- Visual Chart Diff
- Metadata
- Deleted
- Added
- Modified
- CClfsRequest::Close
- CClfsLogCcb::Cleanup
- `CClfsRequest::Close'::__l1::fin$0
- Feature_2633002298__private_IsEnabledFallback
- wil_details_FeatureReporting_ReportUsageToServiceDirect
- wil_details_FeatureReporting_ReportUsageToService
- wil_details_IsEnabledFallback
- wil_details_FeatureStateCache_TryEnableDeviceUsageFastPath
- Modified (No Code Changes)
flowchart LR
CClfsRequestClose-1-old<--Match 69%-->CClfsRequestClose-1-new
CClfsLogCcbCleanup-1-old<--Match 51%-->CClfsLogCcbCleanup-1-new
CClfsRequestClose__l1fin0-2-old<--Match 81%-->CClfsRequestClose__l1fin0-2-new
Feature_2633002298__private_IsEnabledFallback-2-old<--Match 89%-->Feature_2633002298__private_IsEnabledFallback-2-new
wil_details_FeatureReporting_ReportUsageToServiceDirect-3-old<--Match 95%-->wil_details_FeatureReporting_ReportUsageToServiceDirect-3-new
wil_details_FeatureReporting_ReportUsageToService-3-old<--Match 94%-->wil_details_FeatureReporting_ReportUsageToService-3-new
wil_details_IsEnabledFallback-2-old<--Match 94%-->wil_details_IsEnabledFallback-2-new
wil_details_FeatureStateCache_TryEnableDeviceUsageFastPath-2-old<--Match 90%-->wil_details_FeatureStateCache_TryEnableDeviceUsageFastPath-2-new
subgraph clfs.sys.x64.10.0.26100.3775
CClfsRequestClose-1-new
CClfsLogCcbCleanup-1-new
CClfsRequestClose__l1fin0-2-new
Feature_2633002298__private_IsEnabledFallback-2-new
wil_details_FeatureReporting_ReportUsageToServiceDirect-3-new
wil_details_FeatureReporting_ReportUsageToService-3-new
wil_details_IsEnabledFallback-2-new
wil_details_FeatureStateCache_TryEnableDeviceUsageFastPath-2-new
subgraph Added
direction LR
Feature_2931883321__private_IsEnabledDeviceUsageNoInline
Feature_2931883321__private_IsEnabledFallback
end
end
subgraph clfs.sys.x64.10.0.26100.3624
CClfsRequestClose-1-old
CClfsLogCcbCleanup-1-old
CClfsRequestClose__l1fin0-2-old
Feature_2633002298__private_IsEnabledFallback-2-old
wil_details_FeatureReporting_ReportUsageToServiceDirect-3-old
wil_details_FeatureReporting_ReportUsageToService-3-old
wil_details_IsEnabledFallback-2-old
wil_details_FeatureStateCache_TryEnableDeviceUsageFastPath-2-old
end
pie showData
title Function Matches - 99.9448%
"unmatched_funcs_len" : 2
"matched_funcs_len" : 3624
pie showData
title Matched Function Similarity - 99.7241%
"matched_funcs_with_code_changes_len" : 8
"matched_funcs_with_non_code_changes_len" : 2
"matched_funcs_no_changes_len" : 3614
ghidriff --project-location ghidra_projects --project-name ghidriff --symbols-path symbols --gzfs-path gzfs --threaded --log-level INFO --file-log-level INFO --log-path ghidriff.log --min-func-len 10 --gdt ['/mnt/c/Users/user/Desktop/pdiff-dark/resources/ghidra_gdts/ntddk_64.gdt'] --bsim --max-ram-percent 60.0 --max-section-funcs 200 clfs.sys.x64.10.0.26100.3624 clfs.sys.x64.10.0.26100.3775
Details
--old ['clfs.sys.x64.10.0.26100.3624'] --new [['clfs.sys.x64.10.0.26100.3775']] --engine VersionTrackingDiff --output-path ghidriffs --summary False --project-location ghidra_projects --project-name ghidriff --symbols-path symbols --gzfs-path gzfs --base-address None --program-options None --threaded True --force-analysis False --force-diff False --no-symbols False --log-level INFO --file-log-level INFO --log-path ghidriff.log --va False --min-func-len 10 --use-calling-counts False --gdt ['/mnt/c/Users/user/Desktop/pdiff-dark/resources/ghidra_gdts/ntddk_64.gdt'] --bsim True --bsim-full False --max-ram-percent 60.0 --print-flags False --jvm-args None --side-by-side False --max-section-funcs 200 --md-title None
wget https://msdl.microsoft.com/download/symbols/Clfs.Sys/B199B0AF86000/Clfs.Sys -O clfs.sys.x64.10.0.26100.3624
wget https://msdl.microsoft.com/download/symbols/Clfs.Sys/931DCBBD86000/Clfs.Sys -O clfs.sys.x64.10.0.26100.3775
--- clfs.sys.x64.10.0.26100.3624 Meta
+++ clfs.sys.x64.10.0.26100.3775 Meta
@@ -1,44 +1,44 @@
-Program Name: clfs.sys.x64.10.0.26100.3624
+Program Name: clfs.sys.x64.10.0.26100.3775
Language ID: x86:LE:64:default (4.6)
Compiler ID: windows
Processor: x86
Endian: Little
Address Size: 64
Minimum Address: 1c0000000
Maximum Address: ff0000184f
-# of Bytes: 552936
+# of Bytes: 552944
# of Memory Blocks: 14
-# of Instructions: 97815
-# of Defined Data: 3612
-# of Functions: 1812
-# of Symbols: 14225
+# of Instructions: 97898
+# of Defined Data: 3618
+# of Functions: 1814
+# of Symbols: 14241
# of Data Types: 1113
# of Data Type Categories: 20
Analyzed: true
Compiler: visualstudio:unknown
Created With Ghidra Version: 11.4.2
-Date Created: Wed Oct 29 18:37:09 PDT 2025
+Date Created: Wed Oct 29 18:37:13 PDT 2025
Executable Format: Portable Executable (PE)
-Executable Location: /tmp/clfs.sys.x64.10.0.26100.3624
-Executable MD5: 868f53d68b2ae6c2fce2e2887d120f9e
-Executable SHA256: 3f6d52194ba69ac5b72aa94c81e7aafb00dc643edced2347d1420f58af98411f
-FSRL: file:///tmp/clfs.sys.x64.10.0.26100.3624?MD5=868f53d68b2ae6c2fce2e2887d120f9e
+Executable Location: /tmp/clfs.sys.x64.10.0.26100.3775
+Executable MD5: c319e5d8c2f1a3f12e2cd0de13830799
+Executable SHA256: 1236ade15a1d9549947821aec37e5d016ce10e0a88f9546ccd7b4e5dc42f53e7
+FSRL: file:///tmp/clfs.sys.x64.10.0.26100.3775?MD5=c319e5d8c2f1a3f12e2cd0de13830799
PDB Age: 1
PDB File: clfs.pdb
-PDB GUID: 13f89e9c-7828-fb7f-468e-82e8f3434f57
+PDB GUID: 59a49944-f0b3-1ccf-96e7-0f370e67415d
PDB Loaded: true
PDB Version: RSDS
PE Property[CompanyName]: Microsoft Corporation
PE Property[FileDescription]: Common Log File System Driver
-PE Property[FileVersion]: 10.0.26100.3624 (WinBuild.160101.0800)
+PE Property[FileVersion]: 10.0.26100.3775 (WinBuild.160101.0800)
PE Property[InternalName]: clfs.sys
PE Property[LegalCopyright]: © Microsoft Corporation. All rights reserved.
PE Property[OriginalFilename]: Clfs.Sys
PE Property[ProductName]: Microsoft® Windows® Operating System
-PE Property[ProductVersion]: 10.0.26100.3624
+PE Property[ProductVersion]: 10.0.26100.3775
PE Property[Translation]: 4b00000
Preferred Root Namespace Category:
RTTI Found: false
Relocatable: true
SectionAlignment: 4096
Should Ask To Analyze: false
Ghidra clfs.sys.x64.10.0.26100.3624 Decompiler Options
| Decompiler Option | Value |
|---|---|
| Prototype Evaluation | __fastcall |
Ghidra clfs.sys.x64.10.0.26100.3624 Specification extensions Options
| Specification extensions Option | Value |
|---|---|
| FormatVersion | 0 |
| VersionCounter | 0 |
Ghidra clfs.sys.x64.10.0.26100.3624 Analyzers Options
| Analyzers Option | Value |
|---|---|
| ASCII Strings | true |
| ASCII Strings.Create Strings Containing Existing Strings | true |
| ASCII Strings.Create Strings Containing References | true |
| ASCII Strings.Force Model Reload | false |
| ASCII Strings.Minimum String Length | LEN_5 |
| ASCII Strings.Model File | StringModel.sng |
| ASCII Strings.Require Null Termination for String | true |
| ASCII Strings.Search Only in Accessible Memory Blocks | true |
| ASCII Strings.String Start Alignment | ALIGN_1 |
| ASCII Strings.String end alignment | 4 |
| Aggressive Instruction Finder | false |
| Aggressive Instruction Finder.Create Analysis Bookmarks | true |
| Apply Data Archives | true |
| Apply Data Archives.Archive Chooser | [Auto-Detect] |
| Apply Data Archives.Create Analysis Bookmarks | true |
| Apply Data Archives.GDT User File Archive Path | None |
| Apply Data Archives.User Project Archive Path | None |
| Call Convention ID | true |
| Call Convention ID.Analysis Decompiler Timeout (sec) | 60 |
| Call-Fixup Installer | true |
| Condense Filler Bytes | false |
| Condense Filler Bytes.Filler Value | Auto |
| Condense Filler Bytes.Minimum number of sequential bytes | 1 |
| Create Address Tables | true |
| Create Address Tables.Allow Offcut References | false |
| Create Address Tables.Auto Label Table | false |
| Create Address Tables.Create Analysis Bookmarks | true |
| Create Address Tables.Maxmimum Pointer Distance | 16777215 |
| Create Address Tables.Minimum Pointer Address | 4132 |
| Create Address Tables.Minimum Table Size | 2 |
| Create Address Tables.Pointer Alignment | 1 |
| Create Address Tables.Relocation Table Guide | true |
| Create Address Tables.Table Alignment | 4 |
| Data Reference | true |
| Data Reference.Address Table Alignment | 1 |
| Data Reference.Address Table Minimum Size | 2 |
| Data Reference.Align End of Strings | false |
| Data Reference.Ascii String References | true |
| Data Reference.Create Address Tables | true |
| Data Reference.Minimum String Length | 5 |
| Data Reference.References to Pointers | true |
| Data Reference.Relocation Table Guide | true |
| Data Reference.Respect Execute Flag | true |
| Data Reference.Subroutine References | true |
| Data Reference.Switch Table References | false |
| Data Reference.Unicode String References | true |
| Decompiler Parameter ID | true |
| Decompiler Parameter ID.Analysis Clear Level | ANALYSIS |
| Decompiler Parameter ID.Analysis Decompiler Timeout (sec) | 60 |
| Decompiler Parameter ID.Commit Data Types | true |
| Decompiler Parameter ID.Commit Void Return Values | false |
| Decompiler Parameter ID.Prototype Evaluation | __fastcall |
| Decompiler Switch Analysis | true |
| Decompiler Switch Analysis.Analysis Decompiler Timeout (sec) | 60 |
| Demangler Microsoft | true |
| Demangler Microsoft.Apply Function Calling Conventions | true |
| Demangler Microsoft.Apply Function Signatures | true |
| Demangler Microsoft.C-Style Symbol Interpretation | FUNCTION_IF_EXISTS |
| Demangler Microsoft.Demangle Only Known Mangled Symbols | false |
| Disassemble Entry Points | true |
| Disassemble Entry Points.Respect Execute Flag | true |
| Embedded Media | true |
| Embedded Media.Create Analysis Bookmarks | true |
| External Entry References | true |
| Function ID | true |
| Function ID.Always Apply FID Labels | false |
| Function ID.Create Analysis Bookmarks | true |
| Function ID.Instruction Count Threshold | 14.6 |
| Function ID.Multiple Match Threshold | 30.0 |
| Function Start Search | true |
| Function Start Search.Bookmark Functions | false |
| Function Start Search.Search Data Blocks | false |
| Non-Returning Functions - Discovered | true |
| Non-Returning Functions - Discovered.Create Analysis Bookmarks | true |
| Non-Returning Functions - Discovered.Function Non-return Threshold | 3 |
| Non-Returning Functions - Discovered.Repair Flow Damage | true |
| Non-Returning Functions - Known | true |
| Non-Returning Functions - Known.Create Analysis Bookmarks | true |
| PDB MSDIA | false |
| PDB MSDIA.Search untrusted symbol servers | false |
| PDB Universal | true |
| PDB Universal.Import Source Line Info | true |
| PDB Universal.Search untrusted symbol servers | false |
| Reference | true |
| Reference.Address Table Alignment | 1 |
| Reference.Address Table Minimum Size | 2 |
| Reference.Align End of Strings | false |
| Reference.Ascii String References | true |
| Reference.Create Address Tables | true |
| Reference.Minimum String Length | 5 |
| Reference.References to Pointers | true |
| Reference.Relocation Table Guide | true |
| Reference.Respect Execute Flag | true |
| Reference.Subroutine References | true |
| Reference.Switch Table References | false |
| Reference.Unicode String References | true |
| Scalar Operand References | true |
| Scalar Operand References.Relocation Table Guide | true |
| Shared Return Calls | true |
| Shared Return Calls.Allow Conditional Jumps | false |
| Shared Return Calls.Assume Contiguous Functions Only | true |
| Stack | true |
| Stack.Create Local Variables | true |
| Stack.Create Param Variables | false |
| Stack.Max Threads | 2 |
| Stack.useNewFunctionStackAnalysis | true |
| Subroutine References | true |
| Subroutine References.Create Thunks Early | true |
| Variadic Function Signature Override | false |
| Variadic Function Signature Override.Create Analysis Bookmarks | false |
| Windows x86 PE Exception Handling | true |
| Windows x86 PE RTTI Analyzer | true |
| Windows x86 Thread Environment Block (TEB) Analyzer | true |
| Windows x86 Thread Environment Block (TEB) Analyzer.Starting Address of the TEB | |
| Windows x86 Thread Environment Block (TEB) Analyzer.Windows OS Version | Windows 7 |
| WindowsPE x86 Propagate External Parameters | false |
| WindowsResourceReference | true |
| WindowsResourceReference.Create Analysis Bookmarks | true |
| x86 Constant Reference Analyzer | true |
| x86 Constant Reference Analyzer.Create Data from pointer | false |
| x86 Constant Reference Analyzer.Function parameter/return Pointer analysis | true |
| x86 Constant Reference Analyzer.Max Threads | 2 |
| x86 Constant Reference Analyzer.Min absolute reference | 4 |
| x86 Constant Reference Analyzer.Require pointer param data type | false |
| x86 Constant Reference Analyzer.Speculative reference max | 256 |
| x86 Constant Reference Analyzer.Speculative reference min | 1024 |
| x86 Constant Reference Analyzer.Stored Value Pointer analysis | true |
| x86 Constant Reference Analyzer.Trust values read from writable memory | true |
Ghidra clfs.sys.x64.10.0.26100.3775 Decompiler Options
| Decompiler Option | Value |
|---|---|
| Prototype Evaluation | __fastcall |
Ghidra clfs.sys.x64.10.0.26100.3775 Specification extensions Options
| Specification extensions Option | Value |
|---|---|
| FormatVersion | 0 |
| VersionCounter | 0 |
Ghidra clfs.sys.x64.10.0.26100.3775 Analyzers Options
| Analyzers Option | Value |
|---|---|
| ASCII Strings | true |
| ASCII Strings.Create Strings Containing Existing Strings | true |
| ASCII Strings.Create Strings Containing References | true |
| ASCII Strings.Force Model Reload | false |
| ASCII Strings.Minimum String Length | LEN_5 |
| ASCII Strings.Model File | StringModel.sng |
| ASCII Strings.Require Null Termination for String | true |
| ASCII Strings.Search Only in Accessible Memory Blocks | true |
| ASCII Strings.String Start Alignment | ALIGN_1 |
| ASCII Strings.String end alignment | 4 |
| Aggressive Instruction Finder | false |
| Aggressive Instruction Finder.Create Analysis Bookmarks | true |
| Apply Data Archives | true |
| Apply Data Archives.Archive Chooser | [Auto-Detect] |
| Apply Data Archives.Create Analysis Bookmarks | true |
| Apply Data Archives.GDT User File Archive Path | None |
| Apply Data Archives.User Project Archive Path | None |
| Call Convention ID | true |
| Call Convention ID.Analysis Decompiler Timeout (sec) | 60 |
| Call-Fixup Installer | true |
| Condense Filler Bytes | false |
| Condense Filler Bytes.Filler Value | Auto |
| Condense Filler Bytes.Minimum number of sequential bytes | 1 |
| Create Address Tables | true |
| Create Address Tables.Allow Offcut References | false |
| Create Address Tables.Auto Label Table | false |
| Create Address Tables.Create Analysis Bookmarks | true |
| Create Address Tables.Maxmimum Pointer Distance | 16777215 |
| Create Address Tables.Minimum Pointer Address | 4132 |
| Create Address Tables.Minimum Table Size | 2 |
| Create Address Tables.Pointer Alignment | 1 |
| Create Address Tables.Relocation Table Guide | true |
| Create Address Tables.Table Alignment | 4 |
| Data Reference | true |
| Data Reference.Address Table Alignment | 1 |
| Data Reference.Address Table Minimum Size | 2 |
| Data Reference.Align End of Strings | false |
| Data Reference.Ascii String References | true |
| Data Reference.Create Address Tables | true |
| Data Reference.Minimum String Length | 5 |
| Data Reference.References to Pointers | true |
| Data Reference.Relocation Table Guide | true |
| Data Reference.Respect Execute Flag | true |
| Data Reference.Subroutine References | true |
| Data Reference.Switch Table References | false |
| Data Reference.Unicode String References | true |
| Decompiler Parameter ID | true |
| Decompiler Parameter ID.Analysis Clear Level | ANALYSIS |
| Decompiler Parameter ID.Analysis Decompiler Timeout (sec) | 60 |
| Decompiler Parameter ID.Commit Data Types | true |
| Decompiler Parameter ID.Commit Void Return Values | false |
| Decompiler Parameter ID.Prototype Evaluation | __fastcall |
| Decompiler Switch Analysis | true |
| Decompiler Switch Analysis.Analysis Decompiler Timeout (sec) | 60 |
| Demangler Microsoft | true |
| Demangler Microsoft.Apply Function Calling Conventions | true |
| Demangler Microsoft.Apply Function Signatures | true |
| Demangler Microsoft.C-Style Symbol Interpretation | FUNCTION_IF_EXISTS |
| Demangler Microsoft.Demangle Only Known Mangled Symbols | false |
| Disassemble Entry Points | true |
| Disassemble Entry Points.Respect Execute Flag | true |
| Embedded Media | true |
| Embedded Media.Create Analysis Bookmarks | true |
| External Entry References | true |
| Function ID | true |
| Function ID.Always Apply FID Labels | false |
| Function ID.Create Analysis Bookmarks | true |
| Function ID.Instruction Count Threshold | 14.6 |
| Function ID.Multiple Match Threshold | 30.0 |
| Function Start Search | true |
| Function Start Search.Bookmark Functions | false |
| Function Start Search.Search Data Blocks | false |
| Non-Returning Functions - Discovered | true |
| Non-Returning Functions - Discovered.Create Analysis Bookmarks | true |
| Non-Returning Functions - Discovered.Function Non-return Threshold | 3 |
| Non-Returning Functions - Discovered.Repair Flow Damage | true |
| Non-Returning Functions - Known | true |
| Non-Returning Functions - Known.Create Analysis Bookmarks | true |
| PDB MSDIA | false |
| PDB MSDIA.Search untrusted symbol servers | false |
| PDB Universal | true |
| PDB Universal.Import Source Line Info | true |
| PDB Universal.Search untrusted symbol servers | false |
| Reference | true |
| Reference.Address Table Alignment | 1 |
| Reference.Address Table Minimum Size | 2 |
| Reference.Align End of Strings | false |
| Reference.Ascii String References | true |
| Reference.Create Address Tables | true |
| Reference.Minimum String Length | 5 |
| Reference.References to Pointers | true |
| Reference.Relocation Table Guide | true |
| Reference.Respect Execute Flag | true |
| Reference.Subroutine References | true |
| Reference.Switch Table References | false |
| Reference.Unicode String References | true |
| Scalar Operand References | true |
| Scalar Operand References.Relocation Table Guide | true |
| Shared Return Calls | true |
| Shared Return Calls.Allow Conditional Jumps | false |
| Shared Return Calls.Assume Contiguous Functions Only | true |
| Stack | true |
| Stack.Create Local Variables | true |
| Stack.Create Param Variables | false |
| Stack.Max Threads | 2 |
| Stack.useNewFunctionStackAnalysis | true |
| Subroutine References | true |
| Subroutine References.Create Thunks Early | true |
| Variadic Function Signature Override | false |
| Variadic Function Signature Override.Create Analysis Bookmarks | false |
| Windows x86 PE Exception Handling | true |
| Windows x86 PE RTTI Analyzer | true |
| Windows x86 Thread Environment Block (TEB) Analyzer | true |
| Windows x86 Thread Environment Block (TEB) Analyzer.Starting Address of the TEB | |
| Windows x86 Thread Environment Block (TEB) Analyzer.Windows OS Version | Windows 7 |
| WindowsPE x86 Propagate External Parameters | false |
| WindowsResourceReference | true |
| WindowsResourceReference.Create Analysis Bookmarks | true |
| x86 Constant Reference Analyzer | true |
| x86 Constant Reference Analyzer.Create Data from pointer | false |
| x86 Constant Reference Analyzer.Function parameter/return Pointer analysis | true |
| x86 Constant Reference Analyzer.Max Threads | 2 |
| x86 Constant Reference Analyzer.Min absolute reference | 4 |
| x86 Constant Reference Analyzer.Require pointer param data type | false |
| x86 Constant Reference Analyzer.Speculative reference max | 256 |
| x86 Constant Reference Analyzer.Speculative reference min | 1024 |
| x86 Constant Reference Analyzer.Stored Value Pointer analysis | true |
| x86 Constant Reference Analyzer.Trust values read from writable memory | true |
| Stat | Value |
|---|---|
| added_funcs_len | 2 |
| deleted_funcs_len | 0 |
| modified_funcs_len | 10 |
| added_symbols_len | 6 |
| deleted_symbols_len | 3 |
| diff_time | 15.030994653701782 |
| deleted_strings_len | 1 |
| added_strings_len | 1 |
| match_types | Counter({'SymbolsHash': 1798, 'ExternalsName': 245, 'ExactInstructionsFunctionHasher': 12, 'ExactBytesFunctionHasher': 1}) |
| items_to_process | 21 |
| diff_types | Counter({'code': 8, 'length': 8, 'address': 7, 'sig': 5, 'refcount': 3, 'calling': 3, 'called': 3}) |
| unmatched_funcs_len | 2 |
| total_funcs_len | 3626 |
| matched_funcs_len | 3624 |
| matched_funcs_with_code_changes_len | 8 |
| matched_funcs_with_non_code_changes_len | 2 |
| matched_funcs_no_changes_len | 3614 |
| match_func_similarity_percent | 99.7241% |
| func_match_overall_percent | 99.9448% |
| first_matches | Counter({'SymbolsHash': 1798, 'ExactInstructionsFunctionHasher': 12, 'ExactBytesFunctionHasher': 1}) |
pie showData
title All Matches
"SymbolsHash" : 1798
"ExternalsName" : 245
"ExactBytesFunctionHasher" : 1
"ExactInstructionsFunctionHasher" : 12
pie showData
title First Matches
"SymbolsHash" : 1798
"ExactBytesFunctionHasher" : 1
"ExactInstructionsFunctionHasher" : 12
pie showData
title Diff Stats
"added_funcs_len" : 2
"deleted_funcs_len" : 0
"modified_funcs_len" : 10
pie showData
title Symbols
"added_symbols_len" : 6
"deleted_symbols_len" : 3
pie showData
title Strings
"deleted_strings_len" : 1
"added_strings_len" : 1
| String | Ref Count | Ref Func |
|---|---|---|
| s_CClfsRequest::Create::<lambda_2 | 1 | operator() |
| String | Ref Count | Ref Func |
|---|---|---|
| s_CClfsRequest::Create::<lambda_9 | 1 | operator() |
| Key | clfs.sys.x64.10.0.26100.3775 |
|---|---|
| name | Feature_2931883321__private_IsEnabledDeviceUsageNoInline |
| fullname | Feature_2931883321__private_IsEnabledDeviceUsageNoInline |
| refcount | 6 |
| length | 49 |
| called | Feature_2931883321__private_IsEnabledFallback |
| calling | CClfsLogCcb::Cleanup CClfsRequest::Close `CClfsRequest::Close'::__l1::fin$0 |
| paramcount | 0 |
| address | 1c00145fc |
| sig | ulonglong __fastcall Feature_2931883321__private_IsEnabledDeviceUsageNoInline(void) |
| sym_type | Function |
| sym_source | IMPORTED |
| external | False |
--- Feature_2931883321__private_IsEnabledDeviceUsageNoInline
+++ Feature_2931883321__private_IsEnabledDeviceUsageNoInline
@@ -0,0 +1,17 @@
+
+ulonglong Feature_2931883321__private_IsEnabledDeviceUsageNoInline(void)
+
+{
+ ulonglong uVar1;
+ undefined8 local_res8;
+
+ local_res8 = (ulonglong)Feature_2931883321__private_featureState;
+ if ((Feature_2931883321__private_featureState & 0x10) == 0) {
+ uVar1 = Feature_2931883321__private_IsEnabledFallback(local_res8,3);
+ }
+ else {
+ uVar1 = (ulonglong)(Feature_2931883321__private_featureState & 1);
+ }
+ return uVar1;
+}
+
| Key | clfs.sys.x64.10.0.26100.3775 |
|---|---|
| name | Feature_2931883321__private_IsEnabledFallback |
| fullname | Feature_2931883321__private_IsEnabledFallback |
| refcount | 2 |
| length | 21 |
| called | wil_details_IsEnabledFallback |
| calling | Feature_2931883321__private_IsEnabledDeviceUsageNoInline |
| paramcount | 2 |
| address | 1c0014634 |
| sig | undefined __fastcall Feature_2931883321__private_IsEnabledFallback(ulonglong param_1, int param_2) |
| sym_type | Function |
| sym_source | IMPORTED |
| external | False |
--- Feature_2931883321__private_IsEnabledFallback
+++ Feature_2931883321__private_IsEnabledFallback
@@ -0,0 +1,8 @@
+
+void Feature_2931883321__private_IsEnabledFallback(ulonglong param_1,int param_2)
+
+{
+ wil_details_IsEnabledFallback(param_1,param_2,&Feature_2931883321__private_descriptor);
+ return;
+}
+
Modified functions contain code changes
| Key | clfs.sys.x64.10.0.26100.3624 - clfs.sys.x64.10.0.26100.3775 |
|---|---|
| diff_type | code,length,called |
| ratio | 0.48 |
| i_ratio | 0.37 |
| m_ratio | 0.81 |
| b_ratio | 0.69 |
| match_types | SymbolsHash |
| Key | clfs.sys.x64.10.0.26100.3624 | clfs.sys.x64.10.0.26100.3775 |
|---|---|---|
| name | Close | Close |
| fullname | CClfsRequest::Close | CClfsRequest::Close |
| refcount | 2 | 2 |
length |
246 | 341 |
called |
CClfsLogFcbCommon::Close CClfsLogFcbCommon::Unlock NTOSKRNL.EXE::ExAcquireResourceExclusiveLite NTOSKRNL.EXE::IofCompleteRequest NTOSKRNL.EXE::KeBugCheckEx _guard_dispatch_icall |
CClfsLogCcb::AddRef CClfsLogCcb::Release CClfsLogFcbCommon::Close CClfsLogFcbCommon::Unlock Feature_2931883321__private_IsEnabledDeviceUsageNoInline NTOSKRNL.EXE::ExAcquireResourceExclusiveLite NTOSKRNL.EXE::IofCompleteRequest NTOSKRNL.EXE::KeBugCheckEx _guard_dispatch_icall |
| calling | ClfsDispatchIoRequest | ClfsDispatchIoRequest |
| paramcount | 1 | 1 |
| address | 1c0068f70 | 1c0068f70 |
| sig | long __cdecl Close(_IRP * param_1) | long __cdecl Close(_IRP * param_1) |
| sym_type | Function | Function |
| sym_source | ANALYSIS | ANALYSIS |
| external | False | False |
--- CClfsRequest::Close called
+++ CClfsRequest::Close called
@@ -0,0 +1,2 @@
+CClfsLogCcb::AddRef
+CClfsLogCcb::Release
@@ -2,0 +5 @@
+Feature_2931883321__private_IsEnabledDeviceUsageNoInline--- CClfsRequest::Close
+++ CClfsRequest::Close
@@ -1,35 +1,56 @@
/* WARNING: Function: _guard_dispatch_icall replaced with injection: guard_dispatch_icall */
/* public: static long __cdecl CClfsRequest::Close(struct _IRP * __ptr64) */
long __cdecl CClfsRequest::Close(_IRP *param_1)
{
- byte bVar1;
- _IO_STACK_LOCATION *p_Var2;
+ _IO_STACK_LOCATION *p_Var1;
+ PFILE_OBJECT p_Var2;
CClfsLogFcbCommon *this;
BOOLEAN BVar3;
+ ulonglong uVar4;
+ CClfsLogCcb *this_00;
undefined8 in_RDX;
- _FILE_OBJECT *p_Var4;
+ _FILE_OBJECT *p_Var5;
+ CClfsLogCcb *this_01;
- p_Var2 = (param_1->Tail).Overlay.field3_0x30.field1_0x10.CurrentStackLocation;
- bVar1 = p_Var2->MajorFunction;
- if (bVar1 != 2) {
+ this_01 = (CClfsLogCcb *)0x0;
+ p_Var1 = (param_1->Tail).Overlay.field3_0x30.field1_0x10.CurrentStackLocation;
+ if (p_Var1->MajorFunction != 2) {
/* WARNING: Subroutine does not return */
- KeBugCheckEx(0xc1f5,0x46,(ulonglong)bVar1,0,0);
+ KeBugCheckEx(0xc1f5,0x46,(ulonglong)p_Var1->MajorFunction,0,0);
}
- this = *(CClfsLogFcbCommon **)((longlong)p_Var2->FileObject->FsContext + 0x78);
+ p_Var2 = p_Var1->FileObject;
+ this = *(CClfsLogFcbCommon **)((longlong)p_Var2->FsContext + 0x78);
(**(code **)(*(longlong *)this + 0x40))(this);
- p_Var4 = (_FILE_OBJECT *)CONCAT71((int7)((ulonglong)in_RDX >> 8),1);
+ uVar4 = Feature_2931883321__private_IsEnabledDeviceUsageNoInline();
+ if ((int)uVar4 != 0) {
+ this_01 = (CClfsLogCcb *)p_Var1->FileObject->FsContext2;
+ if (this_01 != (CClfsLogCcb *)0x0) {
+ this_00 = this_01;
+ CClfsLogCcb::AddRef(this_01);
+ CClfsLogCcb::Release(this_00);
+ }
+ }
+ p_Var5 = (_FILE_OBJECT *)CONCAT71((int7)((ulonglong)in_RDX >> 8),1);
BVar3 = ExAcquireResourceExclusiveLite((PERESOURCE)(this + 200),'\x01');
- CClfsLogFcbCommon::Close(this,p_Var4);
+ CClfsLogFcbCommon::Close(this,p_Var5);
if (BVar3 != '\0') {
CClfsLogFcbCommon::Unlock((PERESOURCE)(this + 200));
+ }
+ uVar4 = Feature_2931883321__private_IsEnabledDeviceUsageNoInline();
+ if ((int)uVar4 != 0) {
+ p_Var2->FsContext = (PVOID)0x0;
+ p_Var2->FsContext2 = (PVOID)0x0;
+ if (this_01 != (CClfsLogCcb *)0x0) {
+ CClfsLogCcb::Release(this_01);
+ }
}
(**(code **)(*(longlong *)this + 0x48))(this);
(param_1->IoStatus).field0_0x0.Status = 0;
(param_1->IoStatus).Information = 0;
IofCompleteRequest(param_1,'\0');
return 0;
}
| Key | clfs.sys.x64.10.0.26100.3624 - clfs.sys.x64.10.0.26100.3775 |
|---|---|
| diff_type | code,length,address,called |
| ratio | 0.81 |
| i_ratio | 0.26 |
| m_ratio | 0.98 |
| b_ratio | 0.51 |
| match_types | SymbolsHash |
| Key | clfs.sys.x64.10.0.26100.3624 | clfs.sys.x64.10.0.26100.3775 |
|---|---|---|
| name | Cleanup | Cleanup |
| fullname | CClfsLogCcb::Cleanup | CClfsLogCcb::Cleanup |
| refcount | 2 | 2 |
length |
309 | 301 |
called |
CClfsLogCcb::Release CClfsLogCcb::ResetFileSystemFlag CClfsLogCcb::Unlink CClfsLogFcbCommon::Unlock NTOSKRNL.EXE::ExAcquireResourceExclusiveLite _guard_dispatch_icall |
CClfsLogCcb::Release CClfsLogCcb::ResetFileSystemFlag CClfsLogCcb::Unlink CClfsLogFcbCommon::Unlock Feature_2931883321__private_IsEnabledDeviceUsageNoInline NTOSKRNL.EXE::ExAcquireResourceExclusiveLite _guard_dispatch_icall |
| calling | CClfsRequest::Cleanup | CClfsRequest::Cleanup |
| paramcount | 1 | 1 |
address |
1c006e50c | 1c0074d44 |
| sig | void __thiscall Cleanup(CClfsLogCcb * this) | void __thiscall Cleanup(CClfsLogCcb * this) |
| sym_type | Function | Function |
| sym_source | ANALYSIS | ANALYSIS |
| external | False | False |
--- CClfsLogCcb::Cleanup called
+++ CClfsLogCcb::Cleanup called
@@ -4,0 +5 @@
+Feature_2931883321__private_IsEnabledDeviceUsageNoInline--- CClfsLogCcb::Cleanup
+++ CClfsLogCcb::Cleanup
@@ -1,39 +1,47 @@
/* WARNING: Function: _guard_dispatch_icall replaced with injection: guard_dispatch_icall */
/* public: void __cdecl CClfsLogCcb::Cleanup(void) __ptr64 */
void __thiscall CClfsLogCcb::Cleanup(CClfsLogCcb *this)
{
longlong *plVar1;
+ ulonglong uVar2;
ulonglong local_res8;
longlong local_res10;
if (*(longlong **)(this + 0x100) != (longlong *)0x0) {
(**(code **)(**(longlong **)(this + 0x100) + 0x10))();
if (*(longlong **)(this + 0x100) != (longlong *)0x0) {
(**(code **)(**(longlong **)(this + 0x100) + 8))();
*(undefined8 *)(this + 0x100) = 0;
}
}
ResetFileSystemFlag(this);
plVar1 = *(longlong **)(*(longlong *)(*(longlong *)(this + 0x48) + 0x18) + 0x78);
if (0 < *(int *)(this + 0x28)) {
local_res8 = local_res8 & 0xffffffff00000000;
(**(code **)(*plVar1 + 0x58))
(plVar1,*(longlong *)(this + 0x48),*(int *)(this + 0x28),&local_res8,this + 0x70);
}
if (0 < *(longlong *)(this + 0x68)) {
+ local_res8 = 0;
local_res10 = -*(longlong *)(this + 0x68);
- local_res8 = 0;
(**(code **)(*plVar1 + 0x128))(plVar1,*(undefined8 *)(this + 0x48),&local_res10,&local_res8);
}
ExAcquireResourceExclusiveLite((_ERESOURCE *)(plVar1 + 0x19),'\x01');
Unlink(this);
+ uVar2 = Feature_2931883321__private_IsEnabledDeviceUsageNoInline();
+ if ((int)uVar2 != 0) {
+ *(uint *)(this + 0x1c) = *(uint *)(this + 0x1c) | 4;
+ }
CClfsLogFcbCommon::Unlock((_ERESOURCE *)(plVar1 + 0x19));
(**(code **)(*plVar1 + 0x68))(plVar1,*(undefined8 *)(this + 0x48));
- *(uint *)(this + 0x1c) = *(uint *)(this + 0x1c) | 4;
- Release(this);
+ uVar2 = Feature_2931883321__private_IsEnabledDeviceUsageNoInline();
+ if ((int)uVar2 == 0) {
+ *(uint *)(this + 0x1c) = *(uint *)(this + 0x1c) | 4;
+ Release(this);
+ }
return;
}
| Key | clfs.sys.x64.10.0.26100.3624 - clfs.sys.x64.10.0.26100.3775 |
|---|---|
| diff_type | code,length,address,called |
| ratio | 0.68 |
| i_ratio | 0.66 |
| m_ratio | 0.81 |
| b_ratio | 0.81 |
| match_types | SymbolsHash |
| Key | clfs.sys.x64.10.0.26100.3624 | clfs.sys.x64.10.0.26100.3775 |
|---|---|---|
| name | fin$0 | fin$0 |
| fullname | `CClfsRequest::Close'::__l1::fin$0 | `CClfsRequest::Close'::__l1::fin$0 |
| refcount | 1 | 1 |
length |
93 | 136 |
called |
CClfsLogFcbCommon::Unlock NTOSKRNL.EXE::IofCompleteRequest _guard_dispatch_icall |
CClfsLogCcb::Release CClfsLogFcbCommon::Unlock Feature_2931883321__private_IsEnabledDeviceUsageNoInline NTOSKRNL.EXE::IofCompleteRequest _guard_dispatch_icall |
| calling | ||
| paramcount | 2 | 2 |
address |
1c00783cb | 1c007840b |
| sig | undefined __fastcall fin$0(undefined8 param_1, longlong param_2) | undefined __fastcall fin$0(undefined8 param_1, longlong param_2) |
| sym_type | Function | Function |
| sym_source | IMPORTED | IMPORTED |
| external | False | False |
--- `CClfsRequest::Close'::__l1::fin$0 called
+++ `CClfsRequest::Close'::__l1::fin$0 called
@@ -0,0 +1 @@
+CClfsLogCcb::Release
@@ -1,0 +3 @@
+Feature_2931883321__private_IsEnabledDeviceUsageNoInline--- `CClfsRequest::Close'::__l1::fin$0
+++ `CClfsRequest::Close'::__l1::fin$0
@@ -1,22 +1,35 @@
/* WARNING: Function: _guard_dispatch_icall replaced with injection: guard_dispatch_icall */
void `CClfsRequest::Close'::__l1::fin_0(undefined8 param_1,longlong param_2)
{
+ longlong lVar1;
PIRP Irp;
+ ulonglong uVar2;
if (*(char *)(param_2 + 0x30) != '\0') {
CClfsLogFcbCommon::Unlock((_ERESOURCE *)(*(longlong *)(param_2 + 0x38) + 200));
*(undefined1 *)(param_2 + 0x30) = 0;
}
+ uVar2 = Feature_2931883321__private_IsEnabledDeviceUsageNoInline();
+ if ((int)uVar2 != 0) {
+ lVar1 = *(longlong *)(param_2 + 0x40);
+ if (lVar1 != 0) {
+ *(undefined8 *)(lVar1 + 0x18) = 0;
+ *(undefined8 *)(lVar1 + 0x20) = 0;
+ }
+ if (*(CClfsLogCcb **)(param_2 + 0x48) != (CClfsLogCcb *)0x0) {
+ CClfsLogCcb::Release(*(CClfsLogCcb **)(param_2 + 0x48));
+ }
+ }
if (*(longlong **)(param_2 + 0x38) != (longlong *)0x0) {
(**(code **)(**(longlong **)(param_2 + 0x38) + 0x48))();
}
- Irp = *(PIRP *)(param_2 + 0x50);
+ Irp = *(PIRP *)(param_2 + 0x70);
(Irp->IoStatus).field0_0x0.Status = *(NTSTATUS *)(param_2 + 0x34);
(Irp->IoStatus).Information = 0;
IofCompleteRequest(Irp,'\0');
return;
}
| Key | clfs.sys.x64.10.0.26100.3624 - clfs.sys.x64.10.0.26100.3775 |
|---|---|
| diff_type | code,length,sig,address |
| ratio | 0.8 |
| i_ratio | 0.67 |
| m_ratio | 0.89 |
| b_ratio | 0.89 |
| match_types | SymbolsHash |
| Key | clfs.sys.x64.10.0.26100.3624 | clfs.sys.x64.10.0.26100.3775 |
|---|---|---|
| name | Feature_2633002298__private_IsEnabledFallback | Feature_2633002298__private_IsEnabledFallback |
| fullname | Feature_2633002298__private_IsEnabledFallback | Feature_2633002298__private_IsEnabledFallback |
| refcount | 2 | 2 |
length |
14 | 21 |
| called | wil_details_IsEnabledFallback | wil_details_IsEnabledFallback |
| calling | Feature_2633002298__private_IsEnabledDeviceUsageNoInline | Feature_2633002298__private_IsEnabledDeviceUsageNoInline |
| paramcount | 2 | 2 |
address |
1c0015e90 | 1c00167b0 |
sig |
undefined __fastcall Feature_2633002298__private_IsEnabledFallback(undefined4 * param_1, uint param_2) | undefined __fastcall Feature_2633002298__private_IsEnabledFallback(ulonglong param_1, int param_2) |
| sym_type | Function | Function |
| sym_source | IMPORTED | IMPORTED |
| external | False | False |
--- Feature_2633002298__private_IsEnabledFallback
+++ Feature_2633002298__private_IsEnabledFallback
@@ -1,8 +1,8 @@
-void Feature_2633002298__private_IsEnabledFallback(undefined4 *param_1,uint param_2)
+void Feature_2633002298__private_IsEnabledFallback(ulonglong param_1,int param_2)
{
- wil_details_IsEnabledFallback(param_1,param_2);
+ wil_details_IsEnabledFallback(param_1,param_2,&Feature_2633002298__private_descriptor);
return;
}
| Key | clfs.sys.x64.10.0.26100.3624 - clfs.sys.x64.10.0.26100.3775 |
|---|---|
| diff_type | code,length,sig,address |
| ratio | 0.37 |
| i_ratio | 0.56 |
| m_ratio | 0.95 |
| b_ratio | 0.95 |
| match_types | SymbolsHash |
| Key | clfs.sys.x64.10.0.26100.3624 | clfs.sys.x64.10.0.26100.3775 |
|---|---|---|
| name | wil_details_FeatureReporting_ReportUsageToServiceDirect | wil_details_FeatureReporting_ReportUsageToServiceDirect |
| fullname | wil_details_FeatureReporting_ReportUsageToServiceDirect | wil_details_FeatureReporting_ReportUsageToServiceDirect |
| refcount | 2 | 2 |
length |
226 | 232 |
| called | NTOSKRNL.EXE::RtlNotifyFeatureUsage __security_check_cookie _guard_dispatch_icall wil_details_FeatureReporting_RecordUsageInCache |
NTOSKRNL.EXE::RtlNotifyFeatureUsage __security_check_cookie _guard_dispatch_icall wil_details_FeatureReporting_RecordUsageInCache |
| calling | wil_details_FeatureReporting_ReportUsageToService | wil_details_FeatureReporting_ReportUsageToService |
| paramcount | 3 | 3 |
address |
1c0016a48 | 1c0014a2c |
sig |
undefined __fastcall wil_details_FeatureReporting_ReportUsageToServiceDirect(undefined8 param_1, undefined8 param_2, ulonglong param_3) | undefined __fastcall wil_details_FeatureReporting_ReportUsageToServiceDirect(longlong param_1, undefined8 param_2, ulonglong param_3) |
| sym_type | Function | Function |
| sym_source | IMPORTED | IMPORTED |
| external | False | False |
--- wil_details_FeatureReporting_ReportUsageToServiceDirect
+++ wil_details_FeatureReporting_ReportUsageToServiceDirect
@@ -1,47 +1,46 @@
/* WARNING: Function: _guard_dispatch_icall replaced with injection: guard_dispatch_icall */
void wil_details_FeatureReporting_ReportUsageToServiceDirect
- (undefined8 param_1,undefined8 param_2,ulonglong param_3)
+ (longlong param_1,undefined8 param_2,ulonglong param_3)
{
uint6 uVar1;
uint *puVar2;
- undefined1 auStack_88 [32];
- uint *local_68;
- undefined8 local_58;
- uint local_50 [6];
- uint local_38;
- uint uStack_34;
- uint uStack_30;
- uint uStack_2c;
- undefined8 local_28;
- ulonglong local_20;
+ undefined1 auStack_98 [32];
+ uint *local_78;
+ undefined8 local_68;
+ uint local_60 [6];
+ uint local_48;
+ uint uStack_44;
+ uint uStack_40;
+ uint uStack_3c;
+ undefined8 local_38;
+ ulonglong local_30;
- local_20 = __security_cookie ^ (ulonglong)auStack_88;
+ local_30 = __security_cookie ^ (ulonglong)auStack_98;
puVar2 = wil_details_FeatureReporting_RecordUsageInCache
- (local_50,(uint *)&Feature_2633002298__private_reporting,param_3,
- (uint)((ulonglong)param_2 >> 0x20));
- local_38 = *puVar2;
- uStack_34 = puVar2[1];
- uStack_30 = puVar2[2];
- uStack_2c = puVar2[3];
- local_28 = *(undefined8 *)(puVar2 + 4);
+ (local_60,*(uint **)(param_1 + 8),param_3,(uint)((ulonglong)param_2 >> 0x20));
+ local_48 = *puVar2;
+ uStack_44 = puVar2[1];
+ uStack_40 = puVar2[2];
+ uStack_3c = puVar2[3];
+ local_38 = *(undefined8 *)(puVar2 + 4);
if (g_wil_details_recordFeatureUsage != (code *)0x0) {
- local_68 = &local_38;
+ local_78 = &local_48;
(*g_wil_details_recordFeatureUsage)
- (0x34762f9,param_3 & 0xffffffff,1,&Feature_2633002298__private_reporting);
+ (*(undefined4 *)(param_1 + 0x18),param_3 & 0xffffffff,1,*(undefined8 *)(param_1 + 8));
}
if ((((uint)param_2 >> 10 & 1) != 0) && ((int)param_3 != 0xfe)) {
- local_58._0_6_ = CONCAT24((short)(param_3 & 0xffffffff),0x34762f9);
- uVar1 = (uint6)local_58;
- local_58 = (ulonglong)(uint6)local_58;
+ local_68._0_6_ = CONCAT24((short)(param_3 & 0xffffffff),*(undefined4 *)(param_1 + 0x18));
+ uVar1 = (uint6)local_68;
+ local_68 = (ulonglong)(uint6)local_68;
if (((uint)param_2 >> 0xb & 1) != 0) {
- local_58 = CONCAT26(1,uVar1);
+ local_68 = CONCAT26(1,uVar1);
}
- RtlNotifyFeatureUsage(&local_58);
+ RtlNotifyFeatureUsage(&local_68);
}
- __security_check_cookie(local_20 ^ (ulonglong)auStack_88);
+ __security_check_cookie(local_30 ^ (ulonglong)auStack_98);
return;
}
| Key | clfs.sys.x64.10.0.26100.3624 - clfs.sys.x64.10.0.26100.3775 |
|---|---|
| diff_type | code,length,sig,address |
| ratio | 0.59 |
| i_ratio | 0.53 |
| m_ratio | 0.94 |
| b_ratio | 0.94 |
| match_types | SymbolsHash |
| Key | clfs.sys.x64.10.0.26100.3624 | clfs.sys.x64.10.0.26100.3775 |
|---|---|---|
| name | wil_details_FeatureReporting_ReportUsageToService | wil_details_FeatureReporting_ReportUsageToService |
| fullname | wil_details_FeatureReporting_ReportUsageToService | wil_details_FeatureReporting_ReportUsageToService |
| refcount | 2 | 2 |
length |
114 | 125 |
| called | _guard_dispatch_icall wil_details_FeatureReporting_ReportUsageToServiceDirect wil_details_MapReportingKind |
_guard_dispatch_icall wil_details_FeatureReporting_ReportUsageToServiceDirect wil_details_MapReportingKind |
| calling | wil_details_IsEnabledFallback | wil_details_IsEnabledFallback |
| paramcount | 3 | 3 |
address |
1c00169cc | 1c00149a8 |
sig |
undefined __fastcall wil_details_FeatureReporting_ReportUsageToService(undefined8 param_1, undefined8 param_2, uint param_3) | undefined __fastcall wil_details_FeatureReporting_ReportUsageToService(longlong param_1, undefined8 param_2, int param_3) |
| sym_type | Function | Function |
| sym_source | IMPORTED | IMPORTED |
| external | False | False |
--- wil_details_FeatureReporting_ReportUsageToService
+++ wil_details_FeatureReporting_ReportUsageToService
@@ -1,25 +1,24 @@
/* WARNING: Function: _guard_dispatch_icall replaced with injection: guard_dispatch_icall */
void wil_details_FeatureReporting_ReportUsageToService
- (undefined8 param_1,undefined8 param_2,uint param_3)
+ (longlong param_1,undefined8 param_2,int param_3)
{
uint uVar1;
int iVar2;
- ulonglong uVar3;
- uint uVar4;
- uint local_res18 [4];
+ uint uVar3;
+ int local_res18 [4];
- uVar4 = (uint)param_2 & 1;
- uVar3 = (ulonglong)param_3;
+ uVar3 = (uint)param_2 & 1;
local_res18[0] = param_3;
- uVar1 = wil_details_MapReportingKind(param_3,uVar4);
- iVar2 = wil_details_FeatureReporting_ReportUsageToServiceDirect(uVar3,param_2,(ulonglong)uVar1);
+ uVar1 = wil_details_MapReportingKind(param_3,uVar3);
+ iVar2 = wil_details_FeatureReporting_ReportUsageToServiceDirect(param_1,param_2,(ulonglong)uVar1);
if ((iVar2 != 0) && (g_wil_details_pfnFeatureLoggingHook != (code *)0x0)) {
(*g_wil_details_pfnFeatureLoggingHook)
- (0x34762f9,&Feature_2633002298_logged_traits,0,uVar4,local_res18,0,0,1);
+ (*(undefined4 *)(param_1 + 0x18),*(undefined8 *)(param_1 + 0x10),0,uVar3,local_res18,0
+ ,0,1);
}
return;
}
| Key | clfs.sys.x64.10.0.26100.3624 - clfs.sys.x64.10.0.26100.3775 |
|---|---|
| diff_type | code,refcount,length,sig,address,calling |
| ratio | 0.48 |
| i_ratio | 0.43 |
| m_ratio | 0.96 |
| b_ratio | 0.94 |
| match_types | SymbolsHash |
| Key | clfs.sys.x64.10.0.26100.3624 | clfs.sys.x64.10.0.26100.3775 |
|---|---|---|
| name | wil_details_IsEnabledFallback | wil_details_IsEnabledFallback |
| fullname | wil_details_IsEnabledFallback | wil_details_IsEnabledFallback |
refcount |
2 | 3 |
length |
135 | 140 |
| called | wil_details_FeatureReporting_ReportUsageToService wil_details_FeatureStateCache_ReevaluateCachedFeatureEnabledState wil_details_FeatureStateCache_TryEnableDeviceUsageFastPath |
wil_details_FeatureReporting_ReportUsageToService wil_details_FeatureStateCache_ReevaluateCachedFeatureEnabledState wil_details_FeatureStateCache_TryEnableDeviceUsageFastPath |
calling |
Feature_2633002298__private_IsEnabledFallback | Feature_2633002298__private_IsEnabledFallback Feature_2931883321__private_IsEnabledFallback |
| paramcount | 2 | 3 |
address |
1c0016df8 | 1c0014df0 |
sig |
uint __fastcall wil_details_IsEnabledFallback(undefined4 * param_1, uint param_2) | uint __fastcall wil_details_IsEnabledFallback(ulonglong param_1, int param_2, undefined8 * param_3) |
| sym_type | Function | Function |
| sym_source | IMPORTED | IMPORTED |
| external | False | False |
--- wil_details_IsEnabledFallback calling
+++ wil_details_IsEnabledFallback calling
@@ -1,0 +2 @@
+Feature_2931883321__private_IsEnabledFallback--- wil_details_IsEnabledFallback
+++ wil_details_IsEnabledFallback
@@ -1,26 +1,22 @@
-uint wil_details_IsEnabledFallback(undefined4 *param_1,uint param_2)
+uint wil_details_IsEnabledFallback(ulonglong param_1,int param_2,undefined8 *param_3)
{
uint uVar1;
- undefined4 *puVar2;
- ulonglong local_res18;
+ ulonglong local_res8;
uVar1 = (uint)param_1;
- local_res18 = (ulonglong)param_1 & 0xffffffff;
- if (((ulonglong)param_1 & 2) == 0) {
- puVar2 = &Feature_2633002298__private_featureState;
- local_res18 = wil_details_FeatureStateCache_ReevaluateCachedFeatureEnabledState
- (&Feature_2633002298__private_featureState,(ulonglong)param_1,
- 0x1c0024830);
- param_1 = puVar2;
- uVar1 = (uint)local_res18;
+ local_res8 = param_1 & 0xffffffff;
+ if ((param_1 & 2) == 0) {
+ local_res8 = wil_details_FeatureStateCache_ReevaluateCachedFeatureEnabledState
+ ((uint *)*param_3,param_1,(longlong)param_3);
+ uVar1 = (uint)local_res8;
}
if ((param_2 != 0) &&
- (wil_details_FeatureReporting_ReportUsageToService(param_1,local_res18,param_2),
- param_2 - 3 < 2)) {
- wil_details_FeatureStateCache_TryEnableDeviceUsageFastPath((uint)local_res18,param_2);
+ (wil_details_FeatureReporting_ReportUsageToService((longlong)param_3,local_res8,param_2),
+ param_2 - 3U < 2)) {
+ wil_details_FeatureStateCache_TryEnableDeviceUsageFastPath((uint)local_res8,param_2,param_3);
}
return uVar1 & 1;
}
| Key | clfs.sys.x64.10.0.26100.3624 - clfs.sys.x64.10.0.26100.3775 |
|---|---|
| diff_type | code,length,sig,address |
| ratio | 0.4 |
| i_ratio | 0.37 |
| m_ratio | 0.9 |
| b_ratio | 0.9 |
| match_types | SymbolsHash |
| Key | clfs.sys.x64.10.0.26100.3624 | clfs.sys.x64.10.0.26100.3775 |
|---|---|---|
| name | wil_details_FeatureStateCache_TryEnableDeviceUsageFastPath | wil_details_FeatureStateCache_TryEnableDeviceUsageFastPath |
| fullname | wil_details_FeatureStateCache_TryEnableDeviceUsageFastPath | wil_details_FeatureStateCache_TryEnableDeviceUsageFastPath |
| refcount | 2 | 2 |
length |
76 | 91 |
| called | ||
| calling | wil_details_IsEnabledFallback | wil_details_IsEnabledFallback |
| paramcount | 2 | 3 |
address |
1c0016c44 | 1c0014c2c |
sig |
undefined __fastcall wil_details_FeatureStateCache_TryEnableDeviceUsageFastPath(uint param_1, int param_2) | undefined __fastcall wil_details_FeatureStateCache_TryEnableDeviceUsageFastPath(uint param_1, int param_2, undefined8 * param_3) |
| sym_type | Function | Function |
| sym_source | IMPORTED | IMPORTED |
| external | False | False |
--- wil_details_FeatureStateCache_TryEnableDeviceUsageFastPath
+++ wil_details_FeatureStateCache_TryEnableDeviceUsageFastPath
@@ -1,41 +1,52 @@
-void wil_details_FeatureStateCache_TryEnableDeviceUsageFastPath(uint param_1,int param_2)
+void wil_details_FeatureStateCache_TryEnableDeviceUsageFastPath
+ (uint param_1,int param_2,undefined8 *param_3)
{
- uint uVar1;
+ uint *puVar1;
uint uVar2;
uint uVar3;
- bool bVar4;
+ uint uVar4;
+ bool bVar5;
+ puVar1 = (uint *)*param_3;
if (param_2 == 3) {
- uVar3 = 0x10;
+ uVar4 = 0x10;
}
else {
if (param_2 != 4) {
return;
}
- uVar3 = 0x20;
+ uVar4 = 0x20;
}
- if ((Feature_2633002298__private_featureState & 2) != 0) {
- uVar2 = Feature_2633002298__private_featureState;
- while ((uVar2 & 1) == (param_1 & 1)) {
- LOCK();
- bVar4 = uVar2 == Feature_2633002298__private_featureState;
- uVar1 = uVar3 | uVar2;
- if (!bVar4) {
- uVar2 = Feature_2633002298__private_featureState;
- uVar1 = Feature_2633002298__private_featureState;
- }
- Feature_2633002298__private_featureState = uVar1;
- UNLOCK();
- if (bVar4) {
- return;
- }
- if ((uVar2 & 2) == 0) {
- return;
+ if ((*(char *)((longlong)param_3 + 0x1e) == '\0') && (*(char *)((longlong)param_3 + 0x1d) == '\0')
+ ) {
+ if ((*puVar1 & 2) != 0) {
+ uVar3 = *puVar1;
+ while ((uVar3 & 1) == (param_1 & 1)) {
+ LOCK();
+ uVar2 = *puVar1;
+ bVar5 = uVar3 == uVar2;
+ if (bVar5) {
+ *puVar1 = uVar4 | uVar3;
+ uVar2 = uVar3;
+ }
+ UNLOCK();
+ if (bVar5) {
+ return;
+ }
+ uVar3 = uVar2;
+ if ((uVar2 & 2) == 0) {
+ return;
+ }
}
}
+ }
+ else {
+ LOCK();
+ *puVar1 = *puVar1 | uVar4;
+ UNLOCK();
}
return;
}
Slightly modified functions have no code changes, rather differnces in:
- refcount
- length
- called
- calling
- name
- fullname
| Key | clfs.sys.x64.10.0.26100.3624 - clfs.sys.x64.10.0.26100.3775 |
|---|---|
| diff_type | refcount,calling |
| ratio | 1.0 |
| i_ratio | 1.0 |
| m_ratio | 1.0 |
| b_ratio | 1.0 |
| match_types | SymbolsHash |
| Key | clfs.sys.x64.10.0.26100.3624 | clfs.sys.x64.10.0.26100.3775 |
|---|---|---|
| name | AddRef | AddRef |
| fullname | CClfsLogCcb::AddRef | CClfsLogCcb::AddRef |
refcount |
35 | 36 |
| length | 13 | 13 |
| called | ||
calling |
Expand for full list:ClfsAddLogContainerSet |
Expand for full list:CClfsRequest::WriteRestart |
| paramcount | 1 | 1 |
| address | 1c000b5e0 | 1c000b5e0 |
| sig | ulong __thiscall AddRef(CClfsLogCcb * this) | ulong __thiscall AddRef(CClfsLogCcb * this) |
| sym_type | Function | Function |
| sym_source | ANALYSIS | ANALYSIS |
| external | False | False |
--- CClfsLogCcb::AddRef calling
+++ CClfsLogCcb::AddRef calling
@@ -3,0 +4 @@
+CClfsRequest::Close| Key | clfs.sys.x64.10.0.26100.3624 - clfs.sys.x64.10.0.26100.3775 |
|---|---|
| diff_type | refcount,calling |
| ratio | 1.0 |
| i_ratio | 1.0 |
| m_ratio | 1.0 |
| b_ratio | 1.0 |
| match_types | SymbolsHash |
| Key | clfs.sys.x64.10.0.26100.3624 | clfs.sys.x64.10.0.26100.3775 |
|---|---|---|
| name | Release | Release |
| fullname | CClfsLogCcb::Release | CClfsLogCcb::Release |
refcount |
53 | 56 |
| length | 75 | 75 |
| called | CClfsLogCcb::~CClfsLogCcb NTOSKRNL.EXE::ExFreeToNPagedLookasideList |
CClfsLogCcb::~CClfsLogCcb NTOSKRNL.EXE::ExFreeToNPagedLookasideList |
calling |
Expand for full list:ClfsAdvanceLogBaseInternal |
Expand for full list:ClfsAddLogContainerSet$fin$0 |
| paramcount | 1 | 1 |
| address | 1c00570b0 | 1c00570b0 |
| sig | ulong __thiscall Release(CClfsLogCcb * this) | ulong __thiscall Release(CClfsLogCcb * this) |
| sym_type | Function | Function |
| sym_source | ANALYSIS | ANALYSIS |
| external | False | False |
--- CClfsLogCcb::Release calling
+++ CClfsLogCcb::Release calling
@@ -5,0 +6 @@
+CClfsRequest::Close
@@ -47,0 +49 @@
+`CClfsRequest::Close'::__l1::fin$0Generated with ghidriff version: 1.0.0 on 2025-10-29T18:39:22