Send IOCTL to HEVD
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
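/*
 * Control code sent to the HackSys Extreme Vulnerable Driver (HEVD) by this
 * program; the name refers to the driver's stack-overflow handler.
 *
 * METHOD_NEITHER means the I/O manager neither copies nor maps the caller's
 * buffers: the driver receives the raw user-mode pointers, so checking the
 * address and the length is entirely the driver's job.
 * FILE_ANY_ACCESS means the request is delivered for any open handle,
 * whatever access rights it was opened with.
 */
#define HACKSYS_EVD_IOCTL_STACK_OVERFLOW \
    CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_NEITHER, FILE_ANY_ACCESS)

/*
 * Win32 device path of the HEVD device object.
 * File-local: nothing outside this translation unit needs the symbol.
 */
static const char kDevName[] = "\\\\.\\HackSysExtremeVulnerableDriver";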
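/*
 * Open a read/write handle to an existing device.
 *
 * device_name: Win32 device path, passed unchanged to CreateFileA.
 *
 * Returns the handle produced by CreateFileA, which is INVALID_HANDLE_VALUE
 * on failure (the reason is then available from GetLastError()).
 * The caller owns the handle and releases it with close_device().
 */
HANDLE open_device(const char* device_name)
{
    /*
     * dwShareMode and dwFlagsAndAttributes are DWORDs, not pointers, so they
     * take 0 rather than NULL; the value passed is unchanged.
     */
    return CreateFileA(device_name,
        GENERIC_READ | GENERIC_WRITE,
        0,              /* dwShareMode: no sharing */
        NULL,           /* lpSecurityAttributes: default */
        OPEN_EXISTING,  /* fail instead of creating anything */
        0,              /* dwFlagsAndAttributes: none */
        NULL            /* hTemplateFile: not used */
    );
}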
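/*
 * Release a handle obtained from open_device().
 *
 * A NULL handle or INVALID_HANDLE_VALUE (what open_device() returns on
 * failure) is ignored, so the function is safe to call on every exit path.
 */
void close_device(HANDLE device)
{
    if (device == NULL || device == INVALID_HANDLE_VALUE) {
        return;
    }
    CloseHandle(device);
}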
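/*
 * Send one IOCTL with a small, fixed input buffer and no output buffer.
 *
 * device:     open handle to the target device.
 * ioctl_code: control code passed unchanged to DeviceIoControl.
 *
 * Returns the result of DeviceIoControl, or FALSE if the input buffer could
 * not be allocated. On FALSE the reason is available from GetLastError().
 */
BOOL send_ioctl(HANDLE device, DWORD ioctl_code)
{
    const DWORD bufSize = 0x4;
    DWORD size_returned = 0;
    DWORD last_error = ERROR_SUCCESS;
    BOOL is_ok;

    /* No HEAP_ZERO_MEMORY: every byte is overwritten by the fill below. */
    BYTE* inBuffer = (BYTE*) HeapAlloc(GetProcessHeap(), 0, bufSize);
    if (inBuffer == NULL) {
        /* HeapAlloc does not set the last error itself; give callers one. */
        SetLastError(ERROR_NOT_ENOUGH_MEMORY);
        return FALSE;
    }

    /* Fill the input buffer with a recognisable byte pattern. */
    RtlFillMemory(inBuffer, bufSize, 'A');

    is_ok = DeviceIoControl(device,
        ioctl_code,
        inBuffer,
        bufSize,
        NULL,           /* no output buffer */
        0,              /* output buffer size */
        &size_returned,
        NULL            /* synchronous call, no OVERLAPPED */
    );
    if (!is_ok) {
        /* Capture the failure reason before HeapFree can overwrite it. */
        last_error = GetLastError();
    }

    HeapFree(GetProcessHeap(), 0, inBuffer);

    if (!is_ok) {
        SetLastError(last_error);
    }
    return is_ok;
}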
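/*
 * Open the HEVD device, send it the stack-overflow IOCTL once and report
 * the outcome.
 *
 * Returns 0 when the IOCTL was delivered successfully, -1 when the device
 * could not be opened or the IOCTL call failed.
 */
int main(void)
{
    int exit_code = 0;
    HANDLE dev = open_device(kDevName);

    if (dev == INVALID_HANDLE_VALUE) {
        /* Typical cause: the driver is not loaded on this machine. */
        printf("Failed! Could not open %s (error %lu)\n",
               kDevName, (unsigned long)GetLastError());
        system("pause");
        return -1;
    }

    /* The result was previously ignored; a failed request is now reported. */
    if (!send_ioctl(dev, HACKSYS_EVD_IOCTL_STACK_OVERFLOW)) {
        printf("Failed! DeviceIoControl error %lu\n",
               (unsigned long)GetLastError());
        exit_code = -1;
    }

    close_device(dev);
    system("pause");    /* keep the console window open until a key press */
    return exit_code;
}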