Sample repl setup

Use address type to represent address
Decompose address with ease using DriverState.decompose

.cargo/config

@@ -0,0 +1,2 @@
+[target.x86_64-pc-windows-msvc]
+rustflags = ["-Ctarget-feature=+crt-static"]

Cargo.lock

@@ -5,6 +5,17 @@ name = "anyhow"
 version = "1.0.26"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 
+[[package]]
+name = "app_dirs"
+version = "1.2.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+dependencies = [
+ "ole32-sys 0.2.0 (registry+https://github.com/rust-lang/crates.io-index)",
+ "shell32-sys 0.1.2 (registry+https://github.com/rust-lang/crates.io-index)",
+ "winapi 0.2.8 (registry+https://github.com/rust-lang/crates.io-index)",
+ "xdg 2.2.0 (registry+https://github.com/rust-lang/crates.io-index)",
+]
+
 [[package]]
 name = "autocfg"
 version = "1.0.0"
@@ -48,6 +59,16 @@ name = "cfg-if"
 version = "0.1.10"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 
+[[package]]
+name = "chrono"
+version = "0.4.10"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+dependencies = [
+ "num-integer 0.1.42 (registry+https://github.com/rust-lang/crates.io-index)",
+ "num-traits 0.2.11 (registry+https://github.com/rust-lang/crates.io-index)",
+ "time 0.1.42 (registry+https://github.com/rust-lang/crates.io-index)",
+]
+
 [[package]]
 name = "core-foundation"
 version = "0.6.4"
@@ -197,11 +218,6 @@ dependencies = [
  "libc 0.2.66 (registry+https://github.com/rust-lang/crates.io-index)",
 ]
 
-[[package]]
-name = "hex"
-version = "0.4.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-
 [[package]]
 name = "http"
 version = "0.2.0"
@@ -327,6 +343,19 @@ dependencies = [
  "cfg-if 0.1.10 (registry+https://github.com/rust-lang/crates.io-index)",
 ]
 
+[[package]]
+name = "lpus"
+version = "0.1.0"
+dependencies = [
+ "app_dirs 1.2.1 (registry+https://github.com/rust-lang/crates.io-index)",
+ "chrono 0.4.10 (registry+https://github.com/rust-lang/crates.io-index)",
+ "pdb 0.5.0 (registry+https://github.com/rust-lang/crates.io-index)",
+ "reqwest 0.10.1 (registry+https://github.com/rust-lang/crates.io-index)",
+ "serde_json 1.0.55 (registry+https://github.com/rust-lang/crates.io-index)",
+ "widestring 0.4.2 (registry+https://github.com/rust-lang/crates.io-index)",
+ "winapi 0.3.8 (registry+https://github.com/rust-lang/crates.io-index)",
+]
+
 [[package]]
 name = "matches"
 version = "0.1.8"
@@ -416,6 +445,23 @@ dependencies = [
  "version_check 0.1.5 (registry+https://github.com/rust-lang/crates.io-index)",
 ]
 
+[[package]]
+name = "num-integer"
+version = "0.1.42"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+dependencies = [
+ "autocfg 1.0.0 (registry+https://github.com/rust-lang/crates.io-index)",
+ "num-traits 0.2.11 (registry+https://github.com/rust-lang/crates.io-index)",
+]
+
+[[package]]
+name = "num-traits"
+version = "0.2.11"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+dependencies = [
+ "autocfg 1.0.0 (registry+https://github.com/rust-lang/crates.io-index)",
+]
+
 [[package]]
 name = "num_cpus"
 version = "1.12.0"
@@ -425,6 +471,15 @@ dependencies = [
  "libc 0.2.66 (registry+https://github.com/rust-lang/crates.io-index)",
 ]
 
+[[package]]
+name = "ole32-sys"
+version = "0.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+dependencies = [
+ "winapi 0.2.8 (registry+https://github.com/rust-lang/crates.io-index)",
+ "winapi-build 0.1.1 (registry+https://github.com/rust-lang/crates.io-index)",
+]
+
 [[package]]
 name = "openssl"
 version = "0.10.28"
@@ -455,17 +510,6 @@ dependencies = [
  "vcpkg 0.2.8 (registry+https://github.com/rust-lang/crates.io-index)",
 ]
 
-[[package]]
-name = "parse_pdb_for_offsets"
-version = "0.1.0"
-dependencies = [
- "hex 0.4.2 (registry+https://github.com/rust-lang/crates.io-index)",
- "pdb 0.5.0 (registry+https://github.com/rust-lang/crates.io-index)",
- "reqwest 0.10.1 (registry+https://github.com/rust-lang/crates.io-index)",
- "widestring 0.4.0 (registry+https://github.com/rust-lang/crates.io-index)",
- "winapi 0.3.8 (registry+https://github.com/rust-lang/crates.io-index)",
-]
-
 [[package]]
 name = "pdb"
 version = "0.5.0"
@@ -715,7 +759,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 
 [[package]]
 name = "serde_json"
-version = "1.0.48"
+version = "1.0.55"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 dependencies = [
  "itoa 0.4.5 (registry+https://github.com/rust-lang/crates.io-index)",
@@ -734,6 +778,15 @@ dependencies = [
  "url 2.1.1 (registry+https://github.com/rust-lang/crates.io-index)",
 ]
 
+[[package]]
+name = "shell32-sys"
+version = "0.1.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+dependencies = [
+ "winapi 0.2.8 (registry+https://github.com/rust-lang/crates.io-index)",
+ "winapi-build 0.1.1 (registry+https://github.com/rust-lang/crates.io-index)",
+]
+
 [[package]]
 name = "slab"
 version = "0.4.2"
@@ -930,7 +983,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 dependencies = [
  "cfg-if 0.1.10 (registry+https://github.com/rust-lang/crates.io-index)",
  "serde 1.0.104 (registry+https://github.com/rust-lang/crates.io-index)",
- "serde_json 1.0.48 (registry+https://github.com/rust-lang/crates.io-index)",
+ "serde_json 1.0.55 (registry+https://github.com/rust-lang/crates.io-index)",
  "wasm-bindgen-macro 0.2.58 (registry+https://github.com/rust-lang/crates.io-index)",
 ]
 
@@ -1022,7 +1075,7 @@ dependencies = [
 
 [[package]]
 name = "widestring"
-version = "0.4.0"
+version = "0.4.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 
 [[package]]
@@ -1071,8 +1124,14 @@ dependencies = [
  "winapi-build 0.1.1 (registry+https://github.com/rust-lang/crates.io-index)",
 ]
 
+[[package]]
+name = "xdg"
+version = "2.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+
 [metadata]
 "checksum anyhow 1.0.26 (registry+https://github.com/rust-lang/crates.io-index)" = "7825f6833612eb2414095684fcf6c635becf3ce97fe48cf6421321e93bfbd53c"
+"checksum app_dirs 1.2.1 (registry+https://github.com/rust-lang/crates.io-index)" = "e73a24bad9bd6a94d6395382a6c69fe071708ae4409f763c5475e14ee896313d"
 "checksum autocfg 1.0.0 (registry+https://github.com/rust-lang/crates.io-index)" = "f8aac770f1885fd7e387acedd76065302551364496e46b3dd00860b2f8359b9d"
 "checksum base64 0.11.0 (registry+https://github.com/rust-lang/crates.io-index)" = "b41b7ea54a0c9d92199de89e20e58d49f02f8e699814ef3fdf266f6f748d15c7"
 "checksum bitflags 1.2.1 (registry+https://github.com/rust-lang/crates.io-index)" = "cf1de2fe8c75bc145a2f577add951f8134889b4795d47466a54a5c846d691693"
@@ -1081,6 +1140,7 @@ dependencies = [
 "checksum c2-chacha 0.2.3 (registry+https://github.com/rust-lang/crates.io-index)" = "214238caa1bf3a496ec3392968969cab8549f96ff30652c9e56885329315f6bb"
 "checksum cc 1.0.50 (registry+https://github.com/rust-lang/crates.io-index)" = "95e28fa049fda1c330bcf9d723be7663a899c4679724b34c81e9f5a326aab8cd"
 "checksum cfg-if 0.1.10 (registry+https://github.com/rust-lang/crates.io-index)" = "4785bdd1c96b2a846b2bd7cc02e86b6b3dbf14e7e53446c4f54c92a361040822"
+"checksum chrono 0.4.10 (registry+https://github.com/rust-lang/crates.io-index)" = "31850b4a4d6bae316f7a09e691c944c28299298837edc0a03f755618c23cbc01"
 "checksum core-foundation 0.6.4 (registry+https://github.com/rust-lang/crates.io-index)" = "25b9e03f145fd4f2bf705e07b900cd41fc636598fe5dc452fd0db1441c3f496d"
 "checksum core-foundation-sys 0.6.2 (registry+https://github.com/rust-lang/crates.io-index)" = "e7ca8a5221364ef15ce201e8ed2f609fc312682a8f4e0e3d4aa5879764e0fa3b"
 "checksum dtoa 0.4.5 (registry+https://github.com/rust-lang/crates.io-index)" = "4358a9e11b9a09cf52383b451b49a169e8d797b68aa02301ff586d70d9661ea3"
@@ -1101,7 +1161,6 @@ dependencies = [
 "checksum h2 0.2.1 (registry+https://github.com/rust-lang/crates.io-index)" = "b9433d71e471c1736fd5a61b671fc0b148d7a2992f666c958d03cd8feb3b88d1"
 "checksum heck 0.3.1 (registry+https://github.com/rust-lang/crates.io-index)" = "20564e78d53d2bb135c343b3f47714a56af2061f1c928fdb541dc7b9fdd94205"
 "checksum hermit-abi 0.1.6 (registry+https://github.com/rust-lang/crates.io-index)" = "eff2656d88f158ce120947499e971d743c05dbcbed62e5bd2f38f1698bbc3772"
-"checksum hex 0.4.2 (registry+https://github.com/rust-lang/crates.io-index)" = "644f9158b2f133fd50f5fb3242878846d9eb792e445c893805ff0e3824006e35"
 "checksum http 0.2.0 (registry+https://github.com/rust-lang/crates.io-index)" = "b708cc7f06493459026f53b9a61a7a121a5d1ec6238dee58ea4941132b30156b"
 "checksum http-body 0.3.1 (registry+https://github.com/rust-lang/crates.io-index)" = "13d5ff830006f7646652e057693569bfe0d51760c0085a071769d142a205111b"
 "checksum httparse 1.3.4 (registry+https://github.com/rust-lang/crates.io-index)" = "cd179ae861f0c2e53da70d892f5f3029f9594be0c41dc5269cd371691b1dc2f9"
@@ -1125,7 +1184,10 @@ dependencies = [
 "checksum native-tls 0.2.3 (registry+https://github.com/rust-lang/crates.io-index)" = "4b2df1a4c22fd44a62147fd8f13dd0f95c9d8ca7b2610299b2a2f9cf8964274e"
 "checksum net2 0.2.33 (registry+https://github.com/rust-lang/crates.io-index)" = "42550d9fb7b6684a6d404d9fa7250c2eb2646df731d1c06afc06dcee9e1bcf88"
 "checksum nom 4.2.3 (registry+https://github.com/rust-lang/crates.io-index)" = "2ad2a91a8e869eeb30b9cb3119ae87773a8f4ae617f41b1eb9c154b2905f7bd6"
+"checksum num-integer 0.1.42 (registry+https://github.com/rust-lang/crates.io-index)" = "3f6ea62e9d81a77cd3ee9a2a5b9b609447857f3d358704331e4ef39eb247fcba"
+"checksum num-traits 0.2.11 (registry+https://github.com/rust-lang/crates.io-index)" = "c62be47e61d1842b9170f0fdeec8eba98e60e90e5446449a0545e5152acd7096"
 "checksum num_cpus 1.12.0 (registry+https://github.com/rust-lang/crates.io-index)" = "46203554f085ff89c235cd12f7075f3233af9b11ed7c9e16dfe2560d03313ce6"
+"checksum ole32-sys 0.2.0 (registry+https://github.com/rust-lang/crates.io-index)" = "5d2c49021782e5233cd243168edfa8037574afed4eba4bbaf538b3d8d1789d8c"
 "checksum openssl 0.10.28 (registry+https://github.com/rust-lang/crates.io-index)" = "973293749822d7dd6370d6da1e523b0d1db19f06c459134c658b2a4261378b52"
 "checksum openssl-probe 0.1.2 (registry+https://github.com/rust-lang/crates.io-index)" = "77af24da69f9d9341038eba93a073b1fdaaa1b788221b00a69bce9e762cb32de"
 "checksum openssl-sys 0.9.54 (registry+https://github.com/rust-lang/crates.io-index)" = "1024c0a59774200a555087a6da3f253a9095a5f344e353b212ac4c8b8e450986"
@@ -1158,8 +1220,9 @@ dependencies = [
 "checksum semver 0.9.0 (registry+https://github.com/rust-lang/crates.io-index)" = "1d7eb9ef2c18661902cc47e535f9bc51b78acd254da71d375c2f6720d9a40403"
 "checksum semver-parser 0.7.0 (registry+https://github.com/rust-lang/crates.io-index)" = "388a1df253eca08550bef6c72392cfe7c30914bf41df5269b68cbd6ff8f570a3"
 "checksum serde 1.0.104 (registry+https://github.com/rust-lang/crates.io-index)" = "414115f25f818d7dfccec8ee535d76949ae78584fc4f79a6f45a904bf8ab4449"
-"checksum serde_json 1.0.48 (registry+https://github.com/rust-lang/crates.io-index)" = "9371ade75d4c2d6cb154141b9752cf3781ec9c05e0e5cf35060e1e70ee7b9c25"
+"checksum serde_json 1.0.55 (registry+https://github.com/rust-lang/crates.io-index)" = "ec2c5d7e739bc07a3e73381a39d61fdb5f671c60c1df26a130690665803d8226"
 "checksum serde_urlencoded 0.6.1 (registry+https://github.com/rust-lang/crates.io-index)" = "9ec5d77e2d4c73717816afac02670d5c4f534ea95ed430442cad02e7a6e32c97"
+"checksum shell32-sys 0.1.2 (registry+https://github.com/rust-lang/crates.io-index)" = "9ee04b46101f57121c9da2b151988283b6beb79b34f5bb29a58ee48cb695122c"
 "checksum slab 0.4.2 (registry+https://github.com/rust-lang/crates.io-index)" = "c111b5bd5695e56cffe5129854aa230b39c93a305372fdbb2668ca2394eea9f8"
 "checksum smallvec 1.2.0 (registry+https://github.com/rust-lang/crates.io-index)" = "5c2fb2ec9bcd216a5b0d0ccf31ab17b5ed1d627960edff65bbe95d3ce221cefc"
 "checksum sourcefile 0.1.4 (registry+https://github.com/rust-lang/crates.io-index)" = "4bf77cb82ba8453b42b6ae1d692e4cdc92f9a47beaf89a847c8be83f4e328ad3"
@@ -1194,7 +1257,7 @@ dependencies = [
 "checksum wasm-bindgen-webidl 0.2.58 (registry+https://github.com/rust-lang/crates.io-index)" = "ef012a0d93fc0432df126a8eaf547b2dce25a8ce9212e1d3cbeef5c11157975d"
 "checksum web-sys 0.3.35 (registry+https://github.com/rust-lang/crates.io-index)" = "aaf97caf6aa8c2b1dac90faf0db529d9d63c93846cca4911856f78a83cebf53b"
 "checksum weedle 0.10.0 (registry+https://github.com/rust-lang/crates.io-index)" = "3bb43f70885151e629e2a19ce9e50bd730fd436cfd4b666894c9ce4de9141164"
-"checksum widestring 0.4.0 (registry+https://github.com/rust-lang/crates.io-index)" = "effc0e4ff8085673ea7b9b2e3c73f6bd4d118810c9009ed8f1e16bd96c331db6"
+"checksum widestring 0.4.2 (registry+https://github.com/rust-lang/crates.io-index)" = "a763e303c0e0f23b0da40888724762e802a8ffefbc22de4127ef42493c2ea68c"
 "checksum winapi 0.2.8 (registry+https://github.com/rust-lang/crates.io-index)" = "167dc9d6949a9b857f3451275e911c3f44255842c1f7a76f33c55103a909087a"
 "checksum winapi 0.3.8 (registry+https://github.com/rust-lang/crates.io-index)" = "8093091eeb260906a183e6ae1abdba2ef5ef2257a21801128899c3fc699229c6"
 "checksum winapi-build 0.1.1 (registry+https://github.com/rust-lang/crates.io-index)" = "2d315eee3b34aca4797b2da6b13ed88266e6d612562a0c46390af8299fc699bc"
@@ -1202,3 +1265,4 @@ dependencies = [
 "checksum winapi-x86_64-pc-windows-gnu 0.4.0 (registry+https://github.com/rust-lang/crates.io-index)" = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f"
 "checksum winreg 0.6.2 (registry+https://github.com/rust-lang/crates.io-index)" = "b2986deb581c4fe11b621998a5e53361efe6b48a151178d0cd9eeffa4dc6acc9"
 "checksum ws2_32-sys 0.2.1 (registry+https://github.com/rust-lang/crates.io-index)" = "d59cefebd0c892fa2dd6de581e937301d8552cb44489cdff035c6187cb63fa5e"
+"checksum xdg 2.2.0 (registry+https://github.com/rust-lang/crates.io-index)" = "d089681aa106a86fade1b0128fb5daf07d5867a509ab036d99988dec80429a57"

Cargo.toml

@@ -1,14 +1,20 @@
 [package]
-name = "parse_pdb_for_offsets"
+name = "lpus"
 version = "0.1.0"
 authors = ["nganhkhoa <mail.nganhkhoa@gmail.com>"]
+description = "Live pool tag scanning frontend"
 edition = "2018"
 
-# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
+#  See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
+[lib]
+name = "lpus"
+doctest = false
 
 [dependencies]
-hex = "0.4.2"
+app_dirs = "1.2.1"
 pdb = "0.5.0"
+chrono = "0.4"
 widestring = "0.4.0"
-winapi = { version = "0.3.8", features = ["libloaderapi", "processthreadsapi", "winbase", "securitybaseapi", "handleapi", "winnt", "winreg"] }
+winapi = { version = "0.3.8", features = ["libloaderapi", "processthreadsapi", "winbase", "securitybaseapi", "handleapi", "winnt", "winreg", "fileapi", "ioapiset", "winioctl", "errhandlingapi", "sysinfoapi"] }
 reqwest = { version = "0.10.1", features = ["blocking"] }
+serde_json = "1.0.55"

README.md

@@ -1,558 +1,35 @@
-> If you came here for `MmNonPagedPoolStart`, `MmNonPagedPoolEnd`, you ended up at the right place.
+# LPUS (A live pool-tag scanning solution)
 
-`NonPagedPool` in Windows has two variables that defined the start and end of the section in kernel memory. Online blog posts and tutorials show an outdated version of these two variables.
+This is the frontend to the live pool tag scanning solution, the backend is a driver (which is now closed source).
 
-Take a look at [this old post](https://web.archive.org/web/20061110120809/http://www.rootkit.com/newsread.php?newsid=153). `_DBGKD_GET_VERSION64 KdVersionBlock` was a very important structure into the debugger block of Windows. However, if you try to find this structure in Windows 10, you will hit `KdVersionBlock == 0` (Ouch!!!). But this structure provides offset into `MmNonPagedPool{Start,End}`, how can we get those?
+## How this works
 
-Luckily, both `MmNonPagedPoolStart` and `MmNonPagedPoolEnd` in Windows XP, can be found by offseting from `ntoskrnl.exe`. Rekall team are very positive that their tools doesn't rely on profiles file like Volatility but use PDB provided by Windows to find these values.
+In simple way, we use PDB files to get the global variable offsets and structure definitions.
+The backend finds the kernel base and use these values to calculate the nonpaged-pool range.
+A more detailed report is in [nonpaged-pool-range.md](nonpaged-pool-range.md)
+The frontend calls the backend to scan for a specific tag.
 
-In [Rekall source code](https://github.com/google/rekall/blob/c5d68e31705f4b5bd2581c1d951b7f6983f7089c/rekall-core/rekall/plugins/windows/pool.py#L87), the values of those variables are:
+## How to use
 
-- Windows XP: `MmNonPagedPool{Start,End}`
-- Windows 7 and maybe 8: `MiNonPagedPoolStartAligned`, `MiNonPagedPoolEnd`, and `MiNonPagedPoolBitMap`
-- Windows 10 below
+Example is [here](./src/bin/eprocess_scan.rs).
 
-In Windows 7, 8, another field was added to controll the allocation of `NonPagedPool`, which is why there is [this paper about pool tag quick scanning](https://www.sciencedirect.com/science/article/pii/S1742287616000062).
+```rust
+use lpus::{
+    driver_state::{DriverState}
+};
 
-However, from Windows 10, the whole game changed around when the global offset to those (similar) variables are gone. Instead Windows 10 introduced a new variable `MiState`. `MiState` offset is available and we can get those start/end variables by either:
-
-- Windows 2015: `*((ntoskrnl.exe+MiState)->SystemNodeInformation->NonPagedPool{First,Last}Va)`
-- Windows 2016: `*((ntoskrnl.exe+MiState)->Hardware.SystemNodeInformation->NonPagedPool{First,Last}Va)`
-
-The `NonPagedBitMap` was still visible untill the May 2019 Update, here, take a look at these 2 consecutive update [`1809 Redstone 5 (October Update)`](https://www.vergiliusproject.com/kernels/x64/Windows%2010%20%7C%202016/1809%20Redstone%205%20(October%20Update)/\_MI\_SYSTEM\_NODE\_INFORMATION) and [`1903 19H1 (May 2019 Update)`](https://www.vergiliusproject.com/kernels/x64/Windows%2010%20%7C%202016/1903%2019H1%20(May%202019%20Update)/\_MI\_SYSTEM\_NODE\_INFORMATION).
-
-Yeah, now `pool tag quick scanning` is useless (gah). Windows OS changes quite frequently right? Tell you more, I am using the Insider version of Windows in 2020, and guess what, I found out that they put another struct to point to those value. So now we need to go like this:
-
-- Windows 2020 Insider preview: `*((ntoskrnl.exe+MiState)->SystemNodeNonPagedPool->NonPagedPool{First,Last}Va)`
-
-> If you go with low-level, then you only care about the offset and formula to get those variables but knowing the structure is well benefit.
-
-Anyway, I create this project to help me with my thesis, following outdated structs online yields no result. Oh, yeah, a guy seems to be asking on [how to get `MmNonPagedPoolStart`](https://reverseengineering.stackexchange.com/q/6483) on `stackexchange`, too bad [the answer](https://reverseengineering.stackexchange.com/a/6487) is not so much helpful.
-
-Take a look at my ntoskrnl.exe pdb file parsed.
-
-```
-PDB for Amd64, guid: 3c6978d6-66d9-c05a-53b6-a1e1561282c8, age: 1,
-
-Void(UNNOWN) PsActiveProcessHead 0xc1f970 23:129392
-Void(UNNOWN) MiState 0xc4f200 23:324096
-Void(UNNOWN) KeNumberNodes 0xcfc000 24:0
-Void(UNNOWN) PsLoadedModuleList 0xc2ba30 23:178736
-Void(UNNOWN) KdDebuggerDataBlock 0xc00a30 23:2608
-
-beginstruct _LIST_ENTRY
-	0x0 _LIST_ENTRY* Flink
-	0x8 _LIST_ENTRY* Blink
-endstruct
-
-beginstruct _RTL_BITMAP
-	0x0 U32 SizeOfBitMap
-	0x8 U32 Buffer
-endstruct
-
-beginstruct _EPROCESS
-	0x0 _KPROCESS Pcb
-	0x438 _EX_PUSH_LOCK ProcessLock
-	0x440 Void UniqueProcessId
-	0x448 _LIST_ENTRY ActiveProcessLinks
-	0x458 _EX_RUNDOWN_REF RundownProtect
-	0x460 U32 Flags2
-	0x460 UNNOWN JobNotReallyActive
-	0x460 UNNOWN AccountingFolded
-	0x460 UNNOWN NewProcessReported
-	0x460 UNNOWN ExitProcessReported
-	0x460 UNNOWN ReportCommitChanges
-	0x460 UNNOWN LastReportMemory
-	0x460 UNNOWN ForceWakeCharge
-	0x460 UNNOWN CrossSessionCreate
-	0x460 UNNOWN NeedsHandleRundown
-	0x460 UNNOWN RefTraceEnabled
-	0x460 UNNOWN PicoCreated
-	0x460 UNNOWN EmptyJobEvaluated
-	0x460 UNNOWN DefaultPagePriority
-	0x460 UNNOWN PrimaryTokenFrozen
-	0x460 UNNOWN ProcessVerifierTarget
-	0x460 UNNOWN RestrictSetThreadContext
-	0x460 UNNOWN AffinityPermanent
-	0x460 UNNOWN AffinityUpdateEnable
-	0x460 UNNOWN PropagateNode
-	0x460 UNNOWN ExplicitAffinity
-	0x460 UNNOWN ProcessExecutionState
-	0x460 UNNOWN EnableReadVmLogging
-	0x460 UNNOWN EnableWriteVmLogging
-	0x460 UNNOWN FatalAccessTerminationRequested
-	0x460 UNNOWN DisableSystemAllowedCpuSet
-	0x460 UNNOWN ProcessStateChangeRequest
-	0x460 UNNOWN ProcessStateChangeInProgress
-	0x460 UNNOWN InPrivate
-	0x464 U32 Flags
-	0x464 UNNOWN CreateReported
-	0x464 UNNOWN NoDebugInherit
-	0x464 UNNOWN ProcessExiting
-	0x464 UNNOWN ProcessDelete
-	0x464 UNNOWN ManageExecutableMemoryWrites
-	0x464 UNNOWN VmDeleted
-	0x464 UNNOWN OutswapEnabled
-	0x464 UNNOWN Outswapped
-	0x464 UNNOWN FailFastOnCommitFail
-	0x464 UNNOWN Wow64VaSpace4Gb
-	0x464 UNNOWN AddressSpaceInitialized
-	0x464 UNNOWN SetTimerResolution
-	0x464 UNNOWN BreakOnTermination
-	0x464 UNNOWN DeprioritizeViews
-	0x464 UNNOWN WriteWatch
-	0x464 UNNOWN ProcessInSession
-	0x464 UNNOWN OverrideAddressSpace
-	0x464 UNNOWN HasAddressSpace
-	0x464 UNNOWN LaunchPrefetched
-	0x464 UNNOWN Background
-	0x464 UNNOWN VmTopDown
-	0x464 UNNOWN ImageNotifyDone
-	0x464 UNNOWN PdeUpdateNeeded
-	0x464 UNNOWN VdmAllowed
-	0x464 UNNOWN ProcessRundown
-	0x464 UNNOWN ProcessInserted
-	0x464 UNNOWN DefaultIoPriority
-	0x464 UNNOWN ProcessSelfDelete
-	0x464 UNNOWN SetTimerResolutionLink
-	0x468 _LARGE_INTEGER CreateTime
-	0x470 U64[16] ProcessQuotaUsage
-	0x480 U64[16] ProcessQuotaPeak
-	0x490 U64 PeakVirtualSize
-	0x498 U64 VirtualSize
-	0x4a0 _LIST_ENTRY SessionProcessLinks
-	0x4b0 Void ExceptionPortData
-	0x4b0 U64 ExceptionPortValue
-	0x4b0 UNNOWN ExceptionPortState
-	0x4b8 _EX_FAST_REF Token
-	0x4c0 U64 MmReserved
-	0x4c8 _EX_PUSH_LOCK AddressCreationLock
-	0x4d0 _EX_PUSH_LOCK PageTableCommitmentLock
-	0x4d8 _ETHREAD* RotateInProgress
-	0x4e0 _ETHREAD* ForkInProgress
-	0x4e8 _EJOB* CommitChargeJob
-	0x4f0 _RTL_AVL_TREE CloneRoot
-	0x4f8 volatile U64 NumberOfPrivatePages
-	0x500 volatile U64 NumberOfLockedPages
-	0x508 Void Win32Process
-	0x510 _EJOB* Job
-	0x518 Void SectionObject
-	0x520 Void SectionBaseAddress
-	0x528 U32 Cookie
-	0x530 _PAGEFAULT_HISTORY* WorkingSetWatch
-	0x538 Void Win32WindowStation
-	0x540 Void InheritedFromUniqueProcessId
-	0x548 volatile U64 OwnerProcessId
-	0x550 _PEB* Peb
-	0x558 _MM_SESSION_SPACE* Session
-	0x560 Void Spare1
-	0x568 _EPROCESS_QUOTA_BLOCK* QuotaBlock
-	0x570 _HANDLE_TABLE* ObjectTable
-	0x578 Void DebugPort
-	0x580 _EWOW64PROCESS* WoW64Process
-	0x588 Void DeviceMap
-	0x590 Void EtwDataSource
-	0x598 U64 PageDirectoryPte
-	0x5a0 _FILE_OBJECT* ImageFilePointer
-	0x5a8 UChar[15] ImageFileName
-	0x5b7 UChar PriorityClass
-	0x5b8 Void SecurityPort
-	0x5c0 _SE_AUDIT_PROCESS_CREATION_INFO SeAuditProcessCreationInfo
-	0x5c8 _LIST_ENTRY JobLinks
-	0x5d8 Void HighestUserAddress
-	0x5e0 _LIST_ENTRY ThreadListHead
-	0x5f0 volatile U32 ActiveThreads
-	0x5f4 U32 ImagePathHash
-	0x5f8 U32 DefaultHardErrorProcessing
-	0x5fc I32 LastThreadExitStatus
-	0x600 _EX_FAST_REF PrefetchTrace
-	0x608 Void LockedPagesList
-	0x610 _LARGE_INTEGER ReadOperationCount
-	0x618 _LARGE_INTEGER WriteOperationCount
-	0x620 _LARGE_INTEGER OtherOperationCount
-	0x628 _LARGE_INTEGER ReadTransferCount
-	0x630 _LARGE_INTEGER WriteTransferCount
-	0x638 _LARGE_INTEGER OtherTransferCount
-	0x640 U64 CommitChargeLimit
-	0x648 volatile U64 CommitCharge
-	0x650 volatile U64 CommitChargePeak
-	0x680 _MMSUPPORT_FULL Vm
-	0x7c0 _LIST_ENTRY MmProcessLinks
-	0x7d0 U32 ModifiedPageCount
-	0x7d4 I32 ExitStatus
-	0x7d8 _RTL_AVL_TREE VadRoot
-	0x7e0 Void VadHint
-	0x7e8 U64 VadCount
-	0x7f0 volatile U64 VadPhysicalPages
-	0x7f8 U64 VadPhysicalPagesLimit
-	0x800 _ALPC_PROCESS_CONTEXT AlpcContext
-	0x820 _LIST_ENTRY TimerResolutionLink
-	0x830 _PO_DIAG_STACK_RECORD* TimerResolutionStackRecord
-	0x838 U32 RequestedTimerResolution
-	0x83c U32 SmallestTimerResolution
-	0x840 _LARGE_INTEGER ExitTime
-	0x848 _INVERTED_FUNCTION_TABLE* InvertedFunctionTable
-	0x850 _EX_PUSH_LOCK InvertedFunctionTableLock
-	0x858 U32 ActiveThreadsHighWatermark
-	0x85c U32 LargePrivateVadCount
-	0x860 _EX_PUSH_LOCK ThreadListLock
-	0x868 Void WnfContext
-	0x870 _EJOB* ServerSilo
-	0x878 UChar SignatureLevel
-	0x879 UChar SectionSignatureLevel
-	0x87a _PS_PROTECTION Protection
-	0x87b UNNOWN HangCount
-	0x87b UNNOWN GhostCount
-	0x87b UNNOWN PrefilterException
-	0x87c U32 Flags3
-	0x87c UNNOWN Minimal
-	0x87c UNNOWN ReplacingPageRoot
-	0x87c UNNOWN Crashed
-	0x87c UNNOWN JobVadsAreTracked
-	0x87c UNNOWN VadTrackingDisabled
-	0x87c UNNOWN AuxiliaryProcess
-	0x87c UNNOWN SubsystemProcess
-	0x87c UNNOWN IndirectCpuSets
-	0x87c UNNOWN RelinquishedCommit
-	0x87c UNNOWN HighGraphicsPriority
-	0x87c UNNOWN CommitFailLogged
-	0x87c UNNOWN ReserveFailLogged
-	0x87c UNNOWN SystemProcess
-	0x87c UNNOWN HideImageBaseAddresses
-	0x87c UNNOWN AddressPolicyFrozen
-	0x87c UNNOWN ProcessFirstResume
-	0x87c UNNOWN ForegroundExternal
-	0x87c UNNOWN ForegroundSystem
-	0x87c UNNOWN HighMemoryPriority
-	0x87c UNNOWN EnableProcessSuspendResumeLogging
-	0x87c UNNOWN EnableThreadSuspendResumeLogging
-	0x87c UNNOWN SecurityDomainChanged
-	0x87c UNNOWN SecurityFreezeComplete
-	0x87c UNNOWN VmProcessorHost
-	0x87c UNNOWN VmProcessorHostTransition
-	0x87c UNNOWN AltSyscall
-	0x87c UNNOWN TimerResolutionIgnore
-	0x880 I32 DeviceAsid
-	0x888 Void SvmData
-	0x890 _EX_PUSH_LOCK SvmProcessLock
-	0x898 U64 SvmLock
-	0x8a0 _LIST_ENTRY SvmProcessDeviceListHead
-	0x8b0 U64 LastFreezeInterruptTime
-	0x8b8 _PROCESS_DISK_COUNTERS* DiskCounters
-	0x8c0 Void PicoContext
-	0x8c8 Void EnclaveTable
-	0x8d0 U64 EnclaveNumber
-	0x8d8 _EX_PUSH_LOCK EnclaveLock
-	0x8e0 U32 HighPriorityFaultsAllowed
-	0x8e8 _PO_PROCESS_ENERGY_CONTEXT* EnergyContext
-	0x8f0 Void VmContext
-	0x8f8 U64 SequenceNumber
-	0x900 U64 CreateInterruptTime
-	0x908 U64 CreateUnbiasedInterruptTime
-	0x910 U64 TotalUnbiasedFrozenTime
-	0x918 U64 LastAppStateUpdateTime
-	0x920 UNNOWN LastAppStateUptime
-	0x920 UNNOWN LastAppState
-	0x928 volatile U64 SharedCommitCharge
-	0x930 _EX_PUSH_LOCK SharedCommitLock
-	0x938 _LIST_ENTRY SharedCommitLinks
-	0x948 U64 AllowedCpuSets
-	0x950 U64 DefaultCpuSets
-	0x948 U64 AllowedCpuSetsIndirect
-	0x950 U64 DefaultCpuSetsIndirect
-	0x958 Void DiskIoAttribution
-	0x960 Void DxgProcess
-	0x968 U32 Win32KFilterSet
-	0x970 volatile _PS_INTERLOCKED_TIMER_DELAY_VALUES ProcessTimerDelay
-	0x978 volatile U32 KTimerSets
-	0x97c volatile U32 KTimer2Sets
-	0x980 volatile U32 ThreadTimerSets
-	0x988 U64 VirtualTimerListLock
-	0x990 _LIST_ENTRY VirtualTimerListHead
-	0x9a0 _WNF_STATE_NAME WakeChannel
-	0x9a0 _PS_PROCESS_WAKE_INFORMATION WakeInfo
-	0x9d0 U32 MitigationFlags
-	0x9d0 <anonymous-tag> MitigationFlagsValues
-	0x9d4 U32 MitigationFlags2
-	0x9d4 <anonymous-tag> MitigationFlags2Values
-	0x9d8 Void PartitionObject
-	0x9e0 U64 SecurityDomain
-	0x9e8 U64 ParentSecurityDomain
-	0x9f0 Void CoverageSamplerContext
-	0x9f8 Void MmHotPatchContext
-	0xa00 _KE_IDEAL_PROCESSOR_ASSIGNMENT_BLOCK IdealProcessorAssignmentBlock
-	0xab8 _RTL_AVL_TREE DynamicEHContinuationTargetsTree
-	0xac0 _EX_PUSH_LOCK DynamicEHContinuationTargetsLock
-endstruct
-
-beginstruct _RTL_BITMAP_EX
-	0x0 U64 SizeOfBitMap
-	0x8 U64 Buffer
-endstruct
-
-beginstruct _MI_SYSTEM_INFORMATION
-	0x0 _MI_POOL_STATE Pools
-	0xc0 _MI_SECTION_STATE Sections
-	0x400 _MI_SYSTEM_IMAGE_STATE SystemImages
-	0x4a8 _MI_SESSION_STATE Sessions
-	0x1530 _MI_PROCESS_STATE Processes
-	0x1580 _MI_HARDWARE_STATE Hardware
-	0x1740 _MI_SYSTEM_VA_STATE SystemVa
-	0x1c00 _MI_COMBINE_STATE PageCombines
-	0x1c20 _MI_PAGELIST_STATE PageLists
-	0x1cc0 _MI_PARTITION_STATE Partitions
-	0x1d80 _MI_SHUTDOWN_STATE Shutdowns
-	0x1df8 _MI_ERROR_STATE Errors
-	0x1f00 _MI_ACCESS_LOG_STATE AccessLog
-	0x1f80 _MI_DEBUGGER_STATE Debugger
-	0x20a0 _MI_STANDBY_STATE Standby
-	0x2140 _MI_SYSTEM_PTE_STATE SystemPtes
-	0x2340 _MI_IO_PAGE_STATE IoPages
-	0x2400 _MI_PAGING_IO_STATE PagingIo
-	0x24b0 _MI_COMMON_PAGE_STATE CommonPages
-	0x2580 _MI_SYSTEM_TRIM_STATE Trims
-	0x25c0 _MI_SYSTEM_ZEROING Zeroing
-	0x25e0 _MI_ENCLAVE_STATE Enclaves
-	0x2628 U64 Cookie
-	0x2630 Void** BootRegistryRuns
-	0x2638 volatile I32 ZeroingDisabled
-	0x263c UChar FullyInitialized
-	0x263d UChar SafeBooted
-	0x2640 const _tlgProvider_t* TraceLogging
-	0x2680 _MI_VISIBLE_STATE Vs
-endstruct
-
-beginstruct _PEB
-	0x0 UChar InheritedAddressSpace
-	0x1 UChar ReadImageFileExecOptions
-	0x2 UChar BeingDebugged
-	0x3 UChar BitField
-	0x3 UNNOWN ImageUsesLargePages
-	0x3 UNNOWN IsProtectedProcess
-	0x3 UNNOWN IsImageDynamicallyRelocated
-	0x3 UNNOWN SkipPatchingUser32Forwarders
-	0x3 UNNOWN IsPackagedProcess
-	0x3 UNNOWN IsAppContainer
-	0x3 UNNOWN IsProtectedProcessLight
-	0x3 UNNOWN IsLongPathAwareProcess
-	0x4 UChar[4] Padding0
-	0x8 Void Mutant
-	0x10 Void ImageBaseAddress
-	0x18 _PEB_LDR_DATA* Ldr
-	0x20 _RTL_USER_PROCESS_PARAMETERS* ProcessParameters
-	0x28 Void SubSystemData
-	0x30 Void ProcessHeap
-	0x38 _RTL_CRITICAL_SECTION* FastPebLock
-	0x40 _SLIST_HEADER* AtlThunkSListPtr
-	0x48 Void IFEOKey
-	0x50 U32 CrossProcessFlags
-	0x50 UNNOWN ProcessInJob
-	0x50 UNNOWN ProcessInitializing
-	0x50 UNNOWN ProcessUsingVEH
-	0x50 UNNOWN ProcessUsingVCH
-	0x50 UNNOWN ProcessUsingFTH
-	0x50 UNNOWN ProcessPreviouslyThrottled
-	0x50 UNNOWN ProcessCurrentlyThrottled
-	0x50 UNNOWN ProcessImagesHotPatched
-	0x50 UNNOWN ReservedBits0
-	0x54 UChar[4] Padding1
-	0x58 Void KernelCallbackTable
-	0x58 Void UserSharedInfoPtr
-	0x60 U32 SystemReserved
-	0x64 U32 AtlThunkSListPtr32
-	0x68 Void ApiSetMap
-	0x70 U32 TlsExpansionCounter
-	0x74 UChar[4] Padding2
-	0x78 Void TlsBitmap
-	0x80 U32[8] TlsBitmapBits
-	0x88 Void ReadOnlySharedMemoryBase
-	0x90 Void SharedData
-	0x98 Void* ReadOnlyStaticServerData
-	0xa0 Void AnsiCodePageData
-	0xa8 Void OemCodePageData
-	0xb0 Void UnicodeCaseTableData
-	0xb8 U32 NumberOfProcessors
-	0xbc U32 NtGlobalFlag
-	0xc0 _LARGE_INTEGER CriticalSectionTimeout
-	0xc8 U64 HeapSegmentReserve
-	0xd0 U64 HeapSegmentCommit
-	0xd8 U64 HeapDeCommitTotalFreeThreshold
-	0xe0 U64 HeapDeCommitFreeBlockThreshold
-	0xe8 U32 NumberOfHeaps
-	0xec U32 MaximumNumberOfHeaps
-	0xf0 Void* ProcessHeaps
-	0xf8 Void GdiSharedHandleTable
-	0x100 Void ProcessStarterHelper
-	0x108 U32 GdiDCAttributeList
-	0x10c UChar[4] Padding3
-	0x110 _RTL_CRITICAL_SECTION* LoaderLock
-	0x118 U32 OSMajorVersion
-	0x11c U32 OSMinorVersion
-	0x120 U16 OSBuildNumber
-	0x122 U16 OSCSDVersion
-	0x124 U32 OSPlatformId
-	0x128 U32 ImageSubsystem
-	0x12c U32 ImageSubsystemMajorVersion
-	0x130 U32 ImageSubsystemMinorVersion
-	0x134 UChar[4] Padding4
-	0x138 U64 ActiveProcessAffinityMask
-	0x140 U32[240] GdiHandleBuffer
-	0x230 Void(UNNOWN)* PostProcessInitRoutine
-	0x238 Void TlsExpansionBitmap
-	0x240 U32[128] TlsExpansionBitmapBits
-	0x2c0 U32 SessionId
-	0x2c4 UChar[4] Padding5
-	0x2c8 _ULARGE_INTEGER AppCompatFlags
-	0x2d0 _ULARGE_INTEGER AppCompatFlagsUser
-	0x2d8 Void pShimData
-	0x2e0 Void AppCompatInfo
-	0x2e8 _UNICODE_STRING CSDVersion
-	0x2f8 const _ACTIVATION_CONTEXT_DATA* ActivationContextData
-	0x300 _ASSEMBLY_STORAGE_MAP* ProcessAssemblyStorageMap
-	0x308 const _ACTIVATION_CONTEXT_DATA* SystemDefaultActivationContextData
-	0x310 _ASSEMBLY_STORAGE_MAP* SystemAssemblyStorageMap
-	0x318 U64 MinimumStackCommit
-	0x320 Void[32] SparePointers
-	0x340 U32[20] SpareUlongs
-	0x358 Void WerRegistrationData
-	0x360 Void WerShipAssertPtr
-	0x368 Void pUnused
-	0x370 Void pImageHeaderHash
-	0x378 U32 TracingFlags
-	0x378 UNNOWN HeapTracingEnabled
-	0x378 UNNOWN CritSecTracingEnabled
-	0x378 UNNOWN LibLoaderTracingEnabled
-	0x378 UNNOWN SpareTracingBits
-	0x37c UChar[4] Padding6
-	0x380 U64 CsrServerReadOnlySharedMemoryBase
-	0x388 U64 TppWorkerpListLock
-	0x390 _LIST_ENTRY TppWorkerpList
-	0x3a0 Void[1024] WaitOnAddressHashTable
-	0x7a0 Void TelemetryCoverageHeader
-	0x7a8 U32 CloudFileFlags
-	0x7ac U32 CloudFileDiagFlags
-	0x7b0 RChar PlaceholderCompatibilityMode
-	0x7b1 RChar[7] PlaceholderCompatibilityModeReserved
-	0x7b8 _LEAP_SECOND_DATA* LeapSecondData
-	0x7c0 U32 LeapSecondFlags
-	0x7c0 UNNOWN SixtySecondEnabled
-	0x7c0 UNNOWN Reserved
-	0x7c4 U32 NtGlobalFlag2
-endstruct
-
-beginstruct _MI_DYNAMIC_BITMAP
-	0x0 _RTL_BITMAP_EX Bitmap
-	0x10 U64 MaximumSize
-	0x18 U64 Hint
-	0x20 Void BaseVa
-	0x28 U64 SizeTopDown
-	0x30 U64 HintTopDown
-	0x38 Void BaseVaTopDown
-	0x40 U64 SpinLock
-endstruct
-
-beginstruct _MI_HARDWARE_STATE
-	0x0 U32 NodeMask
-	0x4 U32 NumaHintIndex
-	0x8 U32 NumaLastRangeIndexInclusive
-	0xc UChar NodeShift
-	0xd UChar ChannelShift
-	0x10 U32 ChannelHintIndex
-	0x14 U32 ChannelLastRangeIndexInclusive
-	0x18 _MI_NODE_NUMBER_ZERO_BASED* NodeGraph
-	0x20 _MI_SYSTEM_NODE_NONPAGED_POOL* SystemNodeNonPagedPool
-	0x28 _HAL_NODE_RANGE[32] TemporaryNumaRanges
-	0x48 _HAL_NODE_RANGE* NumaMemoryRanges
-	0x50 _HAL_CHANNEL_MEMORY_RANGES* ChannelMemoryRanges
-	0x58 U32 SecondLevelCacheSize
-	0x5c U32 FirstLevelCacheSize
-	0x60 U32 PhysicalAddressBits
-	0x64 U32 PfnDatabasePageBits
-	0x68 U32 LogicalProcessorsPerCore
-	0x6c UChar ProcessorCachesFlushedOnPowerLoss
-	0x70 U64 TotalPagesAllowed
-	0x78 U32 SecondaryColorMask
-	0x7c U32 SecondaryColors
-	0x80 U32 FlushTbForAttributeChange
-	0x84 U32 FlushCacheForAttributeChange
-	0x88 U32 FlushCacheForPageAttributeChange
-	0x8c U32 CacheFlushPromoteThreshold
-	0x90 _LARGE_INTEGER PerformanceCounterFrequency
-	0xc0 U64 InvalidPteMask
-	0x100 U32[12] LargePageColors
-	0x110 U64 FlushTbThreshold
-	0x118 _MI_PFN_CACHE_ATTRIBUTE[16][64] OptimalZeroingAttribute
-	0x158 UChar AttributeChangeRequiresReZero
-	0x160 _MI_ZERO_COST_COUNTS[32] ZeroCostCounts
-	0x180 U64 HighestPossiblePhysicalPage
-	0x188 U64 VsmKernelPageCount
-endstruct
-
-beginstruct _MI_SYSTEM_NODE_NONPAGED_POOL
-	0x0 _MI_DYNAMIC_BITMAP DynamicBitMapNonPagedPool
-	0x48 U64 CachedNonPagedPoolCount
-	0x50 U64 NonPagedPoolSpinLock
-	0x58 _MMPFN* CachedNonPagedPool
-	0x60 Void NonPagedPoolFirstVa
-	0x68 Void NonPagedPoolLastVa
-	0x70 _MI_SYSTEM_NODE_INFORMATION* SystemNodeInformation
-endstruct
-
-beginstruct _MI_SYSTEM_NODE_INFORMATION
-	0x0 _CACHED_KSTACK_LIST[64] CachedKernelStacks
-	0x40 _GROUP_AFFINITY GroupAffinity
-	0x50 U16 ProcessorCount
-	0x58 Void BootZeroPageTimesPerProcessor
-	0x60 U64 CyclesToZeroOneLargePage
-	0x68 U64 ScaledCyclesToZeroOneLargePage
-	0x70 _MI_WRITE_CALIBRATION WriteCalibration
-	0xc0 volatile I32 IoPfnLock
-endstruct
-
-```
-
-----
-
-Global variables offset are parsed and can be queried by `nt!` in Windbg. In a kernel driver, we need to get the kernel base address (which is `nt!`). Kernel base address is the loaded address of `ntoskrnl.exe`. There is a shellcode to get the address [here](https://gist.github.com/Barakat/34e9924217ed81fd78c9c92d746ec9c6), using IDT table. But when I use the shellcode with the Windows Insider preview 2020, the address is wrong (it still a loaded PE though). Other ways to get the address are listed [here](https://m0uk4.gitbook.io/notebooks/mouka/windowsinternal/find-kernel-module-address-todo). And hereby I present another way to get the kernel base address.
-
-A device driver can get a pointer to a `EPROCESS` through the use of `PEPROCESS IoGetCurrentProcess`. And as we know, `EPROCESS` has pointer to other `EPROCESS` as a doubly linked list. If we dump them all out, we can notice a few things:
-
-- The image name returned by calling `IoGetCurrentProcess` is `System`
-- The `EPROCESS` before `System` is somehow empty
-
-```cpp
-PVOID eprocess = (PVOID)IoGetCurrentProcess();
-DbgPrint("eprocess : 0x%p, [%15s]\n", eprocess, (char*)((ULONG64)eprocess + ImageBaseNameOffset));
-for (int i = 0; i < 100; i++) {
-  eprocess = (PVOID)(*(ULONG64*)((ULONG64)eprocess + ActiveProcessLinksOffset) - ActiveProcessLinksOffset);
-  DbgPrint("eprocess : 0x%p, [%15s]\n", eprocess, (char*)((ULONG64)eprocess + ImageBaseOffset));
+fn main() -> Result<(), Box<dyn Error>> {
+    let mut driver = DriverState::new();
+    println!("NtLoadDriver()   -> 0x{:x}", driver.startup());
+    driver.scan_pool(b"Tag ", |pool_addr, header, data_addr| {
+    })?;
+    println!("NtUnloadDriver() -> 0x{:x}", driver.shutdown());
 }
-
-// sample output
-eprocess : 0xFFFFF8037401F528, [               ]
-eprocess : 0xFFFF840F5A0D9080, [         System]
-eprocess : 0xFFFF840F5A28C040, [  Secure System]
-eprocess : 0xFFFF840F5A2EF040, [       Registry]
-eprocess : 0xFFFF840F622BF040, [       smss.exe]
-eprocess : 0xFFFF840F6187D080, [       smss.exe]
-eprocess : 0xFFFF840F6263D140, [      csrss.exe]
-eprocess : 0xFFFF840F6277F0C0, [       smss.exe]
-eprocess : 0xFFFF840F627C2080, [    wininit.exe]
-eprocess : 0xFFFF840F64187140, [      csrss.exe]
-eprocess : 0xFFFF840F641CD080, [   services.exe]
 ```
 
-And if we debug and compare the address of that `Empty EPROCESS+ActiveProcessLinksOffset` with `nt!PsActiveProcessHead`, it is just the same. And with the given offset parsed from the PDB file, we can get kernel base address.
+The closure is a mutable closure, so you can just put a vector and saves the result.
+The function signature for the closure is: `FnMut(u64, &[u8], u64) -> Result<bool, std::error::Error>`
+Parsing the struct data is up to you.
+You can use `driver.deref_addr(addr, &value)` to dereference an address in kernel space
+and `driver.pdb_store.get_offset_r("offset")?` to get an offset from PDB file.
 
-```cpp
-PVOID eprocess = (PVOID)IoGetCurrentProcess();
-DbgPrint("eprocess               : 0x%p, [%15s]\n", eprocess, (char*)((ULONG64)eprocess + ImageBaseNameOffset));
-PVOID processHead = (PVOID)(*(ULONG64*)((ULONG64)eprocess + ActiveProcessLinksOffset + BLinkOffset));
-DbgPrint("PsActiveProcessHead    : 0x%p\n", processHead);
-PVOID ntosbase = (PVOID)((ULONG64)processHead - ActiveHeadOffset);
-DbgPrint("ntoskrnl.exe           : 0x%p\n", ntosbase);
-```
-
-From now we have successfully get the kernel base address to index into other global variables.
-
-(In this way we use `PsActiveProcessHead`, but a better way maybe traversing `PsLoadedModuleList` which could get the correct address of `ntoskrnl.exe` but I do not know)

logs/build_process_tree.py

@@ -0,0 +1,74 @@
+import sys
+import re
+import collections
+
+class Process:
+    def __init__(self, e, pid, ppid, name, path):
+        self.e = e
+        self.pid = pid
+        self.ppid = ppid
+        self.name = name
+        self.path = path
+    def __str__(self):
+        return f'{self.e} {self.pid} {self.ppid} {self.name} {self.path}'
+    def __repr__(self):
+        return f'{self.e} {self.pid} {self.ppid} {self.name} {self.path}'
+
+process_map = {}
+
+# shamelessly steal from https://github.com/giampaolo/psutil/blob/master/scripts/pstree.py
+# not work if a detached node presents
+def print_tree(parent, tree, indent='', traversed=[]):
+    try:
+        p = process_map[parent]
+        name = f"{p.pid} [{p.name}] {p.path}"
+    except:
+        name = f"{parent} [UNNOWN]"
+    # input(name)
+    if parent in traversed:
+        print(name, "[LOOP]")
+        return
+    else:
+        print(name)
+    traversed += [parent]
+
+    if parent not in tree:
+        return
+    children = tree[parent][:-1]
+    for child in children:
+        print(indent + "|- ", end='')
+        print_tree(child.pid, tree, indent + "| ", traversed)
+    child = tree[parent][-1]
+    print(indent + "`_ ", end='')
+    print_tree(child.pid, tree, indent + "  ", traversed)
+
+lpus = re.finditer(r'^pool: 0x[0-9a-f]+ \| eprocess: (0x[0-9a-f]+) \| pid: (\d+) \| ppid: (\d+) \| name: ([^|]*) \| (.*)$',
+                   open(sys.argv[1], 'r', encoding='utf-8').read(), re.MULTILINE)
+
+process_tree = {}
+for v in lpus:
+    e, pid, ppid, name, path = list(v.groups())
+    proc = Process(e, int(pid), int(ppid), name, path)
+    process_map[int(pid)] = proc
+    if int(ppid) in process_tree:
+        process_tree[int(ppid)] += [proc]
+    else:
+        process_tree[int(ppid)] = [proc]
+
+if 0 in process_tree:
+        process_tree.pop(0)
+
+remove = []
+for k, child in process_tree.items():
+    for c in child:
+        if c.pid in process_tree and c.ppid in process_tree:
+            # print('remove', c)
+            remove += [c.pid]
+            break
+
+# print(remove)
+for k in process_tree.keys():
+    if k not in remove:
+        print_tree(k, process_tree)
+        # input()
+

logs/dump_test/1/eprocess_lpusscan.csv

@@ -0,0 +1,118 @@
+address,process,fullpath
+0xffff948957c6c080,svchost.exe,
+0xffff948957caa080,svchost.exe,\Windows\System32\svchost.exe
+0xffff94895ad15080,powershell.exe,
+0xffff94895ad1a080,CodeHelper.exe,\Users\User\AppData\Local\Programs\Microsoft VS Code\resources\app\out\vs\platform\files\node\watcher\win32\CodeHelper.exe
+0xffff94895b394080,Code.exe,\Users\User\AppData\Local\Programs\Microsoft VS Code\Code.exe
+0xffff94895ba28080,MicrosoftEdgeC,\Windows\System32\MicrosoftEdgeCP.exe
+0xffff94895ba2b080,sppsvc.exe,\Windows\System32\sppsvc.exe
+0xffff94895ba433c0,audiodg.exe,\Windows\System32\audiodg.exe
+0xffff94895bb21380,powershell.exe,\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
+0xffff94895bb25080,MicrosoftEdgeC,\Windows\System32\MicrosoftEdgeCP.exe
+0xffff94895bb28080,conhost.exe,\Windows\System32\conhost.exe
+0xffff94895bb8a080,conhost.exe,\Windows\System32\conhost.exe
+0xffff94895cbc9080,Code.exe,\Users\User\AppData\Local\Programs\Microsoft VS Code\Code.exe
+0xffff94895ce98400,svchost.exe,\Windows\System32\svchost.exe
+0xffff94895cea7080,MemCompression,
+0xffff94895ceb5380,svchost.exe,\Windows\System32\svchost.exe
+0xffff94895cec9080,svchost.exe,\Windows\System32\svchost.exe
+0xffff94895cf2e3c0,svchost.exe,\Windows\System32\svchost.exe
+0xffff94895cf5c400,svchost.exe,\Windows\System32\svchost.exe
+0xffff94895cf90400,svchost.exe,\Windows\System32\svchost.exe
+0xffff94895cf98400,svchost.exe,\Windows\System32\svchost.exe
+0xffff94895e017440,svchost.exe,\Windows\System32\svchost.exe
+0xffff94895e02b380,svchost.exe,\Windows\System32\svchost.exe
+0xffff94895e072400,svchost.exe,\Windows\System32\svchost.exe
+0xffff94895e077400,svchost.exe,\Windows\System32\svchost.exe
+0xffff94895e0ce400,svchost.exe,\Windows\System32\svchost.exe
+0xffff94895e0d8400,svchost.exe,\Windows\System32\svchost.exe
+0xffff94895e1670c0,sqlwriter.exe,\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
+0xffff94895e169380,svchost.exe,\Windows\System32\svchost.exe
+0xffff94895e16a080,svchost.exe,\Windows\System32\svchost.exe
+0xffff94895e16b080,svchost.exe,\Windows\System32\svchost.exe
+0xffff94895e16c080,svchost.exe,\Windows\System32\svchost.exe
+0xffff94895e16d080,svchost.exe,\Windows\System32\svchost.exe
+0xffff94895e170080,svchost.exe,\Windows\System32\svchost.exe
+0xffff94895e171080,svchost.exe,\Windows\System32\svchost.exe
+0xffff94895e172080,svchost.exe,\Windows\System32\svchost.exe
+0xffff94895e174080,spoolsv.exe,\Windows\System32\spoolsv.exe
+0xffff94895e1780c0,svchost.exe,\Windows\System32\svchost.exe
+0xffff94895e38b080,WindowsInterna,\Windows\SystemApps\InputApp_cw5n1h2txyewy\WindowsInternal.ComposableShell.Experiences.TextInput.InputApp.exe
+0xffff94895e390080,svchost.exe,\Windows\System32\svchost.exe
+0xffff94895e391080,svchost.exe,\Windows\System32\svchost.exe
+0xffff94895e392080,svchost.exe,\Windows\System32\svchost.exe
+0xffff94895e394080,svchost.exe,\Windows\System32\svchost.exe
+0xffff94895e395080,svchost.exe,\Windows\System32\svchost.exe
+0xffff94895e396080,svchost.exe,\Windows\System32\svchost.exe
+0xffff94895e3990c0,wlms.exe,\Windows\System32\wlms\wlms.exe
+0xffff94895e54e4c0,NisSrv.exe,\ProgramData\Microsoft\Windows Defender\Platform\4.18.2005.5-0\NisSrv.exe
+0xffff94895e929480,smartscreen.ex,\Windows\System32\smartscreen.exe
+0xffff94895e92a080,Code.exe,\Users\User\AppData\Local\Programs\Microsoft VS Code\Code.exe
+0xffff94895e9412c0,Windows.WARP.J,\Windows\System32\Windows.WARP.JITService.exe
+0xffff94895e9512c0,MsMpEng.exe,\ProgramData\Microsoft\Windows Defender\Platform\4.18.2005.5-0\MsMpEng.exe
+0xffff94895e970080,SearchUI.exe,\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
+0xffff94895eaaf440,sihost.exe,\Windows\System32\sihost.exe
+0xffff94895eaee480,svchost.exe,\Windows\System32\svchost.exe
+0xffff94895eaf54c0,svchost.exe,\Windows\System32\svchost.exe
+0xffff94895eaf84c0,svchost.exe,\Windows\System32\svchost.exe
+0xffff94895eb4f080,svchost.exe,
+0xffff94895eb57380,svchost.exe,\Windows\System32\svchost.exe
+0xffff94895eb5b4c0,taskhostw.exe,\Windows\System32\taskhostw.exe
+0xffff94895ebbd3c0,svchost.exe,\Windows\System32\svchost.exe
+0xffff94895ebc2440,ctfmon.exe,\Windows\System32\ctfmon.exe
+0xffff94895ec48400,svchost.exe,\Windows\System32\svchost.exe
+0xffff94895ec5e080,userinit.exe,
+0xffff94895ec62080,explorer.exe,\Windows\explorer.exe
+0xffff94895ec70080,svchost.exe,\Windows\System32\svchost.exe
+0xffff94895ec77080,svchost.exe,\Windows\System32\svchost.exe
+0xffff94895ec934c0,svchost.exe,\Windows\System32\svchost.exe
+0xffff94895eccc4c0,Code.exe,\Users\User\AppData\Local\Programs\Microsoft VS Code\Code.exe
+0xffff94895ece5080,dllhost.exe,\Windows\System32\dllhost.exe
+0xffff94895edca080,svchost.exe,\Windows\System32\svchost.exe
+0xffff94895edda080,svchost.exe,\Windows\System32\svchost.exe
+0xffff94895edf6080,StartMenuExper,\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
+0xffff94895ef1b480,RuntimeBroker.,\Windows\System32\RuntimeBroker.exe
+0xffff94895efb9080,svchost.exe,\Windows\System32\svchost.exe
+0xffff94895f089480,RuntimeBroker.,\Windows\System32\RuntimeBroker.exe
+0xffff94895f118480,RuntimeBroker.,\Windows\System32\RuntimeBroker.exe
+0xffff94895f119080,svchost.exe,\Windows\System32\svchost.exe
+0xffff94895f122380,SearchIndexer.,\Windows\System32\SearchIndexer.exe
+0xffff94895f19e080,Windows.WARP.J,\Windows\System32\Windows.WARP.JITService.exe
+0xffff94895f2020c0,MicrosoftEdge.,\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
+0xffff94895f2074c0,ApplicationFra,\Windows\System32\ApplicationFrameHost.exe
+0xffff94895f267440,cmd.exe,\Windows\System32\cmd.exe
+0xffff94895f2c8080,SgrmBroker.exe,\Windows\System32\SgrmBroker.exe
+0xffff94895f2db080,SkypeBackgroun,\Program Files\WindowsApps\Microsoft.SkypeApp_14.56.102.0_x64__kzf8qxf38zg5c\SkypeBackgroundHost.exe
+0xffff94895f2dd080,SkypeApp.exe,\Program Files\WindowsApps\Microsoft.SkypeApp_14.56.102.0_x64__kzf8qxf38zg5c\SkypeApp.exe
+0xffff94895f3be480,browser_broker,\Windows\System32\browser_broker.exe
+0xffff94895f3c5080,YourPhone.exe,\Program Files\WindowsApps\Microsoft.YourPhone_1.20041.91.0_x64__8wekyb3d8bbwe\YourPhone.exe
+0xffff94895f3ce400,svchost.exe,\Windows\System32\svchost.exe
+0xffff94895f419080,svchost.exe,\Windows\System32\svchost.exe
+0xffff94895f449080,WinStore.App.e,\Program Files\WindowsApps\Microsoft.WindowsStore_12005.1001.1.0_x64__8wekyb3d8bbwe\WinStore.App.exe
+0xffff94895f44b480,RuntimeBroker.,\Windows\System32\RuntimeBroker.exe
+0xffff94895f4b1080,svchost.exe,\Windows\System32\svchost.exe
+0xffff94895f4e5080,RuntimeBroker.,\Windows\System32\RuntimeBroker.exe
+0xffff94895f4e9240,MicrosoftEdgeC,\Windows\System32\MicrosoftEdgeCP.exe
+0xffff94895f571480,RuntimeBroker.,\Windows\System32\RuntimeBroker.exe
+0xffff94895f5880c0,RuntimeBroker.,\Windows\System32\RuntimeBroker.exe
+0xffff94895f58e080,VBoxTray.exe,\Windows\System32\VBoxTray.exe
+0xffff94895f5c7080,svchost.exe,\Windows\System32\svchost.exe
+0xffff94895f603080,MicrosoftEdgeS,\Windows\System32\MicrosoftEdgeSH.exe
+0xffff94895f7c7080,OneDrive.exe,\Users\User\AppData\Local\Microsoft\OneDrive\OneDrive.exe
+0xffff94895f7c8080,SecurityHealth,\Windows\System32\SecurityHealthSystray.exe
+0xffff94895f7ca380,SecurityHealth,\Windows\System32\SecurityHealthService.exe
+0xffff94895fce60c0,backgroundTask,\Windows\System32\backgroundTaskHost.exe
+0xffff94895fdd2080,Code.exe,\Users\User\AppData\Local\Programs\Microsoft VS Code\Code.exe
+0xffff94895ffce080,MicrosoftEdgeC,
+0xffff94895ffe2080,Code.exe,\Users\User\AppData\Local\Programs\Microsoft VS Code\Code.exe
+0xffff94895ffef080,backgroundTask,\Windows\System32\backgroundTaskHost.exe
+0xffff94895fff2480,conhost.exe,\Windows\System32\conhost.exe
+0xffff9489600c50c0,Code.exe,\Users\User\AppData\Local\Programs\Microsoft VS Code\Code.exe
+0xffff9489600cf340,eprocess_scan.,\Users\User\Desktop\lpus-0.3-alpha\target\release\eprocess_scan.exe
+0xffff9489602ec080,dllhost.exe,\Windows\System32\dllhost.exe
+0xffff9489602f0080,conhost.exe,
+0xffff9489602f5080,svchost.exe,\Windows\System32\svchost.exe
+0xffff9489603ca080,Windows.WARP.J,\Windows\System32\Windows.WARP.JITService.exe
+0xffff948960acc080,svchost.exe,\Windows\System32\svchost.exe
+0xffff948960ad3080,RuntimeBroker.,\Windows\System32\RuntimeBroker.exe
+0xffff9489610de080,MicrosoftEdgeC,\Windows\System32\MicrosoftEdgeCP.exe

logs/dump_test/1/eprocess_scan_log.txt

@@ -0,0 +1,121 @@
+PDB for Amd64, guid: e7477a03-a707-8050-cb79-36455ce346b5, age: 1
+
+NtLoadDriver()   -> 0x0
+pool: 0xffff948957c6c000 | eprocess: 0xffff948957c6c080 |  | svchost.exe
+pool: 0xffff948957caa000 | eprocess: 0xffff948957caa080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffff94895ad15000 | eprocess: 0xffff94895ad15080 |  | powershell.exe
+pool: 0xffff94895ad1a000 | eprocess: 0xffff94895ad1a080 | \Users\User\AppData\Local\Programs\Microsoft VS Code\resources\app\out\vs\platform\files\node\watcher\win32\CodeHelper.exe | CodeHelper.exe
+pool: 0xffff94895b394000 | eprocess: 0xffff94895b394080 | \Users\User\AppData\Local\Programs\Microsoft VS Code\Code.exe | Code.exe
+pool: 0xffff94895ba28000 | eprocess: 0xffff94895ba28080 | \Windows\System32\MicrosoftEdgeCP.exe | MicrosoftEdgeC
+pool: 0xffff94895ba2b000 | eprocess: 0xffff94895ba2b080 | \Windows\System32\sppsvc.exe | sppsvc.exe
+pool: 0xffff94895ba43360 | eprocess: 0xffff94895ba433c0 | \Windows\System32\audiodg.exe | audiodg.exe
+pool: 0xffff94895bb21310 | eprocess: 0xffff94895bb21380 | \Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe
+pool: 0xffff94895bb25000 | eprocess: 0xffff94895bb25080 | \Windows\System32\MicrosoftEdgeCP.exe | MicrosoftEdgeC
+pool: 0xffff94895bb28000 | eprocess: 0xffff94895bb28080 | \Windows\System32\conhost.exe | conhost.exe
+pool: 0xffff94895bb8a000 | eprocess: 0xffff94895bb8a080 | \Windows\System32\conhost.exe | conhost.exe
+pool: 0xffff94895cbc9000 | eprocess: 0xffff94895cbc9080 | \Users\User\AppData\Local\Programs\Microsoft VS Code\Code.exe | Code.exe
+pool: 0xffff94895ce98390 | eprocess: 0xffff94895ce98400 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffff94895cea7040 | eprocess: 0xffff94895cea7080 |  | MemCompression
+pool: 0xffff94895ceb5310 | eprocess: 0xffff94895ceb5380 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffff94895cec9000 | eprocess: 0xffff94895cec9080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffff94895cf2e350 | eprocess: 0xffff94895cf2e3c0 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffff94895cf5c390 | eprocess: 0xffff94895cf5c400 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffff94895cf90390 | eprocess: 0xffff94895cf90400 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffff94895cf98390 | eprocess: 0xffff94895cf98400 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffff94895e0173c0 | eprocess: 0xffff94895e017440 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffff94895e02b310 | eprocess: 0xffff94895e02b380 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffff94895e072390 | eprocess: 0xffff94895e072400 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffff94895e077390 | eprocess: 0xffff94895e077400 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffff94895e0ce390 | eprocess: 0xffff94895e0ce400 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffff94895e0d8390 | eprocess: 0xffff94895e0d8400 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffff94895e167040 | eprocess: 0xffff94895e1670c0 | \Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe | sqlwriter.exe
+pool: 0xffff94895e169310 | eprocess: 0xffff94895e169380 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffff94895e16a000 | eprocess: 0xffff94895e16a080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffff94895e16b000 | eprocess: 0xffff94895e16b080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffff94895e16c000 | eprocess: 0xffff94895e16c080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffff94895e16d000 | eprocess: 0xffff94895e16d080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffff94895e170000 | eprocess: 0xffff94895e170080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffff94895e171000 | eprocess: 0xffff94895e171080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffff94895e172000 | eprocess: 0xffff94895e172080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffff94895e174000 | eprocess: 0xffff94895e174080 | \Windows\System32\spoolsv.exe | spoolsv.exe
+pool: 0xffff94895e178040 | eprocess: 0xffff94895e1780c0 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffff94895e38b000 | eprocess: 0xffff94895e38b080 | \Windows\SystemApps\InputApp_cw5n1h2txyewy\WindowsInternal.ComposableShell.Experiences.TextInput.InputApp.exe | WindowsInterna
+pool: 0xffff94895e390000 | eprocess: 0xffff94895e390080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffff94895e391000 | eprocess: 0xffff94895e391080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffff94895e392000 | eprocess: 0xffff94895e392080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffff94895e394000 | eprocess: 0xffff94895e394080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffff94895e395000 | eprocess: 0xffff94895e395080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffff94895e396000 | eprocess: 0xffff94895e396080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffff94895e399040 | eprocess: 0xffff94895e3990c0 | \Windows\System32\wlms\wlms.exe | wlms.exe
+pool: 0xffff94895e54e450 | eprocess: 0xffff94895e54e4c0 | \ProgramData\Microsoft\Windows Defender\Platform\4.18.2005.5-0\NisSrv.exe | NisSrv.exe
+pool: 0xffff94895e929410 | eprocess: 0xffff94895e929480 | \Windows\System32\smartscreen.exe | smartscreen.ex
+pool: 0xffff94895e92a000 | eprocess: 0xffff94895e92a080 | \Users\User\AppData\Local\Programs\Microsoft VS Code\Code.exe | Code.exe
+pool: 0xffff94895e941250 | eprocess: 0xffff94895e9412c0 | \Windows\System32\Windows.WARP.JITService.exe | Windows.WARP.J
+pool: 0xffff94895e951230 | eprocess: 0xffff94895e9512c0 | \ProgramData\Microsoft\Windows Defender\Platform\4.18.2005.5-0\MsMpEng.exe | MsMpEng.exe
+pool: 0xffff94895e970000 | eprocess: 0xffff94895e970080 | \Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | SearchUI.exe
+pool: 0xffff94895eaaf3b0 | eprocess: 0xffff94895eaaf440 | \Windows\System32\sihost.exe | sihost.exe
+pool: 0xffff94895eaee420 | eprocess: 0xffff94895eaee480 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffff94895eaf5430 | eprocess: 0xffff94895eaf54c0 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffff94895eaf8430 | eprocess: 0xffff94895eaf84c0 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffff94895eb4f000 | eprocess: 0xffff94895eb4f080 |  | svchost.exe
+pool: 0xffff94895eb57310 | eprocess: 0xffff94895eb57380 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffff94895eb5b430 | eprocess: 0xffff94895eb5b4c0 | \Windows\System32\taskhostw.exe | taskhostw.exe
+pool: 0xffff94895ebbd340 | eprocess: 0xffff94895ebbd3c0 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffff94895ebc23b0 | eprocess: 0xffff94895ebc2440 | \Windows\System32\ctfmon.exe | ctfmon.exe
+pool: 0xffff94895ec48380 | eprocess: 0xffff94895ec48400 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffff94895ec5e000 | eprocess: 0xffff94895ec5e080 |  | userinit.exe
+pool: 0xffff94895ec62000 | eprocess: 0xffff94895ec62080 | \Windows\explorer.exe | explorer.exe
+pool: 0xffff94895ec70000 | eprocess: 0xffff94895ec70080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffff94895ec77000 | eprocess: 0xffff94895ec77080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffff94895ec93430 | eprocess: 0xffff94895ec934c0 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffff94895eccc450 | eprocess: 0xffff94895eccc4c0 | \Users\User\AppData\Local\Programs\Microsoft VS Code\Code.exe | Code.exe
+pool: 0xffff94895ece5000 | eprocess: 0xffff94895ece5080 | \Windows\System32\dllhost.exe | dllhost.exe
+pool: 0xffff94895edca000 | eprocess: 0xffff94895edca080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffff94895edda000 | eprocess: 0xffff94895edda080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffff94895edf6000 | eprocess: 0xffff94895edf6080 | \Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | StartMenuExper
+pool: 0xffff94895ef1b420 | eprocess: 0xffff94895ef1b480 | \Windows\System32\RuntimeBroker.exe | RuntimeBroker.
+pool: 0xffff94895efb9000 | eprocess: 0xffff94895efb9080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffff94895f089420 | eprocess: 0xffff94895f089480 | \Windows\System32\RuntimeBroker.exe | RuntimeBroker.
+pool: 0xffff94895f118420 | eprocess: 0xffff94895f118480 | \Windows\System32\RuntimeBroker.exe | RuntimeBroker.
+pool: 0xffff94895f119000 | eprocess: 0xffff94895f119080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffff94895f122310 | eprocess: 0xffff94895f122380 | \Windows\System32\SearchIndexer.exe | SearchIndexer.
+pool: 0xffff94895f19e000 | eprocess: 0xffff94895f19e080 | \Windows\System32\Windows.WARP.JITService.exe | Windows.WARP.J
+pool: 0xffff94895f202040 | eprocess: 0xffff94895f2020c0 | \Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | MicrosoftEdge.
+pool: 0xffff94895f207440 | eprocess: 0xffff94895f2074c0 | \Windows\System32\ApplicationFrameHost.exe | ApplicationFra
+pool: 0xffff94895f2673c0 | eprocess: 0xffff94895f267440 | \Windows\System32\cmd.exe | cmd.exe
+pool: 0xffff94895f2c8000 | eprocess: 0xffff94895f2c8080 | \Windows\System32\SgrmBroker.exe | SgrmBroker.exe
+pool: 0xffff94895f2db000 | eprocess: 0xffff94895f2db080 | \Program Files\WindowsApps\Microsoft.SkypeApp_14.56.102.0_x64__kzf8qxf38zg5c\SkypeBackgroundHost.exe | SkypeBackgroun
+pool: 0xffff94895f2dd000 | eprocess: 0xffff94895f2dd080 | \Program Files\WindowsApps\Microsoft.SkypeApp_14.56.102.0_x64__kzf8qxf38zg5c\SkypeApp.exe | SkypeApp.exe
+pool: 0xffff94895f3be420 | eprocess: 0xffff94895f3be480 | \Windows\System32\browser_broker.exe | browser_broker
+pool: 0xffff94895f3c5000 | eprocess: 0xffff94895f3c5080 | \Program Files\WindowsApps\Microsoft.YourPhone_1.20041.91.0_x64__8wekyb3d8bbwe\YourPhone.exe | YourPhone.exe
+pool: 0xffff94895f3ce390 | eprocess: 0xffff94895f3ce400 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffff94895f419000 | eprocess: 0xffff94895f419080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffff94895f449000 | eprocess: 0xffff94895f449080 | \Program Files\WindowsApps\Microsoft.WindowsStore_12005.1001.1.0_x64__8wekyb3d8bbwe\WinStore.App.exe | WinStore.App.e
+pool: 0xffff94895f44b420 | eprocess: 0xffff94895f44b480 | \Windows\System32\RuntimeBroker.exe | RuntimeBroker.
+pool: 0xffff94895f4b1000 | eprocess: 0xffff94895f4b1080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffff94895f4e5000 | eprocess: 0xffff94895f4e5080 | \Windows\System32\RuntimeBroker.exe | RuntimeBroker.
+pool: 0xffff94895f4e91d0 | eprocess: 0xffff94895f4e9240 | \Windows\System32\MicrosoftEdgeCP.exe | MicrosoftEdgeC
+pool: 0xffff94895f571420 | eprocess: 0xffff94895f571480 | \Windows\System32\RuntimeBroker.exe | RuntimeBroker.
+pool: 0xffff94895f588040 | eprocess: 0xffff94895f5880c0 | \Windows\System32\RuntimeBroker.exe | RuntimeBroker.
+pool: 0xffff94895f58e000 | eprocess: 0xffff94895f58e080 | \Windows\System32\VBoxTray.exe | VBoxTray.exe
+pool: 0xffff94895f5c7000 | eprocess: 0xffff94895f5c7080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffff94895f603000 | eprocess: 0xffff94895f603080 | \Windows\System32\MicrosoftEdgeSH.exe | MicrosoftEdgeS
+pool: 0xffff94895f7c7000 | eprocess: 0xffff94895f7c7080 | \Users\User\AppData\Local\Microsoft\OneDrive\OneDrive.exe | OneDrive.exe
+pool: 0xffff94895f7c8000 | eprocess: 0xffff94895f7c8080 | \Windows\System32\SecurityHealthSystray.exe | SecurityHealth
+pool: 0xffff94895f7ca320 | eprocess: 0xffff94895f7ca380 | \Windows\System32\SecurityHealthService.exe | SecurityHealth
+pool: 0xffff94895fce6040 | eprocess: 0xffff94895fce60c0 | \Windows\System32\backgroundTaskHost.exe | backgroundTask
+pool: 0xffff94895fdd2000 | eprocess: 0xffff94895fdd2080 | \Users\User\AppData\Local\Programs\Microsoft VS Code\Code.exe | Code.exe
+pool: 0xffff94895ffce000 | eprocess: 0xffff94895ffce080 |  | MicrosoftEdgeC
+pool: 0xffff94895ffe2000 | eprocess: 0xffff94895ffe2080 | \Users\User\AppData\Local\Programs\Microsoft VS Code\Code.exe | Code.exe
+pool: 0xffff94895ffef000 | eprocess: 0xffff94895ffef080 | \Windows\System32\backgroundTaskHost.exe | backgroundTask
+pool: 0xffff94895fff2400 | eprocess: 0xffff94895fff2480 | \Windows\System32\conhost.exe | conhost.exe
+pool: 0xffff9489600c5040 | eprocess: 0xffff9489600c50c0 | \Users\User\AppData\Local\Programs\Microsoft VS Code\Code.exe | Code.exe
+pool: 0xffff9489600cf2b0 | eprocess: 0xffff9489600cf340 | \Users\User\Desktop\lpus-0.3-alpha\target\release\eprocess_scan.exe | eprocess_scan.
+pool: 0xffff9489602ec000 | eprocess: 0xffff9489602ec080 | \Windows\System32\dllhost.exe | dllhost.exe
+pool: 0xffff9489602f0000 | eprocess: 0xffff9489602f0080 |  | conhost.exe
+pool: 0xffff9489602f5000 | eprocess: 0xffff9489602f5080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffff9489603ca000 | eprocess: 0xffff9489603ca080 | \Windows\System32\Windows.WARP.JITService.exe | Windows.WARP.J
+pool: 0xffff948960acc000 | eprocess: 0xffff948960acc080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffff948960ad3000 | eprocess: 0xffff948960ad3080 | \Windows\System32\RuntimeBroker.exe | RuntimeBroker.
+pool: 0xffff9489610de000 | eprocess: 0xffff9489610de080 | \Windows\System32\MicrosoftEdgeCP.exe | MicrosoftEdgeC
+NtUnloadDriver() -> 0x0

logs/dump_test/1/eprocess_to_csv.py

@@ -0,0 +1,29 @@
+import re
+import csv
+
+vp = re.compile(r'^(0x[0-9a-f]+)\s+(.{15})\s+\d+\s+\d+.*$')
+
+vol = map(lambda x: x.group(1, 2), filter(lambda x: x is not None, map(vp.match, open('eprocess_volscan.txt', 'r').read().split('\n'))))
+
+with open('eprocess_volscan.csv', 'w', newline='') as f:
+    writer = csv.writer(f)
+    writer.writerow(['address', 'process'])
+    for v in vol:
+        a, b = list(v)
+        a = hex(int(a, 16) + 0xffff000000000000)
+        b = b.rstrip(' ')
+        writer.writerow([a, b])
+
+
+# lp = re.compile(r'pool: 0x[0-9a-f]+ \| file object: (0x[0-9a-f]+) \| offsetby: 0x[0-9a-f]+\s+(.*)$', re.MULTILINE)
+
+lpus = re.finditer(r'pool: 0x[0-9a-f]+ \| eprocess: (0x[0-9a-f]+) \| ([^|]*) \| (.*)$',
+                   open('eprocess_scan_log.txt', 'r', encoding='utf-8').read(), re.MULTILINE)
+
+with open('eprocess_lpusscan.csv', 'w', newline='', encoding='utf-8') as f:
+    writer = csv.writer(f)
+    writer.writerow(['address', 'process', 'fullpath'])
+    for v in lpus:
+        a, b, c = list(v.groups())
+        writer.writerow([a, c, b])
+

logs/dump_test/1/eprocess_volscan.csv

@@ -0,0 +1,75 @@
+address,process
+0xffff948957c67080,VBoxService.ex
+0xffff948957c6c080,svchost.exe
+0xffff948957caa080,svchost.exe
+0xffff948957ce3080,svchost.exe
+0xffff948957d1b080,svchost.exe
+0xffff948957ddf040,Registry
+0xffff94895ac79400,smss.exe
+0xffff94895ad15080,powershell.exe
+0xffff94895b0452c0,csrss.exe
+0xffff94895ba28080,MicrosoftEdgeC
+0xffff94895bb25080,MicrosoftEdgeC
+0xffff94895bdb0080,winlogon.exe
+0xffff94895bdf51c0,services.exe
+0xffff94895ca5f280,fontdrvhost.ex
+0xffff94895ca6a280,fontdrvhost.ex
+0xffff94895ca70380,svchost.exe
+0xffff94895caf6400,svchost.exe
+0xffff94895cb3a380,svchost.exe
+0xffff94895cbd8400,svchost.exe
+0xffff94895cc15440,svchost.exe
+0xffff94895cc223c0,svchost.exe
+0xffff94895cc5b380,svchost.exe
+0xffff94895ccae400,svchost.exe
+0xffff94895cdac400,svchost.exe
+0xffff94895cdae400,svchost.exe
+0xffff94895ce19400,svchost.exe
+0xffff94895ce1b080,svchost.exe
+0xffff94895ce98400,svchost.exe
+0xffff94895cea7080,MemCompression
+0xffff94895ceb5380,svchost.exe
+0xffff94895cf2e3c0,svchost.exe
+0xffff94895cf90400,svchost.exe
+0xffff94895cf98400,svchost.exe
+0xffff94895e017440,svchost.exe
+0xffff94895e02b380,svchost.exe
+0xffff94895e077400,svchost.exe
+0xffff94895e0ce400,svchost.exe
+0xffff94895e0d8400,svchost.exe
+0xffff94895e169380,svchost.exe
+0xffff94895e171080,svchost.exe
+0xffff94895e391080,SearchProtocol
+0xffff94895e54e4c0,NisSrv.exe
+0xffff94895e929480,smartscreen.ex
+0xffff94895e9412c0,Windows.WARP.J
+0xffff94895e9512c0,MsMpEng.exe
+0xffff94895e970080,SearchUI.exe
+0xffff94895eaaf440,sihost.exe
+0xffff94895eaee480,svchost.exe
+0xffff94895eaf54c0,svchost.exe
+0xffff94895eaf84c0,svchost.exe
+0xffff94895eb5b4c0,taskhostw.exe
+0xffff94895ebbd3c0,svchost.exe
+0xffff94895ebc2440,ctfmon.exe
+0xffff94895ec5e080,userinit.exe
+0xffff94895eccc4c0,Code.exe
+0xffff94895ece5080,dllhost.exe
+0xffff94895edf6080,StartMenuExper
+0xffff94895ef1b480,RuntimeBroker.
+0xffff94895f2074c0,ApplicationFra
+0xffff94895f2dd080,SkypeApp.exe
+0xffff94895f3be480,browser_broker
+0xffff94895f3c5080,YourPhone.exe
+0xffff94895f3ce400,svchost.exe
+0xffff94895f449080,WinStore.App.e
+0xffff94895f44b480,RuntimeBroker.
+0xffff94895f4e9240,MicrosoftEdgeC
+0xffff94895f571480,RuntimeBroker.
+0xffff94895f7ca380,SecurityHealth
+0xffff94895ffce080,MicrosoftEdgeC
+0xffff94895fff2480,conhost.exe
+0xffff9489600c50c0,Code.exe
+0xffff9489602ec080,dllhost.exe
+0xffff9489603ca080,Windows.WARP.J
+0xffff948960acc080,svchost.exe

logs/dump_test/1/eprocess_volscan.txt

@@ -0,0 +1,77 @@
+Volatility Foundation Volatility Framework 2.6.1
+Offset(P)          Name                PID   PPID PDB                Time created                   Time exited                   
+------------------ ---------------- ------ ------ ------------------ ------------------------------ ------------------------------
+0x0000948957c67080 VBoxService.ex     1604    596 0x00000000205e9002 2020-06-04 20:20:35 UTC+0000                                 
+0x0000948957c6c080 svchost.exe        6904    596 0x0000000009506002 2020-06-04 06:25:45 UTC+0000   2020-06-04 06:27:55 UTC+0000  
+0x0000948957caa080 svchost.exe        6448    596 0x000000006a7bc002 2020-06-04 06:21:12 UTC+0000                                 
+0x0000948957ce3080 svchost.exe        1508    596 0x000000001ff45002 2020-06-04 20:20:35 UTC+0000                                 
+0x0000948957d1b080 svchost.exe        1444    596 0x000000001e3b9002 2020-06-04 20:20:35 UTC+0000                                 
+0x0000948957ddf040 Registry             68      4 0x0000000000341002 2020-06-04 20:20:13 UTC+0000                                 
+0x000094895ac79400 smss.exe            324      4 0x0000000101742002 2020-06-04 20:20:19 UTC+0000                                 
+0x000094895ad15080 powershell.exe      408   1060 0x00000000b5241002 2020-06-04 07:19:20 UTC+0000   2020-06-04 07:20:22 UTC+0000  
+0x000094895b0452c0 csrss.exe           416    408 0x0000000002e84002 2020-06-04 20:20:33 UTC+0000                                 
+0x000094895ba28080 MicrosoftEdgeC     1436    772 0x000000011866b002 2020-06-04 07:16:47 UTC+0000                                 
+0x000094895bb25080 MicrosoftEdgeC     2776    772 0x00000000d2641002 2020-06-04 07:16:57 UTC+0000                                 
+0x000094895bdb0080 winlogon.exe        544    480 0x0000000001add002 2020-06-04 20:20:33 UTC+0000                                 
+0x000094895bdf51c0 services.exe        596    488 0x0000000016c16002 2020-06-04 20:20:33 UTC+0000                                 
+0x000094895ca5f280 fontdrvhost.ex      680    544 0x0000000019366002 2020-06-04 20:20:33 UTC+0000                                 
+0x000094895ca6a280 fontdrvhost.ex      688    488 0x0000000015d1b002 2020-06-04 20:20:33 UTC+0000                                 
+0x000094895ca70380 svchost.exe         708    596 0x0000000017338002 2020-06-04 20:20:33 UTC+0000                                 
+0x000094895caf6400 svchost.exe         824    596 0x0000000019ad0002 2020-06-04 20:20:34 UTC+0000                                 
+0x000094895cb3a380 svchost.exe         876    596 0x000000001a2b4002 2020-06-04 20:20:34 UTC+0000                                 
+0x000094895cbd8400 svchost.exe         384    596 0x000000001950d002 2020-06-04 20:20:34 UTC+0000                                 
+0x000094895cc15440 svchost.exe         420    596 0x000000001c315002 2020-06-04 20:20:34 UTC+0000                                 
+0x000094895cc223c0 svchost.exe         592    596 0x000000001c549002 2020-06-04 20:20:34 UTC+0000                                 
+0x000094895cc5b380 svchost.exe        1064    596 0x000000001d1a4002 2020-06-04 20:20:34 UTC+0000                                 
+0x000094895ccae400 svchost.exe        1148    596 0x000000001ddbf002 2020-06-04 20:20:34 UTC+0000                                 
+0x000094895cdac400 svchost.exe        1372    596 0x000000001ca24002 2020-06-04 20:20:35 UTC+0000                                 
+0x000094895cdae400 svchost.exe        1452    596 0x00000000206dd002 2020-06-04 20:20:35 UTC+0000                                 
+0x000094895ce19400 svchost.exe        1632    596 0x0000000023c4f002 2020-06-04 20:20:35 UTC+0000                                 
+0x000094895ce1b080 svchost.exe        1640    596 0x0000000022b39002 2020-06-04 20:20:35 UTC+0000                                 
+0x000094895ce98400 svchost.exe        1772    596 0x0000000020e71002 2020-06-04 06:20:37 UTC+0000                                 
+0x000094895cea7080 MemCompression     1812      4 0x00000000236f8002 2020-06-04 06:20:37 UTC+0000                                 
+0x000094895ceb5380 svchost.exe        1868    596 0x0000000025c34002 2020-06-04 06:20:37 UTC+0000                                 
+0x000094895cf2e3c0 svchost.exe        1936    596 0x0000000024179002 2020-06-04 06:20:37 UTC+0000                                 
+0x000094895cf90400 svchost.exe        1660    596 0x0000000022790002 2020-06-04 06:20:37 UTC+0000                                 
+0x000094895cf98400 svchost.exe        1352    596 0x0000000025171002 2020-06-04 06:20:37 UTC+0000                                 
+0x000094895e017440 svchost.exe        2088    596 0x0000000021120002 2020-06-04 06:20:38 UTC+0000                                 
+0x000094895e02b380 svchost.exe        2128    596 0x0000000027d28002 2020-06-04 06:20:38 UTC+0000                                 
+0x000094895e077400 svchost.exe        2160    596 0x0000000025ec9002 2020-06-04 06:20:38 UTC+0000                                 
+0x000094895e0ce400 svchost.exe        2208    596 0x00000000260c0002 2020-06-04 06:20:38 UTC+0000                                 
+0x000094895e0d8400 svchost.exe        2232    596 0x000000002652a002 2020-06-04 06:20:38 UTC+0000                                 
+0x000094895e169380 svchost.exe        2928    596 0x000000002e054002 2020-06-04 06:20:39 UTC+0000                                 
+0x000094895e171080 svchost.exe        2684    596 0x000000002ad7c002 2020-06-04 06:20:39 UTC+0000                                 
+0x000094895e391080 SearchProtocol     1648   5160 0x000000009b248002 2020-06-04 07:26:11 UTC+0000                                 
+0x000094895e54e4c0 NisSrv.exe         2016    596 0x00000000b4eff002 2020-06-04 06:28:41 UTC+0000                                 
+0x000094895e929480 smartscreen.ex     3256    772 0x00000000c11d6002 2020-06-04 07:16:27 UTC+0000                                 
+0x000094895e9412c0 Windows.WARP.J     5712   5580 0x00000000c0f76002 2020-06-04 07:16:26 UTC+0000                                 
+0x000094895e9512c0 MsMpEng.exe        4676    596 0x0000000044f09002 2020-06-04 06:28:33 UTC+0000                                 
+0x000094895e970080 SearchUI.exe       4692    772 0x0000000057496002 2020-06-04 06:21:01 UTC+0000                                 
+0x000094895eaaf440 sihost.exe          432   1292 0x0000000043c29002 2020-06-04 06:20:50 UTC+0000                                 
+0x000094895eaee480 svchost.exe        1588    596 0x0000000043ecd002 2020-06-04 06:20:50 UTC+0000                                 
+0x000094895eaf54c0 svchost.exe        3152    596 0x0000000045d46002 2020-06-04 06:20:50 UTC+0000                                 
+0x000094895eaf84c0 svchost.exe        3672    596 0x00000000465a3002 2020-06-04 06:20:50 UTC+0000                                 
+0x000094895eb5b4c0 taskhostw.exe      4124   1064 0x0000000046bc4002 2020-06-04 06:20:50 UTC+0000                                 
+0x000094895ebbd3c0 svchost.exe        4232    596 0x000000004306e002 2020-06-04 06:20:50 UTC+0000                                 
+0x000094895ebc2440 ctfmon.exe         4300   4232 0x0000000041c8c002 2020-06-04 06:20:50 UTC+0000                                 
+0x000094895ec5e080 userinit.exe       4400    544 0x0000000046ed7002 2020-06-04 06:20:51 UTC+0000   2020-06-04 06:21:20 UTC+0000  
+0x000094895eccc4c0 Code.exe           6968   3736 0x00000000bb0c4002 2020-06-04 07:19:16 UTC+0000                                 
+0x000094895ece5080 dllhost.exe        4648    772 0x00000000502b5002 2020-06-04 06:20:53 UTC+0000                                 
+0x000094895edf6080 StartMenuExper     4972    772 0x0000000053638002 2020-06-04 06:21:00 UTC+0000                                 
+0x000094895ef1b480 RuntimeBroker.     5092    772 0x0000000056e70002 2020-06-04 06:21:00 UTC+0000                                 
+0x000094895f2074c0 ApplicationFra     5336    772 0x000000005c223002 2020-06-04 06:21:04 UTC+0000                                 
+0x000094895f2dd080 SkypeApp.exe       5412    772 0x000000005fea5002 2020-06-04 06:21:05 UTC+0000                                 
+0x000094895f3be480 browser_broker     5544    772 0x0000000060a28002 2020-06-04 06:21:05 UTC+0000                                 
+0x000094895f3c5080 YourPhone.exe      5588    772 0x000000006315e002 2020-06-04 06:21:05 UTC+0000                                 
+0x000094895f3ce400 svchost.exe        5580    596 0x0000000063376002 2020-06-04 06:21:05 UTC+0000                                 
+0x000094895f449080 WinStore.App.e     5952    772 0x00000001142d1002 2020-06-04 06:22:36 UTC+0000                                 
+0x000094895f44b480 RuntimeBroker.     5860    772 0x0000000061748002 2020-06-04 06:21:06 UTC+0000                                 
+0x000094895f4e9240 MicrosoftEdgeC     6048    772 0x0000000063ba6002 2020-06-04 06:21:07 UTC+0000                                 
+0x000094895f571480 RuntimeBroker.     6908    772 0x000000006dcb1002 2020-06-04 06:21:16 UTC+0000                                 
+0x000094895f7ca380 SecurityHealth     2248    596 0x000000006f4ba002 2020-06-04 06:21:21 UTC+0000                                 
+0x000094895ffce080 MicrosoftEdgeC     3288    772 0x00000000bd993002 2020-06-04 07:16:41 UTC+0000   2020-06-04 07:19:52 UTC+0000  
+0x000094895fff2480 conhost.exe        5696   1892 0x0000000058bc3002 2020-06-04 07:19:49 UTC+0000                                 
+0x00009489600c50c0 Code.exe           1060   3736 0x000000003859d002 2020-06-04 07:19:17 UTC+0000                                 
+0x00009489602ec080 dllhost.exe        4156    772 0x000000009589c002 2020-06-04 07:16:29 UTC+0000                                 
+0x00009489603ca080 Windows.WARP.J     7068   5580 0x00000000bb4da002 2020-06-04 07:16:48 UTC+0000                                 
+0x0000948960acc080 svchost.exe        3204    596 0x00000000c4173002 2020-06-04 07:19:47 UTC+0000                                 

logs/dump_test/1/file_to_csv.py

@@ -0,0 +1,29 @@
+import re
+import csv
+
+vp = re.compile(r'(0x[0-9a-f]+)\s+\d+\s+[01]\s+[RWDrwd-]+\s+(.*)')
+
+vol = map(lambda x: x.group(1, 2), filter(lambda x: x is not None, map(vp.match, open('file_volscan.txt', 'r').read().split('\n'))))
+
+with open('file_volscan.csv', 'w', newline='') as f:
+    writer = csv.writer(f)
+    writer.writerow(['address', 'file'])
+    for v in vol:
+        a, b = list(v)
+        a = hex(int(a, 16) + 0xffff000000000000)
+        writer.writerow([a, b])
+
+
+# lp = re.compile(r'pool: 0x[0-9a-f]+ \| file object: (0x[0-9a-f]+) \| offsetby: 0x[0-9a-f]+\s+(.*)$', re.MULTILINE)
+
+lpus = map(lambda x: x.group(1, 2), filter(lambda x: x is not None, map(vp.match, open('file_volscan.txt', 'r').read().split('\n'))))
+
+lpus = re.finditer(r'pool: 0x[0-9a-f]+ \| file object: (0x[0-9a-f]+) \| offsetby: 0x[0-9a-f]+\s+(.*)$',
+                   open('file_scan_log.txt', 'r', encoding='utf-8').read(), re.MULTILINE)
+
+with open('file_lpusscan.csv', 'w', newline='', encoding='utf-8') as f:
+    writer = csv.writer(f)
+    writer.writerow(['address', 'file'])
+    for v in lpus:
+        a, b = list(v.groups())
+        writer.writerow([a, b])

logs/dump_test/1/stat.py

@@ -0,0 +1,50 @@
+import pandas as pd
+
+elpus = pd.read_csv('eprocess_lpusscan.csv')
+flpus = pd.read_csv('file_lpusscan.csv', encoding='utf-8')
+
+evol = pd.read_csv('eprocess_volscan.csv')
+fvol = pd.read_csv('file_volscan.csv')
+
+print('''
+A simple statistics for LPUS and Volatility
+
+Environment: Windows 10 2019 (build number 18362) on VirtualBox
+RAM: 4GB
+
+> The VM is downloaded through Microsoft
+
+LPUS scan _EPROCESS and _FILE_OBJECT.
+The scan time: approximate 5 minutes.
+
+After that, use VirtualBox command to generate the memory image
+
+> "C:\Program Files\Oracle\VirtualBox\VBoxManage.exe" debugvm "<name>" dumpvmcore --filename "/path/to/<name>.elf"
+
+Volatility version is at 5f685e5
+
+> The latest release of Volatility doesn't have support for Windows build no. 18362
+
+Then compare the log from LPUS and the two volatility command with profile Win10x64_18362:
+- psscan to scan _EPROCESS, approximate 30 minutes
+- filescan to scan _EPROCESS, approximate 2-3 hours
+
+(The log file is then converted to csv files, see 'eprocess_to_csv.py' and 'file_to_csv.py')
+
+''')
+
+print('==================================================')
+
+print('_EPROCESS')
+print('lpus scan: ', elpus['address'].shape, 'results')
+print('volatility scan: ', evol['address'].shape, 'results')
+print('volatility scan misses lpus: ', elpus['address'][~elpus['address'].isin(evol['address'])].shape, 'results')
+print('lpus scan misses volatility: ', evol['address'][~evol['address'].isin(elpus['address'])].shape, 'results')
+
+print('==================================================')
+
+print('_FILE_OBJECT')
+print('lpus scan: ', flpus['address'].shape, 'results')
+print('volatility scan: ', fvol['address'].shape, 'results')
+print('volatility scan misses lpus: ', flpus['address'][~flpus['address'].isin(fvol['address'])].shape, 'results')
+print('lpus scan misses volatility: ', fvol['address'][~fvol['address'].isin(flpus['address'])].shape, 'results')

logs/eprocess_scan.log

@@ -0,0 +1,138 @@
+PDB for Amd64, guid: 8b11040a-5928-757b-1139-0ac78f6b6925, age: 1
+
+NtLoadDriver()   -> 0x0
+pool: 0xffffe282a0463000 | eprocess: 0xffffe282a0463080 | pid: 1088 | ppid: 560 | name: svchost.exe | path: \Windows\System32\svchost.exe
+pool: 0xffffe282a0465010 | eprocess: 0xffffe282a0465080 | pid: 1032 | ppid: 560 | name: svchost.exe | path: \Windows\System32\svchost.exe
+pool: 0xffffe282a046b160 | eprocess: 0xffffe282a046b1c0 | pid: 4 | ppid: 0 | name: System | path: 
+pool: 0xffffe282a047e000 | eprocess: 0xffffe282a047e080 | pid: 1080 | ppid: 560 | name: svchost.exe | path: \Windows\System32\svchost.exe
+pool: 0xffffe282a0482260 | eprocess: 0xffffe282a04822c0 | pid: 1812 | ppid: 560 | name: svchost.exe | path: \Windows\System32\svchost.exe
+pool: 0xffffe282a04b6000 | eprocess: 0xffffe282a04b6080 | pid: 1220 | ppid: 560 | name: svchost.exe | path: \Windows\System32\svchost.exe
+pool: 0xffffe282a04ed000 | eprocess: 0xffffe282a04ed080 | pid: 1276 | ppid: 560 | name: svchost.exe | path: \Windows\System32\svchost.exe
+pool: 0xffffe282a050d000 | eprocess: 0xffffe282a050d080 | pid: 1148 | ppid: 560 | name: svchost.exe | path: \Windows\System32\svchost.exe
+pool: 0xffffe282a0511000 | eprocess: 0xffffe282a0511080 | pid: 1156 | ppid: 560 | name: svchost.exe | path: \Windows\System32\svchost.exe
+pool: 0xffffe282a31d04d0 | eprocess: 0xffffe282a31d0540 | pid: 288 | ppid: 4 | name: smss.exe | path: \Windows\System32\smss.exe
+pool: 0xffffe282a3cbe1f0 | eprocess: 0xffffe282a3cbe280 | pid: 6736 | ppid: 756 | name: smartscreen.ex | path: \Windows\System32\smartscreen.exe
+pool: 0xffffe282a3cd94d0 | eprocess: 0xffffe282a3cd9540 | pid: 4976 | ppid: 4868 | name: Windows.WARP.J | path: \Windows\System32\Windows.WARP.JITService.exe
+pool: 0xffffe282a3d45000 | eprocess: 0xffffe282a3d45080 | pid: 808 | ppid: 560 | name: svchost.exe | path: \Windows\System32\svchost.exe
+pool: 0xffffe282a3d4b000 | eprocess: 0xffffe282a3d4b080 | pid: 452 | ppid: 376 | name: wininit.exe | path: \Windows\System32\wininit.exe
+pool: 0xffffe282a3d500b0 | eprocess: 0xffffe282a3d50140 | pid: 460 | ppid: 444 | name: csrss.exe | path: \Windows\System32\csrss.exe
+pool: 0xffffe282a3d65000 | eprocess: 0xffffe282a3d65080 | pid: 512 | ppid: 444 | name: winlogon.exe | path: \Windows\System32\winlogon.exe
+pool: 0xffffe282a3dc90d0 | eprocess: 0xffffe282a3dc9140 | pid: 560 | ppid: 452 | name: services.exe | path: \Windows\System32\services.exe
+pool: 0xffffe282a3dd50b0 | eprocess: 0xffffe282a3dd5140 | pid: 584 | ppid: 452 | name: lsass.exe | path: \Windows\System32\lsass.exe
+pool: 0xffffe282a3e910b0 | eprocess: 0xffffe282a3e91140 | pid: 384 | ppid: 376 | name: csrss.exe | path: \Windows\System32\csrss.exe
+pool: 0xffffe282a3f08260 | eprocess: 0xffffe282a3f082c0 | pid: 4964 | ppid: 560 | name: svchost.exe | path: \Windows\System32\svchost.exe
+pool: 0xffffe282a4c2b2d0 | eprocess: 0xffffe282a4c2b340 | pid: 660 | ppid: 512 | name: fontdrvhost.ex | path: \Windows\System32\fontdrvhost.exe
+pool: 0xffffe282a4c2f000 | eprocess: 0xffffe282a4c2f080 | pid: 668 | ppid: 452 | name: fontdrvhost.ex | path: \Windows\System32\fontdrvhost.exe
+pool: 0xffffe282a4c76290 | eprocess: 0xffffe282a4c76300 | pid: 684 | ppid: 560 | name: svchost.exe | path: \Windows\System32\svchost.exe
+pool: 0xffffe282a4cd1280 | eprocess: 0xffffe282a4cd1300 | pid: 756 | ppid: 560 | name: svchost.exe | path: \Windows\System32\svchost.exe
+pool: 0xffffe282a4e06290 | eprocess: 0xffffe282a4e06300 | pid: 852 | ppid: 560 | name: svchost.exe | path: \Windows\System32\svchost.exe
+pool: 0xffffe282a4e9a0e0 | eprocess: 0xffffe282a4e9a140 | pid: 928 | ppid: 512 | name: LogonUI.exe | path: 
+pool: 0xffffe282a4e9c240 | eprocess: 0xffffe282a4e9c2c0 | pid: 936 | ppid: 512 | name: dwm.exe | path: \Windows\System32\dwm.exe
+pool: 0xffffe282a4f61290 | eprocess: 0xffffe282a4f61300 | pid: 1008 | ppid: 560 | name: svchost.exe | path: \Windows\System32\svchost.exe
+pool: 0xffffe282a4f68310 | eprocess: 0xffffe282a4f68380 | pid: 1020 | ppid: 560 | name: svchost.exe | path: \Windows\System32\svchost.exe
+pool: 0xffffe282a4f76340 | eprocess: 0xffffe282a4f763c0 | pid: 336 | ppid: 560 | name: svchost.exe | path: \Windows\System32\svchost.exe
+pool: 0xffffe282a4fc62c0 | eprocess: 0xffffe282a4fc6340 | pid: 348 | ppid: 560 | name: svchost.exe | path: \Windows\System32\svchost.exe
+pool: 0xffffe282a60c3340 | eprocess: 0xffffe282a60c33c0 | pid: 376 | ppid: 560 | name: svchost.exe | path: \Windows\System32\svchost.exe
+pool: 0xffffe282a623c000 | eprocess: 0xffffe282a623c080 | pid: 1456 | ppid: 560 | name: svchost.exe | path: \Windows\System32\svchost.exe
+pool: 0xffffe282a623f2b0 | eprocess: 0xffffe282a623f340 | pid: 1300 | ppid: 560 | name: svchost.exe | path: \Windows\System32\svchost.exe
+pool: 0xffffe282a628f320 | eprocess: 0xffffe282a628f380 | pid: 1312 | ppid: 560 | name: svchost.exe | path: \Windows\System32\svchost.exe
+pool: 0xffffe282a62c3270 | eprocess: 0xffffe282a62c3300 | pid: 1372 | ppid: 560 | name: VBoxService.ex | path: \Windows\System32\VBoxService.exe
+pool: 0xffffe282a62c62b0 | eprocess: 0xffffe282a62c6340 | pid: 1464 | ppid: 560 | name: svchost.exe | path: \Windows\System32\svchost.exe
+pool: 0xffffe282a62ca290 | eprocess: 0xffffe282a62ca300 | pid: 1484 | ppid: 560 | name: svchost.exe | path: \Windows\System32\svchost.exe
+pool: 0xffffe282a64d6000 | eprocess: 0xffffe282a64d6040 | pid: 1548 | ppid: 4 | name: MemCompression | path: 
+pool: 0xffffe282a64d9280 | eprocess: 0xffffe282a64d9300 | pid: 1560 | ppid: 560 | name: svchost.exe | path: \Windows\System32\svchost.exe
+pool: 0xffffe282a64dc320 | eprocess: 0xffffe282a64dc380 | pid: 1568 | ppid: 560 | name: svchost.exe | path: \Windows\System32\svchost.exe
+pool: 0xffffe282a65242d0 | eprocess: 0xffffe282a6524340 | pid: 1608 | ppid: 560 | name: svchost.exe | path: \Windows\System32\svchost.exe
+pool: 0xffffe282a653a320 | eprocess: 0xffffe282a653a380 | pid: 1628 | ppid: 560 | name: svchost.exe | path: \Windows\System32\svchost.exe
+pool: 0xffffe282a653f000 | eprocess: 0xffffe282a653f080 | pid: 2108 | ppid: 560 | name: svchost.exe | path: \Windows\System32\svchost.exe
+pool: 0xffffe282a6546320 | eprocess: 0xffffe282a6546380 | pid: 1668 | ppid: 560 | name: svchost.exe | path: \Windows\System32\svchost.exe
+pool: 0xffffe282a659c320 | eprocess: 0xffffe282a659c380 | pid: 1772 | ppid: 560 | name: svchost.exe | path: \Windows\System32\svchost.exe
+pool: 0xffffe282a659e000 | eprocess: 0xffffe282a659e080 | pid: 1780 | ppid: 560 | name: svchost.exe | path: \Windows\System32\svchost.exe
+pool: 0xffffe282a6652350 | eprocess: 0xffffe282a66523c0 | pid: 1832 | ppid: 560 | name: svchost.exe | path: \Windows\System32\svchost.exe
+pool: 0xffffe282a665d000 | eprocess: 0xffffe282a665d080 | pid: 1388 | ppid: 560 | name: svchost.exe | path: \Windows\System32\svchost.exe
+pool: 0xffffe282a665e000 | eprocess: 0xffffe282a665e080 | pid: 1320 | ppid: 560 | name: svchost.exe | path: \Windows\System32\svchost.exe
+pool: 0xffffe282a666b000 | eprocess: 0xffffe282a666b080 | pid: 2020 | ppid: 560 | name: svchost.exe | path: \Windows\System32\svchost.exe
+pool: 0xffffe282a666c000 | eprocess: 0xffffe282a666c080 | pid: 2012 | ppid: 560 | name: svchost.exe | path: \Windows\System32\svchost.exe
+pool: 0xffffe282a666e000 | eprocess: 0xffffe282a666e080 | pid: 1936 | ppid: 1032 | name: CompatTelRunne | path: \Windows\System32\CompatTelRunner.exe
+pool: 0xffffe282a6670000 | eprocess: 0xffffe282a6670080 | pid: 1920 | ppid: 560 | name: svchost.exe | path: \Windows\System32\svchost.exe
+pool: 0xffffe282a6673000 | eprocess: 0xffffe282a6673080 | pid: 1900 | ppid: 560 | name: spoolsv.exe | path: \Windows\System32\spoolsv.exe
+pool: 0xffffe282a67eb000 | eprocess: 0xffffe282a67eb080 | pid: 2384 | ppid: 560 | name: MsMpEng.exe | path: \ProgramData\Microsoft\Windows Defender\Platform\4.18.2005.5-0\MsMpEng.exe
+pool: 0xffffe282a67ec000 | eprocess: 0xffffe282a67ec080 | pid: 2376 | ppid: 560 | name: svchost.exe | path: \Windows\System32\svchost.exe
+pool: 0xffffe282a67ed000 | eprocess: 0xffffe282a67ed080 | pid: 2368 | ppid: 560 | name: ruby.exe | path: \Program Files\Puppet Labs\Puppet\sys\ruby\bin\ruby.exe
+pool: 0xffffe282a67f0000 | eprocess: 0xffffe282a67f0080 | pid: 2296 | ppid: 560 | name: svchost.exe | path: \Windows\System32\svchost.exe
+pool: 0xffffe282a67f2000 | eprocess: 0xffffe282a67f2080 | pid: 2272 | ppid: 560 | name: svchost.exe | path: \Windows\System32\svchost.exe
+pool: 0xffffe282a67f4000 | eprocess: 0xffffe282a67f4080 | pid: 2252 | ppid: 560 | name: svchost.exe | path: \Windows\System32\svchost.exe
+pool: 0xffffe282a67f6000 | eprocess: 0xffffe282a67f6080 | pid: 2240 | ppid: 560 | name: svchost.exe | path: \Windows\System32\svchost.exe
+pool: 0xffffe282a67f7000 | eprocess: 0xffffe282a67f7080 | pid: 2220 | ppid: 560 | name: svchost.exe | path: \Windows\System32\svchost.exe
+pool: 0xffffe282a6802040 | eprocess: 0xffffe282a68020c0 | pid: 2200 | ppid: 560 | name: svchost.exe | path: \Windows\System32\svchost.exe
+pool: 0xffffe282a694c260 | eprocess: 0xffffe282a694c2c0 | pid: 1896 | ppid: 560 | name: svchost.exe | path: \Windows\System32\svchost.exe
+pool: 0xffffe282a694d000 | eprocess: 0xffffe282a694d080 | pid: 3016 | ppid: 2964 | name: dasHost.exe | path: \Windows\System32\dasHost.exe
+pool: 0xffffe282a6950000 | eprocess: 0xffffe282a6950080 | pid: 2964 | ppid: 560 | name: svchost.exe | path: \Windows\System32\svchost.exe
+pool: 0xffffe282a6953000 | eprocess: 0xffffe282a6953080 | pid: 2728 | ppid: 560 | name: sppsvc.exe | path: \Windows\System32\sppsvc.exe
+pool: 0xffffe282a6956040 | eprocess: 0xffffe282a69560c0 | pid: 2500 | ppid: 560 | name: svchost.exe | path: \Windows\System32\svchost.exe
+pool: 0xffffe282a6959000 | eprocess: 0xffffe282a6959080 | pid: 2444 | ppid: 560 | name: svchost.exe | path: \Windows\System32\svchost.exe
+pool: 0xffffe282a695c000 | eprocess: 0xffffe282a695c080 | pid: 2400 | ppid: 560 | name: wlms.exe | path: \Windows\System32\wlms\wlms.exe
+pool: 0xffffe282a6d1e450 | eprocess: 0xffffe282a6d1e4c0 | pid: 3316 | ppid: 560 | name: svchost.exe | path: \Windows\System32\svchost.exe
+pool: 0xffffe282a6d26000 | eprocess: 0xffffe282a6d26080 | pid: 3256 | ppid: 1032 | name: taskhostw.exe | path: \Windows\System32\taskhostw.exe
+pool: 0xffffe282a6d29000 | eprocess: 0xffffe282a6d29080 | pid: 6516 | ppid: 756 | name: RuntimeBroker. | path: \Windows\System32\RuntimeBroker.exe
+pool: 0xffffe282a6d2a000 | eprocess: 0xffffe282a6d2a080 | pid: 3172 | ppid: 560 | name: svchost.exe | path: \Windows\System32\svchost.exe
+pool: 0xffffe282a6d2b000 | eprocess: 0xffffe282a6d2b080 | pid: 6804 | ppid: 560 | name: SecurityHealth | path: \Windows\System32\SecurityHealthService.exe
+pool: 0xffffe282a6d2d000 | eprocess: 0xffffe282a6d2d080 | pid: 3140 | ppid: 560 | name: svchost.exe | path: \Windows\System32\svchost.exe
+pool: 0xffffe282a6d2f000 | eprocess: 0xffffe282a6d2f080 | pid: 3108 | ppid: 1148 | name: sihost.exe | path: \Windows\System32\sihost.exe
+pool: 0xffffe282a6d30000 | eprocess: 0xffffe282a6d30080 | pid: 4372 | ppid: 756 | name: SearchUI.exe | path: \Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
+pool: 0xffffe282a6d35040 | eprocess: 0xffffe282a6d350c0 | pid: 2192 | ppid: 560 | name: NisSrv.exe | path: \ProgramData\Microsoft\Windows Defender\Platform\4.18.2005.5-0\NisSrv.exe
+pool: 0xffffe282a6ece000 | eprocess: 0xffffe282a6ece080 | pid: 4016 | ppid: 560 | name: svchost.exe | path: \Windows\System32\svchost.exe
+pool: 0xffffe282a6ed0000 | eprocess: 0xffffe282a6ed0080 | pid: 3892 | ppid: 3788 | name: explorer.exe | path: \Windows\explorer.exe
+pool: 0xffffe282a6ed1000 | eprocess: 0xffffe282a6ed1080 | pid: 3224 | ppid: 3892 | name: OneDrive.exe | path: \Users\IEUser\AppData\Local\Microsoft\OneDrive\OneDrive.exe
+pool: 0xffffe282a6ed3000 | eprocess: 0xffffe282a6ed3080 | pid: 3808 | ppid: 1936 | name: conhost.exe | path: \Windows\System32\conhost.exe
+pool: 0xffffe282a6ed4000 | eprocess: 0xffffe282a6ed4080 | pid: 6296 | ppid: 5824 | name: SearchProtocol | path: \Windows\System32\SearchProtocolHost.exe
+pool: 0xffffe282a6ed5000 | eprocess: 0xffffe282a6ed5080 | pid: 3788 | ppid: 512 | name: userinit.exe | path: 
+pool: 0xffffe282a6ed7000 | eprocess: 0xffffe282a6ed7080 | pid: 3752 | ppid: 560 | name: svchost.exe | path: \Windows\System32\svchost.exe
+pool: 0xffffe282a6ed9000 | eprocess: 0xffffe282a6ed9080 | pid: 3656 | ppid: 560 | name: svchost.exe | path: \Windows\System32\svchost.exe
+pool: 0xffffe282a6edc040 | eprocess: 0xffffe282a6edc0c0 | pid: 3548 | ppid: 3460 | name: ctfmon.exe | path: \Windows\System32\ctfmon.exe
+pool: 0xffffe282a6edf000 | eprocess: 0xffffe282a6edf080 | pid: 3468 | ppid: 560 | name: svchost.exe | path: \Windows\System32\svchost.exe
+pool: 0xffffe282a6ee0000 | eprocess: 0xffffe282a6ee0080 | pid: 3460 | ppid: 560 | name: svchost.exe | path: \Windows\System32\svchost.exe
+pool: 0xffffe282a722d310 | eprocess: 0xffffe282a722d380 | pid: 5068 | ppid: 756 | name: backgroundTask | path: \Windows\System32\backgroundTaskHost.exe
+pool: 0xffffe282a724f000 | eprocess: 0xffffe282a724f080 | pid: 4256 | ppid: 756 | name: ShellExperienc | path: \Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
+pool: 0xffffe282a72f02d0 | eprocess: 0xffffe282a72f0340 | pid: 6612 | ppid: 756 | name: RuntimeBroker. | path: \Windows\System32\RuntimeBroker.exe
+pool: 0xffffe282a7437370 | eprocess: 0xffffe282a7437400 | pid: 4548 | ppid: 756 | name: RuntimeBroker. | path: \Windows\System32\RuntimeBroker.exe
+pool: 0xffffe282a74bc000 | eprocess: 0xffffe282a74bc080 | pid: 6012 | ppid: 756 | name: RuntimeBroker. | path: \Windows\System32\RuntimeBroker.exe
+pool: 0xffffe282a74cf000 | eprocess: 0xffffe282a74cf080 | pid: 7592 | ppid: 7584 | name: conhost.exe | path: \Windows\System32\conhost.exe
+pool: 0xffffe282a74f43a0 | eprocess: 0xffffe282a74f4400 | pid: 4632 | ppid: 756 | name: ApplicationFra | path: \Windows\System32\ApplicationFrameHost.exe
+pool: 0xffffe282a75484d0 | eprocess: 0xffffe282a7548540 | pid: 6776 | ppid: 3892 | name: SecurityHealth | path: \Windows\System32\SecurityHealthSystray.exe
+pool: 0xffffe282a7564040 | eprocess: 0xffffe282a75640c0 | pid: 4668 | ppid: 756 | name: MicrosoftEdge. | path: \Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
+pool: 0xffffe282a75a2000 | eprocess: 0xffffe282a75a2080 | pid: 5636 | ppid: 756 | name: LockApp.exe | path: \Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe
+pool: 0xffffe282a768a320 | eprocess: 0xffffe282a768a380 | pid: 4868 | ppid: 560 | name: svchost.exe | path: \Windows\System32\svchost.exe
+pool: 0xffffe282a768f380 | eprocess: 0xffffe282a768f400 | pid: 4876 | ppid: 756 | name: browser_broker | path: \Windows\System32\browser_broker.exe
+pool: 0xffffe282a7724040 | eprocess: 0xffffe282a77240c0 | pid: 1604 | ppid: 756 | name: backgroundTask | path: \Windows\System32\backgroundTaskHost.exe
+pool: 0xffffe282a7740290 | eprocess: 0xffffe282a7740300 | pid: 3364 | ppid: 560 | name: svchost.exe | path: \Windows\System32\svchost.exe
+pool: 0xffffe282a778f040 | eprocess: 0xffffe282a778f0c0 | pid: 736 | ppid: 756 | name: YourPhone.exe | path: \Program Files\WindowsApps\Microsoft.YourPhone_1.20051.93.0_x64__8wekyb3d8bbwe\YourPhone.exe
+pool: 0xffffe282a77e1370 | eprocess: 0xffffe282a77e1400 | pid: 4128 | ppid: 756 | name: RuntimeBroker. | path: \Windows\System32\RuntimeBroker.exe
+pool: 0xffffe282a7813040 | eprocess: 0xffffe282a78130c0 | pid: 5204 | ppid: 756 | name: SkypeBackgroun | path: \Program Files\WindowsApps\Microsoft.SkypeApp_14.56.102.0_x64__kzf8qxf38zg5c\SkypeBackgroundHost.exe
+pool: 0xffffe282a78171d0 | eprocess: 0xffffe282a7817240 | pid: 5260 | ppid: 756 | name: SkypeApp.exe | path: \Program Files\WindowsApps\Microsoft.SkypeApp_14.56.102.0_x64__kzf8qxf38zg5c\SkypeApp.exe
+pool: 0xffffe282a781b1d0 | eprocess: 0xffffe282a781b240 | pid: 5284 | ppid: 756 | name: MicrosoftEdgeC | path: \Windows\System32\MicrosoftEdgeCP.exe
+pool: 0xffffe282a78a4040 | eprocess: 0xffffe282a78a40c0 | pid: 5384 | ppid: 560 | name: svchost.exe | path: \Windows\System32\svchost.exe
+pool: 0xffffe282a78b3000 | eprocess: 0xffffe282a78b3080 | pid: 5432 | ppid: 4128 | name: MicrosoftEdgeS | path: \Windows\System32\MicrosoftEdgeSH.exe
+pool: 0xffffe282a78bb290 | eprocess: 0xffffe282a78bb300 | pid: 5504 | ppid: 560 | name: svchost.exe | path: \Windows\System32\svchost.exe
+pool: 0xffffe282a79f1000 | eprocess: 0xffffe282a79f1080 | pid: 5756 | ppid: 756 | name: backgroundTask | path: \Windows\System32\backgroundTaskHost.exe
+pool: 0xffffe282a7a1c370 | eprocess: 0xffffe282a7a1c400 | pid: 5704 | ppid: 756 | name: RuntimeBroker. | path: \Windows\System32\RuntimeBroker.exe
+pool: 0xffffe282a7a44290 | eprocess: 0xffffe282a7a44300 | pid: 5824 | ppid: 560 | name: SearchIndexer. | path: \Windows\System32\SearchIndexer.exe
+pool: 0xffffe282a7a90320 | eprocess: 0xffffe282a7a90380 | pid: 5904 | ppid: 560 | name: svchost.exe | path: \Windows\System32\svchost.exe
+pool: 0xffffe282a7b02040 | eprocess: 0xffffe282a7b020c0 | pid: 7900 | ppid: 7584 | name: eprocess_scan. | path: \Users\IEUser\Downloads\eprocess_scan.exe
+pool: 0xffffe282a7b03000 | eprocess: 0xffffe282a7b03080 | pid: 6820 | ppid: 2368 | name: cmd.exe | path: 
+pool: 0xffffe282a7b0e000 | eprocess: 0xffffe282a7b0e080 | pid: 6164 | ppid: 756 | name: RuntimeBroker. | path: \Windows\System32\RuntimeBroker.exe
+pool: 0xffffe282a7b20430 | eprocess: 0xffffe282a7b204c0 | pid: 5936 | ppid: 756 | name: RuntimeBroker. | path: \Windows\System32\RuntimeBroker.exe
+pool: 0xffffe282a7b4a000 | eprocess: 0xffffe282a7b4a080 | pid: 6860 | ppid: 756 | name: RuntimeBroker. | path: \Windows\System32\RuntimeBroker.exe
+pool: 0xffffe282a7ba32c0 | eprocess: 0xffffe282a7ba3340 | pid: 6232 | ppid: 756 | name: WmiPrvSE.exe | path: \Windows\System32\wbem\WmiPrvSE.exe
+pool: 0xffffe282a7cea000 | eprocess: 0xffffe282a7cea080 | pid: 6456 | ppid: 5824 | name: SearchFilterHo | path: \Windows\System32\SearchFilterHost.exe
+pool: 0xffffe282a7e7f000 | eprocess: 0xffffe282a7e7f080 | pid: 7028 | ppid: 560 | name: svchost.exe | path: \Windows\System32\svchost.exe
+pool: 0xffffe282a7e843a0 | eprocess: 0xffffe282a7e84400 | pid: 7000 | ppid: 3892 | name: VBoxTray.exe | path: \Windows\System32\VBoxTray.exe
+pool: 0xffffe282a7ed23c0 | eprocess: 0xffffe282a7ed2440 | pid: 7104 | ppid: 756 | name: dllhost.exe | path: \Windows\System32\dllhost.exe
+pool: 0xffffe282a7ed8000 | eprocess: 0xffffe282a7ed8080 | pid: 5672 | ppid: 6820 | name: ruby.exe | path: 
+pool: 0xffffe282a7f15000 | eprocess: 0xffffe282a7f15080 | pid: 7656 | ppid: 560 | name: svchost.exe | path: \Windows\System32\svchost.exe
+pool: 0xffffe282a7f16000 | eprocess: 0xffffe282a7f16080 | pid: 6392 | ppid: 756 | name: WindowsInterna | path: \Windows\SystemApps\InputApp_cw5n1h2txyewy\WindowsInternal.ComposableShell.Experiences.TextInput.InputApp.exe
+pool: 0xffffe282a80f12b0 | eprocess: 0xffffe282a80f1340 | pid: 6904 | ppid: 560 | name: svchost.exe | path: \Windows\System32\svchost.exe
+pool: 0xffffe282a811a340 | eprocess: 0xffffe282a811a3c0 | pid: 7184 | ppid: 560 | name: svchost.exe | path: \Windows\System32\svchost.exe
+pool: 0xffffe282a81cd290 | eprocess: 0xffffe282a81cd300 | pid: 7288 | ppid: 560 | name: svchost.exe | path: \Windows\System32\svchost.exe
+pool: 0xffffe282a81ce000 | eprocess: 0xffffe282a81ce080 | pid: 7584 | ppid: 3892 | name: cmd.exe | path: \Windows\System32\cmd.exe
+NtUnloadDriver() -> 0x0

logs/eprocess_scan_log_2.txt

@@ -0,0 +1,325 @@
+PDB for Amd64, guid: 94add4fd-403f-5f1a-8d4b-aba8db5d5b7a, age: 1
+
+NtLoadDriver()   -> 0x0
+pool: 0xffffa80e2cced000 | eprocess: 0xffffa80e2cced040 |  | System
+pool: 0xffffa80e2cd17000 | eprocess: 0xffffa80e2cd17080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e2cd3d010 | eprocess: 0xffffa80e2cd3d080 |  | Registry
+pool: 0xffffa80e2cd3e000 | eprocess: 0xffffa80e2cd3e080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e2cd79040 | eprocess: 0xffffa80e2cd79080 |  | Secure System
+pool: 0xffffa80e2cdc8000 | eprocess: 0xffffa80e2cdc8080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e2efcc000 | eprocess: 0xffffa80e2efcc080 |  | svchost.exe
+pool: 0xffffa80e2efcf000 | eprocess: 0xffffa80e2efcf080 | \Windows\System32\conhost.exe | conhost.exe
+pool: 0xffffa80e2efd1000 | eprocess: 0xffffa80e2efd1080 | \Program Files\Dell\SupportAssistAgent\PCDr\SupportAssist\6.0.7106.1428\DSAPI.exe | DSAPI.exe
+pool: 0xffffa80e316cb0f0 | eprocess: 0xffffa80e316cb180 | \Windows\System32\dllhost.exe | dllhost.exe
+pool: 0xffffa80e365b9000 | eprocess: 0xffffa80e365b9040 | \Windows\System32\smss.exe | smss.exe
+pool: 0xffffa80e368ed000 | eprocess: 0xffffa80e368ed080 |  | smss.exe
+pool: 0xffffa80e369420c0 | eprocess: 0xffffa80e36942140 | \Windows\System32\csrss.exe | csrss.exe
+pool: 0xffffa80e384c1000 | eprocess: 0xffffa80e384c1080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e38502040 | eprocess: 0xffffa80e385020c0 | \Windows\System32\wbem\WmiPrvSE.exe | WmiPrvSE.exe
+pool: 0xffffa80e38772000 | eprocess: 0xffffa80e38772080 |  | smss.exe
+pool: 0xffffa80e3877e0c0 | eprocess: 0xffffa80e3877e140 | \Windows\System32\csrss.exe | csrss.exe
+pool: 0xffffa80e3877f000 | eprocess: 0xffffa80e3877f080 | \Windows\System32\wininit.exe | wininit.exe
+pool: 0xffffa80e387d4000 | eprocess: 0xffffa80e387d4080 | \Windows\System32\ibtsiva.exe | ibtsiva.exe
+pool: 0xffffa80e387f2000 | eprocess: 0xffffa80e387f2080 | \Windows\System32\services.exe | services.exe
+pool: 0xffffa80e387f4000 | eprocess: 0xffffa80e387f4080 | \Windows\System32\lsass.exe | lsass.exe
+pool: 0xffffa80e387f6000 | eprocess: 0xffffa80e387f6080 | \Windows\System32\LsaIso.exe | LsaIso.exe
+pool: 0xffffa80e38e88000 | eprocess: 0xffffa80e38e88080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e38eed000 | eprocess: 0xffffa80e38eed080 | \Windows\System32\fontdrvhost.exe | fontdrvhost.ex
+pool: 0xffffa80e38ef9000 | eprocess: 0xffffa80e38ef9080 | \Windows\System32\WUDFHost.exe | WUDFHost.exe
+pool: 0xffffa80e38fc1000 | eprocess: 0xffffa80e38fc1080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e39005000 | eprocess: 0xffffa80e39005080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e39006000 | eprocess: 0xffffa80e39006080 | \Windows\System32\winlogon.exe | winlogon.exe
+pool: 0xffffa80e39102040 | eprocess: 0xffffa80e391020c0 | \Windows\System32\fontdrvhost.exe | fontdrvhost.ex
+pool: 0xffffa80e39107000 | eprocess: 0xffffa80e39107080 | \Windows\System32\dwm.exe | dwm.exe
+pool: 0xffffa80e3910a000 | eprocess: 0xffffa80e3910a080 |  | LogonUI.exe
+pool: 0xffffa80e391c10b0 | eprocess: 0xffffa80e391c1140 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e391c5000 | eprocess: 0xffffa80e391c5080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e39259000 | eprocess: 0xffffa80e39259080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e39264000 | eprocess: 0xffffa80e39264080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e39289040 | eprocess: 0xffffa80e392890c0 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e392db000 | eprocess: 0xffffa80e392db080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e392de000 | eprocess: 0xffffa80e392de080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e392e4000 | eprocess: 0xffffa80e392e4080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e39306000 | eprocess: 0xffffa80e39306080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e3930d000 | eprocess: 0xffffa80e3930d080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e3930f000 | eprocess: 0xffffa80e3930f080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e393bc040 | eprocess: 0xffffa80e393bc0c0 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e393c1000 | eprocess: 0xffffa80e393c1080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e393c2000 | eprocess: 0xffffa80e393c2080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e393d5000 | eprocess: 0xffffa80e393d5080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e39423040 | eprocess: 0xffffa80e394230c0 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e39430000 | eprocess: 0xffffa80e39430080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e39454000 | eprocess: 0xffffa80e39454080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e39580000 | eprocess: 0xffffa80e39580080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e395ab000 | eprocess: 0xffffa80e395ab080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e395af000 | eprocess: 0xffffa80e395af080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e39613040 | eprocess: 0xffffa80e396130c0 | \Program Files (x86)\Dell\UpdateService\ServiceShell.exe | ServiceShell.e
+pool: 0xffffa80e39637000 | eprocess: 0xffffa80e39637080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e3965e000 | eprocess: 0xffffa80e3965e080 | \Windows\System32\vmms.exe | vmms.exe
+pool: 0xffffa80e39677000 | eprocess: 0xffffa80e39677080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e396eb000 | eprocess: 0xffffa80e396eb080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e39723040 | eprocess: 0xffffa80e397230c0 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e3977a070 | eprocess: 0xffffa80e3977a100 | \Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe | NVDisplay.Cont
+pool: 0xffffa80e39785000 | eprocess: 0xffffa80e39785080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e3979d000 | eprocess: 0xffffa80e3979d080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e397a1000 | eprocess: 0xffffa80e397a1080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e397a8000 | eprocess: 0xffffa80e397a8080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e397f6000 | eprocess: 0xffffa80e397f6080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e39829000 | eprocess: 0xffffa80e39829040 |  | MemCompression
+pool: 0xffffa80e3982f000 | eprocess: 0xffffa80e3982f080 | \Windows\System32\DriverStore\FileRepository\ki127176.inf_amd64_86c658cabfb17c9c\igfxCUIService.exe | igfxCUIService
+pool: 0xffffa80e39842000 | eprocess: 0xffffa80e39842080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e3984e000 | eprocess: 0xffffa80e3984e080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e39853000 | eprocess: 0xffffa80e39853080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e39983000 | eprocess: 0xffffa80e39983080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e399e3000 | eprocess: 0xffffa80e399e3080 | \Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe | NVDisplay.Cont
+pool: 0xffffa80e39a47000 | eprocess: 0xffffa80e39a47080 | \Windows\System32\SettingSyncHost.exe | SettingSyncHos
+pool: 0xffffa80e39a48000 | eprocess: 0xffffa80e39a48080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e39a4c000 | eprocess: 0xffffa80e39a4c080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e39a50000 | eprocess: 0xffffa80e39a50080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e39a6d000 | eprocess: 0xffffa80e39a6d080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e39a98000 | eprocess: 0xffffa80e39a98080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e39ab5000 | eprocess: 0xffffa80e39ab5080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e39b08000 | eprocess: 0xffffa80e39b08080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e39b84000 | eprocess: 0xffffa80e39b84080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e39c49000 | eprocess: 0xffffa80e39c49080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e39c89000 | eprocess: 0xffffa80e39c89080 | \Windows\System32\wbem\WmiPrvSE.exe | WmiPrvSE.exe
+pool: 0xffffa80e39dc5000 | eprocess: 0xffffa80e39dc5080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e39dc7040 | eprocess: 0xffffa80e39dc70c0 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e39ea0000 | eprocess: 0xffffa80e39ea0080 | \Windows\System32\spoolsv.exe | spoolsv.exe
+pool: 0xffffa80e39fc2040 | eprocess: 0xffffa80e39fc20c0 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e3a0ab000 | eprocess: 0xffffa80e3a0ab080 | \Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\ElevationManager\AdobeUpdateService.exe | AdobeUpdateSer
+pool: 0xffffa80e3a0ac000 | eprocess: 0xffffa80e3a0ac080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e3a0b11d0 | eprocess: 0xffffa80e3a0b1240 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e3a0b4000 | eprocess: 0xffffa80e3a0b4080 | \Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | armsvc.exe
+pool: 0xffffa80e3a1a7000 | eprocess: 0xffffa80e3a1a7080 | \Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGMService.exe | AGMService.exe
+pool: 0xffffa80e3a1a8000 | eprocess: 0xffffa80e3a1a8080 | \Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe | OfficeClickToR
+pool: 0xffffa80e3a1ab000 | eprocess: 0xffffa80e3a1ab080 | \Program Files\Docker\Docker\com.docker.service | com.docker.ser
+pool: 0xffffa80e3a1ac000 | eprocess: 0xffffa80e3a1ac080 | \Windows\System32\DriverStore\FileRepository\ki127176.inf_amd64_86c658cabfb17c9c\IntelCpHDCPSvc.exe | IntelCpHDCPSvc
+pool: 0xffffa80e3a21b000 | eprocess: 0xffffa80e3a21b080 | \Windows\System32\CxAudMsg64.exe | CxAudMsg64.exe
+pool: 0xffffa80e3a21c000 | eprocess: 0xffffa80e3a21c080 | \Program Files\CONEXANT\SA3\Dell-Notebook\CxUtilSvc.exe | CxUtilSvc.exe
+pool: 0xffffa80e3a245000 | eprocess: 0xffffa80e3a245080 | \Windows\System32\DbxSvc.exe | DbxSvc.exe
+pool: 0xffffa80e3a246000 | eprocess: 0xffffa80e3a246080 | \Windows\System32\wlanext.exe | wlanext.exe
+pool: 0xffffa80e3a24d000 | eprocess: 0xffffa80e3a24d080 | \Windows\System32\conhost.exe | conhost.exe
+pool: 0xffffa80e3a251000 | eprocess: 0xffffa80e3a251080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e3a27a000 | eprocess: 0xffffa80e3a27a080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e3a2a1000 | eprocess: 0xffffa80e3a2a1080 | \Windows\System32\sihost.exe | sihost.exe
+pool: 0xffffa80e3a2a9040 | eprocess: 0xffffa80e3a2a90c0 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e3a2ad1d0 | eprocess: 0xffffa80e3a2ad240 | \Windows\System32\ApplicationFrameHost.exe | ApplicationFra
+pool: 0xffffa80e3a2b2000 | eprocess: 0xffffa80e3a2b2080 | \Windows\System32\Intel\DPTF\esif_uf.exe | esif_uf.exe
+pool: 0xffffa80e3a2b4070 | eprocess: 0xffffa80e3a2b4100 | \Program Files\Intel\Intel(R) Online Connect Access\IntelTechnologyAccessService.exe | IntelTechnolog
+pool: 0xffffa80e3a2b5000 | eprocess: 0xffffa80e3a2b5080 | \Program Files\Intel\WiFi\bin\EvtEng.exe | EvtEng.exe
+pool: 0xffffa80e3a2b8000 | eprocess: 0xffffa80e3a2b8080 | \Windows\System32\FMService64.exe | FMService64.ex
+pool: 0xffffa80e3a2d5000 | eprocess: 0xffffa80e3a2d5080 | \Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe | IAStorIcon.exe
+pool: 0xffffa80e3a362000 | eprocess: 0xffffa80e3a362080 | \Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe | IpOverUsbSvc.e
+pool: 0xffffa80e3a363000 | eprocess: 0xffffa80e3a363080 | \Program Files\Intel\Intel(R) Online Connect Access\LegacyCsLoaderService.exe | LegacyCsLoader
+pool: 0xffffa80e3a36c080 | eprocess: 0xffffa80e3a36c100 | \Program Files (x86)\NVIDIA Corporation\NvTelemetry\NvTelemetryContainer.exe | NvTelemetryCon
+pool: 0xffffa80e3a37d000 | eprocess: 0xffffa80e3a37d080 | \Windows\SysWOW64\PnkBstrA.exe | PnkBstrA.exe
+pool: 0xffffa80e3a3a4000 | eprocess: 0xffffa80e3a3a4080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e3a3a5000 | eprocess: 0xffffa80e3a3a5080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e3a447000 | eprocess: 0xffffa80e3a447080 | \Program Files\Rivet Networks\SmartByte\SmartByteNetworkService.exe | SmartByteNetwo
+pool: 0xffffa80e3a448000 | eprocess: 0xffffa80e3a448080 | \Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe | sqlwriter.exe
+pool: 0xffffa80e3a44d000 | eprocess: 0xffffa80e3a44d080 | \Windows\ThunderboltService.exe | ThunderboltSer
+pool: 0xffffa80e3a44f000 | eprocess: 0xffffa80e3a44f080 | \Windows\System32\RtkAudUService64.exe | RtkAudUService
+pool: 0xffffa80e3a450000 | eprocess: 0xffffa80e3a450080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e3a514000 | eprocess: 0xffffa80e3a514080 | \Program Files\TrueColor\TrueColorALS.exe | TrueColorALS.e
+pool: 0xffffa80e3a51a000 | eprocess: 0xffffa80e3a51a080 | \Program Files\Intel\WiFi\bin\ZeroConfigService.exe | ZeroConfigServ
+pool: 0xffffa80e3a51b000 | eprocess: 0xffffa80e3a51b080 | \Program Files (x86)\TeamViewer\TeamViewer_Service.exe | TeamViewer_Ser
+pool: 0xffffa80e3a520000 | eprocess: 0xffffa80e3a520080 | \Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe | WDDriveService
+pool: 0xffffa80e3a521000 | eprocess: 0xffffa80e3a521080 | \Windows\System32\dasHost.exe | dasHost.exe
+pool: 0xffffa80e3a522000 | eprocess: 0xffffa80e3a522080 | \Program Files\Waves\MaxxAudio\WavesSysSvc64.exe | WavesSysSvc64.
+pool: 0xffffa80e3a562000 | eprocess: 0xffffa80e3a562080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e3a565000 | eprocess: 0xffffa80e3a565080 | \ProgramData\Microsoft\Windows Defender\Platform\4.18.2004.6-0\MsMpEng.exe | MsMpEng.exe
+pool: 0xffffa80e3a586000 | eprocess: 0xffffa80e3a586080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e3a587000 | eprocess: 0xffffa80e3a587080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e3a588000 | eprocess: 0xffffa80e3a588080 | \Windows\System32\DriverStore\FileRepository\ki127176.inf_amd64_86c658cabfb17c9c\igfxext.exe | igfxext.exe
+pool: 0xffffa80e3a589000 | eprocess: 0xffffa80e3a589080 | \Windows\System32\vmcompute.exe | vmcompute.exe
+pool: 0xffffa80e3a58b000 | eprocess: 0xffffa80e3a58b080 | \Windows\System32\wbem\unsecapp.exe | unsecapp.exe
+pool: 0xffffa80e3a58c000 | eprocess: 0xffffa80e3a58c080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e3a58d000 | eprocess: 0xffffa80e3a58d080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e3a592040 | eprocess: 0xffffa80e3a5920c0 | \Windows\System32\DriverStore\FileRepository\ki127176.inf_amd64_86c658cabfb17c9c\IntelCpHeciSvc.exe | IntelCpHeciSvc
+pool: 0xffffa80e3a593000 | eprocess: 0xffffa80e3a593080 | \Windows\System32\Intel\DPTF\dptf_helper.exe | dptf_helper.ex
+pool: 0xffffa80e3abf7000 | eprocess: 0xffffa80e3abf7080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e3ad6f000 | eprocess: 0xffffa80e3ad6f080 | \Windows\System32\dllhost.exe | dllhost.exe
+pool: 0xffffa80e3b05e040 | eprocess: 0xffffa80e3b05e0c0 | \Program Files (x86)\Google\Chrome\Application\chrome.exe | chrome.exe
+pool: 0xffffa80e3b08b000 | eprocess: 0xffffa80e3b08b080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e3b090000 | eprocess: 0xffffa80e3b090080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e3b0be000 | eprocess: 0xffffa80e3b0be080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e3b0bf000 | eprocess: 0xffffa80e3b0bf080 |  | GoogleUpdate.e
+pool: 0xffffa80e3b0e6040 | eprocess: 0xffffa80e3b0e60c0 | \Windows\System32\taskhostw.exe | taskhostw.exe
+pool: 0xffffa80e3b0f1000 | eprocess: 0xffffa80e3b0f1080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e3b0f3000 | eprocess: 0xffffa80e3b0f3080 | \Program Files (x86)\Dropbox\Update\DropboxUpdate.exe | DropboxUpdate.
+pool: 0xffffa80e3b18a000 | eprocess: 0xffffa80e3b18a080 | \Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe | PresentationFo
+pool: 0xffffa80e3b206060 | eprocess: 0xffffa80e3b2060c0 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e3b208000 | eprocess: 0xffffa80e3b208080 | \Windows\System32\ctfmon.exe | ctfmon.exe
+pool: 0xffffa80e3b27b000 | eprocess: 0xffffa80e3b27b080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e3b2d9000 | eprocess: 0xffffa80e3b2d9080 |  | userinit.exe
+pool: 0xffffa80e3b3b9040 | eprocess: 0xffffa80e3b3b90c0 | \Windows\explorer.exe | explorer.exe
+pool: 0xffffa80e3b3f6000 | eprocess: 0xffffa80e3b3f6080 |  | cmd.exe
+pool: 0xffffa80e3b428000 | eprocess: 0xffffa80e3b428080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e3b429000 | eprocess: 0xffffa80e3b429080 | \Windows\System32\InputMethod\CHS\ChsIME.exe | ChsIME.exe
+pool: 0xffffa80e3b49d120 | eprocess: 0xffffa80e3b49d180 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e3b4a00c0 | eprocess: 0xffffa80e3b4a0140 | \Windows\System32\SearchIndexer.exe | SearchIndexer.
+pool: 0xffffa80e3b661000 | eprocess: 0xffffa80e3b661080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e3b698000 | eprocess: 0xffffa80e3b698080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e3b6cd000 | eprocess: 0xffffa80e3b6cd080 | \Windows\System32\DriverStore\FileRepository\ki127176.inf_amd64_86c658cabfb17c9c\igfxEM.exe | igfxEM.exe
+pool: 0xffffa80e3b74f000 | eprocess: 0xffffa80e3b74f080 | \ProgramData\Microsoft\Windows Defender\Platform\4.18.2004.6-0\NisSrv.exe | NisSrv.exe
+pool: 0xffffa80e3b8cf000 | eprocess: 0xffffa80e3b8cf080 | \Windows\System32\RuntimeBroker.exe | RuntimeBroker.
+pool: 0xffffa80e3b9de000 | eprocess: 0xffffa80e3b9de080 | \Windows\System32\RuntimeBroker.exe | RuntimeBroker.
+pool: 0xffffa80e3bac5040 | eprocess: 0xffffa80e3bac50c0 |  | HxTsr.exe
+pool: 0xffffa80e3bad6040 | eprocess: 0xffffa80e3bad60c0 | \Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | StartMenuExper
+pool: 0xffffa80e3bbbb000 | eprocess: 0xffffa80e3bbbb080 | \Windows\System32\RuntimeBroker.exe | RuntimeBroker.
+pool: 0xffffa80e3bc0b000 | eprocess: 0xffffa80e3bc0b080 | \Program Files\WindowsApps\FACEBOOK.317180B0BB486_520.3.60.0_x64__8xx8rvfyw5nnt\app\Messenger.exe | Messenger.exe
+pool: 0xffffa80e3bc83000 | eprocess: 0xffffa80e3bc83080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e3bccc040 | eprocess: 0xffffa80e3bccc0c0 | \Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | ShellExperienc
+pool: 0xffffa80e3bd1e000 | eprocess: 0xffffa80e3bd1e080 | \Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe | TextInputHost.
+pool: 0xffffa80e3be13040 | eprocess: 0xffffa80e3be130c0 | \Windows\System32\MicrosoftEdgeCP.exe | MicrosoftEdgeC
+pool: 0xffffa80e3be2a000 | eprocess: 0xffffa80e3be2a080 | \Program Files\WindowsApps\Microsoft.SkypeApp_14.56.102.0_x64__kzf8qxf38zg5c\SkypeApp.exe | SkypeApp.exe
+pool: 0xffffa80e3be3f000 | eprocess: 0xffffa80e3be3f080 | \Windows\System32\RuntimeBroker.exe | RuntimeBroker.
+pool: 0xffffa80e3bea3000 | eprocess: 0xffffa80e3bea3080 | \Windows\System32\RtkAudUService64.exe | RtkAudUService
+pool: 0xffffa80e3bf6d000 | eprocess: 0xffffa80e3bf6d080 | \Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe | LockApp.exe
+pool: 0xffffa80e3bfd6000 | eprocess: 0xffffa80e3bfd6080 | \Program Files\WindowsApps\Microsoft.SkypeApp_14.56.102.0_x64__kzf8qxf38zg5c\SkypeBackgroundHost.exe | SkypeBackgroun
+pool: 0xffffa80e442ac000 | eprocess: 0xffffa80e442ac080 |  | IAStorIconLaun
+pool: 0xffffa80e442b3000 | eprocess: 0xffffa80e442b3080 | \Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe | CAudioFilterAg
+pool: 0xffffa80e443d8040 | eprocess: 0xffffa80e443d80c0 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e44480020 | eprocess: 0xffffa80e44480080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e444f5020 | eprocess: 0xffffa80e444f5080 | \Windows\System32\RuntimeBroker.exe | RuntimeBroker.
+pool: 0xffffa80e4452f000 | eprocess: 0xffffa80e4452f080 | \Program Files (x86)\Google\Chrome\Application\chrome.exe | chrome.exe
+pool: 0xffffa80e445be000 | eprocess: 0xffffa80e445be080 | \Program Files (x86)\Google\Chrome\Application\chrome.exe | chrome.exe
+pool: 0xffffa80e445c4000 | eprocess: 0xffffa80e445c4080 | \Program Files\Dell\DellDataVault\DDVRulesProcessor.exe | DDVRulesProces
+pool: 0xffffa80e445e6000 | eprocess: 0xffffa80e445e6080 | \Windows\System32\SecurityHealthService.exe | SecurityHealth
+pool: 0xffffa80e445e8000 | eprocess: 0xffffa80e445e8080 | \Windows\System32\SecurityHealthSystray.exe | SecurityHealth
+pool: 0xffffa80e44613040 | eprocess: 0xffffa80e446130c0 | \Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | SearchApp.exe
+pool: 0xffffa80e446fb000 | eprocess: 0xffffa80e446fb080 | \Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler.exe | GoogleCrashHan
+pool: 0xffffa80e4474c000 | eprocess: 0xffffa80e4474c080 | \Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler64.exe | GoogleCrashHan
+pool: 0xffffa80e44771140 | eprocess: 0xffffa80e447711c0 | \Windows\ImmersiveControlPanel\SystemSettings.exe | SystemSettings
+pool: 0xffffa80e44773050 | eprocess: 0xffffa80e447730c0 | \Windows\System32\Speech_OneCore\common\SpeechRuntime.exe | SpeechRuntime.
+pool: 0xffffa80e448f5000 | eprocess: 0xffffa80e448f5080 | \Windows\System32\conhost.exe | conhost.exe
+pool: 0xffffa80e449eb000 | eprocess: 0xffffa80e449eb080 | \Program Files\WindowsApps\FACEBOOK.317180B0BB486_520.3.60.0_x64__8xx8rvfyw5nnt\app\Messenger.exe | Messenger.exe
+pool: 0xffffa80e44cec000 | eprocess: 0xffffa80e44cec080 | \Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe | jhi_service.ex
+pool: 0xffffa80e44cee000 | eprocess: 0xffffa80e44cee080 | \Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe | IAStorDataMgrS
+pool: 0xffffa80e44eb3000 | eprocess: 0xffffa80e44eb3080 | \Program Files (x86)\Google\Chrome\Application\chrome.exe | chrome.exe
+pool: 0xffffa80e45154040 | eprocess: 0xffffa80e451540c0 | \Windows\System32\msdtc.exe | msdtc.exe
+pool: 0xffffa80e451c8040 | eprocess: 0xffffa80e451c80c0 | \Program Files\Dell\DellDataVault\DDVDataCollector.exe | DDVDataCollect
+pool: 0xffffa80e451f0000 | eprocess: 0xffffa80e451f0080 | \Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe | LMS.exe
+pool: 0xffffa80e451f4000 | eprocess: 0xffffa80e451f4080 | \Windows\System32\vmwp.exe | vmwp.exe
+pool: 0xffffa80e45208000 | eprocess: 0xffffa80e45208080 | \Program Files\Dell\DellDataVault\DDVCollectorSvcApi.exe | DDVCollectorSv
+pool: 0xffffa80e45235040 | eprocess: 0xffffa80e452350c0 | \ProgramData\Microsoft\Windows Defender\Scans\MsMpEngCP.exe | MsMpEngCP.exe
+pool: 0xffffa80e452f7050 | eprocess: 0xffffa80e452f70c0 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e453c9040 | eprocess: 0xffffa80e453c90c0 | \Windows\System32\conhost.exe | conhost.exe
+pool: 0xffffa80e453eb040 | eprocess: 0xffffa80e453eb0c0 | \Windows\System32\dllhost.exe | dllhost.exe
+pool: 0xffffa80e4549e000 | eprocess: 0xffffa80e4549e080 | \Program Files\Docker\Docker\Docker Desktop.exe | Docker Desktop
+pool: 0xffffa80e45502040 | eprocess: 0xffffa80e455020c0 |  | sacpl.exe
+pool: 0xffffa80e45554000 | eprocess: 0xffffa80e45554080 | \Program Files\CONEXANT\SA3\Dell-Notebook\SmartAudio3.exe | SmartAudio3.ex
+pool: 0xffffa80e455d9040 | eprocess: 0xffffa80e455d90c0 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e455eb000 | eprocess: 0xffffa80e455eb080 | \Program Files\WindowsApps\FACEBOOK.317180B0BB486_520.3.60.0_x64__8xx8rvfyw5nnt\app\Messenger.exe | Messenger.exe
+pool: 0xffffa80e45690020 | eprocess: 0xffffa80e45690080 | \Program Files\Intel\Intel(R) Online Connect\ioc.exe | ioc.exe
+pool: 0xffffa80e45859000 | eprocess: 0xffffa80e45859080 | \Program Files\Dolby\Dolby DAX2\DAX2_API\DolbyDAX2API.exe | DolbyDAX2API.e
+pool: 0xffffa80e45ae3000 | eprocess: 0xffffa80e45ae3080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e45b22000 | eprocess: 0xffffa80e45b22080 |  | vmmem
+pool: 0xffffa80e45b35040 | eprocess: 0xffffa80e45b350c0 | \ProgramData\Docker\cli-plugins\docker-mutagen.exe | docker-mutagen
+pool: 0xffffa80e45b46040 | eprocess: 0xffffa80e45b460c0 | \Program Files\Docker\Docker\resources\com.docker.backend.exe | com.docker.bac
+pool: 0xffffa80e45b79040 | eprocess: 0xffffa80e45b790c0 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e45b88090 | eprocess: 0xffffa80e45b88100 |  | nvapiw.exe
+pool: 0xffffa80e45dcc000 | eprocess: 0xffffa80e45dcc080 | \Windows\System32\SgrmBroker.exe | SgrmBroker.exe
+pool: 0xffffa80e45dd7000 | eprocess: 0xffffa80e45dd7080 | \Program Files\Dell\SupportAssistAgent\bin\SupportAssistAgent.exe | SupportAssistA
+pool: 0xffffa80e47872000 | eprocess: 0xffffa80e47872080 | \Program Files\WindowsApps\AcrobatNotificationClient_1.0.4.0_x86__e1rzdqpraam7r\AcrobatNotificationClient.exe | AcrobatNotific
+pool: 0xffffa80e479c5040 | eprocess: 0xffffa80e479c50c0 | \Program Files\Dell\DellDataVault\nvapiw.exe | nvapiw.exe
+pool: 0xffffa80e479c6000 | eprocess: 0xffffa80e479c6080 | \Windows\System32\conhost.exe | conhost.exe
+pool: 0xffffa80e47b090f0 | eprocess: 0xffffa80e47b09180 | \Windows\System32\conhost.exe | conhost.exe
+pool: 0xffffa80e47b100f0 | eprocess: 0xffffa80e47b10180 | \Windows\System32\lxss\wslhost.exe | wslhost.exe
+pool: 0xffffa80e47b3a0f0 | eprocess: 0xffffa80e47b3a180 | \Windows\System32\wsl.exe | wsl.exe
+pool: 0xffffa80e47df0000 | eprocess: 0xffffa80e47df0080 | \Program Files\Docker\Docker\resources\vpnkit-bridge.exe | vpnkit-bridge.
+pool: 0xffffa80e47ea0000 | eprocess: 0xffffa80e47ea0080 | \Windows\System32\conhost.exe | conhost.exe
+pool: 0xffffa80e47ead000 | eprocess: 0xffffa80e47ead080 | \Windows\System32\conhost.exe | conhost.exe
+pool: 0xffffa80e47ec2000 | eprocess: 0xffffa80e47ec2080 | \Windows\System32\wsl.exe | wsl.exe
+pool: 0xffffa80e47ec5000 | eprocess: 0xffffa80e47ec5080 | \Windows\System32\lxss\wslhost.exe | wslhost.exe
+pool: 0xffffa80e47ee8000 | eprocess: 0xffffa80e47ee8080 | \Windows\System32\lxss\wslhost.exe | wslhost.exe
+pool: 0xffffa80e47ee9000 | eprocess: 0xffffa80e47ee9080 | \Program Files\Docker\Docker\resources\vpnkit.exe | vpnkit.exe
+pool: 0xffffa80e47eeb040 | eprocess: 0xffffa80e47eeb0c0 | \Windows\System32\wsl.exe | wsl.exe
+pool: 0xffffa80e47f18000 | eprocess: 0xffffa80e47f18080 | \Windows\System32\conhost.exe | conhost.exe
+pool: 0xffffa80e47f19000 | eprocess: 0xffffa80e47f19080 | \Windows\System32\conhost.exe | conhost.exe
+pool: 0xffffa80e47f42000 | eprocess: 0xffffa80e47f42080 | \Program Files\Docker\Docker\resources\com.docker.proxy.exe | com.docker.pro
+pool: 0xffffa80e47fa9000 | eprocess: 0xffffa80e47fa9080 | \Windows\System32\lxss\wslhost.exe | wslhost.exe
+pool: 0xffffa80e47fd8000 | eprocess: 0xffffa80e47fd8080 | \Windows\System32\lxss\wslhost.exe | wslhost.exe
+pool: 0xffffa80e47fda000 | eprocess: 0xffffa80e47fda080 | \Windows\System32\conhost.exe | conhost.exe
+pool: 0xffffa80e48002040 | eprocess: 0xffffa80e480020c0 | \Windows\System32\conhost.exe | conhost.exe
+pool: 0xffffa80e4800b000 | eprocess: 0xffffa80e4800b080 | \Program Files\Rivet Networks\SmartByte\SmartByteTelemetry.exe | SmartByteTelem
+pool: 0xffffa80e48024040 | eprocess: 0xffffa80e480240c0 | \Windows\System32\conhost.exe | conhost.exe
+pool: 0xffffa80e48029000 | eprocess: 0xffffa80e48029080 | \Windows\System32\RuntimeBroker.exe | RuntimeBroker.
+pool: 0xffffa80e48077040 | eprocess: 0xffffa80e480770c0 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e48102040 | eprocess: 0xffffa80e481020c0 | \Windows\System32\wsl.exe | wsl.exe
+pool: 0xffffa80e48171040 | eprocess: 0xffffa80e481710c0 | \Program Files\Docker\Docker\resources\com.docker.wsl-distro-proxy.exe | com.docker.wsl
+pool: 0xffffa80e48189000 | eprocess: 0xffffa80e48189080 | \Windows\System32\dllhost.exe | dllhost.exe
+pool: 0xffffa80e4846c1d0 | eprocess: 0xffffa80e4846c240 |  | HxTsr.exe
+pool: 0xffffa80e48470000 | eprocess: 0xffffa80e48470080 | \Program Files\WindowsApps\AdobeNotificationClient_1.0.1.22_x86__enpm4xejd91yc\AdobeNotificationClient.exe | AdobeNotificat
+pool: 0xffffa80e48480040 | eprocess: 0xffffa80e484800c0 | \Windows\System32\conhost.exe | conhost.exe
+pool: 0xffffa80e4854d040 | eprocess: 0xffffa80e4854d0c0 | \Windows\System32\MicrosoftEdgeSH.exe | MicrosoftEdgeS
+pool: 0xffffa80e485541d0 | eprocess: 0xffffa80e48554240 | \Windows\System32\rundll32.exe | rundll32.exe
+pool: 0xffffa80e4858a040 | eprocess: 0xffffa80e4858a0c0 | \Windows\System32\RuntimeBroker.exe | RuntimeBroker.
+pool: 0xffffa80e485c0040 | eprocess: 0xffffa80e485c00c0 | \Windows\System32\RuntimeBroker.exe | RuntimeBroker.
+pool: 0xffffa80e4879c040 | eprocess: 0xffffa80e4879c0c0 |  | AcroRd32.exe
+pool: 0xffffa80e499c5040 | eprocess: 0xffffa80e499c50c0 | \Windows\System32\browser_broker.exe | browser_broker
+pool: 0xffffa80e4a2d6040 | eprocess: 0xffffa80e4a2d60c0 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e4a2f0050 | eprocess: 0xffffa80e4a2f00c0 | \Program Files (x86)\Google\Chrome\Application\chrome.exe | chrome.exe
+pool: 0xffffa80e4a85a0c0 | eprocess: 0xffffa80e4a85a140 | \Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | MicrosoftEdge.
+pool: 0xffffa80e4a8a5000 | eprocess: 0xffffa80e4a8a5080 | \Windows\System32\RuntimeBroker.exe | RuntimeBroker.
+pool: 0xffffa80e4ac35040 | eprocess: 0xffffa80e4ac350c0 | \Program Files (x86)\Google\Chrome\Application\chrome.exe | chrome.exe
+pool: 0xffffa80e4ac6c000 | eprocess: 0xffffa80e4ac6c080 |  | chrome.exe
+pool: 0xffffa80e4acdc040 | eprocess: 0xffffa80e4acdc0c0 | \Program Files\WindowsApps\FACEBOOK.317180B0BB486_520.3.60.0_x64__8xx8rvfyw5nnt\app\Messenger.exe | Messenger.exe
+pool: 0xffffa80e4b03d050 | eprocess: 0xffffa80e4b03d0c0 | \Program Files (x86)\Google\Chrome\Application\chrome.exe | chrome.exe
+pool: 0xffffa80e4b335040 | eprocess: 0xffffa80e4b3350c0 | \Program Files (x86)\Google\Chrome\Application\chrome.exe | chrome.exe
+pool: 0xffffa80e4b4840c0 | eprocess: 0xffffa80e4b484140 | \Program Files (x86)\Google\Chrome\Application\chrome.exe | chrome.exe
+pool: 0xffffa80e4b8d5040 | eprocess: 0xffffa80e4b8d50c0 | \Program Files (x86)\Google\Chrome\Application\chrome.exe | chrome.exe
+pool: 0xffffa80e4ba1b040 | eprocess: 0xffffa80e4ba1b0c0 |  | VirtualBoxVM.e
+pool: 0xffffa80e4bbdb040 | eprocess: 0xffffa80e4bbdb0c0 | \Program Files (x86)\Google\Chrome\Application\chrome.exe | chrome.exe
+pool: 0xffffa80e4bbec040 | eprocess: 0xffffa80e4bbec0c0 | \Program Files (x86)\Google\Chrome\Application\chrome.exe | chrome.exe
+pool: 0xffffa80e4bc24040 | eprocess: 0xffffa80e4bc240c0 | \Program Files (x86)\Google\Chrome\Application\chrome.exe | chrome.exe
+pool: 0xffffa80e4bc46040 | eprocess: 0xffffa80e4bc460c0 | \Program Files (x86)\Google\Chrome\Application\chrome.exe | chrome.exe
+pool: 0xffffa80e4bc68040 | eprocess: 0xffffa80e4bc680c0 | \Program Files (x86)\Google\Chrome\Application\chrome.exe | chrome.exe
+pool: 0xffffa80e4bc8a040 | eprocess: 0xffffa80e4bc8a0c0 | \Program Files (x86)\Google\Chrome\Application\chrome.exe | chrome.exe
+pool: 0xffffa80e4bcce040 | eprocess: 0xffffa80e4bcce0c0 | \Program Files (x86)\Google\Chrome\Application\chrome.exe | chrome.exe
+pool: 0xffffa80e4bcdf040 | eprocess: 0xffffa80e4bcdf0c0 | \Program Files (x86)\Google\Chrome\Application\chrome.exe | chrome.exe
+pool: 0xffffa80e4bd02040 | eprocess: 0xffffa80e4bd020c0 | \Program Files (x86)\Google\Chrome\Application\chrome.exe | chrome.exe
+pool: 0xffffa80e4bd24040 | eprocess: 0xffffa80e4bd240c0 | \Program Files (x86)\Google\Chrome\Application\chrome.exe | chrome.exe
+pool: 0xffffa80e4bd67040 | eprocess: 0xffffa80e4bd670c0 | \Program Files (x86)\Google\Chrome\Application\chrome.exe | chrome.exe
+pool: 0xffffa80e4bd9a040 | eprocess: 0xffffa80e4bd9a0c0 | \Program Files (x86)\Google\Chrome\Application\chrome.exe | chrome.exe
+pool: 0xffffa80e4bdcd040 | eprocess: 0xffffa80e4bdcd0c0 | \My Programs\fvim-win-x64\FVim.exe | FVim.exe
+pool: 0xffffa80e4be02040 | eprocess: 0xffffa80e4be020c0 | \Program Files (x86)\Google\Chrome\Application\chrome.exe | chrome.exe
+pool: 0xffffa80e4be03000 | eprocess: 0xffffa80e4be03080 | \Program Files (x86)\Google\Chrome\Application\chrome.exe | chrome.exe
+pool: 0xffffa80e4bedd000 | eprocess: 0xffffa80e4bedd080 | \Program Files (x86)\Google\Chrome\Application\chrome.exe | chrome.exe
+pool: 0xffffa80e4bf961d0 | eprocess: 0xffffa80e4bf96240 | \tools\neovim\Neovim\bin\nvim.exe | nvim.exe
+pool: 0xffffa80e4c024040 | eprocess: 0xffffa80e4c0240c0 | \Program Files (x86)\Google\Chrome\Application\chrome.exe | chrome.exe
+pool: 0xffffa80e4c04f000 | eprocess: 0xffffa80e4c04f080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e4c387020 | eprocess: 0xffffa80e4c387080 | \Windows\System32\dllhost.exe | dllhost.exe
+pool: 0xffffa80e4c74c090 | eprocess: 0xffffa80e4c74c100 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e4c7b9040 | eprocess: 0xffffa80e4c7b90c0 | \Program Files (x86)\Windows Kits\10\Debuggers\x64\windbg.exe | windbg.exe
+pool: 0xffffa80e4cec0040 | eprocess: 0xffffa80e4cec00c0 | \Program Files (x86)\Google\Chrome\Application\chrome.exe | chrome.exe
+pool: 0xffffa80e4d5f2000 | eprocess: 0xffffa80e4d5f2080 |  | chrome.exe
+pool: 0xffffa80e4d6061d0 | eprocess: 0xffffa80e4d606240 | \Windows\System32\conhost.exe | conhost.exe
+pool: 0xffffa80e4d985040 | eprocess: 0xffffa80e4d9850c0 | \Program Files (x86)\Google\Chrome\Application\chrome.exe | chrome.exe
+pool: 0xffffa80e4da281c0 | eprocess: 0xffffa80e4da28240 | \Windows\System32\conhost.exe | conhost.exe
+pool: 0xffffa80e4dc3a000 | eprocess: 0xffffa80e4dc3a080 | \Program Files (x86)\Google\Chrome\Application\chrome.exe | chrome.exe
+pool: 0xffffa80e4dc79040 | eprocess: 0xffffa80e4dc790c0 | \Windows\explorer.exe | explorer.exe
+pool: 0xffffa80e4df44000 | eprocess: 0xffffa80e4df44080 | \Program Files (x86)\Google\Chrome\Application\chrome.exe | chrome.exe
+pool: 0xffffa80e4dfc41c0 | eprocess: 0xffffa80e4dfc4240 | \Users\nganhkhoa\AppData\Local\nvim\plugged\LanguageClient-neovim\bin\languageclient.exe | languageclient
+pool: 0xffffa80e4e00b000 | eprocess: 0xffffa80e4e00b080 | \Windows\System32\conhost.exe | conhost.exe
+pool: 0xffffa80e4e026000 | eprocess: 0xffffa80e4e026080 | \Users\nganhkhoa\Desktop\findDbgBlock\parsePDBforOffsets\target\debug\eprocess_scan.exe | eprocess_scan.
+pool: 0xffffa80e4e08f000 | eprocess: 0xffffa80e4e08f080 | \Program Files (x86)\Google\Chrome\Application\chrome.exe | chrome.exe
+pool: 0xffffa80e4e131000 | eprocess: 0xffffa80e4e131080 | \Program Files\WindowsApps\FACEBOOK.317180B0BB486_520.3.60.0_x64__8xx8rvfyw5nnt\app\Messenger.exe | Messenger.exe
+pool: 0xffffa80e4e16f0a0 | eprocess: 0xffffa80e4e16f100 | \Windows\System32\SearchProtocolHost.exe | SearchProtocol
+pool: 0xffffa80e4e4ac040 | eprocess: 0xffffa80e4e4ac0c0 | \Program Files\WindowsApps\Microsoft.YourPhone_1.20051.90.0_x64__8wekyb3d8bbwe\YourPhone.exe | YourPhone.exe
+pool: 0xffffa80e4e779040 | eprocess: 0xffffa80e4e7790c0 | \Windows\System32\cmd.exe | cmd.exe
+pool: 0xffffa80e4e9b2040 | eprocess: 0xffffa80e4e9b20c0 | \Program Files\WindowsApps\FACEBOOK.317180B0BB486_520.3.60.0_x64__8xx8rvfyw5nnt\app\Messenger.exe | Messenger.exe
+pool: 0xffffa80e4e9e5040 | eprocess: 0xffffa80e4e9e50c0 | \Windows\System32\conhost.exe | conhost.exe
+pool: 0xffffa80e4ea05000 | eprocess: 0xffffa80e4ea05080 | \Windows\System32\cmd.exe | cmd.exe
+pool: 0xffffa80e4ea9b040 | eprocess: 0xffffa80e4ea9b0c0 |  | nvapiw.exe
+pool: 0xffffa80e4ee02040 | eprocess: 0xffffa80e4ee020c0 | \Windows\System32\RuntimeBroker.exe | RuntimeBroker.
+pool: 0xffffa80e4ee3f1d0 | eprocess: 0xffffa80e4ee3f240 | \Program Files\WindowsApps\Microsoft.Windows.Photos_2020.20050.19001.0_x64__8wekyb3d8bbwe\Microsoft.Photos.exe | Microsoft.Phot
+pool: 0xffffa80e4efb5040 | eprocess: 0xffffa80e4efb50c0 | \Windows\System32\SearchProtocolHost.exe | SearchProtocol
+pool: 0xffffa80e4f3ea040 | eprocess: 0xffffa80e4f3ea0c0 | \Program Files (x86)\Google\Chrome\Application\chrome.exe | chrome.exe
+pool: 0xffffa80e4f3ee1d0 | eprocess: 0xffffa80e4f3ee240 | \tools\neovim\Neovim\bin\winpty-agent.exe | winpty-agent.e
+pool: 0xffffa80e4f4e1040 | eprocess: 0xffffa80e4f4e10c0 | \Program Files\Notepad++\notepad++.exe | notepad++.exe
+pool: 0xffffa80e4f55e040 | eprocess: 0xffffa80e4f55e0c0 | \Program Files (x86)\Google\Chrome\Application\chrome.exe | chrome.exe
+pool: 0xffffa80e4f5610c0 | eprocess: 0xffffa80e4f561140 | \Windows\System32\SearchFilterHost.exe | SearchFilterHo
+pool: 0xffffa80e4f5621d0 | eprocess: 0xffffa80e4f562240 | \Windows\System32\RuntimeBroker.exe | RuntimeBroker.
+NtUnloadDriver() -> 0x0

nonpaged-pool-range.md

@@ -0,0 +1,80 @@
+> If you came here for `MmNonPagedPoolStart`, `MmNonPagedPoolEnd`, you ended up at the right place.
+
+`NonPagedPool` in Windows has two variables that defined the start and end of the section in kernel memory. Online blog posts and tutorials show an outdated version of these two variables.
+
+Take a look at [this old post](https://web.archive.org/web/20061110120809/http://www.rootkit.com/newsread.php?newsid=153). `_DBGKD_GET_VERSION64 KdVersionBlock` was a very important structure into the debugger block of Windows. However, if you try to find this structure in Windows 10, you will hit `KdVersionBlock == 0` (Ouch!!!). But this structure provides offset into `MmNonPagedPool{Start,End}`, how can we get those?
+
+Luckily, both `MmNonPagedPoolStart` and `MmNonPagedPoolEnd` in Windows XP, can be found by offseting from `ntoskrnl.exe`. Rekall team are very positive that their tools doesn't rely on profiles file like Volatility but use PDB provided by Windows to find these values.
+
+In [Rekall source code](https://github.com/google/rekall/blob/c5d68e31705f4b5bd2581c1d951b7f6983f7089c/rekall-core/rekall/plugins/windows/pool.py#L87), the values of those variables are:
+
+- Windows XP: `MmNonPagedPool{Start,End}`
+- Windows 7 and maybe 8: `MiNonPagedPoolStartAligned`, `MiNonPagedPoolEnd`, and `MiNonPagedPoolBitMap`
+
+In Windows 7, 8, another field was added to controll the allocation of `NonPagedPool`, which is also mentioned in [this paper about pool tag quick scanning](https://www.sciencedirect.com/science/article/pii/S1742287616000062).
+
+However, from Windows 10, the whole game changed around when the global offset to those (similar) variables are gone. Instead Windows 10 introduced a new variable `MiState`. `MiState` offset is available and we can get those start/end variables by either:
+
+- Windows 2015: `(_MI_SYSTEM_INFORMATION*)(MiState)->SystemNodeInformation.NonPagedPool{First,Last}Va`
+- Windows 2016: `(_MI_SYSTEM_INFORMATION*)(MiState)->Hardware.SystemNodeInformation.NonPagedPool{First,Last}Va`
+
+The `NonPagedBitMap` was still visible untill the May 2019 Update, here, take a look at these 2 consecutive update [`1809 Redstone 5 (October Update)`](https://www.vergiliusproject.com/kernels/x64/Windows%2010%20%7C%202016/1809%20Redstone%205%20(October%20Update)/\_MI\_SYSTEM\_NODE\_INFORMATION) and [`1903 19H1 (May 2019 Update)`](https://www.vergiliusproject.com/kernels/x64/Windows%2010%20%7C%202016/1903%2019H1%20(May%202019%20Update)/\_MI\_SYSTEM\_NODE\_INFORMATION).
+
+Windows OS changes quite frequently right? Tell you more, I am using the Insider version of Windows in 2020, and guess what, I found out that they put another struct to point to those value. So now we need to go like this:
+
+- Windows 2020 Insider preview: `*(_MI_SYSTEM_INFORMATION*)(MiState)->Hardware.SystemNodeNonPagedPool.NonPagedPool{First,Last}Va`
+
+> If you go with low-level, then you only care about the offset and formula to get those variables but knowing the structure is well benefit.
+
+Anyway, I create this project to help me with my thesis, following outdated structs online yields no result. Oh, yeah, a guy seems to be asking on [how to get `MmNonPagedPoolStart`](https://reverseengineering.stackexchange.com/q/6483) on `stackexchange`, too bad [the answer](https://reverseengineering.stackexchange.com/a/6487) is not so much helpful.
+
+----
+
+Global variables offset are parsed from the PDB file and can be queried by `nt!` in Windbg. In a kernel driver, we need to get the kernel base address (which is `nt!`). Kernel base address is the loaded address of `ntoskrnl.exe`. There is a shellcode to get the address [here](https://gist.github.com/Barakat/34e9924217ed81fd78c9c92d746ec9c6), using IDT table. But when I use the shellcode with the Windows Insider preview 2020, the address is wrong (it still a loaded PE though). Other ways to get the address are listed [here](https://m0uk4.gitbook.io/notebooks/mouka/windowsinternal/find-kernel-module-address-todo). And hereby I present another way to get the kernel base address.
+
+A device driver can get a pointer to an `_EPROCESS` through the use of `PEPROCESS IoGetCurrentProcess`. And as we know, `_EPROCESS` has pointer to other `_EPROCESS` as a circular doubly linked list. If we dump them all out, we can notice a few things:
+
+- The image name returned by calling `IoGetCurrentProcess` in `DriverEntry` is `System`
+- The `_EPROCESS` before `System` is somehow empty
+
+```cpp
+// in DriverEntry
+PVOID eprocess = (PVOID)IoGetCurrentProcess();
+
+// somewhere after offsets are setup
+DbgPrint("eprocess : 0x%p, [%15s]\n", eprocess, (char*)((ULONG64)eprocess + ImageBaseNameOffset));
+for (int i = 0; i < 100; i++) {
+  eprocess = (PVOID)(*(ULONG64*)((ULONG64)eprocess + ActiveProcessLinksOffset) - ActiveProcessLinksOffset);
+  DbgPrint("eprocess : 0x%p, [%15s]\n", eprocess, (char*)((ULONG64)eprocess + ImageBaseOffset));
+}
+
+// sample output
+eprocess : 0xFFFFF8037401F528, [               ]
+eprocess : 0xFFFF840F5A0D9080, [         System]
+eprocess : 0xFFFF840F5A28C040, [  Secure System]
+eprocess : 0xFFFF840F5A2EF040, [       Registry]
+eprocess : 0xFFFF840F622BF040, [       smss.exe]
+eprocess : 0xFFFF840F6187D080, [       smss.exe]
+eprocess : 0xFFFF840F6263D140, [      csrss.exe]
+eprocess : 0xFFFF840F6277F0C0, [       smss.exe]
+eprocess : 0xFFFF840F627C2080, [    wininit.exe]
+eprocess : 0xFFFF840F64187140, [      csrss.exe]
+eprocess : 0xFFFF840F641CD080, [   services.exe]
+```
+
+And if we debug and compare the address of that `Empty _EPROCESS+ActiveProcessLinksOffset` with `nt!PsActiveProcessHead`, it is just the same. And with the given offset parsed from the PDB file, we can get kernel base address.
+
+```cpp
+// In DriverEntry
+PVOID eprocess = (PVOID)IoGetCurrentProcess();
+
+// somwhere after offsets are setup
+DbgPrint("eprocess               : 0x%p, [%15s]\n", eprocess, (char*)((ULONG64)eprocess + ImageBaseNameOffset));
+PVOID processHead = (PVOID)(*(ULONG64*)((ULONG64)eprocess + ActiveProcessLinksOffset + BLinkOffset));
+DbgPrint("PsActiveProcessHead    : 0x%p\n", processHead);
+PVOID ntosbase = (PVOID)((ULONG64)processHead - ActiveHeadOffset);
+DbgPrint("ntoskrnl.exe           : 0x%p\n", ntosbase);
+```
+
+From now we have successfully get the kernel base address to index into other global variables.
+

other/parse_file_scan_result.py

@@ -0,0 +1,20 @@
+import sys
+import re
+
+s = list(filter(lambda x: "unicode" in x, open(sys.argv[1], 'r').read().split('\n')))
+
+
+m = re.compile(r"unicode str: (0x[0-9a-f]+) size: (0x[0-9a-f]+) capacity: (0x[0-9a-f]+)")
+
+ss = list(filter(lambda x: int(x[0], 16) != 0 and int(x[1], 16) <= int(x[2], 16) and int(x[1], 16) != 0 and int(x[1], 16) % 2 == 0,
+                 map(lambda x: m.match(x).group(1,2,3), s)))
+
+aa = set()
+bb = set()
+
+for (a, s, c) in ss:
+    if a in aa or a in bb:
+        continue
+    aa.add(a)
+    # print("du", a, "|", s, c)
+    print("du", a)

src/address.rs

@@ -0,0 +1,177 @@
+use std::rc::Rc;
+use std::ops::{Add, AddAssign, Sub, SubAssign};
+use std::cmp::Ordering;
+use std::fmt;
+
+// pub struct Object {
+//     name: String,
+//     address: Address
+// }
+//
+// impl Object {
+//     pub fn get<F>(&self, resolver: &F) -> u64
+//         where F: Fn(u64) -> u64 {
+//         // this function returns address of Object
+//         self.address.get(resolver)
+//     }
+// }
+
+pub struct Address {
+    base: u64,
+    pointer: Option<Rc<Address>>,
+    offset: u64,
+    // TODO: resolver
+    // It would be nice to have an address resolver
+    // Then implement Deref trait to call get()
+    // resolver uses DriverState address decompose
+    // lifetime issue occur
+}
+
+impl Address {
+    pub fn from_base(base: u64) -> Self {
+        Address {
+            base: base,
+            pointer: None,
+            offset: 0,
+        }
+    }
+    pub fn from_ptr(pointer: Address) -> Self {
+        Address {
+            base: 0,
+            pointer: Some(Rc::new(pointer)),
+            offset: 0,
+        }
+    }
+    fn deref<F>(&self, resolver: &F) -> Address
+        where F: Fn(u64) -> u64 {
+        match &self.pointer {
+            Some(p) => {
+                let addr = p.deref(resolver);
+                // println!("deref: {} -> {}; resolve: 0x{:x}", self, addr, addr.base + addr.offset);
+                let base =
+                    if addr.base != 0 {
+                        resolver(addr.base + addr.offset)
+                    } else {
+                        0
+                    };
+                Address {
+                    base: base,
+                    pointer: None,
+                    offset: self.offset,
+                }
+            },
+            None => {
+                Address {
+                    base: self.base,
+                    pointer: None,
+                    offset: self.offset,
+                }
+            }
+        }
+    }
+    pub fn get<F>(&self, resolver: &F) -> u64
+        where F: Fn(u64) -> u64 {
+        if self.pointer.is_some() {
+            self.deref(resolver).get(resolver)
+        }
+        else if self.base == 0 {
+            0
+        }
+        else {
+            self.base + self.offset
+        }
+    }
+    pub fn address(&self) -> u64 {
+        self.base + self.offset
+    }
+    // pub fn to(&self, name: &str) -> Object {
+    //     Object {
+    //         name: name.to_string(),
+    //         address: self.clone()
+    //     }
+    // }
+}
+
+impl Add<u64> for Address {
+    type Output = Self;
+    fn add(self, other: u64) -> Self {
+        Self {
+            base: self.base,
+            pointer: self.pointer.map(|p| Rc::clone(&p)),
+            offset: self.offset + other,
+        }
+    }
+}
+
+impl AddAssign<u64> for Address {
+    fn add_assign(&mut self, other: u64) {
+        *self = Self {
+            base: self.base,
+            pointer: self.pointer.clone(),
+            offset: self.offset + other,
+        }
+    }
+}
+
+impl Sub<u64> for Address {
+    type Output = Self;
+    fn sub(self, other: u64) -> Self {
+        Self {
+            base: self.base,
+            pointer: self.pointer.map(|p| Rc::clone(&p)),
+            offset: self.offset - other,
+        }
+    }
+}
+
+impl SubAssign<u64> for Address {
+    fn sub_assign(&mut self, other: u64) {
+        *self = Self {
+            base: self.base,
+            pointer: self.pointer.clone(),
+            offset: self.offset - other,
+        }
+    }
+}
+
+impl PartialEq for Address {
+    fn eq(&self, other: &Self) -> bool {
+        self.pointer.is_none() && other.pointer.is_none()
+        && self.base == other.base
+        && self.offset == other.offset
+    }
+}
+
+impl PartialOrd for Address {
+    fn partial_cmp(&self, other: &Address) -> Option<Ordering> {
+        if self.pointer.is_some() || other.pointer.is_some() {
+            None
+        }
+        else {
+            let this = self.base + self.offset;
+            let that = other.base + other.offset;
+            Some(this.cmp(&that))
+        }
+    }
+}
+
+impl fmt::Display for Address {
+    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        if let Some(p) = &self.pointer {
+            write!(f, "*({}) + 0x{:x}", *p, self.offset)
+        }
+        else {
+            write!(f, "0x{:x} + 0x{:x}", self.base, self.offset)
+        }
+    }
+}
+
+impl Clone for Address {
+    fn clone(&self) -> Self {
+        Address {
+            base: self.base,
+            pointer: self.pointer.clone(),
+            offset: self.offset
+        }
+    }
+}

src/bin/driver_scan.rs

@@ -0,0 +1,21 @@
+use std::error::Error;
+
+use lpus::{
+    driver_state::{DriverState},
+    scan_driver
+};
+
+fn main() -> Result<(), Box<dyn Error>> {
+    let mut driver = DriverState::new();
+    println!("NtLoadDriver()   -> 0x{:x}", driver.startup());
+
+    let result = scan_driver(&driver).unwrap_or(Vec::new());
+
+    for r in result.iter() {
+        println!("{:#}", r.to_string());
+    }
+
+    println!("NtUnloadDriver() -> 0x{:x}", driver.shutdown());
+    Ok(())
+}
+

src/bin/eprocess_scan.rs

@@ -0,0 +1,21 @@
+use std::error::Error;
+
+use lpus::{
+    driver_state::{DriverState},
+    scan_eprocess
+};
+
+fn main() -> Result<(), Box<dyn Error>> {
+    let mut driver = DriverState::new();
+    println!("NtLoadDriver()   -> 0x{:x}", driver.startup());
+
+    let result = scan_eprocess(&driver).unwrap_or(Vec::new());
+
+    for r in result.iter() {
+        println!("{:#}", r.to_string());
+    }
+
+    println!("NtUnloadDriver() -> 0x{:x}", driver.shutdown());
+    Ok(())
+}
+

src/bin/file_object_scan.rs

@@ -0,0 +1,22 @@
+use std::error::Error;
+
+use lpus::{
+    driver_state::{DriverState},
+    scan_file
+};
+
+fn main() -> Result<(), Box<dyn Error>> {
+    let mut driver = DriverState::new();
+    println!("NtLoadDriver()   -> 0x{:x}", driver.startup());
+
+    let result = scan_file(&driver).unwrap_or(Vec::new());
+
+    for r in result.iter() {
+        println!("{:#}", r.to_string());
+    }
+
+    println!("NtUnloadDriver() -> 0x{:x}", driver.shutdown());
+    Ok(())
+}
+
+

src/bin/print_pdb.rs

@@ -0,0 +1,12 @@
+use std::error::Error;
+
+use lpus::{
+    driver_state::{DriverState},
+};
+
+fn main() -> Result<(), Box<dyn Error>> {
+    let driver = DriverState::new();
+    driver.windows_ffi.print_version();
+    driver.pdb_store.print_default_information();
+    Ok(())
+}

src/bin/thread_scan.rs

@@ -0,0 +1,26 @@
+use std::error::Error;
+
+use lpus::{
+    driver_state::{DriverState},
+    scan_ethread, /* scan_mutant */
+};
+
+fn main() -> Result<(), Box<dyn Error>> {
+    let mut driver = DriverState::new();
+    println!("NtLoadDriver()   -> 0x{:x}", driver.startup());
+
+    let threads = scan_ethread(&driver).unwrap_or(Vec::new());
+    // let mutants = scan_mutant(&driver).unwrap_or(Vec::new());
+
+    for r in threads.iter() {
+        println!("{:#}", r.to_string());
+    }
+    // for r in mutants.iter() {
+    //     println!("{:#}", r.to_string());
+    // }
+
+    println!("NtUnloadDriver() -> 0x{:x}", driver.shutdown());
+    Ok(())
+}
+
+

src/driver_state.rs

@@ -0,0 +1,347 @@
+use std::default::Default;
+use std::clone::Clone;
+use std::error::Error;
+// use std::io::{Error, ErrorKind};
+use std::ffi::c_void;
+use std::mem::{size_of_val};
+
+use winapi::shared::ntdef::{NTSTATUS};
+use winapi::shared::minwindef::{DWORD};
+use winapi::um::winioctl::{
+    CTL_CODE, FILE_ANY_ACCESS,
+    METHOD_IN_DIRECT, METHOD_OUT_DIRECT, /* METHOD_BUFFERED, */ METHOD_NEITHER
+};
+
+use crate::address::Address;
+use crate::pdb_store::{PdbStore, parse_pdb};
+use crate::windows::{WindowsFFI, WindowsVersion};
+use crate::ioctl_protocol::{
+    InputData, OffsetData, DerefAddr, ScanPoolData, /* HideProcess, */
+    /* OutputData, */ Nothing
+};
+
+type BoxResult<T> = Result<T, Box<dyn Error>>;
+
+const SIOCTL_TYPE: DWORD = 40000;
+
+pub fn to_epoch(filetime: u64) -> u64 {
+    let windows_epoch_diff: u64 = 11644473600000 * 10000;
+    if filetime < windows_epoch_diff {
+        return 0;
+    }
+    let process_time_epoch: u64 = (filetime - windows_epoch_diff) / 10000;
+    process_time_epoch
+}
+
+#[allow(dead_code)]
+#[derive(Debug)]
+pub enum DriverAction {
+    SetupOffset,
+    GetKernelBase,
+    ScanPsActiveHead,
+    ScanPool,
+    ScanPoolRemote,
+    DereferenceAddress,
+    HideProcess
+}
+
+impl DriverAction {
+    pub fn get_code(&self) -> DWORD {
+        match self {
+            DriverAction::SetupOffset => CTL_CODE(SIOCTL_TYPE, 0x900, METHOD_IN_DIRECT, FILE_ANY_ACCESS),
+            DriverAction::GetKernelBase => CTL_CODE(SIOCTL_TYPE, 0x901, METHOD_OUT_DIRECT, FILE_ANY_ACCESS),
+            DriverAction::ScanPsActiveHead => CTL_CODE(SIOCTL_TYPE, 0x902, METHOD_NEITHER, FILE_ANY_ACCESS),
+            DriverAction::ScanPool => CTL_CODE(SIOCTL_TYPE, 0x903, METHOD_IN_DIRECT, FILE_ANY_ACCESS),
+            DriverAction::ScanPoolRemote => CTL_CODE(SIOCTL_TYPE, 0x904, METHOD_IN_DIRECT, FILE_ANY_ACCESS),
+            DriverAction::DereferenceAddress => CTL_CODE(SIOCTL_TYPE, 0xA00, METHOD_OUT_DIRECT, FILE_ANY_ACCESS),
+            DriverAction::HideProcess => CTL_CODE(SIOCTL_TYPE, 0xA01, METHOD_IN_DIRECT, FILE_ANY_ACCESS)
+        }
+    }
+}
+
+#[derive(Debug)]
+pub struct EprocessPoolChunk {
+    pub pool_addr: u64,
+    pub eprocess_addr: u64,
+    pub eprocess_name: String,
+    pub create_time: u64,
+    pub exit_time: u64
+}
+
+impl PartialEq for EprocessPoolChunk {
+    fn eq(&self, other: &Self) -> bool {
+        self.eprocess_addr == other.eprocess_addr
+    }
+}
+
+#[allow(dead_code)]
+pub struct DriverState {
+    // TODO: Make private, only call methods of DriverState
+    pub pdb_store: PdbStore,
+    pub windows_ffi: WindowsFFI,
+}
+
+impl DriverState {
+    pub fn new() -> Self {
+        Self {
+            pdb_store: parse_pdb().expect("Cannot get PDB file"),
+            windows_ffi: WindowsFFI::new()
+        }
+    }
+
+    pub fn startup(&mut self) -> NTSTATUS {
+        let s = self.windows_ffi.load_driver();
+        let mut input = InputData {
+            offset_value: OffsetData::new(&self.pdb_store, self.windows_ffi.short_version)
+        };
+        self.windows_ffi.device_io(DriverAction::SetupOffset.get_code(),
+                                   &mut input, &mut Nothing);
+        s
+    }
+
+    pub fn shutdown(&self) -> NTSTATUS {
+        self.windows_ffi.unload_driver()
+    }
+
+    pub fn get_kernel_base(&self) -> Address {
+        let mut ntosbase = 0u64;
+        self.windows_ffi.device_io(DriverAction::GetKernelBase.get_code(),
+                                   &mut Nothing, &mut ntosbase);
+        Address::from_base(ntosbase)
+    }
+
+    // pub fn scan_active_head(&self) -> BoxResult<Vec<EprocessPoolChunk>> {
+    //     let ntosbase = self.get_kernel_base();
+    //     let ps_active_head = ntosbase + self.pdb_store.get_offset_r("PsActiveProcessHead")?;
+    //     let flink_offset = self.pdb_store.get_offset_r("_LIST_ENTRY.Flink")?;
+    //     let eprocess_link_offset = self.pdb_store.get_offset_r("_EPROCESS.ActiveProcessLinks")?;
+    //     let eprocess_name_offset = self.pdb_store.get_offset_r("_EPROCESS.ImageFileName")?;
+    //
+    //     let mut ptr = ps_active_head;
+    //     self.deref_addr((ptr + flink_offset).get(), &mut ptr);
+    //
+    //     let mut result: Vec<EprocessPoolChunk> = Vec::new();
+    //     while ptr != ps_active_head {
+    //         let mut image_name = [0u8; 15];
+    //         let eprocess = ptr - eprocess_link_offset;
+    //         self.deref_addr(eprocess + eprocess_name_offset, &mut image_name);
+    //         match std::str::from_utf8(&image_name) {
+    //             Ok(n) => {
+    //                 result.push(EprocessPoolChunk {
+    //                     pool_addr: 0,
+    //                     eprocess_addr: eprocess,
+    //                     eprocess_name: n.to_string()
+    //                                     .trim_end_matches(char::from(0))
+    //                                     .to_string(),
+    //                     create_time: 0,
+    //                     exit_time: 0
+    //
+    //                 });
+    //             },
+    //             _ => {}
+    //         };
+    //         self.deref_addr(ptr + flink_offset, &mut ptr);
+    //     }
+    //     Ok(result)
+    // }
+
+    pub fn scan_pool<F>(&self, tag: &[u8; 4], expected_struct: &str, mut handler: F) -> BoxResult<bool>
+                        where F: FnMut(Address, &[u8], Address) -> BoxResult<bool>
+                        // F(Pool Address, Pool Header Data, Pool Data Address)
+                        // TODO: Pool Header as a real struct
+    {
+        // TODO: make generator, in hold: https://github.com/rust-lang/rust/issues/43122
+        // Making this function a generator will turn the call to a for loop
+        // https://docs.rs/gen-iter/0.2.0/gen_iter/
+        // >> More flexibility in code
+        let pool_header_size = self.pdb_store.get_offset_r("_POOL_HEADER.struct_size")?;
+        let minimum_block_size = self.pdb_store.get_offset_r(&format!("{}.struct_size", expected_struct))?
+                               + pool_header_size;
+        let code = DriverAction::ScanPoolRemote.get_code();
+        let ntosbase = self.get_kernel_base();
+        let [start_address, end_address] = self.get_nonpaged_range(&ntosbase)?;
+
+        println!("kernel base: {}; non-paged pool (start, end): ({}, {})", ntosbase, start_address, end_address);
+
+        let mut ptr = start_address;
+        while ptr < end_address {
+            let mut next_found = 0u64;
+            let mut input = InputData {
+                scan_range: ScanPoolData::new(&[ptr.address(), end_address.address()], tag)
+            };
+            self.windows_ffi.device_io(code, &mut input, &mut next_found);
+            ptr = Address::from_base(next_found);
+            if ptr >= end_address {
+                break;
+            }
+
+            let pool_addr = Address::from_base(ptr.address());
+            let header: Vec<u8> = self.deref_array(&pool_addr, pool_header_size);
+            let chunk_size = (header[2] as u64) * 16u64;
+
+            if pool_addr.address() + chunk_size > end_address.address() {
+                // the chunk surpasses the non page pool range
+                break;
+            }
+
+            // automatically reject bad chunk
+            if chunk_size < minimum_block_size {
+                ptr += 0x4;
+                continue;
+            }
+
+            let data_addr = Address::from_base(pool_addr.address() + pool_header_size);
+
+            let success = handler(pool_addr, &header, data_addr)?;
+            if success {
+                ptr += chunk_size; /* skip this chunk */
+            }
+            else {
+                ptr += 0x4; /* search next */
+            }
+        }
+        Ok(true)
+    }
+
+    pub fn address_of(&self, addr: &Address, name: &str) -> BoxResult<u64> {
+        let resolver = |p| { self.deref_addr_new(p) };
+        let r = self.pdb_store.decompose(&addr, &name)?;
+        Ok(r.get(&resolver))
+    }
+
+    pub fn decompose<T: Default>(&self, addr: &Address, name: &str) -> BoxResult<T> {
+        // interface to pdb_store.decompose
+        let resolver = |p| { self.deref_addr_new(p) };
+        let r: T = self.deref_addr_new(self.pdb_store.decompose(&addr, &name)?.get(&resolver));
+        Ok(r)
+    }
+
+    pub fn decompose_array<T: Default + Clone>(&self, addr: &Address, name: &str, len: u64) -> BoxResult<Vec<T>> {
+        // interface to pdb_store.decompose for array
+        let r: Vec<T> = self.deref_array(&self.pdb_store.decompose(&addr, &name)?, len);
+        Ok(r)
+    }
+
+    pub fn deref_addr_new<T: Default>(&self, addr: u64) -> T {
+        let mut r: T = Default::default();
+        if addr != 0 {
+            self.deref_addr(addr, &mut r);
+        }
+        r
+    }
+
+    pub fn deref_array<T: Default + Clone>(&self, addr: &Address, len: u64) -> Vec<T> {
+        let resolver = |p| { self.deref_addr_new(p) };
+        let mut r: Vec<T> = vec![Default::default(); len as usize];
+        self.deref_addr_ptr(addr.get(&resolver), r.as_mut_ptr(), len);
+        r
+    }
+
+    // #[deprecated(note="use deref_addr_new<T>")]
+    pub fn deref_addr<T>(&self, addr: u64, outbuf: &mut T) {
+        let code = DriverAction::DereferenceAddress.get_code();
+        let size: usize = size_of_val(outbuf);
+        let mut input = InputData {
+            deref_addr: DerefAddr {
+                addr,
+                size: size as u64
+            }
+        };
+        self.windows_ffi.device_io(code, &mut input, outbuf);
+    }
+
+    // #[deprecated(note="use deref_array<T>")]
+    pub fn deref_addr_ptr<T>(&self, addr: u64, outptr: *mut T, output_len: u64) {
+        let code = DriverAction::DereferenceAddress.get_code();
+        let mut input = InputData {
+            deref_addr: DerefAddr {
+                addr,
+                size: output_len
+            }
+        };
+        self.windows_ffi.device_io_raw(code,
+                                       &mut input as *mut _ as *mut c_void, size_of_val(&input) as DWORD,
+                                       outptr as *mut c_void, output_len as DWORD);
+    }
+
+    pub fn get_unicode_string(&self, unicode_str_addr: u64, deref: bool) -> BoxResult<String> {
+        if unicode_str_addr == 0 {
+            return Err("Not a valid address".into());
+        }
+
+        let mut strlen = 0u16;
+        let mut capacity = 0u16;
+        let mut bufaddr = 0u64;
+        let buffer_ptr = unicode_str_addr + self.pdb_store.get_offset_r("_UNICODE_STRING.Buffer")?;
+        let capacity_addr  = unicode_str_addr + self.pdb_store.get_offset_r("_UNICODE_STRING.MaximumLength")?;
+
+        self.deref_addr(unicode_str_addr, &mut strlen);
+        self.deref_addr(capacity_addr, &mut capacity);
+        self.deref_addr(buffer_ptr, &mut bufaddr);
+
+        if bufaddr == 0 || strlen > capacity || strlen == 0 || strlen % 2 != 0 {
+            return Err("Unicode string is empty".into());
+        }
+
+        if !deref {
+            return Ok("".to_string());
+        }
+
+        let mut buf = vec![0u16; (strlen / 2) as usize];
+        self.deref_addr_ptr(bufaddr, buf.as_mut_ptr(), strlen as u64);
+        // TODO: BUG with deref_array, len is wrong,
+        // >> the size of vector is strlen / 2
+        // >> the size to dereference is strlen
+        // XXX: use Vec<u8> and turn to Vec<u16>
+        // let buf: Vec<u16> = self.deref_array(&Address::from_base(bufaddr), (strlen / 2) as u64);
+
+        Ok(String::from_utf16(&buf)?)
+    }
+
+    pub fn get_nonpaged_range(&self, ntosbase: &Address) -> BoxResult<[Address; 2]> {
+        // TODO: Add support for other Windows version here
+        match self.windows_ffi.short_version {
+            WindowsVersion::Windows10FastRing => {
+                let mistate = ntosbase.clone() + self.pdb_store.get_offset_r("MiState")?;
+                let path_first_va: String = vec![
+                    "_MI_SYSTEM_INFORMATION",
+                    "Hardware",
+                    "SystemNodeNonPagedPool",
+                    "NonPagedPoolFirstVa"
+                ].join(".");
+                let path_last_va: String = vec![
+                    "_MI_SYSTEM_INFORMATION",
+                    "Hardware",
+                    "SystemNodeNonPagedPool",
+                    "NonPagedPoolLastVa"
+                ].join(".");
+                let first_va = Address::from_base(self.decompose(&mistate, &path_first_va)?);
+                let last_va = Address::from_base(self.decompose(&mistate, &path_last_va)?);
+                Ok([first_va, last_va])
+            },
+            WindowsVersion::Windows10_2019 |
+            WindowsVersion::Windows10_2018 => {
+                let mistate = ntosbase.clone() + self.pdb_store.get_offset_r("MiState")?;
+                let path_first_va: String = vec![
+                    "_MI_SYSTEM_INFORMATION",
+                    "Hardware",
+                    "SystemNodeInformation",
+                    "NonPagedPoolFirstVa"
+                ].join(".");
+                let path_last_va: String = vec![
+                    "_MI_SYSTEM_INFORMATION",
+                    "Hardware",
+                    "SystemNodeInformation",
+                    "NonPagedPoolLastVa"
+                ].join(".");
+                let first_va = Address::from_base(self.decompose(&mistate, &path_first_va)?);
+                let last_va = Address::from_base(self.decompose(&mistate, &path_last_va)?);
+                Ok([first_va, last_va])
+            },
+            _ => {
+                Err("Windows version for nonpaged pool algorithm is not implemented".into())
+            }
+        }
+    }
+
+}

src/ioctl_protocol.rs

@@ -0,0 +1,121 @@
+use crate::pdb_store::PdbStore;
+use crate::windows::WindowsVersion;
+
+#[repr(C)]
+#[derive(Debug, Copy, Clone)]
+pub struct OffsetData {
+    eprocess_name_offset: u64,
+    eprocess_link_offset: u64,
+    list_blink_offset: u64,
+    process_head_offset: u64,
+    mistate_offset: u64,
+    hardware_offset: u64,
+    system_node_offset: u64,
+    first_va_offset: u64,
+    last_va_offset: u64,
+    large_page_table_offset: u64,
+    large_page_size_offset: u64,
+    pool_chunk_size: u64,
+}
+
+// TODO: Move to WindowsScanStrategy and return the corresponding struct base on Windows version
+impl OffsetData {
+    pub fn new(pdb_store: &PdbStore, windows_version: WindowsVersion) -> Self {
+        match windows_version {
+            WindowsVersion::Windows10FastRing => Self {
+                eprocess_name_offset: pdb_store.get_offset("_EPROCESS.ImageFileName").unwrap_or(0u64),
+                eprocess_link_offset: pdb_store.get_offset("_EPROCESS.ActiveProcessLinks").unwrap_or(0u64),
+                list_blink_offset: pdb_store.get_offset("_LIST_ENTRY.Blink").unwrap_or(0u64),
+                process_head_offset: pdb_store.get_offset("PsActiveProcessHead").unwrap_or(0u64),
+                mistate_offset: pdb_store.get_offset("MiState").unwrap_or(0u64),
+                hardware_offset: pdb_store.get_offset("_MI_SYSTEM_INFORMATION.Hardware").unwrap_or(0u64),
+                system_node_offset: pdb_store.get_offset("_MI_HARDWARE_STATE.SystemNodeNonPagedPool").unwrap_or(0u64),
+                first_va_offset: pdb_store.get_offset("_MI_SYSTEM_NODE_NONPAGED_POOL.NonPagedPoolFirstVa").unwrap_or(0u64),
+                last_va_offset: pdb_store.get_offset("_MI_SYSTEM_NODE_NONPAGED_POOL.NonPagedPoolLastVa").unwrap_or(0u64),
+                large_page_table_offset: pdb_store.get_offset("PoolBigPageTable").unwrap_or(0u64),
+                large_page_size_offset: pdb_store.get_offset("PoolBigPageTableSize").unwrap_or(0u64),
+                pool_chunk_size: pdb_store.get_offset("_POOL_HEADER.struct_size").unwrap_or(0u64),
+            },
+            WindowsVersion::Windows10_2019 |
+            WindowsVersion::Windows10_2018 => Self {
+                eprocess_name_offset: pdb_store.get_offset("_EPROCESS.ImageFileName").unwrap_or(0u64),
+                eprocess_link_offset: pdb_store.get_offset("_EPROCESS.ActiveProcessLinks").unwrap_or(0u64),
+                list_blink_offset: pdb_store.get_offset("_LIST_ENTRY.Blink").unwrap_or(0u64),
+                process_head_offset: pdb_store.get_offset("PsActiveProcessHead").unwrap_or(0u64),
+                mistate_offset: pdb_store.get_offset("MiState").unwrap_or(0u64),
+                hardware_offset: pdb_store.get_offset("_MI_SYSTEM_INFORMATION.Hardware").unwrap_or(0u64),
+                system_node_offset: pdb_store.get_offset("_MI_HARDWARE_STATE.SystemNodeInformation").unwrap_or(0u64),
+                first_va_offset: pdb_store.get_offset("_MI_SYSTEM_NODE_INFORMATION.NonPagedPoolFirstVa").unwrap_or(0u64),
+                last_va_offset: pdb_store.get_offset("_MI_SYSTEM_NODE_INFORMATION.NonPagedPoolLastVa").unwrap_or(0u64),
+                large_page_table_offset: pdb_store.get_offset("PoolBigPageTable").unwrap_or(0u64),
+                large_page_size_offset: pdb_store.get_offset("PoolBigPageTableSize").unwrap_or(0u64),
+                pool_chunk_size: pdb_store.get_offset("_POOL_HEADER.struct_size").unwrap_or(0u64),
+            },
+            // TODO: Add other version of Windows here
+            // TODO: Warn user of unknown windows version, because BSOD will occur
+            _ => Self {
+                eprocess_name_offset: 0u64,
+                eprocess_link_offset: 0u64,
+                list_blink_offset: 0u64,
+                process_head_offset: 0u64,
+                mistate_offset: 0u64,
+                hardware_offset: 0u64,
+                system_node_offset: 0u64,
+                first_va_offset: 0u64,
+                last_va_offset: 0u64,
+                large_page_table_offset: 0u64,
+                large_page_size_offset: 0u64,
+                pool_chunk_size: 0u64,
+            }
+        }
+    }
+}
+
+#[repr(C)]
+#[derive(Debug, Copy, Clone)]
+pub struct DerefAddr {
+    pub addr: u64,
+    pub size: u64
+}
+
+#[repr(C)]
+#[derive(Debug, Copy, Clone)]
+pub struct ScanPoolData {
+    pub start: u64,
+    pub end: u64,
+    pub tag: u32
+}
+
+impl ScanPoolData{
+    pub fn new(arr: &[u64; 2], tag: &[u8; 4]) -> Self {
+        Self {
+            start: arr[0],
+            end: arr[1],
+            tag: u32::from_le_bytes(*tag)
+        }
+    }
+}
+
+#[repr(C)]
+#[derive(Debug, Copy, Clone)]
+pub struct HideProcess {
+    pub name: [u8; 15],
+    pub size: u64
+}
+
+#[repr(C)]
+pub union InputData {
+    pub offset_value: OffsetData,
+    pub deref_addr: DerefAddr,
+    pub scan_range: ScanPoolData,
+    pub hide_process: HideProcess,
+}
+
+#[repr(C)]
+#[derive(Debug, Copy, Clone)]
+pub struct Nothing; // for empty data
+
+#[repr(C)]
+pub union OutputData {
+    pub nothing: Nothing,
+}

src/lib.rs

@@ -0,0 +1,288 @@
+extern crate chrono;
+extern crate app_dirs;
+
+pub mod pdb_store;
+pub mod windows;
+pub mod ioctl_protocol;
+pub mod driver_state;
+pub mod address;
+
+use std::error::Error;
+use std::str::{from_utf8};
+use serde_json::{json, Value};
+use driver_state::DriverState;
+use address::Address;
+
+type BoxResult<T> = Result<T, Box<dyn Error>>;
+
+pub fn scan_eprocess(driver: &DriverState) -> BoxResult<Vec<Value>> {
+    let mut result: Vec<Value> = Vec::new();
+    driver.scan_pool(b"Proc", "_EPROCESS", |pool_addr, header, data_addr| {
+        let chunk_size = (header[2] as u64) * 16u64;
+
+        let eprocess_size = driver.pdb_store.get_offset_r("_EPROCESS.struct_size")?;
+
+        let eprocess_valid_start = &data_addr;
+        let eprocess_valid_end = (pool_addr.clone() + chunk_size) - eprocess_size;
+        let mut try_eprocess_ptr = eprocess_valid_start.clone();
+
+        while try_eprocess_ptr <= eprocess_valid_end {
+            let create_time: u64 = driver.decompose(&try_eprocess_ptr, "_EPROCESS.CreateTime")?;
+            if driver.windows_ffi.valid_process_time(create_time) {
+                break;
+            }
+            try_eprocess_ptr += 0x4;        // search exhaustively
+        }
+        if try_eprocess_ptr > eprocess_valid_end {
+            return Ok(false);
+        }
+
+        let eprocess_ptr = &try_eprocess_ptr;
+
+        let pid: u64 = driver.decompose(eprocess_ptr, "_EPROCESS.UniqueProcessId")?;
+        let ppid: u64 = driver.decompose(eprocess_ptr, "_EPROCESS.InheritedFromUniqueProcessId")?;
+        let image_name: Vec<u8> = driver.decompose_array(eprocess_ptr, "_EPROCESS.ImageFileName", 15)?;
+        let unicode_str_ptr = driver.address_of(eprocess_ptr, "_EPROCESS.ImageFilePointer.FileName")?;
+
+        let eprocess_name =
+            if let Ok(name) = from_utf8(&image_name) {
+                name.to_string().trim_end_matches(char::from(0)).to_string()
+            } else {
+                "".to_string()
+            };
+        let binary_path = driver.get_unicode_string(unicode_str_ptr, true)
+                          .unwrap_or("".to_string());
+
+        result.push(json!({
+            "pool": format!("0x{:x}", pool_addr.address()),
+            "address": format!("0x{:x}", eprocess_ptr.address()),
+            "type": "_EPROCESS",
+            "pid": pid,
+            "ppid": ppid,
+            "name": eprocess_name,
+            "path": binary_path
+        }));
+        Ok(true)
+    })?;
+    Ok(result)
+}
+
+pub fn scan_file(driver: &DriverState) -> BoxResult<Vec<Value>> {
+    let mut result: Vec<Value> = Vec::new();
+
+    driver.scan_pool(b"File", "_FILE_OBJECT", |pool_addr, header, data_addr| {
+        let chunk_size = (header[2] as u64) * 16u64;
+
+        let fob_size = driver.pdb_store.get_offset_r("_FILE_OBJECT.struct_size")?;
+        let valid_end = (pool_addr.clone() + chunk_size) - fob_size;
+        let mut try_ptr = data_addr;
+
+        while try_ptr <= valid_end {
+            let ftype: u16 = driver.decompose(&try_ptr, "_FILE_OBJECT.Type")?;
+            let size: u16 = driver.decompose(&try_ptr, "_FILE_OBJECT.Size")?;
+            if (size as u64) == fob_size && ftype == 5u16 {
+                break;
+            }
+            try_ptr += 0x4;        // search exhaustively
+        }
+        if try_ptr > valid_end {
+            return Ok(false);
+        }
+
+        let fob_addr = &try_ptr;
+        let read_ok: u8 = driver.decompose(fob_addr, "_FILE_OBJECT.ReadAccess")?;
+        let write_ok: u8 = driver.decompose(fob_addr, "_FILE_OBJECT.WriteAccess")?;
+        let delete_ok: u8 = driver.decompose(fob_addr, "_FILE_OBJECT.DeleteAccess")?;
+        let share_read_ok: u8 = driver.decompose(fob_addr, "_FILE_OBJECT.SharedRead")?;
+        let share_write_ok: u8 = driver.decompose(fob_addr, "_FILE_OBJECT.SharedWrite")?;
+        let share_delete_ok: u8 = driver.decompose(fob_addr, "_FILE_OBJECT.SharedDelete")?;
+        let filename_ptr = driver.address_of(fob_addr, "_FILE_OBJECT.FileName")?;
+        let devicename_ptr: u64 = driver.address_of(fob_addr, "_FILE_OBJECT.DeviceObject.DriverObject.DriverName")?;
+        let hardware_ptr: u64 = driver.decompose(fob_addr, "_FILE_OBJECT.DeviceObject.DriverObject.HardwareDatabase")?;
+
+        let filename =
+            if read_ok == 0 {
+                "[NOT READABLE]".to_string()
+            }
+            else if let Ok(n) = driver.get_unicode_string(filename_ptr, true) {
+                n
+            }
+            else {
+                "[NOT A VALID _UNICODE_STRING]".to_string()
+            };
+        let devicename = driver.get_unicode_string(devicename_ptr, true)
+                         .unwrap_or("".to_string());
+        let hardware = driver.get_unicode_string(hardware_ptr, true)
+                       .unwrap_or("".to_string());
+        result.push(json!({
+            "pool": format!("0x{:x}", pool_addr.address()),
+            "address": format!("0x{:x}", fob_addr.address()),
+            "type": "_FILE_OBJECT",
+            "path": filename,
+            "device": devicename,
+            "hardware": hardware,
+            "access": {
+                "r": read_ok == 1,
+                "w": write_ok == 1,
+                "d": delete_ok == 1,
+                "R": share_read_ok == 1,
+                "W": share_write_ok == 1,
+                "D": share_delete_ok == 1
+            }
+        }));
+        Ok(true)
+    })?;
+
+    Ok(result)
+}
+
+pub fn scan_ethread(driver: &DriverState) -> BoxResult<Vec<Value>> {
+    let mut result: Vec<Value> = Vec::new();
+
+    driver.scan_pool(b"Thre", "_ETHREAD", |pool_addr, header, data_addr| {
+        let chunk_size = (header[2] as u64) * 16u64;
+
+        let ethread_size = driver.pdb_store.get_offset_r("_ETHREAD.struct_size")?;
+        let ethread_valid_start = &data_addr;
+        let ethread_valid_end = (pool_addr.clone() + chunk_size) - ethread_size;
+        let mut try_ethread_ptr = ethread_valid_start.clone();
+
+        while try_ethread_ptr <= ethread_valid_end {
+            let create_time: u64 = driver.decompose(&try_ethread_ptr, "_ETHREAD.CreateTime")?;
+            if driver.windows_ffi.valid_process_time(create_time) {
+                break;
+            }
+            try_ethread_ptr += 0x4;        // search exhaustively
+        }
+        if try_ethread_ptr > ethread_valid_end {
+            return Ok(false);
+        }
+
+        let ethread_ptr = &try_ethread_ptr;
+
+        let pid: u64 = driver.decompose(ethread_ptr, "_ETHREAD.Cid.UniqueProcess")?;
+        let tid: u64 = driver.decompose(ethread_ptr, "_ETHREAD.Cid.UniqueThread")?;
+        let unicode_str_ptr: u64 = driver.address_of(ethread_ptr, "_ETHREAD.ThreadName")?;
+
+        let thread_name =
+            if let Ok(name) = driver.get_unicode_string(unicode_str_ptr, true) {
+                name
+            }
+            else {
+                "".to_string()
+            };
+
+        result.push(json!({
+            "pool": format!("0x{:x}", pool_addr.address()),
+            "address": format!("0x{:x}", ethread_ptr.address()),
+            "type": "_ETHREAD",
+            "pid": pid,
+            "tid": tid,
+            "name": thread_name
+        }));
+        Ok(true)
+    })?;
+
+    Ok(result)
+}
+
+// Unstable, do not use
+pub fn scan_mutant(driver: &DriverState) -> BoxResult<Vec<Value>> {
+    let mut result: Vec<Value> = Vec::new();
+
+    let ntosbase = driver.get_kernel_base();
+    let [start, end] = driver.get_nonpaged_range(&ntosbase)?;
+
+    driver.scan_pool(b"Muta", "_KMUTANT", |pool_addr, header, data_addr| {
+        let chunk_size = (header[2] as u64) * 16u64;
+
+        let kmutant_size = driver.pdb_store.get_offset_r("_KMUTANT.struct_size")?;
+
+        let kmutant_valid_start = data_addr;
+        let kmutant_valid_end = (pool_addr.clone() + chunk_size) - kmutant_size;
+        let mut try_kmutant_ptr = kmutant_valid_start.clone();
+
+        while try_kmutant_ptr <= kmutant_valid_end {
+            // TODO: Stronger constrain
+            let kthread_ptr = driver.address_of(&try_kmutant_ptr, "_KMUTANT.OwnerThread")?;
+            if kthread_ptr > start.address() && kthread_ptr < end.address() {
+                break;
+            }
+            try_kmutant_ptr += 0x4;        // search exhaustively
+        }
+        if try_kmutant_ptr > kmutant_valid_end {
+            return Ok(false);
+        }
+
+        let kmutant_ptr = try_kmutant_ptr;
+        let ethread_ptr = Address::from_base(driver.address_of(&kmutant_ptr, "_KMUTANT.OwnerThread")?);
+
+        let pid: u64 = driver.decompose(&ethread_ptr, "_ETHREAD.Cid.UniqueProcess")?;
+        let tid: u64 = driver.decompose(&ethread_ptr, "_ETHREAD.Cid.UniqueThread")?;
+        let unicode_str_ptr: u64 = driver.address_of(&ethread_ptr, "_ETHREAD.ThreadName")?;
+
+        let thread_name =
+            if let Ok(name) = driver.get_unicode_string(unicode_str_ptr, true) {
+                name
+            }
+            else {
+                "".to_string()
+            };
+
+        result.push(json!({
+            "pool": format!("0x{:x}", pool_addr.address()),
+            "address": format!("0x{:x}", ethread_ptr.address()),
+            "type": "_KMUTANT",
+            "pid": pid,
+            "tid": tid,
+            "name": thread_name
+        }));
+        Ok(true)
+    })?;
+
+    Ok(result)
+}
+
+pub fn scan_driver(driver: &DriverState) -> BoxResult<Vec<Value>> {
+    let mut result: Vec<Value> = Vec::new();
+
+    driver.scan_pool(b"Driv", "_DRIVER_OBJECT", |pool_addr, header, data_addr| {
+        let chunk_size = (header[2] as u64) * 16u64;
+
+        let dob_size = driver.pdb_store.get_offset_r("_DRIVER_OBJECT.struct_size")?;
+        let valid_end = (pool_addr.clone() + chunk_size) - dob_size;
+        let mut try_ptr = data_addr;
+
+        while try_ptr <= valid_end {
+            // No documentation on type constrain
+            // let ftype: u16 = driver.decompose(&try_ptr, "_DRIVER_OBJECT.Type")?;
+            let size: u16 = driver.decompose(&try_ptr, "_DRIVER_OBJECT.Size")?;
+            if (size as u64) == dob_size /* && ftype == 5u16 */ {
+                break;
+            }
+            try_ptr += 0x4;        // search exhaustively
+        }
+        if try_ptr > valid_end {
+            return Ok(false);
+        }
+        let dob_addr = &try_ptr;
+
+        let devicename_ptr = driver.address_of(dob_addr, "_DRIVER_OBJECT.DriverName")?;
+        let hardware_ptr: u64 = driver.decompose(dob_addr, "_DRIVER_OBJECT.HardwareDatabase")?;
+
+        let devicename = driver.get_unicode_string(devicename_ptr, true)
+                         .unwrap_or("".to_string());
+        let hardware = driver.get_unicode_string(hardware_ptr, true)
+                       .unwrap_or("".to_string());
+        result.push(json!({
+            "pool": format!("0x{:x}", pool_addr.address()),
+            "address": format!("0x{:x}", dob_addr.address()),
+            "type": "_DRIVER_OBJECT",
+            "device": devicename,
+            "hardware": hardware
+        }));
+        Ok(true)
+    })?;
+
+    Ok(result)
+}

src/main.rs

@@ -1,13 +0,0 @@
-mod pdb_store;
-mod windows;
-
-fn main() {
-    let store = pdb_store::parse_pdb();
-    store.print_default_information();
-
-    let mut windows_ffi = windows::WindowsFFI::new();
-    windows_ffi.print_version();
-
-    println!("NtLoadDriver()   -> 0x{:x}", windows_ffi.load_driver());
-    println!("NtUnloadDriver() -> 0x{:x}", windows_ffi.unload_driver());
-}

src/pdb_store.rs

@@ -1,25 +1,26 @@
+use std::error::Error;
 use std::io;
 use std::io::{Read};
-use std::path::Path;
+use std::path::{PathBuf};
 use std::fs::File;
 use std::collections::HashMap;
 
-use pdb::PDB;
-use pdb::SymbolData;
-use pdb::TypeData;
-use pdb::ClassType;
-use pdb::ModifierType;
-use pdb::Rva;
+use pdb::{
+    PDB, SymbolData, TypeData, ClassType, ModifierType, Rva,
+    FallibleIterator, TypeFinder, TypeIndex
+};
+use app_dirs::{AppInfo, AppDataType, app_dir};
 
-use pdb::FallibleIterator;
-use pdb::TypeFinder;
-use pdb::TypeIndex;
+use crate::address::Address;
 
+const APP_INFO: AppInfo = AppInfo { name: "lpus", author: "nganhkhoa" };
 
-const PDBNAME: &str = "ntkrnlmp.pdb";
+const KERNEL_PDB_NAME: &str = "ntkrnlmp.pdb";
 const NTOSKRNL_PATH: &str = "C:\\Windows\\System32\\ntoskrnl.exe";
 const PDB_SERVER_PATH: &str = "http://msdl.microsoft.com/download/symbols";
 
+type BoxResult<T> = Result<T, Box<dyn Error>>;
+
 type SymbolStore = HashMap<String, u64>;
 type StructStore = HashMap<String, HashMap<String, (String, u64)>>;
 
@@ -29,6 +30,10 @@ pub struct PdbStore {
 }
 
 impl PdbStore {
+    pub fn get_offset_r(&self, name: &str) -> BoxResult<u64> {
+        self.get_offset(name)
+            .ok_or(format!("{} is not found in PDB", name).into())
+    }
     #[allow(dead_code)]
     pub fn get_offset(&self, name: &str) -> Option<u64> {
         if name.contains(".") {
@@ -52,9 +57,9 @@ impl PdbStore {
     }
 
     #[allow(dead_code)]
-    pub fn addr_decompose(&self, addr: u64, full_name: &str) -> Result<u64, String>{
+    pub fn addr_decompose(&self, addr: u64, full_name: &str) -> BoxResult<u64>{
         if !full_name.contains(".") {
-            return Err("Not decomposable".to_string());
+            return Err("Not decomposable".into());
         }
 
         let mut name_part: Vec<&str> = full_name.split_terminator('.').collect();
@@ -65,7 +70,7 @@ impl PdbStore {
                     Some((memtype, offset)) => {
                         if next.len() != 0 {
                             if memtype.contains("*") {
-                                return Err(format!("Cannot dereference pointer at {} {}", memtype, name_part[1]));
+                                return Err(format!("Cannot dereference pointer at {} {}", memtype, name_part[1]).into());
                             }
                             next.insert(0, memtype);
                             self.addr_decompose(addr + *offset, &next.join("."))
@@ -74,10 +79,40 @@ impl PdbStore {
                             Ok(addr + *offset)
                         }
                     },
-                    None => Err(format!("Not found member {}", name_part[1]))
+                    None => Err(format!("Not found member {}", name_part[1]).into())
                 }
             },
-            None => Err(format!("Struct {} not found", name_part[0]))
+            None => Err(format!("Struct {} not found", name_part[0]).into())
+        }
+    }
+
+    pub fn decompose(&self, source: &Address, full_name: &str) -> BoxResult<Address> {
+        // println!("decompose {}", full_name);
+        if !full_name.contains(".") {
+            return Err("Not decomposable".into());
+        }
+
+        let mut name_part: Vec<&str> = full_name.split_terminator('.').collect();
+        let mut next: Vec<_> = name_part.drain(2..).collect();
+        let member_info = self.structs.get(name_part[0])
+                          .ok_or(format!("No struct {}", name_part[0]))?;
+        let (memtype, offset) = member_info.get(name_part[1])
+                                .ok_or(format!("No member {} in {}", name_part[1], name_part[0]))?;
+
+        if next.len() == 0 {
+            return Ok(source.clone() + *offset);
+        }
+        if memtype.contains("*") {
+            let mut t = memtype.clone(); // remove *
+            t.pop();
+            next.insert(0, &t);
+            let p = Address::from_ptr(source.clone() + *offset);
+            self.decompose(&p, &next.join("."))
+
+        }
+        else {
+            next.insert(0, memtype);
+            self.decompose(&(source.clone() + *offset), &next.join("."))
         }
     }
 
@@ -94,7 +129,10 @@ impl PdbStore {
         ];
 
         let mut need_structs = HashMap::new();
-        need_structs.insert("_POOL_HEADER", vec![]);
+        need_structs.insert("_POOL_HEADER", vec![
+            "struct_size",
+            "PoolType", "BlockSize", "PoolTag"
+        ]);
         need_structs.insert("_PEB", vec![]);
         need_structs.insert("_LIST_ENTRY", vec![
             "Flink", "Blink"
@@ -250,11 +288,12 @@ fn get_type_as_str(type_finder: &TypeFinder, typ: &TypeIndex) -> String {
     }
 }
 
-pub fn download_pdb() {
-    let mut ntoskrnl = File::open(NTOSKRNL_PATH).expect("Cannot open ntoskrnl.exe");
+fn get_guid_age(exe_file: &str) -> BoxResult<(String, u32)>{
+    // TODO: Check file existance
+    let mut file = File::open(exe_file)?;
 
     let mut buffer = Vec::new();
-    ntoskrnl.read_to_end(&mut buffer).expect("Cannot read file ntoskrnl.exe");
+    file.read_to_end(&mut buffer)?;
 
     let mut buffiter = buffer.chunks(4);
     while buffiter.next().unwrap() != [0x52, 0x53, 0x44, 0x53] {
@@ -284,29 +323,54 @@ pub fn download_pdb() {
         raw_age[0], raw_age[1], raw_age[2], raw_age[3]
     ]);
 
-    let downloadurl = format!("{}/{}/{}{:X}/{}", PDB_SERVER_PATH, PDBNAME, guid, age, PDBNAME);
-    println!("{}", downloadurl);
-
-    let mut resp = reqwest::blocking::get(&downloadurl).expect("request failed");
-    let mut out = File::create(PDBNAME).expect("failed to create file");
-    io::copy(&mut resp, &mut out).expect("failed to copy content");
+    Ok((guid, age))
 }
 
-pub fn parse_pdb() -> PdbStore {
-    // TODO: Detect pdb file and ntoskrnl file version differs
-    // The guid of ntoskrnl and pdb file are different
-    if !Path::new(PDBNAME).exists() {
-        download_pdb();
-    }
-    let f = File::open("ntkrnlmp.pdb").expect("No such file ./ntkrnlmp.pdb");
-    let mut pdb = PDB::open(f).expect("Cannot open as a PDB file");
+fn pdb_exists(pdbname: &str, guid: &str, age: u32) -> BoxResult<(bool, PathBuf)> {
+    // Use a folder at %APPDATA% to save pdb files
+    // %APPDATA%\nganhkhoaa\lpus
+    // |--ntkrnlmp.pdb
+    // |--|--GUID
+    // |--|--|--ntkrnlmp.pdb
+    // |--file.pdb
+    // |--|--GUID
+    // |--|--|--file.pdb
+    let mut pdb_location = app_dir(AppDataType::UserData, &APP_INFO,
+                                   &format!("{}/{}/{}", pdbname, guid, age))?;
+    pdb_location.push(pdbname);
+    Ok((pdb_location.exists(), pdb_location))
+}
 
-    let info = pdb.pdb_information().expect("Cannot get pdb information");
-    let dbi = pdb.debug_information().expect("cannot get debug information");
+fn download_pdb(pdbname: &str, guid: &str, age: u32, outfile: &PathBuf) -> BoxResult<()> {
+    let downloadurl = format!("{}/{}/{}{:X}/{}", PDB_SERVER_PATH, pdbname, guid, age, pdbname);
+    println!("{}", downloadurl);
+
+    let mut resp = reqwest::blocking::get(&downloadurl)?;
+    let mut out = File::create(outfile)?;
+    io::copy(&mut resp, &mut out)?;
+    Ok(())
+}
+
+pub fn parse_pdb() -> BoxResult<PdbStore> {
+    // TODO: Resolve pdb name
+    // ntoskrnl.exe -> ntkrnlmp.pdb
+    // tcpip.sys -> tcpip.pdb ?????
+    // There may be more pdb files in the future
+    let (guid, age) = get_guid_age(NTOSKRNL_PATH)?;
+    let (exists, pdb_path) = pdb_exists(KERNEL_PDB_NAME, &guid, age)?;
+    if !exists {
+        println!("PDB not found, download into {:?}", pdb_path);
+        download_pdb(KERNEL_PDB_NAME, &guid, age, &pdb_path)?;
+    }
+    let f = File::open(pdb_path)?;
+    let mut pdb = PDB::open(f)?;
+
+    let info = pdb.pdb_information()?;
+    let dbi = pdb.debug_information()?;
     println!("PDB for {}, guid: {}, age: {}\n",
         dbi.machine_type().unwrap(), info.guid, dbi.age().unwrap_or(0));
 
-    let type_information = pdb.type_information().expect("Cannot get type information");
+    let type_information = pdb.type_information()?;
     let mut type_finder = type_information.type_finder();
     let mut iter = type_information.iter();
     while let Some(_typ) = iter.next().unwrap() {
@@ -314,8 +378,8 @@ pub fn parse_pdb() -> PdbStore {
     }
 
     let mut symbol_extracted: SymbolStore = HashMap::new();
-    let addr_map = pdb.address_map().expect("Cannot get address map");
-    let glosym = pdb.global_symbols().expect("Cannot get global symbols");
+    let addr_map = pdb.address_map()?;
+    let glosym = pdb.global_symbols()?;
     let mut symbols = glosym.iter();
     while let Some(symbol) = symbols.next().unwrap() {
         match symbol.parse() {
@@ -354,8 +418,8 @@ pub fn parse_pdb() -> PdbStore {
         }
     }
 
-    PdbStore {
+    Ok(PdbStore {
         symbols: symbol_extracted,
         structs: struct_extracted
-    }
+    })
 }

src/repl/eval.rs

@@ -0,0 +1,581 @@
+use crate::{
+    error::{BlisprError, BlisprResult},
+    lenv::Lenv,
+    lval::{
+        lval_add, lval_join, lval_lambda, lval_num, lval_pop, lval_qexpr, lval_sexpr, Lval, LvalFun,
+    },
+};
+use log::debug;
+use std::{collections::HashMap, ops::{Add, Div, Mul, Rem, Sub}};
+
+// macro to shorten code for applying a binary operation to two Lvals
+macro_rules! apply_binop {
+    ( $op:ident, $x:ident, $y:ident ) => {
+        match (*$x, *$y) {
+            (Lval::Num(x_num), Lval::Num(y_num)) => {
+                $x = lval_num(x_num.$op(y_num));
+                continue;
+            }
+            _ => return Err(BlisprError::NotANumber),
+        }
+    };
+}
+
+// apply a binary operation {+ - * / ^ % min max} to a list of arguments in succession
+fn builtin_op(mut v: &mut Lval, func: &str) -> BlisprResult {
+    let mut child_count;
+    match *v {
+        Lval::Sexpr(ref children) => {
+            child_count = children.len();
+        }
+        _ => return Ok(Box::new(v.clone())),
+    }
+
+    let mut x = lval_pop(&mut v, 0)?;
+
+    // If no args given and we're doing subtraction, perform unary negation
+    if (func == "-" || func == "sub") && child_count == 1 {
+        debug!("builtin_op: Unary negation on {}", x);
+        let x_num = x.as_num()?;
+        return Ok(lval_num(-x_num));
+    }
+
+    // consume the children until empty
+    // and operate on x
+    while child_count > 1 {
+        let y = lval_pop(&mut v, 0)?;
+        child_count -= 1;
+        match func {
+            "+" | "add" => {
+                debug!("builtin_op: Add {} and {}", x, y);
+                apply_binop!(add, x, y)
+            }
+            "-" | "sub" => {
+                debug!("builtin_op: Subtract {} and {}", x, y);
+                apply_binop!(sub, x, y)
+            }
+            "*" | "mul" => {
+                debug!("builtin_op: Multiply {} and {}", x, y);
+                apply_binop!(mul, x, y)
+            }
+            "/" | "div" => {
+                if y.as_num()? == 0 {
+                    debug!("builtin_op: Failed divide {} by {}", x, y);
+                    return Err(BlisprError::DivideByZero);
+                } else {
+                    debug!("builtin_op: Divide {} by {}", x, y);
+                    apply_binop!(div, x, y)
+                }
+            }
+            "%" | "rem" => {
+                debug!("builtin_op: {} % {}", x, y);
+                apply_binop!(rem, x, y)
+            }
+            "^" | "pow" => {
+                debug!("builtin_op: Raise {} to the {} power", x, y);
+                let y_num = y.as_num()?;
+                let x_num = x.as_num()?;
+                let mut coll = 1;
+                for _ in 0..y_num {
+                    coll *= x_num;
+                }
+                x = lval_num(coll);
+            }
+            "min" => {
+                debug!("builtin_op: Min {} and {}", x, y);
+                let x_num = x.as_num()?;
+                let y_num = y.as_num()?;
+                if x_num < y_num {
+                    x = lval_num(x_num);
+                } else {
+                    x = lval_num(y_num);
+                };
+            }
+            "max" => {
+                debug!("builtin_op: Max {} and {}", x, y);
+                let x_num = x.as_num()?;
+                let y_num = y.as_num()?;
+                if x_num > y_num {
+                    x = lval_num(x_num);
+                } else {
+                    x = lval_num(y_num);
+                };
+            }
+            _ => unreachable!(),
+        }
+    }
+    Ok(x)
+}
+
+// Operator aliases, function pointers will be stored in env
+// TODO macro??  create_builtin!(a, &str)
+pub fn builtin_add(a: &mut Lval) -> BlisprResult {
+    builtin_op(a, "+")
+}
+
+pub fn builtin_sub(a: &mut Lval) -> BlisprResult {
+    builtin_op(a, "-")
+}
+
+pub fn builtin_mul(a: &mut Lval) -> BlisprResult {
+    builtin_op(a, "*")
+}
+
+pub fn builtin_div(a: &mut Lval) -> BlisprResult {
+    builtin_op(a, "/")
+}
+
+pub fn builtin_pow(a: &mut Lval) -> BlisprResult {
+    builtin_op(a, "^")
+}
+
+pub fn builtin_rem(a: &mut Lval) -> BlisprResult {
+    builtin_op(a, "%")
+}
+
+pub fn builtin_max(a: &mut Lval) -> BlisprResult {
+    builtin_op(a, "max")
+}
+
+pub fn builtin_min(a: &mut Lval) -> BlisprResult {
+    builtin_op(a, "min")
+}
+
+// define a list of values
+// if "def" define in global env
+// if "=" define in local env
+fn builtin_var(e: &mut Lenv, a: &mut Lval, func: &str) -> BlisprResult {
+    let args = lval_pop(a, 0)?;
+    match *args {
+        Lval::Qexpr(names) => {
+            // grab the rest of the vals
+            let mut vals = Vec::new();
+            for _ in 0..a.len()? {
+                vals.push(lval_pop(a, 0)?);
+            }
+            let names_len = names.len();
+            let vals_len = vals.len();
+            // TODO assert all symbols?
+            if vals_len != names_len {
+                Err(BlisprError::NumArguments(names_len, vals_len))
+            } else {
+                for (k, v) in names.iter().zip(vals.iter()) {
+                    let scope = if func == "def" { "global" } else { "local" };
+                    debug!("adding key, value pair {}, {} to {} env {}", k, v, scope, e);
+                    let name = k.clone().as_string()?;
+                    if scope == "local" {
+                        e.put(name, v.clone());
+                    } else {
+                        //e.def(name, v.clone())?;
+                        debug!("warning: global scope definition unimplemented!");
+                        e.put(name, v.clone());
+                    }
+                }
+                Ok(lval_sexpr())
+            }
+        }
+        _ => Err(BlisprError::WrongType(
+            "qexpr".to_string(),
+            format!("{:?}", args),
+        )),
+    }
+}
+
+// BROKEN
+//pub fn builtin_def_stub(_v: &Lval) -> BlisprResult {
+//    Ok(lval_sexpr())
+//}
+
+// FOR NOW def IS LOCAL ENV ASSIGN
+fn builtin_def(e: &mut Lenv, v: &mut Lval) -> BlisprResult {
+    builtin_var(e, v, "def")
+}
+
+pub fn builtin_put_stub(_v: &mut Lval) -> BlisprResult {
+    Ok(lval_sexpr())
+}
+
+//BROKEN
+//fn builtin_put(e: &mut Lenv, v: &Lval) -> BlisprResult {
+//    builtin_var(e, v, "=")
+//}
+
+// Attach a value to the front of a qexpr
+pub fn builtin_cons(v: &mut Lval) -> BlisprResult {
+    let child_count = v.len()?;
+    if child_count != 2 {
+        return Err(BlisprError::NumArguments(2, child_count));
+    }
+    let new_elem = lval_pop(v, 0)?;
+    let qexpr = lval_pop(v, 0)?;
+    match *qexpr {
+        Lval::Qexpr(ref children) => {
+            let mut ret = lval_qexpr();
+            lval_add(&mut ret, &new_elem)?;
+            for c in children {
+                lval_add(&mut ret, &c.clone())?;
+            }
+            Ok(ret)
+        }
+        _ => Err(BlisprError::WrongType(
+            "qexpr".to_string(),
+            format!("{:?}", v),
+        )),
+    }
+}
+
+// correct call dispatched in lval_call
+pub fn builtin_eval_stub(_v: &mut Lval) -> BlisprResult {
+    Ok(lval_sexpr())
+}
+
+// Evaluate qexpr as a sexpr
+pub fn builtin_eval(e: &mut Lenv, v: &mut Lval) -> BlisprResult {
+    let qexpr = lval_pop(v, 0)?;
+    match *qexpr {
+        Lval::Qexpr(ref children) => {
+            let mut new_sexpr = lval_sexpr();
+            for c in children {
+                let cloned = Box::new(*c.clone());
+                lval_add(&mut new_sexpr, &cloned)?;
+            }
+            debug!("builtin_eval: {:?}", new_sexpr);
+            lval_eval(e, &mut new_sexpr)
+        }
+        _ => {
+            // add it back
+            lval_add(v, &qexpr)?;
+            lval_eval(e, v)
+        }
+    }
+}
+
+// terminate the program (or exit the prompt)
+pub fn builtin_exit(_v: &mut Lval) -> BlisprResult {
+    // always succeeds
+    println!("Goodbye!");
+    ::std::process::exit(0);
+}
+
+// Return the first element of a qexpr
+pub fn builtin_head(v: &mut Lval) -> BlisprResult {
+    let mut qexpr = lval_pop(v, 0)?;
+    match *qexpr {
+        Lval::Qexpr(ref mut children) => {
+            if children.is_empty() {
+                return Err(BlisprError::EmptyList);
+            }
+            debug!("builtin_head: Returning the first element");
+            Ok(children[0].clone())
+        }
+        _ => Err(BlisprError::WrongType(
+            "qexpr".to_string(),
+            format!("{:?}", qexpr),
+        )),
+    }
+}
+
+// Return everything but the last element of a qexpr
+pub fn builtin_init(v: &mut Lval) -> BlisprResult {
+    let qexpr = lval_pop(v, 0)?;
+    match *qexpr {
+        Lval::Qexpr(ref children) => {
+            let mut ret = lval_qexpr();
+            for item in children.iter().take(children.len() - 1) {
+                lval_add(&mut ret, &item.clone())?;
+            }
+            Ok(ret)
+        }
+        _ => Err(BlisprError::WrongType(
+            "qexpr".to_string(),
+            format!("{:?}", qexpr),
+        )),
+    }
+}
+
+// Join the children into one qexpr
+pub fn builtin_join(v: &mut Lval) -> BlisprResult {
+    let mut ret = lval_qexpr();
+    for _ in 0..v.len()? {
+        let next = lval_pop(v, 0)?;
+        match *next {
+            Lval::Qexpr(_) => {
+                lval_join(&mut ret, next)?;
+            }
+            _ => {
+                return Err(BlisprError::WrongType(
+                    "qexpr".to_string(),
+                    format!("{:?}", next),
+                ))
+            }
+        }
+    }
+    Ok(ret)
+}
+
+//builtin_lambda returns a lambda lval from two lists of symbols
+pub fn builtin_lambda(v: &mut Lval) -> BlisprResult {
+    // ensure there's only two arguments
+    let child_count = v.len()?;
+    if child_count != 2 {
+        return Err(BlisprError::NumArguments(2, child_count));
+    }
+
+    // first qexpr should contain only symbols - lval.as_string().is_ok()
+    let formals = lval_pop(v, 0)?;
+    let formals_ret = formals.clone(); // ewwww but it gets moved on me?!  this might be why Rc<> - it doesn't need to mutate
+    let body = lval_pop(v, 0)?;
+    match *formals {
+        Lval::Qexpr(contents) => {
+            for cell in contents {
+                if cell.as_string().is_err() {
+                    return Err(BlisprError::WrongType(
+                        "Symbol".to_string(),
+                        format!("{:?}", cell),
+                    ));
+                }
+            }
+            match *body {
+                Lval::Qexpr(_) => Ok(lval_lambda(HashMap::new(), formals_ret, body)),
+                _ => Err(BlisprError::WrongType(
+                    "Q-Expression".to_string(),
+                    format!("{:?}", body),
+                )),
+            }
+        }
+        _ => Err(BlisprError::WrongType(
+            "Q-Expression".to_string(),
+            format!("{:?}", formals),
+        )),
+    }
+}
+
+// make sexpr into a qexpr
+pub fn builtin_list(v: &mut Lval) -> BlisprResult {
+    match *v {
+        Lval::Sexpr(ref children) => {
+            debug!("builtin_list: Building qexpr from {:?}", children);
+            let mut new_qexpr = lval_qexpr();
+            for c in children {
+                let cloned = Box::new(*c.clone());
+                lval_add(&mut new_qexpr, &cloned)?;
+            }
+            Ok(new_qexpr)
+        }
+        _ => Ok(Box::new(v.clone())),
+    }
+}
+
+pub fn builtin_len(v: &mut Lval) -> BlisprResult {
+    let child_count = v.len()?;
+    match child_count {
+        1 => {
+            let qexpr = lval_pop(v, 0)?;
+            match *qexpr {
+                Lval::Qexpr(_) => {
+                    debug!("Returning length of {:?}", qexpr);
+                    Ok(lval_num(qexpr.len()? as i64))
+                }
+                _ => Err(BlisprError::WrongType(
+                    "qexpr".to_string(),
+                    format!("{:?}", qexpr),
+                )),
+            }
+        }
+        _ => Err(BlisprError::NumArguments(1, child_count)),
+    }
+}
+
+pub fn builtin_printenv_stub(_v: &mut Lval) -> BlisprResult {
+    Ok(lval_sexpr())
+}
+
+// Print all the named variables in the environment
+pub fn builtin_printenv(e: &mut Lenv) -> BlisprResult {
+    // we don't use the input
+    lval_eval(e, &mut *e.list_all()?)
+}
+
+pub fn builtin_tail(v: &mut Lval) -> BlisprResult {
+    let mut qexpr = lval_pop(v, 0)?;
+    debug!("Returning tail of {:?}", qexpr);
+    match *qexpr {
+        Lval::Qexpr(ref mut children) => {
+            if children.is_empty() {
+                return Err(BlisprError::EmptyList);
+            }
+            let mut ret = lval_qexpr();
+            for c in &children[1..] {
+                lval_add(&mut ret, &c.clone())?;
+            }
+            Ok(ret)
+        }
+        _ => Err(BlisprError::WrongType(
+            "qexpr".to_string(),
+            format!("{:?}", qexpr),
+        )),
+    }
+}
+
+// Call a Lval::Fun(f) on an argument list
+// This will handle both builtins and lambdas
+pub fn lval_call(e: &mut Lenv, f: Lval, args: &mut Lval) -> BlisprResult {
+    match f {
+        Lval::Fun(func) => {
+            match func {
+                // if its one of the ones that need an environment, intercept and route to the properly typed fn
+                LvalFun::Builtin(name, fp) => match name.as_str() {
+                    "eval" => builtin_eval(e, args),
+                    "def" => builtin_def(e, args),
+                    //"=" => builtin_put(e, args),
+                    "printenv" => builtin_printenv(e),
+                    // Otherwise, just apply the actual stored function pointer
+                    _ => fp(args),
+                },
+                LvalFun::Lambda(env, mut formals, body) => {
+                    debug!(
+                        "Executing lambda.  Environment: {:?}, Formals: {:?}, body: {:?}",
+                        env, formals, body
+                    );
+                    // If it's a Lambda, bind arguments to a new local environment
+
+                    // First, build the lookup hashmap
+                    let mut new_env: HashMap<String, Box<Lval>> = HashMap::new();
+                    // grab the argument and body
+                    let given = args.len()?;
+                    let total = formals.len()?;
+
+                    while args.len()? > 0 {
+                        // if we've run out of args to bind, error
+                        if formals.len()? == 0 {
+                            return Err(BlisprError::NumArguments(total, given));
+                        }
+
+                        // grab first symbol from formals
+                        let sym = lval_pop(&mut formals, 0)?;
+
+                        // special case to handle '&'
+                        if &sym.as_string()? == "&" {
+                            // make sure there's one symbol left
+                            if formals.len()? != 1 {
+                                return Err(BlisprError::FunctionFormat);
+                            }
+
+                            // next formal should be found to remaining args
+                            let next_sym = lval_pop(&mut formals, 0)?;
+                            let arglist = builtin_list(args)?;
+                            let curr = new_env
+                                .entry(next_sym.as_string()?)
+                                .or_insert(arglist.clone());
+                            if *curr != arglist {
+                                *curr = arglist.clone();
+                            }
+                            break;
+                        }
+
+                        // grab next argument from list
+                        let val = lval_pop(args, 0)?;
+
+                        // bind a copy to the function's environment
+                        debug!("lval_call: adding {},{} to local fn environment", sym, val);
+                        let curr = new_env.entry(sym.as_string()?).or_insert(val.clone());
+                        // if we're overwriting, overwrite!
+                        if *curr != val {
+                            *curr = val.clone();
+                        }
+                    }
+                    // Use the lookup map to initialize the new child env for evaluation
+                    let mut local_env = Lenv::new(Some(new_env.clone()), Some(e));
+                    // if all formals have been bound
+                    if formals.len()? == 0 {
+                        // Evaluate and return
+                        // first, apply any held by the lambda.
+                        for (k, v) in env {
+                            local_env.put(k, v);
+                        }
+                        let mut ret = lval_sexpr();
+                        lval_add(&mut ret, &body)?;
+                        debug!("lval_call: evaluating fully applied lambda {}", ret);
+                        // evaluate with the environment of the function, which now has the env this was called with as a parent.
+                        builtin_eval(&mut local_env, &mut ret)
+                    } else {
+                        // Otherwise return partially evaluated function
+                        // build a new lval for it
+                        debug!("Returning partially applied lambda");
+                        Ok(lval_lambda(new_env, formals.clone(), body.clone()))
+                    }
+                }
+            }
+        }
+        _ => Err(BlisprError::WrongType(
+            "Function".to_string(),
+            format!("{:?}", f),
+        )),
+    }
+}
+
+// Given a slice of boxed Lvals, return a single evaluated sexpr
+fn eval_cells(e: &mut Lenv, cells: &[Box<Lval>]) -> BlisprResult {
+    cells.iter().fold(Ok(lval_sexpr()), |acc, c| {
+        match acc {
+            Ok(mut lval) => {
+                lval_add(&mut lval, &*lval_eval(e, &mut c.clone())?)?;
+                Ok(lval)
+            }
+            // it's just a Result so we can bubble errors out of the fold
+            Err(_) => unreachable!(),
+        }
+    })
+}
+
+// Fully evaluate an `Lval`
+pub fn lval_eval(e: &mut Lenv, v: &mut Lval) -> BlisprResult {
+    let child_count;
+    let mut args_eval;
+    match v {
+        Lval::Blispr(forms) => {
+            // If it's multiple, evaluate each and return the result of the last
+            args_eval = eval_cells(e, forms)?;
+            let forms_len = args_eval.len()?;
+            return Ok(lval_pop(&mut args_eval, forms_len - 1)?);
+        }
+        Lval::Sym(s) => {
+            // If it's a symbol, perform an environment lookup
+            let result = e.get(&s)?;
+            debug!(
+                "lval_eval: Symbol lookup - retrieved {:?} from key {:?}",
+                result, s
+            );
+            // The environment stores Lvals ready to go, we're done
+            return Ok(result);
+        }
+        Lval::Sexpr(ref mut cells) => {
+            // If it's a Sexpr, we're going to continue past this match
+            // First, though, recursively evaluate each child with lval_eval()
+            debug!("lval_eval: Sexpr, evaluating children");
+            // grab the length and evaluate the children
+            child_count = cells.len();
+            args_eval = eval_cells(e, cells)?;
+        }
+        // if it's not a sexpr, we're done, return as is
+        _ => {
+            debug!("lval_eval: Non-sexpr: {:?}", v);
+            return Ok(Box::new(v.clone()));
+        }
+    }
+    if child_count == 0 {
+        // It was a Sexpr, but it was empty.  We're done, return it
+        Ok(Box::new(v.clone()))
+    } else if child_count == 1 {
+        // Single expression
+        debug!("Single-expression");
+        lval_eval(e, &mut *lval_pop(v, 0)?)
+    } else {
+        // Function call
+        // We'll pop the first element off and attempt to call it on the rest of the elements
+        // lval_call will handle typechecking fp
+        let fp = lval_pop(&mut args_eval, 0)?;
+        debug!("Calling function {:?} on {:?}", fp, v);
+        lval_call(e, *fp, &mut *args_eval)
+    }
+}

src/repl/lpus.pest

@@ -0,0 +1,19 @@
+COMMENT = _{ "/*" ~ (!"*/" ~ ANY)* ~ "*/" }
+WHITESPACE = _{ (" " | NEWLINE ) }
+
+num = @{ int }
+    int = { ("+" | "-")? ~ digit+ }
+    digit = { '0'..'9' }
+
+symbol = @{ (letter | digit | "_" | arithmetic_ops | "\\" | comparison_ops | "&")+ }
+    letter = { 'a' .. 'z' | 'A' .. 'Z' }
+    arithmetic_ops = { "+" | "-" | "*" | "/" | "%" | "^" }
+    comparison_ops = { "=" | "<" | ">" | "!" }
+
+sexpr = { "(" ~ expr* ~ ")" }
+
+qexpr = { "{" ~ expr* ~ "}" }
+
+expr = { num | symbol | sexpr | qexpr }
+
+program = { SOI ~ expr* ~ EOI }

src/repl/lval.rs

@@ -0,0 +1,182 @@
+use std::{collections::HashMap, fmt};
+
+// The recursive types hold their children in one of these bad boys
+// TODO Should this be a VecDeque or a LinkedList instead?
+type LvalChildren = Vec<Box<Lval>>;
+pub type LBuiltin = fn(&mut Lval) -> ReplResult;
+
+// There are two types of function - builtin and lambda
+#[derive(Clone)]
+pub enum LvalFun {
+    Builtin(String, LBuiltin), // (name, function pointer)
+    Lambda(HashMap<String, Box<Lval>>, Box<Lval>, Box<Lval>), // (environment(?), formals, body), both should be Qexpr // TODO these should both be Rc<T>
+}
+
+// The book has a pointer to an Lenv in the Lambda
+// I instead just store a plain old hashmap of any extras
+// it's then applied in lval_call
+
+// The main type - all possible Blispr values
+#[derive(Debug, Clone, PartialEq)]
+pub enum Lval {
+    Lpus(LvalChildren),
+    Fun(LvalFun),
+    Num(i64),
+    Sym(String),
+    Sexpr(LvalChildren),
+    Qexpr(LvalChildren),
+}
+
+impl Lval {
+    pub fn as_num(&self) -> Result<i64> {
+        match *self {
+            Lval::Num(n_num) => Ok(n_num),
+            _ => Err("".into()),
+        }
+    }
+    pub fn as_string(&self) -> Result<String> {
+        match self {
+            Lval::Sym(s) => Ok(s.to_string()),
+            _ => Err(BlisprError::WrongType(
+                "symbol".to_string(),
+                format!("{}", self),
+            )),
+        }
+    }
+    pub fn len(&self) -> Result<usize> {
+        match *self {
+            Lval::Sexpr(ref children) | Lval::Qexpr(ref children) | Lval::Blispr(ref children) => {
+                Ok(children.len())
+            }
+            _ => Err(BlisprError::NoChildren),
+        }
+    }
+}
+
+impl fmt::Debug for LvalFun {
+    fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
+        match self {
+            LvalFun::Builtin(name, _) => write!(f, "Builtin({})", name),
+            LvalFun::Lambda(env, formals, body) => {
+                write!(f, "Lambda({{{:?}}},{{{}}},{{{}}})", env, formals, body)
+            }
+        }
+    }
+}
+
+impl PartialEq for LvalFun {
+    fn eq(&self, other: &LvalFun) -> bool {
+        match self {
+            LvalFun::Builtin(name, _) => match other {
+                LvalFun::Builtin(other_name, _) => name == other_name,
+                _ => false,
+            },
+            LvalFun::Lambda(env, formals, body) => match other {
+                LvalFun::Lambda(other_env, other_f, other_b) => {
+                    formals == other_f && body == other_b && env == other_env
+                }
+                _ => false,
+            },
+        }
+    }
+}
+
+impl fmt::Display for Lval {
+    fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
+        match self {
+            Lval::Blispr(_cells) => write!(f, "<toplevel>"),
+            Lval::Fun(lf) => match lf {
+                LvalFun::Builtin(name, _) => write!(f, "<builtin: {}>", name),
+                LvalFun::Lambda(_, formals, body) => write!(f, "(\\ {} {})", formals, body),
+            },
+            Lval::Num(n) => write!(f, "{}", n),
+            Lval::Sym(s) => write!(f, "{}", s),
+            Lval::Sexpr(cell) => write!(f, "({})", lval_expr_print(cell)),
+            Lval::Qexpr(cell) => write!(f, "{{{}}}", lval_expr_print(cell)),
+        }
+    }
+}
+
+fn lval_expr_print(cell: &[Box<Lval>]) -> String {
+    let mut ret = String::new();
+    for i in 0..cell.len() {
+        ret.push_str(&format!("{}", cell[i]));
+        if i < cell.len() - 1 {
+            ret.push_str(" ");
+        }
+    }
+    ret
+}
+
+// Constructors
+// Each allocates a brand new boxed Lval
+// The recursive types start empty
+
+pub fn lval_blispr() -> Box<Lval> {
+    Box::new(Lval::Blispr(Vec::new()))
+}
+
+pub fn lval_builtin(f: LBuiltin, name: &str) -> Box<Lval> {
+    Box::new(Lval::Fun(LvalFun::Builtin(name.to_string(), f)))
+}
+
+pub fn lval_lambda(
+    env: HashMap<String, Box<Lval>>,
+    formals: Box<Lval>,
+    body: Box<Lval>,
+) -> Box<Lval> {
+    Box::new(Lval::Fun(LvalFun::Lambda(env, formals, body)))
+}
+
+pub fn lval_num(n: i64) -> Box<Lval> {
+    Box::new(Lval::Num(n))
+}
+
+pub fn lval_sym(s: &str) -> Box<Lval> {
+    Box::new(Lval::Sym(s.into()))
+}
+
+pub fn lval_sexpr() -> Box<Lval> {
+    Box::new(Lval::Sexpr(Vec::new()))
+}
+
+pub fn lval_qexpr() -> Box<Lval> {
+    Box::new(Lval::Qexpr(Vec::new()))
+}
+
+// Manipulating children
+
+// Add lval x to lval::sexpr or lval::qexpr v
+pub fn lval_add(v: &mut Lval, x: &Lval) -> Result<()> {
+    match *v {
+        Lval::Sexpr(ref mut children)
+        | Lval::Qexpr(ref mut children)
+        | Lval::Blispr(ref mut children) => {
+            children.push(Box::new(x.clone()));
+        }
+        _ => return Err(BlisprError::NoChildren),
+    }
+    Ok(())
+}
+
+// Extract single element of sexpr at index i
+pub fn lval_pop(v: &mut Lval, i: usize) -> BlisprResult {
+    match *v {
+        Lval::Sexpr(ref mut children)
+        | Lval::Qexpr(ref mut children)
+        | Lval::Blispr(ref mut children) => {
+            let ret = (&children[i]).clone();
+            children.remove(i);
+            Ok(ret)
+        }
+        _ => Err(BlisprError::NoChildren),
+    }
+}
+
+// Add each cell in y to x
+pub fn lval_join(x: &mut Lval, mut y: Box<Lval>) -> Result<()> {
+    while y.len()? > 0 {
+        lval_add(x, &*lval_pop(&mut y, 0)?)?;
+    }
+    Ok(())
+}

src/repl/parser.rs

@@ -0,0 +1,56 @@
+use pest::{iterators::Pair, Parser};
+
+#[derive(Parser)]
+#[grammar = "lpus.pest"]
+pub struct LpusParser;
+
+fn is_bracket_or_eoi(parsed: &Pair<Rule>) -> bool {
+    if parsed.as_rule() == Rule::EOI {
+        return true;
+    }
+    let c = parsed.as_str();
+    c == "(" || c == ")" || c == "{" || c == "}"
+}
+
+// Read a rule with children into the given containing Lval
+fn read_to_lval(mut v: &mut Lval, parsed: Pair<Rule>) -> Result<()> {
+    for child in parsed.into_inner() {
+        if is_bracket_or_eoi(&child) {
+            continue;
+        }
+        lval_add(&mut v, &*lval_read(child)?)?;
+    }
+    Ok(())
+}
+
+fn lval_read(parsed: Pair<Rule>) -> ReplResult {
+    match parsed.as_rule() {
+        // Rule::program => {
+        //     let mut ret = lval_lpus();
+        //     read_to_lval(&mut ret, parsed)?;
+        //     Ok(ret)
+        // }
+        // Rule::expr => lval_read(parsed.into_inner().next().unwrap()),
+        Rule::sexpr => {
+            let mut ret = lval_sexpr();
+            read_to_lval(&mut ret, parsed)?;
+            Ok(ret)
+        }
+        // Rule::qexpr => {
+        //     let mut ret = lval_qexpr();
+        //     read_to_lval(&mut ret, parsed)?;
+        //     Ok(ret)
+        // }
+        Rule::num => Ok(lval_num(parsed.as_str().parse::<i64>()?)),
+        Rule::symbol => Ok(lval_sym(parsed.as_str())),
+        _ => unreachable!(), // COMMENT/WHITESPACE etc
+    }
+}
+
+pub fn eval_str(e: &mut Lenv, s: &str) -> ReplResult {
+    let parsed = LpusParser::parse(Rule::sexpr, s)?.next().unwrap();
+    // debug!("{}", parsed);
+    let mut lval_ptr = lval_read(parsed)?;
+    // debug!("Parsed: {:?}", *lval_ptr);
+    lval_eval(e, &mut *lval_ptr)
+}

src/repl/repl.rs

@@ -0,0 +1,44 @@
+use rustyline::error::ReadlineError;
+use rustyline::Editor;
+
+fn repl(e: &mut Lenv) -> Result<()> {
+    println!("LPUS v0.0.1");
+    println!("Use exit(), Ctrl-C, or Ctrl-D to exit prompt");
+
+    let mut rl = Editor::<()>::new();
+    if rl.load_history("./.lpus-history.txt").is_err() {
+        println!("No history found.");
+    }
+
+    loop {
+        let input = rl.readline("lpus> ");
+
+        match input {
+            Ok(line) => {
+                rl.add_history_entry(line.as_ref());
+                print_eval_result(eval_str(e, &line));
+            }
+            Err(ReadlineError::Interrupted) => {
+                info!("CTRL-C");
+                break;
+            }
+            Err(ReadlineError::Eof) => {
+                info!("CTRL-D");
+                break;
+            }
+            Err(err) => {
+                warn!("Error: {:?}", err);
+                break;
+            }
+        }
+    }
+    rl.save_history("./.blispr-history.txt")?;
+    Ok(())
+}
+
+fn print_eval_result(v: ReplResult) {
+    match v {
+        Ok(res) => println!("{}", res),
+        Err(e) => eprintln!("Error: {}", e),
+    }
+}

src/windows.rs

@@ -1,23 +1,33 @@
-use std::ffi::CString;
-use widestring::{U16CString};
+use std::ffi::{c_void, CString};
+use std::mem::{transmute, size_of_val};
+use std::ptr::null_mut;
+use std::time::{SystemTime, UNIX_EPOCH};
+use widestring::U16CString;
 
 use winapi::shared::ntdef::*;
 use winapi::shared::minwindef::{DWORD, HKEY, HMODULE};
 use winapi::um::winnt::{
     SE_PRIVILEGE_ENABLED, TOKEN_PRIVILEGES, TOKEN_ADJUST_PRIVILEGES, LUID_AND_ATTRIBUTES,
     REG_DWORD, REG_SZ, REG_OPTION_NON_VOLATILE, KEY_WRITE,
-    PRTL_OSVERSIONINFOW, OSVERSIONINFOW
+    PRTL_OSVERSIONINFOW, OSVERSIONINFOW,
+    FILE_ATTRIBUTE_NORMAL, GENERIC_READ, GENERIC_WRITE
 };
 
-use winapi::um::handleapi::*;
-use winapi::um::libloaderapi::*;
-use winapi::um::processthreadsapi::*;
-use winapi::um::securitybaseapi::*;
-use winapi::um::winbase::*;
-use winapi::um::winreg::*;
+use winapi::um::ioapiset::{DeviceIoControl};
+use winapi::um::errhandlingapi::{GetLastError};
+use winapi::um::fileapi::{CreateFileA, CREATE_ALWAYS};
+use winapi::um::handleapi::{INVALID_HANDLE_VALUE, CloseHandle};
+use winapi::um::libloaderapi::{LoadLibraryA, GetProcAddress};
+use winapi::um::processthreadsapi::{GetCurrentProcess, OpenProcessToken};
+use winapi::um::sysinfoapi::{GetTickCount64};
+use winapi::um::securitybaseapi::{AdjustTokenPrivileges};
+use winapi::um::winbase::{LookupPrivilegeValueA};
+use winapi::um::winreg::{RegCreateKeyExA, RegSetValueExA, RegCloseKey, HKEY_LOCAL_MACHINE};
+
+const STR_DRIVER_REGISTRY_PATH: &str = "\\Registry\\Machine\\System\\CurrentControlSet\\Services\\lpus";
 
 #[allow(dead_code)]
-#[derive(Debug)]
+#[derive(Debug, Copy, Clone)]
 pub enum WindowsVersion {
     Windows10_2015,
     Windows10_2016,
@@ -30,36 +40,34 @@ pub enum WindowsVersion {
 }
 
 #[allow(dead_code)]
+#[derive(Copy, Clone)]
 pub struct WindowsFFI {
     pub version_info: OSVERSIONINFOW,
     pub short_version: WindowsVersion,
-    driver_registry_string: UNICODE_STRING,
+    driver_handle: HANDLE,
     ntdll: HMODULE,
-    nt_load_driver: extern "stdcall" fn(PUNICODE_STRING) -> NTSTATUS,
-    nt_unload_driver: extern "stdcall" fn(PUNICODE_STRING) -> NTSTATUS,
-    rtl_init_unicode_str: extern "stdcall" fn(PUNICODE_STRING, PCWSTR),
+    nt_load_driver: extern "system" fn(PUNICODE_STRING) -> NTSTATUS,
+    nt_unload_driver: extern "system" fn(PUNICODE_STRING) -> NTSTATUS,
+    rtl_init_unicode_str: extern "system" fn(PUNICODE_STRING, PCWSTR),
     rtl_get_version: extern "system" fn(PRTL_OSVERSIONINFOW) -> NTSTATUS,
 }
 
 impl WindowsFFI {
     pub fn new() -> Self {
-        let str_ntdll = CString::new("ntdll").expect("");
-        let str_nt_load_driver = CString::new("NtLoadDriver").expect("");
-        let str_nt_unload_driver = CString::new("NtUnloadDriver").expect("");
-        let str_rtl_init_unicode_str = CString::new("RtlInitUnicodeString").expect("");
-        let str_rtl_get_version = CString::new("RtlGetVersion").expect("");
-        let str_se_load_driver_privilege = CString::new("SeLoadDriverPrivilege").expect("");
+        let str_ntdll = CString::new("ntdll").unwrap();
+        let str_nt_load_driver = CString::new("NtLoadDriver").unwrap();
+        let str_nt_unload_driver = CString::new("NtUnloadDriver").unwrap();
+        let str_rtl_init_unicode_str = CString::new("RtlInitUnicodeString").unwrap();
+        let str_rtl_get_version = CString::new("RtlGetVersion").unwrap();
+        let str_se_load_driver_privilege = CString::new("SeLoadDriverPrivilege").unwrap();
 
-        let str_driver_path = CString::new("\\SystemRoot\\System32\\DRIVERS\\nganhkhoa.sys").expect("");
-        let str_registry_path = CString::new("System\\CurrentControlSet\\Services\\nganhkhoa").expect("");
-        let str_driver_reg =
-            U16CString::from_str("\\Registry\\Machine\\System\\CurrentControlSet\\Services\\nganhkhoa").expect("");
-        let str_type = CString::new("Type").expect("");
-        let str_error_control = CString::new("ErrorControl").expect("");
-        let str_start = CString::new("Start").expect("");
-        let str_image_path = CString::new("ImagePath").expect("");
+        let str_driver_path = CString::new("\\SystemRoot\\System32\\DRIVERS\\lpus.sys").unwrap();
+        let str_registry_path = CString::new("System\\CurrentControlSet\\Services\\lpus").unwrap();
+        let str_type = CString::new("Type").unwrap();
+        let str_error_control = CString::new("ErrorControl").unwrap();
+        let str_start = CString::new("Start").unwrap();
+        let str_image_path = CString::new("ImagePath").unwrap();
 
-        let mut str_driver_reg_unicode = UNICODE_STRING::default();
         let mut version_info = OSVERSIONINFOW {
             dwOSVersionInfoSize: 0u32,
             dwMajorVersion: 0u32,
@@ -70,9 +78,9 @@ impl WindowsFFI {
         };
 
         let ntdll: HMODULE;
-        let nt_load_driver: extern "stdcall" fn(PUNICODE_STRING) -> NTSTATUS;
-        let nt_unload_driver: extern "stdcall" fn(PUNICODE_STRING) -> NTSTATUS;
-        let rtl_init_unicode_str: extern "stdcall" fn(PUNICODE_STRING, PCWSTR);
+        let nt_load_driver: extern "system" fn(PUNICODE_STRING) -> NTSTATUS;
+        let nt_unload_driver: extern "system" fn(PUNICODE_STRING) -> NTSTATUS;
+        let rtl_init_unicode_str: extern "system" fn(PUNICODE_STRING, PCWSTR);
         let rtl_get_version: extern "system" fn(PRTL_OSVERSIONINFOW) -> NTSTATUS;
 
         // some pointer unsafe C code
@@ -83,18 +91,18 @@ impl WindowsFFI {
             let rtl_init_unicode_str_ = GetProcAddress(ntdll, str_rtl_init_unicode_str.as_ptr());
             let rtl_get_version_ = GetProcAddress(ntdll, str_rtl_get_version.as_ptr());
 
-            nt_load_driver = std::mem::transmute(nt_load_driver_);
-            nt_unload_driver = std::mem::transmute(nt_unload_driver_);
-            rtl_init_unicode_str = std::mem::transmute(rtl_init_unicode_str_);
-            rtl_get_version = std::mem::transmute(rtl_get_version_);
+            nt_load_driver = transmute(nt_load_driver_);
+            nt_unload_driver = transmute(nt_unload_driver_);
+            rtl_init_unicode_str = transmute(rtl_init_unicode_str_);
+            rtl_get_version = transmute(rtl_get_version_);
 
             // setup registry
-            let mut registry_key: HKEY = std::ptr::null_mut();
+            let mut registry_key: HKEY = null_mut();
             RegCreateKeyExA(
                 HKEY_LOCAL_MACHINE, str_registry_path.as_ptr(),
-                0, std::ptr::null_mut(),
+                0, null_mut(),
                 REG_OPTION_NON_VOLATILE, KEY_WRITE,
-                std::ptr::null_mut(), &mut registry_key, std::ptr::null_mut()
+                null_mut(), &mut registry_key, null_mut()
             );
             let type_value: [u8; 4] = 1u32.to_le_bytes();
             let error_control_value: [u8; 4] = 1u32.to_le_bytes();
@@ -115,10 +123,10 @@ impl WindowsFFI {
             RegCloseKey(registry_key);
 
             // Setup privilege SeLoadDriverPrivilege
-            let mut token_handle: HANDLE = std::ptr::null_mut();
+            let mut token_handle: HANDLE = null_mut();
             let mut luid = LUID::default();
             OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &mut token_handle);
-            LookupPrivilegeValueA(std::ptr::null_mut(), str_se_load_driver_privilege.as_ptr(), &mut luid);
+            LookupPrivilegeValueA(null_mut(), str_se_load_driver_privilege.as_ptr(), &mut luid);
             let mut new_token_state = TOKEN_PRIVILEGES {
                 PrivilegeCount: 1,
                 Privileges: [LUID_AND_ATTRIBUTES {
@@ -127,11 +135,8 @@ impl WindowsFFI {
                 }]
             };
             AdjustTokenPrivileges(
-                token_handle, 0, &mut new_token_state, 16, std::ptr::null_mut(), std::ptr::null_mut());
+                token_handle, 0, &mut new_token_state, 16, null_mut(), null_mut());
             CloseHandle(token_handle);
-
-            // init string for load and unload driver routine
-            rtl_init_unicode_str(&mut str_driver_reg_unicode, str_driver_reg.as_ptr() as *const u16);
         }
 
         rtl_get_version(&mut version_info);
@@ -147,7 +152,7 @@ impl WindowsFFI {
         Self {
             version_info,
             short_version,
-            driver_registry_string: str_driver_reg_unicode,
+            driver_handle: INVALID_HANDLE_VALUE,
             ntdll,
             nt_load_driver,
             nt_unload_driver,
@@ -156,12 +161,40 @@ impl WindowsFFI {
         }
     }
 
-    pub fn load_driver(&mut self) -> NTSTATUS {
-        (self.nt_load_driver)(&mut self.driver_registry_string)
+    pub fn driver_loaded(self) -> bool {
+        self.driver_handle != INVALID_HANDLE_VALUE
     }
 
-    pub fn unload_driver(&mut self) -> NTSTATUS {
-        (self.nt_unload_driver)(&mut self.driver_registry_string)
+    pub fn load_driver(&mut self) -> NTSTATUS {
+        // TODO: Move this to new()
+        // If we move this function to new(), self.driver_handle will be init, and thus no mut here
+        let str_driver_reg = U16CString::from_str(STR_DRIVER_REGISTRY_PATH).unwrap();
+        let mut str_driver_reg_unicode = UNICODE_STRING::default();
+        (self.rtl_init_unicode_str)(&mut str_driver_reg_unicode, str_driver_reg.as_ptr() as *const u16);
+        let status = (self.nt_load_driver)(&mut str_driver_reg_unicode);
+
+        let filename = CString::new("\\\\.\\poolscanner").unwrap();
+        let driver_file_handle: HANDLE = unsafe {
+            CreateFileA(filename.as_ptr(),
+                        GENERIC_READ | GENERIC_WRITE,
+                        0, null_mut(), CREATE_ALWAYS,
+                        FILE_ATTRIBUTE_NORMAL, null_mut())
+        };
+
+        if driver_file_handle == INVALID_HANDLE_VALUE {
+            println!("Driver CreateFileA failed");
+        }
+        else {
+            self.driver_handle = driver_file_handle;
+        }
+        status
+    }
+
+    pub fn unload_driver(&self) -> NTSTATUS {
+        let str_driver_reg = U16CString::from_str(STR_DRIVER_REGISTRY_PATH).unwrap();
+        let mut str_driver_reg_unicode = UNICODE_STRING::default();
+        (self.rtl_init_unicode_str)(&mut str_driver_reg_unicode, str_driver_reg.as_ptr());
+        (self.nt_unload_driver)(&mut str_driver_reg_unicode)
     }
 
     #[allow(dead_code)]
@@ -178,4 +211,47 @@ impl WindowsFFI {
             self.short_version
         );
     }
+
+    pub fn valid_process_time(&self, filetime: u64) -> bool {
+        // https://www.frenk.com/2009/12/convert-filetime-to-unix-timestamp/
+        let windows_epoch_diff = 11644473600000 * 10000;
+        if filetime < windows_epoch_diff {
+            return false;
+        }
+        let system_up_time_ms = unsafe { GetTickCount64() };
+        let process_time_epoch = (filetime - windows_epoch_diff) / 10000;
+        let now_ms = SystemTime::now().duration_since(UNIX_EPOCH).expect("Time went backwards").as_millis() as u64;
+        let system_start_up_time_ms = now_ms - system_up_time_ms;
+
+        if process_time_epoch < system_start_up_time_ms {
+            false
+        } else if process_time_epoch > now_ms {
+            false
+        } else {
+            true
+        }
+    }
+
+    pub fn device_io<T, E>(&self, code: DWORD, inbuf: &mut T, outbuf: &mut E) -> DWORD {
+        self.device_io_raw(code,
+                           inbuf as *mut _ as *mut c_void, size_of_val(inbuf) as DWORD,
+                           outbuf as *mut _ as *mut c_void, size_of_val(outbuf) as DWORD)
+    }
+
+    pub fn device_io_raw(&self, code: DWORD,
+                         input_ptr: *mut c_void, input_len: DWORD,
+                         output_ptr: *mut c_void, output_len: DWORD) -> DWORD {
+        // println!("driver loaded: {}; device_io_code: {}", self.driver_loaded(), code);
+        let mut bytes_returned: DWORD = 0;
+        unsafe {
+            let status = DeviceIoControl(self.driver_handle, code,
+                                         input_ptr, input_len,
+                                         output_ptr, output_len,
+                                         &mut bytes_returned, null_mut());
+            if status == 0 {
+                println!("device io failed: last error {}", GetLastError());
+            }
+        };
+        bytes_returned
+    }
 }