Initial commit for public version

Co-authored-by: Thomas Diot <thomas.diot@wavestone.com>
2026-06-11 01:41:20 +00:00 · 2021-11-08 09:54:05 +01:00
commit 4bff81986b
42 changed files with 8490 additions and 0 deletions
@@ -0,0 +1,88 @@
+/*
+
+--- Functions to set the current process as a Protected Process (PsProtectedSignerWinTcb-Light).
+--- The code to locate the EPROCESS structure is adapted from:
+    http://blog.rewolf.pl/blog/?p=1683
+
+*/
+
+#pragma once
+
+#include <Windows.h>
+#include <Tchar.h>
+#include <stdio.h>
+
+#include "Globals.h"
+#include "KernelMemoryPrimitives.h"
+#include "NtoskrnlOffsets.h"
+
+//extern union NtoskrnlOffsets ntoskrnlOffsets;
+
+#ifndef NT_SUCCESS
+#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
+#endif
+#define STATUS_INFO_LENGTH_MISMATCH 0xc0000004
+
+#define PROTECTED_PROCESS_MASK	0x00000800
+
+/*
+* Defines the NtQuerySystemInformation function.
+* Undocumented function with a signature subject to possible change in futher Windows versions.
+*/
+#define SystemHandleInformation 0x10
+#define SystemHandleInformationBaseSize 0x1000
+
+typedef NTSTATUS(NTAPI* _NtQuerySystemInformation)(
+    ULONG SystemInformationClass,
+    PVOID SystemInformation,
+    ULONG SystemInformationLength,
+    PULONG ReturnLength
+    );
+
+/*
+* Source: https://www.geoffchappell.com/studies/windows/km/ntoskrnl/api/ex/sysinfo/handle_table_entry.htm
+*/
+typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO {
+    USHORT UniqueProcessId;
+    USHORT CreatorBackTraceIndex;
+    UCHAR ObjectTypeIndex;
+    UCHAR HandleAttributes;
+    USHORT HandleValue;
+    PVOID Object;
+    ULONG GrantedAccess;
+} SYSTEM_HANDLE_TABLE_ENTRY_INFO, * PSYSTEM_HANDLE_TABLE_ENTRY_INFO;
+
+/*
+* Source: https://www.geoffchappell.com/studies/windows/km/ntoskrnl/api/ex/sysinfo/handle.htm
+*/
+typedef struct _SYSTEM_HANDLE_INFORMATION {
+    ULONG NumberOfHandles;
+    SYSTEM_HANDLE_TABLE_ENTRY_INFO Handles[1];
+} SYSTEM_HANDLE_INFORMATION, * PSYSTEM_HANDLE_INFORMATION;
+
+/*
+* Defines the structures related to the process protection (EPROCESS's Protection attribute).
+* Source: https://docs.microsoft.com/en-us/windows/win32/procthread/zwqueryinformationprocess
+*/
+typedef enum _PS_PROTECTED_TYPE {
+    PsProtectedTypeNone = 0,
+    PsProtectedTypeProtectedLight = 1,
+    PsProtectedTypeProtected = 2
+} PS_PROTECTED_TYPE, * PPS_PROTECTED_TYPE;
+
+typedef enum _PS_PROTECTED_SIGNER {
+    PsProtectedSignerNone = 0,
+    PsProtectedSignerAuthenticode,
+    PsProtectedSignerCodeGen,
+    PsProtectedSignerAntimalware,
+    PsProtectedSignerLsa,
+    PsProtectedSignerWindows,
+    PsProtectedSignerWinTcb,
+    PsProtectedSignerWinSystem,
+    PsProtectedSignerApp,
+    PsProtectedSignerMax
+} PS_PROTECTED_SIGNER, * PPS_PROTECTED_SIGNER;
+
+DWORD64 GetSelfEPROCESSAddress(BOOL verbose);
+
+int SetCurrentProcessAsProtected(BOOL verbose);