flowchart LR
AfdAccept-4-old<--Match 17%-->AfdAccept-4-new
subgraph afd.sys
AfdAccept-4-new
end
subgraph afd.sys
AfdAccept-4-old
subgraph Deleted
direction LR
Feature_3464771897__private_IsEnabledDeviceUsageNoInline
Feature_3464771897__private_IsEnabledFallback
end
end
pie showData
title Function Matches - 99.9343%
"unmatched_funcs_len" : 2
"matched_funcs_len" : 3042
pie showData
title Matched Function Similarity - 99.7370%
"matched_funcs_with_code_changes_len" : 1
"matched_funcs_with_non_code_changes_len" : 7
"matched_funcs_no_changes_len" : 3034
ghidriff --project-location ghidra_projects --project-name ghidriff --symbols-path symbols --threaded --log-level INFO --file-log-level INFO --log-path ghidriff.log --min-func-len 10 --gdt [] --bsim --max-ram-percent 60.0 --max-section-funcs 200 afd.sys afd.sys
--old ['ai/01jan/afd.sys'] --new [['ai/02feb/afd.sys']] --engine VersionTrackingDiff --output-path ai_out/ --summary False --project-location ghidra_projects --project-name ghidriff --symbols-path symbols --threaded True --force-analysis False --force-diff False --no-symbols False --log-level INFO --file-log-level INFO --log-path ghidriff.log --va False --min-func-len 10 --use-calling-counts False --gdt [] --bsim True --bsim-full False --max-ram-percent 60.0 --print-flags False --jvm-args None --side-by-side False --max-section-funcs 200 --md-title None
wget https://msdl.microsoft.com/download/symbols/afd.sys/6907B869AF000/afd.sys -O afd.sys.x64.10.0.26100.3037
wget https://msdl.microsoft.com/download/symbols/afd.sys/8562F3E7AF000/afd.sys -O afd.sys.x64.10.0.26100.3194
--- afd.sys Meta
+++ afd.sys Meta
@@ -1,44 +1,44 @@
Program Name: afd.sys
Language ID: x86:LE:64:default (4.1)
Compiler ID: windows
Processor: x86
Endian: Little
Address Size: 64
Minimum Address: 1c0000000
Maximum Address: ff0000184f
# of Bytes: 723024
# of Memory Blocks: 17
-# of Instructions: 111466
-# of Defined Data: 4341
-# of Functions: 1521
-# of Symbols: 13778
-# of Data Types: 387
+# of Instructions: 111470
+# of Defined Data: 4349
+# of Functions: 1523
+# of Symbols: 13725
+# of Data Types: 398
# of Data Type Categories: 24
Analyzed: true
Compiler: visualstudio:unknown
Created With Ghidra Version: 11.3
-Date Created: Wed Feb 12 13:59:52 CET 2025
+Date Created: Wed Feb 12 13:59:53 CET 2025
Executable Format: Portable Executable (PE)
-Executable Location: /home/b/ai/01jan/afd.sys
-Executable MD5: d3032ac089a85009adab8d2250eefd56
-Executable SHA256: b5db5d55c17f45ec87034ed44b763ec7390b41a3d3334e590ac6466cfb8501ab
-FSRL: file:///home/b/ai/01jan/afd.sys?MD5=d3032ac089a85009adab8d2250eefd56
+Executable Location: /home/b/ai/02feb/afd.sys
+Executable MD5: d41eb3ef51d47824552eca6aeb41bd4d
+Executable SHA256: 55255820bd02ff4799fe1237c812acf80e2f7b2ced3e007384c35862db1d77ef
+FSRL: file:///home/b/ai/02feb/afd.sys?MD5=d41eb3ef51d47824552eca6aeb41bd4d
PDB Age: 1
PDB File: afd.pdb
-PDB GUID: 83d96e3e-0a9e-bb3e-2b86-0dfcce4b2a7e
+PDB GUID: e0a1c932-7963-414c-c780-d3935aaa4cfb
PDB Loaded: true
PDB Version: RSDS
PE Property[CompanyName]: Microsoft Corporation
PE Property[FileDescription]: Ancillary Function Driver for WinSock
-PE Property[FileVersion]: 10.0.26100.3037 (WinBuild.160101.0800)
+PE Property[FileVersion]: 10.0.26100.3194 (WinBuild.160101.0800)
PE Property[InternalName]: afd.sys
PE Property[LegalCopyright]: © Microsoft Corporation. All rights reserved.
PE Property[OriginalFilename]: afd.sys
PE Property[ProductName]: Microsoft® Windows® Operating System
-PE Property[ProductVersion]: 10.0.26100.3037
+PE Property[ProductVersion]: 10.0.26100.3194
PE Property[Translation]: 4b00409
Preferred Root Namespace Category:
RTTI Found: false
Relocatable: true
SectionAlignment: 4096
Should Ask To Analyze: false
Ghidra afd.sys Decompiler Options
| Decompiler Option | Value |
|---|---|
| Prototype Evaluation | __fastcall |
Ghidra afd.sys Specification extensions Options
| Specification extensions Option | Value |
|---|---|
| FormatVersion | 0 |
| VersionCounter | 0 |
Ghidra afd.sys Analyzers Options
| Analyzers Option | Value |
|---|---|
| ASCII Strings | true |
| ASCII Strings.Create Strings Containing Existing Strings | true |
| ASCII Strings.Create Strings Containing References | true |
| ASCII Strings.Force Model Reload | false |
| ASCII Strings.Minimum String Length | LEN_5 |
| ASCII Strings.Model File | StringModel.sng |
| ASCII Strings.Require Null Termination for String | true |
| ASCII Strings.Search Only in Accessible Memory Blocks | true |
| ASCII Strings.String Start Alignment | ALIGN_1 |
| ASCII Strings.String end alignment | 4 |
| Aggressive Instruction Finder | false |
| Aggressive Instruction Finder.Create Analysis Bookmarks | true |
| Apply Data Archives | true |
| Apply Data Archives.Archive Chooser | [Auto-Detect] |
| Apply Data Archives.Create Analysis Bookmarks | true |
| Apply Data Archives.GDT User File Archive Path | None |
| Apply Data Archives.User Project Archive Path | None |
| Call Convention ID | true |
| Call Convention ID.Analysis Decompiler Timeout (sec) | 60 |
| Call-Fixup Installer | true |
| Condense Filler Bytes | false |
| Condense Filler Bytes.Filler Value | Auto |
| Condense Filler Bytes.Minimum number of sequential bytes | 1 |
| Create Address Tables | true |
| Create Address Tables.Allow Offcut References | false |
| Create Address Tables.Auto Label Table | false |
| Create Address Tables.Create Analysis Bookmarks | true |
| Create Address Tables.Maxmimum Pointer Distance | 16777215 |
| Create Address Tables.Minimum Pointer Address | 4132 |
| Create Address Tables.Minimum Table Size | 2 |
| Create Address Tables.Pointer Alignment | 1 |
| Create Address Tables.Relocation Table Guide | true |
| Create Address Tables.Table Alignment | 4 |
| Data Reference | true |
| Data Reference.Address Table Alignment | 1 |
| Data Reference.Address Table Minimum Size | 2 |
| Data Reference.Align End of Strings | false |
| Data Reference.Ascii String References | true |
| Data Reference.Create Address Tables | true |
| Data Reference.Minimum String Length | 5 |
| Data Reference.References to Pointers | true |
| Data Reference.Relocation Table Guide | true |
| Data Reference.Respect Execute Flag | true |
| Data Reference.Subroutine References | true |
| Data Reference.Switch Table References | false |
| Data Reference.Unicode String References | true |
| Decompiler Parameter ID | true |
| Decompiler Parameter ID.Analysis Clear Level | ANALYSIS |
| Decompiler Parameter ID.Analysis Decompiler Timeout (sec) | 60 |
| Decompiler Parameter ID.Commit Data Types | true |
| Decompiler Parameter ID.Commit Void Return Values | false |
| Decompiler Parameter ID.Prototype Evaluation | __fastcall |
| Decompiler Switch Analysis | true |
| Decompiler Switch Analysis.Analysis Decompiler Timeout (sec) | 60 |
| Demangler Microsoft | true |
| Demangler Microsoft.Apply Function Calling Conventions | true |
| Demangler Microsoft.Apply Function Signatures | true |
| Demangler Microsoft.C-Style Symbol Interpretation | FUNCTION_IF_EXISTS |
| Demangler Microsoft.Demangle Only Known Mangled Symbols | false |
| Disassemble Entry Points | true |
| Disassemble Entry Points.Respect Execute Flag | true |
| Embedded Media | true |
| Embedded Media.Create Analysis Bookmarks | true |
| External Entry References | true |
| Function ID | true |
| Function ID.Always Apply FID Labels | false |
| Function ID.Create Analysis Bookmarks | true |
| Function ID.Instruction Count Threshold | 14.6 |
| Function ID.Multiple Match Threshold | 30.0 |
| Function Start Search | true |
| Function Start Search.Bookmark Functions | false |
| Function Start Search.Search Data Blocks | false |
| Non-Returning Functions - Discovered | true |
| Non-Returning Functions - Discovered.Create Analysis Bookmarks | true |
| Non-Returning Functions - Discovered.Function Non-return Threshold | 3 |
| Non-Returning Functions - Discovered.Repair Flow Damage | true |
| Non-Returning Functions - Known | true |
| Non-Returning Functions - Known.Create Analysis Bookmarks | true |
| PDB MSDIA | false |
| PDB MSDIA.Search untrusted symbol servers | false |
| PDB Universal | true |
| PDB Universal.Import Source Line Info | true |
| PDB Universal.Search untrusted symbol servers | false |
| Reference | true |
| Reference.Address Table Alignment | 1 |
| Reference.Address Table Minimum Size | 2 |
| Reference.Align End of Strings | false |
| Reference.Ascii String References | true |
| Reference.Create Address Tables | true |
| Reference.Minimum String Length | 5 |
| Reference.References to Pointers | true |
| Reference.Relocation Table Guide | true |
| Reference.Respect Execute Flag | true |
| Reference.Subroutine References | true |
| Reference.Switch Table References | false |
| Reference.Unicode String References | true |
| Scalar Operand References | true |
| Scalar Operand References.Relocation Table Guide | true |
| Shared Return Calls | true |
| Shared Return Calls.Allow Conditional Jumps | false |
| Shared Return Calls.Assume Contiguous Functions Only | true |
| Stack | true |
| Stack.Create Local Variables | true |
| Stack.Create Param Variables | false |
| Stack.useNewFunctionStackAnalysis | true |
| Subroutine References | true |
| Subroutine References.Create Thunks Early | true |
| Variadic Function Signature Override | false |
| Variadic Function Signature Override.Create Analysis Bookmarks | false |
| Windows x86 PE Exception Handling | true |
| Windows x86 PE RTTI Analyzer | true |
| Windows x86 Thread Environment Block (TEB) Analyzer | true |
| Windows x86 Thread Environment Block (TEB) Analyzer.Starting Address of the TEB | |
| Windows x86 Thread Environment Block (TEB) Analyzer.Windows OS Version | Windows 7 |
| WindowsPE x86 Propagate External Parameters | false |
| WindowsResourceReference | true |
| WindowsResourceReference.Create Analysis Bookmarks | true |
| x86 Constant Reference Analyzer | true |
| x86 Constant Reference Analyzer.Create Data from pointer | false |
| x86 Constant Reference Analyzer.Function parameter/return Pointer analysis | true |
| x86 Constant Reference Analyzer.Max Threads | 2 |
| x86 Constant Reference Analyzer.Min absolute reference | 4 |
| x86 Constant Reference Analyzer.Require pointer param data type | false |
| x86 Constant Reference Analyzer.Speculative reference max | 256 |
| x86 Constant Reference Analyzer.Speculative reference min | 1024 |
| x86 Constant Reference Analyzer.Stored Value Pointer analysis | true |
| x86 Constant Reference Analyzer.Trust values read from writable memory | true |
| Stat | Value |
|---|---|
| added_funcs_len | 0 |
| deleted_funcs_len | 2 |
| modified_funcs_len | 8 |
| added_symbols_len | 4 |
| deleted_symbols_len | 1 |
| diff_time | 6.412733316421509 |
| deleted_strings_len | 0 |
| added_strings_len | 0 |
| match_types | Counter({'SymbolsHash': 1520, 'ExternalsName': 318}) |
| items_to_process | 15 |
| diff_types | Counter({'refcount': 7, 'address': 6, 'calling': 5, 'code': 1, 'length': 1, 'called': 1}) |
| unmatched_funcs_len | 2 |
| total_funcs_len | 3044 |
| matched_funcs_len | 3042 |
| matched_funcs_with_code_changes_len | 1 |
| matched_funcs_with_non_code_changes_len | 7 |
| matched_funcs_no_changes_len | 3034 |
| match_func_similarity_percent | 99.7370% |
| func_match_overall_percent | 99.9343% |
| first_matches | Counter({'SymbolsHash': 1520}) |
pie showData
title All Matches
"SymbolsHash" : 1520
"ExternalsName" : 318
pie showData
title First Matches
"SymbolsHash" : 1520
pie showData
title Diff Stats
"added_funcs_len" : 0
"deleted_funcs_len" : 2
"modified_funcs_len" : 8
pie showData
title Symbols
"added_symbols_len" : 4
"deleted_symbols_len" : 1
No string differences found
| Key | afd.sys |
|---|---|
| name | Feature_3464771897__private_IsEnabledDeviceUsageNoInline |
| fullname | Feature_3464771897__private_IsEnabledDeviceUsageNoInline |
| refcount | 2 |
| length | 49 |
| called | Feature_3464771897__private_IsEnabledFallback |
| calling | AfdAccept |
| paramcount | 0 |
| address | 1c0040d90 |
| sig | ulonglong __fastcall Feature_3464771897__private_IsEnabledDeviceUsageNoInline(void) |
| sym_type | Function |
| sym_source | IMPORTED |
| external | False |
--- Feature_3464771897__private_IsEnabledDeviceUsageNoInline
+++ Feature_3464771897__private_IsEnabledDeviceUsageNoInline
@@ -1,17 +0,0 @@
-
-ulonglong Feature_3464771897__private_IsEnabledDeviceUsageNoInline(void)
-
-{
- ulonglong uVar1;
- undefined8 local_res8;
-
- local_res8 = (ulonglong)Feature_3464771897__private_featureState;
- if ((Feature_3464771897__private_featureState & 0x10) == 0) {
- uVar1 = Feature_3464771897__private_IsEnabledFallback(local_res8,3);
- }
- else {
- uVar1 = (ulonglong)(Feature_3464771897__private_featureState & 1);
- }
- return uVar1;
-}
-
| Key | afd.sys |
|---|---|
| name | Feature_3464771897__private_IsEnabledFallback |
| fullname | Feature_3464771897__private_IsEnabledFallback |
| refcount | 2 |
| length | 21 |
| called | wil_details_IsEnabledFallback |
| calling | Feature_3464771897__private_IsEnabledDeviceUsageNoInline |
| paramcount | 2 |
| address | 1c0040dc8 |
| sig | undefined __fastcall Feature_3464771897__private_IsEnabledFallback(ulonglong param_1, int param_2) |
| sym_type | Function |
| sym_source | IMPORTED |
| external | False |
--- Feature_3464771897__private_IsEnabledFallback
+++ Feature_3464771897__private_IsEnabledFallback
@@ -1,8 +0,0 @@
-
-void Feature_3464771897__private_IsEnabledFallback(ulonglong param_1,int param_2)
-
-{
- wil_details_IsEnabledFallback(param_1,param_2,&Feature_3464771897__private_descriptor);
- return;
-}
-
Modified functions contain code changes
| Key | afd.sys - afd.sys |
|---|---|
| diff_type | code,length,address,called |
| ratio | 0.05 |
| i_ratio | 0.22 |
| m_ratio | 0.98 |
| b_ratio | 0.17 |
| match_types | SymbolsHash |
| Key | afd.sys | afd.sys |
|---|---|---|
| name | AfdAccept | AfdAccept |
| fullname | AfdAccept | AfdAccept |
| refcount | 3 | 3 |
length |
1969 | 1730 |
called |
Expand for full list:NTOSKRNL.EXE::ExAllocatePool2 |
Expand for full list:NTOSKRNL.EXE::ExAllocatePool2 |
| calling | ||
| paramcount | 4 | 4 |
address |
1c00242c0 | 1c0039680 |
| sig | int __fastcall AfdAccept(longlong param_1, longlong param_2, undefined8 param_3, undefined8 param_4) | int __fastcall AfdAccept(longlong param_1, longlong param_2, undefined8 param_3, undefined8 param_4) |
| sym_type | Function | Function |
| sym_source | IMPORTED | IMPORTED |
| external | False | False |
--- AfdAccept called
+++ AfdAccept called
@@ -6 +6 @@
-AfdNotifyPostEvents
+AfdNotifySockIndicateEventsUnlock
@@ -11 +11 @@
-NTOSKRNL.EXE::ExAcquireRundownProtection
+Feature_3464771897__private_IsEnabledDeviceUsageNoInline
@@ -14 +13,0 @@
-NTOSKRNL.EXE::ExReleaseRundownProtection--- AfdAccept
+++ AfdAccept
@@ -1,268 +1,336 @@
-/* WARNING: Function: _guard_dispatch_icall replaced with injection: guard_dispatch_icall */
-/* WARNING: Globals starting with '_' overlap smaller symbols at the same address */
-
-int AfdAccept(longlong param_1,longlong param_2,undefined8 param_3,longlong ******param_4)
+int AfdAccept(longlong param_1,longlong param_2,undefined8 param_3,undefined8 param_4)
{
- longlong *plVar1;
- longlong ******pppppplVar2;
- longlong lVar3;
- longlong ****pppplVar4;
- undefined1 uVar5;
- short sVar6;
- ushort uVar7;
- longlong ******pppppplVar8;
- ulonglong uVar9;
- undefined8 uVar10;
- code *pcVar11;
- int extraout_EAX;
- char *in_RAX;
- uint uVar12;
- longlong *****ppppplVar13;
- longlong *****ppppplVar14;
- longlong *****ppppplVar15;
- char cVar16;
- longlong unaff_RBX;
- longlong unaff_RBP;
- undefined2 *unaff_RSI;
- longlong ******unaff_RDI;
- undefined4 unaff_R15D;
- undefined8 uVar17;
- int in_stack_00000060;
+ uint *puVar1;
+ byte *pbVar2;
+ uint uVar3;
+ short *psVar4;
+ undefined1 *puVar5;
+ char *pcVar6;
+ code *pcVar7;
+ undefined2 *puVar8;
+ char cVar9;
+ int iVar10;
+ uint uVar11;
+ undefined1 *puVar12;
+ undefined8 uVar13;
+ ulonglong uVar14;
+ longlong *plVar15;
+ int *piVar16;
+ undefined8 *puVar17;
+ longlong *plVar18;
+ undefined4 uVar19;
+ longlong lVar20;
+ short *psVar21;
+ undefined1 *puVar22;
+ undefined4 uVar23;
+ char *pcVar24;
+ undefined2 *puVar25;
+ longlong ******pppppplVar26;
+ bool bVar27;
+ longlong local_res10;
+ char local_res18 [8];
+ undefined8 local_res20;
+ undefined8 uStackY_a0;
+ undefined1 auStackY_98 [8];
+ undefined1 auStackY_90 [24];
+ undefined8 local_68;
+ undefined8 local_50;
+ undefined8 uStack_48;
+ undefined8 local_40;
- *in_RAX = *in_RAX + (char)param_3;
- uVar10 = *(undefined8 *)(unaff_RBP + 0x30);
- KeAcquireInStackQueuedSpinLock(unaff_RDI + 6,&stack0x00000048);
- *(uint *)(unaff_RSI + 2) = *(uint *)(unaff_RSI + 2) | 0x100000;
- AfdDeleteConnectedReference(unaff_RSI,'\x01');
- KeReleaseInStackQueuedSpinLock(&stack0x00000048);
- LOCK();
- plVar1 = (longlong *)(unaff_RSI + 0x18);
- lVar3 = *plVar1;
- *plVar1 = *plVar1 + unaff_RBX;
- UNLOCK();
- if (lVar3 < 2) {
- if (lVar3 != 1) goto LAB_0;
- AfdCloseConnection(unaff_RSI);
- }
-LAB_1:
- if (((ulonglong)*unaff_RDI & 0xafd4) == 0xafd4) {
- *(undefined8 *)((longlong)register0x00000020 + -8) = 0x1c0024790;
- KeAcquireInStackQueuedSpinLock
- (unaff_RDI + 6,(undefined1 *)((longlong)register0x00000020 + 0x48));
- if (((ulonglong)*unaff_RDI & 0xafd4) == 0xafd4) {
- pppppplVar2 = unaff_RDI + 0x10;
- while (pppppplVar8 = (longlong ******)*pppppplVar2, pppppplVar8 != pppppplVar2) {
- if (((longlong ******)pppppplVar8[1] != pppppplVar2) ||
- (ppppplVar13 = *pppppplVar8, (longlong ******)ppppplVar13[1] != pppppplVar8))
- goto LAB_2;
- *pppppplVar2 = ppppplVar13;
- ppppplVar13[1] = (longlong ****)pppppplVar2;
- *pppppplVar8 = (longlong *****)0x0;
- if ((*(char *)pppppplVar8[2] == '\x0f') && (*(char *)((longlong)pppppplVar8[2] + 1) == ' '))
- {
- *(undefined8 *)((longlong)register0x00000020 + -8) = 0x1c0024bfd;
- AfdCleanupSuperAccept((longlong)(pppppplVar8 + -0x15),unaff_R15D);
+ puVar22 = auStackY_98;
+ local_50 = 0;
+ uStack_48 = 0;
+ local_40 = 0;
+ plVar15 = (longlong *)0x0;
+ psVar4 = *(short **)(*(longlong *)(param_2 + 0x30) + 0x18);
+ *(undefined8 *)(param_1 + 0x38) = 0;
+ puVar1 = (uint *)(param_2 + 0x10);
+ lVar20 = param_2;
+ cVar9 = IoIs32bitProcess();
+ if (cVar9 == '\0') {
+LAB_0:
+ if ((((*(uint *)(psVar4 + 4) & 1) == 0) || (*puVar1 < 0x10)) ||
+ (*(longlong *)(param_1 + 8) != 0)) {
+ uVar19 = 0x1772;
+ goto LAB_1;
+ }
+ pcVar6 = *(char **)(param_1 + 0x18);
+ uVar3 = *(uint *)(pcVar6 + 4);
+ if ((*pcVar6 == '\0') && (AfdSanServiceHelper != 0)) {
+ if ((DAT_2 & 1) != 0) {
+ uVar13 = PsGetCurrentProcessId();
+ WPP_SF_q(10,&WPP_1ef867f93bd9308bd10e188177b53ed9_Traceguids,uVar13);
+ }
+ iVar10 = -0x3fffff06;
+ uVar19 = 0x1773;
+ }
+ else {
+ pcVar24 = pcVar6;
+ if ((*(uint *)(psVar4 + 4) & 0x400100) == 0) {
+ LOCK();
+ *(int *)(psVar4 + 0x58) = *(int *)(psVar4 + 0x58) + 1;
+ UNLOCK();
+ pcVar24 = (char *)AfdReplenishListenBacklog((longlong)psVar4,lVar20,param_3,param_4);
+ }
+ puVar25 = (undefined2 *)
+ CONCAT71((int7)((ulonglong)param_4 >> 8),*(undefined1 *)(param_1 + 0x40));
+ uVar13 = *(undefined8 *)IoFileObjectType_exref;
+ local_68 = 0;
+ iVar10 = ObReferenceObjectByHandle
+ (*(undefined8 *)(pcVar24 + 8),*(uint *)(param_2 + 0x18) >> 0xe & 3);
+ puVar8 = puRam0000000000000018;
+ if (-1 < iVar10) {
+ if (lRam0000000000000008 == AfdDeviceObject) {
+ if ((DAT_3 & 1) != 0) {
+ uVar13 = local_68;
+ puVar25 = puRam0000000000000018;
+ WPP_SF_qqq(0xb,&WPP_1ef867f93bd9308bd10e188177b53ed9_Traceguids,0,puRam0000000000000018)
+ ;
+ }
+ LOCK();
+ bVar27 = *(int *)(puVar8 + 0xb4) == 0;
+ if (bVar27) {
+ *(int *)(puVar8 + 0xb4) = 4;
+ }
+ UNLOCK();
+ if (!bVar27) {
+ uVar23 = 0xc000000d;
+ iVar10 = -0x3ffffff3;
+ uVar19 = 0x1776;
+ goto LAB_4;
+ }
+ if ((Feature_3464771897__private_featureState & 0x10) == 0) {
+ uVar14 = Feature_3464771897__private_IsEnabledDeviceUsageNoInline();
+ uVar11 = (uint)uVar14;
+ }
+ else {
+ uVar11 = Feature_3464771897__private_featureState & 1;
+ }
+ if (((((uVar11 == 0) || ((*(byte *)(puVar8 + 3) & 1) == 0)) &&
+ ((*(longlong *)(puVar8 + 0x84) == *(longlong *)(psVar4 + 0x84) ||
+ (((*(uint *)(psVar4 + 4) & 0x200000) != 0 &&
+ (*(longlong *)(puVar8 + 0x84) == *(longlong *)(psVar4 + 0x88))))))) &&
+ (((*(uint *)(puVar8 + 4) & 0x100) == 0 || (*(char *)(puVar8 + 1) == '\x02')))) &&
+ ((((*(uint *)(puVar8 + 4) & 0x100) != 0 || (*(char *)(puVar8 + 1) == '\x01')) &&
+ (*(longlong *)(puVar8 + 0x10) == 0)))) {
+ KeAcquireInStackQueuedSpinLock(psVar4 + 0x18,&local_50);
+ uVar14 = (ulonglong)uVar3;
+ plVar15 = AfdGetReturnedConnection((longlong)psVar4,uVar3);
+ if (plVar15 == (longlong *)0x0) {
+ KeReleaseInStackQueuedSpinLock();
+ uVar19 = 0x1778;
+ goto LAB_5;
+ }
+ if (((*(uint *)(psVar4 + 4) & 0x100) == 0) && ((*(uint *)(psVar4 + 4) >> 0x16 & 1) != 0)
+ ) {
+ if ((*plVar15 & 0x200000000) == 0) {
+ piVar16 = (int *)(psVar4 + 0x58);
+ }
+ else {
+ piVar16 = (int *)(*(longlong *)(psVar4 + 0x88) + 0x30);
+ }
+ LOCK();
+ *piVar16 = *piVar16 + 1;
+ UNLOCK();
+ KeReleaseInStackQueuedSpinLock(&local_50);
+ AfdReplenishListenBacklog((longlong)psVar4,uVar14,uVar13,puVar25);
+ KeAcquireInStackQueuedSpinLock(psVar4 + 0x18,&local_50);
+ }
+ if ((char)*(uint *)((longlong)plVar15 + 4) < '\0') {
+ KeReleaseInStackQueuedSpinLock();
+ iVar10 = -0x3ffffdf3;
+ uVar23 = 0xc000020d;
+ uVar19 = 0x1779;
+ goto LAB_6;
+ }
+ if ((*(uint *)((longlong)plVar15 + 4) >> 0x1d & 1) == 0) {
+ pppppplVar26 = (longlong ******)0x0;
+ AFDETW_TRACEACCEPT(0,0x177a,psVar4,0,(ushort *)plVar15[0x13],(longlong)puVar8);
+ puVar17 = AfdAcceptCore(param_1,puVar8,(longlong)plVar15);
+ iVar10 = (int)puVar17;
+ puVar22 = auStackY_98;
+ if (((*(uint *)(psVar4 + 4) & 0x100) != 0) && (puVar22 = auStackY_98, iVar10 == 0x103)
+ ) {
+ LOCK();
+ plVar18 = (longlong *)(psVar4 + 0x1c);
+ lVar20 = *plVar18;
+ *plVar18 = *plVar18 + 1;
+ UNLOCK();
+ puVar22 = auStackY_98;
+ if (lVar20 + 1 < 2) {
+ pcVar7 = (code *)swi(0x29);
+ (*pcVar7)(0xe);
+ puVar22 = auStackY_90;
+ }
+ plVar18 = plVar15 + 0x16;
+ psVar21 = psVar4 + 0x48;
+ puVar17 = *(undefined8 **)(psVar4 + 0x4c);
+ if ((short *)*puVar17 != psVar21) {
+ pcVar7 = (code *)swi(0x29);
+ plVar18 = (longlong *)(*pcVar7)(3);
+ puVar22 = puVar22 + 8;
+ }
+ *plVar18 = (longlong)psVar21;
+ plVar18[1] = (longlong)puVar17;
+ *puVar17 = plVar18;
+ *(longlong **)(psVar21 + 4) = plVar18;
+ }
+ *(undefined8 *)(puVar22 + -8) = 0x1c0039b5d;
+ AfdNotifySockIndicateEventsUnlock
+ ((longlong)psVar4,(undefined8 *)(puVar22 + 0x48),'\0');
+ if ((*(uint *)(puVar8 + 4) & 0x2000) != 0) {
+ *(undefined8 *)(puVar22 + -8) = 0x1c0039b6f;
+ AfdDerefTLBaseEndpoint((longlong)puVar8);
+ }
+ lVar20 = plVar15[0x13];
+ if (AfdStandardAddressLength < *(uint *)(plVar15 + 0x14)) {
+ *(undefined8 *)(puVar22 + -8) = 0x1c0039ba2;
+ ExFreePoolWithTag();
+ }
+ else {
+ *(undefined8 *)(puVar22 + -8) = 0x1c0039b94;
+ PplFreeToLookasideList(PplAddressPool,lVar20);
+ }
+ plVar15[0x13] = 0;
+ if (iVar10 == 0) {
+ *(undefined2 **)(puVar22 + 0x28) = puVar8;
+ *(undefined8 *)(puVar22 + 0x20) = 0;
+ *(undefined8 *)(puVar22 + -8) = 0x1c0039bd4;
+ AFDETW_TRACEACCEPT(1,0x177b,psVar4,0,*(ushort **)(puVar22 + 0x20),
+ *(longlong *)(puVar22 + 0x28));
+ }
+ else {
+ if (iVar10 == 0x103) {
+ if ((*(uint *)(psVar4 + 4) & 0x100) == 0) {
+ LOCK();
+ *(int *)(psVar4 + 0x5a) = *(int *)(psVar4 + 0x5a) + 1;
+ UNLOCK();
+ *(undefined8 *)(*(longlong *)(puVar22 + 0xa8) + 0x20) =
+ *(undefined8 *)(param_1 + 0x18);
+ *(undefined8 *)(param_1 + 0x18) = 0;
+ lVar20 = *(longlong *)(param_1 + 0xb8);
+ *(code **)(lVar20 + -0x10) = AfdRestartDelayedAccept;
+ *(undefined8 *)(lVar20 + -8) = *(undefined8 *)(puVar22 + 0xb8);
+ *(undefined1 *)(lVar20 + -0x45) = 0xe0;
+ LOCK();
+ *(int *)(puVar8 + 0x7c) = *(int *)(puVar8 + 0x7c) + 1;
+ UNLOCK();
+ lVar20 = plVar15[3];
+ *(undefined8 *)(puVar22 + -8) = 0x1c0039cc3;
+ IofCallDriver(lVar20,param_1);
+ }
+ else {
+ *(longlong **)(param_1 + 0x78) = plVar15;
+ *(undefined8 *)(param_1 + 0x90) = *(undefined8 *)(puVar22 + 0xb8);
+ plVar15[5] = param_1;
+ pbVar2 = (byte *)(*(longlong *)(param_1 + 0xb8) + 3);
+ *pbVar2 = *pbVar2 | 1;
+ LOCK();
+ *(code **)(param_1 + 0x68) = AfdTLCancelResumeDelayAccept;
+ UNLOCK();
+ if (*(char *)(param_1 + 0x44) != '\0') {
+ LOCK();
+ lVar20 = *(longlong *)(param_1 + 0x68);
+ *(longlong *)(param_1 + 0x68) = 0;
+ UNLOCK();
+ if (lVar20 != 0) {
+ uVar13 = 2;
+ *(undefined8 *)(puVar22 + -8) = 0x1c0039c3b;
+ AfdTLResumeConnectionSetup((longlong)psVar4,(longlong)plVar15,2);
+ *(undefined8 *)(puVar22 + -8) = 0x1c0039c46;
+ IoAcquireCancelSpinLock();
+ *(undefined8 *)(puVar22 + -8) = 0x1c0039c55;
+ AfdTLCancelResumeDelayAccept(0,param_1,uVar13,pppppplVar26);
+ return 0x103;
+ }
+ }
+ *(undefined8 *)(puVar22 + -8) = 0x1c0039c68;
+ AfdTLResumeConnectionSetup((longlong)psVar4,(longlong)plVar15,1);
+ }
+ return 0x103;
+ }
+ *(undefined2 **)(puVar22 + 0x28) = puVar8;
+ *(undefined8 *)(puVar22 + 0x20) = 0;
+ *(undefined8 *)(puVar22 + -8) = 0x1c0039ceb;
+ AFDETW_TRACEACCEPT(1,0x177c,psVar4,iVar10,*(ushort **)(puVar22 + 0x20),
+ *(longlong *)(puVar22 + 0x28));
+ *(undefined8 *)(puVar22 + -8) = 0x1c0039cf3;
+ AfdAbortConnection((undefined2 *)plVar15);
+ }
+ }
+ else {
+ *(undefined8 *)(param_1 + 0x90) = *(undefined8 *)(pcVar6 + 8);
+ *(undefined8 *)(param_2 + 0x20) = 0;
+ *(undefined4 *)(param_2 + 8) = 0;
+ *(undefined4 *)(param_2 + 0x18) = 0;
+ *(undefined4 *)(param_2 + 0x10) = 0;
+ uVar13 = AfdSanAcceptCore(param_1,0,(undefined2 *)plVar15,&local_50);
+ iVar10 = (int)uVar13;
+ if (iVar10 == 0x103) {
+ return 0x103;
+ }
+ }
+ local_68 = *(undefined8 *)(puVar22 + 0xb8);
+ }
+ else {
+ uVar19 = 0x1777;
+LAB_5:
+ uVar23 = 0xc000000d;
+ iVar10 = -0x3ffffff3;
+LAB_6:
+ AFDETW_TRACEACCEPT(0,uVar19,psVar4,uVar23,(ushort *)0x0,0);
+ puVar22 = auStackY_98;
+ }
+ LOCK();
+ *(undefined4 *)(puVar8 + 0xb4) = 0;
+ UNLOCK();
+ if (puVar22[0xb0] != '\0') {
+ *(undefined8 *)(puVar22 + -8) = 0x1c0039d17;
+ AfdAbortConnection((undefined2 *)plVar15);
+ }
}
else {
- *(undefined4 *)(pppppplVar8 + -0xf) = unaff_R15D;
- pppppplVar8[-0xe] = (longlong *****)0x0;
+ iVar10 = -0x3ffffff8;
+ uVar23 = 0xc0000008;
+ uVar19 = 0x1775;
+LAB_4:
+ AFDETW_TRACEACCEPT(0,uVar19,psVar4,uVar23,(ushort *)0x0,0);
+ puVar22 = auStackY_98;
}
- *(undefined8 *)((longlong)register0x00000020 + -8) = 0x1c0024857;
- KeReleaseInStackQueuedSpinLock((undefined1 *)((longlong)register0x00000020 + 0x48));
- LOCK();
- ppppplVar13 = pppppplVar8[-8];
- pppppplVar8[-8] = (longlong *****)0x0;
- UNLOCK();
- if (ppppplVar13 == (longlong *****)0x0) {
- *(undefined1 *)((longlong)register0x00000020 + 0x41) = 0;
- *(undefined8 *)((longlong)register0x00000020 + -8) = 0x1c0024c13;
- IoAcquireCancelSpinLock((undefined1 *)((longlong)register0x00000020 + 0x41));
- *(undefined8 *)((longlong)register0x00000020 + -8) = 0x1c0024c24;
- IoReleaseCancelSpinLock(*(undefined1 *)((longlong)register0x00000020 + 0x41));
- }
- *(undefined8 *)((longlong)register0x00000020 + -8) = 0x1c002487c;
- IofCompleteRequest(pppppplVar8 + -0x15,AfdPriorityBoost);
- *(undefined8 *)((longlong)register0x00000020 + -8) = 0x1c0024891;
- KeAcquireInStackQueuedSpinLock
- (unaff_RDI + 6,(undefined1 *)((longlong)register0x00000020 + 0x48));
+ *(undefined8 *)(puVar22 + -8) = 0x1c0039d21;
+ ObfDereferenceObject(local_68);
+ goto LAB_7;
}
- }
- *(undefined8 *)((longlong)register0x00000020 + -8) = 0x1c00247bb;
- KeReleaseInStackQueuedSpinLock((undefined1 *)((longlong)register0x00000020 + 0x48));
- *(undefined8 *)((longlong)register0x00000020 + -8) = 0x1c00247c8;
- AfdFreeQueuedConnections((short *)unaff_RDI);
- }
- if (unaff_RDI[0x23] != (longlong *****)0x0) {
- *(undefined8 *)((longlong)register0x00000020 + -8) = 0x1c0024c36;
- AfdCloseRouteChangeNotifyHandles((longlong)unaff_RDI);
- }
- ppppplVar13 = (longlong *****)((longlong)register0x00000020 + 0x48);
- *(undefined8 *)((longlong)register0x00000020 + -8) = 0x1c0023d63;
- KeAcquireInStackQueuedSpinLock(unaff_RDI + 6);
- pppppplVar2 = unaff_RDI + 0x24;
- do {
- pppppplVar8 = (longlong ******)*pppppplVar2;
- if (pppppplVar8 == pppppplVar2) {
- if (unaff_RDI[0x2c] == (longlong *****)0x0) {
- *(undefined8 *)((longlong)register0x00000020 + -8) = 0x1c0023d95;
- KeReleaseInStackQueuedSpinLock();
- }
- else {
- *(undefined1 *)((longlong)register0x00000020 + 0x40) = 0;
- *(undefined8 *)((longlong)register0x00000020 + -8) = 0x1c00248ed;
- KeReleaseInStackQueuedSpinLock((undefined1 *)((longlong)register0x00000020 + 0x48));
- *(undefined8 *)((longlong)register0x00000020 + -8) = 0x1c00248fe;
- IoAcquireCancelSpinLock((undefined1 *)((longlong)register0x00000020 + 0x40));
- ppppplVar15 = (longlong *****)((longlong)register0x00000020 + 0x48);
- *(undefined8 *)((longlong)register0x00000020 + -8) = 0x1c0024913;
- KeAcquireInStackQueuedSpinLockAtDpcLevel(unaff_RDI + 6);
- ppppplVar13 = unaff_RDI[0x2c];
- if (ppppplVar13 == (longlong *****)0x0) {
- *(undefined8 *)((longlong)register0x00000020 + -8) = 0x1c0024c42;
- KeReleaseInStackQueuedSpinLockFromDpcLevel
- ((undefined1 *)((longlong)register0x00000020 + 0x48));
- uVar5 = *(undefined1 *)((longlong)register0x00000020 + 0x40);
- }
- else {
- *(undefined1 *)((longlong)ppppplVar13 + 0x44) = 1;
- LOCK();
- pppplVar4 = ppppplVar13[0xd];
- ppppplVar13[0xd] = (longlong ****)0x0;
- UNLOCK();
- *(undefined8 *)((longlong)register0x00000020 + -8) = 0x1c002493e;
- KeReleaseInStackQueuedSpinLockFromDpcLevel();
- uVar5 = *(undefined1 *)((longlong)register0x00000020 + 0x40);
- if (pppplVar4 != (longlong ****)0x0) {
- *(undefined1 *)((longlong)ppppplVar13 + 0x45) = uVar5;
- *(undefined8 *)((longlong)register0x00000020 + -8) = 0x1c0024961;
- (*(code *)pppplVar4)(0);
- goto LAB_3;
- }
- }
- ppppplVar13 = ppppplVar15;
- *(undefined8 *)((longlong)register0x00000020 + -8) = 0x1c0024c53;
- IoReleaseCancelSpinLock(uVar5);
- }
-LAB_3:
- uVar12 = *(uint *)(unaff_RDI + 1);
- if ((((uVar12 >> 8 & 1) != 0) || (unaff_RDI[0x20] == (longlong *****)0x0)) ||
- (*(char *)((longlong)unaff_RDI + 2) == '\x01')) goto LAB_4;
- ppppplVar15 = unaff_RDI[3];
- ppppplVar14 = (longlong *****)0x0;
- break;
- }
- if (((longlong ******)pppppplVar8[1] != pppppplVar2) ||
- (ppppplVar13 = *pppppplVar8, (longlong ******)ppppplVar13[1] != pppppplVar8))
- goto LAB_2;
- *pppppplVar2 = ppppplVar13;
- ppppplVar13[1] = (longlong ****)pppppplVar2;
- *pppppplVar8 = (longlong *****)0x0;
- *(undefined8 *)((longlong)register0x00000020 + -8) = 0x1c0023e6e;
- uVar17 = KeReleaseInStackQueuedSpinLock((undefined1 *)((longlong)register0x00000020 + 0x48));
- ppppplVar13 = pppppplVar8[2];
- *(undefined8 *)((longlong)register0x00000020 + -8) = 0x1c0023e82;
- (*(code *)ppppplVar13)(uVar17,pppppplVar8);
- ppppplVar13 = (longlong *****)((longlong)register0x00000020 + 0x48);
- *(undefined8 *)((longlong)register0x00000020 + -8) = 0x1c0023e92;
- KeAcquireInStackQueuedSpinLock(unaff_RDI + 6);
- } while( true );
-LAB_5:
- cVar16 = (char)ppppplVar14;
- if ((uVar12 & 1) == 0) {
- uVar7 = *(ushort *)unaff_RDI;
- ppppplVar13 = (longlong *****)(ulonglong)uVar7;
- if ((uVar7 + 0x5030 & 0xfff9) == 0) {
- if ((uVar12 >> 8 & 1) == 0) {
- uVar12 = *(uint *)(unaff_RDI + 2);
- goto joined_r0x0001c0024c64;
- }
- goto LAB_6;
- }
- if (uVar7 == 0xafd1) {
- *(undefined8 *)((longlong)register0x00000020 + -8) = 0x1c002457c;
- AfdSetEventHandler(ppppplVar15,4,0,0);
- *(undefined8 *)((longlong)register0x00000020 + -8) = 0x1c002458e;
- AfdSetEventHandler(ppppplVar15,10,0,0);
- param_4 = (longlong ******)0x0;
- ppppplVar13 = (longlong *****)0x2;
- *(undefined8 *)((longlong)register0x00000020 + -8) = 0x1c00245a0;
- AfdSetEventHandler(ppppplVar15,2,0,0);
- if ((((ulonglong)unaff_RDI[1] & 0x100) != 0) || (((ulonglong)unaff_RDI[2] & 0x100000) != 0))
- goto LAB_6;
+ uVar19 = 0x1774;
}
}
else {
- param_4 = (longlong ******)0x0;
- ppppplVar13 = (longlong *****)0x0;
- *(undefined8 *)((longlong)register0x00000020 + -8) = 0x1c002473b;
- AfdSetEventHandler(ppppplVar15,0,0,0);
- if (((ulonglong)unaff_RDI[1] & 0x100) == 0) {
- uVar12 = *(uint *)(unaff_RDI + 2);
-joined_r0x0001c0024c64:
- if ((uVar12 & 0x100000) == 0) goto LAB_7;
+ puVar5 = *(undefined1 **)(param_1 + 0x18);
+ if (0xb < *puVar1) {
+ param_3 = 0x73646641;
+ puVar12 = (undefined1 *)ExAllocatePool2(99);
+ *puVar12 = *puVar5;
+ *(longlong *)(puVar12 + 8) = (longlong)*(int *)(puVar5 + 8);
+ *(undefined4 *)(puVar12 + 4) = *(undefined4 *)(puVar5 + 4);
+ lVar20 = 0;
+ ExFreePoolWithTag(*(undefined8 *)(param_1 + 0x18));
+ *(undefined1 **)(param_1 + 0x18) = puVar12;
+ *puVar1 = 0x10;
+ goto LAB_0;
}
-LAB_6:
- *(undefined8 *)((longlong)register0x00000020 + -8) = 0x1c0024753;
- AfdUnbind((longlong)unaff_RDI,cVar16);
- ppppplVar13 = ppppplVar14;
+ uVar19 = 6000;
+LAB_1:
+ iVar10 = -0x3ffffff3;
}
+ AFDETW_TRACEACCEPT(0,uVar19,psVar4,iVar10,(ushort *)0x0,0);
+ puVar22 = auStackY_98;
LAB_7:
- param_3 = 0xfff9;
- if ((cVar16 != '\0') || (uVar12 = *(uint *)(unaff_RDI + 1), (uVar12 >> 0x16 & 1) == 0)) {
-LAB_4:
- if (((((ulonglong)unaff_RDI[1] & 0x100) != 0) && (in_stack_00000060 != 0)) &&
- (((byte)(*(char *)((longlong)unaff_RDI + 2) - 2U) < 3 ||
- (*(char *)((longlong)unaff_RDI + 2) == '\a')))) {
- *(undefined8 *)((longlong)register0x00000020 + -8) = 0x1c0023f7e;
- AfdCloseTransportEndpoint(unaff_RDI,ppppplVar13,param_3,param_4);
- }
- *(undefined8 *)(unaff_RBP + -0x38) = 0;
- *(undefined8 *)(unaff_RBP + -0x30) = 0;
- *(undefined8 *)(unaff_RBP + -0x28) = 0;
- *(undefined8 *)((longlong)register0x00000020 + -8) = 0x1c0023ddb;
- KeAcquireInStackQueuedSpinLock(unaff_RDI + 6,unaff_RBP + -0x38);
- ppppplVar13 = unaff_RDI[0x2f];
- if (ppppplVar13 == (longlong *****)0x0) {
- *(undefined8 *)((longlong)register0x00000020 + -8) = 0x1c0023dfb;
- KeReleaseInStackQueuedSpinLock();
- }
- else {
- unaff_RDI[0x2f] = (longlong *****)0x0;
- *(undefined8 *)((longlong)register0x00000020 + -8) = 0x1c0024c8f;
- KeReleaseInStackQueuedSpinLock(unaff_RBP + -0x38);
- *(undefined8 *)((longlong)register0x00000020 + -8) = 0x1c0024c9f;
- AfdNotifyDestroyContext(uVar10,(longlong)ppppplVar13);
- }
- if (g_AfdEtwTraceEnable != 0) {
- sVar6 = *(short *)unaff_RDI;
- *(undefined8 *)(unaff_RBP + 0x30) = 0x3ea1004100003ea;
- *(undefined8 *)(unaff_RBP + 0x38) = 0x8000000000000004;
- *(undefined1 *)(unaff_RBP + 0x34) = 4;
- *(ulonglong *)(unaff_RBP + 0x38) = (ulonglong)(sVar6 != -0x502f) + 1 | 0x8000000000000004;
- *(undefined8 *)((longlong)register0x00000020 + -8) = 0x1c00241c7;
- AFDETW_TRACESTATUS(unaff_RBP + 0x30,1,0x7d3,(longlong)unaff_RDI);
- }
- LOCK();
- _AfdEndpointsCleanedUp = _AfdEndpointsCleanedUp + 1;
- UNLOCK();
- uVar9 = *(ulonglong *)(unaff_RBP + 0x40);
- *(undefined8 *)((longlong)register0x00000020 + -8) = 0x1c0023e2a;
- __security_check_cookie(uVar9 ^ (ulonglong)register0x00000020);
- return extraout_EAX;
- }
- ppppplVar14 = (longlong *****)0x1;
- ppppplVar15 = (longlong *****)unaff_RDI[0x22][1];
- goto LAB_5;
-LAB_2:
- pcVar11 = (code *)swi(0x29);
- (*pcVar11)(3);
- register0x00000020 = (BADSPACEBASE *)((longlong)register0x00000020 + 8);
-LAB_0:
- pcVar11 = (code *)swi(0x29);
- (*pcVar11)(0xe);
- register0x00000020 = (BADSPACEBASE *)((longlong)register0x00000020 + 8);
- goto LAB_1;
+ *(int *)(param_1 + 0x30) = iVar10;
+ *(undefined8 *)(puVar22 + -8) = 0x1c0039d5d;
+ IofCompleteRequest(param_1,AfdPriorityBoost);
+ return iVar10;
}
Slightly modified functions have no code changes, rather differnces in:
- refcount
- length
- called
- calling
- name
- fullname
| Key | afd.sys - afd.sys |
|---|---|
| diff_type | refcount,calling |
| ratio | 1.0 |
| i_ratio | 1.0 |
| m_ratio | 1.0 |
| b_ratio | 1.0 |
| match_types | SymbolsHash,ExternalsName |
| Key | afd.sys | afd.sys |
|---|---|---|
| name | ExAcquireRundownProtection | ExAcquireRundownProtection |
| fullname | NTOSKRNL.EXE::ExAcquireRundownProtection | NTOSKRNL.EXE::ExAcquireRundownProtection |
refcount |
45 | 44 |
| length | 0 | 0 |
| called | ||
calling |
Expand for full list:AfdFastDatagramSend |
Expand for full list:AfdFinishConnect |
| paramcount | 0 | 0 |
| address | EXTERNAL:00000080 | EXTERNAL:00000080 |
| sig | undefined ExAcquireRundownProtection(void) | undefined ExAcquireRundownProtection(void) |
| sym_type | Function | Function |
| sym_source | IMPORTED | IMPORTED |
| external | True | True |
--- NTOSKRNL.EXE::ExAcquireRundownProtection calling
+++ NTOSKRNL.EXE::ExAcquireRundownProtection calling
@@ -1 +0,0 @@
-AfdAccept| Key | afd.sys - afd.sys |
|---|---|
| diff_type | refcount,address |
| ratio | 1.0 |
| i_ratio | 1.0 |
| m_ratio | 1.0 |
| b_ratio | 1.0 |
| match_types | SymbolsHash,ExternalsName |
| Key | afd.sys | afd.sys |
|---|---|---|
| name | KeReleaseInStackQueuedSpinLock | KeReleaseInStackQueuedSpinLock |
| fullname | NTOSKRNL.EXE::KeReleaseInStackQueuedSpinLock | NTOSKRNL.EXE::KeReleaseInStackQueuedSpinLock |
refcount |
550 | 549 |
| length | 0 | 0 |
| called | ||
| calling | Expand for full list:AfdCleanupAddressListChange |
Expand for full list:AfdCleanupAddressListChange |
| paramcount | 0 | 0 |
address |
EXTERNAL:000000f2 | EXTERNAL:000000f0 |
| sig | undefined KeReleaseInStackQueuedSpinLock(void) | undefined KeReleaseInStackQueuedSpinLock(void) |
| sym_type | Function | Function |
| sym_source | IMPORTED | IMPORTED |
| external | True | True |
| Key | afd.sys - afd.sys |
|---|---|
| diff_type | refcount,calling |
| ratio | 1.0 |
| i_ratio | 1.0 |
| m_ratio | 1.0 |
| b_ratio | 1.0 |
| match_types | SymbolsHash,ExternalsName |
| Key | afd.sys | afd.sys |
|---|---|---|
| name | ExReleaseRundownProtection | ExReleaseRundownProtection |
| fullname | NTOSKRNL.EXE::ExReleaseRundownProtection | NTOSKRNL.EXE::ExReleaseRundownProtection |
refcount |
44 | 43 |
| length | 0 | 0 |
| called | ||
calling |
Expand for full list:AfdFastDatagramSend |
Expand for full list:AfdFinishConnect |
| paramcount | 0 | 0 |
| address | EXTERNAL:00000082 | EXTERNAL:00000082 |
| sig | undefined ExReleaseRundownProtection(void) | undefined ExReleaseRundownProtection(void) |
| sym_type | Function | Function |
| sym_source | IMPORTED | IMPORTED |
| external | True | True |
--- NTOSKRNL.EXE::ExReleaseRundownProtection calling
+++ NTOSKRNL.EXE::ExReleaseRundownProtection calling
@@ -1 +0,0 @@
-AfdAcceptGenerated with ghidriff version: 0.8.0 on 2025-02-12T14:01:04