Michael B. DownWithUp
DownWithUp
/ ThreadStateChangeTests.c
Created
October 1, 2020 18:05
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Test of ntoskrnl build 20226's thread state APIs. | |
| #include <Windows.h> | |
| #include <winternl.h> | |
| #include <stdio.h> | |
| // Looking at the disassembly, Unknown must be 0 or STATUS_INVALID_PARAMETER (0xC000000D) will be returned | |
| typedef NTSTATUS(__fastcall* NtCreateThreadStateChange)(OUT PHANDLE StateChangeHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, IN HANDLE ThreadHandle, IN INT Unknown); | |
| /* | |
| New type of object (and therefore handle) type PspThreadStateChangeType |
DownWithUp
/ ProcessStateChangeTests.c
Created
August 20, 2020 01:17
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <Windows.h> | |
| #include <winternl.h> | |
| #include <stdio.h> | |
| // Looking at the disassembly, Unknown must be 0? | |
| typedef NTSTATUS (__fastcall* NtCreateProcessStateChange)(OUT PHANDLE StateChangeHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, IN HANDLE ProcessHandle, IN INT Unknown); | |
| /* | |
| New type of object (and therefore handle) type PspProcessStateChangeType | |
| If wanting to suspend/resume: |
DownWithUp
/ Kernel Patch Guard Protected Data
Created
February 25, 2019 14:23
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // windbg use: !analyze -show 109 | |
| // As of 2/25/2019 | |
| 0 : A generic data region | |
| 1 : Modification of a function or .pdata | |
| 2 : A processor IDT | |
| 3 : A processor GDT | |
| 4 : Type 1 process list corruption | |
| 5 : Type 2 process list corruption | |
| 6 : Debug routine modification | |
| 7 : Critical MSR modification |
DownWithUp
/ MajorFunctionIRPDefines.c
Created
January 25, 2019 01:46
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // From ntddk.h, because MSDN does not list their hexadecimal values which are important when reverse engineering. | |
| #define IRP_MJ_CREATE 0x00 | |
| #define IRP_MJ_CREATE_NAMED_PIPE 0x01 | |
| #define IRP_MJ_CLOSE 0x02 | |
| #define IRP_MJ_READ 0x03 | |
| #define IRP_MJ_WRITE 0x04 | |
| #define IRP_MJ_QUERY_INFORMATION 0x05 | |
| #define IRP_MJ_SET_INFORMATION 0x06 | |
| #define IRP_MJ_QUERY_EA 0x07 | |
| #define IRP_MJ_SET_EA 0x08 |
DownWithUp
/ SeeDbgPrintMessages.vbs
Created
December 28, 2018 19:27
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ' Must run this script as an admin | |
| Set wshShell = CreateObject( "WScript.Shell" ) | |
| strPath = "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\" | |
| wshShell.RegWrite strPath, "" | |
| wshShell.RegWrite strPath + "Debug Print Filter\", "" | |
| wshShell.RegWrite strPath + "Debug Print Filter\DEFAULT", 8, "REG_DWORD" | |
| MsgBox "Registry Written @ " + vbCrLf + strPath + "Debug Print Filter\" |
DownWithUp
/ BeepDriverIOCTL.c
Created
October 26, 2018 13:48
Use an IOCTL to create a beep from Beep.sys
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <Windows.h> | |
| #include <stdio.h> | |
| #include <winternl.h> | |
| typedef struct _BEEP_SETTINGS { | |
| ULONG ulFrequency; | |
| ULONG ulDuration; | |
| } BEEP_SETTINGS; | |
| void main() { |
DownWithUp
/ StructsForNtQuerySystemInformationClasses.c
Created
August 28, 2018 12:21
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // I found this code @ http://www.exploit-monday.com/2013/06/undocumented-ntquerysysteminformation.html | |
| enum _SYSTEM_INFORMATION_CLASS | |
| { | |
| SystemBasicInformation=0x0000, | |
| SystemProcessorInformation=0x0001, | |
| SystemPerformanceInformation=0x0002, | |
| SystemTimeOfDayInformation=0x0003, | |
| SystemPathInformation=0x0004, | |
| SystemProcessInformation=0x0005, | |
| SystemCallCountInformation=0x0006, |