Practical Reverse Engineering Solutions – Page 123 (Part IV)
My go at exercise 6 on pages 123ff
This blog post presents my solution to exercise 6 on page 123 from the book Practical Reverse Engineering by Bruce Dang, Alexandre Gazet and Elias Bachaalany (ISBN: 1118787315). The book is my first contact with reverse engineering, so take my statements with a grain of salt. All code snippets are on GitHub. For an overview of my solutions consult this progress page.
I’m removing the raw instruction in hex to save space. I’m also not showing the upper 32 bits of the addresses. Check my GitHub page for the complete listings.
Problem Statement
Repeat the previous exercise for RemoveEntryList in the following routines:
AlpcSectionDeleteProcedure
AlpcpDeletePort
AlpcpUnregisterCompletionListDatabase
AuthzBasepRemoveSecurityAttributeFromLists
CcDeleteBcbs
CcFindNextWorkQueueEntry
CcLazyWriteScan
CcSetFileSizesEx
CmShutdownSystem
CmUnRegisterCallback
CmpCallCallBacks
CmpPostApc
ExFreePoolWithTag
ExQueueWorkItem
ExTimerRundown
ExDeleteTimer
ExpDeleteTimer
ExpSetTimer
IoDelteDevice
IoDeleteDevice
IoUnregisterFsRegistrationChange
IopfCompleteRequest
KeDeregisterBugCheckCallback
KeDeregisterObjectNotification
KeRegisterObjectNotification
KeRemoveQueueApc
KeRemoveQueueDpc
KiCancelTimer
KeTerminateThread
KiDeliverApc
KiExecuteAllDpcs
KiExpireTimerTable
KiFindReadyThread
KiFlushQueueApc
KiInsertTimerTable
KiProcessExpiredTimerList
MiDeleteVirtualAddresses
NtNotifyChangeMultipleKeys
ObRegisterCallbacks
ObUnRegisterCallbacks
Solution
► AlpcSectionDeleteProcedure
The following lines are RemoveEntryList:
    nt!AlpcSectionDeleteProcedure+0x6e:
    220d974a mov rax,qword ptr [rdi]
    220d974d cmp rax,rdi
    220d9750 jne nt!AlpcSectionDeleteProcedure+0x113 (fffff803`220d97ef)
    ...
    nt!AlpcSectionDeleteProcedure+0x113:
    220d97ef mov rcx,qword ptr [rdi+8]
    220d97f3 cmp qword ptr [rax+8],rdi
    220d97f7 jne nt!AlpcSectionDeleteProcedure+0x135 (fffff803`220d9811)
    nt!AlpcSectionDeleteProcedure+0x11d:
    220d97f9 cmp qword ptr [rcx],rdi
    220d97fc jne nt!AlpcSectionDeleteProcedure+0x135 (fffff803`220d9811)
    nt!AlpcSectionDeleteProcedure+0x122:
    220d97fe mov qword ptr [rcx],rax
    220d9801 mov qword ptr [rax+8],rcx
This illustration shows the three list elements and where the links are set or referenced:
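The check-then-unlink sequence that recurs in these listings, written out in C with the matching instructions from the first listing as comments. This is an added example, not code from the book or the original post: the record type, the function names and the return codes are hypothetical, and because the listings do not show what runs at the jne targets, a failed check here simply returns an error code.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Same layout as LIST_ENTRY on x64: Flink at +0, Blink at +8. */
typedef struct list_entry {
    struct list_entry *Flink;
    struct list_entry *Blink;
} list_entry;

/* Hypothetical container with its links at +0x10, mirroring the
   "lea rax,[rbx+10h]" form seen in the CmpPostApc listing. */
typedef struct record {
    uint64_t   fields[2];
    list_entry links;
    int        id;
} record;

/* Hypothetical result codes; the listings only show a jne on failure. */
enum { UNLINK_OK = 0, UNLINK_BAD_FLINK = 1, UNLINK_BAD_BLINK = 2 };

static void list_init(list_entry *head) { head->Flink = head->Blink = head; }

static void list_insert_tail(list_entry *head, list_entry *e)
{
    e->Flink = head;
    e->Blink = head->Blink;
    head->Blink->Flink = e;
    head->Blink = e;
}

static int list_length(const list_entry *head)
{
    int n = 0;
    for (const list_entry *p = head->Flink; p != head; p = p->Flink)
        n++;
    return n;
}

/* RemoveEntryList with both neighbour checks done before any write. */
int checked_remove_entry(list_entry *entry)
{
    list_entry *flink = entry->Flink;   /* mov rax,qword ptr [rdi]        */
    list_entry *blink = entry->Blink;   /* mov rcx,qword ptr [rdi+8]      */

    if (flink->Blink != entry)          /* cmp qword ptr [rax+8],rdi; jne */
        return UNLINK_BAD_FLINK;
    if (blink->Flink != entry)          /* cmp qword ptr [rcx],rdi; jne   */
        return UNLINK_BAD_BLINK;

    blink->Flink = flink;               /* mov qword ptr [rcx],rax        */
    flink->Blink = blink;               /* mov qword ptr [rax+8],rcx      */
    return UNLINK_OK;
}

/* Consistent list head <-> r0 <-> r1 <-> r2; remove r1.
   Returns 1 when r0 and r2 end up linked to each other. */
int demo_clean_unlink(void)
{
    list_entry head;
    record r[3];
    list_init(&head);
    for (int i = 0; i < 3; i++) {
        r[i].id = i;
        list_insert_tail(&head, &r[i].links);
    }
    int rc = checked_remove_entry(&r[1].links);
    return rc == UNLINK_OK
        && r[0].links.Flink == &r[2].links
        && r[2].links.Blink == &r[0].links
        && list_length(&head) == 2;
}

/* Constructed inconsistent state: one link of r1 points at a stray entry
   that does not point back. Returns the check result, or -1 if any
   neighbour was modified although the check failed. */
int demo_inconsistent(int break_flink)
{
    list_entry head, stray;
    record r[3];
    list_init(&head);
    list_init(&stray);
    for (int i = 0; i < 3; i++) {
        r[i].id = i;
        list_insert_tail(&head, &r[i].links);
    }
    if (break_flink)
        r[1].links.Flink = &stray;
    else
        r[1].links.Blink = &stray;

    int rc = checked_remove_entry(&r[1].links);
    if (r[0].links.Flink != &r[1].links || r[2].links.Blink != &r[1].links ||
        stray.Flink != &stray || stray.Blink != &stray)
        return -1;
    return rc;
}

int main(void)
{
    printf("links offset in record: 0x%zx\n", offsetof(record, links));
    printf("clean unlink ok:        %d\n", demo_clean_unlink());
    printf("inconsistent Blink:     %d\n", demo_inconsistent(0));
    printf("inconsistent Flink:     %d\n", demo_inconsistent(1));
    return 0;
}
```

Listings that start with lea or add (for example add rsi,88h) first compute the address of a LIST_ENTRY embedded in a larger structure; the checks and the two stores that follow are the same.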
There is a second occurrence of RemoveEntryList here:
    220beeec mov r8,qword ptr [rcx]
    220beeef mov rdx,qword ptr [rcx+8]
    220beef3 cmp qword ptr [r8+8],rcx
    220beef7 jne nt!AlpcpDoPortCleanup+0x188 (fffff803`220bef38)
    nt!AlpcpDoPortCleanup+0x149:
    220beef9 cmp qword ptr [rdx],rax
    220beefc jne nt!AlpcpDoPortCleanup+0x188 (fffff803`220bef38)
    nt!AlpcpDoPortCleanup+0x14e:
    220beefe mov qword ptr [rdx],r8
    220bef01 mov qword ptr [r8+8],rdx
This illustration shows the three list elements and where the links are set or referenced:
There is a second occurrence of RemoveEntryList here:
    220d445b mov rdx,qword ptr [rdi]
    220d445e mov rax,qword ptr [rdi+8]
    220d4462 cmp qword ptr [rdx+8],rdi
    220d4466 jne nt! ?? ::NNGAKEGL::`string'+0x330fa (fffff803`22268bed)
    nt!AlpcpDeletePort+0x140:
    220d446c cmp qword ptr [rax],rdi
    220d446f jne nt! ?? ::NNGAKEGL::`string'+0x330fa (fffff803`22268bed)
    nt!AlpcpDeletePort+0x149:
    220d4475 mov qword ptr [rax],rdx
    220d4478 mov qword ptr [rdx+8],rax
This illustration shows the three list elements and where the links are set or referenced:
There is a third occurrence of RemoveEntryList here:
    nt! ?? ::NNGAKEGL::`string'+0x32899:
    222686d5 mov rax,qword ptr [rdi]
    222686d8 cmp rax,rdi
    222686db je nt! ?? ::NNGAKEGL::`string'+0x328be (fffff803`222686fa)
    nt! ?? ::NNGAKEGL::`string'+0x328a1:
    222686dd mov rcx,qword ptr [rdi+8]
    222686e1 cmp qword ptr [rax+8],rdi
    222686e5 jne nt! ?? ::NNGAKEGL::`string'+0x328ea (fffff803`22268726)
    nt! ?? ::NNGAKEGL::`string'+0x328ab:
    222686e7 cmp qword ptr [rcx],rdi
    222686ea jne nt! ?? ::NNGAKEGL::`string'+0x328ea (fffff803`22268726)
    nt! ?? ::NNGAKEGL::`string'+0x328b0:
    222686ec mov qword ptr [rcx],rax
    222686ef mov qword ptr [rax+8],rcx
This illustration shows the three list elements and where the links are set or referenced:
► AlpcpUnregisterCompletionListDatabase
The following lines are RemoveEntryList:
    nt!AlpcpUnregisterCompletionListDatabase+0x15:
    21ffb831 mov rdx,qword ptr [rbx]
    21ffb834 mov rax,qword ptr [rbx+8]
    21ffb838 cmp qword ptr [rdx+8],rbx
    21ffb83c jne nt!AlpcpUnregisterCompletionListDatabase+0x5d (fffff803`21ffb879)
    nt!AlpcpUnregisterCompletionListDatabase+0x22:
    21ffb83e cmp qword ptr [rax],rbx
    21ffb841 jne nt!AlpcpUnregisterCompletionListDatabase+0x5d (fffff803`21ffb879)
    nt!AlpcpUnregisterCompletionListDatabase+0x27:
    21ffb843 mov qword ptr [rax],rdx
    21ffb846 mov qword ptr [rdx+8],rax
This illustration shows the three list elements and where the links are set or referenced:
► AuthzBasepRemoveSecurityAttributeFromLists
The following lines are RemoveEntryList:
    nt!AuthzBasepRemoveSecurityAttributeFromLists+0x49:
    22141fbd mov r8,qword ptr [rdx]
    22141fc0 mov rax,qword ptr [rdx+8]
    22141fc4 cmp qword ptr [r8+8],rdx
    22141fc8 jne nt!AuthzBasepRemoveSecurityAttributeFromLists+0x76 (fffff803`22141fea)
    nt!AuthzBasepRemoveSecurityAttributeFromLists+0x56:
    22141fca cmp qword ptr [rax],rdx
    22141fcd jne nt!AuthzBasepRemoveSecurityAttributeFromLists+0x76 (fffff803`22141fea)
    nt!AuthzBasepRemoveSecurityAttributeFromLists+0x5b:
    22141fcf mov qword ptr [rax],r8
    22141fd2 mov qword ptr [r8+8],rax
This illustration shows the three list elements and where the links are set or referenced:
► CcDeleteBcbs
The following lines are RemoveEntryList:
    21c78327 mov rsi,qword ptr [rax]
    21c7832a cmp word ptr [rbx],cx
    21c7832d je nt! ?? ::FNODOBFM::`string'+0x2a82 (fffff803`21e3f014)
    ...
    nt! ?? ::FNODOBFM::`string'+0x2a82:
    21e3f014 cmp dword ptr [rbx+40h],ebp
    21e3f017 jne nt! ?? ::FNODOBFM::`string'+0x2b92 (fffff803`21e3f124)
    nt! ?? ::FNODOBFM::`string'+0x2a8b:
    21e3f01d mov rcx,qword ptr [rax+8]
    21e3f021 cmp qword ptr [rsi+8],rax
    21e3f025 jne nt! ?? ::FNODOBFM::`string'+0x2b8b (fffff803`21e3f11d)
    nt! ?? ::FNODOBFM::`string'+0x2a99:
    21e3f02b cmp qword ptr [rcx],rax
    21e3f02e jne nt! ?? ::FNODOBFM::`string'+0x2b8b (fffff803`21e3f11d)
    nt! ?? ::FNODOBFM::`string'+0x2aa2:
    21e3f034 mov qword ptr [rcx],rsi
    21e3f037 mov qword ptr [rsi+8],rcx
This illustration shows the three list elements and where the links are set or referenced:
► CcFindNextWorkQueueEntry
The following lines are RemoveEntryList:
    nt!CcFindNextWorkQueueEntry+0x27:
    21cf9c97 mov rcx,qword ptr [rdx]
    21cf9c9a mov rax,qword ptr [rdx+8]
    21cf9c9e cmp qword ptr [rcx+8],rdx
    21cf9ca2 jne nt! ?? ::FNODOBFM::`string'+0x3372 (fffff803`21e3f67c)
    nt!CcFindNextWorkQueueEntry+0x38:
    21cf9ca8 cmp qword ptr [rax],rdx
    21cf9cab jne nt! ?? ::FNODOBFM::`string'+0x3372 (fffff803`21e3f67c)
    nt!CcFindNextWorkQueueEntry+0x41:
    21cf9cb1 mov qword ptr [rax],rcx
    21cf9cb4 mov qword ptr [rcx+8],rax
This illustration shows the three list elements and where the links are set or referenced:
► CcLazyWriteScan
The following lines are RemoveEntryList:
    nt!CcLazyWriteScan+0x648:
    21d7010c mov rcx,qword ptr [nt!CcLazyWriterCursor (fffff803`21f5abe0)]
    21d70113 mov rax,qword ptr [nt!CcLazyWriterCursor+0x8 (fffff803`21f5abe8)]
    21d7011a cmp qword ptr [rcx+8],rdi
    21d7011e jne nt! ?? ::FNODOBFM::`string'+0x37da (fffff803`21e3f779)
    nt!CcLazyWriteScan+0x660:
    21d70124 cmp qword ptr [rax],rdi
    21d70127 jne nt! ?? ::FNODOBFM::`string'+0x37da (fffff803`21e3f779)
    nt!CcLazyWriteScan+0x669:
    21d7012d mov qword ptr [rax],rcx
    21d70130 mov qword ptr [rcx+8],rax
This illustration shows the three list elements and where the links are set or referenced:
► CcSetFileSizesEx
The following lines are RemoveEntryList:
    nt!CcSetFileSizesEx+0x338:
    21d1de9a add rsi,88h
    21d1dea1 mov rcx,qword ptr [rsi]
    21d1dea4 mov rax,qword ptr [rsi+8]
    21d1dea8 cmp qword ptr [rcx+8],rsi
    21d1deac jne nt! ?? ::FNODOBFM::`string'+0x29be (fffff803`21e3ef4d)
    nt!CcSetFileSizesEx+0x350:
    21d1deb2 cmp qword ptr [rax],rsi
    21d1deb5 jne nt! ?? ::FNODOBFM::`string'+0x29be (fffff803`21e3ef4d)
    nt!CcSetFileSizesEx+0x359:
    21d1debb mov qword ptr [rax],rcx
    21d1debe mov qword ptr [rcx+8],rax
This illustration shows the three list elements and where the links are set or referenced:
There is a second occurrence of RemoveEntryList here:
    nt!CcSetFileSizesEx+0x46f:
    21d1dfd3 add rsi,88h
    21d1dfda mov rcx,qword ptr [rsi]
    21d1dfdd mov rax,qword ptr [rsi+8]
    21d1dfe1 cmp qword ptr [rcx+8],rsi
    21d1dfe5 jne nt!CcSetFileSizesEx+0x4d7 (fffff803`21d1e03b)
    nt!CcSetFileSizesEx+0x483:
    21d1dfe7 cmp qword ptr [rax],rsi
    21d1dfea jne nt!CcSetFileSizesEx+0x4d7 (fffff803`21d1e03b)
    nt!CcSetFileSizesEx+0x488:
    21d1dfec mov qword ptr [rax],rcx
    21d1dfef mov qword ptr [rcx+8],rax
This illustration shows the three list elements and where the links are set or referenced:
There is a third occurrence of RemoveEntryList here:
    nt! ?? ::FNODOBFM::`string'+0x2723:
    21e3ecf2 mov rdx,qword ptr [rsi+78h]
    21e3ecf6 lea rax,[rsi+78h]
    21e3ecfa mov rcx,qword ptr [rax+8]
    21e3ecfe cmp qword ptr [rdx+8],rax
    21e3ed02 jne nt! ?? ::FNODOBFM::`string'+0x27d4 (fffff803`21e3ed93)
    nt! ?? ::FNODOBFM::`string'+0x2739:
    21e3ed08 cmp qword ptr [rcx],rax
    21e3ed0b jne nt! ?? ::FNODOBFM::`string'+0x27d4 (fffff803`21e3ed93)
    nt! ?? ::FNODOBFM::`string'+0x2742:
    21e3ed11 mov qword ptr [rcx],rdx
    21e3ed14 mov qword ptr [rdx+8],rcx
This illustration shows the three list elements and where the links are set or referenced:
There is a fourth occurrence of RemoveEntryList here:
    nt! ?? ::FNODOBFM::`string'+0x2778:
    21e3ed43 add rsi,88h
    21e3ed4a mov rcx,qword ptr [rsi]
    21e3ed4d mov rax,qword ptr [rsi+8]
    21e3ed51 cmp qword ptr [rcx+8],rsi
    21e3ed55 jne nt! ?? ::FNODOBFM::`string'+0x27cd (fffff803`21e3ed8c)
    nt! ?? ::FNODOBFM::`string'+0x2790:
    21e3ed57 cmp qword ptr [rax],rsi
    21e3ed5a jne nt! ?? ::FNODOBFM::`string'+0x27cd (fffff803`21e3ed8c)
    nt! ?? ::FNODOBFM::`string'+0x2799:
    21e3ed5c mov qword ptr [rax],rcx
    21e3ed5f mov qword ptr [rcx+8],rax
This illustration shows the three list elements and where the links are set or referenced:
There is a fifth occurrence of RemoveEntryList here:
    nt! ?? ::FNODOBFM::`string'+0x27db:
    21e3ed9a mov rdx,qword ptr [rsi+78h]
    21e3ed9e lea rax,[rsi+78h]
    21e3eda2 mov rcx,qword ptr [rax+8]
    21e3eda6 cmp qword ptr [rdx+8],rax
    21e3edaa jne nt! ?? ::FNODOBFM::`string'+0x2835 (fffff803`21e3ede8)
    nt! ?? ::FNODOBFM::`string'+0x27f1:
    21e3edac cmp qword ptr [rcx],rax
    21e3edaf jne nt! ?? ::FNODOBFM::`string'+0x2835 (fffff803`21e3ede8)
    nt! ?? ::FNODOBFM::`string'+0x27fa:
    21e3edb1 mov qword ptr [rcx],rdx
    21e3edb4 mov qword ptr [rdx+8],rcx
This illustration shows the three list elements and where the links are set or referenced:
There is a sixth occurrence of RemoveEntryList here:
    nt! ?? ::FNODOBFM::`string'+0x28a5:
    21e3ee50 mov rdx,qword ptr [rsi+78h]
    21e3ee54 lea rax,[rsi+78h]
    21e3ee58 mov rcx,qword ptr [rax+8]
    21e3ee5c cmp qword ptr [rdx+8],rax
    21e3ee60 jne nt! ?? ::FNODOBFM::`string'+0x2956 (fffff803`21e3eef1)
    nt! ?? ::FNODOBFM::`string'+0x28bb:
    21e3ee66 cmp qword ptr [rcx],rax
    21e3ee69 jne nt! ?? ::FNODOBFM::`string'+0x2956 (fffff803`21e3eef1)
    nt! ?? ::FNODOBFM::`string'+0x28c4:
    21e3ee6f mov qword ptr [rcx],rdx
    21e3ee72 mov qword ptr [rdx+8],rcx
This illustration shows the three list elements and where the links are set or referenced:
There is a seventh occurrence of RemoveEntryList here:
    nt! ?? ::FNODOBFM::`string'+0x28fa:
    21e3eea1 add rsi,88h
    21e3eea8 mov rcx,qword ptr [rsi]
    21e3eeab mov rax,qword ptr [rsi+8]
    21e3eeaf cmp qword ptr [rcx+8],rsi
    21e3eeb3 jne nt! ?? ::FNODOBFM::`string'+0x294f (fffff803`21e3eeea)
    nt! ?? ::FNODOBFM::`string'+0x2912:
    21e3eeb5 cmp qword ptr [rax],rsi
    21e3eeb8 jne nt! ?? ::FNODOBFM::`string'+0x294f (fffff803`21e3eeea)
    nt! ?? ::FNODOBFM::`string'+0x291b:
    21e3eeba mov qword ptr [rax],rcx
    21e3eebd mov qword ptr [rcx+8],rax
This illustration shows the three list elements and where the links are set or referenced:
There is an eighth occurrence of RemoveEntryList here:
    nt! ?? ::FNODOBFM::`string'+0x295d:
    21e3eef8 mov rdx,qword ptr [rsi+78h]
    21e3eefc lea rax,[rsi+78h]
    21e3ef00 mov rcx,qword ptr [rax+8]
    21e3ef04 cmp qword ptr [rdx+8],rax
    21e3ef08 jne nt! ?? ::FNODOBFM::`string'+0x29c5 (fffff803`21e3ef54)
    nt! ?? ::FNODOBFM::`string'+0x2973:
    21e3ef0a cmp qword ptr [rcx],rax
    21e3ef0d jne nt! ?? ::FNODOBFM::`string'+0x29c5 (fffff803`21e3ef54)
    nt! ?? ::FNODOBFM::`string'+0x297c:
    21e3ef0f mov qword ptr [rcx],rdx
    21e3ef12 mov qword ptr [rdx+8],rcx
This illustration shows the three list elements and where the links are set or referenced:
► CmShutdownSystem
The following lines are RemoveEntryList:
    nt!CmShutdownSystem+0x2b0:
    221a4260 mov rcx,qword ptr [rsi]
    221a4263 mov rax,qword ptr [rsi+8]
    221a4267 cmp qword ptr [rcx+8],rsi
    221a426b jne nt!CmShutdownSystem+0x4d2 (fffff803`221a4482)
    nt!CmShutdownSystem+0x2c1:
    221a4271 cmp qword ptr [rax],rsi
    221a4274 jne nt!CmShutdownSystem+0x4d2 (fffff803`221a4482)
    nt!CmShutdownSystem+0x2ca:
    221a427a mov qword ptr [rax],rcx
    221a427d mov qword ptr [rcx+8],rax
This illustration shows the three list elements and where the links are set or referenced:
► CmUnRegisterCallback
The following lines are RemoveEntryList:
    nt!CmUnRegisterCallback+0xaf:
    2218793f mov rcx,qword ptr [rdi]
    22187942 mov rax,qword ptr [rdi+8]
    22187946 cmp qword ptr [rcx+8],rdi
    2218794a jne nt! ?? ::NNGAKEGL::`string'+0x5241 (fffff803`222419f5)
    nt!CmUnRegisterCallback+0xc0:
    22187950 cmp qword ptr [rax],rdi
    22187953 jne nt! ?? ::NNGAKEGL::`string'+0x5241 (fffff803`222419f5)
    nt!CmUnRegisterCallback+0xc9:
    22187959 mov qword ptr [rax],rcx
    2218795c mov qword ptr [rcx+8],rax
This illustration shows the three list elements and where the links are set or referenced:
There is a second occurrence of RemoveEntryList here:
    nt! ?? ::NNGAKEGL::`string'+0x5176:
    2224192a mov rcx,qword ptr [rdi]
    2224192d mov rax,qword ptr [rdi+8]
    22241931 cmp qword ptr [rcx+8],rdi
    22241935 jne nt! ?? ::NNGAKEGL::`string'+0x5214 (fffff803`222419c8)
    nt! ?? ::NNGAKEGL::`string'+0x5187:
    2224193b cmp qword ptr [rax],rdi
    2224193e jne nt! ?? ::NNGAKEGL::`string'+0x5214 (fffff803`222419c8)
    nt! ?? ::NNGAKEGL::`string'+0x5190:
    22241944 mov qword ptr [rax],rcx
    22241947 mov qword ptr [rcx+8],rax
This illustration shows the three list elements and where the links are set or referenced:
There is a third occurrence of RemoveEntryList here:
    nt! ?? ::NNGAKEGL::`string'+0x52fe:
    22241aae lea rax,[r15+10h]
    22241ab2 mov rdx,qword ptr [rax]
    22241ab5 mov rcx,qword ptr [rax+8]
    22241ab9 cmp qword ptr [rdx+8],rax
    22241abd jne nt! ?? ::NNGAKEGL::`string'+0x53a4 (fffff803`22241b4c)
    nt! ?? ::NNGAKEGL::`string'+0x5313:
    22241ac3 cmp qword ptr [rcx],rax
    22241ac6 jne nt! ?? ::NNGAKEGL::`string'+0x53a4 (fffff803`22241b4c)
    nt! ?? ::NNGAKEGL::`string'+0x531c:
    22241acc mov qword ptr [rcx],rdx
    22241acf mov qword ptr [rdx+8],rcx
This illustration shows the three list elements and where the links are set or referenced:
► CmpCallCallBacks
The following lines are RemoveEntryList:
    nt! ?? ::NNGAKEGL::`string'+0x55d6:
    22241d81 mov rcx,qword ptr [r8]
    22241d84 mov rax,qword ptr [r8+8]
    22241d88 cmp qword ptr [rcx+8],r8
    22241d8c jne nt! ?? ::NNGAKEGL::`string'+0x569d (fffff803`22241e35)
    nt! ?? ::NNGAKEGL::`string'+0x55e7:
    22241d92 cmp qword ptr [rax],r8
    22241d95 jne nt! ?? ::NNGAKEGL::`string'+0x569d (fffff803`22241e35)
    nt! ?? ::NNGAKEGL::`string'+0x55f0:
    22241d9b mov qword ptr [rax],rcx
    22241d9e mov qword ptr [rcx+8],rax
This illustration shows the three list elements and where the links are set or referenced:
► CmpPostApc
The following lines are RemoveEntryList:
    nt!CmpPostApc+0x110:
    2206ed48 lea rax,[rbx+10h]
    2206ed4c mov rdx,qword ptr [rax]
    2206ed4f mov rcx,qword ptr [rax+8]
    2206ed53 cmp qword ptr [rdx+8],rax
    2206ed57 jne nt! ?? ::NNGAKEGL::`string'+0xe402 (fffff803`222491e4)
    nt!CmpPostApc+0x125:
    2206ed5d cmp qword ptr [rcx],rax
    2206ed60 jne nt! ?? ::NNGAKEGL::`string'+0xe402 (fffff803`222491e4)
    nt!CmpPostApc+0x12e:
    2206ed66 mov qword ptr [rcx],rdx
    2206ed69 mov qword ptr [rdx+8],rcx
This illustration shows the three list elements and where the links are set or referenced:
There is a second occurrence of RemoveEntryList here:
    2206ed94 mov r8,qword ptr [rax]
    2206ed97 mov rdx,qword ptr [rax+8]
    2206ed9b cmp qword ptr [r8+8],rax
    2206ed9f jne nt!CmpPostApc+0x1a0 (fffff803`2206edd8)
    nt!CmpPostApc+0x169:
    2206eda1 cmp qword ptr [rdx],rax
    2206eda4 jne nt!CmpPostApc+0x1a0 (fffff803`2206edd8)
    nt!CmpPostApc+0x16e:
    2206eda6 mov qword ptr [rdx],r8
    2206eda9 mov qword ptr [r8+8],rdx
This illustration shows the three list elements and where the links are set or referenced:
There is a third occurrence of RemoveEntryList here:
    2206edb1 mov r8,qword ptr [rdx]
    2206edb4 mov rax,qword ptr [rdx+8]
    2206edb8 cmp qword ptr [r8+8],rdx
    2206edbc jne nt!CmpPostApc+0x199 (fffff803`2206edd1)
    nt!CmpPostApc+0x186:
    2206edbe cmp qword ptr [rax],rdx
    2206edc1 jne nt!CmpPostApc+0x199 (fffff803`2206edd1)
    nt!CmpPostApc+0x18b:
    2206edc3 mov qword ptr [rax],r8
    2206edc6 mov qword ptr [r8+8],rax
This illustration shows the three list elements and where the links are set or referenced:
► ExFreePoolWithTag
The following lines are RemoveEntryList:
    nt!ExFreePoolWithTag+0x9a6:
    21ee3b06 mov r8,qword ptr [r13+10h]
    21ee3b0a mov rdx,qword ptr [r13+18h]
    21ee3b0e lea rax,[r13+10h]
    21ee3b12 cmp qword ptr [r8+8],rax
    21ee3b16 jne nt!ExFreePool+0x946 (fffff803`21ee4a2c)
    nt!ExFreePoolWithTag+0x9bc:
    21ee3b1c cmp qword ptr [rdx],rax
    21ee3b1f jne nt!ExFreePool+0x946 (fffff803`21ee4a2c)
    nt!ExFreePoolWithTag+0x9c5:
    21ee3b25 mov qword ptr [rdx],r8
    21ee3b28 mov qword ptr [r8+8],rdx
This illustration shows the three list elements and where the links are set or referenced:
There is a second occurrence of RemoveEntryList here:
    nt!ExFreePoolWithTag+0xf2c:
    21ee408c mov rdx,qword ptr [r8+10h]
    21ee4090 mov rcx,qword ptr [r8+18h]
    21ee4094 lea rax,[r8+10h]
    21ee4098 cmp qword ptr [rdx+8],rax
    21ee409c jne nt!ExFreePool+0xc08 (fffff803`21ee4cca)
    nt!ExFreePoolWithTag+0xf42:
    21ee40a2 cmp qword ptr [rcx],rax
    21ee40a5 jne nt!ExFreePool+0xc08 (fffff803`21ee4cca)
    nt!ExFreePoolWithTag+0xf4b:
    21ee40ab mov qword ptr [rcx],rdx
    21ee40ae mov qword ptr [rdx+8],rcx
This illustration shows the three list elements and where the links are set or referenced:
There is a third occurrence of RemoveEntryList here:
    nt!ExFreePool+0xc1b:
    21ee4cd9 mov r8,qword ptr [rcx+10h]
    21ee4cdd mov rdx,qword ptr [rcx+18h]
    21ee4ce1 lea rax,[rcx+10h]
    21ee4ce5 cmp qword ptr [r8+8],rax
    21ee4ce9 jne nt!ExFreePool+0xc55 (fffff803`21ee4d0b)
    nt!ExFreePool+0xc31:
    21ee4ceb cmp qword ptr [rdx],rax
    21ee4cee jne nt!ExFreePool+0xc55 (fffff803`21ee4d0b)
    nt!ExFreePool+0xc3a:
    21ee4cf0 mov qword ptr [rdx],r8
    21ee4cf3 mov qword ptr [r8+8],rdx
This illustration shows the three list elements and where the links are set or referenced:
► ExQueueWorkItem
The following lines are RemoveEntryList:
    nt!ExQueueWorkItem+0x144:
    21d05814 mov rdx,rsi
    21d05817 mov rsi,qword ptr [rdx+8]
    21d0581b mov r8,qword ptr [rdx]
    21d0581e cmp qword ptr [r8+8],rdx
    21d05822 jne nt!ExQueueWorkItem+0x485 (fffff803`21d05b43)
    nt!ExQueueWorkItem+0x158:
    21d05828 cmp qword ptr [rsi],rdx
    21d0582b jne nt!ExQueueWorkItem+0x485 (fffff803`21d05b43)
    nt!ExQueueWorkItem+0x161:
    21d05831 mov qword ptr [rsi],r8
    21d05834 mov qword ptr [r8+8],rsi
This illustration shows the three list elements and where the links are set or referenced:
There is a second occurrence of RemoveEntryList here:
    nt! ?? ::FNODOBFM::`string'+0x4d452:
    21e71a79 mov rdx,qword ptr [rsi]
    21e71a7c mov rax,qword ptr [rsi+8]
    21e71a80 cmp qword ptr [rdx+8],rsi
    21e71a84 jne nt! ?? ::FNODOBFM::`string'+0x4d55e (fffff803`21e71b7d)
    nt! ?? ::FNODOBFM::`string'+0x4d463:
    21e71a8a cmp qword ptr [rax],rsi
    21e71a8d jne nt! ?? ::FNODOBFM::`string'+0x4d55e (fffff803`21e71b7d)
    nt! ?? ::FNODOBFM::`string'+0x4d46c:
    21e71a93 mov qword ptr [rax],rdx
    21e71a96 mov qword ptr [rdx+8],rax
This illustration shows the three list elements and where the links are set or referenced:
► ExTimerRundown
The following lines are RemoveEntryList:
    21d575dd mov rdx,qword ptr [rax]
    21d575e0 mov rcx,qword ptr [rax+8]
    21d575e4 cmp qword ptr [rdx+8],rax
    21d575e8 jne nt! ?? ::FNODOBFM::`string'+0x4e595 (fffff803`21e72a8b)
    nt!ExTimerRundown+0x14e:
    21d575ee cmp qword ptr [rcx],rax
    21d575f1 jne nt! ?? ::FNODOBFM::`string'+0x4e595 (fffff803`21e72a8b)
    nt!ExTimerRundown+0x157:
    21d575f7 mov qword ptr [rcx],rdx
    21d575fa mov qword ptr [rdx+8],rcx
This illustration shows the three list elements and where the links are set or referenced:
► ExpDeleteTimer
The following lines are RemoveEntryList:
    nt!ExpDeleteTimer+0xc0:
    21d69bcc mov rcx,qword ptr [rdi]
    21d69bcf mov rax,qword ptr [rdi+8]
    21d69bd3 cmp qword ptr [rcx+8],rdi
    21d69bd7 jne nt! ?? ::FNODOBFM::`string'+0x4e437 (fffff803`21d84597)
    nt!ExpDeleteTimer+0xd1:
    21d69bdd cmp qword ptr [rax],rdi
    21d69be0 jne nt! ?? ::FNODOBFM::`string'+0x4e437 (fffff803`21d84597)
    nt!ExpDeleteTimer+0xda:
    21d69be6 mov qword ptr [rax],rcx
    21d69be9 mov qword ptr [rcx+8],rax
This illustration shows the three list elements and where the links are set or referenced:
There is a second occurrence of RemoveEntryList here:
    nt!ExpDeleteTimer+0x129:
    21d69c35 mov rdx,qword ptr [r14]
    21d69c38 mov rax,qword ptr [r14+8]
    21d69c3c cmp qword ptr [rdx+8],r14
    21d69c40 jne nt!ExpDeleteTimer+0x19d (fffff803`21d69ca9)
    nt!ExpDeleteTimer+0x136:
    21d69c42 cmp qword ptr [rax],r14
    21d69c45 jne nt!ExpDeleteTimer+0x19d (fffff803`21d69ca9)
    nt!ExpDeleteTimer+0x13b:
    21d69c47 mov qword ptr [rax],rdx
    21d69c4a mov qword ptr [rdx+8],rax
This illustration shows the three list elements and where the links are set or referenced:
► ExpSetTimer
The following lines are RemoveEntryList:
    nt! ?? ::FNODOBFM::`string'+0x4df49:
    21e72548 lea rax,[rdi+0E0h]
    21e7254f mov r8,qword ptr [rax]
    21e72552 mov rdx,qword ptr [rax+8]
    21e72556 cmp qword ptr [r8+8],rax
    21e7255a jne nt! ?? ::FNODOBFM::`string'+0x4dfd3 (fffff803`21e725c3)
    nt! ?? ::FNODOBFM::`string'+0x4df61:
    21e7255c cmp qword ptr [rdx],rax
    21e7255f jne nt! ?? ::FNODOBFM::`string'+0x4dfd3 (fffff803`21e725c3)
    nt! ?? ::FNODOBFM::`string'+0x4df6a:
    21e72561 mov qword ptr [rdx],r8
    21e72564 mov qword ptr [r8+8],rdx
This illustration shows the three list elements and where the links are set or referenced:
► IoDeleteDevice
The following lines are RemoveEntryList:
    nt! ?? ::FNODOBFM::`string'+0xa9cc:
    21e454e0 lea rax,[rdi+8]
    21e454e4 mov rdx,qword ptr [rax]
    21e454e7 mov rcx,qword ptr [rax+8]
    21e454eb cmp qword ptr [rdx+8],rax
    21e454ef jne nt! ?? ::FNODOBFM::`string'+0xaa34 (fffff803`21e45548)
    nt! ?? ::FNODOBFM::`string'+0xa9dd:
    21e454f1 cmp qword ptr [rcx],rax
    21e454f4 jne nt! ?? ::FNODOBFM::`string'+0xaa34 (fffff803`21e45548)
    nt! ?? ::FNODOBFM::`string'+0xa9e2:
    21e454f6 mov qword ptr [rcx],rdx
    21e454f9 mov qword ptr [rdx+8],rcx
This illustration shows the three list elements and where the links are set or referenced:
► IoUnregisterFsRegistrationChange
The following lines are RemoveEntryList:
    nt!IoUnregisterFsRegistrationChange+0xac:
    221be4cc mov rdx,qword ptr [rcx]
    221be4cf mov rax,qword ptr [rcx+8]
    221be4d3 cmp qword ptr [rdx+8],rcx
    221be4d7 jne nt!IoUnregisterFsRegistrationChange+0xce (fffff803`221be4ee)
    nt!IoUnregisterFsRegistrationChange+0xb9:
    221be4d9 cmp qword ptr [rax],rcx
    221be4dc jne nt!IoUnregisterFsRegistrationChange+0xce (fffff803`221be4ee)
    nt!IoUnregisterFsRegistrationChange+0xbe:
    221be4de mov qword ptr [rax],rdx
    221be4e1 mov qword ptr [rdx+8],rax
This illustration shows the three list elements and where the links are set or referenced:
There is a second occurrence of RemoveEntryList here:
    nt!IoUnregisterFileSystem+0x40:
    221be540 mov rcx,qword ptr [r11]
    221be543 mov rax,qword ptr [r11+8]
    221be547 cmp qword ptr [rcx+8],r11
    221be54b jne nt!IoUnregisterFileSystem+0x69 (fffff803`221be569)
    nt!IoUnregisterFileSystem+0x4d:
    221be54d cmp qword ptr [rax],r11
    221be550 jne nt!IoUnregisterFileSystem+0x69 (fffff803`221be569)
    nt!IoUnregisterFileSystem+0x52:
    221be552 mov qword ptr [rax],rcx
    221be555 mov qword ptr [rcx+8],rax
This illustration shows the three list elements and where the links are set or referenced:
► IopfCompleteRequest
The following lines are RemoveEntryList:
    21c8414c mov rdx,qword ptr [rcx]
    21c8414f mov qword ptr [rbp+67h],rax
    21c84153 mov rax,qword ptr [rcx+8]
    21c84157 cmp qword ptr [rdx+8],rcx
    21c8415b jne nt! ?? ::FNODOBFM::`string'+0xadd6 (fffff803`21c841d3)
    nt! ?? ::FNODOBFM::`string'+0xad4a:
    21c8415d cmp qword ptr [rax],rcx
    21c84160 jne nt! ?? ::FNODOBFM::`string'+0xadd6 (fffff803`21c841d3)
    nt! ?? ::FNODOBFM::`string'+0xad53:
    21c84162 mov qword ptr [rax],rdx
    21c84165 mov qword ptr [rdx+8],rax
This illustration shows the three list elements and where the links are set or referenced:
There is a second occurrence of RemoveEntryList here:
    nt! ?? ::FNODOBFM::`string'+0xaf7c:
    21c84369 mov rdx,qword ptr [rsi]
    21c8436c mov rax,qword ptr [rsi+8]
    21c84370 cmp qword ptr [rdx+8],rsi
    21c84374 jne nt! ?? ::FNODOBFM::`string'+0xaff8 (fffff803`21c843dd)
    nt! ?? ::FNODOBFM::`string'+0xaf8d:
    21c84376 cmp qword ptr [rax],rsi
    21c84379 jne nt! ?? ::FNODOBFM::`string'+0xaff8 (fffff803`21c843dd)
    nt! ?? ::FNODOBFM::`string'+0xaf96:
    21c8437b mov qword ptr [rax],rdx
    21c8437e mov qword ptr [rdx+8],rax
This illustration shows the three list elements and where the links are set or referenced:
There is a third occurrence of RemoveEntryList here:
    nt! ?? ::FNODOBFM::`string'+0xb2ad:
    21c8466f mov rdx,qword ptr [rcx]
    21c84672 mov rax,qword ptr [rcx+8]
    21c84676 cmp qword ptr [rdx+8],rcx
    21c8467a jne nt! ?? ::FNODOBFM::`string'+0xb2f7 (fffff803`21c846b1)
    nt! ?? ::FNODOBFM::`string'+0xb2be:
    21c8467c cmp qword ptr [rax],rcx
    21c8467f jne nt! ?? ::FNODOBFM::`string'+0xb2f7 (fffff803`21c846b1)
    nt! ?? ::FNODOBFM::`string'+0xb2c7:
    21c84681 mov qword ptr [rax],rdx
    21c84684 mov qword ptr [rdx+8],rax
This illustration shows the three list elements and where the links are set or referenced:
There is a fourth occurrence of RemoveEntryList here:
    nt!KiScanReadyThreads+0xfe:
    21c847da lea r8,[r10+0D8h]
    21c847e1 mov rcx,qword ptr [r8]
    21c847e4 mov rax,qword ptr [r8+8]
    21c847e8 cmp qword ptr [rcx+8],r8
    21c847ec jne nt! ?? ::FNODOBFM::`string'+0x18b1e (fffff803`21dc04fc)
    nt!KiScanReadyThreads+0x116:
    21c847f2 cmp qword ptr [rax],r8
    21c847f5 jne nt! ?? ::FNODOBFM::`string'+0x18b1e (fffff803`21dc04fc)
    nt!KiScanReadyThreads+0x11f:
    21c847fb mov qword ptr [rax],rcx
    21c847fe mov qword ptr [rcx+8],rax
This illustration shows the three list elements and where the links are set or referenced:
There is a fifth occurrence of RemoveEntryList here:
    nt!IopfCompleteRequest+0x34f:
    21cfde4f mov rcx,qword ptr [rbx]
    21cfde52 mov rax,qword ptr [rbx+8]
    21cfde56 cmp qword ptr [rcx+8],rbx
    21cfde5a jne nt!IopfCompleteRequest+0x11cc (fffff803`21cfecbc)
    nt!IopfCompleteRequest+0x360:
    21cfde60 cmp qword ptr [rax],rbx
    21cfde63 jne nt!IopfCompleteRequest+0x11cc (fffff803`21cfecbc)
    nt!IopfCompleteRequest+0x369:
    21cfde69 mov qword ptr [rax],rcx
    21cfde6c mov qword ptr [rcx+8],rax
This illustration shows the three list elements and where the links are set or referenced:
There is a sixth occurrence of RemoveEntryList here:
    nt!IopfCompleteRequest+0x798:
    21cfe296 mov rdx,qword ptr [r8]
    21cfe299 mov rcx,qword ptr [r8+8]
    21cfe29d mov r12,r8
    21cfe2a0 mov qword ptr [rbp-29h],rcx
    21cfe2a4 cmp qword ptr [rdx+8],r8
    21cfe2a8 jne nt!IopfCompleteRequest+0xf88 (fffff803`21cfea7e)
    nt!IopfCompleteRequest+0x7b0:
    21cfe2ae cmp qword ptr [rcx],r8
    21cfe2b1 jne nt!IopfCompleteRequest+0xf88 (fffff803`21cfea7e)
    nt!IopfCompleteRequest+0x7b9:
    21cfe2b7 mov qword ptr [rcx],rdx
    21cfe2ba xor r14b,r14b
    21cfe2bd mov qword ptr [rdx+8],rcx
This illustration shows the three list elements and where the links are set or referenced:
There is a seventh occurrence of RemoveEntryList here:
    nt!IopfCompleteRequest+0x844:
    21cfe342 lea rax,[rsi+0D8h]
    21cfe349 mov rdx,qword ptr [rax]
    21cfe34c mov rcx,qword ptr [rax+8]
    21cfe350 cmp qword ptr [rdx+8],rax
    21cfe354 jne nt!IopfCompleteRequest+0x1082 (fffff803`21cfeb7a)
    nt!IopfCompleteRequest+0x85c:
    21cfe35a cmp qword ptr [rcx],rax
    21cfe35d jne nt!IopfCompleteRequest+0x1082 (fffff803`21cfeb7a)
    nt!IopfCompleteRequest+0x865:
    21cfe363 mov qword ptr [rcx],rdx
    21cfe366 mov qword ptr [rdx+8],rcx
This illustration shows the three list elements and where the links are set or referenced:
► KeDeregisterBugCheckCallback
The following lines are RemoveEntryList:
    nt!KeDeregisterBugCheckCallback+0x5a:
    21dee412 mov rcx,qword ptr [rbx]
    21dee415 mov rax,qword ptr [rbx+8]
    21dee419 mov byte ptr [rbx+38h],dil
    21dee41d cmp qword ptr [rcx+8],rbx
    21dee421 jne nt!KeDeregisterBugCheckCallback+0x99 (fffff803`21dee451)
    nt!KeDeregisterBugCheckCallback+0x6b:
    21dee423 cmp qword ptr [rax],rbx
    21dee426 jne nt!KeDeregisterBugCheckCallback+0x99 (fffff803`21dee451)
    nt!KeDeregisterBugCheckCallback+0x70:
    21dee428 mov qword ptr [rax],rcx
    21dee42b mov dil,1
    21dee42e mov qword ptr [rcx+8],rax
This illustration shows the three list elements and where the links are set or referenced:
► KeDeregisterObjectNotification
The following lines are RemoveEntryList:
    nt!KeDeregisterObjectNotification+0x41:
    21d78b51 mov rcx,qword ptr [rdi]
    21d78b54 mov rax,qword ptr [rdi+8]
    21d78b58 cmp qword ptr [rcx+8],rdi
    21d78b5c jne nt!KeDeregisterObjectNotification+0x8c (fffff803`21d78b9c)
    nt!KeDeregisterObjectNotification+0x4e:
    21d78b5e cmp qword ptr [rax],rdi
    21d78b61 jne nt!KeDeregisterObjectNotification+0x8c (fffff803`21d78b9c)
    nt!KeDeregisterObjectNotification+0x53:
    21d78b63 mov qword ptr [rax],rcx
    21d78b66 mov qword ptr [rcx+8],rax
This illustration shows the three list elements and where the links are set or referenced:
► KeRegisterObjectNotification
The following lines are RemoveEntryList:
    nt!KeRegisterObjectNotification+0x134:
    21d2a0e8 mov rdx,r14
    21d2a0eb mov r14,qword ptr [r14+8]
    21d2a0ef mov r8,qword ptr [rdx]
    21d2a0f2 cmp qword ptr [r8+8],rdx
    21d2a0f6 jne nt!KeRegisterObjectNotification+0x252 (fffff803`21d2a206)
    nt!KeRegisterObjectNotification+0x148:
    21d2a0fc cmp qword ptr [r14],rdx
    21d2a0ff jne nt!KeRegisterObjectNotification+0x252 (fffff803`21d2a206)
    nt!KeRegisterObjectNotification+0x151:
    21d2a105 mov qword ptr [r14],r8
    21d2a108 mov qword ptr [r8+8],r14
This illustration shows the three list elements and where the links are set or referenced:
There is a second occurrence of RemoveEntryList here:
    nt!KeDeregisterObjectNotification+0x41:
    21d78b51 mov rcx,qword ptr [rdi]
    21d78b54 mov rax,qword ptr [rdi+8]
    21d78b58 cmp qword ptr [rcx+8],rdi
    21d78b5c jne nt!KeDeregisterObjectNotification+0x8c (fffff803`21d78b9c)
    nt!KeDeregisterObjectNotification+0x4e:
    21d78b5e cmp qword ptr [rax],rdi
    21d78b61 jne nt!KeDeregisterObjectNotification+0x8c (fffff803`21d78b9c)
    nt!KeDeregisterObjectNotification+0x53:
    21d78b63 mov qword ptr [rax],rcx
    21d78b66 mov qword ptr [rcx+8],rax
This illustration shows the three list elements and where the links are set or referenced:
► KeRemoveQueueApc
The following lines are RemoveEntryList:
    21cae802 mov rcx,qword ptr [r9]
    21cae805 mov r8,qword ptr [rdi+rax*8+248h]
    21cae80d mov rax,qword ptr [r9+8]
    21cae811 cmp qword ptr [rcx+8],r9
    21cae815 jne nt!KeRemoveQueueApc+0xb0 (fffff803`21cae840)
    nt!KeRemoveQueueApc+0x87:
    21cae817 cmp qword ptr [rax],r9
    21cae81a jne nt!KeRemoveQueueApc+0xb0 (fffff803`21cae840)
    nt!KeRemoveQueueApc+0x8c:
    21cae81c mov qword ptr [rax],rcx
    21cae81f mov qword ptr [rcx+8],rax
This illustration shows the three list elements and where the links are set or referenced:
There is a second occurrence of RemoveEntryList here:
nt!MiRemoveUnusedSubsection+0x3c:
21cae88c lea rax,[rdi+50h]
21cae890 mov rdx,qword ptr [rax]
21cae893 mov rcx,qword ptr [rax+8]
21cae897 cmp qword ptr [rdx+8],rax
21cae89b jne nt!MiRemoveUnusedSubsection+0xa1 (fffff803`21cae8f1)
nt!MiRemoveUnusedSubsection+0x4d:
21cae89d cmp qword ptr [rcx],rax
21cae8a0 jne nt!MiRemoveUnusedSubsection+0xa1 (fffff803`21cae8f1)
nt!MiRemoveUnusedSubsection+0x52:
21cae8a2 mov qword ptr [rcx],rdx
21cae8a5 mov qword ptr [rdx+8],rcx
This illustration shows the three list elements and where the links are set or referenced:
► KeRemoveQueueDpc
The following lines are RemoveEntryList:
nt! ?? ::FNODOBFM::`string'+0x12bdf:
21e4ae1f dec dword ptr [rdi+18h]
21e4ae22 lea rcx,[rbp+8]
21e4ae26 mov rdx,qword ptr [rcx]
21e4ae29 mov rax,qword ptr [rcx+8]
21e4ae2d cmp qword ptr [rdx+8],rcx
21e4ae31 jne nt! ?? ::FNODOBFM::`string'+0x12c2a (fffff803`21e4ae6a)
nt! ?? ::FNODOBFM::`string'+0x12bf3:
21e4ae33 cmp qword ptr [rax],rcx
21e4ae36 jne nt! ?? ::FNODOBFM::`string'+0x12c2a (fffff803`21e4ae6a)
nt! ?? ::FNODOBFM::`string'+0x12bf8:
21e4ae38 mov qword ptr [rax],rdx
21e4ae3b mov qword ptr [rdx+8],rax
This illustration shows the three list elements and where the links are set or referenced:
► KiCancelTimer
The following lines are RemoveEntryList:
nt!KiCancelTimer+0xd7:
21cf5837 mov rcx,qword ptr [rbx+20h]
21cf583b mov rax,qword ptr [rbx+28h]
21cf583f lea rdx,[rbx+20h]
21cf5843 lea r8,[r15+10h]
21cf5847 mov r9,r15
21cf584a shl r8,5
21cf584e cmp qword ptr [rcx+8],rdx
21cf5852 jne nt!KiCancelTimer+0x185 (fffff803`21cf58e5)
nt!KiCancelTimer+0xf8:
21cf5858 cmp qword ptr [rax],rdx
21cf585b jne nt!KiCancelTimer+0x185 (fffff803`21cf58e5)
nt!KiCancelTimer+0x101:
21cf5861 mov qword ptr [rax],rcx
21cf5864 mov qword ptr [rcx+8],rax
This illustration shows the three list elements and where the links are set or referenced:
► KeTerminateThread
The following lines are RemoveEntryList:
nt!KeTerminateThread+0xd7:
21d3c53b lea rax,[r15+238h]
21d3c542 mov rdx,qword ptr [rax]
21d3c545 mov rcx,qword ptr [rax+8]
21d3c549 cmp qword ptr [rdx+8],rax
21d3c54d jne nt! ?? ::FNODOBFM::`string'+0xe416 (fffff803`21c86c76)
nt!KeTerminateThread+0xef:
21d3c553 cmp qword ptr [rcx],rax
21d3c556 jne nt! ?? ::FNODOBFM::`string'+0xe416 (fffff803`21c86c76)
nt!KeTerminateThread+0xf8:
21d3c55c mov qword ptr [rcx],rdx
21d3c55f mov qword ptr [rdx+8],rcx
This illustration shows the three list elements and where the links are set or referenced:
There is a second occurrence of RemoveEntryList here:
nt!KeTerminateThread+0x148:
21d3c5ac mov rcx,qword ptr [r12]
21d3c5b0 mov rax,qword ptr [r12+8]
21d3c5b5 cmp qword ptr [rcx+8],r12
21d3c5b9 jne nt! ?? ::FNODOBFM::`string'+0xe4f3 (fffff803`21c86d4f)
nt!KeTerminateThread+0x15b:
21d3c5bf cmp qword ptr [rax],r12
21d3c5c2 jne nt! ?? ::FNODOBFM::`string'+0xe4f3 (fffff803`21c86d4f)
nt!KeTerminateThread+0x164:
21d3c5c8 mov qword ptr [rax],rcx
21d3c5cb mov r12d,0FFFFFF7Fh
21d3c5d1 mov qword ptr [rcx+8],rax
This illustration shows the three list elements and where the links are set or referenced:
► KiDeliverApc
The following lines are RemoveEntryList:
nt!KiDeliverApc+0x10e:
21d4171e mov rcx,qword ptr [rdx]
21d41721 mov rax,qword ptr [rdx+8]
21d41725 cmp qword ptr [rcx+8],rdx
21d41729 jne nt!KiDeliverApc+0x340 (fffff803`21d4194b)
nt!KiDeliverApc+0x11f:
21d4172f cmp qword ptr [rax],rdx
21d41732 jne nt!KiDeliverApc+0x340 (fffff803`21d4194b)
nt!KiDeliverApc+0x128:
21d41738 mov qword ptr [rax],rcx
21d4173b mov qword ptr [rcx+8],rax
This illustration shows the three list elements and where the links are set or referenced:
There is a second occurrence of RemoveEntryList here:
nt!KiDeliverApc+0x17f:
21d4178f mov rcx,qword ptr [rdx]
21d41792 mov rax,qword ptr [rdx+8]
21d41796 cmp qword ptr [rcx+8],rdx
21d4179a jne nt!KiDeliverApc+0x370 (fffff803`21d41980)
nt!KiDeliverApc+0x190:
21d417a0 cmp qword ptr [rax],rdx
21d417a3 jne nt!KiDeliverApc+0x370 (fffff803`21d41980)
nt!KiDeliverApc+0x199:
21d417a9 mov qword ptr [rax],rcx
21d417ac mov qword ptr [rcx+8],rax
This illustration shows the three list elements and where the links are set or referenced:
There is a third occurrence of RemoveEntryList here:
nt!KiDeliverApc+0x256:
21d41868 prefetchw [rcx-10h]
21d4186c mov rax,qword ptr [rcx+20h]
21d41870 mov r11,qword ptr [rcx+10h]
21d41874 mov qword ptr [rbp+48h],rax
21d41878 mov rax,qword ptr [rcx+28h]
21d4187c mov qword ptr [rbp-10h],rax
21d41880 mov rax,qword ptr [rcx+30h]
21d41884 mov qword ptr [rbp-18h],rax
21d41888 mov rax,qword ptr [rcx+38h]
21d4188c mov qword ptr [rbp+50h],rax
21d41890 mov rdx,qword ptr [rcx]
21d41893 mov rax,qword ptr [rcx+8]
21d41897 cmp qword ptr [rdx+8],rcx
21d4189b jne nt!KiDeliverApc+0x347 (fffff803`21d41952)
nt!KiDeliverApc+0x28f:
21d418a1 cmp qword ptr [rax],rcx
21d418a4 jne nt!KiDeliverApc+0x347 (fffff803`21d41952)
nt!KiDeliverApc+0x298:
21d418aa mov qword ptr [rax],rdx
21d418ad mov qword ptr [rdx+8],rax
This illustration shows the three list elements and where the links are set or referenced:
► KiExecuteAllDpcs
The following lines are RemoveEntryList:
nt!KiExecuteAllDpcs+0xbc:
21cf4c1c mov rdx,qword ptr [rcx]
21cf4c1f mov rax,qword ptr [rcx+8]
21cf4c23 cmp qword ptr [rdx+8],rcx
21cf4c27 jne nt!KiExecuteAllDpcs+0x392 (fffff803`21cf4ef2)
nt!KiExecuteAllDpcs+0xcd:
21cf4c2d cmp qword ptr [rax],rcx
21cf4c30 jne nt!KiExecuteAllDpcs+0x392 (fffff803`21cf4ef2)
nt!KiExecuteAllDpcs+0xd6:
21cf4c36 mov qword ptr [rax],rdx
21cf4c39 mov qword ptr [rdx+8],rax
This illustration shows the three list elements and where the links are set or referenced:
► KiExpireTimerTable
The following lines are RemoveEntryList:
nt!KiExpireTimerTable+0x12a:
21cf3726 mov rdx,qword ptr [r9+20h]
21cf372a mov rax,qword ptr [r9+28h]
21cf372e lea rcx,[r9+20h]
21cf3732 cmp qword ptr [rdx+8],rcx
21cf3736 jne nt!KiExpireTimerTable+0x1ff (fffff803`21cf37fb)
nt!KiExpireTimerTable+0x140:
21cf373c cmp qword ptr [rax],rcx
21cf373f jne nt!KiExpireTimerTable+0x1ff (fffff803`21cf37fb)
nt!KiExpireTimerTable+0x149:
21cf3745 mov qword ptr [rax],rdx
21cf3748 mov qword ptr [rdx+8],rax
This illustration shows the three list elements and where the links are set or referenced:
► KiFindReadyThread
The following lines are RemoveEntryList:
nt!KiFindReadyThread+0x6e:
21cc0cca mov r8,qword ptr [rcx]
21cc0ccd mov rdx,qword ptr [rcx+8]
21cc0cd1 cmp qword ptr [r8+8],rcx
21cc0cd5 jne nt!KiFindReadyThread+0xe3 (fffff803`21cc0d3f)
nt!KiFindReadyThread+0x7b:
21cc0cd7 cmp qword ptr [rdx],rcx
21cc0cda jne nt!KiFindReadyThread+0xe3 (fffff803`21cc0d3f)
nt!KiFindReadyThread+0x80:
21cc0cdc mov qword ptr [rdx],r8
21cc0cdf mov qword ptr [r8+8],rdx
This illustration shows the three list elements and where the links are set or referenced:
► KiFlushQueueApc
The following lines are RemoveEntryList:
21c88659 mov rax,qword ptr [rcx]
21c8865c cmp rax,rcx
21c8865f jne nt! ?? ::FNODOBFM::`string'+0x14ef7 (fffff803`21c88665)
nt! ?? ::FNODOBFM::`string'+0x14ef3:
21c88661 xor eax,eax
21c88663 jmp nt! ?? ::FNODOBFM::`string'+0x14f23 (fffff803`21c88691)
nt! ?? ::FNODOBFM::`string'+0x14ef7:
21c88665 mov rdx,qword ptr [rcx+8]
21c88669 cmp qword ptr [rax+8],rcx
21c8866d jne nt! ?? ::FNODOBFM::`string'+0x14f38 (fffff803`21c886a6)
nt! ?? ::FNODOBFM::`string'+0x14f01:
21c8866f cmp qword ptr [rdx],rcx
21c88672 jne nt! ?? ::FNODOBFM::`string'+0x14f38 (fffff803`21c886a6)
nt! ?? ::FNODOBFM::`string'+0x14f06:
21c88674 mov qword ptr [rdx],rax
21c88677 mov qword ptr [rax+8],rdx
This illustration shows the three list elements and where the links are set or referenced:
► KiInsertTimerTable
The following lines are RemoveEntryList:
nt!KiInsertTimerTable+0x1ff:
21cf479f mov rcx,qword ptr [rsi]
21cf47a2 mov rax,qword ptr [rsi+8]
21cf47a6 or ebx,1
21cf47a9 cmp qword ptr [rcx+8],rsi
21cf47ad jne nt! ?? ::FNODOBFM::`string'+0x17f68 (fffff803`21e4e262)
nt!KiInsertTimerTable+0x213:
21cf47b3 cmp qword ptr [rax],rsi
21cf47b6 jne nt! ?? ::FNODOBFM::`string'+0x17f68 (fffff803`21e4e262)
nt!KiInsertTimerTable+0x21c:
21cf47bc mov qword ptr [rax],rcx
21cf47bf mov qword ptr [rcx+8],rax
This illustration shows the three list elements and where the links are set or referenced:
There is a second occurrence of RemoveEntryList here:
nt!KiAdjustTimerDueTimes+0x94:
21da65e4 lea rcx,[r9+20h]
21da65e8 mov rdx,qword ptr [rcx]
21da65eb mov rax,qword ptr [rcx+8]
21da65ef cmp qword ptr [rdx+8],rcx
21da65f3 jne nt! ?? ::FNODOBFM::`string'+0x17fbb (fffff803`21e4e2bb)
nt!KiAdjustTimerDueTimes+0xa9:
21da65f9 cmp qword ptr [rax],rcx
21da65fc jne nt! ?? ::FNODOBFM::`string'+0x17fbb (fffff803`21e4e2bb)
nt!KiAdjustTimerDueTimes+0xb2:
21da6602 mov qword ptr [rax],rdx
21da6605 mov qword ptr [rdx+8],rax
This illustration shows the three list elements and where the links are set or referenced:
There is a third occurrence of RemoveEntryList here:
21da669f mov rdx,qword ptr [rax]
21da66a2 mov rcx,qword ptr [rax+8]
21da66a6 cmp qword ptr [rdx+8],rax
21da66aa jne nt! ?? ::FNODOBFM::`string'+0x17fe2 (fffff803`21e4e2e2)
nt!KiAdjustTimerDueTimes+0x160:
21da66b0 cmp qword ptr [rcx],rax
21da66b3 jne nt! ?? ::FNODOBFM::`string'+0x17fe2 (fffff803`21e4e2e2)
nt!KiAdjustTimerDueTimes+0x169:
21da66b9 mov qword ptr [rcx],rdx
21da66bc mov qword ptr [rdx+8],rcx
This illustration shows the three list elements and where the links are set or referenced:
► KiProcessExpiredTimerList
The following lines are RemoveEntryList:
nt!KiProcessExpiredTimerList+0x12e:
21cf513e mov rcx,qword ptr [rbx]
21cf5141 mov rax,qword ptr [rbx+8]
21cf5145 cmp qword ptr [rcx+8],rbx
21cf5149 jne nt!KiProcessExpiredTimerList+0x457 (fffff803`21cf5467)
nt!KiProcessExpiredTimerList+0x13f:
21cf514f cmp qword ptr [rax],rbx
21cf5152 jne nt!KiProcessExpiredTimerList+0x457 (fffff803`21cf5467)
nt!KiProcessExpiredTimerList+0x148:
21cf5158 mov qword ptr [rax],rcx
21cf515b mov qword ptr [rcx+8],rax
This illustration shows the three list elements and where the links are set or referenced:
There is a second occurrence of RemoveEntryList here:
nt!KiProcessExpiredTimerList+0x360:
21cf5370 mov rcx,qword ptr [rbx]
21cf5373 mov rax,qword ptr [rbx+8]
21cf5377 cmp qword ptr [rcx+8],rbx
21cf537b jne nt!KiProcessExpiredTimerList+0x497 (fffff803`21cf54a7)
nt!KiProcessExpiredTimerList+0x371:
21cf5381 cmp qword ptr [rax],rbx
21cf5384 jne nt!KiProcessExpiredTimerList+0x497 (fffff803`21cf54a7)
nt!KiProcessExpiredTimerList+0x37a:
21cf538a mov qword ptr [rax],rcx
21cf538d mov qword ptr [rcx+8],rax
This illustration shows the three list elements and where the links are set or referenced:
► MiDeleteVirtualAddresses
(no instance of RemoveEntryList found)
► NtNotifyChangeMultipleKeys
The following lines are RemoveEntryList:
220736e1 mov rdx,qword ptr [rcx]
220736e4 mov rax,qword ptr [rcx+8]
220736e8 cmp qword ptr [rdx+8],rcx
220736ec jne nt!NtNotifyChangeMultipleKeys+0x8e4 (fffff803`22073704)
nt!NtNotifyChangeMultipleKeys+0x8ce:
220736ee cmp qword ptr [rax],rcx
220736f1 jne nt!NtNotifyChangeMultipleKeys+0x8e4 (fffff803`22073704)
nt!NtNotifyChangeMultipleKeys+0x8d3:
220736f3 mov qword ptr [rax],rdx
220736f6 mov qword ptr [rdx+8],rax
This illustration shows the three list elements and where the links are set or referenced:
There is a second occurrence of RemoveEntryList here:
nt!NtNotifyChangeMultipleKeys+0xa35:
22073855 mov rax,qword ptr [r13]
22073859 test rax,rax
2207385c je nt!NtNotifyChangeMultipleKeys+0xa5b (fffff803`2207387b)
nt!NtNotifyChangeMultipleKeys+0xa3e:
2207385e mov rcx,qword ptr [r13+8]
22073862 cmp qword ptr [rax+8],r13
22073866 jne nt!NtNotifyChangeMultipleKeys+0xa56 (fffff803`22073876)
nt!NtNotifyChangeMultipleKeys+0xa48:
22073868 cmp qword ptr [rcx],r13
2207386b jne nt!NtNotifyChangeMultipleKeys+0xa56 (fffff803`22073876)
nt!NtNotifyChangeMultipleKeys+0xa4d:
2207386d mov qword ptr [rcx],rax
22073870 mov qword ptr [rax+8],rcx
This illustration shows the three list elements and where the links are set or referenced:
There is a third occurrence of RemoveEntryList here:
nt!NtNotifyChangeMultipleKeys+0xa7f:
2207389f mov rax,qword ptr [rsi]
220738a2 test rax,rax
220738a5 je nt!NtNotifyChangeMultipleKeys+0xaa4 (fffff803`220738c4)
nt!NtNotifyChangeMultipleKeys+0xa87:
220738a7 mov rcx,qword ptr [rsi+8]
220738ab cmp qword ptr [rax+8],rsi
220738af jne nt!NtNotifyChangeMultipleKeys+0xa9f (fffff803`220738bf)
nt!NtNotifyChangeMultipleKeys+0xa91:
220738b1 cmp qword ptr [rcx],rsi
220738b4 jne nt!NtNotifyChangeMultipleKeys+0xa9f (fffff803`220738bf)
nt!NtNotifyChangeMultipleKeys+0xa96:
220738b6 mov qword ptr [rcx],rax
220738b9 mov qword ptr [rax+8],rcx
This illustration shows the three list elements and where the links are set or referenced:
There is a fourth occurrence of RemoveEntryList here:
nt!NtNotifyChangeMultipleKeys+0xaa4:
220738c4 lea rax,[rsi+10h]
220738c8 mov rdx,qword ptr [rax]
220738cb mov rcx,qword ptr [rax+8]
220738cf cmp qword ptr [rdx+8],rax
220738d3 jne nt!NtNotifyChangeMultipleKeys+0xb32 (fffff803`22073952)
nt!NtNotifyChangeMultipleKeys+0xab5:
220738d5 cmp qword ptr [rcx],rax
220738d8 jne nt!NtNotifyChangeMultipleKeys+0xb32 (fffff803`22073952)
nt!NtNotifyChangeMultipleKeys+0xaba:
220738da mov qword ptr [rcx],rdx
220738dd mov qword ptr [rdx+8],rcx
This illustration shows the three list elements and where the links are set or referenced:
There is a fifth occurrence of RemoveEntryList here:
nt!NtNotifyChangeMultipleKeys+0xb53:
22073973 mov rax,qword ptr [r13]
22073977 test rax,rax
2207397a je nt!NtNotifyChangeMultipleKeys+0xb79 (fffff803`22073999)
nt!NtNotifyChangeMultipleKeys+0xb5c:
2207397c mov rcx,qword ptr [r13+8]
22073980 cmp qword ptr [rax+8],r13
22073984 jne nt!NtNotifyChangeMultipleKeys+0xb74 (fffff803`22073994)
nt!NtNotifyChangeMultipleKeys+0xb66:
22073986 cmp qword ptr [rcx],r13
22073989 jne nt!NtNotifyChangeMultipleKeys+0xb74 (fffff803`22073994)
nt!NtNotifyChangeMultipleKeys+0xb6b:
2207398b mov qword ptr [rcx],rax
2207398e mov qword ptr [rax+8],rcx
This illustration shows the three list elements and where the links are set or referenced:
There is a sixth occurrence of RemoveEntryList here:
nt!NtNotifyChangeMultipleKeys+0xb79:
22073999 lea rax,[r13+10h]
2207399d mov rdx,qword ptr [rax]
220739a0 mov rcx,qword ptr [rax+8]
220739a4 cmp qword ptr [rdx+8],rax
220739a8 jne nt!NtNotifyChangeMultipleKeys+0xb98 (fffff803`220739b8)
nt!NtNotifyChangeMultipleKeys+0xb8a:
220739aa cmp qword ptr [rcx],rax
220739ad jne nt!NtNotifyChangeMultipleKeys+0xb98 (fffff803`220739b8)
nt!NtNotifyChangeMultipleKeys+0xb8f:
220739af mov qword ptr [rcx],rdx
220739b2 mov qword ptr [rdx+8],rcx
This illustration shows the three list elements and where the links are set or referenced:
There is a seventh occurrence of RemoveEntryList here:
nt!NtNotifyChangeMultipleKeys+0xb9d:
220739bd mov rax,qword ptr [rsi]
220739c0 test rax,rax
220739c3 je nt!NtNotifyChangeMultipleKeys+0xbc2 (fffff803`220739e2)
nt!NtNotifyChangeMultipleKeys+0xba5:
220739c5 mov rcx,qword ptr [rsi+8]
220739c9 cmp qword ptr [rax+8],rsi
220739cd jne nt!NtNotifyChangeMultipleKeys+0xbbd (fffff803`220739dd)
nt!NtNotifyChangeMultipleKeys+0xbaf:
220739cf cmp qword ptr [rcx],rsi
220739d2 jne nt!NtNotifyChangeMultipleKeys+0xbbd (fffff803`220739dd)
nt!NtNotifyChangeMultipleKeys+0xbb4:
220739d4 mov qword ptr [rcx],rax
220739d7 mov qword ptr [rax+8],rcx
This illustration shows the three list elements and where the links are set or referenced:
There is an eighth occurrence of RemoveEntryList here:
nt!NtNotifyChangeMultipleKeys+0xbc2:
220739e2 lea rax,[rsi+10h]
220739e6 mov rdx,qword ptr [rax]
220739e9 mov rcx,qword ptr [rax+8]
220739ed cmp qword ptr [rdx+8],rax
220739f1 jne nt!NtNotifyChangeMultipleKeys+0xbf9 (fffff803`22073a19)
nt!NtNotifyChangeMultipleKeys+0xbd3:
220739f3 cmp qword ptr [rcx],rax
220739f6 jne nt!NtNotifyChangeMultipleKeys+0xbf9 (fffff803`22073a19)
nt!NtNotifyChangeMultipleKeys+0xbd8:
220739f8 mov qword ptr [rcx],rdx
220739fb mov qword ptr [rdx+8],rcx
This illustration shows the three list elements and where the links are set or referenced:
► ObRegisterCallbacks
The following lines are RemoveEntryList:
nt! ?? ::NNGAKEGL::`string'+0x3cf37:
2226fa89 mov rcx,qword ptr [r14]
2226fa8c mov rax,qword ptr [r14+8]
2226fa90 cmp qword ptr [rcx+8],r14
2226fa94 jne nt! ?? ::NNGAKEGL::`string'+0x3cfe0 (fffff803`2226fb32)
nt! ?? ::NNGAKEGL::`string'+0x3cf48:
2226fa9a cmp qword ptr [rax],r14
2226fa9d jne nt! ?? ::NNGAKEGL::`string'+0x3cfe0 (fffff803`2226fb32)
nt! ?? ::NNGAKEGL::`string'+0x3cf51:
2226faa3 mov qword ptr [rax],rcx
2226faa6 mov qword ptr [rcx+8],rax
This illustration shows the three list elements and where the links are set or referenced:
► ObUnRegisterCallbacks
The following lines are RemoveEntryList:
nt!ExFreePoolWithTag+0x9a6:
21ee3b06 mov r8,qword ptr [r13+10h]
21ee3b0a mov rdx,qword ptr [r13+18h]
21ee3b0e lea rax,[r13+10h]
21ee3b12 cmp qword ptr [r8+8],rax
21ee3b16 jne nt!ExFreePool+0x946 (fffff803`21ee4a2c)
nt!ExFreePoolWithTag+0x9bc:
21ee3b1c cmp qword ptr [rdx],rax
21ee3b1f jne nt!ExFreePool+0x946 (fffff803`21ee4a2c)
nt!ExFreePoolWithTag+0x9c5:
21ee3b25 mov qword ptr [rdx],r8
21ee3b28 mov qword ptr [r8+8],rdx
This illustration shows the three list elements and where the links are set or referenced:
There is a second occurrence of RemoveEntryList here:
nt!ExFreePoolWithTag+0xf2c:
21ee408c mov rdx,qword ptr [r8+10h]
21ee4090 mov rcx,qword ptr [r8+18h]
21ee4094 lea rax,[r8+10h]
21ee4098 cmp qword ptr [rdx+8],rax
21ee409c jne nt!ExFreePool+0xc08 (fffff803`21ee4cca)
nt!ExFreePoolWithTag+0xf42:
21ee40a2 cmp qword ptr [rcx],rax
21ee40a5 jne nt!ExFreePool+0xc08 (fffff803`21ee4cca)
nt!ExFreePoolWithTag+0xf4b:
21ee40ab mov qword ptr [rcx],rdx
21ee40ae mov qword ptr [rdx+8],rcx
This illustration shows the three list elements and where the links are set or referenced:
There is a third occurrence of RemoveEntryList here:
nt!ExFreePool+0xc1b:
21ee4cd9 mov r8,qword ptr [rcx+10h]
21ee4cdd mov rdx,qword ptr [rcx+18h]
21ee4ce1 lea rax,[rcx+10h]
21ee4ce5 cmp qword ptr [r8+8],rax
21ee4ce9 jne nt!ExFreePool+0xc55 (fffff803`21ee4d0b)
nt!ExFreePool+0xc31:
21ee4ceb cmp qword ptr [rdx],rax
21ee4cee jne nt!ExFreePool+0xc55 (fffff803`21ee4d0b)
nt!ExFreePool+0xc3a:
21ee4cf0 mov qword ptr [rdx],r8
21ee4cf3 mov qword ptr [r8+8],rdx
This illustration shows the three list elements and where the links are set or referenced:
There is a fourth occurrence of RemoveEntryList here:
nt!ObUnRegisterCallbacks+0x73:
221e9783 mov rcx,qword ptr [rbx-30h]
221e9787 lea rax,[rbx-38h]
221e978b mov rdx,qword ptr [rax]
221e978e cmp qword ptr [rdx+8],rax
221e9792 jne nt!ObUnRegisterCallbacks+0x142 (fffff803`221e9852)
nt!ObUnRegisterCallbacks+0x88:
221e9798 cmp qword ptr [rcx],rax
221e979b jne nt!ObUnRegisterCallbacks+0x142 (fffff803`221e9852)
nt!ObUnRegisterCallbacks+0x91:
221e97a1 mov qword ptr [rcx],rdx
221e97a4 mov qword ptr [rdx+8],rcx
This illustration shows the three list elements and where the links are set or referenced:
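Added example, not part of the original post or its GitHub listings: a user-mode C model of the check-then-unlink sequence that the listings on this page share, run once on an intact list and once with a neighbour's Blink overwritten. The -1 return stands in for the `jne` targets, whose code the listings do not show; `list_entry`, `timer_like`, `checked_remove_entry`, `insert_tail` and `run_scenario` are names constructed for this illustration.

```c
#include <stdio.h>

/* Same layout as LIST_ENTRY on x64: Flink at +0, Blink at +8. */
typedef struct list_entry {
    struct list_entry *flink;
    struct list_entry *blink;
} list_entry;

/* Constructed owner record with the links embedded at +0x20, matching the
 * `lea rcx,[r9+20h]` form in the KiExpireTimerTable listing. */
typedef struct timer_like {
    unsigned char pad[0x20];
    list_entry link;
} timer_like;

/* Returns 0 after unlinking, -1 if a neighbour does not point back at entry.
 * Register comments follow the KeDeregisterObjectNotification listing. */
static int checked_remove_entry(list_entry *entry)
{
    list_entry *next = entry->flink;      /* mov rcx,[rdi]         */
    list_entry *prev = entry->blink;      /* mov rax,[rdi+8]       */

    if (next->blink != entry) return -1;  /* cmp [rcx+8],rdi ; jne */
    if (prev->flink != entry) return -1;  /* cmp [rax],rdi   ; jne */

    prev->flink = next;                   /* mov [rax],rcx         */
    next->blink = prev;                   /* mov [rcx+8],rax       */
    return 0;
}

/* Appends e at the tail of the circular list anchored at head. */
static void insert_tail(list_entry *head, list_entry *e)
{
    e->flink = head;
    e->blink = head->blink;
    head->blink->flink = e;
    head->blink = e;
}

/* Builds head <-> a <-> b, optionally overwrites b's Blink, then unlinks a.
 * Result: bit 0 = unlink refused, bit 1 = head now links straight to b. */
static int run_scenario(int corrupt_neighbour)
{
    list_entry head, rogue;
    timer_like a, b;

    head.flink = head.blink = &head;
    rogue.flink = rogue.blink = &rogue;
    insert_tail(&head, &a.link);
    insert_tail(&head, &b.link);
    if (corrupt_neighbour)
        b.link.blink = &rogue;            /* simulated stray write */

    int refused = checked_remove_entry(&a.link) != 0;
    int bypassed = head.flink == &b.link && b.link.blink == &head;
    return refused | (bypassed << 1);
}

int main(void)
{
    printf("clean list:   %d\n", run_scenario(0));
    printf("corrupt list: %d\n", run_scenario(1));
    return 0;
}
```

In the corrupted run no link is written: both comparisons precede both stores, which is the ordering visible in every listing above.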