├── .gitignore ├── Headers └── definitions.h ├── README.md └── XC3 ├── DriverEntry.asm ├── DriverEntry_original.c ├── DriverEntry_reversed.c ├── fn_CreateProcessNotifyRoutine.asm ├── fn_CreateProcessNotifyRoutineExImp.asm ├── fn_CreateProcessNotifyRoutineExImp_original.c ├── fn_CreateProcessNotifyRoutineExImp_reversed.c ├── fn_CreateProcessNotifyRoutine_original.c ├── fn_CreateProcessNotifyRoutine_reversed.c ├── fn_DispatchIOCTLMethod.asm ├── fn_DispatchIOCTLMethod_original.c ├── fn_DispatchIOCTLMethod_reversed.c ├── fn_DriverIOCTLDispatcher.asm ├── fn_DriverIOCTLDispatcher_original.c ├── fn_DriverIOCTLDispatcher_reversed.c ├── fn_InitDispatchMethodArray.asm ├── fn_InitDispatchMethodArray_original.c ├── fn_InitDispatchMethodArray_reversed.c ├── fn_InitRegistrationNotifyAndCallbackRoutines.asm ├── fn_InitRegistrationNotifyAndCallbackRoutines_original.c ├── fn_InitRegistrationNotifyAndCallbackRoutines_reversed.c ├── fn_ObtainKernelFunctions.asm ├── fn_ObtainKernelFunctions_original.c ├── fn_ObtainKernelFunctions_reversed.c ├── j_fn_ConfigWindowsVersion.asm └── j_fn_ConfigWindowsVersion_orignal.c /.gitignore: -------------------------------------------------------------------------------- 1 | ## Ignore Visual Studio temporary files, build results, and 2 | ## files generated by popular Visual Studio add-ons. 
3 | 4 | # User-specific files 5 | *.suo 6 | *.user 7 | *.userosscache 8 | *.sln.docstates 9 | 10 | # User-specific files (MonoDevelop/Xamarin Studio) 11 | *.userprefs 12 | 13 | # Build results 14 | [Dd]ebug/ 15 | [Dd]ebugPublic/ 16 | [Rr]elease/ 17 | [Rr]eleases/ 18 | x64/ 19 | x86/ 20 | bld/ 21 | [Bb]in/ 22 | [Oo]bj/ 23 | [Ll]og/ 24 | 25 | # Visual Studio 2015 cache/options directory 26 | .vs/ 27 | # Uncomment if you have tasks that create the project's static files in wwwroot 28 | #wwwroot/ 29 | 30 | # MSTest test Results 31 | [Tt]est[Rr]esult*/ 32 | [Bb]uild[Ll]og.* 33 | 34 | # NUNIT 35 | *.VisualState.xml 36 | TestResult.xml 37 | 38 | # Build Results of an ATL Project 39 | [Dd]ebugPS/ 40 | [Rr]eleasePS/ 41 | dlldata.c 42 | 43 | # DNX 44 | project.lock.json 45 | project.fragment.lock.json 46 | artifacts/ 47 | 48 | *_i.c 49 | *_p.c 50 | *_i.h 51 | *.ilk 52 | *.meta 53 | *.obj 54 | *.pch 55 | *.pdb 56 | *.pgc 57 | *.pgd 58 | *.rsp 59 | *.sbr 60 | *.tlb 61 | *.tli 62 | *.tlh 63 | *.tmp 64 | *.tmp_proj 65 | *.log 66 | *.vspscc 67 | *.vssscc 68 | .builds 69 | *.pidb 70 | *.svclog 71 | *.scc 72 | 73 | # Chutzpah Test files 74 | _Chutzpah* 75 | 76 | # Visual C++ cache files 77 | ipch/ 78 | *.aps 79 | *.ncb 80 | *.opendb 81 | *.opensdf 82 | *.sdf 83 | *.cachefile 84 | *.VC.db 85 | *.VC.VC.opendb 86 | 87 | # Visual Studio profiler 88 | *.psess 89 | *.vsp 90 | *.vspx 91 | *.sap 92 | 93 | # TFS 2012 Local Workspace 94 | $tf/ 95 | 96 | # Guidance Automation Toolkit 97 | *.gpState 98 | 99 | # ReSharper is a .NET coding add-in 100 | _ReSharper*/ 101 | *.[Rr]e[Ss]harper 102 | *.DotSettings.user 103 | 104 | # JustCode is a .NET coding add-in 105 | .JustCode 106 | 107 | # TeamCity is a build add-in 108 | _TeamCity* 109 | 110 | # DotCover is a Code Coverage Tool 111 | *.dotCover 112 | 113 | # NCrunch 114 | _NCrunch_* 115 | .*crunch*.local.xml 116 | nCrunchTemp_* 117 | 118 | # MightyMoose 119 | *.mm.* 120 | AutoTest.Net/ 121 | 122 | # Web workbench (sass) 123 | .sass-cache/ 124 | 
125 | # Installshield output folder 126 | [Ee]xpress/ 127 | 128 | # DocProject is a documentation generator add-in 129 | DocProject/buildhelp/ 130 | DocProject/Help/*.HxT 131 | DocProject/Help/*.HxC 132 | DocProject/Help/*.hhc 133 | DocProject/Help/*.hhk 134 | DocProject/Help/*.hhp 135 | DocProject/Help/Html2 136 | DocProject/Help/html 137 | 138 | # Click-Once directory 139 | publish/ 140 | 141 | # Publish Web Output 142 | *.[Pp]ublish.xml 143 | *.azurePubxml 144 | # TODO: Comment the next line if you want to checkin your web deploy settings 145 | # but database connection strings (with potential passwords) will be unencrypted 146 | #*.pubxml 147 | *.publishproj 148 | 149 | # Microsoft Azure Web App publish settings. Comment the next line if you want to 150 | # checkin your Azure Web App publish settings, but sensitive information contained 151 | # in these scripts will be unencrypted 152 | PublishScripts/ 153 | 154 | # NuGet Packages 155 | *.nupkg 156 | # The packages folder can be ignored because of Package Restore 157 | **/packages/* 158 | # except build/, which is used as an MSBuild target. 
159 | !**/packages/build/ 160 | # Uncomment if necessary however generally it will be regenerated when needed 161 | #!**/packages/repositories.config 162 | # NuGet v3's project.json files produces more ignoreable files 163 | *.nuget.props 164 | *.nuget.targets 165 | 166 | # Microsoft Azure Build Output 167 | csx/ 168 | *.build.csdef 169 | 170 | # Microsoft Azure Emulator 171 | ecf/ 172 | rcf/ 173 | 174 | # Windows Store app package directories and files 175 | AppPackages/ 176 | BundleArtifacts/ 177 | Package.StoreAssociation.xml 178 | _pkginfo.txt 179 | 180 | # Visual Studio cache files 181 | # files ending in .cache can be ignored 182 | *.[Cc]ache 183 | # but keep track of directories ending in .cache 184 | !*.[Cc]ache/ 185 | 186 | # Others 187 | ClientBin/ 188 | ~$* 189 | *~ 190 | *.dbmdl 191 | *.dbproj.schemaview 192 | *.jfm 193 | *.pfx 194 | *.publishsettings 195 | node_modules/ 196 | orleans.codegen.cs 197 | 198 | # Since there are multiple workflows, uncomment next line to ignore bower_components 199 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622) 200 | #bower_components/ 201 | 202 | # RIA/Silverlight projects 203 | Generated_Code/ 204 | 205 | # Backup & report files from converting an old project file 206 | # to a newer Visual Studio version. 
Backup files are not needed, 207 | # because we have git ;-) 208 | _UpgradeReport_Files/ 209 | Backup*/ 210 | UpgradeLog*.XML 211 | UpgradeLog*.htm 212 | 213 | # SQL Server files 214 | *.mdf 215 | *.ldf 216 | 217 | # Business Intelligence projects 218 | *.rdl.data 219 | *.bim.layout 220 | *.bim_*.settings 221 | 222 | # Microsoft Fakes 223 | FakesAssemblies/ 224 | 225 | # GhostDoc plugin setting file 226 | *.GhostDoc.xml 227 | 228 | # Node.js Tools for Visual Studio 229 | .ntvs_analysis.dat 230 | 231 | # Visual Studio 6 build log 232 | *.plg 233 | 234 | # Visual Studio 6 workspace options file 235 | *.opt 236 | 237 | # Visual Studio LightSwitch build output 238 | **/*.HTMLClient/GeneratedArtifacts 239 | **/*.DesktopClient/GeneratedArtifacts 240 | **/*.DesktopClient/ModelManifest.xml 241 | **/*.Server/GeneratedArtifacts 242 | **/*.Server/ModelManifest.xml 243 | _Pvt_Extensions 244 | 245 | # Paket dependency manager 246 | .paket/paket.exe 247 | paket-files/ 248 | 249 | # FAKE - F# Make 250 | .fake/ 251 | 252 | # JetBrains Rider 253 | .idea/ 254 | *.sln.iml 255 | 256 | # CodeRush 257 | .cr/ 258 | 259 | # Python Tools for Visual Studio (PTVS) 260 | __pycache__/ 261 | *.pyc -------------------------------------------------------------------------------- /Headers/definitions.h: -------------------------------------------------------------------------------- 1 | 2 | /// IRP Major Codes 3 | 4 | #define IRP_MJ_CREATE 0x00 5 | #define IRP_MJ_CREATE_NAMED_PIPE 0x01 6 | #define IRP_MJ_CLOSE 0x02 7 | #define IRP_MJ_READ 0x03 8 | #define IRP_MJ_WRITE 0x04 9 | #define IRP_MJ_QUERY_INFORMATION 0x05 10 | #define IRP_MJ_SET_INFORMATION 0x06 11 | #define IRP_MJ_QUERY_EA 0x07 12 | #define IRP_MJ_SET_EA 0x08 13 | #define IRP_MJ_FLUSH_BUFFERS 0x09 14 | #define IRP_MJ_QUERY_VOLUME_INFORMATION 0x0a 15 | #define IRP_MJ_SET_VOLUME_INFORMATION 0x0b 16 | #define IRP_MJ_DIRECTORY_CONTROL 0x0c 17 | #define IRP_MJ_FILE_SYSTEM_CONTROL 0x0d 18 | #define IRP_MJ_DEVICE_CONTROL 0x0e 19 | #define 
IRP_MJ_INTERNAL_DEVICE_CONTROL 0x0f 20 | #define IRP_MJ_SHUTDOWN 0x10 21 | #define IRP_MJ_LOCK_CONTROL 0x11 22 | #define IRP_MJ_CLEANUP 0x12 23 | #define IRP_MJ_CREATE_MAILSLOT 0x13 24 | #define IRP_MJ_QUERY_SECURITY 0x14 25 | #define IRP_MJ_SET_SECURITY 0x15 26 | #define IRP_MJ_POWER 0x16 27 | #define IRP_MJ_SYSTEM_CONTROL 0x17 28 | #define IRP_MJ_DEVICE_CHANGE 0x18 29 | #define IRP_MJ_QUERY_QUOTA 0x19 30 | #define IRP_MJ_SET_QUOTA 0x1a 31 | #define IRP_MJ_PNP 0x1b 32 | #define IRP_MJ_MAXIMUM_FUNCTION 0x1b 33 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # XC3-Driver-Reversed 2 | I'm going to be dropping code from the XC3 Driver here (the result of reversing the driver). 3 | 4 | Twitter: [@niemand_sec](https://twitter.com/niemand_sec) 5 | 6 | 7 | # Blog Posts 8 | 9 | This is the result of a series of blog posts starting here: 10 | - [Reversing XignCode3 Driver - Part 1 - Identifying the Driver Entry Point](https://niemand.com.ar/2020/01/08/reversing-xigncode3-driver-part-1-identifying-the-driver-entry-point/) 11 | 12 | - [Reversing XignCode3 Driver – Part 2 – Analyzing init functions](https://niemand.com.ar/2020/01/16/reversing-xigncode3-driver-part-2-analyzing-init-functions/) 13 | 14 | - [Reversing XignCode3 Driver – Part 3 – Analyzing dispatch functions](https://niemand.com.ar/2020/01/24/reversing-xigncode3-driver-part-3-analyzing-dispatch-functions/) 15 | 16 | - [Reversing XignCode3 Driver – Part 4.1 – Registering Notify and Callback Routines](https://niemand.com.ar/2019/12/28/reversing-xigncode3-driver-part-4-1-registering-notify-and-callback-routines/) 17 | -------------------------------------------------------------------------------- /XC3/DriverEntry.asm: -------------------------------------------------------------------------------- 1 | .text:00000001400047B8 ; =============== S U B R O U T I N E 
======================================= 2 | .text:00000001400047B8 3 | .text:00000001400047B8 ; Attributes: bp-based frame 4 | .text:00000001400047B8 5 | .text:00000001400047B8 ; __int64 __fastcall DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath) 6 | .text:00000001400047B8 DriverEntry proc near ; CODE XREF: start+25↓j 7 | .text:00000001400047B8 ; DATA XREF: .pdata:000000014000D3E4↓o ... 8 | .text:00000001400047B8 9 | .text:00000001400047B8 DeviceCharacteristics= dword ptr -50h 10 | .text:00000001400047B8 Exclusive = byte ptr -48h 11 | .text:00000001400047B8 DeviceObject = qword ptr -40h 12 | .text:00000001400047B8 var_30 = xmmword ptr -30h 13 | .text:00000001400047B8 DeviceName = UNICODE_STRING ptr -20h 14 | .text:00000001400047B8 SymbolicLinkName= UNICODE_STRING ptr -10h 15 | .text:00000001400047B8 var_s0 = byte ptr 0 16 | .text:00000001400047B8 arg_0 = qword ptr 10h 17 | .text:00000001400047B8 arg_8 = qword ptr 18h 18 | .text:00000001400047B8 arg_10 = qword ptr 20h 19 | .text:00000001400047B8 arg_18 = qword ptr 28h 20 | .text:00000001400047B8 21 | .text:00000001400047B8 mov [rsp-8+arg_0], rbx 22 | .text:00000001400047BD mov [rsp-8+arg_10], rsi 23 | .text:00000001400047C2 mov [rsp-8+arg_18], rdi 24 | .text:00000001400047C7 push rbp 25 | .text:00000001400047C8 mov rbp, rsp 26 | .text:00000001400047CB sub rsp, 70h 27 | .text:00000001400047CF xor esi, esi 28 | .text:00000001400047D1 mov rdi, rcx 29 | .text:00000001400047D4 mov [rbp+arg_8], rsi 30 | .text:00000001400047D8 cmp [rdx], si 31 | .text:00000001400047DB jnz short loc_1400047E7 32 | .text:00000001400047DD 33 | .text:00000001400047DD loc_1400047DD: ; CODE XREF: DriverEntry+3A↓j 34 | .text:00000001400047DD ; DriverEntry+56↓j 35 | .text:00000001400047DD mov eax, 0C0000001h 36 | .text:00000001400047E2 jmp loc_140004922 37 | .text:00000001400047E7 ; --------------------------------------------------------------------------- 38 | .text:00000001400047E7 39 | .text:00000001400047E7 
loc_1400047E7: ; CODE XREF: DriverEntry+23↑j 40 | .text:00000001400047E7 lea rcx, [rbp+var_30] 41 | .text:00000001400047EB call sub_140004A58 42 | .text:00000001400047F0 test eax, eax 43 | .text:00000001400047F2 js short loc_1400047DD 44 | .text:00000001400047F4 lea rdx, [rbp+var_30] 45 | .text:00000001400047F8 lea rcx, [rbp+SymbolicLinkName] 46 | .text:00000001400047FC call sub_140003A50 47 | .text:0000000140004801 test eax, eax 48 | .text:0000000140004803 jns short loc_140004810 49 | .text:0000000140004805 lea rcx, [rbp+var_30] 50 | .text:0000000140004809 call sub_140004AC0 51 | .text:000000014000480E jmp short loc_1400047DD 52 | .text:0000000140004810 ; --------------------------------------------------------------------------- 53 | .text:0000000140004810 54 | .text:0000000140004810 loc_140004810: ; CODE XREF: DriverEntry+4B↑j 55 | .text:0000000140004810 lea rdx, [rbp+var_30] 56 | .text:0000000140004814 lea rcx, [rbp+DeviceName] 57 | .text:0000000140004818 call sub_1400039B0 58 | .text:000000014000481D test eax, eax 59 | .text:000000014000481F jns short loc_140004831 60 | .text:0000000140004821 lea rcx, [rbp+var_30] 61 | .text:0000000140004825 call sub_140004AC0 62 | .text:000000014000482A mov ebx, 0C0000001h 63 | .text:000000014000482F jmp short loc_1400048A2 64 | .text:0000000140004831 ; --------------------------------------------------------------------------- 65 | .text:0000000140004831 66 | .text:0000000140004831 loc_140004831: ; CODE XREF: DriverEntry+67↑j 67 | .text:0000000140004831 lea rax, sub_140004938 68 | .text:0000000140004838 mov r9d, 22h ; DeviceType 69 | .text:000000014000483E mov [rdi+68h], rax 70 | .text:0000000140004842 lea r8, [rbp+DeviceName] ; DeviceName 71 | .text:0000000140004846 lea rax, sub_1400045D0 72 | .text:000000014000484D xor edx, edx ; DeviceExtensionSize 73 | .text:000000014000484F mov [rdi+70h], rax 74 | .text:0000000140004853 mov rcx, rdi ; DriverObject 75 | .text:0000000140004856 lea rax, sub_140004580 76 | 
.text:000000014000485D mov [rdi+80h], rax 77 | .text:0000000140004864 lea rax, sub_140004604 78 | .text:000000014000486B mov [rdi+90h], rax 79 | .text:0000000140004872 lea rax, [rbp+arg_8] 80 | .text:0000000140004876 mov [rsp+70h+DeviceObject], rax ; DeviceObject 81 | .text:000000014000487B mov [rsp+70h+Exclusive], sil ; Exclusive 82 | .text:0000000140004880 mov [rsp+70h+DeviceCharacteristics], esi ; DeviceCharacteristics 83 | .text:0000000140004884 call cs:IoCreateDevice 84 | .text:000000014000488A mov ebx, eax 85 | .text:000000014000488C test eax, eax 86 | .text:000000014000488E jns short loc_1400048A8 87 | .text:0000000140004890 lea rcx, [rbp+var_30] 88 | .text:0000000140004894 call sub_140004AC0 89 | .text:0000000140004899 lea rcx, [rbp+DeviceName] 90 | .text:000000014000489D call sub_140004AC0 91 | .text:00000001400048A2 92 | .text:00000001400048A2 loc_1400048A2: ; CODE XREF: DriverEntry+77↑j 93 | .text:00000001400048A2 lea rcx, [rbp+SymbolicLinkName] 94 | .text:00000001400048A6 jmp short loc_14000491B 95 | .text:00000001400048A8 ; --------------------------------------------------------------------------- 96 | .text:00000001400048A8 97 | .text:00000001400048A8 loc_1400048A8: ; CODE XREF: DriverEntry+D6↑j 98 | .text:00000001400048A8 mov rax, [rbp+arg_8] 99 | .text:00000001400048AC or dword ptr [rax+30h], 4 100 | .text:00000001400048B0 movups xmm0, [rbp+var_30] 101 | .text:00000001400048B4 movups xmm1, xmmword ptr [rbp+SymbolicLinkName.Length] 102 | .text:00000001400048B8 movdqu cs:xmmword_14000CD78, xmm0 103 | .text:00000001400048C0 movdqu xmmword ptr cs:SymbolicLinkName.Length, xmm1 104 | .text:00000001400048C8 call sub_1400015F8 105 | .text:00000001400048CD mov rcx, rdi 106 | .text:00000001400048D0 call sub_140003550 107 | .text:00000001400048D5 mov ebx, eax 108 | .text:00000001400048D7 test eax, eax 109 | .text:00000001400048D9 js short loc_140004909 110 | .text:00000001400048DB call sub_140002A18 111 | .text:00000001400048E0 mov ebx, eax 112 | 
.text:00000001400048E2 test eax, eax 113 | .text:00000001400048E4 js short loc_1400048FF 114 | .text:00000001400048E6 lea rdx, [rbp+DeviceName] ; DeviceName 115 | .text:00000001400048EA lea rcx, [rbp+SymbolicLinkName] ; SymbolicLinkName 116 | .text:00000001400048EE call cs:IoCreateSymbolicLink 117 | .text:00000001400048F4 mov ebx, eax 118 | .text:00000001400048F6 test eax, eax 119 | .text:00000001400048F8 jns short loc_140004915 120 | .text:00000001400048FA call nullsub_1 121 | .text:00000001400048FF 122 | .text:00000001400048FF loc_1400048FF: ; CODE XREF: DriverEntry+12C↑j 123 | .text:00000001400048FF call sub_1400034D8 124 | .text:0000000140004904 call nullsub_1 125 | .text:0000000140004909 126 | .text:0000000140004909 loc_140004909: ; CODE XREF: DriverEntry+121↑j 127 | .text:0000000140004909 mov rcx, [rbp+arg_8] ; DeviceObject 128 | .text:000000014000490D call cs:IoDeleteDevice 129 | .text:0000000140004913 jmp short loc_140004917 130 | .text:0000000140004915 ; --------------------------------------------------------------------------- 131 | .text:0000000140004915 132 | .text:0000000140004915 loc_140004915: ; CODE XREF: DriverEntry+140↑j 133 | .text:0000000140004915 mov ebx, esi 134 | .text:0000000140004917 135 | .text:0000000140004917 loc_140004917: ; CODE XREF: DriverEntry+15B↑j 136 | .text:0000000140004917 lea rcx, [rbp+DeviceName] 137 | .text:000000014000491B 138 | .text:000000014000491B loc_14000491B: ; CODE XREF: DriverEntry+EE↑j 139 | .text:000000014000491B call sub_140004AC0 140 | .text:0000000140004920 mov eax, ebx 141 | .text:0000000140004922 142 | .text:0000000140004922 loc_140004922: ; CODE XREF: DriverEntry+2A↑j 143 | .text:0000000140004922 lea r11, [rsp+70h+var_s0] 144 | .text:0000000140004927 mov rbx, [r11+10h] 145 | .text:000000014000492B mov rsi, [r11+20h] 146 | .text:000000014000492F mov rdi, [r11+28h] 147 | .text:0000000140004933 mov rsp, r11 148 | .text:0000000140004936 pop rbp 149 | .text:0000000140004937 retn 150 | .text:0000000140004937 
DriverEntry endp 151 | .text:0000000140004937 152 | -------------------------------------------------------------------------------- /XC3/DriverEntry_original.c: -------------------------------------------------------------------------------- 1 | __int64 __fastcall DriverEntry(PDRIVER_OBJECT DriverObject, _WORD *a2) 2 | { 3 | PDRIVER_OBJECT v2; // rdi 4 | NTSTATUS v4; // ebx 5 | UNICODE_STRING *v5; // rcx 6 | __m128i v6; // [rsp+40h] [rbp-30h] 7 | UNICODE_STRING DeviceName; // [rsp+50h] [rbp-20h] 8 | UNICODE_STRING SymbolicLinkName; // [rsp+60h] [rbp-10h] 9 | PDEVICE_OBJECT DeviceObject; // [rsp+88h] [rbp+18h] 10 | 11 | v2 = DriverObject; 12 | DeviceObject = 0i64; 13 | if (!*a2 || (signed int)sub_140004A58(&v6) < 0) 14 | return 3221225473i64; 15 | if ((signed int)sub_140003A50(&SymbolicLinkName, &v6) < 0) 16 | { 17 | sub_140004AC0(&v6); 18 | return 3221225473i64; 19 | } 20 | if ((signed int)sub_1400039B0(&DeviceName, &v6) >= 0) 21 | { 22 | v2->DriverUnload = (PDRIVER_UNLOAD)sub_140004938; 23 | v2->MajorFunction[0] = (PDRIVER_DISPATCH)&sub_1400045D0; 24 | v2->MajorFunction[2] = (PDRIVER_DISPATCH)&sub_140004580; 25 | v2->MajorFunction[4] = (PDRIVER_DISPATCH)&sub_140004604; 26 | v4 = IoCreateDevice(v2, 0, &DeviceName, 0x22u, 0, 0, &DeviceObject); 27 | if (v4 < 0) 28 | { 29 | sub_140004AC0(&v6); 30 | sub_140004AC0(&DeviceName); 31 | goto LABEL_10; 32 | } 33 | DeviceObject->Flags |= 4u; 34 | _mm_storeu_si128((__m128i *)&xmmword_14000CD78, v6); 35 | _mm_storeu_si128((__m128i *)&::SymbolicLinkName, (__m128i)SymbolicLinkName); 36 | sub_1400015F8(); 37 | v4 = sub_140003550(v2); 38 | if (v4 >= 0) 39 | { 40 | v4 = sub_140002A18(); 41 | if (v4 >= 0) 42 | { 43 | v4 = IoCreateSymbolicLink(&SymbolicLinkName, &DeviceName); 44 | if (v4 >= 0) 45 | { 46 | v4 = 0; 47 | goto LABEL_18; 48 | } 49 | nullsub_1(); 50 | } 51 | sub_1400034D8(); 52 | nullsub_1(); 53 | } 54 | IoDeleteDevice(DeviceObject); 55 | LABEL_18: 56 | v5 = &DeviceName; 57 | goto LABEL_19; 58 | } 59 | sub_140004AC0(&v6); 
60 | v4 = -1073741823; 61 | LABEL_10: 62 | v5 = &SymbolicLinkName; 63 | LABEL_19: 64 | sub_140004AC0(v5); 65 | return (unsigned int)v4; 66 | } -------------------------------------------------------------------------------- /XC3/DriverEntry_reversed.c: -------------------------------------------------------------------------------- 1 | __int64 __fastcall DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath) 2 | { 3 | PDRIVER_OBJECT _DriverObject; // rdi 4 | signed int ntStatus; // ebx 5 | UNICODE_STRING *v5; // rcx 6 | char Dest[16]; // [rsp+40h] [rbp-30h] 7 | UNICODE_STRING DeviceName; // [rsp+50h] [rbp-20h] 8 | UNICODE_STRING SymbolicLinkName; // [rsp+60h] [rbp-10h] 9 | PDEVICE_OBJECT DeviceObject; // [rsp+88h] [rbp+18h] 10 | 11 | _DriverObject = DriverObject; 12 | DeviceObject = 0i64; 13 | if (!RegistryPath->Length || fn_strcat(Dest, RegistryPath) < 0) 14 | return 0xC0000001i64; 15 | if (sub_140003A50(&SymbolicLinkName, Dest) < 0) 16 | { 17 | Real_Driver_Entry(Dest); 18 | return 0xC0000001i64; 19 | } 20 | if (sub_1400039B0(&DeviceName, Dest) >= 0) 21 | { 22 | _DriverObject->DriverUnload = fn_DriverUnloadDispatcher; 23 | _DriverObject->MajorFunction[0] = fn_DispatchCreate;// IRP_MJ_CREATE 24 | _DriverObject->MajorFunction[2] = fn_DispatchClose;// IRP_MJ_CLOSE 25 | _DriverObject->MajorFunction[4] = fn_DriverIOCTLDistpacher;// IRP_MJ_WRITE 26 | ntStatus = IoCreateDevice(_DriverObject, 0, &DeviceName, 0x22u, 0, 0, &DeviceObject); 27 | if (ntStatus < 0) 28 | { 29 | Real_Driver_Entry(Dest); 30 | Real_Driver_Entry(&DeviceName); 31 | goto LABEL_10; 32 | } 33 | DeviceObject->Flags |= 4u; 34 | _mm_storeu_si128(&xmmword_14000CD78, *Dest); 35 | _mm_storeu_si128(&::SymbolicLinkName, SymbolicLinkName); 36 | fn_InitDispatchMethodArray(); 37 | ntStatus = fn_InitRegistrationNotifyAndCallbackRoutines(); 38 | if (ntStatus >= 0) 39 | { 40 | ntStatus = fn_ObtainKernelFunctions(); 41 | if (ntStatus >= 0) 42 | { 43 | ntStatus = IoCreateSymbolicLink(&SymbolicLinkName, 
&DeviceName); 44 | if (ntStatus >= 0) 45 | { 46 | ntStatus = 0; 47 | goto LABEL_18; 48 | } 49 | nullsub_1(); 50 | } 51 | fn_RegisterCreateProcessNotifyRoutine(); 52 | nullsub_1(); 53 | } 54 | IoDeleteDevice(DeviceObject); 55 | LABEL_18: 56 | v5 = &DeviceName; 57 | goto LABEL_19; 58 | } 59 | Real_Driver_Entry(Dest); 60 | ntStatus = 0xC0000001; 61 | LABEL_10: 62 | v5 = &SymbolicLinkName; 63 | LABEL_19: 64 | Real_Driver_Entry(v5); 65 | return ntStatus; 66 | } -------------------------------------------------------------------------------- /XC3/fn_CreateProcessNotifyRoutine.asm: -------------------------------------------------------------------------------- 1 | .text:00000001400034B0 2 | .text:00000001400034B0 ; =============== S U B R O U T I N E ======================================= 3 | .text:00000001400034B0 4 | .text:00000001400034B0 5 | .text:00000001400034B0 sub_1400034B0 proc near ; DATA XREF: sub_1400034D8+34↓o 6 | .text:00000001400034B0 ; sub_140003550+113↓o ... 7 | .text:00000001400034B0 test r8b, r8b 8 | .text:00000001400034B3 jz short loc_1400034BD 9 | .text:00000001400034B5 mov rcx, rdx 10 | .text:00000001400034B8 jmp sub_1400033B0 11 | .text:00000001400034BD ; --------------------------------------------------------------------------- 12 | .text:00000001400034BD 13 | .text:00000001400034BD loc_1400034BD: ; CODE XREF: sub_1400034B0+3↑j 14 | .text:00000001400034BD mov ecx, edx 15 | .text:00000001400034BF jmp sub_140002DD0 16 | .text:00000001400034BF sub_1400034B0 endp 17 | .text:00000001400034BF -------------------------------------------------------------------------------- /XC3/fn_CreateProcessNotifyRoutineExImp.asm: -------------------------------------------------------------------------------- 1 | .text:00000001400034C4 2 | .text:00000001400034C4 ; =============== S U B R O U T I N E ======================================= 3 | .text:00000001400034C4 4 | .text:00000001400034C4 5 | .text:00000001400034C4 sub_1400034C4 proc near ; DATA XREF: 
sub_1400034D8+20↓o 6 | .text:00000001400034C4 ; sub_140003550+EB↓o ... 7 | .text:00000001400034C4 test r8, r8 8 | .text:00000001400034C7 jz short loc_1400034D1 9 | .text:00000001400034C9 mov rcx, rdx 10 | .text:00000001400034CC jmp sub_1400033B0 11 | .text:00000001400034D1 ; --------------------------------------------------------------------------- 12 | .text:00000001400034D1 13 | .text:00000001400034D1 loc_1400034D1: ; CODE XREF: sub_1400034C4+3↑j 14 | .text:00000001400034D1 mov ecx, edx 15 | .text:00000001400034D3 jmp sub_140002DD0 16 | .text:00000001400034D3 sub_1400034C4 endp 17 | .text:00000001400034D3 -------------------------------------------------------------------------------- /XC3/fn_CreateProcessNotifyRoutineExImp_original.c: -------------------------------------------------------------------------------- 1 | __int64 __fastcall sub_1400034C4(__int64 a1, __int64 a2, __int64 a3) 2 | { 3 | __int64 result; // rax 4 | 5 | if (a3) 6 | result = sub_1400033B0(a2); 7 | else 8 | result = sub_140002DD0(a2); 9 | return result; 10 | } -------------------------------------------------------------------------------- /XC3/fn_CreateProcessNotifyRoutineExImp_reversed.c: -------------------------------------------------------------------------------- 1 | void __fastcall fn_CreateProcessNotifyRoutineExImp(PEPROCESS Process, __int64 ProcessId, PVOID CreateInfo) 2 | { 3 | if (CreateInfo) // If CreateInfo parameter is NULL, the specified process is exiting. 
4 | fn_Analyze_CreateProcessNotifyRoutine(ProcessId); 5 | else 6 | fn_Analyze_ExitProcessNotifyRoutine(ProcessId); 7 | } -------------------------------------------------------------------------------- /XC3/fn_CreateProcessNotifyRoutine_original.c: -------------------------------------------------------------------------------- 1 | __int64 __fastcall sub_1400034B0(__int64 a1, __int64 a2, char a3) 2 | { 3 | __int64 result; // rax 4 | 5 | if (a3) 6 | result = sub_1400033B0(a2); 7 | else 8 | result = sub_140002DD0(a2); 9 | return result; 10 | } -------------------------------------------------------------------------------- /XC3/fn_CreateProcessNotifyRoutine_reversed.c: -------------------------------------------------------------------------------- 1 | __int64 __fastcall fn_CreateProcessNotifyRoutine(HANDLE ParentId, HANDLE ProcessId, BOOLEAN Create) 2 | { 3 | __int64 result; // rax 4 | 5 | if (Create) 6 | fn_Analyze_CreateProcessNotifyRoutine(ProcessId); 7 | else 8 | fn_Analyze_ExitProcessNotifyRoutine(ProcessId); 9 | return result; 10 | } -------------------------------------------------------------------------------- /XC3/fn_DispatchIOCTLMethod.asm: -------------------------------------------------------------------------------- 1 | .text:0000000140001E00 2 | .text:0000000140001E00 ; =============== S U B R O U T I N E ======================================= 3 | .text:0000000140001E00 4 | .text:0000000140001E00 5 | .text:0000000140001E00 ; __int64 __fastcall fn_DispatchIOCTLMethod(__int64 a1, __int64 a1) 6 | .text:0000000140001E00 fn_DispatchIOCTLMethod proc near ; CODE XREF: sub_140004604+79↓p 7 | .text:0000000140001E00 mov r9d, cs:dword_14000A240 8 | .text:0000000140001E07 xor r8d, r8d 9 | .text:0000000140001E0A test r9d, r9d 10 | .text:0000000140001E0D jz short loc_140001E2E 11 | .text:0000000140001E0F mov r10d, [rcx+0Ch] 12 | .text:0000000140001E13 lea r11, dword_140009E40 13 | .text:0000000140001E1A 14 | .text:0000000140001E1A loc_140001E1A: ; CODE XREF: 
fn_DispatchIOCTLMethod+2C↓j 15 | .text:0000000140001E1A mov eax, r8d 16 | .text:0000000140001E1D add rax, rax 17 | .text:0000000140001E20 cmp [r11+rax*8], r10d 18 | .text:0000000140001E24 jz short loc_140001E34 19 | .text:0000000140001E26 inc r8d 20 | .text:0000000140001E29 cmp r8d, r9d 21 | .text:0000000140001E2C jb short loc_140001E1A 22 | .text:0000000140001E2E 23 | .text:0000000140001E2E loc_140001E2E: ; CODE XREF: fn_DispatchIOCTLMethod+D↑j 24 | .text:0000000140001E2E mov eax, 0C0000001h 25 | .text:0000000140001E33 retn 26 | .text:0000000140001E34 ; --------------------------------------------------------------------------- 27 | .text:0000000140001E34 28 | .text:0000000140001E34 loc_140001E34: ; CODE XREF: fn_DispatchIOCTLMethod+24↑j 29 | .text:0000000140001E34 mov eax, r8d 30 | .text:0000000140001E37 add rax, rax 31 | .text:0000000140001E3A jmp qword ptr [r11+rax*8+8] 32 | .text:0000000140001E3A fn_DispatchIOCTLMethod endp 33 | .text:0000000140001E3A 34 | .text:0000000140001E3A ; --------------------------------------------------------------------------- -------------------------------------------------------------------------------- /XC3/fn_DispatchIOCTLMethod_original.c: -------------------------------------------------------------------------------- 1 | __int64 __fastcall fn_DispatchIOCTLMethod(__int64 a1, __int64 a2) 2 | { 3 | int v2; // er8 4 | 5 | v2 = 0; 6 | if (!dword_14000A240) 7 | return 3221225473i64; 8 | while (dword_140009E40[4 * v2] != *(_DWORD *)(a1 + 0xC)) 9 | { 10 | if (++v2 >= (unsigned int)dword_14000A240) 11 | return 3221225473i64; 12 | } 13 | return (*(__int64(__fastcall **)(__int64, __int64))&dword_140009E40[4 * v2 + 2])(a1, a2); 14 | } -------------------------------------------------------------------------------- /XC3/fn_DispatchIOCTLMethod_reversed.c: -------------------------------------------------------------------------------- 1 | __int64 __fastcall fn_DispatchIOCTLMethod(DrvInputBuffer *SystemBuffer, DrvOutputBuffer *a2) 2 | { 3 
| int counter; // er8 4 | 5 | counter = 0; 6 | if (!FunctionsCount) 7 | return 0xC0000001i64; 8 | while (IOCTLFunctionArray[counter].Index != SystemBuffer->FnIndex) 9 | { 10 | if (++counter >= FunctionsCount) 11 | return 0xC0000001i64; 12 | } 13 | return (IOCTLFunctionArray[counter].FnPtr)(SystemBuffer, a2); 14 | } -------------------------------------------------------------------------------- /XC3/fn_DriverIOCTLDispatcher.asm: -------------------------------------------------------------------------------- 1 | .text:0000000140004604 ; =============== S U B R O U T I N E ======================================= 2 | .text:0000000140004604 3 | .text:0000000140004604 4 | .text:0000000140004604 sub_140004604 proc near ; DATA XREF: DriverEntry+AC↓o 5 | .text:0000000140004604 ; .pdata:000000014000D3D8↓o ... 6 | .text:0000000140004604 7 | .text:0000000140004604 var_338 = dword ptr -338h 8 | .text:0000000140004604 var_334 = dword ptr -334h 9 | .text:0000000140004604 var_330 = qword ptr -330h 10 | .text:0000000140004604 var_328 = qword ptr -328h 11 | .text:0000000140004604 MemoryDescriptorList= qword ptr -320h 12 | .text:0000000140004604 v13 = qword ptr -318h 13 | .text:0000000140004604 var_18 = qword ptr -18h 14 | .text:0000000140004604 var_8 = byte ptr -8 15 | .text:0000000140004604 arg_0 = qword ptr 8 16 | .text:0000000140004604 arg_10 = qword ptr 18h 17 | .text:0000000140004604 arg_18 = qword ptr 20h 18 | .text:0000000140004604 19 | .text:0000000140004604 ; __unwind { // __GSHandlerCheck_SEH 20 | .text:0000000140004604 mov [rsp+arg_0], rbx 21 | .text:0000000140004609 mov [rsp+arg_10], rsi 22 | .text:000000014000460E mov [rsp+arg_18], rdi 23 | .text:0000000140004613 push r14 24 | .text:0000000140004615 sub rsp, 350h 25 | .text:000000014000461C mov rax, cs:__security_cookie 26 | .text:0000000140004623 xor rax, rsp 27 | .text:0000000140004626 mov [rsp+358h+var_18], rax 28 | .text:000000014000462E mov rbx, rdx 29 | .text:0000000140004631 mov [rsp+358h+var_328], rdx 30 | 
.text:0000000140004636 mov rax, [rdx+0B8h] 31 | .text:000000014000463D xor esi, esi 32 | .text:000000014000463F mov [rsp+358h+var_338], esi 33 | .text:0000000140004643 mov edi, 0C0000001h 34 | .text:0000000140004648 mov [rsp+358h+var_334], edi 35 | .text:000000014000464C mov ecx, 270h 36 | .text:0000000140004651 cmp [rax+8], ecx 37 | .text:0000000140004654 jnz loc_140004778 38 | .text:000000014000465A mov r14, [rdx+18h] 39 | .text:000000014000465E cmp [r14], ecx 40 | .text:0000000140004661 jnz loc_140004778 41 | .text:0000000140004667 cmp dword ptr [r14+4], 345821ABh 42 | .text:000000014000466F jnz loc_140004778 43 | .text:0000000140004675 lea rdx, [rsp+358h+v13] ; a2 44 | .text:000000014000467A mov rcx, r14 ; a1 45 | .text:000000014000467D call fn_DispatchIOCTLMethod 46 | .text:0000000140004682 mov rcx, [r14+10h] 47 | .text:0000000140004686 lea r8, [rsp+358h+MemoryDescriptorList] 48 | .text:000000014000468B mov r14d, 2FAh 49 | .text:0000000140004691 mov edx, r14d 50 | .text:0000000140004694 call sub_140003DBC 51 | .text:0000000140004699 mov r8, rax 52 | .text:000000014000469C mov [rsp+358h+var_330], rax 53 | .text:00000001400046A1 test rax, rax 54 | .text:00000001400046A4 jz loc_140004778 55 | .text:00000001400046AA 56 | .text:00000001400046AA loc_1400046AA: ; DATA XREF: .rdata:0000000140008A5C↓o 57 | .text:00000001400046AA ; __try { // __except at loc_140004759 58 | .text:00000001400046AA mov rcx, rax 59 | .text:00000001400046AD lea rdx, [rsp+358h+v13] 60 | .text:00000001400046B2 lea eax, [rsi+5] 61 | .text:00000001400046B5 lea r9d, [rax+7Bh] 62 | .text:00000001400046B9 63 | .text:00000001400046B9 loc_1400046B9: ; CODE XREF: sub_140004604+FD↓j 64 | .text:00000001400046B9 movups xmm0, xmmword ptr [rdx] 65 | .text:00000001400046BC movups xmmword ptr [rcx], xmm0 66 | .text:00000001400046BF movups xmm1, xmmword ptr [rdx+10h] 67 | .text:00000001400046C3 movups xmmword ptr [rcx+10h], xmm1 68 | .text:00000001400046C7 movups xmm0, xmmword ptr [rdx+20h] 69 | 
.text:00000001400046CB movups xmmword ptr [rcx+20h], xmm0 70 | .text:00000001400046CF movups xmm1, xmmword ptr [rdx+30h] 71 | .text:00000001400046D3 movups xmmword ptr [rcx+30h], xmm1 72 | .text:00000001400046D7 movups xmm0, xmmword ptr [rdx+40h] 73 | .text:00000001400046DB movups xmmword ptr [rcx+40h], xmm0 74 | .text:00000001400046DF movups xmm1, xmmword ptr [rdx+50h] 75 | .text:00000001400046E3 movups xmmword ptr [rcx+50h], xmm1 76 | .text:00000001400046E7 movups xmm0, xmmword ptr [rdx+60h] 77 | .text:00000001400046EB movups xmmword ptr [rcx+60h], xmm0 78 | .text:00000001400046EF add rcx, r9 79 | .text:00000001400046F2 movups xmm1, xmmword ptr [rdx+70h] 80 | .text:00000001400046F6 movups xmmword ptr [rcx-10h], xmm1 81 | .text:00000001400046FA add rdx, r9 82 | .text:00000001400046FD sub rax, 1 83 | .text:0000000140004701 jnz short loc_1400046B9 84 | .text:0000000140004703 movups xmm0, xmmword ptr [rdx] 85 | .text:0000000140004706 movups xmmword ptr [rcx], xmm0 86 | .text:0000000140004709 movups xmm1, xmmword ptr [rdx+10h] 87 | .text:000000014000470D movups xmmword ptr [rcx+10h], xmm1 88 | .text:0000000140004711 movups xmm0, xmmword ptr [rdx+20h] 89 | .text:0000000140004715 movups xmmword ptr [rcx+20h], xmm0 90 | .text:0000000140004719 movups xmm1, xmmword ptr [rdx+30h] 91 | .text:000000014000471D movups xmmword ptr [rcx+30h], xmm1 92 | .text:0000000140004721 movups xmm0, xmmword ptr [rdx+40h] 93 | .text:0000000140004725 movups xmmword ptr [rcx+40h], xmm0 94 | .text:0000000140004729 movups xmm1, xmmword ptr [rdx+50h] 95 | .text:000000014000472D movups xmmword ptr [rcx+50h], xmm1 96 | .text:0000000140004731 movups xmm0, xmmword ptr [rdx+60h] 97 | .text:0000000140004735 movups xmmword ptr [rcx+60h], xmm0 98 | .text:0000000140004739 mov rax, [rdx+70h] 99 | .text:000000014000473D mov [rcx+70h], rax 100 | .text:0000000140004741 movzx eax, word ptr [rdx+78h] 101 | .text:0000000140004745 mov [rcx+78h], ax 102 | .text:0000000140004749 mov edi, esi 103 | 
.text:000000014000474B mov [rsp+358h+var_334], esi 104 | .text:000000014000474F mov esi, r14d 105 | .text:0000000140004752 mov [rsp+358h+var_338], r14d 106 | .text:0000000140004757 jmp short loc_14000476B 107 | .text:0000000140004757 ; } // starts at 1400046AA 108 | .text:0000000140004759 ; --------------------------------------------------------------------------- 109 | .text:0000000140004759 110 | .text:0000000140004759 loc_140004759: ; DATA XREF: .rdata:0000000140008A5C↓o 111 | .text:0000000140004759 ; __except(1) // owned by 1400046AA 112 | .text:0000000140004759 mov esi, [rsp+358h+var_338] 113 | .text:000000014000475D mov edi, [rsp+358h+var_334] 114 | .text:0000000140004761 mov r8, [rsp+358h+var_330] 115 | .text:0000000140004766 mov rbx, [rsp+358h+var_328] 116 | .text:000000014000476B 117 | .text:000000014000476B loc_14000476B: ; CODE XREF: sub_140004604+153↑j 118 | .text:000000014000476B mov rdx, r8 ; BaseAddress 119 | .text:000000014000476E mov rcx, [rsp+358h+MemoryDescriptorList] ; MemoryDescriptorList 120 | .text:0000000140004773 call sub_140003980 121 | .text:0000000140004778 122 | .text:0000000140004778 loc_140004778: ; CODE XREF: sub_140004604+50↑j 123 | .text:0000000140004778 ; sub_140004604+5D↑j ... 
.text:0000000140004778 mov [rbx+30h], edi ; Irp->IoStatus.Status = edi (0 or 0C0000001h)
.text:000000014000477B mov edx, esi
.text:000000014000477D mov [rbx+38h], rdx ; Irp->IoStatus.Information = esi (0 or 2FAh)
.text:0000000140004781 xor edx, edx ; PriorityBoost
.text:0000000140004783 mov rcx, rbx ; Irp
.text:0000000140004786 call cs:IofCompleteRequest
.text:000000014000478C mov eax, edi ; return value == IoStatus.Status
.text:000000014000478E mov rcx, [rsp+358h+var_18]
.text:0000000140004796 xor rcx, rsp
.text:0000000140004799 call __security_check_cookie
.text:000000014000479E lea r11, [rsp+358h+var_8]
.text:00000001400047A6 mov rbx, [r11+10h]
.text:00000001400047AA mov rsi, [r11+20h]
.text:00000001400047AE mov rdi, [r11+28h]
.text:00000001400047B2 mov rsp, r11
.text:00000001400047B5 pop r14
.text:00000001400047B7 retn
.text:00000001400047B7 ; } // starts at 140004604
.text:00000001400047B7 sub_140004604 endp
.text:00000001400047B7
--------------------------------------------------------------------------------
/XC3/fn_DriverIOCTLDispatcher_original.c:
--------------------------------------------------------------------------------
// Raw Hex-Rays output for sub_140004604, the IRP dispatch routine referenced from
// DriverEntry+AC (see fn_DriverIOCTLDispatcher.asm). Kept untouched for reference;
// the annotated reading lives in fn_DriverIOCTLDispatcher_reversed.c.
__int64 __fastcall sub_140004604(__int64 a1, _IRP *a2)
{
    _IRP *v2; // rbx
    unsigned int v3; // esi
    unsigned int v4; // edi
    _IRP *v5; // r14
    __int64 v6; // rax
    void *v7; // r8
    __int64 v8; // rcx
    __int64 *v9; // rdx
    signed __int64 v10; // rax
    PMDL MemoryDescriptorList; // [rsp+38h] [rbp-320h]
    __int64 v13; // [rsp+40h] [rbp-318h]

    v2 = a2;
    v3 = 0;
    v4 = -1073741823; // 0xC0000001, STATUS_UNSUCCESSFUL
    // Argument1 is simply the first ULONG of the stack location's Parameters union
    // (asm: cmp [rax+8], 270h); the decompiler chose the generic "Others" view.
    if (LODWORD(a2->Tail.Overlay.CurrentStackLocation->Parameters.Others.Argument1) == 0x270)
    {
        // MasterIrp shares its union slot with SystemBuffer (asm: mov r14, [rdx+18h]).
        v5 = a2->AssociatedIrp.MasterIrp;
        // Type/Size at +0 and the dword at +4 are really fields of the caller's buffer.
        if (*&v5->Type == 0x270 && *(&v5->Size + 1) == 0x345821AB)
        {
            fn_DispatchIOCTLMethod(v5, &v13);
            // *&v5->Flags is the pointer stored at +10h of the caller's buffer.
            v6 = sub_140003DBC(*&v5->Flags, 762i64, &MemoryDescriptorList);
            v7 = v6;
            if (v6)
            {
                v8 = v6;
                v9 = &v13;
                v10 = 5i64;
                do
                {
                    *v8 = *v9;
                    *(v8 + 16) = *(v9 + 1);
                    *(v8 + 32) = *(v9 + 2);
                    *(v8 + 48) = *(v9 + 3);
                    *(v8 + 64) = *(v9 + 4);
                    *(v8 + 80) = *(v9 + 5);
                    *(v8 + 96) = *(v9 + 6);
                    v8 += 128i64;
                    *(v8 - 16) = *(v9 + 7);
                    v9 += 16;
                    --v10;
                } while (v10);
                *v8 = *v9;
                *(v8 + 16) = *(v9 + 1);
                *(v8 + 32) = *(v9 + 2);
                *(v8 + 48) = *(v9 + 3);
                *(v8 + 64) = *(v9 + 4);
                *(v8 + 80) = *(v9 + 5);
                *(v8 + 96) = *(v9 + 6);
                *(v8 + 112) = v9[14];
                *(v8 + 120) = *(v9 + 60);
                v4 = 0;
                v3 = 762;
                sub_140003980(MemoryDescriptorList, v7);
            }
        }
    }
    v2->IoStatus.Status = v4;
    v2->IoStatus.Information = v3;
    IofCompleteRequest(v2, 0);
    return v4;
}
--------------------------------------------------------------------------------
/XC3/fn_DriverIOCTLDispatcher_reversed.c:
--------------------------------------------------------------------------------
// IRP dispatch routine referenced from DriverEntry+AC (see the asm listing).
// Flow: validate the caller's buffer, run the handler selected by FnIndex
// (fn_DispatchIOCTLMethod), push the 0x2FA-byte response through an MDL mapping
// of a pointer the caller supplied, and complete the IRP.
//
// Returns the NTSTATUS that is also written to IoStatus.Status: 0 on success,
// 0xC0000001 (STATUS_UNSUCCESSFUL) for any rejected request or mapping failure.
__int64 __fastcall fn_DriverIOCTLDispatcher(PDEVICE_OBJECT a1, struct _IRP *_irp_request)
{
    unsigned int Size; // esi
    unsigned int _errorCode; // edi
    DrvInputBuffer *_inputBuffer; // r14
    PVOID Mdl; // rax MAPDST -- NOTE: this is the mapped base address returned by fn_AllocateMdl, not the MDL; the MDL itself goes to MemoryDescriptorList
    PVOID v8; // rcx
    PVOID response; // rdx
    signed __int64 counter; // rax
    PMDL MemoryDescriptorList; // [rsp+38h] [rbp-320h]
    DrvOutputBuffer _irp_response; // [rsp+40h] [rbp-318h] -- never zeroed in this routine (layout in Headers/definitions.h, not shown here)

    Size = 0;
    _errorCode = 0xC0000001;
    // Indicates how many bytes to transfer, needs to be equal to 0x270
    // This compares the first ULONG of the stack location's Parameters union
    // (asm: cmp [rax+8], 270h). "Read.Length" is only the decompiler's type
    // choice; for an IRP_MJ_DEVICE_CONTROL request the same slot is
    // DeviceIoControl.OutputBufferLength. Which major function DriverEntry routes
    // here is not visible in this listing -- confirm before relying on the name.
    if (_irp_request->Tail.Overlay.CurrentStackLocation->Parameters.Read.Length == 0x270)
    {
        _inputBuffer = _irp_request->AssociatedIrp.SystemBuffer;
        // The only gate on a request: a fixed size and a constant magic that is
        // baked into the binary. Any process able to open the device can satisfy
        // it; whether the device object restricts who may open it is not visible here.
        if (_inputBuffer->Size == 0x270 && _inputBuffer->MagicNumber == 0x345821AB)
        {
            // Return value ignored: fn_DispatchIOCTLMethod yields 0xC0000001 when no
            // handler matches FnIndex, yet the copy below still runs, so the caller
            // receives whatever _irp_response holds (uninitialised kernel stack
            // unless the selected handler filled it).
            fn_DispatchIOCTLMethod(_inputBuffer, &_irp_response);
            // pvoid10 (+10h of the caller-controlled buffer) is used verbatim as the
            // address to map. Whether sub_140003DBC probes it as a user-mode address
            // before locking is not visible here; if it does not, user mode picks
            // where the kernel writes the 0x2FA bytes below.
            Mdl = fn_AllocateMdl(_inputBuffer->pvoid10, 0x2FAu, &MemoryDescriptorList);
            if (Mdl)
            {
                // Unrolled copy of 5*128 + 122 = 762 (0x2FA) bytes into the mapping.
                // The asm wraps it in __try/__except (loc_1400046AA / loc_140004759):
                // a fault leaves _errorCode/Size at 0xC0000001/0 and still unmaps below.
                v8 = Mdl;
                response = &_irp_response;
                counter = 5i64;
                do
                {
                    *v8 = *response;
                    *(v8 + 1) = *(response + 1);
                    *(v8 + 2) = *(response + 2);
                    *(v8 + 3) = *(response + 3);
                    *(v8 + 4) = *(response + 4);
                    *(v8 + 5) = *(response + 5);
                    *(v8 + 6) = *(response + 6);
                    v8 = v8 + 128;
                    *(v8 - 1) = *(response + 7);
                    response = response + 128;
                    --counter;
                } while (counter);
                *v8 = *response;
                *(v8 + 1) = *(response + 1);
                *(v8 + 2) = *(response + 2);
                *(v8 + 3) = *(response + 3);
                *(v8 + 4) = *(response + 4);
                *(v8 + 5) = *(response + 5);
                *(v8 + 6) = *(response + 6);
                *(v8 + 14) = *(response + 14); // trailing qword
                *(v8 + 60) = *(response + 60); // trailing word
                _errorCode = 0;
                Size = 0x2FA;
                // Presumably the unmap/free counterpart of fn_AllocateMdl: IDA names the
                // arguments MemoryDescriptorList and BaseAddress (asm loc_14000476B).
                sub_140003980(MemoryDescriptorList, Mdl);
            }
        }
    }
    // Information reports 0x2FA even though the payload was delivered through the
    // MDL mapping rather than through SystemBuffer.
    _irp_request->IoStatus.Status = _errorCode;
    _irp_request->IoStatus.Information = Size;
    IofCompleteRequest(_irp_request, 0);
    return _errorCode;
}
--------------------------------------------------------------------------------
/XC3/fn_InitDispatchMethodArray.asm:
--------------------------------------------------------------------------------
.text:00000001400015F8 ; =============== S U B R O U T I N E =======================================
.text:00000001400015F8
.text:00000001400015F8
.text:00000001400015F8 sub_1400015F8 proc near ; CODE XREF: DriverEntry+110↓p
.text:00000001400015F8 ; DATA XREF: .pdata:000000014000D084↓o
.text:00000001400015F8 sub rsp, 28h
.text:00000001400015FC xor edx, edx ; Val
.text:00000001400015FE lea rcx, dword_140009E40 ; Dst
.text:0000000140001605 mov r8d, 400h ; Size
.text:000000014000160B call memset
.text:0000000140001610 lea rax, sub_140001058
.text:0000000140001617 mov cs:dword_140009E40, 306h
.text:0000000140001621 mov cs:qword_140009E48, rax
.text:0000000140001628 lea rax, sub_14000101C
.text:000000014000162F mov cs:qword_140009E58, rax
.text:0000000140001636 lea rax, sub_140001CC8
.text:000000014000163D mov cs:qword_140009E68, rax 18 | .text:0000000140001644 lea rax, sub_140001BFC 19 | .text:000000014000164B mov cs:qword_140009E78, rax 20 | .text:0000000140001652 lea rax, sub_140001DC0 21 | .text:0000000140001659 mov cs:qword_140009E88, rax 22 | .text:0000000140001660 lea rax, sub_140001B50 23 | .text:0000000140001667 mov cs:qword_140009E98, rax 24 | .text:000000014000166E lea rax, sub_140001C3C 25 | .text:0000000140001675 mov cs:qword_140009EA8, rax 26 | .text:000000014000167C lea rax, sub_140001D04 27 | .text:0000000140001683 mov cs:qword_140009EB8, rax 28 | .text:000000014000168A lea rax, sub_14000137C 29 | .text:0000000140001691 mov cs:qword_140009EC8, rax 30 | .text:0000000140001698 lea rax, sub_14000191C 31 | .text:000000014000169F mov cs:qword_140009ED8, rax 32 | .text:00000001400016A6 lea rax, sub_140001340 33 | .text:00000001400016AD mov cs:qword_140009EE8, rax 34 | .text:00000001400016B4 lea rax, sub_140001A58 35 | .text:00000001400016BB mov cs:qword_140009EF8, rax 36 | .text:00000001400016C2 lea rax, sub_1400019A4 37 | .text:00000001400016C9 mov cs:qword_140009F08, rax 38 | .text:00000001400016D0 lea rax, sub_140001224 39 | .text:00000001400016D7 mov cs:qword_140009F18, rax 40 | .text:00000001400016DE lea rax, sub_14000187C 41 | .text:00000001400016E5 mov cs:qword_140009F28, rax 42 | .text:00000001400016EC lea rax, sub_140001488 43 | .text:00000001400016F3 mov cs:qword_140009F38, rax 44 | .text:00000001400016FA lea rax, sub_140001548 45 | .text:0000000140001701 mov cs:qword_140009F48, rax 46 | .text:0000000140001708 lea rax, sub_1400013B8 47 | .text:000000014000170F mov cs:qword_140009F58, rax 48 | .text:0000000140001716 lea rax, sub_140001264 49 | .text:000000014000171D mov cs:qword_140009F68, rax 50 | .text:0000000140001724 lea rax, sub_14000150C 51 | .text:000000014000172B mov cs:qword_140009F78, rax 52 | .text:0000000140001732 lea rax, sub_140001174 53 | .text:0000000140001739 mov cs:qword_140009F88, rax 54 | 
.text:0000000140001740 lea rax, sub_1400015CC 55 | .text:0000000140001747 mov cs:qword_140009F98, rax 56 | .text:000000014000174E lea rax, sub_14000107C 57 | .text:0000000140001755 mov cs:qword_140009FA8, rax 58 | .text:000000014000175C lea rax, sub_140001D4C 59 | .text:0000000140001763 mov cs:qword_140009FB8, rax 60 | .text:000000014000176A lea rax, sub_140001D88 61 | .text:0000000140001771 mov cs:qword_140009FC8, rax 62 | .text:0000000140001778 xor eax, eax 63 | .text:000000014000177A mov cs:dword_140009E50, 307h 64 | .text:0000000140001784 mov cs:dword_140009E60, 308h 65 | .text:000000014000178E mov cs:dword_140009E70, 309h 66 | .text:0000000140001798 mov cs:dword_140009E80, 30Ah 67 | .text:00000001400017A2 mov cs:dword_140009E90, 30Bh 68 | .text:00000001400017AC mov cs:dword_140009EA0, 316h 69 | .text:00000001400017B6 mov cs:dword_140009EB0, 30Eh 70 | .text:00000001400017C0 mov cs:dword_140009EC0, 30Fh 71 | .text:00000001400017CA mov cs:dword_140009ED0, 311h 72 | .text:00000001400017D4 mov cs:dword_140009EE0, 312h 73 | .text:00000001400017DE mov cs:dword_140009EF0, 313h 74 | .text:00000001400017E8 mov cs:dword_140009F00, 314h 75 | .text:00000001400017F2 mov cs:dword_140009F10, 315h 76 | .text:00000001400017FC mov cs:dword_140009F20, 317h 77 | .text:0000000140001806 mov cs:dword_140009F30, 318h 78 | .text:0000000140001810 mov cs:dword_140009F40, 319h 79 | .text:000000014000181A mov cs:dword_140009F50, 31Ah 80 | .text:0000000140001824 mov cs:dword_140009F60, 31Ch 81 | .text:000000014000182E mov cs:dword_140009F70, 31Dh 82 | .text:0000000140001838 mov cs:dword_140009F80, 31Eh 83 | .text:0000000140001842 mov cs:dword_140009F90, 31Fh 84 | .text:000000014000184C mov cs:dword_140009FA0, 320h 85 | .text:0000000140001856 mov cs:dword_140009FB0, 321h 86 | .text:0000000140001860 mov cs:dword_140009FC0, 322h 87 | .text:000000014000186A mov cs:dword_14000A240, 19h 88 | .text:0000000140001874 add rsp, 28h 89 | .text:0000000140001878 retn 90 | .text:0000000140001878 
sub_1400015F8 endp
.text:0000000140001878
--------------------------------------------------------------------------------
/XC3/fn_InitDispatchMethodArray_original.c:
--------------------------------------------------------------------------------
// Raw Hex-Rays output for sub_1400015F8 (called from DriverEntry+110). The
// dword_/qword_ globals are the interleaved Index/FnPtr fields of one 16-byte
// table entry each; fn_InitDispatchMethodArray_reversed.c gives the typed view.
__int64 sub_1400015F8()
{
    __int64 result; // rax

    memset(&dword_140009E40, 0, 0x400ui64);
    dword_140009E40 = 774;
    qword_140009E48 = (__int64)sub_140001058;
    qword_140009E58 = (__int64)sub_14000101C;
    qword_140009E68 = (__int64)sub_140001CC8;
    qword_140009E78 = (__int64)sub_140001BFC;
    qword_140009E88 = (__int64)sub_140001DC0;
    qword_140009E98 = (__int64)sub_140001B50;
    qword_140009EA8 = (__int64)sub_140001C3C;
    qword_140009EB8 = (__int64)sub_140001D04;
    qword_140009EC8 = (__int64)sub_14000137C;
    qword_140009ED8 = (__int64)sub_14000191C;
    qword_140009EE8 = (__int64)sub_140001340;
    qword_140009EF8 = (__int64)sub_140001A58;
    qword_140009F08 = (__int64)sub_1400019A4;
    qword_140009F18 = (__int64)sub_140001224;
    qword_140009F28 = (__int64)sub_14000187C;
    qword_140009F38 = (__int64)sub_140001488;
    qword_140009F48 = (__int64)sub_140001548;
    qword_140009F58 = (__int64)sub_1400013B8;
    qword_140009F68 = (__int64)sub_140001264;
    qword_140009F78 = (__int64)sub_14000150C;
    qword_140009F88 = (__int64)sub_140001174;
    qword_140009F98 = (__int64)sub_1400015CC;
    qword_140009FA8 = (__int64)sub_14000107C;
    qword_140009FB8 = (__int64)sub_140001D4C;
    qword_140009FC8 = (__int64)sub_140001D88;
    result = 0i64;
    dword_140009E50 = 775;
    dword_140009E60 = 776;
    dword_140009E70 = 777;
    dword_140009E80 = 778;
    dword_140009E90 = 779;
    dword_140009EA0 = 790;
    dword_140009EB0 = 782;
    dword_140009EC0 = 783;
    dword_140009ED0 = 785;
    dword_140009EE0 = 786;
    dword_140009EF0 = 787;
    dword_140009F00 = 788;
    dword_140009F10 = 789;
    dword_140009F20 = 791;
    dword_140009F30 = 792;
    dword_140009F40 = 793;
    dword_140009F50 = 794;
    dword_140009F60 = 796;
    dword_140009F70 = 797;
    dword_140009F80 = 798;
    dword_140009F90 = 799;
    dword_140009FA0 = 800;
    dword_140009FB0 = 801;
    dword_140009FC0 = 802;
    dword_14000A240 = 25; // element count consumed by the lookup loop
    return result;
}
--------------------------------------------------------------------------------
/XC3/fn_InitDispatchMethodArray_reversed.c:
--------------------------------------------------------------------------------
// Builds the table that fn_DispatchIOCTLMethod scans to map a caller-supplied
// FnIndex onto a handler. The asm shows 16-byte entries (Index dword at +0,
// FnPtr qword at +8, stride 10h) inside a 0x400-byte region, of which the first
// 25 are populated; FunctionsCount is set to 0x19 to match. The lookup is a
// linear scan bounded by FunctionsCount, so the order of the Index values below
// is irrelevant and an unknown index cannot read past the table. Indices 780,
// 781, 784 and 795 in the 774..802 range are not assigned to any handler.
// Always returns 0.
__int64 fn_InitDispatchMethodArray()
{
    __int64 result; // rax

    memset(IOCTLFunctionArray, 0, 0x400ui64);
    IOCTLFunctionArray[0].Index = 774; // 9E40
    IOCTLFunctionArray[0].FnPtr = sub_140001058;
    IOCTLFunctionArray[1].FnPtr = sub_14000101C;
    IOCTLFunctionArray[2].FnPtr = sub_140001CC8;
    IOCTLFunctionArray[3].FnPtr = sub_140001BFC;
    IOCTLFunctionArray[4].FnPtr = sub_140001DC0;
    IOCTLFunctionArray[5].FnPtr = sub_140001B50;
    IOCTLFunctionArray[6].FnPtr = sub_140001C3C;
    IOCTLFunctionArray[7].FnPtr = sub_140001D04;
    IOCTLFunctionArray[8].FnPtr = sub_14000137C;
    IOCTLFunctionArray[9].FnPtr = sub_14000191C;
    IOCTLFunctionArray[10].FnPtr = sub_140001340;
    IOCTLFunctionArray[11].FnPtr = sub_140001A58;
    IOCTLFunctionArray[12].FnPtr = sub_1400019A4;
    IOCTLFunctionArray[13].FnPtr = sub_140001224;
    IOCTLFunctionArray[14].FnPtr = sub_14000187C;
    IOCTLFunctionArray[15].FnPtr = sub_140001488;
    IOCTLFunctionArray[16].FnPtr = sub_140001548;
    IOCTLFunctionArray[17].FnPtr = sub_1400013B8;
    // The three named handlers below are the analyst's labels; the rest are
    // still unnamed sub_* routines.
    IOCTLFunctionArray[18].FnPtr = fn_ReadFileContent_;
    IOCTLFunctionArray[19].FnPtr = fn_IOCTL_ValidatePidPEB;
    IOCTLFunctionArray[20].FnPtr = fn_IOCTL_ControlCallbackRoutines;
    IOCTLFunctionArray[21].FnPtr = sub_1400015CC;
    IOCTLFunctionArray[22].FnPtr = sub_14000107C;
    IOCTLFunctionArray[23].FnPtr = sub_140001D4C; // CR0
    IOCTLFunctionArray[24].FnPtr = sub_140001D88;
    result = 0i64;
    // Index values are the FnIndex each entry answers to (compared in
    // fn_DispatchIOCTLMethod); note 790 sits at slot 6, out of sequence.
    IOCTLFunctionArray[1].Index = 775;
    IOCTLFunctionArray[2].Index = 776;
    IOCTLFunctionArray[3].Index = 777;
    IOCTLFunctionArray[4].Index = 778;
    IOCTLFunctionArray[5].Index = 779;
    IOCTLFunctionArray[6].Index = 790;
    IOCTLFunctionArray[7].Index = 782;
    IOCTLFunctionArray[8].Index = 783;
    IOCTLFunctionArray[9].Index = 785;
    IOCTLFunctionArray[10].Index = 786;
    IOCTLFunctionArray[11].Index = 787;
    IOCTLFunctionArray[12].Index = 788;
    IOCTLFunctionArray[13].Index = 789;
    IOCTLFunctionArray[14].Index = 791;
    IOCTLFunctionArray[15].Index = 792;
    IOCTLFunctionArray[16].Index = 793;
    IOCTLFunctionArray[17].Index = 794;
    IOCTLFunctionArray[18].Index = 796;
    IOCTLFunctionArray[19].Index = 797;
    IOCTLFunctionArray[20].Index = 798;
    IOCTLFunctionArray[21].Index = 799;
    IOCTLFunctionArray[22].Index = 800;
    IOCTLFunctionArray[23].Index = 801;
    IOCTLFunctionArray[24].Index = 802;
    FunctionsCount = 0x19; // 25 live entries; the lookup loop stops here
    return result;
}
--------------------------------------------------------------------------------
/XC3/fn_InitRegistrationNotifyAndCallbackRoutines.asm:
--------------------------------------------------------------------------------
.text:0000000140003550
.text:0000000140003550 ; =============== S U B R O U T I N E =======================================
.text:0000000140003550
.text:0000000140003550
.text:0000000140003550 sub_140003550 proc near ; CODE XREF: DriverEntry+118↓p
.text:0000000140003550 ; DATA XREF: .pdata:000000014000D288↓o
.text:0000000140003550
.text:0000000140003550 DestinationString= UNICODE_STRING ptr -18h
.text:0000000140003550 arg_0 = qword ptr 8
.text:0000000140003550 arg_8 = qword ptr 10h
.text:0000000140003550
.text:0000000140003550 mov [rsp+arg_0], rbx
.text:0000000140003555 mov [rsp+arg_8], rsi
.text:000000014000355A push rdi
.text:000000014000355B sub rsp, 30h
.text:000000014000355F mov esi, 78687A31h 17 | .text:0000000140003564 mov edx, 28h ; NumberOfBytes 18 | .text:0000000140003569 mov r8d, esi ; Tag 19 | .text:000000014000356C xor ecx, ecx ; PoolType 20 | .text:000000014000356E call cs:ExAllocatePoolWithTag 21 | .text:0000000140003574 xor edi, edi 22 | .text:0000000140003576 mov cs:qword_14000CD70, rax 23 | .text:000000014000357D mov rbx, rax 24 | .text:0000000140003580 test rax, rax 25 | .text:0000000140003583 jz loc_1400036E1 26 | .text:0000000140003589 xor edx, edx ; Val 27 | .text:000000014000358B lea r8d, [rdi+28h] ; Size 28 | .text:000000014000358F mov rcx, rax ; Dst 29 | .text:0000000140003592 call memset 30 | .text:0000000140003597 mov [rbx], rdi 31 | .text:000000014000359A lea rcx, Mutex ; Mutex 32 | .text:00000001400035A1 xor edx, edx ; Level 33 | .text:00000001400035A3 mov cs:dword_14000CD18, edi 34 | .text:00000001400035A9 mov cs:dword_14000CD1C, edi 35 | .text:00000001400035AF call cs:KeInitializeMutex 36 | .text:00000001400035B5 mov r8d, esi ; Tag 37 | .text:00000001400035B8 mov edx, 2000h ; NumberOfBytes 38 | .text:00000001400035BD xor ecx, ecx ; PoolType 39 | .text:00000001400035BF call cs:ExAllocatePoolWithTag 40 | .text:00000001400035C5 mov cs:Str1, rax 41 | .text:00000001400035CC test rax, rax 42 | .text:00000001400035CF jz loc_1400036E1 43 | .text:00000001400035D5 mov [rax], di 44 | .text:00000001400035D8 mov cs:qword_14000CD08, rdi 45 | .text:00000001400035DF mov cs:qword_14000CD10, 1000h 46 | .text:00000001400035EA call sub_140003C38 47 | .text:00000001400035EF test eax, eax 48 | .text:00000001400035F1 js loc_1400036E6 49 | .text:00000001400035F7 call sub_140002D60 50 | .text:00000001400035FC call sub_140002ED8 51 | .text:0000000140003601 lea rdx, aPssetcreatepro ; "PsSetCreateProcessNotifyRoutineEx" 52 | .text:0000000140003608 mov cs:dword_14000CD34, edi 53 | .text:000000014000360E lea rcx, [rsp+38h+DestinationString] ; DestinationString 54 | .text:0000000140003613 mov cs:dword_14000CD30, edi 
55 | .text:0000000140003619 call cs:RtlInitUnicodeString 56 | .text:000000014000361F lea rcx, [rsp+38h+DestinationString] ; SystemRoutineName 57 | .text:0000000140003624 call cs:MmGetSystemRoutineAddress 58 | .text:000000014000362A mov cs:qword_14000CD28, rax 59 | .text:0000000140003631 lea esi, [rdi+1] 60 | .text:0000000140003634 test rax, rax 61 | .text:0000000140003637 jz short loc_140003657 62 | .text:0000000140003639 xor edx, edx 63 | .text:000000014000363B lea rcx, sub_1400034C4 64 | .text:0000000140003642 call rax 65 | .text:0000000140003644 mov ecx, cs:dword_14000CD30 66 | .text:000000014000364A test eax, eax 67 | .text:000000014000364C cmovns ecx, esi 68 | .text:000000014000364F mov cs:dword_14000CD30, ecx 69 | .text:0000000140003655 jmp short loc_14000365D 70 | .text:0000000140003657 ; --------------------------------------------------------------------------- 71 | .text:0000000140003657 72 | .text:0000000140003657 loc_140003657: ; CODE XREF: sub_140003550+E7↑j 73 | .text:0000000140003657 mov ecx, cs:dword_14000CD30 74 | .text:000000014000365D 75 | .text:000000014000365D loc_14000365D: ; CODE XREF: sub_140003550+105↑j 76 | .text:000000014000365D test ecx, ecx 77 | .text:000000014000365F jnz short loc_14000367C 78 | .text:0000000140003661 xor edx, edx 79 | .text:0000000140003663 lea rcx, sub_1400034B0 80 | .text:000000014000366A call cs:PsSetCreateProcessNotifyRoutine 81 | .text:0000000140003670 mov ebx, eax 82 | .text:0000000140003672 test eax, eax 83 | .text:0000000140003674 js short loc_140003690 84 | .text:0000000140003676 mov cs:dword_14000CD34, esi 85 | .text:000000014000367C 86 | .text:000000014000367C loc_14000367C: ; CODE XREF: sub_140003550+10F↑j 87 | .text:000000014000367C mov ebx, edi 88 | .text:000000014000367E 89 | .text:000000014000367E loc_14000367E: ; CODE XREF: sub_140003550+146↓j 90 | .text:000000014000367E test ebx, ebx 91 | .text:0000000140003680 jns short loc_140003698 92 | .text:0000000140003682 93 | .text:0000000140003682 
loc_140003682: ; CODE XREF: sub_140003550+179↓j 94 | .text:0000000140003682 ; sub_140003550+18B↓j 95 | .text:0000000140003682 call sub_140002E50 96 | .text:0000000140003687 call nullsub_1 97 | .text:000000014000368C mov eax, ebx 98 | .text:000000014000368E jmp short loc_1400036E6 99 | .text:0000000140003690 ; --------------------------------------------------------------------------- 100 | .text:0000000140003690 101 | .text:0000000140003690 loc_140003690: ; CODE XREF: sub_140003550+124↑j 102 | .text:0000000140003690 mov cs:dword_14000CD34, edi 103 | .text:0000000140003696 jmp short loc_14000367E 104 | .text:0000000140003698 ; --------------------------------------------------------------------------- 105 | .text:0000000140003698 106 | .text:0000000140003698 loc_140003698: ; CODE XREF: sub_140003550+130↑j 107 | .text:0000000140003698 call sub_14000213C 108 | .text:000000014000369D mov ebx, eax 109 | .text:000000014000369F test eax, eax 110 | .text:00000001400036A1 jns short loc_1400036DD 111 | .text:00000001400036A3 cmp cs:dword_14000CD30, edi 112 | .text:00000001400036A9 jz short loc_1400036C3 113 | .text:00000001400036AB mov rax, cs:qword_14000CD28 114 | .text:00000001400036B2 test rax, rax 115 | .text:00000001400036B5 jz short loc_1400036C3 116 | .text:00000001400036B7 mov dl, sil 117 | .text:00000001400036BA lea rcx, sub_1400034C4 118 | .text:00000001400036C1 call rax ; qword_14000CD28 119 | .text:00000001400036C3 120 | .text:00000001400036C3 loc_1400036C3: ; CODE XREF: sub_140003550+159↑j 121 | .text:00000001400036C3 ; sub_140003550+165↑j 122 | .text:00000001400036C3 cmp cs:dword_14000CD34, edi 123 | .text:00000001400036C9 jz short loc_140003682 124 | .text:00000001400036CB mov dl, sil 125 | .text:00000001400036CE lea rcx, sub_1400034B0 126 | .text:00000001400036D5 call cs:PsSetCreateProcessNotifyRoutine 127 | .text:00000001400036DB jmp short loc_140003682 128 | .text:00000001400036DD ; --------------------------------------------------------------------------- 
129 | .text:00000001400036DD 130 | .text:00000001400036DD loc_1400036DD: ; CODE XREF: sub_140003550+151↑j 131 | .text:00000001400036DD xor eax, eax 132 | .text:00000001400036DF jmp short loc_1400036E6 133 | .text:00000001400036E1 ; --------------------------------------------------------------------------- 134 | .text:00000001400036E1 135 | .text:00000001400036E1 loc_1400036E1: ; CODE XREF: sub_140003550+33↑j 136 | .text:00000001400036E1 ; sub_140003550+7F↑j 137 | .text:00000001400036E1 mov eax, 0C000009Ah 138 | .text:00000001400036E6 139 | .text:00000001400036E6 loc_1400036E6: ; CODE XREF: sub_140003550+A1↑j 140 | .text:00000001400036E6 ; sub_140003550+13E↑j ... 141 | .text:00000001400036E6 mov rbx, [rsp+38h+arg_0] 142 | .text:00000001400036EB mov rsi, [rsp+38h+arg_8] 143 | .text:00000001400036F0 add rsp, 30h 144 | .text:00000001400036F4 pop rdi 145 | .text:00000001400036F5 retn 146 | .text:00000001400036F5 sub_140003550 endp 147 | .text:00000001400036F5 148 | .text:00000001400036F5 ; --------------------------------------------------------------------------- -------------------------------------------------------------------------------- /XC3/fn_InitRegistrationNotifyAndCallbackRoutines_original.c: -------------------------------------------------------------------------------- 1 | __int64 sub_140003550() 2 | { 3 | _QWORD *v0; // rax 4 | _QWORD *v1; // rbx 5 | wchar_t *v2; // rax 6 | __int64 result; // rax 7 | PVOID v4; // rax 8 | int v5; // eax 9 | signed int v6; // ecx 10 | signed int v7; // ebx 11 | __int64 v8; // rdx 12 | UNICODE_STRING DestinationString; // [rsp+20h] [rbp-18h] 13 | 14 | v0 = ExAllocatePoolWithTag(0, 0x28ui64, 0x78687A31u); 15 | qword_14000CD70 = v0; 16 | v1 = v0; 17 | if (!v0) 18 | return 3221225626i64; 19 | memset(v0, 0, 0x28ui64); 20 | *v1 = 0i64; 21 | dword_14000CD18 = 0; 22 | dword_14000CD1C = 0; 23 | KeInitializeMutex(&Mutex, 0); 24 | v2 = ExAllocatePoolWithTag(0, 0x2000ui64, 0x78687A31u); 25 | Str1 = v2; 26 | if (!v2) 27 | return 
3221225626i64; 28 | *v2 = 0; 29 | qword_14000CD08 = 0i64; 30 | qword_14000CD10 = 4096i64; 31 | result = sub_140003C38(); 32 | if (result < 0) 33 | return result; 34 | sub_140002D60(); 35 | sub_140002ED8(); 36 | dword_14000CD34 = 0; 37 | dword_14000CD30 = 0; 38 | RtlInitUnicodeString(&DestinationString, L"PsSetCreateProcessNotifyRoutineEx"); 39 | v4 = MmGetSystemRoutineAddress(&DestinationString); 40 | qword_14000CD28 = v4; 41 | if (v4) 42 | { 43 | v5 = (v4)(sub_1400034C4, 0i64); 44 | v6 = dword_14000CD30; 45 | if (v5 >= 0) 46 | v6 = 1; 47 | dword_14000CD30 = v6; 48 | } 49 | else 50 | { 51 | v6 = dword_14000CD30; 52 | } 53 | if (!v6) 54 | { 55 | v7 = PsSetCreateProcessNotifyRoutine(sub_1400034B0, 0i64); 56 | if (v7 < 0) 57 | { 58 | dword_14000CD34 = 0; 59 | goto LABEL_13; 60 | } 61 | dword_14000CD34 = 1; 62 | } 63 | v7 = 0; 64 | LABEL_13: 65 | if (v7 < 0) 66 | { 67 | LABEL_14: 68 | sub_140002E50(); 69 | nullsub_1(); 70 | return v7; 71 | } 72 | v7 = sub_14000213C(); 73 | if (v7 < 0) 74 | { 75 | if (dword_14000CD30 && qword_14000CD28) 76 | { 77 | LOBYTE(v8) = 1; 78 | qword_14000CD28(sub_1400034C4, v8); 79 | } 80 | if (dword_14000CD34) 81 | { 82 | LOBYTE(v8) = 1; 83 | PsSetCreateProcessNotifyRoutine(sub_1400034B0, v8); 84 | } 85 | goto LABEL_14; 86 | } 87 | return 0i64; 88 | } -------------------------------------------------------------------------------- /XC3/fn_InitRegistrationNotifyAndCallbackRoutines_reversed.c: -------------------------------------------------------------------------------- 1 | signed __int64 fn_InitRegistrationNotifyAndCallbackRoutines() 2 | { 3 | _QWORD *v0; // rax 4 | _QWORD *v1; // rbx 5 | wchar_t *v2; // rax 6 | signed __int64 result; // rax 7 | __int64(__fastcall *PsSetCreateProcessNotifyRoutineEx)(PVOID, BOOLEAN); // rax 8 | int ntStatus; // eax 9 | signed int v6; // ecx 10 | signed int ntStatus_1; // ebx 11 | __int64 _RemoveRoutine; // rdx 12 | UNICODE_STRING DestinationString; // [rsp+20h] [rbp-18h] 13 | 14 | v0 = 
ExAllocatePoolWithTag(0, 0x28ui64, 0x78687A31u); 15 | qword_14000CD70 = v0; 16 | v1 = v0; 17 | if (!v0) 18 | return 0xC000009Ai64; 19 | memset(v0, 0, 0x28ui64); 20 | *v1 = 0i64; 21 | task_status_NotifyCallbackRoutine = 0; // Task mutex 22 | bNotifyCallbackRoutines = 0; 23 | KeInitializeMutex(&BlackCipherMutex, 0); 24 | v2 = ExAllocatePoolWithTag(0, 0x2000ui64, 0x78687A31u); 25 | Str1 = v2; 26 | if (!v2) 27 | return 0xC000009Ai64; 28 | *v2 = 0; 29 | qword_14000CD08 = 0i64; 30 | someMaxValue = 0x1000i64; 31 | result = j_fn_ConfigWindowsVersion(); 32 | if (result < 0) 33 | return result; 34 | fn_InitWeirdVariables_(); 35 | fn_InitWeirdVariables2_(); 36 | status_PsSetCreateProcessNotifyRoutine = 0; 37 | status_PsSetCreateProcessNotifyRoutineEx = 0; 38 | RtlInitUnicodeString(&DestinationString, L"PsSetCreateProcessNotifyRoutineEx"); 39 | PsSetCreateProcessNotifyRoutineEx = MmGetSystemRoutineAddress(&DestinationString); 40 | fn_pPsSetCreateProcessNotifyRoutineEx = PsSetCreateProcessNotifyRoutineEx; 41 | if (PsSetCreateProcessNotifyRoutineEx) 42 | { 43 | ntStatus = PsSetCreateProcessNotifyRoutineEx(fn_CreateProcessNotifyRoutineExImp, 0i64); 44 | v6 = status_PsSetCreateProcessNotifyRoutineEx; 45 | if (ntStatus >= 0) 46 | v6 = 1; 47 | status_PsSetCreateProcessNotifyRoutineEx = v6; 48 | } 49 | else 50 | { 51 | v6 = status_PsSetCreateProcessNotifyRoutineEx; 52 | } 53 | if (!v6) 54 | { 55 | ntStatus_1 = PsSetCreateProcessNotifyRoutine(fn_CreateProcessNotifyRoutine, 0i64); 56 | if (ntStatus_1 < 0) 57 | { 58 | status_PsSetCreateProcessNotifyRoutine = 0; 59 | goto LABEL_13; 60 | } 61 | status_PsSetCreateProcessNotifyRoutine = 1; 62 | } 63 | ntStatus_1 = 0; 64 | LABEL_13: 65 | if (ntStatus_1 < 0) 66 | { 67 | 68 | label_exit: 69 | fn_InitWeirdVariables3_(); 70 | nullsub_1(); 71 | return ntStatus_1; 72 | 73 | } 74 | 75 | 76 | ntStatus_1 = fn_RegisterCallbackFunction(); 77 | 78 | if (ntStatus_1 < 0) // In case the registerCallbackFunction failed, we need to remove the Notify routines 
previously registered. 79 | { 80 | 81 | if (status_PsSetCreateProcessNotifyRoutineEx && fn_pPsSetCreateProcessNotifyRoutineEx) 82 | fn_pPsSetCreateProcessNotifyRoutineEx(fn_CreateProcessNotifyRoutineExImp, 1u);// 2nd Parameter equal to 1 == remove 83 | if (status_PsSetCreateProcessNotifyRoutine) 84 | { 85 | LOBYTE(_RemoveRoutine) = 1; 86 | PsSetCreateProcessNotifyRoutine(fn_CreateProcessNotifyRoutine, _RemoveRoutine); 87 | } 88 | goto label_exit; 89 | 90 | } 91 | return 0i64; 92 | } -------------------------------------------------------------------------------- /XC3/fn_ObtainKernelFunctions.asm: -------------------------------------------------------------------------------- 1 | .text:0000000140002A18 2 | .text:0000000140002A18 ; =============== S U B R O U T I N E ======================================= 3 | .text:0000000140002A18 4 | .text:0000000140002A18 5 | .text:0000000140002A18 sub_140002A18 proc near ; CODE XREF: DriverEntry+123↓p 6 | .text:0000000140002A18 ; DATA XREF: .pdata:000000014000D1B0↓o 7 | .text:0000000140002A18 8 | .text:0000000140002A18 DestinationString= UNICODE_STRING ptr -18h 9 | .text:0000000140002A18 10 | .text:0000000140002A18 sub rsp, 38h 11 | .text:0000000140002A1C lea rdx, SourceString ; "ObGetFilterVersion" 12 | .text:0000000140002A23 lea rcx, [rsp+38h+DestinationString] ; DestinationString 13 | .text:0000000140002A28 call cs:RtlInitUnicodeString 14 | .text:0000000140002A2E lea rcx, [rsp+38h+DestinationString] ; SystemRoutineName 15 | .text:0000000140002A33 call cs:MmGetSystemRoutineAddress 16 | .text:0000000140002A39 lea rdx, aObregistercall ; "ObRegisterCallbacks" 17 | .text:0000000140002A40 mov cs:qword_14000A288, rax 18 | .text:0000000140002A47 lea rcx, [rsp+38h+DestinationString] ; DestinationString 19 | .text:0000000140002A4C call cs:RtlInitUnicodeString 20 | .text:0000000140002A52 lea rcx, [rsp+38h+DestinationString] ; SystemRoutineName 21 | .text:0000000140002A57 call cs:MmGetSystemRoutineAddress 22 | .text:0000000140002A5D lea 
rdx, aObunregisterca ; "ObUnRegisterCallbacks"
23 | .text:0000000140002A64 mov cs:qword_14000A278, rax
24 | .text:0000000140002A6B lea rcx, [rsp+38h+DestinationString] ; DestinationString
25 | .text:0000000140002A70 call cs:RtlInitUnicodeString
26 | .text:0000000140002A76 lea rcx, [rsp+38h+DestinationString] ; SystemRoutineName
27 | .text:0000000140002A7B call cs:MmGetSystemRoutineAddress
28 | .text:0000000140002A81 lea rdx, aExfacquirepush ; "ExfAcquirePushLockExclusive"
29 | .text:0000000140002A88 mov cs:qword_14000A280, rax
30 | .text:0000000140002A8F lea rcx, [rsp+38h+DestinationString] ; DestinationString
31 | .text:0000000140002A94 call cs:RtlInitUnicodeString
32 | .text:0000000140002A9A lea rcx, [rsp+38h+DestinationString] ; SystemRoutineName
33 | .text:0000000140002A9F call cs:MmGetSystemRoutineAddress
34 | .text:0000000140002AA5 lea rdx, aExfreleasepush ; "ExfReleasePushLockExclusive"
35 | .text:0000000140002AAC mov cs:qword_14000A290, rax
36 | .text:0000000140002AB3 lea rcx, [rsp+38h+DestinationString] ; DestinationString
37 | .text:0000000140002AB8 call cs:RtlInitUnicodeString
38 | .text:0000000140002ABE lea rcx, [rsp+38h+DestinationString] ; SystemRoutineName
39 | .text:0000000140002AC3 call cs:MmGetSystemRoutineAddress
40 | .text:0000000140002AC9 mov cs:qword_14000A298, rax
41 | .text:0000000140002AD0 xor eax, eax
42 | .text:0000000140002AD2 add rsp, 38h
43 | .text:0000000140002AD6 retn
44 | .text:0000000140002AD6 sub_140002A18 endp
45 | .text:0000000140002AD6
46 | .text:0000000140002AD6 ; ---------------------------------------------------------------------------
--------------------------------------------------------------------------------
/XC3/fn_ObtainKernelFunctions_original.c:
--------------------------------------------------------------------------------
/*
 * sub_140002A18 - resolve kernel exports by name at load time (raw decompiler output).
 *
 * Looks up five ntoskrnl routines with MmGetSystemRoutineAddress() and caches the
 * results in globals:
 *   qword_14000A288 <- ObGetFilterVersion
 *   qword_14000A278 <- ObRegisterCallbacks
 *   qword_14000A280 <- ObUnRegisterCallbacks
 *   qword_14000A290 <- ExfAcquirePushLockExclusive
 *   qword_14000A298 <- ExfReleasePushLockExclusive
 *
 * Returns 0 unconditionally; the success of the individual lookups is not reported.
 * MmGetSystemRoutineAddress yields NULL for a name the running kernel does not
 * export (the Ob*Callbacks API does not exist on older kernels, which is presumably
 * why ObGetFilterVersion is probed at all; the Exf* push-lock routines are not
 * declared in the public WDK headers, the usual reason for a dynamic lookup), so
 * every consumer of these globals has to test for NULL before calling through
 * them - nothing in this routine does.
 *
 * The matching .asm listing interleaves the stores: each "mov cs:qword_..., rax"
 * saves the previous lookup's result after the next name has already been loaded
 * into rdx. The decompiled form below is the un-interleaved equivalent.
 */
__int64 sub_140002A18()
{
    UNICODE_STRING DestinationString; // [rsp+20h] [rbp-18h]

    RtlInitUnicodeString(&DestinationString, L"ObGetFilterVersion");
    qword_14000A288 = (__int64)MmGetSystemRoutineAddress(&DestinationString);
    RtlInitUnicodeString(&DestinationString, L"ObRegisterCallbacks");
    qword_14000A278 = (__int64)MmGetSystemRoutineAddress(&DestinationString);
    RtlInitUnicodeString(&DestinationString, L"ObUnRegisterCallbacks");
    qword_14000A280 = (__int64)MmGetSystemRoutineAddress(&DestinationString);
    RtlInitUnicodeString(&DestinationString, L"ExfAcquirePushLockExclusive");
    qword_14000A290 = (__int64)MmGetSystemRoutineAddress(&DestinationString);
    RtlInitUnicodeString(&DestinationString, L"ExfReleasePushLockExclusive");
    qword_14000A298 = (__int64)MmGetSystemRoutineAddress(&DestinationString);
    // No NULL checks: a missing export leaves a NULL in the corresponding global.
    return 0i64;
}
--------------------------------------------------------------------------------
/XC3/fn_ObtainKernelFunctions_reversed.c:
--------------------------------------------------------------------------------
/*
 * fn_ObtainKernelFunctions - the same routine as in fn_ObtainKernelFunctions_original.c
 * with the analyst's names applied.
 *
 * Each MmGetSystemRoutineAddress() result is stored in a global named after the
 * export it holds. Those globals are declared elsewhere in the project (presumably
 * Headers/definitions.h - not visible here); the (__int64) casts of the original
 * are gone, so they are presumably declared with pointer types.
 *
 * Returns 0 unconditionally. Any of the five globals may be NULL afterwards when
 * the running kernel does not export that name; callers must check before use.
 */
__int64 fn_ObtainKernelFunctions()
{
    UNICODE_STRING DestinationString; // [rsp+20h] [rbp-18h]

    RtlInitUnicodeString(&DestinationString, L"ObGetFilterVersion");
    ObGetFilterVersion_ = MmGetSystemRoutineAddress(&DestinationString);
    RtlInitUnicodeString(&DestinationString, L"ObRegisterCallbacks");
    ObRegisterCallbacks_ = MmGetSystemRoutineAddress(&DestinationString);
    RtlInitUnicodeString(&DestinationString, L"ObUnRegisterCallbacks");
    ObUnRegisterCallbacks_ = MmGetSystemRoutineAddress(&DestinationString);
    RtlInitUnicodeString(&DestinationString, L"ExfAcquirePushLockExclusive");
    ExfAcquirePushLockExclusive = MmGetSystemRoutineAddress(&DestinationString);
    RtlInitUnicodeString(&DestinationString, L"ExfReleasePushLockExclusive");
    ExfReleasePushLockExclusive = MmGetSystemRoutineAddress(&DestinationString);
    return 0i64;
}
--------------------------------------------------------------------------------
/XC3/j_fn_ConfigWindowsVersion.asm:
--------------------------------------------------------------------------------
1 |
.text:0000000140003C38 2 | .text:0000000140003C38 ; =============== S U B R O U T I N E ======================================= 3 | .text:0000000140003C38 4 | .text:0000000140003C38 ; Attributes: thunk 5 | .text:0000000140003C38 6 | .text:0000000140003C38 sub_140003C38 proc near ; CODE XREF: sub_140003550+9A↑p 7 | .text:0000000140003C38 jmp sub_14000646C 8 | .text:0000000140003C38 sub_140003C38 endp 9 | .text:0000000140003C38 10 | .text:0000000140003C38 ; --------------------------------------------------------------------------- 11 | 12 | 13 | 14 | 15 | .text:000000014000646C ; =============== S U B R O U T I N E ======================================= 16 | .text:000000014000646C 17 | .text:000000014000646C 18 | .text:000000014000646C sub_14000646C proc near ; CODE XREF: sub_140003C38↑j 19 | .text:000000014000646C ; DATA XREF: .pdata:000000014000D588↓o 20 | .text:000000014000646C 21 | .text:000000014000646C arg_0 = dword ptr 8 22 | .text:000000014000646C arg_8 = dword ptr 10h 23 | .text:000000014000646C arg_10 = dword ptr 18h 24 | .text:000000014000646C 25 | .text:000000014000646C sub rsp, 28h 26 | .text:0000000140006470 xor r9d, r9d 27 | .text:0000000140006473 lea r8, [rsp+28h+arg_8] 28 | .text:0000000140006478 lea rdx, [rsp+28h+arg_0] 29 | .text:000000014000647D lea rcx, [rsp+28h+arg_10] 30 | .text:0000000140006482 call cs:PsGetVersion 31 | .text:0000000140006488 mov ecx, [rsp+28h+arg_10] 32 | .text:000000014000648C mov eax, [rsp+28h+arg_8] 33 | .text:0000000140006490 mov cs:dword_14000CDEC, eax 34 | .text:0000000140006496 cmp ecx, 0Ah 35 | .text:0000000140006499 jnz loc_1400067B0 36 | .text:000000014000649F cmp [rsp+28h+arg_0], 0 37 | .text:00000001400064A4 jnz loc_140006A42 38 | .text:00000001400064AA mov ecx, 295Ah 39 | .text:00000001400064AF cmp eax, ecx 40 | .text:00000001400064B1 jnb short loc_14000652B 41 | .text:00000001400064B3 lea rax, off_140009A00 42 | .text:00000001400064BA mov cs:dword_14000CDE8, 9 43 | .text:00000001400064C4 mov 
cs:qword_14000CDF0, rax 44 | .text:00000001400064CB lea rax, off_140009A48 45 | .text:00000001400064D2 mov cs:qword_14000CDF8, rax 46 | .text:00000001400064D9 lea rax, off_140009A68 47 | .text:00000001400064E0 mov cs:qword_14000CE00, rax 48 | .text:00000001400064E7 lea rax, off_140009A70 49 | .text:00000001400064EE mov cs:qword_14000CE08, rax 50 | .text:00000001400064F5 lea rax, off_140009A78 51 | .text:00000001400064FC mov cs:qword_14000CE10, rax 52 | .text:0000000140006503 lea rax, off_140009A80 53 | .text:000000014000650A mov cs:qword_14000CE18, rax 54 | .text:0000000140006511 lea rax, off_140009AA8 55 | .text:0000000140006518 mov cs:qword_14000CE20, rax 56 | .text:000000014000651F lea rax, off_140009AB8 57 | .text:0000000140006526 jmp loc_140006A37 58 | .text:000000014000652B ; --------------------------------------------------------------------------- 59 | .text:000000014000652B 60 | .text:000000014000652B loc_14000652B: ; CODE XREF: sub_14000646C+45↑j 61 | .text:000000014000652B ja short loc_1400065A5 62 | .text:000000014000652D lea rax, off_140009AD0 63 | .text:0000000140006534 mov cs:dword_14000CDE8, 0Ah 64 | .text:000000014000653E mov cs:qword_14000CDF0, rax 65 | .text:0000000140006545 lea rax, off_140009B18 66 | .text:000000014000654C mov cs:qword_14000CDF8, rax 67 | .text:0000000140006553 lea rax, off_140009B38 68 | .text:000000014000655A mov cs:qword_14000CE00, rax 69 | .text:0000000140006561 lea rax, off_140009B40 70 | .text:0000000140006568 mov cs:qword_14000CE08, rax 71 | .text:000000014000656F lea rax, off_140009B48 72 | .text:0000000140006576 mov cs:qword_14000CE10, rax 73 | .text:000000014000657D lea rax, off_140009B50 74 | .text:0000000140006584 mov cs:qword_14000CE18, rax 75 | .text:000000014000658B lea rax, off_140009B78 76 | .text:0000000140006592 mov cs:qword_14000CE20, rax 77 | .text:0000000140006599 lea rax, off_140009B88 78 | .text:00000001400065A0 jmp loc_140006A37 79 | .text:00000001400065A5 ; 
--------------------------------------------------------------------------- 80 | .text:00000001400065A5 81 | .text:00000001400065A5 loc_1400065A5: ; CODE XREF: sub_14000646C:loc_14000652B↑j 82 | .text:00000001400065A5 cmp eax, 3839h 83 | .text:00000001400065AA ja short loc_140006624 84 | .text:00000001400065AC lea rax, off_140009D40 85 | .text:00000001400065B3 mov cs:dword_14000CDE8, 0Bh 86 | .text:00000001400065BD mov cs:qword_14000CDF0, rax 87 | .text:00000001400065C4 lea rax, off_140009D88 88 | .text:00000001400065CB mov cs:qword_14000CDF8, rax 89 | .text:00000001400065D2 lea rax, off_140009D38 90 | .text:00000001400065D9 mov cs:qword_14000CE00, rax 91 | .text:00000001400065E0 lea rax, off_140009DA8 92 | .text:00000001400065E7 mov cs:qword_14000CE08, rax 93 | .text:00000001400065EE lea rax, off_140009DB0 94 | .text:00000001400065F5 mov cs:qword_14000CE10, rax 95 | .text:00000001400065FC lea rax, off_140009DB8 96 | .text:0000000140006603 mov cs:qword_14000CE18, rax 97 | .text:000000014000660A lea rax, off_140009DE0 98 | .text:0000000140006611 mov cs:qword_14000CE20, rax 99 | .text:0000000140006618 lea rax, off_140009DF0 100 | .text:000000014000661F jmp loc_140006A37 101 | .text:0000000140006624 ; --------------------------------------------------------------------------- 102 | .text:0000000140006624 103 | .text:0000000140006624 loc_140006624: ; CODE XREF: sub_14000646C+13E↑j 104 | .text:0000000140006624 cmp eax, 3AD7h 105 | .text:0000000140006629 ja short loc_1400066A3 106 | .text:000000014000662B mov cs:dword_14000CDE8, 0Ch 107 | .text:0000000140006635 108 | .text:0000000140006635 loc_140006635: ; CODE XREF: sub_14000646C+33F↓j 109 | .text:0000000140006635 lea rax, off_140009520 110 | .text:000000014000663C mov cs:qword_14000CDF0, rax 111 | .text:0000000140006643 lea rax, off_140009568 112 | .text:000000014000664A mov cs:qword_14000CDF8, rax 113 | .text:0000000140006651 lea rax, off_140009588 114 | .text:0000000140006658 mov cs:qword_14000CE00, rax 115 | 
.text:000000014000665F lea rax, off_140009590 116 | .text:0000000140006666 mov cs:qword_14000CE08, rax 117 | .text:000000014000666D lea rax, off_140009598 118 | .text:0000000140006674 mov cs:qword_14000CE10, rax 119 | .text:000000014000667B lea rax, off_1400095A0 120 | .text:0000000140006682 mov cs:qword_14000CE18, rax 121 | .text:0000000140006689 lea rax, off_1400095C8 122 | .text:0000000140006690 mov cs:qword_14000CE20, rax 123 | .text:0000000140006697 lea rax, off_1400096A8 124 | .text:000000014000669E jmp loc_140006A37 125 | .text:00000001400066A3 ; --------------------------------------------------------------------------- 126 | .text:00000001400066A3 127 | .text:00000001400066A3 loc_1400066A3: ; CODE XREF: sub_14000646C+1BD↑j 128 | .text:00000001400066A3 cmp eax, 3FABh 129 | .text:00000001400066A8 ja short loc_140006722 130 | .text:00000001400066AA lea rax, off_140009BA0 131 | .text:00000001400066B1 mov cs:dword_14000CDE8, 0Dh 132 | .text:00000001400066BB mov cs:qword_14000CDF0, rax 133 | .text:00000001400066C2 lea rax, off_140009BE8 134 | .text:00000001400066C9 mov cs:qword_14000CDF8, rax 135 | .text:00000001400066D0 lea rax, off_140009C08 136 | .text:00000001400066D7 mov cs:qword_14000CE00, rax 137 | .text:00000001400066DE lea rax, off_140009C10 138 | .text:00000001400066E5 mov cs:qword_14000CE08, rax 139 | .text:00000001400066EC lea rax, off_140009C18 140 | .text:00000001400066F3 mov cs:qword_14000CE10, rax 141 | .text:00000001400066FA lea rax, off_140009C20 142 | .text:0000000140006701 mov cs:qword_14000CE18, rax 143 | .text:0000000140006708 lea rax, off_140009C48 144 | .text:000000014000670F mov cs:qword_14000CE20, rax 145 | .text:0000000140006716 lea rax, off_140009C58 146 | .text:000000014000671D jmp loc_140006A37 147 | .text:0000000140006722 ; --------------------------------------------------------------------------- 148 | .text:0000000140006722 149 | .text:0000000140006722 loc_140006722: ; CODE XREF: sub_14000646C+23C↑j 150 | .text:0000000140006722 
cmp eax, 42EEh 151 | .text:0000000140006727 ja short loc_1400067A1 152 | .text:0000000140006729 lea rax, off_140009C70 153 | .text:0000000140006730 mov cs:dword_14000CDE8, 0Eh 154 | .text:000000014000673A mov cs:qword_14000CDF0, rax 155 | .text:0000000140006741 lea rax, off_140009CB8 156 | .text:0000000140006748 mov cs:qword_14000CDF8, rax 157 | .text:000000014000674F lea rax, unk_14000CE30 158 | .text:0000000140006756 mov cs:qword_14000CE00, rax 159 | .text:000000014000675D lea rax, off_140009CD8 160 | .text:0000000140006764 mov cs:qword_14000CE08, rax 161 | .text:000000014000676B lea rax, off_140009CE0 162 | .text:0000000140006772 mov cs:qword_14000CE10, rax 163 | .text:0000000140006779 lea rax, off_140009CE8 164 | .text:0000000140006780 mov cs:qword_14000CE18, rax 165 | .text:0000000140006787 lea rax, off_140009D10 166 | .text:000000014000678E mov cs:qword_14000CE20, rax 167 | .text:0000000140006795 lea rax, off_140009D20 168 | .text:000000014000679C jmp loc_140006A37 169 | .text:00000001400067A1 ; --------------------------------------------------------------------------- 170 | .text:00000001400067A1 171 | .text:00000001400067A1 loc_1400067A1: ; CODE XREF: sub_14000646C+2BB↑j 172 | .text:00000001400067A1 mov cs:dword_14000CDE8, 0Fh 173 | .text:00000001400067AB jmp loc_140006635 174 | .text:00000001400067B0 ; --------------------------------------------------------------------------- 175 | .text:00000001400067B0 176 | .text:00000001400067B0 loc_1400067B0: ; CODE XREF: sub_14000646C+2D↑j 177 | .text:00000001400067B0 cmp ecx, 6 178 | .text:00000001400067B3 jnz loc_1400069B4 179 | .text:00000001400067B9 mov eax, [rsp+28h+arg_0] 180 | .text:00000001400067BD cmp eax, 3 181 | .text:00000001400067C0 jnz short loc_14000683A 182 | .text:00000001400067C2 lea rax, off_140009930 183 | .text:00000001400067C9 mov cs:dword_14000CDE8, 8 184 | .text:00000001400067D3 mov cs:qword_14000CDF0, rax 185 | .text:00000001400067DA lea rax, off_140009978 186 | .text:00000001400067E1 mov 
cs:qword_14000CDF8, rax 187 | .text:00000001400067E8 lea rax, off_140009998 188 | .text:00000001400067EF mov cs:qword_14000CE00, rax 189 | .text:00000001400067F6 lea rax, off_1400099A0 190 | .text:00000001400067FD mov cs:qword_14000CE08, rax 191 | .text:0000000140006804 lea rax, off_1400099A8 192 | .text:000000014000680B mov cs:qword_14000CE10, rax 193 | .text:0000000140006812 lea rax, off_1400099B0 194 | .text:0000000140006819 mov cs:qword_14000CE18, rax 195 | .text:0000000140006820 lea rax, off_1400099D8 196 | .text:0000000140006827 mov cs:qword_14000CE20, rax 197 | .text:000000014000682E lea rax, off_1400099E8 198 | .text:0000000140006835 jmp loc_140006A37 199 | .text:000000014000683A ; --------------------------------------------------------------------------- 200 | .text:000000014000683A 201 | .text:000000014000683A loc_14000683A: ; CODE XREF: sub_14000646C+354↑j 202 | .text:000000014000683A cmp eax, 2 203 | .text:000000014000683D jnz short loc_1400068B7 204 | .text:000000014000683F lea rax, off_140009860 205 | .text:0000000140006846 mov cs:dword_14000CDE8, 7 206 | .text:0000000140006850 mov cs:qword_14000CDF0, rax 207 | .text:0000000140006857 lea rax, off_1400098A8 208 | .text:000000014000685E mov cs:qword_14000CDF8, rax 209 | .text:0000000140006865 lea rax, off_1400098C8 210 | .text:000000014000686C mov cs:qword_14000CE00, rax 211 | .text:0000000140006873 lea rax, off_1400098D0 212 | .text:000000014000687A mov cs:qword_14000CE08, rax 213 | .text:0000000140006881 lea rax, off_1400098D8 214 | .text:0000000140006888 mov cs:qword_14000CE10, rax 215 | .text:000000014000688F lea rax, off_1400098E0 216 | .text:0000000140006896 mov cs:qword_14000CE18, rax 217 | .text:000000014000689D lea rax, off_140009908 218 | .text:00000001400068A4 mov cs:qword_14000CE20, rax 219 | .text:00000001400068AB lea rax, off_140009918 220 | .text:00000001400068B2 jmp loc_140006A37 221 | .text:00000001400068B7 ; --------------------------------------------------------------------------- 
222 | .text:00000001400068B7 223 | .text:00000001400068B7 loc_1400068B7: ; CODE XREF: sub_14000646C+3D1↑j 224 | .text:00000001400068B7 cmp eax, 1 225 | .text:00000001400068BA jnz short loc_140006934 226 | .text:00000001400068BC lea rax, off_1400095E0 227 | .text:00000001400068C3 mov cs:dword_14000CDE8, 6 228 | .text:00000001400068CD mov cs:qword_14000CDF0, rax 229 | .text:00000001400068D4 lea rax, off_140009628 230 | .text:00000001400068DB mov cs:qword_14000CDF8, rax 231 | .text:00000001400068E2 lea rax, off_1400095D8 232 | .text:00000001400068E9 mov cs:qword_14000CE00, rax 233 | .text:00000001400068F0 lea rax, off_140009648 234 | .text:00000001400068F7 mov cs:qword_14000CE08, rax 235 | .text:00000001400068FE lea rax, off_140009650 236 | .text:0000000140006905 mov cs:qword_14000CE10, rax 237 | .text:000000014000690C lea rax, off_140009658 238 | .text:0000000140006913 mov cs:qword_14000CE18, rax 239 | .text:000000014000691A lea rax, off_140009680 240 | .text:0000000140006921 mov cs:qword_14000CE20, rax 241 | .text:0000000140006928 lea rax, off_140009690 242 | .text:000000014000692F jmp loc_140006A37 243 | .text:0000000140006934 ; --------------------------------------------------------------------------- 244 | .text:0000000140006934 245 | .text:0000000140006934 loc_140006934: ; CODE XREF: sub_14000646C+44E↑j 246 | .text:0000000140006934 test eax, eax 247 | .text:0000000140006936 jnz loc_140006A42 248 | .text:000000014000693C lea rax, off_140009790 249 | .text:0000000140006943 mov cs:dword_14000CDE8, 4 250 | .text:000000014000694D mov cs:qword_14000CDF0, rax 251 | .text:0000000140006954 lea rax, off_1400097D8 252 | .text:000000014000695B mov cs:qword_14000CDF8, rax 253 | .text:0000000140006962 lea rax, off_1400097F8 254 | .text:0000000140006969 mov cs:qword_14000CE00, rax 255 | .text:0000000140006970 lea rax, off_140009800 256 | .text:0000000140006977 mov cs:qword_14000CE08, rax 257 | .text:000000014000697E lea rax, off_140009808 258 | .text:0000000140006985 mov 
cs:qword_14000CE10, rax 259 | .text:000000014000698C lea rax, off_140009810 260 | .text:0000000140006993 mov cs:qword_14000CE18, rax 261 | .text:000000014000699A lea rax, off_140009838 262 | .text:00000001400069A1 mov cs:qword_14000CE20, rax 263 | .text:00000001400069A8 lea rax, off_140009848 264 | .text:00000001400069AF jmp loc_140006A37 265 | .text:00000001400069B4 ; --------------------------------------------------------------------------- 266 | .text:00000001400069B4 267 | .text:00000001400069B4 loc_1400069B4: ; CODE XREF: sub_14000646C+347↑j 268 | .text:00000001400069B4 cmp ecx, 5 269 | .text:00000001400069B7 jnz loc_140006A42 270 | .text:00000001400069BD cmp [rsp+28h+arg_0], 2 271 | .text:00000001400069C2 jnz short loc_140006A42 272 | .text:00000001400069C4 lea rax, off_1400096C0 273 | .text:00000001400069CB mov cs:dword_14000CDE8, 3 274 | .text:00000001400069D5 mov cs:qword_14000CDF0, rax 275 | .text:00000001400069DC lea rax, off_140009708 276 | .text:00000001400069E3 mov cs:qword_14000CDF8, rax 277 | .text:00000001400069EA lea rax, off_140009728 278 | .text:00000001400069F1 mov cs:qword_14000CE00, rax 279 | .text:00000001400069F8 lea rax, off_140009730 280 | .text:00000001400069FF mov cs:qword_14000CE08, rax 281 | .text:0000000140006A06 lea rax, off_140009738 282 | .text:0000000140006A0D mov cs:qword_14000CE10, rax 283 | .text:0000000140006A14 lea rax, off_140009740 284 | .text:0000000140006A1B mov cs:qword_14000CE18, rax 285 | .text:0000000140006A22 lea rax, off_140009768 286 | .text:0000000140006A29 mov cs:qword_14000CE20, rax 287 | .text:0000000140006A30 lea rax, off_140009778 288 | .text:0000000140006A37 289 | .text:0000000140006A37 loc_140006A37: ; CODE XREF: sub_14000646C+BA↑j 290 | .text:0000000140006A37 ; sub_14000646C+134↑j ... 
291 | .text:0000000140006A37 mov cs:qword_14000CE28, rax
292 | .text:0000000140006A3E xor eax, eax
293 | .text:0000000140006A40 jmp short loc_140006A4E
294 | .text:0000000140006A42 ; ---------------------------------------------------------------------------
295 | .text:0000000140006A42
296 | .text:0000000140006A42 loc_140006A42: ; CODE XREF: sub_14000646C+38↑j
297 | .text:0000000140006A42 ; sub_14000646C+4CA↑j ...
298 | .text:0000000140006A42 and cs:dword_14000CDE8, 0
299 | .text:0000000140006A49 mov eax, 0C0000001h
300 | .text:0000000140006A4E
301 | .text:0000000140006A4E loc_140006A4E: ; CODE XREF: sub_14000646C+5D4↑j
302 | .text:0000000140006A4E add rsp, 28h
303 | .text:0000000140006A52 retn
304 | .text:0000000140006A52 sub_14000646C endp
305 | .text:0000000140006A52
306 | .text:0000000140006A52 ; ---------------------------------------------------------------------------
--------------------------------------------------------------------------------
/XC3/j_fn_ConfigWindowsVersion_orignal.c:
--------------------------------------------------------------------------------
/*
 * sub_140003C38 - thunk. The matching .asm listing marks it "Attributes: thunk":
 * it is a bare jmp to sub_14000646C, takes no arguments and returns whatever
 * sub_14000646C returns.
 */
__int64 sub_140003C38(void)
{
    return sub_14000646C();
}


/*
 * sub_14000646C - select the per-OS-version pointer tables (raw decompiler output).
 *
 * Queries the running kernel with PsGetVersion() and, from the
 * (major, minor, build) triple, picks one set of off_* tables and publishes it
 * through globals:
 *   dword_14000CDEC         - raw build number (written before any check, so it
 *                             is valid even when the function fails)
 *   dword_14000CDE8         - version index (3..15 here), 0 when unsupported
 *   qword_14000CDF0..CE28   - eight table pointers for the selected version
 *
 * Returns 0 when a table set was selected, 3221225473 (0xC0000001,
 * STATUS_UNSUCCESSFUL) for a major/minor combination it does not recognise.
 *
 * What the off_* tables contain is not visible in this listing (v0's type
 * suggests function pointers, but that is only the decompiler's guess); every
 * consumer of qword_14000CDF0..CE28 inherits the accuracy of this version match.
 * Note the fallback below: builds newer than 0x42EE (17134) get index 15 but
 * reuse the index-12 table set, i.e. a kernel this driver has never seen is
 * handled with data chosen for an older one.
 */
signed __int64 sub_14000646C()
{
    __int64(__fastcall **v0)(); // rax            - table pointer that ends in qword_14000CE28
    int v2; // [rsp+30h] [rbp+8h]                  - MinorVersion (rdx in the .asm)
    unsigned int v3; // [rsp+38h] [rbp+10h]        - BuildNumber (r8 in the .asm)
    int v4; // [rsp+40h] [rbp+18h]                 - MajorVersion (rcx in the .asm)

    // PsGetVersion(MajorVersion, MinorVersion, BuildNumber, CSDVersion); no CSD string requested.
    PsGetVersion(&v4, &v2, &v3, 0i64);
    dword_14000CDEC = v3;
    if (v4 == 10)
    {
        // Windows 10 line: only minor 0 is accepted, the table set is chosen by build number.
        // Thresholds: 0x295A = 10586 (1511), 0x3839 = 14393 (1607), 0x3AD7 = 15063 (1703),
        //             0x3FAB = 16299 (1709), 0x42EE = 17134 (1803).
        if (!v2)
        {
            if (v3 >= 0x295A)
            {
                if (v3 > 0x295A)
                {
                    if (v3 > 0x3839)
                    {
                        if (v3 > 0x3AD7)
                        {
                            if (v3 <= 0x3FAB)
                            {
                                // 15063 < build <= 16299
                                dword_14000CDE8 = 13;
                                qword_14000CDF0 = off_140009BA0;
                                qword_14000CDF8 = off_140009BE8;
                                qword_14000CE00 = off_140009C08;
                                qword_14000CE08 = off_140009C10;
                                qword_14000CE10 = off_140009C18;
                                qword_14000CE18 = off_140009C20;
                                qword_14000CE20 = off_140009C48;
                                v0 = off_140009C58;
                                goto LABEL_29;
                            }
                            if (v3 <= 0x42EE)
                            {
                                // 16299 < build <= 17134
                                dword_14000CDE8 = 14;
                                qword_14000CDF0 = off_140009C70;
                                qword_14000CDF8 = off_140009CB8;
                                qword_14000CE00 = &unk_14000CE30;
                                qword_14000CE08 = off_140009CD8;
                                qword_14000CE10 = off_140009CE0;
                                qword_14000CE18 = off_140009CE8;
                                qword_14000CE20 = off_140009D10;
                                v0 = off_140009D20;
                                goto LABEL_29;
                            }
                            // Anything newer than 17134: index 15, but no dedicated
                            // table set - falls through to the index-12 tables.
                            dword_14000CDE8 = 15;
                        }
                        else
                        {
                            // 14393 < build <= 15063
                            dword_14000CDE8 = 12;
                        }
                        // Shared by index 12 and the index-15 fallback.
                        qword_14000CDF0 = off_140009520;
                        qword_14000CDF8 = off_140009568;
                        qword_14000CE00 = off_140009588;
                        qword_14000CE08 = off_140009590;
                        qword_14000CE10 = off_140009598;
                        qword_14000CE18 = off_1400095A0;
                        qword_14000CE20 = off_1400095C8;
                        v0 = off_1400096A8;
                    }
                    else
                    {
                        // 10586 < build <= 14393
                        dword_14000CDE8 = 11;
                        qword_14000CDF0 = off_140009D40;
                        qword_14000CDF8 = off_140009D88;
                        qword_14000CE00 = off_140009D38;
                        qword_14000CE08 = off_140009DA8;
                        qword_14000CE10 = off_140009DB0;
                        qword_14000CE18 = off_140009DB8;
                        qword_14000CE20 = off_140009DE0;
                        v0 = off_140009DF0;
                    }
                }
                else
                {
                    // build == 10586 exactly
                    dword_14000CDE8 = 10;
                    qword_14000CDF0 = off_140009AD0;
                    qword_14000CDF8 = off_140009B18;
                    qword_14000CE00 = off_140009B38;
                    qword_14000CE08 = off_140009B40;
                    qword_14000CE10 = off_140009B48;
                    qword_14000CE18 = off_140009B50;
                    qword_14000CE20 = off_140009B78;
                    v0 = off_140009B88;
                }
            }
            else
            {
                // build < 10586 (presumably the initial 10240 release)
                dword_14000CDE8 = 9;
                qword_14000CDF0 = off_140009A00;
                qword_14000CDF8 = off_140009A48;
                qword_14000CE00 = off_140009A68;
                qword_14000CE08 = off_140009A70;
                qword_14000CE10 = off_140009A78;
                qword_14000CE18 = off_140009A80;
                qword_14000CE20 = off_140009AA8;
                v0 = off_140009AB8;
            }
LABEL_29:
            // Common success exit for every branch (also reached by goto from the
            // 6.x and 5.2 cases below): publish the last pointer and report success.
            qword_14000CE28 = v0;
            return 0i64;
        }
        // 10.x with minor != 0 falls through to the failure path.
    }
    else if (v4 == 6)
    {
        // 6.x line: 6.3 = Windows 8.1, 6.2 = Windows 8, 6.1 = Windows 7, 6.0 = Vista / Server 2008.
        // No default: any other minor falls through to the failure path.
        // Indices 1, 2 and 5 are never assigned by this function; what they would
        // denote is not visible here.
        switch (v2)
        {
        case 3:
            dword_14000CDE8 = 8;
            qword_14000CDF0 = off_140009930;
            qword_14000CDF8 = off_140009978;
            qword_14000CE00 = off_140009998;
            qword_14000CE08 = off_1400099A0;
            qword_14000CE10 = off_1400099A8;
            qword_14000CE18 = off_1400099B0;
            qword_14000CE20 = off_1400099D8;
            v0 = off_1400099E8;
            goto LABEL_29;
        case 2:
            dword_14000CDE8 = 7;
            qword_14000CDF0 = off_140009860;
            qword_14000CDF8 = off_1400098A8;
            qword_14000CE00 = off_1400098C8;
            qword_14000CE08 = off_1400098D0;
            qword_14000CE10 = off_1400098D8;
            qword_14000CE18 = off_1400098E0;
            qword_14000CE20 = off_140009908;
            v0 = off_140009918;
            goto LABEL_29;
        case 1:
            dword_14000CDE8 = 6;
            qword_14000CDF0 = off_1400095E0;
            qword_14000CDF8 = off_140009628;
            qword_14000CE00 = off_1400095D8;
            qword_14000CE08 = off_140009648;
            qword_14000CE10 = off_140009650;
            qword_14000CE18 = off_140009658;
            qword_14000CE20 = off_140009680;
            v0 = off_140009690;
            goto LABEL_29;
        case 0:
            dword_14000CDE8 = 4;
            qword_14000CDF0 = off_140009790;
            qword_14000CDF8 = off_1400097D8;
            qword_14000CE00 = off_1400097F8;
            qword_14000CE08 = off_140009800;
            // The '&' here and in the 5.2 case is only the decompiler's rendering;
            // the .asm uses the same "lea rax, off_*" form for every entry.
            qword_14000CE10 = &off_140009808;
            qword_14000CE18 = &off_140009810;
            qword_14000CE20 = off_140009838;
            v0 = off_140009848;
            goto LABEL_29;
        }
    }
    else if (v4 == 5 && v2 == 2)
    {
        // 5.2 is the only pre-Vista kernel accepted (this image is 64-bit, so
        // XP x64 / Server 2003).
        dword_14000CDE8 = 3;
        qword_14000CDF0 = off_1400096C0;
        qword_14000CDF8 = off_140009708;
        qword_14000CE00 = off_140009728;
        qword_14000CE08 = off_140009730;
        qword_14000CE10 = &off_140009738;
        qword_14000CE18 = &off_140009740;
        qword_14000CE20 = off_140009768;
        v0 = off_140009778;
        goto LABEL_29;
    }
    // Unsupported version: clear the index and report STATUS_UNSUCCESSFUL.
    // The table-pointer globals are left untouched; dword_14000CDEC keeps the build number.
    dword_14000CDE8 = 0;
    return 3221225473i64;
}
--------------------------------------------------------------------------------