Gives code examples for all the necessary steps in order to call ValidateHwnd or any other Validate method in win32kbase.

fixing_validatehwnd_call.cpp

// for examples sake, lets say all of these are pre defined: ValidateHwnd, wnd_handle

void* ethread::get_win32() {
	return PsGetThreadWin32Thread(ethr);
}

void ethread::set_win32(void* new_, void* buffer) {
	void* current = get_win32();
	PsSetThreadWin32Thread(ethr, NULL, current); // reset win32
	PsSetThreadWin32Thread(ethr, new_, NULL); // modify win32

	if (buffer && current)
		*reinterpret_cast<void**>(buffer) = current;
}

// offsets::ApcStateIndex = 0x24a; Works between Win10 1507 - 2004
byte ethread::get_apc_index() {
	byte result = NULL;
	memory::kernel::read(reinterpret_cast<void*>(reinterpret_cast<uint64_t>(ethr) + utils::offsets::ApcStateIndex), &result, sizeof(byte));

	return result;
}

void ethread::set_apc_index(byte new_, void* buffer) {
	if (buffer)
		*reinterpret_cast<byte*>(buffer) = get_apc_index();

	memory::kernel::write(reinterpret_cast<void*>(reinterpret_cast<uint64_t>(ethr) + utils::offsets::ApcStateIndex), &new_, sizeof(byte));
}

// wrapping code
modules::eprocess explorer = "explorer.exe"; KAPC_STATE apc = {};
if (explorer.attach(apc)) {
	// attached to explorer, must set current thread win32 thread
	modules::ethread current = KeGetCurrentThread(); // same method used by ValidateHwnd
	
	// setting win32, guarantees W32GetThreadWin32Thread will have a valid win32 to return
	void* old_win32 = NULL;
	current.set_win32(modules::ethread(explorer.find_thread(0)).get_win32(), &old_win32);
	
	// setting ApcStateIndex, guarantees IsThreadCrossSessionAttached skips the session check
	byte old_state_index = NULL;
	current.set_apc_index(OriginalApcEnvironment, &old_state_index);
	
	wnd_k* inst = ValidateHwnd(wnd_handle);
	print("wnd_inst: %p\n", inst);
	
	// cleanup
	current.set_win32(old_win32, NULL);
	current.set_apc_index(old_state_index, NULL);
	explorer.detach(apc);
}