
Tuesday, October 4, 2016

[DELPHI/NATIVE] inaccessible folder

program main32;

uses Windows, SysUtils; // Old Delphi like delphi 7.
//uses Winapi.Windows, System.SysUtils; // Modern Delphi like XE8.

type
  // Native-API (ntdll) types that old Delphi versions do not ship in the
  // Windows unit. The layouts are the 32-bit ones (this program is main32);
  // a 64-bit build would need the pointer-sized fields widened.
  PLARGE_INTEGER = ^LARGE_INTEGER;
  PVOID = pointer;
  HANDLE = THANDLE;
  NTSTATUS = LongInt; // signed: 0 is STATUS_SUCCESS, negative values are errors

  // UNICODE_STRING: counted UTF-16 string. Length and MaximumLength are byte
  // counts, not character counts; RtlInitUnicodeString fills them in.
  TUnicodeString = packed record
    Length: Word;
    MaximumLength: Word;
    Buffer: PWideChar;
  end;
  UNICODE_STRING = TUnicodeString;
  PUNICODE_STRING = ^TUnicodeString;

  // OBJECT_ATTRIBUTES: identifies the object a native call acts on.
  // ObjectName is an object-manager path (here '\??\C:\...'), not a Win32 path.
  TObjectAttributes = packed record
    Length: ULONG;                     // must be sizeof(OBJECT_ATTRIBUTES)
    RootDirectory: THandle;            // 0: ObjectName is absolute
    ObjectName: PUNICODE_STRING;
    Attributes: ULONG;                 // OBJ_* flags
    SecurityDescriptor: Pointer;       // nil: default security for the new object
    SecurityQualityOfService: Pointer; // nil: no impersonation settings
  end;
  OBJECT_ATTRIBUTES = TObjectAttributes;
  POBJECT_ATTRIBUTES = ^TObjectAttributes;

  // IO_STATUS_BLOCK: completion status of an I/O request.
  // NOTE(review): Information is ULONG_PTR in the real structure; ULONG
  // matches only a 32-bit build.
  TIoStatusBlock = packed record
    Status: NTSTATUS;
    Information: ULONG;
  end;
  IO_STATUS_BLOCK = TIoStatusBlock;
  PIO_STATUS_BLOCK = ^TIoStatusBlock;

const
  STATUS_SUCCESS = NTSTATUS(0);
  OBJ_CASE_INSENSITIVE = $00000040; // case-insensitive name lookup
  FILE_ATTRIBUTE_HIDDEN = $00000002;
  FILE_DIRECTORY_FILE = $00000001;  // CreateOptions: the object is a directory
  FILE_CREATE = $00000002;          // CreateDisposition: fail if it already exists
  FILE_READ_DATA = $0001;           // on a directory: list its contents
  FILE_WRITE_DATA = $0002;          // on a directory: add entries

// ntdll exports, bound by name at load time; all use the stdcall convention.

// NtCreateFile creates or opens the object named by ObjectAttributes and, on
// success, returns a handle in FileHandle^. The caller closes it with NtClose.
function NtCreateFile(FileHandle: PHANDLE;
  DesiredAccess: ACCESS_MASK;
  ObjectAttributes: POBJECT_ATTRIBUTES;
  IoStatusBlock: PIO_STATUS_BLOCK;
  AllocationSize: PLARGE_INTEGER;
  FileAttributes: ULONG;
  ShareAccess: ULONG;
  CreateDisposition: ULONG;
  CreateOptions: ULONG;
  EaBuffer: PVOID;
  EaLength: ULONG): NTSTATUS; stdcall;
  external 'ntdll.dll' name 'NtCreateFile';

// NtDeleteFile deletes by name, so no handle needs to be open on the object;
// it fails on a directory that still has entries.
function NtDeleteFile(ObjectAttributes: POBJECT_ATTRIBUTES): NTSTATUS; stdcall;
  external 'ntdll.dll' name 'NtDeleteFile';

// RtlInitUnicodeString points DestinationString^.Buffer at SourceString and
// sets the byte lengths from the NUL-terminated source; nothing is copied, so
// the source must outlive the UNICODE_STRING.
procedure RtlInitUnicodeString(DestinationString: PUNICODE_STRING; SourceString: PWideChar); stdcall;
  external 'ntdll.dll' name 'RtlInitUnicodeString';

// NtClose closes a handle returned by a native call.
function NtClose(Handle: THANDLE): NTSTATUS; stdcall;
  external 'ntdll.dll' name 'NtClose';

// Pascal equivalent of the InitializeObjectAttributes macro from ntdef.h.
// Every field of p^ is written, so the caller does not need to zero the record.
//   p: record to fill       n: object name (may be nil)
//   a: OBJ_* flags          r: root directory handle (0 = absolute name)
//   s: security descriptor (nil = default security)
procedure InitializeObjectAttributes(p: POBJECT_ATTRIBUTES; n: PUNICODE_STRING; a: ULONG; r: HANDLE; s: PSECURITY_DESCRIPTOR);
begin
  p^.Length := sizeof(OBJECT_ATTRIBUTES);
  p^.ObjectName := n;
  p^.Attributes := a;
  p^.RootDirectory := r;
  p^.SecurityDescriptor := s;
  // No quality-of-service block: the call runs with the caller's own token.
  p^.SecurityQualityOfService := nil;
end;

// Shows the outcome of one native call in a message box on the desktop.
//   NtStatus: status returned by the call (0 = STATUS_SUCCESS)
//   msg:      short task description (ANSI)
//   path:     object-manager path the call acted on (wide)
procedure Report(NtStatus: NTSTATUS; msg: PAnsiChar; path: PWideChar);
var
  text: WideString;
  verdict: string;
  icon: Cardinal;
begin
  // Pick label and icon together so the two can never disagree.
  if NtStatus = 0 then
  begin
    verdict := 'SUCCESS';
    icon := MB_ICONINFORMATION;
  end
  else
  begin
    verdict := 'FAILED!';
    icon := MB_ICONERROR;
  end;

  // #13 alone is enough for MessageBox to start a new line.
  text := format('Task: %s' + #13 + 'Path: %S' + #13 + 'Status: 0x%X (%s)',
    [msg, path, NtStatus, verdict]);

  MessageBoxW(GetDesktopWindow(), PWideChar(text), 'Report', icon);
end;

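var
  ObjectAttributes: OBJECT_ATTRIBUTES;
  IoStatusBlock: IO_STATUS_BLOCK;
  hTarget: THandle;
  Status: NTSTATUS;
  FolderName: UNICODE_STRING;

  // Object-manager paths (\??\ prefix). The '...' component is a legal
  // object-manager name but not a usable Win32 path component, which is what
  // makes the subtree unreachable from Explorer and most Win32-based tools.
  folders: array[0..2] of PWideChar = (
    '\??\C:\Winmend~Folder~Hidden',
    '\??\C:\Winmend~Folder~Hidden\...',
    '\??\C:\Winmend~Folder~Hidden\...\cn');

  x, z: byte;
begin
  // Create parent first, then the children.
  for x := 0 to 2 do
  begin
    hTarget := 0;
    RtlInitUnicodeString(@FolderName, folders[x]);
    InitializeObjectAttributes(@ObjectAttributes, @FolderName, OBJ_CASE_INSENSITIVE, 0, nil);

    Status := NtCreateFile(@hTarget,
      FILE_READ_DATA + FILE_WRITE_DATA,
      @ObjectAttributes,
      @IoStatusBlock,
      nil,
      FILE_ATTRIBUTE_HIDDEN,
      FILE_SHARE_READ + FILE_SHARE_WRITE,
      FILE_CREATE,
      FILE_DIRECTORY_FILE,
      nil,
      0);

    Report(Status, 'Creating folder...', folders[x]);
    // Only a successful NtCreateFile yields a handle; closing hTarget after a
    // failure would pass 0 or an already-closed value to NtClose.
    if Status = STATUS_SUCCESS then
      NtClose(hTarget);
  end;

  // Delete deepest first: NtDeleteFile works by name and refuses a directory
  // that still has entries.
  for z := 2 downto 0 do
  begin
    RtlInitUnicodeString(@FolderName, folders[z]);
    InitializeObjectAttributes(@ObjectAttributes, @FolderName, OBJ_CASE_INSENSITIVE, 0, nil);

    Status := NtDeleteFile(@ObjectAttributes);
    Report(Status, 'Deleting folder...', folders[z]);
  end;
end.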
Link: http://www.mediafire.com/file/c87ck5a8htrbc87/inaccessible_folder_delphi.rar

Friday, September 30, 2016

[C++/NATIVE] inaccessible folder

Inaccessible folder, inspired by the "WinMend Folder Hidden" tool.


#include <windows.h>
#include <ntdll.h>
#include <stdio.h>

#ifdef _WIN64
/* Message-box caption. The text is never modified, but binding a string
   literal to a non-const char* is deprecated in C++; const char* would do. */
char *captionMsg = "64-bit Application";
#else
char *captionMsg = "32-bit Application";
#endif

/* Status label of the most recent Report() call; Report() writes it. */
char *statusMsg = "FAILED!";

/* Object-manager path (\??\ prefix), not a Win32 path. */
#define MAIN_FOLDER L"\\??\\C:\\Winmend~Folder~Hidden"

/* Created in this order and deleted in reverse. The "..." component is a
   legal object-manager name but not a usable Win32 path component, which is
   what makes the subtree unreachable from Explorer and most Win32 tools. */
wchar_t *folders[] = {
    MAIN_FOLDER,
    MAIN_FOLDER L"\\..." ,
    MAIN_FOLDER L"\\...\\cn"
};

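/* Shows the outcome of one native-API call in a message box.
   NtStatus: status returned by the call (0 == STATUS_SUCCESS).
   msg:      short task description (narrow string).
   path:     object-manager path the call acted on (wide string, hence %S).
   Side effect: updates the global statusMsg to the label shown. */
void Report(NTSTATUS NtStatus, char *msg, wchar_t *path) {
    char buffer[256] = {0};
    const int success = (NtStatus == 0);

    /* Set the label on every call, in both directions: a global that is only
       ever switched to "SUCCESS" would report every later failure as a
       success while still showing the error icon. */
    if (success)
        statusMsg = "SUCCESS";
    else
        statusMsg = "FAILED!";

    /* Bounded formatting: the paths are fixed here, but an unbounded sprintf
       would overrun buffer on a longer path or task string. */
    snprintf(buffer, sizeof(buffer),
             "Task:\t%s\nPath:\t%S\nStatus:\t0x%X (%s)",
             msg,
             path,
             (unsigned int)NtStatus,
             statusMsg);

    MessageBoxA(NULL,
                buffer,
                captionMsg,
                success ? MB_ICONINFORMATION : MB_ICONERROR);
}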

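/* Creates the hidden directory tree (parent first), then removes it again
   (deepest first, since NtDeleteFile refuses a non-empty directory). Every
   step is reported; the handle from NtCreateFile is closed only when the
   call succeeded. Always returns 0. */
int main() {

    NTSTATUS NtStatus;
    HANDLE hTarget = NULL;
    UNICODE_STRING ObjectName;
    OBJECT_ATTRIBUTES ObjectAttributes;
    IO_STATUS_BLOCK IoStatusBlock;
    const int count = (int)(sizeof(folders) / sizeof(folders[0]));

    for (int x = 0; x < count; x++) {
        RtlInitUnicodeString(&ObjectName, folders[x]);
        InitializeObjectAttributes(&ObjectAttributes,
                                   &ObjectName,
                                   OBJ_CASE_INSENSITIVE,
                                   NULL,
                                   NULL);

        NtStatus = NtCreateFile(&hTarget,
                                FILE_READ_DATA | FILE_WRITE_DATA,
                                &ObjectAttributes,
                                &IoStatusBlock,
                                NULL,
                                FILE_ATTRIBUTE_HIDDEN,
                                FILE_SHARE_READ | FILE_SHARE_WRITE,
                                FILE_CREATE,
                                FILE_DIRECTORY_FILE,
                                NULL,
                                0);

        Report(NtStatus, "Creating folder...", folders[x]);
        /* On failure hTarget may be untouched (NULL, or a handle already
           closed in an earlier iteration), so closing it unconditionally
           would be a close of a bogus or stale handle. */
        if (NtStatus == 0) {
            NtClose(hTarget);
            hTarget = NULL;
        }
    }

    for (int x = count - 1; x >= 0; x--) {
        RtlInitUnicodeString(&ObjectName, folders[x]);

        InitializeObjectAttributes(&ObjectAttributes,
                                   &ObjectName,
                                   OBJ_CASE_INSENSITIVE,
                                   NULL,
                                   NULL);

        NtStatus = NtDeleteFile(&ObjectAttributes);
        Report(NtStatus, "Deleting folder...", folders[x]);
    }

    return 0;
}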

Link: http://www.mediafire.com/file/9wwiembfz3vbacn/inaccessible_folder.rar

Tuesday, October 20, 2015

Memory patcher to deal with (ASLR) 02 Updated

Code snippet updated to support Wow64, so that a 64-bit patcher can patch a 32-bit target.

#include < windows.h >
#include < stdio.h >

#ifdef _WIN64
#define CAPTION "atomos - memory patcher for chimera #01 (64-bit)"
#define EXENAME "target64.exe" // change it to target "target32.exe" for Wow64 test.
#else
#define CAPTION "atomos - memory patcher for chimera #01 (32-bit)"
#define EXENAME "target32.exe"
#endif

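/* Starts EXENAME suspended, reads its ASLR-relocated image base from the
   target's PEB, writes one byte at a fixed offset from the entry point, then
   resumes the target and waits for its initial thread to exit.
   A 64-bit build handles both a native 64-bit and a Wow64 (32-bit) target.
   Returns 0 in every case; failures are printed to stdout. */
int iWinMain() {
    PROCESS_INFORMATION lpProcessInfo = {0};
    STARTUPINFO lpStartupInfo = {0};
    BOOL patched = FALSE;

    printf("%s\nFilename: %s\n\n", CAPTION, EXENAME);

    /* CREATE_SUSPENDED: the image is mapped and relocated but nothing has run
       yet, so the live load address must come from the PEB rather than from
       the file header. EXENAME has no directory part, so it is resolved
       relative to the current directory. */
    if (!CreateProcessA(EXENAME,
                        NULL,
                        NULL,
                        NULL,
                        0,
                        CREATE_SUSPENDED,
                        NULL,
                        NULL,
                        &lpStartupInfo,
                        &lpProcessInfo)) {
        printf("[!] CreateProcessA(%s) failed, error %lu\n", EXENAME, GetLastError());
        return 0;
    }

#ifdef _WIN64  // 64bit Application
    {
        BOOL Wow64Process = FALSE;

        /* On failure Wow64Process stays FALSE and the target is treated as
           native 64-bit. */
        if (!IsWow64Process(lpProcessInfo.hProcess, &Wow64Process))
            printf("[!] IsWow64Process failed, error %lu\n", GetLastError());

        if (Wow64Process) { // Wow64 Process: 32-bit target under a 64-bit patcher
            WOW64_CONTEXT lpWoWContext = {0};
            DWORD32 *wowPeb;
            DWORD32 ImageBaseAddress = 0;
            DWORD64 uTargetAddressWow64;
            char newByteWow64 = 0x74;

            /* WOW64_CONTEXT_FULL carries the i386 flag bits; CONTEXT_FULL in a
               64-bit build is the AMD64 flag set and is not what the Wow64
               context call expects. */
            lpWoWContext.ContextFlags = WOW64_CONTEXT_FULL;
            if (!Wow64GetThreadContext(lpProcessInfo.hThread, &lpWoWContext))
                printf("[!] Wow64GetThreadContext failed, error %lu\n", GetLastError());

            /* In the initial thread context of a suspended 32-bit process Ebx
               holds the PEB and Eax the entry point; PEB32.ImageBaseAddress is
               the third 4-byte field (offset 8). */
            wowPeb = (DWORD32*)(ULONG_PTR)lpWoWContext.Ebx;
            if (!ReadProcessMemory(lpProcessInfo.hProcess,
                                   &wowPeb[2],
                                   (LPVOID)&ImageBaseAddress,
                                   sizeof(DWORD32),
                                   NULL))
                printf("[!] ReadProcessMemory(PEB) failed, error %lu\n", GetLastError());

            printf("[-] Wow64 ImageBase Address     = 0x%08X\n", ImageBaseAddress);
            printf("[-] Wow64 EntryPoint Address    = 0x%08X\n", lpWoWContext.Eax);
            printf("[-] Wow64 Process (PEB Address) = 0x%08X\n", lpWoWContext.Ebx);

            /* Offset and byte are specific to this crackme build (0x74/0x75
               are the short JE/JNE opcodes). */
            uTargetAddressWow64 = lpWoWContext.Eax + 0x64;

            patched = WriteProcessMemory(lpProcessInfo.hProcess,
                                         (LPVOID)uTargetAddressWow64,
                                         &newByteWow64,
                                         1,
                                         NULL);
        } else { // 64bit Process
            CONTEXT lpContext64bit = {0};
            DWORD64 *peb64bit;
            DWORD64 ImageBaseAddress = 0;
            DWORD64 uTargetAddress64bit;
            char newByte64bit = 0x75;

            lpContext64bit.ContextFlags = CONTEXT_FULL;
            if (!GetThreadContext(lpProcessInfo.hThread, &lpContext64bit))
                printf("[!] GetThreadContext failed, error %lu\n", GetLastError());

            /* Initial 64-bit thread context: Rdx holds the PEB and Rcx the
               entry point; PEB64.ImageBaseAddress is the third 8-byte field
               (offset 0x10). */
            peb64bit = (DWORD64*)lpContext64bit.Rdx;
            if (!ReadProcessMemory(lpProcessInfo.hProcess,
                                   &peb64bit[2],
                                   (LPVOID)&ImageBaseAddress,
                                   sizeof(DWORD64),
                                   NULL))
                printf("[!] ReadProcessMemory(PEB) failed, error %lu\n", GetLastError());

            printf("[-] 64bit ImageBase Address     = 0x%p\n", (void*)ImageBaseAddress);
            printf("[-] 64bit EntryPoint Address    = 0x%p\n", (void*)lpContext64bit.Rcx);
            printf("[-] 64bit Process (PEB Address) = 0x%p\n", (void*)lpContext64bit.Rdx);

            /* Offset and byte are specific to this crackme build. */
            uTargetAddress64bit = lpContext64bit.Rcx + 0x7E;

            patched = WriteProcessMemory(lpProcessInfo.hProcess,
                                         (LPVOID)uTargetAddress64bit,
                                         &newByte64bit,
                                         1,
                                         NULL);
        }
    }
#else // 32bit Application
    {
        CONTEXT lpContext32bit = {0};
        DWORD32 *peb32bit;
        DWORD32 ImageBaseAddress = 0;
        DWORD32 uTargetAddress32bit;
        char newByte32bit = 0x74;

        lpContext32bit.ContextFlags = CONTEXT_FULL;
        if (!GetThreadContext(lpProcessInfo.hThread, &lpContext32bit))
            printf("[!] GetThreadContext failed, error %lu\n", GetLastError());

        /* Initial 32-bit thread context: Ebx holds the PEB and Eax the entry
           point; PEB32.ImageBaseAddress is the third 4-byte field (offset 8). */
        peb32bit = (DWORD32*)lpContext32bit.Ebx;
        if (!ReadProcessMemory(lpProcessInfo.hProcess,
                               &peb32bit[2],
                               (LPVOID)&ImageBaseAddress,
                               sizeof(DWORD32),
                               NULL))
            printf("[!] ReadProcessMemory(PEB) failed, error %lu\n", GetLastError());

        printf("[-] 32bit ImageBase Address     = 0x%08X\n", ImageBaseAddress);
        printf("[-] 32bit EntryPoint Address    = 0x%08X\n", lpContext32bit.Eax);
        printf("[-] 32bit Process (PEB Address) = 0x%08X\n", lpContext32bit.Ebx);

        /* Offset and byte are specific to this crackme build. */
        uTargetAddress32bit = lpContext32bit.Eax + 0x64;

        patched = WriteProcessMemory(lpProcessInfo.hProcess,
                                     (LPVOID)uTargetAddress32bit,
                                     &newByte32bit,
                                     1,
                                     NULL);
    }
#endif

    if (!patched)
        printf("[!] WriteProcessMemory failed, error %lu\n", GetLastError());

    /* The target runs either way (patched or not) and the patcher waits for
       its initial thread to finish. */
    ResumeThread(lpProcessInfo.hThread);
    WaitForSingleObject(lpProcessInfo.hThread, INFINITE);

    /* Release the two handles CreateProcess returned. */
    CloseHandle(lpProcessInfo.hThread);
    CloseHandle(lpProcessInfo.hProcess);

    return 0;
}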

The attached file contains the source and binaries (32-bit, 64-bit and Wow64) for testing purposes:
Link: http://www.mediafire.com/download/l81e74mr9nc09he/loader02.rar

Monday, September 7, 2015

Memory patcher to deal with (ASLR)

Memory patcher to deal with Address Space Layout Randomization (ASLR)


#include < windows.h >
#include < stdio.h >

#ifdef _WIN64
#define CAPTION "atomos - memory patcher for chimera #01 (64-bit)"
#define EXENAME "target64.exe"
#else
#define CAPTION "atomos - memory patcher for chimera #01 (32-bit)"
#define EXENAME "target32.exe"
#endif

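/* Starts EXENAME suspended, reads its ASLR-relocated image base from the
   target's PEB, writes one byte at a fixed offset from the entry point, then
   resumes the target and waits for its initial thread to exit.
   Returns 0 in every case; failures are printed to stdout. */
int iWinMain() {
    PROCESS_INFORMATION lpProcessInfo = {0};
    CONTEXT lpContext = {0};
    STARTUPINFO lpStartupInfo = {0};
    ULONG_PTR* peb;
    ULONG_PTR ImageBaseAddress = 0;
    ULONG_PTR uTargetAddress;
    char newByte;

    printf("%s\nFilename: %s\n\n", CAPTION, EXENAME);

    /* CREATE_SUSPENDED: the image is mapped and relocated but nothing has run
       yet, so the live load address must come from the PEB rather than from
       the file header. EXENAME has no directory part, so it is resolved
       relative to the current directory. */
    if(!CreateProcessA(EXENAME,
                       NULL,
                       NULL,
                       NULL,
                       0,
                       CREATE_SUSPENDED,
                       NULL,
                       NULL,
                       &lpStartupInfo,
                       &lpProcessInfo)) {
        printf("[!] CreateProcessA(%s) failed, error %lu\n", EXENAME, GetLastError());
        return 0;
    }

    lpContext.ContextFlags = CONTEXT_FULL;
    if (!GetThreadContext(lpProcessInfo.hThread, &lpContext))
        printf("[!] GetThreadContext failed, error %lu\n", GetLastError());

    /* Initial thread context of a suspended process: the PEB is in Rdx (x64)
       or Ebx (x86); ImageBaseAddress is the third pointer-sized PEB field. */
#ifdef _WIN64
    peb = (ULONG_PTR*)lpContext.Rdx;
#else
    peb = (ULONG_PTR*)lpContext.Ebx;
#endif

    if (!ReadProcessMemory(lpProcessInfo.hProcess,
                           &peb[2],
                           (LPVOID)&ImageBaseAddress,
                           sizeof(ULONG_PTR),
                           NULL))
        printf("[!] ReadProcessMemory(PEB) failed, error %lu\n", GetLastError());

    printf("[-] ImageBase Address     = 0x%p\n", (void*)ImageBaseAddress);

    /* Entry point is in Rcx (x64) or Eax (x86). Offset and byte are specific
       to this crackme build (0x74/0x75 are the short JE/JNE opcodes). */
#ifdef _WIN64
    printf("[-] EntryPoint Address    = 0x%p\n", (void*)lpContext.Rcx);
    printf("[-] Process (PEB Address) = 0x%p\n", (void*)lpContext.Rdx);
    uTargetAddress = lpContext.Rcx + 0x7E;
    newByte = 0x75;
#else
    printf("[-] EntryPoint Address    = 0x%p\n", (void*)lpContext.Eax);
    printf("[-] Process (PEB Address) = 0x%p\n", (void*)lpContext.Ebx);
    uTargetAddress = lpContext.Eax + 0x64;
    newByte = 0x74;
#endif

    if (!WriteProcessMemory(lpProcessInfo.hProcess,
                            (LPVOID)uTargetAddress,
                            &newByte,
                            1,
                            NULL))
        printf("[!] WriteProcessMemory failed, error %lu\n", GetLastError());

    /* The target runs either way (patched or not) and the patcher waits for
       its initial thread to finish. */
    ResumeThread(lpProcessInfo.hThread);
    WaitForSingleObject(lpProcessInfo.hThread, INFINITE);

    /* Release the two handles CreateProcess returned. */
    CloseHandle(lpProcessInfo.hThread);
    CloseHandle(lpProcessInfo.hProcess);

    return 0;
}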


Source: http://www.mediafire.com/download/dobdsqd6dsplwsq/loader.rar

Friday, May 22, 2015

[C/C++] Using RtlAdjustPrivilege to detect debugger.

A basic way of using RtlAdjustPrivilege to detect a debugger (tested with OllyDbg and IDA demo 6.6).
As usual, though not enabled by default in every debugger, the debugger must acquire the debug privilege
to work at its full capacity.
The snippet is simple and has probably been used before, but I wrote it as simply as possible to get clear ASM code
inside the debugger.

RtlAdjustPrivilege: Enables or disables a privilege from the calling thread or process.

NTSTATUS RtlAdjustPrivilege
 (
  ULONG    Privilege,     //[In]    Privilege index to change.
  BOOLEAN  Enable,        //[In]    If TRUE, then enable the privilege otherwise disable.
  BOOLEAN  CurrentThread, //[In]    If TRUE, then enable in calling thread, otherwise process.
  PBOOLEAN Enabled        //[Out]   Whether privilege was previously enabled or disabled.
 
)


RtlAdjustPrivilege stores the previous status in a boolean variable.
Our job is to read the contents of this variable after calling RtlAdjustPrivilege with SE_DEBUG_PRIVILEGE as the parameter;
if the privilege was already enabled, we likely have a debugging situation.


Code Snippet:
#include <windows.h>
#include <ntdll.h>

#ifdef _WIN64
#define captionMsg L"Application 64-bit"
#else
#define captionMsg L"Application 32-bit"
#endif

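/* Debugger check based on SeDebugPrivilege: disabling the privilege is
   harmless for an ordinary process, and RtlAdjustPrivilege reports whether it
   was enabled beforehand. An already-enabled SeDebugPrivilege in our own
   token is unusual for a normal launch. Always returns 0. */
int WINAPI iWinMain() {
    NTSTATUS status;
    /* Initialised on purpose: when RtlAdjustPrivilege fails (for instance
       because the token never held SeDebugPrivilege) the output may be left
       untouched, and the check below must not read an indeterminate value. */
    BOOLEAN bPreviousPrivilegeStatus = FALSE;

    status = RtlAdjustPrivilege(
        SE_DEBUG_PRIVILEGE,
        FALSE, // avoid to adjust privilege (DISABLE IT).
        FALSE, // whole process token, not just the calling thread.
        &bPreviousPrivilegeStatus);

    // NTSTATUS convention: non-negative values are success. Only trust the
    // reported previous state when the call itself succeeded; then, if
    // SE_DEBUG_PRIVILEGE was already acquired, voluntarily crash the
    // application by calling memset with an invalid pointer as parameter.
    // (memset(NULL, ...) is undefined behaviour; an optimising compiler may
    // remove the call, so the fault is not guaranteed.)
    if (status >= 0 && bPreviousPrivilegeStatus)
        memset(NULL, 0, 1); //<-- BOOM! PADA BOOM!!!

    MessageBoxW(
        NULL,
        L"Nothing!",
        captionMsg,
        MB_ICONINFORMATION);

    return 0;
}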

Source:
http://www.mediafire.com/download/z3udrn29pd93wvl/RtlAdjustPrivilege.rar

[C/C++] Using "csrss.exe" ProcessId to detect debugger.

Code Snippet:

#include <windows.h>
#include <ntdll.h>

#ifdef _WIN64
#define captionMsg L"64-bit Application"
#else
#define captionMsg L"32-bit Application"
#endif

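/* Debugger check based on process access rights: opening csrss.exe with
   PROCESS_ALL_ACCESS normally requires SeDebugPrivilege, which an ordinary
   process does not hold but a process started under a debugger typically
   inherits. Always returns 0. */
int WINAPI iWinMain() {

    HANDLE ProcessHandle = NULL;
    OBJECT_ATTRIBUTES ObjectAttributes;
    CLIENT_ID ClientId;
    NTSTATUS status;

    /* Same as InitializeObjectAttributes(&ObjectAttributes, NULL,
       OBJ_CASE_INSENSITIVE, NULL, NULL): no name, the target is given by
       ClientId instead. */
    ObjectAttributes.Length = sizeof(OBJECT_ATTRIBUTES);
    ObjectAttributes.RootDirectory = 0;
    ObjectAttributes.ObjectName = NULL;
    ObjectAttributes.Attributes = OBJ_CASE_INSENSITIVE;
    ObjectAttributes.SecurityDescriptor = NULL;
    ObjectAttributes.SecurityQualityOfService = NULL;

    ClientId.UniqueProcess = CsrGetProcessId(); // getting "csrss.exe" ProcessId.
    ClientId.UniqueThread = 0;

    status = NtOpenProcess(
        &ProcessHandle,
        PROCESS_ALL_ACCESS, // This parameter need SeDebugPrivilege.
        &ObjectAttributes,
        &ClientId);

    /* Decide on the status code (non-negative NTSTATUS means success) rather
       than on the handle value alone; the handle is closed before the
       deliberate fault so nothing is left open. memset(NULL, ...) is
       undefined behaviour and an optimising compiler may remove it. */
    if (status >= 0 && ProcessHandle != NULL) {
        NtClose(ProcessHandle);
        memset(NULL, 0, 1); //<-- BOOM! PADA BOOM!!!
    }

    MessageBoxW(
        NULL,
        L"Nothing!",
        captionMsg,
        MB_ICONINFORMATION);
    return 0;
}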

Source:
http://www.mediafire.com/download/uqm9shm64trv2q6/csrssDBG.rar

Monday, May 18, 2015

DSEFix (kernelmode.info)

Windows x64 Driver Signature Enforcement Overrider from kernelmode.info.

For more info see Defeating x64 Driver Signature Enforcement.
http://www.kernelmode.info/forum/viewtopic.php?f=11&t=3322

Source:
https://github.com/hfiref0x/DSEFix

UACMe (kernelmode.info)

Defeating Windows User Account Control by abusing built-in Windows AutoElevate backdoor.
More info http://www.kernelmode.info/forum/viewtopic.php?f=11&t=3643


Source:
https://github.com/hfiref0x/UACME 

WinObjEx64 (kernelmode.info)

Windows Object Explorer 64-bit (WinObjEx64) from kernelmode.info.
http://www.kernelmode.info/forum/viewtopic.php?f=11&t=3751

Quote(kernelmode.info):
WinObjEx64 is an advanced utility that lets you explore the Windows Object Manager namespace.
For certain object types, you can double-click on it or use the "Properties..."
toolbar button to get more information, such as description, attributes, resource usage etc.
WinObjEx64 lets you view and edit object-related security information if you have the required access rights.

System Requirements:
WinObjEx64 does not require administrative privileges. However administrative privilege is required
to view much of the namespace and to edit object-related security information.
WinObjEx64 works only on the following x64 Windows:
Windows 7, Windows 8, Windows 8.1 and Windows 10, including Server variants.
WinObjEx64 does not work on Windows XP; Windows Vista is partially supported.
We have no plans to fully support them.
In order to use all program features Windows must be booted in the DEBUG mode.

Build:
WinObjEx64 comes with full source code.
In order to build from source you need Microsoft Visual Studio 2013 U4 or a later version.

Authors:
(c) 2015 WinObjEx64 Project
Original WinObjEx (c) 2003 - 2005 Four-F

Acknowledgements:
We would like to thank the following people for their contributions (in alphabetical order):

Andrew Ivlev aka Four-F - author of the original x86-32 WinObjEx
Giuseppe Bonfa aka Evilcry - KDSubmarine author
Mark Russinovich - author of the original proof-of-concept tool WinObj
Microsoft WinDBG developers team

Source and compiled binary here:
https://github.com/hfiref0x/WinObjEx64

Project files SHA1 https://github.com/hfiref0x/WinObjEx64/ ... /SHA1.hash

Copyrights:
WinObjEx64 developed by WinObjEx64 Project group, in the alphabetical order:

EP_X0FF
MP_ART

This program uses Windows Debugger Local Kernel Debugging Driver © Microsoft Corporation.
Please use this thread for bug reports. Also note that Windows 10 is supported *AS IS*
since it has not been released yet; official support will be added after the official release.

VirtualBox Hardened Loader x64 (kernelmode.info)

VirtualBox Hardened VM detection mitigation loader x64 from kernelmode.info.

Step by step guide for VirtualBox Hardened (4.3.14+) VM detection mitigation configuring.
http://www.kernelmode.info/forum/viewtopic.php?f=11&t=3478

Quote(kernelmode.info):
Project comes with full source code. In order to build from source you need Microsoft Visual Studio 2013 U4 or later for the loader build, and Windows Driver Kit 8.1 U1 or later for the driver build.

https://github.com/hfiref0x/VBoxHardenedLoader