Thursday, 9 April 2020

armpatched

Several days ago I started a new pet project on GitHub, because
  • quarantine is boring
  • reading the book "ARM 64-Bit Assembly Language" without practice is useless
So I forked the arm64 disassembler armadillo, ported it to Windows, added a naïve PE loader (btw, an attempt to use the MapViewOfFile function failed with GetLastError 1132) and today added a first practical use of static code analysis: extracting the lists and locks of lookaside lists from the arm64 Windows kernel.

The main magic happens in the ntoskrnl_hack::find_lock_list function.

As you can see, the code does not emulate every instruction. It just checks whether, after an ADRP/ADD pair, the target register holds an address in the .data section. If we encounter a call to the (exported) KeAcquireSpinLockRaiseToDpc, we change the state to 1 and record the value of the x0 register as the lock; the next address loaded from the .data section must then be the list.
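To make the state machine concrete, here is an added, self-contained C++ sketch of the same idea. It is not code from armpatched or armadillo: instead of the real disassembler it decodes only the three encodings the pattern needs (ADRP, 64-bit ADD immediate, BL) straight from the instruction words, tracks nothing but ADRP/ADD results, and applies the state 0 → state 1 rule from the text. The image layout (.data range, the address of KeAcquireSpinLockRaiseToDpc, the lock and list addresses) and the instruction stream are constructed for the demo; the names `Image`, `Result`, `find_lock_list` here are hypothetical and not the project's API.

```cpp
// Added example, not ntoskrnl_hack code: minimal ADRP/ADD/BL decoding plus the
// "lock then list" state machine over a constructed arm64 instruction stream.
#include <cstdint>
#include <cstdio>
#include <vector>

struct Image {                  // constructed layout, not taken from a real kernel
    uint64_t data_begin, data_end;   // .data section range
    uint64_t acquire_lock;           // address of exported KeAcquireSpinLockRaiseToDpc
};
struct Result { uint64_t lock = 0; uint64_t list = 0; bool found = false; };

static inline int64_t sext(uint64_t v, int bits) {   // sign-extend the low `bits` of v
    uint64_t m = 1ull << (bits - 1);
    return (int64_t)((v ^ m) - m);
}

// Scan `code` (little-endian instruction words) loaded at `base`.
// Only ADRP/ADD results are tracked; every other instruction is skipped, as in the post.
Result find_lock_list(const std::vector<uint32_t>& code, uint64_t base, const Image& img) {
    Result r;
    uint64_t regs[32] = {0};
    bool known[32] = {false};
    int state = 0;   // 0: waiting for the lock acquire, 1: next .data address is the list
    for (size_t i = 0; i < code.size(); ++i) {
        uint64_t pc = base + i * 4;
        uint32_t insn = code[i];
        if ((insn & 0x9F000000u) == 0x90000000u) {           // ADRP Xd, <page>
            uint64_t immlo = (insn >> 29) & 3, immhi = (insn >> 5) & 0x7FFFF;
            int64_t imm = sext((immhi << 2) | immlo, 21) << 12;
            int rd = insn & 31;
            regs[rd] = (pc & ~0xFFFull) + imm; known[rd] = true;
        } else if ((insn & 0xFF800000u) == 0x91000000u) {    // ADD Xd, Xn, #imm12{, lsl #12}
            int rd = insn & 31, rn = (insn >> 5) & 31;
            uint64_t imm = (insn >> 10) & 0xFFF;
            if (insn & (1u << 22)) imm <<= 12;
            if (!known[rn]) { known[rd] = false; continue; }
            regs[rd] = regs[rn] + imm; known[rd] = true;
            bool in_data = regs[rd] >= img.data_begin && regs[rd] < img.data_end;
            if (in_data && state == 1) {                     // first .data address after the lock
                r.list = regs[rd]; r.found = true; return r;
            }
        } else if ((insn & 0xFC000000u) == 0x94000000u) {    // BL <target>
            uint64_t target = pc + (sext(insn & 0x3FFFFFF, 26) << 2);
            if (target == img.acquire_lock && state == 0 && known[0]) {
                r.lock = regs[0]; state = 1;                 // x0 is the spinlock argument
            }
        }
        // anything else is deliberately not emulated
    }
    return r;
}

// Encoders used only to build the constructed sample stream.
uint32_t enc_adrp(int rd, uint64_t pc, uint64_t target) {
    int64_t delta = (int64_t)((target & ~0xFFFull) - (pc & ~0xFFFull)) >> 12;
    uint64_t imm = (uint64_t)delta & 0x1FFFFF;
    return 0x90000000u | (uint32_t)((imm & 3) << 29) | (uint32_t)((imm >> 2) << 5) | (uint32_t)rd;
}
uint32_t enc_add(int rd, int rn, uint32_t imm12) { return 0x91000000u | (imm12 << 10) | (rn << 5) | rd; }
uint32_t enc_bl(uint64_t pc, uint64_t target) {
    int64_t off = (int64_t)(target - pc) >> 2;
    return 0x94000000u | (uint32_t)(off & 0x3FFFFFF);
}

// Constructed sample: ADRP/ADD x0 -> lock, BL KeAcquireSpinLockRaiseToDpc, NOP, ADRP/ADD x8 -> list.
Result demo() {
    const uint64_t base = 0x140001000ull;
    const Image img{0x140100000ull, 0x140110000ull, 0x140050000ull};
    const uint64_t lock = 0x140100040ull, list = 0x140100080ull;
    std::vector<uint32_t> code;
    uint64_t pc = base;
    code.push_back(enc_adrp(0, pc, lock));        pc += 4;
    code.push_back(enc_add(0, 0, lock & 0xFFF));  pc += 4;
    code.push_back(enc_bl(pc, img.acquire_lock)); pc += 4;
    code.push_back(0xD503201Fu);                  pc += 4;   // NOP: ignored by the scanner
    code.push_back(enc_adrp(8, pc, list));        pc += 4;
    code.push_back(enc_add(8, 8, list & 0xFFF));  pc += 4;
    return find_lock_list(code, base, img);
}

int main() {
    Result r = demo();
    std::printf("found=%d lock=%llx list=%llx\n", r.found,
                (unsigned long long)r.lock, (unsigned long long)r.list);
    return r.found ? 0 : 1;
}
```

Because nothing but ADRP/ADD is tracked, a register clobbered by an untracked instruction between the pair and the call would still be reported; that is the trade-off of the naïve approach, and it is why the .data range check and the exported-call check are both needed before trusting a match.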
