4.4 RopRelease ROP Request

In the RopRelease ROP request scenario, the buffer contains a pair of RopRelease ROP requests (section 2.2.15.3). These two ROPs are releasing two different Server objects, based on the different Server object handles that they reference.

 08 00 01 00 00 01 00 01 6F 00 00 00 6E 00 00 00

RopSize: 08 00

Rops:

RopId: 01 (RopRelease)

LogonId: 00

InputHandleIndex: 00

RopId: 01 (RopRelease)

LogonId: 00

InputHandleIndex: 01

ServerObjectHandleTable:

6F 00 00 00 (Handle 0, input of first RopRelease)

6E 00 00 00 (Handle 1, input of second RopRelease)