Connected to Windows 7 7601 x86 compatible target at (Sat Mar 21 11:01:55.519 2015 (UTC + 1:00)), ptr64 FALSE
Kernel Debugger connection established.
Symbol search path is: srv*c:\symbols*http://msdl.microsoft.com/download/symbols;srv*c:\symbols*http://chromium-browser-symsrv.commondatastorage.googleapis.comSRV*c:\symbols\*http://symbols.mozilla.org/firefox;srv*c:\symbols*https://chromium-browser-symsrv.commondatastorage.googleapis.com
Executable search path is: 
Windows 7 Kernel Version 7601 MP (1 procs) Free x86 compatible
Built by: 7601.18741.x86fre.win7sp1_gdr.150202-1526
Machine Name:
Kernel base = 0x82a3e000 PsLoadedModuleList = 0x82b885b0
System Uptime: not available
nt!DbgLoadImageSymbols+0x47:
82a56578 cc              int     3
kd> g
KDTARGET: Refreshing KD connection
*******************************************************************************
*
* This is the string you add to your checkin description
* Driver Verifier: Enabled for win32k.sys on Build 7601 Swoke0cxHt9I3y4CfWvmAH
*
*******************************************************************************
nt!DbgLoadImageSymbols+0x47:
82a56578 cc              int     3
1: kd> g
Access violation - code c0000005 (!!! second chance !!!)
win32k!xxxDoPaint+0x2b:
94923618 837e6800        cmp     dword ptr [esi+68h],0

1: kd> r
eax=8a19b9c8 ebx=fe3bedd8 ecx=00360031 edx=00000020 esi=00000000 edi=00000020
eip=94923618 esp=95233b14 ebp=95233b20 iopl=0         nv up ei ng nz na po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010282
win32k!xxxDoPaint+0x2b:
94923618 837e6800        cmp     dword ptr [esi+68h],0 ds:0023:00000068=????????

esi is 0x0 in this case, so the read of [esi+68h] faults on address 0x68.

Code in xxxDoPaint:
.text:BF8C34A6 ; __stdcall xxxDoPaint(x, x)
.text:BF8C34A6 _xxxDoPaint@8   proc near               ; CODE XREF: xxxRealInternalGetMessage(x,x,x,x,x,x)+397p
.text:BF8C34A6
.text:BF8C34A6 arg_0           = dword ptr  8
.text:BF8C34A6 arg_4           = dword ptr  0Ch
.text:BF8C34A6
.text:BF8C34A6                 mov     edi, edi
.text:BF8C34A8                 push    ebp
.text:BF8C34A9                 mov     ebp, esp
.text:BF8C34AB                 push    ebx
.text:BF8C34AC                 mov     ebx, _gptiCurrent
.text:BF8C34B2                 test    byte ptr [ebx+0D8h], 4
.text:BF8C34B9                 push    esi
.text:BF8C34BA                 push    edi
.text:BF8C34BB                 jz      short loc_BF8C3503
.text:BF8C34BD                 mov     eax, [ebx+108h]
.text:BF8C34C3                 test    eax, eax
.text:BF8C34C5                 jz      loc_BF8C35C5
.text:BF8C34CB                 mov     ecx, [eax+0Ch]
.text:BF8C34CE                 mov     esi, [ecx+4]
.text:BF8C34D1                 cmp     dword ptr [esi+68h], 0
.text:BF8C34D5                 jnz     short loc_BF8C3517
.text:BF8C34D7                 test    byte ptr [esi+15h], 10h
.text:BF8C34DB                 jnz     short loc_BF8C3517
.text:BF8C34DD                 mov     edi, [eax+8]
.text:BF8C34E0                 test    edi, edi
.text:BF8C34E2                 jz      loc_BF8C35C5
.text:BF8C34E8
.text:BF8C34E8 loc_BF8C34E8:                           ; CODE XREF: xxxDoPaint(x,x)+59j
.text:BF8C34E8                 mov     eax, [edi+4]
.text:BF8C34EB                 push    ebx
.text:BF8C34EC                 push    dword ptr [eax+8]
.text:BF8C34EF                 call    _xxxInternalDoPaint@8 ; xxxInternalDoPaint(x,x)


ebx holds the current THREADINFO object (gptiCurrent), from which the WindowStation pointer is read at offset 0x108:
ebx = fe3bedd8

1: kd> dt win32k!tagTHREADINFO fe3bedd8
 ...
   +0x108 pwinsta          : 0x8a19b9c8 tagWINDOWSTATION
 ...

The WindowStation is at 0x8a19b9c8.

1: kd> dd 0x8a19b9c8
8a19b9c8  007b005f 00390041 00430043 00360031
8a19b9d8  00320045 0037002d 00440042 002d0033
8a19b9e8  00340034 00350046 0042002d 00330042
8a19b9f8  002d0030 00420037 00440042 00390039
8a19ba08  00320042 00370042 00370030 0000007d
8a19ba18  00650078 8a5d3518 08190014 e56c6946
8a19ba28  8a5b4a90 000000f8 00000000 00000000
8a19ba38  00000000 00000000 851fb4c0 89ca6328

The WindowStation object has been freed and its memory reused for a wide-character string, so the values now read from it as pointers (e.g. the 00360031 loaded into ecx) point into usermode.

We control the first argument to the _xxxInternalDoPaint call, which offers multiple ways of turning this into a controlled write.
