# kli-ex

kli-ex is an extended version of kli (kernel lazy importer): instead of going through the driver's import table, each kernel export is resolved at run time by walking what the listings below show as a PE export-directory traversal of the image returned by `kli::detail::get_kernel_base()` and comparing a name hash. It is published as a modification idea rather than a finished library: the encryption scheme that masks the resolved addresses can be replaced with any algorithm you like.

## Features

- Hide global variables — the cached kernel base and the per-import cache slots are stored XOR-masked rather than as plain pointers. The globals themselves still exist (see `kli::cache::base`, whose sentinel value `4116` means "not yet resolved", and `KLIExAllocatePoolWithTag` in the listings below), so this hides the *value*, not the variable.
- Use random seeds — the key material is fixed at compile time (presumably the hash basis and the key words; in the listings the same two key words, `3786` and `3596`, recur at every call site), so the seed varies per build, not per call.
- Add caching mechanism — `KLI_CACHED_CALL` reads the masked address from a per-import global and unmasks it immediately before the call, so the export-directory walk visible in Output1 is not repeated (compare Output2).

Note for reviewers: this is obfuscation against static import-table analysis, not a confidentiality mechanism. The key schedule, the key words and the FNV-1a-style target hashes (prime `0x100000001B3`, offset basis `0xCBF29CE4843FCD9F`, and per-import constants such as `0x4E334AF717DAD95D`) are all embedded in the binary, and the unmasked function pointer is materialised in a register right before each indirect call; a debugger, a hook on the callee, or a precomputed table of hashed export names recovers the imports. The mask itself comes from an RC4-style key schedule (256-byte state initialised to 0..255 with `_mm_add_epi8`, mixed with an 8-byte key whose index wraps at 7, then 8 keystream bytes XORed into the mask word); with the key being the 64-bit word `3786`, six of the eight key bytes are zero, and the inlined loops are themselves an easily recognised signature.

## Example1

```C++
auto pExAllocatePoolWithTag = KLI_CALL(ExAllocatePoolWithTag, NonPagedPool, PAGE_SIZE, 'enoN');
if (pExAllocatePoolWithTag) {
    dprintf("test_once:ExAllocatePoolWithTag=%p\n", pExAllocatePoolWithTag);
    KLI_CALL(ExFreePoolWithTag, pExAllocatePoolWithTag, 'enoN');
}
```

## Output1

Decompiler pseudo-code for Example1. Each `KLI_CALL` expands inline into the key schedule, the export-directory walk and the hash compare; `dprintf` maps to `DbgPrintEx`.

```C++
void test_once(void) { __int64 v0; // rax unsigned __int64 kernel_base; // rax __m128i si128; // xmm0 __int64 v3; // rcx __m128i v4; // xmm1 __int64 v5; // rdx unsigned __int8 v6; // r8 int v7; // r9d char v8; // r10 int v9; // r11d __int64 v10; // rcx __int64 v11; // rdx unsigned __int8 v12; // r8 char v13; // r9 char v14; // r11 __m128i v15; // xmm0 __int64 v16; // rcx __m128i v17; // xmm6 __int64 v18; // rdx unsigned __int8 v19; // r8 int v20; // r9d char v21; // r10 int v22; // r11d __int64 v23; // rcx __int64 v24; // rdx unsigned __int8 v25; // r8 char v26; // r9 char v27; // r11 __int64 v28; // rdx __m128i v29; // xmm0 __int64 i; // rcx __int64 v31; // r8 unsigned __int8 v32; // r9 int v33; // r10d char v34; // r11 int v35; // esi __int64 v36; // rcx __int64 v37; // r8 unsigned __int8 v38; // r9 char v39; // r10 char v40; // bl __int64 v41; // rcx __int64 v42; // r8 __m128i v43; // xmm0 __int64 j; // rdx __int64 v45; // rcx __int64 v46; // r9 unsigned __int8 v47; // r10 int v48; // r11d char v49; // bl int v50; // esi __int64 v51; // rdx __int64 v52; // r9 unsigned __int8 v53; // r10 char v54; // r11 char v55; // bl __int64 v56; // rdx __int64 v57; // r8 __m128i v58; // xmm0 __int64 k; // rcx __int64 v60; // rdx __int64 v61; // r9 unsigned __int8 v62; // r10 int v63; // r11d char v64; // bl int v65; // esi __int64 v66; // rcx __int64 v67; // r9 unsigned __int8 v68; // r10 char v69; // r11 char v70; // bl __int64 v71; // rcx __int64 v72; // r9
__m128i v73; // xmm0 __int64 m; // r10 __int64 v75; // rcx __int64 v76; // r11 unsigned __int8 v77; // si int v78; // edi char v79; // bl int v80; // r14d __int64 v81; // r10 __int64 v82; // r11 unsigned __int8 v83; // si char v84; // bl char v85; // r14 __int64 v86; // r10 __int64 v87; // r11 __m128i v88; // xmm0 __int64 n; // rsi __int64 v90; // r10 __int64 v91; // rsi unsigned __int8 v92; // di int v93; // ebx char v94; // r14 int v95; // r15d __int64 v96; // rcx __int64 v97; // r9 __int64 v98; // r11 unsigned __int8 v99; // si char v100; // bl char v101; // r14 __int64 v102; // r11 __int64 v103; // r9 __m128i v104; // xmm0 __int64 v105; // r8 __int64 v106; // r14 __m128i v107; // xmm1 unsigned __int8 v108; // r14 __int64 v109; // r15 int v110; // r12d char v111; // r13 int v112; // edi __int64 v113; // r14 __int64 v114; // r15 unsigned __int8 v115; // r12 char v116; // dl char v117; // r13 __int64 v118; // r12 char v119; // r15 char *v120; // r14 __int64 v121; // r12 __m128i v122; // xmm0 __int64 ii; // r9 __int64 v124; // r10 unsigned __int8 v125; // r11 int v126; // esi char v127; // dl int v128; // edi __int64 v129; // r9 __int64 v130; // r10 unsigned __int8 v131; // r11 char v132; // dl char v133; // di __int64 v134; // r9 __int64 v135; // rcx __m128i v136; // xmm0 __int64 jj; // rdx __int64 v138; // r8 unsigned __int8 v139; // r10 int v140; // r11d char v141; // si int v142; // edi __int64 v143; // rdx __int64 v144; // r8 unsigned __int8 v145; // r10 char v146; // r11 char v147; // di __m128i v148; // xmm0 __int64 kk; // rax __int64 v150; // rcx unsigned __int8 v151; // dl int v152; // r8d char v153; // r10 int v154; // r11d __int64 v155; // rax __int64 v156; // rcx unsigned __int8 v157; // dl char v158; // r8 char v159; // r11 unsigned __int16 *v160; // rax __int64 v161; // rax unsigned __int64 v162; // rax __m128i v163; // xmm0 __int64 mm; // rcx __int64 v165; // rdx unsigned __int8 v166; // r8 int v167; // r9d char v168; // r10 int v169; // r11d __int64 
v170; // rcx __int64 v171; // rdx unsigned __int8 v172; // r8 char v173; // r9 char v174; // r11 __m128i v175; // xmm0 __int64 nn; // rcx __int64 v177; // rdx unsigned __int8 v178; // r8 int v179; // r9d char v180; // r10 int v181; // r11d __int64 v182; // rcx __int64 v183; // rdx unsigned __int8 v184; // r8 char v185; // r9 char v186; // r11 __int64 v187; // rdx __m128i v188; // xmm0 __int64 i1; // rcx __int64 v190; // r8 unsigned __int8 v191; // r9 int v192; // r10d char v193; // r11 int v194; // edi __int64 v195; // rcx __int64 v196; // r8 unsigned __int8 v197; // r9 char v198; // r10 char v199; // di __int64 v200; // rcx __int64 v201; // r8 __m128i v202; // xmm0 __int64 i2; // rdx __int64 v204; // rcx __int64 v205; // r9 unsigned __int8 v206; // r10 int v207; // r11d char v208; // di int v209; // r14d __int64 v210; // rdx __int64 v211; // r9 unsigned __int8 v212; // r10 char v213; // r11 char v214; // r14 __int64 v215; // rdx __int64 v216; // r9 __m128i v217; // xmm0 __int64 i3; // rcx __int64 v219; // rdx __int64 v220; // r8 unsigned __int8 v221; // r10 int v222; // r11d char v223; // di int v224; // r14d __int64 v225; // rcx __int64 v226; // r8 unsigned __int8 v227; // r10 char v228; // r11 char v229; // r14 __int64 v230; // rcx __int64 v231; // r8 __m128i v232; // xmm0 __int64 i4; // r10 __int64 v234; // rcx __int64 v235; // r11 unsigned __int8 v236; // r14 int v237; // r15d char v238; // di int v239; // r12d __int64 v240; // r10 __int64 v241; // r11 unsigned __int8 v242; // r14 char v243; // di char v244; // r12 __int64 v245; // r10 __int64 v246; // r11 __m128i v247; // xmm0 __int64 i5; // r14 __int64 v249; // r10 __int64 v250; // r14 unsigned __int8 v251; // r15 int v252; // r12d char v253; // di int v254; // r13d __int64 v255; // rcx __int64 v256; // r8 __int64 v257; // r11 unsigned __int8 v258; // r14 char v259; // si char v260; // r15 __int64 v261; // r11 __int64 v262; // r8 __m128i v263; // xmm0 __int64 v264; // r9 __int64 v265; // r15 __m128i v266; // 
xmm1 unsigned __int8 v267; // r15 __int64 v268; // r12 int v269; // r13d char v270; // si int v271; // edi __int64 v272; // r15 __int64 v273; // r12 unsigned __int8 v274; // r13 char v275; // dl char v276; // di __int64 v277; // r13 char v278; // r12 char *v279; // r15 __int64 v280; // r13 __m128i v281; // xmm0 __int64 i6; // r8 __int64 v283; // r10 unsigned __int8 v284; // r11 int v285; // edi char v286; // dl int v287; // esi __int64 v288; // r8 __int64 v289; // r10 unsigned __int8 v290; // r11 char v291; // dl char v292; // bl __int64 v293; // r8 __int64 v294; // rcx __m128i v295; // xmm0 __int64 i7; // rdx __int64 v297; // r9 unsigned __int8 v298; // r10 int v299; // r11d char v300; // bl int v301; // esi __int64 v302; // rdx __int64 v303; // r9 unsigned __int8 v304; // r10 char v305; // r11 char v306; // bl __m128i v307; // xmm0 __int64 i8; // rax __int64 v309; // rcx unsigned __int8 v310; // dl int v311; // r9d char v312; // r10 int v313; // r11d __int64 v314; // rax __int64 v315; // rcx unsigned __int8 v316; // dl char v317; // r9 char v318; // r11 __int64 v319; // [rsp+28h] [rbp-58h] __int64 v320[34]; // [rsp+30h] [rbp-50h] unsigned __int16 *v321; // [rsp+140h] [rbp+C0h] __int64 v322; // [rsp+148h] [rbp+C8h] v0 = kli::cache::base; if ( kli::cache::base == 4116 ) { kernel_base = kli::detail::get_kernel_base(); v320[0] = 3786i64; v319 = 3596i64; si128 = _mm_load_si128((const __m128i *)&_xmm); v3 = 1i64; v4 = _mm_load_si128((const __m128i *)&_xmm); do { *(__m128i *)&v320[v3 + 1] = si128; si128 = _mm_add_epi8(si128, v4); v3 += 2i64; } while ( v3 != 33 ); v5 = 8i64; v6 = 0; v7 = 0; do { v8 = *((_BYTE *)&v320[1] + v5); v9 = v7; v6 += *((_BYTE *)v320 + v7) + v8; *((_BYTE *)&v320[1] + v5) = *((_BYTE *)&v320[2] + v6); *((_BYTE *)&v320[2] + v6) = v8; ++v7; if ( v9 >= 7 ) v7 = 0; ++v5; } while ( v5 != 264 ); v10 = 0i64; LOBYTE(v11) = 0; v12 = 0; do { v11 = (unsigned __int8)(v11 + 1); v13 = *((_BYTE *)&v320[2] + v11); v12 += v13; v14 = *((_BYTE *)&v320[2] + v12); 
*((_BYTE *)&v320[2] + v11) = v14; *((_BYTE *)&v320[2] + v12) = v13; *((_BYTE *)&v320[-1] + v10++) ^= *((_BYTE *)&v320[2] + (unsigned __int8)(v13 + v14)); } while ( v10 != 8 ); v0 = v319 ^ kernel_base; kli::cache::base = v0; } v320[0] = 3786i64; v319 = 3596i64; v15 = _mm_load_si128((const __m128i *)&_xmm); v16 = 1i64; v17 = _mm_load_si128((const __m128i *)&_xmm); do { *(__m128i *)&v320[v16 + 1] = v15; v15 = _mm_add_epi8(v15, v17); v16 += 2i64; } while ( v16 != 33 ); v18 = 8i64; v19 = 0; v20 = 0; do { v21 = *((_BYTE *)&v320[1] + v18); v22 = v20; v19 += *((_BYTE *)v320 + v20) + v21; *((_BYTE *)&v320[1] + v18) = *((_BYTE *)&v320[2] + v19); *((_BYTE *)&v320[2] + v19) = v21; ++v20; if ( v22 >= 7 ) v20 = 0; ++v18; } while ( v18 != 264 ); v23 = 0i64; LOBYTE(v24) = 0; v25 = 0; do { v24 = (unsigned __int8)(v24 + 1); v26 = *((_BYTE *)&v320[2] + v24); v25 += v26; v27 = *((_BYTE *)&v320[2] + v25); *((_BYTE *)&v320[2] + v24) = v27; *((_BYTE *)&v320[2] + v25) = v26; *((_BYTE *)&v320[-1] + v23++) ^= *((_BYTE *)&v320[2] + (unsigned __int8)(v26 + v27)); } while ( v23 != 8 ); v28 = v319; v320[0] = 3786i64; v319 = 3596i64; v29 = _mm_load_si128((const __m128i *)&_xmm); for ( i = 1i64; i != 33; i += 2i64 ) { *(__m128i *)&v320[i + 1] = v29; v29 = _mm_add_epi8(v29, v17); } v31 = 8i64; v32 = 0; v33 = 0; do { v34 = *((_BYTE *)&v320[1] + v31); v35 = v33; v32 += *((_BYTE *)v320 + v33) + v34; *((_BYTE *)&v320[1] + v31) = *((_BYTE *)&v320[2] + v32); *((_BYTE *)&v320[2] + v32) = v34; ++v33; if ( v35 >= 7 ) v33 = 0; ++v31; } while ( v31 != 264 ); v36 = 0i64; LOBYTE(v37) = 0; v38 = 0; do { v37 = (unsigned __int8)(v37 + 1); v39 = *((_BYTE *)&v320[2] + v37); v38 += v39; v40 = *((_BYTE *)&v320[2] + v38); *((_BYTE *)&v320[2] + v37) = v40; *((_BYTE *)&v320[2] + v38) = v39; *((_BYTE *)&v320[-1] + v36++) ^= *((_BYTE *)&v320[2] + (unsigned __int8)(v39 + v40)); } while ( v36 != 8 ); v41 = v319; v42 = *(int *)((v0 ^ v28) + 0x3C); v320[0] = 3786i64; v319 = 3596i64; v43 = _mm_load_si128((const __m128i 
*)&_xmm); for ( j = 1i64; j != 33; j += 2i64 ) { *(__m128i *)&v320[j + 1] = v43; v43 = _mm_add_epi8(v43, v17); } v45 = v0 ^ v41; v46 = 8i64; v47 = 0; v48 = 0; do { v49 = *((_BYTE *)&v320[1] + v46); v50 = v48; v47 += *((_BYTE *)v320 + v48) + v49; *((_BYTE *)&v320[1] + v46) = *((_BYTE *)&v320[2] + v47); *((_BYTE *)&v320[2] + v47) = v49; ++v48; if ( v50 >= 7 ) v48 = 0; ++v46; } while ( v46 != 264 ); v51 = 0i64; LOBYTE(v52) = 0; v53 = 0; do { v52 = (unsigned __int8)(v52 + 1); v54 = *((_BYTE *)&v320[2] + v52); v53 += v54; v55 = *((_BYTE *)&v320[2] + v53); *((_BYTE *)&v320[2] + v52) = v55; *((_BYTE *)&v320[2] + v53) = v54; *((_BYTE *)&v320[-1] + v51++) ^= *((_BYTE *)&v320[2] + (unsigned __int8)(v54 + v55)); } while ( v51 != 8 ); v56 = v319; v57 = *(unsigned int *)(v45 + v42 + 136); v320[0] = 3786i64; v319 = 3596i64; v58 = _mm_load_si128((const __m128i *)&_xmm); for ( k = 1i64; k != 33; k += 2i64 ) { *(__m128i *)&v320[k + 1] = v58; v58 = _mm_add_epi8(v58, v17); } v60 = v0 ^ v56; v61 = 8i64; v62 = 0; v63 = 0; do { v64 = *((_BYTE *)&v320[1] + v61); v65 = v63; v62 += *((_BYTE *)v320 + v63) + v64; *((_BYTE *)&v320[1] + v61) = *((_BYTE *)&v320[2] + v62); *((_BYTE *)&v320[2] + v62) = v64; ++v63; if ( v65 >= 7 ) v63 = 0; ++v61; } while ( v61 != 264 ); v66 = 0i64; LOBYTE(v67) = 0; v68 = 0; do { v67 = (unsigned __int8)(v67 + 1); v69 = *((_BYTE *)&v320[2] + v67); v68 += v69; v70 = *((_BYTE *)&v320[2] + v68); *((_BYTE *)&v320[2] + v67) = v70; *((_BYTE *)&v320[2] + v68) = v69; *((_BYTE *)&v320[-1] + v66++) ^= *((_BYTE *)&v320[2] + (unsigned __int8)(v69 + v70)); } while ( v66 != 8 ); v71 = v319; v72 = *(unsigned int *)(v60 + v57 + 28); v320[0] = 3786i64; v319 = 3596i64; v73 = _mm_load_si128((const __m128i *)&_xmm); for ( m = 1i64; m != 33; m += 2i64 ) { *(__m128i *)&v320[m + 1] = v73; v73 = _mm_add_epi8(v73, v17); } v75 = v0 ^ v71; v76 = 8i64; v77 = 0; v78 = 0; do { v79 = *((_BYTE *)&v320[1] + v76); v80 = v78; v77 += *((_BYTE *)v320 + v78) + v79; *((_BYTE *)&v320[1] + v76) = *((_BYTE 
*)&v320[2] + v77); *((_BYTE *)&v320[2] + v77) = v79; ++v78; if ( v80 >= 7 ) v78 = 0; ++v76; } while ( v76 != 264 ); v81 = 0i64; LOBYTE(v82) = 0; v83 = 0; do { v82 = (unsigned __int8)(v82 + 1); v84 = *((_BYTE *)&v320[2] + v82); v83 += v84; v85 = *((_BYTE *)&v320[2] + v83); *((_BYTE *)&v320[2] + v82) = v85; *((_BYTE *)&v320[2] + v83) = v84; *((_BYTE *)&v320[-1] + v81++) ^= *((_BYTE *)&v320[2] + (unsigned __int8)(v84 + v85)); } while ( v81 != 8 ); v86 = v319; v87 = *(unsigned int *)(v57 + v60 + 32); v320[0] = 3786i64; v319 = 3596i64; v88 = _mm_load_si128((const __m128i *)&_xmm); for ( n = 1i64; n != 33; n += 2i64 ) { *(__m128i *)&v320[n + 1] = v88; v88 = _mm_add_epi8(v88, v17); } v90 = v87 + (v0 ^ v86); v91 = 8i64; v92 = 0; v93 = 0; do { v94 = *((_BYTE *)&v320[1] + v91); v95 = v93; v92 += *((_BYTE *)v320 + v93) + v94; *((_BYTE *)&v320[1] + v91) = *((_BYTE *)&v320[2] + v92); *((_BYTE *)&v320[2] + v92) = v94; ++v93; if ( v95 >= 7 ) v93 = 0; ++v91; } while ( v91 != 264 ); v96 = v72 + v75; v97 = 0i64; LOBYTE(v98) = 0; v99 = 0; do { v98 = (unsigned __int8)(v98 + 1); v100 = *((_BYTE *)&v320[2] + v98); v99 += v100; v101 = *((_BYTE *)&v320[2] + v99); *((_BYTE *)&v320[2] + v98) = v101; *((_BYTE *)&v320[2] + v99) = v100; *((_BYTE *)&v320[-1] + v97++) ^= *((_BYTE *)&v320[2] + (unsigned __int8)(v100 + v101)); } while ( v97 != 8 ); v102 = *(unsigned int *)(v57 + v60 + 24); v103 = 0i64; if ( *(_DWORD *)(v57 + v60 + 24) ) { v321 = (unsigned __int16 *)((v0 ^ v319) + *(unsigned int *)(v57 + v60 + 36)); v104 = _mm_load_si128((const __m128i *)&_xmm); v105 = 0i64; while ( 1 ) { v320[0] = 3786i64; v319 = 3596i64; v106 = 1i64; v107 = v104; do { *(__m128i *)&v320[v106 + 1] = v107; v107 = _mm_add_epi8(v107, v17); v106 += 2i64; } while ( v106 != 33 ); v108 = 0; v109 = 8i64; v110 = 0; do { v111 = *((_BYTE *)&v320[1] + v109); v112 = v110; v108 += *((_BYTE *)v320 + v110) + v111; *((_BYTE *)&v320[1] + v109) = *((_BYTE *)&v320[2] + v108); *((_BYTE *)&v320[2] + v108) = v111; ++v110; if ( v112 >= 7 
) v110 = 0; ++v109; } while ( v109 != 264 ); v113 = 0i64; LOBYTE(v114) = 0; v115 = 0; do { v114 = (unsigned __int8)(v114 + 1); v116 = *((_BYTE *)&v320[2] + v114); v115 += v116; v117 = *((_BYTE *)&v320[2] + v115); *((_BYTE *)&v320[2] + v114) = v117; *((_BYTE *)&v320[2] + v115) = v116; *((_BYTE *)&v320[-1] + v113++) ^= *((_BYTE *)&v320[2] + (unsigned __int8)(v116 + v117)); } while ( v113 != 8 ); v118 = *(unsigned int *)(v90 + 4 * v105); v119 = *(_BYTE *)((v0 ^ v319) + v118); if ( v119 ) { v120 = (char *)(v118 + (v0 ^ v319) + 1); v121 = 0xCBF29CE4843FCD9Fui64; do { v121 = 0x100000001B3i64 * (v119 ^ (unsigned __int64)v121); v119 = *v120++; } while ( v119 ); if ( v121 == 0x4E334AF717DAD95Di64 ) break; } if ( ++v105 == v102 ) goto LABEL_92; } v320[0] = 3786i64; v319 = 3596i64; v122 = _mm_load_si128((const __m128i *)&_xmm); for ( ii = 1i64; ii != 33; ii += 2i64 ) { *(__m128i *)&v320[ii + 1] = v122; v122 = _mm_add_epi8(v122, v17); } v124 = 8i64; v125 = 0; v126 = 0; do { v127 = *((_BYTE *)&v320[1] + v124); v128 = v126; v125 += *((_BYTE *)v320 + v126) + v127; *((_BYTE *)&v320[1] + v124) = *((_BYTE *)&v320[2] + v125); *((_BYTE *)&v320[2] + v125) = v127; ++v126; if ( v128 >= 7 ) v126 = 0; ++v124; } while ( v124 != 264 ); v129 = 0i64; LOBYTE(v130) = 0; v131 = 0; do { v130 = (unsigned __int8)(v130 + 1); v132 = *((_BYTE *)&v320[2] + v130); v131 += v132; v133 = *((_BYTE *)&v320[2] + v131); *((_BYTE *)&v320[2] + v130) = v133; *((_BYTE *)&v320[2] + v131) = v132; *((_BYTE *)&v320[-1] + v129++) ^= *((_BYTE *)&v320[2] + (unsigned __int8)(v132 + v133)); } while ( v129 != 8 ); v134 = v319; v135 = *(unsigned int *)(v96 + 4i64 * v321[(unsigned int)v105]); v320[0] = 3596i64; v319 = 3786i64; v136 = _mm_load_si128((const __m128i *)&_xmm); for ( jj = 1i64; jj != 33; jj += 2i64 ) { *(__m128i *)&v320[jj + 1] = v136; v136 = _mm_add_epi8(v136, v17); } v138 = 8i64; v139 = 0; v140 = 0; do { v141 = *((_BYTE *)&v320[1] + v138); v142 = v140; v139 += *((_BYTE *)v320 + v140) + v141; *((_BYTE *)&v320[1] + 
v138) = *((_BYTE *)&v320[2] + v139); *((_BYTE *)&v320[2] + v139) = v141; ++v140; if ( v142 >= 7 ) v140 = 0; ++v138; } while ( v138 != 264 ); v143 = 0i64; LOBYTE(v144) = 0; v145 = 0; do { v144 = (unsigned __int8)(v144 + 1); v146 = *((_BYTE *)&v320[2] + v144); v145 += v146; v147 = *((_BYTE *)&v320[2] + v145); *((_BYTE *)&v320[2] + v144) = v147; *((_BYTE *)&v320[2] + v145) = v146; *((_BYTE *)&v320[-1] + v143++) ^= *((_BYTE *)&v320[2] + (unsigned __int8)(v146 + v147)); } while ( v143 != 8 ); v103 = v319 ^ (v135 + (v0 ^ v134)); } LABEL_92: v320[0] = 3596i64; v319 = 3786i64; v148 = _mm_load_si128((const __m128i *)&_xmm); for ( kk = 1i64; kk != 33; kk += 2i64 ) { *(__m128i *)&v320[kk + 1] = v148; v148 = _mm_add_epi8(v148, v17); } v150 = 8i64; v151 = 0; v152 = 0; do { v153 = *((_BYTE *)&v320[1] + v150); v154 = v152; v151 += *((_BYTE *)v320 + v152) + v153; *((_BYTE *)&v320[1] + v150) = *((_BYTE *)&v320[2] + v151); *((_BYTE *)&v320[2] + v151) = v153; ++v152; if ( v154 >= 7 ) v152 = 0; ++v150; } while ( v150 != 264 ); v155 = 0i64; LOBYTE(v156) = 0; v157 = 0; do { v156 = (unsigned __int8)(v156 + 1); v158 = *((_BYTE *)&v320[2] + v156); v157 += v158; v159 = *((_BYTE *)&v320[2] + v157); *((_BYTE *)&v320[2] + v156) = v159; *((_BYTE *)&v320[2] + v157) = v158; *((_BYTE *)&v320[-1] + v155++) ^= *((_BYTE *)&v320[2] + (unsigned __int8)(v158 + v159)); } while ( v155 != 8 ); v160 = (unsigned __int16 *)((__int64 (__fastcall *)(_QWORD, __int64, __int64))(v319 ^ v103))( 0i64, 4096i64, 1701736270i64); if ( v160 ) { v321 = v160; DbgPrintEx(0x4Du, 0, "test_once:ExAllocatePoolWithTag=%p\n", v160); v161 = kli::cache::base; if ( kli::cache::base == 4116 ) { v162 = kli::detail::get_kernel_base(); v320[0] = 3786i64; v319 = 3596i64; v163 = _mm_load_si128((const __m128i *)&_xmm); for ( mm = 1i64; mm != 33; mm += 2i64 ) { *(__m128i *)&v320[mm + 1] = v163; v163 = _mm_add_epi8(v163, v17); } v165 = 8i64; v166 = 0; v167 = 0; do { v168 = *((_BYTE *)&v320[1] + v165); v169 = v167; v166 += *((_BYTE *)v320 + 
v167) + v168; *((_BYTE *)&v320[1] + v165) = *((_BYTE *)&v320[2] + v166); *((_BYTE *)&v320[2] + v166) = v168; ++v167; if ( v169 >= 7 ) v167 = 0; ++v165; } while ( v165 != 264 ); v170 = 0i64; LOBYTE(v171) = 0; v172 = 0; do { v171 = (unsigned __int8)(v171 + 1); v173 = *((_BYTE *)&v320[2] + v171); v172 += v173; v174 = *((_BYTE *)&v320[2] + v172); *((_BYTE *)&v320[2] + v171) = v174; *((_BYTE *)&v320[2] + v172) = v173; *((_BYTE *)&v320[-1] + v170++) ^= *((_BYTE *)&v320[2] + (unsigned __int8)(v173 + v174)); } while ( v170 != 8 ); v161 = v319 ^ v162; kli::cache::base = v161; } v320[0] = 3786i64; v319 = 3596i64; v175 = _mm_load_si128((const __m128i *)&_xmm); for ( nn = 1i64; nn != 33; nn += 2i64 ) { *(__m128i *)&v320[nn + 1] = v175; v175 = _mm_add_epi8(v175, v17); } v177 = 8i64; v178 = 0; v179 = 0; do { v180 = *((_BYTE *)&v320[1] + v177); v181 = v179; v178 += *((_BYTE *)v320 + v179) + v180; *((_BYTE *)&v320[1] + v177) = *((_BYTE *)&v320[2] + v178); *((_BYTE *)&v320[2] + v178) = v180; ++v179; if ( v181 >= 7 ) v179 = 0; ++v177; } while ( v177 != 264 ); v182 = 0i64; LOBYTE(v183) = 0; v184 = 0; do { v183 = (unsigned __int8)(v183 + 1); v185 = *((_BYTE *)&v320[2] + v183); v184 += v185; v186 = *((_BYTE *)&v320[2] + v184); *((_BYTE *)&v320[2] + v183) = v186; *((_BYTE *)&v320[2] + v184) = v185; *((_BYTE *)&v320[-1] + v182++) ^= *((_BYTE *)&v320[2] + (unsigned __int8)(v185 + v186)); } while ( v182 != 8 ); v187 = v319; v320[0] = 3786i64; v319 = 3596i64; v188 = _mm_load_si128((const __m128i *)&_xmm); for ( i1 = 1i64; i1 != 33; i1 += 2i64 ) { *(__m128i *)&v320[i1 + 1] = v188; v188 = _mm_add_epi8(v188, v17); } v190 = 8i64; v191 = 0; v192 = 0; do { v193 = *((_BYTE *)&v320[1] + v190); v194 = v192; v191 += *((_BYTE *)v320 + v192) + v193; *((_BYTE *)&v320[1] + v190) = *((_BYTE *)&v320[2] + v191); *((_BYTE *)&v320[2] + v191) = v193; ++v192; if ( v194 >= 7 ) v192 = 0; ++v190; } while ( v190 != 264 ); v195 = 0i64; LOBYTE(v196) = 0; v197 = 0; do { v196 = (unsigned __int8)(v196 + 1); v198 = 
*((_BYTE *)&v320[2] + v196); v197 += v198; v199 = *((_BYTE *)&v320[2] + v197); *((_BYTE *)&v320[2] + v196) = v199; *((_BYTE *)&v320[2] + v197) = v198; *((_BYTE *)&v320[-1] + v195++) ^= *((_BYTE *)&v320[2] + (unsigned __int8)(v198 + v199)); } while ( v195 != 8 ); v200 = v319; v201 = *(int *)((v161 ^ v187) + 0x3C); v320[0] = 3786i64; v319 = 3596i64; v202 = _mm_load_si128((const __m128i *)&_xmm); for ( i2 = 1i64; i2 != 33; i2 += 2i64 ) { *(__m128i *)&v320[i2 + 1] = v202; v202 = _mm_add_epi8(v202, v17); } v204 = v161 ^ v200; v205 = 8i64; v206 = 0; v207 = 0; do { v208 = *((_BYTE *)&v320[1] + v205); v209 = v207; v206 += *((_BYTE *)v320 + v207) + v208; *((_BYTE *)&v320[1] + v205) = *((_BYTE *)&v320[2] + v206); *((_BYTE *)&v320[2] + v206) = v208; ++v207; if ( v209 >= 7 ) v207 = 0; ++v205; } while ( v205 != 264 ); v210 = 0i64; LOBYTE(v211) = 0; v212 = 0; do { v211 = (unsigned __int8)(v211 + 1); v213 = *((_BYTE *)&v320[2] + v211); v212 += v213; v214 = *((_BYTE *)&v320[2] + v212); *((_BYTE *)&v320[2] + v211) = v214; *((_BYTE *)&v320[2] + v212) = v213; *((_BYTE *)&v320[-1] + v210++) ^= *((_BYTE *)&v320[2] + (unsigned __int8)(v213 + v214)); } while ( v210 != 8 ); v215 = v319; v216 = *(unsigned int *)(v204 + v201 + 136); v320[0] = 3786i64; v319 = 3596i64; v217 = _mm_load_si128((const __m128i *)&_xmm); for ( i3 = 1i64; i3 != 33; i3 += 2i64 ) { *(__m128i *)&v320[i3 + 1] = v217; v217 = _mm_add_epi8(v217, v17); } v219 = v161 ^ v215; v220 = 8i64; v221 = 0; v222 = 0; do { v223 = *((_BYTE *)&v320[1] + v220); v224 = v222; v221 += *((_BYTE *)v320 + v222) + v223; *((_BYTE *)&v320[1] + v220) = *((_BYTE *)&v320[2] + v221); *((_BYTE *)&v320[2] + v221) = v223; ++v222; if ( v224 >= 7 ) v222 = 0; ++v220; } while ( v220 != 264 ); v225 = 0i64; LOBYTE(v226) = 0; v227 = 0; do { v226 = (unsigned __int8)(v226 + 1); v228 = *((_BYTE *)&v320[2] + v226); v227 += v228; v229 = *((_BYTE *)&v320[2] + v227); *((_BYTE *)&v320[2] + v226) = v229; *((_BYTE *)&v320[2] + v227) = v228; *((_BYTE *)&v320[-1] + v225++) 
^= *((_BYTE *)&v320[2] + (unsigned __int8)(v228 + v229)); } while ( v225 != 8 ); v230 = v319; v231 = *(unsigned int *)(v219 + v216 + 28); v320[0] = 3786i64; v319 = 3596i64; v232 = _mm_load_si128((const __m128i *)&_xmm); for ( i4 = 1i64; i4 != 33; i4 += 2i64 ) { *(__m128i *)&v320[i4 + 1] = v232; v232 = _mm_add_epi8(v232, v17); } v234 = v161 ^ v230; v235 = 8i64; v236 = 0; v237 = 0; do { v238 = *((_BYTE *)&v320[1] + v235); v239 = v237; v236 += *((_BYTE *)v320 + v237) + v238; *((_BYTE *)&v320[1] + v235) = *((_BYTE *)&v320[2] + v236); *((_BYTE *)&v320[2] + v236) = v238; ++v237; if ( v239 >= 7 ) v237 = 0; ++v235; } while ( v235 != 264 ); v240 = 0i64; LOBYTE(v241) = 0; v242 = 0; do { v241 = (unsigned __int8)(v241 + 1); v243 = *((_BYTE *)&v320[2] + v241); v242 += v243; v244 = *((_BYTE *)&v320[2] + v242); *((_BYTE *)&v320[2] + v241) = v244; *((_BYTE *)&v320[2] + v242) = v243; *((_BYTE *)&v320[-1] + v240++) ^= *((_BYTE *)&v320[2] + (unsigned __int8)(v243 + v244)); } while ( v240 != 8 ); v245 = v319; v246 = *(unsigned int *)(v216 + v219 + 32); v320[0] = 3786i64; v319 = 3596i64; v247 = _mm_load_si128((const __m128i *)&_xmm); for ( i5 = 1i64; i5 != 33; i5 += 2i64 ) { *(__m128i *)&v320[i5 + 1] = v247; v247 = _mm_add_epi8(v247, v17); } v249 = v246 + (v161 ^ v245); v250 = 8i64; v251 = 0; v252 = 0; do { v253 = *((_BYTE *)&v320[1] + v250); v254 = v252; v251 += *((_BYTE *)v320 + v252) + v253; *((_BYTE *)&v320[1] + v250) = *((_BYTE *)&v320[2] + v251); *((_BYTE *)&v320[2] + v251) = v253; ++v252; if ( v254 >= 7 ) v252 = 0; ++v250; } while ( v250 != 264 ); v255 = v231 + v234; v256 = 0i64; LOBYTE(v257) = 0; v258 = 0; do { v257 = (unsigned __int8)(v257 + 1); v259 = *((_BYTE *)&v320[2] + v257); v258 += v259; v260 = *((_BYTE *)&v320[2] + v258); *((_BYTE *)&v320[2] + v257) = v260; *((_BYTE *)&v320[2] + v258) = v259; *((_BYTE *)&v320[-1] + v256++) ^= *((_BYTE *)&v320[2] + (unsigned __int8)(v259 + v260)); } while ( v256 != 8 ); v261 = *(unsigned int *)(v216 + v219 + 24); v262 = 0i64; if ( 
*(_DWORD *)(v216 + v219 + 24) ) { v322 = (v161 ^ v319) + *(unsigned int *)(v216 + v219 + 36); v263 = _mm_load_si128((const __m128i *)&_xmm); v264 = 0i64; while ( 1 ) { v320[0] = 3786i64; v319 = 3596i64; v265 = 1i64; v266 = v263; do { *(__m128i *)&v320[v265 + 1] = v266; v266 = _mm_add_epi8(v266, v17); v265 += 2i64; } while ( v265 != 33 ); v267 = 0; v268 = 8i64; v269 = 0; do { v270 = *((_BYTE *)&v320[1] + v268); v271 = v269; v267 += *((_BYTE *)v320 + v269) + v270; *((_BYTE *)&v320[1] + v268) = *((_BYTE *)&v320[2] + v267); *((_BYTE *)&v320[2] + v267) = v270; ++v269; if ( v271 >= 7 ) v269 = 0; ++v268; } while ( v268 != 264 ); v272 = 0i64; LOBYTE(v273) = 0; v274 = 0; do { v273 = (unsigned __int8)(v273 + 1); v275 = *((_BYTE *)&v320[2] + v273); v274 += v275; v276 = *((_BYTE *)&v320[2] + v274); *((_BYTE *)&v320[2] + v273) = v276; *((_BYTE *)&v320[2] + v274) = v275; *((_BYTE *)&v320[-1] + v272++) ^= *((_BYTE *)&v320[2] + (unsigned __int8)(v275 + v276)); } while ( v272 != 8 ); v277 = *(unsigned int *)(v249 + 4 * v264); v278 = *(_BYTE *)((v161 ^ v319) + v277); if ( v278 ) { v279 = (char *)(v277 + (v161 ^ v319) + 1); v280 = 0xCBF29CE4843FCD9Fui64; do { v280 = 0x100000001B3i64 * (v278 ^ (unsigned __int64)v280); v278 = *v279++; } while ( v278 ); if ( v280 == 0xCC1730B76CA73B5Aui64 ) break; } if ( ++v264 == v261 ) goto LABEL_192; } v320[0] = 3786i64; v319 = 3596i64; v281 = _mm_load_si128((const __m128i *)&_xmm); for ( i6 = 1i64; i6 != 33; i6 += 2i64 ) { *(__m128i *)&v320[i6 + 1] = v281; v281 = _mm_add_epi8(v281, v17); } v283 = 8i64; v284 = 0; v285 = 0; do { v286 = *((_BYTE *)&v320[1] + v283); v287 = v285; v284 += *((_BYTE *)v320 + v285) + v286; *((_BYTE *)&v320[1] + v283) = *((_BYTE *)&v320[2] + v284); *((_BYTE *)&v320[2] + v284) = v286; ++v285; if ( v287 >= 7 ) v285 = 0; ++v283; } while ( v283 != 264 ); v288 = 0i64; LOBYTE(v289) = 0; v290 = 0; do { v289 = (unsigned __int8)(v289 + 1); v291 = *((_BYTE *)&v320[2] + v289); v290 += v291; v292 = *((_BYTE *)&v320[2] + v290); *((_BYTE 
*)&v320[2] + v289) = v292; *((_BYTE *)&v320[2] + v290) = v291; *((_BYTE *)&v320[-1] + v288++) ^= *((_BYTE *)&v320[2] + (unsigned __int8)(v291 + v292)); } while ( v288 != 8 ); v293 = v319; v294 = *(unsigned int *)(v255 + 4i64 * *(unsigned __int16 *)(v322 + 2i64 * (unsigned int)v264)); v320[0] = 3596i64; v319 = 3786i64; v295 = _mm_load_si128((const __m128i *)&_xmm); for ( i7 = 1i64; i7 != 33; i7 += 2i64 ) { *(__m128i *)&v320[i7 + 1] = v295; v295 = _mm_add_epi8(v295, v17); } v297 = 8i64; v298 = 0; v299 = 0; do { v300 = *((_BYTE *)&v320[1] + v297); v301 = v299; v298 += *((_BYTE *)v320 + v299) + v300; *((_BYTE *)&v320[1] + v297) = *((_BYTE *)&v320[2] + v298); *((_BYTE *)&v320[2] + v298) = v300; ++v299; if ( v301 >= 7 ) v299 = 0; ++v297; } while ( v297 != 264 ); v302 = 0i64; LOBYTE(v303) = 0; v304 = 0; do { v303 = (unsigned __int8)(v303 + 1); v305 = *((_BYTE *)&v320[2] + v303); v304 += v305; v306 = *((_BYTE *)&v320[2] + v304); *((_BYTE *)&v320[2] + v303) = v306; *((_BYTE *)&v320[2] + v304) = v305; *((_BYTE *)&v320[-1] + v302++) ^= *((_BYTE *)&v320[2] + (unsigned __int8)(v305 + v306)); } while ( v302 != 8 ); v262 = v319 ^ (v294 + (v161 ^ v293)); } LABEL_192: v320[0] = 3596i64; v319 = 3786i64; v307 = _mm_load_si128((const __m128i *)&_xmm); for ( i8 = 1i64; i8 != 33; i8 += 2i64 ) { *(__m128i *)&v320[i8 + 1] = v307; v307 = _mm_add_epi8(v307, v17); } v309 = 8i64; v310 = 0; v311 = 0; do { v312 = *((_BYTE *)&v320[1] + v309); v313 = v311; v310 += *((_BYTE *)v320 + v311) + v312; *((_BYTE *)&v320[1] + v309) = *((_BYTE *)&v320[2] + v310); *((_BYTE *)&v320[2] + v310) = v312; ++v311; if ( v313 >= 7 ) v311 = 0; ++v309; } while ( v309 != 264 ); v314 = 0i64; LOBYTE(v315) = 0; v316 = 0; do { v315 = (unsigned __int8)(v315 + 1); v317 = *((_BYTE *)&v320[2] + v315); v316 += v317; v318 = *((_BYTE *)&v320[2] + v316); *((_BYTE *)&v320[2] + v315) = v318; *((_BYTE *)&v320[2] + v316) = v317; *((_BYTE *)&v320[-1] + v314++) ^= *((_BYTE *)&v320[2] + (unsigned __int8)(v317 + v318)); } while ( v314 != 
8 ); ((void (__fastcall *)(unsigned __int16 *, __int64))(v319 ^ v262))(v321, 1701736270i64); } }
```

## Example2

```C++
auto pAddr = KLI_CACHED_CALL(ExAllocatePoolWithTag, NonPagedPool, PAGE_SIZE, 'x1x1');
if (pAddr) {
    dprintf("test_cached:pAddr=%p\n", pAddr);
    KLI_CACHED_CALL(ExFreePoolWithTag, pAddr, 'x1x1');
}
```

## Output2

Decompiler pseudo-code for Example2. Unlike Output1 there is no export-directory walk: the masked address is read from the per-import globals (`KLIExAllocatePoolWithTag`, `KLIExFreePoolWithTag`) and only the key schedule plus the XOR unmask run before each indirect call, using the same two key words as Output1.

```C++
void test_cached(void) { unsigned __int64 v0; // rax __m128i si128; // xmm0 __int64 v2; // rcx __m128i v3; // xmm6 __int64 v4; // rdx unsigned __int8 v5; // r8 int v6; // r9d char v7; // r10 int v8; // r11d __int64 v9; // rcx __int64 v10; // rdx unsigned __int8 v11; // r8 char v12; // r9 char v13; // r11 const void *v14; // rax const void *v15; // rsi unsigned __int64 v16; // rax __m128i v17; // xmm0 __int64 i; // rcx __int64 v19; // rdx unsigned __int8 v20; // r8 int v21; // r9d char v22; // r10 int v23; // r11d __int64 v24; // rcx __int64 v25; // rdx unsigned __int8 v26; // r8 char v27; // r9 char v28; // r11 __int64 v29; // [rsp+28h] [rbp-58h] __int64 v30[34]; // [rsp+30h] [rbp-50h] v0 = (unsigned __int64)KLIExAllocatePoolWithTag; v30[0] = 3596i64; v29 = 3786i64; si128 = _mm_load_si128((const __m128i *)&_xmm); v2 = 1i64; v3 = _mm_load_si128((const __m128i *)&_xmm); do { *(__m128i *)&v30[v2 + 1] = si128; si128 = _mm_add_epi8(si128, v3); v2 += 2i64; } while ( v2 != 33 ); v4 = 8i64; v5 = 0; v6 = 0; do { v7 = *((_BYTE *)&v30[1] + v4); v8 = v6; v5 += *((_BYTE *)v30 + v6) + v7; *((_BYTE *)&v30[1] + v4) = *((_BYTE *)&v30[2] + v5); *((_BYTE *)&v30[2] + v5) = v7; ++v6; if ( v8 >= 7 ) v6 = 0; ++v4; } while ( v4 != 264 ); v9 = 0i64; LOBYTE(v10) = 0; v11 = 0; do { v10 = (unsigned __int8)(v10 + 1); v12 = *((_BYTE *)&v30[2] + v10); v11 += v12; v13 = *((_BYTE *)&v30[2] + v11); *((_BYTE *)&v30[2] + v10) = v13; *((_BYTE *)&v30[2] + v11) = v12; *((_BYTE *)&v30[-1] + v9++) ^= *((_BYTE *)&v30[2] + (unsigned __int8)(v12 + v13)); } while ( v9 != 8 ); v14 = (const void *)((__int64 (__fastcall *)(_QWORD, __int64, __int64))(v29 ^ v0))(0i64, 4096i64,
2016507953i64); if ( v14 ) { v15 = v14; DbgPrintEx(0x4Du, 0, "test_cached:pAddr=%p\n", v14); v16 = (unsigned __int64)KLIExFreePoolWithTag; v30[0] = 3596i64; v29 = 3786i64; v17 = _mm_load_si128((const __m128i *)&_xmm); for ( i = 1i64; i != 33; i += 2i64 ) { *(__m128i *)&v30[i + 1] = v17; v17 = _mm_add_epi8(v17, v3); } v19 = 8i64; v20 = 0; v21 = 0; do { v22 = *((_BYTE *)&v30[1] + v19); v23 = v21; v20 += *((_BYTE *)v30 + v21) + v22; *((_BYTE *)&v30[1] + v19) = *((_BYTE *)&v30[2] + v20); *((_BYTE *)&v30[2] + v20) = v22; ++v21; if ( v23 >= 7 ) v21 = 0; ++v19; } while ( v19 != 264 ); v24 = 0i64; LOBYTE(v25) = 0; v26 = 0; do { v25 = (unsigned __int8)(v25 + 1); v27 = *((_BYTE *)&v30[2] + v25); v26 += v27; v28 = *((_BYTE *)&v30[2] + v26); *((_BYTE *)&v30[2] + v25) = v28; *((_BYTE *)&v30[2] + v26) = v27; *((_BYTE *)&v30[-1] + v24++) ^= *((_BYTE *)&v30[2] + (unsigned __int8)(v27 + v28)); } while ( v24 != 8 ); ((void (__fastcall *)(const void *, __int64))(v29 ^ v16))(v15, 2016507953i64); } }
```

## Compile

- Visual Studio 2022 & WDK10
- llvm-msvc [[link]](https://github.com/NewWorldComingSoon/llvm-msvc-build)

## Credit

- https://github.com/hypervisor/kli (the original kernel lazy importer this project extends)

## Some discussions on UnknownCheats

- https://www.unknowncheats.me/forum/general-programming-and-reversing/571397-expanding-kernel-lazy-importer-kli-ex.html