User-mode Function Pointer Hook

If a vulnerability is triggered in the context of a process then the doors open up to a whole wide array of possibilities. For instance, the FastPebLockRoutine could be hooked to call into some code that is present in SharedUserData prior to calling the real lock routine. This is just one example of the different types of function pointers that could be hooked relative to a process.