POC / bofdefs.h H
#pragma once
#include <windows.h>
#include <winternl.h>
#include <winreg.h>
#include <stdio.h>

/*
 * Process-heap helpers used instead of malloc/free.
 *
 * intAlloc(size): requests `size` bytes from the default process heap with
 *   HEAP_ZERO_MEMORY, so the block comes back zero-filled. It evaluates to the
 *   HeapAlloc result, which is NULL on failure; check it before use.
 * intFree(addr): returns a block obtained from intAlloc to the process heap.
 *   The caller's pointer is not cleared; reset it to NULL if it stays in scope.
 *
 * Each macro argument is parenthesized so it expands as a single operand.
 */
#define intAlloc(size) Kernel32$HeapAlloc(Kernel32$GetProcessHeap(), HEAP_ZERO_MEMORY, (size))
#define intFree(addr) Kernel32$HeapFree(Kernel32$GetProcessHeap(), 0, (addr))

#ifdef BOF

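/* ========== KERNEL32 ========== */
/*
 * BOF build: every import is declared under a LIBRARY$Function name that the
 * object-file loader resolves when the object is loaded. The compiler cannot
 * compare these names with the SDK prototypes, so each declaration has to
 * match the real export's signature and calling convention by hand.
 */
/* (void) makes this a real prototype; an empty () would accept any arguments. */
WINBASEAPI HANDLE WINAPI Kernel32$GetProcessHeap(void);
WINBASEAPI void * WINAPI Kernel32$HeapAlloc(HANDLE hHeap, DWORD dwFlags, SIZE_T dwBytes);
WINBASEAPI BOOL WINAPI Kernel32$HeapFree(HANDLE hHeap, DWORD dwFlags, PVOID lpMem);
WINBASEAPI DWORD WINAPI Kernel32$GetLastError(VOID);
WINBASEAPI WINBOOL WINAPI Kernel32$CloseHandle(HANDLE hObject);
WINBASEAPI VOID WINAPI Kernel32$Sleep(DWORD dwMilliseconds);
WINBASEAPI DWORD WINAPI Kernel32$WaitForSingleObject(HANDLE hHandle, DWORD dwMilliseconds);
/* Returns INVALID_HANDLE_VALUE (not NULL) on failure. */
WINBASEAPI HANDLE WINAPI Kernel32$CreateFileW(
    LPCWSTR lpFileName,
    DWORD dwDesiredAccess,
    DWORD dwShareMode,
    LPSECURITY_ATTRIBUTES lpSecurityAttributes,
    DWORD dwCreationDisposition,
    DWORD dwFlagsAndAttributes,
    HANDLE hTemplateFile);
/* Returns NULL on failure. */
WINBASEAPI HANDLE WINAPI Kernel32$CreateEventW(
    LPSECURITY_ATTRIBUTES lpEventAttributes,
    WINBOOL bManualReset,
    WINBOOL bInitialState,
    LPCWSTR lpName);
WINBASEAPI WINBOOL WINAPI Kernel32$DeviceIoControl(
    HANDLE hDevice,
    DWORD dwIoControlCode,
    LPVOID lpInBuffer,
    DWORD nInBufferSize,
    LPVOID lpOutBuffer,
    DWORD nOutBufferSize,
    LPDWORD lpBytesReturned,
    LPOVERLAPPED lpOverlapped);
/* Returns 0 on failure; cchWideChar counts wide characters, not bytes. */
WINBASEAPI int WINAPI Kernel32$MultiByteToWideChar(
    UINT CodePage,
    DWORD dwFlags,
    LPCCH lpMultiByteStr,
    int cbMultiByte,
    LPWSTR lpWideCharStr,
    int cchWideChar);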

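/* ========== ADVAPI32 ========== */
/*
 * BOF build: token query and registry imports. The Reg* functions return a
 * Win32 error code (ERROR_SUCCESS on success) rather than a BOOL, so callers
 * compare the result with ERROR_SUCCESS; GetTokenInformation returns a BOOL.
 */
WINADVAPI WINBOOL WINAPI Advapi32$GetTokenInformation(
    HANDLE TokenHandle,
    TOKEN_INFORMATION_CLASS TokenInformationClass,
    LPVOID TokenInformation,
    DWORD TokenInformationLength,
    PDWORD ReturnLength);
WINADVAPI LONG WINAPI Advapi32$RegOpenKeyExW(
    HKEY hKey,
    LPCWSTR lpSubKey,
    DWORD ulOptions,
    REGSAM samDesired,
    PHKEY phkResult);
/* lpClass is a wide string in the W variant (LPWSTR), matching RegCreateKeyExW. */
WINADVAPI LONG WINAPI Advapi32$RegCreateKeyExW(
    HKEY hKey,
    LPCWSTR lpSubKey,
    DWORD Reserved,
    LPWSTR lpClass,
    DWORD dwOptions,
    REGSAM samDesired,
    LPSECURITY_ATTRIBUTES lpSecurityAttributes,
    PHKEY phkResult,
    LPDWORD lpdwDisposition);
/* cbData is a byte count; for string types it includes the terminator. */
WINADVAPI LONG WINAPI Advapi32$RegSetValueExW(
    HKEY hKey,
    LPCWSTR lpValueName,
    DWORD Reserved,
    DWORD dwType,
    CONST BYTE *lpData,
    DWORD cbData);
WINADVAPI LONG WINAPI Advapi32$RegQueryValueExW(
    HKEY hKey,
    LPCWSTR lpValueName,
    LPDWORD lpReserved,
    LPDWORD lpType,
    LPBYTE lpData,
    LPDWORD lpcbData);
WINADVAPI LONG WINAPI Advapi32$RegCloseKey(HKEY hKey);
WINADVAPI LONG WINAPI Advapi32$RegDeleteKeyW(HKEY hKey, LPCWSTR lpSubKey);
WINADVAPI LONG WINAPI Advapi32$RegDeleteValueW(HKEY hKey, LPCWSTR lpValueName);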

/* ========== SHELL32 ========== */
/*
 * The parameter is typed void * in this declaration; the export itself takes
 * a pointer to a SHELLEXECUTEINFOW structure, so the loose type means the
 * compiler will not catch a wrong structure being passed.
 */
WINBASEAPI WINBOOL WINAPI Shell32$ShellExecuteExW(void *pExecInfo);

/* ========== USER32 ========== */
/* Takes no arguments and reports success or failure as a BOOL. */
WINUSERAPI WINBOOL WINAPI User32$LockWorkStation(void);

/* ========== NTDLL ========== */
/* Native API call: the result is an NTSTATUS, not a Win32 error code. */
WINBASEAPI NTSTATUS NTAPI Ntdll$NtDeleteKey(HANDLE hKey);

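/* ========== MSVCRT ========== */
/*
 * BOF build: C runtime imports, all __cdecl. The declarations follow the C
 * library signatures so the BOF and native builds type-check the same way.
 */
WINBASEAPI void *__cdecl Msvcrt$calloc(size_t _NumOfElements, size_t _SizeOfElements);
WINBASEAPI void __cdecl Msvcrt$free(void *_Memory);
WINBASEAPI void *__cdecl Msvcrt$memcpy(void * __restrict__ _Dst, const void * __restrict__ _Src, size_t _MaxCount);
/* memset returns its destination pointer, as in the C library. */
WINBASEAPI void *__cdecl Msvcrt$memset(void *dest, int c, size_t count);
/* NOTE(review): presumably the legacy msvcrt variant, which may leave the
 * buffer unterminated on truncation - confirm and terminate explicitly. */
WINBASEAPI int __cdecl Msvcrt$vsnprintf(char * __restrict__ d, size_t n, const char * __restrict__ format, va_list arg);
WINBASEAPI size_t __cdecl Msvcrt$wcslen(const wchar_t *_Str);
/* _Count is in wide characters. No terminator is written when the output
 * fills the buffer, so callers must reserve a slot and terminate themselves. */
WINBASEAPI int __cdecl Msvcrt$_snwprintf(wchar_t * __restrict__ _Dest, size_t _Count, const wchar_t * __restrict__ _Format, ...);
WINBASEAPI int __cdecl Msvcrt$wcscmp(const wchar_t *_Str1, const wchar_t *_Str2);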

#else

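/* ========== KERNEL32 ========== */
/*
 * Native (non-BOF) build: each LIBRARY$Function name is an alias for the SDK
 * function, so the same source compiles as an ordinary executable. The list
 * mirrors the BOF branch's declarations, including MultiByteToWideChar, which
 * would otherwise be an undeclared identifier in this build.
 */
#define Kernel32$GetProcessHeap GetProcessHeap
#define Kernel32$HeapAlloc HeapAlloc
#define Kernel32$HeapFree HeapFree
#define Kernel32$GetLastError GetLastError
#define Kernel32$CloseHandle CloseHandle
#define Kernel32$Sleep Sleep
#define Kernel32$WaitForSingleObject WaitForSingleObject
#define Kernel32$CreateFileW CreateFileW
#define Kernel32$CreateEventW CreateEventW
#define Kernel32$DeviceIoControl DeviceIoControl
#define Kernel32$MultiByteToWideChar MultiByteToWideChar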

/* ========== ADVAPI32 ========== */
/* Native build: the token-query and registry names alias the SDK functions. */
#define Advapi32$GetTokenInformation  GetTokenInformation
#define Advapi32$RegCloseKey          RegCloseKey
#define Advapi32$RegCreateKeyExW      RegCreateKeyExW
#define Advapi32$RegDeleteKeyW        RegDeleteKeyW
#define Advapi32$RegDeleteValueW      RegDeleteValueW
#define Advapi32$RegOpenKeyExW        RegOpenKeyExW
#define Advapi32$RegQueryValueExW     RegQueryValueExW
#define Advapi32$RegSetValueExW       RegSetValueExW

/* ========== SHELL32 ========== */
/* Native build: alias for the SDK function, which takes SHELLEXECUTEINFOW *. */
#define Shell32$ShellExecuteExW  ShellExecuteExW

/* ========== USER32 ========== */
/* Native build: alias for the SDK function. */
#define User32$LockWorkStation   LockWorkStation

/* ========== NTDLL ========== */
/*
 * NtDeleteKey is declared by hand here as a DLL import, presumably because the
 * headers included above do not declare it - confirm against the SDK in use.
 * NOTE(review): the native build likely needs ntdll's import library on the
 * link line for this symbol to resolve; check the build script.
 */
__declspec(dllimport) NTSTATUS NTAPI NtDeleteKey(HANDLE KeyHandle);
/* Alias so code written against the BOF name compiles in the native build. */
#define Ntdll$NtDeleteKey NtDeleteKey

/* ========== MSVCRT ========== */
/*
 * Native build: the Msvcrt$ names alias the C runtime functions of the
 * toolchain in use. _snwprintf is the Microsoft variant; it writes no
 * terminator when the formatted text fills the buffer.
 */
#define Msvcrt$_snwprintf  _snwprintf
#define Msvcrt$calloc      calloc
#define Msvcrt$free        free
#define Msvcrt$memcpy      memcpy
#define Msvcrt$memset      memset
#define Msvcrt$vsnprintf   vsnprintf
#define Msvcrt$wcscmp      wcscmp
#define Msvcrt$wcslen      wcslen

/* ========== BEACON ========== */
/*
 * Native build stand-in for the Beacon output call: the first argument (the
 * output type) is discarded and the remaining arguments go to printf on
 * stdout. The format argument reaches printf unchanged, so callers should
 * pass a literal format string and keep variable text in the arguments.
 */
#define BeaconPrintf(type, fmt, ...) printf(fmt, ##__VA_ARGS__)

#endif