hasherezade/send_ioctl.cpp Secret

## send_ioctl.cpp
#include <stdio.h>
#include <windows.h>

#define HACKSYS_EVD_IOCTL_STACK_OVERFLOW    CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_NEITHER, FILE_ANY_ACCESS)

const char kDevName[] = "\\\\.\\HackSysExtremeVulnerableDriver";

HANDLE open_device(const char* device_name)
{
    HANDLE device = CreateFileA(device_name,
        GENERIC_READ | GENERIC_WRITE,
        NULL,
        NULL,
        OPEN_EXISTING,
        NULL,
        NULL
    );
    return device;
}

void close_device(HANDLE device)
{
    CloseHandle(device);
}

BOOL send_ioctl(HANDLE device, DWORD ioctl_code)
{
    //prepare input buffer:
    DWORD bufSize = 0x4;
    BYTE* inBuffer = (BYTE*) HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, bufSize);

    //fill the buffer with some content:
    RtlFillMemory(inBuffer, bufSize, 'A');

    DWORD size_returned = 0;
    BOOL is_ok = DeviceIoControl(device,
        ioctl_code,
        inBuffer,
        bufSize,
        NULL, //outBuffer -> None
        0, //outBuffer size -> 0
        &size_returned,
        NULL
    );
    //release the input bufffer:
    HeapFree(GetProcessHeap(), 0, (LPVOID)inBuffer);
    return is_ok;
}

int main()
{
    HANDLE dev = open_device(kDevName);
    if (dev == INVALID_HANDLE_VALUE) {
        printf("Failed!\n");
        system("pause");
        return -1;
    }

    send_ioctl(dev, HACKSYS_EVD_IOCTL_STACK_OVERFLOW);

    close_device(dev);
    system("pause");
    return 0;
}
	#include <stdio.h>
	#include <windows.h>

	#define HACKSYS_EVD_IOCTL_STACK_OVERFLOW CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_NEITHER, FILE_ANY_ACCESS)

	const char kDevName[] = "\\\\.\\HackSysExtremeVulnerableDriver";

	HANDLE open_device(const char* device_name)
	{
	HANDLE device = CreateFileA(device_name,
	GENERIC_READ \| GENERIC_WRITE,
	NULL,
	NULL,
	OPEN_EXISTING,
	NULL,
	NULL
	);
	return device;
	}

	void close_device(HANDLE device)
	{
	CloseHandle(device);
	}

	BOOL send_ioctl(HANDLE device, DWORD ioctl_code)
	{
	//prepare input buffer:
	DWORD bufSize = 0x4;
	BYTE* inBuffer = (BYTE*) HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, bufSize);

	//fill the buffer with some content:
	RtlFillMemory(inBuffer, bufSize, 'A');

	DWORD size_returned = 0;
	BOOL is_ok = DeviceIoControl(device,
	ioctl_code,
	inBuffer,
	bufSize,
	NULL, //outBuffer -> None
	0, //outBuffer size -> 0
	&size_returned,
	NULL
	);
	//release the input bufffer:
	HeapFree(GetProcessHeap(), 0, (LPVOID)inBuffer);
	return is_ok;
	}

	int main()
	{
	HANDLE dev = open_device(kDevName);
	if (dev == INVALID_HANDLE_VALUE) {
	printf("Failed!\n");
	system("pause");
	return -1;
	}

	send_ioctl(dev, HACKSYS_EVD_IOCTL_STACK_OVERFLOW);

	close_device(dev);
	system("pause");
	return 0;
	}