

[UP] Sending code to Github
Detection of nirvaned processes and simple DLLs to quick-hook X86 and X64
keowu committed Sep 16, 2023
1 parent 04c319f commit 78056a8
Showing 28 changed files with 1,632 additions and 2 deletions.
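--- a/UNKNOWN_PATH.sln
+++ b/UNKNOWN_PATH.sln
@@ -0,0 +1,35 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio Version 17
+VisualStudioVersion = 17.6.33829.357
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "DetectProcessContainerInstrumented", "DetectProcessContainerNirvaned\DetectProcessContainerNirvaned.vcxproj", "{9F14E6F2-4F89-452E-B8EE-1611F305D0F0}"
+EndProject
+Global
+GlobalSection(SolutionConfigurationPlatforms) = preSolution
+Debug|ARM64 = Debug|ARM64
+Debug|x64 = Debug|x64
+Release|ARM64 = Release|ARM64
+Release|x64 = Release|x64
+EndGlobalSection
+GlobalSection(ProjectConfigurationPlatforms) = postSolution
+{9F14E6F2-4F89-452E-B8EE-1611F305D0F0}.Debug|ARM64.ActiveCfg = Debug|ARM64
+{9F14E6F2-4F89-452E-B8EE-1611F305D0F0}.Debug|ARM64.Build.0 = Debug|ARM64
+{9F14E6F2-4F89-452E-B8EE-1611F305D0F0}.Debug|ARM64.Deploy.0 = Debug|ARM64
+{9F14E6F2-4F89-452E-B8EE-1611F305D0F0}.Debug|x64.ActiveCfg = Debug|x64
+{9F14E6F2-4F89-452E-B8EE-1611F305D0F0}.Debug|x64.Build.0 = Debug|x64
+{9F14E6F2-4F89-452E-B8EE-1611F305D0F0}.Debug|x64.Deploy.0 = Debug|x64
+{9F14E6F2-4F89-452E-B8EE-1611F305D0F0}.Release|ARM64.ActiveCfg = Release|ARM64
+{9F14E6F2-4F89-452E-B8EE-1611F305D0F0}.Release|ARM64.Build.0 = Release|ARM64
+{9F14E6F2-4F89-452E-B8EE-1611F305D0F0}.Release|ARM64.Deploy.0 = Release|ARM64
+{9F14E6F2-4F89-452E-B8EE-1611F305D0F0}.Release|x64.ActiveCfg = Release|x64
+{9F14E6F2-4F89-452E-B8EE-1611F305D0F0}.Release|x64.Build.0 = Release|x64
+{9F14E6F2-4F89-452E-B8EE-1611F305D0F0}.Release|x64.Deploy.0 = Release|x64
+EndGlobalSection
+GlobalSection(SolutionProperties) = preSolution
+HideSolutionNode = FALSE
+EndGlobalSection
+GlobalSection(ExtensibilityGlobals) = postSolution
+SolutionGuid = {F9521924-AD7D-4C49-BE93-2C0BDC42E3E1}
+EndGlobalSection
+EndGlobal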
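--- a/UNKNOWN_PATH.hh
+++ b/UNKNOWN_PATH.hh
@@ -0,0 +1,59 @@
+/*
+_ __ _____ _____ _ _ _ _
+| | / /| ___| _ || | | | | | |
+| |/ / | |__ | | | || | | | | | |
+| \ | __|| | | || |/\| | | | |
+| |\ \| |___\ \_/ /\ /\ / |_| |
+\_| \_/\____/ \___/ \/ \/ \___/
+2023
+Copyright (c) Fluxuss Cyber Tech Desenvolvimento de Software, SLU (FLUXUSS)
+Copyright (c) Fluxuss Software Security, LLC
+*/
+#include <ntifs.h>
+
+typedef struct _SYSTEM_THREADS {
+
+LARGE_INTEGER KernelTime;
+LARGE_INTEGER UserTime;
+LARGE_INTEGER CreateTime;
+ULONG WaitTime;
+PVOID StartAddress;
+CLIENT_ID ClientId;
+KPRIORITY Priority;
+KPRIORITY BasePriority;
+ULONG ContextSwitchCount;
+LONG State;
+LONG WaitReason;
+
+} SYSTEM_THREADS, * PSYSTEM_THREADS;
+
+typedef struct _SYSTEM_PROCESSES {
+
+ULONG NextEntryDelta;
+ULONG ThreadCount;
+ULONG Reserved1[6];
+LARGE_INTEGER CreateTime;
+LARGE_INTEGER UserTime;
+LARGE_INTEGER KernelTime;
+UNICODE_STRING ProcessName;
+KPRIORITY BasePriority;
+SIZE_T ProcessId;
+SIZE_T InheritedFromProcessId;
+ULONG HandleCount;
+ULONG Reserved2[2];
+VM_COUNTERS VmCounters;
+IO_COUNTERS IoCounters;
+SYSTEM_THREADS Threads[1];
+
+} SYSTEM_PROCESSES, * PSYSTEM_PROCESSES;
+
+#define SystemProcessInformation 0x05
+
+extern "C" NTSTATUS NTAPI ZwQuerySystemInformation(
+
+_In_ ULONG SystemInformationClass,
+_Inout_ PVOID SystemInformation,
+_In_ ULONG SystemInformationLength,
+_Out_opt_ PULONG ReturnLength
+
+);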
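Review bot: The header has no include guard or `#pragma once`, so a translation unit that pulls it in twice (the project compiles MainDriver.cc and NirvanaHeuristics.cc against three headers) gets a redefinition error for `struct _SYSTEM_THREADS` and `struct _SYSTEM_PROCESSES`; add `#pragma once` directly after the banner comment. `SYSTEM_PROCESSES`/`SYSTEM_THREADS` and `#define SystemProcessInformation 0x05` describe an undocumented, version-dependent buffer layout, and `Threads[1]` is a variable-length tail, so a header comment should state that consumers must bound every `NextEntryDelta`/`ThreadCount` walk by the `ReturnLength` that `ZwQuerySystemInformation` reports before dereferencing any entry. If the WDK headers being targeted already declare `SYSTEM_INFORMATION_CLASS` or this prototype, the macro and the `extern "C"` declaration may collide with them — worth confirming against the ntifs.h in use.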
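--- a/DetectProcessContainerNirvaned/DetectProcessContainerInstrumented.inf
+++ b/DetectProcessContainerNirvaned/DetectProcessContainerInstrumented.inf
@@ -0,0 +1,77 @@
+;
+; DetectProcessContainerInstrumented.inf
+;
+
+[Version]
+Signature="$WINDOWS NT$"
+Class=System ; TODO: specify appropriate Class
+ClassGuid={4d36e97d-e325-11ce-bfc1-08002be10318} ; TODO: specify appropriate ClassGuid
+Provider=%ManufacturerName%
+CatalogFile=DetectProcessContainerInstrumented.cat
+DriverVer= ; TODO: set DriverVer in stampinf property pages
+PnpLockdown=1
+
+[DestinationDirs]
+DefaultDestDir = 12
+DetectProcessContainerInstrumented_Device_CoInstaller_CopyFiles = 11
+
+[SourceDisksNames]
+1 = %DiskName%,,,""
+
+[SourceDisksFiles]
+DetectProcessContainerInstrumented.sys = 1,,
+WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll=1 ; make sure the number matches with SourceDisksNames
+
+;*****************************************
+; Install Section
+;*****************************************
+
+[Manufacturer]
+%ManufacturerName%=Standard,NT$ARCH$
+
+[Standard.NT$ARCH$]
+%DetectProcessContainerInstrumented.DeviceDesc%=DetectProcessContainerInstrumented_Device, Root\DetectProcessContainerInstrumented ; TODO: edit hw-id
+
+[DetectProcessContainerInstrumented_Device.NT]
+CopyFiles=Drivers_Dir
+
+[Drivers_Dir]
+DetectProcessContainerInstrumented.sys
+
+;-------------- Service installation
+[DetectProcessContainerInstrumented_Device.NT.Services]
+AddService = DetectProcessContainerInstrumented,%SPSVCINST_ASSOCSERVICE%, DetectProcessContainerInstrumented_Service_Inst
+
+; -------------- DetectProcessContainerInstrumented driver install sections
+[DetectProcessContainerInstrumented_Service_Inst]
+DisplayName = %DetectProcessContainerInstrumented.SVCDESC%
+ServiceType = 1 ; SERVICE_KERNEL_DRIVER
+StartType = 3 ; SERVICE_DEMAND_START
+ErrorControl = 1 ; SERVICE_ERROR_NORMAL
+ServiceBinary = %12%\DetectProcessContainerInstrumented.sys
+
+;
+;--- DetectProcessContainerInstrumented_Device Coinstaller installation ------
+;
+
+[DetectProcessContainerInstrumented_Device.NT.CoInstallers]
+AddReg=DetectProcessContainerInstrumented_Device_CoInstaller_AddReg
+CopyFiles=DetectProcessContainerInstrumented_Device_CoInstaller_CopyFiles
+
+[DetectProcessContainerInstrumented_Device_CoInstaller_AddReg]
+HKR,,CoInstallers32,0x00010000, "WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll,WdfCoInstaller"
+
+[DetectProcessContainerInstrumented_Device_CoInstaller_CopyFiles]
+WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll
+
+[DetectProcessContainerInstrumented_Device.NT.Wdf]
+KmdfService = DetectProcessContainerInstrumented, DetectProcessContainerInstrumented_wdfsect
+[DetectProcessContainerInstrumented_wdfsect]
+KmdfLibraryVersion = $KMDFVERSION$
+
+[Strings]
+SPSVCINST_ASSOCSERVICE= 0x00000002
+ManufacturerName="<Your manufacturer name>" ;TODO: Replace with your manufacturer name
+DiskName = "DetectProcessContainerInstrumented Installation Disk"
+DetectProcessContainerInstrumented.DeviceDesc = "DetectProcessContainerInstrumented Device"
+DetectProcessContainerInstrumented.SVCDESC = "DetectProcessContainerInstrumented Service"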
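Review bot: The template placeholders are still in place: the `[Strings]` section ships `ManufacturerName="<Your manufacturer name>"`, and the `Class=System` / `ClassGuid=` lines in `[Version]` still carry their `; TODO: specify appropriate ...` comments while the driver installs under the generic System class GUID. The hardware id `Root\DetectProcessContainerInstrumented` in `[Standard.NT$ARCH$]` likewise keeps its `; TODO: edit hw-id` marker, so a reader cannot tell which of these values are deliberate. Either fill them in or drop the TODO comments so the INF reads as intentional; `DriverVer=` can stay empty since, per its own comment, stampinf fills it at build time.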
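--- a/DetectProcessContainerNirvaned/DetectProcessContainerNirvaned.vcxproj
+++ b/DetectProcessContainerNirvaned/DetectProcessContainerNirvaned.vcxproj
@@ -0,0 +1,122 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+<ItemGroup Label="ProjectConfigurations">
+<ProjectConfiguration Include="Debug|x64">
+<Configuration>Debug</Configuration>
+<Platform>x64</Platform>
+</ProjectConfiguration>
+<ProjectConfiguration Include="Release|x64">
+<Configuration>Release</Configuration>
+<Platform>x64</Platform>
+</ProjectConfiguration>
+<ProjectConfiguration Include="Debug|ARM64">
+<Configuration>Debug</Configuration>
+<Platform>ARM64</Platform>
+</ProjectConfiguration>
+<ProjectConfiguration Include="Release|ARM64">
+<Configuration>Release</Configuration>
+<Platform>ARM64</Platform>
+</ProjectConfiguration>
+</ItemGroup>
+<PropertyGroup Label="Globals">
+<ProjectGuid>{9F14E6F2-4F89-452E-B8EE-1611F305D0F0}</ProjectGuid>
+<TemplateGuid>{1bc93793-694f-48fe-9372-81e2b05556fd}</TemplateGuid>
+<TargetFrameworkVersion>v4.5</TargetFrameworkVersion>
+<MinimumVisualStudioVersion>12.0</MinimumVisualStudioVersion>
+<Configuration>Debug</Configuration>
+<Platform Condition="'$(Platform)' == ''">x64</Platform>
+<RootNamespace>DetectProcessContainerNirvaned</RootNamespace>
+<ProjectName>DetectProcessContainerInstrumented</ProjectName>
+</PropertyGroup>
+<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
+<TargetVersion>Windows10</TargetVersion>
+<UseDebugLibraries>true</UseDebugLibraries>
+<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
+<ConfigurationType>Driver</ConfigurationType>
+<DriverType>KMDF</DriverType>
+<DriverTargetPlatform>Universal</DriverTargetPlatform>
+</PropertyGroup>
+<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
+<TargetVersion>Windows10</TargetVersion>
+<UseDebugLibraries>false</UseDebugLibraries>
+<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
+<ConfigurationType>Driver</ConfigurationType>
+<DriverType>KMDF</DriverType>
+<DriverTargetPlatform>Universal</DriverTargetPlatform>
+</PropertyGroup>
+<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'" Label="Configuration">
+<TargetVersion>Windows10</TargetVersion>
+<UseDebugLibraries>true</UseDebugLibraries>
+<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
+<ConfigurationType>Driver</ConfigurationType>
+<DriverType>KMDF</DriverType>
+<DriverTargetPlatform>Universal</DriverTargetPlatform>
+</PropertyGroup>
+<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'" Label="Configuration">
+<TargetVersion>Windows10</TargetVersion>
+<UseDebugLibraries>false</UseDebugLibraries>
+<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
+<ConfigurationType>Driver</ConfigurationType>
+<DriverType>KMDF</DriverType>
+<DriverTargetPlatform>Universal</DriverTargetPlatform>
+</PropertyGroup>
+<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+<ImportGroup Label="ExtensionSettings">
+</ImportGroup>
+<ImportGroup Label="PropertySheets">
+<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+</ImportGroup>
+<PropertyGroup Label="UserMacros" />
+<PropertyGroup />
+<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
+</PropertyGroup>
+<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
+</PropertyGroup>
+<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'">
+<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
+</PropertyGroup>
+<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'">
+<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
+</PropertyGroup>
+<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+<DriverSign>
+<FileDigestAlgorithm>sha256</FileDigestAlgorithm>
+</DriverSign>
+</ItemDefinitionGroup>
+<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+<DriverSign>
+<FileDigestAlgorithm>sha256</FileDigestAlgorithm>
+</DriverSign>
+</ItemDefinitionGroup>
+<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'">
+<DriverSign>
+<FileDigestAlgorithm>sha256</FileDigestAlgorithm>
+</DriverSign>
+</ItemDefinitionGroup>
+<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'">
+<DriverSign>
+<FileDigestAlgorithm>sha256</FileDigestAlgorithm>
+</DriverSign>
+</ItemDefinitionGroup>
+<ItemGroup>
+<Inf Include="DetectProcessContainerInstrumented.inf" />
+</ItemGroup>
+<ItemGroup>
+<FilesToPackage Include="$(TargetPath)" />
+</ItemGroup>
+<ItemGroup>
+<ClCompile Include="MainDriver.cc" />
+<ClCompile Include="NirvanaHeuristics.cc" />
+</ItemGroup>
+<ItemGroup>
+<ClInclude Include="Defs.hh" />
+<ClInclude Include="MainDriver.hh" />
+<ClInclude Include="NirvanaHeuristics.hh" />
+</ItemGroup>
+<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+<ImportGroup Label="ExtensionTargets">
+</ImportGroup>
+</Project>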
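Review bot: The project carries two names at once: the solution references it as `DetectProcessContainerNirvaned\DetectProcessContainerNirvaned.vcxproj` and the `Globals` group sets `<RootNamespace>DetectProcessContainerNirvaned</RootNamespace>`, while `<ProjectName>DetectProcessContainerInstrumented</ProjectName>` is what the INF, the `.sys` and the `.cat` are named after. Settling on one name (or a comment in `Globals` explaining why the directory and the output differ) would spare the next reader a search through the INF to work out which artefact this project builds.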
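--- a/DetectProcessContainerNirvaned/DetectProcessContainerNirvaned.vcxproj.filters
+++ b/DetectProcessContainerNirvaned/DetectProcessContainerNirvaned.vcxproj.filters
@@ -0,0 +1,45 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+<ItemGroup>
+<Filter Include="Source Files">
+<UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+<Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+</Filter>
+<Filter Include="Header Files">
+<UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+<Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
+</Filter>
+<Filter Include="Resource Files">
+<UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+<Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+</Filter>
+<Filter Include="Driver Files">
+<UniqueIdentifier>{8E41214B-6785-4CFE-B992-037D68949A14}</UniqueIdentifier>
+<Extensions>inf;inv;inx;mof;mc;</Extensions>
+</Filter>
+</ItemGroup>
+<ItemGroup>
+<Inf Include="DetectProcessContainerInstrumented.inf">
+<Filter>Driver Files</Filter>
+</Inf>
+</ItemGroup>
+<ItemGroup>
+<ClCompile Include="MainDriver.cc">
+<Filter>Source Files</Filter>
+</ClCompile>
+<ClCompile Include="NirvanaHeuristics.cc">
+<Filter>Source Files</Filter>
+</ClCompile>
+</ItemGroup>
+<ItemGroup>
+<ClInclude Include="MainDriver.hh">
+<Filter>Resource Files</Filter>
+</ClInclude>
+<ClInclude Include="NirvanaHeuristics.hh">
+<Filter>Resource Files</Filter>
+</ClInclude>
+<ClInclude Include="Defs.hh">
+<Filter>Resource Files</Filter>
+</ClInclude>
+</ItemGroup>
+</Project>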
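Review bot: The three `.hh` headers are filed under `Resource Files` in the last `ClInclude` group even though a `Header Files` filter is declared a few lines above; change each `<Filter>Resource Files</Filter>` under a `ClInclude` to `<Filter>Header Files</Filter>`. The `Header Files` filter's extension list also omits `hh`, so headers added later with that extension will not be auto-sorted into it; `<Extensions>h;hh;hpp;hxx;hm;inl;inc;xsd</Extensions>` fixes that. This is IDE organisation only and does not affect the build.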