
[WINDBG] Inspecting the contents of the ServiceDescriptorTable

by WeZZ 2008. 11. 4.

First, use the kernel variables to locate the tables.

0: kd> dd KeServiceDescriptorTable
8055c700  80504450 00000000 0000011c 805048c4
8055c710  00000000 00000000 00000000 00000000
8055c720  00000000 00000000 00000000 00000000
8055c730  00000000 00000000 00000000 00000000
8055c740  00000002 00002710 bf80c0b6 00000000
8055c750  f719ba80 f6b89b60 86d74950 806f60c0
8055c760  00000000 00000000 ffea8ad6 ffffffff
8055c770  ee4ae396 01c90284 00000000 00000000

0: kd> dd KeServiceDescriptorTableShadow
8055c6c0  80504450 00000000 0000011c 805048c4
8055c6d0  bf999b80 00000000 0000029b bf99a890
8055c6e0  00000000 00000000 00000000 00000000
8055c6f0  00000000 00000000 00000000 00000000
8055c700  80504450 00000000 0000011c 805048c4
8055c710  00000000 00000000 00000000 00000000
8055c720  00000000 00000000 00000000 00000000
8055c730  00000000 00000000 00000000 00000000

In KeServiceDescriptorTable you can see the services bound to NtOsKrnl;
in KeServiceDescriptorTableShadow you can also see the services bound to Win32K.

typedef struct _SERVICE_DESCRIPTOR_TABLE
{
    PULONG  ServiceTable;     // array of entry-points
    PULONG  puCounterTable;   // array of counters
    ULONG   uTableSize;       // number of table entries
    PUCHAR  pbArgumentTable;  // array of byte counts
} SERVICE_DESCRIPTOR_TABLE, *PSERVICE_DESCRIPTOR_TABLE;

Since the ServiceDescriptorTable has the structure above, the SDT dump earlier tells us that
ServiceTable (the array of entry points) is at 80504450
and that the number of entries is 0x11c.

Dumping it gives:
0: kd> dds 0x80504450 L11c
80504450  805a4614 nt!NtAcceptConnectPort
80504454  805f0adc nt!NtAccessCheck
80504458  805f4312 nt!NtAccessCheckAndAuditAlarm
8050445c  805f0b0e nt!NtAccessCheckByType
80504460  805f434c nt!NtAccessCheckByTypeAndAuditAlarm
80504464  805f0b44 nt!NtAccessCheckByTypeResultList
80504468  805f4390 nt!NtAccessCheckByTypeResultListAndAuditAlarm
8050446c  805f43d4 nt!NtAccessCheckByTypeResultListAndAuditAlarmByHandle
80504470  806153a2 nt!NtAddAtom
...

The list can be seen as above.
Furthermore, the position in this order is exactly the service index.
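The two steps above (reading the descriptor fields out of the `dd` dump, then turning the `dds` listing into service indices) as an added Python example; this is not code from the original post, and the class and function names are my own. The sample input embedded below is the debugger output quoted in the post. It goes one step beyond the post: it also flags entries whose symbol does not resolve into the `nt` module, which is the check a defender runs over this table, since every slot of KeServiceDescriptorTable should point into the kernel image.

```python
"""Parse WinDbg `dd` / `dds` output for KeServiceDescriptorTable (added example,
not from the original post). Sample input is the output quoted in the post."""
import re
from dataclasses import dataclass

# Constructed sample: the `dd KeServiceDescriptorTableShadow` output from the post.
# Slot 0 is the nt table, slot 1 the Win32k table, slots 2 and 3 are unused.
DD_SHADOW = """\
8055c6c0  80504450 00000000 0000011c 805048c4
8055c6d0  bf999b80 00000000 0000029b bf99a890
8055c6e0  00000000 00000000 00000000 00000000
8055c6f0  00000000 00000000 00000000 00000000
"""

# Constructed sample: the first lines of `dds 0x80504450 L11c` from the post.
DDS_NT = """\
80504450  805a4614 nt!NtAcceptConnectPort
80504454  805f0adc nt!NtAccessCheck
80504458  805f4312 nt!NtAccessCheckAndAuditAlarm
8050445c  805f0b0e nt!NtAccessCheckByType
80504460  805f434c nt!NtAccessCheckByTypeAndAuditAlarm
80504464  805f0b44 nt!NtAccessCheckByTypeResultList
80504468  805f4390 nt!NtAccessCheckByTypeResultListAndAuditAlarm
8050446c  805f43d4 nt!NtAccessCheckByTypeResultListAndAuditAlarmByHandle
80504470  806153a2 nt!NtAddAtom
"""


@dataclass
class ServiceDescriptorTable:
    """Mirrors the four fields of SERVICE_DESCRIPTOR_TABLE shown in the post."""
    service_table: int    # PULONG ServiceTable    (array of entry points)
    counter_table: int    # PULONG puCounterTable  (array of counters)
    table_size: int       # ULONG  uTableSize      (number of table entries)
    argument_table: int   # PUCHAR pbArgumentTable (array of byte counts)


def parse_dd(text):
    """Flatten `dd` output (address followed by up to four DWORDs per line)
    into a list of 32-bit values in memory order."""
    words = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        words.extend(int(w, 16) for w in parts[1:])
    return words


def parse_descriptor_tables(text, count=4):
    """Return the descriptors held in a KeServiceDescriptorTable(Shadow) dump,
    one per 16-byte slot. A slot whose ServiceTable pointer is 0 is unused."""
    words = parse_dd(text)
    tables = []
    for i in range(count):
        s, c, n, a = words[4 * i:4 * i + 4]
        tables.append(ServiceDescriptorTable(s, c, n, a))
    return tables


DDS_LINE = re.compile(r"^([0-9a-f]{8})\s+([0-9a-f]{8})\s+(\S+)")


def parse_dds(text, base):
    """Return (index, handler, symbol) per `dds` line. The index is the slot's
    distance from the table base in DWORDs, i.e. the system service number."""
    entries = []
    for line in text.splitlines():
        m = DDS_LINE.match(line)
        if not m:
            continue
        slot, handler, symbol = int(m[1], 16), int(m[2], 16), m[3]
        entries.append(((slot - base) // 4, handler, symbol))
    return entries


def foreign_entries(entries, module="nt"):
    """Entries whose symbol does not resolve into the expected module.
    For the nt table every slot should be an nt! symbol; anything else is a
    slot that deserves a closer look."""
    return [e for e in entries if not e[2].startswith(module + "!")]


if __name__ == "__main__":
    nt_table, win32k_table = parse_descriptor_tables(DD_SHADOW)[:2]
    print(f"nt     table at {nt_table.service_table:08x}, {nt_table.table_size:#x} entries")
    print(f"win32k table at {win32k_table.service_table:08x}, {win32k_table.table_size:#x} entries")
    for index, handler, symbol in parse_dds(DDS_NT, nt_table.service_table):
        print(f"{index:#06x}  {handler:08x}  {symbol}")
    print("entries outside nt:", foreign_entries(parse_dds(DDS_NT, nt_table.service_table)))
```

Two things worth keeping in mind when reading a `dds` listing this way: the index comes from the slot address, not from the symbol, and `dds` labels each slot with the nearest symbol for the handler address, so two distinct slots whose handler bodies were folded by the linker into one identical stub show the same name (the repeated nt!NtAddBootEntry and nt!NtDeleteBootEntry lines in the XP table below are examples).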

XP service descriptor table

804e4d20  80588691 nt!NtAcceptConnectPort
804e4d24  805726ef nt!NtAccessCheck
804e4d28  8057bb71 nt!NtAccessCheckAndAuditAlarm
804e4d2c  80582b5c nt!NtAccessCheckByType
804e4d30  8059aff7 nt!NtAccessCheckByTypeAndAuditAlarm
804e4d34  80638b80 nt!NtAccessCheckByTypeResultList
804e4d38  8063ad05 nt!NtAccessCheckByTypeResultListAndAuditAlarm
804e4d3c  8063ad4e nt!NtAccessCheckByTypeResultListAndAuditAlarmByHandle
804e4d40  8057841c nt!NtAddAtom
804e4d44  8064955b nt!NtAddBootEntry
804e4d48  80638347 nt!NtAdjustGroupsToken
804e4d4c  8059a539 nt!NtAdjustPrivilegesToken
804e4d50  806304ec nt!NtAlertResumeThread
804e4d54  8057b98c nt!NtAlertThread
804e4d58  8059255e nt!NtAllocateLocallyUniqueId
804e4d5c  8062761f nt!NtAllocateUserPhysicalPages
804e4d60  80597801 nt!NtAllocateUuids
804e4d64  8056a777 nt!NtAllocateVirtualMemory
804e4d68  805dc3fd nt!NtAreMappedFilesTheSame
804e4d6c  805a6567 nt!NtAssignProcessToJobObject
804e4d70  804e5340 nt!NtCallbackReturn
804e4d74  80649547 nt!NtDeleteBootEntry
804e4d78  805cdca2 nt!NtCancelIoFile
804e4d7c  804fbf8f nt!NtCancelTimer
804e4d80  80568c11 nt!NtClearEvent
804e4d84  805695d9 nt!NtClose
804e4d88  8059a9a7 nt!NtCloseObjectAuditAlarm
804e4d8c  8064f537 nt!NtCompactKeys
804e4d90  80584410 nt!NtCompareTokens
804e4d94  80582562 nt!NtCompleteConnectPort
804e4d98  8064f7a5 nt!NtCompressKey
804e4d9c  8059ac34 nt!NtConnectPort
804e4da0  804e48ff nt!NtContinue
804e4da4  8065a494 nt!NtCreateDebugObject
804e4da8  805a6a04 nt!NtCreateDirectoryObject
804e4dac  8056d553 nt!NtCreateEvent
804e4db0  80649bac nt!NtCreateEventPair
804e4db4  8057364c nt!NtCreateFile
804e4db8  80599eed nt!NtCreateIoCompletion
804e4dbc  805af39a nt!NtCreateJobObject
804e4dc0  80630993 nt!NtCreateJobSet
804e4dc4  80571063 nt!NtCreateKey
804e4dc8  805dc312 nt!NtCreateMailslotFile
804e4dcc  8057ae73 nt!NtCreateMutant
804e4dd0  80582f0d nt!NtCreateNamedPipeFile
804e4dd4  805bf9d8 nt!NtCreatePagingFile
804e4dd8  80594699 nt!NtCreatePort
804e4ddc  805b5543 nt!NtCreateProcess
804e4de0  8058a5d3 nt!NtCreateProcessEx
804e4de4  8064a1cd nt!NtCreateProfile
804e4de8  80566b1b nt!NtCreateSection
804e4dec  805770d8 nt!NtCreateSemaphore
804e4df0  805a47b0 nt!NtCreateSymbolicLinkObject
804e4df4  80581262 nt!NtCreateThread
804e4df8  805e10b0 nt!NtCreateTimer
804e4dfc  805acd09 nt!NtCreateToken
804e4e00  805a6f96 nt!NtCreateWaitablePort
804e4e04  8065b60c nt!NtDebugActiveProcess
804e4e08  8065b767 nt!NtDebugContinue
804e4e0c  80567fe1 nt!NtDelayExecution
804e4e10  8057b6b4 nt!NtDeleteAtom
804e4e14  80649547 nt!NtDeleteBootEntry
804e4e18  805dacf7 nt!NtDeleteFile
804e4e1c  8059f6bd nt!NtDeleteKey
804e4e20  8063ada5 nt!NtDeleteObjectAuditAlarm
804e4e24  80599430 nt!NtDeleteValueKey
804e4e28  80581bd0 nt!NtDeviceIoControlFile
804e4e2c  805c30e1 nt!NtDisplayString
804e4e30  805763be nt!NtDuplicateObject
804e4e34  8057f3f7 nt!NtDuplicateToken
804e4e38  8064955b nt!NtAddBootEntry
804e4e3c  8057176a nt!NtEnumerateKey
804e4e40  80649533 nt!NtEnumerateSystemEnvironmentValuesEx
804e4e44  805821fe nt!NtEnumerateValueKey
804e4e48  80626448 nt!NtExtendSection
804e4e4c  805b4d2d nt!NtFilterToken
804e4e50  8059a095 nt!NtFindAtom
804e4e54  8057b7b4 nt!NtFlushBuffersFile
804e4e58  805789ab nt!NtFlushInstructionCache
804e4e5c  80596925 nt!NtFlushKey
804e4e60  8059d83b nt!NtFlushVirtualMemory
804e4e64  80627e7f nt!NtFlushWriteBuffer
804e4e68  806279d4 nt!NtFreeUserPhysicalPages
804e4e6c  8056afc4 nt!NtFreeVirtualMemory
804e4e70  8057fa0d nt!NtFsControlFile
804e4e74  805de5b0 nt!NtGetContextThread
804e4e78  8062cce3 nt!NtGetDevicePowerState
804e4e7c  805a3173 nt!NtGetPlugPlayEvent
804e4e80  8053d0ef nt!NtGetWriteWatch
804e4e84  80598925 nt!NtImpersonateAnonymousToken
804e4e88  80583b6a nt!NtImpersonateClientOfPort
804e4e8c  8057e33a nt!NtImpersonateThread
804e4e90  805a7a4d nt!NtInitializeRegistry
804e4e94  8062caaf nt!NtInitiatePowerAction
804e4e98  8063084b nt!NtIsProcessInJob
804e4e9c  8062ccca nt!NtIsSystemResumeAutomatic
804e4ea0  805aee2a nt!NtListenPort
804e4ea4  805a8b26 nt!NtLoadDriver
804e4ea8  805b2f28 nt!NtLoadKey
804e4eac  805b2d76 nt!NtLoadKey2
804e4eb0  80586301 nt!NtLockFile
804e4eb4  805b4efd nt!NtLockProductActivationKeys
804e4eb8  805d7933 nt!NtLockRegistryKey
804e4ebc  805b436a nt!NtLockVirtualMemory
804e4ec0  805a4a81 nt!NtMakePermanentObject
804e4ec4  805a4c6e nt!NtMakeTemporaryObject
804e4ec8  80626b13 nt!NtMapUserPhysicalPages
804e4ecc  80626fe2 nt!NtMapUserPhysicalPagesScatter
804e4ed0  80575c04 nt!NtMapViewOfSection
804e4ed4  80649547 nt!NtDeleteBootEntry
804e4ed8  80584c94 nt!NtNotifyChangeDirectoryFile
804e4edc  805849dd nt!NtNotifyChangeKey
804e4ee0  80584aa6 nt!NtNotifyChangeMultipleKeys
804e4ee4  80589840 nt!NtOpenDirectoryObject
804e4ee8  80582306 nt!NtOpenEvent
804e4eec  80649c9d nt!NtOpenEventPair
804e4ef0  805735e7 nt!NtOpenFile
804e4ef4  8061757f nt!NtOpenIoCompletion
804e4ef8  80630be9 nt!NtOpenJobObject
804e4efc  8056a4d5 nt!NtOpenKey
804e4f00  8057af21 nt!NtOpenMutant
804e4f04  8059cc32 nt!NtOpenObjectAuditAlarm
804e4f08  8057659e nt!NtOpenProcess
804e4f0c  8056e8fc nt!NtOpenProcessToken
804e4f10  8056eaf5 nt!NtOpenProcessTokenEx
804e4f14  805786cc nt!NtOpenSection
804e4f18  805a5c97 nt!NtOpenSemaphore
804e4f1c  8058970c nt!NtOpenSymbolicLinkObject
804e4f20  80599c0a nt!NtOpenThread
804e4f24  8056e383 nt!NtOpenThreadToken
804e4f28  8056e2f1 nt!NtOpenThreadTokenEx
804e4f2c  80649ad3 nt!NtOpenTimer
804e4f30  80597dec nt!NtPlugPlayControl
804e4f34  805a08d7 nt!NtPowerInformation
804e4f38  80599207 nt!NtPrivilegeCheck
804e4f3c  80597670 nt!NtPrivilegeObjectAuditAlarm
804e4f40  805af13e nt!NtPrivilegedServiceAuditAlarm
804e4f44  8057694d nt!NtProtectVirtualMemory
804e4f48  805a6eee nt!NtPulseEvent
804e4f4c  80573ecb nt!NtQueryAttributesFile
804e4f50  8064955b nt!NtAddBootEntry
804e4f54  8064955b nt!NtAddBootEntry
804e4f58  804f5bdd nt!NtQueryDebugFilterState
804e4f5c  8056876e nt!NtQueryDefaultLocale
804e4f60  80588f59 nt!NtQueryDefaultUILanguage
804e4f64  80576dad nt!NtQueryDirectoryFile
804e4f68  8058f55d nt!NtQueryDirectoryObject
804e4f6c  80617a00 nt!NtQueryEaFile
804e4f70  805898bd nt!NtQueryEvent
804e4f74  8057d349 nt!NtQueryFullAttributesFile
804e4f78  805da720 nt!NtQueryInformationAtom
804e4f7c  80574d12 nt!NtQueryInformationFile
804e4f80  8058b6bc nt!NtQueryInformationJobObject
804e4f84  80623f19 nt!NtQueryInformationPort
804e4f88  8056e537 nt!NtQueryInformationProcess
804e4f8c  80568d06 nt!NtQueryInformationThread
804e4f90  8056feab nt!NtQueryInformationToken
804e4f94  80582509 nt!NtQueryInstallUILanguage
804e4f98  8064a67f nt!NtQueryIntervalProfile
804e4f9c  80617640 nt!NtQueryIoCompletion
804e4fa0  80571473 nt!NtQueryKey
804e4fa4  8064ef58 nt!NtQueryMultipleValueKey
804e4fa8  8064a006 nt!NtQueryMutant
804e4fac  80589e10 nt!NtQueryObject
804e4fb0  8064f15e nt!NtQueryOpenSubKeys
804e4fb4  80569041 nt!NtQueryPerformanceCounter
804e4fb8  806182c3 nt!NtQueryQuotaInformationFile
804e4fbc  8057d825 nt!NtQuerySection
804e4fc0  805990a2 nt!NtQuerySecurityObject
804e4fc4  80648dff nt!NtQuerySemaphore
804e4fc8  8058957d nt!NtQuerySymbolicLinkObject
804e4fcc  80649583 nt!NtQuerySystemEnvironmentValue
804e4fd0  80649520 nt!NtSetSystemEnvironmentValueEx
804e4fd4  8057ec27 nt!NtQuerySystemInformation
804e4fd8  80599d9c nt!NtQuerySystemTime
804e4fdc  805e0777 nt!NtQueryTimer
804e4fe0  8058d9e6 nt!NtQueryTimerResolution
804e4fe4  8056d9a8 nt!NtQueryValueKey
804e4fe8  8056ebf3 nt!NtQueryVirtualMemory
804e4fec  8057388f nt!NtQueryVolumeInformationFile
804e4ff0  80582a00 nt!NtQueueApcThread
804e4ff4  804e494c nt!NtRaiseException
804e4ff8  80648b3b nt!NtRaiseHardError
804e4ffc  80573b30 nt!NtReadFile
804e5000  805dd7a8 nt!NtReadFileScatter
804e5004  805841c2 nt!NtReadRequestData
804e5008  8057dfd1 nt!NtReadVirtualMemory
804e500c  805819af nt!NtRegisterThreadTerminatePort
804e5010  8056804c nt!NtReleaseMutant
804e5014  8057b463 nt!NtReleaseSemaphore
804e5018  80568ab2 nt!NtRemoveIoCompletion
804e501c  8065b6e1 nt!NtRemoveProcessDebug
804e5020  8064f39f nt!NtRenameKey
804e5024  8064f892 nt!NtReplaceKey
804e5028  8057f0f1 nt!NtReplyPort
804e502c  8056c6fd nt!NtReplyWaitReceivePort
804e5030  8056c210 nt!NtReplyWaitReceivePortEx
804e5034  80623ff8 nt!NtReplyWaitReplyPort
804e5038  8062cc57 nt!NtRequestDeviceWakeup
804e503c  805e12bf nt!NtRequestPort
804e5040  8057a60f nt!NtRequestWaitReplyPort
804e5044  8062ca50 nt!NtRequestWakeupLatency
804e5048  805debaf nt!NtResetEvent
804e504c  8053d57a nt!NtResetWriteWatch
804e5050  8064e3b0 nt!NtRestoreKey
804e5054  8063048c nt!NtResumeProcess
804e5058  805818d5 nt!NtResumeThread
804e505c  8064e457 nt!NtSaveKey
804e5060  8064e4ef nt!NtSaveKeyEx
804e5064  8064e5c3 nt!NtSaveMergedKeys
804e5068  80587d7d nt!NtSecureConnectPort
804e506c  8064955b nt!NtAddBootEntry
804e5070  8064955b nt!NtAddBootEntry
804e5074  8062e85b nt!NtSetContextThread
804e5078  8065d228 nt!NtSetDebugFilterState
804e507c  805d868f nt!NtSetDefaultHardErrorPort
804e5080  805b2a35 nt!NtSetDefaultLocale
804e5084  805b29dc nt!NtSetDefaultUILanguage
804e5088  80617f4d nt!NtSetEaFile
804e508c  8056bcce nt!NtSetEvent
804e5090  80579275 nt!NtSetEventBoostPriority
804e5094  80649f91 nt!NtSetHighEventPair
804e5098  80649eb5 nt!NtSetHighWaitLowEventPair
804e509c  8065b081 nt!NtSetInformationDebugObject
804e50a0  8057be7e nt!NtSetInformationFile
804e50a4  805af4ee nt!NtSetInformationJobObject
804e50a8  8064eabb nt!NtSetInformationKey
804e50ac  8058242e nt!NtSetInformationObject
804e50b0  8056e608 nt!NtSetInformationProcess
804e50b4  80578e5d nt!NtSetInformationThread
804e50b8  805ac8a1 nt!NtSetInformationToken
804e50bc  8064a1ab nt!NtSetIntervalProfile
804e50c0  80578d12 nt!NtSetIoCompletion
804e50c4  8062f573 nt!NtSetLdtEntries
804e50c8  80649f27 nt!NtSetLowEventPair
804e50cc  80649e43 nt!NtSetLowWaitHighEventPair
804e50d0  8061829b nt!NtSetQuotaInformationFile
804e50d4  8059fb78 nt!NtSetSecurityObject
804e50d8  80649820 nt!NtSetSystemEnvironmentValue
804e50dc  80649520 nt!NtSetSystemEnvironmentValueEx
804e50e0  805a7110 nt!NtSetSystemInformation
804e50e4  8066808f nt!NtSetSystemPowerState
804e50e8  80648487 nt!NtSetSystemTime
804e50ec  8059e19f nt!NtSetThreadExecutionState
804e50f0  804e7d2b nt!NtSetTimer
804e50f4  80597bcf nt!NtSetTimerResolution
804e50f8  805af2ea nt!NtSetUuidSeed
804e50fc  80577527 nt!NtSetValueKey
804e5100  806187df nt!NtSetVolumeInformationFile
804e5104  80647bd3 nt!NtShutdownSystem
804e5108  80502906 nt!NtSignalAndWaitForSingleObject
804e510c  8064a414 nt!NtStartProfile
804e5110  8064a5cd nt!NtStopProfile
804e5114  80630431 nt!NtSuspendProcess
804e5118  805de61b nt!NtSuspendThread
804e511c  8064a72d nt!NtSystemDebugControl
804e5120  80630d63 nt!NtTerminateJobObject
804e5124  8058ce1e nt!NtTerminateProcess
804e5128  8058097c nt!NtTerminateThread
804e512c  805813bc nt!NtTestAlert
804e5130  805473b8 nt!NtTraceEvent
804e5134  8064956f nt!NtTranslateFilePath
804e5138  8061ab6e nt!NtUnloadDriver
804e513c  8064e689 nt!NtUnloadKey
804e5140  8064e886 nt!NtUnloadKeyEx
804e5144  80586461 nt!NtUnlockFile
804e5148  80627ef3 nt!NtUnlockVirtualMemory
804e514c  80575789 nt!NtUnmapViewOfSection
804e5150  805bbb48 nt!NtVdmControl
804e5154  8065add0 nt!NtWaitForDebugEvent
804e5158  805682b1 nt!NtWaitForMultipleObjects
804e515c  80567a0b nt!NtWaitForSingleObject
804e5160  80649dd9 nt!NtWaitHighEventPair
804e5164  80649d6f nt!NtWaitLowEventPair
804e5168  8057c125 nt!NtWriteFile
804e516c  805dd3de nt!NtWriteFileGather
804e5170  805843ae nt!NtWriteRequestData
804e5174  8057e123 nt!NtWriteVirtualMemory
804e5178  804fe679 nt!NtYieldExecution
804e517c  805cff0c nt!NtCreateKeyedEvent
804e5180  8058c043 nt!NtOpenKeyedEvent
804e5184  8064aba1 nt!NtReleaseKeyedEvent
804e5188  8064ae3c nt!NtWaitForKeyedEvent
804e518c  8062e033 nt!NtQueryPortInformationProcess