renamed the project to BELog, added ZwSwapCert.lib

added log of 1/3/2021

BELog/BELog.sln

@@ -0,0 +1,23 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio Version 16
+VisualStudioVersion = 16.0.30621.155
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "BELog", "BELog.vcxproj", "{1F1679F7-60D4-4170-8FE1-FA6B49D7D229}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Release|x64 = Release|x64
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{1F1679F7-60D4-4170-8FE1-FA6B49D7D229}.Release|x64.ActiveCfg = Release|x64
+		{1F1679F7-60D4-4170-8FE1-FA6B49D7D229}.Release|x64.Build.0 = Release|x64
+		{1F1679F7-60D4-4170-8FE1-FA6B49D7D229}.Release|x64.Deploy.0 = Release|x64
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+	GlobalSection(ExtensibilityGlobals) = postSolution
+		SolutionGuid = {FE28234E-8EE3-4A24-99D6-9AA8E3D93CC4}
+	EndGlobalSection
+EndGlobal

BELog/BELog.vcxproj

@@ -43,7 +43,7 @@
     <Platform Condition="'$(Platform)' == ''">Win32</Platform>
     <RootNamespace>ioctl_meme</RootNamespace>
     <WindowsTargetPlatformVersion>$(LatestTargetPlatformVersion)</WindowsTargetPlatformVersion>
-    <ProjectName>BEDaisy</ProjectName>
+    <ProjectName>BELog</ProjectName>
   </PropertyGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
@@ -254,11 +254,11 @@
       <TreatWarningAsError>false</TreatWarningAsError>
     </ClCompile>
     <Link>
-      <EntryPointSymbol>DriverEntry</EntryPointSymbol>
+      <EntryPointSymbol>ScDriverEntry</EntryPointSymbol>
     </Link>
     <Link>
       <NoEntryPoint>false</NoEntryPoint>
-      <AdditionalDependencies>FltMgr.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <AdditionalDependencies>ZwSwapCert.lib;%(AdditionalDependencies)</AdditionalDependencies>
     </Link>
   </ItemDefinitionGroup>
   <ItemGroup>

BELog/DriverEntry.cpp

@@ -26,7 +26,7 @@ NTSTATUS TdDeviceClose(
     return STATUS_SUCCESS;
 }
 
-NTSTATUS DriverEntry(
+extern "C" NTSTATUS DriverEntry(
     _In_ PDRIVER_OBJECT  DriverObject,
     _In_ PUNICODE_STRING RegistryPath
 )

BELog/Hooks.cpp

@@ -3,17 +3,6 @@
 
 namespace Hooks
 {
-    BOOLEAN gh_ExEnumHandleTable(
-        PVOID HandleTable,
-        PVOID EnumHandleProcedure,
-        PVOID EnumParameter,
-        PHANDLE Handle OPTIONAL
-    )
-    {
-        DBG_PRINT("EnumHandleProcedure Called From: 0x%p, EnumHandleProcedure: 0x%p", _ReturnAddress(), EnumHandleProcedure);
-        return TRUE;
-    }
-
     NTSTATUS gh_ZwAllocateVirtualMemory(
         _In_    HANDLE    ProcessHandle,
         _Inout_ PVOID*    BaseAddress,
@@ -50,18 +39,6 @@ namespace Hooks
         return PsSetLoadImageNotifyRoutine(NotifyRoutine);
     }
 
-    NTSTATUS gh_ObRegisterCallbacks(
-        POB_CALLBACK_REGISTRATION CallbackRegistration,
-        PVOID* RegistrationHandle
-    )
-    {
-        DBG_PRINT("ObRegisterCallbacks called from: 0x%p", _ReturnAddress());
-        return ObRegisterCallbacks(
-            CallbackRegistration,
-            RegistrationHandle
-        );
-    }
-
     NTSTATUS gh_ZwQuerySystemInformation(
         _In_      SYSTEM_INFORMATION_CLASS SystemInformationClass,
         _Inout_   PVOID                    SystemInformation,
@@ -74,36 +51,12 @@ namespace Hooks
         DBG_PRINT("     - SystemInformation: 0x%p", SystemInformation);
         DBG_PRINT("     - SystemInformationLength: 0x%p", SystemInformationLength);
 
-        auto result = ZwQuerySystemInformation(
+        return ZwQuerySystemInformation(
             SystemInformationClass,
             SystemInformation,
             SystemInformationLength,
             ReturnLength
         );
-
-        if (SystemInformationLength && SystemInformation && ReturnLength && *ReturnLength)
-        {
-            switch (SystemInformationClass)
-            {
-            case SystemProcessInformation:
-            {
-                auto process_info = reinterpret_cast<PSYSTEM_PROCESS_INFORMATION>(SystemInformation);
-                process_info->NextEntryOffset = NULL;
-                DBG_PRINT("Spoofed SystemProcessInformation.....");
-                break;
-            }
-            case SystemModuleInformation:
-            {
-                auto module_info = reinterpret_cast<PRTL_PROCESS_MODULES>(SystemInformation);
-                module_info->NumberOfModules = 1;
-                DBG_PRINT("Spoofed SystemModuleInformation.....");
-                break;
-            }
-            default:
-                break;
-            }
-        }
-        return result;
     }
 
     NTSTATUS gh_PsSetCreateProcessNotifyRoutineEx(
@@ -143,6 +96,40 @@ namespace Hooks
         );
     }
 
+    NTSTATUS gh_ZwReadFile(
+        HANDLE           FileHandle,
+        HANDLE           Event,
+        PIO_APC_ROUTINE  ApcRoutine,
+        PVOID            ApcContext,
+        PIO_STATUS_BLOCK IoStatusBlock,
+        PVOID            Buffer,
+        ULONG            Length,
+        PLARGE_INTEGER   ByteOffset,
+        PULONG           Key
+    )
+    {
+        DBG_PRINT("ZwReadFile Called From 0x%p\n", _ReturnAddress());
+        PFILE_NAME_INFORMATION buffer = (PFILE_NAME_INFORMATION)ExAllocatePool(NonPagedPool, MAX_PATH * 2);
+        IO_STATUS_BLOCK StatusBlock;
+        NtQueryInformationFile(FileHandle, &StatusBlock, buffer, MAX_PATH * 2, FileNameInformation);
+        DBG_PRINT("     - FilePath: %ws", buffer->FileName);
+        ExFreePool(buffer);
+
+        DBG_PRINT("     - FileHandle: 0x%x", FileHandle);
+        DBG_PRINT("     - Buffer: 0x%p\n", Buffer);
+        DBG_PRINT("     - Length: 0x%x\n", Length);
+        DBG_PRINT("     - File Offset: 0x%p\n", ByteOffset ? ByteOffset->QuadPart : NULL);
+        return ZwReadFile(FileHandle, Event, ApcRoutine, ApcContext, IoStatusBlock, Buffer, Length, ByteOffset, Key);
+    }
+
+    extern "C" PIMAGE_NT_HEADERS RtlImageNtHeader(PVOID ModuleAddress);
+    PIMAGE_NT_HEADERS gh_RtlImageNtHeader(PVOID ModuleAddress)
+    {
+        DBG_PRINT("RtlImageNtHeader Called From 0x%p\n", _ReturnAddress());
+        DBG_PRINT("     - Module Base: 0x%p\n", ModuleAddress);
+        return RtlImageNtHeader(ModuleAddress);
+    }
+
     NTSTATUS gh_PsSetCreateThreadNotifyRoutine(
         PCREATE_THREAD_NOTIFY_ROUTINE NotifyRoutine
     )
@@ -200,9 +187,6 @@ namespace Hooks
             OutputBuffer,
             OutputBufferLength
         );
-        ULONG seed = 0x1000;
-        for (auto idx = 0u; idx < OutputBufferLength; ++idx)
-            *(unsigned char*)((unsigned char*)OutputBuffer + idx) = (unsigned char)RtlRandomEx(&seed);
         return result;
     }
 
@@ -325,7 +309,9 @@ namespace Hooks
             ParseContext,
             Handle
         );
-        DBG_PRINT("     - ObjectName: %s", ObjectAttributes->ObjectName->Buffer);
+
+        if(ObjectAttributes->ObjectName && ObjectAttributes->ObjectName->Buffer)
+            DBG_PRINT("     - ObjectName: %s", ObjectAttributes->ObjectName->Buffer);
         return result;
     }
 
@@ -607,6 +593,7 @@ namespace Hooks
             StartRoutine,
             StartContext
         );
+
         DBG_PRINT("     - Thread Handle: 0x%x", *ThreadHandle);
         return result;
     }
@@ -623,6 +610,7 @@ namespace Hooks
         DBG_PRINT("     - VirtualAddress: 0x%p", VirtualAddress);
         DBG_PRINT("     - Length: 0x%x", Length);
         DBG_PRINT("     - Irp: 0x%p", Irp);
+
         return IoAllocateMdl(
             VirtualAddress,
             Length, 
@@ -688,7 +676,124 @@ namespace Hooks
         __in ULONG 	Flags
     )
     {
-        return NULL;
+        DBG_PRINT("RtlWalkFrameChain called from: 0x%p", _ReturnAddress());
+        DBG_PRINT("     - Running Stack Walk On Thread ID: 0x%x\n", PsGetCurrentThreadId());
+        DBG_PRINT("     - Thread Running In Process: %s", PsGetProcessImageFileName(IoGetCurrentProcess()));
+        return RtlWalkFrameChain(Callers, Count, Flags);
+    }
+
+    NTSTATUS gh_ZwOpenSection(
+        PHANDLE            SectionHandle,
+        ACCESS_MASK        DesiredAccess,
+        POBJECT_ATTRIBUTES ObjectAttributes
+    )
+    {
+        DBG_PRINT("ZwOpenSection called from: 0x%p", _ReturnAddress());
+        DBG_PRINT("     - DesiredAccess: 0x%x", DesiredAccess);
+        if(ObjectAttributes->ObjectName && ObjectAttributes->ObjectName->Buffer)
+            DBG_PRINT("     - Section Name: %ws", ObjectAttributes->ObjectName->Buffer);
+
+        auto result = ZwOpenSection(SectionHandle, DesiredAccess, ObjectAttributes);
+        DBG_PRINT("     - Handle: 0x%x", *SectionHandle);
+        return result;
+    }
+
+     typedef enum _KAPC_ENVIRONMENT
+         {
+            OriginalApcEnvironment,
+                AttachedApcEnvironment,
+                CurrentApcEnvironment,
+                InsertApcEnvironment
+            } KAPC_ENVIRONMENT, * PKAPC_ENVIRONMENT;
+
+    extern "C" VOID
+        KeInitializeApc(
+            IN  PRKAPC Apc,
+            IN  PRKTHREAD Thread,
+            IN  KAPC_ENVIRONMENT Environment,
+            IN  VOID* KernelRoutine,
+            IN  VOID* RundownRoutine OPTIONAL,
+            IN  VOID* NormalRoutine OPTIONAL,
+            IN  KPROCESSOR_MODE ApcMode OPTIONAL,
+            IN  PVOID NormalContext OPTIONAL
+        );
+
+    VOID gh_KeInitializeApc(
+        IN  PRKAPC Apc,
+        IN  PRKTHREAD Thread,
+        IN  KAPC_ENVIRONMENT Environment,
+        IN  VOID* KernelRoutine,
+        IN  VOID* RundownRoutine OPTIONAL,
+        IN  VOID* NormalRoutine OPTIONAL,
+        IN  KPROCESSOR_MODE ApcMode OPTIONAL,
+        IN  PVOID NormalContext OPTIONAL
+    )
+    {
+        DBG_PRINT("KeInitializeApc called from: 0x%p", _ReturnAddress());
+        DBG_PRINT("     - Init APC For Thread ID: 0x%x", PsGetThreadId(Thread));
+        DBG_PRINT("     - Thread In Process: %s", PsGetProcessImageFileName(PsGetThreadProcess(Thread)));
+        return KeInitializeApc(Apc, Thread, Environment, KernelRoutine, RundownRoutine, NormalRoutine, ApcMode, NormalContext);
+    }
+
+    VOID gh_KeUnstackDetachProcess(
+        PRKAPC_STATE ApcState
+    )
+    {
+        DBG_PRINT("KeUnstackDetachProcess called from: 0x%p", _ReturnAddress());
+        DBG_PRINT("     - KeUnstackDetachProcess From Process: %s", PsGetProcessImageFileName(IoGetCurrentProcess()));
+        KeUnstackDetachProcess(ApcState);
+    }
+
+    extern "C" NTSTATUS
+        PsGetContextThread(
+            __in PETHREAD Thread,
+            __inout PCONTEXT ThreadContext,
+            __in KPROCESSOR_MODE Mode
+        );
+
+    NTSTATUS gh_PsGetContextThread(
+        __in PETHREAD Thread,
+        __inout PCONTEXT ThreadContext,
+        __in KPROCESSOR_MODE Mode
+    )
+    {
+        DBG_PRINT("PsGetContextThread called from: 0x%p", _ReturnAddress());
+        DBG_PRINT("     - Getting Context From Thread In Process: %s", PsGetProcessImageFileName(PsGetThreadProcess(Thread)));
+        return PsGetContextThread(Thread, ThreadContext, Mode);
+    }
+
+    NTSTATUS gh_ZwUnmapViewOfSection(
+        HANDLE ProcessHandle,
+        PVOID  BaseAddress
+    )
+    {
+        DBG_PRINT("ZwUnmapViewOfSection called from: 0x%p", _ReturnAddress());
+        DBG_PRINT("     - Process Handle: 0x%x", ProcessHandle);
+        if (ProcessHandle == (HANDLE)-1)
+            DBG_PRINT("     - unmapping section in process: %s", PsGetProcessImageFileName(IoGetCurrentProcess()));
+        DBG_PRINT("     - Section Base Address: 0x%p\n", BaseAddress);
+        return ZwUnmapViewOfSection(ProcessHandle, BaseAddress);
+    }
+
+    NTSTATUS gh_ZwClose(
+        HANDLE Handle
+    )
+    {
+        DBG_PRINT("ZwClose called from: 0x%p", _ReturnAddress());
+        PFILE_NAME_INFORMATION buffer = (PFILE_NAME_INFORMATION)ExAllocatePool(NonPagedPool, MAX_PATH * 2);
+        IO_STATUS_BLOCK StatusBlock;
+        NtQueryInformationFile(Handle, &StatusBlock, buffer, MAX_PATH * 2, FileNameInformation);
+        DBG_PRINT("     - Closing File: %ws", buffer->FileName);
+        ExFreePool(buffer);
+        return ZwClose(Handle);
+    }
+
+    extern "C" PPEB PsGetProcessPeb(IN PEPROCESS Process);
+    PPEB gh_PsGetProcessPeb(IN PEPROCESS Process)
+    {
+        DBG_PRINT("PsGetProcessPeb called from: 0x%p", _ReturnAddress());
+        DBG_PRINT("     - Getting PEB Of Process: %s", PsGetProcessImageFileName(Process));
+        return PsGetProcessPeb(Process);
     }
 
     PVOID gh_MmGetSystemRoutineAddress(
@@ -726,21 +831,11 @@ namespace Hooks
             DBG_PRINT("Hooking PsSetCreateProcessNotifyRoutineEx...");
             return &gh_PsSetCreateProcessNotifyRoutineEx;
         }
-        else if (wcsstr(SystemRoutineName->Buffer, L"ObRegisterCallbacks"))
-        {
-            DBG_PRINT("Hooking ObRegisterCallbacks...");
-            return &gh_ObRegisterCallbacks;
-        }
         else if (wcsstr(SystemRoutineName->Buffer, L"PsSetLoadImageNotifyRoutine"))
         {
             DBG_PRINT("Hooking PsSetLoadImageNotifyRoutine...");
             return &gh_PsSetLoadImageNotifyRoutine;
         }
-        else if (wcsstr(SystemRoutineName->Buffer, L"ExEnumHandleTable"))
-        {
-            //DBG_PRINT("Hooking ExEnumHandleTable...");
-            //return &gh_ExEnumHandleTable;
-        }
         else if (wcsstr(SystemRoutineName->Buffer, L"MmGetPhysicalAddress"))
         {
             DBG_PRINT("Hooking MmGetPhysicalAddress...");
@@ -796,16 +891,6 @@ namespace Hooks
             DBG_PRINT("Hooking QuerySystemInformation...");
             return &gh_ZwQuerySystemInformation;
         }
-        else if (wcsstr(SystemRoutineName->Buffer, L"stricmp"))
-        {
-            //DBG_PRINT("Hooking stricmp...");
-            //return &gh_stricmp;
-        }
-        else if (wcsstr(SystemRoutineName->Buffer, L"strnicmp"))
-        {
-            //DBG_PRINT("Hooking strnicmp...");
-            //return &gh_strnicmp;
-        }
         else if (wcsstr(SystemRoutineName->Buffer, L"wcsncmp"))
         {
             DBG_PRINT("Hooking wcsncmp...");
@@ -871,26 +956,54 @@ namespace Hooks
             DBG_PRINT("Hooking RtlWalkFrameChain...");
             return &gh_RtlWalkFrameChain;
         }
+        else if (wcsstr(SystemRoutineName->Buffer, L"ZwReadFile"))
+        {
+            DBG_PRINT("Hooking ZwReadFile...");
+            return &gh_ZwReadFile;
+        }
+        else if (wcsstr(SystemRoutineName->Buffer, L"RtlImageNtHeader"))
+        {
+            DBG_PRINT("Hooking RtlImageNtHeader...");
+            return &gh_RtlImageNtHeader;
+        }
+        else if (wcsstr(SystemRoutineName->Buffer, L"ZwOpenSection"))
+        {
+            DBG_PRINT("Hooking ZwOpenSection...");
+            return &gh_ZwOpenSection;
+        }
+        else if (wcsstr(SystemRoutineName->Buffer, L"KeInitializeApc"))
+        {
+            DBG_PRINT("Hooking KeInitializeApc...");
+            return &gh_KeInitializeApc;
+        }
+        else if (wcsstr(SystemRoutineName->Buffer, L"KeUnstackDetachProcess"))
+        {
+            DBG_PRINT("Hooking KeUnstackDetachProcess...");
+            return &gh_KeUnstackDetachProcess;
+        }
+        else if (wcsstr(SystemRoutineName->Buffer, L"PsGetContextThread"))
+        {
+            DBG_PRINT("Hooking PsGetContextThread...");
+            return &gh_PsGetContextThread;
+        }
+        else if (wcsstr(SystemRoutineName->Buffer, L"ZwUnmapViewOfSection"))
+        {
+            DBG_PRINT("Hooking ZwUnmapViewOfSection...");
+            return &gh_ZwUnmapViewOfSection;
+        }
+        else if (wcsstr(SystemRoutineName->Buffer, L"ZwClose"))
+        {
+            //DBG_PRINT("Hooking ZwClose...");
+            //return &gh_ZwClose;
+        }
+        else if (wcsstr(SystemRoutineName->Buffer, L"PsGetProcessPeb"))
+        {
+            DBG_PRINT("Hooking PsGetProcessPeb...");
+            return &gh_PsGetProcessPeb;
+        }
         return MmGetSystemRoutineAddress(SystemRoutineName);
     }
 
-    PVOID gh_FltGetRoutineAddress(
-        PCSTR FltMgrRoutineName
-    )
-    {
-        DBG_PRINT("FltGetRoutineAddress: %s", FltMgrRoutineName);
-        return FltGetRoutineAddress(FltMgrRoutineName);
-    }
-
-    VOID gh_KeBugCheckEx(
-        ULONG     BugCheckCode,
-        ULONG_PTR BugCheckParameter1,
-        ULONG_PTR BugCheckParameter2,
-        ULONG_PTR BugCheckParameter3,
-        ULONG_PTR BugCheckParameter4
-    )
-    { DBG_PRINT("KeBugCheckEx Called!"); }
-
     VOID LoadImageNotifyRoutine(
         PUNICODE_STRING FullImageName,
         HANDLE ProcessId,
@@ -900,23 +1013,11 @@ namespace Hooks
         if (!ProcessId && FullImageName && wcsstr(FullImageName->Buffer, L"BEDaisy.sys"))
         {
             DBG_PRINT("> ============= Driver %ws ================", FullImageName->Buffer);
-            DriverUtil::IATHook(
-                ImageInfo->ImageBase,
-                "KeBugCheckEx",
-                &gh_KeBugCheckEx
-            );
-
             DriverUtil::IATHook(
                 ImageInfo->ImageBase,
                 "MmGetSystemRoutineAddress",
                 &gh_MmGetSystemRoutineAddress
             );
-
-            DriverUtil::IATHook(
-                ImageInfo->ImageBase,
-                "FltGetRoutineAddress",
-                &gh_FltGetRoutineAddress
-            );
         }
     }
 }

BELog/Hooks.h

@@ -24,11 +24,6 @@ namespace Hooks
         PLOAD_IMAGE_NOTIFY_ROUTINE NotifyRoutine
     );
 
-    NTSTATUS gh_ObRegisterCallbacks(
-        POB_CALLBACK_REGISTRATION CallbackRegistration,
-        PVOID* RegistrationHandle
-    );
-
     NTSTATUS gh_ZwQuerySystemInformation(
         _In_      SYSTEM_INFORMATION_CLASS SystemInformationClass,
         _Inout_   PVOID                    SystemInformation,

BELog/Types.h

@@ -7,7 +7,7 @@
 #define POOLTAG 'MEME'
 
 #if true
-#define DBG_PRINT(...) DbgPrintEx( DPFLTR_SYSTEM_ID, DPFLTR_ERROR_LEVEL, "[GoodEye]" __VA_ARGS__);
+#define DBG_PRINT(...) DbgPrintEx( DPFLTR_SYSTEM_ID, DPFLTR_ERROR_LEVEL, "[BELog]" __VA_ARGS__);
 #else
 #define DBG_PRINT(...)
 #endif

RuntimeLog/LoadedKernelDrivers.1.3.2021.log

@@ -0,0 +1,199 @@
+WUDFRd.sys, 0xfffff80714ac0000, 336 kB, Windows Driver Foundation - User-mode Driver Framework Reflector
+ws2ifsl.sys, 0xfffff80715120000, 56 kB, Winsock2 IFS Layer
+WppRecorder.sys, 0xfffff8070ccb0000, 68 kB, WPP Trace Recorder
+WpdUpFltr.sys, 0xfffff80714b40000, 56 kB, Windows Portable Device Upper Class Filter Driver
+Wof.sys, 0xfffff8070d410000, 256 kB, Windows Overlay Filter
+WMILIB.SYS, 0xfffff8070cf70000, 48 kB, WMILIB WMI support library Dll
+wmiacpi.sys, 0xfffff80716af0000, 48 kB, Windows Management Interface for ACPI
+winhvr.sys, 0xfffff80714010000, 132 kB, Windows Hypervisor Root Interface Driver
+WindowsTrustedRTProxy.sys, 0xfffff8070cfd0000, 44 kB, Windows Trusted Runtime Service Proxy Driver
+WindowsTrustedRT.sys, 0xfffff8070cfa0000, 92 kB, Windows Trusted Runtime Interface Driver
+win32kfull.sys, 0xffffa261f0cf0000, 3.71 MB, Full/Desktop Win32k Kernel Driver
+win32kbase.sys, 0xffffa261f0a00000, 2.89 MB, Base Win32k Kernel Driver
+win32k.sys, 0xffffa261f18d0000, 616 kB, Multi-User Win32 Driver
+wfplwfs.sys, 0xfffff8070dd70000, 192 kB, WFP NDIS 6.30 Lightweight Filter Driver
+werkernel.sys, 0xfffff8070c9c0000, 68 kB, Windows Error Reporting Kernel Driver
+WDFLDR.SYS, 0xfffff8070cc80000, 76 kB, Kernel Mode Driver Framework Loader
+WdFilter.sys, 0xfffff8070d460000, 360 kB, Microsoft antimalware file system filter driver
+Wdf01000.sys, 0xfffff8070cba0000, 836 kB, Kernel Mode Driver Framework Runtime
+wcifs.sys, 0xfffff807149f0000, 216 kB, Windows Container Isolation FS Filter Driver
+watchdog.sys, 0xfffff80715010000, 96 kB, Watchdog Driver
+wanarp.sys, 0xfffff807141f0000, 116 kB, MS Remote Access and Routing ARP Driver
+vwififlt.sys, 0xfffff80713ed0000, 104 kB, Virtual WiFi Filter Driver
+vstor2-x64.sys, 0xfffff80753980000, 48 kB, VMware Virtual Storage Volume Driver
+vsock.sys, 0xfffff8070d340000, 96 kB, VMware vSockets Service
+volume.sys, 0xfffff8070dee0000, 44 kB, Volume driver
+volsnap.sys, 0xfffff8070def0000, 436 kB, Volume Shadow Copy driver
+volmgrx.sys, 0xfffff8070d2b0000, 396 kB, Volume Manager Extension Driver
+volmgr.sys, 0xfffff8070d290000, 100 kB, Volume Manager Driver
+vmx86.sys, 0xfffff807527b0000, 132 kB, VMware kernel driver
+vmswitch.sys, 0xfffff807142f0000, 2.43 MB, Microsoft® Network Virtualization Service Provider
+VmsProxyHNic.sys, 0xfffff8070de00000, 60 kB, VmSwitch NIC Proxy Driver
+VmsProxy.sys, 0xfffff8070ddb0000, 64 kB, VMSWITCH Proxy Driver
+vmparport.sys, 0xfffff80753970000, 48 kB, VMware parallel port driver
+vmnetuserif.sys, 0xfffff807151f0000, 44 kB, VMware network application interface driver (64-bit)
+vmnetbridge.sys, 0xfffff80714c40000, 72 kB, VMware bridge driver (64-bit)
+vmnetadapter.sys, 0xfffff80714570000, 44 kB, VMware virtual network adapter driver (64-bit)
+VMNET.SYS, 0xfffff80714580000, 48 kB, VMware virtual network driver (64-bit)
+vmci.sys, 0xfffff8070d320000, 112 kB, VMware PCI VMCI Bus Device
+vmbkmclr.sys, 0xfffff8070ddd0000, 144 kB, Hyper-V VMBus Root KMCL
+Vid.sys, 0xfffff80713f60000, 644 kB, Microsoft Hyper-V Virtualization Infrastructure Driver
+vdrvroot.sys, 0xfffff8070d100000, 84 kB, Virtual Drive Root Enumerator
+USBSTOR.SYS, 0xfffff807146e0000, 148 kB, USB Mass Storage Class Driver
+USBPORT.SYS, 0xfffff807168e0000, 484 kB, USB 1.1 & 2.0 Port Driver
+usbhub.sys, 0xfffff807145e0000, 532 kB, Default Hub Driver for USB
+usbehci.sys, 0xfffff807168c0000, 104 kB, EHCI eUSB Miniport Driver
+USBD.SYS, 0xfffff80716b30000, 56 kB, Universal Serial Bus Driver
+usbccgp.sys, 0xfffff80714710000, 208 kB, USB Common Class Generic Parent Driver
+umbus.sys, 0xfffff807145c0000, 84 kB, User-Mode Bus Enumerator
+tsusbhub.sys, 0xfffff80714bc0000, 156 kB, Remote Desktop USB Hub
+tm.sys, 0xfffff807072a0000, 156 kB, Kernel Transaction Manager Driver
+TeeDriverW8x64.sys, 0xfffff80716880000, 192 kB, Intel(R) Management Engine Interface
+tdx.sys, 0xfffff807150d0000, 136 kB, TDI Translation Driver
+TDI.SYS, 0xfffff80715100000, 64 kB, TDI Wrapper
+tcpipreg.sys, 0xfffff80753950000, 84 kB, TCP/IP Registry Compatibility Driver
+tcpip.sys, 0xfffff8070da00000, 2.92 MB, TCP/IP Driver
+tbs.sys, 0xfffff8070e660000, 56 kB, Export driver for kernel mode TPM API
+tapprotonvpn.sys, 0xfffff80714560000, 48 kB, TAP-Windows Virtual Network Driver (NDIS 6.0)
+swenum.sys, 0xfffff80716b10000, 48 kB, Plug and Play Software Device Enumerator
+storqosflt.sys, 0xfffff80714b20000, 104 kB, Storage QoS Filter
+srvnet.sys, 0xfffff80752860000, 328 kB, Server Network driver
+srv2.sys, 0xfffff80752a00000, 796 kB, Smb 2.0 Server driver
+spaceport.sys, 0xfffff8070d1e0000, 680 kB, Storage Spaces Driver
+SleepStudyHelper.sys, 0xfffff8070cca0000, 60 kB, Sleep Study Helper
+SgrmAgent.sys, 0xfffff8070cd50000, 104 kB, System Guard Runtime Monitor Agent Driver
+serial.sys, 0xfffff80716a70000, 112 kB, Serial Device Driver
+serenum.sys, 0xfffff80716a90000, 60 kB, Serial Port Enumerator
+rt640x64.sys, 0xfffff80716960000, 928 kB, Realtek 8101E/8168/8169 NDIS 6.40 64-bit Driver                
+rspndr.sys, 0xfffff807151d0000, 108 kB, Link-Layer Topology Responder Driver for NDIS 6
+rdyboost.sys, 0xfffff8070df60000, 320 kB, ReadyBoost Driver
+rdpvideominiport.sys, 0xfffff80714b50000, 52 kB, Microsoft RDP Video Miniport driver
+rdpdr.sys, 0xfffff80714b90000, 188 kB, Microsoft RDP Device redirector
+rdpbus.sys, 0xfffff80716b20000, 56 kB, Microsoft RDP Bus Device driver
+rdbss.sys, 0xfffff80714040000, 492 kB, Redirected Drive Buffering SubSystem Driver
+rassstp.sys, 0xfffff80752ad0000, 112 kB, RAS SSTP Miniport Call Manager
+raspptp.sys, 0xfffff80752b70000, 132 kB, Peer-to-Peer Tunneling Protocol
+raspppoe.sys, 0xfffff80752ba0000, 112 kB, RAS PPPoE mini-port/call-manager driver
+rasl2tp.sys, 0xfffff80752b40000, 132 kB, RAS L2TP mini-port/call-manager driver
+qwavedrv.sys, 0xfffff80752f90000, 80 kB, Microsoft Quality Windows Audio Video Experience (qWave) Support Driver
+PSHED.dll, 0xfffff80707340000, 104 kB, Platform Specific Hardware Error Driver
+portcls.sys, 0xfffff80718150000, 408 kB, Port Class (Class Driver for Port/Miniport Devices)
+peauth.sys, 0xfffff80753820000, 856 kB, Protected Environment Authentication and Authorization Export Driver
+pdc.sys, 0xfffff8070d120000, 188 kB, Power Dependency Coordinator Driver
+pcw.sys, 0xfffff8070cfe0000, 80 kB, Performance Counters for Windows Driver
+PCIIDEX.SYS, 0xfffff8070d1c0000, 76 kB, PCI IDE Bus Driver Extension
+pciide.sys, 0xfffff8070d1b0000, 40 kB, Generic PCI IDE Bus Driver
+pci.sys, 0xfffff8070d080000, 472 kB, NT Plug and Play PCI Enumerator
+partmgr.sys, 0xfffff8070d170000, 196 kB, Partition driver
+parport.sys, 0xfffff80716a50000, 124 kB, Parallel Port Driver
+pacer.sys, 0xfffff80713ef0000, 172 kB, QoS Packet Scheduler
+nvlddmkm.sys, 0xfffff80716ba0000, 21.46 MB, NVIDIA Windows Kernel Mode Driver, Version 432.00 
+nvhda64v.sys, 0xfffff80716b40000, 220 kB, NVIDIA HDMI Audio Driver
+Null.SYS, 0xfffff8070e670000, 40 kB, NULL Driver
+ntoskrnl.exe, 0xfffff8070a600000, 16.27 MB, NT Kernel & System
+ntosext.sys, 0xfffff8070c9e0000, 48 kB, NTOS extension host driver
+Ntfs.sys, 0xfffff8070d4c0000, 2.85 MB, NT File System Driver
+nsiproxy.sys, 0xfffff80714160000, 72 kB, NSI Proxy
+npsvctrig.sys, 0xfffff80714180000, 56 kB, Named pipe service triggers
+Npfs.SYS, 0xfffff80715070000, 112 kB, NPFS Driver
+npcap.sys, 0xfffff80713eb0000, 76 kB, npcap.sys (NT6 AMD64) Kernel Filter Driver
+NETIO.SYS, 0xfffff8070d920000, 608 kB, Network I/O Subsystem
+netbt.sys, 0xfffff80715130000, 368 kB, MBT Transport driver
+netbios.sys, 0xfffff80713f40000, 80 kB, NetBIOS interface driver
+Ndu.sys, 0xfffff80753920000, 156 kB, Windows Network Data Usage Monitoring Driver
+NDProxy.sys, 0xfffff80752af0000, 116 kB, NDIS Proxy
+ndiswan.sys, 0xfffff80752bd0000, 232 kB, MS PPP Framing Driver (Strong Encryption)
+NdisVirtualBus.sys, 0xfffff80716b00000, 52 kB, Microsoft Virtual Network Adapter Enumerator
+ndistapi.sys, 0xfffff80752bc0000, 60 kB, NDIS 3.0 connection wrapper driver
+ndiscap.sys, 0xfffff80713f20000, 80 kB, Microsoft NDIS Packet Capture Filter Driver
+ndis.sys, 0xfffff8070d7b0000, 1.43 MB, Network Driver Interface Specification (NDIS)
+mup.sys, 0xfffff8070dfc0000, 152 kB, Multiple UNC Provider Driver
+mssmbios.sys, 0xfffff80714190000, 64 kB, System Management BIOS Driver
+mssecflt.sys, 0xfffff8070cd00000, 276 kB, Microsoft Security Events Component file system filter driver
+msrpc.sys, 0xfffff8070c950000, 392 kB, Kernel Remote Procedure Call Provider
+msquic.sys, 0xfffff8070e690000, 344 kB, Windows QUIC Driver
+mslldp.sys, 0xfffff80714bf0000, 96 kB, Microsoft Link-Layer Discovery Protocol Driver
+msisadrv.sys, 0xfffff8070d070000, 44 kB, ISA Driver
+Msfs.SYS, 0xfffff80715090000, 68 kB, Mailslot driver
+mrxsmb20.sys, 0xfffff807528e0000, 276 kB, Longhorn SMB 2.0 Redirector
+mrxsmb.sys, 0xfffff8070e760000, 588 kB, Windows NT SMB Minirdr
+mpsdrv.sys, 0xfffff80752790000, 104 kB, Microsoft Protection Service Driver
+mountmgr.sys, 0xfffff8070d360000, 120 kB, Mount Point Manager
+mouhid.sys, 0xfffff807147d0000, 64 kB, HID Mouse Filter Driver
+mouclass.sys, 0xfffff807147f0000, 76 kB, Mouse Class Driver
+monitor.sys, 0xfffff807149a0000, 108 kB, Monitor Driver
+mmcss.sys, 0xfffff80753900000, 80 kB, MMCSS Driver
+mcupdate_GenuineIntel.dll, 0xfffff80706ff0000, 2.56 MB, Intel Microcode Update Library
+lxss.sys, 0xfffff8070cd70000, 40 kB, LXSS
+LXCORE.SYS, 0xfffff8070cd80000, 1.08 MB, LX Core
+lltdio.sys, 0xfffff807151b0000, 96 kB, Link-Layer Topology Mapper I/O Driver
+LdBoxDrv.sys, 0xfffff80752800000, 372 kB, VirtualBox Support Driver
+ksthunk.sys, 0xfffff80716b80000, 60 kB, Kernel Streaming WOW Thunk Service
+ksecpkg.sys, 0xfffff8070d9c0000, 200 kB, Kernel Security Support Provider Interface Packages
+ksecdd.sys, 0xfffff8070c920000, 172 kB, Kernel Security Support Provider Interface
+ks.sys, 0xfffff80716800000, 472 kB, Kernel CSA Library
+kprocesshacker.sys, 0xfffff80753320000, 44 kB, KProcessHacker
+kdnic.sys, 0xfffff807145b0000, 52 kB, Microsoft Kernel Debugger Network Miniport
+kd.dll, 0xfffff80707290000, 44 kB, Local Kernel Debugger
+kbdhid.sys, 0xfffff80714810000, 68 kB, HID Keyboard Filter Driver
+kbdclass.sys, 0xfffff80714830000, 80 kB, Keyboard Class Driver
+iorate.sys, 0xfffff8070dff0000, 72 kB, I/O rate control Filter
+IntelTA.sys, 0xfffff8070cfc0000, 44 kB, Intel Telemetry Driver
+intelppm.sys, 0xfffff80716aa0000, 256 kB, Processor Device Driver
+intelpep.sys, 0xfffff8070d000000, 404 kB, Intel Power Engine Plugin
+HTTP.sys, 0xfffff80752600000, 1.52 MB, HTTP Protocol Stack
+hidusb.sys, 0xfffff80714750000, 72 kB, USB Miniport Driver for Input Devices
+HIDPARSE.SYS, 0xfffff807147b0000, 76 kB, Hid Parsing Library
+HIDCLASS.SYS, 0xfffff80714770000, 252 kB, Hid Class Library
+HdAudio.sys, 0xfffff80714670000, 444 kB, High Definition Audio Function Driver
+HDAudBus.sys, 0xfffff80718120000, 148 kB, High Definition Audio Bus Driver
+hcmon.sys, 0xfffff807527e0000, 84 kB, VMware USB monitor
+hal.dll, 0xfffff80707280000, 24 kB, Hardware Abstraction Layer DLL
+gpuenergydrv.sys, 0xfffff807141b0000, 40 kB, GPU Energy Kernel Driver
+fwpkclnt.sys, 0xfffff8070dcf0000, 508 kB, FWP/IPsec Kernel-Mode API
+fvevol.sys, 0xfffff8070de10000, 804 kB, BitLocker Drive Encryption Driver
+Fs_Rec.sys, 0xfffff8070d7a0000, 52 kB, File System Recognizer Driver
+FLTMGR.SYS, 0xfffff80707370000, 444 kB, Microsoft Filesystem Filter Manager
+fileinfo.sys, 0xfffff8070d3f0000, 104 kB, FileInfo Filter Driver
+filecrypt.sys, 0xfffff8070e640000, 84 kB, Windows sandboxing and encryption filter
+fastfat.SYS, 0xfffff80714210000, 432 kB, Fast FAT File System Driver
+dxgmms2.sys, 0xfffff807148b0000, 904 kB, DirectX Graphics MMS
+dxgkrnl.sys, 0xfffff80714c60000, 3.64 MB, DirectX Graphics Kernel
+dump_dumpfve.sys, 0xfffff80714890000, 116 kB, 
+dump_dumpata.sys, 0xfffff807181f0000, 60 kB, 
+dump_atapi.sys, 0xfffff80714860000, 52 kB, 
+drmk.sys, 0xfffff807181c0000, 132 kB, Microsoft Trusted Audio Drivers
+disk.sys, 0xfffff8070e020000, 112 kB, PnP Disk Driver
+dfsc.sys, 0xfffff807141c0000, 176 kB, DFS Namespace Client Driver
+Dbgv.sys, 0xfffff80752c30000, 36 kB, Windows Debug Monitor
+csc.sys, 0xfffff807140c0000, 592 kB, Windows Client Side Caching Driver
+crashdmp.sys, 0xfffff8070e740000, 120 kB, Crash Dump Driver
+condrv.sys, 0xfffff80752c10000, 76 kB, Console Driver
+CompositeBus.sys, 0xfffff80714590000, 72 kB, Multi-Transport Composite Bus Enumerator
+cng.sys, 0xfffff8070cae0000, 732 kB, Kernel Cryptography, Next Generation
+cmimcext.sys, 0xfffff807073e0000, 56 kB, Kernel Configuration Manager Initial Configuration Extension Host Export Driver
+clipsp.sys, 0xfffff8070c800000, 1.07 MB, CLIP Service
+CLFS.SYS, 0xfffff807072d0000, 420 kB, Common Log File System Driver
+cldflt.sys, 0xfffff80714a30000, 512 kB, Cloud Files Mini Filter Driver
+CLASSPNP.SYS, 0xfffff8070e040000, 432 kB, SCSI Class System Dll
+CimFS.SYS, 0xfffff807150b0000, 108 kB, 
+CI.dll, 0xfffff8070c9f0000, 900 kB, Code Integrity Module
+CEA.sys, 0xfffff8070d150000, 100 kB, Event Aggregation Kernel Mode Library
+cdrom.sys, 0xfffff8070e600000, 192 kB, SCSI CD-ROM Driver
+cdd.dll, 0xffffa261f10b0000, 288 kB, Canonical Display Driver
+bowser.sys, 0xfffff80714c10000, 148 kB, NT Lan Manager Datagram Receiver Driver
+BOOTVID.dll, 0xfffff80707360000, 44 kB, VGA Boot Driver
+bindflt.sys, 0xfffff80714b60000, 156 kB, Windows Bind Filter Driver
+BELog.sys, 0xfffff80752fb0000, 160 kB, KSLD
+Beep.SYS, 0xfffff8070e680000, 40 kB, BEEP Driver
+BasicRender.sys, 0xfffff80715050000, 68 kB, Microsoft Basic Render Driver
+BasicDisplay.sys, 0xfffff80715030000, 88 kB, Microsoft Basic Display Driver
+bam.sys, 0xfffff80714280000, 92 kB, BAM Kernel Driver
+ataport.SYS, 0xfffff8070d390000, 240 kB, ATAPI Driver Extension
+atapi.sys, 0xfffff8070d380000, 52 kB, ATAPI IDE Miniport Driver
+ahcache.sys, 0xfffff807142a0000, 312 kB, Application Compatibility Cache
+AgileVpn.sys, 0xfffff80752b10000, 156 kB, RAS Agile Vpn Miniport Call Manager
+afunix.sys, 0xfffff80715190000, 76 kB, AF_UNIX socket provider
+afd.sys, 0xfffff80713e00000, 652 kB, Ancillary Function Driver for WinSock
+acpiex.sys, 0xfffff8070ccd0000, 152 kB, ACPIEx Driver
+ACPI.sys, 0xfffff8070cea0000, 816 kB, ACPI Driver for NT