winload.exe
; OslInitializeCodeIntegrity (winload.exe) - excerpt only: the prologue up to the first call; the rest of the
; routine is not shown here.
; Visible behaviour: keeps the first argument (ecx) in r12d, zeroes three stack slots through r13 = 0, and calls
; BlImgQueryCodeIntegrityBootOptions with rcx = &BlpApplicationEntry, rdx = entry rsp + 10h (arg_8) and
; r8 = entry rsp + 18h.
; The author's annotation on the first instruction records a 3-byte change that turns the entry point into
; "mov al,1 / ret": the routine then returns al = 1 immediately and none of the code below runs.
; NOTE(review): a change to these bytes in the file alters the image hash, so the file no longer matches the
; vendor-signed original; comparing the boot loader against its signed copy is the relevant integrity check.
.text:00000000004057E8 OslInitializeCodeIntegrity proc near    ; CODE XREF: OslpMain+61Cp
.text:00000000004057E8                                         ; DATA XREF: .pdata:00000000004B2168o
.text:00000000004057E8
.text:00000000004057E8 var_58          = qword ptr -58h
.text:00000000004057E8 var_50          = dword ptr -50h
.text:00000000004057E8 var_48          = dword ptr -48h
.text:00000000004057E8 var_38          = qword ptr -38h
.text:00000000004057E8 arg_8           = qword ptr  10h
.text:00000000004057E8 arg_18          = qword ptr  20h
.text:00000000004057E8
.text:00000000004057E8                 mov     rax, rsp               ; rax = rsp at entry, base for the slots below | author's patch note: db 48h,8Bh,0C4h -> db 0B0h,01h,0C3h = mov al,1 \ ret
.text:00000000004057EB                 push    rbx
.text:00000000004057EC                 push    rbp
.text:00000000004057ED                 push    rdi
.text:00000000004057EE                 push    r12
.text:00000000004057F0                 push    r13
.text:00000000004057F2                 sub     rsp, 50h
.text:00000000004057F6                 xor     r13d, r13d             ; r13 = 0, used as the zero constant
.text:00000000004057F9                 mov     r12d, ecx              ; keep the first argument across the call
.text:00000000004057FC                 lea     r8, [rax+18h]          ; third argument: address of the slot at entry rsp + 18h
.text:0000000000405800                 lea     rcx, BlpApplicationEntry ; first argument
.text:0000000000405807                 lea     rdx, [rax+10h]         ; second argument: address of arg_8
.text:000000000040580B                 mov     [rax+20h], r13         ; arg_18 = 0
.text:000000000040580F                 mov     rdi, r13               ; rdi = 0
.text:0000000000405812                 mov     [rax-38h], r13         ; var_38 = 0
.text:0000000000405816                 call    BlImgQueryCodeIntegrityBootOptions ; outputs presumably written through rdx/r8 - callee not shown, confirm





ntoskrnl.exe
; SepInitializeCodeIntegrity (ntoskrnl.exe) - decides whether code integrity is initialised during phase 1.
; Flow as shown:
;   - InitIsWinPEMode != 0: g_CiEnabled = 0, return 0; CiInitialize is not called.
;   - otherwise: g_CiEnabled = 1, g_CiCallbacks and the two qwords after it are zeroed, edi = 6 (default flags).
;     If qword_1402A8120 and its field at +98h are non-zero, that field is passed to SepIsOptionPresent twice:
;       "DISABLE_INTEGRITY_CHECKS" present -> edi = 0
;       "TESTSIGNING" present              -> edi |= 8
;     Then CiInitialize(ecx = edi, rdx = qword_1402A8120 + 30h or 0, r8 = &g_CiCallbacks); its result is returned.
; NOTE(review): qword_1402A8120 is presumably the loader parameter block and +98h its load-options string -
; inferred from the option names, confirm against symbols.
; The author's annotation on the jnz records a change that makes the WinPE branch unconditional, so the kernel
; leaves g_CiEnabled = 0 and never calls CiInitialize. On a normal (non-WinPE) boot that state contradicts this
; code path, and the changed bytes no longer match the signed image.
PAGE:00000001403EAA60 SepInitializeCodeIntegrity proc near    ; CODE XREF: SepInitializationPhase1+231p
PAGE:00000001403EAA60
PAGE:00000001403EAA60 arg_0           = qword ptr  8
PAGE:00000001403EAA60
PAGE:00000001403EAA60                 mov     [rsp+arg_0], rbx            ; save rbx in the caller-provided home slot
PAGE:00000001403EAA65                 push    rdi
PAGE:00000001403EAA66                 sub     rsp, 20h
PAGE:00000001403EAA6A                 xor     ebx, ebx                    ; rbx = 0, used as the zero constant and default status
PAGE:00000001403EAA6C                 cmp     cs:InitIsWinPEMode, bl
PAGE:00000001403EAA72                 jnz     loc_1403EAB0C               ; WinPE mode: skip initialisation | author's patch note: db 0Fh,85h,94h,0,0,0 -> db 90h,0E9h,94h,0,0,0 = nop \ jmp loc_1403EAB0C
PAGE:00000001403EAA78                 xor     eax, eax
PAGE:00000001403EAA7A                 mov     cs:g_CiEnabled, 1
PAGE:00000001403EAA81                 lea     edi, [rbx+6]                ; edi = 6 (rbx is 0): default flags handed to CiInitialize
PAGE:00000001403EAA84                 mov     cs:g_CiCallbacks, rax       ; clear the callback table (three qwords)
PAGE:00000001403EAA8B                 mov     cs:qword_14021EE48, rax
PAGE:00000001403EAA92                 mov     cs:qword_14021EE50, rax
PAGE:00000001403EAA99                 mov     rax, cs:qword_1402A8120
PAGE:00000001403EAAA0                 cmp     rax, rbx
PAGE:00000001403EAAA3                 jz      short loc_1403EAAF7         ; pointer is NULL: call CiInitialize with rdx = 0
PAGE:00000001403EAAA5                 cmp     [rax+98h], rbx
PAGE:00000001403EAAAC                 jz      short loc_1403EAAEE         ; no option string: keep the default flags
PAGE:00000001403EAAAE                 mov     rcx, [rax+98h]
PAGE:00000001403EAAB5                 lea     rdx, ??_C@_0BJ@KFBEEMJI@DISABLE_INTEGRITY_CHECKS?$AA@NNGAKEGL@
PAGE:00000001403EAABC                 call    SepIsOptionPresent
PAGE:00000001403EAAC1                 mov     rcx, cs:qword_1402A8120
PAGE:00000001403EAAC8                 lea     rdx, ??_C@_0M@LNFBLGLD@TESTSIGNING?$AA@NNGAKEGL@
PAGE:00000001403EAACF                 mov     rcx, [rcx+98h]
PAGE:00000001403EAAD6                 cmp     eax, ebx                    ; result of the DISABLE_INTEGRITY_CHECKS lookup
PAGE:00000001403EAAD8                 cmovnz  edi, ebx                    ; option present: flags = 0
PAGE:00000001403EAADB                 call    SepIsOptionPresent
PAGE:00000001403EAAE0                 cmp     eax, ebx                    ; result of the TESTSIGNING lookup
PAGE:00000001403EAAE2                 mov     rax, cs:qword_1402A8120     ; mov leaves the flags from the cmp intact
PAGE:00000001403EAAE9                 jz      short loc_1403EAAEE
PAGE:00000001403EAAEB                 or      edi, 8                      ; option present: set flag bit 3
PAGE:00000001403EAAEE
PAGE:00000001403EAAEE loc_1403EAAEE:                          ; CODE XREF: SepInitializeCodeIntegrity+4Cj
PAGE:00000001403EAAEE                                         ; SepInitializeCodeIntegrity+89j
PAGE:00000001403EAAEE                 cmp     rax, rbx
PAGE:00000001403EAAF1                 jz      short loc_1403EAAF7
PAGE:00000001403EAAF3                 lea     rbx, [rax+30h]              ; second argument = qword_1402A8120 + 30h
PAGE:00000001403EAAF7
PAGE:00000001403EAAF7 loc_1403EAAF7:                          ; CODE XREF: SepInitializeCodeIntegrity+43j
PAGE:00000001403EAAF7                                         ; SepInitializeCodeIntegrity+91j
PAGE:00000001403EAAF7                 lea     r8, g_CiCallbacks
PAGE:00000001403EAAFE                 mov     rdx, rbx
PAGE:00000001403EAB01                 mov     ecx, edi
PAGE:00000001403EAB03                 call    CiInitialize
PAGE:00000001403EAB08                 mov     ebx, eax                    ; keep the status for the common exit
PAGE:00000001403EAB0A                 jmp     short loc_1403EAB12
PAGE:00000001403EAB0C ; ---------------------------------------------------------------------------
PAGE:00000001403EAB0C
PAGE:00000001403EAB0C loc_1403EAB0C:                          ; CODE XREF: SepInitializeCodeIntegrity+12j
PAGE:00000001403EAB0C                 mov     cs:g_CiEnabled, bl          ; WinPE path: g_CiEnabled = 0 and status stays 0
PAGE:00000001403EAB12
PAGE:00000001403EAB12 loc_1403EAB12:                          ; CODE XREF: SepInitializeCodeIntegrity+AAj
PAGE:00000001403EAB12                 mov     eax, ebx                    ; return value
PAGE:00000001403EAB14                 mov     rbx, [rsp+28h+arg_0]        ; restore rbx from the home slot
PAGE:00000001403EAB19                 add     rsp, 20h
PAGE:00000001403EAB1D                 pop     rdi
PAGE:00000001403EAB1E                 retn
PAGE:00000001403EAB1E SepInitializeCodeIntegrity endp
PAGE:00000001403EAB1E
PAGE:00000001403EAB1E ; ---------------------------------------------------------------------------





ntoskrnl.exe
INIT:0000000140561340 ; =============== S U B R O U T I N E =======================================
INIT:0000000140561340
INIT:0000000140561340
; sub_140561340 (ntoskrnl.exe, INIT section) - excerpt: entry, first checks and epilogue; the body between them
; is elided by the author ("..." lines), as are some of the local-variable declarations.
; Visible behaviour: stores the three register arguments in their home slots, saves eight non-volatile
; registers, reserves 0F58h bytes, then tests InitSafeBootMode:
;   - non-zero: al = 1 and jump straight to the epilogue;
;   - zero: continue at loc_140561371, which resolves the image containing FsRtlUninitializeSmallMcb with
;     RtlPcToFileHeader and reads its NT headers with RtlImageNtHeader; either call returning 0 leads to
;     loc_1405640D7 (not shown).
; NOTE(review): the only callers listed are in KiFilterFiberContext; this is presumably the kernel patch
; protection initialisation routine - not established by the excerpt, confirm.
; The author's annotation on the jz records a 2-byte change that removes the branch, so the routine always takes
; the safe-boot exit (al = 1) and the elided body never runs. The INIT section is covered by the image hash, so
; such a change no longer matches the signed kernel file.
INIT:0000000140561340 sub_140561340   proc near               ; CODE XREF: KiFilterFiberContext+FFp
INIT:0000000140561340                                         ; KiFilterFiberContext+187p
INIT:0000000140561340
INIT:0000000140561340 var_F78         = qword ptr -0F78h
INIT:0000000140561340 var_F70         = qword ptr -0F70h
INIT:0000000140561340 var_F68         = qword ptr -0F68h
INIT:0000000140561340 var_F60         = qword ptr -0F60h
INIT:0000000140561340 var_F58         = dword ptr -0F58h
...
...
...
INIT:0000000140561340 var_48          = byte ptr -48h
INIT:0000000140561340 arg_0           = dword ptr  8
INIT:0000000140561340 arg_8           = dword ptr  10h
INIT:0000000140561340 arg_10          = dword ptr  18h
INIT:0000000140561340 arg_18          = qword ptr  20h
INIT:0000000140561340
INIT:0000000140561340                 mov     [rsp+arg_10], r8d                 ; spill the register arguments to their home slots
INIT:0000000140561345                 mov     [rsp+arg_8], edx
INIT:0000000140561349                 mov     [rsp+arg_0], ecx
INIT:000000014056134D                 push    rbx
INIT:000000014056134E                 push    rbp
INIT:000000014056134F                 push    rsi
INIT:0000000140561350                 push    rdi
INIT:0000000140561351                 push    r12
INIT:0000000140561353                 push    r13
INIT:0000000140561355                 push    r14
INIT:0000000140561357                 push    r15
INIT:0000000140561359                 sub     rsp, 0F58h                        ; 8 pushes (40h) + 0F58h = the 0F98h frame offset used below
INIT:0000000140561360                 xor     edi, edi                          ; rdi = 0, used as the zero constant
INIT:0000000140561362                 cmp     cs:InitSafeBootMode, edi
INIT:0000000140561368                 jz      short loc_140561371               ; not safe boot: run the body | author's patch note: db 74h,7 -> db 90h,90h = nop \ nop
INIT:000000014056136A                 mov     al, 1                             ; safe boot: return 1 without running the body
INIT:000000014056136C                 jmp     loc_1405640D9
INIT:0000000140561371 ; ---------------------------------------------------------------------------
INIT:0000000140561371
INIT:0000000140561371 loc_140561371:                          ; CODE XREF: sub_140561340+28j
INIT:0000000140561371                 lea     rbx, FsRtlUninitializeSmallMcb    ; an address inside the image to be looked up
INIT:0000000140561378                 lea     rdx, [rsp+0F98h+var_E40]          ; receives the image base
INIT:0000000140561380                 mov     rcx, rbx
INIT:0000000140561383                 call    RtlPcToFileHeader
INIT:0000000140561388                 cmp     rax, rdi
INIT:000000014056138B                 jz      loc_1405640D7                     ; lookup failed (target not shown)
INIT:0000000140561391                 mov     rcx, [rsp+0F98h+var_E40]
INIT:0000000140561399                 call    RtlImageNtHeader
INIT:000000014056139E                 cmp     rax, rdi
INIT:00000001405613A1                 jz      loc_1405640D7                     ; no NT headers (target not shown)
...
...
...
INIT:00000001405640D9 loc_1405640D9:                          ; CODE XREF: sub_140561340+2Cj
INIT:00000001405640D9                                         ; sub_140561340+9C36j
INIT:00000001405640D9                 add     rsp, 0F58h                        ; common epilogue; al holds the return value
INIT:00000001405640E0                 pop     r15
INIT:00000001405640E2                 pop     r14
INIT:00000001405640E4                 pop     r13
INIT:00000001405640E6                 pop     r12
INIT:00000001405640E8                 pop     rdi
INIT:00000001405640E9                 pop     rsi
INIT:00000001405640EA                 pop     rbp
INIT:00000001405640EB                 pop     rbx
INIT:00000001405640EC                 retn





ntoskrnl.exe
; MmIsAddressValid (ntoskrnl.exe, exported) - thin wrapper: clears edx and tail-jumps to MiIsAddressValid, so
; the caller's rcx is passed through unchanged and MiIsAddressValid returns directly to the caller.
.text:0000000140123C50                 public MmIsAddressValid
.text:0000000140123C50 MmIsAddressValid proc near              ; CODE XREF: KeValidateBugCheckCallbackRecord+58p
.text:0000000140123C50                                         ; KeValidateBugCheckCallbackRecord+9Ep ...
.text:0000000140123C50                 xor     edx, edx        ; second argument = 0
.text:0000000140123C52                 jmp     MiIsAddressValid ; tail call, no return to this wrapper
.text:0000000140123C52 MmIsAddressValid endp
...
...
...
; MiIsAddressValid (ntoskrnl.exe) - excerpt: only the leading address-form check is shown.
; The check keeps bits 63..48 of rcx (arithmetic shift right by 48), adds 1 and accepts a result of 0 or 1,
; i.e. it accepts any address whose top 16 bits are all ones or all zeros. Bit 47 is shifted out and is
; never compared with them.
; NOTE(review): whether the code after this excerpt rejects such addresses cannot be determined from here.
.text:00000001400AAE20 MiIsAddressValid proc near              ; CODE XREF: RtlpWalkFrameChain+13Ap
.text:00000001400AAE20                                         ; MmAccessFault-6DB6Dp ...
.text:00000001400AAE20                 mov     rax, rcx
.text:00000001400AAE23                 sar     rax, 30h        ; author's note: mistake - non-canonical addresses such as 0000800000000000h and FFFF7FFFFFFFFFFFh pass this check
                                                               ; an address is canonical only if bit 47 is sign-extended into bits 63-48
                                                               ; shifting by 30h (48) discards bit 47; a shift by 2Fh (47) would include it in the comparison
.text:00000001400AAE27                 inc     rax             ; top bits all ones -> 0, all zeros -> 1
.text:00000001400AAE2A                 cmp     rax, 1
.text:00000001400AAE2E                 ja      loc_1400AAEC3   ; any other value: mixed top bits (target not shown)





ntoskrnl.exe
; MmIsSpecialPoolAddress (ntoskrnl.exe) - excerpt: the two leading range checks on the address in rcx.
; 1. rcx + 98000000000h <= 7FFFFFFFFFh (unsigned) is true exactly for addresses in
;    FFFFF68000000000h..FFFFF6FFFFFFFFFFh; those go to loc_140042C70.
;    NOTE(review): that range presumably is the page-table self-map region of this build - confirm.
; 2. The same top-16-bit test used in MiIsAddressValid and MmAccessFault; failures also go to loc_140042C70.
; loc_140042C70 is not shown; both checks share it, so it is presumably the "not a special pool address" exit.
.text:0000000140042BDC MmIsSpecialPoolAddress proc near        ; CODE XREF: ExReturnPoolQuota:loc_140026DF6p
.text:0000000140042BDC                                         ; ExProtectPool+25p ...
.text:0000000140042BDC
.text:0000000140042BDC ; FUNCTION CHUNK AT .text:00000001400C76C7 SIZE 0000006B BYTES
.text:0000000140042BDC
.text:0000000140042BDC                 sub     rsp, 28h
.text:0000000140042BE0                 mov     rax, 98000000000h
.text:0000000140042BEA                 mov     rdx, rcx        ; keep the original address
.text:0000000140042BED                 add     rax, rcx        ; rax = address - FFFFF68000000000h (mod 2^64)
.text:0000000140042BF0                 mov     rcx, 7FFFFFFFFFh
.text:0000000140042BFA                 cmp     rax, rcx
.text:0000000140042BFD                 jbe     short loc_140042C70 ; address lies inside the excluded range
.text:0000000140042BFF                 mov     rax, rdx
.text:0000000140042C02                 sar     rax, 30h        ; author's note: mistake - non-canonical addresses such as 0000800000000000h and FFFF7FFFFFFFFFFFh pass this check
                                                               ; an address is canonical only if bit 47 is sign-extended into bits 63-48
                                                               ; shifting by 30h (48) discards bit 47; a shift by 2Fh (47) would include it in the comparison
.text:0000000140042C06                 inc     rax             ; top bits all ones -> 0, all zeros -> 1
.text:0000000140042C09                 cmp     rax, 1
.text:0000000140042C0D                 ja      short loc_140042C70 ; mixed top bits: rejected





ntoskrnl.exe
; MmAccessFault (ntoskrnl.exe) - excerpt: prologue and the leading address-form check; variable declarations
; and the rest of the routine are elided by the author ("..." lines).
; Visible behaviour: saves rbx and seven more non-volatile registers, reserves 120h bytes, builds a 64-byte
; aligned frame pointer in rbp, copies rcx/rdx/r9 to r15/r13/r12, and applies the same top-16-bit test to rdx
; that MiIsAddressValid and MmIsSpecialPoolAddress apply to their argument.
; NOTE(review): rdx is presumably the faulting virtual address - inferred from the check, confirm.
.text:000000014008BBE0 MmAccessFault   proc near               ; CODE XREF: MiCheckProtoPtePageState-5BA2Cp
.text:000000014008BBE0                                         ; MiDeletePerSessionProtos+85p ...
.text:000000014008BBE0
...
...
...
.text:000000014008BBE0                 mov     [rsp-8+var_B8], rbx
.text:000000014008BBE5                 push    rbp
.text:000000014008BBE6                 push    rsi
.text:000000014008BBE7                 push    rdi
.text:000000014008BBE8                 push    r12
.text:000000014008BBEA                 push    r13
.text:000000014008BBEC                 push    r14
.text:000000014008BBEE                 push    r15
.text:000000014008BBF0                 sub     rsp, 120h
.text:000000014008BBF7                 lea     rbp, [rsp+80h]
.text:000000014008BBFF                 and     rbp, 0FFFFFFFFFFFFFFC0h ; round rbp down to a 64-byte boundary
.text:000000014008BC03                 mov     rax, rdx        ; working copy of the second argument for the check below
.text:000000014008BC06                 mov     r12, r9
.text:000000014008BC09                 mov     r13, rdx
.text:000000014008BC0C                 sar     rax, 30h        ; author's note: mistake - non-canonical addresses such as 0000800000000000h and FFFF7FFFFFFFFFFFh pass this check
                                                               ; an address is canonical only if bit 47 is sign-extended into bits 63-48
                                                               ; shifting by 30h (48) discards bit 47; a shift by 2Fh (47) would include it in the comparison
.text:000000014008BC10                 mov     r15, rcx
.text:000000014008BC13                 inc     rax             ; top bits all ones -> 0, all zeros -> 1
.text:000000014008BC16                 cmp     rax, 1
.text:000000014008BC1A                 ja      loc_1400EF63C   ; mixed top bits: handled elsewhere (target not shown)
