├── README.md ├── chapter_1 ├── page_11 │ └── exercise_1 │ │ ├── Makefile │ │ ├── code.asm │ │ ├── code_with_comments.asm │ │ ├── scasb.png │ │ ├── scasb.svg │ │ ├── stack.png │ │ ├── stack.svg │ │ ├── version_1.c │ │ └── version_2.c ├── page_17 │ ├── exercise_1 │ │ ├── code.asm │ │ ├── stack.png │ │ └── stack.svg │ ├── exercise_2 │ │ ├── version_1.asm │ │ ├── version_2.asm │ │ └── version_3.asm │ ├── exercise_3 │ │ ├── addme_with_restore.asm │ │ └── addme_without_restore.asm │ └── exercise_4 │ │ ├── code.c │ │ ├── code_clang.asm │ │ ├── code_gcc_o0.asm │ │ ├── code_gcc_os.asm │ │ ├── stack.png │ │ ├── stack.svg │ │ └── stack2.svg └── page_35 │ ├── exercise_1 │ ├── 01_initial.png │ ├── 01_initial.svg │ ├── 02_line03_to_line12.png │ ├── 02_line03_to_line12.svg │ ├── 03_with_processentry.png │ ├── 03_with_processentry.svg │ ├── 04_line19_to_line29.png │ ├── 04_line19_to_line29.svg │ ├── 05_line35_to_line51.png │ ├── 05_line35_to_line51.svg │ ├── 06_line66_to_line92.png │ ├── 06_line66_to_line92.svg │ ├── 07_line93_to_line98.png │ └── 07_line93_to_line98.svg │ ├── exercise_2 │ └── dllmain.cpp │ ├── exercise_4 │ ├── my_memcpy.asm │ ├── my_memset.asm │ ├── my_strchr.asm │ ├── my_strcmp.asm │ ├── my_strlen.asm │ └── my_strset.asm │ ├── exercise_5 │ ├── KeInitializeApc │ │ ├── KeInitializeApc.asm │ │ ├── KeInitializeApc.cpp │ │ ├── KeInitializeApc.pseudo │ │ ├── structures.txt │ │ └── syntax.txt │ ├── KeInitializeDpc │ │ ├── KeInitializeDpc.asm │ │ ├── KeInitializeDpc.cpp │ │ ├── structures.txt │ │ └── syntax.txt │ ├── KeInitializeQueue │ │ ├── KeInitializeQueue.asm │ │ ├── KeInitializeQueue.cpp │ │ ├── KeInitializeQueue.pseudo │ │ ├── structures.txt │ │ └── syntax.txt │ ├── KeReadyThread │ │ ├── KeReadyThread.asm │ │ ├── KeReadyThread.cpp │ │ ├── KeReadyThread.pseudo │ │ └── syntax.txt │ ├── KiInitializeTSS │ │ ├── KiInitializeTSS.asm │ │ ├── KiInitializeTSS.cpp │ │ ├── KiInitializeTSS.pseudo │ │ ├── structures.txt │ │ └── syntax.txt │ ├── ObFastDereferenceObject │ │ ├── 
ObFastDereferenceObject.asm │ │ ├── ObFastDereferenceObject.cpp │ │ ├── ObFastDereferenceObject.pseudo │ │ ├── structures.txt │ │ └── syntax.txt │ └── RtlValidateUnicodeString │ │ ├── RtlValidateUnicodeString.asm │ │ ├── RtlValidateUnicodeString.cpp │ │ ├── RtlValidateUnicodeString.pseudo │ │ ├── RtlValidateUnicodeStringEx.asm │ │ └── syntax.txt │ ├── exercise_6 │ ├── pseudo_code.cpp │ └── sub_13842.asm │ ├── exercise_7 │ ├── code.asm │ └── code.cpp │ ├── exercise_8 │ ├── pseudocode_raw.cpp │ ├── pseudocode_simplified.cpp │ └── sub_1172E.asm │ └── exercise_9 │ ├── apples_strrchr.c │ ├── fully_working_code.asm │ ├── onetoone_strrchr.c │ └── snippet.asm ├── chapter_2 └── page_78 │ ├── mystery1 │ ├── ascii_art_1.txt │ ├── code.asm │ ├── code.cpp │ └── pseudocode.txt │ ├── mystery10 │ ├── code.asm │ └── code.c │ ├── mystery11 │ ├── mystery11.asm │ ├── mystery11.pseudo │ ├── mystery11_structures.png │ └── mystery11_structures.svg │ ├── mystery2 │ ├── code.asm │ ├── code.cpp │ └── pseudocode.txt │ ├── mystery3 │ ├── code.asm │ ├── code.cpp │ └── pseudocode.txt │ ├── mystery4 │ ├── code.asm │ ├── code.cpp │ └── pseudocode.txt │ ├── mystery5 │ ├── code.asm │ ├── code.c │ └── pseudocode.txt │ ├── mystery6 │ ├── code.asm │ ├── code.c │ └── pseudocode.txt │ ├── mystery7 │ ├── code.asm │ ├── code.c │ └── pseudocode.txt │ ├── mystery8 │ ├── code.asm │ ├── code.c │ ├── pseudocode_step1.txt │ ├── pseudocode_step2.txt │ └── pseudocode_step3.txt │ └── mystery9 │ ├── code.asm │ ├── code.c │ ├── notes.txt │ └── pseudocode.txt └── chapter_3 └── page_123 ├── exercise_1 └── KernelRoutines │ ├── CcAllocateInitializeMbcb.asm │ ├── CmpInitCallbacks.asm │ ├── ExCreateCallback.asm │ ├── ExpInitSystemPhase0.asm │ ├── ExpInitSystemPhase1.asm │ ├── ExpTimerInitialization.asm │ ├── InitBootProcessor.asm │ ├── IoCreateDevice.asm │ ├── IoInitializeIrp.asm │ ├── KeInitThread.asm │ ├── KeInitializeMutex.asm │ ├── KeInitializeProcess.asm │ ├── KeInitializeTimerEx.asm │ ├── KeInitializeTimerTable.asm 
│ ├── KiInitializeProcessor.asm │ ├── KiInitializeThread.asm │ ├── MiInitializeLoadedModuleList.asm │ ├── MiInitializePrefetchHead.asm │ ├── PspAllocateProcess.asm │ └── PspAllocateThread.asm ├── exercise_2 ├── KernelRoutines │ ├── CcSetVacbInFreeList.asm │ ├── CmpDoSort.asm │ ├── ExBurnMemory.asm │ ├── ExFreePoolWithTag.asm │ ├── IoPageRead.asm │ ├── IovpCallDriver1.asm │ ├── KeInitThread.asm │ ├── KeInsertQueueDpc.asm │ ├── KiInsertQueueApc.asm │ ├── KiQueueReadyThread.asm │ ├── MiInsertInSystemSpace.asm │ ├── MiUpdateWsle.asm │ └── ObpInsertCallbackByAltitude.asm └── ListPictures │ ├── CcSetVacbInFreeList.png │ ├── CmpDoSort.png │ ├── ExBurnMemory.png │ ├── ExFreePoolWithTag.png │ ├── IoPageRead.png │ ├── IovpCallDriver1.png │ ├── KeInitThread.png │ ├── KeInsertQueueDpc.png │ ├── KiInsertQueueApc.png │ ├── KiQueueReadyThread.png │ ├── MiInsertInSystemSpace.png │ ├── MiUpdateWsle.png │ └── ObpInsertCallbackByAltitude.png ├── exercise_3 ├── KernelRoutines │ ├── AlpcpCreateClientPort.asm │ ├── AlpcpCreateSection.asm │ ├── AlpcpCreateView.asm │ ├── AuthzBasepAddSecurityAttributeToLists.asm │ ├── CcFlushCachePriv.asm │ ├── CcInitializeCacheManager.asm │ ├── CcInsertVacbArray.asm │ ├── CcSetFileSizesEx.asm │ ├── CmRenameKey.asm │ ├── ExAllocatePoolWithTag.asm │ ├── ExFreePoolWithTag.asm │ ├── ExQueueWorkItem.asm │ ├── ExRegisterCallback.asm │ ├── ExpSetTimer.asm │ ├── IoSetIoCompletionEx2.asm │ ├── KeInsertQueueDpc.asm │ ├── KeStartThread.asm │ ├── KiAddThreadToScbQueue.asm │ ├── KiInsertQueueApc.asm │ ├── KiQueueReadyThread.asm │ ├── MiInsertNewProcess.asm │ ├── PnpRequestDeviceAction.asm │ ├── PspInsertProcess.asm │ └── PspInsertThread.asm └── ListImages │ ├── AlpcpCreateClientPort.png │ ├── AlpcpCreateSection.png │ ├── AlpcpCreateView.png │ ├── AuthzBasepAddSecurityAttributeToLists.png │ ├── AuthzBasepAddSecurityAttributeToLists_2.png │ ├── CcFlushCachePriv.png │ ├── CcInitializeCacheManager.png │ ├── CcInitializeCacheManager_2.png │ ├── CcInsertVacbArray.png │ ├── 
CcInsertVacbArray_2.png │ ├── CcSetFileSizesEx.png │ ├── CcSetFileSizesEx_3.png │ ├── CcSetFileSizesEx_4.png │ ├── CcSetFileSizesEx_5.png │ ├── CcSetFileSizesEx_6.png │ ├── CmRenameKey.png │ ├── CmRenameKey_2.png │ ├── CmRenameKey_3.png │ ├── CmRenameKey_4.png │ ├── ExAllocatePoolWithTag.png │ ├── ExAllocatePoolWithTag_2.png │ ├── ExFreePoolWithTag.png │ ├── ExQueueWorkItem.png │ ├── ExRegisterCallback.png │ ├── ExpSetTimer.png │ ├── IoSetIoCompletionEx2.png │ ├── IoSetIoCompletionEx2_2.png │ ├── KeInsertQueueDpc.png │ ├── KeStartThread.png │ ├── KeStartThread_2.png │ ├── KiAddThreadToScbQueue.png │ ├── KiInsertQueueApc.png │ ├── KiQueueReadyThread.png │ ├── MiInsertNewProcess.png │ ├── PnpRequestDeviceAction.png │ ├── PspInsertProcess.png │ └── PspInsertThread.png ├── exercise_4 ├── KernelRoutines │ ├── AlpcpFlushResourcesPort.asm │ ├── CcDeleteMbcb.asm │ ├── CcGetVacbMiss.asm │ ├── CmpLazyCommitWorker.asm │ ├── ExAllocatePoolWithTag.asm │ ├── FsRtlNotifyCompleteIrpList.asm │ ├── IopInitializeBootDrivers.asm │ ├── KiProcessDisconnectList.asm │ ├── PnpDeviceCompletionQueueGetCompletedRequest.asm │ ├── RtlDestroyAtomTable.asm │ ├── RtlEmptyAtomTable.asm │ └── RtlpFreeAllAtom.asm └── ListImages │ ├── CcDeleteMbcb.png │ ├── CcGetVacbMiss.png │ ├── CmpLazyCommitWorker.png │ ├── ExAllocatePoolWithTag.png │ ├── FsRtlNotifyCompleteIrpList.png │ ├── KiProcessDisconnectList.png │ ├── PnpDeviceQueueGetCompletedRequest.png │ ├── RtlDestroyAtomTable.png │ ├── RtlEmptyAtomTable.png │ └── RtlpFreeAllAtom.png ├── exercise_5 ├── KernelRoutines │ ├── BootApplicationPersistentDataProcess.asm │ ├── CmpCallCallBacks.asm │ ├── CmpDelayCloseWorker.asm │ ├── ObpCallPostOperationCallbacks.asm │ └── RaspAddCacheEntry.asm └── ListImages │ ├── CmpCallCallBacks.png │ ├── CmpDelayCloseWorker.png │ ├── ObpCallPostOperationCallbacks.png │ └── RaspAddCacheEntry.png └── exercise_6 ├── KernelRoutines ├── AlpcSectionDeleteProcedure.asm ├── AlpcpUnregisterCompletionListDatabase.asm ├── 
AuthzBasepRemoveSecurityAttributeFromLists.asm ├── CcDeleteBcbs.asm ├── CcFindNextWorkQueueEntry.asm ├── CcLazyWriteScan.asm ├── CcSetFileSizesEx.asm ├── CmShutdownSystem.asm ├── CmUnRegisterCallback.asm ├── CmpCallCallBacks.asm ├── CmpPostApc.asm ├── ExDeleteTimer.asm ├── ExFreePoolWithTag.asm ├── ExQueueWorkItem.asm ├── ExTimerRundown.asm ├── ExpDeleteTimer.asm ├── ExpSetTimer.asm ├── IoDeleteDevice.asm ├── IoDelteDevice.asm ├── IoUnregisterFsRegistrationChange.asm ├── IopfCompleteRequest.asm ├── KeDeregisterBugCheckCallback.asm ├── KeDeregisterObjectNotification.asm ├── KeRegisterObjectNotification.asm ├── KeRemoveQueueApc.asm ├── KeRemoveQueueDpc.asm ├── KeTerminateThread.asm ├── KiCancelTimer.asm ├── KiDeliverApc.asm ├── KiExecuteAllDpcs.asm ├── KiExpireTimerTable.asm ├── KiFindReadyThread.asm ├── KiFlushQueueApc.asm ├── KiInsertTimerTable.asm ├── KiProcessExpiredTimerList.asm ├── MiDeleteVirtualAddresses.asm ├── NtNotifyChangeMultipleKeys.asm ├── ObRegisterCallbacks.asm └── ObUnRegisterCallbacks.asm └── ListImages ├── AlpcSectionDeleteProcedure.png ├── AlpcpDeletePort.png ├── AlpcpDeletePort_2.png ├── AlpcpDeletePort_3.png ├── AlpcpUnregisterCompletionListDatabase.png ├── AuthzBasepRemoveSecurityAttributeFromLists.png ├── CcDeleteBcbs.png ├── CcFindNextWorkQueueEntry.png ├── CcLazyWriteScan.png ├── CcSetFileSizesEx.png ├── CcSetFileSizesEx_2.png ├── CcSetFileSizesEx_3.png ├── CcSetFileSizesEx_4.png ├── CcSetFileSizesEx_5.png ├── CcSetFileSizesEx_6.png ├── CcSetFileSizesEx_7.png ├── CcSetFileSizesEx_8.png ├── CmShutdownSystem.png ├── CmUnRegisterCallback.png ├── CmUnRegisterCallback_2.png ├── CmUnRegisterCallback_3.png ├── CmpCallCallBacks.png ├── CmpPostApc.png ├── CmpPostApc_2.png ├── CmpPostApc_3.png ├── ExFreePoolWithTag.png ├── ExFreePoolWithTag_2.png ├── ExFreePoolWithTag_3.png ├── ExQueueWorkItem.png ├── ExQueueWorkItem_2.png ├── ExTimerRundown.png ├── ExpDeleteTimer.png ├── ExpDeleteTimer_2.png ├── ExpSetTimer.png ├── IoDeleteDevice.png ├── 
IoUnregisterFsRegistrationChange.png ├── IoUnregisterFsRegistrationChange_2.png ├── IopfCompleteRequest.png ├── IopfCompleteRequest_2.png ├── IopfCompleteRequest_3.png ├── IopfCompleteRequest_4.png ├── IopfCompleteRequest_5.png ├── IopfCompleteRequest_6.png ├── IopfCompleteRequest_7.png ├── KeDeregisterBugCheckCallback.png ├── KeDeregisterObjectNotification.png ├── KeRegisterObjectNotification.png ├── KeRegisterObjectNotification_2.png ├── KeRemoveQueueApc.png ├── KeRemoveQueueApc_2.png ├── KeRemoveQueueDpc.png ├── KeTerminateThread.png ├── KeTerminateThread_2.png ├── KiCancelTimer.png ├── KiDeliverApc.png ├── KiDeliverApc_2.png ├── KiDeliverApc_3.png ├── KiExecuteAllDpcs.png ├── KiExpireTimerTable.png ├── KiFindReadyThread.png ├── KiFlushQueueApc.png ├── KiInsertTimerTable.png ├── KiInsertTimerTable_2.png ├── KiInsertTimerTable_3.png ├── KiProcessExpiredTimerList.png ├── KiProcessExpiredTimerList_2.png ├── NtNotifyChangeMultipleKeys.png ├── NtNotifyChangeMultipleKeys_2.png ├── NtNotifyChangeMultipleKeys_3.png ├── NtNotifyChangeMultipleKeys_4.png ├── NtNotifyChangeMultipleKeys_5.png ├── NtNotifyChangeMultipleKeys_6.png ├── NtNotifyChangeMultipleKeys_7.png ├── NtNotifyChangeMultipleKeys_8.png ├── ObRegisterCallbacks.png ├── ObUnRegisterCallbacks.png ├── ObUnRegisterCallbacks_2.png ├── ObUnRegisterCallbacks_3.png └── ObUnRegisterCallbacks_4.png /README.md: -------------------------------------------------------------------------------- 1 | Practical Reverse Engineering 2 | ============================= 3 | I'm currently reading the book 4 | *Practical Reverse Engineering* by Bruce Dang, Alexandre Gazet 5 | and Elias Bachaalany (ISBN: [1118787315](http://eu.wiley.com/WileyCDA/WileyTitle/productCd-1118787315.html)). 6 | 7 | An essential part of the book are exercises. They are quite 8 | challenging, especially for someone new to the field of reverse 9 | engineering. The book doesn't have solutions, but encourage 10 | the reader to share their results. 
This is what I'm doing on 11 | [my blog](http://www.johannesbader.ch/projects/solutions-to-practical-reverse-engineering/). 12 | You can find all accompanying material like source code in this 13 | repository. 14 | 15 | Again, I'm very inexperienced with reverse engineering and my 16 | results likely contain errors, but I hope you might still find 17 | them useful. If you have any corrections or remarks, I'll 18 | appreciate if you post them here or under the blog posts. -------------------------------------------------------------------------------- /chapter_1/page_11/exercise_1/Makefile: -------------------------------------------------------------------------------- 1 | all : code 2 | 3 | code : code.o 4 | ld -m elf_i386 -o code code.o 5 | 6 | code.o : code.asm 7 | nasm -f elf32 -g -F dwarf code.asm 8 | -------------------------------------------------------------------------------- /chapter_1/page_11/exercise_1/code.asm: -------------------------------------------------------------------------------- 1 | SECTION .data 2 | my_str: 3 | db 'The pool on the roof must have a leak.', 0 4 | SECTION .text 5 | GLOBAL _start 6 | _start: 7 | nop 8 | push byte 'x' 9 | push dword my_str 10 | call black_out 11 | add esp, 8 12 | mov ebx,0 13 | mov eax,1 14 | int 080h 15 | 16 | black_out: 17 | push ebp 18 | mov ebp, esp 19 | ; ------------ start code from book --------- 20 | mov edi, [ebp+8] 21 | mov edx, edi 22 | xor eax, eax 23 | or ecx, 0FFFFFFFFh 24 | repne scasb 25 | add ecx, 2 26 | neg ecx 27 | mov al, [ebp+0Ch] 28 | mov edi, edx 29 | rep stosb 30 | mov eax, edx 31 | ; ------------ end code from book ----------- 32 | mov esp, ebp 33 | pop ebp 34 | ret 35 | 36 | -------------------------------------------------------------------------------- /chapter_1/page_11/exercise_1/code_with_comments.asm: -------------------------------------------------------------------------------- 1 | SECTION .data 2 | my_str: 3 | db 'The pool on the roof must have a leak.', 0 4 | SECTION .text 
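GLOBAL _start
_start:
    nop
    push byte 'x'               ; second function parameter (an imm8 push still
                                ; occupies one dword on the 32-bit stack)
    push dword my_str           ; first function parameter
    call black_out              ; call function
    add esp, 8                  ; clean up both dword arguments; this file said
                                ; "add esp, 4", which only pops half of what was
                                ; pushed (code.asm correctly uses 8)
    mov ebx,0                   ; parameter for exit call (return value)
    mov eax,1                   ; exit system call
    int 080h                    ; run system call, see page 79 pal

; black_out(str, ch): overwrite every byte of the NUL-terminated string str
; with ch and return str. Clobbers eax, ecx, edx, edi.
; str must be NUL-terminated: the scan below has no upper bound (ecx = -1),
; so an unterminated buffer is read until the process faults.
black_out:
    push ebp                    ; function prologue, save stack base pointer
    mov ebp, esp                ; point base pointer to ESP
    ; ------------ start code from book ---------
    mov edi, [ebp+8]            ; put first parameter (char*) in edi
    mov edx, edi                ; make a copy of edi (scasb will change edi)
    xor eax, eax                ; set eax to 0 (i.e., null byte)
    or ecx, 0FFFFFFFFh          ; set ecx to 0xFFFFFFFF = (-1)
    repne scasb                 ; search eax (null byte) in memory at edi (first
                                ; parameter), decrement ecx for each tested char.
    add ecx, 2                  ; increment ecx by 2 (to compensate for starting
                                ; at -1, and the final null byte)
    neg ecx                     ; change sign of ecx.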
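; ecx is now length of string
    mov al, [ebp+0Ch]           ; copy second parameter (char) to al (byte)
    mov edi, edx                ; restore edi from backup (points at string again)
    rep stosb                   ; write byte in al (second function parameter) to
                                ; memory at edi (first function parameter), ecx
                                ; times (length of string). The old comment said
                                ; "edi times": edi is the destination pointer,
                                ; ecx is the repeat count.
    mov eax, edx                ; set eax (return value) to address of (changed) string
    ; ------------ end code from book -----------
    mov esp, ebp                ; restore stack pointer
    pop ebp                     ; restore stack base pointer
    ret

--------------------------------------------------------------------------------
/chapter_1/page_11/exercise_1/scasb.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_1/page_11/exercise_1/scasb.png
--------------------------------------------------------------------------------
/chapter_1/page_11/exercise_1/stack.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_1/page_11/exercise_1/stack.png
--------------------------------------------------------------------------------
/chapter_1/page_11/exercise_1/version_1.c:
--------------------------------------------------------------------------------
#include <stdio.h>   /* header name was lost in extraction; printf needs it */

/* black_out(str, ch): overwrite every character of the NUL-terminated,
 * writable string str with ch, in place, and return str.
 * This is the C counterpart of the assembly routine in code.asm: first a
 * scan for the terminator, then a fill of exactly that many bytes. */
char* black_out(char *str, char ch)
{
    /* find length of string */
    size_t len = 0;             /* a length is a size_t, not an int */
    char *str_cpy = str;
    while (*str_cpy != '\0') {
        len++;
        str_cpy++;
    }
    /* set each character of string to ch */
    while (len-- > 0) {
        str[len] = ch;
    }
    return str;
}

int main (int argc, char *argv[] )
{
    if (argc != 3 )
        printf("usage: %s string character", argv[0]);
    else {
        /* *argv[2] is the first byte of the second argument; an empty
         * argument yields '\0' and blanks the whole string */
        char *test2 = black_out(argv[1], *argv[2]);
        printf("%s\n", test2);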
} 27 | } 28 | -------------------------------------------------------------------------------- /chapter_1/page_11/exercise_1/version_2.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | char* black_out(char *str, char ch) 4 | { 5 | /* find length of string */ 6 | int len = strlen(str); 7 | /* set each character of string to */ 8 | memset(str, ch, len); 9 | return str; 10 | } 11 | 12 | int main (int argc, char *argv[] ) 13 | { 14 | if (argc != 3 ) 15 | printf("usage: %s string character", argv[0]); 16 | else { 17 | char *test2 = black_out(argv[1], *argv[2]); 18 | printf("%s\n", test2); 19 | } 20 | } 21 | -------------------------------------------------------------------------------- /chapter_1/page_17/exercise_1/code.asm: -------------------------------------------------------------------------------- 1 | SECTION .data 2 | SECTION .text 3 | GLOBAL _start 4 | _start: 5 | nop 6 | call read_eip 7 | mov ebx,0 8 | mov eax,1 9 | int 080h 10 | 11 | read_eip: 12 | mov eax, [esp] 13 | ret 14 | -------------------------------------------------------------------------------- /chapter_1/page_17/exercise_1/stack.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_1/page_17/exercise_1/stack.png -------------------------------------------------------------------------------- /chapter_1/page_17/exercise_1/stack.svg: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | function parameter 2 15 | 16 | 17 | 18 | function parameter 3 19 | 20 | 21 | ... 
22 | 23 | 24 | 25 | function parameter 1 26 | 27 | 28 | 29 | return address (EIP after CALL) 30 | 31 | ESP 32 | 33 | 34 | 35 | -------------------------------------------------------------------------------- /chapter_1/page_17/exercise_2/version_1.asm: -------------------------------------------------------------------------------- 1 | SECTION .data 2 | SECTION .text 3 | GLOBAL _start 4 | _start: 5 | nop 6 | push 0AABBCCDDh 7 | ret 8 | 9 | -------------------------------------------------------------------------------- /chapter_1/page_17/exercise_2/version_2.asm: -------------------------------------------------------------------------------- 1 | SECTION .data 2 | SECTION .text 3 | GLOBAL _start 4 | _start: 5 | nop 6 | jmp 0AABBCCDDh 7 | -------------------------------------------------------------------------------- /chapter_1/page_17/exercise_2/version_3.asm: -------------------------------------------------------------------------------- 1 | SECTION .data 2 | SECTION .text 3 | GLOBAL _start 4 | _start: 5 | nop 6 | call 0AABBCCDDh 7 | -------------------------------------------------------------------------------- /chapter_1/page_17/exercise_3/addme_with_restore.asm: -------------------------------------------------------------------------------- 1 | SECTION .data 2 | SECTION .text 3 | GLOBAL _start 4 | _start: 5 | nop 6 | mov eax, 7 7 | mov ecx, 5 8 | _before: 9 | push eax 10 | push ecx 11 | call add_me 12 | add esp, 8 13 | _after: 14 | mov ebx,0 15 | mov eax,1 16 | int 080h 17 | 18 | add_me: 19 | push ebp 20 | mov ebp, esp 21 | movsx eax, word [ebp+8] 22 | movsx eax, word [ebp+0Ch] 23 | add eax, ecx 24 | mov esp, ebp 25 | pop ebp 26 | retn 27 | 28 | -------------------------------------------------------------------------------- /chapter_1/page_17/exercise_3/addme_without_restore.asm: -------------------------------------------------------------------------------- 1 | SECTION .data 2 | SECTION .text 3 | GLOBAL _start 4 | _start: 5 | nop 6 | mov eax, 7 7 | mov 
ecx, 5 8 | _before: 9 | push eax 10 | push ecx 11 | call add_me 12 | add esp, 8 13 | _after: 14 | mov ebx,0 15 | mov eax,1 16 | int 080h 17 | 18 | add_me: 19 | push ebp 20 | mov ebp, esp 21 | movsx eax, word [ebp+8] 22 | movsx eax, word [ebp+0Ch] 23 | add eax, ecx 24 | ; mov esp, ebp 25 | pop ebp 26 | retn 27 | 28 | -------------------------------------------------------------------------------- /chapter_1/page_17/exercise_4/code.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | struct data 4 | { 5 | int n1; 6 | int n2; 7 | }; 8 | 9 | struct data test_return(void) { 10 | struct data test_object; 11 | test_object.n1 = 7; 12 | test_object.n2 = 5; 13 | return test_object; 14 | } 15 | 16 | int main (int argc, char *argv[] ) 17 | { 18 | struct data ret; 19 | ret = test_return(); 20 | int res = (ret.n1 + ret.n2); 21 | return res; 22 | } 23 | -------------------------------------------------------------------------------- /chapter_1/page_17/exercise_4/code_clang.asm: -------------------------------------------------------------------------------- 1 | .file "code.c" 2 | .text 3 | .globl test_return 4 | .align 16, 0x90 5 | .type test_return,@function 6 | test_return: # @test_return 7 | # BB#0: 8 | push ebp 9 | mov ebp, esp 10 | sub esp, 8 11 | mov eax, dword ptr [ebp + 8] 12 | mov dword ptr [ebp - 8], 7 13 | mov dword ptr [ebp - 4], 5 14 | movsd xmm0, qword ptr [ebp - 8] 15 | movsd qword ptr [eax], xmm0 16 | add esp, 8 17 | pop ebp 18 | ret 4 19 | .Ltmp0: 20 | .size test_return, .Ltmp0-test_return 21 | 22 | .globl main 23 | .align 16, 0x90 24 | .type main,@function 25 | main: # @main 26 | # BB#0: 27 | push ebp 28 | mov ebp, esp 29 | sub esp, 40 30 | mov eax, dword ptr [ebp + 12] 31 | mov ecx, dword ptr [ebp + 8] 32 | lea edx, dword ptr [ebp - 32] 33 | mov dword ptr [ebp - 4], 0 34 | mov dword ptr [ebp - 8], ecx 35 | mov dword ptr [ebp - 12], eax 36 | mov dword ptr [esp], edx 37 | call test_return 38 | sub esp, 4 39 | 
mov eax, dword ptr [ebp - 32] 40 | mov dword ptr [ebp - 24], eax 41 | mov eax, dword ptr [ebp - 28] 42 | mov dword ptr [ebp - 20], eax 43 | mov eax, dword ptr [ebp - 24] 44 | add eax, dword ptr [ebp - 20] 45 | mov dword ptr [ebp - 36], eax 46 | mov eax, dword ptr [ebp - 36] 47 | add esp, 40 48 | pop ebp 49 | ret 50 | .Ltmp1: 51 | .size main, .Ltmp1-main 52 | 53 | 54 | .ident "Ubuntu clang version 3.5-1ubuntu1 (trunk) (based on LLVM 3.5)" 55 | .section ".note.GNU-stack","",@progbits 56 | -------------------------------------------------------------------------------- /chapter_1/page_17/exercise_4/code_gcc_o0.asm: -------------------------------------------------------------------------------- 1 | .file "code.c" 2 | .intel_syntax noprefix 3 | .text 4 | .globl test_return 5 | .type test_return, @function 6 | test_return: 7 | push ebp 8 | mov ebp, esp 9 | sub esp, 16 10 | mov DWORD PTR [ebp-8], 7 11 | mov DWORD PTR [ebp-4], 5 12 | mov ecx, DWORD PTR [ebp+8] 13 | mov eax, DWORD PTR [ebp-8] 14 | mov edx, DWORD PTR [ebp-4] 15 | mov DWORD PTR [ecx], eax 16 | mov DWORD PTR [ecx+4], edx 17 | mov eax, DWORD PTR [ebp+8] 18 | leave 19 | ret 4 20 | .size test_return, .-test_return 21 | .globl main 22 | .type main, @function 23 | main: 24 | push ebp 25 | mov ebp, esp 26 | sub esp, 20 27 | lea eax, [ebp-8] 28 | mov DWORD PTR [esp], eax 29 | call test_return 30 | sub esp, 4 31 | mov edx, DWORD PTR [ebp-8] 32 | mov eax, DWORD PTR [ebp-4] 33 | add eax, edx 34 | mov DWORD PTR [ebp-12], eax 35 | mov eax, DWORD PTR [ebp-12] 36 | leave 37 | ret 38 | .size main, .-main 39 | .ident "GCC: (Ubuntu 4.8.2-19ubuntu1) 4.8.2" 40 | .section .note.GNU-stack,"",@progbits 41 | -------------------------------------------------------------------------------- /chapter_1/page_17/exercise_4/code_gcc_os.asm: -------------------------------------------------------------------------------- 1 | .file "code.c" 2 | .intel_syntax noprefix 3 | .text 4 | .globl test_return 5 | .type test_return, @function 6 | 
test_return: 7 | push ebp 8 | mov ebp, esp 9 | mov eax, DWORD PTR [ebp+8] 10 | mov DWORD PTR [eax], 7 11 | mov DWORD PTR [eax+4], 5 12 | pop ebp 13 | ret 4 14 | .size test_return, .-test_return 15 | .section .text.startup,"ax",@progbits 16 | .globl main 17 | .type main, @function 18 | main: 19 | push ebp 20 | mov eax, 12 21 | mov ebp, esp 22 | pop ebp 23 | ret 24 | .size main, .-main 25 | .ident "GCC: (Ubuntu 4.8.2-19ubuntu1) 4.8.2" 26 | .section .note.GNU-stack,"",@progbits 27 | -------------------------------------------------------------------------------- /chapter_1/page_17/exercise_4/stack.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_1/page_17/exercise_4/stack.png -------------------------------------------------------------------------------- /chapter_1/page_35/exercise_1/01_initial.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_1/page_35/exercise_1/01_initial.png -------------------------------------------------------------------------------- /chapter_1/page_35/exercise_1/01_initial.svg: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 6 | 7 | 8 | 9 | initial stack 10 | 11 | 12 | lpvReserved 13 | 14 | 15 | 16 | fdwReason 17 | 18 | 19 | 20 | hinstDLL 21 | 22 | 23 | 24 | EIP 25 | 26 | 27 | ESP 28 | 29 | 30 | 31 | 32 | -------------------------------------------------------------------------------- /chapter_1/page_35/exercise_1/02_line03_to_line12.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_1/page_35/exercise_1/02_line03_to_line12.png 
-------------------------------------------------------------------------------- /chapter_1/page_35/exercise_1/03_with_processentry.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_1/page_35/exercise_1/03_with_processentry.png -------------------------------------------------------------------------------- /chapter_1/page_35/exercise_1/04_line19_to_line29.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_1/page_35/exercise_1/04_line19_to_line29.png -------------------------------------------------------------------------------- /chapter_1/page_35/exercise_1/05_line35_to_line51.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_1/page_35/exercise_1/05_line35_to_line51.png -------------------------------------------------------------------------------- /chapter_1/page_35/exercise_1/06_line66_to_line92.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_1/page_35/exercise_1/06_line66_to_line92.png -------------------------------------------------------------------------------- /chapter_1/page_35/exercise_1/07_line93_to_line98.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_1/page_35/exercise_1/07_line93_to_line98.png -------------------------------------------------------------------------------- 
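/chapter_1/page_35/exercise_2/dllmain.cpp:
--------------------------------------------------------------------------------
// C++ reconstruction of the DllMain disassembly from chapter 1, page 35,
// exercise 1. The "line N" comments map statements back to the line numbers
// of the listing in the book. This is pseudo-code for reading, not a
// drop-in build of the sample (see the CreateThread note at the end).
#include <windows.h>    // HMODULE, DWORD, BOOL, CreateThread, ...
#include <tlhelp32.h>   // PROCESSENTRY32, CreateToolhelp32Snapshot, Process32First/Next
#include <intrin.h>     // __sidt

// Memory image written by SIDT in 32-bit mode: a 16-bit limit at offset 0
// followed by the 32-bit linear base at offset 2 (6 bytes, no padding).
// The previous declaration had the fields the other way round
// (DWORD base; SHORT limit;), so idtr.base received the limit plus the low
// half of the base and the range check below compared garbage.
#pragma pack(push, 1)
typedef struct _IDTR {
    WORD  limit;    // offset 0
    DWORD base;     // offset 2
} IDTR, *PIDTR;
#pragma pack(pop)

BOOL APIENTRY DllMain(HMODULE hModule,
                      DWORD ul_reason_for_call,
                      LPVOID lpReserved
                     ) // line 1
{
    // line 2 ---
    // Read the IDT base and refuse to load if it falls in this window;
    // presumably an environment check (see the book's discussion) - the
    // meaning of the two constants is not established by this file.
    IDTR idtr;
    __sidt(&idtr);
    if (idtr.base > 0x8003F400 && idtr.base < 0x80047400) {
        return FALSE;
    }
    // --- line 17
    // line 19 ---
    // Walk the process snapshot looking for explorer.exe.
    PROCESSENTRY32 procentry;
    memset(&procentry, 0, sizeof(PROCESSENTRY32));
    procentry.dwSize = sizeof(procentry); // 0x128 in the listing: that is the
                                          // ANSI PROCESSENTRY32 size. The wcscmp
                                          // on szExeFile below only compiles with
                                          // UNICODE defined (PROCESSENTRY32W,
                                          // dwSize 0x22C) - TODO reconcile with
                                          // the disassembly.
    HANDLE h;
    h = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (h == INVALID_HANDLE_VALUE)
        return FALSE;
    // --- line 34
    // line 36 ---
    int ret = Process32First(h, &procentry);
    while (ret) {
        // line 44 - line 51 AND line 59 - line 65
        if (!wcscmp(procentry.szExeFile, L"explorer.exe")) {
            break;
        }
        ret = Process32Next(h, &procentry);
    }
    // NOTE(review): the snapshot handle h is never closed on any path. Add
    // CloseHandle(h) only if the sample does so; otherwise keeping the leak
    // is the faithful reconstruction.
    // --- line 65
    // line 66 --
    // Braces added: the line annotations (both branches end at line 81) say
    // the "else" belongs to "if (ret)". Without braces C++ binds it to the
    // inner if, which is a different control flow - confirm against the
    // disassembly.
    if (ret) {
        if (procentry.th32ParentProcessID == procentry.th32ProcessID)
            return FALSE;
        // --- line 81
    }
    // line 70 ---
    else {
        if (ul_reason_for_call == DLL_PROCESS_DETACH)
            return FALSE;
        // --- line 81
    }

    // line 82
    // Absolute start address copied from the sample's disassembly; it is only
    // meaningful inside the original DLL at its load address, and the returned
    // thread handle is not closed here (as in the listing).
    if (ul_reason_for_call == DLL_PROCESS_ATTACH)
        CreateThread(0, 0, (LPTHREAD_START_ROUTINE)0x100032D0, 0, 0, 0);
    return TRUE;
}
--------------------------------------------------------------------------------
/chapter_1/page_35/exercise_4/my_memcpy.asm:
--------------------------------------------------------------------------------
global _start
section .data
src_str:
    db 'The pool on the roof must have a leak.', 0
dst_str:
    db 'Second Location.', 0
section .bss
section .text
_start:
    nop                         ; for debugging purposes
    push dword 10               ;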
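; push nr of bytes as third parameter
    push dword dst_str          ; push dst memory as second parameter
    push dword src_str          ; push src memory as first parameter
    call memcpy                 ; call function
    mov eax, 1                  ; exit system call
    int 080h                    ; make system call

; memcpy(src, dst, n): copy n bytes from src to dst, one byte at a time.
; Parameter order is (src, dst, n) as pushed above - NOT the C order
; (dst, src, n). The buffers must not overlap. Clobbers eax, ecx, esi, edi;
; eax is not set to dst as C memcpy would.
memcpy:
    push ebp
    mov ebp, esp
    mov esi, [ebp+8]            ; src location (first parameter)
    mov edi, [ebp+12]           ; dst location (second parameter)
    mov ecx, [ebp+16]           ; number of bytes (third parameter)
    test ecx, ecx               ; n == 0: nothing to copy. Without this check
    jz _done                    ; the dec/jnz loop below would wrap ecx to
                                ; 0FFFFFFFFh and keep writing past both buffers
                                ; until the process faults.
_loop:
    mov al, [esi]               ; copy byte from src ...
    mov [edi], al               ; ... to dst
    inc esi                     ; go to next byte in src ...
    inc edi                     ; ... and dst
    dec ecx                     ; decrement counter
    jnz _loop                   ; loop n-times
_done:
    mov esp, ebp
    pop ebp
    ret
--------------------------------------------------------------------------------
/chapter_1/page_35/exercise_4/my_memset.asm:
--------------------------------------------------------------------------------
global _start
section .data
my_str:
    db 'The pool on the roof must have a leak.', 0
section .bss
section .text
_start:
    nop                         ; for debugging purposes
    push dword 10               ; push nr of bytes as third parameter
    push byte 'x'               ; push character as second parameter
    push dword my_str           ; push string as first parameter
    call memset                 ; call function
    mov eax, 1                  ; exit system call
    int 080h                    ; make system call

; memset(str, ch, n): store byte ch into the first n bytes at str.
; A count of 0 is safe: rep with ecx == 0 executes stosb zero times.
; Clobbers eax, ecx, edi; relies on DF being clear (the ABI guarantees that).
memset:
    push ebp
    mov ebp, esp
    mov edi, [ebp+8]            ; string (first parameter)
    mov al, [ebp+12]            ; character (second parameter)
    mov ecx, [ebp+16]           ; number of bytes (third parameter)
    rep stosb                   ; was "repne stosb": stosb does not set ZF, so
                                ; the repne prefix only acts like rep there;
                                ; use the unconditional form that states the
                                ; intent.
    mov esp, ebp
    pop ebp
    ret
--------------------------------------------------------------------------------
/chapter_1/page_35/exercise_4/my_strchr.asm:
--------------------------------------------------------------------------------
global _start
section .data
my_str:
    db 'The pool on the roof must have a leak.', 0
section .bss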
6 | section .text 7 | _start: 8 | nop ; for debugging purposes 9 | push byte 'X' ; push char as second parameter 10 | push dword my_str ; push string as first 11 | call strchr ; call function 12 | mov ebx, eax ; return value of function 13 | mov eax, 1 ; exit system call 14 | int 080h ; make system call 15 | 16 | strchr: 17 | push ebp 18 | mov ebp, esp 19 | mov edi, [ebp+8] ; get first parameter 20 | mov bl, [ebp+12] ; set bl to second parameter 21 | mov al, 0 ; set al to null byte 22 | _loop: 23 | mov cl, [edi] ; store current character 24 | cmp cl, bl ; check if character is what we search 25 | jz _return ; jump to return if match 26 | scasb ; check if null byte 27 | jnz _loop ; loop if no match 28 | mov edi, 0 ; set edi to zero, so function will return null 29 | _return: 30 | mov eax, edi ; return pointer to first occurence 31 | mov esp, ebp 32 | pop ebp 33 | ret 34 | -------------------------------------------------------------------------------- /chapter_1/page_35/exercise_4/my_strcmp.asm: -------------------------------------------------------------------------------- 1 | global _start 2 | section .data 3 | str_a: 4 | db 'The pool on the roof must have a leak.', 0 5 | str_b: 6 | db 'The pool on the roof must have a leak.', 0 7 | section .bss 8 | section .text 9 | _start: 10 | nop ; for debugging purposes 11 | push dword str_b ; push string b as second parameter 12 | push dword str_a ; push string a as first parameter 13 | call strcmp ; call function 14 | mov ebx, eax ; return value of function 15 | mov eax, 1 ; exit system call 16 | int 080h ; make system call 17 | 18 | strcmp: 19 | push ebp 20 | mov ebp, esp 21 | mov edi, [ebp+12] ; get second string 22 | push edi ; next for lines calc len of string b 23 | call strlen ; ^^ 24 | add esp, 4 ; ^^ 25 | mov ebx, eax ; ^^ 26 | mov esi, [ebp+8] ; get first string 27 | push esi ; next for lines calc len of string a 28 | call strlen ; ^^ 29 | add esp, 4 ; ^^ 30 | _check: 31 | cmp eax, ebx ; compare lengths 32 | ja 
_greater ; string a is longer than string b 33 | jb _less ; string b is longer than string a 34 | jmp _equal_length ; strings have same length 35 | _greater: 36 | mov eax, 1 37 | jmp _return 38 | _less: 39 | mov eax, -1 40 | jmp _return 41 | _equal_length: 42 | mov edi, [ebp+12] ; get second string (restore) 43 | mov esi, [ebp+8] ; get first string (restore) 44 | mov ecx, eax ; length of strings 45 | repe cmpsb ; compare strings 46 | jg _greater ; string a is greater 47 | jl _less ; string b is greater 48 | mov eax, 0 ; strings are equal 49 | jmp _return 50 | _return: 51 | mov esp, ebp 52 | pop ebp 53 | ret 54 | 55 | 56 | 57 | strlen: 58 | push ebp 59 | mov ebp, esp 60 | mov edi, [ebp+8] ; get first parameter 61 | mov edx, edi ; copy address to start of string 62 | xor eax, eax ; set eax to null byte 63 | mov ecx, -1 ; make sure ecx does not become zero 64 | repne scasb ; search null byte 65 | sub edi, edx ; substract start address from end address 66 | dec edi ; decrement difference to compensate for null byte 67 | mov eax, edi ; return strlen result 68 | mov esp, ebp 69 | pop ebp 70 | ret 71 | -------------------------------------------------------------------------------- /chapter_1/page_35/exercise_4/my_strlen.asm: -------------------------------------------------------------------------------- 1 | global _start 2 | section .data 3 | my_str: 4 | db 'The pool on the roof must have a leak.', 0 5 | section .bss 6 | section .text 7 | _start: 8 | nop ; for debugging purposes 9 | push dword my_str ; push string as first an only parameter 10 | call strlen ; call function 11 | mov ebx, eax ; return value of function 12 | mov eax, 1 ; exit system call 13 | int 080h ; make system call 14 | 15 | strlen: 16 | push ebp 17 | mov ebp, esp 18 | mov edi, [ebp+8] ; get first parameter 19 | mov edx, edi ; copy address to start of string 20 | xor eax, eax ; set eax to null byte 21 | mov ecx, -1 ; make sure ecx does not become zero 22 | repne scasb ; search null byte 23 | sub edi, 
edx ; substract start address from end address 24 | dec edi ; decrement difference to compensate for null byte 25 | mov eax, edi ; return strlen result 26 | mov esp, ebp 27 | pop ebp 28 | ret 29 | -------------------------------------------------------------------------------- /chapter_1/page_35/exercise_4/my_strset.asm: -------------------------------------------------------------------------------- 1 | global _start 2 | section .data 3 | my_str: 4 | db 'The pool on the roof must have a leak.', 0 5 | section .bss 6 | section .text 7 | _start: 8 | nop ; for debugging purposes 9 | push byte 'x' ; character to fill as second parameter 10 | push dword my_str ; push string a as first parameter 11 | call strset ; call function 12 | mov ebx, eax ; return value of function 13 | mov eax, 1 ; exit system call 14 | int 080h ; make system call 15 | 16 | strset: 17 | push ebp 18 | mov ebp, esp 19 | mov edi, [ebp+8] ; get first string 20 | mov edx, edi ; make copy of esi 21 | push edi ; next for line put str length in ecx 22 | call strlen ; ^ 23 | add esp, 4 ; ^ 24 | mov ecx, eax ; ^ 25 | mov al, [ebp+12] ; get fill character 26 | mov edi, edx ; restore esi 27 | rep stosb ; fill string 28 | mov eax, edx ; return reference to string 29 | mov esp, ebp 30 | pop ebp 31 | ret 32 | 33 | 34 | strlen: 35 | push ebp 36 | mov ebp, esp 37 | mov edi, [ebp+8] ; get first parameter 38 | mov edx, edi ; copy address to start of string 39 | xor eax, eax ; set eax to null byte 40 | mov ecx, -1 ; make sure ecx does not become zero 41 | repne scasb ; search null byte 42 | sub edi, edx ; substract start address from end address 43 | dec edi ; decrement difference to compensate for null byte 44 | mov eax, edi ; return strlen result 45 | mov esp, ebp 46 | pop ebp 47 | ret 48 | -------------------------------------------------------------------------------- /chapter_1/page_35/exercise_5/KeInitializeApc/KeInitializeApc.asm: 
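--------------------------------------------------------------------------------
1 | 81ab3956 8bff            mov     edi,edi
2 | 81ab3958 55              push    ebp
3 | 81ab3959 8bec            mov     ebp,esp
4 | 81ab395b 8b4508          mov     eax,dword ptr [ebp+8]
5 | 81ab395e 8b5510          mov     edx,dword ptr [ebp+10h]
6 | 81ab3961 83fa02          cmp     edx,2
7 | 81ab3964 8b4d0c          mov     ecx,dword ptr [ebp+0Ch]
8 | 81ab3967 c60012          mov     byte ptr [eax],12h
9 | 81ab396a c6400230        mov     byte ptr [eax+2],30h
10 | 81ab396e 7506            jne     nt!KeInitializeApc+0x20 (81ab3976)
11 | 
12 | nt!KeInitializeApc+0x1a:
13 | 81ab3970 8a9130010000    mov     dl,byte ptr [ecx+130h]
14 | 
15 | nt!KeInitializeApc+0x20:
16 | 81ab3976 894808          mov     dword ptr [eax+8],ecx
17 | 81ab3979 8b4d14          mov     ecx,dword ptr [ebp+14h]
18 | 81ab397c 894814          mov     dword ptr [eax+14h],ecx
19 | 81ab397f 8b4d18          mov     ecx,dword ptr [ebp+18h]
20 | 81ab3982 88502c          mov     byte ptr [eax+2Ch],dl
21 | 81ab3985 894818          mov     dword ptr [eax+18h],ecx
22 | 81ab3988 8b4d1c          mov     ecx,dword ptr [ebp+1Ch]
23 | 81ab398b 33d2            xor     edx,edx
24 | 81ab398d 3bca            cmp     ecx,edx
25 | 81ab398f 89481c          mov     dword ptr [eax+1Ch],ecx
26 | 81ab3992 740e            je      nt!KeInitializeApc+0x4c (81ab39a2)
27 | 
28 | nt!KeInitializeApc+0x3e:
29 | 81ab3994 8a4d20          mov     cl,byte ptr [ebp+20h]
30 | 81ab3997 88482d          mov     byte ptr [eax+2Dh],cl
31 | 81ab399a 8b4d24          mov     ecx,dword ptr [ebp+24h]
32 | 81ab399d 894820          mov     dword ptr [eax+20h],ecx
33 | 81ab39a0 eb06            jmp     nt!KeInitializeApc+0x52 (81ab39a8)
34 | 
35 | nt!KeInitializeApc+0x4c:
36 | 81ab39a2 88502d          mov     byte ptr [eax+2Dh],dl
37 | 81ab39a5 895020          mov     dword ptr [eax+20h],edx
38 | 
39 | nt!KeInitializeApc+0x52:
40 | 81ab39a8 88502e          mov     byte ptr [eax+2Eh],dl
41 | 81ab39ab 5d              pop     ebp
42 | 81ab39ac c22000          ret     20h
43 | 
--------------------------------------------------------------------------------
/chapter_1/page_35/exercise_5/KeInitializeApc/KeInitializeApc.cpp:
--------------------------------------------------------------------------------
1 | /*
2 |  * Reconstructed from nt!KeInitializeApc (81ab3956; 8 stdcall args, ret 20h).
3 |  * Register use in the listing: eax = Apc, ecx = Thread (later reused for the
4 |  * routine pointers), edx = Environment. Field names and offsets follow the
5 |  * _KAPC / _KTHREAD dumps in structures.txt.
6 |  */
7 | NTKERNELAPI VOID KeInitializeApc(
8 |     PKAPC Apc,
9 |     PKTHREAD Thread,
10 |     KAPC_ENVIRONMENT Environment,
11 |     PKKERNEL_ROUTINE KernelRoutine,
12 |     PKRUNDOWN_ROUTINE RundownRoutine,
13 |     PKNORMAL_ROUTINE NormalRoutine,
14 |     KPROCESSOR_MODE ProcessorMode,
15 |     PVOID NormalContext
16 | )
17 | {
18 |     Apc->Type = 0x12;                          /* mov byte ptr [eax],12h   (+0x000 Type) */
19 |     Apc->Size = 0x30;                          /* mov byte ptr [eax+2],30h (+0x002 Size, not Thread) */
20 | 
21 |     /* cmp edx,2 / jne: 2 is CurrentApcEnvironment in KAPC_ENVIRONMENT.
22 |      * If equal, dl is loaded from Thread+130h (= Thread->ApcStateIndex);
23 |      * otherwise dl keeps the low byte of Environment. dl is stored to +0x2C. */
24 |     if (Environment == CurrentApcEnvironment)
25 |         Apc->ApcStateIndex = Thread->ApcStateIndex;   /* '=' -- the '==' here was a no-op compare */
26 |     else
27 |         Apc->ApcStateIndex = (CHAR)Environment;
28 | 
29 |     Apc->Thread = Thread;                      /* mov dword ptr [eax+8],ecx (+0x008 Thread; _KAPC has no Environment member) */
30 |     Apc->KernelRoutine = KernelRoutine;        /* [ebp+14h] -> [eax+14h] */
31 |     Apc->RundownRoutine = RundownRoutine;      /* [ebp+18h] -> [eax+18h] */
32 |     Apc->NormalRoutine = NormalRoutine;        /* [ebp+1Ch] -> [eax+1Ch] */
33 | 
34 |     /* xor edx,edx ; cmp ecx,edx ; je +0x4c */
35 |     if (NormalRoutine == NULL) {
36 |         Apc->ApcMode = 0;                      /* +0x4c: mov byte ptr [eax+2Dh],dl  (dl == 0) */
37 |         Apc->NormalContext = NULL;             /*        mov dword ptr [eax+20h],edx */
38 |     } else {
39 |         Apc->ApcMode = ProcessorMode;          /* +0x3e: [ebp+20h] -> [eax+2Dh] */
40 |         Apc->NormalContext = NormalContext;    /*        [ebp+24h] -> [eax+20h] */
41 |     }
42 | 
43 |     Apc->Inserted = 0;                         /* +0x52: mov byte ptr [eax+2Eh],dl (dl == 0) */
44 | }
45 | 
--------------------------------------------------------------------------------
/chapter_1/page_35/exercise_5/KeInitializeApc/KeInitializeApc.pseudo:
--------------------------------------------------------------------------------
1 | eax = Apc
2 | edx = Environment
3 | ecx = Thread
4 | 
5 | Apc->Type = 12h
6 | Apc->Size = 30h
7 | 
8 | if edx != 2 then
9 |     # jump to +0x20
10 | else
11 |     # continue with +0x1a
12 |     # edx must be 2, so the higher bytes are 0
13 |     edx<7:0> = Thread->ApcStateIndex
14 | endif
15 | 
16 | # line +0x20
17 | Apc->Thread = Thread
18 | ecx = KernelRoutine
19 | Apc->KernelRoutine = ecx
20 | ecx = RundownRoutine
21 | Apc->ApcStateIndex = edx<7:0>
22 | Apc->RundownRoutine = ecx
23 | ecx = NormalRoutine
24 | Apc->NormalRoutine = NormalRoutine
25 | edx = 0
26 | if NormalRoutine == 0 then
27 |     # line 0x4c
28 |     Apc->ApcMode = edx<7:0>        # = 0
29 |     Apc->NormalContext = 0         # = 0
30 | else
31 |     # continue with +0x3e
32 |     ecx<7:0> = ProcessorMode
33 |     Apc->ApcMode = ProcessorMode
34 |     ecx = NormalContext
35 |     Apc->NormalContext = NormalContext
36 |     # jump to +0x52
37 | endif
38 | 
39 | # line +0x52
40 | Apc->Inserted = edx<7:0>           # = 0
41 | return
42 | 
43 | 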
-------------------------------------------------------------------------------- /chapter_1/page_35/exercise_5/KeInitializeApc/structures.txt: -------------------------------------------------------------------------------- 1 | ntdll!_KAPC 2 | +0x000 Type : UChar 3 | +0x001 SpareByte0 : UChar 4 | +0x002 Size : UChar 5 | +0x003 SpareByte1 : UChar 6 | +0x004 SpareLong0 : Uint4B 7 | +0x008 Thread : Ptr32 _KTHREAD 8 | +0x00c ApcListEntry : _LIST_ENTRY 9 | +0x014 KernelRoutine : Ptr32 void 10 | +0x018 RundownRoutine : Ptr32 void 11 | +0x01c NormalRoutine : Ptr32 void 12 | +0x020 NormalContext : Ptr32 Void 13 | +0x024 SystemArgument1 : Ptr32 Void 14 | +0x028 SystemArgument2 : Ptr32 Void 15 | +0x02c ApcStateIndex : Char 16 | +0x02d ApcMode : Char 17 | +0x02e Inserted : UChar 18 | 19 | 20 | typedef struct _KAPC 21 | { 22 | UCHAR Type; 23 | UCHAR SpareByte0; 24 | UCHAR Size; 25 | UCHAR SpareByte1; 26 | DWORD SpareLong0; 27 | KTHREAD* Thread; 28 | LIST_ENTRY ApcListEntry; 29 | PVOID KernelRoutine; 30 | PVOID RundownRoutine; 31 | PVOID NormalRoutine; 32 | PVOID NormalContext; 33 | PVOID SystemArgument1; 34 | PVOID SystemArgument2; 35 | CHAR ApcStateIndex; 36 | CHAR ApcMode; 37 | UCHAR Inserted; 38 | }; 39 | 40 | 41 | kd> dt _KTHREAD 42 | ntdll!_KTHREAD 43 | +0x000 Header : _DISPATCHER_HEADER 44 | +0x010 CycleTime : Uint8B 45 | +0x018 HighCycleTime : Uint4B 46 | +0x020 QuantumTarget : Uint8B 47 | +0x028 InitialStack : Ptr32 Void 48 | +0x02c StackLimit : Ptr32 Void 49 | +0x030 KernelStack : Ptr32 Void 50 | +0x034 ThreadLock : Uint4B 51 | +0x038 ApcState : _KAPC_STATE 52 | +0x038 ApcStateFill : [23] UChar 53 | +0x04f Priority : Char 54 | +0x050 NextProcessor : Uint2B 55 | +0x052 DeferredProcessor : Uint2B 56 | +0x054 ApcQueueLock : Uint4B 57 | +0x058 ContextSwitches : Uint4B 58 | +0x05c State : UChar 59 | +0x05d NpxState : UChar 60 | +0x05e WaitIrql : UChar 61 | +0x05f WaitMode : Char 62 | +0x060 WaitStatus : Int4B 63 | +0x064 WaitBlockList : Ptr32 _KWAIT_BLOCK 64 | +0x064 
GateObject : Ptr32 _KGATE 65 | +0x068 KernelStackResident : Pos 0, 1 Bit 66 | +0x068 ReadyTransition : Pos 1, 1 Bit 67 | +0x068 ProcessReadyQueue : Pos 2, 1 Bit 68 | +0x068 WaitNext : Pos 3, 1 Bit 69 | +0x068 SystemAffinityActive : Pos 4, 1 Bit 70 | +0x068 Alertable : Pos 5, 1 Bit 71 | +0x068 GdiFlushActive : Pos 6, 1 Bit 72 | +0x068 UserStackWalkActive : Pos 7, 1 Bit 73 | +0x068 Reserved : Pos 8, 24 Bits 74 | +0x068 MiscFlags : Int4B 75 | +0x06c WaitReason : UChar 76 | +0x06d SwapBusy : UChar 77 | +0x06e Alerted : [2] UChar 78 | +0x070 WaitListEntry : _LIST_ENTRY 79 | +0x070 SwapListEntry : _SINGLE_LIST_ENTRY 80 | +0x078 Queue : Ptr32 _KQUEUE 81 | +0x07c WaitTime : Uint4B 82 | +0x080 KernelApcDisable : Int2B 83 | +0x082 SpecialApcDisable : Int2B 84 | +0x080 CombinedApcDisable : Uint4B 85 | +0x084 Teb : Ptr32 Void 86 | +0x088 Timer : _KTIMER 87 | +0x088 TimerFill : [40] UChar 88 | +0x0b0 AutoAlignment : Pos 0, 1 Bit 89 | +0x0b0 DisableBoost : Pos 1, 1 Bit 90 | +0x0b0 EtwStackTraceApc1Inserted : Pos 2, 1 Bit 91 | +0x0b0 EtwStackTraceApc2Inserted : Pos 3, 1 Bit 92 | +0x0b0 CycleChargePending : Pos 4, 1 Bit 93 | +0x0b0 CalloutActive : Pos 5, 1 Bit 94 | +0x0b0 ApcQueueable : Pos 6, 1 Bit 95 | +0x0b0 EnableStackSwap : Pos 7, 1 Bit 96 | +0x0b0 GuiThread : Pos 8, 1 Bit 97 | +0x0b0 VdmSafe : Pos 9, 1 Bit 98 | +0x0b0 ReservedFlags : Pos 10, 22 Bits 99 | +0x0b0 ThreadFlags : Int4B 100 | +0x0b8 WaitBlock : [4] _KWAIT_BLOCK 101 | +0x0b8 WaitBlockFill0 : [23] UChar 102 | +0x0cf IdealProcessor : UChar 103 | +0x0b8 WaitBlockFill1 : [47] UChar 104 | +0x0e7 PreviousMode : Char 105 | +0x0b8 WaitBlockFill2 : [71] UChar 106 | +0x0ff ResourceIndex : UChar 107 | +0x0b8 WaitBlockFill3 : [95] UChar 108 | +0x117 LargeStack : UChar 109 | +0x118 QueueListEntry : _LIST_ENTRY 110 | +0x120 TrapFrame : Ptr32 _KTRAP_FRAME 111 | +0x124 FirstArgument : Ptr32 Void 112 | +0x128 CallbackStack : Ptr32 Void 113 | +0x128 CallbackDepth : Uint4B 114 | +0x12c ServiceTable : Ptr32 Void 115 | +0x130 
ApcStateIndex : UChar 116 | +0x131 BasePriority : Char 117 | +0x132 PriorityDecrement : Char 118 | +0x133 Preempted : UChar 119 | +0x134 AdjustReason : UChar 120 | +0x135 AdjustIncrement : Char 121 | +0x136 Spare01 : UChar 122 | +0x137 Saturation : Char 123 | +0x138 SystemCallNumber : Uint4B 124 | +0x13c FreezeCount : Uint4B 125 | +0x140 UserAffinity : Uint4B 126 | +0x144 Process : Ptr32 _KPROCESS 127 | +0x148 Affinity : Uint4B 128 | +0x14c ApcStatePointer : [2] Ptr32 _KAPC_STATE 129 | +0x154 SavedApcState : _KAPC_STATE 130 | +0x154 SavedApcStateFill : [23] UChar 131 | +0x16b Spare02 : UChar 132 | +0x16c SuspendCount : Char 133 | +0x16d UserIdealProcessor : UChar 134 | +0x16e Spare03 : UChar 135 | +0x16f OtherPlatformFill : UChar 136 | +0x170 Win32Thread : Ptr32 Void 137 | +0x174 StackBase : Ptr32 Void 138 | +0x178 SuspendApc : _KAPC 139 | +0x178 SuspendApcFill0 : [1] UChar 140 | +0x179 Spare04 : Char 141 | +0x178 SuspendApcFill1 : [3] UChar 142 | +0x17b QuantumReset : UChar 143 | +0x178 SuspendApcFill2 : [4] UChar 144 | +0x17c KernelTime : Uint4B 145 | +0x178 SuspendApcFill3 : [36] UChar 146 | +0x19c WaitPrcb : Ptr32 _KPRCB 147 | +0x178 SuspendApcFill4 : [40] UChar 148 | +0x1a0 LegoData : Ptr32 Void 149 | +0x178 SuspendApcFill5 : [47] UChar 150 | +0x1a7 PowerState : UChar 151 | +0x1a8 UserTime : Uint4B 152 | +0x1ac SuspendSemaphore : _KSEMAPHORE 153 | +0x1ac SuspendSemaphorefill : [20] UChar 154 | +0x1c0 SListFaultCount : Uint4B 155 | +0x1c4 ThreadListEntry : _LIST_ENTRY 156 | +0x1cc MutantListHead : _LIST_ENTRY 157 | +0x1d4 SListFaultAddress : Ptr32 Void 158 | +0x1d8 MdlForLockedTeb : Ptr32 Void 159 | 160 | (see page 133) 161 | typedef enum _KAPC_ENVIRONMENT { 162 | OriginalApcEnvironment, 163 | AttachedApcEnvironment, 164 | CurrentApcEnvironment, 165 | InsertApcEnvironment 166 | } KAPC_ENVIRONMENT, *PKAPC_ENVIRONMENT; -------------------------------------------------------------------------------- /chapter_1/page_35/exercise_5/KeInitializeApc/syntax.txt: 
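--------------------------------------------------------------------------------
1 | NTKERNELAPI VOID KeInitializeApc(
2 |     PKAPC Apc,
3 |     PKTHREAD Thread,
4 |     KAPC_ENVIRONMENT Environment,
5 |     PKKERNEL_ROUTINE KernelRoutine,
6 |     PKRUNDOWN_ROUTINE RundownRoutine,
7 |     PKNORMAL_ROUTINE NormalRoutine,
8 |     KPROCESSOR_MODE ProcessorMode,
9 |     PVOID NormalContext
10 | );
11 | 
--------------------------------------------------------------------------------
/chapter_1/page_35/exercise_5/KeInitializeDpc/KeInitializeDpc.asm:
--------------------------------------------------------------------------------
1 | 81a41776 8bff            mov     edi,edi
2 | 81a41778 55              push    ebp
3 | 81a41779 8bec            mov     ebp,esp
4 | 81a4177b 8b4508          mov     eax,dword ptr [ebp+8]
5 | 81a4177e 8b4d0c          mov     ecx,dword ptr [ebp+0Ch]
6 | 81a41781 83601c00        and     dword ptr [eax+1Ch],0
7 | 81a41785 89480c          mov     dword ptr [eax+0Ch],ecx
8 | 81a41788 8b4d10          mov     ecx,dword ptr [ebp+10h]
9 | 81a4178b c60013          mov     byte ptr [eax],13h
10 | 81a4178e c6400101        mov     byte ptr [eax+1],1
11 | 81a41792 66c740020000    mov     word ptr [eax+2],0
12 | 81a41798 894810          mov     dword ptr [eax+10h],ecx
13 | 81a4179b 5d              pop     ebp
14 | 81a4179c c20c00          ret     0Ch
15 | 
--------------------------------------------------------------------------------
/chapter_1/page_35/exercise_5/KeInitializeDpc/KeInitializeDpc.cpp:
--------------------------------------------------------------------------------
1 | /*
2 |  * Reconstructed from nt!KeInitializeDpc (81a41776; 3 stdcall args, ret 0Ch).
3 |  * eax = Dpc; ecx first holds DeferredRoutine ([ebp+0Ch]) and is then reloaded
4 |  * with DeferredContext ([ebp+10h]). Offsets follow the _KDPC dump in structures.txt.
5 |  */
6 | VOID KeInitializeDpc(
7 |     _Out_ PRKDPC Dpc,
8 |     _In_ PKDEFERRED_ROUTINE DeferredRoutine,
9 |     _In_opt_ PVOID DeferredContext
10 | )
11 | {
12 |     Dpc->DpcData = 0;                          /* and dword ptr [eax+1Ch],0   (+0x01c DpcData) */
13 |     Dpc->DeferredRoutine = DeferredRoutine;    /* mov dword ptr [eax+0Ch],ecx (+0x00c DeferredRoutine) */
14 |     /* 'mov ecx,dword ptr [ebp+10h]' only reloads ecx with DeferredContext for
15 |      * the store below; it does not assign to DeferredRoutine, so the earlier
16 |      * 'DeferredRoutine = DeferredContext;' line had no counterpart in the listing. */
17 |     Dpc->Type = 0x13;                          /* mov byte ptr [eax],13h      (+0x000 Type) */
18 |     Dpc->Importance = 1;                       /* mov byte ptr [eax+1],1      (+0x001 Importance) */
19 |     Dpc->Number = 0;                           /* mov word ptr [eax+2],0      (+0x002 Number, Uint2B) */
20 |     Dpc->DeferredContext = DeferredContext;    /* mov dword ptr [eax+10h],ecx (+0x010 DeferredContext) */
21 | }
22 | 
--------------------------------------------------------------------------------
/chapter_1/page_35/exercise_5/KeInitializeDpc/structures.txt: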
-------------------------------------------------------------------------------- 1 | ntdll!_KDPC 2 | +0x000 Type : UChar 3 | +0x001 Importance : UChar 4 | +0x002 Number : Uint2B 5 | +0x004 DpcListEntry : _LIST_ENTRY 6 | +0x00c DeferredRoutine : Ptr32 void 7 | +0x010 DeferredContext : Ptr32 Void 8 | +0x014 SystemArgument1 : Ptr32 Void 9 | +0x018 SystemArgument2 : Ptr32 Void 10 | +0x01c DpcData : Ptr32 Void 11 | 12 | 13 | typedef struct _KDPC 14 | { 15 | UCHAR Type; 16 | UCHAR Importance; 17 | WORD Number; 18 | LIST_ENTRY DpcListEntry; 19 | PVOID DeferredRoutine; 20 | PVOID DeferredContext; 21 | PVOID SystemArgument1; 22 | PVOID SystemArgument2; 23 | PVOID DpcData; 24 | } KDPC, *PKDPC; 25 | -------------------------------------------------------------------------------- /chapter_1/page_35/exercise_5/KeInitializeDpc/syntax.txt: -------------------------------------------------------------------------------- 1 | VOID KeInitializeDpc( 2 | _Out_ PRKDPC Dpc, 3 | _In_ PKDEFERRED_ROUTINE DeferredRoutine, 4 | _In_opt_ PVOID DeferredContext 5 | ); 6 | -------------------------------------------------------------------------------- /chapter_1/page_35/exercise_5/KeInitializeQueue/KeInitializeQueue.asm: -------------------------------------------------------------------------------- 1 | nt!KeInitializeQueue: 2 | 81a3c346 8bff mov edi,edi 3 | 81a3c348 55 push ebp 4 | 81a3c349 8bec mov ebp,esp 5 | 81a3c34b 8b4508 mov eax,dword ptr [ebp+8] 6 | 81a3c34e c60004 mov byte ptr [eax],4 7 | 81a3c351 33d2 xor edx,edx 8 | 81a3c353 885001 mov byte ptr [eax+1],dl 9 | 81a3c356 c640020a mov byte ptr [eax+2],0Ah 10 | 81a3c35a 895004 mov dword ptr [eax+4],edx 11 | 81a3c35d 8d4808 lea ecx,[eax+8] 12 | 81a3c360 894904 mov dword ptr [ecx+4],ecx 13 | 81a3c363 8909 mov dword ptr [ecx],ecx 14 | 81a3c365 8d4810 lea ecx,[eax+10h] 15 | 81a3c368 894904 mov dword ptr [ecx+4],ecx 16 | 81a3c36b 8909 mov dword ptr [ecx],ecx 17 | 81a3c36d 8d4820 lea ecx,[eax+20h] 18 | 81a3c370 894904 mov dword ptr [ecx+4],ecx 
19 | 81a3c373 8909 mov dword ptr [ecx],ecx 20 | 81a3c375 8b4d0c mov ecx,dword ptr [ebp+0Ch] 21 | 81a3c378 3bca cmp ecx,edx 22 | 81a3c37a 895018 mov dword ptr [eax+18h],edx 23 | 81a3c37d 7509 jne nt!KeInitializeQueue+0x42 (81a3c388) 24 | 25 | nt!KeInitializeQueue+0x39: 26 | 81a3c37f 8a0dee49b581 mov cl,byte ptr [nt!KeNumberProcessors (81b549ee)] 27 | 81a3c385 0fbec9 movsx ecx,cl 28 | 29 | nt!KeInitializeQueue+0x42: 30 | 81a3c388 89481c mov dword ptr [eax+1Ch],ecx 31 | 81a3c38b 5d pop ebp 32 | 81a3c38c c20800 ret 8 -------------------------------------------------------------------------------- /chapter_1/page_35/exercise_5/KeInitializeQueue/KeInitializeQueue.cpp: -------------------------------------------------------------------------------- 1 | VOID KeInitializeQueue( 2 | _Out_ PRKQUEUE Queue, 3 | _In_ ULONG Count 4 | ) 5 | { 6 | Queue->Header.Type = 4; 7 | Queue->Header.Abandoned = 0; 8 | Queue->Header.Size = 10; 9 | Queue->Header.SignalState = 0; 10 | 11 | 12 | Queue->WaitListHead.Blink = &Queue->WaitListHead; 13 | Queue->WaitListHead.Flink = &Queue->WaitListHead; 14 | 15 | Queue->EntryListHead.Blink = &(Queue->EntryListHead); 16 | Queue->EntryListHead.Flink = &(Queue->EntryListHead); 17 | 18 | Queue->ThreadListHead.Blink = &(Queue->ThreadListHead); 19 | Queue->ThreadListHead.Flink = &(Queue->ThreadListHead); 20 | 21 | Queue->CurrentCount = Count; 22 | if( Count == 0 ) 23 | Queue->MaximumCount = [nt!KeNumberProcessors] 24 | else 25 | Queue->MaximumCount = Count 26 | return 27 | } 28 | -------------------------------------------------------------------------------- /chapter_1/page_35/exercise_5/KeInitializeQueue/KeInitializeQueue.pseudo: -------------------------------------------------------------------------------- 1 | Queue->Header.Type = 4 2 | Queue->Header.Abandoned = 0 3 | Queue->Header-Size = 10 4 | Queue->Header.SignalState = 0 5 | 6 | Queue->WaitListHead.Blink = &Queue->WaitListHead 7 | Queue->WaitListHead.Flink = &Queue->WaitListHead 8 | 9 | 
Queue->EntryListHead.Blink = &(Queue->EntryListHead) 10 | Queue->EntryListHead.Flink = &(Queue->EntryListHead) 11 | 12 | Queue->ThreadListHead.Blink = &(Queue->ThreadListHead) 13 | Queue->ThreadListHead.Flink = &(Queue->ThreadListHead) 14 | 15 | Queue->CurrentCount = 0; 16 | IF Count == 0 THEN 17 | Queue->MaximumCount = [nt!KeNumberProcessors] 18 | ELSE 19 | Queue->MaximumCount = Count 20 | ENDIF 21 | RETURN 22 | -------------------------------------------------------------------------------- /chapter_1/page_35/exercise_5/KeInitializeQueue/structures.txt: -------------------------------------------------------------------------------- 1 | ntdll!_KQUEUE 2 | +0x000 Header : _DISPATCHER_HEADER 3 | +0x010 EntryListHead : _LIST_ENTRY 4 | +0x018 CurrentCount : Uint4B 5 | +0x01c MaximumCount : Uint4B 6 | +0x020 ThreadListHead : _LIST_ENTRY 7 | 8 | 9 | typedef struct _KQUEUE { 10 | DISPATCHER_HEADER Header; 11 | LIST_ENTRY EntryListHead; 12 | ULONG CurrentCount; 13 | ULONG MaximumCount; 14 | LIST_ENTRY ThreadListHead; 15 | } KQUEUE, *PKQUEUE, *RESTRICTED_POINTER PRKQUEUE; 16 | 17 | 18 | ntdll!_DISPATCHER_HEADER 19 | +0x000 Type : UChar 20 | +0x001 Abandoned : UChar 21 | +0x001 Absolute : UChar 22 | +0x001 NpxIrql : UChar 23 | +0x001 Signalling : UChar 24 | +0x002 Size : UChar 25 | +0x002 Hand : UChar 26 | +0x003 Inserted : UChar 27 | +0x003 DebugActive : UChar 28 | +0x003 DpcActive : UChar 29 | +0x000 Lock : Int4B 30 | +0x004 SignalState : Int4B 31 | +0x008 WaitListHead : _LIST_ENTRY 32 | 33 | 34 | typedef struct _DISPATCHER_HEADER { 35 | union { 36 | DWORD Lock; 37 | struct { 38 | UCHAR Type; 39 | union { 40 | UCHAR Abandoned; 41 | UCHAR Absolute; 42 | UCHAR NpxIrql; 43 | UCHAR Signalling; 44 | } 45 | union { 46 | UCHAR Size; 47 | UCHAR Hand; 48 | } 49 | union { 50 | UCHAR Inserted; 51 | UCHAR DebugActive; 52 | UCHAR DpcActive; 53 | } 54 | } 55 | } 56 | DWORD SignalState; 57 | LIST_ENTRY WaitListHead; 58 | } DISPATCHER_HEADER, *PDISPATCHER_HEADER; 59 | 60 | 61 | 
ntdll!_LIST_ENTRY 62 | +0x000 Flink : Ptr32 _LIST_ENTRY 63 | +0x004 Blink : Ptr32 _LIST_ENTRY 64 | 65 | typedef struct _LIST_ENTRY { 66 | struct _LIST_ENTRY *Flink; 67 | struct _LIST_ENTRY *Blink; 68 | } LIST_ENTRY, *PLIST_ENTRY; 69 | -------------------------------------------------------------------------------- /chapter_1/page_35/exercise_5/KeInitializeQueue/syntax.txt: -------------------------------------------------------------------------------- 1 | VOID KeInitializeQueue( 2 | _Out_ PRKQUEUE Queue, 3 | _In_ ULONG Count 4 | ); 5 | -------------------------------------------------------------------------------- /chapter_1/page_35/exercise_5/KeReadyThread/KeReadyThread.asm: -------------------------------------------------------------------------------- 1 | kd> uf KeReadyThread 2 | nt!KeReadyThread: 3 | 81a5bf06 8bff mov edi,edi 4 | 81a5bf08 55 push ebp 5 | 81a5bf09 8bec mov ebp,esp 6 | 81a5bf0b 53 push ebx 7 | 81a5bf0c 33c9 xor ecx,ecx 8 | 81a5bf0e ff1568e0a181 call dword ptr [nt!_imp_KeAcquireQueuedSpinLockRaiseToSynch (81a1e068)] 9 | 81a5bf14 8b4d08 mov ecx,dword ptr [ebp+8] 10 | 81a5bf17 8ad8 mov bl,al 11 | 81a5bf19 e88b860600 call nt!KiReadyThread (81ac45a9) 12 | 81a5bf1e 648b0d20000000 mov ecx,dword ptr fs:[20h] 13 | 81a5bf25 81c118040000 add ecx,418h 14 | 81a5bf2b e88c7b0600 call nt!KeReleaseQueuedSpinLockFromDpcLevel (81ac3ab 15 | c) 16 | 81a5bf30 8acb mov cl,bl 17 | 81a5bf32 e8fd8f0600 call nt!KiExitDispatcher (81ac4f34) 18 | 81a5bf37 5b pop ebx 19 | 81a5bf38 5d pop ebp 20 | 81a5bf39 c20400 ret 4 -------------------------------------------------------------------------------- /chapter_1/page_35/exercise_5/KeReadyThread/KeReadyThread.cpp: -------------------------------------------------------------------------------- 1 | VOID NTAPI KeReadyThread( 2 | IN PKTHREAD Thread 3 | ) 4 | { 5 | KIRQL irql = KeAcquireQueuedSpinLockRaiseToSynch(0); 6 | KiReadyThread(Thread); 7 | KeReleaseQueuedSpinLockFromDpcLevel(fs:[20h] + 0x418h); 8 | KiExitDispatcher(irql); 9 
| } -------------------------------------------------------------------------------- /chapter_1/page_35/exercise_5/KeReadyThread/KeReadyThread.pseudo: -------------------------------------------------------------------------------- 1 | irql = KeAcquireQueuedSpinLockRaiseToSynch(0) 2 | KiReadyThread(Thread) 3 | KeReleaseQueuedSpinLockFromDpcLevel(fs:[20h] + 0x418h) 4 | KiExitDispatcher(irql) -------------------------------------------------------------------------------- /chapter_1/page_35/exercise_5/KeReadyThread/syntax.txt: -------------------------------------------------------------------------------- 1 | VOID NTAPI KeReadyThread ( IN PKTHREAD Thread ) 2 | -------------------------------------------------------------------------------- /chapter_1/page_35/exercise_5/KiInitializeTSS/KiInitializeTSS.asm: -------------------------------------------------------------------------------- 1 | kd> uf KiInitializeTSS 2 | nt!KiInitializeTSS: 3 | 81a16eea 8bff mov edi,edi 4 | 81a16eec 55 push ebp 5 | 81a16eed 8bec mov ebp,esp 6 | 81a16eef 8b4508 mov eax,dword ptr [ebp+8] 7 | 81a16ef2 6683606400 and word ptr [eax+64h],0 8 | 81a16ef7 6683606000 and word ptr [eax+60h],0 9 | 81a16efc 66c74066ac20 mov word ptr [eax+66h],20ACh 10 | 81a16f02 66c740081000 mov word ptr [eax+8],10h 11 | 81a16f08 5d pop ebp 12 | 81a16f09 c20400 ret 4 13 | -------------------------------------------------------------------------------- /chapter_1/page_35/exercise_5/KiInitializeTSS/KiInitializeTSS.cpp: -------------------------------------------------------------------------------- 1 | VOID NTAPI KiInitializeTSS ( 2 | IN PKTSS Tss 3 | ) 4 | { 5 | Tss->Flags = 0; 6 | Tss->LDT = 0; 7 | Tss->IoMapBase = 0x20AC; 8 | Tss->Ss0 = 0x10; 9 | } 10 | -------------------------------------------------------------------------------- /chapter_1/page_35/exercise_5/KiInitializeTSS/KiInitializeTSS.pseudo: -------------------------------------------------------------------------------- 1 | eax = Tss 2 | Tss->Flags = 0 3 | 
Tss->LDT = 0 4 | Tss->IoMapBase = 0x20AC 5 | Tss->Ss0 = 0x10 6 | return 7 | -------------------------------------------------------------------------------- /chapter_1/page_35/exercise_5/KiInitializeTSS/structures.txt: -------------------------------------------------------------------------------- 1 | kd> dt _KTSS 2 | ntdll!_KTSS 3 | +0x000 Backlink : Uint2B 4 | +0x002 Reserved0 : Uint2B 5 | +0x004 Esp0 : Uint4B 6 | +0x008 Ss0 : Uint2B 7 | +0x00a Reserved1 : Uint2B 8 | +0x00c NotUsed1 : [4] Uint4B 9 | +0x01c CR3 : Uint4B 10 | +0x020 Eip : Uint4B 11 | +0x024 EFlags : Uint4B 12 | +0x028 Eax : Uint4B 13 | +0x02c Ecx : Uint4B 14 | +0x030 Edx : Uint4B 15 | +0x034 Ebx : Uint4B 16 | +0x038 Esp : Uint4B 17 | +0x03c Ebp : Uint4B 18 | +0x040 Esi : Uint4B 19 | +0x044 Edi : Uint4B 20 | +0x048 Es : Uint2B 21 | +0x04a Reserved2 : Uint2B 22 | +0x04c Cs : Uint2B 23 | +0x04e Reserved3 : Uint2B 24 | +0x050 Ss : Uint2B 25 | +0x052 Reserved4 : Uint2B 26 | +0x054 Ds : Uint2B 27 | +0x056 Reserved5 : Uint2B 28 | +0x058 Fs : Uint2B 29 | +0x05a Reserved6 : Uint2B 30 | +0x05c Gs : Uint2B 31 | +0x05e Reserved7 : Uint2B 32 | +0x060 LDT : Uint2B 33 | +0x062 Reserved8 : Uint2B 34 | +0x064 Flags : Uint2B 35 | +0x066 IoMapBase : Uint2B 36 | +0x068 IoMaps : [1] _KiIoAccessMap 37 | +0x208c IntDirectionMap : [32] UChar 38 | 39 | typedef struct _KTSS 40 | { 41 | WORD Backlink; 42 | WORD Reserved0; 43 | ULONG Esp0; 44 | WORD Ss0; 45 | WORD Reserved1; 46 | ULONG NotUsed1[4]; 47 | ULONG CR3; 48 | ULONG Eip; 49 | ULONG EFlags; 50 | ULONG Eax; 51 | ULONG Ecx; 52 | ULONG Edx; 53 | ULONG Ebx; 54 | ULONG Esp; 55 | ULONG Ebp; 56 | ULONG Esi; 57 | ULONG Edi; 58 | WORD Es; 59 | WORD Reserved2; 60 | WORD Cs; 61 | WORD Reserved3; 62 | WORD Ss; 63 | WORD Reserved4; 64 | WORD Ds; 65 | WORD Reserved5; 66 | WORD Fs; 67 | WORD Reserved6; 68 | WORD Gs; 69 | WORD Reserved7; 70 | WORD LDT; 71 | WORD Reserved8; 72 | WORD Flags; 73 | WORD IoMapBase; 74 | KiIoAccessMap IoMaps[1]; 75 | UCHAR IntDirectionMap[32]; 76 | } 
KTSS, *PKTSS; 77 | 78 | -------------------------------------------------------------------------------- /chapter_1/page_35/exercise_5/KiInitializeTSS/syntax.txt: -------------------------------------------------------------------------------- 1 | VOID NTAPI KiInitializeTSS ( 2 | IN PKTSS Tss 3 | ); 4 | -------------------------------------------------------------------------------- /chapter_1/page_35/exercise_5/ObFastDereferenceObject/ObFastDereferenceObject.asm: -------------------------------------------------------------------------------- 1 | kd> uf ObFastDereferenceObject 2 | nt!ObFastDereferenceObject: 3 | 81aadb39 8bff mov edi,edi 4 | 81aadb3b 55 push ebp 5 | 81aadb3c 8bec mov ebp,esp 6 | 81aadb3e 8b0a mov ecx,dword ptr [edx] 7 | 81aadb40 56 push esi 8 | 81aadb41 57 push edi 9 | 81aadb42 8bc1 mov eax,ecx 10 | 81aadb44 eb13 jmp nt!ObFastDereferenceObject+0x20 (81aadb59) 11 | 12 | nt!ObFastDereferenceObject+0xd: 13 | 81aadb46 8d4101 lea eax,[ecx+1] 14 | 81aadb49 8bf0 mov esi,eax 15 | 81aadb4b 8bfa mov edi,edx 16 | 81aadb4d 8bc1 mov eax,ecx 17 | 81aadb4f f00fb137 lock cmpxchg dword ptr [edi],esi 18 | 81aadb53 3bc1 cmp eax,ecx 19 | 81aadb55 7412 je nt!ObFastDereferenceObject+0x30 (81aadb69) 20 | 21 | nt!ObFastDereferenceObject+0x1e: 22 | 81aadb57 8bc8 mov ecx,eax 23 | 24 | nt!ObFastDereferenceObject+0x20: 25 | 81aadb59 334508 xor eax,dword ptr [ebp+8] 26 | 81aadb5c 83f807 cmp eax,7 27 | 81aadb5f 72e5 jb nt!ObFastDereferenceObject+0xd (81aadb46) 28 | 29 | nt!ObFastDereferenceObject+0x28: 30 | 81aadb61 8b4d08 mov ecx,dword ptr [ebp+8] 31 | 81aadb64 e8c671f9ff call nt!ObfDereferenceObject (81a44d2f) 32 | 33 | nt!ObFastDereferenceObject+0x30: 34 | 81aadb69 5f pop edi 35 | 81aadb6a 5e pop esi 36 | 81aadb6b 5d pop ebp 37 | 81aadb6c c20400 ret 4 38 | -------------------------------------------------------------------------------- /chapter_1/page_35/exercise_5/ObFastDereferenceObject/ObFastDereferenceObject.cpp: 
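--------------------------------------------------------------------------------
1 | /*
2 |  * Reconstructed from nt!ObFastDereferenceObject (81aadb39).
3 |  * Listing register use: the EX_FAST_REF pointer arrives in edx (mov ecx,[edx])
4 |  * and Object on the stack ([ebp+8], ret 4).
5 |  * NOTE(review): that does not match a plain two-argument FASTCALL (ecx, edx)
6 |  * for (FastRef, Object) as declared in syntax.txt -- confirm the real prototype.
7 |  * Layout follows the _EX_FAST_REF dump in structures.txt: the object pointer
8 |  * and the 3-bit RefCnt share one ULONG (Value), RefCnt in bits 0..2.
9 |  */
10 | VOID FASTCALL ObFastDereferenceObject (
11 |     IN PEX_FAST_REF FastRef,
12 |     IN PVOID Object
13 | )
14 | {
15 |     ULONG oldValue = FastRef->Value;           /* mov ecx,[edx] ; mov eax,ecx */
16 |     ULONG observed;
17 | 
18 |     /* +0x20: xor eax,[ebp+8] ; cmp eax,7 ; jb +0xd
19 |      * Value ^ Object leaves only the RefCnt bits when the cached pointer is
20 |      * Object, so "< 7" means: same object AND RefCnt not saturated (!= 7). */
21 |     while ((oldValue ^ (ULONG)(ULONG_PTR)Object) < 7) {
22 |         /* +0xd: lea eax,[ecx+1] bumps RefCnt; lock cmpxchg [edi],esi publishes
23 |          * it only if Value is still what we read, and eax receives the value
24 |          * actually present. (The original shadowed FastRef, used an undefined
25 |          * 'old' and passed '*oldVal' where a pointer to the expected value is due.) */
26 |         observed = (ULONG)InterlockedCompareExchange((volatile LONG *)&FastRef->Value,
27 |                                                       (LONG)(oldValue + 1),
28 |                                                       (LONG)oldValue);
29 |         if (observed == oldValue)
30 |             return;                                /* cmp eax,ecx ; je +0x30 : fast path done */
31 |         oldValue = observed;                       /* +0x1e: mov ecx,eax ; re-check at +0x20 */
32 |     }
33 | 
34 |     /* +0x28: the fast-reference slot does not hold Object, or its RefCnt is
35 |      * full -- fall back to the regular dereference routine. */
36 |     ObfDereferenceObject(Object);
37 | }
38 | 
--------------------------------------------------------------------------------
/chapter_1/page_35/exercise_5/ObFastDereferenceObject/ObFastDereferenceObject.pseudo:
--------------------------------------------------------------------------------
1 | efr_1 = FastRef->Value
2 | efr_2 = FastRef->Value
3 | 
4 | nt!ObFastDereferenceObject+0x20
5 | IF FastRef->Object == Object AND FastRef->RefCnt != 7 THEN
6 |     _Atomic(EX_FAST_REF) *FastRef;
7 |     old = *atomic_load(FastRef);
8 |     new = old;
9 |     new.RefCnt += 1;
10 |     # lock cmpxchg succeeded (cmp eax,ecx ; je +0x30) -> return; otherwise retry
11 |     IF atomic_compare_exchange_strong(FastRef, &old, new) THEN
12 |         return
13 |     ELSE
14 |         efr_1 = FastRef->Value
15 |         goto nt!ObFastDereferenceObject+0x20
16 |     ENDIF
17 | ELSE
18 |     return ObfDereferenceObject(Object)
19 | ENDIF
20 | 
--------------------------------------------------------------------------------
/chapter_1/page_35/exercise_5/ObFastDereferenceObject/structures.txt:
--------------------------------------------------------------------------------
1 | kd> dt _EX_FAST_REF
2 | ntdll!_EX_FAST_REF
3 |    +0x000 Object           : Ptr32 Void
4 |    +0x000 RefCnt           : Pos 0, 3 Bits
5 |    +0x000 Value            : Uint4B
6 | 
7 | 
8 | typedef struct _EX_FAST_REF
9 | {
10 |     union
11 |     {
12 |         PVOID Object;
13 |         ULONG RefCnt: 3;
14 |         ULONG Value;
15 |     };
16 | } EX_FAST_REF, *PEX_FAST_REF;
17 | 
--------------------------------------------------------------------------------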
/chapter_1/page_35/exercise_5/ObFastDereferenceObject/syntax.txt: -------------------------------------------------------------------------------- 1 | VOID FASTCALL ObFastDereferenceObject ( 2 | IN PEX_FAST_REF FastRef, 3 | IN PVOID Object 4 | ) 5 | -------------------------------------------------------------------------------- /chapter_1/page_35/exercise_5/RtlValidateUnicodeString/RtlValidateUnicodeString.asm: -------------------------------------------------------------------------------- 1 | kd> uf RtlValidateUnicodeString 2 | Flow analysis was incomplete, some code may be missing 3 | ntdll!RtlValidateUnicodeString: 4 | 77bd489f 8bff mov edi,edi 5 | 77bd48a1 55 push ebp 6 | 77bd48a2 8bec mov ebp,esp 7 | 77bd48a4 837d0800 cmp dword ptr [ebp+8],0 8 | 77bd48a8 0f85047b0300 jne ntdll!RtlValidateUnicodeString+0xb (77c0c3b2) 9 | 10 | ntdll!RtlValidateUnicodeString+0x12: 11 | 77bd48ae 6800010000 push 100h 12 | 77bd48b3 ff750c push dword ptr [ebp+0Ch] 13 | 77bd48b6 e809000000 call ntdll!RtlUnicodeStringValidateEx (77bd48c4) 14 | 77bd48bb 5d pop ebp 15 | 77bd48bc c20800 ret 8 16 | 17 | 18 | kd> u ntdll!RtlValidateUnicodeString+0xb 19 | ntdll!RtlValidateUnicodeString+0xb: 20 | 77bd48aa 047b add al,7Bh 21 | 77bd48ac 0300 add eax,dword ptr [eax] 22 | 77bd48ae 6800010000 push 100h 23 | 77bd48b3 ff750c push dword ptr [ebp+0Ch] 24 | 77bd48b6 e809000000 call ntdll!RtlUnicodeStringValidateEx (77bd48c4) 25 | 77bd48bb 5d pop ebp 26 | 77bd48bc c20800 ret 8 27 | -------------------------------------------------------------------------------- /chapter_1/page_35/exercise_5/RtlValidateUnicodeString/RtlValidateUnicodeString.cpp: -------------------------------------------------------------------------------- 1 | NTSTATUS NTAPI RtlValidateUnicodeString ( 2 | IN ULONG Flags, 3 | IN PCUNICODE_STRING UnicodeString 4 | ) 5 | { 6 | if( Flags == 0 ) 7 | return RtlUnicodeStringValidateEx(UnicodeString, 0x100); 8 | else 9 | // GOTO ntdll!RtlValidateUnicodeString+0xb 10 | } 11 | 12 | 
-------------------------------------------------------------------------------- /chapter_1/page_35/exercise_5/RtlValidateUnicodeString/RtlValidateUnicodeString.pseudo: -------------------------------------------------------------------------------- 1 | IF Flags != 0 THEN 2 | GOTO ntdll!RtlValidateUnicodeString+0xb 3 | ELSE 4 | RETURN RtlUnicodeStringValidateEx(UnicodeString, 0x100) 5 | 6 | ntdll!RtlValidateUnicodeString+0x12: 7 | 8 | -------------------------------------------------------------------------------- /chapter_1/page_35/exercise_5/RtlValidateUnicodeString/RtlValidateUnicodeStringEx.asm: -------------------------------------------------------------------------------- 1 | kd> uf 77bd48c4 2 | Flow analysis was incomplete, some code may be missing 3 | ntdll!RtlUnicodeStringValidateEx: 4 | 77bd48c4 8bff mov edi,edi 5 | 77bd48c6 55 push ebp 6 | 77bd48c7 8bec mov ebp,esp 7 | 77bd48c9 f7450c00e0ffff test dword ptr [ebp+0Ch],0FFFFE000h 8 | 77bd48d0 0f857d7a0300 jne ntdll!RtlUnicodeStringValidateEx+0xe (77c0c353) 9 | 10 | 11 | ntdll!RtlUnicodeStringValidateEx+0x15: 12 | 77bd48d6 ff750c push dword ptr [ebp+0Ch] 13 | 77bd48d9 8b4d08 mov ecx,dword ptr [ebp+8] 14 | 77bd48dc 68ff7f0000 push 7FFFh 15 | 77bd48e1 e809000000 call ntdll!RtlUnlockMemoryZone+0x6a (77bd48ef) 16 | 77bd48e6 5d pop ebp 17 | 77bd48e7 c20800 ret 8 -------------------------------------------------------------------------------- /chapter_1/page_35/exercise_5/RtlValidateUnicodeString/syntax.txt: -------------------------------------------------------------------------------- 1 | NTSTATUS NTAPI RtlValidateUnicodeString ( 2 | IN ULONG Flags, 3 | IN PCUNICODE_STRING UnicodeString 4 | ); 5 | -------------------------------------------------------------------------------- /chapter_1/page_35/exercise_6/pseudo_code.cpp: -------------------------------------------------------------------------------- 1 | /* sizeof(s1) = 36 */ 2 | struct _s1 { 3 | char off_0h; 4 | /* (13h bytes of other members) */ 5 | 
struct _arg_2 *off_14h; 6 | /* other members */ 7 | } 8 | 9 | struct _arg_1 { 10 | /* (23h bytes of other members) */ 11 | char off_23h; 12 | /* (36h bytes of other members) */ 13 | struct _s1 off_60h[??]; 14 | } 15 | 16 | struct _s2 { 17 | /* (38h bytes of other members) */ 18 | int* off_38[...]; 19 | } 20 | 21 | struct _arg_2 { 22 | /* (8 bytes of other members) */ 23 | struct _s2 off_8h; 24 | } 25 | 26 | unknown_type __fastcall sub_13842(struct _arg_1 *arg_1, struct* _arg_2 arg_2) { 27 | struct _v1 *v1 = arg_1->off_60h; 28 | struct _v2 *v2 = arg_2->off_8h; 29 | arg_1->off_23h--; 30 | v1 -= 36; 31 | arg_1->off_60h = v1; 32 | v1->off_14h = arg_2; 33 | char index = v1->off_0h; 34 | int *func = v2->off_38h[index]; 35 | unknown_type return_value = (*func)(arg_2, arg_1); 36 | return return_value; 37 | } 38 | -------------------------------------------------------------------------------- /chapter_1/page_35/exercise_6/sub_13842.asm: -------------------------------------------------------------------------------- 1 | .text:00013842 ; =============== S U B R O U T I N E ======================================= 2 | .text:00013842 3 | .text:00013842 4 | .text:00013842 sub_13842 proc near ; CODE XREF: sub_1386E+2E8p 5 | .text:00013842 ; sub_13BE2+84p ... 
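6 | .text:00013842 mov eax, [ecx+60h]
7 | .text:00013845 push esi
8 | .text:00013846 mov esi, [edx+8]
9 | .text:00013849 dec byte ptr [ecx+23h]
10 | .text:0001384C sub eax, 24h
11 | .text:0001384F mov [ecx+60h], eax
12 | .text:00013852 mov [eax+14h], edx
13 | .text:00013855 movzx eax, byte ptr [eax]
14 | .text:00013858 push ecx
15 | .text:00013859 push edx
16 | .text:0001385A call dword ptr [esi+eax*4+38h]
17 | .text:0001385E pop esi
18 | .text:0001385F retn
19 | .text:0001385F sub_13842 endp
20 |
--------------------------------------------------------------------------------
/chapter_1/page_35/exercise_7/code.asm:
--------------------------------------------------------------------------------
1 | mov eax, [esp+4]
2 | push ebx
3 | push esi
4 | mov esi, [eax+3Ch]
5 | add esi, eax
6 | movzx eax, word ptr [esi+14h]
7 | xor ebx, ebx
8 | cmp [esi+6], bx
9 | push edi
10 | lea edi, [eax+esi+18h]
11 | jbe short loc_0_10BEB
12 |
13 | loc_0_10BCE:
14 | push [esp+0Ch+8]
15 | push edi
16 | call ds:dword_0_169A4
17 | test eax, eax
18 | pop ecx
19 | pop ecx
20 | jz short loc_0_10BF3
21 | movzx eax, word ptr [esi+6]
22 | add edi, 28h
23 | inc ebx
24 | cmp ebx, eax
25 | jb short loc_0_10BCE
26 |
27 | loc_0_10BEB:
28 | xor eax, eax
29 |
30 | loc_0_10BED:
31 | pop edi
32 | pop esi
33 | pop ebx
34 | retn 8
35 |
36 | loc_0_10BF3:
37 | mov eax, edi
38 | jmp short loc_0_10BED
39 |
--------------------------------------------------------------------------------
/chapter_1/page_35/exercise_7/code.cpp:
--------------------------------------------------------------------------------
#include <windows.h>


// Reconstruction of the listing above: walk the section table of the PE image
// at pe_file and return the first section for which check_section() yields 0,
// or NULL when no section matches (or the image has no sections).
IMAGE_SECTION_HEADER* get_section(char* pe_file, char* criterion)
{
    // line 1: mov eax, [esp+4]
    IMAGE_DOS_HEADER* dos_header = (IMAGE_DOS_HEADER*)pe_file;

    // lines 2-4: mov esi, [eax+3Ch]
    unsigned int pe_header_offset = dos_header->e_lfanew;

    // line 5: add esi, eax
    // NOTE(review): like the listing, this trusts e_lfanew, SizeOfOptionalHeader
    // and NumberOfSections; nothing here compares them against the size of the
    // buffer, so a caller that parses untrusted files must validate them first.
    IMAGE_NT_HEADERS* nt_header = (IMAGE_NT_HEADERS*)(pe_file + pe_header_offset);

    // line 6: movzx eax, word ptr [esi+14h]
    unsigned short size_of_optional_header = nt_header->FileHeader.SizeOfOptionalHeader;

    // line 10: lea edi, [eax+esi+18h]
    // esi+18h is the optional header; the section table starts
    // SizeOfOptionalHeader *bytes* after it. The offset is added to a char*
    // because adding it to an IMAGE_OPTIONAL_HEADER* would scale it by sizeof.
    char* optional_header = (char*)&nt_header->OptionalHeader; // esi + 18h
    IMAGE_SECTION_HEADER* img_section_header = (IMAGE_SECTION_HEADER*)(optional_header + size_of_optional_header);

    // for loop in lines 7, 8, 11 and 21, 23, 24, 25
    // (ebx counts up against NumberOfSections; the jbe on line 11 returns NULL
    // straight away when there are no sections)
    for (int i = 0; i < nt_header->FileHeader.NumberOfSections; i++)
    {
        // lines 14-16: call ds:dword_0_169A4
        int ret = check_section(img_section_header, criterion);

        // lines 17-20: a zero result selects this section
        if (!ret)
        {
            // lines 36-38, 30-34: mov eax, edi
            return img_section_header;
        }

        // line 22: add edi, 28h (28h = sizeof(IMAGE_SECTION_HEADER)). That is
        // one element, so the typed pointer moves by one; "+= sizeof(...)" on an
        // IMAGE_SECTION_HEADER* would skip 28h entries per iteration.
        img_section_header++;
    }
    // lines 27-34: xor eax, eax
    return NULL;
}
--------------------------------------------------------------------------------
/chapter_1/page_35/exercise_8/pseudocode_raw.cpp:
--------------------------------------------------------------------------------
1 | int __userpurge sub_1172E(struct _arg_1 *arg_1, struct _arg_1 **arg_2,
2 | int *arg_3, int arg_4)
3 | {
4 | int tmp;
5 |
6 | switch ( arg_4 )
7 | {
8 | case 1:
9 | tmp = (arg_1->off_3Ch) / 2;
10 | arg_1 += 64;
11 | break;
12 | case 2:
13 | tmp = (arg_1->off_3Ch) / 2;
14 | arg_1 += 68;
15 | break;
16 | case 3:
17 | tmp = (arg_1->off_3Ch) / 2;
18 | arg_1 += 94;
19 | break;
20 | default:
21 | if ( arg_4 != 12 )
22 | return arg_1;
23 | tmp = (arg_1->off_8h)/2;
24 | arg_1 += 12;
25 | break;
26 | }
27 | *arg_3 = tmp;
28 | *arg_2 = arg_1;
29 | return arg_1;
30 | }
31 |
--------------------------------------------------------------------------------
/chapter_1/page_35/exercise_8/pseudocode_simplified.cpp:
--------------------------------------------------------------------------------
1 | struct _arg_1 {
2 | /* 8 bytes of other members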
*/ 3 | int off_8h; 4 | /* 58 bytes of other members */ 5 | int off_3Ch; 6 | } arg_1; 7 | 8 | 9 | int __userpurge sub_1172E(struct _arg_1 *arg_1, struct _arg_1 **arg_2, 10 | int *arg_3, int arg_4) 11 | { 12 | switch ( arg_4 ) 13 | { 14 | case 1: 15 | arg_1 += 64; 16 | break; 17 | case 2: 18 | arg_1 += 68; 19 | break; 20 | case 3: 21 | arg_1 += 94; 22 | break; 23 | case 12: 24 | arg_1 += 12; 25 | break; 26 | default: 27 | return arg_1; 28 | } 29 | 30 | if( arg_1 == 12 ) 31 | *arg_3 = (arg_1->off_8h) / 2; 32 | else 33 | *arg_3 = (arg_1->off_3Ch) / 2; 34 | 35 | *arg_2 = arg_1; 36 | return arg_1; 37 | } 38 | -------------------------------------------------------------------------------- /chapter_1/page_35/exercise_8/sub_1172E.asm: -------------------------------------------------------------------------------- 1 | ; =============== S U B R O U T I N E ======================================= 2 | .text:0001172E 3 | .text:0001172E 4 | .text:0001172E sub_1172E proc near ; CODE XREF: sub_11798+115p 5 | .text:0001172E ; sub_11798+157p 6 | .text:0001172E 7 | .text:0001172E arg_0 = dword ptr 4 8 | .text:0001172E 9 | .text:0001172E push esi 10 | .text:0001172F mov esi, [esp+4+arg_0] 11 | .text:00011733 dec esi 12 | .text:00011734 jz short loc_1175F 13 | .text:00011736 dec esi 14 | .text:00011737 jz short loc_11755 15 | .text:00011739 dec esi 16 | .text:0001173A jz short loc_1174B 17 | .text:0001173C sub esi, 9 18 | .text:0001173F jnz short loc_1176B 19 | .text:00011741 mov esi, [eax+8] 20 | .text:00011744 shr esi, 1 21 | .text:00011746 add eax, 0Ch 22 | .text:00011749 jmp short loc_11767 23 | .text:0001174B ; --------------------------------------------------------------------------- 24 | .text:0001174B 25 | .text:0001174B loc_1174B: ; CODE XREF: sub_1172E+Cj 26 | .text:0001174B mov esi, [eax+3Ch] 27 | .text:0001174E shr esi, 1 28 | .text:00011750 add eax, 5Eh 29 | .text:00011753 jmp short loc_11767 30 | .text:00011755 ; 
--------------------------------------------------------------------------- 31 | .text:00011755 32 | .text:00011755 loc_11755: ; CODE XREF: sub_1172E+9j 33 | .text:00011755 mov esi, [eax+3Ch] 34 | .text:00011758 shr esi, 1 35 | .text:0001175A add eax, 44h 36 | .text:0001175D jmp short loc_11767 37 | .text:0001175F ; --------------------------------------------------------------------------- 38 | .text:0001175F 39 | .text:0001175F loc_1175F: ; CODE XREF: sub_1172E+6j 40 | .text:0001175F mov esi, [eax+3Ch] 41 | .text:00011762 shr esi, 1 42 | .text:00011764 add eax, 40h 43 | .text:00011767 44 | .text:00011767 loc_11767: ; CODE XREF: sub_1172E+1Bj 45 | .text:00011767 ; sub_1172E+25j ... 46 | .text:00011767 mov [ecx], esi 47 | .text:00011769 mov [edx], eax 48 | .text:0001176B 49 | .text:0001176B loc_1176B: ; CODE XREF: sub_1172E+11j 50 | .text:0001176B pop esi 51 | .text:0001176C retn 4 52 | .text:0001176C sub_1172E endp 53 | -------------------------------------------------------------------------------- /chapter_1/page_35/exercise_9/apples_strrchr.c: -------------------------------------------------------------------------------- 1 | char * strrchr(const char *cp, int ch) 2 | { 3 | char *save; 4 | char c; 5 | 6 | for (save = (char *) 0; (c = *cp); cp++) { 7 | if (c == ch) 8 | save = (char *) cp; 9 | } 10 | 11 | return save; 12 | } -------------------------------------------------------------------------------- /chapter_1/page_35/exercise_9/fully_working_code.asm: -------------------------------------------------------------------------------- 1 | SECTION .data 2 | my_str: 3 | db 'The pool on the roof must have a leak.', 0 4 | SECTION .text 5 | GLOBAL _start 6 | _start: 7 | nop 8 | push byte 'h' 9 | push dword my_str 10 | call do 11 | add esp, 8 12 | mov ebx,0 13 | mov eax,1 14 | int 080h 15 | 16 | do: 17 | push ebp 18 | mov ebp, esp 19 | push edi 20 | mov edi, [ebp+8] 21 | xor eax, eax 22 | or ecx, 0FFFFFFFFh 23 | repne scasb 24 | add ecx, 1 25 | neg ecx 26 | sub edi, 
1 27 | mov al, [ebp+0Ch] 28 | std 29 | repne scasb 30 | add edi, 1 31 | cmp [edi], al 32 | jz short _loc1 33 | xor eax, eax 34 | jmp short _loc2 35 | _loc1: 36 | mov eax, edi 37 | _loc2: 38 | cld 39 | pop edi 40 | leave 41 | retn 42 | 43 | -------------------------------------------------------------------------------- /chapter_1/page_35/exercise_9/onetoone_strrchr.c: -------------------------------------------------------------------------------- 1 | char* strrchr(const char *cp, char ch) { 2 | int len = 0; 3 | do 4 | { 5 | len++; 6 | } while ( *(char *)cp++ ); 7 | while( len >= 0 ) 8 | { 9 | if( *(char *)cp == ch) 10 | return cp; 11 | len--; 12 | cp--; 13 | } 14 | return 0; 15 | } -------------------------------------------------------------------------------- /chapter_1/page_35/exercise_9/snippet.asm: -------------------------------------------------------------------------------- 1 | ; --------------------------------------------------------------------------- 2 | .text:1000CE9A align 10h 3 | .text:1000CEA0 4 | .text:1000CEA0 ; =============== S U B R O U T I N E ======================================= 5 | .text:1000CEA0 6 | .text:1000CEA0 ; Attributes: bp-based frame 7 | .text:1000CEA0 8 | .text:1000CEA0 sub_1000CEA0 proc near ; CODE XREF: sub_10007A4B+1D7p 9 | .text:1000CEA0 ; sub_1000AD4D+3Ap ... 
10 | .text:1000CEA0 11 | .text:1000CEA0 arg_0 = dword ptr 8 12 | .text:1000CEA0 arg_4 = byte ptr 0Ch 13 | .text:1000CEA0 14 | .text:1000CEA0 push ebp 15 | .text:1000CEA1 mov ebp, esp 16 | .text:1000CEA3 push edi 17 | .text:1000CEA4 mov edi, [ebp+arg_0] 18 | .text:1000CEA7 xor eax, eax 19 | .text:1000CEA9 or ecx, 0FFFFFFFFh 20 | .text:1000CEAC repne scasb 21 | .text:1000CEAE add ecx, 1 22 | .text:1000CEB1 neg ecx 23 | .text:1000CEB3 sub edi, 1 24 | .text:1000CEB6 mov al, [ebp+arg_4] 25 | .text:1000CEB9 std 26 | .text:1000CEBA repne scasb 27 | .text:1000CEBC add edi, 1 28 | .text:1000CEBF cmp [edi], al 29 | .text:1000CEC1 jz short loc_1000CEC7 30 | .text:1000CEC3 xor eax, eax 31 | .text:1000CEC5 jmp short loc_1000CEC9 32 | .text:1000CEC7 ; --------------------------------------------------------------------------- 33 | .text:1000CEC7 34 | .text:1000CEC7 loc_1000CEC7: ; CODE XREF: sub_1000CEA0+21j 35 | .text:1000CEC7 mov eax, edi 36 | .text:1000CEC9 37 | .text:1000CEC9 loc_1000CEC9: ; CODE XREF: sub_1000CEA0+25j 38 | .text:1000CEC9 cld 39 | .text:1000CECA pop edi 40 | .text:1000CECB leave 41 | .text:1000CECC retn 42 | .text:1000CECC sub_1000CEA0 endp 43 | .text:1000CECC 44 | -------------------------------------------------------------------------------- /chapter_2/page_78/mystery1/ascii_art_1.txt: -------------------------------------------------------------------------------- 1 | SP -> ▭ ▭ 2 | R8 3 | R7 4 | R6 5 | R5 6 | SP -> R4 7 | -------------------------------------------------------------------------------- /chapter_2/page_78/mystery1/code.asm: -------------------------------------------------------------------------------- 1 | 01: mystery1 2 | 02: F0 01 2D E9 STMFD SP!, {R4-R8} 3 | 03: 00 30 D0 E5 LDRB R3, [R0] 4 | 04: 2D 00 53 E3 CMP R3, #0x2D 5 | 05: 29 00 00 0A BEQ loc_B34806 6 | 06: 2B 00 53 E3 CMP R3, #0x2B 7 | 07: 00 60 A0 E3 MOV R6, #0 8 | 08: 01 30 F0 05 LDREQB R3, [R0,#1]! 
9 | 09: loc_B2AC 10 | 10: 30 00 53 E3 CMP R3, #0x30 11 | 11: 04 00 00 1A BNE loc B2C8 12 | 12: 01 30 80 E2 ADD R3, R0, #1 13 | 13: loc_B2B8 14 | 14: 03 00 A0 E1 MOV R0, R3 15 | 15: 01 20 D3 E4 LDRB R2, [R3],#1 16 | 16: 30 00 52 E3 CMP R2, #0x30 17 | 17: FB FF FF 0A BEQ loc_B2B8 18 | 18: loc_B2C8 19 | 19: 00 C0 A0 E3 MOV R12, #0 20 | 20: 00 40 A0 E3 MOV R4, #0 21 | 21: 00 50 A0 E3 MOV R5, #0 22 | 22: 0A 80 A0 E3 MOV R8, #0xA 23 | 23: 01 00 00 EA B loc_B2E4 24 | 24: loc_B2DC 25 | 25: 07 40 92 E0 ADDS R4, R2, R7 26 | 26: C7 5F A3 E0 ADC R5, R3, R7,ASR#31 27 | 27: loc_B2E4 28 | 28: 0C 70 D0 E7 LDRB R7, [R0,R12] 29 | 29: 01 c0 8C E2 ADD R12, R12, #1 30 | 30: 94 28 83 E0 UMULL R2, R3, R4, R8 31 | 31: 30 70 57 E2 SUBS R7, R7, #0x30 32 | 32: 07 00 00 4A BMI loc_B318 33 | 33: 09 00 57 E3 CMP R7, #9 34 | 34: 98 35 23 E0 MLA R3, R8, R5, R3 35 | 35: 04 00 00 CA BGT loc_B318 36 | 36: 0B 00 5C E3 CMP R12, #0xB 37 | 37: F3 FF FF 1A BNE loc_B2DC 38 | 38: loc_B30C 39 | 39: 00 00 A0 E3 MOV R0, #0 40 | 40: loc_B310 41 | 41: F0 01 BD E8 LDMFD SP!, {R4-R8} 42 | 42: 1E FF 2F E1 BX LR 43 | 43: loc_B318 44 | 44: 06 20 54 E0 SUBS R2, R4, R6 45 | 45: C6 3F C5 E0 SBC R3, R5, R6,ASR#31 46 | 46: 02 01 52 E3 CMP R2, #0x80000000 47 | 47: 00 00 D3 E2 SBCS R0, R3, #0 48 | 48: F7 FF FF AA BGE loc_B30c 49 | 49: 00 00 56 E3 CMP R6, #0 50 | 50: 01 00 00 0A BEQ loc_B33C 51 | 51: 00 40 74 E2 RSBS R4, R4, #0 52 | 52: 00 50 E5 E2 RSC R5, R5, #0 53 | 53: loc_B33C 54 | 54: 00 40 81 E5 STR R4, [R1] 55 | 55: 01 00 A0 E3 MOV R0, #1 56 | 56: F1 FF FF EA B loc_B310 57 | 57: loc_B348 58 | 58: 01 30 F0 E5 LDRB R3, [R0,#1]! 
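59 | 59: 01 60 A0 E3 MOV R6, #1
60 | 60: D5 FF FF EA B loc_B2Ac
61 | 61: ; End of function mystery1
62 |
--------------------------------------------------------------------------------
/chapter_2/page_78/mystery1/code.cpp:
--------------------------------------------------------------------------------
// Reconstruction of mystery1: parse an optional sign, leading zeros and up to
// 10 decimal digits from str; on success store the value in *result and
// return true, otherwise return false and leave *result untouched.
bool string2integer(char *str, int *result) {
    int index = 0;
    long long res = 0;   // 64-bit accumulator (R4:R5 in the listing)
    char sign = 1;       // R6: 1 when a '-' was seen
    int ndigits = 0;     // R12

    // parse the(optional) sign
    if (str[index] == '+') {
        index++;
    }
    else if (str[index] == '-') {
        index++;
        sign = -1;
    }

    // skip any leading zeros
    while (str[index] == '0')
        index++;

    // parse the number (loc_B2E4 / loc_B2DC). A chained '0' <= x <= '9' is
    // parsed as ('0' <= x) <= '9', which is always true, and the index has to
    // advance or the loop never ends.
    while ('0' <= str[index] && str[index] <= '9') {
        // CMP R12, #0xB: an 11th digit makes the whole conversion fail
        if (++ndigits > 10)
            return false;
        res = res * 10 + (str[index] - '0');
        index++;
    }

    // loc_B318: 64-bit compare of (res - (sign < 0)) against 0x80000000.
    // '2 ^ 31' is XOR, not a power; the extra 1 for negative input is what
    // lets "-2147483648" through while "2147483648" is rejected.
    if (res - (sign < 0 ? 1 : 0) >= 2147483648LL)
        return false;
    else {
        // RSBS/RSC negate the accumulator when the sign was '-'
        *result = (int)(sign < 0 ? -res : res);
        return true;
    }
}
--------------------------------------------------------------------------------
/chapter_2/page_78/mystery1/pseudocode.txt:
--------------------------------------------------------------------------------
1 | bool string2integer(char *str, int *result) {
2 | index = 0
3 | res = 0
4 | sign = 1
5 |
6 | # parse the (optional) sign
7 | if str[index] == '+' then
8 | index = index + 1
9 | elsif str[index] == '-' then
10 | index = index + 1
11 | sign = -1
12 |
13 | # skip any leading zeros
14 | while str[index] == '0' do
15 | index = index + 1
16 |
17 | # parse the number
18 | while '0' <= str[index] <= '9' do
19 | res = res*10 + (str[index] - '0')
20 | index = index + 1
21 |
22 | if abs(res) >= 2^31 then
23 | return FALSE
24 | else
25 | *result = sign * res
26 | return TRUE
27 | }
28 |
--------------------------------------------------------------------------------
/chapter_2/page_78/mystery10/code.asm:
--------------------------------------------------------------------------------
1 | mystery10
2 | 2D E9 70 48 PUSH.W {R4–R6,R11,LR}
3 | 0D F2 0C 0B ADDW R11, SP, #0xC
4 | 37 F0 CC F9 BL __security_push_cookie
5 | 84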
B0 SUB SP, SP, #0x10 6 | 0D 46 MOV R5, R1 7 | 00 24 MOVS R4, #0 8 | 10 2D CMP R5, #0x10 9 | 16 46 MOV R6, R2 10 | 0C D3 BCC loc_1010786 11 | 1A 4B LDR R3, =__imp_GetSystemTime 12 | 68 46 MOV R0, SP 13 | 1B 68 LDR R3, [R3] 14 | 98 47 BLX R3 15 | 00 9B LDR R3, [SP,#0x1C+var_1C] 16 | 10 24 MOVS R4, #0x10 17 | 33 60 STR R3, [R6] 18 | 01 9B LDR R3, [SP,#0x1C+var_18] 19 | 73 60 STR R3, [R6,#4] 20 | 02 9B LDR R3, [SP,#0x1C+var_14] 21 | B3 60 STR R3, [R6,#8] 22 | 03 9B LDR R3, [SP,#0x1C+var_10] 23 | F3 60 STR R3, [R6,#0xC] 24 | loc_1010786 25 | 2B 1B SUBS R3, R5, R4 26 | 04 2B CMP R3, #4 27 | 04 D3 BCC loc_1010796 28 | 11 4B LDR R3, =__imp_GetCurrentProcessId 29 | 1B 68 LDR R3, [R3] 30 | 98 47 BLX R3 31 | 30 51 STR R0, [R6,R4] 32 | 04 34 ADDS R4, #4 33 | loc_1010796 34 | 2B 1B SUBS R3, R5, R4 35 | 04 2B CMP R3, #4 36 | 04 D3 BCC loc_10107A6 37 | 0C 4B LDR R3, =__imp_GetTickCount 38 | 1B 68 LDR R3, [R3] 39 | 98 47 BLX R3 40 | 30 51 STR R0, [R6,R4] 41 | 04 34 ADDS R4, #4 42 | loc_10107A6 43 | 2B 1B SUBS R3, R5, R4 44 | 08 2B CMP R3, #8 45 | 09 D3 BCC loc_10107C0 46 | 07 4B LDR R3, =__imp_QueryPerformanceCounter 47 | 68 46 MOV R0, SP 48 | 1B 68 LDR R3, [R3] 49 | 98 47 BLX R3 50 | 00 9B LDR R3, [SP,#0x1C+var_1C] 51 | 32 19 ADDS R2, R6, R4 52 | 33 51 STR R3, [R6,R4] 53 | 01 9B LDR R3, [SP,#0x1C+var_18] 54 | 08 34 ADDS R4, #8 55 | 53 60 STR R3, [R2,#4] 56 | loc_10107C0 57 | 20 46 MOV R0, R4 58 | 04 B0 ADD SP, SP, #0x10 59 | 37 F0 A4 F9 BL __security_pop_cookie 60 | BD E8 70 88 POP.W {R4–R6,R11,PC} 61 | ; End of function mystery10 62 | -------------------------------------------------------------------------------- /chapter_2/page_78/mystery10/code.c: -------------------------------------------------------------------------------- 1 | unsigned int system_info(void arg1, unsigned int nr_bytes, struct1 *result) 2 | { 3 | unsigned int nr_of_copied_bytes = 0; 4 | if ( nr_bytes >= 26 ) { 5 | SYSTEMTIME SystemTime; 6 | GetSystemTime(&SystemTime); 7 | memcpy(result, &SystemTime, 
sizeof(struct SYSTEMTIME)); 8 | nr_of_copied_bytes += sizeof(struct SYSTEMTIME); 9 | } 10 | if ( nr_bytes >= 18 ) { 11 | result->dwProcessId = GetCurrentProcessId(); 12 | nr_of_copied_bytes += sizeof(DWORD); 13 | } 14 | if ( nr_bytes >= 14 ) { 15 | result->dwTickCount = GetTickCount() 16 | nr_of_copied_bytes += sizeof(DWORD); 17 | } 18 | if ( nr_bytes >= 10 ) { 19 | LARGE_INTEGER perfCounter; 20 | QueryPerformanceCounter(&perfCounter); 21 | result->liPerformanceCounter = perfCounter; 22 | nr_of_copied_bytes += sizeof(LARGE_INTEGER); 23 | } 24 | return nr_of_copied_bytes; 25 | } 26 | -------------------------------------------------------------------------------- /chapter_2/page_78/mystery11/mystery11.asm: -------------------------------------------------------------------------------- 1 | mystery11 2 | 2D E9 F8 4F PUSH.W {R3–R11,LR} 3 | 0D F2 20 0B ADDW R11, SP, #0x20 4 | B0 F9 5A 30 LDRSH.W R3, [R0,#0x5A] 5 | 07 46 MOV R7, R0 6 | 90 46 MOV R8, R2 7 | 00 EB 83 03 ADD.W R3, R0, R3,LSL#2 8 | D3 F8 84 A0 LDR.W R10, [R3,#0x84] 9 | 7B 8F LDRH R3, [R7,#0x3A] 10 | 89 46 MOV R9, R1 11 | CB B9 CBNZ R3, loc_1018602 12 | B0 F9 5A 40 LDRSH.W R4, [R0,#0x5A] 13 | 17 F1 20 02 ADDS.W R2, R7, #0x20 14 | 00 EB 44 03 ADD.W R3, R0, R4,LSL#1 15 | B3 F8 5C 50 LDRH.W R5, [R3,#0x5C] 16 | 00 EB 84 03 ADD.W R3, R0, R4,LSL#2 17 | D3 F8 84 00 LDR.W R0, [R3,#0x84] 18 | 83 89 LDRH R3, [R0,#0xC] 19 | 06 6C LDR R6, [R0,#0x40] 20 | 03 EB 45 03 ADD.W R3, R3, R5,LSL#1 21 | 9B 19 ADDS R3, R3, R6 22 | 1C 78 LDRB R4, [R3] 23 | 5B 78 LDRB R3, [R3,#1] 24 | 43 EA 04 24 ORR.W R4, R3, R4,LSL#8 25 | 43 8A LDRH R3, [R0,#0x12] 26 | 23 40 ANDS R3, R4 27 | 99 19 ADDS R1, R3, R6 28 | FD F7 8D FF BL sub_101651C 29 | loc_1018602 30 | BA 8E LDRH R2, [R7,#0x34] 31 | BB 6A LDR R3, [R7,#0x28] 32 | D0 18 ADDS R0, R2, R3 33 | 9A F8 02 30 LDRB.W R3, [R10,#2] 34 | 0B B1 CBZ R3, loc_1018612 35 | 00 22 MOVS R2, #0 36 | 00 E0 B loc_1018614 37 | loc_1018612 38 | 3A 6A LDR R2, [R7,#0x20] 39 | loc_1018614 40 | FB 8E LDRH R3, 
[R7,#0x36] 41 | B8 F1 00 0F CMP.W R8, #0 42 | 01 D0 BEQ loc_1018620 43 | 80 18 ADDS R0, R0, R2 44 | 9B 1A SUBS R3, R3, R2 45 | loc_1018620 46 | C9 F8 00 30 STR.W R3, [R9] 47 | BD E8 F8 8F POP.W {R3–R11,PC} 48 | ; End of function mystery11 49 | -------------------------------------------------------------------------------- /chapter_2/page_78/mystery11/mystery11.pseudo: -------------------------------------------------------------------------------- 1 | INT mystery11(STRUCT1 *arg1, INT *arg2, UNKNOWN *arg3) 2 | 3 | struct2* pS2 = arg1 + 2*(arg1->field5A_s) 4 | struct3* pS3 = arg1 + 4*(arg1->field5A_s) 5 | struct4* pS4 = pS3->field84_p 6 | 7 | IF arg1->field3A_s == 0 THEN 8 | int index = pS4->field0C_s + 2*pS2->field5C_s 9 | unsigned short bigEndian = pS4->field40_p[index] 10 | unsigned short val = CONVERT_BIG_ENDIAN_SHORT(bigEndian) 11 | int index2 = pS4->field12_s & val 12 | sub_101651C(pS3, pS5[index2], arg1->field20_i) 13 | ENDIF 14 | 15 | int offset; 16 | IF pS4->field02_c == 0 THEN 17 | offset = arg1->field20_i; 18 | ELSE 19 | offset = 0; 20 | ENDIF 21 | 22 | 23 | int return_value = arg1->field28_i + arg1->field34_s 24 | unsigned short new_value = arg1->field36_s 25 | 26 | IF arg3 != 0 THEN 27 | return_value = return_value + offset 28 | new_value = new_value - offset 29 | ENDIF 30 | 31 | *arg2 = new_value 32 | RETURN return_value 33 | -------------------------------------------------------------------------------- /chapter_2/page_78/mystery11/mystery11_structures.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_2/page_78/mystery11/mystery11_structures.png -------------------------------------------------------------------------------- /chapter_2/page_78/mystery2/code.asm: -------------------------------------------------------------------------------- 1 | 01: mystery2 2 | 02: 28 B1 CBZ R0, loc_C672 3 | 03: 
90 F8 63 00 LDRB.W R0, [R0,#0x63] 4 | 04: 00 38 SUBS R0, #0 5 | 05: 18 BF IT NE 6 | 06: 01 20 MOVNE R0, #1 7 | 07: 70 47 BX LR 8 | 08: loc_C672 9 | 09: 01 20 MOVS R0, #1 10 | 10: 70 47 BX LR 11 | 11: ; End of function mystery2 12 | -------------------------------------------------------------------------------- /chapter_2/page_78/mystery2/code.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | bool field63c_isnotzero(struct1 *s) 4 | { 5 | if (s && s->field63c) 6 | return true; 7 | else 8 | return false; 9 | } 10 | -------------------------------------------------------------------------------- /chapter_2/page_78/mystery2/pseudocode.txt: -------------------------------------------------------------------------------- 1 | BOOL field63c_isnotzero(struct1 *s) 2 | { 3 | if s == NULL then 4 | return TRUE 5 | elsif s->field63c == 0 then 6 | return FALSE 7 | else 8 | return TRUE 9 | } 10 | -------------------------------------------------------------------------------- /chapter_2/page_78/mystery3/code.asm: -------------------------------------------------------------------------------- 1 | 01: mystery3 2 | 02: 83 68 LDR R3, [R0,#8] 3 | 03: 0B 60 STR R3, [R1] 4 | 04: C3 68 LDR R3, [R0,#0xC] 5 | 05: 00 20 MOVS R0, #0 6 | 06: 4B 60 STR R3, [R1,#4] 7 | 07: 70 47 BX LR 8 | 08: ; End of function mystery3 9 | -------------------------------------------------------------------------------- /chapter_2/page_78/mystery3/code.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | bool copymembers(struct_arg1 *s1, struct_arg2 *s2) 4 | { 5 | s1->field00_i = s2->field08_i; 6 | s1->field04_i = s2->field0c_i; 7 | return false; 8 | } 9 | -------------------------------------------------------------------------------- /chapter_2/page_78/mystery3/pseudocode.txt: -------------------------------------------------------------------------------- 1 | BOOL copymembers(struct_arg1 *s1, 
struct_arg2 *s2) 2 | { 3 | s1->field00_i = s2->field08_i 4 | s1->field04_i = s2->field0c_i 5 | return FALSE 6 | } 7 | -------------------------------------------------------------------------------- /chapter_2/page_78/mystery4/code.asm: -------------------------------------------------------------------------------- 1 | 01: mystery4 2 | 02: 08 B9 CBNZ R0, loc_100C3DA 3 | 03: 00 20 MOVS R0, #0 4 | 04: 70 47 BX LR 5 | 05: loc_100C3DA 6 | 06: 50 F8 08 0C LDR.W R0, [R0,#–8] 7 | 07: 70 47 BX LR 8 | 08: ; End of function mystery4 9 | -------------------------------------------------------------------------------- /chapter_2/page_78/mystery4/code.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | int retrieve_value_at_minus8(int* something) 4 | { 5 | if (!something) 6 | return 0; 7 | else 8 | return *(something - 8); 9 | } 10 | -------------------------------------------------------------------------------- /chapter_2/page_78/mystery4/pseudocode.txt: -------------------------------------------------------------------------------- 1 | INT32 retrieve_value_at_minus8(int* something) 2 | { 3 | if not something then 4 | return NULL 5 | else 6 | return *(something - 8) 7 | } 8 | -------------------------------------------------------------------------------- /chapter_2/page_78/mystery5/code.asm: -------------------------------------------------------------------------------- 1 | 01: mystery5 2 | 02: 03 46 MOV R3, R0 3 | 03: 06 2B CMP R3, #6 4 | 04: 0D D0 BEQ loc_1032596 5 | 05: 07 2B CMP R3, #7 6 | 06: 09 D0 BEQ loc_1032592 7 | 07: 08 2B CMP R3, #8 8 | 08: 05 D0 BEQ loc_103258E 9 | 09: 09 2B CMP R3, #9 10 | 10: 01 D0 BEQ loc_103258A 11 | 11: 09 48 LDR R0, =aA ; "A" 12 | 12: 70 47 BX LR 13 | 13: loc_103258A 14 | 14: 07 48 LDR R0, =aB ; "B" 15 | 15: 70 47 BX LR 16 | 16: loc_103258E 17 | 17: 05 48 LDR R0, =ac ; "C" 18 | 18: 70 47 BX LR 19 | 19: loc_1032592 20 | 20: 03 48 LDR R0, =aD ; "D" 21 | 21: 70 47 BX LR 22 | 22: 
loc_1032596 23 | 23: 01 48 LDR R0, =aE ; "E" 24 | 24: 70 47 BX LR 25 | 25: ; End of function mystery5 26 | -------------------------------------------------------------------------------- /chapter_2/page_78/mystery5/code.c: -------------------------------------------------------------------------------- 1 | char* number_to_string(unsigned char number) 2 | { 3 | switch (number) { 4 | case 6: return "E"; 5 | case 7: return "D"; 6 | case 8: return "C"; 7 | case 9: return "B"; 8 | default: return "A"; 9 | } 10 | } 11 | -------------------------------------------------------------------------------- /chapter_2/page_78/mystery5/pseudocode.txt: -------------------------------------------------------------------------------- 1 | FUNCTION(integer number) 2 | CASE number OF 3 | 6 : return "E" 4 | 7 : return "D" 5 | 8 : return "C" 6 | 9 : return "B" 7 | OTHERS: 8 | return "A" 9 | ENDCASE 10 | -------------------------------------------------------------------------------- /chapter_2/page_78/mystery6/code.asm: -------------------------------------------------------------------------------- 1 | mystery6 2 | 2D E9 18 48 PUSH.W {R3,R4,R11,LR} 3 | 0D F2 08 0B ADDW R11, SP, #8 4 | 04 68 LDR R4, [R0] 5 | 00 22 MOVS R2, #0 6 | 00 2C CMP R4, #0 7 | 06 DD BLE loc_103B3B6 8 | loc_103B3A8 9 | 50 F8 04 3F LDR.W R3, [R0,#4]! 
10 | 8B 42 CMP R3, R1 11 | 06 D0 BEQ loc_103B3BE 12 | 01 32 ADDS R2, #1 13 | A2 42 CMP R2, R4 14 | F8 DB BLT loc_103B3A8 15 | loc_103B3B6 16 | 00 20 MOVS R0, #0 17 | 00 21 MOVS R1, #0 18 | locret_103B3BA 19 | BD E8 18 88 POP.W {R3,R4,R11,PC} 20 | loc_103B3BE 21 | B2 F1 20 03 SUBS.W R3, R2, #0X20 22 | 01 21 MOVS R1, #1 23 | 99 40 LSLS R1, R3 24 | 01 23 MOVS R3, #1 25 | 13 FA 02 F0 LSLS.W R0, R3, R2 26 | F5 E7 B locret_103B3BA 27 | ; End of function mystery6 28 | -------------------------------------------------------------------------------- /chapter_2/page_78/mystery6/code.c: -------------------------------------------------------------------------------- 1 | struct struct_arg1 { 2 | int size; 3 | int array[]; 4 | }; 5 | 6 | 7 | __int64 bitmask_of_match(struct struct_arg1 *s, int m) 8 | { 9 | int size = s->size; 10 | int index; 11 | for (index = 0; index < size; index++) { 12 | if (s->array[index] == m) 13 | return __int64( 1 << index ); 14 | } 15 | return 0; 16 | } -------------------------------------------------------------------------------- /chapter_2/page_78/mystery6/pseudocode.txt: -------------------------------------------------------------------------------- 1 | FUNCTION bitmask_of_match(s, m) 2 | SIZE = s->size 3 | ARRAY = s->array 4 | 5 | FOR index = 0 to SIZE-1 6 | IF ARRAY[index] == m THEN 7 | RETURN 2^index 8 | ENDFOR 9 | 10 | RETURN 0 11 | 12 | 13 | -------------------------------------------------------------------------------- /chapter_2/page_78/mystery7/code.asm: -------------------------------------------------------------------------------- 1 | mystery7 2 | 02 46 MOV R2, R0 3 | 08 B9 CBNZ R0, loc_100E1D8 4 | 00 20 MOVS R0, #0 5 | 70 47 BX LR 6 | loc_100E1D8 7 | 90 F9 00 30 LDRSB.W R3, [R0] 8 | 02 E0 B loc_100E1E4 9 | loc_100E1DE 10 | 01 32 ADDS R2, #1 11 | 92 F9 00 30 LDRSB.W R3, [R2] 12 | loc_100E1E4 13 | 00 2B CMP R3, #0 14 | FA D1 BNE loc_100E1DE 15 | 10 1A SUBS R0, R2, R0 16 | 6F F3 9F 70 BFC.W R0, #0x1E, #2 17 | 70 47 BX LR 18 | ; End of 
function mystery7 19 | -------------------------------------------------------------------------------- /chapter_2/page_78/mystery7/code.c: -------------------------------------------------------------------------------- 1 | unsigned int strlen(const char *s) { 2 | unsigned int len = 0; 3 | while( s[len] != '\0' ) 4 | len++; 5 | return len; 6 | } -------------------------------------------------------------------------------- /chapter_2/page_78/mystery7/pseudocode.txt: -------------------------------------------------------------------------------- 1 | FUNCTION mystery7(string1) 2 | len = 0 3 | WHILE string1[len] != 0 DO 4 | len = len + 1 5 | ENDWHILE 6 | RETURN len 7 | END 8 | -------------------------------------------------------------------------------- /chapter_2/page_78/mystery8/code.asm: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_2/page_78/mystery8/code.asm -------------------------------------------------------------------------------- /chapter_2/page_78/mystery8/code.c: -------------------------------------------------------------------------------- 1 | #include 2 | int strncmp(const char* s1, const char* s2, size_t n) 3 | { 4 | while (n--) 5 | if (*s1++ != *s2++) 6 | return *(unsigned char*)(s1 - 1) - *(unsigned char*)(s2 - 1); 7 | return 0; 8 | } -------------------------------------------------------------------------------- /chapter_2/page_78/mystery8/pseudocode_step1.txt: -------------------------------------------------------------------------------- 1 | FUNCTION mystery8(string1, string2, limit) 2 | byteArray = {0, 1, 2, ..., 255} 3 | index = 0 4 | DO 5 | IF limit <= 0 THEN 6 | // break to line 20 7 | 8 | R5 = string1[index] 9 | limit = limit -1 10 | IF R5 == 0 THEN 11 | // break to line 21 12 | 13 | R4 = byteArray[string2[index]] 14 | R3 = byteArray[string1[index]] 15 | index = index + 1 16 | 
WHILE R3 != R4 17 | index = index - 1 18 | 19 | // line 21 -------------------------------------------------------------------------------- /chapter_2/page_78/mystery8/pseudocode_step2.txt: -------------------------------------------------------------------------------- 1 | FUNCTION mystery8(string1, string2, limit) 2 | byteArray = {0, 1, 2, ..., 255} 3 | index = 0 4 | DO 5 | limit = limit -1 6 | IF limit < 0 THEN 7 | BREAK 8 | 9 | R5 = string1[index] 10 | IF R5 == 0 THEN 11 | BREAK 12 | 13 | R4 = byteArray[string2[index]] 14 | R3 = byteArray[string1[index]] 15 | index = index + 1 16 | WHILE R3 != R4 17 | 18 | // line 21 19 | index = index - 1 20 | IF limit >= 0 THEN 21 | R2 = byteArray[string2[index]] 22 | R3 = byteArray[string1[index]] 23 | RETURN R3 - R2 24 | ELSE 25 | RETURN 0 26 | 27 | 28 | -------------------------------------------------------------------------------- /chapter_2/page_78/mystery8/pseudocode_step3.txt: -------------------------------------------------------------------------------- 1 | FUNCTION mystery8(string1, string2, limit) 2 | FOR index = 0 to limit - 1 DO 3 | IF string1[index] == 0 OR string1[index] != string2[index] THEN 4 | RETURN string1[index] - string2[index] 5 | ENDIF 6 | ENDFOR 7 | RETURN 0 8 | END 9 | -------------------------------------------------------------------------------- /chapter_2/page_78/mystery9/code.asm: -------------------------------------------------------------------------------- 1 | mystery9 2 | 2D E9 30 48 PUSH.W {R4,R5,R11,LR} 3 | 0D F2 08 0B ADDW R11, SP, #8 4 | 09 4D LDR R5, =byteArray 5 | 06 E0 B loc_100E312 6 | loc_100E304 7 | 0B 78 LDRB R3, [R1] 8 | 5A 5D LDRB R2, [R3,R5] 9 | 63 5D LDRB R3, [R4,R5] 10 | 93 42 CMP R3, R2 11 | 04 D1 BNE loc_100E318 12 | 01 30 ADDS R0, #1 13 | 01 31 ADDS R1, #1 14 | loc_100E312 15 | 04 78 LDRB R4, [R0] 16 | 00 2C CMP R4, #0 17 | F5 D1 BNE loc_100E304 18 | loc_100E318 19 | 0B 78 LDRB R3, [R1] 20 | 5A 5D LDRB R2, [R3,R5] 21 | 03 78 LDRB R3, [R0] 22 | 5B 5D LDRB R3, [R3,R5] 23 
| 98 1A SUBS R0, R3, R2 24 | BD E8 30 88 POP.W {R4,R5,R11,PC} 25 | ; End of function mystery9 26 | -------------------------------------------------------------------------------- /chapter_2/page_78/mystery9/code.c: -------------------------------------------------------------------------------- 1 | int strcmp(const char* s1, const char* s2) 2 | { 3 | while(*s1 && (*s1==*s2)) 4 | s1++,s2++; 5 | return *(const unsigned char*)s1-*(const unsigned char*)s2; 6 | } -------------------------------------------------------------------------------- /chapter_2/page_78/mystery9/notes.txt: -------------------------------------------------------------------------------- 1 | arg1 = "string a" // null terminated 2 | arg2 = "string b" // null terminated 3 | arg3 = 1000 4 | 5 | => return value -1 6 | 7 | 8 | 9 | arg1 = "string a" // null terminated 10 | arg2 = "string b" // null terminated 11 | arg3 = 3 12 | 13 | => return value 0 14 | 15 | arg1 = "string a" // null terminated 16 | arg2 = "String b" // null terminated 17 | arg3 = 1000 18 | 19 | => return value 32 20 | 21 | 22 | arg1 = "word" // null terminated 23 | arg2 = "wording" // null terminated 24 | arg3 = 1000 25 | 26 | => return value -105 27 | 28 | 29 | 30 | 31 | -------------------------------------------------------------------------------- /chapter_2/page_78/mystery9/pseudocode.txt: -------------------------------------------------------------------------------- 1 | FUNCTION mystery9(string1, string2) 2 | index = 0 3 | WHILE TRUE 4 | IF string1[index] == 0 OR string1[index] != string2[index] THEN 5 | RETURN string1[index] - string2[index] 6 | ENDIF 7 | index = index + 1 8 | ENDWHILE 9 | RETURN 0 10 | END 11 | -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_1/KernelRoutines/ExpTimerInitialization.asm: -------------------------------------------------------------------------------- 1 | 0: kd> uf ExpTimerInitialization 2 | nt!ExpTimerInitialization: 3 | 
fffff800`1233862c 48895c2408 mov qword ptr [rsp+8],rbx 4 | fffff800`12338631 48897c2410 mov qword ptr [rsp+10h],rdi 5 | fffff800`12338636 55 push rbp 6 | fffff800`12338637 488d6c24a9 lea rbp,[rsp-57h] 7 | fffff800`1233863c 4881ecb0000000 sub rsp,0B0h 8 | fffff800`12338643 488d05260cbdff lea rax,[nt!ExpWakeTimerList (fffff800`11f09270)] 9 | fffff800`1233864a 488d151ff10300 lea rdx,[nt! ?? ::PBOPGDP::`string' (fffff800`12377770)] 10 | fffff800`12338651 488d4dc7 lea rcx,[rbp-39h] 11 | fffff800`12338655 33db xor ebx,ebx 12 | fffff800`12338657 4889051a0cbdff mov qword ptr [nt!ExpWakeTimerList+0x8 (fffff800`11f09278)],rax 13 | fffff800`1233865e 4889050b0cbdff mov qword ptr [nt!ExpWakeTimerList (fffff800`11f09270)],rax 14 | fffff800`12338665 48891d140cbdff mov qword ptr [nt!ExpWakeTimerLock (fffff800`11f09280)],rbx 15 | fffff800`1233866c e8af469fff call nt!RtlInitUnicodeString (fffff800`11d2cd20) 16 | fffff800`12338671 8d7b78 lea edi,[rbx+78h] 17 | fffff800`12338674 488d4dd7 lea rcx,[rbp-29h] 18 | fffff800`12338678 448bc7 mov r8d,edi 19 | fffff800`1233867b 33d2 xor edx,edx 20 | fffff800`1233867d e83ef49bff call nt!memset (fffff800`11cf7ac0) 21 | fffff800`12338682 488d058374a3ff lea rax,[nt!ExpDeleteTimer (fffff800`11d6fb0c)] 22 | fffff800`12338689 4c8d0d107dc9ff lea r9,[nt!ExTimerObjectType (fffff800`11fd03a0)] 23 | fffff800`12338690 0f1005996bffff movups xmm0,xmmword ptr [nt!ExpTimerMapping (fffff800`1232f230)] 24 | fffff800`12338697 488d55d7 lea rdx,[rbp-29h] 25 | fffff800`1233869b 488d4dc7 lea rcx,[rbp-39h] 26 | fffff800`1233869f 4533c0 xor r8d,r8d 27 | fffff800`123386a2 f30f7f45e3 movdqu xmmword ptr [rbp-1Dh],xmm0 28 | fffff800`123386a7 66897dd7 mov word ptr [rbp-29h],di 29 | fffff800`123386ab c745df00010000 mov dword ptr [rbp-21h],100h 30 | fffff800`123386b2 c745fb00020000 mov dword ptr [rbp-5],200h 31 | fffff800`123386b9 c7450338010000 mov dword ptr [rbp+3],138h 32 | fffff800`123386c0 c745f303001f00 mov dword ptr [rbp-0Dh],1F0003h 33 | fffff800`123386c7 4889451f mov 
qword ptr [rbp+1Fh],rax 34 | fffff800`123386cb e8d0a6e3ff call nt!ObCreateObjectType (fffff800`12172da0) 35 | fffff800`123386d0 85c0 test eax,eax 36 | fffff800`123386d2 7843 js nt!ExpTimerInitialization+0xeb (fffff800`12338717) 37 | 38 | nt!ExpTimerInitialization+0xa8: 39 | fffff800`123386d4 488d15a5f00300 lea rdx,[nt! ?? ::PBOPGDP::`string' (fffff800`12377780)] 40 | fffff800`123386db 488d4dc7 lea rcx,[rbp-39h] 41 | fffff800`123386df e83c469fff call nt!RtlInitUnicodeString (fffff800`11d2cd20) 42 | fffff800`123386e4 488d05954bb0ff lea rax,[nt!ExpCloseIRTimer (fffff800`11e3d280)] 43 | fffff800`123386eb 4c8d0da67fc9ff lea r9,[nt!ExpIRTimerObjectType (fffff800`11fd0698)] 44 | fffff800`123386f2 488d55d7 lea rdx,[rbp-29h] 45 | fffff800`123386f6 488d4dc7 lea rcx,[rbp-39h] 46 | fffff800`123386fa 4533c0 xor r8d,r8d 47 | fffff800`123386fd 48894517 mov qword ptr [rbp+17h],rax 48 | fffff800`12338701 c7450388000000 mov dword ptr [rbp+3],88h 49 | fffff800`12338708 48895d1f mov qword ptr [rbp+1Fh],rbx 50 | fffff800`1233870c e88fa6e3ff call nt!ObCreateObjectType (fffff800`12172da0) 51 | fffff800`12338711 85c0 test eax,eax 52 | fffff800`12338713 7802 js nt!ExpTimerInitialization+0xeb (fffff800`12338717) 53 | 54 | nt!ExpTimerInitialization+0xe9: 55 | fffff800`12338715 b301 mov bl,1 56 | 57 | nt!ExpTimerInitialization+0xeb: 58 | fffff800`12338717 4c8d9c24b0000000 lea r11,[rsp+0B0h] 59 | fffff800`1233871f 8ac3 mov al,bl 60 | fffff800`12338721 498b5b10 mov rbx,qword ptr [r11+10h] 61 | fffff800`12338725 498b7b18 mov rdi,qword ptr [r11+18h] 62 | fffff800`12338729 498be3 mov rsp,r11 63 | fffff800`1233872c 5d pop rbp 64 | fffff800`1233872d c3 ret 65 | -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_1/KernelRoutines/IoInitializeIrp.asm: -------------------------------------------------------------------------------- 1 | 0: kd> uf IoInitializeIrp 2 | nt!IoInitializeIrp: 3 | fffff800`11ca06e0 48895c2408 mov qword ptr [rsp+8],rbx 4 
| fffff800`11ca06e5 4889742410 mov qword ptr [rsp+10h],rsi 5 | fffff800`11ca06ea 57 push rdi 6 | fffff800`11ca06eb 4883ec20 sub rsp,20h 7 | fffff800`11ca06ef 48833d59f0260000 cmp qword ptr [nt!ViVerifierDriverAddedThunkListHead (fffff800`11f0f750)],0 8 | fffff800`11ca06f7 418af8 mov dil,r8b 9 | fffff800`11ca06fa 0fb7f2 movzx esi,dx 10 | fffff800`11ca06fd 488bd9 mov rbx,rcx 11 | fffff800`11ca0700 0f85a2b01a00 jne nt! ?? ::FNODOBFM::`string'+0xac86 (fffff800`11e4b7a8) 12 | 13 | nt!IoInitializeIrp+0x26: 14 | fffff800`11ca0706 440fb7c6 movzx r8d,si 15 | fffff800`11ca070a 33d2 xor edx,edx 16 | fffff800`11ca070c 488bcb mov rcx,rbx 17 | fffff800`11ca070f e8ac730500 call nt!memset (fffff800`11cf7ac0) 18 | fffff800`11ca0714 66897302 mov word ptr [rbx+2],si 19 | fffff800`11ca0718 488b742438 mov rsi,qword ptr [rsp+38h] 20 | fffff800`11ca071d 40887b42 mov byte ptr [rbx+42h],dil 21 | fffff800`11ca0721 8d4701 lea eax,[rdi+1] 22 | fffff800`11ca0724 41bb06000000 mov r11d,6 23 | fffff800`11ca072a 884343 mov byte ptr [rbx+43h],al 24 | fffff800`11ca072d 6644891b mov word ptr [rbx],r11w 25 | fffff800`11ca0731 65488b042588010000 mov rax,qword ptr gs:[188h] 26 | fffff800`11ca073a 8a8842020000 mov cl,byte ptr [rax+242h] 27 | fffff800`11ca0740 488d4320 lea rax,[rbx+20h] 28 | fffff800`11ca0744 884b46 mov byte ptr [rbx+46h],cl 29 | fffff800`11ca0747 48894008 mov qword ptr [rax+8],rax 30 | fffff800`11ca074b 488900 mov qword ptr [rax],rax 31 | fffff800`11ca074e 480fbec7 movsx rax,dil 32 | fffff800`11ca0752 488d04c0 lea rax,[rax+rax*8] 33 | fffff800`11ca0756 4883c01a add rax,1Ah 34 | fffff800`11ca075a 488d04c3 lea rax,[rbx+rax*8] 35 | fffff800`11ca075e 488983b8000000 mov qword ptr [rbx+0B8h],rax 36 | fffff800`11ca0765 488b5c2430 mov rbx,qword ptr [rsp+30h] 37 | fffff800`11ca076a 4883c420 add rsp,20h 38 | fffff800`11ca076e 5f pop rdi 39 | fffff800`11ca076f c3 ret 40 | 41 | nt! ?? 
::FNODOBFM::`string'+0xac86: 42 | fffff800`11e4b7a8 e883cf4600 call nt!IovInitializeIrp (fffff800`122b8730) 43 | fffff800`11e4b7ad 90 nop 44 | fffff800`11e4b7ae e9534fe5ff jmp nt!IoInitializeIrp+0x26 (fffff800`11ca0706) 45 | -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_1/KernelRoutines/KeInitializeMutex.asm: -------------------------------------------------------------------------------- 1 | 0: kd> uf KeInitializeMutex 2 | nt!KeInitializeMutex: 3 | fffff800`11cb6cec 488d4108 lea rax,[rcx+8] 4 | fffff800`11cb6cf0 c60102 mov byte ptr [rcx],2 5 | fffff800`11cb6cf3 66c741020e00 mov word ptr [rcx+2],0Eh 6 | fffff800`11cb6cf9 c7410401000000 mov dword ptr [rcx+4],1 7 | fffff800`11cb6d00 33d2 xor edx,edx 8 | fffff800`11cb6d02 48895128 mov qword ptr [rcx+28h],rdx 9 | fffff800`11cb6d06 48894008 mov qword ptr [rax+8],rax 10 | fffff800`11cb6d0a 488900 mov qword ptr [rax],rax 11 | fffff800`11cb6d0d 66c741300001 mov word ptr [rcx+30h],100h 12 | fffff800`11cb6d13 c3 ret 13 | -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_1/KernelRoutines/KeInitializeProcess.asm: -------------------------------------------------------------------------------- 1 | 0: kd> uf KeInitializeProcess 2 | nt!KeInitializeGuardedMutex: 3 | fffff800`11d605a4 c70101000000 mov dword ptr [rcx],1 4 | fffff800`11d605aa 33c0 xor eax,eax 5 | fffff800`11d605ac 48894108 mov qword ptr [rcx+8],rax 6 | fffff800`11d605b0 894110 mov dword ptr [rcx+10h],eax 7 | fffff800`11d605b3 89411c mov dword ptr [rcx+1Ch],eax 8 | fffff800`11d605b6 488d4120 lea rax,[rcx+20h] 9 | fffff800`11d605ba 66c741180100 mov word ptr [rcx+18h],1 10 | fffff800`11d605c0 c6411a06 mov byte ptr [rcx+1Ah],6 11 | fffff800`11d605c4 48894008 mov qword ptr [rax+8],rax 12 | fffff800`11d605c8 488900 mov qword ptr [rax],rax 13 | fffff800`11d605cb c3 ret 14 | 15 | nt!KeInitializeProcess: 16 | fffff800`12111010 488bc4 mov rax,rsp 17 | 
fffff800`12111013 48895808 mov qword ptr [rax+8],rbx 18 | fffff800`12111017 48896810 mov qword ptr [rax+10h],rbp 19 | fffff800`1211101b 48897018 mov qword ptr [rax+18h],rsi 20 | fffff800`1211101f 48897820 mov qword ptr [rax+20h],rdi 21 | fffff800`12111023 4157 push r15 22 | fffff800`12111025 4883ec20 sub rsp,20h 23 | fffff800`12111029 c60103 mov byte ptr [rcx],3 24 | fffff800`1211102c c64102b2 mov byte ptr [rcx+2],0B2h 25 | fffff800`12111030 488d4108 lea rax,[rcx+8] 26 | fffff800`12111034 48894008 mov qword ptr [rax+8],rax 27 | fffff800`12111038 488900 mov qword ptr [rax],rax 28 | fffff800`1211103b 8891b4010000 mov byte ptr [rcx+1B4h],dl 29 | fffff800`12111041 83a10c01000000 and dword ptr [rcx+10Ch],0 30 | fffff800`12111048 c7810801000014001400 mov dword ptr [rcx+108h],140014h 31 | fffff800`12111052 498bf0 mov rsi,r8 32 | fffff800`12111055 488bd9 mov rbx,rcx 33 | fffff800`12111058 33d2 xor edx,edx 34 | fffff800`1211105a 41b8a0000000 mov r8d,0A0h 35 | fffff800`12111060 4881c110010000 add rcx,110h 36 | fffff800`12111067 498be9 mov rbp,r9 37 | fffff800`1211106a e8516abeff call nt!memset (fffff800`11cf7ac0) 38 | fffff800`1211106f 0fb6442458 movzx eax,byte ptr [rsp+58h] 39 | fffff800`12111074 bf01000000 mov edi,1 40 | fffff800`12111079 3383b0010000 xor eax,dword ptr [rbx+1B0h] 41 | fffff800`1211107f 488d4b50 lea rcx,[rbx+50h] 42 | fffff800`12111083 33d2 xor edx,edx 43 | fffff800`12111085 23c7 and eax,edi 44 | fffff800`12111087 41b8a0000000 mov r8d,0A0h 45 | fffff800`1211108d 3183b0010000 xor dword ptr [rbx+1B0h],eax 46 | fffff800`12111093 83634c00 and dword ptr [rbx+4Ch],0 47 | fffff800`12111097 c7434801001400 mov dword ptr [rbx+48h],140001h 48 | fffff800`1211109e e81d6abeff call nt!memset (fffff800`11cf7ac0) 49 | fffff800`121110a3 0fb74e08 movzx ecx,word ptr [rsi+8] 50 | fffff800`121110a7 4c8b1e mov r11,qword ptr [rsi] 51 | fffff800`121110aa 66394b48 cmp word ptr [rbx+48h],cx 52 | fffff800`121110ae 0f864c8e1500 jbe nt! ?? 
::NNGAKEGL::`string'+0x2d150 (fffff800`12269f00) 53 | 54 | nt!KeInitializeProcess+0xa4: 55 | fffff800`121110b4 0fb7c1 movzx eax,cx 56 | fffff800`121110b7 4c095cc350 or qword ptr [rbx+rax*8+50h],r11 57 | fffff800`121110bc 8a4e08 mov cl,byte ptr [rsi+8] 58 | fffff800`121110bf d3e7 shl edi,cl 59 | fffff800`121110c1 c1e706 shl edi,6 60 | fffff800`121110c4 33bbb0010000 xor edi,dword ptr [rbx+1B0h] 61 | fffff800`121110ca 81e7c0ffff03 and edi,3FFFFC0h 62 | fffff800`121110d0 31bbb0010000 xor dword ptr [rbx+1B0h],edi 63 | fffff800`121110d6 488b16 mov rdx,qword ptr [rsi] 64 | fffff800`121110d9 0fb74e08 movzx ecx,word ptr [rsi+8] 65 | fffff800`121110dd e88ef1c4ff call nt!KiTestNodeAffinity (fffff800`11d60270) 66 | fffff800`121110e2 84c0 test al,al 67 | fffff800`121110e4 0f84228e1500 je nt! ?? ::NNGAKEGL::`string'+0x2d15c (fffff800`12269f0c) 68 | 69 | nt!KeInitializeProcess+0xda: 70 | fffff800`121110ea 488d4318 lea rax,[rbx+18h] 71 | fffff800`121110ee 488bd5 mov rdx,rbp 72 | fffff800`121110f1 488bcb mov rcx,rbx 73 | fffff800`121110f4 48894008 mov qword ptr [rax+8],rax 74 | fffff800`121110f8 488900 mov qword ptr [rax],rax 75 | fffff800`121110fb 488d83f0000000 lea rax,[rbx+0F0h] 76 | fffff800`12111102 48894008 mov qword ptr [rax+8],rax 77 | fffff800`12111106 488900 mov qword ptr [rax],rax 78 | fffff800`12111109 488d4330 lea rax,[rbx+30h] 79 | fffff800`1211110d 48894008 mov qword ptr [rax+8],rax 80 | fffff800`12111111 488900 mov qword ptr [rax],rax 81 | fffff800`12111114 83a33402000000 and dword ptr [rbx+234h],0 82 | fffff800`1211111b c683b501000006 mov byte ptr [rbx+1B5h],6 83 | fffff800`12111122 440fb74608 movzx r8d,word ptr [rsi+8] 84 | fffff800`12111127 e86404c5ff call nt!KiSetIdealNodeProcessByGroup (fffff800`11d61590) 85 | fffff800`1211112c 440fb75e08 movzx r11d,word ptr [rsi+8] 86 | fffff800`12111131 488d8b88020000 lea rcx,[rbx+288h] 87 | fffff800`12111138 420fb7845b08020000 movzx eax,word ptr [rbx+r11*2+208h] 88 | fffff800`12111141 66898330020000 mov word ptr 
[rbx+230h],ax 89 | fffff800`12111148 488b442450 mov rax,qword ptr [rsp+50h] 90 | fffff800`1211114d 48898358020000 mov qword ptr [rbx+258h],rax 91 | fffff800`12111154 488b5c2430 mov rbx,qword ptr [rsp+30h] 92 | fffff800`12111159 488b6c2438 mov rbp,qword ptr [rsp+38h] 93 | fffff800`1211115e 488b742440 mov rsi,qword ptr [rsp+40h] 94 | fffff800`12111163 488b7c2448 mov rdi,qword ptr [rsp+48h] 95 | fffff800`12111168 4883c420 add rsp,20h 96 | fffff800`1211116c 415f pop r15 97 | fffff800`1211116e e931f4c4ff jmp nt!KeInitializeGuardedMutex (fffff800`11d605a4) 98 | 99 | nt! ?? ::NNGAKEGL::`string'+0x2d150: 100 | fffff800`12269f00 8d0439 lea eax,[rcx+rdi] 101 | fffff800`12269f03 66894348 mov word ptr [rbx+48h],ax 102 | fffff800`12269f07 e9a871eaff jmp nt!KeInitializeProcess+0xa4 (fffff800`121110b4) 103 | 104 | nt! ?? ::NNGAKEGL::`string'+0x2d15c: 105 | fffff800`12269f0c 838bb001000008 or dword ptr [rbx+1B0h],8 106 | fffff800`12269f13 e9d271eaff jmp nt!KeInitializeProcess+0xda (fffff800`121110ea) 107 | -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_1/KernelRoutines/KeInitializeTimerEx.asm: -------------------------------------------------------------------------------- 1 | 0: kd> uf KeInitializeTimerEx 2 | nt!KeInitializeTimerEx: 3 | fffff800`11d2e5b0 4533c0 xor r8d,r8d 4 | fffff800`11d2e5b3 488d4108 lea rax,[rcx+8] 5 | fffff800`11d2e5b7 80c208 add dl,8 6 | fffff800`11d2e5ba 4c8901 mov qword ptr [rcx],r8 7 | fffff800`11d2e5bd 8811 mov byte ptr [rcx],dl 8 | fffff800`11d2e5bf 48894008 mov qword ptr [rax+8],rax 9 | fffff800`11d2e5c3 488900 mov qword ptr [rax],rax 10 | fffff800`11d2e5c6 4c894118 mov qword ptr [rcx+18h],r8 11 | fffff800`11d2e5ca 4c894138 mov qword ptr [rcx+38h],r8 12 | fffff800`11d2e5ce c3 ret 13 | -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_1/KernelRoutines/KiInitializeProcessor.asm: 
-------------------------------------------------------------------------------- 1 | 0: kd> uf KiInitializeProcessor 2 | nt!KiInitializeProcessor: 3 | fffff800`11fdca00 48895c2408 mov qword ptr [rsp+8],rbx 4 | fffff800`11fdca05 4889742410 mov qword ptr [rsp+10h],rsi 5 | fffff800`11fdca0a 57 push rdi 6 | fffff800`11fdca0b 4883ec30 sub rsp,30h 7 | fffff800`11fdca0f 833d2e39ffff00 cmp dword ptr [nt!KeThreadDpcEnable (fffff800`11fd0344)],0 8 | fffff800`11fdca16 488bf1 mov rsi,rcx 9 | fffff800`11fdca19 742c je nt!KiInitializeProcessor+0x47 (fffff800`11fdca47) 10 | 11 | nt!KiInitializeProcessor+0x1b: 12 | fffff800`11fdca1b 4881c100500000 add rcx,5000h 13 | fffff800`11fdca22 e8215fcbff call nt!KeInitializeGate (fffff800`11c92948) 14 | fffff800`11fdca27 488d96a02d0000 lea rdx,[rsi+2DA0h] 15 | fffff800`11fdca2e 48895208 mov qword ptr [rdx+8],rdx 16 | fffff800`11fdca32 488912 mov qword ptr [rdx],rdx 17 | fffff800`11fdca35 4883a6b02d000000 and qword ptr [rsi+2DB0h],0 18 | fffff800`11fdca3d c786b82d000000000000 mov dword ptr [rsi+2DB8h],0 19 | 20 | nt!KiInitializeProcessor+0x47: 21 | fffff800`11fdca47 833dfe36ffff00 cmp dword ptr [nt!KeDpcWatchdogPeriod (fffff800`11fd014c)],0 22 | fffff800`11fdca4e 0f8495000000 je nt!KiInitializeProcessor+0xe9 (fffff800`11fdcae9) 23 | 24 | nt!KiInitializeProcessor+0x54: 25 | fffff800`11fdca54 448b4624 mov r8d,dword ptr [rsi+24h] 26 | fffff800`11fdca58 488dbe38560000 lea rdi,[rsi+5638h] 27 | fffff800`11fdca5f 488d15fe7bcdff lea rdx,[nt!KiDpcWatchdog (fffff800`11cb4664)] 28 | fffff800`11fdca66 488bcf mov rcx,rdi 29 | fffff800`11fdca69 e8e2c4ddff call nt!KeInitializeThreadedDpc (fffff800`11db8f50) 30 | fffff800`11fdca6e 0fb74624 movzx eax,word ptr [rsi+24h] 31 | fffff800`11fdca72 b980020000 mov ecx,280h 32 | fffff800`11fdca77 6603c1 add ax,cx 33 | fffff800`11fdca7a 488d9e78560000 lea rbx,[rsi+5678h] 34 | fffff800`11fdca81 33d2 xor edx,edx 35 | fffff800`11fdca83 488bcb mov rcx,rbx 36 | fffff800`11fdca86 6689863a560000 mov word ptr [rsi+563Ah],ax 
37 | fffff800`11fdca8d c6863956000002 mov byte ptr [rsi+5639h],2 38 | fffff800`11fdca94 e8171bd5ff call nt!KeInitializeTimerEx (fffff800`11d2e5b0) 39 | fffff800`11fdca99 448b057435ffff mov r8d,dword ptr [nt!KeMaximumIncrement (fffff800`11fd0014)] 40 | fffff800`11fdcaa0 448b1da536ffff mov r11d,dword ptr [nt!KeDpcWatchdogPeriod (fffff800`11fd014c)] 41 | fffff800`11fdcaa7 4569db10270000 imul r11d,r11d,2710h 42 | fffff800`11fdcaae 418d40ff lea eax,[r8-1] 43 | fffff800`11fdcab2 33d2 xor edx,edx 44 | fffff800`11fdcab4 41b9fa000000 mov r9d,0FAh 45 | fffff800`11fdcaba 4103c3 add eax,r11d 46 | fffff800`11fdcabd 488bcb mov rcx,rbx 47 | fffff800`11fdcac0 48897c2420 mov qword ptr [rsp+20h],rdi 48 | fffff800`11fdcac5 41f7f0 div eax,r8d 49 | fffff800`11fdcac8 41f7d8 neg r8d 50 | fffff800`11fdcacb 418bd0 mov edx,r8d 51 | fffff800`11fdcace 898668500000 mov dword ptr [rsi+5068h],eax 52 | fffff800`11fdcad4 89866c500000 mov dword ptr [rsi+506Ch],eax 53 | fffff800`11fdcada 448b056b36ffff mov r8d,dword ptr [nt!KeDpcWatchdogPeriod (fffff800`11fd014c)] 54 | fffff800`11fdcae1 41d1e8 shr r8d,1 55 | fffff800`11fdcae4 e8778ed4ff call nt!KeSetCoalescableTimer (fffff800`11d25960) 56 | 57 | nt!KiInitializeProcessor+0xe9: 58 | fffff800`11fdcae9 8b05b936ffff mov eax,dword ptr [nt!KiDPCTimeout (fffff800`11fd01a8)] 59 | fffff800`11fdcaef 85c0 test eax,eax 60 | fffff800`11fdcaf1 741a je nt!KiInitializeProcessor+0x10d (fffff800`11fdcb0d) 61 | 62 | nt!KiInitializeProcessor+0xf3: 63 | fffff800`11fdcaf3 8b0d1b35ffff mov ecx,dword ptr [nt!KeMaximumIncrement (fffff800`11fd0014)] 64 | fffff800`11fdcaf9 69c010270000 imul eax,eax,2710h 65 | fffff800`11fdcaff 33d2 xor edx,edx 66 | fffff800`11fdcb01 ffc8 dec eax 67 | fffff800`11fdcb03 03c1 add eax,ecx 68 | fffff800`11fdcb05 f7f1 div eax,ecx 69 | fffff800`11fdcb07 898624530000 mov dword ptr [rsi+5324h],eax 70 | 71 | nt!KiInitializeProcessor+0x10d: 72 | fffff800`11fdcb0d 488b5c2440 mov rbx,qword ptr [rsp+40h] 73 | fffff800`11fdcb12 488b742448 mov rsi,qword ptr 
[rsp+48h] 74 | fffff800`11fdcb17 33c0 xor eax,eax 75 | fffff800`11fdcb19 4883c430 add rsp,30h 76 | fffff800`11fdcb1d 5f pop rdi 77 | fffff800`11fdcb1e c3 ret 78 | -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_1/KernelRoutines/MiInitializePrefetchHead.asm: -------------------------------------------------------------------------------- 1 | 0: kd> uf MiInitializePrefetchHead 2 | nt!MiInitializePrefetchHead: 3 | fffff800`11db2bc4 488d4108 lea rax,[rcx+8] 4 | fffff800`11db2bc8 48894008 mov qword ptr [rax+8],rax 5 | fffff800`11db2bcc 488900 mov qword ptr [rax],rax 6 | fffff800`11db2bcf 488d4118 lea rax,[rcx+18h] 7 | fffff800`11db2bd3 48894008 mov qword ptr [rax+8],rax 8 | fffff800`11db2bd7 488900 mov qword ptr [rax],rax 9 | fffff800`11db2bda 488d4128 lea rax,[rcx+28h] 10 | fffff800`11db2bde 48894008 mov qword ptr [rax+8],rax 11 | fffff800`11db2be2 488900 mov qword ptr [rax],rax 12 | fffff800`11db2be5 33c0 xor eax,eax 13 | fffff800`11db2be7 448809 mov byte ptr [rcx],r9b 14 | fffff800`11db2bea 48895138 mov qword ptr [rcx+38h],rdx 15 | fffff800`11db2bee 4c894148 mov qword ptr [rcx+48h],r8 16 | fffff800`11db2bf2 884101 mov byte ptr [rcx+1],al 17 | fffff800`11db2bf5 48894158 mov qword ptr [rcx+58h],rax 18 | fffff800`11db2bf9 894170 mov dword ptr [rcx+70h],eax 19 | fffff800`11db2bfc 48894140 mov qword ptr [rcx+40h],rax 20 | fffff800`11db2c00 48894150 mov qword ptr [rcx+50h],rax 21 | fffff800`11db2c04 48894160 mov qword ptr [rcx+60h],rax 22 | fffff800`11db2c08 488b05a1d52100 mov rax,qword ptr [nt!MmBadPointer (fffff800`11fd01b0)] 23 | fffff800`11db2c0f 48894168 mov qword ptr [rcx+68h],rax 24 | fffff800`11db2c13 c3 ret 25 | -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_1/KernelRoutines/PspAllocateThread.asm: -------------------------------------------------------------------------------- 1 | Overview of my solution to the exercises from the book 
Practical Reverse Engineering by Bruce Dang, Alexandre Gazet and Elias Bachaalany (ISBN: 1118787315). The book is my first contact with reverse engineering, so take my statements with a grain of salt. All code snippets are on GitHub. 2 | 3 | 4 | 5 | 6 | 7 | 9 | 11 | 13 | 14 |
Legend: solved | wild guess | published / partial solution | not solved yet
15 | 16 |
17 |

Chapter 1: x86 and x64

18 | [custom_table style="2"] 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | 93 | 94 | 95 | 96 | 97 | 98 | 99 | 100 | 101 | 102 | 103 | 104 | 105 | 106 | 107 | 108 | 109 | 110 | 111 | 112 | 113 | 114 | 115 | 116 | 117 | 118 |
PageExerciseLink to Solution
Page 11Exercise 1 May 9, 2014
Page 17Exercise 1 May 9, 2014
Exercise 2
Exercise 3
Exercise 4
Page 35/36Exercise 1 May 16, 2014
Exercise 2
Exercise 3
Exercise 4
Exercise 5June 15, 2014 and June 16, 2014
Exercise 6May 22, 2014
Exercise 7May 17, 2014
Exercise 8May 23, 2014
Exercise 9
Exercise 10(no solution)
Exercise 11
Exercise 12
Page 38Exercise 1
Exercise 2
119 | [/custom_table] 120 | 121 | 122 |

Chapter 2: ARM

123 | [custom_table style="2"] 124 | 125 | 126 | 127 | 128 | 129 | 130 | 131 | 132 | 133 | 134 | 135 | 136 | 137 | 138 | 139 | 140 | 141 | 142 | 143 | 144 | 145 | 146 | 147 | 148 | 149 | 150 | 151 | 152 | 153 | 154 | 155 | 156 | 157 | 158 | 159 | 160 | 161 | 162 | 163 | 164 | 165 | 166 | 167 | 168 | 169 | 170 | 171 | 172 | 173 | 174 | 175 | 176 | 177 | 178 | 179 | 180 | 181 | 182 | 183 | 184 | 185 |
PageExerciseLink to Solution
Page 78-86Mystery 1June 4, 2014
Mystery 2
Mystery 3
Mystery 4
Mystery 5June 5, 2014
Mystery 6
Mystery 7June 6, 2014
Mystery 8
Mystery 9
Mystery 10June 26, 2014
Mystery 11
186 | [/custom_table] 187 |

Chapter 3: The Windows Kernel

188 | (not started yet) 189 |

Chapter 4: Debugging and Automation

190 | (not started yet) 191 |

Chapter 5: Obfuscation

192 | (not started yet) 193 | -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_2/KernelRoutines/MiInsertInSystemSpace.asm: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_2/KernelRoutines/MiInsertInSystemSpace.asm -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_2/ListPictures/CcSetVacbInFreeList.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_2/ListPictures/CcSetVacbInFreeList.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_2/ListPictures/CmpDoSort.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_2/ListPictures/CmpDoSort.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_2/ListPictures/ExBurnMemory.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_2/ListPictures/ExBurnMemory.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_2/ListPictures/ExFreePoolWithTag.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_2/ListPictures/ExFreePoolWithTag.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_2/ListPictures/IoPageRead.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_2/ListPictures/IoPageRead.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_2/ListPictures/IovpCallDriver1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_2/ListPictures/IovpCallDriver1.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_2/ListPictures/KeInitThread.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_2/ListPictures/KeInitThread.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_2/ListPictures/KeInsertQueueDpc.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_2/ListPictures/KeInsertQueueDpc.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_2/ListPictures/KiInsertQueueApc.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_2/ListPictures/KiInsertQueueApc.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_2/ListPictures/KiQueueReadyThread.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_2/ListPictures/KiQueueReadyThread.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_2/ListPictures/MiInsertInSystemSpace.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_2/ListPictures/MiInsertInSystemSpace.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_2/ListPictures/MiUpdateWsle.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_2/ListPictures/MiUpdateWsle.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_2/ListPictures/ObpInsertCallbackByAltitude.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_2/ListPictures/ObpInsertCallbackByAltitude.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_3/KernelRoutines/AuthzBasepAddSecurityAttributeToLists.asm: 
--------------------------------------------------------------------------------
; nt!AuthzBasepAddSecurityAttributeToLists — WinDbg "uf" output, x64 (fastcall:
; rcx, rdx, r8, r9).  Reviewer annotations below are derived from the visible
; instructions only; field names are guesses and are marked as such.
;
; Summary: two optional InsertTailList operations on LIST_ENTRYs embedded in the
; entry at rdx.  Each is gated by a flag bit in [rdx+38h] (so an entry is never
; linked twice) and each carries the kernel's list-integrity check: before the
; list is written, Blink->Flink must still equal the list head, otherwise the
; routine executes `mov ecx,3 ; int 29h` (__fastfail; code 3 is
; FAST_FAIL_CORRUPT_LIST_ENTRY in the public winnt.h).  Note the check covers only
; the Blink side (cmp [Blink],Head); the Flink side of the head is not validated.
;
; Layout inferred from the accesses (reviewer guess, confirm with dt):
;   [rcx+0]    dword counter for list A    [rcx+8]    LIST_ENTRY head A
;   [rcx+18h]  dword counter for list B    [rcx+20h]  LIST_ENTRY head B
;   [rdx+0]    LIST_ENTRY linked into A    (flag bit 1 at [rdx+38h], gated by r8b)
;   [rdx+10h]  LIST_ENTRY linked into B    (flag bit 2 at [rdx+38h], gated by r9b)
0: kd> uf AuthzBasepAddSecurityAttributeToLists
nt!AuthzBasepAddSecurityAttributeToLists:
fffff803`d9d55ff8 458ad0          mov     r10b,r8b                 ; keep 3rd arg (bool) for the second insert
fffff803`d9d55ffb 4584c9          test    r9b,r9b                  ; 4th arg (bool): insert into list B?
fffff803`d9d55ffe 7434            je      nt!AuthzBasepAddSecurityAttributeToLists+0x3c (fffff803`d9d56034)

nt!AuthzBasepAddSecurityAttributeToLists+0x8:
fffff803`d9d56000 8b4238          mov     eax,dword ptr [rdx+38h]  ; entry flags
fffff803`d9d56003 a802            test    al,2                     ; already on list B -> skip
fffff803`d9d56005 752d            jne     nt!AuthzBasepAddSecurityAttributeToLists+0x3c (fffff803`d9d56034)

nt!AuthzBasepAddSecurityAttributeToLists+0xf:
fffff803`d9d56007 4c8d4120        lea     r8,[rcx+20h]             ; r8  = &HeadB
fffff803`d9d5600b 488d4210        lea     rax,[rdx+10h]            ; rax = &EntryB
fffff803`d9d5600f 4d8b4808        mov     r9,qword ptr [r8+8]      ; r9  = HeadB.Blink (current tail)
fffff803`d9d56013 4c8900          mov     qword ptr [rax],r8       ; EntryB.Flink = &HeadB
fffff803`d9d56016 4c894808        mov     qword ptr [rax+8],r9     ; EntryB.Blink = old tail
fffff803`d9d5601a 4d3901          cmp     qword ptr [r9],r8        ; integrity: old tail->Flink must be &HeadB
fffff803`d9d5601d 7407            je      nt!AuthzBasepAddSecurityAttributeToLists+0x2e (fffff803`d9d56026)

nt!AuthzBasepAddSecurityAttributeToLists+0x27:
fffff803`d9d5601f b903000000      mov     ecx,3                    ; FAST_FAIL_CORRUPT_LIST_ENTRY
fffff803`d9d56024 cd29            int     29h                      ; __fastfail: bugcheck, never returns

nt!AuthzBasepAddSecurityAttributeToLists+0x2e:
fffff803`d9d56026 498901          mov     qword ptr [r9],rax       ; old tail->Flink = &EntryB
fffff803`d9d56029 49894008        mov     qword ptr [r8+8],rax     ; HeadB.Blink     = &EntryB
fffff803`d9d5602d 834a3802        or      dword ptr [rdx+38h],2    ; mark entry as linked into B
fffff803`d9d56031 ff4118          inc     dword ptr [rcx+18h]      ; list B element count

nt!AuthzBasepAddSecurityAttributeToLists+0x3c:
fffff803`d9d56034 4584d2          test    r10b,r10b                ; 3rd arg (bool): insert into list A?
fffff803`d9d56037 742f            je      nt!AuthzBasepAddSecurityAttributeToLists+0x70 (fffff803`d9d56068)

nt!AuthzBasepAddSecurityAttributeToLists+0x41:
fffff803`d9d56039 8b4238          mov     eax,dword ptr [rdx+38h]
fffff803`d9d5603c a801            test    al,1                     ; already on list A -> skip
fffff803`d9d5603e 7528            jne     nt!AuthzBasepAddSecurityAttributeToLists+0x70 (fffff803`d9d56068)

nt!AuthzBasepAddSecurityAttributeToLists+0x48:
fffff803`d9d56040 488d4108        lea     rax,[rcx+8]              ; rax = &HeadA
fffff803`d9d56044 4c8b4008        mov     r8,qword ptr [rax+8]     ; r8  = HeadA.Blink (current tail)
fffff803`d9d56048 488902          mov     qword ptr [rdx],rax      ; EntryA.Flink = &HeadA  (EntryA is at rdx+0)
fffff803`d9d5604b 4c894208        mov     qword ptr [rdx+8],r8     ; EntryA.Blink = old tail
fffff803`d9d5604f 493900          cmp     qword ptr [r8],rax       ; integrity: old tail->Flink must be &HeadA
fffff803`d9d56052 7407            je      nt!AuthzBasepAddSecurityAttributeToLists+0x63 (fffff803`d9d5605b)

nt!AuthzBasepAddSecurityAttributeToLists+0x5c:
fffff803`d9d56054 b903000000      mov     ecx,3                    ; FAST_FAIL_CORRUPT_LIST_ENTRY
fffff803`d9d56059 cd29            int     29h

nt!AuthzBasepAddSecurityAttributeToLists+0x63:
fffff803`d9d5605b 498910          mov     qword ptr [r8],rdx       ; old tail->Flink = &EntryA
fffff803`d9d5605e 48895008        mov     qword ptr [rax+8],rdx    ; HeadA.Blink     = &EntryA
fffff803`d9d56062 834a3801        or      dword ptr [rdx+38h],1    ; mark entry as linked into A
fffff803`d9d56066 ff01            inc     dword ptr [rcx]          ; list A element count

nt!AuthzBasepAddSecurityAttributeToLists+0x70:
fffff803`d9d56068 c3              ret

--------------------------------------------------------------------------------
/chapter_3/page_123/exercise_3/KernelRoutines/MiInsertNewProcess.asm:
--------------------------------------------------------------------------------
; nt!MiInsertNewProcess — WinDbg "uf" output, x64.  rcx = new process object,
; rdx = optional second object (only its list head at +10h is used; NULL skips it).
;
; Summary: raises IRQL to 2 by writing cr8 (x64 TPR, which Windows uses as the
; IRQL; 2 is DISPATCH_LEVEL in the public headers), acquires a queued spinlock,
; InsertTailList's the LIST_ENTRY at [rcx+578h] into nt!MmProcessList and, if
; rdx != NULL, the LIST_ENTRY at [rcx+330h] into the list headed at [rdx+10h],
; then releases the lock and restores the saved IRQL from sil.  Both inserts use
; the same Blink->Flink == Head check as AuthzBasepAddSecurityAttributeToLists
; and fast-fail with code 3 (FAST_FAIL_CORRUPT_LIST_ENTRY) on mismatch.
;
; Lock: the queue entry is {Next at +0, Lock at +8} at gs:[28h]+10h; gs:[28h] is
; presumably KPCR.LockArray, making this lock-queue slot 1 (16-byte entries) —
; TODO confirm with `dt nt!_KPCR`.  Acquire = xchg our entry into *Lock and spin
; (KxWaitForLockOwnerShip) if a previous tail existed; release = cmpxchg *Lock
; from our entry back to 0, or hand off to the next waiter by toggling bit 0 of
; its Lock field.  The out-of-line FNODOBFM blocks are the ETW-instrumented
; acquire/release, taken when nt!PerfGlobalGroupMask+4 has bits 0x210000
; (acquire) / 0x10000 (release) set.
0: kd> uf MiInsertNewProcess
nt!MiInsertNewProcess:
fffff803`d996fe7c 48895c2408      mov     qword ptr [rsp+8],rbx    ; spill non-volatiles into the home area
fffff803`d996fe81 48896c2410      mov     qword ptr [rsp+10h],rbp
fffff803`d996fe86 4889742418      mov     qword ptr [rsp+18h],rsi
fffff803`d996fe8b 57              push    rdi
fffff803`d996fe8c 4883ec20        sub     rsp,20h                  ; rsp is now entry_rsp-28h
fffff803`d996fe90 488bda          mov     rbx,rdx                  ; rbx = optional second object
fffff803`d996fe93 488bf9          mov     rdi,rcx                  ; rdi = process object
fffff803`d996fe96 440f20c6        mov     rsi,cr8                  ; save current IRQL
fffff803`d996fe9a b802000000      mov     eax,2
fffff803`d996fe9f 440f22c0        mov     cr8,rax                  ; raise to IRQL 2
fffff803`d996fea3 65488b0c2528000000 mov     rcx,qword ptr gs:[28h]   ; per-processor lock-queue array (presumed)
fffff803`d996feac 4c8b4118        mov     r8,qword ptr [rcx+18h]   ; r8  = entry[1].Lock (pointer to the spinlock)
fffff803`d996feb0 33ed            xor     ebp,ebp                  ; rbp = 0, reused below as the "released" value
fffff803`d996feb2 4883c110        add     rcx,10h                  ; rcx = &entry[1]
fffff803`d996feb6 f705c4e1260000002100 test    dword ptr [nt!PerfGlobalGroupMask+0x4 (fffff803`d9bde084)],210000h
fffff803`d996fec0 0f854e4f0f00    jne     nt! ?? ::FNODOBFM::`string'+0x1b5cc (fffff803`d9a64e14) ; instrumented acquire

nt!MiInsertNewProcess+0x4a:
fffff803`d996fec6 488bd1          mov     rdx,rcx
fffff803`d996fec9 498710          xchg    rdx,qword ptr [r8]       ; atomically make our entry the queue tail
fffff803`d996fecc 4885d2          test    rdx,rdx                  ; previous tail? then we must wait
fffff803`d996fecf 0f85c0000000    jne     nt!MiInsertNewProcess+0x119 (fffff803`d996ff95)

nt!MiInsertNewProcess+0x59:
fffff803`d996fed5 488b0d7c331e00  mov     rcx,qword ptr [nt!MmProcessList+0x8 (fffff803`d9b53258)] ; rcx = MmProcessList.Blink
fffff803`d996fedc 488d8778050000  lea     rax,[rdi+578h]           ; rax = &process->ListEntry (+578h)
fffff803`d996fee3 488d1566331e00  lea     rdx,[nt!MmProcessList (fffff803`d9b53250)]           ; rdx = &MmProcessList
fffff803`d996feea 488910          mov     qword ptr [rax],rdx      ; Entry.Flink = Head
fffff803`d996feed 48894808        mov     qword ptr [rax+8],rcx    ; Entry.Blink = old tail
fffff803`d996fef1 483911          cmp     qword ptr [rcx],rdx      ; integrity: old tail->Flink == Head
fffff803`d996fef4 0f85284f0f00    jne     nt! ?? ::FNODOBFM::`string'+0x1b5da (fffff803`d9a64e22) ; -> fast-fail

nt!MiInsertNewProcess+0x7e:
fffff803`d996fefa 488901          mov     qword ptr [rcx],rax      ; old tail->Flink = Entry
fffff803`d996fefd 48890554331e00  mov     qword ptr [nt!MmProcessList+0x8 (fffff803`d9b53258)],rax ; Head.Blink = Entry
fffff803`d996ff04 4885db          test    rbx,rbx                  ; second object supplied?
fffff803`d996ff07 7426            je      nt!MiInsertNewProcess+0xb3 (fffff803`d996ff2f)

nt!MiInsertNewProcess+0x8d:
fffff803`d996ff09 488d4b10        lea     rcx,[rbx+10h]            ; rcx = &Head2 (inside the second object)
fffff803`d996ff0d 488d8730030000  lea     rax,[rdi+330h]           ; rax = &process->ListEntry2 (+330h)
fffff803`d996ff14 488b5108        mov     rdx,qword ptr [rcx+8]    ; rdx = Head2.Blink
fffff803`d996ff18 488908          mov     qword ptr [rax],rcx      ; Entry2.Flink = Head2
fffff803`d996ff1b 48895008        mov     qword ptr [rax+8],rdx    ; Entry2.Blink = old tail
fffff803`d996ff1f 48390a          cmp     qword ptr [rdx],rcx      ; integrity: old tail->Flink == Head2
fffff803`d996ff22 0f85014f0f00    jne     nt! ?? ::FNODOBFM::`string'+0x1b5e1 (fffff803`d9a64e29) ; -> fast-fail

nt!MiInsertNewProcess+0xac:
fffff803`d996ff28 488902          mov     qword ptr [rdx],rax      ; old tail->Flink = Entry2
fffff803`d996ff2b 48894108        mov     qword ptr [rcx+8],rax    ; Head2.Blink     = Entry2

nt!MiInsertNewProcess+0xb3:
fffff803`d996ff2f 65488b1c2528000000 mov     rbx,qword ptr gs:[28h]
fffff803`d996ff38 4883c310        add     rbx,10h                  ; rbx = &entry[1] again (same queue entry as acquire)
fffff803`d996ff3c f7053ee1260000000100 test    dword ptr [nt!PerfGlobalGroupMask+0x4 (fffff803`d9bde084)],10000h
fffff803`d996ff46 0f85e44e0f00    jne     nt! ?? ::FNODOBFM::`string'+0x1b5e8 (fffff803`d9a64e30) ; instrumented release

nt!MiInsertNewProcess+0xd0:
fffff803`d996ff4c 0f0d0b          prefetchw [rbx]
fffff803`d996ff4f 488b03          mov     rax,qword ptr [rbx]      ; rax = entry.Next (a queued waiter?)
fffff803`d996ff52 4885c0          test    rax,rax
fffff803`d996ff55 7533            jne     nt!MiInsertNewProcess+0x10e (fffff803`d996ff8a) ; waiter present -> hand off

nt!MiInsertNewProcess+0xdb:
fffff803`d996ff57 488b4b08        mov     rcx,qword ptr [rbx+8]    ; rcx = entry.Lock (pointer to the spinlock)
fffff803`d996ff5b 488bc3          mov     rax,rbx
fffff803`d996ff5e f0480fb129      lock cmpxchg qword ptr [rcx],rbp ; if *Lock == &entry: *Lock = 0 (no waiters)
fffff803`d996ff63 751d            jne     nt!MiInsertNewProcess+0x106 (fffff803`d996ff82) ; a waiter raced in -> wait for its link

nt!MiInsertNewProcess+0xe9:
fffff803`d996ff65 400fb6c6        movzx   eax,sil
fffff803`d996ff69 440f22c0        mov     cr8,rax                  ; restore the caller's IRQL
fffff803`d996ff6d 488b5c2430      mov     rbx,qword ptr [rsp+30h]  ; [rsp+30h] == entry_rsp+8, the spill slots from the prologue
fffff803`d996ff72 488b6c2438      mov     rbp,qword ptr [rsp+38h]
fffff803`d996ff77 488b742440      mov     rsi,qword ptr [rsp+40h]
fffff803`d996ff7c 4883c420        add     rsp,20h
fffff803`d996ff80 5f              pop     rdi
fffff803`d996ff81 c3              ret

nt!MiInsertNewProcess+0x106:
fffff803`d996ff82 488bcb          mov     rcx,rbx
fffff803`d996ff85 e8e645fdff      call    nt!KxWaitForLockChainValid (fffff803`d9944570) ; presumably returns the next waiter in rax — confirm

nt!MiInsertNewProcess+0x10e:
fffff803`d996ff8a f04883700801    lock xor qword ptr [rax+8],1     ; flip bit 0 of the waiter's Lock field = grant ownership
fffff803`d996ff90 48892b          mov     qword ptr [rbx],rbp      ; our entry.Next = 0
fffff803`d996ff93 ebd0            jmp     nt!MiInsertNewProcess+0xe9 (fffff803`d996ff65)

nt!MiInsertNewProcess+0x119:
fffff803`d996ff95 e846a2fbff      call    nt!KxWaitForLockOwnerShip (fffff803`d992a1e0) ; spin until the previous tail hands off
fffff803`d996ff9a e936ffffff      jmp     nt!MiInsertNewProcess+0x59 (fffff803`d996fed5)

nt! ?? ::FNODOBFM::`string'+0x1b5cc:
fffff803`d9a64e14 498bd0          mov     rdx,r8
fffff803`d9a64e17 e8d4c8f9ff      call    nt!KiAcquireQueuedSpinLockInstrumented (fffff803`d9a016f0)
fffff803`d9a64e1c 90              nop
fffff803`d9a64e1d e9b3b0f0ff      jmp     nt!MiInsertNewProcess+0x59 (fffff803`d996fed5)

nt! ?? ::FNODOBFM::`string'+0x1b5da:
fffff803`d9a64e22 b903000000      mov     ecx,3                    ; FAST_FAIL_CORRUPT_LIST_ENTRY (MmProcessList insert)
fffff803`d9a64e27 cd29            int     29h

nt! ?? ::FNODOBFM::`string'+0x1b5e1:
fffff803`d9a64e29 b903000000      mov     ecx,3                    ; FAST_FAIL_CORRUPT_LIST_ENTRY (second-list insert)
fffff803`d9a64e2e cd29            int     29h

nt! ?? ::FNODOBFM::`string'+0x1b5e8:
fffff803`d9a64e30 488b542428      mov     rdx,qword ptr [rsp+28h]  ; [rsp+28h] == entry_rsp+0 = the return address (prologue moved rsp by 28h)
fffff803`d9a64e35 488bcb          mov     rcx,rbx
fffff803`d9a64e38 e893c7f9ff      call    nt!KiReleaseQueuedSpinLockInstrumented (fffff803`d9a015d0)
fffff803`d9a64e3d 90              nop
fffff803`d9a64e3e e922b1f0ff      jmp     nt!MiInsertNewProcess+0xe9 (fffff803`d996ff65)

--------------------------------------------------------------------------------
/chapter_3/page_123/exercise_3/ListImages/AlpcpCreateClientPort.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_3/ListImages/AlpcpCreateClientPort.png
--------------------------------------------------------------------------------
/chapter_3/page_123/exercise_3/ListImages/AlpcpCreateSection.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_3/ListImages/AlpcpCreateSection.png
--------------------------------------------------------------------------------
/chapter_3/page_123/exercise_3/ListImages/AlpcpCreateView.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_3/ListImages/AlpcpCreateView.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_3/ListImages/AuthzBasepAddSecurityAttributeToLists.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_3/ListImages/AuthzBasepAddSecurityAttributeToLists.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_3/ListImages/AuthzBasepAddSecurityAttributeToLists_2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_3/ListImages/AuthzBasepAddSecurityAttributeToLists_2.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_3/ListImages/CcFlushCachePriv.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_3/ListImages/CcFlushCachePriv.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_3/ListImages/CcInitializeCacheManager.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_3/ListImages/CcInitializeCacheManager.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_3/ListImages/CcInitializeCacheManager_2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_3/ListImages/CcInitializeCacheManager_2.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_3/ListImages/CcInsertVacbArray.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_3/ListImages/CcInsertVacbArray.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_3/ListImages/CcInsertVacbArray_2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_3/ListImages/CcInsertVacbArray_2.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_3/ListImages/CcSetFileSizesEx.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_3/ListImages/CcSetFileSizesEx.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_3/ListImages/CcSetFileSizesEx_3.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_3/ListImages/CcSetFileSizesEx_3.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_3/ListImages/CcSetFileSizesEx_4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_3/ListImages/CcSetFileSizesEx_4.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_3/ListImages/CcSetFileSizesEx_5.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_3/ListImages/CcSetFileSizesEx_5.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_3/ListImages/CcSetFileSizesEx_6.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_3/ListImages/CcSetFileSizesEx_6.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_3/ListImages/CmRenameKey.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_3/ListImages/CmRenameKey.png -------------------------------------------------------------------------------- 
/chapter_3/page_123/exercise_3/ListImages/CmRenameKey_2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_3/ListImages/CmRenameKey_2.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_3/ListImages/CmRenameKey_3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_3/ListImages/CmRenameKey_3.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_3/ListImages/CmRenameKey_4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_3/ListImages/CmRenameKey_4.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_3/ListImages/ExAllocatePoolWithTag.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_3/ListImages/ExAllocatePoolWithTag.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_3/ListImages/ExAllocatePoolWithTag_2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_3/ListImages/ExAllocatePoolWithTag_2.png 
-------------------------------------------------------------------------------- /chapter_3/page_123/exercise_3/ListImages/ExFreePoolWithTag.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_3/ListImages/ExFreePoolWithTag.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_3/ListImages/ExQueueWorkItem.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_3/ListImages/ExQueueWorkItem.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_3/ListImages/ExRegisterCallback.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_3/ListImages/ExRegisterCallback.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_3/ListImages/ExpSetTimer.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_3/ListImages/ExpSetTimer.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_3/ListImages/IoSetIoCompletionEx2.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_3/ListImages/IoSetIoCompletionEx2.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_3/ListImages/IoSetIoCompletionEx2_2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_3/ListImages/IoSetIoCompletionEx2_2.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_3/ListImages/KeInsertQueueDpc.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_3/ListImages/KeInsertQueueDpc.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_3/ListImages/KeStartThread.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_3/ListImages/KeStartThread.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_3/ListImages/KeStartThread_2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_3/ListImages/KeStartThread_2.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_3/ListImages/KiAddThreadToScbQueue.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_3/ListImages/KiAddThreadToScbQueue.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_3/ListImages/KiInsertQueueApc.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_3/ListImages/KiInsertQueueApc.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_3/ListImages/KiQueueReadyThread.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_3/ListImages/KiQueueReadyThread.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_3/ListImages/MiInsertNewProcess.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_3/ListImages/MiInsertNewProcess.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_3/ListImages/PnpRequestDeviceAction.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_3/ListImages/PnpRequestDeviceAction.png -------------------------------------------------------------------------------- 
/chapter_3/page_123/exercise_3/ListImages/PspInsertProcess.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_3/ListImages/PspInsertProcess.png
--------------------------------------------------------------------------------
/chapter_3/page_123/exercise_3/ListImages/PspInsertThread.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_3/ListImages/PspInsertThread.png
--------------------------------------------------------------------------------
/chapter_3/page_123/exercise_4/KernelRoutines/IopInitializeBootDrivers.asm:
--------------------------------------------------------------------------------
; REVIEW NOTE: the bytes below are not code, so this listing cannot be used as a
; list-removal example for the exercise.  Evidence, all visible in the dump:
;   * WinDbg's own "Flow analysis was incomplete" warning, no prologue, no ret;
;   * the stream is dominated by `add byte ptr [rax],al` (00 00 byte pairs);
;   * the 9-byte `mov al,byte ptr [imm64]` lines carry 4-character ASCII runs in
;     their immediates: 4d6d5374 = "MmSt", 4f624e6d = "ObNm", 434d3136 = "CM16",
;     434d3331 = "CM31", 434d416c = "CMAl" — the shape of pool tags;
;   * read as raw bytes the region repeats 24-byte records of the form
;     {pointer 0xfffff8a0xxxxxxxx, 4-char tag, dword, qword 0x1000}, which looks
;     like an allocation-tracking table rather than instructions.
; Presumably the symbol points into the kernel's discardable INIT section, whose
; pages were freed and reused after boot — TODO confirm with `ln`, `!address` and
; `dps` on fffff803`d9f7e100 before drawing conclusions.  General lesson: a `uf`
; that yields rows of 00 00 and nonsensical addressing modes is data; re-check the
; symbol and section before annotating.
Flow analysis was incomplete, some code may be missing
nt!IopInitializeBootDrivers:
fffff803`d9f7e100 0010            add     byte ptr [rax],dl        ; qword 0x1000 (bytes 00 10 00 00 00 00 00 00)
fffff803`d9f7e102 0000            add     byte ptr [rax],al
fffff803`d9f7e104 0000            add     byte ptr [rax],al
fffff803`d9f7e106 0000            add     byte ptr [rax],al
fffff803`d9f7e108 01c0            add     eax,eax                  ; qword 0xfffff8a009b2c001 (pointer, low bit set)
fffff803`d9f7e10a b209            mov     dl,9
fffff803`d9f7e10c a0f8ffff4d6d537401 mov     al,byte ptr [0174536D4DFFFFF8h] ; immediate contains 4d 6d 53 74 = "MmSt"
fffff803`d9f7e115 0000            add     byte ptr [rax],al
fffff803`d9f7e117 800010          add     byte ptr [rax],10h       ; qword 0x1000 again
fffff803`d9f7e11a 0000            add     byte ptr [rax],al
fffff803`d9f7e11c 0000            add     byte ptr [rax],al
fffff803`d9f7e11e 0000            add     byte ptr [rax],al
fffff803`d9f7e120 0100            add     dword ptr [rax],eax
fffff803`d9f7e122 0000            add     byte ptr [rax],al
fffff803`d9f7e124 0000            add     byte ptr [rax],al
fffff803`d9f7e126 0000            add     byte ptr [rax],al
fffff803`d9f7e128 0000            add     byte ptr [rax],al
fffff803`d9f7e12a 0000            add     byte ptr [rax],al
fffff803`d9f7e12c 0000            add     byte ptr [rax],al
fffff803`d9f7e12e 0000            add     byte ptr [rax],al
fffff803`d9f7e130 0000            add     byte ptr [rax],al
fffff803`d9f7e132 0000            add     byte ptr [rax],al
fffff803`d9f7e134 0000            add     byte ptr [rax],al
fffff803`d9f7e136 0000            add     byte ptr [rax],al
fffff803`d9f7e138 0130            add     dword ptr [rax],esi
fffff803`d9f7e13a fb              sti
fffff803`d9f7e13b 19a0f8ffff43    sbb     dword ptr [rax+43FFFFF8h],esp
fffff803`d9f7e141 4d3136          xor     qword ptr [r14],r14      ; 43 4d 31 36 = "CM16"
fffff803`d9f7e144 0500000000      add     eax,0
fffff803`d9f7e149 1000            adc     byte ptr [rax],al
fffff803`d9f7e14b 0000            add     byte ptr [rax],al
fffff803`d9f7e14d 0000            add     byte ptr [rax],al
fffff803`d9f7e14f 0001            add     byte ptr [rcx],al
fffff803`d9f7e151 f0240e          lock and al,0Eh
fffff803`d9f7e154 a0f8ffff4f624e6d09 mov     al,byte ptr [096D4E624FFFFFF8h] ; 4f 62 4e 6d = "ObNm"
fffff803`d9f7e15d 0000            add     byte ptr [rax],al
fffff803`d9f7e15f 0020            add     byte ptr [rax],ah
fffff803`d9f7e161 2000            and     byte ptr [rax],al
fffff803`d9f7e163 0000            add     byte ptr [rax],al
fffff803`d9f7e165 0000            add     byte ptr [rax],al
fffff803`d9f7e167 0001            add     byte ptr [rcx],al
fffff803`d9f7e169 0000            add     byte ptr [rax],al
fffff803`d9f7e16b 0000            add     byte ptr [rax],al
fffff803`d9f7e16d 0000            add     byte ptr [rax],al
fffff803`d9f7e16f 0000            add     byte ptr [rax],al
fffff803`d9f7e171 0000            add     byte ptr [rax],al
fffff803`d9f7e173 0000            add     byte ptr [rax],al
fffff803`d9f7e175 0000            add     byte ptr [rax],al
fffff803`d9f7e177 0000            add     byte ptr [rax],al
fffff803`d9f7e179 0000            add     byte ptr [rax],al
fffff803`d9f7e17b 0000            add     byte ptr [rax],al
fffff803`d9f7e17d 0000            add     byte ptr [rax],al
fffff803`d9f7e17f 0000            add     byte ptr [rax],al
fffff803`d9f7e181 107106          adc     byte ptr [rcx+6],dh
fffff803`d9f7e184 a0f8ffff434d333105 mov     al,byte ptr [0531334D43FFFFF8h] ; 43 4d 33 31 = "CM31"
fffff803`d9f7e18d 0000            add     byte ptr [rax],al
fffff803`d9f7e18f 0000            add     byte ptr [rax],al
fffff803`d9f7e191 1000            adc     byte ptr [rax],al
fffff803`d9f7e193 0000            add     byte ptr [rax],al
fffff803`d9f7e195 0000            add     byte ptr [rax],al
fffff803`d9f7e197 0001            add     byte ptr [rcx],al
fffff803`d9f7e199 209712a0f8ff    and     byte ptr [rdi-75FEEh],dl
fffff803`d9f7e19f ff434d          inc     dword ptr [rbx+4Dh]      ; 43 4d 31 36 = "CM16"
fffff803`d9f7e1a2 3136            xor     dword ptr [rsi],esi
fffff803`d9f7e1a4 0500000000      add     eax,0
fffff803`d9f7e1a9 1000            adc     byte ptr [rax],al
fffff803`d9f7e1ab 0000            add     byte ptr [rax],al
fffff803`d9f7e1ad 0000            add     byte ptr [rax],al
fffff803`d9f7e1af 0001            add     byte ptr [rcx],al
fffff803`d9f7e1b1 008915a0f8ff    add     byte ptr [rcx-75FEBh],cl
fffff803`d9f7e1b7 ff434d          inc     dword ptr [rbx+4Dh]      ; 43 4d 33 31 = "CM31"
fffff803`d9f7e1ba 3331            xor     esi,dword ptr [rcx]
fffff803`d9f7e1bc 0500000000      add     eax,0
fffff803`d9f7e1c1 1000            adc     byte ptr [rax],al
fffff803`d9f7e1c3 0000            add     byte ptr [rax],al
fffff803`d9f7e1c5 0000            add     byte ptr [rax],al
fffff803`d9f7e1c7 0001            add     byte ptr [rcx],al
fffff803`d9f7e1c9 40e30a          jrcxz   nt!IopInitializeBootDrivers+0xd6 (fffff803`d9f7e1d6) ; the only "branch" — an accident of the byte pattern

nt!IopInitializeBootDrivers+0xcc:
fffff803`d9f7e1cc a0f8ffff434d416c01 mov     al,byte ptr [016C414D43FFFFF8h] ; 43 4d 41 6c = "CMAl"
fffff803`d9f7e1d5 0000            add     byte ptr [rax],al

nt!IopInitializeBootDrivers+0xd6:
fffff803`d9f7e1d6 0000            add     byte ptr [rax],al

nt!IopInitializeBootDrivers+0xd7:
fffff803`d9f7e1d7 0000            add     byte ptr [rax],al
fffff803`d9f7e1d9 1000            adc     byte ptr [rax],al
fffff803`d9f7e1db 0000            add     byte ptr [rax],al
fffff803`d9f7e1dd 0000            add     byte ptr [rax],al
fffff803`d9f7e1df 0001            add     byte ptr [rcx],al
fffff803`d9f7e1e1 0000            add     byte ptr [rax],al
fffff803`d9f7e1e3 0000            add     byte ptr [rax],al
fffff803`d9f7e1e5 0000            add     byte ptr [rax],al
fffff803`d9f7e1e7 0000            add     byte ptr [rax],al
fffff803`d9f7e1e9 0000            add     byte ptr [rax],al
fffff803`d9f7e1eb 0000            add     byte ptr [rax],al
fffff803`d9f7e1ed 0000            add     byte ptr [rax],al
fffff803`d9f7e1ef 0000            add     byte ptr [rax],al
fffff803`d9f7e1f1 0000            add     byte ptr [rax],al
fffff803`d9f7e1f3 0000            add     byte ptr [rax],al
fffff803`d9f7e1f5 0000            add     byte ptr [rax],al
fffff803`d9f7e1f7 0001            add     byte ptr [rcx],al
fffff803`d9f7e1f9 b0ca            mov     al,0CAh
fffff803`d9f7e1fb 18a0f8ffff43    sbb     byte ptr [rax+43FFFFF8h],ah ; dump stops mid-record; no ret was ever reached

--------------------------------------------------------------------------------
/chapter_3/page_123/exercise_4/KernelRoutines/KiProcessDisconnectList.asm:
--------------------------------------------------------------------------------
; nt!KiProcessDisconnectList(rcx = LIST_ENTRY head) — WinDbg "uf" output, x64.
;
; Summary: drains the list from the head.  Loop: if Head.Flink == Head the list is
; empty and the routine returns; otherwise the first entry is validated in BOTH
; directions (Entry.Blink == Head and Entry.Flink->Blink == Entry), unlinked
; (RemoveHeadList), and then the pointer stored at [Entry+98h] is followed: if the
; qword it points to is non-zero, KiSignalWaitDisconnectLock(that qword, 0) is
; called.  Any link mismatch lands on `mov ecx,3 ; int 29h` (__fastfail,
; FAST_FAIL_CORRUPT_LIST_ENTRY) — this two-sided check is what turns a corrupted
; Flink/Blink pair into a bugcheck instead of the classic unlink write primitive.
; The entry is already off the list when the callee runs.
nt!KiProcessDisconnectList:
fffff803`d9a05618 fff3            push    rbx
fffff803`d9a0561a 4883ec20        sub     rsp,20h                  ; shadow space for the call below
fffff803`d9a0561e 488bd9          mov     rbx,rcx                  ; rbx = Head

nt!KiProcessDisconnectList+0x9:
fffff803`d9a05621 488b03          mov     rax,qword ptr [rbx]      ; rax = Head.Flink (first entry)
fffff803`d9a05624 483bc3          cmp     rax,rbx                  ; empty?
fffff803`d9a05627 7435            je      nt!KiProcessDisconnectList+0x46 (fffff803`d9a0565e)

nt!KiProcessDisconnectList+0x11:
fffff803`d9a05629 488b08          mov     rcx,qword ptr [rax]      ; rcx = Entry.Flink (next)
fffff803`d9a0562c 48395808        cmp     qword ptr [rax+8],rbx    ; Entry.Blink must be Head
fffff803`d9a05630 7525            jne     nt!KiProcessDisconnectList+0x3f (fffff803`d9a05657)

nt!KiProcessDisconnectList+0x1a:
fffff803`d9a05632 48394108        cmp     qword ptr [rcx+8],rax    ; Next.Blink must be Entry
fffff803`d9a05636 751f            jne     nt!KiProcessDisconnectList+0x3f (fffff803`d9a05657)

nt!KiProcessDisconnectList+0x20:
fffff803`d9a05638 48890b          mov     qword ptr [rbx],rcx      ; Head.Flink = Next
fffff803`d9a0563b 48895908        mov     qword ptr [rcx+8],rbx    ; Next.Blink = Head   (entry is now unlinked)
fffff803`d9a0563f 488b8098000000  mov     rax,qword ptr [rax+98h]  ; rax = *(Entry+98h), a pointer (object unknown)
fffff803`d9a05646 488b08          mov     rcx,qword ptr [rax]      ; rcx = first qword of that object
fffff803`d9a05649 4885c9          test    rcx,rcx
fffff803`d9a0564c 74d3            je      nt!KiProcessDisconnectList+0x9 (fffff803`d9a05621) ; nothing to signal -> next entry

nt!KiProcessDisconnectList+0x36:
fffff803`d9a0564e 33d2            xor     edx,edx                  ; 2nd arg = 0
fffff803`d9a05650 e85bf8ffff      call    nt!KiSignalWaitDisconnectLock (fffff803`d9a04eb0)
fffff803`d9a05655 ebca            jmp     nt!KiProcessDisconnectList+0x9 (fffff803`d9a05621)

nt!KiProcessDisconnectList+0x3f:
fffff803`d9a05657 b903000000      mov     ecx,3                    ; FAST_FAIL_CORRUPT_LIST_ENTRY
fffff803`d9a0565c cd29            int     29h

nt!KiProcessDisconnectList+0x46:
fffff803`d9a0565e 4883c420        add     rsp,20h
fffff803`d9a05662 5b              pop     rbx
fffff803`d9a05663 c3              ret

--------------------------------------------------------------------------------
/chapter_3/page_123/exercise_4/KernelRoutines/RtlpFreeAllAtom.asm:
--------------------------------------------------------------------------------
; nt!RtlpFreeAllAtom(rcx = object whose name starts at +2Ah, rdx = second object,
; presumably the atom table) — WinDbg "uf" output, x64.  Argument roles are
; inferred from how the registers are forwarded; confirm against the callee.
;
; Summary: calls RtlpHashStringToAtom(rdx, rcx+2Ah, 0, &slot18, 0, &slot20, &slot8)
; where slotNN is the caller-frame slot at r11+NN.  slot8 is rcx's own home slot,
; reused as an output — so the original rcx is gone after the call.  On a
; non-negative status and a non-NULL result in slot8 (rdi), the first qword of that
; result is optionally copied to *slot18, then the list headed at [rdi+10h] is
; drained head-first with the same two-sided check as KiProcessDisconnectList
; (Entry.Blink == Head and Next.Blink == Entry, else `int 29h` with ecx=3,
; FAST_FAIL_CORRUPT_LIST_ENTRY), calling RtlpFreeAtom(entry) for each.  When the
; list is empty, RtlpFreeHandleForAtom(rsi, rdi) and RtlpFreeAtom(rdi) release the
; owner itself.  Frame: after the three pushes and `sub rsp,40h`, rsp = r11-58h,
; so [rsp+60h] == r11+8 and [rsp+70h] == r11+18h.
nt!RtlpFreeAllAtom:
fffff803`d98be780 4c8bdc          mov     r11,rsp                  ; r11 = entry rsp (frame base)
fffff803`d98be783 49894b08        mov     qword ptr [r11+8],rcx    ; home rcx; this slot doubles as an out-param below
fffff803`d98be787 53              push    rbx
fffff803`d98be788 56              push    rsi
fffff803`d98be789 57              push    rdi
fffff803`d98be78a 4883ec40        sub     rsp,40h
fffff803`d98be78e 498d4308        lea     rax,[r11+8]              ; &slot8
fffff803`d98be792 488bf2          mov     rsi,rdx                  ; rsi = second arg (kept across calls)
fffff803`d98be795 488d512a        lea     rdx,[rcx+2Ah]            ; 2nd param = rcx+2Ah (still the original rcx here)
fffff803`d98be799 498943d8        mov     qword ptr [r11-28h],rax  ; 7th stack param = &slot8
fffff803`d98be79d 498d4320        lea     rax,[r11+20h]            ; &slot20
fffff803`d98be7a1 4d8d4b18        lea     r9,[r11+18h]             ; 4th param = &slot18
fffff803`d98be7a5 498943d0        mov     qword ptr [r11-30h],rax  ; 6th stack param = &slot20
fffff803`d98be7a9 498363c800      and     qword ptr [r11-38h],0    ; 5th stack param = 0
fffff803`d98be7ae 4533c0          xor     r8d,r8d                  ; 3rd param = 0
fffff803`d98be7b1 488bce          mov     rcx,rsi                  ; 1st param = second arg of this routine
fffff803`d98be7b4 e8c7d54000      call    nt!RtlpHashStringToAtom (fffff803`d9ccbd80)
fffff803`d98be7b9 85c0            test    eax,eax                  ; NTSTATUS-style: negative = failure
fffff803`d98be7bb 7836            js      nt!RtlpFreeAllAtom+0x73 (fffff803`d98be7f3)

nt!RtlpFreeAllAtom+0x3d:
fffff803`d98be7bd 488b7c2460      mov     rdi,qword ptr [rsp+60h]  ; rdi = slot8 = the entry found (NULL if none)
fffff803`d98be7c2 4885ff          test    rdi,rdi
fffff803`d98be7c5 742c            je      nt!RtlpFreeAllAtom+0x73 (fffff803`d98be7f3)

nt!RtlpFreeAllAtom+0x47:
fffff803`d98be7c7 488b4c2470      mov     rcx,qword ptr [rsp+70h]  ; rcx = slot18 (pointer written by the callee, may be NULL)
fffff803`d98be7cc 4885c9          test    rcx,rcx
fffff803`d98be7cf 7406            je      nt!RtlpFreeAllAtom+0x57 (fffff803`d98be7d7)

nt!RtlpFreeAllAtom+0x51:
fffff803`d98be7d1 488b07          mov     rax,qword ptr [rdi]
fffff803`d98be7d4 488901          mov     qword ptr [rcx],rax      ; *slot18 = first qword of the found entry

nt!RtlpFreeAllAtom+0x57:
fffff803`d98be7d7 488d5f10        lea     rbx,[rdi+10h]            ; rbx = Head (LIST_ENTRY inside the found entry)

nt!RtlpFreeAllAtom+0x5b:
fffff803`d98be7db 48391b          cmp     qword ptr [rbx],rbx      ; Head.Flink == Head -> list empty
fffff803`d98be7de 751b            jne     nt!RtlpFreeAllAtom+0x7b (fffff803`d98be7fb)

nt!RtlpFreeAllAtom+0x60:
fffff803`d98be7e0 488bd7          mov     rdx,rdi
fffff803`d98be7e3 488bce          mov     rcx,rsi
fffff803`d98be7e6 e88d3d3c00      call    nt!RtlpFreeHandleForAtom (fffff803`d9c82578) ; (second arg, owner)
fffff803`d98be7eb 488bcf          mov     rcx,rdi
fffff803`d98be7ee e8313d3c00      call    nt!RtlpFreeAtom (fffff803`d9c82524)          ; free the owner last

nt!RtlpFreeAllAtom+0x73:
fffff803`d98be7f3 4883c440        add     rsp,40h
fffff803`d98be7f7 5f              pop     rdi
fffff803`d98be7f8 5e              pop     rsi
fffff803`d98be7f9 5b              pop     rbx
fffff803`d98be7fa c3              ret

nt!RtlpFreeAllAtom+0x7b:
fffff803`d98be7fb 488b0b          mov     rcx,qword ptr [rbx]      ; rcx = Entry (Head.Flink)
fffff803`d98be7fe 488b01          mov     rax,qword ptr [rcx]      ; rax = Next  (Entry.Flink)
fffff803`d98be801 48395908        cmp     qword ptr [rcx+8],rbx    ; Entry.Blink must be Head
fffff803`d98be805 7514            jne     nt!RtlpFreeAllAtom+0x9b (fffff803`d98be81b)

nt!RtlpFreeAllAtom+0x87:
fffff803`d98be807 48394808        cmp     qword ptr [rax+8],rcx    ; Next.Blink must be Entry
fffff803`d98be80b 750e            jne     nt!RtlpFreeAllAtom+0x9b (fffff803`d98be81b)

nt!RtlpFreeAllAtom+0x8d:
fffff803`d98be80d 488903          mov     qword ptr [rbx],rax      ; Head.Flink = Next
fffff803`d98be810 48895808        mov     qword ptr [rax+8],rbx    ; Next.Blink = Head
fffff803`d98be814 e80b3d3c00      call    nt!RtlpFreeAtom (fffff803`d9c82524) ; rcx still = the unlinked Entry
fffff803`d98be819 ebc0            jmp     nt!RtlpFreeAllAtom+0x5b (fffff803`d98be7db)

nt!RtlpFreeAllAtom+0x9b:
fffff803`d98be81b b903000000      mov     ecx,3                    ; FAST_FAIL_CORRUPT_LIST_ENTRY
fffff803`d98be820 cd29            int     29h
; The four lines below are unreachable from this routine (int 29h does not return);
; they are presumably padding plus the start of the next function — ignore.
fffff803`d98be822 90              nop
fffff803`d98be823 90              nop
fffff803`d98be824 488b81d0020000  mov     rax,qword ptr [rcx+2D0h]
fffff803`d98be82b c3              ret

--------------------------------------------------------------------------------
/chapter_3/page_123/exercise_4/ListImages/CcDeleteMbcb.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_4/ListImages/CcDeleteMbcb.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_4/ListImages/CcGetVacbMiss.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_4/ListImages/CcGetVacbMiss.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_4/ListImages/CmpLazyCommitWorker.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_4/ListImages/CmpLazyCommitWorker.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_4/ListImages/ExAllocatePoolWithTag.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_4/ListImages/ExAllocatePoolWithTag.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_4/ListImages/FsRtlNotifyCompleteIrpList.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_4/ListImages/FsRtlNotifyCompleteIrpList.png 
-------------------------------------------------------------------------------- /chapter_3/page_123/exercise_4/ListImages/KiProcessDisconnectList.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_4/ListImages/KiProcessDisconnectList.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_4/ListImages/PnpDeviceQueueGetCompletedRequest.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_4/ListImages/PnpDeviceQueueGetCompletedRequest.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_4/ListImages/RtlDestroyAtomTable.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_4/ListImages/RtlDestroyAtomTable.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_4/ListImages/RtlEmptyAtomTable.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_4/ListImages/RtlEmptyAtomTable.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_4/ListImages/RtlpFreeAllAtom.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_4/ListImages/RtlpFreeAllAtom.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_5/KernelRoutines/BootApplicationPersistentDataProcess.asm: -------------------------------------------------------------------------------- 1 | Flow analysis was incomplete, some code may be missing 2 | nt!BootApplicationPersistentDataProcess: 3 | fffff803`d9f72f1c 0000 add byte ptr [rax],al 4 | fffff803`d9f72f1e 0000 add byte ptr [rax],al 5 | fffff803`d9f72f20 0000 add byte ptr [rax],al 6 | fffff803`d9f72f22 0000 add byte ptr [rax],al 7 | fffff803`d9f72f24 0000 add byte ptr [rax],al 8 | fffff803`d9f72f26 0000 add byte ptr [rax],al 9 | fffff803`d9f72f28 0000 add byte ptr [rax],al 10 | fffff803`d9f72f2a 0000 add byte ptr [rax],al 11 | fffff803`d9f72f2c 0000 add byte ptr [rax],al 12 | fffff803`d9f72f2e 0000 add byte ptr [rax],al 13 | fffff803`d9f72f30 0100 add dword ptr [rax],eax 14 | fffff803`d9f72f32 0000 add byte ptr [rax],al 15 | fffff803`d9f72f34 0000 add byte ptr [rax],al 16 | fffff803`d9f72f36 0000 add byte ptr [rax],al 17 | fffff803`d9f72f38 0000 add byte ptr [rax],al 18 | fffff803`d9f72f3a 0000 add byte ptr [rax],al 19 | fffff803`d9f72f3c 0000 add byte ptr [rax],al 20 | fffff803`d9f72f3e 0000 add byte ptr [rax],al 21 | fffff803`d9f72f40 0000 add byte ptr [rax],al 22 | fffff803`d9f72f42 0000 add byte ptr [rax],al 23 | fffff803`d9f72f44 0000 add byte ptr [rax],al 24 | fffff803`d9f72f46 0000 add byte ptr [rax],al 25 | fffff803`d9f72f48 01d0 add eax,edx 26 | fffff803`d9f72f4a b116 mov cl,16h 27 | fffff803`d9f72f4c a0f8ffff434d313605 mov al,byte ptr [0536314D43FFFFF8h] 28 | fffff803`d9f72f55 0000 add byte ptr [rax],al 29 | fffff803`d9f72f57 0000 add byte ptr [rax],al 30 | fffff803`d9f72f59 1000 adc byte ptr [rax],al 31 | fffff803`d9f72f5b 0000 add byte ptr [rax],al 32 | 
fffff803`d9f72f5d 0000 add byte ptr [rax],al 33 | fffff803`d9f72f5f 0001 add byte ptr [rcx],al 34 | fffff803`d9f72f61 50 push rax 35 | fffff803`d9f72f62 5e pop rsi 36 | -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_5/KernelRoutines/ObpCallPostOperationCallbacks.asm: -------------------------------------------------------------------------------- 1 | nt!ObpCallPostOperationCallbacks: 2 | fffff803`d9dfd62c 48895c2408 mov qword ptr [rsp+8],rbx 3 | fffff803`d9dfd631 48896c2418 mov qword ptr [rsp+18h],rbp 4 | fffff803`d9dfd636 4889742420 mov qword ptr [rsp+20h],rsi 5 | fffff803`d9dfd63b 57 push rdi 6 | fffff803`d9dfd63c 4883ec20 sub rsp,20h 7 | fffff803`d9dfd640 488bfa mov rdi,rdx 8 | fffff803`d9dfd643 488be9 mov rbp,rcx 9 | 10 | nt!ObpCallPostOperationCallbacks+0x1a: 11 | fffff803`d9dfd646 48393f cmp qword ptr [rdi],rdi 12 | fffff803`d9dfd649 7464 je nt!ObpCallPostOperationCallbacks+0x83 (fffff803`d9dfd6af) 13 | 14 | nt!ObpCallPostOperationCallbacks+0x1f: 15 | fffff803`d9dfd64b 488b7708 mov rsi,qword ptr [rdi+8] 16 | fffff803`d9dfd64f 488b4608 mov rax,qword ptr [rsi+8] 17 | fffff803`d9dfd653 48393e cmp qword ptr [rsi],rdi 18 | fffff803`d9dfd656 7550 jne nt!ObpCallPostOperationCallbacks+0x7c (fffff803`d9dfd6a8) 19 | 20 | nt!ObpCallPostOperationCallbacks+0x2c: 21 | fffff803`d9dfd658 483930 cmp qword ptr [rax],rsi 22 | fffff803`d9dfd65b 754b jne nt!ObpCallPostOperationCallbacks+0x7c (fffff803`d9dfd6a8) 23 | 24 | nt!ObpCallPostOperationCallbacks+0x31: 25 | fffff803`d9dfd65d 48894708 mov qword ptr [rdi+8],rax 26 | fffff803`d9dfd661 488938 mov qword ptr [rax],rdi 27 | fffff803`d9dfd664 488b5e10 mov rbx,qword ptr [rsi+10h] 28 | fffff803`d9dfd668 488b4618 mov rax,qword ptr [rsi+18h] 29 | fffff803`d9dfd66c 488bd5 mov rdx,rbp 30 | fffff803`d9dfd66f 48894518 mov qword ptr [rbp+18h],rax 31 | fffff803`d9dfd673 488b4b18 mov rcx,qword ptr [rbx+18h] 32 | fffff803`d9dfd677 488b4908 mov rcx,qword ptr [rcx+8] 33 | 
fffff803`d9dfd67b ff5330 call qword ptr [rbx+30h] 34 | fffff803`d9dfd67e 488d4b38 lea rcx,[rbx+38h] 35 | fffff803`d9dfd682 0f0d09 prefetchw [rcx] 36 | fffff803`d9dfd685 488b01 mov rax,qword ptr [rcx] 37 | fffff803`d9dfd688 4883e0fe and rax,0FFFFFFFFFFFFFFFEh 38 | fffff803`d9dfd68c 488d50fe lea rdx,[rax-2] 39 | fffff803`d9dfd690 f0480fb111 lock cmpxchg qword ptr [rcx],rdx 40 | fffff803`d9dfd695 7405 je nt!ObpCallPostOperationCallbacks+0x70 (fffff803`d9dfd69c) 41 | 42 | nt!ObpCallPostOperationCallbacks+0x6b: 43 | fffff803`d9dfd697 e8d4dcb2ff call nt!ExfReleaseRundownProtection (fffff803`d992b370) 44 | 45 | nt!ObpCallPostOperationCallbacks+0x70: 46 | fffff803`d9dfd69c 33d2 xor edx,edx 47 | fffff803`d9dfd69e 488bce mov rcx,rsi 48 | fffff803`d9dfd6a1 e8ba9acfff call nt!ExFreePoolWithTag (fffff803`d9af7160) 49 | fffff803`d9dfd6a6 eb9e jmp nt!ObpCallPostOperationCallbacks+0x1a (fffff803`d9dfd646) 50 | 51 | nt!ObpCallPostOperationCallbacks+0x7c: 52 | fffff803`d9dfd6a8 b903000000 mov ecx,3 53 | fffff803`d9dfd6ad cd29 int 29h 54 | 55 | nt!ObpCallPostOperationCallbacks+0x83: 56 | fffff803`d9dfd6af 488b4d08 mov rcx,qword ptr [rbp+8] 57 | fffff803`d9dfd6b3 ba4f624362 mov edx,6243624Fh 58 | fffff803`d9dfd6b8 e8a337b1ff call nt!ObfDereferenceObjectWithTag (fffff803`d9910e60) 59 | fffff803`d9dfd6bd 654c8b1c2588010000 mov r11,qword ptr gs:[188h] 60 | fffff803`d9dfd6c6 410fbf83e4010000 movsx eax,word ptr [r11+1E4h] 61 | fffff803`d9dfd6ce ffc0 inc eax 62 | fffff803`d9dfd6d0 66418983e4010000 mov word ptr [r11+1E4h],ax 63 | fffff803`d9dfd6d8 6685c0 test ax,ax 64 | fffff803`d9dfd6db 751c jne nt!ObpCallPostOperationCallbacks+0xcd (fffff803`d9dfd6f9) 65 | 66 | nt!ObpCallPostOperationCallbacks+0xb1: 67 | fffff803`d9dfd6dd 498d8398000000 lea rax,[r11+98h] 68 | fffff803`d9dfd6e4 483900 cmp qword ptr [rax],rax 69 | fffff803`d9dfd6e7 7410 je nt!ObpCallPostOperationCallbacks+0xcd (fffff803`d9dfd6f9) 70 | 71 | nt!ObpCallPostOperationCallbacks+0xbd: 72 | fffff803`d9dfd6e9 664183bbe601000000 cmp 
word ptr [r11+1E6h],0 73 | fffff803`d9dfd6f2 7505 jne nt!ObpCallPostOperationCallbacks+0xcd (fffff803`d9dfd6f9) 74 | 75 | nt!ObpCallPostOperationCallbacks+0xc8: 76 | fffff803`d9dfd6f4 e80701b8ff call nt!KiCheckForKernelApcDelivery (fffff803`d997d800) 77 | 78 | nt!ObpCallPostOperationCallbacks+0xcd: 79 | fffff803`d9dfd6f9 488b5c2430 mov rbx,qword ptr [rsp+30h] 80 | fffff803`d9dfd6fe 488b6c2440 mov rbp,qword ptr [rsp+40h] 81 | fffff803`d9dfd703 488b742448 mov rsi,qword ptr [rsp+48h] 82 | fffff803`d9dfd708 33c0 xor eax,eax 83 | fffff803`d9dfd70a 4883c420 add rsp,20h 84 | fffff803`d9dfd70e 5f pop rdi 85 | fffff803`d9dfd70f c3 ret 86 | -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_5/ListImages/CmpCallCallBacks.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_5/ListImages/CmpCallCallBacks.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_5/ListImages/CmpDelayCloseWorker.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_5/ListImages/CmpDelayCloseWorker.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_5/ListImages/ObpCallPostOperationCallbacks.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_5/ListImages/ObpCallPostOperationCallbacks.png -------------------------------------------------------------------------------- 
/chapter_3/page_123/exercise_5/ListImages/RaspAddCacheEntry.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_5/ListImages/RaspAddCacheEntry.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_6/KernelRoutines/AlpcpUnregisterCompletionListDatabase.asm: -------------------------------------------------------------------------------- 1 | nt!AlpcpUnregisterCompletionListDatabase: 2 | fffff803`21ffb81c fff3 push rbx 3 | fffff803`21ffb81e 4883ec20 sub rsp,20h 4 | fffff803`21ffb822 f0480fba2dd43bf4ff00 lock bts qword ptr [nt!AlpcpCompletionListDatabase (fffff803`21f3f400)],0 5 | fffff803`21ffb82c 488bd9 mov rbx,rcx 6 | fffff803`21ffb82f 723a jb nt!AlpcpUnregisterCompletionListDatabase+0x4f (fffff803`21ffb86b) 7 | 8 | nt!AlpcpUnregisterCompletionListDatabase+0x15: 9 | fffff803`21ffb831 488b13 mov rdx,qword ptr [rbx] 10 | fffff803`21ffb834 488b4308 mov rax,qword ptr [rbx+8] 11 | fffff803`21ffb838 48395a08 cmp qword ptr [rdx+8],rbx 12 | fffff803`21ffb83c 753b jne nt!AlpcpUnregisterCompletionListDatabase+0x5d (fffff803`21ffb879) 13 | 14 | nt!AlpcpUnregisterCompletionListDatabase+0x22: 15 | fffff803`21ffb83e 483918 cmp qword ptr [rax],rbx 16 | fffff803`21ffb841 7536 jne nt!AlpcpUnregisterCompletionListDatabase+0x5d (fffff803`21ffb879) 17 | 18 | nt!AlpcpUnregisterCompletionListDatabase+0x27: 19 | fffff803`21ffb843 488910 mov qword ptr [rax],rdx 20 | fffff803`21ffb846 48894208 mov qword ptr [rdx+8],rax 21 | fffff803`21ffb84a ff0db83bf4ff dec dword ptr [nt!AlpcpCompletionListDatabase+0x8 (fffff803`21f3f408)] 22 | fffff803`21ffb850 4883c8ff or rax,0FFFFFFFFFFFFFFFFh 23 | fffff803`21ffb854 f0480fc105a33bf4ff lock xadd qword ptr [nt!AlpcpCompletionListDatabase (fffff803`21f3f400)],rax 24 | fffff803`21ffb85d a802 test al,2 25 | fffff803`21ffb85f 
0f8517d32600 jne nt! ?? ::NNGAKEGL::`string'+0x3303a (fffff803`22268b7c) 26 | 27 | nt!AlpcpUnregisterCompletionListDatabase+0x49: 28 | fffff803`21ffb865 4883c420 add rsp,20h 29 | fffff803`21ffb869 5b pop rbx 30 | fffff803`21ffb86a c3 ret 31 | 32 | nt!AlpcpUnregisterCompletionListDatabase+0x4f: 33 | fffff803`21ffb86b 488d0d8e3bf4ff lea rcx,[nt!AlpcpCompletionListDatabase (fffff803`21f3f400)] 34 | fffff803`21ffb872 e8895bd5ff call nt!ExfAcquirePushLockExclusive (fffff803`21d51400) 35 | fffff803`21ffb877 ebb8 jmp nt!AlpcpUnregisterCompletionListDatabase+0x15 (fffff803`21ffb831) 36 | 37 | nt!AlpcpUnregisterCompletionListDatabase+0x5d: 38 | fffff803`21ffb879 b903000000 mov ecx,3 39 | fffff803`21ffb87e cd29 int 29h 40 | fffff803`21ffb880 e963f91700 jmp nt!ExQueryBootEntropyInformation (fffff803`2217b1e8) 41 | 42 | nt!ExQueryBootEntropyInformation: 43 | fffff803`2217b1e8 48894c2408 mov qword ptr [rsp+8],rcx 44 | fffff803`2217b1ed 4883ec28 sub rsp,28h 45 | fffff803`2217b1f1 4c8d442430 lea r8,[rsp+30h] 46 | fffff803`2217b1f6 488d15872afeff lea rdx,[nt!ExpInitBootEntropyInformation (fffff803`2215dc84)] 47 | fffff803`2217b1fd 488d0da4ca1700 lea rcx,[nt!ExpBootEntropyInit (fffff803`222f7ca8)] 48 | fffff803`2217b204 4533c9 xor r9d,r9d 49 | fffff803`2217b207 e8d0b30000 call nt!RtlRunOnceExecuteOnce (fffff803`221865dc) 50 | fffff803`2217b20c 85c0 test eax,eax 51 | fffff803`2217b20e 780e js nt!ExQueryBootEntropyInformation+0x36 (fffff803`2217b21e) 52 | 53 | nt!ExQueryBootEntropyInformation+0x28: 54 | fffff803`2217b210 48837c2430ff cmp qword ptr [rsp+30h],0FFFFFFFFFFFFFFFFh 55 | fffff803`2217b216 b9010000c0 mov ecx,0C0000001h 56 | fffff803`2217b21b 0f45c1 cmovne eax,ecx 57 | 58 | nt!ExQueryBootEntropyInformation+0x36: 59 | fffff803`2217b21e 4883c428 add rsp,28h 60 | fffff803`2217b222 c3 ret 61 | 62 | nt! ?? 
::NNGAKEGL::`string'+0x3303a: 63 | fffff803`22268b7c a804 test al,4 64 | fffff803`22268b7e 0f85e12cd9ff jne nt!AlpcpUnregisterCompletionListDatabase+0x49 (fffff803`21ffb865) 65 | 66 | nt! ?? ::NNGAKEGL::`string'+0x33042: 67 | fffff803`22268b84 488d0d7568cdff lea rcx,[nt!AlpcpCompletionListDatabase (fffff803`21f3f400)] 68 | fffff803`22268b8b e884c4aeff call nt!ExfTryToWakePushLock (fffff803`21d55014) 69 | fffff803`22268b90 90 nop 70 | fffff803`22268b91 e9cf2cd9ff jmp nt!AlpcpUnregisterCompletionListDatabase+0x49 (fffff803`21ffb865) 71 | -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_6/KernelRoutines/ExDeleteTimer.asm: -------------------------------------------------------------------------------- 1 | Couldn't resolve error at 'nt!ExDeleteTimer' 2 | -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_6/KernelRoutines/IoDelteDevice.asm: -------------------------------------------------------------------------------- 1 | Couldn't resolve error at 'nt!IoDelteDevice' 2 | -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_6/KernelRoutines/KeDeregisterBugCheckCallback.asm: -------------------------------------------------------------------------------- 1 | nt!KeDeregisterBugCheckCallback: 2 | fffff803`21dee3b8 48895c2408 mov qword ptr [rsp+8],rbx 3 | fffff803`21dee3bd 4889742410 mov qword ptr [rsp+10h],rsi 4 | fffff803`21dee3c2 57 push rdi 5 | fffff803`21dee3c3 4883ec20 sub rsp,20h 6 | fffff803`21dee3c7 488bd9 mov rbx,rcx 7 | fffff803`21dee3ca 440f20c6 mov rsi,cr8 8 | fffff803`21dee3ce b80f000000 mov eax,0Fh 9 | fffff803`21dee3d3 440f22c0 mov cr8,rax 10 | fffff803`21dee3d7 f705a3bc1d0000002100 test dword ptr [nt!PerfGlobalGroupMask+0x4 (fffff803`21fca084)],210000h 11 | fffff803`21dee3e1 740e je nt!KeDeregisterBugCheckCallback+0x39 (fffff803`21dee3f1) 12 | 13 | 
nt!KeDeregisterBugCheckCallback+0x2b: 14 | fffff803`21dee3e3 488d0d6e791500 lea rcx,[nt!KeBugCheckCallbackLock (fffff803`21f45d58)] 15 | fffff803`21dee3ea e8d1e0ffff call nt!KiAcquireSpinLockInstrumented (fffff803`21dec4c0) 16 | fffff803`21dee3ef eb18 jmp nt!KeDeregisterBugCheckCallback+0x51 (fffff803`21dee409) 17 | 18 | nt!KeDeregisterBugCheckCallback+0x39: 19 | fffff803`21dee3f1 f0480fba2d5d79150000 lock bts qword ptr [nt!KeBugCheckCallbackLock (fffff803`21f45d58)],0 20 | fffff803`21dee3fb 730c jae nt!KeDeregisterBugCheckCallback+0x51 (fffff803`21dee409) 21 | 22 | nt!KeDeregisterBugCheckCallback+0x45: 23 | fffff803`21dee3fd 488d0d54791500 lea rcx,[nt!KeBugCheckCallbackLock (fffff803`21f45d58)] 24 | fffff803`21dee404 e8b7eeebff call nt!KxWaitForSpinLockAndAcquire (fffff803`21cad2c0) 25 | 26 | nt!KeDeregisterBugCheckCallback+0x51: 27 | fffff803`21dee409 4032ff xor dil,dil 28 | fffff803`21dee40c 807b3801 cmp byte ptr [rbx+38h],1 29 | fffff803`21dee410 7520 jne nt!KeDeregisterBugCheckCallback+0x7a (fffff803`21dee432) 30 | 31 | nt!KeDeregisterBugCheckCallback+0x5a: 32 | fffff803`21dee412 488b0b mov rcx,qword ptr [rbx] 33 | fffff803`21dee415 488b4308 mov rax,qword ptr [rbx+8] 34 | fffff803`21dee419 40887b38 mov byte ptr [rbx+38h],dil 35 | fffff803`21dee41d 48395908 cmp qword ptr [rcx+8],rbx 36 | fffff803`21dee421 752e jne nt!KeDeregisterBugCheckCallback+0x99 (fffff803`21dee451) 37 | 38 | nt!KeDeregisterBugCheckCallback+0x6b: 39 | fffff803`21dee423 483918 cmp qword ptr [rax],rbx 40 | fffff803`21dee426 7529 jne nt!KeDeregisterBugCheckCallback+0x99 (fffff803`21dee451) 41 | 42 | nt!KeDeregisterBugCheckCallback+0x70: 43 | fffff803`21dee428 488908 mov qword ptr [rax],rcx 44 | fffff803`21dee42b 40b701 mov dil,1 45 | fffff803`21dee42e 48894108 mov qword ptr [rcx+8],rax 46 | 47 | nt!KeDeregisterBugCheckCallback+0x7a: 48 | fffff803`21dee432 f70548bc1d0000000100 test dword ptr [nt!PerfGlobalGroupMask+0x4 (fffff803`21fca084)],10000h 49 | fffff803`21dee43c 741a je 
nt!KeDeregisterBugCheckCallback+0xa0 (fffff803`21dee458) 50 | 51 | nt!KeDeregisterBugCheckCallback+0x86: 52 | fffff803`21dee43e 488b542428 mov rdx,qword ptr [rsp+28h] 53 | fffff803`21dee443 488d0d0e791500 lea rcx,[nt!KeBugCheckCallbackLock (fffff803`21f45d58)] 54 | fffff803`21dee44a e84de0ffff call nt!KiReleaseSpinLockInstrumented (fffff803`21dec49c) 55 | fffff803`21dee44f eb10 jmp nt!KeDeregisterBugCheckCallback+0xa9 (fffff803`21dee461) 56 | 57 | nt!KeDeregisterBugCheckCallback+0x99: 58 | fffff803`21dee451 b903000000 mov ecx,3 59 | fffff803`21dee456 cd29 int 29h 60 | 61 | nt!KeDeregisterBugCheckCallback+0xa0: 62 | fffff803`21dee458 f0488325f778150000 lock and qword ptr [nt!KeBugCheckCallbackLock (fffff803`21f45d58)],0 63 | 64 | nt!KeDeregisterBugCheckCallback+0xa9: 65 | fffff803`21dee461 400fb6ce movzx ecx,sil 66 | fffff803`21dee465 440f22c1 mov cr8,rcx 67 | fffff803`21dee469 488b5c2430 mov rbx,qword ptr [rsp+30h] 68 | fffff803`21dee46e 488b742438 mov rsi,qword ptr [rsp+38h] 69 | fffff803`21dee473 408ac7 mov al,dil 70 | fffff803`21dee476 4883c420 add rsp,20h 71 | fffff803`21dee47a 5f pop rdi 72 | fffff803`21dee47b c3 ret 73 | -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_6/KernelRoutines/KeDeregisterObjectNotification.asm: -------------------------------------------------------------------------------- 1 | nt!KeDeregisterObjectNotification: 2 | fffff803`21d78b10 48895c2408 mov qword ptr [rsp+8],rbx 3 | fffff803`21d78b15 48896c2410 mov qword ptr [rsp+10h],rbp 4 | fffff803`21d78b1a 4889742418 mov qword ptr [rsp+18h],rsi 5 | fffff803`21d78b1f 57 push rdi 6 | fffff803`21d78b20 4156 push r14 7 | fffff803`21d78b22 4157 push r15 8 | fffff803`21d78b24 4883ec20 sub rsp,20h 9 | fffff803`21d78b28 488bfa mov rdi,rdx 10 | fffff803`21d78b2b 488bd9 mov rbx,rcx 11 | fffff803`21d78b2e 33ed xor ebp,ebp 12 | fffff803`21d78b30 450f20c6 mov r14,cr8 13 | fffff803`21d78b34 448d7d02 lea r15d,[rbp+2] 14 | fffff803`21d78b38 
450f22c7 mov cr8,r15 15 | fffff803`21d78b3c f00fba2907 lock bts dword ptr [rcx],7 16 | fffff803`21d78b41 8bf5 mov esi,ebp 17 | fffff803`21d78b43 0f821b130d00 jb nt! ?? ::FNODOBFM::`string'+0x1107c (fffff803`21e49e64) 18 | 19 | nt!KeDeregisterObjectNotification+0x39: 20 | fffff803`21d78b49 8a4711 mov al,byte ptr [rdi+11h] 21 | fffff803`21d78b4c 413ac7 cmp al,r15b 22 | fffff803`21d78b4f 7520 jne nt!KeDeregisterObjectNotification+0x61 (fffff803`21d78b71) 23 | 24 | nt!KeDeregisterObjectNotification+0x41: 25 | fffff803`21d78b51 488b0f mov rcx,qword ptr [rdi] 26 | fffff803`21d78b54 488b4708 mov rax,qword ptr [rdi+8] 27 | fffff803`21d78b58 48397908 cmp qword ptr [rcx+8],rdi 28 | fffff803`21d78b5c 753e jne nt!KeDeregisterObjectNotification+0x8c (fffff803`21d78b9c) 29 | 30 | nt!KeDeregisterObjectNotification+0x4e: 31 | fffff803`21d78b5e 483938 cmp qword ptr [rax],rdi 32 | fffff803`21d78b61 7539 jne nt!KeDeregisterObjectNotification+0x8c (fffff803`21d78b9c) 33 | 34 | nt!KeDeregisterObjectNotification+0x53: 35 | fffff803`21d78b63 488908 mov qword ptr [rax],rcx 36 | fffff803`21d78b66 48894108 mov qword ptr [rcx+8],rax 37 | fffff803`21d78b6a 40b501 mov bpl,1 38 | fffff803`21d78b6d c6471103 mov byte ptr [rdi+11h],3 39 | 40 | nt!KeDeregisterObjectNotification+0x61: 41 | fffff803`21d78b71 f081237fffffff lock and dword ptr [rbx],0FFFFFF7Fh 42 | fffff803`21d78b78 410fb6ce movzx ecx,r14b 43 | fffff803`21d78b7c 440f22c1 mov cr8,rcx 44 | fffff803`21d78b80 488b5c2440 mov rbx,qword ptr [rsp+40h] 45 | fffff803`21d78b85 488b742450 mov rsi,qword ptr [rsp+50h] 46 | fffff803`21d78b8a 408ac5 mov al,bpl 47 | fffff803`21d78b8d 488b6c2448 mov rbp,qword ptr [rsp+48h] 48 | fffff803`21d78b92 4883c420 add rsp,20h 49 | fffff803`21d78b96 415f pop r15 50 | fffff803`21d78b98 415e pop r14 51 | fffff803`21d78b9a 5f pop rdi 52 | fffff803`21d78b9b c3 ret 53 | 54 | nt!KeDeregisterObjectNotification+0x8c: 55 | fffff803`21d78b9c b903000000 mov ecx,3 56 | fffff803`21d78ba1 cd29 int 29h 57 | 58 | 
nt!KeDeregisterObjectNotification+0x93: 59 | fffff803`21d78ba3 f390 pause 60 | fffff803`21d78ba5 e9dd120d00 jmp nt! ?? ::FNODOBFM::`string'+0x1109f (fffff803`21e49e87) 61 | 62 | nt! ?? ::FNODOBFM::`string'+0x1107c: 63 | fffff803`21e49e64 ffc6 inc esi 64 | fffff803`21e49e66 8535e0051800 test dword ptr [nt!HvlLongSpinCountMask (fffff803`21fca44c)],esi 65 | fffff803`21e49e6c 0f8531edf2ff jne nt!KeDeregisterObjectNotification+0x93 (fffff803`21d78ba3) 66 | 67 | nt! ?? ::FNODOBFM::`string'+0x1108a: 68 | fffff803`21e49e72 8b05f8011800 mov eax,dword ptr [nt!HvlEnlightenments (fffff803`21fca070)] 69 | fffff803`21e49e78 a840 test al,40h 70 | fffff803`21e49e7a 0f8423edf2ff je nt!KeDeregisterObjectNotification+0x93 (fffff803`21d78ba3) 71 | 72 | nt! ?? ::FNODOBFM::`string'+0x11098: 73 | fffff803`21e49e80 8bce mov ecx,esi 74 | fffff803`21e49e82 e83d15f9ff call nt!HvlNotifyLongSpinWait (fffff803`21ddb3c4) 75 | 76 | nt! ?? ::FNODOBFM::`string'+0x1109f: 77 | fffff803`21e49e87 8b03 mov eax,dword ptr [rbx] 78 | fffff803`21e49e89 84c0 test al,al 79 | fffff803`21e49e8b 78d7 js nt! ?? ::FNODOBFM::`string'+0x1107c (fffff803`21e49e64) 80 | 81 | nt! ?? ::FNODOBFM::`string'+0x110a5: 82 | fffff803`21e49e8d f00fba2b07 lock bts dword ptr [rbx],7 83 | fffff803`21e49e92 72d0 jb nt! ?? ::FNODOBFM::`string'+0x1107c (fffff803`21e49e64) 84 | 85 | nt! ?? 
::FNODOBFM::`string'+0x110ac: 86 | fffff803`21e49e94 e9b0ecf2ff jmp nt!KeDeregisterObjectNotification+0x39 (fffff803`21d78b49) 87 | -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_6/ListImages/AlpcSectionDeleteProcedure.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_6/ListImages/AlpcSectionDeleteProcedure.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_6/ListImages/AlpcpDeletePort.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_6/ListImages/AlpcpDeletePort.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_6/ListImages/AlpcpDeletePort_2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_6/ListImages/AlpcpDeletePort_2.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_6/ListImages/AlpcpDeletePort_3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_6/ListImages/AlpcpDeletePort_3.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_6/ListImages/AlpcpUnregisterCompletionListDatabase.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_6/ListImages/AlpcpUnregisterCompletionListDatabase.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_6/ListImages/AuthzBasepRemoveSecurityAttributeFromLists.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_6/ListImages/AuthzBasepRemoveSecurityAttributeFromLists.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_6/ListImages/CcDeleteBcbs.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_6/ListImages/CcDeleteBcbs.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_6/ListImages/CcFindNextWorkQueueEntry.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_6/ListImages/CcFindNextWorkQueueEntry.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_6/ListImages/CcLazyWriteScan.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_6/ListImages/CcLazyWriteScan.png 
-------------------------------------------------------------------------------- /chapter_3/page_123/exercise_6/ListImages/CcSetFileSizesEx.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_6/ListImages/CcSetFileSizesEx.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_6/ListImages/CcSetFileSizesEx_2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_6/ListImages/CcSetFileSizesEx_2.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_6/ListImages/CcSetFileSizesEx_3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_6/ListImages/CcSetFileSizesEx_3.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_6/ListImages/CcSetFileSizesEx_4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_6/ListImages/CcSetFileSizesEx_4.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_6/ListImages/CcSetFileSizesEx_5.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_6/ListImages/CcSetFileSizesEx_5.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_6/ListImages/CcSetFileSizesEx_6.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_6/ListImages/CcSetFileSizesEx_6.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_6/ListImages/CcSetFileSizesEx_7.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_6/ListImages/CcSetFileSizesEx_7.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_6/ListImages/CcSetFileSizesEx_8.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_6/ListImages/CcSetFileSizesEx_8.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_6/ListImages/CmShutdownSystem.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_6/ListImages/CmShutdownSystem.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_6/ListImages/CmUnRegisterCallback.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_6/ListImages/CmUnRegisterCallback.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_6/ListImages/CmUnRegisterCallback_2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_6/ListImages/CmUnRegisterCallback_2.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_6/ListImages/CmUnRegisterCallback_3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_6/ListImages/CmUnRegisterCallback_3.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_6/ListImages/CmpCallCallBacks.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_6/ListImages/CmpCallCallBacks.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_6/ListImages/CmpPostApc.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_6/ListImages/CmpPostApc.png -------------------------------------------------------------------------------- 
/chapter_3/page_123/exercise_6/ListImages/CmpPostApc_2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_6/ListImages/CmpPostApc_2.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_6/ListImages/CmpPostApc_3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_6/ListImages/CmpPostApc_3.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_6/ListImages/ExFreePoolWithTag.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_6/ListImages/ExFreePoolWithTag.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_6/ListImages/ExFreePoolWithTag_2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_6/ListImages/ExFreePoolWithTag_2.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_6/ListImages/ExFreePoolWithTag_3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_6/ListImages/ExFreePoolWithTag_3.png -------------------------------------------------------------------------------- 
/chapter_3/page_123/exercise_6/ListImages/ExQueueWorkItem.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_6/ListImages/ExQueueWorkItem.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_6/ListImages/ExQueueWorkItem_2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_6/ListImages/ExQueueWorkItem_2.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_6/ListImages/ExTimerRundown.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_6/ListImages/ExTimerRundown.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_6/ListImages/ExpDeleteTimer.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_6/ListImages/ExpDeleteTimer.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_6/ListImages/ExpDeleteTimer_2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_6/ListImages/ExpDeleteTimer_2.png -------------------------------------------------------------------------------- 
/chapter_3/page_123/exercise_6/ListImages/ExpSetTimer.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_6/ListImages/ExpSetTimer.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_6/ListImages/IoDeleteDevice.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_6/ListImages/IoDeleteDevice.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_6/ListImages/IoUnregisterFsRegistrationChange.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_6/ListImages/IoUnregisterFsRegistrationChange.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_6/ListImages/IoUnregisterFsRegistrationChange_2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_6/ListImages/IoUnregisterFsRegistrationChange_2.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_6/ListImages/IopfCompleteRequest.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_6/ListImages/IopfCompleteRequest.png 
-------------------------------------------------------------------------------- /chapter_3/page_123/exercise_6/ListImages/IopfCompleteRequest_2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_6/ListImages/IopfCompleteRequest_2.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_6/ListImages/IopfCompleteRequest_3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_6/ListImages/IopfCompleteRequest_3.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_6/ListImages/IopfCompleteRequest_4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_6/ListImages/IopfCompleteRequest_4.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_6/ListImages/IopfCompleteRequest_5.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_6/ListImages/IopfCompleteRequest_5.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_6/ListImages/IopfCompleteRequest_6.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_6/ListImages/IopfCompleteRequest_6.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_6/ListImages/IopfCompleteRequest_7.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_6/ListImages/IopfCompleteRequest_7.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_6/ListImages/KeDeregisterBugCheckCallback.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_6/ListImages/KeDeregisterBugCheckCallback.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_6/ListImages/KeDeregisterObjectNotification.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_6/ListImages/KeDeregisterObjectNotification.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_6/ListImages/KeRegisterObjectNotification.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_6/ListImages/KeRegisterObjectNotification.png -------------------------------------------------------------------------------- 
/chapter_3/page_123/exercise_6/ListImages/KeRegisterObjectNotification_2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_6/ListImages/KeRegisterObjectNotification_2.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_6/ListImages/KeRemoveQueueApc.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_6/ListImages/KeRemoveQueueApc.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_6/ListImages/KeRemoveQueueApc_2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_6/ListImages/KeRemoveQueueApc_2.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_6/ListImages/KeRemoveQueueDpc.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_6/ListImages/KeRemoveQueueDpc.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_6/ListImages/KeTerminateThread.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_6/ListImages/KeTerminateThread.png 
-------------------------------------------------------------------------------- /chapter_3/page_123/exercise_6/ListImages/KeTerminateThread_2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_6/ListImages/KeTerminateThread_2.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_6/ListImages/KiCancelTimer.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_6/ListImages/KiCancelTimer.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_6/ListImages/KiDeliverApc.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_6/ListImages/KiDeliverApc.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_6/ListImages/KiDeliverApc_2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_6/ListImages/KiDeliverApc_2.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_6/ListImages/KiDeliverApc_3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_6/ListImages/KiDeliverApc_3.png 
-------------------------------------------------------------------------------- /chapter_3/page_123/exercise_6/ListImages/KiExecuteAllDpcs.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_6/ListImages/KiExecuteAllDpcs.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_6/ListImages/KiExpireTimerTable.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_6/ListImages/KiExpireTimerTable.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_6/ListImages/KiFindReadyThread.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_6/ListImages/KiFindReadyThread.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_6/ListImages/KiFlushQueueApc.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_6/ListImages/KiFlushQueueApc.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_6/ListImages/KiInsertTimerTable.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_6/ListImages/KiInsertTimerTable.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_6/ListImages/KiInsertTimerTable_2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_6/ListImages/KiInsertTimerTable_2.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_6/ListImages/KiInsertTimerTable_3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_6/ListImages/KiInsertTimerTable_3.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_6/ListImages/KiProcessExpiredTimerList.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_6/ListImages/KiProcessExpiredTimerList.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_6/ListImages/KiProcessExpiredTimerList_2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_6/ListImages/KiProcessExpiredTimerList_2.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_6/ListImages/NtNotifyChangeMultipleKeys.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_6/ListImages/NtNotifyChangeMultipleKeys.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_6/ListImages/NtNotifyChangeMultipleKeys_2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_6/ListImages/NtNotifyChangeMultipleKeys_2.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_6/ListImages/NtNotifyChangeMultipleKeys_3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_6/ListImages/NtNotifyChangeMultipleKeys_3.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_6/ListImages/NtNotifyChangeMultipleKeys_4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_6/ListImages/NtNotifyChangeMultipleKeys_4.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_6/ListImages/NtNotifyChangeMultipleKeys_5.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_6/ListImages/NtNotifyChangeMultipleKeys_5.png 
-------------------------------------------------------------------------------- /chapter_3/page_123/exercise_6/ListImages/NtNotifyChangeMultipleKeys_6.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_6/ListImages/NtNotifyChangeMultipleKeys_6.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_6/ListImages/NtNotifyChangeMultipleKeys_7.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_6/ListImages/NtNotifyChangeMultipleKeys_7.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_6/ListImages/NtNotifyChangeMultipleKeys_8.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_6/ListImages/NtNotifyChangeMultipleKeys_8.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_6/ListImages/ObRegisterCallbacks.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_6/ListImages/ObRegisterCallbacks.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_6/ListImages/ObUnRegisterCallbacks.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_6/ListImages/ObUnRegisterCallbacks.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_6/ListImages/ObUnRegisterCallbacks_2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_6/ListImages/ObUnRegisterCallbacks_2.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_6/ListImages/ObUnRegisterCallbacks_3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_6/ListImages/ObUnRegisterCallbacks_3.png -------------------------------------------------------------------------------- /chapter_3/page_123/exercise_6/ListImages/ObUnRegisterCallbacks_4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/baderj/practical-reverse-engineering/661d8d754a9b57c4eb565dfdfba101d247f7db74/chapter_3/page_123/exercise_6/ListImages/ObUnRegisterCallbacks_4.png --------------------------------------------------------------------------------