Code examples for each step needed to call ValidateHwnd, or any other Validate method in win32kbase.
// for example's sake, assume all of these are predefined: ValidateHwnd, wnd_handle
// Returns the Win32Thread pointer the kernel currently associates with this
// ETHREAD (PsGetThreadWin32Thread). May be null — set_win32 checks for that.
void* ethread::get_win32() {
    void* const w32 = PsGetThreadWin32Thread(ethr);
    return w32;
}
// Replaces this thread's Win32Thread pointer with `new_`.
//
// The swap is done with two PsSetThreadWin32Thread calls — first clearing the
// existing value, then installing the new one — in the exact order the original
// used. The previous pointer is handed back through `buffer` so the caller can
// restore it, but only when both `buffer` and the previous value are non-null;
// with a null previous value `buffer` is left untouched, so callers are expected
// to pre-initialise it.
void ethread::set_win32(void* new_, void* buffer) {
    void* const previous = get_win32();

    PsSetThreadWin32Thread(ethr, nullptr, previous);   // clear the current association
    PsSetThreadWin32Thread(ethr, new_, nullptr);       // install the replacement

    if (previous == nullptr || buffer == nullptr)
        return;
    *static_cast<void**>(buffer) = previous;
}
// offsets::ApcStateIndex = 0x24a; valid on Windows 10 1507 through 2004 only
// Reads the one-byte ApcStateIndex field of the thread object through
// memory::kernel::read, at utils::offsets::ApcStateIndex from the ETHREAD base.
// The offset is build-specific (see the comment above utils::offsets::ApcStateIndex);
// on a build where it differs, this returns an unrelated byte.
byte ethread::get_apc_index() {
    const auto field = reinterpret_cast<uint64_t>(ethr) + utils::offsets::ApcStateIndex;
    byte value{};
    memory::kernel::read(reinterpret_cast<void*>(field), &value, sizeof value);
    return value;
}
// Overwrites the thread's ApcStateIndex byte with `new_` through memory::kernel::write.
// When `buffer` is non-null the current value (read via get_apc_index) is saved into
// it first so the caller can put it back. Same caveat as get_apc_index: this is a raw
// byte write at a build-specific offset into the thread object, so a wrong offset
// corrupts an unrelated field.
void ethread::set_apc_index(byte new_, void* buffer) {
    if (buffer != nullptr) {
        const byte previous = get_apc_index();
        *static_cast<byte*>(buffer) = previous;
    }

    const auto field = reinterpret_cast<uint64_t>(ethr) + utils::offsets::ApcStateIndex;
    memory::kernel::write(reinterpret_cast<void*>(field), &new_, sizeof new_);
}
// Calling code. Sequence: attach to explorer.exe, point the current thread at the
// Win32Thread of one of explorer's threads, patch ApcStateIndex, call ValidateHwnd,
// then undo both patches and detach.
// NOTE(review): the undo steps run only on the straight-line path. If ValidateHwnd
// (or anything between set_win32 and the cleanup) faults or bails out, the calling
// thread keeps a foreign Win32Thread pointer and a modified ApcStateIndex — an
// inconsistent kernel thread state that outlives this block. Both byte patches also
// depend on utils::offsets::ApcStateIndex matching the running build (see get_apc_index).
modules::eprocess explorer = "explorer.exe"; KAPC_STATE apc = {};
if (explorer.attach(apc)) {
// attached to explorer; ValidateHwnd looks up the caller with KeGetCurrentThread,
// so it is the current thread's ETHREAD that must carry a usable win32 thread
modules::ethread current = KeGetCurrentThread(); // same method used by ValidateHwnd
// borrow the Win32Thread of the thread returned by explorer.find_thread(0) so
// W32GetThreadWin32Thread has a valid pointer to return. old_win32 stays NULL when
// the current thread had no win32 thread — set_win32 only stores a non-null previous value
void* old_win32 = NULL;
current.set_win32(modules::ethread(explorer.find_thread(0)).get_win32(), &old_win32);
// ApcStateIndex = OriginalApcEnvironment makes IsThreadCrossSessionAttached skip its
// session check; the previous byte is saved so it can be put back below
byte old_state_index = NULL;
current.set_apc_index(OriginalApcEnvironment, &old_state_index);
wnd_k* inst = ValidateHwnd(wnd_handle);
print("wnd_inst: %p\n", inst); // inst is a kernel-mode pointer; print() is project-local, sink unknown from here
// cleanup: restore both fields, then detach from explorer
current.set_win32(old_win32, NULL);
current.set_apc_index(old_state_index, NULL);
explorer.detach(apc);
}