This program based on NtCall by Peter Kosyh. It isn't advanced version and its purpose - port NtCall functionality for x64 Windows NT 6+.
- x64 Windows 7/8/8.1/10(TH1/TH2/RS1);
- Account with administrative privileges (optional).
NTCALL64 [-win32k]
- -win32k - launch W32pServiceTable services fuzzing (sometimes referenced as Shadow SSDT).
When used without parameters NtCall64 will start fuzzing services in KiServiceTable (sometimes referenced as SSDT).
Example:
- ntcall64.exe
- ntcall64.exe -win32k
Note: make sure to configure Windows crash dump settings before trying this tool
(e.g. https://msdn.microsoft.com/en-us/library/windows/hardware/ff542953(v=vs.85).aspx).
It brute-force through system services and call them multiple times with input parameters randomly taken from predefined "bad arguments" list.
By using badcalls.ini configuration file you can blacklist certain services. To do this - add service name (case sensitive) to the corresponding section of the badcalls.ini, e.g. if you want to blacklist services from KiServiceTable then use [ntos] section.
Example of badcalls.ini (default config shipped with program)
[ntos] NtClose NtRaiseHardError NtReleaseKeyedEvent NtPropagationComplete NtShutdownSystem NtSuspendProcess NtSuspendThread NtTerminateProcess NtTerminateThread NtWaitForAlertByThreadId NtWaitForSingleObject NtWaitForKeyedEvent [win32k] NtUserRealWaitMessageEx NtUserShowSystemCursor NtUserSwitchDesktop NtUserLockWorkStation NtUserEnumDisplayMonitors NtUserGetMessage NtUserWaitMessage NtUserDoSoundConnect NtUserRealInternalGetMessage NtUserBroadcastThemeChangeEvent
This program may crash the operation system, affect it stability, which may result in data lost or program crash itself. You use it at your own risk.
NTCALL64 comes with full source code written in C with tiny assembler usage. In order to build from source you need Microsoft Visual Studio 2015 and later versions.
(c) 2016 NTCALL64 Project
Original NtCall by Peter Kosyh aka Gloomy (c) 2001, http://gl00my.chat.ru/