From 1ccd1cc73a9e716482bcc5bb5b9b9cd76c234fa8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E7=90=B4=E5=BF=83?=
Date: Sun, 25 Jul 2021 22:29:05 +0800
Subject: [PATCH] =?UTF-8?q?=E6=B7=BB=E5=8A=A0=E9=A1=B9=E7=9B=AE=E6=96=87?= =?UTF-8?q?=E4=BB=B6=E3=80=82?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
CobaltStrikeDetected.sln | 51 ++++++
CobaltStrikeDetected/CobaltStrikeDetected.inf | 28 +++
.../CobaltStrikeDetected.vcxproj | 160 ++++++++++++++++++
.../CobaltStrikeDetected.vcxproj.filters | 31 ++++
CobaltStrikeDetected/main.cpp | 138 +++++++++++++++
5 files changed, 408 insertions(+)
create mode 100644 CobaltStrikeDetected.sln
create mode 100644 CobaltStrikeDetected/CobaltStrikeDetected.inf
create mode 100644 CobaltStrikeDetected/CobaltStrikeDetected.vcxproj
create mode 100644 CobaltStrikeDetected/CobaltStrikeDetected.vcxproj.filters
create mode 100644 CobaltStrikeDetected/main.cpp
diff --git a/CobaltStrikeDetected.sln b/CobaltStrikeDetected.sln
new file mode 100644
index 0000000..05156ef
--- /dev/null
+++ b/CobaltStrikeDetected.sln
@@ -0,0 +1,51 @@ + +Microsoft Visual Studio Solution File, Format Version 12.00 +# Visual Studio Version 16 +VisualStudioVersion = 16.0.31424.327 +MinimumVisualStudioVersion = 10.0.40219.1 +Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "CobaltStrikeDetected", "CobaltStrikeDetected\CobaltStrikeDetected.vcxproj", "{9A484276-0F33-45EE-B217-60F3ABD836C4}" +EndProject +Global + GlobalSection(SolutionConfigurationPlatforms) = preSolution + Debug|ARM = Debug|ARM + Debug|ARM64 = Debug|ARM64 + Debug|x64 = Debug|x64 + Debug|x86 = Debug|x86 + Release|ARM = Release|ARM + Release|ARM64 = Release|ARM64 + Release|x64 = Release|x64 + Release|x86 = Release|x86 + EndGlobalSection + GlobalSection(ProjectConfigurationPlatforms) = postSolution + {9A484276-0F33-45EE-B217-60F3ABD836C4}.Debug|ARM.ActiveCfg = Debug|ARM + {9A484276-0F33-45EE-B217-60F3ABD836C4}.Debug|ARM.Build.0 = Debug|ARM + {9A484276-0F33-45EE-B217-60F3ABD836C4}.Debug|ARM.Deploy.0 = Debug|ARM + {9A484276-0F33-45EE-B217-60F3ABD836C4}.Debug|ARM64.ActiveCfg = Debug|ARM64 + {9A484276-0F33-45EE-B217-60F3ABD836C4}.Debug|ARM64.Build.0 = Debug|ARM64 + {9A484276-0F33-45EE-B217-60F3ABD836C4}.Debug|ARM64.Deploy.0 = Debug|ARM64 + {9A484276-0F33-45EE-B217-60F3ABD836C4}.Debug|x64.ActiveCfg = Debug|x64 + {9A484276-0F33-45EE-B217-60F3ABD836C4}.Debug|x64.Build.0 = Debug|x64 + {9A484276-0F33-45EE-B217-60F3ABD836C4}.Debug|x64.Deploy.0 = Debug|x64 + {9A484276-0F33-45EE-B217-60F3ABD836C4}.Debug|x86.ActiveCfg = Debug|Win32 + {9A484276-0F33-45EE-B217-60F3ABD836C4}.Debug|x86.Build.0 = Debug|Win32 + {9A484276-0F33-45EE-B217-60F3ABD836C4}.Debug|x86.Deploy.0 = Debug|Win32 + {9A484276-0F33-45EE-B217-60F3ABD836C4}.Release|ARM.ActiveCfg = Release|ARM + {9A484276-0F33-45EE-B217-60F3ABD836C4}.Release|ARM.Build.0 = Release|ARM + {9A484276-0F33-45EE-B217-60F3ABD836C4}.Release|ARM.Deploy.0 = Release|ARM + {9A484276-0F33-45EE-B217-60F3ABD836C4}.Release|ARM64.ActiveCfg = Release|ARM64 + {9A484276-0F33-45EE-B217-60F3ABD836C4}.Release|ARM64.Build.0 = 
Release|ARM64 + {9A484276-0F33-45EE-B217-60F3ABD836C4}.Release|ARM64.Deploy.0 = Release|ARM64 + {9A484276-0F33-45EE-B217-60F3ABD836C4}.Release|x64.ActiveCfg = Release|x64 + {9A484276-0F33-45EE-B217-60F3ABD836C4}.Release|x64.Build.0 = Release|x64 + {9A484276-0F33-45EE-B217-60F3ABD836C4}.Release|x64.Deploy.0 = Release|x64 + {9A484276-0F33-45EE-B217-60F3ABD836C4}.Release|x86.ActiveCfg = Release|Win32 + {9A484276-0F33-45EE-B217-60F3ABD836C4}.Release|x86.Build.0 = Release|Win32 + {9A484276-0F33-45EE-B217-60F3ABD836C4}.Release|x86.Deploy.0 = Release|Win32 + EndGlobalSection + GlobalSection(SolutionProperties) = preSolution + HideSolutionNode = FALSE + EndGlobalSection + GlobalSection(ExtensibilityGlobals) = postSolution + SolutionGuid = {92EB6D07-A524-4660-BF50-9ADCBA85F9EB} + EndGlobalSection +EndGlobal diff --git a/CobaltStrikeDetected/CobaltStrikeDetected.inf b/CobaltStrikeDetected/CobaltStrikeDetected.inf new file mode 100644 index 0000000..77ce138 --- /dev/null +++ b/CobaltStrikeDetected/CobaltStrikeDetected.inf @@ -0,0 +1,28 @@ +; +; CobaltStrikeDetected.inf +; + +[Version] +Signature="$WINDOWS NT$" +Class=System +ClassGuid={4d36e97d-e325-11ce-bfc1-08002be10318} +Provider=%ManufacturerName% +DriverVer= +CatalogFile=CobaltStrikeDetected.cat +PnpLockDown=1 + +[DestinationDirs] +DefaultDestDir = 12 + + +[SourceDisksNames] +1 = %DiskName%,,,"" + +[SourceDisksFiles] + + + +[Strings] +ManufacturerName="" ;TODO: Replace with your manufacturer name +ClassName="" +DiskName="CobaltStrikeDetected Source Disk" diff --git a/CobaltStrikeDetected/CobaltStrikeDetected.vcxproj b/CobaltStrikeDetected/CobaltStrikeDetected.vcxproj new file mode 100644 index 0000000..68b0caa --- /dev/null +++ b/CobaltStrikeDetected/CobaltStrikeDetected.vcxproj 
@@ -0,0 +1,160 @@ + + + + + Debug + Win32 + + + Release + Win32 + + + Debug + x64 + + + Release + x64 + + + Debug + ARM + + + Release + ARM + + + Debug + ARM64 + + + Release + ARM64 + + + + {9A484276-0F33-45EE-B217-60F3ABD836C4} + {dd38f7fc-d7bd-488b-9242-7d8754cde80d} + v4.5 + 12.0 + Debug + Win32 + CobaltStrikeDetected + + + + Windows10 + true + WindowsKernelModeDriver10.0 + Driver + WDM + + + Windows10 + false + WindowsKernelModeDriver10.0 + Driver + WDM + + + Windows10 + true + WindowsKernelModeDriver10.0 + Driver + WDM + + + Windows7 + false + WindowsKernelModeDriver10.0 + Driver + WDM + false + + + Windows10 + true + WindowsKernelModeDriver10.0 + Driver + WDM + + + Windows10 + false + WindowsKernelModeDriver10.0 + Driver + WDM + + + Windows10 + true + WindowsKernelModeDriver10.0 + Driver + WDM + + + Windows10 + false + WindowsKernelModeDriver10.0 + Driver + WDM + + + + + + + + + + + DbgengKernelDebugger + + + DbgengKernelDebugger + + + DbgengKernelDebugger + + + DbgengKernelDebugger + false + + + DbgengKernelDebugger + + + DbgengKernelDebugger + + + DbgengKernelDebugger + + + DbgengKernelDebugger + + + + false + + + false + + + false + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/CobaltStrikeDetected/CobaltStrikeDetected.vcxproj.filters b/CobaltStrikeDetected/CobaltStrikeDetected.vcxproj.filters new file mode 100644 index 0000000..6bc120f --- /dev/null +++ b/CobaltStrikeDetected/CobaltStrikeDetected.vcxproj.filters @@ -0,0 +1,31 @@ + + + + + {4FC737F1-C7A5-4376-A066-2A32D752A2FF} + cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx + + + {93995380-89BD-4b04-88EB-625FBE52EBFB} + h;hpp;hxx;hm;inl;inc;xsd + + + {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} + rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms + + + {8E41214B-6785-4CFE-B992-037D68949A14} + inf;inv;inx;mof;mc; + + + + + Driver Files + + + + + Source Files + + + \ No newline at end of file 
diff --git a/CobaltStrikeDetected/main.cpp b/CobaltStrikeDetected/main.cpp
new file mode 100644
index 0000000..6223525
--- /dev/null
+++ b/CobaltStrikeDetected/main.cpp
@@ -0,0 +1,138 @@ +//ϵͳͷÎļþ +#include +#include +#define STACK_WALK_WEIGHT 20 +#define DebugPrint(...) DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, __VA_ARGS__) +extern "C" { + NTKERNELAPI UCHAR* PsGetProcessImageFileName(__in PEPROCESS Process); + NTKERNELAPI + NTSTATUS + NTAPI + ZwQueryInformationProcess( + _In_ HANDLE ProcessHandle, + _In_ PROCESSINFOCLASS ProcessInformationClass, + _Out_ PVOID ProcessInformation, + _In_ ULONG ProcessInformationLength, + _Out_opt_ PULONG ReturnLength + ); +}; +typedef enum _PS_PROTECTED_TYPE { + PsProtectedTypeNone = 0, + PsProtectedTypeProtectedLight = 1, + PsProtectedTypeProtected = 2 +} PS_PROTECTED_TYPE, * PPS_PROTECTED_TYPE; +typedef enum _PS_PROTECTED_SIGNER { + PsProtectedSignerNone = 0, + PsProtectedSignerAuthenticode, + PsProtectedSignerCodeGen, + PsProtectedSignerAntimalware, + PsProtectedSignerLsa, + PsProtectedSignerWindows, + PsProtectedSignerWinTcb, + PsProtectedSignerWinSystem, + PsProtectedSignerApp, + PsProtectedSignerMax +} PS_PROTECTED_SIGNER, * PPS_PROTECTED_SIGNER; +typedef struct _PS_PROTECTION { + union { + UCHAR Level; + struct { + UCHAR Type : 3; + UCHAR Audit : 1; // Reserved + UCHAR Signer : 4; + }; + }; +} PS_PROTECTION, * PPS_PROTECTION; +namespace Global { + bool hLoadImageNotify; +}; +bool CheckProcessProtect() { + PS_PROTECTION ProtectInfo = { 0 }; + NTSTATUS ntStatus = ZwQueryInformationProcess(NtCurrentProcess(), ProcessProtectionInformation, &ProtectInfo, sizeof(ProtectInfo), 0ull); + bool Result1 = false; + bool Result2 = false; + if (NT_SUCCESS(ntStatus)) { + Result1 = ProtectInfo.Type == PsProtectedTypeNone && ProtectInfo.Signer == PsProtectedSignerNone; + PROCESS_EXTENDED_BASIC_INFORMATION ProcessExtenedInfo = { 0 }; + ntStatus = ZwQueryInformationProcess(NtCurrentProcess(), ProcessBasicInformation, &ProcessExtenedInfo, sizeof(ProcessExtenedInfo), 0ull); + if (NT_SUCCESS(ntStatus)) { + Result2 = ProcessExtenedInfo.IsProtectedProcess == false && ProcessExtenedInfo.IsSecureProcess == 
false; + } + } + return Result2 && Result1; +} +bool CheckStackVAD(PVOID pAddress) { + bool bResult = false; + size_t iReturnlength; + MEMORY_BASIC_INFORMATION MemoryInfomation[sizeof(MEMORY_BASIC_INFORMATION)] = { 0 }; + if (MemoryInfomation) { + NTSTATUS nt_status = ZwQueryVirtualMemory(NtCurrentProcess(), (PVOID)pAddress, MemoryBasicInformation, MemoryInfomation, sizeof(MEMORY_BASIC_INFORMATION), &iReturnlength); + if (NT_SUCCESS(nt_status)) { + bool is_map_memory = (MemoryInfomation->Type == MEM_PRIVATE || MemoryInfomation->Type == MEM_MAPPED) && MemoryInfomation->State == MEM_COMMIT; + bResult = is_map_memory && + (MemoryInfomation->Protect == PAGE_EXECUTE || MemoryInfomation->Protect == PAGE_EXECUTE_READWRITE || + MemoryInfomation->Protect == PAGE_EXECUTE_READ || MemoryInfomation->Protect == PAGE_EXECUTE_WRITECOPY); + if (bResult) { + DebugPrint("MemoryInfomation->Protect %08X MemoryInfomation->Type %08X \n", MemoryInfomation->Protect, MemoryInfomation->Type); + } + } + } + return bResult; +} +bool WalkStack(int pHeight) +{ + bool bResult = true; + PVOID dwStackWalkAddress[STACK_WALK_WEIGHT] = { 0 }; + unsigned __int64 iWalkChainCount = RtlWalkFrameChain(dwStackWalkAddress, STACK_WALK_WEIGHT, 1); + int iWalkLimit = 0; + for (unsigned __int64 i = iWalkChainCount; i > 0; i--) + { + if (iWalkLimit > pHeight) + break; + iWalkLimit++; + if (CheckStackVAD((PVOID)dwStackWalkAddress[i])) { + DebugPrint("height: %d address %p \n", i, dwStackWalkAddress[i]); + bResult = false; + break; + } + } + return bResult; +} +void LoadImageNotify(PUNICODE_STRING pFullImageName, HANDLE pProcessId, PIMAGE_INFO pImageInfo) +{ + UNREFERENCED_PARAMETER(pFullImageName); + UNREFERENCED_PARAMETER(pProcessId); + UNREFERENCED_PARAMETER(pImageInfo); + if (KeGetCurrentIrql() != PASSIVE_LEVEL) + return; + if (PsGetCurrentProcessId() != (HANDLE)4 && PsGetCurrentProcessId() != (HANDLE)0) { + if (WalkStack(10) == false) { + + DebugPrint("[!!!] 
CobaltStrike Shellcode Detected Process Name: %s\n", PsGetProcessImageFileName(PsGetCurrentProcess())); + ZwTerminateProcess(NtCurrentProcess(), 0); + return; + } + } + return; +} +void DriverUnload(PDRIVER_OBJECT pDriverObject) +{ + UNREFERENCED_PARAMETER(pDriverObject); + if (Global::hLoadImageNotify) + PsRemoveLoadImageNotifyRoutine(LoadImageNotify); + + DebugPrint("[DebugMessage] Driver Uninstall \n"); +} +extern "C" NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegPath) +{ + UNREFERENCED_PARAMETER(pDriverObject); + UNREFERENCED_PARAMETER(pRegPath); + Global::hLoadImageNotify = NT_SUCCESS(PsSetLoadImageNotifyRoutine(LoadImageNotify)); + if (!Global::hLoadImageNotify) { + DebugPrint("[DebugMessage] LoadImageNotify failed...\r\n"); + return STATUS_UNSUCCESSFUL; + } + pDriverObject->DriverUnload = DriverUnload; + DebugPrint("[DebugMessage] Driver Installed \n"); + return STATUS_SUCCESS; +} \ No newline at end of file
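Review bot: The frame loop in WalkStack starts at `i = iWalkChainCount`, which is one past the last slot RtlWalkFrameChain filled (it returns the number of frames written, so valid indices are 0..count-1); the first iteration therefore inspects an entry that was never written — past the end of the 20-entry `dwStackWalkAddress` array when the chain is full — and frame 0 is never checked, whereas `for (unsigned __int64 i = iWalkChainCount; i-- > 0;)` walks the same frames in the same order without the off-by-one. The `DebugPrint` inside that loop also formats the `unsigned __int64` index with `%d`; it should be `%llu`. In CheckStackVAD, `MEMORY_BASIC_INFORMATION MemoryInfomation[sizeof(MEMORY_BASIC_INFORMATION)]` allocates sizeof(MEMORY_BASIC_INFORMATION) structs on the kernel stack where one `MEMORY_BASIC_INFORMATION MemoryInfomation = { 0 };` suffices, and the `if (MemoryInfomation)` test on an array is always true. CheckProcessProtect is defined but not called anywhere in this hunk, and LoadImageNotify's only response is an unconditional `ZwTerminateProcess(NtCurrentProcess(), 0)` driven by a heuristic that fires for any executable private or mapped page found on the user stack — a log-only/audit mode and a distinctive non-zero exit status would make false positives (JIT engines, packed but legitimate binaries) visible and attributable before the kill is enforced.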