|
|
|
|
@ -19,4 +19,24 @@ __int64 __usercall apc_callback@<rax>(char _CL@<cl>, char _BH@<bh>, __int64 *a3@
|
|
|
|
|
*(_DWORD *)(v4 + 2160) = RtlWalkFrameChain(*a3 + 0x70, 256i64, 0i64);
|
|
|
|
|
return KeSetEvent(v4 + 88, 0i64, 0i64);
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
Registeration of APCS:
|
|
|
|
|
|
|
|
|
|
```cpp
|
|
|
|
|
current_thread_id = PsLookupThreadByThreadId(thread_id, &some_pethread);
|
|
|
|
|
v17 = 0;
|
|
|
|
|
if ( (int)current_thread_id >= 0 )
|
|
|
|
|
{
|
|
|
|
|
allocated_pool = ExAllocatePool(0x200i64, 0x878i64);
|
|
|
|
|
allocated_pool_1 = allocated_pool;
|
|
|
|
|
allocated_pool_2 = allocated_pool;
|
|
|
|
|
if ( allocated_pool )
|
|
|
|
|
{
|
|
|
|
|
allocated_pool_plus_58 = allocated_pool + 0x58;
|
|
|
|
|
KeInitializeEvent((PRKEVENT)(allocated_pool + 0x58), NotificationEvent, 0);
|
|
|
|
|
__asm { rcl cx, 0C6h }
|
|
|
|
|
LOBYTE(v77) = 0;
|
|
|
|
|
KeInitializeApc(allocated_pool_2, some_pethread, 0i64, j_apc_callback, 0i64, 0i64, v77, 0i64);
|
|
|
|
|
if ( (unsigned __int8)KeInsertQueueApc(allocated_pool_2, allocated_pool_2, 0i64, 2i64) )
|
|
|
|
|
```
|
xerox
4 years ago