Nah, Remko. I told you the second parameter in WinStationShadow() must be a string (LPCWSTR or PWideChar respectively). So NULL (nil) will just be an empty string then ... no idea what should be the contents, though. But it's definitely a string param. Also remember I told you that WinStationShadowStop() takes 3 parameters (check your chat logs). I haven't found out what the third parameter is, though. Use ULONG and 0 now. But if you declare it with two parameters only your stack will be unbalanced after every call!!!!
Code:
// 5 parameters; the second one is a string (pass an empty one if you have nothing better)
BOOLEAN __stdcall WinStationShadow(
    HANDLE hServer, LPCWSTR lpwszUnknownString, ULONG SessionID, ULONG KeyCode, ULONG KeyModifier);
// 3 parameters! The third one is unknown; use ULONG and pass 0 for now
BOOLEAN __stdcall WinStationShadowStop(
    HANDLE hServer, ULONG SessionID, ULONG Unknown);
-1 for the session ID will cause the function to retrieve the default value of the current process' WindowStation from Teb.Peb.Win32WindowStation
Code:
mov eax, large fs:18h ; TEB
mov eax, [eax+30h] ; TEB.Peb
mov eax, [eax+1D4h] ; PEB.Win32WindowStation
NULL for the hServer parameter causes the function to call the (non-exported) function WinStationOpenLocalServer() and retrieve the handle to the local server.
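Since the reply is aimed at a Delphi import (nil, PWideChar), here is an added example of how those two prototypes look as Delphi declarations with the parameter counts the post gives, resolved at run time so a missing export fails cleanly instead of at load time. This is not code from the post or from winsta.dll's documentation; the unit name, the parameter names UnknownString and Reserved, the wrapper functions and the choice to resolve the exports dynamically are my own assumptions. What the post does state is reused as-is: five stdcall parameters for WinStationShadow with the second one being a string, three for WinStationShadowStop with 0 as the third, hServer = NULL (0) meaning the local server, and SessionID = -1 meaning the caller's own session. The post gives no values for KeyCode and KeyModifier, so the wrappers simply pass them through.

```pascal
unit WinStaShadowDecl;

{ Added example, not from the original post. Delphi declarations for the two
  undocumented winsta.dll exports discussed above. Assumptions: unit name,
  parameter names UnknownString / Reserved, wrapper functions. Parameter
  counts and the meaning of hServer = 0 and SessionId = ULONG(-1) are taken
  from the post. }

interface

uses
  Windows;

type
  // 5 parameters, all 32-bit, cleaned up by the callee under stdcall (20 bytes)
  TWinStationShadow = function(hServer: THandle; UnknownString: PWideChar;
    SessionId, KeyCode, KeyModifier: ULONG): Boolean; stdcall;
  // 3 parameters: declaring only two leaves the stack unbalanced after every call
  TWinStationShadowStop = function(hServer: THandle; SessionId: ULONG;
    Reserved: ULONG): Boolean; stdcall;

function WinStaShadowAvailable: Boolean;
function StartShadow(SessionId, KeyCode, KeyModifier: ULONG): Boolean;
function StopShadow(SessionId: ULONG): Boolean;

implementation

var
  WinStaModule: HMODULE = 0;
  WinStationShadow: TWinStationShadow = nil;
  WinStationShadowStop: TWinStationShadowStop = nil;

// Load winsta.dll once and resolve both exports; False if either is missing
function WinStaShadowAvailable: Boolean;
begin
  if WinStaModule = 0 then
  begin
    WinStaModule := LoadLibrary('winsta.dll');
    if WinStaModule <> 0 then
    begin
      @WinStationShadow := GetProcAddress(WinStaModule, 'WinStationShadow');
      @WinStationShadowStop := GetProcAddress(WinStaModule, 'WinStationShadowStop');
    end;
  end;
  Result := Assigned(WinStationShadow) and Assigned(WinStationShadowStop);
end;

function StartShadow(SessionId, KeyCode, KeyModifier: ULONG): Boolean;
begin
  Result := False;
  if not WinStaShadowAvailable then Exit;
  // hServer = 0: the function opens the local server itself.
  // The second parameter must be a string, so pass '' rather than nil.
  // SessionId = ULONG(-1) selects the caller's own session.
  Result := WinStationShadow(0, '', SessionId, KeyCode, KeyModifier);
end;

function StopShadow(SessionId: ULONG): Boolean;
begin
  Result := False;
  if not WinStaShadowAvailable then Exit;
  // The third parameter is unknown; 0 is what the post recommends.
  Result := WinStationShadowStop(0, SessionId, 0);
end;

initialization

finalization
  if WinStaModule <> 0 then
    FreeLibrary(WinStaModule);

end.
```

The point of the typed function pointers is that the stdcall arity is fixed in one place: if WinStationShadowStop were declared with two parameters, the callee would still pop 12 bytes while the caller pushed 8, and the imbalance would only surface as a crash some calls later. Keeping the declaration next to the loader makes that contract explicit and easy to review.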