pdfwkrnl-exploit/README.md
2025-05-28 19:21:22 -06:00

Simple method.

```c
__int64 NtCompareSigningLevels()
{
  int v0; // eax

  v0 = 0;
  if ( function_pointer )
    v0 = ((__int64 (*)(void))function_pointer)();
  return v0 == 0 ? 0xC0000428 : 0;
}
```

This loads a qword into r9 from a variable.

We use pdfwkrnl's vulnerable memcpy function to swap this pointer to our kernel function.