The main problem is detection of duplicated sockets. There is a hint however:
all ownership of the socket still belongs to the original creator – even when the creator exists (and actually, because Netio.sys is still referencing the original EPROCESS, the creator and the PID become “zombies” and leak resources).o`k, reason is true, but reference holds by afd.sys. Lets see why
We need disasm 2 functions to write simple script. First - we need back offset from afd!AfdEndpointListHead to read endpoint. It can be extracted from AfdIsAddressInUse:
mov [rsp+arg_0], rbx
mov [rsp+arg_8], rbp
mov [rsp+arg_10], rsi
push rdi
sub rsp, 30h
mov rsi, rcx
xor ebx, ebx
mov rcx, cs:AfdGlobalData
call cs:__imp_ExEnterCriticalRegionAndAcquireResourceShared
nop dword ptr [rax+rax+00h]
mov rdi, cs:AfdEndpointListHead
lea rbp, AfdEndpointListHead
jmp short loc_1C003C0D3
; ---------------------------------------------------------------------------loc_1C003C054: ; CODE XREF: AfdIsAddressInUse+BE lea rdx, [rdi-120h]...loc_1C003C0D3
cmp rdi, rbp
jnz loc_1C003C054Then we need offset to EPROCESS - it can be extracted for example from AfdFreeEndpointResources:
mov rcx, [rbx+28h]
mov edx, 200h
call cs:__imp_PsReturnPoolQuota
nop dword ptr [rax+rax+00h]
mov rcx, [rbx+28h] ; Object
call cs:__imp_ObfDereferenceObjectNow we have all parts of this puzzle. Let`s see what we can do in windbg
