batsec bats3c
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #define RULE_ALLOW_ALL "rule Allow { condition: false }" | |
| YRInitalize(); | |
| RtlCopyMemory(cRule, RULE_ALLOW_ALL, strlen(RULE_ALLOW_ALL)); | |
| if (YRCompilerCreate(&yrCompiler) != ERROR_SUCCESS) | |
| { | |
| return -1; | |
| } |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| INT ToReportOrNotToReportThatIsTheQuestion( YR_SCAN_CONTEXT* Context, | |
| INT Message, | |
| PVOID pMessageData, | |
| PVOID pUserData | |
| ) | |
| { | |
| if (Message == CALLBACK_MSG_RULE_MATCHING) | |
| { | |
| (*(int*)pUserData) = 1; | |
| } |
bats3c
/ fake_image_loads.c
Created
June 14, 2021 13:37
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <stdio.h> | |
| #include <windows.h> | |
| #include <winternl.h> | |
| #define DLL_TO_FAKE_LOAD L"\\??\\C:\\windows\\system32\\calc.exe" | |
| BOOL FakeImageLoad() | |
| { | |
| HANDLE hFile; | |
| SIZE_T stSize = 0; |
OlderNewer