Practical Reverse Engineering Solutions – Page 123 (Part III)

my go at exercises 4 and 5 on pages 123ff

This blog post presents my solution to exercises 4 and 5 on page 123 from the book Practical Reverse Engineering by Bruce Dang, Alexandre Gazet and Elias Bachaalany (ISBN: 1118787315). The book is my first contact with reverse engineering, so take my statements with a grain of salt. All code snippets are on GitHub. For an overview of my solutions consult this progress page.

I’m removing the raw instruction in hex to save space. I’m also not showing the upper 32 bits of the addresses. Check my GitHub page for the complete listings.

Exercise 4

Problem Statement

Repeat the previous exercise for RemoveHeadList in the following routines: AlpcpFlushResourcesPort.asm, CcDeleteMbcb.asm, CcGetVacbMiss.asm, CmpLazyCommitWorker.asm, ExAllocatePoolWithTag.asm, FsRtlNotifyCompleteIrpList.asm, IopInitializeBootDrivers.asm, KiProcessDisconnectList.asm, PnpDeviceCompletionQueueGetCompletedRequest.asm, RtlDestroyAtomTable.asm, RtlEmptyAtomTable.asm, RtlpFreeAllAtom.asm

► AlpcpFlushResourcesPort

The following lines are RemoveHeadList:

nt!AlpcpFlushResourcesPort+0x33:
d9cecf03  mov     rsi,qword ptr [r14]
d9cecf06  cmp     rsi,r14
d9cecf09  jne     nt!AlpcpFlushResourcesPort+0x5f (fffff803`d9cecf2f)

nt!AlpcpFlushResourcesPort+0x3b:
d9cecf0b  lock xadd qword ptr [rdi],rbx
d9cecf10  test    bl,2
d9cecf13  jne     nt! ?? ::NNGAKEGL::`string`+0x337cd (fffff803`d9e7cf45)

nt!AlpcpFlushResourcesPort+0x49:
d9cecf19  mov     rbx,qword ptr [rsp+30h]
d9cecf1e  mov     rsi,qword ptr [rsp+38h]
d9cecf23  mov     rdi,qword ptr [rsp+40h]
d9cecf28  add     rsp,20h
d9cecf2c  pop     r14
d9cecf2e  ret

nt!AlpcpFlushResourcesPort+0x5f:
d9cecf2f  mov     rax,qword ptr [rsi]
d9cecf32  cmp     qword ptr [rsi+8],r14
d9cecf36  jne     nt! ?? ::NNGAKEGL::`string`+0x337c6 (fffff803`d9e7cf3e)

nt!AlpcpFlushResourcesPort+0x6c:
d9cecf3c  cmp     qword ptr [rax+8],rsi
d9cecf40  jne     nt! ?? ::NNGAKEGL::`string`+0x337c6 (fffff803`d9e7cf3e)

nt!AlpcpFlushResourcesPort+0x76:
d9cecf46  mov     qword ptr [r14],rax
d9cecf49  mov     qword ptr [rax+8],r14

This illustration shows the three list elements and where the links are set or referenced:

► CcDeleteMbcb

The following lines are RemoveHeadList:

d998758d  mov     rdi,qword ptr [r15]
d9987590  cmp     rdi,r15
d9987593  je      nt!CcDeleteMbcb+0x1aa (fffff803`d9987602)

nt!CcDeleteMbcb+0x13d:
d9987595  mov     rcx,qword ptr [rdi]
d9987598  mov     rax,qword ptr [rdi+8]
d998759c  cmp     qword ptr [rcx+8],rdi
d99875a0  jne     nt!CcDeleteMbcb+0x26c (fffff803`d99876c4)

nt!CcDeleteMbcb+0x14e:
d99875a6  cmp     qword ptr [rax],rdi
d99875a9  jne     nt!CcDeleteMbcb+0x26c (fffff803`d99876c4)

nt!CcDeleteMbcb+0x157:
d99875af  mov     qword ptr [rax],rcx
d99875b2  mov     qword ptr [rcx+8],rax

This illustration shows the three list elements and where the links are set or referenced:

► CcGetVacbMiss

The following lines are RemoveHeadList:

nt!CcGetVacbMiss+0x267:
fffff803`d9966c87 488b55d8        mov     rdx,qword ptr [rbp-28h]
fffff803`d9966c8b 488d45d8        lea     rax,[rbp-28h]
fffff803`d9966c8f 483bd0          cmp     rdx,rax
fffff803`d9966c92 7531            jne     nt!CcGetVacbMiss+0x2a5 (fffff803`d9966cc5)

...

nt!CcGetVacbMiss+0x2a5:
fffff803`d9966cc5 488b02          mov     rax,qword ptr [rdx]
fffff803`d9966cc8 488d4dd8        lea     rcx,[rbp-28h]
fffff803`d9966ccc 48394a08        cmp     qword ptr [rdx+8],rcx
fffff803`d9966cd0 0f854dec0e00    jne     nt! ?? ::FNODOBFM::`string`+0x5e69 (fffff803`d9a55923)

nt!CcGetVacbMiss+0x2b6:
fffff803`d9966cd6 48395008        cmp     qword ptr [rax+8],rdx
fffff803`d9966cda 0f8543ec0e00    jne     nt! ?? ::FNODOBFM::`string`+0x5e69 (fffff803`d9a55923)

nt!CcGetVacbMiss+0x2c0:
fffff803`d9966ce0 488945d8        mov     qword ptr [rbp-28h],rax
fffff803`d9966ce4 488d4dd8        lea     rcx,[rbp-28h]
fffff803`d9966ce8 48894808        mov     qword ptr [rax+8],rcx

This illustration shows the three list elements and where the links are set or referenced:

► CmpLazyCommitWorker

The following lines are RemoveHeadList:

d9dbd081  lea     r15,[nt!CmpLazyCommitListHead (fffff803`d9b6d6e0)]

nt!CmpLazyCommitWorker+0x108:
d9dbd088  mov   rax,qword ptr gs:[188h]
d9dbd091  dec     word ptr [rax+1E4h]
d9dbd098  mov   rbx,qword ptr gs:[188h]
d9dbd0a1  lock btr dword ptr [r14],0
d9dbd0a7  jb      nt!CmpLazyCommitWorker+0x131 (fffff803`d9dbd0b1)

nt!CmpLazyCommitWorker+0x129:
d9dbd0a9  mov     rcx,r14
d9dbd0ac  call    nt!ExpAcquireFastMutexContended (fffff803`d9987a20)

nt!CmpLazyCommitWorker+0x131:
d9dbd0b1  mov     qword ptr [nt!CmpTransactionListLock+0x8 (fffff803`d9b6d688)],rbx
d9dbd0b8  mov     rbx,qword ptr [nt!CmpLazyCommitListHead (fffff803`d9b6d6e0)]
d9dbd0bf  mov     rax,qword ptr [rbx]
d9dbd0c2  cmp     qword ptr [rbx+8],r15
d9dbd0c6  jne     nt!CmpLazyCommitWorker+0x458 (fffff803`d9dbd3d8)

nt!CmpLazyCommitWorker+0x14c:
d9dbd0cc  cmp     qword ptr [rax+8],rbx
d9dbd0d0  jne     nt!CmpLazyCommitWorker+0x458 (fffff803`d9dbd3d8)

nt!CmpLazyCommitWorker+0x156:
d9dbd0d6  mov     qword ptr [nt!CmpLazyCommitListHead (fffff803`d9b6d6e0)],rax
d9dbd0dd  mov     qword ptr [rax+8],r15

This illustration shows the three list elements and where the links are set or referenced:

► ExAllocatePoolWithTag

The following lines are RemoveHeadList:

d9af6444  mov     r8,qword ptr [rbx]
d9af6447  mov     rax,qword ptr [r8]
d9af644a  mov     r9,qword ptr [rax+8]
d9af644e  cmp     r9,r8
d9af6451  jne     nt!ExFreePool+0x3d3 (fffff803`d9af8523)

nt!ExAllocatePoolWithTag+0x44f:
d9af6457  mov     rax,qword ptr [r8+8]
d9af645b  cmp     qword ptr [rax],r8
d9af645e  jne     nt!ExFreePool+0x3d3 (fffff803`d9af8523)

nt!ExAllocatePoolWithTag+0x45c:
d9af6464  mov     rax,qword ptr [r8]
d9af6467  cmp     qword ptr [r8+8],rbx
d9af646b  jne     nt!ExFreePool+0x3cc (fffff803`d9af851c)

nt!ExAllocatePoolWithTag+0x469:
d9af6471  cmp     qword ptr [rax+8],r8
d9af6475  jne     nt!ExFreePool+0x3cc (fffff803`d9af851c)

nt!ExAllocatePoolWithTag+0x473:
d9af647b  mov     r12d,dword ptr [rsp+0D0h]
d9af6483  mov     qword ptr [rbx],rax
d9af6486  mov     qword ptr [rax+8],rbx

This illustration shows the three list elements and where the links are set or referenced:

► IopInitializeBootDrivers

Could not get the disassembly for this one: Flow analysis was incomplete, some code may be missing.

► FsRtlNotifyCompleteIrpList

The following lines are RemoveHeadList:

d9c609a9  mov     rax,qword ptr [rbx]
d9c609ac  mov     rcx,qword ptr [rbx]
d9c609af  mov     rdx,qword ptr [rax]
d9c609b2  sub     rcx,0A8h
d9c609b9  cmp     qword ptr [rax+8],rbx
d9c609bd  jne     nt!FsRtlNotifyCompleteIrpList+0x92 (fffff803`d9c60a0a)

nt!FsRtlNotifyCompleteIrpList+0x47:
d9c609bf  cmp     qword ptr [rdx+8],rax
d9c609c3  jne     nt!FsRtlNotifyCompleteIrpList+0x92 (fffff803`d9c60a0a)

nt!FsRtlNotifyCompleteIrpList+0x4d:
d9c609c5  mov     qword ptr [rbx],rdx
d9c609c8  mov     qword ptr [rdx+8],rbx

This illustration shows the three list elements and where the links are set or referenced:

► KiProcessDisconnectList

The following lines are RemoveHeadList:

d9a05621  mov     rax,qword ptr [rbx]
d9a05624  cmp     rax,rbx
d9a05627  je      nt!KiProcessDisconnectList+0x46 (fffff803`d9a0565e)

nt!KiProcessDisconnectList+0x11:
d9a05629  mov     rcx,qword ptr [rax]
d9a0562c  cmp     qword ptr [rax+8],rbx
d9a05630  jne     nt!KiProcessDisconnectList+0x3f (fffff803`d9a05657)

nt!KiProcessDisconnectList+0x1a:
d9a05632  cmp     qword ptr [rcx+8],rax
d9a05636  jne     nt!KiProcessDisconnectList+0x3f (fffff803`d9a05657)

nt!KiProcessDisconnectList+0x20:
d9a05638  mov     qword ptr [rbx],rcx
d9a0563b  mov     qword ptr [rcx+8],rbx

This illustration shows the three list elements and where the links are set or referenced:

► PnpDeviceQueueGetCompletedRequest

The following lines are RemoveHeadList:

nt!PnpDeviceCompletionQueueGetCompletedRequest+0x49:
fffff803`d989f0c9 488b1de8f42b00  mov     rbx,qword ptr [nt!PnpDeviceCompletionQueue+0x18 (fffff803`d9b5e5b8)]
fffff803`d989f0d0 488d0de1f42b00  lea     rcx,[nt!PnpDeviceCompletionQueue+0x18 (fffff803`d9b5e5b8)]
fffff803`d989f0d7 488b03          mov     rax,qword ptr [rbx]
fffff803`d989f0da 48394b08        cmp     qword ptr [rbx+8],rcx
fffff803`d989f0de 755c            jne     nt!PnpDeviceCompletionQueueGetCompletedRequest+0xbc (fffff803`d989f13c)

nt!PnpDeviceCompletionQueueGetCompletedRequest+0x60:
fffff803`d989f0e0 48395808        cmp     qword ptr [rax+8],rbx
fffff803`d989f0e4 7556            jne     nt!PnpDeviceCompletionQueueGetCompletedRequest+0xbc (fffff803`d989f13c)

nt!PnpDeviceCompletionQueueGetCompletedRequest+0x66:
fffff803`d989f0e6 488905cbf42b00  mov     qword ptr [nt!PnpDeviceCompletionQueue+0x18 (fffff803`d9b5e5b8)],rax
fffff803`d989f0ed 48894808        mov     qword ptr [rax+8],rcx

This illustration shows the three list elements and where the links are set or referenced:

► RtlEmptyAtomTable

The following lines are RemoveHeadList:

d9e0e711  mov     rcx,qword ptr [rsi]
d9e0e714  mov     rax,qword ptr [rcx]
d9e0e717  cmp     qword ptr [rcx+8],rsi
d9e0e71b  jne     nt!RtlEmptyAtomTable+0x135 (fffff803`d9e0e7c5)

nt!RtlEmptyAtomTable+0x91:
d9e0e721  cmp     qword ptr [rax+8],rcx
d9e0e725  jne     nt!RtlEmptyAtomTable+0x135 (fffff803`d9e0e7c5)

nt!RtlEmptyAtomTable+0x9b:
d9e0e72b  mov     qword ptr [rsi],rax
d9e0e72e  mov     qword ptr [rax+8],rsi

This illustration shows the three list elements and where the links are set or referenced:

► RtlDestroyAtomTable

The following lines are RemoveHeadList:

d9e94c6a  mov     rcx,qword ptr [r14]
d9e94c6d  mov     rax,qword ptr [rcx]
d9e94c70  cmp     qword ptr [rcx+8],r14
d9e94c74  jne     nt! ?? ::NNGAKEGL::`string'+0x50c4e (fffff803`d9e94c8e)

nt! ?? ::NNGAKEGL::`string'+0x50c36:
d9e94c76  cmp     qword ptr [rax+8],rcx
d9e94c7a  jne     nt! ?? ::NNGAKEGL::`string'+0x50c4e (fffff803`d9e94c8e)

nt! ?? ::NNGAKEGL::`string'+0x50c3c:
d9e94c7c  mov     qword ptr [r14],rax
d9e94c7f  mov     qword ptr [rax+8],r14

This illustration shows the three list elements and where the links are set or referenced:

► RtlpFreeAllAtom

The following lines are RemoveHeadList:

nt!RtlpFreeAllAtom+0x7b:
d98be7fb  mov     rcx,qword ptr [rbx]
d98be7fe  mov     rax,qword ptr [rcx]
d98be801  cmp     qword ptr [rcx+8],rbx
d98be805  jne     nt!RtlpFreeAllAtom+0x9b (fffff803`d98be81b)

nt!RtlpFreeAllAtom+0x87:
d98be807  cmp     qword ptr [rax+8],rcx
d98be80b  jne     nt!RtlpFreeAllAtom+0x9b (fffff803`d98be81b)

nt!RtlpFreeAllAtom+0x8d:
d98be80d  mov     qword ptr [rbx],rax
d98be810  mov     qword ptr [rax+8],rbx

This illustration shows the three list elements and where the links are set or referenced:

Exercise 5

Problem Statement

Repeat the previous exercise for RemoveTailList in the following routines: BootApplicationPersistentDataProcess.asm, CmpCallCallBacks.asm, CmpDelayCloseWorker.asm, ObpCallPostOperationCallbacks.asm, RaspAddCacheEntry.asm

► BootApplicationPersistentDataProcess

Could not get the disassembly for this one: Flow analysis was incomplete, some code may be missing.

► CmpCallCallBacks

The following lines are RemoveTailList:

nt!CmpCallCallBacks+0x315:
d9d61955  mov     rbx,qword ptr [rsi+8]
d9d61959  mov     qword ptr [rsp+40h],rbx
d9d6195e  mov     rax,qword ptr [rbx+8]
d9d61962  cmp     qword ptr [rbx],rsi
d9d61965  jne     nt! ?? ::NNGAKEGL::`string'+0x5770 (fffff803`d9e55efd)

nt!CmpCallCallBacks+0x32b:
d9d6196b  cmp     qword ptr [rax],rbx
d9d6196e  jne     nt! ?? ::NNGAKEGL::`string'+0x5770 (fffff803`d9e55efd)

nt!CmpCallCallBacks+0x334:
d9d61974  mov     qword ptr [rsi+8],rax
d9d61978  mov     qword ptr [rax],rsi

This illustration shows the three list elements and where the links are set or referenced:

► CmpDelayCloseWorker

The following lines are RemoveTailList:

nt!CmpDelayCloseWorker+0x7a:
d9c2f70a  lea     r8,[nt!CmpDelayedLRUListHead (fffff803`d9b6d8a0)]

...

nt!CmpDelayCloseWorker+0xdb:
d9c2f76b  mov     rcx,qword ptr [nt!CmpDelayedLRUListHead+0x8 (fffff803`d9b6d8a8)]
d9c2f772  mov     rdx,qword ptr [rcx+8]
d9c2f776  lea     r9,[rcx-0D8h]
d9c2f77d  cmp     qword ptr [rcx],r8
d9c2f780  jne     nt! ?? ::NNGAKEGL::`string'+0x966d (fffff803`d9e58c1f)

nt!CmpDelayCloseWorker+0xf6:
d9c2f786  cmp     qword ptr [rdx],rcx
d9c2f789  jne     nt! ?? ::NNGAKEGL::`string'+0x966d (fffff803`d9e58c1f)

nt!CmpDelayCloseWorker+0xff:
d9c2f78f  mov     qword ptr [nt!CmpDelayedLRUListHead+0x8 (fffff803`d9b6d8a8)],rdx
d9c2f796  mov     qword ptr [rdx],r8

This illustration shows the three list elements and where the links are set or referenced:

► ObpCallPostOperationCallbacks

The following lines are RemoveTailList:

nt!ObpCallPostOperationCallbacks+0x1f:
d9dfd64b  mov     rsi,qword ptr [rdi+8]
d9dfd64f  mov     rax,qword ptr [rsi+8]
d9dfd653  cmp     qword ptr [rsi],rdi
d9dfd656  jne     nt!ObpCallPostOperationCallbacks+0x7c (fffff803`d9dfd6a8)

nt!ObpCallPostOperationCallbacks+0x2c:
d9dfd658  cmp     qword ptr [rax],rsi
d9dfd65b  jne     nt!ObpCallPostOperationCallbacks+0x7c (fffff803`d9dfd6a8)

nt!ObpCallPostOperationCallbacks+0x31:
d9dfd65d  mov     qword ptr [rdi+8],rax
d9dfd661  mov     qword ptr [rax],rdi

This illustration shows the three list elements and where the links are set or referenced:

► RaspAddCacheEntry

The following lines are RemoveTailList:

nt! ?? ::CIJCHKMG::`string'+0xee3:
d9ef26b4  mov     rax,qword ptr [rcx+8]
d9ef26b8  mov     rdx,qword ptr [rax+8]
d9ef26bc  cmp     qword ptr [rax],rcx
d9ef26bf  jne     nt! ?? ::CIJCHKMG::`string'+0xf04 (fffff803`d9ef26d5)

nt! ?? ::CIJCHKMG::`string'+0xef0:
d9ef26c1  cmp     qword ptr [rdx],rax
d9ef26c4  jne     nt! ?? ::CIJCHKMG::`string'+0xf04 (fffff803`d9ef26d5)

nt! ?? ::CIJCHKMG::`string'+0xef5:
d9ef26c6  mov     qword ptr [rcx+8],rdx
d9ef26ca  mov     qword ptr [rdx],rcx

This illustration shows the three list elements and where the links are set or referenced: