From 533666baab0729c78e726dd22e9b50740026a79f Mon Sep 17 00:00:00 2001
From: nganhkhoa
Date: Thu, 11 Jun 2020 17:16:40 +0700
Subject: [PATCH] Change name to lpus
---
 first_proc_chunk.txt | 24 -
 KMDF Driver2.sln => lpus.sln | 102 +-
 {KMDF Driver2 => lpus}/Driver.cpp | 1206 ++++++++---------
 {KMDF Driver2 => lpus}/Driver.h | 0
 .../findglobalkernelvars.png | Bin
 {KMDF Driver2 => lpus}/kernel-shellcode.cpp | 266 ++--
 {KMDF Driver2 => lpus}/kpcr.asm | 22 +-
 KMDF Driver2/KMDFDriver2.inf => lpus/lpus.inf | 172 +--
 .../KMDF Driver2.vcxproj => lpus/lpus.vcxproj | 335 ++---
 .../lpus.vcxproj.filters | 90 +-
 {KMDF Driver2 => lpus}/note.md | 0
 {KMDF Driver2 => lpus}/peformat.h | 418 +++---
 {KMDF Driver2 => lpus}/simplewsk.c | 958 ++++++-------
 {KMDF Driver2 => lpus}/simplewsk.h | 110 +-
 {KMDF Driver2 => lpus}/sioctl.h | 0
 sample_scan.txt | 662 ---------
 16 files changed, 1840 insertions(+), 2525 deletions(-)
 delete mode 100644 first_proc_chunk.txt
 rename KMDF Driver2.sln => lpus.sln (92%)
 rename {KMDF Driver2 => lpus}/Driver.cpp (97%)
 rename {KMDF Driver2 => lpus}/Driver.h (100%)
 rename {KMDF Driver2 => lpus}/findglobalkernelvars.png (100%)
 rename {KMDF Driver2 => lpus}/kernel-shellcode.cpp (97%)
 rename {KMDF Driver2 => lpus}/kpcr.asm (91%)
 rename KMDF Driver2/KMDFDriver2.inf => lpus/lpus.inf (55%)
 rename KMDF Driver2/KMDF Driver2.vcxproj => lpus/lpus.vcxproj (96%)
 rename KMDF Driver2/KMDF Driver2.vcxproj.filters => lpus/lpus.vcxproj.filters (94%)
 rename {KMDF Driver2 => lpus}/note.md (100%)
 rename {KMDF Driver2 => lpus}/peformat.h (96%)
 rename {KMDF Driver2 => lpus}/simplewsk.c (96%)
 rename {KMDF Driver2 => lpus}/simplewsk.h (96%)
 rename {KMDF Driver2 => lpus}/sioctl.h (100%)
 delete mode 100644 sample_scan.txt
diff --git a/first_proc_chunk.txt b/first_proc_chunk.txt
deleted file mode 100644
index 9229dfe..0000000
--- a/first_proc_chunk.txt
+++ /dev/null
@@ -1,24 +0,0 @@
-00000001 0.00000000 [NAK] :: [ ] Hello from Kernel, setup a few things
-00000002 0.00001790 [NAK] :: [+] Setup completed, GO GO GO !!!!
-00000003 0.00003500 [NAK] :: [ ] Windows version : 10.0.19564
-00000004 0.00003650 [NAK] :: [ ] Detected windows : 2020 Fast Ring
-00000005 0.00003880 [NAK] :: [ ] eprocess : 0xFFFFB0078D8BE040, [ System]
-00000006 0.00004050 [NAK] :: [ ] PsActiveProcessHead : 0xFFFFF80465E1F970
-00000007 0.00004200 [NAK] :: [ ] ntoskrnl.exe : 0xFFFFF80465200000
-00000008 0.00004350 [NAK] :: [ ] nt!MiState : 0xFFFFF80465E4F200
-00000009 0.00004500 [NAK] :: [ ] &systemNonPageInfo : 0xFFFFD10180016010
-00000010 0.00004640 [NAK] :: [ ] &NonPagedPoolFirstVa : 0xFFFFD10180016070
-00000011 0.00004790 [NAK] :: [ ] &NonPagedPoolLastVa : 0xFFFFD10180016078
-00000012 0.00004970 [NAK] :: [+] nonPagedPoolStart : 0xffffb00000000000
-00000013 0.00005130 [NAK] :: [+] nonPagedPoolEnd : 0xffffc00000000000
-00000014 0.00005230 [NAK] :: [+] Scanning
-00000015 0.08150540 [NAK] :: [+] ==== PoolStart 0xFFFFB0078D8BE000 ====
-00000016 0.08150930 [NAK] :: [|] PreviousSize : 0x0
-00000017 0.08151110 [NAK] :: [|] PoolIndex : 0xfb
-00000018 0.08151260 [NAK] :: [|] BlockSize : 0xf00
-00000019 0.08151400 [NAK] :: [|] PoolType : 0x2
-00000020 0.08151630 [NAK] :: [|] PoolTag : 0x636f7250 [Proc]
-00000021 0.08151850 [NAK] :: [+] ==== PoolEnd 0xFFFFB0078D8BE000 ====
-00000022 0.08152020 [NAK] :: [+] HEY EPROCESS POOL CHUNK
-00000023 0.08152160 [NAK] :: [+] Finish scanning
-00000024 2.03572369 [NAK] :: [+] Goodbye from Kernel
diff --git a/KMDF Driver2.sln b/lpus.sln
similarity index 92%
rename from KMDF Driver2.sln
rename to lpus.sln
index 29e418c..b967e1b 100644
--- a/KMDF Driver2.sln
+++ b/lpus.sln
@@ -1,51 +1,51 @@
-
-Microsoft Visual Studio Solution File, Format Version 12.00
-# Visual Studio Version 16
-VisualStudioVersion = 16.0.29409.12
-MinimumVisualStudioVersion = 10.0.40219.1
-Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "KMDF Driver2", "KMDF Driver2\KMDF Driver2.vcxproj", "{905D3C7D-3EAD-4977-975E-B1FFD3E6FBE4}"
-EndProject
-Global
- GlobalSection(SolutionConfigurationPlatforms) = preSolution
- Debug|ARM = Debug|ARM
- Debug|ARM64 = Debug|ARM64
- Debug|x64 = Debug|x64
- Debug|x86 = Debug|x86
- Release|ARM = Release|ARM
- Release|ARM64 = Release|ARM64
- Release|x64 = Release|x64
- Release|x86 = Release|x86
- EndGlobalSection
- GlobalSection(ProjectConfigurationPlatforms) = postSolution
- {905D3C7D-3EAD-4977-975E-B1FFD3E6FBE4}.Debug|ARM.ActiveCfg = Debug|ARM
- {905D3C7D-3EAD-4977-975E-B1FFD3E6FBE4}.Debug|ARM.Build.0 = Debug|ARM
- {905D3C7D-3EAD-4977-975E-B1FFD3E6FBE4}.Debug|ARM.Deploy.0 = Debug|ARM
- {905D3C7D-3EAD-4977-975E-B1FFD3E6FBE4}.Debug|ARM64.ActiveCfg = Debug|ARM64
- {905D3C7D-3EAD-4977-975E-B1FFD3E6FBE4}.Debug|ARM64.Build.0 = Debug|ARM64
- {905D3C7D-3EAD-4977-975E-B1FFD3E6FBE4}.Debug|ARM64.Deploy.0 = Debug|ARM64
- {905D3C7D-3EAD-4977-975E-B1FFD3E6FBE4}.Debug|x64.ActiveCfg = Debug|x64
- {905D3C7D-3EAD-4977-975E-B1FFD3E6FBE4}.Debug|x64.Build.0 = Debug|x64
- {905D3C7D-3EAD-4977-975E-B1FFD3E6FBE4}.Debug|x64.Deploy.0 = Debug|x64
- {905D3C7D-3EAD-4977-975E-B1FFD3E6FBE4}.Debug|x86.ActiveCfg = Debug|x64
- {905D3C7D-3EAD-4977-975E-B1FFD3E6FBE4}.Debug|x86.Build.0 = Debug|x64
- {905D3C7D-3EAD-4977-975E-B1FFD3E6FBE4}.Debug|x86.Deploy.0 = Debug|x64
- {905D3C7D-3EAD-4977-975E-B1FFD3E6FBE4}.Release|ARM.ActiveCfg = Release|ARM
- {905D3C7D-3EAD-4977-975E-B1FFD3E6FBE4}.Release|ARM.Build.0 = Release|ARM
- {905D3C7D-3EAD-4977-975E-B1FFD3E6FBE4}.Release|ARM.Deploy.0 = Release|ARM
- {905D3C7D-3EAD-4977-975E-B1FFD3E6FBE4}.Release|ARM64.ActiveCfg = Release|ARM64
- {905D3C7D-3EAD-4977-975E-B1FFD3E6FBE4}.Release|ARM64.Build.0 = Release|ARM64
- {905D3C7D-3EAD-4977-975E-B1FFD3E6FBE4}.Release|ARM64.Deploy.0 = Release|ARM64
- {905D3C7D-3EAD-4977-975E-B1FFD3E6FBE4}.Release|x64.ActiveCfg = Release|x64
- {905D3C7D-3EAD-4977-975E-B1FFD3E6FBE4}.Release|x64.Build.0 = Release|x64
- {905D3C7D-3EAD-4977-975E-B1FFD3E6FBE4}.Release|x64.Deploy.0 = Release|x64
- {905D3C7D-3EAD-4977-975E-B1FFD3E6FBE4}.Release|x86.ActiveCfg = Release|Win32
- {905D3C7D-3EAD-4977-975E-B1FFD3E6FBE4}.Release|x86.Build.0 = Release|Win32
- {905D3C7D-3EAD-4977-975E-B1FFD3E6FBE4}.Release|x86.Deploy.0 = Release|Win32
- EndGlobalSection
- GlobalSection(SolutionProperties) = preSolution
- HideSolutionNode = FALSE
- EndGlobalSection
- GlobalSection(ExtensibilityGlobals) = postSolution
- SolutionGuid = {BEF2B030-38D0-445E-8EE8-6A31B825389D}
- EndGlobalSection
-EndGlobal
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio Version 16
+VisualStudioVersion = 16.0.29409.12
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "lpus", "lpus\lpus.vcxproj", "{905D3C7D-3EAD-4977-975E-B1FFD3E6FBE4}"
+EndProject
+Global
+ GlobalSection(SolutionConfigurationPlatforms) = preSolution
+ Debug|ARM = Debug|ARM
+ Debug|ARM64 = Debug|ARM64
+ Debug|x64 = Debug|x64
+ Debug|x86 = Debug|x86
+ Release|ARM = Release|ARM
+ Release|ARM64 = Release|ARM64
+ Release|x64 = Release|x64
+ Release|x86 = Release|x86
+ EndGlobalSection
+ GlobalSection(ProjectConfigurationPlatforms) = postSolution
+ {905D3C7D-3EAD-4977-975E-B1FFD3E6FBE4}.Debug|ARM.ActiveCfg = Debug|ARM
+ {905D3C7D-3EAD-4977-975E-B1FFD3E6FBE4}.Debug|ARM.Build.0 = Debug|ARM
+ {905D3C7D-3EAD-4977-975E-B1FFD3E6FBE4}.Debug|ARM.Deploy.0 = Debug|ARM
+ {905D3C7D-3EAD-4977-975E-B1FFD3E6FBE4}.Debug|ARM64.ActiveCfg = Debug|ARM64
+ {905D3C7D-3EAD-4977-975E-B1FFD3E6FBE4}.Debug|ARM64.Build.0 = Debug|ARM64
+ {905D3C7D-3EAD-4977-975E-B1FFD3E6FBE4}.Debug|ARM64.Deploy.0 = Debug|ARM64
+ {905D3C7D-3EAD-4977-975E-B1FFD3E6FBE4}.Debug|x64.ActiveCfg = Debug|x64
+ {905D3C7D-3EAD-4977-975E-B1FFD3E6FBE4}.Debug|x64.Build.0 = Debug|x64
+ {905D3C7D-3EAD-4977-975E-B1FFD3E6FBE4}.Debug|x64.Deploy.0 = Debug|x64
+ {905D3C7D-3EAD-4977-975E-B1FFD3E6FBE4}.Debug|x86.ActiveCfg = Debug|x64
+ {905D3C7D-3EAD-4977-975E-B1FFD3E6FBE4}.Debug|x86.Build.0 = Debug|x64
+ {905D3C7D-3EAD-4977-975E-B1FFD3E6FBE4}.Debug|x86.Deploy.0 = Debug|x64
+ {905D3C7D-3EAD-4977-975E-B1FFD3E6FBE4}.Release|ARM.ActiveCfg = Release|ARM
+ {905D3C7D-3EAD-4977-975E-B1FFD3E6FBE4}.Release|ARM.Build.0 = Release|ARM
+ {905D3C7D-3EAD-4977-975E-B1FFD3E6FBE4}.Release|ARM.Deploy.0 = Release|ARM
+ {905D3C7D-3EAD-4977-975E-B1FFD3E6FBE4}.Release|ARM64.ActiveCfg = Release|ARM64
+ {905D3C7D-3EAD-4977-975E-B1FFD3E6FBE4}.Release|ARM64.Build.0 = Release|ARM64
+ {905D3C7D-3EAD-4977-975E-B1FFD3E6FBE4}.Release|ARM64.Deploy.0 = Release|ARM64
+ {905D3C7D-3EAD-4977-975E-B1FFD3E6FBE4}.Release|x64.ActiveCfg = Release|x64
+ {905D3C7D-3EAD-4977-975E-B1FFD3E6FBE4}.Release|x64.Build.0 = Release|x64
+ {905D3C7D-3EAD-4977-975E-B1FFD3E6FBE4}.Release|x64.Deploy.0 = Release|x64
+ {905D3C7D-3EAD-4977-975E-B1FFD3E6FBE4}.Release|x86.ActiveCfg = Release|Win32
+ {905D3C7D-3EAD-4977-975E-B1FFD3E6FBE4}.Release|x86.Build.0 = Release|Win32
+ {905D3C7D-3EAD-4977-975E-B1FFD3E6FBE4}.Release|x86.Deploy.0 = Release|Win32
+ EndGlobalSection
+ GlobalSection(SolutionProperties) = preSolution
+ HideSolutionNode = FALSE
+ EndGlobalSection
+ GlobalSection(ExtensibilityGlobals) = postSolution
+ SolutionGuid = {BEF2B030-38D0-445E-8EE8-6A31B825389D}
+ EndGlobalSection
+EndGlobal
diff --git a/KMDF Driver2/Driver.cpp b/lpus/Driver.cpp
similarity index 97%
rename from KMDF Driver2/Driver.cpp
rename to lpus/Driver.cpp
index 0d8c6f4..9018e79 100644
--- a/KMDF Driver2/Driver.cpp
+++ b/lpus/Driver.cpp
@@ -1,603 +1,603 @@ -#include -#include -#include -#include - -#include "Driver.h" -#include "sioctl.h" -// #include "simplewsk.h" - -extern "C" DRIVER_INITIALIZE DriverEntry; -extern "C" DRIVER_UNLOAD UnloadRoutine; -extern "C" DRIVER_DISPATCH DriverCreateClose; -extern "C" DRIVER_DISPATCH DriverControl; -// extern "C" PDBGKD_GET_VERSION64 FindKdVersionBlock(void); - -#define NT_DEVICE_NAME L"\\Device\\poolscanner" -#define DOS_DEVICE_NAME L"\\DosDevices\\poolscanner" - -#define F_DbgPrint(...) \ - DbgPrint("[NAK] :: ");\ - DbgPrint(__VA_ARGS__); - -#define POOL_HEADER_SIZE 0x10 // windows 10 -#define CHUNK_SIZE 16 // 64 bit -// #define PAGE_SIZE 4096 // 4KB - -// some globals -PVOID ntosbase; -PVOID systemEprocess; -PVOID processHead; - -// offset to get from PDB file -ULONG64 eprocessNameOffset = 0; -ULONG64 eprocessLinkOffset = 0; -ULONG64 listBLinkOffset = 0; -ULONG64 processHeadOffset = 0; -ULONG64 miStateOffset = 0; -ULONG64 hardwareOffset = 0; -ULONG64 systemNodeOffset = 0; -ULONG64 firstVaOffset = 0; -ULONG64 lastVaOffset = 0; -ULONG64 largePageTableOffset = 0; -ULONG64 largePageSizeOffset = 0; -ULONG64 poolChunkSize = 0; - -NTSTATUS -DriverCreateClose(PDEVICE_OBJECT /* DriverObject */, PIRP Irp) { - PAGED_CODE(); - - Irp->IoStatus.Status = STATUS_SUCCESS; - Irp->IoStatus.Information = 0; - - IoCompleteRequest(Irp, IO_NO_INCREMENT); - - return STATUS_SUCCESS; -} - -NTSTATUS -DriverControl(PDEVICE_OBJECT /* DriverObject */, PIRP Irp) { - PIO_STACK_LOCATION irpSp; - NTSTATUS ntStatus = STATUS_SUCCESS; - // ULONG inBufLength; - // ULONG outBufLength; - ULONG controlCode; - // PCHAR inBuf; - // PCHAR outBuf; - PINPUT_DATA inputData = nullptr; - POUTPUT_DATA outputData = nullptr; - POFFSET_VALUE offsetValues = nullptr; - PDEREF_ADDR derefAddr = nullptr; - PSCAN_RANGE scanRange = nullptr; - PHIDE_PROCESS processHide = nullptr; - - PAGED_CODE(); - - irpSp = IoGetCurrentIrpStackLocation(Irp); - /* - * struct { - * ULONG OutputBufferLength; - * ULONG 
POINTER_ALIGNMENT InputBufferLength; - * ULONG POINTER_ALIGNMENT IoControlCode; - * PVOID Type3InputBuffer; - * } DeviceIoControl; - **/ - controlCode = irpSp->Parameters.DeviceIoControl.IoControlCode; - - switch (controlCode) { - case IOCTL_SETUP_OFFSETS: - DbgPrint("[NAK] :: [ ] Setup offsets\n"); - inputData = (PINPUT_DATA)(Irp->AssociatedIrp.SystemBuffer); - offsetValues = &(inputData->offsetValues); - eprocessNameOffset = offsetValues->eprocessNameOffset; - eprocessLinkOffset = offsetValues->eprocessLinkOffset; - listBLinkOffset = offsetValues->listBLinkOffset; - processHeadOffset = offsetValues->processHeadOffset; - miStateOffset = offsetValues->miStateOffset; - hardwareOffset = offsetValues->hardwareOffset; - systemNodeOffset = offsetValues->systemNodeOffset; - firstVaOffset = offsetValues->firstVaOffset; - lastVaOffset = offsetValues->lastVaOffset; - largePageTableOffset = offsetValues->largePageTableOffset; - largePageSizeOffset = offsetValues->largePageSizeOffset; - poolChunkSize = offsetValues->poolChunkSize; - setup(); - break; - case GET_KERNEL_BASE: - DbgPrint("[NAK] :: [ ] Get kernel base\n"); - outputData = (POUTPUT_DATA)MmGetSystemAddressForMdlSafe(Irp->MdlAddress, NormalPagePriority | MdlMappingNoExecute); - // TODO: check for safety outputData address null - outputData->ulong64Value = (ULONG64)ntosbase; - Irp->IoStatus.Information = sizeof(ULONG64); - break; - case SCAN_PS_ACTIVE_HEAD: - DbgPrint("[NAK] :: [ ] Scan ps active head\n"); - scan_ps_active_head(); - break; - case SCAN_POOL: - DbgPrint("[NAK] :: [ ] Scan pool\n"); - inputData = (PINPUT_DATA)(Irp->AssociatedIrp.SystemBuffer); - scanRange = &(inputData->scanRange); - DbgPrint("[NAK] :: Range: %llx - %llx", scanRange->start, scanRange->end); - scanNormalPool(scanRange->start, scanRange->end); - break; - case SCAN_POOL_REMOTE: - inputData = (PINPUT_DATA)(Irp->AssociatedIrp.SystemBuffer); - outputData = (POUTPUT_DATA)MmGetSystemAddressForMdlSafe(Irp->MdlAddress, NormalPagePriority | 
MdlMappingNoExecute); - scanRange = &(inputData->scanRange); - DbgPrint("[NAK] :: Range: %llx - %llx", scanRange->start, scanRange->end); - (outputData->poolChunk).addr = (ULONG64)scanRemote(scanRange->start, scanRange->end, scanRange->tag); - DbgPrint("[NAK] :: Found: %llx", (outputData->poolChunk).addr); - break; - case DEREFERENCE_ADDRESS: - // DbgPrint("[NAK] :: [ ] Deref address\n"); - inputData = (PINPUT_DATA)(Irp->AssociatedIrp.SystemBuffer); - derefAddr = &(inputData->derefAddr); - outputData = (POUTPUT_DATA)MmGetSystemAddressForMdlSafe(Irp->MdlAddress, NormalPagePriority | MdlMappingNoExecute); - // DbgPrint("[NAK] :: [ ] Deref %llu bytes from %llx\n", derefAddr->size, derefAddr->addr); - RtlCopyBytes((PVOID)outputData, (PVOID)derefAddr->addr, (SIZE_T)derefAddr->size); - break; - case HIDE_PROCESS_BY_NAME: - DbgPrint("[NAK] :: [ ] Hide process\n"); - inputData = (PINPUT_DATA)(Irp->AssociatedIrp.SystemBuffer); - processHide = &(inputData->processHide); - DbgPrint("[NAK] :: [ ] Hide process name: [%15s]; size: %llu\n", processHide->name, processHide->size); - hideProcess(processHide->name, processHide->size); - break; - default: - break; - } - - Irp->IoStatus.Status = ntStatus; - IoCompleteRequest(Irp, IO_NO_INCREMENT); - return ntStatus; -} - -NTSTATUS -DriverEntry( - _In_ PDRIVER_OBJECT DriverObject, - _In_ PUNICODE_STRING /* RegistryPath */ -) { - DbgPrint("[NAK] :: [ ] Hello from Kernel, setup a few things\n"); - - NTSTATUS returnStatus = STATUS_SUCCESS; - UNICODE_STRING ntUnicodeString; - UNICODE_STRING ntWin32NameString; - PDEVICE_OBJECT deviceObject = nullptr; - - PAGED_CODE(); - - RtlInitUnicodeString(&ntUnicodeString, NT_DEVICE_NAME); - returnStatus = IoCreateDevice( - DriverObject, // Our Driver Object - 0, // We don't use a device extension - &ntUnicodeString, // Device name "\Device\poolscanner" - FILE_DEVICE_UNKNOWN, // Device type - FILE_DEVICE_SECURE_OPEN, // Device characteristics - FALSE, // Not an exclusive device - &deviceObject); // 
Returned ptr to Device Object - if (!NT_SUCCESS(returnStatus)) { - DbgPrint(("[NAK] :: [-] Couldn't create the device object\n")); - return returnStatus; - } - - DriverObject->DriverUnload = UnloadRoutine; - DriverObject->MajorFunction[IRP_MJ_CREATE] = DriverCreateClose; - DriverObject->MajorFunction[IRP_MJ_CLOSE] = DriverCreateClose; - DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DriverControl; - - RtlInitUnicodeString(&ntWin32NameString, DOS_DEVICE_NAME); - returnStatus = IoCreateSymbolicLink(&ntWin32NameString, &ntUnicodeString); - if (!NT_SUCCESS(returnStatus)) { - DbgPrint("[NAK] :: [-] Couldn't create symbolic link for driver\n"); - IoDeleteDevice(deviceObject); - } - - systemEprocess = IoGetCurrentProcess(); - - DbgPrint("[NAK] :: [+] Setup completed, waiting for command on DeviceIo\n"); - - return returnStatus; -} - -VOID -setup() { - PAGED_CODE(); - // TODO: Exception????? - PVOID eprocess = systemEprocess; - DbgPrint("[NAK] :: [ ] System eprocess : 0x%p, [%15s]\n", - eprocess, (char*)((ULONG64)eprocess + eprocessNameOffset)); - processHead = (PVOID)(*(ULONG64*)((ULONG64)eprocess + eprocessLinkOffset + listBLinkOffset)); - DbgPrint("[NAK] :: [ ] PsActiveProcessHead : 0x%p\n", processHead); - ntosbase = (PVOID)((ULONG64)processHead - processHeadOffset); - DbgPrint("[NAK] :: [ ] ntoskrnl.exe : 0x%p\n", ntosbase); - - // TODO: Check if ntosbase is a PE, and the name is ntoskrnl.exe - // https://stackoverflow.com/a/4316804 - // https://stackoverflow.com/a/47898643 - // https://github.com/Reetus/RazorRE/blob/42f441093bd85443b39fcff5d2a02069b524b114/Crypt/Misc.cpp#L63 - // if (ntosbase->e_magic == IMAGE_DOS_SIGNATURE) { - // DbgPrint("[NAK] :: [ ] DOS Signature (MZ) Matched \n"); - // const PIMAGE_NT_HEADERS32 peHeader = (PIMAGE_NT_HEADERS32) ((unsigned char*)ntosbase+ntosbase->e_lfanew); - // if(peHeader->Signature == IMAGE_NT_SIGNATURE) { - // DbgPrint("[NAK] :: [ ] PE Signature (PE) Matched \n"); - // // yeah we really got ntoskrnl.exe base - // } - 
// } - -} - -VOID -scan_ps_active_head() { - PVOID eprocess = (PVOID)((ULONG64)processHead - eprocessLinkOffset); - DbgPrint("[NAK] :: [ ] Scan the PsActiveProcessHead linked-list\n"); - while (*(ULONG64*)((ULONG64)eprocess + eprocessLinkOffset) != (ULONG64)processHead) { - eprocess = (PVOID)(*(ULONG64*)((ULONG64)eprocess + eprocessLinkOffset) - eprocessLinkOffset); - DbgPrint("[NAK] :: [ ] eprocess : 0x%p, [%15s]\n", - eprocess, (char*)((ULONG64)eprocess + eprocessNameOffset)); - } -} - -VOID -hideProcess(CHAR* name, ULONG64 size) { - PVOID eprocess = (PVOID)((ULONG64)processHead - eprocessLinkOffset); - while (*(ULONG64*)((ULONG64)eprocess + eprocessLinkOffset) != (ULONG64)processHead) { - PVOID next_eprocess = (PVOID)(*(ULONG64*)((ULONG64)eprocess + eprocessLinkOffset) - eprocessLinkOffset); - char* processName = (char*)((ULONG64)eprocess + eprocessNameOffset); - int i = 0; - for (; i < size; i++) { - if (processName[i] != name[i]) break; - } - if (i != size) { - eprocess = next_eprocess; - continue; - } - // found process with name - PVOID next_eprocess_link = (PVOID)(*(ULONG64*)((ULONG64)eprocess + eprocessLinkOffset)); - PVOID prev_eprocess_link = (PVOID)(*(ULONG64*)((ULONG64)eprocess + eprocessLinkOffset + listBLinkOffset)); - - // set current to 0 - // *(ULONG64*)((ULONG64)eprocess + eprocessLinkOffset) = 0; - // *(ULONG64*)((ULONG64)eprocess + eprocessLinkOffset + listBLinkOffset) = 0; - - *(ULONG64*)((ULONG64)next_eprocess_link + listBLinkOffset) = (ULONG64)prev_eprocess_link; - *(ULONG64*)prev_eprocess_link = (ULONG64)next_eprocess_link; - - eprocess = next_eprocess; - } -} - -NTSTATUS -routine() { - PAGED_CODE(); - NTSTATUS returnStatus = STATUS_SUCCESS; - - OSVERSIONINFOW windowsVersionInfo; - RtlGetVersion(&windowsVersionInfo); - DbgPrint("[NAK] :: [ ] Windows version : %lu.%lu.%lu\n", - windowsVersionInfo.dwMajorVersion, windowsVersionInfo.dwMinorVersion, windowsVersionInfo.dwBuildNumber); - - if (windowsVersionInfo.dwMajorVersion != 10) { - 
DbgPrint("[NAK] :: [-] Windows version outside 10 is not supported yet!"); - return returnStatus; - } - - // https://en.wikipedia.org/wiki/Windows_10_version_history - VERSION_BY_POOL windowsVersionByPool = WINDOWS_NOT_SUPPORTED; - - // TODO: Move this to front-end for portable update - // TODO: automatically get from parsed PDB file - if (windowsVersionInfo.dwBuildNumber == 17134 || windowsVersionInfo.dwBuildNumber == 17763) { - DbgPrint("[NAK] :: [ ] Detected windows : 2018\n"); - windowsVersionByPool = WINDOWS_2018; - } - else if (windowsVersionInfo.dwBuildNumber == 18362 || windowsVersionInfo.dwBuildNumber == 18363) { - DbgPrint("[NAK] :: [ ] Detected windows : 2019\n"); - windowsVersionByPool = WINDOWS_2019; - } - else if (windowsVersionInfo.dwBuildNumber == 19041) { - DbgPrint("[NAK] :: [ ] Detected windows : 2020\n"); - windowsVersionByPool = WINDOWS_2020; - } - else if (windowsVersionInfo.dwBuildNumber >= 19536) { - DbgPrint("[NAK] :: [ ] Detected windows : 2020 Fast Ring\n"); - windowsVersionByPool = WINDOWS_2020_FASTRING; - // eprocessNameOffset = 0x5a8; - // eprocessLinkOffset = 0x448; - // listBLinkOffset = 0x8; - // processHeadOffset = 0xc1f960; - // miStateOffset = 0xc4f040; - // hardwareOffset = 0x1580; - // systemNodeOffset = 0x20; - // firstVaOffset = 0x60; - // lastVaOffset = 0x68; - // largePageTableOffset = 0xc1a740; - // largePageSizeOffset = 0xc1a738; - } - - if (windowsVersionByPool == WINDOWS_NOT_SUPPORTED) { - DbgPrint("[NAK] :: [-] Windows 10 with this build number is not supported yet!"); - return returnStatus; - } - - /** - * Try to find `MmNonPagedPoolStart` and `MmNonPagedPoolEnd` - * - * https://web.archive.org/web/20061110120809/http://www.rootkit.com/newsread.php?newsid=153 - * KPCR->KdVersionBlock->Debugger Data List Entry->Flink - * - * This technique is old and cannot be used in Windows 10, Windows 7/8 may fail too, - * After research, the result is summary into this README - * https://github.com/nganhkhoa/pdb_for_nonpagedpool - 
* - * Basically, find ntoskrnl.exe module address (kernel base) in memory and use offsets parsed from PDB file, - * Finding the kernel base by shellcode is not usable in Windows 2020 Insider Preview, - * I use IoGetCurrentProcess and traverse the ActiveProcessLinks linked list, - * Luckily, the process returned by IoGetCurrentProcess is System (the first process), so the BLINK is nt!PsActiveProcessHead - * With offset of nt!PsActiveProcessHead parsed from PDB file, we can get the kernel base by subtracting. - * - * Then offset to find NonPagedPool{First,Last}Va - * - * In Windows 10, we must use nt!MiState and look into Hardware->NodeInfo, - * there is a slightly different layout/offset to each version of Windows by year? - * 2015 -> 2016 -> 2018 -> 2019 -> 2020 all have a slight (or big) different - * - **/ - - /** - * In Windows 10 Insider Preview Feb 2020, the global debug is MiState, try this in windbg and see - * `x nt!MiState` to get address of MiState - * `dt _MI_SYSTEM_INFORMATION` to get offset to Hardware - * `dt _MI_HARDWARE_STATE` to get offset to SystemNodeNonPagedPool - * with those offset, use the following command to list the NonPagedPool{First,Last}Va - * `dt (_MI_SYSTEM_NODE_NONPAGED_POOL*) ( + + )` - * Sample output - * - * +0x000 DynamicBitMapNonPagedPool : _MI_DYNAMIC_BITMAP - * +0x048 CachedNonPagedPoolCount : 0 - * +0x050 NonPagedPoolSpinLock : 0 - * +0x058 CachedNonPagedPool : (null) - * +0x060 NonPagedPoolFirstVa : 0xffffe580`00000000 Void - * +0x068 NonPagedPoolLastVa : 0xfffff580`00000000 Void - * +0x070 SystemNodeInformation : 0xffffe58f`9283b050 _MI_SYSTEM_NODE_INFORMATION - * - * The big page pool is denoted by two variables `PoolBigPageTable.Va` and `PoolBigPageTableSize` - * It seems that this big page is inside NonPagedPool range - * - * PoolBigPageTable is an array with PoolBigPageTableSize elements, where - * each elements has: - * Va -> Address of the allocation - * Key -> Pool tag - * NumberOfBytes -> Size - * - **/ - - PVOID 
miState = (PVOID)((ULONG64)ntosbase + miStateOffset); - DbgPrint("[NAK] :: [ ] nt!MiState : 0x%p\n", miState); - PVOID systemNonPageInfo = nullptr; - - ULONG64 nonPagedPoolStart = 0; - ULONG64 nonPagedPoolEnd = 0; - PVOID largePageTableArray = 0; - ULONG64 largePageTableSize = 0; - - largePageTableArray = (PVOID)((ULONG64)ntosbase + largePageTableOffset); - largePageTableSize = *(ULONG64*)((ULONG64)ntosbase + largePageSizeOffset); - - - // TODO: Move this to front-end for portable update - // use defined formula by windows build number to get those two values - switch (windowsVersionByPool) { - case WINDOWS_2020_FASTRING: - systemNonPageInfo = (PVOID)*(ULONG64*)((ULONG64)miState + hardwareOffset + systemNodeOffset); - DbgPrint("[NAK] :: [ ] &systemNonPageInfo : 0x%p\n", systemNonPageInfo); - DbgPrint("[NAK] :: [ ] &NonPagedPoolFirstVa : 0x%p\n", (ULONG64*)((ULONG64)systemNonPageInfo + firstVaOffset)); - DbgPrint("[NAK] :: [ ] &NonPagedPoolLastVa : 0x%p\n", (ULONG64*)((ULONG64)systemNonPageInfo + lastVaOffset)); - nonPagedPoolStart = *(ULONG64*)((ULONG64)systemNonPageInfo + firstVaOffset); - nonPagedPoolEnd = *(ULONG64*)((ULONG64)systemNonPageInfo + lastVaOffset); - break; - default: - break; - } - - DbgPrint("[NAK] :: [+] nonPagedPoolStart : 0x%llx\n", nonPagedPoolStart); - DbgPrint("[NAK] :: [+] nonPagedPoolEnd : 0x%llx\n", nonPagedPoolEnd); - DbgPrint("[NAK] :: [+] large page address : 0x%p\n", largePageTableArray); - DbgPrint("[NAK] :: [+] large page size : 0x%llx\n", largePageTableSize); - - // scanNormalPool(nonPagedPoolStart, nonPagedPoolEnd); - // scanLargePool(largePageTableArray, largePageTableSize); - - return returnStatus; -} - -VOID -UnloadRoutine(_In_ PDRIVER_OBJECT DriverObject) { - PDEVICE_OBJECT deviceObject = DriverObject->DeviceObject; - UNICODE_STRING uniWin32NameString; - PAGED_CODE(); - - RtlInitUnicodeString(&uniWin32NameString, DOS_DEVICE_NAME); - IoDeleteSymbolicLink(&uniWin32NameString); - - if (deviceObject != nullptr) { - 
IoDeleteDevice(deviceObject); - } - - DbgPrint("[NAK] :: [+] Goodbye from Kernel\n"); -} - -VOID -toPoolHeader(PPOOL_HEADER p, PVOID chunkAddr) { - p->addr = chunkAddr; - p->prevBlockSize = *(USHORT*)((ULONG64) chunkAddr + 0x0) & 0xff; - p->poolIndex = *(USHORT*)((ULONG64) chunkAddr + 0x0) >> 8; - p->blockSize = *(USHORT*)((ULONG64) chunkAddr + 0x2) & 0xff; - p->poolType = *(USHORT*)((ULONG64) chunkAddr + 0x2) >> 8; - p->tag = *(ULONG*)((ULONG64) chunkAddr + 0x4); -} - -VOID -tryNextChunk(PPOOL_HEADER p) { - toPoolHeader(p, (PVOID)((ULONG64)p->addr + CHUNK_SIZE)); -} - -bool -validTag(PPOOL_HEADER p) { - // I know the compiler will optimize for me, so meeh :) - const char a = (char)(p->tag & 0xff); - const char b = (char)((p->tag & 0xff00) >> 8); - const char c = (char)((p->tag & 0xff0000) >> 16); - const char d = (char)(p->tag >> 24); - - // https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/nf-wdm-exallocatepoolwithtag - // > Each ASCII character in the tag must be a value in the range 0x20 (space) to 0x7E (tilde) - if (!(a >= 0x20 && a <= 0x7e) || - !(b >= 0x20 && b <= 0x7e) || - !(c >= 0x20 && c <= 0x7e) || - !(d >= 0x20 && d <= 0x7e)) - return false; - return true; -} - -bool -validPool(PPOOL_HEADER p) { - // https://subs.emis.de/LNI/Proceedings/Proceedings97/GI-Proceedings-97-9.pdf - // long long int offsetInPage = (long long int)p->addr % PAGE_SIZE; // OffsetInPage = addr % pagesize - // (offsetInPage % CHUNK_SIZE == 0) && // rule 1 - // (p->blockSize > 0) && // rule 2 - // (p->blockSize * CHUNK_SIZE + offsetInPage == PAGE_SIZE) && // rule 3 - // (p->prevBlockSize * CHUNK_SIZE <= offsetInPage) // rule 5 - if ((p->blockSize * CHUNK_SIZE) < 0xb00 + 0x10 || // eprocess size + pool_header size - // p->poolType % 2 != 0 || // pool tag must be even number aka nonpaged - p->poolType != 2 // force to search for nonpaged pool only aka poolType == 2 - ) - return false; - return true; -} - -VOID -printChunkInfo(PPOOL_HEADER p) { - DbgPrint("[NAK] :: [+] 
==== PoolStart 0x%p ====\n", p->addr); - DbgPrint("[NAK] :: [|] \tPreviousSize : 0x%x\n", p->prevBlockSize); - DbgPrint("[NAK] :: [|] \tPoolIndex : 0x%x\n", p->poolIndex); - DbgPrint("[NAK] :: [|] \tBlockSize : 0x%x\n", p->blockSize * CHUNK_SIZE); - DbgPrint("[NAK] :: [|] \tPoolType : 0x%x\n", p->poolType); - DbgPrint("[NAK] :: [|] \tPoolTag : 0x%lx [%4s]\n", p->tag, p->tag); - DbgPrint("[NAK] :: [+] ==== PoolEnd 0x%p ====\n", p->addr); -} - -VOID -scanNormalPool(ULONG64 nonPagedPoolStart, ULONG64 nonPagedPoolEnd) { - DbgPrint("[NAK] :: [+] Scanning\n"); - - /* - * The name nonpaged pool is quite misunderstanding, - * the correct definition of a nonpaged pool is a pool which remains on the nonpaged region - * nonpaged region is a range of address inside the kernel virtual address that has - * a correspoding page in the physical memory (RAM) - * - * Which is, if there is a **valid** page in nonpaged pool, there is a correspoding page in RAM - * The OS will allocate a page in this nonpaged region with a page in RAM when a new page - * is requested to be nonpaged and there is no space left in current allocated nonpaged region. - * - * That is, if the address lies in the nonpaged region but is not allocated yet to have a - * backed paged on RAM, then a bug check will occur. The name is `PAGE FAULT IN NONPAGED AREA` - * - **/ - - POOL_HEADER p; - PVOID eprocess = nullptr; - char eprocess_name[16] = {0}; // eprocess name is 15 bytes + 1 null - PVOID currentAddr = (PVOID)(nonPagedPoolStart); - while (true) { - if ((ULONG64)currentAddr >= nonPagedPoolEnd) - break; - - /* - * BOOLEAN MmIsAddressValid(PVOID) - * - * Warning We do not recommend using this function. - * - * If no page fault would occur from reading or writing at the given virtual address, - * MmIsAddressValid returns TRUE. - * - * Even if MmIsAddressValid returns TRUE, accessing the address can cause page faults - * unless the memory has been locked down or the address **is a valid nonpaged pool address**. 
- * - * Well, we got a nonpaged pool address, so it is good - * - **/ - if (!MmIsAddressValid(currentAddr)) { - // Because a chunk pool reside on a page, so we check on page alignment - currentAddr = (PVOID)((ULONG64)currentAddr + PAGE_SIZE); - continue; - } - - // TODO: perform scan in one page, use BlockSize/PreviousBlockSize - toPoolHeader(&p, (PVOID)currentAddr); - currentAddr = (PVOID)((ULONG64)currentAddr + poolChunkSize); - - if (p.tag == 0) continue; - if (!validTag(&p)) continue; - if (!validPool(&p)) continue; - - if (p.tag != 'Proc' && p.tag != 'corP') - continue; - - // TODO: Parse data as _EPROCESS - // The first Proc found seems to be the System _EPROCESS - // The offset of system's chunk to _EPROCESS is 0x40, size is ... - // but offset of other processes' chunk to _EPROCESS is 0x80, size is 0xe00 - // TODO: search for CreateTime, this field must be in range [system startup time; now] - // this is resolved in frontend - printChunkInfo(&p); - if (p.blockSize * CHUNK_SIZE == 0xf00) { - eprocess = (PVOID)((ULONG64)p.addr + 0x40); - } else if (p.blockSize * CHUNK_SIZE == 0xd80) { - eprocess = (PVOID)((ULONG64)p.addr + 0x70); - } else if (p.blockSize * CHUNK_SIZE == 0xe00) { - eprocess = (PVOID)((ULONG64)p.addr + 0x80); - } else { - DbgPrint("[NAK] :: [ ] This is not a valid eprocess, maybe\n"); - continue; - } - RtlStringCbCopyNA(eprocess_name, 16, (char*)((ULONG64)eprocess + eprocessNameOffset), 15); - DbgPrint("[NAK] :: [ ] eprocess offset 0x80 : 0x%p, [%s]\n", eprocess, eprocess_name); - } - - DbgPrint("[NAK] :: [+] Finish scanning"); -} - -VOID -scanLargePool(PVOID /* largePageTableArray */, ULONG64 /* largePageTableSize */) { - DbgPrint("[NAK] :: [-] Scan large pool not supported yet"); -} - -PVOID -scanRemote(ULONG64 startAddress, ULONG64 endAddress, ULONG tag) { - POOL_HEADER p; - PVOID currentAddr = (PVOID)startAddress; - while (true) { - if ((ULONG64)currentAddr >= endAddress) - break; - - if (!MmIsAddressValid(currentAddr)) { - currentAddr = 
(PVOID)((ULONG64)currentAddr + PAGE_SIZE); - continue; - } - - toPoolHeader(&p, (PVOID)currentAddr); - currentAddr = (PVOID)((ULONG64)currentAddr + poolChunkSize); - - if (p.tag == 0) continue; - if (!validTag(&p)) continue; - // if (!validPool(&p)) continue; - - if (p.tag != tag) - continue; - - return p.addr; - } - return (PVOID)endAddress; -} +#include +#include +#include +#include + +#include "Driver.h" +#include "sioctl.h" +// #include "simplewsk.h" + +extern "C" DRIVER_INITIALIZE DriverEntry; +extern "C" DRIVER_UNLOAD UnloadRoutine; +extern "C" DRIVER_DISPATCH DriverCreateClose; +extern "C" DRIVER_DISPATCH DriverControl; +// extern "C" PDBGKD_GET_VERSION64 FindKdVersionBlock(void); + +#define NT_DEVICE_NAME L"\\Device\\poolscanner" +#define DOS_DEVICE_NAME L"\\DosDevices\\poolscanner" + +#define F_DbgPrint(...) \ + DbgPrint("[NAK] :: ");\ + DbgPrint(__VA_ARGS__); + +#define POOL_HEADER_SIZE 0x10 // windows 10 +#define CHUNK_SIZE 16 // 64 bit +// #define PAGE_SIZE 4096 // 4KB + +// some globals +PVOID ntosbase; +PVOID systemEprocess; +PVOID processHead; + +// offset to get from PDB file +ULONG64 eprocessNameOffset = 0; +ULONG64 eprocessLinkOffset = 0; +ULONG64 listBLinkOffset = 0; +ULONG64 processHeadOffset = 0; +ULONG64 miStateOffset = 0; +ULONG64 hardwareOffset = 0; +ULONG64 systemNodeOffset = 0; +ULONG64 firstVaOffset = 0; +ULONG64 lastVaOffset = 0; +ULONG64 largePageTableOffset = 0; +ULONG64 largePageSizeOffset = 0; +ULONG64 poolChunkSize = 0; + +NTSTATUS +DriverCreateClose(PDEVICE_OBJECT /* DriverObject */, PIRP Irp) { + PAGED_CODE(); + + Irp->IoStatus.Status = STATUS_SUCCESS; + Irp->IoStatus.Information = 0; + + IoCompleteRequest(Irp, IO_NO_INCREMENT); + + return STATUS_SUCCESS; +} + +NTSTATUS +DriverControl(PDEVICE_OBJECT /* DriverObject */, PIRP Irp) { + PIO_STACK_LOCATION irpSp; + NTSTATUS ntStatus = STATUS_SUCCESS; + // ULONG inBufLength; + // ULONG outBufLength; + ULONG controlCode; + // PCHAR inBuf; + // PCHAR outBuf; + PINPUT_DATA inputData = 
nullptr; + POUTPUT_DATA outputData = nullptr; + POFFSET_VALUE offsetValues = nullptr; + PDEREF_ADDR derefAddr = nullptr; + PSCAN_RANGE scanRange = nullptr; + PHIDE_PROCESS processHide = nullptr; + + PAGED_CODE(); + + irpSp = IoGetCurrentIrpStackLocation(Irp); + /* + * struct { + * ULONG OutputBufferLength; + * ULONG POINTER_ALIGNMENT InputBufferLength; + * ULONG POINTER_ALIGNMENT IoControlCode; + * PVOID Type3InputBuffer; + * } DeviceIoControl; + **/ + controlCode = irpSp->Parameters.DeviceIoControl.IoControlCode; + + switch (controlCode) { + case IOCTL_SETUP_OFFSETS: + DbgPrint("[NAK] :: [ ] Setup offsets\n"); + inputData = (PINPUT_DATA)(Irp->AssociatedIrp.SystemBuffer); + offsetValues = &(inputData->offsetValues); + eprocessNameOffset = offsetValues->eprocessNameOffset; + eprocessLinkOffset = offsetValues->eprocessLinkOffset; + listBLinkOffset = offsetValues->listBLinkOffset; + processHeadOffset = offsetValues->processHeadOffset; + miStateOffset = offsetValues->miStateOffset; + hardwareOffset = offsetValues->hardwareOffset; + systemNodeOffset = offsetValues->systemNodeOffset; + firstVaOffset = offsetValues->firstVaOffset; + lastVaOffset = offsetValues->lastVaOffset; + largePageTableOffset = offsetValues->largePageTableOffset; + largePageSizeOffset = offsetValues->largePageSizeOffset; + poolChunkSize = offsetValues->poolChunkSize; + setup(); + break; + case GET_KERNEL_BASE: + DbgPrint("[NAK] :: [ ] Get kernel base\n"); + outputData = (POUTPUT_DATA)MmGetSystemAddressForMdlSafe(Irp->MdlAddress, NormalPagePriority | MdlMappingNoExecute); + // TODO: check for safety outputData address null + outputData->ulong64Value = (ULONG64)ntosbase; + Irp->IoStatus.Information = sizeof(ULONG64); + break; + case SCAN_PS_ACTIVE_HEAD: + DbgPrint("[NAK] :: [ ] Scan ps active head\n"); + scan_ps_active_head(); + break; + case SCAN_POOL: + DbgPrint("[NAK] :: [ ] Scan pool\n"); + inputData = (PINPUT_DATA)(Irp->AssociatedIrp.SystemBuffer); + scanRange = &(inputData->scanRange); + 
DbgPrint("[NAK] :: Range: %llx - %llx", scanRange->start, scanRange->end);
+ scanNormalPool(scanRange->start, scanRange->end);
+ break;
+ case SCAN_POOL_REMOTE:
+ inputData = (PINPUT_DATA)(Irp->AssociatedIrp.SystemBuffer);
+ outputData = (POUTPUT_DATA)MmGetSystemAddressForMdlSafe(Irp->MdlAddress, NormalPagePriority | MdlMappingNoExecute);
+ scanRange = &(inputData->scanRange);
+ DbgPrint("[NAK] :: Range: %llx - %llx", scanRange->start, scanRange->end);
+ (outputData->poolChunk).addr = (ULONG64)scanRemote(scanRange->start, scanRange->end, scanRange->tag);
+ DbgPrint("[NAK] :: Found: %llx", (outputData->poolChunk).addr);
+ break;
+ case DEREFERENCE_ADDRESS:
+ // DbgPrint("[NAK] :: [ ] Deref address\n");
+ inputData = (PINPUT_DATA)(Irp->AssociatedIrp.SystemBuffer);
+ derefAddr = &(inputData->derefAddr);
+ outputData = (POUTPUT_DATA)MmGetSystemAddressForMdlSafe(Irp->MdlAddress, NormalPagePriority | MdlMappingNoExecute);
+ // DbgPrint("[NAK] :: [ ] Deref %llu bytes from %llx\n", derefAddr->size, derefAddr->addr);
+ RtlCopyBytes((PVOID)outputData, (PVOID)derefAddr->addr, (SIZE_T)derefAddr->size);
+ break;
+ case HIDE_PROCESS_BY_NAME:
+ DbgPrint("[NAK] :: [ ] Hide process\n");
+ inputData = (PINPUT_DATA)(Irp->AssociatedIrp.SystemBuffer);
+ processHide = &(inputData->processHide);
+ DbgPrint("[NAK] :: [ ] Hide process name: [%15s]; size: %llu\n", processHide->name, processHide->size);
+ hideProcess(processHide->name, processHide->size);
+ break;
+ default:
+ break;
+ }
+
+ Irp->IoStatus.Status = ntStatus;
+ IoCompleteRequest(Irp, IO_NO_INCREMENT);
+ return ntStatus;
+}
+
+NTSTATUS
+DriverEntry(
+ _In_ PDRIVER_OBJECT DriverObject,
+ _In_ PUNICODE_STRING /* RegistryPath */
+) {
+ DbgPrint("[NAK] :: [ ] Hello from Kernel, setup a few things\n");
+
+ NTSTATUS returnStatus = STATUS_SUCCESS;
+ UNICODE_STRING ntUnicodeString;
+ UNICODE_STRING ntWin32NameString;
+ PDEVICE_OBJECT deviceObject = nullptr;
+
+ PAGED_CODE();
+
+ RtlInitUnicodeString(&ntUnicodeString, NT_DEVICE_NAME);
+
returnStatus = IoCreateDevice(
+ DriverObject, // Our Driver Object
+ 0, // We don't use a device extension
+ &ntUnicodeString, // Device name "\Device\poolscanner"
+ FILE_DEVICE_UNKNOWN, // Device type
+ FILE_DEVICE_SECURE_OPEN, // Device characteristics
+ FALSE, // Not an exclusive device
+ &deviceObject); // Returned ptr to Device Object
+ if (!NT_SUCCESS(returnStatus)) {
+ DbgPrint(("[NAK] :: [-] Couldn't create the device object\n"));
+ return returnStatus;
+ }
+
+ DriverObject->DriverUnload = UnloadRoutine;
+ DriverObject->MajorFunction[IRP_MJ_CREATE] = DriverCreateClose;
+ DriverObject->MajorFunction[IRP_MJ_CLOSE] = DriverCreateClose;
+ DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DriverControl;
+
+ RtlInitUnicodeString(&ntWin32NameString, DOS_DEVICE_NAME);
+ returnStatus = IoCreateSymbolicLink(&ntWin32NameString, &ntUnicodeString);
+ if (!NT_SUCCESS(returnStatus)) {
+ DbgPrint("[NAK] :: [-] Couldn't create symbolic link for driver\n");
+ IoDeleteDevice(deviceObject);
+ }
+
+ systemEprocess = IoGetCurrentProcess();
+
+ DbgPrint("[NAK] :: [+] Setup completed, waiting for command on DeviceIo\n");
+
+ return returnStatus;
+}
+
+VOID
+setup() {
+ PAGED_CODE();
+ // TODO: Exception?????
+ PVOID eprocess = systemEprocess;
+ DbgPrint("[NAK] :: [ ] System eprocess : 0x%p, [%15s]\n",
+ eprocess, (char*)((ULONG64)eprocess + eprocessNameOffset));
+ processHead = (PVOID)(*(ULONG64*)((ULONG64)eprocess + eprocessLinkOffset + listBLinkOffset));
+ DbgPrint("[NAK] :: [ ] PsActiveProcessHead : 0x%p\n", processHead);
+ ntosbase = (PVOID)((ULONG64)processHead - processHeadOffset);
+ DbgPrint("[NAK] :: [ ] ntoskrnl.exe : 0x%p\n", ntosbase);
+
+ // TODO: Check if ntosbase is a PE, and the name is ntoskrnl.exe
+ // https://stackoverflow.com/a/4316804
+ // https://stackoverflow.com/a/47898643
+ // https://github.com/Reetus/RazorRE/blob/42f441093bd85443b39fcff5d2a02069b524b114/Crypt/Misc.cpp#L63
+ // if (ntosbase->e_magic == IMAGE_DOS_SIGNATURE) {
+ // DbgPrint("[NAK] :: [ ] DOS Signature (MZ) Matched \n");
+ // const PIMAGE_NT_HEADERS32 peHeader = (PIMAGE_NT_HEADERS32) ((unsigned char*)ntosbase+ntosbase->e_lfanew);
+ // if(peHeader->Signature == IMAGE_NT_SIGNATURE) {
+ // DbgPrint("[NAK] :: [ ] PE Signature (PE) Matched \n");
+ // // yeah we really got ntoskrnl.exe base
+ // }
+ // }
+
+}
+
+VOID
+scan_ps_active_head() {
+ PVOID eprocess = (PVOID)((ULONG64)processHead - eprocessLinkOffset);
+ DbgPrint("[NAK] :: [ ] Scan the PsActiveProcessHead linked-list\n");
+ while (*(ULONG64*)((ULONG64)eprocess + eprocessLinkOffset) != (ULONG64)processHead) {
+ eprocess = (PVOID)(*(ULONG64*)((ULONG64)eprocess + eprocessLinkOffset) - eprocessLinkOffset);
+ DbgPrint("[NAK] :: [ ] eprocess : 0x%p, [%15s]\n",
+ eprocess, (char*)((ULONG64)eprocess + eprocessNameOffset));
+ }
+}
+
+VOID
+hideProcess(CHAR* name, ULONG64 size) {
+ PVOID eprocess = (PVOID)((ULONG64)processHead - eprocessLinkOffset);
+ while (*(ULONG64*)((ULONG64)eprocess + eprocessLinkOffset) != (ULONG64)processHead) {
+ PVOID next_eprocess = (PVOID)(*(ULONG64*)((ULONG64)eprocess + eprocessLinkOffset) - eprocessLinkOffset);
+ char* processName = (char*)((ULONG64)eprocess + eprocessNameOffset);
+ int i = 0;
+ for (; i <
size; i++) {
+ if (processName[i] != name[i]) break;
+ }
+ if (i != size) {
+ eprocess = next_eprocess;
+ continue;
+ }
+ // found process with name
+ PVOID next_eprocess_link = (PVOID)(*(ULONG64*)((ULONG64)eprocess + eprocessLinkOffset));
+ PVOID prev_eprocess_link = (PVOID)(*(ULONG64*)((ULONG64)eprocess + eprocessLinkOffset + listBLinkOffset));
+
+ // set current to 0
+ // *(ULONG64*)((ULONG64)eprocess + eprocessLinkOffset) = 0;
+ // *(ULONG64*)((ULONG64)eprocess + eprocessLinkOffset + listBLinkOffset) = 0;
+
+ *(ULONG64*)((ULONG64)next_eprocess_link + listBLinkOffset) = (ULONG64)prev_eprocess_link;
+ *(ULONG64*)prev_eprocess_link = (ULONG64)next_eprocess_link;
+
+ eprocess = next_eprocess;
+ }
+}
+
+NTSTATUS
+routine() {
+ PAGED_CODE();
+ NTSTATUS returnStatus = STATUS_SUCCESS;
+
+ OSVERSIONINFOW windowsVersionInfo;
+ RtlGetVersion(&windowsVersionInfo);
+ DbgPrint("[NAK] :: [ ] Windows version : %lu.%lu.%lu\n",
+ windowsVersionInfo.dwMajorVersion, windowsVersionInfo.dwMinorVersion, windowsVersionInfo.dwBuildNumber);
+
+ if (windowsVersionInfo.dwMajorVersion != 10) {
+ DbgPrint("[NAK] :: [-] Windows version outside 10 is not supported yet!");
+ return returnStatus;
+ }
+
+ // https://en.wikipedia.org/wiki/Windows_10_version_history
+ VERSION_BY_POOL windowsVersionByPool = WINDOWS_NOT_SUPPORTED;
+
+ // TODO: Move this to front-end for portable update
+ // TODO: automatically get from parsed PDB file
+ if (windowsVersionInfo.dwBuildNumber == 17134 || windowsVersionInfo.dwBuildNumber == 17763) {
+ DbgPrint("[NAK] :: [ ] Detected windows : 2018\n");
+ windowsVersionByPool = WINDOWS_2018;
+ }
+ else if (windowsVersionInfo.dwBuildNumber == 18362 || windowsVersionInfo.dwBuildNumber == 18363) {
+ DbgPrint("[NAK] :: [ ] Detected windows : 2019\n");
+ windowsVersionByPool = WINDOWS_2019;
+ }
+ else if (windowsVersionInfo.dwBuildNumber == 19041) {
+ DbgPrint("[NAK] :: [ ] Detected windows : 2020\n");
+ windowsVersionByPool = WINDOWS_2020;
+ }
+ else if
(windowsVersionInfo.dwBuildNumber >= 19536) { + DbgPrint("[NAK] :: [ ] Detected windows : 2020 Fast Ring\n"); + windowsVersionByPool = WINDOWS_2020_FASTRING; + // eprocessNameOffset = 0x5a8; + // eprocessLinkOffset = 0x448; + // listBLinkOffset = 0x8; + // processHeadOffset = 0xc1f960; + // miStateOffset = 0xc4f040; + // hardwareOffset = 0x1580; + // systemNodeOffset = 0x20; + // firstVaOffset = 0x60; + // lastVaOffset = 0x68; + // largePageTableOffset = 0xc1a740; + // largePageSizeOffset = 0xc1a738; + } + + if (windowsVersionByPool == WINDOWS_NOT_SUPPORTED) { + DbgPrint("[NAK] :: [-] Windows 10 with this build number is not supported yet!"); + return returnStatus; + } + + /** + * Try to find `MmNonPagedPoolStart` and `MmNonPagedPoolEnd` + * + * https://web.archive.org/web/20061110120809/http://www.rootkit.com/newsread.php?newsid=153 + * KPCR->KdVersionBlock->Debugger Data List Entry->Flink + * + * This technique is old and cannot be used in Windows 10, Windows 7/8 may fail too, + * After research, the result is summary into this README + * https://github.com/nganhkhoa/pdb_for_nonpagedpool + * + * Basically, find ntoskrnl.exe module address (kernel base) in memory and use offsets parsed from PDB file, + * Finding the kernel base by shellcode is not usable in Windows 2020 Insider Preview, + * I use IoGetCurrentProcess and traverse the ActiveProcessLinks linked list, + * Luckily, the process returned by IoGetCurrentProcess is System (the first process), so the BLINK is nt!PsActiveProcessHead + * With offset of nt!PsActiveProcessHead parsed from PDB file, we can get the kernel base by subtracting. + * + * Then offset to find NonPagedPool{First,Last}Va + * + * In Windows 10, we must use nt!MiState and look into Hardware->NodeInfo, + * there is a slightly different layout/offset to each version of Windows by year? 
+ * 2015 -> 2016 -> 2018 -> 2019 -> 2020 all have a slight (or big) different + * + **/ + + /** + * In Windows 10 Insider Preview Feb 2020, the global debug is MiState, try this in windbg and see + * `x nt!MiState` to get address of MiState + * `dt _MI_SYSTEM_INFORMATION` to get offset to Hardware + * `dt _MI_HARDWARE_STATE` to get offset to SystemNodeNonPagedPool + * with those offset, use the following command to list the NonPagedPool{First,Last}Va + * `dt (_MI_SYSTEM_NODE_NONPAGED_POOL*) ( + + )` + * Sample output + * + * +0x000 DynamicBitMapNonPagedPool : _MI_DYNAMIC_BITMAP + * +0x048 CachedNonPagedPoolCount : 0 + * +0x050 NonPagedPoolSpinLock : 0 + * +0x058 CachedNonPagedPool : (null) + * +0x060 NonPagedPoolFirstVa : 0xffffe580`00000000 Void + * +0x068 NonPagedPoolLastVa : 0xfffff580`00000000 Void + * +0x070 SystemNodeInformation : 0xffffe58f`9283b050 _MI_SYSTEM_NODE_INFORMATION + * + * The big page pool is denoted by two variables `PoolBigPageTable.Va` and `PoolBigPageTableSize` + * It seems that this big page is inside NonPagedPool range + * + * PoolBigPageTable is an array with PoolBigPageTableSize elements, where + * each elements has: + * Va -> Address of the allocation + * Key -> Pool tag + * NumberOfBytes -> Size + * + **/ + + PVOID miState = (PVOID)((ULONG64)ntosbase + miStateOffset); + DbgPrint("[NAK] :: [ ] nt!MiState : 0x%p\n", miState); + PVOID systemNonPageInfo = nullptr; + + ULONG64 nonPagedPoolStart = 0; + ULONG64 nonPagedPoolEnd = 0; + PVOID largePageTableArray = 0; + ULONG64 largePageTableSize = 0; + + largePageTableArray = (PVOID)((ULONG64)ntosbase + largePageTableOffset); + largePageTableSize = *(ULONG64*)((ULONG64)ntosbase + largePageSizeOffset); + + + // TODO: Move this to front-end for portable update + // use defined formula by windows build number to get those two values + switch (windowsVersionByPool) { + case WINDOWS_2020_FASTRING: + systemNonPageInfo = (PVOID)*(ULONG64*)((ULONG64)miState + hardwareOffset + systemNodeOffset); + 
DbgPrint("[NAK] :: [ ] &systemNonPageInfo : 0x%p\n", systemNonPageInfo);
+ DbgPrint("[NAK] :: [ ] &NonPagedPoolFirstVa : 0x%p\n", (ULONG64*)((ULONG64)systemNonPageInfo + firstVaOffset));
+ DbgPrint("[NAK] :: [ ] &NonPagedPoolLastVa : 0x%p\n", (ULONG64*)((ULONG64)systemNonPageInfo + lastVaOffset));
+ nonPagedPoolStart = *(ULONG64*)((ULONG64)systemNonPageInfo + firstVaOffset);
+ nonPagedPoolEnd = *(ULONG64*)((ULONG64)systemNonPageInfo + lastVaOffset);
+ break;
+ default:
+ break;
+ }
+
+ DbgPrint("[NAK] :: [+] nonPagedPoolStart : 0x%llx\n", nonPagedPoolStart);
+ DbgPrint("[NAK] :: [+] nonPagedPoolEnd : 0x%llx\n", nonPagedPoolEnd);
+ DbgPrint("[NAK] :: [+] large page address : 0x%p\n", largePageTableArray);
+ DbgPrint("[NAK] :: [+] large page size : 0x%llx\n", largePageTableSize);
+
+ // scanNormalPool(nonPagedPoolStart, nonPagedPoolEnd);
+ // scanLargePool(largePageTableArray, largePageTableSize);
+
+ return returnStatus;
+}
+
+VOID
+UnloadRoutine(_In_ PDRIVER_OBJECT DriverObject) {
+ PDEVICE_OBJECT deviceObject = DriverObject->DeviceObject;
+ UNICODE_STRING uniWin32NameString;
+ PAGED_CODE();
+
+ RtlInitUnicodeString(&uniWin32NameString, DOS_DEVICE_NAME);
+ IoDeleteSymbolicLink(&uniWin32NameString);
+
+ if (deviceObject != nullptr) {
+ IoDeleteDevice(deviceObject);
+ }
+
+ DbgPrint("[NAK] :: [+] Goodbye from Kernel\n");
+}
+
+VOID
+toPoolHeader(PPOOL_HEADER p, PVOID chunkAddr) {
+ p->addr = chunkAddr;
+ p->prevBlockSize = *(USHORT*)((ULONG64) chunkAddr + 0x0) & 0xff;
+ p->poolIndex = *(USHORT*)((ULONG64) chunkAddr + 0x0) >> 8;
+ p->blockSize = *(USHORT*)((ULONG64) chunkAddr + 0x2) & 0xff;
+ p->poolType = *(USHORT*)((ULONG64) chunkAddr + 0x2) >> 8;
+ p->tag = *(ULONG*)((ULONG64) chunkAddr + 0x4);
+}
+
+VOID
+tryNextChunk(PPOOL_HEADER p) {
+ toPoolHeader(p, (PVOID)((ULONG64)p->addr + CHUNK_SIZE));
+}
+
+bool
+validTag(PPOOL_HEADER p) {
+ // I know the compiler will optimize for me, so meeh :)
+ const char a = (char)(p->tag & 0xff);
+ const char b = (char)((p->tag &
0xff00) >> 8); + const char c = (char)((p->tag & 0xff0000) >> 16); + const char d = (char)(p->tag >> 24); + + // https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/nf-wdm-exallocatepoolwithtag + // > Each ASCII character in the tag must be a value in the range 0x20 (space) to 0x7E (tilde) + if (!(a >= 0x20 && a <= 0x7e) || + !(b >= 0x20 && b <= 0x7e) || + !(c >= 0x20 && c <= 0x7e) || + !(d >= 0x20 && d <= 0x7e)) + return false; + return true; +} + +bool +validPool(PPOOL_HEADER p) { + // https://subs.emis.de/LNI/Proceedings/Proceedings97/GI-Proceedings-97-9.pdf + // long long int offsetInPage = (long long int)p->addr % PAGE_SIZE; // OffsetInPage = addr % pagesize + // (offsetInPage % CHUNK_SIZE == 0) && // rule 1 + // (p->blockSize > 0) && // rule 2 + // (p->blockSize * CHUNK_SIZE + offsetInPage == PAGE_SIZE) && // rule 3 + // (p->prevBlockSize * CHUNK_SIZE <= offsetInPage) // rule 5 + if ((p->blockSize * CHUNK_SIZE) < 0xb00 + 0x10 || // eprocess size + pool_header size + // p->poolType % 2 != 0 || // pool tag must be even number aka nonpaged + p->poolType != 2 // force to search for nonpaged pool only aka poolType == 2 + ) + return false; + return true; +} + +VOID +printChunkInfo(PPOOL_HEADER p) { + DbgPrint("[NAK] :: [+] ==== PoolStart 0x%p ====\n", p->addr); + DbgPrint("[NAK] :: [|] \tPreviousSize : 0x%x\n", p->prevBlockSize); + DbgPrint("[NAK] :: [|] \tPoolIndex : 0x%x\n", p->poolIndex); + DbgPrint("[NAK] :: [|] \tBlockSize : 0x%x\n", p->blockSize * CHUNK_SIZE); + DbgPrint("[NAK] :: [|] \tPoolType : 0x%x\n", p->poolType); + DbgPrint("[NAK] :: [|] \tPoolTag : 0x%lx [%4s]\n", p->tag, p->tag); + DbgPrint("[NAK] :: [+] ==== PoolEnd 0x%p ====\n", p->addr); +} + +VOID +scanNormalPool(ULONG64 nonPagedPoolStart, ULONG64 nonPagedPoolEnd) { + DbgPrint("[NAK] :: [+] Scanning\n"); + + /* + * The name nonpaged pool is quite misunderstanding, + * the correct definition of a nonpaged pool is a pool which remains on the nonpaged region + * nonpaged region is a 
range of address inside the kernel virtual address that has + * a correspoding page in the physical memory (RAM) + * + * Which is, if there is a **valid** page in nonpaged pool, there is a correspoding page in RAM + * The OS will allocate a page in this nonpaged region with a page in RAM when a new page + * is requested to be nonpaged and there is no space left in current allocated nonpaged region. + * + * That is, if the address lies in the nonpaged region but is not allocated yet to have a + * backed paged on RAM, then a bug check will occur. The name is `PAGE FAULT IN NONPAGED AREA` + * + **/ + + POOL_HEADER p; + PVOID eprocess = nullptr; + char eprocess_name[16] = {0}; // eprocess name is 15 bytes + 1 null + PVOID currentAddr = (PVOID)(nonPagedPoolStart); + while (true) { + if ((ULONG64)currentAddr >= nonPagedPoolEnd) + break; + + /* + * BOOLEAN MmIsAddressValid(PVOID) + * + * Warning We do not recommend using this function. + * + * If no page fault would occur from reading or writing at the given virtual address, + * MmIsAddressValid returns TRUE. + * + * Even if MmIsAddressValid returns TRUE, accessing the address can cause page faults + * unless the memory has been locked down or the address **is a valid nonpaged pool address**. 
+ * + * Well, we got a nonpaged pool address, so it is good + * + **/ + if (!MmIsAddressValid(currentAddr)) { + // Because a chunk pool reside on a page, so we check on page alignment + currentAddr = (PVOID)((ULONG64)currentAddr + PAGE_SIZE); + continue; + } + + // TODO: perform scan in one page, use BlockSize/PreviousBlockSize + toPoolHeader(&p, (PVOID)currentAddr); + currentAddr = (PVOID)((ULONG64)currentAddr + poolChunkSize); + + if (p.tag == 0) continue; + if (!validTag(&p)) continue; + if (!validPool(&p)) continue; + + if (p.tag != 'Proc' && p.tag != 'corP') + continue; + + // TODO: Parse data as _EPROCESS + // The first Proc found seems to be the System _EPROCESS + // The offset of system's chunk to _EPROCESS is 0x40, size is ... + // but offset of other processes' chunk to _EPROCESS is 0x80, size is 0xe00 + // TODO: search for CreateTime, this field must be in range [system startup time; now] + // this is resolved in frontend + printChunkInfo(&p); + if (p.blockSize * CHUNK_SIZE == 0xf00) { + eprocess = (PVOID)((ULONG64)p.addr + 0x40); + } else if (p.blockSize * CHUNK_SIZE == 0xd80) { + eprocess = (PVOID)((ULONG64)p.addr + 0x70); + } else if (p.blockSize * CHUNK_SIZE == 0xe00) { + eprocess = (PVOID)((ULONG64)p.addr + 0x80); + } else { + DbgPrint("[NAK] :: [ ] This is not a valid eprocess, maybe\n"); + continue; + } + RtlStringCbCopyNA(eprocess_name, 16, (char*)((ULONG64)eprocess + eprocessNameOffset), 15); + DbgPrint("[NAK] :: [ ] eprocess offset 0x80 : 0x%p, [%s]\n", eprocess, eprocess_name); + } + + DbgPrint("[NAK] :: [+] Finish scanning"); +} + +VOID +scanLargePool(PVOID /* largePageTableArray */, ULONG64 /* largePageTableSize */) { + DbgPrint("[NAK] :: [-] Scan large pool not supported yet"); +} + +PVOID +scanRemote(ULONG64 startAddress, ULONG64 endAddress, ULONG tag) { + POOL_HEADER p; + PVOID currentAddr = (PVOID)startAddress; + while (true) { + if ((ULONG64)currentAddr >= endAddress) + break; + + if (!MmIsAddressValid(currentAddr)) { + currentAddr = 
(PVOID)((ULONG64)currentAddr + PAGE_SIZE);
+ continue;
+ }
+
+ toPoolHeader(&p, (PVOID)currentAddr);
+ currentAddr = (PVOID)((ULONG64)currentAddr + poolChunkSize);
+
+ if (p.tag == 0) continue;
+ if (!validTag(&p)) continue;
+ // if (!validPool(&p)) continue;
+
+ if (p.tag != tag)
+ continue;
+
+ return p.addr;
+ }
+ return (PVOID)endAddress;
+}
diff --git a/KMDF Driver2/Driver.h b/lpus/Driver.h
similarity index 100%
rename from KMDF Driver2/Driver.h
rename to lpus/Driver.h
diff --git a/KMDF Driver2/findglobalkernelvars.png b/lpus/findglobalkernelvars.png
similarity index 100%
rename from KMDF Driver2/findglobalkernelvars.png
rename to lpus/findglobalkernelvars.png
diff --git a/KMDF Driver2/kernel-shellcode.cpp b/lpus/kernel-shellcode.cpp
similarity index 97%
rename from KMDF Driver2/kernel-shellcode.cpp
rename to lpus/kernel-shellcode.cpp
index d2dc6a7..3b1228b 100644
--- a/KMDF Driver2/kernel-shellcode.cpp
+++ b/lpus/kernel-shellcode.cpp
@@ -1,133 +1,133 @@ -#include - -__declspec(dllexport) -__declspec(noinline) -void* -GetNtoskrnlBaseAddress() -{ - // - // From Windows Internals part 1, chapter 2: - // - // "The kernel uses a data structure called the processor control region, or KPCR, to store - // processor-specific data. The KPCR contains basic information such as the processor's interrupt - // dispatch table(IDT), task - state segment(TSS), and global descriptor table(GDT). It also includes the - // interrupt controller state, which it shares with other modules, such as the ACPI driver and the HAL. To - // provide easy access to the KPCR, the kernel stores a pointer to it in the fs register on 32-bit Windows - // and in the gs register on an x64 Windows system." - // - // - // Let's view the address of KPCR of the current processor: - // - // 1: kd> dg gs - // P Si Gr Pr Lo - // Sel Base Limit Type l ze an es ng Flags - // ---- ---------------- - ---------------- - ---------- - -- -- -- -- -------- - // 002B ffffd001`1972e000 00000000`ffffffff Data RW Ac 3 Bg Pg P Nl 00000cf3 - // - // We only care about one field in KPCR which is IdtBase (it has been always at the offset 0x38): - // - // 1: kd> dt nt!_KPCR 0xffffd001`1972e000 - // + 0x000 NtTib : _NT_TIB - // + 0x000 GdtBase : 0xffffd001`1973b8c0 _KGDTENTRY64 - // + 0x008 TssBase : 0xffffd001`19734b40 _KTSS64 - // + 0x010 UserRsp : 0x000000c0`87cffc18 - // + 0x018 Self : 0xffffd001`1972e000 _KPCR - // + 0x020 CurrentPrcb : 0xffffd001`1972e180 _KPRCB - // + 0x028 LockArray : 0xffffd001`1972e7f0 _KSPIN_LOCK_QUEUE - // + 0x030 Used_Self : 0x000000c0`86875000 Void - // + 0x038 IdtBase : 0xffffd001`1973b930 _KIDTENTRY64 <- pointer to the IDT array - // ... 
- // - // The field is a pointer to an array of interrupt service routines in the following format: - // - // 1: kd> dt nt!_KIDTENTRY64 - // +0x000 OffsetLow : Uint2B - // +0x002 Selector : Uint2B - // +0x004 IstIndex : Pos 0, 3 Bits --+ - // +0x004 Reserved0 : Pos 3, 5 Bits | - // +0x004 Type : Pos 8, 5 Bits | - // +0x004 Dpl : Pos 13, 2 Bits |-> the interrupt service routine as a bitfield - // +0x004 Present : Pos 15, 1 Bit | - // +0x006 OffsetMiddle : Uint2B | - // +0x008 OffsetHigh : Uint4B --+ - // +0x00c Reserved1 : Uint4B - // +0x000 Alignment : Uint8B - // - // - // These interrupt service routines are functions defined within the address space of ntoskrnl.exe. We will - // use this fact for searching for the base address of ntoskrnl.exe. - // - - // Ensure that the structure is aligned on 1 byte boundary. -#pragma pack(push, 1) - typedef struct - { - UCHAR Padding[4]; - PVOID InterruptServiceRoutine; - } IDT_ENTRY; -#pragma pack(pop) - - // Find the address of IdtBase using gs register. - const auto idt_base = reinterpret_cast(__readgsqword(0x38)); - - // Find the address of the first (or any) interrupt service routine. - const auto first_isr_address = idt_base[0].InterruptServiceRoutine; - - // Align the address on page boundary. - auto page_within_ntoskrnl = reinterpret_cast(first_isr_address) & ~static_cast(0xfff); - - // Traverse pages backward until we find the PE signature (MZ) of ntoskrnl.exe in the beginning of some page. 
- while (*reinterpret_cast(page_within_ntoskrnl) != 0x5a4d) - { - page_within_ntoskrnl -= 0x1000; - } - - // Now we have the base address of ntoskrnl.exe - return reinterpret_cast(page_within_ntoskrnl); -} - -VOID -DriverUnload(PDRIVER_OBJECT driver_object) -{ - UNREFERENCED_PARAMETER(driver_object); -} - -EXTERN_C -NTSTATUS -DriverEntry(PDRIVER_OBJECT driver_object, PUNICODE_STRING registry_path) -{ - UNREFERENCED_PARAMETER(registry_path); - - driver_object->DriverUnload = DriverUnload; - - // 0 : 65 48 8b 04 25 38 00 mov rax, QWORD PTR gs : 0x38 - // 7 : 00 00 - // 9 : b9 4d 5a 00 00 mov ecx, 0x5a4d - // e : 48 8b 40 04 mov rax, QWORD PTR[rax + 0x4] - // 12: 48 25 00 f0 ff ff and rax, 0xfffffffffffff000 - // 18: eb 06 jmp 0x20 - // 1a: 48 2d 00 10 00 00 sub rax, 0x1000 - // 20: 66 39 08 cmp WORD PTR[rax], cx - // 23: 75 f5 jne 0x1a - // 25: c3 ret - - static const UCHAR shellcode[] = { - 0x65, 0x48, 0x8B, 0x04, 0x25, 0x38, 0x00, 0x00, 0x00, 0xB9, 0x4D, 0x5A, 0x00, 0x00, 0x48, 0x8B, - 0x40, 0x04, 0x48, 0x25, 0x00, 0xF0, 0xFF, 0xFF, 0xEB, 0x06, 0x48, 0x2D, 0x00, 0x10, 0x00, 0x00, - 0x66, 0x39, 0x08, 0x75, 0xF5, 0xC3 - }; - - const auto ntoskrnl_base_address = GetNtoskrnlBaseAddress(); - - const auto pool = ExAllocatePoolWithTag(NonPagedPoolExecute, sizeof(shellcode), 'KMSL'); - if (pool != nullptr) - { - RtlCopyMemory(pool, shellcode, sizeof(shellcode)); - const auto get_ntoskrnl_base_address = reinterpret_cast(pool); - ASSERT(get_ntoskrnl_base_address() == ntoskrnl_base_address); - ExFreePoolWithTag(pool, 'KMSL'); - } - - return STATUS_SUCCESS; -} - +#include + +__declspec(dllexport) +__declspec(noinline) +void* +GetNtoskrnlBaseAddress() +{ + // + // From Windows Internals part 1, chapter 2: + // + // "The kernel uses a data structure called the processor control region, or KPCR, to store + // processor-specific data. 
The KPCR contains basic information such as the processor's interrupt + // dispatch table(IDT), task - state segment(TSS), and global descriptor table(GDT). It also includes the + // interrupt controller state, which it shares with other modules, such as the ACPI driver and the HAL. To + // provide easy access to the KPCR, the kernel stores a pointer to it in the fs register on 32-bit Windows + // and in the gs register on an x64 Windows system." + // + // + // Let's view the address of KPCR of the current processor: + // + // 1: kd> dg gs + // P Si Gr Pr Lo + // Sel Base Limit Type l ze an es ng Flags + // ---- ---------------- - ---------------- - ---------- - -- -- -- -- -------- + // 002B ffffd001`1972e000 00000000`ffffffff Data RW Ac 3 Bg Pg P Nl 00000cf3 + // + // We only care about one field in KPCR which is IdtBase (it has been always at the offset 0x38): + // + // 1: kd> dt nt!_KPCR 0xffffd001`1972e000 + // + 0x000 NtTib : _NT_TIB + // + 0x000 GdtBase : 0xffffd001`1973b8c0 _KGDTENTRY64 + // + 0x008 TssBase : 0xffffd001`19734b40 _KTSS64 + // + 0x010 UserRsp : 0x000000c0`87cffc18 + // + 0x018 Self : 0xffffd001`1972e000 _KPCR + // + 0x020 CurrentPrcb : 0xffffd001`1972e180 _KPRCB + // + 0x028 LockArray : 0xffffd001`1972e7f0 _KSPIN_LOCK_QUEUE + // + 0x030 Used_Self : 0x000000c0`86875000 Void + // + 0x038 IdtBase : 0xffffd001`1973b930 _KIDTENTRY64 <- pointer to the IDT array + // ... 
+ // + // The field is a pointer to an array of interrupt service routines in the following format: + // + // 1: kd> dt nt!_KIDTENTRY64 + // +0x000 OffsetLow : Uint2B + // +0x002 Selector : Uint2B + // +0x004 IstIndex : Pos 0, 3 Bits --+ + // +0x004 Reserved0 : Pos 3, 5 Bits | + // +0x004 Type : Pos 8, 5 Bits | + // +0x004 Dpl : Pos 13, 2 Bits |-> the interrupt service routine as a bitfield + // +0x004 Present : Pos 15, 1 Bit | + // +0x006 OffsetMiddle : Uint2B | + // +0x008 OffsetHigh : Uint4B --+ + // +0x00c Reserved1 : Uint4B + // +0x000 Alignment : Uint8B + // + // + // These interrupt service routines are functions defined within the address space of ntoskrnl.exe. We will + // use this fact for searching for the base address of ntoskrnl.exe. + // + + // Ensure that the structure is aligned on 1 byte boundary. +#pragma pack(push, 1) + typedef struct + { + UCHAR Padding[4]; + PVOID InterruptServiceRoutine; + } IDT_ENTRY; +#pragma pack(pop) + + // Find the address of IdtBase using gs register. + const auto idt_base = reinterpret_cast(__readgsqword(0x38)); + + // Find the address of the first (or any) interrupt service routine. + const auto first_isr_address = idt_base[0].InterruptServiceRoutine; + + // Align the address on page boundary. + auto page_within_ntoskrnl = reinterpret_cast(first_isr_address) & ~static_cast(0xfff); + + // Traverse pages backward until we find the PE signature (MZ) of ntoskrnl.exe in the beginning of some page. 
+ while (*reinterpret_cast(page_within_ntoskrnl) != 0x5a4d)
+ {
+ page_within_ntoskrnl -= 0x1000;
+ }
+
+ // Now we have the base address of ntoskrnl.exe
+ return reinterpret_cast(page_within_ntoskrnl);
+}
+
+VOID
+DriverUnload(PDRIVER_OBJECT driver_object)
+{
+ UNREFERENCED_PARAMETER(driver_object);
+}
+
+EXTERN_C
+NTSTATUS
+DriverEntry(PDRIVER_OBJECT driver_object, PUNICODE_STRING registry_path)
+{
+ UNREFERENCED_PARAMETER(registry_path);
+
+ driver_object->DriverUnload = DriverUnload;
+
+ // 0 : 65 48 8b 04 25 38 00 mov rax, QWORD PTR gs : 0x38
+ // 7 : 00 00
+ // 9 : b9 4d 5a 00 00 mov ecx, 0x5a4d
+ // e : 48 8b 40 04 mov rax, QWORD PTR[rax + 0x4]
+ // 12: 48 25 00 f0 ff ff and rax, 0xfffffffffffff000
+ // 18: eb 06 jmp 0x20
+ // 1a: 48 2d 00 10 00 00 sub rax, 0x1000
+ // 20: 66 39 08 cmp WORD PTR[rax], cx
+ // 23: 75 f5 jne 0x1a
+ // 25: c3 ret
+
+ static const UCHAR shellcode[] = {
+ 0x65, 0x48, 0x8B, 0x04, 0x25, 0x38, 0x00, 0x00, 0x00, 0xB9, 0x4D, 0x5A, 0x00, 0x00, 0x48, 0x8B,
+ 0x40, 0x04, 0x48, 0x25, 0x00, 0xF0, 0xFF, 0xFF, 0xEB, 0x06, 0x48, 0x2D, 0x00, 0x10, 0x00, 0x00,
+ 0x66, 0x39, 0x08, 0x75, 0xF5, 0xC3
+ };
+
+ const auto ntoskrnl_base_address = GetNtoskrnlBaseAddress();
+
+ const auto pool = ExAllocatePoolWithTag(NonPagedPoolExecute, sizeof(shellcode), 'KMSL');
+ if (pool != nullptr)
+ {
+ RtlCopyMemory(pool, shellcode, sizeof(shellcode));
+ const auto get_ntoskrnl_base_address = reinterpret_cast(pool);
+ ASSERT(get_ntoskrnl_base_address() == ntoskrnl_base_address);
+ ExFreePoolWithTag(pool, 'KMSL');
+ }
+
+ return STATUS_SUCCESS;
+}
+
diff --git a/KMDF Driver2/kpcr.asm b/lpus/kpcr.asm
similarity index 91%
rename from KMDF Driver2/kpcr.asm
rename to lpus/kpcr.asm
index 2c5190f..0b1c11a 100644
--- a/KMDF Driver2/kpcr.asm
+++ b/lpus/kpcr.asm
@@ -1,11 +1,11 @@
-PUBLIC FindKdVersionBlock
-.code _text
-
-
-FindKdVersionBlock PROC PUBLIC
-mov rax, gs:[108h]
-ret
-FindKdVersionBlock ENDP
-
-
-END
+PUBLIC FindKdVersionBlock
+.code _text
+
+
+FindKdVersionBlock PROC PUBLIC
+mov rax, gs:[108h]
+ret
+FindKdVersionBlock ENDP
+
+
+END
diff --git a/KMDF Driver2/KMDFDriver2.inf b/lpus/lpus.inf
similarity index 55%
rename from KMDF Driver2/KMDFDriver2.inf
rename to lpus/lpus.inf
index 4c142fd..a628f0a 100644
--- a/KMDF Driver2/KMDFDriver2.inf
+++ b/lpus/lpus.inf
@@ -1,86 +1,86 @@
-;
-; KMDFDriver2.inf
-;
-
-[Version]
-Signature="$WINDOWS NT$"
-Class=Sample ; TODO: edit Class
-ClassGuid={78A1C341-4539-11d3-B88D-00C04FAD5171} ; TODO: edit ClassGuid
-Provider=%ManufacturerName%
-CatalogFile=KMDFDriver2.cat
-DriverVer= ; TODO: set DriverVer in stampinf property pages
-
-[DestinationDirs]
-DefaultDestDir = 12
-KMDFDriver2_Device_CoInstaller_CopyFiles = 11
-
-; ================= Class section =====================
-
-[ClassInstall32]
-Addreg=SampleClassReg
-
-[SampleClassReg]
-HKR,,,0,%ClassName%
-HKR,,Icon,,-5
-
-[SourceDisksNames]
-1 = %DiskName%,,,""
-
-[SourceDisksFiles]
-KMDFDriver2.sys = 1,,
-WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll=1 ; make sure the number matches with SourceDisksNames
-
-;*****************************************
-; Install Section
-;*****************************************
-
-[Manufacturer]
-%ManufacturerName%=Standard,NT$ARCH$
-
-[Standard.NT$ARCH$]
-%KMDFDriver2.DeviceDesc%=KMDFDriver2_Device, Root\KMDFDriver2 ; TODO: edit hw-id
-
-[KMDFDriver2_Device.NT]
-CopyFiles=Drivers_Dir
-
-[Drivers_Dir]
-KMDFDriver2.sys
-
-;-------------- Service installation
-[KMDFDriver2_Device.NT.Services]
-AddService = KMDFDriver2,%SPSVCINST_ASSOCSERVICE%, KMDFDriver2_Service_Inst
-
-; -------------- KMDFDriver2 driver install sections
-[KMDFDriver2_Service_Inst]
-DisplayName = %KMDFDriver2.SVCDESC%
-ServiceType = 1 ; SERVICE_KERNEL_DRIVER
-StartType = 3 ; SERVICE_DEMAND_START
-ErrorControl = 1 ; SERVICE_ERROR_NORMAL
-ServiceBinary = %12%\KMDFDriver2.sys
-
-;
-;--- KMDFDriver2_Device Coinstaller installation ------
-;
-
-[KMDFDriver2_Device.NT.CoInstallers]
-AddReg=KMDFDriver2_Device_CoInstaller_AddReg
-CopyFiles=KMDFDriver2_Device_CoInstaller_CopyFiles
-
-[KMDFDriver2_Device_CoInstaller_AddReg]
-HKR,,CoInstallers32,0x00010000, "WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll,WdfCoInstaller"
-
-[KMDFDriver2_Device_CoInstaller_CopyFiles]
-WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll
-
-[KMDFDriver2_Device.NT.Wdf]
-KmdfService = KMDFDriver2, KMDFDriver2_wdfsect
-[KMDFDriver2_wdfsect]
-KmdfLibraryVersion = $KMDFVERSION$
-
-[Strings]
-SPSVCINST_ASSOCSERVICE= 0x00000002
-ManufacturerName="" ;TODO: Replace with your manufacturer name
-ClassName="Samples" ; TODO: edit ClassName
-DiskName = "KMDFDriver2 Installation Disk"
-KMDFDriver2.DeviceDesc = "KMDFDriver2 Device"
-KMDFDriver2.SVCDESC = "KMDFDriver2 Service"
+;
+; lpus.inf
+;
+
+[Version]
+Signature="$WINDOWS NT$"
+Class=Sample ; TODO: edit Class
+ClassGuid={78A1C341-4539-11d3-B88D-00C04FAD5171} ; TODO: edit ClassGuid
+Provider=%ManufacturerName%
+CatalogFile=lpus.cat
+DriverVer= ; TODO: set DriverVer in stampinf property pages
+
+[DestinationDirs]
+DefaultDestDir = 12
+lpus_Device_CoInstaller_CopyFiles = 11
+
+; ================= Class section =====================
+
+[ClassInstall32]
+Addreg=SampleClassReg
+
+[SampleClassReg]
+HKR,,,0,%ClassName%
+HKR,,Icon,,-5
+
+[SourceDisksNames]
+1 = %DiskName%,,,""
+
+[SourceDisksFiles]
+lpus.sys = 1,,
+WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll=1 ; make sure the number matches with SourceDisksNames
+
+;*****************************************
+; Install Section
+;*****************************************
+
+[Manufacturer]
+%ManufacturerName%=Standard,NT$ARCH$
+
+[Standard.NT$ARCH$]
+%lpus.DeviceDesc%=lpus_Device, Root\lpus ; TODO: edit hw-id
+
+[lpus_Device.NT]
+CopyFiles=Drivers_Dir
+
+[Drivers_Dir]
+lpus.sys
+
+;-------------- Service installation
+[lpus_Device.NT.Services]
+AddService = lpus,%SPSVCINST_ASSOCSERVICE%, lpus_Service_Inst
+
+; -------------- lpus driver install sections
+[lpus_Service_Inst]
+DisplayName = %lpus.SVCDESC%
+ServiceType = 1 ; SERVICE_KERNEL_DRIVER
+StartType = 3 ; SERVICE_DEMAND_START
+ErrorControl = 1 ; SERVICE_ERROR_NORMAL
+ServiceBinary = %12%\lpus.sys
+
+;
+;--- lpus_Device Coinstaller installation ------
+;
+
+[lpus_Device.NT.CoInstallers]
+AddReg=lpus_Device_CoInstaller_AddReg
+CopyFiles=lpus_Device_CoInstaller_CopyFiles
+
+[lpus_Device_CoInstaller_AddReg]
+HKR,,CoInstallers32,0x00010000, "WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll,WdfCoInstaller"
+
+[lpus_Device_CoInstaller_CopyFiles]
+WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll
+
+[lpus_Device.NT.Wdf]
+KmdfService = lpus, lpus_wdfsect
+[lpus_wdfsect]
+KmdfLibraryVersion = $KMDFVERSION$
+
+[Strings]
+SPSVCINST_ASSOCSERVICE= 0x00000002
+ManufacturerName="" ;TODO: Replace with your manufacturer name
+ClassName="Samples" ; TODO: edit ClassName
+DiskName = "lpus Installation Disk"
+lpus.DeviceDesc = "lpus Device"
+lpus.SVCDESC = "lpus Service"
diff --git a/KMDF Driver2/KMDF Driver2.vcxproj b/lpus/lpus.vcxproj
similarity index 96%
rename from KMDF Driver2/KMDF Driver2.vcxproj
rename to lpus/lpus.vcxproj
index c4a6b2f..3a8bfa7 100644
--- a/KMDF Driver2/KMDF Driver2.vcxproj
+++ b/lpus/lpus.vcxproj
@@ -1,167 +1,168 @@ - - - - - Debug - Win32 - - - Release - Win32 - - - Debug - x64 - - - Release - x64 - - - Debug - ARM - - - Release - ARM - - - Debug - ARM64 - - - Release - ARM64 - - - - {905D3C7D-3EAD-4977-975E-B1FFD3E6FBE4} - {1bc93793-694f-48fe-9372-81e2b05556fd} - v4.5 - 12.0 - Debug - Win32 - KMDF_Driver2 - - - - Windows10 - true - WindowsKernelModeDriver10.0 - Driver - KMDF - Universal - - - Windows10 - false - WindowsKernelModeDriver10.0 - Driver - KMDF - Universal - - - Windows10 - true - WindowsKernelModeDriver10.0 - Driver - KMDF - Universal - - - Windows10 - false - WindowsKernelModeDriver10.0 - Driver - KMDF - Universal - - - Windows10 - true - WindowsKernelModeDriver10.0 - Driver - KMDF - Universal - - - Windows10 - false - WindowsKernelModeDriver10.0 - Driver - KMDF - Universal - - - Windows10 - true - WindowsKernelModeDriver10.0 - Driver - KMDF - Universal - - - Windows10 - false - WindowsKernelModeDriver10.0 - Driver - KMDF - Universal - - - - - - - - - - - DbgengKernelDebugger - - - DbgengKernelDebugger - - - DbgengKernelDebugger - true - - - DbgengKernelDebugger - - - DbgengKernelDebugger - - - DbgengKernelDebugger - - - DbgengKernelDebugger - - - DbgengKernelDebugger - - - - $(DDK_LIB_PATH)\netio.lib;%(AdditionalDependencies) - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file + + + + + Debug + Win32 + + + Release + Win32 + + + Debug + x64 + + + Release + x64 + + + Debug + ARM + + + Release + ARM + + + Debug + ARM64 + + + Release + ARM64 + + + + {905D3C7D-3EAD-4977-975E-B1FFD3E6FBE4} + {1bc93793-694f-48fe-9372-81e2b05556fd} + v4.5 + 12.0 + Debug + Win32 + lpus + lpus + + + + Windows10 + true + WindowsKernelModeDriver10.0 + Driver + KMDF + Universal + + + Windows10 + false + WindowsKernelModeDriver10.0 + Driver + KMDF + Universal + + + Windows10 + true + WindowsKernelModeDriver10.0 + Driver + KMDF + Universal + + + Windows10 + false + WindowsKernelModeDriver10.0 + Driver + KMDF + Universal + + + Windows10 + true + 
WindowsKernelModeDriver10.0 + Driver + KMDF + Universal + + + Windows10 + false + WindowsKernelModeDriver10.0 + Driver + KMDF + Universal + + + Windows10 + true + WindowsKernelModeDriver10.0 + Driver + KMDF + Universal + + + Windows10 + false + WindowsKernelModeDriver10.0 + Driver + KMDF + Universal + + + + + + + + + + + DbgengKernelDebugger + + + DbgengKernelDebugger + + + DbgengKernelDebugger + true + + + DbgengKernelDebugger + + + DbgengKernelDebugger + + + DbgengKernelDebugger + + + DbgengKernelDebugger + + + DbgengKernelDebugger + + + + $(DDK_LIB_PATH)\netio.lib;%(AdditionalDependencies) + + + + + + + + + + + + + + + + + + + + + diff --git a/KMDF Driver2/KMDF Driver2.vcxproj.filters b/lpus/lpus.vcxproj.filters similarity index 94% rename from KMDF Driver2/KMDF Driver2.vcxproj.filters rename to lpus/lpus.vcxproj.filters index 66b7041..e2807d6 100644 --- a/KMDF Driver2/KMDF Driver2.vcxproj.filters +++ b/lpus/lpus.vcxproj.filters @@ -1,45 +1,45 @@ - - - - - {4FC737F1-C7A5-4376-A066-2A32D752A2FF} - cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx - - - {93995380-89BD-4b04-88EB-625FBE52EBFB} - h;hpp;hxx;hm;inl;inc;xsd - - - {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} - rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms - - - {8E41214B-6785-4CFE-B992-037D68949A14} - inf;inv;inx;mof;mc; - - - - - Driver Files - - - - - Source Files - - - Source Files - - - - - Header Files - - - Header Files - - - Header Files - - - \ No newline at end of file + + + + + {4FC737F1-C7A5-4376-A066-2A32D752A2FF} + cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx + + + {93995380-89BD-4b04-88EB-625FBE52EBFB} + h;hpp;hxx;hm;inl;inc;xsd + + + {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} + rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms + + + {8E41214B-6785-4CFE-B992-037D68949A14} + inf;inv;inx;mof;mc; + + + + + Driver Files + + + + + Source Files + + + Source Files + + + + + Header Files + + + Header Files + + + Header Files + + + 
diff --git a/KMDF Driver2/note.md b/lpus/note.md
similarity index 100%
rename from KMDF Driver2/note.md
rename to lpus/note.md
diff --git a/KMDF Driver2/peformat.h b/lpus/peformat.h
similarity index 96%
rename from KMDF Driver2/peformat.h
rename to lpus/peformat.h
index 2d063a2..8d20687 100644
--- a/KMDF Driver2/peformat.h
+++ b/lpus/peformat.h
@@ -1,209 +1,209 @@ -// Copyright Ric Vieler, 2006 -// Support header for hookManager.c -// Contains required PE file format data structures used by GetFunctionAddress() - -#ifndef _PE_FORMAT_HEADER_ -#define _PE_FORMAT_HEADER_ - - -typedef unsigned short WORD; -typedef unsigned long DWORD; -typedef long LONG; -typedef unsigned char BYTE; -typedef unsigned long ULONG; -typedef unsigned short USHORT; -typedef unsigned char UCHAR; - typedef unsigned __int64 ULONGLONG; - - -// -// Image Format -// - -#define IMAGE_DOS_SIGNATURE 0x5A4D // MZ -#define IMAGE_NT_SIGNATURE 0x00004550 // PE00 - -typedef struct _IMAGE_DOS_HEADER { // DOS .EXE header - WORD e_magic; // Magic number - WORD e_cblp; // Bytes on last page of file - WORD e_cp; // Pages in file - WORD e_crlc; // Relocations - WORD e_cparhdr; // Size of header in paragraphs - WORD e_minalloc; // Minimum extra paragraphs needed - WORD e_maxalloc; // Maximum extra paragraphs needed - WORD e_ss; // Initial (relative) SS value - WORD e_sp; // Initial SP value - WORD e_csum; // Checksum - WORD e_ip; // Initial IP value - WORD e_cs; // Initial (relative) CS value - WORD e_lfarlc; // File address of relocation table - WORD e_ovno; // Overlay number - WORD e_res[4]; // Reserved words - WORD e_oemid; // OEM identifier (for e_oeminfo) - WORD e_oeminfo; // OEM information; e_oemid specific - WORD e_res2[10]; // Reserved words - LONG e_lfanew; // File address of new exe header - } IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER; - - -// -// File header format. -// - -typedef struct _IMAGE_FILE_HEADER { - WORD Machine; - WORD NumberOfSections; - DWORD TimeDateStamp; - DWORD PointerToSymbolTable; - DWORD NumberOfSymbols; - WORD SizeOfOptionalHeader; - WORD Characteristics; -} IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER; - - -// -// Directory format. 
-// - -typedef struct _IMAGE_DATA_DIRECTORY { - DWORD VirtualAddress; - DWORD Size; -} IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY; - -#define IMAGE_NUMBEROF_DIRECTORY_ENTRIES 16 - -// -// Optional header format. -// - -typedef struct _IMAGE_OPTIONAL_HEADER { - // - // Standard fields. - // - - WORD Magic; - BYTE MajorLinkerVersion; - BYTE MinorLinkerVersion; - DWORD SizeOfCode; - DWORD SizeOfInitializedData; - DWORD SizeOfUninitializedData; - DWORD AddressOfEntryPoint; - DWORD BaseOfCode; - DWORD BaseOfData; - - // - // NT additional fields. - // - - DWORD ImageBase; - DWORD SectionAlignment; - DWORD FileAlignment; - WORD MajorOperatingSystemVersion; - WORD MinorOperatingSystemVersion; - WORD MajorImageVersion; - WORD MinorImageVersion; - WORD MajorSubsystemVersion; - WORD MinorSubsystemVersion; - DWORD Win32VersionValue; - DWORD SizeOfImage; - DWORD SizeOfHeaders; - DWORD CheckSum; - WORD Subsystem; - WORD DllCharacteristics; - DWORD SizeOfStackReserve; - DWORD SizeOfStackCommit; - DWORD SizeOfHeapReserve; - DWORD SizeOfHeapCommit; - DWORD LoaderFlags; - DWORD NumberOfRvaAndSizes; - IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES]; -} IMAGE_OPTIONAL_HEADER, *PIMAGE_OPTIONAL_HEADER; - -typedef struct _IMAGE_OPTIONAL_HEADER64 { - WORD Magic; - BYTE MajorLinkerVersion; - BYTE MinorLinkerVersion; - DWORD SizeOfCode; - DWORD SizeOfInitializedData; - DWORD SizeOfUninitializedData; - DWORD AddressOfEntryPoint; - DWORD BaseOfCode; - ULONGLONG ImageBase; - DWORD SectionAlignment; - DWORD FileAlignment; - WORD MajorOperatingSystemVersion; - WORD MinorOperatingSystemVersion; - WORD MajorImageVersion; - WORD MinorImageVersion; - WORD MajorSubsystemVersion; - WORD MinorSubsystemVersion; - DWORD Win32VersionValue; - DWORD SizeOfImage; - DWORD SizeOfHeaders; - DWORD CheckSum; - WORD Subsystem; - WORD DllCharacteristics; - ULONGLONG SizeOfStackReserve; - ULONGLONG SizeOfStackCommit; - ULONGLONG SizeOfHeapReserve; - ULONGLONG SizeOfHeapCommit; - DWORD 
LoaderFlags; - DWORD NumberOfRvaAndSizes; - IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES]; -} IMAGE_OPTIONAL_HEADER64, *PIMAGE_OPTIONAL_HEADER64; - -typedef struct _IMAGE_NT_HEADERS { - ULONG Signature; - IMAGE_FILE_HEADER FileHeader; - IMAGE_OPTIONAL_HEADER OptionalHeader; -} IMAGE_NT_HEADERS32, *PIMAGE_NT_HEADERS32; - -typedef struct _IMAGE_NT_HEADER64 { - DWORD Signature; - IMAGE_FILE_HEADER FileHeader; - IMAGE_OPTIONAL_HEADER64 OptionalHeader; -} IMAGE_NT_HEADER64, *PIMAGE_NT_HEADER64; - -#define IMAGE_SIZEOF_SHORT_NAME 8 - -typedef struct _IMAGE_SECTION_HEADER { - UCHAR Name[IMAGE_SIZEOF_SHORT_NAME]; - union { - ULONG PhysicalAddress; - ULONG VirtualSize; - } Misc; - ULONG VirtualAddress; - ULONG SizeOfRawData; - ULONG PointerToRawData; - ULONG PointerToRelocations; - ULONG PointerToLinenumbers; - USHORT NumberOfRelocations; - USHORT NumberOfLinenumbers; - ULONG Characteristics; -} IMAGE_SECTION_HEADER, *PIMAGE_SECTION_HEADER; - -// -// Export Format -// - -typedef struct _IMAGE_EXPORT_DIRECTORY { - DWORD Characteristics; - DWORD TimeDateStamp; - WORD MajorVersion; - WORD MinorVersion; - DWORD Name; - DWORD Base; - DWORD NumberOfFunctions; - DWORD NumberOfNames; - DWORD AddressOfFunctions; // RVA from base of image - DWORD AddressOfNames; // RVA from base of image - DWORD AddressOfNameOrdinals; // RVA from base of image -} IMAGE_EXPORT_DIRECTORY, *PIMAGE_EXPORT_DIRECTORY; - -// Directory Entries - -#define IMAGE_DIRECTORY_ENTRY_EXPORT 0 // Export Directory - -#endif - - +// Copyright Ric Vieler, 2006 +// Support header for hookManager.c +// Contains required PE file format data structures used by GetFunctionAddress() + +#ifndef _PE_FORMAT_HEADER_ +#define _PE_FORMAT_HEADER_ + + +typedef unsigned short WORD; +typedef unsigned long DWORD; +typedef long LONG; +typedef unsigned char BYTE; +typedef unsigned long ULONG; +typedef unsigned short USHORT; +typedef unsigned char UCHAR; + typedef unsigned __int64 ULONGLONG; + + +// +// Image Format 
+// + +#define IMAGE_DOS_SIGNATURE 0x5A4D // MZ +#define IMAGE_NT_SIGNATURE 0x00004550 // PE00 + +typedef struct _IMAGE_DOS_HEADER { // DOS .EXE header + WORD e_magic; // Magic number + WORD e_cblp; // Bytes on last page of file + WORD e_cp; // Pages in file + WORD e_crlc; // Relocations + WORD e_cparhdr; // Size of header in paragraphs + WORD e_minalloc; // Minimum extra paragraphs needed + WORD e_maxalloc; // Maximum extra paragraphs needed + WORD e_ss; // Initial (relative) SS value + WORD e_sp; // Initial SP value + WORD e_csum; // Checksum + WORD e_ip; // Initial IP value + WORD e_cs; // Initial (relative) CS value + WORD e_lfarlc; // File address of relocation table + WORD e_ovno; // Overlay number + WORD e_res[4]; // Reserved words + WORD e_oemid; // OEM identifier (for e_oeminfo) + WORD e_oeminfo; // OEM information; e_oemid specific + WORD e_res2[10]; // Reserved words + LONG e_lfanew; // File address of new exe header + } IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER; + + +// +// File header format. +// + +typedef struct _IMAGE_FILE_HEADER { + WORD Machine; + WORD NumberOfSections; + DWORD TimeDateStamp; + DWORD PointerToSymbolTable; + DWORD NumberOfSymbols; + WORD SizeOfOptionalHeader; + WORD Characteristics; +} IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER; + + +// +// Directory format. +// + +typedef struct _IMAGE_DATA_DIRECTORY { + DWORD VirtualAddress; + DWORD Size; +} IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY; + +#define IMAGE_NUMBEROF_DIRECTORY_ENTRIES 16 + +// +// Optional header format. +// + +typedef struct _IMAGE_OPTIONAL_HEADER { + // + // Standard fields. + // + + WORD Magic; + BYTE MajorLinkerVersion; + BYTE MinorLinkerVersion; + DWORD SizeOfCode; + DWORD SizeOfInitializedData; + DWORD SizeOfUninitializedData; + DWORD AddressOfEntryPoint; + DWORD BaseOfCode; + DWORD BaseOfData; + + // + // NT additional fields. 
+ // + + DWORD ImageBase; + DWORD SectionAlignment; + DWORD FileAlignment; + WORD MajorOperatingSystemVersion; + WORD MinorOperatingSystemVersion; + WORD MajorImageVersion; + WORD MinorImageVersion; + WORD MajorSubsystemVersion; + WORD MinorSubsystemVersion; + DWORD Win32VersionValue; + DWORD SizeOfImage; + DWORD SizeOfHeaders; + DWORD CheckSum; + WORD Subsystem; + WORD DllCharacteristics; + DWORD SizeOfStackReserve; + DWORD SizeOfStackCommit; + DWORD SizeOfHeapReserve; + DWORD SizeOfHeapCommit; + DWORD LoaderFlags; + DWORD NumberOfRvaAndSizes; + IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES]; +} IMAGE_OPTIONAL_HEADER, *PIMAGE_OPTIONAL_HEADER; + +typedef struct _IMAGE_OPTIONAL_HEADER64 { + WORD Magic; + BYTE MajorLinkerVersion; + BYTE MinorLinkerVersion; + DWORD SizeOfCode; + DWORD SizeOfInitializedData; + DWORD SizeOfUninitializedData; + DWORD AddressOfEntryPoint; + DWORD BaseOfCode; + ULONGLONG ImageBase; + DWORD SectionAlignment; + DWORD FileAlignment; + WORD MajorOperatingSystemVersion; + WORD MinorOperatingSystemVersion; + WORD MajorImageVersion; + WORD MinorImageVersion; + WORD MajorSubsystemVersion; + WORD MinorSubsystemVersion; + DWORD Win32VersionValue; + DWORD SizeOfImage; + DWORD SizeOfHeaders; + DWORD CheckSum; + WORD Subsystem; + WORD DllCharacteristics; + ULONGLONG SizeOfStackReserve; + ULONGLONG SizeOfStackCommit; + ULONGLONG SizeOfHeapReserve; + ULONGLONG SizeOfHeapCommit; + DWORD LoaderFlags; + DWORD NumberOfRvaAndSizes; + IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES]; +} IMAGE_OPTIONAL_HEADER64, *PIMAGE_OPTIONAL_HEADER64; + +typedef struct _IMAGE_NT_HEADERS { + ULONG Signature; + IMAGE_FILE_HEADER FileHeader; + IMAGE_OPTIONAL_HEADER OptionalHeader; +} IMAGE_NT_HEADERS32, *PIMAGE_NT_HEADERS32; + +typedef struct _IMAGE_NT_HEADER64 { + DWORD Signature; + IMAGE_FILE_HEADER FileHeader; + IMAGE_OPTIONAL_HEADER64 OptionalHeader; +} IMAGE_NT_HEADER64, *PIMAGE_NT_HEADER64; + +#define IMAGE_SIZEOF_SHORT_NAME 8 + 
+typedef struct _IMAGE_SECTION_HEADER { + UCHAR Name[IMAGE_SIZEOF_SHORT_NAME]; + union { + ULONG PhysicalAddress; + ULONG VirtualSize; + } Misc; + ULONG VirtualAddress; + ULONG SizeOfRawData; + ULONG PointerToRawData; + ULONG PointerToRelocations; + ULONG PointerToLinenumbers; + USHORT NumberOfRelocations; + USHORT NumberOfLinenumbers; + ULONG Characteristics; +} IMAGE_SECTION_HEADER, *PIMAGE_SECTION_HEADER; + +// +// Export Format +// + +typedef struct _IMAGE_EXPORT_DIRECTORY { + DWORD Characteristics; + DWORD TimeDateStamp; + WORD MajorVersion; + WORD MinorVersion; + DWORD Name; + DWORD Base; + DWORD NumberOfFunctions; + DWORD NumberOfNames; + DWORD AddressOfFunctions; // RVA from base of image + DWORD AddressOfNames; // RVA from base of image + DWORD AddressOfNameOrdinals; // RVA from base of image +} IMAGE_EXPORT_DIRECTORY, *PIMAGE_EXPORT_DIRECTORY; + +// Directory Entries + +#define IMAGE_DIRECTORY_ENTRY_EXPORT 0 // Export Directory + +#endif + + diff --git a/KMDF Driver2/simplewsk.c b/lpus/simplewsk.c similarity index 96% rename from KMDF Driver2/simplewsk.c rename to lpus/simplewsk.c index 881790d..da4e36f 100644 --- a/KMDF Driver2/simplewsk.c +++ b/lpus/simplewsk.c 
@@ -1,479 +1,479 @@ -/*++ - -Module Name: - - simplewsk.c - -Abstract: - - Wrapper library for WSK functions - -Author: - - MaD, 12-May-2009 - ---*/ - -#include "simplewsk.h" - -static WSK_REGISTRATION g_WskRegistration; -static WSK_PROVIDER_NPI g_WskProvider; -static WSK_CLIENT_DISPATCH g_WskDispatch = {MAKE_WSK_VERSION(1, 0), 0, NULL}; - -enum { DEINITIALIZED, DEINITIALIZING, INITIALIZING, INITIALIZED }; - -static LONG g_SocketsState = DEINITIALIZED; - -static NTSTATUS NTAPI CompletionRoutine(__in PDEVICE_OBJECT DeviceObject, - __in PIRP Irp, - __in PKEVENT CompletionEvent) { - ASSERT(CompletionEvent); - - UNREFERENCED_PARAMETER(Irp); - UNREFERENCED_PARAMETER(DeviceObject); - - KeSetEvent(CompletionEvent, IO_NO_INCREMENT, FALSE); - return STATUS_MORE_PROCESSING_REQUIRED; -} - -static NTSTATUS InitWskData(__out PIRP* pIrp, __out PKEVENT CompletionEvent) { - ASSERT(pIrp); - ASSERT(CompletionEvent); - - *pIrp = IoAllocateIrp(1, FALSE); - if (!*pIrp) { - KdPrint(("InitWskData(): IoAllocateIrp() failed\n")); - return STATUS_INSUFFICIENT_RESOURCES; - } - - KeInitializeEvent(CompletionEvent, SynchronizationEvent, FALSE); - IoSetCompletionRoutine(*pIrp, CompletionRoutine, CompletionEvent, TRUE, TRUE, - TRUE); - return STATUS_SUCCESS; -} - -static NTSTATUS InitWskBuffer(__in PVOID Buffer, __in ULONG BufferSize, - __out PWSK_BUF WskBuffer) { - NTSTATUS Status = STATUS_SUCCESS; - - ASSERT(Buffer); - ASSERT(BufferSize); - ASSERT(WskBuffer); - - WskBuffer->Offset = 0; - WskBuffer->Length = BufferSize; - - WskBuffer->Mdl = IoAllocateMdl(Buffer, BufferSize, FALSE, FALSE, NULL); - if (!WskBuffer->Mdl) { - KdPrint(("InitWskBuffer(): IoAllocateMdl() failed\n")); - return STATUS_INSUFFICIENT_RESOURCES; - } - - __try { - MmProbeAndLockPages(WskBuffer->Mdl, KernelMode, IoWriteAccess); - } __except (EXCEPTION_EXECUTE_HANDLER) { - KdPrint(("InitWskBuffer(): MmProbeAndLockPages(%p) failed\n", Buffer)); - IoFreeMdl(WskBuffer->Mdl); - Status = STATUS_ACCESS_VIOLATION; - } - - return 
Status; -} - -static VOID FreeWskBuffer(__in PWSK_BUF WskBuffer) { - ASSERT(WskBuffer); - - MmUnlockPages(WskBuffer->Mdl); - IoFreeMdl(WskBuffer->Mdl); -} - -// -// Library initialization routine -// - -NTSTATUS NTAPI WSKStartup() { - WSK_CLIENT_NPI WskClient = {0}; - NTSTATUS Status = STATUS_UNSUCCESSFUL; - - if (InterlockedCompareExchange(&g_SocketsState, INITIALIZING, - DEINITIALIZED) != DEINITIALIZED) - return STATUS_ALREADY_REGISTERED; - - WskClient.ClientContext = NULL; - WskClient.Dispatch = &g_WskDispatch; - - Status = WskRegister(&WskClient, &g_WskRegistration); - if (!NT_SUCCESS(Status)) { - KdPrint(("WskRegister() failed with status 0x%08X\n", Status)); - InterlockedExchange(&g_SocketsState, DEINITIALIZED); - return Status; - } - - Status = - WskCaptureProviderNPI(&g_WskRegistration, WSK_NO_WAIT, &g_WskProvider); - if (!NT_SUCCESS(Status)) { - KdPrint(("WskCaptureProviderNPI() failed with status 0x%08X\n", Status)); - WskDeregister(&g_WskRegistration); - InterlockedExchange(&g_SocketsState, DEINITIALIZED); - return Status; - } - - InterlockedExchange(&g_SocketsState, INITIALIZED); - return STATUS_SUCCESS; -} - -// -// Library deinitialization routine -// - -VOID NTAPI WSKCleanup() { - if (InterlockedCompareExchange(&g_SocketsState, INITIALIZED, - DEINITIALIZING) != INITIALIZED) - return; - - WskReleaseProviderNPI(&g_WskRegistration); - WskDeregister(&g_WskRegistration); - - InterlockedExchange(&g_SocketsState, DEINITIALIZED); -} - -PWSK_SOCKET -NTAPI -CreateSocket(__in ADDRESS_FAMILY AddressFamily, __in USHORT SocketType, - __in ULONG Protocol, __in ULONG Flags) { - KEVENT CompletionEvent = {0}; - PIRP Irp = NULL; - PWSK_SOCKET WskSocket = NULL; - NTSTATUS Status = STATUS_UNSUCCESSFUL; - - if (g_SocketsState != INITIALIZED) return NULL; - - Status = InitWskData(&Irp, &CompletionEvent); - if (!NT_SUCCESS(Status)) { - KdPrint( - ("CreateSocket(): InitWskData() failed with status 0x%08X\n", Status)); - return NULL; - } - - Status = 
g_WskProvider.Dispatch->WskSocket( - g_WskProvider.Client, AddressFamily, SocketType, Protocol, Flags, NULL, - NULL, NULL, NULL, NULL, Irp); - if (Status == STATUS_PENDING) { - KeWaitForSingleObject(&CompletionEvent, Executive, KernelMode, FALSE, NULL); - Status = Irp->IoStatus.Status; - } - - WskSocket = - NT_SUCCESS(Status) ? (PWSK_SOCKET)Irp->IoStatus.Information : NULL; - - IoFreeIrp(Irp); - return (PWSK_SOCKET)WskSocket; -} - -NTSTATUS -NTAPI -CloseSocket(__in PWSK_SOCKET WskSocket) { - KEVENT CompletionEvent = {0}; - PIRP Irp = NULL; - NTSTATUS Status = STATUS_UNSUCCESSFUL; - - if (g_SocketsState != INITIALIZED || !WskSocket) - return STATUS_INVALID_PARAMETER; - - Status = InitWskData(&Irp, &CompletionEvent); - if (!NT_SUCCESS(Status)) { - KdPrint( - ("CloseSocket(): InitWskData() failed with status 0x%08X\n", Status)); - return Status; - } - - Status = ((PWSK_PROVIDER_BASIC_DISPATCH)WskSocket->Dispatch) - ->WskCloseSocket(WskSocket, Irp); - if (Status == STATUS_PENDING) { - KeWaitForSingleObject(&CompletionEvent, Executive, KernelMode, FALSE, NULL); - Status = Irp->IoStatus.Status; - } - - IoFreeIrp(Irp); - return Status; -} - -NTSTATUS -NTAPI -Connect(__in PWSK_SOCKET WskSocket, __in PSOCKADDR RemoteAddress) { - KEVENT CompletionEvent = {0}; - PIRP Irp = NULL; - NTSTATUS Status = STATUS_UNSUCCESSFUL; - - if (g_SocketsState != INITIALIZED || !WskSocket || !RemoteAddress) - return STATUS_INVALID_PARAMETER; - - Status = InitWskData(&Irp, &CompletionEvent); - if (!NT_SUCCESS(Status)) { - KdPrint(("Connect(): InitWskData() failed with status 0x%08X\n", Status)); - return Status; - } - - Status = ((PWSK_PROVIDER_CONNECTION_DISPATCH)WskSocket->Dispatch) - ->WskConnect(WskSocket, RemoteAddress, 0, Irp); - if (Status == STATUS_PENDING) { - KeWaitForSingleObject(&CompletionEvent, Executive, KernelMode, FALSE, NULL); - Status = Irp->IoStatus.Status; - } - - IoFreeIrp(Irp); - return Status; -} - -PWSK_SOCKET -NTAPI -SocketConnect(__in USHORT SocketType, __in ULONG 
Protocol, - __in PSOCKADDR RemoteAddress, __in PSOCKADDR LocalAddress) { - KEVENT CompletionEvent = {0}; - PIRP Irp = NULL; - NTSTATUS Status = STATUS_UNSUCCESSFUL; - PWSK_SOCKET WskSocket = NULL; - - if (g_SocketsState != INITIALIZED || !RemoteAddress || !LocalAddress) - return NULL; - - Status = InitWskData(&Irp, &CompletionEvent); - if (!NT_SUCCESS(Status)) { - KdPrint(("InitWskData() failed with status 0x%08X\n", Status)); - return NULL; - } - - Status = g_WskProvider.Dispatch->WskSocketConnect( - g_WskProvider.Client, SocketType, Protocol, LocalAddress, RemoteAddress, - 0, NULL, NULL, NULL, NULL, NULL, Irp); - if (Status == STATUS_PENDING) { - KeWaitForSingleObject(&CompletionEvent, Executive, KernelMode, FALSE, NULL); - Status = Irp->IoStatus.Status; - } - - WskSocket = - NT_SUCCESS(Status) ? (PWSK_SOCKET)Irp->IoStatus.Information : NULL; - - IoFreeIrp(Irp); - return WskSocket; -} - -LONG NTAPI Send(__in PWSK_SOCKET WskSocket, __in PVOID Buffer, - __in ULONG BufferSize, __in ULONG Flags) { - KEVENT CompletionEvent = {0}; - PIRP Irp = NULL; - WSK_BUF WskBuffer = {0}; - LONG BytesSent = SOCKET_ERROR; - NTSTATUS Status = STATUS_UNSUCCESSFUL; - - if (g_SocketsState != INITIALIZED || !WskSocket || !Buffer || !BufferSize) - return SOCKET_ERROR; - - Status = InitWskBuffer(Buffer, BufferSize, &WskBuffer); - if (!NT_SUCCESS(Status)) { - KdPrint(("Send(): InitWskData() failed with status 0x%08X\n", Status)); - return SOCKET_ERROR; - } - - Status = InitWskData(&Irp, &CompletionEvent); - if (!NT_SUCCESS(Status)) { - KdPrint(("Send(): InitWskData() failed with status 0x%08X\n", Status)); - FreeWskBuffer(&WskBuffer); - return SOCKET_ERROR; - } - - Status = ((PWSK_PROVIDER_CONNECTION_DISPATCH)WskSocket->Dispatch) - ->WskSend(WskSocket, &WskBuffer, Flags, Irp); - if (Status == STATUS_PENDING) { - KeWaitForSingleObject(&CompletionEvent, Executive, KernelMode, FALSE, NULL); - Status = Irp->IoStatus.Status; - } - - BytesSent = - NT_SUCCESS(Status) ? 
(LONG)Irp->IoStatus.Information : SOCKET_ERROR; - - IoFreeIrp(Irp); - FreeWskBuffer(&WskBuffer); - return BytesSent; -} - -LONG NTAPI SendTo(__in PWSK_SOCKET WskSocket, __in PVOID Buffer, - __in ULONG BufferSize, __in_opt PSOCKADDR RemoteAddress) { - KEVENT CompletionEvent = {0}; - PIRP Irp = NULL; - WSK_BUF WskBuffer = {0}; - LONG BytesSent = SOCKET_ERROR; - NTSTATUS Status = STATUS_UNSUCCESSFUL; - - if (g_SocketsState != INITIALIZED || !WskSocket || !Buffer || !BufferSize) - return SOCKET_ERROR; - - Status = InitWskBuffer(Buffer, BufferSize, &WskBuffer); - if (!NT_SUCCESS(Status)) { - KdPrint(("SendTo(): InitWskData() failed with status 0x%08X\n", Status)); - return SOCKET_ERROR; - } - - Status = InitWskData(&Irp, &CompletionEvent); - if (!NT_SUCCESS(Status)) { - KdPrint(("SendTo(): InitWskData() failed with status 0x%08X\n", Status)); - FreeWskBuffer(&WskBuffer); - return SOCKET_ERROR; - } - - Status = - ((PWSK_PROVIDER_DATAGRAM_DISPATCH)WskSocket->Dispatch) - ->WskSendTo(WskSocket, &WskBuffer, 0, RemoteAddress, 0, NULL, Irp); - if (Status == STATUS_PENDING) { - KeWaitForSingleObject(&CompletionEvent, Executive, KernelMode, FALSE, NULL); - Status = Irp->IoStatus.Status; - } - - BytesSent = - NT_SUCCESS(Status) ? 
(LONG)Irp->IoStatus.Information : SOCKET_ERROR; - - IoFreeIrp(Irp); - FreeWskBuffer(&WskBuffer); - return BytesSent; -} - -LONG NTAPI Receive(__in PWSK_SOCKET WskSocket, __out PVOID Buffer, - __in ULONG BufferSize, __in ULONG Flags) { - KEVENT CompletionEvent = {0}; - PIRP Irp = NULL; - WSK_BUF WskBuffer = {0}; - LONG BytesReceived = SOCKET_ERROR; - NTSTATUS Status = STATUS_UNSUCCESSFUL; - - if (g_SocketsState != INITIALIZED || !WskSocket || !Buffer || !BufferSize) - return SOCKET_ERROR; - - Status = InitWskBuffer(Buffer, BufferSize, &WskBuffer); - if (!NT_SUCCESS(Status)) { - KdPrint(("Receive(): InitWskData() failed with status 0x%08X\n", Status)); - return SOCKET_ERROR; - } - - Status = InitWskData(&Irp, &CompletionEvent); - if (!NT_SUCCESS(Status)) { - KdPrint(("Receive(): InitWskData() failed with status 0x%08X\n", Status)); - FreeWskBuffer(&WskBuffer); - return SOCKET_ERROR; - } - - Status = ((PWSK_PROVIDER_CONNECTION_DISPATCH)WskSocket->Dispatch) - ->WskReceive(WskSocket, &WskBuffer, Flags, Irp); - if (Status == STATUS_PENDING) { - KeWaitForSingleObject(&CompletionEvent, Executive, KernelMode, FALSE, NULL); - Status = Irp->IoStatus.Status; - } - - BytesReceived = - NT_SUCCESS(Status) ? 
(LONG)Irp->IoStatus.Information : SOCKET_ERROR; - - IoFreeIrp(Irp); - FreeWskBuffer(&WskBuffer); - return BytesReceived; -} - -LONG NTAPI ReceiveFrom(__in PWSK_SOCKET WskSocket, __out PVOID Buffer, - __in ULONG BufferSize, __out_opt PSOCKADDR RemoteAddress, - __out_opt PULONG ControlFlags) { - KEVENT CompletionEvent = {0}; - PIRP Irp = NULL; - WSK_BUF WskBuffer = {0}; - LONG BytesReceived = SOCKET_ERROR; - NTSTATUS Status = STATUS_UNSUCCESSFUL; - - if (g_SocketsState != INITIALIZED || !WskSocket || !Buffer || !BufferSize) - return SOCKET_ERROR; - - Status = InitWskBuffer(Buffer, BufferSize, &WskBuffer); - if (!NT_SUCCESS(Status)) { - KdPrint( - ("ReceiveFrom(): InitWskData() failed with status 0x%08X\n", Status)); - return SOCKET_ERROR; - } - - Status = InitWskData(&Irp, &CompletionEvent); - if (!NT_SUCCESS(Status)) { - KdPrint( - ("ReceiveFrom(): InitWskData() failed with status 0x%08X\n", Status)); - FreeWskBuffer(&WskBuffer); - return SOCKET_ERROR; - } - - Status = ((PWSK_PROVIDER_DATAGRAM_DISPATCH)WskSocket->Dispatch) - ->WskReceiveFrom(WskSocket, &WskBuffer, 0, RemoteAddress, 0, - NULL, ControlFlags, Irp); - if (Status == STATUS_PENDING) { - KeWaitForSingleObject(&CompletionEvent, Executive, KernelMode, FALSE, NULL); - Status = Irp->IoStatus.Status; - } - - BytesReceived = - NT_SUCCESS(Status) ? 
(LONG)Irp->IoStatus.Information : SOCKET_ERROR; - - IoFreeIrp(Irp); - FreeWskBuffer(&WskBuffer); - return BytesReceived; -} - -NTSTATUS -NTAPI -Bind(__in PWSK_SOCKET WskSocket, __in PSOCKADDR LocalAddress) { - KEVENT CompletionEvent = {0}; - PIRP Irp = NULL; - NTSTATUS Status = STATUS_UNSUCCESSFUL; - - if (g_SocketsState != INITIALIZED || !WskSocket || !LocalAddress) - return STATUS_INVALID_PARAMETER; - - Status = InitWskData(&Irp, &CompletionEvent); - if (!NT_SUCCESS(Status)) { - KdPrint(("Bind(): InitWskData() failed with status 0x%08X\n", Status)); - return Status; - } - - Status = ((PWSK_PROVIDER_CONNECTION_DISPATCH)WskSocket->Dispatch) - ->WskBind(WskSocket, LocalAddress, 0, Irp); - if (Status == STATUS_PENDING) { - KeWaitForSingleObject(&CompletionEvent, Executive, KernelMode, FALSE, NULL); - Status = Irp->IoStatus.Status; - } - - IoFreeIrp(Irp); - return Status; -} - -PWSK_SOCKET -NTAPI -Accept(__in PWSK_SOCKET WskSocket, __out_opt PSOCKADDR LocalAddress, - __out_opt PSOCKADDR RemoteAddress) { - KEVENT CompletionEvent = {0}; - PIRP Irp = NULL; - NTSTATUS Status = STATUS_UNSUCCESSFUL; - PWSK_SOCKET AcceptedSocket = NULL; - - if (g_SocketsState != INITIALIZED || !WskSocket) return NULL; - - Status = InitWskData(&Irp, &CompletionEvent); - if (!NT_SUCCESS(Status)) { - KdPrint(("Accept(): InitWskData() failed with status 0x%08X\n", Status)); - return NULL; - } - - Status = ((PWSK_PROVIDER_LISTEN_DISPATCH)WskSocket->Dispatch) - ->WskAccept(WskSocket, 0, NULL, NULL, LocalAddress, - RemoteAddress, Irp); - if (Status == STATUS_PENDING) { - KeWaitForSingleObject(&CompletionEvent, Executive, KernelMode, FALSE, NULL); - Status = Irp->IoStatus.Status; - } - - AcceptedSocket = - NT_SUCCESS(Status) ? 
(PWSK_SOCKET)Irp->IoStatus.Information : NULL; - - IoFreeIrp(Irp); - return AcceptedSocket; -} +/*++ + +Module Name: + + simplewsk.c + +Abstract: + + Wrapper library for WSK functions + +Author: + + MaD, 12-May-2009 + +--*/ + +#include "simplewsk.h" + +static WSK_REGISTRATION g_WskRegistration; +static WSK_PROVIDER_NPI g_WskProvider; +static WSK_CLIENT_DISPATCH g_WskDispatch = {MAKE_WSK_VERSION(1, 0), 0, NULL}; + +enum { DEINITIALIZED, DEINITIALIZING, INITIALIZING, INITIALIZED }; + +static LONG g_SocketsState = DEINITIALIZED; + +static NTSTATUS NTAPI CompletionRoutine(__in PDEVICE_OBJECT DeviceObject, + __in PIRP Irp, + __in PKEVENT CompletionEvent) { + ASSERT(CompletionEvent); + + UNREFERENCED_PARAMETER(Irp); + UNREFERENCED_PARAMETER(DeviceObject); + + KeSetEvent(CompletionEvent, IO_NO_INCREMENT, FALSE); + return STATUS_MORE_PROCESSING_REQUIRED; +} + +static NTSTATUS InitWskData(__out PIRP* pIrp, __out PKEVENT CompletionEvent) { + ASSERT(pIrp); + ASSERT(CompletionEvent); + + *pIrp = IoAllocateIrp(1, FALSE); + if (!*pIrp) { + KdPrint(("InitWskData(): IoAllocateIrp() failed\n")); + return STATUS_INSUFFICIENT_RESOURCES; + } + + KeInitializeEvent(CompletionEvent, SynchronizationEvent, FALSE); + IoSetCompletionRoutine(*pIrp, CompletionRoutine, CompletionEvent, TRUE, TRUE, + TRUE); + return STATUS_SUCCESS; +} + +static NTSTATUS InitWskBuffer(__in PVOID Buffer, __in ULONG BufferSize, + __out PWSK_BUF WskBuffer) { + NTSTATUS Status = STATUS_SUCCESS; + + ASSERT(Buffer); + ASSERT(BufferSize); + ASSERT(WskBuffer); + + WskBuffer->Offset = 0; + WskBuffer->Length = BufferSize; + + WskBuffer->Mdl = IoAllocateMdl(Buffer, BufferSize, FALSE, FALSE, NULL); + if (!WskBuffer->Mdl) { + KdPrint(("InitWskBuffer(): IoAllocateMdl() failed\n")); + return STATUS_INSUFFICIENT_RESOURCES; + } + + __try { + MmProbeAndLockPages(WskBuffer->Mdl, KernelMode, IoWriteAccess); + } __except (EXCEPTION_EXECUTE_HANDLER) { + KdPrint(("InitWskBuffer(): MmProbeAndLockPages(%p) failed\n", Buffer)); + 
IoFreeMdl(WskBuffer->Mdl); + Status = STATUS_ACCESS_VIOLATION; + } + + return Status; +} + +static VOID FreeWskBuffer(__in PWSK_BUF WskBuffer) { + ASSERT(WskBuffer); + + MmUnlockPages(WskBuffer->Mdl); + IoFreeMdl(WskBuffer->Mdl); +} + +// +// Library initialization routine +// + +NTSTATUS NTAPI WSKStartup() { + WSK_CLIENT_NPI WskClient = {0}; + NTSTATUS Status = STATUS_UNSUCCESSFUL; + + if (InterlockedCompareExchange(&g_SocketsState, INITIALIZING, + DEINITIALIZED) != DEINITIALIZED) + return STATUS_ALREADY_REGISTERED; + + WskClient.ClientContext = NULL; + WskClient.Dispatch = &g_WskDispatch; + + Status = WskRegister(&WskClient, &g_WskRegistration); + if (!NT_SUCCESS(Status)) { + KdPrint(("WskRegister() failed with status 0x%08X\n", Status)); + InterlockedExchange(&g_SocketsState, DEINITIALIZED); + return Status; + } + + Status = + WskCaptureProviderNPI(&g_WskRegistration, WSK_NO_WAIT, &g_WskProvider); + if (!NT_SUCCESS(Status)) { + KdPrint(("WskCaptureProviderNPI() failed with status 0x%08X\n", Status)); + WskDeregister(&g_WskRegistration); + InterlockedExchange(&g_SocketsState, DEINITIALIZED); + return Status; + } + + InterlockedExchange(&g_SocketsState, INITIALIZED); + return STATUS_SUCCESS; +} + +// +// Library deinitialization routine +// + +VOID NTAPI WSKCleanup() { + if (InterlockedCompareExchange(&g_SocketsState, INITIALIZED, + DEINITIALIZING) != INITIALIZED) + return; + + WskReleaseProviderNPI(&g_WskRegistration); + WskDeregister(&g_WskRegistration); + + InterlockedExchange(&g_SocketsState, DEINITIALIZED); +} + +PWSK_SOCKET +NTAPI +CreateSocket(__in ADDRESS_FAMILY AddressFamily, __in USHORT SocketType, + __in ULONG Protocol, __in ULONG Flags) { + KEVENT CompletionEvent = {0}; + PIRP Irp = NULL; + PWSK_SOCKET WskSocket = NULL; + NTSTATUS Status = STATUS_UNSUCCESSFUL; + + if (g_SocketsState != INITIALIZED) return NULL; + + Status = InitWskData(&Irp, &CompletionEvent); + if (!NT_SUCCESS(Status)) { + KdPrint( + ("CreateSocket(): InitWskData() failed with status 
0x%08X\n", Status)); + return NULL; + } + + Status = g_WskProvider.Dispatch->WskSocket( + g_WskProvider.Client, AddressFamily, SocketType, Protocol, Flags, NULL, + NULL, NULL, NULL, NULL, Irp); + if (Status == STATUS_PENDING) { + KeWaitForSingleObject(&CompletionEvent, Executive, KernelMode, FALSE, NULL); + Status = Irp->IoStatus.Status; + } + + WskSocket = + NT_SUCCESS(Status) ? (PWSK_SOCKET)Irp->IoStatus.Information : NULL; + + IoFreeIrp(Irp); + return (PWSK_SOCKET)WskSocket; +} + +NTSTATUS +NTAPI +CloseSocket(__in PWSK_SOCKET WskSocket) { + KEVENT CompletionEvent = {0}; + PIRP Irp = NULL; + NTSTATUS Status = STATUS_UNSUCCESSFUL; + + if (g_SocketsState != INITIALIZED || !WskSocket) + return STATUS_INVALID_PARAMETER; + + Status = InitWskData(&Irp, &CompletionEvent); + if (!NT_SUCCESS(Status)) { + KdPrint( + ("CloseSocket(): InitWskData() failed with status 0x%08X\n", Status)); + return Status; + } + + Status = ((PWSK_PROVIDER_BASIC_DISPATCH)WskSocket->Dispatch) + ->WskCloseSocket(WskSocket, Irp); + if (Status == STATUS_PENDING) { + KeWaitForSingleObject(&CompletionEvent, Executive, KernelMode, FALSE, NULL); + Status = Irp->IoStatus.Status; + } + + IoFreeIrp(Irp); + return Status; +} + +NTSTATUS +NTAPI +Connect(__in PWSK_SOCKET WskSocket, __in PSOCKADDR RemoteAddress) { + KEVENT CompletionEvent = {0}; + PIRP Irp = NULL; + NTSTATUS Status = STATUS_UNSUCCESSFUL; + + if (g_SocketsState != INITIALIZED || !WskSocket || !RemoteAddress) + return STATUS_INVALID_PARAMETER; + + Status = InitWskData(&Irp, &CompletionEvent); + if (!NT_SUCCESS(Status)) { + KdPrint(("Connect(): InitWskData() failed with status 0x%08X\n", Status)); + return Status; + } + + Status = ((PWSK_PROVIDER_CONNECTION_DISPATCH)WskSocket->Dispatch) + ->WskConnect(WskSocket, RemoteAddress, 0, Irp); + if (Status == STATUS_PENDING) { + KeWaitForSingleObject(&CompletionEvent, Executive, KernelMode, FALSE, NULL); + Status = Irp->IoStatus.Status; + } + + IoFreeIrp(Irp); + return Status; +} + +PWSK_SOCKET +NTAPI 
+SocketConnect(__in USHORT SocketType, __in ULONG Protocol, + __in PSOCKADDR RemoteAddress, __in PSOCKADDR LocalAddress) { + KEVENT CompletionEvent = {0}; + PIRP Irp = NULL; + NTSTATUS Status = STATUS_UNSUCCESSFUL; + PWSK_SOCKET WskSocket = NULL; + + if (g_SocketsState != INITIALIZED || !RemoteAddress || !LocalAddress) + return NULL; + + Status = InitWskData(&Irp, &CompletionEvent); + if (!NT_SUCCESS(Status)) { + KdPrint(("InitWskData() failed with status 0x%08X\n", Status)); + return NULL; + } + + Status = g_WskProvider.Dispatch->WskSocketConnect( + g_WskProvider.Client, SocketType, Protocol, LocalAddress, RemoteAddress, + 0, NULL, NULL, NULL, NULL, NULL, Irp); + if (Status == STATUS_PENDING) { + KeWaitForSingleObject(&CompletionEvent, Executive, KernelMode, FALSE, NULL); + Status = Irp->IoStatus.Status; + } + + WskSocket = + NT_SUCCESS(Status) ? (PWSK_SOCKET)Irp->IoStatus.Information : NULL; + + IoFreeIrp(Irp); + return WskSocket; +} + +LONG NTAPI Send(__in PWSK_SOCKET WskSocket, __in PVOID Buffer, + __in ULONG BufferSize, __in ULONG Flags) { + KEVENT CompletionEvent = {0}; + PIRP Irp = NULL; + WSK_BUF WskBuffer = {0}; + LONG BytesSent = SOCKET_ERROR; + NTSTATUS Status = STATUS_UNSUCCESSFUL; + + if (g_SocketsState != INITIALIZED || !WskSocket || !Buffer || !BufferSize) + return SOCKET_ERROR; + + Status = InitWskBuffer(Buffer, BufferSize, &WskBuffer); + if (!NT_SUCCESS(Status)) { + KdPrint(("Send(): InitWskData() failed with status 0x%08X\n", Status)); + return SOCKET_ERROR; + } + + Status = InitWskData(&Irp, &CompletionEvent); + if (!NT_SUCCESS(Status)) { + KdPrint(("Send(): InitWskData() failed with status 0x%08X\n", Status)); + FreeWskBuffer(&WskBuffer); + return SOCKET_ERROR; + } + + Status = ((PWSK_PROVIDER_CONNECTION_DISPATCH)WskSocket->Dispatch) + ->WskSend(WskSocket, &WskBuffer, Flags, Irp); + if (Status == STATUS_PENDING) { + KeWaitForSingleObject(&CompletionEvent, Executive, KernelMode, FALSE, NULL); + Status = Irp->IoStatus.Status; + } + + BytesSent = + 
NT_SUCCESS(Status) ? (LONG)Irp->IoStatus.Information : SOCKET_ERROR; + + IoFreeIrp(Irp); + FreeWskBuffer(&WskBuffer); + return BytesSent; +} + +LONG NTAPI SendTo(__in PWSK_SOCKET WskSocket, __in PVOID Buffer, + __in ULONG BufferSize, __in_opt PSOCKADDR RemoteAddress) { + KEVENT CompletionEvent = {0}; + PIRP Irp = NULL; + WSK_BUF WskBuffer = {0}; + LONG BytesSent = SOCKET_ERROR; + NTSTATUS Status = STATUS_UNSUCCESSFUL; + + if (g_SocketsState != INITIALIZED || !WskSocket || !Buffer || !BufferSize) + return SOCKET_ERROR; + + Status = InitWskBuffer(Buffer, BufferSize, &WskBuffer); + if (!NT_SUCCESS(Status)) { + KdPrint(("SendTo(): InitWskData() failed with status 0x%08X\n", Status)); + return SOCKET_ERROR; + } + + Status = InitWskData(&Irp, &CompletionEvent); + if (!NT_SUCCESS(Status)) { + KdPrint(("SendTo(): InitWskData() failed with status 0x%08X\n", Status)); + FreeWskBuffer(&WskBuffer); + return SOCKET_ERROR; + } + + Status = + ((PWSK_PROVIDER_DATAGRAM_DISPATCH)WskSocket->Dispatch) + ->WskSendTo(WskSocket, &WskBuffer, 0, RemoteAddress, 0, NULL, Irp); + if (Status == STATUS_PENDING) { + KeWaitForSingleObject(&CompletionEvent, Executive, KernelMode, FALSE, NULL); + Status = Irp->IoStatus.Status; + } + + BytesSent = + NT_SUCCESS(Status) ? 
(LONG)Irp->IoStatus.Information : SOCKET_ERROR; + + IoFreeIrp(Irp); + FreeWskBuffer(&WskBuffer); + return BytesSent; +} + +LONG NTAPI Receive(__in PWSK_SOCKET WskSocket, __out PVOID Buffer, + __in ULONG BufferSize, __in ULONG Flags) { + KEVENT CompletionEvent = {0}; + PIRP Irp = NULL; + WSK_BUF WskBuffer = {0}; + LONG BytesReceived = SOCKET_ERROR; + NTSTATUS Status = STATUS_UNSUCCESSFUL; + + if (g_SocketsState != INITIALIZED || !WskSocket || !Buffer || !BufferSize) + return SOCKET_ERROR; + + Status = InitWskBuffer(Buffer, BufferSize, &WskBuffer); + if (!NT_SUCCESS(Status)) { + KdPrint(("Receive(): InitWskData() failed with status 0x%08X\n", Status)); + return SOCKET_ERROR; + } + + Status = InitWskData(&Irp, &CompletionEvent); + if (!NT_SUCCESS(Status)) { + KdPrint(("Receive(): InitWskData() failed with status 0x%08X\n", Status)); + FreeWskBuffer(&WskBuffer); + return SOCKET_ERROR; + } + + Status = ((PWSK_PROVIDER_CONNECTION_DISPATCH)WskSocket->Dispatch) + ->WskReceive(WskSocket, &WskBuffer, Flags, Irp); + if (Status == STATUS_PENDING) { + KeWaitForSingleObject(&CompletionEvent, Executive, KernelMode, FALSE, NULL); + Status = Irp->IoStatus.Status; + } + + BytesReceived = + NT_SUCCESS(Status) ? 
(LONG)Irp->IoStatus.Information : SOCKET_ERROR; + + IoFreeIrp(Irp); + FreeWskBuffer(&WskBuffer); + return BytesReceived; +} + +LONG NTAPI ReceiveFrom(__in PWSK_SOCKET WskSocket, __out PVOID Buffer, + __in ULONG BufferSize, __out_opt PSOCKADDR RemoteAddress, + __out_opt PULONG ControlFlags) { + KEVENT CompletionEvent = {0}; + PIRP Irp = NULL; + WSK_BUF WskBuffer = {0}; + LONG BytesReceived = SOCKET_ERROR; + NTSTATUS Status = STATUS_UNSUCCESSFUL; + + if (g_SocketsState != INITIALIZED || !WskSocket || !Buffer || !BufferSize) + return SOCKET_ERROR; + + Status = InitWskBuffer(Buffer, BufferSize, &WskBuffer); + if (!NT_SUCCESS(Status)) { + KdPrint( + ("ReceiveFrom(): InitWskData() failed with status 0x%08X\n", Status)); + return SOCKET_ERROR; + } + + Status = InitWskData(&Irp, &CompletionEvent); + if (!NT_SUCCESS(Status)) { + KdPrint( + ("ReceiveFrom(): InitWskData() failed with status 0x%08X\n", Status)); + FreeWskBuffer(&WskBuffer); + return SOCKET_ERROR; + } + + Status = ((PWSK_PROVIDER_DATAGRAM_DISPATCH)WskSocket->Dispatch) + ->WskReceiveFrom(WskSocket, &WskBuffer, 0, RemoteAddress, 0, + NULL, ControlFlags, Irp); + if (Status == STATUS_PENDING) { + KeWaitForSingleObject(&CompletionEvent, Executive, KernelMode, FALSE, NULL); + Status = Irp->IoStatus.Status; + } + + BytesReceived = + NT_SUCCESS(Status) ? 
(LONG)Irp->IoStatus.Information : SOCKET_ERROR; + + IoFreeIrp(Irp); + FreeWskBuffer(&WskBuffer); + return BytesReceived; +} + +NTSTATUS +NTAPI +Bind(__in PWSK_SOCKET WskSocket, __in PSOCKADDR LocalAddress) { + KEVENT CompletionEvent = {0}; + PIRP Irp = NULL; + NTSTATUS Status = STATUS_UNSUCCESSFUL; + + if (g_SocketsState != INITIALIZED || !WskSocket || !LocalAddress) + return STATUS_INVALID_PARAMETER; + + Status = InitWskData(&Irp, &CompletionEvent); + if (!NT_SUCCESS(Status)) { + KdPrint(("Bind(): InitWskData() failed with status 0x%08X\n", Status)); + return Status; + } + + Status = ((PWSK_PROVIDER_CONNECTION_DISPATCH)WskSocket->Dispatch) + ->WskBind(WskSocket, LocalAddress, 0, Irp); + if (Status == STATUS_PENDING) { + KeWaitForSingleObject(&CompletionEvent, Executive, KernelMode, FALSE, NULL); + Status = Irp->IoStatus.Status; + } + + IoFreeIrp(Irp); + return Status; +} + +PWSK_SOCKET +NTAPI +Accept(__in PWSK_SOCKET WskSocket, __out_opt PSOCKADDR LocalAddress, + __out_opt PSOCKADDR RemoteAddress) { + KEVENT CompletionEvent = {0}; + PIRP Irp = NULL; + NTSTATUS Status = STATUS_UNSUCCESSFUL; + PWSK_SOCKET AcceptedSocket = NULL; + + if (g_SocketsState != INITIALIZED || !WskSocket) return NULL; + + Status = InitWskData(&Irp, &CompletionEvent); + if (!NT_SUCCESS(Status)) { + KdPrint(("Accept(): InitWskData() failed with status 0x%08X\n", Status)); + return NULL; + } + + Status = ((PWSK_PROVIDER_LISTEN_DISPATCH)WskSocket->Dispatch) + ->WskAccept(WskSocket, 0, NULL, NULL, LocalAddress, + RemoteAddress, Irp); + if (Status == STATUS_PENDING) { + KeWaitForSingleObject(&CompletionEvent, Executive, KernelMode, FALSE, NULL); + Status = Irp->IoStatus.Status; + } + + AcceptedSocket = + NT_SUCCESS(Status) ? (PWSK_SOCKET)Irp->IoStatus.Information : NULL; + + IoFreeIrp(Irp); + return AcceptedSocket; +} diff --git a/KMDF Driver2/simplewsk.h b/lpus/simplewsk.h similarity index 96% rename from KMDF Driver2/simplewsk.h rename to lpus/simplewsk.h index d776e72..b48000e 100644 
--- a/KMDF Driver2/simplewsk.h
+++ b/lpus/simplewsk.h
@@ -1,55 +1,55 @@
-
-#pragma warning(push)
-#pragma warning(disable : 4201) // nameless struct/union
-#pragma warning(disable : 4214) // bit field types other than int
-
-#pragma once
-#include
-#include
-
-#pragma warning(pop)
-
-#define SOCKET_ERROR -1
-
-NTSTATUS NTAPI WSKStartup();
-VOID NTAPI WSKCleanup();
-
-PWSK_SOCKET
-NTAPI
-CreateSocket(__in ADDRESS_FAMILY AddressFamily, __in USHORT SocketType,
- __in ULONG Protocol, __in ULONG Flags);
-
-NTSTATUS
-NTAPI
-CloseSocket(__in PWSK_SOCKET WskSocket);
-
-NTSTATUS
-NTAPI
-Connect(__in PWSK_SOCKET WskSocket, __in PSOCKADDR RemoteAddress);
-
-PWSK_SOCKET
-NTAPI
-SocketConnect(__in USHORT SocketType, __in ULONG Protocol,
- __in PSOCKADDR RemoteAddress, __in PSOCKADDR LocalAddress);
-
-LONG NTAPI Send(__in PWSK_SOCKET WskSocket, __in PVOID Buffer,
- __in ULONG BufferSize, __in ULONG Flags);
-
-LONG NTAPI SendTo(__in PWSK_SOCKET WskSocket, __in PVOID Buffer,
- __in ULONG BufferSize, __in_opt PSOCKADDR RemoteAddress);
-
-LONG NTAPI Receive(__in PWSK_SOCKET WskSocket, __out PVOID Buffer,
- __in ULONG BufferSize, __in ULONG Flags);
-
-LONG NTAPI ReceiveFrom(__in PWSK_SOCKET WskSocket, __out PVOID Buffer,
- __in ULONG BufferSize, __out_opt PSOCKADDR RemoteAddress,
- __out_opt PULONG ControlFlags);
-
-NTSTATUS
-NTAPI
-Bind(__in PWSK_SOCKET WskSocket, __in PSOCKADDR LocalAddress);
-
-PWSK_SOCKET
-NTAPI
-Accept(__in PWSK_SOCKET WskSocket, __out_opt PSOCKADDR LocalAddress,
- __out_opt PSOCKADDR RemoteAddress);
+
+#pragma warning(push)
+#pragma warning(disable : 4201) // nameless struct/union
+#pragma warning(disable : 4214) // bit field types other than int
+
+#pragma once
+#include
+#include
+
+#pragma warning(pop)
+
+#define SOCKET_ERROR -1
+
+NTSTATUS NTAPI WSKStartup();
+VOID NTAPI WSKCleanup();
+
+PWSK_SOCKET
+NTAPI
+CreateSocket(__in ADDRESS_FAMILY AddressFamily, __in USHORT SocketType,
+ __in ULONG Protocol, __in ULONG Flags);
+
+NTSTATUS
+NTAPI
+CloseSocket(__in PWSK_SOCKET WskSocket);
+
+NTSTATUS
+NTAPI
+Connect(__in PWSK_SOCKET WskSocket, __in PSOCKADDR RemoteAddress);
+
+PWSK_SOCKET
+NTAPI
+SocketConnect(__in USHORT SocketType, __in ULONG Protocol,
+ __in PSOCKADDR RemoteAddress, __in PSOCKADDR LocalAddress);
+
+LONG NTAPI Send(__in PWSK_SOCKET WskSocket, __in PVOID Buffer,
+ __in ULONG BufferSize, __in ULONG Flags);
+
+LONG NTAPI SendTo(__in PWSK_SOCKET WskSocket, __in PVOID Buffer,
+ __in ULONG BufferSize, __in_opt PSOCKADDR RemoteAddress);
+
+LONG NTAPI Receive(__in PWSK_SOCKET WskSocket, __out PVOID Buffer,
+ __in ULONG BufferSize, __in ULONG Flags);
+
+LONG NTAPI ReceiveFrom(__in PWSK_SOCKET WskSocket, __out PVOID Buffer,
+ __in ULONG BufferSize, __out_opt PSOCKADDR RemoteAddress,
+ __out_opt PULONG ControlFlags);
+
+NTSTATUS
+NTAPI
+Bind(__in PWSK_SOCKET WskSocket, __in PSOCKADDR LocalAddress);
+
+PWSK_SOCKET
+NTAPI
+Accept(__in PWSK_SOCKET WskSocket, __out_opt PSOCKADDR LocalAddress,
+ __out_opt PSOCKADDR RemoteAddress);
diff --git a/KMDF Driver2/sioctl.h b/lpus/sioctl.h
similarity index 100%
rename from KMDF Driver2/sioctl.h
rename to lpus/sioctl.h
diff --git a/sample_scan.txt b/sample_scan.txt
deleted file mode 100644
index 6162abc..0000000
--- a/sample_scan.txt
+++ /dev/null
@@ -1,662 +0,0 @@ -00000007 2.44968486 [NAK] :: [ ] Hello from Kernel, setup a few things -00000008 2.44975328 [NAK] :: [+] Setup completed, GO GO GO !!!! -00000009 2.44980168 [NAK] :: [ ] Windows version : 10.0.19564 -00000010 2.44980717 [NAK] :: [ ] Detected windows : 2020 Fast Ring -00000011 2.44981456 [NAK] :: [ ] System eprocess : 0xFFFFDB0CC8CB5040, [ System] -00000012 2.44984531 [NAK] :: [ ] PsActiveProcessHead : 0xFFFFF8031601F970 -00000013 2.44985104 [NAK] :: [ ] ntoskrnl.exe : 0xFFFFF80315400000 -00000014 2.44985557 [NAK] :: [ ] Scan the PsActiveProcessHead linked-list -00000015 2.44986176 [NAK] :: [ ] eprocess : 0xFFFFDB0CC8DE7080, [ Secure System] -00000016 2.44996500 [NAK] :: [ ] eprocess : 0xFFFFDB0CC8D36080, [ Registry] -00000017 2.44997287 [NAK] :: [ ] eprocess : 0xFFFFDB0CD1AA3040, [ smss.exe] -00000018 2.44998288 [NAK] :: [ ] eprocess : 0xFFFFDB0CD1C6D0C0, [ smss.exe] -00000019 2.44999051 [NAK] :: [ ] eprocess : 0xFFFFDB0CD1C60140, [ csrss.exe] -00000020 2.44999647 [NAK] :: [ ] eprocess : 0xFFFFDB0CD3A53080, [ smss.exe] -00000021 2.45000243 [NAK] :: [ ] eprocess : 0xFFFFDB0CD3A54080, [ wininit.exe] -00000022 2.45000839 [NAK] :: [ ] eprocess : 0xFFFFDB0CD3A52140, [ csrss.exe] -00000023 2.45001388 [NAK] :: [ ] eprocess : 0xFFFFDB0CD3AAB080, [ services.exe] -00000024 2.45001888 [NAK] :: [ ] eprocess : 0xFFFFDB0CD3ACB080, [ LsaIso.exe] -00000025 2.45002389 [NAK] :: [ ] eprocess : 0xFFFFDB0CD3AC9080, [ lsass.exe] -00000026 2.45002913 [NAK] :: [ ] eprocess : 0xFFFFDB0CD3BD8080, [ svchost.exe] -00000027 2.45003533 [NAK] :: [ ] eprocess : 0xFFFFDB0CD3C430C0, [ fontdrvhost.ex] -00000028 2.45004129 [NAK] :: [ ] eprocess : 0xFFFFDB0CD3C2F080, [ WUDFHost.exe] -00000029 2.45004702 [NAK] :: [ ] eprocess : 0xFFFFDB0CD3CD1240, [ svchost.exe] -00000030 2.45005274 [NAK] :: [ ] eprocess : 0xFFFFDB0CD3D10080, [ svchost.exe] -00000031 2.45005846 [NAK] :: [ ] eprocess : 0xFFFFDB0CD3D84080, [ winlogon.exe] -00000032 2.45009232 [NAK] :: [ ] eprocess : 0xFFFFDB0CD3E27080, 
[ fontdrvhost.ex] -00000033 2.45009780 [NAK] :: [ ] eprocess : 0xFFFFDB0CD3E5C080, [ dwm.exe] -00000034 2.45010328 [NAK] :: [ ] eprocess : 0xFFFFDB0CD3F210C0, [ svchost.exe] -00000035 2.45010829 [NAK] :: [ ] eprocess : 0xFFFFDB0CD3F25080, [ svchost.exe] -00000036 2.45011401 [NAK] :: [ ] eprocess : 0xFFFFDB0CD3F42080, [ svchost.exe] -00000037 2.45018148 [NAK] :: [ ] eprocess : 0xFFFFDB0CD3F44080, [ svchost.exe] -00000038 2.45018888 [NAK] :: [ ] eprocess : 0xFFFFDB0CD3F4F080, [ svchost.exe] -00000039 2.45023370 [NAK] :: [ ] eprocess : 0xFFFFDB0CD3F54080, [ svchost.exe] -00000040 2.45023942 [NAK] :: [ ] eprocess : 0xFFFFDB0CD3F6E0C0, [ svchost.exe] -00000041 2.45024443 [NAK] :: [ ] eprocess : 0xFFFFDB0CD3F74080, [ svchost.exe] -00000042 2.45024967 [NAK] :: [ ] eprocess : 0xFFFFDB0CD560C080, [ svchost.exe] -00000043 2.45025444 [NAK] :: [ ] eprocess : 0xFFFFDB0CD5611080, [ svchost.exe] -00000044 2.45025969 [NAK] :: [ ] eprocess : 0xFFFFDB0CD564A080, [ svchost.exe] -00000045 2.45026469 [NAK] :: [ ] eprocess : 0xFFFFDB0CD566F080, [ svchost.exe] -00000046 2.45026994 [NAK] :: [ ] eprocess : 0xFFFFDB0CD5671080, [ svchost.exe] -00000047 2.45027471 [NAK] :: [ ] eprocess : 0xFFFFDB0CD56B9080, [ svchost.exe] -00000048 2.45027971 [NAK] :: [ ] eprocess : 0xFFFFDB0CD56B7080, [ svchost.exe] -00000049 2.45028472 [NAK] :: [ ] eprocess : 0xFFFFDB0CD5757080, [ svchost.exe] -00000050 2.45028973 [NAK] :: [ ] eprocess : 0xFFFFDB0CD57970C0, [ svchost.exe] -00000051 2.45029521 [NAK] :: [ ] eprocess : 0xFFFFDB0CD579D080, [ svchost.exe] -00000052 2.45029998 [NAK] :: [ ] eprocess : 0xFFFFDB0CD5868080, [ svchost.exe] -00000053 2.45030522 [NAK] :: [ ] eprocess : 0xFFFFDB0CD5887080, [ svchost.exe] -00000054 2.45031071 [NAK] :: [ ] eprocess : 0xFFFFDB0CD588E080, [ dasHost.exe] -00000055 2.45033646 [NAK] :: [ ] eprocess : 0xFFFFDB0CD589C080, [ svchost.exe] -00000056 2.45034194 [NAK] :: [ ] eprocess : 0xFFFFDB0CD58F0080, [ svchost.exe] -00000057 2.45034766 [NAK] :: [ ] eprocess : 0xFFFFDB0CD59450C0, 
[ svchost.exe] -00000058 2.45035267 [NAK] :: [ ] eprocess : 0xFFFFDB0CD5962080, [ svchost.exe] -00000059 2.45036316 [NAK] :: [ ] eprocess : 0xFFFFDB0CD59A90C0, [ svchost.exe] -00000060 2.45036960 [NAK] :: [ ] eprocess : 0xFFFFDB0CD59B8080, [ vmms.exe] -00000061 2.45037484 [NAK] :: [ ] eprocess : 0xFFFFDB0CD5A250C0, [ svchost.exe] -00000062 2.45038009 [NAK] :: [ ] eprocess : 0xFFFFDB0CD5A31080, [ svchost.exe] -00000063 2.45038509 [NAK] :: [ ] eprocess : 0xFFFFDB0CD5B29080, [ svchost.exe] -00000064 2.45039034 [NAK] :: [ ] eprocess : 0xFFFFDB0CD5B350C0, [ svchost.exe] -00000065 2.45039558 [NAK] :: [ ] eprocess : 0xFFFFDB0CD5B43080, [ svchost.exe] -00000066 2.45040083 [NAK] :: [ ] eprocess : 0xFFFFDB0CD5B42080, [ NVDisplay.Cont] -00000067 2.45040607 [NAK] :: [ ] eprocess : 0xFFFFDB0CD5BBF080, [ svchost.exe] -00000068 2.45041108 [NAK] :: [ ] eprocess : 0xFFFFDB0CD5BE8080, [ svchost.exe] -00000069 2.45041656 [NAK] :: [ ] eprocess : 0xFFFFDB0CD5B65080, [ svchost.exe] -00000070 2.45042205 [NAK] :: [ ] eprocess : 0xFFFFDB0CD5C2F0C0, [ svchost.exe] -00000071 2.45042729 [NAK] :: [ ] eprocess : 0xFFFFDB0CD5C4E080, [ igfxCUIService] -00000072 2.45043230 [NAK] :: [ ] eprocess : 0xFFFFDB0CD5C51040, [ MemCompression] -00000073 2.45043731 [NAK] :: [ ] eprocess : 0xFFFFDB0CD5CCA0C0, [ svchost.exe] -00000074 2.45044231 [NAK] :: [ ] eprocess : 0xFFFFDB0CD5CCE080, [ svchost.exe] -00000075 2.45044923 [NAK] :: [ ] eprocess : 0xFFFFDB0CD5CD2080, [ svchost.exe] -00000076 2.45045567 [NAK] :: [ ] eprocess : 0xFFFFDB0CD5D840C0, [ svchost.exe] -00000077 2.45046210 [NAK] :: [ ] eprocess : 0xFFFFDB0CD5DBB080, [ NVDisplay.Cont] -00000078 2.45046687 [NAK] :: [ ] eprocess : 0xFFFFDB0CD5DE90C0, [ svchost.exe] -00000079 2.45047331 [NAK] :: [ ] eprocess : 0xFFFFDB0CD5E4A080, [ svchost.exe] -00000080 2.45047832 [NAK] :: [ ] eprocess : 0xFFFFDB0CD5E670C0, [ svchost.exe] -00000081 2.45048451 [NAK] :: [ ] eprocess : 0xFFFFDB0CD5EB5080, [ svchost.exe] -00000082 2.45048952 [NAK] :: [ ] eprocess : 
0xFFFFDB0CD5DE7080, [ svchost.exe] -00000083 2.45049477 [NAK] :: [ ] eprocess : 0xFFFFDB0CD5EEB080, [ svchost.exe] -00000084 2.45049953 [NAK] :: [ ] eprocess : 0xFFFFDB0CD5EEA080, [ svchost.exe] -00000085 2.45050478 [NAK] :: [ ] eprocess : 0xFFFFDB0CD5F07080, [ svchost.exe] -00000086 2.45051026 [NAK] :: [ ] eprocess : 0xFFFFDB0CD5FE9080, [ svchost.exe] -00000087 2.45051551 [NAK] :: [ ] eprocess : 0xFFFFDB0CD606D080, [ svchost.exe] -00000088 2.45052052 [NAK] :: [ ] eprocess : 0xFFFFDB0CD6167080, [ svchost.exe] -00000089 2.45052552 [NAK] :: [ ] eprocess : 0xFFFFDB0CD6164080, [ svchost.exe] -00000090 2.45053577 [NAK] :: [ ] eprocess : 0xFFFFDB0CD616B080, [ svchost.exe] -00000091 2.45054245 [NAK] :: [ ] eprocess : 0xFFFFDB0CD61B40C0, [ spoolsv.exe] -00000092 2.45054793 [NAK] :: [ ] eprocess : 0xFFFFDB0CD621B080, [ svchost.exe] -00000093 2.45055389 [NAK] :: [ ] eprocess : 0xFFFFDB0CD6253080, [ svchost.exe] -00000094 2.45055985 [NAK] :: [ ] eprocess : 0xFFFFDB0CD62AE080, [ armsvc.exe] -00000095 2.45056605 [NAK] :: [ ] eprocess : 0xFFFFDB0CD62CB0C0, [ AdobeUpdateSer] -00000096 2.45057201 [NAK] :: [ ] eprocess : 0xFFFFDB0CD62DF080, [ AGMService.exe] -00000097 2.45057750 [NAK] :: [ ] eprocess : 0xFFFFDB0CD62E7080, [ OfficeClickToR] -00000098 2.45058799 [NAK] :: [ ] eprocess : 0xFFFFDB0CD62E8080, [ com.docker.ser] -00000099 2.45059443 [NAK] :: [ ] eprocess : 0xFFFFDB0CD62E6080, [ IntelCpHDCPSvc] -00000100 2.45060039 [NAK] :: [ ] eprocess : 0xFFFFDB0CD63C80C0, [ svchost.exe] -00000101 2.45060635 [NAK] :: [ ] eprocess : 0xFFFFDB0CD63DF080, [ CxAudMsg64.exe] -00000102 2.45061231 [NAK] :: [ ] eprocess : 0xFFFFDB0CD63E2080, [ CxUtilSvc.exe] -00000103 2.45061851 [NAK] :: [ ] eprocess : 0xFFFFDB0CD6452080, [ DbxSvc.exe] -00000104 2.45062470 [NAK] :: [ ] eprocess : 0xFFFFDB0CD6456080, [ svchost.exe] -00000105 2.45063090 [NAK] :: [ ] eprocess : 0xFFFFDB0CD64E10C0, [ wlanext.exe] -00000106 2.45063686 [NAK] :: [ ] eprocess : 0xFFFFDB0CD64EE080, [ ibtsiva.exe] -00000107 2.45064282 [NAK] 
:: [ ] eprocess : 0xFFFFDB0CD65020C0, [ esif_uf.exe] -00000108 2.45064950 [NAK] :: [ ] eprocess : 0xFFFFDB0CD64EC080, [ EvtEng.exe] -00000109 2.45065570 [NAK] :: [ ] eprocess : 0xFFFFDB0CD6503080, [ FMService64.ex] -00000110 2.45066190 [NAK] :: [ ] eprocess : 0xFFFFDB0CD6522080, [ svchost.exe] -00000111 2.45066810 [NAK] :: [ ] eprocess : 0xFFFFDB0CD652A080, [ conhost.exe] -00000112 2.45070338 [NAK] :: [ ] eprocess : 0xFFFFDB0CD652B080, [ LegacyCsLoader] -00000113 2.45070910 [NAK] :: [ ] eprocess : 0xFFFFDB0CD6540080, [ svchost.exe] -00000114 2.45071411 [NAK] :: [ ] eprocess : 0xFFFFDB0CD6543080, [ IntelTechnolog] -00000115 2.45071912 [NAK] :: [ ] eprocess : 0xFFFFDB0CD3D9B080, [ IpOverUsbSvc.e] -00000116 2.45072436 [NAK] :: [ ] eprocess : 0xFFFFDB0CD659A080, [ NvTelemetryCon] -00000117 2.45072961 [NAK] :: [ ] eprocess : 0xFFFFDB0CD663F080, [ PnkBstrA.exe] -00000118 2.45078611 [NAK] :: [ ] eprocess : 0xFFFFDB0CD668B080, [ svchost.exe] -00000119 2.45079350 [NAK] :: [ ] eprocess : 0xFFFFDB0CD646F080, [ RtkAudUService] -00000120 2.45079875 [NAK] :: [ ] eprocess : 0xFFFFDB0CD6691080, [ RemoteServerWi] -00000121 2.45080400 [NAK] :: [ ] eprocess : 0xFFFFDB0CD6690080, [ SmartByteNetwo] -00000122 2.45080924 [NAK] :: [ ] eprocess : 0xFFFFDB0CD67970C0, [ svchost.exe] -00000123 2.45081472 [NAK] :: [ ] eprocess : 0xFFFFDB0CD6795080, [ svchost.exe] -00000124 2.45081997 [NAK] :: [ ] eprocess : 0xFFFFDB0CD679D080, [ SynTPEnhServic] -00000125 2.45083952 [NAK] :: [ ] eprocess : 0xFFFFDB0CD67C4080, [ sqlwriter.exe] -00000126 2.45084524 [NAK] :: [ ] eprocess : 0xFFFFDB0CD67C5080, [ ThunderboltSer] -00000127 2.45085025 [NAK] :: [ ] eprocess : 0xFFFFDB0CD685C080, [ TeamViewer_Ser] -00000128 2.45085549 [NAK] :: [ ] eprocess : 0xFFFFDB0CD68C60C0, [ svchost.exe] -00000129 2.45086122 [NAK] :: [ ] eprocess : 0xFFFFDB0CD68CE080, [ TrueColorALS.e] -00000130 2.45086622 [NAK] :: [ ] eprocess : 0xFFFFDB0CD68CF080, [ WmiPrvSE.exe] -00000131 2.45087171 [NAK] :: [ ] eprocess : 0xFFFFDB0CD691E080, [ 
vmware-authd.e] -00000132 2.45087647 [NAK] :: [ ] eprocess : 0xFFFFDB0CD690D080, [ vmnetdhcp.exe] -00000133 2.45088124 [NAK] :: [ ] eprocess : 0xFFFFDB0CD6910080, [ WmiPrvSE.exe] -00000134 2.45088649 [NAK] :: [ ] eprocess : 0xFFFFDB0CD6940080, [ vmware-usbarbi] -00000135 2.45089149 [NAK] :: [ ] eprocess : 0xFFFFDB0CD6947080, [ vmnat.exe] -00000136 2.45089650 [NAK] :: [ ] eprocess : 0xFFFFDB0CD69A00C0, [ WDDriveService] -00000137 2.45090151 [NAK] :: [ ] eprocess : 0xFFFFDB0CD69A5080, [ ZeroConfigServ] -00000138 2.45090675 [NAK] :: [ ] eprocess : 0xFFFFDB0CD69A3080, [ MsMpEng.exe] -00000139 2.45091200 [NAK] :: [ ] eprocess : 0xFFFFDB0CD6944080, [ svchost.exe] -00000140 2.45091677 [NAK] :: [ ] eprocess : 0xFFFFDB0CD69C9080, [ svchost.exe] -00000141 2.45092320 [NAK] :: [ ] eprocess : 0xFFFFDB0CD6A06080, [ unsecapp.exe] -00000142 2.45093346 [NAK] :: [ ] eprocess : 0xFFFFDB0CD6A71080, [ IntelCpHeciSvc] -00000143 2.45093966 [NAK] :: [ ] eprocess : 0xFFFFDB0CD6CCF080, [ svchost.exe] -00000144 2.45094514 [NAK] :: [ ] eprocess : 0xFFFFDB0CD6D6B080, [ igfxext.exe] -00000145 2.45095086 [NAK] :: [ ] eprocess : 0xFFFFDB0CD701C080, [ svchost.exe] -00000146 2.45095682 [NAK] :: [ ] eprocess : 0xFFFFDB0CC8D99080, [ svchost.exe] -00000147 2.45096517 [NAK] :: [ ] eprocess : 0xFFFFDB0CD71B0080, [ svchost.exe] -00000148 2.45100307 [NAK] :: [ ] eprocess : 0xFFFFDB0CD71D40C0, [ svchost.exe] -00000149 2.45100832 [NAK] :: [ ] eprocess : 0xFFFFDB0CD7296080, [ vmware-hostd.e] -00000150 2.45106411 [NAK] :: [ ] eprocess : 0xFFFFDB0CD7ADE080, [ svchost.exe] -00000151 2.45107079 [NAK] :: [ ] eprocess : 0xFFFFDB0CD74EB080, [ svchost.exe] -00000152 2.45107603 [NAK] :: [ ] eprocess : 0xFFFFDB0CD7BF6080, [ dllhost.exe] -00000153 2.45108151 [NAK] :: [ ] eprocess : 0xFFFFDB0CD79ED080, [ vmcompute.exe] -00000154 2.45109081 [NAK] :: [ ] eprocess : 0xFFFFDB0CD7FE6080, [ NisSrv.exe] -00000155 2.45109725 [NAK] :: [ ] eprocess : 0xFFFFDB0CE401A240, [ dptf_helper.ex] -00000156 2.45110250 [NAK] :: [ ] eprocess 
: 0xFFFFDB0CD606C080, [ SynTPEnh.exe]
-00000157 2.45110726 [NAK] :: [ ] eprocess : 0xFFFFDB0CE417F080, [ svchost.exe]
-00000158 2.45111251 [NAK] :: [ ] eprocess : 0xFFFFDB0CE4190080, [ SynTPEnh.exe]
-00000159 2.45111728 [NAK] :: [ ] eprocess : 0xFFFFDB0CE41E0080, [ svchost.exe]
-00000160 2.45112205 [NAK] :: [ ] eprocess : 0xFFFFDB0CE41E7200, [ sihost.exe]
-00000161 2.45112705 [NAK] :: [ ] eprocess : 0xFFFFDB0CE429E080, [ svchost.exe]
-00000162 2.45113230 [NAK] :: [ ] eprocess : 0xFFFFDB0CE42A1080, [ GoogleUpdate.e]
-00000163 2.45113730 [NAK] :: [ ] eprocess : 0xFFFFDB0CE42A2080, [ svchost.exe]
-00000164 2.45114326 [NAK] :: [ ] eprocess : 0xFFFFDB0CE42A3080, [ PresentationFo]
-00000165 2.45114899 [NAK] :: [ ] eprocess : 0xFFFFDB0CE42A60C0, [ taskhostw.exe]
-00000166 2.45115423 [NAK] :: [ ] eprocess : 0xFFFFDB0CE42A4080, [ DropboxUpdate.]
-00000167 2.45115948 [NAK] :: [ ] eprocess : 0xFFFFDB0CE42A8080, [ svchost.exe]
-00000168 2.45116448 [NAK] :: [ ] eprocess : 0xFFFFDB0CE4170080, [ svchost.exe]
-00000169 2.45116925 [NAK] :: [ ] eprocess : 0xFFFFDB0CE43E3200, [ ctfmon.exe]
-00000170 2.45117450 [NAK] :: [ ] eprocess : 0xFFFFDB0CE44130C0, [ SynTPHelper.ex]
-00000171 2.45117998 [NAK] :: [ ] eprocess : 0xFFFFDB0CE43E00C0, [ svchost.exe]
-00000172 2.45118690 [NAK] :: [ ] eprocess : 0xFFFFDB0CE45E2080, [ svchost.exe]
-00000173 2.45119190 [NAK] :: [ ] eprocess : 0xFFFFDB0CE4659080, [ ChsIME.exe]
-00000174 2.45119858 [NAK] :: [ ] eprocess : 0xFFFFDB0CE4663080, [ cmd.exe]
-00000175 2.45120525 [NAK] :: [ ] eprocess : 0xFFFFDB0CE4688080, [ userinit.exe]
-00000176 2.45121121 [NAK] :: [ ] eprocess : 0xFFFFDB0CE43F9080, [ explorer.exe]
-00000177 2.45122242 [NAK] :: [ ] eprocess : 0xFFFFDB0CE47460C0, [ igfxEM.exe]
-00000178 2.45122814 [NAK] :: [ ] eprocess : 0xFFFFDB0CE4784140, [ svchost.exe]
-00000179 2.45123363 [NAK] :: [ ] eprocess : 0xFFFFDB0CE48C5080, [ SearchIndexer.]
-00000180 2.45123911 [NAK] :: [ ] eprocess : 0xFFFFDB0CE4AAB080, [ svchost.exe]
-00000181 2.45124412 [NAK] :: [ ] eprocess : 0xFFFFDB0CD7E60080, [ StartMenuExper]
-00000182 2.45124960 [NAK] :: [ ] eprocess : 0xFFFFDB0CE4BE1080, [ RuntimeBroker.]
-00000183 2.45125484 [NAK] :: [ ] eprocess : 0xFFFFDB0CE4DB90C0, [ RuntimeBroker.]
-00000184 2.45126009 [NAK] :: [ ] eprocess : 0xFFFFDB0CE4EFC080, [ YourPhone.exe]
-00000185 2.45126510 [NAK] :: [ ] eprocess : 0xFFFFDB0CE60CE240, [ SkypeBackgroun]
-00000186 2.45127034 [NAK] :: [ ] eprocess : 0xFFFFDB0CE60F5080, [ SkypeApp.exe]
-00000187 2.45127559 [NAK] :: [ ] eprocess : 0xFFFFDB0CE611A140, [ RtkAudUService]
-00000188 2.45128155 [NAK] :: [ ] eprocess : 0xFFFFDB0CE4C240C0, [ TextInputHost.]
-00000189 2.45128727 [NAK] :: [ ] eprocess : 0xFFFFDB0CE6122080, [ svchost.exe]
-00000190 2.45129251 [NAK] :: [ ] eprocess : 0xFFFFDB0CE61540C0, [ RuntimeBroker.]
-00000191 2.45129871 [NAK] :: [ ] eprocess : 0xFFFFDB0CE4F860C0, [ RuntimeBroker.]
-00000192 2.45130372 [NAK] :: [ ] eprocess : 0xFFFFDB0CE61780C0, [ SettingSyncHos]
-00000193 2.45130992 [NAK] :: [ ] eprocess : 0xFFFFDB0CE7603080, [ ShellExperienc]
-00000194 2.45131564 [NAK] :: [ ] eprocess : 0xFFFFDB0CE636B080, [ RuntimeBroker.]
-00000195 2.45132089 [NAK] :: [ ] eprocess : 0xFFFFDB0CE7662080, [ GoogleCrashHan]
-00000196 2.45132637 [NAK] :: [ ] eprocess : 0xFFFFDB0CE40F5080, [ GoogleCrashHan]
-00000197 2.45133638 [NAK] :: [ ] eprocess : 0xFFFFDB0CE752D240, [ SecurityHealth]
-00000198 2.45134282 [NAK] :: [ ] eprocess : 0xFFFFDB0CE75B80C0, [ SecurityHealth]
-00000199 2.45134878 [NAK] :: [ ] eprocess : 0xFFFFDB0CE4E240C0, [ IAStorIconLaun]
-00000200 2.45135474 [NAK] :: [ ] eprocess : 0xFFFFDB0CE760B180, [ CAudioFilterAg]
-00000201 2.45136070 [NAK] :: [ ] eprocess : 0xFFFFDB0CE4D65080, [ sacpl.exe]
-00000202 2.45136642 [NAK] :: [ ] eprocess : 0xFFFFDB0CE63DE080, [ chrome.exe]
-00000203 2.45137191 [NAK] :: [ ] eprocess : 0xFFFFDB0CE600B080, [ chrome.exe]
-00000204 2.45137811 [NAK] :: [ ] eprocess : 0xFFFFDB0CE7731080, [ Docker Desktop]
-00000205 2.45138407 [NAK] :: [ ] eprocess : 0xFFFFDB0CE74D90C0, [ chrome.exe]
-00000206 2.45139003 [NAK] :: [ ] eprocess : 0xFFFFDB0CE77240C0, [ SmartAudio3.ex]
-00000207 2.45139718 [NAK] :: [ ] eprocess : 0xFFFFDB0CE77460C0, [ chrome.exe]
-00000208 2.45140362 [NAK] :: [ ] eprocess : 0xFFFFDB0CE77790C0, [ chrome.exe]
-00000209 2.45141029 [NAK] :: [ ] eprocess : 0xFFFFDB0CE4D130C0, [ RemoteServerWi]
-00000210 2.45141625 [NAK] :: [ ] eprocess : 0xFFFFDB0CE74DB080, [ runonce.exe]
-00000211 2.45142269 [NAK] :: [ ] eprocess : 0xFFFFDB0CE770B080, [ SearchApp.exe]
-00000212 2.45142937 [NAK] :: [ ] eprocess : 0xFFFFDB0CE7770080, [ chrome.exe]
-00000213 2.45146275 [NAK] :: [ ] eprocess : 0xFFFFDB0CE7705080, [ chrome.exe]
-00000214 2.45146966 [NAK] :: [ ] eprocess : 0xFFFFDB0CE775B080, [ chrome.exe]
-00000215 2.45147491 [NAK] :: [ ] eprocess : 0xFFFFDB0CE7710080, [ chrome.exe]
-00000216 2.45147991 [NAK] :: [ ] eprocess : 0xFFFFDB0CE774E080, [ chrome.exe]
-00000217 2.45148921 [NAK] :: [ ] eprocess : 0xFFFFDB0CE7720080, [ chrome.exe]
-00000218 2.45154881 [NAK] :: [ ] eprocess : 0xFFFFDB0CE63B0080, [ chrome.exe]
-00000219 2.45155478 [NAK] :: [ ] eprocess : 0xFFFFDB0CE775E080, [ chrome.exe]
-00000220 2.45156050 [NAK] :: [ ] eprocess : 0xFFFFDB0CE4DD8080, [ chrome.exe]
-00000221 2.45156598 [NAK] :: [ ] eprocess : 0xFFFFDB0CE4D14080, [ chrome.exe]
-00000222 2.45157194 [NAK] :: [ ] eprocess : 0xFFFFDB0CE65870C0, [ chrome.exe]
-00000223 2.45157766 [NAK] :: [ ] eprocess : 0xFFFFDB0CE663B080, [ chrome.exe]
-00000224 2.45158339 [NAK] :: [ ] eprocess : 0xFFFFDB0CE6577080, [ chrome.exe]
-00000225 2.45159316 [NAK] :: [ ] eprocess : 0xFFFFDB0CE6579080, [ chrome.exe]
-00000226 2.45160127 [NAK] :: [ ] eprocess : 0xFFFFDB0CE66C8080, [ chrome.exe]
-00000227 2.45160675 [NAK] :: [ ] eprocess : 0xFFFFDB0CE66CA0C0, [ chrome.exe]
-00000228 2.45161200 [NAK] :: [ ] eprocess : 0xFFFFDB0CE678A0C0, [ Dropbox.exe]
-00000229 2.45161724 [NAK] :: [ ] eprocess : 0xFFFFDB0CE6775080, [ chrome.exe]
-00000230 2.45162249 [NAK] :: [ ] eprocess : 0xFFFFDB0CE69130C0, [ vmware-tray.ex]
-00000231 2.45162797 [NAK] :: [ ] eprocess : 0xFFFFDB0CE691D200, [ Dropbox.exe]
-00000232 2.45163345 [NAK] :: [ ] eprocess : 0xFFFFDB0CE6385080, [ Dropbox.exe]
-00000233 2.45163870 [NAK] :: [ ] eprocess : 0xFFFFDB0CE694D080, [ Dropbox.exe]
-00000234 2.45164394 [NAK] :: [ ] eprocess : 0xFFFFDB0CE698A080, [ ioc.exe]
-00000235 2.45164895 [NAK] :: [ ] eprocess : 0xFFFFDB0CE6CCA080, [ aesm_service.e]
-00000236 2.45165420 [NAK] :: [ ] eprocess : 0xFFFFDB0CE48240C0, [ svchost.exe]
-00000237 2.45165992 [NAK] :: [ ] eprocess : 0xFFFFDB0CE70E90C0, [ DDVRulesProces]
-00000238 2.45166469 [NAK] :: [ ] eprocess : 0xFFFFDB0CE6921080, [ DSAPI.exe]
-00000239 2.45166969 [NAK] :: [ ] eprocess : 0xFFFFDB0CE4FF1080, [ svchost.exe]
-00000240 2.45167518 [NAK] :: [ ] eprocess : 0xFFFFDB0CE76D3080, [ IAStorIcon.exe]
-00000241 2.45167994 [NAK] :: [ ] eprocess : 0xFFFFDB0CE62CE080, [ ServiceShell.e]
-00000242 2.45168519 [NAK] :: [ ] eprocess : 0xFFFFDB0CE7A8B080, [ QtWebEnginePro]
-00000243 2.45172191 [NAK] :: [ ] eprocess : 0xFFFFDB0CE60C3080, [ QtWebEnginePro]
-00000244 2.45172691 [NAK] :: [ ] eprocess : 0xFFFFDB0CE79750C0, [ dllhost.exe]
-00000245 2.45178127 [NAK] :: [ ] eprocess : 0xFFFFDB0CE6B94080, [ msdtc.exe]
-00000246 2.45178795 [NAK] :: [ ] eprocess : 0xFFFFDB0CE7E15080, [ DolbyDAX2API.e]
-00000247 2.45179391 [NAK] :: [ ] eprocess : 0xFFFFDB0CE80E3080, [ IAStorDataMgrS]
-00000248 2.45184469 [NAK] :: [ ] eprocess : 0xFFFFDB0CE8170080, [ jhi_service.ex]
-00000249 2.45185089 [NAK] :: [ ] eprocess : 0xFFFFDB0CE816E080, [ LMS.exe]
-00000250 2.45185637 [NAK] :: [ ] eprocess : 0xFFFFDB0CE80800C0, [ SgrmBroker.exe]
-00000251 2.45186234 [NAK] :: [ ] eprocess : 0xFFFFDB0CE8255080, [ SupportAssistA]
-00000252 2.45186830 [NAK] :: [ ] eprocess : 0xFFFFDB0CE83240C0, [ DDVDataCollect]
-00000253 2.45187449 [NAK] :: [ ] eprocess : 0xFFFFDB0CE81760C0, [ DDVCollectorSv]
-00000254 2.45187998 [NAK] :: [ ] eprocess : 0xFFFFDB0CE833E080, [ com.docker.bac]
-00000255 2.45188618 [NAK] :: [ ] eprocess : 0xFFFFDB0CE824A080, [ conhost.exe]
-00000256 2.45189214 [NAK] :: [ ] eprocess : 0xFFFFDB0CE78DF080, [ Docker.Watchgu]
-00000257 2.45189881 [NAK] :: [ ] eprocess : 0xFFFFDB0CE7984080, [ conhost.exe]
-00000258 2.45190525 [NAK] :: [ ] eprocess : 0xFFFFDB0CE6C620C0, [ nvapiw.exe]
-00000259 2.45194554 [NAK] :: [ ] eprocess : 0xFFFFDB0CE84B9080, [ svchost.exe]
-00000260 2.45195246 [NAK] :: [ ] eprocess : 0xFFFFDB0CE87C5080, [ nvapiw.exe]
-00000261 2.45195770 [NAK] :: [ ] eprocess : 0xFFFFDB0CE8AA50C0, [ vpnkit-bridge.]
-00000262 2.45196295 [NAK] :: [ ] eprocess : 0xFFFFDB0CE8B020C0, [ conhost.exe]
-00000263 2.45196819 [NAK] :: [ ] eprocess : 0xFFFFDB0CE89940C0, [ chrome.exe]
-00000264 2.45197368 [NAK] :: [ ] eprocess : 0xFFFFDB0CE8CAD0C0, [ vpnkit.exe]
-00000265 2.45197892 [NAK] :: [ ] eprocess : 0xFFFFDB0CE4D240C0, [ Docker.Watchgu]
-00000266 2.45198512 [NAK] :: [ ] eprocess : 0xFFFFDB0CE8C95080, [ conhost.exe]
-00000267 2.45199060 [NAK] :: [ ] eprocess : 0xFFFFDB0CD5EB0080, [ conhost.exe]
-00000268 2.45199704 [NAK] :: [ ] eprocess : 0xFFFFDB0CD5C57080, [ vmwp.exe]
-00000269 2.45200205 [NAK] :: [ ] eprocess : 0xFFFFDB0CD61D50C0, [ vmmem]
-00000270 2.45200777 [NAK] :: [ ] eprocess : 0xFFFFDB0CD7973080, [ svchost.exe]
-00000271 2.45201302 [NAK] :: [ ] eprocess : 0xFFFFDB0CE8FEA0C0, [ HxTsr.exe]
-00000272 2.45201802 [NAK] :: [ ] eprocess : 0xFFFFDB0CEB3EE080, [ AcrobatNotific]
-00000273 2.45202327 [NAK] :: [ ] eprocess : 0xFFFFDB0CE8BC1240, [ com.docker.pro]
-00000274 2.45202851 [NAK] :: [ ] eprocess : 0xFFFFDB0CEB3CE240, [ Docker.Watchgu]
-00000275 2.45203400 [NAK] :: [ ] eprocess : 0xFFFFDB0CE90241C0, [ conhost.exe]
-00000276 2.45204043 [NAK] :: [ ] eprocess : 0xFFFFDB0CEB3CC0C0, [ conhost.exe]
-00000277 2.45204568 [NAK] :: [ ] eprocess : 0xFFFFDB0CE906E080, [ chrome.exe]
-00000278 2.45205069 [NAK] :: [ ] eprocess : 0xFFFFDB0CE9130280, [ RuntimeBroker.]
-00000279 2.45205593 [NAK] :: [ ] eprocess : 0xFFFFDB0CE9123240, [ chrome.exe]
-00000280 2.45206451 [NAK] :: [ ] eprocess : 0xFFFFDB0CE9129080, [ explorer.exe]
-00000281 2.45206928 [NAK] :: [ ] eprocess : 0xFFFFDB0CE4188080, [ MsMpEngCP.exe]
-00000282 2.45207453 [NAK] :: [ ] eprocess : 0xFFFFDB0CE9E11080, [ dllhost.exe]
-00000283 2.45208168 [NAK] :: [ ] eprocess : 0xFFFFDB0CE8CEE080, [ chrome.exe]
-00000284 2.45208979 [NAK] :: [ ] eprocess : 0xFFFFDB0CE9076100, [ chrome.exe]
-00000285 2.45209575 [NAK] :: [ ] eprocess : 0xFFFFDB0CEAB9E0C0, [ RuntimeBroker.]
-00000286 2.45210171 [NAK] :: [ ] eprocess : 0xFFFFDB0CEA7020C0, [ svchost.exe]
-00000287 2.45210838 [NAK] :: [ ] eprocess : 0xFFFFDB0CEA6920C0, [ Microsoft.Phot]
-00000288 2.45211363 [NAK] :: [ ] eprocess : 0xFFFFDB0CEA7350C0, [ RuntimeBroker.]
-00000289 2.45212007 [NAK] :: [ ] eprocess : 0xFFFFDB0CEADD0080, [ svchost.exe]
-00000290 2.45212650 [NAK] :: [ ] eprocess : 0xFFFFDB0CEA7DC240, [ chrome.exe]
-00000291 2.45213270 [NAK] :: [ ] eprocess : 0xFFFFDB0CE4B7E080, [ cmd.exe]
-00000292 2.45213914 [NAK] :: [ ] eprocess : 0xFFFFDB0CE7E530C0, [ YourPhoneServe]
-00000293 2.45215058 [NAK] :: [ ] eprocess : 0xFFFFDB0CE9079100, [ chrome.exe]
-00000294 2.45215774 [NAK] :: [ ] eprocess : 0xFFFFDB0CEB8680C0, [ nvapiw.exe]
-00000295 2.45216274 [NAK] :: [ ] eprocess : 0xFFFFDB0CEBABD0C0, [ chrome.exe]
-00000296 2.45216846 [NAK] :: [ ] eprocess : 0xFFFFDB0CED79A0C0, [ chrome.exe]
-00000297 2.45217371 [NAK] :: [ ] eprocess : 0xFFFFDB0CE4B54100, [ chrome.exe]
-00000298 2.45217919 [NAK] :: [ ] eprocess : 0xFFFFDB0CEB6020C0, [ chrome.exe]
-00000299 2.45218492 [NAK] :: [ ] eprocess : 0xFFFFDB0CED7560C0, [ HxTsr.exe]
-00000300 2.45219040 [NAK] :: [ ] eprocess : 0xFFFFDB0CECFE6240, [ svchost.exe]
-00000301 2.45219612 [NAK] :: [ ] eprocess : 0xFFFFDB0CEB0C5140, [ chrome.exe]
-00000302 2.45220160 [NAK] :: [ ] eprocess : 0xFFFFDB0CEB5350C0, [ chrome.exe]
-00000303 2.45220757 [NAK] :: [ ] eprocess : 0xFFFFDB0CEBA460C0, [ chrome.exe]
-00000304 2.45221806 [NAK] :: [ ] eprocess : 0xFFFFDB0CED740240, [ audiodg.exe]
-00000305 2.45222545 [NAK] :: [ ] eprocess : 0xFFFFDB0CEC9CE0C0, [ svchost.exe]
-00000306 2.45223069 [NAK] :: [ ] eprocess : 0xFFFFDB0CEB0B80C0, [ Dbgview.exe]
-00000307 2.45224094 [NAK] :: [ ] eprocess : 0xFFFFDB0CECBAD0C0, [ chrome.exe]
-00000308 2.45224690 [NAK] :: [ ] eprocess : 0xFFFFDB0CEBC8A0C0, [ chrome.exe]
-00000309 2.45225263 [NAK] :: [ ] eprocess : 0xFFFFDB0CF01A7180, [ goneovim.exe]
-00000310 2.45225763 [NAK] :: [ ] eprocess : 0xFFFFDB0CEB4860C0, [ nvim.exe]
-00000311 2.45226288 [NAK] :: [ ] eprocess : 0xFFFFDB0CE80E50C0, [ conhost.exe]
-00000312 2.45226884 [NAK] :: [ ] eprocess : 0xFFFFDB0CED8790C0, [ nvim.exe]
-00000313 2.45227480 [NAK] :: [ ] eprocess : 0xFFFFDB0CE91250C0, [ conhost.exe]
-00000314 2.45228028 [NAK] :: [ ] eprocess : 0xFFFFDB0CEAC350C0, [ python.exe]
-00000315 2.45228624 [NAK] :: [ ] eprocess : 0xFFFFDB0CECFCA0C0, [ conhost.exe]
-00000316 2.45229316 [NAK] :: [ ] eprocess : 0xFFFFDB0CEA3770C0, [ languageclient]
-00000317 2.45229888 [NAK] :: [ ] eprocess : 0xFFFFDB0CECD670C0, [ conhost.exe]
-00000318 2.45230412 [NAK] :: [ ] eprocess : 0xFFFFDB0CEBB130C0, [ python.exe]
-00000319 2.45230961 [NAK] :: [ ] eprocess : 0xFFFFDB0CEBB460C0, [ conhost.exe]
-00000320 2.45231557 [NAK] :: [ ] eprocess : 0xFFFFDB0CEB4DB0C0, [ python.exe]
-00000321 2.45232153 [NAK] :: [ ] eprocess : 0xFFFFDB0CED3130C0, [ python.exe]
-00000322 2.45232725 [NAK] :: [ ] eprocess : 0xFFFFDB0CEB9CE0C0, [ python.exe]
-00000323 2.45233750 [NAK] :: [ ] eprocess : 0xFFFFDB0CEF8680C0, [ python.exe]
-00000324 2.45234370 [NAK] :: [ ] eprocess : 0xFFFFDB0CEBB07080, [ cmd.exe]
-00000325 2.45234871 [NAK] :: [ ] eprocess : 0xFFFFDB0CE8BF8080, [ conhost.exe]
-00000326 2.45235419 [NAK] :: [ ] eprocess : 0xFFFFDB0CEB25C080, [ MSBuild.exe]
-00000327 2.45235968 [NAK] :: [ ] eprocess : 0xFFFFDB0CE8E9A0C0, [ Tracker.exe]
-00000328 2.45236444 [NAK] :: [ ] eprocess : 0xFFFFDB0CEBB16080, [ link.exe]
-00000329 2.45236969 [NAK] :: [ ] eprocess : 0xFFFFDB0CE8BFA080, [ mspdbsrv.exe]
-00000330 2.45237541 [NAK] :: [ ] eprocess : 0xFFFFDB0CECE950C0, [ SearchApp.exe]
-00000331 2.45238090 [NAK] :: [ ] eprocess : 0xFFFFDB0CED2A50C0, [ WmiApSrv.exe]
-00000332 2.45238590 [NAK] :: [ ] eprocess : 0xFFFFDB0CED7890C0, [ parse_pdb_for_]
-00000333 2.45239091 [NAK] :: [ ] nt!MiState : 0xFFFFF8031604F200
-00000334 2.45239520 [NAK] :: [ ] &systemNonPageInfo : 0xFFFF908180016010
-00000335 2.45239949 [NAK] :: [ ] &NonPagedPoolFirstVa : 0xFFFF908180016070
-00000336 2.45240402 [NAK] :: [ ] 
&NonPagedPoolLastVa : 0xFFFF908180016078 -00000337 2.45240879 [NAK] :: [+] nonPagedPoolStart : 0xffffdb0000000000 -00000338 2.45241356 [NAK] :: [+] nonPagedPoolEnd : 0xffffeb0000000000 -00000339 2.45241809 [NAK] :: [+] large page address : 0xFFFFF80316017ED8 -00000340 2.45242143 [NAK] :: [+] large page size : 0x10000 -00000341 2.45242405 [NAK] :: [+] Scanning -00000342 2.63246703 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CC8CB5080, [h…ËÖ ÛÿÿÍ] -00000343 2.63351870 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CC8D36090, [] -00000344 2.63428450 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CC8D99080, [svchost.exe] -00000345 2.63490915 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CC8DE70C0, [`vÞÈ Ûÿÿ] -00000346 2.87199759 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD1AA3080, [heªÑ Ûÿÿ]] -00000347 2.87527966 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD1C60140, [csrss.exe] -00000348 2.87539291 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD1C6D0C0, [smss.exe] -00000349 2.91730165 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD3A52140, [csrss.exe] -00000350 2.91731024 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD3A53080, [smss.exe] -00000351 2.91731691 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD3A54080, [wininit.exe] -00000352 2.91772556 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD3AAB080, [services.exe] -00000353 2.91788101 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD3AC9080, [lsass.exe] -00000354 2.91789341 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD3ACB080, [LsaIso.exe] -00000355 2.91916966 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD3BD8080, [svchost.exe] -00000356 2.91957378 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD3C2F080, [WUDFHost.exe] -00000357 2.91967535 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD3C430C0, [fontdrvhost.ex] -00000358 2.92035127 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD3CD1250, [] -00000359 2.92065287 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD3D10080, [svchost.exe] -00000360 2.92119598 [NAK] :: [ ] 
eprocess offset 0x80 : 0xFFFFDB0CD3D84080, [winlogon.exe]
-00000361 2.92130995 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD3D9B080, [IpOverUsbSvc.e]
-00000362 2.92196655 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD3E27080, [fontdrvhost.ex]
-00000363 2.92222476 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD3E5C080, [dwm.exe]
-00000364 2.92318130 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD3F210C0, [svchost.exe]
-00000365 2.92320132 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD3F25080, [svchost.exe]
-00000366 2.92332840 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD3F42080, [svchost.exe]
-00000367 2.92333937 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD3F44080, [svchost.exe]
-00000368 2.92338872 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD3F4F080, [svchost.exe]
-00000369 2.92341232 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD3F54080, [svchost.exe]
-00000370 2.92352891 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD3F6E0C0, [svchost.exe]
-00000371 2.92355919 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD3F74080, [svchost.exe]
-00000372 2.94584513 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD560C080, [svchost.exe]
-00000373 2.94587302 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD5611080, [svchost.exe]
-00000374 2.94614220 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD564A080, [svchost.exe]
-00000375 2.94631362 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD566F080, [svchost.exe]
-00000376 2.94632435 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD5671080, [svchost.exe]
-00000377 2.94663954 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD56B7080, [svchost.exe]
-00000378 2.94665051 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD56B9080, [svchost.exe]
-00000379 2.94742322 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD5757080, [svchost.exe]
-00000380 2.94771171 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD57970C0, [svchost.exe]
-00000381 2.94774199 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD579D080, [svchost.exe]
-00000382 2.94871163 [NAK] 
:: [ ] eprocess offset 0x80 : 0xFFFFDB0CD5868080, [svchost.exe] -00000383 2.94886303 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD5887080, [svchost.exe] -00000384 2.94891000 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD588E080, [dasHost.exe] -00000385 2.94898200 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD589C080, [svchost.exe] -00000386 2.94937444 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD58F0080, [svchost.exe] -00000387 2.94978309 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD59450C0, [svchost.exe] -00000388 2.94995356 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD5962080, [svchost.exe] -00000389 2.95025492 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD59A90C0, [svchost.exe] -00000390 2.95032954 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD59B8080, [vmms.exe] -00000391 2.95088482 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD5A250C0, [svchost.exe] -00000392 2.95094442 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD5A31080, [svchost.exe] -00000393 2.95211935 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD5B29080, [svchost.exe] -00000394 2.95217681 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD5B350C0, [svchost.exe] -00000395 2.95223808 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD5B42080, [NVDisplay.Cont] -00000396 2.95224428 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD5B43080, [svchost.exe] -00000397 2.95240355 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD5B65080, [svchost.exe] -00000398 2.95280814 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD5BBF080, [svchost.exe] -00000399 2.95308948 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD5BE8080, [svchost.exe] -00000400 2.95345449 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD5C2F0D0, [] -00000401 2.95360231 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD5C4E080, [igfxCUIService] -00000402 2.95364356 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD5C51080, [h%ÚÓ Ûÿÿ:] -00000403 2.95370793 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD5C57080, [vmwp.exe] -00000404 2.95459485 [NAK] :: [ ] 
eprocess offset 0x80 : 0xFFFFDB0CD5CCA0C0, [svchost.exe]
-00000405 2.95464444 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD5CCE080, [svchost.exe]
-00000406 2.95469213 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD5CD2080, [svchost.exe]
-00000407 2.95558810 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD5D840C0, [svchost.exe]
-00000408 2.95584178 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD5DBB080, [NVDisplay.Cont]
-00000409 2.95605445 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD5DE7080, [svchost.exe]
-00000410 2.95606661 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD5DE90C0, [svchost.exe]
-00000411 2.95652485 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD5E4A080, [svchost.exe]
-00000412 2.95666122 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD5E670C0, [svchost.exe]
-00000413 2.95700240 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD5EB0080, [conhost.exe]
-00000414 2.95702648 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD5EB5080, [svchost.exe]
-00000415 2.95726752 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD5EEA080, [svchost.exe]
-00000416 2.95727372 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD5EEB080, [svchost.exe]
-00000417 2.95740604 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD5F07080, [svchost.exe]
-00000418 2.95841455 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD5FE9080, [svchost.exe]
-00000419 2.95902801 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD606C080, [SynTPEnh.exe]
-00000420 2.95903516 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD606D080, [svchost.exe]
-00000421 2.96019650 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD6164080, [svchost.exe]
-00000422 2.96021247 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD6167080, [svchost.exe]
-00000423 2.96023345 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD616B080, [svchost.exe]
-00000424 2.96058130 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD61B40C0, [spoolsv.exe]
-00000425 2.96080041 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD61D50C0, [vmmem]
-00000426 2.96114516 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD621B080, [svchost.exe]
-00000427 2.96140885 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD6253080, [svchost.exe]
-00000428 2.96181417 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD62AE080, [armsvc.exe]
-00000429 2.96203542 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD62CB0C0, [AdobeUpdateSer]
-00000430 2.96219349 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD62DF080, [AGMService.exe]
-00000431 2.96224880 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD62E6080, [IntelCpHDCPSvc]
-00000432 2.96225882 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD62E7080, [OfficeClickToR]
-00000433 2.96226835 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD62E8080, [com.docker.ser]
-00000434 2.96370101 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD63C80C0, [svchost.exe]
-00000435 2.96385813 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD63DF080, [CxAudMsg64.exe]
-00000436 2.96388078 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD63E2080, [CxUtilSvc.exe]
-00000437 2.96463919 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD6452080, [DbxSvc.exe]
-00000438 2.96466875 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD6456080, [svchost.exe]
-00000439 2.96485615 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD646F080, [RtkAudUService]
-00000440 2.96563125 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD64E10C0, [wlanext.exe]
-00000441 2.96569848 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD64EC080, [EvtEng.exe]
-00000442 2.96571350 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD64EE080, [ibtsiva.exe]
-00000443 2.96585250 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD65020C0, [esif_uf.exe]
-00000444 2.96586204 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD6503080, [FMService64.ex]
-00000445 2.96607280 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD6522080, [svchost.exe]
-00000446 2.96612597 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD652A080, [conhost.exe]
-00000447 2.96613526 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD652B080, [LegacyCsLoader]
-00000448 2.96628666 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD6540080, [svchost.exe]
-00000449 2.96631217 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD6543080, [IntelTechnolog]
-00000450 2.96672440 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD659A080, [NvTelemetryCon]
-00000451 2.96746445 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD663F080, [PnkBstrA.exe]
-00000452 2.96781206 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD668B080, [svchost.exe]
-00000453 2.96783924 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD6690080, [SmartByteNetwo]
-00000454 2.96784568 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD6691080, [RemoteServerWi]
-00000455 2.96916771 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD6795080, [svchost.exe]
-00000456 2.96918273 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD67970C0, [svchost.exe]
-00000457 2.96923518 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD679D080, [SynTPEnhServic]
-00000458 2.96947789 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD67C4080, [sqlwriter.exe]
-00000459 2.96948504 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD67C5080, [ThunderboltSer]
-00000460 2.97019792 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD685C080, [TeamViewer_Ser]
-00000461 2.97067618 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD68C60C0, [svchost.exe]
-00000462 2.97071409 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD68CE080, [TrueColorALS.e]
-00000463 2.97072029 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD68CF080, [WmiPrvSE.exe]
-00000464 2.97099590 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD690D080, [vmnetdhcp.exe]
-00000465 2.97101235 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD6910080, [WmiPrvSE.exe]
-00000466 2.97107911 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD691E080, [vmware-authd.e]
-00000467 2.97123647 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD6940080, [vmware-usbarbi]
-00000468 2.97125530 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD6944080, [svchost.exe]
-00000469 2.97127104 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD6947080, [vmnat.exe]
-00000470 2.97165990 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD69A00C0, [WDDriveService]
-00000471 2.97167611 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD69A3080, [MsMpEng.exe]
-00000472 2.97168708 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD69A5080, [ZeroConfigServ]
-00000473 2.97186589 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD69C9080, [svchost.exe]
-00000474 2.97216320 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD6A06080, [unsecapp.exe]
-00000475 2.97266603 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD6A71080, [IntelCpHeciSvc]
-00000476 2.97543430 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD6CCF080, [svchost.exe]
-00000477 2.97611046 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD6D6B080, [igfxext.exe]
-00000478 2.97943473 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD701C080, [svchost.exe]
-00000479 2.98128009 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD71B0080, [svchost.exe]
-00000480 2.98144913 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD71D40C0, [svchost.exe]
-00000481 2.98282051 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD7296080, [vmware-hostd.e]
-00000482 2.98661041 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD74EB080, [svchost.exe]
-00000483 2.99496651 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD7973080, [svchost.exe]
-00000484 2.99584842 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD79ED080, [vmcompute.exe]
-00000485 2.99792528 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD7ADE080, [svchost.exe]
-00000486 3.00029874 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD7BF6080, [dllhost.exe]
-00000487 3.00457072 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD7E60080, [StartMenuExper]
-00000488 3.00676703 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CD7FE6080, [NisSrv.exe]
-00000489 3.28639555 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE401A250, []
-00000490 3.28735828 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE40F5080, [GoogleCrashHan]
-00000491 3.28799891 [NAK] :: [ ] 
eprocess offset 0x80 : 0xFFFFDB0CE4170080, [svchost.exe] -00000492 3.28811359 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE417F080, [svchost.exe] -00000493 3.28816867 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE4188080, [MsMpEngCP.exe] -00000494 3.28820729 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE4190080, [SynTPEnh.exe] -00000495 3.28860879 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE41E0080, [svchost.exe] -00000496 3.28864789 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE41E7210, [] -00000497 3.28950691 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE429E080, [svchost.exe] -00000498 3.28952146 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE42A1080, [GoogleUpdate.e] -00000499 3.28952718 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE42A2080, [svchost.exe] -00000500 3.28953314 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE42A3080, [PresentationFo] -00000501 3.28953886 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE42A4080, [DropboxUpdate.] -00000502 3.28954768 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE42A60C0, [taskhostw.exe] -00000503 3.28955722 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE42A8080, [svchost.exe] -00000504 3.29098248 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE43E00E0, [ˆÀ’× ÛÿÿˆÀ’× Ûÿ] -00000505 3.29099870 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE43E3200, [ctfmon.exe] -00000506 3.29109120 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE43F9080, [explorer.exe] -00000507 3.29118562 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE44130C0, [SynTPHelper.ex] -00000508 3.29326200 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE45E2080, [svchost.exe] -00000509 3.29384112 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE4659080, [ChsIME.exe] -00000510 3.29390001 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE4663080, [cmd.exe] -00000511 3.29411006 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE4688080, [userinit.exe] -00000512 3.29490852 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE47460C0, [igfxEM.exe] -00000513 3.29516125 [NAK] 
:: [ ] eprocess offset 0x80 : 0xFFFFDB0CE4784140, [svchost.exe]
-00000514 3.29586363 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE48240C0, [svchost.exe]
-00000515 3.29657674 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE48C5080, [SearchIndexer.]
-00000516 3.29871511 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE4AAB080, [svchost.exe]
-00000517 3.29944324 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE4B54100, [chrome.exe]
-00000518 3.29962206 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE4B7E080, [cmd.exe]
-00000519 3.30003691 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE4BE1080, [RuntimeBroker.]
-00000520 3.30031085 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE4C240C0, [TextInputHost.]
-00000521 3.30134678 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE4D130C0, [RemoteServerWi]
-00000522 3.30135274 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE4D14080, [chrome.exe]
-00000523 3.30142379 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE4D240C0, [Docker.Watchgu]
-00000524 3.30169678 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE4D650A0, []
-00000525 3.30205512 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE4DB90C0, [RuntimeBroker.]
-00000526 3.30219984 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE4DD8080, [chrome.exe]
-00000527 3.30251813 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE4E240C0, [IAStorIconLaun]
-00000528 3.30344009 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE4EFC080, [YourPhone.exe]
-00000529 3.30410147 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE4F860C0, [RuntimeBroker.]
-00000530 3.30456710 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE4FF1080, [svchost.exe] -00000531 3.30864000 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE600B080, [chrome.exe] -00000532 3.30942130 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE60C30A0, [] -00000533 3.30947471 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE60CE250, [] -00000534 3.30963230 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE60F5080, [SkypeApp.exe] -00000535 3.30979204 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE611A140, [RtkAudUService] -00000536 3.30982947 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE61220A0, [ˆ€EÖ Ûÿÿˆ€EÖ Ûÿ] -00000537 3.31002927 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE61540E0, [ˆðÐä ÛÿÿˆðÐä Ûÿ] -00000538 3.31019044 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE61780C0, [SettingSyncHos] -00000539 3.31176949 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE62CE080, [ServiceShell.e] -00000540 3.31246471 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE636B080, [RuntimeBroker.] -00000541 3.31258917 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE6385080, [Dropbox.exe] -00000542 3.31278801 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE63B0080, [chrome.exe] -00000543 3.31299162 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE63DE0A0, [] -00000544 3.31472635 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE6577080, [chrome.exe] -00000545 3.31473613 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE6579080, [chrome.exe] -00000546 3.31479931 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE65870C0, [chrome.exe] -00000547 3.31558490 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE663B080, [chrome.exe] -00000548 3.31617689 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE66C8080, [chrome.exe] -00000549 3.31618571 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE66CA0C0, [chrome.exe] -00000550 3.31693316 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE6775080, [chrome.exe] -00000551 3.31703353 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE678A0C0, [Dropbox.exe] -00000552 
3.31869006 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE69130C0, [vmware-tray.ex]
-00000553 3.31873870 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE691D1F0, []
-00000554 3.31876397 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE6921080, [DSAPI.exe]
-00000555 3.31897473 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE694D080, [Dropbox.exe]
-00000556 3.31926370 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE698A0A0, []
-00000557 3.32157469 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE6B94080, [msdtc.exe]
-00000558 3.32247639 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE6C620C0, [nvapiw.exe]
-00000559 3.32292271 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE6CCA080, [aesm_service.e]
-00000560 3.32754970 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE70E90C0, [DDVRulesProces]
-00000561 3.33183599 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE74D90C0, [chrome.exe]
-00000562 3.33184600 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE74DB080, [runonce.exe]
-00000563 3.33223796 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE752D250, []
-00000564 3.33284116 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE75B80C0, [SecurityHealth]
-00000565 3.33319354 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE7603080, [ShellExperienc]
-00000566 3.33323169 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE760B170, []
-00000567 3.33363795 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE7662080, [GoogleCrashHan]
-00000568 3.33412194 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE76D3080, [IAStorIcon.exe]
-00000569 3.33434391 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE7705080, [chrome.exe]
-00000570 3.33437157 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE770B080, [SearchApp.exe]
-00000571 3.33439684 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE7710080, [chrome.exe]
-00000572 3.33446765 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE7720080, [chrome.exe]
-00000573 3.33448601 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE77240C0, [SmartAudio3.ex]
-00000574 3.33454323 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE7731080, [Docker Desktop]
-00000575 3.33463645 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE77460C0, [chrome.exe]
-00000576 3.33467436 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE774E080, [chrome.exe]
-00000577 3.33473611 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE775B080, [chrome.exe]
-00000578 3.33474994 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE775E080, [chrome.exe]
-00000579 3.33483458 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE7770080, [chrome.exe]
-00000580 3.33487511 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE77790C0, [chrome.exe]
-00000581 3.33648634 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE78DF080, [Docker.Watchgu]
-00000582 3.33714986 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE79750C0, [dllhost.exe]
-00000583 3.33721972 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE7984080, [conhost.exe]
-00000584 3.33837271 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE7A8B080, [QtWebEnginePro]
-00000585 3.34235191 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE7E15080, [DolbyDAX2API.e]
-00000586 3.34262753 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE7E530C0, [YourPhoneServe]
-00000587 3.34525514 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE80800C0, [SgrmBroker.exe]
-00000588 3.34568691 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE80E3080, [IAStorDataMgrS]
-00000589 3.34569359 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE80E50C0, [conhost.exe]
-00000590 3.34627342 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE816E080, [LMS.exe]
-00000591 3.34628510 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE8170080, [jhi_service.ex]
-00000592 3.34630871 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE81760C0, [DDVCollectorSv]
-00000593 3.34719944 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE824A080, [conhost.exe]
-00000594 3.34724712 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE8255080, [SupportAssistA]
-00000595 3.34816432 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE83240C0, [DDVDataCollect]
-00000596 3.34828162 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE833E080, [com.docker.bac]
-00000597 3.34985566 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE84B9080, [svchost.exe]
-00000598 3.35335588 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE87C5080, [nvapiw.exe]
-00000599 3.35537553 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE89940C0, [chrome.exe]
-00000600 3.35656047 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE8AA50D0, []
-00000601 3.35697365 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE8B020C0, [conhost.exe]
-00000602 3.35779047 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE8BC1240, [com.docker.pro]
-00000603 3.35801768 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE8BF8080, [conhost.exe]
-00000604 3.35802770 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE8BFA080, [mspdbsrv.exe]
-00000605 3.35872483 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE8C95080, [conhost.exe]
-00000606 3.35882521 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE8CAD0C0, [vpnkit.exe]
-00000607 3.35910034 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE8CEE080, [chrome.exe]
-00000608 3.36116886 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE8E9A0C0, [Tracker.exe]
-00000609 3.36263990 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE8FEA0C0, [HxTsr.exe]
-00000610 3.36290050 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE90241D0, []
-00000611 3.36324644 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE906E080, [chrome.exe]
-00000612 3.36327887 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE90760F0, []
-00000613 3.36329150 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE90790F0, []
-00000614 3.36407995 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE9123230, []
-00000615 3.36408949 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE91250C0, [conhost.exe]
-00000616 3.36410761 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE9129080, [explorer.exe]
-00000617 3.36413932 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CE9130270, []
-00000618 3.37451839 [NAK] :: [ ] eprocess offset 0x80 : 
0xFFFFDB0CE9E11080, [dllhost.exe] -00000619 3.38101768 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CEA3770C0, [languageclient] -00000620 3.38458967 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CEA6920C0, [Microsoft.Phot] -00000621 3.38509631 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CEA7020C0, [svchost.exe] -00000622 3.38530755 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CEA7350C0, [RuntimeBroker.] -00000623 3.38608718 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CEA7DC250, [] -00000624 3.39062309 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CEAB9E0C0, [RuntimeBroker.] -00000625 3.39129710 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CEAC350C0, [python.exe] -00000626 3.39329767 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CEADD0080, [svchost.exe] -00000627 3.39734554 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CEB0B80C0, [Dbgview.exe] -00000628 3.39742398 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CEB0C5140, [chrome.exe] -00000629 3.39953208 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CEB25C080, [MSBuild.exe] -00000630 3.40128160 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CEB3CC0C0, [conhost.exe] -00000631 3.40129328 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CEB3CE250, [] -00000632 3.40144920 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CEB3EE080, [AcrobatNotific] -00000633 3.40218401 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CEB4860C0, [nvim.exe] -00000634 3.40258121 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CEB4DB0C0, [python.exe] -00000635 3.40300751 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CEB5350C0, [chrome.exe] -00000636 3.40410805 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CEB6020C0, [chrome.exe] -00000637 3.40424156 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CEB61D080, [conhost.exe] -00000638 3.40674567 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CEB8680C0, [nvapiw.exe] -00000639 3.40698719 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CEB89F080, [conhost.exe] -00000640 3.40811443 [NAK] :: [ ] eprocess offset 0x80 : 
0xFFFFDB0CEB9CE0C0, [python.exe] -00000641 3.40863681 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CEBA460C0, [chrome.exe] -00000642 3.40906000 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CEBABD0C0, [chrome.exe] -00000643 3.40936565 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CEBB07080, [cmd.exe] -00000644 3.40941429 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CEBB130C0, [python.exe] -00000645 3.40942931 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CEBB16080, [link.exe] -00000646 3.40962291 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CEBB460C0, [conhost.exe] -00000647 3.41114521 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CEBC8A0C0, [chrome.exe] -00000648 3.42360640 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CEC9CE0C0, [svchost.exe] -00000649 3.42558122 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CECBAD0C0, [chrome.exe] -00000650 3.42760444 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CECD670C0, [conhost.exe] -00000651 3.42910671 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CECE950C0, [SearchApp.exe] -00000652 3.43050885 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CECFCA0C0, [conhost.exe] -00000653 3.43063807 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CECFE6250, [] -00000654 3.43387008 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CED2A50C0, [WmiApSrv.exe] -00000655 3.43430996 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CED3130C0, [python.exe] -00000656 3.43888521 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CED730080, [Tracker.exe] -00000657 3.43895841 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CED740250, [] -00000658 3.43905997 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CED7560C0, [HxTsr.exe] -00000659 3.43929195 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CED7890C0, [parse_pdb_for_] -00000660 3.43935728 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CED798080, [conhost.exe] -00000661 3.43936372 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CED79A0C0, [chrome.exe] -00000662 3.43977690 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CED7FE080, 
[signtool.exe] -00000663 3.44034481 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CED8790C0, [nvim.exe] -00000664 3.44190884 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CEF8680C0, [python.exe] -00000665 3.44340634 [NAK] :: [ ] eprocess offset 0x80 : 0xFFFFDB0CF01A7170, [] -00000666 33.47640610 [NAK] :: [+] Finish scanning -00000667 33.47640991 [NAK] :: [-] Scan large pool not supported yet -00000668 33.47682190 [NAK] :: [+] Goodbye from Kernel \ No newline at end of file