
hfiref0x / MiRememberUnloadedDriver.asm
Last active May 15, 2022 15:51
MiRememberUnloadedDriver
// One entry of the kernel's unloaded-driver table filled in by MiRememberUnloadedDriver.
// On x64 the layout below is 0x28 bytes (16 + 8 + 8 + 8); with MI_UNLOADED_DRIVERS = 50 that
// gives 50 * 0x28 = 0x7D0, which is the NumberOfBytes immediate quoted after the struct.
typedef struct _UNLOADED_DRIVERS {
UNICODE_STRING Name;        // name of the unloaded driver
PVOID StartAddress;         // start of the driver's former image range (per the field name)
PVOID EndAddress;           // end of that range
LARGE_INTEGER CurrentTime;  // timestamp taken when the unload was recorded (source of the time not shown here)
} UNLOADED_DRIVERS, *PUNLOADED_DRIVERS;
; Capacity of the unloaded-driver table: at most 50 UNLOADED_DRIVERS entries are remembered.
#define MI_UNLOADED_DRIVERS 50
; Allocation size the kernel passes for that table: 7D0h = 2000 = 50 * 0x28 (sizeof UNLOADED_DRIVERS on x64).
; "reg" is a placeholder for whichever register carries NumberOfBytes in the real listing.
mov reg, 7D0h ; -> NumberOfBytes = MI_UNLOADED_DRIVERS * sizeof (UNLOADED_DRIVERS);
NTSTATUS HandleOpen(PDEVICE_OBJECT DeviceObject, IRP *Irp)
{
NTSTATUS ntStatus;
BOOL bAllowed;
PIO_SECURITY_CONTEXT SecurityContext;
PACCESS_STATE AccessState;
PACCESS_TOKEN Token;
DWORD IsTokenElevated;
DWORD tokenIntegrityLevel;
PTOKEN_ELEVATION tokenElevation;
hfiref0x / wr0_demo4.c
Last active October 28, 2021 07:10
EVGA PrecisionX OC 6.2.7 wormhole driver
#include <windows.h>
#include <cstdio>
// Device type used to build the WinRing0 control codes (40000 lies in the vendor-defined 0x8000+ range).
#define DEVICE_WR0_TYPE 40000
// Win32 symbolic link of the WinRing0 device this demo talks to.
#define WR0_DEVICE_LINK TEXT("\\\\.\\WinRing0_1_2_0")
// Handle to the WinRing0 device; stays INVALID_HANDLE_VALUE until opened (the open is outside this excerpt).
HANDLE g_handleWR0 = INVALID_HANDLE_VALUE;
// PCI configuration-space read/write requests exposed by the driver. The FILE_READ_ACCESS /
// FILE_WRITE_ACCESS bits are enforced by the I/O manager only against the access granted on the
// handle; they do not restrict who may open the device in the first place — that depends on the
// device object's DACL, which this excerpt does not show.
#define IOCTL_WR0_READ_PCI_CONFIG CTL_CODE(DEVICE_WR0_TYPE, 0x851, METHOD_BUFFERED, FILE_READ_ACCESS)
#define IOCTL_WR0_WRITE_PCI_CONFIG CTL_CODE(DEVICE_WR0_TYPE, 0x852, METHOD_BUFFERED, FILE_WRITE_ACCESS)
hfiref0x / wr0_demo3.c
Created January 29, 2020 17:54
EVGA PrecisionX OC 6.2.7 wormhole driver
#include <windows.h>
#include <cstdio>
// Device type used to build the WinRing0 control codes (40000 lies in the vendor-defined 0x8000+ range).
#define DEVICE_WR0_TYPE 40000
// Win32 symbolic link of the WinRing0 device this demo talks to.
#define WR0_DEVICE_LINK TEXT("\\\\.\\WinRing0_1_2_0")
// Handle to the WinRing0 device; stays INVALID_HANDLE_VALUE until opened (the open is outside this excerpt).
HANDLE g_handleWR0 = INVALID_HANDLE_VALUE;
// Memory read/write requests exposed by the driver (the buffer layout is not part of this excerpt).
// FILE_READ_ACCESS / FILE_WRITE_ACCESS only gate these codes against the handle's granted access;
// whether the device itself can be opened by unprivileged callers is decided by its DACL, not here.
#define IOCTL_WR0_READ_MEMORY CTL_CODE(DEVICE_WR0_TYPE, 0x841, METHOD_BUFFERED, FILE_READ_ACCESS)
#define IOCTL_WR0_WRITE_MEMORY CTL_CODE(DEVICE_WR0_TYPE, 0x842, METHOD_BUFFERED, FILE_WRITE_ACCESS)
hfiref0x / wr0_demo2.c
Created January 29, 2020 14:40
EVGA PrecisionX OC 6.2.7 wormhole driver
#include <windows.h>
#include <cstdio>
// Device type used to build the WinRing0 control codes (40000 lies in the vendor-defined 0x8000+ range).
#define DEVICE_WR0_TYPE 40000
// Win32 symbolic link of the WinRing0 device this demo talks to.
#define WR0_DEVICE_LINK TEXT("\\\\.\\WinRing0_1_2_0")
// Handle to the WinRing0 device; stays INVALID_HANDLE_VALUE until opened (the open is outside this excerpt).
HANDLE g_handleWR0 = INVALID_HANDLE_VALUE;
// MSR read/write requests. Both are declared with FILE_ANY_ACCESS, so the I/O manager performs no
// access check on the handle for them: any caller that can open the device can issue the write as
// well as the read. The only remaining gate is who may open the device (its DACL / secure-open
// flag), which this excerpt does not show.
#define IOCTL_WR0_READ_MSR CTL_CODE(DEVICE_WR0_TYPE, 0x821, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_WR0_WRITE_MSR CTL_CODE(DEVICE_WR0_TYPE, 0x822, METHOD_BUFFERED, FILE_ANY_ACCESS)
hfiref0x / wr0_demo1.c
Created January 29, 2020 13:45
EVGA PrecisionX OC 6.2.7 wormhole driver
#include <windows.h>
#include <cstdio>
// Device type used to build the WinRing0 control codes (40000 lies in the vendor-defined 0x8000+ range).
#define DEVICE_WR0_TYPE 40000
// Win32 symbolic link of the WinRing0 device this demo talks to.
#define WR0_DEVICE_LINK TEXT("\\\\.\\WinRing0_1_2_0")
// Handle to the WinRing0 device; stays INVALID_HANDLE_VALUE until opened (the open is outside this excerpt).
HANDLE g_handleWR0 = INVALID_HANDLE_VALUE;
//
// Port-mapped I/O access IOCTLs (the definitions themselves follow this excerpt).
hfiref0x / rtcore.c
Created January 25, 2020 13:40
RTCore64 DoS Proof-of-concept
#include <windows.h>
#include <cstdio>
// Input buffer for the RTCore64 "write port uchar" request.
typedef struct _RTCORE_WRITE_PORT_UCHAR {
ULONG Port;   // I/O port number to write to
ULONG Value;  // value to write; presumably only the low byte is used (per "UCHAR" in the name) — verify against the driver
} RTCORE_WRITE_PORT_UCHAR, * PRTCORE_WRITE_PORT_UCHAR;
// i8042 keyboard-controller command port and its CPU-reset command. The gist is a DoS PoC:
// a driver that forwards arbitrary user-mode port writes lets any caller able to open it reset
// the machine. The fix belongs in the driver (restrict who can open the device, or drop the raw
// port-write IOCTL); nothing user mode does can make this interface safe.
#define KBRD_INTRFC 0x64
#define KBRD_RESET 0xFE
hfiref0x / ntoskrnl
Created December 11, 2019 08:24
ReactOS syscalls
NtAcceptConnectPort 0
NtAccessCheck 1
NtAccessCheckAndAuditAlarm 2
NtAccessCheckByType 3 (STATUS_NOT_IMPLEMENTED)
NtAccessCheckByTypeAndAuditAlarm 4
NtAccessCheckByTypeResultList 5 (STATUS_NOT_IMPLEMENTED)
NtAccessCheckByTypeResultListAndAuditAlarm 6
NtAccessCheckByTypeResultListAndAuditAlarmByHandle 7
NtAddAtom 8
NtAddBootEntry 9 (STATUS_NOT_IMPLEMENTED)
hfiref0x / gist:6901a8e571946e84d8adb1c6f720fdad
Created November 15, 2019 16:27
NtGdiDdDDISetHwProtectionTeardownRecovery BSOD
The NtGdiDdDDISetHwProtectionTeardownRecovery (0x121B) service as implemented in Windows 10 TH2 performs no validation of its input parameter, which is a pointer.
// IDA listing of the win32k service (Windows 10 TH2). rcx is the caller's single argument (first
// integer argument under the MS x64 ABI) and is a pointer per the note above; there is no probe
// or try/except between entry and the dereference.
.text:00000001C00BA0C0 public NtGdiDdDDISetHwProtectionTeardownRecovery
.text:00000001C00BA0C0 NtGdiDdDDISetHwProtectionTeardownRecovery proc near
.text:00000001C00BA0C0 xor r8d, r8d // r8 = 0; becomes the third argument of the tail call
.text:00000001C00BA0C3 mov edx, 1 // second argument = 1
.text:00000001C00BA0C8 cmp [rcx+4], r8d //<- Have a nice BSOD: 32-bit read through the unvalidated caller pointer; an invalid address faults in kernel mode
.text:00000001C00BA0CC setz r8b // r8 = (dword at rcx+4 == 0)
.text:00000001C00BA0D0 xor ecx, ecx // first argument = 0
.text:00000001C00BA0D2 jmp DCompositionForceRender // tail call: DCompositionForceRender(0, 1, r8)
hfiref0x / akagi_58a.c
Created October 23, 2019 16:27
UAC bypass using EditionUpgradeManager COM interface
typedef interface IEditionUpgradeManager IEditionUpgradeManager;
typedef struct IEditionUpgradeManagerVtbl {
BEGIN_INTERFACE
HRESULT(STDMETHODCALLTYPE *QueryInterface)(
__RPC__in IEditionUpgradeManager * This,
__RPC__in REFIID riid,