Created
August 1, 2021 00:29
-
-
Save iximeow/66c02c716d7924753f80a516232bb5fb to your computer and use it in GitHub Desktop.
some function out of ntoskrn and (... some of its ...) interactions with memory
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 0x00000000: 48895c2408 : mov qword [rsp + 0x8], rbx | |
| 0x00000005: 48896c2410 : mov qword [rsp + 0x10], rbp | |
| 0x0000000a: 4889742418 : mov qword [rsp + 0x18], rsi | |
| 0x0000000f: 57 : push rdi | |
| 0x00000010: 4154 : push r12 | |
| 0x00000012: 4155 : push r13 | |
| 0x00000014: 4883ec20 : sub rsp, 0x20 | |
| 0x00000018: 4885c9 : test rcx, rcx | |
| 0x0000001b: 0f844b040c00 : jz 0xc044b | |
| 0x00000021: f6410602 : test byte [rcx + 0x6], 0x2 | |
| 0x00000025: 0f8441040c00 : jz 0xc0441 | |
| 0x0000002b: 8a4107 : mov al, byte [rcx + 0x7] | |
| 0x0000002e: 4533e4 : xor r12d, r12d | |
| 0x00000031: 488bfa : mov rdi, rdx | |
| 0x00000034: 24f0 : and al, -0x10 | |
| 0x00000036: 488bd9 : mov rbx, rcx | |
| 0x00000039: 458d6c2401 : lea r13d, dword [r12 + 0x1] | |
| 0x0000003e: 3c10 : cmp al, 0x10 | |
| 0x00000040: 0f8285030c00 : jb 0xc0385 | |
| 0x00000046: 65488b042588010000: mov rax, qword gs:[0x188] | |
| 0x0000004f: 4883c148 : add rcx, 0x48 | |
| 0x00000053: 66ff88c4010000 : dec word [rax + 0x1c4] | |
| 0x0000005a: f0480fba2900 : lock bts qword [rcx], 0x0 | |
| 0x00000060: 0f825a030c00 : jb 0xc035a | |
| 0x00000066: 488d4b38 : lea rcx, qword [rbx + 0x38] | |
| 0x0000006a: 488b01 : mov rax, qword [rcx] | |
| 0x0000006d: 48894f08 : mov qword [rdi + 0x8], rcx | |
| 0x00000071: 488907 : mov qword [rdi], rax | |
| 0x00000074: 48897808 : mov qword [rax + 0x8], rdi | |
| 0x00000078: 488939 : mov qword [rcx], rdi | |
| 0x0000007b: 8a4307 : mov al, byte [rbx + 0x7] | |
| 0x0000007e: 24f0 : and al, -0x10 | |
| 0x00000080: 3c10 : cmp al, 0x10 | |
| 0x00000082: 0f829f030c00 : jb 0xc039f | |
| 0x00000088: 0f0d4b48 : prefetchw zmmword [rbx + 0x48] | |
| 0x0000008c: 488b4348 : mov rax, qword [rbx + 0x48] | |
| 0x00000090: 488bc8 : mov rcx, rax | |
| 0x00000093: 4883e1f0 : and rcx, -0x10 | |
| 0x00000097: 4883f910 : cmp rcx, 0x10 | |
| 0x0000009b: 488d48f0 : lea rcx, qword [rax - 0x10] | |
| 0x0000009f: 7703 : ja 0x3 | |
| 0x000000a1: 498bcc : mov rcx, r12 | |
| 0x000000a4: a802 : test al, 0x2 | |
| 0x000000a6: 0f8553030c00 : jnz 0xc0353 | |
| 0x000000ac: f0480fb14b48 : lock cmpxchg qword [rbx + 0x48], rcx | |
| 0x000000b2: 0f8547030c00 : jnz 0xc0347 | |
| 0x000000b8: 65488b0c2588010000: mov rcx, qword gs:[0x188] | |
| 0x000000c1: 664401a9c4010000 : add word [rcx + 0x1c4], r13w | |
| 0x000000c9: 750d : jnz 0xd | |
| 0x000000cb: 488d4150 : lea rax, qword [rcx + 0x50] | |
| 0x000000cf: 483900 : cmp qword [rax], rax | |
| 0x000000d2: 0f8536030c00 : jnz 0xc0336 | |
| 0x000000d8: 33c0 : xor eax, eax | |
| 0x000000da: 488b5c2440 : mov rbx, qword [rsp + 0x40] | |
| 0x000000df: 488b6c2448 : mov rbp, qword [rsp + 0x48] | |
| 0x000000e4: 488b742450 : mov rsi, qword [rsp + 0x50] | |
| 0x000000e9: 4883c420 : add rsp, 0x20 | |
| 0x000000ed: 415d : pop r13 | |
| 0x000000ef: 415c : pop r12 | |
| 0x000000f1: 5f : pop rdi | |
| 0x000000f2: c3 : ret |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| at region <unknown value> ((mem:any)_0): | |
| --- address <rsp_input> --- | |
| 8 | 0x0008: -w- | | |
| --------------------------- | |
| at region <unknown value> ((mem:any)_1): | |
| --- address <rsp_input> --- | |
| 8 | 0x0008: -w- | | |
| 16 | 0x0008: -w- | | |
| --------------------------- | |
| at region <unknown value> ((mem:any)_2): | |
| --- address <rsp_input> --- | |
| 8 | 0x0008: -w- | | |
| 16 | 0x0008: -w- | | |
| 24 | 0x0008: -w- | | |
| --------------------------- | |
| at region <unknown value> ((mem:any)_5): | |
| --- address <rcx_input> --- | |
| 6 | 0x0008: r-- | | |
| 7 | 0x0008: r-- | | |
| --------------------------- | |
| --- address <rax_2> --- | |
| 452 | 0x0008: r-- | | |
| --------------------------- | |
| at region <unknown value> ((mem:any)_6): | |
| --- address <rcx_input> --- | |
| 6 | 0x0008: r-- | | |
| 7 | 0x0008: r-- | | |
| --------------------------- | |
| --- address <rax_2> --- | |
| 452 | 0x0008: rw- | | |
| --------------------------- | |
| at region <unknown value> ((mem:any)_7): | |
| --- address <rax_2> --- | |
| 452 | 0x0008: rw- | | |
| --------------------------- | |
| --- address <rdx_input> --- | |
| 8 | 0x0008: -w- | | |
| --------------------------- | |
| --- address <rcx_input> --- | |
| 6 | 0x0008: r-- | | |
| 7 | 0x0008: r-- | | |
| --------------------------- | |
| at region <unknown value> ((mem:any)_8): | |
| --- address <rax_2> --- | |
| 452 | 0x0008: rw- | | |
| --------------------------- | |
| --- address <rcx_input> --- | |
| 6 | 0x0008: r-- | | |
| 7 | 0x0008: r-- | | |
| --------------------------- | |
| --- address <rdx_input> --- | |
| 8 | 0x0008: -w- | | |
| --------------------------- | |
| at region <unknown value> ((mem:any)_9): | |
| --- address <rax_3> --- | |
| 8 | 0x0008: -w- | | |
| --------------------------- | |
| --- address <rdx_input> --- | |
| 8 | 0x0008: -w- | | |
| --------------------------- | |
| --- address <rax_2> --- | |
| 452 | 0x0008: rw- | | |
| --------------------------- | |
| --- address <rcx_input> --- | |
| 6 | 0x0008: r-- | | |
| 7 | 0x0008: r-- | | |
| --------------------------- | |
| at region <unknown value> ((mem:any)_10): | |
| --- address <rax_2> --- | |
| 452 | 0x0008: rw- | | |
| --------------------------- | |
| --- address <rcx_input> --- | |
| 6 | 0x0008: r-- | | |
| 7 | 0x0008: r-- | | |
| 72 | 0x0008: r-- | | |
| --------------------------- | |
| --- address <rax_3> --- | |
| 8 | 0x0008: -w- | | |
| --------------------------- | |
| --- address <rdx_input> --- | |
| 8 | 0x0008: -w- | | |
| --------------------------- | |
| at region <unknown value> ((mem:any)_11): | |
| --- address <rcx_7> --- | |
| 452 | 0x0008: r-- | | |
| --------------------------- | |
| at region <unknown value> ((mem:any)_12): | |
| --- address <rcx_7> --- | |
| 452 | 0x0008: rw- | | |
| --------------------------- | |
| --- address <rsp_3> --- | |
| 64 | 0x0008: r-- | | |
| 72 | 0x0008: r-- | | |
| 80 | 0x0008: r-- | | |
| --------------------------- |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment