Update lpus

File scan printing update Update values sent to driver in ioctl for Windows 10 2019/2018
check read access when dump file name in _FILE_OBJECT
2020-06-02 16:27:29 +07:00 · 2020-05-29 01:39:32 +07:00 · 2020-05-22 14:44:47 +07:00 · 2020-05-21 17:36:06 +07:00 · 2020-05-20 15:02:09 +07:00 · 2020-05-20 13:51:38 +07:00
16 changed files with 52097 additions and 665 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
@ -5,6 +5,17 @@ name = "anyhow"
 version = "1.0.26"
 source = "registry+https://github.com/rust-lang/crates.io-index"

+[[package]]
+name = "app_dirs"
+version = "1.2.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+dependencies = [
+ "ole32-sys 0.2.0 (registry+https://github.com/rust-lang/crates.io-index)",
+ "shell32-sys 0.1.2 (registry+https://github.com/rust-lang/crates.io-index)",
+ "winapi 0.2.8 (registry+https://github.com/rust-lang/crates.io-index)",
+ "xdg 2.2.0 (registry+https://github.com/rust-lang/crates.io-index)",
+]
+
 [[package]]
 name = "autocfg"
 version = "1.0.0"
@ -48,6 +59,16 @@ name = "cfg-if"
 version = "0.1.10"
 source = "registry+https://github.com/rust-lang/crates.io-index"

+[[package]]
+name = "chrono"
+version = "0.4.10"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+dependencies = [
+ "num-integer 0.1.42 (registry+https://github.com/rust-lang/crates.io-index)",
+ "num-traits 0.2.11 (registry+https://github.com/rust-lang/crates.io-index)",
+ "time 0.1.42 (registry+https://github.com/rust-lang/crates.io-index)",
+]
+
 [[package]]
 name = "core-foundation"
 version = "0.6.4"
@ -327,6 +348,19 @@ dependencies = [
 "cfg-if 0.1.10 (registry+https://github.com/rust-lang/crates.io-index)",
 ]

+[[package]]
+name = "lpus"
+version = "0.1.0"
+dependencies = [
+ "app_dirs 1.2.1 (registry+https://github.com/rust-lang/crates.io-index)",
+ "chrono 0.4.10 (registry+https://github.com/rust-lang/crates.io-index)",
+ "hex 0.4.2 (registry+https://github.com/rust-lang/crates.io-index)",
+ "pdb 0.5.0 (registry+https://github.com/rust-lang/crates.io-index)",
+ "reqwest 0.10.1 (registry+https://github.com/rust-lang/crates.io-index)",
+ "widestring 0.4.0 (registry+https://github.com/rust-lang/crates.io-index)",
+ "winapi 0.3.8 (registry+https://github.com/rust-lang/crates.io-index)",
+]
+
 [[package]]
 name = "matches"
 version = "0.1.8"
@ -416,6 +450,23 @@ dependencies = [
 "version_check 0.1.5 (registry+https://github.com/rust-lang/crates.io-index)",
 ]

+[[package]]
+name = "num-integer"
+version = "0.1.42"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+dependencies = [
+ "autocfg 1.0.0 (registry+https://github.com/rust-lang/crates.io-index)",
+ "num-traits 0.2.11 (registry+https://github.com/rust-lang/crates.io-index)",
+]
+
+[[package]]
+name = "num-traits"
+version = "0.2.11"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+dependencies = [
+ "autocfg 1.0.0 (registry+https://github.com/rust-lang/crates.io-index)",
+]
+
 [[package]]
 name = "num_cpus"
 version = "1.12.0"
@ -425,6 +476,15 @@ dependencies = [
 "libc 0.2.66 (registry+https://github.com/rust-lang/crates.io-index)",
 ]

+[[package]]
+name = "ole32-sys"
+version = "0.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+dependencies = [
+ "winapi 0.2.8 (registry+https://github.com/rust-lang/crates.io-index)",
+ "winapi-build 0.1.1 (registry+https://github.com/rust-lang/crates.io-index)",
+]
+
 [[package]]
 name = "openssl"
 version = "0.10.28"
@ -455,17 +515,6 @@ dependencies = [
 "vcpkg 0.2.8 (registry+https://github.com/rust-lang/crates.io-index)",
 ]

-[[package]]
-name = "parse_pdb_for_offsets"
-version = "0.1.0"
-dependencies = [
- "hex 0.4.2 (registry+https://github.com/rust-lang/crates.io-index)",
- "pdb 0.5.0 (registry+https://github.com/rust-lang/crates.io-index)",
- "reqwest 0.10.1 (registry+https://github.com/rust-lang/crates.io-index)",
- "widestring 0.4.0 (registry+https://github.com/rust-lang/crates.io-index)",
- "winapi 0.3.8 (registry+https://github.com/rust-lang/crates.io-index)",
-]
-
 [[package]]
 name = "pdb"
 version = "0.5.0"
@ -734,6 +783,15 @@ dependencies = [
 "url 2.1.1 (registry+https://github.com/rust-lang/crates.io-index)",
 ]

+[[package]]
+name = "shell32-sys"
+version = "0.1.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+dependencies = [
+ "winapi 0.2.8 (registry+https://github.com/rust-lang/crates.io-index)",
+ "winapi-build 0.1.1 (registry+https://github.com/rust-lang/crates.io-index)",
+]
+
 [[package]]
 name = "slab"
 version = "0.4.2"
@ -1071,8 +1129,14 @@ dependencies = [
 "winapi-build 0.1.1 (registry+https://github.com/rust-lang/crates.io-index)",
 ]

+[[package]]
+name = "xdg"
+version = "2.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+
 [metadata]
 "checksum anyhow 1.0.26 (registry+https://github.com/rust-lang/crates.io-index)" = "7825f6833612eb2414095684fcf6c635becf3ce97fe48cf6421321e93bfbd53c"
+"checksum app_dirs 1.2.1 (registry+https://github.com/rust-lang/crates.io-index)" = "e73a24bad9bd6a94d6395382a6c69fe071708ae4409f763c5475e14ee896313d"
 "checksum autocfg 1.0.0 (registry+https://github.com/rust-lang/crates.io-index)" = "f8aac770f1885fd7e387acedd76065302551364496e46b3dd00860b2f8359b9d"
 "checksum base64 0.11.0 (registry+https://github.com/rust-lang/crates.io-index)" = "b41b7ea54a0c9d92199de89e20e58d49f02f8e699814ef3fdf266f6f748d15c7"
 "checksum bitflags 1.2.1 (registry+https://github.com/rust-lang/crates.io-index)" = "cf1de2fe8c75bc145a2f577add951f8134889b4795d47466a54a5c846d691693"
@ -1081,6 +1145,7 @@ dependencies = [
 "checksum c2-chacha 0.2.3 (registry+https://github.com/rust-lang/crates.io-index)" = "214238caa1bf3a496ec3392968969cab8549f96ff30652c9e56885329315f6bb"
 "checksum cc 1.0.50 (registry+https://github.com/rust-lang/crates.io-index)" = "95e28fa049fda1c330bcf9d723be7663a899c4679724b34c81e9f5a326aab8cd"
 "checksum cfg-if 0.1.10 (registry+https://github.com/rust-lang/crates.io-index)" = "4785bdd1c96b2a846b2bd7cc02e86b6b3dbf14e7e53446c4f54c92a361040822"
+"checksum chrono 0.4.10 (registry+https://github.com/rust-lang/crates.io-index)" = "31850b4a4d6bae316f7a09e691c944c28299298837edc0a03f755618c23cbc01"
 "checksum core-foundation 0.6.4 (registry+https://github.com/rust-lang/crates.io-index)" = "25b9e03f145fd4f2bf705e07b900cd41fc636598fe5dc452fd0db1441c3f496d"
 "checksum core-foundation-sys 0.6.2 (registry+https://github.com/rust-lang/crates.io-index)" = "e7ca8a5221364ef15ce201e8ed2f609fc312682a8f4e0e3d4aa5879764e0fa3b"
 "checksum dtoa 0.4.5 (registry+https://github.com/rust-lang/crates.io-index)" = "4358a9e11b9a09cf52383b451b49a169e8d797b68aa02301ff586d70d9661ea3"
@ -1125,7 +1190,10 @@ dependencies = [
 "checksum native-tls 0.2.3 (registry+https://github.com/rust-lang/crates.io-index)" = "4b2df1a4c22fd44a62147fd8f13dd0f95c9d8ca7b2610299b2a2f9cf8964274e"
 "checksum net2 0.2.33 (registry+https://github.com/rust-lang/crates.io-index)" = "42550d9fb7b6684a6d404d9fa7250c2eb2646df731d1c06afc06dcee9e1bcf88"
 "checksum nom 4.2.3 (registry+https://github.com/rust-lang/crates.io-index)" = "2ad2a91a8e869eeb30b9cb3119ae87773a8f4ae617f41b1eb9c154b2905f7bd6"
+"checksum num-integer 0.1.42 (registry+https://github.com/rust-lang/crates.io-index)" = "3f6ea62e9d81a77cd3ee9a2a5b9b609447857f3d358704331e4ef39eb247fcba"
+"checksum num-traits 0.2.11 (registry+https://github.com/rust-lang/crates.io-index)" = "c62be47e61d1842b9170f0fdeec8eba98e60e90e5446449a0545e5152acd7096"
 "checksum num_cpus 1.12.0 (registry+https://github.com/rust-lang/crates.io-index)" = "46203554f085ff89c235cd12f7075f3233af9b11ed7c9e16dfe2560d03313ce6"
+"checksum ole32-sys 0.2.0 (registry+https://github.com/rust-lang/crates.io-index)" = "5d2c49021782e5233cd243168edfa8037574afed4eba4bbaf538b3d8d1789d8c"
 "checksum openssl 0.10.28 (registry+https://github.com/rust-lang/crates.io-index)" = "973293749822d7dd6370d6da1e523b0d1db19f06c459134c658b2a4261378b52"
 "checksum openssl-probe 0.1.2 (registry+https://github.com/rust-lang/crates.io-index)" = "77af24da69f9d9341038eba93a073b1fdaaa1b788221b00a69bce9e762cb32de"
 "checksum openssl-sys 0.9.54 (registry+https://github.com/rust-lang/crates.io-index)" = "1024c0a59774200a555087a6da3f253a9095a5f344e353b212ac4c8b8e450986"
@ -1160,6 +1228,7 @@ dependencies = [
 "checksum serde 1.0.104 (registry+https://github.com/rust-lang/crates.io-index)" = "414115f25f818d7dfccec8ee535d76949ae78584fc4f79a6f45a904bf8ab4449"
 "checksum serde_json 1.0.48 (registry+https://github.com/rust-lang/crates.io-index)" = "9371ade75d4c2d6cb154141b9752cf3781ec9c05e0e5cf35060e1e70ee7b9c25"
 "checksum serde_urlencoded 0.6.1 (registry+https://github.com/rust-lang/crates.io-index)" = "9ec5d77e2d4c73717816afac02670d5c4f534ea95ed430442cad02e7a6e32c97"
+"checksum shell32-sys 0.1.2 (registry+https://github.com/rust-lang/crates.io-index)" = "9ee04b46101f57121c9da2b151988283b6beb79b34f5bb29a58ee48cb695122c"
 "checksum slab 0.4.2 (registry+https://github.com/rust-lang/crates.io-index)" = "c111b5bd5695e56cffe5129854aa230b39c93a305372fdbb2668ca2394eea9f8"
 "checksum smallvec 1.2.0 (registry+https://github.com/rust-lang/crates.io-index)" = "5c2fb2ec9bcd216a5b0d0ccf31ab17b5ed1d627960edff65bbe95d3ce221cefc"
 "checksum sourcefile 0.1.4 (registry+https://github.com/rust-lang/crates.io-index)" = "4bf77cb82ba8453b42b6ae1d692e4cdc92f9a47beaf89a847c8be83f4e328ad3"
@ -1202,3 +1271,4 @@ dependencies = [
 "checksum winapi-x86_64-pc-windows-gnu 0.4.0 (registry+https://github.com/rust-lang/crates.io-index)" = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f"
 "checksum winreg 0.6.2 (registry+https://github.com/rust-lang/crates.io-index)" = "b2986deb581c4fe11b621998a5e53361efe6b48a151178d0cd9eeffa4dc6acc9"
 "checksum ws2_32-sys 0.2.1 (registry+https://github.com/rust-lang/crates.io-index)" = "d59cefebd0c892fa2dd6de581e937301d8552cb44489cdff035c6187cb63fa5e"
+"checksum xdg 2.2.0 (registry+https://github.com/rust-lang/crates.io-index)" = "d089681aa106a86fade1b0128fb5daf07d5867a509ab036d99988dec80429a57"
--- a/Cargo.toml
+++ b/Cargo.toml
@ -1,14 +1,20 @@
 [package]
-name = "parse_pdb_for_offsets"
+name = "lpus"
 version = "0.1.0"
 authors = ["nganhkhoa <mail.nganhkhoa@gmail.com>"]
+description = "Live pool tag scanning frontend"
 edition = "2018"

-# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
+#  See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
+[lib]
+name = "lpus"
+doctest = false

 [dependencies]
+app_dirs = "1.2.1"
 hex = "0.4.2"
 pdb = "0.5.0"
+chrono = "0.4"
 widestring = "0.4.0"
-winapi = { version = "0.3.8", features = ["libloaderapi", "processthreadsapi", "winbase", "securitybaseapi", "handleapi", "winnt", "winreg"] }
+winapi = { version = "0.3.8", features = ["libloaderapi", "processthreadsapi", "winbase", "securitybaseapi", "handleapi", "winnt", "winreg", "fileapi", "ioapiset", "winioctl", "errhandlingapi", "sysinfoapi"] }
 reqwest = { version = "0.10.1", features = ["blocking"] }
--- a/README.md
+++ b/README.md
@ -1,558 +1,35 @@
-> If you came here for `MmNonPagedPoolStart`, `MmNonPagedPoolEnd`, you ended up at the right place.
+# LPUS (A live pool-tag scanning solution)

-`NonPagedPool` in Windows has two variables that defined the start and end of the section in kernel memory. Online blog posts and tutorials show an outdated version of these two variables.
+This is the frontend to the live pool tag scanning solution, the backend is a driver (which is now closed source).

-Take a look at [this old post](https://web.archive.org/web/20061110120809/http://www.rootkit.com/newsread.php?newsid=153). `_DBGKD_GET_VERSION64 KdVersionBlock` was a very important structure into the debugger block of Windows. However, if you try to find this structure in Windows 10, you will hit `KdVersionBlock == 0` (Ouch!!!). But this structure provides offset into `MmNonPagedPool{Start,End}`, how can we get those?
+## How this works

-Luckily, both `MmNonPagedPoolStart` and `MmNonPagedPoolEnd` in Windows XP, can be found by offseting from `ntoskrnl.exe`. Rekall team are very positive that their tools doesn't rely on profiles file like Volatility but use PDB provided by Windows to find these values.
+In simple way, we use PDB files to get the global variable offsets and structure definitions.
+The backend finds the kernel base and use these values to calculate the nonpaged-pool range.
+A more detailed report is in [nonpaged-pool-range.md](nonpaged-pool-range.md)
+The frontend calls the backend to scan for a specific tag.

-In [Rekall source code](https://github.com/google/rekall/blob/c5d68e31705f4b5bd2581c1d951b7f6983f7089c/rekall-core/rekall/plugins/windows/pool.py#L87), the values of those variables are:
+## How to use

- Windows XP: `MmNonPagedPool{Start,End}`
- Windows 7 and maybe 8: `MiNonPagedPoolStartAligned`, `MiNonPagedPoolEnd`, and `MiNonPagedPoolBitMap`
- Windows 10 below
+Example is [here](./src/bin/eprocess_scan.rs).

-In Windows 7, 8, another field was added to controll the allocation of `NonPagedPool`, which is why there is [this paper about pool tag quick scanning](https://www.sciencedirect.com/science/article/pii/S1742287616000062).
+```rust
+use lpus::{
+    driver_state::{DriverState}
+};

-However, from Windows 10, the whole game changed around when the global offset to those (similar) variables are gone. Instead Windows 10 introduced a new variable `MiState`. `MiState` offset is available and we can get those start/end variables by either:
-
- Windows 2015: `*((ntoskrnl.exe+MiState)->SystemNodeInformation->NonPagedPool{First,Last}Va)`
- Windows 2016: `*((ntoskrnl.exe+MiState)->Hardware.SystemNodeInformation->NonPagedPool{First,Last}Va)`
-
-The `NonPagedBitMap` was still visible untill the May 2019 Update, here, take a look at these 2 consecutive update [`1809 Redstone 5 (October Update)`](https://www.vergiliusproject.com/kernels/x64/Windows%2010%20%7C%202016/1809%20Redstone%205%20(October%20Update)/\_MI\_SYSTEM\_NODE\_INFORMATION) and [`1903 19H1 (May 2019 Update)`](https://www.vergiliusproject.com/kernels/x64/Windows%2010%20%7C%202016/1903%2019H1%20(May%202019%20Update)/\_MI\_SYSTEM\_NODE\_INFORMATION).
-
-Yeah, now `pool tag quick scanning` is useless (gah). Windows OS changes quite frequently right? Tell you more, I am using the Insider version of Windows in 2020, and guess what, I found out that they put another struct to point to those value. So now we need to go like this:
-
- Windows 2020 Insider preview: `*((ntoskrnl.exe+MiState)->SystemNodeNonPagedPool->NonPagedPool{First,Last}Va)`
-
-> If you go with low-level, then you only care about the offset and formula to get those variables but knowing the structure is well benefit.
-
-Anyway, I create this project to help me with my thesis, following outdated structs online yields no result. Oh, yeah, a guy seems to be asking on [how to get `MmNonPagedPoolStart`](https://reverseengineering.stackexchange.com/q/6483) on `stackexchange`, too bad [the answer](https://reverseengineering.stackexchange.com/a/6487) is not so much helpful.
-
-Take a look at my ntoskrnl.exe pdb file parsed.
-
-```
-PDB for Amd64, guid: 3c6978d6-66d9-c05a-53b6-a1e1561282c8, age: 1,
-
-Void(UNNOWN) PsActiveProcessHead 0xc1f970 23:129392
-Void(UNNOWN) MiState 0xc4f200 23:324096
-Void(UNNOWN) KeNumberNodes 0xcfc000 24:0
-Void(UNNOWN) PsLoadedModuleList 0xc2ba30 23:178736
-Void(UNNOWN) KdDebuggerDataBlock 0xc00a30 23:2608
-
-beginstruct _LIST_ENTRY
-	0x0 _LIST_ENTRY* Flink
-	0x8 _LIST_ENTRY* Blink
-endstruct
-
-beginstruct _RTL_BITMAP
-	0x0 U32 SizeOfBitMap
-	0x8 U32 Buffer
-endstruct
-
-beginstruct _EPROCESS
-	0x0 _KPROCESS Pcb
-	0x438 _EX_PUSH_LOCK ProcessLock
-	0x440 Void UniqueProcessId
-	0x448 _LIST_ENTRY ActiveProcessLinks
-	0x458 _EX_RUNDOWN_REF RundownProtect
-	0x460 U32 Flags2
-	0x460 UNNOWN JobNotReallyActive
-	0x460 UNNOWN AccountingFolded
-	0x460 UNNOWN NewProcessReported
-	0x460 UNNOWN ExitProcessReported
-	0x460 UNNOWN ReportCommitChanges
-	0x460 UNNOWN LastReportMemory
-	0x460 UNNOWN ForceWakeCharge
-	0x460 UNNOWN CrossSessionCreate
-	0x460 UNNOWN NeedsHandleRundown
-	0x460 UNNOWN RefTraceEnabled
-	0x460 UNNOWN PicoCreated
-	0x460 UNNOWN EmptyJobEvaluated
-	0x460 UNNOWN DefaultPagePriority
-	0x460 UNNOWN PrimaryTokenFrozen
-	0x460 UNNOWN ProcessVerifierTarget
-	0x460 UNNOWN RestrictSetThreadContext
-	0x460 UNNOWN AffinityPermanent
-	0x460 UNNOWN AffinityUpdateEnable
-	0x460 UNNOWN PropagateNode
-	0x460 UNNOWN ExplicitAffinity
-	0x460 UNNOWN ProcessExecutionState
-	0x460 UNNOWN EnableReadVmLogging
-	0x460 UNNOWN EnableWriteVmLogging
-	0x460 UNNOWN FatalAccessTerminationRequested
-	0x460 UNNOWN DisableSystemAllowedCpuSet
-	0x460 UNNOWN ProcessStateChangeRequest
-	0x460 UNNOWN ProcessStateChangeInProgress
-	0x460 UNNOWN InPrivate
-	0x464 U32 Flags
-	0x464 UNNOWN CreateReported
-	0x464 UNNOWN NoDebugInherit
-	0x464 UNNOWN ProcessExiting
-	0x464 UNNOWN ProcessDelete
-	0x464 UNNOWN ManageExecutableMemoryWrites
-	0x464 UNNOWN VmDeleted
-	0x464 UNNOWN OutswapEnabled
-	0x464 UNNOWN Outswapped
-	0x464 UNNOWN FailFastOnCommitFail
-	0x464 UNNOWN Wow64VaSpace4Gb
-	0x464 UNNOWN AddressSpaceInitialized
-	0x464 UNNOWN SetTimerResolution
-	0x464 UNNOWN BreakOnTermination
-	0x464 UNNOWN DeprioritizeViews
-	0x464 UNNOWN WriteWatch
-	0x464 UNNOWN ProcessInSession
-	0x464 UNNOWN OverrideAddressSpace
-	0x464 UNNOWN HasAddressSpace
-	0x464 UNNOWN LaunchPrefetched
-	0x464 UNNOWN Background
-	0x464 UNNOWN VmTopDown
-	0x464 UNNOWN ImageNotifyDone
-	0x464 UNNOWN PdeUpdateNeeded
-	0x464 UNNOWN VdmAllowed
-	0x464 UNNOWN ProcessRundown
-	0x464 UNNOWN ProcessInserted
-	0x464 UNNOWN DefaultIoPriority
-	0x464 UNNOWN ProcessSelfDelete
-	0x464 UNNOWN SetTimerResolutionLink
-	0x468 _LARGE_INTEGER CreateTime
-	0x470 U64[16] ProcessQuotaUsage
-	0x480 U64[16] ProcessQuotaPeak
-	0x490 U64 PeakVirtualSize
-	0x498 U64 VirtualSize
-	0x4a0 _LIST_ENTRY SessionProcessLinks
-	0x4b0 Void ExceptionPortData
-	0x4b0 U64 ExceptionPortValue
-	0x4b0 UNNOWN ExceptionPortState
-	0x4b8 _EX_FAST_REF Token
-	0x4c0 U64 MmReserved
-	0x4c8 _EX_PUSH_LOCK AddressCreationLock
-	0x4d0 _EX_PUSH_LOCK PageTableCommitmentLock
-	0x4d8 _ETHREAD* RotateInProgress
-	0x4e0 _ETHREAD* ForkInProgress
-	0x4e8 _EJOB* CommitChargeJob
-	0x4f0 _RTL_AVL_TREE CloneRoot
-	0x4f8 volatile U64 NumberOfPrivatePages
-	0x500 volatile U64 NumberOfLockedPages
-	0x508 Void Win32Process
-	0x510 _EJOB* Job
-	0x518 Void SectionObject
-	0x520 Void SectionBaseAddress
-	0x528 U32 Cookie
-	0x530 _PAGEFAULT_HISTORY* WorkingSetWatch
-	0x538 Void Win32WindowStation
-	0x540 Void InheritedFromUniqueProcessId
-	0x548 volatile U64 OwnerProcessId
-	0x550 _PEB* Peb
-	0x558 _MM_SESSION_SPACE* Session
-	0x560 Void Spare1
-	0x568 _EPROCESS_QUOTA_BLOCK* QuotaBlock
-	0x570 _HANDLE_TABLE* ObjectTable
-	0x578 Void DebugPort
-	0x580 _EWOW64PROCESS* WoW64Process
-	0x588 Void DeviceMap
-	0x590 Void EtwDataSource
-	0x598 U64 PageDirectoryPte
-	0x5a0 _FILE_OBJECT* ImageFilePointer
-	0x5a8 UChar[15] ImageFileName
-	0x5b7 UChar PriorityClass
-	0x5b8 Void SecurityPort
-	0x5c0 _SE_AUDIT_PROCESS_CREATION_INFO SeAuditProcessCreationInfo
-	0x5c8 _LIST_ENTRY JobLinks
-	0x5d8 Void HighestUserAddress
-	0x5e0 _LIST_ENTRY ThreadListHead
-	0x5f0 volatile U32 ActiveThreads
-	0x5f4 U32 ImagePathHash
-	0x5f8 U32 DefaultHardErrorProcessing
-	0x5fc I32 LastThreadExitStatus
-	0x600 _EX_FAST_REF PrefetchTrace
-	0x608 Void LockedPagesList
-	0x610 _LARGE_INTEGER ReadOperationCount
-	0x618 _LARGE_INTEGER WriteOperationCount
-	0x620 _LARGE_INTEGER OtherOperationCount
-	0x628 _LARGE_INTEGER ReadTransferCount
-	0x630 _LARGE_INTEGER WriteTransferCount
-	0x638 _LARGE_INTEGER OtherTransferCount
-	0x640 U64 CommitChargeLimit
-	0x648 volatile U64 CommitCharge
-	0x650 volatile U64 CommitChargePeak
-	0x680 _MMSUPPORT_FULL Vm
-	0x7c0 _LIST_ENTRY MmProcessLinks
-	0x7d0 U32 ModifiedPageCount
-	0x7d4 I32 ExitStatus
-	0x7d8 _RTL_AVL_TREE VadRoot
-	0x7e0 Void VadHint
-	0x7e8 U64 VadCount
-	0x7f0 volatile U64 VadPhysicalPages
-	0x7f8 U64 VadPhysicalPagesLimit
-	0x800 _ALPC_PROCESS_CONTEXT AlpcContext
-	0x820 _LIST_ENTRY TimerResolutionLink
-	0x830 _PO_DIAG_STACK_RECORD* TimerResolutionStackRecord
-	0x838 U32 RequestedTimerResolution
-	0x83c U32 SmallestTimerResolution
-	0x840 _LARGE_INTEGER ExitTime
-	0x848 _INVERTED_FUNCTION_TABLE* InvertedFunctionTable
-	0x850 _EX_PUSH_LOCK InvertedFunctionTableLock
-	0x858 U32 ActiveThreadsHighWatermark
-	0x85c U32 LargePrivateVadCount
-	0x860 _EX_PUSH_LOCK ThreadListLock
-	0x868 Void WnfContext
-	0x870 _EJOB* ServerSilo
-	0x878 UChar SignatureLevel
-	0x879 UChar SectionSignatureLevel
-	0x87a _PS_PROTECTION Protection
-	0x87b UNNOWN HangCount
-	0x87b UNNOWN GhostCount
-	0x87b UNNOWN PrefilterException
-	0x87c U32 Flags3
-	0x87c UNNOWN Minimal
-	0x87c UNNOWN ReplacingPageRoot
-	0x87c UNNOWN Crashed
-	0x87c UNNOWN JobVadsAreTracked
-	0x87c UNNOWN VadTrackingDisabled
-	0x87c UNNOWN AuxiliaryProcess
-	0x87c UNNOWN SubsystemProcess
-	0x87c UNNOWN IndirectCpuSets
-	0x87c UNNOWN RelinquishedCommit
-	0x87c UNNOWN HighGraphicsPriority
-	0x87c UNNOWN CommitFailLogged
-	0x87c UNNOWN ReserveFailLogged
-	0x87c UNNOWN SystemProcess
-	0x87c UNNOWN HideImageBaseAddresses
-	0x87c UNNOWN AddressPolicyFrozen
-	0x87c UNNOWN ProcessFirstResume
-	0x87c UNNOWN ForegroundExternal
-	0x87c UNNOWN ForegroundSystem
-	0x87c UNNOWN HighMemoryPriority
-	0x87c UNNOWN EnableProcessSuspendResumeLogging
-	0x87c UNNOWN EnableThreadSuspendResumeLogging
-	0x87c UNNOWN SecurityDomainChanged
-	0x87c UNNOWN SecurityFreezeComplete
-	0x87c UNNOWN VmProcessorHost
-	0x87c UNNOWN VmProcessorHostTransition
-	0x87c UNNOWN AltSyscall
-	0x87c UNNOWN TimerResolutionIgnore
-	0x880 I32 DeviceAsid
-	0x888 Void SvmData
-	0x890 _EX_PUSH_LOCK SvmProcessLock
-	0x898 U64 SvmLock
-	0x8a0 _LIST_ENTRY SvmProcessDeviceListHead
-	0x8b0 U64 LastFreezeInterruptTime
-	0x8b8 _PROCESS_DISK_COUNTERS* DiskCounters
-	0x8c0 Void PicoContext
-	0x8c8 Void EnclaveTable
-	0x8d0 U64 EnclaveNumber
-	0x8d8 _EX_PUSH_LOCK EnclaveLock
-	0x8e0 U32 HighPriorityFaultsAllowed
-	0x8e8 _PO_PROCESS_ENERGY_CONTEXT* EnergyContext
-	0x8f0 Void VmContext
-	0x8f8 U64 SequenceNumber
-	0x900 U64 CreateInterruptTime
-	0x908 U64 CreateUnbiasedInterruptTime
-	0x910 U64 TotalUnbiasedFrozenTime
-	0x918 U64 LastAppStateUpdateTime
-	0x920 UNNOWN LastAppStateUptime
-	0x920 UNNOWN LastAppState
-	0x928 volatile U64 SharedCommitCharge
-	0x930 _EX_PUSH_LOCK SharedCommitLock
-	0x938 _LIST_ENTRY SharedCommitLinks
-	0x948 U64 AllowedCpuSets
-	0x950 U64 DefaultCpuSets
-	0x948 U64 AllowedCpuSetsIndirect
-	0x950 U64 DefaultCpuSetsIndirect
-	0x958 Void DiskIoAttribution
-	0x960 Void DxgProcess
-	0x968 U32 Win32KFilterSet
-	0x970 volatile _PS_INTERLOCKED_TIMER_DELAY_VALUES ProcessTimerDelay
-	0x978 volatile U32 KTimerSets
-	0x97c volatile U32 KTimer2Sets
-	0x980 volatile U32 ThreadTimerSets
-	0x988 U64 VirtualTimerListLock
-	0x990 _LIST_ENTRY VirtualTimerListHead
-	0x9a0 _WNF_STATE_NAME WakeChannel
-	0x9a0 _PS_PROCESS_WAKE_INFORMATION WakeInfo
-	0x9d0 U32 MitigationFlags
-	0x9d0 <anonymous-tag> MitigationFlagsValues
-	0x9d4 U32 MitigationFlags2
-	0x9d4 <anonymous-tag> MitigationFlags2Values
-	0x9d8 Void PartitionObject
-	0x9e0 U64 SecurityDomain
-	0x9e8 U64 ParentSecurityDomain
-	0x9f0 Void CoverageSamplerContext
-	0x9f8 Void MmHotPatchContext
-	0xa00 _KE_IDEAL_PROCESSOR_ASSIGNMENT_BLOCK IdealProcessorAssignmentBlock
-	0xab8 _RTL_AVL_TREE DynamicEHContinuationTargetsTree
-	0xac0 _EX_PUSH_LOCK DynamicEHContinuationTargetsLock
-endstruct
-
-beginstruct _RTL_BITMAP_EX
-	0x0 U64 SizeOfBitMap
-	0x8 U64 Buffer
-endstruct
-
-beginstruct _MI_SYSTEM_INFORMATION
-	0x0 _MI_POOL_STATE Pools
-	0xc0 _MI_SECTION_STATE Sections
-	0x400 _MI_SYSTEM_IMAGE_STATE SystemImages
-	0x4a8 _MI_SESSION_STATE Sessions
-	0x1530 _MI_PROCESS_STATE Processes
-	0x1580 _MI_HARDWARE_STATE Hardware
-	0x1740 _MI_SYSTEM_VA_STATE SystemVa
-	0x1c00 _MI_COMBINE_STATE PageCombines
-	0x1c20 _MI_PAGELIST_STATE PageLists
-	0x1cc0 _MI_PARTITION_STATE Partitions
-	0x1d80 _MI_SHUTDOWN_STATE Shutdowns
-	0x1df8 _MI_ERROR_STATE Errors
-	0x1f00 _MI_ACCESS_LOG_STATE AccessLog
-	0x1f80 _MI_DEBUGGER_STATE Debugger
-	0x20a0 _MI_STANDBY_STATE Standby
-	0x2140 _MI_SYSTEM_PTE_STATE SystemPtes
-	0x2340 _MI_IO_PAGE_STATE IoPages
-	0x2400 _MI_PAGING_IO_STATE PagingIo
-	0x24b0 _MI_COMMON_PAGE_STATE CommonPages
-	0x2580 _MI_SYSTEM_TRIM_STATE Trims
-	0x25c0 _MI_SYSTEM_ZEROING Zeroing
-	0x25e0 _MI_ENCLAVE_STATE Enclaves
-	0x2628 U64 Cookie
-	0x2630 Void** BootRegistryRuns
-	0x2638 volatile I32 ZeroingDisabled
-	0x263c UChar FullyInitialized
-	0x263d UChar SafeBooted
-	0x2640 const _tlgProvider_t* TraceLogging
-	0x2680 _MI_VISIBLE_STATE Vs
-endstruct
-
-beginstruct _PEB
-	0x0 UChar InheritedAddressSpace
-	0x1 UChar ReadImageFileExecOptions
-	0x2 UChar BeingDebugged
-	0x3 UChar BitField
-	0x3 UNNOWN ImageUsesLargePages
-	0x3 UNNOWN IsProtectedProcess
-	0x3 UNNOWN IsImageDynamicallyRelocated
-	0x3 UNNOWN SkipPatchingUser32Forwarders
-	0x3 UNNOWN IsPackagedProcess
-	0x3 UNNOWN IsAppContainer
-	0x3 UNNOWN IsProtectedProcessLight
-	0x3 UNNOWN IsLongPathAwareProcess
-	0x4 UChar[4] Padding0
-	0x8 Void Mutant
-	0x10 Void ImageBaseAddress
-	0x18 _PEB_LDR_DATA* Ldr
-	0x20 _RTL_USER_PROCESS_PARAMETERS* ProcessParameters
-	0x28 Void SubSystemData
-	0x30 Void ProcessHeap
-	0x38 _RTL_CRITICAL_SECTION* FastPebLock
-	0x40 _SLIST_HEADER* AtlThunkSListPtr
-	0x48 Void IFEOKey
-	0x50 U32 CrossProcessFlags
-	0x50 UNNOWN ProcessInJob
-	0x50 UNNOWN ProcessInitializing
-	0x50 UNNOWN ProcessUsingVEH
-	0x50 UNNOWN ProcessUsingVCH
-	0x50 UNNOWN ProcessUsingFTH
-	0x50 UNNOWN ProcessPreviouslyThrottled
-	0x50 UNNOWN ProcessCurrentlyThrottled
-	0x50 UNNOWN ProcessImagesHotPatched
-	0x50 UNNOWN ReservedBits0
-	0x54 UChar[4] Padding1
-	0x58 Void KernelCallbackTable
-	0x58 Void UserSharedInfoPtr
-	0x60 U32 SystemReserved
-	0x64 U32 AtlThunkSListPtr32
-	0x68 Void ApiSetMap
-	0x70 U32 TlsExpansionCounter
-	0x74 UChar[4] Padding2
-	0x78 Void TlsBitmap
-	0x80 U32[8] TlsBitmapBits
-	0x88 Void ReadOnlySharedMemoryBase
-	0x90 Void SharedData
-	0x98 Void* ReadOnlyStaticServerData
-	0xa0 Void AnsiCodePageData
-	0xa8 Void OemCodePageData
-	0xb0 Void UnicodeCaseTableData
-	0xb8 U32 NumberOfProcessors
-	0xbc U32 NtGlobalFlag
-	0xc0 _LARGE_INTEGER CriticalSectionTimeout
-	0xc8 U64 HeapSegmentReserve
-	0xd0 U64 HeapSegmentCommit
-	0xd8 U64 HeapDeCommitTotalFreeThreshold
-	0xe0 U64 HeapDeCommitFreeBlockThreshold
-	0xe8 U32 NumberOfHeaps
-	0xec U32 MaximumNumberOfHeaps
-	0xf0 Void* ProcessHeaps
-	0xf8 Void GdiSharedHandleTable
-	0x100 Void ProcessStarterHelper
-	0x108 U32 GdiDCAttributeList
-	0x10c UChar[4] Padding3
-	0x110 _RTL_CRITICAL_SECTION* LoaderLock
-	0x118 U32 OSMajorVersion
-	0x11c U32 OSMinorVersion
-	0x120 U16 OSBuildNumber
-	0x122 U16 OSCSDVersion
-	0x124 U32 OSPlatformId
-	0x128 U32 ImageSubsystem
-	0x12c U32 ImageSubsystemMajorVersion
-	0x130 U32 ImageSubsystemMinorVersion
-	0x134 UChar[4] Padding4
-	0x138 U64 ActiveProcessAffinityMask
-	0x140 U32[240] GdiHandleBuffer
-	0x230 Void(UNNOWN)* PostProcessInitRoutine
-	0x238 Void TlsExpansionBitmap
-	0x240 U32[128] TlsExpansionBitmapBits
-	0x2c0 U32 SessionId
-	0x2c4 UChar[4] Padding5
-	0x2c8 _ULARGE_INTEGER AppCompatFlags
-	0x2d0 _ULARGE_INTEGER AppCompatFlagsUser
-	0x2d8 Void pShimData
-	0x2e0 Void AppCompatInfo
-	0x2e8 _UNICODE_STRING CSDVersion
-	0x2f8 const _ACTIVATION_CONTEXT_DATA* ActivationContextData
-	0x300 _ASSEMBLY_STORAGE_MAP* ProcessAssemblyStorageMap
-	0x308 const _ACTIVATION_CONTEXT_DATA* SystemDefaultActivationContextData
-	0x310 _ASSEMBLY_STORAGE_MAP* SystemAssemblyStorageMap
-	0x318 U64 MinimumStackCommit
-	0x320 Void[32] SparePointers
-	0x340 U32[20] SpareUlongs
-	0x358 Void WerRegistrationData
-	0x360 Void WerShipAssertPtr
-	0x368 Void pUnused
-	0x370 Void pImageHeaderHash
-	0x378 U32 TracingFlags
-	0x378 UNNOWN HeapTracingEnabled
-	0x378 UNNOWN CritSecTracingEnabled
-	0x378 UNNOWN LibLoaderTracingEnabled
-	0x378 UNNOWN SpareTracingBits
-	0x37c UChar[4] Padding6
-	0x380 U64 CsrServerReadOnlySharedMemoryBase
-	0x388 U64 TppWorkerpListLock
-	0x390 _LIST_ENTRY TppWorkerpList
-	0x3a0 Void[1024] WaitOnAddressHashTable
-	0x7a0 Void TelemetryCoverageHeader
-	0x7a8 U32 CloudFileFlags
-	0x7ac U32 CloudFileDiagFlags
-	0x7b0 RChar PlaceholderCompatibilityMode
-	0x7b1 RChar[7] PlaceholderCompatibilityModeReserved
-	0x7b8 _LEAP_SECOND_DATA* LeapSecondData
-	0x7c0 U32 LeapSecondFlags
-	0x7c0 UNNOWN SixtySecondEnabled
-	0x7c0 UNNOWN Reserved
-	0x7c4 U32 NtGlobalFlag2
-endstruct
-
-beginstruct _MI_DYNAMIC_BITMAP
-	0x0 _RTL_BITMAP_EX Bitmap
-	0x10 U64 MaximumSize
-	0x18 U64 Hint
-	0x20 Void BaseVa
-	0x28 U64 SizeTopDown
-	0x30 U64 HintTopDown
-	0x38 Void BaseVaTopDown
-	0x40 U64 SpinLock
-endstruct
-
-beginstruct _MI_HARDWARE_STATE
-	0x0 U32 NodeMask
-	0x4 U32 NumaHintIndex
-	0x8 U32 NumaLastRangeIndexInclusive
-	0xc UChar NodeShift
-	0xd UChar ChannelShift
-	0x10 U32 ChannelHintIndex
-	0x14 U32 ChannelLastRangeIndexInclusive
-	0x18 _MI_NODE_NUMBER_ZERO_BASED* NodeGraph
-	0x20 _MI_SYSTEM_NODE_NONPAGED_POOL* SystemNodeNonPagedPool
-	0x28 _HAL_NODE_RANGE[32] TemporaryNumaRanges
-	0x48 _HAL_NODE_RANGE* NumaMemoryRanges
-	0x50 _HAL_CHANNEL_MEMORY_RANGES* ChannelMemoryRanges
-	0x58 U32 SecondLevelCacheSize
-	0x5c U32 FirstLevelCacheSize
-	0x60 U32 PhysicalAddressBits
-	0x64 U32 PfnDatabasePageBits
-	0x68 U32 LogicalProcessorsPerCore
-	0x6c UChar ProcessorCachesFlushedOnPowerLoss
-	0x70 U64 TotalPagesAllowed
-	0x78 U32 SecondaryColorMask
-	0x7c U32 SecondaryColors
-	0x80 U32 FlushTbForAttributeChange
-	0x84 U32 FlushCacheForAttributeChange
-	0x88 U32 FlushCacheForPageAttributeChange
-	0x8c U32 CacheFlushPromoteThreshold
-	0x90 _LARGE_INTEGER PerformanceCounterFrequency
-	0xc0 U64 InvalidPteMask
-	0x100 U32[12] LargePageColors
-	0x110 U64 FlushTbThreshold
-	0x118 _MI_PFN_CACHE_ATTRIBUTE[16][64] OptimalZeroingAttribute
-	0x158 UChar AttributeChangeRequiresReZero
-	0x160 _MI_ZERO_COST_COUNTS[32] ZeroCostCounts
-	0x180 U64 HighestPossiblePhysicalPage
-	0x188 U64 VsmKernelPageCount
-endstruct
-
-beginstruct _MI_SYSTEM_NODE_NONPAGED_POOL
-	0x0 _MI_DYNAMIC_BITMAP DynamicBitMapNonPagedPool
-	0x48 U64 CachedNonPagedPoolCount
-	0x50 U64 NonPagedPoolSpinLock
-	0x58 _MMPFN* CachedNonPagedPool
-	0x60 Void NonPagedPoolFirstVa
-	0x68 Void NonPagedPoolLastVa
-	0x70 _MI_SYSTEM_NODE_INFORMATION* SystemNodeInformation
-endstruct
-
-beginstruct _MI_SYSTEM_NODE_INFORMATION
-	0x0 _CACHED_KSTACK_LIST[64] CachedKernelStacks
-	0x40 _GROUP_AFFINITY GroupAffinity
-	0x50 U16 ProcessorCount
-	0x58 Void BootZeroPageTimesPerProcessor
-	0x60 U64 CyclesToZeroOneLargePage
-	0x68 U64 ScaledCyclesToZeroOneLargePage
-	0x70 _MI_WRITE_CALIBRATION WriteCalibration
-	0xc0 volatile I32 IoPfnLock
-endstruct
-
-```
-
----
-
-Global variables offset are parsed and can be queried by `nt!` in Windbg. In a kernel driver, we need to get the kernel base address (which is `nt!`). Kernel base address is the loaded address of `ntoskrnl.exe`. There is a shellcode to get the address [here](https://gist.github.com/Barakat/34e9924217ed81fd78c9c92d746ec9c6), using IDT table. But when I use the shellcode with the Windows Insider preview 2020, the address is wrong (it still a loaded PE though). Other ways to get the address are listed [here](https://m0uk4.gitbook.io/notebooks/mouka/windowsinternal/find-kernel-module-address-todo). And hereby I present another way to get the kernel base address.
-
-A device driver can get a pointer to a `EPROCESS` through the use of `PEPROCESS IoGetCurrentProcess`. And as we know, `EPROCESS` has pointer to other `EPROCESS` as a doubly linked list. If we dump them all out, we can notice a few things:
-
- The image name returned by calling `IoGetCurrentProcess` is `System`
- The `EPROCESS` before `System` is somehow empty
-
-```cpp
-PVOID eprocess = (PVOID)IoGetCurrentProcess();
-DbgPrint("eprocess : 0x%p, [%15s]\n", eprocess, (char*)((ULONG64)eprocess + ImageBaseNameOffset));
-for (int i = 0; i < 100; i++) {
-  eprocess = (PVOID)(*(ULONG64*)((ULONG64)eprocess + ActiveProcessLinksOffset) - ActiveProcessLinksOffset);
-  DbgPrint("eprocess : 0x%p, [%15s]\n", eprocess, (char*)((ULONG64)eprocess + ImageBaseOffset));
+fn main() -> Result<(), Box<dyn Error>> {
+    let mut driver = DriverState::new();
+    println!("NtLoadDriver()   -> 0x{:x}", driver.startup());
+    driver.scan_pool(b"Tag ", |pool_addr, header, data_addr| {
+    })?;
+    println!("NtUnloadDriver() -> 0x{:x}", driver.shutdown());
 }
-
-// sample output
-eprocess : 0xFFFFF8037401F528, [               ]
-eprocess : 0xFFFF840F5A0D9080, [         System]
-eprocess : 0xFFFF840F5A28C040, [  Secure System]
-eprocess : 0xFFFF840F5A2EF040, [       Registry]
-eprocess : 0xFFFF840F622BF040, [       smss.exe]
-eprocess : 0xFFFF840F6187D080, [       smss.exe]
-eprocess : 0xFFFF840F6263D140, [      csrss.exe]
-eprocess : 0xFFFF840F6277F0C0, [       smss.exe]
-eprocess : 0xFFFF840F627C2080, [    wininit.exe]
-eprocess : 0xFFFF840F64187140, [      csrss.exe]
-eprocess : 0xFFFF840F641CD080, [   services.exe]
 ```

-And if we debug and compare the address of that `Empty EPROCESS+ActiveProcessLinksOffset` with `nt!PsActiveProcessHead`, it is just the same. And with the given offset parsed from the PDB file, we can get kernel base address.
+The closure is a mutable closure, so you can just put a vector and saves the result.
+The function signature for the closure is: `FnMut(u64, &[u8], u64) -> Result<bool, std::error::Error>`
+Parsing the struct data is up to you.
+You can use `driver.deref_addr(addr, &value)` to dereference an address in kernel space
+and `driver.pdb_store.get_offset_r("offset")?` to get an offset from PDB file.

-```cpp
-PVOID eprocess = (PVOID)IoGetCurrentProcess();
-DbgPrint("eprocess               : 0x%p, [%15s]\n", eprocess, (char*)((ULONG64)eprocess + ImageBaseNameOffset));
-PVOID processHead = (PVOID)(*(ULONG64*)((ULONG64)eprocess + ActiveProcessLinksOffset + BLinkOffset));
-DbgPrint("PsActiveProcessHead    : 0x%p\n", processHead);
-PVOID ntosbase = (PVOID)((ULONG64)processHead - ActiveHeadOffset);
-DbgPrint("ntoskrnl.exe           : 0x%p\n", ntosbase);
-```
-
-From now we have successfully get the kernel base address to index into other global variables.
-
-(In this way we use `PsActiveProcessHead`, but a better way maybe traversing `PsLoadedModuleList` which could get the correct address of `ntoskrnl.exe` but I do not know)
--- a/logs/eprocess_scan_log_2.txt
+++ b/logs/eprocess_scan_log_2.txt
@ -0,0 +1,325 @@
+PDB for Amd64, guid: 94add4fd-403f-5f1a-8d4b-aba8db5d5b7a, age: 1
+
+NtLoadDriver()   -> 0x0
+pool: 0xffffa80e2cced000 | eprocess: 0xffffa80e2cced040 |  | System
+pool: 0xffffa80e2cd17000 | eprocess: 0xffffa80e2cd17080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e2cd3d010 | eprocess: 0xffffa80e2cd3d080 |  | Registry
+pool: 0xffffa80e2cd3e000 | eprocess: 0xffffa80e2cd3e080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e2cd79040 | eprocess: 0xffffa80e2cd79080 |  | Secure System
+pool: 0xffffa80e2cdc8000 | eprocess: 0xffffa80e2cdc8080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e2efcc000 | eprocess: 0xffffa80e2efcc080 |  | svchost.exe
+pool: 0xffffa80e2efcf000 | eprocess: 0xffffa80e2efcf080 | \Windows\System32\conhost.exe | conhost.exe
+pool: 0xffffa80e2efd1000 | eprocess: 0xffffa80e2efd1080 | \Program Files\Dell\SupportAssistAgent\PCDr\SupportAssist\6.0.7106.1428\DSAPI.exe | DSAPI.exe
+pool: 0xffffa80e316cb0f0 | eprocess: 0xffffa80e316cb180 | \Windows\System32\dllhost.exe | dllhost.exe
+pool: 0xffffa80e365b9000 | eprocess: 0xffffa80e365b9040 | \Windows\System32\smss.exe | smss.exe
+pool: 0xffffa80e368ed000 | eprocess: 0xffffa80e368ed080 |  | smss.exe
+pool: 0xffffa80e369420c0 | eprocess: 0xffffa80e36942140 | \Windows\System32\csrss.exe | csrss.exe
+pool: 0xffffa80e384c1000 | eprocess: 0xffffa80e384c1080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e38502040 | eprocess: 0xffffa80e385020c0 | \Windows\System32\wbem\WmiPrvSE.exe | WmiPrvSE.exe
+pool: 0xffffa80e38772000 | eprocess: 0xffffa80e38772080 |  | smss.exe
+pool: 0xffffa80e3877e0c0 | eprocess: 0xffffa80e3877e140 | \Windows\System32\csrss.exe | csrss.exe
+pool: 0xffffa80e3877f000 | eprocess: 0xffffa80e3877f080 | \Windows\System32\wininit.exe | wininit.exe
+pool: 0xffffa80e387d4000 | eprocess: 0xffffa80e387d4080 | \Windows\System32\ibtsiva.exe | ibtsiva.exe
+pool: 0xffffa80e387f2000 | eprocess: 0xffffa80e387f2080 | \Windows\System32\services.exe | services.exe
+pool: 0xffffa80e387f4000 | eprocess: 0xffffa80e387f4080 | \Windows\System32\lsass.exe | lsass.exe
+pool: 0xffffa80e387f6000 | eprocess: 0xffffa80e387f6080 | \Windows\System32\LsaIso.exe | LsaIso.exe
+pool: 0xffffa80e38e88000 | eprocess: 0xffffa80e38e88080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e38eed000 | eprocess: 0xffffa80e38eed080 | \Windows\System32\fontdrvhost.exe | fontdrvhost.ex
+pool: 0xffffa80e38ef9000 | eprocess: 0xffffa80e38ef9080 | \Windows\System32\WUDFHost.exe | WUDFHost.exe
+pool: 0xffffa80e38fc1000 | eprocess: 0xffffa80e38fc1080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e39005000 | eprocess: 0xffffa80e39005080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e39006000 | eprocess: 0xffffa80e39006080 | \Windows\System32\winlogon.exe | winlogon.exe
+pool: 0xffffa80e39102040 | eprocess: 0xffffa80e391020c0 | \Windows\System32\fontdrvhost.exe | fontdrvhost.ex
+pool: 0xffffa80e39107000 | eprocess: 0xffffa80e39107080 | \Windows\System32\dwm.exe | dwm.exe
+pool: 0xffffa80e3910a000 | eprocess: 0xffffa80e3910a080 |  | LogonUI.exe
+pool: 0xffffa80e391c10b0 | eprocess: 0xffffa80e391c1140 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e391c5000 | eprocess: 0xffffa80e391c5080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e39259000 | eprocess: 0xffffa80e39259080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e39264000 | eprocess: 0xffffa80e39264080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e39289040 | eprocess: 0xffffa80e392890c0 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e392db000 | eprocess: 0xffffa80e392db080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e392de000 | eprocess: 0xffffa80e392de080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e392e4000 | eprocess: 0xffffa80e392e4080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e39306000 | eprocess: 0xffffa80e39306080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e3930d000 | eprocess: 0xffffa80e3930d080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e3930f000 | eprocess: 0xffffa80e3930f080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e393bc040 | eprocess: 0xffffa80e393bc0c0 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e393c1000 | eprocess: 0xffffa80e393c1080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e393c2000 | eprocess: 0xffffa80e393c2080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e393d5000 | eprocess: 0xffffa80e393d5080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e39423040 | eprocess: 0xffffa80e394230c0 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e39430000 | eprocess: 0xffffa80e39430080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e39454000 | eprocess: 0xffffa80e39454080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e39580000 | eprocess: 0xffffa80e39580080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e395ab000 | eprocess: 0xffffa80e395ab080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e395af000 | eprocess: 0xffffa80e395af080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e39613040 | eprocess: 0xffffa80e396130c0 | \Program Files (x86)\Dell\UpdateService\ServiceShell.exe | ServiceShell.e
+pool: 0xffffa80e39637000 | eprocess: 0xffffa80e39637080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e3965e000 | eprocess: 0xffffa80e3965e080 | \Windows\System32\vmms.exe | vmms.exe
+pool: 0xffffa80e39677000 | eprocess: 0xffffa80e39677080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e396eb000 | eprocess: 0xffffa80e396eb080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e39723040 | eprocess: 0xffffa80e397230c0 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e3977a070 | eprocess: 0xffffa80e3977a100 | \Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe | NVDisplay.Cont
+pool: 0xffffa80e39785000 | eprocess: 0xffffa80e39785080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e3979d000 | eprocess: 0xffffa80e3979d080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e397a1000 | eprocess: 0xffffa80e397a1080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e397a8000 | eprocess: 0xffffa80e397a8080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e397f6000 | eprocess: 0xffffa80e397f6080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e39829000 | eprocess: 0xffffa80e39829040 |  | MemCompression
+pool: 0xffffa80e3982f000 | eprocess: 0xffffa80e3982f080 | \Windows\System32\DriverStore\FileRepository\ki127176.inf_amd64_86c658cabfb17c9c\igfxCUIService.exe | igfxCUIService
+pool: 0xffffa80e39842000 | eprocess: 0xffffa80e39842080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e3984e000 | eprocess: 0xffffa80e3984e080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e39853000 | eprocess: 0xffffa80e39853080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e39983000 | eprocess: 0xffffa80e39983080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e399e3000 | eprocess: 0xffffa80e399e3080 | \Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe | NVDisplay.Cont
+pool: 0xffffa80e39a47000 | eprocess: 0xffffa80e39a47080 | \Windows\System32\SettingSyncHost.exe | SettingSyncHos
+pool: 0xffffa80e39a48000 | eprocess: 0xffffa80e39a48080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e39a4c000 | eprocess: 0xffffa80e39a4c080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e39a50000 | eprocess: 0xffffa80e39a50080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e39a6d000 | eprocess: 0xffffa80e39a6d080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e39a98000 | eprocess: 0xffffa80e39a98080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e39ab5000 | eprocess: 0xffffa80e39ab5080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e39b08000 | eprocess: 0xffffa80e39b08080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e39b84000 | eprocess: 0xffffa80e39b84080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e39c49000 | eprocess: 0xffffa80e39c49080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e39c89000 | eprocess: 0xffffa80e39c89080 | \Windows\System32\wbem\WmiPrvSE.exe | WmiPrvSE.exe
+pool: 0xffffa80e39dc5000 | eprocess: 0xffffa80e39dc5080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e39dc7040 | eprocess: 0xffffa80e39dc70c0 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e39ea0000 | eprocess: 0xffffa80e39ea0080 | \Windows\System32\spoolsv.exe | spoolsv.exe
+pool: 0xffffa80e39fc2040 | eprocess: 0xffffa80e39fc20c0 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e3a0ab000 | eprocess: 0xffffa80e3a0ab080 | \Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\ElevationManager\AdobeUpdateService.exe | AdobeUpdateSer
+pool: 0xffffa80e3a0ac000 | eprocess: 0xffffa80e3a0ac080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e3a0b11d0 | eprocess: 0xffffa80e3a0b1240 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e3a0b4000 | eprocess: 0xffffa80e3a0b4080 | \Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | armsvc.exe
+pool: 0xffffa80e3a1a7000 | eprocess: 0xffffa80e3a1a7080 | \Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGMService.exe | AGMService.exe
+pool: 0xffffa80e3a1a8000 | eprocess: 0xffffa80e3a1a8080 | \Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe | OfficeClickToR
+pool: 0xffffa80e3a1ab000 | eprocess: 0xffffa80e3a1ab080 | \Program Files\Docker\Docker\com.docker.service | com.docker.ser
+pool: 0xffffa80e3a1ac000 | eprocess: 0xffffa80e3a1ac080 | \Windows\System32\DriverStore\FileRepository\ki127176.inf_amd64_86c658cabfb17c9c\IntelCpHDCPSvc.exe | IntelCpHDCPSvc
+pool: 0xffffa80e3a21b000 | eprocess: 0xffffa80e3a21b080 | \Windows\System32\CxAudMsg64.exe | CxAudMsg64.exe
+pool: 0xffffa80e3a21c000 | eprocess: 0xffffa80e3a21c080 | \Program Files\CONEXANT\SA3\Dell-Notebook\CxUtilSvc.exe | CxUtilSvc.exe
+pool: 0xffffa80e3a245000 | eprocess: 0xffffa80e3a245080 | \Windows\System32\DbxSvc.exe | DbxSvc.exe
+pool: 0xffffa80e3a246000 | eprocess: 0xffffa80e3a246080 | \Windows\System32\wlanext.exe | wlanext.exe
+pool: 0xffffa80e3a24d000 | eprocess: 0xffffa80e3a24d080 | \Windows\System32\conhost.exe | conhost.exe
+pool: 0xffffa80e3a251000 | eprocess: 0xffffa80e3a251080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e3a27a000 | eprocess: 0xffffa80e3a27a080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e3a2a1000 | eprocess: 0xffffa80e3a2a1080 | \Windows\System32\sihost.exe | sihost.exe
+pool: 0xffffa80e3a2a9040 | eprocess: 0xffffa80e3a2a90c0 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e3a2ad1d0 | eprocess: 0xffffa80e3a2ad240 | \Windows\System32\ApplicationFrameHost.exe | ApplicationFra
+pool: 0xffffa80e3a2b2000 | eprocess: 0xffffa80e3a2b2080 | \Windows\System32\Intel\DPTF\esif_uf.exe | esif_uf.exe
+pool: 0xffffa80e3a2b4070 | eprocess: 0xffffa80e3a2b4100 | \Program Files\Intel\Intel(R) Online Connect Access\IntelTechnologyAccessService.exe | IntelTechnolog
+pool: 0xffffa80e3a2b5000 | eprocess: 0xffffa80e3a2b5080 | \Program Files\Intel\WiFi\bin\EvtEng.exe | EvtEng.exe
+pool: 0xffffa80e3a2b8000 | eprocess: 0xffffa80e3a2b8080 | \Windows\System32\FMService64.exe | FMService64.ex
+pool: 0xffffa80e3a2d5000 | eprocess: 0xffffa80e3a2d5080 | \Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe | IAStorIcon.exe
+pool: 0xffffa80e3a362000 | eprocess: 0xffffa80e3a362080 | \Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe | IpOverUsbSvc.e
+pool: 0xffffa80e3a363000 | eprocess: 0xffffa80e3a363080 | \Program Files\Intel\Intel(R) Online Connect Access\LegacyCsLoaderService.exe | LegacyCsLoader
+pool: 0xffffa80e3a36c080 | eprocess: 0xffffa80e3a36c100 | \Program Files (x86)\NVIDIA Corporation\NvTelemetry\NvTelemetryContainer.exe | NvTelemetryCon
+pool: 0xffffa80e3a37d000 | eprocess: 0xffffa80e3a37d080 | \Windows\SysWOW64\PnkBstrA.exe | PnkBstrA.exe
+pool: 0xffffa80e3a3a4000 | eprocess: 0xffffa80e3a3a4080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e3a3a5000 | eprocess: 0xffffa80e3a3a5080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e3a447000 | eprocess: 0xffffa80e3a447080 | \Program Files\Rivet Networks\SmartByte\SmartByteNetworkService.exe | SmartByteNetwo
+pool: 0xffffa80e3a448000 | eprocess: 0xffffa80e3a448080 | \Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe | sqlwriter.exe
+pool: 0xffffa80e3a44d000 | eprocess: 0xffffa80e3a44d080 | \Windows\ThunderboltService.exe | ThunderboltSer
+pool: 0xffffa80e3a44f000 | eprocess: 0xffffa80e3a44f080 | \Windows\System32\RtkAudUService64.exe | RtkAudUService
+pool: 0xffffa80e3a450000 | eprocess: 0xffffa80e3a450080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e3a514000 | eprocess: 0xffffa80e3a514080 | \Program Files\TrueColor\TrueColorALS.exe | TrueColorALS.e
+pool: 0xffffa80e3a51a000 | eprocess: 0xffffa80e3a51a080 | \Program Files\Intel\WiFi\bin\ZeroConfigService.exe | ZeroConfigServ
+pool: 0xffffa80e3a51b000 | eprocess: 0xffffa80e3a51b080 | \Program Files (x86)\TeamViewer\TeamViewer_Service.exe | TeamViewer_Ser
+pool: 0xffffa80e3a520000 | eprocess: 0xffffa80e3a520080 | \Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe | WDDriveService
+pool: 0xffffa80e3a521000 | eprocess: 0xffffa80e3a521080 | \Windows\System32\dasHost.exe | dasHost.exe
+pool: 0xffffa80e3a522000 | eprocess: 0xffffa80e3a522080 | \Program Files\Waves\MaxxAudio\WavesSysSvc64.exe | WavesSysSvc64.
+pool: 0xffffa80e3a562000 | eprocess: 0xffffa80e3a562080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e3a565000 | eprocess: 0xffffa80e3a565080 | \ProgramData\Microsoft\Windows Defender\Platform\4.18.2004.6-0\MsMpEng.exe | MsMpEng.exe
+pool: 0xffffa80e3a586000 | eprocess: 0xffffa80e3a586080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e3a587000 | eprocess: 0xffffa80e3a587080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e3a588000 | eprocess: 0xffffa80e3a588080 | \Windows\System32\DriverStore\FileRepository\ki127176.inf_amd64_86c658cabfb17c9c\igfxext.exe | igfxext.exe
+pool: 0xffffa80e3a589000 | eprocess: 0xffffa80e3a589080 | \Windows\System32\vmcompute.exe | vmcompute.exe
+pool: 0xffffa80e3a58b000 | eprocess: 0xffffa80e3a58b080 | \Windows\System32\wbem\unsecapp.exe | unsecapp.exe
+pool: 0xffffa80e3a58c000 | eprocess: 0xffffa80e3a58c080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e3a58d000 | eprocess: 0xffffa80e3a58d080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e3a592040 | eprocess: 0xffffa80e3a5920c0 | \Windows\System32\DriverStore\FileRepository\ki127176.inf_amd64_86c658cabfb17c9c\IntelCpHeciSvc.exe | IntelCpHeciSvc
+pool: 0xffffa80e3a593000 | eprocess: 0xffffa80e3a593080 | \Windows\System32\Intel\DPTF\dptf_helper.exe | dptf_helper.ex
+pool: 0xffffa80e3abf7000 | eprocess: 0xffffa80e3abf7080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e3ad6f000 | eprocess: 0xffffa80e3ad6f080 | \Windows\System32\dllhost.exe | dllhost.exe
+pool: 0xffffa80e3b05e040 | eprocess: 0xffffa80e3b05e0c0 | \Program Files (x86)\Google\Chrome\Application\chrome.exe | chrome.exe
+pool: 0xffffa80e3b08b000 | eprocess: 0xffffa80e3b08b080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e3b090000 | eprocess: 0xffffa80e3b090080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e3b0be000 | eprocess: 0xffffa80e3b0be080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e3b0bf000 | eprocess: 0xffffa80e3b0bf080 |  | GoogleUpdate.e
+pool: 0xffffa80e3b0e6040 | eprocess: 0xffffa80e3b0e60c0 | \Windows\System32\taskhostw.exe | taskhostw.exe
+pool: 0xffffa80e3b0f1000 | eprocess: 0xffffa80e3b0f1080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e3b0f3000 | eprocess: 0xffffa80e3b0f3080 | \Program Files (x86)\Dropbox\Update\DropboxUpdate.exe | DropboxUpdate.
+pool: 0xffffa80e3b18a000 | eprocess: 0xffffa80e3b18a080 | \Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe | PresentationFo
+pool: 0xffffa80e3b206060 | eprocess: 0xffffa80e3b2060c0 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e3b208000 | eprocess: 0xffffa80e3b208080 | \Windows\System32\ctfmon.exe | ctfmon.exe
+pool: 0xffffa80e3b27b000 | eprocess: 0xffffa80e3b27b080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e3b2d9000 | eprocess: 0xffffa80e3b2d9080 |  | userinit.exe
+pool: 0xffffa80e3b3b9040 | eprocess: 0xffffa80e3b3b90c0 | \Windows\explorer.exe | explorer.exe
+pool: 0xffffa80e3b3f6000 | eprocess: 0xffffa80e3b3f6080 |  | cmd.exe
+pool: 0xffffa80e3b428000 | eprocess: 0xffffa80e3b428080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e3b429000 | eprocess: 0xffffa80e3b429080 | \Windows\System32\InputMethod\CHS\ChsIME.exe | ChsIME.exe
+pool: 0xffffa80e3b49d120 | eprocess: 0xffffa80e3b49d180 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e3b4a00c0 | eprocess: 0xffffa80e3b4a0140 | \Windows\System32\SearchIndexer.exe | SearchIndexer.
+pool: 0xffffa80e3b661000 | eprocess: 0xffffa80e3b661080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e3b698000 | eprocess: 0xffffa80e3b698080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e3b6cd000 | eprocess: 0xffffa80e3b6cd080 | \Windows\System32\DriverStore\FileRepository\ki127176.inf_amd64_86c658cabfb17c9c\igfxEM.exe | igfxEM.exe
+pool: 0xffffa80e3b74f000 | eprocess: 0xffffa80e3b74f080 | \ProgramData\Microsoft\Windows Defender\Platform\4.18.2004.6-0\NisSrv.exe | NisSrv.exe
+pool: 0xffffa80e3b8cf000 | eprocess: 0xffffa80e3b8cf080 | \Windows\System32\RuntimeBroker.exe | RuntimeBroker.
+pool: 0xffffa80e3b9de000 | eprocess: 0xffffa80e3b9de080 | \Windows\System32\RuntimeBroker.exe | RuntimeBroker.
+pool: 0xffffa80e3bac5040 | eprocess: 0xffffa80e3bac50c0 |  | HxTsr.exe
+pool: 0xffffa80e3bad6040 | eprocess: 0xffffa80e3bad60c0 | \Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | StartMenuExper
+pool: 0xffffa80e3bbbb000 | eprocess: 0xffffa80e3bbbb080 | \Windows\System32\RuntimeBroker.exe | RuntimeBroker.
+pool: 0xffffa80e3bc0b000 | eprocess: 0xffffa80e3bc0b080 | \Program Files\WindowsApps\FACEBOOK.317180B0BB486_520.3.60.0_x64__8xx8rvfyw5nnt\app\Messenger.exe | Messenger.exe
+pool: 0xffffa80e3bc83000 | eprocess: 0xffffa80e3bc83080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e3bccc040 | eprocess: 0xffffa80e3bccc0c0 | \Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | ShellExperienc
+pool: 0xffffa80e3bd1e000 | eprocess: 0xffffa80e3bd1e080 | \Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe | TextInputHost.
+pool: 0xffffa80e3be13040 | eprocess: 0xffffa80e3be130c0 | \Windows\System32\MicrosoftEdgeCP.exe | MicrosoftEdgeC
+pool: 0xffffa80e3be2a000 | eprocess: 0xffffa80e3be2a080 | \Program Files\WindowsApps\Microsoft.SkypeApp_14.56.102.0_x64__kzf8qxf38zg5c\SkypeApp.exe | SkypeApp.exe
+pool: 0xffffa80e3be3f000 | eprocess: 0xffffa80e3be3f080 | \Windows\System32\RuntimeBroker.exe | RuntimeBroker.
+pool: 0xffffa80e3bea3000 | eprocess: 0xffffa80e3bea3080 | \Windows\System32\RtkAudUService64.exe | RtkAudUService
+pool: 0xffffa80e3bf6d000 | eprocess: 0xffffa80e3bf6d080 | \Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe | LockApp.exe
+pool: 0xffffa80e3bfd6000 | eprocess: 0xffffa80e3bfd6080 | \Program Files\WindowsApps\Microsoft.SkypeApp_14.56.102.0_x64__kzf8qxf38zg5c\SkypeBackgroundHost.exe | SkypeBackgroun
+pool: 0xffffa80e442ac000 | eprocess: 0xffffa80e442ac080 |  | IAStorIconLaun
+pool: 0xffffa80e442b3000 | eprocess: 0xffffa80e442b3080 | \Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe | CAudioFilterAg
+pool: 0xffffa80e443d8040 | eprocess: 0xffffa80e443d80c0 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e44480020 | eprocess: 0xffffa80e44480080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e444f5020 | eprocess: 0xffffa80e444f5080 | \Windows\System32\RuntimeBroker.exe | RuntimeBroker.
+pool: 0xffffa80e4452f000 | eprocess: 0xffffa80e4452f080 | \Program Files (x86)\Google\Chrome\Application\chrome.exe | chrome.exe
+pool: 0xffffa80e445be000 | eprocess: 0xffffa80e445be080 | \Program Files (x86)\Google\Chrome\Application\chrome.exe | chrome.exe
+pool: 0xffffa80e445c4000 | eprocess: 0xffffa80e445c4080 | \Program Files\Dell\DellDataVault\DDVRulesProcessor.exe | DDVRulesProces
+pool: 0xffffa80e445e6000 | eprocess: 0xffffa80e445e6080 | \Windows\System32\SecurityHealthService.exe | SecurityHealth
+pool: 0xffffa80e445e8000 | eprocess: 0xffffa80e445e8080 | \Windows\System32\SecurityHealthSystray.exe | SecurityHealth
+pool: 0xffffa80e44613040 | eprocess: 0xffffa80e446130c0 | \Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | SearchApp.exe
+pool: 0xffffa80e446fb000 | eprocess: 0xffffa80e446fb080 | \Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler.exe | GoogleCrashHan
+pool: 0xffffa80e4474c000 | eprocess: 0xffffa80e4474c080 | \Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler64.exe | GoogleCrashHan
+pool: 0xffffa80e44771140 | eprocess: 0xffffa80e447711c0 | \Windows\ImmersiveControlPanel\SystemSettings.exe | SystemSettings
+pool: 0xffffa80e44773050 | eprocess: 0xffffa80e447730c0 | \Windows\System32\Speech_OneCore\common\SpeechRuntime.exe | SpeechRuntime.
+pool: 0xffffa80e448f5000 | eprocess: 0xffffa80e448f5080 | \Windows\System32\conhost.exe | conhost.exe
+pool: 0xffffa80e449eb000 | eprocess: 0xffffa80e449eb080 | \Program Files\WindowsApps\FACEBOOK.317180B0BB486_520.3.60.0_x64__8xx8rvfyw5nnt\app\Messenger.exe | Messenger.exe
+pool: 0xffffa80e44cec000 | eprocess: 0xffffa80e44cec080 | \Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe | jhi_service.ex
+pool: 0xffffa80e44cee000 | eprocess: 0xffffa80e44cee080 | \Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe | IAStorDataMgrS
+pool: 0xffffa80e44eb3000 | eprocess: 0xffffa80e44eb3080 | \Program Files (x86)\Google\Chrome\Application\chrome.exe | chrome.exe
+pool: 0xffffa80e45154040 | eprocess: 0xffffa80e451540c0 | \Windows\System32\msdtc.exe | msdtc.exe
+pool: 0xffffa80e451c8040 | eprocess: 0xffffa80e451c80c0 | \Program Files\Dell\DellDataVault\DDVDataCollector.exe | DDVDataCollect
+pool: 0xffffa80e451f0000 | eprocess: 0xffffa80e451f0080 | \Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe | LMS.exe
+pool: 0xffffa80e451f4000 | eprocess: 0xffffa80e451f4080 | \Windows\System32\vmwp.exe | vmwp.exe
+pool: 0xffffa80e45208000 | eprocess: 0xffffa80e45208080 | \Program Files\Dell\DellDataVault\DDVCollectorSvcApi.exe | DDVCollectorSv
+pool: 0xffffa80e45235040 | eprocess: 0xffffa80e452350c0 | \ProgramData\Microsoft\Windows Defender\Scans\MsMpEngCP.exe | MsMpEngCP.exe
+pool: 0xffffa80e452f7050 | eprocess: 0xffffa80e452f70c0 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e453c9040 | eprocess: 0xffffa80e453c90c0 | \Windows\System32\conhost.exe | conhost.exe
+pool: 0xffffa80e453eb040 | eprocess: 0xffffa80e453eb0c0 | \Windows\System32\dllhost.exe | dllhost.exe
+pool: 0xffffa80e4549e000 | eprocess: 0xffffa80e4549e080 | \Program Files\Docker\Docker\Docker Desktop.exe | Docker Desktop
+pool: 0xffffa80e45502040 | eprocess: 0xffffa80e455020c0 |  | sacpl.exe
+pool: 0xffffa80e45554000 | eprocess: 0xffffa80e45554080 | \Program Files\CONEXANT\SA3\Dell-Notebook\SmartAudio3.exe | SmartAudio3.ex
+pool: 0xffffa80e455d9040 | eprocess: 0xffffa80e455d90c0 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e455eb000 | eprocess: 0xffffa80e455eb080 | \Program Files\WindowsApps\FACEBOOK.317180B0BB486_520.3.60.0_x64__8xx8rvfyw5nnt\app\Messenger.exe | Messenger.exe
+pool: 0xffffa80e45690020 | eprocess: 0xffffa80e45690080 | \Program Files\Intel\Intel(R) Online Connect\ioc.exe | ioc.exe
+pool: 0xffffa80e45859000 | eprocess: 0xffffa80e45859080 | \Program Files\Dolby\Dolby DAX2\DAX2_API\DolbyDAX2API.exe | DolbyDAX2API.e
+pool: 0xffffa80e45ae3000 | eprocess: 0xffffa80e45ae3080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e45b22000 | eprocess: 0xffffa80e45b22080 |  | vmmem
+pool: 0xffffa80e45b35040 | eprocess: 0xffffa80e45b350c0 | \ProgramData\Docker\cli-plugins\docker-mutagen.exe | docker-mutagen
+pool: 0xffffa80e45b46040 | eprocess: 0xffffa80e45b460c0 | \Program Files\Docker\Docker\resources\com.docker.backend.exe | com.docker.bac
+pool: 0xffffa80e45b79040 | eprocess: 0xffffa80e45b790c0 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e45b88090 | eprocess: 0xffffa80e45b88100 |  | nvapiw.exe
+pool: 0xffffa80e45dcc000 | eprocess: 0xffffa80e45dcc080 | \Windows\System32\SgrmBroker.exe | SgrmBroker.exe
+pool: 0xffffa80e45dd7000 | eprocess: 0xffffa80e45dd7080 | \Program Files\Dell\SupportAssistAgent\bin\SupportAssistAgent.exe | SupportAssistA
+pool: 0xffffa80e47872000 | eprocess: 0xffffa80e47872080 | \Program Files\WindowsApps\AcrobatNotificationClient_1.0.4.0_x86__e1rzdqpraam7r\AcrobatNotificationClient.exe | AcrobatNotific
+pool: 0xffffa80e479c5040 | eprocess: 0xffffa80e479c50c0 | \Program Files\Dell\DellDataVault\nvapiw.exe | nvapiw.exe
+pool: 0xffffa80e479c6000 | eprocess: 0xffffa80e479c6080 | \Windows\System32\conhost.exe | conhost.exe
+pool: 0xffffa80e47b090f0 | eprocess: 0xffffa80e47b09180 | \Windows\System32\conhost.exe | conhost.exe
+pool: 0xffffa80e47b100f0 | eprocess: 0xffffa80e47b10180 | \Windows\System32\lxss\wslhost.exe | wslhost.exe
+pool: 0xffffa80e47b3a0f0 | eprocess: 0xffffa80e47b3a180 | \Windows\System32\wsl.exe | wsl.exe
+pool: 0xffffa80e47df0000 | eprocess: 0xffffa80e47df0080 | \Program Files\Docker\Docker\resources\vpnkit-bridge.exe | vpnkit-bridge.
+pool: 0xffffa80e47ea0000 | eprocess: 0xffffa80e47ea0080 | \Windows\System32\conhost.exe | conhost.exe
+pool: 0xffffa80e47ead000 | eprocess: 0xffffa80e47ead080 | \Windows\System32\conhost.exe | conhost.exe
+pool: 0xffffa80e47ec2000 | eprocess: 0xffffa80e47ec2080 | \Windows\System32\wsl.exe | wsl.exe
+pool: 0xffffa80e47ec5000 | eprocess: 0xffffa80e47ec5080 | \Windows\System32\lxss\wslhost.exe | wslhost.exe
+pool: 0xffffa80e47ee8000 | eprocess: 0xffffa80e47ee8080 | \Windows\System32\lxss\wslhost.exe | wslhost.exe
+pool: 0xffffa80e47ee9000 | eprocess: 0xffffa80e47ee9080 | \Program Files\Docker\Docker\resources\vpnkit.exe | vpnkit.exe
+pool: 0xffffa80e47eeb040 | eprocess: 0xffffa80e47eeb0c0 | \Windows\System32\wsl.exe | wsl.exe
+pool: 0xffffa80e47f18000 | eprocess: 0xffffa80e47f18080 | \Windows\System32\conhost.exe | conhost.exe
+pool: 0xffffa80e47f19000 | eprocess: 0xffffa80e47f19080 | \Windows\System32\conhost.exe | conhost.exe
+pool: 0xffffa80e47f42000 | eprocess: 0xffffa80e47f42080 | \Program Files\Docker\Docker\resources\com.docker.proxy.exe | com.docker.pro
+pool: 0xffffa80e47fa9000 | eprocess: 0xffffa80e47fa9080 | \Windows\System32\lxss\wslhost.exe | wslhost.exe
+pool: 0xffffa80e47fd8000 | eprocess: 0xffffa80e47fd8080 | \Windows\System32\lxss\wslhost.exe | wslhost.exe
+pool: 0xffffa80e47fda000 | eprocess: 0xffffa80e47fda080 | \Windows\System32\conhost.exe | conhost.exe
+pool: 0xffffa80e48002040 | eprocess: 0xffffa80e480020c0 | \Windows\System32\conhost.exe | conhost.exe
+pool: 0xffffa80e4800b000 | eprocess: 0xffffa80e4800b080 | \Program Files\Rivet Networks\SmartByte\SmartByteTelemetry.exe | SmartByteTelem
+pool: 0xffffa80e48024040 | eprocess: 0xffffa80e480240c0 | \Windows\System32\conhost.exe | conhost.exe
+pool: 0xffffa80e48029000 | eprocess: 0xffffa80e48029080 | \Windows\System32\RuntimeBroker.exe | RuntimeBroker.
+pool: 0xffffa80e48077040 | eprocess: 0xffffa80e480770c0 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e48102040 | eprocess: 0xffffa80e481020c0 | \Windows\System32\wsl.exe | wsl.exe
+pool: 0xffffa80e48171040 | eprocess: 0xffffa80e481710c0 | \Program Files\Docker\Docker\resources\com.docker.wsl-distro-proxy.exe | com.docker.wsl
+pool: 0xffffa80e48189000 | eprocess: 0xffffa80e48189080 | \Windows\System32\dllhost.exe | dllhost.exe
+pool: 0xffffa80e4846c1d0 | eprocess: 0xffffa80e4846c240 |  | HxTsr.exe
+pool: 0xffffa80e48470000 | eprocess: 0xffffa80e48470080 | \Program Files\WindowsApps\AdobeNotificationClient_1.0.1.22_x86__enpm4xejd91yc\AdobeNotificationClient.exe | AdobeNotificat
+pool: 0xffffa80e48480040 | eprocess: 0xffffa80e484800c0 | \Windows\System32\conhost.exe | conhost.exe
+pool: 0xffffa80e4854d040 | eprocess: 0xffffa80e4854d0c0 | \Windows\System32\MicrosoftEdgeSH.exe | MicrosoftEdgeS
+pool: 0xffffa80e485541d0 | eprocess: 0xffffa80e48554240 | \Windows\System32\rundll32.exe | rundll32.exe
+pool: 0xffffa80e4858a040 | eprocess: 0xffffa80e4858a0c0 | \Windows\System32\RuntimeBroker.exe | RuntimeBroker.
+pool: 0xffffa80e485c0040 | eprocess: 0xffffa80e485c00c0 | \Windows\System32\RuntimeBroker.exe | RuntimeBroker.
+pool: 0xffffa80e4879c040 | eprocess: 0xffffa80e4879c0c0 |  | AcroRd32.exe
+pool: 0xffffa80e499c5040 | eprocess: 0xffffa80e499c50c0 | \Windows\System32\browser_broker.exe | browser_broker
+pool: 0xffffa80e4a2d6040 | eprocess: 0xffffa80e4a2d60c0 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e4a2f0050 | eprocess: 0xffffa80e4a2f00c0 | \Program Files (x86)\Google\Chrome\Application\chrome.exe | chrome.exe
+pool: 0xffffa80e4a85a0c0 | eprocess: 0xffffa80e4a85a140 | \Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | MicrosoftEdge.
+pool: 0xffffa80e4a8a5000 | eprocess: 0xffffa80e4a8a5080 | \Windows\System32\RuntimeBroker.exe | RuntimeBroker.
+pool: 0xffffa80e4ac35040 | eprocess: 0xffffa80e4ac350c0 | \Program Files (x86)\Google\Chrome\Application\chrome.exe | chrome.exe
+pool: 0xffffa80e4ac6c000 | eprocess: 0xffffa80e4ac6c080 |  | chrome.exe
+pool: 0xffffa80e4acdc040 | eprocess: 0xffffa80e4acdc0c0 | \Program Files\WindowsApps\FACEBOOK.317180B0BB486_520.3.60.0_x64__8xx8rvfyw5nnt\app\Messenger.exe | Messenger.exe
+pool: 0xffffa80e4b03d050 | eprocess: 0xffffa80e4b03d0c0 | \Program Files (x86)\Google\Chrome\Application\chrome.exe | chrome.exe
+pool: 0xffffa80e4b335040 | eprocess: 0xffffa80e4b3350c0 | \Program Files (x86)\Google\Chrome\Application\chrome.exe | chrome.exe
+pool: 0xffffa80e4b4840c0 | eprocess: 0xffffa80e4b484140 | \Program Files (x86)\Google\Chrome\Application\chrome.exe | chrome.exe
+pool: 0xffffa80e4b8d5040 | eprocess: 0xffffa80e4b8d50c0 | \Program Files (x86)\Google\Chrome\Application\chrome.exe | chrome.exe
+pool: 0xffffa80e4ba1b040 | eprocess: 0xffffa80e4ba1b0c0 |  | VirtualBoxVM.e
+pool: 0xffffa80e4bbdb040 | eprocess: 0xffffa80e4bbdb0c0 | \Program Files (x86)\Google\Chrome\Application\chrome.exe | chrome.exe
+pool: 0xffffa80e4bbec040 | eprocess: 0xffffa80e4bbec0c0 | \Program Files (x86)\Google\Chrome\Application\chrome.exe | chrome.exe
+pool: 0xffffa80e4bc24040 | eprocess: 0xffffa80e4bc240c0 | \Program Files (x86)\Google\Chrome\Application\chrome.exe | chrome.exe
+pool: 0xffffa80e4bc46040 | eprocess: 0xffffa80e4bc460c0 | \Program Files (x86)\Google\Chrome\Application\chrome.exe | chrome.exe
+pool: 0xffffa80e4bc68040 | eprocess: 0xffffa80e4bc680c0 | \Program Files (x86)\Google\Chrome\Application\chrome.exe | chrome.exe
+pool: 0xffffa80e4bc8a040 | eprocess: 0xffffa80e4bc8a0c0 | \Program Files (x86)\Google\Chrome\Application\chrome.exe | chrome.exe
+pool: 0xffffa80e4bcce040 | eprocess: 0xffffa80e4bcce0c0 | \Program Files (x86)\Google\Chrome\Application\chrome.exe | chrome.exe
+pool: 0xffffa80e4bcdf040 | eprocess: 0xffffa80e4bcdf0c0 | \Program Files (x86)\Google\Chrome\Application\chrome.exe | chrome.exe
+pool: 0xffffa80e4bd02040 | eprocess: 0xffffa80e4bd020c0 | \Program Files (x86)\Google\Chrome\Application\chrome.exe | chrome.exe
+pool: 0xffffa80e4bd24040 | eprocess: 0xffffa80e4bd240c0 | \Program Files (x86)\Google\Chrome\Application\chrome.exe | chrome.exe
+pool: 0xffffa80e4bd67040 | eprocess: 0xffffa80e4bd670c0 | \Program Files (x86)\Google\Chrome\Application\chrome.exe | chrome.exe
+pool: 0xffffa80e4bd9a040 | eprocess: 0xffffa80e4bd9a0c0 | \Program Files (x86)\Google\Chrome\Application\chrome.exe | chrome.exe
+pool: 0xffffa80e4bdcd040 | eprocess: 0xffffa80e4bdcd0c0 | \My Programs\fvim-win-x64\FVim.exe | FVim.exe
+pool: 0xffffa80e4be02040 | eprocess: 0xffffa80e4be020c0 | \Program Files (x86)\Google\Chrome\Application\chrome.exe | chrome.exe
+pool: 0xffffa80e4be03000 | eprocess: 0xffffa80e4be03080 | \Program Files (x86)\Google\Chrome\Application\chrome.exe | chrome.exe
+pool: 0xffffa80e4bedd000 | eprocess: 0xffffa80e4bedd080 | \Program Files (x86)\Google\Chrome\Application\chrome.exe | chrome.exe
+pool: 0xffffa80e4bf961d0 | eprocess: 0xffffa80e4bf96240 | \tools\neovim\Neovim\bin\nvim.exe | nvim.exe
+pool: 0xffffa80e4c024040 | eprocess: 0xffffa80e4c0240c0 | \Program Files (x86)\Google\Chrome\Application\chrome.exe | chrome.exe
+pool: 0xffffa80e4c04f000 | eprocess: 0xffffa80e4c04f080 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e4c387020 | eprocess: 0xffffa80e4c387080 | \Windows\System32\dllhost.exe | dllhost.exe
+pool: 0xffffa80e4c74c090 | eprocess: 0xffffa80e4c74c100 | \Windows\System32\svchost.exe | svchost.exe
+pool: 0xffffa80e4c7b9040 | eprocess: 0xffffa80e4c7b90c0 | \Program Files (x86)\Windows Kits\10\Debuggers\x64\windbg.exe | windbg.exe
+pool: 0xffffa80e4cec0040 | eprocess: 0xffffa80e4cec00c0 | \Program Files (x86)\Google\Chrome\Application\chrome.exe | chrome.exe
+pool: 0xffffa80e4d5f2000 | eprocess: 0xffffa80e4d5f2080 |  | chrome.exe
+pool: 0xffffa80e4d6061d0 | eprocess: 0xffffa80e4d606240 | \Windows\System32\conhost.exe | conhost.exe
+pool: 0xffffa80e4d985040 | eprocess: 0xffffa80e4d9850c0 | \Program Files (x86)\Google\Chrome\Application\chrome.exe | chrome.exe
+pool: 0xffffa80e4da281c0 | eprocess: 0xffffa80e4da28240 | \Windows\System32\conhost.exe | conhost.exe
+pool: 0xffffa80e4dc3a000 | eprocess: 0xffffa80e4dc3a080 | \Program Files (x86)\Google\Chrome\Application\chrome.exe | chrome.exe
+pool: 0xffffa80e4dc79040 | eprocess: 0xffffa80e4dc790c0 | \Windows\explorer.exe | explorer.exe
+pool: 0xffffa80e4df44000 | eprocess: 0xffffa80e4df44080 | \Program Files (x86)\Google\Chrome\Application\chrome.exe | chrome.exe
+pool: 0xffffa80e4dfc41c0 | eprocess: 0xffffa80e4dfc4240 | \Users\nganhkhoa\AppData\Local\nvim\plugged\LanguageClient-neovim\bin\languageclient.exe | languageclient
+pool: 0xffffa80e4e00b000 | eprocess: 0xffffa80e4e00b080 | \Windows\System32\conhost.exe | conhost.exe
+pool: 0xffffa80e4e026000 | eprocess: 0xffffa80e4e026080 | \Users\nganhkhoa\Desktop\findDbgBlock\parsePDBforOffsets\target\debug\eprocess_scan.exe | eprocess_scan.
+pool: 0xffffa80e4e08f000 | eprocess: 0xffffa80e4e08f080 | \Program Files (x86)\Google\Chrome\Application\chrome.exe | chrome.exe
+pool: 0xffffa80e4e131000 | eprocess: 0xffffa80e4e131080 | \Program Files\WindowsApps\FACEBOOK.317180B0BB486_520.3.60.0_x64__8xx8rvfyw5nnt\app\Messenger.exe | Messenger.exe
+pool: 0xffffa80e4e16f0a0 | eprocess: 0xffffa80e4e16f100 | \Windows\System32\SearchProtocolHost.exe | SearchProtocol
+pool: 0xffffa80e4e4ac040 | eprocess: 0xffffa80e4e4ac0c0 | \Program Files\WindowsApps\Microsoft.YourPhone_1.20051.90.0_x64__8wekyb3d8bbwe\YourPhone.exe | YourPhone.exe
+pool: 0xffffa80e4e779040 | eprocess: 0xffffa80e4e7790c0 | \Windows\System32\cmd.exe | cmd.exe
+pool: 0xffffa80e4e9b2040 | eprocess: 0xffffa80e4e9b20c0 | \Program Files\WindowsApps\FACEBOOK.317180B0BB486_520.3.60.0_x64__8xx8rvfyw5nnt\app\Messenger.exe | Messenger.exe
+pool: 0xffffa80e4e9e5040 | eprocess: 0xffffa80e4e9e50c0 | \Windows\System32\conhost.exe | conhost.exe
+pool: 0xffffa80e4ea05000 | eprocess: 0xffffa80e4ea05080 | \Windows\System32\cmd.exe | cmd.exe
+pool: 0xffffa80e4ea9b040 | eprocess: 0xffffa80e4ea9b0c0 |  | nvapiw.exe
+pool: 0xffffa80e4ee02040 | eprocess: 0xffffa80e4ee020c0 | \Windows\System32\RuntimeBroker.exe | RuntimeBroker.
+pool: 0xffffa80e4ee3f1d0 | eprocess: 0xffffa80e4ee3f240 | \Program Files\WindowsApps\Microsoft.Windows.Photos_2020.20050.19001.0_x64__8wekyb3d8bbwe\Microsoft.Photos.exe | Microsoft.Phot
+pool: 0xffffa80e4efb5040 | eprocess: 0xffffa80e4efb50c0 | \Windows\System32\SearchProtocolHost.exe | SearchProtocol
+pool: 0xffffa80e4f3ea040 | eprocess: 0xffffa80e4f3ea0c0 | \Program Files (x86)\Google\Chrome\Application\chrome.exe | chrome.exe
+pool: 0xffffa80e4f3ee1d0 | eprocess: 0xffffa80e4f3ee240 | \tools\neovim\Neovim\bin\winpty-agent.exe | winpty-agent.e
+pool: 0xffffa80e4f4e1040 | eprocess: 0xffffa80e4f4e10c0 | \Program Files\Notepad++\notepad++.exe | notepad++.exe
+pool: 0xffffa80e4f55e040 | eprocess: 0xffffa80e4f55e0c0 | \Program Files (x86)\Google\Chrome\Application\chrome.exe | chrome.exe
+pool: 0xffffa80e4f5610c0 | eprocess: 0xffffa80e4f561140 | \Windows\System32\SearchFilterHost.exe | SearchFilterHo
+pool: 0xffffa80e4f5621d0 | eprocess: 0xffffa80e4f562240 | \Windows\System32\RuntimeBroker.exe | RuntimeBroker.
+NtUnloadDriver() -> 0x0
--- a/logs/file_object_scan_log_2.txt
+++ b/logs/file_object_scan_log_2.txt
--- a/nonpaged-pool-range.md
+++ b/nonpaged-pool-range.md
@ -0,0 +1,80 @@
+> If you came here for `MmNonPagedPoolStart`, `MmNonPagedPoolEnd`, you ended up at the right place.
+
+`NonPagedPool` in Windows has two variables that defined the start and end of the section in kernel memory. Online blog posts and tutorials show an outdated version of these two variables.
+
+Take a look at [this old post](https://web.archive.org/web/20061110120809/http://www.rootkit.com/newsread.php?newsid=153). `_DBGKD_GET_VERSION64 KdVersionBlock` was a very important structure into the debugger block of Windows. However, if you try to find this structure in Windows 10, you will hit `KdVersionBlock == 0` (Ouch!!!). But this structure provides offset into `MmNonPagedPool{Start,End}`, how can we get those?
+
+Luckily, both `MmNonPagedPoolStart` and `MmNonPagedPoolEnd` in Windows XP, can be found by offseting from `ntoskrnl.exe`. Rekall team are very positive that their tools doesn't rely on profiles file like Volatility but use PDB provided by Windows to find these values.
+
+In [Rekall source code](https://github.com/google/rekall/blob/c5d68e31705f4b5bd2581c1d951b7f6983f7089c/rekall-core/rekall/plugins/windows/pool.py#L87), the values of those variables are:
+
+- Windows XP: `MmNonPagedPool{Start,End}`
+- Windows 7 and maybe 8: `MiNonPagedPoolStartAligned`, `MiNonPagedPoolEnd`, and `MiNonPagedPoolBitMap`
+
+In Windows 7, 8, another field was added to controll the allocation of `NonPagedPool`, which is also mentioned in [this paper about pool tag quick scanning](https://www.sciencedirect.com/science/article/pii/S1742287616000062).
+
+However, from Windows 10, the whole game changed around when the global offset to those (similar) variables are gone. Instead Windows 10 introduced a new variable `MiState`. `MiState` offset is available and we can get those start/end variables by either:
+
+- Windows 2015: `(_MI_SYSTEM_INFORMATION*)(MiState)->SystemNodeInformation.NonPagedPool{First,Last}Va`
+- Windows 2016: `(_MI_SYSTEM_INFORMATION*)(MiState)->Hardware.SystemNodeInformation.NonPagedPool{First,Last}Va`
+
+The `NonPagedBitMap` was still visible untill the May 2019 Update, here, take a look at these 2 consecutive update [`1809 Redstone 5 (October Update)`](https://www.vergiliusproject.com/kernels/x64/Windows%2010%20%7C%202016/1809%20Redstone%205%20(October%20Update)/\_MI\_SYSTEM\_NODE\_INFORMATION) and [`1903 19H1 (May 2019 Update)`](https://www.vergiliusproject.com/kernels/x64/Windows%2010%20%7C%202016/1903%2019H1%20(May%202019%20Update)/\_MI\_SYSTEM\_NODE\_INFORMATION).
+
+Windows OS changes quite frequently right? Tell you more, I am using the Insider version of Windows in 2020, and guess what, I found out that they put another struct to point to those value. So now we need to go like this:
+
+- Windows 2020 Insider preview: `*(_MI_SYSTEM_INFORMATION*)(MiState)->Hardware.SystemNodeNonPagedPool.NonPagedPool{First,Last}Va`
+
+> If you go with low-level, then you only care about the offset and formula to get those variables but knowing the structure is well benefit.
+
+Anyway, I create this project to help me with my thesis, following outdated structs online yields no result. Oh, yeah, a guy seems to be asking on [how to get `MmNonPagedPoolStart`](https://reverseengineering.stackexchange.com/q/6483) on `stackexchange`, too bad [the answer](https://reverseengineering.stackexchange.com/a/6487) is not so much helpful.
+
+----
+
+Global variables offset are parsed from the PDB file and can be queried by `nt!` in Windbg. In a kernel driver, we need to get the kernel base address (which is `nt!`). Kernel base address is the loaded address of `ntoskrnl.exe`. There is a shellcode to get the address [here](https://gist.github.com/Barakat/34e9924217ed81fd78c9c92d746ec9c6), using IDT table. But when I use the shellcode with the Windows Insider preview 2020, the address is wrong (it still a loaded PE though). Other ways to get the address are listed [here](https://m0uk4.gitbook.io/notebooks/mouka/windowsinternal/find-kernel-module-address-todo). And hereby I present another way to get the kernel base address.
+
+A device driver can get a pointer to an `_EPROCESS` through the use of `PEPROCESS IoGetCurrentProcess`. And as we know, `_EPROCESS` has pointer to other `_EPROCESS` as a circular doubly linked list. If we dump them all out, we can notice a few things:
+
+- The image name returned by calling `IoGetCurrentProcess` in `DriverEntry` is `System`
+- The `_EPROCESS` before `System` is somehow empty
+
+```cpp
+// in DriverEntry
+PVOID eprocess = (PVOID)IoGetCurrentProcess();
+
+// somewhere after offsets are setup
+DbgPrint("eprocess : 0x%p, [%15s]\n", eprocess, (char*)((ULONG64)eprocess + ImageBaseNameOffset));
+for (int i = 0; i < 100; i++) {
+  eprocess = (PVOID)(*(ULONG64*)((ULONG64)eprocess + ActiveProcessLinksOffset) - ActiveProcessLinksOffset);
+  DbgPrint("eprocess : 0x%p, [%15s]\n", eprocess, (char*)((ULONG64)eprocess + ImageBaseOffset));
+}
+
+// sample output
+eprocess : 0xFFFFF8037401F528, [               ]
+eprocess : 0xFFFF840F5A0D9080, [         System]
+eprocess : 0xFFFF840F5A28C040, [  Secure System]
+eprocess : 0xFFFF840F5A2EF040, [       Registry]
+eprocess : 0xFFFF840F622BF040, [       smss.exe]
+eprocess : 0xFFFF840F6187D080, [       smss.exe]
+eprocess : 0xFFFF840F6263D140, [      csrss.exe]
+eprocess : 0xFFFF840F6277F0C0, [       smss.exe]
+eprocess : 0xFFFF840F627C2080, [    wininit.exe]
+eprocess : 0xFFFF840F64187140, [      csrss.exe]
+eprocess : 0xFFFF840F641CD080, [   services.exe]
+```
+
+And if we debug and compare the address of that `Empty _EPROCESS+ActiveProcessLinksOffset` with `nt!PsActiveProcessHead`, it is just the same. And with the given offset parsed from the PDB file, we can get kernel base address.
+
+```cpp
+// In DriverEntry
+PVOID eprocess = (PVOID)IoGetCurrentProcess();
+
+// somwhere after offsets are setup
+DbgPrint("eprocess               : 0x%p, [%15s]\n", eprocess, (char*)((ULONG64)eprocess + ImageBaseNameOffset));
+PVOID processHead = (PVOID)(*(ULONG64*)((ULONG64)eprocess + ActiveProcessLinksOffset + BLinkOffset));
+DbgPrint("PsActiveProcessHead    : 0x%p\n", processHead);
+PVOID ntosbase = (PVOID)((ULONG64)processHead - ActiveHeadOffset);
+DbgPrint("ntoskrnl.exe           : 0x%p\n", ntosbase);
+```
+
+From now we have successfully get the kernel base address to index into other global variables.
+
--- a/other/parse_file_scan_result.py
+++ b/other/parse_file_scan_result.py
@ -0,0 +1,20 @@
+import sys
+import re
+
+s = list(filter(lambda x: "unicode" in x, open(sys.argv[1], 'r').read().split('\n')))
+
+
+m = re.compile(r"unicode str: (0x[0-9a-f]+) size: (0x[0-9a-f]+) capacity: (0x[0-9a-f]+)")
+
+ss = list(filter(lambda x: int(x[0], 16) != 0 and int(x[1], 16) <= int(x[2], 16) and int(x[1], 16) != 0 and int(x[1], 16) % 2 == 0,
+                 map(lambda x: m.match(x).group(1,2,3), s)))
+
+aa = set()
+bb = set()
+
+for (a, s, c) in ss:
+    if a in aa or a in bb:
+        continue
+    aa.add(a)
+    # print("du", a, "|", s, c)
+    print("du", a)
--- a/src/bin/eprocess_scan.rs
+++ b/src/bin/eprocess_scan.rs
@ -0,0 +1,91 @@
+use std::error::Error;
+use std::str::{from_utf8};
+use chrono::Utc;
+use chrono::{DateTime};
+use std::time::{UNIX_EPOCH, Duration};
+
+use lpus::{
+    driver_state::{DriverState /* , EprocessPoolChunk */}
+};
+
+#[allow(dead_code)]
+fn to_str_time(time_ms: u64) -> String {
+    if time_ms == 0 {
+        return "".to_string();
+    }
+    let d = UNIX_EPOCH + Duration::from_millis(time_ms);
+    let datetime = DateTime::<Utc>::from(d);
+    let timestamp_str = datetime.format("%Y-%m-%d %H:%M:%S.%f").to_string();
+    timestamp_str
+}
+
+fn main() -> Result<(), Box<dyn Error>> {
+    // for windows admin require
+    // https://github.com/nabijaczleweli/rust-embed-resource
+
+    let mut driver = DriverState::new();
+    println!("NtLoadDriver()   -> 0x{:x}", driver.startup());
+
+    // let eprocess_scan_head = driver.scan_active_head(ntosbase)?;
+    // let mut eprocess_list: Vec<EprocessPoolChunk> = Vec::new();
+    driver.scan_pool(b"Proc", |pool_addr, header, data_addr| {
+        let chunk_size = (header[2] as u64) * 16u64;
+
+        let eprocess_size = driver.pdb_store.get_offset_r("_EPROCESS.struct_size")?;
+        let eprocess_name_offset = driver.pdb_store.get_offset_r("_EPROCESS.ImageFileName")?;
+        let eprocess_create_time_offset = driver.pdb_store.get_offset_r("_EPROCESS.CreateTime")?;
+        let fob_filename_offset = driver.pdb_store.get_offset_r("_FILE_OBJECT.FileName")?;
+        let eprocess_image_file_ptr_offset = driver.pdb_store.get_offset_r("_EPROCESS.ImageFilePointer")?;
+        // let eprocess_exit_time_offset = driver.pdb_store.get_offset_r("_EPROCESS.ExitTime")?;
+
+        let eprocess_valid_start = data_addr;
+        let eprocess_valid_end = (pool_addr + chunk_size) - eprocess_size;
+        let mut try_eprocess_ptr = eprocess_valid_start;
+
+        let mut create_time = 0u64;
+        // let mut exit_time = 0u64;
+        while try_eprocess_ptr <= eprocess_valid_end {
+            driver.deref_addr(try_eprocess_ptr + eprocess_create_time_offset, &mut create_time);
+            // driver.deref_addr(try_eprocess_ptr + eprocess_exit_time_offset, &mut exit_time);
+            // using heuristics to eliminate false positive
+            if driver.windows_ffi.valid_process_time(create_time) {
+                break;
+            }
+            try_eprocess_ptr += 0x4;        // search exhaustively
+        }
+        if try_eprocess_ptr > eprocess_valid_end {
+            return Ok(false);
+        }
+
+        let mut image_name = [0u8; 15];
+        let mut file_object_ptr = 0u64;
+
+        driver.deref_addr(try_eprocess_ptr + eprocess_name_offset, &mut image_name);
+        driver.deref_addr(try_eprocess_ptr + eprocess_image_file_ptr_offset, &mut file_object_ptr);
+        let filename = if file_object_ptr != 0 { driver.get_unicode_string(file_object_ptr + fob_filename_offset, true)? }
+                       else { "".to_string() };
+
+        if let Ok(name) = from_utf8(&image_name) {
+            let eprocess_name = name
+                                .to_string()
+                                .trim_end_matches(char::from(0))
+                                .to_string();
+            println!("pool: 0x{:x} | eprocess: 0x{:x} | {} | {}", pool_addr, try_eprocess_ptr, filename, eprocess_name);
+        }
+        else {
+            println!("pool: 0x{:x} | eprocess: 0x{:x} | {} | {:?}", pool_addr, try_eprocess_ptr, filename, image_name);
+        }
+        Ok(true)
+        // eprocess_list.push(EprocessPoolChunk {
+        //     pool_addr,
+        //     eprocess_addr: try_eprocess_ptr,
+        //     eprocess_name: eprocess_name,
+        //     create_time: to_epoch(create_time),
+        //     exit_time: to_epoch(exit_time)
+        // });
+    })?;
+
+    println!("NtUnloadDriver() -> 0x{:x}", driver.shutdown());
+    Ok(())
+}
+
--- a/src/bin/file_object_scan.rs
+++ b/src/bin/file_object_scan.rs
@ -0,0 +1,57 @@
+use std::error::Error;
+
+use lpus::{
+    driver_state::{DriverState}
+};
+
+fn main() -> Result<(), Box<dyn Error>> {
+    let mut driver = DriverState::new();
+    println!("NtLoadDriver()   -> 0x{:x}", driver.startup());
+
+    driver.scan_pool(b"File", |pool_addr, header, data_addr| {
+        let chunk_size = (header[2] as u64) * 16u64;
+
+        let fob_size = driver.pdb_store.get_offset_r("_FILE_OBJECT.struct_size")?;
+        let fob_size_offset = driver.pdb_store.get_offset_r("_FILE_OBJECT.Size")?;
+        let fob_read_access_offset = driver.pdb_store.get_offset_r("_FILE_OBJECT.ReadAccess")?;
+        let fob_filename_offset = driver.pdb_store.get_offset_r("_FILE_OBJECT.FileName")?;
+
+        let valid_end = (pool_addr + chunk_size) - fob_size;
+        let mut try_ptr = data_addr;
+
+        let mut ftype = 0u16;
+        let mut size = 0u16;
+        while try_ptr <= valid_end {
+            driver.deref_addr(try_ptr, &mut ftype);
+            driver.deref_addr(try_ptr + fob_size_offset, &mut size);
+            if (size as u64) == fob_size && ftype == 5u16 {
+                break;
+            }
+            try_ptr += 0x4;        // search exhaustively
+        }
+        if try_ptr > valid_end {
+            println!("pool: 0x{:x} cannot detect file object", pool_addr);
+            return Ok(false);
+        }
+        let fob_addr = try_ptr;
+        let mut read_ok = 0u8;
+        driver.deref_addr(fob_addr + fob_read_access_offset, &mut read_ok);
+
+        println!("pool: 0x{:x} | file object: 0x{:x} | offsetby: 0x{:x}", pool_addr, fob_addr, fob_addr - pool_addr);
+        if read_ok == 0 {
+            println!("      [NOT READABLE]");
+        }
+        else if let Ok(filename) = driver.get_unicode_string(fob_addr + fob_filename_offset, true) {
+            println!("      {}", filename);
+        }
+        else {
+            println!("      [NOT A VALID _UNICODE_STRING]");
+        }
+        Ok(true)
+    })?;
+
+    println!("NtUnloadDriver() -> 0x{:x}", driver.shutdown());
+    Ok(())
+}
+
+
--- a/src/bin/print_pdb.rs
+++ b/src/bin/print_pdb.rs
@ -0,0 +1,12 @@
+use std::error::Error;
+
+use lpus::{
+    driver_state::{DriverState}
+};
+
+fn main() -> Result<(), Box<dyn Error>> {
+    let driver = DriverState::new();
+    driver.windows_ffi.print_version();
+    driver.pdb_store.print_default_information();
+    Ok(())
+}
--- a/src/driver_state.rs
+++ b/src/driver_state.rs
@ -0,0 +1,320 @@
+use std::error::Error;
+// use std::io::{Error, ErrorKind};
+use std::ffi::c_void;
+use std::mem::{size_of_val};
+
+use winapi::shared::ntdef::{NTSTATUS};
+use winapi::shared::minwindef::{DWORD};
+use winapi::um::winioctl::{
+    CTL_CODE, FILE_ANY_ACCESS,
+    METHOD_IN_DIRECT, METHOD_OUT_DIRECT, /* METHOD_BUFFERED, */ METHOD_NEITHER
+};
+
+use crate::pdb_store::{PdbStore, parse_pdb};
+use crate::windows::{WindowsFFI, WindowsVersion};
+use crate::ioctl_protocol::{
+    InputData, OffsetData, DerefAddr, ScanPoolData, /* HideProcess, */
+    /* OutputData, */ Nothing
+};
+
+type BoxResult<T> = Result<T, Box<dyn Error>>;
+
+const SIOCTL_TYPE: DWORD = 40000;
+
+pub fn to_epoch(filetime: u64) -> u64 {
+    let windows_epoch_diff: u64 = 11644473600000 * 10000;
+    if filetime < windows_epoch_diff {
+        return 0;
+    }
+    let process_time_epoch: u64 = (filetime - windows_epoch_diff) / 10000;
+    process_time_epoch
+}
+
+#[allow(dead_code)]
+#[derive(Debug)]
+pub enum DriverAction {
+    SetupOffset,
+    GetKernelBase,
+    ScanPsActiveHead,
+    ScanPool,
+    ScanPoolRemote,
+    DereferenceAddress,
+    HideProcess
+}
+
+impl DriverAction {
+    pub fn get_code(&self) -> DWORD {
+        match self {
+            DriverAction::SetupOffset => CTL_CODE(SIOCTL_TYPE, 0x900, METHOD_IN_DIRECT, FILE_ANY_ACCESS),
+            DriverAction::GetKernelBase => CTL_CODE(SIOCTL_TYPE, 0x901, METHOD_OUT_DIRECT, FILE_ANY_ACCESS),
+            DriverAction::ScanPsActiveHead => CTL_CODE(SIOCTL_TYPE, 0x902, METHOD_NEITHER, FILE_ANY_ACCESS),
+            DriverAction::ScanPool => CTL_CODE(SIOCTL_TYPE, 0x903, METHOD_IN_DIRECT, FILE_ANY_ACCESS),
+            DriverAction::ScanPoolRemote => CTL_CODE(SIOCTL_TYPE, 0x904, METHOD_IN_DIRECT, FILE_ANY_ACCESS),
+            DriverAction::DereferenceAddress => CTL_CODE(SIOCTL_TYPE, 0xA00, METHOD_OUT_DIRECT, FILE_ANY_ACCESS),
+            DriverAction::HideProcess => CTL_CODE(SIOCTL_TYPE, 0xA01, METHOD_IN_DIRECT, FILE_ANY_ACCESS)
+        }
+    }
+}
+
+#[derive(Debug)]
+pub struct EprocessPoolChunk {
+    pub pool_addr: u64,
+    pub eprocess_addr: u64,
+    pub eprocess_name: String,
+    pub create_time: u64,
+    pub exit_time: u64
+}
+
+impl PartialEq for EprocessPoolChunk {
+    fn eq(&self, other: &Self) -> bool {
+        self.eprocess_addr == other.eprocess_addr
+    }
+}
+
+#[allow(dead_code)]
+pub struct DriverState {
+    // TODO: Make private, only call methods of DriverState
+    pub pdb_store: PdbStore,
+    pub windows_ffi: WindowsFFI,
+}
+
+impl DriverState {
+    pub fn new() -> Self {
+        Self {
+            pdb_store: parse_pdb().expect("Cannot get PDB file"),
+            windows_ffi: WindowsFFI::new()
+        }
+    }
+
+    pub fn startup(&mut self) -> NTSTATUS {
+        let s = self.windows_ffi.load_driver();
+        let mut input = InputData {
+            offset_value: OffsetData::new(&self.pdb_store, self.windows_ffi.short_version)
+        };
+        self.windows_ffi.device_io(DriverAction::SetupOffset.get_code(),
+                                   &mut input, &mut Nothing);
+        s
+    }
+
+    pub fn shutdown(&self) -> NTSTATUS {
+        self.windows_ffi.unload_driver()
+    }
+
+    pub fn get_kernel_base(&self) -> u64 {
+        let mut ntosbase = 0u64;
+        self.windows_ffi.device_io(DriverAction::GetKernelBase.get_code(),
+                                   &mut Nothing, &mut ntosbase);
+        // println!("ntosbase: 0x{:x}", self.ntosbase);
+        ntosbase
+    }
+
+    pub fn scan_active_head(&self) -> BoxResult<Vec<EprocessPoolChunk>> {
+        let ntosbase = self.get_kernel_base();
+        let ps_active_head = ntosbase + self.pdb_store.get_offset_r("PsActiveProcessHead")?;
+        let flink_offset = self.pdb_store.get_offset_r("_LIST_ENTRY.Flink")?;
+        let eprocess_link_offset = self.pdb_store.get_offset_r("_EPROCESS.ActiveProcessLinks")?;
+        let eprocess_name_offset = self.pdb_store.get_offset_r("_EPROCESS.ImageFileName")?;
+
+        let mut ptr = ps_active_head;
+        self.deref_addr(ptr + flink_offset, &mut ptr);
+
+        let mut result: Vec<EprocessPoolChunk> = Vec::new();
+        while ptr != ps_active_head {
+            let mut image_name = [0u8; 15];
+            let eprocess = ptr - eprocess_link_offset;
+            self.deref_addr(eprocess + eprocess_name_offset, &mut image_name);
+            match std::str::from_utf8(&image_name) {
+                Ok(n) => {
+                    result.push(EprocessPoolChunk {
+                        pool_addr: 0,
+                        eprocess_addr: eprocess,
+                        eprocess_name: n.to_string()
+                                        .trim_end_matches(char::from(0))
+                                        .to_string(),
+                        create_time: 0,
+                        exit_time: 0
+
+                    });
+                },
+                _ => {}
+            };
+            self.deref_addr(ptr + flink_offset, &mut ptr);
+        }
+        Ok(result)
+    }
+
+    pub fn scan_pool<F>(&self, tag: &[u8; 4], mut handler: F) -> BoxResult<bool>
+                        where F: FnMut(u64, &[u8], u64) -> BoxResult<bool>
+                        // F(Pool Address, Pool Header Data, Pool Data Address)
+                        // TODO: Pool Header as a real struct
+    {
+        let ntosbase = self.get_kernel_base();
+        let pool_header_size = self.pdb_store.get_offset_r("_POOL_HEADER.struct_size")?;
+        let minimum_block_size = self.get_minimum_block_size(tag)?;
+        let code = DriverAction::ScanPoolRemote.get_code();
+        let range = self.get_nonpaged_range(ntosbase)?;
+        let start_address = range[0];
+        let end_address = range[1];
+        let mut ptr = start_address;
+        while ptr < end_address {
+            let mut input = InputData {
+                scan_range: ScanPoolData::new(&[ptr, end_address], tag)
+            };
+            self.windows_ffi.device_io(code, &mut input, &mut ptr);
+            // println!("found: 0x{:x}", ptr);
+            if ptr >= end_address {
+                break;
+            }
+
+            let pool_addr = ptr;
+            let mut header = vec![0u8; pool_header_size as usize];
+            self.deref_addr_ptr(pool_addr, header.as_mut_ptr(), pool_header_size);
+            let chunk_size = (header[2] as u64) * 16u64;
+
+            if pool_addr + chunk_size > end_address {
+                // the chunk found is not a valid chunk for sure
+                break;
+            }
+
+            // automatically reject bad chunk
+            if chunk_size < minimum_block_size {
+                ptr += 0x4;
+                continue;
+            }
+
+            let success = handler(pool_addr, &header, pool_addr + pool_header_size)?;
+            if success {
+                ptr += chunk_size; /* pass this chunk */
+                // ptr += 0x4;
+            }
+            else {
+                ptr += 0x4; /* search next */
+            }
+        }
+        Ok(true)
+    }
+
+    fn get_minimum_block_size(&self, tag: &[u8; 4]) -> BoxResult<u64> {
+        // Proc -> _EPROCESS
+        // Thre -> _KTHREAD
+        let pool_header_size = self.pdb_store.get_offset_r("_POOL_HEADER.struct_size")?;
+        if tag == b"Proc" {
+            let eprocess_size = self.pdb_store.get_offset_r("_EPROCESS.struct_size")?;
+            let minimum_data_size = eprocess_size + pool_header_size;
+            Ok(minimum_data_size)
+        }
+        else if tag == b"File" {
+            let file_object_size = self.pdb_store.get_offset_r("_FILE_OBJECT.struct_size")?;
+            let minimum_data_size = file_object_size + pool_header_size;
+            Ok(minimum_data_size)
+        }
+        else {
+            Err("Tag unknown".into())
+        }
+    }
+
+    pub fn deref_addr<T>(&self, addr: u64, outbuf: &mut T) {
+        // println!("deref addr: 0x{:x}", addr);
+        let code = DriverAction::DereferenceAddress.get_code();
+        let size: usize = size_of_val(outbuf);
+        let mut input = InputData {
+            deref_addr: DerefAddr {
+                addr,
+                size: size as u64
+            }
+        };
+        // unsafe { println!("Dereference {} bytes at 0x{:x}", input.deref_addr.size, input.deref_addr.addr) };
+        self.windows_ffi.device_io(code, &mut input, outbuf);
+    }
+
+    pub fn deref_addr_ptr<T>(&self, addr: u64, outptr: *mut T, output_len: u64) {
+        let code = DriverAction::DereferenceAddress.get_code();
+        let mut input = InputData {
+            deref_addr: DerefAddr {
+                addr,
+                size: output_len
+            }
+        };
+        self.windows_ffi.device_io_raw(code,
+                                       &mut input as *mut _ as *mut c_void, size_of_val(&input) as DWORD,
+                                       outptr as *mut c_void, output_len as DWORD);
+    }
+
+    pub fn get_unicode_string(&self, unicode_str_addr: u64, deref: bool) -> BoxResult<String> {
+        let mut strlen = 0u16;
+        let mut capacity = 0u16;
+        let mut bufaddr = 0u64;
+        let buffer_ptr = unicode_str_addr + self.pdb_store.get_offset_r("_UNICODE_STRING.Buffer")?;
+        let capacity_addr  = unicode_str_addr + self.pdb_store.get_offset_r("_UNICODE_STRING.MaximumLength")?;
+
+        self.deref_addr(unicode_str_addr, &mut strlen);
+        self.deref_addr(capacity_addr, &mut capacity);
+        self.deref_addr(buffer_ptr, &mut bufaddr);
+
+        // println!("unicode str: 0x{:x} size: 0x{:x} capacity: 0x{:x}", bufaddr, strlen, capacity);
+        if bufaddr == 0 || strlen > capacity || strlen == 0 || strlen % 2 != 0 {
+            return Err("Unicode string is empty".into());
+        }
+
+        if !deref {
+            return Ok("".to_string());
+        }
+
+        let mut buf = vec![0u16; (strlen / 2) as usize];
+        self.deref_addr_ptr(bufaddr, buf.as_mut_ptr(), strlen as u64);
+
+        Ok(String::from_utf16(&buf)?)
+    }
+
+    pub fn get_nonpaged_range(&self, ntosbase: u64) -> BoxResult<[u64; 2]> {
+        // TODO: Add support for other Windows version here
+        match self.windows_ffi.short_version {
+            WindowsVersion::Windows10FastRing => {
+                let mistate = ntosbase + self.pdb_store.get_offset_r("MiState")?;
+                let system_node_ptr = self.pdb_store.addr_decompose(
+                                        mistate, "_MI_SYSTEM_INFORMATION.Hardware.SystemNodeNonPagedPool")?;
+                let mut system_node_addr = 0u64;
+                self.deref_addr(system_node_ptr, &mut system_node_addr);
+
+                let mut first_va = 0u64;
+                let mut last_va = 0u64;
+                self.deref_addr(
+                    system_node_addr
+                    + self.pdb_store.get_offset_r("_MI_SYSTEM_NODE_NONPAGED_POOL.NonPagedPoolFirstVa")?,
+                    &mut first_va);
+
+                self.deref_addr(
+                    system_node_addr
+                    + self.pdb_store.get_offset_r("_MI_SYSTEM_NODE_NONPAGED_POOL.NonPagedPoolLastVa")?,
+                    &mut last_va);
+
+                Ok([first_va, last_va])
+            },
+            WindowsVersion::Windows10_2019 => {
+                let mistate = ntosbase + self.pdb_store.get_offset_r("MiState")?;
+                let system_node_ptr = self.pdb_store.addr_decompose(
+                                        mistate, "_MI_SYSTEM_INFORMATION.Hardware.SystemNodeInformation")?;
+                let mut system_node_addr = 0u64;
+                self.deref_addr(system_node_ptr, &mut system_node_addr);
+
+                let mut first_va = 0u64;
+                let mut last_va = 0u64;
+                self.deref_addr(
+                    system_node_addr
+                    + self.pdb_store.get_offset_r("_MI_SYSTEM_NODE_INFORMATION.NonPagedPoolFirstVa")?,
+                    &mut first_va);
+
+                self.deref_addr(
+                    system_node_addr
+                    + self.pdb_store.get_offset_r("_MI_SYSTEM_NODE_INFORMATION.NonPagedPoolLastVa")?,
+                    &mut last_va);
+
+                Ok([first_va, last_va])
+            },
+            _ => {
+                Err("Windows version for nonpaged pool algorithm is not implemented".into())
+            }
+        }
+    }
+
+}
--- a/src/ioctl_protocol.rs
+++ b/src/ioctl_protocol.rs
@ -0,0 +1,121 @@
+use crate::pdb_store::PdbStore;
+use crate::windows::WindowsVersion;
+
+#[repr(C)]
+#[derive(Debug, Copy, Clone)]
+pub struct OffsetData {
+    eprocess_name_offset: u64,
+    eprocess_link_offset: u64,
+    list_blink_offset: u64,
+    process_head_offset: u64,
+    mistate_offset: u64,
+    hardware_offset: u64,
+    system_node_offset: u64,
+    first_va_offset: u64,
+    last_va_offset: u64,
+    large_page_table_offset: u64,
+    large_page_size_offset: u64,
+    pool_chunk_size: u64,
+}
+
+// TODO: Move to WindowsScanStrategy and return the corresponding struct base on Windows version
+impl OffsetData {
+    pub fn new(pdb_store: &PdbStore, windows_version: WindowsVersion) -> Self {
+        match windows_version {
+            WindowsVersion::Windows10FastRing => Self {
+                eprocess_name_offset: pdb_store.get_offset("_EPROCESS.ImageFileName").unwrap_or(0u64),
+                eprocess_link_offset: pdb_store.get_offset("_EPROCESS.ActiveProcessLinks").unwrap_or(0u64),
+                list_blink_offset: pdb_store.get_offset("_LIST_ENTRY.Blink").unwrap_or(0u64),
+                process_head_offset: pdb_store.get_offset("PsActiveProcessHead").unwrap_or(0u64),
+                mistate_offset: pdb_store.get_offset("MiState").unwrap_or(0u64),
+                hardware_offset: pdb_store.get_offset("_MI_SYSTEM_INFORMATION.Hardware").unwrap_or(0u64),
+                system_node_offset: pdb_store.get_offset("_MI_HARDWARE_STATE.SystemNodeNonPagedPool").unwrap_or(0u64),
+                first_va_offset: pdb_store.get_offset("_MI_SYSTEM_NODE_NONPAGED_POOL.NonPagedPoolFirstVa").unwrap_or(0u64),
+                last_va_offset: pdb_store.get_offset("_MI_SYSTEM_NODE_NONPAGED_POOL.NonPagedPoolLastVa").unwrap_or(0u64),
+                large_page_table_offset: pdb_store.get_offset("PoolBigPageTable").unwrap_or(0u64),
+                large_page_size_offset: pdb_store.get_offset("PoolBigPageTableSize").unwrap_or(0u64),
+                pool_chunk_size: pdb_store.get_offset("_POOL_HEADER.struct_size").unwrap_or(0u64),
+            },
+            WindowsVersion::Windows10_2019 |
+            WindowsVersion::Windows10_2018 => Self {
+                eprocess_name_offset: pdb_store.get_offset("_EPROCESS.ImageFileName").unwrap_or(0u64),
+                eprocess_link_offset: pdb_store.get_offset("_EPROCESS.ActiveProcessLinks").unwrap_or(0u64),
+                list_blink_offset: pdb_store.get_offset("_LIST_ENTRY.Blink").unwrap_or(0u64),
+                process_head_offset: pdb_store.get_offset("PsActiveProcessHead").unwrap_or(0u64),
+                mistate_offset: pdb_store.get_offset("MiState").unwrap_or(0u64),
+                hardware_offset: pdb_store.get_offset("_MI_SYSTEM_INFORMATION.Hardware").unwrap_or(0u64),
+                system_node_offset: pdb_store.get_offset("_MI_HARDWARE_STATE.SystemNodeInformation").unwrap_or(0u64),
+                first_va_offset: pdb_store.get_offset("_MI_SYSTEM_NODE_INFORMATION.NonPagedPoolFirstVa").unwrap_or(0u64),
+                last_va_offset: pdb_store.get_offset("_MI_SYSTEM_NODE_INFORMATION.NonPagedPoolLastVa").unwrap_or(0u64),
+                large_page_table_offset: pdb_store.get_offset("PoolBigPageTable").unwrap_or(0u64),
+                large_page_size_offset: pdb_store.get_offset("PoolBigPageTableSize").unwrap_or(0u64),
+                pool_chunk_size: pdb_store.get_offset("_POOL_HEADER.struct_size").unwrap_or(0u64),
+            },
+            // TODO: Add other version of Windows here
+            // TODO: Warn user of unknown windows version, because BSOD will occur
+            _ => Self {
+                eprocess_name_offset: 0u64,
+                eprocess_link_offset: 0u64,
+                list_blink_offset: 0u64,
+                process_head_offset: 0u64,
+                mistate_offset: 0u64,
+                hardware_offset: 0u64,
+                system_node_offset: 0u64,
+                first_va_offset: 0u64,
+                last_va_offset: 0u64,
+                large_page_table_offset: 0u64,
+                large_page_size_offset: 0u64,
+                pool_chunk_size: 0u64,
+            }
+        }
+    }
+}
+
+#[repr(C)]
+#[derive(Debug, Copy, Clone)]
+pub struct DerefAddr {
+    pub addr: u64,
+    pub size: u64
+}
+
+#[repr(C)]
+#[derive(Debug, Copy, Clone)]
+pub struct ScanPoolData {
+    pub start: u64,
+    pub end: u64,
+    pub tag: u32
+}
+
+impl ScanPoolData{
+    pub fn new(arr: &[u64; 2], tag: &[u8; 4]) -> Self {
+        Self {
+            start: arr[0],
+            end: arr[1],
+            tag: u32::from_le_bytes(*tag)
+        }
+    }
+}
+
+#[repr(C)]
+#[derive(Debug, Copy, Clone)]
+pub struct HideProcess {
+    pub name: [u8; 15],
+    pub size: u64
+}
+
+#[repr(C)]
+pub union InputData {
+    pub offset_value: OffsetData,
+    pub deref_addr: DerefAddr,
+    pub scan_range: ScanPoolData,
+    pub hide_process: HideProcess,
+}
+
+#[repr(C)]
+#[derive(Debug, Copy, Clone)]
+pub struct Nothing; // for empty data
+
+#[repr(C)]
+pub union OutputData {
+    pub nothing: Nothing,
+}
--- a/src/lib.rs
+++ b/src/lib.rs
@ -0,0 +1,8 @@
+extern crate chrono;
+extern crate app_dirs;
+
+pub mod pdb_store;
+pub mod windows;
+pub mod ioctl_protocol;
+pub mod driver_state;
+
--- a/src/main.rs
+++ b/src/main.rs
@ -1,13 +0,0 @@
-mod pdb_store;
-mod windows;
-
-fn main() {
-    let store = pdb_store::parse_pdb();
-    store.print_default_information();
-
-    let mut windows_ffi = windows::WindowsFFI::new();
-    windows_ffi.print_version();
-
-    println!("NtLoadDriver()   -> 0x{:x}", windows_ffi.load_driver());
-    println!("NtUnloadDriver() -> 0x{:x}", windows_ffi.unload_driver());
-}
--- a/src/pdb_store.rs
+++ b/src/pdb_store.rs
@ -1,25 +1,25 @@
+use std::error::Error;
 use std::io;
 use std::io::{Read};
-use std::path::Path;
+use std::path::{PathBuf};
 use std::fs::File;
 use std::collections::HashMap;

-use pdb::PDB;
-use pdb::SymbolData;
-use pdb::TypeData;
-use pdb::ClassType;
-use pdb::ModifierType;
-use pdb::Rva;
+use pdb::{
+    PDB, SymbolData, TypeData, ClassType, ModifierType, Rva,
+    FallibleIterator, TypeFinder, TypeIndex
+};

-use pdb::FallibleIterator;
-use pdb::TypeFinder;
-use pdb::TypeIndex;
+use app_dirs::{AppInfo, AppDataType, app_dir};

+const APP_INFO: AppInfo = AppInfo { name: "lpus", author: "nganhkhoa" };

-const PDBNAME: &str = "ntkrnlmp.pdb";
+const KERNEL_PDB_NAME: &str = "ntkrnlmp.pdb";
 const NTOSKRNL_PATH: &str = "C:\\Windows\\System32\\ntoskrnl.exe";
 const PDB_SERVER_PATH: &str = "http://msdl.microsoft.com/download/symbols";

+type BoxResult<T> = Result<T, Box<dyn Error>>;
+
 type SymbolStore = HashMap<String, u64>;
 type StructStore = HashMap<String, HashMap<String, (String, u64)>>;

@ -29,6 +29,10 @@ pub struct PdbStore {
 }

 impl PdbStore {
+    pub fn get_offset_r(&self, name: &str) -> BoxResult<u64> {
+        self.get_offset(name)
+            .ok_or(format!("{} is not found in PDB", name).into())
+    }
    #[allow(dead_code)]
    pub fn get_offset(&self, name: &str) -> Option<u64> {
        if name.contains(".") {
@ -52,9 +56,9 @@ impl PdbStore {
    }

    #[allow(dead_code)]
-    pub fn addr_decompose(&self, addr: u64, full_name: &str) -> Result<u64, String>{
+    pub fn addr_decompose(&self, addr: u64, full_name: &str) -> BoxResult<u64>{
        if !full_name.contains(".") {
-            return Err("Not decomposable".to_string());
+            return Err("Not decomposable".into());
        }

        let mut name_part: Vec<&str> = full_name.split_terminator('.').collect();
@ -65,7 +69,7 @@ impl PdbStore {
                    Some((memtype, offset)) => {
                        if next.len() != 0 {
                            if memtype.contains("*") {
-                                return Err(format!("Cannot dereference pointer at {} {}", memtype, name_part[1]));
+                                return Err(format!("Cannot dereference pointer at {} {}", memtype, name_part[1]).into());
                            }
                            next.insert(0, memtype);
                            self.addr_decompose(addr + *offset, &next.join("."))
@ -74,10 +78,10 @@ impl PdbStore {
                            Ok(addr + *offset)
                        }
                    },
-                    None => Err(format!("Not found member {}", name_part[1]))
+                    None => Err(format!("Not found member {}", name_part[1]).into())
                }
            },
-            None => Err(format!("Struct {} not found", name_part[0]))
+            None => Err(format!("Struct {} not found", name_part[0]).into())
        }
    }

@ -94,7 +98,10 @@ impl PdbStore {
        ];

        let mut need_structs = HashMap::new();
-        need_structs.insert("_POOL_HEADER", vec![]);
+        need_structs.insert("_POOL_HEADER", vec![
+            "struct_size",
+            "PoolType", "BlockSize", "PoolTag"
+        ]);
        need_structs.insert("_PEB", vec![]);
        need_structs.insert("_LIST_ENTRY", vec![
            "Flink", "Blink"
@ -250,11 +257,12 @@ fn get_type_as_str(type_finder: &TypeFinder, typ: &TypeIndex) -> String {
    }
 }

-pub fn download_pdb() {
-    let mut ntoskrnl = File::open(NTOSKRNL_PATH).expect("Cannot open ntoskrnl.exe");
+fn get_guid_age(exe_file: &str) -> BoxResult<(String, u32)>{
+    // TODO: Check file existance
+    let mut file = File::open(exe_file)?;

    let mut buffer = Vec::new();
-    ntoskrnl.read_to_end(&mut buffer).expect("Cannot read file ntoskrnl.exe");
+    file.read_to_end(&mut buffer)?;

    let mut buffiter = buffer.chunks(4);
    while buffiter.next().unwrap() != [0x52, 0x53, 0x44, 0x53] {
@ -284,29 +292,54 @@ pub fn download_pdb() {
        raw_age[0], raw_age[1], raw_age[2], raw_age[3]
    ]);

-    let downloadurl = format!("{}/{}/{}{:X}/{}", PDB_SERVER_PATH, PDBNAME, guid, age, PDBNAME);
-    println!("{}", downloadurl);
-
-    let mut resp = reqwest::blocking::get(&downloadurl).expect("request failed");
-    let mut out = File::create(PDBNAME).expect("failed to create file");
-    io::copy(&mut resp, &mut out).expect("failed to copy content");
+    Ok((guid, age))
 }

-pub fn parse_pdb() -> PdbStore {
-    // TODO: Detect pdb file and ntoskrnl file version differs
-    // The guid of ntoskrnl and pdb file are different
-    if !Path::new(PDBNAME).exists() {
-        download_pdb();
-    }
-    let f = File::open("ntkrnlmp.pdb").expect("No such file ./ntkrnlmp.pdb");
-    let mut pdb = PDB::open(f).expect("Cannot open as a PDB file");
+fn pdb_exists(pdbname: &str, guid: &str, age: u32) -> BoxResult<(bool, PathBuf)> {
+    // Use a folder at %APPDATA% to save pdb files
+    // %APPDATA%\nganhkhoaa\lpus
+    // |--ntkrnlmp.pdb
+    // |--|--GUID
+    // |--|--|--ntkrnlmp.pdb
+    // |--file.pdb
+    // |--|--GUID
+    // |--|--|--file.pdb
+    let mut pdb_location = app_dir(AppDataType::UserData, &APP_INFO,
+                                   &format!("{}/{}/{}", pdbname, guid, age))?;
+    pdb_location.push(pdbname);
+    Ok((pdb_location.exists(), pdb_location))
+}

-    let info = pdb.pdb_information().expect("Cannot get pdb information");
-    let dbi = pdb.debug_information().expect("cannot get debug information");
+fn download_pdb(pdbname: &str, guid: &str, age: u32, outfile: &PathBuf) -> BoxResult<()> {
+    let downloadurl = format!("{}/{}/{}{:X}/{}", PDB_SERVER_PATH, pdbname, guid, age, pdbname);
+    println!("{}", downloadurl);
+
+    let mut resp = reqwest::blocking::get(&downloadurl)?;
+    let mut out = File::create(outfile)?;
+    io::copy(&mut resp, &mut out)?;
+    Ok(())
+}
+
+pub fn parse_pdb() -> BoxResult<PdbStore> {
+    // TODO: Resolve pdb name
+    // ntoskrnl.exe -> ntkrnlmp.pdb
+    // tcpip.sys -> tcpip.pdb ?????
+    // There may be more pdb files in the future
+    let (guid, age) = get_guid_age(NTOSKRNL_PATH)?;
+    let (exists, pdb_path) = pdb_exists(KERNEL_PDB_NAME, &guid, age)?;
+    if !exists {
+        println!("PDB not found, download into {:?}", pdb_path);
+        download_pdb(KERNEL_PDB_NAME, &guid, age, &pdb_path)?;
+    }
+    let f = File::open(pdb_path)?;
+    let mut pdb = PDB::open(f)?;
+
+    let info = pdb.pdb_information()?;
+    let dbi = pdb.debug_information()?;
    println!("PDB for {}, guid: {}, age: {}\n",
        dbi.machine_type().unwrap(), info.guid, dbi.age().unwrap_or(0));

-    let type_information = pdb.type_information().expect("Cannot get type information");
+    let type_information = pdb.type_information()?;
    let mut type_finder = type_information.type_finder();
    let mut iter = type_information.iter();
    while let Some(_typ) = iter.next().unwrap() {
@ -314,8 +347,8 @@ pub fn parse_pdb() -> PdbStore {
    }

    let mut symbol_extracted: SymbolStore = HashMap::new();
-    let addr_map = pdb.address_map().expect("Cannot get address map");
-    let glosym = pdb.global_symbols().expect("Cannot get global symbols");
+    let addr_map = pdb.address_map()?;
+    let glosym = pdb.global_symbols()?;
    let mut symbols = glosym.iter();
    while let Some(symbol) = symbols.next().unwrap() {
        match symbol.parse() {
@ -354,8 +387,8 @@ pub fn parse_pdb() -> PdbStore {
        }
    }

-    PdbStore {
+    Ok(PdbStore {
        symbols: symbol_extracted,
        structs: struct_extracted
-    }
+    })
 }
--- a/src/windows.rs
+++ b/src/windows.rs
@ -1,23 +1,33 @@
-use std::ffi::CString;
-use widestring::{U16CString};
+use std::ffi::{c_void, CString};
+use std::mem::{transmute, size_of_val};
+use std::ptr::null_mut;
+use std::time::{SystemTime, UNIX_EPOCH};
+use widestring::U16CString;

 use winapi::shared::ntdef::*;
 use winapi::shared::minwindef::{DWORD, HKEY, HMODULE};
 use winapi::um::winnt::{
    SE_PRIVILEGE_ENABLED, TOKEN_PRIVILEGES, TOKEN_ADJUST_PRIVILEGES, LUID_AND_ATTRIBUTES,
    REG_DWORD, REG_SZ, REG_OPTION_NON_VOLATILE, KEY_WRITE,
-    PRTL_OSVERSIONINFOW, OSVERSIONINFOW
+    PRTL_OSVERSIONINFOW, OSVERSIONINFOW,
+    FILE_ATTRIBUTE_NORMAL, GENERIC_READ, GENERIC_WRITE
 };

-use winapi::um::handleapi::*;
-use winapi::um::libloaderapi::*;
-use winapi::um::processthreadsapi::*;
-use winapi::um::securitybaseapi::*;
-use winapi::um::winbase::*;
-use winapi::um::winreg::*;
+use winapi::um::ioapiset::{DeviceIoControl};
+use winapi::um::errhandlingapi::{GetLastError};
+use winapi::um::fileapi::{CreateFileA, CREATE_ALWAYS};
+use winapi::um::handleapi::{INVALID_HANDLE_VALUE, CloseHandle};
+use winapi::um::libloaderapi::{LoadLibraryA, GetProcAddress};
+use winapi::um::processthreadsapi::{GetCurrentProcess, OpenProcessToken};
+use winapi::um::sysinfoapi::{GetTickCount64};
+use winapi::um::securitybaseapi::{AdjustTokenPrivileges};
+use winapi::um::winbase::{LookupPrivilegeValueA};
+use winapi::um::winreg::{RegCreateKeyExA, RegSetValueExA, RegCloseKey, HKEY_LOCAL_MACHINE};
+
+const STR_DRIVER_REGISTRY_PATH: &str = "\\Registry\\Machine\\System\\CurrentControlSet\\Services\\lpus";

 #[allow(dead_code)]
-#[derive(Debug)]
+#[derive(Debug, Copy, Clone)]
 pub enum WindowsVersion {
    Windows10_2015,
    Windows10_2016,
@ -30,36 +40,34 @@ pub enum WindowsVersion {
 }

 #[allow(dead_code)]
+#[derive(Copy, Clone)]
 pub struct WindowsFFI {
    pub version_info: OSVERSIONINFOW,
    pub short_version: WindowsVersion,
-    driver_registry_string: UNICODE_STRING,
+    driver_handle: HANDLE,
    ntdll: HMODULE,
-    nt_load_driver: extern "stdcall" fn(PUNICODE_STRING) -> NTSTATUS,
-    nt_unload_driver: extern "stdcall" fn(PUNICODE_STRING) -> NTSTATUS,
-    rtl_init_unicode_str: extern "stdcall" fn(PUNICODE_STRING, PCWSTR),
+    nt_load_driver: extern "system" fn(PUNICODE_STRING) -> NTSTATUS,
+    nt_unload_driver: extern "system" fn(PUNICODE_STRING) -> NTSTATUS,
+    rtl_init_unicode_str: extern "system" fn(PUNICODE_STRING, PCWSTR),
    rtl_get_version: extern "system" fn(PRTL_OSVERSIONINFOW) -> NTSTATUS,
 }

 impl WindowsFFI {
    pub fn new() -> Self {
-        let str_ntdll = CString::new("ntdll").expect("");
-        let str_nt_load_driver = CString::new("NtLoadDriver").expect("");
-        let str_nt_unload_driver = CString::new("NtUnloadDriver").expect("");
-        let str_rtl_init_unicode_str = CString::new("RtlInitUnicodeString").expect("");
-        let str_rtl_get_version = CString::new("RtlGetVersion").expect("");
-        let str_se_load_driver_privilege = CString::new("SeLoadDriverPrivilege").expect("");
+        let str_ntdll = CString::new("ntdll").unwrap();
+        let str_nt_load_driver = CString::new("NtLoadDriver").unwrap();
+        let str_nt_unload_driver = CString::new("NtUnloadDriver").unwrap();
+        let str_rtl_init_unicode_str = CString::new("RtlInitUnicodeString").unwrap();
+        let str_rtl_get_version = CString::new("RtlGetVersion").unwrap();
+        let str_se_load_driver_privilege = CString::new("SeLoadDriverPrivilege").unwrap();

-        let str_driver_path = CString::new("\\SystemRoot\\System32\\DRIVERS\\nganhkhoa.sys").expect("");
-        let str_registry_path = CString::new("System\\CurrentControlSet\\Services\\nganhkhoa").expect("");
-        let str_driver_reg =
-            U16CString::from_str("\\Registry\\Machine\\System\\CurrentControlSet\\Services\\nganhkhoa").expect("");
-        let str_type = CString::new("Type").expect("");
-        let str_error_control = CString::new("ErrorControl").expect("");
-        let str_start = CString::new("Start").expect("");
-        let str_image_path = CString::new("ImagePath").expect("");
+        let str_driver_path = CString::new("\\SystemRoot\\System32\\DRIVERS\\lpus.sys").unwrap();
+        let str_registry_path = CString::new("System\\CurrentControlSet\\Services\\lpus").unwrap();
+        let str_type = CString::new("Type").unwrap();
+        let str_error_control = CString::new("ErrorControl").unwrap();
+        let str_start = CString::new("Start").unwrap();
+        let str_image_path = CString::new("ImagePath").unwrap();

-        let mut str_driver_reg_unicode = UNICODE_STRING::default();
        let mut version_info = OSVERSIONINFOW {
            dwOSVersionInfoSize: 0u32,
            dwMajorVersion: 0u32,
@ -70,9 +78,9 @@ impl WindowsFFI {
        };

        let ntdll: HMODULE;
-        let nt_load_driver: extern "stdcall" fn(PUNICODE_STRING) -> NTSTATUS;
-        let nt_unload_driver: extern "stdcall" fn(PUNICODE_STRING) -> NTSTATUS;
-        let rtl_init_unicode_str: extern "stdcall" fn(PUNICODE_STRING, PCWSTR);
+        let nt_load_driver: extern "system" fn(PUNICODE_STRING) -> NTSTATUS;
+        let nt_unload_driver: extern "system" fn(PUNICODE_STRING) -> NTSTATUS;
+        let rtl_init_unicode_str: extern "system" fn(PUNICODE_STRING, PCWSTR);
        let rtl_get_version: extern "system" fn(PRTL_OSVERSIONINFOW) -> NTSTATUS;

        // some pointer unsafe C code
@ -83,18 +91,18 @@ impl WindowsFFI {
            let rtl_init_unicode_str_ = GetProcAddress(ntdll, str_rtl_init_unicode_str.as_ptr());
            let rtl_get_version_ = GetProcAddress(ntdll, str_rtl_get_version.as_ptr());

-            nt_load_driver = std::mem::transmute(nt_load_driver_);
-            nt_unload_driver = std::mem::transmute(nt_unload_driver_);
-            rtl_init_unicode_str = std::mem::transmute(rtl_init_unicode_str_);
-            rtl_get_version = std::mem::transmute(rtl_get_version_);
+            nt_load_driver = transmute(nt_load_driver_);
+            nt_unload_driver = transmute(nt_unload_driver_);
+            rtl_init_unicode_str = transmute(rtl_init_unicode_str_);
+            rtl_get_version = transmute(rtl_get_version_);

            // setup registry
-            let mut registry_key: HKEY = std::ptr::null_mut();
+            let mut registry_key: HKEY = null_mut();
            RegCreateKeyExA(
                HKEY_LOCAL_MACHINE, str_registry_path.as_ptr(),
-                0, std::ptr::null_mut(),
+                0, null_mut(),
                REG_OPTION_NON_VOLATILE, KEY_WRITE,
-                std::ptr::null_mut(), &mut registry_key, std::ptr::null_mut()
+                null_mut(), &mut registry_key, null_mut()
            );
            let type_value: [u8; 4] = 1u32.to_le_bytes();
            let error_control_value: [u8; 4] = 1u32.to_le_bytes();
@ -115,10 +123,10 @@ impl WindowsFFI {
            RegCloseKey(registry_key);

            // Setup privilege SeLoadDriverPrivilege
-            let mut token_handle: HANDLE = std::ptr::null_mut();
+            let mut token_handle: HANDLE = null_mut();
            let mut luid = LUID::default();
            OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &mut token_handle);
-            LookupPrivilegeValueA(std::ptr::null_mut(), str_se_load_driver_privilege.as_ptr(), &mut luid);
+            LookupPrivilegeValueA(null_mut(), str_se_load_driver_privilege.as_ptr(), &mut luid);
            let mut new_token_state = TOKEN_PRIVILEGES {
                PrivilegeCount: 1,
                Privileges: [LUID_AND_ATTRIBUTES {
@ -127,11 +135,8 @@ impl WindowsFFI {
                }]
            };
            AdjustTokenPrivileges(
-                token_handle, 0, &mut new_token_state, 16, std::ptr::null_mut(), std::ptr::null_mut());
+                token_handle, 0, &mut new_token_state, 16, null_mut(), null_mut());
            CloseHandle(token_handle);
-
-            // init string for load and unload driver routine
-            rtl_init_unicode_str(&mut str_driver_reg_unicode, str_driver_reg.as_ptr() as *const u16);
        }

        rtl_get_version(&mut version_info);
@ -147,7 +152,7 @@ impl WindowsFFI {
        Self {
            version_info,
            short_version,
-            driver_registry_string: str_driver_reg_unicode,
+            driver_handle: INVALID_HANDLE_VALUE,
            ntdll,
            nt_load_driver,
            nt_unload_driver,
@ -156,12 +161,40 @@ impl WindowsFFI {
        }
    }

-    pub fn load_driver(&mut self) -> NTSTATUS {
-        (self.nt_load_driver)(&mut self.driver_registry_string)
+    pub fn driver_loaded(self) -> bool {
+        self.driver_handle != INVALID_HANDLE_VALUE
    }

-    pub fn unload_driver(&mut self) -> NTSTATUS {
-        (self.nt_unload_driver)(&mut self.driver_registry_string)
+    pub fn load_driver(&mut self) -> NTSTATUS {
+        // TODO: Move this to new()
+        // If we move this function to new(), self.driver_handle will be init, and thus no mut here
+        let str_driver_reg = U16CString::from_str(STR_DRIVER_REGISTRY_PATH).unwrap();
+        let mut str_driver_reg_unicode = UNICODE_STRING::default();
+        (self.rtl_init_unicode_str)(&mut str_driver_reg_unicode, str_driver_reg.as_ptr() as *const u16);
+        let status = (self.nt_load_driver)(&mut str_driver_reg_unicode);
+
+        let filename = CString::new("\\\\.\\poolscanner").unwrap();
+        let driver_file_handle: HANDLE = unsafe {
+            CreateFileA(filename.as_ptr(),
+                        GENERIC_READ | GENERIC_WRITE,
+                        0, null_mut(), CREATE_ALWAYS,
+                        FILE_ATTRIBUTE_NORMAL, null_mut())
+        };
+
+        if driver_file_handle == INVALID_HANDLE_VALUE {
+            println!("Driver CreateFileA failed");
+        }
+        else {
+            self.driver_handle = driver_file_handle;
+        }
+        status
+    }
+
+    pub fn unload_driver(&self) -> NTSTATUS {
+        let str_driver_reg = U16CString::from_str(STR_DRIVER_REGISTRY_PATH).unwrap();
+        let mut str_driver_reg_unicode = UNICODE_STRING::default();
+        (self.rtl_init_unicode_str)(&mut str_driver_reg_unicode, str_driver_reg.as_ptr());
+        (self.nt_unload_driver)(&mut str_driver_reg_unicode)
    }

    #[allow(dead_code)]
@ -178,4 +211,47 @@ impl WindowsFFI {
            self.short_version
        );
    }
+
+    pub fn valid_process_time(&self, filetime: u64) -> bool {
+        // https://www.frenk.com/2009/12/convert-filetime-to-unix-timestamp/
+        let windows_epoch_diff = 11644473600000 * 10000;
+        if filetime < windows_epoch_diff {
+            return false;
+        }
+        let system_up_time_ms = unsafe { GetTickCount64() };
+        let process_time_epoch = (filetime - windows_epoch_diff) / 10000;
+        let now_ms = SystemTime::now().duration_since(UNIX_EPOCH).expect("Time went backwards").as_millis() as u64;
+        let system_start_up_time_ms = now_ms - system_up_time_ms;
+
+        if process_time_epoch < system_start_up_time_ms {
+            false
+        } else if process_time_epoch > now_ms {
+            false
+        } else {
+            true
+        }
+    }
+
+    pub fn device_io<T, E>(&self, code: DWORD, inbuf: &mut T, outbuf: &mut E) -> DWORD {
+        self.device_io_raw(code,
+                           inbuf as *mut _ as *mut c_void, size_of_val(inbuf) as DWORD,
+                           outbuf as *mut _ as *mut c_void, size_of_val(outbuf) as DWORD)
+    }
+
+    pub fn device_io_raw(&self, code: DWORD,
+                         input_ptr: *mut c_void, input_len: DWORD,
+                         output_ptr: *mut c_void, output_len: DWORD) -> DWORD {
+        // println!("driver loaded: {}; device_io_code: {}", self.driver_loaded(), code);
+        let mut bytes_returned: DWORD = 0;
+        unsafe {
+            let status = DeviceIoControl(self.driver_handle, code,
+                                         input_ptr, input_len,
+                                         output_ptr, output_len,
+                                         &mut bytes_returned, null_mut());
+            if status == 0 {
+                println!("device io failed: last error {}", GetLastError());
+            }
+        };
+        bytes_returned
+    }
 }
Author	SHA1	Message	Date
nganhkhoa	c8ce82e8a7	Update lpus File scan printing update Update values sent to driver in ioctl for Windows 10 2019/2018	2020-06-02 16:27:29 +07:00
nganhkhoa	4bf2bb71ff	check read access when dump file name in _FILE_OBJECT	2020-05-29 01:39:32 +07:00
nganhkhoa	ecc476c604	Update scan frontend Reject invalid block size Unicode string handle for empty ptr, empty size Add _FILE_OBJECT scan Add FileImage dump of _EPROCESS scan	2020-05-22 14:44:47 +07:00
nganhkhoa	ee13c6be58	Update non-paged pool range documentation	2020-05-21 17:36:06 +07:00
nganhkhoa	7be3b2fc05	General updates Driver is renamed to lpus.sys Pdb will be downloaded ino %APPDATA%/nganhkhoa/lpus And some little fixes	2020-05-20 15:02:09 +07:00
nganhkhoa	5842ed216c	Add Windows 10 2019 support	2020-05-20 13:51:38 +07:00
nganhkhoa	ff53a1a31c	Fix runtime BOSD Chunk size and tag is check before handle. Check if heuristics search is not correct, and the try_ptr goes of the bound, making dereference an invalid address.	2020-05-20 00:42:24 +07:00
nganhkhoa	dd16a31984	update READMME	2020-05-19 04:20:04 +07:00
Nguyễn Anh Khoa	5bddf90501	Merge pull request #2 from nganhkhoa/device_io_call	2020-05-19 04:00:32 +07:00
nganhkhoa	dae10a5312	multiple binary and code refactor	2020-05-19 03:52:18 +07:00
nganhkhoa	3214e79d63	code renew build ok	2020-05-18 04:04:40 +07:00
nganhkhoa	cbc3cb7e15	update new design in code call, no test build	2020-05-04 11:40:31 +00:00
nganhkhoa	862a5c0788	hide process call	2020-02-27 23:37:04 +07:00
nganhkhoa	d0c0161b06	find eprocess offset base on CreateTime	2020-02-27 08:25:39 +07:00
nganhkhoa	d08852af55	finish device io call to scan	2020-02-27 03:27:54 +07:00
nganhkhoa	0ca87a871c	fix driver file name path	2020-02-25 01:33:16 +07:00
nganhkhoa	2ee77d16c7	Fix load driver issue The Buffer pointer of UNICODE_STRING seems to be cleaned up after routine, so we cannot store the string, but have to init the string when needed.	2020-02-25 01:20:54 +07:00
nganhkhoa	8928e4e4cb	add device io call	2020-02-24 22:53:30 +07:00
Nguyễn Anh Khoa	c036f3645a	Merge pull request #1 from nganhkhoa/loaddriver Load Driver and PdbStore	2020-02-24 00:36:04 +07:00