Untitled

#include <iostream>
#include <strsafe.h>
#include <wtypes.h>
#include <winnt.h>

typedef _Return_type_success_(return >= 0) LONG NTSTATUS;
#define NT_SUCCESS(Status) (((NTSTATUS)(Status) >= 0))
#define OBJ_CASE_INSENSITIVE                    0x00000040L

typedef struct _UNICODE_STRING
{
   USHORT Length;
   USHORT MaximumLength;
   PWSTR  Buffer;
} UNICODE_STRING, * PUNICODE_STRING;

typedef struct _OBJECT_ATTRIBUTES
{
   ULONG Length;
   HANDLE RootDirectory;
   PUNICODE_STRING ObjectName;
   ULONG Attributes;
   PVOID SecurityDescriptor;
   PVOID SecurityQualityOfService;
} OBJECT_ATTRIBUTES, * POBJECT_ATTRIBUTES;

template< typename modHandleType, typename procNameType >
auto getProcAddressOrThrow(modHandleType modHandle, procNameType procName) {
   auto address = GetProcAddress(modHandle, procName);
   if (address == nullptr) throw std::exception{ (std::string{"Error importing: "} + (std::string{procName})).c_str() };
   return address;
}

#define CONCAT( id1, id2 ) id1##id2
// Notice- the comma operator is used to make sure the dll is loaded, discard the result- then getModuleHandle is used

#define IMPORTAPI( DLLFILE, FUNCNAME, RETTYPE, ... )                                                                        \
   typedef RETTYPE( WINAPI* CONCAT( t_, FUNCNAME ) )( __VA_ARGS__ );                                                        \
   template< typename... Ts >                                                                                               \
   auto FUNCNAME( Ts... ts ) {                                                                                              \
      const static CONCAT( t_, FUNCNAME ) func =                                                                            \
       (CONCAT( t_, FUNCNAME )) getProcAddressOrThrow( ( LoadLibrary( DLLFILE ), GetModuleHandle( DLLFILE ) ), #FUNCNAME ); \
      return func( std::forward< Ts >( ts )... );                                                                           \
   };

IMPORTAPI(L"ntdll.dll", RtlNtStatusToDosError, NTSTATUS, NTSTATUS )
IMPORTAPI( L"ntdll.dll", NtCreateSymbolicLinkObject, NTSTATUS, PHANDLE  , ACCESS_MASK  , POBJECT_ATTRIBUTES  , PUNICODE_STRING  )

void ErrorExit(LPTSTR lpszFunction,NTSTATUS ntstatus)
{
   LPVOID lpMsgBuf;
   LPVOID lpDisplayBuf;
   DWORD dw = RtlNtStatusToDosError(ntstatus) ;

   FormatMessage(
      FORMAT_MESSAGE_ALLOCATE_BUFFER |
      FORMAT_MESSAGE_FROM_SYSTEM |
      FORMAT_MESSAGE_IGNORE_INSERTS,
      NULL,
      dw,
      MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
      (LPTSTR)&lpMsgBuf,
      0, NULL);

   lpDisplayBuf = (LPVOID)LocalAlloc(LMEM_ZEROINIT, (lstrlen((LPCTSTR)lpMsgBuf) + lstrlen((LPCTSTR)lpszFunction) + 40) * sizeof(TCHAR));
   StringCchPrintf( (LPTSTR)lpDisplayBuf, LocalSize(lpDisplayBuf) / sizeof(TCHAR), TEXT("%s failed with error %d: %s"), lpszFunction, dw, lpMsgBuf );

   MessageBox(NULL, (LPCTSTR)lpDisplayBuf, TEXT("Error"), MB_OK);

   LocalFree(lpMsgBuf);
   LocalFree(lpDisplayBuf);
   ExitProcess(dw);
}

int main()
{
   HANDLE SymbolicLinkHandle;
   UNICODE_STRING dest{ 8, 8, []() { static auto dest = (wchar_t*)L"\\NUL"; return dest; }() };

   UNICODE_STRING link{ 28, 28, []() { static auto dest = (wchar_t*)L"\\??\\GLOBALROOT"; return dest; }() };
   OBJECT_ATTRIBUTES oa{ sizeof(OBJECT_ATTRIBUTES), 0, &link, OBJ_CASE_INSENSITIVE, nullptr, nullptr };

   auto symlink_status = NtCreateSymbolicLinkObject( &SymbolicLinkHandle, MAXIMUM_ALLOWED, &oa, &dest );
   if ( ! (NT_SUCCESS(symlink_status))) { ErrorExit((wchar_t*)L"NtCreateSymbolicLinkObject", symlink_status); };

   std::cout << "Created \\??\\GLOBALROOT -> \\NUL - Immunity archived" << std::endl;

   system("pause");
 }