參考資訊:
https://www.exploit-db.com/exploits/37052/
https://msdn.microsoft.com/en-us/library/windows/desktop/aa365247(v=vs.85).aspx
https://googleprojectzero.blogspot.tw/2016/02/the-definitive-guide-on-win32-to-nt.html
main.c
#include <windows.h>
#include <winternl.h>
#include <stdio.h>
#pragma comment(lib, "ntdll.lib")
void WINAPI RtlInitUnicodeString(PUNICODE_STRING target, LPCWSTR source)
{
if ((target->Buffer = (LPWSTR)source))
{
target->Length = wcslen(source) * sizeof(WCHAR);
target->MaximumLength = target->Length + sizeof(WCHAR);
}
else
{
target->Length = target->MaximumLength = 0;
}
}
int __cdecl main(int argc, CHAR *argv[])
{
typedef NTSTATUS(__stdcall * NT_OPEN_FILE)(PHANDLE FileHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PIO_STATUS_BLOCK IoStatusBlock, ULONG ShareAccess, ULONG OpenOptions);
NT_OPEN_FILE NtOpenFileStruct;
PVOID Info;
HMODULE hModule = LoadLibrary("ntdll.dll");
NtOpenFileStruct = (NT_OPEN_FILE)GetProcAddress(hModule, "NtOpenFile");
if (NtOpenFileStruct == NULL)
{
return -1;
}
HANDLE hCF = CreateFile("\\Device\\CNG", MAXIMUM_ALLOWED, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL);
printf("CreateFile(\"\\Device\\CNG\"): (handle:0x%X, err:0x%x)\n", hCF, GetLastError());
if (hCF != (HANDLE)-1)
{
CloseHandle(hCF);
}
UNICODE_STRING filename;
RtlInitUnicodeString(&filename, L"\\Device\\CNG");
OBJECT_ATTRIBUTES obja;
obja.Attributes = 0x40;
obja.ObjectName = &filename;
obja.Length = 0x18;
obja.RootDirectory = NULL;
obja.SecurityDescriptor = NULL;
obja.SecurityQualityOfService = NULL;
IO_STATUS_BLOCK iostatusblock;
HANDLE hCNG = NULL;
NTSTATUS stat = NtOpenFileStruct(&hCNG, 0x100001, &obja, &iostatusblock, 7, 0x20);
printf("NtOpenFileStruct(\"\\Device\\CNG\"): (status:0x%x)\n", stat);
if (stat == 0)
{
CloseHandle(hCNG);
}
return 0;
}