Practical Reverse Engineering Solutions – Page 123 (Part IV)

my go at exercise 6 on pages 123ff

This blog post presents my solution to exercise 6 on page 123 from the book Practical Reverse Engineering by Bruce Dang, Alexandre Gazet and Elias Bachaalany (ISBN: 1118787315). The book is my first contact with reverse engineering, so take my statements with a grain of salt. All code snippets are on GitHub. For an overview of my solutions consult this progress page.

I’m removing the raw instruction in hex to save space. I’m also not showing the upper 32 bits of the addresses. Check my GitHub page for the complete listings.

Problem Statement

Repeat the previous exercise for RemoveEntryList in the following routines:

  • AlpcSectionDeleteProcedure
  • AlpcpDeletePort
  • AlpcpUnregisterCompletionListDatabase
  • AuthzBasepRemoveSecurityAttributeFromLists
  • CcDeleteBcbs
  • CcFindNextWorkQueueEntry
  • CcLazyWriteScan
  • CcSetFileSizesEx
  • CmShutdownSystem
  • CmUnRegisterCallback
  • CmpCallCallBacks
  • CmpPostApc
  • ExFreePoolWithTag
  • ExQueueWorkItem
  • ExTimerRundown
  • ExDeleteTimer
  • ExpDeleteTimer
  • ExpSetTimer
  • IoDelteDevice
  • IoDeleteDevice
  • IoUnregisterFsRegistrationChange
  • IopfCompleteRequest
  • KeDeregisterBugCheckCallback
  • KeDeregisterObjectNotification
  • KeRegisterObjectNotification
  • KeRemoveQueueApc
  • KeRemoveQueueDpc
  • KiCancelTimer
  • KeTerminateThread
  • KiDeliverApc
  • KiExecuteAllDpcs
  • KiExpireTimerTable
  • KiFindReadyThread
  • KiFlushQueueApc
  • KiInsertTimerTable
  • KiProcessExpiredTimerList
  • MiDeleteVirtualAddresses
  • NtNotifyChangeMultipleKeys
  • ObRegisterCallbacks
  • ObUnRegisterCallbacks

Solution

► AlpcSectionDeleteProcedure

The following lines are RemoveEntryList:

nt!AlpcSectionDeleteProcedure+0x6e:
220d974a  mov     rax,qword ptr [rdi]
220d974d  cmp     rax,rdi
220d9750  jne     nt!AlpcSectionDeleteProcedure+0x113 (fffff803`220d97ef)

...

nt!AlpcSectionDeleteProcedure+0x113:
220d97ef  mov     rcx,qword ptr [rdi+8]
220d97f3  cmp     qword ptr [rax+8],rdi
220d97f7  jne     nt!AlpcSectionDeleteProcedure+0x135 (fffff803`220d9811)

nt!AlpcSectionDeleteProcedure+0x11d:
220d97f9  cmp     qword ptr [rcx],rdi
220d97fc  jne     nt!AlpcSectionDeleteProcedure+0x135 (fffff803`220d9811)

nt!AlpcSectionDeleteProcedure+0x122:
220d97fe  mov     qword ptr [rcx],rax
220d9801  mov     qword ptr [rax+8],rcx

This illustration shows the three list elements and where the links are set or referenced:
AlpcSectionDeleteProcedure.png

► AlpcpDeletePort

The following lines are RemoveEntryList:

220beeec  mov     r8,qword ptr [rcx]
220beeef  mov     rdx,qword ptr [rcx+8]
220beef3  cmp     qword ptr [r8+8],rcx
220beef7  jne     nt!AlpcpDoPortCleanup+0x188 (fffff803`220bef38)

nt!AlpcpDoPortCleanup+0x149:
220beef9  cmp     qword ptr [rdx],rax
220beefc  jne     nt!AlpcpDoPortCleanup+0x188 (fffff803`220bef38)

nt!AlpcpDoPortCleanup+0x14e:
220beefe  mov     qword ptr [rdx],r8
220bef01  mov     qword ptr [r8+8],rdx

This illustration shows the three list elements and where the links are set or referenced:
AlpcpDeletePort.png

There is a second occurrence of RemoveEntryList here:

220d445b  mov     rdx,qword ptr [rdi]
220d445e  mov     rax,qword ptr [rdi+8]
220d4462  cmp     qword ptr [rdx+8],rdi
220d4466  jne     nt! ?? ::NNGAKEGL::`string'+0x330fa (fffff803`22268bed)

nt!AlpcpDeletePort+0x140:
220d446c  cmp     qword ptr [rax],rdi
220d446f  jne     nt! ?? ::NNGAKEGL::`string'+0x330fa (fffff803`22268bed)

nt!AlpcpDeletePort+0x149:
220d4475  mov     qword ptr [rax],rdx
220d4478  mov     qword ptr [rdx+8],rax

This illustration shows the three list elements and where the links are set or referenced:
AlpcpDeletePort_2.png

There is a third occurrence of RemoveEntryList here:

nt! ?? ::NNGAKEGL::`string'+0x32899:
222686d5  mov     rax,qword ptr [rdi]
222686d8  cmp     rax,rdi
222686db  je      nt! ?? ::NNGAKEGL::`string'+0x328be (fffff803`222686fa)

nt! ?? ::NNGAKEGL::`string'+0x328a1:
222686dd  mov     rcx,qword ptr [rdi+8]
222686e1  cmp     qword ptr [rax+8],rdi
222686e5  jne     nt! ?? ::NNGAKEGL::`string'+0x328ea (fffff803`22268726)

nt! ?? ::NNGAKEGL::`string'+0x328ab:
222686e7  cmp     qword ptr [rcx],rdi
222686ea  jne     nt! ?? ::NNGAKEGL::`string'+0x328ea (fffff803`22268726)

nt! ?? ::NNGAKEGL::`string'+0x328b0:
222686ec  mov     qword ptr [rcx],rax
222686ef  mov     qword ptr [rax+8],rcx

This illustration shows the three list elements and where the links are set or referenced:
AlpcpDeletePort_3.png

► AlpcpUnregisterCompletionListDatabase

The following lines are RemoveEntryList:

nt!AlpcpUnregisterCompletionListDatabase+0x15:
21ffb831  mov     rdx,qword ptr [rbx]
21ffb834  mov     rax,qword ptr [rbx+8]
21ffb838  cmp     qword ptr [rdx+8],rbx
21ffb83c  jne     nt!AlpcpUnregisterCompletionListDatabase+0x5d (fffff803`21ffb879)

nt!AlpcpUnregisterCompletionListDatabase+0x22:
21ffb83e  cmp     qword ptr [rax],rbx
21ffb841  jne     nt!AlpcpUnregisterCompletionListDatabase+0x5d (fffff803`21ffb879)

nt!AlpcpUnregisterCompletionListDatabase+0x27:
21ffb843  mov     qword ptr [rax],rdx
21ffb846  mov     qword ptr [rdx+8],rax

This illustration shows the three list elements and where the links are set or referenced:
AlpcpUnregisterCompletionListDatabase.png
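
The AlpcpUnregisterCompletionListDatabase listing above, written back as C. This is an added example, not code from the book, the blog's repository or the Windows sources. The names remove_entry_checked, unlink_status and the demo_* functions are assumptions, and because the jne targets are not shown on this page, the failure path is modelled as a return value.

```c
#include <stdio.h>

/* Same shape as LIST_ENTRY: with 8-byte pointers Flink sits at +0, Blink at +8,
 * which is why the listings read [reg] and [reg+8]. */
typedef struct list_entry {
    struct list_entry *Flink;
    struct list_entry *Blink;
} list_entry;

/* Hypothetical status type: the listings only show "jne <elsewhere>". */
typedef enum { UNLINK_OK = 0, UNLINK_CORRUPT = 1 } unlink_status;

static void init_list_head(list_entry *head) { head->Flink = head->Blink = head; }

static void insert_tail(list_entry *head, list_entry *entry) {
    list_entry *blink = head->Blink;
    entry->Flink = head;
    entry->Blink = blink;
    blink->Flink = entry;
    head->Blink = entry;
}

/* Checked unlink; comments map each statement to the listing (rbx = entry). */
static unlink_status remove_entry_checked(list_entry *entry) {
    list_entry *flink = entry->Flink;  /* mov rdx, qword ptr [rbx]        */
    list_entry *blink = entry->Blink;  /* mov rax, qword ptr [rbx+8]      */
    if (flink->Blink != entry)         /* cmp qword ptr [rdx+8], rbx; jne */
        return UNLINK_CORRUPT;
    if (blink->Flink != entry)         /* cmp qword ptr [rax], rbx; jne   */
        return UNLINK_CORRUPT;
    blink->Flink = flink;              /* mov qword ptr [rax], rdx        */
    flink->Blink = blink;              /* mov qword ptr [rdx+8], rax      */
    return UNLINK_OK;
}

/* Builds head <-> a <-> b <-> c <-> head (constructed sample data). */
static void build(list_entry *head, list_entry *a, list_entry *b, list_entry *c) {
    init_list_head(head);
    insert_tail(head, a);
    insert_tail(head, b);
    insert_tail(head, c);
}

/* Consistent list: b is unlinked and its neighbours point at each other. */
int demo_normal_unlink(void) {
    list_entry head, a, b, c;
    build(&head, &a, &b, &c);
    unlink_status st = remove_entry_checked(&b);
    return st == UNLINK_OK && a.Flink == &c && c.Blink == &a;
}

/* Removing the same entry twice: b still points at c, but c->Blink is now a,
 * so the first compare fails and nothing is written. */
unlink_status demo_double_unlink(void) {
    list_entry head, a, b, c;
    build(&head, &a, &b, &c);
    remove_entry_checked(&b);
    return remove_entry_checked(&b);
}

/* Only b.Blink is overwritten: the first compare still passes and the second
 * one catches it. Returns UNLINK_OK if the list was modified despite the check. */
unlink_status demo_redirected_blink(void) {
    list_entry head, a, b, c, stray;
    build(&head, &a, &b, &c);
    init_list_head(&stray);
    b.Blink = &stray;
    unlink_status st = remove_entry_checked(&b);
    if (a.Flink != &b || c.Blink != &b || stray.Flink != &stray)
        return UNLINK_OK;
    return st;
}

int main(void) {
    printf("normal unlink ok:      %d\n", demo_normal_unlink());
    printf("double unlink status:  %d\n", (int)demo_double_unlink());
    printf("redirected Blink:      %d\n", (int)demo_redirected_blink());
    return 0;
}
```

The other occurrences on this page differ only in register allocation and in whether the entry address is first computed with lea or add.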

► AuthzBasepRemoveSecurityAttributeFromLists

The following lines are RemoveEntryList:

nt!AuthzBasepRemoveSecurityAttributeFromLists+0x49:
22141fbd  mov     r8,qword ptr [rdx]
22141fc0  mov     rax,qword ptr [rdx+8]
22141fc4  cmp     qword ptr [r8+8],rdx
22141fc8  jne     nt!AuthzBasepRemoveSecurityAttributeFromLists+0x76 (fffff803`22141fea)

nt!AuthzBasepRemoveSecurityAttributeFromLists+0x56:
22141fca  cmp     qword ptr [rax],rdx
22141fcd  jne     nt!AuthzBasepRemoveSecurityAttributeFromLists+0x76 (fffff803`22141fea)

nt!AuthzBasepRemoveSecurityAttributeFromLists+0x5b:
22141fcf  mov     qword ptr [rax],r8
22141fd2  mov     qword ptr [r8+8],rax

This illustration shows the three list elements and where the links are set or referenced:
AuthzBasepRemoveSecurityAttributeFromLists.png

► CcDeleteBcbs

The following lines are RemoveEntryList:

21c78327  mov     rsi,qword ptr [rax]
21c7832a  cmp     word ptr [rbx],cx
21c7832d  je      nt! ?? ::FNODOBFM::`string'+0x2a82 (fffff803`21e3f014)

...

nt! ?? ::FNODOBFM::`string'+0x2a82:
21e3f014  cmp     dword ptr [rbx+40h],ebp
21e3f017  jne     nt! ?? ::FNODOBFM::`string'+0x2b92 (fffff803`21e3f124)

nt! ?? ::FNODOBFM::`string'+0x2a8b:
21e3f01d  mov     rcx,qword ptr [rax+8]
21e3f021  cmp     qword ptr [rsi+8],rax
21e3f025  jne     nt! ?? ::FNODOBFM::`string'+0x2b8b (fffff803`21e3f11d)

nt! ?? ::FNODOBFM::`string'+0x2a99:
21e3f02b  cmp     qword ptr [rcx],rax
21e3f02e  jne     nt! ?? ::FNODOBFM::`string'+0x2b8b (fffff803`21e3f11d)

nt! ?? ::FNODOBFM::`string'+0x2aa2:
21e3f034  mov     qword ptr [rcx],rsi
21e3f037  mov     qword ptr [rsi+8],rcx

This illustration shows the three list elements and where the links are set or referenced:
CcDeleteBcbs.png

► CcFindNextWorkQueueEntry

The following lines are RemoveEntryList:

nt!CcFindNextWorkQueueEntry+0x27:
21cf9c97  mov     rcx,qword ptr [rdx]
21cf9c9a  mov     rax,qword ptr [rdx+8]
21cf9c9e  cmp     qword ptr [rcx+8],rdx
21cf9ca2  jne     nt! ?? ::FNODOBFM::`string'+0x3372 (fffff803`21e3f67c)

nt!CcFindNextWorkQueueEntry+0x38:
21cf9ca8  cmp     qword ptr [rax],rdx
21cf9cab  jne     nt! ?? ::FNODOBFM::`string'+0x3372 (fffff803`21e3f67c)

nt!CcFindNextWorkQueueEntry+0x41:
21cf9cb1  mov     qword ptr [rax],rcx
21cf9cb4  mov     qword ptr [rcx+8],rax

This illustration shows the three list elements and where the links are set or referenced:
CcFindNextWorkQueueEntry.png

► CcLazyWriteScan

The following lines are RemoveEntryList:

nt!CcLazyWriteScan+0x648:
21d7010c  mov     rcx,qword ptr [nt!CcLazyWriterCursor (fffff803`21f5abe0)]
21d70113  mov     rax,qword ptr [nt!CcLazyWriterCursor+0x8 (fffff803`21f5abe8)]
21d7011a  cmp     qword ptr [rcx+8],rdi
21d7011e  jne     nt! ?? ::FNODOBFM::`string'+0x37da (fffff803`21e3f779)

nt!CcLazyWriteScan+0x660:
21d70124  cmp     qword ptr [rax],rdi
21d70127  jne     nt! ?? ::FNODOBFM::`string'+0x37da (fffff803`21e3f779)

nt!CcLazyWriteScan+0x669:
21d7012d  mov     qword ptr [rax],rcx
21d70130  mov     qword ptr [rcx+8],rax

This illustration shows the three list elements and where the links are set or referenced:
CcLazyWriteScan.png

► CcSetFileSizesEx

The following lines are RemoveEntryList:

nt!CcSetFileSizesEx+0x338:
21d1de9a  add     rsi,88h
21d1dea1  mov     rcx,qword ptr [rsi]
21d1dea4  mov     rax,qword ptr [rsi+8]
21d1dea8  cmp     qword ptr [rcx+8],rsi
21d1deac  jne     nt! ?? ::FNODOBFM::`string'+0x29be (fffff803`21e3ef4d)

nt!CcSetFileSizesEx+0x350:
21d1deb2  cmp     qword ptr [rax],rsi
21d1deb5  jne     nt! ?? ::FNODOBFM::`string'+0x29be (fffff803`21e3ef4d)

nt!CcSetFileSizesEx+0x359:
21d1debb  mov     qword ptr [rax],rcx
21d1debe  mov     qword ptr [rcx+8],rax

This illustration shows the three list elements and where the links are set or referenced:

CcSetFileSizesEx.png

There is a second occurrence of RemoveEntryList here:

nt!CcSetFileSizesEx+0x46f:
21d1dfd3  add     rsi,88h
21d1dfda  mov     rcx,qword ptr [rsi]
21d1dfdd  mov     rax,qword ptr [rsi+8]
21d1dfe1  cmp     qword ptr [rcx+8],rsi
21d1dfe5  jne     nt!CcSetFileSizesEx+0x4d7 (fffff803`21d1e03b)

nt!CcSetFileSizesEx+0x483:
21d1dfe7  cmp     qword ptr [rax],rsi
21d1dfea  jne     nt!CcSetFileSizesEx+0x4d7 (fffff803`21d1e03b)

nt!CcSetFileSizesEx+0x488:
21d1dfec  mov     qword ptr [rax],rcx
21d1dfef  mov     qword ptr [rcx+8],rax

This illustration shows the three list elements and where the links are set or referenced:
CcSetFileSizesEx_2.png

There is a third occurrence of RemoveEntryList here:

nt! ?? ::FNODOBFM::`string'+0x2723:
21e3ecf2  mov     rdx,qword ptr [rsi+78h]
21e3ecf6  lea     rax,[rsi+78h]
21e3ecfa  mov     rcx,qword ptr [rax+8]
21e3ecfe  cmp     qword ptr [rdx+8],rax
21e3ed02  jne     nt! ?? ::FNODOBFM::`string'+0x27d4 (fffff803`21e3ed93)

nt! ?? ::FNODOBFM::`string'+0x2739:
21e3ed08  cmp     qword ptr [rcx],rax
21e3ed0b  jne     nt! ?? ::FNODOBFM::`string'+0x27d4 (fffff803`21e3ed93)

nt! ?? ::FNODOBFM::`string'+0x2742:
21e3ed11  mov     qword ptr [rcx],rdx
21e3ed14  mov     qword ptr [rdx+8],rcx

This illustration shows the three list elements and where the links are set or referenced:
CcSetFileSizesEx_3.png

There is a fourth occurrence of RemoveEntryList here:

nt! ?? ::FNODOBFM::`string'+0x2778:
21e3ed43  add     rsi,88h
21e3ed4a  mov     rcx,qword ptr [rsi]
21e3ed4d  mov     rax,qword ptr [rsi+8]
21e3ed51  cmp     qword ptr [rcx+8],rsi
21e3ed55  jne     nt! ?? ::FNODOBFM::`string'+0x27cd (fffff803`21e3ed8c)

nt! ?? ::FNODOBFM::`string'+0x2790:
21e3ed57  cmp     qword ptr [rax],rsi
21e3ed5a  jne     nt! ?? ::FNODOBFM::`string'+0x27cd (fffff803`21e3ed8c)

nt! ?? ::FNODOBFM::`string'+0x2799:
21e3ed5c  mov     qword ptr [rax],rcx
21e3ed5f  mov     qword ptr [rcx+8],rax

This illustration shows the three list elements and where the links are set or referenced:

CcSetFileSizesEx_4.png

There is a fifth occurrence of RemoveEntryList here:

nt! ?? ::FNODOBFM::`string'+0x27db:
21e3ed9a  mov     rdx,qword ptr [rsi+78h]
21e3ed9e  lea     rax,[rsi+78h]
21e3eda2  mov     rcx,qword ptr [rax+8]
21e3eda6  cmp     qword ptr [rdx+8],rax
21e3edaa  jne     nt! ?? ::FNODOBFM::`string'+0x2835 (fffff803`21e3ede8)

nt! ?? ::FNODOBFM::`string'+0x27f1:
21e3edac  cmp     qword ptr [rcx],rax
21e3edaf  jne     nt! ?? ::FNODOBFM::`string'+0x2835 (fffff803`21e3ede8)

nt! ?? ::FNODOBFM::`string'+0x27fa:
21e3edb1  mov     qword ptr [rcx],rdx
21e3edb4  mov     qword ptr [rdx+8],rcx

This illustration shows the three list elements and where the links are set or referenced:
CcSetFileSizesEx_5.png

There is a sixth occurrence of RemoveEntryList here:

nt! ?? ::FNODOBFM::`string'+0x28a5:
21e3ee50  mov     rdx,qword ptr [rsi+78h]
21e3ee54  lea     rax,[rsi+78h]
21e3ee58  mov     rcx,qword ptr [rax+8]
21e3ee5c  cmp     qword ptr [rdx+8],rax
21e3ee60  jne     nt! ?? ::FNODOBFM::`string'+0x2956 (fffff803`21e3eef1)

nt! ?? ::FNODOBFM::`string'+0x28bb:
21e3ee66  cmp     qword ptr [rcx],rax
21e3ee69  jne     nt! ?? ::FNODOBFM::`string'+0x2956 (fffff803`21e3eef1)

nt! ?? ::FNODOBFM::`string'+0x28c4:
21e3ee6f  mov     qword ptr [rcx],rdx
21e3ee72  mov     qword ptr [rdx+8],rcx

This illustration shows the three list elements and where the links are set or referenced:
CcSetFileSizesEx_6.png

There is a seventh occurrence of RemoveEntryList here:

nt! ?? ::FNODOBFM::`string'+0x28fa:
21e3eea1  add     rsi,88h
21e3eea8  mov     rcx,qword ptr [rsi]
21e3eeab  mov     rax,qword ptr [rsi+8]
21e3eeaf  cmp     qword ptr [rcx+8],rsi
21e3eeb3  jne     nt! ?? ::FNODOBFM::`string'+0x294f (fffff803`21e3eeea)

nt! ?? ::FNODOBFM::`string'+0x2912:
21e3eeb5  cmp     qword ptr [rax],rsi
21e3eeb8  jne     nt! ?? ::FNODOBFM::`string'+0x294f (fffff803`21e3eeea)

nt! ?? ::FNODOBFM::`string'+0x291b:
21e3eeba  mov     qword ptr [rax],rcx
21e3eebd  mov     qword ptr [rcx+8],rax

This illustration shows the three list elements and where the links are set or referenced:
CcSetFileSizesEx_7.png

There is an eighth occurrence of RemoveEntryList here:

nt! ?? ::FNODOBFM::`string'+0x295d:
21e3eef8  mov     rdx,qword ptr [rsi+78h]
21e3eefc  lea     rax,[rsi+78h]
21e3ef00  mov     rcx,qword ptr [rax+8]
21e3ef04  cmp     qword ptr [rdx+8],rax
21e3ef08  jne     nt! ?? ::FNODOBFM::`string'+0x29c5 (fffff803`21e3ef54)

nt! ?? ::FNODOBFM::`string'+0x2973:
21e3ef0a  cmp     qword ptr [rcx],rax
21e3ef0d  jne     nt! ?? ::FNODOBFM::`string'+0x29c5 (fffff803`21e3ef54)

nt! ?? ::FNODOBFM::`string'+0x297c:
21e3ef0f  mov     qword ptr [rcx],rdx
21e3ef12  mov     qword ptr [rdx+8],rcx

This illustration shows the three list elements and where the links are set or referenced:
CcSetFileSizesEx_8.png

► CmShutdownSystem

The following lines are RemoveEntryList:

nt!CmShutdownSystem+0x2b0:
221a4260  mov     rcx,qword ptr [rsi]
221a4263  mov     rax,qword ptr [rsi+8]
221a4267  cmp     qword ptr [rcx+8],rsi
221a426b  jne     nt!CmShutdownSystem+0x4d2 (fffff803`221a4482)

nt!CmShutdownSystem+0x2c1:
221a4271  cmp     qword ptr [rax],rsi
221a4274  jne     nt!CmShutdownSystem+0x4d2 (fffff803`221a4482)

nt!CmShutdownSystem+0x2ca:
221a427a  mov     qword ptr [rax],rcx
221a427d  mov     qword ptr [rcx+8],rax

This illustration shows the three list elements and where the links are set or referenced:
CmShutdownSystem.png

► CmUnRegisterCallback

The following lines are RemoveEntryList:

nt!CmUnRegisterCallback+0xaf:
2218793f  mov     rcx,qword ptr [rdi]
22187942  mov     rax,qword ptr [rdi+8]
22187946  cmp     qword ptr [rcx+8],rdi
2218794a  jne     nt! ?? ::NNGAKEGL::`string'+0x5241 (fffff803`222419f5)

nt!CmUnRegisterCallback+0xc0:
22187950  cmp     qword ptr [rax],rdi
22187953  jne     nt! ?? ::NNGAKEGL::`string'+0x5241 (fffff803`222419f5)

nt!CmUnRegisterCallback+0xc9:
22187959  mov     qword ptr [rax],rcx
2218795c  mov     qword ptr [rcx+8],rax

This illustration shows the three list elements and where the links are set or referenced:
CmUnRegisterCallback.png

There is a second occurrence of RemoveEntryList here:

nt! ?? ::NNGAKEGL::`string'+0x5176:
2224192a  mov     rcx,qword ptr [rdi]
2224192d  mov     rax,qword ptr [rdi+8]
22241931  cmp     qword ptr [rcx+8],rdi
22241935  jne     nt! ?? ::NNGAKEGL::`string'+0x5214 (fffff803`222419c8)

nt! ?? ::NNGAKEGL::`string'+0x5187:
2224193b  cmp     qword ptr [rax],rdi
2224193e  jne     nt! ?? ::NNGAKEGL::`string'+0x5214 (fffff803`222419c8)

nt! ?? ::NNGAKEGL::`string'+0x5190:
22241944  mov     qword ptr [rax],rcx
22241947  mov     qword ptr [rcx+8],rax

This illustration shows the three list elements and where the links are set or referenced:
CmUnRegisterCallback_2.png

There is a third occurrence of RemoveEntryList here:

nt! ?? ::NNGAKEGL::`string'+0x52fe:
22241aae  lea     rax,[r15+10h]
22241ab2  mov     rdx,qword ptr [rax]
22241ab5  mov     rcx,qword ptr [rax+8]
22241ab9  cmp     qword ptr [rdx+8],rax
22241abd  jne     nt! ?? ::NNGAKEGL::`string'+0x53a4 (fffff803`22241b4c)

nt! ?? ::NNGAKEGL::`string'+0x5313:
22241ac3  cmp     qword ptr [rcx],rax
22241ac6  jne     nt! ?? ::NNGAKEGL::`string'+0x53a4 (fffff803`22241b4c)

nt! ?? ::NNGAKEGL::`string'+0x531c:
22241acc  mov     qword ptr [rcx],rdx
22241acf  mov     qword ptr [rdx+8],rcx

This illustration shows the three list elements and where the links are set or referenced:
CmUnRegisterCallback_3.png

► CmpCallCallBacks

The following lines are RemoveEntryList:

nt! ?? ::NNGAKEGL::`string'+0x55d6:
22241d81  mov     rcx,qword ptr [r8]
22241d84  mov     rax,qword ptr [r8+8]
22241d88  cmp     qword ptr [rcx+8],r8
22241d8c  jne     nt! ?? ::NNGAKEGL::`string'+0x569d (fffff803`22241e35)

nt! ?? ::NNGAKEGL::`string'+0x55e7:
22241d92  cmp     qword ptr [rax],r8
22241d95  jne     nt! ?? ::NNGAKEGL::`string'+0x569d (fffff803`22241e35)

nt! ?? ::NNGAKEGL::`string'+0x55f0:
22241d9b  mov     qword ptr [rax],rcx
22241d9e  mov     qword ptr [rcx+8],rax

This illustration shows the three list elements and where the links are set or referenced:
CmpCallCallBacks.png

► CmpPostApc

The following lines are RemoveEntryList:

nt!CmpPostApc+0x110:
2206ed48  lea     rax,[rbx+10h]
2206ed4c  mov     rdx,qword ptr [rax]
2206ed4f  mov     rcx,qword ptr [rax+8]
2206ed53  cmp     qword ptr [rdx+8],rax
2206ed57  jne     nt! ?? ::NNGAKEGL::`string'+0xe402 (fffff803`222491e4)

nt!CmpPostApc+0x125:
2206ed5d  cmp     qword ptr [rcx],rax
2206ed60  jne     nt! ?? ::NNGAKEGL::`string'+0xe402 (fffff803`222491e4)

nt!CmpPostApc+0x12e:
2206ed66  mov     qword ptr [rcx],rdx
2206ed69  mov     qword ptr [rdx+8],rcx

This illustration shows the three list elements and where the links are set or referenced:
CmpPostApc.png

There is a second occurrence of RemoveEntryList here:

2206ed94  mov     r8,qword ptr [rax]
2206ed97  mov     rdx,qword ptr [rax+8]
2206ed9b  cmp     qword ptr [r8+8],rax
2206ed9f  jne     nt!CmpPostApc+0x1a0 (fffff803`2206edd8)

nt!CmpPostApc+0x169:
2206eda1  cmp     qword ptr [rdx],rax
2206eda4  jne     nt!CmpPostApc+0x1a0 (fffff803`2206edd8)

nt!CmpPostApc+0x16e:
2206eda6  mov     qword ptr [rdx],r8
2206eda9  mov     qword ptr [r8+8],rdx

This illustration shows the three list elements and where the links are set or referenced:
CmpPostApc_2.png

There is a third occurrence of RemoveEntryList here:

2206edb1  mov     r8,qword ptr [rdx]
2206edb4  mov     rax,qword ptr [rdx+8]
2206edb8  cmp     qword ptr [r8+8],rdx
2206edbc  jne     nt!CmpPostApc+0x199 (fffff803`2206edd1)

nt!CmpPostApc+0x186:
2206edbe  cmp     qword ptr [rax],rdx
2206edc1  jne     nt!CmpPostApc+0x199 (fffff803`2206edd1)

nt!CmpPostApc+0x18b:
2206edc3  mov     qword ptr [rax],r8
2206edc6  mov     qword ptr [r8+8],rax

This illustration shows the three list elements and where the links are set or referenced:
CmpPostApc_3.png

► ExFreePoolWithTag

The following lines are RemoveEntryList:

nt!ExFreePoolWithTag+0x9a6:
21ee3b06  mov     r8,qword ptr [r13+10h]
21ee3b0a  mov     rdx,qword ptr [r13+18h]
21ee3b0e  lea     rax,[r13+10h]
21ee3b12  cmp     qword ptr [r8+8],rax
21ee3b16  jne     nt!ExFreePool+0x946 (fffff803`21ee4a2c)

nt!ExFreePoolWithTag+0x9bc:
21ee3b1c  cmp     qword ptr [rdx],rax
21ee3b1f  jne     nt!ExFreePool+0x946 (fffff803`21ee4a2c)

nt!ExFreePoolWithTag+0x9c5:
21ee3b25  mov     qword ptr [rdx],r8
21ee3b28  mov     qword ptr [r8+8],rdx

This illustration shows the three list elements and where the links are set or referenced:
ExFreePoolWithTag.png

There is a second occurrence of RemoveEntryList here:

nt!ExFreePoolWithTag+0xf2c:
21ee408c  mov     rdx,qword ptr [r8+10h]
21ee4090  mov     rcx,qword ptr [r8+18h]
21ee4094  lea     rax,[r8+10h]
21ee4098  cmp     qword ptr [rdx+8],rax
21ee409c  jne     nt!ExFreePool+0xc08 (fffff803`21ee4cca)

nt!ExFreePoolWithTag+0xf42:
21ee40a2  cmp     qword ptr [rcx],rax
21ee40a5  jne     nt!ExFreePool+0xc08 (fffff803`21ee4cca)

nt!ExFreePoolWithTag+0xf4b:
21ee40ab  mov     qword ptr [rcx],rdx
21ee40ae  mov     qword ptr [rdx+8],rcx

This illustration shows the three list elements and where the links are set or referenced:
ExFreePoolWithTag_2.png

There is a third occurrence of RemoveEntryList here:

nt!ExFreePool+0xc1b:
21ee4cd9  mov     r8,qword ptr [rcx+10h]
21ee4cdd  mov     rdx,qword ptr [rcx+18h]
21ee4ce1  lea     rax,[rcx+10h]
21ee4ce5  cmp     qword ptr [r8+8],rax
21ee4ce9  jne     nt!ExFreePool+0xc55 (fffff803`21ee4d0b)

nt!ExFreePool+0xc31:
21ee4ceb  cmp     qword ptr [rdx],rax
21ee4cee  jne     nt!ExFreePool+0xc55 (fffff803`21ee4d0b)

nt!ExFreePool+0xc3a:
21ee4cf0  mov     qword ptr [rdx],r8
21ee4cf3  mov     qword ptr [r8+8],rdx

This illustration shows the three list elements and where the links are set or referenced:
ExFreePoolWithTag_3.png

► ExQueueWorkItem

The following lines are RemoveEntryList:

nt!ExQueueWorkItem+0x144:
21d05814  mov     rdx,rsi
21d05817  mov     rsi,qword ptr [rdx+8]
21d0581b  mov     r8,qword ptr [rdx]
21d0581e  cmp     qword ptr [r8+8],rdx
21d05822  jne     nt!ExQueueWorkItem+0x485 (fffff803`21d05b43)

nt!ExQueueWorkItem+0x158:
21d05828  cmp     qword ptr [rsi],rdx
21d0582b  jne     nt!ExQueueWorkItem+0x485 (fffff803`21d05b43)

nt!ExQueueWorkItem+0x161:
21d05831  mov     qword ptr [rsi],r8
21d05834  mov     qword ptr [r8+8],rsi

This illustration shows the three list elements and where the links are set or referenced:
ExQueueWorkItem.png

There is a second occurrence of RemoveEntryList here:

nt! ?? ::FNODOBFM::`string'+0x4d452:
21e71a79  mov     rdx,qword ptr [rsi]
21e71a7c  mov     rax,qword ptr [rsi+8]
21e71a80  cmp     qword ptr [rdx+8],rsi
21e71a84  jne     nt! ?? ::FNODOBFM::`string'+0x4d55e (fffff803`21e71b7d)

nt! ?? ::FNODOBFM::`string'+0x4d463:
21e71a8a  cmp     qword ptr [rax],rsi
21e71a8d  jne     nt! ?? ::FNODOBFM::`string'+0x4d55e (fffff803`21e71b7d)

nt! ?? ::FNODOBFM::`string'+0x4d46c:
21e71a93  mov     qword ptr [rax],rdx
21e71a96  mov     qword ptr [rdx+8],rax

This illustration shows the three list elements and where the links are set or referenced:
ExQueueWorkItem_2.png

► ExTimerRundown

The following lines are RemoveEntryList:

21d575dd  mov     rdx,qword ptr [rax]
21d575e0  mov     rcx,qword ptr [rax+8]
21d575e4  cmp     qword ptr [rdx+8],rax
21d575e8  jne     nt! ?? ::FNODOBFM::`string'+0x4e595 (fffff803`21e72a8b)

nt!ExTimerRundown+0x14e:
21d575ee  cmp     qword ptr [rcx],rax
21d575f1  jne     nt! ?? ::FNODOBFM::`string'+0x4e595 (fffff803`21e72a8b)

nt!ExTimerRundown+0x157:
21d575f7  mov     qword ptr [rcx],rdx
21d575fa  mov     qword ptr [rdx+8],rcx

This illustration shows the three list elements and where the links are set or referenced:
ExTimerRundown.png

► ExpDeleteTimer

The following lines are RemoveEntryList:

nt!ExpDeleteTimer+0xc0:
21d69bcc  mov     rcx,qword ptr [rdi]
21d69bcf  mov     rax,qword ptr [rdi+8]
21d69bd3  cmp     qword ptr [rcx+8],rdi
21d69bd7  jne     nt! ?? ::FNODOBFM::`string'+0x4e437 (fffff803`21d84597)

nt!ExpDeleteTimer+0xd1:
21d69bdd  cmp     qword ptr [rax],rdi
21d69be0  jne     nt! ?? ::FNODOBFM::`string'+0x4e437 (fffff803`21d84597)

nt!ExpDeleteTimer+0xda:
21d69be6  mov     qword ptr [rax],rcx
21d69be9  mov     qword ptr [rcx+8],rax

This illustration shows the three list elements and where the links are set or referenced:
ExpDeleteTimer.png

There is a second occurrence of RemoveEntryList here:

nt!ExpDeleteTimer+0x129:
21d69c35  mov     rdx,qword ptr [r14]
21d69c38  mov     rax,qword ptr [r14+8]
21d69c3c  cmp     qword ptr [rdx+8],r14
21d69c40  jne     nt!ExpDeleteTimer+0x19d (fffff803`21d69ca9)

nt!ExpDeleteTimer+0x136:
21d69c42  cmp     qword ptr [rax],r14
21d69c45  jne     nt!ExpDeleteTimer+0x19d (fffff803`21d69ca9)

nt!ExpDeleteTimer+0x13b:
21d69c47  mov     qword ptr [rax],rdx
21d69c4a  mov     qword ptr [rdx+8],rax

This illustration shows the three list elements and where the links are set or referenced:
ExpDeleteTimer_2.png

► ExpSetTimer

The following lines are RemoveEntryList:

nt! ?? ::FNODOBFM::`string'+0x4df49:
21e72548  lea     rax,[rdi+0E0h]
21e7254f  mov     r8,qword ptr [rax]
21e72552  mov     rdx,qword ptr [rax+8]
21e72556  cmp     qword ptr [r8+8],rax
21e7255a  jne     nt! ?? ::FNODOBFM::`string'+0x4dfd3 (fffff803`21e725c3)

nt! ?? ::FNODOBFM::`string'+0x4df61:
21e7255c  cmp     qword ptr [rdx],rax
21e7255f  jne     nt! ?? ::FNODOBFM::`string'+0x4dfd3 (fffff803`21e725c3)

nt! ?? ::FNODOBFM::`string'+0x4df6a:
21e72561  mov     qword ptr [rdx],r8
21e72564  mov     qword ptr [r8+8],rdx

This illustration shows the three list elements and where the links are set or referenced:
ExpSetTimer.png

► IoDeleteDevice

The following lines are RemoveEntryList:

nt! ?? ::FNODOBFM::`string'+0xa9cc:
21e454e0  lea     rax,[rdi+8]
21e454e4  mov     rdx,qword ptr [rax]
21e454e7  mov     rcx,qword ptr [rax+8]
21e454eb  cmp     qword ptr [rdx+8],rax
21e454ef  jne     nt! ?? ::FNODOBFM::`string'+0xaa34 (fffff803`21e45548)

nt! ?? ::FNODOBFM::`string'+0xa9dd:
21e454f1  cmp     qword ptr [rcx],rax
21e454f4  jne     nt! ?? ::FNODOBFM::`string'+0xaa34 (fffff803`21e45548)

nt! ?? ::FNODOBFM::`string'+0xa9e2:
21e454f6  mov     qword ptr [rcx],rdx
21e454f9  mov     qword ptr [rdx+8],rcx

This illustration shows the three list elements and where the links are set or referenced:
IoDeleteDevice.png

► IoUnregisterFsRegistrationChange

The following lines are RemoveEntryList:

nt!IoUnregisterFsRegistrationChange+0xac:
221be4cc  mov     rdx,qword ptr [rcx]
221be4cf  mov     rax,qword ptr [rcx+8]
221be4d3  cmp     qword ptr [rdx+8],rcx
221be4d7  jne     nt!IoUnregisterFsRegistrationChange+0xce (fffff803`221be4ee)

nt!IoUnregisterFsRegistrationChange+0xb9:
221be4d9  cmp     qword ptr [rax],rcx
221be4dc  jne     nt!IoUnregisterFsRegistrationChange+0xce (fffff803`221be4ee)

nt!IoUnregisterFsRegistrationChange+0xbe:
221be4de  mov     qword ptr [rax],rdx
221be4e1  mov     qword ptr [rdx+8],rax

This illustration shows the three list elements and where the links are set or referenced:
IoUnregisterFsRegistrationChange.png

There is a second occurrence of RemoveEntryList here:

nt!IoUnregisterFileSystem+0x40:
221be540  mov     rcx,qword ptr [r11]
221be543  mov     rax,qword ptr [r11+8]
221be547  cmp     qword ptr [rcx+8],r11
221be54b  jne     nt!IoUnregisterFileSystem+0x69 (fffff803`221be569)

nt!IoUnregisterFileSystem+0x4d:
221be54d  cmp     qword ptr [rax],r11
221be550  jne     nt!IoUnregisterFileSystem+0x69 (fffff803`221be569)

nt!IoUnregisterFileSystem+0x52:
221be552  mov     qword ptr [rax],rcx
221be555  mov     qword ptr [rcx+8],rax

This illustration shows the three list elements and where the links are set or referenced:
IoUnregisterFsRegistrationChange_2.png

► IopfCompleteRequest

The following lines are RemoveEntryList:

21c8414c  mov     rdx,qword ptr [rcx]
21c8414f  mov     qword ptr [rbp+67h],rax
21c84153  mov     rax,qword ptr [rcx+8]
21c84157  cmp     qword ptr [rdx+8],rcx
21c8415b  jne     nt! ?? ::FNODOBFM::`string'+0xadd6 (fffff803`21c841d3)

nt! ?? ::FNODOBFM::`string'+0xad4a:
21c8415d  cmp     qword ptr [rax],rcx
21c84160  jne     nt! ?? ::FNODOBFM::`string'+0xadd6 (fffff803`21c841d3)

nt! ?? ::FNODOBFM::`string'+0xad53:
21c84162  mov     qword ptr [rax],rdx
21c84165  mov     qword ptr [rdx+8],rax

This illustration shows the three list elements and where the links are set or referenced:
IopfCompleteRequest.png

There is a second occurrence of RemoveEntryList here:

nt! ?? ::FNODOBFM::`string'+0xaf7c:
21c84369  mov     rdx,qword ptr [rsi]
21c8436c  mov     rax,qword ptr [rsi+8]
21c84370  cmp     qword ptr [rdx+8],rsi
21c84374  jne     nt! ?? ::FNODOBFM::`string'+0xaff8 (fffff803`21c843dd)

nt! ?? ::FNODOBFM::`string'+0xaf8d:
21c84376  cmp     qword ptr [rax],rsi
21c84379  jne     nt! ?? ::FNODOBFM::`string'+0xaff8 (fffff803`21c843dd)

nt! ?? ::FNODOBFM::`string'+0xaf96:
21c8437b  mov     qword ptr [rax],rdx
21c8437e  mov     qword ptr [rdx+8],rax

This illustration shows the three list elements and where the links are set or referenced:
IopfCompleteRequest_2.png

There is a third occurrence of RemoveEntryList here:

nt! ?? ::FNODOBFM::`string'+0xb2ad:
21c8466f  mov     rdx,qword ptr [rcx]
21c84672  mov     rax,qword ptr [rcx+8]
21c84676  cmp     qword ptr [rdx+8],rcx
21c8467a  jne     nt! ?? ::FNODOBFM::`string'+0xb2f7 (fffff803`21c846b1)

nt! ?? ::FNODOBFM::`string'+0xb2be:
21c8467c  cmp     qword ptr [rax],rcx
21c8467f  jne     nt! ?? ::FNODOBFM::`string'+0xb2f7 (fffff803`21c846b1)

nt! ?? ::FNODOBFM::`string'+0xb2c7:
21c84681  mov     qword ptr [rax],rdx
21c84684  mov     qword ptr [rdx+8],rax

This illustration shows the three list elements and where the links are set or referenced:
IopfCompleteRequest_3.png

There is a fourth occurrence of RemoveEntryList here:

nt!KiScanReadyThreads+0xfe:
21c847da  lea     r8,[r10+0D8h]
21c847e1  mov     rcx,qword ptr [r8]
21c847e4  mov     rax,qword ptr [r8+8]
21c847e8  cmp     qword ptr [rcx+8],r8
21c847ec  jne     nt! ?? ::FNODOBFM::`string'+0x18b1e (fffff803`21dc04fc)

nt!KiScanReadyThreads+0x116:
21c847f2  cmp     qword ptr [rax],r8
21c847f5  jne     nt! ?? ::FNODOBFM::`string'+0x18b1e (fffff803`21dc04fc)

nt!KiScanReadyThreads+0x11f:
21c847fb  mov     qword ptr [rax],rcx
21c847fe  mov     qword ptr [rcx+8],rax

This illustration shows the three list elements and where the links are set or referenced:
IopfCompleteRequest_4.png

There is a fifth occurrence of RemoveEntryList here:

nt!IopfCompleteRequest+0x34f:
21cfde4f  mov     rcx,qword ptr [rbx]
21cfde52  mov     rax,qword ptr [rbx+8]
21cfde56  cmp     qword ptr [rcx+8],rbx
21cfde5a  jne     nt!IopfCompleteRequest+0x11cc (fffff803`21cfecbc)

nt!IopfCompleteRequest+0x360:
21cfde60  cmp     qword ptr [rax],rbx
21cfde63  jne     nt!IopfCompleteRequest+0x11cc (fffff803`21cfecbc)

nt!IopfCompleteRequest+0x369:
21cfde69  mov     qword ptr [rax],rcx
21cfde6c  mov     qword ptr [rcx+8],rax

This illustration shows the three list elements and where the links are set or referenced:
IopfCompleteRequest_5.png

There is a sixth occurrence of RemoveEntryList here:

nt!IopfCompleteRequest+0x798:
21cfe296  mov     rdx,qword ptr [r8]
21cfe299  mov     rcx,qword ptr [r8+8]
21cfe29d  mov     r12,r8
21cfe2a0  mov     qword ptr [rbp-29h],rcx
21cfe2a4  cmp     qword ptr [rdx+8],r8
21cfe2a8  jne     nt!IopfCompleteRequest+0xf88 (fffff803`21cfea7e)

nt!IopfCompleteRequest+0x7b0:
21cfe2ae  cmp     qword ptr [rcx],r8
21cfe2b1  jne     nt!IopfCompleteRequest+0xf88 (fffff803`21cfea7e)

nt!IopfCompleteRequest+0x7b9:
21cfe2b7  mov     qword ptr [rcx],rdx
21cfe2ba  xor     r14b,r14b
21cfe2bd  mov     qword ptr [rdx+8],rcx

This illustration shows the three list elements and where the links are set or referenced:
IopfCompleteRequest_6.png

There is a seventh occurrence of RemoveEntryList here:

nt!IopfCompleteRequest+0x844:
21cfe342  lea     rax,[rsi+0D8h]
21cfe349  mov     rdx,qword ptr [rax]
21cfe34c  mov     rcx,qword ptr [rax+8]
21cfe350  cmp     qword ptr [rdx+8],rax
21cfe354  jne     nt!IopfCompleteRequest+0x1082 (fffff803`21cfeb7a)

nt!IopfCompleteRequest+0x85c:
21cfe35a  cmp     qword ptr [rcx],rax
21cfe35d  jne     nt!IopfCompleteRequest+0x1082 (fffff803`21cfeb7a)

nt!IopfCompleteRequest+0x865:
21cfe363  mov     qword ptr [rcx],rdx
21cfe366  mov     qword ptr [rdx+8],rcx

This illustration shows the three list elements and where the links are set or referenced:
IopfCompleteRequest_7.png

► KeDeregisterBugCheckCallback

The following lines are RemoveEntryList:

nt!KeDeregisterBugCheckCallback+0x5a:
21dee412  mov     rcx,qword ptr [rbx]
21dee415  mov     rax,qword ptr [rbx+8]
21dee419  mov     byte ptr [rbx+38h],dil
21dee41d  cmp     qword ptr [rcx+8],rbx
21dee421  jne     nt!KeDeregisterBugCheckCallback+0x99 (fffff803`21dee451)

nt!KeDeregisterBugCheckCallback+0x6b:
21dee423  cmp     qword ptr [rax],rbx
21dee426  jne     nt!KeDeregisterBugCheckCallback+0x99 (fffff803`21dee451)

nt!KeDeregisterBugCheckCallback+0x70:
21dee428  mov     qword ptr [rax],rcx
21dee42b  mov     dil,1
21dee42e  mov     qword ptr [rcx+8],rax

This illustration shows the three list elements and where the links are set or referenced:
KeDeregisterBugCheckCallback.png

► KeDeregisterObjectNotification

The following lines are RemoveEntryList:

nt!KeDeregisterObjectNotification+0x41:
21d78b51  mov     rcx,qword ptr [rdi]
21d78b54  mov     rax,qword ptr [rdi+8]
21d78b58  cmp     qword ptr [rcx+8],rdi
21d78b5c  jne     nt!KeDeregisterObjectNotification+0x8c (fffff803`21d78b9c)

nt!KeDeregisterObjectNotification+0x4e:
21d78b5e  cmp     qword ptr [rax],rdi
21d78b61  jne     nt!KeDeregisterObjectNotification+0x8c (fffff803`21d78b9c)

nt!KeDeregisterObjectNotification+0x53:
21d78b63  mov     qword ptr [rax],rcx
21d78b66  mov     qword ptr [rcx+8],rax

This illustration shows the three list elements and where the links are set or referenced:
KeDeregisterObjectNotification.png
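
The check-then-unlink sequence that recurs in these listings, modeled in portable C as an added example (not code from the book or from the original post). The `record` type, the function names and the return codes are assumptions of this model; the `jne` targets are not shown in the post, so the failure branch here just returns an error code.

```c
#include <stdio.h>

/* x64 LIST_ENTRY layout used by every listing: Flink at +0, Blink at +8. */
typedef struct list_entry {
    struct list_entry *flink;                 /* [entry]   */
    struct list_entry *blink;                 /* [entry+8] */
} list_entry;

/* Hypothetical record with links at a non-zero offset (cf. "lea rax,[reg+offset]"). */
typedef struct record {
    int        id;
    list_entry links;
} record;

enum remove_result { REMOVE_CORRUPT = -1, REMOVE_OK = 0, REMOVE_OK_NOW_EMPTY = 1 };
static void init_list_head(list_entry *head) { head->flink = head->blink = head; }

static void insert_tail(list_entry *head, list_entry *entry)
{
    list_entry *last = head->blink;
    entry->flink = head;
    entry->blink = last;
    last->flink  = entry;
    head->blink  = entry;
}

/* Checked unlink; comments quote the KeDeregisterObjectNotification listing (entry = rdi). */
static enum remove_result checked_remove_entry(list_entry *entry)
{
    list_entry *next = entry->flink;          /* mov rcx,[rdi]              */
    list_entry *prev = entry->blink;          /* mov rax,[rdi+8]            */
    if (next->blink != entry)                 /* cmp [rcx+8],rdi ; jne fail */
        return REMOVE_CORRUPT;
    if (prev->flink != entry)                 /* cmp [rax],rdi   ; jne fail */
        return REMOVE_CORRUPT;

    prev->flink = next;                       /* mov [rax],rcx              */
    next->blink = prev;                       /* mov [rcx+8],rax            */
    return next == prev ? REMOVE_OK_NOW_EMPTY : REMOVE_OK;
}

/* Constructed case 1: intact list head <-> a <-> b <-> c; unlink b, then a, then c. */
static int demo_intact(void)
{
    list_entry head;
    record a = { .id = 1 }, b = { .id = 2 }, c = { .id = 3 };
    init_list_head(&head);
    insert_tail(&head, &a.links);
    insert_tail(&head, &b.links);
    insert_tail(&head, &c.links);
    return checked_remove_entry(&b.links) == REMOVE_OK
        && a.links.flink == &c.links && c.links.blink == &a.links
        && checked_remove_entry(&a.links) == REMOVE_OK
        && checked_remove_entry(&c.links) == REMOVE_OK_NOW_EMPTY
        && head.flink == &head && head.blink == &head;
}

/* Constructed case 2: b's Blink was overwritten; the unlink must refuse and write nothing. */
static int demo_corrupt(void)
{
    list_entry head, stray = { NULL, NULL };
    record a = { .id = 1 }, b = { .id = 2 }, c = { .id = 3 };
    init_list_head(&head);
    insert_tail(&head, &a.links);
    insert_tail(&head, &b.links);
    insert_tail(&head, &c.links);
    b.links.blink = &stray;                   /* simulated memory corruption */
    return checked_remove_entry(&b.links) == REMOVE_CORRUPT
        && stray.flink == NULL && stray.blink == NULL
        && a.links.flink == &b.links && c.links.blink == &b.links;
}

int main(void)
{
    printf("intact list:  %s\n", demo_intact()  ? "unlinked" : "unexpected");
    printf("corrupt list: %s\n", demo_corrupt() ? "refused"  : "unexpected");
    return 0;
}
```

Both comparisons run before either store, so a mismatched neighbour pointer leaves every link untouched.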

► KeRegisterObjectNotification

The following lines are RemoveEntryList:

nt!KeRegisterObjectNotification+0x134:
21d2a0e8  mov     rdx,r14
21d2a0eb  mov     r14,qword ptr [r14+8]
21d2a0ef  mov     r8,qword ptr [rdx]
21d2a0f2  cmp     qword ptr [r8+8],rdx
21d2a0f6  jne     nt!KeRegisterObjectNotification+0x252 (fffff803`21d2a206)

nt!KeRegisterObjectNotification+0x148:
21d2a0fc  cmp     qword ptr [r14],rdx
21d2a0ff  jne     nt!KeRegisterObjectNotification+0x252 (fffff803`21d2a206)

nt!KeRegisterObjectNotification+0x151:
21d2a105  mov     qword ptr [r14],r8
21d2a108  mov     qword ptr [r8+8],r14

This illustration shows the three list elements and where the links are set or referenced:
KeRegisterObjectNotification.png

There is a second occurrence of RemoveEntryList here:

nt!KeDeregisterObjectNotification+0x41:
21d78b51  mov     rcx,qword ptr [rdi]
21d78b54  mov     rax,qword ptr [rdi+8]
21d78b58  cmp     qword ptr [rcx+8],rdi
21d78b5c  jne     nt!KeDeregisterObjectNotification+0x8c (fffff803`21d78b9c)

nt!KeDeregisterObjectNotification+0x4e:
21d78b5e  cmp     qword ptr [rax],rdi
21d78b61  jne     nt!KeDeregisterObjectNotification+0x8c (fffff803`21d78b9c)

nt!KeDeregisterObjectNotification+0x53:
21d78b63  mov     qword ptr [rax],rcx
21d78b66  mov     qword ptr [rcx+8],rax

This illustration shows the three list elements and where the links are set or referenced:
KeRegisterObjectNotification_2.png

► KeRemoveQueueApc

The following lines are RemoveEntryList:

21cae802  mov     rcx,qword ptr [r9]
21cae805  mov     r8,qword ptr [rdi+rax*8+248h]
21cae80d  mov     rax,qword ptr [r9+8]
21cae811  cmp     qword ptr [rcx+8],r9
21cae815  jne     nt!KeRemoveQueueApc+0xb0 (fffff803`21cae840)

nt!KeRemoveQueueApc+0x87:
21cae817  cmp     qword ptr [rax],r9
21cae81a  jne     nt!KeRemoveQueueApc+0xb0 (fffff803`21cae840)

nt!KeRemoveQueueApc+0x8c:
21cae81c  mov     qword ptr [rax],rcx
21cae81f  mov     qword ptr [rcx+8],rax

This illustration shows the three list elements and where the links are set or referenced:
KeRemoveQueueApc.png

There is a second occurrence of RemoveEntryList here:

nt!MiRemoveUnusedSubsection+0x3c:
21cae88c  lea     rax,[rdi+50h]
21cae890  mov     rdx,qword ptr [rax]
21cae893  mov     rcx,qword ptr [rax+8]
21cae897  cmp     qword ptr [rdx+8],rax
21cae89b  jne     nt!MiRemoveUnusedSubsection+0xa1 (fffff803`21cae8f1)

nt!MiRemoveUnusedSubsection+0x4d:
21cae89d  cmp     qword ptr [rcx],rax
21cae8a0  jne     nt!MiRemoveUnusedSubsection+0xa1 (fffff803`21cae8f1)

nt!MiRemoveUnusedSubsection+0x52:
21cae8a2  mov     qword ptr [rcx],rdx
21cae8a5  mov     qword ptr [rdx+8],rcx

This illustration shows the three list elements and where the links are set or referenced:
KeRemoveQueueApc_2.png

► KeRemoveQueueDpc

The following lines are RemoveEntryList:

nt! ?? ::FNODOBFM::`string'+0x12bdf:
21e4ae1f  dec     dword ptr [rdi+18h]
21e4ae22  lea     rcx,[rbp+8]
21e4ae26  mov     rdx,qword ptr [rcx]
21e4ae29  mov     rax,qword ptr [rcx+8]
21e4ae2d  cmp     qword ptr [rdx+8],rcx
21e4ae31  jne     nt! ?? ::FNODOBFM::`string'+0x12c2a (fffff803`21e4ae6a)

nt! ?? ::FNODOBFM::`string'+0x12bf3:
21e4ae33  cmp     qword ptr [rax],rcx
21e4ae36  jne     nt! ?? ::FNODOBFM::`string'+0x12c2a (fffff803`21e4ae6a)

nt! ?? ::FNODOBFM::`string'+0x12bf8:
21e4ae38  mov     qword ptr [rax],rdx
21e4ae3b  mov     qword ptr [rdx+8],rax

This illustration shows the three list elements and where the links are set or referenced:
KeRemoveQueueDpc.png

► KiCancelTimer

The following lines are RemoveEntryList:

nt!KiCancelTimer+0xd7:
21cf5837  mov     rcx,qword ptr [rbx+20h]
21cf583b  mov     rax,qword ptr [rbx+28h]
21cf583f  lea     rdx,[rbx+20h]
21cf5843  lea     r8,[r15+10h]
21cf5847  mov     r9,r15
21cf584a  shl     r8,5
21cf584e  cmp     qword ptr [rcx+8],rdx
21cf5852  jne     nt!KiCancelTimer+0x185 (fffff803`21cf58e5)

nt!KiCancelTimer+0xf8:
21cf5858  cmp     qword ptr [rax],rdx
21cf585b  jne     nt!KiCancelTimer+0x185 (fffff803`21cf58e5)

nt!KiCancelTimer+0x101:
21cf5861  mov     qword ptr [rax],rcx
21cf5864  mov     qword ptr [rcx+8],rax

This illustration shows the three list elements and where the links are set or referenced:
KiCancelTimer.png

► KeTerminateThread

The following lines are RemoveEntryList:

nt!KeTerminateThread+0xd7:
21d3c53b  lea     rax,[r15+238h]
21d3c542  mov     rdx,qword ptr [rax]
21d3c545  mov     rcx,qword ptr [rax+8]
21d3c549  cmp     qword ptr [rdx+8],rax
21d3c54d  jne     nt! ?? ::FNODOBFM::`string'+0xe416 (fffff803`21c86c76)

nt!KeTerminateThread+0xef:
21d3c553  cmp     qword ptr [rcx],rax
21d3c556  jne     nt! ?? ::FNODOBFM::`string'+0xe416 (fffff803`21c86c76)

nt!KeTerminateThread+0xf8:
21d3c55c  mov     qword ptr [rcx],rdx
21d3c55f  mov     qword ptr [rdx+8],rcx

This illustration shows the three list elements and where the links are set or referenced:
KeTerminateThread.png

There is a second occurrence of RemoveEntryList here:

nt!KeTerminateThread+0x148:
21d3c5ac  mov     rcx,qword ptr [r12]
21d3c5b0  mov     rax,qword ptr [r12+8]
21d3c5b5  cmp     qword ptr [rcx+8],r12
21d3c5b9  jne     nt! ?? ::FNODOBFM::`string'+0xe4f3 (fffff803`21c86d4f)

nt!KeTerminateThread+0x15b:
21d3c5bf  cmp     qword ptr [rax],r12
21d3c5c2  jne     nt! ?? ::FNODOBFM::`string'+0xe4f3 (fffff803`21c86d4f)

nt!KeTerminateThread+0x164:
21d3c5c8  mov     qword ptr [rax],rcx
21d3c5cb  mov     r12d,0FFFFFF7Fh
21d3c5d1  mov     qword ptr [rcx+8],rax

This illustration shows the three list elements and where the links are set or referenced:
KeTerminateThread_2.png

► KiDeliverApc

The following lines are RemoveEntryList:

nt!KiDeliverApc+0x10e:
21d4171e  mov     rcx,qword ptr [rdx]
21d41721  mov     rax,qword ptr [rdx+8]
21d41725  cmp     qword ptr [rcx+8],rdx
21d41729  jne     nt!KiDeliverApc+0x340 (fffff803`21d4194b)

nt!KiDeliverApc+0x11f:
21d4172f  cmp     qword ptr [rax],rdx
21d41732  jne     nt!KiDeliverApc+0x340 (fffff803`21d4194b)

nt!KiDeliverApc+0x128:
21d41738  mov     qword ptr [rax],rcx
21d4173b  mov     qword ptr [rcx+8],rax

This illustration shows the three list elements and where the links are set or referenced:
KiDeliverApc.png

There is a second occurrence of RemoveEntryList here:

nt!KiDeliverApc+0x17f:
21d4178f  mov     rcx,qword ptr [rdx]
21d41792  mov     rax,qword ptr [rdx+8]
21d41796  cmp     qword ptr [rcx+8],rdx
21d4179a  jne     nt!KiDeliverApc+0x370 (fffff803`21d41980)

nt!KiDeliverApc+0x190:
21d417a0  cmp     qword ptr [rax],rdx
21d417a3  jne     nt!KiDeliverApc+0x370 (fffff803`21d41980)

nt!KiDeliverApc+0x199:
21d417a9  mov     qword ptr [rax],rcx
21d417ac  mov     qword ptr [rcx+8],rax

This illustration shows the three list elements and where the links are set or referenced:
KiDeliverApc_2.png

There is a third occurrence of RemoveEntryList here:

nt!KiDeliverApc+0x256:
21d41868  prefetchw [rcx-10h]
21d4186c  mov     rax,qword ptr [rcx+20h]
21d41870  mov     r11,qword ptr [rcx+10h]
21d41874  mov     qword ptr [rbp+48h],rax
21d41878  mov     rax,qword ptr [rcx+28h]
21d4187c  mov     qword ptr [rbp-10h],rax
21d41880  mov     rax,qword ptr [rcx+30h]
21d41884  mov     qword ptr [rbp-18h],rax
21d41888  mov     rax,qword ptr [rcx+38h]
21d4188c  mov     qword ptr [rbp+50h],rax
21d41890  mov     rdx,qword ptr [rcx]
21d41893  mov     rax,qword ptr [rcx+8]
21d41897  cmp     qword ptr [rdx+8],rcx
21d4189b  jne     nt!KiDeliverApc+0x347 (fffff803`21d41952)

nt!KiDeliverApc+0x28f:
21d418a1  cmp     qword ptr [rax],rcx
21d418a4  jne     nt!KiDeliverApc+0x347 (fffff803`21d41952)

nt!KiDeliverApc+0x298:
21d418aa  mov     qword ptr [rax],rdx
21d418ad  mov     qword ptr [rdx+8],rax

This illustration shows the three list elements and where the links are set or referenced:
KiDeliverApc_3.png

► KiExecuteAllDpcs

The following lines are RemoveEntryList:

nt!KiExecuteAllDpcs+0xbc:
21cf4c1c  mov     rdx,qword ptr [rcx]
21cf4c1f  mov     rax,qword ptr [rcx+8]
21cf4c23  cmp     qword ptr [rdx+8],rcx
21cf4c27  jne     nt!KiExecuteAllDpcs+0x392 (fffff803`21cf4ef2)

nt!KiExecuteAllDpcs+0xcd:
21cf4c2d  cmp     qword ptr [rax],rcx
21cf4c30  jne     nt!KiExecuteAllDpcs+0x392 (fffff803`21cf4ef2)

nt!KiExecuteAllDpcs+0xd6:
21cf4c36  mov     qword ptr [rax],rdx
21cf4c39  mov     qword ptr [rdx+8],rax

This illustration shows the three list elements and where the links are set or referenced:
KiExecuteAllDpcs.png

► KiExpireTimerTable

The following lines are RemoveEntryList:

nt!KiExpireTimerTable+0x12a:
21cf3726  mov     rdx,qword ptr [r9+20h]
21cf372a  mov     rax,qword ptr [r9+28h]
21cf372e  lea     rcx,[r9+20h]
21cf3732  cmp     qword ptr [rdx+8],rcx
21cf3736  jne     nt!KiExpireTimerTable+0x1ff (fffff803`21cf37fb)

nt!KiExpireTimerTable+0x140:
21cf373c  cmp     qword ptr [rax],rcx
21cf373f  jne     nt!KiExpireTimerTable+0x1ff (fffff803`21cf37fb)

nt!KiExpireTimerTable+0x149:
21cf3745  mov     qword ptr [rax],rdx
21cf3748  mov     qword ptr [rdx+8],rax

This illustration shows the three list elements and where the links are set or referenced:
KiExpireTimerTable.png

► KiFindReadyThread

The following lines are RemoveEntryList:

nt!KiFindReadyThread+0x6e:
21cc0cca  mov     r8,qword ptr [rcx]
21cc0ccd  mov     rdx,qword ptr [rcx+8]
21cc0cd1  cmp     qword ptr [r8+8],rcx
21cc0cd5  jne     nt!KiFindReadyThread+0xe3 (fffff803`21cc0d3f)

nt!KiFindReadyThread+0x7b:
21cc0cd7  cmp     qword ptr [rdx],rcx
21cc0cda  jne     nt!KiFindReadyThread+0xe3 (fffff803`21cc0d3f)

nt!KiFindReadyThread+0x80:
21cc0cdc  mov     qword ptr [rdx],r8
21cc0cdf  mov     qword ptr [r8+8],rdx

This illustration shows the three list elements and where the links are set or referenced:
KiFindReadyThread.png

► KiFlushQueueApc

The following lines are RemoveEntryList:

21c88659  mov     rax,qword ptr [rcx]
21c8865c  cmp     rax,rcx
21c8865f  jne     nt! ?? ::FNODOBFM::`string'+0x14ef7 (fffff803`21c88665)

nt! ?? ::FNODOBFM::`string'+0x14ef3:
21c88661  xor     eax,eax
21c88663  jmp     nt! ?? ::FNODOBFM::`string'+0x14f23 (fffff803`21c88691)

nt! ?? ::FNODOBFM::`string'+0x14ef7:
21c88665  mov     rdx,qword ptr [rcx+8]
21c88669  cmp     qword ptr [rax+8],rcx
21c8866d  jne     nt! ?? ::FNODOBFM::`string'+0x14f38 (fffff803`21c886a6)

nt! ?? ::FNODOBFM::`string'+0x14f01:
21c8866f  cmp     qword ptr [rdx],rcx
21c88672  jne     nt! ?? ::FNODOBFM::`string'+0x14f38 (fffff803`21c886a6)

nt! ?? ::FNODOBFM::`string'+0x14f06:
21c88674  mov     qword ptr [rdx],rax
21c88677  mov     qword ptr [rax+8],rdx

This illustration shows the three list elements and where the links are set or referenced:
KiFlushQueueApc.png

► KiInsertTimerTable

The following lines are RemoveEntryList:

nt!KiInsertTimerTable+0x1ff:
21cf479f  mov     rcx,qword ptr [rsi]
21cf47a2  mov     rax,qword ptr [rsi+8]
21cf47a6  or      ebx,1
21cf47a9  cmp     qword ptr [rcx+8],rsi
21cf47ad  jne     nt! ?? ::FNODOBFM::`string'+0x17f68 (fffff803`21e4e262)

nt!KiInsertTimerTable+0x213:
21cf47b3  cmp     qword ptr [rax],rsi
21cf47b6  jne     nt! ?? ::FNODOBFM::`string'+0x17f68 (fffff803`21e4e262)

nt!KiInsertTimerTable+0x21c:
21cf47bc  mov     qword ptr [rax],rcx
21cf47bf  mov     qword ptr [rcx+8],rax

This illustration shows the three list elements and where the links are set or referenced:
KiInsertTimerTable.png

There is a second occurrence of RemoveEntryList here:

nt!KiAdjustTimerDueTimes+0x94:
21da65e4  lea     rcx,[r9+20h]
21da65e8  mov     rdx,qword ptr [rcx]
21da65eb  mov     rax,qword ptr [rcx+8]
21da65ef  cmp     qword ptr [rdx+8],rcx
21da65f3  jne     nt! ?? ::FNODOBFM::`string'+0x17fbb (fffff803`21e4e2bb)

nt!KiAdjustTimerDueTimes+0xa9:
21da65f9  cmp     qword ptr [rax],rcx
21da65fc  jne     nt! ?? ::FNODOBFM::`string'+0x17fbb (fffff803`21e4e2bb)

nt!KiAdjustTimerDueTimes+0xb2:
21da6602  mov     qword ptr [rax],rdx
21da6605  mov     qword ptr [rdx+8],rax

This illustration shows the three list elements and where the links are set or referenced:
KiInsertTimerTable_2.png

There is a third occurrence of RemoveEntryList here:

21da669f  mov     rdx,qword ptr [rax]
21da66a2  mov     rcx,qword ptr [rax+8]
21da66a6  cmp     qword ptr [rdx+8],rax
21da66aa  jne     nt! ?? ::FNODOBFM::`string'+0x17fe2 (fffff803`21e4e2e2)

nt!KiAdjustTimerDueTimes+0x160:
21da66b0  cmp     qword ptr [rcx],rax
21da66b3  jne     nt! ?? ::FNODOBFM::`string'+0x17fe2 (fffff803`21e4e2e2)

nt!KiAdjustTimerDueTimes+0x169:
21da66b9  mov     qword ptr [rcx],rdx
21da66bc  mov     qword ptr [rdx+8],rcx

This illustration shows the three list elements and where the links are set or referenced:
KiInsertTimerTable_3.png

► KiProcessExpiredTimerList

The following lines are RemoveEntryList:

nt!KiProcessExpiredTimerList+0x12e:
21cf513e  mov     rcx,qword ptr [rbx]
21cf5141  mov     rax,qword ptr [rbx+8]
21cf5145  cmp     qword ptr [rcx+8],rbx
21cf5149  jne     nt!KiProcessExpiredTimerList+0x457 (fffff803`21cf5467)

nt!KiProcessExpiredTimerList+0x13f:
21cf514f  cmp     qword ptr [rax],rbx
21cf5152  jne     nt!KiProcessExpiredTimerList+0x457 (fffff803`21cf5467)

nt!KiProcessExpiredTimerList+0x148:
21cf5158  mov     qword ptr [rax],rcx
21cf515b  mov     qword ptr [rcx+8],rax

This illustration shows the three list elements and where the links are set or referenced:
KiProcessExpiredTimerList.png

There is a second occurrence of RemoveEntryList here:

nt!KiProcessExpiredTimerList+0x360:
21cf5370  mov     rcx,qword ptr [rbx]
21cf5373  mov     rax,qword ptr [rbx+8]
21cf5377  cmp     qword ptr [rcx+8],rbx
21cf537b  jne     nt!KiProcessExpiredTimerList+0x497 (fffff803`21cf54a7)

nt!KiProcessExpiredTimerList+0x371:
21cf5381  cmp     qword ptr [rax],rbx
21cf5384  jne     nt!KiProcessExpiredTimerList+0x497 (fffff803`21cf54a7)

nt!KiProcessExpiredTimerList+0x37a:
21cf538a  mov     qword ptr [rax],rcx
21cf538d  mov     qword ptr [rcx+8],rax

This illustration shows the three list elements and where the links are set or referenced:
KiProcessExpiredTimerList_2.png

► MiDeleteVirtualAddresses

(no instance of RemoveEntryList found)

► NtNotifyChangeMultipleKeys

The following lines are RemoveEntryList:

220736e1  mov     rdx,qword ptr [rcx]
220736e4  mov     rax,qword ptr [rcx+8]
220736e8  cmp     qword ptr [rdx+8],rcx
220736ec  jne     nt!NtNotifyChangeMultipleKeys+0x8e4 (fffff803`22073704)

nt!NtNotifyChangeMultipleKeys+0x8ce:
220736ee  cmp     qword ptr [rax],rcx
220736f1  jne     nt!NtNotifyChangeMultipleKeys+0x8e4 (fffff803`22073704)

nt!NtNotifyChangeMultipleKeys+0x8d3:
220736f3  mov     qword ptr [rax],rdx
220736f6  mov     qword ptr [rdx+8],rax

This illustration shows the three list elements and where the links are set or referenced:
NtNotifyChangeMultipleKeys.png

There is a second occurrence of RemoveEntryList here:

nt!NtNotifyChangeMultipleKeys+0xa35:
22073855  mov     rax,qword ptr [r13]
22073859  test    rax,rax
2207385c  je      nt!NtNotifyChangeMultipleKeys+0xa5b (fffff803`2207387b)

nt!NtNotifyChangeMultipleKeys+0xa3e:
2207385e  mov     rcx,qword ptr [r13+8]
22073862  cmp     qword ptr [rax+8],r13
22073866  jne     nt!NtNotifyChangeMultipleKeys+0xa56 (fffff803`22073876)

nt!NtNotifyChangeMultipleKeys+0xa48:
22073868  cmp     qword ptr [rcx],r13
2207386b  jne     nt!NtNotifyChangeMultipleKeys+0xa56 (fffff803`22073876)

nt!NtNotifyChangeMultipleKeys+0xa4d:
2207386d  mov     qword ptr [rcx],rax
22073870  mov     qword ptr [rax+8],rcx

This illustration shows the three list elements and where the links are set or referenced:
NtNotifyChangeMultipleKeys_2.png

There is a third occurrence of RemoveEntryList here:

nt!NtNotifyChangeMultipleKeys+0xa7f:
2207389f  mov     rax,qword ptr [rsi]
220738a2  test    rax,rax
220738a5  je      nt!NtNotifyChangeMultipleKeys+0xaa4 (fffff803`220738c4)

nt!NtNotifyChangeMultipleKeys+0xa87:
220738a7  mov     rcx,qword ptr [rsi+8]
220738ab  cmp     qword ptr [rax+8],rsi
220738af  jne     nt!NtNotifyChangeMultipleKeys+0xa9f (fffff803`220738bf)

nt!NtNotifyChangeMultipleKeys+0xa91:
220738b1  cmp     qword ptr [rcx],rsi
220738b4  jne     nt!NtNotifyChangeMultipleKeys+0xa9f (fffff803`220738bf)

nt!NtNotifyChangeMultipleKeys+0xa96:
220738b6  mov     qword ptr [rcx],rax
220738b9  mov     qword ptr [rax+8],rcx

This illustration shows the three list elements and where the links are set or referenced:
NtNotifyChangeMultipleKeys_3.png

There is a fourth occurrence of RemoveEntryList here:

nt!NtNotifyChangeMultipleKeys+0xaa4:
220738c4  lea     rax,[rsi+10h]
220738c8  mov     rdx,qword ptr [rax]
220738cb  mov     rcx,qword ptr [rax+8]
220738cf  cmp     qword ptr [rdx+8],rax
220738d3  jne     nt!NtNotifyChangeMultipleKeys+0xb32 (fffff803`22073952)

nt!NtNotifyChangeMultipleKeys+0xab5:
220738d5  cmp     qword ptr [rcx],rax
220738d8  jne     nt!NtNotifyChangeMultipleKeys+0xb32 (fffff803`22073952)

nt!NtNotifyChangeMultipleKeys+0xaba:
220738da  mov     qword ptr [rcx],rdx
220738dd  mov     qword ptr [rdx+8],rcx

This illustration shows the three list elements and where the links are set or referenced:
NtNotifyChangeMultipleKeys_4.png

There is a fifth occurrence of RemoveEntryList here:

nt!NtNotifyChangeMultipleKeys+0xb53:
22073973  mov     rax,qword ptr [r13]
22073977  test    rax,rax
2207397a  je      nt!NtNotifyChangeMultipleKeys+0xb79 (fffff803`22073999)

nt!NtNotifyChangeMultipleKeys+0xb5c:
2207397c  mov     rcx,qword ptr [r13+8]
22073980  cmp     qword ptr [rax+8],r13
22073984  jne     nt!NtNotifyChangeMultipleKeys+0xb74 (fffff803`22073994)

nt!NtNotifyChangeMultipleKeys+0xb66:
22073986  cmp     qword ptr [rcx],r13
22073989  jne     nt!NtNotifyChangeMultipleKeys+0xb74 (fffff803`22073994)

nt!NtNotifyChangeMultipleKeys+0xb6b:
2207398b  mov     qword ptr [rcx],rax
2207398e  mov     qword ptr [rax+8],rcx

This illustration shows the three list elements and where the links are set or referenced:
NtNotifyChangeMultipleKeys_5.png

There is a sixth occurrence of RemoveEntryList here:

nt!NtNotifyChangeMultipleKeys+0xb79:
22073999  lea     rax,[r13+10h]
2207399d  mov     rdx,qword ptr [rax]
220739a0  mov     rcx,qword ptr [rax+8]
220739a4  cmp     qword ptr [rdx+8],rax
220739a8  jne     nt!NtNotifyChangeMultipleKeys+0xb98 (fffff803`220739b8)

nt!NtNotifyChangeMultipleKeys+0xb8a:
220739aa  cmp     qword ptr [rcx],rax
220739ad  jne     nt!NtNotifyChangeMultipleKeys+0xb98 (fffff803`220739b8)

nt!NtNotifyChangeMultipleKeys+0xb8f:
220739af  mov     qword ptr [rcx],rdx
220739b2  mov     qword ptr [rdx+8],rcx

This illustration shows the three list elements and where the links are set or referenced:
NtNotifyChangeMultipleKeys_6.png

There is a seventh occurrence of RemoveEntryList here:

nt!NtNotifyChangeMultipleKeys+0xb9d:
220739bd  mov     rax,qword ptr [rsi]
220739c0  test    rax,rax
220739c3  je      nt!NtNotifyChangeMultipleKeys+0xbc2 (fffff803`220739e2)

nt!NtNotifyChangeMultipleKeys+0xba5:
220739c5  mov     rcx,qword ptr [rsi+8]
220739c9  cmp     qword ptr [rax+8],rsi
220739cd  jne     nt!NtNotifyChangeMultipleKeys+0xbbd (fffff803`220739dd)

nt!NtNotifyChangeMultipleKeys+0xbaf:
220739cf  cmp     qword ptr [rcx],rsi
220739d2  jne     nt!NtNotifyChangeMultipleKeys+0xbbd (fffff803`220739dd)

nt!NtNotifyChangeMultipleKeys+0xbb4:
220739d4  mov     qword ptr [rcx],rax
220739d7  mov     qword ptr [rax+8],rcx

This illustration shows the three list elements and where the links are set or referenced:
NtNotifyChangeMultipleKeys_7.png

There is an eighth occurrence of RemoveEntryList here:

nt!NtNotifyChangeMultipleKeys+0xbc2:
220739e2  lea     rax,[rsi+10h]
220739e6  mov     rdx,qword ptr [rax]
220739e9  mov     rcx,qword ptr [rax+8]
220739ed  cmp     qword ptr [rdx+8],rax
220739f1  jne     nt!NtNotifyChangeMultipleKeys+0xbf9 (fffff803`22073a19)

nt!NtNotifyChangeMultipleKeys+0xbd3:
220739f3  cmp     qword ptr [rcx],rax
220739f6  jne     nt!NtNotifyChangeMultipleKeys+0xbf9 (fffff803`22073a19)

nt!NtNotifyChangeMultipleKeys+0xbd8:
220739f8  mov     qword ptr [rcx],rdx
220739fb  mov     qword ptr [rdx+8],rcx

This illustration shows the three list elements and where the links are set or referenced:
NtNotifyChangeMultipleKeys_8.png

► ObRegisterCallbacks

The following lines are RemoveEntryList:

nt! ?? ::NNGAKEGL::`string'+0x3cf37:
2226fa89  mov     rcx,qword ptr [r14]
2226fa8c  mov     rax,qword ptr [r14+8]
2226fa90  cmp     qword ptr [rcx+8],r14
2226fa94  jne     nt! ?? ::NNGAKEGL::`string'+0x3cfe0 (fffff803`2226fb32)

nt! ?? ::NNGAKEGL::`string'+0x3cf48:
2226fa9a  cmp     qword ptr [rax],r14
2226fa9d  jne     nt! ?? ::NNGAKEGL::`string'+0x3cfe0 (fffff803`2226fb32)

nt! ?? ::NNGAKEGL::`string'+0x3cf51:
2226faa3  mov     qword ptr [rax],rcx
2226faa6  mov     qword ptr [rcx+8],rax

This illustration shows the three list elements and where the links are set or referenced:
ObRegisterCallbacks.png

► ObUnRegisterCallbacks

The following lines are RemoveEntryList:

nt!ExFreePoolWithTag+0x9a6:
21ee3b06  mov     r8,qword ptr [r13+10h]
21ee3b0a  mov     rdx,qword ptr [r13+18h]
21ee3b0e  lea     rax,[r13+10h]
21ee3b12  cmp     qword ptr [r8+8],rax
21ee3b16  jne     nt!ExFreePool+0x946 (fffff803`21ee4a2c)

nt!ExFreePoolWithTag+0x9bc:
21ee3b1c  cmp     qword ptr [rdx],rax
21ee3b1f  jne     nt!ExFreePool+0x946 (fffff803`21ee4a2c)

nt!ExFreePoolWithTag+0x9c5:
21ee3b25  mov     qword ptr [rdx],r8
21ee3b28  mov     qword ptr [r8+8],rdx

This illustration shows the three list elements and where the links are set or referenced:
ObUnRegisterCallbacks.png

There is a second occurrence of RemoveEntryList here:

nt!ExFreePoolWithTag+0xf2c:
21ee408c  mov     rdx,qword ptr [r8+10h]
21ee4090  mov     rcx,qword ptr [r8+18h]
21ee4094  lea     rax,[r8+10h]
21ee4098  cmp     qword ptr [rdx+8],rax
21ee409c  jne     nt!ExFreePool+0xc08 (fffff803`21ee4cca)

nt!ExFreePoolWithTag+0xf42:
21ee40a2  cmp     qword ptr [rcx],rax
21ee40a5  jne     nt!ExFreePool+0xc08 (fffff803`21ee4cca)

nt!ExFreePoolWithTag+0xf4b:
21ee40ab  mov     qword ptr [rcx],rdx
21ee40ae  mov     qword ptr [rdx+8],rcx

This illustration shows the three list elements and where the links are set or referenced:
ObUnRegisterCallbacks_2.png

There is a third occurrence of RemoveEntryList here:

nt!ExFreePool+0xc1b:
21ee4cd9  mov     r8,qword ptr [rcx+10h]
21ee4cdd  mov     rdx,qword ptr [rcx+18h]
21ee4ce1  lea     rax,[rcx+10h]
21ee4ce5  cmp     qword ptr [r8+8],rax
21ee4ce9  jne     nt!ExFreePool+0xc55 (fffff803`21ee4d0b)

nt!ExFreePool+0xc31:
21ee4ceb  cmp     qword ptr [rdx],rax
21ee4cee  jne     nt!ExFreePool+0xc55 (fffff803`21ee4d0b)

nt!ExFreePool+0xc3a:
21ee4cf0  mov     qword ptr [rdx],r8
21ee4cf3  mov     qword ptr [r8+8],rdx

This illustration shows the three list elements and where the links are set or referenced:
ObUnRegisterCallbacks_3.png

There is a fourth occurrence of RemoveEntryList here:

nt!ObUnRegisterCallbacks+0x73:
221e9783  mov     rcx,qword ptr [rbx-30h]
221e9787  lea     rax,[rbx-38h]
221e978b  mov     rdx,qword ptr [rax]
221e978e  cmp     qword ptr [rdx+8],rax
221e9792  jne     nt!ObUnRegisterCallbacks+0x142 (fffff803`221e9852)

nt!ObUnRegisterCallbacks+0x88:
221e9798  cmp     qword ptr [rcx],rax
221e979b  jne     nt!ObUnRegisterCallbacks+0x142 (fffff803`221e9852)

nt!ObUnRegisterCallbacks+0x91:
221e97a1  mov     qword ptr [rcx],rdx
221e97a4  mov     qword ptr [rdx+8],rcx

This illustration shows the three list elements and where the links are set or referenced:
ObUnRegisterCallbacks_4.png
