Change name to lpus

nganhkhoa 2020-06-11 17:16:40 +07:00
parent 7e009b6bfe
commit 533666baab
16 changed files with 1840 additions and 2525 deletions


@ -1,24 +0,0 @@
00000001 0.00000000 [NAK] :: [ ] Hello from Kernel, setup a few things
00000002 0.00001790 [NAK] :: [+] Setup completed, GO GO GO !!!!
00000003 0.00003500 [NAK] :: [ ] Windows version : 10.0.19564
00000004 0.00003650 [NAK] :: [ ] Detected windows : 2020 Fast Ring
00000005 0.00003880 [NAK] :: [ ] eprocess : 0xFFFFB0078D8BE040, [ System]
00000006 0.00004050 [NAK] :: [ ] PsActiveProcessHead : 0xFFFFF80465E1F970
00000007 0.00004200 [NAK] :: [ ] ntoskrnl.exe : 0xFFFFF80465200000
00000008 0.00004350 [NAK] :: [ ] nt!MiState : 0xFFFFF80465E4F200
00000009 0.00004500 [NAK] :: [ ] &systemNonPageInfo : 0xFFFFD10180016010
00000010 0.00004640 [NAK] :: [ ] &NonPagedPoolFirstVa : 0xFFFFD10180016070
00000011 0.00004790 [NAK] :: [ ] &NonPagedPoolLastVa : 0xFFFFD10180016078
00000012 0.00004970 [NAK] :: [+] nonPagedPoolStart : 0xffffb00000000000
00000013 0.00005130 [NAK] :: [+] nonPagedPoolEnd : 0xffffc00000000000
00000014 0.00005230 [NAK] :: [+] Scanning
00000015 0.08150540 [NAK] :: [+] ==== PoolStart 0xFFFFB0078D8BE000 ====
00000016 0.08150930 [NAK] :: [|] PreviousSize : 0x0
00000017 0.08151110 [NAK] :: [|] PoolIndex : 0xfb
00000018 0.08151260 [NAK] :: [|] BlockSize : 0xf00
00000019 0.08151400 [NAK] :: [|] PoolType : 0x2
00000020 0.08151630 [NAK] :: [|] PoolTag : 0x636f7250 [Proc]
00000021 0.08151850 [NAK] :: [+] ==== PoolEnd 0xFFFFB0078D8BE000 ====
00000022 0.08152020 [NAK] :: [+] HEY EPROCESS POOL CHUNK
00000023 0.08152160 [NAK] :: [+] Finish scanning
00000024 2.03572369 [NAK] :: [+] Goodbye from Kernel


@ -1,51 +1,51 @@

Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio Version 16
VisualStudioVersion = 16.0.29409.12
MinimumVisualStudioVersion = 10.0.40219.1
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "KMDF Driver2", "KMDF Driver2\KMDF Driver2.vcxproj", "{905D3C7D-3EAD-4977-975E-B1FFD3E6FBE4}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|ARM = Debug|ARM
Debug|ARM64 = Debug|ARM64
Debug|x64 = Debug|x64
Debug|x86 = Debug|x86
Release|ARM = Release|ARM
Release|ARM64 = Release|ARM64
Release|x64 = Release|x64
Release|x86 = Release|x86
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{905D3C7D-3EAD-4977-975E-B1FFD3E6FBE4}.Debug|ARM.ActiveCfg = Debug|ARM
{905D3C7D-3EAD-4977-975E-B1FFD3E6FBE4}.Debug|ARM.Build.0 = Debug|ARM
{905D3C7D-3EAD-4977-975E-B1FFD3E6FBE4}.Debug|ARM.Deploy.0 = Debug|ARM
{905D3C7D-3EAD-4977-975E-B1FFD3E6FBE4}.Debug|ARM64.ActiveCfg = Debug|ARM64
{905D3C7D-3EAD-4977-975E-B1FFD3E6FBE4}.Debug|ARM64.Build.0 = Debug|ARM64
{905D3C7D-3EAD-4977-975E-B1FFD3E6FBE4}.Debug|ARM64.Deploy.0 = Debug|ARM64
{905D3C7D-3EAD-4977-975E-B1FFD3E6FBE4}.Debug|x64.ActiveCfg = Debug|x64
{905D3C7D-3EAD-4977-975E-B1FFD3E6FBE4}.Debug|x64.Build.0 = Debug|x64
{905D3C7D-3EAD-4977-975E-B1FFD3E6FBE4}.Debug|x64.Deploy.0 = Debug|x64
{905D3C7D-3EAD-4977-975E-B1FFD3E6FBE4}.Debug|x86.ActiveCfg = Debug|x64
{905D3C7D-3EAD-4977-975E-B1FFD3E6FBE4}.Debug|x86.Build.0 = Debug|x64
{905D3C7D-3EAD-4977-975E-B1FFD3E6FBE4}.Debug|x86.Deploy.0 = Debug|x64
{905D3C7D-3EAD-4977-975E-B1FFD3E6FBE4}.Release|ARM.ActiveCfg = Release|ARM
{905D3C7D-3EAD-4977-975E-B1FFD3E6FBE4}.Release|ARM.Build.0 = Release|ARM
{905D3C7D-3EAD-4977-975E-B1FFD3E6FBE4}.Release|ARM.Deploy.0 = Release|ARM
{905D3C7D-3EAD-4977-975E-B1FFD3E6FBE4}.Release|ARM64.ActiveCfg = Release|ARM64
{905D3C7D-3EAD-4977-975E-B1FFD3E6FBE4}.Release|ARM64.Build.0 = Release|ARM64
{905D3C7D-3EAD-4977-975E-B1FFD3E6FBE4}.Release|ARM64.Deploy.0 = Release|ARM64
{905D3C7D-3EAD-4977-975E-B1FFD3E6FBE4}.Release|x64.ActiveCfg = Release|x64
{905D3C7D-3EAD-4977-975E-B1FFD3E6FBE4}.Release|x64.Build.0 = Release|x64
{905D3C7D-3EAD-4977-975E-B1FFD3E6FBE4}.Release|x64.Deploy.0 = Release|x64
{905D3C7D-3EAD-4977-975E-B1FFD3E6FBE4}.Release|x86.ActiveCfg = Release|Win32
{905D3C7D-3EAD-4977-975E-B1FFD3E6FBE4}.Release|x86.Build.0 = Release|Win32
{905D3C7D-3EAD-4977-975E-B1FFD3E6FBE4}.Release|x86.Deploy.0 = Release|Win32
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
GlobalSection(ExtensibilityGlobals) = postSolution
SolutionGuid = {BEF2B030-38D0-445E-8EE8-6A31B825389D}
EndGlobalSection
EndGlobal

Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio Version 16
VisualStudioVersion = 16.0.29409.12
MinimumVisualStudioVersion = 10.0.40219.1
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "lpus", "lpus\lpus.vcxproj", "{905D3C7D-3EAD-4977-975E-B1FFD3E6FBE4}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|ARM = Debug|ARM
Debug|ARM64 = Debug|ARM64
Debug|x64 = Debug|x64
Debug|x86 = Debug|x86
Release|ARM = Release|ARM
Release|ARM64 = Release|ARM64
Release|x64 = Release|x64
Release|x86 = Release|x86
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{905D3C7D-3EAD-4977-975E-B1FFD3E6FBE4}.Debug|ARM.ActiveCfg = Debug|ARM
{905D3C7D-3EAD-4977-975E-B1FFD3E6FBE4}.Debug|ARM.Build.0 = Debug|ARM
{905D3C7D-3EAD-4977-975E-B1FFD3E6FBE4}.Debug|ARM.Deploy.0 = Debug|ARM
{905D3C7D-3EAD-4977-975E-B1FFD3E6FBE4}.Debug|ARM64.ActiveCfg = Debug|ARM64
{905D3C7D-3EAD-4977-975E-B1FFD3E6FBE4}.Debug|ARM64.Build.0 = Debug|ARM64
{905D3C7D-3EAD-4977-975E-B1FFD3E6FBE4}.Debug|ARM64.Deploy.0 = Debug|ARM64
{905D3C7D-3EAD-4977-975E-B1FFD3E6FBE4}.Debug|x64.ActiveCfg = Debug|x64
{905D3C7D-3EAD-4977-975E-B1FFD3E6FBE4}.Debug|x64.Build.0 = Debug|x64
{905D3C7D-3EAD-4977-975E-B1FFD3E6FBE4}.Debug|x64.Deploy.0 = Debug|x64
{905D3C7D-3EAD-4977-975E-B1FFD3E6FBE4}.Debug|x86.ActiveCfg = Debug|x64
{905D3C7D-3EAD-4977-975E-B1FFD3E6FBE4}.Debug|x86.Build.0 = Debug|x64
{905D3C7D-3EAD-4977-975E-B1FFD3E6FBE4}.Debug|x86.Deploy.0 = Debug|x64
{905D3C7D-3EAD-4977-975E-B1FFD3E6FBE4}.Release|ARM.ActiveCfg = Release|ARM
{905D3C7D-3EAD-4977-975E-B1FFD3E6FBE4}.Release|ARM.Build.0 = Release|ARM
{905D3C7D-3EAD-4977-975E-B1FFD3E6FBE4}.Release|ARM.Deploy.0 = Release|ARM
{905D3C7D-3EAD-4977-975E-B1FFD3E6FBE4}.Release|ARM64.ActiveCfg = Release|ARM64
{905D3C7D-3EAD-4977-975E-B1FFD3E6FBE4}.Release|ARM64.Build.0 = Release|ARM64
{905D3C7D-3EAD-4977-975E-B1FFD3E6FBE4}.Release|ARM64.Deploy.0 = Release|ARM64
{905D3C7D-3EAD-4977-975E-B1FFD3E6FBE4}.Release|x64.ActiveCfg = Release|x64
{905D3C7D-3EAD-4977-975E-B1FFD3E6FBE4}.Release|x64.Build.0 = Release|x64
{905D3C7D-3EAD-4977-975E-B1FFD3E6FBE4}.Release|x64.Deploy.0 = Release|x64
{905D3C7D-3EAD-4977-975E-B1FFD3E6FBE4}.Release|x86.ActiveCfg = Release|Win32
{905D3C7D-3EAD-4977-975E-B1FFD3E6FBE4}.Release|x86.Build.0 = Release|Win32
{905D3C7D-3EAD-4977-975E-B1FFD3E6FBE4}.Release|x86.Deploy.0 = Release|Win32
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
GlobalSection(ExtensibilityGlobals) = postSolution
SolutionGuid = {BEF2B030-38D0-445E-8EE8-6A31B825389D}
EndGlobalSection
EndGlobal




@ -1,133 +1,133 @@
#include <wdm.h>
__declspec(dllexport)
__declspec(noinline)
void*
GetNtoskrnlBaseAddress()
{
//
// From Windows Internals part 1, chapter 2:
//
// "The kernel uses a data structure called the processor control region, or KPCR, to store
// processor-specific data. The KPCR contains basic information such as the processor's interrupt
// dispatch table(IDT), task - state segment(TSS), and global descriptor table(GDT). It also includes the
// interrupt controller state, which it shares with other modules, such as the ACPI driver and the HAL. To
// provide easy access to the KPCR, the kernel stores a pointer to it in the fs register on 32-bit Windows
// and in the gs register on an x64 Windows system."
//
//
// Let's view the address of KPCR of the current processor:
//
// 1: kd> dg gs
// P Si Gr Pr Lo
// Sel Base Limit Type l ze an es ng Flags
// ---- ---------------- - ---------------- - ---------- - -- -- -- -- --------
// 002B ffffd001`1972e000 00000000`ffffffff Data RW Ac 3 Bg Pg P Nl 00000cf3
//
// We only care about one field in KPCR which is IdtBase (it has been always at the offset 0x38):
//
// 1: kd> dt nt!_KPCR 0xffffd001`1972e000
// + 0x000 NtTib : _NT_TIB
// + 0x000 GdtBase : 0xffffd001`1973b8c0 _KGDTENTRY64
// + 0x008 TssBase : 0xffffd001`19734b40 _KTSS64
// + 0x010 UserRsp : 0x000000c0`87cffc18
// + 0x018 Self : 0xffffd001`1972e000 _KPCR
// + 0x020 CurrentPrcb : 0xffffd001`1972e180 _KPRCB
// + 0x028 LockArray : 0xffffd001`1972e7f0 _KSPIN_LOCK_QUEUE
// + 0x030 Used_Self : 0x000000c0`86875000 Void
// + 0x038 IdtBase : 0xffffd001`1973b930 _KIDTENTRY64 <- pointer to the IDT array
// ...
//
// The field is a pointer to an array of interrupt service routines in the following format:
//
// 1: kd> dt nt!_KIDTENTRY64
// +0x000 OffsetLow : Uint2B
// +0x002 Selector : Uint2B
// +0x004 IstIndex : Pos 0, 3 Bits --+
// +0x004 Reserved0 : Pos 3, 5 Bits |
// +0x004 Type : Pos 8, 5 Bits |
// +0x004 Dpl : Pos 13, 2 Bits |-> the interrupt service routine as a bitfield
// +0x004 Present : Pos 15, 1 Bit |
// +0x006 OffsetMiddle : Uint2B |
// +0x008 OffsetHigh : Uint4B --+
// +0x00c Reserved1 : Uint4B
// +0x000 Alignment : Uint8B
//
//
// These interrupt service routines are functions defined within the address space of ntoskrnl.exe. We will
// use this fact for searching for the base address of ntoskrnl.exe.
//
// Ensure that the structure is aligned on 1 byte boundary.
#pragma pack(push, 1)
typedef struct
{
UCHAR Padding[4];
PVOID InterruptServiceRoutine;
} IDT_ENTRY;
#pragma pack(pop)
// Find the address of IdtBase using gs register.
const auto idt_base = reinterpret_cast<IDT_ENTRY *>(__readgsqword(0x38));
// Find the address of the first (or any) interrupt service routine.
const auto first_isr_address = idt_base[0].InterruptServiceRoutine;
// Align the address on page boundary.
auto page_within_ntoskrnl = reinterpret_cast<uintptr_t>(first_isr_address) & ~static_cast<uintptr_t>(0xfff);
// Traverse pages backward until we find the PE signature (MZ) of ntoskrnl.exe in the beginning of some page.
while (*reinterpret_cast<const USHORT *>(page_within_ntoskrnl) != 0x5a4d)
{
page_within_ntoskrnl -= 0x1000;
}
// Now we have the base address of ntoskrnl.exe
return reinterpret_cast<void*>(page_within_ntoskrnl);
}
VOID
DriverUnload(PDRIVER_OBJECT driver_object)
{
UNREFERENCED_PARAMETER(driver_object);
}
EXTERN_C
NTSTATUS
DriverEntry(PDRIVER_OBJECT driver_object, PUNICODE_STRING registry_path)
{
UNREFERENCED_PARAMETER(registry_path);
driver_object->DriverUnload = DriverUnload;
// 0 : 65 48 8b 04 25 38 00 mov rax, QWORD PTR gs : 0x38
// 7 : 00 00
// 9 : b9 4d 5a 00 00 mov ecx, 0x5a4d
// e : 48 8b 40 04 mov rax, QWORD PTR[rax + 0x4]
// 12: 48 25 00 f0 ff ff and rax, 0xfffffffffffff000
// 18: eb 06 jmp 0x20
// 1a: 48 2d 00 10 00 00 sub rax, 0x1000
// 20: 66 39 08 cmp WORD PTR[rax], cx
// 23: 75 f5 jne 0x1a
// 25: c3 ret
static const UCHAR shellcode[] = {
0x65, 0x48, 0x8B, 0x04, 0x25, 0x38, 0x00, 0x00, 0x00, 0xB9, 0x4D, 0x5A, 0x00, 0x00, 0x48, 0x8B,
0x40, 0x04, 0x48, 0x25, 0x00, 0xF0, 0xFF, 0xFF, 0xEB, 0x06, 0x48, 0x2D, 0x00, 0x10, 0x00, 0x00,
0x66, 0x39, 0x08, 0x75, 0xF5, 0xC3
};
const auto ntoskrnl_base_address = GetNtoskrnlBaseAddress();
const auto pool = ExAllocatePoolWithTag(NonPagedPoolExecute, sizeof(shellcode), 'KMSL');
if (pool != nullptr)
{
RtlCopyMemory(pool, shellcode, sizeof(shellcode));
const auto get_ntoskrnl_base_address = reinterpret_cast<void *(*)()>(pool);
ASSERT(get_ntoskrnl_base_address() == ntoskrnl_base_address);
ExFreePoolWithTag(pool, 'KMSL');
}
return STATUS_SUCCESS;
}
#include <wdm.h>
__declspec(dllexport)
__declspec(noinline)
void*
GetNtoskrnlBaseAddress()
{
//
// From Windows Internals part 1, chapter 2:
//
// "The kernel uses a data structure called the processor control region, or KPCR, to store
// processor-specific data. The KPCR contains basic information such as the processor's interrupt
// dispatch table(IDT), task - state segment(TSS), and global descriptor table(GDT). It also includes the
// interrupt controller state, which it shares with other modules, such as the ACPI driver and the HAL. To
// provide easy access to the KPCR, the kernel stores a pointer to it in the fs register on 32-bit Windows
// and in the gs register on an x64 Windows system."
//
//
// Let's view the address of KPCR of the current processor:
//
// 1: kd> dg gs
// P Si Gr Pr Lo
// Sel Base Limit Type l ze an es ng Flags
// ---- ---------------- - ---------------- - ---------- - -- -- -- -- --------
// 002B ffffd001`1972e000 00000000`ffffffff Data RW Ac 3 Bg Pg P Nl 00000cf3
//
// We only care about one field in KPCR which is IdtBase (it has been always at the offset 0x38):
//
// 1: kd> dt nt!_KPCR 0xffffd001`1972e000
// + 0x000 NtTib : _NT_TIB
// + 0x000 GdtBase : 0xffffd001`1973b8c0 _KGDTENTRY64
// + 0x008 TssBase : 0xffffd001`19734b40 _KTSS64
// + 0x010 UserRsp : 0x000000c0`87cffc18
// + 0x018 Self : 0xffffd001`1972e000 _KPCR
// + 0x020 CurrentPrcb : 0xffffd001`1972e180 _KPRCB
// + 0x028 LockArray : 0xffffd001`1972e7f0 _KSPIN_LOCK_QUEUE
// + 0x030 Used_Self : 0x000000c0`86875000 Void
// + 0x038 IdtBase : 0xffffd001`1973b930 _KIDTENTRY64 <- pointer to the IDT array
// ...
//
// The field is a pointer to an array of interrupt service routines in the following format:
//
// 1: kd> dt nt!_KIDTENTRY64
// +0x000 OffsetLow : Uint2B
// +0x002 Selector : Uint2B
// +0x004 IstIndex : Pos 0, 3 Bits --+
// +0x004 Reserved0 : Pos 3, 5 Bits |
// +0x004 Type : Pos 8, 5 Bits |
// +0x004 Dpl : Pos 13, 2 Bits |-> the interrupt service routine as a bitfield
// +0x004 Present : Pos 15, 1 Bit |
// +0x006 OffsetMiddle : Uint2B |
// +0x008 OffsetHigh : Uint4B --+
// +0x00c Reserved1 : Uint4B
// +0x000 Alignment : Uint8B
//
//
// These interrupt service routines are functions defined within the address space of ntoskrnl.exe. We will
// use this fact for searching for the base address of ntoskrnl.exe.
//
// Ensure that the structure is aligned on 1 byte boundary.
#pragma pack(push, 1)
typedef struct
{
UCHAR Padding[4];
PVOID InterruptServiceRoutine;
} IDT_ENTRY;
#pragma pack(pop)
// Find the address of IdtBase using gs register.
const auto idt_base = reinterpret_cast<IDT_ENTRY *>(__readgsqword(0x38));
// Find the address of the first (or any) interrupt service routine.
const auto first_isr_address = idt_base[0].InterruptServiceRoutine;
// Align the address on page boundary.
auto page_within_ntoskrnl = reinterpret_cast<uintptr_t>(first_isr_address) & ~static_cast<uintptr_t>(0xfff);
// Traverse pages backward until we find the PE signature (MZ) of ntoskrnl.exe in the beginning of some page.
while (*reinterpret_cast<const USHORT *>(page_within_ntoskrnl) != 0x5a4d)
{
page_within_ntoskrnl -= 0x1000;
}
// Now we have the base address of ntoskrnl.exe
return reinterpret_cast<void*>(page_within_ntoskrnl);
}
VOID
DriverUnload(PDRIVER_OBJECT driver_object)
{
UNREFERENCED_PARAMETER(driver_object);
}
EXTERN_C
NTSTATUS
DriverEntry(PDRIVER_OBJECT driver_object, PUNICODE_STRING registry_path)
{
UNREFERENCED_PARAMETER(registry_path);
driver_object->DriverUnload = DriverUnload;
// 0 : 65 48 8b 04 25 38 00 mov rax, QWORD PTR gs : 0x38
// 7 : 00 00
// 9 : b9 4d 5a 00 00 mov ecx, 0x5a4d
// e : 48 8b 40 04 mov rax, QWORD PTR[rax + 0x4]
// 12: 48 25 00 f0 ff ff and rax, 0xfffffffffffff000
// 18: eb 06 jmp 0x20
// 1a: 48 2d 00 10 00 00 sub rax, 0x1000
// 20: 66 39 08 cmp WORD PTR[rax], cx
// 23: 75 f5 jne 0x1a
// 25: c3 ret
static const UCHAR shellcode[] = {
0x65, 0x48, 0x8B, 0x04, 0x25, 0x38, 0x00, 0x00, 0x00, 0xB9, 0x4D, 0x5A, 0x00, 0x00, 0x48, 0x8B,
0x40, 0x04, 0x48, 0x25, 0x00, 0xF0, 0xFF, 0xFF, 0xEB, 0x06, 0x48, 0x2D, 0x00, 0x10, 0x00, 0x00,
0x66, 0x39, 0x08, 0x75, 0xF5, 0xC3
};
const auto ntoskrnl_base_address = GetNtoskrnlBaseAddress();
const auto pool = ExAllocatePoolWithTag(NonPagedPoolExecute, sizeof(shellcode), 'KMSL');
if (pool != nullptr)
{
RtlCopyMemory(pool, shellcode, sizeof(shellcode));
const auto get_ntoskrnl_base_address = reinterpret_cast<void *(*)()>(pool);
ASSERT(get_ntoskrnl_base_address() == ntoskrnl_base_address);
ExFreePoolWithTag(pool, 'KMSL');
}
return STATUS_SUCCESS;
}


@ -1,11 +1,11 @@
PUBLIC FindKdVersionBlock
.code _text
FindKdVersionBlock PROC PUBLIC
mov rax, gs:[108h]
ret
FindKdVersionBlock ENDP
END
PUBLIC FindKdVersionBlock
.code _text
FindKdVersionBlock PROC PUBLIC
mov rax, gs:[108h]
ret
FindKdVersionBlock ENDP
END


@ -1,86 +1,86 @@
;
; KMDFDriver2.inf
;
[Version]
Signature="$WINDOWS NT$"
Class=Sample ; TODO: edit Class
ClassGuid={78A1C341-4539-11d3-B88D-00C04FAD5171} ; TODO: edit ClassGuid
Provider=%ManufacturerName%
CatalogFile=KMDFDriver2.cat
DriverVer= ; TODO: set DriverVer in stampinf property pages
[DestinationDirs]
DefaultDestDir = 12
KMDFDriver2_Device_CoInstaller_CopyFiles = 11
; ================= Class section =====================
[ClassInstall32]
Addreg=SampleClassReg
[SampleClassReg]
HKR,,,0,%ClassName%
HKR,,Icon,,-5
[SourceDisksNames]
1 = %DiskName%,,,""
[SourceDisksFiles]
KMDFDriver2.sys = 1,,
WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll=1 ; make sure the number matches with SourceDisksNames
;*****************************************
; Install Section
;*****************************************
[Manufacturer]
%ManufacturerName%=Standard,NT$ARCH$
[Standard.NT$ARCH$]
%KMDFDriver2.DeviceDesc%=KMDFDriver2_Device, Root\KMDFDriver2 ; TODO: edit hw-id
[KMDFDriver2_Device.NT]
CopyFiles=Drivers_Dir
[Drivers_Dir]
KMDFDriver2.sys
;-------------- Service installation
[KMDFDriver2_Device.NT.Services]
AddService = KMDFDriver2,%SPSVCINST_ASSOCSERVICE%, KMDFDriver2_Service_Inst
; -------------- KMDFDriver2 driver install sections
[KMDFDriver2_Service_Inst]
DisplayName = %KMDFDriver2.SVCDESC%
ServiceType = 1 ; SERVICE_KERNEL_DRIVER
StartType = 3 ; SERVICE_DEMAND_START
ErrorControl = 1 ; SERVICE_ERROR_NORMAL
ServiceBinary = %12%\KMDFDriver2.sys
;
;--- KMDFDriver2_Device Coinstaller installation ------
;
[KMDFDriver2_Device.NT.CoInstallers]
AddReg=KMDFDriver2_Device_CoInstaller_AddReg
CopyFiles=KMDFDriver2_Device_CoInstaller_CopyFiles
[KMDFDriver2_Device_CoInstaller_AddReg]
HKR,,CoInstallers32,0x00010000, "WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll,WdfCoInstaller"
[KMDFDriver2_Device_CoInstaller_CopyFiles]
WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll
[KMDFDriver2_Device.NT.Wdf]
KmdfService = KMDFDriver2, KMDFDriver2_wdfsect
[KMDFDriver2_wdfsect]
KmdfLibraryVersion = $KMDFVERSION$
[Strings]
SPSVCINST_ASSOCSERVICE= 0x00000002
ManufacturerName="<Your manufacturer name>" ;TODO: Replace with your manufacturer name
ClassName="Samples" ; TODO: edit ClassName
DiskName = "KMDFDriver2 Installation Disk"
KMDFDriver2.DeviceDesc = "KMDFDriver2 Device"
KMDFDriver2.SVCDESC = "KMDFDriver2 Service"
;
; lpus.inf
;
[Version]
Signature="$WINDOWS NT$"
Class=Sample ; TODO: edit Class
ClassGuid={78A1C341-4539-11d3-B88D-00C04FAD5171} ; TODO: edit ClassGuid
Provider=%ManufacturerName%
CatalogFile=lpus.cat
DriverVer= ; TODO: set DriverVer in stampinf property pages
[DestinationDirs]
DefaultDestDir = 12
lpus_Device_CoInstaller_CopyFiles = 11
; ================= Class section =====================
[ClassInstall32]
Addreg=SampleClassReg
[SampleClassReg]
HKR,,,0,%ClassName%
HKR,,Icon,,-5
[SourceDisksNames]
1 = %DiskName%,,,""
[SourceDisksFiles]
lpus.sys = 1,,
WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll=1 ; make sure the number matches with SourceDisksNames
;*****************************************
; Install Section
;*****************************************
[Manufacturer]
%ManufacturerName%=Standard,NT$ARCH$
[Standard.NT$ARCH$]
%lpus.DeviceDesc%=lpus_Device, Root\lpus ; TODO: edit hw-id
[lpus_Device.NT]
CopyFiles=Drivers_Dir
[Drivers_Dir]
lpus.sys
;-------------- Service installation
[lpus_Device.NT.Services]
AddService = lpus,%SPSVCINST_ASSOCSERVICE%, lpus_Service_Inst
; -------------- lpus driver install sections
[lpus_Service_Inst]
DisplayName = %lpus.SVCDESC%
ServiceType = 1 ; SERVICE_KERNEL_DRIVER
StartType = 3 ; SERVICE_DEMAND_START
ErrorControl = 1 ; SERVICE_ERROR_NORMAL
ServiceBinary = %12%\lpus.sys
;
;--- lpus_Device Coinstaller installation ------
;
[lpus_Device.NT.CoInstallers]
AddReg=lpus_Device_CoInstaller_AddReg
CopyFiles=lpus_Device_CoInstaller_CopyFiles
[lpus_Device_CoInstaller_AddReg]
HKR,,CoInstallers32,0x00010000, "WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll,WdfCoInstaller"
[lpus_Device_CoInstaller_CopyFiles]
WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll
[lpus_Device.NT.Wdf]
KmdfService = lpus, lpus_wdfsect
[lpus_wdfsect]
KmdfLibraryVersion = $KMDFVERSION$
[Strings]
SPSVCINST_ASSOCSERVICE= 0x00000002
ManufacturerName="<Your manufacturer name>" ;TODO: Replace with your manufacturer name
ClassName="Samples" ; TODO: edit ClassName
DiskName = "lpus Installation Disk"
lpus.DeviceDesc = "lpus Device"
lpus.SVCDESC = "lpus Service"


@ -1,167 +1,168 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|Win32">
<Configuration>Release</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|x64">
<Configuration>Debug</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|x64">
<Configuration>Release</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|ARM">
<Configuration>Debug</Configuration>
<Platform>ARM</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|ARM">
<Configuration>Release</Configuration>
<Platform>ARM</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|ARM64">
<Configuration>Debug</Configuration>
<Platform>ARM64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|ARM64">
<Configuration>Release</Configuration>
<Platform>ARM64</Platform>
</ProjectConfiguration>
</ItemGroup>
<PropertyGroup Label="Globals">
<ProjectGuid>{905D3C7D-3EAD-4977-975E-B1FFD3E6FBE4}</ProjectGuid>
<TemplateGuid>{1bc93793-694f-48fe-9372-81e2b05556fd}</TemplateGuid>
<TargetFrameworkVersion>v4.5</TargetFrameworkVersion>
<MinimumVisualStudioVersion>12.0</MinimumVisualStudioVersion>
<Configuration>Debug</Configuration>
<Platform Condition="'$(Platform)' == ''">Win32</Platform>
<RootNamespace>KMDF_Driver2</RootNamespace>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<TargetVersion>Windows10</TargetVersion>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>KMDF</DriverType>
<DriverTargetPlatform>Universal</DriverTargetPlatform>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<TargetVersion>Windows10</TargetVersion>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>KMDF</DriverType>
<DriverTargetPlatform>Universal</DriverTargetPlatform>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<TargetVersion>Windows10</TargetVersion>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>KMDF</DriverType>
<DriverTargetPlatform>Universal</DriverTargetPlatform>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<TargetVersion>Windows10</TargetVersion>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>KMDF</DriverType>
<DriverTargetPlatform>Universal</DriverTargetPlatform>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'" Label="Configuration">
<TargetVersion>Windows10</TargetVersion>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>KMDF</DriverType>
<DriverTargetPlatform>Universal</DriverTargetPlatform>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'" Label="Configuration">
<TargetVersion>Windows10</TargetVersion>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>KMDF</DriverType>
<DriverTargetPlatform>Universal</DriverTargetPlatform>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'" Label="Configuration">
<TargetVersion>Windows10</TargetVersion>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>KMDF</DriverType>
<DriverTargetPlatform>Universal</DriverTargetPlatform>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'" Label="Configuration">
<TargetVersion>Windows10</TargetVersion>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>KMDF</DriverType>
<DriverTargetPlatform>Universal</DriverTargetPlatform>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
</ImportGroup>
<ImportGroup Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<PropertyGroup Label="UserMacros" />
<PropertyGroup />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
<Inf2CatUseLocalTime>true</Inf2CatUseLocalTime>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<Link>
<AdditionalDependencies>$(DDK_LIB_PATH)\netio.lib;%(AdditionalDependencies)</AdditionalDependencies>
</Link>
</ItemDefinitionGroup>
<ItemGroup>
<Inf Include="KMDFDriver2.inf" />
</ItemGroup>
<ItemGroup>
<FilesToPackage Include="$(TargetPath)" />
</ItemGroup>
<ItemGroup>
<ClCompile Include="Driver.cpp" />
<ClCompile Include="simplewsk.c" />
</ItemGroup>
<ItemGroup>
<ClInclude Include="Driver.h" />
<ClInclude Include="simplewsk.h" />
<ClInclude Include="sioctl.h" />
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
</ImportGroup>
</Project>
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|Win32">
<Configuration>Release</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|x64">
<Configuration>Debug</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|x64">
<Configuration>Release</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|ARM">
<Configuration>Debug</Configuration>
<Platform>ARM</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|ARM">
<Configuration>Release</Configuration>
<Platform>ARM</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|ARM64">
<Configuration>Debug</Configuration>
<Platform>ARM64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|ARM64">
<Configuration>Release</Configuration>
<Platform>ARM64</Platform>
</ProjectConfiguration>
</ItemGroup>
<PropertyGroup Label="Globals">
<ProjectGuid>{905D3C7D-3EAD-4977-975E-B1FFD3E6FBE4}</ProjectGuid>
<TemplateGuid>{1bc93793-694f-48fe-9372-81e2b05556fd}</TemplateGuid>
<TargetFrameworkVersion>v4.5</TargetFrameworkVersion>
<MinimumVisualStudioVersion>12.0</MinimumVisualStudioVersion>
<Configuration>Debug</Configuration>
<Platform Condition="'$(Platform)' == ''">Win32</Platform>
<RootNamespace>lpus</RootNamespace>
<ProjectName>lpus</ProjectName>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<TargetVersion>Windows10</TargetVersion>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>KMDF</DriverType>
<DriverTargetPlatform>Universal</DriverTargetPlatform>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<TargetVersion>Windows10</TargetVersion>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>KMDF</DriverType>
<DriverTargetPlatform>Universal</DriverTargetPlatform>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<TargetVersion>Windows10</TargetVersion>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>KMDF</DriverType>
<DriverTargetPlatform>Universal</DriverTargetPlatform>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<TargetVersion>Windows10</TargetVersion>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>KMDF</DriverType>
<DriverTargetPlatform>Universal</DriverTargetPlatform>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'" Label="Configuration">
<TargetVersion>Windows10</TargetVersion>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>KMDF</DriverType>
<DriverTargetPlatform>Universal</DriverTargetPlatform>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'" Label="Configuration">
<TargetVersion>Windows10</TargetVersion>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>KMDF</DriverType>
<DriverTargetPlatform>Universal</DriverTargetPlatform>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'" Label="Configuration">
<TargetVersion>Windows10</TargetVersion>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>KMDF</DriverType>
<DriverTargetPlatform>Universal</DriverTargetPlatform>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'" Label="Configuration">
<TargetVersion>Windows10</TargetVersion>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>KMDF</DriverType>
<DriverTargetPlatform>Universal</DriverTargetPlatform>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
</ImportGroup>
<ImportGroup Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<PropertyGroup Label="UserMacros" />
<PropertyGroup />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
<Inf2CatUseLocalTime>true</Inf2CatUseLocalTime>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<Link>
<AdditionalDependencies>$(DDK_LIB_PATH)\netio.lib;%(AdditionalDependencies)</AdditionalDependencies>
</Link>
</ItemDefinitionGroup>
<ItemGroup>
<Inf Include="lpus.inf" />
</ItemGroup>
<ItemGroup>
<FilesToPackage Include="$(TargetPath)" />
</ItemGroup>
<ItemGroup>
<ClCompile Include="Driver.cpp" />
<ClCompile Include="simplewsk.c" />
</ItemGroup>
<ItemGroup>
<ClInclude Include="Driver.h" />
<ClInclude Include="simplewsk.h" />
<ClInclude Include="sioctl.h" />
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
</ImportGroup>
</Project>


@ -1,45 +1,45 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup>
<Filter Include="Source Files">
<UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
<Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
</Filter>
<Filter Include="Header Files">
<UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
<Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
</Filter>
<Filter Include="Resource Files">
<UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
<Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
</Filter>
<Filter Include="Driver Files">
<UniqueIdentifier>{8E41214B-6785-4CFE-B992-037D68949A14}</UniqueIdentifier>
<Extensions>inf;inv;inx;mof;mc;</Extensions>
</Filter>
</ItemGroup>
<ItemGroup>
<Inf Include="KMDFDriver2.inf">
<Filter>Driver Files</Filter>
</Inf>
</ItemGroup>
<ItemGroup>
<ClCompile Include="Driver.cpp">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="simplewsk.c">
<Filter>Source Files</Filter>
</ClCompile>
</ItemGroup>
<ItemGroup>
<ClInclude Include="sioctl.h">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="Driver.h">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="simplewsk.h">
<Filter>Header Files</Filter>
</ClInclude>
</ItemGroup>
</Project>
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup>
<Filter Include="Source Files">
<UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
<Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
</Filter>
<Filter Include="Header Files">
<UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
<Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
</Filter>
<Filter Include="Resource Files">
<UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
<Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
</Filter>
<Filter Include="Driver Files">
<UniqueIdentifier>{8E41214B-6785-4CFE-B992-037D68949A14}</UniqueIdentifier>
<Extensions>inf;inv;inx;mof;mc;</Extensions>
</Filter>
</ItemGroup>
<ItemGroup>
<Inf Include="lpus.inf">
<Filter>Driver Files</Filter>
</Inf>
</ItemGroup>
<ItemGroup>
<ClCompile Include="Driver.cpp">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="simplewsk.c">
<Filter>Source Files</Filter>
</ClCompile>
</ItemGroup>
<ItemGroup>
<ClInclude Include="sioctl.h">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="Driver.h">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="simplewsk.h">
<Filter>Header Files</Filter>
</ClInclude>
</ItemGroup>
</Project>


@ -1,209 +1,209 @@
// Copyright Ric Vieler, 2006
// Support header for hookManager.c
// Contains required PE file format data structures used by GetFunctionAddress()
#ifndef _PE_FORMAT_HEADER_
#define _PE_FORMAT_HEADER_
typedef unsigned short WORD;
typedef unsigned long DWORD;
typedef long LONG;
typedef unsigned char BYTE;
typedef unsigned long ULONG;
typedef unsigned short USHORT;
typedef unsigned char UCHAR;
typedef unsigned __int64 ULONGLONG;
//
// Image Format
//
#define IMAGE_DOS_SIGNATURE 0x5A4D // MZ
#define IMAGE_NT_SIGNATURE 0x00004550 // PE00
typedef struct _IMAGE_DOS_HEADER { // DOS .EXE header
WORD e_magic; // Magic number
WORD e_cblp; // Bytes on last page of file
WORD e_cp; // Pages in file
WORD e_crlc; // Relocations
WORD e_cparhdr; // Size of header in paragraphs
WORD e_minalloc; // Minimum extra paragraphs needed
WORD e_maxalloc; // Maximum extra paragraphs needed
WORD e_ss; // Initial (relative) SS value
WORD e_sp; // Initial SP value
WORD e_csum; // Checksum
WORD e_ip; // Initial IP value
WORD e_cs; // Initial (relative) CS value
WORD e_lfarlc; // File address of relocation table
WORD e_ovno; // Overlay number
WORD e_res[4]; // Reserved words
WORD e_oemid; // OEM identifier (for e_oeminfo)
WORD e_oeminfo; // OEM information; e_oemid specific
WORD e_res2[10]; // Reserved words
LONG e_lfanew; // File address of new exe header
} IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER;
//
// File header format.
//
typedef struct _IMAGE_FILE_HEADER {
WORD Machine;
WORD NumberOfSections;
DWORD TimeDateStamp;
DWORD PointerToSymbolTable;
DWORD NumberOfSymbols;
WORD SizeOfOptionalHeader;
WORD Characteristics;
} IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;
//
// Directory format.
//
typedef struct _IMAGE_DATA_DIRECTORY {
DWORD VirtualAddress;
DWORD Size;
} IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY;
#define IMAGE_NUMBEROF_DIRECTORY_ENTRIES 16
//
// Optional header format.
//
typedef struct _IMAGE_OPTIONAL_HEADER {
//
// Standard fields.
//
WORD Magic;
BYTE MajorLinkerVersion;
BYTE MinorLinkerVersion;
DWORD SizeOfCode;
DWORD SizeOfInitializedData;
DWORD SizeOfUninitializedData;
DWORD AddressOfEntryPoint;
DWORD BaseOfCode;
DWORD BaseOfData;
//
// NT additional fields.
//
DWORD ImageBase;
DWORD SectionAlignment;
DWORD FileAlignment;
WORD MajorOperatingSystemVersion;
WORD MinorOperatingSystemVersion;
WORD MajorImageVersion;
WORD MinorImageVersion;
WORD MajorSubsystemVersion;
WORD MinorSubsystemVersion;
DWORD Win32VersionValue;
DWORD SizeOfImage;
DWORD SizeOfHeaders;
DWORD CheckSum;
WORD Subsystem;
WORD DllCharacteristics;
DWORD SizeOfStackReserve;
DWORD SizeOfStackCommit;
DWORD SizeOfHeapReserve;
DWORD SizeOfHeapCommit;
DWORD LoaderFlags;
DWORD NumberOfRvaAndSizes;
IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
} IMAGE_OPTIONAL_HEADER, *PIMAGE_OPTIONAL_HEADER;
typedef struct _IMAGE_OPTIONAL_HEADER64 {
WORD Magic;
BYTE MajorLinkerVersion;
BYTE MinorLinkerVersion;
DWORD SizeOfCode;
DWORD SizeOfInitializedData;
DWORD SizeOfUninitializedData;
DWORD AddressOfEntryPoint;
DWORD BaseOfCode;
ULONGLONG ImageBase;
DWORD SectionAlignment;
DWORD FileAlignment;
WORD MajorOperatingSystemVersion;
WORD MinorOperatingSystemVersion;
WORD MajorImageVersion;
WORD MinorImageVersion;
WORD MajorSubsystemVersion;
WORD MinorSubsystemVersion;
DWORD Win32VersionValue;
DWORD SizeOfImage;
DWORD SizeOfHeaders;
DWORD CheckSum;
WORD Subsystem;
WORD DllCharacteristics;
ULONGLONG SizeOfStackReserve;
ULONGLONG SizeOfStackCommit;
ULONGLONG SizeOfHeapReserve;
ULONGLONG SizeOfHeapCommit;
DWORD LoaderFlags;
DWORD NumberOfRvaAndSizes;
IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
} IMAGE_OPTIONAL_HEADER64, *PIMAGE_OPTIONAL_HEADER64;
typedef struct _IMAGE_NT_HEADERS {
ULONG Signature;
IMAGE_FILE_HEADER FileHeader;
IMAGE_OPTIONAL_HEADER OptionalHeader;
} IMAGE_NT_HEADERS32, *PIMAGE_NT_HEADERS32;
typedef struct _IMAGE_NT_HEADER64 {
DWORD Signature;
IMAGE_FILE_HEADER FileHeader;
IMAGE_OPTIONAL_HEADER64 OptionalHeader;
} IMAGE_NT_HEADER64, *PIMAGE_NT_HEADER64;
#define IMAGE_SIZEOF_SHORT_NAME 8
typedef struct _IMAGE_SECTION_HEADER {
UCHAR Name[IMAGE_SIZEOF_SHORT_NAME];
union {
ULONG PhysicalAddress;
ULONG VirtualSize;
} Misc;
ULONG VirtualAddress;
ULONG SizeOfRawData;
ULONG PointerToRawData;
ULONG PointerToRelocations;
ULONG PointerToLinenumbers;
USHORT NumberOfRelocations;
USHORT NumberOfLinenumbers;
ULONG Characteristics;
} IMAGE_SECTION_HEADER, *PIMAGE_SECTION_HEADER;
//
// Export Format
//
typedef struct _IMAGE_EXPORT_DIRECTORY {
DWORD Characteristics;
DWORD TimeDateStamp;
WORD MajorVersion;
WORD MinorVersion;
DWORD Name;
DWORD Base;
DWORD NumberOfFunctions;
DWORD NumberOfNames;
DWORD AddressOfFunctions; // RVA from base of image
DWORD AddressOfNames; // RVA from base of image
DWORD AddressOfNameOrdinals; // RVA from base of image
} IMAGE_EXPORT_DIRECTORY, *PIMAGE_EXPORT_DIRECTORY;
// Directory Entries
#define IMAGE_DIRECTORY_ENTRY_EXPORT 0 // Export Directory
#endif
// Copyright Ric Vieler, 2006
// Support header for hookManager.c
// Contains required PE file format data structures used by GetFunctionAddress()
#ifndef _PE_FORMAT_HEADER_
#define _PE_FORMAT_HEADER_
typedef unsigned short WORD;
typedef unsigned long DWORD;
typedef long LONG;
typedef unsigned char BYTE;
typedef unsigned long ULONG;
typedef unsigned short USHORT;
typedef unsigned char UCHAR;
typedef unsigned __int64 ULONGLONG;
//
// Image Format
//
#define IMAGE_DOS_SIGNATURE 0x5A4D // MZ
#define IMAGE_NT_SIGNATURE 0x00004550 // PE00
typedef struct _IMAGE_DOS_HEADER { // DOS .EXE header
WORD e_magic; // Magic number
WORD e_cblp; // Bytes on last page of file
WORD e_cp; // Pages in file
WORD e_crlc; // Relocations
WORD e_cparhdr; // Size of header in paragraphs
WORD e_minalloc; // Minimum extra paragraphs needed
WORD e_maxalloc; // Maximum extra paragraphs needed
WORD e_ss; // Initial (relative) SS value
WORD e_sp; // Initial SP value
WORD e_csum; // Checksum
WORD e_ip; // Initial IP value
WORD e_cs; // Initial (relative) CS value
WORD e_lfarlc; // File address of relocation table
WORD e_ovno; // Overlay number
WORD e_res[4]; // Reserved words
WORD e_oemid; // OEM identifier (for e_oeminfo)
WORD e_oeminfo; // OEM information; e_oemid specific
WORD e_res2[10]; // Reserved words
LONG e_lfanew; // File address of new exe header
} IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER;
//
// File header format.
//
typedef struct _IMAGE_FILE_HEADER {
WORD Machine;
WORD NumberOfSections;
DWORD TimeDateStamp;
DWORD PointerToSymbolTable;
DWORD NumberOfSymbols;
WORD SizeOfOptionalHeader;
WORD Characteristics;
} IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;
//
// Directory format.
//
typedef struct _IMAGE_DATA_DIRECTORY {
DWORD VirtualAddress;
DWORD Size;
} IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY;
#define IMAGE_NUMBEROF_DIRECTORY_ENTRIES 16
//
// Optional header format.
//
typedef struct _IMAGE_OPTIONAL_HEADER {
//
// Standard fields.
//
WORD Magic;
BYTE MajorLinkerVersion;
BYTE MinorLinkerVersion;
DWORD SizeOfCode;
DWORD SizeOfInitializedData;
DWORD SizeOfUninitializedData;
DWORD AddressOfEntryPoint;
DWORD BaseOfCode;
DWORD BaseOfData;
//
// NT additional fields.
//
DWORD ImageBase;
DWORD SectionAlignment;
DWORD FileAlignment;
WORD MajorOperatingSystemVersion;
WORD MinorOperatingSystemVersion;
WORD MajorImageVersion;
WORD MinorImageVersion;
WORD MajorSubsystemVersion;
WORD MinorSubsystemVersion;
DWORD Win32VersionValue;
DWORD SizeOfImage;
DWORD SizeOfHeaders;
DWORD CheckSum;
WORD Subsystem;
WORD DllCharacteristics;
DWORD SizeOfStackReserve;
DWORD SizeOfStackCommit;
DWORD SizeOfHeapReserve;
DWORD SizeOfHeapCommit;
DWORD LoaderFlags;
DWORD NumberOfRvaAndSizes;
IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
} IMAGE_OPTIONAL_HEADER, *PIMAGE_OPTIONAL_HEADER;
typedef struct _IMAGE_OPTIONAL_HEADER64 {
WORD Magic;
BYTE MajorLinkerVersion;
BYTE MinorLinkerVersion;
DWORD SizeOfCode;
DWORD SizeOfInitializedData;
DWORD SizeOfUninitializedData;
DWORD AddressOfEntryPoint;
DWORD BaseOfCode;
ULONGLONG ImageBase;
DWORD SectionAlignment;
DWORD FileAlignment;
WORD MajorOperatingSystemVersion;
WORD MinorOperatingSystemVersion;
WORD MajorImageVersion;
WORD MinorImageVersion;
WORD MajorSubsystemVersion;
WORD MinorSubsystemVersion;
DWORD Win32VersionValue;
DWORD SizeOfImage;
DWORD SizeOfHeaders;
DWORD CheckSum;
WORD Subsystem;
WORD DllCharacteristics;
ULONGLONG SizeOfStackReserve;
ULONGLONG SizeOfStackCommit;
ULONGLONG SizeOfHeapReserve;
ULONGLONG SizeOfHeapCommit;
DWORD LoaderFlags;
DWORD NumberOfRvaAndSizes;
IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
} IMAGE_OPTIONAL_HEADER64, *PIMAGE_OPTIONAL_HEADER64;
typedef struct _IMAGE_NT_HEADERS {
ULONG Signature;
IMAGE_FILE_HEADER FileHeader;
IMAGE_OPTIONAL_HEADER OptionalHeader;
} IMAGE_NT_HEADERS32, *PIMAGE_NT_HEADERS32;
typedef struct _IMAGE_NT_HEADER64 {
DWORD Signature;
IMAGE_FILE_HEADER FileHeader;
IMAGE_OPTIONAL_HEADER64 OptionalHeader;
} IMAGE_NT_HEADER64, *PIMAGE_NT_HEADER64;
#define IMAGE_SIZEOF_SHORT_NAME 8
typedef struct _IMAGE_SECTION_HEADER {
UCHAR Name[IMAGE_SIZEOF_SHORT_NAME];
union {
ULONG PhysicalAddress;
ULONG VirtualSize;
} Misc;
ULONG VirtualAddress;
ULONG SizeOfRawData;
ULONG PointerToRawData;
ULONG PointerToRelocations;
ULONG PointerToLinenumbers;
USHORT NumberOfRelocations;
USHORT NumberOfLinenumbers;
ULONG Characteristics;
} IMAGE_SECTION_HEADER, *PIMAGE_SECTION_HEADER;
//
// Export Format
//
typedef struct _IMAGE_EXPORT_DIRECTORY {
DWORD Characteristics;
DWORD TimeDateStamp;
WORD MajorVersion;
WORD MinorVersion;
DWORD Name;
DWORD Base;
DWORD NumberOfFunctions;
DWORD NumberOfNames;
DWORD AddressOfFunctions; // RVA from base of image
DWORD AddressOfNames; // RVA from base of image
DWORD AddressOfNameOrdinals; // RVA from base of image
} IMAGE_EXPORT_DIRECTORY, *PIMAGE_EXPORT_DIRECTORY;
// Directory Entries
#define IMAGE_DIRECTORY_ENTRY_EXPORT 0 // Export Directory
#endif
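Review bot: The header declares both `IMAGE_OPTIONAL_HEADER` and `IMAGE_OPTIONAL_HEADER64` but defines no constant for the `Magic` field that tells the two layouts apart, so a caller has to hard-code the value or assume one layout. Adding `#define IMAGE_NT_OPTIONAL_HDR32_MAGIC 0x10b` and `#define IMAGE_NT_OPTIONAL_HDR64_MAGIC 0x20b` next to `IMAGE_NT_SIGNATURE` would let the parser check `Magic` before it casts. The code that consumes these structures is not shown on this page, so it is worth confirming there that `e_lfanew` and `NumberOfRvaAndSizes` are bounds-checked before `DataDirectory` is indexed. The opening comment still says `Support header for hookManager.c`, which is not among the files the project compiles (`Driver.cpp`, `simplewsk.c`), so it should name the file that actually uses these definitions.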


@ -1,479 +1,479 @@
/*++
Module Name:
simplewsk.c
Abstract:
Wrapper library for WSK functions
Author:
MaD, 12-May-2009
--*/
#include "simplewsk.h"
static WSK_REGISTRATION g_WskRegistration;
static WSK_PROVIDER_NPI g_WskProvider;
static WSK_CLIENT_DISPATCH g_WskDispatch = {MAKE_WSK_VERSION(1, 0), 0, NULL};
enum { DEINITIALIZED, DEINITIALIZING, INITIALIZING, INITIALIZED };
static LONG g_SocketsState = DEINITIALIZED;
static NTSTATUS NTAPI CompletionRoutine(__in PDEVICE_OBJECT DeviceObject,
__in PIRP Irp,
__in PKEVENT CompletionEvent) {
ASSERT(CompletionEvent);
UNREFERENCED_PARAMETER(Irp);
UNREFERENCED_PARAMETER(DeviceObject);
KeSetEvent(CompletionEvent, IO_NO_INCREMENT, FALSE);
return STATUS_MORE_PROCESSING_REQUIRED;
}
static NTSTATUS InitWskData(__out PIRP* pIrp, __out PKEVENT CompletionEvent) {
ASSERT(pIrp);
ASSERT(CompletionEvent);
*pIrp = IoAllocateIrp(1, FALSE);
if (!*pIrp) {
KdPrint(("InitWskData(): IoAllocateIrp() failed\n"));
return STATUS_INSUFFICIENT_RESOURCES;
}
KeInitializeEvent(CompletionEvent, SynchronizationEvent, FALSE);
IoSetCompletionRoutine(*pIrp, CompletionRoutine, CompletionEvent, TRUE, TRUE,
TRUE);
return STATUS_SUCCESS;
}
static NTSTATUS InitWskBuffer(__in PVOID Buffer, __in ULONG BufferSize,
__out PWSK_BUF WskBuffer) {
NTSTATUS Status = STATUS_SUCCESS;
ASSERT(Buffer);
ASSERT(BufferSize);
ASSERT(WskBuffer);
WskBuffer->Offset = 0;
WskBuffer->Length = BufferSize;
WskBuffer->Mdl = IoAllocateMdl(Buffer, BufferSize, FALSE, FALSE, NULL);
if (!WskBuffer->Mdl) {
KdPrint(("InitWskBuffer(): IoAllocateMdl() failed\n"));
return STATUS_INSUFFICIENT_RESOURCES;
}
__try {
MmProbeAndLockPages(WskBuffer->Mdl, KernelMode, IoWriteAccess);
} __except (EXCEPTION_EXECUTE_HANDLER) {
KdPrint(("InitWskBuffer(): MmProbeAndLockPages(%p) failed\n", Buffer));
IoFreeMdl(WskBuffer->Mdl);
Status = STATUS_ACCESS_VIOLATION;
}
return Status;
}
static VOID FreeWskBuffer(__in PWSK_BUF WskBuffer) {
ASSERT(WskBuffer);
MmUnlockPages(WskBuffer->Mdl);
IoFreeMdl(WskBuffer->Mdl);
}
//
// Library initialization routine
//
NTSTATUS NTAPI WSKStartup() {
WSK_CLIENT_NPI WskClient = {0};
NTSTATUS Status = STATUS_UNSUCCESSFUL;
if (InterlockedCompareExchange(&g_SocketsState, INITIALIZING,
DEINITIALIZED) != DEINITIALIZED)
return STATUS_ALREADY_REGISTERED;
WskClient.ClientContext = NULL;
WskClient.Dispatch = &g_WskDispatch;
Status = WskRegister(&WskClient, &g_WskRegistration);
if (!NT_SUCCESS(Status)) {
KdPrint(("WskRegister() failed with status 0x%08X\n", Status));
InterlockedExchange(&g_SocketsState, DEINITIALIZED);
return Status;
}
Status =
WskCaptureProviderNPI(&g_WskRegistration, WSK_NO_WAIT, &g_WskProvider);
if (!NT_SUCCESS(Status)) {
KdPrint(("WskCaptureProviderNPI() failed with status 0x%08X\n", Status));
WskDeregister(&g_WskRegistration);
InterlockedExchange(&g_SocketsState, DEINITIALIZED);
return Status;
}
InterlockedExchange(&g_SocketsState, INITIALIZED);
return STATUS_SUCCESS;
}
//
// Library deinitialization routine
//
VOID NTAPI WSKCleanup() {
if (InterlockedCompareExchange(&g_SocketsState, INITIALIZED,
DEINITIALIZING) != INITIALIZED)
return;
WskReleaseProviderNPI(&g_WskRegistration);
WskDeregister(&g_WskRegistration);
InterlockedExchange(&g_SocketsState, DEINITIALIZED);
}
PWSK_SOCKET
NTAPI
CreateSocket(__in ADDRESS_FAMILY AddressFamily, __in USHORT SocketType,
__in ULONG Protocol, __in ULONG Flags) {
KEVENT CompletionEvent = {0};
PIRP Irp = NULL;
PWSK_SOCKET WskSocket = NULL;
NTSTATUS Status = STATUS_UNSUCCESSFUL;
if (g_SocketsState != INITIALIZED) return NULL;
Status = InitWskData(&Irp, &CompletionEvent);
if (!NT_SUCCESS(Status)) {
KdPrint(
("CreateSocket(): InitWskData() failed with status 0x%08X\n", Status));
return NULL;
}
Status = g_WskProvider.Dispatch->WskSocket(
g_WskProvider.Client, AddressFamily, SocketType, Protocol, Flags, NULL,
NULL, NULL, NULL, NULL, Irp);
if (Status == STATUS_PENDING) {
KeWaitForSingleObject(&CompletionEvent, Executive, KernelMode, FALSE, NULL);
Status = Irp->IoStatus.Status;
}
WskSocket =
NT_SUCCESS(Status) ? (PWSK_SOCKET)Irp->IoStatus.Information : NULL;
IoFreeIrp(Irp);
return (PWSK_SOCKET)WskSocket;
}
NTSTATUS
NTAPI
CloseSocket(__in PWSK_SOCKET WskSocket) {
KEVENT CompletionEvent = {0};
PIRP Irp = NULL;
NTSTATUS Status = STATUS_UNSUCCESSFUL;
if (g_SocketsState != INITIALIZED || !WskSocket)
return STATUS_INVALID_PARAMETER;
Status = InitWskData(&Irp, &CompletionEvent);
if (!NT_SUCCESS(Status)) {
KdPrint(
("CloseSocket(): InitWskData() failed with status 0x%08X\n", Status));
return Status;
}
Status = ((PWSK_PROVIDER_BASIC_DISPATCH)WskSocket->Dispatch)
->WskCloseSocket(WskSocket, Irp);
if (Status == STATUS_PENDING) {
KeWaitForSingleObject(&CompletionEvent, Executive, KernelMode, FALSE, NULL);
Status = Irp->IoStatus.Status;
}
IoFreeIrp(Irp);
return Status;
}
NTSTATUS
NTAPI
Connect(__in PWSK_SOCKET WskSocket, __in PSOCKADDR RemoteAddress) {
KEVENT CompletionEvent = {0};
PIRP Irp = NULL;
NTSTATUS Status = STATUS_UNSUCCESSFUL;
if (g_SocketsState != INITIALIZED || !WskSocket || !RemoteAddress)
return STATUS_INVALID_PARAMETER;
Status = InitWskData(&Irp, &CompletionEvent);
if (!NT_SUCCESS(Status)) {
KdPrint(("Connect(): InitWskData() failed with status 0x%08X\n", Status));
return Status;
}
Status = ((PWSK_PROVIDER_CONNECTION_DISPATCH)WskSocket->Dispatch)
->WskConnect(WskSocket, RemoteAddress, 0, Irp);
if (Status == STATUS_PENDING) {
KeWaitForSingleObject(&CompletionEvent, Executive, KernelMode, FALSE, NULL);
Status = Irp->IoStatus.Status;
}
IoFreeIrp(Irp);
return Status;
}
PWSK_SOCKET
NTAPI
SocketConnect(__in USHORT SocketType, __in ULONG Protocol,
__in PSOCKADDR RemoteAddress, __in PSOCKADDR LocalAddress) {
KEVENT CompletionEvent = {0};
PIRP Irp = NULL;
NTSTATUS Status = STATUS_UNSUCCESSFUL;
PWSK_SOCKET WskSocket = NULL;
if (g_SocketsState != INITIALIZED || !RemoteAddress || !LocalAddress)
return NULL;
Status = InitWskData(&Irp, &CompletionEvent);
if (!NT_SUCCESS(Status)) {
KdPrint(("InitWskData() failed with status 0x%08X\n", Status));
return NULL;
}
Status = g_WskProvider.Dispatch->WskSocketConnect(
g_WskProvider.Client, SocketType, Protocol, LocalAddress, RemoteAddress,
0, NULL, NULL, NULL, NULL, NULL, Irp);
if (Status == STATUS_PENDING) {
KeWaitForSingleObject(&CompletionEvent, Executive, KernelMode, FALSE, NULL);
Status = Irp->IoStatus.Status;
}
WskSocket =
NT_SUCCESS(Status) ? (PWSK_SOCKET)Irp->IoStatus.Information : NULL;
IoFreeIrp(Irp);
return WskSocket;
}
LONG NTAPI Send(__in PWSK_SOCKET WskSocket, __in PVOID Buffer,
__in ULONG BufferSize, __in ULONG Flags) {
KEVENT CompletionEvent = {0};
PIRP Irp = NULL;
WSK_BUF WskBuffer = {0};
LONG BytesSent = SOCKET_ERROR;
NTSTATUS Status = STATUS_UNSUCCESSFUL;
if (g_SocketsState != INITIALIZED || !WskSocket || !Buffer || !BufferSize)
return SOCKET_ERROR;
Status = InitWskBuffer(Buffer, BufferSize, &WskBuffer);
if (!NT_SUCCESS(Status)) {
KdPrint(("Send(): InitWskData() failed with status 0x%08X\n", Status));
return SOCKET_ERROR;
}
Status = InitWskData(&Irp, &CompletionEvent);
if (!NT_SUCCESS(Status)) {
KdPrint(("Send(): InitWskData() failed with status 0x%08X\n", Status));
FreeWskBuffer(&WskBuffer);
return SOCKET_ERROR;
}
Status = ((PWSK_PROVIDER_CONNECTION_DISPATCH)WskSocket->Dispatch)
->WskSend(WskSocket, &WskBuffer, Flags, Irp);
if (Status == STATUS_PENDING) {
KeWaitForSingleObject(&CompletionEvent, Executive, KernelMode, FALSE, NULL);
Status = Irp->IoStatus.Status;
}
BytesSent =
NT_SUCCESS(Status) ? (LONG)Irp->IoStatus.Information : SOCKET_ERROR;
IoFreeIrp(Irp);
FreeWskBuffer(&WskBuffer);
return BytesSent;
}
LONG NTAPI SendTo(__in PWSK_SOCKET WskSocket, __in PVOID Buffer,
__in ULONG BufferSize, __in_opt PSOCKADDR RemoteAddress) {
KEVENT CompletionEvent = {0};
PIRP Irp = NULL;
WSK_BUF WskBuffer = {0};
LONG BytesSent = SOCKET_ERROR;
NTSTATUS Status = STATUS_UNSUCCESSFUL;
if (g_SocketsState != INITIALIZED || !WskSocket || !Buffer || !BufferSize)
return SOCKET_ERROR;
Status = InitWskBuffer(Buffer, BufferSize, &WskBuffer);
if (!NT_SUCCESS(Status)) {
KdPrint(("SendTo(): InitWskData() failed with status 0x%08X\n", Status));
return SOCKET_ERROR;
}
Status = InitWskData(&Irp, &CompletionEvent);
if (!NT_SUCCESS(Status)) {
KdPrint(("SendTo(): InitWskData() failed with status 0x%08X\n", Status));
FreeWskBuffer(&WskBuffer);
return SOCKET_ERROR;
}
Status =
((PWSK_PROVIDER_DATAGRAM_DISPATCH)WskSocket->Dispatch)
->WskSendTo(WskSocket, &WskBuffer, 0, RemoteAddress, 0, NULL, Irp);
if (Status == STATUS_PENDING) {
KeWaitForSingleObject(&CompletionEvent, Executive, KernelMode, FALSE, NULL);
Status = Irp->IoStatus.Status;
}
BytesSent =
NT_SUCCESS(Status) ? (LONG)Irp->IoStatus.Information : SOCKET_ERROR;
IoFreeIrp(Irp);
FreeWskBuffer(&WskBuffer);
return BytesSent;
}
LONG NTAPI Receive(__in PWSK_SOCKET WskSocket, __out PVOID Buffer,
__in ULONG BufferSize, __in ULONG Flags) {
KEVENT CompletionEvent = {0};
PIRP Irp = NULL;
WSK_BUF WskBuffer = {0};
LONG BytesReceived = SOCKET_ERROR;
NTSTATUS Status = STATUS_UNSUCCESSFUL;
if (g_SocketsState != INITIALIZED || !WskSocket || !Buffer || !BufferSize)
return SOCKET_ERROR;
Status = InitWskBuffer(Buffer, BufferSize, &WskBuffer);
if (!NT_SUCCESS(Status)) {
KdPrint(("Receive(): InitWskData() failed with status 0x%08X\n", Status));
return SOCKET_ERROR;
}
Status = InitWskData(&Irp, &CompletionEvent);
if (!NT_SUCCESS(Status)) {
KdPrint(("Receive(): InitWskData() failed with status 0x%08X\n", Status));
FreeWskBuffer(&WskBuffer);
return SOCKET_ERROR;
}
Status = ((PWSK_PROVIDER_CONNECTION_DISPATCH)WskSocket->Dispatch)
->WskReceive(WskSocket, &WskBuffer, Flags, Irp);
if (Status == STATUS_PENDING) {
KeWaitForSingleObject(&CompletionEvent, Executive, KernelMode, FALSE, NULL);
Status = Irp->IoStatus.Status;
}
BytesReceived =
NT_SUCCESS(Status) ? (LONG)Irp->IoStatus.Information : SOCKET_ERROR;
IoFreeIrp(Irp);
FreeWskBuffer(&WskBuffer);
return BytesReceived;
}
LONG NTAPI ReceiveFrom(__in PWSK_SOCKET WskSocket, __out PVOID Buffer,
__in ULONG BufferSize, __out_opt PSOCKADDR RemoteAddress,
__out_opt PULONG ControlFlags) {
KEVENT CompletionEvent = {0};
PIRP Irp = NULL;
WSK_BUF WskBuffer = {0};
LONG BytesReceived = SOCKET_ERROR;
NTSTATUS Status = STATUS_UNSUCCESSFUL;
if (g_SocketsState != INITIALIZED || !WskSocket || !Buffer || !BufferSize)
return SOCKET_ERROR;
Status = InitWskBuffer(Buffer, BufferSize, &WskBuffer);
if (!NT_SUCCESS(Status)) {
KdPrint(
("ReceiveFrom(): InitWskData() failed with status 0x%08X\n", Status));
return SOCKET_ERROR;
}
Status = InitWskData(&Irp, &CompletionEvent);
if (!NT_SUCCESS(Status)) {
KdPrint(
("ReceiveFrom(): InitWskData() failed with status 0x%08X\n", Status));
FreeWskBuffer(&WskBuffer);
return SOCKET_ERROR;
}
Status = ((PWSK_PROVIDER_DATAGRAM_DISPATCH)WskSocket->Dispatch)
->WskReceiveFrom(WskSocket, &WskBuffer, 0, RemoteAddress, 0,
NULL, ControlFlags, Irp);
if (Status == STATUS_PENDING) {
KeWaitForSingleObject(&CompletionEvent, Executive, KernelMode, FALSE, NULL);
Status = Irp->IoStatus.Status;
}
BytesReceived =
NT_SUCCESS(Status) ? (LONG)Irp->IoStatus.Information : SOCKET_ERROR;
IoFreeIrp(Irp);
FreeWskBuffer(&WskBuffer);
return BytesReceived;
}
NTSTATUS
NTAPI
Bind(__in PWSK_SOCKET WskSocket, __in PSOCKADDR LocalAddress) {
KEVENT CompletionEvent = {0};
PIRP Irp = NULL;
NTSTATUS Status = STATUS_UNSUCCESSFUL;
if (g_SocketsState != INITIALIZED || !WskSocket || !LocalAddress)
return STATUS_INVALID_PARAMETER;
Status = InitWskData(&Irp, &CompletionEvent);
if (!NT_SUCCESS(Status)) {
KdPrint(("Bind(): InitWskData() failed with status 0x%08X\n", Status));
return Status;
}
Status = ((PWSK_PROVIDER_CONNECTION_DISPATCH)WskSocket->Dispatch)
->WskBind(WskSocket, LocalAddress, 0, Irp);
if (Status == STATUS_PENDING) {
KeWaitForSingleObject(&CompletionEvent, Executive, KernelMode, FALSE, NULL);
Status = Irp->IoStatus.Status;
}
IoFreeIrp(Irp);
return Status;
}
PWSK_SOCKET
NTAPI
Accept(__in PWSK_SOCKET WskSocket, __out_opt PSOCKADDR LocalAddress,
__out_opt PSOCKADDR RemoteAddress) {
KEVENT CompletionEvent = {0};
PIRP Irp = NULL;
NTSTATUS Status = STATUS_UNSUCCESSFUL;
PWSK_SOCKET AcceptedSocket = NULL;
if (g_SocketsState != INITIALIZED || !WskSocket) return NULL;
Status = InitWskData(&Irp, &CompletionEvent);
if (!NT_SUCCESS(Status)) {
KdPrint(("Accept(): InitWskData() failed with status 0x%08X\n", Status));
return NULL;
}
Status = ((PWSK_PROVIDER_LISTEN_DISPATCH)WskSocket->Dispatch)
->WskAccept(WskSocket, 0, NULL, NULL, LocalAddress,
RemoteAddress, Irp);
if (Status == STATUS_PENDING) {
KeWaitForSingleObject(&CompletionEvent, Executive, KernelMode, FALSE, NULL);
Status = Irp->IoStatus.Status;
}
AcceptedSocket =
NT_SUCCESS(Status) ? (PWSK_SOCKET)Irp->IoStatus.Information : NULL;
IoFreeIrp(Irp);
return AcceptedSocket;
}
/*++
Module Name:
simplewsk.c
Abstract:
Wrapper library for WSK functions
Author:
MaD, 12-May-2009
--*/
#include "simplewsk.h"
static WSK_REGISTRATION g_WskRegistration;
static WSK_PROVIDER_NPI g_WskProvider;
static WSK_CLIENT_DISPATCH g_WskDispatch = {MAKE_WSK_VERSION(1, 0), 0, NULL};
enum { DEINITIALIZED, DEINITIALIZING, INITIALIZING, INITIALIZED };
static LONG g_SocketsState = DEINITIALIZED;
static NTSTATUS NTAPI CompletionRoutine(__in PDEVICE_OBJECT DeviceObject,
__in PIRP Irp,
__in PKEVENT CompletionEvent) {
ASSERT(CompletionEvent);
UNREFERENCED_PARAMETER(Irp);
UNREFERENCED_PARAMETER(DeviceObject);
KeSetEvent(CompletionEvent, IO_NO_INCREMENT, FALSE);
return STATUS_MORE_PROCESSING_REQUIRED;
}
static NTSTATUS InitWskData(__out PIRP* pIrp, __out PKEVENT CompletionEvent) {
ASSERT(pIrp);
ASSERT(CompletionEvent);
*pIrp = IoAllocateIrp(1, FALSE);
if (!*pIrp) {
KdPrint(("InitWskData(): IoAllocateIrp() failed\n"));
return STATUS_INSUFFICIENT_RESOURCES;
}
KeInitializeEvent(CompletionEvent, SynchronizationEvent, FALSE);
IoSetCompletionRoutine(*pIrp, CompletionRoutine, CompletionEvent, TRUE, TRUE,
TRUE);
return STATUS_SUCCESS;
}
static NTSTATUS InitWskBuffer(__in PVOID Buffer, __in ULONG BufferSize,
__out PWSK_BUF WskBuffer) {
NTSTATUS Status = STATUS_SUCCESS;
ASSERT(Buffer);
ASSERT(BufferSize);
ASSERT(WskBuffer);
WskBuffer->Offset = 0;
WskBuffer->Length = BufferSize;
WskBuffer->Mdl = IoAllocateMdl(Buffer, BufferSize, FALSE, FALSE, NULL);
if (!WskBuffer->Mdl) {
KdPrint(("InitWskBuffer(): IoAllocateMdl() failed\n"));
return STATUS_INSUFFICIENT_RESOURCES;
}
__try {
MmProbeAndLockPages(WskBuffer->Mdl, KernelMode, IoWriteAccess);
} __except (EXCEPTION_EXECUTE_HANDLER) {
KdPrint(("InitWskBuffer(): MmProbeAndLockPages(%p) failed\n", Buffer));
IoFreeMdl(WskBuffer->Mdl);
Status = STATUS_ACCESS_VIOLATION;
}
return Status;
}
static VOID FreeWskBuffer(__in PWSK_BUF WskBuffer) {
ASSERT(WskBuffer);
MmUnlockPages(WskBuffer->Mdl);
IoFreeMdl(WskBuffer->Mdl);
}
//
// Library initialization routine
//
NTSTATUS NTAPI WSKStartup() {
WSK_CLIENT_NPI WskClient = {0};
NTSTATUS Status = STATUS_UNSUCCESSFUL;
if (InterlockedCompareExchange(&g_SocketsState, INITIALIZING,
DEINITIALIZED) != DEINITIALIZED)
return STATUS_ALREADY_REGISTERED;
WskClient.ClientContext = NULL;
WskClient.Dispatch = &g_WskDispatch;
Status = WskRegister(&WskClient, &g_WskRegistration);
if (!NT_SUCCESS(Status)) {
KdPrint(("WskRegister() failed with status 0x%08X\n", Status));
InterlockedExchange(&g_SocketsState, DEINITIALIZED);
return Status;
}
Status =
WskCaptureProviderNPI(&g_WskRegistration, WSK_NO_WAIT, &g_WskProvider);
if (!NT_SUCCESS(Status)) {
KdPrint(("WskCaptureProviderNPI() failed with status 0x%08X\n", Status));
WskDeregister(&g_WskRegistration);
InterlockedExchange(&g_SocketsState, DEINITIALIZED);
return Status;
}
InterlockedExchange(&g_SocketsState, INITIALIZED);
return STATUS_SUCCESS;
}
//
// Library deinitialization routine
//
VOID NTAPI WSKCleanup() {
if (InterlockedCompareExchange(&g_SocketsState, INITIALIZED,
DEINITIALIZING) != INITIALIZED)
return;
WskReleaseProviderNPI(&g_WskRegistration);
WskDeregister(&g_WskRegistration);
InterlockedExchange(&g_SocketsState, DEINITIALIZED);
}
PWSK_SOCKET
NTAPI
CreateSocket(__in ADDRESS_FAMILY AddressFamily, __in USHORT SocketType,
__in ULONG Protocol, __in ULONG Flags) {
KEVENT CompletionEvent = {0};
PIRP Irp = NULL;
PWSK_SOCKET WskSocket = NULL;
NTSTATUS Status = STATUS_UNSUCCESSFUL;
if (g_SocketsState != INITIALIZED) return NULL;
Status = InitWskData(&Irp, &CompletionEvent);
if (!NT_SUCCESS(Status)) {
KdPrint(
("CreateSocket(): InitWskData() failed with status 0x%08X\n", Status));
return NULL;
}
Status = g_WskProvider.Dispatch->WskSocket(
g_WskProvider.Client, AddressFamily, SocketType, Protocol, Flags, NULL,
NULL, NULL, NULL, NULL, Irp);
if (Status == STATUS_PENDING) {
KeWaitForSingleObject(&CompletionEvent, Executive, KernelMode, FALSE, NULL);
Status = Irp->IoStatus.Status;
}
WskSocket =
NT_SUCCESS(Status) ? (PWSK_SOCKET)Irp->IoStatus.Information : NULL;
IoFreeIrp(Irp);
return (PWSK_SOCKET)WskSocket;
}
NTSTATUS
NTAPI
CloseSocket(__in PWSK_SOCKET WskSocket) {
KEVENT CompletionEvent = {0};
PIRP Irp = NULL;
NTSTATUS Status = STATUS_UNSUCCESSFUL;
if (g_SocketsState != INITIALIZED || !WskSocket)
return STATUS_INVALID_PARAMETER;
Status = InitWskData(&Irp, &CompletionEvent);
if (!NT_SUCCESS(Status)) {
KdPrint(
("CloseSocket(): InitWskData() failed with status 0x%08X\n", Status));
return Status;
}
Status = ((PWSK_PROVIDER_BASIC_DISPATCH)WskSocket->Dispatch)
->WskCloseSocket(WskSocket, Irp);
if (Status == STATUS_PENDING) {
KeWaitForSingleObject(&CompletionEvent, Executive, KernelMode, FALSE, NULL);
Status = Irp->IoStatus.Status;
}
IoFreeIrp(Irp);
return Status;
}
NTSTATUS
NTAPI
Connect(__in PWSK_SOCKET WskSocket, __in PSOCKADDR RemoteAddress) {
KEVENT CompletionEvent = {0};
PIRP Irp = NULL;
NTSTATUS Status = STATUS_UNSUCCESSFUL;
if (g_SocketsState != INITIALIZED || !WskSocket || !RemoteAddress)
return STATUS_INVALID_PARAMETER;
Status = InitWskData(&Irp, &CompletionEvent);
if (!NT_SUCCESS(Status)) {
KdPrint(("Connect(): InitWskData() failed with status 0x%08X\n", Status));
return Status;
}
Status = ((PWSK_PROVIDER_CONNECTION_DISPATCH)WskSocket->Dispatch)
->WskConnect(WskSocket, RemoteAddress, 0, Irp);
if (Status == STATUS_PENDING) {
KeWaitForSingleObject(&CompletionEvent, Executive, KernelMode, FALSE, NULL);
Status = Irp->IoStatus.Status;
}
IoFreeIrp(Irp);
return Status;
}
PWSK_SOCKET
NTAPI
SocketConnect(__in USHORT SocketType, __in ULONG Protocol,
__in PSOCKADDR RemoteAddress, __in PSOCKADDR LocalAddress) {
KEVENT CompletionEvent = {0};
PIRP Irp = NULL;
NTSTATUS Status = STATUS_UNSUCCESSFUL;
PWSK_SOCKET WskSocket = NULL;
if (g_SocketsState != INITIALIZED || !RemoteAddress || !LocalAddress)
return NULL;
Status = InitWskData(&Irp, &CompletionEvent);
if (!NT_SUCCESS(Status)) {
KdPrint(("InitWskData() failed with status 0x%08X\n", Status));
return NULL;
}
Status = g_WskProvider.Dispatch->WskSocketConnect(
g_WskProvider.Client, SocketType, Protocol, LocalAddress, RemoteAddress,
0, NULL, NULL, NULL, NULL, NULL, Irp);
if (Status == STATUS_PENDING) {
KeWaitForSingleObject(&CompletionEvent, Executive, KernelMode, FALSE, NULL);
Status = Irp->IoStatus.Status;
}
WskSocket =
NT_SUCCESS(Status) ? (PWSK_SOCKET)Irp->IoStatus.Information : NULL;
IoFreeIrp(Irp);
return WskSocket;
}
LONG NTAPI Send(__in PWSK_SOCKET WskSocket, __in PVOID Buffer,
__in ULONG BufferSize, __in ULONG Flags) {
KEVENT CompletionEvent = {0};
PIRP Irp = NULL;
WSK_BUF WskBuffer = {0};
LONG BytesSent = SOCKET_ERROR;
NTSTATUS Status = STATUS_UNSUCCESSFUL;
if (g_SocketsState != INITIALIZED || !WskSocket || !Buffer || !BufferSize)
return SOCKET_ERROR;
Status = InitWskBuffer(Buffer, BufferSize, &WskBuffer);
if (!NT_SUCCESS(Status)) {
KdPrint(("Send(): InitWskData() failed with status 0x%08X\n", Status));
return SOCKET_ERROR;
}
Status = InitWskData(&Irp, &CompletionEvent);
if (!NT_SUCCESS(Status)) {
KdPrint(("Send(): InitWskData() failed with status 0x%08X\n", Status));
FreeWskBuffer(&WskBuffer);
return SOCKET_ERROR;
}
Status = ((PWSK_PROVIDER_CONNECTION_DISPATCH)WskSocket->Dispatch)
->WskSend(WskSocket, &WskBuffer, Flags, Irp);
if (Status == STATUS_PENDING) {
KeWaitForSingleObject(&CompletionEvent, Executive, KernelMode, FALSE, NULL);
Status = Irp->IoStatus.Status;
}
BytesSent =
NT_SUCCESS(Status) ? (LONG)Irp->IoStatus.Information : SOCKET_ERROR;
IoFreeIrp(Irp);
FreeWskBuffer(&WskBuffer);
return BytesSent;
}
LONG NTAPI SendTo(__in PWSK_SOCKET WskSocket, __in PVOID Buffer,
__in ULONG BufferSize, __in_opt PSOCKADDR RemoteAddress) {
KEVENT CompletionEvent = {0};
PIRP Irp = NULL;
WSK_BUF WskBuffer = {0};
LONG BytesSent = SOCKET_ERROR;
NTSTATUS Status = STATUS_UNSUCCESSFUL;
if (g_SocketsState != INITIALIZED || !WskSocket || !Buffer || !BufferSize)
return SOCKET_ERROR;
Status = InitWskBuffer(Buffer, BufferSize, &WskBuffer);
if (!NT_SUCCESS(Status)) {
KdPrint(("SendTo(): InitWskData() failed with status 0x%08X\n", Status));
return SOCKET_ERROR;
}
Status = InitWskData(&Irp, &CompletionEvent);
if (!NT_SUCCESS(Status)) {
KdPrint(("SendTo(): InitWskData() failed with status 0x%08X\n", Status));
FreeWskBuffer(&WskBuffer);
return SOCKET_ERROR;
}
Status =
((PWSK_PROVIDER_DATAGRAM_DISPATCH)WskSocket->Dispatch)
->WskSendTo(WskSocket, &WskBuffer, 0, RemoteAddress, 0, NULL, Irp);
if (Status == STATUS_PENDING) {
KeWaitForSingleObject(&CompletionEvent, Executive, KernelMode, FALSE, NULL);
Status = Irp->IoStatus.Status;
}
BytesSent =
NT_SUCCESS(Status) ? (LONG)Irp->IoStatus.Information : SOCKET_ERROR;
IoFreeIrp(Irp);
FreeWskBuffer(&WskBuffer);
return BytesSent;
}
LONG NTAPI Receive(__in PWSK_SOCKET WskSocket, __out PVOID Buffer,
__in ULONG BufferSize, __in ULONG Flags) {
KEVENT CompletionEvent = {0};
PIRP Irp = NULL;
WSK_BUF WskBuffer = {0};
LONG BytesReceived = SOCKET_ERROR;
NTSTATUS Status = STATUS_UNSUCCESSFUL;
if (g_SocketsState != INITIALIZED || !WskSocket || !Buffer || !BufferSize)
return SOCKET_ERROR;
Status = InitWskBuffer(Buffer, BufferSize, &WskBuffer);
if (!NT_SUCCESS(Status)) {
KdPrint(("Receive(): InitWskData() failed with status 0x%08X\n", Status));
return SOCKET_ERROR;
}
Status = InitWskData(&Irp, &CompletionEvent);
if (!NT_SUCCESS(Status)) {
KdPrint(("Receive(): InitWskData() failed with status 0x%08X\n", Status));
FreeWskBuffer(&WskBuffer);
return SOCKET_ERROR;
}
Status = ((PWSK_PROVIDER_CONNECTION_DISPATCH)WskSocket->Dispatch)
->WskReceive(WskSocket, &WskBuffer, Flags, Irp);
if (Status == STATUS_PENDING) {
KeWaitForSingleObject(&CompletionEvent, Executive, KernelMode, FALSE, NULL);
Status = Irp->IoStatus.Status;
}
BytesReceived =
NT_SUCCESS(Status) ? (LONG)Irp->IoStatus.Information : SOCKET_ERROR;
IoFreeIrp(Irp);
FreeWskBuffer(&WskBuffer);
return BytesReceived;
}
LONG NTAPI ReceiveFrom(__in PWSK_SOCKET WskSocket, __out PVOID Buffer,
__in ULONG BufferSize, __out_opt PSOCKADDR RemoteAddress,
__out_opt PULONG ControlFlags) {
KEVENT CompletionEvent = {0};
PIRP Irp = NULL;
WSK_BUF WskBuffer = {0};
LONG BytesReceived = SOCKET_ERROR;
NTSTATUS Status = STATUS_UNSUCCESSFUL;
if (g_SocketsState != INITIALIZED || !WskSocket || !Buffer || !BufferSize)
return SOCKET_ERROR;
Status = InitWskBuffer(Buffer, BufferSize, &WskBuffer);
if (!NT_SUCCESS(Status)) {
KdPrint(
("ReceiveFrom(): InitWskData() failed with status 0x%08X\n", Status));
return SOCKET_ERROR;
}
Status = InitWskData(&Irp, &CompletionEvent);
if (!NT_SUCCESS(Status)) {
KdPrint(
("ReceiveFrom(): InitWskData() failed with status 0x%08X\n", Status));
FreeWskBuffer(&WskBuffer);
return SOCKET_ERROR;
}
Status = ((PWSK_PROVIDER_DATAGRAM_DISPATCH)WskSocket->Dispatch)
->WskReceiveFrom(WskSocket, &WskBuffer, 0, RemoteAddress, 0,
NULL, ControlFlags, Irp);
if (Status == STATUS_PENDING) {
KeWaitForSingleObject(&CompletionEvent, Executive, KernelMode, FALSE, NULL);
Status = Irp->IoStatus.Status;
}
BytesReceived =
NT_SUCCESS(Status) ? (LONG)Irp->IoStatus.Information : SOCKET_ERROR;
IoFreeIrp(Irp);
FreeWskBuffer(&WskBuffer);
return BytesReceived;
}
NTSTATUS
NTAPI
Bind(__in PWSK_SOCKET WskSocket, __in PSOCKADDR LocalAddress) {
KEVENT CompletionEvent = {0};
PIRP Irp = NULL;
NTSTATUS Status = STATUS_UNSUCCESSFUL;
if (g_SocketsState != INITIALIZED || !WskSocket || !LocalAddress)
return STATUS_INVALID_PARAMETER;
Status = InitWskData(&Irp, &CompletionEvent);
if (!NT_SUCCESS(Status)) {
KdPrint(("Bind(): InitWskData() failed with status 0x%08X\n", Status));
return Status;
}
Status = ((PWSK_PROVIDER_CONNECTION_DISPATCH)WskSocket->Dispatch)
->WskBind(WskSocket, LocalAddress, 0, Irp);
if (Status == STATUS_PENDING) {
KeWaitForSingleObject(&CompletionEvent, Executive, KernelMode, FALSE, NULL);
Status = Irp->IoStatus.Status;
}
IoFreeIrp(Irp);
return Status;
}
PWSK_SOCKET
NTAPI
Accept(__in PWSK_SOCKET WskSocket, __out_opt PSOCKADDR LocalAddress,
__out_opt PSOCKADDR RemoteAddress) {
KEVENT CompletionEvent = {0};
PIRP Irp = NULL;
NTSTATUS Status = STATUS_UNSUCCESSFUL;
PWSK_SOCKET AcceptedSocket = NULL;
if (g_SocketsState != INITIALIZED || !WskSocket) return NULL;
Status = InitWskData(&Irp, &CompletionEvent);
if (!NT_SUCCESS(Status)) {
KdPrint(("Accept(): InitWskData() failed with status 0x%08X\n", Status));
return NULL;
}
Status = ((PWSK_PROVIDER_LISTEN_DISPATCH)WskSocket->Dispatch)
->WskAccept(WskSocket, 0, NULL, NULL, LocalAddress,
RemoteAddress, Irp);
if (Status == STATUS_PENDING) {
KeWaitForSingleObject(&CompletionEvent, Executive, KernelMode, FALSE, NULL);
Status = Irp->IoStatus.Status;
}
AcceptedSocket =
NT_SUCCESS(Status) ? (PWSK_SOCKET)Irp->IoStatus.Information : NULL;
IoFreeIrp(Irp);
return AcceptedSocket;
}


@ -1,55 +1,55 @@
#pragma warning(push)
#pragma warning(disable : 4201) // nameless struct/union
#pragma warning(disable : 4214) // bit field types other than int
#pragma once
#include <ntddk.h>
#include <wsk.h>
#pragma warning(pop)
#define SOCKET_ERROR -1
NTSTATUS NTAPI WSKStartup();
VOID NTAPI WSKCleanup();
PWSK_SOCKET
NTAPI
CreateSocket(__in ADDRESS_FAMILY AddressFamily, __in USHORT SocketType,
__in ULONG Protocol, __in ULONG Flags);
NTSTATUS
NTAPI
CloseSocket(__in PWSK_SOCKET WskSocket);
NTSTATUS
NTAPI
Connect(__in PWSK_SOCKET WskSocket, __in PSOCKADDR RemoteAddress);
PWSK_SOCKET
NTAPI
SocketConnect(__in USHORT SocketType, __in ULONG Protocol,
__in PSOCKADDR RemoteAddress, __in PSOCKADDR LocalAddress);
LONG NTAPI Send(__in PWSK_SOCKET WskSocket, __in PVOID Buffer,
__in ULONG BufferSize, __in ULONG Flags);
LONG NTAPI SendTo(__in PWSK_SOCKET WskSocket, __in PVOID Buffer,
__in ULONG BufferSize, __in_opt PSOCKADDR RemoteAddress);
LONG NTAPI Receive(__in PWSK_SOCKET WskSocket, __out PVOID Buffer,
__in ULONG BufferSize, __in ULONG Flags);
LONG NTAPI ReceiveFrom(__in PWSK_SOCKET WskSocket, __out PVOID Buffer,
__in ULONG BufferSize, __out_opt PSOCKADDR RemoteAddress,
__out_opt PULONG ControlFlags);
NTSTATUS
NTAPI
Bind(__in PWSK_SOCKET WskSocket, __in PSOCKADDR LocalAddress);
PWSK_SOCKET
NTAPI
Accept(__in PWSK_SOCKET WskSocket, __out_opt PSOCKADDR LocalAddress,
__out_opt PSOCKADDR RemoteAddress);
#pragma warning(push)
#pragma warning(disable : 4201) // nameless struct/union
#pragma warning(disable : 4214) // bit field types other than int
#pragma once
#include <ntddk.h>
#include <wsk.h>
#pragma warning(pop)
#define SOCKET_ERROR -1
NTSTATUS NTAPI WSKStartup();
VOID NTAPI WSKCleanup();
PWSK_SOCKET
NTAPI
CreateSocket(__in ADDRESS_FAMILY AddressFamily, __in USHORT SocketType,
__in ULONG Protocol, __in ULONG Flags);
NTSTATUS
NTAPI
CloseSocket(__in PWSK_SOCKET WskSocket);
NTSTATUS
NTAPI
Connect(__in PWSK_SOCKET WskSocket, __in PSOCKADDR RemoteAddress);
PWSK_SOCKET
NTAPI
SocketConnect(__in USHORT SocketType, __in ULONG Protocol,
__in PSOCKADDR RemoteAddress, __in PSOCKADDR LocalAddress);
LONG NTAPI Send(__in PWSK_SOCKET WskSocket, __in PVOID Buffer,
__in ULONG BufferSize, __in ULONG Flags);
LONG NTAPI SendTo(__in PWSK_SOCKET WskSocket, __in PVOID Buffer,
__in ULONG BufferSize, __in_opt PSOCKADDR RemoteAddress);
LONG NTAPI Receive(__in PWSK_SOCKET WskSocket, __out PVOID Buffer,
__in ULONG BufferSize, __in ULONG Flags);
LONG NTAPI ReceiveFrom(__in PWSK_SOCKET WskSocket, __out PVOID Buffer,
__in ULONG BufferSize, __out_opt PSOCKADDR RemoteAddress,
__out_opt PULONG ControlFlags);
NTSTATUS
NTAPI
Bind(__in PWSK_SOCKET WskSocket, __in PSOCKADDR LocalAddress);
PWSK_SOCKET
NTAPI
Accept(__in PWSK_SOCKET WskSocket, __out_opt PSOCKADDR LocalAddress,
__out_opt PSOCKADDR RemoteAddress);


@ -1,662 +0,0 @@
00000007 2.44968486 [NAK] :: [ ] Hello from Kernel, setup a few things
00000008 2.44975328 [NAK] :: [+] Setup completed, GO GO GO !!!!
00000009 2.44980168 [NAK] :: [ ] Windows version : 10.0.19564
00000010 2.44980717 [NAK] :: [ ] Detected windows : 2020 Fast Ring
00000011 2.44981456 [NAK] :: [ ] System eprocess : 0xFFFFDB0CC8CB5040, [ System]
00000012 2.44984531 [NAK] :: [ ] PsActiveProcessHead : 0xFFFFF8031601F970
00000013 2.44985104 [NAK] :: [ ] ntoskrnl.exe : 0xFFFFF80315400000
00000014 2.44985557 [NAK] :: [ ] Scan the PsActiveProcessHead linked-list
00000015 2.44986176 [NAK] :: [ ] eprocess : 0xFFFFDB0CC8DE7080, [ Secure System]
00000016 2.44996500 [NAK] :: [ ] eprocess : 0xFFFFDB0CC8D36080, [ Registry]
00000017 2.44997287 [NAK] :: [ ] eprocess : 0xFFFFDB0CD1AA3040, [ smss.exe]
00000018 2.44998288 [NAK] :: [ ] eprocess : 0xFFFFDB0CD1C6D0C0, [ smss.exe]
00000019 2.44999051 [NAK] :: [ ] eprocess : 0xFFFFDB0CD1C60140, [ csrss.exe]
00000020 2.44999647 [NAK] :: [ ] eprocess : 0xFFFFDB0CD3A53080, [ smss.exe]
00000021 2.45000243 [NAK] :: [ ] eprocess : 0xFFFFDB0CD3A54080, [ wininit.exe]
00000022 2.45000839 [NAK] :: [ ] eprocess : 0xFFFFDB0CD3A52140, [ csrss.exe]
00000023 2.45001388 [NAK] :: [ ] eprocess : 0xFFFFDB0CD3AAB080, [ services.exe]
00000024 2.45001888 [NAK] :: [ ] eprocess : 0xFFFFDB0CD3ACB080, [ LsaIso.exe]
00000025 2.45002389 [NAK] :: [ ] eprocess : 0xFFFFDB0CD3AC9080, [ lsass.exe]
00000026 2.45002913 [NAK] :: [ ] eprocess : 0xFFFFDB0CD3BD8080, [ svchost.exe]
00000027 2.45003533 [NAK] :: [ ] eprocess : 0xFFFFDB0CD3C430C0, [ fontdrvhost.ex]
00000028 2.45004129 [NAK] :: [ ] eprocess : 0xFFFFDB0CD3C2F080, [ WUDFHost.exe]
00000029 2.45004702 [NAK] :: [ ] eprocess : 0xFFFFDB0CD3CD1240, [ svchost.exe]
00000030 2.45005274 [NAK] :: [ ] eprocess : 0xFFFFDB0CD3D10080, [ svchost.exe]
00000031 2.45005846 [NAK] :: [ ] eprocess : 0xFFFFDB0CD3D84080, [ winlogon.exe]
00000032 2.45009232 [NAK] :: [ ] eprocess : 0xFFFFDB0CD3E27080, [ fontdrvhost.ex]
00000033 2.45009780 [NAK] :: [ ] eprocess : 0xFFFFDB0CD3E5C080, [ dwm.exe]
00000034 2.45010328 [NAK] :: [ ] eprocess : 0xFFFFDB0CD3F210C0, [ svchost.exe]
00000035 2.45010829 [NAK] :: [ ] eprocess : 0xFFFFDB0CD3F25080, [ svchost.exe]
00000036 2.45011401 [NAK] :: [ ] eprocess : 0xFFFFDB0CD3F42080, [ svchost.exe]
00000037 2.45018148 [NAK] :: [ ] eprocess : 0xFFFFDB0CD3F44080, [ svchost.exe]
00000038 2.45018888 [NAK] :: [ ] eprocess : 0xFFFFDB0CD3F4F080, [ svchost.exe]
00000039 2.45023370 [NAK] :: [ ] eprocess : 0xFFFFDB0CD3F54080, [ svchost.exe]
00000040 2.45023942 [NAK] :: [ ] eprocess : 0xFFFFDB0CD3F6E0C0, [ svchost.exe]
00000041 2.45024443 [NAK] :: [ ] eprocess : 0xFFFFDB0CD3F74080, [ svchost.exe]
00000042 2.45024967 [NAK] :: [ ] eprocess : 0xFFFFDB0CD560C080, [ svchost.exe]
00000043 2.45025444 [NAK] :: [ ] eprocess : 0xFFFFDB0CD5611080, [ svchost.exe]
00000044 2.45025969 [NAK] :: [ ] eprocess : 0xFFFFDB0CD564A080, [ svchost.exe]
00000045 2.45026469 [NAK] :: [ ] eprocess : 0xFFFFDB0CD566F080, [ svchost.exe]
00000046 2.45026994 [NAK] :: [ ] eprocess : 0xFFFFDB0CD5671080, [ svchost.exe]
00000047 2.45027471 [NAK] :: [ ] eprocess : 0xFFFFDB0CD56B9080, [ svchost.exe]
00000048 2.45027971 [NAK] :: [ ] eprocess : 0xFFFFDB0CD56B7080, [ svchost.exe]
00000049 2.45028472 [NAK] :: [ ] eprocess : 0xFFFFDB0CD5757080, [ svchost.exe]
00000050 2.45028973 [NAK] :: [ ] eprocess : 0xFFFFDB0CD57970C0, [ svchost.exe]
00000051 2.45029521 [NAK] :: [ ] eprocess : 0xFFFFDB0CD579D080, [ svchost.exe]
00000052 2.45029998 [NAK] :: [ ] eprocess : 0xFFFFDB0CD5868080, [ svchost.exe]
00000053 2.45030522 [NAK] :: [ ] eprocess : 0xFFFFDB0CD5887080, [ svchost.exe]
00000054 2.45031071 [NAK] :: [ ] eprocess : 0xFFFFDB0CD588E080, [ dasHost.exe]
00000055 2.45033646 [NAK] :: [ ] eprocess : 0xFFFFDB0CD589C080, [ svchost.exe]
00000056 2.45034194 [NAK] :: [ ] eprocess : 0xFFFFDB0CD58F0080, [ svchost.exe]
00000057 2.45034766 [NAK] :: [ ] eprocess : 0xFFFFDB0CD59450C0, [ svchost.exe]
00000058 2.45035267 [NAK] :: [ ] eprocess : 0xFFFFDB0CD5962080, [ svchost.exe]
00000059 2.45036316 [NAK] :: [ ] eprocess : 0xFFFFDB0CD59A90C0, [ svchost.exe]
00000060 2.45036960 [NAK] :: [ ] eprocess : 0xFFFFDB0CD59B8080, [ vmms.exe]
00000061 2.45037484 [NAK] :: [ ] eprocess : 0xFFFFDB0CD5A250C0, [ svchost.exe]
00000062 2.45038009 [NAK] :: [ ] eprocess : 0xFFFFDB0CD5A31080, [ svchost.exe]
00000063 2.45038509 [NAK] :: [ ] eprocess : 0xFFFFDB0CD5B29080, [ svchost.exe]
00000064 2.45039034 [NAK] :: [ ] eprocess : 0xFFFFDB0CD5B350C0, [ svchost.exe]
00000065 2.45039558 [NAK] :: [ ] eprocess : 0xFFFFDB0CD5B43080, [ svchost.exe]
00000066 2.45040083 [NAK] :: [ ] eprocess : 0xFFFFDB0CD5B42080, [ NVDisplay.Cont]
00000067 2.45040607 [NAK] :: [ ] eprocess : 0xFFFFDB0CD5BBF080, [ svchost.exe]
00000068 2.45041108 [NAK] :: [ ] eprocess : 0xFFFFDB0CD5BE8080, [ svchost.exe]
00000069 2.45041656 [NAK] :: [ ] eprocess : 0xFFFFDB0CD5B65080, [ svchost.exe]
00000070 2.45042205 [NAK] :: [ ] eprocess : 0xFFFFDB0CD5C2F0C0, [ svchost.exe]
00000071 2.45042729 [NAK] :: [ ] eprocess : 0xFFFFDB0CD5C4E080, [ igfxCUIService]
00000072 2.45043230 [NAK] :: [ ] eprocess : 0xFFFFDB0CD5C51040, [ MemCompression]
00000073 2.45043731 [NAK] :: [ ] eprocess : 0xFFFFDB0CD5CCA0C0, [ svchost.exe]
00000074 2.45044231 [NAK] :: [ ] eprocess : 0xFFFFDB0CD5CCE080, [ svchost.exe]
00000075 2.45044923 [NAK] :: [ ] eprocess : 0xFFFFDB0CD5CD2080, [ svchost.exe]
00000076 2.45045567 [NAK] :: [ ] eprocess : 0xFFFFDB0CD5D840C0, [ svchost.exe]
00000077 2.45046210 [NAK] :: [ ] eprocess : 0xFFFFDB0CD5DBB080, [ NVDisplay.Cont]
00000078 2.45046687 [NAK] :: [ ] eprocess : 0xFFFFDB0CD5DE90C0, [ svchost.exe]
00000079 2.45047331 [NAK] :: [ ] eprocess : 0xFFFFDB0CD5E4A080, [ svchost.exe]
00000080 2.45047832 [NAK] :: [ ] eprocess : 0xFFFFDB0CD5E670C0, [ svchost.exe]
00000081 2.45048451 [NAK] :: [ ] eprocess : 0xFFFFDB0CD5EB5080, [ svchost.exe]
00000082 2.45048952 [NAK] :: [ ] eprocess : 0xFFFFDB0CD5DE7080, [ svchost.exe]
00000083 2.45049477 [NAK] :: [ ] eprocess : 0xFFFFDB0CD5EEB080, [ svchost.exe]
00000084 2.45049953 [NAK] :: [ ] eprocess : 0xFFFFDB0CD5EEA080, [ svchost.exe]
00000085 2.45050478 [NAK] :: [ ] eprocess : 0xFFFFDB0CD5F07080, [ svchost.exe]
00000086 2.45051026 [NAK] :: [ ] eprocess : 0xFFFFDB0CD5FE9080, [ svchost.exe]
00000087 2.45051551 [NAK] :: [ ] eprocess : 0xFFFFDB0CD606D080, [ svchost.exe]
00000088 2.45052052 [NAK] :: [ ] eprocess : 0xFFFFDB0CD6167080, [ svchost.exe]
00000089 2.45052552 [NAK] :: [ ] eprocess : 0xFFFFDB0CD6164080, [ svchost.exe]
00000090 2.45053577 [NAK] :: [ ] eprocess : 0xFFFFDB0CD616B080, [ svchost.exe]
00000091 2.45054245 [NAK] :: [ ] eprocess : 0xFFFFDB0CD61B40C0, [ spoolsv.exe]
00000092 2.45054793 [NAK] :: [ ] eprocess : 0xFFFFDB0CD621B080, [ svchost.exe]
00000093 2.45055389 [NAK] :: [ ] eprocess : 0xFFFFDB0CD6253080, [ svchost.exe]
00000094 2.45055985 [NAK] :: [ ] eprocess : 0xFFFFDB0CD62AE080, [ armsvc.exe]
00000095 2.45056605 [NAK] :: [ ] eprocess : 0xFFFFDB0CD62CB0C0, [ AdobeUpdateSer]
00000096 2.45057201 [NAK] :: [ ] eprocess : 0xFFFFDB0CD62DF080, [ AGMService.exe]
00000097 2.45057750 [NAK] :: [ ] eprocess : 0xFFFFDB0CD62E7080, [ OfficeClickToR]
00000098 2.45058799 [NAK] :: [ ] eprocess : 0xFFFFDB0CD62E8080, [ com.docker.ser]
00000099 2.45059443 [NAK] :: [ ] eprocess : 0xFFFFDB0CD62E6080, [ IntelCpHDCPSvc]
00000100 2.45060039 [NAK] :: [ ] eprocess : 0xFFFFDB0CD63C80C0, [ svchost.exe]
00000101 2.45060635 [NAK] :: [ ] eprocess : 0xFFFFDB0CD63DF080, [ CxAudMsg64.exe]
00000102 2.45061231 [NAK] :: [ ] eprocess : 0xFFFFDB0CD63E2080, [ CxUtilSvc.exe]
00000103 2.45061851 [NAK] :: [ ] eprocess : 0xFFFFDB0CD6452080, [ DbxSvc.exe]
00000104 2.45062470 [NAK] :: [ ] eprocess : 0xFFFFDB0CD6456080, [ svchost.exe]
00000105 2.45063090 [NAK] :: [ ] eprocess : 0xFFFFDB0CD64E10C0, [ wlanext.exe]
00000106 2.45063686 [NAK] :: [ ] eprocess : 0xFFFFDB0CD64EE080, [ ibtsiva.exe]
00000107 2.45064282 [NAK] :: [ ] eprocess : 0xFFFFDB0CD65020C0, [ esif_uf.exe]
00000108 2.45064950 [NAK] :: [ ] eprocess : 0xFFFFDB0CD64EC080, [ EvtEng.exe]
00000109 2.45065570 [NAK] :: [ ] eprocess : 0xFFFFDB0CD6503080, [ FMService64.ex]
00000110 2.45066190 [NAK] :: [ ] eprocess : 0xFFFFDB0CD6522080, [ svchost.exe]
00000111 2.45066810 [NAK] :: [ ] eprocess : 0xFFFFDB0CD652A080, [ conhost.exe]
00000112 2.45070338 [NAK] :: [ ] eprocess : 0xFFFFDB0CD652B080, [ LegacyCsLoader]
00000113 2.45070910 [NAK] :: [ ] eprocess : 0xFFFFDB0CD6540080, [ svchost.exe]
00000114 2.45071411 [NAK] :: [ ] eprocess : 0xFFFFDB0CD6543080, [ IntelTechnolog]
00000115 2.45071912 [NAK] :: [ ] eprocess : 0xFFFFDB0CD3D9B080, [ IpOverUsbSvc.e]
00000116 2.45072436 [NAK] :: [ ] eprocess : 0xFFFFDB0CD659A080, [ NvTelemetryCon]
00000117 2.45072961 [NAK] :: [ ] eprocess : 0xFFFFDB0CD663F080, [ PnkBstrA.exe]
00000118 2.45078611 [NAK] :: [ ] eprocess : 0xFFFFDB0CD668B080, [ svchost.exe]
00000119 2.45079350 [NAK] :: [ ] eprocess : 0xFFFFDB0CD646F080, [ RtkAudUService]
00000120 2.45079875 [NAK] :: [ ] eprocess : 0xFFFFDB0CD6691080, [ RemoteServerWi]
00000121 2.45080400 [NAK] :: [ ] eprocess : 0xFFFFDB0CD6690080, [ SmartByteNetwo]
00000122 2.45080924 [NAK] :: [ ] eprocess : 0xFFFFDB0CD67970C0, [ svchost.exe]
00000123 2.45081472 [NAK] :: [ ] eprocess : 0xFFFFDB0CD6795080, [ svchost.exe]
00000124 2.45081997 [NAK] :: [ ] eprocess : 0xFFFFDB0CD679D080, [ SynTPEnhServic]
00000125 2.45083952 [NAK] :: [ ] eprocess : 0xFFFFDB0CD67C4080, [ sqlwriter.exe]
00000126 2.45084524 [NAK] :: [ ] eprocess : 0xFFFFDB0CD67C5080, [ ThunderboltSer]
00000127 2.45085025 [NAK] :: [ ] eprocess : 0xFFFFDB0CD685C080, [ TeamViewer_Ser]
00000128 2.45085549 [NAK] :: [ ] eprocess : 0xFFFFDB0CD68C60C0, [ svchost.exe]
00000129 2.45086122 [NAK] :: [ ] eprocess : 0xFFFFDB0CD68CE080, [ TrueColorALS.e]
00000130 2.45086622 [NAK] :: [ ] eprocess : 0xFFFFDB0CD68CF080, [ WmiPrvSE.exe]
00000131 2.45087171 [NAK] :: [ ] eprocess : 0xFFFFDB0CD691E080, [ vmware-authd.e]
00000132 2.45087647 [NAK] :: [ ] eprocess : 0xFFFFDB0CD690D080, [ vmnetdhcp.exe]
00000133 2.45088124 [NAK] :: [ ] eprocess : 0xFFFFDB0CD6910080, [ WmiPrvSE.exe]
00000134 2.45088649 [NAK] :: [ ] eprocess : 0xFFFFDB0CD6940080, [ vmware-usbarbi]
00000135 2.45089149 [NAK] :: [ ] eprocess : 0xFFFFDB0CD6947080, [ vmnat.exe]
00000136 2.45089650 [NAK] :: [ ] eprocess : 0xFFFFDB0CD69A00C0, [ WDDriveService]
00000137 2.45090151 [NAK] :: [ ] eprocess : 0xFFFFDB0CD69A5080, [ ZeroConfigServ]
00000138 2.45090675 [NAK] :: [ ] eprocess : 0xFFFFDB0CD69A3080, [ MsMpEng.exe]
00000139 2.45091200 [NAK] :: [ ] eprocess : 0xFFFFDB0CD6944080, [ svchost.exe]
00000140 2.45091677 [NAK] :: [ ] eprocess : 0xFFFFDB0CD69C9080, [ svchost.exe]
00000141 2.45092320 [NAK] :: [ ] eprocess : 0xFFFFDB0CD6A06080, [ unsecapp.exe]
00000142 2.45093346 [NAK] :: [ ] eprocess : 0xFFFFDB0CD6A71080, [ IntelCpHeciSvc]
00000143 2.45093966 [NAK] :: [ ] eprocess : 0xFFFFDB0CD6CCF080, [ svchost.exe]
00000144 2.45094514 [NAK] :: [ ] eprocess : 0xFFFFDB0CD6D6B080, [ igfxext.exe]
00000145 2.45095086 [NAK] :: [ ] eprocess : 0xFFFFDB0CD701C080, [ svchost.exe]
00000146 2.45095682 [NAK] :: [ ] eprocess : 0xFFFFDB0CC8D99080, [ svchost.exe]
00000147 2.45096517 [NAK] :: [ ] eprocess : 0xFFFFDB0CD71B0080, [ svchost.exe]
00000148 2.45100307 [NAK] :: [ ] eprocess : 0xFFFFDB0CD71D40C0, [ svchost.exe]
00000149 2.45100832 [NAK] :: [ ] eprocess : 0xFFFFDB0CD7296080, [ vmware-hostd.e]
00000150 2.45106411 [NAK] :: [ ] eprocess : 0xFFFFDB0CD7ADE080, [ svchost.exe]
00000151 2.45107079 [NAK] :: [ ] eprocess : 0xFFFFDB0CD74EB080, [ svchost.exe]
00000152 2.45107603 [NAK] :: [ ] eprocess : 0xFFFFDB0CD7BF6080, [ dllhost.exe]
00000153 2.45108151 [NAK] :: [ ] eprocess : 0xFFFFDB0CD79ED080, [ vmcompute.exe]
00000154 2.45109081 [NAK] :: [ ] eprocess : 0xFFFFDB0CD7FE6080, [ NisSrv.exe]
00000155 2.45109725 [NAK] :: [ ] eprocess : 0xFFFFDB0CE401A240, [ dptf_helper.ex]
00000156 2.45110250 [NAK] :: [ ] eprocess : 0xFFFFDB0CD606C080, [ SynTPEnh.exe]
00000157 2.45110726 [NAK] :: [ ] eprocess : 0xFFFFDB0CE417F080, [ svchost.exe]
00000158 2.45111251 [NAK] :: [ ] eprocess : 0xFFFFDB0CE4190080, [ SynTPEnh.exe]
00000159 2.45111728 [NAK] :: [ ] eprocess : 0xFFFFDB0CE41E0080, [ svchost.exe]
00000160 2.45112205 [NAK] :: [ ] eprocess : 0xFFFFDB0CE41E7200, [ sihost.exe]
00000161 2.45112705 [NAK] :: [ ] eprocess : 0xFFFFDB0CE429E080, [ svchost.exe]
00000162 2.45113230 [NAK] :: [ ] eprocess : 0xFFFFDB0CE42A1080, [ GoogleUpdate.e]
00000163 2.45113730 [NAK] :: [ ] eprocess : 0xFFFFDB0CE42A2080, [ svchost.exe]
00000164 2.45114326 [NAK] :: [ ] eprocess : 0xFFFFDB0CE42A3080, [ PresentationFo]
00000165 2.45114899 [NAK] :: [ ] eprocess : 0xFFFFDB0CE42A60C0, [ taskhostw.exe]
00000166 2.45115423 [NAK] :: [ ] eprocess : 0xFFFFDB0CE42A4080, [ DropboxUpdate.]
00000167 2.45115948 [NAK] :: [ ] eprocess : 0xFFFFDB0CE42A8080, [ svchost.exe]
00000168 2.45116448 [NAK] :: [ ] eprocess : 0xFFFFDB0CE4170080, [ svchost.exe]
00000169 2.45116925 [NAK] :: [ ] eprocess : 0xFFFFDB0CE43E3200, [ ctfmon.exe]
00000170 2.45117450 [NAK] :: [ ] eprocess : 0xFFFFDB0CE44130C0, [ SynTPHelper.ex]
00000171 2.45117998 [NAK] :: [ ] eprocess : 0xFFFFDB0CE43E00C0, [ svchost.exe]
00000172 2.45118690 [NAK] :: [ ] eprocess : 0xFFFFDB0CE45E2080, [ svchost.exe]
00000173 2.45119190 [NAK] :: [ ] eprocess : 0xFFFFDB0CE4659080, [ ChsIME.exe]
00000174 2.45119858 [NAK] :: [ ] eprocess : 0xFFFFDB0CE4663080, [ cmd.exe]
00000175 2.45120525 [NAK] :: [ ] eprocess : 0xFFFFDB0CE4688080, [ userinit.exe]
00000176 2.45121121 [NAK] :: [ ] eprocess : 0xFFFFDB0CE43F9080, [ explorer.exe]
00000177 2.45122242 [NAK] :: [ ] eprocess : 0xFFFFDB0CE47460C0, [ igfxEM.exe]
00000178 2.45122814 [NAK] :: [ ] eprocess : 0xFFFFDB0CE4784140, [ svchost.exe]
00000179 2.45123363 [NAK] :: [ ] eprocess : 0xFFFFDB0CE48C5080, [ SearchIndexer.]
00000180 2.45123911 [NAK] :: [ ] eprocess : 0xFFFFDB0CE4AAB080, [ svchost.exe]
00000181 2.45124412 [NAK] :: [ ] eprocess : 0xFFFFDB0CD7E60080, [ StartMenuExper]
00000182 2.45124960 [NAK] :: [ ] eprocess : 0xFFFFDB0CE4BE1080, [ RuntimeBroker.]
00000183 2.45125484 [NAK] :: [ ] eprocess : 0xFFFFDB0CE4DB90C0, [ RuntimeBroker.]
00000184 2.45126009 [NAK] :: [ ] eprocess : 0xFFFFDB0CE4EFC080, [ YourPhone.exe]
00000185 2.45126510 [NAK] :: [ ] eprocess : 0xFFFFDB0CE60CE240, [ SkypeBackgroun]
00000186 2.45127034 [NAK] :: [ ] eprocess : 0xFFFFDB0CE60F5080, [ SkypeApp.exe]
00000187 2.45127559 [NAK] :: [ ] eprocess : 0xFFFFDB0CE611A140, [ RtkAudUService]
00000188 2.45128155 [NAK] :: [ ] eprocess : 0xFFFFDB0CE4C240C0, [ TextInputHost.]
00000189 2.45128727 [NAK] :: [ ] eprocess : 0xFFFFDB0CE6122080, [ svchost.exe]
00000190 2.45129251 [NAK] :: [ ] eprocess : 0xFFFFDB0CE61540C0, [ RuntimeBroker.]
00000191 2.45129871 [NAK] :: [ ] eprocess : 0xFFFFDB0CE4F860C0, [ RuntimeBroker.]
00000192 2.45130372 [NAK] :: [ ] eprocess : 0xFFFFDB0CE61780C0, [ SettingSyncHos]
00000193 2.45130992 [NAK] :: [ ] eprocess : 0xFFFFDB0CE7603080, [ ShellExperienc]
00000194 2.45131564 [NAK] :: [ ] eprocess : 0xFFFFDB0CE636B080, [ RuntimeBroker.]
00000195 2.45132089 [NAK] :: [ ] eprocess : 0xFFFFDB0CE7662080, [ GoogleCrashHan]
00000196 2.45132637 [NAK] :: [ ] eprocess : 0xFFFFDB0CE40F5080, [ GoogleCrashHan]
00000197 2.45133638 [NAK] :: [ ] eprocess : 0xFFFFDB0CE752D240, [ SecurityHealth]
00000198 2.45134282 [NAK] :: [ ] eprocess : 0xFFFFDB0CE75B80C0, [ SecurityHealth]
00000199 2.45134878 [NAK] :: [ ] eprocess : 0xFFFFDB0CE4E240C0, [ IAStorIconLaun]
00000200 2.45135474 [NAK] :: [ ] eprocess : 0xFFFFDB0CE760B180, [ CAudioFilterAg]
00000201 2.45136070 [NAK] :: [ ] eprocess : 0xFFFFDB0CE4D65080, [ sacpl.exe]
00000202 2.45136642 [NAK] :: [ ] eprocess : 0xFFFFDB0CE63DE080, [ chrome.exe]
00000203 2.45137191 [NAK] :: [ ] eprocess : 0xFFFFDB0CE600B080, [ chrome.exe]
00000204 2.45137811 [NAK] :: [ ] eprocess : 0xFFFFDB0CE7731080, [ Docker Desktop]
00000205 2.45138407 [NAK] :: [ ] eprocess : 0xFFFFDB0CE74D90C0, [ chrome.exe]
00000206 2.45139003 [NAK] :: [ ] eprocess : 0xFFFFDB0CE77240C0, [ SmartAudio3.ex]
00000207 2.45139718 [NAK] :: [ ] eprocess : 0xFFFFDB0CE77460C0, [ chrome.exe]
00000208 2.45140362 [NAK] :: [ ] eprocess : 0xFFFFDB0CE77790C0, [ chrome.exe]
00000209 2.45141029 [NAK] :: [ ] eprocess : 0xFFFFDB0CE4D130C0, [ RemoteServerWi]
00000210 2.45141625 [NAK] :: [ ] eprocess : 0xFFFFDB0CE74DB080, [ runonce.exe]
00000211 2.45142269 [NAK] :: [ ] eprocess : 0xFFFFDB0CE770B080, [ SearchApp.exe]
00000212 2.45142937 [NAK] :: [ ] eprocess : 0xFFFFDB0CE7770080, [ chrome.exe]
00000213 2.45146275 [NAK] :: [ ] eprocess : 0xFFFFDB0CE7705080, [ chrome.exe]
00000214 2.45146966 [NAK] :: [ ] eprocess : 0xFFFFDB0CE775B080, [ chrome.exe]
00000215 2.45147491 [NAK] :: [ ] eprocess : 0xFFFFDB0CE7710080, [ chrome.exe]
00000216 2.45147991 [NAK] :: [ ] eprocess : 0xFFFFDB0CE774E080, [ chrome.exe]
00000217 2.45148921 [NAK] :: [ ] eprocess : 0xFFFFDB0CE7720080, [ chrome.exe]
00000218 2.45154881 [NAK] :: [ ] eprocess : 0xFFFFDB0CE63B0080, [ chrome.exe]
00000219 2.45155478 [NAK] :: [ ] eprocess : 0xFFFFDB0CE775E080, [ chrome.exe]
00000220 2.45156050 [NAK] :: [ ] eprocess : 0xFFFFDB0CE4DD8080, [ chrome.exe]
00000221 2.45156598 [NAK] :: [ ] eprocess : 0xFFFFDB0CE4D14080, [ chrome.exe]
00000222 2.45157194 [NAK] :: [ ] eprocess : 0xFFFFDB0CE65870C0, [ chrome.exe]
00000223 2.45157766 [NAK] :: [ ] eprocess : 0xFFFFDB0CE663B080, [ chrome.exe]
00000224 2.45158339 [NAK] :: [ ] eprocess : 0xFFFFDB0CE6577080, [ chrome.exe]
00000225 2.45159316 [NAK] :: [ ] eprocess : 0xFFFFDB0CE6579080, [ chrome.exe]
00000226 2.45160127 [NAK] :: [ ] eprocess : 0xFFFFDB0CE66C8080, [ chrome.exe]
00000227 2.45160675 [NAK] :: [ ] eprocess : 0xFFFFDB0CE66CA0C0, [ chrome.exe]
00000228 2.45161200 [NAK] :: [ ] eprocess : 0xFFFFDB0CE678A0C0, [ Dropbox.exe]
00000229 2.45161724 [NAK] :: [ ] eprocess : 0xFFFFDB0CE6775080, [ chrome.exe]
00000230 2.45162249 [NAK] :: [ ] eprocess : 0xFFFFDB0CE69130C0, [ vmware-tray.ex]
00000231 2.45162797 [NAK] :: [ ] eprocess : 0xFFFFDB0CE691D200, [ Dropbox.exe]
00000232 2.45163345 [NAK] :: [ ] eprocess : 0xFFFFDB0CE6385080, [ Dropbox.exe]
00000233 2.45163870 [NAK] :: [ ] eprocess : 0xFFFFDB0CE694D080, [ Dropbox.exe]
00000234 2.45164394 [NAK] :: [ ] eprocess : 0xFFFFDB0CE698A080, [ ioc.exe]
00000235 2.45164895 [NAK] :: [ ] eprocess : 0xFFFFDB0CE6CCA080, [ aesm_service.e]
00000236 2.45165420 [NAK] :: [ ] eprocess : 0xFFFFDB0CE48240C0, [ svchost.exe]
00000237 2.45165992 [NAK] :: [ ] eprocess : 0xFFFFDB0CE70E90C0, [ DDVRulesProces]
00000238 2.45166469 [NAK] :: [ ] eprocess : 0xFFFFDB0CE6921080, [ DSAPI.exe]
00000239 2.45166969 [NAK] :: [ ] eprocess : 0xFFFFDB0CE4FF1080, [ svchost.exe]
00000240 2.45167518 [NAK] :: [ ] eprocess : 0xFFFFDB0CE76D3080, [ IAStorIcon.exe]
00000241 2.45167994 [NAK] :: [ ] eprocess : 0xFFFFDB0CE62CE080, [ ServiceShell.e]
00000242 2.45168519 [NAK] :: [ ] eprocess : 0xFFFFDB0CE7A8B080, [ QtWebEnginePro]
00000243 2.45172191 [NAK] :: [ ] eprocess : 0xFFFFDB0CE60C3080, [ QtWebEnginePro]
00000244 2.45172691 [NAK] :: [ ] eprocess : 0xFFFFDB0CE79750C0, [ dllhost.exe]
00000245 2.45178127 [NAK] :: [ ] eprocess : 0xFFFFDB0CE6B94080, [ msdtc.exe]
00000246 2.45178795 [NAK] :: [ ] eprocess : 0xFFFFDB0CE7E15080, [ DolbyDAX2API.e]
00000247 2.45179391 [NAK] :: [ ] eprocess : 0xFFFFDB0CE80E3080, [ IAStorDataMgrS]
00000248 2.45184469 [NAK] :: [ ] eprocess : 0xFFFFDB0CE8170080, [ jhi_service.ex]
00000249 2.45185089 [NAK] :: [ ] eprocess : 0xFFFFDB0CE816E080, [ LMS.exe]
00000250 2.45185637 [NAK] :: [ ] eprocess : 0xFFFFDB0CE80800C0, [ SgrmBroker.exe]
00000251 2.45186234 [NAK] :: [ ] eprocess : 0xFFFFDB0CE8255080, [ SupportAssistA]
00000252 2.45186830 [NAK] :: [ ] eprocess : 0xFFFFDB0CE83240C0, [ DDVDataCollect]
00000253 2.45187449 [NAK] :: [ ] eprocess : 0xFFFFDB0CE81760C0, [ DDVCollectorSv]
00000254 2.45187998 [NAK] :: [ ] eprocess : 0xFFFFDB0CE833E080, [ com.docker.bac]
00000255 2.45188618 [NAK] :: [ ] eprocess : 0xFFFFDB0CE824A080, [ conhost.exe]
00000256 2.45189214 [NAK] :: [ ] eprocess : 0xFFFFDB0CE78DF080, [ Docker.Watchgu]
00000257 2.45189881 [NAK] :: [ ] eprocess : 0xFFFFDB0CE7984080, [ conhost.exe]
00000258 2.45190525 [NAK] :: [ ] eprocess : 0xFFFFDB0CE6C620C0, [ nvapiw.exe]
00000259 2.45194554 [NAK] :: [ ] eprocess : 0xFFFFDB0CE84B9080, [ svchost.exe]
00000260 2.45195246 [NAK] :: [ ] eprocess : 0xFFFFDB0CE87C5080, [ nvapiw.exe]
00000261 2.45195770 [NAK] :: [ ] eprocess : 0xFFFFDB0CE8AA50C0, [ vpnkit-bridge.]
00000262 2.45196295 [NAK] :: [ ] eprocess : 0xFFFFDB0CE8B020C0, [ conhost.exe]
00000263 2.45196819 [NAK] :: [ ] eprocess : 0xFFFFDB0CE89940C0, [ chrome.exe]
00000264 2.45197368 [NAK] :: [ ] eprocess : 0xFFFFDB0CE8CAD0C0, [ vpnkit.exe]
00000265 2.45197892 [NAK] :: [ ] eprocess : 0xFFFFDB0CE4D240C0, [ Docker.Watchgu]
00000266 2.45198512 [NAK] :: [ ] eprocess : 0xFFFFDB0CE8C95080, [ conhost.exe]
00000267 2.45199060 [NAK] :: [ ] eprocess : 0xFFFFDB0CD5EB0080, [ conhost.exe]
00000268 2.45199704 [NAK] :: [ ] eprocess : 0xFFFFDB0CD5C57080, [ vmwp.exe]
00000269 2.45200205 [NAK] :: [ ] eprocess : 0xFFFFDB0CD61D50C0, [ vmmem]
00000270 2.45200777 [NAK] :: [ ] eprocess : 0xFFFFDB0CD7973080, [ svchost.exe]
00000271 2.45201302 [NAK] :: [ ] eprocess : 0xFFFFDB0CE8FEA0C0, [ HxTsr.exe]
00000272 2.45201802 [NAK] :: [ ] eprocess : 0xFFFFDB0CEB3EE080, [ AcrobatNotific]
00000273 2.45202327 [NAK] :: [ ] eprocess : 0xFFFFDB0CE8BC1240, [ com.docker.pro]
00000274 2.45202851 [NAK] :: [ ] eprocess : 0xFFFFDB0CEB3CE240, [ Docker.Watchgu]
00000275 2.45203400 [NAK] :: [ ] eprocess : 0xFFFFDB0CE90241C0, [ conhost.exe]
00000276 2.45204043 [NAK] :: [ ] eprocess : 0xFFFFDB0CEB3CC0C0, [ conhost.exe]
00000277 2.45204568 [NAK] :: [ ] eprocess : 0xFFFFDB0CE906E080, [ chrome.exe]
00000278 2.45205069 [NAK] :: [ ] eprocess : 0xFFFFDB0CE9130280, [ RuntimeBroker.]
00000279 2.45205593 [NAK] :: [ ] eprocess : 0xFFFFDB0CE9123240, [ chrome.exe]
00000280 2.45206451 [NAK] :: [ ] eprocess : 0xFFFFDB0CE9129080, [ explorer.exe]
00000281 2.45206928 [NAK] :: [ ] eprocess : 0xFFFFDB0CE4188080, [ MsMpEngCP.exe]
00000282 2.45207453 [NAK] :: [ ] eprocess : 0xFFFFDB0CE9E11080, [ dllhost.exe]
00000283 2.45208168 [NAK] :: [ ] eprocess : 0xFFFFDB0CE8CEE080, [ chrome.exe]
00000284 2.45208979 [NAK] :: [ ] eprocess : 0xFFFFDB0CE9076100, [ chrome.exe]
00000285 2.45209575 [NAK] :: [ ] eprocess : 0xFFFFDB0CEAB9E0C0, [ RuntimeBroker.]
00000286 2.45210171 [NAK] :: [ ] eprocess : 0xFFFFDB0CEA7020C0, [ svchost.exe]
00000287 2.45210838 [NAK] :: [ ] eprocess : 0xFFFFDB0CEA6920C0, [ Microsoft.Phot]
00000288 2.45211363 [NAK] :: [ ] eprocess : 0xFFFFDB0CEA7350C0, [ RuntimeBroker.]
00000289 2.45212007 [NAK] :: [ ] eprocess : 0xFFFFDB0CEADD0080, [ svchost.exe]
00000290 2.45212650 [NAK] :: [ ] eprocess : 0xFFFFDB0CEA7DC240, [ chrome.exe]
00000291 2.45213270 [NAK] :: [ ] eprocess : 0xFFFFDB0CE4B7E080, [ cmd.exe]
00000292 2.45213914 [NAK] :: [ ] eprocess : 0xFFFFDB0CE7E530C0, [ YourPhoneServe]
00000293 2.45215058 [NAK] :: [ ] eprocess : 0xFFFFDB0CE9079100, [ chrome.exe]
00000294 2.45215774 [NAK] :: [ ] eprocess : 0xFFFFDB0CEB8680C0, [ nvapiw.exe]
00000295 2.45216274 [NAK] :: [ ] eprocess : 0xFFFFDB0CEBABD0C0, [ chrome.exe]
00000296 2.45216846 [NAK] :: [ ] eprocess : 0xFFFFDB0CED79A0C0, [ chrome.exe]
00000297 2.45217371 [NAK] :: [ ] eprocess : 0xFFFFDB0CE4B54100, [ chrome.exe]
00000298 2.45217919 [NAK] :: [ ] eprocess : 0xFFFFDB0CEB6020C0, [ chrome.exe]
00000299 2.45218492 [NAK] :: [ ] eprocess : 0xFFFFDB0CED7560C0, [ HxTsr.exe]
00000300 2.45219040 [NAK] :: [ ] eprocess : 0xFFFFDB0CECFE6240, [ svchost.exe]
00000301 2.45219612 [NAK] :: [ ] eprocess : 0xFFFFDB0CEB0C5140, [ chrome.exe]
00000302 2.45220160 [NAK] :: [ ] eprocess : 0xFFFFDB0CEB5350C0, [ chrome.exe]
00000303 2.45220757 [NAK] :: [ ] eprocess : 0xFFFFDB0CEBA460C0, [ chrome.exe]
00000304 2.45221806 [NAK] :: [ ] eprocess : 0xFFFFDB0CED740240, [ audiodg.exe]
00000305 2.45222545 [NAK] :: [ ] eprocess : 0xFFFFDB0CEC9CE0C0, [ svchost.exe]
00000306 2.45223069 [NAK] :: [ ] eprocess : 0xFFFFDB0CEB0B80C0, [ Dbgview.exe]
00000307 2.45224094 [NAK] :: [ ] eprocess : 0xFFFFDB0CECBAD0C0, [ chrome.exe]
00000308 2.45224690 [NAK] :: [ ] eprocess : 0xFFFFDB0CEBC8A0C0, [ chrome.exe]
00000309 2.45225263 [NAK] :: [ ] eprocess : 0xFFFFDB0CF01A7180, [ goneovim.exe]
00000310 2.45225763 [NAK] :: [ ] eprocess : 0xFFFFDB0CEB4860C0, [ nvim.exe]
00000311 2.45226288 [NAK] :: [ ] eprocess : 0xFFFFDB0CE80E50C0, [ conhost.exe]
00000312 2.45226884 [NAK] :: [ ] eprocess : 0xFFFFDB0CED8790C0, [ nvim.exe]
00000313 2.45227480 [NAK] :: [ ] eprocess : 0xFFFFDB0CE91250C0, [ conhost.exe]
00000314 2.45228028 [NAK] :: [ ] eprocess : 0xFFFFDB0CEAC350C0, [ python.exe]
00000315 2.45228624 [NAK] :: [ ] eprocess : 0xFFFFDB0CECFCA0C0, [ conhost.exe]
00000316 2.45229316 [NAK] :: [ ] eprocess : 0xFFFFDB0CEA3770C0, [ languageclient]
00000317 2.45229888 [NAK] :: [ ] eprocess : 0xFFFFDB0CECD670C0, [ conhost.exe]
00000318 2.45230412 [NAK] :: [ ] eprocess : 0xFFFFDB0CEBB130C0, [ python.exe]
00000319 2.45230961 [NAK] :: [ ] eprocess : 0xFFFFDB0CEBB460C0, [ conhost.exe]
00000320 2.45231557 [NAK] :: [ ] eprocess : 0xFFFFDB0CEB4DB0C0, [ python.exe]
00000321 2.45232153 [NAK] :: [ ] eprocess : 0xFFFFDB0CED3130C0, [ python.exe]
00000322 2.45232725 [NAK] :: [ ] eprocess : 0xFFFFDB0CEB9CE0C0, [ python.exe]
00000323 2.45233750 [NAK] :: [ ] eprocess : 0xFFFFDB0CEF8680C0, [ python.exe]
00000324 2.45234370 [NAK] :: [ ] eprocess : 0xFFFFDB0CEBB07080, [ cmd.exe]
00000325 2.45234871 [NAK] :: [ ] eprocess : 0xFFFFDB0CE8BF8080, [ conhost.exe]
00000326 2.45235419 [NAK] :: [ ] eprocess : 0xFFFFDB0CEB25C080, [ MSBuild.exe]
00000327 2.45235968 [NAK] :: [ ] eprocess : 0xFFFFDB0CE8E9A0C0, [ Tracker.exe]
00000328 2.45236444 [NAK] :: [ ] eprocess : 0xFFFFDB0CEBB16080, [ link.exe]
00000329 2.45236969 [NAK] :: [ ] eprocess : 0xFFFFDB0CE8BFA080, [ mspdbsrv.exe]
00000330 2.45237541 [NAK] :: [ ] eprocess : 0xFFFFDB0CECE950C0, [ SearchApp.exe]
00000331 2.45238090 [NAK] :: [ ] eprocess : 0xFFFFDB0CED2A50C0, [ WmiApSrv.exe]
00000332 2.45238590 [NAK] :: [ ] eprocess : 0xFFFFDB0CED7890C0, [ parse_pdb_for_]
00000333 2.45239091 [NAK] :: [ ] nt!MiState : 0xFFFFF8031604F200
00000334 2.45239520 [NAK] :: [ ] &systemNonPageInfo : 0xFFFF908180016010
00000335 2.45239949 [NAK] :: [ ] &NonPagedPoolFirstVa : 0xFFFF908180016070
00000336 2.45240402 [NAK] :: [ ] &NonPagedPoolLastVa : 0xFFFF908180016078
00000337 2.45240879 [NAK] :: [+] nonPagedPoolStart : 0xffffdb0000000000
00000338 2.45241356 [NAK] :: [+] nonPagedPoolEnd : 0xffffeb0000000000
00000339 2.45241809 [NAK] :: [+] large page address : 0xFFFFF80316017ED8
00000340 2.45242143 [NAK] :: [+] large page size : 0x10000
00000341 2.45242405 [NAK] :: [+] Scanning
00000342 2.63246703 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CC8CB5080, [h<>ËÖ Ű˙˙Í]
00000343 2.63351870 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CC8D36090, []
00000344 2.63428450 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CC8D99080, [svchost.exe]
00000345 2.63490915 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CC8DE70C0, [`vŢČ Ű˙˙]
00000346 2.87199759 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD1AA3080, [heŞŃ Ű˙˙]]
00000347 2.87527966 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD1C60140, [csrss.exe]
00000348 2.87539291 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD1C6D0C0, [smss.exe]
00000349 2.91730165 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD3A52140, [csrss.exe]
00000350 2.91731024 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD3A53080, [smss.exe]
00000351 2.91731691 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD3A54080, [wininit.exe]
00000352 2.91772556 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD3AAB080, [services.exe]
00000353 2.91788101 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD3AC9080, [lsass.exe]
00000354 2.91789341 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD3ACB080, [LsaIso.exe]
00000355 2.91916966 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD3BD8080, [svchost.exe]
00000356 2.91957378 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD3C2F080, [WUDFHost.exe]
00000357 2.91967535 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD3C430C0, [fontdrvhost.ex]
00000358 2.92035127 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD3CD1250, []
00000359 2.92065287 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD3D10080, [svchost.exe]
00000360 2.92119598 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD3D84080, [winlogon.exe]
00000361 2.92130995 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD3D9B080, [IpOverUsbSvc.e]
00000362 2.92196655 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD3E27080, [fontdrvhost.ex]
00000363 2.92222476 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD3E5C080, [dwm.exe]
00000364 2.92318130 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD3F210C0, [svchost.exe]
00000365 2.92320132 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD3F25080, [svchost.exe]
00000366 2.92332840 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD3F42080, [svchost.exe]
00000367 2.92333937 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD3F44080, [svchost.exe]
00000368 2.92338872 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD3F4F080, [svchost.exe]
00000369 2.92341232 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD3F54080, [svchost.exe]
00000370 2.92352891 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD3F6E0C0, [svchost.exe]
00000371 2.92355919 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD3F74080, [svchost.exe]
00000372 2.94584513 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD560C080, [svchost.exe]
00000373 2.94587302 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD5611080, [svchost.exe]
00000374 2.94614220 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD564A080, [svchost.exe]
00000375 2.94631362 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD566F080, [svchost.exe]
00000376 2.94632435 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD5671080, [svchost.exe]
00000377 2.94663954 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD56B7080, [svchost.exe]
00000378 2.94665051 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD56B9080, [svchost.exe]
00000379 2.94742322 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD5757080, [svchost.exe]
00000380 2.94771171 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD57970C0, [svchost.exe]
00000381 2.94774199 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD579D080, [svchost.exe]
00000382 2.94871163 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD5868080, [svchost.exe]
00000383 2.94886303 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD5887080, [svchost.exe]
00000384 2.94891000 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD588E080, [dasHost.exe]
00000385 2.94898200 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD589C080, [svchost.exe]
00000386 2.94937444 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD58F0080, [svchost.exe]
00000387 2.94978309 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD59450C0, [svchost.exe]
00000388 2.94995356 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD5962080, [svchost.exe]
00000389 2.95025492 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD59A90C0, [svchost.exe]
00000390 2.95032954 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD59B8080, [vmms.exe]
00000391 2.95088482 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD5A250C0, [svchost.exe]
00000392 2.95094442 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD5A31080, [svchost.exe]
00000393 2.95211935 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD5B29080, [svchost.exe]
00000394 2.95217681 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD5B350C0, [svchost.exe]
00000395 2.95223808 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD5B42080, [NVDisplay.Cont]
00000396 2.95224428 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD5B43080, [svchost.exe]
00000397 2.95240355 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD5B65080, [svchost.exe]
00000398 2.95280814 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD5BBF080, [svchost.exe]
00000399 2.95308948 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD5BE8080, [svchost.exe]
00000400 2.95345449 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD5C2F0D0, []
00000401 2.95360231 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD5C4E080, [igfxCUIService]
00000402 2.95364356 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD5C51080, [h%ÚÓ Ű˙˙:]
00000403 2.95370793 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD5C57080, [vmwp.exe]
00000404 2.95459485 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD5CCA0C0, [svchost.exe]
00000405 2.95464444 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD5CCE080, [svchost.exe]
00000406 2.95469213 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD5CD2080, [svchost.exe]
00000407 2.95558810 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD5D840C0, [svchost.exe]
00000408 2.95584178 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD5DBB080, [NVDisplay.Cont]
00000409 2.95605445 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD5DE7080, [svchost.exe]
00000410 2.95606661 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD5DE90C0, [svchost.exe]
00000411 2.95652485 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD5E4A080, [svchost.exe]
00000412 2.95666122 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD5E670C0, [svchost.exe]
00000413 2.95700240 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD5EB0080, [conhost.exe]
00000414 2.95702648 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD5EB5080, [svchost.exe]
00000415 2.95726752 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD5EEA080, [svchost.exe]
00000416 2.95727372 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD5EEB080, [svchost.exe]
00000417 2.95740604 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD5F07080, [svchost.exe]
00000418 2.95841455 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD5FE9080, [svchost.exe]
00000419 2.95902801 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD606C080, [SynTPEnh.exe]
00000420 2.95903516 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD606D080, [svchost.exe]
00000421 2.96019650 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD6164080, [svchost.exe]
00000422 2.96021247 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD6167080, [svchost.exe]
00000423 2.96023345 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD616B080, [svchost.exe]
00000424 2.96058130 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD61B40C0, [spoolsv.exe]
00000425 2.96080041 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD61D50C0, [vmmem]
00000426 2.96114516 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD621B080, [svchost.exe]
00000427 2.96140885 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD6253080, [svchost.exe]
00000428 2.96181417 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD62AE080, [armsvc.exe]
00000429 2.96203542 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD62CB0C0, [AdobeUpdateSer]
00000430 2.96219349 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD62DF080, [AGMService.exe]
00000431 2.96224880 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD62E6080, [IntelCpHDCPSvc]
00000432 2.96225882 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD62E7080, [OfficeClickToR]
00000433 2.96226835 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD62E8080, [com.docker.ser]
00000434 2.96370101 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD63C80C0, [svchost.exe]
00000435 2.96385813 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD63DF080, [CxAudMsg64.exe]
00000436 2.96388078 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD63E2080, [CxUtilSvc.exe]
00000437 2.96463919 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD6452080, [DbxSvc.exe]
00000438 2.96466875 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD6456080, [svchost.exe]
00000439 2.96485615 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD646F080, [RtkAudUService]
00000440 2.96563125 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD64E10C0, [wlanext.exe]
00000441 2.96569848 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD64EC080, [EvtEng.exe]
00000442 2.96571350 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD64EE080, [ibtsiva.exe]
00000443 2.96585250 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD65020C0, [esif_uf.exe]
00000444 2.96586204 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD6503080, [FMService64.ex]
00000445 2.96607280 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD6522080, [svchost.exe]
00000446 2.96612597 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD652A080, [conhost.exe]
00000447 2.96613526 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD652B080, [LegacyCsLoader]
00000448 2.96628666 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD6540080, [svchost.exe]
00000449 2.96631217 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD6543080, [IntelTechnolog]
00000450 2.96672440 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD659A080, [NvTelemetryCon]
00000451 2.96746445 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD663F080, [PnkBstrA.exe]
00000452 2.96781206 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD668B080, [svchost.exe]
00000453 2.96783924 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD6690080, [SmartByteNetwo]
00000454 2.96784568 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD6691080, [RemoteServerWi]
00000455 2.96916771 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD6795080, [svchost.exe]
00000456 2.96918273 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD67970C0, [svchost.exe]
00000457 2.96923518 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD679D080, [SynTPEnhServic]
00000458 2.96947789 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD67C4080, [sqlwriter.exe]
00000459 2.96948504 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD67C5080, [ThunderboltSer]
00000460 2.97019792 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD685C080, [TeamViewer_Ser]
00000461 2.97067618 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD68C60C0, [svchost.exe]
00000462 2.97071409 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD68CE080, [TrueColorALS.e]
00000463 2.97072029 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD68CF080, [WmiPrvSE.exe]
00000464 2.97099590 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD690D080, [vmnetdhcp.exe]
00000465 2.97101235 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD6910080, [WmiPrvSE.exe]
00000466 2.97107911 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD691E080, [vmware-authd.e]
00000467 2.97123647 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD6940080, [vmware-usbarbi]
00000468 2.97125530 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD6944080, [svchost.exe]
00000469 2.97127104 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD6947080, [vmnat.exe]
00000470 2.97165990 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD69A00C0, [WDDriveService]
00000471 2.97167611 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD69A3080, [MsMpEng.exe]
00000472 2.97168708 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD69A5080, [ZeroConfigServ]
00000473 2.97186589 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD69C9080, [svchost.exe]
00000474 2.97216320 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD6A06080, [unsecapp.exe]
00000475 2.97266603 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD6A71080, [IntelCpHeciSvc]
00000476 2.97543430 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD6CCF080, [svchost.exe]
00000477 2.97611046 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD6D6B080, [igfxext.exe]
00000478 2.97943473 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD701C080, [svchost.exe]
00000479 2.98128009 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD71B0080, [svchost.exe]
00000480 2.98144913 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD71D40C0, [svchost.exe]
00000481 2.98282051 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD7296080, [vmware-hostd.e]
00000482 2.98661041 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD74EB080, [svchost.exe]
00000483 2.99496651 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD7973080, [svchost.exe]
00000484 2.99584842 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD79ED080, [vmcompute.exe]
00000485 2.99792528 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD7ADE080, [svchost.exe]
00000486 3.00029874 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD7BF6080, [dllhost.exe]
00000487 3.00457072 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD7E60080, [StartMenuExper]
00000488 3.00676703 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD7FE6080, [NisSrv.exe]
00000489 3.28639555 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE401A250, []
00000490 3.28735828 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE40F5080, [GoogleCrashHan]
00000491 3.28799891 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE4170080, [svchost.exe]
00000492 3.28811359 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE417F080, [svchost.exe]
00000493 3.28816867 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE4188080, [MsMpEngCP.exe]
00000494 3.28820729 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE4190080, [SynTPEnh.exe]
00000495 3.28860879 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE41E0080, [svchost.exe]
00000496 3.28864789 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE41E7210, []
00000497 3.28950691 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE429E080, [svchost.exe]
00000498 3.28952146 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE42A1080, [GoogleUpdate.e]
00000499 3.28952718 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE42A2080, [svchost.exe]
00000500 3.28953314 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE42A3080, [PresentationFo]
00000501 3.28953886 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE42A4080, [DropboxUpdate.]
00000502 3.28954768 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE42A60C0, [taskhostw.exe]
00000503 3.28955722 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE42A8080, [svchost.exe]
00000504 3.29098248 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE43E00E0, [<5B>Ŕ<EFBFBD>× Ű˙˙<CB99>Ŕ<EFBFBD>× Ű˙]
00000505 3.29099870 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE43E3200, [ctfmon.exe]
00000506 3.29109120 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE43F9080, [explorer.exe]
00000507 3.29118562 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE44130C0, [SynTPHelper.ex]
00000508 3.29326200 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE45E2080, [svchost.exe]
00000509 3.29384112 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE4659080, [ChsIME.exe]
00000510 3.29390001 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE4663080, [cmd.exe]
00000511 3.29411006 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE4688080, [userinit.exe]
00000512 3.29490852 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE47460C0, [igfxEM.exe]
00000513 3.29516125 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE4784140, [svchost.exe]
00000514 3.29586363 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE48240C0, [svchost.exe]
00000515 3.29657674 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE48C5080, [SearchIndexer.]
00000516 3.29871511 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE4AAB080, [svchost.exe]
00000517 3.29944324 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE4B54100, [chrome.exe]
00000518 3.29962206 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE4B7E080, [cmd.exe]
00000519 3.30003691 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE4BE1080, [RuntimeBroker.]
00000520 3.30031085 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE4C240C0, [TextInputHost.]
00000521 3.30134678 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE4D130C0, [RemoteServerWi]
00000522 3.30135274 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE4D14080, [chrome.exe]
00000523 3.30142379 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE4D240C0, [Docker.Watchgu]
00000524 3.30169678 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE4D650A0, []
00000525 3.30205512 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE4DB90C0, [RuntimeBroker.]
00000526 3.30219984 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE4DD8080, [chrome.exe]
00000527 3.30251813 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE4E240C0, [IAStorIconLaun]
00000528 3.30344009 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE4EFC080, [YourPhone.exe]
00000529 3.30410147 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE4F860C0, [RuntimeBroker.]
00000530 3.30456710 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE4FF1080, [svchost.exe]
00000531 3.30864000 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE600B080, [chrome.exe]
00000532 3.30942130 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE60C30A0, []
00000533 3.30947471 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE60CE250, []
00000534 3.30963230 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE60F5080, [SkypeApp.exe]
00000535 3.30979204 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE611A140, [RtkAudUService]
00000536 3.30982947 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE61220A0, [<5B><> Ű˙˙<CB99><CB99> Ű˙]
00000537 3.31002927 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE61540E0, [<5B>đĐä Ű˙˙<CB99>đĐä Ű˙]
00000538 3.31019044 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE61780C0, [SettingSyncHos]
00000539 3.31176949 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE62CE080, [ServiceShell.e]
00000540 3.31246471 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE636B080, [RuntimeBroker.]
00000541 3.31258917 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE6385080, [Dropbox.exe]
00000542 3.31278801 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE63B0080, [chrome.exe]
00000543 3.31299162 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE63DE0A0, []
00000544 3.31472635 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE6577080, [chrome.exe]
00000545 3.31473613 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE6579080, [chrome.exe]
00000546 3.31479931 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE65870C0, [chrome.exe]
00000547 3.31558490 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE663B080, [chrome.exe]
00000548 3.31617689 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE66C8080, [chrome.exe]
00000549 3.31618571 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE66CA0C0, [chrome.exe]
00000550 3.31693316 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE6775080, [chrome.exe]
00000551 3.31703353 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE678A0C0, [Dropbox.exe]
00000552 3.31869006 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE69130C0, [vmware-tray.ex]
00000553 3.31873870 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE691D1F0, []
00000554 3.31876397 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE6921080, [DSAPI.exe]
00000555 3.31897473 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE694D080, [Dropbox.exe]
00000556 3.31926370 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE698A0A0, []
00000557 3.32157469 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE6B94080, [msdtc.exe]
00000558 3.32247639 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE6C620C0, [nvapiw.exe]
00000559 3.32292271 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE6CCA080, [aesm_service.e]
00000560 3.32754970 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE70E90C0, [DDVRulesProces]
00000561 3.33183599 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE74D90C0, [chrome.exe]
00000562 3.33184600 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE74DB080, [runonce.exe]
00000563 3.33223796 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE752D250, []
00000564 3.33284116 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE75B80C0, [SecurityHealth]
00000565 3.33319354 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE7603080, [ShellExperienc]
00000566 3.33323169 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE760B170, []
00000567 3.33363795 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE7662080, [GoogleCrashHan]
00000568 3.33412194 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE76D3080, [IAStorIcon.exe]
00000569 3.33434391 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE7705080, [chrome.exe]
00000570 3.33437157 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE770B080, [SearchApp.exe]
00000571 3.33439684 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE7710080, [chrome.exe]
00000572 3.33446765 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE7720080, [chrome.exe]
00000573 3.33448601 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE77240C0, [SmartAudio3.ex]
00000574 3.33454323 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE7731080, [Docker Desktop]
00000575 3.33463645 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE77460C0, [chrome.exe]
00000576 3.33467436 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE774E080, [chrome.exe]
00000577 3.33473611 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE775B080, [chrome.exe]
00000578 3.33474994 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE775E080, [chrome.exe]
00000579 3.33483458 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE7770080, [chrome.exe]
00000580 3.33487511 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE77790C0, [chrome.exe]
00000581 3.33648634 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE78DF080, [Docker.Watchgu]
00000582 3.33714986 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE79750C0, [dllhost.exe]
00000583 3.33721972 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE7984080, [conhost.exe]
00000584 3.33837271 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE7A8B080, [QtWebEnginePro]
00000585 3.34235191 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE7E15080, [DolbyDAX2API.e]
00000586 3.34262753 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE7E530C0, [YourPhoneServe]
00000587 3.34525514 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE80800C0, [SgrmBroker.exe]
00000588 3.34568691 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE80E3080, [IAStorDataMgrS]
00000589 3.34569359 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE80E50C0, [conhost.exe]
00000590 3.34627342 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE816E080, [LMS.exe]
00000591 3.34628510 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE8170080, [jhi_service.ex]
00000592 3.34630871 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE81760C0, [DDVCollectorSv]
00000593 3.34719944 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE824A080, [conhost.exe]
00000594 3.34724712 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE8255080, [SupportAssistA]
00000595 3.34816432 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE83240C0, [DDVDataCollect]
00000596 3.34828162 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE833E080, [com.docker.bac]
00000597 3.34985566 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE84B9080, [svchost.exe]
00000598 3.35335588 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE87C5080, [nvapiw.exe]
00000599 3.35537553 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE89940C0, [chrome.exe]
00000600 3.35656047 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE8AA50D0, []
00000601 3.35697365 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE8B020C0, [conhost.exe]
00000602 3.35779047 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE8BC1240, [com.docker.pro]
00000603 3.35801768 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE8BF8080, [conhost.exe]
00000604 3.35802770 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE8BFA080, [mspdbsrv.exe]
00000605 3.35872483 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE8C95080, [conhost.exe]
00000606 3.35882521 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE8CAD0C0, [vpnkit.exe]
00000607 3.35910034 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE8CEE080, [chrome.exe]
00000608 3.36116886 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE8E9A0C0, [Tracker.exe]
00000609 3.36263990 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE8FEA0C0, [HxTsr.exe]
00000610 3.36290050 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE90241D0, []
00000611 3.36324644 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE906E080, [chrome.exe]
00000612 3.36327887 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE90760F0, []
00000613 3.36329150 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE90790F0, []
00000614 3.36407995 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE9123230, []
00000615 3.36408949 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE91250C0, [conhost.exe]
00000616 3.36410761 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE9129080, [explorer.exe]
00000617 3.36413932 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE9130270, []
00000618 3.37451839 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE9E11080, [dllhost.exe]
00000619 3.38101768 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CEA3770C0, [languageclient]
00000620 3.38458967 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CEA6920C0, [Microsoft.Phot]
00000621 3.38509631 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CEA7020C0, [svchost.exe]
00000622 3.38530755 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CEA7350C0, [RuntimeBroker.]
00000623 3.38608718 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CEA7DC250, []
00000624 3.39062309 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CEAB9E0C0, [RuntimeBroker.]
00000625 3.39129710 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CEAC350C0, [python.exe]
00000626 3.39329767 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CEADD0080, [svchost.exe]
00000627 3.39734554 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CEB0B80C0, [Dbgview.exe]
00000628 3.39742398 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CEB0C5140, [chrome.exe]
00000629 3.39953208 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CEB25C080, [MSBuild.exe]
00000630 3.40128160 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CEB3CC0C0, [conhost.exe]
00000631 3.40129328 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CEB3CE250, []
00000632 3.40144920 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CEB3EE080, [AcrobatNotific]
00000633 3.40218401 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CEB4860C0, [nvim.exe]
00000634 3.40258121 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CEB4DB0C0, [python.exe]
00000635 3.40300751 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CEB5350C0, [chrome.exe]
00000636 3.40410805 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CEB6020C0, [chrome.exe]
00000637 3.40424156 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CEB61D080, [conhost.exe]
00000638 3.40674567 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CEB8680C0, [nvapiw.exe]
00000639 3.40698719 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CEB89F080, [conhost.exe]
00000640 3.40811443 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CEB9CE0C0, [python.exe]
00000641 3.40863681 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CEBA460C0, [chrome.exe]
00000642 3.40906000 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CEBABD0C0, [chrome.exe]
00000643 3.40936565 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CEBB07080, [cmd.exe]
00000644 3.40941429 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CEBB130C0, [python.exe]
00000645 3.40942931 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CEBB16080, [link.exe]
00000646 3.40962291 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CEBB460C0, [conhost.exe]
00000647 3.41114521 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CEBC8A0C0, [chrome.exe]
00000648 3.42360640 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CEC9CE0C0, [svchost.exe]
00000649 3.42558122 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CECBAD0C0, [chrome.exe]
00000650 3.42760444 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CECD670C0, [conhost.exe]
00000651 3.42910671 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CECE950C0, [SearchApp.exe]
00000652 3.43050885 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CECFCA0C0, [conhost.exe]
00000653 3.43063807 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CECFE6250, []
00000654 3.43387008 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CED2A50C0, [WmiApSrv.exe]
00000655 3.43430996 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CED3130C0, [python.exe]
00000656 3.43888521 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CED730080, [Tracker.exe]
00000657 3.43895841 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CED740250, []
00000658 3.43905997 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CED7560C0, [HxTsr.exe]
00000659 3.43929195 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CED7890C0, [parse_pdb_for_]
00000660 3.43935728 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CED798080, [conhost.exe]
00000661 3.43936372 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CED79A0C0, [chrome.exe]
00000662 3.43977690 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CED7FE080, [signtool.exe]
00000663 3.44034481 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CED8790C0, [nvim.exe]
00000664 3.44190884 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CEF8680C0, [python.exe]
00000665 3.44340634 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CF01A7170, []
00000666 33.47640610 [NAK] :: [+] Finish scanning
00000667 33.47640991 [NAK] :: [-] Scan large pool not supported yet
00000668 33.47682190 [NAK] :: [+] Goodbye from Kernel