From 98e42e40e525102ed2165fa7cb043b13dd6742ce Mon Sep 17 00:00:00 2001
From: xerox
Date: Sun, 26 Jul 2020 02:44:30 +0000
Subject: [PATCH] Update README.md
---
 README.md | 67 +++++++++----------------------------------------------
 1 file changed, 10 insertions(+), 57 deletions(-)
diff --git a/README.md b/README.md
index 224fd9e..82a857c 100644
--- a/README.md
+++ b/README.md
@@ -82,64 +82,17 @@ BEDaisy checks the IRP's of every single loaded driver. Below is the checks done
 00042944 92.55983734 [GoodEye] - string2: C:\Windows\System32\drivers\dxgkrnl.sys
 00042945 92.55983734 [GoodEye] - count: 0x27
 00042946 92.55996704 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFDD8B6
-00042947 92.55996704 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF80498F10000
-00042948 92.56076813 [GoodEye]ExFreePoolWithTag called from: 0xFFFFF804DEFDD8D7
-00042949 92.56076813 [GoodEye] - Freeing pool at: 0xFFFFC8081516C850
-00042950 92.56076813 [GoodEye] - Pool Tag: 0x0
+00042947 92.55996704 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF80498F10000 // base address of dxgkrnl.sys
 00042951 92.56208801 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
-00042952 92.56209564 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8049905E400
+00042952 92.56209564 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8049905E400 // address of DxgkCreateClose
 00042953 92.56209564 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
-00042954 92.56209564 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
-00042955 92.56209564 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
-00042956 92.56209564 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8049905E400
+00042956 92.56209564 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8049905E400 // address of DxgkCreateClose
 00042957 92.56209564 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
-00042958 92.56209564 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
-00042959 92.56209564 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
-00042960 92.56210327 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
-00042961 92.56210327 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
-00042962 92.56210327 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
-00042963 92.56210327 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
-00042964 92.56210327 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
-00042965 92.56211090 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
-00042966 92.56211090 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
-00042967 92.56211090 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
-00042968 92.56211090 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
-00042969 92.56211853 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
-00042970 92.56211853 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
-00042971 92.56211853 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
-00042972 92.56211853 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
-00042973 92.56211853 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
-00042974 92.56212616 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
-00042975 92.56212616 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
-00042976 92.56212616 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
-00042977 92.56212616 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
-00042978 92.56212616 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
-00042979 92.56213379 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
-00042980 92.56213379 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF80498F516A0
+00042980 92.56213379 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF80498F516A0 // address of DxgkDeviceIoctl
 00042981 92.56213379 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
-00042982 92.56213379 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF80499059670
-00042983 92.56214142 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
-00042984 92.56214142 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8049916C4D0
-00042985 92.56214142 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
-00042986 92.56214142 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
-00042987 92.56214142 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
-00042988 92.56214905 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
-00042989 92.56214905 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
-00042990 92.56214905 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
-00042991 92.56214905 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
-00042992 92.56214905 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
-00042993 92.56215668 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
-00042994 92.56215668 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
-00042995 92.56215668 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
-00042996 92.56215668 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
-00042997 92.56215668 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
-00042998 92.56216431 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
-00042999 92.56216431 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
-00043000 92.56216431 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
-00043001 92.56216431 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
-00043002 92.56216431 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
-00043003 92.56217194 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
-00043004 92.56217194 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
-00043005 92.56217194 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
-00043006 92.56217194 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
-```
\ No newline at end of file
+00042982 92.56213379 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF80499059670 // address of DxgkInternalDeviceIoctl
+```
+
+As you can see `0xFFFFF8049905E400` is `DxgkCreateClose`.
+
+
\ No newline at end of file