Last active
July 17, 2024 02:21
-
-
Save hfiref0x/41b2b084d6e59ee6581ed1ceeaaf9253 to your computer and use it in GitHub Desktop.
MiRememberUnloadedDriver
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| typedef struct _UNLOADED_DRIVERS { | |
| UNICODE_STRING Name; | |
| PVOID StartAddress; | |
| PVOID EndAddress; | |
| LARGE_INTEGER CurrentTime; | |
| } UNLOADED_DRIVERS, *PUNLOADED_DRIVERS; | |
| #define MI_UNLOADED_DRIVERS 50 | |
| mov reg, 7D0h ; -> NumberOfBytes = MI_UNLOADED_DRIVERS * sizeof (UNLOADED_DRIVERS); | |
| MiRememberUnloadedDriver | |
| 7601 | |
| PAGE:000000014042B079 BB D0 07 00 00 mov ebx, 7D0h | |
| PAGE:000000014042B07E 41 B8 4D 6D 44 54 mov r8d, 54446D4Dh ; Tag | |
| PAGE:000000014042B084 33 C9 xor ecx, ecx ; PoolType | |
| PAGE:000000014042B086 48 8B D3 mov rdx, rbx ; NumberOfBytes | |
| PAGE:000000014042B089 E8 52 C0 D7 FF call ExAllocatePoolWithTag | |
| PAGE:000000014042B08E 48 89 05 5B 11 E8 FF mov cs:MmUnloadedDrivers, rax | |
| 9200 | |
| PAGE:000000014048899A BB D0 07 00 00 mov ebx, 7D0h | |
| PAGE:000000014048899F 41 B8 4D 6D 44 54 mov r8d, 54446D4Dh ; Tag | |
| PAGE:00000001404889A5 B9 00 02 00 00 mov ecx, 200h ; PoolType | |
| PAGE:00000001404889AA 8B D3 mov edx, ebx ; NumberOfBytes | |
| PAGE:00000001404889AC E8 8F 66 DE FF call ExAllocatePoolWithTag | |
| PAGE:00000001404889B1 48 89 05 50 D8 EC FF mov cs:MmUnloadedDrivers, rax | |
| 9600 | |
| PAGE:00000001404CA74F BB D0 07 00 00 mov ebx, 7D0h | |
| PAGE:00000001404CA754 41 B8 4D 6D 44 54 mov r8d, 54446D4Dh ; Tag | |
| PAGE:00000001404CA75A B9 00 02 00 00 mov ecx, 200h ; PoolType | |
| PAGE:00000001404CA75F 8B D3 mov edx, ebx ; NumberOfBytes | |
| PAGE:00000001404CA761 E8 8A B4 DC FF call ExAllocatePoolWithTag | |
| PAGE:00000001404CA766 48 89 05 CB BA E8 FF mov cs:MmUnloadedDrivers, rax | |
| 10240 | |
| PAGE:00000001405372B0 BF D0 07 00 00 mov edi, 7D0h | |
| PAGE:00000001405372B5 41 B8 4D 6D 44 54 mov r8d, 54446D4Dh ; Tag | |
| PAGE:00000001405372BB 8B D7 mov edx, edi ; NumberOfBytes | |
| PAGE:00000001405372BD B9 00 02 00 00 mov ecx, 200h ; PoolType | |
| PAGE:00000001405372C2 E8 99 B6 D3 FF call ExAllocatePoolWithTag | |
| PAGE:00000001405372C7 48 89 05 E2 B9 E0 FF mov cs:MmUnloadedDrivers, rax | |
| 10586 | |
| PAGE:0000000140496245 BB D0 07 00 00 mov ebx, 7D0h | |
| PAGE:000000014049624A 41 B8 4D 6D 44 54 mov r8d, 54446D4Dh ; Tag | |
| PAGE:0000000140496250 8B D3 mov edx, ebx ; NumberOfBytes | |
| PAGE:0000000140496252 B9 00 02 00 00 mov ecx, 200h ; PoolType | |
| PAGE:0000000140496257 E8 F4 A6 D9 FF call ExAllocatePoolWithTag | |
| PAGE:000000014049625C 48 89 05 DD 89 E4 FF mov cs:MmUnloadedDrivers, rax | |
| 14393 | |
| PAGE:0000000140531391 BB D0 07 00 00 mov ebx, 7D0h | |
| PAGE:0000000140531396 41 B8 4D 6D 44 54 mov r8d, 54446D4Dh ; Tag | |
| PAGE:000000014053139C 8B D3 mov edx, ebx ; NumberOfBytes | |
| PAGE:000000014053139E B9 00 02 00 00 mov ecx, 200h ; PoolType | |
| PAGE:00000001405313A3 E8 38 EA D1 FF call ExAllocatePoolWithTag | |
| PAGE:00000001405313A8 48 89 05 D1 0D DD FF mov cs:MmUnloadedDrivers, rax | |
| 15063 | |
| PAGE:000000014057C46E BB D0 07 00 00 mov ebx, 7D0h | |
| PAGE:000000014057C473 41 B8 4D 6D 44 54 mov r8d, 54446D4Dh ; Tag | |
| PAGE:000000014057C479 8B D3 mov edx, ebx ; NumberOfBytes | |
| PAGE:000000014057C47B B9 00 02 00 00 mov ecx, 200h ; PoolType | |
| PAGE:000000014057C480 E8 0B 2F D0 FF call ExAllocatePoolWithTag | |
| PAGE:000000014057C485 48 89 05 6C FC DC FF mov cs:MmUnloadedDrivers, rax | |
| 16299 | |
| PAGE:00000001404874AA BB D0 07 00 00 mov ebx, 7D0h | |
| PAGE:00000001404874AF 41 B8 4D 6D 44 54 mov r8d, 54446D4Dh ; Tag | |
| PAGE:00000001404874B5 8B D3 mov edx, ebx ; NumberOfBytes | |
| PAGE:00000001404874B7 B9 00 02 00 00 mov ecx, 200h ; PoolType | |
| PAGE:00000001404874BC E8 8F F8 E1 FF call ExAllocatePoolWithTag | |
| PAGE:00000001404874C1 48 89 05 10 AB ED FF mov cs:MmUnloadedDrivers, rax | |
| 17134 | |
| PAGE:000000014060DB4E BB D0 07 00 00 mov ebx, 7D0h | |
| PAGE:000000014060DB53 41 B8 4D 6D 44 54 mov r8d, 54446D4Dh ; Tag | |
| PAGE:000000014060DB59 8B D3 mov edx, ebx ; NumberOfBytes | |
| PAGE:000000014060DB5B B9 00 02 00 00 mov ecx, 200h ; PoolType | |
| PAGE:000000014060DB60 E8 AB 78 CE FF call ExAllocatePoolWithTag | |
| PAGE:000000014060DB65 48 89 05 F4 D5 DA FF mov cs:MmUnloadedDrivers, rax | |
| 17763 | |
| PAGE:0000000140674C22 BB D0 07 00 00 mov ebx, 7D0h | |
| PAGE:0000000140674C27 41 B8 4D 6D 44 54 mov r8d, 54446D4Dh ; Tag | |
| PAGE:0000000140674C2D 8B D3 mov edx, ebx ; NumberOfBytes | |
| PAGE:0000000140674C2F B9 00 02 00 00 mov ecx, 200h ; PoolType | |
| PAGE:0000000140674C34 E8 47 8D CD FF call ExAllocatePoolWithTag | |
| PAGE:0000000140674C39 48 89 05 90 AD DA FF mov cs:MmUnloadedDrivers, rax | |
| 18362/18363 | |
| PAGE:000000014073EE72 BB D0 07 00 00 mov ebx, 7D0h | |
| PAGE:000000014073EE77 41 B8 4D 6D 44 54 mov r8d, 54446D4Dh ; Tag | |
| PAGE:000000014073EE7D 8B D3 mov edx, ebx ; NumberOfBytes | |
| PAGE:000000014073EE7F B9 00 02 00 00 mov ecx, 200h ; PoolType | |
| PAGE:000000014073EE84 E8 87 F1 C2 FF call ExAllocatePoolWithTag | |
| PAGE:000000014073EE89 48 89 05 A8 86 D0 FF mov cs:MmUnloadedDrivers, rax | |
| 19041 | |
| PAGE:00000001406C4A7C BA D0 07 00 00 mov edx, 7D0h | |
| PAGE:00000001406C4A81 B9 40 00 00 00 mov ecx, 40h | |
| PAGE:00000001406C4A86 41 B8 4D 6D 44 54 mov r8d, 54446D4Dh | |
| PAGE:00000001406C4A8C E8 5B E3 BC FF call MiAllocatePool | |
| PAGE:00000001406C4A91 48 89 05 F0 57 56 00 mov cs:MmUnloadedDrivers, rax | |
| 19042 | |
| PAGE:00000001406C4A7C BA D0 07 00 00 mov edx, 7D0h | |
| PAGE:00000001406C4A81 B9 40 00 00 00 mov ecx, 40h | |
| PAGE:00000001406C4A86 41 B8 4D 6D 44 54 mov r8d, 54446D4Dh | |
| PAGE:00000001406C4A8C E8 5B E3 BC FF call MiAllocatePool | |
| PAGE:00000001406C4A91 48 89 05 F0 57 56 00 mov cs:MmUnloadedDrivers, rax | |
| 19043 | |
| PAGE:000000014074860C BA D0 07 00 00 mov edx, 7D0h | |
| PAGE:0000000140748611 B9 40 00 00 00 mov ecx, 40h | |
| PAGE:0000000140748616 41 B8 4D 6D 44 54 mov r8d, 54446D4Dh | |
| PAGE:000000014074861C E8 8F 89 B5 FF call MiAllocatePool | |
| PAGE:0000000140748621 48 89 05 50 1E 4E 00 mov cs:MmUnloadedDrivers, rax | |
| 20348 | |
| PAGE:00000001407EDB18 BA D0 07 00 00 mov edx, 7D0h | |
| PAGE:00000001407EDB1D B9 40 00 00 00 mov ecx, 40h ; '@' | |
| PAGE:00000001407EDB22 41 B8 4D 6D 44 54 mov r8d, 54446D4Dh | |
| PAGE:00000001407EDB28 E8 63 D9 A6 FF call MiAllocatePool | |
| PAGE:00000001407EDB2D 48 89 05 1C 61 44 00 mov cs:MmUnloadedDrivers, rax | |
| 21359 | |
| PAGE:0000000140801C43 BA D0 07 00 00 mov edx, 7D0h | |
| PAGE:0000000140801C48 B9 40 00 00 00 mov ecx, 40h | |
| PAGE:0000000140801C4D 41 B8 4D 6D 44 54 mov r8d, 54446D4Dh | |
| PAGE:0000000140801C53 E8 18 4E A9 FF call MiAllocatePool | |
| PAGE:0000000140801C58 48 89 05 19 7F 42 00 mov cs:MmUnloadedDrivers, rax | |
| 22000 | |
| PAGE:00000001408019EB BA D0 07 00 00 mov edx, 7D0h | |
| PAGE:00000001408019F0 B9 40 00 00 00 mov ecx, 40h | |
| PAGE:00000001408019F5 41 B8 4D 6D 44 54 mov r8d, 54446D4Dh | |
| PAGE:00000001408019FB E8 E0 41 A3 FF call MiAllocatePool | |
| PAGE:0000000140801A00 48 89 05 11 81 42 00 mov cs:MmUnloadedDrivers, rax | |
| 22621 | |
| PAGE:000000014081D44F BA D0 07 00 00 mov edx, 7D0h | |
| PAGE:000000014081D454 B9 40 00 00 00 mov ecx, 40h ; '@' | |
| PAGE:000000014081D459 41 B8 4D 6D 44 54 mov r8d, 54446D4Dh | |
| PAGE:000000014081D45F E8 3C E3 AF FF call MiAllocatePool | |
| PAGE:000000014081D464 48 89 05 85 60 3F 00 mov cs:MmUnloadedDrivers, rax | |
| 22631 | |
| PAGE:000000014084B2EF BA D0 07 00 00 mov edx, 7D0h | |
| PAGE:000000014084B2F4 B9 40 00 00 00 mov ecx, 40h ; '@' | |
| PAGE:000000014084B2F9 41 B8 4D 6D 44 54 mov r8d, 54446D4Dh | |
| PAGE:000000014084B2FF E8 2C 60 A5 FF call MiAllocatePool | |
| PAGE:000000014084B304 48 89 05 8D 7D 3C 00 mov cs:MmUnloadedDrivers, rax | |
| 26100 | |
| PAGE:00000001407C1E63 BA D0 07 00 00 mov edx, 7D0h | |
| PAGE:00000001407C1E68 41 8D 4E 40 lea ecx, [r14+40h] | |
| PAGE:00000001407C1E6C 41 B8 4D 6D 44 54 mov r8d, 54446D4Dh | |
| PAGE:00000001407C1E72 E8 09 28 A8 FF call MiAllocatePool | |
| PAGE:00000001407C1E77 48 89 05 8A 26 73 00 mov cs:MmUnloadedDrivers, rax | |
| 26120 | |
| PAGE:00000001407B0883 BA D0 07 00 00 mov edx, 7D0h | |
| PAGE:00000001407B0888 41 8D 4E 40 lea ecx, [r14+40h] | |
| PAGE:00000001407B088C 41 B8 4D 6D 44 54 mov r8d, 54446D4Dh | |
| PAGE:00000001407B0892 E8 C9 42 AE FF call MiAllocatePool | |
| PAGE:00000001407B0897 48 89 05 EA 3B 74 00 mov cs:MmUnloadedDrivers, rax | |
| 26212 | |
| PAGE:00000001407C1DA3 BA D0 07 00 00 mov edx, 7D0h | |
| PAGE:00000001407C1DA8 41 8D 4E 40 lea ecx, [r14+40h] | |
| PAGE:00000001407C1DAC 41 B8 4D 6D 44 54 mov r8d, 54446D4Dh | |
| PAGE:00000001407C1DB2 E8 89 28 A8 FF call MiAllocatePool | |
| PAGE:00000001407C1DB7 48 89 05 AA 26 73 00 mov cs:MmUnloadedDrivers, rax | |
| 26231 | |
| PAGE:00000001407C1EA3 BA D0 07 00 00 mov edx, 7D0h | |
| PAGE:00000001407C1EA8 41 8D 4E 40 lea ecx, [r14+40h] | |
| PAGE:00000001407C1EAC 41 B8 4D 6D 44 54 mov r8d, 54446D4Dh | |
| PAGE:00000001407C1EB2 E8 89 27 A8 FF call MiAllocatePool | |
| PAGE:00000001407C1EB7 48 89 05 4A 26 73 00 mov cs:MmUnloadedDrivers, rax |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment