ropshell> use 7450dd3ddf93a83f69c64c82b539212a (download)
name         : win32kfull.sys (x86_64/PE)
base address : 0x1c0001000
total gadgets: 13056

ropshell> suggest
call
    > 0x1c009006a : call rax
    > 0x1c0081911 : call rbx
    > 0x1c0005e96 : call rcx
    > 0x1c00022d3 : call rdx
    > 0x1c01afa8c : call rsi
jmp
    > 0x1c00ec070 : push rsp; ret
    > 0x1c008eda5 : jmp rax
    > 0x1c01502fe : jmp rbx
    > 0x1c0009833 : jmp rcx
    > 0x1c002104c : jmp rdx
load mem
    > 0x1c002b93f : mov rax, [rcx]; ret
    > 0x1c02b62cd : mov rax, [r8]; ret
    > 0x1c002b940 : mov eax, [rcx]; ret
    > 0x1c0150d10 : mov eax, [rdx]; ret
    > 0x1c012d910 : mov eax, [r8]; ret
load reg
    > 0x1c00101a4 : pop rax; ret
    > 0x1c0001142 : pop rbx; ret
    > 0x1c009b537 : pop rcx; ret
    > 0x1c01dd036 : pop rdx; ret
    > 0x1c0005b1b : pop rsi; ret
pop pop ret
    > 0x1c000349f : pop r12; ret
    > 0x1c0008088 : pop r12; pop rbp; ret
    > 0x1c000a0fa : pop r12; pop rdi; pop rbp; ret
    > 0x1c005654b : pop r12; pop rdi; pop rbx; pop rbp; ret
    > 0x1c0008a4c : pop r12; pop rdi; pop rsi; pop rbp; pop rbx; ret
sp lifting
    > 0x1c00be195 : add rsp, 0x18; ret
    > 0x1c00be195 : add rsp, 0x18; ret
    > 0x1c000c6fe : add rsp, 0x28; ret
    > 0x1c000aeab : add rsp, 0x38; ret
    > 0x1c0003bca : add rsp, 0x48; ret
stack pivoting
    > 0x1c0009c99 : xchg eax, esp; ret
    > 0x1c00dfddc : mov rsp, r11; pop r12; ret
    > 0x1c00dfddd : mov esp, ebx; pop r12; ret
    > 0x1c0239f13 : mov esp, ebp; jmp [rdi + rcx]
    > 0x1c00db85b : lea esp, [rdi]; add [rax - 0x75], cl; sbb [rax - 0x7f], cl; ret
syscall
    > 0x1c024807c : int 0x80; add cl, ch; ret
write mem
    > 0x1c01b184e : adc [rax], r8; ret
    > 0x1c0142a16 : adc [rax], ecx; ret
    > 0x1c02c3ff5 : add [rbx], ecx; ret
    > 0x1c029b59b : add [rbx], edi; ret
    > 0x1c01fc80f : add [rbx], ebp; ret