Practical Reverse Engineering Solutions – Page 123 (Part II)

This blog post presents my solution to exercise 2 and 3 on pages 123ff from the book Practical Reverse Engineering by Bruce Dang, Alexandre Gazet and Elias Bachaalany (ISBN: 1118787315). The book is my first contact with reverse engineering, so take my statements with a grain of salt. All code snippets are on GitHub. For an overview of my solutions consult this progress page.

Exercise 2

To save space I’m removing the raw instruction in hex. I’m also not showing the upper 32 bits of the addresses. You can see the full kernel routines on my GitHub page.

► CcSetVacbInFreeList

The following lines are InsertHeadList:

`11c7f6c9  lea     rax,[rcx+10h]
`11c7f6cd  mov     rcx,qword ptr [nt!CcVacbFreeList (fffff800`11f60b00)]
`11c7f6d4  lea     rdx,[nt!CcVacbFreeList (fffff800`11f60b00)]
`11c7f6db  mov     qword ptr [rax],rcx
`11c7f6de  mov     qword ptr [rax+8],rdx
`11c7f6e2  cmp     qword ptr [rcx+8],rdx
`11c7f6e6  jne     nt!CcSetVacbInFreeList+0x5a (fffff800`11c7f70e)

nt!CcSetVacbInFreeList+0x34: 
`11c7f6e8  mov     qword ptr [rcx+8],rax
`11c7f6ec  mov     qword ptr [nt!CcVacbFreeList (fffff800`11f60b00)],rax

This illustration shows the three list elements and where the links are set:

► CmpDoSort

The following lines are InsertHeadList:

`12372d01  mov     r11,qword ptr [r12]
`12372d05  mov     qword ptr [rbx+8],r12
`12372d09  mov     qword ptr [rbx],r11
`12372d0c  cmp     qword ptr [r11+8],r12
`12372d10  string'+0x2cf5  

nt!CmpAddDriverToList+0x19e: 
`12372d16  mov     qword ptr [r11+8],rbx
`12372d1a  lea     r8,[nt!CmpErrorControlString (fffff800`1232f3b0)]
`12372d21  mov     rdx,rsi
`12372d24  mov     rcx,rdi
`12372d27  mov     qword ptr [r12],rbx

This illustration shows the three list elements and where the links are set:

► ExBurnMemory

The following lines are InsertHeadList:

`d9f8b5f4  mov     rax,qword ptr [r8]
`d9f8b5f7  mov     qword ptr [nt!BurnMemoryDescriptor+0x8 (fffff803`d9b6f228)],r8
`d9f8b5fe  mov     qword ptr [nt!BurnMemoryDescriptor (fffff803`d9b6f220)],rax
`d9f8b605  cmp     qword ptr [rax+8],r8
`d9f8b609  jne     nt!ExBurnMemory+0x95 (fffff803`d9f8b61d)

nt!ExBurnMemory+0x83:
`d9f8b60b  lea     rcx,[nt!BurnMemoryDescriptor (fffff803`d9b6f220)]
`d9f8b612  mov     qword ptr [rax+8],rcx
`d9f8b616  mov     qword ptr [r8],rcx

This illustration shows the three list elements and where the links are set:

► ExFreePoolWithTag

The following lines are InsertHeadList:

`d9af8115  mov     rax,qword ptr [rcx]
`d9af8118  mov     qword ptr [rbx+8],rcx
`d9af811c  mov     qword ptr [rbx],rax
`d9af811f  cmp     qword ptr [rax+8],rcx
`d9af8123  jne     nt!ExFreePoolWithTag+0x1014 (fffff803`d9af8174)

nt!ExFreePoolWithTag+0xfc5:
`d9af8125  mov     qword ptr [rax+8],rbx
`d9af8129  mov     qword ptr [rcx],rbx

This illustration shows the three list elements and where the links are set:

► IoPageRead

The following lines are InsertHeadList:

`d995d410  mov     rax,qword ptr [r15]
`d995d413  mov     qword ptr [r14+8],r15
`d995d417  mov     qword ptr [r14],rax
`d995d41a  cmp     qword ptr [rax+8],r15
`d995d41e  string'+0xa7e5  

nt!IoPageRead+0x1b4:
`d995d424  mov     qword ptr [rax+8],r14
`d995d428  mov     qword ptr [r15],r14

This illustration shows the three list elements and where the links are set:

► IovpCallDriver1

The following lines are InsertHeadList:

`d9ed1cda  mov     r8,qword ptr [rax]
`d9ed1cdd  lea     rdx,[r15+20h]
`d9ed1ce1  mov     qword ptr [rdx],r8
`d9ed1ce4  mov     qword ptr [rdx+8],rax
`d9ed1ce8  cmp     qword ptr [r8+8],rax
`d9ed1cec  je      nt!IovpCallDriver1+0x46d (fffff803`d9ed1cf5)

nt!IovpCallDriver1+0x466:
`d9ed1cee  mov     ecx,3
`d9ed1cf3  int     29h

nt!IovpCallDriver1+0x46d:
`d9ed1cf5  mov     qword ptr [r8+8],rdx
`d9ed1cf9  mov     qword ptr [rax],rdx

This illustration shows the three list elements and where the links are set:

► KeInitThread

The following lines are InsertHeadList:

`d9be54a9  mov     rcx,qword ptr [rbx]
`d9be54ac  mov     qword ptr [rax],rcx
`d9be54af  mov     qword ptr [rax+8],rbx
`d9be54b3  cmp     qword ptr [rcx+8],rbx
`d9be54b7  string'+0x1c0  

nt!KeInitThread+0x18d:
`d9be54bd  mov     qword ptr [rcx+8],rax
`d9be54c1  mov     qword ptr [rbx],rax

This illustration shows the three list elements and where the links are set:

► KiInsertQueueApc

The following lines are InsertHeadList:

`d99593b7  mov     r8,qword ptr [rax]
`d99593ba  lea     rcx,[rdx+10h]
`d99593be  mov     qword ptr [rcx],r8
`d99593c1  mov     qword ptr [rcx+8],rax
`d99593c5  cmp     qword ptr [r8+8],rax
`d99593c9  string'+0x14f4e  

nt!KiInsertQueueApc+0x6f:
`d99593cf  mov     qword ptr [r8+8],rcx
`d99593d3  mov     qword ptr [rax],rcx

This illustration shows the three list elements and where the links are set:

► KeInsertQueueDpc

The following lines are InsertHeadList:

`d992fec1  mov     rcx,qword ptr [rdi]
`d992fec4  mov     qword ptr [rax+8],rdi
`d992fec8  mov     qword ptr [rax],rcx
`d992fecb  cmp     qword ptr [rcx+8],rdi
`d992fecf  string'+0x12c8b  

nt!KeInsertQueueDpc+0x273:
`d992fed5  mov     qword ptr [rcx+8],rax
`d992fed9  mov     qword ptr [rdi],rax

This illustration shows the three list elements and where the links are set:

► KiQueueReadyThread

The following lines are InsertHeadList:

`d9909bb0  mov     rax,qword ptr [rcx]
`d9909bb3  mov     qword ptr [rbx+8],rcx
`d9909bb7  mov     qword ptr [rbx],rax
`d9909bba  cmp     qword ptr [rax+8],rcx
`d9909bbe  `string'+0x15dee  

nt!KiQueueReadyThread+0xc4:
`d9909bc4  mov     qword ptr [rax+8],rbx
`d9909bc8  mov     qword ptr [rcx],rbx

This illustration shows the three list elements and where the links are set:

► MiInsertInSystemSpace

The following lines are InsertHeadList:

`d98d2067  mov     rax,qword ptr [r11]
`d98d206a  mov     qword ptr [r14+8],r11
`d98d206e  mov     qword ptr [r14],rax
`d98d2071  cmp     qword ptr [rax+8],r11
`d98d2075  `string'+0x1a834  

nt!MiInsertInSystemSpace+0x21b:
`d98d207b  mov     qword ptr [rax+8],r14
`d98d207f  mov     qword ptr [r11],r14

This illustration shows the three list elements and where the links are set:

► MiUpdateWsle

The following lines are InsertHeadList:

`d991a0b1  mov     rax,qword ptr [nt!MmWorkingSetExpansionHead (fffff803`d9b52960)]
`d991a0b8  lea     rcx,[nt!MmWorkingSetExpansionHead (fffff803`d9b52960)]
`d991a0bf  mov     qword ptr [rdi],rax
`d991a0c2  mov     qword ptr [rdi+8],rcx
`d991a0c6  cmp     qword ptr [rax+8],rcx
`d991a0ca  `string'+0x1dc58  

nt!MiUpdateWsle+0x550:
`d991a0d0  mov     qword ptr [rax+8],rdi
`d991a0d4  mov     qword ptr [nt!MmWorkingSetExpansionHead (fffff803`d9b52960)],rdi

This illustration shows the three list elements and where the links are set:

► ObpInsertCallbackByAltitude

The following lines are InsertHeadList:

`d9d790db  mov     rcx,qword ptr [rax]
`d9d790de  mov     qword ptr [rsi+8],rax
`d9d790e2  mov     qword ptr [rsi],rcx
`d9d790e5  cmp     qword ptr [rcx+8],rax
`d9d790e9  `string'+0x3d025  

nt!ObpInsertCallbackByAltitude+0x77:
`d9d790ef  mov     qword ptr [rcx+8],rsi
`d9d790f3  mov     qword ptr [rax],rsi

This illustration shows the three list elements and where the links are set:

Exercise 3

► AlpcpCreateClientPort

The following lines are InsertTailList:

`d9d147ef  mov     rdx,qword ptr [rax+20h]
`d9d147f3  add     rax,18h
`d9d147f7  add     rcx,18h
`d9d147fb  mov     qword ptr [rcx+8],rdx
`d9d147ff  mov     qword ptr [rcx],rax
`d9d14802  cmp     qword ptr [rdx],rax
`d9d14805  `string'+0x2f4e3  

nt!AlpcpCreateClientPort+0x1cb:
`d9d1480b  mov     qword ptr [rdx],rcx
`d9d1480e  mov     qword ptr [rax+8],rcx

This illustration shows the three list elements and where the links are set:

► AlpcpCreateSection

The following lines are InsertTailList:

`d9d14080  mov     rax,qword ptr [r15+8]
`d9d14084  mov     qword ptr [rsi],r15
`d9d14087  mov     qword ptr [rsi+8],rax
`d9d1408b  cmp     qword ptr [rax],r15
`d9d1408e  `string'+0x3284d  

nt!AlpcpCreateSection+0x17c:
`d9d14094  mov     qword ptr [rax],rsi
`d9d14097  mov     qword ptr [r15+8],rsi

This illustration shows the three list elements and where the links are set:

► AlpcpCreateView

The following lines are InsertTailList:

`d9d1be00  mov     rax,qword ptr [rbp+8]
`d9d1be04  mov     qword ptr [r15],rbp
`d9d1be07  mov     qword ptr [r15+8],rax
`d9d1be0b  cmp     qword ptr [rax],rbp
`d9d1be0e  `string'+0x3273d  

nt!AlpcpCreateView+0x214:
`d9d1be14  mov     qword ptr [rax],r15
`d9d1be17  mov     qword ptr [rbp+8],r15

This illustration shows the three list elements and where the links are set:

► AuthzBasepAddSecurityAttributeToLists

The following lines are InsertTailList:

`d9d5600f  mov     r9,qword ptr [r8+8]
`d9d56013  mov     qword ptr [rax],r8
`d9d56016  mov     qword ptr [rax+8],r9
`d9d5601a  cmp     qword ptr [r9],r8
`d9d5601d  je      nt!AuthzBasepAddSecurityAttributeToLists+0x2e (fffff803`d9d56026)

nt!AuthzBasepAddSecurityAttributeToLists+0x27:
`d9d5601f  mov     ecx,3
`d9d56024  int     29h

nt!AuthzBasepAddSecurityAttributeToLists+0x2e:
`d9d56026  mov     qword ptr [r9],rax
`d9d56029  mov     qword ptr [r8+8],rax

This illustration shows the three list elements and where the links are set:

There is a second occurence of InsertTailList here:

`d9d56044  mov     r8,qword ptr [rax+8]
`d9d56048  mov     qword ptr [rdx],rax
`d9d5604b  mov     qword ptr [rdx+8],r8
`d9d5604f  cmp     qword ptr [r8],rax
`d9d56052  je      nt!AuthzBasepAddSecurityAttributeToLists+0x63 (fffff803`d9d5605b)

nt!AuthzBasepAddSecurityAttributeToLists+0x5c:
`d9d56054  mov     ecx,3
`d9d56059  int     29h

nt!AuthzBasepAddSecurityAttributeToLists+0x63:
`d9d5605b  mov     qword ptr [r8],rdx
`d9d5605e  mov     qword ptr [rax+8],rdx

This illustration shows the three list elements and where the links are set:

► CcFlushCachePriv

The following lines are InsertTailList:

`d9980d90  mov     rcx,qword ptr [nt!CcLazyWriterCursor+0x8 (fffff803`d9b6ebe8)]
`d9980d97  lea     rdx,[nt!CcLazyWriterCursor (fffff803`d9b6ebe0)]
`d9980d9e  mov     qword ptr [rax+8],rcx
`d9980da2  mov     qword ptr [rax],rdx
`d9980da5  cmp     qword ptr [rcx],rdx
`d9980da8  `string'+0x4801  

nt!CcFlushCachePriv+0x8cc:
`d9980dae  mov     qword ptr [rcx],rax
`d9980db1  xor     edx,edx
`d9980db3  movzx   ecx,r8b
`d9980db7  mov     qword ptr [nt!CcLazyWriterCursor+0x8 (fffff803`d9b6ebe8)],rax

This illustration shows the three list elements and where the links are set:

► CcInitializeCacheManager

The following lines are InsertTailList:

`d9f77cbf  mov     rcx,qword ptr [nt!CcIdleWorkerThreadList+0x8 (fffff803`d9b6ec78)]
`d9f77cc6  lea     rdx,[nt!CcIdleWorkerThreadList (fffff803`d9b6ec70)]
`d9f77ccd  mov     qword ptr [rax+8],rcx
`d9f77cd1  mov     qword ptr [rax],rdx
`d9f77cd4  cmp     qword ptr [rcx],rdx
`d9f77cd7  `string'+0x1f89  

nt!CcInitializeCacheManager+0x2c9:
`d9f77cdd  add     ebx,r15d
`d9f77ce0  mov     qword ptr [rcx],rax
`d9f77ce3  mov     qword ptr [nt!CcIdleWorkerThreadList+0x8 (fffff803`d9b6ec78)],rax

This illustration shows the three list elements and where the links are set:

There is a second occurence of InsertTailList here:

`d9f77d33  mov     rcx,qword ptr [nt!CcIdleExtraWriteBehindThreadList+0x8 (fffff803`d9b6ee88)]
`d9f77d3a  lea     rdx,[nt!CcIdleExtraWriteBehindThreadList (fffff803`d9b6ee80)]
`d9f77d41  mov     qword ptr [rax+8],rcx
`d9f77d45  mov     qword ptr [rax],rdx
`d9f77d48  cmp     qword ptr [rcx],rdx
`d9f77d4b  `string'+0x1faa  

nt!CcInitializeCacheManager+0x33d:
`d9f77d51  mov     r8d,dword ptr [nt!CcMaxExtraWriteBehindThreads (fffff803`d9b07afc)]
`d9f77d58  add     ebx,r15d
`d9f77d5b  mov     qword ptr [rcx],rax
`d9f77d5e  mov     qword ptr [nt!CcIdleExtraWriteBehindThreadList+0x8 (fffff803`d9b6ee88)],rax

This illustration shows the three list elements and where the links are set:

► CcInsertVacbArray

The following lines are InsertTailList:

`d9893272  lea     r8,[nt!CcVacbFreeList (fffff803`d9b6eb00)]
`d9893279  lea     r9,[nt!CcVacbFreeHighPriorityList (fffff803`d9b6eb10)]

nt!CcInsertVacbArray+0x5c:
`d9893280  cmp     qword ptr [rax-10h],0
`d9893285  jne     nt!CcInsertVacbArray+0x99 (fffff803`d98932bd)

nt!CcInsertVacbArray+0x63:
`d9893287  mov     rcx,qword ptr [nt!CcVacbFreeList+0x8 (fffff803`d9b6eb08)]
`d989328e  mov     qword ptr [rax],r8
`d9893291  mov     qword ptr [rax+8],rcx
`d9893295  cmp     qword ptr [rcx],r8
`d9893298  jne     nt!CcInsertVacbArray+0xdd (fffff803`d9893301)

nt!CcInsertVacbArray+0x76:
`d989329a  mov     qword ptr [rcx],rax
`d989329d  inc     dword ptr [nt!CcNumberOfFreeVacbs (fffff803`d9b6ead8)]
`d98932a3  mov     qword ptr [nt!CcVacbFreeList+0x8 (fffff803`d9b6eb08)],rax

This illustration shows the three list elements and where the links are set:

There is a second occurence of InsertTailList here:

`d9893279  lea     r9,[nt!CcVacbFreeHighPriorityList (fffff803`d9b6eb10)]
...
`d98932bd  mov     rcx,qword ptr [nt!CcVacbFreeHighPriorityList+0x8 (fffff803`d9b6eb18)]
`d98932c4  mov     qword ptr [rax],r9
`d98932c7  mov     qword ptr [rax+8],rcx
`d98932cb  cmp     qword ptr [rcx],r9
`d98932ce  jne     nt!CcInsertVacbArray+0xe4 (fffff803`d9893308)

nt!CcInsertVacbArray+0xac:
`d98932d0  mov     qword ptr [rcx],rax
`d98932d3  inc     dword ptr [nt!CcNumberOfFreeHighPriorityVacbs (fffff803`d9b6eadc)]
`d98932d9  mov     qword ptr [nt!CcVacbFreeHighPriorityList+0x8 (fffff803`d9b6eb18)],rax

This illustration shows the three list elements and where the links are set:

► CcSetFileSizesEx

The following lines are InsertTailList:

`d9931bfb  lea     r13,[nt!CcLazyWriterCursor (fffff803`d9b6ebe0)]
...
`d9931ec2  mov     rax,qword ptr [nt!CcLazyWriterCursor+0x8 (fffff803`d9b6ebe8)]
`d9931ec9  mov     qword ptr [rsi+8],rax
`d9931ecd  mov     qword ptr [rsi],r13
`d9931ed0  cmp     qword ptr [rax],r13
`d9931ed3  `string'+0x29b7  

nt!CcSetFileSizesEx+0x377:
`d9931ed9  mov     qword ptr [rax],rsi
`d9931edc  xor     edx,edx
`d9931ede  movzx   ecx,r8b
`d9931ee2  mov     qword ptr [nt!CcLazyWriterCursor+0x8 (fffff803`d9b6ebe8)],rsi

This illustration shows the three list elements and where the links are set:

There is a second occurence of InsertTailList here:

`d9931bfb  lea     r13,[nt!CcLazyWriterCursor (fffff803`d9b6ebe0)]
...
`d9931ff3  mov     rax,qword ptr [nt!CcLazyWriterCursor+0x8 (fffff803`d9b6ebe8)]
`d9931ffa  mov     qword ptr [rsi+8],rax
`d9931ffe  mov     qword ptr [rsi],r13
`d9932001  cmp     qword ptr [rax],r13
`d9932004  jne     nt!CcSetFileSizesEx+0x4d0 (fffff803`d9932034)

nt!CcSetFileSizesEx+0x4a2:
`d9932006  mov     qword ptr [rax],rsi
`d9932009  xor     edx,edx
`d993200b  movzx   ecx,r8b
`d993200f  mov     qword ptr [nt!CcLazyWriterCursor+0x8 (fffff803`d9b6ebe8)],rsi

This illustration shows the three list elements and where the links are set:

There is a third occurrence of InsertTailList here:

`d9a52d18  mov     rcx,qword ptr [nt!CcDirtySharedCacheMapWithLogHandleList+0x8 (fffff803`d9b6eba8)]
`d9a52d1f  lea     rdx,[nt!CcDirtySharedCacheMapWithLogHandleList (fffff803`d9b6eba0)]
`d9a52d26  mov     qword ptr [rax+8],rcx
`d9a52d2a  mov     qword ptr [rax],rdx
`d9a52d2d  cmp     qword ptr [rcx],rdx
`d9a52d30  `string'+0x276e  

nt! ?? ::FNODOBFM::`string'+0x2767:
`d9a52d32  mov     ecx,3
`d9a52d37  int     29h

nt! ?? ::FNODOBFM::`string'+0x276e:
`d9a52d39  mov     qword ptr [rcx],rax
`d9a52d3c  mov     qword ptr [nt!CcDirtySharedCacheMapWithLogHandleList+0x8 (fffff803`d9b6eba8)],rax

This illustration shows the three list elements and where the links are set:

There is a fourth occurrence of InsertTailList here:

`d9931bfb  lea     r13,[nt!CcLazyWriterCursor (fffff803`d9b6ebe0)]
...
`d9a52d63  mov     rax,qword ptr [nt!CcLazyWriterCursor+0x8 (fffff803`d9b6ebe8)]
`d9a52d6a  mov     qword ptr [rsi+8],rax
`d9a52d6e  mov     qword ptr [rsi],r13
`d9a52d71  cmp     qword ptr [rax],r13
`d9a52d74  `string'+0x27be  

nt! ?? ::FNODOBFM::`string'+0x27b7:
`d9a52d76  mov     ecx,3
`d9a52d7b  int     29h

nt! ?? ::FNODOBFM::`string'+0x27be:
`d9a52d7d  mov     qword ptr [rax],rsi
`d9a52d80  mov     qword ptr [nt!CcLazyWriterCursor+0x8 (fffff803`d9b6ebe8)],rsi
`d9a52d87  jmp     nt!CcSetFileSizesEx+0x4bc (fffff803`d9932020)

This illustration shows the three list elements and where the links are set:

There is a sixth occurrence of InsertTailList here:

`d9a52db8  mov     rcx,qword ptr [nt!CcDirtySharedCacheMapWithLogHandleList+0x8 (fffff803`d9b6eba8)]
`d9a52dbf  lea     rdx,[nt!CcDirtySharedCacheMapWithLogHandleList (fffff803`d9b6eba0)]
`d9a52dc6  mov     qword ptr [rax+8],rcx
`d9a52dca  mov     qword ptr [rax],rdx
`d9a52dcd  cmp     qword ptr [rcx],rdx
`d9a52dd0  `string'+0x2826  

nt! ?? ::FNODOBFM::`string'+0x281f:
`d9a52dd2  mov     ecx,3
`d9a52dd7  int     29h

nt! ?? ::FNODOBFM::`string'+0x2826:
`d9a52dd9  mov     qword ptr [rcx],rax
`d9a52ddc  mov     qword ptr [nt!CcDirtySharedCacheMapWithLogHandleList+0x8 (fffff803`d9b6eba8)],rax

This illustration shows the three list elements and where the links are set:

There is a seventh occurrence of InsertTailList here:

`d9a52e76  mov     rcx,qword ptr [nt!CcDirtySharedCacheMapWithLogHandleList+0x8 (fffff803`d9b6eba8)]
`d9a52e7d  lea     rdx,[nt!CcDirtySharedCacheMapWithLogHandleList (fffff803`d9b6eba0)]
`d9a52e84  mov     qword ptr [rax+8],rcx
`d9a52e88  mov     qword ptr [rax],rdx
`d9a52e8b  cmp     qword ptr [rcx],rdx
`d9a52e8e  `string'+0x28f0  

nt! ?? ::FNODOBFM::`string'+0x28e9:
`d9a52e90  mov     ecx,3
`d9a52e95  int     29h

nt! ?? ::FNODOBFM::`string'+0x28f0:
`d9a52e97  mov     qword ptr [rcx],rax
`d9a52e9a  mov     qword ptr [nt!CcDirtySharedCacheMapWithLogHandleList+0x8 (fffff803`d9b6eba8)],rax

This illustration shows the three list elements and where the links are set:

There is a eighth occurrence of InsertTailList here:

`d9931bfb  lea     r13,[nt!CcLazyWriterCursor (fffff803`d9b6ebe0)]
...
`d9a52ec1  mov     rax,qword ptr [nt!CcLazyWriterCursor+0x8 (fffff803`d9b6ebe8)]
`d9a52ec8  mov     qword ptr [rsi+8],rax
`d9a52ecc  mov     qword ptr [rsi],r13
`d9a52ecf  cmp     qword ptr [rax],r13
`d9a52ed2  `string'+0x2940  

nt! ?? ::FNODOBFM::`string'+0x2939:
`d9a52ed4  mov     ecx,3
`d9a52ed9  int     29h

nt! ?? ::FNODOBFM::`string'+0x2940:
`d9a52edb  mov     qword ptr [rax],rsi
`d9a52ede  mov     qword ptr [nt!CcLazyWriterCursor+0x8 (fffff803`d9b6ebe8)],rsi

This illustration shows the three list elements and where the links are set:

► CmRenameKey

The following lines are InsertTailList:

`d9db9c7f  mov     rdx,qword ptr [rax+8]
`d9db9c83  mov     qword ptr [rcx],rax
`d9db9c86  mov     qword ptr [rcx+8],rdx
`d9db9c8a  cmp     qword ptr [rdx],rax
`d9db9c8d  je      nt!CmRenameKey+0x402 (fffff803`d9db9c96)

nt!CmRenameKey+0x3fb:
`d9db9c8f  mov     ecx,3
`d9db9c94  int     29h

nt!CmRenameKey+0x402:
`d9db9c96  mov     qword ptr [rdx],rcx
`d9db9c99  mov     qword ptr [rax+8],rcx

This illustration shows the three list elements and where the links are set:

There is a second occurrence of InsertTailList here:

`d9db9d77  mov     rcx,qword ptr [r14+8]
`d9db9d7b  lea     rax,[r15+20h]
`d9db9d7f  mov     qword ptr [rax],r14
`d9db9d82  mov     qword ptr [rax+8],rcx
`d9db9d86  cmp     qword ptr [rcx],r14
`d9db9d89  je      nt!CmRenameKey+0x4fe (fffff803`d9db9d92)

nt!CmRenameKey+0x4f7:
`d9db9d8b  mov     ecx,3
`d9db9d90  int     29h

nt!CmRenameKey+0x4fe:
`d9db9d92  mov     qword ptr [rcx],rax
`d9db9d95  mov     rcx,rdi
`d9db9d98  mov     qword ptr [r14+8],rax

This illustration shows the three list elements and where the links are set

There is a third occurrence of InsertTailList here:

`d9db9ddc  mov     rax,qword ptr [rbx+8]
`d9db9de0  mov     qword ptr [r15],rbx
`d9db9de3  mov     qword ptr [r15+8],rax
`d9db9de7  cmp     qword ptr [rax],rbx
`d9db9dea  je      nt!CmRenameKey+0x55f (fffff803`d9db9df3)

nt!CmRenameKey+0x558:
`d9db9dec  mov     ecx,3
`d9db9df1  int     29h

nt!CmRenameKey+0x55f:
`d9db9df3  mov     qword ptr [rax],r15
`d9db9df6  mov     qword ptr [rbx+8],r15

This illustration shows the three list elements and where the links are set:

There is a fourth occurrence of InsertTailList here:

`d9dba399  mov     rdx,qword ptr [rax+8]
`d9dba39d  mov     qword ptr [rcx],rax
`d9dba3a0  mov     qword ptr [rcx+8],rdx
`d9dba3a4  cmp     qword ptr [rdx],rax
`d9dba3a7  je      nt!CmRenameKey+0xb1c (fffff803`d9dba3b0)

nt!CmRenameKey+0xb15:
`d9dba3a9  lea     ecx,[r12+3]
`d9dba3ae  int     29h

nt!CmRenameKey+0xb1c:
`d9dba3b0  mov     qword ptr [rdx],rcx
`d9dba3b3  mov     qword ptr [rax+8],rcx

This illustration shows the three list elements and where the links are set:

► ExAllocatePoolWithTag

The following lines are InsertTailList:

d9af6597  mov     rax,qword ptr [rcx+8]
d9af659b  mov     qword ptr [rdx],rcx
d9af659e  mov     qword ptr [rdx+8],rax
d9af65a2  cmp     qword ptr [rax],rcx
d9af65a5  jne     nt!ExFreePool+0x3c5 (fffff803`d9af8515)

nt!ExAllocatePoolWithTag+0x59b:
d9af65ab  mov     qword ptr [rax],rdx
d9af65ae  mov     qword ptr [rcx+8],rdx

This illustration shows the three list elements and where the links are set:

There is a second occurrence of InsertTailList here:

d9af6980  mov     rax,qword ptr [rcx+8]
d9af6984  mov     qword ptr [rsi],rcx
d9af6987  mov     qword ptr [rsi+8],rax
d9af698b  cmp     qword ptr [rax],rcx
d9af698e  jne     nt!ExFreePool+0x47a (fffff803`d9af85c9)

nt!ExAllocatePoolWithTag+0x982:
d9af6994  cmp     dword ptr [rsp+0E8h],0
d9af699c  mov     qword ptr [rax],rsi
d9af699f  mov     qword ptr [rcx+8],rsi

This illustration shows the three list elements and where the links are set:

► ExFreePoolWithTag

The following lines are InsertTailList:

d9af7ed9  mov     rax,qword ptr [rdx+8]
d9af7edd  mov     qword ptr [rcx],rdx
d9af7ee0  mov     qword ptr [rcx+8],rax
d9af7ee4  cmp     qword ptr [rax],rdx
d9af7ee7  jne     nt!ExFreePool+0x94d (fffff803`d9af8a33)

nt!ExFreePoolWithTag+0xd8d:
d9af7eed  mov     rbx,qword ptr [rbp-49h]
d9af7ef1  mov     qword ptr [rax],rcx
d9af7ef4  mov     qword ptr [rdx+8],rcx

This illustration shows the three list elements and where the links are set:

► ExQueueWorkItem

The following lines are InsertTailList:

d991997d  mov     rcx,qword ptr [rbx+20h]
d9919981  lea     rax,[rbx+18h]
d9919985  mov     qword ptr [rdi+8],rcx
d9919989  mov     qword ptr [rdi],rax
d991998c  cmp     qword ptr [rcx],rax
d991998f  jne     nt! ?? ::FNODOBFM::`string'+0x4d3eb (fffff803`d9a85a1a)

nt!ExQueueWorkItem+0x2c5:
d9919995  mov     qword ptr [rcx],rdi
d9919998  mov     qword ptr [rax+8],rdi

This illustration shows the three list elements and where the links are set:

► ExRegisterCallback

The following lines are InsertTailList:

d99d4642  mov     rcx,qword ptr [rax+8]
d99d4646  mov     qword ptr [rbx],rax
d99d4649  mov     qword ptr [rbx+8],rcx
d99d464d  cmp     qword ptr [rcx],rax
d99d4650  jne     nt!ExRegisterCallback+0x100 (fffff803`d99d46a4)

nt!ExRegisterCallback+0xae:
d99d4652  mov     qword ptr [rcx],rbx
d99d4655  mov     qword ptr [rax+8],rbx

This illustration shows the three list elements and where the links are set:

► ExpSetTimer

The following lines are InsertTailList:

d990e577  mov     rcx,qword ptr [nt!ExpWakeTimerList+0x8 (fffff803`d9b17278)]
d990e57e  lea     rdx,[nt!ExpWakeTimerList (fffff803`d9b17270)]
d990e585  mov     qword ptr [rax],rdx
d990e588  mov     qword ptr [rax+8],rcx
d990e58c  cmp     qword ptr [rcx],rdx
d990e58f  jne     nt!ExpSetTimer+0x6a5 (fffff803`d990e5d5)

nt!ExpSetTimer+0x661:
d990e591  mov     qword ptr [rcx],rax
d990e594  mov     qword ptr [nt!ExpWakeTimerList+0x8 (fffff803`d9b17278)],rax

This illustration shows the three list elements and where the links are set:

► IoSetIoCompletionEx2

The following lines are InsertTailList:

d98b1f74  mov     rcx,qword ptr [rax+8]
d98b1f78  mov     qword ptr [rdi],rax
d98b1f7b  mov     qword ptr [rdi+8],rcx
d98b1f7f  cmp     qword ptr [rcx],rax
d98b1f82  jne     nt! ?? ::FNODOBFM::`string'+0xb7fb (fffff803`d9a59c2f)

nt!IoSetIoCompletionEx2+0xf8:
d98b1f88  mov     qword ptr [rcx],rdi
d98b1f8b  mov     qword ptr [rax+8],rdi

This illustration shows the three list elements and where the links are set:

There is a second occurrence of InsertTailList here:

d98b22e4  mov     rcx,qword ptr [rax+8]
d98b22e8  mov     qword ptr [rdi],rax
d98b22eb  mov     qword ptr [rdi+8],rcx
d98b22ef  cmp     qword ptr [rcx],rax
d98b22f2  jne     nt! ?? ::FNODOBFM::`string'+0xb9d8 (fffff803`d9a59df4)

nt!IoSetIoCompletionEx2+0x46f:
d98b22f8  mov     qword ptr [rcx],rdi
d98b22fb  mov     qword ptr [rax+8],rdi

This illustration shows the three list elements and where the links are set:

► KeInsertQueueDpc

The following lines are InsertTailList:

d992fd63  mov     rcx,qword ptr [rdi+8]
d992fd67  mov     qword ptr [rax],rdi
d992fd6a  mov     qword ptr [rax+8],rcx
d992fd6e  cmp     qword ptr [rcx],rdi
d992fd71  jne     nt! ?? ::FNODOBFM::`string'+0x12c92 (fffff803`d9a5eee2)

nt!KeInsertQueueDpc+0x117:
d992fd77  mov     qword ptr [rcx],rax
d992fd7a  mov     qword ptr [rdi+8],rax

This illustration shows the three list elements and where the links are set:

► KeStartThread

The following lines are InsertTailList:

d996960d  mov     rcx,qword ptr [nt!KiProcessListHead+0x8 (fffff803`d9b59cc8)]
d9969614  lea     rax,[rbx+238h]
d996961b  lea     rdx,[nt!KiProcessListHead (fffff803`d9b59cc0)]
d9969622  mov     qword ptr [rax],rdx
d9969625  mov     qword ptr [rax+8],rcx
d9969629  cmp     qword ptr [rcx],rdx
d996962c  jne     nt! ?? ::FNODOBFM::`string'+0xec4c (fffff803`d999ea28)

nt!KeStartThread+0x25a:
d9969632  mov     qword ptr [rcx],rax
d9969635  test    dword ptr [nt!PerfGlobalGroupMask+0x4 (fffff803`d9bde084)],r15d
d996963c  mov     qword ptr [nt!KiProcessListHead+0x8 (fffff803`d9b59cc8)],rax

This illustration shows the three list elements and where the links are set:

There is a second occurrence of InsertTailList here:

d99696c4  mov     rcx,qword ptr [rsi+8]
d99696c8  lea     rax,[rdi+2F8h]
d99696cf  mov     qword ptr [rax],rsi
d99696d2  mov     qword ptr [rax+8],rcx
d99696d6  cmp     qword ptr [rcx],rsi
d99696d9  jne     nt! ?? ::FNODOBFM::`string'+0xeca8 (fffff803`d999ea84)

nt!KeStartThread+0x307:
d99696df  mov     qword ptr [rcx],rax
d99696e2  mov     qword ptr [rsi+8],rax

This illustration shows the three list elements and where the links are set:

► KiAddThreadToScbQueue

The following lines are InsertTailList:

d99b0d30  mov     rax,qword ptr [rdx+8]
d99b0d34  mov     qword ptr [rcx],rdx
d99b0d37  mov     qword ptr [rcx+8],rax
d99b0d3b  cmp     qword ptr [rax],rdx
d99b0d3e  jne     nt! ?? ::FNODOBFM::`string'+0x17bf8 (fffff803`d9a61ee0)

nt!KiAddThreadToScbQueue+0x68:
d99b0d44  mov     qword ptr [rax],rcx
d99b0d47  mov     qword ptr [rdx+8],rcx

This illustration shows the three list elements and where the links are set:

► KiInsertQueueApc

The following lines are InsertTailList:

d995953c  mov     rax,qword ptr [rcx+8]
d9959540  mov     qword ptr [r8],rcx
d9959543  mov     qword ptr [r8+8],rax
d9959547  cmp     qword ptr [rax],rcx
d995954a  jne     nt! ?? ::FNODOBFM::`string'+0x14f47 (fffff803`d9a60407)

nt!KiInsertQueueApc+0x1f0:
d9959550  mov     qword ptr [rax],r8
d9959553  mov     qword ptr [rcx+8],r8

This illustration shows the three list elements and where the links are set:

► KiQueueReadyThread

The following lines are InsertTailList:

d9909bf4  mov     rax,qword ptr [rcx+8]
d9909bf8  mov     qword ptr [rbx],rcx
d9909bfb  mov     qword ptr [rbx+8],rax
d9909bff  cmp     qword ptr [rax],rcx
d9909c02  jne     nt! ?? ::FNODOBFM::`string'+0x15df5 (fffff803`d9a60f9c)

nt!KiQueueReadyThread+0x108:
d9909c08  mov     qword ptr [rax],rbx
d9909c0b  mov     qword ptr [rcx+8],rbx

This illustration shows the three list elements and where the links are set:

► MiInsertNewProcess

Correction: These lines are InsertHeadList, NOT InsertTailList. Thanks to @hInfern0 on Twitter for pointing out the error.

d996fed5  mov     rcx,qword ptr [nt!MmProcessList+0x8 (fffff803`d9b53258)]
d996fedc  lea     rax,[rdi+578h]
d996fee3  lea     rdx,[nt!MmProcessList (fffff803`d9b53250)]
d996feea  mov     qword ptr [rax],rdx
d996feed  mov     qword ptr [rax+8],rcx
d996fef1  cmp     qword ptr [rcx],rdx
d996fef4  jne     nt! ?? ::FNODOBFM::`string'+0x1b5da (fffff803`d9a64e22)

nt!MiInsertNewProcess+0x7e:
d996fefa  mov     qword ptr [rcx],rax
d996fefd  mov     qword ptr [nt!MmProcessList+0x8 (fffff803`d9b53258)],rax

► PnpRequestDeviceAction

The following lines are InsertTailList:

d98be315  mov     rax,qword ptr [nt!PnpEnumerationRequestList+0x8 (fffff803`d9b5b748)]
d98be31c  lea     rcx,[nt!PnpEnumerationRequestList (fffff803`d9b5b740)]
d98be323  mov     qword ptr [rsi+8],rax
d98be327  mov     qword ptr [rsi],rcx
d98be32a  cmp     qword ptr [rax],rcx
d98be32d  jne     nt! ?? ::FNODOBFM::`string'+0xd9a8 (fffff803`d99d007c)

nt!PnpRequestDeviceAction+0xd7:
d98be333  mov     qword ptr [rax],rsi
d98be336  mov     qword ptr [nt!PnpEnumerationRequestList+0x8 (fffff803`d9b5b748)],rsi

This illustration shows the three list elements and where the links are set:

► PspInsertProcess

The following lines are InsertTailList:

d9d056be  mov     rcx,qword ptr [nt!PsActiveProcessHead+0x8 (fffff803`d9b1ec88)]
d9d056c5  lea     rax,[rdi+2E8h]
d9d056cc  lea     rdx,[nt!PsActiveProcessHead (fffff803`d9b1ec80)]
d9d056d3  mov     qword ptr [rax],rdx
d9d056d6  mov     qword ptr [rax+8],rcx
d9d056da  cmp     qword ptr [rcx],rdx
d9d056dd  jne     nt! ?? ::NNGAKEGL::`string'+0x49d62 (fffff803`d9e8f256)

nt!PspInsertProcess+0xcb:
d9d056e3  mov     qword ptr [rcx],rax
d9d056e6  mov     qword ptr [nt!PsActiveProcessHead+0x8 (fffff803`d9b1ec88)],rax

This illustration shows the three list elements and where the links are set:

► PspInsertThread

The following lines are InsertTailList:

d9cf852d  mov     rdx,qword ptr [rax+8]
d9cf8531  mov     qword ptr [rcx],rax
d9cf8534  mov     qword ptr [rcx+8],rdx
d9cf8538  cmp     qword ptr [rdx],rax
d9cf853b  jne     nt! ?? ::NNGAKEGL::`string'+0x4934a (fffff803`d9e8e8b0)

nt!PspInsertThread+0x261:
d9cf8541  mov     qword ptr [rdx],rcx
d9cf8544  mov     qword ptr [rax+8],rcx

This illustration shows the three list elements and where the links are set: