- Visual Chart Diff
- Metadata
- Deleted
- Added
- Modified
- CClfsRequest::Close
- CClfsLogCcb::Cleanup
- Feature_2834328890__private_IsEnabledFallback
- `CClfsRequest::Close'::__l1::fin$0
- wil_details_FeatureReporting_RecordUsageInCache
- wil_details_FeatureReporting_ReportUsageToServiceDirect
- wil_details_FeatureReporting_ReportUsageToService
- wil_details_IsEnabledFallback
- wil_details_FeatureStateCache_TryEnableDeviceUsageFastPath
- Modified (No Code Changes)
flowchart LR
CClfsRequestClose-1-old<--Match 68%-->CClfsRequestClose-1-new
CClfsLogCcbCleanup-1-old<--Match 51%-->CClfsLogCcbCleanup-1-new
Feature_2834328890__private_IsEnabledFallback-2-old<--Match 89%-->Feature_2834328890__private_IsEnabledFallback-2-new
CClfsRequestClose__l1fin0-2-old<--Match 82%-->CClfsRequestClose__l1fin0-2-new
wil_details_FeatureReporting_RecordUsageInCache-4-old<--Match 99%-->wil_details_FeatureReporting_RecordUsageInCache-4-new
wil_details_FeatureReporting_ReportUsageToServiceDirect-3-old<--Match 93%-->wil_details_FeatureReporting_ReportUsageToServiceDirect-3-new
wil_details_FeatureReporting_ReportUsageToService-3-old<--Match 94%-->wil_details_FeatureReporting_ReportUsageToService-3-new
wil_details_IsEnabledFallback-2-old<--Match 94%-->wil_details_IsEnabledFallback-2-new
wil_details_FeatureStateCache_TryEnableDeviceUsageFastPath-2-old<--Match 83%-->wil_details_FeatureStateCache_TryEnableDeviceUsageFastPath-2-new
subgraph clfs_apr.sys
CClfsRequestClose-1-new
CClfsLogCcbCleanup-1-new
Feature_2834328890__private_IsEnabledFallback-2-new
CClfsRequestClose__l1fin0-2-new
wil_details_FeatureReporting_RecordUsageInCache-4-new
wil_details_FeatureReporting_ReportUsageToServiceDirect-3-new
wil_details_FeatureReporting_ReportUsageToService-3-new
wil_details_IsEnabledFallback-2-new
wil_details_FeatureStateCache_TryEnableDeviceUsageFastPath-2-new
subgraph Added
direction LR
Feature_3200318777__private_IsEnabledDeviceUsage
Feature_3200318777__private_IsEnabledFallback
CClfsLogCcb-Close
end
end
subgraph clfs_march.sys
CClfsRequestClose-1-old
CClfsLogCcbCleanup-1-old
Feature_2834328890__private_IsEnabledFallback-2-old
CClfsRequestClose__l1fin0-2-old
wil_details_FeatureReporting_RecordUsageInCache-4-old
wil_details_FeatureReporting_ReportUsageToServiceDirect-3-old
wil_details_FeatureReporting_ReportUsageToService-3-old
wil_details_IsEnabledFallback-2-old
wil_details_FeatureStateCache_TryEnableDeviceUsageFastPath-2-old
end
pie showData
title Function Matches - 99.8959%
"unmatched_funcs_len" : 3
"matched_funcs_len" : 2880
pie showData
title Matched Function Similarity - 99.5833%
"matched_funcs_with_code_changes_len" : 9
"matched_funcs_with_non_code_changes_len" : 3
"matched_funcs_no_changes_len" : 2868
ghidriff --project-location ghidra_projects --project-name ghidriff --symbols-path symbols --threaded --log-level INFO --file-log-level INFO --log-path ghidriff.log --min-func-len 10 --gdt [] --bsim --max-ram-percent 60.0 --max-section-funcs 200 clfs_march.sys clfs_apr.sys
--old ['www/clfs_march.sys'] --new [['www/clfs_apr.sys']] --engine VersionTrackingDiff --output-path clfs/ --summary False --project-location ghidra_projects --project-name ghidriff --symbols-path symbols --threaded True --force-analysis False --force-diff False --no-symbols False --log-level INFO --file-log-level INFO --log-path ghidriff.log --va False --min-func-len 10 --use-calling-counts False --gdt [] --bsim True --bsim-full False --max-ram-percent 60.0 --print-flags False --jvm-args None --side-by-side False --max-section-funcs 200 --md-title None
wget https://msdl.microsoft.com/download/symbols/Clfs.Sys/17A5B1EC6D000/Clfs.Sys -O clfs.sys.x64.10.0.20348.3328
wget https://msdl.microsoft.com/download/symbols/Clfs.Sys/7C335CEA6D000/Clfs.Sys -O clfs.sys.x64.10.0.20348.3453
--- clfs_march.sys Meta
+++ clfs_apr.sys Meta
@@ -1,44 +1,44 @@
-Program Name: clfs_march.sys
+Program Name: clfs_apr.sys
Language ID: x86:LE:64:default (4.1)
Compiler ID: windows
Processor: x86
Endian: Little
Address Size: 64
Minimum Address: 1c0000000
Maximum Address: ff0000184f
-# of Bytes: 452508
+# of Bytes: 452524
# of Memory Blocks: 13
-# of Instructions: 78597
-# of Defined Data: 3303
-# of Functions: 1440
-# of Symbols: 11105
+# of Instructions: 78691
+# of Defined Data: 3308
+# of Functions: 1443
+# of Symbols: 11119
# of Data Types: 391
# of Data Type Categories: 18
Analyzed: true
Compiler: visualstudio:unknown
Created With Ghidra Version: 11.3
-Date Created: Wed Apr 09 13:06:42 CEST 2025
+Date Created: Wed Apr 09 13:06:44 CEST 2025
Executable Format: Portable Executable (PE)
-Executable Location: /home/b/www/clfs_march.sys
-Executable MD5: ce4489f9ea51468472b68294915d720a
-Executable SHA256: 33f50960df5515b5a61d3c1989b1002ef5f01a24ef362547788546b9f4103866
-FSRL: file:///home/b/www/clfs_march.sys?MD5=ce4489f9ea51468472b68294915d720a
+Executable Location: /home/b/www/clfs_apr.sys
+Executable MD5: 96808a6e4b2de52b40bdbe32ca143cee
+Executable SHA256: 430a5fca22c6236c715025f22b76fb017256ea6be7e7b0a9e9a2440bfadb26d1
+FSRL: file:///home/b/www/clfs_apr.sys?MD5=96808a6e4b2de52b40bdbe32ca143cee
PDB Age: 1
PDB File: clfs.pdb
-PDB GUID: a0ff9c8a-3818-433c-fc1e-99a6d5a55ce9
+PDB GUID: f4603716-961c-9f0f-e18d-c0631938161a
PDB Loaded: true
PDB Version: RSDS
PE Property[CompanyName]: Microsoft Corporation
PE Property[FileDescription]: Common Log File System Driver
-PE Property[FileVersion]: 10.0.20348.3328 (WinBuild.160101.0800)
+PE Property[FileVersion]: 10.0.20348.3453 (WinBuild.160101.0800)
PE Property[InternalName]: clfs.sys
PE Property[LegalCopyright]: © Microsoft Corporation. All rights reserved.
PE Property[OriginalFilename]: Clfs.Sys
PE Property[ProductName]: Microsoft® Windows® Operating System
-PE Property[ProductVersion]: 10.0.20348.3328
+PE Property[ProductVersion]: 10.0.20348.3453
PE Property[Translation]: 4b00000
Preferred Root Namespace Category:
RTTI Found: false
Relocatable: true
SectionAlignment: 4096
Should Ask To Analyze: false
Ghidra clfs_march.sys Decompiler Options
| Decompiler Option | Value |
|---|---|
| Prototype Evaluation | __fastcall |
Ghidra clfs_march.sys Specification extensions Options
| Specification extensions Option | Value |
|---|---|
| FormatVersion | 0 |
| VersionCounter | 0 |
Ghidra clfs_march.sys Analyzers Options
| Analyzers Option | Value |
|---|---|
| ASCII Strings | true |
| ASCII Strings.Create Strings Containing Existing Strings | true |
| ASCII Strings.Create Strings Containing References | true |
| ASCII Strings.Force Model Reload | false |
| ASCII Strings.Minimum String Length | LEN_5 |
| ASCII Strings.Model File | StringModel.sng |
| ASCII Strings.Require Null Termination for String | true |
| ASCII Strings.Search Only in Accessible Memory Blocks | true |
| ASCII Strings.String Start Alignment | ALIGN_1 |
| ASCII Strings.String end alignment | 4 |
| Aggressive Instruction Finder | false |
| Aggressive Instruction Finder.Create Analysis Bookmarks | true |
| Apply Data Archives | true |
| Apply Data Archives.Archive Chooser | [Auto-Detect] |
| Apply Data Archives.Create Analysis Bookmarks | true |
| Apply Data Archives.GDT User File Archive Path | None |
| Apply Data Archives.User Project Archive Path | None |
| Call Convention ID | true |
| Call Convention ID.Analysis Decompiler Timeout (sec) | 60 |
| Call-Fixup Installer | true |
| Condense Filler Bytes | false |
| Condense Filler Bytes.Filler Value | Auto |
| Condense Filler Bytes.Minimum number of sequential bytes | 1 |
| Create Address Tables | true |
| Create Address Tables.Allow Offcut References | false |
| Create Address Tables.Auto Label Table | false |
| Create Address Tables.Create Analysis Bookmarks | true |
| Create Address Tables.Maxmimum Pointer Distance | 16777215 |
| Create Address Tables.Minimum Pointer Address | 4132 |
| Create Address Tables.Minimum Table Size | 2 |
| Create Address Tables.Pointer Alignment | 1 |
| Create Address Tables.Relocation Table Guide | true |
| Create Address Tables.Table Alignment | 4 |
| Data Reference | true |
| Data Reference.Address Table Alignment | 1 |
| Data Reference.Address Table Minimum Size | 2 |
| Data Reference.Align End of Strings | false |
| Data Reference.Ascii String References | true |
| Data Reference.Create Address Tables | true |
| Data Reference.Minimum String Length | 5 |
| Data Reference.References to Pointers | true |
| Data Reference.Relocation Table Guide | true |
| Data Reference.Respect Execute Flag | true |
| Data Reference.Subroutine References | true |
| Data Reference.Switch Table References | false |
| Data Reference.Unicode String References | true |
| Decompiler Parameter ID | true |
| Decompiler Parameter ID.Analysis Clear Level | ANALYSIS |
| Decompiler Parameter ID.Analysis Decompiler Timeout (sec) | 60 |
| Decompiler Parameter ID.Commit Data Types | true |
| Decompiler Parameter ID.Commit Void Return Values | false |
| Decompiler Parameter ID.Prototype Evaluation | __fastcall |
| Decompiler Switch Analysis | true |
| Decompiler Switch Analysis.Analysis Decompiler Timeout (sec) | 60 |
| Demangler Microsoft | true |
| Demangler Microsoft.Apply Function Calling Conventions | true |
| Demangler Microsoft.Apply Function Signatures | true |
| Demangler Microsoft.C-Style Symbol Interpretation | FUNCTION_IF_EXISTS |
| Demangler Microsoft.Demangle Only Known Mangled Symbols | false |
| Disassemble Entry Points | true |
| Disassemble Entry Points.Respect Execute Flag | true |
| Embedded Media | true |
| Embedded Media.Create Analysis Bookmarks | true |
| External Entry References | true |
| Function ID | true |
| Function ID.Always Apply FID Labels | false |
| Function ID.Create Analysis Bookmarks | true |
| Function ID.Instruction Count Threshold | 14.6 |
| Function ID.Multiple Match Threshold | 30.0 |
| Function Start Search | true |
| Function Start Search.Bookmark Functions | false |
| Function Start Search.Search Data Blocks | false |
| Non-Returning Functions - Discovered | true |
| Non-Returning Functions - Discovered.Create Analysis Bookmarks | true |
| Non-Returning Functions - Discovered.Function Non-return Threshold | 3 |
| Non-Returning Functions - Discovered.Repair Flow Damage | true |
| Non-Returning Functions - Known | true |
| Non-Returning Functions - Known.Create Analysis Bookmarks | true |
| PDB MSDIA | false |
| PDB MSDIA.Search untrusted symbol servers | false |
| PDB Universal | true |
| PDB Universal.Import Source Line Info | true |
| PDB Universal.Search untrusted symbol servers | false |
| Reference | true |
| Reference.Address Table Alignment | 1 |
| Reference.Address Table Minimum Size | 2 |
| Reference.Align End of Strings | false |
| Reference.Ascii String References | true |
| Reference.Create Address Tables | true |
| Reference.Minimum String Length | 5 |
| Reference.References to Pointers | true |
| Reference.Relocation Table Guide | true |
| Reference.Respect Execute Flag | true |
| Reference.Subroutine References | true |
| Reference.Switch Table References | false |
| Reference.Unicode String References | true |
| Scalar Operand References | true |
| Scalar Operand References.Relocation Table Guide | true |
| Shared Return Calls | true |
| Shared Return Calls.Allow Conditional Jumps | false |
| Shared Return Calls.Assume Contiguous Functions Only | true |
| Stack | true |
| Stack.Create Local Variables | true |
| Stack.Create Param Variables | false |
| Stack.useNewFunctionStackAnalysis | true |
| Subroutine References | true |
| Subroutine References.Create Thunks Early | true |
| Variadic Function Signature Override | false |
| Variadic Function Signature Override.Create Analysis Bookmarks | false |
| Windows x86 PE Exception Handling | true |
| Windows x86 PE RTTI Analyzer | true |
| Windows x86 Thread Environment Block (TEB) Analyzer | true |
| Windows x86 Thread Environment Block (TEB) Analyzer.Starting Address of the TEB | |
| Windows x86 Thread Environment Block (TEB) Analyzer.Windows OS Version | Windows 7 |
| WindowsPE x86 Propagate External Parameters | false |
| WindowsResourceReference | true |
| WindowsResourceReference.Create Analysis Bookmarks | true |
| x86 Constant Reference Analyzer | true |
| x86 Constant Reference Analyzer.Create Data from pointer | false |
| x86 Constant Reference Analyzer.Function parameter/return Pointer analysis | true |
| x86 Constant Reference Analyzer.Max Threads | 2 |
| x86 Constant Reference Analyzer.Min absolute reference | 4 |
| x86 Constant Reference Analyzer.Require pointer param data type | false |
| x86 Constant Reference Analyzer.Speculative reference max | 256 |
| x86 Constant Reference Analyzer.Speculative reference min | 1024 |
| x86 Constant Reference Analyzer.Stored Value Pointer analysis | true |
| x86 Constant Reference Analyzer.Trust values read from writable memory | true |
Ghidra clfs_apr.sys Decompiler Options
| Decompiler Option | Value |
|---|---|
| Prototype Evaluation | __fastcall |
Ghidra clfs_apr.sys Specification extensions Options
| Specification extensions Option | Value |
|---|---|
| FormatVersion | 0 |
| VersionCounter | 0 |
Ghidra clfs_apr.sys Analyzers Options
| Analyzers Option | Value |
|---|---|
| ASCII Strings | true |
| ASCII Strings.Create Strings Containing Existing Strings | true |
| ASCII Strings.Create Strings Containing References | true |
| ASCII Strings.Force Model Reload | false |
| ASCII Strings.Minimum String Length | LEN_5 |
| ASCII Strings.Model File | StringModel.sng |
| ASCII Strings.Require Null Termination for String | true |
| ASCII Strings.Search Only in Accessible Memory Blocks | true |
| ASCII Strings.String Start Alignment | ALIGN_1 |
| ASCII Strings.String end alignment | 4 |
| Aggressive Instruction Finder | false |
| Aggressive Instruction Finder.Create Analysis Bookmarks | true |
| Apply Data Archives | true |
| Apply Data Archives.Archive Chooser | [Auto-Detect] |
| Apply Data Archives.Create Analysis Bookmarks | true |
| Apply Data Archives.GDT User File Archive Path | None |
| Apply Data Archives.User Project Archive Path | None |
| Call Convention ID | true |
| Call Convention ID.Analysis Decompiler Timeout (sec) | 60 |
| Call-Fixup Installer | true |
| Condense Filler Bytes | false |
| Condense Filler Bytes.Filler Value | Auto |
| Condense Filler Bytes.Minimum number of sequential bytes | 1 |
| Create Address Tables | true |
| Create Address Tables.Allow Offcut References | false |
| Create Address Tables.Auto Label Table | false |
| Create Address Tables.Create Analysis Bookmarks | true |
| Create Address Tables.Maxmimum Pointer Distance | 16777215 |
| Create Address Tables.Minimum Pointer Address | 4132 |
| Create Address Tables.Minimum Table Size | 2 |
| Create Address Tables.Pointer Alignment | 1 |
| Create Address Tables.Relocation Table Guide | true |
| Create Address Tables.Table Alignment | 4 |
| Data Reference | true |
| Data Reference.Address Table Alignment | 1 |
| Data Reference.Address Table Minimum Size | 2 |
| Data Reference.Align End of Strings | false |
| Data Reference.Ascii String References | true |
| Data Reference.Create Address Tables | true |
| Data Reference.Minimum String Length | 5 |
| Data Reference.References to Pointers | true |
| Data Reference.Relocation Table Guide | true |
| Data Reference.Respect Execute Flag | true |
| Data Reference.Subroutine References | true |
| Data Reference.Switch Table References | false |
| Data Reference.Unicode String References | true |
| Decompiler Parameter ID | true |
| Decompiler Parameter ID.Analysis Clear Level | ANALYSIS |
| Decompiler Parameter ID.Analysis Decompiler Timeout (sec) | 60 |
| Decompiler Parameter ID.Commit Data Types | true |
| Decompiler Parameter ID.Commit Void Return Values | false |
| Decompiler Parameter ID.Prototype Evaluation | __fastcall |
| Decompiler Switch Analysis | true |
| Decompiler Switch Analysis.Analysis Decompiler Timeout (sec) | 60 |
| Demangler Microsoft | true |
| Demangler Microsoft.Apply Function Calling Conventions | true |
| Demangler Microsoft.Apply Function Signatures | true |
| Demangler Microsoft.C-Style Symbol Interpretation | FUNCTION_IF_EXISTS |
| Demangler Microsoft.Demangle Only Known Mangled Symbols | false |
| Disassemble Entry Points | true |
| Disassemble Entry Points.Respect Execute Flag | true |
| Embedded Media | true |
| Embedded Media.Create Analysis Bookmarks | true |
| External Entry References | true |
| Function ID | true |
| Function ID.Always Apply FID Labels | false |
| Function ID.Create Analysis Bookmarks | true |
| Function ID.Instruction Count Threshold | 14.6 |
| Function ID.Multiple Match Threshold | 30.0 |
| Function Start Search | true |
| Function Start Search.Bookmark Functions | false |
| Function Start Search.Search Data Blocks | false |
| Non-Returning Functions - Discovered | true |
| Non-Returning Functions - Discovered.Create Analysis Bookmarks | true |
| Non-Returning Functions - Discovered.Function Non-return Threshold | 3 |
| Non-Returning Functions - Discovered.Repair Flow Damage | true |
| Non-Returning Functions - Known | true |
| Non-Returning Functions - Known.Create Analysis Bookmarks | true |
| PDB MSDIA | false |
| PDB MSDIA.Search untrusted symbol servers | false |
| PDB Universal | true |
| PDB Universal.Import Source Line Info | true |
| PDB Universal.Search untrusted symbol servers | false |
| Reference | true |
| Reference.Address Table Alignment | 1 |
| Reference.Address Table Minimum Size | 2 |
| Reference.Align End of Strings | false |
| Reference.Ascii String References | true |
| Reference.Create Address Tables | true |
| Reference.Minimum String Length | 5 |
| Reference.References to Pointers | true |
| Reference.Relocation Table Guide | true |
| Reference.Respect Execute Flag | true |
| Reference.Subroutine References | true |
| Reference.Switch Table References | false |
| Reference.Unicode String References | true |
| Scalar Operand References | true |
| Scalar Operand References.Relocation Table Guide | true |
| Shared Return Calls | true |
| Shared Return Calls.Allow Conditional Jumps | false |
| Shared Return Calls.Assume Contiguous Functions Only | true |
| Stack | true |
| Stack.Create Local Variables | true |
| Stack.Create Param Variables | false |
| Stack.useNewFunctionStackAnalysis | true |
| Subroutine References | true |
| Subroutine References.Create Thunks Early | true |
| Variadic Function Signature Override | false |
| Variadic Function Signature Override.Create Analysis Bookmarks | false |
| Windows x86 PE Exception Handling | true |
| Windows x86 PE RTTI Analyzer | true |
| Windows x86 Thread Environment Block (TEB) Analyzer | true |
| Windows x86 Thread Environment Block (TEB) Analyzer.Starting Address of the TEB | |
| Windows x86 Thread Environment Block (TEB) Analyzer.Windows OS Version | Windows 7 |
| WindowsPE x86 Propagate External Parameters | false |
| WindowsResourceReference | true |
| WindowsResourceReference.Create Analysis Bookmarks | true |
| x86 Constant Reference Analyzer | true |
| x86 Constant Reference Analyzer.Create Data from pointer | false |
| x86 Constant Reference Analyzer.Function parameter/return Pointer analysis | true |
| x86 Constant Reference Analyzer.Max Threads | 2 |
| x86 Constant Reference Analyzer.Min absolute reference | 4 |
| x86 Constant Reference Analyzer.Require pointer param data type | false |
| x86 Constant Reference Analyzer.Speculative reference max | 256 |
| x86 Constant Reference Analyzer.Speculative reference min | 1024 |
| x86 Constant Reference Analyzer.Stored Value Pointer analysis | true |
| x86 Constant Reference Analyzer.Trust values read from writable memory | true |
| Stat | Value |
|---|---|
| added_funcs_len | 3 |
| deleted_funcs_len | 0 |
| modified_funcs_len | 12 |
| added_symbols_len | 6 |
| deleted_symbols_len | 3 |
| diff_time | 7.386976957321167 |
| deleted_strings_len | 0 |
| added_strings_len | 0 |
| match_types | Counter({'SymbolsHash': 1408, 'ExternalsName': 187, 'ExactInstructionsFunctionHasher': 28, 'StructuralGraphHash': 4, 'ExactBytesFunctionHasher': 1, 'BSIM': 1}) |
| items_to_process | 24 |
| diff_types | Counter({'address': 11, 'length': 10, 'code': 9, 'sig': 6, 'refcount': 4, 'called': 4, 'calling': 3}) |
| unmatched_funcs_len | 3 |
| total_funcs_len | 2883 |
| matched_funcs_len | 2880 |
| matched_funcs_with_code_changes_len | 9 |
| matched_funcs_with_non_code_changes_len | 3 |
| matched_funcs_no_changes_len | 2868 |
| match_func_similarity_percent | 99.5833% |
| func_match_overall_percent | 99.8959% |
| first_matches | Counter({'SymbolsHash': 1408, 'ExactInstructionsFunctionHasher': 28, 'StructuralGraphHash': 4, 'ExactBytesFunctionHasher': 1, 'BSIM': 1}) |
pie showData
title All Matches
"SymbolsHash" : 1408
"ExternalsName" : 187
"ExactBytesFunctionHasher" : 1
"ExactInstructionsFunctionHasher" : 28
"BSIM" : 1
"StructuralGraphHash" : 4
pie showData
title First Matches
"SymbolsHash" : 1408
"ExactBytesFunctionHasher" : 1
"ExactInstructionsFunctionHasher" : 28
"BSIM" : 1
"StructuralGraphHash" : 4
pie showData
title Diff Stats
"added_funcs_len" : 3
"deleted_funcs_len" : 0
"modified_funcs_len" : 12
pie showData
title Symbols
"added_symbols_len" : 6
"deleted_symbols_len" : 3
No string differences found
| Key | clfs_apr.sys |
|---|---|
| name | Feature_3200318777__private_IsEnabledDeviceUsage |
| fullname | Feature_3200318777__private_IsEnabledDeviceUsage |
| refcount | 6 |
| length | 49 |
| called | Feature_3200318777__private_IsEnabledFallback |
| calling | CClfsLogCcb::Cleanup CClfsRequest::Close `CClfsRequest::Close'::__l1::fin$0 |
| paramcount | 0 |
| address | 1c000cf18 |
| sig | ulonglong __fastcall Feature_3200318777__private_IsEnabledDeviceUsage(void) |
| sym_type | Function |
| sym_source | IMPORTED |
| external | False |
--- Feature_3200318777__private_IsEnabledDeviceUsage
+++ Feature_3200318777__private_IsEnabledDeviceUsage
@@ -0,0 +1,17 @@
+
+ulonglong Feature_3200318777__private_IsEnabledDeviceUsage(void)
+
+{
+ ulonglong uVar1;
+ undefined8 local_res8;
+
+ local_res8 = (ulonglong)Feature_3200318777__private_featureState;
+ if ((Feature_3200318777__private_featureState & 0x10) == 0) {
+ uVar1 = Feature_3200318777__private_IsEnabledFallback(local_res8,3);
+ }
+ else {
+ uVar1 = (ulonglong)(Feature_3200318777__private_featureState & 1);
+ }
+ return uVar1;
+}
+
| Key | clfs_apr.sys |
|---|---|
| name | Feature_3200318777__private_IsEnabledFallback |
| fullname | Feature_3200318777__private_IsEnabledFallback |
| refcount | 2 |
| length | 21 |
| called | wil_details_IsEnabledFallback |
| calling | Feature_3200318777__private_IsEnabledDeviceUsage |
| paramcount | 2 |
| address | 1c000cf50 |
| sig | undefined __fastcall Feature_3200318777__private_IsEnabledFallback(ulonglong param_1, int param_2) |
| sym_type | Function |
| sym_source | IMPORTED |
| external | False |
--- Feature_3200318777__private_IsEnabledFallback
+++ Feature_3200318777__private_IsEnabledFallback
@@ -0,0 +1,8 @@
+
+void Feature_3200318777__private_IsEnabledFallback(ulonglong param_1,int param_2)
+
+{
+ wil_details_IsEnabledFallback(param_1,param_2,&Feature_3200318777__private_descriptor);
+ return;
+}
+
| Key | clfs_apr.sys |
|---|---|
| name | Close |
| fullname | CClfsLogCcb::Close |
| refcount | 2 |
| length | 14 |
| called | CClfsLogCcb::Release |
| calling | CClfsRequest::Close |
| paramcount | 1 |
| address | 1c00285b0 |
| sig | void __thiscall Close(CClfsLogCcb * this) |
| sym_type | Function |
| sym_source | ANALYSIS |
| external | False |
--- CClfsLogCcb::Close
+++ CClfsLogCcb::Close
@@ -0,0 +1,10 @@
+
+/* public: void __cdecl CClfsLogCcb::Close(void) __ptr64 */
+
+void __thiscall CClfsLogCcb::Close(CClfsLogCcb *this)
+
+{
+ Release(this);
+ return;
+}
+
Modified functions contain code changes
| Key | clfs_march.sys - clfs_apr.sys |
|---|---|
| diff_type | code,length,address,called |
| ratio | 0.33 |
| i_ratio | 0.33 |
| m_ratio | 0.78 |
| b_ratio | 0.68 |
| match_types | SymbolsHash |
| Key | clfs_march.sys | clfs_apr.sys |
|---|---|---|
| name | Close | Close |
| fullname | CClfsRequest::Close | CClfsRequest::Close |
| refcount | 2 | 2 |
length |
264 | 372 |
called |
CClfsLogFcbCommon::Close NTOSKRNL.EXE::ExAcquireResourceExclusiveLite NTOSKRNL.EXE::ExReleaseResourceForThreadLite NTOSKRNL.EXE::IofCompleteRequest NTOSKRNL.EXE::KeBugCheckEx _guard_dispatch_icall |
CClfsLogCcb::AddRef CClfsLogCcb::Close CClfsLogCcb::Release CClfsLogFcbCommon::Close Feature_3200318777__private_IsEnabledDeviceUsage NTOSKRNL.EXE::ExAcquireResourceExclusiveLite NTOSKRNL.EXE::ExReleaseResourceForThreadLite NTOSKRNL.EXE::IofCompleteRequest NTOSKRNL.EXE::KeBugCheckEx _guard_dispatch_icall |
| calling | ClfsDispatchIoRequest | ClfsDispatchIoRequest |
| paramcount | 1 | 1 |
address |
1c002eee4 | 1c002ef84 |
| sig | long __cdecl Close(_IRP * param_1) | long __cdecl Close(_IRP * param_1) |
| sym_type | Function | Function |
| sym_source | ANALYSIS | ANALYSIS |
| external | False | False |
--- CClfsRequest::Close called
+++ CClfsRequest::Close called
@@ -0,0 +1,3 @@
+CClfsLogCcb::AddRef
+CClfsLogCcb::Close
+CClfsLogCcb::Release
@@ -1,0 +5 @@
+Feature_3200318777__private_IsEnabledDeviceUsage--- CClfsRequest::Close
+++ CClfsRequest::Close
@@ -1,30 +1,55 @@
/* WARNING: Function: _guard_dispatch_icall replaced with injection: guard_dispatch_icall */
/* public: static long __cdecl CClfsRequest::Close(struct _IRP * __ptr64) */
long __cdecl CClfsRequest::Close(_IRP *param_1)
{
longlong *plVar1;
- char cVar2;
+ char *pcVar2;
+ longlong lVar3;
+ longlong *plVar4;
+ char cVar5;
+ ulonglong uVar6;
+ CClfsLogCcb *this;
+ CClfsLogCcb *local_38;
- cVar2 = **(char **)(param_1 + 0xb8);
- if (cVar2 != '\x02') {
+ local_38 = (CClfsLogCcb *)0x0;
+ pcVar2 = *(char **)(param_1 + 0xb8);
+ if (*pcVar2 != '\x02') {
/* WARNING: Subroutine does not return */
- KeBugCheckEx(0xc1f5,0x46,cVar2,0,0);
+ KeBugCheckEx(0xc1f5,0x46,*pcVar2,0,0);
}
- plVar1 = *(longlong **)
- (*(longlong *)(*(longlong *)(*(char **)(param_1 + 0xb8) + 0x30) + 0x18) + 0x68);
- (**(code **)(*plVar1 + 0x40))(plVar1);
- cVar2 = ExAcquireResourceExclusiveLite(plVar1 + 0x17,1);
- CClfsLogFcbCommon::Close(plVar1);
- if (cVar2 != '\0') {
- ExReleaseResourceForThreadLite(plVar1 + 0x17,SystemReserved1[0xf]);
+ lVar3 = *(longlong *)(pcVar2 + 0x30);
+ plVar1 = (longlong *)(lVar3 + 0x18);
+ plVar4 = *(longlong **)(*plVar1 + 0x68);
+ (**(code **)(*plVar4 + 0x40))(plVar4);
+ uVar6 = Feature_3200318777__private_IsEnabledDeviceUsage();
+ if ((int)uVar6 != 0) {
+ local_38 = *(CClfsLogCcb **)(*(longlong *)(pcVar2 + 0x30) + 0x20);
+ if (local_38 != (CClfsLogCcb *)0x0) {
+ this = local_38;
+ CClfsLogCcb::AddRef(local_38);
+ CClfsLogCcb::Close(this);
+ }
}
- (**(code **)(*plVar1 + 0x48))(plVar1);
+ cVar5 = ExAcquireResourceExclusiveLite(plVar4 + 0x17,1);
+ CClfsLogFcbCommon::Close(plVar4);
+ if (cVar5 != '\0') {
+ ExReleaseResourceForThreadLite(plVar4 + 0x17,SystemReserved1[0xf]);
+ }
+ uVar6 = Feature_3200318777__private_IsEnabledDeviceUsage();
+ if ((int)uVar6 != 0) {
+ *plVar1 = 0;
+ *(undefined8 *)(lVar3 + 0x20) = 0;
+ if (local_38 != (CClfsLogCcb *)0x0) {
+ CClfsLogCcb::Release(local_38);
+ }
+ }
+ (**(code **)(*plVar4 + 0x48))(plVar4);
*(undefined4 *)(param_1 + 0x30) = 0;
*(undefined8 *)(param_1 + 0x38) = 0;
IofCompleteRequest(param_1,0);
return 0;
}
| Key | clfs_march.sys - clfs_apr.sys |
|---|---|
| diff_type | code,refcount,length,sig,address,called |
| ratio | 0.58 |
| i_ratio | 0.52 |
| m_ratio | 0.99 |
| b_ratio | 0.51 |
| match_types | SymbolsHash |
| Key | clfs_march.sys | clfs_apr.sys |
|---|---|---|
| name | Cleanup | Cleanup |
| fullname | CClfsLogCcb::Cleanup | CClfsLogCcb::Cleanup |
refcount |
3 | 2 |
length |
366 | 356 |
called |
CClfsLogCcb::Release CClfsLogCcb::ResetFileSystemFlag NTOSKRNL.EXE::ExAcquireResourceExclusiveLite NTOSKRNL.EXE::ExReleaseResourceForThreadLite _guard_dispatch_icall |
CClfsLogCcb::Release CClfsLogCcb::ResetFileSystemFlag Feature_3200318777__private_IsEnabledDeviceUsage NTOSKRNL.EXE::ExAcquireResourceExclusiveLite NTOSKRNL.EXE::ExReleaseResourceForThreadLite _guard_dispatch_icall |
| calling | CClfsRequest::Cleanup | CClfsRequest::Cleanup |
| paramcount | 1 | 1 |
address |
1c002ea64 | 1c002ea74 |
sig |
undefined __fastcall Cleanup(CClfsLogCcb * param_1) | void __thiscall Cleanup(CClfsLogCcb * this) |
| sym_type | Function | Function |
| sym_source | IMPORTED | ANALYSIS |
| external | False | False |
--- CClfsLogCcb::Cleanup called
+++ CClfsLogCcb::Cleanup called
@@ -2,0 +3 @@
+Feature_3200318777__private_IsEnabledDeviceUsage--- CClfsLogCcb::Cleanup
+++ CClfsLogCcb::Cleanup
@@ -1,55 +1,63 @@
/* WARNING: Function: _guard_dispatch_icall replaced with injection: guard_dispatch_icall */
+/* public: void __cdecl CClfsLogCcb::Cleanup(void) __ptr64 */
-void CClfsLogCcb::Cleanup(CClfsLogCcb *param_1)
+void __thiscall CClfsLogCcb::Cleanup(CClfsLogCcb *this)
{
CClfsLogCcb *pCVar1;
longlong *plVar2;
longlong lVar3;
longlong *plVar4;
code *pcVar5;
+ ulonglong uVar6;
ulonglong local_res8;
longlong local_res10;
- if (*(longlong **)(param_1 + 0x100) != (longlong *)0x0) {
- (**(code **)(**(longlong **)(param_1 + 0x100) + 0x10))();
- if (*(longlong **)(param_1 + 0x100) != (longlong *)0x0) {
- (**(code **)(**(longlong **)(param_1 + 0x100) + 8))();
- *(undefined8 *)(param_1 + 0x100) = 0;
+ if (*(longlong **)(this + 0x100) != (longlong *)0x0) {
+ (**(code **)(**(longlong **)(this + 0x100) + 0x10))();
+ if (*(longlong **)(this + 0x100) != (longlong *)0x0) {
+ (**(code **)(**(longlong **)(this + 0x100) + 8))();
+ *(undefined8 *)(this + 0x100) = 0;
}
}
- ResetFileSystemFlag((longlong)param_1);
- plVar2 = *(longlong **)(*(longlong *)(*(longlong *)(param_1 + 0x48) + 0x18) + 0x68);
- if (0 < *(int *)(param_1 + 0x28)) {
+ ResetFileSystemFlag((longlong)this);
+ plVar2 = *(longlong **)(*(longlong *)(*(longlong *)(this + 0x48) + 0x18) + 0x68);
+ if (0 < *(int *)(this + 0x28)) {
local_res8 = local_res8 & 0xffffffff00000000;
(**(code **)(*plVar2 + 0x58))
- (plVar2,*(longlong *)(param_1 + 0x48),*(int *)(param_1 + 0x28),&local_res8,
- param_1 + 0x70);
+ (plVar2,*(longlong *)(this + 0x48),*(int *)(this + 0x28),&local_res8,this + 0x70);
}
- if (0 < *(longlong *)(param_1 + 0x68)) {
- local_res10 = -*(longlong *)(param_1 + 0x68);
+ if (0 < *(longlong *)(this + 0x68)) {
local_res8 = 0;
- (**(code **)(*plVar2 + 0x128))(plVar2,*(undefined8 *)(param_1 + 0x48),&local_res10,&local_res8);
+ local_res10 = -*(longlong *)(this + 0x68);
+ (**(code **)(*plVar2 + 0x128))(plVar2,*(undefined8 *)(this + 0x48),&local_res10,&local_res8);
}
ExAcquireResourceExclusiveLite(plVar2 + 0x17,1);
- pCVar1 = param_1 + 8;
+ pCVar1 = this + 8;
lVar3 = *(longlong *)pCVar1;
if ((*(CClfsLogCcb **)(lVar3 + 8) == pCVar1) &&
- (plVar4 = *(longlong **)(param_1 + 0x10), (CClfsLogCcb *)*plVar4 == pCVar1)) {
+ (plVar4 = *(longlong **)(this + 0x10), (CClfsLogCcb *)*plVar4 == pCVar1)) {
*plVar4 = lVar3;
*(longlong **)(lVar3 + 8) = plVar4;
- *(uint *)(param_1 + 0x1c) = *(uint *)(param_1 + 0x1c) & 0xffffff7f;
+ *(uint *)(this + 0x1c) = *(uint *)(this + 0x1c) & 0xffffff7f;
+ uVar6 = Feature_3200318777__private_IsEnabledDeviceUsage();
+ if ((int)uVar6 != 0) {
+ *(uint *)(this + 0x1c) = *(uint *)(this + 0x1c) | 4;
+ }
ExReleaseResourceForThreadLite(plVar2 + 0x17,SystemReserved1[0xf]);
- (**(code **)(*plVar2 + 0x68))(plVar2,*(undefined8 *)(param_1 + 0x48));
- *(uint *)(param_1 + 0x1c) = *(uint *)(param_1 + 0x1c) | 4;
- Release(param_1);
+ (**(code **)(*plVar2 + 0x68))(plVar2,*(undefined8 *)(this + 0x48));
+ uVar6 = Feature_3200318777__private_IsEnabledDeviceUsage();
+ if ((int)uVar6 == 0) {
+ *(uint *)(this + 0x1c) = *(uint *)(this + 0x1c) | 4;
+ Release(this);
+ }
return;
}
pcVar5 = (code *)swi(0x29);
(*pcVar5)(3);
pcVar5 = (code *)swi(3);
(*pcVar5)();
return;
}
| Key | clfs_march.sys - clfs_apr.sys |
|---|---|
| diff_type | code,length,sig,address |
| ratio | 0.8 |
| i_ratio | 0.67 |
| m_ratio | 0.89 |
| b_ratio | 0.89 |
| match_types | SymbolsHash |
| Key | clfs_march.sys | clfs_apr.sys |
|---|---|---|
| name | Feature_2834328890__private_IsEnabledFallback | Feature_2834328890__private_IsEnabledFallback |
| fullname | Feature_2834328890__private_IsEnabledFallback | Feature_2834328890__private_IsEnabledFallback |
| refcount | 2 | 2 |
length |
14 | 21 |
| called | wil_details_IsEnabledFallback | wil_details_IsEnabledFallback |
| calling | Feature_2834328890__private_IsEnabledDeviceUsage | Feature_2834328890__private_IsEnabledDeviceUsage |
| paramcount | 2 | 2 |
address |
1c000cfe8 | 1c000d8c0 |
sig |
undefined __fastcall Feature_2834328890__private_IsEnabledFallback(undefined4 * param_1, uint param_2) | undefined __fastcall Feature_2834328890__private_IsEnabledFallback(ulonglong param_1, int param_2) |
| sym_type | Function | Function |
| sym_source | IMPORTED | IMPORTED |
| external | False | False |
--- Feature_2834328890__private_IsEnabledFallback
+++ Feature_2834328890__private_IsEnabledFallback
@@ -1,8 +1,8 @@
-void Feature_2834328890__private_IsEnabledFallback(undefined4 *param_1,uint param_2)
+void Feature_2834328890__private_IsEnabledFallback(ulonglong param_1,int param_2)
{
- wil_details_IsEnabledFallback(param_1,param_2);
+ wil_details_IsEnabledFallback(param_1,param_2,&Feature_2834328890__private_descriptor);
return;
}
| Key | clfs_march.sys - clfs_apr.sys |
|---|---|
| diff_type | code,length,address,called |
| ratio | 0.57 |
| i_ratio | 0.65 |
| m_ratio | 0.82 |
| b_ratio | 0.82 |
| match_types | SymbolsHash |
| Key | clfs_march.sys | clfs_apr.sys |
|---|---|---|
| name | fin$0 | fin$0 |
| fullname | `CClfsRequest::Close'::__l1::fin$0 | `CClfsRequest::Close'::__l1::fin$0 |
| refcount | 1 | 1 |
length |
110 | 156 |
called |
NTOSKRNL.EXE::ExReleaseResourceForThreadLite NTOSKRNL.EXE::IofCompleteRequest _guard_dispatch_icall |
CClfsLogCcb::Release Feature_3200318777__private_IsEnabledDeviceUsage NTOSKRNL.EXE::ExReleaseResourceForThreadLite NTOSKRNL.EXE::IofCompleteRequest _guard_dispatch_icall |
| calling | ||
| paramcount | 2 | 2 |
address |
1c0048656 | 1c0048756 |
| sig | undefined __fastcall fin$0(undefined8 param_1, longlong param_2) | undefined __fastcall fin$0(undefined8 param_1, longlong param_2) |
| sym_type | Function | Function |
| sym_source | IMPORTED | IMPORTED |
| external | False | False |
--- `CClfsRequest::Close'::__l1::fin$0 called
+++ `CClfsRequest::Close'::__l1::fin$0 called
@@ -0,0 +1,2 @@
+CClfsLogCcb::Release
+Feature_3200318777__private_IsEnabledDeviceUsage--- `CClfsRequest::Close'::__l1::fin$0
+++ `CClfsRequest::Close'::__l1::fin$0
@@ -1,22 +1,34 @@
/* WARNING: Function: _guard_dispatch_icall replaced with injection: guard_dispatch_icall */
void `CClfsRequest::Close'::__l1::fin_0(undefined8 param_1,longlong param_2)
{
longlong lVar1;
+ ulonglong uVar2;
if (*(char *)(param_2 + 0x30) != '\0') {
- ExReleaseResourceForThreadLite(*(longlong *)(param_2 + 0x38) + 0xb8,SystemReserved1[0xf]);
+ ExReleaseResourceForThreadLite(*(longlong *)(param_2 + 0x48) + 0xb8,SystemReserved1[0xf]);
*(undefined1 *)(param_2 + 0x30) = 0;
}
- if (*(longlong **)(param_2 + 0x38) != (longlong *)0x0) {
- (**(code **)(**(longlong **)(param_2 + 0x38) + 0x48))();
+ uVar2 = Feature_3200318777__private_IsEnabledDeviceUsage();
+ if ((int)uVar2 != 0) {
+ lVar1 = *(longlong *)(param_2 + 0x38);
+ if (lVar1 != 0) {
+ *(undefined8 *)(lVar1 + 0x18) = 0;
+ *(undefined8 *)(lVar1 + 0x20) = 0;
+ }
+ if (*(CClfsLogCcb **)(param_2 + 0x40) != (CClfsLogCcb *)0x0) {
+ CClfsLogCcb::Release(*(CClfsLogCcb **)(param_2 + 0x40));
+ }
}
- lVar1 = *(longlong *)(param_2 + 0x50);
+ if (*(longlong **)(param_2 + 0x48) != (longlong *)0x0) {
+ (**(code **)(**(longlong **)(param_2 + 0x48) + 0x48))();
+ }
+ lVar1 = *(longlong *)(param_2 + 0x80);
*(undefined4 *)(lVar1 + 0x30) = *(undefined4 *)(param_2 + 0x34);
*(undefined8 *)(lVar1 + 0x38) = 0;
IofCompleteRequest(lVar1,0);
return;
}
| Key | clfs_march.sys - clfs_apr.sys |
|---|---|
| diff_type | code,length,address |
| ratio | 0.98 |
| i_ratio | 0.73 |
| m_ratio | 0.99 |
| b_ratio | 0.99 |
| match_types | SymbolsHash |
| Key | clfs_march.sys | clfs_apr.sys |
|---|---|---|
| name | wil_details_FeatureReporting_RecordUsageInCache | wil_details_FeatureReporting_RecordUsageInCache |
| fullname | wil_details_FeatureReporting_RecordUsageInCache | wil_details_FeatureReporting_RecordUsageInCache |
| refcount | 2 | 2 |
length |
345 | 352 |
| called | wil_details_FeatureReporting_IncrementOpportunityInCache wil_details_FeatureReporting_IncrementUsageInCache |
wil_details_FeatureReporting_IncrementOpportunityInCache wil_details_FeatureReporting_IncrementUsageInCache |
| calling | wil_details_FeatureReporting_ReportUsageToServiceDirect | wil_details_FeatureReporting_ReportUsageToServiceDirect |
| paramcount | 4 | 4 |
address |
1c000d2a8 | 1c000d140 |
| sig | uint * __fastcall wil_details_FeatureReporting_RecordUsageInCache(uint * param_1, uint * param_2, undefined8 param_3, uint param_4) | uint * __fastcall wil_details_FeatureReporting_RecordUsageInCache(uint * param_1, uint * param_2, undefined8 param_3, uint param_4) |
| sym_type | Function | Function |
| sym_source | IMPORTED | IMPORTED |
| external | False | False |
--- wil_details_FeatureReporting_RecordUsageInCache
+++ wil_details_FeatureReporting_RecordUsageInCache
@@ -1,100 +1,103 @@
uint * wil_details_FeatureReporting_RecordUsageInCache
(uint *param_1,uint *param_2,undefined8 param_3,uint param_4)
{
uint uVar1;
uint uVar2;
uint uVar3;
uint uVar4;
uint uVar5;
bool bVar6;
param_1[0] = 0;
param_1[1] = 0;
param_1[2] = 0;
param_1[3] = 0;
param_1[4] = 0;
param_1[5] = 0;
uVar4 = (uint)param_3;
if (uVar4 == 0) {
LAB_0:
wil_details_FeatureReporting_IncrementUsageInCache(param_2,uVar4,param_3,param_1);
}
else {
uVar5 = 1;
if (uVar4 == 1) {
LAB_1:
wil_details_FeatureReporting_IncrementOpportunityInCache(param_2,uVar4,param_3,param_1);
return param_1;
}
if ((int)uVar4 < 2) {
LAB_2:
uVar3 = uVar4 - 0x140;
if (uVar3 < 0x40) {
uVar2 = param_2[1];
do {
if (((uVar2 & 0x10) == 0) || (uVar1 = uVar5, (uVar2 >> 5 & 0x3f) != uVar3)) {
uVar1 = 0;
}
param_1[4] = uVar1;
LOCK();
uVar1 = param_2[1];
bVar6 = uVar2 == uVar1;
if (bVar6) {
param_2[1] = uVar2 & 0xfffff81f | (uVar3 & 0x3f) << 5 | 0x10;
uVar1 = uVar2;
}
uVar2 = uVar1;
UNLOCK();
} while (!bVar6);
+ if (param_1[4] != 0) {
+ return param_1;
+ }
}
param_1[2] = uVar4;
param_1[1] = 1;
param_1[3] = param_4;
return param_1;
}
if (3 < (int)uVar4) {
if (uVar4 == 4) goto LAB_0;
if (uVar4 == 5) goto LAB_1;
if (1 < uVar4 - 6) goto LAB_2;
}
uVar3 = 0;
if (uVar4 == 2) {
uVar3 = 2;
}
else if (uVar4 == 3) {
uVar3 = 8;
}
else if (uVar4 == 6) {
uVar3 = 4;
}
else if (uVar4 == 7) {
uVar3 = 0x10;
}
uVar4 = *param_2;
do {
uVar1 = uVar4;
uVar4 = uVar3 | uVar1;
param_1[4] = (uint)(uVar4 == uVar1);
uVar2 = uVar4 | 1;
if (uVar4 == uVar1) {
uVar2 = uVar4;
}
LOCK();
uVar4 = *param_2;
bVar6 = uVar1 == uVar4;
if (bVar6) {
*param_2 = uVar2;
uVar4 = uVar1;
}
UNLOCK();
} while (!bVar6);
if (((uVar2 & 1) == 0) || ((uVar1 & 1) != 0)) {
uVar5 = 0;
}
*param_1 = uVar5;
}
return param_1;
}
| Key | clfs_march.sys - clfs_apr.sys |
|---|---|
| diff_type | code,length,sig,address |
| ratio | 0.37 |
| i_ratio | 0.62 |
| m_ratio | 0.98 |
| b_ratio | 0.93 |
| match_types | SymbolsHash |
| Key | clfs_march.sys | clfs_apr.sys |
|---|---|---|
| name | wil_details_FeatureReporting_ReportUsageToServiceDirect | wil_details_FeatureReporting_ReportUsageToServiceDirect |
| fullname | wil_details_FeatureReporting_ReportUsageToServiceDirect | wil_details_FeatureReporting_ReportUsageToServiceDirect |
| refcount | 2 | 2 |
length |
231 | 224 |
| called | NTOSKRNL.EXE::RtlNotifyFeatureUsage __security_check_cookie _guard_dispatch_icall wil_details_FeatureReporting_RecordUsageInCache |
NTOSKRNL.EXE::RtlNotifyFeatureUsage __security_check_cookie _guard_dispatch_icall wil_details_FeatureReporting_RecordUsageInCache |
| calling | wil_details_FeatureReporting_ReportUsageToService | wil_details_FeatureReporting_ReportUsageToService |
| paramcount | 3 | 3 |
address |
1c000d484 | 1c000d330 |
sig |
undefined __fastcall wil_details_FeatureReporting_ReportUsageToServiceDirect(undefined8 param_1, undefined8 param_2, ulonglong param_3) | undefined __fastcall wil_details_FeatureReporting_ReportUsageToServiceDirect(longlong param_1, undefined8 param_2, ulonglong param_3) |
| sym_type | Function | Function |
| sym_source | IMPORTED | IMPORTED |
| external | False | False |
--- wil_details_FeatureReporting_ReportUsageToServiceDirect
+++ wil_details_FeatureReporting_ReportUsageToServiceDirect
@@ -1,47 +1,46 @@
/* WARNING: Function: _guard_dispatch_icall replaced with injection: guard_dispatch_icall */
void wil_details_FeatureReporting_ReportUsageToServiceDirect
- (undefined8 param_1,undefined8 param_2,ulonglong param_3)
+ (longlong param_1,undefined8 param_2,ulonglong param_3)
{
uint6 uVar1;
uint *puVar2;
- undefined1 auStack_88 [32];
- uint *local_68;
- undefined8 local_58;
- uint local_50 [6];
- uint local_38;
- uint uStack_34;
- uint uStack_30;
- uint uStack_2c;
- undefined8 local_28;
- ulonglong local_20;
+ undefined1 auStack_98 [32];
+ uint *local_78;
+ undefined8 local_68;
+ uint local_60 [6];
+ uint local_48;
+ uint uStack_44;
+ uint uStack_40;
+ uint uStack_3c;
+ undefined8 local_38;
+ ulonglong local_30;
- local_20 = __security_cookie ^ (ulonglong)auStack_88;
+ local_30 = __security_cookie ^ (ulonglong)auStack_98;
puVar2 = wil_details_FeatureReporting_RecordUsageInCache
- (local_50,(uint *)&Feature_2834328890__private_reporting,param_3,
- (uint)((ulonglong)param_2 >> 0x20));
- local_38 = *puVar2;
- uStack_34 = puVar2[1];
- uStack_30 = puVar2[2];
- uStack_2c = puVar2[3];
- local_28 = *(undefined8 *)(puVar2 + 4);
+ (local_60,*(uint **)(param_1 + 8),param_3,(uint)((ulonglong)param_2 >> 0x20));
+ local_48 = *puVar2;
+ uStack_44 = puVar2[1];
+ uStack_40 = puVar2[2];
+ uStack_3c = puVar2[3];
+ local_38 = *(undefined8 *)(puVar2 + 4);
if (g_wil_details_recordFeatureUsage != 0) {
- local_68 = &local_38;
+ local_78 = &local_48;
(*(code *)g_wil_details_recordFeatureUsage)
- (0x34762f4,param_3 & 0xffffffff,1,&Feature_2834328890__private_reporting);
+ (*(undefined4 *)(param_1 + 0x18),param_3 & 0xffffffff,1,*(undefined8 *)(param_1 + 8));
}
if ((((uint)param_2 >> 10 & 1) != 0) && ((int)param_3 != 0xfe)) {
- local_58._0_6_ = CONCAT24((short)(param_3 & 0xffffffff),0x34762f4);
- uVar1 = (uint6)local_58;
- local_58 = (ulonglong)(uint6)local_58;
+ local_68._0_6_ = CONCAT24((short)(param_3 & 0xffffffff),*(undefined4 *)(param_1 + 0x18));
+ uVar1 = (uint6)local_68;
+ local_68 = (ulonglong)(uint6)local_68;
if (((uint)param_2 >> 0xb & 1) != 0) {
- local_58 = CONCAT26(1,uVar1);
+ local_68 = CONCAT26(1,uVar1);
}
- RtlNotifyFeatureUsage(&local_58);
+ RtlNotifyFeatureUsage(&local_68);
}
- __security_check_cookie(local_20 ^ (ulonglong)auStack_88);
+ __security_check_cookie(local_30 ^ (ulonglong)auStack_98);
return;
}
| Key | clfs_march.sys - clfs_apr.sys |
|---|---|
| diff_type | code,length,sig,address |
| ratio | 0.59 |
| i_ratio | 0.53 |
| m_ratio | 0.94 |
| b_ratio | 0.94 |
| match_types | SymbolsHash |
| Key | clfs_march.sys | clfs_apr.sys |
|---|---|---|
| name | wil_details_FeatureReporting_ReportUsageToService | wil_details_FeatureReporting_ReportUsageToService |
| fullname | wil_details_FeatureReporting_ReportUsageToService | wil_details_FeatureReporting_ReportUsageToService |
| refcount | 2 | 2 |
length |
115 | 126 |
| called | _guard_dispatch_icall wil_details_FeatureReporting_ReportUsageToServiceDirect wil_details_MapReportingKind |
_guard_dispatch_icall wil_details_FeatureReporting_ReportUsageToServiceDirect wil_details_MapReportingKind |
| calling | wil_details_IsEnabledFallback | wil_details_IsEnabledFallback |
| paramcount | 3 | 3 |
address |
1c000d408 | 1c000d2a8 |
sig |
undefined __fastcall wil_details_FeatureReporting_ReportUsageToService(undefined8 param_1, undefined8 param_2, uint param_3) | undefined __fastcall wil_details_FeatureReporting_ReportUsageToService(longlong param_1, undefined8 param_2, int param_3) |
| sym_type | Function | Function |
| sym_source | IMPORTED | IMPORTED |
| external | False | False |
--- wil_details_FeatureReporting_ReportUsageToService
+++ wil_details_FeatureReporting_ReportUsageToService
@@ -1,25 +1,24 @@
/* WARNING: Function: _guard_dispatch_icall replaced with injection: guard_dispatch_icall */
void wil_details_FeatureReporting_ReportUsageToService
- (undefined8 param_1,undefined8 param_2,uint param_3)
+ (longlong param_1,undefined8 param_2,int param_3)
{
uint uVar1;
int iVar2;
- ulonglong uVar3;
- uint uVar4;
- uint local_res18 [4];
+ uint uVar3;
+ int local_res18 [4];
- uVar4 = (uint)param_2 & 1;
- uVar3 = (ulonglong)param_3;
+ uVar3 = (uint)param_2 & 1;
local_res18[0] = param_3;
- uVar1 = wil_details_MapReportingKind(param_3,uVar4);
- iVar2 = wil_details_FeatureReporting_ReportUsageToServiceDirect(uVar3,param_2,(ulonglong)uVar1);
+ uVar1 = wil_details_MapReportingKind(param_3,uVar3);
+ iVar2 = wil_details_FeatureReporting_ReportUsageToServiceDirect(param_1,param_2,(ulonglong)uVar1);
if ((iVar2 != 0) && (g_wil_details_pfnFeatureLoggingHook != 0)) {
(*(code *)g_wil_details_pfnFeatureLoggingHook)
- (0x34762f4,&Feature_2834328890_logged_traits,0,uVar4,local_res18,0,0,1);
+ (*(undefined4 *)(param_1 + 0x18),*(undefined8 *)(param_1 + 0x10),0,uVar3,local_res18,0
+ ,0,1);
}
return;
}
| Key | clfs_march.sys - clfs_apr.sys |
|---|---|
| diff_type | code,refcount,length,sig,address,calling |
| ratio | 0.48 |
| i_ratio | 0.44 |
| m_ratio | 0.96 |
| b_ratio | 0.94 |
| match_types | SymbolsHash |
| Key | clfs_march.sys | clfs_apr.sys |
|---|---|---|
| name | wil_details_IsEnabledFallback | wil_details_IsEnabledFallback |
| fullname | wil_details_IsEnabledFallback | wil_details_IsEnabledFallback |
refcount |
2 | 3 |
length |
133 | 138 |
| called | wil_details_FeatureReporting_ReportUsageToService wil_details_FeatureStateCache_ReevaluateCachedFeatureEnabledState wil_details_FeatureStateCache_TryEnableDeviceUsageFastPath |
wil_details_FeatureReporting_ReportUsageToService wil_details_FeatureStateCache_ReevaluateCachedFeatureEnabledState wil_details_FeatureStateCache_TryEnableDeviceUsageFastPath |
calling |
Feature_2834328890__private_IsEnabledFallback | Feature_2834328890__private_IsEnabledFallback Feature_3200318777__private_IsEnabledFallback |
| paramcount | 2 | 3 |
address |
1c000d808 | 1c000d6bc |
sig |
uint __fastcall wil_details_IsEnabledFallback(undefined4 * param_1, uint param_2) | uint __fastcall wil_details_IsEnabledFallback(ulonglong param_1, int param_2, undefined8 * param_3) |
| sym_type | Function | Function |
| sym_source | IMPORTED | IMPORTED |
| external | False | False |
--- wil_details_IsEnabledFallback calling
+++ wil_details_IsEnabledFallback calling
@@ -1,0 +2 @@
+Feature_3200318777__private_IsEnabledFallback--- wil_details_IsEnabledFallback
+++ wil_details_IsEnabledFallback
@@ -1,26 +1,22 @@
-uint wil_details_IsEnabledFallback(undefined4 *param_1,uint param_2)
+uint wil_details_IsEnabledFallback(ulonglong param_1,int param_2,undefined8 *param_3)
{
uint uVar1;
- undefined4 *puVar2;
- ulonglong local_res18;
+ ulonglong local_res8;
uVar1 = (uint)param_1;
- local_res18 = (ulonglong)param_1 & 0xffffffff;
- if (((ulonglong)param_1 & 2) == 0) {
- puVar2 = &Feature_2834328890__private_featureState;
- local_res18 = wil_details_FeatureStateCache_ReevaluateCachedFeatureEnabledState
- (&Feature_2834328890__private_featureState,(ulonglong)param_1,
- 0x1c001ce00);
- param_1 = puVar2;
- uVar1 = (uint)local_res18;
+ local_res8 = param_1 & 0xffffffff;
+ if ((param_1 & 2) == 0) {
+ local_res8 = wil_details_FeatureStateCache_ReevaluateCachedFeatureEnabledState
+ ((uint *)*param_3,param_1,(longlong)param_3);
+ uVar1 = (uint)local_res8;
}
if ((param_2 != 0) &&
- (wil_details_FeatureReporting_ReportUsageToService(param_1,local_res18,param_2),
- param_2 - 3 < 2)) {
- wil_details_FeatureStateCache_TryEnableDeviceUsageFastPath((uint)local_res18,param_2);
+ (wil_details_FeatureReporting_ReportUsageToService((longlong)param_3,local_res8,param_2),
+ param_2 - 3U < 2)) {
+ wil_details_FeatureStateCache_TryEnableDeviceUsageFastPath((uint)local_res8,param_2,param_3);
}
return uVar1 & 1;
}
| Key | clfs_march.sys - clfs_apr.sys |
|---|---|
| diff_type | code,length,sig,address |
| ratio | 0.41 |
| i_ratio | 0.39 |
| m_ratio | 0.87 |
| b_ratio | 0.83 |
| match_types | SymbolsHash |
| Key | clfs_march.sys | clfs_apr.sys |
|---|---|---|
| name | wil_details_FeatureStateCache_TryEnableDeviceUsageFastPath | wil_details_FeatureStateCache_TryEnableDeviceUsageFastPath |
| fullname | wil_details_FeatureStateCache_TryEnableDeviceUsageFastPath | wil_details_FeatureStateCache_TryEnableDeviceUsageFastPath |
| refcount | 2 | 2 |
length |
58 | 74 |
| called | ||
| calling | wil_details_IsEnabledFallback | wil_details_IsEnabledFallback |
| paramcount | 2 | 3 |
address |
1c000d674 | 1c000d518 |
sig |
undefined __fastcall wil_details_FeatureStateCache_TryEnableDeviceUsageFastPath(uint param_1, int param_2) | undefined __fastcall wil_details_FeatureStateCache_TryEnableDeviceUsageFastPath(uint param_1, int param_2, undefined8 * param_3) |
| sym_type | Function | Function |
| sym_source | IMPORTED | IMPORTED |
| external | False | False |
--- wil_details_FeatureStateCache_TryEnableDeviceUsageFastPath
+++ wil_details_FeatureStateCache_TryEnableDeviceUsageFastPath
@@ -1,40 +1,50 @@
-void wil_details_FeatureStateCache_TryEnableDeviceUsageFastPath(uint param_1,int param_2)
+void wil_details_FeatureStateCache_TryEnableDeviceUsageFastPath
+ (uint param_1,int param_2,undefined8 *param_3)
{
uint uVar1;
- uint uVar2;
+ uint *puVar2;
uint uVar3;
- bool bVar4;
+ uint uVar4;
+ bool bVar5;
- uVar2 = Feature_2834328890__private_featureState;
+ puVar2 = (uint *)*param_3;
if (param_2 == 3) {
- uVar3 = 0x10;
+ uVar4 = 0x10;
}
else {
if (param_2 != 4) {
return;
}
- uVar3 = 0x20;
+ uVar4 = 0x20;
}
- while( true ) {
- if ((uVar2 & 2) == 0) {
- return;
- }
- if (((uVar2 ^ param_1) & 1) != 0) break;
+ if ((*(char *)((longlong)param_3 + 0x1e) == '\0') && (*(char *)((longlong)param_3 + 0x1d) == '\0')
+ ) {
+ uVar3 = *puVar2;
+ do {
+ if ((uVar3 & 2) == 0) {
+ return;
+ }
+ if (((uVar3 ^ param_1) & 1) != 0) {
+ return;
+ }
+ LOCK();
+ uVar1 = *puVar2;
+ bVar5 = uVar3 == uVar1;
+ if (bVar5) {
+ *puVar2 = uVar4 | uVar3;
+ uVar1 = uVar3;
+ }
+ uVar3 = uVar1;
+ UNLOCK();
+ } while (!bVar5);
+ }
+ else {
LOCK();
- bVar4 = uVar2 != Feature_2834328890__private_featureState;
- uVar1 = uVar2 | uVar3;
- if (bVar4) {
- uVar2 = Feature_2834328890__private_featureState;
- uVar1 = Feature_2834328890__private_featureState;
- }
- Feature_2834328890__private_featureState = uVar1;
+ *puVar2 = *puVar2 | uVar4;
UNLOCK();
- if (!bVar4) {
- return;
- }
}
return;
}
Slightly modified functions have no code changes, rather differnces in:
- refcount
- length
- called
- calling
- name
- fullname
| Key | clfs_march.sys - clfs_apr.sys |
|---|---|
| diff_type | refcount,calling |
| ratio | 1.0 |
| i_ratio | 1.0 |
| m_ratio | 1.0 |
| b_ratio | 1.0 |
| match_types | SymbolsHash |
| Key | clfs_march.sys | clfs_apr.sys |
|---|---|---|
| name | AddRef | AddRef |
| fullname | CClfsLogCcb::AddRef | CClfsLogCcb::AddRef |
refcount |
34 | 35 |
| length | 13 | 13 |
| called | ||
calling |
Expand for full list:ClfsAddLogContainerSet |
Expand for full list:CClfsRequest::WriteRestart |
| paramcount | 1 | 1 |
| address | 1c0004904 | 1c0004904 |
| sig | ulong __thiscall AddRef(CClfsLogCcb * this) | ulong __thiscall AddRef(CClfsLogCcb * this) |
| sym_type | Function | Function |
| sym_source | ANALYSIS | ANALYSIS |
| external | False | False |
--- CClfsLogCcb::AddRef calling
+++ CClfsLogCcb::AddRef calling
@@ -3,0 +4 @@
+CClfsRequest::Close| Key | clfs_march.sys - clfs_apr.sys |
|---|---|
| diff_type | length,address,called |
| ratio | 1.0 |
| i_ratio | 0.87 |
| m_ratio | 0.95 |
| b_ratio | 0.95 |
| match_types | SymbolsHash |
| Key | clfs_march.sys | clfs_apr.sys |
|---|---|---|
| name | ReadLogPagingIo | ReadLogPagingIo |
| fullname | CClfsRequest::ReadLogPagingIo | CClfsRequest::ReadLogPagingIo |
| refcount | 3 | 3 |
length |
318 | 352 |
called |
CClfsRequest_State::Change_State_ReadPending _guard_dispatch_icall |
CClfsRequest_State::Change_State_ReadPending NTOSKRNL.EXE::KeBugCheckEx _guard_dispatch_icall |
| calling | CClfsRequest::Dispatch | CClfsRequest::Dispatch |
| paramcount | 1 | 1 |
address |
1c003fde4 | 1c003fee4 |
| sig | undefined8 __fastcall ReadLogPagingIo(CClfsRequest * param_1) | undefined8 __fastcall ReadLogPagingIo(CClfsRequest * param_1) |
| sym_type | Function | Function |
| sym_source | IMPORTED | IMPORTED |
| external | False | False |
--- CClfsRequest::ReadLogPagingIo called
+++ CClfsRequest::ReadLogPagingIo called
@@ -1,0 +2 @@
+NTOSKRNL.EXE::KeBugCheckEx| Key | clfs_march.sys - clfs_apr.sys |
|---|---|
| diff_type | refcount,address,calling |
| ratio | 1.0 |
| i_ratio | 0.8 |
| m_ratio | 1.0 |
| b_ratio | 1.0 |
| match_types | SymbolsHash |
| Key | clfs_march.sys | clfs_apr.sys |
|---|---|---|
| name | Release | Release |
| fullname | CClfsLogCcb::Release | CClfsLogCcb::Release |
refcount |
55 | 58 |
| length | 66 | 66 |
| called | CClfsLogCcb::~CClfsLogCcb ExFreeToPagedLookasideList |
CClfsLogCcb::~CClfsLogCcb ExFreeToPagedLookasideList |
calling |
Expand for full list:ClfsAdvanceLogBaseInternal |
Expand for full list:ClfsAddLogContainerSet |
| paramcount | 1 | 1 |
address |
1c002d750 | 1c002d760 |
| sig | ulong __thiscall Release(CClfsLogCcb * this) | ulong __thiscall Release(CClfsLogCcb * this) |
| sym_type | Function | Function |
| sym_source | ANALYSIS | ANALYSIS |
| external | False | False |
--- CClfsLogCcb::Release calling
+++ CClfsLogCcb::Release calling
@@ -1,0 +2 @@
+CClfsLogCcb::Close
@@ -5,0 +7 @@
+CClfsRequest::Close
@@ -49,0 +52 @@
+`CClfsRequest::Close'::__l1::fin$0Generated with ghidriff version: 0.8.0 on 2025-04-09T13:07:24