Microsoft's latest patch fixes the vulnerability CVE-2015-0057. On the same day, the vulnerability's discoverers published their analysis, "One-Bit To Rule Them All: Bypassing Windows' 10 Protections using a Single Bit". After reading the article, I wanted to try to construct a sample. I originally thought it would be very simple, but I ran into a few questions along the way, so I am sharing them here in the hope of discussing them with everyone.
Since the analysis in the article says the vulnerability is caused by xxxEnableWndSBArrows, I used CreateWindowEx to create a ScrollBar and then called EnableScrollBar, so that xxxDrawScrollBar is executed. According to the description in the article, the complete flow is as follows:
The result was that execution could reach xxxGetColorObjects but could never get to xxxDefWindowProc, because `(*((_WORD *)P + 0x15) & 0x3FFF) == 0x29A` was always true. After finally googling it, I found that this check determines whether the current window is a ScrollBar.
`*((_WORD *)P + 0x15)` is the FNID, which is set by NtUserSetWindowFNID when the window is created. In the ReactOS code you can see that Windows has the following FNIDs:
```c
// FNID's for NtUserSetWindowFNID
#define FNID_BUTTON    0x02A1
#define FNID_COMBOBOX  0x02A2
#define FNID_COMBOLBOX 0x02A3
#define FNID_DIALOG    0x02A4
#define FNID_EDIT      0x02A5
#define FNID_LISTBOX   0x02A6
#define FNID_MDICLIENT 0x02A7
#define FNID_STATIC    0x02A8
#define FNID_IME       0x02A9
```
In NtUserSetWindowFNID you can see that `*(_WORD *)(v2 + 0x2A)` is the value being set, and `(_WORD *)P + 0x15` points to the same field that `*(_WORD *)(v2 + 0x2A)` writes (WORD index 0x15 is byte offset 0x2A).
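To make the check and the offset arithmetic above concrete, here is a small added example (my own code, not from this post, the enSilo article, or ReactOS). It models only the FNID field of the kernel window object in a constructed stand-in structure, writes it through the `*(_WORD *)(v2 + 0x2A)` form seen in NtUserSetWindowFNID, reads it back through the `*((_WORD *)P + 0x15)` form seen on the xxxDrawScrollBar path, and applies the `& 0x3FFF` / `== 0x29A` test. The name `FNID_SCROLLBAR` for 0x029A is taken from ReactOS; the values for the other classes are the ones quoted above. The mask keeps the low 14 bits, so a FNID word with its top two bits set still passes the ScrollBar test, which the sample values show.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* FNID values from the ReactOS header lines quoted above.  FNID_SCROLLBAR is the
 * ReactOS name for 0x029A, the constant the kernel check in the post compares against. */
#define FNID_SCROLLBAR 0x029A
#define FNID_BUTTON    0x02A1
#define FNID_COMBOBOX  0x02A2
#define FNID_COMBOLBOX 0x02A3
#define FNID_DIALOG    0x02A4
#define FNID_EDIT      0x02A5
#define FNID_LISTBOX   0x02A6
#define FNID_MDICLIENT 0x02A7
#define FNID_STATIC    0x02A8
#define FNID_IME       0x02A9

/* The kernel check keeps only the low 14 bits of the FNID word. */
#define FNID_MASK 0x3FFF

/* Location of the FNID field as derived in the post: (_WORD *)P + 0x15 is WORD
 * index 0x15, i.e. byte offset 0x15 * 2 = 0x2A, the offset NtUserSetWindowFNID
 * writes through *(_WORD *)(v2 + 0x2A). */
#define WND_FNID_WORD_INDEX  0x15
#define WND_FNID_BYTE_OFFSET 0x2A

/* Constructed stand-in for the kernel window object.  Only the FNID position is
 * modelled; the real tagWND is far larger and is not reproduced here. */
typedef struct {
    uint16_t words[0x20];   /* 0x40 bytes, 2-byte aligned so the WORD casts are valid */
} fake_wnd_t;

/* Mirrors the assignment in NtUserSetWindowFNID: *(_WORD *)(v2 + 0x2A) = fnid. */
void wnd_set_fnid(void *v2, uint16_t fnid)
{
    *(uint16_t *)((uint8_t *)v2 + WND_FNID_BYTE_OFFSET) = fnid;
}

/* Mirrors the read on the xxxDrawScrollBar path: *((_WORD *)P + 0x15). */
uint16_t wnd_get_fnid(const void *P)
{
    return *((const uint16_t *)P + WND_FNID_WORD_INDEX);
}

/* The condition from the post, as decompiled:
 * (*((_WORD *)P + 0x15) & 0x3FFF) == 0x29A  ->  "this window is a ScrollBar". */
int wnd_is_scrollbar(const void *P)
{
    return (wnd_get_fnid(P) & FNID_MASK) == FNID_SCROLLBAR;
}

/* Maps an FNID word (possibly with high flag bits set) to the control class it denotes. */
const char *fnid_class_name(uint16_t fnid)
{
    switch (fnid & FNID_MASK) {
    case FNID_SCROLLBAR: return "ScrollBar";
    case FNID_BUTTON:    return "Button";
    case FNID_COMBOBOX:  return "ComboBox";
    case FNID_COMBOLBOX: return "ComboLBox";
    case FNID_DIALOG:    return "Dialog";
    case FNID_EDIT:      return "Edit";
    case FNID_LISTBOX:   return "ListBox";
    case FNID_MDICLIENT: return "MDIClient";
    case FNID_STATIC:    return "Static";
    case FNID_IME:       return "IME";
    default:             return "unknown FNID";
    }
}

/* Confirms that the write expression from NtUserSetWindowFNID and the read
 * expression from the xxxDrawScrollBar path address the same field. */
int fnid_offsets_match(void)
{
    fake_wnd_t w;
    memset(&w, 0, sizeof w);
    wnd_set_fnid(&w, FNID_EDIT);
    return wnd_get_fnid(&w) == FNID_EDIT;
}

int main(void)
{
    fake_wnd_t w;
    /* Constructed sample FNID words: plain ScrollBar, ScrollBar with the two high
     * bits set (still matches after the mask), a Button, and an unset field. */
    uint16_t samples[] = { FNID_SCROLLBAR, 0xC29A, FNID_BUTTON, 0x0000 };
    size_t i;

    memset(&w, 0, sizeof w);
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        wnd_set_fnid(&w, samples[i]);
        printf("FNID 0x%04X -> %-12s scrollbar check: %s\n", samples[i],
               fnid_class_name(samples[i]), wnd_is_scrollbar(&w) ? "true" : "false");
    }
    return fnid_offsets_match() ? 0 : 1;
}
```

Running it prints one line per sample; the second sample (0xC29A) shows why the mask matters: the decorated word still decodes to ScrollBar, so a window whose FNID carries flag bits in the top two positions takes the same branch as a plain 0x029A.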