添加项目文件。
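--- /dev/null
+++ b/CobaltStrikeDetected.sln
@@ -0,0 +1,51 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio Version 16
+VisualStudioVersion = 16.0.31424.327
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "CobaltStrikeDetected", "CobaltStrikeDetected\CobaltStrikeDetected.vcxproj", "{9A484276-0F33-45EE-B217-60F3ABD836C4}"
+EndProject
+Global
+GlobalSection(SolutionConfigurationPlatforms) = preSolution
+Debug|ARM = Debug|ARM
+Debug|ARM64 = Debug|ARM64
+Debug|x64 = Debug|x64
+Debug|x86 = Debug|x86
+Release|ARM = Release|ARM
+Release|ARM64 = Release|ARM64
+Release|x64 = Release|x64
+Release|x86 = Release|x86
+EndGlobalSection
+GlobalSection(ProjectConfigurationPlatforms) = postSolution
+{9A484276-0F33-45EE-B217-60F3ABD836C4}.Debug|ARM.ActiveCfg = Debug|ARM
+{9A484276-0F33-45EE-B217-60F3ABD836C4}.Debug|ARM.Build.0 = Debug|ARM
+{9A484276-0F33-45EE-B217-60F3ABD836C4}.Debug|ARM.Deploy.0 = Debug|ARM
+{9A484276-0F33-45EE-B217-60F3ABD836C4}.Debug|ARM64.ActiveCfg = Debug|ARM64
+{9A484276-0F33-45EE-B217-60F3ABD836C4}.Debug|ARM64.Build.0 = Debug|ARM64
+{9A484276-0F33-45EE-B217-60F3ABD836C4}.Debug|ARM64.Deploy.0 = Debug|ARM64
+{9A484276-0F33-45EE-B217-60F3ABD836C4}.Debug|x64.ActiveCfg = Debug|x64
+{9A484276-0F33-45EE-B217-60F3ABD836C4}.Debug|x64.Build.0 = Debug|x64
+{9A484276-0F33-45EE-B217-60F3ABD836C4}.Debug|x64.Deploy.0 = Debug|x64
+{9A484276-0F33-45EE-B217-60F3ABD836C4}.Debug|x86.ActiveCfg = Debug|Win32
+{9A484276-0F33-45EE-B217-60F3ABD836C4}.Debug|x86.Build.0 = Debug|Win32
+{9A484276-0F33-45EE-B217-60F3ABD836C4}.Debug|x86.Deploy.0 = Debug|Win32
+{9A484276-0F33-45EE-B217-60F3ABD836C4}.Release|ARM.ActiveCfg = Release|ARM
+{9A484276-0F33-45EE-B217-60F3ABD836C4}.Release|ARM.Build.0 = Release|ARM
+{9A484276-0F33-45EE-B217-60F3ABD836C4}.Release|ARM.Deploy.0 = Release|ARM
+{9A484276-0F33-45EE-B217-60F3ABD836C4}.Release|ARM64.ActiveCfg = Release|ARM64
+{9A484276-0F33-45EE-B217-60F3ABD836C4}.Release|ARM64.Build.0 = Release|ARM64
+{9A484276-0F33-45EE-B217-60F3ABD836C4}.Release|ARM64.Deploy.0 = Release|ARM64
+{9A484276-0F33-45EE-B217-60F3ABD836C4}.Release|x64.ActiveCfg = Release|x64
+{9A484276-0F33-45EE-B217-60F3ABD836C4}.Release|x64.Build.0 = Release|x64
+{9A484276-0F33-45EE-B217-60F3ABD836C4}.Release|x64.Deploy.0 = Release|x64
+{9A484276-0F33-45EE-B217-60F3ABD836C4}.Release|x86.ActiveCfg = Release|Win32
+{9A484276-0F33-45EE-B217-60F3ABD836C4}.Release|x86.Build.0 = Release|Win32
+{9A484276-0F33-45EE-B217-60F3ABD836C4}.Release|x86.Deploy.0 = Release|Win32
+EndGlobalSection
+GlobalSection(SolutionProperties) = preSolution
+HideSolutionNode = FALSE
+EndGlobalSection
+GlobalSection(ExtensibilityGlobals) = postSolution
+SolutionGuid = {92EB6D07-A524-4660-BF50-9ADCBA85F9EB}
+EndGlobalSection
+EndGlobal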
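--- /dev/null
+++ b/CobaltStrikeDetected/CobaltStrikeDetected.inf
@@ -0,0 +1,28 @@
+;
+; CobaltStrikeDetected.inf
+;
+
+[Version]
+Signature="$WINDOWS NT$"
+Class=System
+ClassGuid={4d36e97d-e325-11ce-bfc1-08002be10318}
+Provider=%ManufacturerName%
+DriverVer=
+CatalogFile=CobaltStrikeDetected.cat
+PnpLockDown=1
+
+[DestinationDirs]
+DefaultDestDir = 12
+
+
+[SourceDisksNames]
+1 = %DiskName%,,,""
+
+[SourceDisksFiles]
+
+
+
+[Strings]
+ManufacturerName="<Your manufacturer name>" ;TODO: Replace with your manufacturer name
+ClassName=""
+DiskName="CobaltStrikeDetected Source Disk"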
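--- /dev/null
+++ b/CobaltStrikeDetected/CobaltStrikeDetected.vcxproj
@@ -0,0 +1,160 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+<ItemGroup Label="ProjectConfigurations">
+<ProjectConfiguration Include="Debug|Win32">
+<Configuration>Debug</Configuration>
+<Platform>Win32</Platform>
+</ProjectConfiguration>
+<ProjectConfiguration Include="Release|Win32">
+<Configuration>Release</Configuration>
+<Platform>Win32</Platform>
+</ProjectConfiguration>
+<ProjectConfiguration Include="Debug|x64">
+<Configuration>Debug</Configuration>
+<Platform>x64</Platform>
+</ProjectConfiguration>
+<ProjectConfiguration Include="Release|x64">
+<Configuration>Release</Configuration>
+<Platform>x64</Platform>
+</ProjectConfiguration>
+<ProjectConfiguration Include="Debug|ARM">
+<Configuration>Debug</Configuration>
+<Platform>ARM</Platform>
+</ProjectConfiguration>
+<ProjectConfiguration Include="Release|ARM">
+<Configuration>Release</Configuration>
+<Platform>ARM</Platform>
+</ProjectConfiguration>
+<ProjectConfiguration Include="Debug|ARM64">
+<Configuration>Debug</Configuration>
+<Platform>ARM64</Platform>
+</ProjectConfiguration>
+<ProjectConfiguration Include="Release|ARM64">
+<Configuration>Release</Configuration>
+<Platform>ARM64</Platform>
+</ProjectConfiguration>
+</ItemGroup>
+<PropertyGroup Label="Globals">
+<ProjectGuid>{9A484276-0F33-45EE-B217-60F3ABD836C4}</ProjectGuid>
+<TemplateGuid>{dd38f7fc-d7bd-488b-9242-7d8754cde80d}</TemplateGuid>
+<TargetFrameworkVersion>v4.5</TargetFrameworkVersion>
+<MinimumVisualStudioVersion>12.0</MinimumVisualStudioVersion>
+<Configuration>Debug</Configuration>
+<Platform Condition="'$(Platform)' == ''">Win32</Platform>
+<RootNamespace>CobaltStrikeDetected</RootNamespace>
+</PropertyGroup>
+<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+<TargetVersion>Windows10</TargetVersion>
+<UseDebugLibraries>true</UseDebugLibraries>
+<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
+<ConfigurationType>Driver</ConfigurationType>
+<DriverType>WDM</DriverType>
+</PropertyGroup>
+<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+<TargetVersion>Windows10</TargetVersion>
+<UseDebugLibraries>false</UseDebugLibraries>
+<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
+<ConfigurationType>Driver</ConfigurationType>
+<DriverType>WDM</DriverType>
+</PropertyGroup>
+<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
+<TargetVersion>Windows10</TargetVersion>
+<UseDebugLibraries>true</UseDebugLibraries>
+<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
+<ConfigurationType>Driver</ConfigurationType>
+<DriverType>WDM</DriverType>
+</PropertyGroup>
+<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
+<TargetVersion>Windows7</TargetVersion>
+<UseDebugLibraries>false</UseDebugLibraries>
+<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
+<ConfigurationType>Driver</ConfigurationType>
+<DriverType>WDM</DriverType>
+<Driver_SpectreMitigation>false</Driver_SpectreMitigation>
+</PropertyGroup>
+<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'" Label="Configuration">
+<TargetVersion>Windows10</TargetVersion>
+<UseDebugLibraries>true</UseDebugLibraries>
+<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
+<ConfigurationType>Driver</ConfigurationType>
+<DriverType>WDM</DriverType>
+</PropertyGroup>
+<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'" Label="Configuration">
+<TargetVersion>Windows10</TargetVersion>
+<UseDebugLibraries>false</UseDebugLibraries>
+<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
+<ConfigurationType>Driver</ConfigurationType>
+<DriverType>WDM</DriverType>
+</PropertyGroup>
+<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'" Label="Configuration">
+<TargetVersion>Windows10</TargetVersion>
+<UseDebugLibraries>true</UseDebugLibraries>
+<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
+<ConfigurationType>Driver</ConfigurationType>
+<DriverType>WDM</DriverType>
+</PropertyGroup>
+<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'" Label="Configuration">
+<TargetVersion>Windows10</TargetVersion>
+<UseDebugLibraries>false</UseDebugLibraries>
+<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
+<ConfigurationType>Driver</ConfigurationType>
+<DriverType>WDM</DriverType>
+</PropertyGroup>
+<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+<ImportGroup Label="ExtensionSettings">
+</ImportGroup>
+<ImportGroup Label="PropertySheets">
+<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+</ImportGroup>
+<PropertyGroup Label="UserMacros" />
+<PropertyGroup />
+<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
+</PropertyGroup>
+<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
+</PropertyGroup>
+<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
+</PropertyGroup>
+<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
+<EnableInf2cat>false</EnableInf2cat>
+</PropertyGroup>
+<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'">
+<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
+</PropertyGroup>
+<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'">
+<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
+</PropertyGroup>
+<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'">
+<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
+</PropertyGroup>
+<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'">
+<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
+</PropertyGroup>
+<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+<Inf>
+<SpecifyArchitecture>false</SpecifyArchitecture>
+</Inf>
+<Link>
+<TreatLinkerWarningAsErrors>false</TreatLinkerWarningAsErrors>
+</Link>
+<ClCompile>
+<TreatWarningAsError>false</TreatWarningAsError>
+</ClCompile>
+</ItemDefinitionGroup>
+<ItemGroup>
+<Inf Include="CobaltStrikeDetected.inf" />
+</ItemGroup>
+<ItemGroup>
+<FilesToPackage Include="$(TargetPath)" />
+</ItemGroup>
+<ItemGroup>
+<ClCompile Include="main.cpp" />
+</ItemGroup>
+<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+<ImportGroup Label="ExtensionTargets">
+</ImportGroup>
+</Project>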
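Review bot: The Release|x64 configuration is the only one that sets `<Driver_SpectreMitigation>false</Driver_SpectreMitigation>`, and it also diverges from the other seven blocks with `<TargetVersion>Windows7</TargetVersion>`, `<EnableInf2cat>false</EnableInf2cat>` and compiler/linker warnings-as-errors switched off, which is presumably the build that actually ships. For a kernel-mode driver the Spectre mitigation property is what enables the compiler's speculative-execution hardening, so dropping it from the release build alone should be a deliberate, documented choice rather than a leftover from getting the build to pass; the same goes for disabling Inf2Cat while the INF still names `CobaltStrikeDetected.cat` as its catalog. Aligning Release|x64 with the Debug|x64 block (Windows10 target, mitigation on, Inf2Cat on) or adding a comment stating why it differs would make the intent clear.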
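--- /dev/null
+++ b/CobaltStrikeDetected/CobaltStrikeDetected.vcxproj.filters
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+<ItemGroup>
+<Filter Include="Source Files">
+<UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+<Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+</Filter>
+<Filter Include="Header Files">
+<UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+<Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
+</Filter>
+<Filter Include="Resource Files">
+<UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+<Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+</Filter>
+<Filter Include="Driver Files">
+<UniqueIdentifier>{8E41214B-6785-4CFE-B992-037D68949A14}</UniqueIdentifier>
+<Extensions>inf;inv;inx;mof;mc;</Extensions>
+</Filter>
+</ItemGroup>
+<ItemGroup>
+<Inf Include="CobaltStrikeDetected.inf">
+<Filter>Driver Files</Filter>
+</Inf>
+</ItemGroup>
+<ItemGroup>
+<ClCompile Include="main.cpp">
+<Filter>Source Files</Filter>
+</ClCompile>
+</ItemGroup>
+</Project>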
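--- /dev/null
+++ b/CobaltStrikeDetected/main.cpp
@@ -0,0 +1,138 @@
+//ϵͳͷ<CDB3>ļ<EFBFBD>
+#include <intrin.h>
+#include <ntifs.h>
+#define STACK_WALK_WEIGHT 20
+#define DebugPrint(...) DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, __VA_ARGS__)
+extern "C" {
+NTKERNELAPI UCHAR* PsGetProcessImageFileName(__in PEPROCESS Process);
+NTKERNELAPI
+NTSTATUS
+NTAPI
+ZwQueryInformationProcess(
+_In_ HANDLE ProcessHandle,
+_In_ PROCESSINFOCLASS ProcessInformationClass,
+_Out_ PVOID ProcessInformation,
+_In_ ULONG ProcessInformationLength,
+_Out_opt_ PULONG ReturnLength
+);
+};
+typedef enum _PS_PROTECTED_TYPE {
+PsProtectedTypeNone = 0,
+PsProtectedTypeProtectedLight = 1,
+PsProtectedTypeProtected = 2
+} PS_PROTECTED_TYPE, * PPS_PROTECTED_TYPE;
+typedef enum _PS_PROTECTED_SIGNER {
+PsProtectedSignerNone = 0,
+PsProtectedSignerAuthenticode,
+PsProtectedSignerCodeGen,
+PsProtectedSignerAntimalware,
+PsProtectedSignerLsa,
+PsProtectedSignerWindows,
+PsProtectedSignerWinTcb,
+PsProtectedSignerWinSystem,
+PsProtectedSignerApp,
+PsProtectedSignerMax
+} PS_PROTECTED_SIGNER, * PPS_PROTECTED_SIGNER;
+typedef struct _PS_PROTECTION {
+union {
+UCHAR Level;
+struct {
+UCHAR Type : 3;
+UCHAR Audit : 1; // Reserved
+UCHAR Signer : 4;
+};
+};
+} PS_PROTECTION, * PPS_PROTECTION;
+namespace Global {
+bool hLoadImageNotify;
+};
+bool CheckProcessProtect() {
+PS_PROTECTION ProtectInfo = { 0 };
+NTSTATUS ntStatus = ZwQueryInformationProcess(NtCurrentProcess(), ProcessProtectionInformation, &ProtectInfo, sizeof(ProtectInfo), 0ull);
+bool Result1 = false;
+bool Result2 = false;
+if (NT_SUCCESS(ntStatus)) {
+Result1 = ProtectInfo.Type == PsProtectedTypeNone && ProtectInfo.Signer == PsProtectedSignerNone;
+PROCESS_EXTENDED_BASIC_INFORMATION ProcessExtenedInfo = { 0 };
+ntStatus = ZwQueryInformationProcess(NtCurrentProcess(), ProcessBasicInformation, &ProcessExtenedInfo, sizeof(ProcessExtenedInfo), 0ull);
+if (NT_SUCCESS(ntStatus)) {
+Result2 = ProcessExtenedInfo.IsProtectedProcess == false && ProcessExtenedInfo.IsSecureProcess == false;
+}
+}
+return Result2 && Result1;
+}
+bool CheckStackVAD(PVOID pAddress) {
+bool bResult = false;
+size_t iReturnlength;
+MEMORY_BASIC_INFORMATION MemoryInfomation[sizeof(MEMORY_BASIC_INFORMATION)] = { 0 };
+if (MemoryInfomation) {
+NTSTATUS nt_status = ZwQueryVirtualMemory(NtCurrentProcess(), (PVOID)pAddress, MemoryBasicInformation, MemoryInfomation, sizeof(MEMORY_BASIC_INFORMATION), &iReturnlength);
+if (NT_SUCCESS(nt_status)) {
+bool is_map_memory = (MemoryInfomation->Type == MEM_PRIVATE || MemoryInfomation->Type == MEM_MAPPED) && MemoryInfomation->State == MEM_COMMIT;
+bResult = is_map_memory &&
+(MemoryInfomation->Protect == PAGE_EXECUTE || MemoryInfomation->Protect == PAGE_EXECUTE_READWRITE ||
+MemoryInfomation->Protect == PAGE_EXECUTE_READ || MemoryInfomation->Protect == PAGE_EXECUTE_WRITECOPY);
+if (bResult) {
+DebugPrint("MemoryInfomation->Protect %08X MemoryInfomation->Type %08X \n", MemoryInfomation->Protect, MemoryInfomation->Type);
+}
+}
+}
+return bResult;
+}
+bool WalkStack(int pHeight)
+{
+bool bResult = true;
+PVOID dwStackWalkAddress[STACK_WALK_WEIGHT] = { 0 };
+unsigned __int64 iWalkChainCount = RtlWalkFrameChain(dwStackWalkAddress, STACK_WALK_WEIGHT, 1);
+int iWalkLimit = 0;
+for (unsigned __int64 i = iWalkChainCount; i > 0; i--)
+{
+if (iWalkLimit > pHeight)
+break;
+iWalkLimit++;
+if (CheckStackVAD((PVOID)dwStackWalkAddress[i])) {
+DebugPrint("height: %d address %p \n", i, dwStackWalkAddress[i]);
+bResult = false;
+break;
+}
+}
+return bResult;
+}
+void LoadImageNotify(PUNICODE_STRING pFullImageName, HANDLE pProcessId, PIMAGE_INFO pImageInfo)
+{
+UNREFERENCED_PARAMETER(pFullImageName);
+UNREFERENCED_PARAMETER(pProcessId);
+UNREFERENCED_PARAMETER(pImageInfo);
+if (KeGetCurrentIrql() != PASSIVE_LEVEL)
+return;
+if (PsGetCurrentProcessId() != (HANDLE)4 && PsGetCurrentProcessId() != (HANDLE)0) {
+if (WalkStack(10) == false) {
+
+DebugPrint("[!!!] CobaltStrike Shellcode Detected Process Name: %s\n", PsGetProcessImageFileName(PsGetCurrentProcess()));
+ZwTerminateProcess(NtCurrentProcess(), 0);
+return;
+}
+}
+return;
+}
+void DriverUnload(PDRIVER_OBJECT pDriverObject)
+{
+UNREFERENCED_PARAMETER(pDriverObject);
+if (Global::hLoadImageNotify)
+PsRemoveLoadImageNotifyRoutine(LoadImageNotify);
+
+DebugPrint("[DebugMessage] Driver Uninstall \n");
+}
+extern "C" NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegPath)
+{
+UNREFERENCED_PARAMETER(pDriverObject);
+UNREFERENCED_PARAMETER(pRegPath);
+Global::hLoadImageNotify = NT_SUCCESS(PsSetLoadImageNotifyRoutine(LoadImageNotify));
+if (!Global::hLoadImageNotify) {
+DebugPrint("[DebugMessage] LoadImageNotify failed...\r\n");
+return STATUS_UNSUCCESSFUL;
+}
+pDriverObject->DriverUnload = DriverUnload;
+DebugPrint("[DebugMessage] Driver Installed \n");
+return STATUS_SUCCESS;
+}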
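Review bot: WalkStack indexes `dwStackWalkAddress[i]` with `i` starting at `iWalkChainCount`, so the first iteration reads the slot one past the last frame RtlWalkFrameChain filled (past the end of the 20-element array when the chain is full) and frame 0 is never examined; `for (unsigned __int64 i = iWalkChainCount; i-- > 0;)` keeps the same walk direction over the valid range, and the `"height: %d"` format should then become `%llu` so the 64-bit index does not misalign the following `%p` argument on 32-bit targets. In CheckStackVAD, `MEMORY_BASIC_INFORMATION MemoryInfomation[sizeof(MEMORY_BASIC_INFORMATION)]` puts sizeof-many structs on the kernel stack when only the first is used, and the `if (MemoryInfomation)` guard on an array is always true; a single `MEMORY_BASIC_INFORMATION MemoryInfomation = { 0 };` passed as `&MemoryInfomation` with `.` member access removes both. LoadImageNotify marks pImageInfo unreferenced, yet its `SystemModeImage` bit is the documented way to skip kernel-mode image loads, which the current-PID != 0/4 test only approximates. Terminating with exit status 0 makes the kill indistinguishable from a normal exit in process-termination telemetry, and any process that calls LoadLibrary from JIT-emitted private executable memory (managed runtimes, browsers) can meet the same criteria, so a distinctive NTSTATUS and a log-only mode would make the detection attributable and tunable. CheckProcessProtect is defined but never called anywhere in this file.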