x64 dumper configuration

pull/1/head
qtKite 3 years ago
parent 8aaef07cef
commit 26598c0e01


@ -1,27 +0,0 @@
//////////////////////////////////////////////////////////////////////////////
//
// Common version parameters.
//
// Microsoft Research Detours Package, Version 4.0.1
//
// Copyright (c) Microsoft Corporation. All rights reserved.
//
#define _USING_V110_SDK71_ 1
#include "winver.h"
#if 0
#include <windows.h>
#include <detours.h>
#else
#ifndef DETOURS_STRINGIFY
#define DETOURS_STRINGIFY_(x) #x
#define DETOURS_STRINGIFY(x) DETOURS_STRINGIFY_(x)
#endif
#define VER_FILEFLAGSMASK 0x3fL
#define VER_FILEFLAGS 0x0L
#define VER_FILEOS 0x00040004L
#define VER_FILETYPE 0x00000002L
#define VER_FILESUBTYPE 0x00000000L
#endif
#define VER_DETOURS_BITS DETOURS_STRINGIFY(DETOURS_BITS)

@ -1,89 +0,0 @@
//////////////////////////////////////////////////////////////////////////////
//
// Detours Test Program (syelog.h of syelog.lib)
//
// Microsoft Research Detours Package
//
// Copyright (c) Microsoft Corporation. All rights reserved.
//
#pragma once
#ifndef _SYELOGD_H_
#define _SYELOGD_H_
#include <stdarg.h>
#pragma pack(push, 1)
#pragma warning(push)
#pragma warning(disable: 4200)
//////////////////////////////////////////////////////////////////////////////
//
//
#define SYELOG_PIPE_NAMEA "\\\\.\\pipe\\syelog"
#define SYELOG_PIPE_NAMEW L"\\\\.\\pipe\\syelog"
#ifdef UNICODE
#define SYELOG_PIPE_NAME SYELOG_PIPE_NAMEW
#else
#define SYELOG_PIPE_NAME SYELOG_PIPE_NAMEA
#endif
//////////////////////////////////////////////////////////////////////////////
//
#define SYELOG_MAXIMUM_MESSAGE 4086 // 4096 - sizeof(header stuff)
typedef struct _SYELOG_MESSAGE
{
USHORT nBytes;
BYTE nFacility;
BYTE nSeverity;
DWORD nProcessId;
FILETIME ftOccurance;
BOOL fTerminate;
CHAR szMessage[SYELOG_MAXIMUM_MESSAGE];
} SYELOG_MESSAGE, *PSYELOG_MESSAGE;
// Facility Codes.
//
#define SYELOG_FACILITY_KERNEL 0x10 // OS Kernel
#define SYELOG_FACILITY_SECURITY 0x20 // OS Security
#define SYELOG_FACILITY_LOGGING 0x30 // OS Logging-internal
#define SYELOG_FACILITY_SERVICE 0x40 // User-mode system daemon
#define SYELOG_FACILITY_APPLICATION 0x50 // User-mode application
#define SYELOG_FACILITY_USER 0x60 // User self-generated.
#define SYELOG_FACILITY_LOCAL0 0x70 // Locally defined.
#define SYELOG_FACILITY_LOCAL1 0x71 // Locally defined.
#define SYELOG_FACILITY_LOCAL2 0x72 // Locally defined.
#define SYELOG_FACILITY_LOCAL3 0x73 // Locally defined.
#define SYELOG_FACILITY_LOCAL4 0x74 // Locally defined.
#define SYELOG_FACILITY_LOCAL5 0x75 // Locally defined.
#define SYELOG_FACILITY_LOCAL6 0x76 // Locally defined.
#define SYELOG_FACILITY_LOCAL7 0x77 // Locally defined.
#define SYELOG_FACILITY_LOCAL8 0x78 // Locally defined.
#define SYELOG_FACILITY_LOCAL9 0x79 // Locally defined.
// Severity Codes.
//
#define SYELOG_SEVERITY_FATAL 0x00 // System is dead.
#define SYELOG_SEVERITY_ALERT 0x10 // Take action immediately.
#define SYELOG_SEVERITY_CRITICAL 0x20 // Critical condition.
#define SYELOG_SEVERITY_ERROR 0x30 // Error
#define SYELOG_SEVERITY_WARNING 0x40 // Warning
#define SYELOG_SEVERITY_NOTICE 0x50 // Significant condition.
#define SYELOG_SEVERITY_INFORMATION 0x60 // Informational
#define SYELOG_SEVERITY_AUDIT_FAIL 0x66 // Audit Failed
#define SYELOG_SEVERITY_AUDIT_PASS 0x67 // Audit Succeeeded
#define SYELOG_SEVERITY_DEBUG 0x70 // Debugging
// Logging Functions.
//
VOID SyelogOpen(PCSTR pszIdentifier, BYTE nFacility);
VOID Syelog(BYTE nSeverity, PCSTR pszMsgf, ...);
VOID SyelogV(BYTE nSeverity, PCSTR pszMsgf, va_list args);
VOID SyelogClose(BOOL fTerminate);
#pragma warning(pop)
#pragma pack(pop)
#endif // _SYELOGD_H_
//
///////////////////////////////////////////////////////////////// End of File.



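--- a/dllmain.cpp
+++ /dev/null
@@ -1,68 +0,0 @@
-// this is to poc for dumping out registry files as part 2 of the reversal
-//
-// TO-DO:
-// import detours, will need to recompile 32 bit
-// write hook functions
-// inject and write findings
-// list of functions to hook:
-// all imported from ADVAPI32
-// RegEnumValueW
-// RegDeleteValueW
-// RegDeleteKeyW
-// RegSetValueExW
-// RegCreateKeyExW
-// RegConnectRegistryW
-// RegEnumKeyExW
-// RegCloseKey
-// RegQueryValueExW
-// RegOpenKeyExW
-#include "pch.h"
-void perf_hook()
-{
-// example code from last ctf
-// will add code base for x64 and x32 support, as well as setup empty
-// project to do this stuff quicky?
-#if 0
-using LoadStr_t = int(*)(HINSTANCE, UINT, LPSTR, int);
-uint64_t loadstr_addr;
-// perform hooking
-loadstr_addr = (uint64_t)GetProcAddress(GetModuleHandleA("User32.dll"), "LoadStringA");
-DetourTransactionBegin();
-DetourUpdateThread(GetCurrentThread());
-DetourAttach(&(PVOID&)loadstr_addr, hk_loadstr);
-DetourTransactionCommit();
-#endif
-}
-void thread_main()
-{
-// setup console
-//
-AllocConsole();
-freopen("CONIN$", "r", stdin);
-freopen("CONOUT$", "w", stdout);
-freopen("CONOUT$", "w", stderr);
-SetConsoleTitleA("Log");
-}
-BOOL APIENTRY DllMain(HMODULE hModule,
-DWORD ul_reason_for_call,
-LPVOID lpReserved
-)
-{
-switch (ul_reason_for_call)
-{
-case DLL_PROCESS_ATTACH:
-CreateThread(0, 0, reinterpret_cast<LPTHREAD_START_ROUTINE>(thread_main), 0, 0, 0);
-case DLL_THREAD_ATTACH:
-case DLL_THREAD_DETACH:
-case DLL_PROCESS_DETACH:
-break;
-}
-return TRUE;
-}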

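--- /dev/null
+++ b/dumper.cpp
@@ -0,0 +1,111 @@
+// this is to poc for dumping out registry files as part 2 of the reversal
+//
+// TO-DO:
+// import detours, will need to recompile 32 bit
+// write hook functions
+// inject and write findings
+// list of functions to hook:
+// all imported from ADVAPI32
+// RegEnumValueW
+// RegDeleteValueW
+// RegDeleteKeyW
+// RegSetValueExW
+// RegCreateKeyExW
+// RegConnectRegistryW
+// RegEnumKeyExW
+// RegCloseKey
+// RegQueryValueExW
+// RegOpenKeyExW
+#include "pch.h"
+namespace RegHooks
+{
+// hook for RegEnumValueW
+//
+LSTATUS hk_reg_enum_valuew(
+HKEY hKey,
+DWORD dwIndex,
+LPWSTR lpValueName,
+LPDWORD lpcchValueName,
+LPDWORD lpReserved,
+LPDWORD lpType,
+LPBYTE lpData,
+LPDWORD lpcbData
+)
+{
+}
+}
+namespace DetourExample
+{
+using LoadStr_t = int(*)(HINSTANCE, UINT, LPSTR, int);
+uint64_t loadstr_addr;
+int __stdcall hk_loadstr(HINSTANCE hInstance, UINT uID, LPSTR lpBuffer, int cchBufferMax)
+{
+auto original = ((LoadStr_t)(loadstr_addr))(hInstance, uID, lpBuffer, cchBufferMax);
+return original;
+}
+// only to serve as a temp example, do not call
+void example_hook()
+{
+// perform hooking
+loadstr_addr = (uint64_t)GetProcAddress(GetModuleHandleA("User32.dll"), "LoadStringA");
+DetourTransactionBegin();
+DetourUpdateThread(GetCurrentThread());
+DetourAttach(&(PVOID&)loadstr_addr, hk_loadstr);
+DetourTransactionCommit();
+}
+}
+namespace DetourHelper
+{
+// places a hook
+void perf_hook()
+{
+// example code from last ctf
+// will add code base for x64 and x32 support, as well as setup empty
+// project to do this stuff quicky?
+}
+// removes a hook
+void undo_hook()
+{
+}
+}
+void thread_main()
+{
+// setup console
+//
+AllocConsole();
+freopen("CONIN$", "r", stdin);
+freopen("CONOUT$", "w", stdout);
+freopen("CONOUT$", "w", stderr);
+SetConsoleTitleA("Log");
+}
+BOOL APIENTRY DllMain(HMODULE hModule,
+DWORD ul_reason_for_call,
+LPVOID lpReserved
+)
+{
+switch (ul_reason_for_call)
+{
+case DLL_PROCESS_ATTACH:
+CreateThread(0, 0, reinterpret_cast<LPTHREAD_START_ROUTINE>(thread_main), 0, 0, 0);
+case DLL_THREAD_ATTACH:
+case DLL_THREAD_DETACH:
+case DLL_PROCESS_DETACH:
+break;
+}
+return TRUE;
+}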
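Review bot: `RegHooks::hk_reg_enum_valuew` is declared to return `LSTATUS` but has an empty body, so control runs off the end of a non-void function — undefined behaviour, and MSVC reports it as C4716 — and since dumper.cpp is now part of the project this stub breaks the build. Until the forwarding logic is written, give it a deterministic result such as `return ERROR_CALL_NOT_IMPLEMENTED;` and, when it is filled in, follow the `DetourExample::hk_loadstr` pattern of calling through a saved pointer to the original rather than leaving the parameters unused. Separately, `thread_main` is `void()` but `DllMain` casts it to `LPTHREAD_START_ROUTINE`; declare it `DWORD WINAPI thread_main(LPVOID)` returning 0 so the `reinterpret_cast` can go, and close or keep the handle `CreateThread` returns instead of discarding it. `example_hook` also ignores the `LONG` status of `DetourTransactionCommit()`, so a failed attach goes unnoticed; compare it with `NO_ERROR` before treating the hook as installed.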

@ -82,6 +82,8 @@
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<LinkIncremental>false</LinkIncremental>
<IntDir>$(Platform)\$(Configuration)</IntDir>
<IncludePath>$(SolutionDir)\detour\x64\include;$(IncludePath)</IncludePath>
<LibraryPath>$(SolutionDir)\detour\x64\lib;$(LibraryPath)</LibraryPath>
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<ClCompile>
@ -139,7 +141,7 @@
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>NDEBUG;DUMPER_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<PreprocessorDefinitions>NDEBUG;DUMPER_EXPORTS;_WINDOWS;_USRDLL;_CRT_SECURE_NO_WARNINGS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
<PrecompiledHeaderFile>pch.h</PrecompiledHeaderFile>
</ClCompile>
@ -156,7 +158,7 @@
<ClInclude Include="pch.h" />
</ItemGroup>
<ItemGroup>
<ClCompile Include="dllmain.cpp" />
<ClCompile Include="dumper.cpp" />
<ClCompile Include="pch.cpp">
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">Create</PrecompiledHeader>
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">Create</PrecompiledHeader>
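Review bot: `_CRT_SECURE_NO_WARNINGS` in the second hunk (`@ -139,7 +141,7 @@`, the `NDEBUG` definitions, so the Release configuration) disables the C4996 deprecation diagnostics for the `freopen` calls in `thread_main` across the whole translation set instead of fixing them; with `<SDLCheck>true</SDLCheck>` those diagnostics are errors, which is presumably why the define was added. Switching the console setup to `freopen_s` removes the need for the define, or at least scope it to the one file that needs it. In the first hunk the Detours `IncludePath`/`LibraryPath` are only added under `Release|x64`; the Debug property groups are outside the hunk, so if those configurations are still meant to build they likely need the same two entries.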

@ -23,10 +23,10 @@
</ClInclude>
</ItemGroup>
<ItemGroup>
<ClCompile Include="dllmain.cpp">
<ClCompile Include="pch.cpp">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="pch.cpp">
<ClCompile Include="dumper.cpp">
<Filter>Source Files</Filter>
</ClCompile>
</ItemGroup>

@ -11,7 +11,7 @@
#include <Windows.h>
#include <Psapi.h>
//#include <detours.h>
//#pragma comment(lib, "detours.lib")
#include <detours.h>
#pragma comment(lib, "detours.lib")
#endif //PCH_H
