A comprehensive Windows security toolkit written in C++ using MFC, designed for security researchers, penetration testers, and developers interested in Windows internals. This project demonstrates various security techniques including DLL injection, process manipulation, privilege escalation, and system monitoring capabilities.
- Overview
- Features
- Requirements
- Configuration
- Usage
- Project Structure
- Building from Source
- Code Examples
- Contributing
- License
HackerTools is a Windows-based security toolkit that provides a graphical interface for various security operations. The application is organized into two main sections: User Tools and Kernel Tools, each containing specialized modules for different security tasks.
The toolkit demonstrates advanced Windows API usage, process manipulation techniques, and security research methodologies.
- ZwCreateThreadEx Injection: Remote thread creation for DLL injection
- APC Injection: Asynchronous Procedure Call injection method
- Global Hook Injection: System-wide hook installation
- Process enumeration and selection
- Debug privilege management
- PEB Manipulation: Modify Process Environment Block to disguise process identity
- Process Replacement: Replace target process with shellcode
- DLL Hijacking: Test and demonstrate DLL hijacking vulnerabilities
- Process path and command line modification
- Debug privilege enabling/disabling
- UAC bypass techniques (CMLuaUtil method)
- Process privilege enumeration
- Token manipulation
- Registry Auto-Start: Modify Windows registry for persistence
- Startup Folder: Add programs to user startup directory
- Windows Services: Create, start, stop, and delete system services
- Task Scheduler: Schedule tasks for automatic execution
- List all running processes
- Display process IDs and names
- Process information analysis
- Real-time file system monitoring
- Directory change detection
- File creation/modification tracking
- zlib-based compression library
- File compression and decompression
- In-memory data compression
- Support for files up to 100MB
- Hash Calculation: MD5, SHA-1, SHA-256, SHA-512
- AES Encryption/Decryption: Symmetric encryption
- RSA Encryption/Decryption: Asymmetric encryption with key generation
- File and data encryption support
- Disk information retrieval
- Free space and total space analysis
- File system type detection
- Disk enumeration
- File enumeration
- File attribute manipulation
- File system analysis
Kernel-level tools and utilities (extensible framework for future kernel-mode features).
- IDE: Visual Studio 2022
- Framework: Microsoft Foundation Classes (MFC)
- C++ Standard: C++11+
- Windows SDK: Windows SDK 10.0+
- Dependencies:
- zlib (included in project)
- Windows API libraries
See the Building from Source section for detailed instructions.
The application includes built-in protection against multiple instances. A mutex named "GuiShou" prevents concurrent execution.
Many features require debug privileges. The application automatically attempts to enable debug privileges when needed, but administrator rights are typically required.
The zlib compression library is pre-configured for both x86 and x64 architectures in Debug and Release modes. Static libraries are included in the project.
-
Launch the Application
- Run
HackerTools.exeas Administrator - The main window displays two tabs: "User Tools" and "Kernel Tools"
- Run
-
Navigate Features
- Click on buttons in the User Tools tab to access different modules
- Each module opens in a separate dialog window
- Open the Inject module
- Select injection method (ZwCreateThreadEx, APC, or Global Hook)
- Choose target process from the process list
- Select or drag-and-drop the DLL file
- Click Inject to perform the injection
- Open the Hide module
- Select disguise method:
- Pretend: Modify PEB to change process appearance
- Puppet: Replace process with shellcode
- Hijack: DLL hijacking test
- Provide target path and parameters
- Execute the disguise operation
- Open the Privilege module
- View current process privileges
- Enable debug privileges or attempt UAC bypass
- Check privilege status
- Open the SelfStart module
- Drag-and-drop the executable file
- Choose persistence method:
- Registry
- Startup Folder
- Task Scheduler
- Windows Service
- Configure and apply
- Open the Encrypt module
- Drag-and-drop file to encrypt
- Choose encryption method:
- Hash: Calculate file hash (MD5, SHA-256, etc.)
- AES: Symmetric encryption
- RSA: Asymmetric encryption (generates key pair)
- Enter password/key information
- Execute encryption
ZwCreateThreadEx Injection
BOOL ZwCreateThreadExInjectDll(DWORD dwProcessId, char* pszDllFileName);- Uses undocumented
ZwCreateThreadExAPI - Creates remote thread in target process
- Loads DLL via
LoadLibrary
APC Injection
BOOL APCInject(char *pszProcessName, char *pszDllName);- Uses Asynchronous Procedure Calls
- Injects into all threads of target process
- Leverages thread alertable state
Global Hook
void SetGlobalHook();- Installs system-wide Windows hook
- Uses
SetWindowsHookExAPI - Requires hook DLL (MyHook project)
PEB Modification
BOOL DisguiseProcess(const wchar_t* lpwszPath, const wchar_t* lpwszCmd);- Modifies Process Environment Block
- Changes process path and command line
- Affects how process appears in task manager
Process Replacement
BOOL ReplaceProcess(const wchar_t* pszFilePath, PVOID pReplaceData,
DWORD dwReplaceDataSize, DWORD dwRunOffset);- Replaces target process image
- Executes shellcode in process context
- Maintains process handle
CMLuaUtil Method
BOOL CMLuaUtilBypassUAC(const wchar_t* lpwszExecutable);- Uses COM interface elevation
- Leverages ICMLuaUtil interface
- Bypasses User Account Control prompts
AES Encryption
- Uses Windows CryptoAPI
- Supports AES-128, AES-192, AES-256
- Password-based key derivation
RSA Encryption
- Generates RSA key pairs (2048-bit)
- Public key encryption
- Private key decryption
- Administrator Rights: Most features require elevated privileges
- Antivirus Detection: Some techniques may trigger antivirus alerts
- System Stability: Incorrect usage may cause system instability
- Legal Compliance: Ensure authorized use only
HackerTools/
├── HackerTools/ # Main application
│ ├── CInject.* # DLL injection module
│ ├── CHide.* # Process hiding/disguising
│ ├── CPrivilege.* # Privilege escalation
│ ├── CSelfStart.* # Persistence mechanisms
│ ├── CEnumProcess.* # Process enumeration
│ ├── CFileMonit.* # File monitoring
│ ├── CCompress.* # Compression utilities
│ ├── CEncrypt.* # Encryption/hashing
│ ├── CDisk.* # Disk operations
│ ├── CEnumFiles.* # File enumeration
│ ├── CFileAttr.* # File attributes
│ ├── CDia_User.* # User tools dialog
│ ├── CDia_Core.* # Kernel tools dialog
│ └── zlib/ # Compression library
├── MyHook/ # Global hook DLL
├── TestDll/ # Test DLL for injection
│ └── CBypassUAC.* # UAC bypass implementation
├── DllHijackTest/ # DLL hijacking test
├── ServiceExeTest/ # Service test executable
└── HackerTools.sln # Visual Studio solution
-
Install Visual Studio 2022 with:
- Desktop development with C++
- MFC components
- Windows SDK
-
Ensure you have administrator rights for building
-
Open Solution
- Open
HackerTools.slnin Visual Studio
- Open
-
Configure Build
- Select configuration: Debug or Release
- Ensure all projects are set to build
-
Build Solution
- Right-click solution → Build Solution
- Or press
Ctrl+Shift+B
-
Output Location
- Executables will be in
HackerTools/[Configuration]/[Platform]/
- Executables will be in
- Debug: Includes debug symbols, no optimizations
- Release: Optimized build, smaller executable size
Issue: Missing MFC libraries
- Solution: Install "MFC and ATL support" in Visual Studio Installer
Issue: zlib linking errors
- Solution: Ensure zlib static libraries are in correct architecture folders
Issue: Windows SDK not found
- Solution: Install Windows SDK 10.0 or later via Visual Studio Installer
// Enable debug privilege
EnableDebugPrivilege(TRUE);
// Inject DLL into process
DWORD processId = GetPidByPname("notepad.exe");
ZwCreateThreadExInjectDll(processId, "C:\\path\\to\\mydll.dll");// Disguise current process as system process
DisguiseProcess(L"C:\\Windows\\System32\\svchost.exe",
L"-k netsvcs");// Bypass UAC to run elevated executable
CMLuaUtilBypassUAC(L"C:\\Windows\\System32\\cmd.exe");// Read file data
BYTE* fileData;
DWORD fileSize;
GetFileData("C:\\test.txt", &fileData, &fileSize);
// Encrypt with AES
BYTE password[] = "MySecretPassword";
AesEncrypt(password, strlen((char*)password),
fileData, fileSize, fileSize * 2);// Add to registry startup
SetRegAutoRun("C:\\MyApp\\app.exe", "MyAppName");- Fork the repository
- Create a feature branch (
git checkout -b feature/feature) - Commit your changes (
git commit -m 'Add some Feature') - Push to the branch (
git push origin feature/Feature) - Open a Pull Request
This software is intended for educational and authorized security testing purposes only. The authors and contributors are not liable for any misuse or damage caused by this software.
This project is licensed under the MIT License - see the LICENSE file for details.