[原创]驱动挂钩所有内核导出函数来进行驱动逻辑分析-软件逆向-看雪安全社区

[原创]驱动挂钩所有内核导出函数来进行驱动逻辑分析

发表于: 2025-4-27 17:39 10161

[原创]驱动挂钩所有内核导出函数来进行驱动逻辑分析

smallzhong_ 活跃值

2025-4-27 17:39

10161

三年前我写了一个用来在内核做 inlinehook 的项目 [原创]开源一个自己写的简易的windows内核hook框架  。写这个框架的初衷是我发现并没有一个很好用的在windows内核进行 inlinehook 的框架。米松大佬曾经把 detours 移植到了内核 797K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6Y4K9i4c8Z5N6h3u0Q4x3X3g2U0L8$3#2Q4x3V1k6y4K9i4u0G2d9$3q4C8N6g2)9J5c8V1c8W2N6r3!0#2M7Y4y4j5 ，这个框架很好用，但是 detours 本身是为了三环挂钩开发的，其设计之初好像并没有考虑内核挂钩的特殊情况，因此如果出现了4字节相对寻址，其还是会按照三环的逻辑来修复这个4字节寻址。而此时4字节寻址已经无论如何满足不了需求了，因为申请的内存在2GB开外。在该项目的issue区可以看到 6adK9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6Y4K9i4c8Z5N6h3u0Q4x3X3g2U0L8$3#2Q4x3V1k6y4K9i4u0G2d9$3q4C8N6g2)9J5c8V1c8W2N6r3!0#2M7Y4y4j5i4K6u0r3K9i4y4K6N6h3g2K6i4K6u0r3x3R3`.`. 挂钩 MmIsAddressValid 失败的情况。这里就是因为有一个E8 call，detoursX 修复相对地址失败了。如图是hook之前的情况
hook之后，这个e8 call并没有被正确修复，导致跳到不存在的地址
 
事实上，对于这种有相对寻址的情况，并不能简单修复4字节的相对地址。因为内核是一个很宽广的空间，4字节只能寻址4GB内存，内核是申请不到离得这么近的内存地址用来存放 trampoline 的。为了解决这个问题，我写了一个hook框架，在框架中对相对寻址进行了特判，使得所有相对寻址都能正确找到对应的位置。
2025.6.3更新：该问题已被米松哥在 d81K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6Y4K9i4c8Z5N6h3u0Q4x3X3g2U0L8$3#2Q4x3V1k6y4K9i4u0G2d9$3q4C8N6g2)9J5c8V1c8W2N6r3!0#2M7Y4y4j5i4K6u0r3j5$3!0E0L8h3W2@1i4K6u0r3j5U0t1@1y4U0k6X3x3r3g2W2x3U0N6X3k6o6k6U0x3h3g2U0z5r3t1&6y4r3u0S2y4X3x3&6x3r3t1&6k6o6t1%4j5X3p5@1j5U0p5%4j5R3`.`. commit中被修复，使用了 48 b8 IMM64（MOV RAX, IMM64） 之后 FFD0(CALL RAX) 的方法。欢迎大家直接使用detourX来进行hook。
  如图，假设未被hook的代码如黄色图块显示。代码顺序为ABCDE，假设ABC三条指令加起来长度大于14字节，可以放下 ff 25 00 00 00 00 00 00 00 00 00 00 00 00 这个跳转。本框架会自动识别这三条代码的长度，然后将其替换为一个 ff25 jmp。其跳到自己申请的一块空间。跳转完成之后首先进行环境的保存，将所有寄存器保存到栈中。然后call一个C语言写的callback函数。可以在这个函数中进行相应的操作。如果这个函数的返回值是 FALSE ，则跳转回原函数处进行执行。如果为 TRUE ，则直接return，不再执行原函数。如果需要执行原函数，则重新POP所有之前保存的寄存器，然后执行 A B C 三条语句，最后通过一个 ff25 jmp跳到原函数中的下一行处执行（在此示例中是D处)。
本框架适配了大量相对跳转的模式，如7X XX && E1 xx && E2 xx && E3 xx && EB xx一字节短跳，0F 8X XX XX XX XX四字节相对跳转，E8 E9四字节短跳和call等。这些情况的处理方法都如下图所示
假设 ABC 三条语句中，只有B这一条语句是一个使用了相对跳转的语句。这里用 74 XX 这个JE跳转举例。
 
如图，本框架会自动计算出来跳转的目的地的绝对地址，然后生成一条 FF25 无条件跳转语句放在 shellcode 的最末尾。然后把74跳转的目标改为这一条FF25跳转指令的相对地址。这样的话，如果这条JE跳转条件成立，会跳转到FF25指令处，然后FF25跳转到原先的绝对地址处。这样保证了逻辑的正确性。其他1字节、4字节的相对寻址跳转都使用了这样的思想来进行修正。
这种情况比较复杂，因为这些代码并不像跳转指令那样可以简单使用FF25作为trampoline跳回真正的绝对地址。而且这些指令并不存在可以使用绝对地址寻址的指令版本，因此也不能将其特殊改造为绝对寻址版本。在本框架中，处理的方法如下：16字节对齐地查找被hook的模块中全0的地址，然后把相对寻址的代码复制过去，因为这时的地址在对应模块地址内部，因此可以完成相对寻址的执行。逻辑如图
 
  内核中大量存在 48 8D 05这种相对寻址代码。主要出现在Zw函数中。如果所有的函数都使用寻找模块内空白地址进行跳转的方法，会出现模块内空白地址耗尽导致无法hook的问题，因此这里对这种情况做了一下特判。把这个LEA改成了一个 48 B8的 MOV RAX, IMM64。
如下图所示
 
有了上面的hook框架，就可以考虑对内核的一些函数进行hook来进行对特定驱动的系统函数调用流程分析了。首先需要专门处理一种特殊情况，在这种情况下，不能直接hook函数。那就是，如果有其他代码会跳转到开头需要覆盖的指令的中间，就不能直接对函数进行hook。说起来有点拗口，但是举一个例子就明白了，如下
比如这个函数 RtlUnalignedStringCchLengthW ，可以看到 
在开头第12个字节有一个基本块，在其他地方有跳转到这个基本块的代码。在这种情况下，如果直接填入 ff25（14个字节），会覆盖这个位置。而后面的jnz还是有可能跳转到这个地址，这就会导致跳转到corrupted memory，而产生不可控的后果。
解决这个问题的办法是写一个IDA脚本对这种情况进行特判，一旦函数开头前14个字节出现了可能被其他基本块跳转到的基本块，就标记为False，不处理这个函数。判断函数如下
内核的导出函数都是一些调用非常频繁的函数，每时每刻都会有驱动程序对他们进行调用。全部记录下来是非常不现实的事情，会导致系统完全卡死。因此这里需要通过返回地址对调用来源进行选择性判断，只打印来自特定来源的函数调用。本监控框架封装了一个用于维护监控地址集合的singleton。可以通过以下三个宏
来添加、删除监控范围，以及判断某一个地址是否正在被监控。
如下是IDA脚本自动生成的一个handler。可以看到使用了 FILTER_RET_ADDR 判断调用来源，只有返回地址是特定来源的调用，才进行打印四个参数和返回地址的记录。
使用nuget导入米松哥封装的 Musa.Runtime  ，开始愉快地在内核编写C++代码 
把需要监控的驱动用IDA打开，打开 scripts\AutoGen.py ，ctrl + h 全局修改修改里面硬编码的保存路径后运行 AutoGen.py 脚本，得到 available_funcs.inc 、 handlers.h 、 handlers.c 三个自动生成的文件，并将其导入vs项目中。
在 DriverMain 中特定 Hook 自己感兴趣的函数。
加载驱动，查看日志。
在 DriverMain 中设置 ImageCallback
在 callback 中检查是否为 ACEDriver.sys 被加载，如果是的话，添加相应监控范围。
开启虚拟机，加载本分析框架。
 
成功自动 hook 所有导出函数中可以hook的函数。
  可以看到，中间出现了一次 KDTARGET: Refreshing KD connection 信息，再往上看，发现是 KdRefreshDebuggerNotPresent 函数被调用了。也就是说其使用了这个函数进行反调试。返回地址是 fffff8044d121634 ，imagebase是 FFFFF8044C9C0000 ，算出对这个函数进行调用的位置是 ACEDriver.sys + 0X761634 。直接通过dump的代码进入这个位置，发现这里是一个 ExQueueWorkItem 起来的线程，从log中也可以看出来调用了 ExQueueWorkItem 。最终分析得出结论：需要 hook KdDisableDebugger 和 KdRefreshDebuggerNotPresent 两个函数，并手动设置返回值。实现如下
  在 handler 里面直接修改 mRax 返回值，并 return TRUE 。在本框架中， return TRUE 是不调用原始函数，设置寄存器后直接返回。因此效果是，调用 KdDisableDebugger 直接返回 STATUS_SUCCESS ，不调用原始函数。调用 KdRefreshDebuggerNotPresent 返回1，这个值表明当前没有挂上调试器。在加上这两个函数的hook后，重新加载驱动。
把前文说到的相关hook加上后再次加载，这次不会蓝屏了。完整log如下
可以看到，会两个workitem互相调用，后面应该是 HV 的 EPT 相关信息的申请和保存，也可以通过这些函数的调用地点反推到关键函数。接下来的分析就不写了。因为找到关键算法位置之后就是令人头晕的逆向环节。本框架只能用来快速定位整个驱动的关键逻辑点，但是逆向工作还是需要自己手动通过打印出来的返回地址回溯并手工逆向。
def has_xrefs_to_middle(start_ea, end_ea):
    instr_size = idc.get_item_size(start_ea)
    start_ea += instr_size
    while start_ea < end_ea:
        t = idautils.CodeRefsTo(start_ea, False)
        for i in t:
            return True
        instr_size = idc.get_item_size(start_ea)
        start_ea += instr_size
    return False
def has_xrefs_to_middle(start_ea, end_ea):
    instr_size = idc.get_item_size(start_ea)
    start_ea += instr_size
    while start_ea < end_ea:
        t = idautils.CodeRefsTo(start_ea, False)
        for i in t:
            return True
        instr_size = idc.get_item_size(start_ea)
        start_ea += instr_size
    return False
#define ADD_MONITOR_RANGE(start, end) smallzhong::MonitorAddressManager::GetInstance().AddMonitorRange((start), (end))
#define DEL_FROM_MONITOR_LIST(addr) smallzhong::MonitorAddressManager::GetInstance().DelFromMonitorList((addr))
#define FILTER_RET_ADDR(ret_addr) smallzhong::MonitorAddressManager::GetInstance().FilterRetAddr((ret_addr))
#define ADD_MONITOR_RANGE(start, end) smallzhong::MonitorAddressManager::GetInstance().AddMonitorRange((start), (end))
#define DEL_FROM_MONITOR_LIST(addr) smallzhong::MonitorAddressManager::GetInstance().DelFromMonitorList((addr))
#define FILTER_RET_ADDR(ret_addr) smallzhong::MonitorAddressManager::GetInstance().FilterRetAddr((ret_addr))
BOOLEAN handler_c4a77d9f(PGuestContext context)
{
    ULONG64 origin_ret_addr = *(PULONG64)(context->mRsp);
    if (FILTER_RET_ADDR(origin_ret_addr))
    {
        LOG_INFO("Function: ExAllocatePoolWithTag\nRCX: %llx, RDX: %llx, R8: %llx, R9: %llx\nReturn Address: %llx\n\n", 
            context->mRcx, context->mRdx, context->mR8, context->mR9, origin_ret_addr);
    }
    return FALSE;
}
BOOLEAN handler_c4a77d9f(PGuestContext context)
{
    ULONG64 origin_ret_addr = *(PULONG64)(context->mRsp);
    if (FILTER_RET_ADDR(origin_ret_addr))
    {
        LOG_INFO("Function: ExAllocatePoolWithTag\nRCX: %llx, RDX: %llx, R8: %llx, R9: %llx\nReturn Address: %llx\n\n", 
            context->mRcx, context->mRdx, context->mR8, context->mR9, origin_ret_addr);
    }
    return FALSE;
}
EXTERN_C NTSTATUS DriverMain(const PDRIVER_OBJECT DriverObject, const PUNICODE_STRING Registry)
{
    LOG_INFO("entry\r\n");
 
    NTSTATUS status = STATUS_SUCCESS;
    status = PsSetLoadImageNotifyRoutine(ImageLoadCallback);
    ...
}
EXTERN_C NTSTATUS DriverMain(const PDRIVER_OBJECT DriverObject, const PUNICODE_STRING Registry)
{
    LOG_INFO("entry\r\n");
 
    NTSTATUS status = STATUS_SUCCESS;
    status = PsSetLoadImageNotifyRoutine(ImageLoadCallback);
    ...
}
VOID ImageLoadCallback(
    PUNICODE_STRING FullImageName,
    HANDLE ProcessId,
    PIMAGE_INFO ImageInfo)
{
 
    if (ProcessId == 0 && FullImageName != NULL)
    {
 
        // 检查是否是 ACEDriver.sys 被加载
        if (wcsstr(FullImageName->Buffer, L"\\ACEDriver.sys"))
        {
            LOG_INFO("ACEDriver.sys" " has been loaded!\n");
            LOG_INFO("Image Base: %p\n", ImageInfo->ImageBase);
            LOG_INFO("Image Size: %llx\n", ImageInfo->ImageSize);
 
            ADD_MONITOR_RANGE((ULONG64)ImageInfo->ImageBase, (ULONG64)ImageInfo->ImageBase + ImageInfo->ImageSize);
        }
    }
}
VOID ImageLoadCallback(
    PUNICODE_STRING FullImageName,
    HANDLE ProcessId,
    PIMAGE_INFO ImageInfo)
{
 
    if (ProcessId == 0 && FullImageName != NULL)
    {
 
        // 检查是否是 ACEDriver.sys 被加载
        if (wcsstr(FullImageName->Buffer, L"\\ACEDriver.sys"))
        {
            LOG_INFO("ACEDriver.sys" " has been loaded!\n");
            LOG_INFO("Image Base: %p\n", ImageInfo->ImageBase);
            LOG_INFO("Image Size: %llx\n", ImageInfo->ImageSize);
 
            ADD_MONITOR_RANGE((ULONG64)ImageInfo->ImageBase, (ULONG64)ImageInfo->ImageBase + ImageInfo->ImageSize);
        }
    }
}
[smallzhong][ImageLoadCallback():22] ACEDriver.sys has been loaded!
[smallzhong][ImageLoadCallback():23] Image Base: FFFFF8044C9C0000
[smallzhong][ImageLoadCallback():24] Image Size: 12ce000
Function: ExAllocatePool
RCX: 200, RDX: 1a0, R8: fffff80445f331f0, R9: ffffbc84b35e7768
Return Address: fffff8044d9eac91
 
Function: NtQuerySystemInformation
RCX: b, RDX: ffffbc84b35e7650, R8: 0, R9: ffffbc84b35e7648
Return Address: fffff8044d7b062a
 
Function: ExAllocatePool
RCX: 200, RDX: 19960, R8: ffffbc84b35e7380, R9: ffffbc84b35e73e0
Return Address: fffff8044d796230
 
Function: NtQuerySystemInformation
RCX: b, RDX: ffffd384236e6000, R8: 19960, R9: ffffbc84b35e7648
Return Address: fffff8044d1259a8
 
Function: ExFreePoolWithTag
RCX: ffffd384236e6000, RDX: 0, R8: fffff80445e00000, R9: fffff80445e313e0
Return Address: fffff8044d7ace2a
 
Function: IoAllocateMdl
RCX: fffff8044c9c0000, RDX: 762537, R8: 0, R9: 0
Return Address: fffff8044da92507
 
Function: MmProbeAndLockPages
RCX: ffffd384269f0000, RDX: 0, R8: 1, R9: ffffbc84b35e7760
Return Address: fffff8044dae65ef
 
Function: MmMapLockedPagesSpecifyCache
RCX: ffffd384269f0000, RDX: 0, R8: 1, R9: 0
Return Address: fffff8044db35827
 
Function: ExAllocatePool
RCX: 200, RDX: 3e6c, R8: ffffbc84b35e7768, R9: fffffff86df59f7a
Return Address: fffff8044d97b359
 
Function: ExFreePoolWithTag
RCX: ffffd3842325f000, RDX: 0, R8: ffffbc84b35e7768, R9: 2
Return Address: fffff8044d7dd486
 
Function: NtQuerySystemInformation
RCX: b, RDX: ffffbc84b35e7650, R8: 0, R9: ffffbc84b35e7648
Return Address: fffff8044d7b062a
 
Function: ExAllocatePool
RCX: 200, RDX: 19960, R8: ffffbc84b35e7380, R9: ffffbc84b35e73e0
Return Address: fffff8044d796230
 
Function: NtQuerySystemInformation
RCX: b, RDX: ffffd384236e6000, R8: 19960, R9: ffffbc84b35e7648
Return Address: fffff8044d1259a8
 
Function: ExFreePoolWithTag
RCX: ffffd384236e6000, RDX: 0, R8: fffff80445e00000, R9: fffff80445e313e0
Return Address: fffff8044d7ace2a
 
Function: NtQuerySystemInformation
RCX: b, RDX: ffffbc84b35e7650, R8: 0, R9: ffffbc84b35e7648
Return Address: fffff8044d7b062a
 
Function: ExAllocatePool
RCX: 200, RDX: 19960, R8: ffffbc84b35e7380, R9: ffffbc84b35e73e0
Return Address: fffff8044d796230
 
Function: NtQuerySystemInformation
RCX: b, RDX: ffffd384236e6000, R8: 19960, R9: ffffbc84b35e7648
Return Address: fffff8044d1259a8
 
Function: ExFreePoolWithTag
RCX: ffffd384236e6000, RDX: 0, R8: ffffbc84b35e766b, R9: ffffd384236e74d8
Return Address: fffff8044d7ace2a
 
Function: KeSetSystemAffinityThread
RCX: 1, RDX: 8, R8: 0, R9: ffffbc84b35e7770
Return Address: fffff8044d8c2bc1
 
Function: KeSetSystemAffinityThread
RCX: 2, RDX: 8, R8: 0, R9: ffffbc84b35e7770
Return Address: fffff8044d8c2bc1
 
Function: KeSetSystemAffinityThread
RCX: 4, RDX: 8, R8: 0, R9: ffffbc84b35e7770
Return Address: fffff8044d8c2bc1
 
Function: KeSetSystemAffinityThread
RCX: 8, RDX: 8, R8: 0, R9: ffffbc84b35e7770
Return Address: fffff8044d8c2bc1
 
Function: KeRevertToUserAffinityThread
RCX: 0, RDX: 0, R8: ffffbc84b35e7778, R9: ffffffffe12f6b55
Return Address: fffff8044d981c67
 
Function: MmUnlockPages
RCX: ffffd384269f0000, RDX: 8, R8: 0, R9: ffffbc84b35e7660
Return Address: fffff8044d9a16ea
 
Function: IoFreeMdl
RCX: ffffd384269f0000, RDX: 8, R8: 542b35c7, R9: ffffbc84b35e7660
Return Address: fffff8044d9d0743
 
Function: RtlCopyUnicodeString
RCX: fffff8044ca2b518, RDX: ffffd38427abf000, R8: ffffbc84b35e6f60, R9: 10
Return Address: fffff8044c9cde8c
 
Function: ExIsProcessorFeaturePresent
RCX: a, RDX: ffffd38427abf000, R8: ffffbe8a8e013084, R9: fffff8044c9d3210
Return Address: fffff8044c9ce70b
 
Function: RtlGetVersion
RCX: ffffbc84b35e76f0, RDX: 7, R8: 2, R9: 1
Return Address: fffff8044c9ce4d7
 
Function: MmGetSystemRoutineAddress
RCX: ffffbc84b35e76d8, RDX: 7, R8: 2, R9: 1
Return Address: fffff8044c9ce4f7
 
Function: NtQuerySystemInformation
RCX: e3, RDX: ffffbc84b35e76d0, R8: 1, R9: 0
Return Address: fffff8044c9ce516
 
Function: ZwOpenSection
RCX: ffffbc84b35e7800, RDX: 5, R8: ffffbc84b35e7770, R9: 0
Return Address: fffff8044c9cdbf0
 
Function: ZwQuerySection
RCX: ffffffff80002114, RDX: 1, R8: ffffbc84b35e77a0, R9: 40
Return Address: fffff8044c9cdc27
 
Function: ObReferenceObjectByHandle
RCX: ffffffff80002114, RDX: 5, R8: ffffd3841d2cfbc0, R9: 0
Return Address: fffff8044c9cdc57
 
Function: MmMapViewInSystemSpace
RCX: ffffbe8a81ea2350, RDX: ffffbc84b35e7768, R8: ffffbc84b35e7760, R9: fffff80445e00000
Return Address: fffff8044c9cdc6f
 
Function: MmUnmapViewInSystemSpace
RCX: fffff80442c00000, RDX: be8a80ec7f880400, R8: ffffbc84b35e74e0, R9: ffffbc84b35e7748
Return Address: fffff8044c9cdc92
 
Function: ObfDereferenceObject
RCX: ffffbe8a81ea2350, RDX: 4b, R8: ffffd38420124134, R9: 4
Return Address: fffff8044c9cdca1
 
Function: ZwClose
RCX: ffffffff80002114, RDX: 4b, R8: ffffd38420124134, R9: 4
Return Address: fffff8044c9cdcb0
 
Function: ExInitializeResourceLite
RCX: fffff8044ca2b6e0, RDX: fffff8044ca2b6e0, R8: ffffffff, R9: 7fffbe8a81ea2330
Return Address: fffff8044c9cebae
 
Function: ExInitializeNPagedLookasideList
RCX: fffff8044ca2b100, RDX: 0, R8: 0, R9: 200
Return Address: fffff8044c9cb60c
 
Function: RtlInitializeGenericTableAvl
RCX: fffff8044ca2b180, RDX: fffff8044c9cb460, R8: fffff8044c9cb450, R9: fffff8044c9cb480
Return Address: fffff8044c9cb640
 
Function: PsGetCurrentThreadId
RCX: ffffbc84b35e77e0, RDX: 0, R8: 0, R9: 0
Return Address: fffff8044c9cb658
 
Function: RtlInsertElementGenericTableAvl
RCX: fffff8044ca2b180, RDX: ffffbc84b35e7760, R8: 90, R9: ffffbc84b35e7728
Return Address: fffff8044c9cb4ba
 
Function: ExAllocatePoolWithTag
RCX: 200, RDX: b0, R8: 74726375, R9: ffffbc84b35e7728
Return Address: fffff8044c9cb3ae
 
Function: ExInitializeResourceLite
RCX: fffff8044ca2b5a0, RDX: fffff8044ca2b5a0, R8: 0, R9: 0
Return Address: fffff8044c9ceafe
 
Function: ExInitializeResourceLite
RCX: fffff8044ca2b608, RDX: fffff8044ca2b5a0, R8: 8, R9: 0
Return Address: fffff8044c9ceafe
 
Function: ExInitializeResourceLite
RCX: fffff8044ca2b670, RDX: fffff8044ca2b5a0, R8: 0, R9: 0
Return Address: fffff8044c9ceafe
 
Function: ExInitializeNPagedLookasideList
RCX: fffff8044ca2b200, RDX: 0, R8: 0, R9: 200
Return Address: fffff8044c9cda88
 
Function: RtlInitializeGenericTableAvl
RCX: fffff8044ca2b280, RDX: fffff8044c9cd8c0, R8: fffff8044c9cd8b0, R9: fffff8044c9cd8e0
Return Address: fffff8044c9cdabc
 
Function: PsGetCurrentThreadId
RCX: ffffbc84b35e77e8, RDX: 0, R8: 0, R9: 0
Return Address: fffff8044c9cdad2
 
Function: RtlInsertElementGenericTableAvl
RCX: fffff8044ca2b280, RDX: ffffbc84b35e77a0, R8: 48, R9: ffffbc84b35e7768
Return Address: fffff8044c9cd946
 
Function: ExAllocatePoolWithTag
RCX: 200, RDX: 68, R8: 74726375, R9: ffffbc84b35e7768
Return Address: fffff8044c9cb3ae
 
Function: ExAllocatePoolWithTag
RCX: 200, RDX: 1c0, R8: 74726375, R9: 0
Return Address: fffff8044c9cd45f
 
Function: RtlGetVersion
RCX: ffffd3842409a84c, RDX: 11c, R8: 0, R9: fff
Return Address: fffff8044c9c8cc7
 
Function: ZwQuerySystemInformation
RCX: b, RDX: 0, R8: 0, R9: ffffbc84b35e77d8
Return Address: fffff8044d122066
 
Function: ExAllocatePoolWithTag
RCX: 0, RDX: ccb0, R8: 6d6f646c, R9: ffffbc84b35e73c0
Return Address: fffff8044d12206c
 
Function: ZwQuerySystemInformation
RCX: b, RDX: ffffd38429406000, R8: ccb0, R9: ffffbc84b35e77d8
Return Address: fffff8044d122074
 
Function: ExFreePoolWithTag
RCX: ffffd38429406000, RDX: 6d6f646c, R8: ffffbc84b35e7300, R9: ffffbc84b35e73c0
Return Address: fffff8044d122091
 
Function: ZwQuerySystemInformation
RCX: b, RDX: 0, R8: 0, R9: ffffbc84b35e77d8
Return Address: fffff8044d1220b9
 
Function: ExAllocatePoolWithTag
RCX: 0, RDX: ccb0, R8: 6d6f646c, R9: ffffbc84b35e73c0
Return Address: fffff8044d1220bf
 
Function: ZwQuerySystemInformation
RCX: b, RDX: ffffd38429406000, R8: ccb0, R9: ffffbc84b35e77d8
Return Address: fffff8044d1220c5
 
Function: ExFreePoolWithTag
RCX: ffffd38429406000, RDX: 6d6f646c, R8: ffffbc84b35e7300, R9: ffffbc84b35e73c0
Return Address: fffff8044d1220d2
 
Function: ExAllocatePoolWithTag
RCX: 1, RDX: 1000, R8: 35384245, R9: 0
Return Address: fffff8044d122252
 
Function: ExAllocatePoolWithTag
RCX: 200, RDX: 20, R8: 44533143, R9: 0
Return Address: fffff8044d121f98
 
Function: ExQueueWorkItem
RCX: ffffd384233ee550, RDX: 1, R8: ffffd384233ee550, R9: fff
Return Address: fffff8044d121fef
 
Function: KeDelayExecutionThread
RCX: 0, RDX: 0, R8: ffffbc84b28cab38, R9: 0
Return Address: fffff8044d1209b1
 
Function: KeDelayExecutionThread
RCX: 0, RDX: 0, R8: ffffbc84b35e7808, R9: 2f
Return Address: fffff8044d1209b1
 
Function: ZwQuerySystemInformation
RCX: b, RDX: 0, R8: 0, R9: ffffbc84b28cab38
Return Address: fffff8044d1209e2
 
Function: ExAllocatePoolWithTag
RCX: 0, RDX: ccb0, R8: 6d6f646c, R9: ffffbc84b28ca720
Return Address: fffff8044d1209f4
 
Function: ZwQuerySystemInformation
RCX: b, RDX: ffffd38429406000, R8: ccb0, R9: ffffbc84b28cab38
Return Address: fffff8044d1209fa
 
Function: ExFreePoolWithTag
RCX: ffffd38429406000, RDX: 6d6f646c, R8: ffffbc84b28ca600, R9: ffffbc84b28ca720
Return Address: fffff8044d120a3f
 
Function: KdRefreshDebuggerNotPresent
RCX: fffff80446796028, RDX: 3bd, R8: fffff80446796000, R9: 188b5e66ecc8b28
Return Address: fffff8044d121634
 
KDTARGET: Refreshing KD connection
Function: ZwQuerySystemInformation
RCX: b, RDX: 0, R8: 0, R9: ffffbc84b28caaa8
Return Address: fffff8044d120bc2
 
Function: ExAllocatePoolWithTag
RCX: 0, RDX: ccb0, R8: 6d6f646c, R9: ffffbc84b28ca690
Return Address: fffff8044d120bdc
 
Function: ZwQuerySystemInformation
RCX: b, RDX: ffffd38429406000, R8: ccb0, R9: ffffbc84b28caaa8
Return Address: fffff8044d120be2
 
Function: ExFreePoolWithTag
RCX: ffffd38429406000, RDX: 6d6f646c, R8: ffffbc84b28ca600, R9: ffffbc84b28ca690
Return Address: fffff8044d120bfb
 
Function: ExAllocatePoolWithTag
RCX: 0, RDX: 40, R8: 41434520, R9: 882b074c4af83a16
Return Address: fffff8044d121195
 
Function: KeInitializeDpc
RCX: ffffd3841cd025d0, RDX: fffff8044c9c78c0, R8: fffff80445fc14e0, R9: fff
Return Address: fffff8044d1211d7
 
Function: KeInsertQueueDpc
RCX: ffffd3841cd025d0, RDX: 0, R8: 0, R9: fff
Return Address: fffff8044d121205
 
KDTARGET: Refreshing KD connection
 
*** Fatal System Error: 0x00414345
                       (0x0000000000000000,0x0000000000000000,0x0000000000000000,0x0000000000000000)
 
Break instruction exception - code 80000003 (first chance)
 
A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.
 
A fatal system error has occurred.
 
For analysis of this file, run !analyze -v
nt!DbgBreakPointWithStatus:
fffff804`45fc9370 cc              int     3
[smallzhong][ImageLoadCallback():22] ACEDriver.sys has been loaded!
[smallzhong][ImageLoadCallback():23] Image Base: FFFFF8044C9C0000
[smallzhong][ImageLoadCallback():24] Image Size: 12ce000
Function: ExAllocatePool
RCX: 200, RDX: 1a0, R8: fffff80445f331f0, R9: ffffbc84b35e7768
Return Address: fffff8044d9eac91
 
Function: NtQuerySystemInformation
RCX: b, RDX: ffffbc84b35e7650, R8: 0, R9: ffffbc84b35e7648
Return Address: fffff8044d7b062a
 
Function: ExAllocatePool
RCX: 200, RDX: 19960, R8: ffffbc84b35e7380, R9: ffffbc84b35e73e0
Return Address: fffff8044d796230
 
Function: NtQuerySystemInformation
RCX: b, RDX: ffffd384236e6000, R8: 19960, R9: ffffbc84b35e7648
Return Address: fffff8044d1259a8
 
Function: ExFreePoolWithTag
RCX: ffffd384236e6000, RDX: 0, R8: fffff80445e00000, R9: fffff80445e313e0
Return Address: fffff8044d7ace2a
 
Function: IoAllocateMdl
RCX: fffff8044c9c0000, RDX: 762537, R8: 0, R9: 0
Return Address: fffff8044da92507
 
Function: MmProbeAndLockPages
RCX: ffffd384269f0000, RDX: 0, R8: 1, R9: ffffbc84b35e7760
Return Address: fffff8044dae65ef
 
Function: MmMapLockedPagesSpecifyCache
RCX: ffffd384269f0000, RDX: 0, R8: 1, R9: 0
Return Address: fffff8044db35827
 
Function: ExAllocatePool
RCX: 200, RDX: 3e6c, R8: ffffbc84b35e7768, R9: fffffff86df59f7a
Return Address: fffff8044d97b359
 
Function: ExFreePoolWithTag
RCX: ffffd3842325f000, RDX: 0, R8: ffffbc84b35e7768, R9: 2
Return Address: fffff8044d7dd486
 
Function: NtQuerySystemInformation
RCX: b, RDX: ffffbc84b35e7650, R8: 0, R9: ffffbc84b35e7648
Return Address: fffff8044d7b062a
 
Function: ExAllocatePool
RCX: 200, RDX: 19960, R8: ffffbc84b35e7380, R9: ffffbc84b35e73e0
Return Address: fffff8044d796230
 
Function: NtQuerySystemInformation
RCX: b, RDX: ffffd384236e6000, R8: 19960, R9: ffffbc84b35e7648
Return Address: fffff8044d1259a8
 
Function: ExFreePoolWithTag
RCX: ffffd384236e6000, RDX: 0, R8: fffff80445e00000, R9: fffff80445e313e0
Return Address: fffff8044d7ace2a
 
Function: NtQuerySystemInformation
RCX: b, RDX: ffffbc84b35e7650, R8: 0, R9: ffffbc84b35e7648
Return Address: fffff8044d7b062a
 
Function: ExAllocatePool
RCX: 200, RDX: 19960, R8: ffffbc84b35e7380, R9: ffffbc84b35e73e0
Return Address: fffff8044d796230
 
Function: NtQuerySystemInformation
RCX: b, RDX: ffffd384236e6000, R8: 19960, R9: ffffbc84b35e7648
Return Address: fffff8044d1259a8
 
Function: ExFreePoolWithTag
RCX: ffffd384236e6000, RDX: 0, R8: ffffbc84b35e766b, R9: ffffd384236e74d8
Return Address: fffff8044d7ace2a
 
Function: KeSetSystemAffinityThread
RCX: 1, RDX: 8, R8: 0, R9: ffffbc84b35e7770
Return Address: fffff8044d8c2bc1
 
Function: KeSetSystemAffinityThread
RCX: 2, RDX: 8, R8: 0, R9: ffffbc84b35e7770
Return Address: fffff8044d8c2bc1
 
Function: KeSetSystemAffinityThread
RCX: 4, RDX: 8, R8: 0, R9: ffffbc84b35e7770
Return Address: fffff8044d8c2bc1
 
Function: KeSetSystemAffinityThread
RCX: 8, RDX: 8, R8: 0, R9: ffffbc84b35e7770
Return Address: fffff8044d8c2bc1
 
Function: KeRevertToUserAffinityThread
RCX: 0, RDX: 0, R8: ffffbc84b35e7778, R9: ffffffffe12f6b55
Return Address: fffff8044d981c67
 
Function: MmUnlockPages
RCX: ffffd384269f0000, RDX: 8, R8: 0, R9: ffffbc84b35e7660
Return Address: fffff8044d9a16ea
 
Function: IoFreeMdl
RCX: ffffd384269f0000, RDX: 8, R8: 542b35c7, R9: ffffbc84b35e7660
Return Address: fffff8044d9d0743
 
Function: RtlCopyUnicodeString
RCX: fffff8044ca2b518, RDX: ffffd38427abf000, R8: ffffbc84b35e6f60, R9: 10
Return Address: fffff8044c9cde8c
 
Function: ExIsProcessorFeaturePresent
RCX: a, RDX: ffffd38427abf000, R8: ffffbe8a8e013084, R9: fffff8044c9d3210
Return Address: fffff8044c9ce70b
 
Function: RtlGetVersion
RCX: ffffbc84b35e76f0, RDX: 7, R8: 2, R9: 1
Return Address: fffff8044c9ce4d7
 
Function: MmGetSystemRoutineAddress
RCX: ffffbc84b35e76d8, RDX: 7, R8: 2, R9: 1
Return Address: fffff8044c9ce4f7
 
Function: NtQuerySystemInformation
RCX: e3, RDX: ffffbc84b35e76d0, R8: 1, R9: 0
Return Address: fffff8044c9ce516
 
Function: ZwOpenSection
RCX: ffffbc84b35e7800, RDX: 5, R8: ffffbc84b35e7770, R9: 0
Return Address: fffff8044c9cdbf0
 
Function: ZwQuerySection
RCX: ffffffff80002114, RDX: 1, R8: ffffbc84b35e77a0, R9: 40
Return Address: fffff8044c9cdc27
 
Function: ObReferenceObjectByHandle
RCX: ffffffff80002114, RDX: 5, R8: ffffd3841d2cfbc0, R9: 0
Return Address: fffff8044c9cdc57
 
Function: MmMapViewInSystemSpace
RCX: ffffbe8a81ea2350, RDX: ffffbc84b35e7768, R8: ffffbc84b35e7760, R9: fffff80445e00000
Return Address: fffff8044c9cdc6f
 
Function: MmUnmapViewInSystemSpace
RCX: fffff80442c00000, RDX: be8a80ec7f880400, R8: ffffbc84b35e74e0, R9: ffffbc84b35e7748
Return Address: fffff8044c9cdc92
 
Function: ObfDereferenceObject
RCX: ffffbe8a81ea2350, RDX: 4b, R8: ffffd38420124134, R9: 4
Return Address: fffff8044c9cdca1
 
Function: ZwClose
RCX: ffffffff80002114, RDX: 4b, R8: ffffd38420124134, R9: 4
Return Address: fffff8044c9cdcb0
 
Function: ExInitializeResourceLite
RCX: fffff8044ca2b6e0, RDX: fffff8044ca2b6e0, R8: ffffffff, R9: 7fffbe8a81ea2330
Return Address: fffff8044c9cebae
 
Function: ExInitializeNPagedLookasideList
RCX: fffff8044ca2b100, RDX: 0, R8: 0, R9: 200
Return Address: fffff8044c9cb60c
 
Function: RtlInitializeGenericTableAvl
RCX: fffff8044ca2b180, RDX: fffff8044c9cb460, R8: fffff8044c9cb450, R9: fffff8044c9cb480
Return Address: fffff8044c9cb640
 
Function: PsGetCurrentThreadId
RCX: ffffbc84b35e77e0, RDX: 0, R8: 0, R9: 0
Return Address: fffff8044c9cb658
 
Function: RtlInsertElementGenericTableAvl
RCX: fffff8044ca2b180, RDX: ffffbc84b35e7760, R8: 90, R9: ffffbc84b35e7728
Return Address: fffff8044c9cb4ba
 
Function: ExAllocatePoolWithTag
RCX: 200, RDX: b0, R8: 74726375, R9: ffffbc84b35e7728
Return Address: fffff8044c9cb3ae
 
Function: ExInitializeResourceLite
RCX: fffff8044ca2b5a0, RDX: fffff8044ca2b5a0, R8: 0, R9: 0
Return Address: fffff8044c9ceafe
 
Function: ExInitializeResourceLite
RCX: fffff8044ca2b608, RDX: fffff8044ca2b5a0, R8: 8, R9: 0
Return Address: fffff8044c9ceafe
 
Function: ExInitializeResourceLite
RCX: fffff8044ca2b670, RDX: fffff8044ca2b5a0, R8: 0, R9: 0
Return Address: fffff8044c9ceafe
 
Function: ExInitializeNPagedLookasideList
RCX: fffff8044ca2b200, RDX: 0, R8: 0, R9: 200
Return Address: fffff8044c9cda88
 
Function: RtlInitializeGenericTableAvl
RCX: fffff8044ca2b280, RDX: fffff8044c9cd8c0, R8: fffff8044c9cd8b0, R9: fffff8044c9cd8e0
Return Address: fffff8044c9cdabc
 
Function: PsGetCurrentThreadId
RCX: ffffbc84b35e77e8, RDX: 0, R8: 0, R9: 0
Return Address: fffff8044c9cdad2
 
Function: RtlInsertElementGenericTableAvl
RCX: fffff8044ca2b280, RDX: ffffbc84b35e77a0, R8: 48, R9: ffffbc84b35e7768
Return Address: fffff8044c9cd946
 
Function: ExAllocatePoolWithTag
RCX: 200, RDX: 68, R8: 74726375, R9: ffffbc84b35e7768
Return Address: fffff8044c9cb3ae
 
Function: ExAllocatePoolWithTag
RCX: 200, RDX: 1c0, R8: 74726375, R9: 0
Return Address: fffff8044c9cd45f
 
Function: RtlGetVersion
RCX: ffffd3842409a84c, RDX: 11c, R8: 0, R9: fff
Return Address: fffff8044c9c8cc7
 
Function: ZwQuerySystemInformation
RCX: b, RDX: 0, R8: 0, R9: ffffbc84b35e77d8
Return Address: fffff8044d122066
 
Function: ExAllocatePoolWithTag
RCX: 0, RDX: ccb0, R8: 6d6f646c, R9: ffffbc84b35e73c0
Return Address: fffff8044d12206c
 
Function: ZwQuerySystemInformation
RCX: b, RDX: ffffd38429406000, R8: ccb0, R9: ffffbc84b35e77d8
Return Address: fffff8044d122074
 
Function: ExFreePoolWithTag
RCX: ffffd38429406000, RDX: 6d6f646c, R8: ffffbc84b35e7300, R9: ffffbc84b35e73c0
Return Address: fffff8044d122091
 
Function: ZwQuerySystemInformation
RCX: b, RDX: 0, R8: 0, R9: ffffbc84b35e77d8
Return Address: fffff8044d1220b9
 
Function: ExAllocatePoolWithTag
RCX: 0, RDX: ccb0, R8: 6d6f646c, R9: ffffbc84b35e73c0
Return Address: fffff8044d1220bf
 
Function: ZwQuerySystemInformation
RCX: b, RDX: ffffd38429406000, R8: ccb0, R9: ffffbc84b35e77d8
Return Address: fffff8044d1220c5
 
Function: ExFreePoolWithTag
RCX: ffffd38429406000, RDX: 6d6f646c, R8: ffffbc84b35e7300, R9: ffffbc84b35e73c0
Return Address: fffff8044d1220d2
 
Function: ExAllocatePoolWithTag
RCX: 1, RDX: 1000, R8: 35384245, R9: 0
Return Address: fffff8044d122252
 
Function: ExAllocatePoolWithTag
RCX: 200, RDX: 20, R8: 44533143, R9: 0
Return Address: fffff8044d121f98
 
Function: ExQueueWorkItem
RCX: ffffd384233ee550, RDX: 1, R8: ffffd384233ee550, R9: fff
Return Address: fffff8044d121fef
 
Function: KeDelayExecutionThread
RCX: 0, RDX: 0, R8: ffffbc84b28cab38, R9: 0
Return Address: fffff8044d1209b1
 
Function: KeDelayExecutionThread
RCX: 0, RDX: 0, R8: ffffbc84b35e7808, R9: 2f
Return Address: fffff8044d1209b1
 
Function: ZwQuerySystemInformation
RCX: b, RDX: 0, R8: 0, R9: ffffbc84b28cab38
Return Address: fffff8044d1209e2
 
Function: ExAllocatePoolWithTag
RCX: 0, RDX: ccb0, R8: 6d6f646c, R9: ffffbc84b28ca720
Return Address: fffff8044d1209f4
 
Function: ZwQuerySystemInformation
RCX: b, RDX: ffffd38429406000, R8: ccb0, R9: ffffbc84b28cab38
Return Address: fffff8044d1209fa
 
Function: ExFreePoolWithTag
RCX: ffffd38429406000, RDX: 6d6f646c, R8: ffffbc84b28ca600, R9: ffffbc84b28ca720
Return Address: fffff8044d120a3f
 
Function: KdRefreshDebuggerNotPresent
RCX: fffff80446796028, RDX: 3bd, R8: fffff80446796000, R9: 188b5e66ecc8b28
Return Address: fffff8044d121634
 
KDTARGET: Refreshing KD connection
Function: ZwQuerySystemInformation
RCX: b, RDX: 0, R8: 0, R9: ffffbc84b28caaa8
Return Address: fffff8044d120bc2
 
Function: ExAllocatePoolWithTag
RCX: 0, RDX: ccb0, R8: 6d6f646c, R9: ffffbc84b28ca690
Return Address: fffff8044d120bdc
 
Function: ZwQuerySystemInformation
RCX: b, RDX: ffffd38429406000, R8: ccb0, R9: ffffbc84b28caaa8
Return Address: fffff8044d120be2
 
Function: ExFreePoolWithTag
RCX: ffffd38429406000, RDX: 6d6f646c, R8: ffffbc84b28ca600, R9: ffffbc84b28ca690
Return Address: fffff8044d120bfb
 
Function: ExAllocatePoolWithTag
RCX: 0, RDX: 40, R8: 41434520, R9: 882b074c4af83a16
Return Address: fffff8044d121195
 
Function: KeInitializeDpc
RCX: ffffd3841cd025d0, RDX: fffff8044c9c78c0, R8: fffff80445fc14e0, R9: fff
Return Address: fffff8044d1211d7
 
Function: KeInsertQueueDpc
RCX: ffffd3841cd025d0, RDX: 0, R8: 0, R9: fff
Return Address: fffff8044d121205
 
KDTARGET: Refreshing KD connection
 
*** Fatal System Error: 0x00414345
                       (0x0000000000000000,0x0000000000000000,0x0000000000000000,0x0000000000000000)
 
Break instruction exception - code 80000003 (first chance)
 
A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.
 
A fatal system error has occurred.
 
For analysis of this file, run !analyze -v
nt!DbgBreakPointWithStatus:
fffff804`45fc9370 cc              int     3
if (func.function_name == "KdDisableDebugger")
{
    auto lambda = [](GuestContext* context) -> BOOLEAN {
        ULONG64 origin_ret_addr = *(PULONG64)(context->mRsp);
        if (FILTER_RET_ADDR(origin_ret_addr))
        {
            LOG_INFO("Function: KdDisableDebugger\nRCX: %llx, RDX: %llx, R8: %llx, R9: %llx\nReturn Address: %llx\n\n",
                context->mRcx, context->mRdx, context->mR8, context->mR9, origin_ret_addr);
        }
        context->mRax = STATUS_SUCCESS;
        return TRUE;
        };
 
    try {
        GLOBAL_HOOK_MANAGER.add_hook(func.address, reinterpret_cast<ULONG64>(+lambda));
        LOG_INFO("Successfully hooked %s at %llx\r\n", func.function_name.c_str(), func.address);
    }
    catch (const std::exception& e) {
        LOG_INFO("Failed to hook %s: %s\r\n", func.function_name.c_str(), e.what());
    }
 
}
else if (func.function_name == "KdRefreshDebuggerNotPresent")
{
    //DbgBreakPoint();
 
    auto lambda = [](GuestContext* context) -> BOOLEAN {
        ULONG64 origin_ret_addr = *(PULONG64)(context->mRsp);
        if (FILTER_RET_ADDR(origin_ret_addr))
        {
            LOG_INFO("Function: KdRefreshDebuggerNotPresent\nRCX: %llx, RDX: %llx, R8: %llx, R9: %llx\nReturn Address: %llx\n\n",
                context->mRcx, context->mRdx, context->mR8, context->mR9, origin_ret_addr);
        }
        context->mRax = 1;
        return TRUE;
        };
    try {
        GLOBAL_HOOK_MANAGER.add_hook(func.address, reinterpret_cast<ULONG64>(+lambda));
        LOG_INFO("Successfully hooked %s at %llx\r\n", func.function_name.c_str(), func.address);
    }
    catch (const std::exception& e) {
        LOG_INFO("Failed to hook %s: %s\r\n", func.function_name.c_str(), e.what());
    }
 
}
if (func.function_name == "KdDisableDebugger")
{
    auto lambda = [](GuestContext* context) -> BOOLEAN {
        ULONG64 origin_ret_addr = *(PULONG64)(context->mRsp);
        if (FILTER_RET_ADDR(origin_ret_addr))
        {
            LOG_INFO("Function: KdDisableDebugger\nRCX: %llx, RDX: %llx, R8: %llx, R9: %llx\nReturn Address: %llx\n\n",
                context->mRcx, context->mRdx, context->mR8, context->mR9, origin_ret_addr);
        }
        context->mRax = STATUS_SUCCESS;
        return TRUE;
        };
 
    try {
        GLOBAL_HOOK_MANAGER.add_hook(func.address, reinterpret_cast<ULONG64>(+lambda));
        LOG_INFO("Successfully hooked %s at %llx\r\n", func.function_name.c_str(), func.address);
    }
    catch (const std::exception& e) {
        LOG_INFO("Failed to hook %s: %s\r\n", func.function_name.c_str(), e.what());
    }
 
}
else if (func.function_name == "KdRefreshDebuggerNotPresent")
{
    //DbgBreakPoint();
 
    auto lambda = [](GuestContext* context) -> BOOLEAN {
        ULONG64 origin_ret_addr = *(PULONG64)(context->mRsp);
        if (FILTER_RET_ADDR(origin_ret_addr))
        {
            LOG_INFO("Function: KdRefreshDebuggerNotPresent\nRCX: %llx, RDX: %llx, R8: %llx, R9: %llx\nReturn Address: %llx\n\n",
                context->mRcx, context->mRdx, context->mR8, context->mR9, origin_ret_addr);
        }
        context->mRax = 1;
        return TRUE;
        };
    try {
        GLOBAL_HOOK_MANAGER.add_hook(func.address, reinterpret_cast<ULONG64>(+lambda));
        LOG_INFO("Successfully hooked %s at %llx\r\n", func.function_name.c_str(), func.address);
    }
    catch (const std::exception& e) {
        LOG_INFO("Failed to hook %s: %s\r\n", func.function_name.c_str(), e.what());
    }
 
}
[smallzhong][ImageLoadCallback():22] ACEDriver.sys has been loaded!
[smallzhong][ImageLoadCallback():23] Image Base: FFFFF8044CFA0000
[smallzhong][ImageLoadCallback():24] Image Size: 12ce000
Function: ExAllocatePool
RCX: 200, RDX: 1a0, R8: fffff80445f331f0, R9: ffffbc84b35d2768
Return Address: fffff8044dfcac91
 
Function: NtQuerySystemInformation
RCX: b, RDX: ffffbc84b35d2650, R8: 0, R9: ffffbc84b35d2648
Return Address: fffff8044dd9062a
 
Function: ExAllocatePool
RCX: 200, RDX: 19710, R8: ffffbc84b35d2380, R9: ffffbc84b35d23e0
Return Address: fffff8044dd76230
 
Function: NtQuerySystemInformation
RCX: b, RDX: ffffd384234c5000, R8: 19710, R9: ffffbc84b35d2648
Return Address: fffff8044d7059a8
 
Function: ExFreePoolWithTag
RCX: ffffd384234c5000, RDX: 0, R8: fffff80445e00000, R9: fffff80445e313e0
Return Address: fffff8044dd8ce2a
 
Function: IoAllocateMdl
RCX: fffff8044cfa0000, RDX: 762537, R8: 0, R9: 0
Return Address: fffff8044e072507
 
Function: MmProbeAndLockPages
RCX: ffffd384233e2000, RDX: 0, R8: 1, R9: ffffbc84b35d2760
Return Address: fffff8044e0c65ef
 
Function: MmMapLockedPagesSpecifyCache
RCX: ffffd384233e2000, RDX: 0, R8: 1, R9: 0
Return Address: fffff8044e115827
 
Function: ExAllocatePool
RCX: 200, RDX: 3e6c, R8: ffffbc84b35d2768, R9: fffffff86df59f7a
Return Address: fffff8044df5b359
 
Function: ExFreePoolWithTag
RCX: ffffd38422dc8000, RDX: 0, R8: ffffbc84b35d2768, R9: 2
Return Address: fffff8044ddbd486
 
Function: NtQuerySystemInformation
RCX: b, RDX: ffffbc84b35d2650, R8: 0, R9: ffffbc84b35d2648
Return Address: fffff8044dd9062a
 
Function: ExAllocatePool
RCX: 200, RDX: 19710, R8: ffffbc84b35d2380, R9: ffffbc84b35d23e0
Return Address: fffff8044dd76230
 
Function: NtQuerySystemInformation
RCX: b, RDX: ffffd384234c5000, R8: 19710, R9: ffffbc84b35d2648
Return Address: fffff8044d7059a8
 
Function: ExFreePoolWithTag
RCX: ffffd384234c5000, RDX: 0, R8: fffff80445e00000, R9: fffff80445e313e0
Return Address: fffff8044dd8ce2a
 
Function: NtQuerySystemInformation
RCX: b, RDX: ffffbc84b35d2650, R8: 0, R9: ffffbc84b35d2648
Return Address: fffff8044dd9062a
 
Function: ExAllocatePool
RCX: 200, RDX: 19710, R8: ffffbc84b35d2380, R9: ffffbc84b35d23e0
Return Address: fffff8044dd76230
 
Function: NtQuerySystemInformation
RCX: b, RDX: ffffd384234c5000, R8: 19710, R9: ffffbc84b35d2648
Return Address: fffff8044d7059a8
 
Function: ExFreePoolWithTag
RCX: ffffd384234c5000, RDX: 0, R8: ffffbc84b35d266b, R9: ffffd384234c64d8
Return Address: fffff8044dd8ce2a
 
Function: KeSetSystemAffinityThread
RCX: 1, RDX: 8, R8: 0, R9: ffffbc84b35d2770
Return Address: fffff8044dea2bc1
 
Function: KeSetSystemAffinityThread
RCX: 2, RDX: 8, R8: 0, R9: ffffbc84b35d2770
Return Address: fffff8044dea2bc1
 
Function: KeSetSystemAffinityThread
RCX: 4, RDX: 8, R8: 0, R9: ffffbc84b35d2770
Return Address: fffff8044dea2bc1
 
Function: KeSetSystemAffinityThread
RCX: 8, RDX: 8, R8: 0, R9: ffffbc84b35d2770
Return Address: fffff8044dea2bc1
 
Function: KeRevertToUserAffinityThread
RCX: 0, RDX: 0, R8: ffffbc84b35d2778, R9: ffffffffe12f6b55
Return Address: fffff8044df61c67
 
Function: MmUnlockPages
RCX: ffffd384233e2000, RDX: 8, R8: 0, R9: ffffbc84b35d2660
Return Address: fffff8044df816ea
 
Function: IoFreeMdl
RCX: ffffd384233e2000, RDX: 8, R8: 542b35c7, R9: ffffbc84b35d2660
Return Address: fffff8044dfb0743
 
Function: RtlCopyUnicodeString
RCX: fffff8044d00b518, RDX: ffffd38423134000, R8: ffffbc84b35d1f60, R9: 10
Return Address: fffff8044cfade8c
 
Function: ExIsProcessorFeaturePresent
RCX: a, RDX: ffffd38423134000, R8: ffffffffffff3fff, R9: fffff8044cfb3210
Return Address: fffff8044cfae70b
 
Function: RtlGetVersion
RCX: ffffbc84b35d26f0, RDX: 7, R8: 2, R9: 1
Return Address: fffff8044cfae4d7
 
Function: MmGetSystemRoutineAddress
RCX: ffffbc84b35d26d8, RDX: 7, R8: 2, R9: 1
Return Address: fffff8044cfae4f7
 
Function: NtQuerySystemInformation
RCX: e3, RDX: ffffbc84b35d26d0, R8: 1, R9: 0
Return Address: fffff8044cfae516
 
Function: ZwOpenSection
RCX: ffffbc84b35d2800, RDX: 5, R8: ffffbc84b35d2770, R9: 0
Return Address: fffff8044cfadbf0
 
Function: ZwQuerySection
RCX: ffffffff80002b70, RDX: 1, R8: ffffbc84b35d27a0, R9: 40
Return Address: fffff8044cfadc27
 
Function: ObReferenceObjectByHandle
RCX: ffffffff80002b70, RDX: 5, R8: ffffd3841d2cfbc0, R9: 0
Return Address: fffff8044cfadc57
 
Function: MmMapViewInSystemSpace
RCX: ffffbe8a81ea2350, RDX: ffffbc84b35d2768, R8: ffffbc84b35d2760, R9: fffff80445e00000
Return Address: fffff8044cfadc6f
 
Function: MmUnmapViewInSystemSpace
RCX: fffff80442c00000, RDX: be8a80ec7f880400, R8: ffffbc84b35d24e0, R9: ffffbc84b35d2748
Return Address: fffff8044cfadc92
 
Function: ObfDereferenceObject
RCX: ffffbe8a81ea2350, RDX: ac, R8: ffffd3842323415a, R9: 2a
Return Address: fffff8044cfadca1
 
Function: ZwClose
RCX: ffffffff80002b70, RDX: ac, R8: ffffd3842323415a, R9: 2a
Return Address: fffff8044cfadcb0
 
Function: ExInitializeResourceLite
RCX: fffff8044d00b6e0, RDX: fffff8044d00b6e0, R8: ffffffff, R9: 7fffbe8a81ea2330
Return Address: fffff8044cfaebae
 
Function: ExInitializeNPagedLookasideList
RCX: fffff8044d00b100, RDX: 0, R8: 0, R9: 200
Return Address: fffff8044cfab60c
 
Function: RtlInitializeGenericTableAvl
RCX: fffff8044d00b180, RDX: fffff8044cfab460, R8: fffff8044cfab450, R9: fffff8044cfab480
Return Address: fffff8044cfab640
 
Function: PsGetCurrentThreadId
RCX: ffffbc84b35d27e0, RDX: 0, R8: 0, R9: 0
Return Address: fffff8044cfab658
 
Function: RtlInsertElementGenericTableAvl
RCX: fffff8044d00b180, RDX: ffffbc84b35d2760, R8: 90, R9: ffffbc84b35d2728
Return Address: fffff8044cfab4ba
 
Function: ExAllocatePoolWithTag
RCX: 200, RDX: b0, R8: 74726375, R9: ffffbc84b35d2728
Return Address: fffff8044cfab3ae
 
Function: ExInitializeResourceLite
RCX: fffff8044d00b5a0, RDX: fffff8044d00b5a0, R8: 0, R9: 0
Return Address: fffff8044cfaeafe
 
Function: ExInitializeResourceLite
RCX: fffff8044d00b608, RDX: fffff8044d00b5a0, R8: 8, R9: 0
Return Address: fffff8044cfaeafe
 
Function: ExInitializeResourceLite
RCX: fffff8044d00b670, RDX: fffff8044d00b5a0, R8: 0, R9: 0
Return Address: fffff8044cfaeafe
 
Function: ExInitializeNPagedLookasideList
RCX: fffff8044d00b200, RDX: 0, R8: 0, R9: 200
Return Address: fffff8044cfada88
 
Function: RtlInitializeGenericTableAvl
RCX: fffff8044d00b280, RDX: fffff8044cfad8c0, R8: fffff8044cfad8b0, R9: fffff8044cfad8e0
Return Address: fffff8044cfadabc
 
Function: PsGetCurrentThreadId
RCX: ffffbc84b35d27e8, RDX: 0, R8: 0, R9: 0
Return Address: fffff8044cfadad2
 
Function: RtlInsertElementGenericTableAvl
RCX: fffff8044d00b280, RDX: ffffbc84b35d27a0, R8: 48, R9: ffffbc84b35d2768
Return Address: fffff8044cfad946
 
Function: ExAllocatePoolWithTag
RCX: 200, RDX: 68, R8: 74726375, R9: ffffbc84b35d2768
Return Address: fffff8044cfab3ae
 
Function: ExAllocatePoolWithTag
RCX: 200, RDX: 1c0, R8: 74726375, R9: 0
Return Address: fffff8044cfad45f
 
Function: RtlGetVersion
RCX: ffffd3841de7b2bc, RDX: 11c, R8: 0, R9: fff
Return Address: fffff8044cfa8cc7
 
Function: ZwQuerySystemInformation
RCX: b, RDX: 0, R8: 0, R9: ffffbc84b35d27d8
Return Address: fffff8044d702066
 
Function: ExAllocatePoolWithTag
RCX: 0, RDX: cb88, R8: 6d6f646c, R9: ffffbc84b35d23c0
Return Address: fffff8044d70206c
 
Function: ZwQuerySystemInformation
RCX: b, RDX: ffffd38425606000, R8: cb88, R9: ffffbc84b35d27d8
Return Address: fffff8044d702074
 
Function: ExFreePoolWithTag
RCX: ffffd38425606000, RDX: 6d6f646c, R8: ffffbc84b35d2300, R9: ffffbc84b35d23c0
Return Address: fffff8044d702091
 
Function: ZwQuerySystemInformation
RCX: b, RDX: 0, R8: 0, R9: ffffbc84b35d27d8
Return Address: fffff8044d7020b9
 
Function: ExAllocatePoolWithTag
RCX: 0, RDX: cb88, R8: 6d6f646c, R9: ffffbc84b35d23c0
Return Address: fffff8044d7020bf
 
Function: ZwQuerySystemInformation
RCX: b, RDX: ffffd38425606000, R8: cb88, R9: ffffbc84b35d27d8
Return Address: fffff8044d7020c5
 
Function: ExFreePoolWithTag
RCX: ffffd38425606000, RDX: 6d6f646c, R8: ffffbc84b35d2300, R9: ffffbc84b35d23c0
Return Address: fffff8044d7020d2
 
Function: ExAllocatePoolWithTag
RCX: 1, RDX: 1000, R8: 35384245, R9: 0
Return Address: fffff8044d702252
 
Function: ExAllocatePoolWithTag
RCX: 200, RDX: 20, R8: 44533143, R9: 0
Return Address: fffff8044d701f98
 
Function: ExQueueWorkItem
RCX: ffffd38420034940, RDX: 1, R8: ffffd38420034940, R9: fff
Return Address: fffff8044d701fef
 
Function: KeDelayExecutionThread
RCX: 0, RDX: 0, R8: ffffbc84b35d2808, R9: 2f
Return Address: fffff8044d7009b1
 
Function: KeDelayExecutionThread
RCX: 0, RDX: 0, R8: ffffbc84b27f0b38, R9: 0
Return Address: fffff8044d7009b1
 
Function: ZwQuerySystemInformation
RCX: b, RDX: 0, R8: 0, R9: ffffbc84b27f0b38
Return Address: fffff8044d7009e2
 
Function: ExAllocatePoolWithTag
RCX: 0, RDX: cb88, R8: 6d6f646c, R9: ffffbc84b27f0720
Return Address: fffff8044d7009f4
 
Function: ZwQuerySystemInformation
RCX: b, RDX: ffffd38425606000, R8: cb88, R9: ffffbc84b27f0b38
Return Address: fffff8044d7009fa
 
Function: ExFreePoolWithTag
RCX: ffffd38425606000, RDX: 6d6f646c, R8: ffffbc84b27f0600, R9: ffffbc84b27f0720
Return Address: fffff8044d700a3f
 
[smallzhong][DriverMain::<lambda_2>::operator ()():111] Function: KdRefreshDebuggerNotPresent
RCX: fffff80446796028, RDX: 3bd, R8: fffff80446796000, R9: 188b5e66ecc8b28
Return Address: fffff8044d701634
 
Function: ExQueueWorkItem
RCX: ffffd38420034940, RDX: 1, R8: ffffd38420034940, R9: 188b5e66ecc8b28
Return Address: fffff8044d7016c0
 
Function: KeDelayExecutionThread
RCX: 0, RDX: 0, R8: ffffbc84b28c3af8, R9: 0
Return Address: fffff8044d7009b1
 
Function: ZwQuerySystemInformation
RCX: b, RDX: 0, R8: 0, R9: ffffbc84b28c3af8
Return Address: fffff8044d700a81
 
Function: ExAllocatePoolWithTag
RCX: 0, RDX: cb88, R8: 6d6f646c, R9: ffffbc84b28c36e0
Return Address: fffff8044d700a87
 
Function: ZwQuerySystemInformation
RCX: b, RDX: ffffd38425606000, R8: cb88, R9: ffffbc84b28c3af8
Return Address: fffff8044d700a8d
 
Function: ExFreePoolWithTag
RCX: ffffd38425606000, RDX: 6d6f646c, R8: ffffbc84b28c3600, R9: ffffbc84b28c36e0
Return Address: fffff8044d700b02
 
[smallzhong][DriverMain::<lambda_1>::operator ()():87] Function: KdDisableDebugger
RCX: fffff80446796028, RDX: 3b4, R8: fffff80446796000, R9: abb86a985761b61
Return Address: fffff8044d7018fd
 
Function: ZwQuerySystemInformation
RCX: b, RDX: 0, R8: 0, R9: ffffbc84b28c3af8
Return Address: fffff8044d700b37
 
Function: ExAllocatePoolWithTag
RCX: 0, RDX: cb88, R8: 6d6f646c, R9: ffffbc84b28c36e0
Return Address: fffff8044d700b3d
 
Function: ZwQuerySystemInformation
RCX: b, RDX: ffffd38425606000, R8: cb88, R9: ffffbc84b28c3af8
Return Address: fffff8044d700b43
 
Function: ExFreePoolWithTag
RCX: ffffd38425606000, RDX: 6d6f646c, R8: ffffbc84b28c3600, R9: ffffbc84b28c36e0
Return Address: fffff8044d700b87
 
Function: ZwProtectVirtualMemory
RCX: ffffffffffffffff, RDX: ffffbc84b28c3b80, R8: ffffbc84b28c3b78, R9: 40
Return Address: fffff8044d701b36
 
Function: ExQueueWorkItem
RCX: ffffd38420034940, RDX: 1, R8: ffffd38420034940, R9: 0
Return Address: fffff8044d701c02
 
Function: KeDelayExecutionThread
RCX: 0, RDX: 0, R8: ffffbc84b27f0b38, R9: 0
Return Address: fffff8044d7009b1
 
Function: ExQueueWorkItem
RCX: ffffd38420034940, RDX: 1, R8: ffffd38420034940, R9: fffff80445e00000
Return Address: fffff8044d701e86
 
Function: KeDelayExecutionThread
RCX: 0, RDX: 0, R8: ffffbc84b35fcaf8, R9: 0
Return Address: fffff8044d7009b1
 
Function: ZwQuerySystemInformation
RCX: b, RDX: 0, R8: 0, R9: ffffbc84b35fcaf8
Return Address: fffff8044d700a81
 
Function: ExAllocatePoolWithTag
RCX: 0, RDX: cb88, R8: 6d6f646c, R9: ffffbc84b35fc6e0
Return Address: fffff8044d700a87
 
Function: ZwQuerySystemInformation
RCX: b, RDX: ffffd38425606000, R8: cb88, R9: ffffbc84b35fcaf8
Return Address: fffff8044d700a8d
 
Function: ExFreePoolWithTag
RCX: ffffd38425606000, RDX: 6d6f646c, R8: ffffbc84b35fc600, R9: ffffbc84b35fc6e0
Return Address: fffff8044d700b02
 
[smallzhong][DriverMain::<lambda_1>::operator ()():87] Function: KdDisableDebugger
RCX: fffff80446796028, RDX: 3b4, R8: fffff80446796000, R9: abb86a985761b61
Return Address: fffff8044d7018fd
 
Function: ZwQuerySystemInformation
RCX: b, RDX: 0, R8: 0, R9: ffffbc84b35fcaf8
Return Address: fffff8044d700b37
 
Function: ExAllocatePoolWithTag
RCX: 0, RDX: cb88, R8: 6d6f646c, R9: ffffbc84b35fc6e0
Return Address: fffff8044d700b3d
 
Function: ZwQuerySystemInformation
RCX: b, RDX: ffffd38425606000, R8: cb88, R9: ffffbc84b35fcaf8
Return Address: fffff8044d700b43
 
Function: ExFreePoolWithTag
RCX: ffffd38425606000, RDX: 6d6f646c, R8: ffffbc84b35fc600, R9: ffffbc84b35fc6e0
Return Address: fffff8044d700b87
 
Function: ZwProtectVirtualMemory
RCX: ffffffffffffffff, RDX: ffffbc84b35fcb80, R8: ffffbc84b35fcb78, R9: 40
Return Address: fffff8044d701b36
 
Function: ExQueueWorkItem
RCX: ffffd38420034940, RDX: 1, R8: ffffd38420034940, R9: 0
Return Address: fffff8044d701c02
 
Function: KeDelayExecutionThread
RCX: 0, RDX: 0, R8: ffffbc84b350eb38, R9: 0
Return Address: fffff8044d7009b1
 
Function: ExQueueWorkItem
RCX: ffffd38420034940, RDX: 1, R8: ffffd38420034940, R9: fffff80445e00000
Return Address: fffff8044d701e86
 
Function: KeDelayExecutionThread
RCX: 0, RDX: 0, R8: ffffbc84b35fcaf8, R9: 0
Return Address: fffff8044d7009b1
 
Function: ZwQuerySystemInformation
RCX: b, RDX: 0, R8: 0, R9: ffffbc84b35fcaf8
Return Address: fffff8044d700a81
 
Function: ExAllocatePoolWithTag
RCX: 0, RDX: cb88, R8: 6d6f646c, R9: ffffbc84b35fc6e0
Return Address: fffff8044d700a87
 
Function: ZwQuerySystemInformation
RCX: b, RDX: ffffd38425606000, R8: cb88, R9: ffffbc84b35fcaf8
Return Address: fffff8044d700a8d
 
Function: ExFreePoolWithTag
RCX: ffffd38425606000, RDX: 6d6f646c, R8: ffffbc84b35fc600, R9: ffffbc84b35fc6e0
Return Address: fffff8044d700b02
 
[smallzhong][DriverMain::<lambda_1>::operator ()():87] Function: KdDisableDebugger
RCX: fffff80446796028, RDX: 3b4, R8: fffff80446796000, R9: abb86a985761b61
Return Address: fffff8044d7018fd
 
Function: ZwQuerySystemInformation
RCX: b, RDX: 0, R8: 0, R9: ffffbc84b35fcaf8
Return Address: fffff8044d700b37
 
Function: ExAllocatePoolWithTag
RCX: 0, RDX: cb88, R8: 6d6f646c, R9: ffffbc84b35fc6e0
Return Address: fffff8044d700b3d
 
Function: ZwQuerySystemInformation
RCX: b, RDX: ffffd38425606000, R8: cb88, R9: ffffbc84b35fcaf8
Return Address: fffff8044d700b43
 
Function: ExFreePoolWithTag
RCX: ffffd38425606000, RDX: 6d6f646c, R8: ffffbc84b35fc600, R9: ffffbc84b35fc6e0
Return Address: fffff8044d700b87
 
Function: ZwProtectVirtualMemory
RCX: ffffffffffffffff, RDX: ffffbc84b35fcb80, R8: ffffbc84b35fcb78, R9: 40
Return Address: fffff8044d701b36
 
Function: ExQueueWorkItem
RCX: ffffd38420034940, RDX: 1, R8: ffffd38420034940, R9: 0
Return Address: fffff8044d701c02
 
Function: KeDelayExecutionThread
RCX: 0, RDX: 0, R8: ffffbc84b350eb38, R9: 0
Return Address: fffff8044d7009b1
 
Function: ExQueueWorkItem
RCX: ffffd38420034940, RDX: 1, R8: ffffd38420034940, R9: fffff80445e00000
Return Address: fffff8044d701e86
 
Function: KeDelayExecutionThread
RCX: 0, RDX: 0, R8: ffffbc84b35fcaf8, R9: 0
Return Address: fffff8044d7009b1
 
Function: ZwQuerySystemInformation
RCX: b, RDX: 0, R8: 0, R9: ffffbc84b35fcaf8
Return Address: fffff8044d700a81
 
Function: ExAllocatePoolWithTag
RCX: 0, RDX: cb88, R8: 6d6f646c, R9: ffffbc84b35fc6e0
Return Address: fffff8044d700a87
 
Function: ZwQuerySystemInformation
RCX: b, RDX: ffffd38425606000, R8: cb88, R9: ffffbc84b35fcaf8
Return Address: fffff8044d700a8d
 
Function: ExFreePoolWithTag
RCX: ffffd38425606000, RDX: 6d6f646c, R8: ffffbc84b35fc600, R9: ffffbc84b35fc6e0
Return Address: fffff8044d700b02
 
[smallzhong][DriverMain::<lambda_1>::operator ()():87] Function: KdDisableDebugger
RCX: fffff80446796028, RDX: 3b4, R8: fffff80446796000, R9: abb86a985761b61
Return Address: fffff8044d7018fd
 
Function: ZwQuerySystemInformation
RCX: b, RDX: 0, R8: 0, R9: ffffbc84b35fcaf8
Return Address: fffff8044d700b37
 
Function: ExAllocatePoolWithTag
RCX: 0, RDX: cb88, R8: 6d6f646c, R9: ffffbc84b35fc6e0
Return Address: fffff8044d700b3d
 
Function: ZwQuerySystemInformation
RCX: b, RDX: ffffd38425606000, R8: cb88, R9: ffffbc84b35fcaf8
Return Address: fffff8044d700b43
 
Function: ExFreePoolWithTag
RCX: ffffd38425606000, RDX: 6d6f646c, R8: ffffbc84b35fc600, R9: ffffbc84b35fc6e0
Return Address: fffff8044d700b87
 
Function: ZwProtectVirtualMemory
RCX: ffffffffffffffff, RDX: ffffbc84b35fcb80, R8: ffffbc84b35fcb78, R9: 40
Return Address: fffff8044d701b36
 
Function: ExQueueWorkItem
RCX: ffffd38420034940, RDX: 1, R8: ffffd38420034940, R9: 0
Return Address: fffff8044d701c02
 
Function: KeDelayExecutionThread
RCX: 0, RDX: 0, R8: ffffbc84b27f0b38, R9: 0
Return Address: fffff8044d7009b1
 
Function: ExQueueWorkItem
RCX: ffffd38420034940, RDX: 1, R8: ffffd38420034940, R9: fffff80445e00000
Return Address: fffff8044d701e86
 
Function: KeDelayExecutionThread
RCX: 0, RDX: 0, R8: ffffbc84b35fcaf8, R9: 0
Return Address: fffff8044d7009b1
 
Function: ZwQuerySystemInformation
RCX: b, RDX: 0, R8: 0, R9: ffffbc84b35fcaf8
Return Address: fffff8044d700a81
 
Function: ExAllocatePoolWithTag
RCX: 0, RDX: cb88, R8: 6d6f646c, R9: ffffbc84b35fc6e0
Return Address: fffff8044d700a87
 
Function: ZwQuerySystemInformation
RCX: b, RDX: ffffd38425606000, R8: cb88, R9: ffffbc84b35fcaf8
Return Address: fffff8044d700a8d
 
Function: ExFreePoolWithTag
RCX: ffffd38425606000, RDX: 6d6f646c, R8: ffffbc84b35fc600, R9: ffffbc84b35fc6e0
Return Address: fffff8044d700b02
 
[smallzhong][DriverMain::<lambda_1>::operator ()():87] Function: KdDisableDebugger
RCX: fffff80446796028, RDX: 3b4, R8: fffff80446796000, R9: abb86a985761b61
Return Address: fffff8044d7018fd
 
Function: ZwQuerySystemInformation
RCX: b, RDX: 0, R8: 0, R9: ffffbc84b35fcaf8
Return Address: fffff8044d700b37
 
Function: ExAllocatePoolWithTag
RCX: 0, RDX: cb88, R8: 6d6f646c, R9: ffffbc84b35fc6e0
Return Address: fffff8044d700b3d
 
Function: ZwQuerySystemInformation
RCX: b, RDX: ffffd38425606000, R8: cb88, R9: ffffbc84b35fcaf8
Return Address: fffff8044d700b43
 
Function: ExFreePoolWithTag
RCX: ffffd38425606000, RDX: 6d6f646c, R8: ffffbc84b35fc600, R9: ffffbc84b35fc6e0
Return Address: fffff8044d700b87
 
Function: ZwProtectVirtualMemory
RCX: ffffffffffffffff, RDX: ffffbc84b35fcb80, R8: ffffbc84b35fcb78, R9: 40
Return Address: fffff8044d701b36
 
Function: ExQueueWorkItem
RCX: ffffd38420034940, RDX: 1, R8: ffffd38420034940, R9: 0
Return Address: fffff8044d701c02
 
Function: KeDelayExecutionThread
RCX: 0, RDX: 0, R8: ffffbc84b28c3b38, R9: 0
Return Address: fffff8044d7009b1
 
Function: ExQueueWorkItem
RCX: ffffd38420034940, RDX: 1, R8: ffffd38420034940, R9: fffff80445e00000
Return Address: fffff8044d701e86
 
Function: KeDelayExecutionThread
RCX: 0, RDX: 0, R8: ffffbc84b35fcaf8, R9: 0
Return Address: fffff8044d7009b1
 
Function: ZwQuerySystemInformation
RCX: b, RDX: 0, R8: 0, R9: ffffbc84b35fcaf8
Return Address: fffff8044d700a81
 
Function: ExAllocatePoolWithTag
RCX: 0, RDX: cb88, R8: 6d6f646c, R9: ffffbc84b35fc6e0
Return Address: fffff8044d700a87
 
Function: ZwQuerySystemInformation
RCX: b, RDX: ffffd38425606000, R8: cb88, R9: ffffbc84b35fcaf8
Return Address: fffff8044d700a8d
 
Function: ExFreePoolWithTag
RCX: ffffd38425606000, RDX: 6d6f646c, R8: ffffbc84b35fc600, R9: ffffbc84b35fc6e0
Return Address: fffff8044d700b02
 
[smallzhong][DriverMain::<lambda_1>::operator ()():87] Function: KdDisableDebugger
RCX: fffff80446796028, RDX: 3b4, R8: fffff80446796000, R9: abb86a985761b61
Return Address: fffff8044d7018fd
 
Function: ZwQuerySystemInformation
RCX: b, RDX: 0, R8: 0, R9: ffffbc84b35fcaf8
Return Address: fffff8044d700b37
 
Function: ExAllocatePoolWithTag
RCX: 0, RDX: cb88, R8: 6d6f646c, R9: ffffbc84b35fc6e0
Return Address: fffff8044d700b3d
 
Function: ZwQuerySystemInformation
RCX: b, RDX: ffffd38425606000, R8: cb88, R9: ffffbc84b35fcaf8
Return Address: fffff8044d700b43
 
Function: ExFreePoolWithTag
RCX: ffffd38425606000, RDX: 6d6f646c, R8: ffffbc84b35fc600, R9: ffffbc84b35fc6e0
Return Address: fffff8044d700b87
 
Function: ZwProtectVirtualMemory
RCX: ffffffffffffffff, RDX: ffffbc84b35fcb80, R8: ffffbc84b35fcb78, R9: 40
Return Address: fffff8044d701b36
 
Function: ExQueueWorkItem
RCX: ffffd38420034940, RDX: 1, R8: ffffd38420034940, R9: 0
Return Address: fffff8044d701c02
 
Function: KeDelayExecutionThread
RCX: 0, RDX: 0, R8: ffffbc84b28c3b38, R9: 0
Return Address: fffff8044d7009b1
 
Function: ExQueueWorkItem
RCX: ffffd38420034940, RDX: 1, R8: ffffd38420034940, R9: fffff80445e00000
Return Address: fffff8044d701e86
 
Function: KeDelayExecutionThread
RCX: 0, RDX: 0, R8: ffffbc84b27f0af8, R9: 0
Return Address: fffff8044d7009b1
 
Function: KeQueryActiveProcessorCount
RCX: 0, RDX: 0, R8: 0, R9: 0
Return Address: fffff8044d6ff80f
 
Function: ExAllocatePoolWithTag
RCX: 200, RDX: 9d4000, R8: 41316333, R9: 0
Return Address: fffff8044d6ff85c
 
Function: KeDelayExecutionThread
RCX: 0, RDX: 0, R8: ffffbc84b35d2808, R9: 689
Return Address: fffff8044d7009b1
 
Function: ZwQuerySystemInformation
RCX: b, RDX: 0, R8: 0, R9: ffffbc84b27f0af8
Return Address: fffff8044d700a81
 
Function: ExAllocatePoolWithTag
RCX: 0, RDX: cb88, R8: 6d6f646c, R9: ffffbc84b27f06e0
Return Address: fffff8044d700a87
 
Function: ZwQuerySystemInformation
RCX: b, RDX: ffffd38425606000, R8: cb88, R9: ffffbc84b27f0af8
Return Address: fffff8044d700a8d
 
Function: ExFreePoolWithTag
RCX: ffffd38425606000, RDX: 6d6f646c, R8: ffffbc84b27f0600, R9: ffffbc84b27f06e0
Return Address: fffff8044d700b02
 
[smallzhong][DriverMain::<lambda_1>::operator ()():87] Function: KdDisableDebugger
RCX: fffff80446796028, RDX: 3b4, R8: fffff80446796000, R9: abb86a985761b61
Return Address: fffff8044d7018fd
 
Function: ZwQuerySystemInformation
RCX: b, RDX: 0, R8: 0, R9: ffffbc84b27f0af8
Return Address: fffff8044d700b37
 
Function: ExAllocatePoolWithTag
RCX: 0, RDX: cb88, R8: 6d6f646c, R9: ffffbc84b27f06e0
Return Address: fffff8044d700b3d
 
Function: ZwQuerySystemInformation
RCX: b, RDX: ffffd38425606000, R8: cb88, R9: ffffbc84b27f0af8
Return Address: fffff8044d700b43
 
Function: ExFreePoolWithTag
RCX: ffffd38425606000, RDX: 6d6f646c, R8: ffffbc84b27f0600, R9: ffffbc84b27f06e0
Return Address: fffff8044d700b87
 
Function: ZwProtectVirtualMemory
RCX: ffffffffffffffff, RDX: ffffbc84b27f0b80, R8: ffffbc84b27f0b78, R9: 40
Return Address: fffff8044d701b36
 
Function: ExQueueWorkItem
RCX: ffffd38420034940, RDX: 1, R8: ffffd38420034940, R9: 0
Return Address: fffff8044d701c02
 
Function: ExFreePoolWithTag
RCX: ffffd38420034940, RDX: 44533143, R8: 20, R9: 0
Return Address: fffff8044d701e86
 
Function: ExFreePoolWithTag
RCX: ffffbe8a89381000, RDX: 35384245, R8: ffffd3841d269040, R9: fffff80445e00000
Return Address: fffff8044d701f3d
 
Function: ExFreePoolWithTag
RCX: ffffd3841de7b290, RDX: 74726375, R8: ffffbc84b35d26b8, R9: ffffffff
Return Address: fffff8044cfad885
 
Function: ExEnterCriticalRegionAndAcquireResourceExclusive
RCX: fffff8044d00b5a0, RDX: ffffbc84b35d2840, R8: ffffbc84b35d2848, R9: ffffbc84b35d2878
Return Address: fffff8044cfae5ac
 
Function: ExEnterCriticalRegionAndAcquireResourceExclusive
RCX: fffff8044d00b5a0, RDX: ffffbc84b35d27c8, R8: ffffbc84b35d2790, R9: ffffbc84b35d27c0
Return Address: fffff8044cfae895
 
Function: ExReleaseResourceAndLeaveCriticalRegion
RCX: fffff8044d00b5a0, RDX: fffff8044d00b568, R8: 641e7b808835, R9: ffffbc84b35d27c0
Return Address: fffff8044cfae9c2
 
Function: ExReleaseResourceAndLeaveCriticalRegion
RCX: fffff8044d00b5a0, RDX: fffff8044cfb0240, R8: ffffbc84b35d26d0, R9: ffffbc84b35d27c0
Return Address: fffff8044cfae5bd
 
Function: RtlGetElementGenericTableAvl
RCX: fffff8044d00b280, RDX: 0, R8: ffffbc84b35d27c0, R9: ffffbc84b35d27c0
Return Address: fffff8044cfadb45
 
Function: RtlDeleteElementGenericTableAvl
RCX: fffff8044d00b280, RDX: ffffd384232486b0, R8: 0, R9: 0
Return Address: fffff8044cfadb36
 
Function: RtlGetElementGenericTableAvl
RCX: fffff8044d00b280, RDX: 0, R8: 0, R9: 0
Return Address: fffff8044cfadb45
 
Function: ExDeleteNPagedLookasideList
RCX: fffff8044d00b200, RDX: 0, R8: 0, R9: 0
Return Address: fffff8044cfadb57
 
Function: ExDeleteResourceLite
RCX: fffff8044d00b670, RDX: 8f, R8: ffffd3842323415a, R9: 2a
Return Address: fffff8044cfaeb66
 
Function: ExDeleteResourceLite
RCX: fffff8044d00b608, RDX: 0, R8: ffffd3842323415a, R9: 2a
Return Address: fffff8044cfaeb66
 
Function: ExDeleteResourceLite
RCX: fffff8044d00b5a0, RDX: 0, R8: ffffd3842323415a, R9: 2a
Return Address: fffff8044cfaeb66
 
Function: RtlGetElementGenericTableAvl
RCX: fffff8044d00b180, RDX: 0, R8: ffffd3842323415a, R9: 2a
Return Address: fffff8044cfab6c9
 
Function: RtlDeleteElementGenericTableAvl
RCX: fffff8044d00b180, RDX: ffffd38422954f40, R8: 0, R9: 0
Return Address: fffff8044cfab6ba
 
Function: RtlGetElementGenericTableAvl
RCX: fffff8044d00b180, RDX: 0, R8: 0, R9: 0
Return Address: fffff8044cfab6c9
 
Function: ExDeleteNPagedLookasideList
RCX: fffff8044d00b100, RDX: 0, R8: 0, R9: 0
Return Address: fffff8044cfab6db
 
Function: ExDeleteResourceLite
RCX: fffff8044d00b6e0, RDX: 27, R8: ffffd384229431ac, R9: 24
Return Address: fffff8044cfaebf6
 
Function: DbgPrintEx
RCX: 4d, RDX: 0, R8: fffff8044cfb0840, R9: c0000001
Return Address: fffff8044cfadf0c
 
DriverEntry failed 0xc0000001 for driver \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ACEDriver
Function: ExFreePoolWithTag
RCX: ffffd38422ef9e00, RDX: 0, R8: 140d712a4, R9: 2
Return Address: fffff8044e053193
[smallzhong][ImageLoadCallback():22] ACEDriver.sys has been loaded!
[smallzhong][ImageLoadCallback():23] Image Base: FFFFF8044CFA0000
[smallzhong][ImageLoadCallback():24] Image Size: 12ce000
Function: ExAllocatePool
RCX: 200, RDX: 1a0, R8: fffff80445f331f0, R9: ffffbc84b35d2768
Return Address: fffff8044dfcac91
 
Function: NtQuerySystemInformation
RCX: b, RDX: ffffbc84b35d2650, R8: 0, R9: ffffbc84b35d2648
Return Address: fffff8044dd9062a
 
Function: ExAllocatePool
RCX: 200, RDX: 19710, R8: ffffbc84b35d2380, R9: ffffbc84b35d23e0
Return Address: fffff8044dd76230
 
Function: NtQuerySystemInformation
RCX: b, RDX: ffffd384234c5000, R8: 19710, R9: ffffbc84b35d2648
Return Address: fffff8044d7059a8
 
Function: ExFreePoolWithTag
RCX: ffffd384234c5000, RDX: 0, R8: fffff80445e00000, R9: fffff80445e313e0
Return Address: fffff8044dd8ce2a
 
Function: IoAllocateMdl
RCX: fffff8044cfa0000, RDX: 762537, R8: 0, R9: 0
Return Address: fffff8044e072507
 
Function: MmProbeAndLockPages
RCX: ffffd384233e2000, RDX: 0, R8: 1, R9: ffffbc84b35d2760
Return Address: fffff8044e0c65ef
 
Function: MmMapLockedPagesSpecifyCache
RCX: ffffd384233e2000, RDX: 0, R8: 1, R9: 0
Return Address: fffff8044e115827
 
Function: ExAllocatePool
RCX: 200, RDX: 3e6c, R8: ffffbc84b35d2768, R9: fffffff86df59f7a
Return Address: fffff8044df5b359
 
Function: ExFreePoolWithTag
RCX: ffffd38422dc8000, RDX: 0, R8: ffffbc84b35d2768, R9: 2
Return Address: fffff8044ddbd486
 
Function: NtQuerySystemInformation
RCX: b, RDX: ffffbc84b35d2650, R8: 0, R9: ffffbc84b35d2648
Return Address: fffff8044dd9062a
 
Function: ExAllocatePool
RCX: 200, RDX: 19710, R8: ffffbc84b35d2380, R9: ffffbc84b35d23e0
Return Address: fffff8044dd76230
 
Function: NtQuerySystemInformation
RCX: b, RDX: ffffd384234c5000, R8: 19710, R9: ffffbc84b35d2648
Return Address: fffff8044d7059a8
 
Function: ExFreePoolWithTag
RCX: ffffd384234c5000, RDX: 0, R8: fffff80445e00000, R9: fffff80445e313e0
Return Address: fffff8044dd8ce2a
 
Function: NtQuerySystemInformation
RCX: b, RDX: ffffbc84b35d2650, R8: 0, R9: ffffbc84b35d2648
Return Address: fffff8044dd9062a
 
Function: ExAllocatePool
RCX: 200, RDX: 19710, R8: ffffbc84b35d2380, R9: ffffbc84b35d23e0
Return Address: fffff8044dd76230
 
Function: NtQuerySystemInformation
RCX: b, RDX: ffffd384234c5000, R8: 19710, R9: ffffbc84b35d2648
Return Address: fffff8044d7059a8
 
Function: ExFreePoolWithTag
RCX: ffffd384234c5000, RDX: 0, R8: ffffbc84b35d266b, R9: ffffd384234c64d8
Return Address: fffff8044dd8ce2a
 
Function: KeSetSystemAffinityThread
RCX: 1, RDX: 8, R8: 0, R9: ffffbc84b35d2770
Return Address: fffff8044dea2bc1
 
Function: KeSetSystemAffinityThread
RCX: 2, RDX: 8, R8: 0, R9: ffffbc84b35d2770
Return Address: fffff8044dea2bc1
 
Function: KeSetSystemAffinityThread
RCX: 4, RDX: 8, R8: 0, R9: ffffbc84b35d2770
Return Address: fffff8044dea2bc1
 
Function: KeSetSystemAffinityThread
RCX: 8, RDX: 8, R8: 0, R9: ffffbc84b35d2770
Return Address: fffff8044dea2bc1
 
Function: KeRevertToUserAffinityThread
RCX: 0, RDX: 0, R8: ffffbc84b35d2778, R9: ffffffffe12f6b55
Return Address: fffff8044df61c67
 
Function: MmUnlockPages
RCX: ffffd384233e2000, RDX: 8, R8: 0, R9: ffffbc84b35d2660
Return Address: fffff8044df816ea
 
Function: IoFreeMdl
RCX: ffffd384233e2000, RDX: 8, R8: 542b35c7, R9: ffffbc84b35d2660
Return Address: fffff8044dfb0743
 
Function: RtlCopyUnicodeString
RCX: fffff8044d00b518, RDX: ffffd38423134000, R8: ffffbc84b35d1f60, R9: 10
Return Address: fffff8044cfade8c
 
Function: ExIsProcessorFeaturePresent
RCX: a, RDX: ffffd38423134000, R8: ffffffffffff3fff, R9: fffff8044cfb3210
Return Address: fffff8044cfae70b
 
Function: RtlGetVersion
RCX: ffffbc84b35d26f0, RDX: 7, R8: 2, R9: 1
Return Address: fffff8044cfae4d7
 
Function: MmGetSystemRoutineAddress
RCX: ffffbc84b35d26d8, RDX: 7, R8: 2, R9: 1
Return Address: fffff8044cfae4f7
 
Function: NtQuerySystemInformation
RCX: e3, RDX: ffffbc84b35d26d0, R8: 1, R9: 0
Return Address: fffff8044cfae516
 
Function: ZwOpenSection
RCX: ffffbc84b35d2800, RDX: 5, R8: ffffbc84b35d2770, R9: 0
Return Address: fffff8044cfadbf0
 
Function: ZwQuerySection
RCX: ffffffff80002b70, RDX: 1, R8: ffffbc84b35d27a0, R9: 40
Return Address: fffff8044cfadc27
 
Function: ObReferenceObjectByHandle
RCX: ffffffff80002b70, RDX: 5, R8: ffffd3841d2cfbc0, R9: 0
Return Address: fffff8044cfadc57
 
Function: MmMapViewInSystemSpace
RCX: ffffbe8a81ea2350, RDX: ffffbc84b35d2768, R8: ffffbc84b35d2760, R9: fffff80445e00000
Return Address: fffff8044cfadc6f
 
Function: MmUnmapViewInSystemSpace
RCX: fffff80442c00000, RDX: be8a80ec7f880400, R8: ffffbc84b35d24e0, R9: ffffbc84b35d2748
Return Address: fffff8044cfadc92
 
Function: ObfDereferenceObject
RCX: ffffbe8a81ea2350, RDX: ac, R8: ffffd3842323415a, R9: 2a
Return Address: fffff8044cfadca1
 
Function: ZwClose
RCX: ffffffff80002b70, RDX: ac, R8: ffffd3842323415a, R9: 2a
Return Address: fffff8044cfadcb0
 
Function: ExInitializeResourceLite
RCX: fffff8044d00b6e0, RDX: fffff8044d00b6e0, R8: ffffffff, R9: 7fffbe8a81ea2330
Return Address: fffff8044cfaebae
 
Function: ExInitializeNPagedLookasideList
RCX: fffff8044d00b100, RDX: 0, R8: 0, R9: 200
Return Address: fffff8044cfab60c
 
Function: RtlInitializeGenericTableAvl
RCX: fffff8044d00b180, RDX: fffff8044cfab460, R8: fffff8044cfab450, R9: fffff8044cfab480
Return Address: fffff8044cfab640
 
Function: PsGetCurrentThreadId
RCX: ffffbc84b35d27e0, RDX: 0, R8: 0, R9: 0
Return Address: fffff8044cfab658
 
Function: RtlInsertElementGenericTableAvl
RCX: fffff8044d00b180, RDX: ffffbc84b35d2760, R8: 90, R9: ffffbc84b35d2728
Return Address: fffff8044cfab4ba
 
Function: ExAllocatePoolWithTag
RCX: 200, RDX: b0, R8: 74726375, R9: ffffbc84b35d2728
Return Address: fffff8044cfab3ae

		
								
				
				登录后可查看完整内容
			
			
				
	

传播安全知识、拓宽行业人脉——看雪讲师团队等你加入！

		最后于  2025-6-3 09:35		
				被smallzhong_编辑
				
		，原因： 		
	

		#调试逆向
		#系统底层
		#软件保护
	

收藏・56

免费・13

支持

最新回复 (22)
啊你好哇123 雪币： 179 能力值： ( LV1，RANK：0 ) 在线值：发帖 0 回帖 187 粉丝 0 关注私信	啊你好哇123 2 楼大佬问下这个不需要过pg吗？ 2025-4-28 00:38 0
龟仙人雪币： 551 能力值： ( LV1，RANK：0 ) 在线值：发帖 0 回帖 39 粉丝 1 关注私信	龟仙人 3 楼太强了,钟师傅太强了!!! 2025-4-28 01:38 0
Oday小斯雪币： 143 活跃值： (3526) 能力值： ( LV3，RANK：20 ) 在线值：发帖 3 回帖 158 粉丝 6 关注私信	Oday小斯 4 楼感谢分享 2025-4-28 09:16 0
青丝梦雪币： 1553 活跃值： (3702) 能力值： ( LV5，RANK：60 ) 在线值：发帖 9 回帖 162 粉丝 25 关注私信	青丝梦 1 5 楼钟师傅别写代码，上钟了 2025-4-28 09:42 0
TkBinary 雪币： 2805 活跃值： (12062) 能力值： (RANK：385 ) 在线值：发帖 25 回帖 478 粉丝 240 关注私信	TkBinary 5 6 楼感谢分享,用过c++ stl库.之前还提过issue win7x64下不支持. 也很快更新了. 自用可以.发布的话过verifier过不了. 慎用. 不过一般来说没啥问题. 2025-4-28 09:54 0
smallzhong_ 雪币： 3595 活跃值： (6301) 能力值： ( LV5，RANK：65 ) 在线值：发帖 10 回帖 78 粉丝 165 关注私信	smallzhong_ 7 楼 yazigegeda 大佬问下这个不需要过pg吗？需要，开测试模式就行，或者可以自己用EPThook把hook_by_addr包一层，就不用管PG了 2025-4-28 10:28 0
smallzhong_ 雪币： 3595 活跃值： (6301) 能力值： ( LV5，RANK：65 ) 在线值：发帖 10 回帖 78 粉丝 165 关注私信	smallzhong_ 8 楼龟仙人太强了,钟师傅太强了!!! 谢谢哥哥捧场 2025-4-28 10:29 0
smallzhong_ 雪币： 3595 活跃值： (6301) 能力值： ( LV5，RANK：65 ) 在线值：发帖 10 回帖 78 粉丝 165 关注私信	smallzhong_ 9 楼青丝梦钟师傅别写代码，上钟了好的老板，上三楼 2025-4-28 10:30 0
淡然他徒弟雪币： 5191 活跃值： (6048) 能力值： ( LV10，RANK：160 ) 在线值：发帖 23 回帖 260 粉丝 118 关注私信	淡然他徒弟 1 10 楼 mark 2025-4-28 10:41 0
wx_御史神风雪币： 6367 活跃值： (6005) 能力值： ( LV9，RANK：143 ) 在线值：发帖 16 回帖 33 粉丝 74 关注私信	wx_御史神风 1 11 楼顶 2025-4-28 12:10 0
smallzhong_ 雪币： 3595 活跃值： (6301) 能力值： ( LV5，RANK：65 ) 在线值：发帖 10 回帖 78 粉丝 165 关注私信	smallzhong_ 12 楼 wx_御史神风顶谢谢哥哥 2025-4-28 14:13 0
Roger 雪币： 4560 活跃值： (4144) 能力值： ( LV8，RANK：147 ) 在线值：发帖 6 回帖 108 粉丝 118 关注私信	Roger 1 13 楼 mark 2025-4-28 14:35 0
piaoyi587 雪币： 4730 活跃值： (6033) 能力值： ( LV2，RANK：10 ) 在线值：发帖 3 回帖 201 粉丝 8 关注私信	piaoyi587 14 楼感谢分享 2025-4-28 14:51 0
Foodie 雪币： 4753 活跃值： (2972) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 23 粉丝 3 关注私信	Foodie 15 楼 TkBinary 感谢分享,用过c++ stl库.之前还提过issue win7x64下不支持. 也很快更新了. 自用可以.发布的话过verifier过不了. 慎用. 不过一般来说没啥问题. 跑verifier需要取消勾选“低资源模拟”，不然分配内存都会失败，然后就会触发new的异常了。除非你每个new都用了 std::nothrow 或者 catch 异常。 2025-4-28 17:19 0
TkBinary 雪币： 2805 活跃值： (12062) 能力值： (RANK：385 ) 在线值：发帖 25 回帖 478 粉丝 240 关注私信	TkBinary 5 16 楼 Foodie 跑verifier需要取消勾选“低资源模拟”，不然分配内存都会失败，然后就会触发new的异常了。除非你每个new都用了 std::nothrow 或者 catch 异常。确实是.但这一项在不能去掉的前提下.还是不建议用了.用纯C吧.或者c with class这种. 我说的量级是千万级别-亿级别这个级别的哈. 其它还是建议用.人生苦短.我用stl 2025-4-28 19:03 0
鬼才zxy 雪币： 5318 活跃值： (3640) 能力值： ( LV7，RANK：117 ) 在线值：发帖 18 回帖 70 粉丝 153 关注私信	鬼才zxy 2 17 楼钟师傅太强了!!! 2025-4-28 21:21 0
smallzhong_ 雪币： 3595 活跃值： (6301) 能力值： ( LV5，RANK：65 ) 在线值：发帖 10 回帖 78 粉丝 165 关注私信	smallzhong_ 18 楼鬼才zxy 钟师傅太强了!!! 谢谢鬼哥捧场 2025-4-28 21:26 0
罗小墨雪币： 133 活跃值： (933) 能力值： ( LV2，RANK：10 ) 在线值：发帖 2 回帖 76 粉丝 1 关注私信	罗小墨 19 楼 666666，支持支持 2025-4-30 13:59 0
wem 雪币： 485 活跃值： (3463) 能力值： ( LV2，RANK：10 ) 在线值：发帖 87 回帖 244 粉丝 3 关注私信	wem 20 楼 888888支持支持 2025-5-2 19:19 0
smallzhong_ 雪币： 3595 活跃值： (6301) 能力值： ( LV5，RANK：65 ) 在线值：发帖 10 回帖 78 粉丝 165 关注私信	smallzhong_ 21 楼六位数找免杀找大牛，做无感加载驱动，过370免杀！重金拜师学艺！！懂的私信！哥你连个联系方式都不留，被坛主ban了都没人找得到你（bushi 2025-5-6 22:35 0
smallzhong_ 雪币： 3595 活跃值： (6301) 能力值： ( LV5，RANK：65 ) 在线值：发帖 10 回帖 78 粉丝 165 关注私信	smallzhong_ 22 楼 2025.6.3更新：detourX对相对地址的修复问题已经在 165K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6Y4K9i4c8Z5N6h3u0Q4x3X3g2U0L8$3#2Q4x3V1k6y4K9i4u0G2d9$3q4C8N6g2)9J5c8V1c8W2N6r3!0#2M7Y4y4j5i4K6u0r3j5$3!0E0L8h3W2@1i4K6u0r3j5U0t1@1y4U0k6X3x3r3g2W2x3U0N6X3k6o6k6U0x3h3g2U0z5r3t1&6y4r3u0S2y4X3x3&6x3r3t1&6k6o6t1%4j5X3p5@1j5U0p5%4j5W2)9J5y4X3&6T1M7%4m8Q4x3@1u0U0L8$3#2E0K9i4c8Q4c8e0c8Q4b7U0S2Q4b7f1c8Q4c8e0S2Q4b7e0u0Q4b7f1u0Q4c8e0c8Q4b7V1k6Q4b7f1g2Q4c8e0g2Q4b7e0c8Q4z5p5c8Q4c8f1k6Q4b7V1y4Q4z5p5y4Q4c8e0c8Q4b7V1c8Q4b7V1k6Q4c8e0N6Q4z5e0c8Q4b7e0S2Q4c8e0c8Q4b7V1q4Q4z5o6k6Q4x3U0k6F1j5Y4y4H3i4K6y4n7i4K6j5H3y4o6S2Q4x3U0k6F1j5Y4y4H3i4K6y4n7j5U0S2Q4x3U0k6F1j5Y4y4H3i4K6y4n7d9f1#2y4y4U0c8Q4c8f1k6Q4b7V1y4Q4z5o6S2y4e0#2k6Q4x3U0k6F1j5Y4y4H3i4K6y4n7f1V1q4j5i4K6u0o6i4K6t1$3L8X3u0K6M7q4)9K6b7V1W2y4e0e0j5@1i4@1g2r3i4@1u0o6i4K6R3&6i4K6j5H3i4K6t1$3L8X3u0K6M7q4)9K6b7W2!0q4y4q4!0n7z5g2)9^5b7W2!0q4y4g2)9&6x3q4)9^5c8g2)9J5y4X3&6T1M7%4m8Q4x3@1u0Q4y4U0m8r3c8V1b7H3i4K6t1^5b7@1q4x3e0q4)9J5y4X3&6T1M7%4m8Q4x3@1u0d9b7g2S2Q4x3U0W2Q4y4U0m8Q4x3U0k6F1j5Y4y4H3i4K6y4n7i4@1f1%4i4K6W2m8i4K6R3@1i4@1f1$3i4K6V1$3i4@1t1&6i4@1f1$3i4@1t1K6i4K6V1#2i4@1f1K6i4K6R3H3i4K6R3J5 2025-6-3 09:37 0
mb_qsxhpjqp 雪币： 186 活跃值： (115) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 3 粉丝 0 关注私信	mb_qsxhpjqp 23 楼你好私我一下，有个需求 2025-11-14 22:16 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

smallzhong_

发帖

回帖

RANK

关注

私信

他的文章

关于我们

联系我们

企业服务

看雪公众号

最新回复 (22)
啊你好哇123 雪币： 179 能力值： ( LV1，RANK：0 ) 在线值：发帖 0 回帖 187 粉丝 0 关注私信	啊你好哇123 2 楼大佬问下这个不需要过pg吗？ 2025-4-28 00:38 0
龟仙人雪币： 551 能力值： ( LV1，RANK：0 ) 在线值：发帖 0 回帖 39 粉丝 1 关注私信	龟仙人 3 楼太强了,钟师傅太强了!!! 2025-4-28 01:38 0
Oday小斯雪币： 143 活跃值： (3526) 能力值： ( LV3，RANK：20 ) 在线值：发帖 3 回帖 158 粉丝 6 关注私信	Oday小斯 4 楼感谢分享 2025-4-28 09:16 0
青丝梦雪币： 1553 活跃值： (3702) 能力值： ( LV5，RANK：60 ) 在线值：发帖 9 回帖 162 粉丝 25 关注私信	青丝梦 1 5 楼钟师傅别写代码，上钟了 2025-4-28 09:42 0
TkBinary 雪币： 2805 活跃值： (12062) 能力值： (RANK：385 ) 在线值：发帖 25 回帖 478 粉丝 240 关注私信	TkBinary 5 6 楼感谢分享,用过c++ stl库.之前还提过issue win7x64下不支持. 也很快更新了. 自用可以.发布的话过verifier过不了. 慎用. 不过一般来说没啥问题. 2025-4-28 09:54 0
smallzhong_ 雪币： 3595 活跃值： (6301) 能力值： ( LV5，RANK：65 ) 在线值：发帖 10 回帖 78 粉丝 165 关注私信	smallzhong_ 7 楼 yazigegeda 大佬问下这个不需要过pg吗？需要，开测试模式就行，或者可以自己用EPThook把hook_by_addr包一层，就不用管PG了 2025-4-28 10:28 0
smallzhong_ 雪币： 3595 活跃值： (6301) 能力值： ( LV5，RANK：65 ) 在线值：发帖 10 回帖 78 粉丝 165 关注私信	smallzhong_ 8 楼龟仙人太强了,钟师傅太强了!!! 谢谢哥哥捧场 2025-4-28 10:29 0
smallzhong_ 雪币： 3595 活跃值： (6301) 能力值： ( LV5，RANK：65 ) 在线值：发帖 10 回帖 78 粉丝 165 关注私信	smallzhong_ 9 楼青丝梦钟师傅别写代码，上钟了好的老板，上三楼 2025-4-28 10:30 0
淡然他徒弟雪币： 5191 活跃值： (6048) 能力值： ( LV10，RANK：160 ) 在线值：发帖 23 回帖 260 粉丝 118 关注私信	淡然他徒弟 1 10 楼 mark 2025-4-28 10:41 0
wx_御史神风雪币： 6367 活跃值： (6005) 能力值： ( LV9，RANK：143 ) 在线值：发帖 16 回帖 33 粉丝 74 关注私信	wx_御史神风 1 11 楼顶 2025-4-28 12:10 0
smallzhong_ 雪币： 3595 活跃值： (6301) 能力值： ( LV5，RANK：65 ) 在线值：发帖 10 回帖 78 粉丝 165 关注私信	smallzhong_ 12 楼 wx_御史神风顶谢谢哥哥 2025-4-28 14:13 0
Roger 雪币： 4560 活跃值： (4144) 能力值： ( LV8，RANK：147 ) 在线值：发帖 6 回帖 108 粉丝 118 关注私信	Roger 1 13 楼 mark 2025-4-28 14:35 0
piaoyi587 雪币： 4730 活跃值： (6033) 能力值： ( LV2，RANK：10 ) 在线值：发帖 3 回帖 201 粉丝 8 关注私信	piaoyi587 14 楼感谢分享 2025-4-28 14:51 0
Foodie 雪币： 4753 活跃值： (2972) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 23 粉丝 3 关注私信	Foodie 15 楼 TkBinary 感谢分享,用过c++ stl库.之前还提过issue win7x64下不支持. 也很快更新了. 自用可以.发布的话过verifier过不了. 慎用. 不过一般来说没啥问题. 跑verifier需要取消勾选“低资源模拟”，不然分配内存都会失败，然后就会触发new的异常了。除非你每个new都用了 std::nothrow 或者 catch 异常。 2025-4-28 17:19 0
TkBinary 雪币： 2805 活跃值： (12062) 能力值： (RANK：385 ) 在线值：发帖 25 回帖 478 粉丝 240 关注私信	TkBinary 5 16 楼 Foodie 跑verifier需要取消勾选“低资源模拟”，不然分配内存都会失败，然后就会触发new的异常了。除非你每个new都用了 std::nothrow 或者 catch 异常。确实是.但这一项在不能去掉的前提下.还是不建议用了.用纯C吧.或者c with class这种. 我说的量级是千万级别-亿级别这个级别的哈. 其它还是建议用.人生苦短.我用stl 2025-4-28 19:03 0
鬼才zxy 雪币： 5318 活跃值： (3640) 能力值： ( LV7，RANK：117 ) 在线值：发帖 18 回帖 70 粉丝 153 关注私信	鬼才zxy 2 17 楼钟师傅太强了!!! 2025-4-28 21:21 0
smallzhong_ 雪币： 3595 活跃值： (6301) 能力值： ( LV5，RANK：65 ) 在线值：发帖 10 回帖 78 粉丝 165 关注私信	smallzhong_ 18 楼鬼才zxy 钟师傅太强了!!! 谢谢鬼哥捧场 2025-4-28 21:26 0
罗小墨雪币： 133 活跃值： (933) 能力值： ( LV2，RANK：10 ) 在线值：发帖 2 回帖 76 粉丝 1 关注私信	罗小墨 19 楼 666666，支持支持 2025-4-30 13:59 0
wem 雪币： 485 活跃值： (3463) 能力值： ( LV2，RANK：10 ) 在线值：发帖 87 回帖 244 粉丝 3 关注私信	wem 20 楼 888888支持支持 2025-5-2 19:19 0
smallzhong_ 雪币： 3595 活跃值： (6301) 能力值： ( LV5，RANK：65 ) 在线值：发帖 10 回帖 78 粉丝 165 关注私信	smallzhong_ 21 楼六位数找免杀找大牛，做无感加载驱动，过370免杀！重金拜师学艺！！懂的私信！哥你连个联系方式都不留，被坛主ban了都没人找得到你（bushi 2025-5-6 22:35 0
smallzhong_ 雪币： 3595 活跃值： (6301) 能力值： ( LV5，RANK：65 ) 在线值：发帖 10 回帖 78 粉丝 165 关注私信	smallzhong_ 22 楼 2025.6.3更新：detourX对相对地址的修复问题已经在 165K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6Y4K9i4c8Z5N6h3u0Q4x3X3g2U0L8$3#2Q4x3V1k6y4K9i4u0G2d9$3q4C8N6g2)9J5c8V1c8W2N6r3!0#2M7Y4y4j5i4K6u0r3j5$3!0E0L8h3W2@1i4K6u0r3j5U0t1@1y4U0k6X3x3r3g2W2x3U0N6X3k6o6k6U0x3h3g2U0z5r3t1&6y4r3u0S2y4X3x3&6x3r3t1&6k6o6t1%4j5X3p5@1j5U0p5%4j5W2)9J5y4X3&6T1M7%4m8Q4x3@1u0U0L8$3#2E0K9i4c8Q4c8e0c8Q4b7U0S2Q4b7f1c8Q4c8e0S2Q4b7e0u0Q4b7f1u0Q4c8e0c8Q4b7V1k6Q4b7f1g2Q4c8e0g2Q4b7e0c8Q4z5p5c8Q4c8f1k6Q4b7V1y4Q4z5p5y4Q4c8e0c8Q4b7V1c8Q4b7V1k6Q4c8e0N6Q4z5e0c8Q4b7e0S2Q4c8e0c8Q4b7V1q4Q4z5o6k6Q4x3U0k6F1j5Y4y4H3i4K6y4n7i4K6j5H3y4o6S2Q4x3U0k6F1j5Y4y4H3i4K6y4n7j5U0S2Q4x3U0k6F1j5Y4y4H3i4K6y4n7d9f1#2y4y4U0c8Q4c8f1k6Q4b7V1y4Q4z5o6S2y4e0#2k6Q4x3U0k6F1j5Y4y4H3i4K6y4n7f1V1q4j5i4K6u0o6i4K6t1$3L8X3u0K6M7q4)9K6b7V1W2y4e0e0j5@1i4@1g2r3i4@1u0o6i4K6R3&6i4K6j5H3i4K6t1$3L8X3u0K6M7q4)9K6b7W2!0q4y4q4!0n7z5g2)9^5b7W2!0q4y4g2)9&6x3q4)9^5c8g2)9J5y4X3&6T1M7%4m8Q4x3@1u0Q4y4U0m8r3c8V1b7H3i4K6t1^5b7@1q4x3e0q4)9J5y4X3&6T1M7%4m8Q4x3@1u0d9b7g2S2Q4x3U0W2Q4y4U0m8Q4x3U0k6F1j5Y4y4H3i4K6y4n7i4@1f1%4i4K6W2m8i4K6R3@1i4@1f1$3i4K6V1$3i4@1t1&6i4@1f1$3i4@1t1K6i4K6V1#2i4@1f1K6i4K6R3H3i4K6R3J5 2025-6-3 09:37 0
mb_qsxhpjqp 雪币： 186 活跃值： (115) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 3 粉丝 0 关注私信	mb_qsxhpjqp 23 楼你好私我一下，有个需求 2025-11-14 22:16 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复