Now you can change the website url, possible fixes and if you called …
…support strings!
NSG650 committed Sep 27, 2021
1 parent b247aaa commit 0ea5bf2
Showing 3 changed files with 79 additions and 13 deletions.
14 changes: 12 additions & 2 deletions BugCheckHack/disassemble.c
Expand Up @@ -93,7 +93,7 @@ UINT64 Disassemble_BgpFwDisplayBugCheckScreen(PVOID KiDisplayBlueScreenAddress,
return 0;
}

UINT64 Disassemble_HalpPCIConfigReadHandlers(PVOID BgpFwDisplayBugCheckScreenAddress, UINT64* Result1, UINT64* Result2, UINT64* Result3) {
UINT64 Disassemble_HalpPCIConfigReadHandlers(PVOID BgpFwDisplayBugCheckScreenAddress, UINT64* Result1, UINT64* Result2, UINT64* Result3, UINT64* Result4, UINT64* Result5, UINT64* Result6) {
ZydisDecoder Decoder;
ZydisDecoderInit(&Decoder, ZYDIS_MACHINE_MODE_LONG_64, ZYDIS_ADDRESS_WIDTH_64);
ZydisFormatter Formatter;
Expand All @@ -120,9 +120,19 @@ UINT64 Disassemble_HalpPCIConfigReadHandlers(PVOID BgpFwDisplayBugCheckScreenAdd
*Result2 = _strtoui64(&PrintBuffer[10], NULL, 16);
PUNICODE_STRING temp = (PUNICODE_STRING)_strtoui64(&PrintBuffer[10], NULL, 16);
for (UINT8 i = 0; i < sizeof(UNICODE_STRING); i++, temp++) {
if (wcsstr(temp->Buffer, L"and then we'll restart for you") != 0) {
// Print("%ls\n", temp->Buffer);
if (wcsstr(temp->Buffer, L"and then we'll restart for you")) {
*Result3 = (UINT64)temp;
}
if (wcsstr(temp->Buffer, L"www.windows.com/stopcode")) {
*Result4 = (UINT64)temp;
}
if (wcsstr(temp->Buffer, L"this issue and possible fixes, visit")) {
*Result5 = (UINT64)temp;
}
if (wcsstr(temp->Buffer, L"give them this info:")) {
*Result6 = (UINT64)temp;
}
}
return 1;
}
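Review bot: The out-parameters Result3 through Result6 are written only inside their matching `if` branches, yet the function returns 1 even when one or more of the strings was not found among the scanned entries, so the caller is left with whatever its locals held before the call. Initialise them ahead of the loop, `*Result3 = *Result4 = *Result5 = *Result6 = 0;`, and replace the final `return 1;` with `return (*Result3 && *Result4 && *Result5 && *Result6) ? 1 : 0;` so a partial match is reported like the other failure paths. Each `wcsstr(temp->Buffer, ...)` also dereferences `Buffer` without a NULL check, and UNICODE_STRING buffers are not required to be NUL-terminated, so a `if (temp->Buffer == NULL) continue;` guard at the top of the loop body and a comparison bounded by `temp->Length` would be safer than `wcsstr`. The loop bound `sizeof(UNICODE_STRING)` reads as a byte size but is used as an entry count; a named constant would make the intended number of entries explicit. The body of Disassemble_HalpPCIConfigReadHandlers begins before this hunk, between the two hunks shown.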
2 changes: 1 addition & 1 deletion BugCheckHack/disassemble.h
Expand Up @@ -5,4 +5,4 @@
UINT64 Disassemble_KeBugCheck2(UINT64* Result);
UINT64 Disassemble_KiDisplayBlueScreen(PVOID KeBugCheck2Address, UINT64* Result);
UINT64 Disassemble_BgpFwDisplayBugCheckScreen(PVOID KiDisplayBlueScreenAddress, UINT64* Result);
UINT64 Disassemble_HalpPCIConfigReadHandlers(PVOID BgpFwDisplayBugCheckScreenAddress, UINT64* Result1, UINT64* Result2, UINT64* Result3);
UINT64 Disassemble_HalpPCIConfigReadHandlers(PVOID BgpFwDisplayBugCheckScreenAddress, UINT64* Result1, UINT64* Result2, UINT64* Result3, UINT64* Result4, UINT64* Result5, UINT64* Result6);
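Review bot: The widened prototype gives a reader no way to tell which string each of Result3 through Result6 receives, and the driver's call site names them EtwpLastBranchEntry3 to 5, which does not help. A comment above the declaration should state the mapping the implementation uses — Result3 the "restart for you" line, Result4 the stopcode URL line, Result5 the "possible fixes" line, Result6 the "give them this info" line — and that each out-parameter is left untouched when its string is not found. Result1 and Result2 would benefit from the same treatment while the comment is being written.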
76 changes: 66 additions & 10 deletions BugCheckHack/driver.c
Expand Up @@ -27,42 +27,62 @@ NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
UINT64 HalPCIConfigReadHandlers_0x18;
UINT64 EtwpLastBranchEntry_Address;
UINT64 EtwpLastBranchEntry2_Address;
if (!Disassemble_HalpPCIConfigReadHandlers((PVOID)BgpFwDisplayBugCheckScreen_Address, &HalPCIConfigReadHandlers_0x18, &EtwpLastBranchEntry_Address, &EtwpLastBranchEntry2_Address)) {
UINT64 EtwpLastBranchEntry3_Address;
UINT64 EtwpLastBranchEntry4_Address;
UINT64 EtwpLastBranchEntry5_Address;
if (!Disassemble_HalpPCIConfigReadHandlers((PVOID)BgpFwDisplayBugCheckScreen_Address, &HalPCIConfigReadHandlers_0x18, &EtwpLastBranchEntry_Address,
&EtwpLastBranchEntry2_Address, &EtwpLastBranchEntry3_Address, &EtwpLastBranchEntry4_Address, &EtwpLastBranchEntry5_Address)) {
return STATUS_DRIVER_INTERNAL_ERROR;
}
Print("KeBugCheck2 located at %llx\n", KeBugCheck2_Address);
Print("KiDisplayBlueScreen located at %llx\n", KiDisplayBlueScreen_Address);
Print("BgpFwDisplayBugCheckScreen located at %llx\n", BgpFwDisplayBugCheckScreen_Address);
Print("EtwpLastBranchEntry located at %llx\n", EtwpLastBranchEntry_Address);
Print("EtwpLastBranchEntry2 located at %llx\n", EtwpLastBranchEntry2_Address);
Print("HalpPCIConfigReadHandlers+0x18 located at %llx\n", HalPCIConfigReadHandlers_0x18);
Print("StringOne located at %llx\n", EtwpLastBranchEntry_Address);
Print("StringTwo located at %llx\n", EtwpLastBranchEntry2_Address);
Print("WebsiteUrl located at %llx\n", EtwpLastBranchEntry3_Address);
Print("PossibleFixes located at %llx\n", EtwpLastBranchEntry4_Address);
Print("CalledSupport located at %llx\n", EtwpLastBranchEntry5_Address);
Print("Frowny located at %llx\n", HalPCIConfigReadHandlers_0x18);

UNICODE_STRING Emoticon;
UNICODE_STRING StringOne;
UNICODE_STRING StringTwo;
UNICODE_STRING WebsiteUrl;
UNICODE_STRING CalledSupport;
UNICODE_STRING PossibleFixes;

RTL_QUERY_REGISTRY_TABLE query[2];
NTSTATUS regStatus = 0;

Emoticon.Buffer = NULL;
StringOne.Buffer = NULL;
StringTwo.Buffer = NULL;
WebsiteUrl.Buffer = NULL;
CalledSupport.Buffer = NULL;
PossibleFixes.Buffer = NULL;

Emoticon.Length = 0;
StringOne.Length = 0;
StringTwo.Length = 0;
WebsiteUrl.Length = 0;
CalledSupport.Length = 0;
PossibleFixes.Length = 0;

Emoticon.MaximumLength = 10;
StringOne.MaximumLength = 100;
StringTwo.MaximumLength = 100;
WebsiteUrl.MaximumLength = 100;
CalledSupport.MaximumLength = 100;
PossibleFixes.MaximumLength = 100;

RtlZeroMemory(query, sizeof(RTL_QUERY_REGISTRY_TABLE) * 2);
query[0].Name = L"Emoticon";
query[0].Flags = RTL_QUERY_REGISTRY_DIRECT;
query[0].EntryContext = &Emoticon;
regStatus = RtlQueryRegistryValues(RTL_REGISTRY_ABSOLUTE, L"\\Registry\\Machine\\Software\\BugCheckHack", query, NULL, NULL);
if (regStatus != STATUS_SUCCESS) {

if (regStatus != STATUS_SUCCESS)
RtlInitUnicodeString(&Emoticon, L":)");
}

if (OverwriteFrowny(HalPCIConfigReadHandlers_0x18, &Emoticon) != STATUS_SUCCESS)
return STATUS_DRIVER_INTERNAL_ERROR;
Expand All @@ -73,9 +93,8 @@ NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
query[0].EntryContext = &StringOne;
regStatus = RtlQueryRegistryValues(RTL_REGISTRY_ABSOLUTE, L"\\Registry\\Machine\\Software\\BugCheckHack", query, NULL, NULL);

if (regStatus != STATUS_SUCCESS) {
if (regStatus != STATUS_SUCCESS)
RtlInitUnicodeString(&StringOne, L"Windows tried to break your hard drive and failed.");
}

if (OverwriteString((PUNICODE_STRING)EtwpLastBranchEntry_Address, &StringOne) != STATUS_SUCCESS)
return STATUS_DRIVER_INTERNAL_ERROR;
Expand All @@ -86,12 +105,49 @@ NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
query[0].EntryContext = &StringTwo;
regStatus = RtlQueryRegistryValues(RTL_REGISTRY_ABSOLUTE, L"\\Registry\\Machine\\Software\\BugCheckHack", query, NULL, NULL);

if (regStatus != STATUS_SUCCESS) {
if (regStatus != STATUS_SUCCESS)
RtlInitUnicodeString(&StringTwo, L"We are restarting and thinking how stupid you are lmfao.");
}

if (OverwriteString((PUNICODE_STRING)EtwpLastBranchEntry2_Address, &StringTwo) != STATUS_SUCCESS)
return STATUS_DRIVER_INTERNAL_ERROR;


RtlZeroMemory(query, sizeof(RTL_QUERY_REGISTRY_TABLE) * 2);
query[0].Name = L"WebsiteUrl";
query[0].Flags = RTL_QUERY_REGISTRY_DIRECT;
query[0].EntryContext = &WebsiteUrl;
regStatus = RtlQueryRegistryValues(RTL_REGISTRY_ABSOLUTE, L"\\Registry\\Machine\\Software\\BugCheckHack", query, NULL, NULL);

if (regStatus != STATUS_SUCCESS)
RtlInitUnicodeString(&WebsiteUrl, L"https://cryaboutit.com/");

if (OverwriteString((PUNICODE_STRING)EtwpLastBranchEntry3_Address, &WebsiteUrl))
return STATUS_DRIVER_INTERNAL_ERROR;

RtlZeroMemory(query, sizeof(RTL_QUERY_REGISTRY_TABLE) * 2);
query[0].Name = L"CalledSupport";
query[0].Flags = RTL_QUERY_REGISTRY_DIRECT;
query[0].EntryContext = &CalledSupport;
regStatus = RtlQueryRegistryValues(RTL_REGISTRY_ABSOLUTE, L"\\Registry\\Machine\\Software\\BugCheckHack", query, NULL, NULL);

if (regStatus != STATUS_SUCCESS)
RtlInitUnicodeString(&CalledSupport, L"Here is some useless code that wont help you at all!");

if (OverwriteString((PUNICODE_STRING)EtwpLastBranchEntry5_Address, &CalledSupport))
return STATUS_DRIVER_INTERNAL_ERROR;

RtlZeroMemory(query, sizeof(RTL_QUERY_REGISTRY_TABLE) * 2);
query[0].Name = L"PossibleFixes";
query[0].Flags = RTL_QUERY_REGISTRY_DIRECT;
query[0].EntryContext = &PossibleFixes;
regStatus = RtlQueryRegistryValues(RTL_REGISTRY_ABSOLUTE, L"\\Registry\\Machine\\Software\\BugCheckHack", query, NULL, NULL);

if (regStatus != STATUS_SUCCESS)
RtlInitUnicodeString(&PossibleFixes, L"Please visit the website which wont help you at all!");

if (OverwriteString((PUNICODE_STRING)EtwpLastBranchEntry4_Address, &PossibleFixes))
return STATUS_DRIVER_INTERNAL_ERROR;


return STATUS_UNSUCCESSFUL;
}
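Review bot: EtwpLastBranchEntry3_Address, EtwpLastBranchEntry4_Address and EtwpLastBranchEntry5_Address are declared uninitialised and the callee assigns them only when the corresponding string is found, so after a partial match each later `OverwriteString((PUNICODE_STRING)EtwpLastBranchEntry3_Address, ...)` call casts an indeterminate value to a kernel pointer and writes through it. Initialise them, `UINT64 EtwpLastBranchEntry3_Address = 0;` (likewise 4 and 5), and guard each use with `if (!EtwpLastBranchEntry3_Address) return STATUS_DRIVER_INTERNAL_ERROR;` before the overwrite. The names are also misleading: the callee's Result4 to Result6 are received in EtwpLastBranchEntry3 to 5 but printed and used as WebsiteUrl, PossibleFixes and CalledSupport, so renaming the locals to match the registry value names would remove a trap for the next reader. The three new OverwriteString checks use `if (OverwriteString(...))` while the earlier ones compare `!= STATUS_SUCCESS`, and if RtlQueryRegistryValues allocates Buffer when it is passed as NULL (its RTL_QUERY_REGISTRY_DIRECT contract suggests so — confirm against the documentation), none of the strings read from the registry is freed on any return path, including the unconditional STATUS_UNSUCCESSFUL at the end. DriverEntry starts before this hunk.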
