Windows 10 RS2/RS3 exploitation primitives
A vulnerable driver that imitates the bug that I found. It's a heap overflow in the session heap.
The deadlock-free technique to bypass the GDI pushlock mitigation.
Another technique based on reclaiming the heap block to bypass the GDI pushlock mitigation.
A pykd script that displays all the allowed/filtered system calls for each filter level. Make sure that you are in the process context of a process running in the session that you want to query.
```
$>.load pykd.pyd
$>!process 0 0 explorer.exe
PROCESS fffffa800330fb10
    SessionId: 1  Cid: 0580    Peb: 7fffffd7000  ParentCid: 0374
    DirBase: 0cf72000  ObjectTable: fffff8a0013d6c10  HandleCount: 595.
    Image: explorer.exe
$>.process /i /r fffffa800330fb10
$>g
$>!py filter.py 5 5 0
win32k!_stub_UserSetWindowFeedbackSetting 0x146b
win32k!_stub_UserTransformPoint 0x147c
win32k!_stub_UserTransformRect 0x147d
....
```