Microsoft Windows Kernel Pool Address Derivation

Posted by deepcore on November 16, 2017 – 8:33 pm

The OpenType ATMFD.DLL kernel-mode font driver on Windows exposes an undocumented “escape” interface, handled by the standard DrvEscape and DrvFontManagement entry points implemented by the module. The interface is very similar in nature to a buffered IOCTL, and handles 13 different operation codes in the numerical range 0x2502 to 0x2514. It is reachable from user-mode applications through the exported (but undocumented) gdi32!NamedEscape function, which internally invokes the NtGdiExtEscape syscall.
