.text:00007FF7D93BAC80
.text:00007FF7D93BAC80 ; =============== S U B R O U T I N E =======================================
.text:00007FF7D93BAC80
.text:00007FF7D93BAC80 ; Attributes: noreturn bp-based frame
.text:00007FF7D93BAC80 ; NOTE(review): "noreturn" is the disassembler's inference, not a property the
.text:00007FF7D93BAC80 ; code shows: the routine has a normal epilogue and retn at 7FF7D93BAE9F. The
.text:00007FF7D93BAC80 ; flag presumably comes from callees that are followed by int 3 being treated
.text:00007FF7D93BAC80 ; as non-returning. The numbered pseudocode comments below stop at
.text:00007FF7D93BAC80 ; __debugbreak() for the same reason, so rely on the assembly.
.text:00007FF7D93BAC80
.text:00007FF7D93BAC80 ; load_driver (analyst-assigned name)
.text:00007FF7D93BAC80 ;
.text:00007FF7D93BAC80 ; What the listing shows, in order:
.text:00007FF7D93BAC80 ;   1. Status output "Loading driver...", then "Getting exports...".
.text:00007FF7D93BAC80 ;   2. Two lookups, "ExportLoad" and "ExportMap", against InjectModuleHandle
.text:00007FF7D93BAC80 ;      through GetProcAddress_Wrapper_0/_1. If either result is zero the
.text:00007FF7D93BAC80 ;      "Failed to get exports" path is taken.
.text:00007FF7D93BAC80 ;   3. call ExportLoad(); al == 0 -> "Failed to load vulnerable driver".
.text:00007FF7D93BAC80 ;   4. call ExportMap("driver.sys"); al == 0 -> "Failed to map our driver",
.text:00007FF7D93BAC80 ;      otherwise "Driver loaded successfully".
.text:00007FF7D93BAC80 ;   5. Common output tail at loc_7FF7D93BAE74, then retn. rax is not set
.text:00007FF7D93BAC80 ;      explicitly before returning.
.text:00007FF7D93BAC80 ; What ExportLoad and ExportMap do is implemented in the other module and is
.text:00007FF7D93BAC80 ; not visible here. The strings describe loading a known-vulnerable driver and
.text:00007FF7D93BAC80 ; then mapping a second driver image, i.e. a bring-your-own-vulnerable-driver
.text:00007FF7D93BAC80 ; flow -- confirm by analysing the two exports.
.text:00007FF7D93BAC80 ; Defensive relevance: the driver load itself happens inside ExportLoad, so
.text:00007FF7D93BAC80 ; kernel driver-load telemetry (e.g. Sysmon Event ID 6) and vulnerable-driver
.text:00007FF7D93BAC80 ; blocklisting apply to that step. If ExportMap maps the image manually, as the
.text:00007FF7D93BAC80 ; string suggests, the second driver would presumably not raise a normal load
.text:00007FF7D93BAC80 ; event -- verify against ExportMap.
.text:00007FF7D93BAC80 ;
.text:00007FF7D93BAC80 ; ABI: argument use (rcx, rdx, r8) and the 20h reservation match Microsoft x64.
.text:00007FF7D93BAC80 ; In:  rcx = a1, opaque here; only forwarded as first argument of
.text:00007FF7D93BAC80 ;      sub_7FF7D93BB040.
.text:00007FF7D93BAC80 ; Registers (renames below are the analyst's and apply to EVERY use):
.text:00007FF7D93BAC80 ;   rbx = a1
.text:00007FF7D93BAC80 ;   rsi = export_loader_addr, result of the "ExportLoad" lookup
.text:00007FF7D93BAC80 ;   rdi = export_map_addr, result of the "ExportMap" lookup
.text:00007FF7D93BAC80 ;   rax = get_proc_result; also shown under this name when it holds the
.text:00007FF7D93BAC80 ;         return value of an output call or a stack address, so the name is
.text:00007FF7D93BAC80 ;         only literal at 7FF7D93BAD2E..7FF7D93BAD54.
.text:00007FF7D93BAC80 ; Stack: after the three pushes rbp = entry rsp - 18h, so arg_0..arg_18
.text:00007FF7D93BAC80 ;   ([rbp+20h]..[rbp+38h]) are the four 8-byte slots directly above the
.text:00007FF7D93BAC80 ;   return address. arg_0 holds the saved rbx; arg_8, arg_10 and arg_18 are
.text:00007FF7D93BAC80 ;   used as locals.
.text:00007FF7D93BAC80 ;
.text:00007FF7D93BAC80 ; Output idiom, repeated for every message:
.text:00007FF7D93BAC80 ;   arg_18 = &arg_8
.text:00007FF7D93BAC80 ;   arg_8  = f(rcx = message, edx = length)   ; edx matches the string length
.text:00007FF7D93BAC80 ;   arg_10 = f(rcx = one-character tag, edx = 1)
.text:00007FF7D93BAC80 ;   sub_7FF7D93BB040(rbx, &arg_10, &arg_8)
.text:00007FF7D93BAC80 ; Tags seen: "i", "d", "s", "e" -- presumably info/debug/success/error.
.text:00007FF7D93BAC80 ; f is a different sub_ address at each site (one is labelled print_wrapper);
.text:00007FF7D93BAC80 ; presumably these are per-site stubs for one routine -- TODO confirm.
.text:00007FF7D93BAC80 ;
.text:00007FF7D93BAC80 ; Call-site shape: every call to those stubs and to the GetProcAddress
.text:00007FF7D93BAC80 ; wrappers is either "call; int 3" or "push reg; call", 6 bytes by the
.text:00007FF7D93BAC80 ; addresses shown, and the pushed registers are never popped in this routine.
.text:00007FF7D93BAC80 ; Six bytes is the size of an indirect "call qword ptr [rip+disp32]", so this
.text:00007FF7D93BAC80 ; looks like protector-rewritten import calls whose stubs skip the pad byte or
.text:00007FF7D93BAC80 ; drop the pushed slot; the .vmp0/.vmp1 cross-references fit a VMProtect-style
.text:00007FF7D93BAC80 ; packer. Unverified from this listing -- confirm by tracing one stub.
.text:00007FF7D93BAC80 load_driver proc near ; CODE XREF: sub_7FF7D93BB220+66↓p
.text:00007FF7D93BAC80 ; DATA XREF: .vmp1:00007FF7D9CB5F14↓o
.text:00007FF7D93BAC80
.text:00007FF7D93BAC80 arg_0 = qword ptr 20h
.text:00007FF7D93BAC80 arg_8 = qword ptr 28h
.text:00007FF7D93BAC80 arg_10 = qword ptr 30h
.text:00007FF7D93BAC80 arg_18 = qword ptr 38h
.text:00007FF7D93BAC80
.text:00007FF7D93BAC80 get_proc_result = rax
.text:00007FF7D93BAC80 export_map_addr = rdi
.text:00007FF7D93BAC80 export_loader_addr = rsi
.text:00007FF7D93BAC80 ; __unwind { // sub_7FF7D93BD226
.text:00007FF7D93BAC80 ; Prologue: rbx is stored at [rsp+8] (-18h + 20h), the first slot above the
.text:00007FF7D93BAC80 ; return address, then rbp/rsi/rdi are pushed and 20h bytes are reserved.
.text:00007FF7D93BAC80 mov [rsp-18h+arg_0], rbx
.text:00007FF7D93BAC85 push rbp
.text:00007FF7D93BAC86 push export_loader_addr
.text:00007FF7D93BAC87 push export_map_addr
.text:00007FF7D93BAC88 mov rbp, rsp
.text:00007FF7D93BAC8B sub rsp, 20h
.text:00007FF7D93BAC8F ; 6: sub_7FF7D95BBA6F(a1);
.text:00007FF7D93BAC8F ; NOTE(review): the pseudocode line above shows a1 as the argument, but rcx is
.text:00007FF7D93BAC8F ; reloaded with the string at 7FF7D93BAC9F before the call. a1 is only kept
.text:00007FF7D93BAC8F ; in rbx here.
.text:00007FF7D93BAC8F mov rbx, rcx
.text:00007FF7D93BAC92 ; 5: v2 = &v1;
.text:00007FF7D93BAC92 lea get_proc_result, [rbp+arg_8]
.text:00007FF7D93BAC96
.text:00007FF7D93BAC96 loc_7FF7D93BAC96: ; DATA XREF: sub_7FF7D959D1A6-1C17C↓o
.text:00007FF7D93BAC96 ; Message 1, tag "i": edx = 11h (17), the length of "Loading driver...".
.text:00007FF7D93BAC96 mov [rbp+arg_18], get_proc_result
.text:00007FF7D93BAC9A mov edx, 11h
.text:00007FF7D93BAC9F lea rcx, aLoadingDriver ; "Loading driver..."
.text:00007FF7D93BACA6 call sub_7FF7D95BBA6F
.text:00007FF7D93BACAB ; 7: __debugbreak();
.text:00007FF7D93BACAB ; The instruction after this byte consumes rax as the call's return value, so
.text:00007FF7D93BACAB ; the int 3 is presumably a pad byte that is skipped, not a reachable trap.
.text:00007FF7D93BACAB int 3 ; Trap to Debugger
.text:00007FF7D93BACAC ; ---------------------------------------------------------------------------
.text:00007FF7D93BACAC mov [rbp+arg_8], get_proc_result
.text:00007FF7D93BACB0 mov edx, 1
.text:00007FF7D93BACB5 lea rcx, aI ; "i"
.text:00007FF7D93BACBC call sub_7FF7D940B132
.text:00007FF7D93BACC1 int 3 ; Trap to Debugger
.text:00007FF7D93BACC2 ; ---------------------------------------------------------------------------
.text:00007FF7D93BACC2 ; sub_7FF7D93BB040(rcx = a1, rdx = &arg_10 (tag result), r8 = &arg_8 (message
.text:00007FF7D93BACC2 ; result)). This is a plain 5-byte call with no pad byte or extra push.
.text:00007FF7D93BACC2 mov [rbp+arg_10], get_proc_result
.text:00007FF7D93BACC6 lea r8, [rbp+arg_8]
.text:00007FF7D93BACCA lea rdx, [rbp+arg_10]
.text:00007FF7D93BACCE mov rcx, rbx
.text:00007FF7D93BACD1 call sub_7FF7D93BB040
.text:00007FF7D93BACD6 ; ---------------------------------------------------------------------------
.text:00007FF7D93BACD6
.text:00007FF7D93BACD6 loc_7FF7D93BACD6: ; DATA XREF: sub_7FF7D95E4FFB+1↓o
.text:00007FF7D93BACD6 ; sub_7FF7D95ED6E8-E95B5↓o
.text:00007FF7D93BACD6 ; Message 2, tag "d": edx = 12h (18), the length of "Getting exports...".
.text:00007FF7D93BACD6 lea get_proc_result, [rbp+arg_8]
.text:00007FF7D93BACDA mov [rbp+arg_18], get_proc_result
.text:00007FF7D93BACDE mov edx, 12h
.text:00007FF7D93BACE3 lea rcx, aGettingExports ; "Getting exports..."
.text:00007FF7D93BACEA ; "push reg; call" variant of the 6-byte site; no matching pop exists in this
.text:00007FF7D93BACEA ; routine, so the callee presumably discards the slot.
.text:00007FF7D93BACEA push rbx
.text:00007FF7D93BACEB
.text:00007FF7D93BACEB loc_7FF7D93BACEB: ; DATA XREF: sub_7FF7D94757CA-1297F↓o
.text:00007FF7D93BACEB call sub_7FF7D95592BA
.text:00007FF7D93BACF0 mov [rbp+arg_8], get_proc_result
.text:00007FF7D93BACF4
.text:00007FF7D93BACF4 loc_7FF7D93BACF4: ; DATA XREF: sub_7FF7D94468AE+1674B7↓o
.text:00007FF7D93BACF4 mov edx, 1
.text:00007FF7D93BACF9 lea rcx, aD ; "d"
.text:00007FF7D93BAD00 push get_proc_result
.text:00007FF7D93BAD01 call sub_7FF7D95056A0
.text:00007FF7D93BAD06
.text:00007FF7D93BAD06 loc_7FF7D93BAD06: ; DATA XREF: sub_7FF7D942142B+1BEC8↓o
.text:00007FF7D93BAD06 mov [rbp+arg_10], get_proc_result
.text:00007FF7D93BAD0A lea r8, [rbp+arg_8]
.text:00007FF7D93BAD0E lea rdx, [rbp+arg_10]
.text:00007FF7D93BAD12 mov rcx, rbx
.text:00007FF7D93BAD15 call sub_7FF7D93BB040
.text:00007FF7D93BAD1A ; ---------------------------------------------------------------------------
.text:00007FF7D93BAD1A ; Export resolution. NOTE(review): rcx is loaded with lea, i.e. the ADDRESS of
.text:00007FF7D93BAD1A ; InjectModuleHandle rather than its contents. A direct GetProcAddress call
.text:00007FF7D93BAD1A ; would need the handle value, so confirm what the wrapper expects before
.text:00007FF7D93BAD1A ; trusting the "handle to inject.dll" annotation.
.text:00007FF7D93BAD1A lea rdx, aExportload ; "ExportLoad"
.text:00007FF7D93BAD21 lea rcx, InjectModuleHandle ; handle to inject.dll
.text:00007FF7D93BAD28 push export_map_addr
.text:00007FF7D93BAD29 call GetProcAddress_Wrapper_0 ; GetProcAddress(InjectHandle, "ExportLoad");
.text:00007FF7D93BAD2E
.text:00007FF7D93BAD2E loc_7FF7D93BAD2E: ; DATA XREF: sub_7FF7D954B379-8B56A↓o
.text:00007FF7D93BAD2E ; sub_7FF7D953050F+19↓o
.text:00007FF7D93BAD2E ; rsi = address of ExportLoad (or 0); it must survive the second lookup.
.text:00007FF7D93BAD2E mov export_loader_addr, get_proc_result
.text:00007FF7D93BAD31 lea rdx, aExportmap ; "ExportMap"
.text:00007FF7D93BAD38 lea rcx, InjectModuleHandle
.text:00007FF7D93BAD3F call GetProcAddress_Wrapper_1 ; GetProcAddress(InjectHandle, "ExportMap");
.text:00007FF7D93BAD44 int 3 ; Trap to Debugger
.text:00007FF7D93BAD45 ; ---------------------------------------------------------------------------
.text:00007FF7D93BAD45 ; rdi = address of ExportMap (or 0). Both pointers are checked before either
.text:00007FF7D93BAD45 ; is called: rsi first, then rax, which still holds the ExportMap result.
.text:00007FF7D93BAD45 mov export_map_addr, get_proc_result
.text:00007FF7D93BAD48 test export_loader_addr, export_loader_addr
.text:00007FF7D93BAD4B jz get_import_failed ; if(!GetProcAddress(InjectHandle, "ExportLoad"))
.text:00007FF7D93BAD51
.text:00007FF7D93BAD51 loc_7FF7D93BAD51: ; DATA XREF: sub_7FF7D94AAA89+10F799↓o
.text:00007FF7D93BAD51 test get_proc_result, get_proc_result
.text:00007FF7D93BAD54 jz get_import_failed
.text:00007FF7D93BAD5A ; Message 3, tag "d": edx = 1Ch (28), the length of
.text:00007FF7D93BAD5A ; "Loading vulnerable driver...".
.text:00007FF7D93BAD5A lea get_proc_result, [rbp+arg_8]
.text:00007FF7D93BAD5E mov [rbp+arg_18], get_proc_result
.text:00007FF7D93BAD62 mov edx, 1Ch
.text:00007FF7D93BAD67
.text:00007FF7D93BAD67 loc_7FF7D93BAD67: ; DATA XREF: sub_7FF7D95ECD37-A8861↓o
.text:00007FF7D93BAD67 ; .vmp0:loc_7FF7D94B4A3E↓o
.text:00007FF7D93BAD67 lea rcx, aLoadingVulnera ; "Loading vulnerable driver..."
.text:00007FF7D93BAD6E push rbx
.text:00007FF7D93BAD6F call print_wrapper
.text:00007FF7D93BAD74 mov [rbp+arg_8], get_proc_result
.text:00007FF7D93BAD78 mov edx, 1
.text:00007FF7D93BAD7D
.text:00007FF7D93BAD7D loc_7FF7D93BAD7D: ; DATA XREF: sub_7FF7D94503B6-30DA4↓o
.text:00007FF7D93BAD7D lea rcx, aD ; "d"
.text:00007FF7D93BAD84 call sub_7FF7D9478BE0
.text:00007FF7D93BAD89 int 3 ; Trap to Debugger
.text:00007FF7D93BAD8A ; ---------------------------------------------------------------------------
.text:00007FF7D93BAD8A mov [rbp+arg_10], get_proc_result
.text:00007FF7D93BAD8E lea r8, [rbp+arg_8]
.text:00007FF7D93BAD92 lea rdx, [rbp+arg_10]
.text:00007FF7D93BAD96 mov rcx, rbx
.text:00007FF7D93BAD99 call sub_7FF7D93BB040
.text:00007FF7D93BAD9E ; ---------------------------------------------------------------------------
.text:00007FF7D93BAD9E ; Indirect call through rsi with no arguments set up here. The result is
.text:00007FF7D93BAD9E ; tested as a byte in al; the lea/mov that follow do not modify flags, so the
.text:00007FF7D93BAD9E ; jnz still acts on "test al, al".
.text:00007FF7D93BAD9E call export_loader_addr ; ExportLoad()
.text:00007FF7D93BADA0 test al, al
.text:00007FF7D93BADA2 lea get_proc_result, [rbp+arg_8]
.text:00007FF7D93BADA6 mov [rbp+arg_18], get_proc_result
.text:00007FF7D93BADAA jnz short loaded_intel_driver ; if(!ExportLoad())
.text:00007FF7D93BADAC ; Failure path: edx = 20h (32), the length of the message; joins the shared
.text:00007FF7D93BADAC ; "e" tail at loc_7FF7D93BAE6D.
.text:00007FF7D93BADAC mov edx, 20h ; ' '
.text:00007FF7D93BADB1 lea rcx, aFailedToLoadVu ; "Failed to load vulnerable driver"
.text:00007FF7D93BADB8 call sub_7FF7D958DEFC
.text:00007FF7D93BADBD int 3 ; Trap to Debugger
.text:00007FF7D93BADBE ; ---------------------------------------------------------------------------
.text:00007FF7D93BADBE mov [rbp+arg_8], get_proc_result
.text:00007FF7D93BADC2 jmp loc_7FF7D93BAE6D
.text:00007FF7D93BADC7 ; ---------------------------------------------------------------------------
.text:00007FF7D93BADC7
.text:00007FF7D93BADC7 loaded_intel_driver: ; CODE XREF: load_driver+12A↑j
.text:00007FF7D93BADC7 ; NOTE(review): the "intel" in this label is the analyst's naming; no driver
.text:00007FF7D93BADC7 ; name or vendor for the vulnerable driver appears in this routine.
.text:00007FF7D93BADC7 ; Message 4, tag "d": edx = 21, the length of "Mapping our driver...".
.text:00007FF7D93BADC7 mov edx, 21
.text:00007FF7D93BADCC
.text:00007FF7D93BADCC loc_7FF7D93BADCC: ; DATA XREF: .vmp0:00007FF7D95F9431↓o
.text:00007FF7D93BADCC lea rcx, aMappingOurDriv ; "Mapping our driver..."
.text:00007FF7D93BADD3 push rdx
.text:00007FF7D93BADD4 call sub_7FF7D955E32D
.text:00007FF7D93BADD9 mov [rbp+arg_8], get_proc_result
.text:00007FF7D93BADDD mov edx, 1
.text:00007FF7D93BADE2 lea rcx, aD ; "d"
.text:00007FF7D93BADE9
.text:00007FF7D93BADE9 loc_7FF7D93BADE9: ; DATA XREF: sub_7FF7D95A4C59:loc_7FF7D9592C44↓o
.text:00007FF7D93BADE9 call sub_7FF7D952ADCD
.text:00007FF7D93BADEE int 3 ; Trap to Debugger
.text:00007FF7D93BADEF ; ---------------------------------------------------------------------------
.text:00007FF7D93BADEF mov [rbp+arg_10], get_proc_result
.text:00007FF7D93BADF3 lea r8, [rbp+arg_8]
.text:00007FF7D93BADF7 lea rdx, [rbp+arg_10]
.text:00007FF7D93BADFB mov rcx, rbx
.text:00007FF7D93BADFE call sub_7FF7D93BB040
.text:00007FF7D93BAE03 ; ---------------------------------------------------------------------------
.text:00007FF7D93BAE03 ; Indirect call through rdi, i.e. ExportMap("driver.sys"); result tested in al.
.text:00007FF7D93BAE03 ; The argument is a bare file name with no directory component, so where it
.text:00007FF7D93BAE03 ; resolves depends on ExportMap -- presumably the working directory; verify.
.text:00007FF7D93BAE03 lea rcx, aDriverSys ; "driver.sys"
.text:00007FF7D93BAE0A call export_map_addr
.text:00007FF7D93BAE0C test al, al
.text:00007FF7D93BAE0E
.text:00007FF7D93BAE0E loc_7FF7D93BAE0E: ; DATA XREF: sub_7FF7D957BEA6-FC4D7↓o
.text:00007FF7D93BAE0E lea get_proc_result, [rbp+arg_8]
.text:00007FF7D93BAE12 mov [rbp+arg_18], get_proc_result
.text:00007FF7D93BAE16 jnz short mapped_driver_success
.text:00007FF7D93BAE18 ; Failure path: edx = 18h (24), the length of the message; joins the shared
.text:00007FF7D93BAE18 ; "e" tail at loc_7FF7D93BAE6D.
.text:00007FF7D93BAE18 mov edx, 18h
.text:00007FF7D93BAE1D lea rcx, aFailedToMapOur ; "Failed to map our driver"
.text:00007FF7D93BAE24
.text:00007FF7D93BAE24 loc_7FF7D93BAE24: ; DATA XREF: sub_7FF7D94FF131-2DECE↓o
.text:00007FF7D93BAE24 push export_loader_addr
.text:00007FF7D93BAE25 call sub_7FF7D954EE11
.text:00007FF7D93BAE2A mov [rbp+arg_8], get_proc_result
.text:00007FF7D93BAE2E jmp short loc_7FF7D93BAE6D
.text:00007FF7D93BAE30 ; ---------------------------------------------------------------------------
.text:00007FF7D93BAE30
.text:00007FF7D93BAE30 mapped_driver_success: ; CODE XREF: load_driver+196↑j
.text:00007FF7D93BAE30 ; Success path: edx = 1Ah (26), the length of the message. The jmp at
.text:00007FF7D93BAE4D enters the tail after the "e" load, so the tag is "s".
.text:00007FF7D93BAE30 mov edx, 1Ah
.text:00007FF7D93BAE35
.text:00007FF7D93BAE35 loc_7FF7D93BAE35: ; DATA XREF: sub_7FF7D9567ABC-7F50C↓o
.text:00007FF7D93BAE35 ; sub_7FF7D95A8564-271A↓o
.text:00007FF7D93BAE35 lea rcx, aDriverLoadedSu ; "Driver loaded successfully"
.text:00007FF7D93BAE3C
.text:00007FF7D93BAE3C loc_7FF7D93BAE3C: ; DATA XREF: sub_7FF7D9471582+10↓o
.text:00007FF7D93BAE3C call sub_7FF7D95B77C9
.text:00007FF7D93BAE41 int 3 ; Trap to Debugger
.text:00007FF7D93BAE42 ; ---------------------------------------------------------------------------
.text:00007FF7D93BAE42 mov [rbp+arg_8], get_proc_result
.text:00007FF7D93BAE46 lea rcx, aS ; "s"
.text:00007FF7D93BAE4D jmp short loc_7FF7D93BAE74
.text:00007FF7D93BAE4F ; ---------------------------------------------------------------------------
.text:00007FF7D93BAE4F
.text:00007FF7D93BAE4F get_import_failed: ; CODE XREF: load_driver+CB↑j
.text:00007FF7D93BAE4F ; load_driver+D4↑j
.text:00007FF7D93BAE4F ; Reached when either export lookup returned zero: edx = 15h (21), the length
.text:00007FF7D93BAE4F ; of the message; falls through into the "e" tail.
.text:00007FF7D93BAE4F lea get_proc_result, [rbp+arg_8]
.text:00007FF7D93BAE53 mov [rbp+arg_18], get_proc_result
.text:00007FF7D93BAE57
.text:00007FF7D93BAE57 loc_7FF7D93BAE57: ; DATA XREF: sub_7FF7D9529E62+78856↓o
.text:00007FF7D93BAE57 mov edx, 15h
.text:00007FF7D93BAE5C lea rcx, aFailedToGetExp ; "Failed to get exports"
.text:00007FF7D93BAE63 call sub_7FF7D95DC54A
.text:00007FF7D93BAE68 int 3 ; Trap to Debugger
.text:00007FF7D93BAE69 ; ---------------------------------------------------------------------------
.text:00007FF7D93BAE69 mov [rbp+arg_8], get_proc_result
.text:00007FF7D93BAE6D
.text:00007FF7D93BAE6D loc_7FF7D93BAE6D: ; CODE XREF: load_driver+142↑j
.text:00007FF7D93BAE6D ; load_driver+1AE↑j
.text:00007FF7D93BAE6D ; DATA XREF: ...
.text:00007FF7D93BAE6D ; Shared error tail: all three failure paths arrive here and use tag "e".
.text:00007FF7D93BAE6D lea rcx, aE ; "e"
.text:00007FF7D93BAE74
.text:00007FF7D93BAE74 loc_7FF7D93BAE74: ; CODE XREF: load_driver+1CD↑j
.text:00007FF7D93BAE74 ; Common tail: rcx already holds the tag ("e", or "s" from the success path).
.text:00007FF7D93BAE74 mov edx, 1
.text:00007FF7D93BAE79 call sub_7FF7D959401E
.text:00007FF7D93BAE7E int 3 ; Trap to Debugger
.text:00007FF7D93BAE7F ; ---------------------------------------------------------------------------
.text:00007FF7D93BAE7F mov [rbp+arg_10], get_proc_result
.text:00007FF7D93BAE83 lea r8, [rbp+arg_8]
.text:00007FF7D93BAE87 lea rdx, [rbp+arg_10]
.text:00007FF7D93BAE8B mov rcx, rbx
.text:00007FF7D93BAE8E call sub_7FF7D93BB040
.text:00007FF7D93BAE93 ; ---------------------------------------------------------------------------
.text:00007FF7D93BAE93 ; Epilogue: [rsp+40h] is the slot rbx was saved in at entry only if rsp equals
.text:00007FF7D93BAE93 ; rbp-20h here, i.e. only if the unmatched pushes above were consumed by
.text:00007FF7D93BAE93 ; their callees. rsp is not reloaded from rbp, so the routine depends on it.
.text:00007FF7D93BAE93 mov rbx, [rsp+20h+arg_0]
.text:00007FF7D93BAE98 add rsp, 20h
.text:00007FF7D93BAE9C
.text:00007FF7D93BAE9C loc_7FF7D93BAE9C: ; DATA XREF: sub_7FF7D954BA34+37E22↓o
.text:00007FF7D93BAE9C pop export_map_addr
.text:00007FF7D93BAE9D pop export_loader_addr
.text:00007FF7D93BAE9E pop rbp
.text:00007FF7D93BAE9F retn
.text:00007FF7D93BAE9F ; } // starts at 7FF7D93BAC80
.text:00007FF7D93BAE9F load_driver endp
.text:00007FF7D93BAE9F