├── GetTcpTableInternal_assembly.gif ├── GetTcpTableInternal_Pseudocode.gif ├── README.md ├── Hook.cpp ├── GetTcpTableInternal_Pseudocode.cpp └── GetTcpTableInternal_Assembly.asm /GetTcpTableInternal_assembly.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Speedi13/NsiAllocateAndGetTable-used-from-GetTcpTableInternal/HEAD/GetTcpTableInternal_assembly.gif -------------------------------------------------------------------------------- /GetTcpTableInternal_Pseudocode.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Speedi13/NsiAllocateAndGetTable-used-from-GetTcpTableInternal/HEAD/GetTcpTableInternal_Pseudocode.gif -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # NsiAllocateAndGetTable-used-from-GetTcpTableInternal 2 | Undocumented NsiAllocateAndGetTable usage in GetTcpTableInternal reverse engineered on Win7 X64

3 | This might be useful for security researchers or other people who want to know how NsiAllocateAndGetTable is used since microsoft doesn't say anything about this function 4 | 5 | # Reversed and commented disassemblies 6 | 7 | IDA's Pseudocode
8 | - >>GetTcpTableInternal Pseudocode<< 9 | - >>GetTcpTableInternal Pseudocode as cpp file<< 10 | 11 | IDA's Assembly in graph view
12 | - >>GetTcpTableInternal Assembly<< 13 | - >>GetTcpTableInternal Assembly as asm file<< 14 | 15 | # Knowledge used to create a hook 16 | - >>NsiAllocateAndGetTable hook in c++<< 17 | -------------------------------------------------------------------------------- /Hook.cpp: -------------------------------------------------------------------------------- 1 | 2 | //for NPI_MODULEID look at https://msdn.microsoft.com/en-us/library/windows/hardware/ff568813(v=vs.85).aspx 3 | 4 | typedef __int64 (*t_NsiAllocateAndGetTable)( 5 | __int64 a1, struct NPI_MODULEID* a2, unsigned int a3, void *a4, int a5, void *a6, int a7, void *a8, __int64 a9, void *a10, int a11, DWORD *a12 6 | ); 7 | 8 | BYTE NPI_MS_TCP_MODULEID[] = { 0x18, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x03, 0x4A, 0x00, 0xEB, 0x1A, 0x9B, 0xD4, 0x11, 0x91, 0x23, 0x00, 0x50, 0x04, 0x77, 0x59, 0x0BC }; 9 | 10 | t_NsiAllocateAndGetTable oNsiAllocateAndGetTable = NULL; 11 | __int64 __fastcall hkNsiAllocateAndGetTable(__int64 a1, 12 | struct NPI_MODULEID* NPI_MS_ID, 13 | unsigned int TcpInformationId, 14 | void *pAddrEntry, 15 | int SizeOfAddrEntry, 16 | void *a6, int a7, 17 | void *pStateEntry, 18 | int SizeOfStateEntry, 19 | void *pOwnerEntry, 20 | int SizeOfOwnerEntry, 21 | DWORD *Count) 22 | { 23 | __int64 result = oNsiAllocateAndGetTable( a1, NPI_MS_ID, TcpInformationId, pAddrEntry, SizeOfAddrEntry, a6, a7, pStateEntry, SizeOfStateEntry, pOwnerEntry, SizeOfOwnerEntry, Count ); 24 | 25 | //based on reversed data from GetTcpTableInternal 26 | if ( memcmp( NPI_MS_ID, NPI_MS_TCP_MODULEID, 24 ) == NULL && result == NULL && *(DWORD*)Count > 0 ) 27 | { 28 | DWORD64 StateEntryOffset = NULL; 29 | DWORD64 AddrEnryOffset = NULL; 30 | DWORD64 OwnerEntryOffset = NULL; 31 | 32 | DWORD dwNumEntries = 1; 33 | 34 | for (DWORD i = 0; i < *(DWORD*)Count; i++, 35 | StateEntryOffset += 0x10, 36 | AddrEnryOffset += 0x38, 37 | OwnerEntryOffset += 0x20 ) 38 | { 39 | DWORD64 AddrEnry = (DWORD64)( *(DWORD64*)pAddrEntry + AddrEnryOffset ); 40 | DWORD64 StateEntry = (DWORD64)( *(DWORD64*)pStateEntry + StateEntryOffset ); 41 | DWORD64 OwnerEntry = (DWORD64)( *(DWORD64*)pOwnerEntry + OwnerEntryOffset ); 42 | 43 | //maby not sure if named correctly: 44 | BOOL bShowAllConnections = TRUE; 45 | 46 | if ( *(WORD *)(AddrEnry + 0x00) != 2 && (!bShowAllConnections || !*(BYTE *)(OwnerEntry + 0x03) ) ) 47 | continue; 48 | 49 | dwNumEntries++; 50 | 51 | WORD dwState = *(WORD*)( StateEntry ); 52 | DWORD dwOffloadState = *(DWORD*)( StateEntry + 0x08 ); 53 | 54 | printf("[%u] State = %u || %u\n",i,dwState,*(WORD*)( AddrEnry )); 55 | 56 | DWORD LocalAddr = *(DWORD*)( AddrEnry + 0x04 ); 57 | 58 | WORD LocalPort = ntohs((*(WORD*)( AddrEnry + 0x02 ))); 59 | printf("[%u] LocalPort = %u\n",i,LocalPort); 60 | 61 | DWORD RemoteAddr = *(DWORD*)( AddrEnry + 0x20 ); 62 | 63 | WORD RemotePort = ntohs((*(WORD*)( AddrEnry + 0x1E ))); 64 | printf("[%u] RemotePort = %u\n",i,RemotePort); 65 | 66 | DWORD dwOwningPid = *(DWORD*)( OwnerEntry + 0x0C ); 67 | printf("[%u] dwOwningPid = %u\n",i,dwOwningPid); 68 | 69 | LARGE_INTEGER liCreateTimestamp = *(LARGE_INTEGER*)( OwnerEntry + 0x10 ); 70 | ULONGLONG OwningModuleInfo = *(ULONGLONG*)( OwnerEntry + 0x18 ); 71 | } 72 | 73 | printf("dwNumEntries = %u\n",dwNumEntries); 74 | } 75 | return result; 76 | } 77 | 78 | //credits for this function to: 79 | // https://stackoverflow.com/questions/15573504/getextendedtcptable-donesnt-return-the-same-result-as-netstat-ano 80 | std::string GetListOfTcpPorts() 81 | { 82 | std::string ApplicationName = ""; 83 | std::string result = ""; 84 | std::string aux = ""; 85 | std::string RemotePort = ""; 86 | typedef DWORD (WINAPI *t_pGetExtendedTcpTable)( 87 | PVOID pTcpTable, 88 | PDWORD pdwSize, 89 | BOOL bOrder, 90 | ULONG ulAf, 91 | TCP_TABLE_CLASS TableClass, 92 | ULONG Reserved 93 | ); 94 | 95 | MIB_TCPTABLE_OWNER_PID *pTCPInfo; 96 | MIB_TCPROW_OWNER_PID *owner; 97 | DWORD size; 98 | DWORD dwResult; 99 | 100 | 101 | HMODULE hLib = LoadLibrary("iphlpapi.dll"); 102 | 103 | t_pGetExtendedTcpTable pGetExtendedTcpTable = (t_pGetExtendedTcpTable) 104 | GetProcAddress(hLib, "GetExtendedTcpTable"); 105 | 106 | dwResult = pGetExtendedTcpTable(NULL, &size, false, AF_INET, TCP_TABLE_OWNER_PID_ALL, 0); 107 | pTCPInfo = (MIB_TCPTABLE_OWNER_PID*)malloc(size); 108 | dwResult = pGetExtendedTcpTable(pTCPInfo, &size, false, AF_INET, TCP_TABLE_OWNER_PID_ALL, 0); 109 | 110 | 111 | for (DWORD dwLoop = 0; dwLoop < pTCPInfo->dwNumEntries; dwLoop++) 112 | { 113 | owner = &pTCPInfo->table[dwLoop]; 114 | ApplicationName = std::to_string(owner->dwOwningPid); 115 | std::string OpenedPort = std::to_string(ntohs(owner->dwLocalPort)); 116 | std::string RemotePort = std::to_string(ntohs(owner->dwRemotePort)); 117 | aux = "TCP ; dwLocalPort [" + OpenedPort + "]; RemotePort["+ RemotePort+"];PID["+ ApplicationName + "]\n"; 118 | result = result + aux; 119 | 120 | } 121 | return result; 122 | } 123 | 124 | int main() 125 | { 126 | HMODULE hNsi = LoadLibraryA( "nsi.dll" ); 127 | void* FncNsiAllocateAndGetTable = GetProcAddress( hNsi, "NsiAllocateAndGetTable" ); 128 | 129 | //Hook the function 130 | oNsiAllocateAndGetTable = (t_NsiAllocateAndGetTable)DetourTrampoline( FncNsiAllocateAndGetTable, &hkNsiAllocateAndGetTable ); 131 | 132 | //Call the higher level api to trigger the hook: 133 | MessageBoxA(0,GetListOfTcpPorts().c_str(),"GetListOfTcpPorts",0); 134 | return 0; 135 | } 136 | -------------------------------------------------------------------------------- /GetTcpTableInternal_Pseudocode.cpp: -------------------------------------------------------------------------------- 1 | __int64 __fastcall GetTcpTableInternal(unsigned int *TcpTable, _DWORD *SizePointer, BOOL Order, unsigned int TcpInformationId, unsigned int TableId, BOOL bShowAllConnections) 2 | { 3 | __int64 AddrEnryOffset; // r14 4 | BOOL v7; // ebx 5 | _DWORD *pSizePointer; // r12 6 | unsigned int *TableBase; // r15 7 | unsigned int EntryNbr; // esi 8 | __int64 result; // rax 9 | unsigned int ReturnCode; // edi 10 | unsigned int dwCount; // edx 11 | unsigned int v14; // er11 12 | signed int v15; // er8 13 | __int64 OwnerEntryOffset; // r13 14 | __int64 StateEntryOffset; // r9 15 | __int64 TableOut; // rbx 16 | size_t v19; // r10 17 | __int64 v20; // r10 18 | __int64 v21; // r11 19 | void *v22; // rax 20 | size_t SizeOfElementsToSort; // r10 21 | size_t NumberOfElementsToSort; // r11 22 | __int64 SizeOfAddrEntry; // [rsp+20h] [rbp-B8h] 23 | __int64 a7; // [rsp+30h] [rbp-A8h] 24 | __int64 SizeOfStateEntryMaby; // [rsp+40h] [rbp-98h] 25 | __int64 SizeOfOwnerEntry; // [rsp+50h] [rbp-88h] 26 | unsigned int Count; // [rsp+70h] [rbp-68h] 27 | unsigned int v30; // [rsp+74h] [rbp-64h] 28 | __int64 AddrEntry; // [rsp+78h] [rbp-60h] 29 | __int64 OwnerEntry; // [rsp+80h] [rbp-58h] 30 | __int64 StateEntry; // [rsp+88h] [rbp-50h] 31 | __int64 _StateEntryOffset; // [rsp+90h] [rbp-48h] 32 | signed int v35; // [rsp+E8h] [rbp+10h] 33 | BOOL bOrder; // [rsp+F0h] [rbp+18h] 34 | // TableId: 35 | // 0 => MIB_TCPROW 36 | // 1 => MIB_TCPTABLE2 37 | // 2 => MIB_TCPTABLE_OWNER_MODULE 38 | // 3 => MIB_TCPTABLE_OWNER_PID 39 | bOrder = Order; 40 | AddrEnryOffset = 0i64; 41 | v7 = Order; 42 | pSizePointer = SizePointer; 43 | TableBase = TcpTable; 44 | AddrEntry = 0i64; 45 | StateEntry = 0i64; 46 | OwnerEntry = 0i64; 47 | EntryNbr = 0; 48 | if ( !SizePointer ) 49 | return 87i64; 50 | LODWORD(SizeOfOwnerEntry) = 0x20; 51 | LODWORD(SizeOfStateEntryMaby) = 0x10; 52 | LODWORD(a7) = 0; 53 | LODWORD(SizeOfAddrEntry) = 0x38; 54 | result = NsiAllocateAndGetTable_0( 55 | 1i64, 56 | (__int64)&NPI_MS_TCP_MODULEID, 57 | TcpInformationId, 58 | (__int64)&AddrEntry, 59 | SizeOfAddrEntry, 60 | 0i64, 61 | a7, 62 | (__int64)&StateEntry, 63 | SizeOfStateEntryMaby, 64 | (__int64)&OwnerEntry, 65 | SizeOfOwnerEntry, 66 | (__int64)&Count); // Size is zero so should not have a retun 67 | ReturnCode = result; 68 | if ( !(_DWORD)result ) // check for error 69 | { 70 | if ( !TableBase ) // check for invalid table base 71 | { 72 | ReturnCode = 0x7A; // ERROR_INSUFFICIENT_BUFFER 73 | *pSizePointer = 0; 74 | } 75 | dwCount = Count; 76 | v14 = 0; 77 | v30 = 0; 78 | if ( Count > 0 ) 79 | { 80 | v15 = 1; 81 | OwnerEntryOffset = 0i64; 82 | StateEntryOffset = 0i64; 83 | v35 = 1; 84 | _StateEntryOffset = 0i64; 85 | while ( 1 ) 86 | { 87 | if ( *(_WORD *)(AddrEnryOffset + AddrEntry) != 2 88 | && (!bShowAllConnections || !*(_BYTE *)(OwnerEntryOffset + OwnerEntry + 3)) ) 89 | { 90 | goto l_Skip; 91 | } 92 | if ( (unsigned __int64)(TcpRowSize[TableId] * v15) + 12 <= (unsigned int)*pSizePointer ) 93 | break; 94 | ReturnCode = 0x7A; // ERROR_INSUFFICIENT_BUFFER 95 | l_Loop: 96 | ++EntryNbr; 97 | v35 = ++v15; 98 | l_Skip: 99 | ++v14; 100 | StateEntryOffset += 0x10i64; 101 | AddrEnryOffset += 0x38i64; 102 | OwnerEntryOffset += 0x20i64; 103 | v30 = v14; 104 | _StateEntryOffset = StateEntryOffset; 105 | if ( v14 >= dwCount ) 106 | { 107 | v7 = bOrder; 108 | LODWORD(AddrEnryOffset) = 0; 109 | goto l_ExitLoop; 110 | } 111 | } 112 | TableOut = GetTcpRowFromTable((__int64)TableBase, EntryNbr, TableId); 113 | memset_0((void *)TableOut, 0, v19); 114 | StateEntryOffset = _StateEntryOffset; 115 | *(_DWORD *)TableOut = *(_DWORD *)(_StateEntryOffset + StateEntry);// TableOut.dwState 116 | // 117 | if ( *(_WORD *)(AddrEnryOffset + AddrEntry) == 2 )// HasLocalAddress and RemoteAddress: 118 | { 119 | *(_DWORD *)(TableOut + 4) = *(_DWORD *)(AddrEnryOffset + AddrEntry + 4);// TableOut.dwLocalAddr 120 | *(_DWORD *)(TableOut + 8) = *(unsigned __int16 *)(AddrEnryOffset + AddrEntry + 2);// TableOut.dwLocalPort 121 | *(_DWORD *)(TableOut + 0xC) = *(_DWORD *)(AddrEnryOffset + AddrEntry + 0x20);// TableOut.dwRemoteAddr 122 | } 123 | else 124 | { // Has no local and no remote address: 125 | *(_DWORD *)(TableOut + 4) = 0; // TableOut.dwLocalAddr 126 | *(_QWORD *)(TableOut + 8) = *(unsigned __int16 *)(AddrEnryOffset + AddrEntry + 2);// TableOut.dwLocalPort 127 | // TableOut.dwRemoteAddr = 0 128 | // (this is a quad-word operation so it will zero dwRemoteAddr at + 0x0C too ) 129 | } 130 | *(_DWORD *)(TableOut + 0x10) = *(unsigned __int16 *)(AddrEnryOffset + AddrEntry + 0x1E);// TableOut.dwRemotePort 131 | if ( TableId != 1 ) 132 | { 133 | if ( TableId == 2 ) 134 | { // MIB_TCPTABLE_OWNER_MODULE: 135 | *(_DWORD *)(TableOut + 0x14) = *(_DWORD *)(OwnerEntryOffset + OwnerEntry + 0xC);// TableOut.dwOwningPid 136 | *(_QWORD *)(TableOut + 0x18) = *(_QWORD *)(OwnerEntryOffset + OwnerEntry + 0x10);// TableOut.liCreateTimestamp 137 | *(_QWORD *)(TableOut + 0x20) = *(_QWORD *)(OwnerEntryOffset + OwnerEntry + 0x18);// TableOut.OwningModuleInfo[0] 138 | } 139 | else if ( TableId == 3 ) 140 | { // MIB_TCPTABLE_OWNER_PID: 141 | goto LABEL_22; 142 | } 143 | LABEL_23: 144 | v15 = v35; 145 | dwCount = Count; 146 | v14 = v30; 147 | goto l_Loop; 148 | } 149 | *(_DWORD *)(TableOut + 0x18) = *(_DWORD *)(StateEntryOffset + StateEntry + 8);// TableOut.dwOffloadState 150 | LABEL_22: 151 | *(_DWORD *)(TableOut + 0x14) = *(_DWORD *)(OwnerEntryOffset + OwnerEntry + 0xC);// TableOut.dwOwningPid 152 | goto LABEL_23; 153 | } 154 | l_ExitLoop: 155 | NsiFreeTable_0(AddrEntry, 0i64, StateEntry, OwnerEntry); 156 | if ( ReturnCode == 0x7A ) // ERROR_INSUFFICIENT_BUFFER 157 | { 158 | *pSizePointer = (EntryNbr + 10) * TcpRowSize[TableId] + 0xC; 159 | } 160 | else 161 | { 162 | *TableBase = EntryNbr; // TableBase->dwNumEntries = EntryNbr 163 | *pSizePointer = EntryNbr * TcpRowSize[TableId] + 0xC; 164 | if ( v7 != (_DWORD)AddrEnryOffset ) // Resort the table 165 | { 166 | v20 = TcpRowSize[TableId]; 167 | v21 = *TableBase; 168 | v22 = (void *)GetTcpRowFromTable((__int64)TableBase, 0, TableId); 169 | qsort( 170 | v22, 171 | NumberOfElementsToSort, // r11d = EntryNbr 172 | SizeOfElementsToSort, // = pSizePointer = r10d, [r13+rbp*4+0] 173 | (int (__cdecl *)(const void *, const void *))CompareMibTcpRow); 174 | } 175 | } 176 | result = ReturnCode; 177 | } 178 | return result; 179 | } 180 | 181 | signed __int64 __fastcall GetTcpRowFromTable(__int64 TableBase, unsigned int EntryNbr, int TableNbr) 182 | { 183 | int v3; // er8 184 | int v4; // er8 185 | // also look at "int TcpRowSize[4]" 186 | if ( !TableNbr ) // TableNbr=0 => MIB_TCPROW 187 | return TableBase + 0x14i64 * EntryNbr + 4; // "+ 4" =>add padding for the table size entry at 0x00 188 | v3 = TableNbr - 1; 189 | if ( !v3 ) // TableNbr=1 => MIB_TCPTABLE2 190 | return 0x1Ci64 * EntryNbr + TableBase + 4; 191 | v4 = v3 - 1; 192 | if ( !v4 ) // TableNbr=2 => MIB_TCPTABLE_OWNER_MODULE 193 | return 0xA0i64 * EntryNbr + TableBase + 8; 194 | if ( v4 == 1 ) // TableNbr=3 => MIB_TCPTABLE_OWNER_PID 195 | return TableBase + 0x18i64 * EntryNbr + 4; 196 | return 0i64; 197 | } 198 | -------------------------------------------------------------------------------- /GetTcpTableInternal_Assembly.asm: -------------------------------------------------------------------------------- 1 | .text:000007FF718A104C 2 | .text:000007FF718A104C ; =============== S U B R O U T I N E ======================================= 3 | .text:000007FF718A104C 4 | .text:000007FF718A104C 5 | .text:000007FF718A104C ; __int64 __fastcall GetTcpTableInternal(unsigned int *TcpTable, _DWORD *SizePointer, BOOL Order, unsigned int TcpInformationId, unsigned int TableId, BOOL bShowAllConnections) 6 | .text:000007FF718A104C GetTcpTableInternal proc near ; CODE XREF: GetTcpTableV4+14?p 7 | .text:000007FF718A104C ; GetTcpTable+17?p ... 8 | .text:000007FF718A104C 9 | .text:000007FF718A104C SizeOfAddrEntry = qword ptr -0B8h 10 | .text:000007FF718A104C a6 = qword ptr -0B0h 11 | .text:000007FF718A104C a7 = qword ptr -0A8h 12 | .text:000007FF718A104C a8 = qword ptr -0A0h 13 | .text:000007FF718A104C SizeOfStateEntryMaby= qword ptr -98h 14 | .text:000007FF718A104C a10 = qword ptr -90h 15 | .text:000007FF718A104C SizeOfOwnerEntry= qword ptr -88h 16 | .text:000007FF718A104C a12 = qword ptr -80h 17 | .text:000007FF718A104C UnknownTableSize= qword ptr -78h 18 | .text:000007FF718A104C Count = dword ptr -68h 19 | .text:000007FF718A104C anonymous_0 = dword ptr -64h 20 | .text:000007FF718A104C AddrEntry = qword ptr -60h 21 | .text:000007FF718A104C OwnerEntry = qword ptr -58h 22 | .text:000007FF718A104C StateEntry = qword ptr -50h 23 | .text:000007FF718A104C _StateEntryOffset= qword ptr -48h 24 | .text:000007FF718A104C arg_0 = qword ptr 8 25 | .text:000007FF718A104C arg_8 = dword ptr 10h 26 | .text:000007FF718A104C bOrder = dword ptr 18h 27 | .text:000007FF718A104C TableId = dword ptr 28h 28 | .text:000007FF718A104C bShowAllConnections= dword ptr 30h 29 | .text:000007FF718A104C 30 | .text:000007FF718A104C mov r11, rsp 31 | .text:000007FF718A104F mov [r11+8], rbx 32 | .text:000007FF718A1053 mov [r11+18h], r8d 33 | .text:000007FF718A1057 push rbp 34 | .text:000007FF718A1058 push rsi 35 | .text:000007FF718A1059 push rdi 36 | .text:000007FF718A105A push r12 37 | .text:000007FF718A105C push r13 38 | .text:000007FF718A105E push r14 39 | .text:000007FF718A1060 push r15 40 | .text:000007FF718A1062 sub rsp, 0A0h 41 | .text:000007FF718A1069 xor r14d, r14d 42 | .text:000007FF718A106C mov eax, r9d 43 | .text:000007FF718A106F mov ebx, r8d 44 | .text:000007FF718A1072 mov r12, rdx 45 | .text:000007FF718A1075 mov r15, rcx 46 | .text:000007FF718A1078 mov [r11-60h], r14 47 | .text:000007FF718A107C mov [r11-50h], r14 48 | .text:000007FF718A1080 mov [r11-58h], r14 49 | .text:000007FF718A1084 mov esi, r14d 50 | .text:000007FF718A1087 cmp rdx, r14 51 | .text:000007FF718A108A jnz short loc_7FF718A1095 52 | .text:000007FF718A108C lea eax, [r14+57h] 53 | .text:000007FF718A1090 jmp loc_7FF718A1367 54 | .text:000007FF718A1095 ; --------------------------------------------------------------------------- 55 | .text:000007FF718A1095 56 | .text:000007FF718A1095 loc_7FF718A1095: ; CODE XREF: GetTcpTableInternal+3E?j 57 | .text:000007FF718A1095 mov byte ptr [rsp+0D8h+UnknownTableSize], r14b ; a13 58 | .text:000007FF718A109A lea rcx, [rsp+0D8h+Count] 59 | .text:000007FF718A109F lea r9, [rsp+0D8h+AddrEntry] ; a4 60 | .text:000007FF718A10A4 mov [rsp+0D8h+a12], rcx ; a12 61 | .text:000007FF718A10A9 mov dword ptr [rsp+0D8h+SizeOfOwnerEntry], 20h ; SizeOfOwnerEntry 62 | .text:000007FF718A10B1 lea rcx, [rsp+0D8h+OwnerEntry] 63 | .text:000007FF718A10B9 mov [rsp+0D8h+a10], rcx ; a10 64 | .text:000007FF718A10BE mov dword ptr [rsp+0D8h+SizeOfStateEntryMaby], 10h ; SizeOfStateEntryMaby 65 | .text:000007FF718A10C6 lea rcx, [rsp+0D8h+StateEntry] 66 | .text:000007FF718A10CE mov [rsp+0D8h+a8], rcx ; a8 67 | .text:000007FF718A10D3 mov dword ptr [rsp+0D8h+a7], r14d ; rsp+0x30 68 | .text:000007FF718A10D8 lea rdx, NPI_MS_TCP_MODULEID ; TypePtr 69 | .text:000007FF718A10DF mov ecx, 1 ; a1 70 | .text:000007FF718A10E4 mov r8d, eax ; a3 71 | .text:000007FF718A10E7 mov [rsp+0D8h+a6], r14 ; rsp+0x28 72 | .text:000007FF718A10EC mov dword ptr [rsp+0D8h+SizeOfAddrEntry], 38h ; rsp+0x20 73 | .text:000007FF718A10F4 call NsiAllocateAndGetTable_0 74 | .text:000007FF718A10F9 mov edi, eax 75 | .text:000007FF718A10FB cmp eax, r14d ; Did return error 76 | .text:000007FF718A10FE jnz loc_7FF718A1367 ; jump if error 77 | .text:000007FF718A1104 cmp r15, r14 ; check table base ptr for zero 78 | .text:000007FF718A1107 jnz short loc_7FF718A1112 79 | .text:000007FF718A1109 mov edi, 7Ah ; ERROR_INSUFFICIENT_BUFFER 80 | .text:000007FF718A110E mov [r12], r14d 81 | .text:000007FF718A1112 82 | .text:000007FF718A1112 loc_7FF718A1112: ; CODE XREF: GetTcpTableInternal+BB?j 83 | .text:000007FF718A1112 mov edx, [rsp+0D8h+Count] 84 | .text:000007FF718A1116 movsxd rbp, [rsp+0D8h+TableId] 85 | .text:000007FF718A111E mov r11d, r14d 86 | .text:000007FF718A1121 mov [rsp+0D8h+anonymous_0], r14d 87 | .text:000007FF718A1126 lea r13, TcpRowSize 88 | .text:000007FF718A112D cmp edx, r14d 89 | .text:000007FF718A1130 jbe loc_7FF718A12EE 90 | .text:000007FF718A1136 mov r8d, 1 91 | .text:000007FF718A113C mov r13, r14 92 | .text:000007FF718A113F mov r9, r14 93 | .text:000007FF718A1142 mov [rsp+0D8h+arg_8], r8d 94 | .text:000007FF718A114A mov [rsp+0D8h+_StateEntryOffset], r14 95 | .text:000007FF718A1152 96 | .text:000007FF718A1152 loc_7FF718A1152: ; CODE XREF: GetTcpTableInternal+28B?j 97 | .text:000007FF718A1152 mov rax, [rsp+0D8h+AddrEntry] 98 | .text:000007FF718A1157 cmp word ptr [r14+rax], 2 99 | .text:000007FF718A115D jz short loc_7FF718A1181 100 | .text:000007FF718A115F cmp [rsp+0D8h+bShowAllConnections], 0 101 | .text:000007FF718A1167 jz loc_7FF718A12B8 102 | .text:000007FF718A116D mov rax, [rsp+0D8h+OwnerEntry] 103 | .text:000007FF718A1175 cmp byte ptr [r13+rax+3], 0 104 | .text:000007FF718A117B jz loc_7FF718A12B8 105 | .text:000007FF718A1181 106 | .text:000007FF718A1181 loc_7FF718A1181: ; CODE XREF: GetTcpTableInternal+111?j 107 | .text:000007FF718A1181 mov eax, [r12] 108 | .text:000007FF718A1185 lea rcx, TcpRowSize 109 | .text:000007FF718A118C mov r10d, [rcx+rbp*4] 110 | .text:000007FF718A1190 mov ecx, r8d 111 | .text:000007FF718A1193 imul ecx, r10d 112 | .text:000007FF718A1197 add rcx, 0Ch 113 | .text:000007FF718A119B cmp rcx, rax 114 | .text:000007FF718A119E jbe short loc_7FF718A11AA 115 | .text:000007FF718A11A0 mov edi, 7Ah ; ERROR_INSUFFICIENT_BUFFER 116 | .text:000007FF718A11A5 jmp loc_7FF718A12AB 117 | .text:000007FF718A11AA ; --------------------------------------------------------------------------- 118 | .text:000007FF718A11AA 119 | .text:000007FF718A11AA loc_7FF718A11AA: ; CODE XREF: GetTcpTableInternal+152?j 120 | .text:000007FF718A11AA mov r8d, ebp ; TableNbr 121 | .text:000007FF718A11AD mov edx, esi ; EntryNbr 122 | .text:000007FF718A11AF mov rcx, r15 ; TableBase 123 | .text:000007FF718A11B2 call GetTcpRowFromTable 124 | .text:000007FF718A11B7 mov r8, r10 ; Size 125 | .text:000007FF718A11BA xor edx, edx ; Val 126 | .text:000007FF718A11BC mov rcx, rax ; Dst 127 | .text:000007FF718A11BF mov rbx, rax 128 | .text:000007FF718A11C2 call memset_0 129 | .text:000007FF718A11C7 mov r11, [rsp+0D8h+StateEntry] 130 | .text:000007FF718A11CF mov r9, [rsp+0D8h+_StateEntryOffset] 131 | .text:000007FF718A11D7 mov ecx, [r9+r11] 132 | .text:000007FF718A11DB mov [rbx], ecx 133 | .text:000007FF718A11DD mov rax, [rsp+0D8h+AddrEntry] 134 | .text:000007FF718A11E2 cmp word ptr [r14+rax], 2 135 | .text:000007FF718A11E8 jnz short loc_7FF718A120F 136 | .text:000007FF718A11EA mov ecx, [r14+rax+4] 137 | .text:000007FF718A11EF mov [rbx+4], ecx 138 | .text:000007FF718A11F2 mov rax, [rsp+0D8h+AddrEntry] 139 | .text:000007FF718A11F7 movzx ecx, word ptr [r14+rax+2] 140 | .text:000007FF718A11FD mov [rbx+8], ecx 141 | .text:000007FF718A1200 mov rax, [rsp+0D8h+AddrEntry] 142 | .text:000007FF718A1205 mov ecx, [r14+rax+20h] 143 | .text:000007FF718A120A mov [rbx+0Ch], ecx 144 | .text:000007FF718A120D jmp short loc_7FF718A1225 145 | .text:000007FF718A120F ; --------------------------------------------------------------------------- 146 | .text:000007FF718A120F 147 | .text:000007FF718A120F loc_7FF718A120F: ; CODE XREF: GetTcpTableInternal+19C?j 148 | .text:000007FF718A120F and dword ptr [rbx+4], 0 149 | .text:000007FF718A1213 mov rax, [rsp+0D8h+AddrEntry] 150 | .text:000007FF718A1218 movzx ecx, word ptr [r14+rax+2] 151 | .text:000007FF718A121E and dword ptr [rbx+0Ch], 0 152 | .text:000007FF718A1222 mov [rbx+8], ecx 153 | .text:000007FF718A1225 154 | .text:000007FF718A1225 loc_7FF718A1225: ; CODE XREF: GetTcpTableInternal+1C1?j 155 | .text:000007FF718A1225 mov rax, [rsp+0D8h+AddrEntry] 156 | .text:000007FF718A122A movzx ecx, word ptr [r14+rax+1Eh] 157 | .text:000007FF718A1230 mov [rbx+10h], ecx 158 | .text:000007FF718A1233 mov ecx, ebp 159 | .text:000007FF718A1235 sub ecx, 1 160 | .text:000007FF718A1238 jz short loc_7FF718A127A 161 | .text:000007FF718A123A sub ecx, 1 162 | .text:000007FF718A123D jz short loc_7FF718A1246 163 | .text:000007FF718A123F cmp ecx, 1 164 | .text:000007FF718A1242 jnz short loc_7FF718A129A 165 | .text:000007FF718A1244 jmp short loc_7FF718A128A 166 | .text:000007FF718A1246 ; --------------------------------------------------------------------------- 167 | .text:000007FF718A1246 168 | .text:000007FF718A1246 loc_7FF718A1246: ; CODE XREF: GetTcpTableInternal+1F1?j 169 | .text:000007FF718A1246 mov rax, [rsp+0D8h+OwnerEntry] 170 | .text:000007FF718A124E mov ecx, [r13+rax+0Ch] 171 | .text:000007FF718A1253 mov [rbx+14h], ecx 172 | .text:000007FF718A1256 mov rax, [rsp+0D8h+OwnerEntry] 173 | .text:000007FF718A125E mov rcx, [r13+rax+10h] 174 | .text:000007FF718A1263 mov [rbx+18h], rcx 175 | .text:000007FF718A1267 mov rax, [rsp+0D8h+OwnerEntry] 176 | .text:000007FF718A126F mov rcx, [r13+rax+18h] 177 | .text:000007FF718A1274 mov [rbx+20h], rcx 178 | .text:000007FF718A1278 jmp short loc_7FF718A129A 179 | .text:000007FF718A127A ; --------------------------------------------------------------------------- 180 | .text:000007FF718A127A 181 | .text:000007FF718A127A loc_7FF718A127A: ; CODE XREF: GetTcpTableInternal+1EC?j 182 | .text:000007FF718A127A mov rax, [rsp+0D8h+StateEntry] 183 | .text:000007FF718A1282 mov ecx, [r9+rax+8] 184 | .text:000007FF718A1287 mov [rbx+18h], ecx 185 | .text:000007FF718A128A 186 | .text:000007FF718A128A loc_7FF718A128A: ; CODE XREF: GetTcpTableInternal+1F8?j 187 | .text:000007FF718A128A mov rax, [rsp+0D8h+OwnerEntry] 188 | .text:000007FF718A1292 mov ecx, [r13+rax+0Ch] 189 | .text:000007FF718A1297 mov [rbx+14h], ecx 190 | .text:000007FF718A129A 191 | .text:000007FF718A129A loc_7FF718A129A: ; CODE XREF: GetTcpTableInternal+1F6?j 192 | .text:000007FF718A129A ; GetTcpTableInternal+22C?j 193 | .text:000007FF718A129A mov r8d, [rsp+0D8h+arg_8] 194 | .text:000007FF718A12A2 mov edx, [rsp+0D8h+Count] 195 | .text:000007FF718A12A6 mov r11d, [rsp+0D8h+anonymous_0] 196 | .text:000007FF718A12AB 197 | .text:000007FF718A12AB loc_7FF718A12AB: ; CODE XREF: GetTcpTableInternal+159?j 198 | .text:000007FF718A12AB inc esi 199 | .text:000007FF718A12AD inc r8d 200 | .text:000007FF718A12B0 mov [rsp+0D8h+arg_8], r8d 201 | .text:000007FF718A12B8 202 | .text:000007FF718A12B8 loc_7FF718A12B8: ; CODE XREF: GetTcpTableInternal+11B?j 203 | .text:000007FF718A12B8 ; GetTcpTableInternal+12F?j 204 | .text:000007FF718A12B8 inc r11d 205 | .text:000007FF718A12BB add r9, 10h 206 | .text:000007FF718A12BF add r14, 38h 207 | .text:000007FF718A12C3 add r13, 20h 208 | .text:000007FF718A12C7 mov [rsp+0D8h+anonymous_0], r11d 209 | .text:000007FF718A12CC mov [rsp+0D8h+_StateEntryOffset], r9 210 | .text:000007FF718A12D4 cmp r11d, edx 211 | .text:000007FF718A12D7 jb loc_7FF718A1152 212 | .text:000007FF718A12DD mov ebx, [rsp+0D8h+bOrder] 213 | .text:000007FF718A12E4 xor r14d, r14d 214 | .text:000007FF718A12E7 lea r13, TcpRowSize 215 | .text:000007FF718A12EE 216 | .text:000007FF718A12EE loc_7FF718A12EE: ; CODE XREF: GetTcpTableInternal+E4?j 217 | .text:000007FF718A12EE mov r9, [rsp+0D8h+OwnerEntry] 218 | .text:000007FF718A12F6 mov r8, [rsp+0D8h+StateEntry] 219 | .text:000007FF718A12FE mov rcx, [rsp+0D8h+AddrEntry] 220 | .text:000007FF718A1303 xor edx, edx 221 | .text:000007FF718A1305 call NsiFreeTable_0 222 | .text:000007FF718A130A cmp edi, 7Ah ; ERROR_INSUFFICIENT_BUFFER 223 | .text:000007FF718A130D jnz short loc_7FF718A1323 224 | .text:000007FF718A130F mov edx, [r13+rbp*4+0] 225 | .text:000007FF718A1314 lea eax, [rsi+0Ah] 226 | .text:000007FF718A1317 imul edx, eax 227 | .text:000007FF718A131A add edx, 0Ch 228 | .text:000007FF718A131D mov [r12], edx 229 | .text:000007FF718A1321 jmp short loc_7FF718A1365 230 | .text:000007FF718A1323 ; --------------------------------------------------------------------------- 231 | .text:000007FF718A1323 232 | .text:000007FF718A1323 loc_7FF718A1323: ; CODE XREF: GetTcpTableInternal+2C1?j 233 | .text:000007FF718A1323 mov [r15], esi 234 | .text:000007FF718A1326 mov eax, [r13+rbp*4+0] 235 | .text:000007FF718A132B imul eax, esi 236 | .text:000007FF718A132E add eax, 0Ch 237 | .text:000007FF718A1331 mov [r12], eax 238 | .text:000007FF718A1335 cmp ebx, r14d 239 | .text:000007FF718A1338 jz short loc_7FF718A1365 240 | .text:000007FF718A133A mov r10d, [r13+rbp*4+0] 241 | .text:000007FF718A133F mov r11d, [r15] 242 | .text:000007FF718A1342 mov r8d, ebp ; TableNbr 243 | .text:000007FF718A1345 xor edx, edx ; EntryNbr 244 | .text:000007FF718A1347 mov rcx, r15 ; TableBase 245 | .text:000007FF718A134A call GetTcpRowFromTable 246 | .text:000007FF718A134F lea r9, CompareMibTcpRow ; PtFuncCompare 247 | .text:000007FF718A1356 mov r8, r10 ; SizeOfElements 248 | .text:000007FF718A1359 mov rcx, rax ; Base 249 | .text:000007FF718A135C mov rdx, r11 ; NumOfElements 250 | .text:000007FF718A135F call cs:__imp_qsort 251 | .text:000007FF718A1365 252 | .text:000007FF718A1365 loc_7FF718A1365: ; CODE XREF: GetTcpTableInternal+2D5?j 253 | .text:000007FF718A1365 ; GetTcpTableInternal+2EC?j 254 | .text:000007FF718A1365 mov eax, edi 255 | .text:000007FF718A1367 256 | .text:000007FF718A1367 loc_7FF718A1367: ; CODE XREF: GetTcpTableInternal+44?j 257 | .text:000007FF718A1367 ; GetTcpTableInternal+B2?j 258 | .text:000007FF718A1367 mov rbx, [rsp+0D8h+arg_0] 259 | .text:000007FF718A136F add rsp, 0A0h 260 | .text:000007FF718A1376 pop r15 261 | .text:000007FF718A1378 pop r14 262 | .text:000007FF718A137A pop r13 263 | .text:000007FF718A137C pop r12 264 | .text:000007FF718A137E pop rdi 265 | .text:000007FF718A137F pop rsi 266 | .text:000007FF718A1380 pop rbp 267 | .text:000007FF718A1381 retn 268 | .text:000007FF718A1381 ; --------------------------------------------------------------------------- 269 | .text:000007FF718A1382 align 8 270 | .text:000007FF718A1382 GetTcpTableInternal endp 271 | .text:000007FF718A1382 --------------------------------------------------------------------------------