hfiref0x
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| * File: apiset.c | |
| * | |
| * Created on: Dec 06, 2024 | |
| * | |
| * Modified on: Dec 06, 2024 | |
| * | |
| * Project: WinDepends.Core | |
| * | |
| * Author: WinDepends dev team |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| __int64 __fastcall GetSystemWow64Directory2W(LPWSTR lpBuffer, ULONG Size, WORD ImageFileMachineType) | |
| { | |
| const UNICODE_STRING *usSystemDirectory; // rbx | |
| UINT sysDirLength; // ecx | |
| __int64 result; // rax | |
| unsigned int maxLength; // edx | |
| _UNICODE_STRING usQueryBuffer; // [rsp+20h] [rbp-18h] BYREF | |
| usQueryBuffer = 0i64; | |
| if ( Size > 0xFFFF ) |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 22000 | |
| 48 8D 0D 96 F9 44 00 lea rcx, IopDiskFileSystemQueueHead | |
| 48 8B 43 08 mov rax, [rbx+8] | |
| 48 8D 0D AE F8 44 00 lea rcx, IopCdRomFileSystemQueueHead | |
| E9 03 FF FF FF jmp loc_1407F745A | |
| 48 8D 0D 82 F8 44 00 lea rcx, IopNetworkFileSystemQueueHead | |
| E9 00 FF FF FF jmp loc_1407F7463 | |
| 48 8D 0D 5D F8 44 00 lea rcx, IopTapeFileSystemQueueHead | |
| E9 E2 FE FF FF jmp loc_1407F745A |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| IoRegisterPlugPlayNotification, always PAGE | |
| 7601 | |
| F7 E1 | |
| mul ecx | |
| 48 8D 05 lea rcx, PnpDeviceClassNotifyList | |
| C1 EA 02 6B D2 0D |
This file has been truncated, but you can view the full file.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| unsigned char UCDLL[533840] = { | |
| 0x4D, 0x5A, 0x90, 0x00, 0x03, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0x00, 0x00, | |
| 0xB8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | |
| 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | |
| 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, | |
| 0x0E, 0x1F, 0xBA, 0x0E, 0x00, 0xB4, 0x09, 0xCD, 0x21, 0xB8, 0x01, 0x4C, 0xCD, 0x21, 0x54, 0x68, | |
| 0x69, 0x73, 0x20, 0x70, 0x72, 0x6F, 0x67, 0x72, 0x61, 0x6D, 0x20, 0x63, 0x61, 0x6E, 0x6E, 0x6F, | |
| 0x74, 0x20, 0x62, 0x65, 0x20, 0x72, 0x75, 0x6E, 0x20, 0x69, 0x6E, 0x20, 0x44, 0x4F, 0x53, 0x20, | |
| 0x6D, 0x6F, 0x64, 0x65, 0x2E, 0x0D, 0x0D, 0x0A, 0x24, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, |
hfiref0x
/ NtUserInitialize.c
Last active
October 20, 2024 13:31
Windows 11 Next-Gen (24H2) NtUserInitialize BSOD
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| Windows 11 builds starting from 259XXX (24H2) switched to new way of storing win32k global variables, using WIN32KSGD.sys | |
| driver which now allocates huge structure where it hold a lot of session related information, apiset tables etc. | |
| However due to heavy remake there are new bugs introduced - one of it is a BSOD generator inside win32kbase!Win32kBaseUserInitialize | |
| (which is ultimate destination of apiset obscure NtUserInitialize call). | |
| What they did is removed a check if USER was already initialized, thus every code calling NtUserInitialize will go further and lay into | |
| TCB privileges checking part which of course will fail in 99.99% situations and cause Windows to do bugcheck 0x91 | |
| WIN32K_INIT_OR_RIT_FAILURE. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| __int64 __fastcall CiQueryInformation( | |
| SYSTEM_CODEINTEGRITY_INFORMATION *CodeIntegrityInformation, | |
| unsigned int CodeIntegrityInformationLength, | |
| char SeILSigningPolicyNotUnchecked, | |
| _DWORD *ReturnLength) | |
| { | |
| unsigned int v8; // esi | |
| __int64 v9; // r8 | |
| int CodeIntegrityOptions; // ecx | |
| int v11; // edx |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Infamous "antirootkit" from F-Secure. Driver contains few potential CVE's. | |
| With such "functionallity" under the hood it was unable to detect anything more advanced then few PoC's from old rootkit.com | |
| main.c | |
| RtlCopyUnicodeString(&g_DriverRegEntry, RegistryPath); | |
| DriverObject->MajorFunction[2] = fsblIrpCloseHandler; | |
| DriverObject->MajorFunction[0xE] = fsblDriverDispatch; | |
| DriverObject->MajorFunction[0x12] = fsblIrpCleanupHandler; | |
| DriverObject->MajorFunction[0] = fsblIrpCreateHandler; |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| void __fastcall Func007( | |
| int IoControlCode, | |
| MEMOP *InputBuffer, | |
| __int64 InputBufferLength, | |
| MEMOP *OutputBuffer, | |
| int OutputBufferLength, | |
| _DWORD *StatusInformation) | |
| { | |
| PHYSICAL_ADDRESS PhysicalAddress; | |
| PMDL MemoryDescriptorList; |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Named pipe Description Service or process Interface identifier | |
| atsvc atsvc interface (Scheduler service) mstask.exe 1ff70682-0a51-30e8-076d-740be8cee98b v1.0 | |
| AudioSrv AudioSrv interface (Windows Audio service) AudioSrv 3faf4738-3a21-4307-b46c-fdda9bb8c0d5 v1.0 | |
| browser (ntsvcs alias) browser interface (Computer Browser service) Browser 6bffd098-a112-3610-9833-012892020162 v0.0 | |
| cert ICertPassage interface (Certificate services) certsrv.exe 91ae6020-9e3c-11cf-8d7c-00aa00c091be v0.0 | |
| Ctx_Winstation_API_Service winstation_rpc interface termsrv.exe 5ca4a760-ebb1-11cf-8611-00a0245420ed v1.0 | |
| DAV RPC SERVICE davclntrpc interface (WebDAV client service) WebClient c8cb7687-e6d3-11d2-a958-00c04f682e16 v1.0 | |
| dnsserver DnsServer interface (DNS Server service) dns.exe 50abc2a4-574d-40b3-9d66-ee4fd5fba076 v5.0 | |
| epmapper epmp interface (RPC endpoint mapper) RpcSs e1af8308-5d1f-11c9-91a4-08002b14a0fa v3.0 | |
| eventlog (ntsvcs alias) eventlog interface (Eventlog service) Eventlog 82273fdc-e32a-18c3-3f78-827929dc23ea v0.0 |
NewerOlder