This post was last edited by smallzhong on 2025-4-27 20:39.
Hooking all kernel exported functions from a driver to analyse driver logic
TL;DR
Introduction
In fact, for this kind of relative addressing you cannot simply fix up the 4-byte relative address. The kernel address space is vast: 4 bytes can only address 4 GB, and the kernel cannot allocate memory that close to the hooked function to hold the trampoline. To solve this I wrote a hook framework that special-cases relative addressing, so that every relative reference still resolves to the correct location.
- What I wrote three years ago was only a simple framework; over time it was adapted to many special cases and several bugs were fixed, gradually improving the robustness of the whole framework.
KernelHook
Hook flow when the function contains no relative-addressing instructions
Functions containing relative jumps
- This framework handles a large number of relative-jump patterns: one-byte short jumps (7X XX, E1 XX, E2 XX, E3 XX, EB XX), four-byte relative conditional jumps (0F 8X XX XX XX XX), and the four-byte E8/E9 call and jmp. All of these cases are handled as shown in the figure below.
Suppose that of the three instructions A, B and C, only B uses a relative jump; take the JE jump 74 XX as an example.
As shown in the figure, the framework automatically computes the absolute address of the jump destination and generates an FF25 unconditional jump placed at the very end of the shellcode. The target of the 74 jump is then rewritten to the relative address of that FF25 instruction. If the JE condition holds, execution jumps to the FF25 instruction, which in turn jumps to the original absolute address, so the original logic is preserved. The other 1-byte and 4-byte relative jumps are corrected with the same idea.
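The relative-jump fixup described above, as an added example in plain C++ (not the KernelHook framework's own code): every recognised rel8/rel32 branch copied into the trampoline is pointed at an FF 25 stub appended at the end, so the result works wherever the trampoline is placed, and a rel8 that cannot reach its stub is reported rather than truncated. Instruction bytes and addresses are constructed, and the caller is assumed to have length-decoded each instruction already.

```cpp
#include <cstdint>
#include <cstring>
#include <stdexcept>
#include <vector>

// One relative branch that must be retargeted once the stubs are laid out.
struct Fixup {
    size_t   disp_off;   // offset of the displacement field inside `code`
    size_t   disp_size;  // 1 (rel8) or 4 (rel32)
    size_t   inst_end;   // offset just past the branch instruction
    uint64_t target;     // absolute destination in the original code
};

struct Trampoline {
    std::vector<uint8_t> code;    // copied prologue instructions
    std::vector<Fixup>   fixups;  // branches found while copying
};

// Recognise the relative-branch encodings listed in the post: 7x / E0-E3 / EB
// rel8, 0F 8x rel32 and E8/E9 rel32.  `avail` bounds how many bytes may be read.
static bool decode_rel_branch(const uint8_t* p, size_t avail, size_t& len,
                              size_t& disp_off, size_t& disp_size) {
    if (avail < 2) return false;
    uint8_t op = p[0];
    if ((op >= 0x70 && op <= 0x7F) || (op >= 0xE0 && op <= 0xE3) || op == 0xEB) {
        len = 2; disp_off = 1; disp_size = 1; return true;
    }
    if (op == 0xE8 || op == 0xE9) { len = 5; disp_off = 1; disp_size = 4; return true; }
    if (op == 0x0F && p[1] >= 0x80 && p[1] <= 0x8F) {
        len = 6; disp_off = 2; disp_size = 4; return true;
    }
    return false;
}

static int64_t read_disp(const uint8_t* p, size_t size) {
    if (size == 1) return static_cast<int8_t>(p[0]);
    int32_t d; std::memcpy(&d, p, 4); return d;
}

// Append one instruction of `len` bytes that originally lived at `orig_addr`.
// Relative branches are recorded for retargeting; anything else is copied as-is
// (RIP-relative lea/mov/test need their own handling and are out of scope here).
void add_instruction(Trampoline& t, const uint8_t* inst, size_t len, uint64_t orig_addr) {
    size_t blen, disp_off, disp_size;
    size_t start = t.code.size();
    t.code.insert(t.code.end(), inst, inst + len);
    if (decode_rel_branch(inst, len, blen, disp_off, disp_size) && blen == len) {
        // Absolute destination = end of the original instruction + displacement.
        uint64_t target = orig_addr + len + read_disp(inst + disp_off, disp_size);
        t.fixups.push_back({start + disp_off, disp_size, start + len, target});
    }
}

// Emit the copied code followed by one `FF 25 00 00 00 00 <abs64>` stub per
// branch, then patch each branch's displacement so it lands on its stub.
std::vector<uint8_t> finalize(const Trampoline& t) {
    std::vector<uint8_t> out = t.code;
    for (const Fixup& f : t.fixups) {
        size_t stub_off = out.size();
        const uint8_t stub[6] = {0xFF, 0x25, 0, 0, 0, 0};  // jmp qword ptr [rip+0]
        out.insert(out.end(), stub, stub + 6);
        out.resize(out.size() + 8);
        std::memcpy(&out[stub_off + 6], &f.target, 8);    // the qword the jmp reads

        int64_t rel = static_cast<int64_t>(stub_off) - static_cast<int64_t>(f.inst_end);
        if (f.disp_size == 1) {
            if (rel < INT8_MIN || rel > INT8_MAX)
                throw std::length_error("rel8 branch cannot reach its stub; widen to 0F 8x rel32");
            out[f.disp_off] = static_cast<uint8_t>(static_cast<int8_t>(rel));
        } else {
            int32_t d = static_cast<int32_t>(rel);
            std::memcpy(&out[f.disp_off], &d, 4);
        }
    }
    return out;
}

// Follow the branch at `off` in a finished trampoline into its stub and return
// the absolute target it reaches (0 if `off` is not a retargeted branch).  This
// is the self-check that the rewritten prologue still goes where the original did.
uint64_t resolve_branch(const std::vector<uint8_t>& tramp, size_t off) {
    size_t len, disp_off, disp_size;
    if (off >= tramp.size() ||
        !decode_rel_branch(&tramp[off], tramp.size() - off, len, disp_off, disp_size))
        return 0;
    int64_t stub = static_cast<int64_t>(off + len) + read_disp(&tramp[off + disp_off], disp_size);
    if (stub < 0) return 0;
    size_t s = static_cast<size_t>(stub);
    if (s + 14 > tramp.size() || tramp[s] != 0xFF || tramp[s + 1] != 0x25) return 0;
    uint64_t target; std::memcpy(&target, &tramp[s + 6], 8);
    return target;
}
```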
Functions containing 4-byte RIP-relative test, lea and mov instructions
Special handling for 48 8D 05 (LEA)
Hooking most exported functions for detailed kernel monitoring
Handling special cases
- With the hook framework above in place, we can hook some kernel functions to analyse the sequence of system calls made by a specific driver. First, one special case must be handled, in which a function cannot be hooked directly: if other code jumps into the middle of the instructions that the hook would overwrite at the function start, the function cannot be hooked directly. That sounds convoluted, but an example makes it clear:
- Take the function RtlUnalignedStringCchLengthW. At the 12th byte from the start there is a basic block that other code jumps to. If the 14-byte FF25 sequence is written directly, it overwrites this location, and the later jnz may still jump to this address, landing in corrupted memory with unpredictable consequences.
- The solution is an IDA script that special-cases this situation: if a basic block that other basic blocks may jump to appears within the first 14 bytes of a function, the function is marked False and skipped. The check is as follows:
import idc
import idautils


def has_xrefs_to_middle(start_ea, end_ea):
    """Return True if any instruction in [start_ea, end_ea) other than the
    first one is the target of a code xref, i.e. some other basic block
    jumps into the bytes the hook would overwrite."""
    instr_size = idc.get_item_size(start_ea)
    start_ea += instr_size  # the first instruction is always overwritten, so skip it
    while start_ea < end_ea:
        # flow=False: count only jumps/calls, not fall-through from the previous instruction
        for _ in idautils.CodeRefsTo(start_ea, False):
            return True
        instr_size = idc.get_item_size(start_ea)
        start_ea += instr_size
    return False
Monitoring the call site
- The kernel's exported functions are called extremely frequently; drivers call them all the time. Recording every call is completely unrealistic and would hang the system. Calls therefore have to be filtered selectively by their return address, printing only calls from a specific source. The monitoring framework wraps a singleton that maintains the set of monitored addresses, exposed through the following three macros:
#define ADD_MONITOR_RANGE(start, end) smallzhong::MonitorAddressManager::GetInstance().AddMonitorRange((start), (end))
#define DEL_FROM_MONITOR_LIST(addr) smallzhong::MonitorAddressManager::GetInstance().DelFromMonitorList((addr))
#define FILTER_RET_ADDR(ret_addr) smallzhong::MonitorAddressManager::GetInstance().FilterRetAddr((ret_addr))
which add and remove monitored ranges and test whether a given address is currently being monitored.
- Below is a handler generated automatically by the IDA script. FILTER_RET_ADDR is used to check the caller; only when the return address belongs to the monitored source are the four arguments and the return address logged.
BOOLEAN handler_c4a77d9f(PGuestContext context)
{
    // The hooked call's return address sits at the top of the guest stack.
    ULONG64 origin_ret_addr = *(PULONG64)(context->mRsp);
    // Log only calls that return into a monitored range (e.g. the target driver).
    if (FILTER_RET_ADDR(origin_ret_addr))
    {
        LOG_INFO("Function: ExAllocatePoolWithTag\nRCX: %llx, RDX: %llx, R8: %llx, R9: %llx\nReturn Address: %llx\n\n",
            context->mRcx, context->mRdx, context->mR8, context->mR9, origin_ret_addr);
    }
    // FALSE: continue into the original function.
    return FALSE;
}
Usage
- Import Musa.Runtime (packaged by 米松哥) via NuGet and start writing C++ kernel code comfortably.
- Open the driver to be monitored in IDA, open scripts\AutoGen.py, use Ctrl+H to globally replace the hard-coded save path inside it, then run AutoGen.py. This produces three generated files, available_funcs.inc, handlers.h and handlers.c; add them to the VS project.
- In DriverMain, hook the specific functions you are interested in.
- Load the driver and inspect the log.
Analysing a driver with this framework: the 2025 Tencent Game Security final as an example
Setting up the analysis environment
- Register an image-load callback in DriverMain:
EXTERN_C NTSTATUS DriverMain(const PDRIVER_OBJECT DriverObject, const PUNICODE_STRING Registry)
{
    LOG_INFO("entry\r\n");
    NTSTATUS status = STATUS_SUCCESS;
    // Get notified of every image load so the target driver's range can be monitored.
    status = PsSetLoadImageNotifyRoutine(ImageLoadCallback);
    ...
}
In the callback, check whether ACEDriver.sys is being loaded; if so, add the corresponding monitored range.
VOID ImageLoadCallback(
    PUNICODE_STRING FullImageName,
    HANDLE ProcessId,
    PIMAGE_INFO ImageInfo)
{
    // ProcessId is 0 for kernel-mode images (drivers).
    if (ProcessId == 0 && FullImageName != NULL)
    {
        // Note: wcsstr assumes Buffer is NUL-terminated, which UNICODE_STRING does not guarantee.
        if (wcsstr(FullImageName->Buffer, L"\\ACEDriver.sys"))
        {
            LOG_INFO("ACEDriver.sys" " has been loaded!\n");
            LOG_INFO("Image Base: %p\n", ImageInfo->ImageBase);
            LOG_INFO("Image Size: %llx\n", ImageInfo->ImageSize);
            // From now on only calls returning into [ImageBase, ImageBase + ImageSize) are logged.
            ADD_MONITOR_RANGE((ULONG64)ImageInfo->ImageBase, (ULONG64)ImageInfo->ImageBase + ImageInfo->ImageSize);
        }
    }
}
- Start the virtual machine and load the analysis framework.
All the exported functions that can be hooked are hooked automatically.
Loading ACEDriver.sys
- The full log after loading:
[smallzhong][ImageLoadCallback():22] ACEDriver.sys has been loaded!
[smallzhong][ImageLoadCallback():23] Image Base: FFFFF8044C9C0000
[smallzhong][ImageLoadCallback():24] Image Size: 12ce000
Function: ExAllocatePool
RCX: 200, RDX: 1a0, R8: fffff80445f331f0, R9: ffffbc84b35e7768
Return Address: fffff8044d9eac91
Function: NtQuerySystemInformation
RCX: b, RDX: ffffbc84b35e7650, R8: 0, R9: ffffbc84b35e7648
Return Address: fffff8044d7b062a
Function: ExAllocatePool
RCX: 200, RDX: 19960, R8: ffffbc84b35e7380, R9: ffffbc84b35e73e0
Return Address: fffff8044d796230
Function: NtQuerySystemInformation
RCX: b, RDX: ffffd384236e6000, R8: 19960, R9: ffffbc84b35e7648
Return Address: fffff8044d1259a8
Function: ExFreePoolWithTag
RCX: ffffd384236e6000, RDX: 0, R8: fffff80445e00000, R9: fffff80445e313e0
Return Address: fffff8044d7ace2a
Function: IoAllocateMdl
RCX: fffff8044c9c0000, RDX: 762537, R8: 0, R9: 0
Return Address: fffff8044da92507
Function: MmProbeAndLockPages
RCX: ffffd384269f0000, RDX: 0, R8: 1, R9: ffffbc84b35e7760
Return Address: fffff8044dae65ef
Function: MmMapLockedPagesSpecifyCache
RCX: ffffd384269f0000, RDX: 0, R8: 1, R9: 0
Return Address: fffff8044db35827
Function: ExAllocatePool
RCX: 200, RDX: 3e6c, R8: ffffbc84b35e7768, R9: fffffff86df59f7a
Return Address: fffff8044d97b359
Function: ExFreePoolWithTag
RCX: ffffd3842325f000, RDX: 0, R8: ffffbc84b35e7768, R9: 2
Return Address: fffff8044d7dd486
Function: NtQuerySystemInformation
RCX: b, RDX: ffffbc84b35e7650, R8: 0, R9: ffffbc84b35e7648
Return Address: fffff8044d7b062a
Function: ExAllocatePool
RCX: 200, RDX: 19960, R8: ffffbc84b35e7380, R9: ffffbc84b35e73e0
Return Address: fffff8044d796230
Function: NtQuerySystemInformation
RCX: b, RDX: ffffd384236e6000, R8: 19960, R9: ffffbc84b35e7648
Return Address: fffff8044d1259a8
Function: ExFreePoolWithTag
RCX: ffffd384236e6000, RDX: 0, R8: fffff80445e00000, R9: fffff80445e313e0
Return Address: fffff8044d7ace2a
Function: NtQuerySystemInformation
RCX: b, RDX: ffffbc84b35e7650, R8: 0, R9: ffffbc84b35e7648
Return Address: fffff8044d7b062a
Function: ExAllocatePool
RCX: 200, RDX: 19960, R8: ffffbc84b35e7380, R9: ffffbc84b35e73e0
Return Address: fffff8044d796230
Function: NtQuerySystemInformation
RCX: b, RDX: ffffd384236e6000, R8: 19960, R9: ffffbc84b35e7648
Return Address: fffff8044d1259a8
Function: ExFreePoolWithTag
RCX: ffffd384236e6000, RDX: 0, R8: ffffbc84b35e766b, R9: ffffd384236e74d8
Return Address: fffff8044d7ace2a
Function: KeSetSystemAffinityThread
RCX: 1, RDX: 8, R8: 0, R9: ffffbc84b35e7770
Return Address: fffff8044d8c2bc1
Function: KeSetSystemAffinityThread
RCX: 2, RDX: 8, R8: 0, R9: ffffbc84b35e7770
Return Address: fffff8044d8c2bc1
Function: KeSetSystemAffinityThread
RCX: 4, RDX: 8, R8: 0, R9: ffffbc84b35e7770
Return Address: fffff8044d8c2bc1
Function: KeSetSystemAffinityThread
RCX: 8, RDX: 8, R8: 0, R9: ffffbc84b35e7770
Return Address: fffff8044d8c2bc1
Function: KeRevertToUserAffinityThread
RCX: 0, RDX: 0, R8: ffffbc84b35e7778, R9: ffffffffe12f6b55
Return Address: fffff8044d981c67
Function: MmUnlockPages
RCX: ffffd384269f0000, RDX: 8, R8: 0, R9: ffffbc84b35e7660
Return Address: fffff8044d9a16ea
Function: IoFreeMdl
RCX: ffffd384269f0000, RDX: 8, R8: 542b35c7, R9: ffffbc84b35e7660
Return Address: fffff8044d9d0743
Function: RtlCopyUnicodeString
RCX: fffff8044ca2b518, RDX: ffffd38427abf000, R8: ffffbc84b35e6f60, R9: 10
Return Address: fffff8044c9cde8c
Function: ExIsProcessorFeaturePresent
RCX: a, RDX: ffffd38427abf000, R8: ffffbe8a8e013084, R9: fffff8044c9d3210
Return Address: fffff8044c9ce70b
Function: RtlGetVersion
RCX: ffffbc84b35e76f0, RDX: 7, R8: 2, R9: 1
Return Address: fffff8044c9ce4d7
Function: MmGetSystemRoutineAddress
RCX: ffffbc84b35e76d8, RDX: 7, R8: 2, R9: 1
Return Address: fffff8044c9ce4f7
Function: NtQuerySystemInformation
RCX: e3, RDX: ffffbc84b35e76d0, R8: 1, R9: 0
Return Address: fffff8044c9ce516
Function: ZwOpenSection
RCX: ffffbc84b35e7800, RDX: 5, R8: ffffbc84b35e7770, R9: 0
Return Address: fffff8044c9cdbf0
Function: ZwQuerySection
RCX: ffffffff80002114, RDX: 1, R8: ffffbc84b35e77a0, R9: 40
Return Address: fffff8044c9cdc27
Function: ObReferenceObjectByHandle
RCX: ffffffff80002114, RDX: 5, R8: ffffd3841d2cfbc0, R9: 0
Return Address: fffff8044c9cdc57
Function: MmMapViewInSystemSpace
RCX: ffffbe8a81ea2350, RDX: ffffbc84b35e7768, R8: ffffbc84b35e7760, R9: fffff80445e00000
Return Address: fffff8044c9cdc6f
Function: MmUnmapViewInSystemSpace
RCX: fffff80442c00000, RDX: be8a80ec7f880400, R8: ffffbc84b35e74e0, R9: ffffbc84b35e7748
Return Address: fffff8044c9cdc92
Function: ObfDereferenceObject
RCX: ffffbe8a81ea2350, RDX: 4b, R8: ffffd38420124134, R9: 4
Return Address: fffff8044c9cdca1
Function: ZwClose
RCX: ffffffff80002114, RDX: 4b, R8: ffffd38420124134, R9: 4
Return Address: fffff8044c9cdcb0
Function: ExInitializeResourceLite
RCX: fffff8044ca2b6e0, RDX: fffff8044ca2b6e0, R8: ffffffff, R9: 7fffbe8a81ea2330
Return Address: fffff8044c9cebae
Function: ExInitializeNPagedLookasideList
RCX: fffff8044ca2b100, RDX: 0, R8: 0, R9: 200
Return Address: fffff8044c9cb60c
Function: RtlInitializeGenericTableAvl
RCX: fffff8044ca2b180, RDX: fffff8044c9cb460, R8: fffff8044c9cb450, R9: fffff8044c9cb480
Return Address: fffff8044c9cb640
Function: PsGetCurrentThreadId
RCX: ffffbc84b35e77e0, RDX: 0, R8: 0, R9: 0
Return Address: fffff8044c9cb658
Function: RtlInsertElementGenericTableAvl
RCX: fffff8044ca2b180, RDX: ffffbc84b35e7760, R8: 90, R9: ffffbc84b35e7728
Return Address: fffff8044c9cb4ba
Function: ExAllocatePoolWithTag
RCX: 200, RDX: b0, R8: 74726375, R9: ffffbc84b35e7728
Return Address: fffff8044c9cb3ae
Function: ExInitializeResourceLite
RCX: fffff8044ca2b5a0, RDX: fffff8044ca2b5a0, R8: 0, R9: 0
Return Address: fffff8044c9ceafe
Function: ExInitializeResourceLite
RCX: fffff8044ca2b608, RDX: fffff8044ca2b5a0, R8: 8, R9: 0
Return Address: fffff8044c9ceafe
Function: ExInitializeResourceLite
RCX: fffff8044ca2b670, RDX: fffff8044ca2b5a0, R8: 0, R9: 0
Return Address: fffff8044c9ceafe
Function: ExInitializeNPagedLookasideList
RCX: fffff8044ca2b200, RDX: 0, R8: 0, R9: 200
Return Address: fffff8044c9cda88
Function: RtlInitializeGenericTableAvl
RCX: fffff8044ca2b280, RDX: fffff8044c9cd8c0, R8: fffff8044c9cd8b0, R9: fffff8044c9cd8e0
Return Address: fffff8044c9cdabc
Function: PsGetCurrentThreadId
RCX: ffffbc84b35e77e8, RDX: 0, R8: 0, R9: 0
Return Address: fffff8044c9cdad2
Function: RtlInsertElementGenericTableAvl
RCX: fffff8044ca2b280, RDX: ffffbc84b35e77a0, R8: 48, R9: ffffbc84b35e7768
Return Address: fffff8044c9cd946
Function: ExAllocatePoolWithTag
RCX: 200, RDX: 68, R8: 74726375, R9: ffffbc84b35e7768
Return Address: fffff8044c9cb3ae
Function: ExAllocatePoolWithTag
RCX: 200, RDX: 1c0, R8: 74726375, R9: 0
Return Address: fffff8044c9cd45f
Function: RtlGetVersion
RCX: ffffd3842409a84c, RDX: 11c, R8: 0, R9: fff
Return Address: fffff8044c9c8cc7
Function: ZwQuerySystemInformation
RCX: b, RDX: 0, R8: 0, R9: ffffbc84b35e77d8
Return Address: fffff8044d122066
Function: ExAllocatePoolWithTag
RCX: 0, RDX: ccb0, R8: 6d6f646c, R9: ffffbc84b35e73c0
Return Address: fffff8044d12206c
Function: ZwQuerySystemInformation
RCX: b, RDX: ffffd38429406000, R8: ccb0, R9: ffffbc84b35e77d8
Return Address: fffff8044d122074
Function: ExFreePoolWithTag
RCX: ffffd38429406000, RDX: 6d6f646c, R8: ffffbc84b35e7300, R9: ffffbc84b35e73c0
Return Address: fffff8044d122091
Function: ZwQuerySystemInformation
RCX: b, RDX: 0, R8: 0, R9: ffffbc84b35e77d8
Return Address: fffff8044d1220b9
Function: ExAllocatePoolWithTag
RCX: 0, RDX: ccb0, R8: 6d6f646c, R9: ffffbc84b35e73c0
Return Address: fffff8044d1220bf
Function: ZwQuerySystemInformation
RCX: b, RDX: ffffd38429406000, R8: ccb0, R9: ffffbc84b35e77d8
Return Address: fffff8044d1220c5
Function: ExFreePoolWithTag
RCX: ffffd38429406000, RDX: 6d6f646c, R8: ffffbc84b35e7300, R9: ffffbc84b35e73c0
Return Address: fffff8044d1220d2
Function: ExAllocatePoolWithTag
RCX: 1, RDX: 1000, R8: 35384245, R9: 0
Return Address: fffff8044d122252
Function: ExAllocatePoolWithTag
RCX: 200, RDX: 20, R8: 44533143, R9: 0
Return Address: fffff8044d121f98
Function: ExQueueWorkItem
RCX: ffffd384233ee550, RDX: 1, R8: ffffd384233ee550, R9: fff
Return Address: fffff8044d121fef
Function: KeDelayExecutionThread
RCX: 0, RDX: 0, R8: ffffbc84b28cab38, R9: 0
Return Address: fffff8044d1209b1
Function: KeDelayExecutionThread
RCX: 0, RDX: 0, R8: ffffbc84b35e7808, R9: 2f
Return Address: fffff8044d1209b1
Function: ZwQuerySystemInformation
RCX: b, RDX: 0, R8: 0, R9: ffffbc84b28cab38
Return Address: fffff8044d1209e2
Function: ExAllocatePoolWithTag
RCX: 0, RDX: ccb0, R8: 6d6f646c, R9: ffffbc84b28ca720
Return Address: fffff8044d1209f4
Function: ZwQuerySystemInformation
RCX: b, RDX: ffffd38429406000, R8: ccb0, R9: ffffbc84b28cab38
Return Address: fffff8044d1209fa
Function: ExFreePoolWithTag
RCX: ffffd38429406000, RDX: 6d6f646c, R8: ffffbc84b28ca600, R9: ffffbc84b28ca720
Return Address: fffff8044d120a3f
Function: KdRefreshDebuggerNotPresent
RCX: fffff80446796028, RDX: 3bd, R8: fffff80446796000, R9: 188b5e66ecc8b28
Return Address: fffff8044d121634
KDTARGET: Refreshing KD connection
Function: ZwQuerySystemInformation
RCX: b, RDX: 0, R8: 0, R9: ffffbc84b28caaa8
Return Address: fffff8044d120bc2
Function: ExAllocatePoolWithTag
RCX: 0, RDX: ccb0, R8: 6d6f646c, R9: ffffbc84b28ca690
Return Address: fffff8044d120bdc
Function: ZwQuerySystemInformation
RCX: b, RDX: ffffd38429406000, R8: ccb0, R9: ffffbc84b28caaa8
Return Address: fffff8044d120be2
Function: ExFreePoolWithTag
RCX: ffffd38429406000, RDX: 6d6f646c, R8: ffffbc84b28ca600, R9: ffffbc84b28ca690
Return Address: fffff8044d120bfb
Function: ExAllocatePoolWithTag
RCX: 0, RDX: 40, R8: 41434520, R9: 882b074c4af83a16
Return Address: fffff8044d121195
Function: KeInitializeDpc
RCX: ffffd3841cd025d0, RDX: fffff8044c9c78c0, R8: fffff80445fc14e0, R9: fff
Return Address: fffff8044d1211d7
Function: KeInsertQueueDpc
RCX: ffffd3841cd025d0, RDX: 0, R8: 0, R9: fff
Return Address: fffff8044d121205
KDTARGET: Refreshing KD connection
*** Fatal System Error: 0x00414345
(0x0000000000000000,0x0000000000000000,0x0000000000000000,0x0000000000000000)
Break instruction exception - code 80000003 (first chance)
A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.
A fatal system error has occurred.
For analysis of this file, run !analyze -v
nt!DbgBreakPointWithStatus:
fffff804`45fc9370 cc int 3
You can see a "KDTARGET: Refreshing KD connection" message in the middle; looking a little further up, it turns out that KdRefreshDebuggerNotPresent was called, i.e. the driver uses this function for anti-debugging. The return address is fffff8044d121634 and the image base is FFFFF8044C9C0000, so the call site is ACEDriver.sys + 0x761634. Going to that location in the dumped code shows that it is a thread started with ExQueueWorkItem, which is also visible in the log as a call to ExQueueWorkItem. The conclusion of the analysis: KdDisableDebugger and KdRefreshDebuggerNotPresent both need to be hooked and their return values set manually. The implementation is as follows:
if (func.function_name == "KdDisableDebugger")
{
    // Captureless lambda: +lambda converts it to a plain function pointer for the hook manager.
    auto lambda = [](GuestContext* context) -> BOOLEAN {
        ULONG64 origin_ret_addr = *(PULONG64)(context->mRsp);
        if (FILTER_RET_ADDR(origin_ret_addr))
        {
            LOG_INFO("Function: KdDisableDebugger\nRCX: %llx, RDX: %llx, R8: %llx, R9: %llx\nReturn Address: %llx\n\n",
                context->mRcx, context->mRdx, context->mR8, context->mR9, origin_ret_addr);
        }
        // Report success without ever reaching the real KdDisableDebugger.
        context->mRax = STATUS_SUCCESS;
        return TRUE;   // TRUE: skip the original function
    };
    try {
        GLOBAL_HOOK_MANAGER.add_hook(func.address, reinterpret_cast<ULONG64>(+lambda));
        LOG_INFO("Successfully hooked %s at %llx\r\n", func.function_name.c_str(), func.address);
    }
    catch (const std::exception& e) {
        LOG_INFO("Failed to hook %s: %s\r\n", func.function_name.c_str(), e.what());
    }
}
else if (func.function_name == "KdRefreshDebuggerNotPresent")
{
    auto lambda = [](GuestContext* context) -> BOOLEAN {
        ULONG64 origin_ret_addr = *(PULONG64)(context->mRsp);
        if (FILTER_RET_ADDR(origin_ret_addr))
        {
            LOG_INFO("Function: KdRefreshDebuggerNotPresent\nRCX: %llx, RDX: %llx, R8: %llx, R9: %llx\nReturn Address: %llx\n\n",
                context->mRcx, context->mRdx, context->mR8, context->mR9, origin_ret_addr);
        }
        // 1 = "no debugger present", the answer the driver expects to see.
        context->mRax = 1;
        return TRUE;   // TRUE: skip the original function
    };
    try {
        GLOBAL_HOOK_MANAGER.add_hook(func.address, reinterpret_cast<ULONG64>(+lambda));
        LOG_INFO("Successfully hooked %s at %llx\r\n", func.function_name.c_str(), func.address);
    }
    catch (const std::exception& e) {
        LOG_INFO("Failed to hook %s: %s\r\n", func.function_name.c_str(), e.what());
    }
}
The handler modifies the mRax return value directly and returns TRUE. In this framework, returning TRUE means the original function is not called: the registers are set and the call returns immediately. The effect is that a call to KdDisableDebugger returns STATUS_SUCCESS without invoking the original, and a call to KdRefreshDebuggerNotPresent returns 1, which indicates that no debugger is attached. With these two hooks added, reload the driver.
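An added example (not part of the post's framework) that works the same log offline: it applies the same in-range test FILTER_RET_ADDR performs on return addresses, rewrites each return address as image + RVA from the "Image Base" line exactly as the analysis above did by hand, and flags the two anti-debugging APIs identified above. The embedded sample is a constructed excerpt of the first log, using the values shown on the page.

```cpp
#include <cstdint>
#include <sstream>
#include <string>
#include <vector>

struct MonitoredImage {
    std::string name;            // taken from the "... has been loaded!" line
    uint64_t base = 0, size = 0;
    // Same test FILTER_RET_ADDR performs at runtime: is the address inside the image?
    bool contains(uint64_t a) const { return a >= base && a < base + size; }
};

struct CallRecord {
    std::string function;
    uint64_t    ret_addr = 0;
    bool        in_image = false;
    uint64_t    rva      = 0;    // ret_addr - base, valid when in_image
};

static uint64_t parse_hex(const std::string& s) { return std::stoull(s, nullptr, 16); }

// Text after "<key>: " on a line, or "" when the key is absent.  Works for the
// plain "Function:" lines and for the "[smallzhong][...] Function:" variant.
static std::string field(const std::string& line, const std::string& key) {
    size_t p = line.find(key + ": ");
    return p == std::string::npos ? "" : line.substr(p + key.size() + 2);
}

// One pass over the log: pick up name/base/size from the ImageLoadCallback
// lines, then pair each "Function:" with the next "Return Address:".
std::vector<CallRecord> parse_log(const std::string& text, MonitoredImage& img) {
    std::vector<CallRecord> calls;
    std::istringstream in(text);
    std::string line, pending;
    while (std::getline(in, line)) {
        size_t loaded = line.find(" has been loaded!");
        if (loaded != std::string::npos) {
            size_t sp = loaded ? line.rfind(' ', loaded - 1) : std::string::npos;
            size_t s = (sp == std::string::npos) ? 0 : sp + 1;
            img.name = line.substr(s, loaded - s);
        } else if (!field(line, "Image Base").empty()) {
            img.base = parse_hex(field(line, "Image Base"));
        } else if (!field(line, "Image Size").empty()) {
            img.size = parse_hex(field(line, "Image Size"));
        } else if (!field(line, "Function").empty()) {
            pending = field(line, "Function");
        } else if (!field(line, "Return Address").empty() && !pending.empty()) {
            CallRecord r;
            r.function = pending;
            r.ret_addr = parse_hex(field(line, "Return Address"));
            r.in_image = img.contains(r.ret_addr);
            if (r.in_image) r.rva = r.ret_addr - img.base;
            calls.push_back(r);
            pending.clear();
        }
    }
    return calls;
}

// The two APIs the analysis above had to neutralise.
bool is_antidebug_api(const std::string& fn) {
    return fn == "KdRefreshDebuggerNotPresent" || fn == "KdDisableDebugger";
}

// "KdRefreshDebuggerNotPresent <- ACEDriver.sys + 0x761634" style summary.
std::string describe(const CallRecord& r, const MonitoredImage& img) {
    std::ostringstream o;
    o << r.function << " <- " << std::hex;
    if (r.in_image) o << img.name << " + 0x" << r.rva;
    else            o << "0x" << r.ret_addr << " (outside image)";
    return o.str();
}

// Summaries of every anti-debugging call that came from the monitored image.
std::vector<std::string> antidebug_hits(const std::string& log) {
    MonitoredImage img;
    std::vector<std::string> hits;
    for (const CallRecord& r : parse_log(log, img))
        if (r.in_image && is_antidebug_api(r.function)) hits.push_back(describe(r, img));
    return hits;
}

// Constructed excerpt of the first log above (same values as on the page).
const std::string kSampleLog =
    "[smallzhong][ImageLoadCallback():22] ACEDriver.sys has been loaded!\n"
    "[smallzhong][ImageLoadCallback():23] Image Base: FFFFF8044C9C0000\n"
    "[smallzhong][ImageLoadCallback():24] Image Size: 12ce000\n"
    "Function: ExAllocatePool\n"
    "RCX: 200, RDX: 1a0, R8: fffff80445f331f0, R9: ffffbc84b35e7768\n"
    "Return Address: fffff8044d9eac91\n"
    "Function: KdRefreshDebuggerNotPresent\n"
    "RCX: fffff80446796028, RDX: 3bd, R8: fffff80446796000, R9: 188b5e66ecc8b28\n"
    "Return Address: fffff8044d121634\n"
    "KDTARGET: Refreshing KD connection\n";
```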
Loading ACEDriver.sys again with the hooks in place
- With the hooks described above added, loading the driver again no longer blue-screens. The full log:
[smallzhong][ImageLoadCallback():22] ACEDriver.sys has been loaded!
[smallzhong][ImageLoadCallback():23] Image Base: FFFFF8044CFA0000
[smallzhong][ImageLoadCallback():24] Image Size: 12ce000
Function: ExAllocatePool
RCX: 200, RDX: 1a0, R8: fffff80445f331f0, R9: ffffbc84b35d2768
Return Address: fffff8044dfcac91
Function: NtQuerySystemInformation
RCX: b, RDX: ffffbc84b35d2650, R8: 0, R9: ffffbc84b35d2648
Return Address: fffff8044dd9062a
Function: ExAllocatePool
RCX: 200, RDX: 19710, R8: ffffbc84b35d2380, R9: ffffbc84b35d23e0
Return Address: fffff8044dd76230
Function: NtQuerySystemInformation
RCX: b, RDX: ffffd384234c5000, R8: 19710, R9: ffffbc84b35d2648
Return Address: fffff8044d7059a8
Function: ExFreePoolWithTag
RCX: ffffd384234c5000, RDX: 0, R8: fffff80445e00000, R9: fffff80445e313e0
Return Address: fffff8044dd8ce2a
Function: IoAllocateMdl
RCX: fffff8044cfa0000, RDX: 762537, R8: 0, R9: 0
Return Address: fffff8044e072507
Function: MmProbeAndLockPages
RCX: ffffd384233e2000, RDX: 0, R8: 1, R9: ffffbc84b35d2760
Return Address: fffff8044e0c65ef
Function: MmMapLockedPagesSpecifyCache
RCX: ffffd384233e2000, RDX: 0, R8: 1, R9: 0
Return Address: fffff8044e115827
Function: ExAllocatePool
RCX: 200, RDX: 3e6c, R8: ffffbc84b35d2768, R9: fffffff86df59f7a
Return Address: fffff8044df5b359
Function: ExFreePoolWithTag
RCX: ffffd38422dc8000, RDX: 0, R8: ffffbc84b35d2768, R9: 2
Return Address: fffff8044ddbd486
Function: NtQuerySystemInformation
RCX: b, RDX: ffffbc84b35d2650, R8: 0, R9: ffffbc84b35d2648
Return Address: fffff8044dd9062a
Function: ExAllocatePool
RCX: 200, RDX: 19710, R8: ffffbc84b35d2380, R9: ffffbc84b35d23e0
Return Address: fffff8044dd76230
Function: NtQuerySystemInformation
RCX: b, RDX: ffffd384234c5000, R8: 19710, R9: ffffbc84b35d2648
Return Address: fffff8044d7059a8
Function: ExFreePoolWithTag
RCX: ffffd384234c5000, RDX: 0, R8: fffff80445e00000, R9: fffff80445e313e0
Return Address: fffff8044dd8ce2a
Function: NtQuerySystemInformation
RCX: b, RDX: ffffbc84b35d2650, R8: 0, R9: ffffbc84b35d2648
Return Address: fffff8044dd9062a
Function: ExAllocatePool
RCX: 200, RDX: 19710, R8: ffffbc84b35d2380, R9: ffffbc84b35d23e0
Return Address: fffff8044dd76230
Function: NtQuerySystemInformation
RCX: b, RDX: ffffd384234c5000, R8: 19710, R9: ffffbc84b35d2648
Return Address: fffff8044d7059a8
Function: ExFreePoolWithTag
RCX: ffffd384234c5000, RDX: 0, R8: ffffbc84b35d266b, R9: ffffd384234c64d8
Return Address: fffff8044dd8ce2a
Function: KeSetSystemAffinityThread
RCX: 1, RDX: 8, R8: 0, R9: ffffbc84b35d2770
Return Address: fffff8044dea2bc1
Function: KeSetSystemAffinityThread
RCX: 2, RDX: 8, R8: 0, R9: ffffbc84b35d2770
Return Address: fffff8044dea2bc1
Function: KeSetSystemAffinityThread
RCX: 4, RDX: 8, R8: 0, R9: ffffbc84b35d2770
Return Address: fffff8044dea2bc1
Function: KeSetSystemAffinityThread
RCX: 8, RDX: 8, R8: 0, R9: ffffbc84b35d2770
Return Address: fffff8044dea2bc1
Function: KeRevertToUserAffinityThread
RCX: 0, RDX: 0, R8: ffffbc84b35d2778, R9: ffffffffe12f6b55
Return Address: fffff8044df61c67
Function: MmUnlockPages
RCX: ffffd384233e2000, RDX: 8, R8: 0, R9: ffffbc84b35d2660
Return Address: fffff8044df816ea
Function: IoFreeMdl
RCX: ffffd384233e2000, RDX: 8, R8: 542b35c7, R9: ffffbc84b35d2660
Return Address: fffff8044dfb0743
Function: RtlCopyUnicodeString
RCX: fffff8044d00b518, RDX: ffffd38423134000, R8: ffffbc84b35d1f60, R9: 10
Return Address: fffff8044cfade8c
Function: ExIsProcessorFeaturePresent
RCX: a, RDX: ffffd38423134000, R8: ffffffffffff3fff, R9: fffff8044cfb3210
Return Address: fffff8044cfae70b
Function: RtlGetVersion
RCX: ffffbc84b35d26f0, RDX: 7, R8: 2, R9: 1
Return Address: fffff8044cfae4d7
Function: MmGetSystemRoutineAddress
RCX: ffffbc84b35d26d8, RDX: 7, R8: 2, R9: 1
Return Address: fffff8044cfae4f7
Function: NtQuerySystemInformation
RCX: e3, RDX: ffffbc84b35d26d0, R8: 1, R9: 0
Return Address: fffff8044cfae516
Function: ZwOpenSection
RCX: ffffbc84b35d2800, RDX: 5, R8: ffffbc84b35d2770, R9: 0
Return Address: fffff8044cfadbf0
Function: ZwQuerySection
RCX: ffffffff80002b70, RDX: 1, R8: ffffbc84b35d27a0, R9: 40
Return Address: fffff8044cfadc27
Function: ObReferenceObjectByHandle
RCX: ffffffff80002b70, RDX: 5, R8: ffffd3841d2cfbc0, R9: 0
Return Address: fffff8044cfadc57
Function: MmMapViewInSystemSpace
RCX: ffffbe8a81ea2350, RDX: ffffbc84b35d2768, R8: ffffbc84b35d2760, R9: fffff80445e00000
Return Address: fffff8044cfadc6f
Function: MmUnmapViewInSystemSpace
RCX: fffff80442c00000, RDX: be8a80ec7f880400, R8: ffffbc84b35d24e0, R9: ffffbc84b35d2748
Return Address: fffff8044cfadc92
Function: ObfDereferenceObject
RCX: ffffbe8a81ea2350, RDX: ac, R8: ffffd3842323415a, R9: 2a
Return Address: fffff8044cfadca1
Function: ZwClose
RCX: ffffffff80002b70, RDX: ac, R8: ffffd3842323415a, R9: 2a
Return Address: fffff8044cfadcb0
Function: ExInitializeResourceLite
RCX: fffff8044d00b6e0, RDX: fffff8044d00b6e0, R8: ffffffff, R9: 7fffbe8a81ea2330
Return Address: fffff8044cfaebae
Function: ExInitializeNPagedLookasideList
RCX: fffff8044d00b100, RDX: 0, R8: 0, R9: 200
Return Address: fffff8044cfab60c
Function: RtlInitializeGenericTableAvl
RCX: fffff8044d00b180, RDX: fffff8044cfab460, R8: fffff8044cfab450, R9: fffff8044cfab480
Return Address: fffff8044cfab640
Function: PsGetCurrentThreadId
RCX: ffffbc84b35d27e0, RDX: 0, R8: 0, R9: 0
Return Address: fffff8044cfab658
Function: RtlInsertElementGenericTableAvl
RCX: fffff8044d00b180, RDX: ffffbc84b35d2760, R8: 90, R9: ffffbc84b35d2728
Return Address: fffff8044cfab4ba
Function: ExAllocatePoolWithTag
RCX: 200, RDX: b0, R8: 74726375, R9: ffffbc84b35d2728
Return Address: fffff8044cfab3ae
Function: ExInitializeResourceLite
RCX: fffff8044d00b5a0, RDX: fffff8044d00b5a0, R8: 0, R9: 0
Return Address: fffff8044cfaeafe
Function: ExInitializeResourceLite
RCX: fffff8044d00b608, RDX: fffff8044d00b5a0, R8: 8, R9: 0
Return Address: fffff8044cfaeafe
Function: ExInitializeResourceLite
RCX: fffff8044d00b670, RDX: fffff8044d00b5a0, R8: 0, R9: 0
Return Address: fffff8044cfaeafe
Function: ExInitializeNPagedLookasideList
RCX: fffff8044d00b200, RDX: 0, R8: 0, R9: 200
Return Address: fffff8044cfada88
Function: RtlInitializeGenericTableAvl
RCX: fffff8044d00b280, RDX: fffff8044cfad8c0, R8: fffff8044cfad8b0, R9: fffff8044cfad8e0
Return Address: fffff8044cfadabc
Function: PsGetCurrentThreadId
RCX: ffffbc84b35d27e8, RDX: 0, R8: 0, R9: 0
Return Address: fffff8044cfadad2
Function: RtlInsertElementGenericTableAvl
RCX: fffff8044d00b280, RDX: ffffbc84b35d27a0, R8: 48, R9: ffffbc84b35d2768
Return Address: fffff8044cfad946
Function: ExAllocatePoolWithTag
RCX: 200, RDX: 68, R8: 74726375, R9: ffffbc84b35d2768
Return Address: fffff8044cfab3ae
Function: ExAllocatePoolWithTag
RCX: 200, RDX: 1c0, R8: 74726375, R9: 0
Return Address: fffff8044cfad45f
Function: RtlGetVersion
RCX: ffffd3841de7b2bc, RDX: 11c, R8: 0, R9: fff
Return Address: fffff8044cfa8cc7
Function: ZwQuerySystemInformation
RCX: b, RDX: 0, R8: 0, R9: ffffbc84b35d27d8
Return Address: fffff8044d702066
Function: ExAllocatePoolWithTag
RCX: 0, RDX: cb88, R8: 6d6f646c, R9: ffffbc84b35d23c0
Return Address: fffff8044d70206c
Function: ZwQuerySystemInformation
RCX: b, RDX: ffffd38425606000, R8: cb88, R9: ffffbc84b35d27d8
Return Address: fffff8044d702074
Function: ExFreePoolWithTag
RCX: ffffd38425606000, RDX: 6d6f646c, R8: ffffbc84b35d2300, R9: ffffbc84b35d23c0
Return Address: fffff8044d702091
Function: ZwQuerySystemInformation
RCX: b, RDX: 0, R8: 0, R9: ffffbc84b35d27d8
Return Address: fffff8044d7020b9
Function: ExAllocatePoolWithTag
RCX: 0, RDX: cb88, R8: 6d6f646c, R9: ffffbc84b35d23c0
Return Address: fffff8044d7020bf
Function: ZwQuerySystemInformation
RCX: b, RDX: ffffd38425606000, R8: cb88, R9: ffffbc84b35d27d8
Return Address: fffff8044d7020c5
Function: ExFreePoolWithTag
RCX: ffffd38425606000, RDX: 6d6f646c, R8: ffffbc84b35d2300, R9: ffffbc84b35d23c0
Return Address: fffff8044d7020d2
Function: ExAllocatePoolWithTag
RCX: 1, RDX: 1000, R8: 35384245, R9: 0
Return Address: fffff8044d702252
Function: ExAllocatePoolWithTag
RCX: 200, RDX: 20, R8: 44533143, R9: 0
Return Address: fffff8044d701f98
Function: ExQueueWorkItem
RCX: ffffd38420034940, RDX: 1, R8: ffffd38420034940, R9: fff
Return Address: fffff8044d701fef
Function: KeDelayExecutionThread
RCX: 0, RDX: 0, R8: ffffbc84b35d2808, R9: 2f
Return Address: fffff8044d7009b1
Function: KeDelayExecutionThread
RCX: 0, RDX: 0, R8: ffffbc84b27f0b38, R9: 0
Return Address: fffff8044d7009b1
Function: ZwQuerySystemInformation
RCX: b, RDX: 0, R8: 0, R9: ffffbc84b27f0b38
Return Address: fffff8044d7009e2
Function: ExAllocatePoolWithTag
RCX: 0, RDX: cb88, R8: 6d6f646c, R9: ffffbc84b27f0720
Return Address: fffff8044d7009f4
Function: ZwQuerySystemInformation
RCX: b, RDX: ffffd38425606000, R8: cb88, R9: ffffbc84b27f0b38
Return Address: fffff8044d7009fa
Function: ExFreePoolWithTag
RCX: ffffd38425606000, RDX: 6d6f646c, R8: ffffbc84b27f0600, R9: ffffbc84b27f0720
Return Address: fffff8044d700a3f
[smallzhong][DriverMain::<lambda_2>::operator ()():111] Function: KdRefreshDebuggerNotPresent
RCX: fffff80446796028, RDX: 3bd, R8: fffff80446796000, R9: 188b5e66ecc8b28
Return Address: fffff8044d701634
Function: ExQueueWorkItem
RCX: ffffd38420034940, RDX: 1, R8: ffffd38420034940, R9: 188b5e66ecc8b28
Return Address: fffff8044d7016c0
Function: KeDelayExecutionThread
RCX: 0, RDX: 0, R8: ffffbc84b28c3af8, R9: 0
Return Address: fffff8044d7009b1
Function: ZwQuerySystemInformation
RCX: b, RDX: 0, R8: 0, R9: ffffbc84b28c3af8
Return Address: fffff8044d700a81
Function: ExAllocatePoolWithTag
RCX: 0, RDX: cb88, R8: 6d6f646c, R9: ffffbc84b28c36e0
Return Address: fffff8044d700a87
Function: ZwQuerySystemInformation
RCX: b, RDX: ffffd38425606000, R8: cb88, R9: ffffbc84b28c3af8
Return Address: fffff8044d700a8d
Function: ExFreePoolWithTag
RCX: ffffd38425606000, RDX: 6d6f646c, R8: ffffbc84b28c3600, R9: ffffbc84b28c36e0
Return Address: fffff8044d700b02
[smallzhong][DriverMain::<lambda_1>::operator ()():87] Function: KdDisableDebugger
RCX: fffff80446796028, RDX: 3b4, R8: fffff80446796000, R9: abb86a985761b61
Return Address: fffff8044d7018fd
Function: ZwQuerySystemInformation
RCX: b, RDX: 0, R8: 0, R9: ffffbc84b28c3af8
Return Address: fffff8044d700b37
Function: ExAllocatePoolWithTag
RCX: 0, RDX: cb88, R8: 6d6f646c, R9: ffffbc84b28c36e0
Return Address: fffff8044d700b3d
Function: ZwQuerySystemInformation
RCX: b, RDX: ffffd38425606000, R8: cb88, R9: ffffbc84b28c3af8
Return Address: fffff8044d700b43
Function: ExFreePoolWithTag
RCX: ffffd38425606000, RDX: 6d6f646c, R8: ffffbc84b28c3600, R9: ffffbc84b28c36e0
Return Address: fffff8044d700b87
Function: ZwProtectVirtualMemory
RCX: ffffffffffffffff, RDX: ffffbc84b28c3b80, R8: ffffbc84b28c3b78, R9: 40
Return Address: fffff8044d701b36
Function: ExQueueWorkItem
RCX: ffffd38420034940, RDX: 1, R8: ffffd38420034940, R9: 0
Return Address: fffff8044d701c02
Function: KeDelayExecutionThread
RCX: 0, RDX: 0, R8: ffffbc84b27f0b38, R9: 0
Return Address: fffff8044d7009b1
Function: ExQueueWorkItem
RCX: ffffd38420034940, RDX: 1, R8: ffffd38420034940, R9: fffff80445e00000
Return Address: fffff8044d701e86
Function: KeDelayExecutionThread
RCX: 0, RDX: 0, R8: ffffbc84b35fcaf8, R9: 0
Return Address: fffff8044d7009b1
Function: ZwQuerySystemInformation
RCX: b, RDX: 0, R8: 0, R9: ffffbc84b35fcaf8
Return Address: fffff8044d700a81
Function: ExAllocatePoolWithTag
RCX: 0, RDX: cb88, R8: 6d6f646c, R9: ffffbc84b35fc6e0
Return Address: fffff8044d700a87
Function: ZwQuerySystemInformation
RCX: b, RDX: ffffd38425606000, R8: cb88, R9: ffffbc84b35fcaf8
Return Address: fffff8044d700a8d
Function: ExFreePoolWithTag
RCX: ffffd38425606000, RDX: 6d6f646c, R8: ffffbc84b35fc600, R9: ffffbc84b35fc6e0
Return Address: fffff8044d700b02
[smallzhong][DriverMain::<lambda_1>::operator ()():87] Function: KdDisableDebugger
RCX: fffff80446796028, RDX: 3b4, R8: fffff80446796000, R9: abb86a985761b61
Return Address: fffff8044d7018fd
Function: ZwQuerySystemInformation
RCX: b, RDX: 0, R8: 0, R9: ffffbc84b35fcaf8
Return Address: fffff8044d700b37
Function: ExAllocatePoolWithTag
RCX: 0, RDX: cb88, R8: 6d6f646c, R9: ffffbc84b35fc6e0
Return Address: fffff8044d700b3d
Function: ZwQuerySystemInformation
RCX: b, RDX: ffffd38425606000, R8: cb88, R9: ffffbc84b35fcaf8
Return Address: fffff8044d700b43
Function: ExFreePoolWithTag
RCX: ffffd38425606000, RDX: 6d6f646c, R8: ffffbc84b35fc600, R9: ffffbc84b35fc6e0
Return Address: fffff8044d700b87
Function: ZwProtectVirtualMemory
RCX: ffffffffffffffff, RDX: ffffbc84b35fcb80, R8: ffffbc84b35fcb78, R9: 40
Return Address: fffff8044d701b36
Function: ExQueueWorkItem
RCX: ffffd38420034940, RDX: 1, R8: ffffd38420034940, R9: 0
Return Address: fffff8044d701c02
Function: KeDelayExecutionThread
RCX: 0, RDX: 0, R8: ffffbc84b350eb38, R9: 0
Return Address: fffff8044d7009b1
Function: ExQueueWorkItem
RCX: ffffd38420034940, RDX: 1, R8: ffffd38420034940, R9: fffff80445e00000
Return Address: fffff8044d701e86
Function: KeDelayExecutionThread
RCX: 0, RDX: 0, R8: ffffbc84b35fcaf8, R9: 0
Return Address: fffff8044d7009b1
Function: ZwQuerySystemInformation
RCX: b, RDX: 0, R8: 0, R9: ffffbc84b35fcaf8
Return Address: fffff8044d700a81
Function: ExAllocatePoolWithTag
RCX: 0, RDX: cb88, R8: 6d6f646c, R9: ffffbc84b35fc6e0
Return Address: fffff8044d700a87
Function: ZwQuerySystemInformation
RCX: b, RDX: ffffd38425606000, R8: cb88, R9: ffffbc84b35fcaf8
Return Address: fffff8044d700a8d
Function: ExFreePoolWithTag
RCX: ffffd38425606000, RDX: 6d6f646c, R8: ffffbc84b35fc600, R9: ffffbc84b35fc6e0
Return Address: fffff8044d700b02
[smallzhong][DriverMain::<lambda_1>::operator ()():87] Function: KdDisableDebugger
RCX: fffff80446796028, RDX: 3b4, R8: fffff80446796000, R9: abb86a985761b61
Return Address: fffff8044d7018fd
Function: ZwQuerySystemInformation
RCX: b, RDX: 0, R8: 0, R9: ffffbc84b35fcaf8
Return Address: fffff8044d700b37
Function: ExAllocatePoolWithTag
RCX: 0, RDX: cb88, R8: 6d6f646c, R9: ffffbc84b35fc6e0
Return Address: fffff8044d700b3d
Function: ZwQuerySystemInformation
RCX: b, RDX: ffffd38425606000, R8: cb88, R9: ffffbc84b35fcaf8
Return Address: fffff8044d700b43
Function: ExFreePoolWithTag
RCX: ffffd38425606000, RDX: 6d6f646c, R8: ffffbc84b35fc600, R9: ffffbc84b35fc6e0
Return Address: fffff8044d700b87
Function: ZwProtectVirtualMemory
RCX: ffffffffffffffff, RDX: ffffbc84b35fcb80, R8: ffffbc84b35fcb78, R9: 40
Return Address: fffff8044d701b36
Function: ExQueueWorkItem
RCX: ffffd38420034940, RDX: 1, R8: ffffd38420034940, R9: 0
Return Address: fffff8044d701c02
Function: KeDelayExecutionThread
RCX: 0, RDX: 0, R8: ffffbc84b350eb38, R9: 0
Return Address: fffff8044d7009b1
Function: ExQueueWorkItem
RCX: ffffd38420034940, RDX: 1, R8: ffffd38420034940, R9: fffff80445e00000
Return Address: fffff8044d701e86
Function: KeDelayExecutionThread
RCX: 0, RDX: 0, R8: ffffbc84b35fcaf8, R9: 0
Return Address: fffff8044d7009b1
Function: ZwQuerySystemInformation
RCX: b, RDX: 0, R8: 0, R9: ffffbc84b35fcaf8
Return Address: fffff8044d700a81
Function: ExAllocatePoolWithTag
RCX: 0, RDX: cb88, R8: 6d6f646c, R9: ffffbc84b35fc6e0
Return Address: fffff8044d700a87
Function: ZwQuerySystemInformation
RCX: b, RDX: ffffd38425606000, R8: cb88, R9: ffffbc84b35fcaf8
Return Address: fffff8044d700a8d
Function: ExFreePoolWithTag
RCX: ffffd38425606000, RDX: 6d6f646c, R8: ffffbc84b35fc600, R9: ffffbc84b35fc6e0
Return Address: fffff8044d700b02
[smallzhong][DriverMain::<lambda_1>::operator ()():87] Function: KdDisableDebugger
RCX: fffff80446796028, RDX: 3b4, R8: fffff80446796000, R9: abb86a985761b61
Return Address: fffff8044d7018fd
Function: ZwQuerySystemInformation
RCX: b, RDX: 0, R8: 0, R9: ffffbc84b35fcaf8
Return Address: fffff8044d700b37
Function: ExAllocatePoolWithTag
RCX: 0, RDX: cb88, R8: 6d6f646c, R9: ffffbc84b35fc6e0
Return Address: fffff8044d700b3d
Function: ZwQuerySystemInformation
RCX: b, RDX: ffffd38425606000, R8: cb88, R9: ffffbc84b35fcaf8
Return Address: fffff8044d700b43
Function: ExFreePoolWithTag
RCX: ffffd38425606000, RDX: 6d6f646c, R8: ffffbc84b35fc600, R9: ffffbc84b35fc6e0
Return Address: fffff8044d700b87
Function: ZwProtectVirtualMemory
RCX: ffffffffffffffff, RDX: ffffbc84b35fcb80, R8: ffffbc84b35fcb78, R9: 40
Return Address: fffff8044d701b36
Function: ExQueueWorkItem
RCX: ffffd38420034940, RDX: 1, R8: ffffd38420034940, R9: 0
Return Address: fffff8044d701c02
Function: KeDelayExecutionThread
RCX: 0, RDX: 0, R8: ffffbc84b27f0b38, R9: 0
Return Address: fffff8044d7009b1
Function: ExQueueWorkItem
RCX: ffffd38420034940, RDX: 1, R8: ffffd38420034940, R9: fffff80445e00000
Return Address: fffff8044d701e86
Function: KeDelayExecutionThread
RCX: 0, RDX: 0, R8: ffffbc84b35fcaf8, R9: 0
Return Address: fffff8044d7009b1
Function: ZwQuerySystemInformation
RCX: b, RDX: 0, R8: 0, R9: ffffbc84b35fcaf8
Return Address: fffff8044d700a81
Function: ExAllocatePoolWithTag
RCX: 0, RDX: cb88, R8: 6d6f646c, R9: ffffbc84b35fc6e0
Return Address: fffff8044d700a87
Function: ZwQuerySystemInformation
RCX: b, RDX: ffffd38425606000, R8: cb88, R9: ffffbc84b35fcaf8
Return Address: fffff8044d700a8d
Function: ExFreePoolWithTag
RCX: ffffd38425606000, RDX: 6d6f646c, R8: ffffbc84b35fc600, R9: ffffbc84b35fc6e0
Return Address: fffff8044d700b02
[smallzhong][DriverMain::<lambda_1>::operator ()():87] Function: KdDisableDebugger
RCX: fffff80446796028, RDX: 3b4, R8: fffff80446796000, R9: abb86a985761b61
Return Address: fffff8044d7018fd
Function: ZwQuerySystemInformation
RCX: b, RDX: 0, R8: 0, R9: ffffbc84b35fcaf8
Return Address: fffff8044d700b37
Function: ExAllocatePoolWithTag
RCX: 0, RDX: cb88, R8: 6d6f646c, R9: ffffbc84b35fc6e0
Return Address: fffff8044d700b3d
Function: ZwQuerySystemInformation
RCX: b, RDX: ffffd38425606000, R8: cb88, R9: ffffbc84b35fcaf8
Return Address: fffff8044d700b43
Function: ExFreePoolWithTag
RCX: ffffd38425606000, RDX: 6d6f646c, R8: ffffbc84b35fc600, R9: ffffbc84b35fc6e0
Return Address: fffff8044d700b87
Function: ZwProtectVirtualMemory
RCX: ffffffffffffffff, RDX: ffffbc84b35fcb80, R8: ffffbc84b35fcb78, R9: 40
Return Address: fffff8044d701b36
Function: ExQueueWorkItem
RCX: ffffd38420034940, RDX: 1, R8: ffffd38420034940, R9: 0
Return Address: fffff8044d701c02
Function: KeDelayExecutionThread
RCX: 0, RDX: 0, R8: ffffbc84b28c3b38, R9: 0
Return Address: fffff8044d7009b1
Function: ExQueueWorkItem
RCX: ffffd38420034940, RDX: 1, R8: ffffd38420034940, R9: fffff80445e00000
Return Address: fffff8044d701e86
Function: KeDelayExecutionThread
RCX: 0, RDX: 0, R8: ffffbc84b35fcaf8, R9: 0
Return Address: fffff8044d7009b1
Function: ZwQuerySystemInformation
RCX: b, RDX: 0, R8: 0, R9: ffffbc84b35fcaf8
Return Address: fffff8044d700a81
Function: ExAllocatePoolWithTag
RCX: 0, RDX: cb88, R8: 6d6f646c, R9: ffffbc84b35fc6e0
Return Address: fffff8044d700a87
Function: ZwQuerySystemInformation
RCX: b, RDX: ffffd38425606000, R8: cb88, R9: ffffbc84b35fcaf8
Return Address: fffff8044d700a8d
Function: ExFreePoolWithTag
RCX: ffffd38425606000, RDX: 6d6f646c, R8: ffffbc84b35fc600, R9: ffffbc84b35fc6e0
Return Address: fffff8044d700b02
[smallzhong][DriverMain::<lambda_1>::operator ()():87] Function: KdDisableDebugger
RCX: fffff80446796028, RDX: 3b4, R8: fffff80446796000, R9: abb86a985761b61
Return Address: fffff8044d7018fd
Function: ZwQuerySystemInformation
RCX: b, RDX: 0, R8: 0, R9: ffffbc84b35fcaf8
Return Address: fffff8044d700b37
Function: ExAllocatePoolWithTag
RCX: 0, RDX: cb88, R8: 6d6f646c, R9: ffffbc84b35fc6e0
Return Address: fffff8044d700b3d
Function: ZwQuerySystemInformation
RCX: b, RDX: ffffd38425606000, R8: cb88, R9: ffffbc84b35fcaf8
Return Address: fffff8044d700b43
Function: ExFreePoolWithTag
RCX: ffffd38425606000, RDX: 6d6f646c, R8: ffffbc84b35fc600, R9: ffffbc84b35fc6e0
Return Address: fffff8044d700b87
Function: ZwProtectVirtualMemory
RCX: ffffffffffffffff, RDX: ffffbc84b35fcb80, R8: ffffbc84b35fcb78, R9: 40
Return Address: fffff8044d701b36
Function: ExQueueWorkItem
RCX: ffffd38420034940, RDX: 1, R8: ffffd38420034940, R9: 0
Return Address: fffff8044d701c02
Function: KeDelayExecutionThread
RCX: 0, RDX: 0, R8: ffffbc84b28c3b38, R9: 0
Return Address: fffff8044d7009b1
Function: ExQueueWorkItem
RCX: ffffd38420034940, RDX: 1, R8: ffffd38420034940, R9: fffff80445e00000
Return Address: fffff8044d701e86
Function: KeDelayExecutionThread
RCX: 0, RDX: 0, R8: ffffbc84b27f0af8, R9: 0
Return Address: fffff8044d7009b1
Function: KeQueryActiveProcessorCount
RCX: 0, RDX: 0, R8: 0, R9: 0
Return Address: fffff8044d6ff80f
Function: ExAllocatePoolWithTag
RCX: 200, RDX: 9d4000, R8: 41316333, R9: 0
Return Address: fffff8044d6ff85c
Function: KeDelayExecutionThread
RCX: 0, RDX: 0, R8: ffffbc84b35d2808, R9: 689
Return Address: fffff8044d7009b1
Function: ZwQuerySystemInformation
RCX: b, RDX: 0, R8: 0, R9: ffffbc84b27f0af8
Return Address: fffff8044d700a81
Function: ExAllocatePoolWithTag
RCX: 0, RDX: cb88, R8: 6d6f646c, R9: ffffbc84b27f06e0
Return Address: fffff8044d700a87
Function: ZwQuerySystemInformation
RCX: b, RDX: ffffd38425606000, R8: cb88, R9: ffffbc84b27f0af8
Return Address: fffff8044d700a8d
Function: ExFreePoolWithTag
RCX: ffffd38425606000, RDX: 6d6f646c, R8: ffffbc84b27f0600, R9: ffffbc84b27f06e0
Return Address: fffff8044d700b02
[smallzhong][DriverMain::<lambda_1>::operator ()():87] Function: KdDisableDebugger
RCX: fffff80446796028, RDX: 3b4, R8: fffff80446796000, R9: abb86a985761b61
Return Address: fffff8044d7018fd
Function: ZwQuerySystemInformation
RCX: b, RDX: 0, R8: 0, R9: ffffbc84b27f0af8
Return Address: fffff8044d700b37
Function: ExAllocatePoolWithTag
RCX: 0, RDX: cb88, R8: 6d6f646c, R9: ffffbc84b27f06e0
Return Address: fffff8044d700b3d
Function: ZwQuerySystemInformation
RCX: b, RDX: ffffd38425606000, R8: cb88, R9: ffffbc84b27f0af8
Return Address: fffff8044d700b43
Function: ExFreePoolWithTag
RCX: ffffd38425606000, RDX: 6d6f646c, R8: ffffbc84b27f0600, R9: ffffbc84b27f06e0
Return Address: fffff8044d700b87
Function: ZwProtectVirtualMemory
RCX: ffffffffffffffff, RDX: ffffbc84b27f0b80, R8: ffffbc84b27f0b78, R9: 40
Return Address: fffff8044d701b36
Function: ExQueueWorkItem
RCX: ffffd38420034940, RDX: 1, R8: ffffd38420034940, R9: 0
Return Address: fffff8044d701c02
Function: ExFreePoolWithTag
RCX: ffffd38420034940, RDX: 44533143, R8: 20, R9: 0
Return Address: fffff8044d701e86
Function: ExFreePoolWithTag
RCX: ffffbe8a89381000, RDX: 35384245, R8: ffffd3841d269040, R9: fffff80445e00000
Return Address: fffff8044d701f3d
Function: ExFreePoolWithTag
RCX: ffffd3841de7b290, RDX: 74726375, R8: ffffbc84b35d26b8, R9: ffffffff
Return Address: fffff8044cfad885
Function: ExEnterCriticalRegionAndAcquireResourceExclusive
RCX: fffff8044d00b5a0, RDX: ffffbc84b35d2840, R8: ffffbc84b35d2848, R9: ffffbc84b35d2878
Return Address: fffff8044cfae5ac
Function: ExEnterCriticalRegionAndAcquireResourceExclusive
RCX: fffff8044d00b5a0, RDX: ffffbc84b35d27c8, R8: ffffbc84b35d2790, R9: ffffbc84b35d27c0
Return Address: fffff8044cfae895
Function: ExReleaseResourceAndLeaveCriticalRegion
RCX: fffff8044d00b5a0, RDX: fffff8044d00b568, R8: 641e7b808835, R9: ffffbc84b35d27c0
Return Address: fffff8044cfae9c2
Function: ExReleaseResourceAndLeaveCriticalRegion
RCX: fffff8044d00b5a0, RDX: fffff8044cfb0240, R8: ffffbc84b35d26d0, R9: ffffbc84b35d27c0
Return Address: fffff8044cfae5bd
Function: RtlGetElementGenericTableAvl
RCX: fffff8044d00b280, RDX: 0, R8: ffffbc84b35d27c0, R9: ffffbc84b35d27c0
Return Address: fffff8044cfadb45
Function: RtlDeleteElementGenericTableAvl
RCX: fffff8044d00b280, RDX: ffffd384232486b0, R8: 0, R9: 0
Return Address: fffff8044cfadb36
Function: RtlGetElementGenericTableAvl
RCX: fffff8044d00b280, RDX: 0, R8: 0, R9: 0
Return Address: fffff8044cfadb45
Function: ExDeleteNPagedLookasideList
RCX: fffff8044d00b200, RDX: 0, R8: 0, R9: 0
Return Address: fffff8044cfadb57
Function: ExDeleteResourceLite
RCX: fffff8044d00b670, RDX: 8f, R8: ffffd3842323415a, R9: 2a
Return Address: fffff8044cfaeb66
Function: ExDeleteResourceLite
RCX: fffff8044d00b608, RDX: 0, R8: ffffd3842323415a, R9: 2a
Return Address: fffff8044cfaeb66
Function: ExDeleteResourceLite
RCX: fffff8044d00b5a0, RDX: 0, R8: ffffd3842323415a, R9: 2a
Return Address: fffff8044cfaeb66
Function: RtlGetElementGenericTableAvl
RCX: fffff8044d00b180, RDX: 0, R8: ffffd3842323415a, R9: 2a
Return Address: fffff8044cfab6c9
Function: RtlDeleteElementGenericTableAvl
RCX: fffff8044d00b180, RDX: ffffd38422954f40, R8: 0, R9: 0
Return Address: fffff8044cfab6ba
Function: RtlGetElementGenericTableAvl
RCX: fffff8044d00b180, RDX: 0, R8: 0, R9: 0
Return Address: fffff8044cfab6c9
Function: ExDeleteNPagedLookasideList
RCX: fffff8044d00b100, RDX: 0, R8: 0, R9: 0
Return Address: fffff8044cfab6db
Function: ExDeleteResourceLite
RCX: fffff8044d00b6e0, RDX: 27, R8: ffffd384229431ac, R9: 24
Return Address: fffff8044cfaebf6
Function: DbgPrintEx
RCX: 4d, RDX: 0, R8: fffff8044cfb0840, R9: c0000001
Return Address: fffff8044cfadf0c
DriverEntry failed 0xc0000001 for driver \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ACEDriver
Function: ExFreePoolWithTag
RCX: ffffd38422ef9e00, RDX: 0, R8: 140d712a4, R9: 2
Return Address: fffff8044e053193
As can be seen, two work items call each other, and what follows should be the allocation and saving of the HV's EPT-related information; the key functions can likewise be traced back from the call sites of these functions. I will not write up the rest of the analysis, because once the location of the key algorithm has been found, what remains is the dizzying reversing stage. This framework can only be used to quickly locate the key logic points of a whole driver; the reversing work itself still has to be done by hand, by backtracking from the printed return addresses.
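To make that backtracking less tedious, the monitor output above can be parsed mechanically: each record is the three-line `Function:` / `RCX, RDX, R8, R9` / `Return Address:` group, optionally prefixed by the `[smallzhong][...]` log tag, with unrelated DbgPrint text interleaved. The following is an added example (not part of the original post or the framework) that reads such a log, converts every return address into an RVA inside the monitored driver so it can be looked up directly in IDA, counts calls per call site, and decodes the pool tags passed to `ExAllocatePoolWithTag`/`ExFreePoolWithTag`; the image base and the sample lines are constructed assumptions, not values from the page.

```python
import re
from collections import Counter

# Constructed sample in the framework's output format (records adapted from the log above).
SAMPLE_LOG = """\
Function: ZwQuerySystemInformation
RCX: b, RDX: 0, R8: 0, R9: ffffbc84b35fcaf8
Return Address: fffff8044d700a81
Function: ExAllocatePoolWithTag
RCX: 0, RDX: cb88, R8: 6d6f646c, R9: ffffbc84b35fc6e0
Return Address: fffff8044d700a87
[smallzhong][DriverMain::<lambda_1>::operator ()():87] Function: KdDisableDebugger
RCX: fffff80446796028, RDX: 3b4, R8: fffff80446796000, R9: abb86a985761b61
Return Address: fffff8044d7018fd
DriverEntry failed 0xc0000001 for driver \\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\ACEDriver
Function: ExFreePoolWithTag
RCX: ffffd38425606000, RDX: 6d6f646c, R8: ffffbc84b35fc600, R9: ffffbc84b35fc6e0
Return Address: fffff8044d700b02
"""

# Assumed load address of the monitored driver (not given on the page); take it from
# the debugger or from the loaded-module list when analysing a real capture.
ASSUMED_IMAGE_BASE = 0xFFFFF8044D6F0000

FUNC_RE = re.compile(r"(?:\[.*?\]\s*)*Function:\s*(\w+)")
REGS_RE = re.compile(r"RCX:\s*([0-9a-f]+),\s*RDX:\s*([0-9a-f]+),\s*R8:\s*([0-9a-f]+),\s*R9:\s*([0-9a-f]+)")
RET_RE = re.compile(r"Return Address:\s*([0-9a-f]+)")

def parse_calls(text):
    """Group the three-line records into dicts. Lines that match none of the three
    patterns (e.g. the DriverEntry DbgPrint text) are skipped without desynchronising."""
    calls, cur = [], None
    for line in text.splitlines():
        if m := FUNC_RE.match(line):
            cur = {"func": m.group(1)}
        elif cur and (m := REGS_RE.match(line)):
            cur["args"] = [int(x, 16) for x in m.groups()]
        elif cur and (m := RET_RE.match(line)):
            cur["ret"] = int(m.group(1), 16)
            calls.append(cur)
            cur = None
    return calls

def call_sites(calls, image_base):
    """Count calls per (imported function, RVA of the call site inside the driver)."""
    return Counter((c["func"], c["ret"] - image_base) for c in calls)

def decode_pool_tag(value):
    """Pool tags travel as a little-endian DWORD; render them the way poolmon does."""
    return value.to_bytes(4, "little").decode("ascii", errors="replace")

if __name__ == "__main__":
    calls = parse_calls(SAMPLE_LOG)
    for (func, rva), n in sorted(call_sites(calls, ASSUMED_IMAGE_BASE).items()):
        print(f"{func:<28} driver+{rva:#08x}  x{n}")
    for c in calls:
        if c["func"] == "ExAllocatePoolWithTag":
            print("pool tag:", decode_pool_tag(c["args"][2]), "size:", hex(c["args"][1]))
```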