winload.exe
OslInitializeCodeIntegrity
.text:00000000004057DC ; =============== S U B R O U T I N E =======================================
.text:00000000004057DC
.text:00000000004057DC ; OslInitializeCodeIntegrity (winload.exe). Excerpt only: the listing stops
.text:00000000004057DC ; after the second call, so the rest of the body and the return are not shown.
.text:00000000004057DC ; ABI:   Microsoft x64. Frame = 5 non-volatile pushes (rbx, rbp, rdi, r12,
.text:00000000004057DC ;        r13) + 50h, so the caller's home slots are reached as [rsp+78h+arg_*]
.text:00000000004057DC ;        and rsp is 16-byte aligned at both calls.
.text:00000000004057DC ; In:    ecx = first argument, copied to r12d and kept across the calls
.text:00000000004057DC ; Regs:  rax = rsp at entry (the var_*/arg_* offsets are relative to it)
.text:00000000004057DC ;        r13 = 0 and rdi = 0 for the whole excerpt
.text:00000000004057DC ;        ebp = 1 if the byte sub_430E30 stores into arg_8 is non-zero, else 3
.text:00000000004057DC ; Note:  sub_430E30, sub_406C90 and dword_4AF480 are not named in this
.text:00000000004057DC ;        excerpt; only the argument plumbing visible here is described.
.text:00000000004057DC ; Detection note: the `db` comment on the first instruction records a 3-byte
.text:00000000004057DC ;        in-place change of the routine's opening bytes. A winload.exe with
.text:00000000004057DC ;        altered code bytes no longer matches its signed image, which is what
.text:00000000004057DC ;        boot-time image verification (where enabled) is meant to catch.
.text:00000000004057DC
.text:00000000004057DC sub_4057DC      proc near               ; CODE XREF: sub_4010B8+61Cp
.text:00000000004057DC                                         ; DATA XREF: .pdata:00000000004B3168o
.text:00000000004057DC
.text:00000000004057DC var_58          = qword ptr -58h
.text:00000000004057DC var_50          = dword ptr -50h
.text:00000000004057DC var_48          = dword ptr -48h
.text:00000000004057DC var_38          = qword ptr -38h
.text:00000000004057DC arg_8           = qword ptr  10h
.text:00000000004057DC arg_18          = qword ptr  20h
.text:00000000004057DC
.text:00000000004057DC                 mov     rax, rsp               ; db 48h,8Bh,0C4h -> db 0B0,01h,0C3h = mov al,1 \ ret
.text:00000000004057DC                                                ; rax = frame base (rsp before the pushes)
.text:00000000004057DF                 push    rbx                    ; prologue: save the 5 non-volatile registers used below
.text:00000000004057E0                 push    rbp
.text:00000000004057E1                 push    rdi
.text:00000000004057E2                 push    r12
.text:00000000004057E4                 push    r13
.text:00000000004057E6                 sub     rsp, 50h               ; locals + shadow space; 5*8 + 50h = 78h
.text:00000000004057EA                 xor     r13d, r13d             ; r13 = 0 (zero source for the stores below)
.text:00000000004057ED                 mov     r12d, ecx              ; r12d = first argument (survives the calls)
.text:00000000004057F0                 lea     r8, [rax+18h]          ; r8 = &(entry rsp+18h), the third home slot, passed by address
.text:00000000004057F4                 lea     rcx, dword_4AF480      ; rcx = &dword_4AF480 (RIP-relative)
.text:00000000004057FB                 lea     rdx, [rax+10h]         ; rdx = &arg_8 home slot; its low byte is read back after the call
.text:00000000004057FF                 mov     [rax+20h], r13         ; arg_18 home slot = 0 (its address goes to sub_406C90)
.text:0000000000405803                 mov     rdi, r13               ; rdi = 0
.text:0000000000405806                 mov     [rax-38h], r13         ; var_38 = 0
.text:000000000040580A                 call    sub_430E30             ; sub_430E30(&dword_4AF480, &arg_8, &(entry rsp+18h))
.text:000000000040580F                 mov     r11b, byte ptr [rsp+78h+arg_8] ; r11b = byte left in arg_8 by sub_430E30 (presumably a flag -- TODO confirm)
.text:0000000000405817                 lea     rdx, [rsp+78h+arg_18]  ; rdx = &arg_18 (zeroed above)
.text:000000000040581F                 lea     rcx, aSystem32Catroo ; "System32\\CatRoot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE"
.text:0000000000405826                 neg     r11b                   ; CF = (r11b != 0)
.text:0000000000405829                 sbb     ebp, ebp               ; ebp = -CF: 0FFFFFFFFh or 0
.text:000000000040582B                 and     ebp, 0FFFFFFFEh        ; ebp = 0FFFFFFFEh (-2) or 0
.text:000000000040582E                 add     ebp, 3                 ; ebp = r11b ? 1 : 3 (branch-free select; presumably consumed past this excerpt)
.text:0000000000405831                 call    sub_406C90             ; sub_406C90(aSystem32Catroo, &arg_18); ebp is not an argument here


ntoskrnl.exe
SepInitializeCodeIntegrity
PAGE:00000001403F5AD0 ; SepInitializeCodeIntegrity (ntoskrnl.exe), complete listing.
PAGE:00000001403F5AD0 ; ABI:   Microsoft x64. rbx is spilled to its home slot, rdi is pushed and
PAGE:00000001403F5AD0 ;        20h of shadow space is reserved, so rsp is 16-byte aligned at each call.
PAGE:00000001403F5AD0 ; Out:   eax = 0 on the WinPE path, otherwise whatever CiInitialize returned.
PAGE:00000001403F5AD0 ; Regs:  ebx = 0 (zero source); later rbx = second argument to CiInitialize
PAGE:00000001403F5AD0 ;        edi = first argument to CiInitialize: starts at 6, forced to 0 when the
PAGE:00000001403F5AD0 ;        "DISABLE_INTEGRITY_CHECKS" scan returns non-zero, or'ed with 8 when the
PAGE:00000001403F5AD0 ;        "TESTSIGNING" scan returns non-zero (presumably: option present -- the
PAGE:00000001403F5AD0 ;        contract of sub_1403E7A00 is not visible here)
PAGE:00000001403F5AD0 ; Globals written: byte_140226EB8 (g_CiEnabled) = 1 before CiInitialize, = 0 on
PAGE:00000001403F5AD0 ;        the WinPE path; qword_140226EA0/EA8/EB0 are zeroed and their address is
PAGE:00000001403F5AD0 ;        handed to CiInitialize in r8.
PAGE:00000001403F5AD0 ; Note:  qword_1402B1130 is dereferenced at +98h (a string handed to the option
PAGE:00000001403F5AD0 ;        scanner) and +30h; it looks like the loader parameter block -- confirm.
PAGE:00000001403F5AD0 ; Detection note: within this routine g_CiEnabled ends up 0 only through the
PAGE:00000001403F5AD0 ;        InitIsWinPEMode branch. g_CiEnabled == 0 outside WinPE, or the branch
PAGE:00000001403F5AD0 ;        bytes differing from the signed image (as the comment below records),
PAGE:00000001403F5AD0 ;        is therefore a tampering indicator for kernel image-integrity checks.
PAGE:00000001403F5AD0                 mov     [rsp+8], rbx          ; save rbx in its home slot (restored as [rsp+30h] below)
PAGE:00000001403F5AD5                 push    rdi                   ; rdi is non-volatile under MS x64
PAGE:00000001403F5AD6                 sub     rsp, 20h              ; shadow space for the callees
PAGE:00000001403F5ADA                 xor     ebx, ebx              ; rbx = 0
PAGE:00000001403F5ADC                 cmp     cs:byte_140208B70, bl	; InitIsWinPEMode (non-zero: skip CI init via loc_1403F5B7C)
PAGE:00000001403F5AE2                 jnz     loc_1403F5B7C		; db 0Fh, 85h, 94h, 0, 0, 0 -> db 90,0E9h,94h,0,0,0 = nop \ jmp loc_1403F5B7C
PAGE:00000001403F5AE8                 xor     eax, eax			; db 33h,0C0h -- rax = 0 for the three stores below
PAGE:00000001403F5AEA                 mov     cs:byte_140226EB8, 1	; g_CiEnabled = 1
PAGE:00000001403F5AF1                 lea     edi, [rbx+6]          ; edi = 6 (rbx is 0): initial flags for CiInitialize
PAGE:00000001403F5AF4                 mov     cs:qword_140226EA0, rax ; zero the three-qword block whose address is passed in r8 below
PAGE:00000001403F5AFB                 mov     cs:qword_140226EA8, rax
PAGE:00000001403F5B02                 mov     cs:qword_140226EB0, rax
PAGE:00000001403F5B09                 mov     rax, cs:qword_1402B1130 ; rax = qword_1402B1130 (presumably the loader parameter block -- confirm)
PAGE:00000001403F5B10                 cmp     rax, rbx
PAGE:00000001403F5B13                 jz      short loc_1403F5B67   ; NULL block: call CiInitialize with rdx = 0
PAGE:00000001403F5B15                 cmp     [rax+98h], rbx
PAGE:00000001403F5B1C                 jz      short loc_1403F5B5E   ; NULL [block+98h]: no option string to scan
PAGE:00000001403F5B1E                 mov     rcx, [rax+98h]
PAGE:00000001403F5B25                 lea     rdx, aDisable_integr ; "DISABLE_INTEGRITY_CHECKS"
PAGE:00000001403F5B2C                 call    sub_1403E7A00         ; eax = sub_1403E7A00([block+98h], "DISABLE_INTEGRITY_CHECKS")
PAGE:00000001403F5B31                 mov     rcx, cs:qword_1402B1130 ; reload: rcx and rax are volatile across the call
PAGE:00000001403F5B38                 lea     rdx, aTestsigning ; "TESTSIGNING"
PAGE:00000001403F5B3F                 mov     rcx, [rcx+98h]
PAGE:00000001403F5B46                 cmp     eax, ebx              ; first scan result, tested before the next call clobbers eax
PAGE:00000001403F5B48                 cmovnz  edi, ebx              ; non-zero -> edi = 0 (all flags cleared)
PAGE:00000001403F5B4B                 call    sub_1403E7A00         ; eax = sub_1403E7A00([block+98h], "TESTSIGNING")
PAGE:00000001403F5B50                 cmp     eax, ebx
PAGE:00000001403F5B52                 mov     rax, cs:qword_1402B1130 ; mov leaves flags intact, so the cmp result survives the reload
PAGE:00000001403F5B59                 jz      short loc_1403F5B5E   ; zero -> keep edi as is
PAGE:00000001403F5B5B                 or      edi, 8                ; non-zero -> add flag 8
PAGE:00000001403F5B5E
PAGE:00000001403F5B5E loc_1403F5B5E:                          ; CODE XREF: PAGE:00000001403F5B1Cj
PAGE:00000001403F5B5E                                         ; PAGE:00000001403F5B59j
PAGE:00000001403F5B5E                 cmp     rax, rbx              ; rax = block pointer on both incoming paths, rbx still 0
PAGE:00000001403F5B61                 jz      short loc_1403F5B67
PAGE:00000001403F5B63                 lea     rbx, [rax+30h]        ; rbx = &block+30h -> second argument to CiInitialize
PAGE:00000001403F5B67
PAGE:00000001403F5B67 loc_1403F5B67:                          ; CODE XREF: PAGE:00000001403F5B13j
PAGE:00000001403F5B67                                         ; PAGE:00000001403F5B61j
PAGE:00000001403F5B67                 lea     r8, qword_140226EA0   ; r8 = &qword_140226EA0 (the block zeroed above)
PAGE:00000001403F5B6E                 mov     rdx, rbx              ; rdx = &block+30h, or 0 when there is no block
PAGE:00000001403F5B71                 mov     ecx, edi              ; ecx = flags: 6, 0, 6|8 or 0|8
PAGE:00000001403F5B73                 call    CiInitialize          ; CiInitialize(ecx, rdx, r8)
PAGE:00000001403F5B78                 mov     ebx, eax              ; ebx = CiInitialize's return value
PAGE:00000001403F5B7A                 jmp     short loc_1403F5B82
PAGE:00000001403F5B7C ; ---------------------------------------------------------------------------
PAGE:00000001403F5B7C
PAGE:00000001403F5B7C loc_1403F5B7C:                          ; CODE XREF: PAGE:00000001403F5AE2j
PAGE:00000001403F5B7C                 mov     cs:byte_140226EB8, bl ; WinPE path: g_CiEnabled = 0 (bl == 0); CiInitialize is never called
PAGE:00000001403F5B82
PAGE:00000001403F5B82 loc_1403F5B82:                          ; CODE XREF: PAGE:00000001403F5B7Aj
PAGE:00000001403F5B82                 mov     eax, ebx              ; return value: 0 on the WinPE path, else CiInitialize's result
PAGE:00000001403F5B84                 mov     rbx, [rsp+30h]        ; restore rbx: 20h + pushed rdi + return address = the entry home slot [rsp+8]
PAGE:00000001403F5B89                 add     rsp, 20h
PAGE:00000001403F5B8D                 pop     rdi
PAGE:00000001403F5B8E                 retn



File : ntoskrnl.exe                 Size :  5563776 bytes
004D1540:a4489442418                     mov       [rsp+18],r8d        ; home the three register arguments (r8d, edx, ecx)
; Raw file-offset listing of the routine shown below as sub_140561340 (the
; instructions match one for one; file offset and VA differ by 14008FE00h).
; It extends a little past the IDA excerpt: the third call and the stores
; that follow it, then `cli`. The routine continues beyond this listing.
; Regs: edi = 0 (zero source for the NULL checks)
;       rbx = address inside ntoskrnl (FsRtlUninitializeSmallMcb per the IDA
;       listing), used to find the containing image and its section.
004D1545:a89542410                       mov       [rsp+10],edx
004D1549:a894C2408                       mov       [rsp+08],ecx
004D154D:a53                             push      rbx                 ; 8 non-volatile pushes + 0F58h = 0F98h frame
004D154E:a55                             push      rbp
004D154F:a56                             push      rsi
004D1550:a57                             push      rdi
004D1551:a4154                           push      r12
004D1553:a4155                           push      r13
004D1555:a4156                           push      r14
004D1557:a4157                           push      r15
004D1559:a4881EC580F0000                 sub       rsp,+00000F58       ; rsp is 16-byte aligned after this
004D1560:a33FF                           xor       edi,edi             ; edi = 0
004D1562:a393D8821D1FF                   cmp       [rip-002EDE78],edi  ; InitSafeBootMode (name from the IDA listing of the same routine)
004D1568:a7407                           je        file:004D1571       ; zero: normal path
004D156A:aB001                           mov       al,01               ; safe boot: return al = 1 without initializing anything
004D156C:aE9682D0000                     jmpn      file:004D42D9       ; -> common epilogue
004D1571:a488D1D34A5C3FF                 lea       rbx,[rip-003C5ACC]  ; rbx = FsRtlUninitializeSmallMcb (per the IDA listing)
004D1578:a488D942458010000               lea       rdx,[rsp+00000158]  ; rdx = &image_base (out parameter)
004D1580:a488BCB                         mov       rcx,rbx
004D1583:aE8686CBFFF                     calln     file:000C81F0       ; RtlPcToFileHeader(rbx, &image_base)
004D1588:a483BC7                         cmp       rax,rdi
004D158B:a0F84462D0000                   je        file:004D42D7       ; NULL -> bail out
004D1591:a488B8C2458010000               mov       rcx,[rsp+00000158]
004D1599:aE8BE46AFFF                     calln     -0050B942           ; RtlImageNtHeader(image_base)
004D159E:a483BC7                         cmp       rax,rdi
004D15A1:a0F84302D0000                   je        file:004D42D7       ; NULL -> bail out
004D15A7:a488B942458010000               mov       rdx,[rsp+00000158]  ; rdx = image_base
004D15AF:a448BC3                         mov       r8d,ebx
004D15B2:a488BC8                         mov       rcx,rax             ; rcx = NT headers
004D15B5:a442BC2                         sub       r8d,edx             ; r8d = low 32 bits of (rbx - image_base), i.e. the RVA of rbx
004D15B8:aE8837BB9FF                     calln     file:00069140       ; unnamed here (elided in the IDA listing); returns a struct read at +08h/+0Ch
004D15BD:a483BC7                         cmp       rax,rdi
004D15C0:a0F84112D0000                   je        file:004D42D7       ; NULL -> bail out
004D15C6:a8B480C                         mov       ecx,[rax+0C]        ; +0Ch / +08h match IMAGE_SECTION_HEADER.VirtualAddress / Misc.VirtualSize -- confirm
004D15C9:a8B4008                         mov       eax,[rax+08]
004D15CC:a48038C2458010000               add       rcx,[rsp+00000158]  ; rcx = image_base + [rax+0Ch]
004D15D4:a89442474                       mov       [rsp+74],eax        ; [rsp+74h] = [rax+08h]
004D15D8:a2BD9                           sub       ebx,ecx             ; ebx = low 32 bits of (rbx - rcx): offset of rbx inside that range (upper half of rbx cleared)
004D15DA:a48898C2490000000               mov       [rsp+00000090],rcx
004D15E2:a48899C2460030000               mov       [rsp+00000360],rbx
004D15EA:aFA                             cli                           ; interrupts off from here; the rest of the routine is not in this listing





ntoskrnl.exe
INIT:0000000140561340 ; =============== S U B R O U T I N E =======================================
INIT:0000000140561340
INIT:0000000140561340 ; sub_140561340 (ntoskrnl.exe, INIT section), called from KiFilterFiberContext.
INIT:0000000140561340 ; The listing is elided ("...") in the locals and in the middle of the body;
INIT:0000000140561340 ; only the prologue, the InitSafeBootMode early exit, the first two calls and
INIT:0000000140561340 ; the epilogue are shown.
INIT:0000000140561340 ; ABI:   Microsoft x64. The three register arguments are homed first; 8
INIT:0000000140561340 ;        non-volatile pushes + 0F58h of locals give the 0F98h frame the var_*
INIT:0000000140561340 ;        references assume, with rsp 16-byte aligned after the prologue.
INIT:0000000140561340 ; Out:   al = 1 when InitSafeBootMode != 0 (nothing initialized); any other
INIT:0000000140561340 ;        return value is produced in the elided part of the body.
INIT:0000000140561340 ; Regs:  edi = 0 (zero source for the NULL checks)
INIT:0000000140561340 ;        rbx = address of FsRtlUninitializeSmallMcb, i.e. a PC inside ntoskrnl,
INIT:0000000140561340 ;        used to look up the containing image
INIT:0000000140561340 ; Detection note: the only visible path that skips initialization is the
INIT:0000000140561340 ;        InitSafeBootMode test; the 2-byte change recorded on the jz below makes
INIT:0000000140561340 ;        that exit unconditional and is a code-byte difference from the signed
INIT:0000000140561340 ;        image that kernel image-integrity checks can detect.
INIT:0000000140561340
INIT:0000000140561340 sub_140561340   proc near               ; CODE XREF: KiFilterFiberContext+FFp
INIT:0000000140561340                                         ; KiFilterFiberContext+187p
INIT:0000000140561340
INIT:0000000140561340 var_F78         = qword ptr -0F78h
INIT:0000000140561340 var_F70         = qword ptr -0F70h
INIT:0000000140561340 var_F68         = qword ptr -0F68h
INIT:0000000140561340 var_F60         = qword ptr -0F60h
INIT:0000000140561340 var_F58         = dword ptr -0F58h
...
...
...
INIT:0000000140561340 var_48          = byte ptr -48h
INIT:0000000140561340 arg_0           = dword ptr  8
INIT:0000000140561340 arg_8           = dword ptr  10h
INIT:0000000140561340 arg_10          = dword ptr  18h
INIT:0000000140561340 arg_18          = qword ptr  20h
INIT:0000000140561340
INIT:0000000140561340                 mov     [rsp+arg_10], r8d      ; home the three register arguments
INIT:0000000140561345                 mov     [rsp+arg_8], edx
INIT:0000000140561349                 mov     [rsp+arg_0], ecx
INIT:000000014056134D                 push    rbx                    ; prologue: 8 non-volatile pushes
INIT:000000014056134E                 push    rbp
INIT:000000014056134F                 push    rsi
INIT:0000000140561350                 push    rdi
INIT:0000000140561351                 push    r12
INIT:0000000140561353                 push    r13
INIT:0000000140561355                 push    r14
INIT:0000000140561357                 push    r15
INIT:0000000140561359                 sub     rsp, 0F58h             ; locals; 8*8 + 0F58h = 0F98h
INIT:0000000140561360                 xor     edi, edi               ; edi = 0
INIT:0000000140561362                 cmp     cs:InitSafeBootMode, edi ; safe-boot mode requested?
INIT:0000000140561368                 jz      short loc_140561371               ; db 74h,7 -> db 90h,90h = nop \ nop
INIT:000000014056136A                 mov     al, 1                  ; safe boot: return 1 without initializing anything
INIT:000000014056136C                 jmp     loc_1405640D9          ; -> epilogue
INIT:0000000140561371 ; ---------------------------------------------------------------------------
INIT:0000000140561371
INIT:0000000140561371 loc_140561371:                          ; CODE XREF: sub_140561340+28j
INIT:0000000140561371                 lea     rbx, FsRtlUninitializeSmallMcb ; rbx = an address inside ntoskrnl's own image
INIT:0000000140561378                 lea     rdx, [rsp+0F98h+var_E40] ; rdx = &var_E40, receives the image base
INIT:0000000140561380                 mov     rcx, rbx
INIT:0000000140561383                 call    RtlPcToFileHeader      ; RtlPcToFileHeader(rbx, &var_E40)
INIT:0000000140561388                 cmp     rax, rdi
INIT:000000014056138B                 jz      loc_1405640D7          ; NULL -> failure exit (not shown)
INIT:0000000140561391                 mov     rcx, [rsp+0F98h+var_E40]
INIT:0000000140561399                 call    RtlImageNtHeader       ; RtlImageNtHeader(image base)
INIT:000000014056139E                 cmp     rax, rdi
INIT:00000001405613A1                 jz      loc_1405640D7          ; NULL -> failure exit (not shown)
...
...
...
INIT:00000001405640D9 loc_1405640D9:                          ; CODE XREF: sub_140561340+2Cj
INIT:00000001405640D9                                         ; sub_140561340+9C36j
INIT:00000001405640D9                 add     rsp, 0F58h             ; epilogue, shared with a jump from the elided body (+9C36)
INIT:00000001405640E0                 pop     r15                    ; pops mirror the prologue; eax/al is the return value
INIT:00000001405640E2                 pop     r14
INIT:00000001405640E4                 pop     r13
INIT:00000001405640E6                 pop     r12
INIT:00000001405640E8                 pop     rdi
INIT:00000001405640E9                 pop     rsi
INIT:00000001405640EA                 pop     rbp
INIT:00000001405640EB                 pop     rbx
INIT:00000001405640EC                 retn





ntoskrnl.exe
.text:0000000140123C50                 public MmIsAddressValid
.text:0000000140123C50 ; MmIsAddressValid(rcx): exported wrapper around MiIsAddressValid.
.text:0000000140123C50 ; In:  rcx = address under test, passed through untouched
.text:0000000140123C50 ; Out: whatever MiIsAddressValid returns. This is a tail call (no frame,
.text:0000000140123C50 ;      no return of its own), so MiIsAddressValid's entry check -- including
.text:0000000140123C50 ;      its bit-47 gap, see that listing -- is the exported behaviour as well.
.text:0000000140123C50 MmIsAddressValid proc near              ; CODE XREF: KeValidateBugCheckCallbackRecord+58p
.text:0000000140123C50                                         ; KeValidateBugCheckCallbackRecord+9Ep ...
.text:0000000140123C50                 xor     edx, edx        ; second argument = 0
.text:0000000140123C52                 jmp     MiIsAddressValid ; tail call: MiIsAddressValid(rcx, 0)
.text:0000000140123C52 MmIsAddressValid endp
...
...
...
.text:00000001400AAE20 ; MiIsAddressValid (excerpt: only the entry canonical-form test is shown).
.text:00000001400AAE20 ; In:  rcx = address under test; rdx = 0 when reached via MmIsAddressValid
.text:00000001400AAE20 ; The test below accepts any address whose top 16 bits are all 0 or all 1.
.text:00000001400AAE20 ; A canonical x86-64 address needs bits 63:47 (17 bits) equal, so bit 47 is
.text:00000001400AAE20 ; never compared against the others; shifting by 2Fh (47) instead of 30h with
.text:00000001400AAE20 ; the same inc / cmp 1 / ja pattern would reject both examples in the comment.
.text:00000001400AAE20 ; Risk: an address reported valid here that is not canonical raises #GP, not
.text:00000001400AAE20 ; #PF, if a caller then touches it (presumably a bugcheck in kernel mode);
.text:00000001400AAE20 ; whether the code past the ja re-checks this is not visible in the excerpt.
.text:00000001400AAE20 MiIsAddressValid proc near              ; CODE XREF: RtlpWalkFrameChain+13Ap
.text:00000001400AAE20                                         ; MmAccessFault-6DB6Dp ...
.text:00000001400AAE20                 mov     rax, rcx
.text:00000001400AAE23                 sar     rax, 30h        ; mistake, noncanonical addresses like 0000800000000000h, FFFF7FFFFFFFFFFFh may pass the check
                                                               ; virtual memory is in canonical form if bit 47 is sign extended into bits 63-48
                                                               ; rax = rcx >> 48 (arithmetic): 0 for a 0000h prefix, -1 for 0FFFFh
.text:00000001400AAE27                 inc     rax             ; rax = 1 or 0 for those two prefixes, anything else otherwise
.text:00000001400AAE2A                 cmp     rax, 1
.text:00000001400AAE2E                 ja      loc_1400AAEC3   ; unsigned rax > 1: top 16 bits mixed -> presumably the "not valid" exit





ntoskrnl.exe
MmIsSpecialPoolAddress
	; MmIsSpecialPoolAddress (excerpt): same top-16-bit test as in MiIsAddressValid.
	; rdx is presumably the address under test. The shift keeps bits 63:48 only, so
	; bit 47 is never compared with them; a canonical check needs bits 63:47, i.e.
	; a shift by 2Fh (47) with the same inc / cmp 1 / ja pattern.
	mov	rax,rdx		; rax = address under test
	sar	rax,30h		; mistake, noncanonical addresses like 0000800000000000h, FFFF7FFFFFFFFFFFh may pass the check
				; virtual memory is in canonical form if bit 47 is sign extended into bits 63-48
				; rax = rdx >> 48 (arithmetic): 0 or -1 for the two accepted prefixes
	inc	rax
	cmp	rax,1		; unsigned rax <= 1 passes: top 16 bits all equal
	ja	...		; reject path; target elided in the listing





MmAccessFault
	; MmAccessFault (excerpt): entry register shuffling plus the same top-16-bit
	; test as in MiIsAddressValid. rdx is presumably the faulting address (second
	; argument); r8b and r9 are the third and fourth arguments, saved in r10d/r14.
	; The shift by 30h keeps bits 63:48 only, so bit 47 is never compared; a
	; canonical check needs bits 63:47, i.e. a shift by 2Fh (47) with the same
	; inc / cmp 1 / ja pattern.
	mov	rax,rdx		; rax = address under test
	mov	r14,r9		; r14 = fourth argument (kept across later calls; non-volatile)
	movzx	r10d,r8b	; r10d = low byte of the third argument, zero-extended
	sar	rax,30h		; mistake, noncanonical addresses like 0000800000000000h, FFFF7FFFFFFFFFFFh may pass the check
				; virtual memory is in canonical form if bit 47 is sign extended into bits 63-48
				; rax = rdx >> 48 (arithmetic): 0 or -1 for the two accepted prefixes
	mov	r13,rdx		; r13 = address (non-volatile copy)
	mov	r11,rcx		; r11 = first argument
	inc	rax
	cmp	rax,1		; unsigned rax <= 1 passes: top 16 bits all equal
	ja	...		; reject path; target elided in the listing
