
afd endpoints owner

Alex, as usual, did perfect work bypassing even paranoid EDRs.
The main problem is detecting the duplicated sockets. There is a hint, however:
all ownership of the socket still belongs to the original creator – even when the creator exits (and actually, because Netio.sys is still referencing the original EPROCESS, the creator and the PID become “zombies” and leak resources).
OK, the reasoning is right, but the reference is held by afd.sys. Let's see why.
We need to disassemble two functions to write a simple script. First, we need the offset back from the list entry linked through afd!AfdEndpointListHead to the endpoint structure itself. It can be extracted from AfdIsAddressInUse:
  mov     [rsp+arg_0], rbx
  mov     [rsp+arg_8], rbp
  mov     [rsp+arg_10], rsi
  push    rdi
  sub     rsp, 30h
  mov     rsi, rcx
  xor     ebx, ebx
  mov     rcx, cs:AfdGlobalData
  call    cs:__imp_ExEnterCriticalRegionAndAcquireResourceShared
  nop     dword ptr [rax+rax+00h]
  mov     rdi, cs:AfdEndpointListHead
  lea     rbp, AfdEndpointListHead
  jmp     short loc_1C003C0D3
; ---------------------------------------------------------------------------

loc_1C003C054:                          ; CODE XREF: AfdIsAddressInUse+BE
  lea     rdx, [rdi-120h]
...
loc_1C003C0D3
  cmp     rdi, rbp
  jnz     loc_1C003C054


Then we need the offset of the owning EPROCESS inside the endpoint; it can be extracted, for example, from AfdFreeEndpointResources:

  mov     rcx, [rbx+28h]
  mov     edx, 200h
  call    cs:__imp_PsReturnPoolQuota
  nop     dword ptr [rax+rax+00h]
  mov     rcx, [rbx+28h]  ; Object
  call    cs:__imp_ObfDereferenceObject


Now we have all the parts of this puzzle. Let's see what we can do in windbg:


kd> ? afd!AfdEndpointListHead
Evaluate expression: -8772979362448 = fffff805`61ae7570
kd> r $t0 =  0xfffff805`61ae7570; .for( r $t1 = poi(@$t0) ;  (@$t1 != @$t0) ; r $t1 = poi(@$t1) ) { !process poi(@$t1-120+28) 0 }

PROCESS ffffe50f664e0080
    SessionId: 1  Cid: 0bf4    Peb: 8c93382000  ParentCid: 02d8
    DirBase: 6ceb6000  ObjectTable: ffff818ffd8744c0  HandleCount:
    Image: SkypeApp.exe

...
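As an added example (not from the post), the same walk done offline over a memory snapshot in Python, as a forensic tool attributing sockets to their owning process from a dump would do it. The Memory class, the snapshot builder and every address except the list head and the first EPROCESS (both from the windbg output above) are constructed, and the 0x120/0x28 offsets are the ones derived above for this build only.

```python
import struct

# Offsets recovered from the disassembly above (this build only; re-derive
# them from afd.sys before trusting them on another Windows build).
ENTRY_TO_ENDPOINT = 0x120    # lea rdx, [rdi-120h]  in AfdIsAddressInUse
ENDPOINT_TO_EPROCESS = 0x28  # mov rcx, [rbx+28h]   in AfdFreeEndpointResources


class Memory:
    """Flat little-endian view of a 64-bit memory snapshot (constructed here)."""

    def __init__(self, base, data):
        self.base, self.data = base, data

    def read_u64(self, va):
        off = va - self.base
        if not 0 <= off <= len(self.data) - 8:
            raise ValueError(f"unmapped read at {va:#x}")
        return struct.unpack_from("<Q", self.data, off)[0]


def walk_afd_endpoints(mem, list_head_va, max_entries=4096):
    """Yield (endpoint_va, eprocess_va) for every endpoint on the list,
    the same walk the windbg .for loop performs, with a cycle guard."""
    seen = set()
    entry = mem.read_u64(list_head_va)            # Flink of the list head
    while entry != list_head_va:                  # reaching the head ends the ring
        if entry in seen or len(seen) >= max_entries:
            raise RuntimeError(f"cycle or corrupt list at {entry:#x}")
        seen.add(entry)
        endpoint = entry - ENTRY_TO_ENDPOINT      # CONTAINING_RECORD
        yield endpoint, mem.read_u64(endpoint + ENDPOINT_TO_EPROCESS)
        entry = mem.read_u64(entry)               # follow Flink


def build_sample_snapshot():
    """Constructed snapshot: the list head plus two endpoints owned by two
    processes. The head and the first EPROCESS match the post's windbg
    output; the endpoint addresses and the second EPROCESS are made up."""
    base, head = 0xfffff80561ae0000, 0xfffff80561ae7570
    endpoints = [base + 0x10000, base + 0x10400]
    owners = [0xffffe50f664e0080, 0xffffe50f66aa0080]
    ring = [head] + [ep + ENTRY_TO_ENDPOINT for ep in endpoints]
    buf = bytearray(0x11000)
    for i, node in enumerate(ring):               # link Flink/Blink circularly
        struct.pack_into("<QQ", buf, node - base, ring[(i + 1) % len(ring)], ring[i - 1])
    for ep, owner in zip(endpoints, owners):
        struct.pack_into("<Q", buf, ep + ENDPOINT_TO_EPROCESS - base, owner)
    return Memory(base, bytes(buf)), head
```

Feed the yielded EPROCESS addresses to whatever process-object parser your dump tooling has; a live windbg session would instead hand them to !process as the command above does.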
