
Someone comes up with this idea: you install a copy of Vista, which gives you 30 days until activation, and then promptly install a kernel rootkit... eehhmmm, device driver that stops the kernel timers. I figure the device driver HAS to have some form of malware in it. So I break out IDA and here is what I see. You be the judge....
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
.text:00011000 ; Format : Portable executable for IBM PC (PE)
.text:00011000 ; Section 1. (virtual address 00001000)
.text:00011000 ; Virtual size : 000001A3 ( 419.)
.text:00011000 ; Section size in file : 00000200 ( 512.)
.text:00011000 ; Offset to raw data for section: 00000400
.text:00011000 ; Flags 68000020: Text Not pageable Executable Readable
.text:00011000 ; Alignment : 16 bytes ?
.text:00011000
.text:00011000 model flat
.text:00011000
.text:00011000 ; ---------------------------------------------------------------------------
.text:00011000
.text:00011000 ; Segment type: Pure code
.text:00011000 _text segment para public 'CODE' use32
.text:00011000 assume cs:_text
.text:00011000 ;org 11000h
.text:00011000 assume es:nothing, ss:nothing, ds:_data, fs:nothing, gs:nothing
.text:00011000 dd 0
.text:00011004 db 2 dup(0)
.text:00011006
.text:00011006 ; ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦ S U B R O U T I N E ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦
.text:00011006
.text:00011006 ; Attributes: bp-based frame
.text:00011006
.text:00011006 sub_11006 proc near ; CODE XREF: sub_11080+Bp
.text:00011006 ; sub_11080+23p
.text:00011006 ;
.text:00011006 ; Locates the start of the kernel's array of timer list heads by queuing
.text:00011006 ; a stack-allocated timer and following its list linkage backwards.
.text:00011006 ; In:    nothing
.text:00011006 ; Out:   eax = address that sub_11080 prints as "TimerTable"
.text:00011006 ; Clobb: eax, ecx, edx, flags (ebx/esi/edi saved and restored)
.text:00011006 ; Stack: 28h bytes of locals, the size of an x86 KTIMER; the 1Ch
.text:00011006 ;        offset read below matches KTIMER.TimerListEntry.Blink on
.text:00011006 ;        Vista x86 -- confirm against the target kernel's symbols.
.text:00011006
.text:00011006 var_28 = byte ptr -28h ; probe timer object (assumed KTIMER, see header)
.text:00011006 var_C = dword ptr -0Ch ; var_28+1Ch = TimerListEntry.Blink (assumed)
.text:00011006
.text:00011006 mov edi, edi ; hot-patch pad emitted by the MS compiler
.text:00011008 push ebp
.text:00011009 mov ebp, esp
.text:0001100B sub esp, 28h
.text:0001100E push ebx
.text:0001100F push esi
.text:00011010 push edi
.text:00011011 lea eax, [ebp+var_28]
.text:00011014 push eax
.text:00011015 call ds:KeInitializeTimer ; KeInitializeTimer(&timer)
.text:0001101B mov esi, ds:KeSetTimer
.text:00011021 or ebx, 0FFFFFFFFh ; ebx:edi = DueTime = -1 (relative, 100 ns)
.text:00011024 mov edi, ebx
.text:00011026 jmp short loc_1102E
.text:00011028 ; ---------------------------------------------------------------------------
.text:00011028
.text:00011028 loc_11028: ; CODE XREF: sub_11006+34j
.text:00011028 add edi, 0FFFFFFFFh ; 64-bit DueTime-- and retry
.text:0001102B adc ebx, 0FFFFFFFFh
.text:0001102E
.text:0001102E loc_1102E: ; CODE XREF: sub_11006+20j
.text:0001102E push 0 ; Dpc = NULL
.text:00011030 push ebx ; DueTime.HighPart
.text:00011031 push edi ; DueTime.LowPart
.text:00011032 lea eax, [ebp+var_28]
.text:00011035 push eax ; &timer
.text:00011036 call esi ; KeSetTimer: TRUE only if the timer was still queued
.text:00011038 test al, al
.text:0001103A jz short loc_11028 ; NOTE: no iteration bound -- spins until it sees TRUE
.text:0001103C mov esi, [ebp+var_C] ; esi = timer.TimerListEntry.Blink (assumed offset)
.text:0001103F lea eax, [ebp+var_28]
.text:00011042 push eax
.text:00011043 call ds:KeCancelTimer ; dequeue the probe timer again
.text:00011049 jmp short loc_1104E
.text:0001104B ; ---------------------------------------------------------------------------
.text:0001104B
.text:0001104B loc_1104B: ; CODE XREF: sub_11006+4Bj
.text:0001104B sub esi, 10h ; step back one 16-byte entry
.text:0001104E
.text:0001104E loc_1104E: ; CODE XREF: sub_11006+43j
.text:0001104E cmp dword ptr [esi], 0 ; walk back until a zero dword; no lower bound check
.text:00011051 jnz short loc_1104B
.text:00011053 pop edi
.text:00011054 lea eax, [esi+10h] ; return the entry just past the zero
.text:00011057 pop esi
.text:00011058 pop ebx
.text:00011059 leave
.text:0001105A retn
.text:0001105A sub_11006 endp ; sp = 4
.text:0001105A
.text:0001105A ; ---------------------------------------------------------------------------
.text:0001105B align 8
.text:00011060
.text:00011060 ; ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦ S U B R O U T I N E ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦
.text:00011060
.text:00011060 ; Attributes: bp-based frame
.text:00011060
.text:00011060 sub_11060 proc near ; CODE XREF: sub_11080+55p
.text:00011060 ;
.text:00011060 ; Predicate: returns 1 if the low 12 bits (page offset) of the argument
.text:00011060 ; equal 218h, else 0. sub_11080 feeds it a DPC's DeferredRoutine, so it
.text:00011060 ; is a hard-coded page-offset fingerprint of one routine; which routine
.text:00011060 ; it is meant to match is not recoverable from this listing.
.text:00011060 ; In:    [esp+4] = value to test (stdcall, one argument)
.text:00011060 ; Out:   eax = 0 or 1
.text:00011060 ; Clobb: flags only -- ecx survives, which the caller relies on
.text:00011060
.text:00011060 arg_4 = dword ptr 8
.text:00011060
.text:00011060 mov edi, edi
.text:00011062 push ebp
.text:00011063 mov ebp, esp
.text:00011065 mov eax, [ebp+arg_4]
.text:00011068 and eax, 0FFFh ; keep the page offset
.text:0001106D sub eax, 218h ; 0 iff offset == 218h
.text:00011072 neg eax ; CF = (eax != 0)
.text:00011074 sbb eax, eax ; eax = CF ? -1 : 0
.text:00011076 inc eax ; -> 0 : 1
.text:00011077 pop ebp
.text:00011078 retn 4
.text:00011078 sub_11060 endp
.text:00011078
.text:00011078 ; ---------------------------------------------------------------------------
.text:0001107B align 8
.text:00011080
.text:00011080 ; ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦ S U B R O U T I N E ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦
.text:00011080
.text:00011080 ; Attributes: bp-based frame
.text:00011080
.text:00011080 sub_11080 proc near ; CODE XREF: .text:00011135p
.text:00011080 ;
.text:00011080 ; Scans 1F4h (500) 16-byte timer list heads starting at the address
.text:00011080 ; returned by sub_11006 and unlinks every queued timer whose DPC
.text:00011080 ; routine passes sub_11060's page-offset check.
.text:00011080 ; In:    nothing
.text:00011080 ; Out:   eax = number of timers unlinked
.text:00011080 ; Clobb: eax, ecx, edx, flags
.text:00011080 ; Runs at IRQL 2 (DISPATCH_LEVEL). No lock is taken around the list
.text:00011080 ; surgery -- the .idata externs contain no lock/acquire routine -- so
.text:00011080 ; on a multiprocessor system a concurrent KeSetTimer or timer expiry
.text:00011080 ; on another CPU can race the two writes at 110FBh/110FDh. The unlink
.text:00011080 ; also leaves the victim timer's own fields untouched, so a later
.text:00011080 ; KeCancelTimer/KeSetTimer on it would likely operate on stale links.
.text:00011080 ; Struct offsets used (assumed Vista x86 KTIMER/KDPC; confirm with
.text:00011080 ; symbols): DueTime @10h, TimerListEntry @18h, Dpc @20h,
.text:00011080 ; KDPC.DeferredRoutine @0Ch.
.text:00011080
.text:00011080 var_C = dword ptr -0Ch ; count of unlinked timers (return value)
.text:00011080 var_8 = dword ptr -8 ; list-head index, 0..1F3h
.text:00011080 var_1 = byte ptr -1 ; saved IRQL
.text:00011080
.text:00011080 mov edi, edi
.text:00011082 push ebp
.text:00011083 mov ebp, esp
.text:00011085 sub esp, 0Ch
.text:00011088 push ebx
.text:00011089 push esi
.text:0001108A push edi
.text:0001108B call sub_11006 ; first probe; result discarded
.text:00011090 and [ebp+var_8], 0
.text:00011094 and [ebp+var_C], 0
.text:00011098 mov cl, 2 ; DISPATCH_LEVEL
.text:0001109A call ds:KfRaiseIrql ; fastcall: NewIrql in cl
.text:000110A0 mov [ebp+var_1], al ; old IRQL
.text:000110A3 call sub_11006
.text:000110A8 mov esi, eax ; esi = table base
.text:000110AA push esi
.text:000110AB push offset aTimertableX ; "TimerTable : %x\n"
.text:000110B0 call DbgPrint ; goes to the kernel debugger / debug-output capture
.text:000110B5 pop ecx
.text:000110B6 pop ecx
.text:000110B7 mov ebx, esi ; ebx = current list head
.text:000110B9
.text:000110B9 loc_110B9: ; CODE XREF: sub_11080+91j
.text:000110B9 mov edi, [ebx] ; edi = head.Flink
.text:000110BB test edi, edi
.text:000110BD jz short loc_11113 ; a NULL Flink aborts the whole scan, not just this bucket
.text:000110BF jmp short loc_11100
.text:000110C1 ; ---------------------------------------------------------------------------
.text:000110C1
.text:000110C1 loc_110C1: ; CODE XREF: sub_11080+82j
.text:000110C1 lea esi, [edi-18h] ; esi = CONTAINING_RECORD(edi, KTIMER, TimerListEntry)
.text:000110C4 mov eax, [esi+20h] ; eax = timer->Dpc
.text:000110C7 test eax, eax
.text:000110C9 mov edi, [edi] ; advance to the next entry before any unlink
.text:000110CB jz short loc_11100 ; no DPC -> skip
.text:000110CD mov ecx, [eax+0Ch] ; ecx = Dpc->DeferredRoutine
.text:000110D0 test ecx, ecx
.text:000110D2 jz short loc_11100
.text:000110D4 push ecx
.text:000110D5 call sub_11060 ; page-offset fingerprint; preserves ecx
.text:000110DA test eax, eax
.text:000110DC jz short loc_11100 ; no match -> skip
.text:000110DE push dword ptr [esi+14h] ; DueTime.HighPart
.text:000110E1 push dword ptr [esi+10h] ; DueTime.LowPart (%lld)
.text:000110E4 push ecx ; DeferredRoutine (%x)
.text:000110E5 push offset aFoundDeferredr ; "Found DeferredRoutine %x QuadPart %lld\n"...
.text:000110EA call DbgPrint
.text:000110EF mov eax, [esi+18h] ; eax = timer->TimerListEntry.Flink
.text:000110F2 mov esi, [esi+1Ch] ; esi = timer->TimerListEntry.Blink
.text:000110F5 add esp, 10h
.text:000110F8 inc [ebp+var_C] ; count++
.text:000110FB mov [esi], eax ; Blink->Flink = Flink   } RemoveEntryList, with
.text:000110FD mov [eax+4], esi ; Flink->Blink = Blink   } no lock and no state reset
.text:00011100
.text:00011100 loc_11100: ; CODE XREF: sub_11080+3Fj
.text:00011100 ; sub_11080+4Bj ...
.text:00011100 cmp edi, ebx ; back at the list head?
.text:00011102 jnz short loc_110C1
.text:00011104 inc [ebp+var_8]
.text:00011107 add ebx, 10h ; next 16-byte list head
.text:0001110A cmp [ebp+var_8], 1F4h ; 500 heads; whether that matches the running
.text:00011111 jb short loc_110B9 ; kernel's table size is not shown here
.text:00011113
.text:00011113 loc_11113: ; CODE XREF: sub_11080+3Dj
.text:00011113 mov cl, [ebp+var_1]
.text:00011116 call ds:KfLowerIrql ; restore the caller's IRQL
.text:0001111C mov eax, [ebp+var_C] ; return count
.text:0001111F pop edi
.text:00011120 pop esi
.text:00011121 pop ebx
.text:00011122 leave
.text:00011123 retn
.text:00011123 sub_11080 endp ; sp = 4
.text:00011123
.text:00011123 ; ---------------------------------------------------------------------------
.text:00011124 dd 0CCCCCCCCh
.text:00011128 db 2 dup(0CCh)
.text:0001112A ; ---------------------------------------------------------------------------
.text:0001112A
.text:0001112A loc_1112A: ; CODE XREF: start+3Dj
.text:0001112A ; Body of DriverEntry: `start` (INIT) tail-jumps here after the /GS
.text:0001112A ; cookie setup, with the two DriverEntry arguments still on the stack
.text:0001112A ; (hence retn 8). Prints a banner, runs the timer scan, and returns
.text:0001112A ; 0FFFFFFFFh - count, i.e. NOT count. The high bit is set for every
.text:0001112A ; possible count, so the status is an NT error and the loader should
.text:0001112A ; discard the image right away: the driver acts once during load and
.text:0001112A ; does not stay resident. Nothing in this listing registers a device
.text:0001112A ; object or an unload routine.
.text:0001112A push offset aTimerstopDrive ; "TimerStop Driver loaded\n"
.text:0001112F call DbgPrint ; load-time banner -- a cheap detection string
.text:00011134 pop ecx
.text:00011135 call sub_11080 ; eax = timers unlinked
.text:0001113A or ecx, 0FFFFFFFFh
.text:0001113D sub ecx, eax ; ecx = -1 - eax = NOT eax
.text:0001113F mov eax, ecx
.text:00011141 retn 8
.text:00011141 ; ---------------------------------------------------------------------------
.text:00011144 dd 0CCCCCCCCh
.text:00011148 db 2 dup(0CCh)
.text:0001114A
.text:0001114A ; ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦ S U B R O U T I N E ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦
.text:0001114A
.text:0001114A ; Attributes: thunk
.text:0001114A
.text:0001114A DbgPrint proc near ; CODE XREF: sub_11080+30p
.text:0001114A ; sub_11080+6Ap ...
.text:0001114A ; Import thunk: tail-jumps through the IAT slot to ntoskrnl's DbgPrint.
.text:0001114A jmp ds:__imp_DbgPrint
.text:0001114A DbgPrint endp
.text:0001114A
.text:0001114A ; ---------------------------------------------------------------------------
.text:00011150 ; Format strings for the three DbgPrint calls. They sit in plaintext in
.text:00011150 ; the image, so they serve both as on-disk indicators for this driver and
.text:00011150 ; as debug-output indicators that the scan actually ran on a machine.
.text:00011150 aFoundDeferredr db 'Found DeferredRoutine %x QuadPart %lld',0Ah,0
.text:00011150 ; DATA XREF: sub_11080+65o
.text:00011178 aTimertableX db 'TimerTable : %x',0Ah,0 ; DATA XREF: sub_11080+2Bo
.text:00011189 align 2
.text:0001118A aTimerstopDrive db 'TimerStop Driver loaded',0Ah,0
.text:0001118A ; DATA XREF: .text:0001112Ao
.text:000111A3 align 80h
.text:000111A3 _text ends
.text:000111A3
.idata:00012000 ; Section 2. (virtual address 00002000)
.idata:00012000 ; Virtual size : 00000093 ( 147.)
.idata:00012000 ; Section size in file : 00000200 ( 512.)
.idata:00012000 ; Offset to raw data for section: 00000600
.idata:00012000 ; Flags 48000040: Data Not pageable Readable
.idata:00012000 ; Alignment : 16 bytes ?
.idata:00012000 ;
.idata:00012000 ; Imports from HAL.dll
.idata:00012000 ;
.idata:00012000 ; ---------------------------------------------------------------------------
.idata:00012000
.idata:00012000 ; Segment type: Externs
.idata:00012000 ; _idata
.idata:00012000 extrn KfRaiseIrql:dword ; DATA XREF: sub_11080+1Ar
.idata:00012004 extrn KfLowerIrql:dword ; DATA XREF: sub_11080+96r
.idata:00012008
.idata:0001200C ;
.idata:0001200C ; Imports from ntoskrnl.exe
.idata:0001200C ;
.idata:0001200C extrn KeTickCount:dword ; DATA XREF: start+17r
.idata:00012010 extrn __imp_DbgPrint:dword ; DATA XREF: DbgPrintr
.idata:00012014 extrn KeInitializeTimer:dword ; DATA XREF: sub_11006+Fr
.idata:00012018 extrn KeSetTimer:dword ; DATA XREF: sub_11006+15r
.idata:0001201C extrn KeCancelTimer:dword ; DATA XREF: sub_11006+3Dr
.idata:00012020
.idata:00012020
.rdata:00012024 ; ---------------------------------------------------------------------------
.rdata:00012024
.rdata:00012024 ; Segment type: Pure data
.rdata:00012024 _rdata segment para public 'DATA' use32
.rdata:00012024 assume cs:_rdata
.rdata:00012024 ;org 12024h
.rdata:00012024 db 0 ;
.rdata:00012025 db 0 ;
.rdata:00012026 db 0 ;
.rdata:00012027 db 0 ;
.rdata:00012028 db 0 ;
.rdata:00012029 db 0 ;
.rdata:0001202A db 0 ;
.rdata:0001202B db 0 ;
.rdata:0001202C db 0 ;
.rdata:0001202D db 0 ;
.rdata:0001202E db 0 ;
.rdata:0001202F db 0 ;
.rdata:00012030 db 0 ; IMAGE_DEBUG_DIRECTORY (field layout inferred from the bytes): Characteristics = 0
.rdata:00012031 db 0 ;
.rdata:00012032 db 0 ;
.rdata:00012033 db 0 ;
.rdata:00012034 db 74h ; t   TimeDateStamp = 4585D774h (little-endian) -- build-time artifact
.rdata:00012035 db 0D7h ; +
.rdata:00012036 db 85h ; à
.rdata:00012037 db 45h ; E
.rdata:00012038 db 0 ; MajorVersion / MinorVersion = 0
.rdata:00012039 db 0 ;
.rdata:0001203A db 0 ;
.rdata:0001203B db 0 ;
.rdata:0001203C db 2 ; Type = 2 (IMAGE_DEBUG_TYPE_CODEVIEW)
.rdata:0001203D db 0 ;
.rdata:0001203E db 0 ;
.rdata:0001203F db 0 ;
.rdata:00012040 db 47h ; G   SizeOfData = 47h (71 bytes: the RSDS record below)
.rdata:00012041 db 0 ;
.rdata:00012042 db 0 ;
.rdata:00012043 db 0 ;
.rdata:00012044 db 4Ch ; L   AddressOfRawData = 204Ch (RVA of the RSDS record)
.rdata:00012045 db 20h ;
.rdata:00012046 db 0 ;
.rdata:00012047 db 0 ;
.rdata:00012048 db 4Ch ; L   PointerToRawData = 64Ch
.rdata:00012049 db 6 ;
.rdata:0001204A db 0 ;
.rdata:0001204B db 0 ;
.rdata:0001204C db 52h ; R   'RSDS' CodeView signature (PDB 7.0 record)
.rdata:0001204D db 53h ; S
.rdata:0001204E db 44h ; D
.rdata:0001204F db 53h ; S
.rdata:00012050 db 28h ; (   16-byte PDB GUID (value readable from the next 16 bytes)
.rdata:00012051 db 99h ; Ö
.rdata:00012052 db 0F9h ; ·
.rdata:00012053 db 64h ; d
.rdata:00012054 db 0A7h ; º
.rdata:00012055 db 0DEh ; ¦
.rdata:00012056 db 5Ch ; \
.rdata:00012057 db 4Fh ; O
.rdata:00012058 db 0B7h ; +
.rdata:00012059 db 1Ah ;
.rdata:0001205A db 88h ; ê
.rdata:0001205B db 4Fh ; O
.rdata:0001205C db 47h ; G
.rdata:0001205D db 0E5h ; s
.rdata:0001205E db 0D3h ; +
.rdata:0001205F db 5Dh ; ]
.rdata:00012060 db 4 ; Age = 4
.rdata:00012061 db 0 ;
.rdata:00012062 db 0 ;
.rdata:00012063 db 0 ;
.rdata:00012064 db 63h ; c   PDB path "c:\timerstop\objfre_wlh_x86\i386\TimerStop.pdb" (NUL at 12092h); the
.rdata:00012065 db 3Ah ; :   "objfre_wlh_x86" component is consistent with a WDK free (release) build for
.rdata:00012066 db 5Ch ; \   the Vista ("wlh") target -- path, GUID and timestamp are attribution artifacts
.rdata:00012067 db 74h ; t
.rdata:00012068 db 69h ; i
.rdata:00012069 db 6Dh ; m
.rdata:0001206A db 65h ; e
.rdata:0001206B db 72h ; r
.rdata:0001206C db 73h ; s
.rdata:0001206D db 74h ; t
.rdata:0001206E db 6Fh ; o
.rdata:0001206F db 70h ; p
.rdata:00012070 db 5Ch ; \
.rdata:00012071 db 6Fh ; o
.rdata:00012072 db 62h ; b
.rdata:00012073 db 6Ah ; j
.rdata:00012074 db 66h ; f
.rdata:00012075 db 72h ; r
.rdata:00012076 db 65h ; e
.rdata:00012077 db 5Fh ; _
.rdata:00012078 db 77h ; w
.rdata:00012079 db 6Ch ; l
.rdata:0001207A db 68h ; h
.rdata:0001207B db 5Fh ; _
.rdata:0001207C db 78h ; x
.rdata:0001207D db 38h ; 8
.rdata:0001207E db 36h ; 6
.rdata:0001207F db 5Ch ; \
.rdata:00012080 db 69h ; i
.rdata:00012081 db 33h ; 3
.rdata:00012082 db 38h ; 8
.rdata:00012083 db 36h ; 6
.rdata:00012084 db 5Ch ; \
.rdata:00012085 db 54h ; T
.rdata:00012086 db 69h ; i
.rdata:00012087 db 6Dh ; m
.rdata:00012088 db 65h ; e
.rdata:00012089 db 72h ; r
.rdata:0001208A db 53h ; S
.rdata:0001208B db 74h ; t
.rdata:0001208C db 6Fh ; o
.rdata:0001208D db 70h ; p
.rdata:0001208E db 2Eh ; .
.rdata:0001208F db 70h ; p
.rdata:00012090 db 64h ; d
.rdata:00012091 db 62h ; b
.rdata:00012092 db 0 ; end of PDB path
.rdata:00012093 db 0 ;
.rdata:00012094 db 0 ;
.rdata:00012095 db 0 ;
.rdata:00012096 db 0 ;
.rdata:00012097 db 0 ;
.rdata:00012098 db 0 ;
.rdata:00012099 db 0 ;
.rdata:0001209A db 0 ;
.rdata:0001209B db 0 ;
.rdata:0001209C db 0 ;
.rdata:0001209D db 0 ;
.rdata:0001209E db 0 ;
.rdata:0001209F db 0 ;
.rdata:000120A0 db 0 ;
.rdata:000120A1 db 0 ;
.rdata:000120A2 db 0 ;
.rdata:000120A3 db 0 ;
.rdata:000120A4 db 0 ;
.rdata:000120A5 db 0 ;
.rdata:000120A6 db 0 ;
.rdata:000120A7 db 0 ;
.rdata:000120A8 db 0 ;
.rdata:000120A9 db 0 ;
.rdata:000120AA db 0 ;
.rdata:000120AB db 0 ;
.rdata:000120AC db 0 ;
.rdata:000120AD db 0 ;
.rdata:000120AE db 0 ;
.rdata:000120AF db 0 ;
.rdata:000120B0 db 0 ;
.rdata:000120B1 db 0 ;
.rdata:000120B2 db 0 ;
.rdata:000120B3 db 0 ;
.rdata:000120B4 db 0 ;
.rdata:000120B5 db 0 ;
.rdata:000120B6 db 0 ;
.rdata:000120B7 db 0 ;
.rdata:000120B8 db 0 ;
.rdata:000120B9 db 0 ;
.rdata:000120BA db 0 ;
.rdata:000120BB db 0 ;
.rdata:000120BC db 0 ;
.rdata:000120BD db 0 ;
.rdata:000120BE db 0 ;
.rdata:000120BF db 0 ;
.rdata:000120C0 db 0 ;
.rdata:000120C1 db 0 ;
.rdata:000120C2 db 0 ;
.rdata:000120C3 db 0 ;
.rdata:000120C4 db 0 ;
.rdata:000120C5 db 0 ;
.rdata:000120C6 db 0 ;
.rdata:000120C7 db 0 ;
.rdata:000120C8 db 0 ;
.rdata:000120C9 db 0 ;
.rdata:000120CA db 0 ;
.rdata:000120CB db 0 ;
.rdata:000120CC db 0 ;
.rdata:000120CD db 0 ;
.rdata:000120CE db 0 ;
.rdata:000120CF db 0 ;
.rdata:000120D0 db 0 ;
.rdata:000120D1 db 0 ;
.rdata:000120D2 db 0 ;
.rdata:000120D3 db 0 ;
.rdata:000120D4 db 0 ;
.rdata:000120D5 db 0 ;
.rdata:000120D6 db 0 ;
.rdata:000120D7 db 0 ;
.rdata:000120D8 db 0 ;
.rdata:000120D9 db 0 ;
.rdata:000120DA db 0 ;
.rdata:000120DB db 0 ;
.rdata:000120DC db 0 ;
.rdata:000120DD db 0 ;
.rdata:000120DE db 0 ;
.rdata:000120DF db 0 ;
.rdata:000120E0 db 0 ;
.rdata:000120E1 db 0 ;
.rdata:000120E2 db 0 ;
.rdata:000120E3 db 0 ;
.rdata:000120E4 db 0 ;
.rdata:000120E5 db 0 ;
.rdata:000120E6 db 0 ;
.rdata:000120E7 db 0 ;
.rdata:000120E8 db 0 ;
.rdata:000120E9 db 0 ;
.rdata:000120EA db 0 ;
.rdata:000120EB db 0 ;
.rdata:000120EC db 0 ;
.rdata:000120ED db 0 ;
.rdata:000120EE db 0 ;
.rdata:000120EF db 0 ;
.rdata:000120F0 db 0 ;
.rdata:000120F1 db 0 ;
.rdata:000120F2 db 0 ;
.rdata:000120F3 db 0 ;
.rdata:000120F4 db 0 ;
.rdata:000120F5 db 0 ;
.rdata:000120F6 db 0 ;
.rdata:000120F7 db 0 ;
.rdata:000120F8 db 0 ;
.rdata:000120F9 db 0 ;
.rdata:000120FA db 0 ;
.rdata:000120FB db 0 ;
.rdata:000120FC db 0 ;
.rdata:000120FD db 0 ;
.rdata:000120FE db 0 ;
.rdata:000120FF db 0 ;
.rdata:00012100 db 0 ;
.rdata:00012101 db 0 ;
.rdata:00012102 db 0 ;
.rdata:00012103 db 0 ;
.rdata:00012104 db 0 ;
.rdata:00012105 db 0 ;
.rdata:00012106 db 0 ;
.rdata:00012107 db 0 ;
.rdata:00012108 db 0 ;
.rdata:00012109 db 0 ;
.rdata:0001210A db 0 ;
.rdata:0001210B db 0 ;
.rdata:0001210C db 0 ;
.rdata:0001210D db 0 ;
.rdata:0001210E db 0 ;
.rdata:0001210F db 0 ;
.rdata:00012110 db 0 ;
.rdata:00012111 db 0 ;
.rdata:00012112 db 0 ;
.rdata:00012113 db 0 ;
.rdata:00012114 db 0 ;
.rdata:00012115 db 0 ;
.rdata:00012116 db 0 ;
.rdata:00012117 db 0 ;
.rdata:00012118 db 0 ;
.rdata:00012119 db 0 ;
.rdata:0001211A db 0 ;
.rdata:0001211B db 0 ;
.rdata:0001211C db 0 ;
.rdata:0001211D db 0 ;
.rdata:0001211E db 0 ;
.rdata:0001211F db 0 ;
.rdata:00012120 db 0 ;
.rdata:00012121 db 0 ;
.rdata:00012122 db 0 ;
.rdata:00012123 db 0 ;
.rdata:00012124 db 0 ;
.rdata:00012125 db 0 ;
.rdata:00012126 db 0 ;
.rdata:00012127 db 0 ;
.rdata:00012128 db 0 ;
.rdata:00012129 db 0 ;
.rdata:0001212A db 0 ;
.rdata:0001212B db 0 ;
.rdata:0001212C db 0 ;
.rdata:0001212D db 0 ;
.rdata:0001212E db 0 ;
.rdata:0001212F db 0 ;
.rdata:00012130 db 0 ;
.rdata:00012131 db 0 ;
.rdata:00012132 db 0 ;
.rdata:00012133 db 0 ;
.rdata:00012134 db 0 ;
.rdata:00012135 db 0 ;
.rdata:00012136 db 0 ;
.rdata:00012137 db 0 ;
.rdata:00012138 db 0 ;
.rdata:00012139 db 0 ;
.rdata:0001213A db 0 ;
.rdata:0001213B db 0 ;
.rdata:0001213C db 0 ;
.rdata:0001213D db 0 ;
.rdata:0001213E db 0 ;
.rdata:0001213F db 0 ;
.rdata:00012140 db 0 ;
.rdata:00012141 db 0 ;
.rdata:00012142 db 0 ;
.rdata:00012143 db 0 ;
.rdata:00012144 db 0 ;
.rdata:00012145 db 0 ;
.rdata:00012146 db 0 ;
.rdata:00012147 db 0 ;
.rdata:00012148 db 0 ;
.rdata:00012149 db 0 ;
.rdata:0001214A db 0 ;
.rdata:0001214B db 0 ;
.rdata:0001214C db 0 ;
.rdata:0001214D db 0 ;
.rdata:0001214E db 0 ;
.rdata:0001214F db 0 ;
.rdata:00012150 db 0 ;
.rdata:00012151 db 0 ;
.rdata:00012152 db 0 ;
.rdata:00012153 db 0 ;
.rdata:00012154 db 0 ;
.rdata:00012155 db 0 ;
.rdata:00012156 db 0 ;
.rdata:00012157 db 0 ;
.rdata:00012158 db 0 ;
.rdata:00012159 db 0 ;
.rdata:0001215A db 0 ;
.rdata:0001215B db 0 ;
.rdata:0001215C db 0 ;
.rdata:0001215D db 0 ;
.rdata:0001215E db 0 ;
.rdata:0001215F db 0 ;
.rdata:00012160 db 0 ;
.rdata:00012161 db 0 ;
.rdata:00012162 db 0 ;
.rdata:00012163 db 0 ;
.rdata:00012164 db 0 ;
.rdata:00012165 db 0 ;
.rdata:00012166 db 0 ;
.rdata:00012167 db 0 ;
.rdata:00012168 db 0 ;
.rdata:00012169 db 0 ;
.rdata:0001216A db 0 ;
.rdata:0001216B db 0 ;
.rdata:0001216C db 0 ;
.rdata:0001216D db 0 ;
.rdata:0001216E db 0 ;
.rdata:0001216F db 0 ;
.rdata:00012170 db 0 ;
.rdata:00012171 db 0 ;
.rdata:00012172 db 0 ;
.rdata:00012173 db 0 ;
.rdata:00012174 db 0 ;
.rdata:00012175 db 0 ;
.rdata:00012176 db 0 ;
.rdata:00012177 db 0 ;
.rdata:00012178 db 0 ;
.rdata:00012179 db 0 ;
.rdata:0001217A db 0 ;
.rdata:0001217B db 0 ;
.rdata:0001217C db 0 ;
.rdata:0001217D db 0 ;
.rdata:0001217E db 0 ;
.rdata:0001217F db 0 ;
.rdata:00012180 db 0 ;
.rdata:00012181 db 0 ;
.rdata:00012182 db 0 ;
.rdata:00012183 db 0 ;
.rdata:00012184 db 0 ;
.rdata:00012185 db 0 ;
.rdata:00012186 db 0 ;
.rdata:00012187 db 0 ;
.rdata:00012188 db 0 ;
.rdata:00012189 db 0 ;
.rdata:0001218A db 0 ;
.rdata:0001218B db 0 ;
.rdata:0001218C db 0 ;
.rdata:0001218D db 0 ;
.rdata:0001218E db 0 ;
.rdata:0001218F db 0 ;
.rdata:00012190 db 0 ;
.rdata:00012191 db 0 ;
.rdata:00012192 db 0 ;
.rdata:00012193 db 0 ;
.rdata:00012194 db 0 ;
.rdata:00012195 db 0 ;
.rdata:00012196 db 0 ;
.rdata:00012197 db 0 ;
.rdata:00012198 db 0 ;
.rdata:00012199 db 0 ;
.rdata:0001219A db 0 ;
.rdata:0001219B db 0 ;
.rdata:0001219C db 0 ;
.rdata:0001219D db 0 ;
.rdata:0001219E db 0 ;
.rdata:0001219F db 0 ;
.rdata:000121A0 db 0 ;
.rdata:000121A1 db 0 ;
.rdata:000121A2 db 0 ;
.rdata:000121A3 db 0 ;
.rdata:000121A4 db 0 ;
.rdata:000121A5 db 0 ;
.rdata:000121A6 db 0 ;
.rdata:000121A7 db 0 ;
.rdata:000121A8 db 0 ;
.rdata:000121A9 db 0 ;
.rdata:000121AA db 0 ;
.rdata:000121AB db 0 ;
.rdata:000121AC db 0 ;
.rdata:000121AD db 0 ;
.rdata:000121AE db 0 ;
.rdata:000121AF db 0 ;
.rdata:000121B0 db 0 ;
.rdata:000121B1 db 0 ;
.rdata:000121B2 db 0 ;
.rdata:000121B3 db 0 ;
.rdata:000121B4 db 0 ;
.rdata:000121B5 db 0 ;
.rdata:000121B6 db 0 ;
.rdata:000121B7 db 0 ;
.rdata:000121B8 db 0 ;
.rdata:000121B9 db 0 ;
.rdata:000121BA db 0 ;
.rdata:000121BB db 0 ;
.rdata:000121BC db 0 ;
.rdata:000121BD db 0 ;
.rdata:000121BE db 0 ;
.rdata:000121BF db 0 ;
.rdata:000121C0 db 0 ;
.rdata:000121C1 db 0 ;
.rdata:000121C2 db 0 ;
.rdata:000121C3 db 0 ;
.rdata:000121C4 db 0 ;
.rdata:000121C5 db 0 ;
.rdata:000121C6 db 0 ;
.rdata:000121C7 db 0 ;
.rdata:000121C8 db 0 ;
.rdata:000121C9 db 0 ;
.rdata:000121CA db 0 ;
.rdata:000121CB db 0 ;
.rdata:000121CC db 0 ;
.rdata:000121CD db 0 ;
.rdata:000121CE db 0 ;
.rdata:000121CF db 0 ;
.rdata:000121D0 db 0 ;
.rdata:000121D1 db 0 ;
.rdata:000121D2 db 0 ;
.rdata:000121D3 db 0 ;
.rdata:000121D4 db 0 ;
.rdata:000121D5 db 0 ;
.rdata:000121D6 db 0 ;
.rdata:000121D7 db 0 ;
.rdata:000121D8 db 0 ;
.rdata:000121D9 db 0 ;
.rdata:000121DA db 0 ;
.rdata:000121DB db 0 ;
.rdata:000121DC db 0 ;
.rdata:000121DD db 0 ;
.rdata:000121DE db 0 ;
.rdata:000121DF db 0 ;
.rdata:000121E0 db 0 ;
.rdata:000121E1 db 0 ;
.rdata:000121E2 db 0 ;
.rdata:000121E3 db 0 ;
.rdata:000121E4 db 0 ;
.rdata:000121E5 db 0 ;
.rdata:000121E6 db 0 ;
.rdata:000121E7 db 0 ;
.rdata:000121E8 db 0 ;
.rdata:000121E9 db 0 ;
.rdata:000121EA db 0 ;
.rdata:000121EB db 0 ;
.rdata:000121EC db 0 ;
.rdata:000121ED db 0 ;
.rdata:000121EE db 0 ;
.rdata:000121EF db 0 ;
.rdata:000121F0 db 0 ;
.rdata:000121F1 db 0 ;
.rdata:000121F2 db 0 ;
.rdata:000121F3 db 0 ;
.rdata:000121F4 db 0 ;
.rdata:000121F5 db 0 ;
.rdata:000121F6 db 0 ;
.rdata:000121F7 db 0 ;
.rdata:000121F8 db 0 ;
.rdata:000121F9 db 0 ;
.rdata:000121FA db 0 ;
.rdata:000121FB db 0 ;
.rdata:000121FC db 0 ;
.rdata:000121FD db 0 ;
.rdata:000121FE db 0 ;
.rdata:000121FF db 0 ;
.rdata:000121FF _rdata ends
.rdata:000121FF
.data:00013000 ; Section 3. (virtual address 00003000)
.data:00013000 ; Virtual size : 00000008 ( 8.)
.data:00013000 ; Section size in file : 00000200 ( 512.)
.data:00013000 ; Offset to raw data for section: 00000800
.data:00013000 ; Flags C8000040: Data Not pageable Readable Writable
.data:00013000 ; Alignment : 16 bytes ?
.data:00013000 ; ---------------------------------------------------------------------------
.data:00013000
.data:00013000 ; Segment type: Pure data
.data:00013000 _data segment para public 'DATA' use32
.data:00013000 assume cs:_data
.data:00013000 ;org 13000h
.data:00013000 ; /GS stack-cookie storage written by `start` (INIT): the cookie and its
.data:00013000 ; complement. 44BF19B1h == NOT 0BB40E64Eh, the compiler's default seed.
.data:00013000 dword_13000 dd 0BB40E64Eh ; DATA XREF: start+5r
.data:00013000 ; start+1Do ...
.data:00013004 dword_13004 dd 44BF19B1h ; DATA XREF: start+37w
.data:00013008 align 200h
.data:00013008 _data ends
.data:00013008
INIT:00014000 ; Section 4. (virtual address 00004000)
INIT:00014000 ; Virtual size : 00000126 ( 294.)
INIT:00014000 ; Section size in file : 00000200 ( 512.)
INIT:00014000 ; Offset to raw data for section: 00000A00
INIT:00014000 ; Flags E2000020: Text Discardable Executable Readable Writable
INIT:00014000 ; Alignment : 16 bytes ?
INIT:00014000 ; ---------------------------------------------------------------------------
INIT:00014000
INIT:00014000 ; Segment type: Pure code
INIT:00014000 INIT segment para public 'CODE' use32
INIT:00014000 assume cs:INIT
INIT:00014000 ;org 14000h
INIT:00014000 assume es:nothing, ss:nothing, ds:_data, fs:nothing, gs:nothing
INIT:00014000 dd 0
INIT:00014004 db 0
INIT:00014005
INIT:00014005 ; ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦ S U B R O U T I N E ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦
INIT:00014005
INIT:00014005 ; Attributes: bp-based frame
INIT:00014005
INIT:00014005 public start
INIT:00014005 start proc near
INIT:00014005 ; Image entry point. This matches the compiler-emitted /GS cookie
INIT:00014005 ; initialisation that precedes DriverEntry: if the cookie in .data is
INIT:00014005 ; still 0 or the default 0BB40E64Eh, derive a new one from the cookie's
INIT:00014005 ; own address and KeTickCount, store it and its complement, then
INIT:00014005 ; tail-jump to the real DriverEntry body at loc_1112A with the two
INIT:00014005 ; stack arguments untouched (no locals; ebp restored first).
INIT:00014005 mov edi, edi
INIT:00014007 push ebp
INIT:00014008 mov ebp, esp
INIT:0001400A mov eax, dword_13000 ; current cookie
INIT:0001400F test eax, eax
INIT:00014011 mov ecx, 0BB40E64Eh ; default cookie
INIT:00014016 jz short loc_1401C ; 0 -> (re)initialise
INIT:00014018 cmp eax, ecx
INIT:0001401A jnz short loc_1403A ; already non-default -> keep it
INIT:0001401C
INIT:0001401C loc_1401C: ; CODE XREF: start+11j
INIT:0001401C mov edx, ds:KeTickCount ; edx = pointer held in the IAT slot
INIT:00014022 mov eax, offset dword_13000
INIT:00014027 shr eax, 8 ; cookie = (&cookie >> 8) ^ *KeTickCount
INIT:0001402A xor eax, [edx]
INIT:0001402C mov dword_13000, eax ; mov keeps ZF from the xor
INIT:00014031 jnz short loc_1403A
INIT:00014033 mov eax, ecx ; result was 0: fall back to the default
INIT:00014035 mov dword_13000, eax
INIT:0001403A
INIT:0001403A loc_1403A: ; CODE XREF: start+15j
INIT:0001403A ; start+2Cj
INIT:0001403A not eax
INIT:0001403C mov dword_13004, eax ; complement
INIT:00014041 pop ebp
INIT:00014042 jmp loc_1112A ; -> DriverEntry body in .text
INIT:00014042 start endp
INIT:00014042
INIT:00014042 ; ---------------------------------------------------------------------------
INIT:00014047 ; Import directory and hint/name table (discardable INIT section).
INIT:00014047 ; Read little-endian, the dd values spell "KeCancelTimer", "KeSetTimer",
INIT:00014047 ; "KeInitializeTimer", "DbgPrint", "KeTickCount", "ntoskrnl.exe",
INIT:00014047 ; "KfLowerIrql", "KfRaiseIrql", "HAL.dll" -- exactly the .idata externs
INIT:00014047 ; above. No routine-lookup import (e.g. MmGetSystemRoutineAddress) is
INIT:00014047 ; present, so the import set is the whole declared API surface.
INIT:00014047 dd 4090CCh, 2 dup(0), 40F400h, 200C00h, 408400h, 2 dup(0)
INIT:00014047 dd 411E00h, 200000h, 5 dup(0), 411000h, 410200h, 0, 40E600h
INIT:00014047 dd 40DA00h, 40C600h, 40B800h, 40A800h, 0, 4B02A000h, 6E614365h
INIT:00014047 dd 546C6563h, 72656D69h, 4B031E00h, 74655365h, 656D6954h
INIT:00014047 dd 0CD000072h, 49654B02h, 6974696Eh, 7A696C61h, 6D695465h
INIT:00014047 dd 3C007265h, 67624400h, 6E697250h, 27000074h, 54654B03h
INIT:00014047 dd 436B6369h, 746E756Fh, 6F746E00h, 6E726B73h, 78652E6Ch
INIT:00014047 dd 59000065h, 4C664B00h, 7265776Fh, 6C717249h, 4B005A00h
INIT:00014047 dd 69615266h, 72496573h, 48006C71h, 642E4C41h, 6C6Ch, 36h dup(0)
INIT:000141FF align 4
INIT:000141FF INIT ends
INIT:000141FF
INIT:000141FF
INIT:000141FF end start