@hfiref0x
hfiref0x / UpdateCompression.c
Created December 17, 2023 13:57
UpdateCompression raw dump
unsigned char UCDLL[533840] = {
@hfiref0x
hfiref0x / NtUserInitialize.c
Last active August 8, 2023 07:27
Windows 11 Next-Gen (24H2) NtUserInitialize BSOD
/*
Windows 11 builds starting from 259XXX (24H2) switched to a new way of storing win32k global variables, using the WIN32KSGD.sys
driver, which now allocates a huge structure where it holds a lot of session-related information, apiset tables etc.
However, due to the heavy remake there are new bugs introduced; one of them is a BSOD generator inside win32kbase!Win32kBaseUserInitialize
(which is the ultimate destination of the obscure apiset NtUserInitialize call).
What they did is remove the check for whether USER was already initialized, thus every piece of code calling NtUserInitialize will go further and land in the
TCB privilege checking part, which of course will fail in 99.99% of situations and cause Windows to bugcheck with 0x91
WIN32K_INIT_OR_RIT_FAILURE.
__int64 __fastcall CiQueryInformation(
SYSTEM_CODEINTEGRITY_INFORMATION *CodeIntegrityInformation,
unsigned int CodeIntegrityInformationLength,
char SeILSigningPolicyNotUnchecked,
_DWORD *ReturnLength)
{
unsigned int v8; // esi
__int64 v9; // r8
int CodeIntegrityOptions; // ecx
int v11; // edx
@hfiref0x
hfiref0x / fsbl.c
Created April 29, 2023 01:33
F-Secure Blacklight fsbl.sys
Infamous "antirootkit" from F-Secure. The driver contains a few potential CVEs.
With such "functionality" under the hood it was unable to detect anything more advanced than a few PoCs from old rootkit.com.
main.c
RtlCopyUnicodeString(&g_DriverRegEntry, RegistryPath);
DriverObject->MajorFunction[2] = fsblIrpCloseHandler;
DriverObject->MajorFunction[0xE] = fsblDriverDispatch;
DriverObject->MajorFunction[0x12] = fsblIrpCleanupHandler;
DriverObject->MajorFunction[0] = fsblIrpCreateHandler;
void __fastcall Func007(
int IoControlCode,
MEMOP *InputBuffer,
__int64 InputBufferLength,
MEMOP *OutputBuffer,
int OutputBufferLength,
_DWORD *StatusInformation)
{
PHYSICAL_ADDRESS PhysicalAddress;
PMDL MemoryDescriptorList;
@hfiref0x
hfiref0x / pipes.txt
Created June 4, 2022 05:20
Well-known MSRPC named pipes
| Named pipe | Description | Service or process | Interface identifier |
| --- | --- | --- | --- |
| atsvc | atsvc interface (Scheduler service) | mstask.exe | 1ff70682-0a51-30e8-076d-740be8cee98b v1.0 |
| AudioSrv | AudioSrv interface (Windows Audio service) | AudioSrv | 3faf4738-3a21-4307-b46c-fdda9bb8c0d5 v1.0 |
| browser (ntsvcs alias) | browser interface (Computer Browser service) | Browser | 6bffd098-a112-3610-9833-012892020162 v0.0 |
| cert | ICertPassage interface (Certificate services) | certsrv.exe | 91ae6020-9e3c-11cf-8d7c-00aa00c091be v0.0 |
| Ctx_Winstation_API_Service | winstation_rpc interface | termsrv.exe | 5ca4a760-ebb1-11cf-8611-00a0245420ed v1.0 |
| DAV RPC SERVICE | davclntrpc interface (WebDAV client service) | WebClient | c8cb7687-e6d3-11d2-a958-00c04f682e16 v1.0 |
| dnsserver | DnsServer interface (DNS Server service) | dns.exe | 50abc2a4-574d-40b3-9d66-ee4fd5fba076 v5.0 |
| epmapper | epmp interface (RPC endpoint mapper) | RpcSs | e1af8308-5d1f-11c9-91a4-08002b14a0fa v3.0 |
| eventlog (ntsvcs alias) | eventlog interface (Eventlog service) | Eventlog | 82273fdc-e32a-18c3-3f78-827929dc23ea v0.0 |
@hfiref0x
hfiref0x / CoalescingCallback.c
Created November 28, 2021 14:21
PoCoalescingCallback
PoRegisterCoalescingCallback
PAGE
9200 - 15063
PopCoalescingCallbackRoutine
Count 8
48 8D 0D 01 10 DA FF lea rcx, PopCoalescingCallbackRoutine
9600
48 8D 0D 19 B9 DC FF lea rcx, PopCoalescingCallbackRoutine
@hfiref0x
hfiref0x / OslpDetermineKernelHal
Created November 14, 2021 06:44
Winload kernel/hal name selection
winload!BlArchIsFiveLevelPagingActive
bResult = 0;
cr0value = __readcr0();
if ( (cr0value & 0x80000000) != 0 && (__readmsr(0xC0000080) & 0x400) != 0 )
{
cr4value = __readcr4();
return (cr4value & 0x1000) != 0i64;
}
return bResult;
@hfiref0x
hfiref0x / NtQueryInformationCpuPartition.c
Created October 5, 2021 10:33
Denial of Service bug in Windows 11 (22468 build) NtQueryInformationCpuPartition
#include <Windows.h>
#include <cstdio>
typedef NTSTATUS(NTAPI* pfnNtQueryInformationCpuPartition)(
ULONG_PTR PartitionHandle,
ULONG_PTR Flags,
ULONG_PTR OutputBuffer,
ULONG_PTR Length,
ULONG_PTR ReturnedLength
);
@hfiref0x
hfiref0x / blacklist.xml
Last active May 27, 2022 11:45
blacklist w11
<?xml version="1.0"?>
<SiPolicy xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="urn:schemas-microsoft-com:sipolicy">
<VersionEx>10.0.25090.0</VersionEx>
<PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
<PolicyID>{D2BDA982-CCF6-4344-AC5B-0B44427B6816}</PolicyID>
<BasePolicyID>{D2BDA982-CCF6-4344-AC5B-0B44427B6816}</BasePolicyID>
<Rules>
<Rule>
<Option>Enabled:Unsigned System Integrity Policy</Option>
</Rule>