Infamous "antirootkit" from F-Secure. The driver contains a few potential CVEs.
With such "functionality" under the hood it was unable to detect anything more advanced than a few PoCs from the old rootkit.com.
main.c
    RtlCopyUnicodeString(&g_DriverRegEntry, RegistryPath);
    DriverObject->MajorFunction[2] = fsblIrpCloseHandler;       // IRP_MJ_CLOSE
    DriverObject->MajorFunction[0xE] = fsblDriverDispatch;      // IRP_MJ_DEVICE_CONTROL
    DriverObject->MajorFunction[0x12] = fsblIrpCleanupHandler;  // IRP_MJ_CLEANUP
    DriverObject->MajorFunction[0] = fsblIrpCreateHandler;      // IRP_MJ_CREATE
void __fastcall Func007(
    int IoControlCode,
    MEMOP *InputBuffer,
    __int64 InputBufferLength,
    MEMOP *OutputBuffer,
    int OutputBufferLength,
    _DWORD *StatusInformation)
{
    PHYSICAL_ADDRESS PhysicalAddress;
    PMDL MemoryDescriptorList;
16299
PAGE:00000001C0026144 4C 8B CB          mov     r9, rbx
PAGE:00000001C0026147 4C 8B C7          mov     r8, rdi
PAGE:00000001C002614A 48 8B D6          mov     rdx, rsi
PAGE:00000001C002614D 8B CD             mov     ecx, ebp
PAGE:00000001C002614F E8 A0 07 00 00    call    CipInitialize

17134.1
PAGE:00000001C0027144 4C 8B CB          mov     r9, rbx
PoRegisterCoalescingCallback
PAGE
9200 - 15063
PopCoalescingCallbackRoutine
Count 8
48 8D 0D 01 10 DA FF    lea     rcx, PopCoalescingCallbackRoutine
9600
48 8D 0D 19 B9 DC FF    lea     rcx, PopCoalescingCallbackRoutine
#include <windows.h>
#include "ntos.h"
#include <cstdio>

NTSTATUS CallDriver(
    _In_ HANDLE DeviceHandle,
    _In_ ULONG IoControlCode,
    _In_ PVOID InputBuffer,
    _In_ ULONG InputBufferLength,
    _In_opt_ PVOID OutputBuffer,
/*
Win32k NtUserOpenDesktop->OpenDesktop Denial Of Service feature.
Working range: x64 Windows 8 (9200) up to Windows 10 RS4 (17046).
x86 versions not tested.
Feature:
The NtGdiDdDDISetHwProtectionTeardownRecovery (0x121B) service implemented in Windows 10 TH2 has no validation of its input parameter, which is a pointer.
.text:00000001C00BA0C0 public NtGdiDdDDISetHwProtectionTeardownRecovery
.text:00000001C00BA0C0 NtGdiDdDDISetHwProtectionTeardownRecovery proc near
.text:00000001C00BA0C0     xor     r8d, r8d
.text:00000001C00BA0C3     mov     edx, 1
.text:00000001C00BA0C8     cmp     [rcx+4], r8d        //<- Have a nice BSOD
.text:00000001C00BA0CC     setz    r8b
.text:00000001C00BA0D0     xor     ecx, ecx
.text:00000001C00BA0D2     jmp     DCompositionForceRender
Named pipe                 | Description                                   | Service or process | Interface identifier
atsvc                      | atsvc interface (Scheduler service)           | mstask.exe         | 1ff70682-0a51-30e8-076d-740be8cee98b v1.0
AudioSrv                   | AudioSrv interface (Windows Audio service)    | AudioSrv           | 3faf4738-3a21-4307-b46c-fdda9bb8c0d5 v1.0
browser (ntsvcs alias)     | browser interface (Computer Browser service)  | Browser            | 6bffd098-a112-3610-9833-012892020162 v0.0
cert                       | ICertPassage interface (Certificate services) | certsrv.exe        | 91ae6020-9e3c-11cf-8d7c-00aa00c091be v0.0
Ctx_Winstation_API_Service | winstation_rpc interface                      | termsrv.exe        | 5ca4a760-ebb1-11cf-8611-00a0245420ed v1.0
DAV RPC SERVICE            | davclntrpc interface (WebDAV client service)  | WebClient          | c8cb7687-e6d3-11d2-a958-00c04f682e16 v1.0
dnsserver                  | DnsServer interface (DNS Server service)      | dns.exe            | 50abc2a4-574d-40b3-9d66-ee4fd5fba076 v5.0
epmapper                   | epmp interface (RPC endpoint mapper)          | RpcSs              | e1af8308-5d1f-11c9-91a4-08002b14a0fa v3.0
eventlog (ntsvcs alias)    | eventlog interface (Eventlog service)         | Eventlog           | 82273fdc-e32a-18c3-3f78-827929dc23ea v0.0
<?xml version="1.0"?>
<SiPolicy xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="urn:schemas-microsoft-com:sipolicy">
  <VersionEx>10.0.25090.0</VersionEx>
  <PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
  <PolicyID>{D2BDA982-CCF6-4344-AC5B-0B44427B6816}</PolicyID>
  <BasePolicyID>{D2BDA982-CCF6-4344-AC5B-0B44427B6816}</BasePolicyID>
  <Rules>
    <Rule>
      <Option>Enabled:Unsigned System Integrity Policy</Option>
    </Rule>
typedef struct _UNLOADED_DRIVERS {
    UNICODE_STRING Name;
    PVOID StartAddress;
    PVOID EndAddress;
    LARGE_INTEGER CurrentTime;
} UNLOADED_DRIVERS, *PUNLOADED_DRIVERS;

#define MI_UNLOADED_DRIVERS 50

mov reg, 7D0h    ; -> NumberOfBytes = MI_UNLOADED_DRIVERS * sizeof (UNLOADED_DRIVERS);