumberOfHeaps;\n\tDWORD dwMaximumNumberOfHeaps;\n\tLPVOID lpProcessHeaps;\n\tLPVOID lpGdiSharedHandleTable;\n\tLPVOID lpProcessStarterHelper;\n\tDWORD dwGdiDCAttributeList;\n\tLPVOID lpLoaderLock;\n\tDWORD dwOSMajorVersion;\n\tDWORD dwOSMinorVersion;\n\tWORD wOSBuildNumber;\n\tWORD wOSCSDVersion;\n\tDWORD dwOSPlatformId;\n\tDWORD dwImageSubsystem;\n\tDWORD dwImageSubsystemMajorVersion;\n\tDWORD dwImageSubsystemMinorVersion;\n\tDWORD dwImageProcessAffinityMask;\n\tDWORD dwGdiHandleBuffer[34];\n\tLPVOID lpPostProcessInitRoutine;\n\tLPVOID lpTlsExpansionBitmap;\n\tDWORD dwTlsExpansionBitmapBits[32];\n\tDWORD dwSessionId;\n\tULARGE_INTEGER liAppCompatFlags;\n\tULARGE_INTEGER liAppCompatFlagsUser;\n\tLPVOID lppShimData;\n\tLPVOID lpAppCompatInfo;\n\tUNICODE_STR usCSDVersion;\n\tLPVOID lpActivationContextData;\n\tLPVOID lpProcessAssemblyStorageMap;\n\tLPVOID lpSystemDefaultActivationContextData;\n\tLPVOID lpSystemAssemblyStorageMap;\n\tDWORD dwMinimumStackCommit;\n} _PEB, *_PPEB;\n\ntypedef struct\n{\n\tWORD\toffset : 12;\n\tWORD\ttype : 4;\n} IMAGE_RELOC, 
*PIMAGE_RELOC;\n//===============================================================================================//\n#endif\n//===============================================================================================//\n\n"
  },
  {
    "path": "Src/Recon-AD-Groups/Recon-AD-Groups.sln",
    "content": "﻿\nMicrosoft Visual Studio Solution File, Format Version 12.00\n# Visual Studio Express 14 for Windows Desktop\nVisualStudioVersion = 14.0.25420.1\nMinimumVisualStudioVersion = 10.0.40219.1\nProject(\"{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}\") = \"Recon-AD-Groups\", \"Recon-AD-Groups\\Recon-AD-Groups.vcxproj\", \"{D30C9D6B-1F45-47BD-825B-389FE8CC9069}\"\nEndProject\nGlobal\n\tGlobalSection(SolutionConfigurationPlatforms) = preSolution\n\t\tDebug|x64 = Debug|x64\n\t\tDebug|x86 = Debug|x86\n\t\tRelease|x64 = Release|x64\n\t\tRelease|x86 = Release|x86\n\tEndGlobalSection\n\tGlobalSection(ProjectConfigurationPlatforms) = postSolution\n\t\t{D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Debug|x64.ActiveCfg = Debug|x64\n\t\t{D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Debug|x64.Build.0 = Debug|x64\n\t\t{D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Debug|x86.ActiveCfg = Debug|Win32\n\t\t{D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Debug|x86.Build.0 = Debug|Win32\n\t\t{D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Release|x64.ActiveCfg = Release|x64\n\t\t{D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Release|x64.Build.0 = Release|x64\n\t\t{D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Release|x86.ActiveCfg = Release|Win32\n\t\t{D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Release|x86.Build.0 = Release|Win32\n\tEndGlobalSection\n\tGlobalSection(SolutionProperties) = preSolution\n\t\tHideSolutionNode = FALSE\n\tEndGlobalSection\nEndGlobal\n"
  },
  {
    "path": "Src/Recon-AD-LocalGroups/Recon-AD-LocalGroups/Recon-AD-LocalGroups.vcxproj",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project DefaultTargets=\"Build\" ToolsVersion=\"14.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\n  <ItemGroup Label=\"ProjectConfigurations\">\n    <ProjectConfiguration Include=\"Debug|Win32\">\n      <Configuration>Debug</Configuration>\n      <Platform>Win32</Platform>\n    </ProjectConfiguration>\n    <ProjectConfiguration Include=\"Release|Win32\">\n      <Configuration>Release</Configuration>\n      <Platform>Win32</Platform>\n    </ProjectConfiguration>\n    <ProjectConfiguration Include=\"Debug|x64\">\n      <Configuration>Debug</Configuration>\n      <Platform>x64</Platform>\n    </ProjectConfiguration>\n    <ProjectConfiguration Include=\"Release|x64\">\n      <Configuration>Release</Configuration>\n      <Platform>x64</Platform>\n    </ProjectConfiguration>\n  </ItemGroup>\n  <PropertyGroup Label=\"Globals\">\n    <ProjectGuid>{D30C9D6B-1F45-47BD-825B-389FE8CC9069}</ProjectGuid>\n    <RootNamespace>ReconADDomain</RootNamespace>\n    <WindowsTargetPlatformVersion>8.1</WindowsTargetPlatformVersion>\n    <ProjectName>Recon-AD-LocalGroups</ProjectName>\n  </PropertyGroup>\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.Default.props\" />\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\" Label=\"Configuration\">\n    <ConfigurationType>Application</ConfigurationType>\n    <UseDebugLibraries>true</UseDebugLibraries>\n    <PlatformToolset>v140</PlatformToolset>\n    <CharacterSet>MultiByte</CharacterSet>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\" Label=\"Configuration\">\n    <ConfigurationType>DynamicLibrary</ConfigurationType>\n    <UseDebugLibraries>false</UseDebugLibraries>\n    <PlatformToolset>v140</PlatformToolset>\n    <WholeProgramOptimization>true</WholeProgramOptimization>\n    <CharacterSet>Unicode</CharacterSet>\n  </PropertyGroup>\n  <PropertyGroup 
Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\" Label=\"Configuration\">\n    <ConfigurationType>DynamicLibrary</ConfigurationType>\n    <UseDebugLibraries>true</UseDebugLibraries>\n    <PlatformToolset>v141</PlatformToolset>\n    <CharacterSet>Unicode</CharacterSet>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\" Label=\"Configuration\">\n    <ConfigurationType>DynamicLibrary</ConfigurationType>\n    <UseDebugLibraries>false</UseDebugLibraries>\n    <PlatformToolset>v141</PlatformToolset>\n    <WholeProgramOptimization>true</WholeProgramOptimization>\n    <CharacterSet>Unicode</CharacterSet>\n  </PropertyGroup>\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.props\" />\n  <ImportGroup Label=\"ExtensionSettings\">\n  </ImportGroup>\n  <ImportGroup Label=\"Shared\">\n  </ImportGroup>\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" 
Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <PropertyGroup Label=\"UserMacros\" />\n  <PropertyGroup />\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">\n    <ClCompile>\n      <WarningLevel>Level3</WarningLevel>\n      <Optimization>Disabled</Optimization>\n      <SDLCheck>true</SDLCheck>\n    </ClCompile>\n  </ItemDefinitionGroup>\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\n    <ClCompile>\n      <WarningLevel>Level3</WarningLevel>\n      <Optimization>Disabled</Optimization>\n      <SDLCheck>true</SDLCheck>\n      <PreprocessorDefinitions>WIN64;NDEBUG;_WINDOWS;_USRDLL;REFLECTIVE_DLL_EXPORTS;WIN_X64;REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR;REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN;%(PreprocessorDefinitions)</PreprocessorDefinitions>\n    </ClCompile>\n  </ItemDefinitionGroup>\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">\n    <ClCompile>\n      <WarningLevel>Level3</WarningLevel>\n      <Optimization>MaxSpeed</Optimization>\n      <FunctionLevelLinking>true</FunctionLevelLinking>\n      <IntrinsicFunctions>true</IntrinsicFunctions>\n      <SDLCheck>true</SDLCheck>\n      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>\n      <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;WIN_X86;REFLECTIVE_DLL_EXPORTS;REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR;REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN;%(PreprocessorDefinitions)</PreprocessorDefinitions>\n    </ClCompile>\n    <Link>\n      <EnableCOMDATFolding>true</EnableCOMDATFolding>\n      <OptimizeReferences>true</OptimizeReferences>\n      <GenerateDebugInformation>false</GenerateDebugInformation>\n    </Link>\n  </ItemDefinitionGroup>\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\n    <ClCompile>\n      <WarningLevel>Level3</WarningLevel>\n      
<Optimization>MaxSpeed</Optimization>\n      <FunctionLevelLinking>true</FunctionLevelLinking>\n      <IntrinsicFunctions>true</IntrinsicFunctions>\n      <SDLCheck>true</SDLCheck>\n      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>\n      <PreprocessorDefinitions>WIN64;NDEBUG;_WINDOWS;_USRDLL;REFLECTIVE_DLL_EXPORTS;WIN_X64;REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR;REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN;%(PreprocessorDefinitions)</PreprocessorDefinitions>\n    </ClCompile>\n    <Link>\n      <EnableCOMDATFolding>true</EnableCOMDATFolding>\n      <OptimizeReferences>true</OptimizeReferences>\n      <GenerateDebugInformation>false</GenerateDebugInformation>\n    </Link>\n  </ItemDefinitionGroup>\n  <ItemGroup>\n    <ClInclude Include=\"ReflectiveDLLInjection.h\" />\n    <ClInclude Include=\"ReflectiveLoader.h\" />\n  </ItemGroup>\n  <ItemGroup>\n    <ClCompile Include=\"ReflectiveDll.cpp\" />\n    <ClCompile Include=\"ReflectiveLoader.cpp\" />\n  </ItemGroup>\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.targets\" />\n  <ImportGroup Label=\"ExtensionTargets\">\n  </ImportGroup>\n</Project>"
  },
  {
    "path": "Src/Recon-AD-LocalGroups/Recon-AD-LocalGroups/Recon-AD-LocalGroups.vcxproj.filters",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project ToolsVersion=\"4.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\n  <ItemGroup>\n    <Filter Include=\"Source Files\">\n      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>\n      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>\n    </Filter>\n    <Filter Include=\"Header Files\">\n      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>\n      <Extensions>h;hh;hpp;hxx;hm;inl;inc;xsd</Extensions>\n    </Filter>\n    <Filter Include=\"Resource Files\">\n      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>\n      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>\n    </Filter>\n  </ItemGroup>\n  <ItemGroup>\n    <ClInclude Include=\"ReflectiveDLLInjection.h\">\n      <Filter>Header Files</Filter>\n    </ClInclude>\n    <ClInclude Include=\"ReflectiveLoader.h\">\n      <Filter>Header Files</Filter>\n    </ClInclude>\n  </ItemGroup>\n  <ItemGroup>\n    <ClCompile Include=\"ReflectiveLoader.cpp\">\n      <Filter>Source Files</Filter>\n    </ClCompile>\n    <ClCompile Include=\"ReflectiveDll.cpp\">\n      <Filter>Source Files</Filter>\n    </ClCompile>\n  </ItemGroup>\n</Project>"
  },
  {
    "path": "Src/Recon-AD-LocalGroups/Recon-AD-LocalGroups/Recon-AD-LocalGroups.vcxproj.user",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project ToolsVersion=\"14.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\n  <PropertyGroup />\n</Project>"
  },
  {
    "path": "Src/Recon-AD-LocalGroups/Recon-AD-LocalGroups/ReflectiveDLLInjection.h",
    "content": "//===============================================================================================//\n// Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com)\n// All rights reserved.\n// \n// Redistribution and use in source and binary forms, with or without modification, are permitted \n// provided that the following conditions are met:\n// \n//     * Redistributions of source code must retain the above copyright notice, this list of \n// conditions and the following disclaimer.\n// \n//     * Redistributions in binary form must reproduce the above copyright notice, this list of \n// conditions and the following disclaimer in the documentation and/or other materials provided \n// with the distribution.\n// \n//     * Neither the name of Harmony Security nor the names of its contributors may be used to\n// endorse or promote products derived from this software without specific prior written permission.\n// \n// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS \"AS IS\" AND ANY EXPRESS OR \n// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND\n// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR \n// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR \n// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR \n// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY \n// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR \n// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE \n// POSSIBILITY OF SUCH DAMAGE.\n//===============================================================================================//\n#ifndef _REFLECTIVEDLLINJECTION_REFLECTIVEDLLINJECTION_H\n#define _REFLECTIVEDLLINJECTION_REFLECTIVEDLLINJECTION_H\n//===============================================================================================//\n#define WIN32_LEAN_AND_MEAN\n#include <windows.h>\n\n// we declare some common stuff in here...\n\n#define DLL_QUERY_HMODULE\t\t6\n\n#define DEREF( name )*(UINT_PTR *)(name)\n#define DEREF_64( name )*(DWORD64 *)(name)\n#define DEREF_32( name )*(DWORD *)(name)\n#define DEREF_16( name )*(WORD *)(name)\n#define DEREF_8( name )*(BYTE *)(name)\n\ntypedef ULONG_PTR(WINAPI * REFLECTIVELOADER)(VOID);\ntypedef BOOL(WINAPI * DLLMAIN)(HINSTANCE, DWORD, LPVOID);\n\n#define DLLEXPORT   __declspec( dllexport ) \n\n//===============================================================================================//\n#endif\n//===============================================================================================//\n\n"
  },
  {
    "path": "Src/Recon-AD-LocalGroups/Recon-AD-LocalGroups/ReflectiveDll.cpp",
    "content": "#undef  _UNICODE\n#define _UNICODE\n#undef  UNICODE\n#define UNICODE\n\n#include \"ReflectiveLoader.h\"\n#include <stdio.h>\n#include <atlbase.h>\n#include <atlstr.h>\n#include <activeds.h>\n#include <assert.h>\n\n#pragma comment(lib, \"ADSIid.lib\")\n#pragma comment(lib, \"ActiveDS.Lib\")\n\n#define FETCH_NUM 100\n\n// Note: REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR and REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN are\n// defined in the project properties (Properties->C++->Preprocessor) so as we can specify our own \n// DllMain and use the LoadRemoteLibraryR() API to inject this DLL.\n\n// You can use this value as a pseudo hinstDLL value (defined and set via ReflectiveLoader.c)\nextern HINSTANCE hAppInstance;\n\n\nHRESULT PrintGroupObjectMembers(IADsGroup * pADsGroup)\n{\n\tHRESULT         hr = S_OK;\t\t\t\t\t// COM Result Code\n\tIADsMembers *   pADsMembers = NULL;\t\t\t// Pointer to Members of the IADsGroup\n\tBOOL            fContinue = TRUE;\t\t\t// Looping Variable\n\tIEnumVARIANT *  pEnumVariant = NULL;\t\t// Pointer to the Enum variant\n\tIUnknown *      pUnknown = NULL;\t\t\t// IUnknown for getting the ENUM initially\n\tVARIANT         VariantArray[FETCH_NUM];\t// Variant array for temp holding returned data\n\tULONG           ulElementsFetched = NULL;\t// Number of elements retrieved\n\n\t// Get an interface pointer to the IADsCollection of members.\n\thr = pADsGroup->Members(&pADsMembers);\n\n\tif (SUCCEEDED(hr))\n\t{\n\n\t\t// Query the IADsCollection of members for a new ENUM Interface.\n\t\t// Be aware that the enum comes back as an IUnknown *\n\t\thr = pADsMembers->get__NewEnum(&pUnknown);\n\n\t\tif (SUCCEEDED(hr))\n\t\t{\n\n\t\t\t// Call the QueryInterface method for the IUnknown * for a IEnumVARIANT interface.\n\t\t\thr = pUnknown->QueryInterface(IID_IEnumVARIANT, (void **)&pEnumVariant);\n\n\t\t\tif (SUCCEEDED(hr))\n\t\t\t{\n\n\t\t\t\t// While no errors or end of data...\n\t\t\t\twhile 
(fContinue)\n\t\t\t\t{\n\t\t\t\t\tulElementsFetched = 0;\n\n\t\t\t\t\t// Get a \"batch\" number of group members - number of rows that FETCH_NUM specifies\n\t\t\t\t\thr = ADsEnumerateNext(pEnumVariant, FETCH_NUM, VariantArray, &ulElementsFetched);\n\n\t\t\t\t\tif (ulElementsFetched)//SUCCEEDED(hr) && hr != S_FALSE)\n\t\t\t\t\t{\n\t\t\t\t\t\twprintf(L\"[+] Members:\\n\");\n\n\t\t\t\t\t\t// Loop through the current batch, printing \n\t\t\t\t\t\t// the path for each member.\n\t\t\t\t\t\tfor (ULONG i = 0; i < ulElementsFetched; i++)\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tIDispatch * pDispatch = NULL;\n\t\t\t\t\t\t\t// Pointer for holding dispath of element.\n\t\t\t\t\t\t\tIADs      * pIADsGroupMember = NULL;\n\t\t\t\t\t\t\t// IADs pointer to group member.\n\t\t\t\t\t\t\tBSTR        bstrPath = NULL;\n\t\t\t\t\t\t\t// Contains the path of the object.\n\n\t\t\t\t\t\t\t// Get the dispatch pointer for the variant.\n\t\t\t\t\t\t\tpDispatch = VariantArray[i].pdispVal;\n\t\t\t\t\t\t\t//assert(HAS_BIT_STYLE(VariantArray[i].vt, VT_DISPATCH));\n\n\t\t\t\t\t\t\t// Get the IADs interface for the \"member\" of this group.\n\t\t\t\t\t\t\thr = pDispatch->QueryInterface(IID_IADs,\n\t\t\t\t\t\t\t\t(VOID **)&pIADsGroupMember);\n\n\t\t\t\t\t\t\tif (SUCCEEDED(hr))\n\t\t\t\t\t\t\t{\n\n\t\t\t\t\t\t\t\t// Get the ADsPath property for this member.\n\t\t\t\t\t\t\t\thr = pIADsGroupMember->get_ADsPath(&bstrPath);\n\n\t\t\t\t\t\t\t\tif (SUCCEEDED(hr))\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t// Print the ADsPath of the group member.\n\t\t\t\t\t\t\t\t\t//CStringW sBstr;\n\t\t\t\t\t\t\t\t\t//sBstr = (LPCWSTR)bstrPath;\n\t\t\t\t\t\t\t\t\t//sBstr.Replace(L\"WinNT://\", L\"\");\n\n\t\t\t\t\t\t\t\t\twprintf(L\"    %s\\r\\n\", (LPCWSTR)bstrPath);\n\t\t\t\t\t\t\t\t\tSysFreeString(bstrPath);\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\tpIADsGroupMember->Release();\n\t\t\t\t\t\t\t\tpIADsGroupMember = NULL;\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t}\n\n\t\t\t\t\t\t// Clear the variant array.\n\t\t\t\t\t\tmemset(VariantArray, 0, 
sizeof(VARIANT)*FETCH_NUM);\n\t\t\t\t\t}\n\t\t\t\t\telse\n\t\t\t\t\t\tfContinue = FALSE;\n\t\t\t\t}\n\t\t\t\tpEnumVariant->Release();\n\t\t\t\tpEnumVariant = NULL;\n\t\t\t}\n\t\t\tpUnknown->Release();\n\t\t\tpUnknown = NULL;\n\t\t}\n\t\tpADsMembers->Release();\n\t\tpADsMembers = NULL;\n\t}\n\n\t// If all completed normally, all data\n\t// was printed, and an S_FALSE, indicating \n\t// no more data, was received. If so,\n\t// return S_OK.\n\tif (hr == S_FALSE)\n\t\thr = S_OK;\n\n\treturn hr;\n}\n\n\nBOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved)\n{\n\tBOOL bReturnValue = TRUE;\n\tLPWSTR pwszParams = (LPWSTR)calloc(strlen((LPSTR)lpReserved) + 1, sizeof(WCHAR));\n\tsize_t convertedChars = 0;\n\tsize_t newsize = strlen((LPSTR)lpReserved) + 1;\n\n\tswitch (dwReason)\n\t{\n\t\tcase DLL_QUERY_HMODULE:\n\t\t\tif (lpReserved != NULL)\n\t\t\t\t*(HMODULE *)lpReserved = hAppInstance;\n\t\t\tbreak;\n\t\tcase DLL_PROCESS_ATTACH:\n\t\t\thAppInstance = hinstDLL;\n\n\t\t\tif (lpReserved != NULL) {\n\n\t\t\t\t// Handle the command line arguments.\n\t\t\t\tint maxAlloc = MAX_PATH * 2;\n\t\t\t\tLPOLESTR pszBuffer = new OLECHAR[maxAlloc];\n\t\t\t\tmbstowcs_s(&convertedChars, pwszParams, newsize, (LPSTR)lpReserved, _TRUNCATE);\n\t\t\t\twcscpy_s(pszBuffer, maxAlloc, pwszParams);\n\n\t\t\t\tLPWSTR pwszGroup = NULL;\n\t\t\t\tLPCWSTR pwszComputer = wcstok_s(pszBuffer, L\" \", &pwszGroup);\t\t\t\t\n\t\t\t\tLPCWSTR pwszUsername = NULL;\n\t\t\t\tLPCWSTR pwszPassword = NULL;\n\n\t\t\t\tHRESULT hr;\n\n\t\t\t\t// Initialize COM\n\t\t\t\tCoInitialize(NULL);\n\n\t\t\t\t// Build the binding string.\n\t\t\t\tCComBSTR sbstrBindingString;\n\t\t\t\tsbstrBindingString = \"WinNT://\";\n\t\t\t\tsbstrBindingString += pwszComputer;\n\t\t\t\tif (wcscmp(L\"\", pwszGroup) == 0) {\n\t\t\t\t\tsbstrBindingString += \"/Administrators\";\n\t\t\t\t}\n\t\t\t\telse {\n\n\t\t\t\t\tsbstrBindingString += \"/\";\n\t\t\t\t\tsbstrBindingString += pwszGroup;\n\t\t\t\t}\n\t\t\t\tsbstrBindingString 
+= \",group\";\n\n\t\t\t\t// Bind to the container.\n\t\t\t\tIADsGroup *pGroup = NULL;\n\n\t\t\t\thr = ADsOpenObject(sbstrBindingString,\n\t\t\t\t\tpwszUsername,\n\t\t\t\t\tpwszPassword,\n\t\t\t\t\tADS_SECURE_AUTHENTICATION,\n\t\t\t\t\tIID_IADsGroup,\n\t\t\t\t\t(void**)&pGroup);\n\n\t\t\t\tif (SUCCEEDED(hr))\n\t\t\t\t{\n\t\t\t\t\t// Print the object data.\n\t\t\t\t\tCComBSTR sbstrNameResult;\n\t\t\t\t\tCComBSTR sbstrADsResult;\n\n\t\t\t\t\twprintf(L\"--------------------------------------------------------------------\\n\");\n\n\t\t\t\t\thr = pGroup->get_Name(&sbstrNameResult);\n\t\t\t\t\tif (SUCCEEDED(hr))\n\t\t\t\t\t{\n\t\t\t\t\t\twprintf(L\"[+] Group:\\n\");\n\t\t\t\t\t\twprintf(L\"    %s\\r\\n\", (LPCWSTR)sbstrNameResult);\n\t\t\t\t\t}\n\n\t\t\t\t\thr = pGroup->get_ADsPath(&sbstrADsResult);\n\t\t\t\t\tif (SUCCEEDED(hr))\n\t\t\t\t\t{\n\t\t\t\t\t\t//wprintf(L\"[+] ADsPath:\\n\");\n\t\t\t\t\t\t//wprintf(L\"    %s\\r\\n\", (LPCWSTR)sbstrADsResult);\n\t\t\t\t\t}\n\n\t\t\t\t\tif (SUCCEEDED(hr)) {\n\t\t\t\t\t\tPrintGroupObjectMembers(pGroup);\n\t\t\t\t\t}\n\n\t\t\t\t\twprintf(L\"--------------------------------------------------------------------\\n\");\n\n\t\t\t\t\t// Uninitialize COM\n\t\t\t\t\tCoUninitialize();\n\t\t\t\t}\t\t\t\n\t\t\t}\n\n\t\t\t// Flush STDOUT\n\t\t\tfflush(stdout);\n\n\t\t\t// We're done, so let's exit\n\t\t\tExitProcess(0);\n\n\t\t\tbreak;\n\t\tcase DLL_PROCESS_DETACH:\n\t\tcase DLL_THREAD_ATTACH:\n\t\tcase DLL_THREAD_DETACH:\n\t\t\tbreak;\n\t}\n\treturn bReturnValue;\n}\n"
  },
  {
    "path": "Src/Recon-AD-LocalGroups/Recon-AD-LocalGroups/ReflectiveLoader.cpp",
    "content": "//===============================================================================================//\n// Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com)\n// All rights reserved.\n// \n// Redistribution and use in source and binary forms, with or without modification, are permitted \n// provided that the following conditions are met:\n// \n//     * Redistributions of source code must retain the above copyright notice, this list of \n// conditions and the following disclaimer.\n// \n//     * Redistributions in binary form must reproduce the above copyright notice, this list of \n// conditions and the following disclaimer in the documentation and/or other materials provided \n// with the distribution.\n// \n//     * Neither the name of Harmony Security nor the names of its contributors may be used to\n// endorse or promote products derived from this software without specific prior written permission.\n// \n// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS \"AS IS\" AND ANY EXPRESS OR \n// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND\n// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR \n// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR \n// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR \n// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY \n// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR \n// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE \n// POSSIBILITY OF SUCH DAMAGE.\n//===============================================================================================//\n#include \"ReflectiveLoader.h\"\n//===============================================================================================//\n// Our loader will set this to a pseudo correct HINSTANCE/HMODULE value\nHINSTANCE hAppInstance = NULL;\n//===============================================================================================//\n#pragma intrinsic( _ReturnAddress )\n// This function can not be inlined by the compiler or we will not get the address we expect. Ideally \n// this code will be compiled with the /O2 and /Ob1 switches. 
Bonus points if we could take advantage of \n// RIP relative addressing in this instance but I dont believe we can do so with the compiler intrinsics \n// available (and no inline asm available under x64).\n__declspec(noinline) ULONG_PTR caller(VOID) { return (ULONG_PTR)_ReturnAddress(); }\n//===============================================================================================//\n\n// Note 1: If you want to have your own DllMain, define REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN,  \n//         otherwise the DllMain at the end of this file will be used.\n\n// Note 2: If you are injecting the DLL via LoadRemoteLibraryR, define REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR,\n//         otherwise it is assumed you are calling the ReflectiveLoader via a stub.\n\n// This is our position independent reflective DLL loader/injector\n#ifdef REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR\nDLLEXPORT ULONG_PTR WINAPI ReflectiveLoader(LPVOID lpParameter)\n#else\nDLLEXPORT ULONG_PTR WINAPI ReflectiveLoader(VOID)\n#endif\n{\n\t// the functions we need\n\tLOADLIBRARYA pLoadLibraryA = NULL;\n\tGETPROCADDRESS pGetProcAddress = NULL;\n\tVIRTUALALLOC pVirtualAlloc = NULL;\n\tNTFLUSHINSTRUCTIONCACHE pNtFlushInstructionCache = NULL;\n\n\tUSHORT usCounter;\n\n\t// the initial location of this image in memory\n\tULONG_PTR uiLibraryAddress;\n\t// the kernels base address and later this images newly loaded base address\n\tULONG_PTR uiBaseAddress;\n\n\t// variables for processing the kernels export table\n\tULONG_PTR uiAddressArray;\n\tULONG_PTR uiNameArray;\n\tULONG_PTR uiExportDir;\n\tULONG_PTR uiNameOrdinals;\n\tDWORD dwHashValue;\n\n\t// variables for loading this image\n\tULONG_PTR uiHeaderValue;\n\tULONG_PTR uiValueA;\n\tULONG_PTR uiValueB;\n\tULONG_PTR uiValueC;\n\tULONG_PTR uiValueD;\n\tULONG_PTR uiValueE;\n\n\t// STEP 0: calculate our images current base address\n\n\t// we will start searching backwards from our callers return address.\n\tuiLibraryAddress = caller();\n\n\t// loop 
through memory backwards searching for our images base address\n\t// we dont need SEH style search as we shouldnt generate any access violations with this\n\twhile (TRUE)\n\t{\n\t\tif (((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_magic == IMAGE_DOS_SIGNATURE)\n\t\t{\n\t\t\tuiHeaderValue = ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew;\n\t\t\t// some x64 dll's can trigger a bogus signature (IMAGE_DOS_SIGNATURE == 'POP r10'),\n\t\t\t// we sanity check the e_lfanew with an upper threshold value of 1024 to avoid problems.\n\t\t\tif (uiHeaderValue >= sizeof(IMAGE_DOS_HEADER) && uiHeaderValue < 1024)\n\t\t\t{\n\t\t\t\tuiHeaderValue += uiLibraryAddress;\n\t\t\t\t// break if we have found a valid MZ/PE header\n\t\t\t\tif (((PIMAGE_NT_HEADERS)uiHeaderValue)->Signature == IMAGE_NT_SIGNATURE)\n\t\t\t\t\tbreak;\n\t\t\t}\n\t\t}\n\t\tuiLibraryAddress--;\n\t}\n\n\t// STEP 1: process the kernels exports for the functions our loader needs...\n\n\t// get the Process Enviroment Block\n#ifdef WIN_X64\n\tuiBaseAddress = __readgsqword(0x60);\n#else\n#ifdef WIN_X86\n\tuiBaseAddress = __readfsdword(0x30);\n#else WIN_ARM\n\tuiBaseAddress = *(DWORD *)((BYTE *)_MoveFromCoprocessor(15, 0, 13, 0, 2) + 0x30);\n#endif\n#endif\n\n\t// get the processes loaded modules. 
ref: http://msdn.microsoft.com/en-us/library/aa813708(VS.85).aspx\n\tuiBaseAddress = (ULONG_PTR)((_PPEB)uiBaseAddress)->pLdr;\n\n\t// get the first entry of the InMemoryOrder module list\n\tuiValueA = (ULONG_PTR)((PPEB_LDR_DATA)uiBaseAddress)->InMemoryOrderModuleList.Flink;\n\twhile (uiValueA)\n\t{\n\t\t// get pointer to current modules name (unicode string)\n\t\tuiValueB = (ULONG_PTR)((PLDR_DATA_TABLE_ENTRY)uiValueA)->BaseDllName.pBuffer;\n\t\t// set bCounter to the length for the loop\n\t\tusCounter = ((PLDR_DATA_TABLE_ENTRY)uiValueA)->BaseDllName.Length;\n\t\t// clear uiValueC which will store the hash of the module name\n\t\tuiValueC = 0;\n\n\t\t// compute the hash of the module name...\n\t\tdo\n\t\t{\n\t\t\tuiValueC = ror((DWORD)uiValueC);\n\t\t\t// normalize to uppercase if the madule name is in lowercase\n\t\t\tif (*((BYTE *)uiValueB) >= 'a')\n\t\t\t\tuiValueC += *((BYTE *)uiValueB) - 0x20;\n\t\t\telse\n\t\t\t\tuiValueC += *((BYTE *)uiValueB);\n\t\t\tuiValueB++;\n\t\t} while (--usCounter);\n\n\t\t// compare the hash with that of kernel32.dll\n\t\tif ((DWORD)uiValueC == KERNEL32DLL_HASH)\n\t\t{\n\t\t\t// get this modules base address\n\t\t\tuiBaseAddress = (ULONG_PTR)((PLDR_DATA_TABLE_ENTRY)uiValueA)->DllBase;\n\n\t\t\t// get the VA of the modules NT Header\n\t\t\tuiExportDir = uiBaseAddress + ((PIMAGE_DOS_HEADER)uiBaseAddress)->e_lfanew;\n\n\t\t\t// uiNameArray = the address of the modules export directory entry\n\t\t\tuiNameArray = (ULONG_PTR)&((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];\n\n\t\t\t// get the VA of the export directory\n\t\t\tuiExportDir = (uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiNameArray)->VirtualAddress);\n\n\t\t\t// get the VA for the array of name pointers\n\t\t\tuiNameArray = (uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY)uiExportDir)->AddressOfNames);\n\n\t\t\t// get the VA for the array of name ordinals\n\t\t\tuiNameOrdinals = (uiBaseAddress + 
((PIMAGE_EXPORT_DIRECTORY)uiExportDir)->AddressOfNameOrdinals);\n\n\t\t\tusCounter = 3;\n\n\t\t\t// loop while we still have imports to find\n\t\t\twhile (usCounter > 0)\n\t\t\t{\n\t\t\t\t// compute the hash values for this function name\n\t\t\t\tdwHashValue = hash((char *)(uiBaseAddress + DEREF_32(uiNameArray)));\n\n\t\t\t\t// if we have found a function we want we get its virtual address\n\t\t\t\tif (dwHashValue == LOADLIBRARYA_HASH || dwHashValue == GETPROCADDRESS_HASH || dwHashValue == VIRTUALALLOC_HASH)\n\t\t\t\t{\n\t\t\t\t\t// get the VA for the array of addresses\n\t\t\t\t\tuiAddressArray = (uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY)uiExportDir)->AddressOfFunctions);\n\n\t\t\t\t\t// use this functions name ordinal as an index into the array of name pointers\n\t\t\t\t\tuiAddressArray += (DEREF_16(uiNameOrdinals) * sizeof(DWORD));\n\n\t\t\t\t\t// store this functions VA\n\t\t\t\t\tif (dwHashValue == LOADLIBRARYA_HASH)\n\t\t\t\t\t\tpLoadLibraryA = (LOADLIBRARYA)(uiBaseAddress + DEREF_32(uiAddressArray));\n\t\t\t\t\telse if (dwHashValue == GETPROCADDRESS_HASH)\n\t\t\t\t\t\tpGetProcAddress = (GETPROCADDRESS)(uiBaseAddress + DEREF_32(uiAddressArray));\n\t\t\t\t\telse if (dwHashValue == VIRTUALALLOC_HASH)\n\t\t\t\t\t\tpVirtualAlloc = (VIRTUALALLOC)(uiBaseAddress + DEREF_32(uiAddressArray));\n\n\t\t\t\t\t// decrement our counter\n\t\t\t\t\tusCounter--;\n\t\t\t\t}\n\n\t\t\t\t// get the next exported function name\n\t\t\t\tuiNameArray += sizeof(DWORD);\n\n\t\t\t\t// get the next exported function name ordinal\n\t\t\t\tuiNameOrdinals += sizeof(WORD);\n\t\t\t}\n\t\t}\n\t\telse if ((DWORD)uiValueC == NTDLLDLL_HASH)\n\t\t{\n\t\t\t// get this modules base address\n\t\t\tuiBaseAddress = (ULONG_PTR)((PLDR_DATA_TABLE_ENTRY)uiValueA)->DllBase;\n\n\t\t\t// get the VA of the modules NT Header\n\t\t\tuiExportDir = uiBaseAddress + ((PIMAGE_DOS_HEADER)uiBaseAddress)->e_lfanew;\n\n\t\t\t// uiNameArray = the address of the modules export directory entry\n\t\t\tuiNameArray = 
(ULONG_PTR)&((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];\n\n\t\t\t// get the VA of the export directory\n\t\t\tuiExportDir = (uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiNameArray)->VirtualAddress);\n\n\t\t\t// get the VA for the array of name pointers\n\t\t\tuiNameArray = (uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY)uiExportDir)->AddressOfNames);\n\n\t\t\t// get the VA for the array of name ordinals\n\t\t\tuiNameOrdinals = (uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY)uiExportDir)->AddressOfNameOrdinals);\n\n\t\t\tusCounter = 1;\n\n\t\t\t// loop while we still have imports to find\n\t\t\twhile (usCounter > 0)\n\t\t\t{\n\t\t\t\t// compute the hash values for this function name\n\t\t\t\tdwHashValue = hash((char *)(uiBaseAddress + DEREF_32(uiNameArray)));\n\n\t\t\t\t// if we have found a function we want we get its virtual address\n\t\t\t\tif (dwHashValue == NTFLUSHINSTRUCTIONCACHE_HASH)\n\t\t\t\t{\n\t\t\t\t\t// get the VA for the array of addresses\n\t\t\t\t\tuiAddressArray = (uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY)uiExportDir)->AddressOfFunctions);\n\n\t\t\t\t\t// use this functions name ordinal as an index into the array of name pointers\n\t\t\t\t\tuiAddressArray += (DEREF_16(uiNameOrdinals) * sizeof(DWORD));\n\n\t\t\t\t\t// store this functions VA\n\t\t\t\t\tif (dwHashValue == NTFLUSHINSTRUCTIONCACHE_HASH)\n\t\t\t\t\t\tpNtFlushInstructionCache = (NTFLUSHINSTRUCTIONCACHE)(uiBaseAddress + DEREF_32(uiAddressArray));\n\n\t\t\t\t\t// decrement our counter\n\t\t\t\t\tusCounter--;\n\t\t\t\t}\n\n\t\t\t\t// get the next exported function name\n\t\t\t\tuiNameArray += sizeof(DWORD);\n\n\t\t\t\t// get the next exported function name ordinal\n\t\t\t\tuiNameOrdinals += sizeof(WORD);\n\t\t\t}\n\t\t}\n\n\t\t// we stop searching when we have found everything we need.\n\t\tif (pLoadLibraryA && pGetProcAddress && pVirtualAlloc && pNtFlushInstructionCache)\n\t\t\tbreak;\n\n\t\t// get the next entry\n\t\tuiValueA = 
DEREF(uiValueA);\n\t}\n\n\t// STEP 2: load our image into a new permanent location in memory...\n\n\t// get the VA of the NT Header for the PE to be loaded\n\tuiHeaderValue = uiLibraryAddress + ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew;\n\n\t// allocate all the memory for the DLL to be loaded into. we can load at any address because we will  \n\t// relocate the image. Also zeros all memory and marks it as READ, WRITE and EXECUTE to avoid any problems.\n\tuiBaseAddress = (ULONG_PTR)pVirtualAlloc(NULL, ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.SizeOfImage, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);\n\n\t// we must now copy over the headers\n\tuiValueA = ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.SizeOfHeaders;\n\tuiValueB = uiLibraryAddress;\n\tuiValueC = uiBaseAddress;\n\n\twhile (uiValueA--)\n\t\t*(BYTE *)uiValueC++ = *(BYTE *)uiValueB++;\n\n\t// STEP 3: load in all of our sections...\n\n\t// uiValueA = the VA of the first section\n\tuiValueA = ((ULONG_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader + ((PIMAGE_NT_HEADERS)uiHeaderValue)->FileHeader.SizeOfOptionalHeader);\n\n\t// itterate through all sections, loading them into memory.\n\tuiValueE = ((PIMAGE_NT_HEADERS)uiHeaderValue)->FileHeader.NumberOfSections;\n\twhile (uiValueE--)\n\t{\n\t\t// uiValueB is the VA for this section\n\t\tuiValueB = (uiBaseAddress + ((PIMAGE_SECTION_HEADER)uiValueA)->VirtualAddress);\n\n\t\t// uiValueC if the VA for this sections data\n\t\tuiValueC = (uiLibraryAddress + ((PIMAGE_SECTION_HEADER)uiValueA)->PointerToRawData);\n\n\t\t// copy the section over\n\t\tuiValueD = ((PIMAGE_SECTION_HEADER)uiValueA)->SizeOfRawData;\n\n\t\twhile (uiValueD--)\n\t\t\t*(BYTE *)uiValueB++ = *(BYTE *)uiValueC++;\n\n\t\t// get the VA of the next section\n\t\tuiValueA += sizeof(IMAGE_SECTION_HEADER);\n\t}\n\n\t// STEP 4: process our images import table...\n\n\t// uiValueB = the address of the import directory\n\tuiValueB = 
(ULONG_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];\n\n\t// we assume their is an import table to process\n\t// uiValueC is the first entry in the import table\n\tuiValueC = (uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiValueB)->VirtualAddress);\n\n\t// itterate through all imports\n\twhile (((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->Name)\n\t{\n\t\t// use LoadLibraryA to load the imported module into memory\n\t\tuiLibraryAddress = (ULONG_PTR)pLoadLibraryA((LPCSTR)(uiBaseAddress + ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->Name));\n\n\t\t// uiValueD = VA of the OriginalFirstThunk\n\t\tuiValueD = (uiBaseAddress + ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->OriginalFirstThunk);\n\n\t\t// uiValueA = VA of the IAT (via first thunk not origionalfirstthunk)\n\t\tuiValueA = (uiBaseAddress + ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->FirstThunk);\n\n\t\t// itterate through all imported functions, importing by ordinal if no name present\n\t\twhile (DEREF(uiValueA))\n\t\t{\n\t\t\t// sanity check uiValueD as some compilers only import by FirstThunk\n\t\t\tif (uiValueD && ((PIMAGE_THUNK_DATA)uiValueD)->u1.Ordinal & IMAGE_ORDINAL_FLAG)\n\t\t\t{\n\t\t\t\t// get the VA of the modules NT Header\n\t\t\t\tuiExportDir = uiLibraryAddress + ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew;\n\n\t\t\t\t// uiNameArray = the address of the modules export directory entry\n\t\t\t\tuiNameArray = (ULONG_PTR)&((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];\n\n\t\t\t\t// get the VA of the export directory\n\t\t\t\tuiExportDir = (uiLibraryAddress + ((PIMAGE_DATA_DIRECTORY)uiNameArray)->VirtualAddress);\n\n\t\t\t\t// get the VA for the array of addresses\n\t\t\t\tuiAddressArray = (uiLibraryAddress + ((PIMAGE_EXPORT_DIRECTORY)uiExportDir)->AddressOfFunctions);\n\n\t\t\t\t// use the import ordinal (- export ordinal base) as an index into the array of addresses\n\t\t\t\tuiAddressArray += 
((IMAGE_ORDINAL(((PIMAGE_THUNK_DATA)uiValueD)->u1.Ordinal) - ((PIMAGE_EXPORT_DIRECTORY)uiExportDir)->Base) * sizeof(DWORD));\n\n\t\t\t\t// patch in the address for this imported function\n\t\t\t\tDEREF(uiValueA) = (uiLibraryAddress + DEREF_32(uiAddressArray));\n\t\t\t}\n\t\t\telse\n\t\t\t{\n\t\t\t\t// get the VA of this functions import by name struct\n\t\t\t\tuiValueB = (uiBaseAddress + DEREF(uiValueA));\n\n\t\t\t\t// use GetProcAddress and patch in the address for this imported function\n\t\t\t\tDEREF(uiValueA) = (ULONG_PTR)pGetProcAddress((HMODULE)uiLibraryAddress, (LPCSTR)((PIMAGE_IMPORT_BY_NAME)uiValueB)->Name);\n\t\t\t}\n\t\t\t// get the next imported function\n\t\t\tuiValueA += sizeof(ULONG_PTR);\n\t\t\tif (uiValueD)\n\t\t\t\tuiValueD += sizeof(ULONG_PTR);\n\t\t}\n\n\t\t// get the next import\n\t\tuiValueC += sizeof(IMAGE_IMPORT_DESCRIPTOR);\n\t}\n\n\t// STEP 5: process all of our images relocations...\n\n\t// calculate the base address delta and perform relocations (even if we load at desired image base)\n\tuiLibraryAddress = uiBaseAddress - ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.ImageBase;\n\n\t// uiValueB = the address of the relocation directory\n\tuiValueB = (ULONG_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC];\n\n\t// check if their are any relocations present\n\tif (((PIMAGE_DATA_DIRECTORY)uiValueB)->Size)\n\t{\n\t\t// uiValueC is now the first entry (IMAGE_BASE_RELOCATION)\n\t\tuiValueC = (uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiValueB)->VirtualAddress);\n\n\t\t// and we itterate through all entries...\n\t\twhile (((PIMAGE_BASE_RELOCATION)uiValueC)->SizeOfBlock)\n\t\t{\n\t\t\t// uiValueA = the VA for this relocation block\n\t\t\tuiValueA = (uiBaseAddress + ((PIMAGE_BASE_RELOCATION)uiValueC)->VirtualAddress);\n\n\t\t\t// uiValueB = number of entries in this relocation block\n\t\t\tuiValueB = (((PIMAGE_BASE_RELOCATION)uiValueC)->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) / 
sizeof(IMAGE_RELOC);\n\n\t\t\t// uiValueD is now the first entry in the current relocation block\n\t\t\tuiValueD = uiValueC + sizeof(IMAGE_BASE_RELOCATION);\n\n\t\t\t// we itterate through all the entries in the current block...\n\t\t\twhile (uiValueB--)\n\t\t\t{\n\t\t\t\t// perform the relocation, skipping IMAGE_REL_BASED_ABSOLUTE as required.\n\t\t\t\t// we dont use a switch statement to avoid the compiler building a jump table\n\t\t\t\t// which would not be very position independent!\n\t\t\t\tif (((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_DIR64)\n\t\t\t\t\t*(ULONG_PTR *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += uiLibraryAddress;\n\t\t\t\telse if (((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_HIGHLOW)\n\t\t\t\t\t*(DWORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += (DWORD)uiLibraryAddress;\n#ifdef WIN_ARM\n\t\t\t\t// Note: On ARM, the compiler optimization /O2 seems to introduce an off by one issue, possibly a code gen bug. Using /O1 instead avoids this problem.\n\t\t\t\telse if (((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_ARM_MOV32T)\n\t\t\t\t{\n\t\t\t\t\tregister DWORD dwInstruction;\n\t\t\t\t\tregister DWORD dwAddress;\n\t\t\t\t\tregister WORD wImm;\n\t\t\t\t\t// get the MOV.T instructions DWORD value (We add 4 to the offset to go past the first MOV.W which handles the low word)\n\t\t\t\t\tdwInstruction = *(DWORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset + sizeof(DWORD));\n\t\t\t\t\t// flip the words to get the instruction as expected\n\t\t\t\t\tdwInstruction = MAKELONG(HIWORD(dwInstruction), LOWORD(dwInstruction));\n\t\t\t\t\t// sanity chack we are processing a MOV instruction...\n\t\t\t\t\tif ((dwInstruction & ARM_MOV_MASK) == ARM_MOVT)\n\t\t\t\t\t{\n\t\t\t\t\t\t// pull out the encoded 16bit value (the high portion of the address-to-relocate)\n\t\t\t\t\t\twImm = (WORD)(dwInstruction & 0x000000FF);\n\t\t\t\t\t\twImm |= (WORD)((dwInstruction & 0x00007000) >> 4);\n\t\t\t\t\t\twImm |= (WORD)((dwInstruction & 0x04000000) >> 
15);\n\t\t\t\t\t\twImm |= (WORD)((dwInstruction & 0x000F0000) >> 4);\n\t\t\t\t\t\t// apply the relocation to the target address\n\t\t\t\t\t\tdwAddress = ((WORD)HIWORD(uiLibraryAddress) + wImm) & 0xFFFF;\n\t\t\t\t\t\t// now create a new instruction with the same opcode and register param.\n\t\t\t\t\t\tdwInstruction = (DWORD)(dwInstruction & ARM_MOV_MASK2);\n\t\t\t\t\t\t// patch in the relocated address...\n\t\t\t\t\t\tdwInstruction |= (DWORD)(dwAddress & 0x00FF);\n\t\t\t\t\t\tdwInstruction |= (DWORD)(dwAddress & 0x0700) << 4;\n\t\t\t\t\t\tdwInstruction |= (DWORD)(dwAddress & 0x0800) << 15;\n\t\t\t\t\t\tdwInstruction |= (DWORD)(dwAddress & 0xF000) << 4;\n\t\t\t\t\t\t// now flip the instructions words and patch back into the code...\n\t\t\t\t\t\t*(DWORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset + sizeof(DWORD)) = MAKELONG(HIWORD(dwInstruction), LOWORD(dwInstruction));\n\t\t\t\t\t}\n\t\t\t\t}\n#endif\n\t\t\t\telse if (((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_HIGH)\n\t\t\t\t\t*(WORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += HIWORD(uiLibraryAddress);\n\t\t\t\telse if (((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_LOW)\n\t\t\t\t\t*(WORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += LOWORD(uiLibraryAddress);\n\n\t\t\t\t// get the next entry in the current relocation block\n\t\t\t\tuiValueD += sizeof(IMAGE_RELOC);\n\t\t\t}\n\n\t\t\t// get the next entry in the relocation directory\n\t\t\tuiValueC = uiValueC + ((PIMAGE_BASE_RELOCATION)uiValueC)->SizeOfBlock;\n\t\t}\n\t}\n\n\t// STEP 6: call our images entry point\n\n\t// uiValueA = the VA of our newly loaded DLL/EXE's entry point\n\tuiValueA = (uiBaseAddress + ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.AddressOfEntryPoint);\n\n\t// We must flush the instruction cache to avoid stale code being used which was updated by our relocation processing.\n\tpNtFlushInstructionCache((HANDLE)-1, NULL, 0);\n\n\t// call our respective entry point, fudging our hInstance value\n#ifdef 
REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR\n\t// if we are injecting a DLL via LoadRemoteLibraryR we call DllMain and pass in our parameter (via the DllMain lpReserved parameter)\n\t((DLLMAIN)uiValueA)((HINSTANCE)uiBaseAddress, DLL_PROCESS_ATTACH, lpParameter);\n#else\n\t// if we are injecting an DLL via a stub we call DllMain with no parameter\n\t((DLLMAIN)uiValueA)((HINSTANCE)uiBaseAddress, DLL_PROCESS_ATTACH, NULL);\n#endif\n\n\t// STEP 8: return our new entry point address so whatever called us can call DllMain() if needed.\n\treturn uiValueA;\n}\n//===============================================================================================//\n#ifndef REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN\n\nBOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved)\n{\n\tBOOL bReturnValue = TRUE;\n\tswitch (dwReason)\n\t{\n\tcase DLL_QUERY_HMODULE:\n\t\tif (lpReserved != NULL)\n\t\t\t*(HMODULE *)lpReserved = hAppInstance;\n\t\tbreak;\n\tcase DLL_PROCESS_ATTACH:\n\t\thAppInstance = hinstDLL;\n\t\tbreak;\n\tcase DLL_PROCESS_DETACH:\n\tcase DLL_THREAD_ATTACH:\n\tcase DLL_THREAD_DETACH:\n\t\tbreak;\n\t}\n\treturn bReturnValue;\n}\n\n#endif\n//===============================================================================================//\n"
  },
  {
    "path": "Src/Recon-AD-LocalGroups/Recon-AD-LocalGroups/ReflectiveLoader.h",
    "content": "//===============================================================================================//\n// Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com)\n// All rights reserved.\n// \n// Redistribution and use in source and binary forms, with or without modification, are permitted \n// provided that the following conditions are met:\n// \n//     * Redistributions of source code must retain the above copyright notice, this list of \n// conditions and the following disclaimer.\n// \n//     * Redistributions in binary form must reproduce the above copyright notice, this list of \n// conditions and the following disclaimer in the documentation and/or other materials provided \n// with the distribution.\n// \n//     * Neither the name of Harmony Security nor the names of its contributors may be used to\n// endorse or promote products derived from this software without specific prior written permission.\n// \n// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS \"AS IS\" AND ANY EXPRESS OR \n// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND\n// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR \n// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR \n// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR \n// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY \n// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR \n// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE \n// POSSIBILITY OF SUCH DAMAGE.\n//===============================================================================================//\n#ifndef _REFLECTIVEDLLINJECTION_REFLECTIVELOADER_H\n#define _REFLECTIVEDLLINJECTION_REFLECTIVELOADER_H\n//===============================================================================================//\n#define WIN32_LEAN_AND_MEAN\n#include <windows.h>\n#include <Winsock2.h>\n#include <intrin.h>\n\n#include \"ReflectiveDLLInjection.h\"\n\ntypedef HMODULE(WINAPI * LOADLIBRARYA)(LPCSTR);\ntypedef FARPROC(WINAPI * GETPROCADDRESS)(HMODULE, LPCSTR);\ntypedef LPVOID(WINAPI * VIRTUALALLOC)(LPVOID, SIZE_T, DWORD, DWORD);\ntypedef DWORD(NTAPI * NTFLUSHINSTRUCTIONCACHE)(HANDLE, PVOID, ULONG);\n\n#define KERNEL32DLL_HASH\t\t\t\t0x6A4ABC5B\n#define NTDLLDLL_HASH\t\t\t\t\t0x3CFA685D\n\n#define LOADLIBRARYA_HASH\t\t\t\t0xEC0E4E8E\n#define GETPROCADDRESS_HASH\t\t\t\t0x7C0DFCAA\n#define VIRTUALALLOC_HASH\t\t\t\t0x91AFCA54\n#define NTFLUSHINSTRUCTIONCACHE_HASH\t0x534C0AB8\n\n#define IMAGE_REL_BASED_ARM_MOV32A\t\t5\n#define IMAGE_REL_BASED_ARM_MOV32T\t\t7\n\n#define ARM_MOV_MASK\t\t\t\t\t(DWORD)(0xFBF08000)\n#define ARM_MOV_MASK2\t\t\t\t\t(DWORD)(0xFBF08F00)\n#define ARM_MOVW\t\t\t\t\t\t0xF2400000\n#define ARM_MOVT\t\t\t\t\t\t0xF2C00000\n\n#define HASH_KEY\t\t\t\t\t\t13\n//===============================================================================================//\n#pragma intrinsic( _rotr )\n\n__forceinline DWORD ror(DWORD d)\n{\n\treturn 
_rotr(d, HASH_KEY);\n}\n\n__forceinline DWORD hash(char * c)\n{\n\tregister DWORD h = 0;\n\tdo\n\t{\n\t\th = ror(h);\n\t\th += *c;\n\t} while (*++c);\n\n\treturn h;\n}\n//===============================================================================================//\ntypedef struct _UNICODE_STR\n{\n\tUSHORT Length;\n\tUSHORT MaximumLength;\n\tPWSTR pBuffer;\n} UNICODE_STR, *PUNICODE_STR;\n\n// WinDbg> dt -v ntdll!_LDR_DATA_TABLE_ENTRY\n//__declspec( align(8) ) \ntypedef struct _LDR_DATA_TABLE_ENTRY\n{\n\t//LIST_ENTRY InLoadOrderLinks; // As we search from PPEB_LDR_DATA->InMemoryOrderModuleList we dont use the first entry.\n\tLIST_ENTRY InMemoryOrderModuleList;\n\tLIST_ENTRY InInitializationOrderModuleList;\n\tPVOID DllBase;\n\tPVOID EntryPoint;\n\tULONG SizeOfImage;\n\tUNICODE_STR FullDllName;\n\tUNICODE_STR BaseDllName;\n\tULONG Flags;\n\tSHORT LoadCount;\n\tSHORT TlsIndex;\n\tLIST_ENTRY HashTableEntry;\n\tULONG TimeDateStamp;\n} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;\n\n// WinDbg> dt -v ntdll!_PEB_LDR_DATA\ntypedef struct _PEB_LDR_DATA //, 7 elements, 0x28 bytes\n{\n\tDWORD dwLength;\n\tDWORD dwInitialized;\n\tLPVOID lpSsHandle;\n\tLIST_ENTRY InLoadOrderModuleList;\n\tLIST_ENTRY InMemoryOrderModuleList;\n\tLIST_ENTRY InInitializationOrderModuleList;\n\tLPVOID lpEntryInProgress;\n} PEB_LDR_DATA, *PPEB_LDR_DATA;\n\n// WinDbg> dt -v ntdll!_PEB_FREE_BLOCK\ntypedef struct _PEB_FREE_BLOCK // 2 elements, 0x8 bytes\n{\n\tstruct _PEB_FREE_BLOCK * pNext;\n\tDWORD dwSize;\n} PEB_FREE_BLOCK, *PPEB_FREE_BLOCK;\n\n// struct _PEB is defined in Winternl.h but it is incomplete\n// WinDbg> dt -v ntdll!_PEB\ntypedef struct __PEB // 65 elements, 0x210 bytes\n{\n\tBYTE bInheritedAddressSpace;\n\tBYTE bReadImageFileExecOptions;\n\tBYTE bBeingDebugged;\n\tBYTE bSpareBool;\n\tLPVOID lpMutant;\n\tLPVOID lpImageBaseAddress;\n\tPPEB_LDR_DATA pLdr;\n\tLPVOID lpProcessParameters;\n\tLPVOID lpSubSystemData;\n\tLPVOID lpProcessHeap;\n\tPRTL_CRITICAL_SECTION pFastPebLock;\n\tLPVOID 
lpFastPebLockRoutine;\n\tLPVOID lpFastPebUnlockRoutine;\n\tDWORD dwEnvironmentUpdateCount;\n\tLPVOID lpKernelCallbackTable;\n\tDWORD dwSystemReserved;\n\tDWORD dwAtlThunkSListPtr32;\n\tPPEB_FREE_BLOCK pFreeList;\n\tDWORD dwTlsExpansionCounter;\n\tLPVOID lpTlsBitmap;\n\tDWORD dwTlsBitmapBits[2];\n\tLPVOID lpReadOnlySharedMemoryBase;\n\tLPVOID lpReadOnlySharedMemoryHeap;\n\tLPVOID lpReadOnlyStaticServerData;\n\tLPVOID lpAnsiCodePageData;\n\tLPVOID lpOemCodePageData;\n\tLPVOID lpUnicodeCaseTableData;\n\tDWORD dwNumberOfProcessors;\n\tDWORD dwNtGlobalFlag;\n\tLARGE_INTEGER liCriticalSectionTimeout;\n\tDWORD dwHeapSegmentReserve;\n\tDWORD dwHeapSegmentCommit;\n\tDWORD dwHeapDeCommitTotalFreeThreshold;\n\tDWORD dwHeapDeCommitFreeBlockThreshold;\n\tDWORD dwNumberOfHeaps;\n\tDWORD dwMaximumNumberOfHeaps;\n\tLPVOID lpProcessHeaps;\n\tLPVOID lpGdiSharedHandleTable;\n\tLPVOID lpProcessStarterHelper;\n\tDWORD dwGdiDCAttributeList;\n\tLPVOID lpLoaderLock;\n\tDWORD dwOSMajorVersion;\n\tDWORD dwOSMinorVersion;\n\tWORD wOSBuildNumber;\n\tWORD wOSCSDVersion;\n\tDWORD dwOSPlatformId;\n\tDWORD dwImageSubsystem;\n\tDWORD dwImageSubsystemMajorVersion;\n\tDWORD dwImageSubsystemMinorVersion;\n\tDWORD dwImageProcessAffinityMask;\n\tDWORD dwGdiHandleBuffer[34];\n\tLPVOID lpPostProcessInitRoutine;\n\tLPVOID lpTlsExpansionBitmap;\n\tDWORD dwTlsExpansionBitmapBits[32];\n\tDWORD dwSessionId;\n\tULARGE_INTEGER liAppCompatFlags;\n\tULARGE_INTEGER liAppCompatFlagsUser;\n\tLPVOID lppShimData;\n\tLPVOID lpAppCompatInfo;\n\tUNICODE_STR usCSDVersion;\n\tLPVOID lpActivationContextData;\n\tLPVOID lpProcessAssemblyStorageMap;\n\tLPVOID lpSystemDefaultActivationContextData;\n\tLPVOID lpSystemAssemblyStorageMap;\n\tDWORD dwMinimumStackCommit;\n} _PEB, *_PPEB;\n\ntypedef struct\n{\n\tWORD\toffset : 12;\n\tWORD\ttype : 4;\n} IMAGE_RELOC, 
*PIMAGE_RELOC;\n//===============================================================================================//\n#endif\n//===============================================================================================//\n\n"
  },
  {
    "path": "Src/Recon-AD-LocalGroups/Recon-AD-LocalGroups.sln",
    "content": "﻿\nMicrosoft Visual Studio Solution File, Format Version 12.00\n# Visual Studio 15\nVisualStudioVersion = 15.0.28307.852\nMinimumVisualStudioVersion = 10.0.40219.1\nProject(\"{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}\") = \"Recon-AD-LocalGroups\", \"Recon-AD-LocalGroups\\Recon-AD-LocalGroups.vcxproj\", \"{D30C9D6B-1F45-47BD-825B-389FE8CC9069}\"\nEndProject\nGlobal\n\tGlobalSection(SolutionConfigurationPlatforms) = preSolution\n\t\tDebug|x64 = Debug|x64\n\t\tDebug|x86 = Debug|x86\n\t\tRelease|x64 = Release|x64\n\t\tRelease|x86 = Release|x86\n\tEndGlobalSection\n\tGlobalSection(ProjectConfigurationPlatforms) = postSolution\n\t\t{D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Debug|x64.ActiveCfg = Debug|x64\n\t\t{D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Debug|x64.Build.0 = Debug|x64\n\t\t{D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Debug|x86.ActiveCfg = Debug|Win32\n\t\t{D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Debug|x86.Build.0 = Debug|Win32\n\t\t{D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Release|x64.ActiveCfg = Release|x64\n\t\t{D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Release|x64.Build.0 = Release|x64\n\t\t{D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Release|x86.ActiveCfg = Release|Win32\n\t\t{D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Release|x86.Build.0 = Release|Win32\n\tEndGlobalSection\n\tGlobalSection(SolutionProperties) = preSolution\n\t\tHideSolutionNode = FALSE\n\tEndGlobalSection\n\tGlobalSection(ExtensibilityGlobals) = postSolution\n\t\tSolutionGuid = {ACBE159D-66DD-4330-B464-35D40C540652}\n\tEndGlobalSection\nEndGlobal\n"
  },
  {
    "path": "Src/Recon-AD-SPNs/Recon-AD-SPNs/Recon-AD-SPNs.vcxproj",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project DefaultTargets=\"Build\" ToolsVersion=\"14.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\n  <ItemGroup Label=\"ProjectConfigurations\">\n    <ProjectConfiguration Include=\"Debug|Win32\">\n      <Configuration>Debug</Configuration>\n      <Platform>Win32</Platform>\n    </ProjectConfiguration>\n    <ProjectConfiguration Include=\"Release|Win32\">\n      <Configuration>Release</Configuration>\n      <Platform>Win32</Platform>\n    </ProjectConfiguration>\n    <ProjectConfiguration Include=\"Debug|x64\">\n      <Configuration>Debug</Configuration>\n      <Platform>x64</Platform>\n    </ProjectConfiguration>\n    <ProjectConfiguration Include=\"Release|x64\">\n      <Configuration>Release</Configuration>\n      <Platform>x64</Platform>\n    </ProjectConfiguration>\n  </ItemGroup>\n  <PropertyGroup Label=\"Globals\">\n    <ProjectGuid>{D30C9D6B-1F45-47BD-825B-389FE8CC9069}</ProjectGuid>\n    <RootNamespace>ReconADDomain</RootNamespace>\n    <WindowsTargetPlatformVersion>8.1</WindowsTargetPlatformVersion>\n    <ProjectName>Recon-AD-SPNs</ProjectName>\n  </PropertyGroup>\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.Default.props\" />\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\" Label=\"Configuration\">\n    <ConfigurationType>Application</ConfigurationType>\n    <UseDebugLibraries>true</UseDebugLibraries>\n    <PlatformToolset>v140</PlatformToolset>\n    <CharacterSet>MultiByte</CharacterSet>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\" Label=\"Configuration\">\n    <ConfigurationType>DynamicLibrary</ConfigurationType>\n    <UseDebugLibraries>false</UseDebugLibraries>\n    <PlatformToolset>v140</PlatformToolset>\n    <WholeProgramOptimization>true</WholeProgramOptimization>\n    <CharacterSet>Unicode</CharacterSet>\n  </PropertyGroup>\n  <PropertyGroup 
Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\" Label=\"Configuration\">\n    <ConfigurationType>Application</ConfigurationType>\n    <UseDebugLibraries>true</UseDebugLibraries>\n    <PlatformToolset>v140</PlatformToolset>\n    <CharacterSet>MultiByte</CharacterSet>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\" Label=\"Configuration\">\n    <ConfigurationType>DynamicLibrary</ConfigurationType>\n    <UseDebugLibraries>false</UseDebugLibraries>\n    <PlatformToolset>v140</PlatformToolset>\n    <WholeProgramOptimization>true</WholeProgramOptimization>\n    <CharacterSet>Unicode</CharacterSet>\n  </PropertyGroup>\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.props\" />\n  <ImportGroup Label=\"ExtensionSettings\">\n  </ImportGroup>\n  <ImportGroup Label=\"Shared\">\n  </ImportGroup>\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" 
Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <PropertyGroup Label=\"UserMacros\" />\n  <PropertyGroup />\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">\n    <ClCompile>\n      <WarningLevel>Level3</WarningLevel>\n      <Optimization>Disabled</Optimization>\n      <SDLCheck>true</SDLCheck>\n    </ClCompile>\n  </ItemDefinitionGroup>\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\n    <ClCompile>\n      <WarningLevel>Level3</WarningLevel>\n      <Optimization>Disabled</Optimization>\n      <SDLCheck>true</SDLCheck>\n    </ClCompile>\n  </ItemDefinitionGroup>\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">\n    <ClCompile>\n      <WarningLevel>Level3</WarningLevel>\n      <Optimization>MaxSpeed</Optimization>\n      <FunctionLevelLinking>true</FunctionLevelLinking>\n      <IntrinsicFunctions>true</IntrinsicFunctions>\n      <SDLCheck>true</SDLCheck>\n      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>\n      <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;WIN_X86;REFLECTIVE_DLL_EXPORTS;REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR;REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN;%(PreprocessorDefinitions)</PreprocessorDefinitions>\n    </ClCompile>\n    <Link>\n      <EnableCOMDATFolding>true</EnableCOMDATFolding>\n      <OptimizeReferences>true</OptimizeReferences>\n      <GenerateDebugInformation>false</GenerateDebugInformation>\n    </Link>\n  </ItemDefinitionGroup>\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\n    <ClCompile>\n      <WarningLevel>Level3</WarningLevel>\n      <Optimization>MaxSpeed</Optimization>\n      <FunctionLevelLinking>true</FunctionLevelLinking>\n      <IntrinsicFunctions>true</IntrinsicFunctions>\n      <SDLCheck>true</SDLCheck>\n      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>\n      
<PreprocessorDefinitions>WIN64;NDEBUG;_WINDOWS;_USRDLL;REFLECTIVE_DLL_EXPORTS;WIN_X64;REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR;REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN;%(PreprocessorDefinitions)</PreprocessorDefinitions>\n    </ClCompile>\n    <Link>\n      <EnableCOMDATFolding>true</EnableCOMDATFolding>\n      <OptimizeReferences>true</OptimizeReferences>\n      <GenerateDebugInformation>false</GenerateDebugInformation>\n    </Link>\n  </ItemDefinitionGroup>\n  <ItemGroup>\n    <ClInclude Include=\"ReflectiveDLLInjection.h\" />\n    <ClInclude Include=\"ReflectiveLoader.h\" />\n  </ItemGroup>\n  <ItemGroup>\n    <ClCompile Include=\"ReflectiveDll.cpp\" />\n    <ClCompile Include=\"ReflectiveLoader.cpp\" />\n  </ItemGroup>\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.targets\" />\n  <ImportGroup Label=\"ExtensionTargets\">\n  </ImportGroup>\n</Project>"
  },
  {
    "path": "Src/Recon-AD-SPNs/Recon-AD-SPNs/Recon-AD-SPNs.vcxproj.filters",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project ToolsVersion=\"4.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\n  <ItemGroup>\n    <Filter Include=\"Source Files\">\n      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>\n      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>\n    </Filter>\n    <Filter Include=\"Header Files\">\n      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>\n      <Extensions>h;hh;hpp;hxx;hm;inl;inc;xsd</Extensions>\n    </Filter>\n    <Filter Include=\"Resource Files\">\n      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>\n      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>\n    </Filter>\n  </ItemGroup>\n  <ItemGroup>\n    <ClInclude Include=\"ReflectiveDLLInjection.h\">\n      <Filter>Header Files</Filter>\n    </ClInclude>\n    <ClInclude Include=\"ReflectiveLoader.h\">\n      <Filter>Header Files</Filter>\n    </ClInclude>\n  </ItemGroup>\n  <ItemGroup>\n    <ClCompile Include=\"ReflectiveLoader.cpp\">\n      <Filter>Source Files</Filter>\n    </ClCompile>\n    <ClCompile Include=\"ReflectiveDll.cpp\">\n      <Filter>Source Files</Filter>\n    </ClCompile>\n  </ItemGroup>\n</Project>"
  },
  {
    "path": "Src/Recon-AD-SPNs/Recon-AD-SPNs/Recon-AD-SPNs.vcxproj.user",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project ToolsVersion=\"14.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\n  <PropertyGroup />\n</Project>"
  },
  {
    "path": "Src/Recon-AD-SPNs/Recon-AD-SPNs/ReflectiveDLLInjection.h",
    "content": "//===============================================================================================//\n// Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com)\n// All rights reserved.\n// \n// Redistribution and use in source and binary forms, with or without modification, are permitted \n// provided that the following conditions are met:\n// \n//     * Redistributions of source code must retain the above copyright notice, this list of \n// conditions and the following disclaimer.\n// \n//     * Redistributions in binary form must reproduce the above copyright notice, this list of \n// conditions and the following disclaimer in the documentation and/or other materials provided \n// with the distribution.\n// \n//     * Neither the name of Harmony Security nor the names of its contributors may be used to\n// endorse or promote products derived from this software without specific prior written permission.\n// \n// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS \"AS IS\" AND ANY EXPRESS OR \n// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND\n// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR \n// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR \n// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR \n// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY \n// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR \n// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE \n// POSSIBILITY OF SUCH DAMAGE.\n//===============================================================================================//\n#ifndef _REFLECTIVEDLLINJECTION_REFLECTIVEDLLINJECTION_H\n#define _REFLECTIVEDLLINJECTION_REFLECTIVEDLLINJECTION_H\n//===============================================================================================//\n#define WIN32_LEAN_AND_MEAN\n#include <windows.h>\n\n// we declare some common stuff in here...\n\n#define DLL_QUERY_HMODULE\t\t6\n\n#define DEREF( name )*(UINT_PTR *)(name)\n#define DEREF_64( name )*(DWORD64 *)(name)\n#define DEREF_32( name )*(DWORD *)(name)\n#define DEREF_16( name )*(WORD *)(name)\n#define DEREF_8( name )*(BYTE *)(name)\n\ntypedef ULONG_PTR(WINAPI * REFLECTIVELOADER)(VOID);\ntypedef BOOL(WINAPI * DLLMAIN)(HINSTANCE, DWORD, LPVOID);\n\n#define DLLEXPORT   __declspec( dllexport ) \n\n//===============================================================================================//\n#endif\n//===============================================================================================//\n\n"
  },
  {
    "path": "Src/Recon-AD-SPNs/Recon-AD-SPNs/ReflectiveDll.cpp",
    "content": "#undef  _UNICODE\n#define _UNICODE\n#undef  UNICODE\n#define UNICODE\n\n#include \"ReflectiveLoader.h\"\n#include <stdio.h>\n#include <objbase.h>\n#include <activeds.h>\n#include <sddl.h>\n\n#pragma comment(lib, \"ADSIid.lib\")\n#pragma comment(lib, \"ActiveDS.Lib\")\n\n// Note: REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR and REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN are\n// defined in the project properties (Properties->C++->Preprocessor) so as we can specify our own \n// DllMain and use the LoadRemoteLibraryR() API to inject this DLL.\n\n// You can use this value as a pseudo hinstDLL value (defined and set via ReflectiveLoader.c)\nextern HINSTANCE hAppInstance;\n\n\nint IS_BUFFER_ENOUGH(UINT maxAlloc, LPWSTR pszTarget, LPCWSTR pszSource, int toCopy = -1) {\n\tif (toCopy == -1) {\n\t\ttoCopy = wcslen(pszSource);\n\t}\n\n\treturn maxAlloc - (wcslen(pszTarget) + toCopy + 1);\n}\n\nHRESULT FindSPNs(IDirectorySearch *pContainerToSearch,  // IDirectorySearch pointer to Partitions container.\n\tLPOLESTR szFilter,\t\t\t\t\t\t\t\t\t// Filter for finding specific crossrefs. NULL returns all attributeSchema objects.\n\tLPOLESTR *pszPropertiesToReturn)\t\t\t\t\t// Properties to return for crossRef objects found. NULL returns all set properties.\n{\n\tif (!pContainerToSearch)\n\t\treturn E_POINTER;\n\t\n\t// Create search filter\n\tLPOLESTR pszSearchFilter = new OLECHAR[MAX_PATH * 2];\n\tif (!pszSearchFilter)\n\t\treturn E_OUTOFMEMORY;\n\twchar_t szFormat[] = L\"(&(objectClass=user)(objectCategory=person)%s)\";\n\n\t// Check the buffer first\n\tif (IS_BUFFER_ENOUGH(MAX_PATH * 2, szFormat, szFilter) > 0)\n\t{\n\t\t// Add the filter.\n\t\tswprintf_s(pszSearchFilter, MAX_PATH * 2, szFormat, szFilter);\n\t}\n\telse\n\t{\n\t\twprintf(L\"[!] 
The filter is too large for buffer, aborting...\");\n\t\tdelete[] pszSearchFilter;\n\t\treturn FALSE;\n\t}\n\n\t// Specify subtree search\n\tADS_SEARCHPREF_INFO SearchPrefs;\n\tSearchPrefs.dwSearchPref = ADS_SEARCHPREF_SEARCH_SCOPE;\n\tSearchPrefs.vValue.dwType = ADSTYPE_INTEGER;\n\tSearchPrefs.vValue.Integer = ADS_SCOPE_SUBTREE;\n\tDWORD dwNumPrefs = 1;\n\n\t// COL for iterations\n\tLPOLESTR pszColumn = NULL;\n\tADS_SEARCH_COLUMN col;\n\tHRESULT hr;\n\n\t// Interface Pointers\n\tIADs *pObj = NULL;\n\tIADs *pIADs = NULL;\n\n\t// Handle used for searching\n\tADS_SEARCH_HANDLE hSearch = NULL;\n\n\t// Set the search preference\n\thr = pContainerToSearch->SetSearchPreference(&SearchPrefs, dwNumPrefs);\n\tif (FAILED(hr))\n\t{\n\t\tdelete[] pszSearchFilter;\n\t\treturn hr;\n\t}\n\n\tFILETIME filetime;\n\tSYSTEMTIME systemtime;\n\tDATE date;\n\tVARIANT varDate;\n\tLARGE_INTEGER liValue;\n\tLPOLESTR *pszPropertyList = NULL;\n\n\ttypedef struct _USER_INFO {\n\t\tWCHAR chName[MAX_PATH];\n\t\tWCHAR chDistinguishedName[MAX_PATH];\n\t\tWCHAR chSamAccountName[MAX_PATH];\n\t\tWCHAR chDescription[MAX_PATH];\n\t\tWCHAR chuserPrincipalName[MAX_PATH];\n\t\tWCHAR chMemberOf[250][MAX_PATH];\n\t\tWCHAR chServicePrincipalName[250][MAX_PATH];\n\t\tWCHAR chWhenCreated[MAX_PATH];\n\t\tWCHAR chWhenChanged[MAX_PATH];\n\t\tWCHAR chPwdLastSet[MAX_PATH];\n\t\tWCHAR chAccountExpires[MAX_PATH];\n\t\tWCHAR chLastLogon[MAX_PATH];\n\t} USER_INFO, *PUSER_INFO;\n\n\tPUSER_INFO pUserInfo = (PUSER_INFO)calloc(1, sizeof(USER_INFO));\n\n\tint iCount = 0;\n\tDWORD x = 0L;\n\n\tif (!pszPropertiesToReturn)\n\t{\n\t\t// Return all properties.\n\t\thr = pContainerToSearch->ExecuteSearch(pszSearchFilter,\n\t\t\tNULL,\n\t\t\t-1L,\n\t\t\t&hSearch);\n\t}\n\telse\n\t{\n\t\t// Specified subset.\n\t\tpszPropertyList = pszPropertiesToReturn;\n\n\t\t// Return specified properties\n\t\thr = pContainerToSearch->ExecuteSearch(pszSearchFilter,\n\t\t\tpszPropertyList,\n\t\t\tsizeof(pszPropertyList) / 
sizeof(LPOLESTR),\n\t\t\t&hSearch);\n\t}\n\n\tif (SUCCEEDED(hr))\n\t{\n\t\t// Call IDirectorySearch::GetNextRow() to retrieve the next row of data\n\t\thr = pContainerToSearch->GetFirstRow(hSearch);\n\t\tif (SUCCEEDED(hr))\n\t\t{\n\t\t\twhile (hr != S_ADS_NOMORE_ROWS)\n\t\t\t{\n\t\t\t\t// Keep track of count.\n\t\t\t\tiCount++;\n\n\t\t\t\t// Loop through the array of passed column names, print the data for each column\n\t\t\t\twhile (pContainerToSearch->GetNextColumnName(hSearch, &pszColumn) != S_ADS_NOMORE_COLUMNS)\n\t\t\t\t{\n\t\t\t\t\thr = pContainerToSearch->GetColumn(hSearch, pszColumn, &col);\n\t\t\t\t\tif (SUCCEEDED(hr))\n\t\t\t\t\t{\n\t\t\t\t\t\t// Print the data for the column and free the column\n\t\t\t\t\t\t// Get the data for this column\n\t\t\t\t\t\tswitch (col.dwADsType)\n\t\t\t\t\t\t{\n\t\t\t\t\t\tcase ADSTYPE_DN_STRING:\n\t\t\t\t\t\t\tfor (x = 0; x < col.dwNumValues; x++)\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\tif (_wcsicmp(col.pszAttrName, L\"memberOf\") == 0) {\n\t\t\t\t\t\t\t\t\twcscpy_s(pUserInfo->chMemberOf[x], MAX_PATH, col.pADsValues[x].DNString);\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\tif (_wcsicmp(col.pszAttrName, L\"distinguishedName\") == 0) {\n\t\t\t\t\t\t\t\twcscpy_s(pUserInfo->chDistinguishedName, MAX_PATH, col.pADsValues->CaseIgnoreString);\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\tcase ADSTYPE_CASE_EXACT_STRING:\n\t\t\t\t\t\tcase ADSTYPE_CASE_IGNORE_STRING:\n\t\t\t\t\t\tcase ADSTYPE_PRINTABLE_STRING:\n\t\t\t\t\t\tcase ADSTYPE_NUMERIC_STRING:\n\t\t\t\t\t\tcase ADSTYPE_TYPEDNAME:\n\t\t\t\t\t\tcase ADSTYPE_FAXNUMBER:\n\t\t\t\t\t\tcase ADSTYPE_PATH:\n\t\t\t\t\t\tcase ADSTYPE_OBJECT_CLASS:\n\t\t\t\t\t\t\tfor (x = 0; x < col.dwNumValues; x++)\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\tif (_wcsicmp(col.pszAttrName, L\"servicePrincipalName\") == 0) {\n\t\t\t\t\t\t\t\t\twcscpy_s(pUserInfo->chServicePrincipalName[x], MAX_PATH, col.pADsValues[x].CaseIgnoreString);\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\tif 
(_wcsicmp(col.pszAttrName, L\"name\") == 0) {\n\t\t\t\t\t\t\t\twcscpy_s(pUserInfo->chName, MAX_PATH, col.pADsValues->CaseIgnoreString);\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\telse if (_wcsicmp(col.pszAttrName, L\"description\") == 0) {\n\t\t\t\t\t\t\t\twcscpy_s(pUserInfo->chDescription, MAX_PATH, col.pADsValues->CaseIgnoreString);\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\telse if (_wcsicmp(col.pszAttrName, L\"userPrincipalName\") == 0) {\n\t\t\t\t\t\t\t\twcscpy_s(pUserInfo->chuserPrincipalName, MAX_PATH, col.pADsValues->CaseIgnoreString);\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\telse if (_wcsicmp(col.pszAttrName, L\"sAMAccountName\") == 0) {\n\t\t\t\t\t\t\t\twcscpy_s(pUserInfo->chSamAccountName, MAX_PATH, col.pADsValues->CaseIgnoreString);\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\telse {\n\t\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\tcase ADSTYPE_BOOLEAN:\n\t\t\t\t\t\tcase ADSTYPE_INTEGER:\n\t\t\t\t\t\tcase ADSTYPE_OCTET_STRING:\n\t\t\t\t\t\tcase ADSTYPE_UTC_TIME:\n\t\t\t\t\t\t\tfor (x = 0; x < col.dwNumValues; x++)\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\tsystemtime = col.pADsValues[x].UTCTime;\n\t\t\t\t\t\t\t\tif (SystemTimeToVariantTime(&systemtime,\n\t\t\t\t\t\t\t\t\t&date) != 0)\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t//Pack in variant.vt\n\t\t\t\t\t\t\t\t\tvarDate.vt = VT_DATE;\n\t\t\t\t\t\t\t\t\tvarDate.date = date;\n\t\t\t\t\t\t\t\t\tVariantChangeType(&varDate, &varDate, VARIANT_NOVALUEPROP, VT_BSTR);\n\n\t\t\t\t\t\t\t\t\tif (_wcsicmp(col.pszAttrName, L\"whenCreated\") == 0) {\n\t\t\t\t\t\t\t\t\t\twcscpy_s(pUserInfo->chWhenCreated, MAX_PATH, varDate.bstrVal);\n\t\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t\telse if (_wcsicmp(col.pszAttrName, L\"whenChanged\") == 0) {\n\t\t\t\t\t\t\t\t\t\twcscpy_s(pUserInfo->chWhenChanged, MAX_PATH, varDate.bstrVal);\n\t\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t\telse {\n\t\t\t\t\t\t\t\t\t\tVariantClear(&varDate);\n\t\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t\tVariantClear(&varDate);\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\tcase 
ADSTYPE_LARGE_INTEGER:\n\t\t\t\t\t\t\tfor (x = 0; x < col.dwNumValues; x++)\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\tliValue = col.pADsValues[x].LargeInteger;\n\t\t\t\t\t\t\t\tfiletime.dwLowDateTime = liValue.LowPart;\n\t\t\t\t\t\t\t\tfiletime.dwHighDateTime = liValue.HighPart;\n\n\t\t\t\t\t\t\t\t// Check for properties of type LargeInteger that represent time\n\t\t\t\t\t\t\t\t// if TRUE, then convert to variant time.\n\t\t\t\t\t\t\t\tif ((0 == wcscmp(L\"accountExpires\", col.pszAttrName)) |\n\t\t\t\t\t\t\t\t\t(0 == wcscmp(L\"badPasswordTime\", col.pszAttrName)) ||\n\t\t\t\t\t\t\t\t\t(0 == wcscmp(L\"lastLogon\", col.pszAttrName)) ||\n\t\t\t\t\t\t\t\t\t(0 == wcscmp(L\"lastLogoff\", col.pszAttrName)) ||\n\t\t\t\t\t\t\t\t\t(0 == wcscmp(L\"lockoutTime\", col.pszAttrName)) ||\n\t\t\t\t\t\t\t\t\t(0 == wcscmp(L\"pwdLastSet\", col.pszAttrName))\n\t\t\t\t\t\t\t\t\t)\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t// Handle special case for Never Expires where low part is -1\n\t\t\t\t\t\t\t\t\tif (filetime.dwLowDateTime == -1)\n\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\tif (_wcsicmp(col.pszAttrName, L\"accountExpires\") == 0) {\n\t\t\t\t\t\t\t\t\t\t\twcscpy_s(pUserInfo->chAccountExpires, MAX_PATH, L\"Never Expires\");\n\t\t\t\t\t\t\t\t\t\t}\n\n\t\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t\telse\n\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\tif (FileTimeToLocalFileTime(&filetime, &filetime) != 0)\n\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\tif (FileTimeToSystemTime(&filetime,\n\t\t\t\t\t\t\t\t\t\t\t\t&systemtime) != 0)\n\t\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\t\tif (SystemTimeToVariantTime(&systemtime,\n\t\t\t\t\t\t\t\t\t\t\t\t\t&date) != 0)\n\t\t\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\t\t\t// Pack in variant.vt\n\t\t\t\t\t\t\t\t\t\t\t\t\tvarDate.vt = VT_DATE;\n\t\t\t\t\t\t\t\t\t\t\t\t\tvarDate.date = date;\n\t\t\t\t\t\t\t\t\t\t\t\t\tVariantChangeType(&varDate, &varDate, VARIANT_NOVALUEPROP, VT_BSTR);\n\n\t\t\t\t\t\t\t\t\t\t\t\t\tif (_wcsicmp(col.pszAttrName, L\"pwdLastSet\") == 0) 
{\n\t\t\t\t\t\t\t\t\t\t\t\t\t\twcscpy_s(pUserInfo->chPwdLastSet, MAX_PATH, varDate.bstrVal);\n\t\t\t\t\t\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t\t\t\t\t\telse if (_wcsicmp(col.pszAttrName, L\"lastLogon\") == 0) {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tif (_wcsicmp(varDate.bstrVal, L\"1-1-1601 02:00:00\") == 0) {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\twcscpy_s(pUserInfo->chLastLogon, MAX_PATH, L\"Never\");\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t\t\t\t\t\t\telse {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\twcscpy_s(pUserInfo->chLastLogon, MAX_PATH, varDate.bstrVal);\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t}\n\n\t\t\t\t\t\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t\t\t\t\t\telse if (_wcsicmp(col.pszAttrName, L\"accountExpires\") == 0) {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tif (_wcsicmp(varDate.bstrVal, L\"1-1-1601 02:00:00\") == 0) {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\twcscpy_s(pUserInfo->chAccountExpires, MAX_PATH, L\"Never Expires\");\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t\t\t\t\t\t\telse {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\twcscpy_s(pUserInfo->chAccountExpires, MAX_PATH, varDate.bstrVal);\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t\t\t\t\t\t}\n\n\t\t\t\t\t\t\t\t\t\t\t\t\tVariantClear(&varDate);\n\t\t\t\t\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\tcase ADSTYPE_NT_SECURITY_DESCRIPTOR:\n\t\t\t\t\t\tdefault:\n\t\t\t\t\t\t\twprintf(L\"Unknown type %d.\\n\", col.dwADsType);\n\t\t\t\t\t\t}\n\n\t\t\t\t\t\tpContainerToSearch->FreeColumn(&col);\n\t\t\t\t\t}\n\t\t\t\t\tCoTaskMemFree(pszColumn);\n\t\t\t\t}\n\n\t\t\t\tif (wcscmp(pUserInfo->chServicePrincipalName[0], L\"\") != 0) {\n\n\t\t\t\t\twprintf(L\"--------------------------------------------------------------------\\n\");\n\n\t\t\t\t\twprintf(L\"[+] name:\\n\");\n\t\t\t\t\twprintf(L\"    %s\\r\\n\", pUserInfo->chName);\n\n\t\t\t\t\twprintf(L\"[+] sAMAccountName:\\n\");\n\t\t\t\t\twprintf(L\"    %s\\r\\n\", 
pUserInfo->chSamAccountName);\n\n\t\t\t\t\twprintf(L\"[+] description:\\n\");\n\t\t\t\t\twprintf(L\"    %s\\r\\n\", pUserInfo->chDescription);\n\n\t\t\t\t\twprintf(L\"[+] userPrincipalName:\\n\");\n\t\t\t\t\twprintf(L\"    %s\\r\\n\", pUserInfo->chuserPrincipalName);\n\n\t\t\t\t\twprintf(L\"[+] distinguishedName:\\n\");\n\t\t\t\t\twprintf(L\"    %s\\r\\n\", pUserInfo->chDistinguishedName);\n\n\t\t\t\t\twprintf(L\"[+] whenCreated:\\n\");\n\t\t\t\t\twprintf(L\"    %s\\r\\n\", pUserInfo->chWhenCreated);\n\n\t\t\t\t\twprintf(L\"[+] whenChanged:\\n\");\n\t\t\t\t\twprintf(L\"    %s\\r\\n\", pUserInfo->chWhenChanged);\n\n\t\t\t\t\twprintf(L\"[+] pwdLastSet:\\n\");\n\t\t\t\t\twprintf(L\"    %s\\r\\n\", pUserInfo->chPwdLastSet);\n\n\t\t\t\t\twprintf(L\"[+] accountExpires:\\n\");\n\t\t\t\t\twprintf(L\"    %s\\r\\n\", pUserInfo->chAccountExpires);\n\n\t\t\t\t\twprintf(L\"[+] lastLogon:\\n\");\n\t\t\t\t\twprintf(L\"    %s\\r\\n\", pUserInfo->chLastLogon);\n\n\t\t\t\t\twprintf(L\"[+] memberOf:\\n\");\n\t\t\t\t\tfor (x = 0; x < 250; x++) {\n\t\t\t\t\t\tif (wcscmp(pUserInfo->chMemberOf[x], L\"\") == 0) {\n\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\t}\n\t\t\t\t\t\telse {\n\t\t\t\t\t\t\twprintf(L\"    %s\\r\\n\", pUserInfo->chMemberOf[x]);\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\n\t\t\t\t\twprintf(L\"[+] servicePrincipalName (SPNs):\\n\");\n\t\t\t\t\tfor (x = 0; x < 250; x++) {\n\t\t\t\t\t\tif (wcscmp(pUserInfo->chServicePrincipalName[x], L\"\") == 0) {\n\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\t}\n\t\t\t\t\t\telse {\n\t\t\t\t\t\t\twprintf(L\"    %s\\r\\n\", pUserInfo->chServicePrincipalName[x]);\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t}\n\n\t\t\t\tRtlZeroMemory(pUserInfo, sizeof(USER_INFO));\n\n\t\t\t\t// Get the next row\n\t\t\t\thr = pContainerToSearch->GetNextRow(hSearch);\n\t\t\t}\n\t\t}\n\t\t// Close the search handle to clean up\n\t\tpContainerToSearch->CloseSearchHandle(hSearch);\n\t}\n\tif (SUCCEEDED(hr) && 0 == iCount)\n\t\thr = 
S_FALSE;\n\n\twprintf(L\"--------------------------------------------------------------------\\n\");\n\n\tdelete[] pszSearchFilter;\n\treturn hr;\n}\n\n\nBOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved)\n{\n\tBOOL bReturnValue = TRUE;\n\tLPWSTR pwszParams = (LPWSTR)calloc(strlen((LPSTR)lpReserved) + 1, sizeof(WCHAR));\n\tsize_t convertedChars = 0;\n\tsize_t newsize = strlen((LPSTR)lpReserved) + 1;\n\n\tswitch (dwReason)\n\t{\n\tcase DLL_QUERY_HMODULE:\n\t\tif (lpReserved != NULL)\n\t\t\t*(HMODULE *)lpReserved = hAppInstance;\n\t\tbreak;\n\tcase DLL_PROCESS_ATTACH:\n\t\thAppInstance = hinstDLL;\n\n\t\tif (lpReserved != NULL) {\n\n\t\t\t// Handle the command line arguments.\n\t\t\tint maxAlloc = MAX_PATH * 2;\n\t\t\tLPOLESTR pszBuffer = new OLECHAR[maxAlloc];\n\t\t\tmbstowcs_s(&convertedChars, pwszParams, newsize, (LPSTR)lpReserved, _TRUNCATE);\n\t\t\twcscpy_s(pszBuffer, maxAlloc, pwszParams);\n\n\t\t\t// Initialize COM\n\t\t\tCoInitialize(NULL);\n\t\t\tHRESULT hr = S_OK;\n\n\t\t\t// Get rootDSE and the current user's domain container DN.\n\t\t\tIADs *pObject = NULL;\n\t\t\tIDirectorySearch *pContainerToSearch = NULL;\n\t\t\tLPOLESTR szPath = new OLECHAR[MAX_PATH];\n\t\t\tVARIANT var;\n\t\t\thr = ADsOpenObject(L\"LDAP://rootDSE\",\n\t\t\t\tNULL,\n\t\t\t\tNULL,\n\t\t\t\tADS_SECURE_AUTHENTICATION, // Use Secure Authentication\n\t\t\t\tIID_IADs,\n\t\t\t\t(void**)&pObject);\n\t\t\tif (FAILED(hr))\n\t\t\t{\n\t\t\t\twprintf(L\"[!] Could not execute query. 
Could not bind to LDAP://rootDSE.\\n\");\n\t\t\t\tif (pObject)\n\t\t\t\t\tpObject->Release();\n\t\t\t\tdelete[] pszBuffer;\n\t\t\t\tdelete[] szPath;\n\t\t\t\tCoUninitialize();\n\n\t\t\t\t// Flush STDOUT\n\t\t\t\tfflush(stdout);\n\n\t\t\t\t// We're done, so let's exit\n\t\t\t\tExitProcess(0);\n\t\t\t}\n\t\t\tif (SUCCEEDED(hr))\n\t\t\t{\n\t\t\t\thr = pObject->Get(L\"defaultNamingContext\", &var);\n\t\t\t\tif (SUCCEEDED(hr))\n\t\t\t\t{\n\t\t\t\t\t// Build path to the domain container.\n\t\t\t\t\twcscpy_s(szPath, MAX_PATH, L\"LDAP://\");\n\t\t\t\t\tif (IS_BUFFER_ENOUGH(MAX_PATH, szPath, var.bstrVal) > 0)\n\t\t\t\t\t{\n\t\t\t\t\t\twcscat_s(szPath, MAX_PATH, var.bstrVal);\n\t\t\t\t\t}\n\t\t\t\t\telse\n\t\t\t\t\t{\n\t\t\t\t\t\twprintf(L\"[!] Buffer is too small for the domain DN\");\n\t\t\t\t\t\tdelete[] pszBuffer;\n\t\t\t\t\t\tdelete[] szPath;\n\t\t\t\t\t\tCoUninitialize();\n\n\t\t\t\t\t\t// Flush STDOUT\n\t\t\t\t\t\tfflush(stdout);\n\n\t\t\t\t\t\t// We're done, so let's exit\n\t\t\t\t\t\tExitProcess(0);\n\t\t\t\t\t}\n\n\t\t\t\t\thr = ADsOpenObject(szPath,\n\t\t\t\t\t\tNULL,\n\t\t\t\t\t\tNULL,\n\t\t\t\t\t\tADS_SECURE_AUTHENTICATION, // Use Secure Authentication\n\t\t\t\t\t\tIID_IDirectorySearch,\n\t\t\t\t\t\t(void**)&pContainerToSearch);\n\n\t\t\t\t\tif (SUCCEEDED(hr))\n\t\t\t\t\t{\n\t\t\t\t\t\thr = FindSPNs(pContainerToSearch, // IDirectorySearch pointer to Partitions container.\n\t\t\t\t\t\t\tpszBuffer,\n\t\t\t\t\t\t\tNULL\t//Return all properties\n\t\t\t\t\t\t);\n\t\t\t\t\t\tif (SUCCEEDED(hr))\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tif (S_FALSE == hr)\n\t\t\t\t\t\t\t\twprintf(L\"[!] No user object could be found.\\n\");\n\t\t\t\t\t\t}\n\t\t\t\t\t\telse if (0x8007203e == hr)\n\t\t\t\t\t\t\twprintf(L\"[!] Could not execute query. An invalid filter was specified.\\n\");\n\t\t\t\t\t\telse\n\t\t\t\t\t\t\twprintf(L\"[!] Query failed to run. HRESULT: %x\\n\", hr);\n\t\t\t\t\t}\n\t\t\t\t\telse\n\t\t\t\t\t{\n\t\t\t\t\t\twprintf(L\"[!] Could not execute query. 
Could not bind to the container.\\n\");\n\t\t\t\t\t}\n\t\t\t\t\tif (pContainerToSearch)\n\t\t\t\t\t\tpContainerToSearch->Release();\n\t\t\t\t}\n\t\t\t\tVariantClear(&var);\n\t\t\t}\n\t\t\tif (pObject)\n\t\t\t\tpObject->Release();\n\n\t\t\tdelete[] pszBuffer;\n\t\t\tdelete[] szPath;\n\n\t\t\t// Uninitialize COM\n\t\t\tCoUninitialize();\n\t\t}\n\n\t\t// Flush STDOUT\n\t\tfflush(stdout);\n\n\t\t// We're done, so let's exit\n\t\tExitProcess(0);\n\t\tbreak;\n\tcase DLL_PROCESS_DETACH:\n\tcase DLL_THREAD_ATTACH:\n\tcase DLL_THREAD_DETACH:\n\t\tbreak;\n\t}\n\treturn bReturnValue;\n}\n"
  },
  {
    "path": "Src/Recon-AD-SPNs/Recon-AD-SPNs/ReflectiveLoader.cpp",
    "content": "//===============================================================================================//\n// Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com)\n// All rights reserved.\n// \n// Redistribution and use in source and binary forms, with or without modification, are permitted \n// provided that the following conditions are met:\n// \n//     * Redistributions of source code must retain the above copyright notice, this list of \n// conditions and the following disclaimer.\n// \n//     * Redistributions in binary form must reproduce the above copyright notice, this list of \n// conditions and the following disclaimer in the documentation and/or other materials provided \n// with the distribution.\n// \n//     * Neither the name of Harmony Security nor the names of its contributors may be used to\n// endorse or promote products derived from this software without specific prior written permission.\n// \n// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS \"AS IS\" AND ANY EXPRESS OR \n// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND\n// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR \n// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR \n// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR \n// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY \n// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR \n// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE \n// POSSIBILITY OF SUCH DAMAGE.\n//===============================================================================================//\n#include \"ReflectiveLoader.h\"\n//===============================================================================================//\n// Our loader will set this to a pseudo correct HINSTANCE/HMODULE value\nHINSTANCE hAppInstance = NULL;\n//===============================================================================================//\n#pragma intrinsic( _ReturnAddress )\n// This function can not be inlined by the compiler or we will not get the address we expect. Ideally \n// this code will be compiled with the /O2 and /Ob1 switches. 
Bonus points if we could take advantage of \n// RIP relative addressing in this instance but I dont believe we can do so with the compiler intrinsics \n// available (and no inline asm available under x64).\n__declspec(noinline) ULONG_PTR caller(VOID) { return (ULONG_PTR)_ReturnAddress(); }\n//===============================================================================================//\n\n// Note 1: If you want to have your own DllMain, define REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN,  \n//         otherwise the DllMain at the end of this file will be used.\n\n// Note 2: If you are injecting the DLL via LoadRemoteLibraryR, define REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR,\n//         otherwise it is assumed you are calling the ReflectiveLoader via a stub.\n\n// This is our position independent reflective DLL loader/injector\n#ifdef REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR\nDLLEXPORT ULONG_PTR WINAPI ReflectiveLoader(LPVOID lpParameter)\n#else\nDLLEXPORT ULONG_PTR WINAPI ReflectiveLoader(VOID)\n#endif\n{\n\t// the functions we need\n\tLOADLIBRARYA pLoadLibraryA = NULL;\n\tGETPROCADDRESS pGetProcAddress = NULL;\n\tVIRTUALALLOC pVirtualAlloc = NULL;\n\tNTFLUSHINSTRUCTIONCACHE pNtFlushInstructionCache = NULL;\n\n\tUSHORT usCounter;\n\n\t// the initial location of this image in memory\n\tULONG_PTR uiLibraryAddress;\n\t// the kernels base address and later this images newly loaded base address\n\tULONG_PTR uiBaseAddress;\n\n\t// variables for processing the kernels export table\n\tULONG_PTR uiAddressArray;\n\tULONG_PTR uiNameArray;\n\tULONG_PTR uiExportDir;\n\tULONG_PTR uiNameOrdinals;\n\tDWORD dwHashValue;\n\n\t// variables for loading this image\n\tULONG_PTR uiHeaderValue;\n\tULONG_PTR uiValueA;\n\tULONG_PTR uiValueB;\n\tULONG_PTR uiValueC;\n\tULONG_PTR uiValueD;\n\tULONG_PTR uiValueE;\n\n\t// STEP 0: calculate our images current base address\n\n\t// we will start searching backwards from our callers return address.\n\tuiLibraryAddress = caller();\n\n\t// loop 
through memory backwards searching for our images base address\n\t// we dont need SEH style search as we shouldnt generate any access violations with this\n\twhile (TRUE)\n\t{\n\t\tif (((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_magic == IMAGE_DOS_SIGNATURE)\n\t\t{\n\t\t\tuiHeaderValue = ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew;\n\t\t\t// some x64 dll's can trigger a bogus signature (IMAGE_DOS_SIGNATURE == 'POP r10'),\n\t\t\t// we sanity check the e_lfanew with an upper threshold value of 1024 to avoid problems.\n\t\t\tif (uiHeaderValue >= sizeof(IMAGE_DOS_HEADER) && uiHeaderValue < 1024)\n\t\t\t{\n\t\t\t\tuiHeaderValue += uiLibraryAddress;\n\t\t\t\t// break if we have found a valid MZ/PE header\n\t\t\t\tif (((PIMAGE_NT_HEADERS)uiHeaderValue)->Signature == IMAGE_NT_SIGNATURE)\n\t\t\t\t\tbreak;\n\t\t\t}\n\t\t}\n\t\tuiLibraryAddress--;\n\t}\n\n\t// STEP 1: process the kernels exports for the functions our loader needs...\n\n\t// get the Process Enviroment Block\n#ifdef WIN_X64\n\tuiBaseAddress = __readgsqword(0x60);\n#else\n#ifdef WIN_X86\n\tuiBaseAddress = __readfsdword(0x30);\n#else WIN_ARM\n\tuiBaseAddress = *(DWORD *)((BYTE *)_MoveFromCoprocessor(15, 0, 13, 0, 2) + 0x30);\n#endif\n#endif\n\n\t// get the processes loaded modules. 
ref: http://msdn.microsoft.com/en-us/library/aa813708(VS.85).aspx\n\tuiBaseAddress = (ULONG_PTR)((_PPEB)uiBaseAddress)->pLdr;\n\n\t// get the first entry of the InMemoryOrder module list\n\tuiValueA = (ULONG_PTR)((PPEB_LDR_DATA)uiBaseAddress)->InMemoryOrderModuleList.Flink;\n\twhile (uiValueA)\n\t{\n\t\t// get pointer to current modules name (unicode string)\n\t\tuiValueB = (ULONG_PTR)((PLDR_DATA_TABLE_ENTRY)uiValueA)->BaseDllName.pBuffer;\n\t\t// set bCounter to the length for the loop\n\t\tusCounter = ((PLDR_DATA_TABLE_ENTRY)uiValueA)->BaseDllName.Length;\n\t\t// clear uiValueC which will store the hash of the module name\n\t\tuiValueC = 0;\n\n\t\t// compute the hash of the module name...\n\t\tdo\n\t\t{\n\t\t\tuiValueC = ror((DWORD)uiValueC);\n\t\t\t// normalize to uppercase if the madule name is in lowercase\n\t\t\tif (*((BYTE *)uiValueB) >= 'a')\n\t\t\t\tuiValueC += *((BYTE *)uiValueB) - 0x20;\n\t\t\telse\n\t\t\t\tuiValueC += *((BYTE *)uiValueB);\n\t\t\tuiValueB++;\n\t\t} while (--usCounter);\n\n\t\t// compare the hash with that of kernel32.dll\n\t\tif ((DWORD)uiValueC == KERNEL32DLL_HASH)\n\t\t{\n\t\t\t// get this modules base address\n\t\t\tuiBaseAddress = (ULONG_PTR)((PLDR_DATA_TABLE_ENTRY)uiValueA)->DllBase;\n\n\t\t\t// get the VA of the modules NT Header\n\t\t\tuiExportDir = uiBaseAddress + ((PIMAGE_DOS_HEADER)uiBaseAddress)->e_lfanew;\n\n\t\t\t// uiNameArray = the address of the modules export directory entry\n\t\t\tuiNameArray = (ULONG_PTR)&((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];\n\n\t\t\t// get the VA of the export directory\n\t\t\tuiExportDir = (uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiNameArray)->VirtualAddress);\n\n\t\t\t// get the VA for the array of name pointers\n\t\t\tuiNameArray = (uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY)uiExportDir)->AddressOfNames);\n\n\t\t\t// get the VA for the array of name ordinals\n\t\t\tuiNameOrdinals = (uiBaseAddress + 
((PIMAGE_EXPORT_DIRECTORY)uiExportDir)->AddressOfNameOrdinals);\n\n\t\t\tusCounter = 3;\n\n\t\t\t// loop while we still have imports to find\n\t\t\twhile (usCounter > 0)\n\t\t\t{\n\t\t\t\t// compute the hash values for this function name\n\t\t\t\tdwHashValue = hash((char *)(uiBaseAddress + DEREF_32(uiNameArray)));\n\n\t\t\t\t// if we have found a function we want we get its virtual address\n\t\t\t\tif (dwHashValue == LOADLIBRARYA_HASH || dwHashValue == GETPROCADDRESS_HASH || dwHashValue == VIRTUALALLOC_HASH)\n\t\t\t\t{\n\t\t\t\t\t// get the VA for the array of addresses\n\t\t\t\t\tuiAddressArray = (uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY)uiExportDir)->AddressOfFunctions);\n\n\t\t\t\t\t// use this functions name ordinal as an index into the array of name pointers\n\t\t\t\t\tuiAddressArray += (DEREF_16(uiNameOrdinals) * sizeof(DWORD));\n\n\t\t\t\t\t// store this functions VA\n\t\t\t\t\tif (dwHashValue == LOADLIBRARYA_HASH)\n\t\t\t\t\t\tpLoadLibraryA = (LOADLIBRARYA)(uiBaseAddress + DEREF_32(uiAddressArray));\n\t\t\t\t\telse if (dwHashValue == GETPROCADDRESS_HASH)\n\t\t\t\t\t\tpGetProcAddress = (GETPROCADDRESS)(uiBaseAddress + DEREF_32(uiAddressArray));\n\t\t\t\t\telse if (dwHashValue == VIRTUALALLOC_HASH)\n\t\t\t\t\t\tpVirtualAlloc = (VIRTUALALLOC)(uiBaseAddress + DEREF_32(uiAddressArray));\n\n\t\t\t\t\t// decrement our counter\n\t\t\t\t\tusCounter--;\n\t\t\t\t}\n\n\t\t\t\t// get the next exported function name\n\t\t\t\tuiNameArray += sizeof(DWORD);\n\n\t\t\t\t// get the next exported function name ordinal\n\t\t\t\tuiNameOrdinals += sizeof(WORD);\n\t\t\t}\n\t\t}\n\t\telse if ((DWORD)uiValueC == NTDLLDLL_HASH)\n\t\t{\n\t\t\t// get this modules base address\n\t\t\tuiBaseAddress = (ULONG_PTR)((PLDR_DATA_TABLE_ENTRY)uiValueA)->DllBase;\n\n\t\t\t// get the VA of the modules NT Header\n\t\t\tuiExportDir = uiBaseAddress + ((PIMAGE_DOS_HEADER)uiBaseAddress)->e_lfanew;\n\n\t\t\t// uiNameArray = the address of the modules export directory entry\n\t\t\tuiNameArray = 
(ULONG_PTR)&((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];\n\n\t\t\t// get the VA of the export directory\n\t\t\tuiExportDir = (uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiNameArray)->VirtualAddress);\n\n\t\t\t// get the VA for the array of name pointers\n\t\t\tuiNameArray = (uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY)uiExportDir)->AddressOfNames);\n\n\t\t\t// get the VA for the array of name ordinals\n\t\t\tuiNameOrdinals = (uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY)uiExportDir)->AddressOfNameOrdinals);\n\n\t\t\tusCounter = 1;\n\n\t\t\t// loop while we still have imports to find\n\t\t\twhile (usCounter > 0)\n\t\t\t{\n\t\t\t\t// compute the hash values for this function name\n\t\t\t\tdwHashValue = hash((char *)(uiBaseAddress + DEREF_32(uiNameArray)));\n\n\t\t\t\t// if we have found a function we want we get its virtual address\n\t\t\t\tif (dwHashValue == NTFLUSHINSTRUCTIONCACHE_HASH)\n\t\t\t\t{\n\t\t\t\t\t// get the VA for the array of addresses\n\t\t\t\t\tuiAddressArray = (uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY)uiExportDir)->AddressOfFunctions);\n\n\t\t\t\t\t// use this functions name ordinal as an index into the array of name pointers\n\t\t\t\t\tuiAddressArray += (DEREF_16(uiNameOrdinals) * sizeof(DWORD));\n\n\t\t\t\t\t// store this functions VA\n\t\t\t\t\tif (dwHashValue == NTFLUSHINSTRUCTIONCACHE_HASH)\n\t\t\t\t\t\tpNtFlushInstructionCache = (NTFLUSHINSTRUCTIONCACHE)(uiBaseAddress + DEREF_32(uiAddressArray));\n\n\t\t\t\t\t// decrement our counter\n\t\t\t\t\tusCounter--;\n\t\t\t\t}\n\n\t\t\t\t// get the next exported function name\n\t\t\t\tuiNameArray += sizeof(DWORD);\n\n\t\t\t\t// get the next exported function name ordinal\n\t\t\t\tuiNameOrdinals += sizeof(WORD);\n\t\t\t}\n\t\t}\n\n\t\t// we stop searching when we have found everything we need.\n\t\tif (pLoadLibraryA && pGetProcAddress && pVirtualAlloc && pNtFlushInstructionCache)\n\t\t\tbreak;\n\n\t\t// get the next entry\n\t\tuiValueA = 
DEREF(uiValueA);\n\t}\n\n\t// STEP 2: load our image into a new permanent location in memory...\n\n\t// get the VA of the NT Header for the PE to be loaded\n\tuiHeaderValue = uiLibraryAddress + ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew;\n\n\t// allocate all the memory for the DLL to be loaded into. we can load at any address because we will  \n\t// relocate the image. Also zeros all memory and marks it as READ, WRITE and EXECUTE to avoid any problems.\n\tuiBaseAddress = (ULONG_PTR)pVirtualAlloc(NULL, ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.SizeOfImage, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);\n\n\t// we must now copy over the headers\n\tuiValueA = ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.SizeOfHeaders;\n\tuiValueB = uiLibraryAddress;\n\tuiValueC = uiBaseAddress;\n\n\twhile (uiValueA--)\n\t\t*(BYTE *)uiValueC++ = *(BYTE *)uiValueB++;\n\n\t// STEP 3: load in all of our sections...\n\n\t// uiValueA = the VA of the first section\n\tuiValueA = ((ULONG_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader + ((PIMAGE_NT_HEADERS)uiHeaderValue)->FileHeader.SizeOfOptionalHeader);\n\n\t// itterate through all sections, loading them into memory.\n\tuiValueE = ((PIMAGE_NT_HEADERS)uiHeaderValue)->FileHeader.NumberOfSections;\n\twhile (uiValueE--)\n\t{\n\t\t// uiValueB is the VA for this section\n\t\tuiValueB = (uiBaseAddress + ((PIMAGE_SECTION_HEADER)uiValueA)->VirtualAddress);\n\n\t\t// uiValueC if the VA for this sections data\n\t\tuiValueC = (uiLibraryAddress + ((PIMAGE_SECTION_HEADER)uiValueA)->PointerToRawData);\n\n\t\t// copy the section over\n\t\tuiValueD = ((PIMAGE_SECTION_HEADER)uiValueA)->SizeOfRawData;\n\n\t\twhile (uiValueD--)\n\t\t\t*(BYTE *)uiValueB++ = *(BYTE *)uiValueC++;\n\n\t\t// get the VA of the next section\n\t\tuiValueA += sizeof(IMAGE_SECTION_HEADER);\n\t}\n\n\t// STEP 4: process our images import table...\n\n\t// uiValueB = the address of the import directory\n\tuiValueB = 
(ULONG_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];\n\n\t// we assume their is an import table to process\n\t// uiValueC is the first entry in the import table\n\tuiValueC = (uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiValueB)->VirtualAddress);\n\n\t// itterate through all imports\n\twhile (((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->Name)\n\t{\n\t\t// use LoadLibraryA to load the imported module into memory\n\t\tuiLibraryAddress = (ULONG_PTR)pLoadLibraryA((LPCSTR)(uiBaseAddress + ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->Name));\n\n\t\t// uiValueD = VA of the OriginalFirstThunk\n\t\tuiValueD = (uiBaseAddress + ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->OriginalFirstThunk);\n\n\t\t// uiValueA = VA of the IAT (via first thunk not origionalfirstthunk)\n\t\tuiValueA = (uiBaseAddress + ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->FirstThunk);\n\n\t\t// itterate through all imported functions, importing by ordinal if no name present\n\t\twhile (DEREF(uiValueA))\n\t\t{\n\t\t\t// sanity check uiValueD as some compilers only import by FirstThunk\n\t\t\tif (uiValueD && ((PIMAGE_THUNK_DATA)uiValueD)->u1.Ordinal & IMAGE_ORDINAL_FLAG)\n\t\t\t{\n\t\t\t\t// get the VA of the modules NT Header\n\t\t\t\tuiExportDir = uiLibraryAddress + ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew;\n\n\t\t\t\t// uiNameArray = the address of the modules export directory entry\n\t\t\t\tuiNameArray = (ULONG_PTR)&((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];\n\n\t\t\t\t// get the VA of the export directory\n\t\t\t\tuiExportDir = (uiLibraryAddress + ((PIMAGE_DATA_DIRECTORY)uiNameArray)->VirtualAddress);\n\n\t\t\t\t// get the VA for the array of addresses\n\t\t\t\tuiAddressArray = (uiLibraryAddress + ((PIMAGE_EXPORT_DIRECTORY)uiExportDir)->AddressOfFunctions);\n\n\t\t\t\t// use the import ordinal (- export ordinal base) as an index into the array of addresses\n\t\t\t\tuiAddressArray += 
((IMAGE_ORDINAL(((PIMAGE_THUNK_DATA)uiValueD)->u1.Ordinal) - ((PIMAGE_EXPORT_DIRECTORY)uiExportDir)->Base) * sizeof(DWORD));\n\n\t\t\t\t// patch in the address for this imported function\n\t\t\t\tDEREF(uiValueA) = (uiLibraryAddress + DEREF_32(uiAddressArray));\n\t\t\t}\n\t\t\telse\n\t\t\t{\n\t\t\t\t// get the VA of this functions import by name struct\n\t\t\t\tuiValueB = (uiBaseAddress + DEREF(uiValueA));\n\n\t\t\t\t// use GetProcAddress and patch in the address for this imported function\n\t\t\t\tDEREF(uiValueA) = (ULONG_PTR)pGetProcAddress((HMODULE)uiLibraryAddress, (LPCSTR)((PIMAGE_IMPORT_BY_NAME)uiValueB)->Name);\n\t\t\t}\n\t\t\t// get the next imported function\n\t\t\tuiValueA += sizeof(ULONG_PTR);\n\t\t\tif (uiValueD)\n\t\t\t\tuiValueD += sizeof(ULONG_PTR);\n\t\t}\n\n\t\t// get the next import\n\t\tuiValueC += sizeof(IMAGE_IMPORT_DESCRIPTOR);\n\t}\n\n\t// STEP 5: process all of our images relocations...\n\n\t// calculate the base address delta and perform relocations (even if we load at desired image base)\n\tuiLibraryAddress = uiBaseAddress - ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.ImageBase;\n\n\t// uiValueB = the address of the relocation directory\n\tuiValueB = (ULONG_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC];\n\n\t// check if their are any relocations present\n\tif (((PIMAGE_DATA_DIRECTORY)uiValueB)->Size)\n\t{\n\t\t// uiValueC is now the first entry (IMAGE_BASE_RELOCATION)\n\t\tuiValueC = (uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiValueB)->VirtualAddress);\n\n\t\t// and we itterate through all entries...\n\t\twhile (((PIMAGE_BASE_RELOCATION)uiValueC)->SizeOfBlock)\n\t\t{\n\t\t\t// uiValueA = the VA for this relocation block\n\t\t\tuiValueA = (uiBaseAddress + ((PIMAGE_BASE_RELOCATION)uiValueC)->VirtualAddress);\n\n\t\t\t// uiValueB = number of entries in this relocation block\n\t\t\tuiValueB = (((PIMAGE_BASE_RELOCATION)uiValueC)->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) / 
sizeof(IMAGE_RELOC);\n\n\t\t\t// uiValueD is now the first entry in the current relocation block\n\t\t\tuiValueD = uiValueC + sizeof(IMAGE_BASE_RELOCATION);\n\n\t\t\t// we itterate through all the entries in the current block...\n\t\t\twhile (uiValueB--)\n\t\t\t{\n\t\t\t\t// perform the relocation, skipping IMAGE_REL_BASED_ABSOLUTE as required.\n\t\t\t\t// we dont use a switch statement to avoid the compiler building a jump table\n\t\t\t\t// which would not be very position independent!\n\t\t\t\tif (((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_DIR64)\n\t\t\t\t\t*(ULONG_PTR *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += uiLibraryAddress;\n\t\t\t\telse if (((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_HIGHLOW)\n\t\t\t\t\t*(DWORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += (DWORD)uiLibraryAddress;\n#ifdef WIN_ARM\n\t\t\t\t// Note: On ARM, the compiler optimization /O2 seems to introduce an off by one issue, possibly a code gen bug. Using /O1 instead avoids this problem.\n\t\t\t\telse if (((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_ARM_MOV32T)\n\t\t\t\t{\n\t\t\t\t\tregister DWORD dwInstruction;\n\t\t\t\t\tregister DWORD dwAddress;\n\t\t\t\t\tregister WORD wImm;\n\t\t\t\t\t// get the MOV.T instructions DWORD value (We add 4 to the offset to go past the first MOV.W which handles the low word)\n\t\t\t\t\tdwInstruction = *(DWORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset + sizeof(DWORD));\n\t\t\t\t\t// flip the words to get the instruction as expected\n\t\t\t\t\tdwInstruction = MAKELONG(HIWORD(dwInstruction), LOWORD(dwInstruction));\n\t\t\t\t\t// sanity chack we are processing a MOV instruction...\n\t\t\t\t\tif ((dwInstruction & ARM_MOV_MASK) == ARM_MOVT)\n\t\t\t\t\t{\n\t\t\t\t\t\t// pull out the encoded 16bit value (the high portion of the address-to-relocate)\n\t\t\t\t\t\twImm = (WORD)(dwInstruction & 0x000000FF);\n\t\t\t\t\t\twImm |= (WORD)((dwInstruction & 0x00007000) >> 4);\n\t\t\t\t\t\twImm |= (WORD)((dwInstruction & 0x04000000) >> 
15);\n\t\t\t\t\t\twImm |= (WORD)((dwInstruction & 0x000F0000) >> 4);\n\t\t\t\t\t\t// apply the relocation to the target address\n\t\t\t\t\t\tdwAddress = ((WORD)HIWORD(uiLibraryAddress) + wImm) & 0xFFFF;\n\t\t\t\t\t\t// now create a new instruction with the same opcode and register param.\n\t\t\t\t\t\tdwInstruction = (DWORD)(dwInstruction & ARM_MOV_MASK2);\n\t\t\t\t\t\t// patch in the relocated address...\n\t\t\t\t\t\tdwInstruction |= (DWORD)(dwAddress & 0x00FF);\n\t\t\t\t\t\tdwInstruction |= (DWORD)(dwAddress & 0x0700) << 4;\n\t\t\t\t\t\tdwInstruction |= (DWORD)(dwAddress & 0x0800) << 15;\n\t\t\t\t\t\tdwInstruction |= (DWORD)(dwAddress & 0xF000) << 4;\n\t\t\t\t\t\t// now flip the instructions words and patch back into the code...\n\t\t\t\t\t\t*(DWORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset + sizeof(DWORD)) = MAKELONG(HIWORD(dwInstruction), LOWORD(dwInstruction));\n\t\t\t\t\t}\n\t\t\t\t}\n#endif\n\t\t\t\telse if (((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_HIGH)\n\t\t\t\t\t*(WORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += HIWORD(uiLibraryAddress);\n\t\t\t\telse if (((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_LOW)\n\t\t\t\t\t*(WORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += LOWORD(uiLibraryAddress);\n\n\t\t\t\t// get the next entry in the current relocation block\n\t\t\t\tuiValueD += sizeof(IMAGE_RELOC);\n\t\t\t}\n\n\t\t\t// get the next entry in the relocation directory\n\t\t\tuiValueC = uiValueC + ((PIMAGE_BASE_RELOCATION)uiValueC)->SizeOfBlock;\n\t\t}\n\t}\n\n\t// STEP 6: call our images entry point\n\n\t// uiValueA = the VA of our newly loaded DLL/EXE's entry point\n\tuiValueA = (uiBaseAddress + ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.AddressOfEntryPoint);\n\n\t// We must flush the instruction cache to avoid stale code being used which was updated by our relocation processing.\n\tpNtFlushInstructionCache((HANDLE)-1, NULL, 0);\n\n\t// call our respective entry point, fudging our hInstance value\n#ifdef 
REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR\n\t// if we are injecting a DLL via LoadRemoteLibraryR we call DllMain and pass in our parameter (via the DllMain lpReserved parameter)\n\t((DLLMAIN)uiValueA)((HINSTANCE)uiBaseAddress, DLL_PROCESS_ATTACH, lpParameter);\n#else\n\t// if we are injecting an DLL via a stub we call DllMain with no parameter\n\t((DLLMAIN)uiValueA)((HINSTANCE)uiBaseAddress, DLL_PROCESS_ATTACH, NULL);\n#endif\n\n\t// STEP 8: return our new entry point address so whatever called us can call DllMain() if needed.\n\treturn uiValueA;\n}\n//===============================================================================================//\n#ifndef REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN\n\nBOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved)\n{\n\tBOOL bReturnValue = TRUE;\n\tswitch (dwReason)\n\t{\n\tcase DLL_QUERY_HMODULE:\n\t\tif (lpReserved != NULL)\n\t\t\t*(HMODULE *)lpReserved = hAppInstance;\n\t\tbreak;\n\tcase DLL_PROCESS_ATTACH:\n\t\thAppInstance = hinstDLL;\n\t\tbreak;\n\tcase DLL_PROCESS_DETACH:\n\tcase DLL_THREAD_ATTACH:\n\tcase DLL_THREAD_DETACH:\n\t\tbreak;\n\t}\n\treturn bReturnValue;\n}\n\n#endif\n//===============================================================================================//\n"
  },
  {
    "path": "Src/Recon-AD-SPNs/Recon-AD-SPNs/ReflectiveLoader.h",
    "content": "//===============================================================================================//\n// Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com)\n// All rights reserved.\n// \n// Redistribution and use in source and binary forms, with or without modification, are permitted \n// provided that the following conditions are met:\n// \n//     * Redistributions of source code must retain the above copyright notice, this list of \n// conditions and the following disclaimer.\n// \n//     * Redistributions in binary form must reproduce the above copyright notice, this list of \n// conditions and the following disclaimer in the documentation and/or other materials provided \n// with the distribution.\n// \n//     * Neither the name of Harmony Security nor the names of its contributors may be used to\n// endorse or promote products derived from this software without specific prior written permission.\n// \n// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS \"AS IS\" AND ANY EXPRESS OR \n// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND\n// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR \n// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR \n// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR \n// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY \n// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR \n// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE \n// POSSIBILITY OF SUCH DAMAGE.\n//===============================================================================================//\n#ifndef _REFLECTIVEDLLINJECTION_REFLECTIVELOADER_H\n#define _REFLECTIVEDLLINJECTION_REFLECTIVELOADER_H\n//===============================================================================================//\n#define WIN32_LEAN_AND_MEAN\n#include <windows.h>\n#include <Winsock2.h>\n#include <intrin.h>\n\n#include \"ReflectiveDLLInjection.h\"\n\ntypedef HMODULE(WINAPI * LOADLIBRARYA)(LPCSTR);\ntypedef FARPROC(WINAPI * GETPROCADDRESS)(HMODULE, LPCSTR);\ntypedef LPVOID(WINAPI * VIRTUALALLOC)(LPVOID, SIZE_T, DWORD, DWORD);\ntypedef DWORD(NTAPI * NTFLUSHINSTRUCTIONCACHE)(HANDLE, PVOID, ULONG);\n\n#define KERNEL32DLL_HASH\t\t\t\t0x6A4ABC5B\n#define NTDLLDLL_HASH\t\t\t\t\t0x3CFA685D\n\n#define LOADLIBRARYA_HASH\t\t\t\t0xEC0E4E8E\n#define GETPROCADDRESS_HASH\t\t\t\t0x7C0DFCAA\n#define VIRTUALALLOC_HASH\t\t\t\t0x91AFCA54\n#define NTFLUSHINSTRUCTIONCACHE_HASH\t0x534C0AB8\n\n#define IMAGE_REL_BASED_ARM_MOV32A\t\t5\n#define IMAGE_REL_BASED_ARM_MOV32T\t\t7\n\n#define ARM_MOV_MASK\t\t\t\t\t(DWORD)(0xFBF08000)\n#define ARM_MOV_MASK2\t\t\t\t\t(DWORD)(0xFBF08F00)\n#define ARM_MOVW\t\t\t\t\t\t0xF2400000\n#define ARM_MOVT\t\t\t\t\t\t0xF2C00000\n\n#define HASH_KEY\t\t\t\t\t\t13\n//===============================================================================================//\n#pragma intrinsic( _rotr )\n\n__forceinline DWORD ror(DWORD d)\n{\n\treturn 
_rotr(d, HASH_KEY);\n}\n\n__forceinline DWORD hash(char * c)\n{\n\tregister DWORD h = 0;\n\tdo\n\t{\n\t\th = ror(h);\n\t\th += *c;\n\t} while (*++c);\n\n\treturn h;\n}\n//===============================================================================================//\ntypedef struct _UNICODE_STR\n{\n\tUSHORT Length;\n\tUSHORT MaximumLength;\n\tPWSTR pBuffer;\n} UNICODE_STR, *PUNICODE_STR;\n\n// WinDbg> dt -v ntdll!_LDR_DATA_TABLE_ENTRY\n//__declspec( align(8) ) \ntypedef struct _LDR_DATA_TABLE_ENTRY\n{\n\t//LIST_ENTRY InLoadOrderLinks; // As we search from PPEB_LDR_DATA->InMemoryOrderModuleList we dont use the first entry.\n\tLIST_ENTRY InMemoryOrderModuleList;\n\tLIST_ENTRY InInitializationOrderModuleList;\n\tPVOID DllBase;\n\tPVOID EntryPoint;\n\tULONG SizeOfImage;\n\tUNICODE_STR FullDllName;\n\tUNICODE_STR BaseDllName;\n\tULONG Flags;\n\tSHORT LoadCount;\n\tSHORT TlsIndex;\n\tLIST_ENTRY HashTableEntry;\n\tULONG TimeDateStamp;\n} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;\n\n// WinDbg> dt -v ntdll!_PEB_LDR_DATA\ntypedef struct _PEB_LDR_DATA //, 7 elements, 0x28 bytes\n{\n\tDWORD dwLength;\n\tDWORD dwInitialized;\n\tLPVOID lpSsHandle;\n\tLIST_ENTRY InLoadOrderModuleList;\n\tLIST_ENTRY InMemoryOrderModuleList;\n\tLIST_ENTRY InInitializationOrderModuleList;\n\tLPVOID lpEntryInProgress;\n} PEB_LDR_DATA, *PPEB_LDR_DATA;\n\n// WinDbg> dt -v ntdll!_PEB_FREE_BLOCK\ntypedef struct _PEB_FREE_BLOCK // 2 elements, 0x8 bytes\n{\n\tstruct _PEB_FREE_BLOCK * pNext;\n\tDWORD dwSize;\n} PEB_FREE_BLOCK, *PPEB_FREE_BLOCK;\n\n// struct _PEB is defined in Winternl.h but it is incomplete\n// WinDbg> dt -v ntdll!_PEB\ntypedef struct __PEB // 65 elements, 0x210 bytes\n{\n\tBYTE bInheritedAddressSpace;\n\tBYTE bReadImageFileExecOptions;\n\tBYTE bBeingDebugged;\n\tBYTE bSpareBool;\n\tLPVOID lpMutant;\n\tLPVOID lpImageBaseAddress;\n\tPPEB_LDR_DATA pLdr;\n\tLPVOID lpProcessParameters;\n\tLPVOID lpSubSystemData;\n\tLPVOID lpProcessHeap;\n\tPRTL_CRITICAL_SECTION pFastPebLock;\n\tLPVOID 
lpFastPebLockRoutine;\n\tLPVOID lpFastPebUnlockRoutine;\n\tDWORD dwEnvironmentUpdateCount;\n\tLPVOID lpKernelCallbackTable;\n\tDWORD dwSystemReserved;\n\tDWORD dwAtlThunkSListPtr32;\n\tPPEB_FREE_BLOCK pFreeList;\n\tDWORD dwTlsExpansionCounter;\n\tLPVOID lpTlsBitmap;\n\tDWORD dwTlsBitmapBits[2];\n\tLPVOID lpReadOnlySharedMemoryBase;\n\tLPVOID lpReadOnlySharedMemoryHeap;\n\tLPVOID lpReadOnlyStaticServerData;\n\tLPVOID lpAnsiCodePageData;\n\tLPVOID lpOemCodePageData;\n\tLPVOID lpUnicodeCaseTableData;\n\tDWORD dwNumberOfProcessors;\n\tDWORD dwNtGlobalFlag;\n\tLARGE_INTEGER liCriticalSectionTimeout;\n\tDWORD dwHeapSegmentReserve;\n\tDWORD dwHeapSegmentCommit;\n\tDWORD dwHeapDeCommitTotalFreeThreshold;\n\tDWORD dwHeapDeCommitFreeBlockThreshold;\n\tDWORD dwNumberOfHeaps;\n\tDWORD dwMaximumNumberOfHeaps;\n\tLPVOID lpProcessHeaps;\n\tLPVOID lpGdiSharedHandleTable;\n\tLPVOID lpProcessStarterHelper;\n\tDWORD dwGdiDCAttributeList;\n\tLPVOID lpLoaderLock;\n\tDWORD dwOSMajorVersion;\n\tDWORD dwOSMinorVersion;\n\tWORD wOSBuildNumber;\n\tWORD wOSCSDVersion;\n\tDWORD dwOSPlatformId;\n\tDWORD dwImageSubsystem;\n\tDWORD dwImageSubsystemMajorVersion;\n\tDWORD dwImageSubsystemMinorVersion;\n\tDWORD dwImageProcessAffinityMask;\n\tDWORD dwGdiHandleBuffer[34];\n\tLPVOID lpPostProcessInitRoutine;\n\tLPVOID lpTlsExpansionBitmap;\n\tDWORD dwTlsExpansionBitmapBits[32];\n\tDWORD dwSessionId;\n\tULARGE_INTEGER liAppCompatFlags;\n\tULARGE_INTEGER liAppCompatFlagsUser;\n\tLPVOID lppShimData;\n\tLPVOID lpAppCompatInfo;\n\tUNICODE_STR usCSDVersion;\n\tLPVOID lpActivationContextData;\n\tLPVOID lpProcessAssemblyStorageMap;\n\tLPVOID lpSystemDefaultActivationContextData;\n\tLPVOID lpSystemAssemblyStorageMap;\n\tDWORD dwMinimumStackCommit;\n} _PEB, *_PPEB;\n\ntypedef struct\n{\n\tWORD\toffset : 12;\n\tWORD\ttype : 4;\n} IMAGE_RELOC, 
*PIMAGE_RELOC;\n//===============================================================================================//\n#endif\n//===============================================================================================//\n\n"
  },
  {
    "path": "Src/Recon-AD-SPNs/Recon-AD-SPNs.sln",
    "content": "﻿\nMicrosoft Visual Studio Solution File, Format Version 12.00\n# Visual Studio Express 14 for Windows Desktop\nVisualStudioVersion = 14.0.25420.1\nMinimumVisualStudioVersion = 10.0.40219.1\nProject(\"{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}\") = \"Recon-AD-SPNs\", \"Recon-AD-SPNs\\Recon-AD-SPNs.vcxproj\", \"{D30C9D6B-1F45-47BD-825B-389FE8CC9069}\"\nEndProject\nGlobal\n\tGlobalSection(SolutionConfigurationPlatforms) = preSolution\n\t\tDebug|x64 = Debug|x64\n\t\tDebug|x86 = Debug|x86\n\t\tRelease|x64 = Release|x64\n\t\tRelease|x86 = Release|x86\n\tEndGlobalSection\n\tGlobalSection(ProjectConfigurationPlatforms) = postSolution\n\t\t{D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Debug|x64.ActiveCfg = Debug|x64\n\t\t{D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Debug|x64.Build.0 = Debug|x64\n\t\t{D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Debug|x86.ActiveCfg = Debug|Win32\n\t\t{D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Debug|x86.Build.0 = Debug|Win32\n\t\t{D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Release|x64.ActiveCfg = Release|x64\n\t\t{D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Release|x64.Build.0 = Release|x64\n\t\t{D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Release|x86.ActiveCfg = Release|Win32\n\t\t{D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Release|x86.Build.0 = Release|Win32\n\tEndGlobalSection\n\tGlobalSection(SolutionProperties) = preSolution\n\t\tHideSolutionNode = FALSE\n\tEndGlobalSection\nEndGlobal\n"
  },
  {
    "path": "Src/Recon-AD-Users/Recon-AD-Users/Recon-AD-Users.vcxproj",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project DefaultTargets=\"Build\" ToolsVersion=\"14.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\n  <ItemGroup Label=\"ProjectConfigurations\">\n    <ProjectConfiguration Include=\"Debug|Win32\">\n      <Configuration>Debug</Configuration>\n      <Platform>Win32</Platform>\n    </ProjectConfiguration>\n    <ProjectConfiguration Include=\"Release|Win32\">\n      <Configuration>Release</Configuration>\n      <Platform>Win32</Platform>\n    </ProjectConfiguration>\n    <ProjectConfiguration Include=\"Debug|x64\">\n      <Configuration>Debug</Configuration>\n      <Platform>x64</Platform>\n    </ProjectConfiguration>\n    <ProjectConfiguration Include=\"Release|x64\">\n      <Configuration>Release</Configuration>\n      <Platform>x64</Platform>\n    </ProjectConfiguration>\n  </ItemGroup>\n  <PropertyGroup Label=\"Globals\">\n    <ProjectGuid>{D30C9D6B-1F45-47BD-825B-389FE8CC9069}</ProjectGuid>\n    <RootNamespace>ReconADDomain</RootNamespace>\n    <WindowsTargetPlatformVersion>8.1</WindowsTargetPlatformVersion>\n    <ProjectName>Recon-AD-Users</ProjectName>\n  </PropertyGroup>\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.Default.props\" />\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\" Label=\"Configuration\">\n    <ConfigurationType>Application</ConfigurationType>\n    <UseDebugLibraries>true</UseDebugLibraries>\n    <PlatformToolset>v140</PlatformToolset>\n    <CharacterSet>MultiByte</CharacterSet>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\" Label=\"Configuration\">\n    <ConfigurationType>DynamicLibrary</ConfigurationType>\n    <UseDebugLibraries>false</UseDebugLibraries>\n    <PlatformToolset>v140</PlatformToolset>\n    <WholeProgramOptimization>true</WholeProgramOptimization>\n    <CharacterSet>Unicode</CharacterSet>\n  </PropertyGroup>\n  <PropertyGroup 
Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\" Label=\"Configuration\">\n    <ConfigurationType>Application</ConfigurationType>\n    <UseDebugLibraries>true</UseDebugLibraries>\n    <PlatformToolset>v140</PlatformToolset>\n    <CharacterSet>MultiByte</CharacterSet>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\" Label=\"Configuration\">\n    <ConfigurationType>DynamicLibrary</ConfigurationType>\n    <UseDebugLibraries>false</UseDebugLibraries>\n    <PlatformToolset>v140</PlatformToolset>\n    <WholeProgramOptimization>true</WholeProgramOptimization>\n    <CharacterSet>Unicode</CharacterSet>\n  </PropertyGroup>\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.props\" />\n  <ImportGroup Label=\"ExtensionSettings\">\n  </ImportGroup>\n  <ImportGroup Label=\"Shared\">\n  </ImportGroup>\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" 
Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <PropertyGroup Label=\"UserMacros\" />\n  <PropertyGroup />\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">\n    <ClCompile>\n      <WarningLevel>Level3</WarningLevel>\n      <Optimization>Disabled</Optimization>\n      <SDLCheck>true</SDLCheck>\n    </ClCompile>\n  </ItemDefinitionGroup>\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\n    <ClCompile>\n      <WarningLevel>Level3</WarningLevel>\n      <Optimization>Disabled</Optimization>\n      <SDLCheck>true</SDLCheck>\n    </ClCompile>\n  </ItemDefinitionGroup>\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">\n    <ClCompile>\n      <WarningLevel>Level3</WarningLevel>\n      <Optimization>MaxSpeed</Optimization>\n      <FunctionLevelLinking>true</FunctionLevelLinking>\n      <IntrinsicFunctions>true</IntrinsicFunctions>\n      <SDLCheck>true</SDLCheck>\n      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>\n      <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;WIN_X86;REFLECTIVE_DLL_EXPORTS;REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR;REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN;%(PreprocessorDefinitions)</PreprocessorDefinitions>\n    </ClCompile>\n    <Link>\n      <EnableCOMDATFolding>true</EnableCOMDATFolding>\n      <OptimizeReferences>true</OptimizeReferences>\n      <GenerateDebugInformation>false</GenerateDebugInformation>\n    </Link>\n  </ItemDefinitionGroup>\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\n    <ClCompile>\n      <WarningLevel>Level3</WarningLevel>\n      <Optimization>MaxSpeed</Optimization>\n      <FunctionLevelLinking>true</FunctionLevelLinking>\n      <IntrinsicFunctions>true</IntrinsicFunctions>\n      <SDLCheck>true</SDLCheck>\n      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>\n      
<PreprocessorDefinitions>WIN64;NDEBUG;_WINDOWS;_USRDLL;REFLECTIVE_DLL_EXPORTS;WIN_X64;REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR;REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN;%(PreprocessorDefinitions)</PreprocessorDefinitions>\n    </ClCompile>\n    <Link>\n      <EnableCOMDATFolding>true</EnableCOMDATFolding>\n      <OptimizeReferences>true</OptimizeReferences>\n      <GenerateDebugInformation>false</GenerateDebugInformation>\n    </Link>\n  </ItemDefinitionGroup>\n  <ItemGroup>\n    <ClInclude Include=\"ReflectiveDLLInjection.h\" />\n    <ClInclude Include=\"ReflectiveLoader.h\" />\n  </ItemGroup>\n  <ItemGroup>\n    <ClCompile Include=\"ReflectiveDll.cpp\" />\n    <ClCompile Include=\"ReflectiveLoader.cpp\" />\n  </ItemGroup>\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.targets\" />\n  <ImportGroup Label=\"ExtensionTargets\">\n  </ImportGroup>\n</Project>"
  },
  {
    "path": "Src/Recon-AD-Users/Recon-AD-Users/Recon-AD-Users.vcxproj.filters",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project ToolsVersion=\"4.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\n  <ItemGroup>\n    <Filter Include=\"Source Files\">\n      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>\n      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>\n    </Filter>\n    <Filter Include=\"Header Files\">\n      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>\n      <Extensions>h;hh;hpp;hxx;hm;inl;inc;xsd</Extensions>\n    </Filter>\n    <Filter Include=\"Resource Files\">\n      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>\n      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>\n    </Filter>\n  </ItemGroup>\n  <ItemGroup>\n    <ClInclude Include=\"ReflectiveDLLInjection.h\">\n      <Filter>Header Files</Filter>\n    </ClInclude>\n    <ClInclude Include=\"ReflectiveLoader.h\">\n      <Filter>Header Files</Filter>\n    </ClInclude>\n  </ItemGroup>\n  <ItemGroup>\n    <ClCompile Include=\"ReflectiveLoader.cpp\">\n      <Filter>Source Files</Filter>\n    </ClCompile>\n    <ClCompile Include=\"ReflectiveDll.cpp\">\n      <Filter>Source Files</Filter>\n    </ClCompile>\n  </ItemGroup>\n</Project>"
  },
  {
    "path": "Src/Recon-AD-Users/Recon-AD-Users/Recon-AD-Users.vcxproj.user",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project ToolsVersion=\"14.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\n  <PropertyGroup />\n</Project>"
  },
  {
    "path": "Src/Recon-AD-Users/Recon-AD-Users/ReflectiveDLLInjection.h",
    "content": "//===============================================================================================//\n// Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com)\n// All rights reserved.\n// \n// Redistribution and use in source and binary forms, with or without modification, are permitted \n// provided that the following conditions are met:\n// \n//     * Redistributions of source code must retain the above copyright notice, this list of \n// conditions and the following disclaimer.\n// \n//     * Redistributions in binary form must reproduce the above copyright notice, this list of \n// conditions and the following disclaimer in the documentation and/or other materials provided \n// with the distribution.\n// \n//     * Neither the name of Harmony Security nor the names of its contributors may be used to\n// endorse or promote products derived from this software without specific prior written permission.\n// \n// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS \"AS IS\" AND ANY EXPRESS OR \n// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND\n// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR \n// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR \n// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR \n// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY \n// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR \n// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE \n// POSSIBILITY OF SUCH DAMAGE.\n//===============================================================================================//\n#ifndef _REFLECTIVEDLLINJECTION_REFLECTIVEDLLINJECTION_H\n#define _REFLECTIVEDLLINJECTION_REFLECTIVEDLLINJECTION_H\n//===============================================================================================//\n#define WIN32_LEAN_AND_MEAN\n#include <windows.h>\n\n// we declare some common stuff in here...\n\n#define DLL_QUERY_HMODULE\t\t6\n\n#define DEREF( name )*(UINT_PTR *)(name)\n#define DEREF_64( name )*(DWORD64 *)(name)\n#define DEREF_32( name )*(DWORD *)(name)\n#define DEREF_16( name )*(WORD *)(name)\n#define DEREF_8( name )*(BYTE *)(name)\n\ntypedef ULONG_PTR(WINAPI * REFLECTIVELOADER)(VOID);\ntypedef BOOL(WINAPI * DLLMAIN)(HINSTANCE, DWORD, LPVOID);\n\n#define DLLEXPORT   __declspec( dllexport ) \n\n//===============================================================================================//\n#endif\n//===============================================================================================//\n\n"
  },
  {
    "path": "Src/Recon-AD-Users/Recon-AD-Users/ReflectiveDll.cpp",
    "content": "#undef  _UNICODE\n#define _UNICODE\n#undef  UNICODE\n#define UNICODE\n\n#include \"ReflectiveLoader.h\"\n#include <stdio.h>\n#include <objbase.h>\n#include <activeds.h>\n#include <sddl.h>\n\n#pragma comment(lib, \"ADSIid.lib\")\n#pragma comment(lib, \"ActiveDS.Lib\")\n\n// Note: REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR and REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN are\n// defined in the project properties (Properties->C++->Preprocessor) so as we can specify our own \n// DllMain and use the LoadRemoteLibraryR() API to inject this DLL.\n\n// You can use this value as a pseudo hinstDLL value (defined and set via ReflectiveLoader.c)\nextern HINSTANCE hAppInstance;\n\n\nint IS_BUFFER_ENOUGH(UINT maxAlloc, LPWSTR pszTarget, LPCWSTR pszSource, int toCopy = -1) {\n\tif (toCopy == -1) {\n\t\ttoCopy = wcslen(pszSource);\n\t}\n\n\treturn maxAlloc - (wcslen(pszTarget) + toCopy + 1);\n}\n\nHRESULT FindUsers(IDirectorySearch *pContainerToSearch,\t// IDirectorySearch pointer to Partitions container.\n\tLPOLESTR szFilter,\t\t\t\t\t\t\t\t\t// Filter for finding specific crossrefs. NULL returns all attributeSchema objects.\n\tLPOLESTR *pszPropertiesToReturn)\t\t\t\t\t// Properties to return for crossRef objects found. NULL returns all set properties.\n{\n\tif (!pContainerToSearch)\n\t\treturn E_POINTER;\n\n\t// Create search filter\n\tLPOLESTR pszSearchFilter = new OLECHAR[MAX_PATH * 2];\n\tif (!pszSearchFilter)\n\t\treturn E_OUTOFMEMORY;\n\twchar_t szFormat[] = L\"(&(objectClass=user)(objectCategory=person)%s)\";\n\n\t// Check the buffer first\n\tif (IS_BUFFER_ENOUGH(MAX_PATH * 2, szFormat, szFilter) > 0)\n\t{\n\t\t// Add the filter.\n\t\tswprintf_s(pszSearchFilter, MAX_PATH * 2, szFormat, szFilter);\n\t}\n\telse\n\t{\n\t\twprintf(L\"[!] 
The filter is too large for buffer, aborting...\");\n\t\tdelete[] pszSearchFilter;\n\t\treturn FALSE;\n\t}\n\n\t// Specify subtree search\n\tADS_SEARCHPREF_INFO SearchPrefs;\n\tSearchPrefs.dwSearchPref = ADS_SEARCHPREF_SEARCH_SCOPE;\n\tSearchPrefs.vValue.dwType = ADSTYPE_INTEGER;\n\tSearchPrefs.vValue.Integer = ADS_SCOPE_SUBTREE;\n\tDWORD dwNumPrefs = 1;\n\n\t// COL for iterations\n\tLPOLESTR pszColumn = NULL;\n\tADS_SEARCH_COLUMN col;\n\tHRESULT hr;\n\n\t// Interface Pointers\n\tIADs *pObj = NULL;\n\tIADs *pIADs = NULL;\n\n\t// Handle used for searching\n\tADS_SEARCH_HANDLE hSearch = NULL;\n\n\t// Set the search preference\n\thr = pContainerToSearch->SetSearchPreference(&SearchPrefs, dwNumPrefs);\n\tif (FAILED(hr))\n\t{\n\t\tdelete[] pszSearchFilter;\n\t\treturn hr;\n\t}\n\n\tLPOLESTR pszBool = NULL;\n\tDWORD dwBool;\n\tPSID pObjectSID = NULL;\n\tLPOLESTR szSID = NULL;\n\tLPOLESTR szDSGUID = new WCHAR[39];\n\tLPGUID pObjectGUID = NULL;\n\tFILETIME filetime;\n\tSYSTEMTIME systemtime;\n\tDATE date;\n\tVARIANT varDate;\n\tLARGE_INTEGER liValue;\n\tLPOLESTR *pszPropertyList = NULL;\n\n\tint iCount = 0;\n\tDWORD x = 0L;\n\n\tif (!pszPropertiesToReturn)\n\t{\n\t\t// Return all properties.\n\t\thr = pContainerToSearch->ExecuteSearch(pszSearchFilter,\n\t\t\tNULL,\n\t\t\t-1L,\n\t\t\t&hSearch);\n\t}\n\telse\n\t{\n\t\t// Specified subset.\n\t\tpszPropertyList = pszPropertiesToReturn;\n\n\t\t// Return specified properties\n\t\thr = pContainerToSearch->ExecuteSearch(pszSearchFilter,\n\t\t\tpszPropertyList,\n\t\t\tsizeof(pszPropertyList) / sizeof(LPOLESTR),\n\t\t\t&hSearch);\n\t}\n\n\tif (SUCCEEDED(hr))\n\t{\n\t\t// Call IDirectorySearch::GetNextRow() to retrieve the next row of data\n\t\thr = pContainerToSearch->GetFirstRow(hSearch);\n\t\tif (SUCCEEDED(hr))\n\t\t{\n\t\t\twhile (hr != S_ADS_NOMORE_ROWS)\n\t\t\t{\n\t\t\t\t// Keep track of 
count.\n\t\t\t\tiCount++;\n\t\t\t\t\t\n\t\t\t\twprintf(L\"--------------------------------------------------------------------\\n\");\n\t\t\t\t\n\t\t\t\t// Loop through the array of passed column names, print the data for each column\n\t\t\t\twhile (pContainerToSearch->GetNextColumnName(hSearch, &pszColumn) != S_ADS_NOMORE_COLUMNS)\n\t\t\t\t{\n\t\t\t\t\thr = pContainerToSearch->GetColumn(hSearch, pszColumn, &col);\n\t\t\t\t\tif (SUCCEEDED(hr))\n\t\t\t\t\t{\n\t\t\t\t\t\t// Print the data for the column and free the column\n\t\t\t\t\t\t// Get the data for this column\n\t\t\t\t\t\twprintf(L\"[+] %s:\\n\", col.pszAttrName);\n\t\t\t\t\t\tswitch (col.dwADsType)\n\t\t\t\t\t\t{\n\t\t\t\t\t\tcase ADSTYPE_DN_STRING:\n\t\t\t\t\t\t\tfor (x = 0; x< col.dwNumValues; x++)\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\twprintf(L\"    %s\\r\\n\", col.pADsValues[x].DNString);\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\tcase ADSTYPE_CASE_EXACT_STRING:\n\t\t\t\t\t\tcase ADSTYPE_CASE_IGNORE_STRING:\n\t\t\t\t\t\tcase ADSTYPE_PRINTABLE_STRING:\n\t\t\t\t\t\tcase ADSTYPE_NUMERIC_STRING:\n\t\t\t\t\t\tcase ADSTYPE_TYPEDNAME:\n\t\t\t\t\t\tcase ADSTYPE_FAXNUMBER:\n\t\t\t\t\t\tcase ADSTYPE_PATH:\n\t\t\t\t\t\tcase ADSTYPE_OBJECT_CLASS:\n\t\t\t\t\t\t\tfor (x = 0; x< col.dwNumValues; x++)\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\twprintf(L\"    %s\\r\\n\", col.pADsValues[x].CaseIgnoreString);\n\t\t\t\t\t\t\t\tif (wcscmp(L\"ADsPath\", col.pszAttrName) == 0) {\n\t\t\t\t\t\t\t\t\tIADsUser *pUser;\n\t\t\t\t\t\t\t\t\tSYSTEMTIME ExpirationDate;\n\t\t\t\t\t\t\t\t\tVARIANT_BOOL pfAccountDisabled;\n\n\t\t\t\t\t\t\t\t\thr = ADsGetObject(col.pADsValues[x].CaseIgnoreString, IID_IADsUser, (void**)&pUser);\n\t\t\t\t\t\t\t\t\tif (SUCCEEDED(hr))\n\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\tDATE expirationDate;\n\n\t\t\t\t\t\t\t\t\t\thr = pUser->get_PasswordExpirationDate(&expirationDate);\n\t\t\t\t\t\t\t\t\t\tif (SUCCEEDED(hr))\n\t\t\t\t\t\t\t\t\t\t\tVariantTimeToSystemTime(expirationDate, 
&ExpirationDate);\n\t\t\t\t\t\t\t\t\t\telse {\n\t\t\t\t\t\t\t\t\t\t\tpUser->Release();\n\t\t\t\t\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\t\t\t\t\t}\n\n\t\t\t\t\t\t\t\t\t\twprintf(L\"[+] Password expire settings:\\r\\n\");\n\n\t\t\t\t\t\t\t\t\t\tif (ExpirationDate.wYear == 1970) {\n\t\t\t\t\t\t\t\t\t\t\twprintf(L\"    password never expires\\r\\n\");\n\t\t\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t\t\telse {\n\t\t\t\t\t\t\t\t\t\t\twprintf(L\"    password expires at: %02d-%02d-%02d %02d:%02d:%02d\\r\\n\", ExpirationDate.wDay, ExpirationDate.wMonth, ExpirationDate.wYear, ExpirationDate.wHour, ExpirationDate.wMinute, ExpirationDate.wSecond);\n\t\t\t\t\t\t\t\t\t\t}\n\n\t\t\t\t\t\t\t\t\t\twprintf(L\"[+] Account options:\\r\\n\");\n\n\t\t\t\t\t\t\t\t\t\thr = pUser->get_AccountDisabled(&pfAccountDisabled);\n\t\t\t\t\t\t\t\t\t\tif (SUCCEEDED(hr))\n\t\t\t\t\t\t\t\t\t\t\tif (pfAccountDisabled != 0) {\n\t\t\t\t\t\t\t\t\t\t\t\twprintf(L\"    account disabled\\r\\n\");\n\t\t\t\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t\t\t\telse if (pfAccountDisabled == 0) {\n\t\t\t\t\t\t\t\t\t\t\t\twprintf(L\"    account enabled\\r\\n\");\n\t\t\t\t\t\t\t\t\t\t\t}\n\n\t\t\t\t\t\t\t\t\t\t\tpUser->Release();\n\t\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\tcase ADSTYPE_BOOLEAN:\n\t\t\t\t\t\t\tfor (x = 0; x< col.dwNumValues; x++)\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\tdwBool = col.pADsValues[x].Boolean;\n\t\t\t\t\t\t\t\tpszBool = dwBool ? 
L\"TRUE\" : L\"FALSE\";\n\t\t\t\t\t\t\t\twprintf(L\"    %s\\r\\n\", pszBool);\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\tcase ADSTYPE_INTEGER:\n\t\t\t\t\t\t\tfor (x = 0; x< col.dwNumValues; x++)\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\twprintf(L\"    %d\\r\\n\", col.pADsValues[x].Integer);\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\tcase ADSTYPE_OCTET_STRING:\n\t\t\t\t\t\t\tif (_wcsicmp(col.pszAttrName, L\"objectSID\") == 0)\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\tfor (x = 0; x< col.dwNumValues; x++)\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tpObjectSID = (PSID)(col.pADsValues[x].OctetString.lpValue);\n\t\t\t\t\t\t\t\t\t// Convert SID to string.\n\t\t\t\t\t\t\t\t\tConvertSidToStringSid(pObjectSID, &szSID);\n\t\t\t\t\t\t\t\t\twprintf(L\"    %s\\r\\n\", szSID);\n\t\t\t\t\t\t\t\t\tLocalFree(szSID);\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\telse if ((_wcsicmp(col.pszAttrName, L\"objectGUID\") == 0))\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\tfor (x = 0; x< col.dwNumValues; x++)\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t// Cast to LPGUID\n\t\t\t\t\t\t\t\t\tpObjectGUID = (LPGUID)(col.pADsValues[x].OctetString.lpValue);\n\t\t\t\t\t\t\t\t\t// Convert GUID to string.\n\t\t\t\t\t\t\t\t\t::StringFromGUID2(*pObjectGUID, szDSGUID, 39);\n\t\t\t\t\t\t\t\t\t// Print the GUID\n\t\t\t\t\t\t\t\t\twprintf(L\"    %s\\r\\n\", szDSGUID);\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\telse\n\t\t\t\t\t\t\t\twprintf(L\"    Value of type Octet String. 
No Conversion.\\n\");\n\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\tcase ADSTYPE_UTC_TIME:\n\t\t\t\t\t\t\tfor (x = 0; x< col.dwNumValues; x++)\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\tsystemtime = col.pADsValues[x].UTCTime;\n\t\t\t\t\t\t\t\tif (SystemTimeToVariantTime(&systemtime,\n\t\t\t\t\t\t\t\t\t&date) != 0)\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t// Pack in variant.vt\n\t\t\t\t\t\t\t\t\tvarDate.vt = VT_DATE;\n\t\t\t\t\t\t\t\t\tvarDate.date = date;\n\t\t\t\t\t\t\t\t\tVariantChangeType(&varDate, &varDate, VARIANT_NOVALUEPROP, VT_BSTR);\n\t\t\t\t\t\t\t\t\twprintf(L\"    %s\\r\\n\", varDate.bstrVal);\n\t\t\t\t\t\t\t\t\tVariantClear(&varDate);\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\telse\n\t\t\t\t\t\t\t\t\twprintf(L\"[!] Could not convert UTC-Time.\\n\");\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\tcase ADSTYPE_LARGE_INTEGER:\n\t\t\t\t\t\t\tfor (x = 0; x< col.dwNumValues; x++)\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\tliValue = col.pADsValues[x].LargeInteger;\n\t\t\t\t\t\t\t\tfiletime.dwLowDateTime = liValue.LowPart;\n\t\t\t\t\t\t\t\tfiletime.dwHighDateTime = liValue.HighPart;\n\t\t\t\t\t\t\t\tif ((filetime.dwHighDateTime == 0) && (filetime.dwLowDateTime == 0))\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\twprintf(L\"    No value set.\\n\");\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\telse\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t// Check for properties of type LargeInteger that represent time\n\t\t\t\t\t\t\t\t\t// if TRUE, then convert to variant time.\n\t\t\t\t\t\t\t\t\tif ((0 == wcscmp(L\"accountExpires\", col.pszAttrName)) |\n\t\t\t\t\t\t\t\t\t\t(0 == wcscmp(L\"badPasswordTime\", col.pszAttrName)) ||\n\t\t\t\t\t\t\t\t\t\t(0 == wcscmp(L\"lastLogon\", col.pszAttrName)) ||\n\t\t\t\t\t\t\t\t\t\t(0 == wcscmp(L\"lastLogoff\", col.pszAttrName)) ||\n\t\t\t\t\t\t\t\t\t\t(0 == wcscmp(L\"lockoutTime\", col.pszAttrName)) ||\n\t\t\t\t\t\t\t\t\t\t(0 == wcscmp(L\"pwdLastSet\", col.pszAttrName))\n\t\t\t\t\t\t\t\t\t\t)\n\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t// Handle special case for Never Expires where low part is 
-1\n\t\t\t\t\t\t\t\t\t\tif (filetime.dwLowDateTime == -1)\n\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\twprintf(L\"    Never Expires.\\n\");\n\t\t\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t\t\telse\n\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\tif (FileTimeToLocalFileTime(&filetime, &filetime) != 0)\n\t\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\t\tif (FileTimeToSystemTime(&filetime,\n\t\t\t\t\t\t\t\t\t\t\t\t\t&systemtime) != 0)\n\t\t\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\t\t\tif (SystemTimeToVariantTime(&systemtime,\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t&date) != 0)\n\t\t\t\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t// Pack in variant.vt\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tvarDate.vt = VT_DATE;\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tvarDate.date = date;\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tVariantChangeType(&varDate, &varDate, VARIANT_NOVALUEPROP, VT_BSTR);\n\t\t\t\t\t\t\t\t\t\t\t\t\t\twprintf(L\"    %s\\r\\n\", varDate.bstrVal);\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tVariantClear(&varDate);\n\t\t\t\t\t\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t\t\t\t\t\telse\n\t\t\t\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\t\t\t\twprintf(L\"    FileTimeToVariantTime failed\\n\");\n\t\t\t\t\t\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t\t\t\t\telse\n\t\t\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\t\t\twprintf(L\"    FileTimeToSystemTime failed\\n\");\n\t\t\t\t\t\t\t\t\t\t\t\t}\n\n\t\t\t\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t\t\t\telse\n\t\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\t\twprintf(L\"    FileTimeToLocalFileTime failed\\n\");\n\t\t\t\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t\telse\n\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t// Print the LargeInteger.\n\t\t\t\t\t\t\t\t\t\twprintf(L\"    high: %d low: %d\\r\\n\", filetime.dwHighDateTime, filetime.dwLowDateTime);\n\t\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\tcase ADSTYPE_NT_SECURITY_DESCRIPTOR:\n\t\t\t\t\t\t\tfor (x = 0; x< col.dwNumValues; 
x++)\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\twprintf(L\"    Security descriptor.\\n\");\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\tdefault:\n\t\t\t\t\t\t\twprintf(L\"[!] Unknown type %d.\\n\", col.dwADsType);\n\t\t\t\t\t\t}\n\n\t\t\t\t\t\tpContainerToSearch->FreeColumn(&col);\n\t\t\t\t\t}\n\t\t\t\t\tCoTaskMemFree(pszColumn);\n\t\t\t\t}\n\n\t\t\t\t// Get the next row\n\t\t\t\thr = pContainerToSearch->GetNextRow(hSearch);\n\t\t\t}\n\t\t}\n\t\t// Close the search handle to clean up\n\t\tpContainerToSearch->CloseSearchHandle(hSearch);\n\t}\n\tif (SUCCEEDED(hr) && 0 == iCount)\n\t\thr = S_FALSE;\n\n\twprintf(L\"--------------------------------------------------------------------\\n\");\n\n\tdelete[] pszSearchFilter;\n\treturn hr;\n}\n\n\nBOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved)\n{\n\tBOOL bReturnValue = TRUE;\n\tLPWSTR pwszParams = (LPWSTR)calloc(strlen((LPSTR)lpReserved) + 1, sizeof(WCHAR));\n\tsize_t convertedChars = 0;\n\tsize_t newsize = strlen((LPSTR)lpReserved) + 1;\n\n\tswitch (dwReason)\n\t{\n\tcase DLL_QUERY_HMODULE:\n\t\tif (lpReserved != NULL)\n\t\t\t*(HMODULE *)lpReserved = hAppInstance;\n\t\tbreak;\n\tcase DLL_PROCESS_ATTACH:\n\t\thAppInstance = hinstDLL;\n\n\t\tif (lpReserved != NULL) {\n\n\t\t\t// Handle the command line arguments.\n\t\t\tint maxAlloc = MAX_PATH * 2;\n\t\t\tLPOLESTR pszBuffer = new OLECHAR[maxAlloc];\n\t\t\tmbstowcs_s(&convertedChars, pwszParams, newsize, (LPSTR)lpReserved, _TRUNCATE);\n\t\t\twcscpy_s(pszBuffer, maxAlloc, pwszParams);\n\n\t\t\t// Initialize COM\n\t\t\tCoInitialize(NULL);\n\t\t\tHRESULT hr = S_OK;\n\n\t\t\t// Get rootDSE and the current user's domain container DN.\n\t\t\tIADs *pObject = NULL;\n\t\t\tIDirectorySearch *pContainerToSearch = NULL;\n\t\t\tLPOLESTR szPath = new OLECHAR[MAX_PATH];\n\t\t\tVARIANT var;\n\t\t\thr = ADsOpenObject(L\"LDAP://rootDSE\",\n\t\t\t\tNULL,\n\t\t\t\tNULL,\n\t\t\t\tADS_SECURE_AUTHENTICATION, // Use Secure 
Authentication\n\t\t\t\tIID_IADs,\n\t\t\t\t(void**)&pObject);\n\t\t\tif (FAILED(hr))\n\t\t\t{\n\t\t\t\twprintf(L\"[!] Could not execute query. Could not bind to LDAP://rootDSE.\\n\");\n\t\t\t\tif (pObject)\n\t\t\t\t\tpObject->Release();\n\t\t\t\tdelete[] pszBuffer;\n\t\t\t\tdelete[] szPath;\n\t\t\t\tCoUninitialize();\n\n\t\t\t\t// Flush STDOUT\n\t\t\t\tfflush(stdout);\n\n\t\t\t\t// We're done, so let's exit\n\t\t\t\tExitProcess(0);\n\t\t\t}\n\t\t\tif (SUCCEEDED(hr))\n\t\t\t{\n\t\t\t\thr = pObject->Get(L\"defaultNamingContext\", &var);\n\t\t\t\tif (SUCCEEDED(hr))\n\t\t\t\t{\n\t\t\t\t\t// Build path to the domain container.\n\t\t\t\t\twcscpy_s(szPath, MAX_PATH, L\"LDAP://\");\n\t\t\t\t\tif (IS_BUFFER_ENOUGH(MAX_PATH, szPath, var.bstrVal) > 0)\n\t\t\t\t\t{\n\t\t\t\t\t\twcscat_s(szPath, MAX_PATH, var.bstrVal);\n\t\t\t\t\t}\n\t\t\t\t\telse\n\t\t\t\t\t{\n\t\t\t\t\t\twprintf(L\"[!] Buffer is too small for the domain DN\");\n\t\t\t\t\t\tdelete[] pszBuffer;\n\t\t\t\t\t\tdelete[] szPath;\n\t\t\t\t\t\tCoUninitialize();\n\n\t\t\t\t\t\t// Flush STDOUT\n\t\t\t\t\t\tfflush(stdout);\n\n\t\t\t\t\t\t// We're done, so let's exit\n\t\t\t\t\t\tExitProcess(0);\n\t\t\t\t\t}\n\n\t\t\t\t\thr = ADsOpenObject(szPath,\n\t\t\t\t\t\tNULL,\n\t\t\t\t\t\tNULL,\n\t\t\t\t\t\tADS_SECURE_AUTHENTICATION, // Use Secure Authentication\n\t\t\t\t\t\tIID_IDirectorySearch,\n\t\t\t\t\t\t(void**)&pContainerToSearch);\n\n\t\t\t\t\tif (SUCCEEDED(hr))\n\t\t\t\t\t{\n\t\t\t\t\t\thr = FindUsers(pContainerToSearch, // IDirectorySearch pointer to Partitions container.\n\t\t\t\t\t\t\tpszBuffer,\n\t\t\t\t\t\t\tNULL\t//Return all properties\n\t\t\t\t\t\t);\n\t\t\t\t\t\tif (SUCCEEDED(hr))\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tif (S_FALSE == hr)\n\t\t\t\t\t\t\t\twprintf(L\"[!] No user object could be found.\\n\");\n\t\t\t\t\t\t}\n\t\t\t\t\t\telse if (0x8007203e == hr)\n\t\t\t\t\t\t\twprintf(L\"[!] Could not execute query. An invalid filter was specified.\\n\");\n\t\t\t\t\t\telse\n\t\t\t\t\t\t\twprintf(L\"[!] Query failed to run. 
HRESULT: %x\\n\", hr);\n\t\t\t\t\t}\n\t\t\t\t\telse\n\t\t\t\t\t{\n\t\t\t\t\t\twprintf(L\"[!] Could not execute query. Could not bind to the container.\\n\");\n\t\t\t\t\t}\n\t\t\t\t\tif (pContainerToSearch)\n\t\t\t\t\t\tpContainerToSearch->Release();\n\t\t\t\t}\n\t\t\t\tVariantClear(&var);\n\t\t\t}\n\t\t\tif (pObject)\n\t\t\t\tpObject->Release();\n\n\t\t\tdelete[] pszBuffer;\n\t\t\tdelete[] szPath;\n\n\t\t\t// Uninitialize COM\n\t\t\tCoUninitialize();\n\t\t}\n\n\t\t// Flush STDOUT\n\t\tfflush(stdout);\n\n\t\t// We're done, so let's exit\n\t\tExitProcess(0);\n\t\tbreak;\n\tcase DLL_PROCESS_DETACH:\n\tcase DLL_THREAD_ATTACH:\n\tcase DLL_THREAD_DETACH:\n\t\tbreak;\n\t}\n\treturn bReturnValue;\n}\n"
  },
  {
    "path": "Src/Recon-AD-Users/Recon-AD-Users/ReflectiveLoader.cpp",
    "content": "//===============================================================================================//\n// Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com)\n// All rights reserved.\n// \n// Redistribution and use in source and binary forms, with or without modification, are permitted \n// provided that the following conditions are met:\n// \n//     * Redistributions of source code must retain the above copyright notice, this list of \n// conditions and the following disclaimer.\n// \n//     * Redistributions in binary form must reproduce the above copyright notice, this list of \n// conditions and the following disclaimer in the documentation and/or other materials provided \n// with the distribution.\n// \n//     * Neither the name of Harmony Security nor the names of its contributors may be used to\n// endorse or promote products derived from this software without specific prior written permission.\n// \n// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS \"AS IS\" AND ANY EXPRESS OR \n// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND\n// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR \n// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR \n// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR \n// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY \n// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR \n// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE \n// POSSIBILITY OF SUCH DAMAGE.\n//===============================================================================================//\n#include \"ReflectiveLoader.h\"\n//===============================================================================================//\n// Our loader will set this to a pseudo correct HINSTANCE/HMODULE value\nHINSTANCE hAppInstance = NULL;\n//===============================================================================================//\n#pragma intrinsic( _ReturnAddress )\n// This function can not be inlined by the compiler or we will not get the address we expect. Ideally \n// this code will be compiled with the /O2 and /Ob1 switches. 
Bonus points if we could take advantage of \n// RIP relative addressing in this instance but I dont believe we can do so with the compiler intrinsics \n// available (and no inline asm available under x64).\n__declspec(noinline) ULONG_PTR caller(VOID) { return (ULONG_PTR)_ReturnAddress(); }\n//===============================================================================================//\n\n// Note 1: If you want to have your own DllMain, define REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN,  \n//         otherwise the DllMain at the end of this file will be used.\n\n// Note 2: If you are injecting the DLL via LoadRemoteLibraryR, define REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR,\n//         otherwise it is assumed you are calling the ReflectiveLoader via a stub.\n\n// This is our position independent reflective DLL loader/injector\n#ifdef REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR\nDLLEXPORT ULONG_PTR WINAPI ReflectiveLoader(LPVOID lpParameter)\n#else\nDLLEXPORT ULONG_PTR WINAPI ReflectiveLoader(VOID)\n#endif\n{\n\t// the functions we need\n\tLOADLIBRARYA pLoadLibraryA = NULL;\n\tGETPROCADDRESS pGetProcAddress = NULL;\n\tVIRTUALALLOC pVirtualAlloc = NULL;\n\tNTFLUSHINSTRUCTIONCACHE pNtFlushInstructionCache = NULL;\n\n\tUSHORT usCounter;\n\n\t// the initial location of this image in memory\n\tULONG_PTR uiLibraryAddress;\n\t// the kernels base address and later this images newly loaded base address\n\tULONG_PTR uiBaseAddress;\n\n\t// variables for processing the kernels export table\n\tULONG_PTR uiAddressArray;\n\tULONG_PTR uiNameArray;\n\tULONG_PTR uiExportDir;\n\tULONG_PTR uiNameOrdinals;\n\tDWORD dwHashValue;\n\n\t// variables for loading this image\n\tULONG_PTR uiHeaderValue;\n\tULONG_PTR uiValueA;\n\tULONG_PTR uiValueB;\n\tULONG_PTR uiValueC;\n\tULONG_PTR uiValueD;\n\tULONG_PTR uiValueE;\n\n\t// STEP 0: calculate our images current base address\n\n\t// we will start searching backwards from our callers return address.\n\tuiLibraryAddress = caller();\n\n\t// loop 
through memory backwards searching for our images base address\n\t// we dont need SEH style search as we shouldnt generate any access violations with this\n\twhile (TRUE)\n\t{\n\t\tif (((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_magic == IMAGE_DOS_SIGNATURE)\n\t\t{\n\t\t\tuiHeaderValue = ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew;\n\t\t\t// some x64 dll's can trigger a bogus signature (IMAGE_DOS_SIGNATURE == 'POP r10'),\n\t\t\t// we sanity check the e_lfanew with an upper threshold value of 1024 to avoid problems.\n\t\t\tif (uiHeaderValue >= sizeof(IMAGE_DOS_HEADER) && uiHeaderValue < 1024)\n\t\t\t{\n\t\t\t\tuiHeaderValue += uiLibraryAddress;\n\t\t\t\t// break if we have found a valid MZ/PE header\n\t\t\t\tif (((PIMAGE_NT_HEADERS)uiHeaderValue)->Signature == IMAGE_NT_SIGNATURE)\n\t\t\t\t\tbreak;\n\t\t\t}\n\t\t}\n\t\tuiLibraryAddress--;\n\t}\n\n\t// STEP 1: process the kernels exports for the functions our loader needs...\n\n\t// get the Process Enviroment Block\n#ifdef WIN_X64\n\tuiBaseAddress = __readgsqword(0x60);\n#else\n#ifdef WIN_X86\n\tuiBaseAddress = __readfsdword(0x30);\n#else WIN_ARM\n\tuiBaseAddress = *(DWORD *)((BYTE *)_MoveFromCoprocessor(15, 0, 13, 0, 2) + 0x30);\n#endif\n#endif\n\n\t// get the processes loaded modules. 
ref: http://msdn.microsoft.com/en-us/library/aa813708(VS.85).aspx\n\tuiBaseAddress = (ULONG_PTR)((_PPEB)uiBaseAddress)->pLdr;\n\n\t// get the first entry of the InMemoryOrder module list\n\tuiValueA = (ULONG_PTR)((PPEB_LDR_DATA)uiBaseAddress)->InMemoryOrderModuleList.Flink;\n\twhile (uiValueA)\n\t{\n\t\t// get pointer to current modules name (unicode string)\n\t\tuiValueB = (ULONG_PTR)((PLDR_DATA_TABLE_ENTRY)uiValueA)->BaseDllName.pBuffer;\n\t\t// set bCounter to the length for the loop\n\t\tusCounter = ((PLDR_DATA_TABLE_ENTRY)uiValueA)->BaseDllName.Length;\n\t\t// clear uiValueC which will store the hash of the module name\n\t\tuiValueC = 0;\n\n\t\t// compute the hash of the module name...\n\t\tdo\n\t\t{\n\t\t\tuiValueC = ror((DWORD)uiValueC);\n\t\t\t// normalize to uppercase if the madule name is in lowercase\n\t\t\tif (*((BYTE *)uiValueB) >= 'a')\n\t\t\t\tuiValueC += *((BYTE *)uiValueB) - 0x20;\n\t\t\telse\n\t\t\t\tuiValueC += *((BYTE *)uiValueB);\n\t\t\tuiValueB++;\n\t\t} while (--usCounter);\n\n\t\t// compare the hash with that of kernel32.dll\n\t\tif ((DWORD)uiValueC == KERNEL32DLL_HASH)\n\t\t{\n\t\t\t// get this modules base address\n\t\t\tuiBaseAddress = (ULONG_PTR)((PLDR_DATA_TABLE_ENTRY)uiValueA)->DllBase;\n\n\t\t\t// get the VA of the modules NT Header\n\t\t\tuiExportDir = uiBaseAddress + ((PIMAGE_DOS_HEADER)uiBaseAddress)->e_lfanew;\n\n\t\t\t// uiNameArray = the address of the modules export directory entry\n\t\t\tuiNameArray = (ULONG_PTR)&((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];\n\n\t\t\t// get the VA of the export directory\n\t\t\tuiExportDir = (uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiNameArray)->VirtualAddress);\n\n\t\t\t// get the VA for the array of name pointers\n\t\t\tuiNameArray = (uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY)uiExportDir)->AddressOfNames);\n\n\t\t\t// get the VA for the array of name ordinals\n\t\t\tuiNameOrdinals = (uiBaseAddress + 
((PIMAGE_EXPORT_DIRECTORY)uiExportDir)->AddressOfNameOrdinals);\n\n\t\t\tusCounter = 3;\n\n\t\t\t// loop while we still have imports to find\n\t\t\twhile (usCounter > 0)\n\t\t\t{\n\t\t\t\t// compute the hash values for this function name\n\t\t\t\tdwHashValue = hash((char *)(uiBaseAddress + DEREF_32(uiNameArray)));\n\n\t\t\t\t// if we have found a function we want we get its virtual address\n\t\t\t\tif (dwHashValue == LOADLIBRARYA_HASH || dwHashValue == GETPROCADDRESS_HASH || dwHashValue == VIRTUALALLOC_HASH)\n\t\t\t\t{\n\t\t\t\t\t// get the VA for the array of addresses\n\t\t\t\t\tuiAddressArray = (uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY)uiExportDir)->AddressOfFunctions);\n\n\t\t\t\t\t// use this functions name ordinal as an index into the array of name pointers\n\t\t\t\t\tuiAddressArray += (DEREF_16(uiNameOrdinals) * sizeof(DWORD));\n\n\t\t\t\t\t// store this functions VA\n\t\t\t\t\tif (dwHashValue == LOADLIBRARYA_HASH)\n\t\t\t\t\t\tpLoadLibraryA = (LOADLIBRARYA)(uiBaseAddress + DEREF_32(uiAddressArray));\n\t\t\t\t\telse if (dwHashValue == GETPROCADDRESS_HASH)\n\t\t\t\t\t\tpGetProcAddress = (GETPROCADDRESS)(uiBaseAddress + DEREF_32(uiAddressArray));\n\t\t\t\t\telse if (dwHashValue == VIRTUALALLOC_HASH)\n\t\t\t\t\t\tpVirtualAlloc = (VIRTUALALLOC)(uiBaseAddress + DEREF_32(uiAddressArray));\n\n\t\t\t\t\t// decrement our counter\n\t\t\t\t\tusCounter--;\n\t\t\t\t}\n\n\t\t\t\t// get the next exported function name\n\t\t\t\tuiNameArray += sizeof(DWORD);\n\n\t\t\t\t// get the next exported function name ordinal\n\t\t\t\tuiNameOrdinals += sizeof(WORD);\n\t\t\t}\n\t\t}\n\t\telse if ((DWORD)uiValueC == NTDLLDLL_HASH)\n\t\t{\n\t\t\t// get this modules base address\n\t\t\tuiBaseAddress = (ULONG_PTR)((PLDR_DATA_TABLE_ENTRY)uiValueA)->DllBase;\n\n\t\t\t// get the VA of the modules NT Header\n\t\t\tuiExportDir = uiBaseAddress + ((PIMAGE_DOS_HEADER)uiBaseAddress)->e_lfanew;\n\n\t\t\t// uiNameArray = the address of the modules export directory entry\n\t\t\tuiNameArray = 
(ULONG_PTR)&((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];\n\n\t\t\t// get the VA of the export directory\n\t\t\tuiExportDir = (uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiNameArray)->VirtualAddress);\n\n\t\t\t// get the VA for the array of name pointers\n\t\t\tuiNameArray = (uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY)uiExportDir)->AddressOfNames);\n\n\t\t\t// get the VA for the array of name ordinals\n\t\t\tuiNameOrdinals = (uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY)uiExportDir)->AddressOfNameOrdinals);\n\n\t\t\tusCounter = 1;\n\n\t\t\t// loop while we still have imports to find\n\t\t\twhile (usCounter > 0)\n\t\t\t{\n\t\t\t\t// compute the hash values for this function name\n\t\t\t\tdwHashValue = hash((char *)(uiBaseAddress + DEREF_32(uiNameArray)));\n\n\t\t\t\t// if we have found a function we want we get its virtual address\n\t\t\t\tif (dwHashValue == NTFLUSHINSTRUCTIONCACHE_HASH)\n\t\t\t\t{\n\t\t\t\t\t// get the VA for the array of addresses\n\t\t\t\t\tuiAddressArray = (uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY)uiExportDir)->AddressOfFunctions);\n\n\t\t\t\t\t// use this functions name ordinal as an index into the array of name pointers\n\t\t\t\t\tuiAddressArray += (DEREF_16(uiNameOrdinals) * sizeof(DWORD));\n\n\t\t\t\t\t// store this functions VA\n\t\t\t\t\tif (dwHashValue == NTFLUSHINSTRUCTIONCACHE_HASH)\n\t\t\t\t\t\tpNtFlushInstructionCache = (NTFLUSHINSTRUCTIONCACHE)(uiBaseAddress + DEREF_32(uiAddressArray));\n\n\t\t\t\t\t// decrement our counter\n\t\t\t\t\tusCounter--;\n\t\t\t\t}\n\n\t\t\t\t// get the next exported function name\n\t\t\t\tuiNameArray += sizeof(DWORD);\n\n\t\t\t\t// get the next exported function name ordinal\n\t\t\t\tuiNameOrdinals += sizeof(WORD);\n\t\t\t}\n\t\t}\n\n\t\t// we stop searching when we have found everything we need.\n\t\tif (pLoadLibraryA && pGetProcAddress && pVirtualAlloc && pNtFlushInstructionCache)\n\t\t\tbreak;\n\n\t\t// get the next entry\n\t\tuiValueA = 
DEREF(uiValueA);\n\t}\n\n\t// STEP 2: load our image into a new permanent location in memory...\n\n\t// get the VA of the NT Header for the PE to be loaded\n\tuiHeaderValue = uiLibraryAddress + ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew;\n\n\t// allocate all the memory for the DLL to be loaded into. we can load at any address because we will  \n\t// relocate the image. Also zeros all memory and marks it as READ, WRITE and EXECUTE to avoid any problems.\n\tuiBaseAddress = (ULONG_PTR)pVirtualAlloc(NULL, ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.SizeOfImage, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);\n\n\t// we must now copy over the headers\n\tuiValueA = ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.SizeOfHeaders;\n\tuiValueB = uiLibraryAddress;\n\tuiValueC = uiBaseAddress;\n\n\twhile (uiValueA--)\n\t\t*(BYTE *)uiValueC++ = *(BYTE *)uiValueB++;\n\n\t// STEP 3: load in all of our sections...\n\n\t// uiValueA = the VA of the first section\n\tuiValueA = ((ULONG_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader + ((PIMAGE_NT_HEADERS)uiHeaderValue)->FileHeader.SizeOfOptionalHeader);\n\n\t// itterate through all sections, loading them into memory.\n\tuiValueE = ((PIMAGE_NT_HEADERS)uiHeaderValue)->FileHeader.NumberOfSections;\n\twhile (uiValueE--)\n\t{\n\t\t// uiValueB is the VA for this section\n\t\tuiValueB = (uiBaseAddress + ((PIMAGE_SECTION_HEADER)uiValueA)->VirtualAddress);\n\n\t\t// uiValueC if the VA for this sections data\n\t\tuiValueC = (uiLibraryAddress + ((PIMAGE_SECTION_HEADER)uiValueA)->PointerToRawData);\n\n\t\t// copy the section over\n\t\tuiValueD = ((PIMAGE_SECTION_HEADER)uiValueA)->SizeOfRawData;\n\n\t\twhile (uiValueD--)\n\t\t\t*(BYTE *)uiValueB++ = *(BYTE *)uiValueC++;\n\n\t\t// get the VA of the next section\n\t\tuiValueA += sizeof(IMAGE_SECTION_HEADER);\n\t}\n\n\t// STEP 4: process our images import table...\n\n\t// uiValueB = the address of the import directory\n\tuiValueB = 
(ULONG_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];\n\n\t// we assume their is an import table to process\n\t// uiValueC is the first entry in the import table\n\tuiValueC = (uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiValueB)->VirtualAddress);\n\n\t// itterate through all imports\n\twhile (((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->Name)\n\t{\n\t\t// use LoadLibraryA to load the imported module into memory\n\t\tuiLibraryAddress = (ULONG_PTR)pLoadLibraryA((LPCSTR)(uiBaseAddress + ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->Name));\n\n\t\t// uiValueD = VA of the OriginalFirstThunk\n\t\tuiValueD = (uiBaseAddress + ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->OriginalFirstThunk);\n\n\t\t// uiValueA = VA of the IAT (via first thunk not origionalfirstthunk)\n\t\tuiValueA = (uiBaseAddress + ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->FirstThunk);\n\n\t\t// itterate through all imported functions, importing by ordinal if no name present\n\t\twhile (DEREF(uiValueA))\n\t\t{\n\t\t\t// sanity check uiValueD as some compilers only import by FirstThunk\n\t\t\tif (uiValueD && ((PIMAGE_THUNK_DATA)uiValueD)->u1.Ordinal & IMAGE_ORDINAL_FLAG)\n\t\t\t{\n\t\t\t\t// get the VA of the modules NT Header\n\t\t\t\tuiExportDir = uiLibraryAddress + ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew;\n\n\t\t\t\t// uiNameArray = the address of the modules export directory entry\n\t\t\t\tuiNameArray = (ULONG_PTR)&((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];\n\n\t\t\t\t// get the VA of the export directory\n\t\t\t\tuiExportDir = (uiLibraryAddress + ((PIMAGE_DATA_DIRECTORY)uiNameArray)->VirtualAddress);\n\n\t\t\t\t// get the VA for the array of addresses\n\t\t\t\tuiAddressArray = (uiLibraryAddress + ((PIMAGE_EXPORT_DIRECTORY)uiExportDir)->AddressOfFunctions);\n\n\t\t\t\t// use the import ordinal (- export ordinal base) as an index into the array of addresses\n\t\t\t\tuiAddressArray += 
((IMAGE_ORDINAL(((PIMAGE_THUNK_DATA)uiValueD)->u1.Ordinal) - ((PIMAGE_EXPORT_DIRECTORY)uiExportDir)->Base) * sizeof(DWORD));\n\n\t\t\t\t// patch in the address for this imported function\n\t\t\t\tDEREF(uiValueA) = (uiLibraryAddress + DEREF_32(uiAddressArray));\n\t\t\t}\n\t\t\telse\n\t\t\t{\n\t\t\t\t// get the VA of this functions import by name struct\n\t\t\t\tuiValueB = (uiBaseAddress + DEREF(uiValueA));\n\n\t\t\t\t// use GetProcAddress and patch in the address for this imported function\n\t\t\t\tDEREF(uiValueA) = (ULONG_PTR)pGetProcAddress((HMODULE)uiLibraryAddress, (LPCSTR)((PIMAGE_IMPORT_BY_NAME)uiValueB)->Name);\n\t\t\t}\n\t\t\t// get the next imported function\n\t\t\tuiValueA += sizeof(ULONG_PTR);\n\t\t\tif (uiValueD)\n\t\t\t\tuiValueD += sizeof(ULONG_PTR);\n\t\t}\n\n\t\t// get the next import\n\t\tuiValueC += sizeof(IMAGE_IMPORT_DESCRIPTOR);\n\t}\n\n\t// STEP 5: process all of our images relocations...\n\n\t// calculate the base address delta and perform relocations (even if we load at desired image base)\n\tuiLibraryAddress = uiBaseAddress - ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.ImageBase;\n\n\t// uiValueB = the address of the relocation directory\n\tuiValueB = (ULONG_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC];\n\n\t// check if their are any relocations present\n\tif (((PIMAGE_DATA_DIRECTORY)uiValueB)->Size)\n\t{\n\t\t// uiValueC is now the first entry (IMAGE_BASE_RELOCATION)\n\t\tuiValueC = (uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiValueB)->VirtualAddress);\n\n\t\t// and we itterate through all entries...\n\t\twhile (((PIMAGE_BASE_RELOCATION)uiValueC)->SizeOfBlock)\n\t\t{\n\t\t\t// uiValueA = the VA for this relocation block\n\t\t\tuiValueA = (uiBaseAddress + ((PIMAGE_BASE_RELOCATION)uiValueC)->VirtualAddress);\n\n\t\t\t// uiValueB = number of entries in this relocation block\n\t\t\tuiValueB = (((PIMAGE_BASE_RELOCATION)uiValueC)->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) / 
sizeof(IMAGE_RELOC);\n\n\t\t\t// uiValueD is now the first entry in the current relocation block\n\t\t\tuiValueD = uiValueC + sizeof(IMAGE_BASE_RELOCATION);\n\n\t\t\t// we itterate through all the entries in the current block...\n\t\t\twhile (uiValueB--)\n\t\t\t{\n\t\t\t\t// perform the relocation, skipping IMAGE_REL_BASED_ABSOLUTE as required.\n\t\t\t\t// we dont use a switch statement to avoid the compiler building a jump table\n\t\t\t\t// which would not be very position independent!\n\t\t\t\tif (((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_DIR64)\n\t\t\t\t\t*(ULONG_PTR *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += uiLibraryAddress;\n\t\t\t\telse if (((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_HIGHLOW)\n\t\t\t\t\t*(DWORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += (DWORD)uiLibraryAddress;\n#ifdef WIN_ARM\n\t\t\t\t// Note: On ARM, the compiler optimization /O2 seems to introduce an off by one issue, possibly a code gen bug. Using /O1 instead avoids this problem.\n\t\t\t\telse if (((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_ARM_MOV32T)\n\t\t\t\t{\n\t\t\t\t\tregister DWORD dwInstruction;\n\t\t\t\t\tregister DWORD dwAddress;\n\t\t\t\t\tregister WORD wImm;\n\t\t\t\t\t// get the MOV.T instructions DWORD value (We add 4 to the offset to go past the first MOV.W which handles the low word)\n\t\t\t\t\tdwInstruction = *(DWORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset + sizeof(DWORD));\n\t\t\t\t\t// flip the words to get the instruction as expected\n\t\t\t\t\tdwInstruction = MAKELONG(HIWORD(dwInstruction), LOWORD(dwInstruction));\n\t\t\t\t\t// sanity chack we are processing a MOV instruction...\n\t\t\t\t\tif ((dwInstruction & ARM_MOV_MASK) == ARM_MOVT)\n\t\t\t\t\t{\n\t\t\t\t\t\t// pull out the encoded 16bit value (the high portion of the address-to-relocate)\n\t\t\t\t\t\twImm = (WORD)(dwInstruction & 0x000000FF);\n\t\t\t\t\t\twImm |= (WORD)((dwInstruction & 0x00007000) >> 4);\n\t\t\t\t\t\twImm |= (WORD)((dwInstruction & 0x04000000) >> 
15);\n\t\t\t\t\t\twImm |= (WORD)((dwInstruction & 0x000F0000) >> 4);\n\t\t\t\t\t\t// apply the relocation to the target address\n\t\t\t\t\t\tdwAddress = ((WORD)HIWORD(uiLibraryAddress) + wImm) & 0xFFFF;\n\t\t\t\t\t\t// now create a new instruction with the same opcode and register param.\n\t\t\t\t\t\tdwInstruction = (DWORD)(dwInstruction & ARM_MOV_MASK2);\n\t\t\t\t\t\t// patch in the relocated address...\n\t\t\t\t\t\tdwInstruction |= (DWORD)(dwAddress & 0x00FF);\n\t\t\t\t\t\tdwInstruction |= (DWORD)(dwAddress & 0x0700) << 4;\n\t\t\t\t\t\tdwInstruction |= (DWORD)(dwAddress & 0x0800) << 15;\n\t\t\t\t\t\tdwInstruction |= (DWORD)(dwAddress & 0xF000) << 4;\n\t\t\t\t\t\t// now flip the instructions words and patch back into the code...\n\t\t\t\t\t\t*(DWORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset + sizeof(DWORD)) = MAKELONG(HIWORD(dwInstruction), LOWORD(dwInstruction));\n\t\t\t\t\t}\n\t\t\t\t}\n#endif\n\t\t\t\telse if (((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_HIGH)\n\t\t\t\t\t*(WORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += HIWORD(uiLibraryAddress);\n\t\t\t\telse if (((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_LOW)\n\t\t\t\t\t*(WORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += LOWORD(uiLibraryAddress);\n\n\t\t\t\t// get the next entry in the current relocation block\n\t\t\t\tuiValueD += sizeof(IMAGE_RELOC);\n\t\t\t}\n\n\t\t\t// get the next entry in the relocation directory\n\t\t\tuiValueC = uiValueC + ((PIMAGE_BASE_RELOCATION)uiValueC)->SizeOfBlock;\n\t\t}\n\t}\n\n\t// STEP 6: call our images entry point\n\n\t// uiValueA = the VA of our newly loaded DLL/EXE's entry point\n\tuiValueA = (uiBaseAddress + ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.AddressOfEntryPoint);\n\n\t// We must flush the instruction cache to avoid stale code being used which was updated by our relocation processing.\n\tpNtFlushInstructionCache((HANDLE)-1, NULL, 0);\n\n\t// call our respective entry point, fudging our hInstance value\n#ifdef 
REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR\n\t// if we are injecting a DLL via LoadRemoteLibraryR we call DllMain and pass in our parameter (via the DllMain lpReserved parameter)\n\t((DLLMAIN)uiValueA)((HINSTANCE)uiBaseAddress, DLL_PROCESS_ATTACH, lpParameter);\n#else\n\t// if we are injecting an DLL via a stub we call DllMain with no parameter\n\t((DLLMAIN)uiValueA)((HINSTANCE)uiBaseAddress, DLL_PROCESS_ATTACH, NULL);\n#endif\n\n\t// STEP 8: return our new entry point address so whatever called us can call DllMain() if needed.\n\treturn uiValueA;\n}\n//===============================================================================================//\n#ifndef REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN\n\nBOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved)\n{\n\tBOOL bReturnValue = TRUE;\n\tswitch (dwReason)\n\t{\n\tcase DLL_QUERY_HMODULE:\n\t\tif (lpReserved != NULL)\n\t\t\t*(HMODULE *)lpReserved = hAppInstance;\n\t\tbreak;\n\tcase DLL_PROCESS_ATTACH:\n\t\thAppInstance = hinstDLL;\n\t\tbreak;\n\tcase DLL_PROCESS_DETACH:\n\tcase DLL_THREAD_ATTACH:\n\tcase DLL_THREAD_DETACH:\n\t\tbreak;\n\t}\n\treturn bReturnValue;\n}\n\n#endif\n//===============================================================================================//\n"
  },
  {
    "path": "Src/Recon-AD-Users/Recon-AD-Users/ReflectiveLoader.h",
    "content": "//===============================================================================================//\n// Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com)\n// All rights reserved.\n// \n// Redistribution and use in source and binary forms, with or without modification, are permitted \n// provided that the following conditions are met:\n// \n//     * Redistributions of source code must retain the above copyright notice, this list of \n// conditions and the following disclaimer.\n// \n//     * Redistributions in binary form must reproduce the above copyright notice, this list of \n// conditions and the following disclaimer in the documentation and/or other materials provided \n// with the distribution.\n// \n//     * Neither the name of Harmony Security nor the names of its contributors may be used to\n// endorse or promote products derived from this software without specific prior written permission.\n// \n// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS \"AS IS\" AND ANY EXPRESS OR \n// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND\n// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR \n// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR \n// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR \n// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY \n// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR \n// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE \n// POSSIBILITY OF SUCH DAMAGE.\n//===============================================================================================//\n#ifndef _REFLECTIVEDLLINJECTION_REFLECTIVELOADER_H\n#define _REFLECTIVEDLLINJECTION_REFLECTIVELOADER_H\n//===============================================================================================//\n#define WIN32_LEAN_AND_MEAN\n#include <windows.h>\n#include <Winsock2.h>\n#include <intrin.h>\n\n#include \"ReflectiveDLLInjection.h\"\n\ntypedef HMODULE(WINAPI * LOADLIBRARYA)(LPCSTR);\ntypedef FARPROC(WINAPI * GETPROCADDRESS)(HMODULE, LPCSTR);\ntypedef LPVOID(WINAPI * VIRTUALALLOC)(LPVOID, SIZE_T, DWORD, DWORD);\ntypedef DWORD(NTAPI * NTFLUSHINSTRUCTIONCACHE)(HANDLE, PVOID, ULONG);\n\n#define KERNEL32DLL_HASH\t\t\t\t0x6A4ABC5B\n#define NTDLLDLL_HASH\t\t\t\t\t0x3CFA685D\n\n#define LOADLIBRARYA_HASH\t\t\t\t0xEC0E4E8E\n#define GETPROCADDRESS_HASH\t\t\t\t0x7C0DFCAA\n#define VIRTUALALLOC_HASH\t\t\t\t0x91AFCA54\n#define NTFLUSHINSTRUCTIONCACHE_HASH\t0x534C0AB8\n\n#define IMAGE_REL_BASED_ARM_MOV32A\t\t5\n#define IMAGE_REL_BASED_ARM_MOV32T\t\t7\n\n#define ARM_MOV_MASK\t\t\t\t\t(DWORD)(0xFBF08000)\n#define ARM_MOV_MASK2\t\t\t\t\t(DWORD)(0xFBF08F00)\n#define ARM_MOVW\t\t\t\t\t\t0xF2400000\n#define ARM_MOVT\t\t\t\t\t\t0xF2C00000\n\n#define HASH_KEY\t\t\t\t\t\t13\n//===============================================================================================//\n#pragma intrinsic( _rotr )\n\n__forceinline DWORD ror(DWORD d)\n{\n\treturn 
_rotr(d, HASH_KEY);\n}\n\n__forceinline DWORD hash(char * c)\n{\n\tregister DWORD h = 0;\n\tdo\n\t{\n\t\th = ror(h);\n\t\th += *c;\n\t} while (*++c);\n\n\treturn h;\n}\n//===============================================================================================//\ntypedef struct _UNICODE_STR\n{\n\tUSHORT Length;\n\tUSHORT MaximumLength;\n\tPWSTR pBuffer;\n} UNICODE_STR, *PUNICODE_STR;\n\n// WinDbg> dt -v ntdll!_LDR_DATA_TABLE_ENTRY\n//__declspec( align(8) ) \ntypedef struct _LDR_DATA_TABLE_ENTRY\n{\n\t//LIST_ENTRY InLoadOrderLinks; // As we search from PPEB_LDR_DATA->InMemoryOrderModuleList we dont use the first entry.\n\tLIST_ENTRY InMemoryOrderModuleList;\n\tLIST_ENTRY InInitializationOrderModuleList;\n\tPVOID DllBase;\n\tPVOID EntryPoint;\n\tULONG SizeOfImage;\n\tUNICODE_STR FullDllName;\n\tUNICODE_STR BaseDllName;\n\tULONG Flags;\n\tSHORT LoadCount;\n\tSHORT TlsIndex;\n\tLIST_ENTRY HashTableEntry;\n\tULONG TimeDateStamp;\n} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;\n\n// WinDbg> dt -v ntdll!_PEB_LDR_DATA\ntypedef struct _PEB_LDR_DATA //, 7 elements, 0x28 bytes\n{\n\tDWORD dwLength;\n\tDWORD dwInitialized;\n\tLPVOID lpSsHandle;\n\tLIST_ENTRY InLoadOrderModuleList;\n\tLIST_ENTRY InMemoryOrderModuleList;\n\tLIST_ENTRY InInitializationOrderModuleList;\n\tLPVOID lpEntryInProgress;\n} PEB_LDR_DATA, *PPEB_LDR_DATA;\n\n// WinDbg> dt -v ntdll!_PEB_FREE_BLOCK\ntypedef struct _PEB_FREE_BLOCK // 2 elements, 0x8 bytes\n{\n\tstruct _PEB_FREE_BLOCK * pNext;\n\tDWORD dwSize;\n} PEB_FREE_BLOCK, *PPEB_FREE_BLOCK;\n\n// struct _PEB is defined in Winternl.h but it is incomplete\n// WinDbg> dt -v ntdll!_PEB\ntypedef struct __PEB // 65 elements, 0x210 bytes\n{\n\tBYTE bInheritedAddressSpace;\n\tBYTE bReadImageFileExecOptions;\n\tBYTE bBeingDebugged;\n\tBYTE bSpareBool;\n\tLPVOID lpMutant;\n\tLPVOID lpImageBaseAddress;\n\tPPEB_LDR_DATA pLdr;\n\tLPVOID lpProcessParameters;\n\tLPVOID lpSubSystemData;\n\tLPVOID lpProcessHeap;\n\tPRTL_CRITICAL_SECTION pFastPebLock;\n\tLPVOID 
lpFastPebLockRoutine;\n\tLPVOID lpFastPebUnlockRoutine;\n\tDWORD dwEnvironmentUpdateCount;\n\tLPVOID lpKernelCallbackTable;\n\tDWORD dwSystemReserved;\n\tDWORD dwAtlThunkSListPtr32;\n\tPPEB_FREE_BLOCK pFreeList;\n\tDWORD dwTlsExpansionCounter;\n\tLPVOID lpTlsBitmap;\n\tDWORD dwTlsBitmapBits[2];\n\tLPVOID lpReadOnlySharedMemoryBase;\n\tLPVOID lpReadOnlySharedMemoryHeap;\n\tLPVOID lpReadOnlyStaticServerData;\n\tLPVOID lpAnsiCodePageData;\n\tLPVOID lpOemCodePageData;\n\tLPVOID lpUnicodeCaseTableData;\n\tDWORD dwNumberOfProcessors;\n\tDWORD dwNtGlobalFlag;\n\tLARGE_INTEGER liCriticalSectionTimeout;\n\tDWORD dwHeapSegmentReserve;\n\tDWORD dwHeapSegmentCommit;\n\tDWORD dwHeapDeCommitTotalFreeThreshold;\n\tDWORD dwHeapDeCommitFreeBlockThreshold;\n\tDWORD dwNumberOfHeaps;\n\tDWORD dwMaximumNumberOfHeaps;\n\tLPVOID lpProcessHeaps;\n\tLPVOID lpGdiSharedHandleTable;\n\tLPVOID lpProcessStarterHelper;\n\tDWORD dwGdiDCAttributeList;\n\tLPVOID lpLoaderLock;\n\tDWORD dwOSMajorVersion;\n\tDWORD dwOSMinorVersion;\n\tWORD wOSBuildNumber;\n\tWORD wOSCSDVersion;\n\tDWORD dwOSPlatformId;\n\tDWORD dwImageSubsystem;\n\tDWORD dwImageSubsystemMajorVersion;\n\tDWORD dwImageSubsystemMinorVersion;\n\tDWORD dwImageProcessAffinityMask;\n\tDWORD dwGdiHandleBuffer[34];\n\tLPVOID lpPostProcessInitRoutine;\n\tLPVOID lpTlsExpansionBitmap;\n\tDWORD dwTlsExpansionBitmapBits[32];\n\tDWORD dwSessionId;\n\tULARGE_INTEGER liAppCompatFlags;\n\tULARGE_INTEGER liAppCompatFlagsUser;\n\tLPVOID lppShimData;\n\tLPVOID lpAppCompatInfo;\n\tUNICODE_STR usCSDVersion;\n\tLPVOID lpActivationContextData;\n\tLPVOID lpProcessAssemblyStorageMap;\n\tLPVOID lpSystemDefaultActivationContextData;\n\tLPVOID lpSystemAssemblyStorageMap;\n\tDWORD dwMinimumStackCommit;\n} _PEB, *_PPEB;\n\ntypedef struct\n{\n\tWORD\toffset : 12;\n\tWORD\ttype : 4;\n} IMAGE_RELOC, 
*PIMAGE_RELOC;\n//===============================================================================================//\n#endif\n//===============================================================================================//\n\n"
  },
  {
    "path": "Src/Recon-AD-Users/Recon-AD-Users.sln",
    "content": "﻿\nMicrosoft Visual Studio Solution File, Format Version 12.00\n# Visual Studio Express 14 for Windows Desktop\nVisualStudioVersion = 14.0.25420.1\nMinimumVisualStudioVersion = 10.0.40219.1\nProject(\"{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}\") = \"Recon-AD-Users\", \"Recon-AD-Users\\Recon-AD-Users.vcxproj\", \"{D30C9D6B-1F45-47BD-825B-389FE8CC9069}\"\nEndProject\nGlobal\n\tGlobalSection(SolutionConfigurationPlatforms) = preSolution\n\t\tDebug|x64 = Debug|x64\n\t\tDebug|x86 = Debug|x86\n\t\tRelease|x64 = Release|x64\n\t\tRelease|x86 = Release|x86\n\tEndGlobalSection\n\tGlobalSection(ProjectConfigurationPlatforms) = postSolution\n\t\t{D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Debug|x64.ActiveCfg = Debug|x64\n\t\t{D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Debug|x64.Build.0 = Debug|x64\n\t\t{D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Debug|x86.ActiveCfg = Debug|Win32\n\t\t{D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Debug|x86.Build.0 = Debug|Win32\n\t\t{D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Release|x64.ActiveCfg = Release|x64\n\t\t{D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Release|x64.Build.0 = Release|x64\n\t\t{D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Release|x86.ActiveCfg = Release|Win32\n\t\t{D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Release|x86.Build.0 = Release|Win32\n\tEndGlobalSection\n\tGlobalSection(SolutionProperties) = preSolution\n\t\tHideSolutionNode = FALSE\n\tEndGlobalSection\nEndGlobal\n"
  }
]