
@rbmm
Created February 18, 2025 17:39
PsSetCreateProcessNotifyRoutineEx=0   (registration returned NTSTATUS 0, i.e. STATUS_SUCCESS)
PsSetLoadImageNotifyRoutine=0         (registration returned NTSTATUS 0, i.e. STATUS_SUCCESS)
00001 17:38:07 + 13ac(sc.exe) 00007FFEEDED0000{1a000} u \Device\HarddiskVolume9\Windows\System32\kernel.appcore.dll
(::)C:\WINDOWS\SYSTEM32\kernel.appcore.dll
00002 17:38:07 + 13ac(sc.exe) 00007FFEEFB20000{a9000} u \Device\HarddiskVolume9\Windows\System32\msvcrt.dll
(::)C:\WINDOWS\System32\msvcrt.dll
1 13ac exit [1]13ac(sc.exe) ================
00003 17:38:07 b58(cmd.exe) 00007FFEEDED0000{1a000} u \Device\HarddiskVolume9\Windows\System32\kernel.appcore.dll
(::)C:\WINDOWS\SYSTEM32\kernel.appcore.dll
1 b58 exit [1]b58(cmd.exe) ================
++pid=0000000000001788 <FFFFE78F23C890C0> p=0000000000001D94 s=0
1 FN=<\??\C:\Users\Harry\Documents\GitHub\RtlClone\x64\Release\SkipPsNotify.exe>
CL=<"C:\Users\Harry\Documents\GitHub\RtlClone\x64\Release\SkipPsNotify.exe" >
00004 17:38:10 + 1788(SkipPsNotify.e) 00007FF72FF90000{7000} u \Device\HarddiskVolume9\Users\Harry\Documents\GitHub\RtlClone\x64\Release\SkipPsNotify.exe
00005 17:38:10 + 1788(SkipPsNotify.e) 00007FFEF1CA0000{263000} u \Device\HarddiskVolume9\Windows\System32\ntdll.dll
00006 17:38:10 + 1788(SkipPsNotify.e) 00007FFEF0050000{c7000} u \Device\HarddiskVolume9\Windows\System32\kernel32.dll
(::)C:\WINDOWS\System32\KERNEL32.DLL
00007 17:38:10 + 1788(SkipPsNotify.e) 00007FFEEF340000{3a1000} u \Device\HarddiskVolume9\Windows\System32\KernelBase.dll
(::)C:\WINDOWS\System32\KERNELBASE.dll
00008 17:38:10 + 1788(SkipPsNotify.e) 00007FFEEFC70000{1c3000} u \Device\HarddiskVolume9\Windows\System32\user32.dll
(::)C:\WINDOWS\System32\USER32.dll
00009 17:38:10 + 1788(SkipPsNotify.e) 00007FFEEF130000{27000} u \Device\HarddiskVolume9\Windows\System32\win32u.dll
(::)C:\WINDOWS\System32\win32u.dll
00010 17:38:10 + 1788(SkipPsNotify.e) 00007FFEF1690000{2a000} u \Device\HarddiskVolume9\Windows\System32\gdi32.dll
(::)C:\WINDOWS\System32\GDI32.dll
00011 17:38:10 + 1788(SkipPsNotify.e) 00007FFEEF210000{121000} u \Device\HarddiskVolume9\Windows\System32\gdi32full.dll
(::)C:\WINDOWS\System32\gdi32full.dll
00012 17:38:10 + 1788(SkipPsNotify.e) 00007FFEEF160000{a3000} u \Device\HarddiskVolume9\Windows\System32\msvcp_win.dll
(::)C:\WINDOWS\System32\msvcp_win.dll
00013 17:38:10 + 1788(SkipPsNotify.e) 00007FFEEF850000{14b000} u \Device\HarddiskVolume9\Windows\System32\ucrtbase.dll
(::)C:\WINDOWS\System32\ucrtbase.dll
00014 17:38:10 + 1788(SkipPsNotify.e) 00007FFEF1AB0000{2f000} u \Device\HarddiskVolume9\Windows\System32\imm32.dll
(::)C:\WINDOWS\System32\IMM32.DLL
00015 17:38:10 + 1788(SkipPsNotify.e) 00007FFEEC500000{ad000} u \Device\HarddiskVolume9\Windows\System32\uxtheme.dll
(::)C:\WINDOWS\system32\uxtheme.dll
00016 17:38:10 + 1788(SkipPsNotify.e) 00007FFEF0BC0000{37c000} u \Device\HarddiskVolume9\Windows\System32\combase.dll
(::)C:\WINDOWS\System32\combase.dll
00017 17:38:10 + 1788(SkipPsNotify.e) 00007FFEF0590000{116000} u \Device\HarddiskVolume9\Windows\System32\rpcrt4.dll
(::)C:\WINDOWS\System32\RPCRT4.dll
00018 17:38:10 + 1788(SkipPsNotify.e) 00007FFEEFEF0000{159000} u \Device\HarddiskVolume9\Windows\System32\msctf.dll
(::)C:\WINDOWS\System32\MSCTF.dll
00019 17:38:10 1788(SkipPsNotify.e) 00007FFEEFB20000{a9000} u \Device\HarddiskVolume9\Windows\System32\msvcrt.dll
(::)C:\WINDOWS\System32\msvcrt.dll
00020 17:38:10 + 1788(SkipPsNotify.e) 00007FFED6AD0000{290000} u \Device\HarddiskVolume9\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.26100.1591_none_3e0fac18e32dc903\comctl32.dll
(::)C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.26100.1591_none_3e0fac18e32dc903\comctl32.dll
00021 17:38:10 1788(SkipPsNotify.e) 00007FFEEDED0000{1a000} u \Device\HarddiskVolume9\Windows\System32\kernel.appcore.dll
(::)C:\WINDOWS\SYSTEM32\kernel.appcore.dll
00022 17:38:10 + 1788(SkipPsNotify.e) 00007FFEEF6F0000{99000} u \Device\HarddiskVolume9\Windows\System32\bcryptprimitives.dll
(::)C:\WINDOWS\System32\bcryptPrimitives.dll
00023 17:38:10 + 1788(SkipPsNotify.e) 00007FFEF04B0000{d6000} u \Device\HarddiskVolume9\Windows\System32\oleaut32.dll
(::)C:\WINDOWS\System32\OLEAUT32.dll
00024 17:38:10 + 1788(SkipPsNotify.e) 00007FFEF1B50000{a7000} u \Device\HarddiskVolume9\Windows\System32\sechost.dll
(::)C:\WINDOWS\System32\sechost.dll
00025 17:38:10 + 1788(SkipPsNotify.e) 00007FFEDE680000{144000} u \Device\HarddiskVolume9\Windows\System32\TextInputFramework.dll
(::)C:\WINDOWS\SYSTEM32\textinputframework.dll
00026 17:38:10 + 1788(SkipPsNotify.e) 00007FFEF1910000{d3000} u \Device\HarddiskVolume9\Windows\System32\SHCore.dll
(::)C:\WINDOWS\System32\SHCORE.dll
00027 17:38:10 + 1788(SkipPsNotify.e) 00007FFED61A0000{ac000} u \Device\HarddiskVolume9\Windows\System32\TextShaping.dll
(::)C:\WINDOWS\SYSTEM32\TextShaping.dll
00028 17:38:11 + 1788(SkipPsNotify.e) 00007FFEEBE10000{125000} u \Device\HarddiskVolume9\Windows\System32\CoreMessaging.dll
(::)C:\WINDOWS\SYSTEM32\CoreMessaging.dll
00029 17:38:11 + 1788(SkipPsNotify.e) 00007FFEE97B0000{2e3000} u \Device\HarddiskVolume9\Windows\System32\CoreUIComponents.dll
(::)C:\WINDOWS\SYSTEM32\CoreUIComponents.dll
00030 17:38:11 + 1788(SkipPsNotify.e) 00007FFEE9580000{168000} u \Device\HarddiskVolume9\Windows\System32\WinTypes.dll
(::)C:\WINDOWS\SYSTEM32\wintypes.dll
00031 17:38:11 + 1788(SkipPsNotify.e) 00007FFEF0250000{b2000} u \Device\HarddiskVolume9\Windows\System32\advapi32.dll
(::)C:\WINDOWS\System32\advapi32.dll
00032 17:38:11 + 1788(SkipPsNotify.e) 00007FFEEE5E0000{c000} u \Device\HarddiskVolume9\Windows\System32\cryptbase.dll
(::)C:\WINDOWS\SYSTEM32\CRYPTBASE.DLL
00033 17:38:11 + 1788(SkipPsNotify.e) 00007FFEF0310000{199000} u \Device\HarddiskVolume9\Windows\System32\ole32.dll
(::)C:\WINDOWS\System32\ole32.dll
++pid=00000000000006AC <FFFFE78F250E6080> p=0000000000001788 s=0
0 FN=<\Users\Harry\Documents\GitHub\RtlClone\x64\Release\SkipPsNotify.exe>
CL=<(null)>
00034 17:38:11 6ac(SkipPsNotify.e) 00007FF72FF90000{7000} u \Device\HarddiskVolume9\Users\Harry\Documents\GitHub\RtlClone\x64\Release\SkipPsNotify.exe
00035 17:38:11 6ac(SkipPsNotify.e) 00007FFEF1CA0000{263000} u \Device\HarddiskVolume9\Windows\System32\ntdll.dll
1 6ac exit [1]6ac(SkipPsNotify.e) ================
++pid=0000000000000F58 <FFFFE78F261E7080> p=0000000000001788 s=0
0 FN=<\Users\Harry\Documents\GitHub\RtlClone\x64\Release\SkipPsNotify.exe>
CL=<(null)>
00036 17:38:12 f58(SkipPsNotify.e) 00007FF72FF90000{7000} u \Device\HarddiskVolume9\Users\Harry\Documents\GitHub\RtlClone\x64\Release\SkipPsNotify.exe
00037 17:38:12 f58(SkipPsNotify.e) 00007FFEF1CA0000{263000} u \Device\HarddiskVolume9\Windows\System32\ntdll.dll
1 f58 exit [1]f58(SkipPsNotify.e) ================
1 1788 exit [1]1788(SkipPsNotify.e) ================
++pid=0000000000000854 <FFFFE78F27B08080> p=0000000000001D94 s=0
1 FN=<\??\C:\WINDOWS\system32\cmd.exe>
CL=<"C:\WINDOWS\system32\cmd.exe" /C "C:\WINDOWS\system32\sc.EXE stop discovery.dll">
00038 17:38:16 + 854(cmd.exe) 00007FF754950000{6f000} u \Device\HarddiskVolume9\Windows\System32\cmd.exe
00039 17:38:16 854(cmd.exe) 00007FFEF1CA0000{263000} u \Device\HarddiskVolume9\Windows\System32\ntdll.dll
00040 17:38:16 854(cmd.exe) 00007FFEF0050000{c7000} u \Device\HarddiskVolume9\Windows\System32\kernel32.dll
(::)C:\WINDOWS\System32\KERNEL32.DLL
00041 17:38:16 854(cmd.exe) 00007FFEEF340000{3a1000} u \Device\HarddiskVolume9\Windows\System32\KernelBase.dll
(::)C:\WINDOWS\System32\KERNELBASE.dll
00042 17:38:16 854(cmd.exe) 00007FFEEF850000{14b000} u \Device\HarddiskVolume9\Windows\System32\ucrtbase.dll
(::)C:\WINDOWS\System32\ucrtbase.dll
00043 17:38:16 854(cmd.exe) 00007FFEF1B50000{a7000} u \Device\HarddiskVolume9\Windows\System32\sechost.dll
(::)C:\WINDOWS\System32\sechost.dll
++pid=0000000000002100 <FFFFE78F23CE5080> p=0000000000000854 s=0
1 FN=<\??\C:\WINDOWS\system32\sc.exe>
CL=<C:\WINDOWS\system32\sc.EXE stop discovery.dll>
00044 17:38:16 854(cmd.exe) 00007FFEF0250000{b2000} u \Device\HarddiskVolume9\Windows\System32\advapi32.dll
(::)C:\WINDOWS\System32\ADVAPI32.DLL
00045 17:38:16 854(cmd.exe) 00007FFEEFB20000{a9000} u \Device\HarddiskVolume9\Windows\System32\msvcrt.dll
(::)C:\WINDOWS\System32\msvcrt.dll
00046 17:38:16 854(cmd.exe) 00007FFEF0590000{116000} u \Device\HarddiskVolume9\Windows\System32\rpcrt4.dll
(::)C:\WINDOWS\System32\RPCRT4.dll
00047 17:38:16 + 2100(sc.exe) 00007FF760D50000{19000} u \Device\HarddiskVolume9\Windows\System32\sc.exe
00048 17:38:16 2100(sc.exe) 00007FFEF1CA0000{263000} u \Device\HarddiskVolume9\Windows\System32\ntdll.dll
00049 17:38:16 2100(sc.exe) 00007FFEF0050000{c7000} u \Device\HarddiskVolume9\Windows\System32\kernel32.dll
(::)C:\WINDOWS\System32\KERNEL32.DLL
00050 17:38:16 2100(sc.exe) 00007FFEEF340000{3a1000} u \Device\HarddiskVolume9\Windows\System32\KernelBase.dll
(::)C:\WINDOWS\System32\KERNELBASE.dll
00051 17:38:16 2100(sc.exe) 00007FFEEF850000{14b000} u \Device\HarddiskVolume9\Windows\System32\ucrtbase.dll
(::)C:\WINDOWS\System32\ucrtbase.dll
00052 17:38:16 2100(sc.exe) 00007FFEF0590000{116000} u \Device\HarddiskVolume9\Windows\System32\rpcrt4.dll
(::)C:\WINDOWS\System32\RPCRT4.dll
00053 17:38:16 2100(sc.exe) 00007FFEF1B50000{a7000} u \Device\HarddiskVolume9\Windows\System32\sechost.dll
(::)C:\WINDOWS\System32\sechost.dll
DriverUnload(FFFFE78F24484E20)