diff --git a/.clang-format b/.clang-format
new file mode 100644
index 0000000..4096055
--- /dev/null
+++ b/.clang-format
@@ -0,0 +1,101 @@
+AccessModifierOffset: -4
+AlignAfterOpenBracket: AlwaysBreak
+AlignConsecutiveAssignments: false
+AlignConsecutiveDeclarations: false
+AlignEscapedNewlines: DontAlign
+AlignOperands: true
+AllowAllParametersOfDeclarationOnNextLine: false
+AllowShortBlocksOnASingleLine: false
+AllowShortCaseLabelsOnASingleLine: false
+AllowShortFunctionsOnASingleLine: Inline
+AllowShortIfStatementsOnASingleLine: false
+AllowShortLoopsOnASingleLine: false
+AlwaysBreakAfterReturnType: TopLevel
+AlwaysBreakBeforeMultilineStrings: false
+AlwaysBreakTemplateDeclarations: true
+BinPackArguments: false
+BinPackParameters: false
+BraceWrapping:
+ AfterClass: true
+ AfterControlStatement: true
+ AfterEnum: true
+ AfterFunction: true
+ AfterNamespace: false
+ AfterStruct: true
+ AfterUnion: true
+ AfterExternBlock: false
+ BeforeCatch: true
+ BeforeElse: true
+BreakBeforeBraces: Custom
+BreakBeforeBinaryOperators: None
+BreakBeforeTernaryOperators: true
+BreakConstructorInitializers: AfterColon
+BreakStringLiterals: false
+ColumnLimit: 120
+CommentPragmas: '^begin_wpp|^end_wpp|^FUNC |^USESUFFIX |^USESUFFIX '
+ConstructorInitializerAllOnOneLineOrOnePerLine: true
+ConstructorInitializerIndentWidth: 4
+ContinuationIndentWidth: 4
+Cpp11BracedListStyle: true
+DerivePointerAlignment: false
+ExperimentalAutoDetectBinPacking: false
+IndentCaseLabels: false
+IndentPPDirectives: AfterHash
+IndentWidth: 4
+KeepEmptyLinesAtTheStartOfBlocks: false
+Language: Cpp
+MacroBlockBegin: '^BEGIN_MODULE$|^BEGIN_TEST_CLASS$|^BEGIN_TEST_METHOD$'
+MacroBlockEnd: '^END_MODULE$|^END_TEST_CLASS$|^END_TEST_METHOD$'
+MaxEmptyLinesToKeep: 1
+NamespaceIndentation: None
+PointerAlignment: Right
+ReflowComments: true
+SortIncludes: false
+SpaceAfterCStyleCast: false
+SpaceBeforeAssignmentOperators: true
+SpaceBeforeCtorInitializerColon: true
+SpaceBeforeCtorInitializerColon: true
+SpaceBeforeParens: ControlStatements
+SpaceBeforeRangeBasedForLoopColon: true
+SpaceInEmptyParentheses: false
+SpacesInAngles: false
+SpacesInCStyleCastParentheses: false
+SpacesInParentheses: false
+SpacesInSquareBrackets: false
+Standard: Cpp11
+StatementMacros: [
+ 'EXTERN_C',
+ 'PAGED',
+ 'PAGEDX',
+ 'NONPAGED',
+ 'PNPCODE',
+ 'INITCODE',
+ '_At_',
+ '_When_',
+ '_Success_',
+ '_Check_return_',
+ '_Must_inspect_result_',
+ '_IRQL_requires_',
+ '_IRQL_requires_max_',
+ '_IRQL_requires_min_',
+ '_IRQL_saves_',
+ '_IRQL_restores_',
+ '_IRQL_saves_global_',
+ '_IRQL_restores_global_',
+ '_IRQL_raises_',
+ '_IRQL_lowers_',
+ '_Acquires_lock_',
+ '_Releases_lock_',
+ '_Acquires_exclusive_lock_',
+ '_Releases_exclusive_lock_',
+ '_Acquires_shared_lock_',
+ '_Releases_shared_lock_',
+ '_Requires_lock_held_',
+ '_Use_decl_annotations_',
+ '_Guarded_by_',
+ '__drv_preferredFunction',
+ '__drv_allocatesMem',
+ '__drv_freesMem',
+ ]
+TabWidth: '4'
+UseTab: Never
diff --git a/FakeEnclave.sln b/FakeEnclave.sln
new file mode 100644
index 0000000..5060687
--- /dev/null
+++ b/FakeEnclave.sln
@@ -0,0 +1,35 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio Version 17
+VisualStudioVersion = 17.2.32519.379
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "FakeEnclave", "FakeEnclave.vcxproj", "{FE7F43A7-1F9C-4E4B-8898-4B768B43BF55}"
+EndProject
+Global
+ GlobalSection(SolutionConfigurationPlatforms) = preSolution
+ Debug|ARM64 = Debug|ARM64
+ Debug|x64 = Debug|x64
+ Release|ARM64 = Release|ARM64
+ Release|x64 = Release|x64
+ EndGlobalSection
+ GlobalSection(ProjectConfigurationPlatforms) = postSolution
+ {FE7F43A7-1F9C-4E4B-8898-4B768B43BF55}.Debug|ARM64.ActiveCfg = Debug|ARM64
+ {FE7F43A7-1F9C-4E4B-8898-4B768B43BF55}.Debug|ARM64.Build.0 = Debug|ARM64
+ {FE7F43A7-1F9C-4E4B-8898-4B768B43BF55}.Debug|ARM64.Deploy.0 = Debug|ARM64
+ {FE7F43A7-1F9C-4E4B-8898-4B768B43BF55}.Debug|x64.ActiveCfg = Debug|x64
+ {FE7F43A7-1F9C-4E4B-8898-4B768B43BF55}.Debug|x64.Build.0 = Debug|x64
+ {FE7F43A7-1F9C-4E4B-8898-4B768B43BF55}.Debug|x64.Deploy.0 = Debug|x64
+ {FE7F43A7-1F9C-4E4B-8898-4B768B43BF55}.Release|ARM64.ActiveCfg = Release|ARM64
+ {FE7F43A7-1F9C-4E4B-8898-4B768B43BF55}.Release|ARM64.Build.0 = Release|ARM64
+ {FE7F43A7-1F9C-4E4B-8898-4B768B43BF55}.Release|ARM64.Deploy.0 = Release|ARM64
+ {FE7F43A7-1F9C-4E4B-8898-4B768B43BF55}.Release|x64.ActiveCfg = Release|x64
+ {FE7F43A7-1F9C-4E4B-8898-4B768B43BF55}.Release|x64.Build.0 = Release|x64
+ {FE7F43A7-1F9C-4E4B-8898-4B768B43BF55}.Release|x64.Deploy.0 = Release|x64
+ EndGlobalSection
+ GlobalSection(SolutionProperties) = preSolution
+ HideSolutionNode = FALSE
+ EndGlobalSection
+ GlobalSection(ExtensibilityGlobals) = postSolution
+ SolutionGuid = {8852CAE8-8666-47DE-8C40-AA6BF9B7D73B}
+ EndGlobalSection
+EndGlobal
diff --git a/FakeEnclave.vcxproj b/FakeEnclave.vcxproj
new file mode 100644
index 0000000..425ac1c
--- /dev/null
+++ b/FakeEnclave.vcxproj
@@ -0,0 +1,134 @@
+
+
+
+
+ Debug
+ x64
+
+
+ Release
+ x64
+
+
+ Debug
+ ARM64
+
+
+ Release
+ ARM64
+
+
+
+ {FE7F43A7-1F9C-4E4B-8898-4B768B43BF55}
+ {1bc93793-694f-48fe-9372-81e2b05556fd}
+ v4.5
+ 12.0
+ Debug
+ x64
+ FakeEnclave
+ $(LatestTargetPlatformVersion)
+
+
+
+ Windows10
+ true
+ LLVM-MSVC_v143_KernelMode
+ Driver
+ KMDF
+ Universal
+ false
+
+
+ Windows10
+ false
+ LLVM-MSVC_v143_KernelMode
+ Driver
+ KMDF
+ Universal
+ false
+
+
+ Windows10
+ true
+ LLVM-MSVC_v143_KernelMode
+ Driver
+ KMDF
+ Universal
+
+
+ Windows10
+ false
+ LLVM-MSVC_v143_KernelMode
+ Driver
+ KMDF
+ Universal
+
+
+
+
+
+
+
+
+
+
+ DbgengKernelDebugger
+
+
+ DbgengKernelDebugger
+
+
+ DbgengKernelDebugger
+
+
+ DbgengKernelDebugger
+
+
+
+ sha256
+
+
+ false
+ Level3
+ false
+
+
+ DriverEntry
+
+
+
+
+ sha256
+
+
+ false
+ Level3
+ false
+
+
+ DriverEntry
+
+
+
+
+ sha256
+
+
+
+
+ sha256
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/FakeEnclave.vcxproj.filters b/FakeEnclave.vcxproj.filters
new file mode 100644
index 0000000..0f135ea
--- /dev/null
+++ b/FakeEnclave.vcxproj.filters
@@ -0,0 +1,27 @@
+
+
+
+
+ {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
+ cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
+
+
+ {93995380-89BD-4b04-88EB-625FBE52EBFB}
+ h;hpp;hxx;hm;inl;inc;xsd
+
+
+ {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
+ rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
+
+
+
+
+ Source Files
+
+
+
+
+ Header Files
+
+
+
\ No newline at end of file
diff --git a/README.md b/README.md
index d1918c9..00ec5f6 100644
--- a/README.md
+++ b/README.md
@@ -1,3 +1,11 @@
# FakeEnclave
+A poc that abuses Enclave
+
-A poc that abuses Enclave
\ No newline at end of file
+## What it can do?
+- Anti-tamper
+- There may be nothing to do
+
+## Compile
+- Visual Studio 2022 & WDK10
+- llvm-msvc [[link]](https://github.com/NewWorldComingSoon/llvm-msvc-build)
diff --git a/Source.cpp b/Source.cpp
new file mode 100644
index 0000000..ce921c5
--- /dev/null
+++ b/Source.cpp
@@ -0,0 +1,183 @@
+#include
+#include
+#include "struct.h"
+
+#define YOUR_APP_NAME "dwm.exe"
+
+#define dprintf(...) DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, __VA_ARGS__)
+
+EXTERN_C
+PCCHAR
+NTAPI
+PsGetProcessImageFileName(IN PEPROCESS Process);
+
+EXTERN_C
+PVOID
+PsGetProcessSectionBaseAddress(__in PEPROCESS Process);
+
+using fnMiObtainReferencedVadEx = void *(NTAPI *)(void *a1, char a2, int *a3);
+
+__declspec(naked) PVOID GetNtosBase()
+{
+ _asm {
+ mov rax, qword ptr gs:[18h]
+ mov rcx, [rax+38h]
+ mov rax, 0FFFFFFFFFFFFF000h
+ and rax, [rcx+4h]
+ jmp while_begin
+ search_begin:
+ add rax, 0FFFFFFFFFFFFF000h
+ while_begin:
+ xor ecx, ecx
+ jmp search_cmp
+ search_next:
+ add rcx, 1
+ cmp rcx, 0FF9h
+ jz search_begin
+ search_cmp:
+ cmp byte ptr[rax+rcx], 48h
+ jnz search_next
+ cmp byte ptr[rax+rcx+1], 8Dh
+ jnz search_next
+ cmp byte ptr[rax+rcx+2], 1Dh
+ jnz search_next
+ cmp byte ptr[rax+rcx+6], 0FFh
+ jnz search_next
+ mov r8d,[rax+rcx+3]
+ lea edx,[rcx+r8]
+ add edx, eax
+ add edx, 7
+ test edx, 0FFFh
+ jnz search_next
+ mov rdx, 0FFFFFFFF00000000h
+ and rdx, rax
+ add r8d, eax
+ lea eax,[rcx+r8]
+ add eax, 7
+ or rax, rdx
+ ret
+ }
+}
+
+static PUCHAR
+FindPattern(PVOID Module, ULONG Size, LPCSTR Pattern, LPCSTR Mask)
+{
+ auto checkMask = [](PUCHAR Buffer, LPCSTR Pattern, LPCSTR Mask) -> bool {
+ for (auto x = Buffer; *Mask; Pattern++, Mask++, x++)
+ {
+ auto addr = *(UCHAR *)(Pattern);
+ if (addr != *x && *Mask != '?')
+ return false;
+ }
+
+ return true;
+ };
+
+ for (auto x = 0; x < Size - strlen(Mask); x++)
+ {
+ auto addr = (PUCHAR)Module + x;
+ if (checkMask(addr, Pattern, Mask))
+ return addr;
+ }
+
+ return nullptr;
+}
+
+static PEPROCESS
+FindDWMEprocess(ULONG &OutPid)
+{
+ OutPid = 0;
+ PEPROCESS pEpDWM = nullptr;
+ for (ULONG i = 0; i < 0x5000; i += 4)
+ {
+ PEPROCESS pEp = nullptr;
+ auto lStatus = PsLookupProcessByProcessId((HANDLE)i, &pEp);
+ if (!NT_SUCCESS(lStatus) || !pEp)
+ {
+ continue;
+ }
+
+ auto pName = PsGetProcessImageFileName(pEp);
+ // A more casual code
+ if (pName && strstr(pName, YOUR_APP_NAME))
+ {
+ pEpDWM = pEp;
+ }
+ ObDereferenceObject(pEp);
+
+ if (pEpDWM)
+ {
+ OutPid = i;
+ break;
+ }
+ }
+
+ return pEpDWM;
+}
+
+EXTERN_C
+NTSTATUS
+DriverEntry(_In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_STRING RegistryPath)
+{
+ dprintf("new world!\n");
+
+ PVOID pNtosBase = GetNtosBase();
+ dprintf("pNtosBase=%p\n", pNtosBase);
+
+ // 48 89 5C 24 10 48 89 74 24 18 48 89 7C 24 20 41 54 41 56 41 57 48 83 EC 20 41 C7 00 00 00 00 00 4D 8B E0 65 48 8B
+ // ?? ?? 88 01 00 00 44 8B ?? 48 8B ?? ?? ?? ?? B8 00 00 00
+ fnMiObtainReferencedVadEx pMiObtainReferencedVadEx = (fnMiObtainReferencedVadEx)FindPattern(
+ ((PUCHAR)pNtosBase + 0x1000),
+ 0x50000,
+ "\x48\x89\x5C\x24\x10\x48\x89\x74\x24\x18\x48\x89\x7C\x24\x20\x41\x54\x41\x56\x41\x57\x48\x83\xEC\x20\x41\xC7\x00\x00\x00\x00\x00\x4D\x8B\xE0\x65\x48\x8B\x00\x00\x88\x01\x00\x00\x44\x8B\x00\x48\x8B\x00\x00\x00\x00\xB8\x00\x00\x00",
+ "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx??xxxxxx?xx????xxxx");
+ dprintf("pMiObtainReferencedVadEx=%p\n", pMiObtainReferencedVadEx);
+
+ if (!pMiObtainReferencedVadEx)
+ {
+ dprintf("Error: Not found MiObtainReferencedVadEx!\n");
+ return -1;
+ }
+
+ ULONG uDWMPID;
+ PEPROCESS pEpDWM = FindDWMEprocess(uDWMPID);
+ dprintf("pEpDWM=%p, uDWMPID=%d!\n", pEpDWM, uDWMPID);
+ if (uDWMPID == 0)
+ {
+ dprintf("Error: Not found DWM!\n");
+ return -2;
+ }
+
+ PUCHAR pFirstPage = (PUCHAR)PsGetProcessSectionBaseAddress(pEpDWM) + 0x1000;
+ dprintf("pFirstPage=%p!\n", pFirstPage);
+
+ KAPC_STATE ks;
+ KeStackAttachProcess(pEpDWM, &ks);
+
+ PETHREAD pCurThread = KeGetCurrentThread();
+ short uOldSpecialApcDisable = *(short *)((PUCHAR)pCurThread + SpecialApcDisable_17763_OFFSET);
+
+ *(short *)((PUCHAR)pCurThread + SpecialApcDisable_17763_OFFSET) = 0;
+
+ int ns = 0;
+ auto pVAD = (PMMVAD_SHORT_17763)pMiObtainReferencedVadEx(pFirstPage, 2, &ns);
+
+ *(short *)((PUCHAR)pCurThread + SpecialApcDisable_17763_OFFSET) = uOldSpecialApcDisable;
+
+ KeUnstackDetachProcess(&ks);
+
+ dprintf("pVAD=%p\n", pVAD);
+ if (pVAD)
+ {
+ dprintf("pVAD->u.VadFlags.PrivateMemory=%d\n", pVAD->u.VadFlags.PrivateMemory);
+ dprintf("pVAD->u.VadFlags.Graphics=%d\n", pVAD->u.VadFlags.Graphics);
+ dprintf("pVAD->u.VadFlags.Enclave=%d\n", pVAD->u.VadFlags.Enclave);
+
+ pVAD->u.VadFlags.PrivateMemory = 1;
+ pVAD->u.VadFlags.Graphics = 1;
+ pVAD->u.VadFlags.Enclave = 1;
+ dprintf("fake world!\n");
+ }
+
+ return STATUS_VIRUS_INFECTED;
+}
diff --git a/struct.h b/struct.h
new file mode 100644
index 0000000..7cb01a6
--- /dev/null
+++ b/struct.h
@@ -0,0 +1,83 @@
+#pragma once
+#include
+
+typedef struct _EX_PUSH_LOCK_17763
+{
+ union
+ {
+ struct /* bitfield */
+ {
+ /* 0x0000 */ unsigned __int64 Locked : 1; /* bit position: 0 */
+ /* 0x0000 */ unsigned __int64 Waiting : 1; /* bit position: 1 */
+ /* 0x0000 */ unsigned __int64 Waking : 1; /* bit position: 2 */
+ /* 0x0000 */ unsigned __int64 MultipleShared : 1; /* bit position: 3 */
+ /* 0x0000 */ unsigned __int64 Shared : 60; /* bit position: 4 */
+ }; /* bitfield */
+ /* 0x0000 */ unsigned __int64 Value;
+ /* 0x0000 */ void *Ptr;
+ }; /* size: 0x0008 */
+} EX_PUSH_LOCK_17763, *PEX_PUSH_LOCK_17763; /* size: 0x0008 */
+
+typedef struct _MMVAD_FLAGS_17763
+{
+ struct /* bitfield */
+ {
+ /* 0x0000 */ unsigned long VadType : 3; /* bit position: 0 */
+ /* 0x0000 */ unsigned long Protection : 5; /* bit position: 3 */
+ /* 0x0000 */ unsigned long PreferredNode : 6; /* bit position: 8 */
+ /* 0x0000 */ unsigned long PrivateMemory : 1; /* bit position: 14 */
+ /* 0x0000 */ unsigned long PrivateFixup : 1; /* bit position: 15 */
+ /* 0x0000 */ unsigned long Graphics : 1; /* bit position: 16 */
+ /* 0x0000 */ unsigned long Enclave : 1; /* bit position: 17 */
+ /* 0x0000 */ unsigned long PageSize64K : 1; /* bit position: 18 */
+ /* 0x0000 */ unsigned long ShadowStack : 1; /* bit position: 19 */
+ /* 0x0000 */ unsigned long Spare : 6; /* bit position: 20 */
+ /* 0x0000 */ unsigned long HotPatchAllowed : 1; /* bit position: 26 */
+ /* 0x0000 */ unsigned long NoChange : 1; /* bit position: 27 */
+ /* 0x0000 */ unsigned long ManySubsections : 1; /* bit position: 28 */
+ /* 0x0000 */ unsigned long DeleteInProgress : 1; /* bit position: 29 */
+ /* 0x0000 */ unsigned long LockContended : 1; /* bit position: 30 */
+ /* 0x0000 */ unsigned long Lock : 1; /* bit position: 31 */
+ }; /* bitfield */
+} MMVAD_FLAGS_17763, *PMMVAD_FLAGS_17763; /* size: 0x0004 */
+
+typedef struct _MMVAD_SHORT_17763
+{
+ union
+ {
+ struct
+ {
+ /* 0x0000 */ struct _MMVAD_SHORT *NextVad;
+ /* 0x0008 */ void *ExtraCreateInfo;
+ }; /* size: 0x0010 */
+ /* 0x0000 */ struct _RTL_BALANCED_NODE VadNode;
+ }; /* size: 0x0018 */
+ /* 0x0018 */ unsigned long StartingVpn;
+ /* 0x001c */ unsigned long EndingVpn;
+ /* 0x0020 */ unsigned char StartingVpnHigh;
+ /* 0x0021 */ unsigned char EndingVpnHigh;
+ /* 0x0022 */ unsigned char CommitChargeHigh;
+ /* 0x0023 */ unsigned char SpareNT64VadUChar;
+ /* 0x0024 */ long ReferenceCount;
+ /* 0x0028 */ struct _EX_PUSH_LOCK_17763 PushLock;
+ union
+ {
+ union
+ {
+ /* 0x0030 */ unsigned long LongFlags;
+ /* 0x0030 */ struct _MMVAD_FLAGS_17763 VadFlags;
+ /* 0x0030 */ volatile unsigned long VolatileVadLong;
+ }; /* size: 0x0004 */
+ } /* size: 0x0004 */ u;
+ union
+ {
+ union
+ {
+ /* 0x0034 */ unsigned long LongFlags1;
+ ///* 0x0034 */ struct _MMVAD_FLAGS1 VadFlags1;
+ }; /* size: 0x0004 */
+ } /* size: 0x0004 */ u1;
+ /* 0x0038 */ struct _MI_VAD_EVENT_BLOCK *EventList;
+} MMVAD_SHORT_17763, *PMMVAD_SHORT_17763; /* size: 0x0040 */
+
+#define SpecialApcDisable_17763_OFFSET (0x01e6)