- We know that the HRGN handle passed to GetDCEx needs to be the same handle as win32kbase!ghrgnGDC. This handle is shared, therefore we can get it from peb->GdiSharedHandleTable.
- We need to pass GetDCEx the correct flag, which is DCX_EXCLUDERGN.
- In order to trigger the crash, it is essential to enable special pool for win32kbase.sys and win32kfull.sys using Driver Verifier.
- We know that the crash occurs when Height * Width in PlgBlt is bigger than the bitmap dimensions.
- The crash occurs in win32kfull!GreUnlockRegion when trying to access freed memory.
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except.
Typically the address is just plain bad or it is pointing at freed memory.
Arguments:
Arg1: ffffd2018e77af2c, memory referenced.
Arg2: 0000000000000002, value 0 = read operation, 1 = write operation.
Arg3: ffffd22d6924e50b, If non-zero, the instruction address which referenced the bad memory address.
Arg4: 0000000000000000, (reserved)

Stack at crash:
nt!DbgBreakPointWithStatus
nt!KiBugCheckDebugBreak+0x12
nt!KeBugCheck2+0x952
nt!KeBugCheckEx+0x107
nt!MiSystemFault+0x1d2ff1
nt!MmAccessFault+0x34f
nt!KiPageFault+0x35a
win32kbase!GreUnlockRegion+0xb
win32kfull!NtUserGetDCEx+0x94
nt!KiSystemServiceCopyEnd+0x25
win32u!NtUserGetDCEx+0x14
poc!main+0x80 [r:\poc\poc\main.c @ 68]

Registers at crash:
rax=0000000000000000 rbx=0000000000000000 rcx=ffffd2018e77af20
rdx=0000000000000001 rsi=0000000000000000 rdi=0000000000000000
rip=ffffd22d6924e50b rsp=ffff9f0fe56efa48 rbp=ffffd2018e77af20
 r8=0000000000000000  r9=0000000000000000 r10=0000000000000001
r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei ng nz na pe nc
win32kbase!GreUnlockRegion+0xb:
ffffd22d`6924e50b f0ff490c        lock dec dword ptr [rcx+0Ch] ds:ffffd201`8e77af2c=????????
- Compile the attached PoC and copy it to the target machine.
- Enable Driver Verifier with flags 0x9 for the win32k drivers (win32kbase.sys and win32kfull.sys).
- Run the compiled PoC; the machine will crash with a BSOD.