
Commit f538151

Create CreateProcessWithCfGuard.cpp
1 parent b8742d6 commit f538151


1 file changed

+156
-0
lines changed


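--- a/Evasion/CreateProcessWithCfGuard.cpp
+++ b/Evasion/CreateProcessWithCfGuard.cpp
@@ -0,0 +1,156 @@
+/*
+must pass pointer of PPROCESS_INFORMATION to function, callee is responsible for closing handles
+eg
+
+CloseHandle(PihProcess);
+CloseHandle(Pi.hThread);
+*/
+
+typedef struct _PROC_THREAD_ATTRIBUTE {
+ULONG64 Attribute;
+ULONG64 Size;
+ULONG64 Value;
+}PROC_THREAD_ATTRIBUTE, * PPROC_THREAD_ATTRIBUTE;
+
+typedef struct _PROC_THREAD_ATTRIBUTE_LIST {
+ULONG PresentFlags;
+ULONG AttributeCount;
+ULONG LastAttribute;
+ULONG SpareUlong0;
+struct _PROC_THREAD_ATTRIBUTE* ExtendedFlagsAttribute;
+struct _PROC_THREAD_ATTRIBUTE Attributes[1];
+}PROC_THREAD_ATTRIBUTE_LIST, * PPROC_THREAD_ATTRIBUTE_LIST;
+
+BOOL UnusedSubroutineInitializeProcThreadAttributeList(LPPROC_THREAD_ATTRIBUTE_LIST lpAttributeList, DWORD dwAttributeCount, DWORD dwFlags, PSIZE_T lpSize)
+{
+BOOL bFlag = FALSE;
+DWORD dwSize = ERROR_SUCCESS;
+
+if (dwFlags || (dwAttributeCount > 0x1B))
+{
+SetLastError(ERROR_INVALID_PARAMETER);
+return bFlag;
+}
+
+dwSize = (24 * (dwAttributeCount + 1));
+
+if (lpAttributeList && *lpSize >= dwSize)
+{
+lpAttributeList->PresentFlags = 0;
+lpAttributeList->ExtendedFlagsAttribute = 0;
+lpAttributeList->AttributeCount = dwAttributeCount;
+lpAttributeList->LastAttribute = 0;
+bFlag = TRUE;
+}
+else
+SetLastError(ERROR_INSUFFICIENT_BUFFER);
+
+*lpSize = dwSize;
+return bFlag;
+}
+
+DWORD UnusedSubroutineGetProcThreadAttributeListSize(VOID)
+{
+SIZE_T dwSize = 0;
+
+UnusedSubroutineInitializeProcThreadAttributeList(NULL, 1, 0, &dwSize);
+
+return dwSize;
+}
+
+VOID UnusedSubroutineUpdateProcThreadAttribute(LPPROC_THREAD_ATTRIBUTE_LIST AttributeList, DWORD_PTR Attribute, PVOID Policy, SIZE_T Size)
+{
+PPROC_THREAD_ATTRIBUTE ExtendedAttributes;
+
+AttributeList->PresentFlags |= (1 << (Attribute & 0x0000FFFF));
+
+ExtendedAttributes = AttributeList->Attributes;
+ExtendedAttributes->Attribute = Attribute;
+ExtendedAttributes->Size = Size;
+ExtendedAttributes->Value = (ULONG64)Policy;
+AttributeList->LastAttribute++;
+
+return;
+}
+
+BOOL CreateProcessWithCfGuardW(PPROCESS_INFORMATION Pi, PWCHAR Path)
+{
+BOOL bFlag = FALSE;
+PPROC_THREAD_ATTRIBUTE_LIST ThreadAttributes = NULL;
+SIZE_T dwAttributeSize = 0;
+DWORD64 Policy = PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON;
+
+STARTUPINFOEXW Si; RfZeroMemory(&Si, sizeof(STARTUPINFOEXW));
+Si.StartupInfo.cb = sizeof(STARTUPINFOEXW);
+RfZeroMemory(Pi, sizeof(PROCESS_INFORMATION));
+
+dwAttributeSize = UnusedSubroutineGetProcThreadAttributeListSize();
+if (dwAttributeSize == 0)
+goto EXIT_ROUTINE;
+
+ThreadAttributes = (PPROC_THREAD_ATTRIBUTE_LIST)HeapAlloc(RfGetProcessHeap(), HEAP_ZERO_MEMORY, dwAttributeSize);
+if (ThreadAttributes == NULL)
+goto EXIT_ROUTINE;
+
+if(!UnusedSubroutineInitializeProcThreadAttributeList(ThreadAttributes, 1, 0, &dwAttributeSize))
+goto EXIT_ROUTINE;
+
+UnusedSubroutineUpdateProcThreadAttribute(ThreadAttributes, PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY, &Policy, sizeof(DWORD64));
+
+Si.lpAttributeList = ThreadAttributes;
+
+if (!CreateProcessW(Path, NULL, NULL, NULL, TRUE, EXTENDED_STARTUPINFO_PRESENT, NULL, NULL, &Si.StartupInfo, Pi))
+goto EXIT_ROUTINE;
+
+Si.lpAttributeList = ThreadAttributes;
+
+bFlag = TRUE;
+
+EXIT_ROUTINE:
+
+if (ThreadAttributes)
+HeapFree(RfGetProcessHeap(), HEAP_ZERO_MEMORY, (PPROC_THREAD_ATTRIBUTE_LIST)ThreadAttributes);
+
+return bFlag;
+}
+
+BOOL CreateProcessWithCfGuardA(PPROCESS_INFORMATION Pi, PCHAR Path)
+{
+BOOL bFlag = FALSE;
+PPROC_THREAD_ATTRIBUTE_LIST ThreadAttributes = NULL;
+SIZE_T dwAttributeSize = 0;
+DWORD64 Policy = PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON;
+
+STARTUPINFOEXA Si; RfZeroMemory(&Si, sizeof(STARTUPINFOEXA));
+Si.StartupInfo.cb = sizeof(STARTUPINFOEXW);
+RfZeroMemory(Pi, sizeof(PROCESS_INFORMATION));
+
+dwAttributeSize = UnusedSubroutineGetProcThreadAttributeListSize();
+if (dwAttributeSize == 0)
+goto EXIT_ROUTINE;
+
+ThreadAttributes = (PPROC_THREAD_ATTRIBUTE_LIST)HeapAlloc(RfGetProcessHeap(), HEAP_ZERO_MEMORY, dwAttributeSize);
+if (ThreadAttributes == NULL)
+goto EXIT_ROUTINE;
+
+if (!UnusedSubroutineInitializeProcThreadAttributeList(ThreadAttributes, 1, 0, &dwAttributeSize))
+goto EXIT_ROUTINE;
+
+UnusedSubroutineUpdateProcThreadAttribute(ThreadAttributes, PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY, &Policy, sizeof(DWORD64));
+
+Si.lpAttributeList = ThreadAttributes;
+
+if (!CreateProcessA(Path, NULL, NULL, NULL, TRUE, EXTENDED_STARTUPINFO_PRESENT, NULL, NULL, &Si.StartupInfo, Pi))
+goto EXIT_ROUTINE;
+
+Si.lpAttributeList = ThreadAttributes;
+
+bFlag = TRUE;
+
+EXIT_ROUTINE:
+
+if (ThreadAttributes)
+HeapFree(RfGetProcessHeap(), HEAP_ZERO_MEMORY, (PPROC_THREAD_ATTRIBUTE_LIST)ThreadAttributes);
+
+return bFlag;
+}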
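Review bot: In CreateProcessWithCfGuardA the ANSI startup block is sized with the wide struct, `Si.StartupInfo.cb = sizeof(STARTUPINFOEXW);`, which appears to give the same value on current headers but should be `Si.StartupInfo.cb = sizeof(STARTUPINFOEXA);` so cb cannot drift from the structure the pointer actually refers to. The exported name says CfGuard, yet the only policy both variants apply is PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON (a DLL-signature mitigation) rather than PROCESS_CREATION_MITIGATION_POLICY_CONTROL_FLOW_GUARD_ALWAYS_ON, so either rename or state the applied policy in the header comment, which also misspells its example as `CloseHandle(PihProcess);` where the parameter is a pointer (`Pi->hProcess`, `Pi->hThread`). Both variants pass HEAP_ZERO_MEMORY to HeapFree, which is not a HeapFree flag, and pass bInheritHandles=TRUE although nothing marks a handle inheritable; `HeapFree(RfGetProcessHeap(), 0, ThreadAttributes);` and `FALSE` keep the child's handle table to what it needs. The second `Si.lpAttributeList = ThreadAttributes;` after each CreateProcess call is a no-op and can go, and UnusedSubroutineUpdateProcThreadAttribute always writes Attributes[0] regardless of LastAttribute, so the list supports exactly one attribute — worth a one-line comment on that function.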
