64 .ModuleName = u
"ntoskrnl.exe",
65 .FunctionName =
"ExAllocatePoolWithTag",
87 0x81, 0x7C, 0x24, 0x0c, 0x44, 0x72, 0x69, 0xF6,
91 0x81, 0x7C, 0x24, 0x0c, 0x44, 0x72, 0x69, 0x76,
95 0x81, 0x7C, 0x24, 0x0c, 0x46, 0x4D, 0x66, 0x69,
99 0x81, 0x7C, 0x24, 0x0c, 0x54, 0x6f, 0x6b, 0x65,
103 0x81, 0x7C, 0x24, 0x0c, 0x54, 0x6f, 0x6b, 0xe5,
115 0xE9, 0x00, 0x00, 0x00, 0x00,
117 .HypercallOffset = 0x34,
118 .RelocatedCodeOffset = 0x37,
124 .ModuleName = u
"ntoskrnl.exe",
125 .FunctionName =
"ExFreePoolWithTag",
131 .NotCritical =
FALSE,
147 0x81, 0x7C, 0x24, 0x08, 0x44, 0x72, 0x69, 0xF6,
151 0x81, 0x7C, 0x24, 0x08, 0x44, 0x72, 0x69, 0x76,
155 0x81, 0x7C, 0x24, 0x08, 0x46, 0x4D, 0x66, 0x69,
167 0xE9, 0x00, 0x00, 0x00, 0x00
169 .HypercallOffset = 0x20,
170 .RelocatedCodeOffset = 0x23,
176 .ModuleName = u
"ntoskrnl.exe",
177 .FunctionName =
"KeBugCheck2",
183 .NotCritical =
FALSE,
205 0xE9, 0x00, 0x00, 0x00, 0x00
207 .HypercallOffset = 0x0,
208 .RelocatedCodeOffset = 0x3,
214 .ModuleName = u
"ntoskrnl.exe",
215 .FunctionName =
"MiProcessLoaderEntry",
221 .NotCritical =
FALSE,
243 0xE9, 0x00, 0x00, 0x00, 0x00
245 .HypercallOffset = 0x0,
246 .RelocatedCodeOffset = 0x3,
252 .ModuleName = u
"ntoskrnl.exe",
253 .FunctionName =
"MiUnloadSystemImage",
259 .NotCritical =
FALSE,
281 0xE9, 0x00, 0x00, 0x00, 0x00
283 .HypercallOffset = 0x0,
284 .RelocatedCodeOffset = 0x3,
290 .ModuleName = u
"ntoskrnl.exe",
291 .FunctionName =
"PspInsertProcess",
298 .NotCritical =
FALSE,
320 0xB8, 0x22, 0x00, 0x00, 0xC0,
325 0xE9, 0x00, 0x00, 0x00, 0x00
327 .HypercallOffset = 0x00,
328 .RelocatedCodeOffset = 0x0B,
334 .ModuleName = u
"ntoskrnl.exe",
335 .FunctionName =
"MmCleanProcessAddressSpace",
341 .NotCritical =
FALSE,
363 0xE9, 0x00, 0x00, 0x00, 0x00
365 .HypercallOffset = 0x0,
366 .RelocatedCodeOffset = 0x3,
373 .ModuleName = u
"ntoskrnl.exe",
374 .FunctionName =
"MmCopyVirtualMemory",
381 .NotCritical =
FALSE,
403 0x8b, 0x44, 0x24, 0x10,
405 0x8b, 0x5c, 0x24, 0x18,
413 0x3b, 0x8b, 0x00, 0x00, 0x00, 0x00,
418 0x8b, 0x9b, 0x00, 0x00, 0x00, 0x00,
424 0x0f, 0xba, 0xe3, 0x09,
431 0x8b, 0x80, 0x00, 0x00, 0x00, 0x00,
437 0x0f, 0xba, 0xe0, 0x0a,
444 0x3d, 0x22, 0x00, 0x00, 0xc0,
464 0xe9, 0x00, 0x00, 0x00, 0x00,
466 .HypercallOffset = 0x3d,
467 .RelocatedCodeOffset = 0x50,
473 .ModuleName = u
"ntoskrnl.exe",
474 .FunctionName =
"NtSetInformationProcess",
481 .NotCritical =
FALSE,
497 0x83, 0x7c, 0x24, 0x08, 0x28,
507 0x8b, 0x4c, 0x24, 0x10,
512 0x8b, 0x44, 0x24, 0x24,
514 0x89, 0x44, 0x24, 0x08,
516 0x8b, 0x44, 0x24, 0x28,
518 0x89, 0x44, 0x24, 0x0c,
520 0x8d, 0x44, 0x24, 0x04,
522 0xc7, 0x44, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00,
531 0xff, 0x35, 0x00, 0xf8, 0xff, 0xff,
538 0xb8, 0x00, 0xf8, 0xff, 0xff,
544 0xb8, 0x00, 0x00, 0x00, 0x00,
548 0x8b, 0x4c, 0x24, 0x04,
551 0x8b, 0x81, 0x50, 0x01, 0x00, 0x00,
555 0x0f, 0xba, 0xe0, 0x0d,
576 0xb8, 0x00, 0xf8, 0xff, 0xff,
590 0x3d, 0x22, 0x00, 0x00, 0xc0,
604 0xe9, 0xfc, 0xff, 0xff, 0xff,
607 .HypercallOffset = 0x5f,
608 .RelocatedCodeOffset = 0x7f,
614 .ModuleName = u
"ntoskrnl.exe",
615 .FunctionName =
"NtQueueApcThreadEx",
622 .NotCritical =
FALSE,
644 0x8b, 0x4c, 0x24, 0x10,
648 0x8d, 0x44, 0x24, 0x04,
650 0xc7, 0x44, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00,
658 0xff, 0x35, 0x00, 0xf8, 0xff, 0xff,
665 0xb8, 0x00, 0xf8, 0xff, 0xff,
674 0x8b, 0x4c, 0x24, 0x04,
677 0x8b, 0x81, 0x50, 0x01, 0x00, 0x00,
684 0x8b, 0x81, 0x50, 0x01, 0x00, 0x00,
687 0x8b, 0x80, 0x50, 0x01, 0x00, 0x00,
693 0x0f, 0xba, 0xe0, 0x0c,
696 0xb8, 0x00, 0x00, 0x00, 0x00,
702 0x64, 0xa1, 0x24, 0x01, 0x00, 0x00,
711 0x89, 0x44, 0x24, 0x08,
715 0xb8, 0x00, 0xf8, 0xff, 0xff,
720 0x8b, 0x44, 0x24, 0x08,
729 0x3d, 0x22, 0x00, 0x00, 0xc0,
740 0xe9, 0xfc, 0xff, 0xff, 0xff,
742 .HypercallOffset = 0x5e,
743 .RelocatedCodeOffset = 0x84,
749 .ModuleName = u
"ntoskrnl.exe",
750 .FunctionName =
"PspSetContextThreadInternal",
757 .NotCritical =
FALSE,
777 0x8b, 0x4c, 0x24, 0x0c,
779 0x8b, 0x81, 0x80, 0x00, 0x00, 0x00,
785 0x8b, 0x81, 0x50, 0x01, 0x00, 0x00,
788 0x8b, 0x80, 0x70, 0x01, 0x00, 0x00,
792 0x0f, 0xba, 0xe0, 0x0b,
798 0x64, 0xa1, 0x24, 0x01, 0x00, 0x00,
800 0x3b, 0x44, 0x24, 0x0c,
810 0x3d, 0x22, 0x00, 0x00, 0xc0,
825 0xe9, 0x00, 0x00, 0x00, 0x00,
827 .HypercallOffset = 0x32,
828 .RelocatedCodeOffset = 0x45,
835 .ModuleName = u
"ntoskrnl.exe",
836 .FunctionName =
"KiDispatchException",
842 .NotCritical =
FALSE,
858 0x83, 0x7C, 0x24, 0x10, 0x01,
868 0xE9, 0x00, 0x00, 0x00, 0x00
870 .HypercallOffset = 0x07,
871 .RelocatedCodeOffset = 0x0A,
877 .ModuleName = u
"ntoskrnl.exe",
878 .FunctionName =
"MiInsertPrivateVad",
885 .NotCritical =
FALSE,
901 0xF6, 0x47, 0x17, 0x02,
909 0x64, 0x8b, 0x0d, 0x24, 0x01, 0x00, 0x00,
917 0x8B, 0x81, 0x50, 0x01, 0x00, 0x00,
919 0x8b, 0x80, 0x6c, 0x01, 0x00, 0x00,
923 0x0f, 0xba, 0xe0, 0x08,
935 0xE9, 0x00, 0x00, 0x00, 0x00
937 .HypercallOffset = 0x2e,
938 .RelocatedCodeOffset = 0x2f,
952 0x8b, 0x44, 0x24, 0x10,
954 0x8b, 0x80, 0x70, 0x01, 0x00, 0x00,
958 0x0f, 0xba, 0xe0, 0x08,
968 0xe9, 0x00, 0x00, 0x00, 0x00,
970 .HypercallOffset = 0x16,
971 .RelocatedCodeOffset = 0x17,
983 0xF6, 0x41, 0x1C, 0x10,
989 0x8b, 0x44, 0x24, 0x08,
991 0x8b, 0x80, 0x70, 0x01, 0x00, 0x00,
995 0x0f, 0xba, 0xe0, 0x08,
1005 0xe9, 0x00, 0x00, 0x00, 0x00,
1007 .HypercallOffset = 0x1c,
1008 .RelocatedCodeOffset = 0x1d,
1012 .MinVersion = 18362,
1013 .MaxVersion = 18362,
1020 0xF6, 0x41, 0x1d, 0x01,
1027 0x8b, 0x44, 0x24, 0x08,
1029 0x8b, 0x80, 0x7c, 0x01, 0x00, 0x00,
1033 0x0f, 0xba, 0xe0, 0x08,
1043 0xe9, 0x00, 0x00, 0x00, 0x00,
1045 .HypercallOffset = 0x1c,
1046 .RelocatedCodeOffset = 0x1d,
1052 .ModuleName = u
"ntoskrnl.exe",
1053 .FunctionName =
"MiInsertVad",
1054 .MinVersion = 18363,
1060 .NotCritical =
FALSE,
1068 .MinVersion = 18363,
1076 0xF6, 0x41, 0x1D, 0x01,
1083 0x8b, 0x82, 0x7c, 0x01, 0x00, 0x00,
1087 0x0f, 0xba, 0xe0, 0x08,
1097 0xe9, 0x00, 0x00, 0x00, 0x00,
1099 .HypercallOffset = 0x18,
1100 .RelocatedCodeOffset = 0x19,
1106 .ModuleName = u
"ntoskrnl.exe",
1107 .FunctionName =
"MiGetWsAndInsertVad",
1109 .MaxVersion = 18362,
1114 .NotCritical =
FALSE,
1130 0xf6, 0x47, 0x17, 0x02,
1138 0x64, 0x8b, 0x0d, 0x24, 0x01, 0x00, 0x00,
1146 0x8B, 0x81, 0x50, 0x01, 0x00, 0x00,
1148 0x8b, 0x80, 0x6c, 0x01, 0x00, 0x00,
1152 0x0f, 0xba, 0xe0, 0x08,
1164 0xE9, 0x00, 0x00, 0x00, 0x00
1166 .HypercallOffset = 0x2e,
1167 .RelocatedCodeOffset = 0x2f,
1179 0xf6, 0x40, 0x18, 0x10,
1187 0x64, 0x8b, 0x0d, 0x24, 0x01, 0x00, 0x00,
1189 0x8b, 0x81, 0x80, 0x00, 0x00, 0x00,
1195 0x8B, 0x81, 0x50, 0x01, 0x00, 0x00,
1197 0x8b, 0x80, 0x70, 0x01, 0x00, 0x00,
1201 0x0f, 0xba, 0xe0, 0x08,
1213 0xE9, 0x00, 0x00, 0x00, 0x00
1215 .HypercallOffset = 0x31,
1216 .RelocatedCodeOffset = 0x32,
1221 .MaxVersion = 17763,
1228 0xf6, 0x41, 0x1c, 0x10,
1236 0x64, 0x8b, 0x0d, 0x24, 0x01, 0x00, 0x00,
1238 0x8b, 0x81, 0x80, 0x00, 0x00, 0x00,
1244 0x8B, 0x81, 0x50, 0x01, 0x00, 0x00,
1246 0x8b, 0x80, 0x70, 0x01, 0x00, 0x00,
1250 0x0f, 0xba, 0xe0, 0x08,
1262 0xE9, 0x00, 0x00, 0x00, 0x00
1264 .HypercallOffset = 0x31,
1265 .RelocatedCodeOffset = 0x32,
1269 .MinVersion = 18362,
1277 0xf6, 0x41, 0x1d, 0x1,
1285 0x64, 0x8b, 0x0d, 0x24, 0x01, 0x00, 0x00,
1287 0x8b, 0x81, 0x80, 0x00, 0x00, 0x00,
1293 0x8b, 0x81, 0x50, 0x01, 0x00, 0x00,
1295 0x8b, 0x80, 0x7c, 0x01, 0x00, 0x00,
1299 0x0f, 0xba, 0xe0, 0x08,
1311 0xe9, 0x00, 0x00, 0x00, 0x00,
1313 .HypercallOffset = 0x31,
1314 .RelocatedCodeOffset = 0x32,
1320 .ModuleName = u
"ntoskrnl.exe",
1321 .FunctionName =
"MiCommitExistingVad",
1328 .NotCritical =
FALSE,
1345 0xf6, 0x44, 0x24, 0x00, 0xf0,
1354 0x64, 0x8b, 0x0d, 0x00, 0x00, 0x00, 0x00,
1357 0x8b, 0x81, 0x00, 0x00, 0x00, 0x00,
1364 0x8b, 0x81, 0x00, 0x00, 0x00, 0x00,
1367 0x80, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x2a,
1370 0x0f, 0xba, 0xa0, 0x00, 0x00, 0x00, 0x00, 0x08,
1382 0xe9, 0x00, 0x00, 0x00, 0x00
1384 .HypercallOffset = 0x35,
1385 .RelocatedCodeOffset = 0x36,
1391 .ModuleName = u
"ntoskrnl.exe",
1392 .FunctionName =
"MiProtectVirtualMemory",
1399 .NotCritical =
FALSE,
1415 0xF6, 0x44, 0x24, 0x10, 0xF0,
1421 0x8b, 0x44, 0x24, 0x08,
1423 0x8b, 0x80, 0x6c, 0x01, 0x00, 0x00,
1427 0x0f, 0xba, 0xe0, 0x08,
1437 0xe9, 0x00, 0x00, 0x00, 0x00,
1439 .HypercallOffset = 0x1d,
1440 .RelocatedCodeOffset = 0x1e,
1452 0xF6, 0x44, 0x24, 0x0C, 0xF0,
1456 0x80, 0xba, 0x70, 0x01, 0x00, 0x00, 0x2a,
1458 0x0f, 0xba, 0xa2, 0x70, 0x01, 0x00, 0x00, 0x08,
1466 0xe9, 0x00, 0x00, 0x00, 0x00,
1468 .HypercallOffset = 0x1a,
1469 .RelocatedCodeOffset = 0x1b,
1475 .ModuleName = u
"ntoskrnl.exe",
1476 .FunctionName =
"MiDeleteVirtualAddresses",
1478 .MaxVersion = 16299,
1483 .NotCritical =
FALSE,
1503 0x64, 0x8b, 0x0d, 0x24, 0x01, 0x00, 0x00,
1511 0x8B, 0x81, 0x50, 0x01, 0x00, 0x00,
1513 0x8b, 0x80, 0x6c, 0x01, 0x00, 0x00,
1517 0x0f, 0xba, 0xe0, 0x08,
1529 0xE9, 0x00, 0x00, 0x00, 0x00
1531 .HypercallOffset = 0x28,
1532 .RelocatedCodeOffset = 0x29,
1537 .MaxVersion = 16299,
1548 0x64, 0x8b, 0x0d, 0x24, 0x01, 0x00, 0x00,
1550 0x8b, 0x81, 0x80, 0x00, 0x00, 0x00,
1556 0x8B, 0x81, 0x50, 0x01, 0x00, 0x00,
1558 0x8b, 0x80, 0x70, 0x01, 0x00, 0x00,
1562 0x0f, 0xba, 0xe0, 0x08,
1574 0xE9, 0x00, 0x00, 0x00, 0x00
1576 .HypercallOffset = 0x2b,
1577 .RelocatedCodeOffset = 0x2c,
1583 .ModuleName = u
"ntoskrnl.exe",
1584 .FunctionName =
"MiFinishVadDeletion",
1585 .MinVersion = 17134,
1591 .NotCritical =
FALSE,
1599 .MinVersion = 17134,
1611 0x64, 0x8b, 0x0d, 0x24, 0x01, 0x00, 0x00,
1613 0x8b, 0x81, 0x80, 0x00, 0x00, 0x00,
1619 0x8b, 0x81, 0x50, 0x01, 0x00, 0x00,
1621 0x8b, 0x80, 0x7c, 0x01, 0x00, 0x00,
1625 0x0f, 0xba, 0xe0, 0x08,
1637 0xE9, 0x00, 0x00, 0x00, 0x00
1639 .HypercallOffset = 0x2b,
1640 .RelocatedCodeOffset = 0x2c,
1646 .ModuleName = u
"ntoskrnl.exe",
1647 .FunctionName =
"NtSetSystemPowerState",
1653 .NotCritical =
TRUE,
1671 0x66, 0x66, 0x66, 0x66, 0x90,
1677 0xe9, 0x00, 0x00, 0x00, 0x00
1679 .HypercallOffset = 0x0,
1680 .RelocatedCodeOffset = 0xA,
1686 .ModuleName = u
"ntoskrnl.exe",
1687 .FunctionName =
"KiDisplayBlueScreen",
1693 .NotCritical =
TRUE,
1715 0xE9, 0x00, 0x00, 0x00, 0x00
1717 .HypercallOffset = 0x0,
1718 .RelocatedCodeOffset = 0x3,
1724 .ModuleName = u
"ntoskrnl.exe",
1725 .FunctionName =
"MmInSwapProcessHijack",
1731 .NotCritical =
FALSE,
1754 0xE9, 0x00, 0x00, 0x00, 0x00
1756 .HypercallOffset = 0x0,
1757 .RelocatedCodeOffset = 0x3,
1763 .ModuleName = u
"ntoskrnl.exe",
1764 .FunctionName =
"KiOutSwapProcessesHijack",
1771 .NotCritical =
FALSE,
1789 0x8B, 0x87, 0x00, 0x00, 0x00, 0x00,
1791 0x0f, 0xba, 0xe0, 0x07,
1799 0xE9, 0x00, 0x00, 0x00, 0x00
1801 .HypercallOffset = 0x0D,
1802 .RelocatedCodeOffset = 0x0F,
1819 .ModuleName = u
"ntoskrnl.exe",
1820 .FunctionName =
"ExAllocatePoolWithTag",
1826 .NotCritical =
FALSE,
1842 0x41, 0x81, 0xF8, 0x44, 0x72, 0x69, 0xF6,
1846 0x41, 0x81, 0xF8, 0x44, 0x72, 0x69, 0x76,
1850 0x41, 0x81, 0xF8, 0x46, 0x4D, 0x66, 0x69,
1854 0x41, 0x81, 0xF8, 0x54, 0x6f, 0x6b, 0x65,
1858 0x41, 0x81, 0xF8, 0x54, 0x6f, 0x6b, 0xe5,
1870 0xE9, 0x00, 0x00, 0x00, 0x00,
1872 .HypercallOffset = 0x2F,
1873 .RelocatedCodeOffset = 0x32,
1879 .ModuleName = u
"ntoskrnl.exe",
1880 .FunctionName =
"ExFreePoolWithTag",
1886 .NotCritical =
FALSE,
1902 0x81, 0xFA, 0x44, 0x72, 0x69, 0xF6,
1906 0x81, 0xFA, 0x44, 0x72, 0x69, 0x76,
1910 0x81, 0xFA, 0x46, 0x4D, 0x66, 0x69,
1922 0xE9, 0x00, 0x00, 0x00, 0x00,
1924 .HypercallOffset = 0x1A,
1925 .RelocatedCodeOffset = 0x1D,
1931 .ModuleName = u
"ntoskrnl.exe",
1932 .FunctionName =
"KeBugCheckEx",
1938 .NotCritical =
FALSE,
1960 0xE9, 0x00, 0x00, 0x00, 0x00
1962 .HypercallOffset = 0x0,
1963 .RelocatedCodeOffset = 0x3,
1969 .ModuleName = u
"ntoskrnl.exe",
1970 .FunctionName =
"NtSetInformationProcess",
1977 .NotCritical =
FALSE,
1995 0x0f, 0x85, 0xaf, 0x00, 0x00, 0x00,
2012 0x48, 0x83, 0xec, 0x10,
2014 0xba, 0x00, 0x00, 0x00, 0x00,
2017 0x48, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf0, 0xff, 0xff,
2021 0x49, 0xc7, 0xc1, 0x01, 0x00, 0x00, 0x00,
2023 0x48, 0x8d, 0x44, 0x24, 0x08,
2030 0x48, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf0, 0xff, 0xff,
2032 0x48, 0x83, 0xec, 0x20,
2036 0x48, 0x83, 0xc4, 0x30,
2040 0xb8, 0x00, 0x00, 0x00, 0x00,
2044 0x48, 0x8b, 0x4c, 0x24, 0x08,
2047 0x48, 0x8b, 0x81, 0x50, 0x01, 0x00, 0x00,
2051 0x48, 0x0f, 0xba, 0xe0, 0x0d,
2057 0x48, 0x8b, 0x54, 0x24, 0x30,
2059 0x4c, 0x8b, 0x44, 0x24, 0x28,
2071 0x48, 0x8b, 0x4c, 0x24, 0x08,
2073 0x48, 0x89, 0x44, 0x24, 0x08,
2076 0x48, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf0, 0xff, 0xff,
2078 0x48, 0x83, 0xec, 0x20,
2082 0x48, 0x83, 0xc4, 0x20,
2084 0x48, 0x8b, 0x44, 0x24, 0x08,
2088 0x48, 0x83, 0xc4, 0x10,
2102 0x3d, 0x22, 0x00, 0x00, 0xc0,
2106 0x48, 0x83, 0xc4, 0x08,
2116 0xe9, 0x00, 0x00, 0x00, 0x00,
2119 .HypercallOffset = 0x77,
2120 .RelocatedCodeOffset = 0xb8,
2126 .ModuleName = u
"ntoskrnl.exe",
2127 .FunctionName =
"MiProcessLoaderEntry",
2133 .NotCritical =
FALSE,
2155 0xE9, 0x00, 0x00, 0x00, 0x00
2157 .HypercallOffset = 0x0,
2158 .RelocatedCodeOffset = 0x3,
2164 .ModuleName = u
"ntoskrnl.exe",
2165 .FunctionName =
"MiUnloadSystemImage",
2171 .NotCritical =
FALSE,
2188 0x66, 0x83, 0x79, 0x6C, 0x01,
2198 0xE9, 0x00, 0x00, 0x00, 0x00,
2200 .HypercallOffset = 0x07,
2201 .RelocatedCodeOffset = 0x0A,
2207 .ModuleName = u
"ntoskrnl.exe",
2208 .FunctionName =
"PspInsertProcess",
2214 .NotCritical =
FALSE,
2236 0xB8, 0x22, 0x00, 0x00, 0xC0,
2241 0xE9, 0x00, 0x00, 0x00, 0x00,
2243 .HypercallOffset = 0x00,
2244 .RelocatedCodeOffset = 0x09,
2250 .ModuleName = u
"ntoskrnl.exe",
2251 .FunctionName =
"MmCleanProcessAddressSpace",
2257 .NotCritical =
FALSE,
2279 0xE9, 0x00, 0x00, 0x00, 0x00
2281 .HypercallOffset = 0x0,
2282 .RelocatedCodeOffset = 0x3,
2288 .ModuleName = u
"ntoskrnl.exe",
2289 .FunctionName =
"MmCopyVirtualMemory",
2296 .NotCritical =
FALSE,
2323 0x49, 0x3b, 0x80, 0x00, 0x00, 0x00, 0x00,
2328 0x41, 0x80, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x2a,
2332 0x41, 0x0f, 0xba, 0xa0, 0x00, 0x00, 0x00, 0x00, 0x09,
2339 0x80, 0xb9, 0x00, 0x00, 0x00, 0x00, 0x2a,
2343 0x0f, 0xba, 0xa1, 0x00, 0x00, 0x00, 0x00, 0x0a,
2354 0x3d, 0x22, 0x00, 0x00, 0xc0,
2358 0x48, 0x83, 0xc4, 0x10,
2368 0xe9, 0x00, 0x00, 0x00, 0x00,
2370 .HypercallOffset = 0x3d,
2371 .RelocatedCodeOffset = 0x4e,
2377 .ModuleName = u
"ntoskrnl.exe",
2378 .FunctionName =
"NtQueueApcThreadEx",
2385 .NotCritical =
FALSE,
2415 0x48, 0x83, 0xec, 0x20,
2417 0x48, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff,
2424 0xba, 0x10, 0x00, 0x00, 0x00,
2426 0x48, 0x8d, 0x44, 0x24, 0x08,
2428 0x48, 0xc7, 0x44, 0x24, 0x08, 0x00, 0x00, 0x00, 0x00,
2434 0x48, 0x83, 0xec, 0x20,
2436 0x48, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff,
2441 0x48, 0x83, 0xc4, 0x30,
2447 0x48, 0x8b, 0x4c, 0x24, 0x08,
2450 0x4c, 0x8b, 0x4c, 0x24, 0x30,
2452 0x4c, 0x8b, 0x44, 0x24, 0x38,
2454 0x48, 0x8b, 0x81, 0x50, 0x01, 0x00, 0x00,
2461 0x48, 0x8b, 0x81, 0x50, 0x01, 0x00, 0x00,
2465 0x48, 0x8b, 0x80, 0x50, 0x01, 0x00, 0x00,
2471 0x48, 0x0f, 0xba, 0xe0, 0x0c,
2474 0x48, 0xc7, 0xc0, 0x00, 0x00, 0x00, 0x00,
2480 0x65, 0x48, 0x8b, 0x04, 0x25, 0x88, 0x01, 0x00, 0x00,
2489 0x48, 0x89, 0x44, 0x24, 0x10,
2491 0x48, 0x8b, 0x4c, 0x24, 0x08,
2493 0x48, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff,
2498 0x48, 0x8b, 0x44, 0x24, 0x10,
2501 0x48, 0x83, 0xc4, 0x20,
2515 0x3d, 0x22, 0x00, 0x00, 0xc0,
2519 0x48, 0x83, 0xc4, 0x08,
2526 0xe9, 0x00, 0x00, 0x00, 0x00,
2528 .HypercallOffset = 0x91,
2529 .RelocatedCodeOffset = 0xca,
2535 .ModuleName = u
"ntoskrnl.exe",
2536 .FunctionName =
"PspSetContextThreadInternal",
2543 .NotCritical =
FALSE,
2561 0x48, 0x8b, 0x81, 0x50, 0x01, 0x00, 0x00,
2568 0x48, 0x8b, 0x81, 0x50, 0x01, 0x00, 0x00,
2572 0x48, 0x8b, 0x80, 0x50, 0x01, 0x00, 0x00,
2578 0x48, 0x0f, 0xba, 0xe0, 0x0b,
2585 0x65, 0x48, 0x8b, 0x04, 0x25, 0x88, 0x01, 0x00, 0x00,
2597 0x3d, 0x22, 0x00, 0x00, 0xc0,
2601 0x48, 0x83, 0xc4, 0x08,
2608 0xe9, 0x00, 0x00, 0x00, 0x00,
2610 .HypercallOffset = 0x34,
2611 .RelocatedCodeOffset = 0x44,
2621 .ModuleName = u
"ntoskrnl.exe",
2622 .FunctionName =
"PspWow64SetContextThread",
2629 .NotCritical =
FALSE,
2647 0x48, 0x8b, 0x81, 0x50, 0x01, 0x00, 0x00,
2654 0x48, 0x8b, 0x81, 0x50, 0x01, 0x00, 0x00,
2658 0x48, 0x8b, 0x80, 0x50, 0x01, 0x00, 0x00,
2663 0x48, 0x0f, 0xba, 0xe0, 0x0b,
2670 0x65, 0x48, 0x8b, 0x04, 0x25, 0x88, 0x01, 0x00, 0x00,
2682 0x3d, 0x22, 0x00, 0x00, 0xc0,
2686 0x48, 0x83, 0xc4, 0x08,
2693 0xe9, 0x00, 0x00, 0x00, 0x00,
2695 .HypercallOffset = 0x34,
2696 .RelocatedCodeOffset = 0x44,
2702 .ModuleName = u
"ntoskrnl.exe",
2703 .FunctionName =
"KiDispatchException",
2709 .NotCritical =
FALSE,
2725 0x41, 0x83, 0xf9, 0x00,
2735 0xE9, 0x00, 0x00, 0x00, 0x00
2737 .HypercallOffset = 0x06,
2738 .RelocatedCodeOffset = 0x09,
2744 .ModuleName = u
"ntoskrnl.exe",
2745 .FunctionName =
"MiInsertVad",
2746 .MinVersion = 10240,
2752 .NotCritical =
FALSE,
2760 .MinVersion = 10240,
2761 .MaxVersion = 17763,
2768 0xF6, 0x41, 0x30, 0x10,
2772 0x80, 0xBA, 0x48, 0x04, 0x00, 0x00, 0x2A,
2774 0x0f, 0xba, 0xa2, 0x48, 0x04, 0x00, 0x00, 0x08,
2782 0xE9, 0x00, 0x00, 0x00, 0x00,
2784 .HypercallOffset = 0x19,
2785 .RelocatedCodeOffset = 0x1a,
2789 .MinVersion = 18362,
2797 0xF6, 0x41, 0x31, 0x01,
2801 0x80, 0xBA, 0x48, 0x04, 0x00, 0x00, 0x2A,
2803 0x0f, 0xba, 0xa2, 0x48, 0x04, 0x00, 0x00, 0x08,
2811 0xE9, 0x00, 0x00, 0x00, 0x00,
2813 .HypercallOffset = 0x19,
2814 .RelocatedCodeOffset = 0x1a,
2821 .ModuleName = u
"ntoskrnl.exe",
2822 .FunctionName =
"MiInsertPrivateVad",
2829 .NotCritical =
FALSE,
2845 0xF6, 0x41, 0x2F, 0x02,
2853 0x65, 0x48, 0x8B, 0x0C, 0x25, 0x88, 0x01, 0x00, 0x00,
2855 0x48, 0x8B, 0x81, 0x70, 0x00, 0x00, 0x00,
2861 0x48, 0x8B, 0x81, 0x10, 0x02, 0x00, 0x00,
2863 0x80, 0xB8, 0xE0, 0x02, 0x00, 0x00, 0x2A,
2865 0x0f, 0xba, 0xa0, 0xe0, 0x02, 0x00, 0x00, 0x08,
2877 0xE9, 0x00, 0x00, 0x00, 0x00
2879 .HypercallOffset = 0x38,
2880 .RelocatedCodeOffset = 0x39,
2892 0xF6, 0x41, 0x28, 0x10,
2900 0x65, 0x48, 0x8B, 0x0C, 0x25, 0x88, 0x01, 0x00, 0x00,
2902 0x48, 0x8B, 0x81, 0xB8, 0x00, 0x00, 0x00,
2908 0x48, 0x8B, 0x81, 0x20, 0x02, 0x00, 0x00,
2910 0x80, 0xB8, 0x38, 0x04, 0x00, 0x00, 0x2A,
2912 0x0f, 0xba, 0xa0, 0x38, 0x04, 0x00, 0x00, 0x08,
2924 0xE9, 0x00, 0x00, 0x00, 0x00
2926 .HypercallOffset = 0x38,
2927 .RelocatedCodeOffset = 0x39,
2939 0xF6, 0x41, 0x30, 0x10,
2943 0x41, 0x80, 0xB8, 0x38, 0x04, 0x00, 0x00, 0x2A,
2945 0x41, 0x0f, 0xba, 0xa0, 0x38, 0x04, 0x00, 0x00, 0x08,
2953 0xE9, 0x00, 0x00, 0x00, 0x00,
2955 .HypercallOffset = 0x1b,
2956 .RelocatedCodeOffset = 0x1c,
2962 .ModuleName = u
"ntoskrnl.exe",
2963 .FunctionName =
"MiInsertPrivateVad",
2964 .MinVersion = 17763,
2965 .MaxVersion = 18362,
2970 .NotCritical =
FALSE,
2978 .MinVersion = 17763,
2979 .MaxVersion = 17763,
2986 0xF6, 0x41, 0x30, 0x10,
2994 0x65, 0x48, 0x8B, 0x0C, 0x25, 0x88, 0x01, 0x00, 0x00,
2996 0x48, 0x8B, 0x81, 0xB8, 0x00, 0x00, 0x00,
3002 0x48, 0x8B, 0x81, 0x20, 0x02, 0x00, 0x00,
3004 0x80, 0xB8, 0x50, 0x04, 0x00, 0x00, 0x2A,
3006 0x0f, 0xba, 0xa0, 0x50, 0x04, 0x00, 0x00, 0x08,
3018 0xE9, 0x00, 0x00, 0x00, 0x00
3020 .HypercallOffset = 0x38,
3021 .RelocatedCodeOffset = 0x39,
3025 .MinVersion = 18362,
3026 .MaxVersion = 18362,
3033 0xf6, 0x41, 0x31, 0x01,
3041 0x65, 0x48, 0x8B, 0x0C, 0x25, 0x88, 0x01, 0x00, 0x00,
3043 0x48, 0x8B, 0x81, 0xB8, 0x00, 0x00, 0x00,
3049 0x48, 0x8B, 0x81, 0x20, 0x02, 0x00, 0x00,
3051 0x80, 0xB8, 0x50, 0x04, 0x00, 0x00, 0x2A,
3053 0x0f, 0xba, 0xa0, 0x50, 0x04, 0x00, 0x00, 0x08,
3065 0xE9, 0x00, 0x00, 0x00, 0x00
3067 .HypercallOffset = 0x38,
3068 .RelocatedCodeOffset = 0x39,
3074 .ModuleName = u
"ntoskrnl.exe",
3075 .FunctionName =
"MiGetWsAndInsertVad",
3082 .NotCritical =
FALSE,
3098 0xF6, 0x41, 0x2F, 0x02,
3106 0x65, 0x48, 0x8B, 0x0C, 0x25, 0x88, 0x01, 0x00, 0x00,
3108 0x48, 0x8B, 0x81, 0x70, 0x00, 0x00, 0x00,
3114 0x48, 0x8B, 0x81, 0x10, 0x02, 0x00, 0x00,
3116 0x80, 0xB8, 0xE0, 0x02, 0x00, 0x00, 0x2A,
3118 0x0f, 0xba, 0xa0, 0xe0, 0x02, 0x00, 0x00, 0x08,
3130 0xE9, 0x00, 0x00, 0x00, 0x00
3132 .HypercallOffset = 0x38,
3133 .RelocatedCodeOffset = 0x39,
3145 0xF6, 0x41, 0x28, 0x10,
3153 0x65, 0x48, 0x8B, 0x0C, 0x25, 0x88, 0x01, 0x00, 0x00,
3155 0x48, 0x8B, 0x81, 0xB8, 0x00, 0x00, 0x00,
3161 0x48, 0x8B, 0x81, 0x20, 0x02, 0x00, 0x00,
3163 0x80, 0xB8, 0x38, 0x04, 0x00, 0x00, 0x2A,
3165 0x0f, 0xba, 0xa0, 0x38, 0x04, 0x00, 0x00, 0x08,
3177 0xE9, 0x00, 0x00, 0x00, 0x00
3179 .HypercallOffset = 0x38,
3180 .RelocatedCodeOffset = 0x39,
3192 0xF6, 0x41, 0x30, 0x10,
3200 0x65, 0x48, 0x8B, 0x0C, 0x25, 0x88, 0x01, 0x00, 0x00,
3202 0x48, 0x8B, 0x81, 0xB8, 0x00, 0x00, 0x00,
3208 0x48, 0x8B, 0x81, 0x20, 0x02, 0x00, 0x00,
3210 0x80, 0xB8, 0x38, 0x04, 0x00, 0x00, 0x2A,
3212 0x0f, 0xba, 0xa0, 0x38, 0x04, 0x00, 0x00, 0x08,
3224 0xE9, 0x00, 0x00, 0x00, 0x00
3226 .HypercallOffset = 0x38,
3227 .RelocatedCodeOffset = 0x39,
3233 .ModuleName = u
"ntoskrnl.exe",
3234 .FunctionName =
"MiGetWsAndInsertVad",
3235 .MinVersion = 17763,
3236 .MaxVersion = 18362,
3241 .NotCritical =
FALSE,
3249 .MinVersion = 17763,
3250 .MaxVersion = 17763,
3257 0xF6, 0x41, 0x30, 0x10,
3265 0x65, 0x48, 0x8B, 0x0C, 0x25, 0x88, 0x01, 0x00, 0x00,
3267 0x48, 0x8B, 0x81, 0xB8, 0x00, 0x00, 0x00,
3273 0x48, 0x8B, 0x81, 0x20, 0x02, 0x00, 0x00,
3275 0x80, 0xB8, 0x50, 0x04, 0x00, 0x00, 0x2A,
3277 0x0f, 0xba, 0xa0, 0x50, 0x04, 0x00, 0x00, 0x08,
3289 0xE9, 0x00, 0x00, 0x00, 0x00
3291 .HypercallOffset = 0x38,
3292 .RelocatedCodeOffset = 0x39,
3295 .MinVersion = 18362,
3296 .MaxVersion = 18362,
3303 0xf6, 0x41, 0x31, 0x01,
3311 0x65, 0x48, 0x8B, 0x0C, 0x25, 0x88, 0x01, 0x00, 0x00,
3313 0x48, 0x8B, 0x81, 0xB8, 0x00, 0x00, 0x00,
3319 0x48, 0x8B, 0x81, 0x20, 0x02, 0x00, 0x00,
3321 0x80, 0xB8, 0x50, 0x04, 0x00, 0x00, 0x2A,
3323 0x0f, 0xba, 0xa0, 0x50, 0x04, 0x00, 0x00, 0x08,
3335 0xE9, 0x00, 0x00, 0x00, 0x00
3337 .HypercallOffset = 0x38,
3338 .RelocatedCodeOffset = 0x39,
3344 .ModuleName = u
"ntoskrnl.exe",
3345 .FunctionName =
"MiCommitExistingVad",
3352 .NotCritical =
FALSE,
3369 0x41, 0xf6, 0xc1, 0xf0,
3379 0x65, 0x48, 0x8b, 0x0c, 0x25, 0x00, 0x00, 0x00, 0x00,
3382 0x48, 0x8b, 0x81, 0x00, 0x00, 0x00, 0x00,
3389 0x48, 0x8b, 0x81, 0x00, 0x00, 0x00, 0x00,
3392 0x80, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x2a,
3395 0x0f, 0xba, 0xa0, 0x00, 0x00, 0x00, 0x00, 0x08,
3407 0xe9, 0x00, 0x00, 0x00, 0x00
3409 .HypercallOffset = 0x38,
3410 .RelocatedCodeOffset = 0x39,
3416 .ModuleName = u
"ntoskrnl.exe",
3417 .FunctionName =
"MiProtectVirtualMemory",
3424 .NotCritical =
FALSE,
3440 0x41, 0xF6, 0xC1, 0xF0,
3444 0x80, 0xB9, 0xe0, 0x02, 0x00, 0x00, 0x2A,
3446 0x0f, 0xba, 0xa1, 0xe0, 0x02, 0x00, 0x00, 0x08,
3454 0xE9, 0x00, 0x00, 0x00, 0x00,
3456 .HypercallOffset = 0x19,
3457 .RelocatedCodeOffset = 0x1a,
3469 0xF6, 0x44, 0x24, 0x28, 0xF0,
3473 0x80, 0xBA, 0x38, 0x04, 0x00, 0x00, 0x2A,
3475 0x0f, 0xba, 0xa2, 0x38, 0x04, 0x00, 0x00, 0x08,
3483 0xE9, 0x00, 0x00, 0x00, 0x00,
3485 .HypercallOffset = 0x1a,
3486 .RelocatedCodeOffset = 0x1b,
3492 .ModuleName = u
"ntoskrnl.exe",
3493 .FunctionName =
"MiDeleteVirtualAddresses",
3495 .MaxVersion = 16299,
3500 .NotCritical =
FALSE,
3520 0x65, 0x48, 0x8B, 0x0C, 0x25, 0x88, 0x01, 0x00, 0x00,
3522 0x48, 0x8B, 0x81, 0x70, 0x00, 0x00, 0x00,
3528 0x48, 0x8B, 0x81, 0x10, 0x02, 0x00, 0x00,
3530 0x80, 0xB8, 0xE0, 0x02, 0x00, 0x00, 0x2A,
3532 0x0f, 0xba, 0xa0, 0xe0, 0x02, 0x00, 0x00, 0x08,
3544 0xE9, 0x00, 0x00, 0x00, 0x00
3546 .HypercallOffset = 0x32,
3547 .RelocatedCodeOffset = 0x33,
3563 0x65, 0x48, 0x8B, 0x0C, 0x25, 0x88, 0x01, 0x00, 0x00,
3565 0x48, 0x8B, 0x81, 0xB8, 0x00, 0x00, 0x00,
3571 0x48, 0x8B, 0x81, 0x20, 0x02, 0x00, 0x00,
3573 0x80, 0xB8, 0x38, 0x04, 0x00, 0x00, 0x2A,
3575 0x0f, 0xba, 0xa0, 0x38, 0x04, 0x00, 0x00, 0x08,
3587 0xE9, 0x00, 0x00, 0x00, 0x00
3589 .HypercallOffset = 0x32,
3590 .RelocatedCodeOffset = 0x33,
3594 .MinVersion = 10240,
3595 .MaxVersion = 10240,
3606 0x65, 0x48, 0x8B, 0x0C, 0x25, 0x88, 0x01, 0x00, 0x00,
3608 0x48, 0x8B, 0x81, 0xB8, 0x00, 0x00, 0x00,
3614 0x48, 0x8B, 0x81, 0x20, 0x02, 0x00, 0x00,
3616 0x80, 0xB8, 0x48, 0x04, 0x00, 0x00, 0x2A,
3618 0x0f, 0xba, 0xa0, 0x48, 0x04, 0x00, 0x00, 0x08,
3630 0xE9, 0x00, 0x00, 0x00, 0x00
3632 .HypercallOffset = 0x32,
3633 .RelocatedCodeOffset = 0x33,
3637 .MinVersion = 10586,
3638 .MaxVersion = 16299,
3649 0x65, 0x48, 0x8B, 0x0C, 0x25, 0x88, 0x01, 0x00, 0x00,
3651 0x48, 0x8B, 0x81, 0xB8, 0x00, 0x00, 0x00,
3657 0x48, 0x8B, 0x81, 0x20, 0x02, 0x00, 0x00,
3659 0x80, 0xB8, 0x50, 0x04, 0x00, 0x00, 0x2A,
3661 0x0f, 0xba, 0xa0, 0x50, 0x04, 0x00, 0x00, 0x08,
3673 0xE9, 0x00, 0x00, 0x00, 0x00
3675 .HypercallOffset = 0x32,
3676 .RelocatedCodeOffset = 0x33,
3682 .ModuleName = u
"ntoskrnl.exe",
3683 .FunctionName =
"MiFinishVadDeletion",
3684 .MinVersion = 17134,
3690 .NotCritical =
FALSE,
3698 .MinVersion = 17134,
3699 .MaxVersion = 17763,
3706 0xF6, 0x41, 0x30, 0x10,
3714 0x65, 0x48, 0x8B, 0x0C, 0x25, 0x88, 0x01, 0x00, 0x00,
3716 0x48, 0x8B, 0x81, 0xB8, 0x00, 0x00, 0x00,
3722 0x48, 0x8B, 0x81, 0x20, 0x02, 0x00, 0x00,
3724 0x80, 0xB8, 0x50, 0x04, 0x00, 0x00, 0x2A,
3726 0x0f, 0xba, 0xa0, 0x50, 0x04, 0x00, 0x00, 0x08,
3738 0xE9, 0x00, 0x00, 0x00, 0x00
3740 .HypercallOffset = 0x38,
3741 .RelocatedCodeOffset = 0x39,
3745 .MinVersion = 18362,
3753 0xf6, 0x41, 0x31, 0x01,
3761 0x65, 0x48, 0x8B, 0x0C, 0x25, 0x88, 0x01, 0x00, 0x00,
3763 0x48, 0x8B, 0x81, 0xB8, 0x00, 0x00, 0x00,
3769 0x48, 0x8B, 0x81, 0x20, 0x02, 0x00, 0x00,
3771 0x80, 0xB8, 0x50, 0x04, 0x00, 0x00, 0x2A,
3773 0x0f, 0xba, 0xa0, 0x50, 0x04, 0x00, 0x00, 0x08,
3785 0xE9, 0x00, 0x00, 0x00, 0x00
3787 .HypercallOffset = 0x38,
3788 .RelocatedCodeOffset = 0x39,
3794 .ModuleName = u
"ntoskrnl.exe",
3795 .FunctionName =
"NtSetSystemPowerState",
3801 .NotCritical =
TRUE,
3819 0x66, 0x66, 0x66, 0x66, 0x90,
3825 0xe9, 0x00, 0x00, 0x00, 0x00
3827 .HypercallOffset = 0x0,
3828 .RelocatedCodeOffset = 0xA,
3829 .PublicDataOffsets = {
3831 .PublicDataName =
"5bytenop",
3832 .PublicDataOffset = 0x1,
3833 .PublicDataSize = 0x5
3836 .PublicDataName =
"spinwait",
3837 .PublicDataOffset = 0x6,
3838 .PublicDataSize = 0x4
3841 .NrPublicDataOffsets = 2,
3855 .ModuleName = u
"ntoskrnl.exe",
3856 .FunctionName =
"RtlpVirtualUnwind1",
3862 .NotCritical =
TRUE,
3882 0x81, 0xF9, 0x00, 0x00, 0x00, 0x00,
3888 0x81, 0xF9, 0x00, 0x00, 0x00, 0x00,
3894 0x81, 0xF9, 0x00, 0x00, 0x00, 0x00,
3900 0x81, 0xF9, 0x00, 0x00, 0x00, 0x00,
3906 0x81, 0xF9, 0x00, 0x00, 0x00, 0x00,
3912 0x81, 0xF9, 0x00, 0x00, 0x00, 0x00,
3918 0x81, 0xF9, 0x00, 0x00, 0x00, 0x00,
3924 0x81, 0xF9, 0x00, 0x00, 0x00, 0x00,
3930 0x81, 0xF9, 0x00, 0x00, 0x00, 0x00,
3936 0x81, 0xF9, 0x00, 0x00, 0x00, 0x00,
3942 0x81, 0xF9, 0x00, 0x00, 0x00, 0x00,
3948 0x81, 0xF9, 0x00, 0x00, 0x00, 0x00,
3958 0xE9, 0x00, 0x00, 0x00, 0x00
3960 .HypercallOffset = 0xFF,
3961 .RelocatedCodeOffset = 0x7C,
3967 .ModuleName = u
"ntoskrnl.exe",
3968 .FunctionName =
"RtlpVirtualUnwind2",
3974 .NotCritical =
TRUE,
3994 0x81, 0xF9, 0x00, 0x00, 0x00, 0x00,
4000 0x81, 0xF9, 0x00, 0x00, 0x00, 0x00,
4006 0x81, 0xF9, 0x00, 0x00, 0x00, 0x00,
4012 0x81, 0xF9, 0x00, 0x00, 0x00, 0x00,
4018 0x81, 0xF9, 0x00, 0x00, 0x00, 0x00,
4024 0x81, 0xF9, 0x00, 0x00, 0x00, 0x00,
4030 0x81, 0xF9, 0x00, 0x00, 0x00, 0x00,
4036 0x81, 0xF9, 0x00, 0x00, 0x00, 0x00,
4042 0x81, 0xF9, 0x00, 0x00, 0x00, 0x00,
4048 0x81, 0xF9, 0x00, 0x00, 0x00, 0x00,
4054 0x81, 0xF9, 0x00, 0x00, 0x00, 0x00,
4060 0x81, 0xF9, 0x00, 0x00, 0x00, 0x00,
4069 0xE9, 0x00, 0x00, 0x00, 0x00
4071 .HypercallOffset = 0xFF,
4072 .RelocatedCodeOffset = 0x7C,
4078 .ModuleName = u
"ntoskrnl.exe",
4079 .FunctionName =
"RtlpVirtualUnwind3",
4085 .NotCritical =
TRUE,
4105 0x81, 0xF9, 0x00, 0x00, 0x00, 0x00,
4111 0x81, 0xF9, 0x00, 0x00, 0x00, 0x00,
4117 0x81, 0xF9, 0x00, 0x00, 0x00, 0x00,
4123 0x81, 0xF9, 0x00, 0x00, 0x00, 0x00,
4129 0x81, 0xF9, 0x00, 0x00, 0x00, 0x00,
4135 0x81, 0xF9, 0x00, 0x00, 0x00, 0x00,
4141 0x81, 0xF9, 0x00, 0x00, 0x00, 0x00,
4147 0x81, 0xF9, 0x00, 0x00, 0x00, 0x00,
4153 0x81, 0xF9, 0x00, 0x00, 0x00, 0x00,
4159 0x81, 0xF9, 0x00, 0x00, 0x00, 0x00,
4165 0x81, 0xF9, 0x00, 0x00, 0x00, 0x00,
4171 0x81, 0xF9, 0x00, 0x00, 0x00, 0x00,
4180 0xE9, 0x00, 0x00, 0x00, 0x00
4182 .HypercallOffset = 0xFF,
4183 .RelocatedCodeOffset = 0x7C,
4189 .ModuleName = u
"ntoskrnl.exe",
4190 .FunctionName =
"RtlpVirtualUnwind4",
4196 .NotCritical =
TRUE,
4216 0x81, 0xFD, 0x00, 0x00, 0x00, 0x00,
4222 0x81, 0xFD, 0x00, 0x00, 0x00, 0x00,
4228 0x81, 0xFD, 0x00, 0x00, 0x00, 0x00,
4234 0x81, 0xFD, 0x00, 0x00, 0x00, 0x00,
4240 0x81, 0xFD, 0x00, 0x00, 0x00, 0x00,
4246 0x81, 0xFD, 0x00, 0x00, 0x00, 0x00,
4252 0x81, 0xFD, 0x00, 0x00, 0x00, 0x00,
4258 0x81, 0xFD, 0x00, 0x00, 0x00, 0x00,
4264 0x81, 0xFD, 0x00, 0x00, 0x00, 0x00,
4270 0x81, 0xFD, 0x00, 0x00, 0x00, 0x00,
4276 0x81, 0xFD, 0x00, 0x00, 0x00, 0x00,
4282 0x81, 0xFD, 0x00, 0x00, 0x00, 0x00,
4291 0xE9, 0x00, 0x00, 0x00, 0x00
4293 .HypercallOffset = 0xFF,
4294 .RelocatedCodeOffset = 0x7C,
4300 .ModuleName = u
"ntoskrnl.exe",
4301 .FunctionName =
"RtlpVirtualUnwind5",
4307 .NotCritical =
TRUE,
4327 0x81, 0xFD, 0xBD, 0xBD, 0xBD, 0xBD,
4341 0x81, 0xFD, 0xBD, 0xBD, 0xBD, 0xBD,
4355 0x81, 0xFD, 0xBD, 0xBD, 0xBD, 0xBD,
4369 0x81, 0xFD, 0xBD, 0xBD, 0xBD, 0xBD,
4383 0x81, 0xFD, 0xBD, 0xBD, 0xBD, 0xBD,
4397 0x81, 0xFD, 0xBD, 0xBD, 0xBD, 0xBD,
4411 0x81, 0xFD, 0xBD, 0xBD, 0xBD, 0xBD,
4425 0x81, 0xFD, 0xBD, 0xBD, 0xBD, 0xBD,
4444 0xE9, 0x00, 0x00, 0x00, 0x00
4446 .HypercallOffset = 0xFF,
4447 .RelocatedCodeOffset = 0x84,
4453 .ModuleName = u
"ntoskrnl.exe",
4454 .FunctionName =
"RtlpVirtualUnwind6",
4460 .NotCritical =
TRUE,
4480 0x81, 0xFD, 0x00, 0x00, 0x00, 0x00,
4486 0x81, 0xFD, 0x00, 0x00, 0x00, 0x00,
4492 0x81, 0xFD, 0x00, 0x00, 0x00, 0x00,
4498 0x81, 0xFD, 0x00, 0x00, 0x00, 0x00,
4504 0x81, 0xFD, 0x00, 0x00, 0x00, 0x00,
4510 0x81, 0xFD, 0x00, 0x00, 0x00, 0x00,
4516 0x81, 0xFD, 0x00, 0x00, 0x00, 0x00,
4522 0x81, 0xFD, 0x00, 0x00, 0x00, 0x00,
4528 0x81, 0xFD, 0x00, 0x00, 0x00, 0x00,
4534 0x81, 0xFD, 0x00, 0x00, 0x00, 0x00,
4540 0x81, 0xFD, 0x00, 0x00, 0x00, 0x00,
4546 0x81, 0xFD, 0x00, 0x00, 0x00, 0x00,
4555 0xE9, 0x00, 0x00, 0x00, 0x00
4557 .HypercallOffset = 0xFF,
4558 .RelocatedCodeOffset = 0x7C,
4564 .ModuleName = u
"ntoskrnl.exe",
4565 .FunctionName =
"RtlpVirtualUnwind7",
4571 .NotCritical =
TRUE,
4591 0x81, 0xFD, 0xBD, 0xBD, 0xBD, 0xBD,
4605 0x81, 0xFD, 0xBD, 0xBD, 0xBD, 0xBD,
4619 0x81, 0xFD, 0xBD, 0xBD, 0xBD, 0xBD,
4633 0x81, 0xFD, 0xBD, 0xBD, 0xBD, 0xBD,
4647 0x81, 0xFD, 0xBD, 0xBD, 0xBD, 0xBD,
4661 0x81, 0xFD, 0xBD, 0xBD, 0xBD, 0xBD,
4675 0x81, 0xFD, 0xBD, 0xBD, 0xBD, 0xBD,
4689 0x81, 0xFD, 0xBD, 0xBD, 0xBD, 0xBD,
4708 0xE9, 0x00, 0x00, 0x00, 0x00
4710 .HypercallOffset = 0xFF,
4711 .RelocatedCodeOffset = 0x84,
4717 .ModuleName = u
"ntoskrnl.exe",
4718 .FunctionName =
"RtlpVirtualUnwind8",
4724 .NotCritical =
TRUE,
4744 0x81, 0xF9, 0xBD, 0xBD, 0xBD, 0xBD,
4758 0x81, 0xF9, 0xBD, 0xBD, 0xBD, 0xBD,
4772 0x81, 0xF9, 0xBD, 0xBD, 0xBD, 0xBD,
4786 0x81, 0xF9, 0xBD, 0xBD, 0xBD, 0xBD,
4800 0x81, 0xF9, 0xBD, 0xBD, 0xBD, 0xBD,
4814 0x81, 0xF9, 0xBD, 0xBD, 0xBD, 0xBD,
4828 0x81, 0xF9, 0xBD, 0xBD, 0xBD, 0xBD,
4842 0x81, 0xF9, 0xBD, 0xBD, 0xBD, 0xBD,
4861 0xE9, 0x00, 0x00, 0x00, 0x00
4863 .HypercallOffset = 0xFF,
4864 .RelocatedCodeOffset = 0x84,
4870 .ModuleName = u
"ntoskrnl.exe",
4871 .FunctionName =
"KiDisplayBlueScreen",
4877 .NotCritical =
TRUE,
4899 0xE9, 0x00, 0x00, 0x00, 0x00
4901 .HypercallOffset = 0x0,
4902 .RelocatedCodeOffset = 0x3,
4908 .ModuleName = u
"ntoskrnl.exe",
4909 .FunctionName =
"MmInSwapProcessHijack",
4915 .NotCritical =
FALSE,
4937 0xE9, 0x00, 0x00, 0x00, 0x00
4939 .HypercallOffset = 0x0,
4940 .RelocatedCodeOffset = 0x3,
4946 .ModuleName = u
"ntoskrnl.exe",
4947 .FunctionName =
"KiOutSwapProcessesHijack",
4954 .NotCritical =
FALSE,
4972 0x48, 0x8B, 0x83, 0x00, 0x00, 0x00, 0x00,
4974 0x48, 0x0f, 0xba, 0xe0, 0x07,
4982 0xE9, 0x00, 0x00, 0x00, 0x00
4984 .HypercallOffset = 0x0F,
4985 .RelocatedCodeOffset = 0x11,
INTSTATUS IntWinProcPatchPspInsertProcess86(QWORD FunctionAddress, void *Handler, void *Descriptor)
This function is responsible for patching the detour that handles the "PspInsertProcess".
INTSTATUS IntWinVadPatchInsert(QWORD FunctionAddress, API_HOOK_HANDLER *Handler, void *Descriptor)
This is the PFUNC_PreDetourCallback for the MiInsertVad guest API detour. It will be invoked before th...
#define DETOUR_ENABLE_ALWAYS
Can be used as the API_HOOK_DESCRIPTOR.EnableFlags to always enable the detour.
INTSTATUS IntWinProcHandleInstrument(void *Detour)
Handles an exit on NtSetInformationProcess calls where the InformationClass argument is 40 (instrumen...
INTSTATUS IntWinPowHandlePowerStateChange(void *Detour)
Detour callback which is called whenever NtSetSystemPowerState is called, resulting in a hypercall to...
INTSTATUS IntWinVadHandleInsert(void const *Detour)
The detour handler that will be invoked when the guest inserts a new VAD in the tree. This is the detour handler for the MiInsertVad guest API.
INTSTATUS IntWinVadHandleDeleteVaRange(void const *Detour)
The detour handler that will be invoked when a memory range contained by a VAD is deleted...
INTSTATUS IntWinHandleException(void *Detour)
Handles a hardware exception triggered inside the guest. This is the detour handler for the guest KiDis...
INTSTATUS IntWinVadPatchInsertMap(QWORD FunctionAddress, API_HOOK_HANDLER *Handler, void *Descriptor)
This is the PFUNC_PreDetourCallback for the MiGetWsAndInsertVad guest API detour. It will be invoked b...
INTSTATUS IntWinThrPatchThreadHijackHandler(QWORD FunctionAddress, void *Handler, void *Descriptor)
This function is responsible for patching the detour that handles the "PspSetContextThreadInternal"...
INTSTATUS IntWinProcSwapOut(void *Detour)
Detour handler for the KiOutSwapProcess Windows kernel API. The detour on KiOutSwapProcess is set afte...
INTSTATUS IntWinThrHandleQueueApc(void *Detour)
Handles an NtQueueApcThreadEx call - blocking process injections. Asynchronous Procedure Call (APC) inj...
INTSTATUS IntWinProcSwapIn(void *Detour)
Detour handler for the MmInSwapProcess Windows kernel API. The detour on MmInSwapProcess is set inside...
INTSTATUS IntWinVadHandleVirtualProtect(void const *Detour)
The detour handler that will be invoked when a memory range contained by a VAD has the protection rig...
INTSTATUS IntDriverUnloadHandler(void const *Detour)
The detour handler that will be invoked when a guest driver is unloaded. This handles driver unloading...
INTSTATUS IntWinProcHandleTerminate(void *Detour)
This function handles the termination of a Windows process. It is invoked every time "MmCl...
INTSTATUS IntWinProcPrepareInstrument(QWORD FunctionAddress, void *Handler, void *Descriptor)
This function is responsible for patching the detour that handles "NtSetInformationProcess".
#define DETOUR_MAX_VERSION_ANY
Specifies that the first OS version for which a detour handler is available is the latest OS version ...
INTSTATUS IntWinVadHandleCommit(void const *Detour)
The detour handler that will be invoked when an existing VAD is committed by the guest. This is the detour handler for the MiCommitExistingVad guest API. Due to the way we ignore certain VADs, this can be invoked either when protection is changed for a known VAD, in which case we have to adjust our protection; or when protection is changed for a previously unknown VAD in a way that makes it relevant for Introcore, in which case we treat it as a newly created VAD.
The detour will use an INT3 instruction in order to notify Introcore about an event.
const size_t gHookableApisX64Size
The number of functions to be hooked for 64-bit Windows guests.
#define INTRO_OPT_EVENT_PROCESS_CRASH
Enable application crash events (generates introEventExceptionEvent).
INTSTATUS IntWinPoolHandleAlloc(void *Detour)
Detour callback for ExAllocatePoolWithTag. Handles allocations within a Windows guest, executed using the ExAllocatePoolWithTag API. Basically, it will check the tag of the allocation, and if it identifies an allocation for a driver object or a fast I/O dispatch, it will patch the Size argument of the call so that it's almost a page. This ensures that critical structures protected by the introspection will be allocated alone in each page, which gives us an enormous performance boost.
INTSTATUS IntWinThrHandleThreadHijack(void *Detour)
Handles a SetContextThread call - blocking thread hijacking. Thread hijacking (amongst others) is an a...
INTSTATUS IntDriverLoadHandler(void const *Detour)
The detour handler that will be invoked when a guest loads a new driver. This handles driver loading i...
INTSTATUS IntGuestUninitOnBugcheck(void const *Detour)
Prepares Introcore unload in case of a guest crash in order to clean up the code and data injected in...
Exposes the functions used to provide Windows Threads related support.
const size_t gHookableApisX86Size
The number of functions to be hooked for 32-bit Windows guests.
INTSTATUS IntWinProcPatchCopyMemoryDetour(QWORD FunctionAddress, void *Handler, void *Descriptor)
This function is responsible for patching the detour that handles the "MmCopyVirtualMemory". It is invoked every time "MmCopyVirtualMemory" is called (a process is writing/reading another process) but before the actual handler IntWinProcHandleCopyMemory, its purpose being to modify the hook code (see winhkhnd.c).
#define DETOUR_MIN_VERSION_ANY
Specifies that the first OS version for which a detour handler is available is the first OS version s...
INTSTATUS IntWinVadPatchVirtualProtect(QWORD FunctionAddress, API_HOOK_HANDLER *Handler, void *Descriptor)
This is the PFUNC_PreDetourCallback for the MiProtectVirtualMemory guest API detour. It will be invoked before the detour is placed inside the guest and will patch the detour handler with the value of winKmFieldProcessSpare.
Information about Windows kernel crashes.
#define DET_ARGS_DEFAULT_WIN86
Default argument passing convention for 32-bit Windows guests.
INTSTATUS IntWinVadPatchDeleteVaRange(QWORD FunctionAddress, API_HOOK_HANDLER *Handler, void *Descriptor)
This is the PFUNC_PreDetourCallback for the MiDeleteVirtualAddresses guest API detour. It will be invoked before the detour is placed inside the guest and will patch the detour handler with the value of winKmFieldProcessSpare.
#define INTRO_OPT_ENABLE_MISC_EVENTS
Aggregates all the miscellaneous protection flags.
INTSTATUS IntWinVadHandleInsertPrivate(void const *Detour)
The detour handler that will be invoked when the guest inserts a new VAD in the tree. This is the detour handler for the MiInsertPrivateVad guest API.
INTSTATUS IntWinVadPatchFinishVadDeletion(QWORD FunctionAddress, API_HOOK_HANDLER *Handler, void *Descriptor)
This is the PFUNC_PreDetourCallback for the MiFinishVadDeletion guest API detour. It will be invoked b...
INTSTATUS IntWinBcHandleBugCheck(void const *Detour)
Handles a Windows OS crash. This is the detour handler for the KeBugCheck2 32-bit Windows kernel API an...
INTSTATUS IntWinProcPatchSwapOut64(QWORD FunctionAddress, void *Handler, void *Descriptor)
This function is responsible for patching the detour that handles the "KiOutSwapProcesses".
INTSTATUS IntWinPoolHandleFree(void *Detour)
Detour callback for ExFreePoolWithTag. This function handles de-allocation requests executed by the gu...
INTSTATUS IntWinPatchVadHandleCommit(QWORD FunctionAddress, API_HOOK_HANDLER *Handler, void *Descriptor)
This is the PFUNC_PreDetourCallback for the MiCommitExistingVad guest API detour. It will be invoked b...
#define INTRO_OPT_ENABLE_UM_PROTECTION
Aggregates all the user mode protection flags.
INTSTATUS IntWinVadHandleInsertMap(void const *Detour)
The detour handler that will be invoked when a VAD is inserted in the guest VAD tree. This is the detour handler for the MiGetWsAndInsertVad guest API.
INTSTATUS IntWinVadPatchInsertPrivate(QWORD FunctionAddress, API_HOOK_HANDLER *Handler, void *Descriptor)
This is the PFUNC_PreDetourCallback for the MiInsertPrivateVad guest API detour. It will be invoked be...
INTSTATUS IntWinVadHandleFinishVadDeletion(void const *Detour)
The detour handler that will be invoked when a memory range contained by a VAD is deleted...
API_HOOK_DESCRIPTOR gHookableApisX64[]
The functions to be hooked for 64-bit Windows guests.
INTSTATUS IntWinProcPatchSwapOut32(QWORD FunctionAddress, void *Handler, void *Descriptor)
This function is responsible for patching the detour that handles the "KiOutSwapProcesses".
INTSTATUS IntWinProcHandleCopyMemory(void *Detour)
This function is responsible for handling process read/write operations. It is invoked every t...
#define INTRO_OPT_BUGCHECK_CLEANUP
Enable memory cleanup after an OS crash (Windows).
INTSTATUS IntWinThrPrepareApcHandler(QWORD FunctionAddress, void *Handler, void *Descriptor)
This function is responsible for patching the detour that handles the "NtQueueApcThreadEx". It is called before the hook is placed into memory in order to "patch" the addresses of guest functions or guest file offsets that are used by the hook handler. Specifically, this patches the addresses of PsThreadType, ObReferenceObjectByHandle, ObDereferenceObject and the offsets of the AttachedProcess and Process fields of _KTHREAD and the Spare field of _KPROCESS, but also patches the "retn" instruction accordingly.
#define INTRO_OPT_EVENT_OS_CRASH
Enable OS crash events (generates introEventCrashEvent events).
INTSTATUS IntWinProcHandleCreate(void *Detour)
Detour handler for the PspInsertProcess Windows kernel API. The actual process creation is handled by ...
#define DET_ARGS_DEFAULT_WIN64
Default argument passing convention for 64-bit Windows guests.
API_HOOK_DESCRIPTOR gHookableApisX86[]
The functions to be hooked for 32-bit Windows guests.
Describes a function to be hooked.