├── .gitattributes
├── .gitignore
├── AngryWindows.sln
├── AngryWindows
    ├── AngryWindows.inf
    ├── AngryWindows.vcxproj
    ├── AngryWindows.vcxproj.filters
    ├── Source.cpp
    ├── bluescreen.cpp
    ├── bluescreen.h
    ├── resolve.cpp
    ├── resolve.h
    └── typedefs.h
├── Images
    └── Capture.PNG
├── LICENSE
└── README.md


/.gitattributes:
--------------------------------------------------------------------------------
 1 | ###############################################################################
 2 | # Set default behavior to automatically normalize line endings.
 3 | ###############################################################################
 4 | * text=auto
 5 | 
 6 | ###############################################################################
 7 | # Set default behavior for command prompt diff.
 8 | #
 9 | # This is need for earlier builds of msysgit that does not have it on by
10 | # default for csharp files.
11 | # Note: This is only used by command line
12 | ###############################################################################
13 | #*.cs     diff=csharp
14 | 
15 | ###############################################################################
16 | # Set the merge driver for project and solution files
17 | #
18 | # Merging from the command prompt will add diff markers to the files if there
19 | # are conflicts (Merging from VS is not affected by the settings below, in VS
20 | # the diff markers are never inserted). Diff markers may cause the following 
21 | # file extensions to fail to load in VS. An alternative would be to treat
22 | # these files as binary and thus will always conflict and require user
23 | # intervention with every merge. To do so, just uncomment the entries below
24 | ###############################################################################
25 | #*.sln       merge=binary
26 | #*.csproj    merge=binary
27 | #*.vbproj    merge=binary
28 | #*.vcxproj   merge=binary
29 | #*.vcproj    merge=binary
30 | #*.dbproj    merge=binary
31 | #*.fsproj    merge=binary
32 | #*.lsproj    merge=binary
33 | #*.wixproj   merge=binary
34 | #*.modelproj merge=binary
35 | #*.sqlproj   merge=binary
36 | #*.wwaproj   merge=binary
37 | 
38 | ###############################################################################
39 | # behavior for image files
40 | #
41 | # image files are treated as binary by default.
42 | ###############################################################################
43 | #*.jpg   binary
44 | #*.png   binary
45 | #*.gif   binary
46 | 
47 | ###############################################################################
48 | # diff behavior for common document formats
49 | # 
50 | # Convert binary document formats to text before diffing them. This feature
51 | # is only available from the command line. Turn it on by uncommenting the 
52 | # entries below.
53 | ###############################################################################
54 | #*.doc   diff=astextplain
55 | #*.DOC   diff=astextplain
56 | #*.docx  diff=astextplain
57 | #*.DOCX  diff=astextplain
58 | #*.dot   diff=astextplain
59 | #*.DOT   diff=astextplain
60 | #*.pdf   diff=astextplain
61 | #*.PDF   diff=astextplain
62 | #*.rtf   diff=astextplain
63 | #*.RTF   diff=astextplain
64 | 


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
  1 | ## Ignore Visual Studio temporary files, build results, and
  2 | ## files generated by popular Visual Studio add-ons.
  3 | ##
  4 | ## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore
  5 | 
  6 | # User-specific files
  7 | *.rsuser
  8 | *.suo
  9 | *.user
 10 | *.userosscache
 11 | *.sln.docstates
 12 | 
 13 | # User-specific files (MonoDevelop/Xamarin Studio)
 14 | *.userprefs
 15 | 
 16 | # Mono auto generated files
 17 | mono_crash.*
 18 | 
 19 | # Build results
 20 | [Dd]ebug/
 21 | [Dd]ebugPublic/
 22 | [Rr]elease/
 23 | [Rr]eleases/
 24 | x64/
 25 | x86/
 26 | [Ww][Ii][Nn]32/
 27 | [Aa][Rr][Mm]/
 28 | [Aa][Rr][Mm]64/
 29 | bld/
 30 | [Bb]in/
 31 | [Oo]bj/
 32 | [Oo]ut/
 33 | [Ll]og/
 34 | [Ll]ogs/
 35 | 
 36 | # Visual Studio 2015/2017 cache/options directory
 37 | .vs/
 38 | # Uncomment if you have tasks that create the project's static files in wwwroot
 39 | #wwwroot/
 40 | 
 41 | # Visual Studio 2017 auto generated files
 42 | Generated\ Files/
 43 | 
 44 | # MSTest test Results
 45 | [Tt]est[Rr]esult*/
 46 | [Bb]uild[Ll]og.*
 47 | 
 48 | # NUnit
 49 | *.VisualState.xml
 50 | TestResult.xml
 51 | nunit-*.xml
 52 | 
 53 | # Build Results of an ATL Project
 54 | [Dd]ebugPS/
 55 | [Rr]eleasePS/
 56 | dlldata.c
 57 | 
 58 | # Benchmark Results
 59 | BenchmarkDotNet.Artifacts/
 60 | 
 61 | # .NET Core
 62 | project.lock.json
 63 | project.fragment.lock.json
 64 | artifacts/
 65 | 
 66 | # ASP.NET Scaffolding
 67 | ScaffoldingReadMe.txt
 68 | 
 69 | # StyleCop
 70 | StyleCopReport.xml
 71 | 
 72 | # Files built by Visual Studio
 73 | *_i.c
 74 | *_p.c
 75 | *_h.h
 76 | *.ilk
 77 | *.meta
 78 | *.obj
 79 | *.iobj
 80 | *.pch
 81 | *.pdb
 82 | *.ipdb
 83 | *.pgc
 84 | *.pgd
 85 | *.rsp
 86 | *.sbr
 87 | *.tlb
 88 | *.tli
 89 | *.tlh
 90 | *.tmp
 91 | *.tmp_proj
 92 | *_wpftmp.csproj
 93 | *.log
 94 | *.vspscc
 95 | *.vssscc
 96 | .builds
 97 | *.pidb
 98 | *.svclog
 99 | *.scc
100 | 
101 | # Chutzpah Test files
102 | _Chutzpah*
103 | 
104 | # Visual C++ cache files
105 | ipch/
106 | *.aps
107 | *.ncb
108 | *.opendb
109 | *.opensdf
110 | *.sdf
111 | *.cachefile
112 | *.VC.db
113 | *.VC.VC.opendb
114 | 
115 | # Visual Studio profiler
116 | *.psess
117 | *.vsp
118 | *.vspx
119 | *.sap
120 | 
121 | # Visual Studio Trace Files
122 | *.e2e
123 | 
124 | # TFS 2012 Local Workspace
125 | $tf/
126 | 
127 | # Guidance Automation Toolkit
128 | *.gpState
129 | 
130 | # ReSharper is a .NET coding add-in
131 | _ReSharper*/
132 | *.[Rr]e[Ss]harper
133 | *.DotSettings.user
134 | 
135 | # TeamCity is a build add-in
136 | _TeamCity*
137 | 
138 | # DotCover is a Code Coverage Tool
139 | *.dotCover
140 | 
141 | # AxoCover is a Code Coverage Tool
142 | .axoCover/*
143 | !.axoCover/settings.json
144 | 
145 | # Coverlet is a free, cross platform Code Coverage Tool
146 | coverage*.json
147 | coverage*.xml
148 | coverage*.info
149 | 
150 | # Visual Studio code coverage results
151 | *.coverage
152 | *.coveragexml
153 | 
154 | # NCrunch
155 | _NCrunch_*
156 | .*crunch*.local.xml
157 | nCrunchTemp_*
158 | 
159 | # MightyMoose
160 | *.mm.*
161 | AutoTest.Net/
162 | 
163 | # Web workbench (sass)
164 | .sass-cache/
165 | 
166 | # Installshield output folder
167 | [Ee]xpress/
168 | 
169 | # DocProject is a documentation generator add-in
170 | DocProject/buildhelp/
171 | DocProject/Help/*.HxT
172 | DocProject/Help/*.HxC
173 | DocProject/Help/*.hhc
174 | DocProject/Help/*.hhk
175 | DocProject/Help/*.hhp
176 | DocProject/Help/Html2
177 | DocProject/Help/html
178 | 
179 | # Click-Once directory
180 | publish/
181 | 
182 | # Publish Web Output
183 | *.[Pp]ublish.xml
184 | *.azurePubxml
185 | # Note: Comment the next line if you want to checkin your web deploy settings,
186 | # but database connection strings (with potential passwords) will be unencrypted
187 | *.pubxml
188 | *.publishproj
189 | 
190 | # Microsoft Azure Web App publish settings. Comment the next line if you want to
191 | # checkin your Azure Web App publish settings, but sensitive information contained
192 | # in these scripts will be unencrypted
193 | PublishScripts/
194 | 
195 | # NuGet Packages
196 | *.nupkg
197 | # NuGet Symbol Packages
198 | *.snupkg
199 | # The packages folder can be ignored because of Package Restore
200 | **/[Pp]ackages/*
201 | # except build/, which is used as an MSBuild target.
202 | !**/[Pp]ackages/build/
203 | # Uncomment if necessary however generally it will be regenerated when needed
204 | #!**/[Pp]ackages/repositories.config
205 | # NuGet v3's project.json files produces more ignorable files
206 | *.nuget.props
207 | *.nuget.targets
208 | 
209 | # Microsoft Azure Build Output
210 | csx/
211 | *.build.csdef
212 | 
213 | # Microsoft Azure Emulator
214 | ecf/
215 | rcf/
216 | 
217 | # Windows Store app package directories and files
218 | AppPackages/
219 | BundleArtifacts/
220 | Package.StoreAssociation.xml
221 | _pkginfo.txt
222 | *.appx
223 | *.appxbundle
224 | *.appxupload
225 | 
226 | # Visual Studio cache files
227 | # files ending in .cache can be ignored
228 | *.[Cc]ache
229 | # but keep track of directories ending in .cache
230 | !?*.[Cc]ache/
231 | 
232 | # Others
233 | ClientBin/
234 | ~$*
235 | *~
236 | *.dbmdl
237 | *.dbproj.schemaview
238 | *.jfm
239 | *.pfx
240 | *.publishsettings
241 | orleans.codegen.cs
242 | 
243 | # Including strong name files can present a security risk
244 | # (https://github.com/github/gitignore/pull/2483#issue-259490424)
245 | #*.snk
246 | 
247 | # Since there are multiple workflows, uncomment next line to ignore bower_components
248 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
249 | #bower_components/
250 | 
251 | # RIA/Silverlight projects
252 | Generated_Code/
253 | 
254 | # Backup & report files from converting an old project file
255 | # to a newer Visual Studio version. Backup files are not needed,
256 | # because we have git ;-)
257 | _UpgradeReport_Files/
258 | Backup*/
259 | UpgradeLog*.XML
260 | UpgradeLog*.htm
261 | ServiceFabricBackup/
262 | *.rptproj.bak
263 | 
264 | # SQL Server files
265 | *.mdf
266 | *.ldf
267 | *.ndf
268 | 
269 | # Business Intelligence projects
270 | *.rdl.data
271 | *.bim.layout
272 | *.bim_*.settings
273 | *.rptproj.rsuser
274 | *- [Bb]ackup.rdl
275 | *- [Bb]ackup ([0-9]).rdl
276 | *- [Bb]ackup ([0-9][0-9]).rdl
277 | 
278 | # Microsoft Fakes
279 | FakesAssemblies/
280 | 
281 | # GhostDoc plugin setting file
282 | *.GhostDoc.xml
283 | 
284 | # Node.js Tools for Visual Studio
285 | .ntvs_analysis.dat
286 | node_modules/
287 | 
288 | # Visual Studio 6 build log
289 | *.plg
290 | 
291 | # Visual Studio 6 workspace options file
292 | *.opt
293 | 
294 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
295 | *.vbw
296 | 
297 | # Visual Studio LightSwitch build output
298 | **/*.HTMLClient/GeneratedArtifacts
299 | **/*.DesktopClient/GeneratedArtifacts
300 | **/*.DesktopClient/ModelManifest.xml
301 | **/*.Server/GeneratedArtifacts
302 | **/*.Server/ModelManifest.xml
303 | _Pvt_Extensions
304 | 
305 | # Paket dependency manager
306 | .paket/paket.exe
307 | paket-files/
308 | 
309 | # FAKE - F# Make
310 | .fake/
311 | 
312 | # CodeRush personal settings
313 | .cr/personal
314 | 
315 | # Python Tools for Visual Studio (PTVS)
316 | __pycache__/
317 | *.pyc
318 | 
319 | # Cake - Uncomment if you are using it
320 | # tools/**
321 | # !tools/packages.config
322 | 
323 | # Tabs Studio
324 | *.tss
325 | 
326 | # Telerik's JustMock configuration file
327 | *.jmconfig
328 | 
329 | # BizTalk build output
330 | *.btp.cs
331 | *.btm.cs
332 | *.odx.cs
333 | *.xsd.cs
334 | 
335 | # OpenCover UI analysis results
336 | OpenCover/
337 | 
338 | # Azure Stream Analytics local run output
339 | ASALocalRun/
340 | 
341 | # MSBuild Binary and Structured Log
342 | *.binlog
343 | 
344 | # NVidia Nsight GPU debugger configuration file
345 | *.nvuser
346 | 
347 | # MFractors (Xamarin productivity tool) working folder
348 | .mfractor/
349 | 
350 | # Local History for Visual Studio
351 | .localhistory/
352 | 
353 | # BeatPulse healthcheck temp database
354 | healthchecksdb
355 | 
356 | # Backup folder for Package Reference Convert tool in Visual Studio 2017
357 | MigrationBackup/
358 | 
359 | # Ionide (cross platform F# VS Code tools) working folder
360 | .ionide/
361 | 
362 | # Fody - auto-generated XML schema
363 | FodyWeavers.xsd


--------------------------------------------------------------------------------
/AngryWindows.sln:
--------------------------------------------------------------------------------
 1 | 
 2 | Microsoft Visual Studio Solution File, Format Version 12.00
 3 | # Visual Studio Version 16
 4 | VisualStudioVersion = 16.0.31205.134
 5 | MinimumVisualStudioVersion = 10.0.40219.1
 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "AngryWindows", "AngryWindows\AngryWindows.vcxproj", "{0D73C7AD-16EE-40CD-BDB4-D75B761CD82C}"
 7 | EndProject
 8 | Global
 9 | 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | 		Debug|ARM = Debug|ARM
11 | 		Debug|ARM64 = Debug|ARM64
12 | 		Debug|x64 = Debug|x64
13 | 		Debug|x86 = Debug|x86
14 | 		Release|ARM = Release|ARM
15 | 		Release|ARM64 = Release|ARM64
16 | 		Release|x64 = Release|x64
17 | 		Release|x86 = Release|x86
18 | 	EndGlobalSection
19 | 	GlobalSection(ProjectConfigurationPlatforms) = postSolution
20 | 		{0D73C7AD-16EE-40CD-BDB4-D75B761CD82C}.Debug|ARM.ActiveCfg = Debug|ARM
21 | 		{0D73C7AD-16EE-40CD-BDB4-D75B761CD82C}.Debug|ARM.Build.0 = Debug|ARM
22 | 		{0D73C7AD-16EE-40CD-BDB4-D75B761CD82C}.Debug|ARM.Deploy.0 = Debug|ARM
23 | 		{0D73C7AD-16EE-40CD-BDB4-D75B761CD82C}.Debug|ARM64.ActiveCfg = Debug|ARM64
24 | 		{0D73C7AD-16EE-40CD-BDB4-D75B761CD82C}.Debug|ARM64.Build.0 = Debug|ARM64
25 | 		{0D73C7AD-16EE-40CD-BDB4-D75B761CD82C}.Debug|ARM64.Deploy.0 = Debug|ARM64
26 | 		{0D73C7AD-16EE-40CD-BDB4-D75B761CD82C}.Debug|x64.ActiveCfg = Debug|x64
27 | 		{0D73C7AD-16EE-40CD-BDB4-D75B761CD82C}.Debug|x64.Build.0 = Debug|x64
28 | 		{0D73C7AD-16EE-40CD-BDB4-D75B761CD82C}.Debug|x64.Deploy.0 = Debug|x64
29 | 		{0D73C7AD-16EE-40CD-BDB4-D75B761CD82C}.Debug|x86.ActiveCfg = Debug|Win32
30 | 		{0D73C7AD-16EE-40CD-BDB4-D75B761CD82C}.Debug|x86.Build.0 = Debug|Win32
31 | 		{0D73C7AD-16EE-40CD-BDB4-D75B761CD82C}.Debug|x86.Deploy.0 = Debug|Win32
32 | 		{0D73C7AD-16EE-40CD-BDB4-D75B761CD82C}.Release|ARM.ActiveCfg = Release|ARM
33 | 		{0D73C7AD-16EE-40CD-BDB4-D75B761CD82C}.Release|ARM.Build.0 = Release|ARM
34 | 		{0D73C7AD-16EE-40CD-BDB4-D75B761CD82C}.Release|ARM.Deploy.0 = Release|ARM
35 | 		{0D73C7AD-16EE-40CD-BDB4-D75B761CD82C}.Release|ARM64.ActiveCfg = Release|ARM64
36 | 		{0D73C7AD-16EE-40CD-BDB4-D75B761CD82C}.Release|ARM64.Build.0 = Release|ARM64
37 | 		{0D73C7AD-16EE-40CD-BDB4-D75B761CD82C}.Release|ARM64.Deploy.0 = Release|ARM64
38 | 		{0D73C7AD-16EE-40CD-BDB4-D75B761CD82C}.Release|x64.ActiveCfg = Release|x64
39 | 		{0D73C7AD-16EE-40CD-BDB4-D75B761CD82C}.Release|x64.Build.0 = Release|x64
40 | 		{0D73C7AD-16EE-40CD-BDB4-D75B761CD82C}.Release|x64.Deploy.0 = Release|x64
41 | 		{0D73C7AD-16EE-40CD-BDB4-D75B761CD82C}.Release|x86.ActiveCfg = Release|Win32
42 | 		{0D73C7AD-16EE-40CD-BDB4-D75B761CD82C}.Release|x86.Build.0 = Release|Win32
43 | 		{0D73C7AD-16EE-40CD-BDB4-D75B761CD82C}.Release|x86.Deploy.0 = Release|Win32
44 | 	EndGlobalSection
45 | 	GlobalSection(SolutionProperties) = preSolution
46 | 		HideSolutionNode = FALSE
47 | 	EndGlobalSection
48 | 	GlobalSection(ExtensibilityGlobals) = postSolution
49 | 		SolutionGuid = {A6B2C4EA-CFFD-4883-AA62-ACB8842E367A}
50 | 	EndGlobalSection
51 | EndGlobal
52 | 


--------------------------------------------------------------------------------
/AngryWindows/AngryWindows.inf:
--------------------------------------------------------------------------------
 1 | ;
 2 | ; AngryWindows.inf
 3 | ;
 4 | 
 5 | [Version]
 6 | Signature="$WINDOWS NT$"
 7 | Class=System
 8 | ClassGuid={4d36e97d-e325-11ce-bfc1-08002be10318}
 9 | Provider=%ManufacturerName%
10 | DriverVer=
11 | CatalogFile=AngryWindows.cat
12 | PnpLockDown=1
13 | 
14 | [DestinationDirs]
15 | DefaultDestDir = 12
16 | 
17 | 
18 | [SourceDisksNames]
19 | 1 = %DiskName%,,,""
20 | 
21 | [SourceDisksFiles]
22 | 
23 | 
24 | [DefaultInstall.NT$ARCH$]
25 | 
26 | 
27 | [Strings]
28 | ManufacturerName="<Your manufacturer name>" ;TODO: Replace with your manufacturer name
29 | ClassName=""
30 | DiskName="AngryWindows Source Disk"
31 | 


--------------------------------------------------------------------------------
/AngryWindows/AngryWindows.vcxproj:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="utf-8"?>
  2 | <Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  3 |   <ItemGroup Label="ProjectConfigurations">
  4 |     <ProjectConfiguration Include="Debug|Win32">
  5 |       <Configuration>Debug</Configuration>
  6 |       <Platform>Win32</Platform>
  7 |     </ProjectConfiguration>
  8 |     <ProjectConfiguration Include="Release|Win32">
  9 |       <Configuration>Release</Configuration>
 10 |       <Platform>Win32</Platform>
 11 |     </ProjectConfiguration>
 12 |     <ProjectConfiguration Include="Debug|x64">
 13 |       <Configuration>Debug</Configuration>
 14 |       <Platform>x64</Platform>
 15 |     </ProjectConfiguration>
 16 |     <ProjectConfiguration Include="Release|x64">
 17 |       <Configuration>Release</Configuration>
 18 |       <Platform>x64</Platform>
 19 |     </ProjectConfiguration>
 20 |     <ProjectConfiguration Include="Debug|ARM">
 21 |       <Configuration>Debug</Configuration>
 22 |       <Platform>ARM</Platform>
 23 |     </ProjectConfiguration>
 24 |     <ProjectConfiguration Include="Release|ARM">
 25 |       <Configuration>Release</Configuration>
 26 |       <Platform>ARM</Platform>
 27 |     </ProjectConfiguration>
 28 |     <ProjectConfiguration Include="Debug|ARM64">
 29 |       <Configuration>Debug</Configuration>
 30 |       <Platform>ARM64</Platform>
 31 |     </ProjectConfiguration>
 32 |     <ProjectConfiguration Include="Release|ARM64">
 33 |       <Configuration>Release</Configuration>
 34 |       <Platform>ARM64</Platform>
 35 |     </ProjectConfiguration>
 36 |   </ItemGroup>
 37 |   <PropertyGroup Label="Globals">
 38 |     <ProjectGuid>{0D73C7AD-16EE-40CD-BDB4-D75B761CD82C}</ProjectGuid>
 39 |     <TemplateGuid>{dd38f7fc-d7bd-488b-9242-7d8754cde80d}</TemplateGuid>
 40 |     <TargetFrameworkVersion>v4.5</TargetFrameworkVersion>
 41 |     <MinimumVisualStudioVersion>12.0</MinimumVisualStudioVersion>
 42 |     <Configuration>Debug</Configuration>
 43 |     <Platform Condition="'$(Platform)' == ''">Win32</Platform>
 44 |     <RootNamespace>AngryWindows</RootNamespace>
 45 |   </PropertyGroup>
 46 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
 47 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
 48 |     <TargetVersion>Windows10</TargetVersion>
 49 |     <UseDebugLibraries>true</UseDebugLibraries>
 50 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
 51 |     <ConfigurationType>Driver</ConfigurationType>
 52 |     <DriverType>WDM</DriverType>
 53 |   </PropertyGroup>
 54 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
 55 |     <TargetVersion>Windows10</TargetVersion>
 56 |     <UseDebugLibraries>false</UseDebugLibraries>
 57 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
 58 |     <ConfigurationType>Driver</ConfigurationType>
 59 |     <DriverType>WDM</DriverType>
 60 |   </PropertyGroup>
 61 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
 62 |     <TargetVersion>Windows10</TargetVersion>
 63 |     <UseDebugLibraries>true</UseDebugLibraries>
 64 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
 65 |     <ConfigurationType>Driver</ConfigurationType>
 66 |     <DriverType>WDM</DriverType>
 67 |   </PropertyGroup>
 68 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
 69 |     <TargetVersion>Windows10</TargetVersion>
 70 |     <UseDebugLibraries>false</UseDebugLibraries>
 71 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
 72 |     <ConfigurationType>Driver</ConfigurationType>
 73 |     <DriverType>WDM</DriverType>
 74 |   </PropertyGroup>
 75 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'" Label="Configuration">
 76 |     <TargetVersion>Windows10</TargetVersion>
 77 |     <UseDebugLibraries>true</UseDebugLibraries>
 78 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
 79 |     <ConfigurationType>Driver</ConfigurationType>
 80 |     <DriverType>WDM</DriverType>
 81 |   </PropertyGroup>
 82 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'" Label="Configuration">
 83 |     <TargetVersion>Windows10</TargetVersion>
 84 |     <UseDebugLibraries>false</UseDebugLibraries>
 85 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
 86 |     <ConfigurationType>Driver</ConfigurationType>
 87 |     <DriverType>WDM</DriverType>
 88 |   </PropertyGroup>
 89 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'" Label="Configuration">
 90 |     <TargetVersion>Windows10</TargetVersion>
 91 |     <UseDebugLibraries>true</UseDebugLibraries>
 92 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
 93 |     <ConfigurationType>Driver</ConfigurationType>
 94 |     <DriverType>WDM</DriverType>
 95 |   </PropertyGroup>
 96 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'" Label="Configuration">
 97 |     <TargetVersion>Windows10</TargetVersion>
 98 |     <UseDebugLibraries>false</UseDebugLibraries>
 99 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
100 |     <ConfigurationType>Driver</ConfigurationType>
101 |     <DriverType>WDM</DriverType>
102 |   </PropertyGroup>
103 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
104 |   <ImportGroup Label="ExtensionSettings">
105 |   </ImportGroup>
106 |   <ImportGroup Label="PropertySheets">
107 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
108 |   </ImportGroup>
109 |   <PropertyGroup Label="UserMacros" />
110 |   <PropertyGroup />
111 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
112 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
113 |   </PropertyGroup>
114 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
115 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
116 |   </PropertyGroup>
117 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
118 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
119 |   </PropertyGroup>
120 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
121 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
122 |   </PropertyGroup>
123 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'">
124 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
125 |   </PropertyGroup>
126 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'">
127 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
128 |   </PropertyGroup>
129 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'">
130 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
131 |   </PropertyGroup>
132 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'">
133 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
134 |   </PropertyGroup>
135 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
136 |     <Link>
137 |       <AdditionalLibraryDirectories>
138 |       </AdditionalLibraryDirectories>
139 |       <AdditionalDependencies>%(AdditionalDependencies);$(KernelBufferOverflowLib);$(DDK_LIB_PATH)ntoskrnl.lib;$(DDK_LIB_PATH)hal.lib;$(DDK_LIB_PATH)wmilib.lib</AdditionalDependencies>
140 |     </Link>
141 |   </ItemDefinitionGroup>
142 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
143 |     <Link>
144 |       <AdditionalLibraryDirectories>
145 |       </AdditionalLibraryDirectories>
146 |       <AdditionalDependencies>%(AdditionalDependencies);$(KernelBufferOverflowLib);$(DDK_LIB_PATH)ntoskrnl.lib;$(DDK_LIB_PATH)hal.lib;$(DDK_LIB_PATH)wmilib.lib</AdditionalDependencies>
147 |     </Link>
148 |   </ItemDefinitionGroup>
149 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
150 |     <Link>
151 |       <AdditionalLibraryDirectories>
152 |       </AdditionalLibraryDirectories>
153 |       <AdditionalDependencies>%(AdditionalDependencies);$(KernelBufferOverflowLib);$(DDK_LIB_PATH)ntoskrnl.lib;$(DDK_LIB_PATH)hal.lib;$(DDK_LIB_PATH)wmilib.lib</AdditionalDependencies>
154 |     </Link>
155 |   </ItemDefinitionGroup>
156 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
157 |     <Link>
158 |       <AdditionalLibraryDirectories>
159 |       </AdditionalLibraryDirectories>
160 |       <AdditionalDependencies>%(AdditionalDependencies);$(KernelBufferOverflowLib);$(DDK_LIB_PATH)ntoskrnl.lib;$(DDK_LIB_PATH)hal.lib;$(DDK_LIB_PATH)wmilib.lib</AdditionalDependencies>
161 |     </Link>
162 |   </ItemDefinitionGroup>
163 |   <ItemGroup>
164 |     <Inf Include="AngryWindows.inf" />
165 |   </ItemGroup>
166 |   <ItemGroup>
167 |     <FilesToPackage Include="$(TargetPath)" />
168 |   </ItemGroup>
169 |   <ItemGroup>
170 |     <ClCompile Include="bluescreen.cpp" />
171 |     <ClCompile Include="resolve.cpp" />
172 |     <ClCompile Include="Source.cpp" />
173 |   </ItemGroup>
174 |   <ItemGroup>
175 |     <ClInclude Include="bluescreen.h" />
176 |     <ClInclude Include="resolve.h" />
177 |     <ClInclude Include="typedefs.h" />
178 |   </ItemGroup>
179 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
180 |   <ImportGroup Label="ExtensionTargets">
181 |   </ImportGroup>
182 | </Project>


--------------------------------------------------------------------------------
/AngryWindows/AngryWindows.vcxproj.filters:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 3 |   <ItemGroup>
 4 |     <Filter Include="Source Files">
 5 |       <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
 6 |       <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
 7 |     </Filter>
 8 |     <Filter Include="Header Files">
 9 |       <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
10 |       <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
11 |     </Filter>
12 |     <Filter Include="Resource Files">
13 |       <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
14 |       <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
15 |     </Filter>
16 |     <Filter Include="Driver Files">
17 |       <UniqueIdentifier>{8E41214B-6785-4CFE-B992-037D68949A14}</UniqueIdentifier>
18 |       <Extensions>inf;inv;inx;mof;mc;</Extensions>
19 |     </Filter>
20 |   </ItemGroup>
21 |   <ItemGroup>
22 |     <Inf Include="AngryWindows.inf">
23 |       <Filter>Driver Files</Filter>
24 |     </Inf>
25 |   </ItemGroup>
26 |   <ItemGroup>
27 |     <ClCompile Include="Source.cpp">
28 |       <Filter>Source Files</Filter>
29 |     </ClCompile>
30 |     <ClCompile Include="resolve.cpp">
31 |       <Filter>Source Files</Filter>
32 |     </ClCompile>
33 |     <ClCompile Include="bluescreen.cpp">
34 |       <Filter>Source Files</Filter>
35 |     </ClCompile>
36 |   </ItemGroup>
37 |   <ItemGroup>
38 |     <ClInclude Include="typedefs.h">
39 |       <Filter>Header Files</Filter>
40 |     </ClInclude>
41 |     <ClInclude Include="resolve.h">
42 |       <Filter>Header Files</Filter>
43 |     </ClInclude>
44 |     <ClInclude Include="bluescreen.h">
45 |       <Filter>Header Files</Filter>
46 |     </ClInclude>
47 |   </ItemGroup>
48 | </Project>


--------------------------------------------------------------------------------
/AngryWindows/Source.cpp:
--------------------------------------------------------------------------------
 1 | #include <ntddk.h>
 2 | 
 3 | #include "typedefs.h"
 4 | #include "bluescreen.h"
 5 | 
 6 | PBSOD_INFORMATION g_BsodInformation = nullptr;
 7 | 
 8 | EXTERN_C NTSTATUS DriverEntry(PDRIVER_OBJECT, PUNICODE_STRING)
 9 | {
10 | 	g_BsodInformation = static_cast<PBSOD_INFORMATION>(
11 | 		ExAllocatePool(NonPagedPoolNx, sizeof(BSOD_INFORMATION))
12 | 		);
13 | 	if (g_BsodInformation == NULL)
14 | 	{
15 | 		DbgPrint("[%ws::%d] ExAllocatePool failed: %08x\n", __FUNCTIONW__, __LINE__, STATUS_INSUFFICIENT_RESOURCES);
16 | 		return STATUS_FAILED_DRIVER_ENTRY;
17 | 	}
18 | 	else
19 | 	{
20 | 		RtlSecureZeroMemory(g_BsodInformation, sizeof(BSOD_INFORMATION));
21 | 	}
22 | 
23 | 	///
24 | 	/// Set the emoticon and new error message to be something Walter-like
25 | 	/// 
26 | 	g_BsodInformation->lol = RTL_CONSTANT_STRING(L":8[");
27 | 	g_BsodInformation->Grouch = RTL_CONSTANT_STRING(L"Have you seen your skills? I ain't worried one bit.");
28 | 
29 | 	///
30 | 	/// Anything after ~96 characters overwrites the next buffer, which is the percentage counter so you'll have 
31 | 	/// 100 sippee cu
32 | 	/// L"We're just collecting some error info, and then you can go and cry to yo mama with your precious sippee cup."
33 | 	/// 
34 | 	g_BsodInformation->Insult = RTL_CONSTANT_STRING(L"We're just collecting some error info, and then think of how pathetic you are. Ha, wow.");
35 | 
36 | 	///
37 | 	/// Resolve all the variables needed to dynamically locate the emoji and color variables
38 | 	/// 
39 | 	if (!NT_SUCCESS(bluescreen::initialize()))
40 | 	{
41 | 		return STATUS_FAILED_DRIVER_ENTRY;
42 | 	}
43 | 
44 | 	///
45 | 	/// Overwrite the sad face emoji to be something else
46 | 	/// 
47 | 	if (!NT_SUCCESS(bluescreen::OverwriteSadFace()))
48 | 	{
49 | 		return STATUS_FAILED_DRIVER_ENTRY;
50 | 	}
51 | 
52 | 	///
53 | 	/// Overwrite the error messages with something mean
54 | 	/// 
55 | 	if (!NT_SUCCESS(bluescreen::OverwriteErrorMessage(
56 | 		g_BsodInformation->BsodMessageOne,
57 | 		&g_BsodInformation->Grouch
58 | 	)))
59 | 	{
60 | 		return STATUS_FAILED_DRIVER_ENTRY;
61 | 	}
62 | 
63 | 	if (!NT_SUCCESS(bluescreen::OverwriteErrorMessage(
64 | 		g_BsodInformation->BsodMessageTwo,
65 | 		&g_BsodInformation->Insult
66 | 	)))
67 | 	{
68 | 		return STATUS_FAILED_DRIVER_ENTRY;
69 | 	}
70 | 
71 | 	///
72 | 	/// Set the BSOD to be a dark red color
73 | 	/// 
74 | 	if (!NT_SUCCESS(bluescreen::ChangeBsodColor(0xff8b0000)))
75 | 	{
76 | 		return STATUS_FAILED_DRIVER_ENTRY;
77 | 	}
78 | 
79 | 	if (g_BsodInformation)
80 | 	{
81 | 		ExFreePool(g_BsodInformation);
82 | 	}
83 | 
84 | 	///
85 | 	/// No need to completely load/unload the driver as it's just modifying 
86 | 	/// some variables. An error message that comes up when loading this driver
87 | 	/// is normal. 
88 | 	/// 
89 | 	return STATUS_FAILED_DRIVER_ENTRY;
90 | }
91 | 
92 | 
93 | /// EOF


--------------------------------------------------------------------------------
/AngryWindows/bluescreen.cpp:
--------------------------------------------------------------------------------
  1 | #include "bluescreen.h"
  2 | 
  3 | /// <summary>
  4 | /// This will dynamically resolve all the variables needed to be able 
  5 | /// to modify the Bluescreen of Death. If any of the variables are not 
  6 | /// able to be found, STATUS_NOT_FOUND will be returned. 
  7 | /// </summary>
  8 | /// <returns>STATUS_SUCCESS/STATUS_NOT_FOUND</returns>
  9 | NTSTATUS bluescreen::initialize()
 10 | {
 11 | 	UNICODE_STRING SystemRoutineName = RTL_CONSTANT_STRING(L"KeBugCheckEx");
 12 | 
 13 | 	UINT64 KeBugCheck2 = 0;
 14 | 	UINT64 KiDisplayBlueScreen = 0;
 15 | 	UINT64 BgpFwDisplayBugCheckScreen = 0;
 16 | 
 17 | 	PVOID KeBugCheckExAddress = MmGetSystemRoutineAddress(&SystemRoutineName);
 18 | 	if (KeBugCheckExAddress == NULL)
 19 | 	{
 20 | 		DbgPrint("[%ws::%d] Unable to resolve KeBugCheckEx\n", __FUNCTIONW__, __LINE__);
 21 | 		return STATUS_NOT_FOUND;
 22 | 	}
 23 | 
 24 | 	NTSTATUS Status = resolve::KeBugCheck2(
 25 | 		reinterpret_cast<UINT64>(KeBugCheckExAddress), 
 26 | 		&KeBugCheck2
 27 | 	);
 28 | 	if (!NT_SUCCESS(Status) || KeBugCheck2 == 0)
 29 | 	{
 30 | 		DbgPrint("[%ws::%d] Unable to resolve KeBugCheck2\n", __FUNCTIONW__, __LINE__);
 31 | 		return STATUS_NOT_FOUND;
 32 | 	}
 33 | 
 34 | 	Status = resolve::KiDisplayBlueScreen(
 35 | 		KeBugCheck2,
 36 | 		&KiDisplayBlueScreen
 37 | 	);
 38 | 	if (!NT_SUCCESS(Status) || KiDisplayBlueScreen == 0)
 39 | 	{
 40 | 		DbgPrint("[%ws::%d] Unable to resolve KiDisplayBlueScreen\n", __FUNCTIONW__, __LINE__);
 41 | 		return STATUS_NOT_FOUND;
 42 | 	}
 43 | 
 44 | 	Status = resolve::BgpFwDisplayBugCheckScreen(
 45 | 		KiDisplayBlueScreen,
 46 | 		&BgpFwDisplayBugCheckScreen
 47 | 	);
 48 | 	if (!NT_SUCCESS(Status) || BgpFwDisplayBugCheckScreen == 0)
 49 | 	{
 50 | 		DbgPrint("[%ws::%d] Unable to resolve BgpFwDisplayBugCheckScreen\n", __FUNCTIONW__, __LINE__);
 51 | 		return STATUS_NOT_FOUND;
 52 | 	}
 53 | 
 54 | 	resolve::Phrases(BgpFwDisplayBugCheckScreen);
 55 | 
 56 | 	return STATUS_SUCCESS;
 57 | }
 58 | 
 59 | /// <summary>
 60 | /// The location of the sad emoticon is in read only memory. To modify the 
 61 | /// permissions of this location, the physical address is mapped as ReadWrite and then written to. 
 62 | /// This is done twice to adjust the size of the UNICODE_STRING, and then the buffer
 63 | /// itself is mapped as ReadWrite to be able to modify the contents of the buffer. 
 64 | /// The mapped page is then unmapped, and CR0.WP is left alone. 
 65 | /// </summary>
 66 | /// <returns>STATUS_SUCCESS/STATUS_INSUFFICIENT_RESOURCES</returns>
 67 | NTSTATUS bluescreen::OverwriteSadFace()
 68 | {
 69 | 	PHYSICAL_ADDRESS pa = MmGetPhysicalAddress(
 70 | 		//reinterpret_cast<PVOID>(g_BsodInformation->HalpPCIConfigReadHandlers)
 71 | 		reinterpret_cast<PVOID>(g_BsodInformation->Sadface)
 72 | 	);
 73 | 
 74 | 	PUNICODE_STRING mappedAddress = static_cast<PUNICODE_STRING>(
 75 | 		MmMapIoSpace(pa, sizeof(UNICODE_STRING), MmNonCached)
 76 | 		);
 77 | 	if (mappedAddress == NULL)
 78 | 	{
 79 | 		DbgPrint("[%ws::%d] MmMapIoSpace failed: %08x\n", __FUNCTIONW__, __LINE__, STATUS_INSUFFICIENT_RESOURCES);
 80 | 		return STATUS_INSUFFICIENT_RESOURCES;
 81 | 	}
 82 | 
 83 | 	mappedAddress->Length = g_BsodInformation->lol.Length;
 84 | 	mappedAddress->MaximumLength = g_BsodInformation->lol.MaximumLength;
 85 | 
 86 | 	PHYSICAL_ADDRESS paBuffer = MmGetPhysicalAddress(mappedAddress->Buffer);
 87 | 
 88 | 	PVOID mappedBuffer = MmMapIoSpace(paBuffer, mappedAddress->MaximumLength, MmNonCached);
 89 | 	if (mappedBuffer == NULL)
 90 | 	{
 91 | 		MmUnmapIoSpace(mappedAddress, sizeof(UNICODE_STRING));
 92 | 		DbgPrint("[%ws::%d] MmMapIoSpace failed: %08x\n", __FUNCTIONW__, __LINE__, STATUS_INSUFFICIENT_RESOURCES);
 93 | 		return STATUS_INSUFFICIENT_RESOURCES;
 94 | 	}
 95 | 
 96 | 	RtlCopyMemory(mappedBuffer, g_BsodInformation->lol.Buffer, g_BsodInformation->lol.Length);
 97 | 
 98 | 	MmUnmapIoSpace(mappedBuffer, mappedAddress->MaximumLength);
 99 | 	MmUnmapIoSpace(mappedAddress, sizeof(UNICODE_STRING));
100 | 
101 | 	return STATUS_SUCCESS;
102 | }
103 | 
104 | /// <summary>
105 | /// The same principal applies for the location of the error message. The location it lies at is
106 | /// read only. The same steps for modifying the sad face emoticon applies here as well. 
107 | /// </summary>
108 | /// <returns>STATUS_SUCCESS/STATUS_INSUFFICIENT_RESOURCES</returns>
109 | NTSTATUS bluescreen::OverwriteErrorMessage(PUNICODE_STRING error, PUNICODE_STRING replace)
110 | {
111 | 	PHYSICAL_ADDRESS pa = MmGetPhysicalAddress(
112 | 		reinterpret_cast<PVOID>(error)
113 | 	);
114 | 
115 | 	PUNICODE_STRING mappedAddress = reinterpret_cast<PUNICODE_STRING>(
116 | 		MmMapIoSpace(pa, sizeof(UNICODE_STRING), MmNonCached)
117 | 		);
118 | 	if (mappedAddress == NULL)
119 | 	{
120 | 		DbgPrint("[%ws::%d] MmMapIoSpace failed: %08x\n", __FUNCTIONW__, __LINE__, STATUS_INSUFFICIENT_RESOURCES);
121 | 		return STATUS_INSUFFICIENT_RESOURCES;
122 | 	}
123 | 
124 | 	mappedAddress->Length = replace->Length;
125 | 	mappedAddress->MaximumLength = replace->MaximumLength;
126 | 
127 | 	PHYSICAL_ADDRESS paBuffer = MmGetPhysicalAddress(mappedAddress->Buffer);
128 | 
129 | 	PVOID mappedBuffer = MmMapIoSpace(paBuffer, mappedAddress->MaximumLength, MmNonCached);
130 | 	if (mappedBuffer == NULL)
131 | 	{
132 | 		MmUnmapIoSpace(mappedAddress, sizeof(UNICODE_STRING));
133 | 
134 | 		DbgPrint("[%ws::%d] MmMapIoSpace failed: %08x\n", __FUNCTIONW__, __LINE__, STATUS_INSUFFICIENT_RESOURCES);
135 | 		return STATUS_INSUFFICIENT_RESOURCES;
136 | 	}
137 | 
138 | 	RtlCopyMemory(mappedBuffer, replace->Buffer, replace->Length);
139 | 
140 | 	MmUnmapIoSpace(mappedBuffer, mappedAddress->MaximumLength);
141 | 	MmUnmapIoSpace(mappedAddress, sizeof(UNICODE_STRING));
142 | 
143 | 	return STATUS_SUCCESS;
144 | }
145 | 
146 | /// <summary>
147 | /// The color it takes in to change the Bluescreen of Death is of type UINT32 and in
148 | /// ARGB format. There is no need to modify the permissions of the page as it is 
149 | /// read/write. 
150 | /// </summary>
151 | /// <param name="color"></param>
152 | /// <returns>STATUS_SUCCESS</returns>
153 | NTSTATUS bluescreen::ChangeBsodColor(UINT32 color)
154 | {
155 | 	RtlCopyMemory(
156 | 		&g_BsodInformation->AddressOfColorVar,
157 | 		reinterpret_cast<PVOID>(g_BsodInformation->EtwpLastBranchEntry),
158 | 		sizeof(g_BsodInformation->EtwpLastBranchEntry)
159 | 	);
160 | 
161 | 	g_BsodInformation->AddressOfColorVar += g_BsodInformation->offset;
162 | 
163 | 	RtlCopyMemory(
164 | 		&g_BsodInformation->AddressOfColorVar,
165 | 		reinterpret_cast<PVOID>(g_BsodInformation->AddressOfColorVar),
166 | 		sizeof(g_BsodInformation->AddressOfColorVar)
167 | 	);
168 | 
169 | 	g_BsodInformation->AddressOfColorVar += g_BsodInformation->colorOffset;
170 | 
171 | 	*(PUINT32)g_BsodInformation->AddressOfColorVar = color;
172 | 
173 | 	return STATUS_SUCCESS;
174 | }
175 | 
176 | 
177 | /// EOF


--------------------------------------------------------------------------------
/AngryWindows/bluescreen.h:
--------------------------------------------------------------------------------
 1 | #pragma once
 2 | #include <ntddk.h>
 3 | #include "resolve.h"
 4 | 
 5 | /// <summary>
 6 | /// The namespace responsible for modifying the Bluescreen of
 7 | /// Death. This will only modify the sad face emoticon and the
 8 | /// first error message. 
 9 | /// </summary>
10 | namespace bluescreen
11 | {
12 | 	NTSTATUS initialize();
13 | 	NTSTATUS OverwriteSadFace();
14 | 
15 | 	NTSTATUS OverwriteErrorMessage(
16 | 		_In_ PUNICODE_STRING error,
17 | 		_In_ PUNICODE_STRING replace
18 | 	);
19 | 
20 | 	NTSTATUS ChangeBsodColor(
21 | 		_In_ UINT32 color
22 | 	);
23 | }
24 | 
25 | 
26 | /// EOF 


--------------------------------------------------------------------------------
/AngryWindows/resolve.cpp:
--------------------------------------------------------------------------------
  1 | #include "resolve.h"
  2 | #include <ntddk.h>
  3 | 
  4 | /// <summary>
  5 | /// Resolves the address to KeBugCheck2. The starting point of decompiling starts at
  6 | /// the address of KeBugCheckEx.
  7 | /// This works by searching for the call instruction and the next instruction being a NOP. 
  8 | /// There is only two instances of this, both leading to the call to KeBugCheck2. 
  9 | /// </summary>
 10 | /// <param name="data"></param>
 11 | /// <param name="result"></param>
 12 | /// <returns>STATUS_SUCCESS if successful</returns>
 13 | NTSTATUS resolve::KeBugCheck2(UINT64 address, PUINT64 result)
 14 | {
 15 | 	UINT8 KeBugCheck2Sig[] = {
 16 | 		0x45, 0x33, 0xc9,	/// xor r9d, r9d
 17 | 		0x45, 0x33, 0xc0,	/// xor r8d, r8d
 18 | 		0x33, 0xd2,			/// xor edx, edx
 19 | 		0xe8				/// call nt!KeBugCheck2
 20 | 	};
 21 | 
 22 | 	UINT8 EndOfFunction[] = {
 23 | 		0x90,	/// nop
 24 | 		0xc3,	/// ret
 25 | 		0xcc,	/// int 3
 26 | 		0xcc,	/// int 3
 27 | 		0xcc,	/// int 3
 28 | 		0xcc	/// int 3
 29 | 	};
 30 | 
 31 | 	size_t EndOfFunctionLength = 0;
 32 | 
 33 | 	do
 34 | 	{
 35 | 		size_t length = RtlCompareMemory(
 36 | 			reinterpret_cast<PVOID>(address),
 37 | 			KeBugCheck2Sig,
 38 | 			sizeof(KeBugCheck2Sig)
 39 | 		);
 40 | 		if (length == sizeof(KeBugCheck2Sig))
 41 | 		{
 42 | 			UINT32 offset = 0;
 43 | 
 44 | 			RtlCopyMemory(
 45 | 				&offset, 
 46 | 				reinterpret_cast<PVOID>(address + length), 
 47 | 				sizeof(offset)
 48 | 			);
 49 | 
 50 | 			*result = address + length + offset + 4;
 51 | 
 52 | 			return STATUS_SUCCESS;
 53 | 		}
 54 | 
 55 | 		EndOfFunctionLength = RtlCompareMemory(
 56 | 			reinterpret_cast<PVOID>(address),
 57 | 			EndOfFunction,
 58 | 			sizeof(EndOfFunction)
 59 | 		);
 60 | 
 61 | 		address++;
 62 | 	} while (EndOfFunctionLength != sizeof(EndOfFunction));
 63 | 	
 64 | 	return STATUS_NOT_FOUND;
 65 | }
 66 | 
 67 | /// <summary>
 68 | /// Resolves the address to KiDisplayBluescreen. This function is also not exported
 69 | /// and is easier to resolve via decompilation without having to rely on signature scanning.
 70 | /// This works by locating the instruction "cmovne ecx, eax" because the next instruction
 71 | /// is the call to nt!KiDisplayBlueScreen.
 72 | /// </summary>
 73 | /// <param name="data"></param>
 74 | /// <param name="result"></param>
 75 | /// <returns>STATUS_SUCCESS if successfull</returns>
 76 | NTSTATUS resolve::KiDisplayBlueScreen(UINT64 address, PUINT64 result)
 77 | {
 78 | 	UINT8 KiDisplayBlueScreenSig[] = {
 79 | 		0x0f, 0x45, 0xc1,	/// cmovne eax, ecx
 80 | 		0x8b, 0xc8,			/// mov ecx, eax
 81 | 		0x83, 0xc9, 0x01,	/// or ecx, 1
 82 | 		0x45, 0x84, 0xf6,	/// test r14b, r14b
 83 | 		0x0f, 0x45, 0xc8,	/// cmovne ecx, eax
 84 | 		0xe8				/// call nt!KiDisplayBlueScreen
 85 | 	};
 86 | 
 87 | 	UINT8 EndOfFunction[] = {
 88 | 		0x5f,	/// pop rdi
 89 | 		0x5e,	/// pop rsi
 90 | 		0x5d,	/// pop rbp
 91 | 		0xc3	/// ret
 92 | 	};
 93 | 
 94 | 	size_t EndOfFunctionLength = 0;
 95 | 
 96 | 	do
 97 | 	{
 98 | 		size_t length = RtlCompareMemory(
 99 | 			reinterpret_cast<PVOID>(address),
100 | 			KiDisplayBlueScreenSig,
101 | 			sizeof(KiDisplayBlueScreenSig)
102 | 		);
103 | 		if (length == sizeof(KiDisplayBlueScreenSig))
104 | 		{
105 | 			UINT32 offset = 0;
106 | 
107 | 			RtlCopyMemory(
108 | 				&offset,
109 | 				reinterpret_cast<PVOID>(address + length),
110 | 				sizeof(offset)
111 | 			);
112 | 
113 | 			*result = address + length + offset + 4;
114 | 
115 | 			return STATUS_SUCCESS;
116 | 		}
117 | 
118 | 		EndOfFunctionLength = RtlCompareMemory(
119 | 			reinterpret_cast<PVOID>(address),
120 | 			EndOfFunction,
121 | 			sizeof(EndOfFunction)
122 | 		);
123 | 
124 | 		address++;
125 | 	} while (EndOfFunctionLength != sizeof(EndOfFunction));
126 | 
127 | 	return STATUS_NOT_FOUND;
128 | }
129 | 
130 | /// <summary>
131 | /// Resolves the address to BgpFwDisplayBugCheckScreen. This function is also not exported
132 | /// and is easiest to resolve via decompilation. 
133 | /// This works by locating the call instruction with the next instruction being a mov rdi, 
134 | /// qword ptr [rsp + 78h]. There is only one instance of this sequence. The call is 
135 | /// pointing to nt!BgpFwDisplayBugCheckScreen. 
136 | /// </summary>
137 | /// <param name="data"></param>
138 | /// <param name="result"></param>
139 | /// <returns>STATUS_SUCCESS if successful</returns>
140 | NTSTATUS resolve::BgpFwDisplayBugCheckScreen(UINT64 address, PUINT64 result)
141 | {
142 | 	UINT8 BgpFwDisplayBugCheckScreen2002Sig[] = {
143 | 		0x4c, 0x8b, 0xc3,	/// mov r8, rbx
144 | 		0x48, 0x8b, 0xd6,	/// mov rdx, rsi
145 | 		0x41, 0x8b, 0xcf,	/// mov ecx, r15d
146 | 		0xe8				/// call nt!BgpFwDisplayBugCheckScreen
147 | 	};
148 | 
149 | 	UINT8 BgpFwDisplayBugCheckScreen1909Sig[] = {
150 | 		0x4c, 0x8b, 0xc3,	/// mov r8, rbx
151 | 		0x49, 0x8b, 0xd7,	/// mov rdx, r15
152 | 		0x41, 0x8b, 0xce,	/// mov ecx, r14d
153 | 		0xe8				/// call nt!BgpFwDisplayBugCheckScreen
154 | 	};
155 | 
156 | 	UINT8 EndOfFunction[] = {
157 | 		0x41, 0x5d, /// pop r13
158 | 		0x41, 0x5c, /// pop r12
159 | 		0x5d,		/// pop rbp
160 | 		0xc3		/// ret
161 | 	};
162 | 
163 | 	size_t EndOfFunctionLength = 0;
164 | 	size_t length = 0;
165 | 	UINT32 offset = 0;
166 | 
167 | 	do
168 | 	{
169 | 		size_t Length2002 = RtlCompareMemory(
170 | 			reinterpret_cast<PVOID>(address),
171 | 			BgpFwDisplayBugCheckScreen2002Sig,
172 | 			sizeof(BgpFwDisplayBugCheckScreen2002Sig)
173 | 		);
174 | 
175 | 		size_t Length1909 = RtlCompareMemory(
176 | 			reinterpret_cast<PVOID>(address),
177 | 			BgpFwDisplayBugCheckScreen1909Sig,
178 | 			sizeof(BgpFwDisplayBugCheckScreen1909Sig)
179 | 		);
180 | 		if (Length2002 == sizeof(BgpFwDisplayBugCheckScreen2002Sig))
181 | 		{
182 | 			length = Length2002;
183 | 			break;
184 | 		}
185 | 		else if (Length1909 == sizeof(BgpFwDisplayBugCheckScreen1909Sig))
186 | 		{
187 | 			length = Length1909;
188 | 			break;
189 | 		}
190 | 
191 | 		EndOfFunctionLength = RtlCompareMemory(
192 | 			reinterpret_cast<PVOID>(address),
193 | 			EndOfFunction,
194 | 			sizeof(EndOfFunction)
195 | 		);
196 | 		if (EndOfFunctionLength == sizeof(EndOfFunction))
197 | 			return STATUS_NOT_FOUND;
198 | 
199 | 		address++;
200 | 	} while (EndOfFunctionLength != sizeof(EndOfFunction));
201 | 
202 | 	RtlCopyMemory(
203 | 		&offset,
204 | 		reinterpret_cast<PVOID>(address + length),
205 | 		sizeof(offset)
206 | 	);
207 | 
208 | 	*result = address + length + offset + 4;
209 | 
210 | 	return STATUS_SUCCESS;
211 | }
212 | 
213 | /// <summary>
214 | /// This function is responsible for resolving five addresses: the location for the LIST_ENTRY of
215 | /// EtwpLastBranchEntry, the two offsets that are used to pull from this object, HalpPCIConfigReadHandlers,
216 | /// and the location of the first error message. 
217 | /// The two offsets are to avoid hardcoding the offsets for EtwpLastBranchEntry to resolve the color
218 | /// of the Bluescreen of Death. The color is in ARGB format. EtwpLastBranchEntry is found by locating the 
219 | /// instruction mov edi, 0x1c8. The instruction before this loads EtwpLastBranchEntry.
220 | /// 
221 | /// HalpPCIConfigReadHandlers is resolved because the value that is being loaded is actually a type
222 | /// UNICODE_STRING pointing to the ":(". This is found by locating two instructions: mov r9d, ebx and 
223 | /// lea rcx. There is only one sequence of this. The lea instruction loads HalpPCIConfigReadHandlers.
224 | /// 
225 | /// Lastly, we search for another EtwpLastBranchEntry only this time, it's the one responsible for the 
226 | /// error messages that are displayed. Since all of the error messages related to the Bluescreen of Death
227 | /// are in EtwpLastBranchEntry, there is no need to resolve the other locations as we can just iterate 
228 | /// through EtwpLastBranchEntry with the sizeof(UNICODE_STRING). These are found by searching for the 
229 | /// instruction lea r10, xxx. There is only one instance of this and loads exactly what I want. 
230 | /// </summary>
231 | /// <param name="data"></param>
232 | /// <param name="halpPciConfig"></param>
233 | /// <returns>STATUS_SUCCESS if successful</returns>
234 | NTSTATUS resolve::Phrases(UINT64 address)//, PUINT64 halpPciConfig)
235 | {
236 | 	UINT8 EtwpLastBranchSig[] = {
237 | 		0xbf, 0xc8, 0x01, 0x00, 0x00	/// mov edi, 1c8h
238 | 	};
239 | 
240 | 	UINT8 SadfaceSig2004[] = {
241 | 		0x41, 0x8b, 0x54, 0xf7, 0x0c,	/// mov edx, dword ptr [r15 + rsi * 8 + 0ch]
242 | 		0x44, 0x8b, 0xcb,				/// mov r9d, ebx
243 | 		0x48, 0x8d						/// lea rcx, [nt!HalpPciConfigReadHandlers+0x18]
244 | 	};
245 | 
246 | 	UINT8 SadfaceSig1909[] = {
247 | 		0x41, 0x8b, 0x54, 0xf4, 0x0c,	/// mov edx, dword ptr [r12 + rsi * 8 + 0ch]
248 | 		0x44, 0x8b, 0xcb,				/// mov r9d, ebx
249 | 		0x48, 0x8d						/// lea rcx, [nt!ExpLeapSecondRegKeyPath+0x28e0]
250 | 	};
251 | 
252 | 	UINT8 ColorOffsetSig[] = {
253 | 		0xeb, 0x03,			/// jmp nt!BgpFwDiisplayBugCheckScreen+0xcd
254 | 		0x8b, 0x48, 0x28	/// mov ecx, dword ptr [rax + 28h]
255 | 	};
256 | 
257 | 	UINT8 MessagesSig[] = {
258 | 		0x4c, 0x8d, 0x15	/// lea r10, [nt!EtwpLastBranchLookAsideList]
259 | 	};
260 | 
261 | 	UINT8 EndOfFunction[] = {
262 | 		0x41, 0x5f, /// pop r15
263 | 		0x41, 0x5e, /// pop r14
264 | 		0x41, 0x5d, /// pop r13
265 | 		0x41, 0x5c, /// pop r12
266 | 	};
267 | 
268 | 	bool bIsNotEndOfFunction = true;
269 | 
270 | 	do
271 | 	{
272 | 		size_t EtwpLastBranchLength = RtlCompareMemory(
273 | 			reinterpret_cast<PVOID>(address + 7),
274 | 			EtwpLastBranchSig,
275 | 			sizeof(EtwpLastBranchSig)
276 | 		);
277 | 
278 | 		size_t ColorOffsetLength = RtlCompareMemory(
279 | 			reinterpret_cast<PVOID>(address),
280 | 			ColorOffsetSig,
281 | 			sizeof(ColorOffsetSig)
282 | 		);
283 | 
284 | 		size_t SadFaceLength2004 = RtlCompareMemory(
285 | 			reinterpret_cast<PVOID>(address),
286 | 			SadfaceSig2004,
287 | 			sizeof(SadfaceSig2004)
288 | 		);
289 | 
290 | 		size_t SadFaceLength1909 = RtlCompareMemory(
291 | 			reinterpret_cast<PVOID>(address),
292 | 			SadfaceSig1909,
293 | 			sizeof(SadfaceSig1909)
294 | 		);
295 | 
296 | 		size_t MessagesSigLength = RtlCompareMemory(
297 | 			reinterpret_cast<PVOID>(address),
298 | 			MessagesSig,
299 | 			sizeof(MessagesSig)
300 | 		);
301 | 
302 | 		size_t EndOfFunctionLength = RtlCompareMemory(
303 | 			reinterpret_cast<PVOID>(address),
304 | 			EndOfFunction,
305 | 			sizeof(EndOfFunction)
306 | 		);
307 | 		if (EndOfFunctionLength == sizeof(EndOfFunction))
308 | 		{
309 | 			bIsNotEndOfFunction = false;
310 | 		}
311 | 		else if (MessagesSigLength == sizeof(MessagesSig))
312 | 		{
313 | 			UINT64 TempAddress = address;
314 | 			UINT32 offset = 0;
315 | 
316 | 			RtlCopyMemory(
317 | 				&offset,
318 | 				reinterpret_cast<PVOID>(TempAddress + MessagesSigLength),
319 | 				sizeof(offset)
320 | 			);
321 | 
322 | 			g_BsodInformation->BsodMessageOne = reinterpret_cast<PUNICODE_STRING>(
323 | 				TempAddress + MessagesSigLength + offset + 4
324 | 				);
325 | 
326 | 			PUNICODE_STRING temp = g_BsodInformation->BsodMessageOne;
327 | 
328 | 			for (UINT8 next = 0; next < sizeof(UNICODE_STRING); next++, temp++)
329 | 			{
330 | 				/*
331 | 				*[FFFFF8010F853CD0] Got: Have you seen your skills? I ain't worried one bit.
332 | 				*[FFFFF8010F853CE0] Got: If you call a support person, give them this info:
333 | 				*[FFFFF8010F853CF0] Got: We're just collecting some error info, and then we'll restart for you.
334 | 				*[FFFFF8010F853D00] Got: We're just collecting some error info, and then you can restart.
335 | 				*[FFFFF8010F853D10] Got: We'll restart for you.
336 | 				*[FFFFF8010F853D20] Got: You can restart.
337 | 				*[FFFFF8010F853D30] Got:
338 | 				*[FFFFF8010F853D40] Got: % complete
339 | 				*[FFFFF8010F853D50] Got:
340 | 				*[FFFFF8010F853D60] Got: % complete
341 | 				*[FFFFF8010F853D70] Got: What failed:
342 | 				*[FFFFF8010F853D80] Got: Stop code:
343 | 				*[FFFFF8010F853D90] Got: For more information about this issue and possible fixes, visit
344 | 				*[FFFFF8010F853DA0] Got: https://www.windows.com/stopcode
345 | 				*[FFFFF8010F853DB0] Got: Your Windows Insider Build ran into a problem and needs to restart.
346 | 				*[FFFFF8010F853DC0] Got: Please release the power button.
347 | 				*/
348 | 				if (wcsstr(temp->Buffer, L"and then we'll restart for you") != 0)
349 | 				{
350 | 					g_BsodInformation->BsodMessageTwo = temp;
351 | 				}
352 | 			}
353 | 		}
354 | 		else if (EtwpLastBranchLength == sizeof(EtwpLastBranchSig))
355 | 		{
356 | 			UINT64 TempAddress = address;
357 | 			UINT32 offset = 0;
358 | 
359 | 			RtlCopyMemory(
360 | 				&g_BsodInformation->offset,
361 | 				reinterpret_cast<PVOID>(TempAddress + 0x12),
362 | 				sizeof(g_BsodInformation->offset)
363 | 			);
364 | 
365 | 			TempAddress += 3;
366 | 
367 | 			RtlCopyMemory(
368 | 				&offset,
369 | 				reinterpret_cast<PVOID>(TempAddress),
370 | 				sizeof(offset)
371 | 			);
372 | 
373 | 			TempAddress += offset + 4;
374 | 
375 | 			g_BsodInformation->EtwpLastBranchEntry = TempAddress;
376 | 		}
377 | 		else if (ColorOffsetLength == sizeof(ColorOffsetSig))
378 | 		{			
379 | 			RtlCopyMemory(
380 | 				&g_BsodInformation->colorOffset,
381 | 				reinterpret_cast<PVOID>(address + 4),
382 | 				sizeof(g_BsodInformation->colorOffset)
383 | 			);
384 | 		}
385 | 		else if (SadFaceLength2004 == sizeof(SadfaceSig2004))
386 | 		{
387 | 			UINT64 TempAddress = address;
388 | 			UINT64 mask = 0xffffffff00000000;
389 | 			UINT32 offset = 0;
390 | 
391 | 			TempAddress += SadFaceLength2004 + 1;
392 | 			
393 | 			RtlCopyMemory(
394 | 				&offset,
395 | 				reinterpret_cast<PVOID>(TempAddress),
396 | 				sizeof(offset)
397 | 			);
398 | 
399 | 			mask |= offset;
400 | 
401 | 			TempAddress += mask + 4;
402 | 
403 | 			g_BsodInformation->Sadface = TempAddress;
404 | 		}
405 | 		else if (SadFaceLength1909 == sizeof(SadfaceSig1909))
406 | 		{
407 | 			UINT64 TempAddress = address;
408 | 			UINT32 offset = 0;
409 | 
410 | 			TempAddress += SadFaceLength1909 + 1;
411 | 
412 | 			RtlCopyMemory(
413 | 				&offset,
414 | 				reinterpret_cast<PVOID>(TempAddress),
415 | 				sizeof(offset)
416 | 			);
417 | 
418 | 			TempAddress += offset + 4;
419 | 
420 | 			g_BsodInformation->Sadface = TempAddress;
421 | 		}
422 | 
423 | 		address++;
424 | 	} while (bIsNotEndOfFunction);
425 | 
426 | 	return STATUS_SUCCESS;
427 | }
428 | 
429 | 
430 | /// EOF


--------------------------------------------------------------------------------
/AngryWindows/resolve.h:
--------------------------------------------------------------------------------
 1 | #pragma once
 2 | //#include "capstone/capstone.h"
 3 | #include "typedefs.h"
 4 | 
 5 | #include <ntdef.h>
 6 | 
 7 | /// <summary>
 8 | /// This namespace is responsible for resolving all the variables needed
 9 | /// for modifying the Bluescreen of Death. It dynamically locates
10 | /// KeBugCheck2, KiDisplayBluescreen, BgpFwDisplayBugCheckScreen,
11 | /// HalpPCIConfigReadHandlers, the sad face emoticon, and one of the error
12 | /// messages. 
13 | /// </summary>
14 | namespace resolve
15 | {
16 | 	_Success_(return >= 0)
17 | 	NTSTATUS KeBugCheck2(
18 | 		_In_ UINT64 address,
19 | 		_Out_ _Ret_maybenull_ PUINT64 result
20 | 	);
21 | 
22 | 	_Success_(return >= 0)
23 | 	NTSTATUS KiDisplayBlueScreen(
24 | 		_In_ UINT64 address,
25 | 		_Out_ _Ret_maybenull_ PUINT64 result
26 | 	);
27 | 
28 | 	_Success_(return >= 0)
29 | 	NTSTATUS BgpFwDisplayBugCheckScreen(
30 | 		_In_ UINT64 address,
31 | 		_Out_ _Ret_maybenull_ PUINT64 result
32 | 	);
33 | 
34 | 	_Success_(return >= 0)
35 | 	NTSTATUS Phrases(
36 | 		_In_ UINT64 address
37 | 		//_Out_ _Ret_maybenull_ PUINT64 halpPciConfig
38 | 	);
39 | }
40 | 
41 | 
42 | /// EOF


--------------------------------------------------------------------------------
/AngryWindows/typedefs.h:
--------------------------------------------------------------------------------
 1 | #pragma once
 2 | #include <ntdef.h>
 3 | 
 4 | ///================================================
 5 | /// Types
 6 | ///================================================
 7 | typedef struct _BSOD_INFORMATION
 8 | {
 9 | 	UINT64 Sadface = 0;
10 | 	UINT64 EtwpLastBranchEntry = 0;
11 | 	UINT64 AddressOfColorVar = 0;
12 | 	UINT8 offset = 0;
13 | 	UINT8 colorOffset = 0;
14 | 	UNICODE_STRING lol;
15 | 	UNICODE_STRING Grouch;
16 | 	UNICODE_STRING Insult;
17 | 	PUNICODE_STRING BsodMessageOne;
18 | 	PUNICODE_STRING BsodMessageTwo;
19 | } BSOD_INFORMATION, * PBSOD_INFORMATION;
20 | 
21 | ///================================================
22 | /// Globals
23 | ///================================================
24 | extern PBSOD_INFORMATION g_BsodInformation;
25 | 
26 | 
27 | /// EOF 


--------------------------------------------------------------------------------
/Images/Capture.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ch3rn0byl/AngryWindows/bd2ca82360f16b1a809b12d5c56fd4fffee78c5d/Images/Capture.PNG


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | MIT License
 2 | 
 3 | Copyright (c) 2022 Jon
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # AngryWindows
 2 | 
 3 | ![whatever](https://github.com/ch3rn0byl/AngryWindows/blob/master/Images/Capture.PNG)
 4 | 
 5 | When you are trying to fuzz or exploit the kernel and your machine becomes sentient and starts building up saltiness from you bullying it all the time, this is what ends up happening. 
 6 | Eventually it'll start to defend itself and call you out, OR    
 7 | 
 8 | This is a driver that modifies the emoticon, color, and error messages of the Bluescreen of Death. This came about while I was working on something else and here it is! 
 9 | 
10 | ## How does this work?
11 | 
12 | The end goal was to ultimately resolve the unexported function `nt!BgpFwDisplayBugCheckScreen`. The only way I saw that would reliably get this function was to trace it back to an exported function. The only exported function that used this lead to `nt!KeBugCheckEx`.
13 | I use `nt!MmGetSystemRoutineAddress` to resolve `nt!KeBugCheckEx` and then start disassembling KeBugCheckEx to pull out `nt!KeBugCheck2`. 
14 | 
15 | From KeBugCheck2, I began disassembling until I reach `nt!KiDisplayBlueScreen`. Lastly, I use KiDisplayBlueScreen to dynamically resolve `nt!BgpFwDisplayBugCheckScreen`. 
16 | 
17 | Everything needed to modify the Bluescreen of Death is inside BgpFwDisplayBugCheckScreen. The sad face emoticon is located at `nt!HalpPCIConfigReadHandlers+0x18`, which is the UNICODE_STRING datatype.
18 | ```
19 | 2: kd> ? nt!HalpPCIConfigReadHandlers+0x18 
20 | Evaluate expression: -8769656301296 = fffff806`27c05910
21 | 2: kd> dt nt!_UNICODE_STRING fffff806`27c05910
22 |  ":("
23 |    +0x000 Length           : 4
24 |    +0x002 MaximumLength    : 6
25 |    +0x008 Buffer           : 0xfffff806`27c1faf4  ":(
26 | ```
27 | 
28 | All the messages pertaining to what is going on are all located inside of `nt!EtwpLastBranchLookAsideList`, beginning at offset 0x60. 
29 | ```
30 | 3: kd> ? nt!EtwpLastBranchLookAsideList + 0x60
31 | Evaluate expression: -8769643397936 = fffff806`28853cd0
32 | 3: kd> dps fffff806`28853cd0 l2
33 | fffff806`28853cd0  00000000`006a0068
34 | fffff806`28853cd8  ffffb980`20ba4804
35 | 3: kd> dS fffff806`28853cd0
36 | ffffb980`20ba4804  "Your device ran into a problem a"
37 | ffffb980`20ba4844  "nd needs to restart."
38 | ```
39 | 
40 | If the strings are going to be modified, the length and the maximum buffer of the UNICODE_STRING _need to be adjusted_ to reflect the new value otherwise you will only get parts of your string. 
41 | 
42 | I've noticed a max buffer of around ~96 or so characters. If you go more than that, you will definitely overwrite the buffer in the percentage section. So instead of saying `complete`, you will get some of your characters in that data. 
43 | 
44 | ## How to use
45 | To use the driver, issue the following commands inside an elevated command prompt: 
46 | ```
47 | sc create <service name> binPath= <path to driver>/AngryWindows.sys type= kernel start= auto
48 | sc start <service name>
49 | ```
50 | This will create a service for the driver and start it automatically. Anyhow...
51 | 
52 | Have fun!
53 | 


--------------------------------------------------------------------------------