├── .gitattributes
├── .gitignore
├── BugCheckHack.sln
├── BugCheckHack
    ├── BugCheckHack.inf
    ├── BugCheckHack.vcxproj
    ├── BugCheckHack.vcxproj.filters
    └── entry.c
├── BugCheckHackUser
    ├── BugCheckHackUser.vcxproj
    ├── BugCheckHackUser.vcxproj.filters
    ├── get.h
    ├── main.c
    ├── pdb.h
    ├── registry.c
    ├── registry.h
    ├── service.c
    └── service.h
└── README.md

--------------------------------------------------------------------------------
/BugCheckHack/BugCheckHack.inf:
--------------------------------------------------------------------------------
;
; BugCheckHack.inf
;

[Version]
Signature="$WINDOWS NT$"
Class=Sample ; TODO: edit Class
ClassGuid={78A1C341-4539-11d3-B88D-00C04FAD5171} ; TODO: edit ClassGuid
Provider=%ManufacturerName%
CatalogFile=BugCheckHack.cat
DriverVer= ; TODO: set DriverVer in stampinf property pages
PnpLockDown=1

[DestinationDirs]
DefaultDestDir = 12
BugCheckHack_Device_CoInstaller_CopyFiles = 11

; ================= Class section =====================

[ClassInstall32]
Addreg=SampleClassReg

[SampleClassReg]
HKR,,,0,%ClassName%
HKR,,Icon,,-5

[SourceDisksNames]
1 = %DiskName%,,,""

[SourceDisksFiles]
BugCheckHack.sys = 1,,
WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll=1 ; make sure the number matches with SourceDisksNames

;*****************************************
; Install Section
;*****************************************

[Manufacturer]
%ManufacturerName%=Standard,NT$ARCH$

[Standard.NT$ARCH$]
%BugCheckHack.DeviceDesc%=BugCheckHack_Device, Root\BugCheckHack ; TODO: edit hw-id

[BugCheckHack_Device.NT]
CopyFiles=Drivers_Dir

[Drivers_Dir]
BugCheckHack.sys

;-------------- Service installation
[BugCheckHack_Device.NT.Services]
AddService = BugCheckHack,%SPSVCINST_ASSOCSERVICE%, BugCheckHack_Service_Inst

; -------------- BugCheckHack driver install sections
[BugCheckHack_Service_Inst]
DisplayName = %BugCheckHack.SVCDESC%
ServiceType = 1 ; SERVICE_KERNEL_DRIVER
StartType = 3 ; SERVICE_DEMAND_START
ErrorControl = 1 ; SERVICE_ERROR_NORMAL
ServiceBinary = %12%\BugCheckHack.sys

;
;--- BugCheckHack_Device Coinstaller installation ------
;

[BugCheckHack_Device.NT.CoInstallers]
AddReg=BugCheckHack_Device_CoInstaller_AddReg
CopyFiles=BugCheckHack_Device_CoInstaller_CopyFiles

[BugCheckHack_Device_CoInstaller_AddReg]
HKR,,CoInstallers32,0x00010000, "WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll,WdfCoInstaller"

[BugCheckHack_Device_CoInstaller_CopyFiles]
WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll

[BugCheckHack_Device.NT.Wdf]
KmdfService = BugCheckHack, BugCheckHack_wdfsect
[BugCheckHack_wdfsect]
KmdfLibraryVersion = $KMDFVERSION$

[Strings]
SPSVCINST_ASSOCSERVICE= 0x00000002
ManufacturerName="" ;TODO: Replace with your manufacturer name
ClassName="Samples" ; TODO: edit ClassName
DiskName = "BugCheckHack Installation Disk"
BugCheckHack.DeviceDesc = "BugCheckHack Device"
BugCheckHack.SVCDESC = "BugCheckHack Service"
--------------------------------------------------------------------------------
/BugCheckHack/entry.c:
--------------------------------------------------------------------------------
#include <ntddk.h>

// Partial layout of the loader's per-module entry. DriverObject->DriverSection
// points at the entry for this driver, which is linked into the loaded-module list.
typedef struct _LDR_DATA_TABLE_ENTRY
{
    LIST_ENTRY InLoadOrderLinks;
    LIST_ENTRY InMemoryOrderLinks;
    LIST_ENTRY InInitializationOrderLinks;
    PVOID DllBase;
    PVOID EntryPoint;
    ULONG SizeOfImage;
    UNICODE_STRING FullDllName;
    UNICODE_STRING BaseDllName;
    ULONG Flags;
    USHORT LoadCount;
    USHORT TlsIndex;
    LIST_ENTRY HashLinks;
    ULONG TimeDateStamp;
} LDR_DATA_TABLE_ENTRY, * PLDR_DATA_TABLE_ENTRY;

PVOID KernelBase = NULL;

// Registry value names holding the replacement bugcheck-screen strings.
PCWSTR Entries[6] = {
    L"Emoticon",
    L"StringOne",
    L"StringTwo",
    L"WebsiteUrl",
    L"CalledSupport",
    L"PossibleFixes"
};

// Reads one value from HKLM\Software\BugCheckHack directly into Address.
NTSTATUS RegistryGetValue(PCWSTR EntryName, PVOID Address) {
    RTL_QUERY_REGISTRY_TABLE Query[2] = { 0 };
    Query[0].Name = (PWSTR)EntryName;
    Query[0].Flags = RTL_QUERY_REGISTRY_DIRECT;
    Query[0].EntryContext = Address;
    return RtlQueryRegistryValues(
        RTL_REGISTRY_ABSOLUTE,
        L"\\Registry\\Machine\\Software\\BugCheckHack",
        Query,
        NULL,
        NULL
    );
}

// Writes Size bytes to Address through a fresh non-cached mapping of the
// physical page behind it, so the write does not go through the (read-only)
// virtual mapping of the kernel image.
NTSTATUS Overwrite(PVOID Address, PVOID Data, ULONG Size) {
    PHYSICAL_ADDRESS PhysAddress = MmGetPhysicalAddress(Address);
    PVOID MappedAddress = MmMapIoSpace(PhysAddress, Size, MmNonCached);

    if (MappedAddress == NULL)
        return STATUS_INSUFFICIENT_RESOURCES;

    RtlCopyMemory(MappedAddress, Data, Size);
    MmUnmapIoSpace(MappedAddress, Size);
    return STATUS_SUCCESS;
}


// https://www.unknowncheats.me/forum/general-programming-and-reversing/427419-getkernelbase.html

__forceinline wchar_t locase_w(wchar_t c) {
    if ((c >= 'A') && (c <= 'Z'))
        return c + 0x20;
    else
        return c;
}

// Case-insensitive (ASCII only) wide-string compare that tolerates NULL pointers.
int _strcmpi_w(const wchar_t* s1, const wchar_t* s2) {
    wchar_t c1, c2;

    if (s1 == s2)
        return 0;

    if (s1 == 0)
        return -1;

    if (s2 == 0)
        return 1;

    do {
        c1 = locase_w(*s1);
        c2 = locase_w(*s2);
        s1++;
        s2++;
    } while ((c1 != 0) && (c1 == c2));

    return (int)(c1 - c2);
}

// Walks the loaded-module list, starting at this driver's own entry, until it
// finds ntoskrnl.exe or wraps around.
PVOID GetKernelBase(PDRIVER_OBJECT DriverObject) {
    if (KernelBase)
        return KernelBase;
    PLDR_DATA_TABLE_ENTRY entry = (PLDR_DATA_TABLE_ENTRY)DriverObject->DriverSection;
    PLDR_DATA_TABLE_ENTRY first = entry;
    while ((PLDR_DATA_TABLE_ENTRY)entry->InLoadOrderLinks.Flink != first) {
        if (_strcmpi_w(entry->BaseDllName.Buffer, L"ntoskrnl.exe") == 0) {
            return entry->DllBase;
        }
        entry = (PLDR_DATA_TABLE_ENTRY)entry->InLoadOrderLinks.Flink;
    }
    KernelBase = NULL;
    return NULL;
}

// TRUE when the WindowsSelfHost IsBuildFlightingEnabled value exists and is non-zero.
BOOLEAN IsInsider(VOID) {
    DWORD32 Exist = 0;
    RTL_QUERY_REGISTRY_TABLE Query[2] = { 0 };
    Query[0].Name = L"IsBuildFlightingEnabled";
    Query[0].Flags = RTL_QUERY_REGISTRY_DIRECT;
    Query[0].EntryContext = &Exist;
    if (RtlQueryRegistryValues(
        RTL_REGISTRY_ABSOLUTE,
        L"\\Registry\\Machine\\Software\\Microsoft\\WindowsSelfHost\\Applicability",
        Query,
        NULL,
        NULL
    )) {
        return FALSE;
    }
    return Exist != 0;
}

// Scans the UNICODE_STRING array that follows EtwpLastBranchLookAsideList and
// records, by matching their current text, where the five screen strings live.
VOID ParseEtwpLastBranchLookAsideListStrings(ULONG_PTR EtwpLastBranchLookAsideList, ULONG_PTR* Addresses) {
    Addresses[0] = EtwpLastBranchLookAsideList + 0x60;
    PUNICODE_STRING temp = (PUNICODE_STRING)(EtwpLastBranchLookAsideList + 0x60);
    for (UCHAR i = 0; i < sizeof(UNICODE_STRING); i++, temp++) {
        // wcsstr would dereference a NULL Buffer, so skip empty slots.
        if (temp->Buffer == NULL)
            continue;
        if (wcsstr(temp->Buffer, L"Insider Build ran into a problem and needs to restart.") && IsInsider())
            Addresses[0] = (ULONG_PTR)temp;
        if (wcsstr(temp->Buffer, L"and then we'll restart for you"))
            Addresses[1] = (ULONG_PTR)temp;
        if (wcsstr(temp->Buffer, L"www.windows.com/stopcode"))
            Addresses[2] = (ULONG_PTR)temp;
        if (wcsstr(temp->Buffer, L"this issue and possible fixes, visit"))
            Addresses[3] = (ULONG_PTR)temp;
        if (wcsstr(temp->Buffer, L"give them this info:"))
            Addresses[4] = (ULONG_PTR)temp;
    }
}

NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath) {
    DWORD32 FrownyOffset = 0;
    DWORD32 StringsOffset = 0;
    DWORD32 BgpClearScreen = 0;
    UNREFERENCED_PARAMETER(RegistryPath);
    KernelBase = GetKernelBase(DriverObject);
    if (RegistryGetValue(L"FrownyOffset", &FrownyOffset)) {
        return STATUS_DRIVER_INTERNAL_ERROR;
    }
    if (RegistryGetValue(L"StringsOffset", &StringsOffset)) {
        return STATUS_DRIVER_INTERNAL_ERROR;
    }
    if (RegistryGetValue(L"BgpClearScreenOffset", &BgpClearScreen)) {
        return STATUS_DRIVER_INTERNAL_ERROR;
    }

    // The offsets are 32-bit values; only KernelBase is a pointer.
    DbgPrint("%x\n%x\n%x\n%p\n", FrownyOffset, StringsOffset, BgpClearScreen, KernelBase);

    // Without a kernel base the offsets below would resolve to bogus addresses.
    if (!KernelBase || !FrownyOffset || !StringsOffset)
        return STATUS_DRIVER_INTERNAL_ERROR;

    ULONG_PTR Strings[5] = { 0 };
    ParseEtwpLastBranchLookAsideListStrings((ULONG_PTR)KernelBase + StringsOffset, Strings);

    // faster than memset lmfao
    UCHAR Patch[8] = { 0xc3, 0xc3, 0xc3, 0xc3, 0xc3, 0xc3, 0xc3, 0xc3 };

    // 0xC3 is the x86 `ret` opcode; only the first byte is written, so
    // BgpClearScreen returns immediately.
    if (BgpClearScreen != 0) {
        Overwrite((PVOID)((ULONG_PTR)KernelBase + BgpClearScreen), Patch, 1);
    }

    UNICODE_STRING String[6] = { 0 };

    String[0].MaximumLength = 10;
    for (UCHAR i = 1; i < 6; i++)
        String[i].MaximumLength = 100;

    for (UCHAR i = 0; i < 6; i++) {
        if (RegistryGetValue(Entries[i], &String[i])) {
            return STATUS_DRIVER_INTERNAL_ERROR;
        }
        if (i == 0) {
            if (Overwrite((PVOID)((ULONG_PTR)KernelBase + FrownyOffset), &String[i], sizeof(UNICODE_STRING)))
                return STATUS_DRIVER_INTERNAL_ERROR;
        }
        else {
            // A string that was not located stays 0; do not write through address 0.
            if (Strings[i - 1] == 0)
                return STATUS_DRIVER_INTERNAL_ERROR;
            if (Overwrite((PVOID)Strings[i - 1], &String[i], sizeof(UNICODE_STRING)))
                return STATUS_DRIVER_INTERNAL_ERROR;
        }
    }

    // Always report failure so the driver is unloaded once the patches are applied.
    return STATUS_FAILED_DRIVER_ENTRY;
}
Win32Proj 24 | {158d39c3-3c3d-44e7-b0e1-34334faff9d4} 25 | BugCheckHackUser 26 | 10.0 27 | 28 | 29 | 30 | Application 31 | true 32 | v142 33 | Unicode 34 | 35 | 36 | Application 37 | false 38 | v142 39 | true 40 | Unicode 41 | 42 | 43 | Application 44 | true 45 | v142 46 | Unicode 47 | 48 | 49 | Application 50 | false 51 | v142 52 | true 53 | Unicode 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | true 75 | 76 | 77 | false 78 | 79 | 80 | true 81 | 82 | 83 | false 84 | 85 | 86 | 87 | Level3 88 | true 89 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 90 | true 91 | 92 | 93 | Windows 94 | true 95 | Version.lib;%(AdditionalDependencies) 96 | 97 | 98 | 99 | 100 | Level3 101 | true 102 | true 103 | true 104 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 105 | true 106 | 107 | 108 | Windows 109 | true 110 | true 111 | true 112 | Version.lib;%(AdditionalDependencies) 113 | 114 | 115 | 116 | 117 | Level3 118 | true 119 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions) 120 | true 121 | 122 | 123 | Windows 124 | true 125 | Version.lib;%(AdditionalDependencies) 126 | 127 | 128 | 129 | 130 | Level3 131 | true 132 | true 133 | true 134 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 135 | true 136 | 137 | 138 | Windows 139 | true 140 | true 141 | true 142 | Version.lib;%(AdditionalDependencies) 143 | 144 | 145 | 146 | 147 | 148 | 149 | 150 | 151 | 152 | 153 | 154 | 155 | 156 | 157 | 158 | 159 | -------------------------------------------------------------------------------- /BugCheckHackUser/BugCheckHackUser.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | 
rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | Source Files 23 | 24 | 25 | Source Files 26 | 27 | 28 | 29 | 30 | Header Files 31 | 32 | 33 | Header Files 34 | 35 | 36 | Header Files 37 | 38 | 39 | Header Files 40 | 41 | 42 | -------------------------------------------------------------------------------- /BugCheckHackUser/get.h: -------------------------------------------------------------------------------- 1 | #ifndef LIBVALINET_INTERNET_GET_H_ 2 | #define LIBVALINET_INTERNET_GET_H_ 3 | #include 4 | #include 5 | #include 6 | #pragma comment(lib, "Wininet.lib") 7 | 8 | DWORD VnDownloadFile( 9 | char* filename, 10 | char* hostname, 11 | char* path, 12 | char* userAgent, 13 | INTERNET_PORT nServerPort, 14 | DWORD dwService, 15 | char* referrer, 16 | char* headers, 17 | DWORD bufsiz 18 | ) 19 | { 20 | DWORD dwRet = 0; 21 | HINTERNET hInternet; 22 | if (hInternet = InternetOpenA( 23 | userAgent, 24 | INTERNET_OPEN_TYPE_DIRECT, 25 | NULL, 26 | NULL, 27 | NULL 28 | )) 29 | { 30 | HINTERNET hConnect; 31 | if (hConnect = InternetConnectA( 32 | hInternet, 33 | hostname, 34 | nServerPort, 35 | NULL, 36 | NULL, 37 | dwService, 38 | NULL, 39 | NULL 40 | )) 41 | { 42 | HINTERNET hRequest; 43 | if (hRequest = HttpOpenRequestA( 44 | hConnect, 45 | "GET", 46 | path, 47 | NULL, 48 | referrer, 49 | NULL, 50 | NULL, 51 | NULL 52 | )) 53 | { 54 | char data[1] = ""; 55 | if (HttpSendRequestA( 56 | hRequest, 57 | headers, 58 | strlen(headers), 59 | (LPVOID)(data), 60 | strlen(data) * sizeof(char) 61 | )) 62 | { 63 | FILE* f = NULL; 64 | if (fopen_s( 65 | &f, 66 | filename, 67 | "wb" 68 | )) 69 | { 70 | dwRet = 7; 71 | } 72 | else 73 | { 74 | BYTE* buffer = (BYTE*)malloc(bufsiz); 75 | if (buffer == NULL) 76 | { 77 | dwRet = 6; 78 | } 79 | else 80 | { 81 | DWORD dwRead; 82 | BOOL bRet = TRUE; 83 | while (bRet = InternetReadFile( 84 | hRequest, 85 | buffer, 86 | bufsiz, 87 | &dwRead 88 | )) 89 | { 
                                if (dwRead == 0)
                                {
                                    break;
                                }
                                fwrite(
                                    buffer,
                                    sizeof(BYTE),
                                    dwRead,
                                    f
                                );
                                dwRead = 0;
                            }
                            if (bRet == FALSE)
                            {
                                dwRet = 5;
                            }
                            free(buffer);
                        }
                        fclose(f);
                    }
                }
                else
                {
                    dwRet = 4;
                }
                InternetCloseHandle(hRequest);
            }
            else
            {
                dwRet = 3;
            }
            InternetCloseHandle(hConnect);
        }
        else
        {
            dwRet = 2;
        }
        InternetCloseHandle(hInternet);
    }
    else
    {
        dwRet = 1;
    }
    return dwRet;
}

#endif
--------------------------------------------------------------------------------
/BugCheckHackUser/main.c:
--------------------------------------------------------------------------------
#include <Windows.h>
#include "registry.h"
#include "pdb.h"
#include "service.h"

// shit to make it look nicer

#pragma comment(linker,"\"/manifestdependency:type='win32' name='Microsoft.Windows.Common-Controls' version='6.0.0.0' processorArchitecture='*' publicKeyToken='6595b64144ccf1df' language='*'\"")

// https://stackoverflow.com/a/41808496

BOOL CALLBACK EnumChildProc(HWND hWnd, LPARAM lParam) {
    HFONT hfDefault = (HFONT)GetStockObject(DEFAULT_GUI_FONT);
    SendMessage(hWnd, WM_SETFONT, (WPARAM)hfDefault, MAKELPARAM(TRUE, 0));
    return TRUE;
}

// Labels shown next to the six edit boxes
PCWSTR ValueNames[6] = {
    L"Frowny",
    L"String One",
    L"String Two",
    L"Website URL",
    L"Called Support",
    L"Possible Fixes"
};

PCWSTR ButtonNames[4] = {
    L"Save Values",
    L"Create Service",
    L"Delete Service",
    L"Run Service"
};

// Registry value names: three offsets followed by the six user strings
PCWSTR RegValueNames[9] = {
    L"FrownyOffset",
    L"StringsOffset",
    L"BgpClearScreenOffset",
    L"Emoticon",
    L"StringOne",
    L"StringTwo",
    L"WebsiteUrl",
    L"CalledSupport",
    L"PossibleFixes"
};

#define KEY L"SOFTWARE\\BugCheckHack"

CHAR FilePathA[MAX_PATH] = { 0 };
WCHAR FilePathW[MAX_PATH] = { 0 };
UCHAR count = 2;

VOID GetWindowsVersion(DWORD* Version) {
    DWORD Dummy;
    DWORD FileInfoSize = GetFileVersionInfoSizeExW(FILE_VER_GET_NEUTRAL, L"KernelBase.dll", &Dummy);
    BYTE* Buffer = (BYTE*)malloc(FileInfoSize);
    GetFileVersionInfoExW(FILE_VER_GET_NEUTRAL, L"KernelBase.dll", Dummy,
        FileInfoSize, Buffer);
    VOID* p = NULL;
    UINT Size = 0;
    VerQueryValueW(Buffer, L"\\", &p, &Size);
    const VS_FIXEDFILEINFO* FileInfo = (const VS_FIXEDFILEINFO*)p;
    Version[0] = HIWORD(FileInfo->dwFileVersionMS);
    Version[1] = LOWORD(FileInfo->dwFileVersionMS);
    Version[2] = HIWORD(FileInfo->dwFileVersionLS);
    Version[3] = LOWORD(FileInfo->dwFileVersionLS);
    free(Buffer);
}

BOOL IsProcessElevated(VOID) {
    BOOL IsElevated = FALSE;
    HANDLE hToken = NULL;
    TOKEN_ELEVATION elevation;
    DWORD dwSize;

    // Without a token there is nothing to query: treat as not elevated
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken))
        return FALSE;

    if (GetTokenInformation(hToken, TokenElevation, &elevation, sizeof(elevation), &dwSize))
        IsElevated = elevation.TokenIsElevated;

    // Close the token handle on every path
    CloseHandle(hToken);
    return IsElevated;
}

// Kill me

BOOLEAN ParseNtoskrnl(VOID) {
    if (VnDownloadSymbols(NULL, FilePathA,
        FilePathA, MAX_PATH)) {
        MessageBox(NULL, L"Failed to download symbols", NULL, MB_ICONSTOP);
        return FALSE;
    }
    DWORD Address[3] = { 0 };
    DWORD WindowsVersion[4] = { 0 };
    GetWindowsVersion(WindowsVersion);
    if (WindowsVersion[2] >= 19041 && WindowsVersion[2] < 22000) {
        CHAR* SymbolName[3] = { "HalpPCIConfigReadHandlers", "EtwpLastBranchLookAsideList", "BgpClearScreen" };
        if (VnGetSymbols(FilePathA,
            Address, SymbolName, count)) {
            MessageBox(NULL, L"Failed to find the required functions", NULL, MB_ICONSTOP);
            return FALSE;
        }
    }
    else if (WindowsVersion[2] >= 22000) {
        if (WindowsVersion[3] >= 434) {
            CHAR* SymbolName[3] = { "HalpPCIConfigReadHandlers", "EtwpStackLookAsideList", "BgpClearScreen" };
            if (VnGetSymbols(FilePathA,
                Address, SymbolName, count)) {
                MessageBox(NULL, L"Failed to find the required functions", NULL, MB_ICONSTOP);
                return FALSE;
            }
        }
        else {
            CHAR* SymbolName[3] = { "HalpPCIConfigReadHandlers", "EtwpLastBranchLookAsideList", "BgpClearScreen" };
            if (VnGetSymbols(FilePathA,
                Address, SymbolName, count)) {
                MessageBox(NULL, L"Failed to find the required functions", NULL, MB_ICONSTOP);
                return FALSE;
            }
        }
    }
    else {
        MessageBox(NULL, L"This version of Windows is not supported", NULL, MB_ICONSTOP);
        return FALSE;
    }
    // Hand the resolved offsets to the driver through the registry
    for (int i = 0; i < 3; i++) {
        if (!i)
            Address[i] += 0x18;
        RegistryWriteDword32(KEY, RegValueNames[i], Address[i]);
    }
    if (!ServiceStart(L"BugCheckHack")) {
        MessageBox(NULL, L"Failed to start service", NULL, MB_ICONSTOP);
        return FALSE;
    }
    return TRUE;
}

LRESULT CALLBACK WndProc(HWND hwnd, UINT msg,
    WPARAM wParam, LPARAM lParam) {

    BOOLEAN checked = TRUE;
    INT first = 5;
    static HWND TextBoxes[6];
    HINSTANCE inst = { 0 };
    switch (msg) {

    case WM_CREATE:

        for (UCHAR i = 0; i < 6; i++) {
            CreateWindow(L"Static", ValueNames[i],
                WS_CHILD | WS_VISIBLE | SS_LEFT,
                5, 10 + (i * 30), 300, 230,
                hwnd, (HMENU)1, NULL, NULL);
            TextBoxes[i] = CreateWindow(L"Edit", NULL,
                WS_CHILD | WS_VISIBLE | WS_BORDER,
                90, 10 + (i * 30), 325, 20, hwnd, (HMENU)i,
                NULL, NULL);
        }

        CreateWindowW(L"Button", L"Aero BSOD",
            WS_CHILD | WS_VISIBLE | BS_AUTORADIOBUTTON,
            5, 10 + (6 * 30), (10 * 9), 15, hwnd, (HMENU)42, inst, NULL);

        // (HMENU)10 + i is pointer arithmetic on HMENU, so the button IDs
        // come out as 0xa, 0xe, 0x12 and 0x16 (the cases handled below)
        for (int i = 0; i < 4; i++) {
            CreateWindow(L"Button", ButtonNames[i],
                WS_VISIBLE | WS_CHILD,
                first, (7 * 30) + 10, (wcslen(ButtonNames[i]) * 8), 25, hwnd, (HMENU)10 + i, NULL, NULL);
            first += (wcslen(ButtonNames[i]) * 8) + 10;
        }

        break;

    case WM_COMMAND:
        switch (LOWORD(wParam)) {
        case 0xa:
            // Save Values: write each edit box to its registry string
            for (INT i = 0; i < 6; i++) {
                INT Length = GetWindowTextLength(TextBoxes[i]) + 1;
                PWSTR Text = malloc(Length * sizeof(WCHAR));
                if (!Text)
                    continue;
                GetWindowText(TextBoxes[i], Text, Length);
                RegistryWriteString(KEY, RegValueNames[i + 3], Text);
                free(Text);
            }
            break;
        case 0xe:
            if (!ServiceCreate(L"BugCheckHack", FilePathW)) {
                MessageBox(hwnd, L"Failed to create service", NULL, MB_ICONSTOP);
                break;
            }
            MessageBox(hwnd, L"Successfully created the service", NULL, 0);
            break;
        case 0x12:
            if (!ServiceDelete(L"BugCheckHack")) {
                MessageBox(hwnd, L"Failed to delete service", NULL, MB_ICONSTOP);
                break;
            }
            MessageBox(hwnd, L"Successfully deleted the service", NULL, 0);
            break;
        case 0x16:
            if (!ParseNtoskrnl()) {
                MessageBox(hwnd, L"Failed to modify the bsod", NULL, 0);
                break;
            }
            MessageBox(hwnd, L"Successfully modified the bsod", NULL, 0);
            break;
        case 0x2a:
            // Aero BSOD radio button: also resolve BgpClearScreen
            count = 3;
        }
        break;

    case WM_DESTROY:
        PostQuitMessage(0);
        break;
    }

    return DefWindowProc(hwnd, msg, wParam, lParam);
}

INT WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance,
    PWSTR lpCmdLine, int nCmdShow) {

    if (!IsProcessElevated()) {
        MessageBox(NULL, L"Please run the program as administrator!", NULL, MB_ICONSTOP);
        return -1;
    }

    if (!RegistryDoesKeyExist(KEY))
        RegistryCreateKey(KEY);

    GetSystemDirectoryA(FilePathA, MAX_PATH);
    strcat_s(FilePathA, MAX_PATH, "\\ntoskrnl.exe");

    // The size argument is a character count, not a byte count
    GetWindowsDirectoryW(FilePathW, MAX_PATH);
    lstrcatW(FilePathW, L"\\BugCheckHack.sys");

    DWORD dwAttrib = GetFileAttributes(FilePathW);

    if (!(dwAttrib != INVALID_FILE_ATTRIBUTES &&
        !(dwAttrib & FILE_ATTRIBUTE_DIRECTORY))) {
        MessageBox(NULL, L"Make sure to copy over BugCheckHack.sys to your Windows directory before running", NULL, MB_ICONSTOP);
        return -1;
    }

    MSG msg;
    WNDCLASSW wc = { 0 };
    wc.lpszClassName = L"BugCheckHack";
    wc.hInstance = hInstance;
    wc.hbrBackground = GetSysColorBrush(COLOR_3DFACE);
    wc.lpfnWndProc = WndProc;
    wc.hCursor = LoadCursor(0, IDC_ARROW);

    RegisterClassW(&wc);
    HWND window = CreateWindow(wc.lpszClassName, L"BugCheckHack",
        WS_OVERLAPPED | WS_CAPTION | WS_SYSMENU,
        150, 150, 455, (10 * 30), 0, 0, hInstance, 0);

    EnumChildWindows(window, EnumChildProc, 0);

    ShowWindow(window, SW_SHOW);

    while (GetMessage(&msg, NULL, 0, 0)) {
        TranslateMessage(&msg);
        DispatchMessage(&msg);
    }

    return (int)msg.wParam;
}
--------------------------------------------------------------------------------
/BugCheckHackUser/pdb.h:
--------------------------------------------------------------------------------
#ifndef LIBVALINET_PDB_PDB_H_
#define LIBVALINET_PDB_PDB_H_
//
// pdb includes:
// * pdbdump - Small tool to list and query symbols in PDB files.
//   original source code: https://gist.github.com/mridgers/2968595
// * PDBDownloader
//   original source code: https://github.com/rajkumar-rangaraj/PDB-Downloader

#include "get.h"
#include <stdio.h>
#include <Windows.h>
#include <stdint.h>
#include <DbgHelp.h>
#pragma comment(lib, "dbghelp.lib")
#include <Shlwapi.h>
#pragma comment(lib, "Shlwapi.lib")

#define ASSERT(x, m, ...) if (!(x)) { fprintf(stderr, m, __VA_ARGS__); \
    exit(-1); }
#define VN_PDB_ONE_MB (10240 * 10240)
#define VN_PDB_ADDRESS_OFFSET 0x400000
#define VN_PDB_SYMBOL_HOSTNAME "msdl.microsoft.com"
#define VN_PDB_SYMBOL_WEB "/download/symbols/"
#define VN_PDB_USER_AGENT "Microsoft-Symbol-Server/10.0.10036.206"
#define VN_PDB_FORM_HEADERS "Content-Type: application/octet-stream;\r\n"
#define VN_PDB_DOWNLOAD_FILE_BUFFER_SIZE 4096

// https://deplinenoise.wordpress.com/2013/06/14/getting-your-pdb-name-from-a-running-executable-windows/
// CodeView "RSDS" record referenced from the PE debug directory
struct _PdbInfo
{
    DWORD Signature;
    GUID Guid;
    DWORD Age;
    char PdbFileName[1];
};
typedef struct _PdbInfo PdbInfo;

//------------------------------------------------------------------------------
// https://stackoverflow.com/questions/3828835/how-can-we-check-if-a-file-exists-or-not-using-win32-program
int fileExists(char* file)
{
    WIN32_FIND_DATAA FindFileData;
    HANDLE handle = FindFirstFileA(file, &FindFileData);
    int found = handle != INVALID_HANDLE_VALUE;
    if (found)
    {
        FindClose(handle);
    }
    return found;
}

enum e_mode
{
    e_mode_resolve_stdin,
    e_mode_enum_symbols,
};

enum e_enum_type
{
    e_enum_type_symbols,
    e_enum_type_types
};

struct _sym_info
{
    DWORD64 addr;
    int size;
    char* name;
    char* file;
    int tag : 8;
    int line : 24;
};
typedef struct _sym_info sym_info_t;

struct _pool
{
    char* base;
    int committed;
    int size;
    int used;
};
typedef struct _pool pool_t;

typedef int (sort_func_t)(const sym_info_t*, const sym_info_t*);

int g_page_size = 0;
HANDLE g_handle = (HANDLE)0x493;
int g_csv_output = 0;
int g_sym_count = 0;
enum e_mode g_mode = e_mode_enum_symbols;
enum e_enum_type g_enum_type = e_enum_type_symbols;
pool_t g_symbol_pool;
pool_t g_string_pool;
extern const char* g_sym_tag_names[]; /* ...at end of file */

void pool_create(pool_t* pool, int size)
{
    pool->base = (char*)VirtualAlloc(NULL, size, MEM_RESERVE, PAGE_READWRITE);
    pool->size = size;
    pool->committed = 0;
    pool->used = 0;
}

void pool_destroy(pool_t* pool)
{
    VirtualFree(pool->base, 0, MEM_RELEASE);
}

void pool_clear(pool_t* pool)
{
    pool->used = 0;
}

void* pool_alloc(pool_t* pool, int size)
{
    int i;
    char* addr;

    ASSERT(size < g_page_size, "Allocation too large!");

    i = pool->used + size;
    if (i >= pool->committed)
    {
        ASSERT(i < pool->size, "Memory pool exhausted.");
        VirtualAlloc((void*)(pool->base + pool->committed), g_page_size,
            MEM_COMMIT, PAGE_READWRITE
        );
        pool->committed += g_page_size;
    }

    addr = pool->base + pool->used;
    pool->used += size;
    return addr;
}

void dbghelp_to_sym_info(SYMBOL_INFO* info, sym_info_t* sym_info)
{
    BOOL ok;
    DWORD disp;
    IMAGEHLP_LINE64 line;

    // General properties
    sym_info->addr = info->Address;
    sym_info->size = info->Size;
    sym_info->tag = info->Tag;

    // Symbol name
    sym_info->name = (char*)pool_alloc(&g_string_pool, info->NameLen + 1);
    memcpy(sym_info->name, info->Name, info->NameLen);

    // Get file and line number info.
    line.SizeOfStruct = sizeof(line);
    ok = SymGetLineFromAddr64(g_handle, info->Address, &disp, &line);
    if ((ok != FALSE) && line.FileName)
    {
        sym_info->line = line.LineNumber;
        sym_info->file = (char*)pool_alloc(&g_string_pool, strlen(line.FileName) + 1);
        memcpy(sym_info->file, line.FileName, strlen(line.FileName));
    }
    else
    {
        sym_info->line = 0;
        sym_info->file = (char*)"?";
    }
}

BOOL CALLBACK enum_proc(SYMBOL_INFO* info, ULONG size, void* param)
{
    sym_info_t* sym_info;

    sym_info = (sym_info_t*)pool_alloc(&g_symbol_pool, sizeof(sym_info_t));
    dbghelp_to_sym_info(info, sym_info);

    ++g_sym_count;

    return TRUE;
}

int create_pools(uintptr_t base_addr)
{
    BOOL ok;
    FILE* in;
    int size, i;
    const char* guide;

    // Fetch PDB file for the module.
    IMAGEHLP_MODULE64 module = { sizeof(module) };
    ok = SymGetModuleInfo64(g_handle, base_addr, &module);
    if (!ok)
    {
        return 0;
    }

    guide = module.LoadedPdbName;

    // An .exe with no symbols available?
    if (!guide || guide[0] == '\0')
    {
        return 0;
    }

    // Get file size.
    fopen_s(&in, guide, "rb");
    ASSERT(in != NULL, "Failed to open pool-size guide file.");

    fseek(in, 0, SEEK_END);
    size = ftell(in);
    fclose(in);

    // Use anecdotal evidence to guess at suitable pool sizes :).
    i = size / 4;
    pool_create(&g_string_pool, (i < VN_PDB_ONE_MB) ? VN_PDB_ONE_MB : i);

    i = size / 25;
    pool_create(&g_symbol_pool, (i < VN_PDB_ONE_MB) ? VN_PDB_ONE_MB : i);

    return 1;
}

uintptr_t load_module(const char* pdb_file)
{
    uintptr_t base_addr = VN_PDB_ADDRESS_OFFSET;

    base_addr = (size_t)SymLoadModuleEx(g_handle, NULL, pdb_file, NULL,
        base_addr, 0x7fffffff, NULL, 0
    );

    return base_addr;
}

INT VnGetSymbols(
    const char* pdb_file,
    DWORD* addresses,
    char** symbols,
    DWORD numOfSymbols
)
{
    DWORD options;
    SYSTEM_INFO sys_info;
    int i;
    uintptr_t base_addr;
    DWORD ok;

    // Get page size.
    GetSystemInfo(&sys_info);
    g_page_size = sys_info.dwPageSize;

    // Initialise DbgHelp
    options = SymGetOptions();
    options &= ~SYMOPT_DEFERRED_LOADS;
    options |= SYMOPT_LOAD_LINES;
    options |= SYMOPT_IGNORE_NT_SYMPATH;
#if ENABLE_DEBUG_OUTPUT
    options |= SYMOPT_DEBUG;
#endif
    options |= SYMOPT_UNDNAME;
    SymSetOptions(options);

    ok = SymInitialize(g_handle, NULL, FALSE);
    if (!ok)
    {
        return -1;
    }

    // Load module.
    base_addr = load_module(pdb_file);
    if (!base_addr)
    {
        SymCleanup(g_handle);
        return -2;
    }

    if (!create_pools(base_addr))
    {
        SymCleanup(g_handle);
        return -3;
    }

    g_sym_count = 0;
    for (i = 0; i < numOfSymbols; ++i)
    {
        SymEnumSymbols(g_handle, base_addr, symbols[i], enum_proc, NULL);
        if (g_sym_count != i + 1)
        {
            SymCleanup(g_handle);
            return -4;
        }
    }

    for (i = 0; i < g_sym_count; ++i)
    {
        sym_info_t* sym_info = ((sym_info_t*)g_symbol_pool.base) + i;
        addresses[i] = sym_info->addr - VN_PDB_ADDRESS_OFFSET;
    }

    // Done.
    ok = SymUnloadModule64(g_handle, (DWORD64)base_addr);
    if (!ok)
    {
        SymCleanup(g_handle);
        return -5;
    }

    pool_destroy(&g_string_pool);
    pool_destroy(&g_symbol_pool);

    SymCleanup(g_handle);

    return 0;
}

// adapted from: https://github.com/rajkumar-rangaraj/PDB-Downloader
INT VnDownloadSymbols(
    HMODULE hModule,
    char* dllName,
    char* szLibPath,
    UINT sizeLibPath
)
{
    HANDLE hFile;
    HANDLE hFileMapping;
    LPVOID lpFileBase;
    PBYTE baseImage;
    PIMAGE_DOS_HEADER dosHeader;
#ifdef _WIN64
    PIMAGE_NT_HEADERS64 ntHeader;
#else
    PIMAGE_NT_HEADERS32 ntHeader;
#endif
    PIMAGE_SECTION_HEADER sectionHeader;
    DWORD ptr;
    UINT nSectionCount;
    UINT i;
    uintptr_t offset;
    UINT cbDebug = 0;
    PIMAGE_DEBUG_DIRECTORY imageDebugDirectory;
    PdbInfo* pdb_info = NULL;
    char url[_MAX_PATH];
    ZeroMemory(url, _MAX_PATH * sizeof(char));
    strcat_s(url, _MAX_PATH, VN_PDB_SYMBOL_WEB);

    hFile = CreateFileA(
        dllName,
        GENERIC_READ,
        FILE_SHARE_READ,
        NULL,
        OPEN_EXISTING,
        FILE_ATTRIBUTE_NORMAL,
        0
    );
    if (hFile == INVALID_HANDLE_VALUE)
    {
        return 1;
    }

    hFileMapping = CreateFileMapping(hFile, NULL, PAGE_READONLY, 0, 0, NULL);
    if (hFileMapping == 0)
    {
        CloseHandle(hFile);
        return 2;
    }

    lpFileBase = MapViewOfFile(hFileMapping, FILE_MAP_READ, 0, 0, 0);
    if (lpFileBase == 0)
    {
        CloseHandle(hFileMapping);
        CloseHandle(hFile);
        return 3;
    }

    baseImage = (PBYTE)lpFileBase;
    dosHeader = (PIMAGE_DOS_HEADER)lpFileBase;
    if (dosHeader->e_magic != IMAGE_DOS_SIGNATURE)
    {
        UnmapViewOfFile(lpFileBase);
        CloseHandle(hFileMapping);
        CloseHandle(hFile);
        return 4;
    }

#ifdef _WIN64
    ntHeader = (PIMAGE_NT_HEADERS64)((u_char*)dosHeader + dosHeader->e_lfanew);
#else
    ntHeader = (PIMAGE_NT_HEADERS32)((u_char*)dosHeader + dosHeader->e_lfanew);
#endif
    if (ntHeader->Signature != IMAGE_NT_SIGNATURE)
    {
        UnmapViewOfFile(lpFileBase);
        CloseHandle(hFileMapping);
        CloseHandle(hFile);
        return 5;
    }
    if (ntHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_DEBUG].VirtualAddress == 0)
    {
        UnmapViewOfFile(lpFileBase);
        CloseHandle(hFileMapping);
        CloseHandle(hFile);
        return 6;
    }
    cbDebug = ntHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_DEBUG].Size;
    ptr = ntHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_DEBUG].VirtualAddress;
    sectionHeader = IMAGE_FIRST_SECTION(ntHeader);
    nSectionCount = ntHeader->FileHeader.NumberOfSections;
    for (i = 0; i <= nSectionCount; ++i, ++sectionHeader)
    {
        if ((sectionHeader->VirtualAddress) > ptr)
        {
            sectionHeader--;
            break;
        }
    }
    if (i > nSectionCount)
    {
        sectionHeader = IMAGE_FIRST_SECTION(ntHeader);
        UINT nSectionCount = ntHeader->FileHeader.NumberOfSections;
        for (i = 0; i < nSectionCount - 1; ++i, ++sectionHeader);
    }
    offset = (uintptr_t)baseImage + ptr + (uintptr_t)sectionHeader->PointerToRawData - (uintptr_t)sectionHeader->VirtualAddress;
    while (cbDebug >= sizeof(IMAGE_DEBUG_DIRECTORY))
    {
        imageDebugDirectory = (PIMAGE_DEBUG_DIRECTORY)(offset);
        offset += sizeof(IMAGE_DEBUG_DIRECTORY);
        if (imageDebugDirectory->Type == IMAGE_DEBUG_TYPE_CODEVIEW)
        {
            pdb_info = (PdbInfo*)((uintptr_t)baseImage + imageDebugDirectory->PointerToRawData);
            if (0 == memcmp(&pdb_info->Signature, "RSDS", 4))
            {
                // Symbol server path: <pdb name>/<GUID><Age>/<pdb name>
                strcat_s(url, _MAX_PATH, pdb_info->PdbFileName);
                strcat_s(url, _MAX_PATH, "/");
                // https://stackoverflow.com/questions/1672677/print-a-guid-variable
                sprintf_s(
                    url + strlen(url),
                    33,
                    "%08lX%04hX%04hX%02hhX%02hhX%02hhX%02hhX%02hhX%02hhX%02hhX%02hhX",
                    pdb_info->Guid.Data1,
                    pdb_info->Guid.Data2,
                    pdb_info->Guid.Data3,
                    pdb_info->Guid.Data4[0],
                    pdb_info->Guid.Data4[1],
                    pdb_info->Guid.Data4[2],
                    pdb_info->Guid.Data4[3],
                    pdb_info->Guid.Data4[4],
                    pdb_info->Guid.Data4[5],
                    pdb_info->Guid.Data4[6],
                    pdb_info->Guid.Data4[7]
                );
                // Age can be longer than two hex digits, so size the
                // write by the space left in url instead of a fixed 4
                sprintf_s(
                    url + strlen(url),
                    _MAX_PATH - strlen(url),
                    "%x/",
                    pdb_info->Age
                );
                strcat_s(url, _MAX_PATH, pdb_info->PdbFileName);
                break;
            }
        }
        cbDebug -= (UINT)sizeof(IMAGE_DEBUG_DIRECTORY);
    }
    if (pdb_info == NULL)
    {
        UnmapViewOfFile(lpFileBase);
        CloseHandle(hFileMapping);
        CloseHandle(hFile);
        return 7;
    }
    PathRemoveFileSpecA(szLibPath);
    strcat_s(
        szLibPath,
        sizeLibPath,
        "\\"
    );
    strcat_s(
        szLibPath,
        sizeLibPath,
        pdb_info->PdbFileName
    );
    UnmapViewOfFile(lpFileBase);
    CloseHandle(hFileMapping);
    CloseHandle(hFile);
    if (fileExists(szLibPath))
    {
        DeleteFileA(szLibPath);
    }
    return VnDownloadFile(
        szLibPath,
        (char*)VN_PDB_SYMBOL_HOSTNAME,
        url,
        (char*)VN_PDB_USER_AGENT,
        INTERNET_DEFAULT_HTTP_PORT,
        INTERNET_SERVICE_HTTP,
        NULL,
        (char*)VN_PDB_FORM_HEADERS,
        VN_PDB_DOWNLOAD_FILE_BUFFER_SIZE
    );
}
#endif

--------------------------------------------------------------------------------
/BugCheckHackUser/registry.c:
--------------------------------------------------------------------------------
#include "registry.h"

BOOLEAN RegistryDoesKeyExist(PCWSTR Key) {
    HKEY temp;
    return !(RegOpenKeyEx(HKEY_LOCAL_MACHINE, Key, 0, KEY_READ, &temp));
}

BOOLEAN RegistryCreateKey(PCWSTR Key) {
    DWORD dwDisposition;
    HKEY hKey;
    DWORD Ret = RegCreateKeyEx(HKEY_LOCAL_MACHINE, Key, 0, NULL, REG_OPTION_NON_VOLATILE, KEY_ALL_ACCESS, NULL, &hKey, &dwDisposition);
    if (Ret != ERROR_SUCCESS) {
        return FALSE;
    }
    RegCloseKey(hKey);
    return TRUE;
}

BOOLEAN RegistryWriteDword32(PCWSTR Key, PCWSTR ValueName, DWORD32 Value) {
    HKEY hKey;
    DWORD Ret = RegOpenKeyEx(HKEY_LOCAL_MACHINE, Key, 0, KEY_WRITE, &hKey);
    if (Ret == ERROR_SUCCESS) {
        if (RegSetValueEx(hKey, ValueName, 0, REG_DWORD, (BYTE*)(&Value), sizeof(Value))) {
            RegCloseKey(hKey);
            return FALSE;
        }
        RegCloseKey(hKey);
        return TRUE;
    }
    return FALSE;
}

BOOLEAN RegistryWriteString(PCWSTR Key, PCWSTR ValueName, PCWSTR Value) {
    DWORD Ret;
    HKEY hKey;
    Ret = RegOpenKeyEx(HKEY_LOCAL_MACHINE, Key, 0, KEY_WRITE, &hKey);
    if (Ret == ERROR_SUCCESS) {
        if (RegSetValueEx(hKey, ValueName, 0, REG_SZ, (LPBYTE)(Value), ((((DWORD)lstrlen(Value) + 1)) * 2))) {
            RegCloseKey(hKey);
            return FALSE;
        }
        RegCloseKey(hKey);
        return TRUE;
    }
    return FALSE;
}
--------------------------------------------------------------------------------
/BugCheckHackUser/registry.h:
--------------------------------------------------------------------------------
#pragma once

#include <Windows.h>

BOOLEAN RegistryDoesKeyExist(PCWSTR Key);
BOOLEAN RegistryCreateKey(PCWSTR Key);
BOOLEAN RegistryWriteDword32(PCWSTR Key, PCWSTR ValueName, DWORD32 Value);
BOOLEAN RegistryWriteString(PCWSTR Key, PCWSTR ValueName, PCWSTR Value);
--------------------------------------------------------------------------------
/BugCheckHackUser/service.c:
--------------------------------------------------------------------------------
#include "service.h"

BOOLEAN ServiceCreate(PCWSTR Name, PCWSTR Path) {
    SC_HANDLE pSCM = OpenSCManagerW(NULL, NULL,
        SC_MANAGER_CREATE_SERVICE);
    if (!pSCM)
        return FALSE;
    // Registered as an auto-start kernel driver, so it loads at every boot
    SC_HANDLE pService = CreateService(
        pSCM,
        Name,
        Name,
        SERVICE_ALL_ACCESS,
        SERVICE_KERNEL_DRIVER,
        SERVICE_AUTO_START,
        SERVICE_ERROR_IGNORE,
        Path,
        NULL, NULL, NULL, NULL, NULL
    );
    if (!pService) {
        CloseServiceHandle(pSCM);
        return FALSE;
    }
    CloseServiceHandle(pService);
    CloseServiceHandle(pSCM);
    return TRUE;
}

BOOLEAN ServiceDelete(PCWSTR Name) {
    SC_HANDLE pSCM = OpenSCManagerW(NULL, NULL,
        SC_MANAGER_CREATE_SERVICE);
    if (!pSCM)
        return FALSE;
    SC_HANDLE pService = OpenService(pSCM, Name, SERVICE_ALL_ACCESS);
    if (!pService) {
        CloseServiceHandle(pSCM);
        return FALSE;
    }
    BOOLEAN ret = DeleteService(pService);
    CloseServiceHandle(pService);
    CloseServiceHandle(pSCM);
    return ret;
}

BOOLEAN ServiceStart(PCWSTR Name) {
    SC_HANDLE pSCM = OpenSCManagerW(NULL, NULL,
        SC_MANAGER_CREATE_SERVICE);
    if (!pSCM)
        return FALSE;

    SC_HANDLE pService = OpenService(pSCM, Name, SERVICE_ALL_ACCESS);
    if (!pService) {
        CloseServiceHandle(pSCM);
        return FALSE;
    }
    BOOLEAN ret = (StartService(pService, 0, NULL) || GetLastError() == 0x287);
    CloseServiceHandle(pService);
    CloseServiceHandle(pSCM);
    return ret;
}
--------------------------------------------------------------------------------
/BugCheckHackUser/service.h:
--------------------------------------------------------------------------------
#pragma once

#include <Windows.h>

BOOLEAN ServiceCreate(PCWSTR Name, PCWSTR Path);
BOOLEAN ServiceDelete(PCWSTR Name);
BOOLEAN ServiceStart(PCWSTR Name);
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# BugCheckHack
Modify your BSOD!

# Note

This works on real hardware, but I recommend running it in a virtual machine.

Make sure you have internet access, as this tool downloads PDB files to get the offsets of the required functions.

Windows builds from 19041.* to the current 22000.556 should work.

The service created by the program is Automatic, and the driver will load at startup.

You can change the service setting by using the `sc` tool.

# How to use

1) Enable test signing by running
```
bcdedit /set testsigning on
```
2) Copy `BugCheckHack.sys` over to your Windows folder

3) Launch the program as an administrator

![Program](https://cdn.discordapp.com/attachments/855872050132811796/978613277586243605/unknown.png)

4) Fill in your values and click `Save values`

5) Create the service, then run the service

6) If everything went correctly, you should get a message saying "Successfully modified the BSOD"

# Aero BSOD

This option overwrites `BgpClearScreen` with `0xc3` (`ret`), so whatever was present on the screen stays displayed during the BSOD.

# Images

![WeDontKnowwhereyourPCis](https://cdn.discordapp.com/attachments/855872050132811796/978650524045963264/unknown.png)
![OmameBSOD](https://cdn.discordapp.com/attachments/413430340388913171/978623156875055134/unknown.png)
[Cat's owner](https://omame.xyz/)

# Resources used

[Libvalinet](https://github.com/valinet/libvalinet/) for downloading and finding offsets in `ntoskrnl.exe` using the pdb.

[Unknowncheats](https://www.unknowncheats.me/forum/general-programming-and-reversing/427419-getkernelbase.html) for getting the kernel base address in the driver.

[Stackoverflow](https://stackoverflow.com/a/41808496) for figuring out how to make the program look nicer and not something from Windows 3.1.
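
The PDB download mentioned in the note keys the symbol-server path on the CodeView `RSDS` record of `ntoskrnl.exe`. The block below is an added example, not code from this repository: a portable version of that path construction with the length and file-name checks a parser of untrusted PE files would want. `build_symbol_path`, `name_is_safe` and the sample record are hypothetical and constructed for illustration; only the `/download/symbols/` prefix and the GUID/Age formatting follow `pdb.h`.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RSDS_FIXED_LEN 24u /* "RSDS" + 16-byte GUID + 4-byte Age */

/* Constructed sample record (not taken from a real binary). */
static const uint8_t SAMPLE_RSDS[] = {
    'R', 'S', 'D', 'S',
    0x78, 0x56, 0x34, 0x12,                         /* Guid.Data1 (LE) */
    0xBC, 0x9A,                                     /* Guid.Data2 (LE) */
    0xF0, 0xDE,                                     /* Guid.Data3 (LE) */
    0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF, /* Guid.Data4      */
    0xA3, 0x01, 0x00, 0x00,                         /* Age = 0x1a3     */
    'n', 't', 'k', 'r', 'n', 'l', 'm', 'p', '.', 'p', 'd', 'b', '\0'
};

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static uint16_t rd16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* The name ends up in a URL path and in a local file path, so accept
 * only a bare file name: no separators, drive colons, URL
 * metacharacters or control bytes, and not "." or "..". */
static int name_is_safe(const char *s, size_t len)
{
    if (len == 0 || (len == 1 && s[0] == '.') ||
        (len == 2 && s[0] == '.' && s[1] == '.'))
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c <= 0x20 || c >= 0x7f || strchr("/\\:?#%", c) != NULL)
            return 0;
    }
    return 1;
}

/* Builds "/download/symbols/<name>/<GUID><age>/<name>" from a raw RSDS
 * record of rec_len bytes. Returns 0 on success, negative on rejection. */
int build_symbol_path(const uint8_t *rec, size_t rec_len,
                      char *out, size_t out_len)
{
    if (rec == NULL || out == NULL || rec_len <= RSDS_FIXED_LEN)
        return -1;                       /* too short to hold a name */
    if (memcmp(rec, "RSDS", 4) != 0)
        return -2;                       /* not a PDB 7.0 record */

    const char *name = (const char *)rec + RSDS_FIXED_LEN;
    const char *nul = memchr(name, '\0', rec_len - RSDS_FIXED_LEN);
    if (nul == NULL)
        return -3;                       /* name runs off the record */
    if (!name_is_safe(name, (size_t)(nul - name)))
        return -4;

    const uint8_t *g = rec + 4;
    /* Age is written with as many hex digits as it needs; snprintf's
     * return value catches any truncation of the whole path. */
    int n = snprintf(out, out_len,
        "/download/symbols/%s/%08X%04X%04X%02X%02X%02X%02X%02X%02X%02X%02X%x/%s",
        name, (unsigned)rd32(g), (unsigned)rd16(g + 4), (unsigned)rd16(g + 6),
        g[8], g[9], g[10], g[11], g[12], g[13], g[14], g[15],
        (unsigned)rd32(rec + 20), name);
    if (n < 0 || (size_t)n >= out_len)
        return -5;                       /* output buffer too small */
    return 0;
}

int main(void)
{
    char path[128];
    int rc = build_symbol_path(SAMPLE_RSDS, sizeof SAMPLE_RSDS, path, sizeof path);
    if (rc != 0) {
        fprintf(stderr, "record rejected: %d\n", rc);
        return 1;
    }
    puts(path);
    return 0;
}
```

A record whose name carries a directory component is rejected here rather than trimmed, so a caller has to decide explicitly how to treat build-machine paths.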
--------------------------------------------------------------------------------