AngryWindows - Modifies the Blue Screen of Death for 1909/20h1/20h2/21h1.

Overview

AngryWindows

When you are trying to fuzz or exploit the kernel and your machine becomes sentient and starts building up saltiness from you bullying it all the time, this is what ends up happening. Eventually it'll start to defend itself and call you out, OR

This is a driver that modifies the emoticon, color, and error messages of the Bluescreen of Death. This came about while I was working on something else and here it is!

How does this work?

The end goal was to resolve the unexported function nt!BgpFwDisplayBugCheckScreen. The only reliable way I saw to get this function was to trace it back to an exported function, and the only exported function that led to it was nt!KeBugCheckEx. I use nt!MmGetSystemRoutineAddress to resolve nt!KeBugCheckEx and then disassemble KeBugCheckEx to pull out nt!KeBugCheck2.

From KeBugCheck2, I keep disassembling until I reach nt!KiDisplayBlueScreen. Lastly, I use KiDisplayBlueScreen to dynamically resolve nt!BgpFwDisplayBugCheckScreen.

Everything needed to modify the Bluescreen of Death is inside BgpFwDisplayBugCheckScreen. The sad face emoticon is located at nt!HalpPCIConfigReadHandlers+0x18, which holds a UNICODE_STRING.

2: kd> ? nt!HalpPCIConfigReadHandlers+0x18 
Evaluate expression: -8769656301296 = fffff806`27c05910
2: kd> dt nt!_UNICODE_STRING fffff806`27c05910
 ":("
   +0x000 Length           : 4
   +0x002 MaximumLength    : 6
   +0x008 Buffer           : 0xfffff806`27c1faf4  ":("

The messages describing what is going on are all located inside nt!EtwpLastBranchLookAsideList, beginning at offset 0x60.

3: kd> ? nt!EtwpLastBranchLookAsideList + 0x60
Evaluate expression: -8769643397936 = fffff806`28853cd0
3: kd> dps fffff806`28853cd0 l2
fffff806`28853cd0  00000000`006a0068
fffff806`28853cd8  ffffb980`20ba4804
3: kd> dS fffff806`28853cd0
ffffb980`20ba4804  "Your device ran into a problem a"
ffffb980`20ba4844  "nd needs to restart."

If the strings are going to be modified, the Length and MaximumLength fields of the UNICODE_STRING need to be adjusted to reflect the new value; otherwise you will only get part of your string.

I've noticed a max buffer of around ~96 or so characters. If you go more than that, you will definitely overwrite the buffer in the percentage section. So instead of saying complete, you will get some of your characters in that data.
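
The length bookkeeping described in the two paragraphs above, as an added user-mode example that is not code from the AngryWindows driver. USTR, hdr_length, hdr_maxlen, ustr_set and demo are hypothetical names, and CAP_CHARS takes the roughly 96-character limit mentioned above as an assumed storage size.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* User-mode model of nt!_UNICODE_STRING; both lengths are in BYTES. */
typedef struct {
    uint16_t Length;        /* bytes in use, terminator not counted */
    uint16_t MaximumLength; /* bytes claimed for Buffer */
    uint16_t *Buffer;       /* UTF-16 code units */
} USTR;

/* First quadword printed by dps: low word is Length, next is MaximumLength. */
static uint16_t hdr_length(uint64_t q) { return (uint16_t)(q & 0xFFFF); }
static uint16_t hdr_maxlen(uint64_t q) { return (uint16_t)((q >> 16) & 0xFFFF); }

/* Replace the text in place. cap_bytes is the real size of the storage behind
   Buffer, which the caller must know. Returns 0, or -1 with nothing written
   when the text plus its terminator would not fit. */
static int ustr_set(USTR *s, size_t cap_bytes, const uint16_t *src, size_t nchars) {
    if (!s || !s->Buffer || !src || nchars >= UINT16_MAX / 2) return -1;
    size_t need = (nchars + 1) * sizeof(uint16_t);
    if (need > cap_bytes) return -1;
    memcpy(s->Buffer, src, nchars * sizeof(uint16_t));
    s->Buffer[nchars] = 0;
    s->Length = (uint16_t)(nchars * sizeof(uint16_t));
    s->MaximumLength = (uint16_t)need;
    return 0;
}

#define CAP_CHARS 96 /* assumption: the rough limit the author observed */
/* Constructed scenario: start from ":(" (Length 4, MaximumLength 6) and write
   nchars 'A's. fix_lengths == 0 overwrites only the buffer. Returns the number
   of characters a reader honouring Length then sees, or -1 if refused. */
static int demo(size_t nchars, int fix_lengths) {
    uint16_t storage[CAP_CHARS] = { ':', '(', 0 }, text[CAP_CHARS];
    USTR s = { 4, 6, storage };
    if (nchars > CAP_CHARS) return -1;
    for (size_t i = 0; i < nchars; i++) text[i] = 'A';
    if (!fix_lengths) memcpy(storage, text, nchars * sizeof(uint16_t));
    else if (ustr_set(&s, sizeof storage, text, nchars) != 0) return -1;
    return (int)(s.Length / sizeof(uint16_t));
}

int main(void) {
    uint64_t q = 0x00000000006a0068ULL; /* header quadword from the dps output */
    printf("Length=%d MaximumLength=%d\n", (int)hdr_length(q), (int)hdr_maxlen(q));
    printf("stale=%d fixed=%d full=%d\n", demo(20, 0), demo(20, 1), demo(96, 1));
    return 0;
}
```

The header quadword from the dps output decodes to Length 0x68, which is the 52 characters of the default message counted in bytes, and MaximumLength 0x6a, which adds the two-byte terminator.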

How to use

To use the driver, issue the following commands inside an elevated command prompt:

sc create <service name> binPath= <path to driver>/AngryWindows.sys type= kernel start= auto
sc start <service name>

This will create a service for the driver and start it automatically. Anyhow...

Have fun!


Comments
  • Create LICENSE

    This project does not identify a license anywhere. This is important, since without a license, you are not sharing the code. Instead, you are only showing it. Under GitHub TOS, users can only view and fork the repository without a license, nothing else.

    To avoid this situation, I opened this PR to remind you to add a license (I chose the MIT license for this PR) so others can take this and put it in their own project. Our community pulse (Insights) is less than half finished, so I suggest it gets finished as soon as possible. :)

    opened by Tyler887 1
  • Edit all BSOD text

    Is it possible to edit: "%d% complete", "For more information about issue...", "If you call a support person...", "Stop code: %s", "What failed: %s", QR code?

    opened by NexSqaud 1
Releases(1A)
Owner
Jon
OSCP, OSCE, OSEE Trifecta