ropshell> use 7450dd3ddf93a83f69c64c82b539212a (download)
name         : win32kfull.sys (x86_64/PE)
base address : 0x1c0001000
total gadgets: 13056

ropshell> suggest "stack pivoting"
> 0x1c0009c99 : xchg eax, esp; ret
> 0x1c00dfddc : mov rsp, r11; pop r12; ret
> 0x1c00dfddd : mov esp, ebx; pop r12; ret
> 0x1c0239f13 : mov esp, ebp; jmp [rdi + rcx]
> 0x1c00db85b : lea esp, [rdi]; add [rax - 0x75], cl; sbb [rax - 0x7f], cl; ret
> 0x1c026d080 : push rcx; or [rax - 0x77], cl; adc ecx, [rax - 0x75]; pop rsp; and al, 8; ret
> 0x1c0233161 : leave ; ret